Introduction to Cyber Triage - Fast Forensics for Incident Response

00:06

let's talk about cyber triage just the

00:09

quick note before we begin this is not a

00:12

sponsored episode I was provided with a

00:14

license so that I could evaluate the

00:16

software but I was under no obligation

00:17

to create a 13 cubed episode covering

00:20

this content I chose to do so because I

00:22

think it's actually going to be very

00:23

beneficial to many of you watching this

00:25

so with that out of the way what does

00:28

cyber triage even do well it provides an

00:32

automated Incident Response capability

00:34

it runs on all versions of Windows XP

00:37

and newer it utilizes a collection tool

00:40

that can be pushed to endpoints or it

00:42

can be manually run on an endpoint from

00:44

a USB Drive or other removable media

00:47

doing either requires no installation on

00:50

the target but it can also just process

00:53

an l1 or raw disk image or a memory

00:56

capture utilizing volatility on the back

00:59

end these last two points the disk

01:02

images and memory captures are what

01:03

we're actually going to take a look at

01:05

in the live demo coming up next it was

01:08

created by Brian carrier author of

01:10

filesystem forensic analysis and of

01:13

course autopsy and TSK so plenty of

01:16

street cred here this is not created by

01:18

some sort of fly-by-night forensics

01:20

company what does it collect well it

01:24

collects volatile data including running

01:26

processes open ports logged in users

01:28

active network connection DNS cache also

01:31

malware persistence mechanisms including

01:34

startup items and scheduled tasks user

01:36

activity including what programs were

01:38

run web activity logins file metadata

01:42

from all files on the system and even

01:44

file content from suspicious files so

01:47

maybe I should have said what does it

01:48

not collect right how does it work well

01:52

if you actually use the option to push

01:55

it to an end point or run the tool from

01:57

a USB Drive on an end point then you

01:59

have this collection tool that Flags any

02:02

suspicious data and you have an

02:04

automated analysis process that goes

02:06

through and just basically looks for

02:08

things that are known evil or possibly

02:10

evil and then it's up to you as the

02:12

analyst to determine whether or not

02:13

those things warrant further

02:14

investigation how much does it cost

02:18

well here's the cool thing there's

02:19

actually a light version it's completely

02:21

free

02:22

and as you can see from the capabilities

02:24

it allows you to collect volatile and

02:26

filesystem data you can even collect

02:28

data to USB Drive analyze memory images

02:31

pivot through the collected data to

02:33

determine scope view timelines and

02:35

generate reports so a lot of stuff for

02:38

free now of course there are some

02:40

commercial versions like standard and

02:42

team that you see here I'm evaluating

02:44

the standard version but again the Lite

02:47

free version still provides plenty of

02:49

forensic value so with that out of the

02:53

way let's talk about the demo we're

02:56

going to analyze an eeo one image from a

02:58

Windows 10 box and then check out the

03:00

results then we'll analyze a memory

03:03

capture from a Windows 10 box and review

03:06

those results so let's go ahead and hop

03:09

over to a Windows 10 analysis

03:11

workstation and get started all right

03:17

we're at our windows 10 analysis VM and

03:19

we'll go ahead and launch cyber triage

03:21

and take a look at the options available

03:23

to us first off though you'll notice

03:25

this warning saying that no in SRL file

03:28

has been configured we'll come back to

03:29

that in a minute let's go ahead and

03:30

choose no for now we can choose new

03:33

session open session or open incident

03:36

but first let's check out the options

03:38

option this will provide a list of

03:41

options used by the software the first

03:43

being the national software reference

03:45

library or in SRL which is a national

03:49

database of software now of course we're

03:52

going to leave that unset for now and

03:54

then the PS exec settings is what will

03:57

allow cyber triage to push itself to a

03:59

remote host we'll leave that blank as

04:01

well we are going to change the time

04:03

zone to UTC however because that is the

04:05

only time zone you should be using for

04:07

forensic analysis under network settings

04:10

we can set up proxy under malware

04:12

settings we can clear cache and safe

04:14

results from previous scans deployment

04:17

mode is just single user basic

04:19

deployment for this demo whitelist of

04:21

course is a list of known good blacklist

04:23

is a list of known bad stuff dynamic DNS

04:27

is a list of the D DNS providers the

04:29

software knows about and the license

04:31

info

04:31

contains information about the license

04:34

go figure

04:35

let's go ahead and choose okay and we're

04:37

going to choose the new session option

04:40

and now we have five options live

04:44

automatic means that cyber triage will

04:45

push the collection tool to a remote

04:47

host live manual means the collection

04:50

tool is manually run from a network or

04:52

USB drive on the remote host and then

04:56

live file means the same except the data

04:58

saved to the USB Drive warp to a network

05:00

share and manually imported we're going

05:02

to be taking a look at the last two disk

05:04

image in memory image first up though

05:07

disk image this will allow us to point

05:10

to an l1 or raw disk image let's go

05:12

ahead and choose demo for our incident

05:14

name we'll type in localhost for the

05:16

host name and now let's browse for an l1

05:19

file we're going to use for this first

05:21

part of the demo I happen to have a

05:24

Windows 10 full disk image that's about

05:26

15 gigs in size and there you see it so

05:30

let's go ahead and choose that when we

05:33

do it populates the source file in the

05:35

field and now we'll simply click

05:37

continue for the full scan which is what

05:40

we're going to be using you'll notice

05:41

everything is checked except some of the

05:43

volatile data which is used in the

05:45

memory portion and then we can also

05:47

choose a custom scan or skip file scan

05:50

again we're going to use a full scan

05:52

find all the things that you can find in

05:55

other words let's go ahead and choose

05:57

continue and at this point we have the

05:59

option to query external services to get

06:03

malware results now the radio button is

06:05

set to upload the file so it can be

06:08

analyzed but for opposite purposes you

06:10

may want to go ahead and just tell it to

06:12

mark the file as suspicious but not

06:14

uploaded which I would recommend in most

06:16

cases so having selected that I click

06:20

start collection we can expand the

06:22

status here but after a few seconds

06:24

what's going to happen is you're going

06:26

to see the full screen window appear of

06:29

course it tells us the NSR el database

06:31

was not specified so we'll click OK and

06:33

now we're off to the races of course I

06:35

have greatly sped this up it's going to

06:38

take a variable amount of time we do see

06:41

the Windows Defender firewall prompt

06:43

let's go ahead and tell it to allow

06:44

access

06:45

so that cyber triage can go ahead and do

06:47

its thing and run some queries to

06:49

determine whether or not it finds any

06:50

evil and you'll notice the suspicious

06:53

item count is growing fairly rapidly so

06:57

we have at the end of the scan 47

07:00

suspicious items and as you can see all

07:02

ten steps have completed and no tasks

07:05

are currently running we have zero high

07:08

threats in this case and again 47

07:10

suspicious so let's go ahead and take a

07:13

look at the left column here under bad

07:16

items again we have none but we have 47

07:18

suspicious items and it's very

07:21

self-explanatory you can see them there

07:23

on the Left what it thinks are threats

07:25

and in this case some of these are

07:28

indeed blacklisted password dumping

07:30

tools as you can see and other that it

07:33

may have flagged as interesting or

07:35

possibly suspicious because they're

07:37

running out of app data local here we

07:39

see the users present within this disk

07:41

image which is handy we see some login

07:44

information with a couple of IP

07:46

addresses here if we click on one of

07:48

these you'll notice more information you

07:50

can see that this is an outgoing

07:51

connection you'll notice the local user

07:54

involved the remote host IP address

07:56

remote user and various other

07:58

information this is from the inti user

08:00

data registry key under terminal server

08:03

client servers we have network shares

08:06

here which are enumerated from the image

08:08

again very useful programs run sothank

08:11

things like prefetch or we can determine

08:13

exactly what has executed on the system

08:16

and if you notice that scroll bar on the

08:18

right side there's a lot of stuff here

08:20

as you would expect as we scroll down

08:22

through here we can kind of get an idea

08:24

of exactly what was being run on this

08:27

Windows 10 system so quite a bit of

08:30

useful information under programs run

08:33

under web artifacts we don't really have

08:36

anything to show in this demo under

08:38

startup items we do have quite a few

08:40

things though this is going to of course

08:42

enumerate the good ole run key and

08:45

numerous other locations from which

08:46

programs can start automatically on our

08:49

Windows systems quite a few things here

08:52

we would need to look at but according

08:53

to this there's only one suspicious item

08:56

under triggered tasks again quite a few

08:59

things

08:59

one of which is flagged because of the

09:01

location from which it's running no

09:03

processes because that's gonna come from

09:05

memory right we don't have that

09:07

information here same with active

09:09

connections not connected or not

09:11

collected rather from a disk image

09:13

listening ports same DNS cache nothing

09:17

here registry Keys no suspicious entries

09:20

found under files we do have a few

09:22

things that it did flag for whatever

09:25

reason it flagged USB detective which is

09:27

absolutely not evil under timeline it's

09:30

actually built a rudimentary timeline

09:32

for us showing us timestamps and UTC and

09:35

under system configuration we get some

09:38

information about the system

09:39

configuration from that particular

09:41

system from which this disk image was

09:43

acquired so again I just breezed through

09:46

that because it's very self-explanatory

09:47

I'm not going to insult your

09:49

intelligence by explaining what each of

09:51

those things are because I think you'll

09:52

agree it's very easy to figure out

09:54

what's going on here it's almost to the

09:56

point of click a button and find evil so

10:00

obviously you do have to perform some

10:02

analysis but still very easy now let's

10:05

go ahead and make another new session

10:06

this time though for the memory image so

10:10

for our incident name let's choose demo

10:12

two because I can't think of anything

10:14

better to type here under host name

10:17

we'll go ahead and type in localhost

10:18

again and for our source file we're

10:22

going to go ahead and browse to a memory

10:24

capture I haven't half which is named

10:27

after the correct profile that we're

10:29

going to be using in this case you'll

10:31

notice the name actually is from Windows

10:34

10 built 17 134 so under the volatility

10:38

profile drop-down I'm going to go ahead

10:40

and choose Windows 10 x64 build 17 134

10:45

so that'll save us some time we won't

10:47

have to run image info or kdb g-scan on

10:50

the back end to try to determine which

10:52

profile volatility should use we'll

10:55

click continue here and as you can see

10:58

some things are unchecked because

11:00

they're not really applicable to a

11:01

memory image but we can choose a custom

11:04

scan here again a lot of things are

11:06

grayed out because they're not

11:08

applicable we could choose network

11:09

processes programs run

11:12

startup items and that's really about it

11:15

if we go back however to the skip file

11:18

scan you'll notice it's pretty much

11:20

exactly what's been chosen there so I'm

11:22

going to go ahead and just use skip file

11:24

scan and just stick with the default

11:26

options really and click start

11:28

collection and as you might imagine this

11:30

tool is simply running volatility on the

11:33

back end automatically and aggregating

11:35

the results force I'll go ahead and

11:38

click past this dialog as before and

11:40

again I'm going to greatly speed this up

11:42

you'll notice here though it's running

11:44

PS list gets id's mal find various other

11:47

volatility plugins we've talked about

11:49

numerous times in other introduction to

11:52

memory forensics episodes so at this

11:54

point it is complete and this time

11:56

you'll notice we have a critical error

11:58

message where a requested registry key

12:01

that volatility tried to enumerate user

12:03

assist in this case was not found that's

12:06

okay

12:06

remember there's no guarantees in memory

12:08

forensics some stuff may be there it may

12:11

not be there so don't freak out if you

12:13

see an error message here and there as

12:15

the memory image is trying to be

12:16

enumerated notice the rudimentary

12:19

timeline on the right side for a

12:21

suspicious bunch of SVC host processes

12:24

and notice we have a bunch of bad items

12:27

this time eight in total whereas we had

12:29

none in the disk image and you'll notice

12:32

it flagged Explorer and svchost.exe

12:36

which is always a favorite for malware

12:40

authors so clicking on any one of these

12:42

will provide more detail as always but

12:46

particularly I would focus in on the

12:48

svchost.exe s and I can tell you in this

12:51

memory image there's definitely some

12:53

wonky stuff going on with SVC host that

12:56

path below the highlighted area there

12:59

you'll notice windows svchost.exe well

13:02

that's not the right path for

13:03

svchost.exe for sure

13:05

we can click on all these other tabs

13:07

though to get additional information and

13:10

as before it's very self-explanatory

13:12

you'll notice user account related

13:14

information and details just pretty much

13:17

anything that was able to be enumerated

13:19

from the various volatility plugins that

13:22

were run

13:24

have execution history we have

13:26

information about startup items various

13:29

things like that of course I can expand

13:30

any of the columns here so it fits but

13:33

again start off items nothing here

13:35

sessions nothing here and our analysis

13:38

results as you can see the score is bad

13:40

the confidence is high and the software

13:43

is correct this is evil again clearly

13:46

evil especially because of the name and

13:48

path of that svchost.exe and posture

13:52

process but clicking on any one of these

13:55

will give us more details below and we

13:58

can scroll through and click on any of

14:00

these very self-explanatory very easy

14:03

and user-friendly so for suspicious

14:06

items we have 10 things here that were

14:08

flagged for various reasons again some

14:10

of these are in fact evil so looking at

14:14

this one we have notepad we have smart

14:16

screen dot exe which is interesting

14:18

because it's often flagged to buy mal

14:20

find as it was in the description as you

14:23

can see here and that is actually a

14:25

false positive that mal fine reports on

14:27

every time so interesting there you can

14:29

ignore that one for users we have the

14:32

users that was able to enumerate from

14:34

the memory image CTF being one of the

14:37

main users if we scroll down through

14:40

here and start clicking on all of these

14:41

various things here's some network share

14:43

related information which could be

14:45

potentially useful to us and as you can

14:48

see we have AC : path here under windows

14:51

system32 w bim we have programs run

14:55

again program execution artifacts that

14:57

were able to be derived from memory

15:00

which is very cool things we've talked

15:02

about in previous memory forensics

15:04

episodes no web artifacts a few startup

15:08

items one of which is flagged as

15:10

suspicious

15:10

no triggered tasks here is an awesome

15:14

output of a tree based list of our

15:16

processes which I really really like

15:18

this so very very easy kind of like PS

15:21

tree if you will but we have a GUI

15:23

version of it where we can go in and

15:25

look at the parent-child relationships

15:26

and find anything that might be

15:28

suspicious or bad you'll notice the

15:31

icons like this one for example says bad

15:34

and again that's another one of our evil

15:37

spc host dot exe processes in this image

15:39

and as we continue to scroll down

15:41

through this you'll notice again the

15:43

yellow and the red icons which represent

15:46

the suspicious or bad items respectively

15:50

for active connections we actually do

15:52

have some things here that we can expand

15:54

see a bunch of remote IP addresses here

15:57

that we might want to take a look at all

15:58

on 80 and 443 some of these could for

16:02

example be c2 listening ports might be

16:05

of interest to us you see a bunch of

16:07

svchost.exe with the dash k options here

16:10

which are probably legit but again we

16:12

would want to look through this stuff

16:13

and verify DNS cache registry entries

16:16

nothing here of interests same with

16:18

files here's a timeline that it built

16:20

for us based on time based artifacts out

16:24

of our memory image all in UTC very cool

16:27

that it makes a timeline for us and very

16:30

useful information here about process

16:32

creation ports that are opened things

16:35

that are run active connections very

16:39

useful information and for system

16:41

configuration as before it's pulled some

16:44

things out of the memory image most of

16:46

which we already knew

16:47

but still very interesting information

16:49

overall so that's cyber triage we looked

16:54

at a disk image and we looked at a

16:56

memory image and as you can see it's

17:00

almost the point of point-and-click

17:02

forensics you guys have heard me say

17:04

this over and over and over again I am

17:07

NOT one to believe that you should just

17:09

put software in front of a person with

17:11

no forensics knowledge and have them

17:13

click buttons and make assumptions about

17:16

what has happened on a particular system

17:18

in other words I saw this thing called

17:20

prefetch and it says here that that

17:22

means something ran so clearly something

17:24

ran on the system at this time well

17:26

while that may be true if the analyst

17:29

looking at it doesn't really understand

17:31

the underlying meaning of any of these

17:33

artifacts that may not be so good so I

17:36

would recommend at least a basic

17:37

understanding of what these forensic

17:39

artifacts are before you go just click a

17:42

button and have a tool output a bunch of

17:44

stuff for you that you're expected to

17:45

know what it is

17:46

you can't just click the solve case a

17:48

button and expect everything to be happy

17:51

that said this software goes a long way

17:53

to provide what I like to call a 30,000

17:56

foot view it's basically a very

17:58

high-level view that we can derive very

18:01

quickly by simply opening a beautifully

18:04

designed and really pretty GUI clicking

18:06

the Browse button clicking on a disk

18:09

image or a memory image as we just saw

18:11

and basically saying show me some stuff

18:13

here that may be evil and let me figure

18:16

it out there are different flavors of

18:18

the tool available and you can certainly

18:20

download a free version and actually

18:22

play around with it and even the

18:24

commercial versions are very

18:25

competitively priced compared to other

18:27

commercial tools that I've seen in this

18:30

space so I hope you found this

18:33

information useful and I hope you will

18:35

check this out

18:36

but that's it for now so as always thank

18:40

you for watching thank you for

18:42

subscribing and I will catch you in the

18:44

next episode

18:54

you