Introduction to Cyber Triage - Fast Forensics for Incident Response
Summary
TLDR: This video offers an in-depth look at Cyber Triage, an automated Incident Response tool. It supports Windows XP and newer, collecting volatile data, malware persistence mechanisms, and file metadata without installation on the target system. Created by Brian Carrier, it provides a free 'Lite' version for basic forensics and paid 'Standard' and 'Team' versions. The demo showcases analyzing a Windows 10 disk image and memory capture, highlighting suspicious items and system details. The tool simplifies forensic analysis, though a basic understanding of forensic artifacts is recommended for accurate interpretation.
Takeaways
- 👨💻 The video discusses Cyber Triage, an automated Incident Response software, which can be used for forensic analysis on various Windows systems.
- 🛠️ It offers a collection tool that can be pushed to endpoints or run manually from a USB Drive without installation on the target system.
- 🔍 Cyber Triage can process disk images, memory captures, and utilize Volatility for analyzing memory artifacts.
- 👨💼 Developed by Brian Carrier, known for 'File System Forensic Analysis' and 'Autopsy', Cyber Triage has strong credentials in the forensics field.
- 💾 It collects a wide range of data including volatile data, file metadata, and even content from suspicious files.
- 🆓 A free 'Lite' version is available, providing substantial forensic capabilities, while 'Standard' and 'Team' are commercial versions.
- 💻 The demo in the video analyzes an E01 disk image and a memory capture from a Windows 10 system using Cyber Triage.
- 🔎 The software flags suspicious data and automates the analysis process, helping analysts identify potential threats.
- 💼 Cyber Triage is user-friendly, allowing analysts to quickly generate reports and timelines from the collected data.
- 🔑 It provides a high-level overview, which is beneficial for analysts to quickly identify possible malicious activities, though a basic understanding of forensics is recommended for deeper analysis.
Q & A
What is Cyber Triage and what does it do?
-Cyber Triage is an automated Incident Response capability software that runs on all versions of Windows XP and newer. It utilizes a collection tool that can be pushed to endpoints or run manually from a USB Drive or other removable media. It can also process an E01 or raw disk image, or a memory capture using Volatility on the backend.
Who created Cyber Triage?
-Cyber Triage was created by Brian Carrier, the author of 'File System Forensic Analysis' and the creator of Autopsy and TSK, which gives the software significant credibility in the field of digital forensics.
What types of data does Cyber Triage collect?
-Cyber Triage collects volatile data including running processes, open ports, logged-in users, active network connections, DNS cache, malware persistence mechanisms, user activity, file metadata from all files on the system, and even file content from suspicious files.
Is there a free version of Cyber Triage available?
-Yes, there is a free version called 'Lite' which allows users to collect volatile and filesystem data, analyze memory images, pivot through collected data, determine scope, view timelines, and generate reports.
How does the automated analysis process in Cyber Triage work?
-The automated analysis process in Cyber Triage flags any suspicious data and looks for things that are known to be evil or possibly evil. It then requires the analyst to determine whether those flagged items warrant further investigation.
What is the significance of the National Software Reference Library (NSRL) in Cyber Triage?
-The National Software Reference Library (NSRL) is a national database of software that Cyber Triage can use to compare and identify known software on a system. However, during the demo, the NSRL was not specified, indicating that the software can operate without it, but it might limit the software's ability to identify certain software.
What is the purpose of the 'PS exec settings' in Cyber Triage?
-The 'PS exec settings' in Cyber Triage allow the software to push itself to a remote host, facilitating remote incident response capabilities without needing physical access to the endpoint.
What does the memory capture analysis in Cyber Triage involve?
-The memory capture analysis in Cyber Triage involves running Volatility plugins to automatically enumerate and analyze memory data, such as running processes, network connections, and other artifacts, to identify potential malicious activity.
How does Cyber Triage handle false positives?
-Cyber Triage, like any forensic tool, may flag items that are not actually malicious. The software provides detailed information about each flagged item, but it is up to the analyst to verify and determine the true nature of the flagged items, considering the context and other evidence.
What recommendations does the presenter have for using Cyber Triage effectively?
-The presenter recommends having at least a basic understanding of forensic artifacts before using Cyber Triage to avoid misinterpreting the results. While the software provides a high-level view and quick insights, it is important for the analyst to have contextual knowledge to make informed decisions about the findings.
Outlines
🔍 Introduction to Cyber Triage
The paragraph introduces Cyber Triage, an automated Incident Response software that can run on all versions of Windows XP and newer. It can be deployed through a collection tool that can be remotely pushed or manually run from a USB drive without installation on the target system. It also processes disk images and memory captures using Volatility. The software was created by Brian Carrier, known for 'File System Forensic Analysis' and 'Autopsy'. It collects various data including running processes, open ports, user activity, and file content from suspicious files. There's a free 'Lite' version available, as well as commercial versions like 'Standard' and 'Team'. The speaker will demonstrate analyzing a disk image and a memory capture in a live demo.
🖥️ Analyzing a Disk Image with Cyber Triage
The speaker demonstrates how to use Cyber Triage to analyze a disk image. They guide through the process of selecting the disk image, configuring settings, and initiating a full scan. The scan results show 47 suspicious items but no high threats. The software flags potential threats, enumerates user data, login information, network shares, and programs run. It also provides a timeline and system configuration details. The speaker emphasizes the self-explanatory nature of the software, allowing for easy identification and analysis of potential threats.
💾 Memory Image Analysis using Cyber Triage
The paragraph describes the process of analyzing a memory image with Cyber Triage. The speaker sets up a new session, selects the memory capture file, and chooses an appropriate Volatility profile. They explain the options available for memory image analysis, such as checking for network processes, programs run, and startup items. The analysis reveals critical errors, suspicious items, and bad items, including a notably suspicious svchost.exe process. The software provides detailed information about user accounts, network shares, and program execution artifacts, along with a timeline of activities and system configuration details. The speaker highlights the software's user-friendly interface and its ability to quickly provide a high-level view of potential threats.
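The triage checks the demo walks through, an svchost.exe running from the wrong path, a program running out of AppData\Local, and a pstree-style parent/child view, implemented as an added example over a constructed process list (this is not Cyber Triage or Volatility code). The expected-parent rule for svchost.exe (services.exe) is a generalisation beyond the video, and every pid and path in the sample is made up.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the shape of Volatility pslist output: (pid, ppid, name, path).
# Every pid and path here is made up for this example.
PROCESSES: List[Tuple[int, int, str, str]] = [
    (4,    0,    "System",       ""),
    (612,  4,    "smss.exe",     r"C:\Windows\System32\smss.exe"),
    (700,  612,  "wininit.exe",  r"C:\Windows\System32\wininit.exe"),
    (788,  700,  "services.exe", r"C:\Windows\System32\services.exe"),
    (912,  788,  "svchost.exe",  r"C:\Windows\System32\svchost.exe"),
    (1540, 788,  "svchost.exe",  r"C:\Windows\svchost.exe"),  # wrong directory, as in the demo
    (2208, 1540, "svchost.exe",  r"C:\Windows\svchost.exe"),  # and spawned by another svchost
    (3012, 2900, "explorer.exe", r"C:\Windows\explorer.exe"),  # parent (userinit) already exited
    (3400, 3012, "notepad.exe",  r"C:\Windows\System32\notepad.exe"),
    (3520, 3012, "updater.exe",  r"C:\Users\ctf\AppData\Local\Temp\updater.exe"),
]

# Where these Windows binaries normally live; compared case-insensitively.
EXPECTED_PATH = {
    "svchost.exe":  r"C:\Windows\System32\svchost.exe",
    "services.exe": r"C:\Windows\System32\services.exe",
    "wininit.exe":  r"C:\Windows\System32\wininit.exe",
    "explorer.exe": r"C:\Windows\explorer.exe",
}
# Expected parent of a service host (generalisation beyond the video).
EXPECTED_PARENT = {"svchost.exe": "services.exe"}

Verdict = Tuple[str, List[str]]  # ("bad" | "suspicious" | "ok", reasons)


def score_processes(procs=PROCESSES) -> Dict[int, Verdict]:
    """Apply the three triage heuristics and return {pid: (verdict, reasons)}."""
    names = {pid: name for pid, _, name, _ in procs}
    results: Dict[int, Verdict] = {}
    for pid, ppid, name, path in procs:
        reasons: List[str] = []
        verdict = "ok"
        lname, lpath = name.lower(), path.lower()
        expected = EXPECTED_PATH.get(lname)
        if expected and lpath != expected.lower():
            # A system binary outside its home directory is the strongest signal.
            reasons.append(f"{name} runs from {path}, expected {expected}")
            verdict = "bad"
        if "\\appdata\\local\\" in lpath:
            reasons.append(f"executable under AppData\\Local: {path}")
            verdict = verdict if verdict == "bad" else "suspicious"
        want_parent = EXPECTED_PARENT.get(lname)
        if want_parent:
            parent = names.get(ppid, "<exited>")
            if parent.lower() != want_parent:
                reasons.append(f"parent is {parent} (pid {ppid}), expected {want_parent}")
                verdict = verdict if verdict == "bad" else "suspicious"
        results[pid] = (verdict, reasons)
    return results


def pstree(procs=PROCESSES, scores=None) -> List[str]:
    """Render an indented parent/child tree with each line tagged by its verdict."""
    scores = scores if scores is not None else score_processes(procs)
    names = {pid: name for pid, _, name, _ in procs}
    children = defaultdict(list)
    roots = []
    for pid, ppid, _, _ in procs:
        # A parent that is not in the list (e.g. it exited) makes this a root.
        (children[ppid] if ppid in names and ppid != pid else roots).append(pid)
    marks = {"bad": "[BAD]", "suspicious": "[SUS]", "ok": "[ok ]"}
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append(f"{marks[scores[pid][0]]} {'  ' * depth}{names[pid]} (pid {pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(roots):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(pstree()))
    for pid, (verdict, reasons) in score_processes().items():
        for reason in reasons:
            print(f"pid {pid} [{verdict}] {reason}")
```

The legitimate svchost.exe (pid 912) scores ok while the two copies under C:\Windows score bad, which is the same distinction the tool draws in the demo.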
🔗 Conclusion and Recommendations on Cyber Triage
The speaker concludes the discussion on Cyber Triage by emphasizing its ease of use and the comprehensive analysis it provides. They caution against relying solely on the software for forensic analysis without a basic understanding of forensic artifacts. The software offers a high-level overview that can quickly identify potential threats. The speaker recommends trying the free version of Cyber Triage and considers the commercial versions to be competitively priced. They encourage viewers to explore the tool and appreciate its capabilities in providing a 30,000-foot view of potential digital forensics issues.
Keywords
💡Cyber Triage
💡Endpoint
💡Volatility
💡Malware Persistence Mechanisms
💡Forensic Analysis
💡Disk Image
💡Memory Capture
💡Suspicious Items
💡Incident Response
💡Free Version
Highlights
Cyber Triage offers automated Incident Response capabilities.
It is compatible with all versions of Windows XP and newer.
The collection tool can be pushed to endpoints or run manually from removable media without installation.
Cyber Triage can process disk images, memory captures, and utilize Volatility on the backend.
Developed by Brian Carrier, author of 'File System Forensic Analysis' and creator of Autopsy and TSK.
It collects volatile data such as running processes, open ports, logged-in users, and active network connections.
Malware persistence mechanisms, user activity, and file metadata are also collected.
Cyber Triage Lite version is completely free and offers extensive forensic capabilities.
Commercial versions like Standard and Team provide additional features.
The software flags suspicious data and automates analysis to identify known or potentially malicious items.
A live demo will analyze a Windows 10 disk image and a memory capture to showcase the results.
Cyber Triage provides a warning if no NSRL file is configured, which is a database of known software.
The software allows setting up options like timezone, network settings, and malware settings.
Analysts can choose to upload files for external malware analysis or mark them as suspicious.
The software quickly identifies suspicious items and provides a detailed breakdown of potential threats.
Cyber Triage generates a timeline and system configuration report for further analysis.
The tool is designed for ease of use, allowing even those with basic forensic knowledge to perform analysis.
The presenter emphasizes the importance of understanding forensic artifacts before relying on automated tools.
Cyber Triage is praised for providing a high-level overview for quick incident response.
Different versions of the tool are available, with a free version and competitively priced commercial options.
Transcripts
Let's talk about Cyber Triage. Just a quick note before we begin: this is not a sponsored episode. I was provided with a license so that I could evaluate the software, but I was under no obligation to create a 13Cubed episode covering this content. I chose to do so because I think it's actually going to be very beneficial to many of you watching this. So with that out of the way, what does Cyber Triage even do? Well, it provides an automated Incident Response capability. It runs on all versions of Windows XP and newer. It utilizes a collection tool that can be pushed to endpoints, or it can be manually run on an endpoint from a USB drive or other removable media. Doing either requires no installation on the target. But it can also just process an E01 or raw disk image or a memory capture, utilizing Volatility on the back end. These last two points, the disk images and memory captures, are what we're actually going to take a look at in the live demo coming up next. It was created by Brian Carrier, author of File System Forensic Analysis and of course Autopsy and TSK, so plenty of street cred here. This is not created by some sort of fly-by-night forensics company.

What does it collect? Well, it collects volatile data including running processes, open ports, logged-in users, active network connections, DNS cache; also malware persistence mechanisms including startup items and scheduled tasks; user activity including what programs were run, web activity, logins; file metadata from all files on the system; and even file content from suspicious files. So maybe I should have said, what does it not collect, right? How does it work? Well, if you actually use the option to push it to an endpoint or run the tool from a USB drive on an endpoint, then you have this collection tool that flags any suspicious data, and you have an automated analysis process that goes through and just basically looks for things that are known evil or possibly evil, and then it's up to you as the analyst to determine whether or not those things warrant further investigation. How much does it cost? Well, here's the cool thing: there's actually a Lite version. It's completely free, and as you can see from the capabilities, it allows you to collect volatile and filesystem data. You can even collect data to a USB drive, analyze memory images, pivot through the collected data to determine scope, view timelines, and generate reports. So a lot of stuff for free. Now, of course, there are some commercial versions like Standard and Team that you see here. I'm evaluating the Standard version, but again, the Lite free version still provides plenty of forensic value.

So with that out of the way, let's talk about the demo. We're going to analyze an E01 image from a Windows 10 box and then check out the results. Then we'll analyze a memory capture from a Windows 10 box and review those results. So let's go ahead and hop over to a Windows 10 analysis workstation and get started.

All right, we're at our Windows 10 analysis VM, and we'll go ahead and launch Cyber Triage and take a look at the options available to us. First off, though, you'll notice this warning saying that no NSRL file has been configured. We'll come back to that in a minute; let's go ahead and choose No for now. We can choose New Session, Open Session, or Open Incident, but first let's check out the Options option. This will provide a list of options used by the software, the first being the National Software Reference Library, or NSRL, which is a national database of software. Now, of course, we're going to leave that unset for now. And then the PsExec settings is what will allow Cyber Triage to push itself to a remote host; we'll leave that blank as well. We are going to change the time zone to UTC, however, because that is the only time zone you should be using for forensic analysis. Under Network Settings we can set up a proxy. Under Malware Settings we can clear cache and save results from previous scans. Deployment Mode is just single-user basic deployment for this demo. Whitelist, of course, is a list of known good; Blacklist is a list of known bad stuff; Dynamic DNS is a list of the DDNS providers the software knows about; and the License Info contains information about the license, go figure.

Let's go ahead and choose OK, and we're going to choose the New Session option. And now we have five options. Live Automatic means that Cyber Triage will push the collection tool to a remote host. Live Manual means the collection tool is manually run from a network or USB drive on the remote host. And then Live File means the same, except the data is saved to the USB drive or to a network share and manually imported. We're going to be taking a look at the last two: Disk Image and Memory Image. First up, though, Disk Image. This will allow us to point to an E01 or raw disk image. Let's go ahead and choose "demo" for our incident name, we'll type in "localhost" for the host name, and now let's browse for an E01 file we're going to use for this first part of the demo. I happen to have a Windows 10 full disk image that's about 15 gigs in size, and there you see it, so let's go ahead and choose that. When we do, it populates the source file in the field, and now we'll simply click Continue for the Full Scan, which is what we're going to be using. You'll notice everything is checked except some of the volatile data, which is used in the memory portion. And then we can also choose a Custom Scan or Skip File Scan. Again, we're going to use a Full Scan: find all the things that you can find, in other words. Let's go ahead and choose Continue, and at this point we have the option to query external services to get malware results. Now, the radio button is set to upload the file so it can be analyzed, but for OPSEC purposes you may want to go ahead and just tell it to mark the file as suspicious but not upload it, which I would recommend in most cases. So having selected that, I click Start Collection. We can expand the status here, but after a few seconds what's going to happen is you're going to see the full-screen window appear. Of course, it tells us the NSRL database was not specified, so we'll click OK, and now we're off to the races. Of course, I have greatly sped this up; it's going to take a variable amount of time. We do see the Windows Defender Firewall prompt; let's go ahead and tell it to allow access so that Cyber Triage can go ahead and do its thing and run some queries to determine whether or not it finds any evil.

And you'll notice the suspicious item count is growing fairly rapidly. So we have, at the end of the scan, 47 suspicious items, and as you can see all ten steps have completed and no tasks are currently running. We have zero high threats in this case, and again 47 suspicious. So let's go ahead and take a look at the left column here. Under Bad Items, again, we have none, but we have 47 suspicious items, and it's very self-explanatory. You can see them there on the left, what it thinks are threats, and in this case some of these are indeed blacklisted password-dumping tools, as you can see, and others that it may have flagged as interesting or possibly suspicious because they're running out of AppData\Local. Here we see the users present within this disk image, which is handy. We see some login information with a couple of IP addresses here; if we click on one of these you'll notice more information. You can see that this is an outgoing connection; you'll notice the local user involved, the remote host IP address, remote user, and various other information. This is from the NTUSER.DAT registry key under Terminal Server Client\Servers. We have network shares here, which are enumerated from the image, again very useful. Programs Run, so things like Prefetch, where we can determine exactly what has executed on the system, and if you notice that scroll bar on the right side, there's a lot of stuff here, as you would expect. As we scroll down through here we can kind of get an idea of exactly what was being run on this Windows 10 system. So quite a bit of useful information under Programs Run. Under Web Artifacts we don't really have anything to show in this demo. Under Startup Items we do have quite a few things, though; this is going to, of course, enumerate the good ole Run key and numerous other locations from which programs can start automatically on our Windows systems. Quite a few things here we would need to look at, but according to this there's only one suspicious item. Under Triggered Tasks, again quite a few things, one of which is flagged because of the location from which it's running. No processes, because that's gonna come from memory, right? We don't have that information here. Same with Active Connections: not connected, or not collected rather, from a disk image. Listening Ports, same. DNS Cache, nothing here. Registry Keys, no suspicious entries found. Under Files we do have a few things that it did flag; for whatever reason it flagged USB Detective, which is absolutely not evil. Under Timeline it's actually built a rudimentary timeline for us showing us timestamps in UTC, and under System Configuration we get some information about the system configuration from that particular system from which this disk image was acquired. So again, I just breezed through that because it's very self-explanatory. I'm not going to insult your intelligence by explaining what each of those things are, because I think you'll agree it's very easy to figure out what's going on here. It's almost to the point of click a button and find evil. So obviously you do have to perform some analysis, but still, very easy.

Now let's go ahead and make another new session, this time though for the memory image. So for our incident name let's choose "demo two" because I can't think of anything better to type here. Under host name we'll go ahead and type in "localhost" again, and for our source file we're going to go ahead and browse to a memory capture I happen to have, which is named after the correct profile that we're going to be using. In this case you'll notice the name actually is from Windows 10 build 17134, so under the Volatility profile drop-down I'm going to go ahead and choose Windows 10 x64 build 17134. So that'll save us some time; we won't have to run imageinfo or kdbgscan on the back end to try to determine which profile Volatility should use. We'll click Continue here, and as you can see some things are unchecked because they're not really applicable to a memory image. But we can choose a Custom Scan here; again, a lot of things are grayed out because they're not applicable. We could choose network, processes, programs run, startup items, and that's really about it. If we go back, however, to the Skip File Scan, you'll notice it's pretty much exactly what's been chosen there, so I'm going to go ahead and just use Skip File Scan and just stick with the default options, really, and click Start Collection. And as you might imagine, this tool is simply running Volatility on the back end automatically and aggregating the results for us. I'll go ahead and click past this dialog as before, and again I'm going to greatly speed this up. You'll notice here, though, it's running pslist, getsids, malfind, various other Volatility plugins we've talked about numerous times in other Introduction to Memory Forensics episodes. So at this point it is complete, and this time you'll notice we have a critical error message where a requested registry key that Volatility tried to enumerate, UserAssist in this case, was not found. That's okay; remember, there's no guarantees in memory forensics. Some stuff may be there, it may not be there, so don't freak out if you see an error message here and there as the memory image is trying to be enumerated. Notice the rudimentary timeline on the right side for a suspicious bunch of svchost processes, and notice we have a bunch of bad items this time, eight in total, whereas we had none in the disk image. And you'll notice it flagged Explorer and svchost.exe, which is always a favorite for malware authors. So clicking on any one of these will provide more detail as always, but particularly I would focus in on the svchost.exes, and I can tell you in this memory image there's definitely some wonky stuff going on with svchost. That path below the highlighted area there, you'll notice \Windows\svchost.exe; well, that's not the right path for svchost.exe, for sure. We can click on all these other tabs, though, to get additional information, and as before it's very self-explanatory. You'll notice user account related information and details, just pretty much anything that was able to be enumerated from the various Volatility plugins that were run.

We have execution history, we have information about startup items, various things like that. Of course I can expand any of the columns here so it fits. But again, startup items, nothing here; sessions, nothing here; and our Analysis Results, as you can see the score is bad, the confidence is high, and the software is correct, this is evil. Again, clearly evil, especially because of the name and path of that svchost.exe impostor process. But clicking on any one of these will give us more details below, and we can scroll through and click on any of these; very self-explanatory, very easy and user-friendly. So for Suspicious Items we have 10 things here that were flagged for various reasons; again, some of these are in fact evil. So looking at this one, we have notepad, we have smartscreen.exe, which is interesting because it's often flagged by malfind, as it was in the description as you can see here, and that is actually a false positive that malfind reports on every time. So interesting there; you can ignore that one. For Users we have the users that it was able to enumerate from the memory image, CTF being one of the main users. If we scroll down through here and start clicking on all of these various things, here's some network share related information which could be potentially useful to us, and as you can see we have a C: path here under Windows\System32\wbem. We have Programs Run, again program execution artifacts that were able to be derived from memory, which is very cool, things we've talked about in previous memory forensics episodes. No Web Artifacts; a few Startup Items, one of which is flagged as suspicious; no Triggered Tasks. Here is an awesome output of a tree-based list of our processes, which I really, really like; this is very, very easy, kind of like pstree if you will, but we have a GUI version of it where we can go in and look at the parent-child relationships and find anything that might be suspicious or bad. You'll notice the icons; like this one, for example, says bad, and again that's another one of our evil svchost.exe processes in this image. And as we continue to scroll down through this you'll notice again the yellow and the red icons, which represent the suspicious or bad items respectively. For Active Connections we actually do have some things here that we can expand; see a bunch of remote IP addresses here that we might want to take a look at, all on 80 and 443, some of these could for example be C2. Listening Ports might be of interest to us; you see a bunch of svchost.exe with the -k options here, which are probably legit, but again we would want to look through this stuff and verify. DNS Cache, Registry Entries, nothing here of interest; same with Files. Here's a timeline that it built for us based on time-based artifacts out of our memory image, all in UTC. Very cool that it makes a timeline for us, and very useful information here about process creation, ports that are opened, things that are run, active connections; very useful information. And for System Configuration, as before, it's pulled some things out of the memory image, most of which we already knew, but still very interesting information overall.

So that's Cyber Triage. We looked at a disk image and we looked at a memory image, and as you can see it's almost to the point of point-and-click forensics. You guys have heard me say this over and over and over again: I am NOT one to believe that you should just put software in front of a person with no forensics knowledge and have them click buttons and make assumptions about what has happened on a particular system. In other words, "I saw this thing called Prefetch and it says here that that means something ran, so clearly something ran on the system at this time." Well, while that may be true, if the analyst looking at it doesn't really understand the underlying meaning of any of these artifacts, that may not be so good. So I would recommend at least a basic understanding of what these forensic artifacts are before you go just click a button and have a tool output a bunch of stuff for you that you're expected to know what it is. You can't just click the "solve case" button and expect everything to be happy. That said, this software goes a long way to provide what I like to call a 30,000-foot view. It's basically a very high-level view that we can derive very quickly by simply opening a beautifully designed and really pretty GUI, clicking the Browse button, clicking on a disk image or a memory image as we just saw, and basically saying, show me some stuff here that may be evil and let me figure it out. There are different flavors of the tool available, and you can certainly download a free version and actually play around with it, and even the commercial versions are very competitively priced compared to other commercial tools that I've seen in this space. So I hope you found this information useful and I hope you will check this out. But that's it for now, so as always, thank you for watching, thank you for subscribing, and I will catch you in the next episode.