Yes guys-- sorry it took a while. Been busy with work and vacation (my desktop in the video is a photo from Iceland!)
In this one I feel like I ramble a bit, so here is a quick rundown for those with better things to do:
- I am using Mandiant's Highlighter tool to parse through the log file. This tool seems very flexible and there are many additional features I did not highlight (see what I did there??) in the video. Check out the tool yourself at Mandiant's website.
- The Prefetch Parser is the tool I used to parse the prefetch from the victim machine. This is from RedWolf Computer Forensics.
- Baselining is a very important aspect of IR. If you know how your network normally operates and how the software you run interacts with the OS, it becomes much easier to pick out the abnormal instances.
- The TEMP and Prefetch directories have been storehouses for malware for as long as I can remember. Even meterpreter, which sits in memory, needs to leave a footprint -somewhere-. When doing an investigation always look at these two locations (SHAMELESS PLUG: my PowerShell script does this for both Vista/7).
So if you fear a meterpreter session in your workplace, take heart that all is not lost; there are still places to find traces of it! Of course, if the attacker tries to maintain persistence then you know there will be traces on the filesystem/registry. Timeline analysis could be very useful here as well, and again I cannot stress memory dumps enough.
Few things to keep in mind...
1) Highlighter is a great tool to have in your toolkit (as long as you have it installed prior), but note that you need adequate RAM on your system, since when you filter out lines it displays a "temp" view of the file and uses RAM for storing the actual file... this can be overcome by saving the changes as you're working through. Another useful feature is that instead of going line by line to exclude things you can import a list of what you want to exclude right off the bat.
2) Prefetch can be a goldmine, especially in malware cases, but you also have to know the default settings for the Windows OS you're investigating, i.e. Server 2k3 is set to only do "boot prefetching" and SSDs have it disabled by default. Useful tidbits to know since, as Harlan says, "the absence of an artifact where you expect to find one is itself an artifact." -> really love that quote.
Keep up the posts!
Excellent points Glenn! I definitely like the idea of having a list of files/processes that are 'white noise' so it immediately removes them.
:: thumbs up ::