Creating a Toolkit for Live Incident Response Data Acquisition and Tips for Better Timeline Analysis
Jonathan Glass
[email protected]
Bio
• Originally from Roanoke, VA.
• Awesome Wife and Two Kids
• Hopeless tinkerer, maker, and security
professional.
• MCSA, MCSE, S+, CEH, CNDA, CISSP, GCIH, GAWN
Disclaimer
The Live Response Script presented here was
prepared for this presentation to frame the
discussion. Feel free to use it. While it is
functional on this demo vm, I make no
guarantees that it will work every time in every
environment. Use at your own risk.
Disclaimer
I do not claim to be an expert. This presentation
is meant to be a discussion of possible
techniques. If you know a better way to do
something, shout it out. I would love to hear it.
Objectives
• Motivation
• How Live Response Data Collection Works
– Drop script and tools on target
– Run tools in correct order to collect artifacts
– Securely send back to analysts.
– General Guidelines for Live Response
• An Overview of Artifacts to Collect
– What to Grab
– How to Grab It
– What to Do with It
• Forensic Timelines
– How to create
– Tips on Faster/Better Analysis and Summarization
Motivation
• Building your own script is a great way to understand forensic artifacts/tools.
• Adds context and verification of COTS tools
• Gives the analyst the ability to compare memory artifacts vs. live output vs. artifacts from the physical drive
– Malware/rootkits may attempt to mask processes and falsify the output of commands. It is hard to falsify numerous sources of redundant info.
– Everything means something
Live Response vs. Memory Analysis
• Memory Analysis is ideal for understanding
the current state of the machine but…
– Full Memory Dumps are Huge
• Not uncommon to see 8GB or 16GB of RAM in a
workstation. Takes time to dump, compress, and
encrypt memory dumps to be sent over a network.
• Solid State Drives are becoming the standard, even
though they have far less capacity than HDDs. There
might not be enough free space on the workstation to
dump memory.
General Guidance for
Live Response Scripts
• Communication should be encrypted to and from
target machine.
• Tread Lightly – The smaller footprint you create on a
remote machine, the less likely you are going to cause a
business interruption.
– Keep LR Packages small with only the tools you need.
– Be concise. Do not generate any more files than what is
absolutely necessary.
• Get In, Grab Stuff, and Get Out – Avoid processing
artifacts on the target machine.
• Don’t connect to a Target machine directly from your
workstation.
General Guidance for
Live Response Scripts
• Protect Privileged Domain Accounts during Live
Response
– Don’t use any kind of “Interactive Logon”
• Interactive Logons store password hashes as cached
credentials and in memory while you are logged on.
• This includes “Run As” from the command line.
– Use Temporary Admin Credentials
• Reset account passwords after acquisition or everyday.
– Limit the exposure of a compromised LR Account.
General Guidance for
Live Response Scripts
• Batch Programming, Visual Basic Scripting, and PowerShell are great native options to create Live Response Scripts
– Stick to native solutions unless you are going to compile your Python, Ruby, Perl or whatever into an executable…every time you make a change.
– Windows has a ton of built-in utilities for pulling a lot of forensically relevant information. Leverage those.
Live Response Data Collection
[Diagram: Analyst, Forensic Server and Target; the labelled step on the Target is "5. Runs Script"]
PsExec v2.1
• PsExec is a light-weight telnet-replacement that lets
you execute processes on other systems, complete with
full interactivity for console applications, without
having to manually install client software.
• http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
• New with Ver 2.1 – March 7, 2014
– enables you to execute programs on remote systems without
preinstalling an agent
– encrypts *all* communication between local and remote
systems.
– including the transmission of command information such as
the user name and password under which the remote
program executes.
7zip
• 7-Zip is an open source file archiver with a high compression ratio. GUI and command line options. GNU LGPL license.
• 7za.exe is the command line version
– Can use AES256 GPG Encryption
– High Compression is great for memory dumps and
other large files.
PsExec v2.1 + 7zip = Encrypted Communication
• Great way to transfer a collection package to a
machine, run apps with as System, and collect data
back to the analyst through a “secure” channel.
How this Example Script Works
[Diagram with the labels: LiveResponse.bat, CollectionScript.bat, 7za.exe, 127.0.0.1, TargetMachine.zip, Processes Collected Data, TargetMachine]
An Overview of Artifacts to Collect
What/Why To Collect
How To Collect It
What To Do With It
Artifacts to Collect
• Artifact to Grab
– Significance
– Location on Target
– Tools to Grab and/or Parse
– Batch File Example
Protected or Locked Files
• Significance
– The majority of the files needed for analysis are locked, open, or
protected.
• Location
– Everywhere
• Method To Grab / Parse
– VSS
• Shadowcopy
– http://www.runtime.org/shadow-copy.htm
• *HoboCopy
– http://hobocopy.cvs.sourceforge.net/viewvc/hobocopy/hobocopy/
– Low Level Disk Reading
• *RawCopy
– https://code.google.com/p/mft2csv/
• NTFSCopy
– https://www.tzworks.net/prototype_page.php?proto_id=9
• FGET – HBGARY(old)
– http://opensecurityresearch.com/files/FGET.zip
RawCopy
• Compiled AutoIt Script
• Console application that copies files off NTFS volumes by using a low level disk reading method.
• Will let you copy files that usually are not accessible because the system has locked them. For instance the registry hives like SYSTEM and SAM. Or files inside the "SYSTEM VOLUME INFORMATION". Or any file on the volume.
• Works best with the MFT record number.
Protected or Locked Files
Example:
FOR /F "tokens=*" %%G IN ('dir /b /a C:\Users\') DO (
  IF EXIST "C:\Users\%%G\NTUSER.DAT" (
    MD C:\windows\temp\lrscript\collecteddata\Registry\%%G\
    REM rawcopy reads the locked hive straight from disk; %ARC% selects the 32/64-bit build and is set earlier in the script
    C:\windows\temp\lrscript\lrtools\rawcopy%ARC%.exe "C:\Users\%%G\NTUSER.DAT" "C:\windows\temp\lrscript\collecteddata\Registry\%%G\"))
Physical Memory
• Significance
– Running processes and services, open network connections, ARP cache, web history, running malware/Trojans, unpacked/decrypted versions of protected programs, system information (e.g. time elapsed since last reboot), information about logged in users, decryption keys for encrypted volumes mounted at the time of the capture, and much more.
• Location on Target
– \\.\PhysicalMemory
• Method to Grab and Parse
– Grab
• WinDD
– http://sourceforge.net/projects/windd/
• Dumpit
– http://www.moonsols.com/wp-content/plugins/download-monitor/download.php?id=7
• *DD for Windows
– http://gnuwin32.sourceforge.net/packages/coreutils.htm
• Memoryze
– https://www.mandiant.com/resources/download/memoryze
– Parse
• *Volatility - https://code.google.com/p/volatility/
• Redline - https://www.mandiant.com/resources/download/redline
Physical Memory
REM **************BEGIN MEMORY DUMP*************
REM MEMGO is set and tested inside the same FOR block, so it must be read with delayed
REM expansion (!VAR!); %VAR% is expanded once when the whole block is parsed, before SET runs.
setlocal enabledelayedexpansion
echo Checking if there is enough free disk space to dump Memory
FOR /F "tokens=*" %%G IN ('cscript /nologo C:\windows\temp\lrscript\lrtools\MemCheck.vbs') DO (
  SET "MEMGO=%%G"
  IF "!MEMGO:~0,4!" == "GOOD" (
    echo Dumping Memory
    start /wait cmd /c "C:\Windows\Temp\lrscript\LRTools\MemoryDD.bat output=C:\Windows\Temp\lrscript\CollectedData"
  ) ELSE (
    echo "NOT ENOUGH FREESPACE FOR MEMORY Dump"
  )
)
REM Wait 30 seconds to give time for the memory dump to complete
PING -n 31 127.0.0.1>nul
endlocal
REM **************END MEMORY DUMP*************
Running Processes
• Significance
– Critical to almost all investigations
– Trivial to determine while online
– Very hard to piece together offline
• Locations on Target
– Memory, Physical Disk, Removable Media
• Method to Grab and/or Parse
– List
• WMIC.exe Process List Full
• *Volatility - pslist,pstree,psscan,dlllist,handles
– Grab
• ProcDump
– http://technet.microsoft.com/en-us/sysinternals/dd996900
• *Volatility – procexedump
Running Processes
• wmic process list full > C:\windows\temp\lrscript\collecteddata\processes\ProcessList.txt
• C:\windows\temp\lrscript\lrtools\pslist.exe -t > C:\windows\temp\lrscript\collecteddata\processes\ProcessTree.txt
• C:\windows\temp\lrscript\lrtools\handle.exe -asu > C:\windows\temp\lrscript\collecteddata\processes\Handles.txt
$MFT Master File Table
• Significance
– The single most important file in a NTFS file system.
– Contains record of the logical/physical size/location for all files on a NTFS volume.
– Contains metadata including: Created Date, Entry Modified Date, Accessed Date and Last Written Date.
– Contains security permissions for each file.
• Location on Target
– Logical: ROOT:\$MFT
– Physical: Location found in the MBR (first 512 bytes of the Volume)
• Method to Grab and Parse
– Need to be running with system level privs to gain direct access to $MFT
– Use *RunAsSystem https://code.google.com/p/mft2csv/ or PsExec http://technet.microsoft.com/en-us/sysinternals/bb897553
– Grab:
• *RawCopy https://code.google.com/p/mft2csv/
• *MFTDumper.py - https://github.com/Kvetch/Kludge-Collector/blob/master/collector/mftfinder.py
– Parse:
• *AnalyzeMFT - https://github.com/dkovar/analyzeMFT
• *ntfswalk - https://code.google.com/p/mft2csv/
$MFT Master File Table
REM **************BEGIN MFT DUMP*************
echo Running fls-live.exe to grab MFT data from all NTFS drives connected to the system.
REM BAM is set inside the FOR block, so its substring must be read with delayed expansion (!VAR!)
setlocal enabledelayedexpansion
FOR /F "tokens=*" %%A IN ('cscript /nologo C:\windows\temp\lrscript\lrtools\ListOfLocalDrives.vbs') DO (
  SET "BAM=%%A"
  start /wait cmd /c "C:\windows\temp\lrscript\lrtools\fls-live.exe %%A\ >> C:\Windows\Temp\lrscript\collecteddata\TimelineFiles\flsbodyfile.txt"
  mkdir C:\Windows\Temp\lrscript\collecteddata\MFT\!BAM:~0,1!\
  REM MFT record 0 of each volume is the $MFT itself, so rawcopy is given <drive letter>:0
  start /wait cmd /c "C:\windows\temp\lrscript\lrtools\rawcopy%ARC%.exe !BAM:~0,1!:0 C:\Windows\Temp\lrscript\collecteddata\MFT\!BAM:~0,1!\"
)
endlocal
REM **************END MFT DUMP*************
Registry
• Significance:
– Hierarchical “database” that contains system configuration information, and tracks a great deal of system and user activity. Much of that activity has some form of time stamp associated with it.
• Location on Target
– System
• C:\Windows\system32\config
• C:\Windows\system32\config\RegBack
– User
• C:\Users\user\NTUSER.DAT
• C:\Users\user\AppData\Local\Microsoft\Windows\USRCLASS.DAT
• Method to Grab and Parse
– Grab
• Locked file utilities
• Export using Reg
– Parse
• RegRipper
• Volatility
– hivescan,hivelist,printkey,hivedump,hashdump,lsadump,userassist
• Python
– https://github.com/williballenthin/python-registry
Registry
FOR /F "tokens=*" %%G IN ('dir /b /a C:\Users\') DO (
  IF EXIST "C:\Users\%%G\NTUSER.DAT" (
    MD C:\windows\temp\lrscript\collecteddata\Registry\%%G\
    C:\windows\temp\lrscript\lrtools\rawcopy%ARC%.exe "C:\Users\%%G\NTUSER.DAT" "C:\windows\temp\lrscript\collecteddata\Registry\%%G\"))
REM The system hives are locked while Windows runs, so they are read from disk with rawcopy rather than copied
for %%i in (SAM SECURITY SOFTWARE SYSTEM DEFAULT COMPONENTS BCDTEMPLATE) do (C:\windows\temp\lrscript\lrtools\rawcopy%ARC%.exe C:\WINDOWS\system32\config\%%i C:\windows\temp\lrscript\collecteddata\Registry\)
REM Logical exports with reg.exe complement the raw hive copies (HKCU is the account the script runs under)
c:\windows\system32\reg.exe export HKLM C:\windows\temp\lrscript\collecteddata\Registry\hklm.reg
c:\windows\system32\reg.exe export HKCU C:\windows\temp\lrscript\collecteddata\Registry\hkcu.reg
c:\windows\system32\reg.exe export HKCR C:\windows\temp\lrscript\collecteddata\Registry\hkcr.reg
c:\windows\system32\reg.exe export HKU C:\windows\temp\lrscript\collecteddata\Registry\hku.reg
c:\windows\system32\reg.exe export HKCC C:\windows\temp\lrscript\collecteddata\Registry\hkcc.reg
Index.dat
• Significance
– The cache INDEX.DAT file is a database of cache entries. It holds information relating to
individual cached items so that the browser can check whether the resource needs to
be updated (eTag) and information relating to the location of the cached item.
• Location on Target
– C:\Users\user\Roaming\Microsoft\Windows\Cookies\index.dat
– C:\Users\user\Roaming\Microsoft\Windows\Cookies\Low\index.dat
– C:\Users\user\Local\Microsoft\Windows\History\History.IE5\index.dat
– C:\Users\user\Local\Microsoft\Windows\History\History.IE5\Low\index.dat
– C:\Users\user\Local\Microsoft\Windows\History\History.IE5\index.dat\MSHistXXXXXXXXXXX\index.dat
– C:\Users\user\Local\Microsoft\Windows\History\History.IE5\Low\index.dat\MSHistXXXXXXXXXXX\index.dat
– C:\Users\user\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
– C:\Users\user\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
– C:\Users\user\Roaming\Microsoft\Internet Explorer\UserData\index.dat
– C:\Users\user\Roaming\Microsoft\Internet Explorer\UserData\Low\index.dat
Index.dat
• Grab
– Assume they are locked.
• Parse
– Perl - http://search.cpan.org/~ishigaki/Win32-UrlCache0.06/lib/Win32/UrlCache.pm
– id - https://tzworks.net/prototype_page.php?proto_id=6
Index.dat and other web history files
echo Grabbing Browser History Files
Set FilesToGrab=index.dat,*.dat,urlclassifier3.sqlite,index.sqlite,addons.sqlite,chromeappsstore.sqlite,content-prefs.sqlite,cookies.sqlite,downloads.sqlite,extensions.sqlite,permissions.sqlite,places.sqlite,search.sqlite,signons.sqlite,webappsstore.sqlite
REM The substitution turns the comma list into a quoted, space-separated list that FOR can iterate
for %%X in ("%FilesToGrab:,=" "%") do (
  for /f "tokens=*" %%a in ('dir /s /a /b c:\%%X') do (
    REM recursionPath.vbs returns the file's directory path so the original folder layout is preserved under WebHistory
    for /f "tokens=*" %%b in ('cscript /nologo C:\windows\temp\lrscript\lrtools\recursionPath.vbs "%%a"') do (
      mkdir "C:\windows\temp\lrscript\collecteddata\WebHistory%%b"
      C:\windows\temp\lrscript\lrtools\rawcopy%ARC%.exe "%%a" "C:\windows\temp\lrscript\collecteddata\WebHistory%%b"
    )
  )
)
Journal
• Significance
– The change journal is a component of NTFS that will, when enabled, record changes made to files and folders. The change journal records the time of the change, the affected file/directory, and the change type (e.g. delete, rename, size extend, etc.)
• Location on Target
– [root]\$Extend\$UsnJrnl:$J
– $J is an alternate data stream
• Method to Grab and Parse
– Grab
• Locked File
– Parse
• Windows Journal Parser
– https://github.com/jschicht/LogFileParser
Journal
FOR /F "tokens=*" %%A IN ('cscript /nologo C:\windows\temp\lrscript\lrtools\ListOfLocalDrives.vbs') DO (
  REM ifind -n returns the MFT entry number of the $J stream; rawcopy then reads it as <drive>:<record>
  FOR /F "tokens=*" %%B IN ('C:\windows\temp\lrscript\lrtools\ifind.exe -n /$Extend/$UsnJrnl:$J \\.\%%A:') DO (
    C:\windows\temp\lrscript\lrtools\rawcopy%ARC%.exe %%A:%%B C:\Windows\Temp\lrscript\collecteddata\MFT\
  )
)
Event Logs
• Significance
– Application, System, and Security
• Location on Target
– C:\Windows\system32\config
• Method to Grab and Parse
– Grab
• Locked File
– Parse
• GrokEVT is a set of forensics scripts designed to make sense of EVT logs for
investigations. Along with RegLookup, it is able to combine registry information
and event log templates to place EVT data in context.
• python-evtx
– http://www.williballenthin.com/evtx/
• LogParser
– http://technet.microsoft.com/en-us/scriptcenter/dd919274.aspx
• Windows Event Log Parser (evtwalk)
– https://tzworks.net/prototype_page.php?proto_id=25
Network Info
• Significance
– Current TCP and UDP connections are extremely
important to document while the machine is
running.
– Very hard to piece together after the fact without
external logs.
• Location on Target
– Memory
Network Info
• Method to Grab and Parse
– Grab
• “netstat -anto & wmic process get ProcessID,Name,CommandLine >netcon.txt”
– a Displays all connections and listening ports.
– n Displays addresses and port numbers in numerical form.
– t Displays the current connection offload state.
– o Displays the owning process ID associated with each connection.
• Volatility
– connections, connscan, sockets, netscan
Prefetch
• Significance
– Designed to boost the startup process of frequently launched applications
– Name of the executable, Unicode itemizations of the DLLs that the executable requires to function, timestamp of when the application was last launched, a count of the times that the executable has run.
• Location on Target
– %SystemRoot%\Prefetch\*.pf
• Method to Grab and Parse
– Grab
• Just copy them.
– Parse
• Windows Prefetch Parser (pf) - https://tzworks.net/prototype_page.php?proto_id=1
LNK Files
• Significance
– Created Date, Last Written Date, Last Accessed Date, Full
Path, Command Line, occasionally the MAC address
• Location on Target
– %APPDATA%\Microsoft\Windows\Recent\
– %APPDATA%\Roaming\Microsoft\Office\Recent\
– Desktop, etc...
• Method to Grab and Parse
– Windows LNK Parsing Utility (lp) https://tzworks.net/prototype_page.php?proto_id=11
• “dir /s /b C:\users\*.lnk | LP -pipe -csv >> results.csv”
– LNK Parser - https://code.google.com/p/lnk-parser/
USB Activity
• Significance
– Entry vector for bad stuff
– Exfil vector
• Location on Target
– HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
– HKLM\SYSTEM\CurrentControlSet\Enum\USB
– C:\Windows\inf\setupapi.dev.log
– NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
• Method to Grab and Parse
– Grab C:\Windows\inf\setupapi.dev.log and Registry Files
Recycle Bin
• Significance
– Many cases routinely require examination of the Recycle Bin
• Malware often operates from the Recycle Bin
• People delete stuff.
– $I files
• Bytes 0-7: $I File header "01 00 00 00 00 00 00 00".
• Bytes 8-15: Original file size – stored in hex, in little-endian.
• Bytes 16-23: Deleted date/time stamp – represented in number of seconds
since Midnight, January 1, 1601.
• Bytes 24-543: Original file path/name.
• Location on Target
– c:\$Recycle.Bin\%SID%
– %SID% is the SID of the user who deleted the file
• Method to Grab and Parse
– recbin.pl - Harlan Carvey
• https://winforensicaanalysis.googlecode.com/files/wfa3e.zip
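A parser for the $I record layout listed above, added here as an example; it is not the talk's script or recbin.pl. It follows the version-1 layout from the slide and, going beyond it, also accepts the version-2 record (Windows 10) whose path is length-prefixed; the deleted timestamp is decoded as a Windows FILETIME (100-nanosecond ticks since 1601-01-01, which is what the field actually holds rather than whole seconds), and the sample records are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME epoch: 1601-01-01 00:00:00 UTC, counted in 100-nanosecond ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (used only to build the constructed samples)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_file(data):
    """Parse one $Recycle.Bin $I record.

    Version 1 (Vista to 8.1): 8-byte header 01 00 00 00 00 00 00 00, 8-byte size,
    8-byte FILETIME, then a fixed 520-byte UTF-16LE path (260 chars, NUL padded).
    Version 2 (Windows 10+): same first 24 bytes, then a 4-byte path length in
    characters followed by the UTF-16LE path. Truncated records raise ValueError.
    """
    if len(data) < 24:
        raise ValueError("record too short for $I header")
    version, size, ftime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw_path = data[24:24 + 520]
        if len(raw_path) != 520:
            raise ValueError("truncated version-1 path field")
    elif version == 2:
        if len(data) < 28:
            raise ValueError("record too short for version-2 path length")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + nchars * 2]
        if len(raw_path) != nchars * 2:
            raise ValueError("truncated version-2 path field")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ftime), "original_path": path}


def build_i_file(path, size, deleted_at, version=1):
    """Build a constructed $I record (example data only, not taken from a real system)."""
    encoded = path.encode("utf-16-le")
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    if version == 1:
        if len(encoded) > 520:
            raise ValueError("path too long for version-1 record")
        return header + encoded.ljust(520, b"\x00")
    encoded += b"\x00\x00"  # version 2 counts a terminating NUL in the length
    return header + struct.pack("<I", len(encoded) // 2) + encoded


# Constructed samples: one record in each layout, same file and deletion time.
SAMPLE_DELETED_AT = datetime(2014, 3, 11, 20, 47, 7, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\user\Documents\report.docx"
SAMPLE_I_V1 = build_i_file(SAMPLE_PATH, 31_744, SAMPLE_DELETED_AT, version=1)
SAMPLE_I_V2 = build_i_file(SAMPLE_PATH, 31_744, SAMPLE_DELETED_AT, version=2)

if __name__ == "__main__":
    for record in (SAMPLE_I_V1, SAMPLE_I_V2):
        info = parse_i_file(record)
        # Same YYYY-MM-DD hh:mm:ss form the timeline uses, so the line drops straight into it
        print(info["deleted_at"].strftime("%Y-%m-%d %H:%M:%S"), "RECYCLEBIN",
              info["original_path"], info["original_size"], sep=",")
```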
Anti-Virus Logs/Quarantined Files
• Significance
– Logs give timestamps of last virus subscription update,
last scan, virus/quarantine activity
– Quarantined files are potentially malicious samples
that have been rendered inert.
• Location on Target
– Application Logs
– Vendor Specific
• Method to Grab and Parse
– Vendor Specific
Not an Exhaustive List
Add anything that you might find useful.
Now We Put It All Together
• DEMO!
“Super” Timeline Creation
Super Timeline?
• Grab any relevant log that has a timestamp
• Make sure they all are on the same time zone
(local vs. UTC) and format (YYYY/MM/DD
hh:mm:ss)
• Put them all in the one big file
• Sort
Setting up Your Machine for
Command Line Timeline Analysis
Useful Tools For Command Line
Timeline Analysis
• Linux or OSX command line
If you absolutely must use Windows for timeline analysis…
• GnuWin
– GnuWin provides ports of tools with a GNU or similar open source license, to modern MS Windows (Microsoft Windows 2000 / XP / 2003 / Vista / 2008 / 7)
– http://gnuwin32.sourceforge.net/packages.html
Useful GnuWin Packages
• Grep - searches one or more input files for lines
containing a match to a specified pattern.
– http://gnuwin32.sourceforge.net/packages/grep.htm
• CoreUtils - collection of basic file, shell and text manipulation utilities
– http://gnuwin32.sourceforge.net/packages/coreutils.htm
• Includes a ton of really useful timeline analysis commands like cat, cut, fold, head, join, nl, sort, tac, uniq, wc and a few others.
• Many of these tools are also included in the
Kludge source files
Make a Tools Folder and Update Path
• The %PATH% variable should be updated on regular and
elevated accounts if you are going to use either for timeline
analysis.
• Always append your Tools folder to the END of your PATH.
Do not prepend to the beginning.
Command Line Timeline Analysis Examples
Command Line Timeline Analysis
Determine the processes that were launched during a specific hour that do not have “Windows” in the file path:
c:\Incidents\DEMO\TLN>grep "2014-03-14\ 20" timeline.csv | grep "Microsoft-Windows-Security-Auditing/4688" | cut -d, -f1,10 | sort | uniq | grep -vi Windows
2014-03-14 20:05:01,C:\Tools\grep.exe
2014-03-14 20:05:13,C:\Tools\grep.exe
2014-03-14 20:06:36,C:\Tools\grep.exe
2014-03-14 20:31:39,C:\Tools\grep.exe
2014-03-14 20:39:02,C:\Tools\grep.exe
Command Line Timeline Analysis
Use simple regular expressions to help maximize your searches.
This example shows the event codes for when the Event Logging Service starts (6005) and stops (6006):
c:\DEMO\TLN>grep -iE "EventLog/600[5,6]" timeline.csv
2014-03-14 19:48:11,EVTX,TARGETMACHINE,,EventLog/6005;4;
2014-03-14 19:46:03,EVTX,TARGETMACHINE,,EventLog/6006;4;
2014-03-14 17:40:10,EVTX,TARGETMACHINE,,EventLog/6005;4;
2014-03-14 17:38:01,EVTX,TARGETMACHINE,,EventLog/6006;4;
2014-03-14 14:33:18,EVTX,TARGETMACHINE,,EventLog/6005;4;
2014-03-14 13:10:44,EVTX,TARGETMACHINE,,EventLog/6006;4;
2014-03-14 10:49:40,EVTX,TARGETMACHINE,,EventLog/6005;4;
2014-03-13 21:26:30,EVTX,TARGETMACHINE,,EventLog/6006;4;
2014-03-13 13:24:32,EVTX,TARGETMACHINE,,EventLog/6005;4;
Command Line Timeline Analysis
c:\DEMO\TLN>grep -E ",URL,|Content.IE5" timeline.csv | cut -d: -f1,2 | sort | uniq | cut -d" " -f1 | sort | uniq -c
136 2014-03-11
98 2014-03-12
53 2014-03-13
31 2014-03-14
This will give you a count of the unique minutes that web
history or temporary internet files were created and a
rough estimate of how long a user was actively browsing.
Great for when proxy logs are not available.
Command Line Timeline Analysis
Determine the logon times and user names for anyone that interactively
logged on to the system:
C:\DEMO>grep 2014-03-11 timeline.csv | grep "Microsoft-Windows-Security-Auditing/4624" | cut -d, -f1,10,13 | grep -E ",2$|,11$" | sort | uniq
2014-03-11 12:10:09,DAVESTRUM,11
2014-03-11 12:50:46,DAVESTRUMADMIN,11
2014-03-11 12:59:56,DAVESTRUMADMIN,11
2014-03-11 14:20:45,DAVESTRUMADMIN,11
2014-03-11 14:21:24,DAVESTRUMADMIN,11
2014-03-11 15:16:01,DAVESTRUM,11
2014-03-11 20:39:38,DAVESTRUMADMIN,11
2014-03-11 20:42:22,DAVESTRUMADMIN,11
2014-03-11 20:47:07,DAVESTRUM,2
2014-03-11 20:47:08,DAVESTRUM,2
BUT THIS STILL DOESN’T READ ALL THAT WELL
Command Line Timeline Analysis
LABEL, SEPARATE, and COMBINE YOUR FINDINGS
C:\DEMO>grep 2014-03-11 timeline.csv | grep "Microsoft-Windows-Security-Auditing/4624" | cut -d, -f1,10,13 | grep -E ",2$|,11$" | sort | uniq > logontimes.txt & FOR /F "delims=" %i IN ('type logontimes.txt') DO @echo %i LOGON >> FINDINGS.TXT
C:\DEMO>grep 2014-03-11 timeline.csv | grep "Microsoft-Windows-Security-Auditing/4647" | cut -d, -f1,6 | sort | uniq > logofftimes.txt & FOR /F "delims=" %i IN ('type logofftimes.txt') DO @echo %i LOGOFF >> FINDINGS.TXT
C:\DEMO> type FINDINGS.TXT | sort
2014-03-11 12:10:09,DAVESTRUM,11 LOGON
2014-03-11 12:50:46,DAVESTRUMADMIN,11 LOGON
2014-03-11 12:59:56,DAVESTRUMADMIN,11 LOGON
2014-03-11 14:20:45,DAVESTRUMADMIN,11 LOGON
2014-03-11 14:21:24,DAVESTRUMADMIN,11 LOGON
2014-03-11 15:06:43,DAVESTRUM LOGOFF
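The LOGON/LOGOFF labelling from the pipelines above, carried through in Python as an added example (not the talk's commands) so the filter logic is explicit: only logon types 2 (Interactive) and 11 (CachedInteractive) are kept, the 4624 and 4647 findings are merged and sorted the way FINDINGS.TXT is, and each logon is then paired with the account's next logoff as a summary step. The timeline.csv excerpt is constructed; its column positions follow the cut -f fields the talk uses, and the remaining columns are assumed filler.

```python
SECURITY_4624 = "Microsoft-Windows-Security-Auditing/4624"  # successful logon
SECURITY_4647 = "Microsoft-Windows-Security-Auditing/4647"  # user-initiated logoff
INTERACTIVE_TYPES = {"2", "11"}  # 2 = Interactive, 11 = CachedInteractive (grep -E ",2$|,11$")

# Constructed timeline.csv excerpt (not a real export). Field 1 is the timestamp; on 4624
# lines field 10 is the account and field 13 the logon type; on 4647 lines field 6 is the
# account. Everything else is filler chosen for the example.
SAMPLE_TIMELINE = """\
2014-03-11 12:10:09,EVTX,TARGETMACHINE,,Microsoft-Windows-Security-Auditing/4624;4;,,-,-,-,DAVESTRUM,WORKGROUP,-,11
2014-03-11 12:50:46,EVTX,TARGETMACHINE,,Microsoft-Windows-Security-Auditing/4624;4;,,-,-,-,DAVESTRUMADMIN,WORKGROUP,-,11
2014-03-11 13:02:17,EVTX,TARGETMACHINE,,Microsoft-Windows-Security-Auditing/4624;4;,,-,-,-,SVCBACKUP,WORKGROUP,-,5
2014-03-11 15:06:43,EVTX,TARGETMACHINE,,Microsoft-Windows-Security-Auditing/4647;4;,DAVESTRUM
2014-03-11 20:47:07,EVTX,TARGETMACHINE,,Microsoft-Windows-Security-Auditing/4624;4;,,-,-,-,DAVESTRUM,WORKGROUP,-,2
2014-03-12 08:00:01,EVTX,TARGETMACHINE,,Microsoft-Windows-Security-Auditing/4624;4;,,-,-,-,DAVESTRUM,WORKGROUP,-,2
2014-03-11 12:10:09,EVTX,TARGETMACHINE,,Microsoft-Windows-Security-Auditing/4624;4;,,-,-,-,DAVESTRUM,WORKGROUP,-,11
"""


def label_findings(timeline_text, day):
    """grep <day> | grep <event> | cut | sort | uniq for 4624 and 4647, then the combined sort.

    Returns the lines FINDINGS.TXT would hold, deduplicated and ordered by timestamp.
    """
    findings = set()
    for line in timeline_text.splitlines():
        if not line.startswith(day):  # grep 2014-03-11 (timestamp is the first field)
            continue
        fields = line.split(",")  # cut -d,
        if SECURITY_4624 in line and len(fields) >= 13:
            if fields[12] in INTERACTIVE_TYPES:  # service/network logons (types 5, 3, ...) drop out
                findings.add(f"{fields[0]},{fields[9]},{fields[12]} LOGON")
        elif SECURITY_4647 in line and len(fields) >= 6:
            findings.add(f"{fields[0]},{fields[5]} LOGOFF")
    return sorted(findings)


def pair_sessions(findings):
    """Pair each account's earliest unmatched LOGON with its next LOGOFF.

    Repeated logons before a logoff (type 11 followed by type 2, for example)
    collapse into one session; a logon with no later logoff stays open.
    """
    open_logons, sessions = {}, []
    for entry in findings:
        stamped, label = entry.rsplit(" ", 1)
        when, account = stamped.split(",")[:2]
        if label == "LOGON":
            open_logons.setdefault(account, when)
        elif account in open_logons:
            sessions.append((account, open_logons.pop(account), when))
    return sessions


if __name__ == "__main__":
    labelled = label_findings(SAMPLE_TIMELINE, "2014-03-11")
    print("\n".join(labelled))
    for account, start, end in pair_sessions(labelled):
        print(f"{account}: {start} -> {end}")
```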
Will post the script and Tools shortly….
Questions?