Sniper Forensics v3.0 Hunt Presented by: Christopher Pogue, CISSP, CEH, CREA, GFCA, QSA Managing Consultant SpiderLabs Incident Response and Digital Forensics
Who Am I? Managing Consultant for the Trustwave SpiderLabs Master's degree in Information Security Author of Unix and Linux Forensic Analysis by Syngress Author of the award winning blog, The Digital Standard Chosen as a SANS Thought Leader in 2010 Member of the USSS Electronic Crimes Task Force Speaker @ SANS DFIR '09, '10, '11, '12, The Computer Forensics Show '09 and '10, Direct Response Forum '09, SecTor '09, '10, '11, '12, USSS ECTF Miami, Dallas, The Next HOPE '10, BSIDESLV '10, DEF CON 18 & 20, LM Connect '10, GFIRST '11, '12, SecureTech '11 and Career Day at my kids' school. Former US Army Signal Corps Warrant Officer
Thank You Dan Christensen! http://dcdrawings.blogspot.com/
Thank You MAJ Carole Newell I think Twitter handle: @cpbeefcake
TheDigitalStandard.Blogspot.com
Agenda Recap What is Sniper Forensics? The Evolution of Sniper Forensics What are the benefits of using Sniper Forensics? Testimonials Indicators of Compromise 1000 yard stare In the Cross Hairs Lethal Forensication Case Studies Conclusion
The Evolution of: Sniper Forensics The process of taking a targeted, deliberate approach to forensic investigations: Create an investigation plan Apply sound logic Locard's Exchange Principle Occam's Razor The Alexiou Principle Extract what needs to be extracted, nothing more Allow the data to provide the answers Report on what was done Answer the questions
Sniper Forensics V2.0: Target Acquisition What do I snipe? Registry Hives SAM Security System Software NTUSER.DAT How do I actually DO that? Manually via FTK using F-Response Script it How do I interpret the data? Infiltration Aggregation Exfiltration
Sniper Forensics v3.0: Hunt Identify Indicators of Compromise (IOC) 1000 yard stare In The Cross Hairs Lethal Forensication Endgame
Benefits Don't Take My Word For it! Sniper Forensics is the only methodology worth using. That's something the monolithic drive imaging shops don't want to hear. It will beat them to the results and help to stop the bleeding faster every time. - Nicholas J. Percoco - Senior Vice President, Trustwave SpiderLabs - @c7five
Benefits Don't Take My Word For it! Sniper Forensics rocks because its foundation lies in logic. Try it, you will thank us later! - Jibran Ilyas - Senior Security Consultant, SpiderLabs DFIR Team - @JibranIlyas
Benefits Don't Take My Word For it! Chris' Sniper Forensics Series teaches something much more important than simple technical skills. It teaches the investigative process and how to keep your eye on the ball. Too many investigators, digital or otherwise, get bogged down and sidetracked with the massive quantities of information. Chris's methodology perfectly illustrates the methods investigators should be using to limit the scope of their engagements. - Larry "Lee" Sult - Security Analyst, SpiderLabs DFIR Team - CyberFrontSecurity.blogspot.com
Benefits Don't Take My Word For it! Look, digital forensics is getting more complicated, not less complicated. The old school forensics methodology does not work on mobile and embedded devices, and you're not going to image the cloud. Sniper Forensics is the embodiment of how forensic cases will be worked in the future. Know what you need to solve the case and go get it. - Grayson Lenik - Security Consultant, SpiderLabs DFIR Team - Author of the award winning blog, EyeOnForensics - @handlefree
Benefits Don't Take My Word For it! During a major breach, there is no plan B. Chris's presentations on Sniper Forensics are the result of his time spent on the front lines in the field. If you are looking to equip your team with what they really need, Sniper Forensics details special ops TTPs that make a clear difference. - Rob Lee - Forensics Curriculum Lead, SANS Institute - @RobtLee * TTP = Tactics, Techniques, and Procedures
Indicators of Compromise What is different in the eyes of a hunter? They know what they are looking for Valuable past experience They know what it looks like when they find it They do not hesitate to pull the trigger
Indicators of Compromise [five image slides: a hoof print, a burned wall, a bullet, a cake ball, a comic book]
Indicators of Compromise What do all of these images have in common? Hoof print Burned Wall Bullet Cake Ball Comic Book
Indicators of Compromise To the untrained eye, they seem like one of hundreds of thousands of images we see every day. To the expert eye, they hold significant value. Hoof print: deer track. Burned wall: evidence of the use of a liquid fire accelerant. Bullet: .38 caliber round. Cake ball: red velvet cake ball with an almond bark exterior. Comic book: Spiderman issue #1.
1000 Yard Stare As practitioners of digital forensics, we are the expert eyes of the cyber crime world Arguably the most difficult of all forensic disciplines Constantly changing and evolving data sample Very real, very proactive adversary, with extensive resources and time Thousands of hiding places
1000 Yard Stare Study the terrain What is normal Research Experience Study the target Why is it a target? What value does the target hold? What weakness does the target possess? Study the enemy Learn his behaviors Where does he operate? How does he operate? Why does he operate?
In The Cross Hairs All malware has specific components Propagation Mechanism Aggregation Mechanism Encoding (not encryption) Exfiltration Remote Access
In The Cross Hairs How do those components work? How would a memory dumper, dump memory? Would it dump the entire contents of memory? Would it dump the memory from a specific process? How would a keylogger log keystrokes? Would log the input from a specific device? Would it gather screenshots? How would a network sniffer operate? What critical elements HAVE to be in place? How can you tell?
Lethal Forensication Indicators of Compromise All types of malware have to do three things: Live Run Generate output Once you identify what is being done and how, you can use that IOC on the current case, or future cases (i.e., build a database of known IOCs).
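The "In The Cross Hairs" questions above (what critical elements HAVE to be in place for a memory dumper, a keylogger or a sniffer, and how can you tell?) and the "Live / Run / Generate output" rule from this slide can be turned into a first-pass triage script. The following is an added example, not code from the presentation or from SpiderLabs: it pulls printable strings out of a binary the way `strings` does, then asks whether the Win32 imports a given component cannot work without are all present. The import names are real Win32 exports; the groupings, the rule set and the sample "binaries" (byte blobs built inline, not real malware) are this example's own assumptions.

```python
import re
from typing import Dict, List, Set

MIN_LEN = 4
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)


def extract_strings(blob: bytes) -> Set[str]:
    """Return the printable ASCII strings in a blob, like `strings` would."""
    return {m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)}


# For each capability, every inner set is an "any of these" group and ALL
# groups must be satisfied. A memory scraper has to open another process and
# read its memory; a keylogger has to hook input or poll key state; a sniffer
# has to obtain a socket and switch it to raw/promiscuous mode via an ioctl.
# Assumption: this minimal rule set is the example's own, not an exhaustive one.
CAPABILITIES: Dict[str, List[Set[str]]] = {
    "memory dumper": [
        {"OpenProcess"},
        {"ReadProcessMemory", "NtReadVirtualMemory"},
    ],
    "keylogger": [
        {"SetWindowsHookExA", "SetWindowsHookExW", "GetAsyncKeyState",
         "RegisterRawInputDevices"},
    ],
    "network sniffer": [
        {"WSASocketA", "WSASocketW", "socket"},
        {"WSAIoctl", "ioctlsocket"},
    ],
}

# "Generate output": collected data has to land somewhere, on disk or on the wire.
OUTPUT = {"WriteFile", "CreateFileA", "CreateFileW", "fopen", "fwrite"}
EXFIL = {"send", "WSASend", "InternetOpenUrlA", "InternetOpenUrlW",
         "HttpSendRequestA", "HttpSendRequestW", "URLDownloadToFileA"}


def classify(blob: bytes) -> List[str]:
    """Name the collection capabilities a binary has the building blocks for.
    Output/exfil APIs are only reported alongside a collection capability,
    because every benign editor also writes files."""
    found = extract_strings(blob)
    hits = [name for name, groups in CAPABILITIES.items()
            if all(group & found for group in groups)]
    if hits and OUTPUT & found:
        hits.append("writes output to disk")
    if hits and EXFIL & found:
        hits.append("network exfiltration")
    return hits


def fake_binary(imports: List[str]) -> bytes:
    """Constructed stand-in for a PE file: a stub header plus an import-name
    table separated by NULs. Not a real executable."""
    body = b"\x00".join(i.encode("ascii") for i in imports)
    return b"MZ\x90\x00\x03\x00" + b"\x00" * 16 + body + b"\x00"


# Constructed samples (assumption: these are illustrative, not real files).
SAMPLES: Dict[str, bytes] = {
    "scraper.exe": fake_binary(["kernel32.dll", "OpenProcess",
                                "ReadProcessMemory", "CreateFileA", "WriteFile"]),
    "kbd.exe": fake_binary(["user32.dll", "SetWindowsHookExA", "CallNextHookEx",
                            "kernel32.dll", "CreateFileW", "WriteFile",
                            "wininet.dll", "HttpSendRequestA"]),
    "cap.exe": fake_binary(["ws2_32.dll", "WSASocketA", "WSAIoctl", "recv", "send"]),
    "editor.exe": fake_binary(["kernel32.dll", "CreateFileA", "WriteFile",
                               "user32.dll", "MessageBoxA"]),
}


def triage(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run classify() over a set of binaries; empty lists are the quiet ones."""
    return {name: classify(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, caps in triage(SAMPLES).items():
        print(f"{name:12s} {', '.join(caps) or '-'}")
```

A hit here is a lead, not a verdict: legitimate backup agents open processes and debuggers read memory. The point is the slide's one: know which elements must exist for the component to run at all, check for exactly those, and record the pattern so the next case starts with it.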
Lethal Forensication Once you know what the enemy looks like, and how he acts, it becomes exponentially easier to identify: The Likely Target The Likely means of Infiltration The Likely means of Aggregation The Likely means of Exfiltration
Case Studies What's wrong with this picture? Two processes called OPS.exe Which one is legitimate, and which is not? How can I tell? What can I logically conclude from this finding?
Case Studies What's wrong with this picture? Two DLLs called webcheck.dll Which one is legitimate, and which is not? How can I tell? What can I logically conclude from this finding?
Case Studies What's wrong with this picture? Is svchost.exe a legitimate binary name? Is there a problem with this one? How can I tell? What can I logically conclude from this finding?
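The three case studies share one answer to "How can I tell?": compare what you see against what normal looks like. The following is an added example, not code from the presentation, that encodes that comparison for a process listing and a loaded-module listing: a name with a known home (svchost.exe, services.exe, webcheck.dll) found somewhere else, a name with no baseline entry (OPS.exe) running from two different directories, and a system binary with the wrong parent. The facts relied on are that svchost.exe lives under System32 or SysWOW64 and is started by services.exe; the tiny allowlist, the rule names and the process/module data are constructed assumptions, standing in for the known-good/IOC database the slides say a hunter builds up over cases.

```python
import ntpath
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str
    path: str


class Module(NamedTuple):
    pid: int    # process the DLL is loaded in
    name: str
    path: str


Finding = Tuple[int, str, str]   # (pid, rule, detail)

# Baseline of "what normal looks like". Assumption: deliberately tiny; a real
# hunt draws this from a maintained known-good / IOC database.
KNOWN_DIRS: Dict[str, Set[str]] = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "services.exe": {r"c:\windows\system32"},
    "webcheck.dll": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
EXPECTED_PARENT: Dict[str, str] = {"svchost.exe": "services.exe"}


def directory(path: str) -> str:
    """Case-folded, backslash-normalised parent directory of a Windows path."""
    return ntpath.dirname(ntpath.normcase(path))


def check_locations(items) -> List[Finding]:
    """Rule 1: a binary or DLL with a known home found somewhere else."""
    out = []
    for it in items:
        allowed = KNOWN_DIRS.get(it.name.lower())
        if allowed is not None and directory(it.path) not in allowed:
            out.append((it.pid, "outside expected location", f"{it.name} at {it.path}"))
    return out


def check_collisions(items) -> List[Finding]:
    """Rule 2: one name, two directories, and no baseline to say which is
    right. Every copy goes to the analyst for adjudication."""
    by_name = defaultdict(set)
    for it in items:
        by_name[it.name.lower()].add(directory(it.path))
    out = []
    for it in items:
        n = it.name.lower()
        if n not in KNOWN_DIRS and len(by_name[n]) > 1:
            others = sorted(by_name[n] - {directory(it.path)})
            out.append((it.pid, "name collision", f"{it.name} at {it.path}; also seen in {others}"))
    return out


def check_parents(procs: List[Proc]) -> List[Finding]:
    """Rule 3: a system binary started by the wrong parent."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for p in procs:
        want = EXPECTED_PARENT.get(p.name.lower())
        if want is None:
            continue
        parent = by_pid.get(p.ppid)
        got = parent.name.lower() if parent else "<missing>"
        if got != want:
            out.append((p.pid, "unexpected parent",
                        f"{p.name} started by {got} (pid {p.ppid}), expected {want}"))
    return out


def hunt(procs: List[Proc], mods: List[Module]) -> List[Finding]:
    """Run every rule over both listings; sorted so output is deterministic."""
    return sorted(check_locations(procs) + check_locations(mods)
                  + check_collisions(procs) + check_collisions(mods)
                  + check_parents(procs))


# Constructed listings (assumption: illustrative, not from a real case).
PROCESSES = [
    Proc(500, 400, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(600, 500, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(800, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(1200, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(2200, 2100, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(1500, 2200, "OPS.exe", r"C:\Program Files\Vendor\OPS.exe"),
    Proc(1700, 2200, "OPS.exe", r"C:\Windows\Temp\OPS.exe"),
    Proc(3100, 2200, "svchost.exe", r"C:\Users\Public\svchost.exe"),
]
MODULES = [
    Module(800, "webcheck.dll", r"C:\Windows\System32\webcheck.dll"),
    Module(1500, "webcheck.dll", r"C:\Windows\System32\webcheck.dll"),
    Module(1700, "webcheck.dll", r"C:\Windows\Temp\webcheck.dll"),
]

if __name__ == "__main__":
    for pid, rule, detail in hunt(PROCESSES, MODULES):
        print(f"pid {pid:5d}  {rule:26s} {detail}")
```

The logical conclusion the slides ask for falls out of which rules fire together: the svchost.exe under C:\Users\Public fails both the location and the parent check, and the OPS.exe copy in C:\Windows\Temp is the one that also carries the out-of-place webcheck.dll, so it, not its sibling under Program Files, is where the infiltration question starts.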
Conclusion To have the expert eyes of a hunter, you MUST: Put in the chair time What is normal What is abnormal Study your target Why are they likely a target What do they have that is worth stealing Study the enemy What are they doing How are they doing it What are the current trends Where can you foresee it going
Final Thought Is this merely a laptop? OR Is it an investigation tool in the hands of an expert?
Questions? cepogue@trustwave.com @cpbeefcake