
...and on-site support to clients around the world. Dave is also an unrecovered Lions fan, and believing in the eventual possibility of a playoff spot has doubtless given him the strength of will and character to continue working towards our eventual total victory over the forces of network evil. Ladies, gentlemen and assorted security professionals, please give a warm, it's-almost-party-o'clock welcome to David Trollman. [Applause]

All right, can you guys hear me? You hear me all right? All right, thanks. I appreciate it. I know I'm the last speaker, I know I'm a last-minute substitute, but I'm happy to be here. So yeah, I'll be honest: this is the most professional slide of the whole deck, so it just goes south from here. So yeah, my name is Dave Trollman. I'm the director of incident response for AccessData, Resolution1, Centric, whatever you want me to be; I'll direct and incident respond. So just a quick disclaimer, because everybody has to have some sort of disclaimer, so I'm going to sling mine: all opinions and thoughts are my own. I use a lot of memes; it's not for profit, it's definitely not used for the profit of Scumbag Steve there. If I fail to shout out to someone's tool it's unintentional. I love tools. I am a tool.

So just a quick overview of what I'm going to talk about today. I'm going to walk you through a quick scenario; if anybody's actually done incident response for a while they've probably had a similar type of scenario happen to them. I'm going to talk a little bit about why I think speed is greater than forensic soundness. That's kind of, I don't know, blasphemy at AccessData right now, but it is what it is. I'll give you kind of a list of things that I would grab if I'm in the middle of an incident and I just want to go home, talk a little bit about what the odds are of systems that are compromised, and when they're compromised, how they're being popped. And then I'm going to give a list of the tools that I'm going to use for the demo, and then, God willing, I'm going to do a demo. And then lastly I'll finish up with just kind of a reality check. Obviously demos, if they work well, look really polished and really good, but the reality is that this stuff goes sideways really quickly.

So just some quick... so right off the bat: you're enjoying your day, it's 4 o'clock, it's 3 in the afternoon, you're getting ready to leave, and then a van like this rolls up, and then homeboy like this comes walking out of the van. And then your first thought might be, okay man, time to be cool, I'm here celebrating Earth Day. But in reality you're about to become one of those 4% of people that have to work on a Friday. And it's always Friday, it's always 3 p.m., it's always right before maybe a three-day weekend or a holiday or something like that that [ __ ] starts to go sideways. And so what I'm going to talk about is what you can do to get yourself up and running and get rocking and rolling.

But before I dig into that I really want to dig into why I think speed in incident response is more important than forensic soundness. I'll just be honest: your job as an incident responder is usually to get [ __ ] back up and running. If you're a firefighter, a firefighter doesn't stop at the house and say, "nobody move, nobody breathe, I've got to figure out who set the fire." In reality a firefighter goes in and tries to save people, save property, do that kind of work. You're kind of in the same situation, but generally you're going to be fatter, whiter and not as fit. So, that's a joke. Howdy.

But the deal is, your important job is to get the system back up and running, get your company back up and running. It's not to go to court, and let's be honest, you are not going to testify about forensic techniques in court. I've been doing this, like the bio says, for 10 years; I've never had to go to court, I've never had to testify in court. And a lot of times if you're working with the feds they've already got some sort of data that's legally admissible, through whatever wiretaps or whatever the hell they're doing, to have identified you as a possible victim. So if you go and start running tools on your boxes, yeah, they're probably going to get pissed at you because you didn't collect an image or something like that. But the fact of the matter is, they're the FBI, they want taxes, so they want to keep your company in business so you can pay taxes.

A lot of people will say, you know, step one, collect the full disk image. That's a waste of time, it takes forever. How many guys have done a full disk image before? Yeah, it blows, it takes forever, and to be honest with you it doesn't really capture the information that you really need during an incident. What you end up doing is you collect a bunch of disk images and then you're just sorting through files willy-nilly with kind of no concept of where you're wanting to go or what you're wanting to collect. So I'm going to talk to you a little bit about five things that I would collect, and it doesn't involve a full disk image. If you want to, I can do a full disk image after this and we can talk tomorrow when it's done, but in reality I'm going to do this demo in 30 minutes.

And I mean the bottom line again is you really do need to get your [ __ ] back up and running; that's the most important part of incident response. But at the same time, a lot of folks will just say, hey, just wipe the box and keep moving, but that doesn't really get you any information either. So these simple tools you can run take about 30 minutes to get all the data, and then call it a day, go ahead and wipe the box, and you've got some good data that can help you attribute the attack, figure out what's going on, and then, more importantly, stop the rest of the attack so you don't have to burn down your entire infrastructure.

So, playing the odds. I'm just going to guess here that most of the time it's going to be a Windows box. I know somebody came up here yesterday and said there's a [ __ ] ton of malware for OS X; that is true. Chances are, though, attackers are going to go after your Windows boxes, especially if they're moving laterally through your network or something like that; it's going to be on a Windows box. Chances are, if the box has been popped, it's going to be a server or it's going to be a VIP, you know, one of those VIPs that has one of those nice, really Gucci 13-inch Dell XPS boxes that they never want to go home with. There's a good chance that the box that you're dealing with is not the only box that's pwned on your network. So that's another important fact: if you just wipe that box, if it's patient four, then patients three, two, one and zero are still out there. So you need to gather, not a full disk image worth of data, but you need to gather some data that's going to help you figure out where that attack came from.

And then finally, when it comes to attack vectors, there's really only a handful of attack vectors that are really valid in terms of finding how the system got compromised, and this is going to help you in your investigation. There's going to be a phishing attack, it's going to be a web server compromise, it's going to be maybe a browser exploit. Everybody patches Java all the time, right? Yeah, okay, yeah, well, you guys are all excited here, but yeah, nobody patches Java. And then the last part is you have a misconfig or a default password. Chances are you want to know that, because chances are there are other systems that are misconfigured or have a default password that you want to know about and look for on your network. But you have to get that information first to find out how the attack came through.

Oh, and by the way, this is just really simple: don't shut off the system. Don't be a [ __ ]. And this is also another part of this: if it is a VIP's box, or if the feds showed up, chances are you've got a lawyer there, and usually you're not allowed to talk to the FBI; it's a lawyer that talks to the FBI for you. That person, and then probably a C-level person, are there, and they're completely freaking out. So the first thing they're going to do is shut off the system; they're going to tell you to shut off the system. Don't do that. They're going to start googling around and they're going to say, hey dude, let's download Malwarebytes and we'll be good. Or they're going to stumble upon some crap like Super Antivirus XP 2015, which is totally legit, and download that and try to run that. And we've had a couple of cases where clients have called us and said, hey, I downloaded this janky XP Antivirus 2012 and now all my files are encrypted, what should I do? You hit yourself in the head with a ball-peen hammer because you're a [ __ ].

And then the second thing, the third thing I would say there is, don't start deleting [ __ ] willy-nilly. That's another thing a lot of people do: they run some sort of tool and it tells them they've got malware, and they just start deleting everything in their System32 folder, or they do something and start deleting files left and right. At that point, yeah, I am probably going to have to pull a disk image, because I'm going to find something in the MFT or in memory and it's not on disk anymore because you deleted it, so now I'm going to have to go pull it out of slack space. So thanks for that. And then lastly, don't freak out. Again, firefighters don't freak out; you are the fatter, whiter version of a firefighter, so be the calm in the storm. And that's hard to... it's easy to say in a presentation, but it's hard to practice in real life.

So, what I grab. Generally I'm just going to grab five things: I'm going to grab the running memory, the page file, the master file tables, the registry and the event logs. That's all I need, and you're going to see here in the demo that it doesn't take that long to get all that information. So, running memory: a lot of folks will say, oh, you need to run Sysinternals tools to go collect all this information. Nowadays, with Volatility, you just grab that memory and you can get all that information out, so you can get ARP tables and all that crap. So just grab the memory. Page file: it's a little bit tough, you can't do much with it, but there is some value in there; you can see stuff that might have been loaded or hanging in memory virtually. Master file tables is obvious. A lot of systems, as they're set up, they've got a C partition and then they've got all the files, and the C partition's hosting mostly just the operating system, so it's like 32 gigs, maybe 50 gigs; all the actual good data is in like D. Grab all those master file tables, and I'll show you how easy it is with some of these tools to just point the tool at that particular partition and grab that file table. Registry is kind of an obvious one. Most malware is going to hide in the registry, so you want to grab a copy of it. I'm going to show you: there's not really a clean way to do registry collection still. There's no "just dump memory," and nobody usually goes and starts mucking around with reg files and that sort of thing, so I'm going to show you just a couple of quick techniques to do that. And then lastly, event logs. If all else fails, and if your box is patient 10 of the attack, event logs are usually going to be the only way that you know that that system was logged into, or where the login came from, or something like that. So a lot of times when you have no other information, event logs are what's going to get you through and help you figure out and map the attack.

So get your cameras ready, because I'm going to throw up a screenshot after this showing kind of the tools I'm going to use for the demo. So I'll give you guys a second to whip out your cameras, like this creep. All right. So the tools I'm going to use. To collect live memory I'm going to use a tool called winpmem; it comes from Rekall, with a K, just like the super sweet movie with Colin Farrell, Total Recall, with a K. The second tool I'm going to use is Belkasoft RAM Capturer. You can look all this up on the Internet. You can use Memoryze; I've never been able to use Memoryze successfully, probably because I'm not smart and I don't work at Mandiant yet. The tool I'm going to use to dump the page file is again winpmem; I'm just going to use a different flag. The other tool I'm going to use is a tool called FGET. It's an old HBGary tool, and don't freak out about the HBGary part, but you can still find it on the Internet. It's a really helpful tool; it collects any sort of locked file, it looks at weird stuff in the partition that you can pull. To pull the MFT I'm going to use a tool called RawCopy. You can pull that down off the Internet. If you can't find FGET, same deal: it pulls locked files and that other information that you need. For registry I'm going to use a tool called CrowdResponse, and I've got a janky config file that works with that CrowdResponse tool. I asked around and some people said you can use RegRipper, the Harlan Carvey tool. I couldn't get it to work to do what I wanted it to do; that's why I kind of put a question mark there. And then I'm going to use RawCopy and I'm just going to capture the raw hives. And then lastly, for event logs, I prefer to use psloglist. It is a Sysinternals tool, and the reason I like to use it is because it can poop out a CSV file. The other option is to use RawCopy, and RawCopy is just going to grab the event logs in their raw format; then you've got to use an event log viewer or something like that. So psloglist just works a lot better: you can just point it at it and get a CSV file and grep to your heart's content.

All right, [ __ ] it, let's do it live. All right, I have... oh damn, that sucks.
I've got a Windows box here, and I'm going to walk you through kind of the things I'm going to do as I do this. So step one, maybe try to fix the screen configuration... [ __ ] it. All right. Open up a command prompt as admin. If you didn't know, when you have to collect stuff like memory, you need to be admin. That's awesome. Can you guys see that? I'm sure you can. All right, so all I did was open up a prompt as admin, so yay, that part worked.

First thing you want to do: a lot of these tools, when you grab them, are going to be compiled for 32- or 64-bit, so you want to know what kind of system you're working on, especially if you're doing this remotely. A lot of times it's not going to be obvious to you. So there's a couple of things you can do. You can just run a wmic command, wmic os get osarchitecture. So what I did is I just told wmic to tell me what the OS architecture is, and wmic told me it was a 32-bit operating system, so now I know I can use 32-bit tools. There's usually also... a lot of times you can run this set command, and this set command is just going to poop out the list of environment variables. So one of the environment variables you can see is PROCESSOR_ARCHITECTURE. That's usually going to be there; a lot of times if it isn't you can do the wmic command to get your information. So you could just do like an echo %PRO... ah, typing, it's like doing public math. So I came back with x86, so now I know it's x86 or 32-bit. There's a bunch of other things you can do to get this. You can go looking for the SysWOW64 or the Program Files (x86) directories; if you see those then you know you've got a 64-bit system. You can right-click on the computer and go to Properties, and then it will tell you you've got a 32-bit operating system. So again, it's really easy. I'm not going to run the systeminfo command, but you can do it through systeminfo as well.

So the next thing you want to look at is space. General rule of thumb is to have two or three times the amount of space available on the hard drive compared to what you have in terms of fixed memory on the system, because obviously if you're dumping memory and it's two gigs worth of memory you're going to dump a two-gig file onto your hard drive. So general rule of thumb is to have two to three gigs of space. So the first thing you've got to do a lot of times is figure out how much space you've got. So you're going to run that command, and what I'm doing is I'm running systeminfo, which is a built-in command. It takes a while to run because it's got to compile a bunch of stuff, but then I'm telling it to look for a string called Total Physical Memory, and that will tell me how much memory is installed, but it goes through its entire process before it tells you. So I have two kilobytes of memory... no, okay, so I've got two gigs of memory. There's this other command I couldn't get to work; it's a wmic command. It might be because I'm using a VirtualBox, so I got "no instances available." But so now I know I've got two gigs of space, and a lot of people say, well, that's great Dave, but how do I know how much space I have on my hard drive? People tend to forget that dir will tell you how much space is available right at the bottom. So here you go, I've got probably about 11 gigs of space, so I've got two gigs of memory, so I should be good to do the demo. That's good.

So the other thing I do is I'm going to open up a folder; I've got all my tools in one place and I just called it demo tools. But one of the things you want to do is read your script. One of the first things: a lot of these tools come with DLL or .sys files, like drivers and stuff like that. The best bet is to not try and get fancy and stick them in System32 so you can call them and all that; just stick them in the same folder from where you're going to run the tools. So you can see here I grabbed RegRipper and I grabbed the DLL with it; you can see I've got RAM Capturer, and then I've got its driver file, and that's for both of them. So that's important, so you keep everything just in one place. The other thing you'll see is I've got this directory called dump. Oh, no wonder, I forgot to delete all this [ __ ]. Hey, this is a demo, it's going to look good.

Now I should have 22... yeah, now I've got 22 gigs of space. Oh hey Sean, good to hear from you. All right, so I now know I have enough space, I now know I've got the DLLs. For the purposes of this demo I'm going to set a location so I don't have to go back and type the file directory all the time, and this is just a temporary variable. So if I do demo now I've got the file location where all my tools are stored. The other thing I'm going to do is set a directory so I don't have my tools and the data I'm collecting co-mingling. I'm just going to do a quick mkdir demo dump. Oh yeah, there you go, so it was already there. Good on me; again, we're doing this live.

So the next step, and this is an important step, and you're going to see why: you need to turn off your AV temporarily. So if you're doing this work and your lawyer and your CIO or CISO or whoever is there, just tell them to go into the other room, and when they go into the other room you're going to turn off AV, because obviously these tools will... where the hell am I... these tools will not play nicely with McAfee. So in this case I've got McAfee installed, so all you really need to do is turn off real-time scanning. This demo better not take 60 minutes. So I'm going to turn it off. I'm done. McAfee doesn't like it; that's too bad. But obviously if you have McAfee you're never going to get compromised anyway, right? Of course not. Yeah, totally. Oh, thanks bro. Okay, don't show this alert again. And Windows... everybody, nobody likes it when you turn off AV. All right, so I've got the AV turned off temporarily, so now it's time to... I've got everything set up. I know what kind of operating system I'm going to be doing, I know where I'm going to be dumping the data, so it's time to just start running some of these tools.

So the first tool I'm going to run is winpmem, and I mean it's this simple: it's winpmem, where do you want the memory, and then you name it .raw or .image or whatever. So here we go. [ __ ] you. Sorry, there we go. All right, let's try it again. There we go, there we go, yay. So it gives you this nice little screen as it's copying out the memory. You can see these memory tools run really fast too, which is good. To be honest with you, I'm really happy at this point; you could now go throw it in the bay as long as you pull this file out for me. The other tool I'm going to run is the Belkasoft one, and just to let you see, I've got a file I called boss.raw and you see it's a little bit bigger than two gigs, but that works. So the other tool I'm going to run now is the Belkasoft tool. Again, it is also really easy to run, and I'm going to dump this to a file called foo. So what these tools do is they load a driver, then they dump the memory, and then they unload the driver. So you can see it already ran, and the file sizes match, thank God. All right, so that part's working.

So the next thing I'm going to do is grab a page file. Now winpmem actually can bake the page file right into the same file it collects the memory to, so it's going to make this big-ass 4-gig file for me, and you have to do it in the ELF format so you can open it up. So you can see here, I'm telling winpmem... I give it that -p flag so it collects the page file, I give it that -e flag so it dumps the ELF file, and then I just called it dump.elf. This one's going to take a little bit longer. I think this is the longest; it's either this one or the next dump of the page file that's going to take the longest. So memory runs, and it collects the memory, and then it starts reading the page file, and then it's going to start copying the page file and putting it into the dump. So you can see it goes 50 megs at a time, so it could take a while. I don't know if I'd recommend this tool if you're doing like a big 32-gig memory dump or not; I'd probably recommend Belkasoft. And how many people have dealt with users who modify their page file to make their system run faster? Yeah, don't you want to punch those people in the face? Because if homeboy is like, oh, I'm going to speed up my system and give it like 32 gigs of page file, now I've got to go dump this and I've got to go through this. You know, thanks bro. Yeah, again, ball-peen hammer.

So now you're going to see I've got this mega 4-gig file, and that's going to be about the equivalent of my RAM dump as well as my page file dump, so my page file was about two gigs. The other tool I'm going to use is the FGET tool, and for those of you who don't know, the page file sits on the system, it's hidden, and it's usually locked, but FGET can extract any sort of locked file. So I'm just telling it, hey FGET, extract the C:\pagefile.sys file and then dump it into pagefile.sys. This is actually the longest time. It's always a good sign if FGET has that little plus and says it actually found the file. Just FYI, if you do decide to use this tool, this does take a little bit of time; I mean, you're dumping two gigs of memory. I have no jokes at this time, my apologies. Did you guys get some free food, and did you guys get a donut? Oh my God, I'm about to pass out because I had one of those donuts, and I'm a little hung over too. So I've got that going for me. But I almost drank some of the water here, like previous-speaker water; that's really gross. And if I was a consultant, by the way, I would be charging you for that time that I was running that tool, just to let you know.

All right, so I grabbed the page file. You can see the page file is about the same size, give or take a couple of kilobytes, as the memory, so that makes sense. So now I'm going to start grabbing the MFTs. The first thing I'm going to do is use RawCopy to grab the first MFT. You can see the command here that I'm going to run; it's really simple: RawCopy and then C:\$MFT. So now if I wanted to grab D, well, I just change that to D; if I want to grab Z, grab Z, whatever you need to do. This goes pretty fast; because it's a VM and I don't have a lot of stuff on there, the MFT is pretty small. Wait for it... there, it took two seconds. Yeah, so it's 138K. The other way you can dump it is with FGET. FGET again can grab any sort of locked file. So I'm just telling FGET, hey, extract the C:\$MFT file, which should be there, and then dump it into this binary file so I can go process it with analyzeMFT.py or something. So FGET again found the file, thank goodness, and dropped it, and so if I go back... oh thank God, they're the same size. All right, that's always a good sign if stuff works that way.

All right, now the registry. This is the longest and most boring part of it. The registry... I haven't found a good tool out there that can dump a registry reliably in the format that I like to use it in. I used to work...
yeah uh usually the uh dollar sign in uh in nfts is just showing like a hidden file area yeah so I mean that's that's a pretty standard place to go look for it oh the the the outfit file oh yeah yeah uh I think it's just I think it's just how it grabbed it right you're talking right here yeah I think that's just how it grabbed it yeah so it grabbed it just grabbed it right off a dis including the file name so I don't know if you I you might be able to rename the file when you pull it with raw copy I I don't
know yeah yep cool uh so registry like I said I haven't found any really good tools when I used to work when I was at GE uh we made our own custom tool that that dumped mfts the exact way I wanted it to um unfortunately I got to take that on my way out um you know ethics and crap like that yeah so um so the first tool I'm going to use is this tool called crowd response it's a freely available tool um and I'm going to and I gave it so if you look at the command I basically tell crowd response and then I give it this input file that's a CR CRC config.txt and then I tell it to dump
the file out to an XML file that that gives me a lot of options when it comes to parsing there's also a tool that comes along Ong with this called CR convert so you can take the XML file and then convert it into CSV uh which is ultimately what a lot of people do because again now you've got a CSV with like the time that the key was created the key value and all of that so it makes it a lot easier to to GP and look around and put it into like a log to timeline type thing so my uh CR config tool is just a bunch of commands that it it sends over to crowd response and the
command to dump certain registry values is at reg dump and then I just start throwing um uh I don't remember what the S value is but I just uh I just tell it to start grabbing different uh locations that I want to go
grab where am I where is my mouse anybody see my mouse
yeah dude I got I got lost in the Matrix here um what was that
yeah I'm here let see did I is it the other way there we go it's opposite anyway uh so where was I okay I'm gonna run crowd response all I
got oh yeah this is right so crowd response and Mac if you don't get along um so I actually have to go back and pull crowd response out of uh the place where I had it before uh so as soon as you drop crowd response macae somehow thinks it's a piece of malware so it it deletes it yeah so it it takes care of it right um so I always have to put it back in the demo
yeah yeah that's turn it off man and if you had your chance a and and you missed
it all right yay I think it's working it should run pretty fast I have a I have a fairly small registry um um it doesn't give you any sort of fancy little feedback that it's working um you can go back into the dump and then you'll start to see this reg file uh get written there we go yep so there's my registry regge file um I'm not going to open it up but it's just an XML file um and then once you once you if you have the CR convert tool you can just pass the XML file to CR convert tool and it'll convert it into a text file or CSV or whatever you want uh raw copy this
this part gets boring because I'm going to have to start going and grabbing the registry hives um so the first one I'm going to go grab is the security registry there's um for those of you who don't know the registry hives live in this uh system 32 config
folder and so I'm telling raw copy to go grab uh the security file out of that and it's again it's a locked file because it's hooked into the registry it's going to run and security and um the Sam file are usually pretty small they get bigger if you like got a lot of profiles and crap like that going on Pardon Me carrot oh it's some sort of uh raw copy file I I don't know what it is but it works so security is there yay yeah all right so that that works uh usually software and system are are bigger parts of the registry so this one will take this one will take a consultant second to do and by that I mean it takes
one point two seconds to run um so you see it's a slightly bigger
file and then the last uh file you want to grab is the system file and that's going to have the system registry stuff so now I've got I've got those file and if you do a little little bit of math there there's a there's a shortage there so there's a couple files I still need to grab um the way the registry Works in Windows it's a little weird uh user user specific parts of the registry are stored in two files called user class and N user uh so in order to go find where those files are buried you have to go look for them so you're going to run this this uh First Command to go find where NT user
dat is uh and if it works so I just go to the rout to C and I tell it to go run this directory and just poop out the location of any n user. I've only got one profile on this system so it should only find one oh actually I've got a couple so I could go grab all those uh it's going to keep searching for a little bit and it found four ENT user dat files so I could go grab all four of those if I wanted to um but just for purposes of this demo I'm just going to grab the one on my user
profile P Doom there we go and did this last time hey that worked so now I've I don't know why uh but so now I've got an N user uh file there and then the other one I want to go grab grab is uh the user class. file so again I'm going to run this dur command to go look for where n user um where the dirt user class is again this is the most painful and boring part of this talk so found it in this app data local Microsoft uh user class so I'm going to go grab that you might notice I'm at the uh I'm at the root of C so I actually have to give
it uh just real quick I have to give it the demo variable that I set earlier so it's not trying to look for raw copy at the rout of c um just another reason to to go ahead and set your uh path at the beginning of of what whatever you're doing all right so now I've got a user class.at file I've got an ENT user so this is all these are all registry files that you can now like throw at uh red dripper whatever you want to do to go look for that uh to go process that or you could take this regge file and then turn it into a CSV and then you can
ready to rock. So the last thing I need to do is grab the event logs. The event logs obviously are important; where they're going to hide is in the Windows\System32\winevt\Logs directory, and there are usually only three that I ask people to grab, and it's really easy to remember: it's just ASS, Application, System and Security. So just grab those three files. So grab some ASS,
and don't forget to cd to the demo folder.
So I grab the Application .evtx file, and you can tell it's an Application file, so you could open this up in Event Viewer if you were so inclined. Then I'll grab the System one, and then I'll grab the Security one, so: ASS. All right, so now I've got those files, and again I can go back now and look at these in Event Viewer, I can do anything like that. Honestly, my preferred method is to use PsLogList because it gives you a CSV file, and if you wanted to you could pipe all of these into one big CSV file so you can go rooting around in it.
So I'm just... oh, it's already done. So I'm telling PsLogList to give it to me as a string, so it gives it one string at a time, and then the -x flag tells it to give me the extended values and the extended information in there. If you exclude either one of those it just kind of dumps it out into this crazy text file that's hard to work with. Strings allows you to send it over to grep or something like that if you want to look for something.
Here it is grabbing the System log, and then the CSV for Security. And generally, if you are running any sort of investigation with an advanced attacker, Security is the most important log file, because that's going to show you when somebody logged in and when somebody logged out. If you're an attacker, that's generally the first thing you're going to go delete. So now I've got those files. This is all the information that you need, really; at this point I've got multiple copies of everything, so you could just run one of these tools to collect all five of those things. So I've got the memory, the page
file, the master file table, the registry, and then the event logs, and again I go grab some ASS: the Application, System and Security event logs. So that is it for that part of the demo, and it worked, and my hand is sore from doing this. Don't clap yet, save your clapping for the end. All right, so [ __ ] we did it live. The reality is you can script this if you want. You just saw me run a bunch of copy-paste commands; you can write a script. I'm going to give you an example of a script out there. There are a lot of
wonderful endpoint threat detection and response technologies, like Resolution1 CyberSecurity, that could do this for you if you were so inclined. But I will tell you, if you are working with a consultant and they walk in and start imaging every box they can get their hands on, that should raise a red flag for you, because that's not real IR. I mean, you just saw, I just did IR. For all intents and purposes I knocked it out; I did double the amount of IR that I would normally do, and I would charge you four times for that. Most of us don't, but the reality is too, you know, you could write a script, you could
buy an ETDR solution, you could go get yourself some FTK Imager and a bunch of hard drives and start running around like a madman, but most of us don't have the time to do this, right? We don't have the time to write the scripts, especially in the middle of an incident; you don't have time to go ask for money to deploy an ETDR solution. No matter what a sales guy tells you, it's going to take a little bit more than 24 hours to deploy an ETDR to all of your endpoints. So this is just how to get you started: grab a bunch of tools, run a bunch of commands,
gather that data. Obviously you saw that file; you could just 7-Zip it, compress it, and then send that to me, and that's a fantastic start. We can do that over the phone, we can do that really quickly. So if you give me that dump directory I'd be very happy. Here are some examples of some of the tools. I just wanted to give a shout out to the homies that pointed me in some of this direction. There's a script out there, it's available on journeyintoir.blogspot.com, it's called the Tr3Secure script. It basically is that batch script that I'm talking about, and all you have to do is throw in a bunch of the tools that are in there, and then point Tr3Secure at whatever box you want to run it on.
Yes, yeah, sure, yeah, I'll find a place to post it. They wanted me to post my text file from the talk, so yeah, as long as my VM holds up between here and Detroit, and as long as I don't get mugged and my Mac doesn't get stolen, I should be good to do that. But yeah, anyway, the Tr3Secure script is another way to do that. He goes really fancy and sets architecture variables and all sorts of cool stuff, which generally you have to do to make this thing work properly. So if you want to grab that, take a look at that, it's there. CrowdResponse: again, I walked around asking who does registry well, and my buddy Chris Merid at CrowdStrike pointed me at the CrowdResponse tool. And the Belkasoft tool I got turned on to by my buddy Jordan Cruz; he's on our Syntricate team. If you do go to the Belkasoft site and grab it, you have to put in some personal... you have to put in an email address, so just put in a Mailinator address or something so they don't bother you. So thanks, that's it. Yeah.
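The copy-paste sequence the speaker types during the demo (find the per-user NTUSER.DAT and UsrClass.dat hives, pull them and the system hives with RawCopy, grab the Application/System/Security .evtx files, and turn them into CSV with PsLogList -s -x) is the kind of thing he says you can script. The PowerShell below is an added example written for this page; it is not the speaker's demo text file, the Tr3Secure script, or any vendor tool. It assumes RawCopy.exe and the Sysinternals psloglist.exe sit in a tool directory (`C:\demo` by default, matching the demo variable he sets), that it runs from an elevated prompt (the Security log and the hives are not readable otherwise), and that user profiles are enumerated from the ProfileList registry key rather than by walking all of C: as the `dir` command in the talk does. The output directory name and the `Copy-Locked` helper are this example's own. It covers the registry and event-log part of the checklist; memory, pagefile and $MFT collection from the earlier part of the demo are not repeated here.

```powershell
# Added example (not the speaker's or any vendor's script): minimal Windows triage
# collection of registry hives and event logs with RawCopy + PsLogList.
# Assumptions: RawCopy.exe and psloglist.exe live in $ToolDir; run elevated.
param(
    [string]$ToolDir = 'C:\demo',                                   # assumed tool location
    [string]$OutDir  = "C:\demo\dump\$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmmss)"
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$RawCopy   = Join-Path $ToolDir 'RawCopy.exe'
$PsLogList = Join-Path $ToolDir 'psloglist.exe'

function Copy-Locked {
    # RawCopy reads the file directly from the NTFS volume, so hives and logs that
    # Windows holds open (which a normal Copy-Item cannot read) copy cleanly.
    param([string]$Path, [string]$Dest)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "missing: $Path"; return }
    New-Item -ItemType Directory -Path $Dest -Force | Out-Null
    & $RawCopy "/FileNamePath:$Path" "/OutputPath:$Dest" | Out-Null
}

# 1. System-wide hives from System32\config (SYSTEM is the one the talk ends on).
$cfg = Join-Path $env:SystemRoot 'System32\config'
foreach ($hive in 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM') {
    Copy-Locked -Path (Join-Path $cfg $hive) -Dest (Join-Path $OutDir 'registry')
}

# 2. Per-user hives. Instead of `dir /s /b NTUSER.DAT` from C:\, read every profile
#    path from ProfileList, which also catches profiles living outside C:\Users.
$profileKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*'
Get-ItemProperty -Path $profileKey | ForEach-Object {
    $profilePath = [Environment]::ExpandEnvironmentVariables($_.ProfileImagePath)
    $userDir     = Join-Path $OutDir ('registry\' + (Split-Path -Leaf $profilePath))
    Copy-Locked -Path (Join-Path $profilePath 'NTUSER.DAT') -Dest $userDir
    Copy-Locked -Path (Join-Path $profilePath 'AppData\Local\Microsoft\Windows\UsrClass.dat') -Dest $userDir
}

# 3. Event logs: the raw .evtx (for Event Viewer / other parsers) plus a PsLogList CSV.
#    -s = one CSV line per event, -x = include extended (description) data; both are
#    needed or you get the hard-to-grep multi-line dump the talk warns about.
$logDir = Join-Path $OutDir 'eventlogs'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
foreach ($log in 'Application', 'System', 'Security') {
    Copy-Locked -Path (Join-Path $env:SystemRoot "System32\winevt\Logs\$log.evtx") -Dest $logDir
    & $PsLogList -accepteula -s -x $log |
        Out-File -FilePath (Join-Path $logDir "$log.csv") -Encoding utf8
}

# 4. Hash everything collected so the 7-Zip archive you ship can be verified on arrival.
$hashes = Get-ChildItem -Path $OutDir -Recurse -File | Get-FileHash -Algorithm SHA256
$hashes | Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $OutDir 'manifest.csv') -NoTypeInformation
Write-Host "collection written to $OutDir"
```

Run it as `.\Collect-Triage.ps1 -ToolDir C:\demo` from an elevated PowerShell, then `7z a` the output folder. Keeping both the .evtx and the CSV matters for the point the speaker makes about the Security log: if an attacker clears it after you collect, the copy you already pulled (and its hash in the manifest) is what you have left.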