
Digital Forensics – The Importance of Forensic Triage Images by Ryan Irving

BSides Tampa · 45:51 · 156 views · Published 2024-05
Category: Technical
Style: Talk
About this talk
How long do you wait to collect digital evidence in the midst of a cyber incident? What forensic artifacts should I collect? What tools do I have to collect the data needed? These questions and more will be answered and discussed during the presentation. With a focus on Windows-based systems, we will delve into how non-digital-forensics staff can create a triage forensic image of crucial Windows-based artifacts that can be preserved. The goal of the preservation is that data can be acquired quickly, and when a consultant, law enforcement, or other investigative resource is utilized, the preserved data can be provided for analysis. The presentation will also cover tools you likely already own to get the job done, and if you don't have those tools, what free options are available for your use. Time is of the essence during an incident, and the longer time passes, the greater the chance you have of evidence degradation or losing the evidence altogether.

Transcript (en)

[Music] All right, all right. I appreciate everyone joining. Is everyone enjoying their BSides Tampa so far? Good, good. Well, let's get some energy together for Mr. Ryan Irving. Ryan Irving has been in information and cyber security for over a decade in various roles, including Hillsborough County government and JP Morgan Chase. Ryan's specialty is in digital forensics and he is currently a security operations center manager at Cyber Florida, which is housed here at the University of South Florida. Ryan holds a master's degree in digital forensics from the University of Central Florida. Ryan also holds various certifications from CompTIA, ISC², and G. And without further ado, Mr. Ryan Irving.

All right, thank you, Alfredo, thank you for that great presentation. First off, thank you, ladies and gentlemen, for joining me here today on this interesting talk on digital forensics. I hope that you're going to get something out of this, you're going to get taught a few things, take something away in your jobs. My goal is to have a very practical approach to this. So with that, go ahead and advance a slide for me, Wilfredo. Real quick, I have about four slides here that really just talk about Cyber Florida. Since we only have 45 minutes I'm not going to delve into that too often, but just to give you a high-level understanding of what Cyber Florida does, our main goals here are to have education, outreach and research throughout the entire state. So especially if you're public sector and you need help with cyber security from an education perspective, a technical perspective, anything really, you can reach out to Cyber Florida and possibly get services, at least get some consulting. I know that I've worked with some judicial circuits, I know I've worked with some Clerks of Circuit Courts as well as some BCCs, Boards of County Commissioners. So if you need help, we're here, especially for public sector. Go ahead and advance through the title slide for me.

All right, so this is what we're here to talk about today, and most of my slides are going to be memes, so hopefully it'll be slightly entertaining and I remember what I wanted to talk about. But today we're going to be talking about digital forensics and the importance of forensic triage images. Fredo already did a fantastic job of introducing myself, so I don't need to focus on that. I did update the headshot, though. I had a headshot where it was a much larger me, but now that is AI generated, so I thought that looked a whole lot better than what I had before. So that AI-generated headshot does work, ladies and gentlemen; if you need a good-looking pic, there you go. Go ahead and pass that to the next slide for me.

So again, here are today's objectives. My goal here today is to make the case to you, if you are working in not just cyber security, IT, networking, I don't really care, why you need to know how to make a forensic triage image. All right, we're going to cover the importance of them. I'm also going to give you a starter kit on what you can do and what you need to collect. We're going to focus primarily in this talk on Windows artifacts; that's the predominant operating system in the enterprise environment. If we want to talk Linux and Mac we surely can, we can take that offline though, but the goal of this talk is just to focus on Windows. And we're going to talk about why the artifacts that I'm going to list to you here in this talk are chosen. It's not an exhaustive list by any means, but it's going to be the goal to get your investigation going. We're also going to cover tools that can do the job, paid and unpaid, again not an exhaustive list, but you need to get started somewhere. My goal will be to show you tools that you may already have in your enterprise that you can leverage, or if you don't have anything, what you can use for free. And then I'm going to give you the "why should I care." All right, so that's

what we're going to talk about. Next slide please. All right, so forensic triage image, what is it? First we need to really define it. It is the process of collecting, assembling, analyzing, prioritizing digital evidence in a crime, an incident, whatever; something happened and we need to be able to collect evidence to figure out what happened. It's a process of conducting an examination to eliminate or include a full forensic analysis. So just an example of that: when I worked at the bank, we would typically do triage images first, and very rarely did we ever go to any sort of full logical or full disk image. What I mean by that is collecting all the data from either the partition or the drive itself. More than nine times out of ten, our cases could be solved with just a triage image that we would collect. So again, we already talked about some of the goals and objectives today, but the focus here is we're going to identify the data set that you want to analyze, as well as understand the importance of data volatility and the importance of collection order. Next slide please.

So, time. All right, so I can't tell you how many times I would have a case and then they would be like, we need answers and we need answers now. I'm like, I literally just got this this morning and it's 11:00 a.m. and I'm still acquiring data, right? So if you're looking to acquire a 500 gig drive of data, how long is that going to take? Well, it depends. Are you collecting locally, are you collecting remotely? How fast is the network speed if you're collecting remotely? If you're collecting locally, how fast is your USB, FireWire or whatever speed you have? If it's more than 500 gigs of data, that could take a really long time to collect; it could take hours even if you have fast equipment. All right, so a triage image is a targeted collection of files that we're going to collect, and it's going to allow us to process and analyze much faster. Now you can do them simultaneously: you can collect your triage image, start your analysis, and then if you think you need a full or logical, you can move right into that and have that collection going. But your management and the people above them are wanting answers, and they want answers yesterday, especially when it's important. So it's important to know what data you need to collect so you can get to that analysis and parsing quicker. Next slide.

So coming to analysis here, it's a distilling of the relevant artifacts of value, and we're going to get to those artifacts for Windows here in a second, but the focus is going to be so we could take those files and figure out: okay, what did the user interact with? What binaries executed on a system? What logs can we identify for people logging into the system? Very quickly, you know, if I have a small subset of data that I can collect in, let's say, 30 minutes, compared to, back to the time issue, five hours of collection, I can identify likely most of those answers that we need to have. And odds are 99% of what you're looking for is going to be in 1% of the data anyway, right? So very rarely did I ever have to kind of go back to the well, so to say. And let me tell you, for you folks in the room, really the only time I can recall having to go back to the well beyond my initial triage image was you developers and IT folks, because you guys always made things very difficult for us investigators. So next slide please.

All right, so memory. Who here is at least familiar with the term and concept of memory forensics? Quick show of hands. All right, fair amount of hands in the room, glad to hear that. Memory is really getting more and more important. We can find all kinds of great things, because in order for computers to do things it has to hit

RAM, and typically if there's encryption involved it has to be unencrypted, right? So we can identify things like passwords or sensitive data that may be relevant to an investigation. But of course the issue with memory is it moves very fast, it's always changing, it's constantly dynamic, right? And whenever we collect it, it's really just a snapshot in time of what's going on in the system. Next slide please.

So like I said with memory, if you're collecting a triage image or targeted data set from a system, memory should be the first thing you go for. The reason why: it is the most volatile. As it's being used, stuff is constantly being paged out of RAM, and you're going to have data loss occur much faster with that data set than most of the other ones, right? Then once we have RAM and memory collected, we're going to move to the targeted files from a Windows-based system. And we're going to cover some of those artifacts. We can't go in depth due to time, but I'm definitely going to share with you some of my favorites and why. Next slide please.

So if you're wondering what should I collect from a Windows-based system, from the disk, beyond memory, here's your starter list right here. Now certainly, like I said, there are more artifacts that we can focus on and that we can acquire; however, these will give you most of the answers you're looking for, I can guarantee it. And if you don't get the content you're looking for, I can almost guarantee you that these will at least build you the map of what you need to go look for. Quick show of hands, anyone know what the MFT is? I hear Master File Table. Does anyone know the functionality of the Master File Table? Yeah, think of it as like the post office for all files on your system. It literally keeps a record of every single file that has touched your system. Even if you delete it, there's just a little marker that says it got deleted. We can at least show that the file existed at one point on a system in the Master File Table. We also get other great data, such as about eight different timestamps, around the metadata time as well as the actual file info time and things of that nature.

Recycle Bin. What do people who are trying to hide things do? They try to delete them. And most of the time, I wish I could tell you, you know, criminals or people who try to steal or whatever, they get sophisticated. They really haven't. I mean, some do, but by and large it's not real hard to find, and I can't tell you how many cases I solved just by looking in someone's Recycle Bin, because they deleted it and stuff was still there. All right, so that's something you should definitely acquire. And again, I'm also giving you the path here for these, at least for most of them, because it's important. With the user profile I don't do the full path because they're a little bit long, but they're all just within the user profile and I would collect that anyway. Now the user profile is very interesting, because if you open up a Word document or PowerPoint or Excel sheet or whatever, there's about four or five different Windows forensic artifacts that will tell me you performed said action and associated it to your user account. All right, so if I say, like, oh man, yeah, I never opened up that Word document, I never edited it or anything like that, I'm like, well, there's these things called link files, which really look like shortcuts. Have you ever opened up Word and Word's like, here's your most recent documents? You ever wonder where that comes from or how it knows that? Well, it's stored in two different locations: there's one in your profile and one in your NTUSER.DAT registry that is within your profile, and it literally logs these files that you've opened up, and it's associated to your username, and also

depending on how you interacted with said file, maybe through an Open, Save As or File Save As dialog box, it gets recorded in that way too. So with some of these files I can actually determine how you interacted with said file, which just gives me more credence to my investigation, because I can say, well, you actually did this and this is how you opened it up. And I tell you what, I've got a lot of deer in the headlights when I said those sorts of things, when I know that level of detail. Okay, jump lists. Jump lists are another one of my favorite artifacts. It's very akin to link files, but it gives us additional data. Now what is a jump list? On your Windows taskbar, have you ever clicked, say, Word or Outlook or some application and you get a list of files that come up that you've interacted with? That's what a jump list is. All right, that gets recorded into an unstructured database within your Windows profile, and while it only shows you 10, I don't know if they've actually figured out the threshold of how many entries it stores; it could be a bunch, like thousands. Okay, so not only am I finding those 10, but really I can go way back in time and see the files you interacted with. Also it does sometimes capture binary execution, so at times it can be an identifier of evidence of execution, but predominantly I use it to associate file activity and file knowledge, that someone has interacted with it. Okay, NTUSER.DAT, I've talked about that a little bit. It can be excellent again for identifying what files you've interacted with, and it correlates very strongly to link files and jump lists as well as other attributes and actions that you've taken. UsrClass.dat, I think it's sometimes an overlooked forensic artifact, but this is also known as what's called ShellBags, where it actually tracks the folders in the order that you actually click through folders. So a lot of times I'll actually include that forensic artifact in a timeline with the files you interacted with, and I can literally piece together the folder path you took to get to said file, and I say you went to folder A to folder B to folder C to Confidential to Salaries and you opened up everyone's salary.xlsx, what do you have to say? You know, so that's happened. SRUM database, that's an excellent one too. It stands for System Resource Utilization Monitor. It keeps a lot of metadata about how the system's performing, such as, if you're connected to a wireless network, how many bytes were sent and received, power consumption, as well as other things like that. Why might that matter? Well, maybe there's a data exfiltration case, right? We can identify packets being sent and received from different locations or from wireless networks to determine, well, hey, we have a lot of data being sent out to this network; that could be important to know. Or I know there's been folks who have used it, not in my investigations but other investigations, to where, yeah, bad guy said I never even opened up that laptop, never even used it. Well, that's funny, not only do we identify logins but we can also identify battery consumption, right? So something's not telling the truth here. To go over some of these other ones quickly: setupapi.dev.log, that's associated with USB activity; it can tell you if you're interacting with USB devices or not. Prefetch, one of my favorite artifacts, associated to Windows binary executions. Not only do we get the first time and the last time that you executed said system, but data embedded within these files actually has the last eight timestamps total when the binary ran as well. It keeps an overall run count of how many times the binary ran, as well as possibly things like volume GUIDs and things like that. So there's a lot of good activity that could be identified in there, as well as potentially, like if I double-click a Word document, when Word

starts, Windows might actually have a full reference to that file path as well, and we could identify DLLs, things like that, associated there. Registry hives. Registry hives are basically a database of Windows settings. Again, we can identify anything from user activity to USB activity to mounted share activity, a bunch of other things. Now I don't have enough time; we could actually have a whole class on just registry forensics that's a week long, right? The point is we can get a lot of good forensic value off that. But one important thing I do want to note: has anyone ever, in the registry folders in System32\config, ever seen a .LOG1 and .LOG2 file associated to a registry hive? Has anyone ever seen that? Raise your hand, because if you have, I'm proud of you. I got two hands in the air, very proud of you too. Now do you guys know what those files are? All right, no hands. So this is going to be something that everyone can take away. These are the journal transactions that have occurred that have not yet been saved to said registry hive. So for example, you may have the SYSTEM registry hive; you'll have the SYSTEM.LOG1, .LOG2. There are changes that have occurred that have not yet been written to the registry. So if you're doing an investigation and you acquire the SYSTEM hive, do you have all the recent updates for that hive? No, no you don't. You could be missing potential evidence, and that's the importance of this. So what I've done is I would always collect those, and then there are tools we can leverage to basically run those journal entries into a new hive. It'll take the actual hive, run the log files and actually merge them together into a new file, and then we can look at it that way. And the tool to do that, I don't have it in this talk, but there's a tool called Registry Explorer that's by the same creator of a tool I am talking about; I'll mention that. But that's what I used to basically run those. Of course Windows event logs, that's an excellent resource for authentication, service actions, all kinds of other things; that is something that you should collect. And then Amcache.hve, I think another kind of overlooked artifact. A lot of times I put an asterisk, because a lot of people are like, oh well, that's evidence of execution, we can prove that a binary ran on the system. It's been proven that's not exactly true; it's kind of hit or miss on whether something actually ran on the system. But what it can tell us is file existence. So if there was malware on a system, or some binary of interest that you were looking for, and it's within that registry hive, because really that's all it is, a hive file just like the other registry ones, we can prove that it actually resided here on the system at one time, not necessarily that it ran. We might have to refer to the registry or Prefetch to prove execution, but at least, similar to the MFT, we can show that it was there. Next slide.

Now if you want that and much more, I recommend you go to SANS, you create a free account and you get the digital forensic artifact poster. You know, I'm kind of a weird dude; like, I had this up in my lab when I was working, you know, at the bank. I had this up in my personal office. I mean, I know some people have maybe inspirational pictures in their office or on their wall, or, you know, maybe as a kid you had some model poster. Me, no, it's digital artifacts, right? I want the forensic artifacts hanging up in my room so I can understand what it is I'm looking at. But again, you can get a free account from SANS and download these posters, and they're extremely helpful. I would pin them up, and whenever I'm doing an investigation I can't tell you how many times I referenced them, like, what was that artifact again? What was the

location? What's the meaning of it? Does it make sense? Is there anything odd going on? Again, a free resource you can leverage. Next slide.

All right, so now we've talked about the artifacts, we've talked about the importance, but how do we collect it, right? How do we collect it? How many CrowdStrike users in the room? All right, at the enterprise, okay, we got a few hands in the air. Right, so if you have your EDR tools, CrowdStrike, SentinelOne, Carbon Black, Microsoft Defender, whatever, you likely already have some capability to collect these in your enterprise, right? You just got to figure out how to connect to the system and do it, and we'll talk about that with CrowdStrike specifically as well as a free tool here in a minute, but they have the capability to help you do that. Now targeted collection tools: we have FTK Imager, EnCase, F-Response; those are specific forensic-related tools. EnCase does have an enterprise version that allows you to install an agent and collect. FTK Imager, you can deploy that to a local system if you had to and then kind of run it locally on the system. KAPE, or the Kroll Artifact Parser and Extractor, that's by Eric Zimmerman; he's also the creator of Registry Explorer that I talked about before. We will actually be talking about that and giving you something to walk away with. It's a free tool that you can download, even, as long as you're not a consultant using it to get paid; they pretty much give it away for free. Kroll does. Binalyze, that's another one, and Cyber Triage; those are paid tools. Belkasoft RAM Capture, that's actually for memory collection; that's actually a free tool that you can get. It's one of the best free memory collection tools that I've ever used, so if you're looking to collect RAM, the Belkasoft RAM Capture tool is what I would go for. Volexity Surge. Who in the room has heard of Volatility, the memory forensics? Okay, so Volexity is the commercialized Volatility, and they created it, which, by the way, I think is the only real good commercial memory forensic parser. But they created a collection tool called Surge, and it can collect RAM as well as targeted files too. So if these are things that you have, either paid or unpaid, that's a way to get this done. Next slide.

Not the best screenshot to look at, but what we're looking at here is the CrowdStrike Real Time Response console. Anyone familiar with this screen? All right, yeah. So if you have CrowdStrike Real Time Response, there are a lot of built-in tools and functionality to deal directly with the system. Let's say you have a system compromised, you have CrowdStrike, you can isolate the system, you could go and do, I believe it's xmemdump, which will give you the full memory of the system if you want. Or you can deploy scripts and deploy files, like what we could do is deploy KAPE to that system and then run the command line for KAPE to collect the files that we need to collect, right? So we can either use some of the built-in tools, but really what I would do is I might use xmemdump for memory, but I might deploy Surge or might deploy KAPE to the system and then use the PowerShell functionality, which you can't really see too well, but there's an edit and run scripts tab at the bottom there. You can open that up and run scripts directly against it, or if you have it stored in the CrowdStrike cloud you could push those to the isolated machine and collect from there. Next slide.

Now this is a free tool called KAPE, it's that Kroll Artifact Parser and Extractor. Okay, if you don't have anything, this is something that you can leverage. You can leverage it either in a GUI format or you can leverage it in a command-line format, and what's nice is in the GUI format, and it doesn't show in the screenshot here, but

as you check things and click things it starts building the command line for you at the bottom, which is nice. Why do we want tools that can do command-line functionality? Anyone know? Hand in the back, okay, you don't have a GUI, but even more powerful than that: if I can use the command line, we can script it. If we can script it, then what can we do with it? We can automate it, right? So the GUI is going to help us maybe do one-offs, figure out what we want to run against a system, but once we know the command-line activity we can automate it, right? And once we can automate it we can hit multiple machines at once. So if we have a compromise of 20 assets, we could push it through CrowdStrike or whatever and then deploy scripts and run it all simultaneously against those systems, right? So that's the importance of that. Now, looking at it, the right side is your acquisition. As you can see, the SANS, quote unquote, the SANS Triage is selected; that's going to be all those artifacts that we talked about, I think minus the MFT. So I also have the MFT not checked there, but in the command line I'm about to give you I have that marked. Now the left side over here, that is the actual parser. So again, this tool is by Eric Zimmerman; he has a lot of great forensic tools, I've used them over and over. You can simultaneously, well, I say simultaneously, you can acquire said data and then also have KAPE parse that data for you. It'll parse the link files, the jump lists, the Prefetch, the event logs, whatever you want to do, and then some. Okay, so you can kind of do that all together. Me personally, I like to do them individually because I like to look at it and do it myself, but if you got a lot of systems and a lot of assets and you just need to get to looking at the data in an Excel sheet, because at the end of the day, if you're doing forensics you're looking at Excel sheets just like every other job on the planet, that's what you're going to do. Next slide.

Oh yeah, so there's that other thing, the bottom of that screenshot that I said wasn't there. There it is; guess I forgot that was there. Next slide. And then if you want to take anything away, you want to run a command line for KAPE, there you go. That is the command line for KAPE: you call the KAPE binary, you call your source, in this case we're just calling the root of the C drive, you call your destination, where do you want the data to go? All right, in this case apparently I have a D drive, either USB or some other drive location, to a folder. And then the flush argument is going to actually clear out anything in that folder to make sure it's clean, there's no other KAPE data there. And then the target is the modules that are going to run for KAPE, which in this case is the SANS Triage and the MFT. And then you can actually put it to a zip file or VHD or other sorts of formats. All right, so there are multiple formats that we could deal with, so I'm just putting it out to a zip archive file there, which most forensic tools are very easily able to process. Next slide.

All right, can you send to an SFTP? I believe with KAPE you actually do have that functionality, yes. Good question. So I already kind of talked about this a little bit as far as the process and workflow for CrowdStrike, but really this can work with other EDRs too, right? Obviously, if you have a compromised asset you need to figure out likely how to isolate it first, as long as with that isolation you can still maintain communication. As long as you can maintain said communication, for example on CrowdStrike we can go into Real Time Response and then perform either native actions to collect, right,

or we can deploy our own tools like Surge, KAPE, whatever, and then run that locally. I know I've had experience doing that with KAPE, Surge and F-Response, and F-Response is actually a pretty fantastic remote forensic tool as well. All right, next slide.

All right, so to take one of my favorite comedians, Dave Chappelle, and some of the things that he has said before in his skits, he's like, you know, poor is just a mindset that few people ever really come out of; you are broke, right? So how many people have security budgets where they feel broke? Got some hands. I should see some more hands in there. Okay, there we go, I got some more hands. You feel broke, like, man, I got no money, they expect me to lock this thing down like Fort Knox, but really I just have a Cheeto in the lock, okay, where the bad guy just pushes it in, right? So I've worked there, I've been there, in fact I'm still kind of there, right? So I feel that pain, I feel that pain. So what can we do when we don't have any money for CrowdStrike or SentinelOne, or maybe we're so bad off we can't even get the Microsoft Defender license? And if you're in that place, we need to talk, okay. So next slide. Again, free tools. All right, FTK Imager, it's an oldie and a goodie, and here's the way I like to describe FTK Imager: it's like a bad relationship, okay? It's like you leave it, you never want to see it again, it hurts you so many times, you know, it was an abusive relationship, it said it was collecting, it lied, it didn't collect the things it said it collected, and it was just like, ugh. But you know what, in the newer tools the grass is always greener and they usually work, but then there's those times where it's like, why are you failing? Why are you failing? And you know what, this actually happened to me in a case. I was actually doing a Windows 11 system and it was one of those hybrid tablet laptop type of things. I'm like, why are you failing? Magnet, I love you, I love you Magnet Forensics, please don't fail me, Magnet Response, thank you. Okay, but I'm like, all right, I can't collect it, it's just failing, it's, you know, not working, right? So what did I resort to? I resorted to FTK Imager, not my favorite way to collect things. I know it misses things, I've caught it missing things before, especially with memory, but I had to go back to it because I needed something, right? So it's one of those I kind of keep in the toolbox; I hope I never have to use it, but if I have to pull it out and use it, then I will. All right, Belkasoft RAM Capture, not a better forensic memory acquisition tool have I used. Magnet Response, it's a relatively newer incident response tool, again it's free. Magnet AXIOM is a commercial product, but they offer this for free. It collects RAM, targeted files and things of that nature too; highly recommend you check it out. And CyLR. CyLR is a very easy binary to collect targeted files with, with a very easy to make text configuration file. Next slide.

But what about at scale? You know, all that one-off stuff is nice, but what if I have a bunch of assets? That's where Velociraptor comes in. Anyone, quick show of hands, heard of Velociraptor? All right, good, that's a fair amount of hands, probably about half the room, a little bit less than half the room. All right, because remember, we are still broke, we have no money. All right, we have no money to do anything, but that's where Velociraptor comes in, which is still freely available even though Rapid7 acquired them. So if you have Rapid7, you're a Rapid7 customer, maybe reach out to them, see what they're doing for Velociraptor. I'm not sure; I kind of asked and I don't know, I kind of get sometimes hit and miss answers, but maybe, you know, maybe that's changed. But I know they purchased

Velociraptor, and it's actually a pretty excellent tool. It doesn't have all the EDR features that your CrowdStrike, SentinelOne or even Defender are going to have, but think of it more as that real-time responder: you can isolate, interact with the system, collect artifacts and run things against it. You can do this, and plus, look, it's Windows, Mac and Linux capable. All right, you can make agents for all three of those platforms. Really, with a little bit of elbow grease and hard work you can make this thing work; you can even make it almost like a poor man's or broke man's EDR in a way, with constant monitoring and scripts running. Next slide.

So here's just some screenshots of what it looks like. We can see, I've protected part of the hostnames for protection purposes here, but you can see that these systems are connected to our Velociraptor platform and we can interact with them remotely. Anywhere I can access the console, I can interact with those clients and get said data from them. Next slide. And look what they have in here: oh, Windows.KapeFiles.Targets. Well, isn't that convenient? They actually already built a KAPE collection into Velociraptor, and this can help with that at-scale capability. Maybe not quite full automation, but, you know, at least semi-automation, right? And it's already built in for us to do, so we really don't have to do a lot here, but we already have the capability to collect all those things that we talked about earlier in the talk via KAPE, which I already talked to you about, automatically within Velociraptor. Next slide.

All right, and this is just an example of what the collection would look like. It gives you what they call a hunt ID, and sometimes some of their terminology and the way they name things I don't necessarily agree with, but it's okay. They have a hunt ID that's associated to what you're doing and what you're collecting, and it gives you date and time stamps and things of that nature. Next slide. And I believe it's going to show, yeah, we can see here that, now I want you to think about this. Remember I told you you have this large system, right? You have this large system that you want to do an investigation on. How much data did I actually collect off of this system? This is a 500 gig drive and we have 2.7 gigs of data collected. We're saving time, we're saving time on initial acquisition, but not just on initial acquisition, also on analysis, because if you're just having a tool process this and provide you output, you know how much time is it going to take to process 2.7 gigs versus 100 gigs, 250 gigs, 500 gigs, a terabyte or more of data, right? And then we're getting that in a compressed format of one and a half gigs. How much more is your network team going to love you for only copying 1.5 gigs across the network as opposed to however many gigabytes or even terabytes of data, right? Not to mention dealing with failed downloads for images is not fun, if you ever had to deal with that, and it's like, why won't my stuff just get across the network and get here so I can actually do my job? Well then, it's a very painful thing to feel, I promise you. All right, next

slide and this is just a brief screenshot showing you some of the examples that it's collecting uh there's a lot more files here than what's listed but we can see some of the main uh stuff off the root that we would care about which also is inclusive not just mft but we have a dollar sign log file dollar sign uh usn Journal things like that which is you know the transaction logs of files and things of that nature so we're getting all that good data right off the root which is also important because yeah you can't just see these files with unless you have this special tools to see them right these are what are called

dollar sign files that if you just go into Windows explore you go to see you're not going to see them there just not to even if you unhide everything you're not going to see them because they're really made for um system metadata and system tracking so you have to have use special tools to identify them next slide all right now we're going to get to the why should I care probably one of the more fun part of the talks right we got about 15 minutes left so so the first scenario that ain't no process I ever heard of all right I just saw this Samuel Jackson me I'm like I got to use that thing that thing's like

freaking sweet okay so go ahead and uh next slide here all right so scenario one I don't care name your malware name your ransomware threat name your intrusion your Intruder name your AP I I don't really care about the event but this is you know going to be interactive so I'm not just answering this for you how long should you guys wait before you collect data here immediately everyone pretty much agree that and you should as soon as you know you should collect right all right how often does it actually occur though like time to breach the time to collection yeah like I see now I see a lot of heads like yeah no you gota be

once you know something's happen yes you should collect but then now we get to well how long have they been there and what and what not and that leaves us next question or will be yeah I guess so they call work when do they call you in to work on it right exactly so let me ask you this let's say something happens and uh do you think so we'll so do I have my question up there yeah I do okay okay so we'll get to that in a second but will the data collected be enough well I don't know it might be you know that's one of those depend sort of answers I will I will kind of give you

that one right depends on what we collect we may have to go back to the well but if we do our triage image we should at least be able to build a map to what the data where the data is now I'm not talking about timelining but when I say build a map I'm talking about timelining those artifacts into a nice uh nice orderly manner to where we could follow the bouncing ball of the system to figure out what happened now what could you uncover all right so just think about this take take this Top Line scenario malware ransomware Intruder whatever what are some things you guys think we we we could find in our triage

image what could we find we could find potentially who you find potentially when let's say it's a fishing let's say start with let's let's say it start with the fishing email fishing email hit users inbox they downloaded a Microsoft Word document Microsoft Word document had a macro Powershell executed to download additional binary binary ran on the system based on the artifacts we talked about what could we see you want to take a guess yeah registry could show things registry could show things such as um the Microsoft Word document being open link files and jump list would also be able to show Microsoft Word document being open right the prefetch would be able to show the Powershell ran maybe if

we're lucky we'll get the command line activity from the Powershell perhaps if we event logs perhaps we have Powershell logging enabled um or you know if you have just Standard Security logging if you did one thing today for your Enterprise and you have nothing else new or nothing go turn on event ID 4688 in your security log that's process tracking you will get your command line activity Associated to the process running that will immensely help you if you have to track something down okay but the point is we can uncover a lot of those activities in the triage image without collecting like a lot of data content now let me ask you this question will the data be there in one

hour and also think from from a memory perspective too what's that in memory things could start to page out but I'll tell you even with memory about an hour probably got a good chance that you'll find good stuff what about 12

hours something is going to depend on log sizes we're going get there in a second right at right so 12 hours I still think you know memory you could still get some things your dis persistent stuff you're gonna be fine I think no issue there what about two days two weeks a month and longer right now why why do I mention these times like this because if you do not have this skill or capability either yourself or in house and you have to rely on a consultant you got to rely on law enforcement you got to rely on someone else to do it there's been plenty of ransomware cases where they took 30 days for people to come out

and that's when they start collection you could probably get some log activity depending on how good log retention is you could probably get good disc artifacts but a lot of that stuff a lot of the good gooey stuff that we can find in there is in memory and other artifacts such as that and uh you may you know you could potentially miss that so we already talked about also what could some of the artifacts show us um right so just to kind of WRA wrap up this scenario you don't just have to collect a memory uh and triage image but it's great to start and it'll let you jump to analysis you can always go back to the well right you

can always go back to the well but if you have that image of memory you know the memory is changing um you're going to be able to have that and have people analyze that right and with the triage image you're going to be able to get probably all the answers that really matter or if you don't you're going to have the map to know where to go to okay well this it person did this and they have this special folder uh in the program data folder and then now I got to go and collect that that happened to me a lot especially with developers um so next slide all right next scenario Insider threat predominantly what I dealt with
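The first scenario above is really an exercise in building the map: the registry, LNK files and jump lists show the Word document being opened, Prefetch shows PowerShell running, and event ID 4688 (with command-line auditing on) shows who spawned what. The script below is an added example, not code from the talk or from any of the tools it names. It takes a handful of constructed records shaped like a 4688 export, a Recent-folder LNK entry and a Prefetch hit, merges them into one chronological timeline, and marks the process-creation entries that deserve a closer look, including the one whose command line was never recorded. The file names, paths, timestamps and the pipe-separated export layout are all assumptions for illustration.

```python
"""Timeline a few triage artifacts from the phishing scenario (added example)."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str        # artifact the entry came from
    detail: str        # one-line human summary
    process: str = ""  # 4688 only: full path of the new process
    parent: str = ""   # 4688 only: full path of the creator process
    cmdline: str = ""  # 4688 only: recorded command line, empty if not audited


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_4688(line: str) -> Event:
    """Parse one constructed, pipe-separated 4688 export line:
    timestamp|new process path|creator process path|command line."""
    ts, proc, parent, cmd = (s.strip() for s in line.split("|", 3))
    return Event(datetime.fromisoformat(ts), "Security 4688",
                 f"{basename(parent)} -> {basename(proc)}", proc, parent, cmd)


def flag(ev: Event) -> list:
    """Reasons a process-creation entry deserves a closer look (empty otherwise)."""
    if ev.source != "Security 4688":
        return []
    reasons = []
    child, parent = basename(ev.process), basename(ev.parent)
    if parent in OFFICE and child in SCRIPT_HOSTS:
        reasons.append("Office application spawned a script host")
    if parent in SCRIPT_HOSTS and any(p in ev.process.lower() for p in USER_WRITABLE):
        reasons.append("script host launched a binary from a user-writable path")
    if not ev.cmdline:
        reasons.append("no command line recorded (command-line auditing off?)")
    return reasons


def build_timeline(events) -> list:
    """Merge entries from every artifact into one chronological list of dicts."""
    return [{"ts": ev.ts.isoformat(), "source": ev.source, "detail": ev.detail, "flags": flag(ev)}
            for ev in sorted(events, key=lambda e: e.ts)]


# Constructed sample data: what a 4688 export and two other triage artifacts
# might look like for the chain described in the talk. Paths, names and times
# are invented for illustration.
SAMPLE_4688 = [
    "2024-03-12T13:55:00|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|C:\\Windows\\explorer.exe|chrome.exe",
    "2024-03-12T14:02:08|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|C:\\Windows\\explorer.exe|WINWORD.EXE /n C:\\Users\\jdoe\\Downloads\\Invoice_0312.docm",
    "2024-03-12T14:02:41|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|powershell.exe -NoProfile -File C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage.ps1",
    # Last entry has an empty command line: the field 4688 only fills when enabled.
    "2024-03-12T14:03:05|C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe"
    "|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|",
]
SAMPLE_OTHER = [
    Event(datetime(2024, 3, 12, 14, 2, 10), "LNK (Recent)",
          "Invoice_0312.docm.lnk -> C:\\Users\\jdoe\\Downloads\\Invoice_0312.docm"),
    Event(datetime(2024, 3, 12, 14, 2, 42), "Prefetch",
          "POWERSHELL.EXE-<hash>.pf last run"),
]


def load_sample() -> list:
    return [parse_4688(line) for line in SAMPLE_4688] + SAMPLE_OTHER


if __name__ == "__main__":
    for row in build_timeline(load_sample()):
        mark = "  <-- " + "; ".join(row["flags"]) if row["flags"] else ""
        print(f"{row['ts']}  {row['source']:<13} {row['detail']}{mark}")
```

The empty command line on the last entry is the gap the talk is pointing at: a 4688 event by itself gives you the new process and its creator, but the command line is only populated when both the Process Creation audit subcategory and the "Include command line in process creation events" policy are turned on, so the timeline notes that the field is missing rather than silently treating it as benign.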

Right, so just a quick, you know, my bread-and-butter cases, where people are basically trying to steal things, or accidentally moving things by email, uploading to websites, or even just printing off data. Like, I actually had a case where a guy tried to print off like 800 pages of source code or something for their application. I'm like, dang, that is, you know, what you are trying, sir, I can at least give you that. So, next slide. But we have the same questions. Just because we have a malware, ransomware, intrusion event versus an insider threat, the questions get tweaked a little bit for contextual purposes, but really they're the same. So what if we have an insider threat: a disgruntled employee, or someone who just decides to quit and walk out with sensitive data? That's never happened to anybody before, right? Like, no one just walks in, plugs a USB in, takes all your company data or your organization's data, and walks out, or tries to print it. That doesn't happen, ever, right? No, of course it does, all the time. So again, how long should we wait before collection? As soon as we know about the activity, we should be able to do that.

Now I'll tell you some of my experience. I was working in a place where we had a full packet capture solution. Not many places have that, but we were able to acquire full network traffic, including decryption, so even if it was encrypted we could acquire the decrypted network traffic contents. Problem is retention. When you have hundreds of thousands of employees using this solution, data retention for that becomes, well, an issue. So if we get a case that came in, say, 20 days after the event actually occurred, and we only have about 26 days of retention on said solution because it has literally petabytes of data on it, by the time it hits my team and then comes and gets assigned, we're now at 23 days, and that's a Friday, and then the weekend goes by, and then I decide to look at it, well, now I may have lost that data. So again, how long you wait before we collect the data can be an issue.

Now, thinking of our triage image: let's say this person copied a lot of files to a USB drive, or tried to email them out, or whatever, like I talked about. Will the data that we collect be enough? I will tell you, more than nine times out of ten, my triage image, I never went beyond it. I know I could show their actions, and most users just keep it in their Documents folder or within their profile, and as long as they were doing that, I was collecting the whole user's profile anyway for the subject of investigation. So odds are I always had it, especially with what I called print cases, when they were just trying to print content out and steal it and all that sort of stuff; those are pretty easy to identify. But there were times where people password-protected files, and guess what, the question is, of course, like nothing's ever good enough: "I recovered the file and I figured out what they did, isn't that good enough?" They're like, "No, we want you to figure out what they used for a password." So, yeah, we had password software that could try to crack it, and it worked about 60% of the time, and that was all good. But you know what worked even more than that? Just looking through their email, because a lot of times they just emailed the password to themselves with the document, or in a separate email. I was actually more successful with finding the password in their email records than I was when I had to actually crack said file. So again, dealing with most users: people are lazy, people like convenience, and that doesn't change here. The same things occur, but I was able to build a timeline of activity.

And even better, like I like to tell people, you've got to keep pulling on that thread of an investigation. Something's going on, you can't figure something out, or something just doesn't seem right here. Like, I've had investigations that were simple: hey, I emailed this thing out, they shouldn't have done it, they should just get a slap on the wrist. All of a sudden I'm finding, oh, you actually created your own separate company and are referring yourself business from the company you're working for. Is that a problem? Not my pay grade to figure it out, but it doesn't seem okay to me. So those are things that we would identify, we would report on, and things like that. Or we had these cases where people were committing fraud, and basically what they were doing is they all kind of have their own little method, but once you figured out their MO, you could really put it together. Like we had people give quotes for competitive pricing to give themselves business, and sometimes they would fabricate it themselves. One guy, it wasn't my case but my partner's case, the guy was actually dead, and we proved that he was dead, and he was still getting quotes from the guy even though he was dead. All these sorts of things would occur, and it's just like you can't believe it. And sometimes it's very low tech: sometimes people would just forge signatures and just tape it over the signature line. You can't make this stuff up, but those sorts of things happen.

But again, going back to our question: what could we uncover? Well, we could put together the map of exactly, or within really good reason, what they interacted with, how they interacted with it, and when it occurred. And a lot of times it was open-and-shut, you know what I mean? But again, we have to ask the questions: what will happen in an hour, 12 hours, two days, two weeks, a month, etc.? The point of that question is the longer you wait to collect, the greater chance you have for evidence degradation, and when evidence degrades there could be chances where you can't prove the case, you can't prove said allegation, and then nothing happens to the person. And that can be okay. Like, I'm not trying to fire people; I was just good at firing people back in the day, it just was a thing. Although it was really rewarding when I got someone out of going to jail; that was probably one of the more rewarding things. But by and large, getting people fired was a regular daily job that I had.

All right, so again, the point is these triage images are going to be able to help you guys in, one, getting data faster, faster time to analysis. And even if you never, ever want to do forensics, you hate forensics, but you work as a system admin, someone needs to know how to do it and what to collect, because maybe you're not the guy to do the investigation, maybe you're not the guy or gal to do the analysis, but you can hand that over to law enforcement. "Hey, law enforcement, thanks for showing up a month later after our thing occurred. I took this the day after the breach." You know how they're going to thank you for that? They don't get that. Like, I talk to FDLE fairly regularly, and that just doesn't happen. So one of my missions is telling people, you need to know how to do this even if you just work in IT, because, well, go to the next slide, we'll get to the "because" here in a second.

Okay, so real quick, now we're running out of time. Is this forensically sound? I get that question. Well, the answer is, in court anyway, there's no real such thing as a sound forensic acquisition with mobile devices, because in order to acquire mobile devices nowadays, a lot of times you actually have to exploit said device, and that goes against a lot of the academic knowledge. So the important thing when it comes to quote-unquote forensically sound is documentation of your activities: how did you interact with the system, when did you interact with the system, what tools did you use, all that, because that's what's going to come into question nowadays. The whole textbook thing of, like, pull the power and everything like that, that's actually just bad for so many reasons now: full disk encryption, all that sort of stuff. That's for another talk. Next slide.

And the point: data preservation. As I just mentioned, you need to do this, so if you bring your consultant in days after, FDLE, law enforcement, FBI, Cyber Florida, I don't care who it is, you actually have a snapshot in time of some evidence. Even if some things are missing, you're going to at least probably be able to put together that map of where something existed. You can prove that something was there at one point, or that a user took this certain activity, and it's going to lend more credence, as opposed to, well, now we're 30, 60 days out, whatever, and now we're starting collection, as opposed to closer to the time of the actual event. Next slide.

All right, and then again, like I mentioned, the longer the delay, the greater the degradation of evidence, which means you're not going to find things, and that is the difference between maybe you being the hero and maybe you having an RGE, or, you know, a resume generating event. So timing is everything with that. And the quicker you get that acquisition, the more likelihood you will be able to find your artifacts and events of relevance. And next slide, that's going to be it for me, wrapping up here at 1:44. So, any questions? All right, very good. Thank you. I'll be up here for a little bit if you have any questions. Thank you.