Imagine this: A hacker has compromised and infiltrated your company's environment, and you’re the defender on shift. You want to find the evidence of their activities as quickly as possible, but you don’t have unlimited time!
Luckily for you, Dray Agha and Max Rogers discussed some efficient ways to find exactly what you need on our Tradecraft Tuesday episode, Quick Forensics for the Lazy Investigator.
We’ll cover some of the basic tips that Dray and Max shared to fast-track your investigation and save time when dealing with digital forensics. These techniques are perfect for busy investigators who want (or need) to move on to other things. So sit back, relax and read on if you want to accelerate your investigation process.
Tips for Digital Forensics Investigations
1. Establish a timeline of events
To begin any investigation, narrow the time window as much as possible. By limiting your investigation to this short window of time, you’ll be able to focus on what really matters.
Keep expanding the window of time if you don’t find anything telling straight away…once you identify one finding, you’ll start to uncover more and more; you can now use this to create a wider timeline of events.
This is iterative, as one thread of evidence will likely speak to other threads. You want to pull and weave threads together until you have a tapestry that best illuminates the attacker’s campaign from start to finish.
2. Collect evidence
To create a timeline of the incident, why not leverage forensic artifacts to piece everything together?
In this process, we recommend making use of the various Windows tools at your fingertips. Prefetch can list the executables the threat actor ran, but this will also feature other harmless executables—so be discerning and careful. The PowerShell console history file can reveal commands the threat actor ran but does not provide timestamps, so don’t confuse commands ran prior to the intrusion with those current. And System Resource Usage Monitor can offer insight into any network communication or data exfiltration the threat actor deployed, but this is a verbose artifact and should be approached with other threads of analysis to cut through the volume.
Using this variety of tools, you can begin to identify and forecast the threat actor's possible actions.
3. Analyze findings
Consider the method of initial access the threat actor took and close this off. Ejecting them from your environment won’t count for much if they just walk back through the front door…it’s like a game of whack-a-mole, but worse.
So instead, identify the initial access by reviewing your VPN logs, the emails and related attachments users will have received, or your RDP logs and related forensic artifacts like jump lists. You’ll then be able to see when systems were initially compromised or at least identify lateral movement.
Check Windows Event Logs
With a timeline of events in hand, it’s time to check the windows event logs (EVTXs) for suspicious activity related to the incident.
Event logs are a treasure trove of information when investigating a breach. If you collect the right ones (system, security, application, DNS, firewall, RDP [local and remote session]), you may be fortunate enough to retrieve a number of threads related to the attacker’s activities.
This could include their public IP addresses, specific timestamps of their activity, the user accounts they have compromised and controlled and initial access or persistence activities. You can use tools like Chainsaw to help you parse through logs.
Identify Lazy Patterns
Being a lazy, efficient investigator is okay because threat actors are also lazy! As Max and Dray explained in the webinar, hackers typically follow the path of least resistance. Take note of repeated actions, commands and especially tool names that threat actors fail to rename.
Often, you'll see them appearing in the same directories repeatedly—what are the chances C:\programdata should have executables in there? Although their methods will evolve over time, you can count on hackers to use the same patterns and close variations on these names, which will help your investigation.
Finalize Your Digital Forensics Investigation
Using a systematic approach in your investigation and leveraging forensic artifacts with zealous analytical rigor, you’ll wrap up your investigation and eject the adversary asap. It is not uncommon for investigators to find themselves lacking time or resources to conduct an effective digital forensics investigation. It’s okay if there are gaps in your timeline; focus on the most important things:
- Can we evidence how the threat actor got in?
- Can we evidence if the threat actor has established persistence?
- Is there any evidence suggesting the threat actor has stolen sensitive data?
- Can we verify the threat actor has been ejected for good?
- And what have we learned from this intrusion?
As defenders, the last point is crucial. Reflect with the team: were you missing a detection, was the AV excluding a directory that the threat actor worked out of, or was there a user whose VPN account did not have 2FA?
Digital forensics will help you answer all the above. If you like the sound of this, why not come and have a chat with us on Twitter? We’re always posting hot new threat intel or findings from our investigations.
If you have an hour to spare, Dray and Max recorded a whole episode on using forensics to investigate intrusions! Check out the Tradecraft Tuesday episode to learn some hot forensic tips for your next investigation.
