SANS Digital Forensics & Incident Response Summit
Day 2 notes will be published later 🧡
twitter: @DariaSec
We have compiled the most popular DFIR content, tools and resources for you. Find them in this blog: https://www.sans.org/blog/before-you-join-us-at-the-dfir-summit-read-this/
https://www.youtube.com/c/SANSDigitalForensics/videos
For everyone here, please consider being a mentor for High Schools in the CyberPatriot program - influence the next gen: https://www.uscyberpatriot.org/
DF Discord https://aboutdfir.com/a-beginners-guide-to-the-digital-forensics-discord-server/
https://www.sans.org/cyber-camp
https://www.sans.org/blog/get-techie-with-tech-tuesday-workshops/
EdX has some great courses in cybersecurity for cheap! https://www.edx.org/micromasters/ritx-cybersecurity
https://chrissanders.org/2016/05/how-analysts-approach-investigations/
How does DFIR address reliability of data? Is there a classification system?
https://www.sciencedirect.com/science/article/pii/S1742287619303147
CAI & C-Scale https://doi.org/10.1016/j.fsidi.2019.200888
https://doi.org/10.1016/j.fsidi.2019.200898
Discord for Digital Forensics: https://discord.gg/AXtT3j
If you're not part of the Solutions Track, you're part of the Problem Track.
Is there a good resource to practice on fake scenarios for those of us that can't afford the classes?
Yes! Check this out - https://github.com/stuxnet999/MemLabs
Good resources on Digital Wellbeing - https://www.cellebrite.com/en/blog/how-to-find-user-activity-using-the-digital-wellbeing-native-app/ and https://thebinaryhick.blog/2020/02/22/walking-the-android-timeline-using-androids-digital-wellbeing-to-timeline-android-activity/
Life Has No Ctrl+Alt+Del – Heather hosting with guests Rob Lee, Phil Hagen and Lee Whitfield doing an overview from the DFIR Summit. Sign up here: https://www.cellebrite.com/en/series/ctrl-alt-del/
Does anyone have a recommendation on a case management tool which is suitable for a DFIR case - especially for larger enterprises where IR teams are across organizations?
@s_u_n Black Rainbow http://www.blackrainbow.com/
https://github.com/yesinteractive/dad-jokes_microservice
https://abrignoni.blogspot.com/
https://github.com/abrignoni/ALEAPP
No matter WHAT your passion is, there's a way you can use your unique knowledge and skills to bring about change for causes you believe in.
https://www.winitor.com/references
https://www.winitor.com/articles
https://github.com/fireeye/capa
Do check out https://know.netenrich.com/content/search/VPN%20threat to get more insights!
Reminds me of pspy, which can be used for privilege escalation on Linux
https://github.com/DominicBreuker/pspy
Matt Mitchell
A DFIRent Side of DFIR: Forensicating for Black Lives and Other Social Justice Issues
https://medium.com/@geminiimatt/whoami-a513e9e4c02f
https://medium.com/@geminiimatt/how-to-reach-me-securely-80d69a5ce38e
https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/
https://holistic-security.tacticaltech.org/
https://www.fordfoundation.org/
Michael Kimmel: Why gender equality is good for everyone — men included
TacticalTech has a great resource that educates young people on digital privacy, security, wellbeing and misinformation - critical when they rely so much on remote social connections these days.
Check it out: https://datadetoxkit.org/en/families/datadetox-x-youth
https://foundation.mozilla.org/en/
https://en.wikipedia.org/wiki/Wire_(software)
OSINT investigation work could be a path that can assist those impacted by social injustice, or victims.
https://internetfreedomfestival.org/
TraceLabs is doing great work in the OSINT for good space - https://www.tracelabs.org/ they have CTFs and training regularly
@Michael Slack I think that's a great point, but from personal experience, even getting into the small projects is hard.
@hexsaw I think of it a bit like Open Source projects. Not everyone needs to be a coder to help. Even if it is "just" editing documentation, you are contributing to the project. So, helping in those more mundane areas may help earn the respect for your commitment where you're asked to do more. Perhaps not the best analogy, but good point hexsaw.
I hadn't considered volunteering in DFIR before, but I will now. Lots of orgs, especially those pertaining to protection of children, I'd love to assist. Many thanks for the ideas.
https://safeescape.org/
Lodrina Cherne (SANS): I have volunteered with them - I can provide an intro
https://www.ngoisac.org/ is down; it's currently run on a Slack. Contact the amazing folks that run it at [email protected]
geminiimatt / matt mitchell
Are there any organizations or ways to provide comprehensive security training to activists on the ground / communities directly impacted by what's being organized around? Like, for those of us who aren't impacted by the inequities being fought against, we'll never fully be able to understand those communities' needs, and I'd imagine it would be more effective to remove "gatekeepers" to security, and ensure that folks don't need to rely on a non-profit industrial complex to keep themselves secure?
matt mitchell: YES! There are programs I am working on NOW to build that infrastructure on the ground LOCALLY. In the meanwhile look to groups like accessnow.org, frontlinedefenders.org, defenddefenders.org and more who have a network of local talent in different regions.
I never tagged my question (genius!) So, I am reposting... haha. Great presentation by the way! I would love to get involved, but I am a fresh graduate and I'm not really sure what I have to offer. What level of experience are these organizations generally looking for?
matt mitchell: All levels, including "no previous experience". We want to grow the field. Look at fellowships, sponsorships, and partnerships. Look into Citizen Clinic at Berkeley's CLTC. https://medium.com/cltc-bulletin/introducing-the-citizen-clinic-cybersecurity-education-center-28aa18084334
Will be looking through any links posted as well, but does anyone have particular charities/organisations that are looking for OSINT people? I am aware of Trace Labs but would like to see more general civil justice things too
matt mitchell: It's always needed. There is a lot of fake news, misinformation, and also threat analysis that is done with OSINT in this space.
Yeah true! Just looking for something to do it in a more organised way. I know of Bellingcat, but other than that it seems like the community's more active separately on Twitter
matt mitchell: I have friends at Bellingcat. There are other collections of OSINT folks. At Tactical Tech I did the security edits on this guide, encouraging folks to be investigators and form their own outfits. https://kit.exposingtheinvisible.org/en/
Lee Whitfield
Just Forensics, Mercifull
- First, educate from the real world
  - Talk with defenders and attorneys; ask what they need
- Second, allocate X amount of hours
- Get involved on a community level
  - Teach how to stay safe online in schools
Lee spoke about Bryan Stevenson and the Innocence Project. As a football fan I loved the movie about Brian Banks, which is also the title.
Bryan and his group helped free him. No digital forensics involved, but still great since he mentioned Bryan and that group
Just Mercy film and book
Equal Justice Initiative
Some of these questions are hard to answer as I'm just getting started myself. But, working for organizations is tough because they have their own set of values, investors and clients. All you can do is ask. If they say no, find another way to help. Go speak at events to increase awareness, etc.
The Legal Aid Society
Center for Cyber Safety and Education
SANS
Hackers for Charity
The CyberSecurity Forum Initiative
Human Rights Initiative of North Texas
Human Rights First
Dallas Volunteer Attorney Program
CAIR Texas
Do SANS instructors offer forensics pro bono? I recall one offering to be an expert for Marcus Hutchins.
One org to share: EFF Cooperating Technologists are often looking for forensic help https://www.eff.org/about/opportunities/volunteer
https://www.magnetforensics.com/blog/giving-back-in-dfir/
bcarrier
Motivated by this talk, I'm going to extend the free Autopsy training to public defenders in addition to law enforcement!
Jessica Hyde
I wrote a post with some specific organizations you can help with and about the DFIR Hierarchy of Needs a while back https://www.magnetforensics.com/blog/giving-back-in-dfir/
Also check out the talk from @Daryl Pfeif tomorrow afternoon
Brian Carrier
Using Big DFIR Data in Autopsy and Other Tools
Motivated by Lee Whitfield's talk, I'm going to extend the free Autopsy training to public defenders in addition to law enforcement!
https://www.autopsy.com/support/training/
Hey all, you can download Cyber Triage here if you're interested to try it out! https://www.cybertriage.com/download-eval/
The mention of the global repository for file hashes reminds me of MISP (https://www.misp-project.org/). Also a really cool project
bcarrier
With its apparent vast analytic capability, could you briefly share your thoughts as to how Autopsy could best be used as an information security audit tool - just a simple example if possible.
- Out of the box, Autopsy isn't really set up to be an audit tool. You can run it on a system and manually review settings and such. But there is nothing special in it for that. I think of Cyber Triage as our solution more for audit, since it focuses more on the security-related artifacts.
Can you also create an allow case where it ignores recurring FPs?
- There isn't currently an explicit "ignore this moving forward" feature, but it's on the roadmap.
Is Cyber Triage an agent based tool or does the information come to it in some other way? Thanks, this event is awesome.
- It's "agentless". It's got a single Windows executable collection tool that grabs volatile and file system artifacts. You can run it remotely via PsExec, PowerShell, or your EDR. Or, run it from a USB / network share. It supports a bunch of ways of getting data from the endpoints.
How do you correlate polymorphic files?
- We don't have a good solution for this yet. But, are looking at ssdeep, tlsh, imphash, etc. They are just much slower to lookup than SHA256, etc.
Is it possible to make Autopsy utilise multiple CPU cores?
- Yes, you can configure how many ingest threads are used. A caveat though is that Solr and reading disk images are usually the bottlenecks. The release in the Fall should be much faster with Solr though.
How would cyber triage fit in an examiner’s toolbox/workflow that contains a platform such as X-Ways?
- I haven't used X-Ways in a while, but off the top of my head:
  - Cyber Triage has a live collection tool to grab artifacts and files related to intrusions.
  - Cyber Triage scores artifacts based on how likely they are to be associated with an intrusion.
  - Cyber Triage has the correlation databases to show you how common or rare an artifact is.
- Basically, I view X-Ways in the same category as Autopsy as a general-purpose forensics tool. Cyber Triage is hyper-focused on intrusions and makes it easier to focus on users and malware.
I have a question about the Global Repository. If my coworkers and I are working in a localized environment (i.e. each workstation is isolated), can we sync our localized Global Repositories to a master GR, and when we do, does the GR automatically dedup all incoming data?
- For Cyber Triage, you can access it offline. We allow you to export the hash value to a JSON file, copy them to an internet-connected computer, upload the hashes to the repo, get results as JSON, and import them back in. We don't support an on-prem version.
When will more work be done on STIX with Autopsy?
- I honestly didn't know anyone was using that module. :). What would you like done?
When can we expect it to support LVM filesystems for Linux analysis?
- We added in a new "Layer" into TSK this past year as part of the APFS donation from BlackBag. That pool layer was designed to be used for LVM and LDM. Hopefully we'll have it in the next year.
If it crashes, does it pick up at the last saved position or does it start everything from scratch?
- From scratch. Sorry.
Will it store some sort of timeline with when it sees each hash?
- The Autopsy Central Repository doesn't store a time stamp with each hash. It does for the case, which could be good enough. I think the Cyber Triage Global Repository also has a time stamp for each hash.
Supported inputs to Cyber Triage are:
- Output from its collection tool on a live system (we have folks who run it via EnCase Enterprise, EDR, etc.)
- Disk image (our collection tool is based on The Sleuth Kit so that we can access locked files, etc., so we can also take in raw/E01 files)
- Memory image. We run a set of Volatility commands on the data to simulate our collection tool.
Jessica Hyde, Aaron Sparling
Making Memories: Using Memory Analysis for Faster Response to User Investigations
https://drive.google.com/drive/folders/1DqP9vZLkUNT3644__P17cAWf1MS4RbYH
unsure if there's a recording, forensic focus sometimes posts recordings so may be worth checking there
https://dfrws.org/presentation/memory-forensics-as-triage-analysis-2/
Ulf Frisk’s MemProcFS FTW!
https://github.com/ufrisk/MemProcFS
you can watch Alissa's talk on process memory analysis: https://www.youtube.com/watch?v=pKQ_Io_8lTc
https://github.com/stuxnet999/MemLabs
Here are my writeups for MemLabs; I hope it will be useful for someone. https://bolisettynihith.github.io/categories/Memlabs/
Aaron had an amazing talk at DFRWS US 2019. His triage techniques that he mentioned during that talk had me taking pages of notes and implementing them into my workflows. https://dfrws.org/presentation/memory-forensics-as-triage-analysis-2/
Matthew Seyer, David Cowen
Did I Do That? Understanding Action and Artifacts in Real Time
Methodologies:
- Before and After = Collection/Parsing = Collect, Parse, Differential
- Live Monitoring = Watch File, System Events = Process, Monitor
- Hybrid = Monitor for understanding and Monitor for Triggering
https://github.com/forensicmatt/RsWindowsThingies
https://github.com/forensicmatt/PyWindowsThingies
You can call Windows APIs and get callbacks for:
- USN listening
- MFT listening
- Registry
ANJP
Eric Zimmerman (SANS): I just mentioned ANJP on the IACIS list this morning!
Eric Zimmerman (SANS): the only thing standing between you and the NTFS source code is a USB drive and significant jail time
Jim Clausing
If at First You Don’t Succeed, Try Something Else
CyberChef
You can download the offline version
Awesome tool, definitely download it and use it offline
PEStudio
Is PEStudio similar to Process Explorer?
Jim Clausing: No, PEStudio is a static analysis tool: drop an executable or DLL and find lots of info about the structure and what Marc Ochsenmeier finds suspicious about it, without running it. Process Explorer is a beefed-up Task Manager; it shows you the running processes and some info about them.
XOR and Base64 are the most common encoding-based obfuscation techniques
Then you can apply multiple obfuscation layers by using token-level or AST-based obfuscation techniques, for example in PowerShell
Ciphey is pretty great too: https://github.com/Ciphey/Ciphey
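The layered Base64 + XOR obfuscation described above, as an added example that is not part of the original notes or any speaker's tooling: a small Python deobfuscator that peels alternating Base64 and single-byte XOR layers off a constructed sample. The sample text and the key 0x5A are made up for this example; it does not attempt multi-byte keys or compression layers.

```python
import base64
import re
import string

# Constructed sample (not from any real case): benign text wrapped in three layers,
# base64( xor_0x5A( base64(text) ) ), mimicking layered encoding-based obfuscation.
SAMPLE_TEXT = b"hello from the summit notes"
SAMPLE_KEY = 0x5A
PRINTABLE = set(string.printable.encode())
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)

def build_sample() -> bytes:
    # The obfuscated blob an analyst might be handed.
    return base64.b64encode(xor_bytes(base64.b64encode(SAMPLE_TEXT), SAMPLE_KEY))

def looks_printable(data: bytes) -> bool:
    return len(data) > 0 and all(b in PRINTABLE for b in data)

def try_base64(data: bytes):
    """Strict base64 check (alphabet, padded length, clean decode); None if it fails."""
    if len(data) % 4 != 0 or not B64_RE.match(data):
        return None
    try:
        return base64.b64decode(data, validate=True)
    except ValueError:
        return None

def try_single_byte_xor(data: bytes):
    """Brute-force all 255 keys. Prefer a key whose output is itself valid base64 that
    decodes to printable text (a tell-tale of a further layer); else the first printable hit."""
    fallback = None
    for key in range(1, 256):
        cand = xor_bytes(data, key)
        if not looks_printable(cand):
            continue
        inner = try_base64(cand)
        if inner is not None and looks_printable(inner):
            return key, cand
        if fallback is None:
            fallback = (key, cand)
    return fallback

def peel_layers(blob: bytes, max_layers: int = 8):
    """Strip alternating base64 / single-byte-XOR layers until readable text remains.
    Returns (layers, payload), e.g. ([("base64", None), ("xor", 90), ...], b"...")."""
    layers, cur = [], blob
    for _ in range(max_layers):
        decoded = try_base64(cur)
        if decoded is not None:
            layers.append(("base64", None))
            cur = decoded
            continue
        if looks_printable(cur):
            break  # readable and not base64: treat as the final payload
        hit = try_single_byte_xor(cur)
        if hit is None:
            break  # unknown layer (multi-byte key, compression, ...): stop here
        layers.append(("xor", hit[0]))
        cur = hit[1]
    return layers, cur
```

Running `peel_layers(build_sample())` records each layer it removed, which is the same trail an analyst would otherwise reconstruct by hand in CyberChef.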
Ryan Benson
Extract and Visualize Data from URLs Using Unfurl
Unfurl
https://github.com/obsidianforensics/unfurl
Never used Unfurl before, but can it support redirects based on URLs and keep unfurling?
If the redirect URL is encoded in the original URL, it will. It will only call out to get a redirect URL in the case of those allowed URL shorteners.
Right now the CLI tool just has the text-tree version, but it would be easy to expand to others. It uses JSON behind the scenes for the web version and vis.js for the display.
https://visjs.github.io/vis-network/docs/network/
And in case you really want the 3D / VR version, here's a link and gif:
https://twitter.com/_RyanBenson/status/1252264369439666177
Sarah Konunchuk, Andrew Konunchuk
Forensic Marriage: The Love/Hate Relationship Between eDiscovery and DFIR
No one moves from DFIR to eDiscovery, but everyone moves from eDiscovery to DFIR
Digital Forensics & Incident Response
Areas: LE, Government, IR, Consulting
Knowledge: Mobile, Network
Jessica Hyde: Interesting talk about this from Warren Kruse and Bobby Kruse, "Not Your Father's Forensics" (father and son who work separately), at MVS2020. They discuss some of the technology from eDisco that can and should be used in DFIR. https://www.magnetforensics.com/resources/magnet-virtual-summit-not-your-fathers-forensics-recording-may-14/
For those with an interest in eDiscovery, Edmonds College has a new class on eDiscovery for IT professionals. I'm only one session in, but it's been good stuff so far. (Edmonds also has a digital forensics program.)
Frank McClain
What the DLL is Happening? A Practical Approach to Identifying SOH.
- Can a SHA-256 encryption, tied to the Windows license, be used for the required DLL files, and then have that put into a file that only the kernel has access to? This would build a "white list" for all DLLs required on the system to perform legitimate functions. My thoughts are that every legitimate DLL should have a predicted outcome from a hash or encryption algorithm.
So, thinking along the same lines as requiring signed drivers on 64-bit systems? Besides obviously having to be implemented, mandated, and enforced by the OS, that would probably help mitigate to a degree. As we all know, that type of thing is still only a temporary roadblock to threat actors.
Where there's a security control, there's a way around it, lol. Probably brings us back around to the other detection techniques - when mitigation/prevention fails or can't go far enough, we have to be able to identify when it happens.
Michael Gough
You Need a PROcess to Check Your Running Processes and Modules. The Bad Guys, and Red Teams are Coming After Them!
https://MalwareArchaeology.com
https://www.malwarearchaeology.com/cheat-sheets
The Incident Response Podcast
Fileless malware can only be found in the memory of a running system, not as a file (Malware + Memory = Memware)
For example:
- Regware = malware + payload in the registry
- Downloadware = generated on the fly, autorun/ASEP
However, not all malware will have an autorun/ASEP, or it may have been deleted
So what is in memory may be all that we can see
Traditional forensics has us dumping a memory image and running tools like Volatility against it
Windows Logging Cheat Sheet(s)
Enable 'Process Command Line' collection
GRR + Rekall --> Velociraptor
Not easily. We're collecting to Azure Log Analytics using the MMA agent
What are people using for collecting Win10 memory? I have tried Volatility and have found that it can't deal with the newer Win10 systems
Do you mean the analysis?
And part 2 - https://www.fireeye.com/blog/threat-research/2019/08/finding-evil-in-windows-ten-compressed-memory-part-two.html
I have gotten away from EventID 4688 and gone to Sysmon with a highly customized XML configuration file. Sysmon is more configurable than the standard Windows Event log
For Linux, checking /dev/shm is also interesting... enabling auditd for execve is important (also taking that OUT of the system via SIEM or rsyslog). execve will let you know what was running and from where. We've been able to even reconstruct source code of malware compiled on the box.
check out Hal Pomeranz Linux forensics stuff... it's great
Volatility all the things and the books associated with it will teach you a LOT
Never tried doing memory forensics. What are people using to get started? Resources?
- https://www.amazon.com/Art-Memory-Forensics-Detecting-Malware/dp/1118825098
- SANS InfoSec Skills has some great courses
- Check out 13cubed channel on youtube for memory forensics
- Came across this channel the other day too and it's pretty good. Not a lot of posts yet though. https://www.youtube.com/watch?v=eQVsx5kr0bk
- Introduction to Memory Forensics
Look at ARTHIR.com for the WinRM tool and all their modules of what it can do... and RTFM
Do EDRs look for the core system file names showing up in nonstandard folders? (i.e. explorer.exe and svchost.exe in SYSWOW)
Michael Gough: 4688 is the ID you want; you have to set a GPO to turn it on so it can be collected by ATP.
I even believe it's best practice to watch this event ID.
You have to enable items in GPO to record 4688 and to enable Process Command Line, and then the agent can collect the data for you in ATP.
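The question above about core system file names showing up in nonstandard folders, as an added example that is not part of the original notes or Michael Gough's material: a Python check that normalises the image path from a Security 4688 "New Process Name" or Sysmon Event ID 1 "Image" field and flags core binaries running outside their expected directory. The expected-directory table (a default C:\Windows install) and the sample events are constructed for this example.

```python
import ntpath

# Expected homes of a few core Windows binaries (lower-case, no trailing slash).
# Assumption for this example: a default C:\Windows install; extend for your estate.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
}

def normalize(path: str) -> str:
    """Lower-case, use backslashes, trim whitespace, drop an NT-style \\??\\ prefix."""
    p = path.strip().replace("/", "\\").lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p

def check_image_path(path: str):
    """Return a reason if a core binary's name runs from an unexpected directory,
    else None (names not in the table are not judged here)."""
    directory, name = ntpath.split(normalize(path))
    expected = EXPECTED_DIRS.get(name)
    if expected is None or directory in expected:
        return None
    return f"{name} launched from '{directory or '<none>'}', expected one of {sorted(expected)}"

# Constructed sample events (not real telemetry) shaped like Security 4688
# "New Process Name" and Sysmon Event ID 1 "Image" fields.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\SysWOW64\svchost.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Users\Public\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\explorer.exe"},
    {"EventID": 1, "Image": r"C:/Windows/EXPLORER.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\lsass.exe"},
]

def image_of(event: dict) -> str:
    """Pick the image path field regardless of which log source produced the event."""
    return event.get("NewProcessName") or event.get("Image") or ""

def find_masquerading(events):
    """Return [(event, reason)] for every event whose image fails the path check."""
    hits = []
    for ev in events:
        reason = check_image_path(image_of(ev))
        if reason:
            hits.append((ev, reason))
    return hits
```

Three of the seven sample events are flagged; the mixed-case, forward-slash explorer.exe path is correctly accepted once normalised.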