Blue - DFIR: Digital Forensics and Incident Response
DFIR: Digital Forensics and Incident Response is a hugely important important sector of cyber security, where your everyday security analysis is take to the next level. While most security analysts will work out of a SIEM or SOAR platform, Incident Responders and Forensic analysts typically work directly with a potentially compromised device. With this, they are required to not only be familiar with a larger array of tools for analysis, but also a much stricter set of process and procedures as their actions are often subject to legal requirements.

DFIR Resource Collections

Incident Response

Resources

IR/Malware Scanners

  • โ€‹https://www.nextron-systems.com/thor/ - IR scanner with more than 12,000 handcrafted YARA signatures, 400 Sigma rules, numerous anomaly detection rules and thousands of IOCs.
    • โ€‹Loki Scanner - The free and open IOC scanner using YARA rules.
    • โ€‹Fenrir - Fenrir is a simple IOC scanner bash script. It allows scanning Linux/Unix/OSX systems for Indicators of Compromise (IOCs).
  • โ€‹ClamAV - ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats. Can be used with a USB for portable scanning of devices.
  • โ€‹Microsoft Safety Scanner - Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.
  • โ€‹gmer Rootkit scanner - An application that detects and removes rootkitsโ€‹
  • โ€‹chkrootkit - A tool to locally check for signs of a rootkit.
  • โ€‹RKHunter - scans systems for known and unknown rootkits, backdoors, sniffers and exploits.
  • โ€‹hashlookup-forensic-analyser - Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service - https://circl.lu/services/hashlookup/โ€‹
  • โ€‹pe-sieve - Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
  • โ€‹Redline by Fireeye - Redlineยฎ, FireEye's premier free endpoint security tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile.
  • โ€‹https://www.herdprotect.com/ - herdProtect is a second line of defense malware scanning platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection. As a second line of defense anti-malware solution, herdProtect is designed to run with any existing anti-virus program already installed on a user's PC. herdProtect is a free service to help user's find and remove malicious software.
  • Windows Defender Scan
    1
    "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1
    2
    "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2
    3
    "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File C:\Users\[username]\AppData\Local\Temp
    Copied!
    Note: Types are as follows
    • 1: Quick scan
    • 2: Full system scan
    • 3: File and directory custom scan

    Check Windows Defender for excluded files and default actions

    1
    reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s
    2
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
    3
    Get-MpPreference | Select Exclusion*
    4
    Get-MpPreference | Select *DefaultAction
    Copied!
  • โ€‹Crowdstrike's CrowdResponse Scanner - Static Host Data Collection Tool
1
CrowdResponse -v -i config.txt -o out.xml
Copied!
  • โ€‹Binalyze IREC Tactical - Standalone evidence collector for traditional DFIR situations. Can scan target with set YARA rules
1
IREC.exe --triage-memory
2
IREC.exe -ad "\\MACHINE\IREC-DIR" --triage-ruleset MyYaraRules --triage-memory
Copied!
1
yara32.exe -d filename=[file defined in ruleset.yar] [ruleset.yar] [file to scan]
2
yara32.exe -d filename=[svchost.exe] [ruleset.yar] -r [directory to scan]
3
yara64.exe yararule.yar -r C:
4
yara64.exe yararule.yar -r C: -f 2> $null
Copied!
  • Yara Linux
Note: -s shows matching yara strings.
1
yara rule.yara malware.exe -s
2
yara rule.yara [Directory] -s
Copied!
Depreciated Tools

Other Tools

  • Frameworks and Collections
    • โ€‹Kansa (Powershell) - A modular incident response framework in Powershell. It uses Powershell Remoting to run user contributed, ahem, user contri- buted modules across hosts in an enterprise to collect data for use during incident response, breach hunts, or for building an environmental baseline.
    • โ€‹Windows Forensic Toolchest - The Windows Forensic Toolchestโ„ข (WFT) is designed to provide a structured and repeatable automated Live Forensic Response, Incident Response, or Audit on a Windows system while collecting security-relevant information from the system.
    • โ€‹Veliciraptor - A tool for collecting host based state information.
    • โ€‹Meerkat - Meerkat is collection of PowerShell modules designed for artifact gathering and reconnaisance of Windows-based endpoints without requiring a pre-deployed agent.
  • Utility
    • โ€‹AWS_IR - Python installable command line utility for mitigation of instance and key compromises.
    • โ€‹https://processhacker.sourceforge.io/ - A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware.
    • โ€‹ADTimeline - The ADTimeline script generates a timeline based on Active Directory replication metadata for objects considered of interest.

DFIR Commands

Forensics

Guides and Resources

Tools

EricZimmermanCommandLineToolsCheatSheet-v1.0.pdf
54KB
PDF
  • Extraction Tools
    • โ€‹bulk-extractor - bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures.
    • โ€‹dumpzilla - Dumpzilla application is developed in Python 3.x and has as purpose extract all forensic interesting information of Firefox, Iceweasel and Seamonkey browsers to be analyzed.
    • โ€‹regripper - RegRipper is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.
    • โ€‹safecopy - safecopy tries to get as much data from SOURCE as possible, even resorting to device specific low level operations if applicable.
  • Browser Tools
    • โ€‹galleta - Galleta is a forensics tool that examines the content of cookie files produced by Microsoft Internet Explorer (MSIE). It parses the file and outputs a field separated that can be loaded in a spreadsheet.
    • โ€‹pasco - Pasco is a forensic tool that examines the content of cache files (index.dat) produced by Microsoft Internet Explorer.
  • Misc Utility
    • โ€‹XOR Tool - A tool to do some xor analysis: Guess the key length (based on count of equal chars) and Guess the key (base on knowledge of most frequent char)
    • โ€‹forensics-colorize - forensics-colorize is a set of tools to visually compare large files, as filesystem images, creating graphics of them. It is intuitive because the produced graphics provide a quick and perfect sense about the percentage of changes between two files.
    • โ€‹dislocker - Dislocker has been designed to read BitLocker encrypted partitions under a Linux system
    • โ€‹mac-robber - mac-robber is a digital investigation tool (digital forensics) that collects metadata from allocated files in a mounted filesystem. This is useful during incident response when analyzing a live system or when analyzing a dead system in a lab.
    • โ€‹testdisk - TestDisk checks the partition and boot sectors of your disks. It is very useful in forensics, recovering lost partitions.
    • โ€‹unhide - Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits, Linux kernel modules or by other techniques. It includes two utilities: unhide and unhide-tcp.

File Carving/Recovery

  • โ€‹Foremost: Foremost is a console program to recover files based on their headers, footers, and internal data structures.
  • โ€‹ext4magic - ext4magic can extract the information from the journal and restore files in an entire directory tree, if the information in the journal are sufficient.
  • โ€‹ext3grep - ext3grep is a simple tool intended to aid anyone who accidentally deletes a file on an ext3 filesystem, only to find that they wanted it shortly thereafter.
  • โ€‹extundelete - extundelete uses the information stored in the partitionโ€™s journal to attempt to recover a file that has been deleted.
  • โ€‹magicrescue - Magic Rescue scans a block device for file types it knows how to recover and calls an external program to extract them.
  • โ€‹myrescue - myrescue is a program to rescue the still-readable data from a damaged harddisk, CD-ROM, DVD, flash drives, etc. It is similar in purpose to dd_rescue (or ddrescue), but it tries to quickly get out of damaged areas to first handle the not yet damaged part of the disk and return later.
  • โ€‹recoverdm - recoverdm recover disks with bad sectors. You can recover files as well complete devices. In case it finds sectors which simply cannot be recovered, it writes an empty sector to the output file and continues.
  • โ€‹recoverjpeg - recoverjpeg tries to recover JFIF (JPEG) pictures and MOV movies from a peripheral. This may be useful if you mistakenly overwrite a partition or if a device such as a digital camera memory card is bogus.
  • โ€‹rifiuti2 - Rifiuti2 analyses recycle bin files from Windows. Analysis of Windows recycle bin is usually carried out during Windows computer forensics.
  • โ€‹scalpel - scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files.
  • โ€‹scrounge-ntfs - Scrounge NTFS is a data recovery program for NTFS filesystems. It reads each block of the hard disk and try to rebuild the original filesystem tree into a directory.
  • โ€‹undbx - UnDBX is a tool to extract, recover and undelete e-mail messages from MS Outlook Express .dbx files
  • RDP Cache Recovery

Forensic Imaging

  • โ€‹FTK Imager by AccessData - Create forensic images of local hard drives, CDs and DVDs, thumb drives or other USB devices, entire folders, or individual files from various places within the media.
1
ftkimager --list-drives
2
ftkimager \\.\PHYSICALDRIVE0 "[Location]\Case" --e01
3
ftkimager [source] [destination]
4
ftkimager \\.\PHYSICALDRIVE0 "[Location]\Case" --e01 --outpass securepasswordinsertedhere
Copied!
  • โ€‹DD utility - Unix disk manipulation tool
    • โ€‹dc3dd - dc3dd is a patched version of GNU dd with added features for computer forensics
    • โ€‹dcfldd - Enhanced version of dd for forensics and security
    • โ€‹ddrescue - Data recovery and protection tool
1
dd.exe --list
2
dd.exe if=/dev/<drive> of=Image.img bs=1M
3
dd.exe if=\\.\<OSDrive>: of=<drive>:\<name>.img bs=1M --size --progress
4
(LINUX) sudo dd if=/dev/<OSDrive> of=/mnt/<name>.ddimg bs=1M conv=noerror,sync
Copied!
  • โ€‹X-ways Imager - Forensic disk imaging tool. Stripped down version of the X-Ways Forensics computer forensics software with just the disk imaging functionality and little more
  • โ€‹guymager - The forensic imager contained in this package, guymager, was designed to support different image file formats, to be most user-friendly and to run really fast.

Memory Forensics

USB Analysis

MacOS

Malware Analysis

In incident response, phishing, or security monitoring scenarios, you will encounter potentially malicious files that will require in depth analysis to certify the nature of the file. These files can be as overt as an executable labeled "virus.exe" or as covert as "resume.doc". There will be instances where even after all of your analysis, you still cannot verify the nature of the document, and therefore should be considered malicious until proven otherwise.

Malware Analysis Toolsets and multi-engine scanners

Sandboxing

Outside of sandboxing, there are a host of other tools available that can perform different types of analysis on malware. There are even a few virtual machine distributions that are dedicated to malware analysis. The foremost of them are Flare-VM and Remnux. These will usually include sandboxing tools like cuckoo, code analysis tools like Snyk and Ghidra, and a host of other handy options.
Remember: it is always advised to perform your malware analysis on a virtual machine, in order to prevent unwanted accidents.

File Analysis

Resources

Reverse Engineering