Blue - DFIR: Digital Forensics and Incident Response

DFIR: Digital Forensics and Incident Response is a hugely important important sector of cyber security, where your everyday security analysis is take to the next level. While most security analysts will work out of a SIEM or SOAR platform, Incident Responders and Forensic analysts typically work directly with a potentially compromised device. With this, they are required to not only be familiar with a larger array of tools for analysis, but also a much stricter set of process and procedures as their actions are often subject to legal requirements.

DFIR Resource Collections

• DFIR Compendium - The Definitive Compendium Project Digital Forensics & Incident Response

• Infosec Reference: DFIR - Massive collection of DFIR guides, articles, and tools

• https://start.me/p/jj0B26/dfir - Collection of more DFIR resources

• https://www.jaiminton.com/cheatsheet/DFIR/ - Huge collection of DFIR commands and methodology

• Training

  • DFIR Traning - Tools, resources, and training classes for DFIR professionals

  • https://dfirmadness.com/ - Collection of training use cases to hone your DFIR skills

Incident Response

Guides and Resources

• Awesome Lists Collection: Incident Response

• ATC React - The RE&CT Framework is designed for accumulating, describing and categorizing actionable Incident Response techniques. It can be used for prioritization of Incident Response capabilities development, including skills development, technical measures acquisition/deployment, internal procedures development, etc, as well as gap analysis to determine "coverage" of existing Incident Response capabilities.

  • https://github.com/atc-project/atc-react

  • https://github.com/atc-project/atc-data

• https://github.com/certsocietegenerale/IRM - CERT Societe Generale Incident Response Methodologies 2022

• SANS Incident Handlers Handbook

• Exabeam Incident Response Guide

• NIST 61 R2 - Computer Security Incident Handling Guide

• https://zeltser.com/ddos-incident-cheat-sheet/

• https://gitlab.com/syntax-ir/playbooks#ir-playbooks - Public IR playbooks

• https://learn.microsoft.com/en-us/security/compass/incident-response-playbooks

  • Azure-AD-Incident-Response-PowerShell-Module

  • https://m365internals.com/2021/04/17/incident-response-in-a-microsoft-cloud-environment/

• BTFM: Incident Response checklist - pg. 109

• BTFM: Remediation Tasks - pg. 112

• (BTHb: INRE): Incident Response Steps - pg. 5

IR Report Writing

• https://github.com/cyb3rfox/Aurora-Incident-Response - Incident Response Documentation made easy. Developed by Incident Responders for Incident Responders

• PagerDuty Incident Response processes and document templates

• Zeltser Incident Survey CheatSheet

• https://zeltser.com/cyber-threat-intel-and-ir-report-template/

• (BTHb: INRE): Incident Response Template - pg. 24

Misc

• DNSDB for Incident Response - https://info.farsightsecurity.com/passive-dns-incident-response-ebook

• Let's Defend: Build your own IR tool guide

• https://training.fema.gov/is/courseoverview.aspx?code=IS-100.c - Introduction to the Incident Command System, introduces the Incident Command System (ICS) and provides the foundation for higher level ICS training.

• Incident Response in a Microsoft cloud environment

Training

• Incident Response Challange - IR CTF Style Training Scenarios

IR/Malware Scanners

Frameworks/Collections

• Kansa (Powershell) - A modular incident response framework in Powershell. It uses Powershell Remoting to run user contributed, ahem, user contri- buted modules across hosts in an enterprise to collect data for use during incident response, breach hunts, or for building an environmental baseline.

• Windows Forensic Toolchest - The Windows Forensic Toolchest™ (WFT) is designed to provide a structured and repeatable automated Live Forensic Response, Incident Response, or Audit on a Windows system while collecting security-relevant information from the system.

• Veliciraptor - A tool for collecting host based state information.

  • Velociraptor Deep Dive Video training

• Meerkat - Meerkat is collection of PowerShell modules designed for artifact gathering and reconnaisreconnaissanceance of Windows-based endpoints without requiring a pre-deployed agent.

• https://www.cadosecurity.com/cado-community-edition/ - The Cado Community Edition leverages the scale and speed of the cloud to simplify deep-dive investigations. With the free community edition, data can be processed in minutes compared to days when using traditional methods. Stop wasting time, money, or effort. Achieve forensic-level detail without forensic-level effort. Only Cado empowers the security community to investigate and respond at cloud speed.

Malware/AV Scanners

• MalwareBytes IR Scanner

  • https://www.malwarebytes.com/pdf/datasheets/mbirdatasheet.pdf

• ClamAV - ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats. Can be used with a USB for portable scanning of devices.

• Microsoft Safety Scanner - Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.

• hashlookup-forensic-analyser - Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service - https://circl.lu/services/hashlookup/

• Redline by Fireeye - Redline®, FireEye's premier free endpoint security tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile.

• https://www.herdprotect.com/ - herdProtect is a second line of defense malware scanning platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection. As a second line of defense anti-malware solution, herdProtect is designed to run with any existing anti-virus program already installed on a user's PC. herdProtect is a free service to help user's find and remove malicious software.

  • https://www.herdprotect.com/knowledgebase.aspx

• Windows Defender Scan

  "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1
  "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2
  "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File C:\Users\[username]\AppData\Local\Temp

  Note: Types are as follows

  • 1: Quick scan

  • 2: Full system scan

  • 3: File and directory custom scan

  Check Windows Defender for excluded files and default actions

  reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s
  Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
  Get-MpPreference | Select Exclusion*
  Get-MpPreference | Select *DefaultAction

• Crowdstrike's CrowdResponse Scanner - Static Host Data Collection Tool

CrowdResponse -v -i config.txt -o out.xml

• CobaltStrikeScan - Scan files or process memory for CobaltStrike beacons and parse their configuration.

• pe-sieve - Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

  • https://hshrzd.wordpress.com/pe-sieve/

• gmer Rootkit scanner - An application that detects and removes rootkits

• chkrootkit - A tool to locally check for signs of a rootkit.

  • https://www.kali.org/tools/chkrootkit/

• RKHunter - scans systems for known and unknown rootkits, backdoors, sniffers and exploits.

  • https://www.kali.org/tools/rkhunter/

Yara Scanners

pageYARA

• Yara

yara32.exe -d filename=[file defined in ruleset.yar] [ruleset.yar] [file to scan]
yara32.exe -d filename=[svchost.exe] [ruleset.yar] -r [directory to scan]
yara64.exe yararule.yar -r C:
yara64.exe yararule.yar -r C: -f 2> $null

• Yara Linux

  • Note: -s shows matching yara strings.

yara rule.yara malware.exe -s
yara rule.yara [Directory] -s

• https://www.nextron-systems.com/thor/ - IR scanner with more than 12,000 handcrafted YARA signatures, 400 Sigma rules, numerous anomaly detection rules and thousands of IOCs.

  • Loki Scanner - The free and open IOC scanner using YARA rules.

  • Fenrir - Fenrir is a simple IOC scanner bash script. It allows scanning Linux/Unix/OSX systems for Indicators of Compromise (IOCs).

• Binalyze IREC Tactical - Standalone evidence collector for traditional DFIR situations. Can scan target with set YARA rules

IREC.exe --triage-memory
IREC.exe -ad "\\MACHINE\IREC-DIR" --triage-ruleset MyYaraRules --triage-memory 

Scanning Utilities

• AWS_IR - Python installable command line utility for mitigation of instance and key compromises.

• https://processhacker.sourceforge.io/ - A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware.

• ADTimeline - The ADTimeline script generates a timeline based on Active Directory replication metadata for objects considered of interest.

• Azure-AD-Incident-Response-PowerShell-Module - The Azure Active Directory Incident Response PowerShell module provides a number of tools, developed by the Azure Active Directory Product Group in conjunction with the Microsoft Detection and Response Team (DART), to assist in compromise response.

  • https://www.powershellgallery.com/packages/AzureADIncidentResponse/

DFIR Commands

pageInteract with remote machinepageWindows System EnumerationpageWindows Process InformationpageWindows DFIR CheckspageWindows DFIR Check by MITRE TacticpageWindows Event LogspageWindows Remediation CommandspageIR Event Log CheatsheetpageLinux DFIR CommandspageMacOS DFIR Commands

Forensics

Guides and Resources

• Awesome Lists Collection: Forensics

• DFIR artifact repository

• https://tryhackme.com/room/windowsforensics1

• Cheatsheets

  • Zeltser Critical Log Cheatsheet

  • SANS Forensics Cheatsheets

• Triage and Order of Volatility

  • RFC - 3227: Order of Volatility

  • (BTHb: INRE): Order of Volatility - pg. 29

  • BTFM: Live Triage - pg. 60

Forensic OS/VM

• https://www.sans.org/tools/sift-workstation - The SIFT Workstation is a collection of free and open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings. It can match any current incident response and forensic tool suite.

  • SANS DFIR Posters and Cheat Sheets

  • How To Mount a Disk Image In Read-Only Mode

  • How To Create a Filesystem and Registry Timeline

  • How To Create a Super Timeline

  • SIFT Workstation YouTube Series

  • FOR508 - Advanced Incident Response

• https://tsurugi-linux.org/ - 64 bit Linux version to perform digital forensics analysis and OSINT research.

  • tsurugi_acquire - a lightweight and streamlined version of Tsurugi Linux [LAB], aimed at providing the basic tools needed to boot a PC and acquire mass storage devices.

  • bento - a portable toolkit designed for live forensics and incident response activities.

  • https://tsurugi-linux.org/documentation_tsurugi_linux_tools_listing_2021.php

Forensic Frameworks

• Autopsy forensic framework - Autopsy is the premier open source forensics platform which is fast, easy-to-use, and capable of analyzing all types of mobile devices and digital media

  • https://dfir-training.basistech.com/

  • https://www.aldeid.com/wiki/Autopsy

  • https://tryhackme.com/room/autopsy2ze0

• X-Ways Forensic Toolkit - X-Ways Forensics is an advanced work environment for computer forensic examiners

  • https://www.x-ways.net/forensics/x-tensions/ - X-Ways plugin tools

  • https://github.com/CrowdStrike/xwf-yara-scanner - YARA Scanner Plugin

  • X-ways Imager - Forensic disk imaging tool. Stripped down version of the X-Ways Forensics computer forensics software with just the disk imaging functionality and little more

• Forensic Tool Kit (FTK) - Premium forensics suite that can perform imaging, file decryption, registry parsing, and much more.

  • FTK Imager by AccessData - Create forensic images of local hard drives, CDs and DVDs, thumb drives or other USB devices, entire folders, or individual files from various places within the media.

• sleuthkit - The Sleuth Kit, also known as TSK, is a collection of UNIX-based command line file and volume system forensic analysis tools. The filesystem tools allow you to examine filesystems of a suspect computer in a non-intrusive fashion. Because the tools do not rely on the operating system to process the filesystems, deleted and hidden content is shown.

  • http://www.sleuthkit.org/sleuthkit/

• NTDSxtract - Active Directory forensic framework

• linux-explorer - Easy-to-use live forensics toolbox for Linux endpoints

  • Installation and Configuration Video

• GRR - GRR Rapid Response is an incident response framework focused on remote live forensics.

• PowerForensics - An all inclusive framework for hard drive forensic analysis. PowerForensics currently supports NTFS and FAT file systems, and work has begun on Extended File System and HFS+ support.

  • https://powerforensics.readthedocs.io/en/latest/

  • https://devblogs.microsoft.com/powershell/powershell-the-blue-team/

• Eric Zimmerman's toolset - SANS instructor and former FBI Forensics expert Eric Zimmerman has created a list of his favorite tools for public use and reference.

  • https://cyberforensicator.com/2017/04/04/a-guide-to-eric-zimmermans-command-line-tools/

  • KAPE - lets forensic teams collect and process forensically useful artifacts within minutes.

    • https://github.com/AndrewRathbun/Awesome-KAPE

    • https://ericzimmerman.github.io/KapeDocs/#!index.md

54KB

EricZimmermanCommandLineToolsCheatSheet-v1.0.pdf

pdf

Extraction Tools

• bulk-extractor - bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures.

• dumpzilla - Dumpzilla application is developed in Python 3.x and has as purpose extract all forensic interesting information of Firefox, Iceweasel and Seamonkey browsers to be analyzed.

• regripper - RegRipper is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.

• safecopy - safecopy tries to get as much data from SOURCE as possible, even resorting to device specific low level operations if applicable.

Browser Tools

• galleta - Galleta is a forensics tool that examines the content of cookie files produced by Microsoft Internet Explorer (MSIE). It parses the file and outputs a field separated that can be loaded in a spreadsheet.

• pasco - Pasco is a forensic tool that examines the content of cache files (index.dat) produced by Microsoft Internet Explorer.

Misc Utility

• XOR Tool - A tool to do some xor analysis: Guess the key length (based on count of equal chars) and Guess the key (base on knowledge of most frequent char)

• forensics-colorize - forensics-colorize is a set of tools to visually compare large files, as filesystem images, creating graphics of them. It is intuitive because the produced graphics provide a quick and perfect sense about the percentage of changes between two files.

• dislocker - Dislocker has been designed to read BitLocker encrypted partitions under a Linux system

• mac-robber - mac-robber is a digital investigation tool (digital forensics) that collects metadata from allocated files in a mounted filesystem. This is useful during incident response when analyzing a live system or when analyzing a dead system in a lab.

• testdisk - TestDisk checks the partition and boot sectors of your disks. It is very useful in forensics, recovering lost partitions.

• unhide - Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits, Linux kernel modules or by other techniques. It includes two utilities: unhide and unhide-tcp.

File Carving/Recovery

• Foremost: Foremost is a console program to recover files based on their headers, footers, and internal data structures.

• ext4magic - ext4magic can extract the information from the journal and restore files in an entire directory tree, if the information in the journal are sufficient.

• ext3grep - ext3grep is a simple tool intended to aid anyone who accidentally deletes a file on an ext3 filesystem, only to find that they wanted it shortly thereafter.

• extundelete - extundelete uses the information stored in the partition’s journal to attempt to recover a file that has been deleted.

• magicrescue - Magic Rescue scans a block device for file types it knows how to recover and calls an external program to extract them.

• myrescue - myrescue is a program to rescue the still-readable data from a damaged harddisk, CD-ROM, DVD, flash drives, etc. It is similar in purpose to dd_rescue (or ddrescue), but it tries to quickly get out of damaged areas to first handle the not yet damaged part of the disk and return later.

• recoverdm - recoverdm recover disks with bad sectors. You can recover files as well complete devices. In case it finds sectors which simply cannot be recovered, it writes an empty sector to the output file and continues.

• recoverjpeg - recoverjpeg tries to recover JFIF (JPEG) pictures and MOV movies from a peripheral. This may be useful if you mistakenly overwrite a partition or if a device such as a digital camera memory card is bogus.

• rifiuti2 - Rifiuti2 analyses recycle bin files from Windows. Analysis of Windows recycle bin is usually carried out during Windows computer forensics.

• scalpel - scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files.

• scrounge-ntfs - Scrounge NTFS is a data recovery program for NTFS filesystems. It reads each block of the hard disk and try to rebuild the original filesystem tree into a directory.

• undbx - UnDBX is a tool to extract, recover and undelete e-mail messages from MS Outlook Express .dbx files

• RDP Cache Recovery

  • https://github.com/BSI-Bund/RdpCacheStitcher/ -A tool that supports forensic analysts in reconstructing useful images out of RDP cache bitmaps

  • https://github.com/ANSSI-FR/bmc-tools/ - RDP Bitmap Cache parser

Forensic Imaging

• FTK Imager by AccessData - Create forensic images of local hard drives, CDs and DVDs, thumb drives or other USB devices, entire folders, or individual files from various places within the media.

ftkimager --list-drives
ftkimager \\.\PHYSICALDRIVE0 "[Location]\Case" --e01
ftkimager [source] [destination]
ftkimager \\.\PHYSICALDRIVE0 "[Location]\Case" --e01 --outpass securepasswordinsertedhere 

• DD utility - Unix disk manipulation tool

  • dc3dd - dc3dd is a patched version of GNU dd with added features for computer forensics

  • dcfldd - Enhanced version of dd for forensics and security

  • ddrescue - Data recovery and protection tool

dd.exe --list
dd.exe if=/dev/<drive> of=Image.img bs=1M
dd.exe if=\\.\<OSDrive>: of=<drive>:\<name>.img bs=1M --size --progress
(LINUX) sudo dd if=/dev/<OSDrive> of=/mnt/<name>.ddimg bs=1M conv=noerror,sync

• X-ways Imager - Forensic disk imaging tool. Stripped down version of the X-Ways Forensics computer forensics software with just the disk imaging functionality and little more

• guymager - The forensic imager contained in this package, guymager, was designed to support different image file formats, to be most user-friendly and to run really fast.

pageMemory Forensics

USB Analysis

• https://gbhackers.com/usb-forensics/

• USB Descriptors

• USB Data Transfer Types

• USB WIreshark Filters

MacOS

• Mac OS X 10.9 Forensics Wiki

• Mac OS X 10.11 Forensics Wiki

• Mac OS X Forensics Artifacts Spreadsheet

• osxcollector - A forensic evidence collection & analysis toolkit for OS X

• automactc - This is a modular forensic triage collection framework designed to access various forensic artifacts on macOS, parse them, and present them in formats viable for analysis. The output may provide valuable insights for incident response in a macOS environment. Automactc can be run against a live system or dead disk (as a mounted volume.)

• Mac4n6 - Great blog on Mac OS forensics

• mac_apt - macOS (& ios) Artifact Parsing Tool

• https://themittenmac.com/tools/

  • https://themittenmac.com/the-truetree-concept/

  • https://themittenmac.com/monitorui-tool-release/

  • https://themittenmac.com/the-esf-playground/

Malware Analysis

In incident response, phishing, or security monitoring scenarios, you will encounter potentially malicious files that will require in depth analysis to certify the nature of the file. These files can be as overt as an executable labeled "virus.exe" or as covert as "resume.doc". There will be instances where even after all of your analysis, you still cannot verify the nature of the document, and therefore should be considered malicious until proven otherwise.

Malware Analysis Toolsets and multi-engine scanners

• https://remnux.org/ - REMnux® is a Linux toolkit for reverse-engineering and analyzing malicious software. REMnux provides a curated collection of free tools created by the community. Analysts can use it to investigate malware without having to find, install, and configure the tools.

  • https://zeltser.com/remnux-malware-analysis-tips/

• https://github.com/fireeye/flare-vm - A fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing, etc.

• MalwareUnicorn's tool collection - Tools used by one of the best malware analysts in the field.

• https://github.com/mindcollapse/MalwareMultiScan - Self-hosted VirusTotal / OPSWAT MetaDefender wannabe API for scanning URLs and files by multiple antivirus solutions.

• RATDecoders - Python Decoders for Common Remote Access Trojans

• mal_unpack - Dynamic unpacker based on PE-sieve

  • https://www.youtube.com/watch?v=8LZ6ksoytpU

• CobaltStrikeParser - Python parser for CobaltStrike Beacon's configuration

• ThreatCheck - Identifies the bytes that Microsoft Defender / AMSI Consumer flags on.

Resources

• https://nostarch.com/malware

  • https://www.jaiminton.com/Tutorials/PracticalMalwareAnalysis/

• Awesome Lists Collection: Awesome Malware Analysis

• https://malwareunicorn.org/#/ - Malware Blog, tools, and training

• https://www.sans.org/security-resources/posters/dfir/remnux-usage-tips-malware-analysis-linux-400

• https://www.sans.org/security-resources/posters/dfir/malware-analysis-reverse-engineering-cheat-sheet-395

• SANS Malware Analysis Cheatsheet

• https://zeltser.com/malware-analysis-cheat-sheet/

• https://www.infosecinstitute.com/skills/learning-paths/malware-analysis-reverse-engineering/

• Hackersploit's Malware Analaysis Bootcamp

• https://tryhackme.com/room/malresearching

• BTFM: Malware Analysis - pg. 77

• BTFM: Identifying Malware - pg. 80

• PTFM: Malware Analysis - pg. 149

• BTFM: Malware Attributes Checklist - pg.115

pageSandboxing

Outside of sandboxing, there are a host of other tools available that can perform different types of analysis on malware. There are even a few virtual machine distributions that are dedicated to malware analysis. The foremost of them are Flare-VM and Remnux. These will usually include sandboxing tools like cuckoo, code analysis tools like Snyk and Ghidra, and a host of other handy options.

Remember: it is always advised to perform your malware analysis on a virtual machine, in order to prevent unwanted accidents.

pageFile/Binary Analysis

Reverse Engineering

pageReverse Engineering