Practical Digital Forensics Scenario

Scenario Setup

• Target System Access: Use RDP to connect to the Target IP with provided credentials.

• Evidence Locations:

  • Memory Dump: C:\Users\johndoe\Desktop\memdump\PhysicalMemory.raw

  • Rapid Triage Artifacts:

    • C:\Users\johndoe\Desktop\kapefiles

    • C:\Users\johndoe\Desktop\files

  • Full Disk Image: C:\Users\johndoe\Desktop\fulldisk.raw.001

  • Parsed Disk Data: C:\Users\johndoe\Desktop\MalwareAttack

Notes

• Autopsy analysis should be done from C:\Users\johndoe\Desktop\MalwareAttack.

• Ideal forensics environment is separate from the impacted system; analysis is done directly on the affected system here for expediency.

Memory Analysis with Volatility v3

Identifying Memory Profile

To get OS and kernel details of the memory dump:

python vol.py -q -f ..\memdump\PhysicalMemory.raw windows.info

Sample Output

Variable	Value
Kernel Base	0xf80150019000
DTB	0x1ad000
Symbols	file:///C:/Users/johndoe/Desktop/...
Is64Bit	True
SystemTime	2023-08-10 09:35:40
NtSystemRoot	C:\Windows
NtMajorVersion	10
NtMinorVersion	0

Detecting Injected Code

To find process memory regions potentially containing injected code:

python vol.py -q -f ..\memdump\PhysicalMemory.raw windows.malfind

Sample Output

Processes with PAGE_EXECUTE_READWRITE memory:

• PID 3648 (rundll32.exe), PID 6744 (powershell.exe), PID 5468 (rundll32.exe)

Explanation of PAGE_EXECUTE_READWRITE

• This permission allows both execution and modification of code in memory, typically avoided in legitimate applications.

• Common with malware, which injects code into memory and executes it, warranting further investigation.

Identifying Running Processes

Listing Processes

Using windows.pslist to list processes:

python vol.py -q -f ..\memdump\PhysicalMemory.raw windows.pslist

Sample Output (Excerpt)

PID	PPID	ImageFileName	CreateTime	SessionId
4	0	System	2023-08-10 00:22:53.000000	N/A
3648	7148	rundll32.exe	2023-08-10 09:15:14.000000	1
6744	908	powershell.exe	2023-08-10 09:21:16.000000	1
5468	7512	rundll32.exe	2023-08-10 09:23:15.000000	0

Viewing Process Tree

Using windows.pstree to view parent-child process relationships:

python vol.py -q -f ..\memdump\PhysicalMemory.raw windows.pstree

• Shows parent-child relationships, helping identify suspicious child processes spawned by common processes (e.g., rundll32.exe under explorer.exe).

Identifying Process Command Lines

Using windows.cmdline to retrieve command-line arguments:

python vol.py -q -f ..\memdump\PhysicalMemory.raw windows.cmdline

Sample Output

PID	Process	Args
416	csrss.exe	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows ...
3648	rundll32.exe	C:\Windows\System32\rundll32.exe payload.dll,StartW
6744	powershell.exe	PowerShell.exe -nop -w hidden -encodedcommand JABzAD0ATgBlAHcAL...

Dumping Process Memory & Leveraging YARA

To analyze process 3648, use Volatility's windows.memmap plugin to extract all memory-resident pages of this process:

python vol.py -q -f ../memdump/PhysicalMemory.raw windows.memmap --pid 3648 --dump

Sample output:

0xf8016d0e9000  0x2077d000      0x3000  0x1bde4000      pid.3648.dmp
... (continues with memory pages)

The memory dump pid.3648.dmp is stored at c:\Users\johndoe\Desktop.

Scanning with YARA

Scan the memory dump with YARA rules using a PowerShell loop to apply all available rules from https://github.com/Neo23x0/signature-base.

PowerShell script:

$rules = Get-ChildItem C:\Users\johndoe\Desktop\yara-4.3.2-2150-win64\rules | Select-Object -Property Name
foreach ($rule in $rules) {C:\Users\johndoe\Desktop\yara-4.3.2-2150-win64\yara64.exe C:\Users\johndoe\Desktop\yara-4.3.2-2150-win64\rules\$($rule.Name) C:\Users\johndoe\Desktop\pid.3648.dmp}

Sample output indicates hits for:

• HKTL_CobaltStrike_Beacon_Strings

• CobaltStrike_Sleep_Decoder_Indicator

• WiltedTulip_ReflectiveLoader

Identifying Loaded DLLs

Examine loaded DLLs using the windows.dlllist plugin:

python vol.py -q -f ../memdump/PhysicalMemory.raw windows.dlllist --pid 3648

Output includes:

• payload.dll at E:\payload.dll, suggesting possible external or ISO origin.

Identifying Handles

Use windows.handles to reveal accessed files and registry entries:

python vol.py -q -f ../memdump/PhysicalMemory.raw windows.handles --pid 3648

Sample output:

• Access to \Device\HarddiskVolume3\Users\johndoe\Desktop

Identifying Network Artifacts

Analyze network connections with windows.netstat:

python vol.py -q -f ../memdump/PhysicalMemory.raw windows.netstat

Sample output reveals connections for:

• chrome.exe, WWAHost.exe, and rundll32.exe

For comprehensive network analysis, use:

python vol.py -q -f ../memdump/PhysicalMemory.raw windows.netscan

Sample output reveals:

• The suspicious process (PID 3648) has been communicating with 44.214.212.249 over port 80.

Disk Image/Rapid Triage Data Examination & Analysis

Searching for Keywords with Autopsy

• Open Autopsy and access the case at: C:\Users\johndoe\Desktop\MalwareAttack

• Search for payload.dll, prioritize by creation time.

• Significant finding: Finance08062023.iso in Downloads, related to E drive DLL.

• Extraction: Right-click on Finance08062023.iso and select Extract File(s).

Identifying Web Download Information & Extracting Files

• .Zone.Identifier via Alternate Data Stream (ADS) confirms internet origin.

• Source URL identified in Web Downloads artifacts as: letsgohunt[.]site.

Analyzing Cobalt Strike Beacon Configuration

• Use CobaltStrikeParser at: C:\Users\johndoe\Desktop\CobaltStrikeParser-master\CobaltStrikeParser-master

• Command: python parse_beacon_config.py E:\payload.dll

• Key Configurations Extracted:

  • BeaconType: HTTP, Port: 80, C2Server: letsgohunt.site,/load

  • Other notable fields: HttpGet_Metadata, bUsesCookies, Spawnto_x64.

Persistence Mechanisms with Autoruns

• Autoruns analysis: Check C:\Users\johndoe\Desktop\files\johndoe_autoruns.arn

• Found entry:

  • Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • Image: C:\ProgramData\svchost.exe

File Hash Identification & VirusTotal

• To identify hash of photo433.exe:

PS C:\Users\johndoe> Get-FileHash -Algorithm SHA256 "C:\Users\johndoe\Desktop\kapefiles\auto\C%3A\Users\johndoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\photo443.exe"

Scheduled Tasks & Timestomping Analysis

• Inconsistency between $FILE_NAME MFT Modified and $STANDARD_INFORMATION File Modified timestamps indicates timestomping.

SRUM Data Analysis

• Observed potential exfiltration of 430526981 bytes from SRUDB.dat.

Windows Event Logs Analysis with Chainsaw

• Command:

C:\Users\johndoe>chainsaw_x86_64-pc-windows-msvc.exe hunt "..\kapefiles\auto\C%3A\Windows\System32\winevt\Logs" -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/ --csv --output output_csv

• Alerts observed in sigma.csv:

  • Cobalt Strike Load by rundll32

  • UAC Bypass/Privilege Escalation by fodhelper.exe

Prefetch Files Analysis

• Command to analyze prefetch files:

C:\Users\johndoe>C:\Users\johndoe\Desktop\Get-ZimmermanTools\net6\PECmd.exe -d "C:\Users\johndoe\Desktop\kapefiles\auto\C%3A\Windows\Prefetch" -q --csv C:\Users\johndoe\Desktop --csvf suspect_prefetch.csv

USN Journal Analysis

• Command:

C:\Users\johndoe>python C:\Users\johndoe\Desktop\files\USN-Journal-Parser-master\usnparser\usn.py -f C:\Users\johndoe\Desktop\kapefiles\ntfs\%5C%5C.%5CC%3A\$Extend\$UsnJrnl:$J -o C:\Users\johndoe\Desktop\usn_output.csv -c

Suspicious activities took place approximately between 2023-08-10 09:00:00 and 2023-08-10 10:00:00.

To view the CSV using PowerShell in alignment with our timeline, we can execute:

PS C:\Users\johndoe> $time1 = [DateTime]::ParseExact("2023-08-10 09:00:00.000000", "yyyy-MM-dd HH:mm:ss.ffffff", $null)
PS C:\Users\johndoe> $time2 = [DateTime]::ParseExact("2023-08-10 10:00:00.000000", "yyyy-MM-dd HH:mm:ss.ffffff", $null)
PS C:\Users\johndoe> Import-Csv -Path C:\Users\johndoe\Desktop\usn_output.csv | Where-Object { $_.'FileName' -match '\.exe$|\.txt$|\.msi$|\.bat$|\.ps1$|\.iso$|\.lnk$' } | Where-Object { $_.timestamp -as [DateTime] -ge $time1 -and $_.timestamp -as [DateTime] -lt $time2 }

Here's the full markdown for the content provided, formatted for clarity and utility in digital forensic analysis:

Disk Image/Rapid Triage Data Examination & Analysis

Analyzing Rapid Triage Data - MFT/pagefile.sys (MFTECmd/Autopsy)

Recovering Deleted Files Using MFT Analysis

1. Objective: Attempt to recover flag.txt via MFT analysis.

   • Challenge: The affected machine's MFT table is unavailable.

   • Alternative: Use another system’s MFT table (C:\Users\johndoe\Desktop\files\mft_data), where flag.txt was similarly deleted.

2. Run MFTECmd to parse the $MFT file:

   C:\Users\johndoe> C:\Users\johndoe\Desktop\Get-ZimmermanTools\net6\MFTECmd.exe -f C:\Users\johndoe\Desktop\files\mft_data --csv C:\Users\johndoe\Desktop\ --csvf mft_csv.csv

   • Output:

     • Processed MFT file with 113,899 records (4,009 marked as free).

     • CSV output saved at C:\Users\johndoe\Desktop\mft_csv.csv.

3. Search for flag.txt:

   PS C:\Users\johndoe> Select-String -Path C:\Users\johndoe\Desktop\mft_csv.csv -Pattern "flag.txt"

   • Result:

     • Provides flag.txt's location: \Users\johndoe\Desktop\reports.

4. Verify with MFT Explorer:

   • Tool: Open C:\Users\johndoe\Desktop\files\mft_data in MFT Explorer (available at C:\Users\johndoe\Desktop\Get-ZimmermanTools\net6\MFTExplorer).

   • Finding: Within the reports folder, flag.txt is marked with the Is deleted attribute.

Understanding NTFS File Deletion

• Insight:

  • Deleted files on NTFS volumes have MFT entries marked as free, making recovery possible until the data is overwritten.

  • Case-Specific: The compromised system’s file was overwritten, necessitating MFT analysis on another system.

Extracting Data from pagefile.sys

1. Scenario: Portions of flag.txt remain in pagefile.sys, which Windows uses to manage RAM overflow.

2. Approach:

   • Use Autopsy to scan pagefile.sys for partial content recovery.

Constructing an Execution Timeline with Autopsy

1. Timeline Parameters:

   • Incident Window: 09:13 to 09:30 (GMT / UTC).

   • Tool: Autopsy, leveraging Plaso for timeline generation.

2. Configuration:

   • Event Types: Select Web Activity: All and Other: All.

   • Time Settings:

     • Start: Aug 10, 2023, 9:13:00 AM

     • End: Aug 10, 2023, 9:30:00 AM

3. Purpose:

   • To map the chronological actions of the malicious actor by filtering files accessed or created during this interval.

The Actual Attack Timeline

• Objective: Examine identified and undetected actions taken by the attacker.

• Next Step: Based on forensic findings, try to match documented activity with any undetected actions outlined in the actual attack sequence.