Mastering DFIR: Tools and Processes to Analyze Forensic Data
In this post, the first of two blogs, Tim Bandos helps break down the DFIR tools and processes he uses to carry out investigations.
Digital Guardian’s resident cybersecurity expert Tim Bandos recently helped present on our most recent webinar, “How a $0 DFIR Kit Can Take on Big Dollar Enterprise Tools.” If you haven’t had a chance to watch it yet and have interest in building out your Digital Forensics & Incident Response (DFIR) arsenal, it’s worth the time. Tim’s background as a cybersecurity practitioner gave him first-hand experience with these tools and helped him when it came to developing DG Wingman, our free DFIR utility.
As part of the webinar, we had dozens and dozens of questions submitted to learn more about Wingman, DFIR tools, DFIR processes, open source software, and Digital Guardian capabilities. Because many of these questions fell into similar categories, we'll be addressing them in two blogs. The first will focus on DFIR tools and processes, the second will focus on DG Wingman and Digital Guardian's data protection capabilities.
Part 1 - Mastering DFIR
Many webinar attendees asked about the best tools that DFIR teams use for their investigations, and Tim gave several examples of his favorite tools outside of DG Wingman. There is no single tool that will address all needs - the below is just a partial list - but investing the time to learn and use these tools can serve your cybersecurity needs well.
- DumpIt: This utility from Comae Technologies is a fusion of two trusted tools, win32dd and win64dd, combined into one executable. Launching this utility will take a snapshot of the system’s physical memory.
- Volatility: The Volatility Framework is a completely open source collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples. Some of Tim’s favorite plugins to run are:
- Sysmon: This utility continuously logs detailed information about process creations, network connections, and changes to file creation time.
- Yara: This tool helps to identify and classify malware samples by family name using custom signatures.
- Plaso: This tool extracts timestamps from various files and aggregates them into a single view.
- RegRipper: This tool quickly extracts values of interest from within the registry.
- Offline Registry Finder: This tool allows you to quickly search for keys/values in offline registry files.
- ELK Stack: Elasticsearch, Logstash, and Kibana together provide a search and analytics engine, log ingestion, and a security visualization platform.
- Wingman: See comments above
Trusting open source software was also brought up as a concern. While any software can have vulnerabilities, open source tools should not be looked at as inherently better or worse than commercial software. Vetting these tools in the cybersecurity community is one step to mitigate the risk. Who else is using it and what have their results been? Much like when downloading any “free app,” you look to the number of people who have already done so. User #1 is taking more of a risk than user #1,000,000.
That same community that vets these tools can also be a support mechanism. People like Tim are generally eager to help others and share how they have been successful. All cybersecurity vendors, including Digital Guardian, benefit from a well-educated customer base.
Each of the tools outlined above provides a key element in the DFIR process for investigating and analyzing forensic data. One of the first steps in a forensic investigation is collecting the RAM (memory) from the computer using a tool like DumpIt. Then you can extract additional evidence such as Event Logs, Registry, $MFT, etc. using the DG Wingman tool. Volatility can then be run against the memory sample that was obtained to conduct a deeper dive on what transpired on the machine while it was up and running. Afterwards, you can use a tool like Plaso to create a timeline of events from the artifacts that were collected. Tools like RegRipper and Offline Registry Finder can be used to inspect the registry content further as well.
This process can be further enhanced by rolling out the Sysinternals Sysmon tool for continuous data collection. Once you have Sysmon out in the environment, setting up an ELK stack can then assist with consuming, processing, and analyzing the data. Sysmon is great for initial detection and can aid in expediting the analysis process of what all ran on a machine that was compromised.
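As an added illustration of the aggregation step described above (this is not code from the post, nor from DG Wingman, Plaso or Sysmon), the Python below normalizes a few constructed Sysmon process-creation and network-connection events and a RegRipper-style registry last-write entry into one sorted timeline, and walks Sysmon's ParentProcessGuid links to reconstruct what ran on the host. Field names follow Sysmon's event schema; every record value is made up for the example.

```python
from datetime import datetime, timezone

# Constructed sample records (not real case data): Sysmon Event ID 1 = process
# create, Event ID 3 = network connection, plus one registry key last-write time
# of the kind RegRipper reports. Timestamps are UTC, as Sysmon writes them.
SYSMON_EVENTS = [
    {"EventID": 1, "UtcTime": "2023-05-01 10:15:02.100", "ProcessGuid": "{A1}",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentProcessGuid": "{P0}",
     "ParentImage": "C:\\Program Files\\Office\\WINWORD.EXE"},
    {"EventID": 3, "UtcTime": "2023-05-01 10:15:05.300", "ProcessGuid": "{A2}",
     "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\up.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "UtcTime": "2023-05-01 10:15:03.000", "ProcessGuid": "{A2}",
     "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\up.exe",
     "ParentProcessGuid": "{A1}", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
]
REGISTRY_ENTRIES = [
    {"Key": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "LastWrite": "2023-05-01 10:15:04.000", "Value": "up.exe"},
]

def parse_ts(s):
    """Sysmon/RegRipper style 'YYYY-MM-DD HH:MM:SS.fff' -> aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)

def build_timeline(sysmon, registry):
    """Merge heterogeneous artifacts into one (time, source, description) list,
    sorted by time, the way a super-timeline tool presents a single view."""
    rows = []
    for e in sysmon:
        if e["EventID"] == 1:
            desc = f"process start {e['Image']} (parent {e['ParentImage']})"
        elif e["EventID"] == 3:
            desc = f"{e['Image']} -> {e['DestinationIp']}:{e['DestinationPort']}"
        else:
            continue  # other Sysmon event types are out of scope here
        rows.append((parse_ts(e["UtcTime"]), "sysmon", desc))
    for r in registry:
        rows.append((parse_ts(r["LastWrite"]), "registry", f"{r['Key']} = {r['Value']}"))
    return sorted(rows, key=lambda row: row[0])

def process_chain(sysmon, guid):
    """Follow ParentProcessGuid links (child first) until the parent is unknown."""
    by_guid = {e["ProcessGuid"]: e for e in sysmon if e["EventID"] == 1}
    chain = []
    while guid in by_guid:
        chain.append(by_guid[guid]["Image"])
        guid = by_guid[guid]["ParentProcessGuid"]
    return chain

if __name__ == "__main__":
    for ts, src, desc in build_timeline(SYSMON_EVENTS, REGISTRY_ENTRIES):
        print(ts.isoformat(), src.ljust(8), desc)
    print("ancestry of {A2}:", " <- ".join(process_chain(SYSMON_EVENTS, "{A2}")))
```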