Forensic Artifacts Rundown

September 21, 2020 Labs, The Hunt, Tips for Muggles

A quick overview of the artifacts you will commonly encounter, both in the cases hosted here and in real investigations. This is merely a primer.

First, a high-level overview of the major mediums from which individual artifacts are extracted:

  • Disk Images
  • Memory Images
  • PCAPs

Then a quick overview of the individual artifacts that investigators extract from them.

Indicators of Compromise (IOCs)

There will be many references to IOCs throughout this post and many others. IOCs are pivot points that investigators and threat hunt teams use to enable and enrich their work. Pivot points are like "flags" in the data that focus investigative effort. Finding plane wreckage in the middle of the wilderness or the ocean is extremely difficult without clues about potential impact points, last known course, or the planned flight route. Imagine how much quicker the search goes with that knowledge: once the debris fields are located, the wreckage is found quickly.

The same holds for digital investigations. An investigation can generate gigabytes of data to sift through, and the situation often demands that it be done quickly. Effective IOCs let teams rapidly build an operational picture of what happened, or what is still ongoing. For example, imagine that one of the attacker's IP addresses is discovered. That address can now be used to identify infected hosts from firewall traffic, to spot the malicious process that owns the connection in memory, and to find the persistence mechanism and malicious executables on disk. Keep in mind that an IP address is one of the cheapest things for an attacker to change, so each pivot should be used to derive more durable indicators (the binary's hash, its path, the persistence key) rather than treated as the end of the search.
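The pivot chain described above, written out as an added example (this is not code from the original post). It assumes three small, constructed evidence sources: firewall log lines, connection rows in the shape of Volatility's netscan output, and a path/hash listing from an offline scan of the disk image. The seed IOC is a single attacker IP; every hit feeds the next source.

```python
import re

# Constructed sample evidence (not real traffic, processes or files). The
# IOC set starts from one attacker IP recovered during triage and is
# pivoted across the three mediums the post describes.
SEED_IOCS = {"ip": {"203.0.113.45"}, "process": set(), "sha256": set()}

# Firewall log lines (constructed).
FIREWALL_LOG = """\
2020-09-21T13:02:11Z action=allow src=10.0.5.14 dst=203.0.113.45 dport=443 proto=tcp
2020-09-21T13:02:19Z action=allow src=10.0.5.22 dst=198.51.100.7 dport=80 proto=tcp
2020-09-21T13:05:40Z action=allow src=10.0.5.31 dst=203.0.113.45 dport=443 proto=tcp
"""

# Connections from a memory image, in the shape of Volatility's netscan
# output (constructed): offset, proto, local, foreign, state, pid, owner.
NETSCAN = """\
0x3e2a8b0 TCPv4 10.0.5.14:49213 203.0.113.45:443 ESTABLISHED 4412 update.exe
0x3e2b120 TCPv4 10.0.5.14:49220 10.0.5.2:445 ESTABLISHED 4 System
"""

# Path and SHA-256 per executable from an offline scan of the disk image
# (constructed hashes, not real samples).
FILE_HASHES = """\
c:\\users\\jdoe\\appdata\\roaming\\update.exe 9f2c0e5a9f2c0e5a9f2c0e5a9f2c0e5a9f2c0e5a9f2c0e5a9f2c0e5a9f2c0e5a
c:\\windows\\system32\\svchost.exe 1a2b3c4d1a2b3c4d1a2b3c4d1a2b3c4d1a2b3c4d1a2b3c4d1a2b3c4d1a2b3c4d
"""

FW_RE = re.compile(r"\bsrc=(\S+)\s+dst=(\S+)")
NET_RE = re.compile(r"^\S+\s+\S+\s+\S+:\d+\s+(\S+):\d+\s+\S+\s+(\d+)\s+(\S+)$")


def pivot_firewall(log, iocs):
    """Internal hosts that talked to any IOC IP: the next hosts to triage."""
    hosts = set()
    for line in log.splitlines():
        m = FW_RE.search(line)
        if m and m.group(2) in iocs["ip"]:
            hosts.add(m.group(1))
    return hosts


def pivot_netscan(text, iocs):
    """Processes holding a connection to an IOC IP -> {(pid, image name)}."""
    procs = set()
    for line in text.splitlines():
        m = NET_RE.match(line)
        if m and m.group(1) in iocs["ip"]:
            procs.add((int(m.group(2)), m.group(3).lower()))
    return procs


def pivot_hashes(text, iocs):
    """Files on disk whose name or hash is already an IOC -> {(path, sha256)}."""
    files = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        path, digest = line.rsplit(None, 1)
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in iocs["process"] or digest.lower() in iocs["sha256"]:
            files.add((path, digest.lower()))
    return files


def pivot(seed):
    """One round of pivoting; each hit enriches the IOC set for the next source."""
    iocs = {k: set(v) for k, v in seed.items()}
    hosts = pivot_firewall(FIREWALL_LOG, iocs)   # perimeter: who else talked to it?
    procs = pivot_netscan(NETSCAN, iocs)         # memory: which process owns the connection?
    iocs["process"] |= {name for _, name in procs}
    files = pivot_hashes(FILE_HASHES, iocs)      # disk: where does that binary live, what is its hash?
    iocs["sha256"] |= {digest for _, digest in files}
    return {"hosts": hosts, "processes": procs, "files": files, "iocs": iocs}
```

Run `pivot(SEED_IOCS)` and the single IP turns into two hosts to triage, a process name, a path and a hash. The hash and path are what you hand to the rest of the fleet; the IP alone would miss a second host using a different command-and-control address.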

E01 / Raw Images of the Disk

Disk images provide a wealth of information to the investigator. Investigators can carve out deleted files, root out dormant malware, and generate valuable super timelines to enhance their visibility into "what happened". The downside of images is their size. As a bit-for-bit copy of the computer's drive they can be very large for production servers, so the logistics of getting them to the investigator are more complex than for other artifacts; it often involves a portable hard drive carried by personnel or sent in the mail. E01 images offer good compression and built-in integrity checking (a CRC per chunk of data plus a hash of the whole acquisition), but don't have the highest performance. Raw (dd) images are large, but are great for performance and for digital video recorder (DVR) investigations.

Goals and Capabilities

  • Generate IOC’s and Pivots
  • Establish comprehensive timelines
  • User and Attacker activities
  • Continuous reference to answer questions in the investigation
  • Operating system artifacts preserved in the state they were in at imaging time
  • Carve out deleted/orphaned files hidden by adversaries
  • Offline scans for dormant malware
  • Autoruns
  • Historical look at files through Volume Shadow Copy Service (VSS) snapshots

Common Tools

  • Plaso/Log2Timeline
  • fls (The Sleuth Kit)
  • clamav (or any AV)
  • RegRipper
  • Autopsy

Useful Artifacts Found Within

  • Logs
    • Windows Vista/2008 and later: %SystemRoot%\System32\winevt\Logs
    • Linux: /var/log
  • Registry Hives
    • System hives (SAM, SECURITY, SOFTWARE, SYSTEM): %SystemRoot%\System32\config
    • Previous registry config: %SystemRoot%\System32\config\RegBack (empty by default since Windows 10 1803 unless periodic backups were re-enabled, so don't count on it)
    • User hives: NTUSER.DAT in each user's profile and UsrClass.dat under AppData\Local\Microsoft\Windows
  • Volume Shadow Copies
  • Plus tons more (seriously)

Memory Images

Memory captures often provide quick wins in the fight against the adversary. Code in memory is loaded and executed unpacked and unencrypted; a packer or crypter has to undo itself before its payload can run. This provides an invaluable view of malware and other processes in action. In digital forensics there is a common saying, "Malware can hide, but it has to run." Memory is one of the places investigators can see malware when it is naked, vulnerable and on the run.

Goals and capabilities

  • Quickly generate IOC’s and Pivots
  • Extract malware unpacked and unencrypted
    • A treasure for reverse engineers
  • Understand malware capabilities
    • And often intent
  • Recover passwords and other credentials used by attackers (for example, from the LSASS process)
  • Enrich timelines!

Common Tools

  • Volatility
  • Rekall
  • Redline
  • Plaso/Log2Timeline
  • ClamAV

Useful Artifacts Found Within

  • Unencrypted version of malware
  • Shimcache entries that haven't been flushed to the SYSTEM hive yet (Windows writes them at shutdown, so the in-memory copy is newer than the one on disk)
  • Network connections
    • Even connections hidden by rootkits
  • Rootkit activity
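The super timeline the disk and memory sections both promise (and that the Quick Overview below spells out as: disk image through fls and log2timeline, memory image through Volatility's timeliner, then combined) works because both tools can emit the same Sleuth Kit bodyfile layout: `fls -m` and Volatility 2's `timeliner --output=body` both write eleven pipe-separated fields. The following is an added example, not code from the original post or from either tool, that parses two such files, merges them into one timeline, and pulls a time window around a pivot. The bodyfile lines are constructed to look like the output of those tools.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample bodyfiles (not from real images). Each line has the
# 11 pipe-separated fields of the Sleuth Kit bodyfile format:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
DISK_BODY = """\
0|/Users/jdoe/AppData/Roaming/update.exe|8231-128-1|r/rrwxrwxrwx|0|0|61440|1600693255|1600693250|1600693250|1600693250
0|/Windows/Prefetch/UPDATE.EXE-1A2B3C4D.pf|9001-128-1|r/rrwxrwxrwx|0|0|16384|1600693271|1600693271|1600693271|1600693271
0|/Users/jdoe/Downloads/invoice.docm|8100-128-1|r/rrwxrwxrwx|0|0|20480|1600693240|1600693102|1600693102|1600693102
"""

# Memory events in the shape Volatility 2's timeliner writes with
# --output=body: the single event time repeated in all four slots.
MEM_BODY = """\
0|[PROCESS] update.exe PID: 4412/PPID: 3160/POffset: 0x3e2a8b0|0|---------------|0|0|0|1600693268|1600693268|1600693268|1600693268
0|[NETWORK CONNECTION] 10.0.5.14:49213 -> 203.0.113.45:443 (ESTABLISHED)|0|---------------|0|0|0|1600693270|1600693270|1600693270|1600693270
"""

TIME_FIELDS = ("atime", "mtime", "ctime", "crtime")


def parse_bodyfile(text, source):
    """One (epoch, source, which-timestamps, artifact) event per distinct time in a line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError("not an 11-field bodyfile line: " + line)
        by_time = {}
        for label, raw in zip(TIME_FIELDS, fields[7:11]):
            ts = int(raw)
            if ts > 0:                      # 0 means "not set", not 1970
                by_time.setdefault(ts, []).append(label)
        for ts, labels in by_time.items():
            events.append((ts, source, "/".join(labels), fields[1]))
    return events


def super_timeline(disk_text, mem_text):
    """Merge disk and memory events into one list ordered by time."""
    return sorted(parse_bodyfile(disk_text, "disk") + parse_bodyfile(mem_text, "memory"))


def to_csv(events):
    """The CSV you would open in Timeline Explorer or Excel."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["utc", "source", "timestamp_type", "artifact"])
    for ts, source, kind, name in events:
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        writer.writerow([when, source, kind, name])
    return buf.getvalue()


def pivot_window(events, needle, seconds=60):
    """Everything within N seconds of any event naming the pivot (case-insensitive)."""
    hits = [ts for ts, _, _, name in events if needle.lower() in name.lower()]
    return [e for e in events if any(abs(e[0] - h) <= seconds for h in hits)]
```

With the sample data, `pivot_window(super_timeline(DISK_BODY, MEM_BODY), "update.exe", 30)` lines up the dropper's creation on disk, its process and network connection in memory, and its Prefetch file within one minute, and drags the earlier access to `invoice.docm` into view with them. Real fls output is much noisier; exploding every distinct timestamp into its own row is what makes it sortable and filterable at all.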

Packet Captures (PCAP’s)

Packet capture files are binary blobs of recorded network traffic. These files are often large and a challenge to collect. An example of capturing network data at the perimeter can be found in the article, Building a SIEM at Home. In an enterprise environment, full packet captures of protected subnets are as invaluable as they are expensive. This is another place where "Malware can hide, but it has to run" applies: once it beacons or pulls a second stage, the wire sees it.

Goals and Capabilities

  • Perimeter PCAPs: scope the incident
  • Provide IOCs and pivots
  • Extract malware in its "in-flight" form

Common Tools

  • Snort/Suricata
  • tcpdump
  • tshark
  • Zeek
  • Wireshark
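To show what "in-flight" extraction actually involves, here is an added example (not from the original post, and not using any of the tools listed above) that reads the classic libpcap file format directly: a 24-byte global header, then a 16-byte record header per frame, then Ethernet/IPv4/TCP. It pulls the 4-tuples out as pivotable IOCs and concatenates each direction's payload so the downloaded file can be carved out of the HTTP response. The capture is constructed inline with a helper, so the whole thing runs offline; it does not handle pcapng, VLAN tags, IPv6 or out-of-order segments.

```python
import socket
import struct
from collections import defaultdict

# --- constructing a tiny capture (sample data, not a real exchange) -------

def build_tcp_packet(src, sport, dst, dport, payload, flags=0x18):
    """Ethernet II + IPv4 + TCP frame; checksums left zero (not validated here)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(packets, base_ts=1600693200):
    """Classic libpcap file: 24-byte global header then 16-byte record headers."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, pkt in enumerate(packets):
        out.append(struct.pack("<IIII", base_ts + i, 0, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


CLIENT, SERVER = ("10.0.5.14", 49213), ("203.0.113.45", 80)
SAMPLE_PCAP = build_pcap([
    build_tcp_packet(*CLIENT, *SERVER, b"GET /update.exe HTTP/1.1\r\nHost: 203.0.113.45\r\n\r\n"),
    build_tcp_packet(*SERVER, *CLIENT, b"HTTP/1.1 200 OK\r\nContent-Length: 6\r\n\r\nMZ\x90\x00"),
    build_tcp_packet(*SERVER, *CLIENT, b"\x03\x00"),        # second segment of the body
])

# --- parsing -----------------------------------------------------------------

def iter_records(data):
    """Yield (timestamp, frame bytes) from a classic pcap file of either byte order."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng / nanosecond variants not handled)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:          # capture was cut short: stop, don't guess
            break
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def parse_tcp(frame):
    """(src, sport, dst, dport, flags, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != 6:                      # IP protocol field: 6 = TCP
        return None
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp = frame[14 + ihl:14 + total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[13], tcp[data_off:]


def flows(data):
    """Unique (src, sport, dst, dport) tuples: the IP/port IOCs to pivot on."""
    return {t[:4] for t in map(parse_tcp, (f for _, f in iter_records(data))) if t}


def reassemble(data):
    """Concatenate payload per direction in capture order. Fine for a clean capture;
    real reassembly must honor sequence numbers and drop retransmissions."""
    streams = defaultdict(bytearray)
    for _, frame in iter_records(data):
        t = parse_tcp(frame)
        if t and t[5]:
            streams[t[:4]] += t[5]
    return {k: bytes(v) for k, v in streams.items()}


def carve_http_body(stream):
    """Body of a single HTTP response: the file exactly as it crossed the wire."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        return None
    return body
```

The carved body starts with `MZ`, which is the "in-flight" form the post refers to: no unpacking has happened yet, so its hash matches what an antivirus or sandbox would see at the gateway, not necessarily what ends up in memory. Wireshark's "Follow TCP Stream" and "Export Objects" do the same job with proper reassembly; this is only to make the format concrete.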

Quick Overview of Artifacts

A very very brief overview of some key artifacts and where they come from.

  • Windows Registry
    • The modern, centralized replacement for the old days when every program had its own .ini file
    • Located on disk AND in memory if system is running
    • Located on disk if system is offline
  • EVTX Logs
    • Hundreds of different logs in Windows
    • Application / Function specific
  • Super timeline CSV’s
    • Disk image is run through fls and log2timeline
    • Memory is run through Volatility’s Timeliner
    • Then they are combined
    • Viewed in Timeline Explorer or Excel
  • Memory analysis outputs
    • Volatility and its plugins
    • Rekall and its plugins
    • FireEye’s Redline
  • Artifacts that give evidence of execution (Did it really run?)
    • Shimcache (AppCompatCache) – SYSTEM registry hive, only flushed to disk at shutdown
    • Prefetch – %SystemRoot%\Prefetch (*.pf files)
    • Amcache – Amcache.hve, a registry hive file under %SystemRoot%\AppCompat\Programs
    • Windows UserAssist (GUI execution) – NTUSER.DAT registry hive, with ROT13-encoded value names
    • BAM (Background Activity Moderator, Windows 10 1709+) – SYSTEM registry hive
  • File Downloads
    • Open/Save MRU – NTUSER.DAT registry hive
    • E-Mail Attachments – Windows User Directory
    • Browser Artifacts – Windows User App Data
    • Downloads – Browser DB’s and Folders, and Downloads folder
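Of the "did it really run?" artifacts above, UserAssist is the one whose encoding trips people up most, so here is an added example (not from the original post) that decodes it. It assumes the value name/data pairs from a `UserAssist\{GUID}\Count` subkey have already been read out of NTUSER.DAT with a hive parser; the sample values below are constructed, not pulled from a real hive. Names are ROT13 encoded, Windows 7 and later store 72 bytes of data with the run count at offset 4 and the last-run FILETIME at offset 60, and Windows XP stores 16 bytes with the count offset by 5.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Subkeys under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<GUID>\Count
UA_SUBKEYS = {
    "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}": "executable",   # programs launched directly
    "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}": "shortcut",     # programs launched via .lnk
}

# Known-folder GUIDs that appear inside the (ROT13-encoded) value names.
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "C:\\Windows\\System32",
    "{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}": "C:\\Windows\\SysWOW64",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": "C:\\Windows",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "C:\\Program Files",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": "C:\\Program Files (x86)",
}

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """Windows FILETIME (100 ns ticks since 1601) -> aware datetime, None if unset."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None


def decode_name(raw_name):
    """Value names are ROT13-encoded; decode, then expand known-folder GUIDs."""
    name = codecs.decode(raw_name, "rot_13")
    for guid, folder in KNOWN_FOLDERS.items():
        name = name.replace(guid, folder)
    return name


def parse_value(raw_name, data):
    """Decode one Count value. 72 bytes = Windows 7 and later, 16 bytes = XP."""
    if len(data) == 72:
        run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
        (ft,) = struct.unpack_from("<Q", data, 60)
    elif len(data) == 16:
        count, ft = struct.unpack_from("<IQ", data, 4)
        run_count = max(count - 5, 0)      # XP starts counting at 5
        focus_count = focus_ms = None
    else:
        raise ValueError("unexpected UserAssist value length %d" % len(data))
    return {"program": decode_name(raw_name), "run_count": run_count,
            "focus_count": focus_count, "focus_time_ms": focus_ms,
            "last_run_utc": filetime_to_utc(ft)}


def parse_count_key(values):
    """Decode every value of a Count subkey, skipping the UEME_ bookkeeping entries."""
    out = []
    for raw_name, data in values.items():
        if codecs.decode(raw_name, "rot_13").startswith("UEME_"):
            continue
        out.append(parse_value(raw_name, data))
    return sorted(out, key=lambda r: r["last_run_utc"] or EPOCH_1601)


# --- constructed sample hive data (not from a real NTUSER.DAT) --------------

def build_win7_value(session, run_count, focus_count, focus_ms, last_run):
    """Pack a 72-byte Windows 7+ value; integer math keeps the FILETIME exact."""
    delta = last_run - EPOCH_1601
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return (struct.pack("<IIII", session, run_count, focus_count, focus_ms)
            + b"\x00" * 44 + struct.pack("<Q", ft) + b"\x00" * 4)


SAMPLE_COUNT_VALUES = {
    codecs.encode("UEME_CTLSESSION", "rot_13"): b"\x00" * 72,
    codecs.encode("{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\cmd.exe", "rot_13"):
        build_win7_value(7, 3, 2, 1500, datetime(2020, 9, 21, 13, 4, 28, tzinfo=timezone.utc)),
    codecs.encode("C:\\Users\\jdoe\\AppData\\Roaming\\update.exe", "rot_13"):
        build_win7_value(7, 1, 1, 400, datetime(2020, 9, 21, 13, 4, 55, tzinfo=timezone.utc)),
}
```

`parse_count_key(SAMPLE_COUNT_VALUES)` returns the two program launches in time order with their run counts and last-run times; UserAssist only records GUI launches, so a binary started from a service or a scheduled task never shows up here and has to be proven with Prefetch, Shimcache, Amcache or BAM instead. RegRipper's userassist plugin does this decoding for you; the point of the block is to show what it is decoding.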

That was a very fast overview of only a sampling of artifacts and tools. To start learning by practicing, head over to The Case of The Stolen Szechuan Sauce.
