I want to try this
Hi, can’t download the files 🙁
Thanks! We weren’t expecting this level of demand – nor did we realize OneDrive would cut us off the way they did. Partial service is restored for now. All the files should be back shortly. We are working on a better long term solution. Thanks for your patience, and the enthusiastic demand.
Hi, I am Om and very interested. I think it is too much to ask, but if possible can you also provide EnCase old version 6.14 that has a dongle, as the latest version is costly, or set up Autopsy with repositories and all ingestion modules, in an open source virtual environment for analysing. This way you can just provide login details once registered for the virtual workstation. The virtual workstation will have the image, EnCase tool, mobile forensic tool for mobile images, Eric Zimmerman open source tools for parsing and the case hypothesis/background, where it will be very easy to analyse for the people who are interested, by assigned slots to access this virtual workstation. Very limited access to the OS and other applications that are required from the point of view of analysis.
This way people will have a good experience in analysing, using the tool and time management. Either in Word or text they can provide their findings as per the hypothesis and also answer the questions.
Because most of them don’t have a properly licensed tool and Autopsy is too tedious to set up the repository and ingestion modules. In addition to this one has to have a good supportive system configuration.
Unfortunately, I am unable to download the files…
Can’t download EnCase images. Receiving AccessDenied.
Hi. Can you try again? The permissions are updated now, but if you still have trouble let us know.
Hi I’m unable to download Encase images
Hi, please try again. The permission should be updated now.
Where can I find answers or walkthrough?
Hey,
The answers will be released soon. The walk-throughs will be coming over time. We do this in our spare time as a way to give back to the community. I hope to have all of them in the next couple of weeks. The memory analysis walk-through was just published as a bit of a rough draft. More will be added to it. Enjoy!
Looks amazing! Can’t wait to start. Thanks for all your work; my SIFT/REMnux workstation is ready :p
The link to Eric Zimmerman’s tools refers to Flare VM.
Here’s the proper URL for Zimmerman’s tools: https://ericzimmerman.github.io/
Thank you so much James
Thanks James for the very nice writeup! I was having trouble installing REMnux. This might help people running into the same problem.
——————————–
>> Running: ssh
Update returned exit code not zero
Error: Update returned exit code not zero
at ChildProcess. (/snapshot/remnux-cli/remnux-cli.js:562:23)
at ChildProcess.emit (events.js:315:20)
at maybeClose (internal/child_process.js:1021:16)
at Process.ChildProcess._handle.onexit (internal/child_process.js:286:5)
——————————–
SOLUTION (https://github.com/REMnux/remnux-cli/issues/14):
sudo python3 -m pip install r2pipe
sudo remnux install --mode=addon
Thanks for creating a good sample case to practice IR.
I have a question about Q3. I checked the following key of dc01:
“HKLM\SYSTEM\ControlSet001\Control\TimeZoneInformation”
It shows me the timezone setting is “Pacific Standard Time (UTC -8)”.
But this article says the answer is “Mountain Standard Time (UTC -6)”.
What were my mistakes in this question?
It is not a mistake on your part… it’s a bad admin! Alas – there is a bit of work you will have to do to get the timelines to align. In other words the victim machines were not set to the right time.
Where is the evidence of secret.zip being exfil’d and deleted? I can see loot.zip being deleted but not secret
Great stuff!
When trying to mount the E01 files on the SIFT workstation I receive the error that NTFS signature is missing. Failed to mount ‘dev/loop21’ : invalid argument. How do I resolve this error?
Are you running as root, or elevating with sudo?
Also – not being snarky here, but did you Google the problem? In hacking/forensics/IT, Google is your best method for getting past an error code.
Excellent piece of work. Thank you!
Great write-up and easy instructions to follow along. Thanks!
Hello,
Can you please help me understand how you got Mountain Standard Time (UTC -6) as the answer for the local DC server time? According to my calculations looking at the different “Bias” variables, my answer was Mountain Daylight Time/Pacific Standard Time UTC-7. Please clarify. Thanks a lot for this exercise 🙂
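The Bias arithmetic behind the two TimeZoneInformation questions above (the Q3 registry key and the UTC-7 vs UTC-6 calculation), as an added Python example that is not part of the post or its answer key; the registry values in the block are constructed for two example hosts, not read from the case images, and the function and class names are the example's own.

```python
from dataclasses import dataclass
from datetime import timedelta

# Windows defines UTC = local time + Bias, so every *Bias value under
# HKLM\SYSTEM\ControlSet00N\Control\TimeZoneInformation is minutes WEST of
# UTC: Pacific Standard Time stores Bias = 480 and is displayed as "UTC-8".
# Negative values such as DaylightBias = -60 sit in the key as the
# two's-complement DWORD 0xFFFFFFC4, which is where hand calculations go wrong.

def dword_to_int(value):
    """Interpret a REG_DWORD as a signed 32-bit integer."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value

def bias_to_utc_offset(bias_minutes):
    """Render a bias in minutes as UTC+HH:MM / UTC-HH:MM."""
    offset = -dword_to_int(bias_minutes)  # negate: Bias is positive west of UTC
    sign = "+" if offset >= 0 else "-"
    hours, minutes = divmod(abs(offset), 60)
    return f"UTC{sign}{hours:02d}:{minutes:02d}"

@dataclass
class TimeZoneInformation:
    standard_name: str
    bias: int              # Bias: minutes west of UTC during standard time
    standard_bias: int     # StandardBias: normally 0
    daylight_bias: int     # DaylightBias: normally -60, i.e. 0xFFFFFFC4
    active_time_bias: int  # ActiveTimeBias: the bias in force when the key was written

    def standard_offset(self):
        return bias_to_utc_offset(dword_to_int(self.bias) + dword_to_int(self.standard_bias))

    def daylight_offset(self):
        return bias_to_utc_offset(dword_to_int(self.bias) + dword_to_int(self.daylight_bias))

    def active_offset(self):
        return bias_to_utc_offset(self.active_time_bias)

    def dst_in_effect(self):
        return self.active_offset() != self.standard_offset()

    def local_to_utc(self, local_time):
        """Shift a datetime the host recorded in local time to UTC."""
        return local_time + timedelta(minutes=dword_to_int(self.active_time_bias))

# Constructed values, not read from the case images: two hosts whose keys were
# last written while daylight saving time was in force.
PACIFIC = TimeZoneInformation("Pacific Standard Time", 480, 0, 0xFFFFFFC4, 420)
MOUNTAIN = TimeZoneInformation("Mountain Standard Time", 420, 0, 0xFFFFFFC4, 360)
```

Note that the same ActiveTimeBias (420) is produced by Pacific time in summer and by Mountain time in winter, so the name strings and the key's last-write context matter as much as the number; a host whose clock is simply wrong needs a correction on top of this.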
Thank you for the effort put into creating this tutorial series.
One question: why is the adversary IPv4 address sometimes written with square brackets, e.g. 203.78.103[.]109? Is it a typo (it occurs several times, but not always)?
Great question!
Hopefully it has the brackets wherever it’s copy/pastable. The brackets are a method of making the IP address harder to cut and paste, or “clickable”. This is known as “de-fanging”. It’s a bad moment when a defender accidentally clicks or pastes a known malicious IOC.
Awesome content. Thanks for providing such a concise explanation on how mounting works.
Great stuff
When you find out the IP trying to RDP brute force domain controller is 194.61.24.102, why don’t you just carve the .PCAP file and keep examining with Wireshark? Why did you have to spend time on the “Who went where” part while you can find out the IP 10.42.85.115 in the later step?
Erik,
Great question!
The method you are discussing is demonstrated later in the article. I felt it was important to show how to use command line tools effectively while also teaching BPF and ECN bits. Having a deeper understanding of what the packets are really saying is key before carving them for Wireshark analysis.
There are countless ways to approach intrusion analysis. The section you are discussing starts with, “Another approach to investigating PCAPs is to look at what internal systems were reaching out to remote systems. …” This is deliberately written that way stating it is about to take you down “another method”.
The intent here is to arm analysts with as many tools as possible to carve and examine PCAPs. Each artist will learn their own approach and methods.
Thank you for the tutorial. (Previous question – check your file system offsets. Got the same error messages until I used the correct offsets.)
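A check for the offsets point raised in the comment above (the "NTFS signature is missing" mount error usually means the offset handed to mount does not land on the start of the NTFS volume), added here as a Python example and not code from the post; the mmls output and the raw image are constructed inside the block, and only mmls, ewfmount and mount are real SIFT tool names.

```python
import re

SECTOR = 512
NTFS_OEM_ID = b"NTFS    "  # bytes 3..10 of a valid NTFS boot sector

# Constructed sample of Sleuth Kit `mmls` output (not from the case image):
# the NTFS volume starts at sector 2048, i.e. 1 MiB into the disk.
MMLS_SAMPLE = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
"""

ROW_RE = re.compile(r"^\d+:\s+\S+\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

def partitions(mmls_text, sector_size=SECTOR):
    """Return (description, start_sector, byte_offset) for each real partition."""
    found = []
    for line in mmls_text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and not m.group(4).startswith(("Unallocated", "Primary Table")):
            start = int(m.group(1))
            found.append((m.group(4), start, start * sector_size))
    return found

def make_sample_image(ntfs_start_sector=2048, sector_size=SECTOR):
    """Constructed raw image: zeros except an NTFS boot sector at the given sector."""
    img = bytearray((ntfs_start_sector + 1) * sector_size)
    boot = ntfs_start_sector * sector_size
    img[boot:boot + 3] = b"\xEB\x52\x90"        # x86 jump, as real boot sectors start
    img[boot + 3:boot + 11] = NTFS_OEM_ID       # OEM ID the NTFS driver looks for
    img[boot + 510:boot + 512] = b"\x55\xAA"    # boot sector signature
    return bytes(img)

def has_ntfs_signature(image, byte_offset):
    """True if an NTFS boot sector starts at byte_offset. False at offset 0 of a
    whole-disk image is exactly the 'NTFS signature is missing' situation."""
    return image[byte_offset + 3:byte_offset + 11] == NTFS_OEM_ID

def mount_command(image_path, byte_offset, mountpoint="/mnt/windows"):
    """Loop-mount line for the raw (or ewfmount-exposed) image at that offset."""
    return f"sudo mount -o ro,loop,offset={byte_offset} {image_path} {mountpoint}"
```

With an E01, expose it first with `ewfmount image.E01 /mnt/ewf`, run `mmls /mnt/ewf/ewf1`, and feed the computed byte offset to the mount line.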
I am in awe of the level of detail put into this guide. I am a new swimmer in the ocean of Reverse Engineering and Forensic Analysis and the link to this site was sent to me by a close connection of mine on LinkedIn. What a treasure trove I came upon. I had to bookmark this site as an essential for my career journey. Thank you, James.
There is a problem with the time side in the CSV file, e.g. 11/15/2037 or 1:49:00 AM 8/31/1902 12:32:00 PM, ridiculous dates. Why is that? How can we turn them into the right time?
Hi James,
Can’t find the file to download. Can you provide me with the link, please?
Thanks a lot. Great post.
Great work – big thank you for this AMAZING WORK!
How can we mount an E01 on Windows?