During or after an incident, there may be a need for forensic analysis on the endpoints involved in a breach or compromise. This blog discusses Digital Forensics and Incident Response (DFIR) targeted evidence collections as they relate to endpoint analysis using the latest capabilities of OpenText™ EnCase™ Endpoint Investigator.
The overall goal of the endpoint analysis is to identify the actual business impact of the compromise and tell the story of what happened. It is also important to make sure any malicious files are identified. The findings from the forensic analysis can be essential inputs to remediation planning, which ideally should be developed during the overall investigation.
As an example, in a recent dead-box analysis of an incident involving an Emotet infection, OpenText Security Consulting Services found a persistent application that was missed when the client’s IT department attempted to clean an infected driver for re-use. The network was again compromised, allowing the attacker to regain access, and nullifying the entire remediation effort.
In these types of investigations, immediate and accurate answers are needed, so to avoid having to forensically image an entire drive – either in person or over the wire – then spend time processing the entire image to analyze evidence as it relates to relevant artifacts.
Ideally, we want to connect to the live endpoint once it is identified, then use a method to extrapolate only artifacts that are of forensic interest. Using Endpoint Investigator with a custom collection condition, we can do just that.
In a malware campaign or an insider threat scenario, what are those artifacts?
To start, we want to identify any malicious applications that are in play. Then, we want to determine initial infection vector, we want to track user activity, and we want to identify all other endpoints involved.
Here are a few starting DFIR collection points used by our Security Consulting Services’ incident responders:
- For application use:
- ActivitiesCache
- AmCache
- ShimCache
- SRUDB
- PreFetch
- For persistence:
- Registry
- For user activity:
- Forensic Journaling
- ShellBags
- JumpLists
- RecycleBin
- EventLogs
In addition to this list, we always want to try to get a RAM dump, as well as an image from Microsoft’s Volume Shadow Copy Service (VSS). On a 100GB endpoint user drive, the collection should be reduced by as much as 99% depending on the size of the NTJournal, Registry files and other artifacts.
Without a collection condition, we must export these artifacts manually. To save time and to make sure we consistently export the relevant artifacts across all investigations, we use a custom Collection EnCondition.
Getting to the point where you can use the Encondition
When acquiring data over a network, we will want to preview the evidence first. If we are working from an image file, we must first load it into the Endpoint Investigator interface. No matter the collection method, once evidence drive is shown, we can double click the EnCondition in the lower right of the interface to run it.
This will filter the view to the parsed files. We select, using the blue tick, all the files that we want to collect, then we right click, and we select “Acquire > Create Logical Evidence File”. Finally, we complete the dialog box as we would for a standard acquisition.
We see that we were able to reduce the time to collect significantly, as well as the size of the dataset. In this example of a 4TB drive, we have a sub-set of relevant evidence that is only 446MB. We can now process the subset of data from our image to conduct our analysis.
Incident Response Collection EnCondition
OpenText Security Consulting Services provides customers an editable copy of the Incident Response Collection EnCondition, contact your Client Manager or contact us to obtain a copy.
Currently, the Incident Response Collection EnCondition (version 09012022) contains the code to collect the following artifacts:
- Any file with a .log extension
- All Registry Files including the user’s NTUSER.DAT registry files
- All Prefetch files
- The SRUDB.dat
- The $MFT
- The $UsnJrnl
- The $LogFile
- Any file with a .lnk extension
- Windows .evt and .evtx Event logs
- The Amcache.hve file
- The SetupAPI.dev.log
- The $Recycle.bin
- All Cookie files
- Chrome, IE, Edge, Firefox and Safari browser artifacts.
- The Activitiescache.db
- The following executable type files; exe, applications, hta, scr, bat, jar, jse, js, vbe, vb, vbs, pptm, docm, dotm, xlsm, dll.
Targeted Digital Forensics and Incident Response Evidence Collections using EnCase enables organizations to collect relevant artifacts during an incident response investigation, and this can be done efficiently using EnCondition. In the next blog, we will discuss why these artifacts are relevant. We will also look at how to parse some of these files with EnCase and others with open-Source tools written specifically for these artifacts.
The OpenText Security Services team uses their extensive experience to identify an organization’s security risks and work with them to keep systems protected, offering multiple services to address cybersecurity and privacy objectives.
If you are attending Enfuse 2022, consider attending the SC17 - Dissecting an Intrusion on October 6th 11:45 AM – 12:30 PM in Lando 4304 to further learn about conducting IR investigations using EnCase.
Engage with OpenText Security Consulting Services for assistance with your EnCase Endpoint Investigator or for assistance with digital forensics and incident response cases, contact your Client Manager or contact us.
Author: John Minotti, Lead Consultant with the OpenText Security Consulting Services
