What is Digital Forensics anyway?
Trying to reconstruct the past
Locard's exchange principle
"Every contact leaves a trace"
A complex case consisting of
Manual investigation of multiple server drives.
Images shipped from multiple countries.
Arrest made of a 22-year-old university student
Outcome: no conviction recorded
Really good exercise for all involved!
Solution: Triage!
Created a custom bootable CD
Distribute CD in advance
Use every available resource to triage!
Triage is a pragmatic tradeoff between time and accuracy
Unlikely to be very effective against serious targets!
Bad actors have better OpSec
Constant tension between User Privacy vs. Digital Forensics!
For example:
Digital Forensics started off as a Law Enforcement tool.
Incident Response is a more modern application of DF techniques
As adversaries became more professional they became more efficient
Financially motivated! Can cause a lot of damage
Dwell time is measured in days or hours, not months
No time to take full disk images!
We need to rely more on triage!
Faster turn around - we need answers quickly!
Main goal is disruption and eviction of attackers.
Many of the traditional Digital Forensics artifacts were not designed with our needs in mind.
For example:
TRIM on SSDs discards deleted clusters, so carving slack and unallocated space is largely useless!
Operating systems are becoming hardened!
Much of the time we arrive at the "crime scene" after the fact
Try to reconstruct what happened from incidental information
Forensics by its nature is Making the best of a bad hand!
Sometimes we go into an incident unprepared, but a lot of the time we can prepare in advance!
In a corporate setting we can actually prepare for forensic investigation and incident response
Similar but orthogonal to system hardening
Taking steps in advance to increase our chances of successfully investigating an incident!
Information security is a continuum and a tradeoff between resourcing and usability
What can we do to improve our forensic readiness?
Simple things can be done cheaply!
More sophisticated things may involve more efforts
Consider how likely a forensic investigation is to occur
Configuration change
Installation of EDR/Agents/Endpoint visibility software
Let's re-examine the digital forensic process critically
Identify the things that can go wrong, the gaps and improvements
Can we increase our chances of success?
Event logs are a huge source of forensic information!
But they have some problems:
The best practice for protecting event logs is to forward them off the system.
Built in facility within Windows: Windows Event Forwarding (WEF)
Or use an agent such as Elastic Agent/Winlogbeat or Velociraptor
Tuning which events to forward
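Added example (not from the slides): a minimal source-initiated WEF subscription that forwards only the channels and event IDs an IR team actually wants, plus the matching client-side setting. The collector name wec01.corp.example, the subscription name DFIR-Core and the chosen event IDs are assumptions; the event list is a starting point, not a complete detection set.

```powershell
# Added example (not from the slides). Assumed: collector wec01.corp.example,
# subscription name DFIR-Core. Run the first part on the collector (Windows
# Server), the second on each source host (normally delivered by GPO).

# --- Collector: enable the Windows Event Collector service and WinRM
wecutil qc /q

# Subscription definition. The <Query> is where forwarding is tuned:
# only logons, process creation, scheduled tasks, log clears, PowerShell
# script blocks and Sysmon are selected here.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DFIR-Core</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Core IR events: logons, process creation, PowerShell script blocks, Sysmon</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0">
        <Select Path="Security">*[System[(EventID=1102 or EventID=4624 or EventID=4625 or EventID=4688 or EventID=4698)]]</Select>
        <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4104)]]</Select>
        <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
'@
$xmlPath = Join-Path $env:TEMP 'DFIR-Core.xml'
Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8
wecutil cs $xmlPath          # create the subscription
wecutil gs DFIR-Core         # confirm it exists and is enabled

# --- Source hosts: point the forwarder at the collector. The SDDL above
# admits Domain Computers (DC); NETWORK SERVICE also needs read access to the
# Security log on each host (local "Event Log Readers" group membership).
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name '1' -Type String `
  -Value 'Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60'
winrm quickconfig -q         # WinRM must be running for the forwarder to talk to the collector
gpupdate /force              # pick the policy up now instead of at the next refresh
```

Because the subscription is source-initiated, adding a host is purely a client-side change, which is what makes it cheap to roll out through Group Policy. Forward the ForwardedEvents log on to your SIEM or agent from the collector; a collector is a better-protected copy, not an analysis platform.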
Enable the Prefetcher on Windows Server OSs (it is disabled there by default)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnablePrefetcher /t REG_DWORD /d 3 /f
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher" /v MaxPrefetchFiles /t REG_DWORD /d 8192 /f
powershell -Command "Enable-MMAgent -OperationAPI"
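Added example (not from the slides): the same Prefetch settings applied idempotently, together with the check the registry commands alone do not give you. Application prefetching depends on the SysMain (formerly Superfetch) service; if it is stopped, the values are set but C:\Windows\Prefetch stays empty. The script assumes the system drive is C: and uses whoami.exe only as a harmless process to trigger a trace.

```powershell
# Added example (not from the slides). Run elevated on the Server host.
$memMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
$prefKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher'

# 3 = boot and application prefetching; 8192 raises the file cap from the default 1024
Set-ItemProperty -Path $memMgmt -Name EnablePrefetcher -Type DWord -Value 3
New-Item -Path $prefKey -Force | Out-Null
Set-ItemProperty -Path $prefKey -Name MaxPrefetchFiles -Type DWord -Value 8192

# SysMain must be running, and stay running across reboots
$svc = Get-Service -Name SysMain -ErrorAction Stop
if ($svc.StartType -ne 'Automatic') { Set-Service -Name SysMain -StartupType Automatic }
if ($svc.Status -ne 'Running')      { Start-Service -Name SysMain }

# Enable the Operation Recorder API the prefetcher relies on
Enable-MMAgent -OperationAPI

# Verify: launch a process and look for a .pf written after that moment.
# Prefetch traces the first ~10 s of a process and writes the file afterwards.
$t0 = Get-Date
Start-Process -FilePath "$env:SystemRoot\System32\whoami.exe" -NoNewWindow -Wait
Start-Sleep -Seconds 15
$new = Get-ChildItem "$env:SystemRoot\Prefetch\*.pf" -ErrorAction SilentlyContinue |
       Where-Object { $_.LastWriteTime -gt $t0 }
if ($new) {
    "OK: prefetch is live, new trace(s): $($new.Name -join ', ')"
} else {
    "No new .pf yet: EnablePrefetcher needs a reboot to take effect; re-run this check afterwards"
}
```

Put the verification half of this into whatever compliance or configuration-management check you already run, so a change that quietly stops SysMain is noticed before an incident rather than during one.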
The USN Journal records filesystem operations
Operations are recorded in the hidden NTFS file $Extend\$UsnJrnl, in its $J alternate data stream
The USN journal rolls over fairly quickly (default maximum size is approx. 32 MB on the system volume)
Filtering the USN journal for prefetch file modifications gives useful timestamps related to program execution!
An attacker can delete the USN Journal entirely (it is a supported admin operation via fsutil)
Then we are forced to carve the disk for USN records!
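Added example (not from the slides), covering both the readiness side of the USN journal and the triage query above: raise the journal's maximum size so it survives more than a day of activity, then pull the records for Prefetch files and turn them into a rough execution timeline. It assumes volume C: and that fsutil's CSV output carries the columns "Usn", "File name", "Reason" and "Time stamp" (as on Windows 10/11 and Server 2016+; check the header line on your build before trusting the column names).

```powershell
# Added example (not from the slides). Run elevated; fsutil needs admin rights.

# 1) Readiness: raise the journal ceiling. Default is about 32 MB; here 1 GiB
#    with a 64 MiB allocation delta. createjournal resizes an existing journal.
fsutil usn queryjournal C:                           # shows current Maximum Size
fsutil usn createjournal m=0x40000000 a=0x04000000 C:

# 2) Triage: every record that touched a *.pf file. A .pf being created means
#    first execution of that binary; DATA_EXTEND/CLOSE on an existing .pf means
#    it ran again around the record's timestamp.
$rows = fsutil usn readjournal C: csv | ConvertFrom-Csv   # assumed column names, see lead-in

# Reason is a hex bitmask (USN_REASON_*): 0x100 FILE_CREATE, 0x2 DATA_EXTEND,
# 0x80000000 CLOSE (record finalised). Parsing with [int64] avoids int32 overflow.
$FILE_CREATE = 0x100
$DATA_EXTEND = 0x2

$execs = $rows |
  Where-Object { $_.'File name' -like '*.pf' } |
  ForEach-Object {
      $reason = [int64]$_.Reason
      [pscustomobject]@{
          Time    = $_.'Time stamp'
          # NOTEPAD.EXE-D8414F97.pf -> NOTEPAD.EXE (strip the 8-hex-digit path hash)
          Program = ($_.'File name' -replace '-[0-9A-F]{8}\.pf$', '')
          Created = [bool]($reason -band $FILE_CREATE)
          Updated = [bool]($reason -band $DATA_EXTEND)
          Usn     = $_.Usn
      }
  }

$execs | Sort-Object Time | Format-Table -AutoSize
```

The timestamps come from the journal, not from the .pf file itself, so this still works when the Prefetch directory has been cleaned out as long as the journal has not rolled over or been deleted; that is exactly why the size increase in step 1 is worth doing before an incident. On SSDs, records for files that were later deleted still survive in $J because the journal itself is live data and is not trimmed.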
Digital Forensics is actually a rapidly evolving field!
Although rooted in "Best Practice" and "Court Admissibility"
Digital forensics is the best we have when preparation is insufficient!
We can do some simple and easy things to improve our forensic preparedness.
Challenge ourselves to preempt the forensic process