Velociraptor Deployment

## A trip down memory lane...

* What is Digital Forensics anyway?

* Trying to reconstruct the past
  * What occurred on this system?
  * When did this occur?

* Locard's exchange principal

> "Every contact leaves a trace”

---

![](physical_analogy.png)

</a>

---

## A hacking case...

![](./nat_060322internetarrest.svg)

<a>

---

## A hacking case...

![](./nat_060322internetarrest2.svg)

<a>

---

## A hacking case...

* A complex case consisting of
  * Manual investigation of multiple server drives.
    * Compromises over a couple of years

* Images shipped from multiple countries.

* Arrest made of 22yo University Student
* Outcome was no conviction recorded
  * let off with a warning: motive was curiosity and desire to learn computer security.

* Really good exercise for all involved!
  * Best practice evidence collection, chain of custody etc!

---

## Large scale operation! 🚨

![](MR30092004OpAuxin.svg)

</a>

---

## How do you execute 400 search warrants simultaneously?

* A large scale coordinated operation poses a lot of challenges!
   * We don't have hundreds of DF experts! 👮
   * We can not take images of absolutely everything (Even in 2004!)
   * We can not seize every device. 🖥️ 💻📵
   * 72 hours to determine relevance!
   * Need to have chain of custody and follow correct procedures!

---

## How do you execute 400 search warrants simultaneously?

* Solution: Triage!

* Created a custom bootable CD 📀
  * Knoppix!
  * Carve images from disk!
  * Present them in a page of thumbnails!

* Distribute CD in advance
* Use every available resource to triage!
  * No specialist DF skill required 🧑‍💻
  * It is usually pretty obvious when a system requires proper
    escalation to DF experts 😱

---

## Key takeaways...

* Digital Forensics is a rigorous science with strong evidentiary procedures!
* However... We are trying to solve real life problems!
   * Need to be flexible and evolve to meet operational challenges
   * Scale, resourcing and time are critical challenges

> Triage is a pragmatic tradeoff between time and accuracy

---

## This was 20 years ago!
### Could we do the same today?

* Unlikely to be very effective!
   * Modern devices don't generally have DVD drives
   * Full Disk Encryption is widely available
   * Trusted boot, protected BIOS to prevent booting into DVD
   * Many devices are hardened (e.g. Chromebooks)
   * Modern drives are huge

* Bad actors have better Op Sec
   * Much more awareness of DF techniques
   * Widely available encryption and security products

## Is Digital Forensics Dead?

* Constant tension between User Privacy vs. Digital Forensics!

* Much of the time DF undermines device security.
   * Device manufacturers now focus on security and privacy as a first
     class feature.

* For example:
   * Full disk encryption
   * Incognito browsers
   * VPN and TLS everywhere!

---

https://www.abc.net.au/news/2024-10-14/hannah-grundy-reveals-the-ultimate-betrayal-after-photos/104404784

</a>

---

</a>

---

## Triage is useful!

* Digital Forensics is about capturing the best available evidence
  * As long as general principals are followed it is useful!
     * What is appropriate for this evidence?

---

## Wider application of Digital Forensics

* Digital Forensics started off as a Law Enforcement tool.

* Valuable tool to "determine what happened"

* Incident Response is a more modern application of DF techniques

* Initially DF was used hoping for prosecution
       * Preserving evidence to evidentiary standards
       * Shipping drives via FedEx!
       * Thorough analysis and reporting by DFIR experts

---

## Priority of DFIR

* As adversaries became more professional they became more efficient

* Financially motivated! Can cause a lot of damage

* Time to dwell is measured in days and hours

* No time to take full disk images!

* We need to rely more on triage!

* Faster turn around - we need answers quickly!

* Main goal is disruption and eviction of attackers.

## Is Digital Forensics Good enough?

* Many of the traditional Digital Forensics artifacts are not
  specifically designed for our needs.

* For example:
   * Prefetch files
      * Evidence of execution
   * Jumplists
      * Evidence of user actions
   * USB device insertion
      * Various registry keys

---

## Other challenges

* Use of TRIM in physical drives make slack analysis useless!

* Operating systems are becoming hardened!
   * MacOS System Integrity Protections means we can not access some files.
   * Chromebooks anyone?
   * Ipads?

---

## Sometimes Digital Forensics is unsatisfying!

* Much of the time we arrive at the "crime scene" after the fact

* Try to reconstruct what happened from incidental information

* Forensics by its nature is **Making the best of a bad hand!**

---

## If we rely on Digital Forensics, we have already lost!

### Digital Forensics is reactive in nature

* In a perfect world we would not need Digital Forensics!

---

## What if we could prepare for forensics?

* Sometimes we go into an incident unprepared, but a lot of the time
  we can prepare in advance!

* In a corporate setting we can actually prepare for forensic
    investigation and incident response

* Similar but orthogonal to system hardening

>  Taking steps in advance to increase our chances of successfully
>  investigating an incident!

---

## Forensic Readiness

1. Maximizing an environment's ability to collect credible digital
   evidence
2. Minimizing the cost of forensics in an incident response.

[Forensic Readiness John Tan @Stake (2001)](https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.480.6094&rep=rep1&type=pdf)

---

## Levels of preparedness

* Information security is a continuum and a tradeoff between
  resourcing and usability

* What can we do to improve our forensic readiness?

* Simple things can be done cheaply!
     * Set configuration parameters in the environment.

* More sophisticated things may involve more efforts
     * Install an agent, EDR etc.

* Consider how likely a forensic investigation will occur?
  * Tradeoff between cost and completeness
  * Table top exercises!

---

## What types of interventions can we employ?

* Configuration change
  * Increases the system's ability to support forensic analysis

* Installation of EDR/Agents/Endpoint visibility software
  * Increases resilience against malicious anti-forensics.

---

## Reimagine the forensic process

* Let's re-examine the digital forensic process critically

* Identify the things that can go wrong, the gaps and improvements

* Can we increase our chances of success?
   * Passive target: No deliberate interference with the DFIR process
   * Active Adversary: Employing Anti-Forensics to frustrate investigation

## DFIR Mind map

<a href="https://www.sans.org/posters/windows-forensic-analysis/" >
 The SANS Windows Forensic Analysis Poster
</a>

---

## Event logs

---

## Event logs

* Event logs are a huge source of forensic information!
* But they have some problems:

* Rotation of event logs. By default event log size is very small
      (20 mb)
  * We can adjust the maximum size of log files through group policy
    or the registry.

---

## Setting event log size

---

## Clearing the event logs

* Many attackers clear the event logs to frustrate forensic analysis.
   * Use Volume Shadow copies to periodically snapshot the disk
   * Forward events off the system, e.g. for SIEM or even built in
     Event Log forwarding.
   * Detect event log configuration modifications (Registry changes)

---

## Forwarding event logs off the system

* The best practice for protecting event logs is to forward them off
  the system.

* Built in facility within Windows: [Windows Event Forwarding (WEF)](https://learn.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection?source=recommendations)

* Use agent like Elastic or Velociraptor

* Tuning which events to forward
  * Sending only relevant events means less volume
  * Indexing events on the server side may increase costs (can just
    forward for backup).

---

## Example: Forwarding Sysmon logs

---

## Disabling of event logs

* Attackers can actively change logging configuration

---

## What can we do with an agent?

* We can constantly check configuration for compliance

![](checking_log_modifications.png)

---

## What can we do with an agent?

* Real time alerting on configuration modifications

![](detection_log_modifications.png)

## File based forensic artifacts

## Prefetch files

* Useful to determine evidence of execution
* Only enabled on non-server Windows Versions.

</div>
<div class="col">

</div>

---

## Prefetch files

Enable prefetcher on windows server OS's

```text
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnablePrefetcher /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher" /v MaxPrefetchFiles /t REG_DWORD /d 8192 /f

powershell /c "Enable-MMAgent -OperationAPI"
```

---

## Filesystem artifacts: USN

* The USN Journal records filesystem operations

* Operations are recorded in the hidden NTFS file `$Extend\$UsnJrnl:$J`

* The USN journal rolls over fairly quickly (Approx 30mb)

---

## Using the USN journal in IR

Filtering the USN journal for prefetch file modifications gives
useful timestamps related to program execution!

---

## Querying the USN journal

* The [fsutil tool](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn) can be used to manipulate the USN journal.

</div>
<div class="col">

</div>

---

## Attackers may clear the USN journal

* Attacker can completely delete the USN Journal.

* We are forced to carve the disk for USN records!

---

## What can we do with an agent?

* Forward USN records off the system in a timely fashion.

---

## Forwarding USN logs off the system