Comments on Journey Into Incident Response: Finding An Infection Vector After IT Cleaned the System
Blog author: Corey Harrell. Comment feed last updated 2024-03-13T01:32:25-04:00. 12 comments, newest first.

Corey Harrell, 2012-11-16T21:27:02-05:00

@anon

Thanks for stopping by to check out the blog and leaving a comment. As for how much time, the examination I did for the post is a bad example since I set the scenario up. I recently worked a case similar to this scenario. "Cleaning" attempts destroyed a lot of artifacts, but over a span of a week there were reoccurring infections with reoccurring cleaning attempts. That exam took me 3 hours from start to finish. On most cases it takes between 2 to 3 hours, depending on the drive size.

The 3 hour time is when nothing is automated in my process and I am not using baselines. I am working on automation so I should be a lot faster; my goal is to make it 90 minutes or less.

Corey Harrell, 2012-11-16T21:18:00-05:00

@Alexander

Great point about the network, and it's something to keep in mind for when this type of thing occurs for real.

Anonymous, 2012-11-16T15:57:15-05:00

Hi Corey,

This is my first time reading your blog and I'd just like to say that your post was awesome.

I never realized how much information still remains on a system even after AV "cleans" the infection.

This is also a great real-world scenario and analysis; anyone can immediately incorporate these steps into their own incident response procedures.

I am new to computer forensics, so out of curiosity, how much time did it take you to perform this analysis?

Thanks for your post.

Alexander Hanel, 2012-11-13T11:13:06-05:00

Great write-up Corey. Another possible artifact could be found in the network logs. You could use the times you extrapolated in your analysis to cross-reference the network logs to find the command and control.

Mari DeGrazia, 2012-11-09T09:44:20-05:00

Excellent post Corey. Not only does this type of thing happen in IR, but across the board of computer forensics. Loved the analogies and summary.

H. Carvey, 2012-11-09T07:14:59-05:00

Corey,

In a lot of ways, I really think that this post goes along with your root cause analysis posts, in that analysts don't go after this sort of thing enough. I don't know why... perhaps they feel it will take too long, or that the amount of effort it takes to determine the root cause/IIV is too much.

Regardless, it's something that *NEEDS* to be done, as without it, how does an organization defend themselves? Where do you focus your efforts in defense if you don't have the intel that lets you make those decisions effectively?

Ken Pryor, 2012-11-08T18:31:28-05:00

Great, thanks for the info!
KP

Corey Harrell, 2012-11-08T17:07:52-05:00

@Ken

I made this timeline last spring, so I do things differently now. At the time I used Sleuthkit's fls.exe to get the filesystem metadata and regtime.pl to dump the ntuser.dat. Afterwards, I used log2timeline against the regtime.pl and fls.exe output files to convert them into CSV. I still do things similarly, but I'm now using RegRipper to get all timeline data from registry hives.

Ken Pryor, 2012-11-08T16:12:41-05:00

Corey,

Another excellent blog post, my friend. I really learned a lot from it.

I just watched a Mandiant webinar from August last night about INDX records, and they occurred to me as I started reading this. I was interested to see what you found, and didn't find, with regards to them.

Did you use Log2Timeline or some other means to create your timeline of the ntuser and file system?

Well done!
KP

H. Carvey, 2012-11-08T07:06:16-05:00

Corey,

All this is very cool. One of the things I try to express to analysts when this sort of thing comes up is that cleaners typically don't clean everything, and knowing where to look for indicators or artifacts can really mean the difference between an exam coming to a complete halt and finding an answer.

Corey Harrell, 2012-11-07T19:50:40-05:00

Harlan,

Thanks for the comment. Typically looking at the program execution artifacts is one of the first steps I do, but I wanted to highlight other artifacts that can contain useful info. Here is some of the information from program execution which falls within the same time frame. I extracted the info with RegRipper so the times are in UTC. To make it into EDT use the -4 offset. Also, I modified some output to make it easier for others to read.

Appcompatcache from System hive

UNC\XP-SP3-SHARES\Main_Share\Software\npp.6.0.0.Installer.exe
UpdTime: Sun Apr 8 19:06:21 2012 Z
Size : 5574272 bytes

C:\WINDOWS\system32\msmhxy.com
UpdTime: Sun Apr 8 19:33:59 2012 Z
Size : 30869 bytes

C:\WINDOWS\svchost.exe
UpdTime: Sun Apr 8 19:34:02 2012 Z
Size : 30869 bytes

C:\WINDOWS\msagent\msqgix.com
UpdTime: Sun Apr 8 19:34:10 2012 Z
Size : 30869 bytes

MUIcache from corey's ntuser.dat hive

C:\DOCUME~1\corey\LOCALS~1\Temp\npp.5.9.3.Installer.exe (npp.5.9.3.Installer)
C:\DOCUME~1\corey\LOCALS~1\Temp\server.exe (server)
C:\WINDOWS\svchost.exe (svchost)
C:\WINDOWS\system32\msmhxy.com (msmhxy)
C:\WINDOWS\msagent\msqgix.com (msqgix)

userassist from corey's ntuser.dat hive

Sun Apr 8 19:06:21 2012 Z
 UEME_RUNPATH:\\XP-SP3-SHARES\Main_Share\Software\npp.6.0.0.Installer.exe (1)

H. Carvey, 2012-11-07T18:54:41-05:00

Corey,

Great job.

Anything in the appcompatcache? How about an entry in UserAssist for the npp.6.0.0.Installer.exe?
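The AppCompatCache and UserAssist output Corey quotes in his reply to Harlan, merged into one ordered program-execution timeline at the EDT offset (-4) he mentions. This is an added example, not code from the blog or any commenter; the sample input is constructed from the values in that comment, and the parsers assume only that RegRipper-style text layout.

```python
# Added example (not from the blog or its comments): merge the RegRipper-style
# AppCompatCache and UserAssist lines quoted in the thread into one timeline,
# shown at the EDT offset (-4 h) Corey mentions. Sample text is constructed.
import re
from datetime import datetime, timedelta, timezone

EDT = timezone(timedelta(hours=-4))
APPCOMPATCACHE = r"""
C:\WINDOWS\system32\msmhxy.com
UpdTime: Sun Apr 8 19:33:59 2012 Z
Size : 30869 bytes

C:\WINDOWS\svchost.exe
UpdTime: Sun Apr 8 19:34:02 2012 Z
Size : 30869 bytes
"""
USERASSIST = r"""
Sun Apr 8 19:06:21 2012 Z
 UEME_RUNPATH:\\XP-SP3-SHARES\Main_Share\Software\npp.6.0.0.Installer.exe (1)
"""

def parse_ts(text):
    """RegRipper prints 'Sun Apr 8 19:33:59 2012 Z': unpadded day, trailing Z for UTC."""
    clean = text.strip().rstrip("Z").strip()
    return datetime.strptime(clean, "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_appcompatcache(text):
    """Blank-line separated blocks: path, 'UpdTime: ...', 'Size : N bytes'."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [line.strip() for line in block.splitlines() if line.strip()]
        upd = next(line for line in lines if line.startswith("UpdTime:"))
        entries.append(("AppCompatCache", parse_ts(upd.split(":", 1)[1]), lines[0]))
    return entries

def parse_userassist(text):
    """Line pairs: timestamp, then ' UEME_RUNPATH:<path> (<run count>)'."""
    lines = [line for line in text.splitlines() if line.strip()]
    entries = []
    for ts_line, run_line in zip(lines[::2], lines[1::2]):
        m = re.match(r"\s*UEME_RUNPATH:(.*?)\s*\((\d+)\)\s*$", run_line)
        entries.append(("UserAssist", parse_ts(ts_line), m.group(1)))
    return entries

def timeline(entries, tz=EDT):
    """Sort all entries by time and render at the analyst's offset."""
    return [(ts.astimezone(tz).strftime("%Y-%m-%d %H:%M:%S %z"), src, path)
            for src, ts, path in sorted(entries, key=lambda e: e[1])]
```

Feeding both parsers' output to timeline() puts the installer launch a little under half an hour before the two dropped binaries, which is the window Corey cross-references against his other artifacts.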