Evidence Collection

Environment

For the IR-Workstation and IR-Laptop VMs the credentials are:

Username: investigator
Password: L34rn1ng!

A Samba server is installed on the IR-Workstation VM for file sharing with the host (login: investigator, password: investigator). The shared directory is ~/data. If it is not installed yet, you can install it with this command:

fast-update install_samba investigator

For the Corp-Laptop VM, you have two users:

Username: Michael Scott
Password: L34rn1ng!

Username: Administrator
Password: P4$$w0rd!

In this scenario, we are faced with a security breach involving confidential information from a global energy company. The CEO's computer is suspected to have been compromised during a recent trip to Asia. As lead investigator, our first step is to gather as much information as possible from the CEO and then carry out first-response procedures on their computer.

To start the investigation, we need to identify where the leaked information was stored and who has access to it. In this case, only the CEO has access, which makes them the likely target. While the CEO's computer is the primary focus, we should not rule out reviewing other devices.

During our meeting with the CEO, we will gather details that provide context and help us narrow down the type of information we are looking for. Once the interview is complete, we will request the CEO’s computer to perform disk and memory forensic imaging. This will allow us to analyze the data from the period between the CEO’s trip and the discovery of the information leak.

In addition to disk and memory imaging, we will also collect specific artifacts such as program installations, timelines of executed applications, and information about network requests (domains or Internet Protocol (IP) addresses). These artifacts speed up the investigation and help identify potential compromise vectors, such as malicious websites visited by the user.

Once we have identified the necessary information, we will select appropriate tools based on the environment and specific circumstances of the case. These first-response tools will help us gather the evidence needed to uncover the truth behind the security breach.

Creating a first-aid USB kit to use in case of an emergency

  1. Once your USB pen drive is ready (formatted as NTFS or exFAT: FAT32 cannot hold a file larger than 4 GB, which a memory image easily exceeds), open the drive and create a folder called FirstResponseTools (this is where we will save all our tools).
  2. Then, create a folder called Evidence (this is where we will save the files acquired from the suspect devices).
  3. Inside the FirstResponseTools folder, create a new folder called Installers.
  4. Inside the Evidence folder, create two more folders, one called MemDump and another called Artifacts.

Memory Acquisition

Why?

Acquiring the full memory has several advantages. For instance, we do not have to worry about the order of volatility when collecting individual items, because everything is captured at a single point in time. Do it before running any other tool on the machine, though: every program you start (including the capture tool itself) overwrites some of the memory you want to preserve.

Another advantage is that none of the information is lost: if the environment changes afterwards, it does not affect us, because the image can be examined as many times as necessary without risk to the evidence.

Capturing memory using MAGNET RAM Capture

  1. Download MAGNET RAM Capture and save it under FirstResponseTools\Installers\MagnetRamCapture.

  2. In the Corp-Laptop VM, proceed as follows:

    • Connect the pen drive to the VM.
    • Double-click the MAGNET RAM Capture executable and set the Save RAM capture to… location to the Evidence\MemDump folder on the pen drive, never to the suspect computer's own disk.
    • Disconnect the pen drive from the VM once the capture has finished.
Note

Remember that it is very important to interact as little as possible with the suspicious computer, because every action risks contaminating the evidence.

Once the memory capture is complete, disconnect your device and analyze the information later on your own computer or in the laboratory. In this case, you can use the investigator VM to analyze the evidence.

Memory capture and artifacts acquisition using Velociraptor

When conducting a forensic investigation, it is beneficial to gather both memory images and forensic artifacts. This allows for a more efficient analysis process, as the artifacts provide valuable information that can guide the search within the memory or hard drive.

Velociraptor offers the capability to capture memory using WinPmem and define specific artifact collectors for each case, enabling investigators to obtain accurate and relevant evidence.

In the investigator VM, follow these next steps:

  1. Connect the pen drive to the VM, as in the previous exercise.
  • Inside the FirstResponseTools directory, create a folder called velociraptor; the tool will be downloaded there.

  • Go to the Velociraptor releases page, https://github.com/Velocidex/velociraptor/releases/, and download the latest release for your machine architecture (for the Windows VMs, the windows-amd64 executable).

  • Rename the velociraptor-vx.x.x-windows-amd64.exe file to velociraptor.exe.

  • Hold the Shift key, right-click the Windows Terminal icon on the taskbar, and select Run as administrator to open a terminal with administrative privileges.

  • Change to the USB drive letter and then to the FirstResponseTools\velociraptor directory.

  • In the console, run the command below. It writes the list of forensic artifacts supported by Velociraptor to a text file:

    velociraptor.exe artifacts list > artifacts.txt
  2. Now, we are going to create a batch file that defines which artifacts to collect from the computer under investigation.
  • In Windows Explorer, double-click artifacts.txt to open it in Notepad and review the list of artifacts.
  • Open a new instance of Notepad and create a file named triage.bat.
  • From artifacts.txt, copy the names of the following artifacts into triage.bat:
Windows.Memory.Acquisition
Windows.Forensics.Timeline
Windows.Applications.Edge.History
  3. For this lab, we want to collect a memory image, the forensic activity timeline of the suspicious computer, and the Microsoft Edge browsing history. To do this, write one command line per artifact in triage.bat, replacing <artifactname> with the artifact name and <outputfilename.zip> with a name for the archive:
  • For the memory acquisition:
velociraptor.exe artifacts collect -v <artifactname> --output ..\..\Evidence\MemDump\<outputfilename.zip>
  • For the forensic timeline and the Microsoft Edge browsing history:
velociraptor.exe artifacts collect -v <artifactname> --output ..\..\Evidence\Artifacts\<outputfilename.zip>
  • Optionally, add @echo off as the first line of the file so the commands are not echoed when the batch file runs. Save the file in the same directory as velociraptor.exe. Keep the memory acquisition line first: every tool you run afterwards changes the contents of RAM.
  4. In the Corp-Laptop VM, proceed as follows:
  • Connect your first-response toolkit pen drive to the VM.
  • Open a command-line console with administrative privileges.
  • Change to the LETTER:\FirstResponseTools\velociraptor\ directory and run triage.bat from there (the ..\..\Evidence paths in the batch file are relative to that directory).
  • Once the process has finished, the files containing the forensic artifacts obtained from the compromised device will be in their respective directories.
  • Disconnect the pen drive from the VM.
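The triage.bat above is three hand-edited lines. The script below is an added example written for this page (it is not code from the lab or from the Velociraptor project) that does the same collection from PowerShell and adds what a responder usually wants on top: an administrator check, outputs named after the host and time, a SHA-256 hash of every archive taken at acquisition time, and a small chain-of-custody log. It assumes the toolkit layout from the lab (the script sits next to velociraptor.exe in FirstResponseTools\velociraptor on the pen drive, and Evidence\MemDump and Evidence\Artifacts exist on the same drive); the only Velociraptor command it uses is the artifacts collect … --output form the lab already uses.

```powershell
#Requires -RunAsAdministrator
<#
  triage.ps1 - added example, not part of the original lab or of Velociraptor.
  PowerShell counterpart of triage.bat: collects the three artifacts the lab
  chose, writes every output to the pen drive, and records a SHA-256 hash of
  each archive in a small chain-of-custody log.

  Assumptions (not stated in the lab):
    - this script sits next to velociraptor.exe in <USB>:\FirstResponseTools\velociraptor\
    - <USB>:\Evidence\MemDump and <USB>:\Evidence\Artifacts already exist
#>
$ErrorActionPreference = 'Stop'

$ToolDir  = $PSScriptRoot
$Root     = (Resolve-Path (Join-Path $ToolDir '..\..')).Path   # pen-drive root
$Velo     = Join-Path $ToolDir 'velociraptor.exe'
$HostName = $env:COMPUTERNAME
$Stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'

if (-not (Test-Path $Velo)) { throw "velociraptor.exe not found in $ToolDir" }

# Artifact names are the ones the lab copies out of artifacts.txt. Memory goes to
# MemDump, everything else to Artifacts, mirroring triage.bat. Memory stays first:
# each later collector overwrites some of the RAM we want to preserve.
$Plan = @(
    @{ Artifact = 'Windows.Memory.Acquisition';        Dest = 'Evidence\MemDump'   },
    @{ Artifact = 'Windows.Forensics.Timeline';        Dest = 'Evidence\Artifacts' },
    @{ Artifact = 'Windows.Applications.Edge.History'; Dest = 'Evidence\Artifacts' }
)

$Log = Join-Path $Root "Evidence\collection-$HostName-$Stamp.log"
"host=$HostName operator=$env:USERNAME start=$(Get-Date -Format o)" | Set-Content $Log

foreach ($item in $Plan) {
    $dest = Join-Path $Root $item.Dest
    if (-not (Test-Path $dest)) { throw "missing evidence folder $dest" }
    $out = Join-Path $dest "$($item.Artifact)-$HostName-$Stamp.zip"

    Write-Host "[*] $($item.Artifact) -> $out"
    & $Velo artifacts collect -v $item.Artifact --output $out
    if ($LASTEXITCODE -ne 0) {
        "FAILED $($item.Artifact) exit=$LASTEXITCODE" | Add-Content $Log
        continue
    }
    # Hash at acquisition time so the copy examined later in the lab can be checked
    $hash = (Get-FileHash -Algorithm SHA256 -Path $out).Hash
    "$($item.Artifact) sha256=$hash file=$out" | Add-Content $Log
}

"end=$(Get-Date -Format o)" | Add-Content $Log
Write-Host "[*] Done. Log: $Log"
```

Run it from the elevated console as powershell.exe -ExecutionPolicy Bypass -File LETTER:\FirstResponseTools\velociraptor\triage.ps1. Nothing is written to the suspect machine's disk; the log lands next to the evidence so that, back in the lab, Get-FileHash on the copied archives can be compared against the hashes taken on the live host.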

You can now analyze the content of the artifact files and the memory image in the investigator VM.

We already have valuable information to start the analysis, such as the timeline of executed applications, details about the user’s navigation using Microsoft Edge, and the dump of the random-access memory (RAM) of the suspicious device. In this case, we assumed that we performed the process directly; let’s see how we can create preconfigured files for someone else to run.

Creating artifact collectors

In the IR-Workstation VM, proceed as follows:

  • Open a Linux terminal.
  • In your home directory, create a directory called DFIR_Tools, and inside it a directory called velociraptor.
  • Go to https://github.com/velocidex/velociraptor/releases, download the newest stable Linux build, velociraptor-vx.x.x-x-linux-amd64, and save it in the velociraptor directory.
  • Rename the file to velociraptor.
  • Make the file executable:
$ sudo chmod +x velociraptor
  • Generate the server and client configuration files interactively:
$ sudo ./velociraptor config generate -i
Note

If you accept all the default options, the server.config.yaml and client.config.yaml files are created in the current working directory, and the server is configured to listen on 127.0.0.1 with a self-signed certificate, so clients and the GUI connect over HTTPS.

  • Create a user to operate the server:
$ sudo ./velociraptor --config server.config.yaml user add investigator --role administrator
  • Now start the server:
$ sudo ./velociraptor --config server.config.yaml frontend -v 
Note

When you open the GUI in a browser, a warning appears because the certificate is self-signed. Press the Advanced… button, then press the Accept the Risk and Continue button that appears at the bottom.

  • Log in to the server GUI (with the default configuration, https://127.0.0.1:8889) as the investigator user created above.

  • Expand the left sidebar by clicking the button above the Velociraptor logo.

  • Select the Server Artifacts option.

  • Press the Build offline collector button.

  • A new window opens in which you select the artifacts and configuration to build into the collector executable; follow these steps:

    • Select the following forensic artifacts:
Triage.collection.upload
Windows.Applications.Edge.History
Windows.Attack.Prefetch
  • Next, press the Configure Parameters button to define parameters for each artifact; each artifact may take different parameters. In this case, click on each artifact to review its parameters, but do not change any of them.

  • Press the Configure Collection button to define additional configuration parameters such as the password, the collection type, the temp directory, the level of compression, and any others. In this case, we will use the default options without changes.

  • Press the Review button to view a summary of the selected options and configurations.

  • Finally, press the Launch button to create an executable file.

  • Once the process has finished, the window closes; click the FlowId of the collection that was just created.

  • Select the Uploaded Files tab.

  • Click the link to the generated executable file to download it.

  • Copy the downloaded file to your first-response toolkit pen drive in the velociraptor directory.

  • Connect your pen drive to the Corp-Laptop VM and open the velociraptor directory. Right-click on the Collector_velociraptor-vx.x.x-x-windows-amd64 file and then select Run as administrator.

  • The collector will now retrieve the previously configured artifacts, as we did earlier with the triage.bat file

Memory capture and artifacts acquisition using KAPE

KAPE (Kroll Artifact Parser and Extractor) is a tool that greatly simplifies the collection and processing of forensic artifacts. Targets define what to collect, and modules run programs against the collected data or the live system, so KAPE can capture memory and pre-process artifacts in the same run, helping us find valuable information quickly during an investigation. With KAPE, we can significantly reduce the time required for data collection and analysis.

  1. In the investigator VM, proceed as follows:
  • Connect your first-response toolkit pen drive.
  • Under the FirstResponseTools directory, create a folder named KAPE.
  • Under the Evidence directory, create a folder called KAPE as well.
  • Under the Evidence\KAPE directory, create two folders: Target and Module.
  • Navigate to the website https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape.
  • Fill in the web form with your information and then press the Download Now button.
  • Save the .zip file in the FirstResponseTools\KAPE folder and unzip it there.
  • Disconnect your pen drive from the VM.
  2. In the Corp-Laptop VM, proceed as follows:
  • Connect your pen drive to the VM.
  • Navigate to the FirstResponseTools\KAPE folder and run gkape.exe as administrator (this starts the graphical user interface (GUI) version of KAPE; the collection needs admin rights to read locked system files and to acquire memory).
  • Once it is open, configure the information you want to collect from the compromised computer.
  • Select the Use Target options checkbox.
  • For the Target source option, select C:\.
  • For the Target destination option, select the E:\Evidence\KAPE\Target directory (replace E: with the letter assigned to your pen drive).
  • For the Targets option, select the following artifact collectors:
!SANSTriage
EdgeChromium
WindowsTimeline
  • For the Container option, select VHDX (the collected files are written into a virtual disk in this format).
  • For the Base name option, enter the name of the virtual hard disk (VHDX) file to create.
  • From the right-hand column, we select the modules that will pre-process the information we need, for instance the network connections, the system information, and the memory acquisition.
  • Select the Use Module options checkbox.
  • For the Module destination option, select the E:\Evidence\KAPE\Module directory.
  • In the Modules list, select the following checkboxes:
!EZParser
NetworkDetails
Systeminfo
WinPmem
  • For the Export format option, keep the Default option.
  • Under Other options, select the Zip password checkbox and enter the password.
  • Press the Execute button.
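The same collection can be fixed in a script and handed to a first responder instead of walking them through gkape. The block below is an added example written for this page, not code from the lab or from KAPE's documentation. What it assumes: kape.exe sits in FirstResponseTools\KAPE on the pen drive next to this script and the Evidence\KAPE\Target and Evidence\KAPE\Module folders exist; the switch names (--tsource, --tdest, --target, --vhdx, --msource, --mdest, --module, --zm, --zpw) are the ones gkape prints in its command-line preview for these options, and should be checked against kape.exe --help for your version; the module source is set to the target destination, which is what gkape does when both Target and Module options are enabled; and the zip password is a parameter, because the lab leaves its value unspecified.

```powershell
#Requires -RunAsAdministrator
<#
  kape-triage.ps1 - added example, not part of the original lab or of KAPE.
  Command-line equivalent of the gkape settings chosen in the lab, plus a
  hash listing of everything produced, taken before the drive is unplugged.

  Assumptions: kape.exe is next to this script under <USB>:\FirstResponseTools\KAPE\;
  <USB>:\Evidence\KAPE\Target and <USB>:\Evidence\KAPE\Module exist; switch names
  match the command line gkape shows for these options (verify with kape.exe --help).
#>
param(
    [Parameter(Mandatory)] [string] $ZipPassword,       # the lab leaves this value to you
    [string] $BaseName = "$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd-HHmm')"
)
$ErrorActionPreference = 'Stop'

$Kape  = Join-Path $PSScriptRoot 'kape.exe'
$Root  = (Resolve-Path (Join-Path $PSScriptRoot '..\..')).Path   # pen-drive root
$TDest = Join-Path $Root 'Evidence\KAPE\Target'
$MDest = Join-Path $Root 'Evidence\KAPE\Module'

if (-not (Test-Path $Kape)) { throw "kape.exe not found next to this script" }
foreach ($d in $TDest, $MDest) { if (-not (Test-Path $d)) { throw "missing $d" } }

$kapeArgs = @(
    '--tsource', 'C:',                                          # Target source
    '--tdest',   $TDest,                                        # Target destination
    '--target',  '!SANSTriage,EdgeChromium,WindowsTimeline',    # Targets
    '--vhdx',    $BaseName,                                     # Container = VHDX, Base name
    '--msource', $TDest,                                        # gkape sets this when both panes are used
    '--mdest',   $MDest,                                        # Module destination
    '--module',  '!EZParser,NetworkDetails,Systeminfo,WinPmem', # Modules
    '--zm',      'true',                                        # zip the module output...
    '--zpw',     $ZipPassword                                   # ...with this password
)

& $Kape @kapeArgs
if ($LASTEXITCODE -ne 0) { throw "kape.exe exited with code $LASTEXITCODE" }

# Hash everything KAPE produced so the copies examined in the lab can be verified.
Get-ChildItem -Path $TDest, $MDest -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $Root "Evidence\KAPE\hashes-$BaseName.csv") -NoTypeInformation
```

Run it from an elevated console as powershell.exe -ExecutionPolicy Bypass -File LETTER:\FirstResponseTools\KAPE\kape-triage.ps1 -ZipPassword '…'. The live-system modules (WinPmem, NetworkDetails, Systeminfo) run against the host regardless of the module source; !EZParser parses the files collected under the target destination.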

Now, KAPE will start processing the information and create files with the artifacts obtained from the compromised device.

Once the procedure is complete, you will be able to disconnect your pen drive from the Corp-Laptop VM and connect it to your investigator VM to analyze the information obtained.

Disk drive acquisition procedures

Sometimes, the acquisition of memory or forensic artifacts will not be enough in an investigation, especially if the scenario is complex or limited information is available.

Also, in situations where legal procedures are followed, it may be required that in addition to the procedures described earlier, a forensic acquisition of storage units or disks should also be made.

This procedure can be performed in two ways, as outlined here:

  • Using specialized software together with a write-blocking disk connector, such as the Tableau Forensic USB 3.0 Bridge, which provides write protection when you connect the disk directly to your computer.
  • Using a hardware duplicator that creates the forensic image directly, without the need for a computer.

In both cases, the computer must be powered off and the disk removed from the compromised device.

Hard drive acquisition using AccessData FTK Imager

Note

To simplify our hands-on labs, we are going to use a VMware virtual disk to simulate the process of connecting the hard drive to our investigator VM, following these steps.

  1. In the investigator VM, proceed as follows:
  • Connect your pen drive to your VM.
  • Navigate to https://www.exterro.com/ftk-imager to download FTK Imager.
  • Fill in the web form with your information and press the Download button.
  • Save the installer file in the FirstResponseTools\Installers directory.
  • Double-click the file to begin the installation and keep the default options.
  • Once the program is installed, an icon appears on the desktop. Double-click it to open the program.
  2. Let's now simulate connecting the suspicious computer's hard drive to our IR laptop. To do this, follow these steps:
  • On the computer where you have your VMs, create a new directory called HD_Acquisition_simulation.
  • Go to the Corp-Laptop VM directory and copy the Corp-Laptop-cl1.vmdk file to the HD_Acquisition_simulation directory.
  • Open the IR-Laptop VM, open the Player menu, select Manage, and then Virtual Machine Settings.
  • In the Virtual Machine Settings dialog box, press the Add button.
  • In the Add Hardware Wizard, select Hard Disk and press the Next button.
  • In the Select a Disk dialog box, select Use an existing virtual disk and press the Next button.
  • Select the .vmdk file you copied into the HD_Acquisition_simulation directory and press the Open button.
  • At that point, the hard drive appears as a new drive, just as if we had connected it externally to our computer.
Note

In real life, it is very important to use a hardware write blocker, as mentioned earlier, and to avoid interacting with the disk at all, so the evidence is not contaminated.

  3. Now we can carry out the forensic acquisition of the compromised computer's hard drive, as follows:
  • In AccessData FTK Imager, select the File menu and then the Create Disk Image… option.
  • In the Select Source dialog box, select Physical Drive and press the Next button.
  • In the Select Drive dialog box, select the second disk in the list, which corresponds to the hard drive we added earlier, and press the Finish button.
  • In the Create Image dialog box, press the Add button, select E01 (Expert Witness Format (EWF), also known as the EnCase image format) as the Destination Image Type, and press the Next button.
  • In the Evidence Item Information dialog box, fill in the appropriate information (case number, evidence number, examiner, notes) and press the Next button.
  • Configure the remaining image parameters as follows:
  • Select the directory where you will save the disk image.
  • Enter the name of the image file, in this case Corp-LT-HD.
  • Enter 0 as the image fragment size so the image is not split into multiple segment files.
  • Leave the compression level at 6 so the disk image is smaller than the source disk.
  • Press the Finish button.
  • Back in the Create Image dialog box, keep Verify images after they are created checked so FTK Imager hashes both the source drive and the image and reports whether they match, then press Start to begin the acquisition.