DFIR · EVIDENCE · TRIAGE

Digital Forensics - practical commands

The most commonly used Windows, Linux and macOS commands for collecting evidence and viewing network data and logs, together with simple diagrams of how an investigation proceeds. For training and authorised investigations only.

Sequence of evidence

Order of Volatility (RFC 3227) - collect the most volatile first

Order of Volatility - RFC 3227. Seven evidence levels from the most volatile (CPU/RAM) to the most stable (archives), with the corresponding commands. The higher an item sits in the list, the faster its data disappears: collect those first (volatility decreases from 1 to 7).

1 · CPU registers & cache - ns–µs · practically unobtainable (hardware-level)
2 · RAM (main memory) - processes · network connections · keys · injected code - AVML · winpmem · LiME
3 · Network state - active connections · ARP · DNS cache · routes - ss · netstat -ano · arp -a
4 · Temporary files / swap - /tmp · pagefile.sys · hiberfil.sys - mount · ls · find
5 · Disk (HDD / SSD) - bit-for-bit image + hash verification - dd · ddrescue · sha256sum
6 · Remote logs & monitoring - syslog · SIEM · journald · auditd - journalctl · Get-WinEvent
7 · Archives & backups - least volatile - offline media

IETF RFC 3227 · NIST SP 800-86 - live-acquire RAM BEFORE shutdown, if possible.

Application

At the start of an incident this helps decide what to collect first. The higher an item is in the list, the faster its data disappears: RAM is lost the moment the computer is powered off, and network connections change within seconds.

Reference

IETF RFC 3227 (2002) - Guidelines for Evidence Collection and Archiving · NIST SP 800-86 · ISO/IEC 27037.

Safety Note

Powering off the computer destroys the contents of RAM (processes, encryption keys, malware resident in memory). If you can, acquire memory first and only then disconnect the power.
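The volatility order above turned into a small Linux live-triage runner, as an added example that is not part of the original page. It runs the level 2–4 commands from the diagram in order, stamps each output with the UTC collection time and a SHA-256 of the raw bytes, and records a missing tool or a timeout instead of aborting, so the less volatile levels are still captured. The output directory name `volatile_triage` is an assumption.

```python
import hashlib
import json
import os
import shutil
import subprocess
from datetime import datetime, timezone

# Linux collection plan in RFC 3227 order (most volatile first). Level 1, CPU
# registers, has no practical command; levels 5-7 (disk image, remote logs,
# archives) are acquired with dd / journalctl etc. after the volatile data.
COLLECTION_PLAN = [
    (2, "process_list", ["ps", "aux"]),
    (3, "sockets", ["ss", "-tupn"]),
    (3, "arp_cache", ["arp", "-a"]),
    (4, "mounts_and_swap", ["mount"]),
]


def run_collection(plan, timeout=30):
    """Run each command in plan order and return a manifest (list of dicts).

    Every entry records the UTC time of collection and a SHA-256 of the raw
    output, so the saved output can later be shown to be unaltered. A missing
    tool or a timeout is recorded and skipped: the remaining, less volatile
    levels are still collected rather than aborting the whole triage.
    """
    manifest = []
    for level, label, argv in plan:
        entry = {"level": level, "label": label, "command": " ".join(argv),
                 "collected_utc": datetime.now(timezone.utc).isoformat()}
        if shutil.which(argv[0]) is None:
            entry["status"] = "tool-missing"
        else:
            try:
                proc = subprocess.run(argv, capture_output=True, timeout=timeout)
                entry["status"] = "ok" if proc.returncode == 0 else f"exit-{proc.returncode}"
                # Hash immediately: the output is the evidence.
                entry["sha256"] = hashlib.sha256(proc.stdout).hexdigest()
                entry["bytes"] = len(proc.stdout)
                entry["output"] = proc.stdout
            except subprocess.TimeoutExpired:
                entry["status"] = "timeout"
        manifest.append(entry)
    return manifest


def save_collection(manifest, outdir):
    """Write each output to its own file plus manifest.json (without raw bytes)."""
    os.makedirs(outdir, exist_ok=True)
    summary = []
    for entry in manifest:
        row = {k: v for k, v in entry.items() if k != "output"}
        if "output" in entry:
            row["file"] = f"{entry['level']}_{entry['label']}.txt"
            with open(os.path.join(outdir, row["file"]), "wb") as f:
                f.write(entry["output"])
        summary.append(row)
    with open(os.path.join(outdir, "manifest.json"), "w") as f:
        json.dump(summary, f, indent=1)
    return summary


if __name__ == "__main__":
    for row in save_collection(run_collection(COLLECTION_PLAN), "volatile_triage"):
        print(row["level"], row["label"], row["status"], row.get("sha256", ""))
```

Run it from a removable drive rather than installing anything on the suspect host, and copy the whole output directory, manifest included, to the evidence store before moving on to level 5.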

Incident Response Lifecycle

NIST SP 800-61 (4 phases) ↔ SANS PICERL (6 steps)

Incident response lifecycle - NIST's four phases with a feedback loop, mapped to the six SANS PICERL steps. Forensics happens mainly in the "Detection & Analysis" phase.

1 · Preparation - policies · tools · log training · baselines
2 · Detection & Analysis 🔎 - forensics · triage
3 · Containment, Eradication & Recovery
4 · Post-Incident - Lessons Learned · report ⇢ improves Preparation

SANS PICERL - 6 steps: Preparation · Identification · Containment · Eradication · Recovery · Lessons Learned

NIST SP 800-61 Rev. 2 · SANS PICERL · ISO/IEC 27035 - NIS2: early warning 24 h, notification 72 h.

Application

Helps structure how to respond to an incident. NIST's four phases map onto the six SANS PICERL steps; evidence is collected and analysed in the second phase (Detection & Analysis).

Reference

NIST SP 800-61 Rev. 2 · SANS PICERL · ISO/IEC 27035 (Incident management).

NIS2 deadlines

NIS2 Article 23: early warning within 24 hours, incident notification within 72 hours. Forensic findings provide the content of these reports to CERT.LV.

Where evidence is found

Evidence Source Map - Windows / Linux / macOS

Evidence source map - six evidence types, where they live and the command that retrieves them on Windows, Linux / Unix and macOS.

Memory & processes
  Windows: pagefile.sys · hiberfil.sys - winpmem · Get-Process
  Linux / Unix: /proc/kcore · /dev/mem - AVML · LiME · ps aux
  macOS: /dev/mem (SIP) · AFF4 - osxpmem · ps aux · vmmap
Network & connections
  Windows: TCP table · DNS cache - netstat -ano · Get-NetTCP…
  Linux / Unix: /proc/net · sockets - ss -tupn · lsof -i · arp -a
  macOS: BSD netstat · sockets - netstat -an · lsof -i · nettop
Logs & events
  Windows: …\winevt\Logs\*.evtx - wevtutil · Get-WinEvent
  Linux / Unix: /var/log · journald · auditd - journalctl · ausearch
  macOS: unified log · /var/db/diagnostics - log show · log stream
Files & timeline
  Windows: $MFT · USN $J - fsutil usn · dir /T
  Linux / Unix: inode atime/mtime/ctime - find · stat · debugfs
  macOS: FSEvents · Spotlight · xattr - mdls · xattr · stat -f
Persistence
  Windows: Run keys · Scheduled Tasks - reg query · schtasks
  Linux / Unix: cron · systemd units - crontab -l · systemctl
  macOS: LaunchAgents/Daemons plists - launchctl · plutil
Users & sessions
  Windows: SAM · active sessions - net user · query user
  Linux / Unix: utmp/wtmp/btmp · passwd - who · w · last · lastb
  macOS: dslocal plists · loginwindow - dscl . -list /Users · w

Application

Quickly find where specific evidence lives on each system and which command retrieves it. The full arguments are listed in the command reference table below.

Reference

SANS DFIR artefact references · MITRE ATT&CK - Collection (TA0009) · Windows / Linux forensics references.

Safety Note

Always record the system time zone and clock skew; without them, events from different sources cannot be put in the correct order (UTC versus local time).
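The safety note above as a worked timeline example, added here and not part of the original page. Three constructed events (Windows Security log, Linux auth.log, macOS unified log) are each written in the form their source uses; per-host metadata recorded during triage (UTC offset and measured clock skew) is an assumption, as are the host names. Sorting on the raw timestamps gives one order, normalising to UTC and removing the skew gives another.

```python
from datetime import datetime, timedelta, timezone

# Constructed per-host clock metadata captured during triage: the host's UTC
# offset (from Get-TimeZone, timedatectl or systemsetup -gettimezone) and its
# skew against a trusted NTP reference (positive = host clock runs ahead).
HOST_CLOCKS = {
    "WIN-SRV01": {"utc_offset_hours": 2, "skew_seconds": 90},
    "lnx-web01": {"utc_offset_hours": 0, "skew_seconds": 0},
    "mac-user01": {"utc_offset_hours": 2, "skew_seconds": 0},
}

# Constructed events, each timestamp as the source recorded it (host-local time).
RAW_EVENTS = [
    {"host": "WIN-SRV01", "source": "Security.evtx",
     "local_time": "2024-03-10 14:00:05", "what": "4624 logon"},
    {"host": "lnx-web01", "source": "auth.log",
     "local_time": "2024-03-10 11:59:10", "what": "sshd accepted publickey"},
    {"host": "mac-user01", "source": "unified log",
     "local_time": "2024-03-10 13:59:40", "what": "loginwindow session"},
]


def to_utc(event, clocks):
    """Interpret the local timestamp with the host's offset, then remove its skew."""
    info = clocks[event["host"]]
    tz = timezone(timedelta(hours=info["utc_offset_hours"]))
    local = datetime.strptime(event["local_time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    # A host whose clock runs ahead stamps events later than they really happened.
    return local.astimezone(timezone.utc) - timedelta(seconds=info["skew_seconds"])


def build_timeline(events, clocks):
    """Return the events with a corrected 'utc' field, sorted by true time."""
    rows = [{**ev, "utc": to_utc(ev, clocks).isoformat()} for ev in events]
    return sorted(rows, key=lambda r: r["utc"])


def naive_order(events):
    """Order by the raw strings alone, the mistake the safety note warns about."""
    return [e["host"] for e in sorted(events, key=lambda e: e["local_time"])]


if __name__ == "__main__":
    print("naive:     ", naive_order(RAW_EVENTS))
    for row in build_timeline(RAW_EVENTS, HOST_CLOCKS):
        print(row["utc"], row["host"], row["source"], row["what"])
```

Without the recorded offset and skew the Windows logon appears to be the last event; with them it is the first, which changes which host the analyst treats as the initial foothold.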

Acquisition and integrity flow

Chain of Custody - the original is never modified

Chain of Custody - evidence integrity. Six steps: identify, write-block + acquire, hash, verify, analyse the copy, document.

1 · Identify & isolate - disconnect the network · record the time · photos · serial numbers
2 · Write-block + acquire - bit-for-bit image - dd · ddrescue · ewfacquire
3 · Hash (original) - SHA-256 before analysis - sha256sum · Get-FileHash
4 · Verify - copy == original? hash match
5 · Analyse the COPY - never the original - read-only mount
6 · Document - what · when · where · why - custody log

🔒 Hash before and after · if they do not match, the evidence is compromised.

Application

Ensures the evidence can be used in court: proof of where it came from and that it has not been altered.

Reference

ISO/IEC 27037 (identification, collection, acquisition, preservation) · NIST SP 800-86 · ACPO Good Practice Guide.

Safety Note

A write-blocker or a read-only mount prevents accidental writes to the original. Always analyse the verified copy, never the original.
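Steps 2–6 of the chain-of-custody flow as runnable code, added here as an example and not taken from the page. It hashes the source before acquisition, copies it bit-for-bit, verifies copy == original, appends every action to a JSON-lines custody log, and re-verifies the working copy so that an accidental write is detected as a hash mismatch. The examiner name and the constructed "device" file in `demo()` are placeholders; on a real case the source would be a write-blocked block device.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-GB images never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def log_event(log_path, action, **details):
    """Step 6: append one custody record (what, when in UTC, who, details)."""
    record = {"time_utc": datetime.now(timezone.utc).isoformat(), "action": action, **details}
    with open(log_path, "a") as f:
        f.write(json.dumps(record) + "\n")
    return record


def acquire(source, image, log_path, examiner):
    """Steps 2-4: hash the original, copy it bit-for-bit, hash the copy, compare."""
    original_hash = sha256_file(source)  # step 3: hash BEFORE anything else touches it
    log_event(log_path, "hash-original", examiner=examiner, path=source, sha256=original_hash)
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst, 1 << 20)  # step 2: acquisition
    image_hash = sha256_file(image)
    verified = image_hash == original_hash  # step 4: copy == original?
    log_event(log_path, "verify-image", examiner=examiner, path=image,
              sha256=image_hash, match=verified)
    return {"sha256": original_hash, "verified": verified}


def verify(image, expected_sha256, log_path, examiner):
    """Re-hash the working copy before and after each analysis session."""
    current = sha256_file(image)
    ok = current == expected_sha256
    log_event(log_path, "re-verify", examiner=examiner, path=image, sha256=current, match=ok)
    return ok


def demo(examiner="examiner-placeholder"):
    """Constructed scenario: fake device file, acquisition, then an accidental write."""
    workdir = tempfile.mkdtemp(prefix="custody-")
    device = os.path.join(workdir, "sdb.raw")       # stands in for the write-blocked disk
    image = os.path.join(workdir, "sdb-image.raw")  # the analysis copy
    log_path = os.path.join(workdir, "custody.jsonl")
    with open(device, "wb") as f:
        f.write(b"\x00" * 4096 + b"constructed disk content" + b"\xff" * 4096)
    result = acquire(device, image, log_path, examiner)
    before = verify(image, result["sha256"], log_path, examiner)
    with open(image, "r+b") as f:  # simulate a stray write to a read-write mounted copy
        f.seek(4096)
        f.write(b"X")
    after = verify(image, result["sha256"], log_path, examiner)
    with open(log_path) as f:
        entries = [json.loads(line) for line in f]
    shutil.rmtree(workdir)
    return {"acquired_ok": result["verified"], "verify_before_tamper": before,
            "verify_after_tamper": after, "log_entries": len(entries)}


if __name__ == "__main__":
    print(demo())
```

The custody log is append-only by construction; keep it next to the image and hash it too, since a reviewer must be able to tie every hash value to the person and time that produced it.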

Where to look for typical traces

Artefact paths - folders and files (Windows / Linux / macOS)

Windows

Execution: C:\Windows\Prefetch\*.pf · C:\Windows\AppCompat\Programs\Amcache.hve · C:\Windows\System32\sru\SRUDB.dat
Registry (hives): C:\Windows\System32\config\ (SAM · SYSTEM · SOFTWARE · SECURITY) · %USERPROFILE%\NTUSER.DAT · %LOCALAPPDATA%\Microsoft\Windows\UsrClass.dat
Logs: C:\Windows\System32\winevt\Logs\*.evtx
Files / timeline: C:\$MFT · C:\$Extend\$UsnJrnl:$J · C:\$LogFile
User activity: %APPDATA%\Microsoft\Windows\Recent\ (LNK · Jump Lists) · %LOCALAPPDATA%\Google\Chrome\User Data\Default\History
Persistence: C:\Windows\System32\Tasks\ · %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
Temporary / memory: C:\pagefile.sys · C:\hiberfil.sys · %LOCALAPPDATA%\Temp\ · C:\Windows\Temp\

Linux / Unix

Logs: /var/log/auth.log · /var/log/secure · /var/log/syslog · /var/log/messages · /var/log/audit/audit.log · /var/log/journal/
Logins (utmp): /var/log/wtmp · /var/log/btmp · /run/utmp · /var/log/lastlog
User activity: ~/.bash_history · ~/.zsh_history · ~/.ssh/authorized_keys · ~/.ssh/known_hosts
Accounts: /etc/passwd · /etc/shadow · /etc/group · /etc/sudoers · /etc/sudoers.d/
Persistence: /etc/crontab · /var/spool/cron/ · /etc/cron.d/ · /etc/systemd/system/ · /usr/lib/systemd/system/ · /etc/rc.local · /etc/init.d/
Temporary / staging: /tmp · /var/tmp · /dev/shm
Processes / packages: /proc/PID/{cmdline,exe,maps,fd} · /var/log/dpkg.log · /var/log/apt/ · /var/log/yum.log

macOS

Unified log / logs: /var/db/diagnostics/*.tracev3 · /var/log/system.log (legacy) · /var/log/install.log
Persistence: ~/Library/LaunchAgents/ · /Library/LaunchAgents/ · /Library/LaunchDaemons/ · /System/Library/LaunchDaemons/
User activity: ~/Library/Preferences/*.plist · ~/.zsh_history · ~/.bash_history · ~/Library/Safari/History.db
Accounts: /var/db/dslocal/nodes/Default/users/*.plist · /Library/Preferences/com.apple.loginwindow.plist
Quarantine / provenance: …/com.apple.LaunchServices.QuarantineEventsV2 · xattr com.apple.quarantine
FS events / Spotlight: /.fseventsd/ · /.Spotlight-V100/
Temporary: /tmp · /var/tmp · /private/tmp

Application

Quick lookup of which folders and files hold the most common evidence. A good starting point for triage and for KAPE/CyLR targets.

Reference

SANS DFIR Windows Forensic Analysis poster · MITRE ATT&CK · Linux forensics reference.

Safety Note

Paths containing % are environment variables that differ for each user. Check all user profiles, not just the current one.
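A small Linux artefact collector that applies the path table above and the safety note about every user profile, added as an example that is not part of the original page. It expands `~/` once per home directory found in /etc/passwd rather than once for the current user, copies each matching file with its timestamps preserved, and writes a manifest with size, mtime and SHA-256. `demo()` runs it against a constructed fake root with two users; the root directory, user names and file contents are all constructed.

```python
import glob
import hashlib
import json
import os
import shutil
import tempfile

# Linux artefact paths from the table above; "~/" means every user's home.
LINUX_ARTEFACTS = [
    "/var/log/auth.log", "/var/log/secure", "/var/log/wtmp", "/var/log/btmp",
    "/etc/passwd", "/etc/shadow", "/etc/crontab", "/etc/cron.d/*",
    "/var/spool/cron/*", "~/.bash_history", "~/.zsh_history",
    "~/.ssh/authorized_keys", "~/.ssh/known_hosts",
]


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def home_dirs(root):
    """Every home directory listed in /etc/passwd that exists, not only the current user's."""
    homes = []
    with open(os.path.join(root, "etc/passwd")) as f:
        for line in f:
            parts = line.rstrip("\n").split(":")
            if len(parts) != 7 or parts[5] in ("", "/") or parts[5] in homes:
                continue
            if os.path.isdir(os.path.join(root, parts[5].lstrip("/"))):
                homes.append(parts[5])
    return homes


def collect(root, patterns, outdir):
    """Copy matching files under root into outdir and return a hashed manifest."""
    targets = []
    for pat in patterns:
        if pat.startswith("~/"):
            targets += [os.path.join(root, h.lstrip("/"), pat[2:]) for h in home_dirs(root)]
        else:
            targets.append(os.path.join(root, pat.lstrip("/")))
    manifest = []
    for pattern in targets:
        for src in sorted(glob.glob(pattern)):
            if not os.path.isfile(src):
                continue
            rel = os.path.relpath(src, root)
            dst = os.path.join(outdir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)  # copy2 keeps mtime/atime, which the timeline needs
            st = os.stat(src)
            manifest.append({"path": "/" + rel, "size": st.st_size,
                             "mtime": st.st_mtime, "sha256": sha256_file(src)})
    with open(os.path.join(outdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=1)
    return manifest


def demo():
    """Constructed root with two users; returns the manifest the collector built."""
    root = tempfile.mkdtemp(prefix="fakeroot-")
    files = {
        "etc/passwd": ("root:x:0:0:root:/root:/bin/bash\n"
                       "alice:x:1000:1000::/home/alice:/bin/bash\n"
                       "bob:x:1001:1001::/home/bob:/bin/zsh\n"
                       "nobody:x:65534:65534::/nonexistent:/usr/sbin/nologin\n"),
        "var/log/auth.log": "Mar 10 11:59:10 lnx-web01 sshd[812]: Accepted publickey for bob\n",
        "etc/cron.d/backup": "0 2 * * * root /usr/local/bin/backup\n",
        "home/alice/.bash_history": "ls\nsudo -l\n",
        "home/bob/.zsh_history": "ls -la /tmp\n",
        "home/bob/.ssh/authorized_keys": "ssh-ed25519 AAAAC3-constructed-key bob@laptop\n",
    }
    for rel, text in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as f:
            f.write(text)
    try:
        return collect(root, LINUX_ARTEFACTS, os.path.join(root, "collected"))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for row in demo():
        print(row["path"], row["size"], row["sha256"][:16])
```

Pointing `collect()` at a mounted read-only image (`root="/mnt/evidence"`) rather than `/` keeps the original untouched, in line with the chain-of-custody rule above.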

Command reference
Command · Category · OS · Description · Main arguments