Forensics & Incident Response
Finding attackers, preserving evidence, investigating breaches
The Other Side of the Story
This chapter examines attacks from the defender's perspective. How do you find the techniques described in this curriculum? How do you investigate a breach, preserve evidence, and understand what happened? This pairs with The Long Con— imagine you're the IR team investigating that attack.
Incident Response Process
NIST Incident Response Lifecycle
┌─────────────────────────────────────────────────────────────────────────────┐ │ INCIDENT RESPONSE LIFECYCLE │ ├─────────────────────────────────────────────────────────────────────────────┤ │ │ │ ┌───────────────┐ ┌────────────────┐ ┌──────────────┐ │ │ │ PREPARATION │───▶│ DETECTION & │───▶│ CONTAINMENT │ │ │ │ │ │ ANALYSIS │ │ ERADICATION │ │ │ └───────────────┘ └────────────────┘ │ RECOVERY │ │ │ ▲ └──────────────┘ │ │ │ │ │ │ │ ┌────────────────┐ │ │ │ └─────────│ POST-INCIDENT │◀───────────────┘ │ │ │ ACTIVITY │ │ │ └────────────────┘ │ │ │ ├─────────────────────────────────────────────────────────────────────────────┤ │ │ │ PREPARATION DETECTION/ANALYSIS CONTAINMENT/ERADICATION │ │ ─────────── ────────────────── ─────────────────────── │ │ • IR plan • Alert triage • Isolate affected hosts │ │ • Team training • Log analysis • Block C2 domains/IPs │ │ • Tool deployment • Memory forensics • Reset credentials │ │ • Playbooks • Timeline creation • Patch vulnerabilities │ │ • Communication • Scope assessment • Remove persistence │ │ templates • IOC extraction • Rebuild if needed │ │ │ │ POST-INCIDENT │ │ ───────────── │ │ • Lessons learned • Update detection • Improve defenses │ │ • Document findings • Share IOCs • Brief leadership │ │ │ └─────────────────────────────────────────────────────────────────────────────┘
Evidence Collection
Order of Volatility
Collect evidence in order of how quickly it disappears:
| Priority | Evidence Type | Volatility | Collection Method |
|---|---|---|---|
| 1 | CPU registers, cache | Nanoseconds | Specialized hardware (rarely done) |
| 2 | Memory (RAM) | Power-dependent | Memory dump tools |
| 3 | Network connections | Seconds-minutes | netstat, network capture |
| 4 | Running processes | Minutes | Process listing, handles |
| 5 | Disk (filesystem) | Persistent | Disk imaging |
| 6 | Logs (remote) | Days-months | SIEM, log servers |
| 7 | Backups, archives | Months-years | Backup systems |
Memory Acquisition
# Windows - Using WinPMEM (Rekall)
winpmem_mini_x64.exe memory.raw
# Windows - Using DumpIt
DumpIt.exe
# Windows - Using FTK Imager (GUI)
# File → Capture Memory
# Linux - Using LiME (Loadable Kernel Module)
sudo insmod lime-$(uname -r).ko "path=/tmp/memory.lime format=lime"
# Linux - Using /proc/mem (requires root)
sudo dd if=/dev/mem of=memory.raw bs=1M
# macOS - Using osxpmem
sudo osxpmem -o memory.raw
# Verify acquisition
sha256sum memory.raw > memory.raw.sha256Disk Imaging
# Linux - Using dd (block-level copy)
sudo dd if=/dev/sda of=/mnt/evidence/disk.raw bs=4M status=progress
sha256sum /mnt/evidence/disk.raw > disk.raw.sha256
# Using dcfldd (forensic dd with hashing)
sudo dcfldd if=/dev/sda of=/mnt/evidence/disk.raw hash=sha256 hashlog=disk.hash
# Using ewfacquire (E01 format - compressed, split, hashed)
sudo ewfacquire /dev/sda -t disk -f encase6 -c fast
# Mount E01 for analysis
sudo ewfmount disk.E01 /mnt/ewf
sudo mount -o ro,loop /mnt/ewf/ewf1 /mnt/analysis
# Create forensic timeline from disk
fls -r -m / disk.raw > timeline.body
mactime -b timeline.body -d > timeline.csvMemory Forensics
Volatility is the standard tool for memory analysis. It extracts processes, network connections, registry hives, and more from memory dumps.
Volatility 3 Basics
# Identify OS profile (automatic in Vol3)
vol -f memory.raw windows.info
# List processes
vol -f memory.raw windows.pslist
vol -f memory.raw windows.pstree # Tree view with parent/child
# Find hidden processes (compare methods)
vol -f memory.raw windows.psscan # Scan for EPROCESS structures
# Compare pslist vs psscan - differences may indicate rootkits
# Process command lines
vol -f memory.raw windows.cmdline
# Network connections
vol -f memory.raw windows.netstat
vol -f memory.raw windows.netscan # Includes closed connections
# DLL analysis
vol -f memory.raw windows.dlllist --pid 1234
# Injected code detection
vol -f memory.raw windows.malfind # Find injected/suspicious memory regions
# Dump suspicious process
vol -f memory.raw windows.pslist --dump --pid 1234
# Registry analysis
vol -f memory.raw windows.registry.hivelist
vol -f memory.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"Detecting Common Attack Techniques in Memory
# Detect Mimikatz / credential dumping
# Look for lsass.exe access patterns
vol -f memory.raw windows.handles --pid [lsass_pid]
# Suspicious: Other processes with handles to lsass
# Detect process injection
vol -f memory.raw windows.malfind
# Look for: PAGE_EXECUTE_READWRITE memory regions with code
# MZ headers in non-image memory regions
# Detect beaconing malware
vol -f memory.raw windows.netscan | grep ESTABLISHED
# Look for: Connections to unusual ports/IPs
# Multiple connections from same process to same destination
# Detect fileless malware
vol -f memory.raw windows.cmdline
# Look for: powershell -enc, mshta, regsvr32 /s /n /u /i:
# Large encoded strings in command lines
# Extract suspicious strings
vol -f memory.raw windows.strings --pid 1234 | grep -i "http\|password\|admin"YARA Integration
# Scan memory with YARA rules
vol -f memory.raw windows.yarascan --yara-rules malware.yar
# Example YARA rule for Cobalt Strike beacon
rule CobaltStrike_Beacon {
strings:
$a = { 69 68 69 68 69 6B 69 68 } // Watermark
$b = "beacon.dll"
$c = "%s (admin)" wide
$d = "Could not open process token"
condition:
2 of them
}
# Scan all processes
vol -f memory.raw windows.yarascan --yara-rules cobalt.yarLog Analysis
Windows Event Logs
# Key Windows Security Events
# Authentication
# 4624 - Successful logon
# 4625 - Failed logon
# 4648 - Explicit credential logon (runas)
# 4672 - Special privileges assigned (admin logon)
# 4776 - NTLM authentication
# Account changes
# 4720 - User account created
# 4722 - User account enabled
# 4724 - Password reset attempt
# 4728 - Member added to security group
# 4732 - Member added to local group
# Process execution
# 4688 - New process created (enable command line logging!)
# 4689 - Process exited
# Scheduled tasks
# 4698 - Scheduled task created
# 4702 - Scheduled task updated
# Services
# 7045 - Service installed (System log)
# PowerShell (requires enhanced logging)
# 4103 - Module logging
# 4104 - Script block logging (captures actual code!)
# Query specific events
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} -MaxEvents 100
# Search for lateral movement (Type 3 = Network logon)
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} |
Where-Object { $_.Properties[8].Value -eq 3 }
# Export for analysis
wevtutil epl Security C:\evidence\security.evtxDetecting Attack Patterns in Logs
# Password spray detection
# Many 4625 (failed logon) for different users from same source
# Then 4624 (success) - they found a valid account
# Pass-the-Hash detection
# 4624 with Logon Type 9 (NewCredentials) followed by Type 3 (Network)
# NTLM authentication without prior Kerberos
# DCSync detection
# Event 4662 - Directory Service Access
# Look for: DS-Replication-Get-Changes permissions
# From non-DC computers
# Kerberoasting detection
# Event 4769 - Kerberos Service Ticket Operation
# Encryption type 0x17 (RC4) for service accounts
# High volume from single source
# Golden Ticket detection
# Event 4769 with unusual properties
# Account doesn't exist in AD
# Ticket lifetime > policy allows
# Scheduled task persistence
# Event 4698 - Scheduled Task Created
# Look for: Tasks with suspicious commands
# Tasks created by unusual accountsLinux Log Analysis
# Key Linux logs
# /var/log/auth.log or /var/log/secure - Authentication
# /var/log/syslog or /var/log/messages - System events
# /var/log/audit/audit.log - Audit framework (if enabled)
# ~/.bash_history - Command history per user
# Authentication analysis
grep "Failed password" /var/log/auth.log
grep "Accepted password" /var/log/auth.log
grep "session opened" /var/log/auth.log
# SSH brute force detection
grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -rn
# Sudo usage
grep "sudo" /var/log/auth.log
# Cron job changes (persistence)
grep "CRON" /var/log/syslog
ls -la /etc/cron.*/ # Check all cron directories
# User account changes
grep "useradd\|usermod\|passwd" /var/log/auth.log
# Audit log analysis (if auditd enabled)
ausearch -i -m execve # All command executions
ausearch -i -f /etc/shadow # Access to shadow file
aureport --auth # Authentication summaryTimeline Analysis
Building a chronological timeline of events is crucial for understanding attack progression.
Creating Supertimeline with Plaso
# log2timeline - Extract timestamps from all sources
# This can take hours for large disks
log2timeline.py --storage-file timeline.plaso disk.raw
# Process into readable format
psort.py -o l2tcsv -w timeline.csv timeline.plaso
# Filter by date range
psort.py -o l2tcsv -w filtered.csv timeline.plaso "date > '2024-03-01' AND date < '2024-03-15'"
# Filter by source type
psort.py -o l2tcsv -w prefetch.csv timeline.plaso "parser == 'prefetch'"
# Timeline sources include:
# - Filesystem timestamps (MACB - Modified, Accessed, Changed, Birth)
# - Windows Event Logs
# - Registry keys (last modified)
# - Prefetch files (execution times)
# - Browser history
# - LNK files
# - Jump lists
# - NTFS $MFT, $UsnJrnlKey Timestamp Sources
# Windows Prefetch - Evidence of execution
# Location: C:\Windows\Prefetch\*.pf
# Contains: Last 8 run times, run count, files accessed
# Tool: PECmd.exe (Eric Zimmerman)
PECmd.exe -d C:\Windows\Prefetch --csv C:\output
# Windows Amcache - Program execution
# Location: C:\Windows\AppCompat\Programs\Amcache.hve
# Contains: Full path, SHA1, first execution time
AmcacheParser.exe -f Amcache.hve --csv C:\output
# ShimCache - Application compatibility
# Location: SYSTEM registry hive
# Contains: Path, last modified time, execution flag
AppCompatCacheParser.exe -f SYSTEM --csv C:\output
# SRUM - System Resource Usage Monitor
# Location: C:\Windows\System32\sru\SRUDB.dat
# Contains: Network usage per application, execution time
SrumECmd.exe -f SRUDB.dat --csv C:\output
# Jump Lists - Recent files per application
# Location: %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\
JLECmd.exe -d AutomaticDestinations --csv C:\outputNetwork Forensics
Packet Capture Analysis
# Extract HTTP objects from pcap
tshark -r capture.pcap --export-objects http,./extracted_http
# Extract files from SMB
tshark -r capture.pcap --export-objects smb,./extracted_smb
# Find DNS queries (potential C2 domains)
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | sort | uniq -c | sort -rn
# Extract potential beaconing (regular intervals)
tshark -r capture.pcap -Y "ip.dst == 192.168.1.100" -T fields -e frame.time_relative | \
awk '{print int($1)}' | uniq -c
# TLS certificate analysis (C2 often uses self-signed)
tshark -r capture.pcap -Y "tls.handshake.certificate" -T fields \
-e x509sat.printableString -e x509sat.uTF8String
# JA3 fingerprint extraction (identify malware by TLS client)
# JA3 = MD5(SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats)
tshark -r capture.pcap -Y "tls.handshake.type == 1" -T fields \
-e ip.src -e tls.handshake.ja3_full -e tls.handshake.ja3
# Zeek (Bro) for automated analysis
zeek -r capture.pcap
# Creates conn.log, dns.log, http.log, ssl.log, etc.
# Find long connections (potential C2)
cat conn.log | zeek-cut id.orig_h id.resp_h duration | sort -t$'\t' -k3 -rn | headNetFlow Analysis
# NetFlow shows connection metadata without full packet capture
# Useful for: High-volume environments, historical analysis
# Using nfdump
nfdump -r netflow.dat -o extended
# Find top talkers
nfdump -r netflow.dat -s srcip/bytes
# Find connections to suspicious ports
nfdump -r netflow.dat "dst port 4444 or dst port 8080 or dst port 443"
# Data exfiltration detection (large outbound transfers)
nfdump -r netflow.dat "src net 192.168.0.0/16 and bytes > 100000000" -s dstip/bytes
# Beaconing detection (regular connections)
nfdump -r netflow.dat "dst ip 1.2.3.4" -a -A srcip,dstip,dstportMalware Analysis
Static Analysis
# Basic file identification
file suspicious.exe
sha256sum suspicious.exe
# Check VirusTotal
# https://www.virustotal.com/gui/file/[SHA256]
# Strings extraction
strings suspicious.exe | less
strings -el suspicious.exe # Unicode strings
# Look for:
# - URLs, IP addresses
# - Registry keys
# - File paths
# - Interesting function names
# - Encoded strings (base64, etc.)
# PE header analysis
# Using pefile (Python)
python3 -c "
import pefile
pe = pefile.PE('suspicious.exe')
print(f'Compiled: {pe.FILE_HEADER.TimeDateStamp}')
print(f'Imports:')
for entry in pe.DIRECTORY_ENTRY_IMPORT:
print(f' {entry.dll.decode()}')
for imp in entry.imports:
print(f' {imp.name.decode() if imp.name else imp.ordinal}')
"
# YARA scanning
yara -r rules/ suspicious.exeDynamic Analysis (Sandboxing)
# Run in isolated VM!
# Use snapshots, network isolation
# Process monitoring
# - Process Monitor (Windows) - File/Registry/Network activity
# - Process Hacker - Memory, handles, network
# Network monitoring
# - Wireshark - Full packet capture
# - FakeNet-NG - Simulate network services, capture traffic
# API monitoring
# - API Monitor - Windows API calls
# - x64dbg - Debugging with breakpoints
# Automated sandboxes:
# - Cuckoo Sandbox (self-hosted)
# - Any.Run (online)
# - Joe Sandbox (online)
# - Hybrid Analysis (online)
# Cuckoo submission
cuckoo submit suspicious.exe
cuckoo web # View results in web interfaceThreat Hunting
Proactive searching for threats that evaded detection.
Hunt Hypotheses
# Hypothesis-driven hunting examples:
# 1. "Attackers are using PowerShell for execution"
Search: Process creation with powershell.exe
Filter: Encoded commands (-enc), download cradles (IEX, WebClient)
Parent process anomalies (Word → PowerShell)
# 2. "There is unauthorized lateral movement"
Search: Type 3 logons to workstations
Filter: Source is not expected admin workstation
Time is outside business hours
Destination is sensitive system
# 3. "Persistence mechanisms have been installed"
Search: New scheduled tasks, services, registry run keys
Filter: Created in last 30 days
Not from approved software deployment
References suspicious paths/commands
# 4. "Data is being exfiltrated"
Search: Large outbound transfers
Filter: Destination not in approved list
Protocol anomalies (DNS TXT, ICMP payload)
Time-based patterns (regular intervals)SIEM Queries (Splunk Examples)
# PowerShell encoded command execution
index=windows EventCode=4688
| where like(CommandLine, "%-enc%") OR like(CommandLine, "%-encodedcommand%")
| stats count by ComputerName, ParentProcessName, CommandLine
# Potential credential dumping (lsass access)
index=windows EventCode=4663 ObjectName="*lsass*"
| stats count by SubjectUserName, ProcessName, ComputerName
# Kerberoasting detection
index=windows EventCode=4769 TicketEncryptionType=0x17
| stats count by ServiceName, ClientAddress
| where count > 5
# Unusual parent-child process relationships
index=windows EventCode=4688
| eval parent_child=ParentProcessName."->"NewProcessName
| where parent_child IN ("winword.exe->cmd.exe", "excel.exe->powershell.exe",
"outlook.exe->rundll32.exe")
# Beaconing detection (regular intervals)
index=network dest_ip=*
| bucket _time span=1m
| stats count by src_ip, dest_ip, _time
| eventstats stdev(count) as std, avg(count) as avg by src_ip, dest_ip
| where std < 1 AND avg > 0 # Very regular = suspicious