(Fios#03) 3. GRR Incident Response Framework

FORENSIC INSIGHT; DIGITAL FORENSICS COMMUNITY IN KOREA. GRR Rapid Response. demantos ([email protected], http://malwarel4b.blogspot.kr), Cho Hoon

Upload: insight-forensic

Post on 18-Jan-2017


TRANSCRIPT

Page 1: (Fios#03) 3. GRR Incident Response Framework

FORENSIC INSIGHT; DIGITAL FORENSICS COMMUNITY IN KOREA

GRR Rapid Response

demantos
[email protected]
http://malwarel4b.blogspot.kr
Cho Hoon

Page 2: Agenda

forensicinsight.org

▪ Forensic Acquisition & Analysis
▪ What is GRR Rapid Response
▪ Architecture
▪ Framework
▪ Flows
▪ Hunt
▪ Artifacts
▪ Timeline Visualization
▪ Demo
▪ Q&A

Page 3: Acquisition

▪ Traditional forensic acquisition steps
  • Shut down the target system
  • Remove the disks
  • Acquire a bit-for-bit copy of the drive
▪ Advantages
  • Preservation of digital evidence
  • Court-validated procedure, which enhances the admissibility of evidence
▪ Disadvantages
  • Time-consuming
  • Requires a trained forensic investigator
  • Increases the cost of imaging and the response time
  • Loss of important volatile evidence (memory, running processes, network connections) when the system is powered off

Page 4: Analysis

[Figure: two contexts for analysis, Investigation and Incident Response]

Page 5: Analyzing a Compromised System

Incident response: the questions that decide your approach
• Remote or local?
• Live (running system) or dead (offline image)?
• Is the target 1 to 10 systems, or more than 100?
• What about your company?

Page 6: What is GRR Rapid Response?

▪ GRR Rapid Response is an incident response framework focused on remote live forensics
  • Open source
  • Disk forensics (The Sleuth Kit)
  • Memory forensics (Rekall)
  • Scalable
  • Cross-platform support (Windows, Linux, OS X)

Page 7: GRR Architecture

[Architecture diagram] Clients talk to the Frontend HTTP Server. The frontend writes into the AFF4 data store, which holds the per-client queues, the Worker Queue (W:) and the Enroller Queue (E:). Workers and the Enroller consume those queues; analysts work through the Console and the Admin UI. The diagram shows a Mongo database as the data store backend.

Source: "Distributed Forensics and Incident Response in the Enterprise", Michael Cohen, Darren Bilby and Germano Caronni

Page 8: Data Model

▪ AFF4 - Advanced Forensics File Format
▪ Based on RDF or NoSQL models
  • Unique ID (AFF4 URN)
  • Sharded across many servers
  • RDF allows cross-referencing
▪ AFF4 examples (everything about a client lives under its URN)
  • aff4:/C.06d423b86ba45660 (the client object itself)
  • aff4:/C.06d423b86ba45660/fs/os/C:/Windows/System32/config/SAM (a file read through the OS API)
  • aff4:/C.06d423b86ba45660/fs/tsk/\\?\Volume{95ba5414-13dd-11e5-80b3-806e6f6e6963}/$MFT (a file read with The Sleuth Kit directly from the raw volume, bypassing the OS)
  • aff4:/C.06d423b86ba45660/registry/HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion (a registry key)

Page 9: GRR Rapid Response Framework

▪ GRR component overview
  • Client
  • Front-end servers
    ✓ decrypt POST requests from the client
    ✓ queue them until the final STATUS response is received
  • Data store
    ✓ Resource Description Framework (RDF)
    ✓ central storage component for data
    ✓ communication mechanism for all components
  • Console
    ✓ central application for the incident responder
  • Worker
    ✓ checks the queues in the data store for responses
    ✓ processes the data and re-queues new requests

Page 10: GRR Rapid Response Framework

▪ Communications
  • The server communicates with clients via Messages encrypted with AES-256 under a random session key and IV; the session key is encrypted to the recipient's RSA public key and the message is signed with the sender's RSA private key
  • Request: from server to client
  • Response: from client to server
  • Transport: HTTP

Page 11: GRR Rapid Response Framework

▪ Client enrolment
  • Threat to defend against: the client impersonation attack, where a rogue host claims the identity of an existing client
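Added example (not GRR's own code) of the property that defeats the impersonation attack: a client's ID is derived from its public key, so a host can only claim the ID that matches the key it can prove it holds. GRR names a client "C." followed by the hex of the first 8 bytes of SHA-256 over its public key, and the enroller refuses a certificate request whose common name does not match the key carried in that request. The key bytes and the in-memory registry below are constructed placeholders; the exact key serialization GRR feeds into the hash is not reproduced.

```python
import hashlib
import hmac

# Constructed stand-ins for the serialized RSA public keys of two hosts.
# Real GRR clients hash their actual RSA key; these bytes are placeholders.
LEGIT_PUBLIC_KEY = b"CONSTRUCTED-PUBLIC-KEY: legitimate client workstation"
ROGUE_PUBLIC_KEY = b"CONSTRUCTED-PUBLIC-KEY: attacker-controlled host"


def client_id_from_public_key(public_key_bytes):
    """Derive the client ID the way GRR does: 'C.' plus the first 8 bytes of
    SHA-256 over the public key, hex-encoded (18 characters in total)."""
    digest = hashlib.sha256(public_key_bytes).digest()
    return "C." + digest[:8].hex()


def enrol(claimed_id, public_key_bytes, registry):
    """Enroller check: the common name claimed in the CSR must equal the ID
    derived from the key in that CSR. On success the key is recorded in
    `registry` (a dict standing in for the data store) and True is returned."""
    expected = client_id_from_public_key(public_key_bytes)
    if not hmac.compare_digest(claimed_id, expected):
        return False
    registry[claimed_id] = public_key_bytes
    return True


def authenticate(client_id, public_key_bytes, registry):
    """Later traffic: the key a message is verified with must be the key
    enrolled for that client ID, never one supplied by the sender."""
    enrolled = registry.get(client_id)
    return enrolled is not None and hmac.compare_digest(enrolled, public_key_bytes)


def demo():
    """Enrol the legitimate host, then let a rogue host try to take its ID."""
    registry = {}
    legit_id = client_id_from_public_key(LEGIT_PUBLIC_KEY)
    legit_ok = enrol(legit_id, LEGIT_PUBLIC_KEY, registry)
    # Impersonation attempt: the rogue host claims the legitimate ID but can
    # only present its own key, so the derived ID does not match the claim.
    rogue_ok = enrol(legit_id, ROGUE_PUBLIC_KEY, registry)
    rogue_auth = authenticate(legit_id, ROGUE_PUBLIC_KEY, registry)
    return legit_id, legit_ok, rogue_ok, rogue_auth


if __name__ == "__main__":
    print(demo())
```

The check is only as strong as the proof of key possession behind it: in GRR that proof is the signature on the CSR and on every later message, which this example does not reproduce.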

Page 12: GRR Rapid Response Framework

▪ Flows
  • Server-side code entities that call client actions
  • Processed on the Workers

[Figure: a flow to copy a file from the client]

Page 13: GRR Rapid Response Framework

▪ Transmission of messages
  • The final response to every request is a Status message; until it arrives the request is still open

Page 14: GRR Rapid Response Framework

▪ Processing queues
  • W: the general-purpose worker queue
  • CA: the queue responsible for CA enrollment communications

Page 15: Flows

[Figure: GRR server resource usage (CPU, I/O, Socket) climbing to MAX]

Page 16: Flows

[Figure: second panel of the same resource chart (CPU, I/O, Socket at MAX on the GRR server)]

Page 17: Flows

▪ Flows were created to solve the resource hogging problem shown on the previous slides.
▪ Flows call client actions
▪ Completely asynchronous
  • A flow state is triggered by incoming responses from a client or from a sub-flow; nothing blocks waiting for a client

[Figure: Start new flows > Memory > AnalyzeClientMemory. States shown in the flow diagram: Start, RunPlugins, KcoreStatResult, StoreResult, End, DeleteFiles, LogDeleteFiles, UpdateProfile. The flow calls the client with the Rekall actions.]

Page 18: Flows

▪ Life of a flow (diagram columns: Worker Queue, Flow Queue, Client Queue, Frontend, Client)

1. The Admin UI creates the flow with StartFlow
2. CallClient creates Requests on the Flow Queue
3. CallClient copies the Requests to the Client Queue
4. The Client requests work
5. The Frontend sends the requests to the Client
6. The Client sends responses; the Frontend writes them to the Flow Queue
7. The Client sends a Status response to indicate completion
8. The Frontend notifies the Worker that responses are ready
9. The Worker reads the responses and runs the next flow state.

(Legend: processing, request, response)

Page 19: Hunt

▪ Found a suspicious file on one machine; do other machines have it?
▪ A hunt runs a flow on many machines at once
▪ Fleet check for
  • malicious code
  • abnormal behavior

[Image: Millennium Falcon on the Star Destroyer]

Page 20: Hunt

▪ Example: find an IIS web shell described in a report. The report gives two MD5s and a couple of strings from the .aspx file. Candidate hunt conditions, from broad to narrow:
  • C:\**100, Action=HASH
  • C:\**100.aspx, Content regex=pwnies
  • C:\Inetpub\**20.aspx, Content regex=pwnies, Size < 5 MB, Windows machines only, Action=Download
▪ Clients pick up new hunts when they check in with the foreman, every 10 minutes by default
  • Client.foreman_check_frequency
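The conditions on this slide, run as an added example (not GRR's FileFinder or hunt code) over a constructed Windows file system, with results keyed by the aff4:/C.<id>/fs/os/... URNs from page 8. The glob syntax is a simplification of GRR's: here "**N" must be its own path component and matches up to N directory levels, and "*" never crosses a separator. The web shell content, the file set and the "report" MD5 list are all constructed; the action names HASH, DOWNLOAD and STAT mirror the slide.

```python
import hashlib
import re

CLIENT_ID = "C.06d423b86ba45660"

# Constructed sample file system of one Windows client (path -> content).
WEBSHELL = b'<%@ Page Language="C#" %><% /* pwnies */ %>'
FAKE_FS = {
    r"C:\Inetpub\wwwroot\index.aspx": b"<%@ Page %>Hello",
    r"C:\Inetpub\wwwroot\images\cmd.aspx": WEBSHELL,
    r"C:\Windows\Temp\big.aspx": b"x" * (5 * 1024 * 1024) + b"pwnies",
    r"C:\Users\demantos\notes.txt": b"pwnies in notes, wrong extension",
}

# Constructed "report" hashes: the web shell's MD5 plus one unrelated hash.
KNOWN_BAD_MD5 = {hashlib.md5(WEBSHELL).hexdigest(),
                 "d41d8cd98f00b204e9800998ecf8427e"}


def glob_to_regex(pattern):
    """Translate a Windows glob to a regex. '**N' as a path component matches
    up to N directory levels (3 when N is omitted); '*' and '?' stay within one
    component. Treating '**N' as its own component is this example's rule."""
    regex = "^"
    for component in pattern.split("\\"):
        m = re.fullmatch(r"\*\*(\d*)", component)
        if m:
            regex += r"(?:[^\\]+\\){0,%d}" % int(m.group(1) or 3)
        else:
            regex += "".join({"*": "[^\\\\]*", "?": "[^\\\\]"}.get(c, re.escape(c))
                             for c in component) + r"\\"
    # Drop the trailing separator, or, if the glob ends in '**N', match a name.
    regex = regex[:-2] if regex.endswith(r"\\") else regex + r"[^\\]+"
    return re.compile(regex + "$", re.IGNORECASE)


def file_finder(rule, fs, client_id):
    """Apply one rule to a client's files. Returns (aff4 urn, value) pairs:
    the MD5 for HASH, the content for DOWNLOAD, the size otherwise."""
    pattern = glob_to_regex(rule["glob"])
    content, max_size = rule.get("content_regex"), rule.get("max_size")
    hits = []
    for path, data in sorted(fs.items()):
        if not pattern.match(path):
            continue
        if max_size is not None and len(data) >= max_size:
            continue
        if content and not re.search(content.encode(), data):
            continue
        urn = "aff4:/%s/fs/os/%s" % (client_id, path.replace("\\", "/"))
        if rule["action"] == "HASH":
            hits.append((urn, hashlib.md5(data).hexdigest()))
        elif rule["action"] == "DOWNLOAD":
            hits.append((urn, data))
        else:
            hits.append((urn, len(data)))
    return hits


def run_hunt(rule, fleet):
    """A hunt is the same rule run on every client; fleet maps client id -> fs."""
    return {cid: file_finder(rule, fs, cid) for cid, fs in fleet.items()}


HASH_RULE = {"glob": r"C:\**100\*.aspx", "content_regex": "pwnies", "action": "HASH"}
DOWNLOAD_RULE = {"glob": r"C:\Inetpub\**20\*.aspx", "content_regex": "pwnies",
                 "max_size": 5 * 1024 * 1024, "action": "DOWNLOAD"}


def known_bad_hits(fleet):
    """Cross-check the HASH hunt's results against the report's MD5 list."""
    return [(cid, urn) for cid, hits in run_hunt(HASH_RULE, fleet).items()
            for urn, md5 in hits if md5 in KNOWN_BAD_MD5]


if __name__ == "__main__":
    fleet = {CLIENT_ID: FAKE_FS}
    print(run_hunt(DOWNLOAD_RULE, fleet))
    print(known_bad_hits(fleet))
```

The size limit matters in practice: the 5 MB file matches the broad HASH rule (so it is still hashed and compared against the report) but is excluded from DOWNLOAD, which is what keeps a fleet-wide hunt from pulling gigabytes through the frontends.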

Page 21: Artifacts

▪ Define what to collect
▪ Define how to parse it
▪ Define what they produce
▪ Data only, no code
▪ YAML-based format
▪ https://github.com/ForensicArtifacts/artifacts

Page 22: Artifacts

▪ Artifacts vs. IOCs
  • IOC (carries logic): if a file named "temp.exe" contains the string "evil" or is signed by "stolen cert"
  • Artifact (purely data, no logic): HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run\*

Page 23: Artifacts

Two artifact definitions in the ForensicArtifacts YAML format:

name: SafariHistory
doc: Safari browser history (History.plist).
sources:
- type: FILE
  attributes:
    paths:
    - '%%users.localappdata%%\Apple Computer\Safari\History.plist'
    - '%%users.appdata%%\Roaming\Apple Computer\Safari\History.plist'
  supported_os: [Windows]
- type: FILE
  attributes:
    paths: ['%%users.homedir%%/Library/Safari/History.plist']
  supported_os: [Darwin]
labels: [Browser]
urls: ['http://www.forensicswiki.org/wiki/Apple_Safari']

name: WindowsSetupAPILog
doc: Windows setup API logs.
sources:
- type: FILE
  attributes: {paths: ['%%environ_systemroot%%\setupapi.log']}
  conditions: [os_major_version < 6]
- type: FILE
  attributes:
    paths:
    - '%%environ_systemroot%%\inf\setupapi.app.log'
    - '%%environ_systemroot%%\inf\setupapi.dev.log'
    - '%%environ_systemroot%%\inf\setupapi.offline.log'
  conditions: [os_major_version >= 6]
labels: [Logs]
supported_os: [Windows]
urls: ['http://www.forensicswiki.org/wiki/Setup_API_Logs']

(Every placeholder is delimited by %% on both sides; the conditions select the pre-Vista path or the Vista-and-later paths by the client's OS major version.)

Page 24: Artifacts

▪ Knowledge Base interpolation: %%name%% placeholders in artifact paths are replaced with values from the client's knowledge base before collection
  • %%environ_allusersprofile%% -> C:\Documents and Settings\All Users
  • %%environ_systemroot%% -> C:\Windows
  • users.* fields expand once for every user account on the machine, so one path becomes many, e.g. %%users.appdata%% ->
    C:\Documents and Settings\demantos\AppData\Roaming
    C:\Documents and Settings\testuser\AppData\Roaming
    C:\Documents and Settings\hellboy\AppData\Roaming

https://github.com/google/grr/blob/master/proto/knowledge_base.proto
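The interpolation above and the conditions in the WindowsSetupAPILog artifact from page 23, as an added example that is not GRR's artifact collector. The knowledge base is a constructed dict (the SIDs and paths are made up), the artifact is the slide's YAML transcribed into a Python dict, and the condition grammar is limited to "field op number". The behaviour worth noting is the fan-out over users.* fields and what happens when a value is missing: the path is dropped rather than collected with a bogus literal "%%...%%" in it.

```python
import operator
import re

TOKEN = re.compile(r"%%([a-z_]+(?:\.[a-z_]+)?)%%")
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

# Constructed knowledge base for one Windows XP client (SIDs are made up).
KB_XP = {
    "os": "Windows",
    "os_major_version": 5,
    "environ_systemroot": r"C:\Windows",
    "environ_allusersprofile": r"C:\Documents and Settings\All Users",
    "users": [
        {"username": "demantos", "sid": "S-1-5-21-1000000001-2000000002-3000000003-1001",
         "appdata": r"C:\Documents and Settings\demantos\Application Data"},
        {"username": "testuser", "sid": "S-1-5-21-1000000001-2000000002-3000000003-1002",
         "appdata": r"C:\Documents and Settings\testuser\Application Data"},
        # hellboy has a SID but no appdata entry: paths using it are skipped.
        {"username": "hellboy", "sid": "S-1-5-21-1000000001-2000000002-3000000003-1003"},
    ],
}
KB_WIN7 = dict(KB_XP, os_major_version=6)

# The WindowsSetupAPILog artifact from the slides, transcribed to a dict.
WINDOWS_SETUPAPI_LOG = {
    "name": "WindowsSetupAPILog",
    "supported_os": ["Windows"],
    "sources": [
        {"type": "FILE",
         "attributes": {"paths": [r"%%environ_systemroot%%\setupapi.log"]},
         "conditions": ["os_major_version < 6"]},
        {"type": "FILE",
         "attributes": {"paths": [r"%%environ_systemroot%%\inf\setupapi.app.log",
                                  r"%%environ_systemroot%%\inf\setupapi.dev.log",
                                  r"%%environ_systemroot%%\inf\setupapi.offline.log"]},
         "conditions": ["os_major_version >= 6"]},
    ],
}


def interpolate(path, kb):
    """Expand %%name%% tokens. Scalar fields substitute once; users.* fields
    fan out to one path per user, every users.* token in a path referring to
    the same user. A path with an unknown or missing value is dropped."""
    names = set(TOKEN.findall(path))
    per_user = any(n.startswith("users.") for n in names)
    candidates = [dict(kb)] if not per_user else [
        {**kb, **{"users." + k: v for k, v in user.items()}} for user in kb["users"]]
    results = []
    for values in candidates:
        if all(n in values for n in names):
            results.append(TOKEN.sub(lambda m: str(values[m.group(1)]), path))
    return results


def check_condition(condition, kb):
    """Evaluate 'field op number' against the knowledge base."""
    m = re.fullmatch(r"\s*(\w+)\s*(<=|>=|==|!=|<|>)\s*(\d+)\s*", condition)
    field, op, value = m.groups()
    return OPS[op](kb[field], int(value))


def expand_artifact(artifact, kb):
    """Return the concrete paths this client should collect for the artifact."""
    if kb["os"] not in artifact.get("supported_os", [kb["os"]]):
        return []
    paths = []
    for source in artifact["sources"]:
        if not all(check_condition(c, kb) for c in source.get("conditions", [])):
            continue
        for path in source["attributes"]["paths"]:
            paths.extend(interpolate(path, kb))
    return paths


if __name__ == "__main__":
    print(expand_artifact(WINDOWS_SETUPAPI_LOG, KB_XP))
    print(expand_artifact(WINDOWS_SETUPAPI_LOG, KB_WIN7))
    print(interpolate(r"HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run\*", KB_XP))
```

Dropping paths with unknown values is the safe default for a fleet-wide collection: a literal "%%users.appdata%%" sent to the client would at best waste a request and at worst match nothing silently, hiding the fact that the knowledge base was incomplete.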

Page 25: Timeline Visualization

▪ GRR + GRR Fuse + Plaso + Timesketch

Pipeline: Collect artifacts (GRR agents) -> Mount from the data store (GRR data store, FUSE mount) -> Extract timestamps (Plaso processing) -> View results (Elasticsearch, Timesketch)

Page 26: Demo

▪ Collect artifacts
▪ View the file system
▪ View browser history
▪ Process list
▪ GRR + GRR Fuse + Plaso + Timesketch

Page 27: Question and Answer