Expanding Response: Deeper Analysis for Incident Handlers
Russ McRee
November 2011
GIAC GCIH Gold, GCFA, GCIA, GPEN, GWAPT, GSEC Gold
SANS Technology Institute - Candidate for Master of Science Degree

Objective
• Expand incident response tactics beyond common horizons
• Sample overview: SpyEye
• Demonstrate tools for an expanded toolkit
  – Volatility 2.0
  – Xplico
  – Maltego
  – Confessor
• Summary

Broaden IR perspective
• Opportunities to enhance IR tactics via:
  – Memory analysis (Volatility)
  – Network forensic analysis tooling (Xplico)
  – Deriving relationships between disparate entities (Maltego)
  – Analysis of systems at scale with uniform results (Confessor, MOLE)
• Review the sample's attributes with all tools

Sample Overview
• Trojan.SpyEye
  – MD5: 00b77d6087f00620508303acd3fd846a
• Modifies the registry:
  – [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  – cleansweep.exe = "C:\cleansweep.exe\cleansweep.exe"
• Creates the directory C:\cleansweep.exe
  – Populates it with the .exe and a config file

Volatility 2.0
• For the extraction of digital artifacts from a volatile memory image
• "A Python version of the Windows Internals book, since you can really learn a lot about Windows by just looking at how Volatility enumerates evidence." - Michael Hale Ligh

Volatility 2.0
• Gather image info:
  – vol.py imageinfo -f HIOMALVM02.raw
• Network connections:
  – vol.py --profile=WinXPSP3x86 connscan -f HIOMALVM02.raw
• Active processes:
  – vol.py --profile=WinXPSP3x86 pslist -P -f HIOMALVM02.raw

Volatility 2.0
• Process tree:
  – vol.py --profile=WinXPSP3x86 pstree -f HIOMALVM02.raw
• Discover malware attributes:
  – vol.py --profile=WinXPSP3x86 -f HIOMALVM02.raw malfind -p 1512 -D output/
• Demonstration

Xplico
• Xplico decodes packet captures (PCAP), extracting the likes of:
  – Email content (POP, IMAP and SMTP)
  – HTTP content
  – VoIP calls (SIP)
  – IM chats
  – FTP
  – TFTP

Xplico
• Demo: SpyEye PCAP analysis

Maltego
• Maltego: open source intelligence and forensics application offering extraordinary data mining and intelligence gathering capabilities
• Results are well represented in a variety of easy-to-understand views
• In concert with its graphing libraries, Maltego identifies key relationships between data sets and surfaces previously unknown relationships between them

Maltego
• PCAPs can be converted to CSV and then imported directly by Maltego
• tcpdump -vttttnnelr SpyEye.pcap | /usr/local/bin/tcpdump2csv.pl "sip dip dport" > SpyEye.csv
  produces a CSV that Maltego can consume easily

Maltego
• Demo: IP address relationships

Confessor
• Confessor collects from hundreds or thousands of systems simultaneously via Sysinternals:
  – System logs
  – Volatile data
  – User and account information
  – MAC times
• Can run SecCheck on 32-bit systems
• Searches for registry keys and the existence of specific files

Confessor
• Confessor configuration optimized for specific registry keys and file checks

Summary
• Tools offered to enhance the incident handler toolkit and address challenges
• Takeaways:
  – Tool to scale
  – Seek unique opportunities to correlate
  – Build what you can't buy or borrow
• Q&A: russ at holisticinfosec dot org
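The tcpdump-to-CSV step on the Maltego slide, as an added Python example that is not part of the presentation and is not the tcpdump2csv.pl script it uses: it pulls the endpoint pair out of tcpdump -vttttnnel style output lines (the sample lines below are constructed, not the SpyEye capture) into the "sip dip dport" columns Maltego can import, deduplicating repeated flows and skipping non-IP frames such as ARP.

```python
import csv
import io
import re

# Constructed sample lines in the shape `tcpdump -vttttnnel` prints (not a real
# SpyEye capture): timestamp, MACs, ethertype, IP header details, then
# "srcIP.srcPort > dstIP.dstPort:" for TCP/UDP. The last line is ARP.
SAMPLE_TCPDUMP = """\
2011-11-01 10:15:02.113401 00:0c:29:1a:2b:3c > 00:50:56:e0:11:22, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 128, id 4102, offset 0, flags [DF], proto TCP (6), length 60) 192.168.56.101.1042 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0
2011-11-01 10:15:02.120899 00:50:56:e0:11:22 > 00:0c:29:1a:2b:3c, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto TCP (6), length 60) 203.0.113.10.80 > 192.168.56.101.1042: Flags [S.], seq 1, ack 2, win 5840, length 0
2011-11-01 10:15:03.004511 00:0c:29:1a:2b:3c > 00:50:56:e0:11:22, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 128, id 4103, offset 0, flags [DF], proto UDP (17), length 68) 192.168.56.101.1043 > 192.168.56.2.53: 1234+ A? example.invalid. (32)
2011-11-01 10:15:04.511000 00:0c:29:1a:2b:3c > 00:50:56:e0:11:22, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 128, id 4104, offset 0, flags [DF], proto TCP (6), length 60) 192.168.56.101.1044 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0
2011-11-01 10:15:05.000000 00:0c:29:1a:2b:3c > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.56.2 tell 192.168.56.101, length 28
"""

# IPv4 endpoint pair "a.b.c.d.port > e.f.g.h.port:"; ARP and other non-IP
# lines never match and are skipped.
_FLOW_RE = re.compile(
    r"(?P<sip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d{1,5}) > "
    r"(?P<dip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d{1,5}):"
)

def extract_flows(tcpdump_text, fields=("sip", "dip", "dport")):
    """Return the unique tuples of the requested fields, in first-seen order."""
    rows = {}  # dict used as an insertion-ordered set
    for line in tcpdump_text.splitlines():
        m = _FLOW_RE.search(line)
        if m:
            rows.setdefault(tuple(m.group(f) for f in fields), None)
    return list(rows)

def flows_to_csv(tcpdump_text, fields=("sip", "dip", "dport")):
    """Header row plus one row per unique flow, ready for Maltego's CSV import."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(fields)
    writer.writerows(extract_flows(tcpdump_text, fields))
    return buf.getvalue()

if __name__ == "__main__":
    print(flows_to_csv(SAMPLE_TCPDUMP), end="")
```

Adding "sport" to the field list keeps the per-connection detail that the three-column form deliberately collapses, so the same input yields four rows instead of three.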