Forensic Environment Setup

📘 BTFM

This is an attempt to collect all the most frequently used commands for forensic analysis.

Collection and Analysis

There are numerous tools available for collecting and analysing artefacts and evidence. I will provide an overview, relevant links, or even comparison charts, depending on the tools.

Kansa and Autoruns

Run a tool that collects all the autostart artefacts for the OS in question (for example, autorunsc.exe, the Autoruns command-line version, for Windows) on the machines under investigation. I use CSV output whenever possible because it can be imported into a SIEM, Timeline Explorer (Windows) or Numbers/Excel/Google Sheets. I prefer the last option because its pivoting functionality is much easier to use.

  1. Open each file (if there are not too many).
  2. Filter for untrusted or missing vendors. Vendor names such as Google and Firefox might be used to trick the user; such an entry would look like `(Not verified) Firefox`.
  3. Show the enabled entries (if applicable).
  4. Look at the image path, and use the SANS Find Evil poster or your baseline system profile as a known-good reference to spot what's bad.
  5. Look at the hashes and check them against known-good.
  6. Check with a supernova, and Google the Publisher and Description values.
  7. Frequency analysis. What stands out? (see the following sections). Find possibly suspicious or malicious entries.
  8. Check the triage files from other machines for the same IoCs (Select-String, grep, etc.).
  9. Stacking (frequency-based outlier analysis). What stands out?

🗒 If the entry has no image path (File not found), the binary was likely moved or deleted and is therefore not an active threat. What's suspicious?
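The filtering and stacking steps above, as an added example that is not part of the original notes: it reads a constructed, trimmed subset of the columns an Autoruns CSV export contains (the column names, the `(Verified)`/`(Not verified)` signer prefix, the `enabled`/`disabled` values and the `File not found:` image-path marker are assumptions about that format), keeps enabled entries with an unverified signer whose image still exists, and then stacks image paths and hashes across hosts so that values seen on only one machine stand out. Hostnames, paths and hashes are made up.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data: a trimmed subset of the columns an Autoruns CSV
# export carries, one export per host. Hostnames, paths and hashes are made
# up for this example. Assumptions: Signer values carry a "(Verified)" /
# "(Not verified)" prefix, Enabled is "enabled"/"disabled", and a deleted
# binary is reported as "File not found: <path>".
SAMPLE_EXPORTS = {
    "WS01": r"""Entry Location,Entry,Enabled,Category,Description,Signer,Company,Image Path,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,aaaa1111
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,Firefox Updater,(Not verified) Firefox,Mozilla,c:\users\bob\appdata\roaming\updater.exe,deadbeef
Task Scheduler,\Cleanup,enabled,Tasks,Cleanup,(Not verified) Contoso,Contoso,File not found: c:\temp\clean.exe,
""",
    "WS02": r"""Entry Location,Entry,Enabled,Category,Description,Signer,Company,Image Path,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,aaaa1111
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Agent,enabled,Logon,Contoso Agent,(Verified) Contoso Ltd,Contoso,c:\program files\contoso\agent.exe,bbbb2222
""",
    "WS03": r"""Entry Location,Entry,Enabled,Category,Description,Signer,Company,Image Path,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,aaaa1111
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Agent,enabled,Logon,Contoso Agent,(Verified) Contoso Ltd,Contoso,c:\program files\contoso\agent.exe,bbbb2222
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OldTool,disabled,Logon,Old tool,(Not verified) Someone,,c:\tools\old.exe,cccc3333
""",
}


def load_exports(exports):
    """Parse each host's CSV text into dict rows tagged with the host name."""
    rows = []
    for host, text in exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            row["Host"] = host
            rows.append(row)
    return rows


def is_verified(row):
    return row["Signer"].startswith("(Verified)")


def image_missing(row):
    # A moved/deleted binary is reported as "File not found: <path>" (assumed format)
    return row["Image Path"].startswith("File not found")


def triage(rows):
    """Steps 2-3 plus the 'File not found' note: enabled entries whose signer
    is unverified or missing and whose image still exists on disk."""
    return [
        r for r in rows
        if r["Enabled"].lower() == "enabled"
        and not is_verified(r)
        and not image_missing(r)
    ]


def stack(rows, column):
    """Stacking: count on how many hosts each distinct value of `column`
    appears. Values present on few hosts are the outliers worth a closer look."""
    hosts_by_value = defaultdict(set)
    for r in rows:
        value = r[column].lower()
        if value:  # skip empty hashes (e.g. image not found)
            hosts_by_value[value].add(r["Host"])
    return sorted(
        ((value, len(hosts)) for value, hosts in hosts_by_value.items()),
        key=lambda item: (item[1], item[0]),
    )


def outliers(rows, column, max_hosts=1):
    """Values of `column` seen on at most `max_hosts` hosts."""
    return [value for value, n in stack(rows, column) if n <= max_hosts]


if __name__ == "__main__":
    rows = load_exports(SAMPLE_EXPORTS)
    print("Enabled, unverified, image present:")
    for r in triage(rows):
        print(f"  {r['Host']}: {r['Entry']} -> {r['Image Path']} [{r['Signer']}]")
    print("\nImage Path stacking (hosts per value):")
    for value, n in stack(rows, "Image Path"):
        print(f"  {n:>2}  {value}")
    print("\nSHA-256 values seen on a single host:", outliers(rows, "SHA-256"))
```

The same `stack()` call works for any column (Entry, Launch String, Signer), which is how the "what stands out?" question is answered in practice: the more hosts a collection covers, the more a single-host value deserves a look, and a hash found on one machine but absent from the known-good baseline is exactly what step 5 asks for.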

AWS Forensic Environment Setup

First of all, data collected for analysis within the cloud needs to be handled properly as well.

Forensic Frameworks

Here I will keep the list of useful tools for forensics, their advantages and disadvantages.

Forensics Machine Setup

This is about … .