Collection and Analysis

Created: 09.06.2023

There are numerous tools available for collecting and analysing artefacts and evidence. I will provide an overview, relevant links, or even comparison charts, depending on the tools.

Kansa

โ—๏ธWindows only โ—๏ธNot for forensic acquisition โœ๐Ÿป IR and TH

This tool is used primarily for artefact collection. However, it has been improved over the years and can also help with initial triage, and it has been extended to allow scaling (distributed Kansa).

While Kansa heavily relies on PowerShell, its capabilities extend beyond PowerShell cmdlets. Kansa is a flexible and modular tool: the Modules folder contains all the available modules, and each can be turned on or off in Modules.conf.

F-Response

โ—๏ธDoesn’t scale well โœ๐Ÿป Triage imaging, artefact post-processing

Since it works on raw disk data, file locking can be circumvented. Multiple examiners can work simultaneously. Supports Windows, Apple, some FreeBSD, Linux and even Android. The examiner creates an agent for the target system, deploys it, and then connects to the machine from the forensics workstation.

KAPE

โ—๏ธWindows only

KAPE is cool (Eric Z.); it preserves all metadata and even keeps audit logs - super forensically sound. Shadow copies and ADS are also supported. Removes duplicates based on the hash. Sends data over SFTP. Customisable and portable.

kape.exe --tsource F --target configfile --tdest \output\path

Add --vss to include volume shadow copies; --vhdx or --vhd writes the output into a virtual hard drive container.
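The hash-based deduplication, timestamp preservation and audit log that KAPE performs are shown below in an added Python example (standard library only; this is not KAPE's own code), run over a constructed sample tree:

```python
import hashlib, json, os, shutil, tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def collect(source: Path, dest: Path) -> dict:
    """Copy every file under source into dest, keeping the relative path and
    the original timestamps (copy2), skipping byte-identical duplicates by
    SHA-256, and writing an audit log of every file examined."""
    dest.mkdir(parents=True, exist_ok=True)
    seen = {}  # sha256 -> relative path of the copy already taken
    log = []
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel, st = src.relative_to(source), src.stat()
        digest = sha256_file(src)
        entry = {"path": str(rel), "sha256": digest, "size": st.st_size,
                 "mtime_ns": st.st_mtime_ns}
        if digest in seen:
            entry.update(action="skipped_duplicate", duplicate_of=seen[digest])
        else:
            out = dest / rel
            out.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, out)  # copy2 also copies mtime/atime and mode bits
            seen[digest] = str(rel)
            entry["action"] = "copied"
        log.append(entry)
    (dest / "collection_log.json").write_text(json.dumps(log, indent=2))
    return {"copied": len(seen), "duplicates": len(log) - len(seen), "log": log}

def demo() -> dict:
    """Constructed sample tree: three files, two of them byte-identical."""
    root = Path(tempfile.mkdtemp())
    src, dst = root / "evidence", root / "out"
    (src / "Prefetch").mkdir(parents=True)
    (src / "Prefetch" / "CMD.EXE-1.pf").write_bytes(b"prefetch-a")
    (src / "Prefetch" / "CMD.EXE-2.pf").write_bytes(b"prefetch-a")  # duplicate
    (src / "ntuser.dat").write_bytes(b"hive")
    os.utime(src / "ntuser.dat", (1_600_000_000, 1_600_000_000))
    result = collect(src, dst)
    result["mtime_preserved"] = int((dst / "ntuser.dat").stat().st_mtime) == 1_600_000_000
    return result
```

The log keeps a record of the skipped duplicate and which copy it matched, so nothing is silently dropped from the chain of custody.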

Velociraptor

โ—๏ธWindows, macOS and Linux โ—๏ธUpdated often โœ๐Ÿป Triage imaging, IR and TH

It scales really well. You can run VQL queries. Deployment via WebUI, CLI or API. Can be used as a monitoring or analysis tool. Consists of client and server parts. Velociraptor artefacts are preconfigured VQL queries. Some examples of artefacts: Filesystem Timeline, MFT, $I30, YARA scanning, Prefetch Timeline, Netstat, ARP, Processes, DLLs, Event logs, DNS queries, SRUM, BAM, UserAssist, etc.

Hunts (active queries used for threat hunting) live for 7 days.

EDR

โ—๏ธ70% of breached originate on the endpoint.

Threat hunting (anomaly detection and manual) and IR. Agents send data to a central repository. EDRs usually have direct access to RAM (like a rootkit).

โ—๏ธOne can circumvent the EDR when booting into safe mode.

References

https://docs.velociraptor.app/