Helpful Navigation Toolbar

Tuesday, February 4, 2014

Automating Initial Data Gathering for Windows Live Response

This blog post will cover something that I have often encountered throughout my career in the DFIR field and my (small) contribution to try to alleviate the issue. The typical commercial incident response scenario kind of follows this order:

1) Receive frantic call along the lines of "we have been hacked"
2) Calm <client> down, try to determine what all they know
3) Ask <client> what the size of their environment is
4) Explain size will likely determine cost/length of engagement
5) Attempt to have client do initial data gathering of volatile data 
6) ..... <awkward silence>

Well, good news everyone!! I've been working for quite some time on trying to automate the initial data gathering in a client environment and I finally think it is ready to be widely shared, especially since it is just a collection of tools and a batch script that runs the tools. I present to you <drum roll please> ... the Windows Live Response collection!

That is right! Now, you can simply send your client a zip file or point them to a download link, have them put the file(s) onto an external drive of some sort, let them run the batch script, and allow them to sit back as the data is gathered automagically! I am quite sure that there are similar programs out there, I know Michael Ahrendt did quite a bit of work on Triage-IR in the past, and I am sure that some of you may have something similar, so by no means am I trying to re-invent the wheel. I am merely sharing what I have been working on automating/collecting during my incident response process. The batch script automates the collection/creation of:

  • Memory dump (using Belkasoft RAM Capture) (if run with Admin privileges)
  • Prefetch file copying (if run with Admin privileges)
  • Network connections
  • Default gateway correlation (more on this in a future blog post)
  • System versions
  • Time/date settings
  • Running processes
  • Loaded dlls
  • Runs (and cleans up after) some SysInternals tools
  • And many, many more! - download here 

MD5: 8603e36be474e8b69c652e5dc86adc2e
SHA-256: ec79422ce2e7218a7bc57b0caf52a5eae2eca98810ac466dddac1115aade493e 

Updated: December 12, 2016

(Thanks to @The_IMOL for pointing out I didn't include the hashes for comparison sake!)

Outside of the tools the scripts uses, I also included several other utilities including PeStudio from Marc Ochsenmeier. Once again, please feel free to add additional tools/methods as you see fit!

Fortunately, the collection comes with the "Compromised Windows System Live Data Gathering Checklist" which details each of the commands, and the command syntax, that the script runs. (ONE IMPORTANT NOTE: In order to run nmap, winpcap is installed on the system. I originally included the script to uninstall it, but that requires user interaction, which I wanted to limit. You can take it out if you wish, or you can uninstall it manually (or keep it on there for future use, the choice is up to you.)) 

My typical usage scenario is I first put the tools on an external drive, usually a large capacity flash drive, or if I am also going to create a disk image, an external USB hard drive. (If the system is using Comodo or other sandbox/isolating AV, I will ensure that it is not sandboxed/isolated)(I love that Comodo tries to protect me from myself!) Then I run the script either as Administrator or with normal privileges (which the script determines for you), and then sit back while the data collection happens. I've had the best success using the Belkasoft RAM Capture tool, as I highlighted in my RAM collection tool post, plus it is free and works on every Windows system that I have ever encountered, including Windows 8.1.

I did not attempt to conceal what the script does or anything like that and would very much enjoy hearing additional items to include, exclude, or hearing about modifications that you make to it in order to make it more suited for your environment. 

My eventual goal is to include all of the executables themselves in this collection, so if for example "ipconfig.exe" has been replaced with a malicious executable, you don't have to worry about additional issues. I would also like to create a script that parses through the results of the data and attempts to identify possible areas of interest to focus on (more on that in a future post too, specifically Prefetch files). I am also working on creating similar scripts/collections for the OSX and *nix environments, but since I encounter Windows more often than the other operating systems, I decided to focus my efforts more on the Windows side, for now.

I chose the Mega site for hosting this download because it has the widest available "free" bandwidth that I could find (10GB every 30 minutes). I used this script while running through my Target malware research as well as several "real-world" cases that I have worked. I have been tweaking and making adjustments ever since the first basic version I threw together, and based off of feedback will continue to add new features and make improvements.

I want to again thank Mari DeGrazia and Adrian Leong for the extensive testing that they performed on this script and dealing with my emails and chats at odd hours with bug/issue fixes. By all means please feel free to make any changes and/or modifications to the script and add any additional tools that you want. If you would like to know a little bit more there are plenty of great resources, one of the online resources that was recommended to me was Rob van der Woude's Batch scripting pages.

I hope that you find this post and the tool useful and insightful. If you have any questions/comments/feedback/grumblings/gripes/etc. please feel free to reach out to me through the comments, drop me an email, or however you with to communicate! This collection will also be one of the topics that I will be discussing on this weeks Forensic Lunch, so be sure to tune in on Friday afternoon!

No comments:

Post a Comment