CompTIA CYSA+ CS0-002 – Analyzing Application-related IOCs Part 2

  1. New Accounts (OBJ 4.3)

New accounts. In this lesson we’re going to talk more about new accounts, because creating rogue accounts is one of the ways attackers give themselves persistence. This allows an adversary to maintain access to your systems once they’ve broken in, and so an unexplained new account is a dead giveaway as an indicator of compromise that you have been had. For example, when an attacker gains access to a system on your network, one of the first things they will do is try to create additional accounts on that system. This way they know they will be able to maintain access, because they’ll have multiple user accounts or even administrator accounts, with usernames and passwords they control, that they can use for further attacks.

So one of the things you need to do is check whether any accounts have been created. This means you should be checking for account creation, and all account creation should be subject to a monitored change control process to mitigate the creation of rogue accounts. That way, even if an attacker does create a rogue account, it will be quickly caught and identified. There are lots of different tools to help you do this, known as account and session management tools. For example, you could use Local Users and Groups, a Windows tool used for the management of local accounts on a system. So if you’re dealing with a standard Windows 10 desktop computer, you can go into Local Users and Groups and look through all of the accounts and groups on that system.

If you see any that you don’t recognize, that could be an indication that an attacker has gotten into that system and created a new account. Another tool you can use is Active Directory Users and Computers, a Windows tool used for the management of accounts on a domain controller, known as a DC; in Windows this is Active Directory. When you open it, it looks a lot like the Local Users and Groups tool we just talked about, except that it works across the entire domain. In my sample domain I only have 19 objects, or 19 accounts, but in a real enterprise domain you may have hundreds, thousands or even hundreds of thousands of users, and so identifying new accounts is going to be much more challenging than on a system like this where there are only 19.

That being said, it is still important for you to have some method to control account creation and some form of monitoring over time to review all the new accounts that have been created and whether or not they were authorized. Additionally, I want you to remember that accounts can also be created from the command line; you don’t have to use these graphical tools. You can use the net commands, the Windows Management Instrumentation Command-line known as WMIC, or PowerShell. All of these are ways you can create accounts on a Windows system. On Linux there are a couple of tools for session management too, such as who, w and rwho.

All of these are Linux tools for session management. who is the first one we’re going to talk about. who is a Linux command that shows which users are logged in, which terminal teletypes (TTYs) they have active, and the date and time they logged in. This is really useful as you’re going through and doing your adversary hunting. w displays the same basic information as who, but it also returns the remote host if one is being used, how long the account has been idle, the name of the process the account is actively running, the execution time of each process, and more information like that. Finally we have rwho, which displays the same basic information as who, but it runs on a client-server architecture, so it gives you even more details, especially if you’re in more of an enterprise environment.

All three of these commands, who, w and rwho, are useful as you’re trying to track down malicious users on your systems. The next command I want to talk about is lastlog. lastlog retrieves the logon history from the /var/log/lastlog file and displays the account name, the TTY, the remote host and the last time the user logged in. Here you can see an example of lastlog on the screen. When you type lastlog, you get all the usernames, the ports they’re using, the IP address they connected from, and their latest login. So you can see here that the root user connected on port 1 from 1048.1.7, and the last connection was on July 7.

Another command we might use is faillog. This is a Linux command that displays only authentication failures. This is really helpful if you’re trying to identify somebody who has been password guessing as they try to get into additional user accounts or administrative accounts on your systems. If you use faillog, it looks something like this. Notice here I’m looking for all the failures for a particular user, in this case bruce, and you can see there were no failures and we haven’t reached the maximum limit yet.

In addition to doing it this way, you can do it the way I showed you in a previous lesson: go through your authentication log and look for terms like failed or failure. Again, this is a much more accurate way of doing it, and a much easier way to apply across all of your systems, because you can run scripts built around that type of grep command. Either way you want to do it is okay, but you should be aware that there are multiple ways to accomplish any goal, and as you get better at doing this in the real world, you’re going to find the ways that work best for you as part of your own tactical processes.
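The scripted approach just described, as an added example that is not code from the lesson: a small Python script that scans syslog-style auth log lines for two of the indicators this lesson covers, account creation by useradd (checked against a change-control approved list) and repeated failed logins per user and source address. The log lines, hostnames, usernames and addresses are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample auth log lines (not from the lesson). The layout follows
# the syslog-style messages that useradd, usermod and sshd normally write.
SAMPLE_AUTH_LOG = """\
Jul  7 09:12:01 host1 useradd[2201]: new user: name=bruce, UID=1001, GID=1001, home=/home/bruce, shell=/bin/bash
Jul  7 09:12:02 host1 usermod[2204]: add 'bruce' to group 'sudo'
Jul  7 09:15:44 host1 sshd[2310]: Failed password for bruce from 10.0.0.5 port 51522 ssh2
Jul  7 09:15:49 host1 sshd[2310]: Failed password for bruce from 10.0.0.5 port 51522 ssh2
Jul  7 09:15:52 host1 sshd[2310]: Accepted password for bruce from 10.0.0.5 port 51522 ssh2
Jul  7 21:03:10 host1 sshd[4001]: Failed password for invalid user admin from 203.0.113.9 port 40110 ssh2
Jul  7 21:03:12 host1 sshd[4001]: Failed password for invalid user admin from 203.0.113.9 port 40110 ssh2
Jul  7 21:03:15 host1 sshd[4001]: Failed password for invalid user admin from 203.0.113.9 port 40110 ssh2
Jul  7 21:04:30 host1 useradd[4102]: new user: name=svc_backup, UID=1002, GID=1002, home=/home/svc_backup, shell=/bin/bash
Jul  7 21:04:31 host1 usermod[4105]: add 'svc_backup' to group 'sudo'
"""

# Timestamp, host and the useradd "new user" message.
NEW_USER_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) useradd\[\d+\]: new user: name=(\w+), UID=(\d+)")
# useradd/usermod group membership changes.
GROUP_ADD_RE = re.compile(r"(?:useradd|usermod)\[\d+\]: add '(\w+)' to group '(\w+)'")
# sshd failures; "invalid user" appears when the name does not exist at all.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\w+) from ([\d.]+)")


def find_new_accounts(log_text, approved):
    """Accounts created by useradd that are not on the change-control approved list."""
    rogue = []
    for line in log_text.splitlines():
        m = NEW_USER_RE.search(line)
        if m and m.group(3) not in approved:
            rogue.append({"time": m.group(1), "host": m.group(2),
                          "user": m.group(3), "uid": int(m.group(4))})
    return rogue


def find_privileged_group_adds(log_text, privileged=("sudo", "wheel", "admin", "root")):
    """(user, group) pairs where an account was added to a privileged group."""
    found = []
    for line in log_text.splitlines():
        m = GROUP_ADD_RE.search(line)
        if m and m.group(2) in privileged:
            found.append((m.group(1), m.group(2)))
    return found


def count_failures(log_text):
    """Failed logins per (user, source address), like grepping the log for 'Failed'."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts


def failures_over_limit(log_text, limit=3):
    """(user, source) pairs at or above the failure limit, like faillog's maximum."""
    return sorted(key for key, n in count_failures(log_text).items() if n >= limit)


if __name__ == "__main__":
    approved = {"bruce"}  # names authorized through change control (constructed)
    for acct in find_new_accounts(SAMPLE_AUTH_LOG, approved):
        print("ROGUE ACCOUNT:", acct)
    for user, group in find_privileged_group_adds(SAMPLE_AUTH_LOG):
        print(f"PRIVILEGED GROUP ADD: {user} -> {group}")
    for user, src in failures_over_limit(SAMPLE_AUTH_LOG):
        print(f"PASSWORD GUESSING? {user} from {src}")
```

To run it against a real system, read /var/log/auth.log (or /var/log/secure) into log_text and populate the approved set from your change-control records.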

  2. Virtualization Forensics (OBJ 4.3)

Virtualization forensics. In previous lessons we’ve talked about forensics, and from your Security+ and A+ studies you should know all about virtualization. In this lesson we’re going to put the two together, because when we deal with applications, they are often being run inside some sort of containerization or virtualization environment. Virtualization presents numerous security challenges that we have to mitigate as cybersecurity analysts or cybersecurity engineers. Some of these challenges include process and memory analysis, persistent data acquisition, file carving of deleted VM disk images, and lost system logs. Let’s talk about each of these in this lesson. First, process and memory analysis.

This can be performed by VM introspection or by analyzing save state files. What does this mean? VM introspection, or VMI, uses tools installed inside the hypervisor to retrieve pages of memory for later analysis. There are also programs inside the VM that can provide information about other processes in it; this information may be sent through a network interface or some other virtual device, like a serial port. There are lots of examples of this type of program. For instance, WinDbg and GDB will both interact with remote debuggers and send that information over. There are other VMI tools out there, and many of them can be implemented within the virtual machine monitor itself, that is, the hypervisor.

These tools can capture information for you, such as the contents of the virtual machine’s memory, and that data can then be interpreted to understand the processes inside the system. One of the most popular tools for such interpretation is the Volatility Framework, which we mentioned before when we talked about memory capture. This framework contains profiles for many popular operating systems, and you can extract different information, like process trees or lists of kernel objects, from within those virtual machines by using virtual machine introspection (VMI). The other way we can do this is by capturing information from save state files.

These are files that are written when you suspend a virtual machine. If you take these suspended virtual machine memory files and load them into a memory analysis tool like the Volatility Framework, you can go through that memory just as if you had done a live memory capture. This is one of the nice things about a virtual machine: when you pause and suspend it, anything running in memory is instantly saved into one of these save state files. The next thing we have to think about is how we’re going to capture persistent data, and this persistent data acquisition is something we have to consider.

This is the acquisition of data from persistent devices, such as virtual hard drives or other virtualized mass storage devices, into an image-based format. With a standard laptop or desktop, I could take the hard drive out and plug it into an imaging machine to make an image for my analysis. But if I’m dealing with a virtual machine, there is no physical hard drive, just an image file that the virtual machine is using, and so we need a way to capture that data persistently. It is still necessary for us to follow forensic procedures to preserve that data as original evidence, but we do want to get an image of it so that we can do our analysis. One of the ways we can do this is to capture a bit-by-bit copy of the virtual machine’s virtual hard drive, because that virtual hard drive is already a file sitting on the host computer.

So if I do a bit-by-bit copy of the host computer, that virtual machine image comes along as part of it. Or I can just copy the virtual machine image itself in a forensically sound manner; that way I don’t even have to shut down the whole host, because I only need to shut down that virtual machine and capture its image file. The next area we have to consider is file carving of deleted virtual machine disk images. File carving of these virtualized hard drives can help us identify files in the unallocated and slack space of those disk images. The challenge with file carving deleted VM disk images is that virtual machine hosts use proprietary file formats or file systems. For example, VMware uses VMFS instead of something like NTFS, which Windows uses by default.

This can make disk analysis much more difficult for us, and so we often have to rely on file carving. File carving can be used to reconstruct files that have been fragmented across the host file system, and those fragments may be made up of parts of different virtual machine images too, so it does make our challenge a lot harder when we’re trying to carve files across these systems. The final area we have to consider is lost system logs. This happens because virtual machines are optimized to spin up when they’re needed and be destroyed when they’re no longer needed. This is known as elasticity, as you learned all the way back in A+.

This is great for operations, but it is horrible for security, because the logs we rely on as security analysts are now being destroyed too. If a new Windows machine was spun up and its event logs are destroyed when that machine is destroyed, we lose access to them. So we need to make sure we’re configuring virtual machines to log those events to a remote logging server, to prevent the system logs from being lost during deprovisioning and the scale-down events that happen when elasticity shrinks the environment. This is really important to consider and a big thing to remember in virtualization, because if we don’t configure this upfront as part of our architecture, we are not going to have the security data we need when a bad thing happens and we have to go back and put together a timeline of all the events.

  3. Mobile Forensics (OBJ 4.3)

Mobile forensics. You may be wondering why I’m bringing up mobile technologies and forensics in this section of the course, when we’re talking about application-related indicators of compromise. The reason is that a lot of our applications these days run on mobile devices, and those mobile devices can be a vector or a target for many of our incidents, especially in an enterprise environment. Another issue we have to consider with mobile devices is that many of them connect to our corporate networks. For example, if you use a VPN to connect your mobile device back into your corporate network and that mobile device has already been attacked, you can now bring that compromise into the corporate network as well.

And so this can lead to cases where we have to conduct forensics on your endpoint, your mobile device, to find out exactly what the intrusion vector was. As we go through this section we’re going to talk about four key areas: data collection, extraction and analysis methods, forensic software, and carrier logs, and how each of them relates to mobile device forensics. First, let’s talk about data collection. We’re going to need tools that facilitate imaging of a mobile device’s system memory, the RAM inside it, as well as the flash memory that’s used for persistent storage and acts as its hard drive. Mobile devices don’t have hard drives; they have solid state storage.

This is really the flash memory we’re talking about. So how are we going to collect that information? The data is stored on flash memory chips that are soldered to the system board, so it’s not as easy as opening a laptop and removing a hard drive. We have this soldered-on memory chip, and that makes it really difficult to work with. Yes, if we’re dealing with a law enforcement effort, we can have experts who know how to desolder these chips and collect the data bit by bit using chip-off methods. But most of us aren’t going to have that capability, so instead we’re going to hook up these devices and use something like a debugging port or a Joint Test Action Group (JTAG) hardware interface that allows us to get the information off the device.

All modern iOS and Android devices also have encryption enabled by default for this solid state storage, so the data on them is going to be encrypted, and we had better have a way to decrypt it as well. The easiest way is if we have the passcode or the user unlocks the device for us. If we’re working with somebody in our organization who is cooperative with our investigation, that will likely happen. But if we’re dealing with a law enforcement action, again, that’s unlikely to happen, and investigators have to use other methods, including something like a zero-day exploit, to get into that device. One other area I want to bring up quickly: if you’re working for law enforcement and you’re worried about a device being remotely wiped, you want to collect the device and put it in a Faraday bag.

A Faraday bag is simply a bag you put smartphones or tablets into that blocks any radio frequency signal from getting in or out. So if I take a device, for instance an iPhone, place it in the bag and seal it up, no cellular signal can get in or out of that bag. That way, an attacker can’t remotely send a kill command or a wipe command to the device once I have it in custody. Again, this is something all law enforcement is trained on, and they use it as one of their standard procedures to ensure nobody can affect the device after they’ve collected it. There is one other area we have to touch on. I know I have students from all around the world, but here in the United States we have something known as the Fifth Amendment.

In the United States, the Fifth Amendment means that a suspect cannot be compelled to give you access to their devices. For example, if I have my smartphone and there is evidence on it that’s incriminating to me, and you ask me to unlock my smartphone using my thumbprint, my face or even my PIN, I don’t have to do that if it would give you access to incriminating evidence on my device; that’s part of the Fifth Amendment, and it has been upheld in courts time and time again. This may not apply in your region of the world if you’re outside the United States, but it is a big area of concern inside the United States and for US companies, especially if you have something like a bring your own device (BYOD) policy, where you allow users to bring their own devices onto your corporate network.

Once they do that, it doesn’t automatically give you a right to go and search their devices; that would be an unlawful search and seizure. So this is an area you have to be thinking about as you’re dealing with different devices. And if you’re working with law enforcement, remember there are rules about what you can and cannot do, and one of them is that you can’t take the device and hold it up to somebody’s face to unlock it, because that would be a violation of the Fifth Amendment. Now, let’s go into our second area. Let’s assume we’ve gotten into the device. Now we need to extract and analyze the data, and for this we use extraction and analysis methods.

These are analysis techniques for mobile devices, and many of them are very similar to what we talked about for Windows and Linux workstations, since most mobile devices rely on Unix-like operating systems. iOS, which iPhones use, is a Unix-based operating system; Android is a Linux-based operating system; and the older Windows Mobile devices relied on a Windows-based operating system. So all three still have roots in the Windows, Linux and Unix world, and therefore use a lot of the same techniques we used before. As we begin our extraction, there are four different ways we can do this. The first is manual extraction.

This means we take the device and simply scroll through the settings and app screens to find the information we need. So if I’m part of a law enforcement team and I find a device sitting on a counter that’s already unlocked, I can pick it up and start looking through it: the contacts, the call logs, previous places they’ve looked at on maps or addresses they’ve navigated to, and collect that information. If you’re doing this, you should have somebody over your shoulder filming everything you do, so you can prove no changes were introduced. For instance, you’re not making phone calls that could later be presented as evidence, with someone saying this bad person made a phone call to this drug dealer, when you were really the one who made the call.

So you need to make sure none of that happens. Second, we can move into logical extraction. Logical extraction refers to using utilities supplied by the device or the vendor to extract the data for later analysis. For example, if somebody has an iPhone, you can do a data backup to iCloud, and then from iCloud you can get the information you need. This is one of the ways to do it, and it’s an easy way to get the information off the device and into another location for later analysis. But again, if the device was encrypted and you don’t have the key, you’re not going to get into the data even if you back it up to iCloud.

iCloud is going to require that key to unlock the data, because it does an encrypted backup. If you’re dealing with an Android device, you can also do logical extraction over the device’s debug interface, ADB, the Android Debug Bridge, which will allow you to retrieve data off the device as well. The third way is a file system extraction. A file system extraction is where we make a copy of all the unencrypted data, just like we did when we imaged a desktop or a laptop, and then go into something like EnCase or FTK to analyze it. That will work for these devices, but remember, they’re not Windows or Linux, they are Android and iOS, and so there are special tools you may need.

A lot of the data stored on these devices lives inside individual databases known as SQLite databases. If you download those, they’re not files you can just open up unless you have a specific tool to do that, such as a SQLite database browser like the one you see on the screen, which allows you to get the information out of the database. Many of these databases contain a lot of information, such as logs and user-generated data, and all of that could be evidence in your investigation. Our fourth method of extraction for mobile devices is SIM card extraction. This is where you use tools to pull information off a SIM card, which would give you things like outgoing calls, text messages and other data that could be stored on that SIM card, including their contacts.
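As an added example (not the lesson’s own code, and not any vendor’s real schema), here is a Python script that uses the standard library’s sqlite3 module to do what a SQLite database browser does during analysis: open an extracted database read-only, enumerate its tables, and pull call records out with readable timestamps. The call-log table, its column names and its rows are constructed for the example; only the type codes follow Android’s CallLog.Calls constants.

```python
import sqlite3
from datetime import datetime, timezone

# Android's CallLog.Calls type constants (these three values are real).
CALL_TYPES = {1: "incoming", 2: "outgoing", 3: "missed"}


def open_readonly(path):
    """Open an extracted database read-only so the evidence file is never modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_calllog(path=":memory:"):
    """Constructed stand-in for an extracted call-log database. The table and
    column names are assumptions for this example, not a vendor's real schema."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE calls (_id INTEGER PRIMARY KEY, number TEXT, "
                 "date INTEGER, duration INTEGER, type INTEGER)")
    # date is milliseconds since the Unix epoch, as mobile call logs usually store it.
    rows = [
        (1, "+15551230001", 1657188000000, 120, 2),  # outgoing, 2022-07-07 10:00 UTC
        (2, "+15551230002", 1657191600000, 0, 3),    # missed,   2022-07-07 11:00 UTC
        (3, "+15551230001", 1657195200000, 45, 1),   # incoming, 2022-07-07 12:00 UTC
        (4, "+15559990000", 1657198800000, 300, 2),  # outgoing, 2022-07-07 13:00 UTC
    ]
    conn.executemany("INSERT INTO calls VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def list_tables(conn):
    """Enumerate tables first; you rarely know an app database's layout in advance."""
    return [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]


def extract_calls(conn, number=None):
    """Call records with human-readable UTC timestamps, optionally for one number."""
    sql = "SELECT _id, number, date, duration, type FROM calls"
    params = ()
    if number is not None:
        sql += " WHERE number = ?"
        params = (number,)
    sql += " ORDER BY date"
    records = []
    for _id, num, ms, dur, typ in conn.execute(sql, params):
        when = datetime.fromtimestamp(ms / 1000, tz=timezone.utc)
        records.append({"id": _id, "number": num,
                        "time": when.strftime("%Y-%m-%d %H:%M:%S UTC"),
                        "duration_s": dur,
                        "type": CALL_TYPES.get(typ, f"unknown({typ})")})
    return records


def contacts_by_frequency(conn):
    """(number, call count, total seconds) tuples, most-contacted number first."""
    return conn.execute(
        "SELECT number, COUNT(*) AS n, SUM(duration) FROM calls "
        "GROUP BY number ORDER BY n DESC, number").fetchall()


if __name__ == "__main__":
    db = build_sample_calllog()  # swap for open_readonly("calllog.db") on a real extraction
    print("tables:", list_tables(db))
    for rec in extract_calls(db):
        print(rec)
    print("most contacted:", contacts_by_frequency(db))
```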

All of this is data that could be evidence in your investigation. The third main area we need to talk about is mobile device forensic software. As I said, lots of these devices are Unix-based or Linux-based, but there are specific tools you can use to collect this data much more easily and then analyze it. For example, Cellebrite is one of these tools. It is focused on evidence extraction from smartphones and other mobile devices, including older feature phones, and from cloud data and metadata, using a Universal Forensic Extraction Device, or UFED. What is a Universal Forensic Extraction Device? Essentially it’s a standalone device: you take the phone and plug it in, and this all-in-one device does all the hard work for you.

It takes a forensically sound image and then allows you to analyze the data from within this standalone workstation. In addition, Cellebrite sells a software-based version that can be loaded onto a laptop, but most people prefer the standalone solution. Another tool you can use is Mobile Phone Examiner Plus, or MPE+. This is a mobile device forensics tool created by AccessData, the developers of FTK. Essentially, it gives us a lot of the features FTK would, but designed specifically for mobile phones. Just as FTK has its mobile version, EnCase has one too: EnCase Portable is a mobile device forensic tool created by Guidance Software, the developers of EnCase, and again it’s basically the mobile phone version of EnCase. The fourth and final area we need to talk about is carrier-provided logs.

These are any records of device activity that can be acquired from the mobile device’s cellular service provider with the use of a warrant. This is really important, because as a company we’re not going to be able to do this; but if you’re working for law enforcement, you can, and with the right warrant you’re going to find a lot of information from these carriers. One thing to keep in mind is that a lot of this information has a very short retention period. For example, personally identifiable information, or PII, has an extremely short retention period due to various privacy laws, so if you go into an investigation and ask for data from a year ago, the carrier may not have it anymore. Instead, you need to ask for things quickly, when you need them, using the appropriate warrants.

And again, this really only applies to law enforcement professionals. So what kind of information can you get from carrier-provided logs? You can get call details, voicemail details, and text message, or SMS, details. You can even get images sent over text messages using the MMS service. You can get the IP address destinations of what the device was browsing on the Internet, session information, and geolocation data, such as where the device was at what time on what day. This is all really important information you can get from the carrier, but again, you are going to need a legal warrant to be able to legally search and seize that information, and the carrier is not going to provide it without one.
