Perhaps we are going at this a little backwards by not starting with this post. Better late than never.
Step 1: Detection -- can come through three channels.
First, automated systems such as IDS, firewall logs, Tivoli triggers, or other alarms that notify security operations of an event. Some are false positives, some are real. ALL events need to be reviewed for the process to improve.
Second, manual review of systems such as IDS or firewall logs can be a better method of detecting unusual results or activities. Not all signatures or anomalies can be detected by programmed systems; human eyes on the perimeter are mandatory. Continued analysis of these systems will also streamline the triage of actual security events.
Finally, the last detection method is the most severe: notification by an external party, be it an Internet Service Provider, a security researcher, or law enforcement. Usually by this point much research has already been done and the security event has been vetted many times.
Step 2: Identification -- manual analysis required.
Once an event has been detected, you need to identify not only what the event is, where it occurred, and which business line it affected, but why it happened and whether it is a real security threat. If the event is, for example, a Zbot detection, then beyond re-imaging the affected devices and having passwords reset, you need to determine why the event occurred in the first place. Is a website that is normally considered safe now infected? Does it need to be blocked at the proxies? Did someone take the computer home, get infected, and bring it into the office? Is the detection really Zbot, or is it something else that LOOKS like Zbot?
Step 3: Confirmation -- Once a security incident has been identified, you need to determine through analysis that a breach has actually occurred or that the devices have been infected. If you are confirming a virus, look up what that particular virus does. Does it modify registry settings? Does it rename files? Then look for these markers on your device. If you can confirm these markers, or indicators of compromise, you can provide the details either for forensic analysis or to support the remediation process.
Step 4: Analysis -- This can take on many forms.
Tuesday, 20 December 2011
Monday, 19 December 2011
Tools to analyze acquired memory
Here is a partial list of tools you can use to analyze memory acquired for forensic examination.
| Company | Tool | Link |
|---|---|---|
| Mandiant | Redline 1.1 | http://fred.mandiant.com/Redline-1.1/Redline-1.1.msi |
| Mandiant | AuditViewer | http://fred.mandiant.com/AuditViewer-bin.zip |
| Volatile Systems | Volatility | http://code.google.com/p/volatility/ |
| HBGary | Responder CE/Pro | http://www.hbgary.com/request-account |
Tools to acquire memory
| Company | Tool | Link |
|---|---|---|
| HBGary | FastDump | www.hbgary.com/fastdump |
| Guidance | winen and winen64 | www.guidancesoftware.com |
| AccessData | FTK Imager | http://accessdata.force.com/RegisterForDownload?redirectName=000051 |
| MoonSols | DumpIt | http://www.moonsols.com/wp-content/plugins/download-monitor/download.php?id=7 |
| Mandiant | Memoryze | http://fred.mandiant.com/MemoryzeSetup2.0.msi |
| ManTech | MDD | http://sourceforge.net/projects/mdd/files/ |
| Matthieu Suiche | win32dd | http://win32dd.msuiche.net/ |
Sunday, 18 December 2011
Acquire RAM from Live Windows System with F-Response Tactical to SIFT Workstation
Here's how:
On the Windows SUBJECT:
1. Insert the SUBJECT F-Response Tactical USB into the target Windows computer
2. If AutoRun is enabled, the device should automatically load the F-Response utility
3. If AutoRun is NOT enabled, double-click "My Computer" and open the drive for the USB named "Subject"
4. Open the Folder named "TACTICAL Subject"
5. Double-Click the icon named "f-response-tacsub"
6. Verify that the IP identified is the correct one and select ENABLED for Physical Memory
7. Click Start
On the SIFT Examiner:
1. In the terminal window, enter "sudo su"
2. Enter "fdisk -l" and note the existing partitions
3. Note the devices that are identified
4. Insert the F-Response Tactical EXAMINER USB into the SIFT workstation
5. cd to the directory (i.e. cd /media/EXAMINER/TACTICAL\ Examiner/ )
6. Confirm you can PING the SUBJECT computer
7. Enter "./f-response-tacex-lin.exe -s <IP of Subject computer> -p <port>"
8. If successful, you will see a screen similar to the following:
9. To acquire the memory now, note the line that contains "pmem"
10. Enter "iscsiadm -m node --targetname=iqn.2008-02.com.f-response.marymlaptop:pmem --login"
11. Enter "fdisk -l" and note the NEW device that was added (see fdisk-new.png)
12. Now you can do one of two things: work directly with the memory, or image it in case the state of your subject becomes altered.
13. If you choose to image the memory, use dc3dd, as it can create an md5 hash of the memory as you create the image. (see dc3dd.png)
14. Now that you have the image, you can run Volatility against it for analysis purposes.
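The examiner-side part of steps 11 through 13, as an added example that is not from the original post or from F-Response: it picks out the block device the iSCSI login added by diffing two saved "fdisk -l" listings, shows the dc3dd call that hashes while it images, and re-checks an image against the recorded md5. The fdisk output is constructed, and the dc3dd option spelling (hash=, log=) assumes dc3dd 7.x.

```shell
#!/bin/sh
# Added example, not part of the original post. Examiner-side helpers for
# steps 11-13: find the block device the iSCSI login added, image it with
# dc3dd (hashing while copying), and re-check the hash later. Assumes
# dc3dd 7.x option spelling; the fdisk output below is constructed.

# Constructed "fdisk -l" output as seen before the pmem target is logged in.
sample_fdisk_before() {
  cat <<'EOF'
Disk /dev/sda: 250.1 GB, 250059350016 bytes
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1       30401   244196001   83  Linux
Disk /dev/sdb: 4009 MB, 4009754624 bytes
/dev/sdb1               1         488     3915776    c  W95 FAT32 (LBA)
EOF
}

# Print whole-disk devices listed in "after" ($2) but not in "before" ($1).
# Feeding "before" twice means any device already present occurs 2 or 3
# times in the combined stream, so uniq -u leaves only the newcomers.
new_devices() {
  cat "$1" "$1" "$2" | grep -o '^Disk /dev/[a-z]*' | sort | uniq -u | sed 's/^Disk //'
}

# Step 13: dc3dd hashes the bytes as they are read from the subject, so the
# md5 in the log describes the acquired memory, not a later re-read.
acquire_pmem() {  # $1 = device from new_devices, $2 = output image path
  dc3dd if="$1" of="$2" hash=md5 log="$2.log"
}

# Confirm an image on disk still matches the md5 recorded at acquisition time.
verify_image() {  # $1 = image path, $2 = expected md5 (hex)
  [ "$(md5sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Demonstration on constructed data: the login added /dev/sdc (the pmem target).
demo_new_device() {
  before=$(mktemp); after=$(mktemp)
  sample_fdisk_before > "$before"
  { sample_fdisk_before; echo 'Disk /dev/sdc: 2147 MB, 2147483648 bytes'; } > "$after"
  new_devices "$before" "$after"
  rm -f "$before" "$after"
}

dev=$(demo_new_device)
echo "new device after iscsiadm login: $dev"
echo "acquire with: dc3dd if=$dev of=pmem.raw hash=md5 log=pmem.raw.log"
```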