Host-based digital forensics is just one aspect of investigating cyber security incidents, with the lens on the investigation and analysis of individual computers and devices. This is in contrast to network forensics, which focuses on network logs and packet captures. This blog post will look at key concepts and tools from a 30,000-foot level.
What is Host-Based Digital Forensics?
Host-based digital forensics involves analysing data from individual computers, laptops, and mobile devices to uncover evidence related to cyber incidents. This can include examining file systems, memory, and system logs to identify malicious activity, recover deleted files, and understand how an attacker gained access.
If you’re interested in Digital Forensics, check out my podcast : TLP – Traffic Light Protocol The Digital Forensics Podcast. https://open.spotify.com/episode/6ZyAyPBqTQMmwWdO7wTGHc?si=b0f5775d3f42418b
An artefact that is often overlooked is memory. Around 2003 @thegrugq coined the term ‘the data condom’. What he was referring to was fileless malware that attempts to run in memory only and never touch disk.
Many malicious activities leave little to no trace on disk but do leave artefacts in memory. Memory analysis can reveal:
Running Processes: See all the programs and scripts running, including hidden or malicious ones (this is great if you don’t have Sysmon, or Sysmon process tracking, enabled (but you should)).
Network Connections: Check for suspicious connections to the internet or other devices (the same effect can be achieved by running netstat -nao from cmd, but don’t forget to record the time you opened cmd.exe and typed the command in your contemporaneous notes, as this can look like attacker tradecraft).
Loaded Modules: Identify loaded DLLs and other modules that could be part of an attack. Module analysis goes a bit deeper into the rabbit hole of memory forensics. Once you start analysing individual modules you can detect more malware and malicious activity. This is a good step for spotting things like process hollowing and code injection.
These attacks are where an exploit is used to overwrite the memory of a legitimate process. On the surface it looks like a legitimate process, but the code inside is actually malicious (process hollowing).
Real-World Example: Investigating a Malware Infection
Imagine a scenario where a company’s employee reports unusual behaviour on their computer. The incident response team suspects malware and begins a host-based forensic investigation. Using tools like FTK Imager (to capture RAM) and Volatility (to analyse memory), they analyse the computer’s file system and memory. They discover a malicious executable file hidden in a seemingly innocuous folder. Further analysis reveals that the malware was designed to steal sensitive data and send it to an external server.
Step-by-Step Investigation Process:
Data Acquisition: The first step is to create a memory forensic image of the compromised host. As always, save the memory dump to an external hard drive.
To capture the memdump use FTK Imager. Just click on File -> Capture Memory.
Analysis: To investigate the memdump, use Volatility. Some of my favourite commands in Volatility are:
vol.py -f base-rd01-memory.img kdbgscan > kdbgscan.txt
This isn’t a favourite, it’s a necessity! The output from this command gives me a profile (which is used in the next command). Specifying the profile is essential for some Volatility commands so Volatility knows where to look and how the memory space is addressed.
vol.py -f base-rd01-memory.img --profile=Win10x64_16299 malfind --dump-dir=./malfind-baserd01 > malfind.txt
For context, let’s break down the command. vol.py is how you execute Volatility, -f followed by the filename is the memory dump file itself to be analysed, and --profile=[Profile to be used] is what you identified by scanning the memory image first. Once you have identified the profile to use, you don’t need to scan again, but some plugins do expect you to specify the profile that is being used. malfind is the plugin we’re using and --dump-dir= is where we want the output to go. I’m exporting the results of what it finds to a txt file, as sometimes the output can be lengthy.
Once I’ve got the command running the way I want it, I’ll run it a second time and export the results to a text file. This helps with the investigation as everything is in one place.
(To find code that has been injected into a process, just run grep Process malfind.txt, literally the word Process, as that is how the malfind plugin labels each hit in its output.)
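As an added example (not from the original post or the Volatility project), here is a small Python parser for the malfind report that goes one step past the grep: it pulls out each Process/Pid/Address header, the VAD protection and the first dumped bytes, then flags executable regions that begin with an MZ header. The sample report is constructed, and the field layout assumes Volatility 2's text output.

```python
import re
from dataclasses import dataclass
# Constructed sample of Volatility 2 'malfind' text output (not from a real dump).
SAMPLE_MALFIND = """\
Process: explorer.exe Pid: 1860 Address: 0x3d0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x003d0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x003d0010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

0x003d0000 4d               DEC EBP

Process: svchost.exe Pid: 872 Address: 0x1a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE

0x001a0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
"""
HEADER = re.compile(r"^Process: (\S+) Pid: (\d+) Address: (0x[0-9a-f]+)", re.I)
HEXLINE = re.compile(r"^0x[0-9a-f]+\s+((?:[0-9a-f]{2} )+)", re.I)
@dataclass
class Region:
    process: str
    pid: int
    address: int
    protection: str = ""
    head: bytes = b""  # leading bytes of the region, rebuilt from the hex dump

def parse_malfind(text):
    """Turn malfind's report into Region records: header fields plus the dumped bytes."""
    regions, cur, blanks = [], None, 0
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = Region(m.group(1), int(m.group(2)), int(m.group(3), 16))
            regions.append(cur)
            blanks = 0
        elif cur is None:
            continue
        elif not line.strip():
            blanks += 1  # 1st blank line precedes the hex dump, 2nd the disassembly
        elif line.startswith("Vad Tag:"):
            cur.protection = line.split("Protection:")[-1].strip()
        elif blanks == 1 and (h := HEXLINE.match(line)):
            cur.head += bytes.fromhex(h.group(1).replace(" ", ""))
    return regions

def suspicious(regions):
    """Executable regions whose dump starts with an MZ header: a PE image in private memory."""
    return [r for r in regions if "EXECUTE" in r.protection and r.head.startswith(b"MZ")]
```

Regions that are executable but do not start with MZ (shellcode stubs, JIT pages, some packers) still deserve a look, so treat the MZ filter as a first pass, not a verdict.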
Dll Dump
vol.py -f memory.img dlldump -p 1012 -b 0x10000000 --dump-dir=/output/
For context, let’s break down the command. vol.py is how you execute Volatility, -f followed by the filename is the memory dump file itself to be analysed, dlldump is the plugin we’re using, -p followed by the number is the process ID or PID, -b is the base address, and --dump-dir= is the location where the contents of the DLL will be exported.
Extract files from memory (dumpfiles)
vol.py -f memory.img dumpfiles -n -i -r \.exe --dump-dir=./output
Dump specific process from RAM image
vol.py -f base-rd01-memory.img --profile=Win10x64_16299 procdump -p 8260 --dump-dir=./
Extract processes
vol.py -f memory.img procdump --dump-dir=/output/
Volatility - process handles (checking files open on disk)
vol.py -f base-rd01-memory.img --profile=Win10x64_16299 handles -s -t File,Key -p 5948
(-p followed by the number is the process ID; -t File,Key limits the output to file and registry key handles)
Volatility netscan
vol.py -f base-rd01-memory.img --profile=Win10x64_16299 netscan | egrep -i 'CLOSE|ESTABLISHED|Offset'
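An added example, not part of the original post: a Python triage of netscan output that keeps the ESTABLISHED and CLOSE_WAIT rows the egrep above keeps, but also groups them by owning process and marks connections to public addresses. The sample rows are constructed; the parser assumes Volatility 2's column layout, where UDP rows leave the State column empty.

```python
import ipaddress
from dataclasses import dataclass
# Constructed sample of Volatility 2 'netscan' output (not from a real image).
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d6f0a10         TCPv4    10.0.0.5:49210                 93.184.216.34:443    ESTABLISHED      1860     explorer.exe
0x7d6f0b30         TCPv4    10.0.0.5:49211                 10.0.0.9:445         ESTABLISHED      4        System
0x7d7a1b20         TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System
0x7d7a1c40         TCPv4    10.0.0.5:49300                 93.184.215.14:8443   CLOSE_WAIT       872      svchost.exe
0x7d8c2c30         UDPv4    0.0.0.0:137                    *:*                                   4        System         2024-01-01 10:00:00 UTC+0000
"""

@dataclass
class Conn:
    proto: str
    local: str
    foreign: str
    state: str
    pid: int
    owner: str

def parse_netscan(text):
    """Split netscan rows into Conn records. UDP rows leave State empty, so the PID is
    taken as the first all-digit token after the foreign address."""
    conns = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or not t[0].startswith("0x"):
            continue  # column header, blank line or anything that is not a socket row
        if t[4].isdigit():
            state, pid, owner = "", int(t[4]), t[5]
        else:
            state, pid, owner = t[4], int(t[5]), t[6] if len(t) > 6 else ""
        conns.append(Conn(t[1], t[2], t[3], state, pid, owner))
    return conns

def is_external(endpoint):
    """True for a routable public address; False for private, loopback, wildcard or '*'."""
    try:
        return ipaddress.ip_address(endpoint.rsplit(":", 1)[0]).is_global
    except ValueError:
        return False

def external_sessions(conns):
    """Live or half-closed connections to public addresses, grouped by owning process."""
    hits = {}
    for c in conns:
        if c.state in ("ESTABLISHED", "CLOSE_WAIT") and is_external(c.foreign):
            hits.setdefault((c.pid, c.owner), []).append(c.foreign)
    return hits
```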
With all of this, what’s the TL;DR?
- Put together clues from memory analysis (Check out my blog post here on Volatility in detail) https://dfirinsights.com/2018/02/12/simple-volatility-syntax/
- Dive deeper into files, registry, and system settings
- Capture these IOCs, then sweep the rest of your network for the IOCs you discovered on what appears to be patient zero
- Remove any malicious files and fix the changes made by attackers (or better yet, rebuild the system)
- Update and secure the system based on your root cause analysis
- Learn from the experience and share your knowledge with the team with an incident debrief
If you want to see what else FTK Imager can do, take a look at my blog post on FTK Imager here where I explain how to create a custom content image: https://dfirinsights.com/2018/02/15/ftk-imager-creating-custom-content-images-with-classic-file-types/