DFIR : Zero To Hero Series : Case-0
To help folks (🕵️) who are just starting their journey in the DFIR field, we are starting a “DFIR Zero To Hero Series” in which we will provide an investigation scenario. We will also provide a write-up for each scenario where we share our approach.
Case-0 : Remote Access Tool Investigation Part-1
Case Background:
A new employee recently joined the company as a Web Developer. The company suspects that the newly joined employee has used Remote Access Tools and wants to verify this, and also wants to check what other activities the suspected employee has performed. Employees who join as web developers are allowed to use software such as XAMPP and Sublime Text Editor [as most of the time the company uses PHP & JavaScript for web development], but they are not allowed to use any Remote Access Tools or other software that does not align with the job description. So, the company has provided the disk image of the suspect machine and has asked you to do the forensic analysis.
You can download the disk image by visiting the following link:
Let’s see what approach I would take if this case were assigned to me for investigation.
Initial Thoughts
So, based on the case background, we need to do the following:
- Check whether the suspect has used any remote access tools.
- Check for installations of software that does not align with the JD.
Planning
- First things first, we will create a triage image using a tool of your choice; here I am using KAPE.
- For evidence of Remote Access Tool execution we will check Prefetch files, Amcache, and Event Logs.
- For installations of other software we will look into the Event Logs.
Execution:
Triage Part:
Let’s start with the KAPE triage. First, mount the disk image using Arsenal Image Mounter. We will use the KAPE CLI to acquire the Event Logs, MFT, USNJrnl, Amcache, and Prefetch files.
kape.exe --tsource "D:" --tdest "C:\Collection\Target" --target EventLogs,EvidenceOfExecution,FileSystem
Let’s check the collected data.
Now let’s parse the acquired data using KAPE modules (Eric Zimmerman tools).
kape.exe --msource "C:\Collection\Target" --mdest "C:\Collection\Module" --module MFTECmd,AmcacheParser,EvtxECmd,PECmd
Analysis
Based on the case background we need to look for remote access tools, so we can search for tools like AnyDesk, TeamViewer, Getscreen.me, ScreenConnect, UltraVNC, and AnyViewer.
We can start with Prefetch file analysis. One might ask, why Prefetch files first? The simple answer is:
A Prefetch file doesn’t exist unless the program has run at least once.
- So let’s open the parsed Prefetch output using Timeline Explorer.
- In the Executable Name field, let’s search for the different remote access tools.
Here we go 😎 we found an ANYDESK.EXE entry in the Prefetch entries.
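The same Executable Name search, done programmatically over PECmd’s CSV output so it can be repeated across many images. This is an added example, not part of the original write-up; it assumes PECmd’s column names (SourceFilename, ExecutableName, RunCount, LastRun, PreviousRun0..6) and uses a constructed three-row sample in place of a real parsed file.

```python
import csv
import io
from datetime import datetime

# Product keywords from the case, matched case-insensitively as substrings of
# ExecutableName, the same filter an analyst applies to that column in Timeline Explorer.
RAT_KEYWORDS = ("ANYDESK", "TEAMVIEWER", "GETSCREEN", "SCREENCONNECT", "VNC", "ANYVIEWER")

# Constructed sample standing in for PECmd_Output.csv (a subset of PECmd's columns;
# the hashes, timestamps and run counts are made up for this example).
SAMPLE_PECMD_CSV = """\
SourceFilename,ExecutableName,RunCount,LastRun,PreviousRun0,PreviousRun1
C:\\Collection\\Target\\C\\Windows\\prefetch\\CHROME.EXE-AAAAAAAA.pf,CHROME.EXE,41,2024-03-12 16:02:10,2024-03-12 08:30:00,2024-03-11 18:01:45
C:\\Collection\\Target\\C\\Windows\\prefetch\\ANYDESK.EXE-BBBBBBBB.pf,ANYDESK.EXE,3,2024-03-12 14:05:33,2024-03-11 09:12:01,2024-03-10 17:44:20
C:\\Collection\\Target\\C\\Windows\\prefetch\\SUBLIME_TEXT.EXE-CCCCCCCC.pf,SUBLIME_TEXT.EXE,12,2024-03-12 15:40:02,,
"""

def _parse_ts(value):
    """PECmd writes 'YYYY-MM-DD HH:MM:SS[.fffffff]'; blank cells mean no stored run time."""
    if not value or not value.strip():
        return None
    return datetime.strptime(value.strip().split(".")[0], "%Y-%m-%d %H:%M:%S")

def find_rat_prefetch(csv_text, keywords=RAT_KEYWORDS):
    """Return one record per Prefetch entry whose ExecutableName contains a RAT keyword."""
    # LastRun plus PreviousRun0..6: Windows 8+ keeps the last eight run times, so
    # RunCount can exceed the number of timestamps actually recovered.
    run_cols = ["LastRun"] + [f"PreviousRun{i}" for i in range(7)]
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["ExecutableName"].upper()
        matched = [k for k in keywords if k in name]
        if not matched:
            continue
        runs = sorted(ts for col in run_cols if (ts := _parse_ts(row.get(col))) is not None)
        hits.append({"executable": row["ExecutableName"], "keyword": matched[0],
                     "run_count": int(row["RunCount"]), "runs": runs,
                     "source": row["SourceFilename"]})
    return hits

def build_timeline(hits):
    """Flatten hits into chronologically ordered (timestamp, executable) events."""
    return sorted((ts, h["executable"]) for h in hits for ts in h["runs"])

if __name__ == "__main__":
    for ts, exe in build_timeline(find_rat_prefetch(SAMPLE_PECMD_CSV)):
        print(ts, exe)
```

Keyword matching on the short product names is deliberately broad (e.g. "VNC" also catches legitimate VNC viewers), so treat each hit as a lead to confirm against Amcache and Event Logs rather than a conclusion.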
Exercise For You
Since we found instances of a remote access tool (AnyDesk), we can check other artifacts like Amcache and Event Logs to build a timeline of events.
In the same way, we can check the Event Logs to answer whether any software was installed by the suspect.
You can share your write-ups and thoughts related to this “DFIR Zero To Hero Series” over email (upadhyayraj007@gmail.com).