DFIR : Zero To Hero Series : Case-0
To help folks (🕵️) who are just starting their journey in the DFIR field, we are starting a “DFIR Zero To Hero Series” in which we will provide an investigation scenario. We will also provide a write-up for each scenario in which we share our approach.
Case-0 : Remote Access Tool Investigation Part-1
You can download the disk image by visiting the following link:
Let’s see what approach I would take if this case were assigned to me for investigation.
So based on the case background we need to do the following things:
- Check whether the suspect has used any remote access tools.
- Check for installations of software that does not align with the suspect’s job description (JD).
- First things first: we will create a triage image using the tool of your choice; here I am using KAPE.
- For remote access tool execution we will check Prefetch files, Amcache, and the Event Logs.
- For installations of other software we will look into the Event Logs.
Let’s start with the KAPE triage. First mount the disk image using Arsenal Image Mounter, then use the KAPE CLI to acquire the Event Logs, MFT, USN journal ($UsnJrnl), Amcache and Prefetch files.
kape.exe --tsource "D:" --tdest "C:\Collection\Target" --target EventLogs,EvidenceOfExecution,FileSystem
Let’s check the collected data.
Now let’s parse the acquired data using KAPE’s modules (Eric Zimmerman’s tools).
kape.exe --msource "C:\Collection\Target" --mdest "C:\Collection\Module" --module MFTECmd,AmcacheParser,EvtxECmd,PECmd
Based on the case background we need to look for remote access tools, so we can search for tools such as AnyDesk, TeamViewer, Getscreen.me, ScreenConnect, UltraVNC and AnyViewer.
We can start with prefetch file analysis. One might ask why prefetch files first? The simple answer is:
A prefetch file doesn’t exist unless the program has run at least once. (Keep in mind that Prefetch is disabled by default on Windows Server editions, so the absence of a .pf file on a server is not evidence that nothing ran.)
- So let’s open the parsed prefetch output in Timeline Explorer.
- In the Executable Name column, search for the different remote access tools.
Here we go 😎, we found an ANYDESK.EXE entry in the prefetch records.
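The same search can be scripted over PECmd’s CSV output instead of clicking through Timeline Explorer, which is handy when you have many hosts or a long tool list. The script below is an added example, not code from the original post or from KAPE/PECmd; it embeds a constructed sample CSV, and the column names (SourceFilename, ExecutableName, RunCount, LastRun) are my assumption of PECmd’s export, so check them against your own parsed output. It matches on name fragments rather than exact names so that installers and renamed copies (TEAMVIEWER_SETUP.EXE here) surface as well.

```python
import csv
import io

# Constructed sample shaped like PECmd's CSV export. The column names are my
# assumption of that export; the .pf hashes, paths and timestamps are made up.
SAMPLE_PREFETCH_CSV = """\
SourceFilename,ExecutableName,RunCount,LastRun
C:\\Windows\\Prefetch\\NOTEPAD.EXE-D8414F97.pf,NOTEPAD.EXE,12,2024-03-01 09:14:22
C:\\Windows\\Prefetch\\ANYDESK.EXE-1A2B3C4D.pf,ANYDESK.EXE,3,2024-03-02 18:41:07
C:\\Windows\\Prefetch\\CHROME.EXE-5F6E7D8C.pf,CHROME.EXE,45,2024-03-02 17:02:55
C:\\Windows\\Prefetch\\TEAMVIEWER_SETUP.EXE-9A8B7C6D.pf,TEAMVIEWER_SETUP.EXE,1,2024-02-28 11:05:13
"""

# Name fragments of the remote access tools the case asks about. Matching on
# fragments rather than exact file names also catches installers and renamed
# copies (e.g. TEAMVIEWER_SETUP.EXE or ANYDESK-1234.EXE).
REMOTE_ACCESS_TOOLS = (
    "anydesk", "teamviewer", "getscreen", "screenconnect", "ultravnc", "anyviewer",
)


def find_remote_access_tools(csv_text, keywords=REMOTE_ACCESS_TOOLS):
    """Return prefetch rows whose ExecutableName contains a remote access tool
    name fragment, oldest LastRun first so the hits read as a mini-timeline."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["ExecutableName"].lower()
        matched = [k for k in keywords if k in name]
        if matched:
            hits.append({
                "executable": row["ExecutableName"],
                "matched_tool": matched[0],
                "run_count": int(row["RunCount"]),
                # Treated as UTC, which Eric Zimmerman's tools write by default.
                "last_run": row["LastRun"],
                "prefetch_file": row["SourceFilename"],
            })
    # ISO-style timestamps sort correctly as strings.
    hits.sort(key=lambda h: h["last_run"])
    return hits


if __name__ == "__main__":
    for hit in find_remote_access_tools(SAMPLE_PREFETCH_CSV):
        print(f"{hit['last_run']}  {hit['executable']:<24} runs={hit['run_count']:<3} "
              f"({hit['matched_tool']})  <- {hit['prefetch_file']}")
```

To run it against a real export, pass the file contents, e.g. `find_remote_access_tools(open(r"C:\Collection\Module\...\PECmd_Output.csv").read())`. A hit with a low run count and a recent LastRun is exactly the kind of entry worth pivoting on in Amcache and the Event Logs next.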
Exercise For You
Since we found an instance of a remote access tool (AnyDesk), we can check other artifacts such as Amcache and the Event Logs to build a timeline of events.
In the same way we can check the Event Logs to answer whether any software was installed by the suspect.
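As an added example for the two exercises above (not code from the original post or from the Eric Zimmerman tools), the script below merges the AnyDesk-related entries from the PECmd, AmcacheParser and EvtxECmd CSVs into one time-ordered list, and separately pulls the Event Log records that indicate software installation: MsiInstaller events 1033 and 11707 in the Application log and Service Control Manager event 7045 (new service installed) in the System log. The sample CSVs are constructed, and their column names are my assumption of each tool’s export; adjust them to match your own parsed output.

```python
import csv
import io
from datetime import datetime

# Constructed samples shaped like the CSVs KAPE's parsing modules emit
# (PECmd, AmcacheParser, EvtxECmd). Column names are my assumption of each
# tool's export; paths, hashes and times are made up. Timestamps are treated
# as UTC, which Eric Zimmerman's tools write by default.
PREFETCH_CSV = """\
ExecutableName,RunCount,LastRun
CHROME.EXE,45,2024-03-02 17:02:55
ANYDESK.EXE,3,2024-03-02 18:41:07
"""

AMCACHE_CSV = """\
FileKeyLastWriteTimestamp,FullPath,SHA1
2024-02-20 10:11:12,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,CONSTRUCTED_SHA1_A
2024-03-02 18:39:50,C:\\Users\\suspect\\Downloads\\AnyDesk.exe,CONSTRUCTED_SHA1_B
"""

EVTX_CSV = """\
TimeCreated,EventId,Provider,Channel,Payload
2024-03-02 18:40:02,7045,Service Control Manager,System,A service was installed in the system. Service Name: AnyDesk Service
2024-03-02 18:42:30,11707,MsiInstaller,Application,Product: 7-Zip 23.01 -- Installation completed successfully.
2024-03-02 19:00:00,1033,MsiInstaller,Application,Windows Installer installed the product. Product Name: 7-Zip 23.01.
2024-03-02 19:05:44,1000,Application Error,Application,Faulting application name: notepad.exe
"""

# Event IDs that record software being installed: MsiInstaller writes 1033 and
# 11707 to the Application log, and the Service Control Manager writes 7045 to
# the System log when a new service (e.g. a remote access tool's service) is created.
INSTALL_EVENT_IDS = {
    1033: "MsiInstaller: product installed",
    11707: "MsiInstaller: installation completed successfully",
    7045: "Service Control Manager: new service installed",
}


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def find_install_events(evtx_csv):
    """Return installation-related events from an EvtxECmd CSV, oldest first."""
    found = []
    for row in _rows(evtx_csv):
        event_id = int(row["EventId"])
        if event_id in INSTALL_EVENT_IDS:
            found.append({
                "time": _ts(row["TimeCreated"]),
                "event_id": event_id,
                "channel": row["Channel"],
                "summary": INSTALL_EVENT_IDS[event_id],
                "payload": row["Payload"],
            })
    return sorted(found, key=lambda e: e["time"])


def build_timeline(prefetch_csv, amcache_csv, evtx_csv, keyword):
    """Merge Prefetch, Amcache and Event Log entries mentioning `keyword` into
    one list of (time, source, description) tuples sorted by time."""
    key = keyword.lower()
    events = []
    for row in _rows(prefetch_csv):
        if key in row["ExecutableName"].lower():
            events.append((_ts(row["LastRun"]), "Prefetch",
                           f"{row['ExecutableName']} last run, run count {row['RunCount']}"))
    for row in _rows(amcache_csv):
        if key in row["FullPath"].lower():
            events.append((_ts(row["FileKeyLastWriteTimestamp"]), "Amcache",
                           f"{row['FullPath']} recorded (SHA1 {row['SHA1']})"))
    for row in _rows(evtx_csv):
        if key in row["Payload"].lower():
            events.append((_ts(row["TimeCreated"]), f"EventLog/{row['Channel']}",
                           f"EID {row['EventId']}: {row['Payload']}"))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    print("== AnyDesk timeline ==")
    for when, source, what in build_timeline(PREFETCH_CSV, AMCACHE_CSV, EVTX_CSV, "anydesk"):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {source:<16} {what}")
    print("\n== Software installation events ==")
    for ev in find_install_events(EVTX_CSV):
        print(f"{ev['time']:%Y-%m-%d %H:%M:%S}  {ev['channel']:<12} EID {ev['event_id']}  {ev['payload']}")
```

On the sample data the timeline reads Amcache (file recorded in Downloads), then the 7045 service installation, then the Prefetch last run, which is the order you would expect for a download-install-execute sequence; on real data, compare the three timestamps the same way and look for gaps or reordering that need explaining. The install events list is a starting point for the JD question: each product name it surfaces should be checked against what the suspect’s role would legitimately need.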
You can share your writeups, thoughts related to this “DFIR Zero To Hero series” over email (email@example.com).