Saturday, March 10, 2012

Incident Response Toolsets and Checklists

A few months ago I was reading this Digital Forensics Case Leads: ReFS, Ex01, and DFIROnline post and came across the following bit under the Tools section:

Michael Ahrendt recently released an interesting looking "Automated Triage Utility," written in the AutoIT scripting language. It is a GUI-driven data collection utility designed for live system response. In this regard, it reminds me a lot of Monty McDougal's Windows Forensic Toolchest. They differ in UI and programming language, but aim at the same objective.

I hopped over to take a look at Michael’s Automated Triage Utility and it is pretty cool. You do have some "light” building work to do to seed the structure Michael provides with some extra applications but in total it provides a responder a great set of information logs and evidence collection.

While one-click incident assessments are no substitute to a detailed and focused analysis and pick-apart, these toolsets and first-responses may be of significant benefit getting some assessment data to determine scope of impact and breadth incident. With the core data collected an analyst or response team can then plan out additional responses.

Of course, use of these tools on a live system may have an impact of their own on that system. If possible it might be best to first try to capture both system and memory images if possible to preserve volatile system state information. That said, if the threat is significant enough and risk of critical data loss high, then it might be wise to isolate the system from the network immediately if your response protocol allows. Detailed documentation of response actions and tools run will also help in the post-mortem.

Here are some other related tools and resources that came to my mind after looking at the Automated Triage Utility Toolset.

RegRipper - Harlan Carvey’s Perl-based toolset for picking apart critical registry locations and data for a forensic response. Addition of additional community-based scripts extends the features wonderfully.

RegExtract - Mark Woan’s own take of RegRipper that uses a Windows binary with other 70 plugins to assess system information.

BinPack -Godai Group - a portable application storehouse with over 100 security tools for security assessment and pen-testing.

MIR-ROR - CodePlex project from Russ McRee and Troy Larson. MIR-ROR = Motile Incident Response - Responde Objectively, Remediate. Customized CLI script that uses Windows Sysinternals tools and others to do live-system captures. More info here at HolisticInfoSec’s Toolsmith: (PDF) June 2009 - MIR-ROR: Motile Incident Response - Respond Objectively, Remediate.

Confessor - CodePlex project built from the concepts of MIR-ROR. This allows remote intel gathering on a host of systems in an AD environment. Pretty cool stuff. More info here at HolisticInfoSec’s Toolsmith: (PDF) November 2010- Confessor & MOLE

Registry Decoder Digital Forensics Software - registrydecoder & regdecoderlive - Automated, live acquisition of registry files - via Google Project Hosting. Some of the previous tools listed work on Windows Registry hives that have already been collected. This one is a bit different in that it can be used against live registry files as well as historical ones. More info here at HolisticInfoSec’s Toolsmith: (PDF) December 2011 - Registry Decoder

MANDIANT: Intelligent Information Security has an outstanding collection of free software for incident response and malware analysis. In particular, their Redline utility does some super-awesome host triaging work. See also: IOC Finder

Security Database IT Watching - Evidence Collector - Not supported from some time, but still a very clever and useful “command and control center” tool that leverages other applications in collecting information from systems being assessed.

OSForensics - PassMark Software’s tool can be used to build a portable version to do extensive system information and analysis.

ESET Sysinspector - Neat tool to collect details on a running system, then perform heuristic analysis for risk level labeling of captured components. Makes it easy to begin a top-down assessment of a system.

Nigilant32 - Agile Risk Management LLC. Tiny tool to create a report snapshot of critical live-system processes, services, accounts, tasks, ports, and so on, as well as file-system review tool and active memory imaging support.

rapier - First Responders Info Gathering Tool - Google Project Hosting - RAPIER stands for Rapid Assessment & Potential Incident Examination Report tool. It doesn’t appear to be active since early 2008 but there may be some good material left in this tool. Check the “Downloads” page for some additional PDF and presentation material regarding the toolset. Based on the Intel (R) RPIER project. Added to post list 04-21-12

Response Checklists

Of course, just because you got some tools in your box doesn’t mean that you should just run rough-shod onto a system that is the target of some evilness. Hopefully you and/or your organization has a well-documented incident response framework already in place to guide and shape your response activities in a meaningful and effective way.

Here is a collection of some good ones you may want to consider.

Information and Security Cheat Sheet and Checklist References - Lenny Zeltser. Serious collection of cheat sheets and checklists for IT security response pros. Look carefully at the bottom of the page as Lenny offers some additional cheat sheets form others as well. - Checklists galore!

Incident Response Checklist (PDF) - via

Procedure for Windows Incident Response (PDF) - via

Request for Forensic Examination (PDF) - via

Computer Security Incident Handling Guide (PDF) - NIST

An Incident Handling Process for Small and Medium Businesses - SANS Institute. Page 39 in particular has a good “Checklist for incident response capability”

Malware Detection Checklist - GoogleDocs - Instrument developed by Harlan Carvey and posted in this DFIROnline: Detecting Malware in an Acquired Image in Windows Incident Response blog post.

His work was expanded a bit in these posts:

Cheat Sheets - Packet Life - For the network incident response crew.

More resources:

Simple Malware Research Tools - ISC Diary. Some fresh tools from the SANS gang.

Can we believe our eyes? Another story - Microsoft Malware Protection Center

Malware Analysis Blog - Great new blog (to me) covering malware review and study.

PXE Boot Server in a Malware Lab - Malware Analysis Blog

Using Free Windows XP Mode as a VMWare Virtual Machine - Lenny Zeltser on Information Security blog

US-CERT: United States Computer Emergency Readiness Team - 2011 GFIRST 2011 Conference papers and materials. So much goodness!


--Claus V.

1 comment:

Unknown said...

Hey, thanks for the reference and I'm glad you think the tool is cool. You have a ton of great references here. I will have to look through the checklists more to see if I can update my tool, make it better and incorporate maybe some things I've missed.

Thank you!