How to Investigate Like a Rockstar
Live a real crisis to master the secrets of forensic analysis
Copyright 2017 Sparc FLOW
All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law.
Foreword
There are two kinds of companies: those that have been breached and those that do not know it yet. And when they finally find out (if they are that lucky), a violent panic sets in that quickly escalates to the executive level.
This book describes in detail such an incident inspired by real life events, from the first doubtful call made by a bank to the height of tension caused by preliminary forensic analysis.
We will go as deep as memory analysis, perfect disk copy, threat hunting and data carving while sharing insights into real crisis management: how to steer people in the right direction, what are the crucial reflexes of a first responder, what to say and do in the first minutes of a security incident, and how to address the inevitable challenge of security versus business continuity.
Finally, we will tackle the most important issue of all: how to rebuild a trusted and secure information system.
We will find out how we can regain trust in machines that have been breached, and how we can make sure attackers will not come back to exact a bitter revenge.
Note: Custom scripts and special commands documented in this book are publicly available at www.hacklikeapornstar.com.
Important disclaimer
The examples in this book are entirely fictional. The tools and techniques presented are open-source, and thus available to everyone. Investigators and pentesters use them regularly in assignments, but so do attackers. If you recently suffered a breach and found a technique or tool illustrated in this book, this neither incriminates the author of this book in any way nor implies any connection between the author and the perpetrators.
Any actions and/or activities related to the material contained within this book are solely your responsibility. Misuse of the information in this book can result in criminal charges being brought against the persons in question. The author will not be held responsible in the event any criminal charges are brought against any individuals using the information in this book to break the law.
This book does not promote hacking, software cracking, and/or piracy. All of the information provided in this book is for educational purposes only. It will help companies secure their networks against the attacks presented, and it will help investigators assess the evidence collected during an incident.
Performing any hack attempts or tests without written permission from the owner of the computer system is illegal.
The first call
To pity distress is but human; to relieve it is Godlike.
Horace Mann
Like most major security incidents, our story begins with a distress call at 6 am:
Hello, this is LeoStrat Inc. I am trying to reach the Computer Emergency Response Team to report unusual activity on our mainframe. We have reason to believe malicious actors have attempted to access sensitive banking information, and we would like you to assist us in conducting an investigation.
Very well. Please do not perform any actions on the machine until we are on-site.
Given the nature of the incident, we quickly dispatch a first responder to assess the severity and sophistication of the attack. Are we talking about a classic malware, a rootkit or a targeted attack? What kind of evidence do we have? Which other machines are infected?
The small detail that troubles us, though, is the nature of the machine reportedly impacted. How can there be malware on a mainframe? These systems do not even have public vulnerabilities listed on popular websites.
Actually, we are surprised that the attacker even bothered to target this legacy machine in the first place.
In any case, in preparation for going on-site we arrange our regular toolkit:
- Laptop with both Kali Linux and Windows for analysis purposes. Some like to use the SIFT virtual machine, which comes with pre-installed forensic tools.
- A few empty external hard drives. There are never enough of these, so we take as many as we can.
- A bootable USB key containing a Debian distribution.
- A USB key containing classic forensic tools, and also clean versions of Linux and Windows binaries (cmd.exe, bash, etc.).
- Multiple screwdrivers in case we need to deal with physical machines.
- Physical write blocker to perform forensically sound copies (more on this later).
- Miscellaneous equipment: RJ45-to-USB adapter, USB hub, USB-C-to-USB adapter, male-to-female USB cable and SATA-to-USB adapter.
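The clean binaries on that USB key are the only tools the first responder will trust on a host whose own cmd.exe or bash may have been replaced, so it is worth being able to prove the key itself has not changed since it was prepared. The script below is an added example, not code from the book or its companion site: it records a SHA-256 manifest of the key when it is built and re-checks the key against that manifest before use. It assumes GNU coreutils (sha256sum, cmp, mktemp) and uses a constructed temporary directory in place of a real USB key.

```shell
#!/bin/sh
# Added example (not from the book): a SHA-256 manifest for the "clean tools"
# USB key. The key is built from trusted media, its manifest is recorded and
# kept elsewhere, and before any tool from the key is run on a suspect host
# the key is checked against that manifest. Assumes GNU coreutils.
set -eu

# build_manifest DIR MANIFEST
# Writes "hash  ./relative/path" for every file under DIR, in sorted order,
# so two manifests of the same content are byte-identical.
build_manifest() {
  ( cd "$1" && find . -type f | sort | xargs sha256sum ) > "$2"
}

# verify_manifest DIR MANIFEST
# Rebuilds the manifest and compares it with the recorded one; this catches
# modified, deleted and added files alike. Prints OK / TAMPERED, exit 0 / 1.
verify_manifest() {
  current=$(mktemp)
  build_manifest "$1" "$current"
  if cmp -s "$2" "$current"; then
    rm -f "$current"
    echo OK
    return 0
  fi
  rm -f "$current"
  echo TAMPERED
  return 1
}

# --- Constructed demo: a temporary directory stands in for the USB key ---
DEMO_KEY=$(mktemp -d)
DEMO_MANIFEST=$(mktemp)
trap 'rm -rf "$DEMO_KEY" "$DEMO_MANIFEST"' EXIT
mkdir -p "$DEMO_KEY/linux" "$DEMO_KEY/windows"
printf 'constructed stand-in for a clean bash binary\n' > "$DEMO_KEY/linux/bash"
printf 'constructed stand-in for a clean cmd.exe\n'     > "$DEMO_KEY/windows/cmd.exe"

# 1. Record the manifest when the key is prepared (store it off the key).
build_manifest "$DEMO_KEY" "$DEMO_MANIFEST"

# 2. Check before use: an untouched key verifies clean.
FIRST=$(verify_manifest "$DEMO_KEY" "$DEMO_MANIFEST")           # OK

# 3. Simulate a tool that was altered while the key sat in a drawer.
printf 'extra bytes\n' >> "$DEMO_KEY/windows/cmd.exe"
SECOND=$(verify_manifest "$DEMO_KEY" "$DEMO_MANIFEST" || true)  # TAMPERED

echo "untouched key: $FIRST; after modification: $SECOND"
```

Keep the manifest somewhere other than the key itself (a printed copy in the toolkit bag works), otherwise whoever can alter a binary can also rewrite the manifest. Comparing a freshly built manifest rather than running sha256sum -c is deliberate: a check mode only looks at the files listed, so an extra binary dropped onto the key would pass unnoticed.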
Action plan
We arrive on LeoStrat's main site at 7 am and request the same three items we always ask for in an investigation:
- A fresh update on the situation
- All documents describing the network and system architecture
- Contact information for every key IT role inside the company (network admins, mainframe admins, Linux admins, Windows admins, security officer, CTO, etc.)
People tend to believe that a forensic investigator is some kind of wizard who can instantly ward off evil with his magic wand. This could not be further from the truth.
It is a challenge to dive into an unknown ecosystem and deal with its intricate complexities. That is why it is crucial to both get as many documents as possible and also to quickly identify key people who can assist us in the investigation by mapping critical machines, extracting logs, creating accounts, contacting personnel, etc.
While LeoStrat is building its crisis team and setting up shifts, we get a description of the incident from a mainframe admin (also called a sysadmin or sysprog):
We noticed an unusual spike in the CP workload around 4 am. Our sysprog checked the JES SPOOL and found a JOB consuming almost all I/O. The JOB was submitted by an unknown account called G09861.
Before asking what the heck a JES SPOOL is, we start with a somewhat naive question:
So, we understand that some banking data was leaked? Precisely what kind of data are we talking about?
Oh, on the Z machine we have client accounts, pension funds, balance files, personal information, tax returns, you name it.
And that's when it hits us! The mainframe is not their good ol' legacy machine; it's where almost all of their core business is processed! This is promising.
Now that they have our attention, let us break down what just happened on their mainframe.
Let's start with the machine itself. A mainframe is a "big iron" machine that powers up to 20 billion transactions per day without breaking a sweat: wire transfers, money withdrawals, flight bookings, etc. IBM's Z series is used by 75% of Fortune 500 companies and is without question the foundation of our modern business economy.