Monday, July 29, 2013

PowerShell Intro

Before covering how Incident Responders can leverage Windows PowerShell, I thought it would be appropriate to provide a small introduction for those who are not familiar with all the cool things that can be done through PowerShell.

What is PowerShell:
Windows PowerShell is Microsoft's answer to our cries for a better scripting environment and command shell.  Scripting in PowerShell is much more intuitive than batch, and although PowerShell does have some Microsoft centric quirks it more closely resembles other interpreted languages like Python.  Microsoft has made the entire .NET framework available through PowerShell, which allows a great deal of flexibility to those who want to take on development.  Through PowerShell, Microsoft without a doubt opened many doors for Forensicators and Incident Responders.

PowerShell introduces two features which make scripting significantly more easy.  The first feature is tab completion, those readers familiar with unix will understand how nice tab completion can be.  If you do not know the exact command syntax all you have to do is press tab and PowerShell will do the work for you.  The second, and in my opinion most important, feature is the object oriented nature of PowerShell.  PowerShell commands (Cmdlets) return .NET objects, which can be manipulated to display the desired results.  These new features alone make scripting in PowerShell easier and more logical than batch or VB scripting.

PowerShell History:
To better understand Windows PowerShell's origins refer to Jeffrey Snover's Monad Manifesto. The manifesto describes Monad platform, one part of which was the Monad Shell.  The Monad Shell is the brainchild which would eventually morph into PowerShell.

PowerShell version 2.0 is available on Windows 7 and Windows Server 2008 by default.  Depending on your patching you may have version 2.0 if you are running Windows XP SP3, Windows Vista SP1, or Windows Server 2003 SP2. If you have a pre Windows 7 host that does not have PowerShell you can find the appropriate patches here.  PowerShell version 3.0 is available on Windows 8 and Windows Server 2012, and version 4.0 will be introduced with Windows 8.1 Beta and Windows Server 2012 R2.  To learn more about the additions to PowerShell in version 3.0 and 4.0 click the links embedded in their version numbers.


PowerShell provides users two main environments, the Command Line Interface (CLI) and the Integrated Scripting Environment (ISE).

Windows PowerShell (CLI)

Windows PowerShell ISE
The CLI is your go to interface for PowerShell.  You can treat it exactly the same as the Windows Command Shell (in fact if you enter a native Windows command, PowerShell will automatically spawn a Command Shell and execute the command for you).  The CLI's utility begins to run out when you want to introduce logic or use more than one line which is why Microsoft gives us the ISE.  The ISE is enabled by default on Windows 7, but on Server 2008 you must install the Windows PowerShell Integrated Scripting Environment (ISE) feature.  The ISE provides, as the name implies, an environment that is fairly useful for writing, testing, and debugging scripts.  As seen in the picture above the ISE has three windows.  The window on the right is the script pane, where users can author scripts using some niceties like tab completion.  The bottom left window is the console pane which has practically identical use as the Windows PowerShell CLI.  The top left windows is the output pane, which is where output is written by default (PowerShell supports many different outputs such as: text, csv, html, and xml)

Cmdlet Naming Convention:
All PowerShell cmdlets follow a standard naming convention which is called the verb-noun convention.  Each cmdlet name will consist of a verb followed by a dash (-) and a singular noun.  Some example cmdlet names are Get-Process, Stop-Service, Set-Variable, and New-Object.  MSDN has a list of each approved verb and its meaning.

3 Cmdlets to Rule them All:
There are three cmdlets that will enable new users to use every other cmdlet available in Windows PowerShell.

The first cmdlet every PowerSheller should know is Get-Command.  This cmdlet returns a list of every cmdlet available in the current shell.  Get-Command can be used alone, or if you are looking for a specific type of cmdlet you can the -Verb parameter to specifically look for cmdlets that perform a certain action, and -Noun which will show all cmdlets pertaining to a specific type of object.

The second important cmdlet is Get-Help which is the equivalent of Linux's man command.  This cmdlet returns the help file which contains syntax, parameter descriptions, and usage examples.
Once you have found the cmdlet you want to use, and have determined the proper syntax it is important to understand what output you will receive.

As mentioned earlier PowerShell is object oriented, so each cmdlet will return an object with a series of properties and methods.  The cmdlet Get-Member accepts an object as a parameter, and will return the properties and methods of the object.  The most common syntax for Get-Member is Get-Process | Get-Member which will provide the output of Get-Process as the input object for Get-Member

PS Drives:
One final feature readers should be aware of is how PowerShell deals with structured system data.  PowerShell has a feature known as PSDrives through which it treats structured system data (i.e. the Windows Registry) as if it were the file system.  Additionally, PSDrives do not require single letter names, so you can name you data drive "Data" instead of "D:\".

To enumerate all PSDrives on the system use the cmdlet Get-PSDrive.  Below is some example output of the Get-PSDrive cmdlet.  As you can see there are many PSDrives available in the current PowerShell session such as the Local Machine and Current User registry hives, as well as, shell variables and aliases.  PowerShell treats all data as items, and the PSDrive concept allows administrators to learn one method that will work for files, registry, environment variables, etc.

Further Reading:
For those interested in learning a little more in depth about PowerShell basics there is an excellent book written by Don Jones called Learn Windows PowerShell 3 in a Month of Lunches. Don Jones is one of, if not the most, respected minds in regard to PowerShell, and he does an excellent job introducing this application to readers through a series of 1 hour lessons or lunches (I read it over a weekend because I was in a hurry to learn as much as possible).

Thursday, July 25, 2013

SANS FOR 508 Advanced Computer Forensics and Incident Response Review

Last week I was lucky enough to attend the FOR 508: Advanced Computer Forensics and Incident Response course at SANS' Digital Forensics and Incident Response Summit, as a work study student. The course (508) was taught by Chad Tilbury (Check him out!), and is the brain child of SANS Fellow Rob Lee. Not only was Chad one of if not the best instructor I have had in the Computer Security field, but the course material is second to none. 508 is without a doubt worth the time and money you (or your employer) will invest in it.

The Concept:
508 has recently been retooled to focus on battling the much maligned Advanced Persistent Threat (APT). The class motto is "APT is in your network, start hunting". The APT focus makes it 100% relevant to not just forensic investigators, but to anyone wanting to learn to defend their network. This course is up to date with the latest forensics techniques, in fact, Chad introduced us to tools that were still in beta and methodologies that are still being researched!

The Material:
SANS recommends that students attend FOR 408: Computer Forensic Investigations - Windows In-Depth before attending 508 (they recommend it for a reason), but if you have a forensics background or are willing to put in a little overtime you should be able to catch up enough to take 508 (508 has more direct application to my needs, although I look forward to attending 408 in the future). Rob Lee says the expectation of 508 students is that they understand conversational forensics (can speak to different forensics artifacts and tools). This course is a smorgasbord of valuable skills and information for incident responders, system administrators, and forensicators alike.

On day 1 they cover the physical layers of the file system (from the physical platters to the file name layer that contains file names and a directory structure), and how to properly mount images for analysis (e.g. read only). Just when you think the first day couldn't cover any more information the class jumps into the exciting world of Enterprise Analysis and Live System Incident Response (my favorite!!).  This portion teaches students about domain authentication, how to secure domain administrator credentials, and many methods of accessing system information on remote of hosts (Many of my future blog posts will revolve around utilizing PowerShell for "Live System 'Enterprise' Incident Response" for lack of a better term).

Day 2 is spent covering memory forensics. SANS offers a course on Memory Forensics that is currently 5 days long and covers the details of memory (memory structures and such), but 508 offers a very practical lesson in how to implement memory forensics TODAY. Students will learn how to acquire memory, as well as, how to provide in depth analysis of the memory once acquired (Day 1 offers insight into a method of analyzing memory without having to first complete the acquisition process...which is awesome!). Memory forensics is absolutely necessary when combating APT as it is one of the best, if not only, methods to detect rootkits (See SANS instructor and FOR 526 author Jesse Kornblum's paper regarding the rootkit paradox). The best part of Day 2 is that it doesn't focus on one method of analyzing memory. Instead 508.2 spends the time to teach students the pros and cons to different tools, and even different methods of using the same tool.

Day 3 is dedicated to timeline analysis. No one should be considered a forensicator or incident responder if they do not have an intimate knowledge of timeline analysis (Specifically using log2timeline). Log2timeline came out of a GCFA Gold Paper written by Kristinn Guðjónsson, and the community has never looked back. Log2timeline is really a cultural shift in the way we perform investigations, as it aggregates almost every forensic artifact into one timeline that truly tells the story of actions taken on a machine. This is where that 408 knowledge comes in handy... if you do not know how to interpret a specific artifact, then you lose fidelity in your timeline (possibly the opportunity to spot malicious activity).

Day 4 and 5 begin with XP Restore Point and Volume Shadow Copy analysis which can be harnessed for some really cool stuff. We can use these snapshots to add fidelity and depth to our timeline, and we can use them to recover deleted files. Next, Chad covered deep dive forensics (This is where the class dives into the weeds of file system analysis). The class dives into $MFT analysis which introduces us to a second set of timestamps ($STDINFO), and new artifacts like the NTFS TriForce (David Cowen's baby). These artifacts will not be presented in any other course!  Day 5 wraps up with methods and techniques of finding unknown malware. Assuming anti-virus fails to detect a threat, what are some methods we can use for detection? FOR 508 introduces and spends half a day discussing the concept of malware funneling which is the process of reducing data through a series of automated tasks until you have a small enough data set that you can perform manual analysis (SANS instructor Alissa Torres has an excellent webinar on the subject).

The Lab (Day 6):
The last day of the class is spent in on a team exercise.  The team investigates a set of hosts that were part of an intrusion, however this is not your normal everyday exercise....this is where it gets interesting!

Rob Lee went all out on this course developing it around an "as real as it gets" scenario. The scenario is about an R&D firm that makes a great discovery, only to be hacked by APT. Students are given four hosts to conduct forensic investigations to determine what happened.  Questions like the initial infection vector, when the initial infection occurred, what data was lost, and the current state of the network can be answered.

When we talk about this lab it is important to understand the level of detail used to create this virtual network. Not only did the network have 100s of hosts and 1000s of users, Rob Lee went out of his way to ensure this network was as real looking as possible (He basically lived with multiple personalities over the course of a year to ensure the systems were used as they would be in a real domain environment). He hired a professional Red Team and trained them up to act like APT, he hired domain architects to build the domain in a professional/secure manner, and he even loaded the systems with some of the latest security tools.  You will not find a lab this extensive anywhere else!

All in all this course is so relevant and so practical that there is no reason not to put this one on your wishlist. If you are serious about finding bad guys in your network, cause lets face it they are there, then this course has your name on it. I learned more about forensics in one week than I have learned over the past three years!

At the DFIR Summit in Austin Rob Lee and his Forensicating Cohorts at SANS introduced, for the first time in the United States, a new version of SANS' famous NetWars. Following along with the 508 labs they have created a forensic version of NetWars which tests students on basic forensic artifacts, timeline, registry, file system, and memory analysis. Anyone that has participated in NetWars will agree that it is terrific learning environment and is worth the investment of time.

I was lucky enough to earn my Lethal Forensicator Coin by placing first in this NetWars competition at the DFIR Summit.

Saturday, July 20, 2013

Welcome to Invoke-IR

Welcome to Invoke-IR, the blog where I (Jared Atkinson) will discuss Digital Forensics and Incident Response using Windows PowerShell.  Windows PowerShell is an excellent application that solves many of the complaints we all have about the native Windows command shell.  Unfortunately many system administrators, incident responders, and forensicators are not familiar enough with Windows PowerShell to understand its use.  Through Invoke-IR (the name is a PowerShell pun) I will introduce readers to PowerShell itself, some resources that will provide a deeper understanding of PowerShell and digital forensics, and how we can apply PowerShell to Incident Response.

Some topics I plan on covering in the near future are:
1) Intro to PowerShell
2) PowerShell Remoting
3) Windows Logon and Authentication (How it relates to PowerShell)
4) Dealing with Event Logs in PowerShell
5) Handling the Windows Registry through PowerShell
... and much much more

Thank you for visiting Invoke-IR and I am looking forward to reading your comments and questions.

- Invoke-IR - By Jared Atkinson -