Part 13 - Navigating the H Drive

Video Activity

Time
7 hours 56 minutes
Difficulty
Advanced
CEU/CPE
7
Video Transcription
In order to run that md5deep command, the first thing that you're going to want to do is open up a command prompt from your forensic machine. You can see it there. We'll just run it as the administrator. Now that we have that set up, we would essentially navigate to where we have our md5 program up and running. I also have one on my desktop and we have one here on this H drive. We can navigate to our H drive and then go into that md5 folder. I think it's one more level down. Then we would essentially want to run the md5deep64.exe since we're on a 64-bit system, and we're going to want to hash this EnolaGay file up here that is in the E drive. We would essentially tell it to hash that file, EnolaGay.mem.

Here we have the directory where our md5.exe program is, and then we have the file that we want to hash. Then we will hit "Enter." Then, just to save some time, I've already done this. You will see that it produces a result that looks like this. Here's our file, the H drive file, here's the E:\EnolaGay.mem, and this essentially is the hash of that file. You would want to go ahead and export that out to a notepad and then copy that over to your notes, and that way you have the integrity of that file throughout the course of your investigation.

That's just a couple of different ways to look at some of the volatile memory. As promised, I will go into the Mandiant Redline as well, just so you can see what that looks like. We'll close some of these windows out and then we will open up the Mandiant Redline program. To get Mandiant Redline, one of the things that you can do is just Google "Mandiant Redline" and you'll go to the FireEye site. Then from here you can fill out your personal information and then click "Download" and you will receive a copy of Mandiant Redline. It's a pretty powerful software. It allows you to collect that volatile memory and do that analysis in a one-stop shop, and it's free, so I like free.

We've already got Mandiant Redline installed on our desktop. We'll just go ahead and launch that. Once you launch Redline, you'll come up with this prompt. You have a few options to choose from. You can create a standard collector, you can create a comprehensive collector, or you can create an IOC search collector. Just for demonstration purposes, we're going to create a standard collector, and as you look at this, it gives you a couple of options. You can go in and edit your script. When looking at memory, it will essentially look at all of these different options that you select, and then you can go down and ask for different hash values for all of these different processes. It will also acquire a memory image if you so choose. Again, it will take a little bit of time if that's something that you want to select, especially if you have a machine that has a large amount of RAM. You can look at the disk and choose different options under the disk, you can look at the system. Then you can go over and look at network. Then the other tab has some other types of searches that you may want to do. Those are just some basic searches. It really depends on what you're looking for, how you would want to set this tool up. But it is, again, a very powerful tool for searching.

After that, you would then want to save this collector to a location. We would browse. We could save this to our forensic thumb drive if we wanted to, and then put that into our victim's system and essentially run the capture program in order for it to work. We have to create a folder on the forensic thumb drive. We'll just create a new folder. We'll just call it Redline so we know what it is. We'll hit "Select" and then we'll hit "Okay." It then creates that portable collector package and it gives you instructions saying that your collector package is created and saved to that location where we specified on our thumb drive. Then on the machine that we want to audit or collect from, you're going to run the RunRedlineAudit.bat script. Then they save perfectly on removable media. Then the script will run and then it's going to create essentially the result sessions 1, 2, or 3, however many sessions that you have going or had analyzed; it will just depend on the number on the back of that. Then when it's finished, you can transfer the results back to our analysis machine and then we can go back in and look at the files and folders that we have.

If we go to our forensic drive where we saved that, we can see that we now have that folder we called Redline and that we do have the RunRedlineAudit batch file. Then once we insert that into our victim machine, we could run the Redline program and then it would essentially execute and produce some results for us to look at. I've already done this just to save some time because it is quite time-consuming for that process to run, and we will go ahead and look at some of these examples.

One of the examples that I ran was this analysis session 3. We can just go ahead and pull that up and it will take all of the information that we had on our system. I ran it on my own system so that essentially it will identify the system here. It says that we're running Windows 10 Professional, domains and a workgroup, the host name is LittleBoy and the primary IP address is my internal IP address of 192.168. That gives you all of that information. Click on this and then it essentially just provides an overall view of the system. It provides how much physical memory we have, it provides the time that our system is in, the identity of the processor, uptime, how many drives we have in. Again, the operating system, the system directories, product IDs, how many bits it is, the type of user that's logged in. Again, a very powerful tool, and you can look at essentially the services that you have running, some of the registry keys, the persistent registry information, users with SIDs and identities. Then you can scroll down through and look at event logs, DNS history, browser history. Again, it's a very powerful tool and it makes the analysis of this data very easy. I like it a lot, I use it whenever I can.

However, this shouldn't be your primary go-to method every single time because, like any tool, something can go wrong and will go wrong. So knowing how to do some of these other methods is very important. Once you have, essentially, the dump file that we created earlier, the .mem file on our forensic drive, if the analysis portion were to fail, you can go back in and use some Python scripting to essentially look at your .mem file and get a little bit more information through the use of Volatility. That is an option. However, the Mandiant Redline program will also look at that .mem file. Again, there's numerous options on how to go about doing this process. It's good to know more than one option. It's good to use more than one tool when you're doing your forensic investigation. That way, you can go and correlate some of the answers that you get. Then some tools, they just provide different information that other tools can't provide, and some of them just have better user interfaces. Again, don't just stick with one tool; there are literally hundreds of tools out there for you to use.
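The integrity step the instructor performs with md5deep (hash the .mem image, paste the value into your notes, compare later) can be scripted so the hash is recorded and re-checked the same way every time. The following Python is an added example, not code from the video, from md5deep or from Redline; the image name EnolaGay.mem is borrowed from the transcript, the sample bytes and the notes-file line format are constructed for this example, and it adds SHA-256 alongside MD5 because MD5 alone is no longer considered collision-resistant.

```python
"""Record the hash of an acquired memory image, then re-verify it later.

Added example (not from the video, md5deep or Redline). Hashes are computed
in chunks so a multi-GB .mem file never has to fit in RAM, and each value is
appended to an evidence-notes file so it travels with the case notes.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 4 * 1024 * 1024  # 4 MiB reads keep memory use flat on large images


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at `path`, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_hashes(image_path, notes_path):
    """Hash the image and append one tab-separated line per algorithm.

    Line format (constructed for this example, not md5deep's own output):
        <UTC timestamp>\t<algorithm>\t<hexdigest>\t<image path>
    """
    digests = hash_file(image_path)
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    with open(notes_path, "a", encoding="utf-8") as notes:
        for name, digest in digests.items():
            notes.write(f"{stamp}\t{name}\t{digest}\t{image_path}\n")
    return digests


def verify_against_notes(image_path, notes_path):
    """Re-hash the image and compare with every recorded line for that path.

    Returns (ok, mismatches). ok is False when any recorded digest differs
    or when no record exists, so an altered or unrecorded image cannot pass.
    """
    current = hash_file(image_path)
    mismatches, seen = [], 0
    with open(notes_path, encoding="utf-8") as notes:
        for line in notes:
            parts = line.rstrip("\n").split("\t")
            if len(parts) != 4 or parts[3] != image_path:
                continue
            seen += 1
            _, name, recorded, _ = parts
            if current.get(name) != recorded:
                mismatches.append((name, recorded, current.get(name)))
    return (seen > 0 and not mismatches), mismatches


def demo():
    """Run the record/verify cycle on a constructed stand-in image.

    The 3-byte file is a constructed placeholder for a real .mem capture;
    the second verify shows what a single changed byte does to the check.
    """
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "EnolaGay.mem")      # name from the transcript
        notes = os.path.join(tmp, "evidence-notes.txt")
        with open(image, "wb") as fh:
            fh.write(b"abc")                             # constructed sample bytes
        digests = record_hashes(image, notes)
        ok_before, _ = verify_against_notes(image, notes)
        with open(image, "r+b") as fh:                   # simulate a modified image
            fh.seek(0)
            fh.write(b"x")
        ok_after, bad = verify_against_notes(image, notes)
        return {
            "md5": digests["md5"],
            "sha256": digests["sha256"],
            "ok_before": ok_before,
            "ok_after": ok_after,
            "mismatched": sorted(name for name, _, _ in bad),
        }


if __name__ == "__main__":
    print(demo())
```

Point the two functions at the real image on the forensic drive (for example record_hashes(r"E:\EnolaGay.mem", r"H:\case-notes\hashes.txt") at acquisition time and verify_against_notes with the same arguments before each analysis pass); the notes file is append-only by design, so a later re-hash is compared against the original record rather than overwriting it.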