Time
7 hours 36 minutes
Difficulty
Advanced
CEU/CPE
7

Video Description

This lab-based lesson offers step-by-step instructions on navigating the H drive of the forensic machine and hashing files with md5deep, producing a result that can be exported to Notepad and copied into the investigator's notes. Recording the hash lets an investigator demonstrate the integrity of a file (for example, a memory dump) throughout the investigation. This lesson also covers the use of Mandiant Redline, which allows the collection and analysis of volatile memory.

Video Transcription

00:04
So in order to run that md5deep command, the first thing that you're going to want to do is open up a command prompt from your forensic machine,
00:17
and you can see it there, running as administrator.
00:24
So now that we have that set up,
00:26
we would essentially navigate to where we have our md5deep
00:31
program up and running.
00:33
I also have one on my desktop, and we have one here on this H drive
00:41
so we can navigate
00:44
to our H drive,
00:49
go into the md5deep folder.
00:54
I think it's one more level down,
01:00
and then we would essentially want to run the md5deep
01:04
64.exe, since we're on a 64-bit system,
01:08
and we're going to want to hash this Enola *** file up here, that is on the H drive.
01:15
So we would essentially tell it to hash that file.
01:21
Enola ***.mem. So here we have the
01:23
directory where our md5deep.exe program is,
01:29
and then we have the file that we want to hash,
01:33
and then we will enter,
01:34
and then just to save some time,
01:37
I've already done this.
01:41
So you will see
01:42
that it produces
01:45
a result that looks like this. So here is our file. The H drive file
01:49
here is the Enola ***.mem, and this essentially is the hash of that.
01:56
So you would want to go ahead and export that out to Notepad
02:00
and then copy that over to your notes. That way you have the integrity of that file throughout the course of your investigation.
02:12
So those are just a couple of different ways to look at some of the volatile memory, and as I promised, I will go into Mandiant Redline as well, just so you can see what that looks like.
02:25
So we'll close some of these windows out,
02:31
and then we will open up the Mandiant Redline program. To get Mandiant Redline,
02:37
one of the things that you can do
02:39
is just Google
02:44
Mandiant Redline,
02:46
and you'll go to the
02:47
FireEye site.
02:53
And then from here, you can fill out your personal information and click download,
02:59
and you will receive a copy of Mandiant's Redline,
03:05
and it's a pretty powerful software. It allows you to collect that volatile memory and do that analysis kind of in a one stop shop,
03:14
and it's free,
03:15
so I like free. So we've already got Mandiant Redline installed on our desktop,
03:21
so we'll just go ahead and launch that.
03:24
once you launch red line, you come up with
03:29
this prompt,
03:30
so you have a few options to choose from. You can create a standard collector, you can create a comprehensive collector, or you can create an IOC search collector. Just for demonstration purposes, we're going to create a standard collector,
03:47
and as you look at this, it gives you a couple options. You can go in and edit your script.
03:52
So when looking at memory,
03:53
it will essentially look at all of these different options that you select,
04:00
and then you can go down and ask for different hash values
04:04
for all of these different processes. It will also acquire a memory image.
04:13
if you so choose. Again, it will take a little bit of time. That's something that you want to select, especially on a machine that has a large amount of RAM.
04:23
You can look at the disk
04:26
and choose different options under the disk. You can look at the system,
04:32
and then you can go over and network,
04:35
and then the other tab has some
04:40
other types of searches that you may want to do.
04:42
So those are just some basic searches. It really depends on what you're looking for, how you would want to set this tool up,
04:51
but it is, again, a very powerful tool for searching.
04:57
So after that, you would then want to save this collector to a location,
05:02
so we would browse,
05:06
we could save this to our forensic thumb drive if we wanted to,
05:13
and then put that into our victim's system and essentially run the capture program
05:19
in order for it to work. So
05:24
we will just create, if we have to, a folder on the forensic thumb drive. So we'll just create a new folder,
05:30
just call it Redline,
05:32
so we know what it is.
05:36
Select.
05:40
And then OK,
05:42
then it creates that portable collector package,
05:46
gives you instructions saying that your collector package is created and saved to that location we specified on our thumb drive,
05:53
and then on the machine that we want to audit or collect from, you're going to run the
06:00
Run Redline Audit script,
06:02
and they say preferably on removable media,
06:05
and the script will run. And then it's going to create, essentially, the results: Sessions 1, 2, 3, however many sessions that you
06:15
have going or have analyzed; it will just append a new number on the back of that. And then when it's finished, you can transfer the results back to our analysis machine, and then we can go back in and look at the files and folders that we have.
06:30
So we go to our
06:33
forensic drive where we saved it, and we can see that we now have the folder called Redline,
06:40
and that we do have a Run Redline Audit
06:44
batch file. And then once we insert that into our victim machine, we can run the Redline program, and then it would essentially execute
06:55
and produce some results for us to look at.
07:00
So I've already done this, just to save some time, because it is quite time consuming
07:06
for that process to run, and we will go ahead and look at some of these examples.
07:15
So one of the examples that I ran was this Analysis Session 3. So we can just go ahead and pull that up,
07:23
and it will take all of the information that we had on our system.
07:29
I ran it on my own system.
07:30
So it essentially will identify the system here. So it says that we're running Windows 10 Professional,
07:38
the domain is a workgroup, the host name is Little Boy, and the primary IP address is my internal IP address of 192.168... So that gives you all of that information.
07:50
Click on this and then it essentially just provides an overall view of the system. So it provides how much physical memory we have, it provides the time zone that our system is in, the identity of the processor,
08:07
up time.
08:09
how many drives we have,
08:11
again, the operating system, system directories, product IDs,
08:18
how many bits it is,
08:20
the type of user that's logged in.
08:24
So again, a very powerful tool. You can look at the
08:28
services that you have running,
08:31
some of the registry keys,
08:37
the persistent registry information
08:41
users with SIDs,
08:43
identities,
08:45
and then you can scroll down through and look at event logs,
08:50
DNS history, browser history. So again, it's a
08:54
It's a very powerful tool, and it makes the analysis of this data very easy.
09:03
I like it a lot. I use it whenever I can. However, this shouldn't be your primary go-to method every single time, because, like any tool, something can go wrong. It will go wrong, so knowing how to do some of these other methods is very important.
09:22
So once you have this, essentially the dump file that we created earlier,
09:28
the .mem file,
09:31
on our forensic drive,
09:33
If the analysis portion were to fail,
09:35
you could go back in and use Python scripting
09:39
to
09:41
essentially look at your .mem file
09:46
and get a little bit more information through the use of Volatility,
09:52
so that is an option. However, the Mandiant Redline program will also look at that .mem file. So again, there are numerous options on how to go about doing this process. It's good to know more than one option. It's good to use more than one tool
10:09
when you're doing your forensic investigation.
10:13
That way, you can go and correlate some of the answers that you get. And some tools just provide different information than other tools provide, and some of them just have better user interfaces. So again, don't just stick with one tool. There are literally hundreds of tools out there
10:33
for you to use.
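The hashing step described in the transcript (run md5deep over the .mem file, paste the digest into your notes, re-check it later) can be scripted so the check is repeatable. The block below is an added example written for this page, not code from the course or from md5deep: it hashes a file in chunks (so a memory image larger than RAM is fine), records md5deep-style "algorithm  digest  path" lines in a notes file, and re-verifies every recorded file, flagging any whose digest has changed. SHA-256 is recorded alongside MD5 as an assumption of good practice, since MD5 collisions are practical; the sample "memory image" is constructed inline and stands in for the Enola ***.mem file.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: record MD5 (to match md5deep output) plus SHA-256 (collision-resistant).
ALGORITHMS = ("md5", "sha256")


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks; returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_hashes(paths, notes_path):
    """Append md5deep-style 'algorithm  hexdigest  path' lines to the notes file."""
    lines = []
    for p in paths:
        digests = hash_file(p)
        for name in ALGORITHMS:
            lines.append(f"{name}  {digests[name]}  {p}")
    with open(notes_path, "a", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return lines


def verify_notes(notes_path):
    """Re-hash every file listed in the notes; return (path, algorithm) pairs that no longer match."""
    mismatches = []
    with open(notes_path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line:
                continue
            # Two spaces separate the fields, as in md5deep output; paths must not contain "  ".
            name, expected, path = line.split("  ", 2)
            actual = hash_file(path, (name,))[name]
            if actual != expected:
                mismatches.append((path, name))
    return mismatches


def demo():
    """Constructed sample: a tiny file stands in for the memory image (not real evidence)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "sample.mem"
        image.write_bytes(b"hello")
        notes = Path(tmp) / "notes.txt"
        record_hashes([str(image)], notes)
        digests = hash_file(image)
        clean = verify_notes(notes)            # untouched file: no mismatches
        image.write_bytes(b"hello!")           # simulate later modification of the evidence file
        tampered = [alg for _, alg in verify_notes(notes)]
        return {"digests": digests, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

Run the verification again whenever the image is copied to another drive or handed to a different tool (Redline, Volatility); a mismatch on either algorithm means the copy you are analysing is not the one you hashed at acquisition.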

Up Next

Incident Response and Advanced Forensics

In this course, you will gain an introduction to Incident Response, learn how to develop three important protection plans, perform advanced forensics on the incident, deep dive into insider and malware threats, and commence incident recovery.

Instructed By

Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor