Author: Doug Metz

CSIRT-Collect

DFIR, Forensic Imaging, PowerShell

A PowerShell script to collect memory and (triage) disk forensics for incident response investigations

There’s a number of tools that support a one-to-many remote operation capability. However, not all organizations have that level of capability. I’ve also seen that in some large organizations how things are designed to work with remote assets, and how they actually work, may not be the same. What I wanted was a repeatable pre-defined collection mechanism, that could scale out to be supported by non-forensics team members to participate in forensic evidence collection for incident response examinations. The intent is that the collection process can be distributed among remote team members, be it site support or Security Operations Center (SOC). The script can also be integrated into SOAR and EDR platforms.

CSIRT-Collect was written to fill that role.

https://github.com/dwmetz/CSIRT-Collect

CSIRT-Collect leverages a network share, from which it will access and copy the required executables and subsequently upload the acquired evidence to the same share post-collection.

Permission requirements for said directory will be dependent on the nuances of the environment and what credentials are used for the script execution (interactive vs. automation). In the demonstration code, a network location of \\Synology\Collections can be seen. This should be changed to reflect the specifics of your environment.

The Collections folder will need to include:
– subdirectory KAPE; copy the directory from any existing install
– subdirectory MEMORY; 7za.exe command line version of 7zip and winpmem.exe

CSIRT-Collect Operations:

  • Maps to existing network drive –
  • Subdir 1: “Memory” – Winpmem and 7zip executables
  • Subdir 2: ”KAPE” – directory (copied from local install)
  • Creates a local directory on asset
  • Copies the Memory exe files to local directory
  • Captures memory with Winpmem
  • When complete, ZIPs the memory image
  • Renames the zip file based on hostname
  • Documents the OS Build Info (no need to determine profile for Volatility)
  • Compressed image is copied to network directory and deleted from host after transfer complete
  • New temp Directory on asset for KAPE output
  • KAPE !SANS_Triage collection is run using VHDX as output format [$hostname.vhdx] **
  • VHDX transfers to network
  • Removes the local KAPE directory after completion
  • Writes a “Process complete” text file to network to signal investigators that collection is ready for analysis.

** Note: you can build different KAPE collection profiles by modifying just one line of code. Profiles can be chosen to support the requirements of the investigation.

CSIRT-Collect_USB

This is a separate script that performs essentially the same functionality as CSIRT-Collect.ps1 with the exception that it is intended to be run from a USB device. There is no need for a temporary host directory as the information is written direct to the USB device. The extra compression operations on the memory image and KAPE .vhdx have also been omitted. There is a slight change noted below to the folder structure for the USB version. On the root of the USB:

  • CSIRT-Collect_USB.ps1
  • folder (empty to start) titled ‘Collections’
  • folders for KAPE and Memory – same as above
  • Execution: -Open PowerShell as Adminstrator -Navigate to the USB device -Execute ./CSIRT-Collect_USB.ps1

To see a demonstration of CSIRT-Collect in action please register for my talk this Thursday, PowerShell Tools for IR Forensics Collection as part of the Enterprise Pulse lecture series hosted by Magnet Forensics.

Q&A will be live on Discord during the event.

Getting Started with a PowerShell Menu

DFIR

We’re often using PowerShell within the Incident Response team. I’m a big practitioner of spending 5 hours coding something to automate a 5 minute job. At first the math may not compute, but when that 5 minute job may be requested hundreds of times – and with it scripted it takes 30 seconds… that’s where it pays off. It also enforces consistency and removes some of the possibility for human error.

We have a collection of internal scripts that we use frequently. As more scripts (or scriptlets) are added to the frequently used, I wanted a means to expose all the scripts to the team and to put some organization to it. I also wanted to easily support changes or additions to the referenced scripts. What I wound up building was a simple PowerShell menu structure.

Each individual script is referenced by a 2 letter code in the menu. Right now in our environment there’s 38 scripts in the menu. Many of those are proprietary (can’t share), however I gathered a handful to share here to illustrate the concept of the menu process.

https://github.com/dwmetz/PSHero

Once you’ve downloaded and unzipped the repository, you’ll want to edit the PSHero.ps1 file to ensure that the paths for the scripts reflect where you’ve got them saved to.

To add or remove scripts from the menu, there are 2 modifications:
In the top section is the menu listing

Write-Host "EX: MX Header Analysis"

Which pairs with

'EX' {
D:\PowerShell\PSHero\Parse-EmailHeader.ps1
}

in the lower section. Use the other scripts as examples and add what you like. Just watch your brackets.

The scripts included in this demo menu include:

Have a favorite PS script you use? Post a recommendation in the comments below.

Forensic Imaging a Microsoft Surface Pro

DFIR, Forensic Imaging

Pre-Requisites:

UEFI Configuration:

Make sure the device is fully powered down (not in standby state) by holding down the power button (15-30 seconds) until the screen goes black.

Remove the Surface Pro keyboard and disconnect any accessories

Boot to the UEFI configuration (BIOS) by holding down the Volume-Up button while pressing the power button. Release the power button and hold the volume button until you see the Surface logo.

Under Security turn off Secure Boot

UEFI Security

Under Boot configuration select “USB Storage” and drag to the top of the list.

UEFI Boot configuration

Power off the device again.

Booting with Paladin

Connect the USB hub to the Surface Pro.

Attached to the USB hub you should have:

USB hub and peripherals

PRO Tip – if the USB hub has power buttons for the individual devices make sure all the ports are powered on. 😉  Yes, I did spend about 10 minutes troubleshooting this. (Mondays)

Hold down the Volume-Down key and press the Power button. Continue holding the Volume-down button until you see the Surface logo.

System should now boot to the Paladin USB

Booting from Paladin USB

Select the default (top) option – Sumiri Paladin Live Session – Forensic Mode

Boot menu selection

Once booting is complete, you will be presented with the Paladin Desktop.

Paladin Desktop on Surface Pro

Imaging:

Click on shortcut for  Paladin Toolbox

Note the Warning about Dates/Times and click OK

Date/time warning

Select the Source Device. In this case I’m choosing /dev/sda which will be the entire disk (3 partitions) on the host hard drive.

Specify the image format: Expert Witness Format, EWF (E01)


Populate the case details for the EWF based on case requirements

Populate E01 Case Information

Specify the image Destination

Specify Destination Drive

Label: $hostname of asset

Check Verify after creation

Click Start

Imaging in process

A full disk image and verification will take several hours. When completed you will see Image completed and Verification completed in the green text at the bottom.

Click on the shield in the left corner and select the power button icon to shut down.

Disconnect the bootable USB drive and your destination USB drive.

Verify files/folders created by mounting the external USB drive to your examination system.