I’ve worked remotely for the past 6 years which means I spend a lot of time in my home office. Last year we moved into a new house with much better space for my office, and I’ve been shaping it more and more to my tastes.
I do a lot of forensic imaging. I’ve got a pretty basic but rock solid setup that works for me (see Forensic Imaging a Microsoft Surface Pro). Since I use it frequently I’m hesitant to put it away, but at the same point I don’t like looking at a pile of wires and devices when not in use. That brings us to the latest home office update, the Forensic Imaging Station (Steampunk Edition).
For this project I grabbed a small wooden box from Hobby Lobby. A good cigar box will also work. That was going to be my first choice but the only spare box I had on hand said “Corona” on the face and… you know. This box looks nice, but it’s mostly particle board, so go slow when drilling.
I drilled four holes in the box: a 1/2 inch hole on the front face under the locking clasp for the USB-C cable, and three 5/8 inch holes – two on the side and one on the back – to accommodate the rest.
Inside the box I’ve arranged a USB hub connecting:
Paladin flash drive
External WD hard drive
RF dongle for mouse.
Pass through for “universal” laptop power adapter
This box had plenty of space to arrange the components. The laptop power adapter comes in the back of the box and then back out on the side. The USB connector for the hub is also passed through the side. The cable for the keyboard passes through the front.
Recently my session on PowerShell Tools for IR Forensics Collection was re-broadcast by Magnet Forensics. During the event there were a few questions and I thought I’d share my responses here.
If you missed the presentation, just look to the previous post and you’ll find a link for YouTube.
Does the CSIRT script check for sufficient available space for the temp files before running? I’ve run into this issue with KAPE collections that get a lot of event logs.
No it doesn’t. Depending on the artifact collection type, the output sizes can vary greatly. Once you have a collection script that you want to use as your default, I’d measure what the average size is. In all my collection processes I like to make sure I have 1.5x available free space for what I anticipate collecting. A WMI ‘check’ could be built into the script to verify the free space vs. expected collection needs.
This will present the available free space on any fixed disks attached to the system.
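Here is an added example of such a free-space gate, written for this post and not part of the CSIRT-Collect script itself. It queries fixed disks through CIM (DriveType 3), lists their free space, and refuses to proceed unless the output drive has 1.5x the expected collection size; the 20 GB estimate and the parameter names are assumptions, so measure your own average first.

```powershell
# Added example: free-space gate for a collection script (not CSIRT-Collect's own code).
# Assumes an expected collection size (20 GB here is a constructed estimate) and applies
# the 1.5x safety margin described above.
param(
    [string]$OutputDrive = $env:SystemDrive,   # e.g. "C:", where temp files will land
    [double]$ExpectedCollectionGB = 20          # constructed estimate; replace with your measured average
)

$RequiredBytes = [math]::Ceiling($ExpectedCollectionGB * 1.5 * 1GB)

# DriveType=3 restricts the query to fixed (local) disks, excluding removable and network drives.
$Fixed = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType=3"

# Report free space on every fixed disk so the operator can choose a target volume.
$Fixed | Select-Object DeviceID,
    @{Name = 'FreeGB'; Expression = { [math]::Round($_.FreeSpace / 1GB, 2) }},
    @{Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 2) }} |
    Format-Table -AutoSize

$Target = $Fixed | Where-Object { $_.DeviceID -eq $OutputDrive }
if (-not $Target) {
    Write-Error "Output drive $OutputDrive is not a fixed disk on this host."
    exit 1
}

# Abort before any temp files are written if the margin is not available.
if ([int64]$Target.FreeSpace -lt $RequiredBytes) {
    Write-Error ("Insufficient free space on {0}: {1:N2} GB free, {2:N2} GB required (1.5x of {3} GB estimate)." -f `
        $OutputDrive, ($Target.FreeSpace / 1GB), ($RequiredBytes / 1GB), $ExpectedCollectionGB)
    exit 1
}

Write-Host ("Free-space check passed on {0}; proceeding with collection." -f $OutputDrive)
```

Run it at the top of the collection script so the memory capture and KAPE steps only start when the margin is confirmed.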
The best utilization of free space I could come up with was to grab the memory first, compress it, ship it off and then repeat the collection, compression and transfer with KAPE. This minimizes the amount of disk space needed on the remote host. Both processes have a clean-up operation where all local data is deleted from the endpoint once the network transfer has successfully completed.
With memory sizes so big lately, is it possible to configure the script to collect the important artifacts from memory, rather than the entire memory (e.g. process listing, network connections, etc.)?
It would be possible to generate that information on the endpoint using a series of PowerShell commands and write the output to a text file (Get-Process, Get-NetTCPConnection, etc.). This is certainly useful from an IR perspective, but the only artifact that would be returned back would be the output file. Depending on the circumstances of the investigation you may still need/want the full memory image as evidence.
Do we have the list of artifacts that are being collected here?
In the example presented we’re leveraging the SANS Triage KAPE collection target. The specific collection template used by the CSIRT-Collect script can be adjusted by changing the KAPE command options in the script. You can view the details for any KAPE target either by double-clicking the entry in the KAPE GUI, or by viewing the corresponding .tkape file in the program directory (use your text editor of choice). For the SANS Triage collection, the following artifacts are gathered:
# Event Logs
# Evidence of Execution
Name: Amcache transaction files
Name: Syscache transaction files
Name: PowerShell Console Log
# File System
# LNK Files and JumpLists
Name: Lnk files from Recent
Comment: Also includes automatic and custom jumplist directories