Tag: Memory

VS Code Interactive Notebooks

DFIR, PowerShell

I’ve been using Visual Studio Code as my go to editor for PowerShell, JSON, plain text, and recently even a dash of Python. VS Code is very extensible and much like the App Stores we’ve come to know, there’s an extension marketplace to broaden its capabilites.

One of my favorite extensions is the .NET Interactive Notebooks. Notebooks combine markdown text and code snippets that you can run right within the notebook. This can be very useful for designing playbooks for a SOC or Junior Analyst to execute as you can describe and provide guidance on how to utilize the code functions.

An easy way to get started with Interactive Notebooks is to create a “Quick Codes” notebook. Title it as you choose. For this particular notebook, I’ve got a number of commands saved that I may reference semi-frequently, but due to limited space in my mind palace I wind up googling them anyway, even if it’s googling my own site.

Trying to remember a specific PowerShell syntax

Note before installing:
As your scripts and notebooks develop, there is a likelihood that you will want to run some either as Administrator or using another user credential. One way to do so simply launch VS code (right click) as Admin, or use the Run As feature when you launch the application.

  1. Download and install VS Code.
    Note – as you may be running this with multiple credentials, the “System” installer is recommended.
    https://code.visualstudio.com/Download#
  2. Install the latest .Net SDK
    https://dotnet.microsoft.com/download/dotnet/6.0
  3. When inside VS code, bring up the Extensions view by clicking on the Extensions icon in the Activity Bar on the side of VS Code, or the View: Extensions command (Ctrl+Shift+X).
    Search for “interactive”
    Select .NET Interactive Notebooks and choose install

Once everything is all set, relaunch VS Code.

Hit Ctrl+Shift+P and select .NET Interactive – Create New Blank Notebook.

That’s it. Now start adding blocks for text and code. You can use simple markup codes for Heading (#), Heading 2 (##), Heading 3 (###), etc.

To execute the code snippet, just click on the small ‘play’ arrow to the left.

Do you have any novel uses for Interactive Notebooks? If so, please share in the comments area.

CSIRT-Collect

DFIR, Forensic Imaging, PowerShell

A PowerShell script to collect memory and (triage) disk forensics for incident response investigations

There’s a number of tools that support a one-to-many remote operation capability. However, not all organizations have that level of capability. I’ve also seen that in some large organizations how things are designed to work with remote assets, and how they actually work, may not be the same. What I wanted was a repeatable pre-defined collection mechanism, that could scale out to be supported by non-forensics team members to participate in forensic evidence collection for incident response examinations. The intent is that the collection process can be distributed among remote team members, be it site support or Security Operations Center (SOC). The script can also be integrated into SOAR and EDR platforms.

CSIRT-Collect was written to fill that role.

https://github.com/dwmetz/CSIRT-Collect

CSIRT-Collect leverages a network share, from which it will access and copy the required executables and subsequently upload the acquired evidence to the same share post-collection.

Permission requirements for said directory will be dependent on the nuances of the environment and what credentials are used for the script execution (interactive vs. automation). In the demonstration code, a network location of \\Synology\Collections can be seen. This should be changed to reflect the specifics of your environment.

The Collections folder will need to include:
– subdirectory KAPE; copy the directory from any existing install
– subdirectory MEMORY; 7za.exe command line version of 7zip and winpmem.exe

CSIRT-Collect Operations:

  • Maps to existing network drive –
  • Subdir 1: “Memory” – Winpmem and 7zip executables
  • Subdir 2: ”KAPE” – directory (copied from local install)
  • Creates a local directory on asset
  • Copies the Memory exe files to local directory
  • Captures memory with Winpmem
  • When complete, ZIPs the memory image
  • Renames the zip file based on hostname
  • Documents the OS Build Info (no need to determine profile for Volatility)
  • Compressed image is copied to network directory and deleted from host after transfer complete
  • New temp Directory on asset for KAPE output
  • KAPE !SANS_Triage collection is run using VHDX as output format [$hostname.vhdx] **
  • VHDX transfers to network
  • Removes the local KAPE directory after completion
  • Writes a “Process complete” text file to network to signal investigators that collection is ready for analysis.

** Note: you can build different KAPE collection profiles by modifying just one line of code. Profiles can be chosen to support the requirements of the investigation.

CSIRT-Collect_USB

This is a separate script that performs essentially the same functionality as CSIRT-Collect.ps1 with the exception that it is intended to be run from a USB device. There is no need for a temporary host directory as the information is written direct to the USB device. The extra compression operations on the memory image and KAPE .vhdx have also been omitted. There is a slight change noted below to the folder structure for the USB version. On the root of the USB:

  • CSIRT-Collect_USB.ps1
  • folder (empty to start) titled ‘Collections’
  • folders for KAPE and Memory – same as above
  • Execution: -Open PowerShell as Adminstrator -Navigate to the USB device -Execute ./CSIRT-Collect_USB.ps1

To see a demonstration of CSIRT-Collect in action please register for my talk this Thursday, PowerShell Tools for IR Forensics Collection as part of the Enterprise Pulse lecture series hosted by Magnet Forensics.

Q&A will be live on Discord during the event.