A Beginner’s Journey into DFIR: Using Flare VM, OpenEDR, AccessData FTK, and Autopsy

Ayobami Odunlami
Dec 15, 2023


Flare VM, OpenEDR, and AccessData FTK

As a Computer Forensics student, I am always looking for new ways to learn about the field and broaden my skills. Recently I was introduced to Flare VM, Mandiant's open-source collection of installation scripts that turn a Windows virtual machine into a reverse-engineering and forensics workstation with a large set of malware-analysis and digital-forensics tools installed. This sounded like a great way to learn more about the industry and get comfortable with the tools the field actually uses.

Flare VM can be downloaded from the project's GitHub repository (see References). After successfully installing Flare VM in a Windows virtual machine, I started exploring the tools and features available.

On the Flare VM I installed OpenEDR, an open-source endpoint detection and response (EDR) platform started by Xcitium. OpenEDR is not a static or dynamic malware-analysis tool in the sandbox or disassembler sense: its agent records base security events on the endpoint (process, file, registry and network activity) and forwards them for analysis and reporting to IT and security staff. Once the agent was installed, the natural first test was to run malicious software on the virtual machine and see whether OpenEDR raised alerts.

The screenshot above shows the OpenEDR agent installed on the Flare VM; this is the component that collects the base security events.

OpenEDR includes an endpoint manager for continuous endpoint monitoring. With it you can watch for unusual activity, correlate and visualise endpoint security data, and investigate an attack end to end, then act on the findings to fix issues and reduce risk on the endpoints. Used well, an EDR surfaces intrusions, lateral movement and breaches early; it is a detection and response tool, though, not a replacement for dedicated malware-analysis tooling.

The next step was to install AccessData's Forensic Toolkit (FTK). The component used in this walkthrough is the free FTK Imager: it creates forensic images of disks and can capture a live system's memory, and it is the tool whose “Capture Memory” function appears below. The full FTK suite then indexes, searches and analyses the evidence those images contain, giving investigators the means to extract, analyse and understand digital evidence rather than just mine data.

FTK Imager can be downloaded from Exterro (see References). I downloaded the most recent version at the time of writing, version 4.7.1.2.

After installation, keep the application open; we will come back to it after the next steps.

Next, we test OpenEDR by downloading malware samples and running them on the virtual machine. Do this only inside the VM, never on the host: take a hypervisor snapshot first so the machine can be rolled back, put the VM on an isolated or host-only network, and disable shared folders and clipboard sharing so the sample cannot reach the host or your LAN.

Downloading the infected files

Unzipping the files

I selected some of the downloaded malware samples. Because samples are usually distributed without their real extension, I used VirusTotal, a website that rapidly scans files for viruses and malware and reports the detected file type, to determine the proper extension and renamed the files accordingly. After making those adjustments I ran the files to infect the virtual machine. I was amazed by how quickly the malware ran on the VM.
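As an added example (my own code, not from the original post or from any of the tools named here), the following Python works out a sample's real type from its header bytes instead of uploading it. VirusTotal gives the same answer, but anything uploaded there is shared with every other VirusTotal user, which matters if a sample is sensitive. The headers it runs against are constructed minimal examples, and the extension names it returns are my choices for the common formats shown.

```python
"""Added example (not from the original post): identify a sample's real type
from its magic bytes, offline, so it can be renamed before it is executed.

The byte strings built by _pe_header() are constructed minimal headers for
the demo, not real samples; nothing here is runnable as a program.
"""
import struct
from typing import Optional

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag for DLLs


def sniff_type(data: bytes) -> Optional[str]:
    """Return an extension guess from the leading bytes, or None if unknown."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00" and len(data) >= e_lfanew + 24:
            # COFF header follows the signature; Characteristics is its last WORD.
            characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
            return "dll" if characteristics & IMAGE_FILE_DLL else "exe"
        return "exe"  # MZ without a PE header: plain DOS executable
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:4] == b"PK\x03\x04":
        return "zip"  # also docx/xlsx/jar/apk: inspect the archive to go further
    if data[:4] == b"%PDF":
        return "pdf"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "doc"  # OLE2 compound file: legacy Office, possibly with macros
    if data[:4] == b"Rar!":
        return "rar"
    return None


def sniff_file(path: str) -> Optional[str]:
    """Read only the head of the file; 64 KiB covers any sane e_lfanew."""
    with open(path, "rb") as f:
        return sniff_type(f.read(64 * 1024))


def _pe_header(is_dll: bool) -> bytes:
    """Constructed MZ + PE + COFF header (demo input only)."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    flags = 0x0022 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, flags)  # x64, 1 section
    return bytes(dos) + b"PE\x00\x00" + coff


if __name__ == "__main__":
    for label, blob in (("exe", _pe_header(False)), ("dll", _pe_header(True))):
        print(label, "->", sniff_type(blob))
```

Rename the sample to the returned extension, then run it; a PE that reports `dll` needs `rundll32` or a loader rather than a double-click, which is one reason the extension matters before execution.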

After running the samples, I ran the command shown in the screenshot, which launches the sample silently, with no visible window and with error messages suppressed.

The CMD window disappears, and we can then check whether OpenEDR generated any alerts. It did: the execution triggered an alert, as expected.

Return to the FTK Imager window. Click “File”, then “Capture Memory”.

Browse to the Downloads directory for the Destination Path and give the memory dump a file name. The dump is as large as the VM's RAM, so if you get an error that there is not enough space, uninstall a few of the programs that came preinstalled with Flare VM to free enough disk for the capture to complete, or write the dump to a second virtual disk. Note that running the capture tool inside the infected guest changes the guest's memory and is visible to the malware; when the target is a VM, suspending it or taking a snapshot from the hypervisor yields a memory file without running anything inside the guest.

This is how to capture a system's memory for analysis. When investigating a system for signs of malware, capturing memory is an essential step, because malware leaves traces in memory (running processes, injected code, open network connections, decrypted strings and configuration) that can be used to identify it and analyse its behaviour, including malware that never writes itself to disk. The capture is also called a memory dump: a copy of the system's RAM at a specific moment in time.

The captured memory can then be analysed with FTK or a dedicated memory-forensics framework such as Volatility, which parses the dump into processes, loaded modules, handles and network connections. OpenEDR works on live endpoint telemetry, not on memory images. That analysis helps us understand the malware's behaviour and origin, and the indicators it yields can be used to find and remove the malware from the system and to detect future infections.
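Before handing a dump to any analysis tool, two checks are worth doing: confirm the capture was not truncated and record its hash, and confirm the indicator you expect (here the sample's file name) is actually present in both of the encodings Windows uses. The Python below is an added example of mine, not code from the post or from FTK Imager; `DUMP_PATH` and `INDICATOR` are placeholders, and `CONSTRUCTED_DUMP` is a tiny fake image built inline so the functions can be exercised offline.

```python
"""Added example (not from the original post): sanity-check a captured memory
dump and look for an indicator inside it.

Assumptions not taken from the page: the dump is the raw .mem file written by
FTK Imager's Capture Memory; DUMP_PATH and INDICATOR are placeholders to
replace with your own file and the sample's name. CONSTRUCTED_DUMP is a
fake image built here for the demo.
"""
import hashlib
import mmap
import os
import tempfile
from typing import Dict, List, Optional

DUMP_PATH = r"C:\Users\flare\Downloads\memdump.mem"  # placeholder
INDICATOR = "sample.exe"                             # placeholder

# Constructed stand-in for a dump: padding, the indicator as ASCII, more
# padding, then the same indicator as UTF-16LE (how Windows stores strings).
CONSTRUCTED_DUMP = (
    b"\x00" * 64
    + INDICATOR.encode("ascii")
    + b"\x00" * 32
    + INDICATOR.encode("utf-16-le")
    + b"\xff" * 16
)
EXPECTED_SHA256 = hashlib.sha256(CONSTRUCTED_DUMP).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash the dump in 1 MiB chunks so a multi-GB image never sits in RAM.
    Record the value with the evidence before opening the dump anywhere."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def dump_size_ok(path: str, expected_ram_bytes: int, tolerance: float = 0.05) -> bool:
    """A raw dump should be roughly the VM's RAM size. A file that is much
    smaller usually means the capture ran out of disk and was truncated."""
    return os.path.getsize(path) >= expected_ram_bytes * (1 - tolerance)


def find_indicator(path: str, needle: str, limit: int = 100) -> Dict[str, List[int]]:
    """Return byte offsets where `needle` occurs as ASCII and as UTF-16LE.
    Paths, command lines and registry strings are UTF-16LE in Windows memory,
    so an ASCII-only search misses most of them."""
    patterns = {"ascii": needle.encode("ascii"), "utf16le": needle.encode("utf-16-le")}
    hits: Dict[str, List[int]] = {name: [] for name in patterns}
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for name, pat in patterns.items():
            pos = mm.find(pat)
            while pos != -1 and len(hits[name]) < limit:
                hits[name].append(pos)
                pos = mm.find(pat, pos + 1)
    return hits


def write_constructed_dump(directory: Optional[str] = None) -> str:
    """Write CONSTRUCTED_DUMP to a temp file and return its path (demo only)."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "constructed.mem")
    with open(path, "wb") as f:
        f.write(CONSTRUCTED_DUMP)
    return path


if __name__ == "__main__":
    path = write_constructed_dump()  # swap for DUMP_PATH on a real capture
    print("sha256 :", sha256_file(path))
    print("size ok:", dump_size_ok(path, len(CONSTRUCTED_DUMP)))
    print("hits   :", find_indicator(path, INDICATOR))
```

On a real dump pass the VM's configured RAM size to `dump_size_ok`; a capture that passes the size check but shows no UTF-16LE hits for a name you know was running is a sign the indicator is wrong, not that the malware was absent.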

Autopsy

What is Autopsy?

Autopsy is an open-source computer forensics application for examining, analysing and reporting on digital evidence. It is used primarily in cybercrime and digital-forensics investigations. It lets investigators examine the contents of a disk image (file system, deleted files, registry hives, internet history and other places where data is stored). Autopsy provides a simple, user-friendly interface for tasks such as file analysis, keyword searches, timeline building and digital photo (EXIF) analysis.

Below we go over the basics of using Autopsy. In this case we examine a VMDK file, a virtual-disk format Autopsy can open directly as a disk-image data source; the same procedure works with any VMDK file.

Autopsy can be downloaded from autopsy.com (see References). After installation, open the application.

Click “New Case”, give the case a name and browse to the directory where you want to save it.

Fill in the information shown below and then click “Finish”.

You can ignore any error you get at this stage

The analysis will take some time, depending on the size of the image being analysed. The progress bar at the bottom right of the window shows the completion percentage.

Once the analysis is finished, we can use the image to answer questions such as the following.

Question: When was the OS installed?

Answer: The OS was installed on Sunday, September 10, 2023.

On Windows the installation date is recorded in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion.

In the image, that hive is the file Windows\System32\config\SOFTWARE; open it and navigate to Microsoft → Windows NT → CurrentVersion. The InstallDate value there is a REG_DWORD holding the number of seconds since 1 January 1970 (Unix time); take its hexadecimal value and convert it to a date. The hive stores the DWORD little-endian, so if you read the bytes from a hex pane, reverse their order before converting.

I used the website below to convert the hexadecimal value to a date.
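The conversion can be done locally instead. The Python below is an added example of mine, not code from the post: it decodes InstallDate (REG_DWORD, Unix seconds) and, on newer Windows builds, InstallTime (REG_QWORD FILETIME, 100-nanosecond ticks since 1601) from the raw little-endian bytes a hive viewer shows. The sample hex string and QWORD are constructed to represent 2023-09-10 00:00:00 UTC and are not the values from the author's image.

```python
"""Added example (not from the original post): convert the raw timestamp
values under HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion to UTC.

Facts used: InstallDate is a REG_DWORD of seconds since 1970-01-01 (Unix
time); InstallTime is a REG_QWORD FILETIME (100 ns ticks since 1601-01-01);
both are stored little-endian. The sample values below are constructed.
"""
from datetime import datetime, timedelta, timezone

_UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def install_date_from_dword(value: int) -> datetime:
    """InstallDate (REG_DWORD): seconds since the Unix epoch."""
    if not 0 <= value < 2**32:
        raise ValueError("InstallDate must be an unsigned 32-bit value")
    return _UNIX_EPOCH + timedelta(seconds=value)


def install_time_from_qword(value: int) -> datetime:
    """InstallTime (REG_QWORD): FILETIME, 100 ns ticks since 1601-01-01."""
    if not 0 <= value < 2**63:
        raise ValueError("FILETIME must be a non-negative 63-bit value")
    return _FILETIME_EPOCH + timedelta(microseconds=value // 10)


def from_raw_bytes(raw: bytes) -> datetime:
    """Decode the bytes exactly as a hive viewer's hex pane shows them:
    4 bytes -> little-endian DWORD (InstallDate), 8 bytes -> little-endian
    QWORD (InstallTime). Reading the pane left-to-right as a big-endian
    number is the classic mistake and gives a nonsense date."""
    if len(raw) == 4:
        return install_date_from_dword(int.from_bytes(raw, "little"))
    if len(raw) == 8:
        return install_time_from_qword(int.from_bytes(raw, "little"))
    raise ValueError("expected 4 (DWORD) or 8 (QWORD) bytes")


def from_hex_text(hex_text: str) -> datetime:
    """Accept text copied from a viewer, e.g. '00 07 FD 64' or '0007FD64'."""
    return from_raw_bytes(bytes.fromhex(hex_text.replace(" ", "")))


def describe(dt: datetime) -> str:
    """Weekday plus date and time, the form the question above asks for."""
    return dt.strftime("%A, %Y-%m-%d %H:%M:%S UTC")


# Constructed sample values: both encode 2023-09-10 00:00:00 UTC.
SAMPLE_INSTALLDATE_HEX = "00 07 FD 64"         # little-endian 0x64FD0700 = 1694304000
SAMPLE_INSTALLTIME_QWORD = 133387776000000000  # (1694304000 + 11644473600) * 10**7

if __name__ == "__main__":
    print("InstallDate :", describe(from_hex_text(SAMPLE_INSTALLDATE_HEX)))
    print("InstallTime :", describe(install_time_from_qword(SAMPLE_INSTALLTIME_QWORD)))
```

Both values should agree to the second on a machine that has both; a large disagreement usually means one of them was read with the wrong byte order.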

Question: Who are the admin users?

To find the admin users, analyse the SAM registry hive, which is located in the image at Windows\System32\config\SAM.

Then download RegRipper (https://github.com/keydet89/RegRipper3.0) and run it against the exported SAM hive; its samparse plugin parses the local user accounts and local group membership.

In the resulting report you will find the SIDs of the users allocated to the “Administrators” group and the names of the group's members; the accounts in this group are the local admins. Group membership is stored by SID, so match the last component of each SID (the RID, for example 500 for the built-in Administrator account) against the user accounts the report lists to get the names. A member SID whose machine part differs from the local machine SID is a domain account or group that the local SAM cannot name.
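The SID-to-name step is where beginners usually stall, so here it is as an added example of mine (not the post's code and not part of RegRipper). It assumes the member SIDs and a RID-to-username table have already been read from the samparse output or a hive viewer; the machine SID, members and table below are constructed, and the key naming facts (users under `SAM\Domains\Account\Users\<8 hex digit RID>`, Administrators as alias RID 544) are standard SAM layout.

```python
"""Added example (not from the original post): resolve the Administrators
group members that samparse lists as SIDs into local usernames.

Facts used: the last sub-authority of a SID is the RID; local accounts are
stored under SAM\\Domains\\Account\\Users\\<RID as 8 uppercase hex digits>
(RID 500 -> 000001F4); the Administrators group is alias RID 544, key
00000220 under SAM\\Domains\\Builtin\\Aliases. All data below is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
ADMINISTRATORS_ALIAS_RID = 544   # Builtin\Aliases\00000220
BUILTIN_ADMINISTRATOR_RID = 500  # Account\Users\000001F4, always a member
DOMAIN_ADMINS_RID = 512          # well-known domain group RID


def rid_of(sid: str) -> int:
    """Relative identifier: the last sub-authority of the SID."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    return int(sid.rsplit("-", 1)[1])


def authority_of(sid: str) -> str:
    """Everything before the RID; identifies the machine or domain."""
    return sid.rsplit("-", 1)[0]


def users_key_name(rid: int) -> str:
    """Subkey name under SAM\\Domains\\Account\\Users for this RID."""
    return f"{rid:08X}"


def resolve_admins(member_sids: List[str], users_by_key: Dict[str, str],
                   machine_sid: str) -> List[Tuple[str, Optional[str]]]:
    """Pair each Administrators member SID with a local username, or None when
    the SID belongs to another authority (domain account or group) or to a
    RID the SAM no longer has (deleted account still listed in the group)."""
    resolved: List[Tuple[str, Optional[str]]] = []
    for sid in member_sids:
        rid = rid_of(sid)
        if authority_of(sid) != machine_sid:
            resolved.append((sid, None))
            continue
        resolved.append((sid, users_by_key.get(users_key_name(rid))))
    return resolved


def admin_names(member_sids: List[str], users_by_key: Dict[str, str],
                machine_sid: str) -> List[str]:
    """Just the local names, in group order."""
    return [name for _, name in resolve_admins(member_sids, users_by_key, machine_sid) if name]


# Constructed data (not from the post): machine SID, the Users subkeys with
# the username taken from each account's V value, and the alias member list.
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
USERS_BY_KEY = {"000001F4": "Administrator", "000001F5": "Guest", "000003E9": "flare"}
ADMIN_MEMBERS = [
    f"{MACHINE_SID}-{BUILTIN_ADMINISTRATOR_RID}",
    f"{MACHINE_SID}-1001",
    f"S-1-5-21-4444444444-5555555555-6666666666-{DOMAIN_ADMINS_RID}",  # domain group
]

if __name__ == "__main__":
    for sid, name in resolve_admins(ADMIN_MEMBERS, USERS_BY_KEY, MACHINE_SID):
        print(f"{sid:55} -> {name or '(not a local account)'}")
```

A `None` next to a SID with the machine's own authority deserves attention: it means the group still references an account that is no longer in the SAM, which is worth noting in the report.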

Question: What applications were installed in 2023?

The applications below were installed in 2023. Autopsy's “Installed Programs” artifacts come from the Uninstall keys in the SOFTWARE hive (Microsoft\Windows\CurrentVersion\Uninstall), whose InstallDate strings can be filtered by year.

Question: What was downloaded?

The following files were downloaded. Autopsy's “Web Downloads” artifacts are taken from the browsers' history databases; for a file that is still on disk, its Zone.Identifier alternate data stream, when present, also records where it came from.

Conclusion

Autopsy, Flare VM, OpenEDR and FTK Imager complement each other: Flare VM provides an isolated analysis workstation, OpenEDR records what a sample does when it runs, FTK Imager captures memory and disk evidence, and Autopsy answers questions from that evidence. Together they give both beginners and experienced investigators a complete, hands-on path through detection, acquisition and analysis.

References

https://en.wikipedia.org/wiki/OpenEDR

https://github.com/mandiant/flare-vm/blob/main/README.md

https://www.linkedin.com/products/hacker-combat-cybersecurity-community-openedr-open-source-endpoint-detection-and-response/#:~:text=Deploy%20Our%20Free%20OpenEDR%20To,risk%20on%20endpoints%2C%20Stop%20attempted

https://www.exterro.com/forensic-toolkit

https://www.autopsy.com/download/

