DFIR Triage and Timeline Analysis
During incident response, it is essential to establish full context around the time of an alert, or around the moment suspicious activity was identified. To connect the dots, a quick triage of the suspected machines is required. Within an enterprise this is often not easy, mainly because of network complexity and the mix of operating systems and versions in use. In this blog I explore several collectors that gather forensic artifacts from a variety of operating systems, and then add the results to a central server for timeline analysis. Sounds fun!
Scenario:
In the lab I have Windows Server 2012, Windows 10, Kali Linux and macOS 10.15.
Collector tools: KAPE with the !SANS_Triage target, Hoarder with its default hoarder.yml configuration file, and FireEye's standard collector (Redline and HX).
For parsing and timeline analysis I used Kuiper, with sigma rule matching through Rhaegal.
I want to explore how well the available open-source collectors parse the artifacts, so that analysts can spend more time on the investigation without worrying about missing critical artifacts.
KAPE
One of the most widely used forensic artifact collection and parsing tools, written by Eric Zimmerman (@EricZimmerman).
I ran KAPE on the Windows 10 box with the !SANS_Triage target to collect the artifacts and compress them into a zip, which took 83.20 seconds. Fast!
Limitation: Windows OS only.
kape.exe --tsource C: --tdest Z:\kapenew --tflush --target !SANS_Triage
Hoarder
This is another excellent collector, by Saleh Muhaysin (@saleh_muhaysin), Muteb Alqahtani (@muteb_alqahtani) and Abdullah Alrasheed (@abdullah_rush) on Twitter. It is fast and straightforward to use; the collection took 109.21 seconds.
Limitation: Windows OS only.
FireEye (Redline/ HX)
Redline and HX are both great tools. Redline is an open-source tool that can create a collector script and lets you investigate the results in a friendly GUI. HX is a FireEye agent that runs continuously on a host and connects back to the controller. It is easy to use and available for Windows, macOS and Linux, which is why I used it in this experiment. Once the collector job is finished you will have a .mans file (e.g. AnalysisSession1.mans for Redline). This file is a zip archive of multiple XML files, each holding the details of a particular artifact type, as can be seen in the snapshot below.
Once artifacts have been collected by the tools above and compressed into zip files as shown below, we upload them to Kuiper.
Kuiper
Kuiper is a digital investigation platform that provides the capability to parse, search and visualize collected evidence.
Kuiper is made up of a set of Docker images, which makes it straightforward to deploy. I used Ubuntu 20 with 16 GB RAM.
Once you have cloned the repository with git, follow the steps below.
Note: run sudo pip install docker-compose
That downloads the latest docker-compose onto your machine; Kuiper's compose file depends on compose file format version 3.8.
All Docker images need to be up and running. Then you can point your browser to https://localhost
Next, we create a case and import the zip files, either manually via the GUI or with the API:
python3 UploadMachines.py -c "<case_id>" -m "<machine_name>" -p ./machine.zip
Bulk zip files can be imported simultaneously, as in the snapshot above.
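For the bulk import, here is an added helper script (my own example, not part of Kuiper) that drives the UploadMachines.py call shown above across a whole directory of triage zips. It assumes UploadMachines.py sits in the working directory and accepts the -c, -m and -p flags exactly as used above; the machine name is derived from each file name. Before anything is sent, it checks that each archive is a readable zip (a truncated copy from a slow network share is a common surprise) and records its SHA-256 so the hash can go into the case notes. The sample triage directory it builds for the demo is constructed, not real evidence.

```python
"""Added example (not Kuiper's own code): bulk-import triage zips into a case.

It assumes Kuiper's UploadMachines.py is in the working directory and accepts
the flags used above (-c case_id, -m machine_name, -p path). Before anything
is sent, each archive is checked to be a readable zip and its SHA-256 is
recorded so the hash can be kept with the case notes.
"""
import hashlib
import subprocess
import tempfile
import zipfile
from pathlib import Path


def sha256_of(path):
    """Hash the archive in 1 MiB chunks so large triage images stay out of memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def plan_uploads(case_id, triage_dir):
    """Inspect every *.zip in triage_dir and build one upload entry per archive.

    The machine name is taken from the file name (win10-kape.zip -> win10-kape).
    Archives that are not valid zips (truncated copies, renamed files) get
    status 'skipped' so they are never handed to Kuiper.
    """
    plan = []
    for path in sorted(Path(triage_dir).glob("*.zip")):
        entry = {"path": str(path), "machine": path.stem}
        if not zipfile.is_zipfile(path):
            entry["status"] = "skipped"
        else:
            entry["sha256"] = sha256_of(path)
            entry["argv"] = ["python3", "UploadMachines.py", "-c", case_id,
                             "-m", entry["machine"], "-p", str(path)]
            entry["status"] = "ready"
        plan.append(entry)
    return plan


def run_uploads(case_id, triage_dir, dry_run=True):
    """Execute the plan; with dry_run=True only report what would be uploaded."""
    plan = plan_uploads(case_id, triage_dir)
    for entry in plan:
        if entry["status"] != "ready":
            print(f"skip {entry['path']}: not a valid zip")
            continue
        print(f"{entry['sha256']}  {entry['machine']}")
        if not dry_run:
            subprocess.run(entry["argv"], check=True)
    return plan


def build_demo_dir():
    """Constructed sample input: one valid triage zip and one truncated copy."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    with zipfile.ZipFile(root / "win10-kape.zip", "w") as z:
        z.writestr("C/Windows/System32/config/SYSTEM", b"demo hive contents")
    (root / "broken-copy.zip").write_bytes(b"PK\x03\x04 truncated copy")
    return root


if __name__ == "__main__":
    import sys
    triage = sys.argv[1] if len(sys.argv) > 1 else build_demo_dir()
    # Pass --upload to actually call UploadMachines.py; the default is a dry run.
    run_uploads("<case_id>", triage, dry_run="--upload" not in sys.argv)
```

Run it with the directory holding your triage zips as the first argument and add --upload once the dry-run listing looks right; the printed hash next to each machine name is what you paste into the case notes.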
Once the import is finished, we need to parse the artifacts inside the zip files, and this can also be done in parallel!
If you are processing a FireEye .mans file, it needs to be zipped and uploaded, and you pick the RedLineParser to parse all of its XML files.
For the KAPE and Hoarder zip files I used the "All" parser. It took a while, but it parses all events very nicely.
Once all the parsing jobs are finished, you can click on the machine to view its events in the timeline.
Kuiper has another fantastic built-in feature called "Rhaegal": rules converted from sigma, or custom rules, that you can match against the parsed events.
Above are the matched alerts from the KAPE triage image, which give analysts a summarised view of where to focus or start the investigation.
Importing sigma rules into Rhaegal is simple using the SigmaToRhaegal Python script.
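To make the parse, timeline and rule-match flow concrete, here is an added, miniature version of it in Python. It is my own illustrative code, not Kuiper, Rhaegal or Redline code, and it serves two passages above: the FireEye section's point that a .mans file is a zip of XML files, and the timeline and Rhaegal section. The .mans-style archive, its XML layout, the KAPE-style CSV export and the sigma-style rule are all constructed for the demo; in particular the XML element names are invented and do not reproduce Redline's real schema. The script opens the archive, turns each XML member and each CSV row into events with UTC timestamps, merges them into one sorted timeline, and evaluates a sigma-like selection block against every event to produce the "matched alerts" view.

```python
"""Added example: parse -> timeline -> rule match, in miniature.

Illustrative code, not Kuiper, Rhaegal or Redline code. The .mans archive,
its XML element names, the KAPE-style CSV and the rule are all constructed
for this demo and do not reproduce any real tool's schema.
"""
import csv
import io
import xml.etree.ElementTree as ET
import zipfile
from datetime import datetime, timezone

# Constructed sample: one XML member with process items, as a .mans-like zip
# would carry. The -enc argument is the UTF-16LE base64 of "pwd", a harmless
# placeholder whose only purpose is to trip the rule below.
SAMPLE_MANS_XML = b"""<?xml version="1.0"?>
<itemList>
  <ProcessItem><start>2020-06-01T10:15:30Z</start><name>powershell.exe</name>
    <arguments>powershell.exe -enc UABXAEQA</arguments></ProcessItem>
  <ProcessItem><start>2020-06-01T10:16:02Z</start><name>notepad.exe</name>
    <arguments>notepad.exe</arguments></ProcessItem>
</itemList>"""

# Constructed sample: a KAPE/EvtxECmd-style CSV export of two event log records.
SAMPLE_KAPE_CSV = """TimeCreated,EventId,Channel,PayloadData1
2020-06-01 10:15:29,4688,Security,NewProcessName: C:\\Windows\\System32\\cmd.exe
2020-06-01 10:17:45,4624,Security,LogonType: 3
"""


def build_mans_archive():
    """Write the sample XML into an in-memory zip, mimicking the .mans container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("processes.xml", SAMPLE_MANS_XML)
    return buf.getvalue()


def parse_mans(mans_bytes):
    """Open the .mans zip and turn every ProcessItem in each XML member into an event."""
    events = []
    with zipfile.ZipFile(io.BytesIO(mans_bytes)) as z:
        for member in z.namelist():
            if not member.endswith(".xml"):
                continue
            root = ET.fromstring(z.read(member))
            for item in root.iter("ProcessItem"):
                # The trailing Z is replaced because fromisoformat() on older
                # Python versions does not accept it.
                ts = datetime.fromisoformat(item.findtext("start").replace("Z", "+00:00"))
                events.append({"ts": ts, "source": "mans",
                               "Image": item.findtext("name"),
                               "CommandLine": item.findtext("arguments")})
    return events


def parse_kape_csv(text):
    """Turn CSV rows into events; timestamps in this export are naive UTC."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        payload = row["PayloadData1"]
        image = payload.split("NewProcessName: ", 1)[1] if payload.startswith("NewProcessName: ") else ""
        ts = datetime.strptime(row["TimeCreated"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "source": "kape", "EventId": int(row["EventId"]),
                       "Image": image, "CommandLine": payload})
    return events


def build_timeline(*event_lists):
    """Merge all sources into one chronologically sorted timeline."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["ts"])


# A sigma-style rule reduced to its selection block: every field must match
# (AND) and any of a field's listed values matches (OR), as in a sigma map.
ENCODED_PS_RULE = {
    "title": "Encoded PowerShell command line",
    "selection": {
        "Image|contains": ["powershell.exe"],
        "CommandLine|contains": ["-enc", "-EncodedCommand"],
    },
}


def match_rule(rule, event):
    """Evaluate the selection block; unsupported modifiers fall back to exact match."""
    for key, values in rule["selection"].items():
        field, _, modifier = key.partition("|")
        actual = str(event.get(field, ""))
        if modifier == "contains":
            if not any(v.lower() in actual.lower() for v in values):
                return False
        elif actual not in values:
            return False
    return True


def run_rules(timeline, rules):
    """Return (rule title, event) pairs: the 'matched alerts' view from the post."""
    return [(r["title"], e) for e in timeline for r in rules if match_rule(r, e)]


if __name__ == "__main__":
    tl = build_timeline(parse_mans(build_mans_archive()), parse_kape_csv(SAMPLE_KAPE_CSV))
    for e in tl:
        print(e["ts"].isoformat(), e["source"], e.get("Image"), e["CommandLine"])
    for title, e in run_rules(tl, [ENCODED_PS_RULE]):
        print("ALERT:", title, "@", e["ts"].isoformat())
```

The point worth noticing is the timestamp handling: the two sources write time differently (ISO 8601 with a Z suffix versus a naive local-looking string), and the timeline is only trustworthy once every event carries an explicit UTC offset before sorting. The rule matcher mirrors sigma's selection semantics closely enough to show why a field name mismatch between parser output and rule (Image versus name, for instance) silently produces zero alerts, which is the first thing to check when a converted rule never fires.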
Kudos to the Kuiper team for bundling it all up in a user-friendly tool.