In part one, we established our criteria for testing; now let's see how well Redline does.
Initial Configuration
Redline has been configured to use all installed browsers. This is achieved by not specifying any browser but leaving the system to identify data from all installed browsers.
The figure below shows the Redline configuration for detecting browsing history.
Initial Data Retrieval
The figure below shows the results retrieved from the system. As can be seen, no entry was returned for Project Spartan or Opera 11.
Filtering Data
Redline provides the ability to filter data based on multiple criteria such as “contains”, “equals”, regex, etc.
The figure below shows the filter options available in Mandiant’s Redline. These filters make looking for specific data relatively easy.
Searching
In addition to filtering, Redline provides the ability to search across one or more fields using regular expressions (regex). This can help tremendously in quickly identifying patterns across the data, reducing the time needed to capture the same or similar data patterns.
The figure below shows Redline’s search capabilities using regex.
Tagging
The ability to “tag” items, with the objective of understanding what is a priority, what is important, or what action should be taken on a specific entry, is critical for focusing on the things considered relevant to your investigation. Redline tags use various colors and numbers from 0 to 6, with actions you may tag the items with.
The figure below shows the various Redline tags.
Cookies
Redline’s ability to identify and extract the contents of cookies within the one tool is very important. Some of the information reported for cookies includes the name, file path, contents, creation and expiration dates, etc.
The figure below shows an extract of some of the information retrieved from the various cookies.
Download history
It’s critical to be able to identify any files which were downloaded during the browsing activity. Redline provides the “Download Type”, the “URL” from which the download occurred, the “Target Directory” to which the file was saved, its “Filename”, the number of “Bytes Downloaded”, etc.
The figure below shows Redline’s File Download History.
Timeline
Timeline analysis is very important to the forensics process. It provides the analyst with the ability to pinpoint exactly when an event occurred. The analyst can then correlate this information with data from other sources to get a clearer picture and context of what may have transpired.
By default, Redline provides fields such as “Created”, “Modified”, “Changed”, etc., as shown in figure 11 below.
In addition, timelines can be viewed by “Users”, “TimeWrinkles”, “TimeCrunches”, “Processes”, etc.
Time Wrinkles allow you to select a date and time and then specify a number of minutes before and after that time for which you would like to see information.
The figure below shows the TimeWrinkle configuration.
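To make the two ideas from the Searching and Timeline sections concrete, here is an added example (my code, not Redline's and not part of the original post) that applies a TimeWrinkle-style window and a regex search across fields to browsing-history records shaped like the ones Redline displays. The records, timestamps and function names are constructed for the example; the URLs are taken from the part-one test list.

```python
# Added example: a TimeWrinkle-style window and a regex search across fields,
# applied to browsing-history records shaped like the ones Redline shows.
import re
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"
TIME_FIELDS = ("created", "modified", "changed")

# Constructed sample records (not real Redline output): the URLs are from the
# part-one test list, the timestamps are made up.
HISTORY = [
    {"browser": "Firefox", "url": "http://securitynik.blogspot.com",
     "created": "2015-07-08 18:20:10", "modified": "2015-07-08 18:20:10",
     "changed": "2015-07-08 18:20:11"},
    {"browser": "Chrome", "url": "https://www.youtube.com/watch?v=Liw86dRI0Qo",
     "created": "2015-07-08 18:05:00", "modified": "2015-07-08 18:35:00",
     "changed": "2015-07-08 18:35:00"},
    {"browser": "Opera", "url": "http://www.cnn.com",
     "created": "2015-07-08 18:55:00", "modified": "2015-07-08 18:55:00",
     "changed": "2015-07-08 18:55:02"},
    {"browser": "Internet Explorer",
     "url": "http://sourceforge.net/projects/clamwin/?source=directory",
     "created": "2015-07-08 17:50:00", "modified": "2015-07-08 17:50:00",
     "changed": "2015-07-08 17:50:00"},
]


def time_wrinkle(records, pivot, minutes_before, minutes_after, fields=TIME_FIELDS):
    """Records with at least one of `fields` inside [pivot - before, pivot + after],
    returned as (timestamp, field, record) tuples ordered by time. The earliest
    in-window field of each record is the one reported, so a record whose
    "created" is outside the window still surfaces via "modified" or "changed"."""
    centre = datetime.strptime(pivot, TS_FMT)
    start = centre - timedelta(minutes=minutes_before)
    end = centre + timedelta(minutes=minutes_after)
    hits = []
    for rec in records:
        stamps = [(datetime.strptime(rec[f], TS_FMT), f) for f in fields]
        in_window = [s for s in stamps if start <= s[0] <= end]
        if in_window:
            ts, field = min(in_window, key=lambda s: s[0])
            hits.append((ts, field, rec))
    return sorted(hits, key=lambda hit: hit[0])


def regex_search(records, pattern, fields):
    """Redline-style search: keep records where `pattern` matches any of `fields`."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [rec for rec in records if any(rx.search(str(rec[f])) for f in fields)]


if __name__ == "__main__":
    # Ten minutes either side of 18:30 on the day of the constructed activity.
    for ts, field, rec in time_wrinkle(HISTORY, "2015-07-08 18:30:00", 10, 10):
        print(ts, field, rec["browser"], rec["url"])
    for rec in regex_search(HISTORY, r"youtube\.com/watch\?v=", ["url"]):
        print("video:", rec["browser"], rec["url"])
```

The window check runs over every timestamp field, not just "created": that is the difference between a wrinkle and a plain sort by one column, and it is why the YouTube record above appears even though it was first created outside the window.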
Tags and Comments
Being able to tag and leave notes about items you identify during the forensics process is just as important as identifying the events. Redline’s “Tags and Comments” provides the ability to leave notes on identified items while allowing the analyst to determine how important each is to the task being performed.
Well, that's it for a detailed analysis of using Mandiant Redline to perform browser forensics investigations. In part one we laid the foundation of the testing, and in this part two we looked at how we can use Redline to verify that information.
When performing a forensic investigation, every piece/source of information becomes relevant. In this post, we will focus on the information which we can learn from browsers. For this post I will use Mandiant Redline. However, there are many tools out there which can perform a similar function.
Redline is considered Mandiant’s premier free tool for host investigative capabilities (Mandiant, 2015). While Redline has the ability to audit and collect running processes and drivers from memory, file system metadata, registry data, event logs, network information, services and tasks (Mandiant, 2015), the objective of this post is to evaluate its web history component.
Figure below shows Mandiant's Redline Main Screen
OS used
Windows 10 Insider Preview
Browsers Tested
Firefox v39.0
Internet Explorer v11.0
Google Chrome - v43.0.2357.134 m
Opera v30.0.1835.125
Project Spartan (Microsoft Windows [Version 10.0.10130])
Functional Analysis
This analysis will test Redline's ability to identify the following from all browsers.
Links visited
Date visited
Time visited
Cookies
Search entries
Action taken
Browser used
Files downloaded
Links opened within each browser
http://securitynik.blogspot.com
http://www.gmail.com
http://www.cnn.com
http://www.washingtonpost.com
http://www.nba.com
http://www.nhl.com
https://www.youtube.com
http://www.portableapps.com
http://www.sourceforge.net
Videos played from
http://www.youtube.com
Search for “Linux Security”
https://www.youtube.com/watch?v=Liw86dRI0Qo
https://www.youtube.com/watch?v=Liw86dRI0Qo
https://www.youtube.com/watch?v=c_PZvA9qi2k
Files downloaded from sourceforge.net
http://sourceforge.net/projects/clamwin/?source=directory
http://sourceforge.net/projects/ophcrack/?source=directory
http://sourceforge.net/projects/shielausbshield/?source=directory
http://sourceforge.net/projects/modbus-traffic-generator/?source=directory
Files downloaded from portable apps:
http://portableapps.com/apps/music_video/aimp-portable
http://portableapps.com/apps/music_video/cdex_portable
http://portableapps.com/apps/music_video/audacity_portable
Now that we have laid out the information relating to the test, in part two we will look at the actual analysis. See you there.
The objective of this post is to quickly determine, through the use of Splunk, who enabled a particular account.
Using the search "SecurityNik" produced "28,376 events (before 7/10/15 11:13:04.000 AM)".
The search above was run across "All Time".
From below, we see that on "07/08/2015 06:31:55 PM" the "SecurityNik" account was disabled by user "OtherAdmin" on computer "SecurityNik_DC.securitynik.com". "SecurityNik_DC.securitynik.com" is one of the Domain Controllers.
07/08/2015 06:31:55 PM
EventCode=4738
Message=A user account was changed
ComputerName=SecurityNik_DC.securitynik.com
Subject:
Security ID: SECURITYNIK\OtherAdmin
Logon ID: 0x13309228
Target Account:
Security ID: SECURITYNIK\SecurityNik
Old UAC Value: 0x10210
New UAC Value: 0x10211
User Account Control: Account Disabled
Below shows that the account "SecurityNik" was disabled on "03/13/2015 11:27:03 AM" by user "SecurityAdmin". While above it was disabled on the Domain Controller "SecurityNik_DC.securitynik.com", in this case it was disabled on "SECURITYNIK_TS".
03/13/2015 11:27:03 AM
EventCode=4738
Message=A user account was changed
ComputerName=SECURITYNIK_TS
Subject:
Security ID: SECURITYNIK_TS\SecurityAdmin
Logon ID: 0x85817e4d
Target Account:
Security ID: SECURITYNIK_TS\SecurityNik
Old UAC Value: 0x10
New UAC Value: 0x11
User Account Control:
Account Disabled
Analyzing "SECURITYNIK_TS"
Running the command "C:\>net user | findstr /i SecurityNik" determined that the user "SecurityNik" has an account on "SECURITYNIK_TS".
Learning more about account "SecurityNik"
Running "C:\>net user SecurityNik" shows the following (non-relevant information omitted):
User name SecurityNik
Full Name SecurityNik
Account active No
Last logon 7/20/2014 10:42:40 PM
The information above confirms that the "SecurityNik" account is disabled on computer "SECURITYNIK_TS".
"SecurityNik" account being enabled on "SECURITYNIK_TS"
Below shows that "SecurityNik" account was enabled on "SECURITYNIK_TS" by user "SecurityAdmin". Please note this "SecurityAdmin" account is for the local machine and not the Domain.
06/10/2014 04:38:00 PM
EventCode=4738
ComputerName=SECURITYNIK_TS
Message=A user account was changed.
Subject:
Security ID: SECURITYNIK_TS\SecurityAdmin
Logon ID: 0x4a072799
Target Account:
Security ID: SECURITYNIK_TS\SecurityNik
User Account Control:
Account Enabled
"SecurityNik" account being enabled on "SecurityNik_DC.securitynik.com"
Below shows that the account "SecurityNik" was enabled on "06/10/2014 10:12:52 AM" by user "OtherAdmin".
06/10/2014 10:12:52 AM
EventCode=4738
ComputerName=SecurityNik_DC.securitynik.com
Message=A user account was changed.
Subject:
Security ID: SECURITYNIK\OtherAdmin
Logon ID: 0xa6644425
Target Account:
Security ID: SECURITYNIK\SecurityNik
User Account Control:
Account Enabled
The findings at this point are that for the domain "securitynik.com" the user "SecurityNik" was last enabled on "06/10/2014 10:12:52 AM" by account "OtherAdmin". In addition, the account for "SecurityNik" was also enabled on computer "SECURITYNIK_TS" by account "SecurityAdmin".
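The walk through the 4738 events above was done by reading each event by eye. As an added example (my code, not the post's and not a Splunk feature), the script below parses extracts in the same layout, classifies each change as an enable or a disable, and reports, per computer, the most recent event of each kind and the subject who caused it. The input is the four event extracts quoted in the post, re-embedded here with the Message and Logon ID lines dropped. One assumption is labelled in the code: bit 0x1 of the event's "Old/New UAC Value" is treated as the account-disabled flag, because both pairs in the post (0x10 to 0x11, 0x10210 to 0x10211) are labelled "Account Disabled" and differ only in that bit. Function names are my own.

```python
# Added example: parse event 4738 extracts and answer "who enabled/disabled
# this account, and on which machine?" the way the Splunk search above does by eye.
import re
from datetime import datetime

TS_FMT = "%m/%d/%Y %I:%M:%S %p"
# Assumption: bit 0x1 of the event's Old/New UAC Value is the account-disabled
# flag. Both pairs quoted in the post (0x10 -> 0x11 and 0x10210 -> 0x10211) are
# labelled "Account Disabled" and differ only in that bit.
ACCOUNT_DISABLED_BIT = 0x1

# Sample input: the four event extracts quoted in the post (Message and Logon ID lines dropped).
EVENTS = r"""
07/08/2015 06:31:55 PM
EventCode=4738
ComputerName=SecurityNik_DC.securitynik.com
Subject:
Security ID: SECURITYNIK\OtherAdmin
Target Account:
Security ID: SECURITYNIK\SecurityNik
Old UAC Value: 0x10210
New UAC Value: 0x10211
User Account Control: Account Disabled

03/13/2015 11:27:03 AM
EventCode=4738
ComputerName=SECURITYNIK_TS
Subject:
Security ID: SECURITYNIK_TS\SecurityAdmin
Target Account:
Security ID: SECURITYNIK_TS\SecurityNik
Old UAC Value: 0x10
New UAC Value: 0x11
User Account Control:
Account Disabled

06/10/2014 04:38:00 PM
EventCode=4738
ComputerName=SECURITYNIK_TS
Subject:
Security ID: SECURITYNIK_TS\SecurityAdmin
Target Account:
Security ID: SECURITYNIK_TS\SecurityNik
User Account Control:
Account Enabled

06/10/2014 10:12:52 AM
EventCode=4738
ComputerName=SecurityNik_DC.securitynik.com
Subject:
Security ID: SECURITYNIK\OtherAdmin
Target Account:
Security ID: SECURITYNIK\SecurityNik
User Account Control:
Account Enabled
"""


def parse_events(text):
    """One dict per blank-line-separated record. Keys under a "Subject:" or
    "Target Account:" header are prefixed so the two "Security ID" lines stay apart."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        ev, section, pending = {"timestamp": datetime.strptime(lines[0], TS_FMT)}, "", None
        for line in lines[1:]:
            if "=" in line and ":" not in line.split("=", 1)[0]:   # EventCode=4738
                key, val = line.split("=", 1)
                ev[key.strip()] = val.strip()
            elif ":" in line:                                      # Key: value
                key, val = (s.strip() for s in line.split(":", 1))
                if not val and key in ("Subject", "Target Account"):
                    section = key
                elif val:
                    ev[f"{section}/{key}" if section else key] = val
                else:
                    pending = f"{section}/{key}" if section else key  # value is on the next line
            elif pending:                                          # continuation line
                ev[pending], pending = line, None
        events.append(ev)
    return events


def classify(ev):
    """'enabled', 'disabled' or 'other' for one 4738 event: prefer the UAC bit
    diff, fall back to the descriptive "User Account Control" text."""
    old = ev.get("Target Account/Old UAC Value")
    new = ev.get("Target Account/New UAC Value")
    if old and new:
        was = int(old, 16) & ACCOUNT_DISABLED_BIT
        now = int(new, 16) & ACCOUNT_DISABLED_BIT
        return "disabled" if now and not was else "enabled" if was and not now else "other"
    text = ev.get("Target Account/User Account Control", "")
    return {"Account Enabled": "enabled", "Account Disabled": "disabled"}.get(text, "other")


def last_change(events, target, action):
    """{computer: (timestamp, subject SID)} of the most recent 4738 event that
    applied `action` ('enabled'/'disabled') to the account named `target`."""
    latest = {}
    for ev in events:
        who = ev.get("Target Account/Security ID", "").split("\\")[-1]
        if ev.get("EventCode") != "4738" or who.lower() != target.lower():
            continue
        if classify(ev) != action:
            continue
        host = ev["ComputerName"]
        if host not in latest or ev["timestamp"] > latest[host][0]:
            latest[host] = (ev["timestamp"], ev["Subject/Security ID"])
    return latest
```

Calling `last_change(parse_events(EVENTS), "SecurityNik", "enabled")` returns one entry for the domain controller (OtherAdmin, 06/10/2014 10:12:52 AM) and one for SECURITYNIK_TS (the local SecurityAdmin), which is the same conclusion the post reaches; keying the result by ComputerName is what keeps the local account on the terminal server from being confused with the domain account of the same name.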