Thursday, September 3, 2015

Browser Forensics Investigation with Mandiant Redline - Part 2

In part one, we established our criteria for testing; now let's see how well Redline does.


Initial Configuration

Redline has been configured to use all installed browsers. This is achieved by not specifying any particular browser and instead leaving Redline to identify data from every browser installed on the system.

The figure below shows the Redline configuration for detecting browsing history.


Initial Data Retrieval

The figure below shows the results retrieved from the system. As can be seen, no entry was returned for Project Spartan or Opera 11.


Filtering Data

Redline provides the ability to filter data based on multiple criteria such as “contains”, “equals”, regex, etc.

The figure below shows the filter options available in Mandiant’s Redline. These filters make looking for specific data relatively easy.


Searching

In addition to filtering, Redline provides the ability to search across one or more fields using regular expressions (regex). This can help tremendously in quickly identifying patterns across the data, reducing the time needed to capture the same or similar data patterns.

The figure below shows Redline’s search capabilities using regex.


Tagging

The ability to “tag” an entry, recording its priority, its importance, or what action should be taken on it, is critical for focusing on the things which are considered relevant to your investigation. Redline’s tags use various colors and numbers from 0 to 6, each with an action which you may tag items with.

The figure below shows Redline’s various tags.


Cookies

Redline’s ability to identify and extract the contents of cookies within the one tool is very important. Some of the information reported for each cookie includes its name, file path, contents, and creation and expiration dates.

The figure below shows an extract of some of the information retrieved from the various cookies.


Download history

It’s critical to be able to identify any files which were downloaded during the browsing activity. Redline provides the “Download Type”, the “URL” from which the download occurred, the “Target Directory” where the file was saved, its “Filename”, the number of “Bytes Downloaded”, etc.

The figure below shows Redline’s File Download History.

Timeline

Timeline analysis is very important to the forensics process. It provides the analyst with the ability to pinpoint exactly when an event occurred. The analyst can then correlate this information with data from other sources to get a clearer picture and context of what may have transpired.

By default, Redline provides fields such as “Created”, “Modified”, “Changed”, etc., as shown in figure 11 below.


In addition, timelines can be viewed by “Users”, “TimeWrinkles”, “TimeCrunches”, “Processes”, etc.

Time Wrinkles allow you to select a date and time and then specify a number of minutes before and after that point for which you would like to see information.

The figure below shows the TimeWrinkle configuration.

Tags and Comments

Being able to tag and leave notes about items you identify during the forensics process is just as important as identifying the events. Redline’s “Tags and Comments” provides the ability to leave notes on identified items while allowing the analyst to record how important each one is to the task being performed.

Well, that's it for a detailed look at using Mandiant Redline to perform browser forensics investigations. In part one we laid the foundation of the testing, and in this part two we looked at how we can use Redline to verify that information.

Browser Forensics Investigation with Mandiant Redline - Part 1

When performing a forensic investigation, every piece or source of information becomes relevant. In this post, we will focus on the information which we can learn from browsers. For this post I will use Mandiant Redline; however, there are many tools out there which can perform a similar function.

Redline is considered Mandiant’s premier free tool for host investigative capabilities (Mandiant, 2015). While Redline has the ability to audit and collect running processes and drivers from memory, file system metadata, registry data, event logs, network information, services and tasks (Mandiant, 2015), the objective of this post is to evaluate its web history component.

The figure below shows Mandiant's Redline Main Screen.


OS used

Windows 10 Insider Preview

Browsers Tested

Firefox v39.0
Internet Explorer v11.0
Google Chrome v43.0.2357.134 m
Opera v30.0.1835.125
Project Spartan (Microsoft Windows [Version 10.0.10130])

Functional Analysis

This analysis will test Redline's ability to identify the following from all browsers:
Links visited
Date visited
Time visited
Cookies
Search entries
Action taken
Browser used
Files downloaded

Links opened within each browser

http://securitynik.blogspot.com
http://www.gmail.com
http://www.cnn.com
http://www.washingtonpost.com
http://www.nba.com
http://www.nhl.com
https://www.youtube.com
http://www.portableapps.com
http://www.sourceforge.net


Videos played from

http://www.youtube.com
Search for “Linux Security”
https://www.youtube.com/watch?v=Liw86dRI0Qo
https://www.youtube.com/watch?v=Liw86dRI0Qo
https://www.youtube.com/watch?v=c_PZvA9qi2k


Files downloaded from sourceforge.net

http://sourceforge.net/projects/clamwin/?source=directory
http://sourceforge.net/projects/ophcrack/?source=directory
http://sourceforge.net/projects/shielausbshield/?source=directory
http://sourceforge.net/projects/modbus-traffic-generator/?source=directory


Files downloaded from portable apps:

http://portableapps.com/apps/music_video/aimp-portable
http://portableapps.com/apps/music_video/cdex_portable
http://portableapps.com/apps/music_video/audacity_portable

Now that we have laid out the information relating to the test, in part two we will look at the actual analysis. See you there.



Splunk Investigation - Who Enabled That Account

The objective of this post is to quickly determine, through the use of Splunk, who enabled a particular account.

Searching for "SecurityNik" produced "28,376 events (before 7/10/15 11:13:04.000 AM)". This search was run across "All Time".

From the event below, we see that on "07/08/2015 06:31:55 PM" the "SecurityNik" account was disabled by user "OtherAdmin" on computer "SecurityNik_DC.securitynik.com", which is one of the Domain Controllers.

07/08/2015 06:31:55 PM
    EventCode=4738
    Message=A user account was changed
    ComputerName=SecurityNik_DC.securitynik.com

    Subject:
        Security ID:    SECURITYNIK\OtherAdmin
        Logon ID:    0x13309228

    Target Account:
        Security ID:    SECURITYNIK\SecurityNik

        Old UAC Value:    0x10210
        New UAC Value:    0x10211

        User Account Control:    Account Disabled

The event below shows that the account "SecurityNik" was also disabled on "03/13/2015 11:27:03 AM" by user "SecurityAdmin". While above it was disabled on the Domain Controller "SecurityNik_DC.securitynik.com", in this case it was disabled on "SECURITYNIK_TS".

03/13/2015 11:27:03 AM
    EventCode=4738
    Message=A user account was changed
    ComputerName=SECURITYNIK_TS

    Subject:
        Security ID:    SECURITYNIK_TS\SecurityAdmin
        Logon ID:    0x85817e4d

    Target Account:
        Security ID:    SECURITYNIK_TS\SecurityNik

        Old UAC Value:    0x10
        New UAC Value:    0x11

        User Account Control:
            Account Disabled



Analyzing "SECURITYNIK_TS"

Running the command "C:\>net user | findstr /i SecurityNik" determined that the user "SecurityNik" has an account on "SECURITYNIK_TS".
   

Learning more about account "SecurityNik"

Running "C:\>net user SecurityNik" shows the following (non-relevant information has been removed):
    User name                    SecurityNik
    Full Name                    SecurityNik
    Account active               No
    Last logon                   7/20/2014 10:42:40 PM
   
The information above confirms that the "SecurityNik" account is disabled on computer "SECURITYNIK_TS".


"SecurityNik" account being enabled on "SECURITYNIK_TS"

The event below shows that the "SecurityNik" account was enabled on "SECURITYNIK_TS" by user "SecurityAdmin". Please note that this "SecurityAdmin" account is a local account on that machine and not a Domain account.

06/10/2014 04:38:00 PM
    EventCode=4738
    ComputerName=SECURITYNIK_TS
    Message=A user account was changed.

    Subject:
        Security ID:    SECURITYNIK_TS\SecurityAdmin
        Logon ID:        0x4a072799

    Target Account:
        Security ID:    SECURITYNIK_TS\SecurityNik

    User Account Control:
        Account Enabled


"SecurityNik" account being enabled on "SecurityNik_DC.securitynik.com"

The event below shows that the account "SecurityNik" was enabled on "06/10/2014 10:12:52 AM" by user "OtherAdmin".
06/10/2014 10:12:52 AM
    EventCode=4738
    ComputerName=SecurityNik_DC.securitynik.com
    Message=A user account was changed.

    Subject:
        Security ID:    SECURITYNIK\OtherAdmin
        Logon ID:        0xa6644425

    Target Account:
        Security ID:    SECURITYNIK\SecurityNik

    User Account Control:
        Account Enabled


The findings at this point are that, for the domain "securitynik.com", user "SecurityNik" was last enabled on "06/10/2014 10:12:52 AM" by account "OtherAdmin". In addition, the local account for "SecurityNik" on computer "SECURITYNIK_TS" was enabled by the local account "SecurityAdmin".
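As an added example (my own code, not part of the original post), the following Python reduces 4738 records like the ones above to who enabled or disabled which account, where and when, and reports the most recent enabler per computer, so the domain and the local answer come out separately as they did in this investigation. The sample records are constructed from the four events quoted in this post, and the meaning of bit 0x1 in the UAC value is taken from those same records (0x10 -> 0x11 is labelled "Account Disabled"); records with no UAC values fall back to the text field.

```python
import re
from datetime import datetime

# Bit 0x1 of the "Old/New UAC Value" in event 4738 is "Account Disabled" (this is the event's own
# flag encoding, not raw userAccountControl): the post's 0x10 -> 0x11 and 0x10210 -> 0x10211 both set it.
UAC_DISABLED = 0x1

# Constructed sample: the four 4738 records quoted in this post, in the layout Splunk showed them.
SAMPLE_EVENTS = [
    "07/08/2015 06:31:55 PM\n EventCode=4738\n ComputerName=SecurityNik_DC.securitynik.com\n Subject:\n"
    "  Security ID: SECURITYNIK\\OtherAdmin\n Target Account:\n  Security ID: SECURITYNIK\\SecurityNik\n"
    " Old UAC Value: 0x10210\n New UAC Value: 0x10211\n User Account Control: Account Disabled",
    "03/13/2015 11:27:03 AM\n EventCode=4738\n ComputerName=SECURITYNIK_TS\n Subject:\n"
    "  Security ID: SECURITYNIK_TS\\SecurityAdmin\n Target Account:\n  Security ID: SECURITYNIK_TS\\SecurityNik\n"
    " Old UAC Value: 0x10\n New UAC Value: 0x11\n User Account Control:\n  Account Disabled",
    "06/10/2014 04:38:00 PM\n EventCode=4738\n ComputerName=SECURITYNIK_TS\n Subject:\n  Security ID: SECURITYNIK_TS\\SecurityAdmin\n"
    " Target Account:\n  Security ID: SECURITYNIK_TS\\SecurityNik\n User Account Control:\n  Account Enabled",
    "06/10/2014 10:12:52 AM\n EventCode=4738\n ComputerName=SecurityNik_DC.securitynik.com\n Subject:\n  Security ID: SECURITYNIK\\OtherAdmin\n"
    " Target Account:\n  Security ID: SECURITYNIK\\SecurityNik\n User Account Control:\n  Account Enabled",
]
def field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None
def parse_4738(event):
    """Who (subject) changed which account (target), where, when, and whether it was enabled or disabled."""
    if field(r"EventCode=(\d+)", event) != "4738":
        return None
    old, new = field(r"Old UAC Value:\s*(0x\w+)", event), field(r"New UAC Value:\s*(0x\w+)", event)
    if old and new:  # the bit change is unambiguous even when the text lists several flags
        was, now = int(old, 16) & UAC_DISABLED, int(new, 16) & UAC_DISABLED
        action = "disabled" if now and not was else "enabled" if was and not now else None
    else:  # the two enable records in the post carry no UAC values, so fall back to the text
        text = field(r"User Account Control:\s*Account (Enabled|Disabled)", event)
        action = text.lower() if text else None
    return {
        "time": datetime.strptime(field(r"^(\S+ \S+ [AP]M)", event), "%m/%d/%Y %I:%M:%S %p"),
        "computer": field(r"ComputerName=(\S+)", event),
        "subject": field(r"Subject:\s*Security ID:\s*(\S+)", event),
        "target": field(r"Target Account:\s*Security ID:\s*(\S+)", event),
        "action": action,
    }

def last_enabled_by(events, target_sam):
    """Per computer (DC or local machine), the latest record that enabled target_sam: {computer: (time, subject)}."""
    latest = {}
    for ev in filter(None, map(parse_4738, events)):
        if ev["action"] != "enabled" or ev["target"].split("\\")[-1].lower() != target_sam.lower():
            continue
        if ev["computer"] not in latest or ev["time"] > latest[ev["computer"]][0]:
            latest[ev["computer"]] = (ev["time"], ev["subject"])
    return latest
```

Calling `last_enabled_by(SAMPLE_EVENTS, "SecurityNik")` gives one entry for the Domain Controller (enabled by SECURITYNIK\OtherAdmin) and one for SECURITYNIK_TS (enabled by the local SecurityAdmin), matching the findings above.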