Cyber Investigator guide. | Computer Forensics.

This guide aims to assist investigators focused on cybercrime by providing guidance on incident handling, response, and thorough, methodical evidence processing. It is intended as a supplementary resource to support investigators and serves as a reminder rather than a standalone procedure.

Cyber Investigator Experimental Detachment

Incident handling/response.


Table of contents. Hope this helps! ^~^


Live Analysis
Static Analysis | Investigation
Incident Handling/Response: Phishing
Malware Analysis! (This is Big Brain Time d(>_< ) )
Post-Incident | Recovery Phase

State of the crime scene.

Preserving the crime scene is crucial for any investigator. Any change you make must be documented, both to minimise the risk of evidence tampering and so you can show later exactly what was altered, when, and why. If a client reports an incident, advise them to secure the area, remove all personnel from the suspected crime scene, and make sure nobody interacts with the environment (no "helpful" reboots, antivirus scans or log-ins). An incident response plan is needed to record and process the situation accurately. (One will be provided soon ^-^ / )

Upon arriving at the scene, start by interviewing the client with a few key questions to set the foundation for your investigation:

  • What do you think has happened?
  • What systems are affected?
  • How important is this system to production?
  • When was it first noticed, and what has been done to the system since (reboots, scans, log-ins)?

These questions will help you determine how to proceed. Keep in mind how critical the system is to the client: delays might cost them significant losses. If time is of the essence, they should ideally have a backup system ready for situations like this. If not, you could assist in setting up a backup (even though it’s technically not your job sooooo '-').

Whatever you do, DO NOT alter the crime scene without proper documentation. If you must process the scene quickly, prioritise live analysis (volatile data first: memory, running processes, network connections) to address the client’s urgency. Remember, though, that this limits the artefacts you can gather compared to a full imaging process (aka static analysis), and that every tool you run on a live system changes it, so record what you ran, from where, and when.

Live analysis (Acquiring evidence and investigation).

Before diving into the investigation and potentially altering evidence, start with artefact collection tools such as gKAPE (the GUI front end of KAPE) and Autopsy, or any other collection application, to capture recent activity. Another excellent option is FTK Imager, which can also acquire memory from a live system. Depending on the situation gKAPE may be sufficient, but for a more thorough investigation using both gKAPE and FTK Imager is recommended.

Start live analysis with memory, because RAM holds volatile evidence (running processes, network connections, injected code, decryption keys) that is gone the moment the machine powers off and cannot be recreated. Use FTK Imager's built-in memory acquisition or Magnet RAM Capture to capture the memory, then analyse the dump with Volatility. Write the dump to your own external drive, never to the evidence disk, and hash it as soon as the capture finishes. You can use other tools if you prefer, but I personally like using these :3

Important

Take pictures! Use your phone or a camera to photograph the scene AND take pictures/video of what you're doing to the hardware (cabling, ports, what's on screen). Documentation is key! >->


Memory acquisition using FTK Imager.

Using Volatility.


pagefile.sys analysis.

You can acquire pagefile.sys using FTK Imager or gKAPE as well (Windows keeps the file locked while running, so a plain copy fails) and extract information from it with bulk_extractor OR read it through a hex editor like ImHex !!! ^o^. You can read it in Autopsy too, but bulk_extractor is better imo :3 because it carves e-mail addresses, URLs, domains and other features out of the raw pages in a single pass.

Note

bulk_extractor can also be used to scan whole disk images as well as individual files or directories!! >.>




To keep things simple, put the bulk_extractor binary (bulk_extractor64.exe on Windows) in the same folder as your pagefile.sys and open a terminal in that folder. Then run:

    bulk_extractor64.exe -o output pagefile.sys

-o names the output directory; bulk_extractor creates it and refuses to run if it already exists and isn't empty, so pick a fresh name per run.



Once it's finished you can analyse the output using your favourite text editor...I'm using Notepad but I know you'll use something cooler '-'



You'll need to analyse this closely and have a goal in mind. What is it you're looking for ?

An application (.exe) ? A background process/service ? A specific thumbnail/image ?

Alternatively, you can use Belkasoft, though I personally don’t have much experience with it. With Belkasoft you can easily analyse pagefile.sys and view its contents, including images and thumbnails from websites. Plus, it has a GUI, sooo... that’s poggers. BUT! the outputs from bulk_extractor are already sufficient.

Important

Use whatever tools you feel comfortable with, do some scenarios with them! >.>


gKAPE.

gKAPE is a powerful tool to have in your arsenal. Think of it as a collection of tools within a tool, so uhh that's convenient! :3 Its Targets collect Windows event logs, registry hives and much more, and its Modules run other tools against the collected data or the live system. Modules exist for Magnet RAM Capture (memory acquisition for live analysis), Hayabusa and many others; KAPE does not ship those third-party binaries, so download them yourself and drop them into the Modules\bin folder before you go on site. This is a must have on your USB!! ^o^

Recommended way of using gKAPE.

One way of using gKAPE is selecting the BasicCollection and SANS_Triage targets. By choosing these, you grab event logs and registry hives, which are crucial for identifying what happened during the incident, along with other artefacts that give insight into the system’s behaviour, user activity and potential malicious actions. Both targets are great for quickly gathering key data, sooo it's poggers for live analysis. Point the destination at your own drive, never at the evidence disk. From there, you can analyse the collected data for clues to track down the malicious activity.


Here's some example of the results from gKAPE.


History of launched applications from the system | PcaAppLaunchDic.txt.


Background application processes log | PcaGeneralDb0.txt.


Windows Defender log | MPLog-69420.log (the real file is named MPLog-MMDDYYYY-HHMMSS.log and lives in C:\ProgramData\Microsoft\Windows Defender\Support; and yes, I know it's Microsoft Defender '-').


Event log analysis (sorta >->)

The Windows Event Log (the .evtx files under C:\Windows\System32\winevt\Logs) is absolutely the most useful source you have. Windows records what happens to the system there, so if the computer did something, the event log probably knows about it, and analysing it in detail gives insight into what happened or what's happening! Check these three logs first: Microsoft-Windows-Windows Defender%4Operational.evtx, Security.evtx and System.evtx. Now, usually you should have a laptop on site...right ? If you do, copy the .evtx files and analyse them on your own machine with EventLogExpert. BUT! you can also use the Event Viewer built into Windows, just keep in mind you're then working on the evidence machine, so uhhh '-'

Microsoft-Windows-Windows Defender%4Operational.evtx

This log records what Defender is doing: detections, the actions it took and configuration changes. It's the structured counterpart to MPLog, which is the verbose text log. It comes in handy if you're looking for anything suspicious like Defender being disabled or its settings being changed by the user (or the malware). Useful event IDs: 1116 (malware detected), 1117 (action taken), 5001 (real-time protection disabled) and 5007 (configuration changed, e.g. an exclusion path added). Use MPLog as well to correlate the events :3

Security.evtx

This is a crucial event log to analyse... Well, I mean, all logs are important, but this one is especially handy >->.

Security.evtx is the audit log. What gets recorded depends on the audit policy, but by default it tracks logons and logoffs (4624 successful logon, 4625 failed logon, 4634/4647 logoff, each with a Logon Type that tells you console, network, RDP and so on), privileged logons (4672, special privileges assigned to a new logon; this is where administrative sessions show up), account changes (4720 account created, 4732 member added to a local group, 4738 account changed) and 1102 when someone clears the log. If process creation auditing is enabled you also get 4688 with the command line. UAC prompts themselves are not logged as such, but the elevated process that results from one shows up through 4672 and 4688, so you can still see which applications ran with admin rights and when.

This is why RBAC (Role-Based Access Control) is so important! :> fewer accounts with admin rights means fewer privileged logons to chase. In short, this event log keeps track of security events.
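The pattern you most often hunt for in Security.evtx is a burst of 4625 failures from one source address followed by a 4624 success from the same address, i.e. a brute force or password spray that worked. The following is an added example (not code from this guide or from any tool named in it) that implements that check over constructed records shaped like the 4624/4625 EventData fields TargetUserName, LogonType and IpAddress; a real run would take those fields from an .evtx parser or from Get-WinEvent exported to JSON.

```python
"""Find brute-force / password-spray attempts that ended in a successful logon.

Added example, not the guide's code. SAMPLE_LOGONS is constructed to look like the
EventData of 4625 (failed logon) and 4624 (successful logon) records pulled from
Security.evtx. The threshold and window are assumptions to tune per environment."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive (RDP)",
               11: "CachedInteractive"}

SAMPLE_LOGONS = [  # constructed records
    {"time": "2024-11-25T09:00:01", "id": 4625, "user": "administrator", "logon_type": 3, "ip": "10.0.0.99"},
    {"time": "2024-11-25T09:00:05", "id": 4625, "user": "admin", "logon_type": 3, "ip": "10.0.0.99"},
    {"time": "2024-11-25T09:00:09", "id": 4625, "user": "backup", "logon_type": 3, "ip": "10.0.0.99"},
    {"time": "2024-11-25T09:00:14", "id": 4625, "user": "svc_backup", "logon_type": 3, "ip": "10.0.0.99"},
    {"time": "2024-11-25T09:00:19", "id": 4625, "user": "svc_backup", "logon_type": 3, "ip": "10.0.0.99"},
    {"time": "2024-11-25T09:00:25", "id": 4625, "user": "svc_backup", "logon_type": 3, "ip": "10.0.0.99"},
    {"time": "2024-11-25T09:00:40", "id": 4624, "user": "svc_backup", "logon_type": 10, "ip": "10.0.0.99"},
    # A user mistyping a password once at the console and then getting in: normal noise.
    {"time": "2024-11-25T09:05:00", "id": 4625, "user": "j.doe", "logon_type": 2, "ip": "-"},
    {"time": "2024-11-25T09:05:07", "id": 4624, "user": "j.doe", "logon_type": 2, "ip": "-"},
    # Two failures then success from another host: below the threshold, not reported.
    {"time": "2024-11-25T09:10:00", "id": 4625, "user": "admin", "logon_type": 3, "ip": "10.0.0.5"},
    {"time": "2024-11-25T09:10:03", "id": 4625, "user": "admin", "logon_type": 3, "ip": "10.0.0.5"},
    {"time": "2024-11-25T09:10:09", "id": 4624, "user": "admin", "logon_type": 3, "ip": "10.0.0.5"},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def failures_by_source(events):
    """Count 4625s per source address; spray sources float to the top."""
    return Counter(ev["ip"] for ev in events if ev["id"] == 4625)


def brute_force_successes(events, threshold=5, window=timedelta(minutes=10)):
    """Each remote 4624 preceded by >= threshold 4625s from the same IP within window."""
    recent_fails = defaultdict(list)
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = parse_ts(ev["time"])
        if ev["id"] == 4625:
            recent_fails[ev["ip"]].append(t)
        elif ev["id"] == 4624 and ev["logon_type"] in (3, 8, 10):   # network, cleartext, RDP: remote only
            fails = [f for f in recent_fails[ev["ip"]] if t - f <= window]
            if len(fails) >= threshold:
                hits.append({"ip": ev["ip"], "user": ev["user"], "failures": len(fails),
                             "logon_type": LOGON_TYPES.get(ev["logon_type"], str(ev["logon_type"])),
                             "success_at": ev["time"]})
    return hits


if __name__ == "__main__":
    print(failures_by_source(SAMPLE_LOGONS).most_common(3))
    for hit in brute_force_successes(SAMPLE_LOGONS):
        print(f"{hit['success_at']} {hit['ip']} -> {hit['user']} via {hit['logon_type']} after {hit['failures']} failures")
```

Run it against the sample and only the 10.0.0.99 sequence is reported; the console typo and the two-failure host are dropped by the logon-type filter and the threshold respectively. A 4624 hit like this is where you then pull 4672 (did the account land with admin privileges?) and 4688 (what ran next?) for the same LogonId.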

System.evtx

System.evtx stores system event records on Windows. It's the log Event Viewer shows under Windows Logs > System and is used for troubleshooting system operations, so if a driver, a service or the kernel itself reports an error, it lands here.

This event log provides valuable information about system processes and services, including any error codes that may help identify issues.

  • Hardware Events: Logs issues or changes involving hardware, such as driver updates, device disconnections, or hardware failures.
  • System Services: Tracks the startup, shutdown, and behavior of essential Windows services.
  • System Errors: Records critical issues affecting the operating system's stability or functionality, such as blue screens or kernel errors.
  • Startup and Shutdown: Includes details about boot processes and shutdown operations.

From time to time it’s useful to track the uptime of a system or determine when it was turned on or off; this narrows your investigation to a specific time window. The cleanest markers are the components that always log at boot and shutdown: the Event Log service itself (6005 started, 6006 stopped, 6013 uptime, 6008 previous shutdown was unexpected), Kernel-General (12 operating system started, 13 shutting down, 20 last shutdown's success status) and Kernel-Power (109 shutdown transition, 41 rebooted without a clean shutdown). Event 1074 from User32 tells you which process asked for the shutdown and on whose behalf: Explorer.EXE for a user clicking Restart or Shut down, wininit.exe when a critical process such as lsass.exe died and Windows forced a reboot.

| Use case | Order | Logfile | Source | Level | Event ID | Description |
|---|---|---|---|---|---|---|
| Planned reboot (or shutdown) | 1 | System | User32 | Info | 1074 | The process Explorer.EXE has initiated the restart (or shutdown) of computer on behalf of user Administrator. |
| | 2 | System | EventLog | Info | 6006 | The Event log service was stopped. |
| | 3 | System | Kernel-Power | Info | 109 | The kernel power manager has initiated a shutdown transition. |
| | 4 | System | Kernel-General | Info | 13 | The operating system is shutting down at system time 2024-11-25T08:11:45.765230100Z. |
| | 5 (next boot) | System | Kernel-General | Info | 20 | The last shutdown's success status was true. |
| | 6 | System | Kernel-General | Info | 12 | The operating system started at system time 2024-11-25T08:12:32.486934500Z. |
| | 7 | System | EventLog | Info | 6005 | The Event log service was started. |
| | 8 | System | EventLog | Info | 6013 | The system uptime is 10 seconds. |
| Unexpected shutdown | 1 | System | Kernel-General | Info | 12 | The operating system started at system time 2024-11-25T08:12:32.486934500Z. |
| | 2 | System | Kernel-General | Info | 20 | The last shutdown's success status was false. |
| | 3 | System | Kernel-Power | Critical | 41 | The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly. |
| | 4 | System | EventLog | Error | 6008 | The previous system shutdown at 02:11:03 PM on 2024-11-25 was unexpected. |
| | 5 | System | EventLog | Info | 6005 | The Event log service was started. |
| | 6 | System | EventLog | Info | 6013 | The system uptime is 10 seconds. |
| | 7 | System | User32 | Warning | 1076 | The reason supplied by user Administrator for the last unexpected shutdown of this computer is: (check the reason text and the process name). |
| LSASS process crash | 1 | System | User32 | Info | 1074 | The process wininit.exe has initiated the restart of computer on behalf of user TRFSF01 (wininit forces the reboot because lsass.exe terminated unexpectedly). |
| | 2 | System | Kernel-General | Info | 12 | The operating system started at system time 2024-11-25T08:12:32.486934500Z. |
| | 3 | System | Kernel-General | Info | 20 | The last shutdown's success status was true. |
| | 4 | System | EventLog | Error | 6008 | The previous system shutdown at 01:21:34 PM on 2024-11-25 was unexpected. |
| | 5 | System | EventLog | Info | 6005 | The Event log service was started. |
| | 6 | System | EventLog | Info | 6013 | The system uptime is 10 seconds. |
| | 7 | System | User32 | Warning | 1076 | The reason supplied by user Administrator for the last unexpected shutdown of this computer is: (check the reason text and the process name). |

The Source column is the provider name as Event Viewer shows it (Kernel-General is Microsoft-Windows-Kernel-General, Kernel-Power is Microsoft-Windows-Kernel-Power). A planned shutdown produces the same chain as a planned reboot; 1074 says "shutdown" instead of "restart", and steps 5 to 8 appear when the machine is next powered on. Note that 6008 reports the last-known-alive time in local time, while 12 and 13 use UTC.

Use the table above to find the information you need for your investigation! You can search for more, but these are the ones I find useful ^-^
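Turning that table into boot windows by hand gets tedious once a machine has rebooted a dozen times, so here is an added example (not code from this guide) that walks System-log records in time order and pairs each boot (Kernel-General 12) with the shutdown that preceded it, classifying it as planned (User32 1074 plus EventLog 6006) or unexpected (Kernel-Power 41 or EventLog 6008). The records are constructed to mirror the table above; real ones would come from an .evtx parser such as python-evtx or from Get-WinEvent exported to JSON, and the sample assumes the machine clock was UTC so the local-time text in 6008 lines up with the other timestamps.

```python
"""Reconstruct power-off/power-on windows from System log events.

Added example; it is not part of the guide. SAMPLE_EVENTS is constructed to mirror the
event table above (User32 1074/1076, EventLog 6005/6006/6008, Kernel-General 12,
Kernel-Power 41). Timestamps are assumed to be UTC ISO-8601 strings and the machine's
local clock is assumed to be UTC for the text inside the 6008 message."""
import re
from datetime import datetime, timezone

SAMPLE_EVENTS = [  # constructed, chronological
    {"time": "2024-11-25T08:11:40Z", "provider": "User32", "id": 1074,
     "message": "The process Explorer.EXE has initiated the restart of computer WS01 on behalf of user Administrator."},
    {"time": "2024-11-25T08:11:44Z", "provider": "EventLog", "id": 6006,
     "message": "The Event log service was stopped."},
    {"time": "2024-11-25T08:12:32Z", "provider": "Microsoft-Windows-Kernel-General", "id": 12,
     "message": "The operating system started at system time 2024-11-25T08:12:32.486934500Z."},
    {"time": "2024-11-25T08:12:42Z", "provider": "EventLog", "id": 6005,
     "message": "The Event log service was started."},
    # Second cycle: the plug was pulled at 14:11, so there is no 1074/6006, only the dirty-boot trail.
    {"time": "2024-11-25T14:30:10Z", "provider": "Microsoft-Windows-Kernel-General", "id": 12,
     "message": "The operating system started at system time 2024-11-25T14:30:10.000000000Z."},
    {"time": "2024-11-25T14:30:11Z", "provider": "Microsoft-Windows-Kernel-Power", "id": 41,
     "message": "The system has rebooted without cleanly shutting down first."},
    {"time": "2024-11-25T14:30:20Z", "provider": "EventLog", "id": 6005,
     "message": "The Event log service was started."},
    {"time": "2024-11-25T14:30:21Z", "provider": "EventLog", "id": 6008,
     "message": "The previous system shutdown at 02:11:03 PM on 2024-11-25 was unexpected."},
    {"time": "2024-11-25T14:31:00Z", "provider": "User32", "id": 1076,
     "message": "The reason supplied by user Administrator for the last unexpected shutdown of this computer is: Power failure."},
]

RE_1074 = re.compile(r"process (\S+) has initiated the (restart|shutdown|power off) of computer \S+ on behalf of user (\S+)")
RE_6008 = re.compile(r"shutdown at (\d{1,2}:\d{2}:\d{2} [AP]M) on (\d{4}-\d{2}-\d{2})")


def parse_iso(ts):
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def power_windows(events):
    """One dict per boot (Kernel-General 12): when the box went down, how, by whom, and the gap."""
    windows, pending = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        eid, prov, msg = ev["id"], ev["provider"], ev["message"]
        if eid == 1074 and prov == "User32":                      # who asked for the shutdown
            m = RE_1074.search(msg)
            if m:
                pending["initiator"] = f"{m.group(1)} on behalf of {m.group(3).rstrip('.')}"
                pending["kind"] = "planned " + m.group(2)
        elif eid == 6006 and prov == "EventLog":                  # clean stop of the log service
            pending["shutdown_at"] = parse_iso(ev["time"])
        elif eid == 12 and prov.endswith("Kernel-General"):       # boot: close the window
            boot = parse_iso(ev["time"])
            win = {"boot_at": boot, "shutdown_at": pending.get("shutdown_at"),
                   "kind": pending.get("kind", "unknown"), "initiator": pending.get("initiator"),
                   "downtime_s": None, "reason": None}
            if win["shutdown_at"]:
                win["downtime_s"] = int((boot - win["shutdown_at"]).total_seconds())
            windows.append(win)
            pending = {}
        elif eid in (41, 6008) and windows:                       # dirty-shutdown markers logged on the next boot
            windows[-1]["kind"] = "unexpected"
            m = RE_6008.search(msg) if eid == 6008 else None
            if m:  # 6008 carries the last-known-alive time as local, locale-formatted text (en-US here)
                down = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%Y-%m-%d %I:%M:%S %p").replace(tzinfo=timezone.utc)
                windows[-1]["shutdown_at"] = down
                windows[-1]["downtime_s"] = int((windows[-1]["boot_at"] - down).total_seconds())
        elif eid == 1076 and windows:                             # operator-supplied reason after a dirty shutdown
            windows[-1]["reason"] = msg.split(": ", 1)[-1].rstrip(".")
    return windows


if __name__ == "__main__":
    for w in power_windows(SAMPLE_EVENTS):
        print(f"{w['kind']:>16} | down {w['shutdown_at']} | up {w['boot_at']} | {w['downtime_s']}s | {w['initiator'] or w['reason']}")
```

The first window comes out as a 48-second planned restart by Explorer.EXE on behalf of Administr­ator; the second as an unexpected shutdown with a 19-minute gap, which is exactly the "the machine was off between X and Y, and nobody asked it to be" statement you want in a timeline. The 6008 date format is locale dependent, so adjust RE_6008 and the strptime pattern to the evidence machine's locale.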

Registry analysis

Registry analysis is a broad topic, but when dealing with malware or anything fishy ;3, the Windows Registry is almost always touched: persistence keys, evidence of execution, devices that were plugged in. It’s important to know where to look in the registry to uncover potential malicious activity. >-<

To analyse the registry, use a tool such as Registry Explorer, which reads the hive files you’ve acquired, whether through gKAPE or by manually extracting them :3 Two things to remember with offline hives: CurrentControlSet doesn't exist on disk (it's a pointer), so read SYSTEM\Select\Current and substitute ControlSet001 or whichever number it names in the paths below; and grab the transaction logs (.LOG1/.LOG2) next to each hive so the parser can replay the last changes that were never flushed to the hive itself.

| System info and accounts | Path |
|---|---|
| OS version | SOFTWARE\Microsoft\Windows NT\CurrentVersion |
| Current control set | SYSTEM\Select\Current (which ControlSet00X is live) and SYSTEM\Select\LastKnownGood |
| Computer name | SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName |
| Time zone information | SYSTEM\CurrentControlSet\Control\TimeZoneInformation |
| Network interfaces | SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces |
| Past networks (profile name, first/last connected) | SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles |
| | SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged |
| Autostart programs (autoruns) | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run |
| | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce |
| | SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| | SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run |
| | SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce |
| Services (another favourite persistence spot) | SYSTEM\CurrentControlSet\Services |
| SAM hive and user information | SAM\Domains\Account\Users |

| File/folder usage or knowledge | Path |
|---|---|
| Recent files | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs |
| Office recent files | NTUSER.DAT\Software\Microsoft\Office\VERSION\<Application>\File MRU |
| | NTUSER.DAT\Software\Microsoft\Office\VERSION\<Application>\User MRU\LiveId_####\File MRU |
| Shellbags (folders browsed in Explorer, even on removed media) | USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags |
| | USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| | NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU |
| | NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags |
| Open/Save and LastVisited dialog MRUs | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU |
| | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU |
| Windows Explorer address/search bars | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths |
| | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery |

| External/USB device forensics | Path |
|---|---|
| Device identification (vendor, product, serial) | SYSTEM\CurrentControlSet\Enum\USBSTOR |
| | SYSTEM\CurrentControlSet\Enum\USB |
| First/last times | SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064 (first install), 0066 (last connected), 0067 (last removed); the values are FILETIMEs |
| USB device volume name | SOFTWARE\Microsoft\Windows Portable Devices\Devices |

| Evidence of execution | Path |
|---|---|
| UserAssist (GUI-launched programs; value names are ROT13-encoded, values hold run count and last run time) | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count |
| ShimCache (an entry means the file was seen by the compatibility subsystem, not proof it ran) | SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache |
| AmCache (includes a SHA-1 of the first 31 MB of each file) | Amcache.hve\Root\File\{Volume GUID}\#### (older builds) and Amcache.hve\Root\InventoryApplicationFile (Windows 10 1709 and later) |
| BAM/DAM (per-SID last execution time) | SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID} (Windows 10 1809 and later; older builds omit \State) |
| | SYSTEM\CurrentControlSet\Services\dam\State\UserSettings\{SID} |

You must study these registry hives carefully and understand what each category is for. This will make it easier to identify malware and track recent changes. Use the tables I've provided above as a start :3
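UserAssist is the one entry in the tables above that you can't just read off the screen: the value names are ROT13 and the data is a binary blob. The following is an added example (not from this guide) that decodes a Windows 7+ UserAssist entry into a path, a run count and a last-run timestamp. The entry it decodes is constructed in build_sample_entry() so the demo runs offline; with a real hive you would pass the raw value name and bytes from a registry parser (python-registry, or an export from Registry Explorer) to decode_entry().

```python
"""Decode UserAssist values (NTUSER.DAT\\Software\\...\\Explorer\\UserAssist\\{GUID}\\Count).

Added example, not from the guide. Value names are ROT13-encoded program paths; on
Windows 7 and later each value is 72 bytes with the run count at offset 4, focus count at
offset 8, focus time (ms) at offset 12 and the last-execution FILETIME at offset 60.
build_sample_entry() constructs a demo entry; it is not data from a real hive."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

GUID_EXECUTABLES = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"   # subkey holding .exe launches
GUID_SHORTCUTS = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"     # subkey holding .lnk launches

# Known-folder GUIDs that UserAssist substitutes for the real path prefix.
KNOWN_FOLDERS = {
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "%ProgramFiles%",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": "%ProgramFiles(x86)%",
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": "%SystemRoot%",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH   # integer maths: a float would lose 100 ns ticks at this magnitude
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_name(rot13_name):
    """ROT13 the value name, then swap known-folder GUIDs for readable prefixes."""
    name = codecs.decode(rot13_name, "rot_13")
    for guid, friendly in KNOWN_FOLDERS.items():
        name = name.replace(guid, friendly)
    return name


def decode_entry(value_name, value_data):
    if len(value_data) != 72:
        raise ValueError(f"expected a 72-byte Win7+ UserAssist value, got {len(value_data)} bytes")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", value_data, 4)
    last_ft = struct.unpack_from("<Q", value_data, 60)[0]
    return {
        "path": decode_name(value_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_s": focus_ms / 1000,
        "last_run": filetime_to_datetime(last_ft) if last_ft else None,   # zero means never recorded
    }


def build_sample_entry():
    """Constructed entry: Notepad++ launched 7 times, last at 2024-11-25 08:30 UTC."""
    path = "{6D809377-6AF0-444B-8957-A3773F02200E}\\Notepad++\\notepad++.exe"
    name = codecs.encode(path, "rot_13")
    data = struct.pack("<IIII", 0, 7, 3, 120_000)          # session id, run count, focus count, focus ms
    data += b"\x00" * 44                                     # ten 4-byte "recent launch" floats + 4 unknown bytes
    data += struct.pack("<Q", datetime_to_filetime(datetime(2024, 11, 25, 8, 30, tzinfo=timezone.utc)))
    data += b"\x00" * 4
    return name, data


if __name__ == "__main__":
    sample_name, sample_data = build_sample_entry()
    print(sample_name)                 # what you see in the hive
    print(decode_entry(sample_name, sample_data))
```

Two things worth noticing when you use this on a real hive: UEME_CTLSESSION (encoded as HRZR_PGYFRFFVBA) is a session counter, not a program, so skip it; and a last_run of None with a non-zero run_count usually means the entry was migrated from an older Windows version.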

Browser analysis (Live).

gKAPE has options to collect browser artefacts as well, BUT depending on the browser the results may vary; in this part I'll just show Google Chrome and Firefox. Use Hindsight to analyse Google Chrome artefacts and Session History Scrounger for Firefox for the Firefox session files. You can also get some login information too! :3

gKAPE Chrome and Firefox acquisition.


Analysing Firefox Artifacts using Session History Scrounger for Firefox.

You can use Session History Scrounger for Firefox to view the .baklz4 and .jsonlz4 files (mozLz4-compressed JSON) in the profile's sessionstore-backups folder; this is where Firefox stores session history, i.e. open and recently closed tabs with their navigation history.

Analysing Google Chrome with Hindsight.

Hindsight parses a Chrome (or other Chromium-based browser) profile folder: history, downloads, cookies, bookmarks, autofill and more, and gives you a timeline you can export.


Login information. (This is a little dangerous as it may tamper with evidence; I suggest doing this in the static analysis phase! >->)

This is where we might rely on our infamous counterpart to handle the tricky task of acquiring someone's login information. Please ensure this is done lawfully, with written authorisation, and only when absolutely necessary! '-'. Using HackBrowserData you can pull the user's saved logins and history in seconds. Do this last: the tool runs as the logged-on user and decrypts the browser's credential store through the OS key store (DPAPI on Windows), so it executes code on the evidence machine and writes its output there, which is why I recommend leaving it for the static analysis phase! One caveat for that phase: on Windows the saved passwords are wrapped with DPAPI keys derived from the user's logon password, so decrypting them from an image needs the user's DPAPI master key (or their password) as well as the browser files.


Important

Remember your goal here! DO NOT DO ANYTHING UNNECESSARY TO THE INVESTIGATION! >->



Static analysis.

If the system was still running when you arrived, static analysis is the second priority: volatile data first, imaging afterwards. Imaging takes a lot of time, and depending on the situation a thorough live analysis of the affected machine may suffice. When you do image, first document and then remove every storage drive in the system: check for RAID configurations, multiple disks and removable media so you don't miss an HDD, so better pay attention >->. You can use your own machine for the imaging process with tools such as FTK Imager, TestDisk or DMDE, with the evidence drive connected through a write blocker. Choose the format that fits your situation, such as raw .dd or E01.

Important

Do keep in mind, if the system uses BitLocker a raw image of the locked volume is just ciphertext until you have the key! Get the 48-digit recovery key (often escrowed in the client's Active Directory, Entra ID or the user's Microsoft account) or the password, or image the unlocked logical volume while the system is still running. Soooo better ask for it before you power anything off '-'


You can use a dedicated imaging rig like the Tableau TX1 or Atola TaskForce. These devices are purpose-built forensic imagers with write blocking and hashing built in, and they're much faster than a laptop with a USB adapter.



Important

Depending on your hardware, imaging will take AGES!!! '-'

A full image of a system can take a long time, and if it's a server you can take a vacation, come back, and it's still not finished. It's also expensive: a physical image of a 1 TB drive captures every sector, including unallocated space, so as a raw .dd file it needs another 1 TB to store (the E01 format compresses the data and embeds hashes and case metadata, so it's usually smaller). That said, you have options. Physical imaging captures everything but takes the longest. Logical imaging (selected volumes, folders or files) is faster but misses deleted data and unallocated space, which is where carving and corrupted-data recovery happen. Carefully consider the situation to decide the best approach for your investigation. Whatever you choose, hash the source and the image (MD5 and SHA-256; the imaging tools do this for you) and record the values, because that hash is how you prove later that the copy you analysed is the one you took.

Important

Use a WRITE BLOCKER. I don't care how experienced you are, a WRITE BLOCKER IS ESSENTIAL '~' (merely mounting a disk on Windows can update timestamps and journal entries).

Gathering evidence.

Once you have imaged the storage, verify the image hash, then open the image in Autopsy, an open-source digital forensics platform. It supports analysing disk images, recovering deleted files, and identifying artefacts like browser history, emails, user activity and registry changes, and provides timeline analysis, keyword searches and automated parsing of common file formats. The ingest (parsing) process may take some time; it's generally the longest part of the procedure, sooo better make some tea :3.

You can navigate easily in Autopsy, and if there are no bad sectors or corrupted/encrypted files you should see everythingggg >-> that is stored on the device. It's difficult to fit every kind of case into this one guide, so I'll cut it down a little!

If you're looking for a specific application, check C:\Windows\Prefetch (one .pf file per executable that ran, with run count and last run times) and C:\Program Files\ or C:\Program Files (x86)\ for the install itself. In a case like this, researching the application further and finding its location is easy enough...Hopefully >-< The event logs live in C:\Windows\System32\winevt\Logs and the system registry hives in C:\Windows\System32\config (NTUSER.DAT and UsrClass.dat sit under each user's profile), so you can export those from the image for analysis too. Pretty much, the key is to define your goal; once you have a clear objective, the process becomes much smoother! Just remember to be patient :3

Note

Static analysis is somewhat similar to live analysis; it's just that you're working on a verified copy rather than on the original evidence, which reduces the likelihood of evidence tampering!


Incident handling/Response: Phishing.

Let’s talk about phishing incidents. One common issue is the defacement of a client’s website. If the client has set up their web server properly, they should have a Security Information and Event Management (SIEM) system or an Intrusion Detection System (IDS) in place that records and alerts on malicious activity (an IDS detects; only an IPS or a WAF actually blocks). If that’s the case, it’s mostly about finding the logs, reviewing them, and implementing a fix to prevent the incident from happening again. But it’s not that simple.

Clients will want a thorough investigation and report done before moving into the eradication process. This is where the analysis part of the job comes in. Assuming the client has a SIEM/IDS in place, your first task is to trace where the malicious activity came from: an external address, or an internal machine that was compromised and used as a pivot. If internal machines are involved, ISOLATE them by separating them from the main network (pull the cable or move them to a quarantine VLAN rather than powering them off, so the memory evidence survives). (Talk with the company’s engineer…They don’t have one ? Welp it’s now your job :P).

Once the machines are isolated, begin the identification process. If it's a network of infected machines, it’ll take more than just you to get it done quickly. You’ll need a team to move efficiently.

Start by assigning one of your team members to interview the employees. They may have seen something unusual or noticed signs of the attack before it escalated. Meanwhile, you or another member should work on isolating the machines from the network and securing any potential entry points.

While the interviews are happening, keep an eye on the overall network. Once the network is contained, it’s time to dive into the forensics. Use your tools to analyze the compromised systems, check logs, and gather evidence that can point to how the attack occurred, what vulnerabilities were exploited, and what impact it had on the system.

It’s also essential to document every action taken during this phase; this will be crucial for building the report and providing evidence for any legal action down the line.

Note

This is assuming it’s a medium-large company if it’s small then taking it off the grid is needed MAYBE idk what you’re working with ‘ ^ ’ Act SWIFTLY!!! 'o'

  • What have you done in the past 24hr ?
  • Did you notice anything weird when using your computer ? A random CMD popped out of nowhere ? (Say a black box for the elderly >->)
  • Downloaded anything recently ?
  • Clicked on anything ?
  • Plugged a USB into this machine before ?

With these questions hopefully you can pinpoint WHEN the infection started and WHERE it originated.

Tip

Be FLEXIBLE!! Use these questions as a reference but ask what you need to know to assist you with the investigation!!

Email Phishing campaign scenario.

According to Cloudflare's phishing report, around 90% of successful cyber attacks start with an email phishing campaign, so you shouldn’t be surprised! :3. First, analyse the suspicious email using tools like Email Dossier or any other good option like EML Analyzer (which is awesome too). There are multiple ways to check whether the email address looks fishy (see what I did there? :3… No, I won’t stop). Read through the results from EML Analyzer, and if anything seems off, you’ll likely have your culprit. Unless, of course, there are multiple phishing emails... So, uh, good luck!! ^-^

A phishing email carries its payload either as an attachment or as a link to a credential-harvesting page or a download, so check both. Look at the headers too: the Received chain (which server really handed the message to your mail server), whether Return-Path and Reply-To match the From domain, and the SPF/DKIM/DMARC verdicts in Authentication-Results. But remember, these malicious actors are smart and sneaky, so they’ll do their best to hide it >.<. Use these tools to help you analyse the payload and uncover what’s really lurking inside.

Email analysis.

Alright!! So, you’ll need to navigate through Gmail (or whatever email provider the company uses) and find a way to export the original message as a .eml file. In Gmail it is as shown in the picture: open the message menu and click Show original.





It should open a new tab named Original Message. Next, click Download Original to save the .eml file.





Once you’ve acquired the .eml file, use EML Analyzer to, well uh, analyse it ???





Here you can see what EML Analyzer has provided. EML Analyzer has the VirusTotal API integrated, so you can see whether the attachments are known malicious. Prefer hash lookups over file uploads when the case is confidential: a hash reveals nothing, an uploaded attachment is shared with every VirusTotal customer.





Email Dossier (from CentralOps) reports:

  • Owner’s contact information
  • Registrar and registry information
  • The company that is hosting a Web site
  • Where an IP address is geographically located
  • What type of server is at the address
  • The upstream networks of a site





Now we're technically into post-incident analysis: you need to work out what the malware does. There are multiple ways to do this of course… So let’s get into it!! ^o^

Malware analysis! (This is big brain time d(>_< ) ).

I’m going to be honest, this is where things are complicated and time consuming. Malware analysis is a WHOLE nother topic and I will make another guide for it soon bear with me!! >-<.

First, identify HOW the malware breached the systems.

  • Phishing Email ?
  • Bad USB/Physical infection ?
  • Pirated software ?

Secondly, identify the aftermath of the attack.

  • What did the malware do to the system ?
  • Is it a backdoor ?
  • A ransomware ?

Try to identify the goal of this malicious actor. This can give you some sort of an idea of how to continue the investigation.

Malware Static analysis.

Windows systems. This part is going to be a bit tricky. If the system is known to be infected and YOU have already isolated it from the network, you can image it, pull the sample out of the copy, and examine the sample without ever running it: hashes, strings, PE headers and imports, packer detection, and then disassembly in IDA or a PE viewer like PE Explorer. That is static analysis, and since the code never executes it's the safest way to look at a sample. OllyDbg is a debugger (32-bit only and no longer maintained; x64dbg is its successor), so the moment you step through code in it you're doing dynamic analysis. Yeah, this is reverse engineering area, WHICH will not be fully covered in this guide. (I don't think you're going to analyse this deep in some cases! ^-^).
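Before IDA, the first ten minutes with a sample are usually hashes, timestamps, sections and strings. The following is an added example (not from this guide, and not a replacement for pefile or IDA) that parses the DOS, COFF and section headers of a PE by hand with struct, computes per-section entropy and pulls ASCII and UTF-16 strings, which is enough to say "AMD64, built 2024-11-25, one RWX section of near-random bytes, talks to this URL". build_stub_pe() constructs a PE-shaped blob with valid headers and no code so the demo runs offline; it is not a real sample, and a real one belongs only on an isolated analysis machine.

```python
"""Static triage of a suspected PE: hashes, compile timestamp, sections, entropy, strings.

Added example, not from the guide. It walks the DOS, COFF and section headers by hand with
struct so you can see what a tool like pefile reads for you. build_stub_pe() constructs a
PE-shaped blob (valid headers, no code, will not run) so the demo works offline."""
import hashlib
import math
import re
import struct
from collections import Counter
from datetime import datetime, timezone

MACHINES = {0x14C: "x86", 0x8664: "AMD64", 0xAA64: "ARM64"}
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000


def entropy(buf):
    """Shannon entropy in bits per byte: close to 8.0 means packed or encrypted content."""
    if not buf:
        return 0.0
    counts, n = Counter(buf), len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def strings(buf, minimum=6):
    ascii_ = [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % minimum, buf)]
    wide = [s.decode("utf-16le") for s in re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % minimum, buf)]
    return ascii_ + wide


def triage_pe(data):
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    magic = struct.unpack_from("<H", data, coff + 20)[0]          # first field of the optional header
    sections = []
    for i in range(nsections):
        off = coff + 20 + opt_size + i * 40                       # section table follows the optional header
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        raw = data[rptr:rptr + rsize]
        sections.append({"name": name, "raw_size": rsize, "entropy": round(entropy(raw), 2),
                         "rwx": bool(chars & SCN_MEM_EXECUTE and chars & SCN_MEM_WRITE)})
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "machine": MACHINES.get(machine, hex(machine)),
        "pe32plus": magic == 0x20B,
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),  # attacker-controlled, still useful
        "sections": sections,
        "strings": strings(data),
    }


def build_stub_pe():
    """Constructed stub: AMD64 PE32+ with a .text section holding telltale strings and an RWX
    .data section of flat-distributed bytes (entropy 8.0) to mimic packed content."""
    text = (b"\x90" * 16 + b"cmd.exe /c whoami\x00" + b"http://c2.example.test/beacon\x00\x00"
            + "powershell -enc".encode("utf-16le") + b"\x00\x00")
    data_sec = bytes(range(256)) * 2
    opt_size = 240                                  # size of a PE32+ optional header
    coff = 0x40 + 4
    sec_table = coff + 20 + opt_size
    headers_end = sec_table + 2 * 40
    blob = bytearray(headers_end)
    blob[0:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x40)        # e_lfanew
    blob[0x40:0x44] = b"PE\x00\x00"
    ts = int(datetime(2024, 11, 25, 8, tzinfo=timezone.utc).timestamp())
    struct.pack_into("<HHIIIHH", blob, coff, 0x8664, 2, ts, 0, 0, opt_size, 0x0022)
    struct.pack_into("<H", blob, coff + 20, 0x20B)  # optional header Magic = PE32+

    def section(index, name, raw, ptr, chars):
        off = sec_table + index * 40
        blob[off:off + 8] = name.ljust(8, b"\x00")
        struct.pack_into("<IIII", blob, off + 8, len(raw), 0x1000 * (index + 1), len(raw), ptr)
        struct.pack_into("<I", blob, off + 36, chars)

    section(0, b".text", text, headers_end, 0x60000020)                   # CODE | EXECUTE | READ
    section(1, b".data", data_sec, headers_end + len(text), 0xE0000040)   # INITIALIZED_DATA | EXECUTE | READ | WRITE
    return bytes(blob) + text + data_sec


if __name__ == "__main__":
    report = triage_pe(build_stub_pe())
    for key, value in report.items():
        print(f"{key}: {value}")
```

The RWX flag and the 8.0 entropy on .data are the two signals a packer leaves behind; the compile timestamp is attacker-controlled, so treat it as a hint rather than evidence. Real samples need the import table as well (which lives behind the optional header's data directories), and that is where pefile earns its keep.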

Linux systems. For Linux you can use REMnux, a Linux distribution that bundles most of what you need to analyse malware; it works for Windows samples too, since most of its tooling (pefile, YARA, strings, disassemblers) is cross-platform.



Malware Dynamic Analysis.

Another way is to analyse the malware dynamically. Every malware has a goal, and achieving it means doing things on the infected machine: touching files, writing registry keys, spawning processes, talking to the network. Process Monitor (Procmon) from Microsoft Sysinternals records exactly that in real time, so it helps you spot suspicious services and processes (make sure you learn how to use its filters properly '-', or you'll drown in events). There was also an application called WinPatrol, but unfortunately it has been sent to heaven (RIP Scotty, you were the best puppy Y-Y). Depending on the situation, Procmon can give you insight into what the malware’s goals are and provide enough data for your report. However, static analysis and reverse engineering can help you understand the malware in even greater detail. Only ever run a sample in an isolated VM or sandbox you can throw away, never on the evidence machine.

Another fantastic tool to consider is ANY.RUN, a cloud-based interactive sandbox designed for analysing malware and phishing links. By running the sample in a controlled virtual environment, it shows you in detail what the malware is attempting to do. It’s fast, intuitive to use, and an excellent choice for quick analysis. One caveat: submissions to a public sandbox may be visible to other users (and to the attacker), so check the plan's privacy settings and the client's consent before uploading anything from a confidential case. Whether you’re dealing with suspicious attachments or phishy links, this tool can save a lot of time while keeping you safe during the investigation! ^-^



Keep in mind you have to slowly comb through all processes in Procmon, and if the malware is sneaky it can and might go dormant (sleep, check for a sandbox or debugger, wait for user interaction) to avoid detection. This is where things get dicey. New malware is constantly being developed, and attackers are always evolving their methods. You’re playing their game now, so it’s crucial to stay vigilant and closely monitor the situation.

Post-Incident | Recovery phase.

Well, you've made it to Recovery phase. Now, you can begin recovering the system AFTER addressing and patching all identified vulnerabilities. The recovery process will vary depending on the situation. For instance:

  • Human error, which is a common culprit. Some clients may even request that you conduct training sessions, so be prepared with a good presentation.
  • Network/Server misconfigurations or any misconfiguration are typically straightforward, just reconfigure it '-'. Employees should be made aware of the error too.
  • A zero-day in an application may necessitate temporarily disabling the affected application and promptly reporting the issue to the vendor.

In cases involving legal implications, if a suspect has been arrested, you will need to submit a thorough report to the authorities. For significant cases, you might also be required to testify in court. It’s crucial to be well-prepared for this stage, as the post-incident process can become complex once legal authorities are involved.

After completing everything, it’s time to pack up and head back to base. Make sure that a copy of your report is uploaded to your reports database. Once done, you can call it a day and make some tea! :3

Congratulations you've solved your case! I hope this guide has been useful and make sure to check out other guides such as Mobile-Forensic and many more in the Branch section.

Thank You!! :3
