Wednesday, February 06, 2013

There Are Four Lights: The Forensic Scanner

I made a push recently via social media to raise awareness about the Forensic Scanner, and based on some of what I saw come back, I'd like to take a moment to describe what the Forensic Scanner is, and perhaps clear us some misconceptions about the tool.

Just a quick reminder to everyone...in Nov, 2012, the Forensic Scanner moved from the Google Code site to this GitHub site.  If you're going to try the Forensic Scanner, make sure that you run it as Administrator...if you have an admin account and you still have UAC enabled, you won't have what you think are full Admin rights on the box.  Check out Corey's blog post on the topic.

First off, the Forensic Scanner is just a tool, nothing more.  Like any other tool, if you don't understand how it was designed to be used, you very likely won't be using it to it's full capacity, or in it's most effective manner.  Scanner applications have been used in various segments of infosec for quite some time.  When I did vulnerability assessments back in the late '90s, we used scanner products to do some of the heavy lifting.  Even today, there are scanners available for web app assessments, but the key point to remember is that these applications are not intended to replace analysts, or remove analysts from the picture.  Instead, they are intended to perform a wide range of repeatable tests, so that an analyst can review the results and then focus their analysis efforts.  This is also the intention of the Forensic Scanner.

The Forensic Scanner is:

A library of corporate knowledge/intel: An analyst may spend 8, 16, 24 hours or more in analysis and find something new.  Take this finding, for example.  One way to address a finding like this is for the analyst to keep it to himself...but that doesn't really help anyone, does it?  An alternative might be to hold a brown-bag lunch with other analysts, put together a PPT, and tell them what you found.  But how much more useful would it be to write a plugin, and share it with the other analysts?  Within a few minutes, other analysts would have full access to the capability (i.e., finding the issue, or not...) without ever having to have the same experiences as the first analyst.  On a team of eleven analysts, if it took 16 hours for the first analyst to find the issue, you've just saved the team, as a whole, 16 hrs x 10 analysts = 160 hours of time.  This time can mean a great deal to your customer, as you will be providing with information they need to make critical business decisions in an extremely efficient manner.

By creating and maintaining plugins for these findings, the information is maintained in an accessible manner while the examiner who found the artifact is on vacation, or well after they left the organization.  With the proper oversight, the plugin won't simply have lines of code...it will include references and explanations, so that the findings are not only repeatable, but they can be easily understood and explained.

How are you at memorizing the paths to various web browser history files on different versions of Windows (i.e., XP vs Windows 7)?  How are you at mapping USB device usage?  Do you want to have that available at the push of a button?  That's what the Forensic Scanner can give you.

A force multiplier: By looking back at your last engagement and creating or updating plugins based on your findings, and then providing them to the team, you've bridged the gap between a checklist and actually implementing the checklist.  This allows the experience of each analyst to be shared with others, which can lead to more work being done by the same number of analysts, in a much more efficient and timely manner.

A path to a competitive advantage: Analysts are going to find things that others either don't see, or haven't seen yet.  As such, writing a plugin that you keep private within your team can lead to providing better, more comprehensive results to your customers, in a more timely manner.  Based on the plugins you have in your library, you may be able to determine not only the malware that infected a system, but also determine the initial infection vector, in a much more timely manner.  This means that you can provide not just findings, but intelligence to your customer, that they can then use to protect themselves.

The Forensic Scanner is NOT intended to replace any of the current tools that you own and use.  Rather, the purpose of the Forensic Scanner is to augment and optimize your use of those tools that you already own, and get you to the point of deep engagement with those tools much sooner.

Deployment Scenarios
When I first had the idea for the Forensic Scanner,

Lab Tech: A lab tech receives an image, and as part of the verification and in-processing procedures, runs a scan of the mounted image.  The lab tech then contacts the designated analyst to let her know that the image and report are in a specific location, either in the "cloud", or to be retrieved in some other manner.  Rather than having to run through all of the checks herself, the examiner can review the report and focus her analysis faster, providing much more comprehensive and timely findings.

LE examiner: An LE examiner might be interested in P2P file sharing, and one of the biggest issues for LE (at all levels) is that the examiners are cops first.  This makes it very difficult to keep up on various analysis techniques and artifacts, but the Forensic Scanner puts that right at your fingertips.  Perhaps your cases involving illicit images don't require you to do much more than find and catalog the images, and you're done.  Or perhaps you need more...did the user actually access the images at any point?  Did the transfer of the files involve a USB storage device of any kind?  Was a digital camera or a smartphone connected to the system? 

Consultant: A consultant or even an IT security staff member can be on-site, performing triage and acquisitions.  They can run a report, and because the report contains no sensitive (PII, PHI, PCI, etc.) information, they can archive/protect the report, and ship it off to another analyst who is off-site, who can then perform analysis of the report.  The analyst can then respond to the on-site consultant, providing information that can then help them focus their efforts ("..acquire these 5 systems instead of all 300..."). 


Interested in Windows DFIR trainingWindows Forensic Analysis, 11-12 Mar; Timeline Analysis, 9-10 Apr. Pricing and Calendar. Send email here to register.  Each course includes access to tools and techniques that you won't find anywhere else, as well as a demonstration of the use of the Forensic Scanner.

No comments: