Section 3.1: Enterprise and Remote Analysis Flashcards
What is KAPE?
Kroll Artifact Parser and Extractor, a triage collection tool. It is normally run by hand on a single system and is not designed for large-scale fleet collection, but it can be pushed to a remote system and configured to send the collected files to an SFTP server. It copies locked files via raw disk access, can collect from Volume Shadow Copies, and preserves alternate data streams. Collected files are deduplicated by SHA-1 hash, so the same file found on the live volume and in a shadow copy is only copied once.
What is a remote access agent?
An agent that gives the analyst raw remote access to a target system's storage, such as its disk or physical memory, so it can be examined or imaged as if it were attached locally. Because it reads the raw devices rather than going through the target operating system's APIs, it is harder for a rootkit to subvert. Its main downside is the network bandwidth it consumes, which can congest the network.
What is a remote analysis agent?
An agent that parses or monitors artifacts on the endpoint itself and returns the results to the analyst, instead of shipping raw data. It relies on the remote system's operating system APIs to do so. Its downside is that it consumes RAM (and CPU) on the endpoint.
Pros and cons of F-Response
Pros: good for registry hives, file queries, the $MFT, or any other locked file, since they can be parsed across the wire; it does not require a reboot. Cons: a poor fit for file carving or memory analysis over the network, so for those it is better to image the disk or memory first and analyse the image.
Pros and cons of Velociraptor
Pros: good for deep analysis, including memory analysis. Cons: the agent consumes RAM on the endpoint, and it needs a server (controller) to manage the agents.
Simple KAPE command line to collect a system triage.
kape.exe --tsource <drive> --target !SANS_Triage --tdest <directory>. Other useful switches: --vss (also collect from Volume Shadow Copies), --vhdx (package the output in a VHDX container), --debug (verbose output).
What is a bottleneck in server-to-client analysis at scale? What are possible solutions?
The server's cost of encrypting and decrypting every client connection (TLS). One solution is to put a reverse proxy in front of the server to terminate TLS and offload that work. Another is to run multiple servers that share the client connections while storing collected data on a shared distributed filesystem.
What is VQL?
Velociraptor Query Language. A query can run as a one-time collection of data or as an event query that monitors continuously. It can parse essentially every artifact type covered so far, and more.
Describe the built-in artifacts in Velociraptor.
Pre-built VQL queries packaged as named artifacts with parameters. You select an artifact by name and change its parameters to control what it parses, rather than writing the VQL yourself.
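The following is an added example written for these two flashcards and is not part of the original page or of Velociraptor's built-in artifact set. It shows both query modes in the form artifacts are written: a one-time CLIENT collection with a parameter the analyst can change (as with the built-in artifacts), and a CLIENT_EVENT artifact that monitors continuously. The artifact names, the ProcessRegex and SecurityLog parameters, and the RDP logon filter are assumptions made for the example; pslist(), watch_evtx() and the =~ regex operator are real VQL.

```yaml
# Added example, not from the original page or from Velociraptor's own artifacts.
# File 1: one-time collection. Artifact name and ProcessRegex parameter are assumptions.
name: Custom.Windows.SuspiciousProcesses
description: |
  List running processes whose name matches ProcessRegex, with parent PID,
  command line and executable path. Runs once per collection.
type: CLIENT
parameters:
  - name: ProcessRegex
    default: "(?i)powershell|cmd\\.exe|wscript|mshta"
sources:
  - query: |
      SELECT Pid, Ppid, Name, CommandLine, Exe, Username
      FROM pslist()
      WHERE Name =~ ProcessRegex

# File 2 (saved separately): continuous monitoring. Assumes the standard
# Security.evtx path and that LogonType 10 (RemoteInteractive) is the interest.
name: Custom.Windows.Events.RDPLogons
description: |
  Watch the Security log as it is written and emit a row for every
  successful RDP logon (4624, logon type 10). Runs until the client stops.
type: CLIENT_EVENT
parameters:
  - name: SecurityLog
    default: C:/Windows/System32/winevt/Logs/Security.evtx
sources:
  - query: |
      SELECT System.TimeCreated.SystemTime AS Time,
             System.EventID.Value AS EventID,
             EventData.TargetUserName AS User,
             EventData.LogonType AS LogonType,
             EventData.IpAddress AS SourceIP
      FROM watch_evtx(filename=SecurityLog)
      WHERE EventID = 4624 AND LogonType = 10
```

Each artifact is loaded as its own YAML file; the first is collected on demand (a hunt or a single-client collection), the second is enabled as a client event monitor and streams matches back as they occur. Changing ProcessRegex or SecurityLog at collection time is the same parameter mechanism the built-in artifacts expose.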
Best sources of data to collect at the endpoint.
Process objects and file executions, command lines, process trees, unusual API activity, and network, file, service and registry changes.
EDR vs Forensics
EDR is forward-facing: it reports live activity, while forensics tells the deep story of what happened. Use EDR as a supplement; it does not collect the complete set of data that forensic analysis does.
What are EDR's advanced capabilities?
In-memory detections, such as command line, network activity, process tracking, DLL hooking, rootkits, thread creation and memory allocation.