Memory analysis with Strings
In the previous section, the Volatility plugins we looked at focused on the areas of the memory image that are still mapped: structures the operating system was tracking at acquisition time, such as process lists and network connections. When data is no longer mapped, for example because a process has exited or a connection has been closed, those plugins cannot extract or present it, and that is one of their drawbacks for memory analysis. A good deal of data becomes unstructured and invisible to them in this way, yet trace evidence of it usually remains in RAM. Other sources, such as the pagefile, likewise hold unmapped data that these plugins do not parse but that is searchable.
One tool that is useful for recovering these traces is Strings, which ships with most Linux distributions and is available for Windows as a Sysinternals utility. Strings extracts runs of human-readable characters from arbitrary binary data. Given a set of keywords or grep (global regular expression print) patterns, the responder can often recover additional relevant data, even from RAM captures that were partially corrupted by malware or by an imperfect acquisition.
Installing Strings
Strings comes preinstalled in many Linux distributions. Windows has a standalone executable for string searches available at https://docs.microsoft.com/en-us/sysinternals/downloads/strings. If Strings is not installed on the responder's Linux platform of choice, it is part of the binutils package, and the following command installs it:
forensics@ubuntu:~$ sudo apt install binutils
For a rather simple tool, Strings is a powerful way to search through bulk data for specific keywords. Two defaults matter for memory work: Strings reports only runs of at least four printable characters (adjust with -n), and the GNU version scans for ASCII only by default, whereas Windows stores most of its text as UTF-16LE. On a Windows image, repeat each search with strings -e l to catch the 16-bit strings, or use the Sysinternals version, which scans both encodings. In this book, the focus will be on extracting specific data points with the following syntax:
forensics@ubuntu:~$ strings <file name> | grep <Regular Expression>
Common Strings searches
Network artifacts such as IP addresses and domains can often be found within the pagefile or memory. To find IP addresses, use the strings command with the following parameters (-o prints only the matching portion of each string; note that the pattern matches any dotted quad, so version strings such as 1.0.0.1 will appear alongside real addresses and must be weeded out by hand):
forensics@ubuntu:~$ strings pagefile.sys | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"
To find URLs, match on the http or https scheme:
forensics@ubuntu:~$ strings pagefile.sys | grep -E "^https?://" | sort -u | less
The -E switch is required: in grep's default basic regular expressions, ? is a literal character, so "^https?://" would only match the literal text https?://. The ^ anchor returns only strings that begin with a URL; to also pull URLs embedded in longer strings, drop the anchor and add -o.
There are also remnants of email addresses that may be discoverable. This is very useful in investigating possible phishing attempts. To find email addresses, use the following command (the pattern avoids stacked quantifiers, which POSIX extended regular expressions leave undefined, and does not cap the top-level domain at four letters, so addresses under newer TLDs are not missed):
forensics@ubuntu:~$ strings pagefile.sys | grep -oE '[[:alnum:]_.+-]{1,64}@[[:alnum:].-]{2,255}\.[[:alpha:]]{2,}' | sort -u
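The three searches above, combined into one small script, as an added example that is not code from the book. It goes beyond the individual commands in two ways a practitioner needs on a Windows image: it scans UTF-16LE as well as ASCII, and it can keep each hit's decimal file offset so the hit can be traced back to a process with Volatility's strings plugin. It assumes GNU binutils strings (for -a, -n, -e and -t) and GNU grep; the sample "image", the example.test hostnames and the payroll@example.test address are constructed for the demonstration and are not real evidence.

```shell
#!/bin/sh
# Added example, not code from the book: artifact hunting across a raw memory
# image or pagefile with GNU binutils `strings` and GNU grep. It extends the
# three searches above to scan UTF-16LE as well as ASCII, and keeps decimal
# file offsets for pivoting back into Volatility's strings plugin.
# Assumes: GNU strings (-a, -n, -e, -t), GNU grep (-E, -o, \b), od, sort.

# Regex for one artifact type. The URL pattern stops at whitespace or quotes;
# the e-mail pattern does not cap the top-level domain at four letters.
pattern_for() {
    case $1 in
        ip)    printf '%s' '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' ;;
        url)   printf '%s' 'https?://[^[:space:]"<>]+' ;;
        email) printf '%s' '[[:alnum:]_.+-]{1,64}@[[:alnum:].-]{2,255}\.[[:alpha:]]{2,}' ;;
        *)     echo "unknown artifact type: $1" >&2; return 2 ;;
    esac
}

# Every printable run of at least 6 characters in each requested encoding
# (s = 7-bit ASCII, l = 16-bit little-endian, i.e. Windows UTF-16LE), each
# prefixed with its decimal offset. -a scans the whole file, not just sections.
dump_strings() {
    img=$1; encs=${2:-"s l"}
    for enc in $encs; do
        strings -a -n 6 -e "$enc" -t d "$img"
    done
}

# Unique artifacts of one type.  Usage: artifacts IMAGE ip|url|email [ENCODINGS]
# LC_ALL=C keeps the sort order byte-wise and reproducible across locales.
artifacts() {
    re=$(pattern_for "$2") || return 2
    dump_strings "$1" "${3:-s l}" | grep -oE "$re" | LC_ALL=C sort -u
}

# The same hits as full "offset string" lines, the format Volatility's strings
# plugin accepts (vol.py ... strings -s hits.txt) to attribute each offset to
# a process or kernel region.
artifacts_with_offsets() {
    re=$(pattern_for "$2") || return 2
    dump_strings "$1" "${3:-s l}" | grep -E "$re"
}

# Helper for the sample: encode ASCII as UTF-16LE (each byte followed by NUL).
to_utf16le() {
    printf '%s' "$1" | od -An -v -to1 | tr -s ' \n' '\n' | grep . |
        while read -r oct; do printf "\\$oct\\000"; done
}

# Constructed sample "image" (not real evidence): junk bytes, an ASCII URL and
# IP, a version string the IP regex also matches, and a UTF-16LE e-mail
# address that the ASCII-only scan misses. The UTF-16 text starts at an even
# offset (112), as it would in a real Windows allocation.
make_sample() {
    {
        printf '\001\002\003\377\376\000'
        printf 'GET https://update.example.test/agent.bin HTTP/1.1\000'
        printf 'Remote 10.20.30.40:443 connected\000\000'
        printf 'FileVersion 1.0.0.1\000\000'
        to_utf16le 'From: payroll@example.test'
        printf '\000\000\377\376'
    } > "$1"
}

# Usage: make_sample /tmp/sample.raw; artifacts /tmp/sample.raw email
# artifacts ... email s   (ASCII only) finds nothing; the default "s l" does.
```

Running artifacts on the sample with the ip type returns both 10.20.30.40 and the version string 1.0.0.1, which is the false positive the IP pattern always carries; the email type returns payroll@example.test only when the 16-bit scan is included. For a real capture, feed the artifacts_with_offsets output to Volatility's strings plugin to learn which process owned the page each hit came from.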
There is a wide range of search terms and parameters, and it is impossible to cover all of them in this chapter. Two habits make string hits far more useful: run strings with -t d so that each hit carries its decimal offset in the image, which Volatility's strings plugin can map back to the owning process or kernel address, and pipe through sort -u so that repeated hits collapse into a single line. The main takeaway is that the analyst can leverage string searches across the memory image and pagefile as part of the overall memory analysis.