Unveiling the Inner Analyst: Navigating the Cognitive Labyrinth
The first major thing you’ll learn about Digital Forensics/Incident response is LOGS LOGS LOGS. Without them, you can't explain what generated the alert or what occurred on the device(downloads, unsolicited changes, etc.)At the Enterprise level, it's even more crucial because you are no longer just responsible for a singular host but a series of them that could be anywhere in the world. In an enterprise environment, hosts have their logs forwarded to a SIEM(Security Information and Event Management aka log aggregator) so that an analyst can scope through historical data to investigate the event that took place. (link click, file download, block failure, anti-virus hit, etc.)
A friend of mine reached out earlier this year, about The Last of Us video game shutting off his PC with no warning, blue screen, or error message. In the video game world typically the culprit is driver issues or hardware limitations but this was a new issue that I personally haven't heard of or experienced so research needed to be done. (Analysis post coming soon!)
The game runs on Steam(simple game launcher/store), so checking their forum helped me understand a little bit of what may have been going on. After performing Open Source Research (OSR) via Google here are some possibilities I found:
Possible overheating of CPU/GPU
Game settings/cache needs to be verified
Or the classic reinstallation of the game
So what's the first stop? The LOGS! Remember this is a personal machine so there is no SIEM to review historical data in. For incidents I handle I utilize a template that allows me to capture important low-level details that Team leads/Customer may ask about an incident. Basic but necessary steps, because the last thing you want to say is “Uhhhhh let me go check”.
My folder template layout:
Incident number[Parent folder]
Analyst paperwork[child folder]- Personal case notes/updates provided, and Chain of custody because forensics. This is where you tell the story of how the incident happened, what you found, how the threat was mitigated, who was contacted, etc.
Logs[child folder]- Web traffic logs, Anti-Virus logs, SEIM logs, etc. All the information that helps you tell the story based on historical event data.
Whiteline analysis[child folder]- Results from running alert relevant tests in a closed environment(Virtual machine), or OSR aka what’d you find on Google?
Provided information[child folder] - Anything provided to you prior to the investigation(Event report, spreadsheet data about the event, etc.)
\Note: Inside each folder are potential subfolders to help break out the different organization tools that can provide logs on the incident.*
Since this incident is a bit different(not malicious in nature), some questions will be left unanswered. But this is how I approach the incidents that come across my desk:
Read through the incident report: I ask myself some of these basic questions to get a good feel for the incident. What happened? What’s the name of the malicious file or external IP? Where do I need to look first to gather information on this event? Do I understand everything that happened? Do I need to look something up? How widespread is the issue? Is this a high priority?
- Sample Incident excerpt: On at 9/05/23 5:45:54PM EST the Steam edition of The Last of Us Part 1 PC located at "C:\Program Files (x86)\Steam\steamapps\common\TheLastofUsPart1\tlou-i-l.exe" was executed with pre-configured game recommended settings on the host. (DESKTOP-TZAS12 | 10.10.10.7) During play, the user(Jane.Doe | EST) stated that the game powers off the host with no warning or error message. User reported the host functions normally after powering back up, and that other games have not caused an issue like this.
\Note: Just in case there was any confusion I don’t work with games at my job more like malicious programs, potentially unwanted programs(PUPs), and strange network traffic. 😂 Never the less the logs are still just as important!*
Now from reading the incident report(above) pick out the information you need to help perform your analysis.
Understand the Who with a little what: Identify the username, the host's location(Timezone clarity), hostname, executable name, IP address, and who may need to be notified/questioned about the incident.
Answer: Not too important for this incident just helping a friend 🙃
Event time: 9/05/23 5:45:54PM
File name: tlou-i-l.exe
Flag/Threat: None - Troubleshooting
Understand the What: Executable/file in question & what occurred on the host. This can include other hostnames/IPs involved, anti-virus (AV) information or broader network information. When was AV last updated, and what preventative measures were supposed to mitigate this issue? What were we expecting to happen? Is this an Enterprise-wide issue?
Answer: See no. 1-3 below
File name: tlou-i-l.exe
Analyst notes: Host(DESKTOP-TZAS12|10.10.10.7) shutdown after running "tlou-i-l.exe" for 15 minutes. OSR on the executable determined that the file is related to a video game, The Last of Us, and is considered non-malicious. No AV and Web log analysis is needed. Based on power failure analyst will verify minidump creation(created via game or host), and pull Windows event logs.
Unexpected shutdowns mean:
Mini Dump File generates recording some data from memory
Windows event logs get updated(System/Application)
The game might have saved a crash dump
\Note: Since the file is not malicious(from approved vendor: Steam), the AV logs won't have any useful information, and thus don’t need to be pulled from the host. 9.9/10 times AV files are always pulled because it provides context to how current security measures work and what needs to be changed. (a normalized practice with security incidents) But just because something is not malicious does not mean we want it on our machine, that’s what we call a potentially unwanted program(PUP).*
Understand the When: When did the event first occur on the host? Where did the notification come from? (internal team? self report?) It's a bit more than just knowing the date, rather what tools kept logs long enough so that you can review them. (30 days, a week, etc.) Time is ticking!🕰
Answer: August 31, 2023 - September 5th, 2023
Sample Data extracted:
Incident Dates: August 31, 2023 - September 10th, 2023
Reporting entity: Self Report
Logs to check:
Windows Mini Dump(C:\Windows\Minidump)
Last Of Us Mini Dump(varies based on game location)
Windows Event logs(C:\Windows\sys32\config\winevt)
The importance of the when also comes from the ability of the security measures in place to flag or alert analysts to an incident. You may even hear questions like, why did it take so long for this alert to come in? Why did the host-based security system (HBSS) not flag for this file? The longer it takes for an incident to reach a security team the harder it may be to analyze relevant data in its entirety. And the funny thing about logs is that they overwrite themselves after a certain period of time so incident notification time to resolution is crucial.
Analyst knowledge comes from shadowing the big brains at work, practicing, and retaining your newfound skills. Yes, there are repetitive processes as with many jobs, but the best part is that each incident varies! Giving you the chance to interact with something new almost every day. Strong foundations are important to building something, right? The answer is yes...