Presentation given at 44CON London in September of 2015. This presentation introduced the audience to the PowerForensics module for PowerShell.

1. Old Dog, New Tricks:
Forensics with PowerShell
Jared Atkinson
Veris Group’s Adaptive Threat Division

2. Special Thanks
○This tool and presentation would not be
possible if it wasn’t for the help and
phenomenal work from these people:
□Matt Graeber (PowerShell Wizardry)
□Richard Russon (Linux-NTFS Project)
□Joachim Metz (Libyal Project)
□Jeff Bryner (NBDServer)
□Carlos Perez (PowerShell Binary Module)
□David Cowan (NTFS Triforce)
□Ange Albertini (Corkami)
□Phil Polstra (Linux Forensics)
□James Habben (NTFS Fixup Values)

3. @jaredcatkinson
○Jared Atkinson
□Hunt Capability Lead for Adaptive Threat Division
○ Leads the service line responsible for proactive detection
and response to advanced threats in Fortune 100
commercial environments
□Adjunct Lecturer at Utica College
□Developer of PowerForensics, Uproot IDS, and
WMIEventing
□Researcher of forensic artifact file formats
□History
○ U.S. Air Force Hunt (2011 - 2015)
○ GCFA, GREM, and more

4. tl;dr
○ Hunting Philosophy
○ Evolution of Forensics
○ PowerShell 101
○ PowerForensics
○ Investigation Demo
○ The Future

5. Hunting
Philosophy
To Hunt, or not to Hunt...

6. Intrusions

7. Cyber Kill Chain
○F2T2EA
□Find, Fix, Target, Track, Engage, Assess
○Adapted from Lockheed Martin White Paper
○Any broken link will affect the entire chain

8. Prevention
○Prevailing Network Defense Concept for much
of the 90s and 2000s
○Goal of stopping attacks at the perimeter
□ Glory years of “Server Side Exploits”
○Largely failed due to rise in the popularity of
“Client Side”attacks
“...more than two-thirds of [Cyber Espionage]
incidents ... have featured phishing.” -Verizon

9. Incident Response
○Early 2000s to mid 2010s
○“Five Alarm Fire” Concept
○Kicked off by:
□Network security monitoring alerts
□Third party notification
□Public disclosure
○By the time you notice it is often too late

10. Hunting
○Concept originating in the US DoD
○Practice “Assume Breach” mentality
○Detection, Investigation, Response
□Deny, Degrade, Disrupt, Manipulate
“Fundamentally, if somebody wants to get in, they're getting in… Accept
that… What we tell clients is:
Number one, you're in the fight, whether you thought you were or not.
Number two, you're almost certainly are penetrated.”
Michael Hayden
Former Director of CIA & NSA

11. Evolution of
Forensics
“Intelligence is based on how efficient a
species became at doing the things they
need to survive.” -Charles Darwin

12. Investigation
Techniques
Image
Collection
Scripts
Live
Response

13. Look Familiar?

14. Image
○Analyst takes an infected machine offline,
make a hard drive image (bit for bit copy)
and perform forensic analysis
○Pros
□“Gold” Standard over past 2+ decades
□Repeatable results
□Allows for thorough analysis
○Cons
□Lose all volatile data
□Slow/non-scalable

15. Collection Scripts
○Analyst uses a script to collect forensically
relevant files often using third party
binaries to access certain files
□First step in automating digital forensic/incident
response processes
○Pros
□Speed
□Scalability
○Cons
□Often Messy (Not Forensically Sound)
□Third party dependencies (File Access, Artifact
Parsing, Remote support)

16. Live Response
○Analyst quickly triages key file system artifacts
in a forensically sound manner
□Merges some of the best attributes of Imaging and
Collection Scripts
□“Intelligent” Analysis – Where the analysis of one
artifact points the analyst in the direction of another
○Pros
□Speed/Scalability
□Forensically Sound
□Self contained
○Cons
□Repeatability

17. PowerShell 101
“Blue is the New Black” -
@obscuresec

18. What is PowerShell
○Task-based command-line shell and
scripting language
○Built on the .NET Framework
□Cmdlets for performing common system
administration tasks
□Consistent design
□Powerful object manipulation capabilities
□Extensible interface (Modules)
○ Independent software vendors and enterprise developers can
build custom tools and utilities to administer their software.
□Full access to the Windows API

19. Response
PowerForensics
Old Dog, New Tricks
Detection Investigation

20. Requirements
○Centralized forensic toolset
○Forensically sound
□Parse raw disk structures
□Don’t alter NTFS timestamps
○Can execute on a live (running) host
○Operationally fast
□Collect forensic data in seconds or minutes
○Modular capabilities
□Cmdlets perform discrete tasks and can be tied
together for more complicated tasks
○Capable of working remotely
□At the proof of concept stage

21. What is Forensically
Sound?
“A forensically sound duplicate is obtained in a manner that does
not materially alter the source evidence, except to the minimum
extent necessary to obtain the evidence. The manner used to
obtain the evidence must be documented, and should be
justified to the extent applicable.” - Richard Bejtlich and Harlan
Carvey

22. Forensics Toolbox

26. Fast?!?

27. Get-BootSector
Boot Sector
Get-MBR Get-GPT
Get-PartitionTable

28. NTFS Structures
Get-VolumeBootRecord
Get-FileRecord
Get-FileRecordIndex

29. NTFS System Files
Get-AttrDef
Get-BadClus
Get-Bitmap
Get-UsnJrnl
Get-UsnJrnlInformation
Get-VolumeInformation
Get-VolumeName

30. Meta Cmdlets
Copy-FileRaw
Get-AlternateDataStream
Get-ChilditemRaw
Get-ContentRaw
Get-Prefetch
Get-ScheduledJob
Invoke-DD

31. Linux Support
(Ext4)
Get-Superblock
Get-BlockGroupDescriptor
Get-Inode

32. Investigation Demo
My sacrifice to the demo gods…

33. Attack Demo

34. Notification
○Time: 20 August 2015 16:50
○Hostname: WIN-KFGTOETNIFJ
○IP Address: 10.20.3.187
○Activity Description:
□At 16:50 on 20 Aug 2015 a machine with IP of
10.20.3.187 called out to a previously unseen IP
address of 10.20.3.191 (pretend this is a domain
:-D) over port 80. During this and a number of
additional connections analysts noticed a sizeable
amount of data transferred from the internal asset
to an external system (10.20.3.191).

35. Investigation Demo

36. Report
○Time: 20 August 2015 16:48 - 16:54
○At job to elevate to SYSTEM context
□Executed launcher.bat
○Implant appeared to use some combination of
PowerShell and WMI in implant
○Created staging directory name “exfil”
○Used 7za.exe (7-zip) to compress three files to
exfil.zip
□hamburgerrecipes.txt
□finances.csv
□password.txt

37. The Future
The Shiny Shiny Future

38. Moving Forward
○More artifacts!!
□Registry support
□ESE database support
○Support for alternate file systems
□Windows: FAT12, FAT16, FAT32, exFAT
□Linux: Ext2, Ext3, Ext4
□Mac: HFS+
○Online documentation (Open API)
○Community Involvement!!!
○Organic Remoting
□Network Block Device (NBD) to the rescue

39. Remoting Demo

40. Take Aways
○Order of Volatility (RFC 3227)
□routing table, arp cache, process table, network
connections, kernel statistics, memory
□temporary file systems
□hard drive disks
○Imaging Process ≢ Enterprise Response
○Don’t be part of the problem
□Local vs Domain Admin
□Interactive vs Network Logins
□Delegate vs Impersonation Tokens
○Hunting is like a Poker game
□Be careful about showing your hand to the
attacker

41. @jaredcatkinson
https://github.com/Invoke-IR/PowerForensics
https://github.com/Invoke-IR/PowerForensics_Source
Any questions?