DFIR Tooling - Outline
Let's define the ideal state for my ideal DFIR toolkit
I feel like the existing DFIR tooling I've used is crazy complex. That makes it pretty hard to separate signal from noise during forensic analysis and incident response, and I'd like to dive into building some tools to fix that gap.
Standard two-dimensional user interfaces provide a barrier to analysts trying to get to the information they need. Don't get me wrong, I've seen some pretty amazing analysts who can just kinda dive in and find exactly what they're looking for. Those folks are anomalies. A three dimensional space would provide humans with a unique advantage in parsing this mountain of information. It's a challenge to lay out that space in a way that's easy to work with. I'll need a lot of design help to get it done, as well as the help from some skilled test users and specialists in user experience. I'm getting ahead of myself, though.
User Interface Design
I'm picturing a VR user interface, similar to what I built for my malware analysis lab. In fact, I'll be taking a lot of inspiration from my old malware analysis lab.
Unity has a concept called "Scenes," which typically separate different levels from each other. My design will leverage scenes to handle loading/unloading of assets related to different types of information on the endpoint. The default scene will provide summary information on system performance, running processes, network traffic, background tasks, and network services. Each UI panel will provide drill-downs into these different facets of the endpoint, including filesystem analysis and registry monitoring functionality. Of course, none of this will actually be possible without a robust endpoint agent.
The endpoint agent needs to be deployable on-demand. If this project gains traction, malware will perform checks for the endpoint agent before detonating. Therefore, this agent will be designed in such a way that any malware on the endpoint won't be able to anticipate or defend against it. All of that is to say that the endpoint agent is going to be sketchy as hell. I'll be stealing tactics and techniques I've observed in nation-state malware samples to provide some strong guarantees against detection. Which means I probably won't be comfortable open-sourcing the endpoint agent. Some knowledge is too powerful for public consumption, you know?
As far as capabilities go, flexibility is my first priority. That's followed closely by cross-platform compatibility. The endpoint agent will be written in Go, and will have a variety of deployment strategies available to analysts depending on circumstances. I won't get into all of those here, just stay tuned!
Network traffic analysis is tricky when dealing with advanced malware. Installing a driver can provide an indicator to the threat actor that they've been detected, so I won't be relying on traditional PCAP drivers or anything like that. Rather, I'll be relying on my old favorite tool - The USB Armory Mk. 2.
Without diving into too much detail, I can share that the USB Armory has hardware VPN capabilities that leverage a driver built into Windows. Those capabilities, combined with out-of-band communications capabilities and a safe execution environment, provide the perfect platform to build around.
I have a few more things on my mind for this toolkit. Here's the highlight real:
- Filesystem & Registry analysis
- Event Log analysis
- Detection rules, used to highlight specific indicators for the analyst
- And more!
Think of these tools as my contribution to building the cyberpunk future we deserve. I'm really looking forward to the challenge!
Continue Reading: DFIR Tooling - Timmy and His File System