First, it is widely accepted that cyber-attacks are inevitable. The idea that you can hope attackers will never show up only really works if you don’t have anything electronic. If you have a computer, especially an internet-connected one, you need to be ready to do some DFIR one day.
For lots of businesses, this creates a problem. Good DFIR is not cheap and even if you don’t need highly skilled professionals, buying the tooling can be eyewateringly expensive. One of the basic components you need is an EDR (endpoint detection and reporting) tool. There are amazing products in this space but they aren’t cheap. Basic deployments can quickly hit 5 figures, per year, for even small networks.
It’s the same with forensics tools – they are brilliant and can really help you find things, but for most of the commercial tools its another 5 figures per year for a licence. It’s ok if you have a big budget, but putting £50,000+ a year aside for just two DFIR tools is challenging for most people. When you add in the tools you need to cover the extra bits you will almost certainly need, then it really becomes a financial burden. This is without considering the cost of skilled staff.
The good news is that there are lots of alternative options. You can build a fully functional DFIR capability for a fraction of the cost, using a mix of free or low priced tooling. One caveat, free isn’t really free. You will need to pay with your own time to resolve any issues or purchase support contracts, but even these are often less than the annual cost of a commercial licence of the big-name products. In this post, we will look at some options you really should consider, even if you have an expensive tool already, as these can help cover the inevitable gaps.
Your Low-Cost DFIR Toolkit
First some caveats. This isn’t an in-depth look at the tools, that might come later. Also it wont cover everything – it cant. There will always be new projects or ones we haven’t heard of. If this spurs you into looking for a good tool then we have achieved our aim! Finally, it’s not going to cover things like SIEMs or Log Analysis/centralisation. That is critical for DFIR but requires additional focus. If we can, we will pick this up in a future post.
To help organise this, we can group the tools into categories.
Endpoint Detection and Response
Velociraptor – https://www.velocidex.com/
At the time of writing, this is probably one of the best EDR platforms available – free or paid for. It uses an agent which reports into the main console allowing for very versatile deployment options. In the event of an incident, the investigator logs into the console and can control the agents to either hunt for malicious activity, run targeted collections, file analysis or even pull large data samples.
If you need support this is available for a fee but it is still significantly cheaper than some of its closed-source, commercial competitors.
The main challenge you are likely to face is the bandwidth between console and agent. However, this is true for all EDR products and any remote access solution. If you have a need to regularly collect full disk or memory images, then you either need to ensure incredibly high bandwidth (images can be 1tb or larger) or establish a way to do local evidence collections.
Evidence Collection
Kape – Kroll artifact parser extractor
Another amazing tool. This is free for internal use but requires a licence to be used as a service. If you want it to run internally by your own staff, there shouldn’t be any problems.
Kape allows for targeted evidence collection into a versatile VHDX format container. This can have the impact of changing a 1TB full disk image into 200MB of targeted data. You lose things like the ability to scan unallocated space but in 99% of incidents, you won’t do that. If you have any doubt, then you can use Kape to gather “triage” data for quick analysis while you send the disk image in slower time.
Every IR team should have a copy of Kape and some practice in its use.
CyLR – Live Response
Similar to Kape, this is a tool which runs rapid collection of pre-determined artifacts on the target system. It is less configurable than Kape but has some advantages in that it runs on multiple platforms and you can use to send the collected data to a remote system via SFTP. This can be invaluable if you need a sysadmin local to the victim system to capture data and send it back to your analysis server (or AWS S3 buckets).
Belkasoft RAM Capturer – https://belkasoft.com/ram-capturer
There are many tools you can use to capture RAM from a target system, but we’ve found Belkasoft’s tool one of the easiest to use. It is definitely something you should practice with and make sure it fits your DFIR workflow. One additional consideration, as endpoints become more secure, the ability to capture RAM (and analyse it) is reducing. If you are running the cutting edge versions of Windows, you need to make time to practice RAM dumping to make sure it is still feasible.
FTKImager – https://accessdata.com/product-download/ftk-imager-version-4-5
FTK, by Access Data, is one of two biggest forensic tool providers in the world. The full suite is pretty expensive, but the free Imager is very useful for collecting data from a suspect system. It works on a variety of platforms and stores images in standard formats. An additional advantage of FTKImager is that it also captures memory.
Forensic Suites
Autopsy / TheSleuthKit – https://www.sleuthkit.org/autopsy/
Saying Autopsy is a graphical interface for the Sleuth Kit is oversimplistic but helps set the scene. However, Autopsy is probably one of the best forensic tools available and, as it is free, is significantly better value for money than any of the others. It handles windows images with ease as well as Android, iOS and some other unusual file structures.
Autopsy is fully extensible, with a thriving community creating new modules to ingest and analyse data. You can even develop your own if there is a specific need.
Even on systems with limited resources (in forensics terms, this means under 32GB RAM) Autopsy is a fast tool. It allows the investigator access to the disk structures while it is still processing data. Once the processing is complete, it is packaged into useful categories – such as email, downloads, executables, etc – which helps the investigator quickly get the information they need. With the timeline, report generation and ability to search for threat intelligence in STIX format, this easily matches the capabilities of products costing £10,000 per user.
iBackUpBot – https://www.icopybot.com/itunes-backup-manager.htm
This is a little bit more of a niche product, but if you need to investigate iOS images, it can be invaluable. It isn’t really a forensic suite in the normal sense, but if your employees have iPhones or iPads it allows you to easily analyse the data including messages, contacts, installed applications and much more.
Analyst Tooling
There are a lot of products here and we can never do justice to all of them. Rather, in no specific order, this is a list of tooling which will help your day to day IR tasks, allow you to carry out basic analysis of malicious files and even extract malicious code out of office documents.
If you do DFIR, you want access to all of these tools.
- Zimmerman Tools – http://ericzimmerman.github.io/#!index.md
- Regrippper – https://github.com/keydet89/RegRipper3.0
- Sysinternals – https://docs.microsoft.com/en-gb/sysinternals/downloads/
- PEStudio – https://www.winitor.com/
- Oletools – https://www.decalage.info/python/oletools
- oledump – https://blog.didierstevens.com/programs/oledump-py/
- Volatility – https://www.volatilityfoundation.org/26
- Volatility 3 – https://github.com/volatilityfoundation/volatility3
- bulk_extractor – https://github.com/simsong/bulk_extractor
Operating Systems
This is fairly complex and heavily influenced by personal choice. We would strongly recommend your incident response “team” has access to Linux and Windows platforms. This gives maximum flexibility when it comes to assessing attacks and, generally speaking, its a lot “safer” to analyse malicious Windows code on a Linux platform and vice-versa. Virtual Machines are a good choice here.
Linux Sift – https://digital-forensics.sans.org/community/downloads
This is probably the main “go-to” Linux distro you’ll use in DFIR. It has most of the tools you need built in – at least the ones which run on Linux. Sift is especially useful if you need to analyse unusual file systems or structures which dont have widespread support. A good example here is the Linux LVM2 Logical Volume Manager which splits the filesystem across multiple disks. Most forensic tools – even expensive commercial ones – struggle to recreate these. However you can mount then natively on Linux Sift.
REMnux – https://remnux.org/
This is a Linux distro dedicated to reverse-engineering malware and malware analysis.
MS Windows and / or Flare Fireeye Flare VM
You will almost certainly need a windows machine to do DFIR. You can either build your own by installing tools you are comfortable using or you can use the Flare VM provided by FireEye. You will need your own windows licence, but Flare does provide a ready-made install of the tools you are most likely to need. It also includes some FireEye specific tools like Floss which you should consider installing if you go with a self-build VM.
Generally speaking, we strongly advise you use virtualisation for all your IR platforms. This allows you to take regular snapshots and if the inevitable accident happens and your investigation machine is infected, it is trivial to revert.
Summary – DFIR is affordable
So, as you can see there are very cost effective ways to build a robust DFIR environment. If you get all the tools here, including the ones where a commercial licence is needed (such as PEStudio), and the cost of Windows / VMWare licences you are probably looking at a budget of under £500 per year for almost unlimited endpoints. For a mall organisation, you could probably bring this down to the cost of a Windows licence.
Cyber attacks are inevitable. Incidents are inevitable. None of this has to leave you bankrupt.
Great post – thanks. I’d also suggest adding Log-MD (free edition) to assess how well the system is configured to capture stuff.
Also Binee (Carbon Black at Defcon 27) is pretty awesome.
Awesome suggestions! Thank you so much for the reminder.