What Cyber Triage Collects

Cyber Triage can collect and analyze all the types of data listed below. It’s a comprehensive list, but if we’re missing something you really need, reach out!

Volatile Data

  • Processes and running services (including full path to executable, arguments, PID, parent PID, and SID) from Windows APIs
  • Network connections (including local and remote ports, remote address, and local process) from Windows APIs
  • Open network ports (including local process) from Windows APIs
  • DNS cache, routing tables, and ARP cache from Windows APIs
  • Logged in users from Windows APIs
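The volatile data listed above can be reproduced with built-in Windows cmdlets. The following is an added example written for this page, not Cyber Triage's own collector; the function names and the JSON output path are assumptions, and it must run in an elevated PowerShell session on the host being triaged. It joins each TCP connection to the path of its owning process and records the parent PID and owner SID so that the snapshot can be compared later against the on-disk artifacts.

```powershell
# Added example (not Cyber Triage code). Collects the volatile items named above
# from Windows APIs: processes, TCP connections, DNS cache, routes, ARP cache and
# logged-in users. Function and file names are assumptions for this example.

function Get-TriageProcessSnapshot {
    # Win32_Process supplies path, arguments, PID and parent PID;
    # GetOwnerSid adds the SID of the account the process runs as.
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $sid = try { (Invoke-CimMethod -InputObject $_ -MethodName GetOwnerSid).Sid } catch { $null }
        [pscustomobject]@{
            Pid       = $_.ProcessId
            ParentPid = $_.ParentProcessId
            Name      = $_.Name
            Path      = $_.ExecutablePath   # null for protected/system processes
            Arguments = $_.CommandLine
            OwnerSid  = $sid
        }
    }
}

function Get-TriageNetworkSnapshot {
    param([object[]]$Processes = (Get-TriageProcessSnapshot))
    # Index processes by PID so each connection can be joined to its owner.
    $byPid = @{}
    foreach ($p in $Processes) { $byPid[[int]$p.Pid] = $p }

    Get-NetTCPConnection | ForEach-Object {
        $owner = $byPid[[int]$_.OwningProcess]
        [pscustomobject]@{
            State         = $_.State          # Listen = open port, Established = connection
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            Pid           = $_.OwningProcess
            ProcessPath   = if ($owner) { $owner.Path } else { '<exited or inaccessible>' }
        }
    }
}

function Get-TriageVolatileSnapshot {
    # One object holding every volatile category, stamped with collection time.
    $procs = @(Get-TriageProcessSnapshot)
    [pscustomobject]@{
        CollectedAt = (Get-Date).ToUniversalTime().ToString('o')
        Host        = $env:COMPUTERNAME
        Processes   = $procs
        Network     = @(Get-TriageNetworkSnapshot -Processes $procs)
        DnsCache    = @(Get-DnsClientCache | Select-Object Entry, RecordName, Data, TimeToLive)
        Routes      = @(Get-NetRoute | Select-Object DestinationPrefix, NextHop, InterfaceAlias)
        ArpCache    = @(Get-NetNeighbor | Select-Object IPAddress, LinkLayerAddress, State)
        # Win32_LoggedOnUser links a session to a Win32_Account; keep domain\name only.
        LoggedOn    = @(Get-CimInstance -ClassName Win32_LoggedOnUser |
                        ForEach-Object { "$($_.Antecedent.Domain)\$($_.Antecedent.Name)" } |
                        Sort-Object -Unique)
    }
}

# Usage: write the snapshot to JSON for offline review. The path is an example value.
$snapshot = Get-TriageVolatileSnapshot
$snapshot | ConvertTo-Json -Depth 5 | Set-Content -Path "$env:TEMP\volatile-snapshot.json"

# Quick triage view: listening ports and outbound connections whose owning
# process could not be resolved, which is worth a second look during review.
$snapshot.Network | Where-Object { $_.ProcessPath -like '<*' } | Format-Table -AutoSize
```

The parent PID is captured deliberately: a process list alone shows what is running, but the parent relationship is what lets an analyst see, for example, that a shell was spawned by an office application rather than by Explorer. The JSON file gives a fixed point to diff against a second snapshot taken after containment.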

User Data

  • User information is collected from the ProfileList keys in the Software Hive and the SAM Hive
  • Group membership is collected from the NTUser.dat hives
  • Deleted accounts are inferred from parsing event logs
  • Interactive logon events are collected from the event logs
  • Inbound remote desktop connections are collected from the Security and Terminal Services event logs
  • Outbound remote desktop connections are collected from the NTUser.dat registry hives

Program Run

  • MUI Cache
  • Run MRU
  • UserAssist
  • AppCompatCache (ShimCache)
  • Prefetch
  • Background Activity Monitor (BAM / DAM)
  • StartupInfo.xml
  • Scheduled Task action started event (ID 200)
  • Process Created event (ID 4688)
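The two event-log sources in this list, Security event 4688 and Task Scheduler event 200, can be pulled from a live system or from exported .evtx files with Get-WinEvent. The script below is an added example for this page, not Cyber Triage's parser; the function names are assumptions. It unpacks the EventData fields into objects so the process path, command line, parent and subject SID are directly filterable, and it accepts an optional path so the same code works on a collected Security.evtx.

```powershell
# Added example (not Cyber Triage code). Parses "program run" evidence from
# Security 4688 (Process Created) and TaskScheduler 200 (Action started).
# Requires an elevated session for the live Security log. Function names are
# assumptions for this example.

function ConvertFrom-EventData {
    # Turn the <EventData><Data Name="..."> elements of one event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $data = @{}
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    return $data
}

function Get-ProcessCreatedEvents {
    # 4688 fields: NewProcessName, NewProcessId (hex string), ProcessId (creator, hex),
    # SubjectUserSid, CommandLine (only if command-line auditing is enabled),
    # ParentProcessName (newer Windows builds only).
    param([string]$Path, [int]$MaxEvents = 5000)
    $filter = if ($Path) { @{ Path = $Path; Id = 4688 } } else { @{ LogName = 'Security'; Id = 4688 } }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData -Record $_
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Process     = $d['NewProcessName']
                Pid         = [int]$d['NewProcessId']     # PowerShell converts "0x1a2c" style hex
                ParentPid   = [int]$d['ProcessId']
                Parent      = $d['ParentProcessName']     # null on older Windows
                CommandLine = $d['CommandLine']           # null unless auditing enabled
                SubjectSid  = $d['SubjectUserSid']
            }
        }
}

function Get-TaskActionStartedEvents {
    # Event 200 fields: TaskName, ActionName (the executable), TaskInstanceId, EnginePID.
    param([string]$Path, [int]$MaxEvents = 5000)
    $log = 'Microsoft-Windows-TaskScheduler/Operational'
    $filter = if ($Path) { @{ Path = $Path; Id = 200 } } else { @{ LogName = $log; Id = 200 } }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData -Record $_
            [pscustomobject]@{
                Time      = $_.TimeCreated
                TaskName  = $d['TaskName']
                Action    = $d['ActionName']
                EnginePid = [int]$d['EnginePID']
            }
        }
}

# Usage (live system): processes launched from user-writable locations are a
# common first filter during triage; the path list is an example heuristic.
$userWritable = @('*\Users\*', '*\Temp\*', '*\ProgramData\*')
Get-ProcessCreatedEvents |
    Where-Object { $p = $_.Process; ($userWritable | Where-Object { $p -like $_ }).Count -gt 0 } |
    Sort-Object Time |
    Format-Table Time, Pid, ParentPid, Process, CommandLine -AutoSize

# Usage (collected log): the same parser over an exported file.
# Get-TaskActionStartedEvents -Path 'C:\collected\Microsoft-Windows-TaskScheduler%4Operational.evtx'
```

If no 4688 events come back on a live host, check the audit policy first: process creation auditing (and command-line inclusion) is off by default, which is why the System Settings section of this list records audit levels alongside the events themselves.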

Startup/Persistence Locations

File metadata and content are collected for files that are automatically run. The following locations are parsed:
  • All of the “Auto Runs” locations, including Run, RunOnce, etc.
  • Startup folders
  • Scheduled Tasks (including all actions)
  • WMI actions
  • PowerShell profiles

Web Artifacts

  • History, downloads and cookies from Chrome, Firefox, IE, and Edge databases
  • Executable files from downloads folder

File Analysis

  • Files are accessed using forensic techniques from The Sleuth Kit ® to access locked files and bypass rootkits
  • File content from startup items, processes, programs run, etc. is collected and hashed
  • Signatures of executables are verified
  • All files are analyzed to detect:
    • Encrypted archive files that could be from data exfiltration
    • Executables that are packed
    • Executables stored in NTFS alternate data streams

Network Shares

  • Mounted network shares from parsing NTUser.dat hive
  • Accessed shares are inferred from parsing UNC paths

System Settings

The collection tool will gather various settings to help the investigator understand the system they are investigating. Settings collected include:
  • Operating System version
  • Audit Levels for logon and logoff events
  • Firewall settings
  • Task Manager enabled
  • Windows Defender enabled
  • Windows Automatic Update enabled

Other Files Collected

  • All registry files
  • Windows HOST and LMHOST files
  • Source files (any file that we analyze and extract evidence from. Ex. prefetch files for program run analysis)
  • Event logs
    • Application.evtx
    • HardwareEvents.evtx
    • Security.evtx
    • Setup.evtx
    • System.evtx
    • Microsoft-Windows-TaskScheduler%4Operational.evtx
    • Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
    • Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx
    • Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx
    • Microsoft-Windows-PowerShell%4Operational.evtx
    • Microsoft-Windows-WinRM%4Operational.evtx
    • WMI-Activity%4Operational.evtx
    • Windows PowerShell.evtx
    • WindowsPowerShell.evt
    • AppEvent.evt
    • SecEvent.evt
    • SysEvent.evt