Dr. Brian Carrier •
Cyber Triage Lite
Cyber Triage Lite – Analyzing User Activity -Video Transcription
Hi, this is Brian Carrier from Cyber Triage and this video covers how to analyze user activity in our free Cyber Triage Light tool.
It’s part of our free DFIR with Cyber Triage light series.
This video gets to the real value of the light version.
Cyber Triage, which is having a UI to review the artifacts you’ve collected.
After all, there are several free DFIR collection tools out there, but most of those give you a folder text files to review.
Cyber Triage Light makes your free-response faster by making it easier to review data, identify anomalous artifacts, and make reports.
Now I’m going to assume you’ve watched the two previous videos in this series on how to collect data from live systems or disk images.
You can download Cyber Triage Light from cybertriage.com.
Subscribe to this channel to get updates on free DFIR material.
Now to help understand how we organize data in the UI, let’s review the divide and conquer defer process, which is how we approach digital investigations.
The basic concept is that you’re going to start with an investigative question, such as what’s the attacker access.
It’s going to be hard to answer, so the solution is to break it into smaller and smaller questions that can then be answered by a single type of artifact.
It relies on the basic problem solving technique of breaking a hard problem into a bunch of smaller problems.
As some of our previous blog posts and videos have outlined, we often break investigative questions into 3 themes.
Users and looking for suspicious user activity.
Malware and looking for malicious programs and notice configuration settings and answer questions about malicious system changes.
Each of these kinds of questions are further broken down and further broken down until we can get to a single artifact type.
That’s the basic jist.
To learn more about the divide and conquer process you can refer to our blog series or watch our free 3 Hour Video course on the topic.
Your DFIR investigation will likely look at users, because account takeover is a big part of intrusions from stolen passwords and phishing attacks.
A computer may not have malware on it, but may have signs of a compromised user account, so it should be looked at.
Cyber Triage Light allows you to investigate users and its UI is organized around the dividing conquer concepts.
It breaks down the question of was their suspicious user activity into smaller questions that can be more easily answered.
Notably, which users were active on the system.
Are the suspicious logins on the system?
And what do the users do when they’re logged into the system?
Let’s dive in each of these questions more.
To answer questions about what user accounts existed, use the accounts tab on the left.
This will show you the list of OS accounts from the registry hives and references that were found in various event logs.
Now some of the columns here will not be populated in the free Lite version, but you can see on the far right column what kinds of actions each account performed, such as if they had interactive access or maybe just access to file on the system.
Now the paid version of Cyber Triage will also flag accounts as suspicious or bad based on their login behaviors, and provides more of a summary of user activity.
Now, once you select an account, you can use the bottom area to get more details.
This is how the light version becomes much more valuable than just having a pile of text files to go through.
For example, the files tab will show you what files were owned by that user and were collected by the collection tool.
Now note the user may have had more files on the system, but this will show you which files were suspicious and collected as part of the collection.
Now the process tab will show you what processes are running for that user and the user tab will give you more information about their activities such as their local and remote logins.
If anytime you decide and the account is suspicious or bad, you can use the mark item as section to mark them as bad or suspicious and they’ll get added to your final report.
The next question that Cyber Triage light can help you answer is about logins.
You’ll want to review logins to look for lateral movement and account takeovers.
We choose the logins menu on the left.
You can see the logins that were found based on event logs.
The amount of data will depend on the audit settings on the system.
The value of cyber triage light over a manual review is that its mapping various eventlog types in the inbound and outbound or local and grouping the entries in one place.
By default, remote logins are shown inbound and outbound, but you can change that by using the pulldown.
When you show remote logins, they’ll be grouped by the host, so you can focus in on those that are from anomalous locations.
Or you can choose the ungroup button at the top and be able to see all logins sorted by time.
The paid version.
Cyber Triage will mark logins as suspicious based on things like remote and local usernames and timing of logins.
When you select a session, you’ll then get further details below, such as about what remote host or user were involved.
The program run section will answer your questions about what programs will run on the system.
The value of using Cyber Triage Lightt for reviewing this kind of data is that it merges many types of artifacts such as prefetching user assist into a single view, and then you can dive into details of the unique program names if they’re relevant.
The programs will be grouped by parent folder.
To make it easier to focus on anomalies.
You can right click on an entry to export the EXE file for further analysis.
On the bottom you can select execution history to see the specific dates and times that the programs are run if they’re known.
The paid version will also mark programs as bad or suspicious based on their path and malware scan results.
The web artifact section of Cyber Triage Light can be used to answer questions about web activity.
This data is needed to identify where task tools were downloaded from or investigate phishing attempts.
This panel will show downloads, cookies, and history items from Chrome, Firefox and Edge.
The value of using Cyber Triage Light for reviewing this data instead of using only text files is that it’s extracted automatically and you can quickly focus on the anomalous domains and downloads now by default, only the previous two months of activity is shown, but you can expand that with the pull
You can also filter based on other kinds of activity, such as only cookies or only downloads.
Any item can be manually scored as bad or suspicious and added to the final report.
Well, that’s it for this video.
I hope you saw how the Cyber Triage Light UI makes it easier to investigate systems for free than having a pile of text files.
It displays data in a group fashion and allows you to filter them and see related details.
Subscribe to this channel for more of these videos on Cyber Triage Light and you can download the software from Cyber Triage.