The six lenses of a files and folders cyberattack investigation

by Terrence Lillard

20 April 2020

A woman looking at a digitised screen

The 60s musical group, The Beatles, produced a song representing the request of today’s organizations that are victims of ransomware, cryptomining, china chopper, web shells and other complex malicious attacks. The song’s initial lyrics are as follows (Table 1):

Help, I need somebody
Help, not just anybody
Help, you know I need someone, help

When I was younger, so much younger than today
I never needed anybody's help in any way
But now these days are gone, I'm not so self-assured
Now I find I've changed my mind and opened up the doors

Help me if you can, I'm feeling down
And I do appreciate you being round
Help me get my feet back on the ground
Won't you please, please help me

Table 1. Beatles. Lyrics to “Help!,” Album - Help!, 1965

Like the song, many organizations request incident response help and can’t rely only on internal IT teams because today’s malicious attacks are more sophisticated and harder to discover. In addition, like snowflakes, no two cyberattacks are alike because no two organizations are identical, and the attacker’s techniques are constantly evolving. So, I use my cyber-incident response investigation framework that encompasses three cyberattack dimensions: Stage, Temporal and Spatial.

 

The Lockheed Cyber Kill Chain - the Stage dimension - is used to identify the stages of a cyberattack which are Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, and Actions on Objectives.

The Temporal (Time) dimension is used since cyberattacks require me to review forensics artefacts left-behind on systems (Figure 1) before, during and after a cyberattack. In most cases, both Stage and Temporal based dimensional cyberattacks occur simultaneously which complicates the cyber investigation.

An image showing globalization

Figure 1. Multiple Dimension Cyberattack

Spatial, the third dimension, is the reason many organizations are requesting assistance, because this entails breadth (lateral) and in-depth movements. Spatial cyberattacks can span across multiple systems: domain controllers, application servers, file servers and end-user workstations. In addition, Spatial dimension cyberattacks entrench themselves within a single system. While in-depth movements encompass multiple components of a system, this blog post focuses on my investigative technique associated with two key file system components: files and folders.

Cyberattack investigations that include files and folders require me to visualize the cyberattack through the lenses of a multi-eye insect: a spider (Figure 2). And like each eye of the spider, which performs a specific function, I examine files and folders residing on systems using six different lenses. The six lenses are:

A jumping spider

Figure 2. Multiple eyed spider

  1. I determine what files and folders are legitimately on the system. This is known as the What should be there review. I perform this review via visual inspections, files and folder positive hashing, organization gold disk image comparisons or using the NIST National Software Reference Library (NDSL).
  2. The Left behind review, basically What files are there that should not be there. I focus on the presence of malicious files and their purpose in accordance with the Lockheed Cyber Kill Chain. It’s a negative complement to the first lens. I perform the review via visual inspections, files and folder negative hashing and antivirus scans.
  3. The What should never be there review, basically What is not there, but the attacker need it there. I focus on the baseline of the system and note the absence of malicious files to determine the next steps of the cyberattack, if any, within the Lockheed Cyber Kill Chain. I perform this review based on my experience, threat-hunting models, and Global Threat Intelligence Center (GTIC) threat alerts.
  4. The What is missing review, basically What is not there but should be there (deleted), attackers will use anti-forensics techniques to evade discovery of deleted artifacts which can provide insight into the attacker’s motives for compromising a system. I use forensics recovery tools to identify artifacts deleted by the attacker and the results from the previous three lenses.

    Note: The absence of evidence is as important as the presence of evidence. This is analogous to the missing vase on a mantle, but you can see a dust silhouette.

  5. The What files have been moved, but are still there review, attackers will move files to a different location for various reasons: to modify files based on permissions or to alter the file path for execution. I review the operating rules for file path execution and perform visual inspections of access rights and permissions for common file and folder locations.
  6. The What files are there, but have been changed (altered) review. Attackers will use this technique to hide file changes in plain sight. This lens is the most difficult to perform because attackers employ various file hide and modification techniques to evade detection. Therefore, I do not rely on files names, file extensions, file signatures or internal program coding for file validation. I use trust-but-verify techniques to perform file analysis: positive hashing, fuzzy hashing, Alternate Data Stream analysis, steganography analysis, dynamic analysis and reverse engineering.

In conclusion, like the Beatles song, organizations are requesting incident response help because cyberattacks transverse multiple cyberattack dimensions: Stage, Temporal and Spatial. The Spatial dimension generates the largest organizational outcry because of the business impact of lateral and in-depth movements. For Spatial dimension cyberattacks, I use my spider eyes to assist me during complex cyberattack investigations. The review of files and folders are critical in any cyberattack investigation and may reveal the Who, What, When, Where, Why and How of a complex malicious attack. The ability to apply the six lenses and the extrapolation from each lens is paramount for any investigation. Regardless of the file type or location, you must identify, analyse, and draw conclusions using the artifacts present or missing on a system to investigate today’s cyberattacks.

Terrence Lillard

Terrence Lillard

Senior DFIR Consultant, Consulting Services, NTT Ltd.