
Live Response vs. Traditional Forensics

Created: 04 Aug 2014 • Updated: 04 Aug 2014 • 8 comments
By Jamie Porter


The term live response is being heard more and more frequently, but what exactly is it, and how does it differ from traditional forensics?

Live response and traditional forensics have a lot in common in that both are looking for similar artifacts on a system. The differentiator with live response is that the artifacts are discovered on a live, running system against an active adversary. With traditional forensics, images are taken of volatile memory and disks before being analyzed. Imaging alone can take hours, and then the images need to be processed and indexed to allow for keyword searches. Obtaining and processing the image can easily take a day or longer with large-capacity disks. With live response there is no imaging or processing that has to occur; everything is in real time. This dramatically improves the response time in identifying and quantifying a threat, and the quicker the threat is identified, the quicker it can be contained and remediated.

A typical live response scenario is a response to an immediate and active threat. Many times the details of the threat are unknown, so the first priority is identifying and quantifying it. Using live response memory analysis techniques we can quickly pull a process listing showing what processes are running and begin identifying suspicious ones. Some other common artifacts that we can look for in memory are suspicious mutexes. It is common for a malicious mutex to be a string of random characters, similar to Zeus domain names. Once we have identified the suspicious process, a sample of the code is pulled from running memory, and analysis of the malware and creation of IOCs can begin. Of course, an advantage of pulling the code from memory as opposed to from disk is that it is unencrypted and unpacked, so no special processing is required; all of this work can easily be completed before images would even be gathered using a traditional forensic approach.
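The "string of random characters" heuristic for mutex and process names can be turned into a repeatable triage check. The PowerShell below is an added example, not code from the original post or from Symantec: it scores a name on Shannon entropy, vowel ratio and mixed digits/letters, runs it over a few constructed sample names, then flags running processes whose image name scores high. The thresholds are assumptions chosen for illustration, and the same function can be fed mutex names exported from any handle-enumeration tool.

```powershell
# Added example (not from the original post). Scores a name for "random-looking"
# character patterns and applies the score to the live process list.
# Thresholds (3.2 bits, 0.2/0.6 vowel ratio, length 10) are assumptions.

function Get-NameRandomnessScore {
    param([Parameter(Mandatory)][string]$Name)

    $clean = ($Name -replace '[^a-zA-Z0-9]', '').ToLower()
    if ($clean.Length -lt 6) { return 0 }   # too short to judge

    # Shannon entropy in bits per character
    $counts = @{}
    foreach ($c in $clean.ToCharArray()) { $counts[$c] = 1 + [int]$counts[$c] }
    $entropy = 0.0
    foreach ($n in $counts.Values) {
        $p = $n / $clean.Length
        $entropy -= $p * [Math]::Log($p, 2)
    }

    # Fraction of vowels: English-like names usually sit between ~0.25 and ~0.55
    $vowels = ([regex]::Matches($clean, '[aeiou]')).Count / $clean.Length

    $score = 0
    if ($entropy -gt 3.2) { $score++ }
    if ($vowels -lt 0.2 -or $vowels -gt 0.6) { $score++ }
    if ($clean -match '\d' -and $clean -match '[a-z]' -and $clean.Length -ge 10) { $score++ }
    return $score   # 0 = looks like a word, 3 = strongly random-looking
}

# Constructed sample names (not real malware names) to show the spread of scores
$samples = 'explorer', 'svchost', 'xk3jf9qz2m', 'qwzxrtvbnp', 'OneDrive'
foreach ($s in $samples) {
    '{0,-14} score={1}' -f $s, (Get-NameRandomnessScore -Name $s)
}

# Apply to the live process list and surface the high-scoring entries first
Get-Process | ForEach-Object {
    [pscustomobject]@{
        Name  = $_.ProcessName
        PID   = $_.Id
        Path  = $_.Path          # empty for protected/system processes
        Score = Get-NameRandomnessScore -Name $_.ProcessName
    }
} | Where-Object Score -ge 2 | Sort-Object Score -Descending | Format-Table -AutoSize
```

A high score is a lead, not a verdict: legitimate installers and updaters sometimes use random temporary names, so each hit still needs the image path, parent process and memory sample the post describes before it becomes an IOC.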

It's not just volatile memory: other information such as prefetch files, registry keys, open network connections, system accounts, etc. can also be gathered almost instantly using live response.

The key to using live response successfully is being very specific and focused about what to examine. When large files such as the registry or the $MFT are transferred, things slow down dramatically. For example, instead of pulling back the entire $MFT, focus on specific locations where malware is commonly found, such as C:\Users\%APPDATA%\roaming, and instead of pulling back the complete registry, start by looking at the keys commonly used for persistence, such as HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
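The focused collection the post recommends, covering the artifacts listed above (prefetch, persistence keys, network connections, accounts) and the "pull the specific keys, not the hive" advice, can be scripted as a single pass that writes one JSON report. This is an added example, not code from the original post or a Symantec tool. It assumes it is saved as a .ps1 and run elevated on the host, that $env:APPDATA is the roaming AppData location the post refers to, that Get-NetTCPConnection (Windows 8 / Server 2012 or later) is available, and that the output path in $OutFile is acceptable; Get-LocalUser is only used where it exists (Windows 10 / Server 2016 or later).

```powershell
# Added example (not from the original post). Focused live-response pull of the
# artifacts the post names, written as one JSON report instead of a full
# registry or $MFT image. $OutFile is an assumed location; run elevated.

param([string]$OutFile = "$env:TEMP\live-triage-$env:COMPUTERNAME.json")

# 1. Persistence: the Run/RunOnce keys only, not the whole hive
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$persistence = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notmatch '^PS') {     # skip the provider's PSPath/PSDrive metadata
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# 2. Roaming AppData: executable and script files only, not the whole tree
$appDataHits = Get-ChildItem -Path $env:APPDATA -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll', '.scr', '.ps1', '.vbs', '.js', '.bat' } |
    Select-Object FullName, Length, CreationTime, LastWriteTime

# 3. Running processes with image path, parent and command line
$processes = Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate

# 4. Established and listening TCP connections tied to the owning process
$connections = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.State -in 'Established', 'Listen' } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess

# 5. Prefetch: file names and timestamps show what ran recently
$prefetch = Get-ChildItem -Path "$env:SystemRoot\Prefetch" -Filter *.pf -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime

# 6. Local accounts (cmdlet exists on Windows 10 / Server 2016 and later)
$accounts = $null
if (Get-Command Get-LocalUser -ErrorAction SilentlyContinue) {
    $accounts = Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet
}

$report = [ordered]@{
    Host        = $env:COMPUTERNAME
    CollectedUtc = (Get-Date).ToUniversalTime().ToString('o')
    Persistence = $persistence
    AppData     = $appDataHits
    Processes   = $processes
    Connections = $connections
    Prefetch    = $prefetch
    Accounts    = $accounts
}
$report | ConvertTo-Json -Depth 4 | Set-Content -Path $OutFile -Encoding UTF8
"Report written to $OutFile"
```

The report is small enough to pull back from many hosts in minutes, and the OwningProcess field on each connection joins directly to ProcessId in the process list, so a suspicious remote address can be tied to an image path and a Run-key entry in one pass.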

Traditional forensics will always be needed to provide in depth analysis identifying how the malware got on the system and what activities took place while it was active. Where live response excels is at quickly identifying and containing an active threat.  The quicker we can identify the threat the quicker containment and remediation will take place.

There are many open source and commercial tools available for live response. For insight into one of them, check out my colleague Trent Healy's post on Yara.


Comments (8)

Robert Shaker:

Jamie,

This post provides a lot of clarity on the two different scenarios for response. What are some things you think organizations can do in advance of an incident that requires live response to provide better information to responders and make them more successful?

Thanks!

Bob is a Senior Leader on the Symantec Managed Incident Response Service team. He can be found online at LinkedIn or Twitter

Jamie Porter:

Bob,

That's a great question. Garrett Bechler and I did a presentation on just that topic at the last Vision conference. There is a lot that goes into being successful in incident response. Probably more than I can address in this comment. If I had to pick one thing, it would be understanding what is normal in the environment.

Robert Shaker:

That makes me think you read Matt's post on Layer 8 sensor arrays? :)


Jamie Porter:

I hadn't read it yet. But it is a good post and I think he is making some great points.

Vikram Kumar-SAV to SEP:

Live response is more useful and direct, but the organization still has to make a clear demarcation between what qualifies for live response and what qualifies for forensics.

Also needed are a detailed plan for handling live response and the expertise of the person conducting it, as ineffectively conducting live response on a system might make it useless for forensics, especially if at any point law agencies have to be involved.

But for an incident response, live response is far more direct, as results are quick and understanding the overall impact is much faster; the broader response to the threat is much quicker and will cause less impact, for example: understanding which IPs/domains (C&C) to block, which files to submit/block, what vulnerability was exploited and what patch to apply, what to monitor, etc.

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect is the Search button... do use it.

Jamie Porter:

Live response is not a replacement for forensics and never will be. It is often difficult to know if forensics will be needed as an incident is spinning up. Many times during the course of a live response, artifacts will be uncovered that move the incident from live response to forensics. Some common indicators that would do this are evidence of data exfiltration or criminal activity. But there are others.

idforensic:

Firstly, I must say a great article and initiative taken by the author to highlight an interesting and ever-changing area in Computer Forensics (Live Forensics).

I agree to an extent that Live Forensics will not replace traditional forensics, but the way storage is increasing day by day, it is becoming and will become very exhaustive and time consuming, and would require loads of investment in acquiring such high volumes of data (imagine 2TB is now almost a common internal hard drive, and almost every PC or laptop now has 8GB RAM, which is a lot of "stuff"), and then imagine the time to analyse these large chunks of data. The need of the hour has been to acquire the memory, dump the registry, live processes, prefetch files, netstats etc. and start analysis using tools like Volatility, which I first used in 2009 when I did my research on Live Forensics.

I understand the complexities behind acquiring Volatile Information and the legal standing behind it stating that you have "altered the evidence" when an investigator tries to dump the memory using any tool which would require some amount of memory in order to start the acquisition process.

But, on the other hand, see the benefits of conducting Live Forensics. The RAM or memory not only contains recent browsing history and URLs, recent docs, recent media, recent software that was running, emails/messengers, but also crucial passwords, and that too in cleartext. This would aid in quickly solving cases and disposing of them at a faster rate.

Laws need to be amended (APCO good practice guides now need to revisit their guidelines to make a space for Live Forensics), and lastly, the judiciary needs to become more competent (by having regular training in Forensics and "Anti Forensics") to understand the cases so that the cases can be disposed of quickly.

Best wishes

ID

Jamie Porter:

Great comments, Idforensic.

You bring up some excellent points about how live response and forensics are changing due to the changes in hardware. Hard drive capacities are increasing at a very rapid rate. What is having even more impact on us is solid state drives (SSDs). SSDs are very desirable from a user perspective because they are faster than traditional hard drives with spinning platters. From a forensics perspective we cannot analyze an SSD the same way we would a traditional hard drive, and in most cases it is impossible to recover deleted data due to the way the SSD works. This is creating some serious challenges for us. It will be interesting to see how forensic analysis of SSDs develops over the next few years.

It's not just the SSD drives though. Server and device RAM is increasing dramatically. It is common to see servers with 128GB of RAM. This poses problems due to the time it takes to image the memory as well as analyze it. Ideally we want to grab the RAM image as quickly as possible since RAM is dynamic and constantly changing. Obtaining a memory image on these large systems can take over an hour. During that time many operations have taken place; pages have been written and deleted. We can still analyze the image. It just takes more time and effort.
