The term live response is being heard more and more frequently, but what exactly is it, and how does it differ from traditional forensics?
Live response and traditional forensics have a lot in common in that they both look for similar artifacts on a system. The differentiator with live response is that the artifacts are discovered on a live, running system against an active adversary. With traditional forensics, images are taken of volatile memory and disks before being analyzed. Imaging alone can take hours, and then the images need to be processed and indexed to allow for keyword searches. Obtaining and processing the image can easily take a day or longer with large-capacity disks. With live response there is no imaging or processing that has to occur; everything is real time. This dramatically improves the response time in identifying and quantifying a threat, and the quicker the threat is identified, the quicker it can be contained and remediated.
A typical live response scenario is a response to an immediate and active threat. Many times the details of the threat are unknown, so the first priority is identifying and quantifying it. Using live response memory analysis techniques we can quickly pull a process listing showing what processes are running and begin identifying suspicious ones. Some other common artifacts that we can look for in memory are suspicious mutexes. It is common for a malicious mutex to be a string of random characters, similar to Zeus domain names. Once we have identified the suspicious process, a sample of the code is pulled from running memory and analysis of the malware and creation of IOCs can begin. Of course, an advantage to pulling the code from memory as opposed to from disk is that it is unencrypted and unpacked, so no special processing is required; all of this work can easily be completed before images would even be gathered using a traditional forensic approach.
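As an added illustration of the "random-looking mutex" heuristic described above (example code written for this page, not from the original post), the snippet below scores a constructed list of mutex names by vowel ratio and per-character entropy so the DGA-style ones stand out from the readable Windows ones. The sample names and the thresholds are assumptions, not real indicators.

```python
import math
import re
from collections import Counter

# Constructed sample of mutex names as a live-response handle listing might
# show them (hypothetical values, not taken from any real incident).
SAMPLE_MUTEXES = [
    "Global\\WindowsUpdateTracingMutex",
    "Local\\ZonesCacheCounterMutex",
    "Global\\Qx7kr9zvp2lmhtwb",
    "Local\\ahf3k9qwz2xtrmnp",
    "Global\\_!MSFTHISTORY!_",
    "ShimCacheMutex",
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def vowel_ratio(s: str) -> float:
    """Fraction of letters that are vowels; random strings score low."""
    letters = [ch for ch in s.lower() if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(ch in "aeiou" for ch in letters) / len(letters)


def is_random_looking(name: str, min_len: int = 12,
                      max_vowel_ratio: float = 0.25,
                      min_entropy: float = 3.3) -> bool:
    """Heuristic (assumed thresholds): strip the Global\\/Local\\ namespace,
    then flag long single alphanumeric tokens with few vowels and high
    character entropy. CamelCase words and punctuation are treated as
    readable, which is how most legitimate Windows mutexes look."""
    body = name.split("\\")[-1]
    if not re.fullmatch(r"[A-Za-z0-9]+", body) or len(body) < min_len:
        return False
    if re.search(r"[A-Z][a-z]+[A-Z]", body):  # CamelCase -> readable words
        return False
    return (vowel_ratio(body) <= max_vowel_ratio
            and shannon_entropy(body) >= min_entropy)


def triage_mutexes(names):
    """Return the subset of mutex names worth a closer look."""
    return [n for n in names if is_random_looking(n)]
```

The heuristic is a triage filter, not a verdict: a flagged name is a starting point for pulling the owning process from memory, and a short or CamelCase malicious name will slip through it.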
It’s not just volatile memory: other information such as prefetch files, registry keys, open network connections, system accounts, etc. can also be gathered almost instantly using live response.
The key to using live response successfully is being very specific and focused on what to examine. When large files such as the registry or the $MFT are transferred, things slow down dramatically. For example, instead of pulling back the entire $MFT, focus on specific locations where malware is commonly located, such as C:\Users\%APPDATA%\roaming, and instead of pulling back the complete registry, start by looking at the keys commonly used for persistence, such as HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
Traditional forensics will always be needed to provide the in-depth analysis that identifies how the malware got onto the system and what activities took place while it was active. Where live response excels is at quickly identifying and containing an active threat. The quicker we can identify the threat, the quicker containment and remediation will take place.
There are many open source and commercial tools available for live response; for insight into one of them, check out my colleague Trent Healy’s post on Yara.