One Tool Does Not Fit All: How Mandiant Applies Traditional Forensics

Mandiant has been conducting incident response investigations since 2004. Our roots in this field are in traditional forensic analysis, with EnCase® Forensic as the top tool of choice among our consultants. As Mandiant grew, so did our clients’ environments and the sophistication of attacks, and Mandiant began focusing on how to scale our investigations. This resulted in the creation of Mandiant Intelligent Response (MIR), a tool designed to run on endpoints, help identify evidence of compromise, and perform live response analysis. Building and deploying MIR has helped transform our approach into a mix of live response analysis and traditional forensics, allowing for very fast and efficient investigations.

For many systems that Mandiant analyzes, we can understand the story of an attack through live response analysis with MIR. Yet, in every investigation, there are a number of systems that we want to dig deeper into, either for detailed data points, or to collect and process data that can withstand legal challenge. Traditional forensic tools help identify and carve out evidence of deleted files, recover deleted attacker malware, pinpoint specific attacker activity, and answer difficult questions for our clients. To do that, Mandiant relies on traditional forensics, and looks to accomplish that with EnCase® Forensic.

Here are three common scenarios in our incident response engagements where we choose to supplement live response with forensic analysis.

1) Patient Zero

"Patient Zero" refers to the original source of compromise in an investigation. Patient Zero may be a workstation that belonged to a user who clicked on a phishing email, a web server that was compromised, or a system that contained vulnerable software. In many cases, evidence of what happened may no longer be present on the system. When Mandiant thinks we have located Patient Zero, we want a forensic image to help prove it is indeed “the one.”

Real World Example: A user receives a malicious phishing email and clicks on a link that directs the user’s browser to a malicious website. Mandiant loaded the forensic image of the system into EnCase® and used the Internet History search capability to extract the corresponding URL and its last visited date. We then pivoted off that last visited date, sorting by file created, modified, accessed, and entry modified times to find more evidence of attacker activity. In this case, the malicious site exploited a vulnerable version of Java, which left various Java artifacts and ultimately resulted in the creation of a backdoor on the system. In cases where a user deleted their browsing history, Mandiant consultants have extracted URL records from unallocated space – something that is only possible through forensic analysis.
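The timestamp pivot described above, written out as a small script. This is an added example and not Mandiant's or EnCase's code: the file records, paths and timestamps are constructed to resemble the Java artifacts in the story, and the field names (created, modified, accessed, entry_modified) are assumptions about how an examiner might export a file listing.

```python
# Added example (not Mandiant's code): pivot from a known "last visited" timestamp
# to every file whose created/modified/accessed/entry-modified time falls inside
# a window around it, then sort the hits into a mini timeline.
from datetime import datetime, timedelta

TIME_FIELDS = ("created", "modified", "accessed", "entry_modified")

# Constructed sample file listing; paths and timestamps are invented.
FILES = [
    {"path": r"C:\Users\alice\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\abc-1234.idx",
     "created": "2013-03-04 09:15:10", "modified": "2013-03-04 09:15:12",
     "accessed": "2013-03-04 09:15:12", "entry_modified": "2013-03-04 09:15:12"},
    {"path": r"C:\Users\alice\AppData\Local\Temp\jar_cache5678.tmp",
     "created": "2013-03-04 09:15:14", "modified": "2013-03-04 09:15:15",
     "accessed": "2013-03-04 09:15:15", "entry_modified": "2013-03-04 09:15:15"},
    {"path": r"C:\Windows\System32\svchost32.exe",
     "created": "2013-03-04 09:15:20", "modified": "2013-03-04 09:15:20",
     "accessed": "2013-03-04 09:15:21", "entry_modified": "2013-03-04 09:15:21"},
    # Unrelated system file far outside the window; must not appear in the timeline.
    {"path": r"C:\Windows\System32\notepad.exe",
     "created": "2012-07-26 03:21:00", "modified": "2012-07-26 03:21:00",
     "accessed": "2012-07-26 03:21:00", "entry_modified": "2012-07-26 03:21:00"},
]

# Constructed "last visited" date for the malicious URL from browser history.
PIVOT = "2013-03-04 09:15:05"


def parse(ts):
    """Parse the listing's timestamp format into a datetime."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def files_near(records, pivot, window_minutes=5):
    """Return (timestamp, field, path) for every MACE time within +/- window of pivot.

    Every timestamp field is checked separately, so a file whose creation time is
    outside the window but whose entry-modified time is inside still surfaces.
    """
    pivot_dt = parse(pivot)
    delta = timedelta(minutes=window_minutes)
    hits = []
    for rec in records:
        for field in TIME_FIELDS:
            ts = parse(rec[field])
            if abs(ts - pivot_dt) <= delta:
                hits.append((ts, field, rec["path"]))
    hits.sort()  # chronological order: the first hit is the earliest artifact
    return hits


def paths_in_order(hits):
    """Collapse the hit list to distinct paths in the order they first appear."""
    seen, ordered = set(), []
    for _, _, path in hits:
        if path not in seen:
            seen.add(path)
            ordered.append(path)
    return ordered


if __name__ == "__main__":
    for ts, field, path in files_near(FILES, PIVOT):
        print(f"{ts}  {field:15}  {path}")
```

Sorting on every timestamp field rather than just creation time is the point: a pre-existing file that malware rewrote shows up through its modified or entry-modified time even though it was created long before the pivot.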

2) Data Theft

When Mandiant identifies evidence of data theft on a system, we instantly want to dig as deep as possible into the system. In these cases, live response data may not be enough to give us the answers we need. Because of this, Mandiant always requests an image of a system associated with data theft, or the system the attacker used to “stage" data. Forensic analysis of the system using EnCase® allows Mandiant to identify trace evidence of data theft and, most importantly, recover deleted data from the disk.

Real World Example: An attacker staged client data in a RAR archive and transferred it to a remote system. For Mandiant to determine what data was stolen, consultants used EnCase® to search for RAR archive headers across the entire disk and to look for other evidence such as accessed files and mapped drives. Not only was Mandiant able to carve a deleted RAR archive out of unallocated space, but we also found additional RAR archives that the attacker had given “DLL” file extensions. In addition, when Mandiant knows the domain and/or IP address information of attacker command and control (CnC) servers, we create EnCase® keywords and search the system to determine how the data was transferred. In one case, we found an unrelated application log that had recorded the connection to the CnC server and even tracked the amount of data that was transferred!
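Searching a disk for RAR headers, as an added example rather than Mandiant's or EnCase's own code. It scans a raw image for the RAR 4.x and RAR 5 signatures and carves each archive out to its end-of-archive block. Because carving keys on the header bytes, an archive the attacker renamed to .dll is found exactly like one with a .rar extension. The image is constructed inline and the "archives" inside it are stubs with a signature, a filename string and an end block, not real RAR files.

```python
# Added example (not Mandiant's code): signature-based carving of RAR archives
# from a raw disk image, independent of file names or extensions.

RAR4_MAGIC = b"Rar!\x1a\x07\x00"        # RAR 1.5 - 4.x marker block
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"    # RAR 5.0 signature
# RAR 4.x end-of-archive block: CRC 0x3dc4, HEAD_TYPE 0x7b, flags 0x4000, size 7
RAR4_END_BLOCK = b"\xc4\x3d\x7b\x00\x40\x07\x00"


def find_all(data, pattern):
    """Byte offsets of every occurrence of pattern in data."""
    offsets, start = [], 0
    while True:
        idx = data.find(pattern, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def carve_rar(image, max_len=64 * 1024):
    """Carve every RAR archive whose header appears anywhere in image.

    RAR 4.x archives are cut at their end-of-archive block when one follows the
    header; otherwise (and for RAR 5, whose end header is not parsed here) a
    fixed max_len is carved so the examiner still gets the leading blocks.
    """
    carved = []
    for magic, version in ((RAR5_MAGIC, 5), (RAR4_MAGIC, 4)):
        for off in find_all(image, magic):
            length = max_len
            if version == 4:
                end = image.find(RAR4_END_BLOCK, off)
                if end >= 0:
                    length = end - off + len(RAR4_END_BLOCK)
            chunk = image[off:off + min(length, max_len)]
            carved.append({"offset": off, "version": version,
                           "length": len(chunk), "data": chunk})
    return sorted(carved, key=lambda c: c["offset"])


def build_sample_image():
    """Constructed disk image: two RAR 4.x stubs separated by zero-filled filler.

    The second stub sits right after an 'MZ' marker to mimic an archive the
    attacker dropped with a .dll name; the carver does not care either way.
    """
    filler = b"\x00" * 512
    rar_a = RAR4_MAGIC + b"\x00" * 40 + b"client_data.xlsx" + b"\x00" * 20 + RAR4_END_BLOCK
    rar_b = RAR4_MAGIC + b"\x00" * 30 + b"finance.docx" + RAR4_END_BLOCK
    return filler + rar_a + filler + b"MZ" + filler + rar_b + filler


if __name__ == "__main__":
    for item in carve_rar(build_sample_image()):
        print(f"offset={item['offset']} version={item['version']} length={item['length']}")
```

On a real image the carved chunks would be written to disk and opened with an archive tool; the point of the scan is that it runs across the whole device, allocated and unallocated alike, so a deleted archive with no directory entry is still recovered.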

3) Critical Systems

A typical Mandiant investigation may find hundreds of systems that the attacker interacted with during the compromise. In the hundreds of systems lies a critical attack path – a series of systems the attacker used to accomplish their mission. The following is an example of a critical attack path and the associated systems:

1. The attacker gained access to the environment through a phishing email that resulted in the creation of a backdoor on SYSTEMA.

2. The attacker accessed SYSTEMB, a domain controller, and used the server as a pivot point to access other systems.

3. The attacker accessed the file share server SYSTEMC and harvested data. The attacker transferred data from SYSTEMC to an external attacker-controlled server.

For systems identified to be part of the critical attack path, Mandiant consultants prefer analysis with EnCase® Forensic software. This helps ensure that Mandiant has a complete picture of what happened on that system. Some of the common activities Mandiant consultants use EnCase® Forensic to perform are:

· Recover previously deleted files and folders

· Run keyword searches against all files for suspicious strings

· Perform timeline analysis around known periods of malicious activity

· Identify Windows backup copies of malware

· Carve deleted logs from unallocated space that show additional evidence of attacker activity

· Identify evidence of lateral movement

Real World Example: Mandiant network monitoring identified a workstation that communicated with a bad domain, e.g. “”. Mandiant received a forensic image of the system and used EnCase® to perform a keyword search for “”. The keyword search returned a hit in unallocated space. Mandiant consultants carved around the search hit to extract a deleted malware configuration file. This finding was critical to understanding the cause of the communication. Timeline analysis around a timestamp in the configuration file revealed output from a credential harvesting tool. Mandiant then carved Windows event logs from unallocated space and identified Windows service starts/stops for the Windows Credential Editor (WCE) password dumping utility. In this case, the majority of evidence was located in unallocated space – something that live response analysis does not have visibility into.
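The keyword-search-then-carve step above, as an added example that is not Mandiant's or EnCase's code. It scans a raw image for a keyword, reports whether each hit lies in an allocated or an unallocated cluster, and carves the run of printable text around a hit so a deleted configuration file comes out whole. The post does not name the domain, so a placeholder is used; the image, the cluster size and the allocated-cluster map are all constructed for the demonstration (on a real image the allocation map would come from the file system's bitmap).

```python
# Added example (not Mandiant's code): keyword search across a raw image with
# allocated/unallocated classification, plus carving the text around a hit.
import string

CLUSTER = 4096                                  # assumed cluster size for the sample image
PRINTABLE = set(bytes(string.printable, "ascii"))
KEYWORD = b"malicious-domain.example"           # placeholder; the post elides the real domain


def search_keyword(image, keyword, allocated_clusters):
    """Every offset of keyword in image, tagged with the space it sits in.

    Live response only sees allocated data; hits tagged 'unallocated' are the
    ones that forensic analysis alone can reach.
    """
    hits, start = [], 0
    while True:
        off = image.find(keyword, start)
        if off < 0:
            return hits
        cluster = off // CLUSTER
        hits.append({"offset": off, "cluster": cluster,
                     "space": "allocated" if cluster in allocated_clusters else "unallocated"})
        start = off + 1


def carve_printable_run(image, off, max_len=4096):
    """Expand left and right from a hit while the bytes stay printable ASCII.

    This recovers a small text artifact (a config file, a log fragment) bounded
    by non-text bytes, without needing a file system entry for it.
    """
    lo = off
    while lo > 0 and image[lo - 1] in PRINTABLE and off - lo < max_len:
        lo -= 1
    hi = off
    while hi < len(image) and image[hi] in PRINTABLE and hi - off < max_len:
        hi += 1
    return image[lo:hi]


# Constructed artifacts embedded in the sample image.
SAMPLE_LOG = b"2013-03-05 10:41:02 app.log: connect " + KEYWORD + b":443 ok\r\n"
SAMPLE_CONFIG = b"[cnc]\r\nhost=" + KEYWORD + b"\r\nport=443\r\nsleep=300\r\n"
ALLOCATED = {0, 1}                              # constructed allocation map: clusters 0 and 1 in use


def build_sample_image():
    """Four-cluster image: a log line in allocated cluster 0, a deleted config in cluster 3."""
    img = bytearray(CLUSTER * 4)
    img[100:100 + len(SAMPLE_LOG)] = SAMPLE_LOG
    cfg_off = 3 * CLUSTER + 700
    img[cfg_off:cfg_off + len(SAMPLE_CONFIG)] = SAMPLE_CONFIG
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for hit in search_keyword(image, KEYWORD, ALLOCATED):
        print(hit["offset"], hit["space"])
        print(carve_printable_run(image, hit["offset"]).decode("ascii"))
```

The two hits illustrate the post's closing point: the log line in cluster 0 could have been found on the live system, but the configuration file in cluster 3 has no file system entry and only shows up when the whole image is searched.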

One Tool Does Not Fit All

When Mandiant needs to dive deep into analysis, we rely on traditional forensics. MIR and EnCase® are just two tools on our IR belt. An effective investigation leverages the best tool for each situation. Relying on just one will ultimately affect the quality and speed of your investigation.