DFIR for good

By

December is typically the time of year we think of donating to charity. There are many ways we can help others, including with DFIR. The following is one of such tales authored by Assen Tasheff and copied with permission.

Once upon a time

Once upon a time there was a humanitarian aid organization. They had a limited budget to spend on commercial software therefore Linux was their operating system of choice. For DFIR they relied on a custom toolset that leveraged the Sleuth Kit (TSK) [1] in an EDR (live-response) solution. All was well.


The EDR solution functioned flawlessly for years until the day came that their hardware needed to be upgraded. This hardware upgrade also forced the organization to upgrade their version of Linux. This is where the organization was confronted with (Linux) Logical Volume Manager or LVM. As a result their custom developed EDR solution stopped working. Although the organization could now enjoy faster hardware, they were left without a functioning DFIR solution, essentially affecting millions of people and in a precarious life situation.


Stress levels rose exponentially. Lack of financial resources prevented them from redeveloping the EDR. Updating TSK with LVM support was an alternative possibility but could they find the right people to help?


After a long and perilous journey, talking to numerous freelancers, our humanitarian aid organization stumbled upon libvslvm [2], which offered them the format support they needed.


Since the need of the organization was dire, they reached directly out to the author of libvslvm, Joachim Metz, with a request to see if LVM support could be added to the Sleuth Kit (TSK). After a quest to find a spot on a busy schedule a representative of the organization was able to meet and explain their situation.


Seeing the situation was dire, there was no moment of hesitation to help. Joachim took on the quest and equipped his development environment of choice. In less than a week, there was a fork of TSK that was able to read a LVM created on top of a raw block device. The IT team assisting the organization tested the enhanced version and determined that they needed LVM within a GPT partition as well, which was added shortly thereafter. The organization again could ward off cyber threats.


It was not time to celebrate yet, with every new version of TSK the changes would have to be reapplied. Ideally the newly added LVM functionality in the fork would be integrated back into the main TSK project ensuring future updates. So in parallel a representative of the organization and Joachim reached out to Brian Carrier, one of the maintainers of TSK, to start this conversation.


After several weeks of negotiation Brian agreed to merge the changes and asked Mark McKinnon to help out evaluate the changes and author build instructions. The changes were merged and are now part of TSK and all is well again for the organization and the people they are helping.

Takeaways

So what is the morale of this story?


The role of humanitarian aid organizations nowadays is of huge importance for today's challenges. People struggling for access to basic supplies like food, water, electricity and medical supplies are becoming more and more frequent. These organizations have the ability to ease the burden of people who are unable to access these basic goods, as well as give them a sense of safety and security.


Like any other organization, the humanitarian aid ones rely heavily on IT infrastructure for creating, working with and storing information. A good part of this information is sensitive, such as Personal Identifiable Information (PII), investor data and names of volunteers. Therefore, security of information that is stored and handled in their servers should be taken very seriously.


DFIR plays an important role in humanitarian aid organizations as well. It provides safety and security in the digital space and is one of the needed practices to ensure the confidentiality, integrity and availability of data. Humanitarian aid organizations have to deal with a wide range of threats ranging from being targeted by nation state actors and ransomware.


The landscape of DFIR solutions today is rich in choices - the majority of them as commercial offerings and a smaller part as Free and Open Source (FOSS) tooling. Since humanitarian aid organizations are almost always lacking enough budget for commercial solutions, they significantly rely on volunteers and FOSS tooling.


One of such FOSS toolsets for DFIR is the Sleuth Kit (or TSK), initially released more than 20 years ago by Brian Carrier, with the mission "to create the leading open source file and volume system forensic analysis tools that run on all major platforms and allow access to common data types in methods that support standard analysis techniques".


As any other FOSS, TSK depends on available time and resources of its developers and contributors. In practice this can mean that FOSS DFIR tooling falls behind on supporting new formats. An example of this is adding that of LVM support in the previous story.


People like Brian Carrier, Joachim Metz and Mark McKinnon realize in practice the opportunity for DFIR in the form of FOSS to do good for humanity. But so can you, for example humanitarian aid organizations need volunteers to do DFIR and DFIR FOSS tooling needs volunteers to help with maintenance, testing and documentation. If you’re interested in discussing DFIR for good related topics, reach out on the Open Source DFIR Slack community (#dfir-for-good).


“Great opportunities to help others seldom come, but small ones surround us every day.” - Sally Koch

Comments

Post a Comment

Popular posts from this blog

Parsing the $MFT NTFS metadata file

By
Background Numerous articles have been written about parsing the $MFT NTFS metadata file before. Some of these explain the technique itself [ 1 ] and others mostly focus on how to use tools. Rarely do articles mention the pros and cons of the technique from a digital forensics perspective [ 2 ].  What is $MFT parsing?  For readers not familiar with the NTFS file system, MFT stands for Master File Table. This table is stored in a file system metadata file, meaning that as far as the file system is concerned it is a file, however that the file contains file system metadata not “regular” content. The name of this file is “$MFT”.  The MFT consists of a sequence of (predetermined) fixed-size entries (or MFT entries). These entries are typically 1024 bytes in size, however the size is defined in the NTFS volume header and in a “regular” MFT entry itself.  The first 4-bytes of a “regular” MFT-entry (or record) starts with the signature “FILE”. The MFT entry can also be filled wit
Read more

Incident Response in the Cloud

By
Many organizations have begun moving a majority of their services towards the cloud in recent years. As a result, attackers have shifted their focus towards the cloud. This has resulted in new techniques and methods specifically designed to compromise cloud infrastructure, like the recent SALTSTACK vulnerability that was widely exploited [ 1 ]. Therefore it is critical for these organizations to have an incident response team that understands the new risks attached to cloud and how cloud can make incident response easier or harder.  In this blog post we will walk you through each phase you may encounter in traditional incident response and highlight the differences when adopting cloud computing. It is aimed towards both those who are new to incident response and cloud computing. We’ve included insights that will benefit organizations taking that step towards cloud who want to ensure they are prepared to respond efficiently to cloud incidents.  Traditional Incident Response Before jump
Read more

Container Forensics with Docker Explorer

By Anonymous
  Introduction As previous blog posts on cloud forensics have noted, applications are increasingly being deployed using container orchestration frameworks such as Kubernetes, especially in cloud environments.  Similar to traditional deployments on physical servers or virtual machines (VMs), when a containerised application has a security issue it can lead to a compromise of the underlying compute architecture. In the case of container deployments this means a compromise of the container itself, the container host, or even a wider cluster compromise via abuse of orchestration tools. Often digital forensics is required to establish what went wrong and remediate any issues. This article will provide an introduction to container forensics with Docker Explorer by working through a scenario involving a compromised container running within a Kubernetes cluster. Although Kubernetes is briefly mentioned, this article will focus on analysis of an individual container rather than the wider clust
Read more