4. Adding a Host

Cyber Triage supports a variety of ways of getting host data into it. Some scenarios will involve using the Cyber Triage Collector tool to extract artifacts from a live system. Others involve importing an already collected data set, such as an E01 image.

The basic process is:

  • Optionally, customize what files get collected. This is not typical, but it is an option that must be done before the collection starts. See Customize File Collection.

  • Optionally, update any threat intelligence data, such as Yara (Configure Yara Signatures) and Good/Bad Lists (Configure Bad and Good Lists). These are applied as soon as data starts coming in.

  • Choose the method for adding data. The methods are listed out below in detail.

  • Choose what Malware Analysis settings you want to use on the data as it comes in.

4.1. Add Host Types

To add data from a host, press Add New Host from the Incident Dashboard and you’ll be presented with this screen, which gives you several options:

[Figure: Add New Host Panel]

There are many ways to get data into Cyber Triage, but they can be put into three categories. Cyber Triage has its own collection tool called the Collector, which will be discussed later.

  • Launch the Cyber Triage Collector over the network:
    • Network - PsExec: Cyber Triage® will push the Collector to a remote host over the network using PsExec. Collected data is sent directly back to Cyber Triage®. See Network - PsExec for details. This is not available in the Lite version.

    • EDR/PowerShell/WMI: The Collector can be pushed to computers using an EDR or other IT infrastructure. See Deploy via EDR, PowerShell, WMI, etc. for details.

  • Manually launch the Collector on a live host using an interactive login:
    • Cyber Triage File: The Collector is manually run from a network or USB drive on the remote host. Data is saved to the USB drive, network share, or S3 bucket and then manually imported into Cyber Triage®. This is useful when the host has been unplugged from the network or for consultants who have clients perform the acquisition. See Cyber Triage File for details.

    • Network - Manual: The Collector is manually run from a network or USB drive on the remote host (like Cyber Triage File), but the data is sent over the network instead of being saved to the USB drive. See Network - Manual for details.

  • Import data from another acquisition method:
    • Disk Image: An existing raw, E01, or virtual disk image is analyzed by the Collector. See Disk Image for details.

    • Memory Image: Volatility v2 is run on a memory image that was previously acquired (using your own tools - Cyber Triage® does not do memory acquisition). See Memory Image for details.

    • KAPE: The output of the third-party KAPE tool is analyzed by the Cyber Triage Collector. See KAPE Outputs for more information.

    • Logical Files: A folder with a set of files is analyzed by the Collector. Hives and event logs are parsed if they are in the correct relative path. See Logical Files for more information.

    • Local Disk: A locally mounted drive (such as G:) is analyzed by the Collector. This is most often used when a disk image mounting tool is used, which could be required if the image was encrypted. See Local Disk for more information.

The following sections provide more details of each method.

4.2. Queueing Up Data

If you have a Standard Pro or Team version of Cyber Triage, then you can add more than one host at a time. Cyber Triage has a scheduler that will process hosts as resources become available.

You can queue up hosts in two ways:

  1. Many of the “Add Host” UIs will allow you to add multiple files or hosts in a single step. The set of files will get added to the scheduler.

  2. When you add a host and others are already being analyzed, the new host will get added to the scheduler.

Note

You cannot add a “Local Disk” to the queue because there is the risk that the image is unmounted or the removable media is unplugged.

At any point, you can see the status of the queue by pressing the “View Queue and Recent Hosts” dialog from the opening window.

[Figure: Incident Dashboard - Queued Data]

4.3. Cyber Triage Collector

Cyber Triage has its own collection tool named the Collector and this section provides some of the high-level basics:

  • It’s a single file, command line executable.

  • Runs on Windows XP SP3 and above

  • Has no dependencies, such as .NET

  • Can write results to a local JSON file, over the network to Cyber Triage, or to an S3 bucket.

  • Uses The Sleuth Kit to parse the file system so that it can bypass rootkits and access locked files.

  • Is “Smart” and parses artifacts on the live system so that it can resolve additional files, such as collecting the EXE files associated with a startup item.

The Collector is used in nearly all of the below methods. Sometimes you will directly launch it and other times it is run behind the scenes.

4.4. Network - PsExec

With Network - PsExec (previously called ‘Live Automatic’), Cyber Triage® will push the Collector to a live system using PsExec and it will send its results back to Cyber Triage® over the network.

This feature is not available in the Lite version.

To do this, you’ll need the following on the remote Windows system:

  • File and network sharing enabled

  • Administrator privileges

Refer to Network - PsExec Target: Listening Ports (Standard and Team) for details on network requirements and Configuring for Network - PsExec Collections for details on configuring the target systems.

4.4.1. Adding a Single Live Host

To perform the collection on a single host, select the Network - PsExec icon. You will be presented with a panel to enter:

  • Host name of computer to collect from

  • User name, domain, and password for an account on the remote system that has administrator privileges

If you did not configure PsExec as described in Configure PsExec, then you will be prompted to do so.

[Figure: Single Network - PsExec Options]

After pressing Continue, you will be prompted to choose what data types to collect and what malware scanner settings to use. Refer to Collection and Analysis Settings for details on those panels.

If this is your first time running the program, you may also be prompted by Windows or a security program to allow Cyber Triage® to open a network port. You will need to allow this to happen so that the Collector can send data to Cyber Triage® on TCP port 443.

See Configuring for Network - PsExec Collections if the administrator account on the remote system is a local account and you are having problems.

After the collection has started, you will be able to see the results. Proceed to Analyzing The Host Data for an overview of the analysis techniques.

4.4.2. Adding Multiple Live Hosts

If you have a Team deployment of Cyber Triage®, you can submit multiple host names to collect from. This allows you to enter a set of hosts, have basic data collected from them, and then you can prioritize what you review. To do this, use the Add Multiple button when entering host details.

[Figure: Multiple Network - PsExec]

You can then enter a list of host names.

[Figure: Add Multiple Host Names]

Cyber Triage® will then validate the credentials with those host names and then queue them up. You can see progress from either the Incident Dashboard (which is where Cyber Triage® will redirect you to) or by choosing the All Hosts button from the main panel.

[Figure: All Hosts Button on Opening Panel]

4.5. Cyber Triage File

The Cyber Triage File (previously called ‘Live File’) approach saves the collected data from the live host to a file (typically on a USB drive, or uploaded to an S3 bucket). That file is then manually imported into Cyber Triage®.

The first thing you’ll need to do is get access to the Cyber Triage® Collector. Follow the instructions in Extracting the Collector for Live Collections to do this.

4.5.1. Collecting From The System

To perform a collection, perform the following steps on the remote computer:

  1. Insert the USB device into the target computer or make the Collector available on a network share.

  2. Decide if you want to use the graphical interface or command line interface. The graphical interface will ultimately call the command line interface tool with arguments based on your UI selections.

  3. To use the graphical interface:
    1. Double click on the CyberTriageGUI.exe program.

    2. Confirm that the data is going to the correct location (path, S3 bucket, etc.)

    3. Add an optional password if you want to encrypt the output. NOTE there is no recovery mechanism if you forget it.

    4. Choose the data types you want to collect. See Data Collection Types for details.

    5. Choose Start.

  4. To use the command line interface:
    1. Open a window that shows the CyberTriageCollector.exe executable. Right-click the CyberTriageCollector.exe file and select Run as Administrator. This will start collection of the host.

    2. Alternatively, you can launch a command prompt with admin privileges and run the CyberTriageCollector.exe program with no arguments.
      If you want to customize what data types are collected, then there are arguments you can give. Run with --help to get the list.

  5. When the Collector has finished its collection, there will be a directory called CyberTriage_<timestamp> on the USB device, network share, or S3 bucket.

The next step is to import the collected data into Cyber Triage®. If you have Standard Pro or Team, then you can add multiple files at the same time.

Warning

It is important to have AutoRun disabled on the computer running Cyber Triage® so that it does not get infected by malware that spreads by USB devices.

4.5.2. Adding a Single Host File

Use the following steps if you have a single file to add.

  1. From the Incident Dashboard, choose Add New Host and then choose the Cyber Triage File box.

  2. Enter a display name for the remote host (it can be a host name or more descriptive).

  3. In the file selector, navigate to the folder that was created for the collection on the USB drive or downloaded S3 bucket.
    Choose the JSON file in that folder. This will import the data into Cyber Triage®.

[Figure: Cyber Triage File]

  4. You will then be prompted to configure malware scanning settings, see Malware Analysis Settings.

After collection has started, proceed to Analyzing The Host Data for an overview of the analysis techniques.

4.5.3. Adding Multiple Host Files

You can add multiple files in one step if you have Team or Standard Pro. The multiple files must be either:

  • In the same folder. This is the default behavior of the Collector, which will save files into a single ‘CyberTriageOutput’ folder.

  • In a subfolder of the same folder. This is the behavior of previous versions of the Collector.

As an example of the subfolders, you could have two JSONs at the following paths:

  • C:\incident1\host1\file.JSON.gz

  • C:\incident1\host2\file.JSON.gz

You can point Cyber Triage at the ‘C:\incident1’ folder and it will go down into the ‘host1’ and ‘host2’ folders to find JSON files in there.

To specify a folder of files to add, use the following steps:

  1. From the Incident Dashboard, choose Add New Host and then choose the Cyber Triage File box.

  2. Enter a host name for the remote host.

  3. Select Browse next to Multiple Files and select the folder that contains your JSONs.

Once you select the folder, the number of files found will be listed under the source folder path, like so:

  4. Press Continue on the bottom right and the files will begin to process.

  5. You will then be prompted to configure malware scanning settings, see Malware Analysis Settings.

  6. Return to the Incident Summary Panel to show the status and open the ones that have been processed.


Note that there are two steps to this scheduling process. The first is for each file to get added to the “ingest scheduler” and then it needs to be fully processed.

The hosts will be added with a display name that equals the file name.

4.6. Importing from S3

Some users use S3 buckets as a way to get data from remote sites. To do this:

  • Extract the Collector with S3 configured (see Extracting the Collector for Live Collections).

  • On the target system, launch CyberTriageGUI.exe and choose S3 Cloud Bucket as the destination (it should be the default if you configured the S3 destination).

  • Pick an optional encryption password.

After the collection has locally saved the data, it will then perform an upload to S3.

To get data into Cyber Triage® from S3, you need to manually download it to a local file and then add it using Cyber Triage File using the above sections.

4.7. Network - Manual

Network - Manual (previously called ‘Live Manual’) is for cases when you cannot automatically push the Collector to the remote system. In this approach, you run the Collector from the remote system and it sends the results over the network to Cyber Triage®.

As with Network - PsExec, the Collector will need to be able to communicate with the Cyber Triage® system over TCP port 443.

If you haven’t already done so, extract the Collector to a USB drive using the steps outlined in Extracting the Collector for Live Collections.

To perform the collection, you will need to interact with both Cyber Triage® and the remote system.

4.7.1. Prepare Cyber Triage For the Data

In Cyber Triage®:

  1. Choose the Network - Manual box from the Add New Host area.

  2. You will be prompted to enter information about the host being collected from. The display name can be a host name or more descriptive.

[Figure: Network - Manual]

  3. If this is the first time that you are running Cyber Triage®, you may be prompted by Windows Firewall or another security application to allow Cyber Triage® to accept connections. You will need to do this to allow data to be imported into Cyber Triage®.

  4. Cyber Triage® will tell you what settings to use on the remote system.

[Figure: Network - Manual]

  5. You will then be prompted to configure malware scanning settings, see Malware Analysis Settings.

At this point, Cyber Triage is waiting for an incoming connection.

4.7.2. Start Collection on Remote Host

Next, perform the following on the remote system.

  1. Insert the USB device with the Collector, or ensure that the Collector is available via a network share. See Extracting the Collector for Live Collections for details.

  2. Decide whether you are going to use the graphical interface or the command line interface.

  3. To use the graphical interface:
    1. Open the USB drive in file explorer.

    2. Double click on the CyberTriageGUI.exe program.

    3. Choose Remote Server as the Destination and enter the host name of the computer running Cyber Triage®.

    4. Press Start after configuring the other collection options.

    [Figure: Collector]

  4. To use the command line interface:
    1. Open a command prompt with Administrator privileges and change directory to the Collector folder.

    2. Type the command that was given by Cyber Triage®. You can get the certificate hash from the Certificate Info tab on the options panel. Something like:
      CyberTriageCollector.exe --server host1 --cert_hash e21be6eb --sessionid 1234567890
      
    3. You should see the Collector start to produce output:
      [Figure: Command Output]

After collection has started, proceed to Analyzing The Host Data for an overview of the analysis techniques.

4.8. Disk Image

Disk image-based analysis is useful if a full disk image has already been performed of the system.

Supported disk image formats:

  • Raw Single (*.img, *.dd, *.raw, *.bin)

  • Raw Split (*.001, *.aa)

  • EnCase (*.e01)

  • Virtual Machine Disk (*.vmdk)

  • Virtual Hard Disk (*.vhd)

To collect data from a disk image:

  1. Choose the Disk Image button from the Add New Host area.

  2. Browse to your raw or E01 file.

  3. Enter a display name for the host (it can be a host name or more descriptive).

  4. You will need to configure what data to collect and malware settings. Refer to Collection and Analysis Settings.

After collection has started, proceed to Analyzing The Host Data for an overview of the analysis techniques.

There are some special considerations of disk images:

  • Not all files will be accessible after importing the disk image; only the files that the Collector was interested in are. You can use the Autopsy integration to see all files. See Autopsy Integration.

  • Some files will be extracted from the disk image into the temp folder in your Data Directory (see Changing Where Data is Stored). This could cause local antivirus to flag files. You should add this folder to your antivirus exclusion (good) list.

  • If you are using the Team version of Cyber Triage, then note that the client will do the parsing of the disk image and send the results to the server. The client must continue to run until the disk image has been parsed.

4.9. Memory Image

Memory image-based analysis allows you to review volatile data from a system and bypass advanced rootkits and malware. Cyber Triage® uses the open source Volatility 2 program to parse the memory images. You need to acquire the memory with your own software. Cyber Triage® will not make an image of memory.

Supported memory image formats:

  • Raw (.img, .bin, .raw, .mem)

  • Lime (.lime)

  • AFF4 (.aff4)

  • .dmp

  • .vmem

  • .hpak

  • .E01

To import a memory image:

  1. Choose the Memory Image button from the Add New Host area.

  2. Browse to your memory image file

  3. Choose the Volatility profile, if you know it. Cyber Triage® will use Volatility’s auto detection features, but sometimes they are not correct and manually picking will provide better results.

  4. Enter a display name for the host. It can be a host name or more descriptive.

  5. You will need to configure what data to collect and malware settings. Refer to Collection and Analysis Settings.

After collection has started, proceed to Analyzing The Host Data for an overview of the analysis techniques.

If you are using the Team version of Cyber Triage, then note that the client will do the parsing of the memory image and send the results to the server. The client must continue to run until the memory image has been parsed.

Note

A host created from a memory image will not have all of the data and fields that you’d see from the Cyber Triage® Collector. The interface will identify places that have incomplete data.

4.10. KAPE Outputs

KAPE is an external collection tool, the output of which can be imported into Cyber Triage®. If you use KAPE to collect data from a computer, but want to take advantage of the analytics in Cyber Triage, then you can import the KAPE .vhd or .zip file.

Note

Currently Cyber Triage imports only the KAPE .vhd and .zip file contents. It ignores any other KAPE outputs, and will not parse KAPE “Module” output.

To export data from KAPE for import into Cyber Triage®:

  1. Run KAPE with either the !BasicCollection or !SANS_Triage options selected.

  2. Use either No Container or VHD for the output.

Note

You may see warnings from KAPE, however with these options selected Cyber Triage® should have no issue reading the file.

To import KAPE data:

  1. Choose the KAPE button on the right-hand side of the Add New Host area.

  2. Enter a display name (it can be a host name or more descriptive).

  3. If your KAPE data is in a VHD file, then Browse to the .vhd file.

  4. If your KAPE data is in a ZIP file, then extract the contents to a folder and Browse to that folder. The selected folder must contain a subfolder named either ‘C’ or ‘C%3A’.

  5. Press Continue to then configure what data to collect and malware settings. Refer to Collection and Analysis Settings.


If you are using the Team version of Cyber Triage, then note that the client will do the parsing of the KAPE data and send the results to the server. The client must continue to run until the VHD or folder has been parsed.

After collection has started, proceed to Analyzing The Host Data for an overview of the analysis techniques.

You can read more about KAPE and the differences between it and our collection tool on our blog.

4.11. Logical Files

If you have a folder of files, you can import them by using the Logical Files feature. If registry hives and event logs are at the correct relative offset, then they will be parsed. For example:

  • The SAM registry hive could be locally stored at c:\cases\case1\host1\windows\system32\config\SAM.

  • You should import the c:\cases\case1\host1 folder so that the SAM file is at its usual relative offset.

All files in the imported folder will be added to the Incident.

To import logical files:

  1. Choose the Logical Files button from the Add New Host screen.

  2. Enter a display name (it can be a host name or more descriptive).

  3. Browse to the logical file directory, press Select.

  4. Press Continue to then configure what data to collect and malware settings. Refer to Collection and Analysis Settings.


The software will warn you if it cannot find a Windows subfolder within the selected folder, which may indicate that the incorrect folder was specified.

4.12. Local Disk

You can analyze a mounted drive. This is most often needed when you have a disk image that is not directly supported by Cyber Triage, typically because the disk image is encrypted with BitLocker.

Note

Admin credentials are needed for this and you will be prompted to grant those via UAC.

To import a local disk:

  1. Choose the Local Disk button from the Add New Host screen.

  2. Enter a display name (it can be a host name or more descriptive).

  3. Choose the disk from the pulldown. It will not show the C: drive or network shares.

  4. Press Continue to then configure what data to collect and malware settings. Refer to Collection and Analysis Settings.


Note that you cannot queue up a Local Disk even if you have Team or Standard Pro. So, you will need to wait until other hosts are done processing before adding in a local disk.

4.13. Deploy via EDR, PowerShell, WMI, etc.

If you have a Team deployment, you can launch the Collector via an EDR or other IT infrastructure that allows you to remotely run programs. Organizations do this if they can’t use PsExec.

There are two phases of configuration:

  1. If you will send data back over the network, you’ll need to configure the Cyber Triage server to accept connections that are not initiated by Cyber Triage. Refer to Allow Collector To Initiate Collections for details.

  2. Configure the infrastructure to copy and launch the collector.

Details for various systems (such as WMI and Powershell Remote) are given in the subsections, but here are the common elements:

  1. Extract the Collector as outlined in Extracting the Collector for Live Collections

  2. Identify what command line arguments you want to use based on what you want to collect and where you want data saved to. See Collector Arguments for the list of arguments.

Most users will send data to a waiting server and therefore you’ll ultimately need to specify at least:

  • The hostname of your server

  • The server key (from the Deployment Mode on options panel)

  • The certificate hash of the server (from Certificate Info on options panel)

Something like:

CyberTriageCollector.exe --server cybertriage.acme.com --server-key 123456 --cert_hash 3241eabd

If the server is at capacity when the collection starts, it will accept the data, but queue it up for later processing.

If the collection was successful, CyberTriageCollector will return 0 for its exit code. A non-zero value indicates an error or that it was killed by an EDR or other anti-virus program.

One challenge with most of these methods is that they can be hard to debug when they do not work. If they launch the process, but you don’t get data back, then you can debug by saving the STDERR (Standard Error) messages to a file and then looking at them. You can do this by adding “2>Errors.txt” to the end of the command and then copying the file off. For example:

CyberTriageCollector.exe --server [...] 2> C:\windows\temp\errors.txt

You can then log into the system and look at this file. This is obviously more useful while testing your environment than during a real incident.

4.13.1. Collect with EDR

We recommend that you use the Cyber Triage Deployer Powershell script (see Collector Deployer Powershell Script) to run Cyber Triage from an EDR. If that doesn’t work for you, then you simply need to copy the collector and launch it using your EDR capabilities.

4.13.2. Collect with WMI

If your environment is configured to run remote software with WMI, you can use that to copy the collector and launch it. This section assumes you read the parent section (Deploy via EDR, PowerShell, WMI, etc.) on enabling the server to listen for connections.

  1. On your “trusted” system, open a command prompt that runs as an account that has administrator access on the target machine you want to collect from.

  2. You next need to copy the collector to the target machine. One way to do that is to copy by UNC paths if file sharing is enabled on the target system, such as:

    copy CyberTriageCollector.exe "\\192.168.3.10\ADMIN$\Temp"
    
  3. Run the collector by executing the following WMI command from the command prompt. You’ll need to specify the Cyber Triage server address:

    wmic.exe /node:192.168.3.10 process call create "c:\windows\temp\CyberTriageCollector.exe --server cybertriage.acme.com --server-key 123456 --cert_hash 3241eabd"
    
  4. If it was successful, wmic will print the process ID. Though, the process could have not collected data if it could not connect to the server or if invalid arguments were given.

WMI-specific Troubleshooting Steps:

4.13.3. Collect with Powershell (PSRemote)

This section provides an example for deploying the collector using Powershell Remote. It assumes you read the parent section (Deploy via EDR, PowerShell, WMI, etc.) about the basic steps of getting the collector and what arguments to specify.

4.13.3.1. Prerequisites

  • An Administrator-level user account on the target system

  • Powershell v5 or higher

  • PS-Remoting enabled on local and target system. It is enabled by default only on Servers. See below for steps.

4.13.3.2. Collection Steps

  1. Open up PowerShell prompt on your trusted analysis system. Optionally, open it as the same user that has admin rights on the target system.

  2. Copy the Collector to the target system:

    Copy-Item -Path <Path To CyberTriageCollector.exe> -Destination C:\Windows\Temp\CybertriageCollector.exe -ToSession $(New-PSSession <target_hostname> -Cred $(Get-Credential))
    
  • Update ‘Path’ with where you extracted the Collector to.

  • Update ‘<target_hostname>’ with the target host.

  • This will prompt you for the username and password to use on the target system. You can skip the ‘-Cred’ argument if you run this Powershell prompt as the same user that has admin access on the target system.

  3. Create a remote session:

    Enter-PSSession <target_hostname> -Cred $(Get-Credential)
    
  • ‘<target_hostname>’ is the same as the copy-item command.

  • You can skip ‘-Cred’ if this shell is running as a user with admin rights on the target system.

  4. Start the copied CybertriageCollector within the remote session. If you are sending data back over to a server, the command would look like:

    Start-Process -Filepath "C:\Windows\Temp\CybertriageCollector.exe" -Wait -ArgumentList "--server cybertriage.acme.com --server-key 123456 --cert_hash 3241eabd"

  Or, if you are saving to a file on the target system, it would look like:

    Start-Process -Filepath "C:\Windows\Temp\CybertriageCollector.exe" -Wait -ArgumentList "-o c:\Windows\Temp\Cybertriage"

  • Update ‘-ArgumentList’ with any other arguments that you want to use.

  • The ‘-Wait’ argument will force Powershell to wait until the program has been completed. You can also skip this if data is being sent back and you do not need to wait.

  5. After completion, you can exit the remote session using:

    Exit-PSSession

  6. If you sent data back to the server over the network, you are done. If you saved it to a file (i.e. ‘-o’), you’ll need to copy the output back with something like:

    Copy-Item -Path "c:\Windows\Temp\*.json.gz" -Destination <local_path> -FromSession $(New-PSSession <target_hostname> -Cred $(Get-Credential))
    
  • Update ‘-Path’ with where you specified in the Start-Process command.

  • ‘<local_path>’ is a place on your system to copy the data to

  • ‘<target_hostname>’ is the same as the previous two commands.
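As an added example (not the documentation's own code, nor the Cyber Triage Deployer script), the following PowerShell function ties the PS-Remoting steps above together with the exit-code and STDERR guidance from the parent section: it stages the Collector on the target, runs it, records the exit code, captures STDERR to a file, and copies local output back when ‘-o’ is used. The host name, paths, server key and certificate hash in the usage lines are placeholders.

```powershell
# Added example: deploy the Collector over PS-Remoting and collect diagnostics.
# Assumes PS-Remoting is enabled on both systems and that the account used has
# administrator rights on the target (see Prerequisites above).

function Invoke-CollectorDeployment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TargetHost,
        [Parameter(Mandatory)] [string] $CollectorPath,   # local path to CyberTriageCollector.exe
        [string] $CollectorArgs = '',                     # e.g. "--server ... --server-key ... --cert_hash ..."
        [string] $RemoteOutputDir,                        # set for file mode: passed to the Collector as -o
        [string] $LocalOutputDir,                         # where to copy file-mode results back to
        [pscredential] $Credential                        # omit if this shell already runs as a target admin
    )

    # Same staging location the documented steps use, plus a STDERR capture file
    # (the "2> errors.txt" technique from the parent section).
    $remoteExe = 'C:\Windows\Temp\CyberTriageCollector.exe'
    $remoteErr = 'C:\Windows\Temp\CyberTriageCollector-errors.txt'

    if ($RemoteOutputDir) {
        $CollectorArgs = ("$CollectorArgs -o $RemoteOutputDir").Trim()
    }

    $sessionParams = @{ ComputerName = $TargetHost }
    if ($Credential) { $sessionParams.Credential = $Credential }
    $session = New-PSSession @sessionParams

    try {
        # Stage the Collector on the target (Copy-Item -ToSession, as in step 2).
        Copy-Item -Path $CollectorPath -Destination $remoteExe -ToSession $session

        # Run it and wait. Start-Process -PassThru gives us the exit code; STDERR is
        # redirected to a file so a silent failure can still be diagnosed afterwards.
        $result = Invoke-Command -Session $session -ArgumentList $remoteExe, $CollectorArgs, $remoteErr -ScriptBlock {
            param($exe, $argLine, $errFile)
            $startParams = @{ FilePath = $exe; RedirectStandardError = $errFile; Wait = $true; PassThru = $true }
            if ($argLine) { $startParams.ArgumentList = $argLine }
            $proc = Start-Process @startParams
            $stderr = if (Test-Path $errFile) { Get-Content $errFile -Raw } else { '' }
            [pscustomobject]@{ ExitCode = $proc.ExitCode; Stderr = $stderr }
        }

        # 0 means the collection succeeded; anything else is an error or the process
        # being killed by an EDR or anti-virus product (see the parent section).
        if ($result.ExitCode -ne 0) {
            Write-Warning ("Collector on {0} exited with code {1}; STDERR follows:`n{2}" -f
                $TargetHost, $result.ExitCode, $result.Stderr)
        }

        # File mode: pull the output directory back for import via Cyber Triage File.
        if ($RemoteOutputDir -and $LocalOutputDir) {
            Copy-Item -Path "$RemoteOutputDir\*" -Destination $LocalOutputDir -Recurse -FromSession $session
        }

        return $result
    }
    finally {
        Remove-PSSession $session
    }
}

# Usage, network mode (values are placeholders from the documented examples):
# Invoke-CollectorDeployment -TargetHost host1 -CollectorPath .\CyberTriageCollector\CyberTriageCollector.exe `
#     -CollectorArgs '--server cybertriage.acme.com --server-key 123456 --cert_hash 3241eabd' -Credential (Get-Credential)
# Usage, file mode: add -RemoteOutputDir C:\Windows\Temp\CyberTriage -LocalOutputDir C:\cases\host1
```

The STDERR file is left on the target so it can be reviewed later, as the parent section suggests; remove it once testing is done.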

4.13.3.3. Enable PS-Remoting

PS-Remoting is enabled by default on Servers, but not other Windows systems. It must be enabled on the source and target systems for the above process to work.

Microsoft has documentation to enable this.

The basic idea is to:

  • Open an Administrator PowerShell command prompt on the system to enable.

  • Type in: ‘Enable-PSRemoting -Force’

If you get an error to the effect of “WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again.”, then use ‘Enable-PSRemoting -SkipNetworkProfileCheck -Force’ instead.

4.14. Extracting the Collector for Live Collections

If you are going to use either Network - Manual or Cyber Triage File methods to create a session, you will need to first extract the Collector and supporting files from the Cyber Triage® UI.

To extract, choose the Extract Collector feature from the opening Cyber Triage® window.
Choose a folder and it will make a CyberTriageCollector folder with the command line and graphic interface programs.
This folder will typically go on either a USB drive, a network share, or emailed to someone.

[Figure: Extract Collector]

4.14.1. Configuring S3 Bucket Uploads

If the Collector is going to automatically upload data to an S3 bucket (on AWS or some other provider), then you will need to configure those settings before you extract it.

The settings will be saved to a configuration file. The intended use case is that the Cyber Triage® user will configure the S3 details and pass off the extracted folder to an end user.

You will need to pick:

  • Provider: Amazon AWS or another S3-equivalent

  • Region: If using AWS, you’ll need to pick the region your bucket is in.

  • Service URL: If using a non-AWS provider, you’ll need to specify the Service URL. It should have the region in the URL. For example: S3.us-east-2.wasabisys.com

  • Bucket: The name of the bucket to save the results to. The bucket will be created if it does not already exist. There are limits on bucket names, so please be mindful of them. For example, no spaces or capital letters.

  • Access Key ID and Key: You will need to get an access key from the provider. These will be saved unencrypted in the configuration file.

  • Session Token: An optional field if you are using temporary credentials. You can generate this via the AWS Command Line Tool:

[Figure: S3 Configuration]

After these settings are entered, you need to press Test Connection to verify they are correct.

Note

Testing with proxies does not work. So, the test may fail if your network has a proxy.

4.14.2. S3 Access Control

The extracted Collector carries the S3 credentials in a configuration file, so anyone who obtains the folder obtains the keys. We recommend:

  • Create access keys that have only write (not read) permissions for objects in the target bucket.

  • Remember that the Collector will create the bucket if it does not already exist, so the keys also need permission to create it (see the action list below).

  • Consider using temporary credentials (see above) that last only for the duration of the incident.

With this design, if the S3 credentials are compromised, the data already uploaded cannot be read with them. A write-only key can still be used to upload or overwrite objects, so enable bucket versioning (or Object Lock) if you need to guarantee that uploaded evidence is preserved.

The minimum set of actions needed by the Collector are:

  • s3:PutObject

  • s3:CreateBucket

Note that as of 3.9, the main application also uses the following actions when Test Connection checks that the supplied credentials have permissions. If your credentials lack them, the test will fail, but the Collector will still be able to upload. This will be fixed in a future version.

The application also uses:

  • s3:ListBuckets

  • s3:ListAllMyBuckets
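The two sections above (the S3 settings and the access-control recommendations) can be put together into one provisioning step. The PowerShell script below is an added example and is not part of Cyber Triage or its documentation: it creates a dedicated IAM user whose only S3 rights are the ones listed above (s3:PutObject on the objects, s3:CreateBucket on the bucket, and s3:ListAllMyBuckets, the action behind the ListBuckets call that Test Connection makes), then mints temporary credentials with aws sts get-session-token for the incident's duration. It assumes AWS CLI v2 is installed and the shell is already signed in as an IAM administrator; the bucket, user and policy names are placeholders.

```powershell
# Added example; not part of Cyber Triage or its documentation.
# Provisions a write-only IAM user for the Collector's S3 uploads and mints
# short-lived credentials to paste into the Collector's S3 settings before
# extraction. Assumes AWS CLI v2 and an already signed-in IAM administrator.
param(
    [Parameter(Mandatory)][string]$Bucket,        # placeholder, e.g. ir-2024-0042-uploads
    [string]$IamUser         = 'ct-collector-upload',        # placeholder name
    [string]$PolicyName      = 'CyberTriageCollectorUpload', # placeholder name
    [int]   $DurationSeconds = 12 * 3600                     # temporary key lifetime
)
$ErrorActionPreference = 'Stop'

# AWS bucket names: 3-63 characters, lowercase letters, digits, dots, hyphens.
if ($Bucket -notmatch '^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$') {
    throw "Bucket name '$Bucket' violates S3 naming rules (no spaces or capitals)."
}

# Runs the AWS CLI, fails loudly on a non-zero exit code, returns parsed JSON.
function Invoke-Aws {
    param([string[]]$Arguments)
    $ErrorActionPreference = 'Continue'   # let aws' stderr flow into $out instead of throwing
    $out = & aws @Arguments --output json 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "aws $($Arguments -join ' ') failed: $out" }
    if ($out.Trim()) { return $out | ConvertFrom-Json }
}

# Minimum actions the Collector needs, plus the listing action used by the
# UI's Test Connection. No s3:GetObject or s3:ListBucket, so a leaked key
# cannot read or enumerate what has already been uploaded.
$policyDocument = @"
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "CollectorPutObjects",   "Effect": "Allow",
      "Action": "s3:PutObject",       "Resource": "arn:aws:s3:::$Bucket/*" },
    { "Sid": "CollectorCreateBucket", "Effect": "Allow",
      "Action": "s3:CreateBucket",    "Resource": "arn:aws:s3:::$Bucket" },
    { "Sid": "UiTestConnection",      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets", "Resource": "*" }
  ]
}
"@
$policyFile = Join-Path $env:TEMP 'ct-collector-policy.json'
Set-Content -Path $policyFile -Value $policyDocument -Encoding ascii

# Dedicated user (create-user fails if it already exists); its long-term key
# is used only to mint the temporary one below.
Invoke-Aws -Arguments @('iam', 'create-user', '--user-name', $IamUser) | Out-Null
Invoke-Aws -Arguments @('iam', 'put-user-policy', '--user-name', $IamUser,
                        '--policy-name', $PolicyName,
                        '--policy-document', "file://$policyFile") | Out-Null
$longTerm = Invoke-Aws -Arguments @('iam', 'create-access-key', '--user-name', $IamUser)

# GetSessionToken credentials carry the calling user's permissions and expire
# on their own, so they are minted as the restricted user. The admin's own
# environment credentials, if any, are saved and restored afterwards.
$saved = @{ Id = $env:AWS_ACCESS_KEY_ID; Secret = $env:AWS_SECRET_ACCESS_KEY; Token = $env:AWS_SESSION_TOKEN }
$temp = $null
try {
    $env:AWS_ACCESS_KEY_ID     = $longTerm.AccessKey.AccessKeyId
    $env:AWS_SECRET_ACCESS_KEY = $longTerm.AccessKey.SecretAccessKey
    $env:AWS_SESSION_TOKEN     = $null
    for ($attempt = 1; $attempt -le 6 -and -not $temp; $attempt++) {
        try {
            $temp = Invoke-Aws -Arguments @('sts', 'get-session-token',
                                            '--duration-seconds', "$DurationSeconds")
        } catch {
            Start-Sleep -Seconds 5   # freshly created keys take a moment to propagate
        }
    }
} finally {
    $env:AWS_ACCESS_KEY_ID     = $saved.Id
    $env:AWS_SECRET_ACCESS_KEY = $saved.Secret
    $env:AWS_SESSION_TOKEN     = $saved.Token
}
if (-not $temp) { throw "Could not obtain temporary credentials for $IamUser" }

# These three values go into the Collector's S3 configuration before extraction.
[pscustomobject]@{
    AccessKeyId     = $temp.Credentials.AccessKeyId
    SecretAccessKey = $temp.Credentials.SecretAccessKey
    SessionToken    = $temp.Credentials.SessionToken
    Expiration      = $temp.Credentials.Expiration
}

# When the incident closes, revoke everything. Permissions are evaluated per
# request, so removing the policy also cuts off any unexpired session token:
#   aws iam delete-user-policy --user-name ct-collector-upload --policy-name CyberTriageCollectorUpload
#   aws iam delete-access-key  --user-name ct-collector-upload --access-key-id <id>
#   aws iam delete-user        --user-name ct-collector-upload
```

Run it as `.\New-CollectorUploadCreds.ps1 -Bucket ir-2024-0042-uploads` (script name assumed) and paste the three printed values into the S3 configuration dialog. Because the credentials end up unencrypted in the extracted folder, the policy deliberately grants nothing beyond what the Collector and Test Connection use, and the temporary key's lifetime is the only thing that needs to outlast the collection.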

4.15. Collection and Analysis Settings

Regardless of the method used to get data from the target system into Cyber Triage®, you will need to decide at some point about what data types to collect and how to detect malware.

4.15.1. Data Collection Types

The Add New Host wizard will show you a dialog such as this:

../../_images/import_data_types_wizard.png

Data Collection Panel

This is where you pick what types of data will be collected. The Collector has a similar interface and set of options.

Cyber Triage® groups the types based on the concepts in the Divide and Conquer DFIR Process:

Users

  • Accounts: Collects information about all users on the system and who is actively logged in.

  • Logins: Collects user login information from event logs and the registry.

  • Network Shares: Collects information about mounted network shares.

  • Programs Run: Collects information about what programs were executed by users and collects the corresponding executable file.

  • Web Artifacts: Collects Firefox, Chrome, IE and Edge databases and analyzes them for downloads, cookies, and history. Also collects downloaded files from the Download and Temp folders.

  • Data Accessed: Collects information about what files a user opened or created.

Malware

  • Startup Items: Collects the programs that are run each time the computer is started or a user logs in.

  • Triggered Tasks: Collects Scheduled Task, WMI and BITS job information and the associated executable files.

  • Processes: Collects information about running processes. Includes executable files being used by processes.

  • Network: Collects information about active network connections and open ports.

  • Network Caches: Collects DNS cache, ARP cache, and routing tables.

System Configuration

  • System Configuration: Collects information about the system, such as audit and security settings.

Full File System Scan: Scans each file on the system and collects the file content if it is suspicious. This is the most time intensive step of the collection process.

Collect hash instead of file content: This will calculate the hash values for EXE and DLL files and save those instead of the full file content. This makes the collection smaller, but also means that the file cannot be uploaded for full malware analysis.

The Collector will also make copies of various application-specific logs and configuration files, if they exist.

The default is Full Scan, which includes all of the types listed above. You can also skip the most time intensive process and choose Skip File Scan.

If time is very limited and you know what you are looking for, you can choose Custom and select only certain types.

4.15.2. Malware Analysis Settings

You will also be prompted to choose how the files will be analyzed for malware.

../../_images/2_17.jpg

Malware Analysis Options

Cyber Triage® uses its Online Malware Analysis Service to analyze files for malware. This service uses ReversingLabs, the NIST NSRL, and other sources to assign a score to each file.

You need to configure what data is uploaded. See Analyzing The Host Data for details on how these results are used.

  • Upload MD5 hashes: This will send only the MD5 hash of your files to the service. If the service knows that the file content is associated with malware, then it will identify it as such. Note that any minor change to malware will change its MD5, so a modified sample will not be flagged by this technique.

  • Upload file content: This will send the full file to the service if the SHA1 value was not found. It will be scanned and a result will be returned. The raw content will not be visible to other users, only the analysis results.

  • Mark unknown file as suspicious: If the file is not known to the service and you do not want to upload file content, you can choose to have those files marked as suspicious so that you are aware of them and can decide whether they warrant additional analysis or can be ignored.

If you use Cyber Triage® on a computer not connected to the Internet, then you have two options:

  • You can export hash values and manually submit them to the online service using a website (Advanced Topics)

  • You can use a local copy of the NIST NSRL to ignore known files (see Advanced Topics)

Because some responders are sensitive about uploading files and how the uploads could be associated with them, here are some notes about common questions:

  • When you query by hash value, no link between your account and the hash value is stored.

  • Only EXE and DLL files can be uploaded. This reduces the risk of leaking PII.

  • Uploaded files will not become publicly available.

Note

To scan files using the Recorded Future Sandbox malware scanning service after your collection is processed, see Scanning Files in the Recorded Future Sandbox. Note that this service happens after the data has been processed and has different privacy terms than the above methods.

4.16. Collector Arguments

The Collector is a command line program with various optional arguments that allow you (or other applications) to control what it collects. To see the options, supply the --help option. If you supply no arguments, the Collector will collect from the live running system using default settings:

CyberTriageCollector.exe [-i input_source] [-o output_file] [<other options>]
File Output Options:
    -o: Specify the full path and name of the output JSON file. Default is in CyberTriageOutput folder
    --encrypt_outfile password password : Encrypt the output file with a password (specify the password twice)

Network Output Options:
   --server host : Stream data back to the given Cyber Triage server hostname/IP instead of to a file
   --cert_hash hash : Hash (full or short) of the server cert. Use 'nohash' to skip verification. Req'd with --server.
   --port port : Port number to connect to the Cyber Triage server. Optional. Default is 443.
   --sessionid sessionID : Session ID to add host to. Required for Network - Manual and Network - PsExec.
   --serverkey serverkey : Key used to authenticate with the Team server. Can be found on the server options panel
   --incident name: Specify an incident name to add the host to. Use with --serverkey
   --s3_upload_config s3_config_file : Upload output file to S3 storage using supplied configuration

Collection Options:
  --fast : Skips full file system scan. Faster but less comprehensive triage
  --dtypes : Comma list of data types. Use '--dtypes list' to get list of options
  --ruleset_file ruleset_file : Path to file with rules of additional files to collect
  --request_rule_sets: Indicates that the server should be contacted to get a file collection rule set
  --skip_file_contents : Report only hashes and not content for files of interest.
  --skip_source_file_contents : Report only hashes and not content for source files (registry hives, prefetch, etc..)
  --tempdir : Path where temp files are written to

Input Options:
  -i: Specify the input. Can be a disk image, OS device, or logical folder. Default is \\.\PhysicalDrive0
  --logical_dir : Indicates that the input is the path to a logical directory
  --kape : Indicates that the image/logical dir was created by KAPE

If you want to specify the list of data types to collect, the list is below. Note that if you just want to skip the full scan, you should use --fast instead:

F:\>CyberTriageCollector.exe --dtypes list
Specify the following 2-letter codes separated by commas, to indicate the data types to collect:
    lo - Logons
    ns - Network shares
    wb - Web artifacts
    st - Startup items
    sc - Triggered tasks
    pr - Processes
    nw - Network
    nc - Network caches
    co - Config settings
    ud - User accessed data
    fs - Full file system scan

The program will return 0 if successful or non-zero if an error occurred or the program was terminated by an EDR.

4.16.1. Examples

Collect from local system and save output to a file in the default location:

F:\>CyberTriageCollector

Collect from local system, send data to server (for Network - Manual):

F:\>CyberTriageCollector --server 192.168.0.1 --sessionid 12345 --cert_hash 4a781abe

Collect from local system, save to encrypted file, and skip the full scan:

F:\>CyberTriageCollector --fast --encrypt_outfile passw0rd passw0rd

Collect from local system and collect only process information to a local file:

F:\>CyberTriageCollector --dtypes pr
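When the Collector is pushed through an EDR, WMI or a scheduled task rather than typed at a prompt, the options above are usually wrapped in a script that also checks the return code. The PowerShell wrapper below is an added example and is not part of Cyber Triage or the Collector: it builds the command line from the documented options, refuses the 'nohash' certificate setting unless explicitly allowed (with it, collected data streams to whatever answers at the server address), validates --dtypes codes against the list printed by --dtypes list, masks the encryption password in its log, and propagates the Collector's exit code so the pushing tool sees a failure or an EDR kill. The Collector path, log path, server address, session ID and certificate hash are placeholders.

```powershell
# Added example; not part of Cyber Triage or the Collector.
# Deployment wrapper for CyberTriageCollector.exe: builds the argument list,
# runs the Collector, logs the outcome and exits with the Collector's code.
param(
    [string]$CollectorPath   = 'C:\CyberTriageCollector\CyberTriageCollector.exe', # placeholder
    [string]$Server,                      # Cyber Triage server (Network - Manual)
    [string]$SessionId,                   # session ID from the Add Host panel
    [string]$CertHash,                    # full or short hash of the server certificate
    [switch]$AllowNoHash,                 # lab use only: accept --cert_hash nohash
    [string]$OutputFile,                  # file mode: explicit output JSON path
    [string]$EncryptPassword,             # file mode: encrypt the output file
    [switch]$Fast,                        # skip the full file system scan
    [string[]]$DataTypes,                 # 2-letter codes, e.g. pr,nw,st
    [string]$LogFile = "$env:ProgramData\CollectorRun.log"   # placeholder
)
$ErrorActionPreference = 'Stop'

# Codes printed by 'CyberTriageCollector.exe --dtypes list'.
$validCodes = 'lo','ns','wb','st','sc','pr','nw','nc','co','ud','fs'

function Get-CollectorArguments {
    $collectorArgs = @()
    if ($Server) {
        if (-not $SessionId) { throw '--sessionid is required with --server' }
        if (-not $CertHash)  { throw '--cert_hash is required with --server' }
        if ($CertHash -eq 'nohash' -and -not $AllowNoHash) {
            # 'nohash' disables server certificate verification, so the host's
            # data would stream to whoever answers at $Server.
            throw 'Refusing --cert_hash nohash; pass -AllowNoHash to override'
        }
        $collectorArgs += '--server', $Server, '--sessionid', $SessionId, '--cert_hash', $CertHash
    } else {
        if ($OutputFile)      { $collectorArgs += '-o', $OutputFile }
        # The Collector expects the password twice.
        if ($EncryptPassword) { $collectorArgs += '--encrypt_outfile', $EncryptPassword, $EncryptPassword }
    }
    if ($Fast) { $collectorArgs += '--fast' }
    if ($DataTypes) {
        $codes   = ($DataTypes -join ',') -split ',' | ForEach-Object { $_.Trim().ToLower() }
        $unknown = $codes | Where-Object { $_ -notin $validCodes }
        if ($unknown) { throw "Unknown data type code(s): $($unknown -join ', ')" }
        $collectorArgs += '--dtypes', ($codes -join ',')
    }
    return ,$collectorArgs   # the comma keeps a single argument from unrolling
}

if (-not (Test-Path -LiteralPath $CollectorPath)) { throw "Collector not found at $CollectorPath" }
$argList = Get-CollectorArguments

# Log the command line without the password; EDR consoles keep these logs.
$shown = $argList | ForEach-Object { if ($EncryptPassword -and $_ -eq $EncryptPassword) { '********' } else { $_ } }
"$(Get-Date -Format o) start: $CollectorPath $($shown -join ' ')" | Add-Content -Path $LogFile

& $CollectorPath @argList
$exitCode = $LASTEXITCODE

# 0 means success; anything else is an error or the Collector being killed,
# for example by an EDR that does not have it allow-listed yet.
if ($exitCode -eq 0) {
    "$(Get-Date -Format o) finished OK" | Add-Content -Path $LogFile
} else {
    "$(Get-Date -Format o) FAILED with exit code $exitCode (error, or terminated by an EDR)" | Add-Content -Path $LogFile
}

# In file mode a missing output file is a failure even if the exit code was 0.
if (-not $Server -and $OutputFile -and -not (Test-Path -LiteralPath $OutputFile)) {
    "$(Get-Date -Format o) output file $OutputFile was not written" | Add-Content -Path $LogFile
    if ($exitCode -eq 0) { $exitCode = 1 }
}
exit $exitCode
```

A Network - Manual push then looks like `powershell.exe -ExecutionPolicy Bypass -File .\Invoke-Collector.ps1 -Server 192.168.0.1 -SessionId 12345 -CertHash 4a781abe -Fast` (script name assumed), and a file-mode run that collects only processes and network data is `-OutputFile D:\ir\host1.json -EncryptPassword passw0rd -DataTypes pr,nw`. Because the script exits with the Collector's own code, the EDR or scheduler reports a terminated or failed collection instead of a silent success.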