As an incident response analyst, John Moran kept on running into challenges finding the right combination of tools to get the forensic information he needed.
To solve this challenge, Moran, who now works as a senior product manager at DFLabs, wrote his own tool called No-Script Automation Tool (NAT), which he will demonstrate on Aug. 8 at the Black Hat USA conference in Las Vegas. Prior to working at DFLabs, Moran was a computer forensic analyst for the Maine State Police Computer Crimes Unit and computer forensics task force officer for the U.S. Department of Homeland Security.
“I’m going to talk a little bit about live forensics as a whole and the do’s and don’ts for forensic analysis,” Moran told eWEEK. “But really the whole purpose of the talk is to show the tool that basically came out of my experiences working in incident response.”
Part of an incident responder’s job is to perform a forensic analysis of compromised devices to understand how they were exploited. Moran said he often had to use run 30 or more tools to get the information he needed. Getting each tool to run and then export all the information in a repeatable manner is time consuming. In addition, there is often additional complexity in figuring out the right configuration options for different tools.
“I wanted to build a tool that would be a one-click thing that would enable incident responders to run the right tools and it would just work,” Moran said. “This tool also allows responders to verify the tools they are running, so it has a known good list of accepted, authentic tools.”
The tool’s No-Script Automation Tool name bears a similarity to the popular No-Script, a JavaScript blocking tool for web browsers. Moran said he doesn’t expect there to be any confusion, since his tool is not about blocking scripts, but rather is about running live forensic tools without the need for individual scripts.
NAT is a free tool that Moran said he built to make his own life easier and he is hopeful others will find it useful as well. It will become generally available at the time of Moran’s Black Hat talk, which is scheduled for 2:30 p.m. PDT at the Black Hat Arsenal tools area on Aug. 8.
The tools that Moran has included in NAT are intended to help incident responders perform live forensics on compromised devices. The old way of doing forensics was to take a hard drive out of a system to a lab and then perform analysis, according to Moran.
Modern attacks often involve in-memory exploits and code, which are volatile and will not persist once a system is shut down and a hard drive is removed. As such, Moran said it is important to preserve the running state of a system, such that it can be examined before the evidence disappears. Live forensics tools allow incident responders to gather the volatile information without the need to boot into another operating system or remove hardware.
“You actually want to run trusted tools in a known repeatable way from the operating system itself, so you can get those artifacts from memory,” Moran said.
Tools
NAT supports a long list of tools, some of which are open-source and others Moran said are just freeware. Among the tools are AV, disk imaging, file system, memory, network, process and operating system tools.
While the NAT project ships with a set of suggested tools, Moran said users can choose to use any tool they want, even if it’s not included in NAT. He added that the goal of NAT is to make it easier for users to run tools in a repeatable, orchestrated way and then generate output that can be used in forensic investigations.
NAT is intended to run as a USB drive that a user plugs into a system. Moran explained that all the data from the tools that are run is saved onto the USB drive, which can then be removed and consumed in another system for correlation and analysis.
“Incident responders want to try to avoid using tools that are installed on the operating system because if you’re concerned the operating system or the computer itself might be compromised, there is a good potential that some of those files were compromised as well,” he said. “That’s the idea with having a live response USB drive, letting you run a set of known tools that you can execute all at once in a secure way and then making sure that everything is stored back on that same USB drive.”
NAT is not intended to be an analysis tool. Rather, it is an acquisition and data recovery tool, Moran said. As such, there is no dashboard within NAT that aggregates all the collected data. Instead, data is simply written to the USB drive for further analysis by other tools.
Moran’s day job is at DFLabs, which builds and develops commercial products including the InMan Security Orchestration, Automation and Response (SOAR) platform, which was updated to version 4.4 on Aug. 2.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
