Use PowerForensics for Ransomware IR

In this post we will talk about the experience, which got Greg Carson in the investigation. He looked at; Ransomware, live incident response using PowerForensics and USN Journal.

Customer ABC requested assistance in the investigation of cases of extortion and said that the file extensions have changed, and more could not open documents. They also received a note demanding payment.

 
However there are two primary complications (both of which may be readily encountered in the real world).

 
1. The users browser history is gone (either wiped by malware or by the user themselves – they may have been browsing inappropriate content and are concerned about the IT staff identifying this).We aren’t concerned about recovering this data, we want to look for an alternate method to investigate the infection.

 
2. The company does not retain centralized logs, nor do they have an adequate local firewall log retention policy. There are no web browsing/firewall logs to obtain. This is of course, a finding in and of itself, but again, our focus here is working around these limitations.

 
It is important to have different options when conducting forensics and digital incident response. For this scenario, we will primarily use a single tool to perform real-time forensics on a compromised system, PowerForensics (from DFIR guru Jared Atkinson). This is a very powerful structure of forensic – medical examination, consisting of PowerShell (version 2 and above) scenario, which we can use for common tasks DFIR.

 
There are many fantastic modules that are built Jared, but, in particular, the author used the command “Get-ForensicUsnJrnl”, since you can pass its way through a switch to VolumeName USN artifacts to extract a certain amount. Use Get-Help module for use syntax for each cmdlet (Get-Help Get-ForensicUsnJrnl).

 
NTFS is a proprietary Microsoft file system, which means it is responsible for tracking and managing files on the disk.
USN Journal is a feature of NTFS, which maintains a record of changes made to a given volume. Each volume of the journal is the journal USN. USN Journal is a meta file system, and can not be considered in the regular directory listing. In most systems, it is included in Windows by default, uses it for a variety of basic system operations (such as the File Replication Service). When NTFS objects are added, modified or deleted, the record is written to the USN journal to an appropriate volume. This log does not contain sufficient information to “reverse” changes, it’s just a statement of activities that includes the type of change, the file object is affected.

 
The main thing to remember is that when you are dealing with USN journal, you’ll have to deal with hundreds of thousands, if not millions of records. In this case, we are dealing with a ransomware infection that usually leaves a ransom note on the desktop.
Step by Greg Carson’s comments can be read in his post. I would like to cover more specifically in this post. It really is only one component of this type of research. There are a number of other artifacts and avenues to make broader conclusions about this case. The main thing was to demonstrate some of the thinking process in solving a fairly common problem with some creative solutions and to demonstrate the importance of this quality in DFIR work. If you have any comments or additions, you can comment.

You can find more info here.