Introduction

Often Incident Response Analysts struggle to extract forensic artifacts from specific systems during an incident investigation. Sometimes the target systems have restricted access to the Internet, so it's impossible to send data over protocols like SSH or SFTP. In other cases, the output of the tools used to collect the evidence is very large, so it becomes slow to upload this data to a common file storage solution like OneDrive or Box. The analysts could also perform faster investigations if they can surgically extract only specific artifacts from the compromised device instead of capturing hundreds of other artifacts that are not relevant or full disk images.

These challenges motivated us to develop a method for the extraction of specific forensic artifacts from Windows systems leveraging our own tool developed for this purpose: the Falcon Uploader. This method easily extracts forensic artifacts and stores them securely in encrypted AWS S3 buckets. The IR analysts can afterward download the artifacts from S3 and perform the analysis on their own workstations. The Falcon Uploader tool is free for non-commercial purposes and can be downloaded from the link below.

https://github.com/FalconGuard/FalconUploader

Create an AWS S3 bucket

In this section, we will cover the steps to create an S3 bucket that can be used to store forensic artifacts. It is essential that the data that will be uploaded to this bucket will be encrypted by default with server-side encryption. This will protect the data at rest to ensure its confidentiality.

1. Create a new bucket

On the AWS S3 console click on the button "Create bucket"

2. Give a name to the bucket

Under the General configuration section give a name to the bucket and select the region where the bucket should be created.

3. Data encryption

In the default encryption section, enable the option "Server-side encryption" and choose your preferred type of encryption.

4. Finalize the bucket creation

Scroll to the bottom of the page and click on the "Create bucket" button.

The new bucket should be now available in the list of buckets.

Prepare the AWS service account

In order to upload data to the AWS S3 bucket created previously, we must first create a dedicated service account that can be used for this purpose. This account must be restricted to perform only specific operations on the target bucket to prevent data breach incidents in case its credentials will be accidentally leaked by a person performing the data upload on behalf of the IR analyst.

1. Add a new user in the IAM Management Console

Open the IAM Management Console in your AWS subscription, click on "Users" under Access Management and click on the button "Add users"

2. Add user details and access type

Give a name to this user and select only the access key in the access type section.

3. Set permissions

Do not select anything on this screen. We will add the permissions later. Click on "Next: Tags"

4. Add tags

Add any custom tags that you may want to use on this screen. This is optional.

Click on "Next: Review" to continue.

5. Create the user

On this screen, you can ignore the warning about the user's permission. We will add the permissions in the next step.

Click on "Create user" to continue.

6. Download the user's security credentials

Click on "Download .csv" button to download the security credentials for the new user. You will need these credentials to perform the upload of the evidence to S3. It's highly recommended to store these credentials safely in a password manager and afterward delete the .csv file from the system.

Click on "Close" to exit the screen.

The new user should be now visible under "IAM/Users"

7. Access the details of the new user account

Under "IAM/Users" click on the name of the new user created to open the account details.

8. Add permissions

Click on "Add permissions" in the Permissions tab.

9. Create a new policy

Click on "Attach existing policies directly" and afterward on the button "Create policy"

In the Create policy editor screen click on the "JSON" tab.

Delete the default JSON content and insert the JSON template below. Replace the string "<BUCKET NAME>" with the name of the bucket that was created previously.

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "ListObjectsInBucket",

"Effect": "Allow",

"Action": [

"s3:ListBucket"

],

"Resource": [

"arn:aws:s3:::<BUCKET NAME>"

]

},

{

"Sid": "AllObjectActions",

"Effect": "Allow",

"Action": "s3:*Object",

"Resource": [

"arn:aws:s3:::<BUCKET NAME>/*"

]

}

]

}

Click on "Next: tags"

10. Name your new policy

Create a name for your new policy and click on the "Create policy" button to save it.

11. Attach the new policy to the service account created previously

Repeat steps 7 and 8 to access the account details of the newly created user. Filter the existing policies to find the custom policy created in the previous step. Select the checkbox next to the policy name and click on "Next: Review".

Click on "Add permissions" on the next screen.

The new policy should be visible now on the user summary page under the "Permissions policies" tab.

Use the Falcon Uploader tool

Once the AWS service account and the bucket have been created, then the Falcon Uploader tool can be used for the acquisition of the forensic artifacts needed for the incident investigation. The tool can be downloaded from its GitHub repository below:

https://github.com/FalconGuard/FalconUploader

The tool has 32 and 64 bit versions. Choose the correct version for your target systems. The following parameters are required for the execution of the tool:

Source Directory: It's the Windows directory that contains the forensic artifacts that need to be acquired - e.g. C:\Windows\Prefetch

Collection Name: The identifier (tag) of the collection that will be performed - e.g. Prefetch

File Name Pattern: A string pattern that matches the files that are the target of the acquisition - e.g. *.pf

Bucket Name: This is the name of the AWS S3 bucket that was created for the acquisition

AWS Key ID: This is the key ID from the security credentials of the AWS service account that will be used for the acquisition

AWS Secret Access Key: This is the secret key from the security credentials of the AWS service account that will be used for the acquisition

Copy the Falcon Uploader tool to the target system. Then open a command prompt and execute the tool with the command line below:

C:\> falcon_uploader.exe -d <SOURCE DIRECTORY> -c <COLLECTION NAME> -p <FILE NAME PATTERN> -b <BUCKET NAME> -k <AWS KEY ID> -s <AWS SECRET ACCESS KEY>

Note: This software was written in Python and compiled as a Windows executable. Some Antivirus products could flag Python executables as malicious and block their execution. If you have issues running this tool, then try to create an exclusion for it in your Antivirus console.

The tool will print its progress to the console.

After the tool has finished all the operations we can verify that the files have been uploaded to S3 correctly. The tool will organize the evidence with the following folder structure: "Hostname/Collection Name/Artifacts"

The tool also uploads all the SHA1 file hashes calculated for each original artifact on the target system to the collection folder.

After the artifacts have been successfully uploaded to S3, they can be downloaded to the forensic workstation of the IR analyst with a tool like Cyberduck.

Final thoughts

The combination of a tool like Falcon Uploader and AWS S3 buckets can greatly improve the speed of IR investigations and reduce the time to respond to cyber threats. Unfortunately, this is sometimes not enough, so don't hesitate to contact us through our web contact form or write us directly at sales@falconguard.cz if you need further help with complex investigations involving hundreds, or thousands of devices. We have the tools and resources to investigate, hunt for threats, and respond at any scale.