WEBVTT

0:00:04.120000 --> 0:00:06.960000
 Introduction to Endpoint Analysis.

0:00:06.960000 --> 0:00:12.060000
 So welcome everyone to the Endpoint
 Analysis section of this course.

0:00:12.060000 --> 0:00:17.940000
 We will be getting our hands dirty with
 regards to Endpoint Analysis as

0:00:17.940000 --> 0:00:22.380000
 the title of this video suggests
 and likewise the section name.

0:00:22.380000 --> 0:00:27.340000
 So now that we have an understanding
 of what the analysis process is all

0:00:27.340000 --> 0:00:37.540000
 about and how we as incident responders
 handle or pretty much process tickets

0:00:37.540000 --> 0:00:43.900000
 or incidents in terms of the first five
 minutes or in terms of first response,

0:00:43.900000 --> 0:00:52.640000
 we can begin the deep
 analysis of endpoints.

0:00:52.640000 --> 0:00:58.940000
 And I already provided you with an intro
 to this under the guise of Endpoint

0:00:58.940000 --> 0:01:04.440000
-centric analysis when we were talking
 about deep analysis in the previous

0:01:04.440000 --> 0:01:09.420000
 section. So the idea is to introduce
 you to Endpoint Analysis formally.

0:01:09.420000 --> 0:01:13.400000
 We're then going to take a look at
 what it entails and then the types

0:01:13.400000 --> 0:01:18.200000
 of Endpoint Analysis, which is going
 to be very important because it's

0:01:18.200000 --> 0:01:22.200000
 going to lay out or it's going to give
 you an idea as to what we will

0:01:22.200000 --> 0:01:26.900000
 be covering in this course practically
 as well as technically or theoretically

0:01:26.900000 --> 0:01:37.000000
 in the context or specifically to do or
 in relation to the actual techniques

0:01:37.000000 --> 0:01:39.740000
 or the types of Endpoint Analysis
 we'll be covering.

0:01:39.740000 --> 0:01:43.420000
 So first things first, what
 is Endpoint Analysis?

0:01:43.420000 --> 0:01:49.920000
 Endpoint Analysis is the systematic examination
 of a single host, workstation,

0:01:49.920000 --> 0:01:54.600000
 laptop, server, VM, container
 or even a mobile device,

0:01:54.600000 --> 0:02:00.240000
 after an alert has indicated it might
 be involved in malicious activity.

0:02:00.240000 --> 0:02:04.780000
 So pretty much once you've validated an
 incident and as part of that validation

0:02:04.780000 --> 0:02:09.740000
 process you're able to identify this
 system, this Endpoint, whatever you

0:02:09.740000 --> 0:02:13.800000
 want to call it, which it could be
 a workstation, laptop, server, VM,

0:02:13.800000 --> 0:02:18.460000
 etc. Once you've identified that it might
 be involved in malicious activity

0:02:18.460000 --> 0:02:25.220000
 in various forms: either it could
 have malware executed on it or

0:02:25.220000 --> 0:02:27.760000
 it could be the victim of
 a brute force attack.

0:02:27.760000 --> 0:02:33.640000
 Regardless, once you've identified that
 system or that host, Endpoint

0:02:33.640000 --> 0:02:40.460000
 Analysis is where you systematically
 examine or analyze that host and

0:02:40.460000 --> 0:02:45.120000
 you may be asking why do you do this
 and we'll get to that shortly if

0:02:45.120000 --> 0:02:46.440000
 it isn't obvious already.

0:02:46.440000 --> 0:02:53.860000
 But using endpoint or host-resident evidence,
 or evidence that's on a particular

0:02:53.860000 --> 0:02:59.200000
 Endpoint such as event logs, memory, registry
 hives in the case of Windows,

0:02:59.200000 --> 0:03:04.020000
 file system artifacts, running processes
 and network sockets, you the

0:03:04.020000 --> 0:03:30.520000
 responder are able to reconstruct how
 to determine the entry or initial

0:03:30.520000 --> 0:03:35.760000
 access vector. Examples here would be
 a phishing link, RDP brute force,

0:03:35.760000 --> 0:03:37.840000
 a USB drop, etc.

0:03:37.840000 --> 0:03:42.920000
 You're also able to determine or identify
 the entry or

0:03:42.920000 --> 0:03:46.380000
 to verify execution
 and privilege escalation.

0:03:46.380000 --> 0:03:51.180000
 Think of scripts, LOLBins,
 service installs, etc.

0:03:51.180000 --> 0:03:55.260000
 You're pretty much utilizing the host
 resident evidence, which I just

0:03:55.260000 --> 0:04:01.240000
 outlined there, and then the question you're
 asking is, what can you identify

0:04:01.240000 --> 0:04:08.620000
 in terms of attacker activity using
 that host resident evidence?

0:04:08.620000 --> 0:04:14.720000
 So if we just take the most common example
 of Windows event logs, you're

0:04:14.720000 --> 0:04:19.080000
 able to identify in most cases the entry
 vector, execution and privilege

0:04:19.080000 --> 0:04:24.300000
 escalation, more importantly, persistence
 in the form of scheduled tasks,

0:04:24.300000 --> 0:04:36.180000
 run keys, WMI event subscribers, and so
 on, and also identify or determine

0:04:36.180000 --> 0:04:41.260000
 credential theft, lateral movement
 in the form of LSASS dumps, cached

0:04:41.260000 --> 0:04:45.580000
 tokens; these are just examples I'm
 giving you to set the stage, and then

0:04:45.580000 --> 0:04:51.780000
 of course local impact, so you're also
 able to determine, for that specific

0:04:51.780000 --> 0:04:56.620000
 endpoint, determine what files were
 exfiltrated, whether databases were

0:04:56.620000 --> 0:04:59.860000
 modified or whether ransomware
 was dropped and executed.

0:04:59.860000 --> 0:05:07.140000
 And then you know you perform additional
 analysis on that evidence, you

0:05:07.140000 --> 0:05:11.560000
 know, in the case of ransomware, you
 then analyze the ransomware, but

0:05:11.560000 --> 0:05:17.660000
 we talk about reconstructing how the
 attacker interacted with a specific

0:05:17.660000 --> 0:05:24.780000
 endpoint. This is generally speaking, you
 know, what you're able to determine

0:05:24.780000 --> 0:05:33.320000
 in terms of the attack activity and
 the lifecycle of the attack, so you

0:05:33.320000 --> 0:05:37.680000
 know, pretty much understanding what
 exactly the attacker did right from

0:05:37.680000 --> 0:05:40.800000
 initial access to impact, right?

0:05:40.800000 --> 0:05:46.260000
 So building on to that, you know, while
 a SIEM may tell you something

0:05:46.260000 --> 0:05:51.540000
 suspicious happened on, you know, a system
 with a hostname of Fin Workstation

0:05:51.540000 --> 0:05:57.280000
 01, endpoint analysis reveals the step
-by-step reality on that particular

0:05:57.280000 --> 0:06:06.540000
 host. And you know, that is facilitated,
 you know, through processes spawned,

0:06:06.540000 --> 0:06:09.960000
 the files that were dropped or downloaded
 on to that system, registry

0:06:09.960000 --> 0:06:14.240000
 keys that were modified in the case
 of Windows endpoints, credentials

0:06:14.240000 --> 0:06:21.180000
 that were harvested, and the evidence
 left in volatile memory or on, you

0:06:21.180000 --> 0:06:22.060000
 know, the actual disk.

0:06:22.060000 --> 0:06:27.000000
 So in short, endpoint analysis transforms
 a vague, you know, something

0:06:27.000000 --> 0:06:32.400000
 bad happened on host X into a precise
 evidence-backed narrative, allowing

0:06:32.400000 --> 0:06:36.700000
 incident responders to act surgically,
 eradicate the threat and prevent

0:06:36.700000 --> 0:06:38.640000
 it from returning, right?

0:06:38.640000 --> 0:06:41.320000
 So removing persistence as it were.

0:06:41.320000 --> 0:06:44.440000
 So what are the objectives
 of endpoint analysis?

0:06:44.440000 --> 0:06:48.860000
 You know, generally speaking to a large
 extent, you're also going to be

0:06:48.860000 --> 0:06:55.420000
 performing, you know, a form of validation
 of the incident, not that this,

0:06:55.420000 --> 0:07:00.880000
 you know, doesn't exist during first
 response, but now, you know, you

0:07:00.880000 --> 0:07:05.020000
 sort of have the opportunity to validate
 a few more things or a few more

0:07:05.020000 --> 0:07:08.940000
 aspects with regards to
 the initial incident.

0:07:08.940000 --> 0:07:15.220000
 So, you know, why this is crucial is
 because, you know, you are confirming

0:07:15.220000 --> 0:07:20.300000
 or it confirms a true positive by
 showing real malicious artifacts.

0:07:20.300000 --> 0:07:26.080000
 So in first response, validation would
 be really pivoting through logs,

0:07:26.080000 --> 0:07:29.380000
 primarily. Of course, there's a lot more
 that can be done in first response

0:07:29.380000 --> 0:07:32.780000
 or hot triage as it were.

0:07:32.780000 --> 0:07:37.080000
 But now with endpoint or host analysis,
 you're actually able to confirm

0:07:37.080000 --> 0:07:43.760000
 it or, you know, conclusively validate
 a specific incident by showing

0:07:43.760000 --> 0:07:52.880000
 real malicious artifacts, you know,
 just as it was in first response or,

0:07:52.880000 --> 0:07:56.160000
 you know, you're trying to avoid a costly
 overreaction to a false alarm

0:07:56.160000 --> 0:07:58.080000
 or a false negative.

0:07:58.080000 --> 0:08:07.280000
 Not to say that, you know, your validation
 in first response was wrong,

0:08:07.280000 --> 0:08:11.040000
 but this is, you know, sort of where
 you're finding conclusive evidence

0:08:11.040000 --> 0:08:12.760000
 or proof, right?

0:08:12.760000 --> 0:08:15.900000
 You then have another objective
 which is scoping the compromise.

0:08:15.900000 --> 0:08:20.020000
 So, you know, why this is crucial is
 because, you know, it determines

0:08:20.020000 --> 0:08:24.940000
 whether the host is patient zero or
 just one victim among many. This

0:08:24.940000 --> 0:08:25.660000
 is very important.

0:08:25.660000 --> 0:08:29.220000
 So you're actually trying through endpoint
 analysis, you're able to determine

0:08:29.220000 --> 0:08:32.440000
 whether, you know, you're dealing with
 the first host that was compromised

0:08:32.440000 --> 0:08:36.360000
 or one of many in a chain,
 you know, for example.

0:08:36.360000 --> 0:08:40.600000
 So it clarifies how far the intruder
 has progressed if there is lateral

0:08:40.600000 --> 0:08:41.380000
 movement, right?

0:08:41.380000 --> 0:08:45.140000
 Which you're also able to identify through
 endpoint analysis to a certain

0:08:45.140000 --> 0:08:50.040000
 extent. And then of course, another
 objective identify root cause.

0:08:50.040000 --> 0:08:53.720000
 So, you know, it pinpoints the exact
 weaknesses, for example, unpatched

0:08:53.720000 --> 0:08:59.100000
 DLL hijack, weak password, so that remediation
 addresses the source or the

0:08:59.100000 --> 0:09:01.680000
 cause, not just the symptoms, right?

0:09:01.680000 --> 0:09:05.420000
 And then another objective would be
 to harvest indicators of compromise,

0:09:05.420000 --> 0:09:16.540000
 IOCs, right? You're able to go beyond
 the first set of IOCs which are

0:09:16.540000 --> 0:09:21.100000
 really tied to initial
 detection as it were.

0:09:21.100000 --> 0:09:28.300000
 So when we talk about IOCs in a SIEM,
 you're limited to, you know, what's

0:09:28.300000 --> 0:09:36.300000
 recorded. But of course, you can take
 an IOC and you can enrich it by

0:09:36.300000 --> 0:09:40.180000
 pivoting or using that
 IOC as a pivot point.

0:09:40.180000 --> 0:09:45.880000
 But now when you perform the endpoint
 analysis, you actually have tangible

0:09:45.880000 --> 0:09:49.140000
 access to things like executables,
 so on and so forth.

0:09:49.140000 --> 0:09:53.220000
 And as a result, you're able to come
 up with, you know, an improved or

0:09:53.220000 --> 0:09:55.780000
 secondary set of IOCs.

0:09:55.780000 --> 0:09:59.000000
 So you extract hashes, you know,
 you're able to get C2 domains.

0:09:59.000000 --> 0:10:03.280000
 If you're able to reverse engineer
 or analyze an executable, you know,

0:10:03.280000 --> 0:10:08.100000
 static analysis, behavioral analysis,
 etc., another good source is, you

0:10:08.100000 --> 0:10:11.780000
 know, registry keys, persistence
 paths, etc.

0:10:11.780000 --> 0:10:15.220000
 So, you know, this feeds hunts across
 the rest of the environment and

0:10:15.220000 --> 0:10:19.320000
 helps in updating
 detection rules.

0:10:19.320000 --> 0:10:22.420000
 Another objective would be to
 preserve evidence, right?

0:10:22.420000 --> 0:10:27.820000
 Which I mentioned in the previous section,
 in the previous video,

0:10:27.820000 --> 0:10:35.720000
 when we were talking about why this is
 crucial. It is crucial because, you know,

0:10:35.720000 --> 0:10:39.440000
 endpoint analysis allows for the
 collection of forensically sound

0:10:39.440000 --> 0:10:43.440000
 artifacts, whether that be RAM dumps
 or disk images, which are needed

0:10:43.440000 --> 0:10:48.860000
 for legal, regulatory or insurance obligations,
 you know, apart from or

0:10:48.860000 --> 0:10:55.120000
 in addition to, you know, the reason
 you're collecting it to begin with,

0:10:55.120000 --> 0:10:57.180000
 which is, you know, to analyze it.

0:10:57.180000 --> 0:11:02.760000
 You then have another objective, which is
 to inform containment and eradication,

0:11:02.760000 --> 0:11:06.700000
 right? So the reason this is, you know,
 the reason why this is crucial

0:11:06.700000 --> 0:11:10.760000
 is because it tells defenders which services
 to isolate, what persistence

0:11:10.760000 --> 0:11:15.040000
 keys to delete, what patches or password
 resets to roll out preventing

0:11:15.040000 --> 0:11:18.240000
 reinfection. So when you're, you know,
 when you actually perform endpoint

0:11:18.240000 --> 0:11:23.760000
 analysis, you're able, you know, if
 we're to drill down into some of the

0:11:23.760000 --> 0:11:29.280000
 types of endpoint analysis, one of
 which would be, you know, analyzing

0:11:29.280000 --> 0:11:35.020000
 the Windows registry, analyzing
 processes, etc.

0:11:35.020000 --> 0:11:37.860000
 You know, once you've sort of performed
 your analysis and you're able

0:11:37.860000 --> 0:11:42.120000
 to say, okay, these are the persistence
 keys that were created as a result

0:11:42.120000 --> 0:11:46.480000
 of the, you know, execution of a particular
 malicious

0:11:46.480000 --> 0:11:52.340000
 piece of software or an executable,
 you're able to, you know, inform the

0:11:52.340000 --> 0:11:54.000000
 containment and eradication phase.

0:11:54.000000 --> 0:11:59.720000
 So with the specifics, the relevant
 teams are able to, you know, contain

0:11:59.720000 --> 0:12:05.420000
 and eradicate and then consequently,
 you know, recover that system.

0:12:05.420000 --> 0:12:09.340000
 So we then have quantifying
 the business impact.

0:12:09.340000 --> 0:12:14.640000
 So the reason or why this is crucial is
 because endpoint analysis clarifies

0:12:14.640000 --> 0:12:18.720000
 if sensitive data was accessed or altered,
 guiding disclosure decisions

0:12:18.720000 --> 0:12:22.460000
 and the recovery priorities.

0:12:22.460000 --> 0:12:27.640000
 So you may be asking yourself, because
 I mentioned quite a few things

0:12:27.640000 --> 0:12:31.760000
 there and you saw that endpoint analysis
 is sort of important or pivotal

0:12:31.760000 --> 0:12:38.900000
 to quite a few phases with regards
 to the incident response process or

0:12:38.900000 --> 0:12:42.600000
 life cycle. So, you know, in this case,
 I'm going to address where it

0:12:42.600000 --> 0:12:45.180000
 fits in the IR process as a whole.

0:12:45.180000 --> 0:12:49.340000
 So, you know, starting with detection
 and analysis, I'm not including

0:12:49.340000 --> 0:12:54.400000
 preparation, but, you know, let's just
 stick to what we're covering here.

0:12:54.400000 --> 0:12:58.240000
 So endpoint analysis begins after
 an escalated alert is validated.

0:12:58.240000 --> 0:13:03.140000
 You already knew that. In terms of containment
 and eradication, the findings

0:13:03.140000 --> 0:13:10.340000
 from endpoint analysis and your analysis
 in general, drive host isolation,

0:13:10.340000 --> 0:13:11.900000
 malware removal and patching.

0:13:11.900000 --> 0:13:15.080000
 So containment, eradication and recovery.

0:13:15.080000 --> 0:13:21.260000
 But speaking specifically about recovery,
 the verified evidence shows

0:13:21.260000 --> 0:13:25.320000
 that the systems are clean before
 going back to production.

0:13:25.320000 --> 0:13:29.240000
 And then lessons learned here, the artifacts
 and root cause insight that

0:13:29.240000 --> 0:13:34.380000
 you're able to identify as a result of
 performing endpoint analysis, improve

0:13:34.380000 --> 0:13:39.680000
 feed improved detections
 and security controls.

0:13:39.680000 --> 0:13:44.880000
 So now that brings us to the core of
 this video in terms of me laying

0:13:44.880000 --> 0:13:49.880000
 the land for, you know, laying out
 what, you know, giving you a lay of

0:13:49.880000 --> 0:13:53.860000
 the land as to what we'll be covering
 in this section practically.

0:13:53.860000 --> 0:13:56.280000
 So there are three columns.

0:13:56.280000 --> 0:13:59.800000
 There's a category or type
 of endpoint analysis.

0:13:59.800000 --> 0:14:05.860000
 The core questions answered with regards
 to a specific type or category

0:14:05.860000 --> 0:14:11.740000
 of endpoint analysis and the key artifacts
 and tools specific or relevant

0:14:11.740000 --> 0:14:16.140000
 to that particular category or
 type of endpoint analysis.

0:14:16.140000 --> 0:14:20.640000
 So you'll also notice there's some
 weird coloring going on here, color

0:14:20.640000 --> 0:14:22.280000
 coding, I should say.

0:14:22.280000 --> 0:14:26.140000
 And you may be saying, well, Alexis,
 could you tell me or tell us what

0:14:26.140000 --> 0:14:31.360000
 exactly you mean or you're trying
 to communicate with this coloring?

0:14:31.360000 --> 0:14:32.960000
 And you know, that's
 a very good question.

0:14:32.960000 --> 0:14:40.160000
 So whatever category you see highlighted
 or color coded in green, light

0:14:40.160000 --> 0:14:45.500000
 green and not yellow, these are the
 categories of analysis we will be

0:14:45.500000 --> 0:14:48.140000
 addressing in this particular course.

0:14:48.140000 --> 0:14:52.720000
 Now, when you see it's yellow, that means
 we'll be covering it to a certain

0:14:52.720000 --> 0:14:59.540000
 extent, most likely to the extent of,
 you know, collection or acquiring

0:14:59.540000 --> 0:15:07.740000
 that is, collecting
 or acquiring the evidence associated

0:15:07.740000 --> 0:15:12.160000
 with that particular category or
 type of endpoint analysis, right?

0:15:12.160000 --> 0:15:15.620000
 When you see it in green, it means we'll
 cover it, you know, in a theoretical

0:15:15.620000 --> 0:15:19.120000
 sense and also practically
 using a lab, right?

0:15:19.120000 --> 0:15:23.000000
 A practical lab here on the INE platform
 that, you know, you'll be able

0:15:23.000000 --> 0:15:24.600000
 to go through yourself.

0:15:24.600000 --> 0:15:31.280000
 Now, in certain cases, we may not go
 through, you know, many practical

0:15:31.280000 --> 0:15:36.560000
 demos, but the ones I've highlighted in
 green, as I said, we'll be covering

0:15:36.560000 --> 0:15:41.880000
 to the extent that I think is important
 for you as an incident responder.

0:15:41.880000 --> 0:15:45.940000
 And so if we start from the first category,
 when we talk about endpoint

0:15:45.940000 --> 0:15:48.420000
 analysis, we have log analysis, right?

0:15:48.420000 --> 0:15:52.940000
 So the core question answered or the
 core question you're trying to answer

0:15:52.940000 --> 0:15:57.800000
 with log analysis is what, you know,
 what did the OS or EDR record with

0:15:57.800000 --> 0:15:59.280000
 regards to the instant, right?

0:15:59.280000 --> 0:16:03.260000
 And the key artifacts and tools here
 would be, you know, Windows events,

0:16:03.260000 --> 0:16:07.000000
 Sysmon, in the case of Linux, you have,
 you know, journalctl, auth

0:16:07.000000 --> 0:16:12.080000
 log, etc. These can be viewed via a SEAM.


0:16:12.080000 --> 0:16:18.660000
 So if you're doing, pivoting through,
 you know, logs, you know, we'll

0:16:18.660000 --> 0:16:21.300000
 be doing it through a SIEM, Splunk.


0:16:21.300000 --> 0:16:27.060000
 And then I'll be speaking about, you
 know, the process of collecting or

0:16:27.060000 --> 0:16:32.020000
 acquiring Windows event logs from a
 live system using multiple tools,

0:16:32.020000 --> 0:16:38.520000
 as well as how to analyze them, you
 know, on Windows system, Linux, etc.

0:16:38.520000 --> 0:16:42.720000
 without, you know, having a SEAM.

0:16:42.720000 --> 0:16:45.740000
 And then we have process and
 execution tree analysis.

0:16:45.740000 --> 0:16:49.840000
 So the core question answered here is
 which processes ran and in what

0:16:49.840000 --> 0:16:54.040000
 order? So we're going to talk about
 parent child process IDs, command

0:16:54.040000 --> 0:16:57.400000
 lines, parent hashes, tools.

0:16:57.400000 --> 0:17:03.020000
 In the case of tools, we'll be exploring
 these: Process Explorer live.

0:17:03.020000 --> 0:17:06.120000
 Yeah, we'll not really touch
 on the EDR console.

0:17:06.120000 --> 0:17:10.680000
 We'll, or maybe we'll cover, you know,
 ProcDump or process dump timelines

0:17:10.680000 --> 0:17:15.440000
 and CAPE. So, you know, quite,
 quite comprehensive.

0:17:15.440000 --> 0:17:19.660000
 And then persistence and auto start
 analysis, you know, in this case,

0:17:19.660000 --> 0:17:24.160000
 the generalized question we would be asking
 is how does the malware survive

0:17:24.160000 --> 0:17:27.260000
 reboots, right? So that's what
 persistence is all about.

0:17:27.260000 --> 0:17:30.760000
 And the way this can be determined, or
 the key artifacts and tools here,

0:17:30.760000 --> 0:17:38.780000
 would be registry run keys, scheduled
 tasks, services, WMI subscriptions,

0:17:38.780000 --> 0:17:42.280000
 in the case of Linux,
 cron or systemd units.

0:17:42.280000 --> 0:17:46.020000
 When we talk about the tools that will
 facilitate this, we obviously have

0:17:46.020000 --> 0:17:51.720000
 Autoruns, RegRipper,
 Velociraptor hunts. We will not really

0:17:51.720000 --> 0:17:54.320000
 be using Velociraptor in
 this particular course.

0:17:54.320000 --> 0:17:57.620000
 But when we get to the threat intelligence
 and threat hunting course,

0:17:57.620000 --> 0:18:00.020000
 that's when we'll use that.

0:18:00.020000 --> 0:18:03.700000
 So I don't know, this course is long
 enough as it is, I don't want to

0:18:03.700000 --> 0:18:07.780000
 cram in as much as I can, especially
 because when we talk about endpoint

0:18:07.780000 --> 0:18:13.020000
 analysis, more specifically digital
 forensics, we'll be covering that

0:18:13.020000 --> 0:18:14.680000
 in detail in its own course.

0:18:14.680000 --> 0:18:17.920000
 And there's a good reason for that,
 because that is, you know, sort of

0:18:17.920000 --> 0:18:20.660000
 a distinct specialization.

0:18:20.660000 --> 0:18:27.620000
 But we then have memory, you know,
 volatile memory forensics, which is

0:18:27.620000 --> 0:18:32.880000
 volatile. So this is, you know, analyzing
 RAM as it were, or capturing

0:18:32.880000 --> 0:18:35.880000
 dumping RAM and then analyzing it.

0:18:35.880000 --> 0:18:39.140000
 So the core question answered here
 would be what's injected or running

0:18:39.140000 --> 0:18:43.100000
 only in RAM. The key artifacts and tools
 in this case would be, you know,

0:18:43.100000 --> 0:18:48.420000
 in-memory DLLs, reflective loaders,
 credentials in LSASS, or in

0:18:48.420000 --> 0:18:51.940000
 the LSASS process cache,
 encryption keys, etc.

0:18:51.940000 --> 0:18:55.640000
 And then the tools that would apply
 here would be Volatility, Rekall and

0:18:55.640000 --> 0:19:00.620000
 Comae. Then we have file
 system and disk forensics.

0:19:00.620000 --> 0:19:10.200000
 So this, we will be covering in the
 digital forensics course within this

0:19:10.200000 --> 0:19:13.740000
 learning path. So the core question,
 you know, answered here would be

0:19:13.740000 --> 0:19:16.060000
 what files were created,
 modified or deleted.

0:19:16.060000 --> 0:19:20.620000
 So, you know, MFT, USN journal, shadow
 copies, timestomps, and the tools

0:19:20.620000 --> 0:19:24.760000
 you're probably already aware of them,
 would be FTK Imager, Autopsy, and

0:19:24.760000 --> 0:19:30.440000
 The Sleuth Kit. And then we have registry
 or configuration hive analysis,

0:19:30.440000 --> 0:19:32.580000
 generally registry analysis.

0:19:32.580000 --> 0:19:34.300000
 This is specific to Windows.

0:19:34.300000 --> 0:19:37.800000
 The core questions answered here or
 that we're looking to answer is what

0:19:37.800000 --> 0:19:40.840000
 config changes reveal user
 or malware activity.

0:19:40.840000 --> 0:19:44.260000
 And it's very important to note
 the two types of activity.

0:19:44.260000 --> 0:19:46.960000
 So user or malware activity.

0:19:46.960000 --> 0:19:49.460000
 And we talk about the key
 artifacts and tools.

0:19:49.460000 --> 0:19:59.980000
 We have, you know, recent hyper high VEX,
 you know, we'll be focusing primarily

0:19:59.980000 --> 0:20:01.340000
 on RegRipper.

0:20:01.340000 --> 0:20:05.440000
 I mentioned it when we're talking about
 persistence and autostart analysis.

0:20:05.440000 --> 0:20:10.940000
 We then have user activity
 artifact analysis.

0:20:10.940000 --> 0:20:15.860000
 So, this is the core question answered
 here is what did the user open

0:20:15.860000 --> 0:20:17.020000
 or execute, right?

0:20:17.020000 --> 0:20:21.000000
 And the key artifacts and tools would
 be jump lists, LNK files, browser

0:20:21.000000 --> 0:20:25.640000
 history, RDP cache, bash
 history, stuff like this.

0:20:25.640000 --> 0:20:28.820000
 And then credential and account analysis.
 We will not really be covering this

0:20:28.820000 --> 0:20:32.080000
 in too much detail.

0:20:32.080000 --> 0:20:34.220000
 That's why it's highlighted yellow.

0:20:34.220000 --> 0:20:37.940000
 So, you know, the core question answered
 here is what credentials were dumped,

0:20:37.940000 --> 0:20:39.580000
 created or abused.

0:20:39.580000 --> 0:20:43.100000
 The key artifacts and tools would be,
 you know, password hashes, keytabs,

0:20:43.100000 --> 0:20:45.300000
 tickets, new admin accounts.

0:20:45.300000 --> 0:20:49.580000
 Tools would be Mimikatz outputs, SAM
 diffing and, you know, Kerberos

0:20:49.580000 --> 0:20:54.320000
 logs. We then have three
 other types of analysis.

0:20:54.320000 --> 0:20:59.520000
 I should say timeline reconstruction,
 we will cover, although not formally

0:20:59.520000 --> 0:21:02.880000
 or directly, that's something that we'll,
 you know, explore as

0:21:02.880000 --> 0:21:05.520000
 we progress through the other courses.

0:21:05.520000 --> 0:21:10.880000
 But when we talk about binary or malware
 triage, you know, core question

0:21:10.880000 --> 0:21:12.480000
 being what does the payload do?

0:21:12.480000 --> 0:21:14.660000
 What does the malware do?

0:21:14.660000 --> 0:21:18.320000
 We'll be covering this in the
 digital forensics course.

0:21:18.320000 --> 0:21:22.500000
 So, this is where you have, you know, the
 key artifacts like hash identification,

0:21:22.500000 --> 0:21:26.500000
 static strings, sandbox detonation, and
 the tools being, you know, Detect

0:21:26.500000 --> 0:21:32.320000
 It Easy, PEStudio, you know, static analysis
 stuff, analyzing the headers,

0:21:32.320000 --> 0:21:34.660000
 CyberChef and ANY.RUN.

0:21:34.660000 --> 0:21:39.520000
 So, we'll probably maybe explore a
 little bit in this, you know, if we

0:21:39.520000 --> 0:21:44.900000
 have enough, I shouldn't say time, but
 if I feel that it should be included.

0:21:44.900000 --> 0:21:50.340000
 But the plan is to cover this in detail
 in the digital forensics course.

0:21:50.340000 --> 0:21:52.240000
 We then have driver and
 kernel module analysis.

0:21:52.240000 --> 0:21:55.200000
 This is, you know, quite
 advanced stuff here.

0:21:55.200000 --> 0:21:58.580000
 The core question being, is there
 a rootkit or malicious driver?

0:21:58.580000 --> 0:22:03.140000
 The key artifacts would be unsigned drivers,
 SSDT hooks, kernel callbacks

0:22:03.140000 --> 0:22:10.900000
 and the tools here that will apply would
 be GMER and,

0:22:10.900000 --> 0:22:13.900000
 you know, WinDbg, Kernel Detective.

0:22:13.900000 --> 0:22:18.160000
 So, we'll probably touch a little bit
 on that in the digital forensics

0:22:18.160000 --> 0:22:21.360000
 course. And then of course, we have
 timeline reconstruction, you know,

0:22:21.360000 --> 0:22:24.980000
 super timeline. So, core questions answered
 here would be, when did every

0:22:24.980000 --> 0:22:26.420000
 artifact change?

0:22:26.420000 --> 0:22:30.720000
 The key artifacts and tools would be a combined
 view of log, file and registry

0:22:30.720000 --> 0:22:35.840000
 timestamps and the tools here, you
 know, the ones you're likely to see

0:22:35.840000 --> 0:22:38.880000
 and use would be Plaso and Timesketch.

0:22:38.880000 --> 0:22:42.780000
 And then of course, you have live response
 versus dead box, which is not

0:22:42.780000 --> 0:22:45.700000
 really a category or type
 of endpoint analysis.

0:22:45.700000 --> 0:22:49.300000
 The only reason I mentioned it here
 is because we're going to address

0:22:49.300000 --> 0:22:54.480000
 it in the next video, at least
 conceptually or theoretically.

0:22:54.480000 --> 0:22:59.560000
 And the core question being answered
 here is, do we collect artifacts

0:22:59.560000 --> 0:23:03.780000
 while the host runs or,
 you know, is offline?

0:23:03.780000 --> 0:23:06.860000
 So, that's the only reason
 I included it here.

0:23:06.860000 --> 0:23:13.260000
 It refers to
 the state of the system

0:23:13.260000 --> 0:23:17.480000
 and when you collect the artifacts.

0:23:17.480000 --> 0:23:22.520000
 So, pretty much the core question
 outlines the objective.

0:23:22.520000 --> 0:23:26.040000
 So, do we collect artifacts while
 the host runs or is offline?

0:23:26.040000 --> 0:23:30.600000
 So, in the case of, you know, the system
 being live or online, you

0:23:30.600000 --> 0:23:35.220000
 know, have tools like Velociraptor, GRR,
 and then when you're dealing with

0:23:35.220000 --> 0:23:39.220000
 the dead box or system that's offline,
 you're dealing, you know, you have

0:23:39.220000 --> 0:23:41.200000
 image and then offline analysis.

0:23:41.200000 --> 0:23:45.480000
 So, you take a disk image for offline analysis,
 and the choice depends on volatility

0:23:45.480000 --> 0:23:47.020000
 and business impact.

0:23:47.020000 --> 0:23:51.820000
 So, at least theoretically, I'm going
 to explain, if it isn't all obvious

0:23:51.820000 --> 0:23:54.740000
 already what that entails.

0:23:54.740000 --> 0:23:56.900000
 So, that brings us to
 the end of this video.

0:23:56.900000 --> 0:24:00.520000
 Just wanted to give you an introduction
 to endpoint analysis, sort of lay out

0:24:00.520000 --> 0:24:02.620000
 what we'll be covering.

0:24:02.620000 --> 0:24:06.080000
 And with that being said, that's going
 to be it for this video and I will

0:24:06.080000 --> 0:24:07.880000
 be seeing you in the next video.

