Find out how ELMO can assist with a live incident response situation
In most incident response situations, it is necessary to collect some form of volatile data. While disk forensics continues to play a role in incident response, the tactics of today's adversaries require different methods from incident responders. One of those methods is live forensics, which captures volatile data before it is lost.
Much like traditional “dead box” forensics, most investigators will agree that no single tool can meet the needs of every investigation. Instead, investigators commonly use multiple tools to gather information based on the needs of the investigation. Some examples are memory acquisition, running processes, network connections and open file handles.
Running these tools in a Windows environment is most often achieved by scripting multiple tools through the use of a batch file. This achieves several goals. First, it allows the investigator to execute a single file, which will run multiple tools. Second, it ensures that all tools are run correctly. Third, it provides a repeatable method for performing live forensics.
Still, scripting with a batch file is not a perfect solution. Because a batch file is basically a list of Windows commands, it limits the functionality that can be achieved. Investigators often rely on other third-party tools to add functionality to the script. Each time a tool is added or another set of command line options is desired, however, the batch file must be updated. This leaves the investigator with two choices: maintaining multiple batch files for different requirements, or editing the batch file on the fly, which can lead to errors.
What is ELMO? ELMO is a command line tool written in VB.NET that is intended to take the scripting functionality of a Windows batch file to the next level. The NTT Security Incident Response Team developed ELMO for internal use to increase our efficiency responding to customer incidents.
Why is it named ELMO? It was a temporary name for the project, and that name just stuck.
How does ELMO work? ELMO relies on a main configuration file, which directs ELMO to a set of subfolders containing sets of live forensic tools to be executed. Multiple configuration files can be created ahead of time and specified on the command line depending on the requirements of the investigation. For example, one configuration file may direct ELMO to execute a series of folders containing tools useful for examining a web server, while another may direct ELMO to execute a series of folders containing tools useful for examining a point-of-sale server.
Since ELMO is more than just a batch file, it can detect environment variables, such as OS version and architecture, and run only the tools that have been placed in subfolders for those specific environments as shown in the figure below.
Command line arguments are provided in one or more text files for each tool, allowing a single tool to be run with multiple arguments. For example, when running program1.exe, ELMO will look for a corresponding program1.exe.cmd file. If program1.exe.cmd is found, ELMO will execute program1.exe once with each command line argument specified in program1.exe.cmd. ELMO can also utilize variables, such as %SYSROOT% for the system root and %OUTDIR% for the ELMO output directory, to increase the flexibility of these command line arguments.
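To make the folder-and-argument-file layout concrete, here is an added example (not ELMO's own code, which is VB.NET and not published in this article) of the same idea in Python: a main configuration file lists tool categories, the runner descends into an OS/architecture subfolder when one exists, reads one argument set per line from a matching .cmd file, and expands %SYSROOT% and %OUTDIR%. The config file name (elmo.cfg), the category/OS/arch nesting order, the placeholder tool names and their flags are assumptions; only the .cmd convention and the two variable names come from the article.

```python
"""Config-driven live-response tool runner modelled on the ELMO layout.
Added example, not ELMO's code. The '<tool>.cmd' argument-file convention
and the %SYSROOT%/%OUTDIR% variable names follow the article; the config
file name, folder nesting and sample tools are assumptions."""
import re
import tempfile
from pathlib import Path

VAR_PATTERN = re.compile(r"%(\w+)%")


def expand_vars(arg_line, variables):
    """Replace %NAME% tokens with values from `variables`; unknown names are left as-is."""
    return VAR_PATTERN.sub(lambda m: variables.get(m.group(1), m.group(0)), arg_line)


def read_arg_sets(tool_path):
    """One argument string per non-empty, non-comment line of <tool>.cmd.
    A tool with no .cmd file runs exactly once with no arguments."""
    cmd_file = tool_path.with_name(tool_path.name + ".cmd")
    if not cmd_file.exists():
        return [""]
    lines = [ln.strip() for ln in cmd_file.read_text(encoding="utf-8").splitlines()]
    return [ln for ln in lines if ln and not ln.startswith("#")] or [""]


def select_tool_dirs(config_file, os_tag, arch_tag):
    """The main config lists one category folder per line (e.g. 'Network').
    Inside each category the runner uses <os_tag>/<arch_tag> if that folder
    exists, otherwise the category root (assumed fallback behaviour)."""
    root = config_file.parent
    chosen = []
    for line in config_file.read_text(encoding="utf-8").splitlines():
        name = line.strip()
        if not name or name.startswith("#"):
            continue
        category = root / name
        specific = category / os_tag / arch_tag
        chosen.append(specific if specific.is_dir() else category)
    return chosen


def plan_invocations(config_file, os_tag, arch_tag, variables, tool_glob="*.exe"):
    """Return [(tool_path, expanded_args), ...] in the order the tools would run."""
    plan = []
    for folder in select_tool_dirs(config_file, os_tag, arch_tag):
        for tool in sorted(folder.glob(tool_glob)):
            for args in read_arg_sets(tool):
                plan.append((tool, expand_vars(args, variables)))
    return plan


def build_demo_tree(base):
    """Constructed sample layout (placeholder binaries, not real tools):
    'Network' has a Win7/x64-specific subfolder, 'File System' has none."""
    base = Path(base)
    (base / "elmo.cfg").write_text("# categories in run order\nNetwork\nFile System\n")
    net = base / "Network" / "Win7" / "x64"
    net.mkdir(parents=True)
    (net / "netstat.exe").write_bytes(b"")                    # placeholder
    (net / "netstat.exe.cmd").write_text("-ano\n-r\n")         # two runs of one tool
    fs = base / "File System"
    fs.mkdir()
    (fs / "fsinfo.exe").write_bytes(b"")                      # hypothetical tool
    (fs / "fsinfo.exe.cmd").write_text("-p %SYSROOT%\\System32 -o %OUTDIR%\n")
    return base / "elmo.cfg"


def demo(os_tag="Win7", arch_tag="x64"):
    """Build the sample tree and return [(tool name, expanded args), ...]."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = build_demo_tree(tmp)
        variables = {"SYSROOT": r"C:\Windows", "OUTDIR": r"E:\case42"}
        return [(t.name, a) for t, a in plan_invocations(cfg, os_tag, arch_tag, variables)]


if __name__ == "__main__":
    for name, args in demo():
        print(f"{name} {args}")
```

Running demo() with the Win7/x64 tags yields netstat.exe twice (once per .cmd line) followed by fsinfo.exe with the variables expanded; with a tag such as Win10 the Network category falls back to its root, which holds no tools, so only fsinfo.exe is planned. This is the property the article relies on: adding a tool or an argument line changes the plan without any script edits.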
The following figure shows the result of running ELMO with subdirectories named "Network" and "File System" and further subdirectories for OS version and architecture on a 64-bit version of Windows 7.
Figure 1 – ELMO Results
Adding a new tool or modifying arguments is as simple as adding a new tool to the correct folder or updating the tool’s configuration text file. Once configured, an optional password can be provided to ensure that only approved tools and arguments are executed when ELMO is run. Any unauthorized modifications will cause an error.
Because ELMO was designed to be a forensic utility, detailed logging records every tool and each command line argument that is run. Output from each tool is written to a user-defined location, ensuring that no data overwrites the original evidence. All output is hashed using MD5 to provide integrity verification.
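The two preceding paragraphs describe three controls: an approval check that fails when tools or arguments are modified, per-invocation logging, and MD5 hashing of every output file. The following added Python example (not ELMO's code) shows one way to get those properties together. The article does not say how ELMO's password check is implemented; the password-keyed HMAC-SHA256 manifest over every tool and .cmd file is an assumed design, the manifest file name is assumed, and the "tool" executed is a stand-in Python one-liner so the block runs anywhere.

```python
"""Approval manifest, output capture, hashing and logging for a live-response
runner. Added example modelled on the ELMO features described in the article,
not ELMO's code. The HMAC manifest keyed with the operator's password is an
assumed design; the executed 'tool' is a stand-in Python command."""
import hashlib
import hmac
import json
import subprocess
import sys
import tempfile
import time
from pathlib import Path

MANIFEST = "approved.json"   # assumed file name


def _file_mac(path, password):
    """HMAC-SHA256 of a file's bytes keyed with the password."""
    return hmac.new(password.encode(), path.read_bytes(), hashlib.sha256).hexdigest()


def _kit_macs(tool_root, password):
    return {str(p.relative_to(tool_root)): _file_mac(p, password)
            for p in sorted(tool_root.rglob("*")) if p.is_file() and p.name != MANIFEST}


def write_manifest(tool_root, password):
    """Record a MAC for every tool and .cmd file; done once when the kit is approved."""
    (tool_root / MANIFEST).write_text(json.dumps(_kit_macs(tool_root, password), indent=1))


def verify_manifest(tool_root, password):
    """Raise RuntimeError if any file was added, removed or changed since approval,
    or if the password does not match the one used to approve the kit."""
    recorded = json.loads((tool_root / MANIFEST).read_text())
    current = _kit_macs(tool_root, password)
    if set(recorded) != set(current):
        raise RuntimeError("tool set changed: " + ", ".join(sorted(set(recorded) ^ set(current))))
    bad = [n for n in recorded if not hmac.compare_digest(recorded[n], current[n])]
    if bad:
        raise RuntimeError("unauthorized modification or wrong password: " + ", ".join(bad))


def run_and_record(name, argv, outdir, log):
    """Run one command with stdout redirected to outdir/<name>.txt (never the
    evidence volume), MD5 the output file as the article describes, and append
    a log line holding the exact argv and the hash. Returns the hex digest."""
    out_path = Path(outdir) / f"{name}.txt"
    with open(out_path, "wb") as fh:
        subprocess.run(argv, stdout=fh, stderr=subprocess.STDOUT, check=False)
    digest = hashlib.md5(out_path.read_bytes()).hexdigest()
    with open(log, "a", encoding="utf-8") as fh:
        stamp = time.strftime("%Y-%m-%dT%H:%M:%S")
        fh.write(f"{stamp}\t{name}\t{argv!r}\t{out_path.name}\tmd5={digest}\n")
    return digest


def rejects(tool_root, password):
    """True if verify_manifest refuses the kit."""
    try:
        verify_manifest(tool_root, password)
    except RuntimeError:
        return True
    return False


def demo(password="correct-horse-battery"):
    """Constructed scenario: approve a kit, verify it, run a stand-in tool,
    then edit a .cmd file and confirm the change is rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        kit = Path(tmp) / "kit"
        kit.mkdir()
        (kit / "hello.exe").write_bytes(b"placeholder binary")   # constructed stand-in
        (kit / "hello.exe.cmd").write_text("-v\n")
        write_manifest(kit, password)
        verify_manifest(kit, password)                            # untouched kit passes
        result = {"wrong_password_detected": rejects(kit, "not-the-password")}
        outdir = Path(tmp) / "out"
        outdir.mkdir()
        log = Path(tmp) / "elmo.log"
        argv = [sys.executable, "-c", "print('evidence')"]        # stand-in for a real tool
        result["digest"] = run_and_record("hello_1", argv, outdir, log)
        out_bytes = (outdir / "hello_1.txt").read_bytes()
        result["output"] = out_bytes.decode().strip()
        result["digest_matches_file"] = result["digest"] == hashlib.md5(out_bytes).hexdigest()
        (kit / "hello.exe.cmd").write_text("-v -x\n")             # edited after approval
        result["tamper_detected"] = rejects(kit, password)
        result["log_lines"] = log.read_text(encoding="utf-8").count("md5=")
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two design points worth noting. The manifest uses a keyed MAC rather than a plain hash so that someone who can edit a .cmd file cannot simply regenerate the manifest without the password, which is the property the article's "only approved tools and arguments" check needs. The MD5 of each output file is kept because that is what the article describes; it is adequate for detecting accidental corruption of collected output, and the log line ties each hash to the exact command line that produced it.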
How can ELMO fit in a live incident response process? ELMO can be used just about anywhere you need to script multiple tools to run and capture the output. The NTT Security Critical Incident Response Team typically uses ELMO to run a set of tools to collect process, OS, file system and network data after a full memory capture, but before collecting files or a disk image.
On multiple occasions, the NTT Security Incident Response Team has been able to use this process, OS, file system and network data to locate malware without any further evidence processing. While this may not always be the case (due to more advanced malware, anti-forensics techniques, etc.), this data can provide a quick “first-look” at the system in question.
ELMO is just one of the advanced tools that are utilized by the NTT Security Incident Response Team to provide our clients with holistic incident response and management services. In addition to developing tools such as ELMO to assist in everyday incident response engagements, the NTT Security Incident Response Team can also develop one-off tools to solve your specific incident response needs.