forked from DFIR-ORC/dfir-orc.github.io
design_principles.html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Design Principles — DFIR ORC documentation</title>
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="_static/solar.css" type="text/css" />
<link rel="stylesheet" type="text/css" href="_static/css/custom.css" />
<script id="documentation_options" data-url_root="./" src="_static/documentation_options.js"></script>
<script src="_static/jquery.js"></script>
<script src="_static/underscore.js"></script>
<script src="_static/doctools.js"></script>
<script src="_static/language_data.js"></script>
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="Architecture" href="architecture.html" />
<link rel="prev" title="Design and Architecture" href="intro_to_data_collection.html" /><link href='http://fonts.googleapis.com/css?family=Source+Code+Pro|Open+Sans:300italic,400italic,700italic,400,300,700' rel='stylesheet' type='text/css'>
<link href="_static/solarized-dark.css" rel="stylesheet">
</head><body>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" >
<a href="architecture.html" title="Architecture"
accesskey="N">next</a>
<li class="right" >
<a href="intro_to_data_collection.html" title="Design and Architecture"
accesskey="P">previous</a>
|</li>
<li class="nav-item nav-item-0"><a href="index.html">DFIR ORC documentation</a> »</li>
<li class="nav-item nav-item-1"><a href="intro_to_data_collection.html" accesskey="U">Design and Architecture</a> »</li>
</ul>
</div>
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<p class="logo"><a href="index.html">
<img class="logo" src="_static/logo.jpg" alt="Logo"/>
</a></p>
<h3><a href="index.html">Table of Contents</a></h3>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="index.html">Introduction</a></li>
<li class="toctree-l1"><a class="reference internal" href="tuto.html">Tutorial</a></li>
<li class="toctree-l1"><a class="reference internal" href="platforms.html">Requirements</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="intro_to_data_collection.html">Design and Architecture</a><ul class="current">
<li class="toctree-l2 current"><a class="current reference internal" href="#">Design Principles</a></li>
<li class="toctree-l2"><a class="reference internal" href="architecture.html">Architecture</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="configuration.html">Configuration</a></li>
<li class="toctree-l1"><a class="reference internal" href="embedded_tool_suite.html">Embedded Tool Suite</a></li>
<li class="toctree-l1"><a class="reference internal" href="licenses.html">Licenses</a></li>
</ul>
<div id="searchbox" style="display: none" role="search">
<h3 id="searchlabel">Quick search</h3>
<div class="searchformwrapper">
<form class="search" action="search.html" method="get">
<input type="text" name="q" aria-labelledby="searchlabel" />
<input type="submit" value="Go" />
</form>
</div>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<div class="section" id="design-principles">
<h1>Design Principles<a class="headerlink" href="#design-principles" title="Permalink to this headline">¶</a></h1>
<div class="section" id="the-approach-one-binary-to-run-them-all">
<h2>The Approach: One Binary to Run Them All<a class="headerlink" href="#the-approach-one-binary-to-run-them-all" title="Permalink to this headline">¶</a></h2>
<p>DFIR ORC was originally developed to address the need for reliable data collection on potentially compromised systems.
Historically, teams have relied on two approaches:</p>
<ul class="simple">
<li><p>a script executing a collection of ad hoc tools one after the other,</p></li>
<li><p>a monolithic tool gathering as much data as possible from available APIs.</p></li>
</ul>
<p>The first approach is fragile: if any single tool fails, hangs, or waits for user input for some reason, the whole collection is at risk, and the script has no way to enforce a time budget on the offending tool.
Moreover, these tools usually write a large amount of data to disk before the result set can be archived or compressed into a single file, which increases disk usage and churn on the very system under investigation.
On the plus side, this approach benefits from the wide variety of specialized tools available for efficient live data collection in each technological area (file systems, networking, memory analysis, etc.).</p>
<p>The second approach (monolithic) is prone to application crashes, since a fault in any one collector takes down the whole process, and represents an enormous amount of “reinventing the wheel”.
It also carries the burden of integrating various tools and libraries into the same address space.
This approach, however, allows complete control over the output format, which makes fast and meaningful data mining possible.</p>
<p>DFIR ORC takes the best of both worlds: it reuses existing or independent tools and unites them under the management of an execution engine that provides tighter control. Moreover, a set of specialized tools has been developed and can also be embedded.
Typically, all data-gathering activities run under the control of a Windows Job Object, which places strict limits on their execution (a job can, for instance, cap the memory and CPU time available to its processes and terminate every process in the job, child processes included, when the engine decides to stop it).
Each process's output is immediately compressed into the output file, to minimize disk usage and churn. Whenever possible, the output is added to the archive as soon as it is available and then deleted, to minimize the use of temporary files.</p>
<div class="information admonition">
<p class="admonition-title">The main design motto behind DFIR ORC</p>
<p><strong>Whatever it takes, whatever happens, DFIR ORC will strive to provide valid output files in a predetermined amount of time.</strong></p>
</div>
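<p>To make the execution model above concrete, here is an added example (not DFIR ORC code, and not the project's engine) of a minimal collection engine written in Python: each tool runs under its own timeout and a global time budget, its standard output is streamed straight into a compressed archive entry rather than to a temporary file, and the archive is closed cleanly with a manifest whatever happens to the individual tools. The three tools it runs are constructed stand-ins (Python one-liners that succeed, hang, and fail) so the script runs offline on any platform; the names <code class="docutils literal notranslate"><span class="pre">run_tool</span></code>, <code class="docutils literal notranslate"><span class="pre">collect</span></code> and <code class="docutils literal notranslate"><span class="pre">read_back</span></code> are this example's own.</p>

```python
"""Added example: a tiny collection engine in the spirit of the design motto.

Not DFIR ORC code.  Runs each tool under a timeout and a global budget,
streams stdout into a zip entry as it is produced, and always finishes the
archive with a manifest of what happened.  The tools below are constructed
stand-ins (Python one-liners) so the script works offline on any platform.
"""
import subprocess
import sys
import threading
import time
import zipfile


def run_tool(zf, name, argv, timeout):
    """Run one tool, streaming its stdout into the open ZipFile entry `name`.

    Returns "ok", "failed:<rc>" or "timeout".  A timer kills the child when
    `timeout` expires; the child's pipe then reaches EOF, which ends the copy
    loop, so the archive entry is always completed and flushed.
    """
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE,
                            stderr=subprocess.DEVNULL)
    timed_out = threading.Event()

    def kill():
        timed_out.set()
        proc.kill()

    timer = threading.Timer(timeout, kill)
    timer.start()
    try:
        with zf.open(name, "w") as entry:           # compressed as it arrives
            for chunk in iter(lambda: proc.stdout.read(65536), b""):
                entry.write(chunk)
        rc = proc.wait()
    finally:
        timer.cancel()
    if timed_out.is_set():
        return "timeout"
    return "ok" if rc == 0 else "failed:%d" % rc


def collect(archive_path, tools, budget):
    """Run `tools` (list of (entry_name, argv, timeout)) within `budget` seconds.

    Each tool gets min(its own timeout, time left in the budget); tools that
    cannot start before the deadline are recorded as "skipped".  The manifest
    is written last so the archive itself records each tool's fate.
    """
    deadline = time.monotonic() + budget
    manifest = {}
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, argv, timeout in tools:
            left = deadline - time.monotonic()
            if left <= 0:
                manifest[name] = "skipped"
                continue
            manifest[name] = run_tool(zf, name, argv, min(timeout, left))
        zf.writestr("manifest.txt",
                    "".join("%s\t%s\n" % kv for kv in manifest.items()))
    return manifest


def read_back(archive_path):
    """Verify the archive's CRCs and return {entry_name: bytes}."""
    with zipfile.ZipFile(archive_path) as zf:
        if zf.testzip() is not None:
            raise ValueError("corrupt archive")
        return {info.filename: zf.read(info) for info in zf.infolist()}


# Constructed stand-in tools: one behaves, one hangs, one exits non-zero.
PY = sys.executable
DEMO_TOOLS = [
    ("procs.csv", [PY, "-c", "print('pid,name'); print('4,System')"], 5),
    ("hang.txt", [PY, "-c",
                  "import time; print('partial', flush=True); time.sleep(60)"], 1),
    ("broken.txt", [PY, "-c", "import sys; sys.exit(3)"], 5),
]

if __name__ == "__main__":
    for name, status in collect("orc_demo.zip", DEMO_TOOLS, budget=10).items():
        print("%-12s %s" % (name, status))
```

<p>The hanging tool is killed after one second, yet the bytes it emitted before hanging are in the archive and the manifest says <code class="docutils literal notranslate"><span class="pre">timeout</span></code>; the archive as a whole stays valid. A real engine would add what a Job Object gives for free on Windows: limits on memory and CPU time and termination of the whole process tree, not just the direct child.</p>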
</div>
<div class="section" id="choosing-your-arsenal-tools-to-embed">
<h2>Choosing Your Arsenal: Tools to Embed<a class="headerlink" href="#choosing-your-arsenal-tools-to-embed" title="Permalink to this headline">¶</a></h2>
<p>DFIR ORC can embed other tools to create a single file that will be executed on the target systems.</p>
<p>The first step is to define your data collection goals, in order to choose the appropriate tools to run on the target machines.</p>
<ul>
<li><p>What data do you need to collect?</p>
<blockquote>
<div><ul class="simple">
<li><p>File system related data (file lists, hashes, file signatures, …)</p></li>
<li><p>Registry</p></li>
<li><p>Live data: processes, network communications, kernel objects, …</p></li>
<li><p>System configuration (network, ASEPs, …)</p></li>
<li><p>Logs, events</p></li>
</ul>
</div></blockquote>
</li>
<li><p>What are the target platforms?</p>
<blockquote>
<div><ul class="simple">
<li><p>Obsolete platforms (XP? Vista?)</p></li>
<li><p>Modern platforms (8.1? 10?)</p></li>
</ul>
</div></blockquote>
</li>
<li><p>How sensitive and/or personal is this information?</p></li>
</ul>
<p>Next, you need to define and assemble the set of tools required to collect this information from the targeted systems.</p>
<ul>
<li><p>From DFIR ORC itself with the embedded tool set:</p>
<blockquote>
<div><ul class="simple">
<li><p>NTFSInfo,</p></li>
<li><p>FATInfo,</p></li>
<li><p>GetThis,</p></li>
<li><p>RegInfo,</p></li>
<li><p>USNInfo,</p></li>
<li><p>ObjInfo,</p></li>
<li><p>FastFind,</p></li>
<li><p>NTFSUtil,</p></li>
<li><p>GetSectors,</p></li>
<li><p>DD</p></li>
</ul>
</div></blockquote>
</li>
<li><p>From third parties:</p>
<blockquote>
<div><ul class="simple">
<li><p>Sysinternals suite (Autoruns, …),</p></li>
<li><p>Tcpdump,</p></li>
<li><p>…</p></li>
</ul>
</div></blockquote>
</li>
</ul>
<p>The flexibility of the configuration makes it possible to accommodate tools which:</p>
<blockquote>
<div><ul class="simple">
<li><p>only run on specific Windows version or architecture,</p></li>
<li><p>have different output or command line arguments on specific Windows versions,</p></li>
<li><p>require files to be available (configurations, dependencies, …) upon execution.</p></li>
</ul>
</div></blockquote>
</div>
<div class="section" id="a-configurable-framework">
<h2>A Configurable Framework<a class="headerlink" href="#a-configurable-framework" title="Permalink to this headline">¶</a></h2>
<p>DFIR ORC is configurable. On top of the embedded tools, the operational binary <code class="docutils literal notranslate"><span class="pre">DFIR-Orc.exe</span></code> embeds
an XML configuration listing all the tools to run and their options. This is why we call <code class="docutils literal notranslate"><span class="pre">DFIR-Orc.exe</span></code> <em>a configured</em> binary.
To write a valid configuration, you need the exact command line required by each tool, as well as a description of its intended output (which files or standard streams it produces, and how they should be stored).</p>
<p>DFIR ORC also allows analysts to organize the collected data into one or more archives.
Any criterion can justify a choice of organization, e.g. the nature and sensitivity of the collected information.
Some possible criteria are listed below.</p>
<ul class="simple">
<li><p>Sensitivity of information: typically, data containing sensitive information is collected into a separate archive. DFIR ORC can encrypt each archive for a separate list of recipients: the archive is encrypted with a symmetric session key, and that session key is in turn encrypted for each recipient certificate provided, so that any one recipient can decrypt the archive with their own private key. The PKCS#7 CMS standard is used to provide a cross-platform format for the encrypted file. Since encryption only requires the recipients' certificates, the matching private keys never need to be present on the target system;</p></li>
<li><p>Pace and/or volume: you may want separate archives for quick, easy data and for long, slow, massive collections. This enables a phased analysis of the data as it arrives.</p></li>
<li><p>Analysis: if you delegate analysis to other teams, or collect data for other teams (potentially with a different need-to-know), organize this data into separate archives to simplify handling and hand-over.</p></li>
<li><p>Behavior: if a tool has known issues or is new to your arsenal, you may want to segregate its execution into a separate archive so that the command engine can impose specific limitations on it.</p></li>
</ul>
</div>
</div>
<div class="clearer"></div>
</div>
</div>
</div>
<div class="clearer"></div>
</div>
<script type="text/javascript">
$(document).ready(function() {
$(".toggle > *").hide();
$(".toggle .header").show();
$(".toggle .header").click(function() {
$(this).parent().children().not(".header").toggle(400);
$(this).parent().children(".header").toggleClass("open");
})
});
</script>
</body>
</html>