Skip to main content
Red Canary help

Automate: collecting a forensics package

  • Updated .

Automate forensic collection when threats are identified or for ad-hoc investigations.

Red Canary Automate allows you to automate the collection of a forensics package from your Windows, macOS, and Linux endpoints. This action can be automatically performed whenever a threat is identified or manually invoked for ad-hoc investigations.

Forensic artifacts give you additional visibility into the state of an endpoint and enhance your ability to scope, contain, and eradicate threats.

Use cases

Automate Forensics Packages enable you to quickly capture forensic artifacts from an endpoint before they are tampered with, expire, or the endpoint goes offline.

This data, coupled with endpoint telemetry, helps you obtain a more complete picture of the endpoint in question.

There are two common use cases:

  • Automatically collect a forensics package when a high severity threat is identified.
  • Manually collect a forensics package to investigate third-party alerts or support internal investigations.

What was once a one-off, time-sensitive process can now be implemented and automated with a few clicks.

Getting started

Add the “Collect Forensics” action to a new or existing Automate playbook.

Select an output format (CSV or JSON) and specify who receives a notification when the package is available for download.

mceclip1.png

For ad-hoc investigations, click Play and choose the desired endpoint:

mceclip2.png

You'll receive a notification email that links to the Red Canary "Share a File" system. Follow the link and download your forensics package. Note that the download link expires after seven days.

Example

We collect anonymous and named pipes on Windows endpoints. Pipes are an interprocess communication mechanism that are utilized both by malware families like NotPetya and Ramnit and by legitimate tools like Cobalt Strike and PsExec (see our earlier blog here on named pipes and lateral movement):

mceclip3.png

Details collected

Windows forensic artifacts

  • Address resolution cache (ARP)
  • Application Compatibility shims
  • Autoruns (services, scheduled tasks, …)
  • Bitlocker details
  • Chrome plugins/extensions
  • Disks/drives
  • Drivers
  • \etc\hosts
  • Firewall profiles and rules
  • Groups (local system)
  • Installed programs
  • Internet Explorer plugins/extensions
  • Listening ports
  • Logged in users and logon sessions
  • Muicache
  • Network connections
  • Network interfaces (addresses, details)
  • Operating System details
  • Patches
  • Pipes
  • Prefetch files
  • Processes
  • Recycle Bin entries
  • Registry (persistence mechanisms) 
  • Routes
  • Scheduled tasks
  • Services
  • Shared resources (drives, printers, IPC, …)
  • Shimcache
  • System details
  • Time (time zone specific)
  • Uptime
  • UserAssist settings
  • Users and groups
  • Windows Crashes
  • Windows Event Log availability
  • WMI consumers and filters

macOS forensic artifacts

  • AccountPolicy details
  • Active Directory details
  • Address resolution cache (ARP)
  • Applications installed
  • Battery details
  • Block devices (disk, ramdisk, …)
  • Browser plugins/extensions
  • Crashes
  • Crontab entries
  • Disk encryption details (ex: FileVault)
  • DNS resolvers configured
  • Emond rules
  • /etc/hosts entries
  • /etc/periodic entries
  • /etc/rc.common details
  • Firewall profiles and entries
  • Gatekeeper settings
  • Groups
  • Kernel extensions
  • Kernel panics
  • Logged in users
  • Logs available (/var/log)
  • Managed configuration policies (AD, MDM, …)
  • Mounts and NFS shares
  • Network connections
  • Network interfaces (addresses, details)
  • Operating System details
  • Package install history and receipts
  • Printers
  • Processes (environment variable, open files, network connections, …)
  • Python packages
  • Recent logins
  • Routes
  • Shared folders
  • Sharing preferences (screen sharing, file sharing, remote login, …)
  • Shell history (bash_history, zsh_history, …)
  • SSH keys, configs and details (authorized_keys, known_hosts)
  • Startup items (ex: launchd)
  • Sudoers
  • System Integrity Protection (SIP) configuration
  • Time (time zone specific)
  • TimeMachine usage and details
  • Uptime
  • URI protocol handlers
  • USB devices
  • Users and Groups
  • Wi-Fi details (network, current status)
  • XProtect details

Linux forensic artifacts

  • Address resolution cache (ARP)
  • APT repositories
  • Block devices (disk, ramdisk, …)
  • Crontab entries
  • Disk encryption details
  • DNS resolvers configured
  • /etc/hosts entries
  • Iptables entries
  • Kernel details
  • Kernel modules
  • Load average
  • Logged in users
  • Logs available (/var/log)
  • Mounts
  • Network connections
  • Network interfaces (addresses, details)
  • Operating System details
  • Package details (ex: DEB, NPM, RPM, Python, YUM, ...)
  • Processes (environment variable, network connections, …)
  • Recent logins
  • Routes
  • shadow
  • Shell history (bash_history, zsh_history, …)
  • SSH keys, configs and details (authorized_keys, known_hosts)
  • Sudoers
  • System details
  • Time (time zone specific)
  • Uptime
  • USB devices
  • Users and Groups

Support

The following endpoint sensors support forensics package collection:

  • Crowdstrike Falcon
  • Elastic Endgame
  • Microsoft Defender Endpoint
  • VMware Carbon Black Cloud
  • VMware Carbon Black Response

The following operating systems support forensics package collection:

  • Windows
  • macOS
  • Linux

Important: If you use an application control product like Carbon Black Protection, you must add additional publishers to your allowlist.

Comments

0 comments

Please sign in to leave a comment.