Collecting data with IR Gatherer

Tanium IR Gatherer 3.6.0

A critical step in the incident response process is the collection of information from compromised endpoints for further forensic analysis. With IR Gatherer, you can collect extensive data from Windows, Linux, and Mac operating systems.

The IR Gatherer packages collect information from endpoints and transfer the results to the specified location. For information about the data that IR Gatherer collects, see Tanium Knowledge Base: Tanium IR Gatherer data.

Before you begin

  • If you are collecting data for Windows endpoints that have PowerShell 2.0, use Live Response. See Collecting data with Live Response for more information.
  • Install IR Gatherer
  • (Mac, optional) Download KnockKnock

    KnockKnock is a command-line Python script that lists binaries found on OS X that automatically run each time the operating system starts.

  • (Mac, optional) Download OS X collector

    OS X Collector is a toolkit for the collection and analysis of forensic evidence from Mac OS X.

Install IR Gatherer

Use Tanium IR Gatherer to collect information from compromised endpoints for further forensic analysis.

System requirements

Import the Tanium IR Gatherer solution

  1. From the Main Menu, click Tanium Solutions.
  2. In the Tanium Content section, select the IR Gatherer row and click Import Solution.
  3. Review the list of packages and sensors and click Proceed with Import.

    If you are prompted to specify whether to keep or overwrite database items that duplicate content in the downloaded solution, select the option to overwrite duplicates.

  4. When you are returned to the Solutions page, verify that the values in the Available Version and Imported Version columns match.
  5. Verify that the IR Gatherer sensors and packages were installed.
    1. From the Main Menu, click Authoring > Packages. Search for gatherer. The IR Gatherer packages are displayed.
    2. From the Main Menu, click Authoring > Sensors. Search for gatherer. The Last IR Gatherer Push Date sensor is displayed.

Set up a copy location and service account

You must have a location on a server where you are saving the IR Gatherer data. Specify the information about this server when you are deploying the IR Gatherer packages as an action on your endpoints.

Assign the account that you use for copy operations write access only. Read and append access for this account is not necessary.

Log data might include the user names and passwords that are used to access accounts. The accounts that are used for file transfer should expire as soon as possible after use.

Copy location file transfer methods

The following methods of transfer are available:

File Transfer Protocol (FTP) / Secure Copy Protocol (SCP)

Requires a user account limited to write access. Do not assign read, append and delete permissions to the user. An account that expires soon after creation is preferred.

Secure File Transport Protocol (SFTP)

Requires a user account limited to write access. Do not assign read, append and delete permissions. An account that expires soon after creation is preferred.

Server Message Block (SMB) Protocol

(Windows only) A \\server\share location, ideally a Distributed File System (DFS) location, that allows write access to the Domain Computers group. Do not enter user name and password information for the SMB transfer type.

Create SSH key pair

(Optional) If you are using SFTP or SCP as your transfer method on any platform, you might need to generate a private key (id_rsa) to add to the appropriate IR Gatherer package. This key enables endpoint authentication with the server copy location so that the files can be transferred. See the documentation for your SFTP, SCP, or SSH server for more information.

Configure the IR Gatherer packages

You can customize settings in the IR Gatherer - Collect Info to Central Server, IR Gatherer - Mac, or the IR Gatherer - Linux packages that are applied any time that package is deployed as an action.

Open the package to edit

From the Main Menu, click Authoring > Packages. Type gather in the search box. Select the package that you want to update and click Edit.

Update package timeouts

When you deploy an IR Gatherer package as an action on endpoints, the minimum expiration time for the action is the sum of the Command Timeout and Download Timeout values. You can change the default values to increase or decrease the timeout when you deploy the action.

Command Timeout

    The interval of time, in minutes, before the package command expires. By default, the command times out after 15 minutes.

Download Timeout

    The interval of time, in minutes, before the download operation times out. By default, the download operation times out after 10 minutes.

Ignore Action Lock

    Enable locked clients to run actions that include this package. For more information about the Action Lock setting, see Tanium Knowledge Base: Action Lock.

Review and update files in package

To update existing files in a package, delete the file from the package and click Add to upload the updated file.

Mac

If you downloaded KnockKnock or OS X Collector, add these files to the IR Gatherer - MAC package.

  1. In the Files section of the IR Gatherer - MAC package, click Add.
  2. Upload the KnockKnock master.zip file or the osxcollector.py file.
  3. (Optional) If you generated a key pair, upload the id_rsa file to the Files section of the package.

Linux

If you generated a key pair, upload the id_rsa file to the IR Gatherer - Linux package.

  1. In the Files section, click Add.
  2. Upload the id_rsa file.

Save the package

After you configure other settings and parameters, click Save.

Collect data from endpoints

You can customize IR Gatherer to retrieve specific endpoint information.

Target endpoints

  1. In Tanium Console, use an operating system-based question to locate computers on which to deploy the IR Gatherer package. For example, you might ask:
    • Get Computer Name from all machines with Is Windows is "True"
    • Get Computer Name from all machines with Is Linux is "True"
    • Get Computer Name from all machines with Is Mac is "True"
  2. Drill down to the endpoints from which you want to retrieve data. Select the endpoints from which you want to gather data and click Deploy Action.

Deploy the IR Gatherer package as an action

  1. Use the package that is appropriate for the operating system of the endpoints that you targeted.
    • Use the IR Gatherer - Collect Info to Central Server package to retrieve artifacts from Windows-based operating systems.
    • Use the IR Gatherer - Linux package to retrieve artifacts from Linux-based operating systems.
    • Use the IR Gatherer - MAC package to retrieve artifacts from Mac-based operating systems.
  2. Specify information about where you want to copy the artifacts. For more information about the requirements for transferring files with IR Gatherer, see Set up a copy location and service account.

  3. Click Show Preview to Continue.
  4. After you preview the list of endpoints to which the action is being deployed, click Deploy Action.

Verify results and view files

(Windows only) View IR Gatherer run history

Use the Last IR Gatherer Push Date sensor to obtain information about the last run of IR Gatherer.

Use the Reset Last IR Gatherer Push Date package to clear the date of the last collection from the Windows Registry.

View log files

If an action is issued but the specified files do not appear, check the endpoint log files for the Action ID displayed in Tanium Console. For example, for an Action ID of 7684, see the /opt/Tanium/Tanium Client/Downloads/Action_7684 directory.

View copy job activity

Copy job activity is logged for each endpoint in the Tanium Client\Tools\Copy\Logs directory. Log files are rotated every ninety days.

View collected files on server

The output is a single zip archive that is named after the host, the date and time, and the output hash of the file. Inside the zip file is a series of folders, one for each artifact that was collected. Within each artifact folder are files and folders that correspond to the evidence that was collected.
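The following is an added example, not code from Tanium or from IR Gatherer, that inventories the artifact folders in a collected archive and checks the hash embedded in its file name against the bytes received, so a truncated or altered transfer is caught before analysis starts. The page says only that the name is built from host, date/time and a hash; the assumed layout <host>_<timestamp>_<sha256>.zip and the SHA-256 algorithm are assumptions, and the sample archive is constructed inline.

```python
"""Inventory and integrity check for an IR Gatherer-style output archive.

Added example, not part of Tanium's documentation or tooling. The name
layout <host>_<timestamp>_<sha256>.zip and the hash algorithm are assumed;
the sample archive below is constructed, not real collected evidence.
"""
import hashlib
import io
import zipfile
from typing import Dict, List, Tuple


def build_sample_archive() -> bytes:
    """Construct a small archive laid out like a collection result: one
    top-level folder per collected artifact (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Prefetch/notes.txt", "sample prefetch listing")
        zf.writestr("Prefetch/CMD.EXE-1234ABCD.pf", b"\x00" * 16)
        zf.writestr("EventLogs/Security.evtx", b"ElfFile\x00")
        zf.writestr("Autoruns/autoruns.csv", "Entry,Path\nRun,C:\\x.exe\n")
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the whole archive, the value worth recording for custody."""
    return hashlib.sha256(data).hexdigest()


def artifact_inventory(data: bytes) -> Dict[str, List[str]]:
    """Map each top-level artifact folder to the files collected under it."""
    inventory: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            folder, _, member = info.filename.partition("/")
            inventory.setdefault(folder, []).append(member)
    return inventory


def check_archive_name(name: str, data: bytes) -> Tuple[bool, str]:
    """Compare the hash component of the (assumed) file name with the
    hash of the bytes actually received; returns (match, actual_hash)."""
    stem = name[:-4] if name.endswith(".zip") else name
    parts = stem.split("_")
    if len(parts) < 3:
        return False, "unexpected name layout"
    expected = parts[-1].lower()
    actual = sha256_hex(data)
    return actual == expected, actual
```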

Reference: IR Gatherer sensors and packages

For details about the parameters for each IR Gatherer sensor and package, see Tanium Knowledge Base: IR Gatherer Reference.

Last updated: 6/12/2018 10:26 AM