Collecting data with Live Response

Tanium Live Response 1.1.2

A critical step in the incident response process is the collection of data from compromised endpoints for further forensic analysis. With Live Response, you can collect extensive data from Windows systems that have PowerShell 2.0 or later.

Live Response might work on Windows XP and Windows 2003 endpoints that have PowerShell 2.0 or later installed, but those platforms are not supported.

The Live Response package collects forensic information from endpoints, and transfers the results to the specified location. The Live Response - Windows package contains configuration files that specify what data to collect, and where to copy the data.

Before you begin

Configure a copy location and endpoints

  • You must have a copy location to save the forensic data to be collected. The server that receives information from Live Response can be an Amazon S3 Bucket, or able to communicate over SFTP, SCP, or SMB protocols.
  • For an SMB copy location, the endpoint and user must have permission to mount the server as a share and write to the directory. For authenticated domain computers, configure the destination directory as a write-only share. Required advanced permissions:

    • Read attributes
    • Create files / write data
    • Create folders / append data
    • Write attributes
  • For Amazon S3 Bucket copy locations, ensure that clients are synchronized with a time server. Transfers fail if the client time differs from the server time by more than 15 minutes.

Configure the Live Response package

Before you deploy the Live Response - Windows package, customize the transfer and collector configurations.

You can upload multiple JSON files to the package with different configurations. Select the appropriate configuration when you deploy the package.

Custom configuration files are not saved when you upgrade Live Response. For more information, see Preserve configuration files before upgrading Live Response.

Edit the Live Response package

  1. Open the package to edit.
    1. From the Main Menu, click Authoring > Packages.
    2. In the search box, type live response.
    3. Select the Live Response - Windows package and click Edit.
  2. (Optional) Update the package timeouts.

    When you deploy the Live Response package as an action on endpoints, the minimum expiration time for the action is the sum of the Command Timeout and Download Timeout values. You can change the default values to increase or decrease the timeout when you deploy the action.
    These timeouts affect only the transfer of the Live Response package to the endpoints. Live Response runs in detached mode, so file transfers are not associated with the completion of the action.

Update the transfer configuration files

Collected files are sent to network destinations that you specify in transfer configuration files.

  1. Add information about a transfer destination.
    The Files section of the package contains a sample transfer configuration file (SMB.json, SCP.json, SFTP.json, S3.json) for each supported transfer method. Download the files for the destinations that you want to configure, and update the contents to specify the details about your transfer destination. For more information on the configuration file format, see Reference: Transfer configuration.
  2. Add files that are required to verify the identity of the destination, such as:
    • A known_hosts file for SSH-based transfer mechanisms, such as SCP or SFTP
    • RSA files, if you are using an RSA key
    • S3 secret key file, if you are using an Amazon S3 Bucket

(Optional) Update collector configuration

The collector configuration controls the data that gets collected. Choose from one of the following configurations when you deploy the Live Response - Windows package:

  • Standard_Collection.json: Use for default data.
  • Extended_Collection.json: Use to collect the same data as Standard_Collection.json, plus more file-based artifacts, such as the kernel, the Master File Table, USN Journal, event logs, registry hive files, and so on.
  • Memory_Collection.json: Use for memory acquisition.
  • Custom_Collection.json: Use as an example if you are adding your own PowerShell scripts to Live Response.

For more information about what gets collected for each file, see Default data modules.

(Optional) Set default values

In the Parameters section, select a parameter. You can choose default values that are selected when you deploy the package.


Collect data from endpoints

To collect data from endpoints, deploy the Live Response package.

To prevent resource overload on endpoints, only issue this action manually. Do not create a scheduled action.

  1. Target endpoints for data collection. Use an operating system-based question, for example: Get Computer Name from machines with Is Windows containing "True".
  2. Select the endpoints from which you want to collect data and click Deploy Action.
  3. In the Deployment Package field, type Live Response - Windows.
  4. Define the collector and transfer configurations.
  5. Click Show Preview to Continue.
  6. After you preview the list of endpoints to which the action is being deployed, click Deploy Action.

Live Response tests the connection by writing an LRConnectionTest file to the destination. If the write fails, the action tries the other destinations in the transfer configuration in the order they are listed in the configuration file. If all the connection tests fail, the Live Response action does not proceed.

The Tanium Server shows the package as complete almost immediately after the package is downloaded on the endpoints. This completion is not accurate because Live Response runs in detached mode. File transfers continue after the action completes.

The actual time to complete the transfer depends on the endpoint activity and connection speed between the endpoint and the destination system.

Collect logs

In addition to the standard action logs on the endpoint (<Tanium Client>\Downloads\Action_###\Action_####.log), a log file of Live Response activities is written to the same directory. This file follows the naming convention YYYYMMDDhhmm_LR.log.

When Live Response completes, the YYYYMMDDhhmm_LR.log is copied to the destination. The action log is not copied to the destination.

Use both the action log and the Live Response log file to troubleshoot problems. The action log captures messages written to standard error (stderr).

Reference: Transfer configuration

Live Response includes the following example configuration files for file transfer: 

  • S3.json
  • SCP.json
  • SFTP.json
  • SMB.json

All transfer configuration files must contain one connection string.

{
	"dest":[
		"scp://<...>"
	],
	"throttlembps": 0.5
}

The throttlembps parameter specifies the maximum amount of endpoint bandwidth a transfer is permitted to consume, in megabits per second. Without specifying a maximum rate, the data is sent at the rate it is collected on the endpoint.

The contents of these configuration files must be URL encoded. For example, replace # with %23. Other special characters in URLs include:
  • space - %20
  • & - %26
  • # - %23
  • ? - %3F
  • : - %3A
  • = - %3D
  • @ - %40
  • % - %25
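A wrong transfer configuration is only discovered when the connection test fails on the endpoint, so it pays to check the file before deploying it. The following Python is an added example and is not part of Live Response or of this documentation: it percent-encodes the user name, password and path components of a destination (producing exactly the substitutions listed above), assembles a "dest" entry, and lints a transfer configuration for the common mistakes (unsupported scheme, missing host, raw "#" or space, non-positive throttlembps). The scheme://user:password@host/path layout, the host collector.example.invalid and the credentials are constructed assumptions; the authoritative connection-string options come from taniumfiletransfer_64 protocol <name>.

```python
import json
from urllib.parse import quote, urlsplit

# Transfer methods named in this documentation; the definitive list comes from
# running "taniumfiletransfer_64 protocol" on the endpoint.
SUPPORTED_SCHEMES = {"scp", "sftp", "smb", "s3"}


def encode_component(value):
    """Percent-encode one URL component (user name, password or path segment).

    safe="" makes quote() escape every reserved character, including the ones
    listed above: space, &, #, ?, :, =, @ and % itself.
    """
    return quote(value, safe="")


def build_dest(scheme, user, password, host, path):
    """Assemble an entry for the "dest" list from its raw parts.

    The scheme://user:password@host/path layout is an assumption of this
    example; confirm the protocol-specific options with
    "taniumfiletransfer_64 protocol <name>" before relying on it.
    """
    userinfo = encode_component(user)
    if password is not None:
        userinfo += ":" + encode_component(password)
    # Encode each path segment separately so the "/" separators survive.
    encoded_path = "/".join(encode_component(seg) for seg in path.strip("/").split("/"))
    return f"{scheme}://{userinfo}@{host}/{encoded_path}"


def lint_transfer_config(text):
    """Return a list of problems found in a transfer configuration JSON document.

    An empty list means the file parses and every destination looks usable.
    """
    problems = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]

    dest = cfg.get("dest")
    if not isinstance(dest, list) or not dest:
        problems.append('"dest" must be a non-empty list of connection strings')
        dest = []
    for i, url in enumerate(dest):
        parts = urlsplit(url)
        if parts.scheme not in SUPPORTED_SCHEMES:
            problems.append(f"dest[{i}]: unsupported scheme {parts.scheme!r}")
        if not parts.hostname:
            problems.append(f"dest[{i}]: missing host")
        # A raw "#" makes urlsplit treat the remainder as a fragment: the
        # classic symptom of a password that was not URL encoded.
        if parts.fragment or "#" in url:
            problems.append(f"dest[{i}]: raw '#' (encode as %23)")
        if " " in url:
            problems.append(f"dest[{i}]: raw space (encode as %20)")

    throttle = cfg.get("throttlembps")
    if throttle is not None and (
        isinstance(throttle, bool) or not isinstance(throttle, (int, float)) or throttle <= 0
    ):
        problems.append('"throttlembps" must be a positive number (megabits per second)')
    return problems


def example_config():
    """Build a constructed SCP transfer configuration with an awkward password."""
    dest = build_dest("scp", "lr-drop", "p#ss w&rd", "collector.example.invalid", "incoming/lr")
    return json.dumps({"dest": [dest], "throttlembps": 0.5}, indent=2)


if __name__ == "__main__":
    good = example_config()
    print(good)
    print("problems:", lint_transfer_config(good))
    # Same destination with the password left unencoded and a bad throttle value.
    bad = '{"dest": ["scp://lr-drop:p#ss w&rd@collector.example.invalid/incoming"], "throttlembps": -1}'
    print("problems:", lint_transfer_config(bad))
```

Run the linter over every JSON file you upload to the package; a destination that passes here can still fail the connection test for permission or network reasons, so keep a second destination listed as a fallback.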

View supported protocols and options for file transfers

To see all supported protocols and protocol-specific options, you can run the taniumfiletransfer.exe file. The Live Response package contains the taniumfiletransfer_32.exe and taniumfiletransfer_64.exe files. When the package is deployed, the file that is appropriate for the bitness of the endpoint is copied to the endpoint and renamed to taniumfiletransfer.exe.

Download the taniumfiletransfer_32.exe or taniumfiletransfer_64.exe file from the Live Response - Windows package.

To see a list of supported protocols, run one of the following commands, depending on the bitness you are using:

taniumfiletransfer_64 protocol
taniumfiletransfer_32 protocol

To see details about scp protocol, including options for the protocol connection string, run: 

taniumfiletransfer_64 protocol scp

Reference: Collector configuration

You can customize the data and files that are collected when you deploy the Live Response package. It might be helpful to have multiple versions of the configuration file for specific types of endpoints, such as endpoints that would have antivirus or quarantine files.

Live Response includes the following example configuration files:

  • Standard_Collection.json: Use for default data.
  • Extended_Collection.json: Use to collect the same data as Standard_Collection.json, plus more file-based artifacts, such as the kernel, the Master File Table, USN Journal, event logs, registry hive files, and so on.
  • Memory_Collection.json: Use for memory acquisition.
  • Custom_Collection.json: Use as an example if you are adding your own PowerShell scripts to Live Response.

Global Settings

You can configure the base settings for the Live Response configuration files. A module or file collection setting can override these base settings by including the setting name and value in the appropriate section.

"options":{
	"disk_info": true,
	"copy": true,
	"depth": 0,
	"max_num_files": -1,
	"raw": false,
	"raw_fallback": false,
	"hashes": ["md5","sha256"],
	"log_level": "info"
}

disk_info

Specifies whether to collect time stamp information from the MFT. (Default: true)

true: Collect Standard_Information time stamps from the MFT. If raw file collection occurs, File_Name attribute time stamps are also collected from the MFT. Enable raw file collection by setting raw or raw_fallback to true.
false: No time stamp information is collected.

copy

Specifies whether to copy files to the destination. The default global option is true, with overrides set to false for the process details, module details, and driver details modules.

true: Copy all files to the destination as part of the Live Response process. This set of files includes everything related to processes, loaded modules (dlls), driver files, and so on. Copying files adds significant time, bandwidth and storage space requirements to the process. In general, target file collection to files of particular interest.
false: Files are not copied.

depth

Specifies the number of subdirectories in which the regular expression is evaluated.

max_num_files

Specifies a maximum number of files to collect. For an unlimited number, set to -1.

raw

Specifies whether to use Windows API mode, or to parse the master file table (MFT). API mode is faster than parsing the MFT.
false: (default) Use API mode.
true: Parse the master file table.

raw_fallback

Specifies whether to parse the MFT if API calls are unsuccessful. Set to true to enable.

hashes

Specifies the type of hash to calculate for the files.
Valid values: md5, sha1, sha256.

log_level

Reserved for future use to control logging to the Live Response log file.

Scripts

You can configure your own PowerShell script (ps1 file) to run as part of Live Response. For example, the following configuration enables a collect-test-script.ps1 file to run. You must also upload the script file (collect-test-script.ps1 in this example) to the package.

"scripts":[
	{
		"name": "collect-test-script",
		"filename": "collect-test-script.ps1",
		"safe_args": ["-i", "input_file.txt", "-o", "output_file.txt"],
		"enabled": true,
		"order": "01"
	}
]

name

Specifies the name of the script.

filename

Specifies the name of the ps1 file. The script file must be uploaded to the Live Response package.

safe_args

Specifies a list of parameters and example values for the script.

enabled

Specifies whether the script is run when the Live Response package is deployed.

order

Controls the order in which scripts run. This order is commonly referred to as the "order of volatility" in digital forensics and incident response. Collect the data that is most likely to change before data that changes less frequently; for example, collect running process details, which change often, before configuration files stored on disk.

Modules

The modules section contains the data collection functions included with Live Response. An example of a module definition follows: 

"modules":[
	{
		"name": "ProcessDetails",
		"enabled": true,
		"copy": false,
		"order": "02"
	}
]

name

Specifies the name of the module.

enabled

Specifies whether the module is enabled during the deployment of the Live Response package.

order

Controls the order that data is collected. This order is commonly referred to as the "order of volatility" in digital forensics and incident response fields. Collect data that is most likely to change before collecting data that changes less frequently. For example, collect running process details first, then configuration files stored on disk.

Default data modules

The following data is captured by default, and is configurable in the Standard_Collection.json file: 

  • Process details
  • Module details
  • Driver details
  • Prefetch
  • Amcache
  • Shim cache
  • Scheduled tasks
  • Recent files
  • Network connections
  • Process handle details
  • Autoruns details
  • Hosts file

Extended data modules

The following data is configurable in the Extended_Collection.json file: 

  • Process details
  • Module details
  • Driver details
  • Prefetch
  • Amcache
  • Shim cache
  • Scheduled tasks
  • Recent files
  • Network connections
  • Process handle details
  • Autoruns details
  • Hosts file

  • Standard and Master Boot Record
  • Master File Table
  • USN Journal, Kernel
  • Registry Hives
  • User Profiles
  • Event Logs
  • Prefetch files
  • Chrome user data
  • Trace database (if present)
  • Index Database (if present)

Files

The Files section specifies which files to collect from the endpoints, along with the associated metadata.

"files":[
	{
		"name": "MFT",
		"path": "%systemdrive%",
		"regex": "(\\$MFT$)",
		"hashes": ["md5","sha1","sha256"],
		"enabled": true,
		"order": "01",
		"raw": true
	}
]

File properties

name

Specifies a name that describes the group of files.

path

Specifies a file path on the endpoint.

regex

Specifies a regular expression that is run on the specified directory path. All files that match are gathered.

hashes

Specifies a list of hashes to calculate for each file. Valid values: md5, sha1, sha256.

enabled

Specifies whether this group of files is collected when the Live Response package is deployed.

order

Controls the order in which files are gathered. Collect data that is likely to change before data that changes less frequently.

depth

Specifies the number of subdirectories in which the regular expression is evaluated.
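The override rule under Global Settings, and the order, hashes and regex fields in the Scripts, Modules and Files sections above, can all be checked before a deployment rather than in the Live Response log afterwards. The following Python is an added example and is not part of Live Response or of this documentation: it parses a constructed collector configuration modelled on the fragments above, resolves the effective settings for each entry (built-in defaults, then the "options" block, then the entry's own keys), lists the collection order, and flags unsupported hash names, regular expressions that do not compile, and script entries that are not ps1 files. The sample configuration, the "HostsFile" module name and the deliberately wrong "Broken" file group are constructed for illustration.

```python
import json
import re

# Global defaults as listed under Global Settings in this documentation.
GLOBAL_DEFAULTS = {
    "disk_info": True,
    "copy": True,
    "depth": 0,
    "max_num_files": -1,
    "raw": False,
    "raw_fallback": False,
    "hashes": ["md5", "sha256"],
    "log_level": "info",
}
VALID_HASHES = {"md5", "sha1", "sha256"}

# Constructed collector configuration modelled on the fragments in this
# documentation. "HostsFile" is an assumed module name and the "Broken" file
# group is deliberately wrong so the linter has something to report.
SAMPLE_CONFIG = json.dumps({
    "options": {"copy": True, "hashes": ["md5", "sha256"], "raw": False},
    "scripts": [
        {"name": "collect-test-script", "filename": "collect-test-script.ps1",
         "safe_args": ["-i", "input_file.txt", "-o", "output_file.txt"],
         "enabled": True, "order": "01"},
    ],
    "modules": [
        {"name": "ProcessDetails", "enabled": True, "copy": False, "order": "02"},
        {"name": "HostsFile", "enabled": True, "order": "10"},
    ],
    "files": [
        {"name": "MFT", "path": "%systemdrive%", "regex": "(\\$MFT$)",
         "hashes": ["md5", "sha1", "sha256"], "enabled": True, "order": "01", "raw": True},
        {"name": "Broken", "path": "%systemdrive%\\Temp", "regex": "(",
         "hashes": ["crc32"], "enabled": True, "order": "05"},
    ],
})


def load_config(text):
    """Parse a collector configuration; a JSON error here is the first thing to fix."""
    return json.loads(text)


def effective_settings(config, entry):
    """Resolve the settings that apply to one script, module or file group.

    Built-in defaults are overlaid by the file's "options" block, then by any of
    those keys the entry sets itself: the override rule from Global Settings.
    """
    merged = dict(GLOBAL_DEFAULTS)
    merged.update(config.get("options", {}))
    merged.update({k: v for k, v in entry.items() if k in GLOBAL_DEFAULTS})
    return merged


def _order_key(order):
    # Numeric strings sort by value ("2" before "10"); anything else sorts last.
    return (0, int(order)) if str(order).isdigit() else (1, str(order))


def collection_plan(config):
    """List enabled entries as (section, name) in the order they are collected.

    Lower "order" values run first (order of volatility); ties keep their
    position in the file because sorted() is stable.
    """
    items = []
    for section in ("scripts", "modules", "files"):
        for entry in config.get(section, []):
            if entry.get("enabled", False):
                items.append((_order_key(entry.get("order", "")), section, entry["name"]))
    items.sort(key=lambda item: item[0])
    return [(section, name) for _, section, name in items]


def lint_collector_config(config):
    """Return problems that would otherwise surface only during the deployment."""
    problems = []
    for section in ("scripts", "modules", "files"):
        for entry in config.get(section, []):
            where = f"{section}/{entry.get('name', '?')}"
            for key in ("name", "enabled", "order"):
                if key not in entry:
                    problems.append(f"{where}: missing {key}")
            if not str(entry.get("order", "")).isdigit():
                problems.append(f'{where}: order should be a numeric string such as "01"')
    for entry in config.get("scripts", []):
        if not str(entry.get("filename", "")).lower().endswith(".ps1"):
            problems.append(f"scripts/{entry.get('name', '?')}: filename must be a .ps1 file")
    for entry in config.get("files", []):
        where = f"files/{entry.get('name', '?')}"
        if "path" not in entry:
            problems.append(f"{where}: missing path")
        settings = effective_settings(config, entry)
        unsupported = set(settings["hashes"]) - VALID_HASHES
        if unsupported:
            problems.append(f"{where}: unsupported hash(es) {sorted(unsupported)}")
        try:
            # Syntax check only; the regex engine used on the endpoint may differ.
            re.compile(entry.get("regex", ""))
        except re.error as exc:
            problems.append(f"{where}: regex does not compile ({exc})")
    return problems


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for section, name in collection_plan(cfg):
        print(f"{section:8} {name}")
    for problem in lint_collector_config(cfg):
        print("problem:", problem)
```

Treat a clean lint result as necessary rather than sufficient: it confirms the structure and the hash names, but whether a regex matches the intended files on a given endpoint is still best verified with a manual deployment to one test machine before wider use.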

Last updated: 10/23/2018 2:00 PM