Now Available: Cellebrite Endpoint Inspector 1.7

Version 1.7  |  Cellebrite Endpoint Inspector  |  April 18, 2023

New Incident Response Features

Cellebrite is pleased to announce these new incident response features for computer collections:

  • Support for YARA Rules
  • Collecting from Computers with YARA Rules

Support for YARA Rules

Cellebrite is pleased to introduce YARA rules for incident response collections in Endpoint Inspector. These rules describe malware families based on textual or binary patterns. With YARA rules, incident responders can define computer collections that detect malware and other security threats.

YARA rules examine the contents of files on remote computers, so if you select a large number of rules, the agent may consume considerable resources. You can limit the scope of a YARA search by specifying a file path.

YARA rule sets for Windows computers are already loaded from ReversingLabs into the Endpoint server (https://github.com/reversinglabs/reversinglabs-yara-rules).

Import YARA Rules

You can import additional rules from sites such as GitHub, rules your organization already uses, or rules you write yourself.

Collecting from Computers with YARA Rules

When defining a computer collection for incident response, examiners can choose rule categories and then rule sets from a list on the Select YARA Rule Sets dialog. If you want to also collect files that respond to the YARA rules, mark the Collect Responsive Files checkbox.

On the Details page for a computer collection that included YARA rules, those rules are visible. The resulting report is a text file. If you chose to collect responsive files, an L01 file is created that contains the responsive files and folders.

Collecting Incident Response Files from Computers

It is now easier to define computer collections and templates that focus on common targets for incident response. You can choose exactly which volatile data types to target for collection. You can also use YARA rules to collect files. The resulting collection is an L01 file. Endpoint Inspector can ingest these files so you can examine the items in the incident response collection.

New Features for Mac Computers

We are pleased to introduce these features for Mac computers:

  • Collecting Mac Computer Images
  • Collecting Mobile Data with Mac Computers

Collecting Mobile Data with Mac Computers

We are pleased to introduce the Endpoint mobile agent for Mac computers. This mobile agent can collect information from both iOS and Android devices. First, an administrator must upload the installer for the Mac mobile agent to the Endpoint server.

Then, examiners can create mobile collections as normal. It is not necessary to know or specify which platform any custodian’s computer runs on. Just as when using a Windows computer to collect mobile data, custodians receive an automated email message with information they need to start the mobile collection. In this email message, they click the link for the mobile application, which opens the Download Agent page in their default web browser. From there, custodians follow the instructions in their web browser to complete the collection process.

Searching the Operating System Index

When you define a computer collection to collect files, you can now use keywords to search the operating system’s index. On macOS, the index is Spotlight. On Windows, the index is Search.

OS index search in computer collections has these benefits:

  • The volume of collected files is reduced and the collection completes more quickly.
  • Collected files are more likely to be relevant, which accelerates the time to meaningful insights.
  • Endpoint Inspector is transparent about what is indexed, searched, and collected, which produces defensible results.

OS Index Search Keywords

OS index searches are not case sensitive. Each keyword must be on its own line. Examiners can choose whether a result must contain an exact match for all of the supplied keywords, or for at least one of them, in its file name or its text content. Keywords can be a partial word or phrase and may include the asterisk (*) as a wildcard. Examiners can either type or load a list of keywords.
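As an added illustration (not Cellebrite's code), the following Python emulates the keyword semantics described above over a constructed set of indexed files, so an examiner can see which files a keyword list would return under the all-keywords and any-keyword modes. The mapping of the asterisk to "any characters" and substring (partial word) matching are assumptions about the feature, not taken from the product; a real collection queries Spotlight or Windows Search instead of an in-memory dictionary.

```python
import re
from typing import Dict, List

# Constructed sample "indexed" files (name -> text content); not real data.
SAMPLE_FILES: Dict[str, str] = {
    "Q1_invoice_ACME.docx": "Invoice for ACME Corp, payment due 30 days.",
    "notes.txt": "Meeting with acme about the merger; payment terms TBD.",
    "readme.md": "Build instructions for the project.",
    "payment_schedule.xlsx": "Installments: Jan, Feb, Mar.",
}


def parse_keywords(keyword_text: str) -> List[str]:
    """One keyword per line, as the keyword list is entered; blank lines are ignored."""
    return [line.strip() for line in keyword_text.splitlines() if line.strip()]


def keyword_to_regex(keyword: str) -> "re.Pattern[str]":
    """Treat the keyword as literal text (partial words allowed), with '*' as a wildcard
    for any run of characters; matching is case-insensitive (assumed semantics)."""
    parts = [re.escape(p) for p in keyword.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)


def index_search(files: Dict[str, str], keyword_text: str, match_all: bool) -> List[str]:
    """Return the names of files whose name or text content matches all of the keywords
    (match_all=True) or at least one of them (match_all=False)."""
    patterns = [keyword_to_regex(k) for k in parse_keywords(keyword_text)]
    if not patterns:
        return []  # no keywords means nothing is selected for collection
    hits = []
    for name, content in files.items():
        matched = [bool(p.search(name) or p.search(content)) for p in patterns]
        if all(matched) if match_all else any(matched):
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    print("all :", index_search(SAMPLE_FILES, "acme\npayment", match_all=True))
    print("any :", index_search(SAMPLE_FILES, "acme\npayment", match_all=False))
    print("glob:", index_search(SAMPLE_FILES, "inv*acme", match_all=True))
```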

Computer Agent Installation Requirement for Mac

This requirement applies to memory collection from remote M1 and M2 Mac computers. When the computer collection agent is installed on these computers, a third-party kernel extension (kext) must be enabled in the recovery environment. Users of these computers must participate in this process, which requires the computers to be restarted twice.

If this memory kext fails to install, the config.json file on the remote Mac computer is updated to prevent the kext from attempting to load. This means that while collections can be made from these computers, attempts to collect memory cannot succeed.

For more enhancements and issues fixed in this release, a user guide, and a quick start guide, visit the MyCellebrite Portal.