BTLO investigation tips & tricks
When it comes to tackling the investigations on BTLO there are a number of things that set you up for success. Much like in our average day when we're trying to get things done, I believe that forming good habits leads to more consistent and better results.
Investigation preparation
It's probably because of the NIST cybersecurity framework that I always try to run through preparation steps for each investigation. Doing these things is how I frame the problem and give myself a starting point, and it usually works well.
Take notes
I use Silverbullet for taking notes, and have a template specifically for investigations. It's a pretty simple template that lays out:
- Tags - What the difficulty and category of the investigation is
- Lab resources - What do I have in front of me, to force me to evaluate the initial evidence
- Tools - This is so that I can refer back and check if I haven't used a tool yet, and in future to let me review how I used the tools
- Questions - Specifically a set format of:
  - Question number
  - How to answer (can be very rough)
  - The actual answer
Read the investigation info
Certainly for Easy level investigations the introduction can often give you good clues. Take the time to just read and understand what the context is, because otherwise you might do the natural human thing and make assumptions.
Another great resource is the tags; they can give you an idea of what you're looking for or what you will potentially use. MITRE ATT&CK techniques, if you aren't familiar with them, can help you focus on the right things or remind you which tools are potentially helpful.
Diving in
Once into the investigation it can be easy to get caught up in the moment, even becoming target-fixated.
Read the question twice, slowly
It's easy to skip details in a question, overthink it or misunderstand it. This is in some ways exam technique: making sure you know what the question wants. Deliberately reading it more than once, and pausing at each piece of punctuation, helps so much.
Review outputs carefully
More than once I've moved too quickly through the output of a command and failed to spot what in hindsight was straightforward. When you have a reasonable idea of what you are looking for, it is easy to skim and miss the relevant log line.
Consider alternative methods
Just because a tool is right there in front of you doesn't always mean it is the right one to use. Native tools within the operating system might be more effective, and if you know them they will speed you up a lot!
An example of this is when the supposedly obvious tool isn't actually helping you. Opening a CSV in LibreOffice because it is the default application might not help if it is a giant multi-MB file. Running a filter might take minutes in the GUI app, but a simple use of cat piped into grep is a much faster search.
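As an added illustration (not from the original post), here is the command-line version of that CSV filter: the header line is kept, grep does the text search, and awk handles the case where you want to match one named column rather than anywhere on the line. The sample CSV, its column names and the values in it are all constructed for the example.

```shell
#!/bin/sh
# Constructed sample standing in for a multi-megabyte CSV export.
SAMPLE_CSV="timestamp,host,event_id,user,message
2024-11-01T09:00:01Z,WS01,4624,alice,An account was successfully logged on
2024-11-01T09:00:05Z,WS01,4625,bob,An account failed to log on
2024-11-01T09:01:12Z,WS02,4625,bob,An account failed to log on
2024-11-01T09:02:44Z,WS02,4688,alice,A new process has been created
2024-11-01T09:03:09Z,WS03,4625,carol,An account failed to log on"

# filter_csv PATTERN  (reads the CSV on stdin)
# Print the header line, then every row containing PATTERN anywhere.
# grep -F treats PATTERN as literal text, so dots and brackets in a
# message or hostname are not misread as a regular expression.
filter_csv() {
    IFS= read -r header && printf '%s\n' "$header"
    grep -F -- "$1"
}

# filter_column COLUMN VALUE  (reads the CSV on stdin)
# Print the header, then rows whose named column equals VALUE exactly.
# Caveat: a plain comma split breaks on quoted fields that contain commas;
# this sample has none, which is why the simple approach is fine here.
filter_column() {
    awk -F, -v col="$1" -v val="$2" '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == col) idx = i; print; next }
        idx && $idx == val
    '
}

# count_rows  (reads filtered CSV on stdin)
# Number of data rows, excluding the header.
count_rows() {
    tail -n +2 | wc -l | tr -d ' '
}

# Demo when run directly: failed logons (event 4625) and how many there were.
printf '%s\n' "$SAMPLE_CSV" | filter_column event_id 4625
printf 'failed logons: %s\n' "$(printf '%s\n' "$SAMPLE_CSV" | filter_column event_id 4625 | count_rows)"
```

On a real export, replace `printf '%s\n' "$SAMPLE_CSV"` with `cat file.csv` and the same functions apply.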
When you hit a wall
It is probably inevitable that we will all hit something, and if you've already taken the above into consideration you probably need to step back from the problem.
Take a break
One of the simplest things to do sometimes is walk away. It can be frustrating if you just have one
Reach out for hints
In real-life scenarios you would speak to colleagues and bounce ideas around, and they would no doubt say "Have you tried ..." or "I once saw this...". Asking for hints from SBT staff or others who have completed the investigation is basically the same thing.
As I think of more I'll come back to this post and update it; a changelog will follow. I hope this helps Defenders!
10 Nov 2024: Formatting and creating sections.