The Cado Platform From Cado Security

Pieces0310 reviews the Cado Platform, a cloud-native digital forensics solution designed to streamline and accelerate the investigation of security incidents.

Cloud services have become one of the most widely adopted technologies in recent years. Traditional digital forensics cannot simply be applied to cloud forensics: the focus shifts from identifying potential digital evidence to determining which cloud services the user has utilized. Additionally, the targets of acquisition are no longer just physical hard drives that can be seized; they may be specific disk tracks within large-scale disk arrays located in the data center.

Given the characteristics of cloud computing, data is stored centrally on cloud servers and distributed across different regions or countries. The main difference between cloud computing and a traditional environment is that enterprises lose control over their data, which makes the collection and extraction of digital evidence significantly more challenging during digital forensic operations.

In traditional digital forensics, investigators have complete control over the target machine. In a cloud computing environment, however, control over the data varies depending on the computing model, and the cooperation of cloud service providers is required. This reliance on providers presents a potential bottleneck during the evidence collection stage in the cloud computing environment.

Introducing the Cado Platform

If a cloud service is suspected of being hacked or infected with malware, how should investigators conduct an incident investigation and cloud forensics? The Cado Platform is the leading solution for Incident Response on cloud services.




The Cado Platform is a cloud-based forensic platform and also a powerful tool for incident response. With it, security teams can quickly initiate investigations when potential threats arise in cloud services, search for suspicious traces, and thereby identify potential suspects.

Unlike host-based solutions, investigation of cloud services does not rely on an agent-based approach. Instead, valid credentials are required to import data from the cloud. The Cado Platform can be deployed in AWS, Azure or Google Cloud. Once deployed in the target environment, Cado can extract and process evidence quickly and efficiently.

The Cado Platform supports various evidence formats, including AWS, Azure and GCP capture formats. It can also integrate with SIEM, webhook and XDR platforms such as CrowdStrike, SentinelOne and Microsoft Defender. Cado Host is a solution for acquiring forensic artifacts from systems and placing them into cloud storage, enabling you to perform a quick triage investigation of a target system. The Cado Platform also supports local evidence formats such as .E01/split E01, .VHD/.VHDX, .DD, .Gz/.Tar/.Zip, etc.

In terms of volume formats, the Cado Platform supports common formats like MBR, GPT and LVM, as well as VSS (Volume Shadow Snapshots). In terms of file systems, the Cado Platform supports not only the commonly used FAT and NTFS on Windows but also ext2/3/4 on Linux. Additionally, it includes support for APFS (Apple File System) and XFS. XFS is the file system used by the well-known Unix distribution IRIX. If there are specific formats you would like Cado to support, you can submit a request to support@cadosecurity.com.

The strength of the Cado Platform lies in its support for various common logs and a wide range of evidence types. By simply importing them into the Cado Platform, it can effectively analyze them. Besides, the Cado Platform can capture logs from cloud services via their APIs.

The Cado Platform also supports memory acquisition and analysis. When discussing the importance of memory analysis, no matter how malicious programs attempt to conceal their traces, they inevitably reveal themselves in memory during execution. Therefore, for investigators engaged in incident response, the extraction of volatile data must include memory. Investigators often regard memory analysis as a primary indicator in incident investigations, aiming to quickly identify suspicious programs.

Support for third-party tools is also one of Cado’s key features. From an evidence collection perspective, collecting triage artifacts is certainly faster and more storage-efficient than acquiring a full disk image. However, Cado can also import full disk image files like .dd or .e01. Additionally, it can process triage zip files produced by open-source tools such as KAPE or Velociraptor.

Evidence Acquisition

Let me show you how to acquire evidence in the Cado Platform. First I create a case named IR-1.

Then I click [import] and Cado shows me the type of sources supported. I’d like to import evidence from cloud services so I click [Cloud].

Next I’d like to choose AWS; its IAM role is “default”. An IAM (Identity and Access Management) role is an IAM identity that you can create in your account and that has specific permissions.

Then I click [EC2] to import data from EC2 instances.

Then I choose the Region “us-east-2”.

Select the target instance named “appstack-db-ec2-3932132771”; its instance ID is “i-0d89848649204b589”.

Next I have to decide what action type to choose. Under normal circumstances, [Triage Acquisition] can quickly and effectively provide initial clues. However, if a thorough analysis of the evidence is required, the [Full Acquisition] option can be selected.

Additionally, look at the acquisition options and you will see the [Generate SHA-256 Hash] option. Don’t forget to select it. The hash value of the acquired image file can demonstrate the file’s integrity and non-repudiation.

Before I start importing, I review my selections carefully. If adjustments are needed, I can go back and make changes.

After reviewing, I start to import. Click [Go to pipeline] to see what’s going on while the evidence is being imported.

Pipelines can display the current progress, the start time of each process, and how long it took. The status value informs us whether each process was successful or failed. Furthermore, any alerts are clearly visible.

Don’t worry about how long it takes to finish importing. Investigators don’t need to constantly watch the screen to see if it’s finished. You can walk away to have a cup of coffee and check back later to see if the import is complete. When the import has completed, I can click [Download pipeline] to review the progress recorded during importing.

The pipeline log file is a plaintext file. After all, the target of acquisition is a cloud service, not a PC or laptop in hand. Keeping a detailed record of the acquisition process helps to understand everything that occurred during the acquisition. Therefore, the pipeline log can be regarded as the acquisition log.

You might be wondering whether the actions performed by investigators on the Cado Platform, such as creating cases and acquiring evidence, leave any records for auditing purposes. The answer is yes; the Cado Platform stores user actions as audit logs for review.

Now take a look at [Evidence]. Details of the imported evidence, including its metadata, can be viewed here. It contains several important items: the status value “Complete”, indicating that the acquisition was successful; the acquisition target, AWS EBS, with Linux as the operating system; the evidence image size of approximately 12GB; and 120 key events. [Suspected compromise] set to “Yes” means suspicious intrusion activity has been identified.

If investigators need to download the evidence image file, just click [Download evidence] to get it directly.

After downloading, a 12GB dd file shows up. The word “dd” stands for data duplicate, and a dd image is a bit-by-bit stream copy. During a forensic investigation, it is always advisable to take a bit-stream image rather than simply making a copy of the source.

Image files produced by Ghost or TrueImage, by contrast, cannot be considered bit-stream copies. Because a dd image is one, a hash comparison after acquisition can determine whether the file contents have been altered, ensuring the consistency of the content. You could use FTK Imager to mount this dd image file and verify the hash value manually.

But FTK Imager only provides MD5 and SHA-1 hash values, so you need another checksum tool to calculate the SHA-256 hash.
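As an added example (not code from the review or from Cado), the following script reads a downloaded dd image once and produces MD5, SHA-1 and SHA-256 together: the first two can be cross-checked against what FTK Imager reports, and the SHA-256 is compared against the value recorded by the acquisition pipeline. The image path and the expected hash are supplied by the caller; the demo uses a constructed temporary file instead of a real 12GB image.

```python
"""Single-pass MD5/SHA-1/SHA-256 of a disk image with a constant-time check
against the SHA-256 recorded at acquisition. Added example, not Cado's code."""
import hashlib
import hmac
import os
import tempfile

CHUNK = 4 * 1024 * 1024  # read a multi-GB image in 4 MiB chunks, never all at once


def digest_image(path: str) -> dict:
    """Return hex digests for all three algorithms after one pass over the file."""
    hashes = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def matches(actual_hex: str, expected_hex: str) -> bool:
    """Case-insensitive, constant-time comparison of two hex digests, so a hash
    pasted in upper case from the pipeline log still compares correctly."""
    return hmac.compare_digest(actual_hex.strip().lower(), expected_hex.strip().lower())


def verify_image(path: str, expected_sha256: str) -> bool:
    """True if the image on disk still has the SHA-256 generated at acquisition."""
    return matches(digest_image(path)["sha256"], expected_sha256)


def hash_sample(data: bytes) -> dict:
    """Write constructed bytes to a temp file and digest it, standing in for an image."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        return digest_image(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Constructed stand-in for the downloaded image and its recorded hash.
    sample = hash_sample(b"abc")
    recorded = "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"
    print("MD5 / SHA-1 for FTK Imager cross-check:", sample["md5"], sample["sha1"])
    print("integrity OK" if matches(sample["sha256"], recorded) else "HASH MISMATCH")
```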

Investigation and Analysis

For investigators, once the evidence has been processed, their greatest hope is to obtain relevant clues as soon as possible. Take a look at [Overview] to see what we’ve got here. The red keyword ‘Malicious’ in the [Key Events] indicates that, based on Cado’s analysis, there is suspicion that the target may contain malicious software.

However, it is important to remind everyone that the judgments made by the tool after analysis do not necessarily represent absolute truth and there is a possibility of misjudgment. Therefore, when interpreting the analysis results from the tool, it is essential to maintain an objective perspective. If there are doubts about the analysis results, you should cross-reference with other tools to clarify the situation.

Be patient, and let’s start with [Automated investigations]. The Automated Investigation tab provides a summary of what Cado has determined during its investigation. Automated investigation is one of Cado’s powerful features: while evidence is being acquired, analysis is performed simultaneously, so once the acquisition is complete the analysis is essentially complete as well.

Let’s take a closer look at the analysis results provided in the [Timeline Results]. This includes suspicious operational behavior.

For example, in the first record, on 2024-08-13 at 01:28, changes were detected in the file content under a specific path, and the reason for the alert can be found in the [Alarms].

Based on the keyword “cronjob” in the alert message, it can be inferred that the suspicious behavior is related to cron scheduling. The importance of cron lies in its ability to allow system administrators to deploy automated and periodic tasks. For example, it can be used for regular time synchronization with a time server or for performing data backups in the early morning.

If a hacker were to alter the scheduling content, they could carry out malicious activities. If the system administrator fails to notice this, the system could be compromised without anyone knowing.

Looking at earlier time points, we can see that the same situation has been occurring repeatedly: the hacker has been continuously tampering with the crontab. Even without checking the contents of the cronjob, it is evident that this is not normal behavior.

Take a look at the keyword “Pastebin”. Pastebin is a website where you can store text online for a set period of time. In general, hackers use Pastebin to share the code snippets they have developed, while also allowing users to download the original source code.

Click [Possible Cronjob Downloading From Pastebin] and you will go to the [Search] tab, where it becomes a filter criterion. Take advantage of the filter function to narrow down the scope so that it’s easier to find what you want.

Then click [Key Events] and focus on [Malicious Events] first. There are two malicious events at present.

At this moment, it can be observed that the timeline is narrowed down to between July 10, 2024, and July 16, 2024. In the Alarms section, suspicious keywords such as ‘XMRig’ were found.

If you clear the keywords in the filter window and type XMRig, you will find the same timeline results. At any time, you can clear the keywords in the filter window and search again using new keywords based on the clues you have gathered.

Take a look at [Event Information] and you will get more detailed information about this event. Take note of the Timestamp value ‘1721107879’. It might seem difficult to understand what it represents, right? Actually, it is what’s known as Epoch Time or Unix Time: a count of seconds since January 1, 1970 (UTC). Using online resources, you can convert it to local time.
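The keyword filtering and epoch conversion described above, as an added example that is not part of the review or of Cado's tooling: the script filters constructed timeline records by keyword, converts their epoch timestamps to UTC (or to the analyst's local zone), and reports the time window the matches span, the way the [Search] tab narrowed the timeline to a few days in July. All event records below are constructed sample data.

```python
"""Keyword filter over constructed timeline events with epoch-to-UTC conversion.
Added example; records are made up and are not Cado output."""
from datetime import datetime, timezone, tzinfo

# Constructed sample events: epoch seconds, file path and alarm text.
EVENTS = [
    {"timestamp": 1720600000, "path": "/var/spool/cron/crontabs/root",
     "alarm": "Possible Cronjob Downloading From Pastebin"},
    {"timestamp": 1721107879, "path": "/var/spool/postfix/maildrop/279F08D3287",
     "alarm": "Malicious: XMRig reference in file content"},
    {"timestamp": 1721140000, "path": "/tmp/.x/miner",
     "alarm": "Malicious: XMRig cryptominer binary"},
    {"timestamp": 1723512480, "path": "/etc/cron.d/sync",
     "alarm": "File content changed"},
]


def epoch_to_iso(ts: int, tz: tzinfo = timezone.utc) -> str:
    """Render a Unix timestamp as ISO 8601. Default is UTC; pass
    datetime.now().astimezone().tzinfo to get the workstation's local zone."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).astimezone(tz).isoformat()


def filter_events(events: list, keyword: str) -> list:
    """Case-insensitive match of the keyword against alarm text or path,
    returned in chronological order (the timeline view is time-sorted)."""
    kw = keyword.lower()
    hits = [e for e in events if kw in e["alarm"].lower() or kw in e["path"].lower()]
    return sorted(hits, key=lambda e: e["timestamp"])


def time_window(events: list) -> tuple:
    """(earliest, latest) UTC timestamps spanned by a filtered result set."""
    if not events:
        return ()
    stamps = [e["timestamp"] for e in events]
    return epoch_to_iso(min(stamps)), epoch_to_iso(max(stamps))


if __name__ == "__main__":
    for kw in ("pastebin", "xmrig"):
        hits = filter_events(EVENTS, kw)
        print(f"{kw}: {len(hits)} event(s), window {time_window(hits)}")
        for e in hits:
            print("  ", epoch_to_iso(e["timestamp"]), e["path"], "|", e["alarm"])
```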

Next, let’s focus on XMRig. According to the information we’ve found, it is a program related to cryptocurrency mining. XMRig is open-source software used for mining cryptocurrencies like Monero or Bitcoin. However, cybercriminals also commonly use it in attacks: they infect computers with cryptojackers and consume the victims’ resources to mine cryptocurrency for the attackers.

After learning the relevant information about this incident, you can add [Comments] to the event. Entering this information not only helps you to remember it, but also provides a reference for other team members involved in the investigation. Therefore, in this case, I added the comment ‘Miner’ to the event.

From the path “/var/spool/postfix/maildrop/”, you will know that the file “279F08D3287” is a mail message. It has three timestamps: Created, Accessed and Modified time.

Interestingly, in the [Indicator] section under [URL or IP], Pastebin appears again. However, this URL seems to be inaccessible. It can be inferred that this strange file, “983KKneh”, is likely an executable or a script.

Next, in the [Content] section, we can directly view the content of the email named “279F08D3287”. When you see the keyword ‘curl’, be very cautious. It is often used to download malicious programs.

To view the full details, you can click [Download] and save the file to your workstation. There are two options here; first, select [Download file] to obtain the file itself directly.

Once the download is complete, you can open the file with a hex editor to view its contents.

However, if you have concerns about the file potentially containing suspicious content and are worried that accessing it might compromise the investigator’s workstation, you can choose the second option, [Download as encrypted zip]. This option encrypts the file before downloading it.

Indeed, investigators should always maintain a cautious mindset when dealing with files from evidence images. You can never be too careful about the risk of infecting your own environment.

When attempting to extract this file, be sure to enter the previously set password to successfully decompress it.

Now you should have a clear understanding of the clues mentioned earlier, confirming the presence of a malicious threat in the evidence. The hacker’s method involved tampering with the cron job to achieve their objective.

I’d like to use another tool to review root’s scheduled tasks for comparison. First I mounted the evidence image file, then examined the contents of the files in the directory. The findings are consistent with the clues previously discovered.

Integration with External Resources

Cado is highly effective in detecting malicious software and can integrate with the VirusTotal API for querying to determine if known threats are present.

VirusTotal is a free service that analyzes suspicious files and URLs, helping to quickly detect viruses, worms, trojans, and all types of malware.

Cado can also integrate with YARA rules to enhance its malware detection capabilities. YARA rules refer to defining patterns of malicious software characteristics as rules. For example, some malware might hide specific strings or bytes within a program. By writing these specific strings as rules, the scanning process can reference them to check whether a file matches certain criteria, which helps in determining if it poses a malicious threat.

Cado can also integrate with custom IoCs. Indicators of Compromise (IoCs) are pieces of information related to specific security vulnerabilities that help security teams determine whether an attack has occurred. This data may include details of the attack, such as the type of malicious code used, the IP addresses involved, and other technical specifics.

Cado can be integrated with Webhook, SIEM, and XDR.

Conclusion

As an excellent cloud-based digital forensics solution, the Cado Platform not only allows investigators to quickly acquire evidence from target platforms but also effectively performs analysis to identify crucial leads. It is particularly advantageous in incident investigations, assisting security teams in determining whether threats like webshells exist in the environment, and enabling rapid remediation to prevent recurrence of harm.
