Chapter 13: Performing Forensic Analysis and Techniques for Incident Response Flashcards
Building a Forensic Toolkit
The following components are common to most forensic toolkits that will allow you to perform forensic investigations:
Digital Forensics Workstation
* Can be desktops, laptops, or even servers
* A good forensic workstation is designed to allow for data capture and analysis, and those tasks can benefit from a powerful, multicore CPU with plenty of RAM
* Having a lot of fast, reliable storage is also important since large investigations deal with TB of data
* Always ensure it’s cut off from the internet
Forensic Investigation Suite or Forensic Software
* FTK Imager (.aff file extension), EnCase (.e01 file extension), the SANS Investigative Forensic Kit (SIFT), or The Sleuth Kit (TSK)
* Provides the ability to capture and analyze forensic images as well as track forensic investigations
Write Blockers
* Ensure that drives connected to a fornesic system or device can’t be written to
* Ensures the integrity of the forensic investigation
* Having file access times changed, or having the system that’s analyzing the data modify the content of the files on the drive, can ruin your forensic evidence
Forensic Drive Duplicators
* Designed to copy drives for forensic investigation and then provide validation that the original drive and the content of the new drive match
* Many forensic tools and suites offer this, but a dedicated cloning device can be useful and make it easier to prove the duplication process was completed in a forensically sound manner
Wiped Drives and Wiped Removable Media
* Needs to be of sufficient capacity to handle any drive or system that you’re likely to encounter
* Large SATA HD, portable NAS devies, and large SSDs make it easier to capture and transport multiple forensic images
* Removable media like USB drives, Blu-ray or DVDs, or flash media can also be valuable for transporting forensic data or sending it to other orgs when necessary
Cables and Drive Adapters
* Have various types to ensure thatr you can connect to most types of devices
Camera
* To document system configurations, drive labels, and other information
* They can speed up data recording and provide a visual record of a system or device
Labeling and Documentation Tools
* Label maker, labels, indelible pens, etc
* Helps with chain of custody and forensic process documentation
Notebooks and Prepared Documentation Forms and Checklists
* To record forensic investigation proceses and notes
* Common forms include chain of custody forms, incident response forms, incident response plans, incidnet forms, escalation lists or call lists of people to call during a response
* Soimetimes replaced by a forensic recording software package or tool that provides ways to validate log entries and track changes
Understanding Forensic Software
There are many types of forensic software, randing from purpose-built suits and tools to utilities:
* FTK
* EnCase
* CAINE
* Autopsy
* SIFT
* DumpIt
* Memoryze
There are also many common Linux and Windows utilities that have forensic applications like:
* dd
* WinDdg
Page 450
Capabilities and Application
Key forensic tool capabilities to include in a forensic toolkit include:
* Imaging
* Analysis
* Hashing and validation
* Process and memory dump analysis
* Password cracking
* Log viewers
Imaging Media and Drives
The first step in many forensic investigations is to create copies of the media or disks that may contain useful data
This is done with an imageing utility, which can create a forensic image of a complete disk, a disk partition, or a logical volume
Forensic images exactly match the original source drive, volume, partition, or device (including slack and unallocated space)
Slack Space
* The space left when a file is written
* This unused space can contain fragments of files previously written to the space or even files that have been intentionally hidden
Unallocated Space
* Space that hasn’t been partitioned
NOTE: Forensic copies and drive wiping programs may not properly handle spare sectors and bad sectors on traditional spinning disks, or reserved space retained to help with wear leveling for SSDs—it’s possible to miss potentially useful forensic data, and it’s something you should be aware of when wiping disks
Analysis Utilities
Forensic analysis utilities provide a number of useful capabilities that can help offer insight into what occurred on a system, like:
* Timelines of system changes
* Validation tools that check known, good versions of files against those found on a system
* Filesystem analysis capabilities that can look at filesystem metadata (like the Windows Master File Table for NTFS) to identify file changes, access, and deletions
* File carving tools that allow the recovery of files without the filesystem itself available
* Windows Registry analysis
* Log file parsing and review
Carving
File carving is the process of extracting data from a computer when that data has no associated file system metadata—it attemps to piece together data fragments from unallocated and slack space to reconstruct deleted files or at least parts of those files
When data is recovered as part of forensic analysis, the original filesystem may no longer be intact
In this scenario, or in any where the original filesystem can’t be used, file carving tools are necessary
They look at data on a block-by-block basis, looking for information like file headers and other indicators of file structure
When they find them, they attempt to recover complete or partial files
Three common types of file carving methods:
* Header and footer based carving, which foucses on headers like those found in JPEGs—JPEGs can be found by looking for \ xFF \ xD8 in the header and \ xFF \ xD9 in the footer
* Content based carving techniques look for information about the content of a file such as character counts and text recognition
* File structure based carving techniques that use information about the structure of files
Page 453 image example (JPEG carving with HxD)
Chain of Custody Tracking
Support for properly maintaining chain of custody documentation in an automated and logged manner is part of a forensic suite, and it’s a crucial part of their documented forensic procedures for many orgs
Maintaining chain of custody documentation ensures that drive images and other data, as well as actions taken using the suite, are properly validated and available for review—reduces the potential for legal challenges based on poor custodial practices
Hashing and Validation
Hashing utilities built into a forensic suite or run independently will produce a hash that can validate the contents of a copy
The goal of this is to ensure that the copy exactly matches the source drive or device—forensic image formats like EnCase’s .e01 format provide built in hashing as part of the tile
In cases where formats like these aren’t used, both MD5, SHA1, and SHA2 hashes are frequently used for this purpose
Hashing large drives can take a lot of time, even with faster algorithms like MD5, but it’s a relatively simple process
* EX: md5sum /dev/sda1—this provids an MD5 hash of a volume mounted on a Linux system
Hashing is also used to validate binaries and other app related files to detect changes to the binaries
Manual checksums using MD5 or SHA1 utilities can be used to check if a file matches a knonw good version or one from a backup, or it can be chekced against a provided checksum from a vendor or other source
Endpoint Forensics
The majority of forensics take place on physical endpoints like desktops, laptops, servers, and mobile devices
But as orgs move to the cloud, forensic activity is happening there as well
Page 455
OS, Process, and Memory Dump Analysis
Information about the stae of the OS, including data that’s stored in memory by processes, can be important to both forensic investigations and investigations of malware or compromise
Data that is otherwise kept encrypted is often accessible in memory to processes, or the encryption keys used to access data are available
OS analysis can provide key data about what was occuring on a system during the timeframe targeted by an investigation
Memory dump analysis can be particularly valuable when recovering decryption keys for FDE products like BitLocker
Hibernation files and crash dumps can both contain the data needed to decrypt the drive, which makes accessing an unlocked machine critically important for a forensic practitioner
Disk Forensics
The most common forensic activity for endpoints is disk, or storage based analysis
This can range from manual inspection of files to complete imaging and analysis of entire disks or volumes—current, deleted, or hidden files
There are three options for disk forensics:
Live acquisition
* Capturing the contents of the disk drive while the computer is still running
* You sometimes have to do this, like if the disk is normally encrypted—it will be unencrypted during use
* While you’re capturing data, the contents could be changed
Static Acquisition by Shutting Down
* The computer is properly shut down through the OS and then the disk is acquired
* Some malware can detect the shutdown and perform antiforensics
Static Acquisition by Pulling the Plug
* The system’s power is disconnected by removing the power plug from the wall socket
* Nobody can change files if you unplug immediately, and malware can’t perform antiforensics
* Risk that you can corrupt the drive
Memory Forensics
Requires either running live forensic analysis on a running machine or making a copy of live memory to point in time forensic memory analysis
Tools like Volatilty, an open source memory forensics framework, can capture and analyze memory
Volatility Framework
Open source memory forensics tool that has a wide range of plug in commands like:
* The ability to detect API hooks
* Read the keyboard buffer
* Grab Windows clipboard
* Look for live TCP connections
* Scan for driver objects
* Command prompt history
* Web browser history
* And more
* EX Use from Dion: Look at the processes, the files, and then netscan
NOTE: If there’s data accessible in live memory in an unencrypted form, assume it can be recovered—if it’s encrypted, the encrypted version can be accessed and potentially decrypted if key is available
Memory forensics are particularly useful when attempting to recover security artifcats stored in memory when in use, like encryption keys or passwords
Remember that system crash dumps often contain a copy of live memory, making it an attractive target for both practitioners and attackers
Mobile Devices and Cell Phone Forensics
Due to security features of mobile device OS, commercial forensic suites often have specialized decryption or brute forcing capabilities that allow them to capture data from a locked and encrypted phone or phone volume
Phone backup forensic capabilities are also useful—backups might not have all current data, but they can contain older data that was deleted and may not have the same level of security the phone itself does
Password Crackers and Password Recovery
Given the increase in drives and devices that are encrypted or password protected, password crackers are very useful for forensic examiners
Common places to discover password protection beyond the OS and account level:
* MS Office files
* PDFs
* ZIP folders
* RAR compressed files
Tools like Elcomsoft’s Advanced Office Password Recovery help accomplish this challenging task with brute force breaking for a range of filetyeps
Cryptography Tools
Common tools to protect forensic data as well as to protect data and apps from forensics
Forensic tools often have encryption capabilities to ensure that sensitive data under forensic investigation isn’t breached when drives or files are transferred, or if the forensic environment is compromised
Encryption tools are also needed to handle encrypted drives and network protocols, like handling BitLocker, Microsoft Office, and other common encryption mechanisms
Malware Investigations
* Encryption is often used to prevent code analysis of malware
* Many malware packages use tools called packers, that protect them from reverse engineering
* These packers make direct analysis of the code difficult or sometimes impossible
* Some forensic tools provide support for unpacking and decoding from packing techniques
