Chapter 7 Performing Forensic Analysis Flashcards
- Forensic toolkit
- Designed to allow data capture and analysis; these tasks benefit from a powerful multi-core CPU and plenty of RAM
Digital Forensic Workstation
- Forensic toolkit
- Provides the ability to capture and analyze forensic images as well as track forensic investigations
Examples: FTK, EnCase, the SANS Investigative Forensic Kit (SIFT), or The Sleuth Kit (TSK)
Forensic Investigation Suite or Forensic Software
- Forensic toolkit
- Ensures that drives connected to a forensic system or device cannot be written to; this helps to ensure the integrity of the forensic investigation
Write blockers
- Forensic toolkit
- Designed to copy drives for forensic investigation and then provide validation that the original drive and the content of the new drive match
Forensic Drive Duplicators
- Forensic toolkit
- Large SSDs, USB thumb drives, or flash media make it easier to capture and transport multiple forensic images
Wiped drives and wiped removable media
- Forensic toolkit
- A form used to track who was in possession of evidence at any time
- Reduces the potential for legal challenges based on poor custodial practices
Chain of custody form
- Built into a forensic suite or run independently; computes a hash of the drive to validate the contents of the copy
- The goal of this process is to ensure that the copy exactly matches the source drive or device
Hashing utilities
- Used in malware packages to protect from reverse engineering
- Intended to make direct analysis of the code difficult or impossible
Packers
What’s the forensic process?
- Determine what you are trying to find out - e.g., a compromised system, actions taken by malware, or a system admin who made an unauthorized change
- Outline the locations and types of data that would help you answer the questions from Step One - at this step you should be able to identify the types of data and the systems you need to capture data from
- Document and review your plan
- Acquire and preserve evidence - Cloning media, seizing systems or devices, making live memory images
- Perform initial analysis - carefully track your actions, the systems and data you work with, and your findings
- Use the initial analysis to guide further work - including deeper investigation and review where the initial analysis pointed to additional data
- Report on the findings of the investigation
Measures how easily data is lost (the top of the list being the most volatile)
- CPU cache, Registers, Running Processes, and RAM
- Network traffic
- Disk drives
- Backups, Printouts, Optical drives
Order of volatility
- Common location used for Windows forensics
- Information about files and services, locations of deleted files, evidence of applications being run
Windows registry
- Common location used for Windows forensics
- Programs set to run at startup (often associated with malware or compromise)
Auto run keys
- Common location used for Windows forensics
- Details of active and removed file records
Master file table
- Common location used for Windows forensics
- Logins, service start / stop, evidence of applications being run
Event logs
- Common location used for Windows forensics
- Evidence of deleted files, MAC timestamps
INDX files and change logs
- Common location used for Windows forensics
- Point-in-time information from prior actions
Volume Shadow copies
- Common location used for Windows forensics
- Logged-in user artifacts
User directories and files
- Common location used for Windows forensics
- Files that were intended to be deleted but forgotten
Recycle bin contents
- Common location used for Windows forensics
- Memory artifacts of commands run
Hibernation files and memory dumps
- Common location used for Windows forensics
- Artifacts of software installation, user temporary file storage or other limited lifespan data
Temporary directories
- Common location used for Windows forensics
- Application-specific data
Application logs
- Common location used for Windows forensics
- System logs may indicate drives were plugged in; data may be relevant to investigations
Removable drives
Linux utility used to clone drives in raw (bit-by-bit) format
dd utility
A full forensic suite that provides imaging capabilities for many types of devices
FTK