Chapter 7 Performing Forensic Analysis Flashcards
- Forensic toolkit
- Designed for data capture and analysis; both tasks benefit from a powerful multi-core CPU and plenty of RAM
Digital Forensic Workstation
- Forensic toolkit
- Provides the ability to capture and analyze forensic images as well as track forensic investigations
Examples: FTK, EnCase, the SANS Investigative Forensic Toolkit (SIFT), or The Sleuth Kit (TSK)
Forensic Investigation Suite or Forensic Software
- Forensic toolkit
- Ensures that drives connected to a forensic system or device cannot be written to; this helps preserve the integrity of the evidence and of the forensic investigation
Write blockers
- Forensic toolkit
- Designed to copy drives for forensic investigation and then provide validation that the original drive and the contents of the new drive match
Forensic Drive Duplicators
- Forensic toolkit
- Large SSDs, USB thumb drives, or flash media, wiped before use so no data from a prior case contaminates the new image, make it easier to capture and transport multiple forensic images
Wiped drives and wiped removable media
- Forensic toolkit
- A form used to track who was in possession of evidence at any time
- Reduces the potential for legal challenges based on poor custodial practices
Chain of custody form
- Built into forensic suites or run independently to compute a hash of the drive and validate the contents of the copy
- The goal of this process is to ensure that the copy exactly matches the source drive or device
Hashing utilities
- Used by malware authors to protect their code from reverse engineering
- Intended to make direct analysis of the code difficult or impossible
Packers
What’s the forensic process?
- Determine what you are trying to find out - whether a system was compromised, what actions malware took, whether a system administrator made an unauthorized change
- Outline the locations and types of data that would help you answer the questions from step one - at this step you should be able to list the types of data and the systems you need to capture data from
- Document and review your plan
- Acquire and preserve evidence - cloning media, seizing systems or devices, making live memory images
- Perform initial analysis - carefully tracking your actions, the systems and data you work with, and your findings
- Use the initial analysis to guide further work - including deeper investigations and review where the initial analysis pointed to additional data
- Report on the findings of the investigation
Ranks data by how quickly it is lost (the top being the most volatile, so it should be captured first)
- CPU cache, registers, running processes, and RAM
- Network traffic
- Disk drives
- Backups, printouts, optical drives
Order of volatility
- Common location used for Windows forensics
- Information about files and services, locations of deleted files, evidence of applications being run
Windows registry
- Common location used for Windows forensics
- Programs set to run at startup (often associated with malware or compromise)
Auto run keys
- Common location used for Windows forensics
- Details of active and removed (deleted) file records
Master file table
- Common location used for Windows forensics
- Logins, service start / stop, evidence of applications being run
Event logs
- Common location used for Windows forensics
- Evidence of deleted files, MAC timestamps
INDX files and change logs
- Common location used for Windows forensics
- Point-in-time information from prior actions
Volume Shadow copies
- Common location used for Windows forensics
- Logged-in user artifacts
User directories and files
- Common location used for Windows forensics
- Files that were intended to be deleted but forgotten
Recycle bin contents
- Common location used for Windows forensics
- Memory artifacts of commands run
Hibernation files and memory dumps
- Common location used for Windows forensics
- Artifacts of software installation, user temporary file storage or other limited lifespan data
Temporary directories
- Common location used for Windows forensics
- Application specific data
Application logs
- Common location used for Windows forensics
- System logs may indicate that drives were plugged in; data on those drives may be relevant to investigations
Removable drives
Linux utility used to clone drives in raw, bit-by-bit format
dd utility
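The two cards above (hashing utilities and dd) describe one workflow: clone the source bit for bit, then hash source and copy to prove they match. The script below is an added example, not code from the page or from any forensic suite; it images a constructed 1 MiB file of random bytes standing in for a drive, records both SHA-256 values in a sidecar file for the chain-of-custody form, and re-verifies the copy after a simulated one-byte tampering. All paths and the block size are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the page): raw bit-for-bit imaging with dd followed
# by hash validation of the copy, the check a hashing utility or a drive
# duplicator performs. The "drive" used below is a constructed 1 MiB file.

# hash_file PATH -> prints the SHA-256 digest of PATH
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# image_and_verify SRC DST
# Clones SRC to DST with dd, then compares the SHA-256 of source and copy.
# Returns 0 on a match, 1 otherwise. Both digests are written to DST.sha256
# so they can be recorded on the chain-of-custody form.
image_and_verify() {
    src="$1"; dst="$2"
    # Hash the source before imaging so the reference value predates the copy.
    src_hash=$(hash_file "$src") || return 1
    # conv=noerror keeps reading past read errors; conv=sync pads a short
    # block with zeros. The block size must divide the source size evenly
    # (512 here, matching the constructed sample), otherwise the padding
    # changes the hash of the copy even though every original byte was read.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
    dst_hash=$(hash_file "$dst") || return 1
    printf 'source %s\ncopy   %s\n' "$src_hash" "$dst_hash" > "$dst.sha256"
    [ "$src_hash" = "$dst_hash" ]
}

# verify_copy SRC DST -> 0 only if both still hash to the same value; rerun
# this before analysis to show the image was not altered in storage or transit.
verify_copy() {
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# Demonstration on a constructed source: 2048 sectors of 512 random bytes.
demo_dir=$(mktemp -d)
dd if=/dev/urandom of="$demo_dir/evidence.bin" bs=512 count=2048 2>/dev/null
if image_and_verify "$demo_dir/evidence.bin" "$demo_dir/evidence.raw"; then
    echo "image verified: $(awk 'NR==1{print $2}' "$demo_dir/evidence.raw.sha256")"
else
    echo "image does NOT match source"
fi
# Simulate tampering with the copy: one extra byte is enough to change the hash.
printf 'x' >> "$demo_dir/evidence.raw"
if verify_copy "$demo_dir/evidence.bin" "$demo_dir/evidence.raw"; then
    echo "tampered copy still verifies (unexpected)"
else
    echo "tampered copy detected"
fi
rm -rf "$demo_dir"
```

On a real device the source is a block device behind a write blocker (for example `image_and_verify /dev/sdb /evidence/case42-sdb.raw`) and the block size would be larger; the sync-padding caveat in the comment is why the hash of a copy can legitimately differ from the source when the block size does not divide the device size.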
A full forensic suite and provides imaging capabilities from many types of devices
FTK
Physically prevent writes from occurring while the drive is connected to them
Hardware write blockers
Typically less popular than hardware write blockers because of the possibility of problems
Software write blockers
To preserve and analyze logs
- Determine where the logs reside and what format they’re stored in
- Determine the time period that you need to preserve
- Work with system administrators to obtain a copy of the logs and document how the logs were obtained
- Identify items of interest - might include actions, user IDs, event IDs, time frames, or other events identified in your scope
- Use log analysis tools like Splunk, Sawmill, or Event Log Analyzer to search and review the logs
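The steps above, carried out on a small scale as an added example (not code from the page or from any of the named tools): a constructed set of syslog-style authentication lines is the "log", one function preserves only the time window in scope, hashes the preserved copy and records how and when it was obtained, and a second function searches the preserved copy for items of interest such as a user ID or an event string. Host name, user names, addresses and the time window are all made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the page): preserve a time window of a log, hash the
# preserved copy, document the collection, and search it for items of interest.

# Constructed sample: one morning of auth events from a web server (made up).
SAMPLE_LOG='Mar 12 09:58:01 web01 sshd[2211]: Accepted password for alice from 10.0.0.5 port 51000 ssh2
Mar 12 10:02:17 web01 sshd[2290]: Failed password for root from 203.0.113.9 port 40011 ssh2
Mar 12 10:02:19 web01 sshd[2290]: Failed password for root from 203.0.113.9 port 40011 ssh2
Mar 12 10:03:44 web01 sshd[2310]: Accepted publickey for svc_backup from 203.0.113.9 port 40020 ssh2
Mar 12 10:41:00 web01 sudo: svc_backup : TTY=pts/1 ; PWD=/home/svc_backup ; USER=root ; COMMAND=/bin/bash
Mar 12 11:30:05 web01 sshd[2501]: Accepted password for alice from 10.0.0.5 port 51122 ssh2'

# preserve_window SRC START END OUT
# Copies the lines of SRC whose HH:MM:SS timestamp (field 3 in syslog format)
# falls within [START, END] into OUT, writes OUT.sha256, and appends a note of
# source, window, collection time and collector to OUT.manifest.
# Prints the number of lines preserved.
preserve_window() {
    src="$1"; start="$2"; end="$3"; out="$4"
    # Timestamps are zero-padded HH:MM:SS, so a plain string comparison orders them.
    awk -v s="$start" -v e="$end" '$3 >= s && $3 <= e' "$src" > "$out"
    sha256sum "$out" > "$out.sha256"
    printf 'source=%s window=%s-%s collected=%s by=%s\n' \
        "$src" "$start" "$end" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" \
        >> "$out.manifest"
    wc -l < "$out" | tr -d ' '
}

# count_matches FILE PATTERN -> number of lines matching the extended regex
# PATTERN (a user ID, an event string, a source address, ...). Always exits 0.
count_matches() {
    grep -Ec "$2" "$1" || true
}

# verify_preserved OUT -> 0 if OUT still matches the hash recorded at collection
verify_preserved() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

# Demonstration: scope is 10:00:00 to 11:00:00 on the constructed log.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_LOG" > "$demo_dir/auth.log"
n=$(preserve_window "$demo_dir/auth.log" 10:00:00 11:00:00 "$demo_dir/auth-window.log")
echo "preserved $n lines; manifest: $(cat "$demo_dir/auth-window.log.manifest")"
echo "failed root logins: $(count_matches "$demo_dir/auth-window.log" 'Failed password for root')"
echo "svc_backup events:  $(count_matches "$demo_dir/auth-window.log" 'svc_backup')"
if verify_preserved "$demo_dir/auth-window.log"; then
    echo "preserved copy hash verified"
fi
rm -rf "$demo_dir"
```

The preserved copy, its hash and the manifest line are what you hand over with the chain-of-custody paperwork; the search step runs against that copy rather than the live log so the findings can be reproduced against the same bytes later.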
- Linux kernel module that allows access to physical memory
- Designed to be used with DD or similar tools
fmem
- Linux kernel module that allows access to physical memory
- Directly copies data to a designated path and file
LiME
- Windows memory capture tool
- Copies a system's physical memory to the folder the program is run from
DumpIt
- Supports a broad range of operating systems
- Capabilities including tools to extract encryption keys and passphrases, user activity analysis, and rootkit analysis
The Volatility Framework
Two tools that have built-in memory capture and analysis capabilities
EnCase and FTK
- One of the ways used to acquire data from a mobile device
- Acquisition of the SIM card, memory cards, or backups
Physical
- One of the ways used to acquire data from a mobile device
- Usually requires a forensic tool to create an image of the logical storage volumes
Logical
- One of the ways used to acquire data from a mobile device
- Involves reviewing the contents of the live, unlocked phone and taking pictures and notes about what is found
Manual access
- One of the ways used to acquire data from a mobile device
- Provides details of deleted files as well as existing files and directories
File system
If a cloud service is part of your forensic investigation, you may need to do the following:
- Determine what your contract says about investigations
- Determine what legal recourse you have with the vendor
- Determine the data that you need and whether it is available via methods you or your organization controls
- Work with the vendor to identify a course of action if you do not control the data