Week 10 (1) - Computer Forensic Triage Flashcards
What is Triage?
Triage is...
"The process of determining the most important people or things from amongst a large number that require attention."
Source: Oxford Dictionaries
To choose the right triage tool, what do you need to know?
- What to look for. For example: pictures, documents, email, web history etc.
- Where you want to look. For example: disks, USB, network, servers, remote etc.
- How much time do you have? For example: detention period, bomb warning, legal etc.
Triage is often useful when you don't know exactly which device has been used to commit an offence in a building or organisation.
What is an example Triage Tool?
FIRST (First Responders Free Tool).
Free to LE (law enforcement).
Two versions:
- First Responder: for the first responder. Checks whether you can safely shut down the computer or whether you should contact a digital investigator.
- Expert: for the digital investigator. Makes it possible to control the tool and make a memory or process dump.
What is an example of a paid-for tool?
F-RESPONSE
- Price from 520 to 5290 USD
- Connects a remote disk and memory to a local computer READ-ONLY
- You still need a tool to investigate the disk
- Can be used covertly and can be scripted
- Very small footprint on the system
- Wide support for Windows, Mac, Linux, Solaris, IBM AIX, HP-UX, FreeBSD and SCO
- Can support many-to-many connections
- Works with RAID configurations
- No need to install drivers or components on the system, only a single executable
- Cloud connector to acquire or search cloud services (Dropbox, Amazon S3 etc.) read-only
- Can be used to connect to remote disks, which enables an investigator to work from a distance
What is a third example of a triage tool?
AD TRIAGE
- 1500 USD per license
- Same engine as Triage-Examiner
- Built on FTK technology
- Multiple collection profiles on a single device
- Can also collect volatile data, like memory
- Can be used by non-technical first responders
What Data can AD Triage Obtain?
- Owner information
- Browser history (Firefox, Chrome, Internet Explorer)
- Typed URLs (from registry)
- Desktop Files
- Recently Opened MS Office Files
- Recent Files
- Temporary Executables
- Volatile information (ARP table, DNS cache etc.)
- Local shares
- IP addresses
- Acrobat history
- Installed software
- Manually Launched Applications
- Start-up Programs
- Clipboard Data
- Memory dump
- Scheduled Tasks
- Screenshot of device
- User Accounts
- USB Devices
- Typed Paths
What is an example of a 4th Triage Tool?
OS TRIAGE
- Collects live data or searches a computer
- Configurations for different types of investigations
- Allows for differing levels of triage (depending on need and how much time is available)
- Uses plugin (DLL) files, displaying browser history, pictures, information from the Windows registry, etc. (40 plugins by default)
- Reporting in HTML files. This allows investigators to quickly and easily view triage reports with nothing more than a web browser.
- Improved in speed, interface consistency, and user interaction with data
- Displays details about a computer including user accounts, physical and logical hard drives, mapped network drives, NIC information, running processes, open ports, installed applications, etc.
- Displays USB device make, model, and serial number
- Displays browser history for Internet Explorer, Firefox, Safari, and Chrome
- Displays recent searches on Internet search engines such as Google, Yahoo, etc.
- Detects cloud storage (Dropbox and Microsoft OneDrive)
- Warns about running applications (P2P apps such as LimeWire, encryption apps like TrueCrypt)
- Locates encryption, P2P, instant messaging, utility applications, and virtual machine applications
- Decodes .lnk files (showing various dates and times, target file, source drive, etc.)
- Warns when encrypted containers are mounted to a drive letter (TrueCrypt, PGP, BestCrypt)
- Extracts saved passwords (Internet Explorer, Firefox, email clients, instant messaging clients, Chrome, etc.)
- Extracts chat messages (Gigatribe and Skype)
- Extracts a list of all recently opened files
- Extracts a list of recently accessed programs and files (opened or saved)
- Searches one or more directories (network, mounted container, logical, UNC path). UNC = Uniform Naming Convention
- Compares images and videos against hundreds of thousands of hashes (MD5, SHA1, and InfoHash (used by BitTorrent))
- Checks file names, browser history etc. against a list of keywords
- Built-in image viewer to preview full-size images
- Writes 'nothing' to the computer being scanned
- Allows copying of files from a target computer to the osTriage drive
- Looks inside zip, rar and 7z archives (keywords)
- Lists every file seen by osTriage on a search, including path, MAC dates, etc.
- Optionally captures RAM on startup
- Displays a list of all known networks including LAN and wireless connections (network name or SSID, initial connection date, last connection date, etc.)
- Decodes prefetch files and displays information about program execution (first executed, last executed, and the number of times a given program was executed)
- Displays ARP cache records and resolves the NIC card manufacturer
- osTriage can find almost "anything" on a computer that is of interest to an investigator
What can osTriage NOT do?
- Where needed functionality is not included out of the box, a plugin can be written
- It does not carve for deleted files (but a plugin could be written to do this!)
- It does not look at file headers to identify files (so if file extensions have been changed it will not recognise this)
Why should you use osTriage?
- Capturing evidence (for a better initial interview)
- Detecting virtualization software
- Detecting encryption software (TrueCrypt, BitLocker, ...)
- Gathering volatile data from a computer (before it is shut down)
What are the requirements for osTriage?
- osTriage requires the Microsoft .NET Framework 4.0 client to be installed on the target computer
- An error reading "the application failed to install properly" will appear if the target computer does not have it
- Should this error occur, osTriage will not work and the runtime will have to be installed or another tool will have to be used!
Live response or dead box
- osTriage is capable of searching any directory accessible by Windows on the computer osTriage is running on
- osTriage works the same way regardless of whether it is used on a subject's running computer (live response) or the subject's hard drive is connected to another computer via a write blocker, etc. (dead box)
How is osTriage executed?
- osTriage can be executed from any type of writable device (a standard hard drive, thumb drive, etc.)
- osTriage should be run from the fastest external device available
- osTriage requires little disk space to operate (4GB is the minimum recommended size and NTFS is the preferred file system)
- The size of the file system osTriage is executed from determines how much data can be copied from a suspect machine
osTriage Workflow Overview (steps to run)
STOP ACTIVE VIRUS SCANNER(S)!!
- Start osTriage2.exe (Run as Administrator)
- osTriage locates plugins
- User selects a configuration to load
- Initialize plugins are run
- Warning screen displayed with results of Initialize plugins
- Warning screen closed by user
- Live response plugins are started
- Main interface displayed
- New search started
- Enabled File system search plugins are run
- User requests to exit osTriage
- Shutdown plugins are run
What is a 5th example of a triage tool?
ANT: AUTOMATED NETWORK TRIAGE (ANT)
- Freeware
- For large networks
- Server-client model
- Some Linux knowledge is required to set it up
- Configuration through a web browser
- Updated on request
What are the features of ANT?
- File signature analysis
- File-based keyword search
- MD5 hash matching
- Thumbnail creation of all images (JPGs)
- Search in unallocated clusters
- Search in Open XML / document files
- Supports many file systems: FAT, NTFS, HFS, EXT, swap, raw, UFS, ISO9660