Week 3 - Creating & Testing a LDF Toolkit Flashcards

1
Q

Summarise the key things to think about when considering your tools in a live environment

A
  • It is an UNTRUSTED environment.
    Cannot trust the output of native programs (for example, the suspect could have replaced the ipconfig command with a wiping tool that wipes all data).
    Cannot trust libraries on the native system
  • Use TRUSTED tools
    Use your own pre-tested tools
    Use write-protected media
    Determine linked libraries
  • Determine the environment
    What operating system is running
    What service pack is installed
    32 or 64 bit
    How will you save the acquired data
2
Q

Dependencies - what are they?

A

Dependencies are external software components or libraries that a program needs in order to function correctly. Dependencies can include a wide range of elements, such as:
Libraries: Prewritten code or modules that provide specific functionality (e.g., mathematical functions, data handling, etc.). Programs often depend on external libraries like Python’s requests library for making HTTP requests.

Frameworks: A collection of libraries and tools that provide a structured way to build applications (e.g., React for JavaScript web development, Django for Python web applications).

Operating System Dependencies: Specific features or versions of an operating system that the software needs (e.g., a program requiring Windows 10 or macOS).

Other Applications: Some software relies on other programs to be installed. For example, a Java application needs a Java Runtime Environment (JRE) to run.

Environment Variables: Programs may need certain environment settings or variables to locate resources or configure the application properly.
3
Q

Dependencies - All about Static Libraries

A
  • Static Libraries (also called Static Builds)
    Where all the necessary dependencies are included directly into the executable file at compile time, as opposed to dynamically linking them at runtime (when you start the program).
    The executable is a stand-alone file (doesn’t need any other file or library)

Advantages of Static Libraries/Builds:
- No External Dependencies: Once compiled, the program doesn’t need any external libraries, making it easier to distribute.
- Performance: Since everything is compiled together, static builds can sometimes be faster because there’s no need to load external libraries dynamically.
- Version Consistency: The program always uses the same version of the library that it was compiled with, avoiding version conflicts at runtime.

Disadvantages of Static Libraries/Builds:
- Larger File Size: The final executable is larger because it includes the entire code of the libraries, even if only a small part is used.
- No Updates: If a bug or security flaw is discovered in a statically linked library, you would need to recompile and redistribute the entire application to apply the fix.
- Memory Usage: If multiple programs use the same static library, each one will have its own copy in memory, leading to higher memory consumption compared to dynamic linking.

4
Q

Dependencies - all about Shared Libraries

A

A shared library (also known as a dynamic library) is a collection of precompiled functions or code that can be used by multiple programs during runtime, without being embedded directly into the executable. Instead of including the library code during compilation (as with static libraries), a program dynamically loads the shared library into the memory at runtime.
Therefore:
- requires the library at run time
- must be able to find the library
- the static path to the library is in the executable
- the name of the library is in the executable. The operating system finds the library and provides it to the program.

5
Q

How to determine linked libraries - on Windows

A

Various tools.

A free tool is Dependency Walker. It lists all the linked libraries the program is using.

Another tool is Anywhere PE Viewer (needs a JRE, a Java Runtime Environment), which also runs on Mac & Linux.

Windows linked libraries are called Dynamic Link Libraries (.dll extension).

6
Q

How to determine linked libraries - on Mac OSX

A

Use otool. With the -L option you can find all linked libraries.

In Mac OS X the linked libraries are called dynamic link libraries (as on Windows) but have the .dylib file extension.

7
Q

How to determine linked libraries - on Linux

A

Use the ldd tool (available in most Linux distributions).

Linux uses more linked libraries than Mac OS X.

In Linux linked libraries are called Shared Objects and have the .so file extension.

8
Q

What to do when dealing with a tool that calls for a shared library

A
  1. Is the tool open source? Maybe you can re-compile the tool with the modules built in as a standalone version. But if you do recompile, make sure you have a licence to do so.
  2. Use a different tool that doesn’t use a shared library.
  3. If you cannot do either of these things then the only option is to run it anyway and note the dependencies in your report.
9
Q

Setting up your tool kit - Scope

A

To set up your tool kit you have to identify the SCOPE.

Scope is determined by the pre-search plan.
For each pre-defined scenario:
- what data is required?
- what data is commonly collected?
- why is the data collected?
- local or remote collection?

Order the data by how CRITICAL it is to the investigation (because we then need to consider how INTRUSIVE gathering it will be).

Once the data scope is identified, tools can be evaluated.

10
Q

What are your considerations when looking at evaluating tools to use?

A
  • What tool is best for each particular situation? (may need multiple)
  • Reliability of tool
  • how comprehensive is the tool?
  • how intrusive is the tool? (minimal footprint)
  • speed
  • cost / availability / support
11
Q

Media Preparation

A

2 main types of storage:
- Attached local storage: USB (handy but limited space / speed) or redundant external storage such as RAID (lots of space and fast, but not as portable). If using USB then speed is a key factor - ideally USB 3.0. Faster = less change to the suspect device.
- Network pipe technique (a method of data transfer over a network, where the term “pipe” is metaphorical, describing how data flows between two points. It allows a continuous stream of data to move between two systems or processes, either locally or across a network). Can even acquire machines across the internet. Can get data fast. But needs preparing beforehand, and potentially anyone (incl. the suspect) can see where evidence is being copied to.

For writable attached storage there is the potential for viral contamination between machines.

12
Q

Other preparation - Interfaces. What interfaces are available on the suspect computer?

A

Hardware interface options (physical ports) include:
- USB (A, B, C)
- Thunderbolt (a high-speed interface that combines data, video, and power in a single connection; Thunderbolt ports often share the same connector as USB-C)
- HDMI
- FireWire (an older standard used for connecting peripherals like external hard drives and digital cameras, largely replaced by USB and Thunderbolt)
- eSATA (an external version of SATA, used for connecting external storage devices with faster speeds than USB 2.0)
- Ethernet (RJ45)
- 3.5mm audio jack

13
Q

Other Preparation - Interfaces. What should a LDF examiner do / think about in terms of interfaces?

A

- Be prepared. Take adapters and various cables.
- Be aware of speed limitations. If too slow then you may need to make quick alternative decisions (incl. network).
- Be aware of data transfer limitations. USB specs do not guarantee successful comprehensive data transfer or controlled speed. FireWire & SATA have more stable protocols.
- Plugging devices into the suspect’s interfaces will change their system (registry) and must be included in your report.

14
Q

Interface Preparation - USB devices

A

USB.
- Use devices with large capacity, ideally 64GB or 128GB or more where possible.
- For acquisition tasks use high-speed devices.
- Mainly useful for storage of tools & physical memory.
- For storing trusted tools look for devices that can be write protected. This can be done with a USB 3.0 device that has the option to create one partition that is read-only for your tools, and a data partition for the actual acquired evidence. This means there is less chance your trusted tools will be changed.

15
Q

Interface Preparation - CD / DVD

A

CD / DVD
- use validated forensic collections / suites like Helix, Deft or Kali or make your own
- CD / DVD could be used to both boot a suspect system (cold forensics) or for LDF purposes depending on the tools you want to use.
- Expand these tools to your own needs / update or add as needed
- CD / DVD is write protected so the tools can be trusted.

16
Q

Interface Preparation - External hard drive - what are the considerations / requirements

A

External Hard Drive
- Preferred solution due to size & speed.
- External storage sometimes needs to be initialised on the suspect system.
- FAT32 limits file size to 4GB and limits file numbers within folders and file names - NTFS is a better choice for Windows machines.
- Set up the external hard drive with a simple folder / file structure to limit the impact on the memory of the examined system.
- Simple set-ups are preferable - powered by an external power source & use enclosures with a fan. A good set-up would be a blank box with the option to change the hard drive, with USB + FireWire + eSATA.
- Test your system before leaving the office by:
  1. Preparing a clean installation of your hard drive (clean = no viruses, trusted binaries, no traces of other cases).
  2. Obtaining reference traces that your set-up produces (interface, hard drive, file system) and documenting this.
- Good quality cables (important for stability & speed).
- Be prepared for various operating systems and environments.
- Bring a spare hard drive just in case.
- Protect the hard disk during transport & handle with care.

17
Q

Interface Preparation - External hard drive - set up options

A

Options:

  • two separate enclosures, one write protected for the tool storage & one to store the evidence.
  • could have tools on a CD / DVD
  • another option is to use a drive like the Zalman ZM-VE400 or IODD 2541 that acts like a CD / DVD player and a hard drive. You can use an ISO and mount it on the system so you can be sure that your tools don’t get changed or deleted by the suspect system (either intentionally or by e.g. a virus scanner).
18
Q

List some examples of Live Response tools for Windows

A

Usually need administrator privileges on the machine
- Windows Forensic Toolchest
- ProDiscoverIR
- OnlineDFS / LiveWire
- Regimented Potential Incident Examination Report
- Nigilant32
- Helix (multi tools)
- KAPE
- many others

Detecting encryption can be difficult

19
Q

List some examples of Live Response tools - MAC & Linux

A

Not as many tools.
Usually need administrator privileges on the machine.
Mac no longer uses /dev/mem
Memory imaging is difficult

-Develop own toolkits based on scope. i.e what info do I need? What processes do I need? Networking? Logged in users?

Detecting encryption can be difficult

20
Q

Live Data Acquisition Tools - Windows

A

Many tools exist, such as:
- FTK Imager. Can do forensic file copying, live disk imaging & memory acquisition.
- DD.exe / MDD / tar.exe
- Dumpit.exe
21
Q

Live Data Acquisition Tools - Mac & Linux

A

Many native tools exist in both systems that allow for live disk / memory imaging and forensically sound file copying:

  • cp -a / tar / rsync
  • dd

Know your tools & operating systems

22
Q

Memory Analysis Tools - Windows / Mac / Linux

A
  • Volatility
  • Rekall
  • Memoryze (Windows)
  • HBGary Responder (Windows)
  • Testdisk (file carving)
  • Grep / strings
  • Lsproc.pl / Lspd.pl (process extraction)
  • Pyflag - with Volatility
  • PTK - with Volatility
  • X-Ways Forensics - hex
  • RAPIER (Windows Collector & Parser)
23
Q

What is TOOL MARKING?

A
  • Done after testing the tool
  • Used to prove that the tool has not been changed by anything and is still the tool you tested. Allows you to identify the tool quickly by a unique hash.
  • Can change the original tool file name so it is clear it is an investigator tool not a scheduled process for example.
  • Can add identifying data (such as your initials or organisation details) to the executable using a hex editor. Edit an area of the executable header that will not impact the operation of the tool. Afterwards TEST the tool again to make sure it still works.
  • Document the original file name & hash and new file name & hash
24
Q

Tool Testing & Validation

A

Implement in a test system.
- Did the tools collect all the data as expected?
- What changes did the tools make to the system?
- Document the above.

Can also use virtual machines for testing, e.g. VMware or VirtualBox:
- allows the investigator to take snapshots of the system before and after the tool has been run to compare changes.
- can be reverted back to the original.
- allows for fast reuse & support of many different operating systems.

You should have virtual images of every type of machine (operating systems & versions) you expect to be investigating. This is time consuming.

25
Q

What tools can we use for change monitoring (to monitor changes to a system when tools are run i.e the IMPACT of the tools on the system)

A

Windows:
- Snapshot based: Winalysis (end of life but still downloadable), InstallSpy, The Sleuth Kit (snapshot based are preferred by the lecturer)
- Real-time monitoring: Process Monitor (Microsoft / Sysinternals)

Mac OS X:
- Fseventer, The Sleuth Kit

Linux:
- Kfsmd, The Sleuth Kit

26
Q

Give an example of the steps taken when you test memory acquisition tools

A
  1. Tool feature comparison
  2. What operating systems are supported
  3. Testing on various systems for the following features:
    - forensically sound (no critical data changed on the system)
    - what are the output formats (e.g. RAW, E01 etc.)
    - special needs of the tools (e.g. only working on 64-bit systems, or needing DLLs)
    - speed comparison. Speed is key in LDF. The faster the better.

Helpful to use a tool comparison chart (see p.28 of lecture 3.1). Decisions will vary on case, scope, investigator preference, and priorities.

Command line interface (CLI) tools are often preferable because they have less impact on the memory.

27
Q

What problems are there in testing and validating LDF tools?

A

The biggest problem with tools for LDF (especially memory acquisition) is:
- You can’t check that a tool is 100% working because the hash will change in the process.
- Comparison of the integrity of data is very difficult if not impossible.
However, with experience and knowledge you can make educated guesses about the impact of tools on the system.

28
Q

Tool kit summary

A
  • programs on a suspect system may have been modified, so trusted tools should be loaded on write-protected media.
  • Where possible tools should not use shared libraries on the suspect system.
  • Determine what tools are needed based on the pre-search plan.
  • Prepare storage media to ensure no cross-contamination between cases.
  • Test tools & investigation processes before use to determine what changes will occur on a system because of running your tool.