This week was about digital forensics, the collection of evidence from electronic devices, usually for reasons related to cyber crime.
Major categories of cyber crime that involve digital forensics include fraud, intellectual property theft, hacking, and electronic discovery (e-discovery), which is the process in which data is sought and secured with the intent of using it in a criminal or civil legal case.
Forensics in a Nutshell
There are three broad categories of forensic computing:
- Live forensics
- Post-mortem based forensics (analysis after the fact)
- Network based forensics
There are standards and methods of data collection that must always be followed: minimize data loss, record everything, analyze all collected data (the evidence), and report the findings.
Evidence is anything that can be used to prove or disprove a claim. In forensics, evidence can be found on networks, operating systems, databases and applications, and removable media such as disks and USB drives. Admissible evidence is what courts accept as legitimate.
Preserving the Evidence
When handling evidence, it is crucial to follow these procedures:
- Create a cryptographic hash of the entire disk and of each partition before analyzing. A cryptographic hash is used to verify the integrity of a file: it can tell whether a file has been tampered with or changed. Popular hashing algorithms include MD5 and SHA1.
- Create bit images of hard drives and analyze those instead of the original. A bit image is a bit-for-bit copy of the drive, so the copy and the original are identical.
- Lock the original disk in a limited-access room or container. This keeps the disk safe from any outside influence that could tamper with the evidence.
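As an added example (not from the class notes or any tool mentioned in them), the following Python hashes a whole disk image and each MBR partition separately, then re-checks those hashes to show which region changed. It uses SHA-256 rather than the MD5 or SHA1 named above, and the 1 MiB image with two partitions is constructed in code rather than acquired from a real drive.

```python
import hashlib
import struct

SECTOR = 512  # bytes per sector; MBR LBA fields count sectors

def parse_mbr_partitions(image):
    """Return (index, start_byte, length_bytes) for each in-use MBR entry."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]  # partition type; 0 means the slot is unused
        lba_start, sectors = struct.unpack("<II", entry[8:16])
        if ptype and sectors:
            parts.append((i + 1, lba_start * SECTOR, sectors * SECTOR))
    return parts

def sha256_range(image, start, length, chunk=1 << 20):
    """Hash one byte range of the image in chunks, as you would a real disk."""
    h = hashlib.sha256()
    end = start + length
    for off in range(start, end, chunk):
        h.update(image[off:min(off + chunk, end)])
    return h.hexdigest()

def hash_image(image):
    """Baseline hashes: the whole disk plus every partition on its own."""
    hashes = {"disk": sha256_range(image, 0, len(image))}
    for idx, start, length in parse_mbr_partitions(image):
        hashes["part%d" % idx] = sha256_range(image, start, length)
    return hashes

def verify_image(image, baseline):
    """Recompute every hash; False marks a region that no longer matches."""
    current = hash_image(image)
    return {name: current.get(name) == digest for name, digest in baseline.items()}

def build_sample_image():
    """Constructed 1 MiB disk with two partitions (not a real acquisition)."""
    img = bytearray(2048 * SECTOR)
    for i, (ptype, lba, n) in enumerate([(0x83, 64, 512), (0x07, 1024, 1024)]):
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        entry = bytes([0x80, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", lba, n)
        img[446 + 16 * i:446 + 16 * (i + 1)] = entry
        img[lba * SECTOR:(lba + n) * SECTOR] = bytes([i + 1]) * (n * SECTOR)
    img[510:512] = b"\x55\xaa"
    return bytes(img)
```

Because each partition is hashed on its own, a later mismatch points at the region that changed instead of only saying that the disk differs.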
What to acquire when looking for evidence:
- Virtual and physical:
  - Entire physical drive
  - Logical: a partition
- Network traffic:
  - Full packet captures
Locard’s Exchange Principle
We learned about this principle this week, which states that when any two objects come in contact, there will be a transfer of material from each object onto the other. The main point is that it is impossible to interact with a system without affecting it in some way.
Locard’s principle is not exclusively a digital forensic principle; it applies to physical crimes as well.
Data can be volatile, which means it can be easily lost. There are degrees of volatility, and the most volatile data must be acquired first or be lost forever. Data that is lost when the machine is powered down is an example of the most volatile.
An example of data acquisition on Windows would be to acquire volatile data first, then non-volatile data, which includes event logs and the registry, if applicable. Lastly, obtain any relevant files, such as unknown executables and any leftover tools.
In a computer, RAM (random access memory) is the short-term memory. Once the computer is powered down, the information in it begins to decay rapidly and is lost. A great deal of useful information can be found in RAM, including data that cannot be obtained from a hard drive, as well as leftover artifacts ‘hidden’ by hackers. Examples of such data are the processes running at the time of the memory snapshot, device drivers, loaded modules and DLLs, keystrokes, and wireless keys, among other things.
How does physical memory work? It is divided into “pages”, and space in physical memory is allocated page by page. The same pages of memory can appear in different locations and can be moved from physical memory into a page file to make more space. A page file is used to store data that RAM can’t hold.
We were introduced to some tools for analyzing data. One of them was Volatility, a memory forensics framework that can be used to write and create plugins, on top of the many free and useful tools that are already available.
Yara is a tool for creating signatures of malicious behavior, which can then be used to scan for that behavior.
Christiaan showed us a tool named FTK Imager (Forensic Toolkit). He made a point of never installing forensic tools on suspect machines, calling it “the worst case thing you can do” because it can influence the evidence, which is Locard’s principle in action.
One of the main functions of this program is to capture memory from the computer of interest. It can create an image of a disk or USB stick, or capture RAM.
Christiaan says he prefers using the command line for the same task, but FTK Imager is free and has a good GUI for learning. A drawback is that it leaves a large footprint in memory.
Volatility is a command-line forensic tool. A cheatsheet with various commands was provided. It is run with the command:
volatility.exe -f <name of memory dump> <plugin>
The “imageinfo” plugin can be used if you want to know more about the memory image you are about to analyze. He also used “psscan” to find hidden or terminated processes, and “dlllist” to show the DLLs used by a process.
We also saw an image recovery tool. Christiaan walked us through mounting a virtual disk and recovering photos from it; this is called “carving”.
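As an added example (not the tool shown in class), here is a small JPEG carver in Python that finds photos in raw unallocated space by walking the file's marker segments rather than only matching magic bytes, so it can reject a header that is not followed by a valid structure. The disk contents, including a decoy header the carver must skip, are constructed inline.

```python
import struct
SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker, always followed by another marker
PHOTO_A = b"\x12\x34" * 50  # constructed stand-ins for entropy-coded scan data
PHOTO_B = b"\xab\xcd" * 30

def jpeg_length(buf, start):
    """Walk the marker segments of a JPEG at buf[start:]; None if malformed."""
    pos = start + 2  # skip FF D8
    while pos + 4 <= len(buf):
        if buf[pos] != 0xFF:
            return None
        marker = buf[pos + 1]
        if marker == 0xFF:  # padding byte, not a marker
            pos += 1
        elif marker == 0xD9:  # EOI with no scan data: degenerate but well-formed
            return pos + 2 - start
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            pos += 2
        else:
            seglen = struct.unpack(">H", buf[pos + 2:pos + 4])[0]
            if seglen < 2:  # length field includes itself, so < 2 is impossible
                return None
            pos += 2 + seglen
            if marker == 0xDA:  # start of scan: entropy data runs to the EOI marker
                eoi = buf.find(b"\xff\xd9", pos)
                return None if eoi < 0 else eoi + 2 - start
    return None

def carve_jpegs(buf):
    """Return (offset, bytes) for every structurally valid JPEG found in buf."""
    found, pos = [], 0
    while (i := buf.find(SOI, pos)) >= 0:
        n = jpeg_length(buf, i)
        if n:
            found.append((i, buf[i:i + n]))
        pos = i + n if n else i + 1  # skip past a carved file, or past a bad header
    return found

def make_jpeg(scan_data):
    """Constructed minimal JPEG: SOI, APP0/JFIF, SOS header, scan data, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + sos + scan_data + b"\xff\xd9"

def build_sample_disk():
    """Constructed 'unallocated space': two photos plus a decoy SOI with a bad length."""
    decoy = SOI + b"\xe0\x00\x00"  # segment length 0 is impossible; carver must skip it
    return (b"\x00" * 4096 + make_jpeg(PHOTO_A) + b"\x00" * 1000
            + decoy + b"\x00" * 500 + make_jpeg(PHOTO_B) + b"\x00" * 2048)
```

This recovers only contiguous files; photos fragmented across non-adjacent clusters need file-system-aware carving.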
This week was about collecting data and evidence in a safe manner that preserves the integrity of the original data. It is important to present the facts in an unbiased manner, so we learned how to collect evidence without leaving traces of tampering.