DIGITAL FORENSIC 101 Introduction to Computer Forensics JANUARY 20, 2020



Digital Forensics 101

1 | P a g e

Table of Contents

  The Need for Computer Forensics
  Cybercrime
  Rules of Forensics Investigations
  Types of Digital Evidence
  Computer Forensics Investigations Process
  Forensics Lab Licensing
  Forensics Lab Consideration and Need
    Forensics Workstation
  Collecting Physical Evidence
    Powered-On Computers
    Powered-Off Computers
    Networked Computer
  Operating System Shutdown Procedure
    Windows 10, 8.1, 7, 2012, 2008
    Mac OS X
  Seizing Portable Computers
  Handling a Powered-On Portable Computer
  Evidence Management
    Exhibit Numbering
  Duplicate the Data (Imaging)
  Recover Lost or Deleted Data
  Data Analysis
Hard Drive and File Systems
  Disk Drive
  HDD Structure
    HDD Geometry = CHS Value
  Slack Space
    Types of Disk Partitions
  Master Boot Record (MBR)
  GUID Partition Table (GPT)
    Identifying GPT
  File System Analysis Tools
  Windows File System
    File Allocation Table (FAT)
    New Technology File System (NTFS)
  Linux File System
  Mac OS X File System
  Oracle Solaris 11 File System
  CD-ROM/Digital Versatile Disk (DVD)
  Data Carving
Data Acquisition and Duplication
  Types of Volatile Data
    Acquiring Data on Linux
Anti-Forensics
  File/Data Deletion
    Location of the Recycle Bin
  Password Cracking
    Rainbow Table Creation Tool
  Security Account Manager (SAM)
    Tools to Crack the SAM File
    BIOS Cracking
  Steganography
    Tools
Operating System Forensics
  Windows Forensics
    Windows Forensic Tool
Network Forensics
Web Attacks
  Approach
  Internet Information Server (IIS) Logs
  Apache Logs
    Red Hat, CentOS, Fedora
    Debian & Ubuntu
    FreeBSD
    Tools
Database Forensics
  Microsoft SQL Forensics
    Data & Log Files
    Location of Files
    Tools
  MySQL Forensics
    Tools
Cloud Forensics
  Types of Cloud Computing
  Cloud Deployment Models
  Dropbox Cloud Storage
    Tools
  Google Drive
    Tools
Malware Forensics
  Identifying Malware
  Extracting Malware
  Malware Analysis Lab
  Types of Malware Analysis
  Static Malware Analysis
  Dynamic Malware Analysis
Email Forensics
  Crimes
  Investigating Emails
  Investigating Webmail
    Tools

The Need for Computer Forensics

Computer forensics is the process of finding evidence of a digital crime in order to identify the culprits and support legal action against them. Cybercrime is any illegal act involving a computer device, a network, its systems or its applications.

Cybercrime

Internal attacks – espionage by insiders.

External attacks – denial of service (DoS), SQL injection.

Rules of Forensics Investigations

1. Limit access to, and examination of, the original evidence.

2. Record changes made to the evidence files

3. Create a chain of custody document

4. Set standards for investigating the evidence

5. Comply with the standards

6. Hire professionals for analysis of evidence

7. Evidence should be strictly related to the incident

8. The evidence should comply with jurisdiction standards

9. Document the procedures applied on the evidence

10. Securely store the evidence

11. Use recognised tools for analysis

Types of Digital Evidence

1. Volatile data – lost when the device is powered off. Examples: RAM contents, open files, clipboard contents.

2. Non-volatile data – persistent data on secondary storage such as an HDD. Examples: hidden files, event logs, slack space.


Computer Forensics Investigations Process

1. Pre-investigation Phase

a. Setting up a computer forensics lab, setting up the investigation team

2. Investigation Phase

a. Acquisition, preservation and analysis of evidentiary data.

3. Post-investigation Phase

a. Documentation and Reporting.

Forensics Lab Licensing

ASCLD/LAB accreditation – American Society of Crime Laboratory Directors / Laboratory Accreditation Board (merged into ANAB in 2016).

ISO/IEC 17025 Accreditation.

Forensics Lab Consideration and Need

Dedicated internet connection (kept separate from the evidence-analysis network).

UPS for each workstation and piece of equipment.

Dry chemical fire extinguisher (Class A, B and C).

A single entrance with a lock and a sign-in log book.

Forensic toolkit: Paraben's First Responder Bundle, Digital Intelligence FRED (Forensic Recovery of Evidence Device) workstation.

Hardware write blocker.

StrongHold (Faraday) bag, to keep seized phones and wireless devices off the network.

Forensics Workstation

High-performance processor

8 GB RAM (minimum)

DVD/Blu-ray R/W drive

Motherboard supporting IDE, SCSI, USB and a NIC

Minimum of two HDDs for loading different operating systems

Spare RAM and HDDs


Collecting Physical Evidence

Handle every item of evidence carefully.

Tag all objects identified as evidence and record all details on the tag: date and time, investigator's name, control number, etc.

Powered-On Computers

If the device is on, photograph the screen and document the running processes.

If a screensaver is showing, move the mouse slowly without pressing any button (keystrokes or clicks could alter the system state).

Volatile data (RAM, network connections) is lost at power-off; if it is needed, capture it before the machine is powered down.

Powered-Off Computers

If it is already off, leave it off.

If only the monitor is off, turn the monitor on and photograph the screen.

Networked Computer

Unplug the network cable from the router or switch to isolate the machine.

Photograph all devices connected to the victim's computer from several angles.

Unplug all cords and devices connected to the computer, and label them.

Unplug the main power cord from the wall socket.

Operating System Shutdown Procedure

Windows 10, 8.1, 7, Server 2012, Server 2008

Take a photograph of the screen.

Document any running programs.

Unplug the power cord (a hard power-off avoids shutdown scripts that could alter or wipe data).


Mac OS X

Record the time shown in the menu bar.

Click the Apple icon and select Shut Down.

Unplug the power cord.

Seizing Portable Computers

Photograph the computer and connected equipment.

Record which cables are connected to which ports.

Label each connector.

Remove the battery.

Handling a Powered-On Portable Computer

Handle it the same way as a powered-on desktop.

If it wakes up, record the time and date.

Remove the battery before pulling the power cord.

If the battery cannot be removed, hold down the power button for 30 seconds to force the power off.

Evidence Management

Use a chain-of-custody form. (Slide 2, page 116)

Exhibit Numbering

aaa/ddmmyy/nnnn/zz

aaa – initials of the investigator who seized the items.

ddmmyy – date of seizure.

nnnn – sequential number of the exhibit, e.g. 0001, 0002.

zz – sequence number for parts of the same exhibit.


Duplicate the Data (Imaging)

Never analyse the original evidence.

Make a bit-by-bit (forensic) copy of the original, through a write blocker.

Verify integrity by hashing the source and the image and comparing the digests.

Recover lost or Deleted Data

Recover My Files, Recuva, and EaseUS Data Recovery.

Data Analysis

FTK, EnCase, The Sleuth Kit (TSK)


Hard Drive and File Systems

Disk Drive

HDD – non-volatile, random-access storage on spinning magnetic platters.

SSD – uses solid-state (flash) memory to store data. Because the controller erases freed blocks on its own (TRIM, garbage collection), recovery of deleted data from an SSD is far less reliable than from an HDD.

HDD Structure

Platters – the magnetic disks.

Tracks – concentric rings on each platter surface.

Sectors – each track is divided into sectors; a sector is the smallest physical storage unit on a platter, traditionally 512 bytes (modern "Advanced Format" drives use 4096-byte physical sectors and usually present 512-byte logical sectors).

Clusters (blocks) – the file system allocates space in clusters of one or more sectors.

HDD Geometry = CHS Value

Capacity = cylinders x heads x sectors per track x 512 bytes

The CHS value gives the drive's actual capacity rather than the advertised (marketing) size.

Slack Space

Slack space is the area of a cluster between the end of a file's data and the end of the cluster. If a file is smaller than the cluster size it is still assigned a whole cluster; the unused remainder is slack space, and it may still hold fragments of whatever previously occupied that cluster.

Types of Disk Partitions

Primary partition (at most four per MBR disk)

Extended partition (a container for logical partitions)

Master Boot Record (MBR)

The MBR is the first sector (sector zero, LBA 0) of a storage device: the 512-byte boot sector.

It does not describe files. It holds the boot code (the first 446 bytes), the partition table, and the 0x55AA boot signature in the last two bytes.

The BIOS loads the MBR and executes its boot code, which locates the active partition and bootstraps the operating system (OS).

The partition table is a 64-byte structure of four 16-byte entries, each recording a partition's status (bootable flag), type, and location (starting LBA and sector count). Because those fields are 32-bit sector counts, MBR cannot address more than 2 TiB with 512-byte sectors.

GUID Partition Table (GPT)

GPT is the standard partitioning scheme defined by the Unified Extensible Firmware Interface (UEFI), which replaces the legacy BIOS firmware interface; disks and partitions are identified by Globally Unique Identifiers (GUIDs).

GPT overcomes the limitations of MBR.

GPT allows disks and partitions larger than 2 TiB and 128 partitions by default.

The GPT header and partition array carry CRC32 checksums, and a backup copy of both is kept at the end of the disk.

Sector zero still holds a "protective MBR" with a single partition of type 0xEE, so that MBR-only tools do not treat the disk as empty.

Identifying GPT

Open Computer Management > Disk Management, right-click Disk 0 > Properties > Volumes tab: "Partition style" reads either Master Boot Record (MBR) or GUID Partition Table (GPT).
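Parsing sector zero is the quickest way to tell the two schemes apart from a raw image, and it yields the byte offsets needed to mount or carve each partition. The following is an added example, not part of the original notes: a small Python MBR parser that decodes the four partition entries, checks the 0x55AA signature, reports a type 0xEE entry as a GPT protective MBR, and includes the CHS capacity formula from above. The two sectors it parses are constructed inside the code.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446            # the four 16-byte entries follow the boot code
BOOT_SIGNATURE = b"\x55\xAA"
GPT_PROTECTIVE = 0xEE         # partition type reserved for the GPT protective MBR

PART_TYPES = {
    0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}

def chs_capacity(cylinders: int, heads: int, sectors_per_track: int, sector_size: int = 512) -> int:
    """Raw capacity from the CHS geometry; 1024 x 255 x 63 is the ceiling of CHS addressing (about 8 GB)."""
    return cylinders * heads * sectors_per_track * sector_size

def parse_mbr(sector: bytes) -> dict:
    """Decode sector zero: boot signature, the 64-byte partition table, and the partitioning scheme."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    valid = sector[510:512] == BOOT_SIGNATURE
    partitions = []
    for i in range(4):
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, TABLE_OFFSET + 16 * i)
        if ptype == 0x00:
            continue                                  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
            "lba_start": lba_start,
            "sectors": count,
            "byte_offset": lba_start * SECTOR,        # seek here in the image to reach the partition
            "size_bytes": count * SECTOR,
        })
    if not valid:
        scheme = "no valid boot signature"
    elif any(p["type"] == GPT_PROTECTIVE for p in partitions):
        scheme = "GPT (protective MBR)"               # the real table is the GPT header at LBA 1
    else:
        scheme = "MBR"
    return {"valid_signature": valid, "scheme": scheme, "partitions": partitions}

def build_entry(status: int, ptype: int, lba_start: int, count: int) -> bytes:
    """Constructed partition-table entry for the samples below (CHS fields left zero)."""
    return struct.pack("<B3xB3xII", status, ptype, lba_start, count)

def make_sample_mbr(entries: list) -> bytes:
    """Constructed sector zero: zeroed boot code, the given entries, and the 0x55AA signature."""
    sector = bytearray(SECTOR)
    for i, entry in enumerate(entries):
        sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

# Constructed samples: a legacy layout (bootable NTFS plus Linux) and the protective MBR of a GPT disk.
LEGACY_MBR = make_sample_mbr([build_entry(0x80, 0x07, 2048, 204800),
                              build_entry(0x00, 0x83, 206848, 409600)])
PROTECTIVE_MBR = make_sample_mbr([build_entry(0x00, GPT_PROTECTIVE, 1, 0xFFFFFFFF)])

if __name__ == "__main__":
    for label, blob in (("legacy", LEGACY_MBR), ("gpt", PROTECTIVE_MBR)):
        info = parse_mbr(blob)
        print(label, info["scheme"])
        for p in info["partitions"]:
            print("  #%d %s%s start=%d bytes=%d" % (p["index"], p["type_name"],
                  " (boot)" if p["bootable"] else "", p["byte_offset"], p["size_bytes"]))
```

To use it on a real image, read the first 512 bytes of the .dd file and pass them to parse_mbr(). For a GPT disk the result only tells you to go on and parse the GPT header at LBA 1 (and check its CRC32 against the backup at the end of the disk), which this example does not do.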

File System Analysis Tools

Autopsy, The Sleuth Kit (TSK): fsstat (file system details), istat (metadata entry details), fls (list files, including deleted ones).

Windows File System

File Allocation Table (FAT)

FAT12, FAT16 and FAT32.

The boot sector is the first sector; 512 bytes.

FAT32 supports volumes up to 2 TB (with 512-byte sectors), although Windows' built-in formatter only creates FAT32 volumes up to 32 GB; a single file is limited to 4 GB.

New Technology File System (NTFS)

Windows NT 3.1 onward: XP, Vista, 7, 8, 10, Server 2003, 2012.

The first 16 sectors hold the boot sector and the bootstrap code ($Boot).


NTFS Master File Table (MFT)

A database ($MFT) with one record for every file and directory, holding its attributes.

The first 16 records are reserved for file-system metadata files ($MFT, $LogFile, $Bitmap, ...).

NTFS supports multiple data streams, known as Alternate Data Streams (ADS): additional named $DATA attributes that can hide data behind another file without changing the size Explorer reports for the "carrier" file. ADS example:

C:\>echo text_message > myfile.txt:stream1   (hide data)

C:\>more < myfile.txt:stream1                (view data)

C:\>dir /r                                   (list streams; Vista and later)

NTFS supports indexing, compression and encryption.

EFS – Encrypting File System, introduced with NTFS 3.0 (Windows 2000).

Linux File System

EXT – Extended File System

EXT2 – Second Extended File System

EXT3 – Third Extended File System

EXT4 – Fourth Extended File System

Mac OS X File System

Hierarchical File System (HFS), superseded by HFS+ (Mac OS Extended)

o Designed by Apple.

o HFS+ volumes are divided into logical blocks of 512 bytes, grouped into allocation blocks.

o macOS 10.13 (High Sierra) and later use APFS instead.

Oracle Solaris 11 File System

ZFS – Zettabyte File System

o Superior performance and availability.


CD-ROM/Digital Versatile Disk (DVD)

Uses the Compact Disc File System (CDFS, i.e. ISO 9660)

Universal Disk Format (UDF)

Data Carving

It is a technique to recover files and file fragments from the unallocated space of a disk in the absence of file-system metadata, by searching for known file headers (and, where the format has one, footers).

The same signatures identify the real format of a file regardless of its extension.

Hex editors: WinHex.

JPEG: starts with FF D8 FF; "JFIF" or "Exif" appears on the top row. Ends with FF D9.

BMP: starts with 42 4D ("BM"); bytes 2-5 hold the file size.

GIF: starts with 47 49 46 38 ("GIF8").

PNG: starts with 89 50 4E 47 0D 0A 1A 0A (".PNG" on the top row); ends with the IEND chunk.

PDF: starts with 25 50 44 46 ("%PDF").

DOC/XLS/PPT (OLE compound document): starts with D0 CF 11 E0 A1 B1 1A E1.

DOCX/XLSX/PPTX (Office Open XML, a ZIP container): starts with 50 4B 03 04 ("PK").

WMV/ASF: starts with 30 26 B2 75 8E 66 CF 11.

FLV: starts with 46 4C 56 01 ("FLV").
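The signature table above is exactly what a header/footer carver works from. Added example, not from the original notes: a Python carver that scans a buffer of "unallocated space" for these signatures, carves to the footer where the format has one (JPEG, PNG, GIF, PDF, ZIP/OOXML), takes the length from the header for BMP, and carves a bounded extent flagged as incomplete for OLE documents, which have no trailer. The buffer it scans is constructed inline from signature-free filler and minimal fake files.

```python
import struct

# Header, footer (None when the format has no reliable trailer) and the number of fixed
# bytes that follow the footer (ZIP's end-of-central-directory record is 22 bytes).
SIGNATURES = {
    "jpeg":            (b"\xFF\xD8\xFF",                     b"\xFF\xD9",             0),
    "png":             (b"\x89PNG\r\n\x1A\n",                b"IEND\xAE\x42\x60\x82", 0),
    "gif":             (b"GIF8",                             b"\x00\x3B",             0),
    "pdf":             (b"%PDF",                             b"%%EOF",                0),
    "bmp":             (b"BM",                               None,                    0),   # length is in the header
    "zip/ooxml":       (b"PK\x03\x04",                       b"PK\x05\x06",           18),
    "ole/doc-xls-ppt": (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", None,                    0),
}
MAX_CARVE = 64 * 1024   # cap for formats without a footer; real carvers use per-type limits

def _extent(data, start, ftype, footer, tail, max_carve):
    """Length of the file starting at `start`, and whether its end was positively identified."""
    limit = min(len(data), start + max_carve)
    if ftype == "bmp":
        # BITMAPFILEHEADER stores the total file size at offset 2 as a little-endian uint32
        size = struct.unpack_from("<I", data, start + 2)[0] if start + 6 <= len(data) else 0
        if 14 < size <= len(data) - start:
            return size, True
        return limit - start, False
    if footer is not None:
        end = data.find(footer, start + 1, limit)
        if end >= 0:
            return min(end + len(footer) + tail, len(data)) - start, True
    return limit - start, False     # no footer: carve up to the cap and flag it incomplete

def carve(data: bytes, max_carve: int = MAX_CARVE) -> list:
    """Scan unallocated space for every known header and return the recovered file extents."""
    found = []
    for ftype, (header, footer, tail) in SIGNATURES.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start < 0:
                break
            length, complete = _extent(data, start, ftype, footer, tail, max_carve)
            found.append({"type": ftype, "offset": start, "length": length, "complete": complete})
            pos = start + length    # resume after the file so nested headers (ZIP members) are not re-carved
    return sorted(found, key=lambda f: f["offset"])

def identify(blob: bytes) -> str:
    """Format of a single file from its magic bytes, independent of its extension."""
    for ftype, (header, _, _) in SIGNATURES.items():
        if blob.startswith(header):
            return ftype
    return "unknown"

# Constructed sample "unallocated space": signature-free filler with minimal fake files embedded.
FILLER = bytes(range(256)) * 4
SAMPLE_JPEG = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xFF\xD9"
SAMPLE_PNG = (b"\x89PNG\r\n\x1A\n" + b"\x00\x00\x00\x0DIHDR" + b"\x00" * 17
              + b"\x00\x00\x00\x00IEND\xAE\x42\x60\x82")
SAMPLE_BMP = b"BM" + struct.pack("<I", 70) + b"\x00" * 64
SAMPLE_DOCX = (b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 22 + b"[Content_Types].xml"
               + b"PK\x05\x06" + b"\x00" * 18)
SAMPLE_DOC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 100     # OLE has no trailer
UNALLOCATED = (FILLER + SAMPLE_JPEG + FILLER + SAMPLE_PNG + FILLER + SAMPLE_BMP
               + FILLER + SAMPLE_DOCX + FILLER + SAMPLE_DOC)

if __name__ == "__main__":
    for hit in carve(UNALLOCATED):
        print("%-16s offset=%6d length=%5d complete=%s"
              % (hit["type"], hit["offset"], hit["length"], hit["complete"]))
```

Three caveats a practitioner should keep in mind: this carver assumes contiguous files (fragmented files need a smarter carver), a PDF with incremental updates contains several %%EOF markers so the first one truncates the file, and the two-byte "BM" header will hit random data often, which is why the size field is validated before trusting the match.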

Data Acquisition and Duplication

Types of data acquisition:

Live – volatile data (RAM, cache, registry hives, etc.), collected from the running system.

Static – non-volatile data, collected from powered-off media.

Types of Volatile Data

Network state: open connections, open ports, ARP cache.

Current system date and time, command history, open files, clipboard data, logged-on users, system uptime.


DO NOT open or use the command shell or terminal of the suspect system; run trusted tools from your own media.

DO NOT work on the original evidence. Make two (2) copies for analysis.

If performing drive-to-drive imaging, use forensically wiped (clean) destination media.

Tools: ProDiscover, EnCase, FTK, The Sleuth Kit (TSK), X-Ways Forensics.

Acquiring Data on Linux

dd if=<source device> of=<destination image file>

Example (evidence drive attached through a write blocker): dd if=/dev/sdb of=/mnt/evidence/case1.img bs=4M conv=noerror,sync

Copy RAM:

dd if=/dev/mem of=/home/sam/mem.bin bs=1024

(Current kernels restrict /dev/mem to the first megabyte, so use a kernel-module acquirer such as LiME or AVML instead.)

Always use two (2) different tools when acquiring data.

Use hashing to validate data integrity: SHA-1 and MD5 (both are collision-broken, so record SHA-256 as well). dcfldd and dc3dd compute the hash while imaging.

Sparse data copy – only certain files/folders.

Bit-stream copy:

Disk to disk

Disk to image
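To make the imaging and hashing steps concrete, here is an added example in Python, not from the original notes: it copies a source bit-for-bit, computes MD5, SHA-1 and SHA-256 over the bytes as they are read (the dcfldd/dc3dd approach), then verifies the written image against both the recorded digest and a fresh hash of the source, and shows that a single altered byte fails verification. The "device" it images is a constructed file in a temporary directory; on a real acquisition the source path would be the block device behind a hardware write blocker.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024   # 1 MiB reads; on a real device use a multiple of its sector size

def image_device(source_path: str, image_path: str, chunk: int = CHUNK) -> dict:
    """Bit-for-bit copy of `source_path` into `image_path`, hashing the stream as it is written.
    The acquisition hash is therefore taken from the bytes actually read from the source."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(chunk)
            if not block:
                break
            dst.write(block)
            copied += len(block)
            for d in digests.values():
                d.update(block)
    return {"bytes": copied, **{name: d.hexdigest() for name, d in digests.items()}}

def hash_file(path: str, algo: str = "sha256", chunk: int = CHUNK) -> str:
    """Chunked hash of an arbitrarily large file (never read a whole image into memory)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_image(source_path: str, image_path: str, acquisition: dict) -> bool:
    """Independent check: re-hash the source and the image and compare both with the acquisition digest.
    Any mismatch means the image is not a faithful copy and must not be used for analysis."""
    return (os.path.getsize(image_path) == acquisition["bytes"]
            and hash_file(image_path) == acquisition["sha256"]
            and hash_file(source_path) == acquisition["sha256"])

def demo() -> tuple:
    """Image a constructed 2.5 MiB stand-in for a drive, verify it, then corrupt one byte and verify again."""
    workdir = tempfile.mkdtemp(prefix="case1_")
    device = os.path.join(workdir, "sdb_sample.bin")   # stands in for /dev/sdb behind a write blocker
    image = os.path.join(workdir, "case1.dd")
    with open(device, "wb") as f:                      # constructed content, not a real disk
        f.write(bytes(range(256)) * (10 * 1024) + b"TRAILING ODD BYTES")
    acquisition = image_device(device, image)
    verified = verify_image(device, image, acquisition)
    with open(image, "r+b") as f:                      # simulate a damaged or altered image
        f.seek(4096)
        f.write(b"\xFF")
    still_verified = verify_image(device, image, acquisition)
    return acquisition["bytes"], verified, still_verified

if __name__ == "__main__":
    print(demo())   # (2621458, True, False)
```

Record all three digests in the chain-of-custody notes at acquisition time; the SHA-256 is the one to rely on, since MD5 and SHA-1 collisions can be manufactured.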


Anti-Forensics

File/Data Deletion

FAT

When a file is deleted, the operating system overwrites the first byte of its directory entry with E5h and frees its clusters in the FAT; the rest of the entry (extension, size, first cluster) and the data itself remain until overwritten.

NTFS

The operating system marks the file's MFT record as unused and clears the corresponding cluster bits in $Bitmap.

The clusters then appear free for reuse.

The deleted file can be recovered as long as neither the MFT record nor its clusters have been reallocated.
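The E5h mark is easy to see in a hex dump of the directory region. Added example in Python, not from the original notes: it builds a constructed FAT directory with one live and one deleted 8.3 entry, then parses the region back, showing that the deleted entry keeps its extension, size and first cluster and loses only the first character of its name, which is enough to locate the data while its clusters remain unallocated.

```python
import struct

ENTRY_SIZE = 32
DELETED_MARK = 0xE5
LFN_ATTR = 0x0F
ATTR_FLAGS = {0x01: "R", 0x02: "H", 0x04: "S", 0x08: "V", 0x10: "D", 0x20: "A"}

def build_entry(name: str, ext: str, attrs: int, first_cluster: int, size: int) -> bytes:
    """Constructed 8.3 directory entry for the sample (timestamp fields zeroed)."""
    raw = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")   # 0-10: name + extension
    raw += struct.pack("<B", attrs) + bytes(8)                           # 11: attributes, 12-19: reserved/creation/access
    raw += struct.pack("<H", first_cluster >> 16)                        # 20-21: first cluster, high word (FAT32)
    raw += bytes(4)                                                      # 22-25: last write time/date
    raw += struct.pack("<H", first_cluster & 0xFFFF)                     # 26-27: first cluster, low word
    raw += struct.pack("<I", size)                                       # 28-31: file size in bytes
    return raw

def delete_entry(entry: bytes) -> bytes:
    """What the OS does on delete: only the first name byte becomes E5h; cluster and size stay put."""
    return bytes([DELETED_MARK]) + entry[1:]

def parse_directory(raw: bytes) -> list:
    """Walk a FAT directory region and return live and deleted entries alike."""
    entries = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = raw[off:off + ENTRY_SIZE]
        if e[0] == 0x00:
            break                          # end-of-directory marker: nothing after this was ever used
        if e[11] == LFN_ATTR:
            continue                       # long-file-name fragment, not a file record
        deleted = e[0] == DELETED_MARK
        base = (b"?" + e[1:8]) if deleted else e[:8]     # the first character is lost on deletion
        name = base.decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        hi = struct.unpack_from("<H", e, 20)[0]
        lo = struct.unpack_from("<H", e, 26)[0]
        entries.append({
            "name": name + ("." + ext if ext else ""),
            "deleted": deleted,
            "attributes": "".join(flag for bit, flag in ATTR_FLAGS.items() if e[11] & bit),
            "first_cluster": (hi << 16) | lo,
            "size": struct.unpack_from("<I", e, 28)[0],
            "entry_offset": off,
        })
    return entries

def data_offset(entry: dict, bytes_per_cluster: int, data_region_start: int) -> int:
    """Byte offset of the entry's first cluster: FAT numbers data clusters from 2."""
    return data_region_start + (entry["first_cluster"] - 2) * bytes_per_cluster

# Constructed directory: one live spreadsheet, one deleted document, then the end marker.
SAMPLE_DIRECTORY = (build_entry("BUDGET", "XLS", 0x20, 0x1A2B, 40960)
                    + delete_entry(build_entry("REPORT", "DOC", 0x20, 1234, 24576))
                    + bytes(ENTRY_SIZE))

if __name__ == "__main__":
    for entry in parse_directory(SAMPLE_DIRECTORY):
        print(entry, "data at", hex(data_offset(entry, 4096, 0x100000)))
```

Recovery from here means reading size bytes starting at data_offset(), following the cluster chain if the file was fragmented; since the FAT entries for the freed clusters are zeroed on deletion, only the first cluster is certain, which is why recovery tools fall back to assuming contiguity.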

Location of the Recycle Bin

Windows 98 and earlier: Drive:\RECYCLED (FAT)

Windows 2000, NT and XP: Drive:\RECYCLER\<SID> (NTFS)

Windows Vista and later: Drive:\$Recycle.Bin\<SID>, where each deleted file is kept as a $R file (the content) and a matching $I file (original path, size and deletion time).

File Recovery Tools

Windows: Recover My Files, EaseUS Data Recovery Wizard.

Mac: File Recovery, Mac Data Recovery, MacKeeper File Recovery.

Linux: Stellar Phoenix Linux Data Recovery, R-Studio for Linux, TestDisk.

Partition Recovery Tools

Active@ Partition Recovery, Mac Data Recovery, NTFS Data Recovery Toolkit. When a partition is deleted, only the partition-table entry that defined it is removed; the data in the former partition stays on disk until overwritten.

Password Cracking

Brute Force

- Slowest, guesses by trying every combination of characters.

Dictionary

- Uses a wordlist.


Rule-based

- Something about the password is known (length, character set, pattern), and rules narrow the search accordingly.

Rainbow table

- Pre-computed hash lookup tables; effective against unsalted hashes such as Windows LM/NT hashes.

Default password

- Try vendor or application defaults first.

Rainbow Table Creation Tool

Rtgen and Winrtgen.

Security Account Manager (SAM)

The SAM hive is located at C:\Windows\System32\config\SAM. It is locked while Windows is running, so read it from a disk image or a volume shadow copy, together with the SYSTEM hive, which holds the boot key needed to decrypt the hashes.

Dumped entries (pwdump format) look like:

John:1004:aad3b435b51404eeaad3b435b51404ee:<NTLM hash>:::

i.e. user name : RID : LM hash (the value shown is the "no LM password" constant) : NT hash.

Tools to Crack the SAM File

L0phtCrack, Ophcrack, Cain & Abel

BIOS Cracking

Remove the CMOS battery for at least 10 to 30 minutes to clear the BIOS password (the firmware clock and settings are lost as well, so note them first).

Steganography

Technique of hiding a secret message within an ordinary message or file.

Steganalysis

- Art of discovering and rendering covert messages.


Tools

Gargoyle Investigator Forensic Pro

xsteg, StegSecret

Stegdetect

StegExpose

Operating System Forensics

Windows Forensics

Acquire (image) the memory of the target system before extracting volatile data, since every command you run changes it.

System time

o cmd > date /t and time /t

o net statistics server (reports the time the Server service started, i.e. the boot time)

Logged-on users

o PsLoggedOn

o net session

Open files

o PsFile

Network status

o netstat -ano

o nbtstat

Event logs

o psloglist.exe (log files are .evt on XP/2003 and .evtx from Vista onward)

ADS streams

o StreamArmor

Web cache, cookies and history

o MZCookiesView, ChromeCacheView, ChromeHistoryView, IECacheView, BrowsingHistoryView (NirSoft)

Metadata

o MetaShield Analyzer


Windows Forensic Tool

OSForensics

Helix3


Network Forensics

Network forensics is the capture, recording and analysis of network events in order to discover the source of security incidents.

Network Time Protocol (NTP)

o Synchronises the clocks of client computers, so that log entries from different systems can be correlated.

Centralised logging

o Uses a syslog server or a Security Information and Event Management (SIEM) system; a copy held off-host survives if the attacker wipes the local logs.

Log capture and analysis

o GFI EventsManager, Kiwi Log Viewer.

Network protocol analysers

o Wireshark, tcpdump, Capsa Network Analyzer.


Web Attacks

Web application forensics involves collecting and analysing logs and other artefacts along the complete path taken by a web request (client, proxy, web server, application, database).

Approach

Identify the nature of the attack

Capture volatile data

Make a forensic image

Analyse the logs

Collect application and server configuration files

Check firewall and IDS logs

Block the attack

Trace the source IP address

Check Event Viewer logs (C:\>eventvwr.msc)

Check network sessions:

- net view \\<ip address>   – file shares

- net session               – open sessions to this system

- net use                   – open sessions to other systems

- nbtstat -S                – NetBIOS over TCP/IP activity

- netstat -an               – TCP/UDP ports

Internet Information Server (IIS) Logs

%SystemDrive%\inetpub\logs\LogFiles\W3SVC<site id>\

IIS writes W3C-format logs with timestamps in UTC, so convert before correlating with Apache or Windows event logs, which are stamped in local time.

Apache Logs

Red Hat, CentOS, Fedora

/var/log/httpd/access_log

/var/log/httpd/error_log

Debian & Ubuntu

/var/log/apache2/access.log

/var/log/apache2/error.log

FreeBSD

/var/log/httpd-access.log

/var/log/httpd-error.log
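Once the access logs have been collected, the first pass is to find the requests that look like the attack and group them by source address. Added example in Python, not from the original notes: a parser for the Apache combined log format that URL-decodes the request path, tags SQL injection, directory traversal and command injection patterns plus known scanner user agents, normalises the Apache timestamp to UTC (so entries line up with IIS logs, which are already in UTC) and counts suspicious requests per IP. The log lines are constructed with RFC 5737 documentation addresses.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import unquote_plus

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?')

# Crude but useful first-pass indicators, matched against the URL-decoded request path.
INDICATORS = {
    "sqli": re.compile(r"'\s*(or|and)\s|union\s+select|sleep\s*\(|;\s*--", re.I),
    "traversal": re.compile(r"\.\./|\.\.\\", re.I),
    "cmd-injection": re.compile(r"[;|&]\s*(cat|ls|id|whoami|wget|curl)\b", re.I),
}
SCANNER_AGENTS = re.compile(r"sqlmap|nikto|nmap|masscan|dirbuster|gobuster", re.I)

def parse_line(line: str):
    """One combined-format line to a dict, or None if it does not parse (keep count of those)."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Apache stamps local time with an offset; normalise to UTC so it lines up with IIS and other sources.
    rec["utc"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc).isoformat()
    rec["decoded_path"] = unquote_plus(rec["path"])   # attackers encode payloads; match the decoded form
    return rec

def triage(lines) -> dict:
    """Parse, tag suspicious requests, and count them per source IP."""
    hits, by_ip, unparsed = [], Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        tags = [name for name, rx in INDICATORS.items() if rx.search(rec["decoded_path"])]
        if rec["agent"] and SCANNER_AGENTS.search(rec["agent"]):
            tags.append("scanner-ua")
        if tags:
            hits.append({"ip": rec["ip"], "utc": rec["utc"], "path": rec["decoded_path"],
                         "status": int(rec["status"]), "tags": tags})
            by_ip[rec["ip"]] += 1
    return {"hits": hits, "by_ip": by_ip, "unparsed": unparsed}

# Constructed access_log lines (RFC 5737 documentation addresses), not a real capture.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2020:10:15:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2020:10:15:03 +0000] "GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2020:11:15:05 +0100] "GET /index.php?id=1+UNION+SELECT+user,password+FROM+users HTTP/1.1" 200 12090 "-" "sqlmap/1.4"
198.51.100.23 - - [20/Jan/2020:10:16:10 +0000] "GET /download.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "curl/7.68.0"
192.0.2.44 - - [20/Jan/2020:10:17:00 +0000] "POST /login HTTP/1.1" 302 0 "https://shop.example/login" "Mozilla/5.0"
this line is corrupt and will not parse
""".splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for hit in result["hits"]:
        print(hit["utc"], hit["ip"], hit["tags"], hit["path"])
    print("per source:", dict(result["by_ip"]), "unparsed:", result["unparsed"])
```

Two things to note when running this over a real access_log: a 200 response to an injection attempt does not prove success (the application log and database log decide that), and double-encoded payloads (%2527) survive one round of decoding, so repeat unquote_plus until the string stops changing if the application is known to decode twice.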

Tools

Deep Log Analyzer

WebLog Expert

WHOIS lookups (to attribute the source IP address)


Database Forensics

Microsoft SQL Forensics

Microsoft SQL forensics is performed after a security incident, to detect and analyse the malicious activity carried out against the SQL Server database files.

Data & Log Files

1. Primary data file (.mdf)

2. Secondary data file (.ndf)

3. Transaction log file (.ldf)

Location of Files

Database and logs

o %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\*.mdf

o %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\*.ldf

Trace files

o %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\LOG\log_#.trc

SQL Server error logs

- %ProgramFiles%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\LOG\ERRORLOG

(MSSQL11 is the SQL Server 2012 instance directory; other versions use a different number.)

Gather the Windows event logs as well.

Tools

ApexSQL Audit

SQLCMD

SQL Server Management Studio

MySQL Forensics

MySQL stores all databases, status and log files under its data directory.

Data directory

- C:\ProgramData\MySQL\MySQL Server 5.n\data

- C:\mysql\data

Tools: mysqldump, MySQL Access, MySQL DB Export, mysqlbinlog (reads the binary log of data-changing statements)


Cloud Forensics

Types of Cloud Computing

Infrastructure as a Service (IaaS)

o Provides virtual machines, hardware and operating systems.

o Example: Amazon EC2

Platform as a Service (PaaS)

o Provides development tools and a development platform.

o Example: Google App Engine

Software as a Service (SaaS)

o Provides software to subscribers on demand.

o Example: Office 365, Google Docs

Cloud Deployment Models

Private cloud – operated for a single organisation.

Public cloud – infrastructure offered to the general public.

Hybrid cloud – a combination of two or more deployment models.

Community cloud – shared between several organisations with common requirements.

Dropbox Cloud Storage

Free plan: deleted files can be recovered for thirty (30) days.

Paid plans: deleted files are retained for a longer period and can be recovered.

The account shows the last browser sessions, linked devices and linked apps.

Version history of files and an events log.

On Windows the client is installed in C:\Program Files (x86)\Dropbox

Default sync folder: C:\Users\<username>\Dropbox

Tools

WhatChanged Portable – scans for modified files and registry keys.

Magnet IEF – finds, analyses and reports digital evidence.

DataPulse, Directory Monitor.


Google Drive

Check the Trash, manage versions, recently used folders.

C:\Program Files (x86)\Google\Drive

C:\Users\<username>\Google Drive

C:\Users\<username>\AppData\Local\Google\Drive\user_default (sync databases)

Tools

UFED Cloud Analyzer


Malware Forensics

Malware forensics deals with identifying and capturing malicious code and evidence of its effect on the infected system.

Identifying Malware

Check installed programs, suspicious executables, auto-start locations, services, logs, user accounts, etc.

Extracting Malware

Balbuzard, Cryptam Malware Document Detection Suite.

Malware Analysis Lab

1. Allocate a physical system

2. Install the virtualisation software

3. Install the guest operating system

4. Isolate the system from the production network

5. Simulate internet services (tool: INetSim)

6. Disable shared folders and guest-to-host integration

7. Install malware analysis tools

8. Generate a hash of each OS image and tool (to detect tampering)

9. Take a clean snapshot, then copy the malware to the guest OS

Types of Malware Analysis

Static malware analysis

o Code analysis without executing the sample.

o Uses disassemblers – IDA Pro.

Dynamic malware analysis

o Behavioural analysis: actually running the sample.

o Requires a sandbox.

o Uses debuggers – GDB, OllyDbg, WinDbg.


Static Malware Analysis

1. Fingerprinting – create a hash (MD5/SHA-1/SHA-256) of the sample

2. Online and local malware scanning – VirusTotal and Jotti

3. String search – ResourcesExtract, Hex Workshop

4. Packing/obfuscation – PEiD detects packers, cryptors and compilers

5. Portable executable info – Dependency Walker; check the imported DLLs

6. Malware disassembly.

Dynamic Malware Analysis

1. System baseline

a. Take a snapshot; record network activity and open ports

2. Installation monitor

a. SysAnalyzer, to detect changes

3. Process monitor

a. Process Monitor and What's Running

4. File and folder monitor

a. Tripwire – scans and reports changes to system files.

b. Sigverif – checks the integrity of critical files digitally signed by Microsoft.

c. FCIV – computes MD5 and SHA-1 hashes.

5. Registry monitor

a. jv16 PowerTools

6. Network / Trojan / worm

a. Capsa Network Analyzer

7. Port monitor

a. netstat -ano
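Steps 1 and 4 above are one technique: hash everything before detonation, then diff afterwards. Added example in Python, not from the original notes, implementing that file-and-folder monitor: it snapshots a directory tree into a path-to-SHA-256 map, saves it as JSON, and reports files added, removed and modified after a simulated sample has dropped a payload, edited the hosts file and deleted a document. The guest tree is constructed in a temporary directory.

```python
import hashlib
import json
import os
import tempfile

def snapshot(root: str) -> dict:
    """Baseline: relative path -> SHA-256 for every regular file under root (symlinks skipped)."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for block in iter(lambda: f.read(1 << 20), b""):
                    h.update(block)
            baseline[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return baseline

def compare(before: dict, after: dict) -> dict:
    """What changed between two snapshots: dropped files, deleted files, altered contents."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }

def save(baseline: dict, path: str) -> None:
    """Keep the baseline off the analysis VM; it is the first thing a sample would want to tamper with."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)

def load(path: str) -> dict:
    with open(path) as f:
        return json.load(f)

def _write(root: str, rel: str, content: bytes) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(content)

def demo() -> dict:
    """Constructed guest tree: baseline it, 'run' a sample that drops, edits and deletes files, then diff."""
    root = tempfile.mkdtemp(prefix="guest_")
    _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
    _write(root, "usr/bin/app", b"\x7fELF...original binary...")
    _write(root, "home/me/note.txt", b"remember to patch\n")
    baseline_file = os.path.join(tempfile.mkdtemp(prefix="baseline_"), "baseline.json")
    save(snapshot(root), baseline_file)                 # stored outside the guest tree
    # simulated malware behaviour
    _write(root, "etc/hosts", b"127.0.0.1 localhost\n0.0.0.0 update.vendor.example\n")   # blocks updates
    _write(root, "tmp/.svchost", b"MZ...dropped payload...")                              # new executable
    os.remove(os.path.join(root, "home", "me", "note.txt"))                               # destroyed file
    return compare(load(baseline_file), snapshot(root))

if __name__ == "__main__":
    print(demo())   # {'added': ['tmp/.svchost'], 'removed': ['home/me/note.txt'], 'modified': ['etc/hosts']}
```

On a real analysis VM, take the baseline from the clean snapshot, store it on the host, and diff against a snapshot taken after the sample has run; pair the result with the Process Monitor and registry captures to attribute each change to the process that made it.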


Email Forensics

Crimes

Spamming, mail bombing, harassment, child sexual abuse material, identity fraud, chain letters.

Investigating Emails

Headers – information about the origin, path and sender. Read the Received headers from the bottom up: the lowest one was added first, closest to the sender, and the top one was added by your own server and is the only one you can fully trust.

MS Outlook database

o %LOCALAPPDATA%\Microsoft\Outlook (on XP: \Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Outlook)

o Stored as .pst files (.ost for cached Exchange mailboxes)

MS Outlook Express files

o \Documents and Settings\<user>\Local Settings\Application Data\Identities\<user ID>\Microsoft\Outlook Express

o Stored as .dbx mailbox files (Outlook Express 5/6; .mbx in earlier versions)

Exchange Server log files

o C:\Program Files\Exchsrvr\<servername>.log (message tracking logs)

o Tools: MailDetective, FTK
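Added example in Python (standard library only, not from the original notes) for the header-analysis step: it parses a raw message, walks the Received headers from the bottom up to recover the hop chain and the originating IP, and flags the usual spoofing tells, namely a Reply-To, Return-Path or Message-ID domain that does not match the From domain. The message is constructed with RFC 5737 and RFC 2606 example addresses.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def parse_received(value: str) -> dict:
    """One hop: who handed the message over, who accepted it, the sending IP, and when."""
    flat = " ".join(value.split())                       # unfold continuation lines
    stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else ""
    ip, frm, by = IP_RE.search(flat), FROM_RE.search(flat), BY_RE.search(flat)
    return {
        "from": frm.group(1) if frm else "",
        "by": by.group(1) if by else "",
        "ip": ip.group(1) if ip else "",
        "time": parsedate_to_datetime(stamp).isoformat() if stamp else "",
    }

def analyze(raw: str) -> dict:
    msg = message_from_string(raw)
    # Each hop prepends its Received header, so the last one is the earliest: reverse to read origin first.
    hops = [parse_received(h) for h in reversed(msg.get_all("Received", []))]
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    message_id = msg.get("Message-ID", "").strip("<> ")
    from_domain = _domain(from_addr)
    flags = []
    for label, dom in (("Reply-To", _domain(reply_to)), ("Return-Path", _domain(return_path)),
                       ("Message-ID", _domain(message_id))):
        if dom and dom != from_domain and not dom.endswith("." + from_domain):
            flags.append(f"{label} domain ({dom}) differs from From domain ({from_domain})")
    return {
        "from": from_addr, "reply_to": reply_to, "return_path": return_path, "message_id": message_id,
        "origin_ip": hops[0]["ip"] if hops else "",
        "x_originating_ip": (msg.get("X-Originating-IP") or "").strip("[] "),
        "hops": hops, "flags": flags,
    }

# Constructed phishing message using RFC 5737/2606 example addresses; not a real capture.
SAMPLE_RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx1.victim.example (mx1.victim.example [192.0.2.10])
    by mail.victim.example with ESMTP id 7Q2x3; Mon, 20 Jan 2020 09:02:11 +0000
Received: from relay.mailer.example.net (relay.mailer.example.net [198.51.100.5])
    by mx1.victim.example with ESMTPS; Mon, 20 Jan 2020 09:02:10 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77])
    by relay.mailer.example.net with ESMTPA id 2Zt1; Mon, 20 Jan 2020 09:02:08 +0000
From: "IT Helpdesk" <helpdesk@victim.example>
Reply-To: reset-now@mailer.example.net
To: alice@victim.example
Subject: Password expiry
Message-ID: <20200120090208.1234@relay.mailer.example.net>
Date: Mon, 20 Jan 2020 09:02:08 +0000
X-Originating-IP: [203.0.113.77]

Your password expires today. Reset it at the link in this message.
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_RAW)
    for hop in report["hops"]:
        print(hop["time"], hop["ip"] or hop["from"], "->", hop["by"])
    print("origin:", report["origin_ip"], "| flags:", report["flags"])
```

Only the Received line added by your own mail server is trustworthy; everything below it, including X-Originating-IP, can be forged by the sender, so corroborate the origin with the receiving server's own logs and the sending IP's WHOIS record.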

Investigating Webmail

Check for cookies, history, URLs, Temporary Internet Files, cache, bookmarks and auto-complete form data.

Tools

Web Cache Illuminator

Cache Auditor

Internet Cache Explorer