digital forensic 101 - img1.wsimg.com
Digital Forensics 101
1 | P a g e
Table of Contents
The Need for Computer Forensics (p. 4)
Cybercrime (p. 4)
Rules of Forensics Investigations (p. 4)
Types of Digital Evidence (p. 4)
Computer Forensics Investigations Process (p. 5)
Forensics Lab Licensing (p. 5)
Forensics Lab Consideration and Need (p. 5)
Forensics Workstation (p. 5)
Collecting Physical Evidence (p. 6)
Powered-On Computers (p. 6)
Powered-Off Computers (p. 6)
Networked Computer (p. 6)
Operating System Shutdown Procedure (p. 6)
Windows 10, 8.1, 7, 2012, 2008 (p. 6)
MAC OS X (p. 7)
Seizing Portable Computers (p. 7)
Handling a Powered-On Portable Computer (p. 7)
Evidence Management (p. 7)
Exhibit Numbering (p. 7)
Duplicate the Data (Imaging) (p. 8)
Recover Lost or Deleted Data (p. 8)
Data Analysis (p. 8)
Hard Drive and File Systems (p. 9)
Disk Drive (p. 9)
HDD Structure (p. 9)
HDD Geometry = CHS Value (p. 9)
Slack Space (p. 9)
Types of Disk Partitions (p. 9)
Master Boot Record (MBR) (p. 9)
GUID Partition Table (GPT) (p. 10)
Identifying GPT (p. 10)
File System Analysis Tools (p. 10)
Windows File System (p. 10)
File Allocation Table (FAT) (p. 10)
New Technology File System (NTFS) (p. 10)
Linux File System (p. 11)
MAC OS X File System (p. 11)
Oracle Solaris 11 File System (p. 11)
CD-ROM/Digital Versatile Disk (DVD) (p. 12)
Data Carving (p. 12)
Data Acquisition and Duplication (p. 12)
Types of Volatile Data (p. 12)
Acquiring Data on Linux (p. 13)
Anti-Forensics (p. 14)
File/Data Deletion (p. 14)
Location of the Recycle Bin (p. 14)
Password Cracking (p. 14)
Rainbow Table Creation Tool (p. 15)
Security Account Manager (SAM) (p. 15)
Tools to Crack the SAM File (p. 15)
BIOS Cracking (p. 15)
Steganography (p. 15)
Tools (p. 16)
Operating System Forensics (p. 16)
Windows Forensics (p. 16)
Windows Forensic Tool (p. 17)
Network Forensics (p. 18)
Web Attacks (p. 19)
Approach (p. 19)
Internet Information Server (IIS) Logs (p. 19)
Apache Logs (p. 19)
Red Hat, CentOS, Fedora (p. 19)
Debian & Ubuntu (p. 19)
FreeBSD (p. 20)
Tools (p. 20)
Database Forensics (p. 21)
Microsoft SQL Forensics (p. 21)
Data & Logs Files (p. 21)
Location of Files (p. 21)
Tools (p. 21)
MySQL Forensics (p. 21)
Tools (p. 22)
Cloud Forensics (p. 23)
Types of Cloud Computing (p. 23)
Cloud Deployment Models (p. 23)
Dropbox Cloud Storage (p. 23)
Tools (p. 23)
Google Drive (p. 24)
Tools (p. 24)
Malware Forensics (p. 25)
Identifying Malware (p. 25)
Extracting Malware (p. 25)
Malware Analysis Lab (p. 25)
Types of Malware Analysis (p. 25)
Static Malware Analysis (p. 26)
Dynamic Malware Analysis (p. 26)
Email Forensics (p. 27)
Crimes (p. 27)
Investigating Emails (p. 27)
Investigating Webmail (p. 27)
Tools (p. 27)
The Need for Computer Forensics
Computer forensics deals with the process of finding evidence related to a digital crime in order to identify the culprits and initiate legal action against them. Cybercrime is defined as any illegal act involving a computer device, a network, its systems or its applications.
Cybercrime
Internal Attacks – Espionage
External Attacks – DoS, SQL attacks.
Rules of Forensics Investigations
1. Limited access and examination of the original evidence.
2. Record changes made to the evidence files
3. Create a chain of custody document
4. Set standards for investigating the evidence
5. Comply with the standards
6. Hire professionals for analysis of evidence
7. Evidence should be strictly related to the incident
8. The evidence should comply with jurisdiction standards
9. Document the procedures applied on the evidence
10. Securely store the evidence
11. Use recognised tools for analysis
Types of Digital Evidence
1. Volatile Data – Lost when the device is powered off. Examples: RAM, open files, clipboard content, etc.
2. Non-Volatile Data – Persistent data stored on secondary storage such as an HDD. Examples: hidden files, event logs, slack space, etc.
Computer Forensics Investigations Process
1. Pre-investigation Phase
a. Setting up a computer forensics lab, setting up the investigation team
2. Investigation Phase
a. Acquisition, preservation and analysis of evidentiary data.
3. Post-investigation Phase
a. Documentation and Reporting.
Forensics Lab Licensing
ASCLD/LAB Accreditation - American Society of Crime Lab Directors
ISO/IEC 17025 Accreditation.
Forensics Lab Consideration and Need
Dedicated internet connections
UPS for each workstation and equipment
Dry chemical fire extinguisher (Class A, B and C)
One (1) door with lock and log book.
Forensic Toolkit: Paraben’s First Responder Bundle, Digital Intelligence Forensic Hardware
(FRED)
Write Blocker
Stronghold Bag
Forensics Workstation
High capacity processor
8GB RAM (min.)
DVD/Blu-Ray R/W Drive
Motherboard supporting: IDE, SCSI, USB, NIC
Minimum of 2 HDD for loading different Operating Systems.
Extra RAM & HDD.
Collecting Physical Evidence
Handle all the pieces of the evidence collected carefully.
Tag all objects identified as evidence and mention all details on the tag, such as date & time, investigator's name, control number, etc.
Powered-On Computers
If the device is on, photograph the screen and document the running processes.
If a screensaver is on the screen, the investigator should move the mouse slowly without pressing the mouse buttons.
Powered-Off Computers
If it’s already off, leave it off.
If only the monitor is off, turn on the monitor and photograph the screen.
Networked Computer
Unplug the network cable from the router.
Photograph all the devices connected to the victim's computer from several angles.
Unplug all cords and devices connected to the computer, and label them.
Unplug the main power cord from the wall socket.
Operating System Shutdown Procedure
Windows 10, 8.1, 7, 2012, 2008
Take a photograph of the screen.
Document any running programs.
Unplug the power cord.
MAC OS X
Record the time from the menu bar.
Click the “apple icon” then select shutdown.
Unplug the power cord.
Seizing Portable Computers
Photograph the computer and connected equipment.
Record which cables are connected to which ports.
Label each connector.
Remove battery.
Handling a Powered-On Portable Computer
Handle it the same way as a powered-on desktop.
If it wakes up, record the time and date.
Prior to pulling the power cord, remove the battery.
If the battery cannot be removed, hold down the power button for 30 seconds to force the power off.
Evidence Management
Use a Chain of Custody. (Slide 2, page 116)
Exhibit Numbering
aaa/ddmmyy/nnnn/zz
aaa – initials of the investigator who seized the items.
ddmmyy – date of seizure.
nnnn – sequential number of the exhibits. Example, 001, 002.
zz – sequence number for parts of the same exhibit.
Duplicate the Data (Imaging)
Never use original evidence for analysis.
Make a bit-by-bit copy of the original.
Verify Integrity (use of hashing).
Recover Lost or Deleted Data
Recover My Files, Recuva, and EaseUS Data Recovery.
Data Analysis
FTK, Encase, The Sleuth Kit (TSK)
Hard Drive and File Systems
Disk Drive
HDD – Non-volatile, random access digital data storage.
SSD – Uses solid-state memory to store data.
HDD Structure
Platters
Tracks – concentric rings
Disk Blocks – smaller partitions. Each block is 512 bytes.
Each track contains a number of smaller units called sectors. A sector is the smallest physical storage unit on a disk platter. It is almost always 512 bytes in size.
HDD Geometry = CHS Value
Cylinders x Heads x Sectors per Track x 512 bytes
The CHS value gives the actual size of the HDD, not the advertised size.
Slack Space
Slack space is the area of a disk cluster between the end of the file and the end of the cluster. If the file size is less than the cluster size, a full cluster is still assigned to that file. The remaining space stays unused and is called slack space.
Types of Disk Partitions
Primary Partition
Extended Partition
Master Boot Record (MBR)
The MBR is the first sector (sector zero) of a data storage device.
MBR refers to the 512-byte boot sector.
The MBR holds information about the partitions on the disk, their location and size.
Holds the partition table, which is used to bootstrap an Operating System (OS).
The partition table is a 64-byte data structure storing information about the type of partitions present on an HDD and their location.
GUID Partition Table (GPT)
The GUID Partition Table (GPT) is a standard partitioning scheme for hard disks, based on Globally Unique Identifiers (GUIDs), and part of the Unified Extensible Firmware Interface (UEFI), which replaces legacy BIOS firmware interfaces.
UEFI overcomes the limitations of using MBR.
GPT allows partitions larger than 2 Terabytes (TB).
Uses CRC to ensure integrity.
Identifying GPT
Open Computer Management > Disk Management > right-click on Disk 0 > Properties.
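The partition-table layout described above (sector zero, a 64-byte table of four 16-byte entries, the 0x55AA signature) can be checked programmatically instead of through Disk Management. The following is an added example, not code from the original notes: it constructs a 512-byte MBR, parses the four entries, and recognises a GPT disk by the protective partition of type 0xEE that GPT places in the legacy MBR. The partition-type table and the sample geometry are constructed for the example.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446          # the 64-byte partition table starts here
GPT_PROTECTIVE = 0xEE       # type code of the protective MBR entry on a GPT disk

# A few common MBR partition-type codes (constructed subset for this example)
PART_TYPES = {
    0x05: "Extended (CHS)", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x83: "Linux", 0xEE: "GPT protective",
}

# One 16-byte entry: status, CHS start (3 bytes), type, CHS end (3 bytes), first LBA, sector count
ENTRY_FMT = "<B3sB3sII"

def build_mbr(entries):
    """Construct a 512-byte MBR for demonstration. `entries` holds up to four
    (bootable, type_code, first_lba, sector_count) tuples; bootstrap code is zero-filled
    and the CHS fields are left zero, as modern tooling relies on the LBA fields."""
    mbr = bytearray(SECTOR)
    for i, (bootable, ptype, first_lba, count) in enumerate(entries[:4]):
        status = 0x80 if bootable else 0x00
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", first_lba, count)
    mbr[510:512] = b"\x55\xAA"  # boot signature
    return bytes(mbr)

def parse_mbr(sector):
    """Return the non-empty partition entries of an MBR sector as dictionaries."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    parts = []
    for i in range(4):
        status, _, ptype, _, first_lba, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        if ptype == 0:          # unused slot
            continue
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type_code": ptype,
            "type": PART_TYPES.get(ptype, "unknown"),
            "first_lba": first_lba,
            "sectors": count,
            "size_bytes": count * SECTOR,
        })
    return parts

def is_gpt_disk(parts):
    """A GPT disk carries a single protective entry of type 0xEE in its legacy MBR."""
    return any(p["type_code"] == GPT_PROTECTIVE for p in parts)

if __name__ == "__main__":
    legacy = build_mbr([(True, 0x07, 2048, 204800), (False, 0x83, 206848, 1048576)])
    for p in parse_mbr(legacy):
        print(p)
    gpt = build_mbr([(False, GPT_PROTECTIVE, 1, 0xFFFFFFFF)])
    print("GPT disk:", is_gpt_disk(parse_mbr(gpt)))
```

On a real image the same parser is fed the first 512 bytes of the acquired file; if it reports a GPT protective entry, the actual partitions live in the GPT header and entry array starting at LBA 1, not in the MBR.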
File System Analysis Tools
Autopsy, The Sleuth Kit (TSK): fsstat, istat.
Windows File System
File Allocation Table (FAT)
FAT12, FAT16 and FAT32.
Boot sector is the first sector; 512 bytes.
FAT32 supports drives up to 2 TB.
New Technology File System (NTFS)
Windows XP, Vista, 7, 8, 10, Server 2003, 2012, NT 3.1
The first 16 sectors are used as the boot sector and the bootstrap code.
NTFS Master File Table (MFT)
A database that consists of information regarding the files and their attributes.
The first 16 records are reserved for the file system.
NTFS supports multiple data streams, or Alternate Data Streams (ADS): a set of named attributes that can hide data inside other files without affecting the "carrier" file size. ADS example:
C:\>ECHO text_message > myfile.txt:stream1 (Hide data)
C:\>MORE < myfile.txt:stream1 (View data)
NTFS – supports indexing, compression and encryption.
EFS – Encrypting File System. Introduced in NTFS 3.0.
Linux File System
EXT – Extended File System
EXT2 – Second Extended File System
EXT3 – Third Extended File System
EXT4 – Fourth Extended File System
MAC OS X File System
Hierarchical File System (HFS) now HFS+
o Designed by Apple
o HFS+ volumes are divided into logical blocks of 512 bytes.
Oracle Solaris 11 File System
ZFS – Zettabyte File System
o Superior performance and availability.
CD-ROM/Digital Versatile Disk (DVD)
Uses Compact Disk File System (CDFS)
Universal Disk Format (UDF)
Data Carving
Data carving is a technique to recover files and fragments of files from the unallocated space of a hard disk in the absence of file metadata.
File signatures (magic numbers) are used to identify the file format.
Tools: hex editor, WinHex.
JPEG: starts with FF D8 FF and has JFIF on the top row.
BMP: starts with 42 4D and has BM on the top row.
GIF: starts with 47 49 46 and has GIF on the top row.
PNG: starts with 89 50 4E and has %PDF on the top row.
DOC/DOCX: starts with D0 CF E0 A1 or 50 4B 03 04.
PPT/PPTX: starts with D0 CF E0 A1 B1 1A E1 or 50 4B 03 04 00 06 00
XLS/XLSX: starts with D0 CF E0 A1 B1 1A E1 or 50 4B 03 04 00 06 00
WMV: starts with 30
FLV: starts with 46
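The signature list above is what a carver matches against when no file-system metadata survives. The following is an added example, not code from the original notes: a small header-based carver that scans a constructed block of "unallocated space" at sector boundaries, reports the hex-editor "top row" for each hit, and recovers a complete file where the format has a known trailer (JPEG's FF D9, PNG's IEND chunk). The signature bytes in the table are taken from the published format specifications; the sample data is constructed.

```python
import hashlib

SECTOR = 512

# Header signatures as published in each format's specification (constructed table for this example).
# Order matters: the two-byte BMP signature is weak and is therefore tried last.
SIGNATURES = [
    ("JPEG", b"\xFF\xD8\xFF"),
    ("PNG", b"\x89PNG\r\n\x1a\n"),
    ("GIF", b"GIF8"),
    ("PDF", b"%PDF-"),
    ("OLE2 compound file (DOC/XLS/PPT)", b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"),
    ("ZIP / OOXML (DOCX/XLSX/PPTX)", b"PK\x03\x04"),
    ("BMP", b"BM"),
]

# Trailer markers that let the carver find the end of a file once its header is known
TRAILERS = {"JPEG": b"\xFF\xD9", "PNG": b"IEND\xAE\x42\x60\x82"}

def top_row(chunk):
    """The printable column a hex editor shows for the first 16 bytes ('JFIF', 'BM', '%PDF', 'PK', ...)."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in chunk[:16])

def identify(data, off):
    """Return (type name, signature) for a header at `off`, or None."""
    for name, magic in SIGNATURES:
        if data.startswith(magic, off):
            return name, magic
    return None

def carve(data, step=SECTOR):
    """Scan for known headers at sector-aligned offsets (files start on a sector or cluster
    boundary, and alignment also keeps the weak BMP signature from matching mid-sector noise)."""
    hits = []
    for off in range(0, len(data), step):
        found = identify(data, off)
        if found is None:
            continue
        name, magic = found
        end = None
        trailer = TRAILERS.get(name)
        if trailer:
            idx = data.find(trailer, off + len(magic))
            if idx != -1:
                end = idx + len(trailer)
        hits.append({
            "offset": off,
            "type": name,
            "top_row": top_row(data[off:off + 16]),
            "end": end,
            "recovered": data[off:end] if end is not None else None,
        })
    return hits

def build_sample():
    """Constructed 'unallocated space': one sector of filler followed by a tiny but complete PNG,
    a PDF header and an OLE2 header, each starting on a sector boundary."""
    filler = b"\x00" * 16 + hashlib.sha256(b"unallocated").digest() * 15 + b"\x00" * 16
    png = (b"\x89PNG\r\n\x1a\n"                      # signature
           + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13  # IHDR chunk (length, type, 13-byte body)
           + b"\x00\x00\x00\x00"                     # IHDR CRC (not validated here)
           + b"\x00\x00\x00\x00IEND\xAE\x42\x60\x82")  # empty IEND chunk with its fixed CRC
    pdf = b"%PDF-1.7\n%\xE2\xE3\xCF\xD3\n"
    ole = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 8
    pad = lambda blob: blob.ljust(SECTOR, b"\x00")
    return filler + pad(png) + pad(pdf) + pad(ole)

if __name__ == "__main__":
    for hit in carve(build_sample()):
        print(hit["offset"], hit["type"], hit["top_row"], "end:", hit["end"])
```

Headers with no reliable trailer (PDF, OLE2) are reported with their offset only; recovering those needs format-aware parsing of the internal structure, which is what tools such as WinHex do beyond this header match.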
Data Acquisition and Duplication
Types of Data Acquisition:
Live – Volatile (RAM, cache, registry, etc.)
Static – Non-Volatile
Types of Volatile Data
Network states, open connections, open ports, ARP cache.
Current system date & time, command history, open files, clipboard data, logged-on users, system uptime.
DO NOT OPEN or use the command shell or Terminal of the suspicious system.
DO NOT WORK on the original evidence. Make two (2) copies for analysis.
If performing drive-to-drive imaging, use clean media.
Tools: ProDiscover, Encase, FTK, The Sleuth Kit (TSK), X-Ways Forensics.
Acquiring Data on Linux
dd if=<source of data> of=<destination of data>
Example: dd if=/dev/hda of=/dev/case1.img1
Copy RAM
dd if=/dev/mem of=/home/sam/mem.bin bs=1024
Always use two (2) different tools when acquiring data.
Use hashing to validate data integrity: SHA-1 & MD5.
Sparse Data Copy – Only certain files/folders.
Bit Stream
Disk to Disk
Disk to Image
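The imaging rules given earlier (never analyse the original, make a bit-for-bit copy, verify integrity with hashes) and the hashing advice in this section come together in one routine. The following is an added example, not code from the original notes: it copies a source in fixed-size blocks while hashing the stream (the acquisition hash), re-hashes the finished image independently (the verification hash), and shows that a single corrupted byte in the image is detected. The "device" is a constructed 1 MiB file in a temporary directory; on a real acquisition `src` would be the block device opened through a write blocker.

```python
import hashlib
import os
import tempfile

# MD5 and SHA-1 are what the notes list; SHA-256 is added because MD5 and SHA-1 are
# collision-prone and many labs now require a stronger hash alongside them.
ALGORITHMS = ("md5", "sha1", "sha256")

def hash_file(path, block_size=1024 * 1024):
    """Hash a file in blocks so arbitrarily large images never have to fit in memory."""
    hashes = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            for h in hashes.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashes.items()}

def image_and_verify(src, dst, block_size=65536):
    """Bit-for-bit copy of `src` into `dst`. The source stream is hashed as it is read
    (acquisition hash); the written image is then hashed on its own (verification hash).
    Matching values prove the image is a faithful copy of what was read."""
    hashes = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(block_size), b""):
            fout.write(chunk)
            for h in hashes.values():
                h.update(chunk)
    acquisition = {alg: h.hexdigest() for alg, h in hashes.items()}
    verification = hash_file(dst)
    return {
        "acquisition": acquisition,
        "verification": verification,
        "verified": acquisition == verification,
    }

def demo():
    """Image a constructed 1 MiB 'device', verify it, then corrupt one byte of the image
    and show that re-hashing catches the change while the source hash is unaffected."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "evidence.raw")
        dst = os.path.join(work, "case1.img")
        with open(src, "wb") as fh:
            fh.write(bytes(range(256)) * 4096)   # constructed, deterministic content
        result = image_and_verify(src, dst)
        with open(dst, "r+b") as fh:              # simulate post-acquisition corruption
            fh.seek(100)
            fh.write(b"\x00")                     # original byte here is 0x64
        return {
            "verified": result["verified"],
            "tamper_detected": hash_file(dst) != result["acquisition"],
            "source_unchanged": hash_file(src) == result["acquisition"],
            "sha256": result["acquisition"]["sha256"],
        }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The acquisition hash belongs in the chain-of-custody record next to the exhibit number, so that anyone re-hashing the image later can prove it is unchanged since seizure.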
Anti-Forensics
File/Data Deletion
FAT
When a file is deleted, the Operating System replaces the first letter of the file name with the hex value E5h.
NTFS
The Operating System marks the file as deleted in the Master File Table (MFT).
The computer sees that there are empty clusters available for use.
The deleted file can be recovered if the space has not been reallocated.
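The E5h marker described above and the slack-space calculation from the Hard Drive section can both be seen by parsing raw FAT directory entries. The following is an added example, not code from the original notes: it constructs a few 32-byte FAT directory entries, flags the deleted one by its 0xE5 first byte (the lost first character is shown as `?`), reads each entry's first cluster and size, and computes how many clusters the file occupied and how much slack remained in the last one. The file names, cluster numbers and 4096-byte cluster size are constructed values.

```python
import struct

ENTRY_SIZE = 32
DELETED_MARK = 0xE5      # first byte of a deleted 8.3 entry
END_OF_DIR = 0x00        # first byte of the first never-used entry
LFN_ATTR = 0x0F          # long-file-name entries are skipped here

def make_entry(name83, size, first_cluster, deleted=False):
    """Construct a 32-byte short-name FAT directory entry (timestamps left zero) for the demo.
    `name83` is the 11-byte space-padded 8.3 name, e.g. 'REPORT  TXT'."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:11] = name83.encode("ascii").ljust(11, b" ")
    if deleted:
        raw[0] = DELETED_MARK                     # this is all a delete changes in the entry
    raw[11] = 0x20                                # archive attribute
    struct.pack_into("<H", raw, 20, first_cluster >> 16)      # high word (FAT32; reserved on FAT12/16)
    struct.pack_into("<H", raw, 26, first_cluster & 0xFFFF)   # low word
    struct.pack_into("<I", raw, 28, size)
    return bytes(raw)

def parse_directory(raw, cluster_size):
    """Walk a raw directory region and describe each short-name entry, deleted ones included."""
    entries = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = raw[off:off + ENTRY_SIZE]
        if e[0] == END_OF_DIR:
            break
        if e[11] == LFN_ATTR:
            continue
        deleted = e[0] == DELETED_MARK
        base = (b"?" + e[1:8]) if deleted else e[0:8]   # first character is unrecoverable from this entry
        ext = e[8:11]
        name = base.decode("ascii", "replace").rstrip()
        if ext.strip():
            name += "." + ext.decode("ascii", "replace").rstrip()
        first_cluster = (struct.unpack_from("<H", e, 20)[0] << 16) | struct.unpack_from("<H", e, 26)[0]
        size = struct.unpack_from("<I", e, 28)[0]
        clusters = -(-size // cluster_size) if size else 0    # ceiling division
        entries.append({
            "name": name,
            "deleted": deleted,
            "first_cluster": first_cluster,
            "size": size,
            "clusters": clusters,
            "slack_bytes": clusters * cluster_size - size,   # unused tail of the last cluster
        })
    return entries

def build_sample_directory():
    """Constructed directory: one live file, one deleted file, then the end-of-directory marker."""
    return (make_entry("REPORT  TXT", 5000, 1234)
            + make_entry("SECRET  DOC", 12345, 400, deleted=True)
            + bytes(ENTRY_SIZE))

if __name__ == "__main__":
    for entry in parse_directory(build_sample_directory(), cluster_size=4096):
        print(entry)
```

Because the delete only touches the first byte, the size and first-cluster fields of `?ECRET.DOC` are intact; a recovery tool follows that cluster chain as long as nothing has been written there since, which is exactly the condition stated above.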
Location of the Recycle Bin
Windows 98 and prior: Drive:\RECYCLED (FAT)
Windows 2000, NT & XP: Drive:\RECYCLER\S- (NTFS) (S = SID)
Windows Vista and later: Drive:\$Recycle.Bin
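On Vista and later the `$Recycle.Bin\<SID>` folder holds two files per deleted item: `$I<id>` with the metadata (original path, size, deletion time) and `$R<id>` with the content. The following is an added example, not code from the original notes: it constructs `$I` records in both known layouts (version 1 for Vista to 8.1 with a fixed 520-byte path field, version 2 for Windows 10 and later with a length-prefixed path) and parses them back, converting the Windows FILETIME deletion stamp to a UTC datetime. The paths and timestamps are constructed values.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC; this is the tick
# offset between that epoch and the Unix epoch.
FILETIME_EPOCH_DIFF = 116444736000000000
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520          # 260 UTF-16 code units, fixed size in version-1 records

def filetime_to_datetime(ft):
    return UNIX_EPOCH + timedelta(microseconds=(ft - FILETIME_EPOCH_DIFF) // 10)

def datetime_to_filetime(dt):
    return int((dt - UNIX_EPOCH).total_seconds()) * 10_000_000 + FILETIME_EPOCH_DIFF

def build_i_file(version, original_size, deleted_at, original_path):
    """Construct a $I record for the demonstration (real ones are read from $Recycle.Bin)."""
    encoded = (original_path + "\0").encode("utf-16-le")
    if version == 1:
        body = encoded.ljust(V1_PATH_BYTES, b"\0")
    elif version == 2:
        body = struct.pack("<I", len(original_path) + 1) + encoded   # length includes the terminator
    else:
        raise ValueError("unknown $I version")
    header = struct.pack("<QQQ", version, original_size, datetime_to_filetime(deleted_at))
    return header + body

def parse_i_file(raw):
    """Decode the header (version, original size, FILETIME) and the original path."""
    if len(raw) < 24:
        raise ValueError("too short to be a $I record")
    version, size, ft = struct.unpack_from("<QQQ", raw, 0)
    if version == 1:
        path_bytes = raw[24:24 + V1_PATH_BYTES]
    elif version == 2:
        nchars = struct.unpack_from("<I", raw, 24)[0]
        path_bytes = raw[28:28 + nchars * 2]
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = path_bytes.decode("utf-16-le", errors="replace").split("\0", 1)[0]
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(ft),
        "original_path": path,
    }

if __name__ == "__main__":
    when = datetime(2024, 3, 5, 14, 30, 0, tzinfo=timezone.utc)
    record = build_i_file(2, 2048, when, r"C:\Users\alice\Documents\notes.txt")
    print(parse_i_file(record))
```

The deletion time recovered here is in UTC regardless of the machine's local time zone, which is what makes `$I` records useful anchors when building a timeline from several sources.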
File Recovery Tools
Windows: Recover My Files, EaseUS Data Recovery Wizard.
MAC: File Recovery, MAC Data Recovery, MAC Keeper File Recovery.
Linux: Stellar Phoenix Linux Data Recovery, R-Studio for Linux, TestDisk.
Partition Recovery Tools
Active@ Partition Recovery, MAC Data Recovery, NTFS Data Recovery Toolkit.
When a partition is deleted, not everything is erased; only the parameters which defined the partition are removed.
Password Cracking
Brute Force
- Slowest, guesses by trying every combination of characters.
Dictionary
- Uses a wordlist.
Rule Based
- Some information about the password is known.
Rainbow Table
- Pre-computed lookup tables
Default Password
Rainbow Table Creation Tool
Rtgen and Winrtgen.
Security Account Manager (SAM)
The SAM file is located in C:\Windows\system32\config\SAM
Format of a dumped SAM entry: Uname : UID : LM Hash : NTLM Hash
Example: John : 1004 : ****No Password**** : <NTLM Hash>
Tools to Crack the SAM File
L0phtCrack, Ophcrack, Cain and Abel
BIOS Cracking
Remove CMOS Battery for at least 10 – 30 minutes.
Steganography
Technique of hiding a secret message within an ordinary message.
Steganalysis
- Art of discovering and rendering covert messages.
Tools
Gargoyle Investigator Forensic Pro
Xsteg secret
Stegdetect
StegExpose
Operating System Forensics
Windows Forensics
Acquire or duplicate the memory of the target system before extracting volatile data.
System Time
o cmd > date /t and time /t
o net statistics server
Logged-On Users
o PsLoggedOn
o net sessions
Open Files
o PsFile
Network Status
o netstat -ano
o nbtstat
Event Logs
o psloglist.exe (log files are in .evt format)
ADS Stream
o Stream Armor
Web Cache, Cookie & History
o MZCookiesView, ChromeCacheView, ChromeHistoryView, IECacheView, BrowsingHistoryView.
Metadata
o Meta Shield Analyser
Network Forensics
Network forensics is the capturing, recording and analysis of network events in order to discover the source of security incidents.
Network Time Protocol (NTP)
o Synchronizes the clocks of client computers
Centralized Logging
o Uses syslog server or a Security Incident and Event Management (SIEM) system.
Log Capture & Analysis
o GFI Events Manager, Kiwi log Viewer.
Network Protocol Analyser
o WireShark, tcpdump, Capsa Network Analyser.
Web Attacks
Web application forensics involves the collection and analysis of logs and other artefacts along the complete path taken by a web request.
Approach
Identify the nature of the attack
Capture volatile data
Make forensic image
Analysis of logs
Collection of application and server configuration files
Check firewall and IDS logs
Block the attack
Trace source IP address
Check event viewer logs (C:\>eventvwr.msc)
Check network sessions
- net view <ip address> – file shares
- net session – open sessions
- net use – open sessions on other systems
- nbtstat -S – NetBIOS over TCP/IP activity
- netstat -an – TCP/UDP ports
Internet Information Server (IIS) Logs
%SystemDrive%\inetpub\logs\LogFiles
IIS records logs in UTC time format.
Apache Logs
Red Hat, CentOS, Fedora
/var/log/httpd/access_log
/var/log/httpd/error_log
Debian & Ubuntu
/var/log/apache2/access_log
/var/log/apache2/error_log
FreeBSD
/var/log/httpd-access.log
/var/log/httpd-error.log
Tools
Deep Log Analyser
Web Log Expert
WhoIS
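The "Analysis of logs" and "Trace source IP address" steps above, applied to the Apache access logs whose locations are listed, amount to parsing each request line, normalising its timestamp, and flagging requests that carry known attack indicators. The following is an added example, not code from the original notes: it parses constructed Apache "combined" log lines, converts the local-time stamps to UTC (so they line up with IIS logs, which are already in UTC), URL-decodes the request path, applies a small constructed indicator set for SQL injection, path traversal, command injection and webshell probes, and aggregates the hits per source IP. The log lines use RFC 5737 documentation addresses and are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import unquote

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Indicators matched against the URL-decoded path. Constructed for this example and
# deliberately small: these are triage hints that point an analyst at requests to review,
# not proof of compromise, and a production ruleset is far broader.
INDICATORS = {
    "sql_injection": re.compile(r"""['"]\s*(or|and)\s+|\bunion\b.*\bselect\b|;\s*drop\b""", re.I),
    "path_traversal": re.compile(r"\.\./|\.\.\\"),
    "command_injection": re.compile(r"[;&|]\s*(cat|wget|curl|nc|bash|sh|powershell)\b", re.I),
    "webshell_probe": re.compile(r"\.(php|jsp|aspx?)\?(cmd|exec|shell)=", re.I),
}

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Apache records local time with a numeric offset; normalise to UTC for cross-source timelines.
    rec["time_utc"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    rec["decoded_path"] = unquote(unquote(rec["path"]))   # second pass undoes double encoding
    rec["status"] = int(rec["status"])
    return rec

def classify(rec):
    return [name for name, rx in INDICATORS.items() if rx.search(rec["decoded_path"])]

def analyse(lines):
    """Run every line through the indicators; return alerts, a per-IP hit count and the
    number of lines that could not be parsed (those deserve a manual look too)."""
    alerts, per_ip, unparsed = [], Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        tags = classify(rec)
        if tags:
            per_ip[rec["ip"]] += 1
            alerts.append({"time_utc": rec["time_utc"].isoformat(), "ip": rec["ip"],
                           "path": rec["decoded_path"], "status": rec["status"], "indicators": tags})
    return {"alerts": alerts, "per_ip": dict(per_ip), "unparsed": unparsed}

# Constructed sample log (documentation IP ranges, no real hosts)
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Mar/2024:10:15:01 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [05/Mar/2024:10:15:09 +0100] "GET /products.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 9823 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [05/Mar/2024:10:15:12 +0100] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [05/Mar/2024:10:15:20 +0100] "GET /products.php?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Mar/2024:10:16:02 +0100] "POST /login HTTP/1.1" 302 0 "https://shop.example/login" "Mozilla/5.0"',
    'this line is corrupt and will not parse',
]

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for alert in report["alerts"]:
        print(alert)
    print("hits per source IP:", report["per_ip"], "unparsed:", report["unparsed"])
```

The status codes matter when reading the alerts: a 500 after a UNION SELECT probe says the query reached the database, which is a different finding from a 404 on a traversal attempt, and it tells you which application and database logs to pull next.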
Database Forensics
Microsoft SQL Forensics
Microsoft SQL forensics takes action when a security incident has occurred and detection and analysis of the malicious activities performed by criminals on the SQL database files are required.
Data & Logs Files
1. Primary Data File (MDF)
2. Secondary Data File (NDF)
3. Transaction Log Data File (LDF)
Location of Files
Database and Logs
o \\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\*.MDF
o \\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA\*.LDF
Trace Files
o \\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\LOG\LOG_#.TRC
SQL Server Error Logs
o \\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\LOG\ERRORLOG
Gather Windows Logs
Tools
Apex SQL DBA’s Apex SQL Audit
SQLCMD
SQL Server Management Studio
MySQL Forensics
MySQL stores all the databases, status and log files under the Data Directory.
Data Directory
- C:\ProgramData\MySQL\MySQL Server 5.n\
- C:\mysql\data
Tools: MySQL Dump, MySQL Access, MySQL DB Export, MySQL Binlog
Cloud Forensics
Types of Cloud Computing
Infrastructure as a Service (IaaS)
o Provides virtual machines, hardware and Operating System
o Example, Amazon EC2
Platform as a Service (PaaS)
o Provides development tools, development platform.
o Example, Google App Engine
Software as a Service (SaaS)
o Provides software to subscribers on demand.
o Example, Office 365, Google Docs
Cloud Deployment Models
Private Cloud – operates for a single organization.
Public Cloud – network that is open for public uses.
Hybrid Cloud – two or more types of clouds.
Community Cloud – shared between several organizations.
Dropbox Cloud Storage
Free version: files deleted in the last thirty (30) days can be recovered.
Commercial version: all deleted files can be recovered.
Last browser session, linked devices and linked Apps
Version history of files and events
In Windows, C:\Program Files (x86)\Dropbox
Default folder, C:\Users\username\Dropbox
Tools
WhatChanged Portable – scans for modified files and registries.
Magnet IEF – find, analyse and report digital evidence.
Data Pulse, Directory Monitor.
Google Drive
Check the trash, manage versions, recent folders.
C:\Program Files (x86)\Google\Drive
C:\Users\username\Google Drive
C:\Users\username\AppData\local\Google\Drive\user_default
Tools
UFED Cloud Analyser
Malware Forensics
Malware forensics deals with identifying and capturing malicious code and evidence of its effect on the infected system.
Identifying Malware
Check installed programs, suspicious executables, auto-starting locations, services, logs, user accounts, etc.
Extracting Malware
Balbuzard, Cryturn, Malware Document Detection Suite.
Malware Analysis Lab
1. Allocate a physical system
2. Install virtual machine
3. Install guest operating system
4. Isolate the system
5. Simulate the internet (tool: INetSim)
6. Disable the shared folder and guest isolation
7. Install malware analysis tools
8. Generate hash of each OS and Tool
9. Copy malware to guest OS
Types of Malware Analysis
Static Malware Analysis
o Code analysis, without actually executing the code
o Use Disassemblers – IDA Pro.
Dynamic Malware Analysis
o Behavioural analysis, actually running the code.
o Require sandboxing
o Uses Debuggers – GDB, OllyDbg, Win Dbg
Static Malware Analysis
1. Fingerprinting – create a hash
2. Online & local malware scanning – Virus total and Jotti
3. String Search – Resources Extract, Hex Workshop
4. Packing / Obfuscation – PEiD detects packers, cryptors and compilers
5. Portable Exec Info – Dependency Walker, check for DLLs
6. Malware Disassembly.
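Steps 1, 3 and 4 of the static workflow above (fingerprinting, string search, packing detection) are the parts that can be scripted before a sample ever goes near a disassembler. The following is an added example, not code from the original notes: it hashes a sample with MD5, SHA-1 and SHA-256, extracts both narrow (ASCII) and wide (UTF-16LE) strings the way a strings tool does, and computes Shannon entropy per 4 KiB chunk, flagging values near 8 bits/byte as a sign of packing or encryption (the signal PEiD-style tools combine with signature checks). The sample is a constructed byte buffer with an MZ header, a few recognisable strings and one high-entropy region; the 7.2 threshold is a constructed heuristic value.

```python
import hashlib
import math
import re

PACKED_THRESHOLD = 7.2   # bits per byte; plain code and data usually sit well below this
CHUNK = 4096

def fingerprint(data):
    """Step 1: hashes used to look the sample up in VirusTotal/Jotti and to track it in the case file."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def extract_strings(data, min_len=5):
    """Step 3: printable ASCII runs plus UTF-16LE runs (Windows binaries store many strings wide)."""
    narrow = [m.group().decode("ascii")
              for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide = [m.group().decode("utf-16-le")
            for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return narrow + wide

def shannon_entropy(data):
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def entropy_map(data, chunk=CHUNK):
    """Step 4: per-chunk entropy; a packed or encrypted section stands out as a high plateau."""
    return [(off, round(shannon_entropy(data[off:off + chunk]), 2)) for off in range(0, len(data), chunk)]

def triage(data):
    emap = entropy_map(data)
    return {
        "size": len(data),
        "is_pe_candidate": data[:2] == b"MZ",     # DOS header magic; full PE parsing is a later step
        "hashes": fingerprint(data),
        "strings": extract_strings(data),
        "entropy": emap,
        "likely_packed": any(e >= PACKED_THRESHOLD for _, e in emap),
    }

def build_sample():
    """Constructed stand-in for a binary: a low-entropy header chunk with readable strings,
    followed by a high-entropy chunk (deterministic SHA-256 outputs stand in for packed code)."""
    header = b"MZ" + b"\x00" * 62
    text = (b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 16
            + "kernel32.dll".encode("utf-16-le") + b"\x00\x00")
    plain_chunk = (header + text).ljust(CHUNK, b"\x00")
    packed_chunk = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(CHUNK // 32))
    return plain_chunk + packed_chunk

if __name__ == "__main__":
    result = triage(build_sample())
    print(result["hashes"]["sha256"])
    print("strings:", result["strings"][:4])
    print("entropy by chunk:", result["entropy"], "likely packed:", result["likely_packed"])
```

A high-entropy region also tends to produce short runs of random printable bytes in the string output; a sample whose strings are mostly such junk is another hint that unpacking has to happen before step 6, disassembly, will show anything useful.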
Dynamic Malware Analysis
1. System Baseline
a. Take a snapshot, record network activity, open ports
2. Installation Monitor
a. SysAnalyzer, to detect changes
3. Process Monitor
a. Process Monitor and What’s Running
4. File & Folder Monitor
a. Tripwire – scan & report system files for changes.
b. Sigverif – checks integrity of critical files digitally signed by Microsoft.
c. FCIV – computes MD5 and SHA-1 hashes.
5. Registry Monitor
a. Jv16 power tools
6. Network / Trojan / Worm
a. Capsa Network Analyser
7. Port Monitor
a. netstat -ano
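Steps 1 and 4 above (take a baseline, then scan files for changes, the job Tripwire and FCIV do) reduce to hashing every file before the sample runs and diffing against a second pass afterwards. The following is an added example, not code from the original notes: it snapshots a directory tree as a path-to-SHA-256 map, then reports files that were added, removed or modified between two snapshots. The demo builds a small tree in a temporary directory and simulates what an installer might do (alter a config file, drop a new DLL, delete a binary); the file names are constructed and carry no meaning beyond the demonstration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map every file under `root` (relative path, '/' separators) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = digest
    return baseline

def diff_snapshots(before, after):
    """Classify changes between two snapshots; modified means present in both with a different hash."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(path for path in before.keys() & after.keys() if before[path] != after[path]),
    }

def _write(root, rel_path, content):
    full = os.path.join(root, *rel_path.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(content)

def demo():
    """Baseline a constructed tree, simulate an installation, and diff the two states."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/app.exe", b"original binary")
        _write(root, "cfg/settings.ini", b"[core]\nupdate=off\n")
        _write(root, "docs/readme.txt", b"unchanged")
        before = snapshot(root)
        # Simulated installer activity after the baseline was taken
        _write(root, "cfg/settings.ini", b"[core]\nupdate=on\n")   # modified
        _write(root, "tmp/dropped.dll", b"new component")           # added
        os.remove(os.path.join(root, "bin", "app.exe"))            # removed
        after = snapshot(root)
        return diff_snapshots(before, after)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Because the comparison is by content hash rather than by timestamp, a file rewritten with its original modification time (a common anti-forensic trick) still shows up as modified.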
Email Forensics
Crimes
Spamming, mail bombing, harassment, child porn, identity fraud, chain letters.
Investigating Emails
Headers – information about origin, path and sender.
MS Outlook Database
o \user\Local Settings\AppData\Microsoft\Outlook
o Stored as .pst file
MS Outlook Express Files
o Documents and Settings\user\Local Settings\AppData\Identities\user ID\Microsoft\Outlook Express
o Stored as .mbx (mail box)
Exchange Server Log Files
o C:\Program Files\Exchsrvr\servername.org
o Mail Detective, FTK
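The header analysis mentioned first in this list (origin, path and sender) is mostly a matter of reading the `Received` headers in the right order: every relay prepends its own, so the bottom one is the first hop and the top one the last. The following is an added example, not code from the original notes: it parses a constructed message with Python's standard `email` library, lists the hops oldest-first with their timestamps, and performs two consistency checks an analyst would do by hand, whether the first hop belongs to the domain in `From:` and whether the hop timestamps increase. Hostnames, addresses and IPs are constructed using reserved documentation ranges and example domains.

```python
import re
from email.parser import Parser
from email.utils import parseaddr, parsedate_to_datetime

# "from <host> (<comment>) by <host> ..." is the common shape of a Received header
RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)

def parse_received(value):
    """Pull the sending host, the receiving host and the timestamp out of one Received header."""
    m = RECEIVED_RE.search(value)
    stamp = None
    if ";" in value:                      # the date follows the last semicolon by convention
        try:
            stamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return {
        "from": m.group("host") if m else None,
        "from_info": (m.group("info") or "").strip() if m else "",
        "by": m.group("by") if m else None,
        "time": stamp,
    }

def trace_path(raw_message):
    """Hops in the order the message travelled (reverse of header order)."""
    msg = Parser().parsestr(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]

def summarize(raw_message):
    msg = Parser().parsestr(raw_message)
    hops = trace_path(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    origin = (hops[0]["from"] or "").lower() if hops else ""
    times = [h["time"] for h in hops]
    return {
        "from": msg.get("From"),
        "return_path": msg.get("Return-Path"),
        "message_id": msg.get("Message-ID"),
        "hops": hops,
        # Origin host should normally sit in the claimed sender's domain; a bare IP or an
        # unrelated host is a reason to look harder, not proof of forgery on its own.
        "origin_in_sender_domain": bool(sender_domain) and (
            origin == sender_domain or origin.endswith("." + sender_domain)),
        # Timestamps should rise hop by hop; a dip suggests a forged header or a skewed clock.
        "monotonic_timestamps": all(a is not None and b is not None and a <= b
                                    for a, b in zip(times, times[1:])),
    }

# Constructed message: claims to be from example.com but enters the relay chain from a bare IP
SAMPLE = """Return-Path: <bounce@relay1.example.net>
Received: from mx2.example.org (mx2.example.org [192.0.2.20])
\tby inbox.example.org with ESMTP id abc123;
\tTue, 05 Mar 2024 14:31:02 +0000
Received: from relay1.example.net (relay1.example.net [198.51.100.5])
\tby mx2.example.org with ESMTPS id def456;
\tTue, 05 Mar 2024 14:30:58 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay1.example.net with ESMTPA id ghi789;
\tTue, 05 Mar 2024 14:30:51 +0000
From: "Accounts" <accounts@example.com>
To: alice@example.org
Subject: Invoice
Message-ID: <20240305143050.1234@relay1.example.net>
Date: Tue, 05 Mar 2024 14:30:50 +0000

Please see the attached invoice.
"""

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for hop in report["hops"]:
        print(hop["time"], hop["from"], "->", hop["by"])
    print("origin in sender domain:", report["origin_in_sender_domain"])
    print("timestamps monotonic:", report["monotonic_timestamps"])
```

Only the `Received` line added by your own infrastructure can be trusted outright; everything below it was supplied by earlier relays and can be forged, which is why the origin check is a prompt for further verification rather than a verdict.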
Investigating Webmail
Check for cookies, history, URLs, Temporary Internet Files, cache, bookmarks, auto-complete form data.
Tools
Web Cache Illuminator
Cache Auditor
Internet Cache Explorer.