Computer forensic investigations are used to determine what activities, changes, and other actions have occurred on a system, who or what performed them, and what data is stored there. This means that computer forensic techniques are used in a variety of scenarios, including police investigations, inquiries into system administrator misuse, compromise and malware analysis, and investigations related to internal policy violations.
In this chapter you will learn how to be prepared to conduct basic forensic investigations. You will learn about forensics kits, their contents, and the use of the devices and tools they contain. Then, you will explore forensic tools and processes needed to capture and preserve forensics data for network-based, endpoint-based, mobile, and cloud and virtual investigations.
One of the first steps to being able to conduct a forensic investigation is to gather the right set of tools. Forensic tools come with a broad variety of capabilities, costs, and purposes. You should determine what types of investigations you are likely to conduct, what types of systems and devices you will need to analyze, and what evidentiary standards you will need to comply with before you build your toolkit.
A complete forensic toolkit is an important part of any forensic investigation. Not only can having the right tools and materials make the process easier, but it can also help ensure that your investigation has the right documentation and support materials in case you need to provide proof of your process—either in court, to management, or to auditors.
Over the next few pages you will learn about the major components of a forensic toolkit, including a forensic workstation, data capture tools and devices, and the administrative tools that help provide proper chain-of-custody tracking. Keep in mind how your organization is likely to conduct forensic investigations—not all of these components may be needed for your use cases.
The following components are common to most forensic toolkits. Forensic workstations may be a desktop, a laptop, or even a server, and the specific components should be tailored to your organization. But this basic set of items will allow you to perform forensic investigations under most circumstances.
Handling mobile device forensics can create additional challenges. The diversity of mobile device operating systems, connection types, security options, and software versions can make capturing data from devices difficult. Having the right tools plays a big role in successfully connecting to and capturing data from mobile devices. If you need to build a mobile forensic toolkit, you may need to add some or all of the following to your existing forensic kit:
There are many types of forensic software, ranging from purpose-built forensic suites and tools like FTK, EnCase, CAINE, Autopsy, and SIFT to forensic utilities like DumpIt and Memoryze. Many common Linux and Windows utilities also have forensic applications, including utilities like dd and WinDbg.
Forensic investigations can take many forms, which means that you'll need a broad software toolkit to handle situations, systems, and specific requirements you encounter. Key forensic tool capabilities to include in your forensic software toolkit are imaging, analysis, hashing and validation, process and memory dump analysis, password cracking, and log viewers.
The first step in many forensic investigations is to create copies of the media or disks that may contain data useful for the investigation. This is done using an imaging utility, which can create a forensic image of a complete disk, a disk partition, or a logical volume.
Forensic images exactly match the original source drive, volume, partition, or device, including slack space and unallocated space. Slack space is the space left when a file is written. This unused space can contain fragments of files previously written to the space or even files that have been intentionally hidden. Unallocated space is space that has not been partitioned. When used properly, imaging utilities ensure that you have captured all of this data.
Forensic analysis utilities provide a number of useful capabilities that can help offer insight into what occurred on a system. Examples include the following:
These analysis tools can help identify information that is useful for a forensic investigation but using them well requires detailed forensic knowledge to avoid missing important data.
When data is recovered as part of forensic analysis, the original filesystem may no longer be intact. In this, and other scenarios where the original filesystem cannot be used, file carving tools come in handy. File carving tools look at data on a block-by-block basis, looking for information like file headers and other indicators of file structure. When they find them, they attempt to recover complete or even partial files.
Three common types of file carving methods are as follows:
xFFxD8
in the header and xFFxD9
in the footer.Figure 13.2 shows a JPEG file opened in HxD, a free hex editor tool. At the top left of the image you can see the header information for the JPEG showing FF and D8 as the first pair of entries in the file.
Support for properly maintaining chain-of-custody documentation in an automated and logged manner is an important part of a forensic suite, and it is an important part of their documented forensic procedures for many organizations. Maintaining chain-of-custody documentation ensures that drive images and other data, as well as the actions taken using the suite, are properly validated and available for review, thus reducing the potential for legal challenges based on poor custodial practices.
One common use of forensic tools is in support of legal holds. A legal hold (or litigation hold) is conducted when information must be retained for a legal case. In this scenario, forensic and backup tools are often leveraged to ensure that a current copy of the target system, drive, or network storage location is preserved and maintained as required by the hold. Although forensic tools are often leveraged as part of this process, a purpose-built eDiscovery tool is often the better choice if your organization deals with a reasonable volume of legal holds.
Verification of the forensic integrity of an image is an important part of forensic imaging. Fortunately, this can be done using hashing utilities built into a forensics suite or run independently to get a hash of the drive to validate the contents of the copy. The goal of this process is to ensure that the copy exactly matches the source drive or device.
Forensic image formats like EnCase's EO1 format provide built-in hashing as part of the file. In cases where formats like these are not used, both MD5 and SHA1 hashes are frequently used for this purpose. Hashing large drives can take quite a bit of time even using a fast algorithm like MD5, but the process itself is quite simple as shown here. The following provides the MD5 hash of a volume mounted on a Linux system:
user@demo:~# md5sum /dev/sda1
9b98b637a132974e41e3c6ae1fc9fc96 /dev/sda1
To validate an image, a hash is generated for both the original and the copy. If the hashes match, the images are identical. Both hashes should be recorded as part of the forensic log for the investigation.
Hashing is also often used to validate binaries and other application related files to detect changes to the binaries. Manual checksums using MD5 or SHA1 utilities can be used to check if a file matches a known good version or one from a backup, or it can be checked against a provided checksum from a vendor or other source.
Fortunately for incident responders and forensic analysts, known file hash databases are maintained by a handful of organizations, including these:
www.owasp.org/index.php/OWASP_File_Hash_Repository
www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl
Many organizations also track known hashes of malware, allowing responders to upload suspected malicious code to have it checked.
Traditionally, the great majority of forensic activity has taken place on endpoint systems: servers, desktops, laptops, and mobile devices of all types. As organizations increasingly move to the cloud, more forensic activity is taking place there, but a majority of forensic work is likely to continue to involve traditional endpoints for most practitioners.
Information about the state of the operating system (OS), including the data that is stored in memory by processes, can be important to both forensic investigations as well as investigations of malware infections or compromise. Often data that is otherwise kept encrypted is accessible in memory to processes, or the encryption keys that those processes use to access encrypted data are available. The ability to capture memory, process information and data, as well as operate specific analysis capabilities, is a useful forensic capability. OS analysis can provide key data about what was occurring on a system during the timeframe targeted by an investigation.
In addition to live memory capture and analysis, memory dump analysis can be particularly valuable when recovering decryption keys for full-disk encryption products like BitLocker. Hibernation files and crash dumps can both contain the data needed to decrypt the drive, which makes accessing an unlocked machine critically important for a forensic practitioner.
The most common forensic activity for endpoints is disk, or storage-based analysis. This can range from manual inspection of files to complete imaging and analysis of entire disks or volumes as mentioned earlier in the chapter.
Conducting memory forensics requires either running live forensic analysis on a running machine or making a copy of live memory to point in time forensic memory analysis. Tools like Volatility, an open source memory forensics framework, can capture and analyze memory.
Volatility has a wide range of plug-in commands, including the ability to detect API hooks, read the keyboard buffer, grab the Windows clipboard, look for live TCP connections, scan for driver objects, and many more. If there is data accessible in live memory in an unencrypted form, you should assume it can be recovered—and if it is encrypted, the encrypted version can be accessed and potentially decrypted if the key is available.
Memory forensics can be particularly useful when attempting to recover security artifacts that are stored in memory when in use such as encryption keys and passwords. As a forensic practitioner, you should keep in mind that system crash dumps often contain a copy of live memory, making them an attractive target for both practitioners and knowledgeable attackers.
Mobile device forensic capabilities exist in many commercial forensic suites, as well as in the form of stand-alone tools. Due to the security features that many phone operating systems provide, they often have specialized decryption or brute-forcing capabilities to allow them to capture data from a locked and encrypted phone or phone volume.
Phone backup forensic capabilities are also a useful tool for mobile forensics. Backups may not have all current data, but they can contain older data that was deleted and may not have the same level of security that the phone itself does, thus making them an attractive target for forensic acquisition and review.
An increasing number of drives and devices are encrypted or use a password to protect the system or files. This makes password recovery tools (also called password crackers) very useful to a forensic examiner. Common places to discover password protection beyond the operating system or account level include Microsoft Office files, PDFs, as well as ZIP and RAR compressed files.
Recovering passwords for forensic investigations can be challenging, but tools like ElcomSoft's Advanced Office Password Recovery, shown in Figure 13.3, provide brute-force password breaking for a range of file types.
Cryptographic tools are common both to protect forensic data and to protect data and applications from forensics. Forensic tools often have encryption capabilities to ensure that sensitive data under forensic investigation is not breached as part of the investigation when drives or files are transferred, or if the forensic environment is compromised.
Encryption tools are also needed to handle encrypted drives and network protocols. These capabilities vary from tool to tool, but handling BitLocker, Microsoft Office, and other common encryption mechanisms are common tasks during forensic investigations.
When forensic techniques are used to investigate malware, encryption and other protection schemes are frequently encountered as a means of preventing code analysis of malware. Many malware packages use tools called “packers,” intended to protect them from reverse engineering. Packers are intended to make direct analysis of the code difficult or impossible. Some forensic tools provide support for unpacking and decoding from packing techniques like Base64 encoding.
Log files can provide information about the system state, actions taken on the system, and errors or problems, as well as a wide variety of other information. This makes log entries particularly useful when you are attempting to understand what occurred on a system or device. Forensic suites typically build in log viewers that can match log entries to other forensic information, but specialized logs may require additional tools.
Network traffic forensics require capturing traffic on the network or reviewing artifacts of that traffic like security or network device logs, traffic monitoring data, or other information that can help forensic practitioners to reconstruct events and incidents.
For the purposes of the CySA+ exam, you will need to know the basics of both Wireshark and tcpdump.
Wireshark is an open source network protocol analyzer (sometimes called a packet sniffer, or sniffer). It runs on many modern operating systems and can allow users to capture and view network data in a GUI. Captures can be saved, analyzed, and output in a number of formats.
Figure 13.4 shows a simple Wireshark capture of traffic to the CompTIA website. Note the DNS query that you can see that starts the connection. If you scrolled further you'd see the multitude of trackers and ad sites that also get hit along the way!
As you prepare for the CySA+ exam, you should spend a little time capturing traffic using Wireshark and tcpdump, and make sure you know the basics of how to find a packet by text strings and protocols. You should also be able to identify what common traffic like the start of a TCP connection looks like.
Tcpdump is a command-line packet capture utility found on many Linux and Unix systems. Tcpdump is a powerful tool, particularly when combined with other tools like grep to sort and analyze the same packet data that you could capture with Wireshark. Although Wireshark typically has to be installed on systems, tcpdump is more likely to be installed by default.
In Figure 13.5, you can see a tcpdump watching network traffic for DNS traffic.
As you can see, text representations of packets can be harder to sort through. In fact, when capturing this example the authors had to output the capture to a file rather than to the terminal buffer because loading the CompTIA website generated more traffic than the terminal's default buffer. Tcpdump is powerful and helpful, but you will need to learn how to filter the output and read through it.
Cloud computing, virtualization, and containerization have created a new set of challenges for forensic practitioners. Many of the artifacts that would have once been available are now part of ephemeral virtual machines or containers, or are hosted by third-party providers. Practitioners must plan in advance for how they will conduct forensic investigations, meaning you need to know what artifacts you can gather, what you will need to do to gather them, and what you may need to partner with a cloud provider to obtain, or if they will provide the access or data you need at all.
Performing forensic investigations on cloud services can be challenging, if not impossible. Shared tenant models mean that forensic data can be hard to get and often require the cloud service provider to participate in the investigation. Maintaining a proper chain of custody, preserving data, and many other parts of the forensic process are more difficult in many cloud environments.
If a cloud service is likely to be part of your forensic investigation, you may want to do the following:
Virtualization forensics can be somewhat less complex than attempting forensics on a hosted environment. Virtualized systems can be copied and moved to a secure environment for analysis, but as a forensic practitioner you will need to keep in mind your forensic goals. Incident response forensics may be easier since the evidentiary requirements are typically less than those found in a legal case, making how you handle the forensic copies of systems and how and when you capture them less critical.
Regardless of whether you're conducting an investigation for incident response, an internal investigation, or law enforcement, you will need to understand the limitations of what your capture and copying methods can do. Remember to also consider the underlying virtualization environment—and what you would do if the environment itself were the target of the forensic work!
Virtualization and containerization share many of the same goals and operate in somewhat similar ways. Figure 13.6 shows how the two concepts look at a high level. Note the separation of the virtual machines in the virtualized environment versus the applications running under the same containerization engine.
Containers are increasingly common, and container forensics can create some unique issues. Perhaps the most important of them is that most containers are designed to be disposable, and thus if something goes wrong many organizations will have processes in place to shut down, destroy, and rebuild the container in an automated or semi-automated fashion. Even if there isn't a security issue, due to their ephemeral nature, containers may be destroyed or rescheduled to a different node. This means that forensic artifacts may be lost.
Containerization technology also creates other challenges: internal lots and filesystem artifacts are ephemeral; they communicate over software-defined networks that change frequently as containers are bought online, taken offline, or moved; and security contexts are dynamically modified by the containerization orchestration tool.
All of this means that if you anticipate the need to respond to incidents involving containerized applications, you need to preplan to capture the data you will need. That means identifying tooling and processes to audit activities, as well as methods to capture data that may be necessary for container forensics. Fortunately, containerization security tools are available that can help with this.
Forensic investigations rely on more than just a forensic toolkit and a forensic suite. The process of conducting an investigation is often complex due to the number of systems, devices, individuals, and other material involved. Next, we will look at a typical forensic process.
Forensic investigations can take many forms and there are many formal models for forensic investigations, but the basic process involved when conducting them remains the same. In almost all investigations you will take these steps:
Acquisition processes need to take into account the order of volatility, which measures how easily data is to lose. This means that data stored in memory or caches is considered highly volatile, since it will be lost if the system is turned off, whereas data stored in printed form or as a backup is considered much less volatile. Figure 13.7 shows a view of the order of volatility of common storage locations that data is likely to be acquired from during a forensic investigation.
Target locations differ based on operating system or device type, but Windows, macOS, and Linux systems are the most common targets of forensic acquisition. Table 13.1 lists common locations and examples of how they might be used for Windows forensics.
This isn't an exhaustive list, and the needs of each forensic investigation will vary, but knowing where to look and what files you may need can help guide your decisions when determining which systems and volumes to image. Unfortunately, each Linux distribution and macOS version tends to have slightly different locations, making it harder to provide a simple list of common locations. You can find a useful macOS listing at forensicswiki.xyz/wiki/index.php?title=Mac_OS_X
. Linux forensics analysts will often target the contents of /var
, /home
, and /etc
as excellent starting locations for system logs, user data, and configuration information.
TABLE 13.1 Forensic application of Windows system artifacts
Windows | Use |
Windows Registry | Information about files and services, locations of deleted files, evidence of applications being run |
Autorun keys | Programs set to run at startup (often associated with malware or compromise) |
Master File Table (MFT) | Details of inactive/removed records |
Event logs | Logins, service start/stop, evidence of applications being run |
INDX files and change logs | Evidence of deleted files, MAC timestamps |
Volume shadow copies | Point-in-time information from prior actions |
User directories and files | Logged-in user artifacts |
Recycle Bin contents | Files that were intended to be deleted but forgotten |
Hibernation files and memory dumps | Memory artifacts of commands run |
Temporary directories | Artifacts of software installation, user temporary file storage, or other limited lifespan data |
Application logs | Application-specific data |
Removable drives (including flash drives) | System logs may indicate drives were plugged in; data may be relevant to investigations |
Drive and media images must be captured in a forensically sound manner. They also require hashing and validation, and with the exception of live system forensics where it cannot be completely avoided, forensic duplication should not change the source drive or device. To do this, an exact bit-for-bit copy is made using an imaging utility, write blockers are employed to prevent the possibility of modifying the source drive, and multiple copies are made so that the original drive can be retained for evidence.
Forensic copies of media don't work the same way that simply copying the files from one drive to another would. Forensic copies retain the exact same layout and content for the entire device or drive, including the contents of “empty” space, unallocated space, and the slack space that remains when a file does not fill all the space in a cluster.
The need for a verifiable, forensically sound image means that you need to use an imaging tool to create forensic images rather than using the copy command or dragging and dropping files in a file manager. Fortunately, there are a number of commonly available tools like dd or FTK's Imager Lite built into major forensic suites that can create forensic images.
The Linux dd utility is often used to clone drives in RAW format, a bit-by-bit format. dd provides a number of useful operators that you should set to make sure your imaging is done quickly and correctly:
bs
flag and is defined in bytes. By default, dd uses a 512-byte block size, but this is far smaller than the block size of most modern disks. Using a larger block size will typically be much faster, and if you know the block size for the device you are copying, using its native block size can provide huge speed increases. This is set using a flag like bs = 64k
.if
sets the input file; for example, if = /dev/disk/sda1
.of
sets the output file; for example, of = /mnt/usb/
.Figure 13.8 shows a sample dd copy of a mounted drive image to a USB device. The speed of copies can vary greatly based on block size, the relative speeds of the source and destination drive, and other variables like whether the system is virtual or physical.
Drive and device encryption is increasingly common, making dealing with drive images more challenging. Of course, live system imaging will avoid many of the issues found with encrypted volumes, but it brings its own set of challenges. Fortunately, commercial forensic suites handle many of the common types of encryption that you are likely to encounter, as long as you have the password for the volume. They also provide distributed cracking methods that use multiple computers to attack encrypted files and volumes.
Write blockers are an important tool for both forensic investigation and forensic drive image acquisition. During drive acquisition, using a write blocker can ensure that attaching the drive to a forensic copy device or workstation does not result in modifications being made to the drive, thus destroying the forensic integrity of the process. The same capability to prevent writes is useful during forensic analysis of drives and other media because it ensures that no modifications are made to the drive accidentally.
www.cftt.nist.gov/hardware_write_block.htm
.Image verification is critical to ensuring that your data is forensically sound. Commercial tools use built-in verification capabilities to make sure the entire image matches the original. When investigators use dd or other manual imaging tools, md5sum or sha1sum hashing utilities are frequently used to validate images. Each time you generate an image, you should record the hash or verification information for both the original and the cloned copy, and that information should be recorded in your forensic logbook or chain-of-custody form. FTK's Imager Lite will display the hash values in a report at the end of the process, as shown in Figure 13.9.
When systems are using full disk encryption, or when applications, malware, or other software may be memory resident without a copy on the disk, an image may need to be collected while the system is running.
Live imaging may not obtain some desirable data:
Both commercial and open source tools provide portable versions that can be loaded on a live system to provide live imaging capabilities.
There are many other types of specialized data beyond drive images that you may want to specifically target during acquisition. Fortunately, in most cases, forensic images of the host drives will also provide access to that data if it is resident on the systems. A few of the other areas you may want to specifically target include log data, USB device histories, application data, browser cache and history, email, and user-generated files.
Log data is often stored remotely and may not be accurate in the case of a compromised machine or if an administrator was taking actions they wanted to conceal. At other times an investigation may involve actions that are logged centrally or on network devices, but not on a single local system or device that you are likely to create a forensic image of. In those cases, preserving logs is important and will require additional work.
To preserve and analyze logs:
Windows tracks the history of USB devices connected to a system, providing a useful forensic record of thumb drives and other devices. USB Historian can be used to review this based on a mounted drive image. During a forensic examination, the information provided by USB Historian or similar tools can be used to match an inventory of drives to those used on a computer, or to verify whether specific devices were in use at a given time. USB Historian, shown in Figure 13.10, provides such data as the system name, the device name, its serial number, the time it was in use, the vendor ID of the device, what type of device it is, and various other potentially useful information.
Shutting down a system typically results in the loss of the data stored in memory. That means that forensic data like information in a browser memory cache or program states will be lost. Although capture information in memory isn't always important in a forensic investigation, it is critical to be able to capture memory when needed.
There are a number of popular tools for memory captures, with a variety of capabilities, including the following:
In addition to memory images, core dumps and crash dump files can provide useful forensic information, both for criminal and malware investigations. Since they contain the contents of live memory, they can include data that might not otherwise be accessible on the drive of a system, such as memory-resident encryption keys, malware that runs only in memory, and other items not typically stored to the disk.
The Windows crash dump file can be found by checking the setting found under Control Panel ➢ System And Security ➢ System ➢ Advanced System Settings ➢ Startup And Recovery ➢ Settings. Typically, crash dump files will be located in the system root directory: %SystemRoot%MEMORY.DMP
. Windows memory dump files can be analyzed using WinDbg; however, you shouldn't need to analyze a Windows kernel dump for the CySA+ exam.
Mobile device forensic acquisition typically starts with disabling the device's network connectivity and then ensuring that access to the device is possible by disabling passcodes and screen lock functionality. Once this is done, physical acquisition of the SIM card, media cards, and device backups occurs. Finally, the device is imaged, although many devices may be resistant to imaging if the passcode is not known or the device is locked.
There are four primary modes of data acquisition from mobile devices:
Much like desktop and server operating system forensics, a key part of mobile forensics is knowing the key file locations for useful forensic data. Table 13.2 lists some of the key locations for iOS devices.
TABLE 13.2 Key iOS file locations
Location | Content |
com.apple.commcenter.plist |
Device identification data |
com.apple.Maps.plist |
Map search history and latitude/longitude data |
SystemConfiguration/com.apple.wifi.plist |
Wi-Fi network data |
Library/CallHistory/call_history.db |
Phone call logs |
Library/SMS/sms.db |
SMS messages |
Library/SMS/Attachments |
MMS files |
Library/Safari |
Safari web browser data |
Library/Caches/com.apple.WebAppCache/ApplicationCache.db |
Web browser cache |
Library/Accounts/Accounts3.sqlite |
Account information |
/private/var/mobile/Library/Caches/com.apple.routined/ |
Frequent location data (binary plist) |
Similar information exists on Android, Windows, and other devices, although different carriers and OS versions may place data in slightly different locations. As you can see from the partial list of important files in Table 13.2, mobile phones can provide a very detailed history of an individual's location, communications, and other data if all of their data can be acquired.
In the following section, you will learn the basics of a forensic analysis using FTK. Since we have already discussed imaging, we will start from a previously acquired forensic image and will perform analysis, including
Remember that a full forensic examination of a system can involve more tasks than those listed here and that the scope and direction of the investigation will help to determine what those tasks are. You are also likely to encounter additional clues that will point you in new directions for forensic examination as you explore a system image.
Once you have a forensic image in hand and have made a copy to use in your investigation, you will typically import it into your forensic tool. Figure 13.11 shows how information about the case is captured as an image is imported.
Once your image has been imported into a case and properly logged, the image is then indexed and analyzed. This includes identifying file types, searching slack and unallocated space, building an index of file timestamps, and other analysis items. This can take some time, especially with large drives. Figure 13.12 shows the forensic image used for this case partially through the indexing process.
With indexing done, you can now begin to explore the forensic image. FTK provides a series of tabs with common evidence categories, including email, graphics, video, Internet/chat, bookmarks, and others. Most investigators will take some time to ensure that the operating system, time zone, and other computer information (such as which users have accounts on the system) are recorded at this stage.
Since this is a data leakage case, Internet browser history and email are likely to be of particular interest. Figure 13.13 shows how email can be read via FTK's browser capability. We can see an email that was sent reading “successfully secured.” Other emails also mention a USB device, and that spy would like it if the informant can deliver the storage devices directly. This provides another clue for further investigation.
Searching the web browser history provides more information about the informant's likely behavior. The history file for Chrome includes searches for antiforensics techniques and a visit to the antiforensics techniques page of forensicswiki.org
, as shown in Figure 13.14.
Since the informant searched for antiforensic techniques, it is likely that they applied them with some degree of success. A visit to the antiforensics techniques page, as well as searches for data that was deleted or otherwise hidden, is needed.
Some of this additional information can be gathered by reviewing data cached by Windows, including install information from the local user directories. Since the sample image is a Windows 7 machine, install information resides in C:Users
<username>
AppDataLocalTemp
. Checking there shows that iCloud was installed in the middle of the timeframe that email communications were occurring, as shown in Figure 13.15.
FTK also indexes and displays deleted files, allowing you to see that CCleaner, a system cleanup program that removes browser history and cache and wipes other information useful for forensic investigations, was removed from the system in Figure 13.16, and that Eraser, a file wiping utility, appears to have been partially deleted but left a remnant directory in the Program Files folder. Both of these utilities are likely to be found as part of an antiforensics attempt, providing further evidence of the user's intention to delete evidence.
At the end of the timeline for the informant in our case, a resignation letter is created and printed. This can be found easily using a timeline of events on the system, or as part of a manual file review using the indexed list of files and searching for Microsoft Office documents, as shown in Figure 13.17.
The final stage of forensic investigation is preparing and presenting a report. Reports should include three major components: the goals and scope of the investigation; the target or targets of the forensic activities, including all systems, devices, and media; and a complete listing of the findings and results.
This section of your report should include the goals of the investigation, including the initial scope statement for the forensic activities. This section will also typically include information about the person or organization that asked for the investigation. An example of a statement of the goals of an investigation is “John Smith, the Director of Human Resources, requested that we review Alice Potter's workstation, email, and the systems she administers to ensure that the data that was recently leaked to a competitor was not sent from her email account or workstation.”
The report you create should include a list of all the devices, systems, and media that was captured and analyzed. Targets should be all listed in your tracking notes and chain-of-custody forms if you are using them. The same level of detail used to record the system or device should be used in this listing. A sample entry might read:
Alice Potter's workstation, internal inventory number 6108, Lenovo W540 laptop, with Samsung SSD serial number S12KMFBD644850, item number 344
If large numbers of devices or systems were inspected, the full listing of targets is often moved to an appendix, and the listing of what was reviewed will list a high-level overview of systems, applications, devices, and other media, with a reference to the appendix for full detail.
Findings are the most critical part of the document and should list what was discovered, how it was discovered, and why it is important. The Stroz Friedberg forensic investigation conducted as part of a contract dispute about the ownership of Facebook provides an example of the detail needed in forensic findings, as shown in Figure 13.18. While the report is now dated, many of the same forensic artifacts and concepts still show up—although floppy disks have been replaced with flash media and cloud storage!
Cybersecurity analysts need to understand the tools, techniques, and processes required to conduct forensics. Forensics toolkits are typically built around powerful forensic workstations that may run a purpose-built forensic investigation suite or may provide individual forensic utilities and tools. Toolkits also often include write blockers, forensic duplicators, media, and documentation equipment and supplies. Specialized tools exist for mobile device forensics, law enforcement, and other types of specific forensic investigations.
Forensic software provides the ability to image and analyze systems, carve filesystems, and acquire data from various types of drives and devices. It also often supports important forensic functions, allowing analysts to maintain chain-of-custody documentation to provide who had access to an image and what was done with it. Hashing and validation are also critical to prove that forensic images match the original.
The forensic process includes identifying targets, conducting acquisition and validating that the images match, analysis, and reporting. A host of specific tools, techniques, file locations, and other elements come together as part of an investigation to create a complete forensic case. In the end, a forensic report must include the goals of the investigation, the targets, a listing of what was found, and careful analysis of what that data means.
Explain the purpose of forensic software and how it provides specialized capabilities for investigations. Forensic tools include analysis utilities that can provide timelines; file validation; filesystem analysis for changes, deletions, and other details; log file viewing; and other analysis. Key data acquisition capabilities include dead, or offline system, cloning and validation via hashing, the ability to identify changes to binaries and other files, filesystem carving, chain-of-custody and activity logging, and live system imaging. Password cracking and recovery, as well as the ability to decrypt common types of encrypted files, are necessary for many systems. Mobile forensic tools provide the ability to perform the same types of activities for iOS, Android, and other mobile platforms and their unique types of data.
Know where forensic activities take place and in what contexts and environments. Forensic activities occur on the network, endpoint systems and devices, on mobile devices, and in cloud, virtualization and containerized environments. Tools like Wireshark, tcpdump, and dd are used to conduct these investigations.
Be familiar with what's involved in a forensic investigation. This stage includes scoping, identifying locations of relevant data, planning, acquisition, analysis, and reporting. Targets include system information; file modification, access, and change detail; lots; user artifacts; and stored data like memory dumps, shadow copies, and Recycle Bin contents. Acquisition requires forensic validation and care to not modify the source data, typically including the use of write blockers.
Describe what tools are used in forensic investigations to review what occurred on a targeted system or device. Chain of custody and tracking of actions taken are critical to conducting a sound forensic investigation. Tools to capture and read network traffic, such as Wireshark, as well as endpoint tools that can read email, web history, deleted files, installed files, disk, memory, and other events make analysis simpler. Forensic discoveries will often result in further work to fully understand the timeline of events on a system.
In this exercise you will use dd to create a disk image and then verify the checksum of the image.
/dev/disk/by-label
, and make sure you see the name of the thumb drive you have mounted. mkdir ~/tmp
This will create a directory called tmp
in your home
directory.
home
directory:
md5sum /dev/disk/by-label/[label of your drive]> ~/exercise7_1_original.md5
dd if=/dev/disk/by-label/[label of your drive] of=~/tmp/exercise7_1_disk.img bs=64k
md5sum ~/tmp/exercise7_1_disk.img> ~/exercise7_1_clone.md5
more
command to view the files, or you can record the values here:
The values should be the same if your clone was successful.
The National Institute of Standards and Technology provides a set of practice forensic images that can be freely downloaded and used to hone your forensic skills. You can find the full set at www.cfreds.nist.gov
. For this exercise we will use the Rhino hunt scenario as well as the SANS SIFT image available from digital-forensics.sans.org/community/downloads
.
sudo apt-get install virtualbox-guest-dkms
and then reboot to get a useful screen resolution.)forensics
. wget http://www.cfreds.nist.gov/dfrws/DFRWS2005-RODEO.zip
unzip DFRWS2005-RODEO.zip
sudo mount -o loop, ro RHINOUSB.dd /mnt/usb
ls /mnt/usb
Note that you will see only two recipes for gumbo. Something was done to this drive that overwrote the original contents, and they need to be recovered!
Next we will recover deleted files using foremost, a utility that automatically recovers files based on file headers and other information.
mkdir output
RHINOUSB
image.
foremost -o output/ RHINOUSB.dd
To open the file you have recovered, click the filing cabinet icon at the top left of the screen, navigate to Home ➢ Output ➢ Doc, and then double-click on the DOC file you recovered. Read to the end of the file to determine what happened to the hard drive.
Once you know where the hard drive went, you are done with this exercise. The Rhino hunt has a lot more to it, so feel free to continue based on the NIST page's instructions.
Match each of the following tools to the correct description:
dd | A memory forensics and analysis suite |
md5sum | A GUI network traffic sniffer |
Volatility Framework | A device used to prevent forensic software from modifying a drive while accessing it |
FTK | Used to validate whether a drive copy is forensically sound |
Eraser | A Linux tool used to create disk images |
Write blocker | A command-line network packet sniffer |
WinDbg | A full-featured forensic suite |
Forensic drive duplicator | A tool used to review Windows memory dumps |
Wireshark | A drive and file wiping utility sometimes used for anti-forensic purposes |
tcpdump | A device designed to create a complete forensic image and validate it without a PC |
b49794e007e909c00a51ae208cacb169 original.img
d9ff8a0cf6bc0ab066b6416e7e7abf35 clone.img
C:WindowsSystem 32Installers
C:WindowsInstall.log
C:WindowsJimInstall.log
C:WindowsJimAppDataLocalTemp
%SystemRoot%MEMORY.DMP
%SystemRoot%/WinDbg