Key Toolkit Components

The following components are common to most forensic toolkits. Forensic workstations may be a desktop, a laptop, or even a server, and the specific components should be tailored to your organization. But this basic set of items will allow you to perform forensic investigations under most circumstances.

• A digital forensics workstation. A good forensic workstation is designed to allow for data capture and analysis, and those tasks can benefit from a powerful, multicore CPU and plenty of RAM. Having lots of fast, reliable storage is also important, since large investigations can deal with terabytes of data.
• A forensic investigation suite or forensic software like FTK, EnCase, the SANS Investigate Forensic Kit (SIFT), or The Sleuth Kit (TSK) that provides the ability to capture and analyze forensic images as well as track forensic investigations.
• Write blockers, which ensure that drives connected to a forensic system or device cannot be written to. This helps to ensure the integrity of the forensic investigation; having file access times changed—or worse, having the system that is analyzing the data modify the content of the files on the drive—can prevent forensic evidence from being useful.
• Forensic drive duplicators, which are designed to copy drives for forensic investigation and then provide validation that the original drive and the content of the new drive match. Many forensic tools and suites also offer this capability, but a dedicated cloning device can be useful (and can sometimes make it easier to prove that the duplication process was completed in a forensically sound manner).
• Wiped drives and wiped removable media of sufficient capacity to handle any drive or system that you are likely to encounter. Fortunately, large SATA hard drives, portable NAS devices, and large SSDs make it a lot easier to capture and transport multiple forensic images. Removable media, in the form of large USB thumb drives, writable Blu-ray or DVD media, or flash media, can also be valuable for transporting forensic data or for sending it to other organizations when necessary.
• Cables and drive adapters of various types to ensure that you can connect to most types of devices you are likely to encounter. In a corporate environment, you are likely to know what types of machines and drives your organization deploys, allowing you to select the right adapters and cables to match what you have. In law enforcement, consulting, or other environment where you may not know what you will encounter, having a broad selection of cables and adapters can be incredibly helpful.
• A camera to document system configurations, drive labels, and other information. Cameras are a surprisingly important part of forensic capture because they can speed up data recording and can provide a visual record of the state of a system or device.
• Labeling and documentation tools, including a label maker or labels, indelible pens, and other tools to help with chain-of-custody and forensic process documentation.
• Notebooks and preprepared documentation forms and checklists to record forensic investigation processes and notes. Common types of forms include chain-of-custody forms that track who was in possession of evidence at any time, incident response forms for tracking a response process, incident response plans and incident forms, and escalation lists or call lists of people to contact during a response process. These are sometimes replaced by a forensic recording software package or another software tool that provides ways to validate log entries and that tracks changes. Figure 13.1 shows an example of a chain-of-custody form.

Mobile Device Forensic Toolkit Components

Handling mobile device forensics can create additional challenges. The diversity of mobile device operating systems, connection types, security options, and software versions can make capturing data from devices difficult. Having the right tools plays a big role in successfully connecting to and capturing data from mobile devices. If you need to build a mobile forensic toolkit, you may need to add some or all of the following to your existing forensic kit:

• Tools for accessing SIM cards and flash memory cards. For some phones, this is simply a pin-style push device, whereas others may require small screwdrivers or other tools.
• A mobile device connection cable kit that includes the most common connector types for current and recent phones. This has become simpler in recent years, and having USB micro, Lightning, and USB-C connectors will cover most smartphones and tablets. Connecting to older phones and non-smartphones can still require additional proprietary cables. Fortunately, many vendors provide mobile device forensic cable kits, allowing you to buy many of the most common cables at once.
• Mobile device–specific forensic software and tools designed to target mobile device operating systems.

Imaging Media and Drives

The first step in many forensic investigations is to create copies of the media or disks that may contain data useful for the investigation. This is done using an imaging utility, which can create a forensic image of a complete disk, a disk partition, or a logical volume.

Forensic images exactly match the original source drive, volume, partition, or device, including slack space and unallocated space. Slack space is the space left when a file is written. This unused space can contain fragments of files previously written to the space or even files that have been intentionally hidden. Unallocated space is space that has not been partitioned. When used properly, imaging utilities ensure that you have captured all of this data.

Analysis Utilities

Forensic analysis utilities provide a number of useful capabilities that can help offer insight into what occurred on a system. Examples include the following:

• Timelines of system changes
• Validation tools that check known-good versions of files against those found on a system
• Filesystem analysis capabilities that can look at filesystem metadata (like the Windows Master File Table for NTFS) to identify file changes, access, and deletions
• File carving tools that allow the recovery of files without the filesystem itself available
• Windows Registry analysis
• Log file parsing and review

These analysis tools can help identify information that is useful for a forensic investigation but using them well requires detailed forensic knowledge to avoid missing important data.

Carving

When data is recovered as part of forensic analysis, the original filesystem may no longer be intact. In this, and other scenarios where the original filesystem cannot be used, file carving tools come in handy. File carving tools look at data on a block-by-block basis, looking for information like file headers and other indicators of file structure. When they find them, they attempt to recover complete or even partial files.

Three common types of file carving methods are as follows:

• Header- and footer-based carving, which focuses on headers like those found in JPEG files. For example, JPEGs can be found by looking for xFFxD8 in the header and xFFxD9 in the footer.
• Content-based carving techniques look for information about the content of a file such as character counts and text recognition.
• File structure-based carving techniques that use information about the structure of files.

Figure 13.2 shows a JPEG file opened in HxD, a free hex editor tool. At the top left of the image you can see the header information for the JPEG showing FF and D8 as the first pair of entries in the file.

Chain-of-Custody Tracking

Support for properly maintaining chain-of-custody documentation in an automated and logged manner is an important part of a forensic suite, and it is an important part of their documented forensic procedures for many organizations. Maintaining chain-of-custody documentation ensures that drive images and other data, as well as the actions taken using the suite, are properly validated and available for review, thus reducing the potential for legal challenges based on poor custodial practices.

Legal Holds

One common use of forensic tools is in support of legal holds. A legal hold (or litigation hold) is conducted when information must be retained for a legal case. In this scenario, forensic and backup tools are often leveraged to ensure that a current copy of the target system, drive, or network storage location is preserved and maintained as required by the hold. Although forensic tools are often leveraged as part of this process, a purpose-built eDiscovery tool is often the better choice if your organization deals with a reasonable volume of legal holds.

Hashing and Validation

Verification of the forensic integrity of an image is an important part of forensic imaging. Fortunately, this can be done using hashing utilities built into a forensics suite or run independently to get a hash of the drive to validate the contents of the copy. The goal of this process is to ensure that the copy exactly matches the source drive or device.

Forensic image formats like EnCase's EO1 format provide built-in hashing as part of the file. In cases where formats like these are not used, both MD5 and SHA1 hashes are frequently used for this purpose. Hashing large drives can take quite a bit of time even using a fast algorithm like MD5, but the process itself is quite simple as shown here. The following provides the MD5 hash of a volume mounted on a Linux system:

user@demo:~# md5sum /dev/sda1
9b98b637a132974e41e3c6ae1fc9fc96 /dev/sda1

To validate an image, a hash is generated for both the original and the copy. If the hashes match, the images are identical. Both hashes should be recorded as part of the forensic log for the investigation.

Hashing is also often used to validate binaries and other application related files to detect changes to the binaries. Manual checksums using MD5 or SHA1 utilities can be used to check if a file matches a known good version or one from a backup, or it can be checked against a provided checksum from a vendor or other source.

Fortunately for incident responders and forensic analysts, known file hash databases are maintained by a handful of organizations, including these:

• The OWASP File Hash Repository: www.owasp.org/index.php/OWASP_File_Hash_Repository
• The NIST National Software Reference Library, which includes the Reference Data Set with digital signatures for software: www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl

Many organizations also track known hashes of malware, allowing responders to upload suspected malicious code to have it checked.

Disk Forensics

The most common forensic activity for endpoints is disk, or storage-based analysis. This can range from manual inspection of files to complete imaging and analysis of entire disks or volumes as mentioned earlier in the chapter.

Memory Forensics

Conducting memory forensics requires either running live forensic analysis on a running machine or making a copy of live memory to point in time forensic memory analysis. Tools like Volatility, an open source memory forensics framework, can capture and analyze memory.

Volatility has a wide range of plug-in commands, including the ability to detect API hooks, read the keyboard buffer, grab the Windows clipboard, look for live TCP connections, scan for driver objects, and many more. If there is data accessible in live memory in an unencrypted form, you should assume it can be recovered—and if it is encrypted, the encrypted version can be accessed and potentially decrypted if the key is available.

Memory forensics can be particularly useful when attempting to recover security artifacts that are stored in memory when in use such as encryption keys and passwords. As a forensic practitioner, you should keep in mind that system crash dumps often contain a copy of live memory, making them an attractive target for both practitioners and knowledgeable attackers.

Mobile Device and Cell Phone Forensics

Mobile device forensic capabilities exist in many commercial forensic suites, as well as in the form of stand-alone tools. Due to the security features that many phone operating systems provide, they often have specialized decryption or brute-forcing capabilities to allow them to capture data from a locked and encrypted phone or phone volume.

Phone backup forensic capabilities are also a useful tool for mobile forensics. Backups may not have all current data, but they can contain older data that was deleted and may not have the same level of security that the phone itself does, thus making them an attractive target for forensic acquisition and review.

Password Crackers and Password Recovery

An increasing number of drives and devices are encrypted or use a password to protect the system or files. This makes password recovery tools (also called password crackers) very useful to a forensic examiner. Common places to discover password protection beyond the operating system or account level include Microsoft Office files, PDFs, as well as ZIP and RAR compressed files.

Recovering passwords for forensic investigations can be challenging, but tools like ElcomSoft's Advanced Office Password Recovery, shown in Figure 13.3, provide brute-force password breaking for a range of file types.

Cryptography Tools

Cryptographic tools are common both to protect forensic data and to protect data and applications from forensics. Forensic tools often have encryption capabilities to ensure that sensitive data under forensic investigation is not breached as part of the investigation when drives or files are transferred, or if the forensic environment is compromised.

Encryption tools are also needed to handle encrypted drives and network protocols. These capabilities vary from tool to tool, but handling BitLocker, Microsoft Office, and other common encryption mechanisms are common tasks during forensic investigations.

When forensic techniques are used to investigate malware, encryption and other protection schemes are frequently encountered as a means of preventing code analysis of malware. Many malware packages use tools called “packers,” intended to protect them from reverse engineering. Packers are intended to make direct analysis of the code difficult or impossible. Some forensic tools provide support for unpacking and decoding from packing techniques like Base64 encoding.

Log Viewers

Log files can provide information about the system state, actions taken on the system, and errors or problems, as well as a wide variety of other information. This makes log entries particularly useful when you are attempting to understand what occurred on a system or device. Forensic suites typically build in log viewers that can match log entries to other forensic information, but specialized logs may require additional tools.

Wireshark Network Forensics

Wireshark is an open source network protocol analyzer (sometimes called a packet sniffer, or sniffer). It runs on many modern operating systems and can allow users to capture and view network data in a GUI. Captures can be saved, analyzed, and output in a number of formats.

Figure 13.4 shows a simple Wireshark capture of traffic to the CompTIA website. Note the DNS query that you can see that starts the connection. If you scrolled further you'd see the multitude of trackers and ad sites that also get hit along the way!

As you prepare for the CySA+ exam, you should spend a little time capturing traffic using Wireshark and tcpdump, and make sure you know the basics of how to find a packet by text strings and protocols. You should also be able to identify what common traffic like the start of a TCP connection looks like.

Tcpdump Network Forensics

Tcpdump is a command-line packet capture utility found on many Linux and Unix systems. Tcpdump is a powerful tool, particularly when combined with other tools like grep to sort and analyze the same packet data that you could capture with Wireshark. Although Wireshark typically has to be installed on systems, tcpdump is more likely to be installed by default.

In Figure 13.5, you can see a tcpdump watching network traffic for DNS traffic.

As you can see, text representations of packets can be harder to sort through. In fact, when capturing this example the authors had to output the capture to a file rather than to the terminal buffer because loading the CompTIA website generated more traffic than the terminal's default buffer. Tcpdump is powerful and helpful, but you will need to learn how to filter the output and read through it.

Performing Cloud Service Forensics

Performing forensic investigations on cloud services can be challenging, if not impossible. Shared tenant models mean that forensic data can be hard to get and often require the cloud service provider to participate in the investigation. Maintaining a proper chain of custody, preserving data, and many other parts of the forensic process are more difficult in many cloud environments.

If a cloud service is likely to be part of your forensic investigation, you may want to do the following:

• Determine what your contract says about investigations.
• Determine what legal recourse you have with the vendor.
• Identify the data that you need and whether it is available via methods you or your organization controls.
• Work with the vendor to identify a course of action if you do not control the data.

Performing Virtualization Forensics

Virtualization forensics can be somewhat less complex than attempting forensics on a hosted environment. Virtualized systems can be copied and moved to a secure environment for analysis, but as a forensic practitioner you will need to keep in mind your forensic goals. Incident response forensics may be easier since the evidentiary requirements are typically less than those found in a legal case, making how you handle the forensic copies of systems and how and when you capture them less critical.

Regardless of whether you're conducting an investigation for incident response, an internal investigation, or law enforcement, you will need to understand the limitations of what your capture and copying methods can do. Remember to also consider the underlying virtualization environment—and what you would do if the environment itself were the target of the forensic work!

Virtualization and containerization share many of the same goals and operate in somewhat similar ways. Figure 13.6 shows how the two concepts look at a high level. Note the separation of the virtual machines in the virtualized environment versus the applications running under the same containerization engine.

Container Forensics

Containers are increasingly common, and container forensics can create some unique issues. Perhaps the most important of them is that most containers are designed to be disposable, and thus if something goes wrong many organizations will have processes in place to shut down, destroy, and rebuild the container in an automated or semi-automated fashion. Even if there isn't a security issue, due to their ephemeral nature, containers may be destroyed or rescheduled to a different node. This means that forensic artifacts may be lost.

Containerization technology also creates other challenges: internal lots and filesystem artifacts are ephemeral; they communicate over software-defined networks that change frequently as containers are bought online, taken offline, or moved; and security contexts are dynamically modified by the containerization orchestration tool.

All of this means that if you anticipate the need to respond to incidents involving containerized applications, you need to preplan to capture the data you will need. That means identifying tooling and processes to audit activities, as well as methods to capture data that may be necessary for container forensics. Fortunately, containerization security tools are available that can help with this.

Forensic Copies

Forensic copies of media don't work the same way that simply copying the files from one drive to another would. Forensic copies retain the exact same layout and content for the entire device or drive, including the contents of “empty” space, unallocated space, and the slack space that remains when a file does not fill all the space in a cluster.

The need for a verifiable, forensically sound image means that you need to use an imaging tool to create forensic images rather than using the copy command or dragging and dropping files in a file manager. Fortunately, there are a number of commonly available tools like dd or FTK's Imager Lite built into major forensic suites that can create forensic images.

Imaging with dd

The Linux dd utility is often used to clone drives in RAW format, a bit-by-bit format. dd provides a number of useful operators that you should set to make sure your imaging is done quickly and correctly:

• Block size is set using the bs flag and is defined in bytes. By default, dd uses a 512-byte block size, but this is far smaller than the block size of most modern disks. Using a larger block size will typically be much faster, and if you know the block size for the device you are copying, using its native block size can provide huge speed increases. This is set using a flag like bs = 64k.
• The operator if sets the input file; for example, if = /dev/disk/sda1.
• The operator of sets the output file; for example, of = /mnt/usb/.

Figure 13.8 shows a sample dd copy of a mounted drive image to a USB device. The speed of copies can vary greatly based on block size, the relative speeds of the source and destination drive, and other variables like whether the system is virtual or physical.

Handling Encrypted Drives

Drive and device encryption is increasingly common, making dealing with drive images more challenging. Of course, live system imaging will avoid many of the issues found with encrypted volumes, but it brings its own set of challenges. Fortunately, commercial forensic suites handle many of the common types of encryption that you are likely to encounter, as long as you have the password for the volume. They also provide distributed cracking methods that use multiple computers to attack encrypted files and volumes.

Using Write Blockers

Write blockers are an important tool for both forensic investigation and forensic drive image acquisition. During drive acquisition, using a write blocker can ensure that attaching the drive to a forensic copy device or workstation does not result in modifications being made to the drive, thus destroying the forensic integrity of the process. The same capability to prevent writes is useful during forensic analysis of drives and other media because it ensures that no modifications are made to the drive accidentally.

• Hardware write blockers prevent writes from occurring while a drive is connected through them. Hardware write blockers can be certified to a NIST standard, and testing information is available via the NIST Computer Forensics Tool Testing program at www.cftt.nist.gov/hardware_write_block.htm.
• Software write blockers are typically less popular than hardware write blockers, making them less common. Due to the possibility of problems, hardware write blockers are more frequently used when preventing writes from occurring is important.

Verifying Images

Image verification is critical to ensuring that your data is forensically sound. Commercial tools use built-in verification capabilities to make sure the entire image matches the original. When investigators use dd or other manual imaging tools, md5sum or sha1sum hashing utilities are frequently used to validate images. Each time you generate an image, you should record the hash or verification information for both the original and the cloned copy, and that information should be recorded in your forensic logbook or chain-of-custody form. FTK's Imager Lite will display the hash values in a report at the end of the process, as shown in Figure 13.9.

Acquiring and Reviewing Log Data

Log data is often stored remotely and may not be accurate in the case of a compromised machine or if an administrator was taking actions they wanted to conceal. At other times an investigation may involve actions that are logged centrally or on network devices, but not on a single local system or device that you are likely to create a forensic image of. In those cases, preserving logs is important and will require additional work.

To preserve and analyze logs:

• Determine where the logs reside and what format they are stored in.
• Determine the time period that you need to preserve. Remember that you may want to obtain logs from a longer period in case you find out that an issue or compromise started before you initially suspected.
• Work with system or device administrators to obtain a copy of the logs and document how the logs were obtained. Checksums or other validation are often appropriate.
• Identify items of interest. This might include actions, user IDs, event IDs, timeframes, or other elements identified in your scope.
• Use log analysis tools like Splunk, Sawmill, Event Log Analyzer, or even a text editor to search and review the logs.

Viewing USB Device History

Windows tracks the history of USB devices connected to a system, providing a useful forensic record of thumb drives and other devices. USB Historian can be used to review this based on a mounted drive image. During a forensic examination, the information provided by USB Historian or similar tools can be used to match an inventory of drives to those used on a computer, or to verify whether specific devices were in use at a given time. USB Historian, shown in Figure 13.10, provides such data as the system name, the device name, its serial number, the time it was in use, the vendor ID of the device, what type of device it is, and various other potentially useful information.

Capturing Memory-Resident Data

Shutting down a system typically results in the loss of the data stored in memory. That means that forensic data like information in a browser memory cache or program states will be lost. Although capture information in memory isn't always important in a forensic investigation, it is critical to be able to capture memory when needed.

There are a number of popular tools for memory captures, with a variety of capabilities, including the following:

• fmem and LiME, both Linux kernel modules that allow access to physical memory. fmem is designed to be used with dd or similar tools; LiME directly copies data to a designated path and file.
• DumpIt, a Windows memory capture tool that simply copies a system's physical memory to the folder where the DumpIt program is. This allows easy capture to a USB thumb drive and makes it a useful part of a forensic capture kit.
• The Volatility Framework supports a broad range of operating systems, including Windows, Linux, and macOS, and has a range of capabilities, including tools to extract encryption keys and passphrases, user activity analysis, and rootkit analysis.
• Both EnCase and FTK have built-in memory capture and analysis capabilities as well.

Using Core Dumps and Hibernation Files

In addition to memory images, core dumps and crash dump files can provide useful forensic information, both for criminal and malware investigations. Since they contain the contents of live memory, they can include data that might not otherwise be accessible on the drive of a system, such as memory-resident encryption keys, malware that runs only in memory, and other items not typically stored to the disk.

The Windows crash dump file can be found by checking the setting found under Control Panel ➢ System And Security ➢ System ➢ Advanced System Settings ➢ Startup And Recovery ➢ Settings. Typically, crash dump files will be located in the system root directory: %SystemRoot%MEMORY.DMP. Windows memory dump files can be analyzed using WinDbg; however, you shouldn't need to analyze a Windows kernel dump for the CySA+ exam.

Acquisitions from Mobile Devices

Mobile device forensic acquisition typically starts with disabling the device's network connectivity and then ensuring that access to the device is possible by disabling passcodes and screen lock functionality. Once this is done, physical acquisition of the SIM card, media cards, and device backups occurs. Finally, the device is imaged, although many devices may be resistant to imaging if the passcode is not known or the device is locked.

There are four primary modes of data acquisition from mobile devices:

• Physical, by acquisition of the SIM card, memory cards, or backups
• Logical, which usually requires a forensic tool to create an image of the logical storage volumes
• Manual access, which involves reviewing the contents of the live, unlocked phone and taking pictures and notes about what is found
• Filesystem, which can provide details of deleted files as well as existing files and directories

Much like desktop and server operating system forensics, a key part of mobile forensics is knowing the key file locations for useful forensic data. Table 13.2 lists some of the key locations for iOS devices.

Similar information exists on Android, Windows, and other devices, although different carriers and OS versions may place data in slightly different locations. As you can see from the partial list of important files in Table 13.2, mobile phones can provide a very detailed history of an individual's location, communications, and other data if all of their data can be acquired.

Goals of the Investigation

This section of your report should include the goals of the investigation, including the initial scope statement for the forensic activities. This section will also typically include information about the person or organization that asked for the investigation. An example of a statement of the goals of an investigation is “John Smith, the Director of Human Resources, requested that we review Alice Potter's workstation, email, and the systems she administers to ensure that the data that was recently leaked to a competitor was not sent from her email account or workstation.”

Targets

The report you create should include a list of all the devices, systems, and media that was captured and analyzed. Targets should be all listed in your tracking notes and chain-of-custody forms if you are using them. The same level of detail used to record the system or device should be used in this listing. A sample entry might read:

Alice Potter's workstation, internal inventory number 6108, Lenovo W540 laptop, with Samsung SSD serial number S12KMFBD644850, item number 344

If large numbers of devices or systems were inspected, the full listing of targets is often moved to an appendix, and the listing of what was reviewed will list a high-level overview of systems, applications, devices, and other media, with a reference to the appendix for full detail.

Findings and Analysis

Findings are the most critical part of the document and should list what was discovered, how it was discovered, and why it is important. The Stroz Friedberg forensic investigation conducted as part of a contract dispute about the ownership of Facebook provides an example of the detail needed in forensic findings, as shown in Figure 13.18. While the report is now dated, many of the same forensic artifacts and concepts still show up—although floppy disks have been replaced with flash media and cloud storage!