Mod 16
what are the parts of Anti-Forensics
1. Data Hiding 2. Artifact Wiping 3. Trail Obfuscation
Assembly language: registers frequently used as the source/destination pointers by instructions that copy memory (e.g. MOVS, STOS)
1. ESI - Source index 2. EDI - Destination index
what are some common forensic analysis tools associated with host based forensics
1. EnCase 2. Sleuth Kit/Autopsy 3. FTK (forensic tool kit)
Analysis: what are the three file systems
1. Ext2/3 2. FAT 3. NTFS
what are the four phases used in the digital forensics methodology
1. Incident Response 2. Acquisition 3. Analysis 4. Reporting
malware analysis: what are some common DLLs
1. Kernel32.dll 2. Advapi32.dll 3. User32.dll 4. Ntdll.dll 5. WSock32.dll & Ws2_32.dll 6. Wininet.dll
what are the two possible computer system states
1. Live 2. Dead
what are the two goals of Acquisition
1. Minimize data loss 2. avoid compromising the suspect system with additional data that may modify access time of files
Analysis: what are the two email programs and associated extensions
1. Outlook -- .pst and .ost 2. Outlook Express -- .dbx and .mbx
malware analysis: what three ways do malware writers use DLLs
1. storing the malicious code in a DLL 2. using Windows DLLs 3. using third-party DLLs
what are the four reasons why malware can create/copy (drop) files onto a system
1. to hide themselves 2. to install the malicious tools 3. to take advantage of an exploit 4. to install files needed for the tool to run properly
Analysis: what are the data sources for media analysis
1. unallocated space 2. slack space 3. swap space 4. dump or core files 5. hibernation files 6. temporary files 7. OS configuration files
Anti-Analysis: what are the three analyst countermeasures to VM checks
1. use a physical system instead of a virtual system for your lab 2. do not install VM tools (e.g. VMware Tools) on your VM 3. disable the VM-detecting code in the sample; this is referred to as patching
malware analysis: what are the steps to a PDF file malware execution
1. user opens the file 2. the embedded script executes... 3. ...or the script downloads the payload from the internet 4. malware is installed. note: the file usually also opens a legitimate-looking PDF as a decoy
what are the five pre-malware analysis activities
1. verify file header 2. virus scan 3. hash the file 4. strings analysis 5. identify packer
malware analysis: what are the classifications of malware
1. virus 2. worm 3. trojan 4. rootkit 5. adware/spyware 6. scareware 7. bot
what three questions must be answered before analysis can be conducted on a device
1. why was this device seized 2. what type of information do I expect to obtain 3. how long do I have to conduct analysis
what are the components of the analysis phase
1. timeline analysis 2. data sources for media analysis 3. file system analysis 4. hash analysis 5. fuzzy hashing 6. file signature analysis 7. string and keyword search 8. windows registry analysis 9. email analysis 10. browser history analysis 11. data recovery
methodology phase: this is the second phase, and is performed in a timely manner based on the nature of the investigation. the focus is to collect the relevant volatile and non-volatile data using sound forensic techniques and tools that ensure data integrity
Acquisition
these are used to take data as input and display it in a more useful format
Analysis tools
this is defined as an approach to manipulate, erase, or obfuscate digital data or to make its examination difficult, time consuming, or virtually impossible
Anti-Forensics
this state applies when systems are powered off leaving data "at rest" making it easier to gather the non-volatile unchanging data
Dead systems
static malware analysis: program that allows software developers to observe their program while it is running. when using a debugger, the file is viewed in assembly language, and the analyst can execute the file instruction by instruction
Debugger
methodology phase: this phase begins the documentation process in regards to chain of custody. It also serves as the basis of the analysis
Incident Response
Assembly language: register that acts as the CPU's stack pointer. stores the current position in the stack
ESP
this forensic workstation was developed by Guidance Software. it can analyze both Linux/UNIX and Windows OS based storage devices
EnCase forensic workstation
Analysis: where contents of memory automatically get stored during an error condition, creating files to assist in subsequent troubleshooting
dump or core files
Analysis: which file system annotates a file "deleted" timestamp
Ext2/3
Analysis: which file system does not have a metadata change time
FAT
malware analysis: this file format is the current Windows way to use libraries to share code among multiple applications. cannot be executed on its own
dynamic link libraries (DLL)
the goal of this process is to identify system changes such as registry key creation/modification, created files, or network activity
dynamic malware analysis
Anti-forensics: this is the technique of using a key and an algorithm to change the code in a way to make information unreadable
encryption
Terminology: electronically stored information found on or in use by digital media devices
evidence
Terminology: cryptographic hashes of files obtained prior to collection should match hashes obtained after collection
evidence integrity
Analysis: a header or footer within a file that indicates the application associated with a file or the type of file
file signature/ file signature analysis
Analysis: explores the file system's allocated space by mounting the image file on the forensic workstation as read-only
file system analysis
Anti-forensics: these utilities are used to delete individual files as well as unallocated/free space from an OS
file wiping
Assembly language: the basic tool for creating conditional code
flags
what is a standalone computer system utilized to perform forensic analysis of digital media
forensic workstation
Analysis: can be used to look for similar files
fuzzy hashing
acquisition: conducted when the hard drive is removed from the suspect system and connected to the analyst's forensics workstation
hardware acquisition
this is placed between the suspect hard drive and the acquisition system
hardware write-blocker
Analysis: a technique to reduce the search space by identifying known files by their hashes
hash analysis
Analysis: what is the name of the windows hibernation file
hiberfil.sys
Analysis: created to preserve the current state of a system.
hibernation files
Terminology: the initial response to a computer related event that seeks to verify an incident, triage the incident, and gather necessary evidence while minimizing data and evidence loss
incident response
Terminology: an analyst toolkit that resides on a separate storage media device
incident response disk
a helix linux boot cd is an example of what
incident response disk
Analysis: what file contains a users internet history
index.dat
Anti-Analysis: a popular language used for designing malicious web pages and obfuscating code to deter analysts or hide true intent
javascript
Terminology: list of words and phrases used to search evidence
keyword list
acquisition: in this situation the investigator may be forced to work on a live system. -system stays powered on -image can be obtained locally or over the network
live acquisition
obtains only the file system partition
logical drive imaging
this is defined as programming that is designed to disrupt or deny operation, or to gather information that leads to loss of privacy or exploitation
malicious software (malware)
the process of analyzing malware to determine exactly what the malware is designed to do
malware analysis
a one-way hash algorithm that takes a file of arbitrary length as input and outputs a 128-bit digest (written as 32 hexadecimal characters) that identifies the file's contents. note: MD5 collisions can be manufactured, so for evidence integrity record a SHA-256 hash alongside it
message digest (MD5)
what does malware often require to be completely malicious
network connectivity
what are the two disciplines of digital forensics
network-based, host-based
Anti-Analysis: this tool allows for debugging programs
ollyDbg
pre-malware: this refers to the process of compressing the original malicious executable and concealing it inside another executable
packing
Anti-Analysis: what are the two easiest methods of code obfuscating
packing or compressing
Analysis: a hidden system file that is used by windows for virtual memory when there is not enough physical memory to run programs
pagefile.sys
for what purpose does malware often make changes to the system registry
persistence or configuration data
considered the best evidence. grabs the entire contents of a drive or digital media device, including slack space, unallocated space, and swap space
physical drive imaging
malware analysis: this file format is used by windows executables, object code, and DLLs
portable executable (PE)
Assembly language: these are small chunks of internal memory that reside within the processor and can be accessed very easily
registers
the purpose of this is for the analyst to describe the actions performed, determine what other actions need to be performed, and recommend improvements to policies, guidelines, etc.
reporting
malware analysis: this is the process of analyzing something that has already been built, to determine how and why it functions
reverse engineering
class of malware: stealthy type of malware designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access
rootkit
class of malware: malware that makes you believe your computer is infected
scareware
what is the process of acquiring non-volatile data
simply making an exact physical copy of the device
acquisition: uses an incident response boot disk that can be used to collect or analyze files forensically
software acquisition
this is placed and used on the acquisition system to prevent writes to source data
software write-blocker
Analysis: a tool to help investigators check similarities between files by computing and comparing context triggered piecewise hashes (CTPH)
ssdeep
information on malware that cannot be identified when the program is executing is gained by what method
static malware analysis
Terminology: contains all the code necessary to successfully run as a standalone program and limit the impact on the suspicious computer
statically linked executable
Anti-forensics: this is a technique where information or files are hidden within another file in an attempt to hide data by leaving it in plain sight
steganography
Analysis: uses string searches to aid in examining large amounts of data to find keywords or strings
string and keyword searches
pre-malware: In a program this is a sequence of characters such as "the". searching them can be a simple way to get hints about the functionality of a program
strings
Analysis: used by the OS in conjunction with RAM to provide a large virtual memory area for data and code in use by applications
swap space
Analysis: created during OS/application install or upgrade
temporary files
what is the location of the master boot record (MBR)
the first physical sector of the drive (sector 0)
Analysis: used to sort file system files by their modified, accessed, changed, and created timestamps
timelines/ timeline analysis
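Worked example of timeline analysis in Python, added here as an illustration (it is not from the course). It takes constructed MACB records for three hypothetical files, merges them into one row per (timestamp, file) the way mactime's MACB column does, and flags the timestomping tell that the trail-obfuscation cards describe: a file whose modified time is earlier than its creation time. The paths and timestamps are invented sample data.

```python
# Each record: path plus the four timestamps (ISO 8601, UTC) or None when the file system
# lacks one (FAT has no metadata-change time; ext2/3 would add a fifth, "deleted", column).
# Constructed sample records, not taken from a real image.
SAMPLE_RECORDS = [
    {"path": r"C:\Windows\System32\svchost.exe",
     "btime": "2019-07-09T08:00:00Z", "mtime": "2019-07-09T08:00:00Z",
     "ctime": "2019-07-09T08:00:00Z", "atime": "2024-03-05T14:02:11Z"},
    {"path": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "btime": "2024-03-05T14:02:09Z", "mtime": "2024-03-05T14:02:09Z",
     "ctime": "2024-03-05T14:02:09Z", "atime": "2024-03-05T14:02:11Z"},
    {"path": r"C:\Users\bob\AppData\Roaming\svc.dll",          # mtime set back to 2010: timestomped
     "btime": "2024-03-05T14:02:12Z", "mtime": "2010-01-01T00:00:00Z",
     "ctime": "2024-03-05T14:02:12Z", "atime": "2024-03-05T14:02:12Z"},
]

# M = modified, A = accessed, C = metadata changed, B = born/created
FLAGS = (("M", "mtime"), ("A", "atime"), ("C", "ctime"), ("B", "btime"))


def build_timeline(records):
    """One row per distinct (timestamp, path), sorted by time, with a 4-char MACB flag string."""
    rows = {}
    for rec in records:
        for flag, key in FLAGS:
            ts = rec.get(key)
            if ts is not None:
                rows.setdefault((ts, rec["path"]), set()).add(flag)
    return [(ts, "".join(f if f in flags else "." for f, _ in FLAGS), path)
            for (ts, path), flags in sorted(rows.items())]


def find_anomalies(records):
    """Files 'modified' before they were created: a classic timestomping indicator."""
    return [r["path"] for r in records
            if r.get("mtime") and r.get("btime") and r["mtime"] < r["btime"]]


def window(timeline, start, end):
    """Slice the timeline to the incident window (ISO strings compare correctly as text)."""
    return [row for row in timeline if start <= row[0] <= end]


if __name__ == "__main__":
    for ts, macb, path in build_timeline(SAMPLE_RECORDS):
        print(ts, macb, path)
    print("timestomped:", find_anomalies(SAMPLE_RECORDS))
```

Reading the output top-down, the 2010 "M..." row for svc.dll sits far away from its own ".ACB" row at 14:02:12, which is exactly the kind of gap a timeline makes visible. On NTFS, compare the $STANDARD_INFORMATION times (what most tools show) with the $FILE_NAME times, which common timestomping utilities leave untouched.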
Anti-forensics: the purpose of this is to confuse, and divert the forensics examination process
trail obfuscation
class of malware: seemingly innocent file that contains malicious code
trojan
Analysis: deleted files remain here where clusters/blocks are not assigned but may contain data
unallocated space
class of malware: self replicating. attaches to executable programs and makes copies
virus
pre-malware: what must be done before analyzing a file to see if a known signature exists
virus scan
what is data that is likely to be erased if the device loses power.
volatile data
class of malware: self replicating. replicates over a network and does not need human interaction
worm
what are used to protect evidence disks by preventing accidental writes to source data
write-blockers
what hexadecimal represents the end of the MBR sector
0x55AA (the bytes 55 AA at offsets 510 and 511; read as a little-endian word the value is 0xAA55)
malware analysis: what are the portable executable file header sections
1) .text - instructions for the CPU 2) .rdata - read-only data, including the import/export information 3) .data - global data 4) .rsrc - resources (icons, menus, strings, sometimes embedded files) that are not part of the code
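Worked example, added here and not part of the course material: a minimal PE header and section-table parser in Python, run against two constructed (hypothetical) PE images, one with the four standard sections and one packed-style DLL with UPX0/UPX1 sections. The header layout, the IMAGE_FILE_DLL characteristic (0x2000) and the section flag bits are the real PE format values; the sample images are headers only and carry no code.

```python
import struct

IMAGE_FILE_DLL = 0x2000            # COFF Characteristics bit: image is a DLL, not a standalone exe
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc",
                     ".idata", ".edata", ".bss", ".tls", ".pdata"}
COFF_HDR = "<HHIIIHH"             # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> section table; flag packer-like sections."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ (DOS) header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from(COFF_HDR, data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]     # 0x10B = PE32, 0x20B = PE32+
    sections, warnings = [], []
    off = opt_off + opt_size
    for _ in range(nsections):
        raw_name, vsize, vaddr, rawsize, rawptr, _, _, _, _, schars = struct.unpack_from(SECTION_HDR, data, off)
        name = raw_name.rstrip(b"\x00").decode("ascii", "replace")
        wx = bool(schars & IMAGE_SCN_MEM_WRITE) and bool(schars & IMAGE_SCN_MEM_EXECUTE)
        sections.append({"name": name, "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_offset": rawptr, "wx": wx})
        if wx:
            warnings.append(f"section {name}: writable and executable")
        if name not in STANDARD_SECTIONS:
            warnings.append(f"section {name}: non-standard name (packer?)")
        if rawsize == 0 and vsize > 0:
            warnings.append(f"section {name}: raw size 0 but virtual size {vsize:#x} (unpacks at runtime?)")
        off += struct.calcsize(SECTION_HDR)
    return {"machine": machine, "is_dll": bool(chars & IMAGE_FILE_DLL),
            "pe32plus": magic == 0x20B, "sections": sections, "warnings": warnings}


def build_sample_pe(is_dll, sections):
    """Constructed minimal PE image for testing (headers only, no real code)."""
    opt_size = 224                                        # size of a PE32 optional header
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE header follows the DOS header
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)    # EXECUTABLE_IMAGE | 32BIT_MACHINE (| DLL)
    coff = struct.pack(COFF_HDR, 0x14C, len(sections), 0, 0, 0, opt_size, chars)   # 0x14C = i386
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)
    table = b"".join(struct.pack(SECTION_HDR, n.encode().ljust(8, b"\x00"), vs, va, rs, rp, 0, 0, 0, 0, fl)
                     for n, vs, va, rs, rp, fl in sections)
    return bytes(dos) + b"PE\x00\x00" + coff + opt + table


# (name, virtual size, virtual address, raw size, raw offset, characteristics)
CLEAN_SECTIONS = [(".text", 0x1000, 0x1000, 0x1000, 0x400, 0x60000020),
                  (".rdata", 0x800, 0x2000, 0x800, 0x1400, 0x40000040),
                  (".data", 0x400, 0x3000, 0x200, 0x1C00, 0xC0000040),
                  (".rsrc", 0x200, 0x4000, 0x200, 0x1E00, 0x40000040)]
PACKED_SECTIONS = [("UPX0", 0x20000, 0x1000, 0, 0x400, 0xE0000080),
                   ("UPX1", 0x8000, 0x21000, 0x7E00, 0x400, 0xE0000040),
                   (".rsrc", 0x1000, 0x29000, 0x1000, 0x8200, 0xC0000040)]

if __name__ == "__main__":
    for label, is_dll, secs in (("clean exe", False, CLEAN_SECTIONS), ("packed dll", True, PACKED_SECTIONS)):
        info = parse_pe(build_sample_pe(is_dll, secs))
        print(label, "is_dll=%s" % info["is_dll"], [s["name"] for s in info["sections"]])
        for w in info["warnings"]:
            print("  !", w)
```

A UPX0 section with raw size 0 and a large virtual size, plus write+execute permissions, is the signature of code that is decompressed into memory at run time, which is why the packer check belongs in the pre-analysis steps.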
Assembly language: what are the different flags
1. CF - carry flag 2. OF - overflow flag 3. ZF - zero flag 4. SF - sign flag 5. PF - parity flag
what are the three image file formats and extensions
1. Raw (dd) - uses .dd or .img -- no compression 2. Expert Witness Format (EWF) - uses .e01 -- can compress -- created by EnCase 3. Advanced Forensic Format (AFF) - uses .AFF -- can compress
Analysis: what are the OS configuration files analyzed
1. Users and groups 2. passwords 3. network shares 4. scheduled jobs 5. logs 6. system events 7. audit records 8. application events 9. command history 10. recently accessed files
malware analysis: what are four methods involving the use of MS word document file format
1. VBA Macros 2. Payload of a microsoft office exploit 3. embedded flash program 4. embedded javascript
Anti-Analysis: what are the four methods of anti analysis
1. VM detection 2. Anti-debugging checks 3. rootkit use 4. code obfuscation
analysis environment: what two machines make up the basic analysis environment
1. Victim machine- where all system and file analysis is conducted 2. Listener machine- contains the tools required for packet analysis or other type of networking traffic
pre-malware: what are 6 common examples of strings to look for
1. action words 2. IP addresses or domains 3. developer information 4. suspicious files or API calls 5. registry keys 6. packing routine identification
what are the eight different pieces of reportable information
1. anti-virus signatures 2. strings 3. created/deleted files 4. registry keys 5. callbacks 6. network traffic 7. obfuscation identification 8. miscellaneous information
Analysis: what are the three common string and keyword search techniques
1. based on patterns in their names 2. based on keywords in their content 3. based on temporal data, such as the last accessed time
what are some features of EnCase
1. can acquire data from multiple sources 2. produces exact binary duplicate of original drive 3. has National Software Reference Library (NSRL) included 4. automatically generates reports
what are the three versions of the dd image tool
1. dd 2. dd.exe 3. dcfldd
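Worked example, added here as an illustration (it is not the dd tool and not course code): a Python imitation of physical imaging in the style of dd conv=noerror,sync, followed by the before/after hash comparison from the evidence-integrity card. The "device" is a constructed temp file, and the bad-block set simulates an unreadable sector.

```python
import hashlib
import os
import tempfile

CHUNK = 4096   # block size, like dd's bs=


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file in chunks; returns {algorithm: hexdigest}. Record both, MD5 alone is not enough."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source, image, bad_blocks=frozenset()):
    """Copy source to image block by block. A block index listed in bad_blocks simulates a read
    error: as with conv=noerror,sync it is logged and written as zeros so later offsets stay put."""
    unreadable = []
    with open(source, "rb") as src, open(image, "wb") as dst:
        index = 0
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            if index in bad_blocks:
                unreadable.append(index)
                block = b"\x00" * len(block)
            dst.write(block)
            index += 1
    return unreadable


def verify(source, image):
    """Evidence integrity: hashes taken before (source) and after (image) acquisition must match."""
    before = hash_file(source)
    after = hash_file(image)
    return before == after, before, after


def demo():
    """Constructed sample: a 10-block 'device' file in a temp dir (assumed stand-in for a real disk)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "suspect.bin")
        img = os.path.join(tmp, "suspect.dd")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 160)          # 40960 bytes = exactly 10 blocks
        clean_bad = acquire(src, img)
        clean_ok, before, _ = verify(src, img)
        damaged_bad = acquire(src, img, bad_blocks={3})
        damaged_ok, _, _ = verify(src, img)
        return {"clean_ok": clean_ok, "clean_bad": clean_bad,
                "damaged_ok": damaged_ok, "damaged_bad": damaged_bad,
                "md5": before["md5"], "sha256": before["sha256"]}


if __name__ == "__main__":
    print(demo())
```

When a sector is zero-filled the image hash cannot equal the source hash, so the bad-block list goes in the acquisition notes and the hash of the image itself becomes the reference value for chain of custody; dcfldd's built-in hashing and bad-sector logging exist for exactly this reason.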
malware analysis: what are the two disciplines of malware analysis
1. dynamic analysis - analysis based on the file behavior (triage). this technique involves monitoring the system in which the file is executed to determine what has changed 2. static analysis - analyzing the file in a constant, non changing state. usually involves analyzing the file from a code level
what are the four steps to acquiring volatile data
1. establish a trusted command shell 2. establish a method for transmitting and storing the acquired information 3. collect volatile data from the system and output the collected data to a forensic workstation/storage device 4. correlate system/network based logs and mark the beginning and ending time when incident response was performed
what are the three purposes reports may be used for
1. evidence to help prosecute specific individuals 2. actionable intelligence to help stop or mitigate some activity 3. generate new leads for a case
what are the three reasons listed for performing static malware analysis
1. file is packed and unpacker is not available 2. file requires an encryption key 3. file does not reveal any activity during dynamic analysis
Anti-forensics: what are the different levels of encryption
1. file level encryption 2. whole disk encryption 3. partition level encryption 4. encrypted containers
what are the three data acquisition methods dependent on the incident situation
1. hardware 2. software 3. live
what four things are the SIM card necessary for
1. identifies subscriber to the network 2. stores personal information 3. stores address books and messages 4. stores service-related information
Analysis: what are the two categories of hashes in hash analysis
1. known - files that can be ignored. system files 2. notable - identified as illegal or inappropriate
Anti-forensics: what are methods of trail obfuscation
1. log cleaners 2. spoofing 3. misinformation 4. zombie accounts 5. trojaned commands
what are the three parts of the MBR
1. master boot program (bytes 0-445) 2. master partition table (64 bytes, four 16-byte entries) 3. 2-byte marker indicating the end of the sector
Anti-forensics: what are additional forms of data hiding, other than encryption, steganography, and ADS
1. memory 2. slack space 3. hidden directories 4. bad blocks/clusters 5. hidden partitions 6. host protected area of hard drive
what are the reasons for malware analysis
1. network defense 2. understand how malware works
what are five examples of volatile data
1. open ports 2. running processes 3. registers and cache 4. logged on users 5. timestamps
Anti-Analysis: what things can a malware check to avoid running in a VM
1. organizationally unique identifier (OUI) of the virtual NIC's MAC address 2. globally unique identifiers (GUID) 3. driver detection 4. I/O port detection
malware analysis: what are the common malware formats
1. portable executable format 2. dynamic link library 3. PDF 4. MS word document
Anti-Analysis: what are some clues that could identify the code as being obfuscated
1. random symbol names or random combinations of numbers and letters 2. use of non printable characters in symbol names 3. strings that identify packing routines 4. static analysis does not reveal any readable ASCII terms
Assembly language: what are the basic parts of assembly language
1. registers 2. memory stack 3. flags 4. instructional format
Analysis: what are things learned from NTUSER.dat
1. search history 2. typed URLs 3. last commands executed 4. last files saved 5. recent documents 6. application artifacts
Analysis: what are the five things learned from windows registry analysis
1. software that has been installed 2. system configuration 3. recently used files 4. startup programs 5. user data
Anti-forensics: this is the process by which a magnetic field is applied to a digital media device
disk degaussing
Anti-forensics: these utilities use a variety of methods to overwrite the existing data on disks
disk wiping
malware analysis: what is the main DLL function
DllMain()
Analysis: this usually refers to the extraction of deleted files from a file systems unallocated space
Data Recovery
defined as the practice of collecting and analyzing computer related data for investigative purposes in a manner that maintains the integrity of the data
Digital forensics
static malware analysis: takes a program's executable binary as input and generates textual files that contain the assembly language code for the entire program or parts of it
Disassembler
Terminology: a bit for bit image of the original evidence gathered from a system such as the hard drive, memory, or removable media
Disk image
Assembly language: generic registers used for any integer, boolean, or memory operation
EAX, EBX, EDX, ECX
Assembly language: register mostly used as the stack base pointer
EBP
this is a repository of electronic versions of captured material such as paper notes and documents as well as electronic files found on a variety of different media sources
Harmony database
what type of forensics are associated with dead systems
Host forensics
primarily concerned with computer workstations, removable storage devices, and other physical digital media storage devices
Host-based forensics
Anti-Analysis: allows you to load executable files and reverse engineer them by disassembling the program
IDA pro
this state applies when the systems are powered on with system processes running
Live system
malware analysis: this file format is one of the most effective methods of compromising computer security. involves emailing the victim a malicious office document
MS word document
Analysis: contains the configuration and environment settings which includes a great deal of identifiable data pertaining to user activity
NTUSER.dat
Intelligence gathered in theater will ultimately be logged where
National Media Exploitation Center (NMEC) database
Analysis: what is the name of the very large set of hashes maintained by the national institute of standards and technology
National Software Reference Library (NSRL)
what type of forensics are associated with live systems
Network forensics
collects and analyzes raw network data to systematically track network traffic to determine how an attack was carried out or how an event occurred on a network
Network-Based Forensics
Analysis: store OS and application settings that list the services to be started automatically after system boot
OS configuration files
malware analysis: malicious code writers have been embedding malicious scripts into this file format since 2001
PDF
Anti-Analysis: encoding in which each byte of the file has its bits rotated left/right by a certain number of positions
ROL/ROR
Anti-Analysis: encoded file has its alphabetic characters rotated by a certain number of positions
ROT
Anti-Analysis: released in 2004 by Joanna Rutkowska. a simple tool that reliably detects VM usage without looking for file system artifacts (it reads the IDT base address with the SIDT instruction, which differs under a hypervisor)
Red pill
this is a VMWare appliance created by SANS faculty fellow Rob Lee
SANS SIFT forensic workstation
Analysis: where file information from previous use is still available, long after deletions and rewrites, due to file system not using entire fixed length of clusters to store files
Slack space
Assembly language: an area in program memory used by the CPU and the program for short-term storage (return addresses, local variables, call arguments); data lives here slightly longer than it does in registers
Stack
this is a library and collection of command line tools that allow you to investigate volume and file system data. It works on both unix and windows platforms
The Sleuth Kit (TSK)
T/F: analysis involves forensically processing large amounts of collected data using a combination of automated and manual methods to assess and extract data of particular interest
True
T/F: if two hashes are the same, then the copy made is a bit for bit duplicate of the evidence
True
T/F: smart phones use either the same OS as PCs or a stripped down OS version
True
T/F: the SANS SIFT workstation is linux based
True
T/F: the file contents alone determine a hash value
True
malware analysis: T/F: DLLs use PE file format
True
what action may trigger Trojans, time bombs, and other malware to delete key volatile data
Using native commands on the suspicious computer
Anti-Analysis: this is the most popular self defense mechanism that malware authors will place in their code
VM detection
which OS requires the use of write-blockers
Windows
Anti-Analysis: method of encoding strings in a binary file. some or all bytes have been XOR'd with a constant value
XOR
volatile data provides the current state of a system or network device and is useful when dealing with what types of attacks
active network intrusion attacks
class of malware: a program that forces unsolicited advertising on end users
adware/spyware
Anti-forensics: NTFS feature that lets any kind of data be attached to any file in a separately named stream; the data is not in the file's main data stream, so the file's reported size and contents look unchanged
alternate data streams
methodology phase: during this third phase, forensic tools and techniques are used to identify and extract the relevant information from the acquired data while protecting its integrity
analysis
Anti-Analysis: can be performed to detect whether or not a debugger is running on the system and, if so, either refuse to run or attempt to disable it
anti-debugging checks
Anti-forensics: this is the process of permanently eliminating a particular file or entire file system
artifact wiping
Anti-Analysis: takes three bytes, each consisting of eight bits, and represents them as four printable characters in the ASCII standard
base64
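Worked example covering the XOR, ROL/ROR, ROT and base64 cards: a Python decoder for each, plus a single-byte XOR brute force that ranks keys by printable ratio or by a known crib. This is an added illustration, not course code; the URL and the key 0x5A are invented sample data.

```python
import base64
import binascii
import re
import string

PRINTABLE = frozenset(string.printable.encode("ascii"))


def xor_bytes(data, key):
    """Single-byte XOR; XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def rol8(b, n):
    """Rotate one byte left by n bits (negative n rotates right)."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def rotate_bytes(data, n):
    """ROL every byte by n bits; to undo ROL n apply ROR n, i.e. rotate_bytes(data, -n)."""
    return bytes(rol8(b, n) for b in data)


def rot_letters(text, n):
    """ROT-n: shift A-Z/a-z only (ROT13 when n=13); undone by ROT-(26-n)."""
    out = []
    for ch in text:
        base = 65 if "A" <= ch <= "Z" else 97 if "a" <= ch <= "z" else None
        out.append(chr((ord(ch) - base + n) % 26 + base) if base is not None else ch)
    return "".join(out)


def printable_ratio(data):
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def brute_force_xor(data, crib=None):
    """Try all 256 keys; keep candidates containing the crib (if given), best printable ratio first."""
    candidates = []
    for key in range(256):
        plain = xor_bytes(data, key)
        if crib is None or crib in plain:
            candidates.append((printable_ratio(plain), key, plain))
    candidates.sort(key=lambda c: (-c[0], c[1]))
    return candidates


B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def find_base64_strings(blob, min_printable=0.9):
    """Pull base64-looking runs out of a binary and keep those that decode to mostly printable text."""
    found = []
    for run in B64_RUN.findall(blob):
        try:
            decoded = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue
        if printable_ratio(decoded) >= min_printable:
            found.append(decoded)
    return found


# Constructed samples (not from any real malware): the same C2 URL hidden four ways.
URL = b"http://c2.example.invalid/gate.php"
XOR_SAMPLE = xor_bytes(URL, 0x5A)
ROL_SAMPLE = rotate_bytes(URL, 3)
ROT_SAMPLE = rot_letters(URL.decode(), 13)
B64_SAMPLE = b"\x00\x00junk\x00" + base64.b64encode(URL) + b"\x00MZ\x00"

if __name__ == "__main__":
    ratio, key, plain = brute_force_xor(XOR_SAMPLE, crib=b"http")[0]
    print(f"XOR key {key:#04x} (printable {ratio:.2f}): {plain!r}")
    print("ROL 3 undone:", rotate_bytes(ROL_SAMPLE, -3))
    print("ROT13 undone:", rot_letters(ROT_SAMPLE, 13))
    print("base64 found:", find_base64_strings(B64_SAMPLE))
```

The crib ("http", "MZ", "This program cannot be run") is what makes the XOR brute force decisive; without one, several keys can produce all-printable garbage and the analyst has to read the top candidates by hand.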
class of malware: allows an attacker access to the system, but all computers infected with the same botnet receive instructions from a single command and control server
bot
what byte range contains the 64-byte MBR partition table
bytes 446 - 509
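Worked example for the MBR cards (sector 0, 446-byte boot code, 64-byte partition table at bytes 446-509, 0x55AA at 510-511): a Python parser run over a constructed 512-byte sector. Added here as an illustration; the sector and its two partitions are invented, while the layout and the partition-type codes are the standard MBR values.

```python
import struct

SECTOR = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFFSET = 446
PART_ENTRY_LEN = 16
SIGNATURE_OFFSET = 510
PART_ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count

PARTITION_TYPES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
                   0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}


def has_boot_signature(sector):
    """Bytes 55 AA at offsets 510-511 (0xAA55 as a little-endian word)."""
    return sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == b"\x55\xAA"


def parse_mbr(sector):
    """Split sector 0 into boot code, the four partition entries and the end marker."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if not has_boot_signature(sector):
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            PART_ENTRY, sector[off:off + PART_ENTRY_LEN])
        if ptype == 0 and sectors == 0:
            continue                      # empty slot
        partitions.append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start, "sectors": sectors,
            "byte_offset": lba_start * SECTOR,     # offset to hand to a loop mount or a parser
            "size_bytes": sectors * SECTOR,
        })
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions,
            "signature": sector[SIGNATURE_OFFSET:].hex()}


def build_sample_mbr():
    """Constructed test sector (not from a real disk): a bootable NTFS partition and a Linux one."""
    boot_code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x00" * (BOOT_CODE_LEN - 7)
    entry1 = struct.pack(PART_ENTRY, 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    entry2 = struct.pack(PART_ENTRY, 0x00, b"\xFE\xFF\xFF", 0x83, b"\xFE\xFF\xFF", 206848, 409600)
    empty = b"\x00" * PART_ENTRY_LEN
    return boot_code + entry1 + entry2 + empty + empty + b"\x55\xAA"


if __name__ == "__main__":
    mbr = parse_mbr(build_sample_mbr())
    print("signature:", mbr["signature"])
    for p in mbr["partitions"]:
        print(f"#{p['index']} boot={p['bootable']} {p['type_name']:<12} "
              f"lba={p['lba_start']} offset={p['byte_offset']} size={p['size_bytes']}")
```

The byte_offset field is what lets the analyst mount a single partition from a physical image read-only (the offset option of a loop mount) or point a file system parser at it; on a disk with the 0xEE protective entry, the real partition table is the GPT in the following sectors.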
Terminology: the route the evidence takes from the time you find it until the case is closed or goes to court
chain of custody
This is one of the most important documents maintained during an investigation. it documents how the evidence was examined, by whom, and when it changed hands
chain of custody
Anti-Analysis: intentionally hiding or misleading source code to prevent reverse engineering or masquerade the true intent of a program.
code obfuscation
Anti-forensics: this is the process of making data difficult to find while also keeping it accessible for future use
data hiding
what are the mobile forensics steps to take when the device is either ON or OFF
device off - leave the device off, but find the charger as soon as possible and note it in the log file. device on - do everything possible to keep the device powered on until a full examination can be performed. store it in a faraday bag to prevent transmitting/receiving