5 - Digital Forensics


The Forensic Toolkit (FTK) from AccessData

A commercial investigation suite designed to run on Windows Server (or server cluster).

EnCase Forensic

A digital forensics case management product created by Guidance Software. Case management is assisted by built-in pathways, or workflow templates, showing the key steps in diverse types of investigation. In addition to the core forensics suite, there are separate products for eDiscovery (digital evidence management) and Endpoint Investigator (for over-the-network analysis of corporate desktops and servers).

Write Blockers

Ensure that the image acquisition tools you use do not contaminate the source disk. A write blocker prevents any data on the disk or volume from being changed by filtering write commands at the firmware and driver level. Mounting a drive as read-only within a host OS is insufficient. Can be implemented as a hardware device or as software running on the forensics workstation.

Data Acquisition Sources

In order of volatility, from most to least volatile:

CPU registers and cache memory (including cache on disk controllers, GPUs, and so on).
Contents of system memory (RAM), including the routing table, ARP cache, process table, and kernel statistics.
Temporary file systems/swap space/virtual memory.
Data on persistent mass storage devices (HDDs, SSDs, and flash memory devices), including the file system and free space.
Remote logging and monitoring data.
Physical configuration and network topology.
Archival media.

Forensic Timeline

How was access to the system obtained? What tools have been installed? What changes to system files or applications have been made? What data has been retrieved? Is there evidence data was exfiltrated over the network or via attached storage?

A hard disk has been removed from a computer so that it can be subjected to forensic evidence collection. What steps should you take to complete this process?

Ideally, record or document the process.
1. Attach the disk to a forensic workstation, using a write blocker to prevent contaminating the source-disk contents.
2. Make a cryptographic hash of the disk contents.
3. Make an image of the disk contents.
4. Make a cryptographic hash of the image and verify that it matches the source disk hash.
5. Make a copy of the image and validate it with a cryptographic hash.
6. Perform analysis on the copy of the image.

Digital Forensics Procedures

Identification, collection, analysis, reporting.

Which four phases outline the procedures involved in a forensics investigation?

Identification, collection, analysis, and reporting.

A forensics analyst may play several roles:

Investigating and reconstructing the cause of a cybersecurity incident.
Investigating whether any crimes, compliance violations, or inappropriate behavior have occurred.
Following forensics procedures to protect evidence that may be needed if a crime has occurred.
Determining if sensitive, protected data has been exposed.
Contributing to and supporting processes and tools used to protect evidence and ensure compliance.
Supporting ongoing audit processes and record maintenance.

SHA-2

Defines variants using longer digests (notably 256 bits and 512 bits). Also addresses the weaknesses found in SHA-1.

Digital Forensics Procedures: Collection

Ensure authorization to collect the evidence using tools and methods that will withstand legal scrutiny. Document and prove the integrity of evidence as it is collected and ensure that it is stored in secure, tamper-evident packaging.

Digital Forensics Procedures: Identification

Ensure that the scene is safe. Threat to life or injury takes precedence over evidence collection. Secure the scene to prevent contamination of evidence. Record the scene using video and identify witnesses for interview. Identify the scope of evidence to be collected.

Data Acquisition

The process of obtaining a forensically clean copy of data from a device held as evidence. If the computer system or device is not owned by the organization, there is the question of whether search or seizure is legally valid. This impacts bring-your-own-device (BYOD) policies. For example, if an employee is accused of fraud you must verify that the employee's equipment and data can be legally seized and searched. Any mistake may make evidence gained from the search inadmissible.

Chain of Custody

The record of evidence handling from collection through presentation in court. The evidence can be hardware components, electronic data, or telephone systems. The chain of custody documentation reinforces the integrity and proper custody of evidence from collection, to analysis, to storage, and finally to presentation. When security breaches go to trial, the chain of custody protects an organization against accusations that evidence has either been tampered with or is different than it was when it was collected. Every person in the process who handles evidence must log the methods and tools they used.

Digital Forensics

The science of collecting evidence from computer systems to a standard that will be accepted in a court of law. As a cybersecurity analyst attached to a Computer Security Incident Response Team (CSIRT) or a Security Operations Center (SOC), you may be called upon to work closely with forensics analysts following an incident. You will often be called upon to use basic forensics tools and perform close analysis of digital evidence.

Disk Image Acquisition: Live Acquisition

This means copying the data while the computer is still running. This may capture more evidence or more data for analysis and reduce the impact on overall services, but the data on the actual disks will have changed, so this method may not produce legally acceptable evidence. It may also alert the adversary and allow time for them to perform anti-forensics.

Disk Image Acquisition: Static acquisition by pulling the plug

This means disconnecting the power at the wall socket (not the hardware power-off button). This is most likely to preserve the storage devices in a forensically clean state, but there is the risk of corrupting data.

Disk Image Acquisition: Static acquisition by shutting down the computer

This runs the risk that the malware will detect the shut-down process and perform anti-forensics to try to remove traces of itself.

Digital Forensics Workstation

To perform any kind of meaningful collection and analysis of evidence, you'll need one or more computers that act as the hub for your forensics investigation. These need to be access controlled, hardened, and isolated from any production systems that could be part of the incident. They must also be able to process large files.

Why might a forensics investigator need to be hired on a work product retention basis?

To protect analysis of evidence from disclosure to opposing counsel, should a court case be involved.

What two types of space on a disk are analyzed by file-carving tools?

Unallocated space (clusters marked as free for use in file-write operations) and slack space (cluster portions that were not overwritten when a new file was created).

You must contain a host that is suspected of effecting a violation of security policy. No methods of live evidence acquisition are available. What is your best course of action to preserve the integrity of evidence?

Using a software shut-down routine risks changing data on the host disk, so if live memory acquisition cannot be performed, pulling the plug to terminate processes is the best course of action. This process should ideally be video recorded with an explanation as to why this course of action is being taken.

Work Product Retention

Refers to the way in which a forensic examiner is hired to investigate a case. In a civil or criminal trial, the principles of discovery and disclosure govern the exchange of evidence between prosecution and defense. In terms of digital forensics, there is potentially a distinction between the evidence, such as a hard disk and associated image captured at a crime scene, and analysis of the evidence, such as a forensics report highlighting artifacts within the evidence that are relevant to the case. Analysis of evidence created by an attorney for his or her client is protected from disclosure by the work product doctrine. In this context, an attorney may retain experts to perform the analysis.

Secure Hash Algorithm (SHA)

A set of algorithms developed by the National Institute of Standards and Technology (NIST) and other government and private parties. These secure hash, or "file check," functions have arisen to meet some of the top cybersecurity challenges of the 21st century, as a number of public service groups work with federal government agencies to provide better online security standards for organizations and the public.

The Sleuth Kit

An open-source collection of command line tools and programming libraries for disk imaging and file analysis. Autopsy is a graphical front-end for these tools and acts as a case management/workflow tool. The program can be extended with plug-ins for various analysis functions. Autopsy is available for Windows and can be compiled from the source code to run on Linux.

Forensics Analyst Ethics

Analysis must be performed without bias. Conclusions and opinions should be formed only from the direct evidence under analysis. Analysis methods must be repeatable by third parties with access to the same evidence. Ideally, the evidence must not be changed or manipulated. If a device used as evidence must be manipulated to facilitate analysis (disabling the lock feature of a mobile phone or preventing a remote wipe for example), the reasons for doing so must be sound and the process of doing so must be recorded.

Digital Forensics Procedures: Analysis

Create a copy of evidence for analysis, ensuring that the copy can be related directly to the primary evidence source. Use repeatable methods and tools to analyze the evidence.

Digital Forensics Procedures: Reporting

Create a report of the methods and tools used, and present findings and conclusions.

Legal Hold

Information that may be relevant to a court case must be preserved. Information might be defined by regulators or industry best practice, or there may be a litigation notice from law enforcement or attorneys pursuing a civil action. This means that computer systems may be taken as evidence, with all the obvious disruption to a network that entails. When an incident involves law enforcement, appoint a liaison with legal knowledge and expertise who can be the point of contact for the forensics team or for the incident response team. This way, your CSIRT will have a single, authoritative voice with which to communicate your results, and to identify instructions and requests that must be followed.

Carving

The process of extracting data from an image when that data has no associated file system metadata. The tool analyzes the disk at sector/page level and attempts to piece together data fragments from unallocated and slack space to reconstruct deleted files, or at least bits of information from deleted files. Depends heavily on file signatures or magic numbers—the sequence of bytes at the start of each file that identifies its type. This is made extremely difficult if the file system is heavily fragmented and disk capacity is low, as data from old files is less likely to reside in contiguous sectors and more likely to have been overwritten.

Message Digest Algorithm (MDA/MD5)

Was designed in 1990 by Ronald Rivest. The most widely used version is MD5, released in 1991, which uses a 128-bit hash value. No longer considered secure, as ways have been found to exploit collisions in the algorithm. No longer considered secure for use in password hashing or signing digital certificates. Despite this, many forensics tools default to using it, as it is a bit faster than SHA, it offers better compatibility between tools, and the chances of an adversary exploiting a collision in that context are more remote.

SHA-1

Was quickly released (in 1995) to address a flaw in the original SHA algorithm. It uses a 160-bit digest. Was later found to exhibit weaknesses.
