JCAC Module 16, Forensics Methodology & Malware Analysis


EnCase Forensic Software

- Acquires data from multiple sources, including RAM, documents, Internet artifacts, web history, RAIDs, workstations, and servers
- Produces an exact binary duplicate (forensic image) of the original drive or media
- Imports National Software Reference Library (NSRL) updates published in EnCase hash-library format

Outlook Express file extensions

.dbx & .mbx

Outlook file extensions

.pst & .ost

Incident Response phase serves two purposes

1) Documentation: establishes the chain of custody and records evidence handling 2) Serves as the basis for the analysis that follows

Acquisition

Second phase of the forensics methodology: identify and collect relevant volatile and non-volatile data using sound forensic techniques and tools that ensure data integrity. Data with the HIGHEST chance of being modified, changed, or lost (order of volatility) is collected first

dd.exe has how many MD5 options?

3

Analysis

Third phase of the forensics methodology: forensic tools and techniques are used to identify and extract relevant information from the acquired data while protecting its integrity

index.dat

A user's Internet Explorer history file; records web-surfing activity such as the URL of each site visited and the time of the visit. The file can be routinely cleared by the user, but it is easy to locate

Software Acquisition

Analyst boots the suspect system with the Helix Boot CD-ROM and images the local hard drives attached to the system

Fuzzy Hashing

Technique (e.g. ssdeep's context triggered piecewise hashing) for finding files that are similar but not identical. Unlike MD5/SHA1, where a one-byte change produces a completely different digest, a fuzzy hash of a slightly modified file stays close to the original's, so variants of a known file can be matched

Sleuth Kit: Gather

Collect file timestamps from the file system's metadata layer (e.g. fls -m / ils -m) to create an intermediate data file, usually called the BODY file

Incident Response Disk

Collection of analysis tools gathered on a portable and bootable disk; like a thumb drive, CD-ROM, or external hard drive.

Physical Drive Imaging

Considered the best evidence: a physical image captures more data than a logical copy (slack and unallocated space included), but not the volatile data

Statically-linked Executable

Contains all the code it needs to run as a standalone program, so it does not load libraries from the suspect system and limits its impact (footprint) on the suspect computer

Temporary Files

Contains copies of other files on the system, application data, or other info

Evidence Integrity

Cryptographic hashes of files/media obtained prior to collection should match hashes obtained after the collection. This ensures evidence was not altered

Process of collecting digital evidence from electronic media.

Data Acquisition

The practice of collecting & analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data?

Digital (Computer) Forensics

Bit-for-bit image of the original evidence gathered from a system such as the hard drive (logical or physical), memory, or removable media

Disk Image

Slack Space

Even if a file requires less space than the allocated unit size, an entire file allocation unit is reserved leaving the unused portion (slack space) available for examination

Format: Raw (dd)

Extension: .dd or .img
Description:
- Original true bit image
- Same size as the original drive
- No metadata or compression involved

Expert Witness Format (EWF)

Extension: .e01
Description:
- Proprietary format created by Guidance Software for EnCase
- Contains metadata (case info, acquisition hashes) and can compress data

File System Timestamps: Linux

Filesystem: Ext2/3
M: Modified
A: Accessed
C: Inode changed
B/D: Deleted

File System Timestamps: Windows

Filesystem: NTFS
M: Modified
A: Accessed
C: MFT modified
B/D: Created

Sleuth Kit: creation process has 2 steps

Gather & Make

3 Acquisition Methods

Hardware, software, and live

Two types of write-blockers

Hardware and software

Forensics primarily concerned w/ computer workstations, removable storage devices, & other physical digital media storage devices

Host-based

Hash set: notable

Hashes of files identified as illegal or inappropriate, such as hacking tools or child exploitation material; a match is flagged for the analyst's attention

Initial response to a computer-related event that seeks to verify an incident, triage the incident, and gather necessary evidence while minimizing data and evidence loss

Incident Response

What are the four phases of Digital Forensics Investigative Methodology?

Incident Response Acquisition Analysis Reporting

List of words and phrases used to search evidence

Keyword or Dirty Word List

What are the 2 types of system states?

Live & Dead

Sleuth Kit: Make

Make a human-readable timeline (mactime) by sorting the BODY file from earliest to latest timestamp

Non-volatile data

Data that persists after the device loses power (e.g. hard-drive contents); acquired by making an exact PHYSICAL copy of the device

What are the main goals of a digital forensics acquisition?

Minimize the loss of volatile data and avoid altering data on the suspect machine (e.g. file timestamps)

A user who has logged into a Windows computer has an _____________ file

NTUSER.DAT

Two disciplines of Digital Forensics

Network-based & Host-based

Process of collecting & analyzing raw network data & systematically tracking network traffic to ascertain how an attack was carried out or how an event occurred on a network is:

Network-based forensics

Is a write blocker required for UNIX/Linux?

No. Media can be mounted manually as read-only (Helix, Sleuth Kit). Caveat: a plain read-only mount can still replay a dirty journal, so also disable journal recovery (ext3/4: -o ro,noload; XFS: -o ro,norecovery) and prefer a read-only loop device; a hardware write-blocker remains the safest option

Swap Space

Logical space on secondary storage that extends the memory available to programs by allowing pages (segments) of data to be swapped in and out of RAM. Not Windows-only: Windows implements it as a file (pagefile.sys), while UNIX/Linux use a dedicated swap partition

Examples of Volatile Data

Open ports, open files, running processes, current network connections, timestamps, logged-on users, system date/time and uptime, RAM contents

Hardware Acquisition

Performed by removing the hard drive from the suspect system and connecting it to the analyst's forensics workstation via an appropriate drive adapter (SATA/IDE/SCSI)

OS Configuration Files

Store OS & application settings that list the services to be started automatically after system boot, & specify the location of log & temporary files

File contents alone determine a hash value; not associated metadata such as file name, timestamps, size, etc..., true or false?

True

Is a write blocker required for Windows?

Yes. Windows automatically mounts an attached drive read+write, so a write-blocker ensures no data is written back to the suspect's hard drive

Live Acquisition

Used when the environment is constantly changing and it is difficult or impossible to power down and isolate a specific computer from the network; volatile data is collected from the running system

Master boot program read the partition table to determine which partition is the __________

active/bootable partition

Standalone program

All .DLLs or binaries the tool needs are carried on the acquisition (response) media. *Never rely on the suspect system to provide the tools or their libraries

"Dirty Word List"

an analyst's list of keywords & phrases. aid in examining large amounts of data to find keywords or strings.

Volatile Data

data likely to be erased if the device loses power (i.e. RAM); info that helps ID an incident has taken place as well as whom, how, and possibly why

If MD5 hashes match then...

data was collected properly & the next phase can be started

Three versions of dd

- dd
- dd.exe (Windows version)
- dcfldd

The collection phase uses simple tools (CLI) such as ___ and _____ as well as scripting tools that automate the execution of these tools

dd; netstat

National Institute of Standards and Technology (www.nist.gov) does what?

develops & maintains a very large set of hashes called the National Software Reference Library (www.nist.gov/nsrl)

Evidence

electronically stored information found on or in use by digital media devices with intelligence or evidentiary value

Data Recovery

extraction of deleted files from a file system's unallocated space

Hash set: known

files can be ignored, such as typical system files (ex: explorer.exe, winword.exe)

Unallocated (Free) Space

flagged as no longer needed, but it remains in the file system until it is overwritten. Deleted files remain in unallocated (free) disk space

File Signature

header/footer (or both) w/i a file that indicates the application associated w/ a file or the type of file
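Added example (not part of the original study set): a small Python carver that ties the slack-space, unallocated-space, data-recovery and file-signature cards together. It builds a constructed 8-cluster image (512-byte clusters, a few header/footer signatures) and a minimal allocation map, then carves header-to-footer runs from the slack of live files and from free clusters. The cluster size, the signature table and the sample image are all assumptions made for the demonstration.

```python
import hashlib

CLUSTER = 512  # constructed image uses 512-byte clusters; NTFS defaults to 4096

# header / footer byte signatures (assumed subset; real carvers know far more)
SIGNATURES = {
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf":  (b"%PDF-", b"%%EOF"),
}


def build_sample_image():
    """Constructed 8-cluster image and a minimal allocation map {cluster: bytes in use}."""
    img = bytearray(8 * CLUSTER)
    # cluster 0: live 100-byte text file. The cluster previously held a PNG; the part
    # beyond byte 100 was never overwritten, so it survives in slack space.
    old_png = SIGNATURES["png"][0] + b"\x00" * 40 + SIGNATURES["png"][1]
    img[200:200 + len(old_png)] = old_png
    img[0:100] = b"quarterly report draft".ljust(100, b".")
    # cluster 1: live file that fills its cluster exactly (no slack)
    img[CLUSTER:2 * CLUSTER] = b"A" * CLUSTER
    # clusters 2-3: deleted JPEG that spans a cluster boundary
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 600 + b"\xff\xd9"
    img[2 * CLUSTER:2 * CLUSTER + len(jpeg)] = jpeg
    # cluster 5: deleted PDF
    pdf = b"%PDF-1.4\n1 0 obj\n" + b"\x00" * 100 + b"%%EOF"
    img[5 * CLUSTER:5 * CLUSTER + len(pdf)] = pdf
    return bytes(img), {0: 100, 1: CLUSTER}


def slack_regions(alloc):
    """(offset, length) of the unused tail of every allocated cluster."""
    return [(c * CLUSTER + used, CLUSTER - used)
            for c, used in sorted(alloc.items()) if used < CLUSTER]


def unallocated_regions(total_clusters, alloc):
    """(offset, length) runs of clusters not referenced by any live file."""
    regions, start = [], None
    for c in range(total_clusters + 1):
        free = c < total_clusters and c not in alloc
        if free and start is None:
            start = c
        elif not free and start is not None:
            regions.append((start * CLUSTER, (c - start) * CLUSTER))
            start = None
    return regions


def carve(img, regions, origin):
    """Scan regions for header..footer pairs; returns (kind, abs_offset, length, origin)."""
    found = []
    for base, length in regions:
        data = img[base:base + length]
        for kind, (head, foot) in SIGNATURES.items():
            pos = 0
            while (h := data.find(head, pos)) >= 0:
                f = data.find(foot, h + len(head))
                if f < 0:
                    break  # header without footer in this region: truncated, skip it
                end = f + len(foot)
                found.append((kind, base + h, end - h, origin))
                pos = end
    return found


def recover(img, alloc):
    """Data recovery: carve slack and unallocated space, sorted by image offset."""
    total = len(img) // CLUSTER
    hits = carve(img, slack_regions(alloc), "slack")
    hits += carve(img, unallocated_regions(total, alloc), "unallocated")
    return sorted(hits, key=lambda t: t[1])


if __name__ == "__main__":
    image, allocation = build_sample_image()
    for kind, off, size, origin in recover(image, allocation):
        digest = hashlib.md5(image[off:off + size]).hexdigest()
        print(f"{kind:5} offset={off:5} size={size:4} from {origin:11} md5={digest}")
```

The PNG comes back from the slack of a live file, the JPEG and PDF from unallocated clusters; a header with no footer in the same region is reported as nothing rather than guessed at, which is the conservative choice for a first pass.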

pagefile.sys

hidden system file used by Windows NT/XP systems for virtual memory when there is not enough physical memory to run programs. Contains portions of documents & other material a user produces while using the computer. Older Windows 9X systems use a file named win386.swp. UNIX uses a swap partition

dd is the ______ acquisition tool used for device capture, imaging, and copies

host-based

dcfldd

Implemented the same as dd, but with extra options (notably on-the-fly hashing and status/progress output)

Review of network logs from servers, routers, firewalls, and other networked devices provides...

insight to an intrusion

Files in a hash set typically fall into one of two categories:

known or notable

The Sleuth Kit (TSK) forensic toolkit

library & collection of command-line tools allowing investigation of volume and file system data

Use trusted tools from the response disk, and DO NOT assume some parts of the suspicious computer are reliable. Using _______ commands on the suspicious computer may trigger Trojans, logic bombs, and other malware to delete key volatile data

native commands

SANS SIFT forensic workstation

Open source VMware appliance created by Rob Lee. A Linux-based VMware workstation configured to conduct forensic investigations on both Windows and UNIX systems

Dead Systems

Powered on or off with data "at rest", which makes it easier to gather the non-volatile, unchanging data

Live Systems

powered on w/ system processes running. Allows volatile data to be collected; necessary because some attacks may leave footprints only in RAM, i.e. malware that disappears after a system restart

Hibernation Files

preserve the current state of a system; when the system is turned on, the state of the system is restored, in Windows this file is called hiberfil.sys

Write-blocker

protects evidence disks by preventing accidental writes to source data.

Master Boot Record (MBR)

Resides at the first physical sector of the drive (sector 0). Contains the master boot program (bytes 0-445), the master partition table (64 bytes, bytes 446-509, four 16-byte entries), and a 2-byte marker at bytes 510-511 (0x55AA) indicating the end of the sector
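Added example (not from the study set): a Python parser for sector 0 that decodes the layout above and picks the active partition the way the master boot program does. The partition-type name table and the constructed sample MBR (an active NTFS partition followed by a Linux partition) are assumptions for the demonstration; the byte offsets are the standard MBR layout.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446        # master partition table: bytes 446-509
SIGNATURE = b"\x55\xaa"   # bytes 510-511: 0x55AA end-of-sector marker

# a few partition type codes (assumed lookup table, for readable output only)
TYPE_NAMES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}


def parse_mbr(sector0: bytes) -> dict:
    """Decode sector 0: boot code, the four 16-byte partition entries, and the signature."""
    if len(sector0) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    if sector0[510:512] != SIGNATURE:
        raise ValueError("0x55AA signature missing: wiped sector or not MBR-partitioned")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector0[off:off + 16])
        if ptype == 0 and sectors == 0:
            continue                        # unused slot
        entries.append({
            "slot": i,
            "active": status == 0x80,       # 0x80 = bootable flag, 0x00 = inactive
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, f"0x{ptype:02x}"),
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR,  # seek here in the image to mount or carve it
            "bytes": sectors * SECTOR,
        })
    return {"boot_code": sector0[:TABLE_OFFSET], "partitions": entries}


def active_partition(mbr: dict):
    """What the master boot program does: return the entry flagged active/bootable."""
    for p in mbr["partitions"]:
        if p["active"]:
            return p
    return None


def sample_mbr() -> bytes:
    """Constructed sector 0: active NTFS partition at LBA 2048, Linux partition after it."""
    sector = bytearray(SECTOR)
    sector[0:2] = b"\x33\xc0"               # xor ax,ax: placeholder boot code

    def entry(status, ptype, lba_start, sectors):
        # CHS fields set to 0xFFFFFF, as modern tools do when LBA is authoritative
        return struct.pack("<B3sB3sII", status, b"\xff\xff\xff", ptype,
                           b"\xff\xff\xff", lba_start, sectors)

    sector[TABLE_OFFSET:TABLE_OFFSET + 16] = entry(0x80, 0x07, 2048, 204800)
    sector[TABLE_OFFSET + 16:TABLE_OFFSET + 32] = entry(0x00, 0x83, 206848, 409600)
    sector[510:512] = SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    mbr = parse_mbr(sample_mbr())
    for p in mbr["partitions"]:
        flag = "*" if p["active"] else " "
        print(f"{flag} slot {p['slot']} {p['type_name']:15} "
              f"LBA {p['lba_start']:>8} +{p['sectors']:>8} sectors")
```

Two practitioner notes the parser encodes: a missing 0x55AA is reported rather than silently parsed (a wiped or damaged sector 0 is itself a finding), and a single entry of type 0xEE means the disk is really GPT-partitioned and the MBR is only protective.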

If MD5 hashes DO NOT match then...

Something happened during collection, and the data must be reacquired (a long and tedious process)

Forensic Workstation

standalone computer system used to perform forensic analysis of digital media

Tools should be _______ and should not require the use of any libraries other than those on the read-only media

statically-linked (self-contained)

Analysis tools

take data as input and display it in a more useful (human-readable) format. Ex: EnCase, Autopsy, and Helix

Hash Analysis

technique to reduce the search space by IDing known files by their hashes (MD5/SHA1) Filtering out known files such as known good OS & application files reduces the # of files an analyst must evaluate
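Added example (not from the study set): hash analysis in Python against a known (NSRL-style) hash set and a notable set. The RDS column layout, the constructed "known good" and "notable" file contents, and the evidence files are all assumptions for the demonstration; the point is that files are bucketed by digest only, so a renamed known file stays known and a patched system file drops out of the known set.

```python
import csv
import hashlib
import io
import zlib

# Constructed contents standing in for OS/application binaries ("known")
KNOWN_GOOD = {
    "explorer.exe": b"MZ\x90\x00" + b"explorer" * 64,
    "winword.exe": b"MZ\x90\x00" + b"winword" * 64,
    "calc.exe": b"MZ\x90\x00" + b"calc" * 64,
}
# Constructed contents of a hacking tool the analyst wants flagged ("notable")
NOTABLE = {"mimikatz.exe": b"MZ\x90\x00" + b"gentilkiwi" * 32}

# Assumed column layout of an NSRL RDS hash file
RDS_HEADER = '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"'


def rds_line(name, data, product="1", os_code="WIN"):
    """Format one RDS-style record for the given file contents."""
    sha1 = hashlib.sha1(data).hexdigest().upper()
    md5 = hashlib.md5(data).hexdigest().upper()
    crc = f"{zlib.crc32(data) & 0xFFFFFFFF:08X}"
    return f'"{sha1}","{md5}","{crc}","{name}",{len(data)},{product},"{os_code}",""'


def build_hash_set(files) -> str:
    """Constructed hash-set text in RDS layout for a dict of name -> bytes."""
    return RDS_HEADER + "\n" + "\n".join(rds_line(n, d) for n, d in files.items()) + "\n"


def load_hash_set(text: str) -> set:
    """Parse RDS-style CSV into a set of SHA-1 digests (upper-case hex)."""
    return {row["SHA-1"] for row in csv.DictReader(io.StringIO(text))}


def classify(evidence, known, notable):
    """Hash each evidence file once and bucket it by digest, never by file name."""
    result = {"known": [], "notable": [], "unknown": []}
    for name, data in evidence.items():
        sha1 = hashlib.sha1(data).hexdigest().upper()
        if sha1 in notable:            # notable wins over known: always surface it
            result["notable"].append(name)
        elif sha1 in known:            # known good: drop from the review queue
            result["known"].append(name)
        else:
            result["unknown"].append(name)   # what the analyst actually has to look at
    return result


def sample_evidence():
    """Constructed files from a suspect drive."""
    patched = bytearray(KNOWN_GOOD["explorer.exe"])
    patched[100] ^= 0x01                                   # one byte changed: no longer 'known'
    return {
        "C:/Windows/explorer.exe": bytes(patched),
        "C:/Program Files/Office/winword.exe": KNOWN_GOOD["winword.exe"],
        "C:/Users/bob/readme.txt": KNOWN_GOOD["calc.exe"],   # renamed: digest still matches
        "C:/Temp/svchost.exe": NOTABLE["mimikatz.exe"],      # renamed hacking tool
        "C:/Users/bob/notes.docx": b"PK\x03\x04" + b"meeting notes",
    }


if __name__ == "__main__":
    known = load_hash_set(build_hash_set(KNOWN_GOOD))
    notable = load_hash_set(build_hash_set(NOTABLE))
    for bucket, names in classify(sample_evidence(), known, notable).items():
        print(f"{bucket:8}: {names}")
```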

Chain of Custody

the route evidence takes from the time it is found until the case is closed or goes to court. How the evidence was examined, who examined it, and when it changed hands. At any given time, only the person who signed for the evidence should have access to it

dd

Tool that reads input files block by block and has the following properties:
- Used to create true bit-image copies of tapes, disks, partitions, or files
- Creates a raw image file
- Useful for truncating files, splitting images, or grabbing data from disk blocks

ssdeep

tool to help an analyst check similarities in files by computing and comparing context triggered piecewise hashes (CTPH). CTPH can match inputs that have homologies (similarities)

Analysis involves forensically processing large amounts of collected data using a combination of automated & manual methods to assess & extract data of particular interest, true or false?

true

Forensic Image

use forensic tools to create an exact physical copy (bit-stream image, forensic duplicate) of the evidence

Timelines

useful to sort system files by their modified, accessed, changed, & created (MACB) timestamps. [This] info is gathered from a LIVE system or from a disk image
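Added example (not from the study set, and not The Sleuth Kit's own code): a Python version of the gather/make steps above. It parses a constructed body file in the TSK 3.x column layout (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime), expands each record into one event per timestamp, merges events that share a timestamp into a single MACB row the way mactime prints them, and sorts earliest to latest. The three sample records are constructed for the demonstration.

```python
from datetime import datetime, timezone

# Constructed body-file lines in TSK 3.x layout (what "fls -m" emits):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
BODY_FILE = """\
0|C:/Windows/System32/evil.dll|12345|r/rrwxrwxrwx|0|0|51200|1700000600|1700000000|1700000600|1700000000
0|C:/Users/alice/Downloads/invoice.pdf.exe|12300|r/rrwxrwxrwx|0|0|81920|1699999800|1699999700|1699999800|1699999700
0|C:/Users/alice/NTUSER.DAT|9001|r/rrwxrwxrwx|0|0|262144|1700000700|1700000700|1700000700|1600000000
"""

MACB = "macb"  # mactime's flag letters: modified, accessed, changed, born (created)


def gather(body_text: str):
    """Parse body-file lines into records (the output of the 'gather' step)."""
    records = []
    for line in body_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError(f"unexpected field count: {line!r}")
        records.append({
            "name": f[1], "inode": f[2], "mode": f[3], "size": int(f[6]),
            # file order is atime, mtime, ctime, crtime; keyed here by mactime letter
            "times": {"m": int(f[8]), "a": int(f[7]), "c": int(f[9]), "b": int(f[10])},
        })
    return records


def make(records):
    """Build the timeline: one row per (timestamp, file); flags merged like mactime ('m.c.')."""
    rows = {}
    for r in records:
        for flag, ts in r["times"].items():
            if ts == 0:
                continue  # unset timestamp; mactime skips zeros as well
            row = rows.setdefault((ts, r["name"]), {
                "time": ts, "flags": set(), "size": r["size"],
                "mode": r["mode"], "inode": r["inode"], "name": r["name"]})
            row["flags"].add(flag)
    out = []
    for (ts, _name), row in sorted(rows.items()):
        row["macb"] = "".join(c if c in row["flags"] else "." for c in MACB)
        row["utc"] = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        del row["flags"]
        out.append(row)
    return out


def timeline(body_text: str):
    return make(gather(body_text))


if __name__ == "__main__":
    for row in timeline(BODY_FILE):
        print(f"{row['utc']} {row['macb']} {row['size']:>8} {row['inode']:>6} {row['name']}")
```

Reading the constructed output the way an analyst would: the download is modified and born at the same second, the DLL appears in System32 five minutes later with the same pattern, and NTUSER.DAT is written last, which is the hive update that follows the user's activity. Timestamps are rendered in UTC explicitly; mixing local-time and UTC rows is a common way to get a timeline wrong.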

Hash-Image-Hash

Hash the source media, create the image, then hash the image; matching hashes verify that all the data was collected properly
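Added example (not from the study set): the hash-image-hash procedure in Python, covering the Evidence Integrity card and the "MD5 hashes match / do not match" cards. A constructed in-memory "device" (3000 pseudo-random bytes, deliberately not a multiple of the 512-byte block size) is hashed, copied block by block the way dd reads it, and hashed again. Per-window digests in the style of dcfldd's hashwindow option are kept alongside, so a mismatch can be localised to a window instead of forcing a blind reacquisition. The tampering switch exists only to show the failing path; the hash is computed over content alone, so the file name plays no part.

```python
import hashlib
import io
import random

BLOCK = 512          # dd copies block by block (bs=512 is dd's default)
HASH_WINDOW = 1024   # dcfldd-style hashwindow: an extra digest per 1 KiB of input


def hash_stream(stream, dst=None, block=BLOCK, window=HASH_WINDOW):
    """Read like dd (block by block, short last block included), hashing as we go.
    If dst is given the blocks are also written to it, which is the imaging step."""
    assert window % block == 0, "window must be a whole number of blocks"
    md5, sha, win = hashlib.md5(), hashlib.sha256(), hashlib.md5()
    windows, filled, size = [], 0, 0
    while chunk := stream.read(block):
        if dst is not None:
            dst.write(chunk)
        md5.update(chunk); sha.update(chunk); win.update(chunk)
        size += len(chunk); filled += len(chunk)
        if filled >= window:
            windows.append(win.hexdigest())
            win, filled = hashlib.md5(), 0
    if filled:
        windows.append(win.hexdigest())           # partial final window
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha.hexdigest(), "windows": windows}


def hash_bytes(data: bytes) -> dict:
    """Digest of in-memory content; name, timestamps and path are never part of the hash."""
    return hash_stream(io.BytesIO(data))


def hash_image_hash(device_bytes: bytes, tamper_at=None) -> dict:
    """Hash the source, image it, hash the image, compare. tamper_at corrupts one byte
    of the image (constructed fault) to exercise the 'hashes do not match' path."""
    before = hash_bytes(device_bytes)                                  # 1. hash source
    image = io.BytesIO()
    acquired = hash_stream(io.BytesIO(device_bytes), dst=image)        # 2. acquire (dd)
    data = bytearray(image.getvalue())
    if tamper_at is not None:
        data[tamper_at] ^= 0xFF
    after = hash_bytes(bytes(data))                                    # 3. hash the image
    verdict = {
        "size": after["size"],
        "before": before["md5"],
        "after": after["md5"],
        "match": (before["md5"], before["sha256"]) == (after["md5"], after["sha256"]),
    }
    if not verdict["match"]:
        # compare per-window digests to find where the image diverged from what was read
        verdict["first_bad_window"] = next(
            (i for i, (a, b) in enumerate(zip(acquired["windows"], after["windows"])) if a != b),
            None)
    return verdict


def sample_device(size=3000) -> bytes:
    """Constructed 'drive': deterministic pseudo-random bytes, not block-aligned."""
    return bytes(random.Random(7).getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    print("clean   :", hash_image_hash(sample_device()))
    print("tampered:", hash_image_hash(sample_device(), tamper_at=2100))
```

Two digests are checked rather than one: MD5 alone is weak against deliberate collisions, and most modern acquisition tools record MD5 and SHA-256 (or SHA-1) side by side for exactly that reason.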

netstat: command-line syntax used to capture ______

volatile (live) data, such as current network connections and open ports
