JCAC Module 16, Forensics Methodology & Malware Analysis
EnCase Forensic Software
- Acquires data from multiple sources, including RAM, documents, Internet artifacts, Web history, RAIDs, workstations, and servers
- Produces an exact binary duplicate (forensic image) of the original drive or media
- Imports National Software Reference Library (NSRL) updates, published in EnCase hash library format
Outlook Express file extensions
.dbx & .mbx
Outlook file extensions
.pst & .ost
Incident response has two phases
1) Documentation process with regard to Chain of Custody & evidence handling
2) Serves as the basis of analysis
Acquisition
2nd phase of forensics methodology; ID & collect relevant volatile and non-volatile data using sound forensic techniques and tools that ensure data integrity. Data with the HIGHEST chance of being modified, changed, or lost should be collected first
dd.exe has how many MD5 options?
3
Analysis
3rd phase of forensics methodology. Forensic tools & techniques are used to ID & extract relevant info from the acquired data while protecting its integrity
index.dat
A user's Internet history file; provides info about the user's web surfing activity, such as the URL of the web site visited as well as the time the site was visited. The file can be routinely cleared, but is easy to find.
Software Acquisition
Analyst boots the suspect system with the Helix Boot CD-ROM and images the local hard drives attached to the system
Fuzzy Hashing
CLI function used to look for two files that are exact copies and have identical hashes.
Route the evidence takes from the time you find it until the case is closed or goes to court. The forensic analyst should be able to clearly describe how the evidence was found, how it was handled, and everything that happened to it
Chain of Custody
Sleuth Kit: Gather
Collect file timestamps from the file system's metadata layer to create an intermediate data file, often called the BODY file.
Incident Response Disk
Collection of analysis tools gathered on a portable and bootable disk; like a thumb drive, CD-ROM, or external hard drive.
Physical Drive Imaging
Considered the best evidence (more data, not the volatile data though)
Statically-linked Executable
Contains all the code necessary to successfully run as a standalone program and limit the impact (footprint) on the suspicious computer
Temporary Files
Contains copies of other files on the system, application data, or other info
Evidence Integrity
Cryptographic hashes of files/media obtained prior to collection should match hashes obtained after the collection. This ensures evidence was not altered
Process of collecting digital evidence from electronic media.
Data Acquisition
The practice of collecting & analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data?
Digital (Computer) Forensics
Bit-for-bit image of the original evidence gathered from a system such as the hard drive (logical or physical), memory, or removable media
Disk Image
Slack Space
Even if a file requires less space than the allocated unit size, an entire file allocation unit is reserved leaving the unused portion (slack space) available for examination
Defined as "electronically-stored" info found on or in use by digital media devices
Evidence
Cryptographic hashes of files/media obtained prior to collection should match hashes obtained after collection, ensuring that the evidence has not been altered
Evidence Integrity
Format: Raw (dd)
Extension: .dd or .img
Description:
- Original true bit image
- Same size as original drive
- No metadata or compression involved
Expert Witness Format (EWF)
Extension: .e01
Description:
- Proprietary format created by EnCase Guidance Software
- Contains metadata & can compress data
File System Timestamps: Linux
Filesystem: Ext2/3
M: Modified
A: Accessed
C: Inode Changed
B/D: Deleted
File System Timestamps: Windows
Filesystem: NTFS
M: Modified
A: Accessed
C: MFT Modified
B/D: Created
Sleuth Kit: creation process has 2 steps
Gather & Make
3 Acquisition Methods
Hardware, Software, Live
Two types of write-blockers
Hardware and software
3 Types of Data Acquisition
Hardware, software, and live
Forensics primarily concerned w/ computer workstations, removable storage devices, & other physical digital media storage devices
Host-based
Hash set: notable
ID'd as illegal/inappropriate, such as hacking tools, or kiddie porn
Initial response to a computer-related event that seeks to verify an incident, triage the incident, and gather necessary evidence while minimizing data and evidence loss
Incident Response
What are the four phases of Digital Forensics Investigative Methodology?
Incident Response, Acquisition, Analysis, Reporting
Four phases used to transform media into evidence/intelligence
Incident Response, Acquisition, Analysis, Reporting
List of words and phrases used to search evidence
Keyword or Dirty Word List
Keyword List
List of words and phrases used to search evidence
What are the 2 types of system states?
Live & Dead
Sleuth Kit: Make
Make a human-readable document of file activity by sorting the BODY file in order from earliest to latest timestamp
non-volatile data
Making an exact PHYSICAL copy of the device
What are the main goals of a digital forensics acquisition?
Minimize the loss of volatile data & avoid altering suspect machine data (ex: timestamps)
A user who has logged into a Windows computer has an _____________ file
NTUSER.dat
Two disciplines of Digital Forensics
Network-based & Host-based
Process of collecting & analyzing raw network data & systematically tracking network traffic to ascertain how an attack was carried out or how an event occurred on a network is:
Network-based forensics
Is a write blocker required for UNIX/Linux?
No, media can be manually mounted as 'read-only' (Helix, Sleuth Kit)
Swap Space
ONLY LOGICAL SPACE & ONLY USED BY WINDOWS!!! Extends the amount of memory available to a program by allowing pages (segments) of data to be swapped in & out of RAM to secondary storage such as a hard drive
Examples of Volatile Data
Open Ports, Open Files, Running Processes, Current Network Connections, Currently Running Processes, Timestamps, Logged-on Users, System Date, Time, Uptime, RAM
Hardware Acquisition
Performed by removing the hard drive from the suspect system and connecting it to the analyst's forensics workstation via an appropriate drive adapter (SATA/IDE/SCSI)
Where is the master boot record located & what does it contain?
Resides @ the 1st physical sector of the drive (sector 0) and contains the master boot program, master partition table, and a 2-byte marker indicating the end of the sector (0x55AA)
Contains all the code necessary to successfully run as a standalone program and limit the impact (footprint) on the suspicious (suspect) computer
Statically-Linked Executable (Incident Response Disk/Helix)
OS Configuration Files
Store OS & application settings that list the services to be started automatically after system boot, & specify the location of log & temporary files
File contents alone determine a hash value, not associated metadata such as file name, timestamps, size, etc.; true or false?
True
Is a write blocker required for Windows?
Yes, since Windows automatically mounts the hard-drive as read+write. This ensures no data is written back to the suspect's hard drive
Live Acquisition
You're in an environment that is constantly changing; sometimes it is difficult or impossible to power down and isolate a specific computer from a network
The master boot program reads the partition table to determine which partition is the __________
active/bootable partition
Digital Forensics
a.k.a. Computer Forensics; the practice of collecting and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data
Standalone program
All .DLLs or binaries are contained on an acquisition system. *Never rely on the suspect system to have the tools
"Dirty Word List"
An analyst's list of keywords & phrases; aids in examining large amounts of data to find keywords or strings.
Disk Image
bit-for-bit image of the original evidence gathered from a system such as the hard drive (logical or physical), memory, or removable media
Network-based forensics
collects & analyzes raw network data to track network traffic and determine how an attack was carried out or how an event occurred on a network
Volatile Data
data likely to be erased if the device loses power (i.e. RAM); info that helps ID an incident has taken place as well as whom, how, and possibly why
If MD5 hashes match then...
data was collected properly & the next phase can be started
Three versions of dd
dd, dd.exe (Windows version), dcfldd
The collection phase uses simple tools (CLI) such as ___ and _____ as well as scripting tools that automate the execution of these tools
dd; netstat
National Institute of Standards and Technology (www.nist.gov) does what?
develops & maintains a very large set of hashes called the National Software Reference Library (www.nist.gov/nsrl)
Evidence
electronically stored information found on or in use by digital media devices with intelligence or evidentiary value
Data Recovery
extraction of deleted files from a file system's unallocated space
Hash set: known
files can be ignored, such as typical system files (ex: explorer.exe, winword.exe)
Unallocated (Free) Space
flagged as no longer needed, but it remains in the file system until it is overwritten. Deleted files remain in unallocated (free) disk space
File Signature
Header/footer (or both) within a file that indicates the application associated with the file or the type of file
pagefile.sys
hidden system file used by Windows NT/XP systems for virtual memory when there is not enough physical memory to run programs. Contains portions of documents & other material a user produces while using the computer. Older Windows 9X systems use a file named win386.swp. UNIX uses a swap partition
dd -> ______ -> device capture | imaging | copies
host-based
dcfldd
Implemented the same as dd, but with two extra options
Incident Response
initial response to a computer-related event that seeks to verify an incident, triage the incident, and gather necessary evidence while minimizing data and evidence loss
Review of network logs from servers, routers, firewalls, and other networked devices provides...
insight to an intrusion
Files in a hash set typically fall into one of two categories:
known or notable
The Sleuth Kit (TSK) forensic toolkit
library & collection of command-line tools allowing investigation of volume and file system data
Use trusted tools from the response disk, and DO NOT assume some parts of the suspicious computer are reliable. Using _______ commands on the suspicious computer may trigger Trojans, logic bombs, and other malware to delete key volatile data
native commands
Two disciplines of digital forensics
network-based and host-based
SANS SIFT forensic workstation
Open source VMware appliance created by Rob Lee. It is a Linux-based VMware workstation configured to conduct forensic investigations on both Windows and UNIX systems
Dead Systems
powered on or off with data "at rest" making it easier to gather the non-volatile, unchanging, data.
Live Systems
powered on w/ system processes running. Allows volatile data to be collected; necessary because some attacks may leave footprints only in RAM, i.e. malware that disappears after a system restart
Hibernation Files
preserve the current state of a system; when the system is turned on, the state of the system is restored, in Windows this file is called hiberfil.sys
Host-based forensics
primarily concerned w/ computer workstations, removable storage devices, & other physical digital media storage devices
Write-blocker
protects evidence disks by preventing accidental writes to source data.
Master Boot Record (MBR)
resides at the 1st physical sector of the drive (Sector 0). Contains: The Master Boot Program, Master Partition Table (64-bytes, bytes 446 - 509), & a 2-byte marker indicating the end of the sector (0x55AA)
If MD5 hashes DO NOT match then...
something happened during collection, & data must be reacquired (that's long & tedious)
Forensic Workstation
standalone computer system used to perform forensic analysis of digital media
Tools should be _______ and should not require the use of any libraries other than those on the read-only media
statically-linked (self-contained)
Analysis tools
take data as input and display it in a more useful (human-readable) format. Ex: EnCase, Autopsy, and Helix
Hash Analysis
technique to reduce the search space by IDing known files by their hashes (MD5/SHA1) Filtering out known files such as known good OS & application files reduces the # of files an analyst must evaluate
Chain of Custody
the route evidence takes from the time it is found until the case is closed or goes to court. How the evidence was examined, who examined it, and when it changed hands. At any given time, only the person who signed for the evidence should have access to it
dd
Tool that reads input files block by block and provides the following properties:
- Used to create true bit image copies of tapes, disks, partitions, or files
- Creates a raw image file
- Useful for truncating files, splitting images, or grabbing data from disk blocks
ssdeep
Tool to help an analyst check similarities in files by computing and comparing context triggered piecewise hashes (CTPH). CTPH can match inputs that have homologies (similarities)
Analysis involves forensically processing large amounts of collected data using a combination of automated & manual methods to assess & extract data of particular interest, true or false?
true
Forensic Image
use forensic tools to create an exact physical copy (bit-stream image, forensic duplicate) of the evidence
Timelines
useful to sort system files by their modified, accessed, changed, & created (MACB) timestamps. [This] info is gathered from a LIVE system or from a disk image
Hash-Image-Hash
verified to confirm all the data was collected properly
netstat -> CLI syntax to capture
volatile (live) images