Week 2 - Advanced Forensic Methods and Tools
"Forensic Computing is the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable" - Rodney McKemmish
This week we are introduced to advanced forensics. Our primary goals are to learn how to approach and react to incidents when collecting evidence. We are also going to learn how to set up a forensic environment.
There are several case types that require forensic analysis, including but not limited to: fraud, intellectual property theft, data breaches, inappropriate use of the Internet, child exploitation, and eDiscovery support for court cases.
There are three steps to forensics: evidence acquisition, investigation and analysis, and reporting the findings. There are four principles that have to be applied to every case: minimize data loss, record everything that you do, analyze all data collected, and report your findings.
Evidence in computer forensics can be found in many locations, such as the operating system (the registry, for example), the network (log files), removable media, peripherals, databases, and applications. There is always human testimony as well; not all evidence has to be in digital form. In the ring diagram of these sources, the further out the ring, the faster its data can disappear.
To adhere to the first principle of forensics (minimize data loss), preserve the evidence by hashing the whole hard disk and each partition, then make a copy and analyze only the copy. Once the copy has been made, hash it in the same way and compare the two sets of hashes; the investigator must confirm that they match before analysis begins.
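A worked version of the hash, copy and re-hash step above, together with the "record everything" principle from the four principles, as an added example that is not part of the lecture notes. It assumes a raw disk image on disk and a partition layout supplied as (name, offset, length) tuples; the sample image, its faithful copy and its tampered copy are constructed inside the function.

```python
import hashlib, json, os, shutil, tempfile, time

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-TB image never has to fit in RAM

def hash_region(path, offset=0, length=None, algo="sha256"):
    """Hash `length` bytes of `path` from `offset` (the whole file when length is None)."""
    h = hashlib.new(algo)
    remaining = os.path.getsize(path) - offset if length is None else length
    with open(path, "rb") as f:
        f.seek(offset)
        while remaining > 0:
            chunk = f.read(min(CHUNK, remaining))
            if not chunk:  # image ends before the declared partition does: fail loudly, never silently
                raise IOError("image shorter than the declared partition layout")
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()

def hash_image(path, partitions):
    """Digests for the whole image plus each (name, offset, length) partition region."""
    digests = {"whole": hash_region(path)}
    for name, offset, length in partitions:
        digests[name] = hash_region(path, offset, length)
    return digests

def verify_copy(original, copy, partitions, log_path):
    """Hash original and copy, compare every region, append a timestamped record to the log."""
    before, after = hash_image(original, partitions), hash_image(copy, partitions)
    mismatched = sorted(k for k in before if before[k] != after[k])
    entry = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), "original": original,
             "copy": copy, "original_hashes": before, "copy_hashes": after, "mismatched": mismatched}
    with open(log_path, "a") as log:  # record everything: the log is part of the evidence trail
        log.write(json.dumps(entry) + "\n")
    return not mismatched, mismatched

def demo():
    """Constructed sample: a 3 MiB image with two fake partitions, one faithful copy and one tampered copy."""
    d = tempfile.mkdtemp()
    orig, good, bad, log = (os.path.join(d, n) for n in ("disk.img", "good.img", "bad.img", "custody.log"))
    with open(orig, "wb") as f:
        f.write(bytes(range(256)) * (3 * 1024 * 1024 // 256))  # deterministic filler, not a real disk
    for path in (good, bad):
        shutil.copyfile(orig, path)
    with open(bad, "r+b") as f:  # corrupt one byte inside the second partition of the bad copy
        f.seek(2 * 1024 * 1024 + 100)
        f.write(b"\xff")
    parts = [("part1", 512, 2 * 1024 * 1024 - 512), ("part2", 2 * 1024 * 1024, 1024 * 1024)]
    return verify_copy(orig, good, parts, log), verify_copy(orig, bad, parts, log)
```

Per-partition digests show which region was altered, so a failed comparison points at the affected partition rather than just the whole image.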
There are three broad categories of advanced forensics: live forensics, post-mortem forensics, and network forensics.
The workflow to an incident response process is illustrated below.
An incident response team is a luxury; usually there isn't a true team but an ad-hoc one. Incident response teams are becoming increasingly common at US companies.
The investigation cycle starts with verification, then eventually evidence acquisition begins.
A key principle to keep in mind is Locard's Exchange Principle, which states that "when any two objects come into contact, there is always transference of material from each object onto the other." Thus it is impossible to interact with a live system without having some effect on it, which is why it is so important to write down everything during the investigation process.
Volatility
According to RFC 3227, during evidence collection one should proceed from the most to the least volatile. A general example of the order of volatility for a typical system is:
- system memory
- temporary file systems such as swapfiles or hibernation files
- process table and network connections
- network routing information and ARP cache
- forensic acquisition of disks
- remote logging and monitoring data
- physical configuration and network topology
- backups
There are several tools used during evidence gathering. Never install any tools on the suspect computer! Tools used include:
- FTK Imager - saves a hard disk as a single image file or as partitions that can be reconstructed
- Volatility - advanced memory forensics framework
- Yara - pattern-matching tool for identifying and classifying malware by textual or binary signatures
- RegRipper - used to search the registry
Now that we have some knowledge and a few tools, where should we start looking? One of the most important places to look first is memory (RAM). The lecturer compared memory to "the Google of your computer": it contains what the user clicked on, strings, passwords (unencrypted in memory), etc. Another crucial place to examine is the master file table (MFT), which contains the metadata for every file on an NTFS volume. A third important place is the Windows registry: just about everything done in Windows is recorded in the registry, and every action taken by the user is referenced there.
Note: all images sourced from lecture material provided by Oregon State University, CS 373