Digital Forensic Training

Published in: Technology
Transcript

  • 1. PRACTICAL DEMONSTRATIONS OF DIGITAL FORENSIC TOOLS
  • 2. INSTRUCTOR'S PROFILE: Adeoje Adetunji Emmanuel. Certified Ethical Hacker (CEH), EC-Council Security Analyst (ECSA), Computer Hacking Forensic Investigator (CHFI), AccessData Certified Examiner (ACE), Certified Information System Auditor (CISA), EnCase specialist, Licensed Penetration Tester (LPT)
  • 3. Agenda:
      • Introduction
      • The Forensic Investigation
      • Objective of Digital Forensics Analysis
      • Roles of Digital Forensic Analysts in IR
      • Forensic readiness and Business continuity
      • Computer forensic process
      • Computer forensics tools
      • Demos
  • 4. Introduction Data breaches, hacking attacks, viruses, and insider threats are some of the security issues many companies face on a daily basis. Besides employing preventive measures, such as the use of firewalls and intrusion detection devices to prevent data breaches and thwart external attacks, many organizations around the world have been using computer forensics to identify instances of computer misuse and illegal intrusion. The use of computer forensic techniques also has flourished in the internal audit profession. However, many internal auditors are unaware of the advantages that computer forensics can bring to audit investigations. Learning how to acquire, analyze, and report data through the use of computer forensics can help auditors make the most of this investigative technique, as well as recover previously deleted documents that can provide the "smoking gun" needed to determine if a fraudulent activity took place.
  • 7. THE FORENSIC INVESTIGATION: Computer forensics is the application of analytical techniques to digital media after a computer security incident has occurred. Its goal is to identify exactly what happened on a digital system and who was responsible, through a structured, investigative approach. Forensic investigations cover all areas of computer misuse, including fraud, Internet and e-mail abuse, access to pornographic Web sites, and hacking, as well as accidental deletions or alterations of data. During the forensic investigation, evidence may be obtained in a variety of ways, including affidavits, search warrants, depositions, and expert testimony. Regardless of the means used to obtain data, examination of a computer or other device must be done thoroughly, carefully, and without changing anything. This ensures that the integrity of the original data and the evidence's validity are maintained. If an internal auditor suspects fraud may have occurred, he or she should fill out an incident detection report form or similar document. The document needs to specify the date and time of the suspected fraud, who reported the incident, the nature of the incident, and the system(s) and application(s) involved. Note: it is important for companies to have an established, clear process for dealing with these kinds of incidents; this kind of pre-planning helps ensure that the proper channels are followed when an incident occurs. Forensic investigations consist of three phases: acquiring the evidence, analyzing results, and reporting results. Below is a description of each.
  • 8. Acquiring the Evidence: The process of securing or acquiring evidence starts with previewing the contents of a computer's hard drive or other media. To acquire the electronic data, including deleted information, the storage device must be mirrored or duplicated exactly, bit by bit. Once the storage device is secured, a second device may be needed as a working copy if the original storage device was not seized or secured. This allows the examiner access to an unaltered copy of the electronic data.
  • 9. Imaging: An image is an exact replica of the computer's hard drive or other media, and should include any slack space. The image is then investigated, rather than the original, to avoid altering the original data, which would make any evidence gathered inadmissible in court. Imaging is a vital step in a computer forensic investigation and is accepted as the best method for capturing computer evidence that may be presented in a court of law. Having captured an exact image of the data, the next step is to process it. All data must be processed, including deleted or partially overwritten files, information hidden outside normal storage areas, and data in virtual memory and slack space. The most common method used by forensic examiners to capture this data is by using a write-blocking device. This device prevents the forensic examiner's machine from writing to or altering the data on the suspect drive. Windows operating systems are notorious for writing to attached media in exactly this way.
  • 10. Understanding Bit-stream Copies
  • 11. Typically, the suspect drive is removed from the machine if possible and plugged directly into the write-blocking device. Once this has occurred, an examiner can make what is called a "bit-stream" image of the drive. This is an exact bit-for-bit copy of the drive's contents, including deleted space, file slack, and logical files. Another method of capturing this data is using a Linux live CD or a boot disk, which allows the investigator to view the files on the drive, including deleted space and unallocated clusters, without altering the drive's contents. The examiner can then copy the files onto an external hard drive and view them. Hidden data often contains the most vital evidence to prove or disprove a case. In some cases, a file extraction may be appropriate. In other situations, a data index may be created to support powerful search tools. After auditors have a complete image of the drive, they can start collecting the evidence. Most forensic software includes ready-made scripts for a variety of operating systems that automate certain functions, such as an encrypted registry parser, file finder, and file mounter. Because different programs may work better for different tasks, auditors should ensure organizations are using the right product based on their data analysis needs.
  • 12. Slack space: The data between the end of the logical file and the end of the cluster containing the data is called slack space. Slack space will usually contain data from files that used this space before, making it a rich depository of evidence. Because of its history, the portion of the slack space from the end of the logical file to the end of the sector (not the cluster) was called RAM slack or sector slack. The remainder of the slack, from the end of the last sector containing the logical file until the end of the cluster, is called file slack. The entire slack space, comprising both RAM or sector slack and file slack
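The slide's definitions of RAM (sector) slack and file slack can be made concrete by splitting a single cluster at the two boundaries it describes. The block below is an added worked example, not code from the slides or from any of the tools they mention: it constructs a 4 KiB cluster (eight 512-byte sectors) that previously held an older file and has been reused by a 700-byte logical file, then returns the three regions and checks whether residue of the old file survives in file slack. The sector and cluster sizes, the sample contents and the zero-padding of the last written sector (the behaviour of modern operating systems, which is why sector slack rarely leaks memory contents any more) are all assumptions of this example.

```python
"""Added example: locating RAM (sector) slack and file slack inside one cluster.

Constructed data, not from the slides: a 4 KiB cluster that previously held an
older file, now reused by a shorter logical file.
"""

SECTOR = 512      # assumed sector size
CLUSTER = 4096    # assumed cluster size (8 sectors)


def slack_regions(cluster: bytes, logical_size: int, sector: int = SECTOR) -> dict:
    """Split one cluster into logical file, RAM/sector slack and file slack.

    RAM (sector) slack runs from the end of the logical file to the end of the
    sector that contains that end; file slack runs from there to the end of the
    cluster. All offsets are byte offsets within the cluster.
    """
    if not 0 <= logical_size <= len(cluster):
        raise ValueError("logical file cannot exceed the cluster")
    # Round the end of the logical file up to the next sector boundary.
    sector_end = min(-(-logical_size // sector) * sector, len(cluster))
    return {
        "logical": cluster[:logical_size],
        "ram_slack": cluster[logical_size:sector_end],
        "file_slack": cluster[sector_end:],
    }


def build_sample_cluster(logical_size: int) -> bytes:
    """Constructed cluster: residue of an old file, then a new file written over
    the start. The tail of the last written sector is zero-padded (as modern
    operating systems do), so sector slack holds no old data; the sectors the
    new file never touched still hold the old file's bytes."""
    old_file = (b"OLD INVOICE DATA 2006 " * (CLUSTER // 22 + 1))[:CLUSTER]
    new_file = b"new report text ".ljust(logical_size, b"-")[:logical_size]
    sector_end = -(-logical_size // SECTOR) * SECTOR
    padded = new_file + b"\x00" * (sector_end - logical_size)
    return padded + old_file[sector_end:]


def carve_residue(cluster: bytes, logical_size: int, marker: bytes) -> bool:
    """True if the old file's marker is still recoverable from file slack."""
    return marker in slack_regions(cluster, logical_size)["file_slack"]


if __name__ == "__main__":
    c = build_sample_cluster(700)
    r = slack_regions(c, 700)
    print(len(r["logical"]), len(r["ram_slack"]), len(r["file_slack"]))  # 700 324 3072
    print(carve_residue(c, 700, b"OLD INVOICE"))  # True
```

With a 700-byte file the logical data ends inside the second sector, so 324 bytes of sector slack and six whole sectors (3072 bytes) of file slack remain; the old file's text is still carveable from the file slack even though the sector slack was zeroed. A file whose size is an exact multiple of the sector size has no RAM slack at all, which the block also handles.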
  • 13. Computer forensics focuses on three categories of data. Active Data: These are the current files on the computer, still visible in directories and available to applications. One important evidentiary point about data on a hard drive is that no matter what it may represent, whether simple text or convoluted spreadsheets, it exists only as infinitesimal magnetic flux reversals representing ones and zeroes, which must be processed by software to be intelligible.
  • 14. Latent Data: Latent data (also called "ambient data") are deleted files and other data, including memory "dumps", that have "lodged in the digital cracks" but can still be retrieved. Latent data also includes swap files, temporary files, printer spool files, metadata and shadow data. Latent data are generally inaccessible absent the use of specialized tools and techniques. This data resides on the media, e.g., the hard drive, in, e.g., slack space and other areas marked available for data storage but not yet overwritten by other data. The recovery of latent data is the art most often associated with computer forensics, but the identification, extraction and management of active data is no less demanding of a forensic expert's skill.
  • 15. Archival Data: This is data that has been transferred or backed up to peripheral media, like tapes, CDs, ZIP disks, floppy disks, network servers or the Internet. Archival data can be staggeringly voluminous, particularly in a large organization employing frequent, regular backup procedures. It is critically important to recognize that an archival record of a source media never reflects all of the data that can be identified and extracted from the source media, because such backups don't carry forward latent data. Accordingly, an opponent's offer to furnish copies of backup tapes is, while valuable, no substitute for a forensic examination of a true bit-by-bit copy of the source disk drive.
  • 16. Disk imaging using FTK Imager, EnCase, FTK Imager Lite
  • 17. Six file systems that FTK Imager can read
  • 18. Four types of evidence
  • 19. Formats that FTK Imager can read
  • 21. Encase evidence file
  • 23. Data on the Computer: in files, in log files, browser history, Windows prefetch area, slack space. Lost when the machine is powered off: open network connections, virtual memory, physical memory. Lost if you wait too long: network traces.
  • 24. Understanding Bit-stream Copies: a bit-by-bit copy of the original storage medium, i.e. an exact copy of the original disk. This is different from a simple backup copy: backup software only copies known files; it cannot copy deleted files or e-mail messages, or recover file fragments.
  • 25. Data in Unexpected Places: anti-virus alerts and real-time anti-virus scans; license enforcement / application metering; [anything] management software (patch management, software management, configuration management, asset management).
  • 26. Analyzing the Results: The second phase, analyzing the results, takes place after all the evidence is acquired and imaged properly. Because every case is different, auditors need to be fully trained when conducting a data analysis, or they should recommend that a trained forensic examiner performs the evaluation if they lack the professional training to do so. To analyze the evidence, auditors should use the working copy of the retrieved, deleted electronic data only, including files and folders. Auditors also need to maintain a chain of custody when handling the evidence. To maintain a digital chain of custody, all images should be hashed, that is, a small digital fingerprint of the data is computed and recorded. During the data analysis stage, software also is used to inspect the raw data and organize it into an understandable report. As a result, the auditor must be able to tell the computer what to look for by using text-string search terms that will identify data pertaining to the specific incident under investigation.
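Slides 8, 9, 24 and 26 together describe one procedure: take a bit-for-bit image of the source medium through a write blocker, hash it, and work only on a verified copy. The following block is an added example of that procedure in Python and is not code from the slides or from FTK Imager or EnCase; it stands in a temporary file for the suspect device (a constructed 1 MiB of random bytes followed by an unallocated region that a file-level backup would never copy), images it chunk by chunk while hashing the stream, independently re-hashes source and image, writes a chain-of-custody record, and shows that a working copy with a single altered byte fails verification. The examiner name, file names and record layout are assumptions of the example; a hardware write blocker remains the control that keeps the operating system itself from touching the original.

```python
"""Added example: bit-stream acquisition with SHA-256 verification and a
chain-of-custody record. Standard library only; the "device" is a constructed
temporary file, not a real disk.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # 64 KiB pieces, so the image never has to fit in RAM


def sha256_of(path: str) -> str:
    """Hash a file from start to finish (used for the independent re-check)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source: str, image: str) -> str:
    """Copy every byte of `source` to `image`, hashing the stream as it is read.
    The source is opened read-only; a hardware write blocker is still what
    keeps the OS from writing to the original."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def custody_record(source: str, image: str, examiner: str) -> dict:
    """Acquire, then re-hash both files; all three digests must agree."""
    stream_hash = acquire_image(source, image)
    rec = {
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image,
        "sha256_stream": stream_hash,
        "sha256_source": sha256_of(source),
        "sha256_image": sha256_of(image),
    }
    rec["verified"] = rec["sha256_stream"] == rec["sha256_source"] == rec["sha256_image"]
    return rec


def verify_working_copy(copy_path: str, expected_sha256: str) -> bool:
    """Re-check a working copy against the hash recorded at acquisition."""
    return sha256_of(copy_path) == expected_sha256


def demo(workdir: str) -> dict:
    """Constructed device: 1 MiB of pseudo-random data plus an unallocated
    region holding a deleted-but-recoverable string."""
    dev = os.path.join(workdir, "suspect.dev")
    img = os.path.join(workdir, "case007.dd")
    with open(dev, "wb") as f:
        f.write(os.urandom(1 << 20))
        f.write(b"\x00" * 4096 + b"deleted-but-recoverable" + b"\x00" * 4096)
    rec = custody_record(dev, img, "EXAMINER-NAME-PLACEHOLDER")
    # A working copy with one flipped bit must fail verification.
    work = os.path.join(workdir, "working.dd")
    data = bytearray(open(img, "rb").read())
    data[1000] ^= 0x01
    with open(work, "wb") as f:
        f.write(data)
    rec["working_copy_ok"] = verify_working_copy(work, rec["sha256_image"])
    return rec


def run_demo() -> dict:
    """Run the whole acquisition in a throw-away directory."""
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Keeping the stream hash, the source re-hash and the image re-hash in the record is deliberate: agreement of all three shows the copy was complete and that the source did not change during acquisition, which is the claim the examiner will later have to defend.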
  • 27. Reporting Results: The final phase of the forensic examination is creating the report and reporting the evidence. Final reports of the investigation should include a list of all the evidence gathered, a copy of printed documents listed as appendices, and an executive summary. In certain cases (e.g., to obtain a search warrant or make a criminal charge), auditors may need to create interim reports. These reports are updated as new information is gathered and until the investigation is completed. Report findings need to be ready to be used in a court of law. For instance, reports should clearly explain what made the company or auditor suspicious of the hard drive, how the hard drive was imaged, how the data was handled prior to the analysis, where within the hard drive the evidence was found, and what the evidence means. Internal auditors who conduct the forensic examination should expect to be called to provide expert testimony during the court case and to help the organization review the opposing counsel's evidence.
  • 28. ADDITIONAL STEPS AND TECHNIQUES: Before and during the forensic investigation, internal auditors can take additional steps to ensure evidence is court-ready. Prior to the forensic examination, the auditor should physically secure the system in question and take pictures of the room, the area surrounding the system, and the system itself. In addition, the auditor needs to secure the evidence onsite or in a laboratory to ensure a proper chain of custody is followed and digital evidence is secured effectively. The auditor should also document all system details and any connections to the system, such as network cables and 802.11x connections. The following actions should be avoided at all cost prior to collecting the evidence:
      • Modifying the time and date stamps of the system(s) containing the evidence before duplication takes place.
      • Executing nontrusted binaries by double-clicking or running any executable files that are on the computer (e.g., evidence.exe could be a wiping program that, when run, can destroy all the evidence on the drive).
      • Terminating the rogue process. This pertains to processes on the computer that are displayed when users press Ctrl+Alt+Delete. In hacking cases, it's common for people to press Ctrl+Alt+Delete and kill any processes they are unsure about. This may have adverse effects, such as wiping the drive or log files and notifying the attacker that the process has been discovered.
      • Updating the system before the forensic investigation takes place.
      • Not recording executed commands.
      • Installing software on the system.
  • 29. Offline Analysis: An offline analysis is when the investigation takes place on the imaged copy. When preparing the evidence, auditors need to know how to power down the system correctly. Some systems must be shut down properly, while others can be turned off by pulling the plug.
  • 30. Comparison of systems that can be turned off through the shut-down method or the pull-the-plug method
  • 31. Why Live Forensics? Big disks: disk capacity keeps increasing (Oct '06: 500 GB for ~$158) faster than processors; terabyte systems are big and common; searching (or indexing) takes time; mirroring takes time. Minimal downtime (mission-critical systems). Harder to seize systems (even with a court order). Provides context for static analysis. Low-profile examination. Long data lifetimes. Some data is only in RAM.
  • 32. Live Analysis: While collecting the evidence, a live or offline analysis can be performed as part of the gathering process. A live analysis takes place when the forensic investigation is conducted on the live system (i.e., the system is not powered down). Due to the volatile nature of digital media, auditors need to document all the steps taken while collecting the evidence during a live analysis. Besides refraining from installing software on the system, the auditor should not update the system with any security patches or hot fixes prior to imaging the drive. If the computer has any active windows open, pictures should be taken of the monitor as part of the examination's documentation, as well as of the area by the system's clock, to determine whether there are encrypted containers and, if so, whether they are open. Internal auditors may encounter problems during any live analysis. Some of these problems include:
  • 33. Problems encountered during a live analysis:
      • Destruction or alteration of digital evidence by the auditor. Because computer files only get overwritten when data needs to take their place on the hard drive, clicking on files or folders on a computer will result in information being written to the drive, potentially overwriting valuable evidence. During a live analysis this is unavoidable. To account for potentially overwritten data, the auditor should write down every action performed on the system so that the forensic examiner can rule out that activity.
      • Logic bombs and slag code. This refers to a piece of code or application that does something based on a condition. For example, wiping software commonly erases the drive on startup or shutdown. Therefore, the auditor can trigger a logic bomb or slag code simply by clicking on Start > Shutdown. The best way to avoid this situation is to unplug the machine from the wall. This will prevent software code from running, because the machine will have no electricity to run. If the investigation involves a laptop, after unplugging the machine the investigator can shut down the laptop by pressing the power button and holding it down for approximately five to 10 seconds. This will cut all power to the machine and force it to shut down.
      • Trojan binaries and rootkits. Trojans and rootkits are installed by the attacker. When operational, they send alerts to the hacker after a specific action takes place. Some Trojans even allow the attacker to view the computer screen in real time. Properly shutting down the machine will prevent the hacker from seeing what the forensic investigator is doing. At a minimum, the computer's Internet connection must be disabled so that information is not sent to the attacker.
      • No access to slack space, pagefile/hibernation files, Windows NT file system transaction logs, and print spoolers. Sometimes these files may contain just the right evidence needed to prove a case. For instance, in cases involving the use of forged checks, printed files could have all the evidence needed. However, if the investigator is unable to access these files, the evidence could be lost as the investigation moves forward and files are imaged.
    Once the data is gathered during the live analysis, the system must be imaged. Depending on the type of operating system, the auditor may need to shut down the system properly without damaging the evidence, while still allowing the system to boot up.
  • 34. Information Available: running processes, open files, network connections, memory (physical / virtual dumps), regular disk files.
  • 35. Information Available (2): images of the entire disk (live disk imaging, a.k.a. shooting a moving target); deleted files (live file carving); unencrypted document fragments; encryption keys for whole-disk encryption schemes; copies of volatile-only malware (for disassembly and investigation).
  • 36. Running Processes. Windows: open files, open network connections, registry activity, open DLLs, ... Unix: open files, open network connections, access to the corresponding executable even if deleted, command line that invoked the application, environment variables, ...
  • 37. Memory. Process memory: finer-grained than dumping entire RAM; easier to make sense of a process's virtual address space than of physical memory; more likely to find contiguous application structures; can yield passwords, document fragments, unencrypted documents. Kernel memory: search for "hidden" processes; evaluate the health of the kernel. String searches: the most "brute force" technique.
  • 38. Identifying the memory image with volatools:
        C:\VolatoolsBasic-1.1.1>python volatools ident -f d:\MEMDUMP.1GB
        Image Name: d:\MEMDUMP.1GB
        Image Type: XP SP2
        VM Type: nopae
        DTB: 0x39000
        Datetime: Thu Mar 22 18:07:31 2007
  • 39. Open files per process:
        C:\VolatoolsBasic-1.1.1>python volatools files -f d:\MEMDUMP.1GB
        ************************************************************************
        Pid: 4
        File \Documents and Settings\Administrator.HE00\NTUSER.DAT
        File \Documents and Settings\Administrator.HE00\NTUSER.DAT.LOG
        File \System Volume Information\_restore{1625C426-0868-4E67-8C21-25BB305F7E1E}\RP228\change.log
        File \Topology
        File \pagefile.sys
        File \WINDOWS\system32\config\SECURITY
        File \WINDOWS\system32\config\SECURITY.LOG
        File \WINDOWS\system32\config\software
        File \WINDOWS\system32\config\software.LOG
        File \hiberfil.sys
        File \WINDOWS\system32\config\system
        File \WINDOWS\system32\config\system.LOG
        File \WINDOWS\system32\config\default
        File \WINDOWS\system32\config\default.LOG
        File \WINDOWS\system32\config\SAM
        File \WINDOWS\system32\config\SAM.LOG
        File \Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT
        File \Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG
        File \Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG
        File \Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT
        File \WINDOWS\CSC\00000001
        ************************************************************************
        Pid: 436
        File \WINDOWS
        File \WINDOWS\system32
        ...
  • 40. Process list:
        C:\VolatoolsBasic-1.1.1>python volatools pslist -f d:\MEMDUMP.1GB
        Name           Pid   PPid  Thds  Hnds  Time
        System         4     0     65    262   Thu Jan 01 00:00:00 1970
        smss.exe       436   4     3     21    Thu Mar 15 08:04:12 2007
        csrss.exe      492   436   20    421   Thu Mar 15 08:04:13 2007
        winlogon.exe   516   436   22    626   Thu Mar 15 08:04:14 2007
        services.exe   560   516   17    366   Thu Mar 15 08:04:14 2007
        lsass.exe      572   516   19    405   Thu Mar 15 08:04:15 2007
        svchost.exe    752   560   21    214   Thu Mar 15 08:04:15 2007
        svchost.exe    812   560   9     264   Thu Mar 15 08:04:16 2007
        svchost.exe    876   560   72    1582  Thu Mar 15 08:04:16 2007
        svchost.exe    924   560   6     95    Thu Mar 15 08:04:16 2007
        svchost.exe    976   560   7     137   Thu Mar 15 08:04:16 2007
        spoolsv.exe    1176  560   14    159   Thu Mar 15 08:04:17 2007
        MDM.EXE        1372  560   4     85    Thu Mar 15 08:04:25 2007
        ntrtscan.exe   1416  560   13    65    Thu Mar 15 08:04:25 2007
        tmlisten.exe   1548  560   14    179   Thu Mar 15 08:04:28 2007
        OfcPfwSvc.exe  1636  560   9     145   Thu Mar 15 08:04:29 2007
        alg.exe        2028  560   6     103   Thu Mar 15 08:04:32 2007
        XV69C2.EXE     336   1416  1     84    Thu Mar 15 08:04:34 2007
        AcroRd32.exe   2452  848   0     -1    Wed Mar 21 03:53:27 2007
        explorer.exe   840   3844  16    410   Thu Mar 22 23:05:51 2007
        jusched.exe    2608  840   2     36    Thu Mar 22 23:05:54 2007
        PccNTMon.exe   2184  840   4     67    Thu Mar 22 23:05:54 2007
        ctfmon.exe     3084  840   1     70    Thu Mar 22 23:05:54 2007
        reader_sl.exe  1240  840   2     35    Thu Mar 22 23:05:55 2007
        cmd.exe        368   840   1     30    Thu Mar 22 23:07:01 2007
        dumpmem.exe    2132  368   1     17    Thu Mar 22 23:07:30 2007
  • 41. Sockets (note: this listing is from a different image, memdump.blue):
        C:\VolatoolsBasic-1.1.1>python volatools sockets -f d:\memdump.blue
        Pid   Port  Proto  Create Time
        1828  500   17     Wed Mar 28 02:22:36 2007
        4     445   6      Wed Mar 28 02:22:20 2007
        736   135   6      Wed Mar 28 02:22:25 2007
        468   1900  17     Wed Mar 28 02:22:58 2007
        196   1031  6      Wed Mar 28 02:22:54 2007
        1936  1025  6      Wed Mar 28 02:22:35 2007
        4     139   6      Wed Mar 28 02:22:20 2007
        1828  0     255    Wed Mar 28 02:22:36 2007
        1112  123   17     Wed Mar 28 02:22:39 2007
        1804  1029  17     Wed Mar 28 02:22:37 2007
        384   1028  6      Wed Mar 28 02:22:36 2007
        384   1032  6      Wed Mar 28 02:22:56 2007
        4     137   17     Wed Mar 28 02:22:20 2007
        1936  1026  6      Wed Mar 28 02:22:35 2007
        316   1030  6      Wed Mar 28 02:22:44 2007
        1164  3793  6      Wed Mar 28 02:22:28 2007
        468   1900  17     Wed Mar 28 02:22:58 2007
        1828  4500  17     Wed Mar 28 02:22:36 2007
        4     138   17     Wed Mar 28 02:22:20 2007
        196   1037  6      Wed Mar 28 02:23:03 2007
        1936  1027  6      Wed Mar 28 02:22:35 2007
        4     445   17     Wed Mar 28 02:22:20 2007
        1112  123   17     Wed Mar 28 02:22:39 2007
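The pslist and sockets listings above are where a responder starts looking for things that do not add up: a process whose parent is no longer in the list, an entry with zero threads and -1 handles (a terminated process whose kernel structure is still in memory, like AcroRd32.exe here), or a socket owned by a PID that the process list does not show. The block below is an added example of that triage and is not part of volatools or of the slides: it parses lines in the slide's pslist and sockets format, builds the parent chain for a process, and reports those three findings. The pslist sample is a subset of the rows on the slide; the sockets sample is constructed for this example (the slide's sockets output comes from a different memory image, so its PIDs cannot be matched against this pslist), and the PID 9999 entry is a deliberate stand-in for a socket with no visible owner.

```python
"""Added example: triage of volatools-style pslist and sockets output."""
import re
from dataclasses import dataclass

# Subset of the pslist rows shown on the slide.
PSLIST_SAMPLE = """\
Name Pid PPid Thds Hnds Time
System 4 0 65 262 Thu Jan 01 00:00:00 1970
smss.exe 436 4 3 21 Thu Mar 15 08:04:12 2007
csrss.exe 492 436 20 421 Thu Mar 15 08:04:13 2007
winlogon.exe 516 436 22 626 Thu Mar 15 08:04:14 2007
services.exe 560 516 17 366 Thu Mar 15 08:04:14 2007
lsass.exe 572 516 19 405 Thu Mar 15 08:04:15 2007
svchost.exe 752 560 21 214 Thu Mar 15 08:04:15 2007
spoolsv.exe 1176 560 14 159 Thu Mar 15 08:04:17 2007
ntrtscan.exe 1416 560 13 65 Thu Mar 15 08:04:25 2007
XV69C2.EXE 336 1416 1 84 Thu Mar 15 08:04:34 2007
AcroRd32.exe 2452 848 0 -1 Wed Mar 21 03:53:27 2007
explorer.exe 840 3844 16 410 Thu Mar 22 23:05:51 2007
cmd.exe 368 840 1 30 Thu Mar 22 23:07:01 2007
dumpmem.exe 2132 368 1 17 Thu Mar 22 23:07:30 2007
"""

# Constructed sockets sample (same column layout as the slide); PID 9999 is
# a deliberate stand-in for a socket whose owner is not in the process list.
SOCKETS_SAMPLE = """\
Pid Port Proto Create Time
4 445 6 Wed Mar 28 02:22:20 2007
1176 3793 6 Wed Mar 28 02:22:28 2007
9999 5555 6 Wed Mar 28 02:25:01 2007
"""

PS_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(-?\d+)\s+(-?\d+)\s+(.+)$")
SOCK_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int
    threads: int
    handles: int
    created: str


def parse_pslist(text: str) -> dict:
    """Map pid -> Proc; the first line is the column header and is skipped."""
    procs = {}
    for line in text.splitlines()[1:]:
        m = PS_RE.match(line.strip())
        if m:
            name, pid, ppid, thds, hnds, when = m.groups()
            procs[int(pid)] = Proc(name, int(pid), int(ppid), int(thds), int(hnds), when)
    return procs


def parse_sockets(text: str) -> list:
    """List of (pid, port, proto, create_time) tuples."""
    out = []
    for line in text.splitlines()[1:]:
        m = SOCK_RE.match(line.strip())
        if m:
            pid, port, proto, when = m.groups()
            out.append((int(pid), int(port), int(proto), when))
    return out


def triage(procs: dict, socks: list) -> dict:
    """Findings worth a second look before the process list is trusted:
    orphans (parent PID absent: parent exited, or not visible), exited
    (zero threads / -1 handles: a terminated process still in memory) and
    sockets owned by a PID that the list does not contain."""
    orphans = sorted(p.name for p in procs.values() if p.ppid and p.ppid not in procs)
    exited = sorted(p.name for p in procs.values() if p.threads == 0 or p.handles < 0)
    stray = sorted({pid for pid, _, _, _ in socks if pid not in procs})
    return {"orphans": orphans, "exited": exited, "socket_without_process": stray}


def ancestry(procs: dict, pid: int) -> list:
    """Walk parent links upward, e.g. dumpmem.exe <- cmd.exe <- explorer.exe;
    the `seen` set guards against a cycle in a corrupted or hostile list."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return chain


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_SAMPLE)
    print(triage(procs, parse_sockets(SOCKETS_SAMPLE)))
    print(" <- ".join(ancestry(procs, 2132)))
```

On the slide's data the orphans are explorer.exe (its parent, userinit, had already exited, which is normal) and AcroRd32.exe, which is also the one exited entry; the parent chain of dumpmem.exe ends at explorer.exe and shows the memory dump itself was taken from a cmd.exe launched by the logged-on user, a detail the report should state since that action is part of the responder's footprint on the system.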
  • 42. Live-Response Methodologies: There are three basic methodologies for performing live response on a Windows system: local, remote and hybrid.
    Local Response Methodology: Performing live response locally means you are sitting at the console of the system, entering commands at the keyboard, and saving information locally, either directly to the hard drive or to a removable (thumb drive, USB-connected external drive) or network resource (network share) that appears as a local resource. The simplest way to implement the local methodology is with a batch file. An example of a simple batch file that you can use during live response looks like this:
        REM local.bat - %1 is the directory that receives the output (e.g. the thumb drive)
        tlist.exe -c > %1\tlist-c.log
        tlist.exe -t > %1\tlist-t.log
        tlist.exe -s > %1\tlist-s.log
        tcpvcon.exe -can > %1\tcpvcon-can.log
        netstat.exe -ano > %1\netstat-ano.log
    There you go: three utilities and five simple commands. Save this file as local.bat and include it on the CD, along with copies of the associated tools.
  • 43. Remote Response Methodology: The remote response methodology generally consists of a series of commands executed against a system from across the network. This methodology is very useful in situations with many systems, because the process of logging into the system and running commands is easy to automate. Implementing our local methodology batch file for the remote methodology is fairly trivial:
        REM remote.bat - %1 is the target host, %2 the user name, %3 the password
        REM psexec -c copies the named tool to the remote system before running it
        psexec.exe \\%1 -u %2 -p %3 -c tlist.exe -c > tlist-c.log
        psexec.exe \\%1 -u %2 -p %3 -c tlist.exe -t > tlist-t.log
        psexec.exe \\%1 -u %2 -p %3 -c tlist.exe -s > tlist-s.log
        psexec.exe \\%1 -u %2 -p %3 -c tcpvcon -can > tcpvcon-can.log
        psexec.exe \\%1 -u %2 -p %3 c:\windows\system32\netstat.exe -ano > netstat-ano.log
    This batch file (remote.bat) sits on the responder's system and is launched as follows:
        C:\forensics\case007>remote.bat 192.168.0.7 Administrator password
    Once the batch file has completed, the responder has the output of the commands in five files, ready for analysis, on her system.
  • 44. The Hybrid Approach (a.k.a. Using the FSP): This methodology is most often used in situations where the responder cannot log in to the systems remotely but wants to collect all information from a number of systems and store that data in a central location. The responder (or an assistant) will go to the system with a CD or thumb drive (ideally, one with a write-protect switch that is enabled), access the system, and run the tools to collect information. As the tools are executed, each one will send its output over the network to the central "forensic server." In this way, no remote logins are executed, trusted tools are run from a nonmodifiable source, and very little is written to the hard drive of the victim system. With the right approach and planning, the responder can minimize his interaction with the system, reducing the number of choices he needs to make with regard to input commands and arguments as well as reducing the chance for mistakes.
  • 45. FSPC and FRUC: FSPC is the server component, which resides on your forensic workstation. This system will be where all of the data you collect is stored and managed, and then eventually analyzed.
        FSPC [-d case dir] [-n case name] [-p port] [-i investigator] [-l logfile] [-c] [-v] [-h]
        -d case dir....Case directory (default: cases)
        -n case name...Name of the current case
        -i invest......Investigator's name
        -p port........Port to listen on (default: 7070)
        -l logfile.....Case logfile (default: case.log)
        -v.............Verbose output (more info, good for monitoring activity)
        -c.............Close FSP after CLOSELOG command sent (best used when collecting data from only one system)
        -h.............Help (print this information)
        Ex: C:\>fspc -d cases -n testcase -i "H. Carvey"
            C:\>fspc -n newcase -p 80
  • 46. FRUC is the client component, used to collect data from the "victim" system. Download the zipped archive, and extract all of the files (2 EXE files and several DLLs) into a directory, add your third-party tools, update your INI file (the default is "fruc.ini") appropriately, and then burn everything to a CD (or copy it to a thumb drive). Then you're ready. Launch the FRUC with the "-h" switch and you'll see:
        FRUC v 1.2 [-s server IP] [-p port] [-f ini file] [-h]
        First Responder Utility (CLI) v.1.2, data collection utility of the Forensics Server Project
        -s system......IP address of Forensics Server
        -p port........Port to connect to on the Forensics Server
        -f file........Ini file to use (use other options to override ini file configuration settings)
        -v.............Verbose output (more info, good for monitoring activity)
        -h.............Help (print this information)
        Ex: C:\>fruc -s -p -f
  • 47. Using netcat: For our purposes, we won't go into an exhaustive description of netcat; we'll use it to transmit information from one system to another. First, we need to set up a "listener" on our forensic server, and we do that with the following command line:
        D:\forensics>nc -L -p 80 > case007.txt
    The batch file run from the CD on the victim system then pipes each tool's output to that listener (%1 is the forensic server's IP address, %2 its port; -w 5 closes each connection after 5 seconds of idle time):
        tlist.exe -c | nc %1 %2 -w 5
        tlist.exe -t | nc %1 %2 -w 5
        tlist.exe -s | nc %1 %2 -w 5
        tcpvcon -can | nc %1 %2 -w 5
        netstat.exe -ano | nc %1 %2 -w 5
    Save this file as hybrid.bat, and then launch it from the command line, like so (D: is still the CD-ROM drive):
        D:\>hybrid.bat 192.168.1.10 80
    Once we run this batch file, we'll have all our data safely off the victim system and on our forensic server for safekeeping and analysis.
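Slides 44 to 47 describe the hybrid approach as one exchange: a tool on the victim system emits output, a listener on the forensic server writes it to the case, and nothing is written to the victim's disk. The block below is an added example of that exchange with both sides in one file; it is not the Forensics Server Project's code, and its one-line "<hostname> <toolname>" header is a protocol invented for this example (the real FSPC/FRUC protocol and netcat's raw stream both differ). Compared with the single `nc ... > case007.txt` listener on the slide it adds what a responder wants from the server side: one file per host and tool, a sanitised file name (the header comes from an untrusted machine), and a case log carrying the SHA-256 of every received stream so the client can check that what arrived is what it sent. The server binds to 127.0.0.1 on an ephemeral port so the example runs offline; the tool outputs are constructed stand-ins for what tlist and netstat would print.

```python
"""Added example: a minimal forensic-server exchange in the spirit of the
hybrid (FSP / netcat) approach. Constructed protocol: the client sends one
header line "<hostname> <toolname>\\n" followed by the raw tool output, then
closes the connection.
"""
import hashlib
import socket
import socketserver
import tempfile
import threading
from pathlib import Path


class CaseHandler(socketserver.StreamRequestHandler):
    """Server side: runs on the responder's workstation."""

    def handle(self):
        header = self.rfile.readline().decode("ascii", "replace").strip()
        host, tool = (header.split(" ", 1) + ["unknown"])[:2]
        # The header is attacker-influenced input: keep the file name filesystem-safe.
        safe = "".join(c if c.isalnum() or c in "-_." else "_" for c in f"{host}_{tool}")
        body = self.rfile.read()              # everything until the client closes
        digest = hashlib.sha256(body).hexdigest()
        case_dir = self.server.case_dir
        (case_dir / f"{safe}.txt").write_bytes(body)
        with self.server.log_lock, (case_dir / "case.log").open("a") as log:
            log.write(f"{self.client_address[0]} {safe} {len(body)} bytes sha256={digest}\n")


class ForensicServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, case_dir: Path, port: int = 0):
        super().__init__(("127.0.0.1", port), CaseHandler)   # port 0: ephemeral
        self.case_dir = case_dir
        self.log_lock = threading.Lock()


def start_server(case_dir: Path) -> ForensicServer:
    srv = ForensicServer(case_dir)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def send_output(server_ip: str, port: int, host: str, tool: str, output: bytes) -> str:
    """Client side (what the CD/thumb-drive tool would do on the victim system).
    Returns the hash the responder later compares against the case log."""
    with socket.create_connection((server_ip, port), timeout=5) as s:
        s.sendall(f"{host} {tool}\n".encode("ascii") + output)
    return hashlib.sha256(output).hexdigest()


def demo(case_dir: Path) -> dict:
    srv = start_server(case_dir)
    port = srv.server_address[1]
    # Constructed stand-ins for tlist -c and netstat -ano output.
    samples = {
        "tlist-c": b"smss.exe 436 \\SystemRoot\\System32\\smss.exe\n",
        "netstat-ano": b"TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4\n",
    }
    sent = {t: send_output("127.0.0.1", port, "victim01", t, out) for t, out in samples.items()}
    srv.shutdown()
    srv.server_close()            # joins handler threads, so every file is written
    log_lines = (case_dir / "case.log").read_text().splitlines()
    received = {ln.split()[1]: ln.split("sha256=")[1] for ln in log_lines}
    ok = all(received.get(f"victim01_{t}") == h for t, h in sent.items())
    return {"sent": sent, "received": received, "all_verified": ok}


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        return demo(Path(d))


if __name__ == "__main__":
    print(run_demo())
```

The hash in the case log is what turns "the data is on the forensic server" into something defensible: the responder can record the client-side digest in the notes taken at the console and show that the stored file matches it.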
  • 48. Network Forensics
  • 49. NetworkMiner: NetworkMiner is a network forensic analysis tool that was developed in order to facilitate the task of performing network forensic investigations as well as conducting incident response. NetworkMiner is designed to collect data about hosts on a network rather than to collect data regarding the traffic on the network. It has a graphical user interface where the main view is host-centric (information grouped per host) rather than packet-centric (information shown as a list of packets/frames). One of the most appreciated functions in NetworkMiner is the ability to easily extract files from captured network traffic in protocols such as HTTP, FTP, TFTP and SMB. NetworkMiner actually reassembles files to disk on the fly as it parses a PCAP file. A lot of other useful information, like user credentials, transmitted parameters, operating systems, hostnames, server banners etcetera, can also be extracted from network traffic with NetworkMiner. All of this is performed fully passively, so that no traffic is emitted to the network while performing the network forensic analysis.
  • 50. Analyzing Network Traffic
  • 52. Forensic software:
      • Dump tools: Ds2dump, Chaos reader
      • Permanent deletion of files: PD Wipe
      • File integrity checkers: Hash Keeper
      • Slack space & data recovery tools: DriveSpy, Ontrack
      • Disk imaging tools: Image, SnapBack DataArrest, IXimager
      • Hard disk write protection tools: Pdblock, Write-blocker, NoWrite, DriveDock
      • Partition managers: Part, Explore2fs
  • 53. Forensic software (contd.):
      • Linux/UNIX tools: Ltools, Mtools, TCT, TCTUTILs
      • Multipurpose tools: ByteBack, Maresware, BIA Protect Tools, LC-Technology Software, WinHex specialist editor, ProDiscover DFT
      • Password recovery tool: @stake
      • Toolkits: NTI-Tools, DataLifter, R-Tools
      • Internet History Viewer
      • ASRData
      • Ftimes
      • Oxygen phone manager
  • 54. Data Recovery ToolsThese tools may be used to recover information from many sources including PDAs, cameras, and disk drives.e.gDevice SeizureByteBack 56
  • 55. Permanent Deletion of Files Drive wiping is a crucial component of all digital forensic examinations: the media that will receive an image or recovered files must be wiped first, and any drive that has not been thoroughly wiped has to be considered suspect, since data left over from earlier use could be mistaken for evidence. The following tools aid in this goal. E.g. PDWipe, R-Wipe, Darik's Boot and Nuke (DBAN)
  • 56. File Integrity Checker These tools help prove that a file copied into evidence has not been altered subsequently. They make a quick and reliable diagnosis of a system image possible for the purpose of determining whether any changes have occurred: the hash recorded at acquisition is recomputed and compared. E.g. Filemon (a Sysinternals file-activity monitor rather than a hashing tool), Hash Keeper
  • 57. Disk Imaging Tools These tools create a bit-for-bit image copy of a drive or other media; the hash of the source and of the image are recorded and compared so the copy can be shown to be exact. E.g. SnapBack DatArrest, SafeBack 3.0, EnCase, FTK, ProDiscover
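The wipe, integrity and imaging steps of slides 55 to 57 as one added example written for this page (it is not code from any of the products listed): sterilise the target medium, confirm it really is sterile, image the source bit for bit while hashing it, then re-hash the image and compare. Ordinary files stand in for block devices and the sample contents are constructed; on a real acquisition the paths would be the device nodes, the source would sit behind a write blocker, and the script would need the privileges to read raw devices.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read/write unit


def hash_bytes_of(path, length):
    """MD5 and SHA-256 over the first `length` bytes of a file or device."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        remaining = length
        while remaining > 0:
            chunk = f.read(min(CHUNK, remaining))
            if not chunk:
                break
            md5.update(chunk)
            sha.update(chunk)
            remaining -= len(chunk)
    return md5.hexdigest(), sha.hexdigest()


def is_sterile(path, length, fill=b"\x00"):
    """True if the first `length` bytes are all the fill byte, i.e. nothing is
    left from earlier use that could later be mistaken for evidence."""
    with open(path, "rb") as f:
        remaining = length
        while remaining > 0:
            chunk = f.read(min(CHUNK, remaining))
            if not chunk or chunk != fill * len(chunk):
                return False
            remaining -= len(chunk)
    return True


def wipe(path, length, fill=b"\x00"):
    """Single-pass overwrite of the first `length` bytes, flushed to the medium."""
    with open(path, "r+b" if os.path.exists(path) else "wb") as f:
        written = 0
        while written < length:
            n = min(CHUNK, length - written)
            f.write(fill * n)
            written += n
        f.flush()
        os.fsync(f.fileno())


def image(source, target):
    """Bit-for-bit copy of source onto target, hashing the source as it is read.
    Returns (bytes copied, md5, sha256) of what was read."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(target, "r+b") as dst:
        while True:
            chunk = src.read(CHUNK)
            if not chunk:
                break
            md5.update(chunk)
            sha.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    return copied, md5.hexdigest(), sha.hexdigest()


def acquire(source, target):
    """Sterilise target, verify it, image source onto it, re-hash the image and
    compare. The returned record is what goes into the acquisition notes."""
    size = os.path.getsize(source)
    exists = os.path.exists(target)
    remnant = exists and not is_sterile(target, os.path.getsize(target))
    wipe_len = max(size, os.path.getsize(target)) if exists else size
    wipe(target, wipe_len)
    sterile = is_sterile(target, wipe_len)
    copied, src_md5, src_sha = image(source, target)
    img_md5, img_sha = hash_bytes_of(target, copied)
    return {
        "size": copied,
        "remnant_data_before_wipe": remnant,
        "sterile_before_image": sterile,
        "source_md5": src_md5, "source_sha256": src_sha,
        "image_md5": img_md5, "image_sha256": img_sha,
        "verified": copied == size and src_sha == img_sha and src_md5 == img_md5,
    }


def demo():
    """Constructed run: a 1 MiB 'suspect drive' and a target that still holds
    data from an earlier case."""
    with tempfile.TemporaryDirectory() as d:
        suspect = os.path.join(d, "suspect.dd")
        target = os.path.join(d, "evidence.dd")
        with open(suspect, "wb") as f:
            f.write(b"\xeb\x3c\x90MSDOS5.0" + bytes(range(256)) * 4096)
        with open(target, "wb") as f:
            f.write(b"OLD CASE DATA " * 100000)
        return acquire(suspect, target)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two checks a practitioner wants are explicit here: the target is read back after wiping rather than trusted, and the image hash is computed from the written medium, not from the buffer that was written, so a write error would show up as a mismatch.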
  • 58. Partition Managers Help to create partitions on a drive. E.g. Partimage, Magic Partition
  • 59. E-mail Recovery Tools This product provides forensic analysis, advanced searching, and conversion and export of e-mail. E.g. E-mail Examiner can examine over 16 e-mail formats, including AOL 9.0, PST files and more than 14 others; Paraben suite
  • 60. Password Recovery Tools A dictionary password cracker hashes every word in a dictionary file and compares each result with the password hash; if a match is found, the password is that dictionary word. The following tools may be used to find poorly chosen passwords. E.g. @stake, Decryption Collection Enterprise, AIM Password Decoder, MS Access Database Password Decoder, Paraben suite, Elcomsoft suite. Also discussed: GPU-accelerated crackers such as Hashcat and IGHASHGPU.
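The dictionary attack described above, as an added example written for this page (not code from any of the listed products). It hashes each wordlist entry and a few common mangling variants once, and looks the digest up in the set of targets, so one pass over the wordlist serves every hash of the same algorithm. The wordlist and the target digests are constructed for the demo (the digests are derived from known plaintexts so the run is checkable; in a real case they come from the hash dump). Salted or iterated formats (PBKDF2, bcrypt) need the salt per target and cost far more per guess; GPU crackers parallelise exactly this inner loop.

```python
import hashlib


def mangle(word):
    """Cheap rule set: the variants people actually use to 'strengthen' a word."""
    word = word.strip()
    if not word:
        return
    seen = set()
    for cand in (word, word.lower(), word.capitalize(), word.upper(), word[::-1],
                 *(word + s for s in ("1", "12", "123", "!", "2023", "2024")),
                 *(word.capitalize() + s for s in ("1", "123", "!"))):
        if cand not in seen:
            seen.add(cand)
            yield cand


def crack(targets, algo, wordlist, salt=b""):
    """targets: hex digests all produced with `algo` (and, optionally, a shared
    prefix salt). Returns {digest: plaintext} for every target recovered."""
    wanted = {t.lower() for t in targets}
    found = {}
    for word in wordlist:
        for cand in mangle(word):
            digest = hashlib.new(algo, salt + cand.encode()).hexdigest()
            if digest in wanted:
                found[digest] = cand
                wanted.discard(digest)
                if not wanted:
                    return found
    return found


# Constructed wordlist and plaintexts for the demo.
WORDLIST = ["dragon", "forensics", "Password", "letmein", "summer", "qwerty"]
PLAINTEXTS = {"md5": ["Summer123", "letmein!"], "sha1": ["FORENSICS"], "sha256": ["dragon2024"]}


def demo():
    """Crack each algorithm's targets; one extra digest per algorithm is a
    passphrase the wordlist cannot reach and must stay uncracked."""
    results = {}
    for algo, pws in PLAINTEXTS.items():
        targets = [hashlib.new(algo, p.encode()).hexdigest() for p in pws]
        targets.append(hashlib.new(algo, b"correct horse battery staple").hexdigest())
        found = crack(targets, algo, WORDLIST)
        results[algo] = sorted(found.values())
    return results


if __name__ == "__main__":
    print(demo())
```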
  • 61. NetAnalysis This product allows the analysis of a Web browser's history data. It is commonly used by law enforcement in child pornography cases. The forensic examination and analysis of user activity on the Internet can be the pivotal evidence in a case. E.g. Cookie viewer
  • 62. Adobe Reader These tools remove the password protection from PDF files so that they can be edited. E.g. Nitro, Elcomsoft suite, Paraben suite
  • 63. Stealth Suite Users without a forensic background can use the Stealth Suite to assess activity on a computer hard disk. These tools can help identify whether a targeted computer system was used to access inappropriate information.
  • 64. Computer Incident Response Suite This suite of tools is often used in corporate and government investigations and security risk reviews. They are optimized for MS-DOS, which is the lowest-cost forensic platform for MS-DOS and Windows processing. Many of the tools also have Windows versions. E.g. Helix, CAINE (both bootable Linux live-CD distributions)
  • 65. Oxygen Phone Manager Oxygen Phone Manager II for Nokia phones provides a simple and convenient way to control mobile phones from a PC.
  • 66. SIM Card Seizure SIM Card Seizure can be used to recover deleted Short Message Service (SMS) messages and perform comprehensive analysis of SIM card data.
  • 67. Steganography Steganography is defined as "the art and science of hiding information by embedding messages within other, seemingly harmless messages". Steganography involves placing a hidden message in some transport medium. The term derives from two Greek words, steganos (covered, concealed) and graphein (writing). Tools: Snow, Fort Knox, BlindSide, ImageHide. Digital watermarks are imperceptible or barely perceptible transformations of digital data; often the digital data set is a digital multimedia object.
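The image-hiding technique behind tools such as ImageHide is least-significant-bit (LSB) embedding. The following is an added example written for this page, not code from any of the tools named: the message, with a 4-byte length prefix, is written one bit at a time into the lowest bit of successive samples, so no sample changes by more than 1. The cover is a constructed 64x64 8-bit greyscale gradient held as raw bytes (no image library is needed), and the message is made up.

```python
import struct


def _bits(data):
    """Most-significant-bit-first bit stream of a byte string."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover, message):
    """Write a 4-byte length prefix plus the message into the least significant
    bit of successive cover samples (one bit per sample)."""
    payload = struct.pack(">I", len(message)) + message
    if len(payload) * 8 > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8 - 4} bytes, message is {len(message)}")
    out = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def _read_bytes(stego, start_sample, count):
    """Rebuild `count` bytes from the LSBs of samples starting at start_sample."""
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[start_sample + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def extract(stego):
    """Inverse of embed: read the length prefix, then that many bytes."""
    length = struct.unpack(">I", _read_bytes(stego, 0, 4))[0]
    if (4 + length) * 8 > len(stego):
        raise ValueError("length prefix exceeds cover size: not an LSB payload of this layout")
    return _read_bytes(stego, 32, length)


def max_sample_change(cover, stego):
    """Largest per-sample difference; 1 for LSB embedding, i.e. imperceptible."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: a 64x64 8-bit greyscale gradient, stored as raw samples.
COVER = bytes((x + y) & 0xFF for y in range(64) for x in range(64))
MESSAGE = b"meet at the usual place, 21:00"

if __name__ == "__main__":
    stego = embed(COVER, MESSAGE)
    print(extract(stego), max_sample_change(COVER, stego))
```

Because only the lowest bit of each sample moves, the hidden data survives lossless formats (PNG, BMP) but not lossy recompression; from the examiner's side, a payload laid out like this is found by reading the LSB plane of a suspect image, which is what the steganalysis step of an investigation does.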
  • 68. Recovering deleted files
    Acronis Recovery Expert: protects data by recovering hard disk partitions that were damaged or lost for any reason. It supports disks with a capacity greater than 180 GB. Its unique feature is working independently from bootable CDs or diskettes, recovering partitions even if the operating system fails to boot.
    Active@ UNERASER - DATA Recovery: a compact and powerful undelete utility that can recover deleted files and folders on FAT12, FAT16, FAT32 and NTFS systems. It can even restore files from deleted and reformatted partitions. It does not need to be installed on the system's hard drive, as it fits on a boot floppy disk, removing the possibility of overwriting the data you want to recover.
    R-Linux: recovers files from existing logical disks even when file records are lost. R-Linux is a file recovery utility for the Ext2FS file system used in Linux and several Unix versions. It uses IntelligentScan technology and flexible parameter settings that make recovery faster.
    FileSaver: an undelete application that works by searching for bits of data that can be recovered and pieced together to form the original file. It restores as many files from as many drives as possible.
    File Scavenger: can recover files that have been accidentally deleted, including files removed from the Recycle Bin, a DOS shell, a network drive or Windows Explorer. It supports basic and dynamic disks, NTFS compression and Unicode filenames.
    Restorer 2000: supports Windows 95/98/ME/NT/2000/XP. It allows the investigator to undelete, unerase and unformat files and to restore and recover data from NTFS and FAT partitions.
    O&O Unerase: recovers deleted files with the help of an algorithm that enables more files to be recovered at a time. It can also recover important documents such as digital photographs, exe program files etc.
    Zero Assumption Digital Image Recovery: a free data recovery tool that works with digital images. Photographs deleted from a digital camera can be retrieved using this tool. It supports media such as CompactFlash, MemoryStick, SmartMedia etc. that can be accessed through an operating system.
    Search and Recover: allows the investigator to quickly recover deleted or destroyed files, folders, songs, pictures, videos, programs, critical system components, web pages, and e-mail messages in Microsoft Outlook and Outlook Express, Netscape and Eudora.
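Several of the tools above, FileSaver in particular ("searching for bits of data that can be recovered and pieced together"), work by signature carving: scanning the raw bytes of a disk image for known file headers and footers with no help from file system metadata, which is why they recover files from reformatted partitions. The following is an added example written for this page, not code from any of the listed products. The "disk image" is constructed inline: 40 zeroed sectors holding a PNG, a JPEG and a PDF, plus a JPEG whose tail was overwritten so only its header survives.

```python
# Header/footer signatures for the file types carved here.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_FILE = 64 * 1024 * 1024  # give up on a header whose footer is not within 64 MiB


def carve(image, signatures=SIGNATURES, max_file=MAX_FILE):
    """Signature-based carving over raw bytes. For each header, the nearest
    following footer closes the file; a header with no footer in range is
    reported as unrecoverable. Limits: contiguous files only, and a footer
    inside an embedded object (e.g. a JPEG thumbnail) ends the carve early."""
    hits = []
    for kind, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_file)
            if end == -1:                       # orphaned header: truncated/overwritten
                hits.append({"type": kind, "offset": pos, "size": None, "data": None})
                pos = image.find(header, pos + len(header))
                continue
            end += len(footer)
            hits.append({"type": kind, "offset": pos, "size": end - pos, "data": image[pos:end]})
            pos = image.find(header, end)
    hits.sort(key=lambda h: h["offset"])
    return hits


# Constructed "disk image": 40 sectors of zeros with three intact files and one
# JPEG whose tail was overwritten, so only its header remains.
SECTOR = 512
PNG_FILE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24 + b"IEND\xaeB`\x82"
JPG_FILE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
PDF_FILE = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF"
TRUNCATED_JPG = b"\xff\xd8\xff\xe1\x00\x20Exif\x00\x00" + b"\x22" * 16


def build_sample_image():
    buf = bytearray(SECTOR * 40)
    for sector, data in ((3, PNG_FILE), (10, JPG_FILE), (20, PDF_FILE), (30, TRUNCATED_JPG)):
        buf[sector * SECTOR:sector * SECTOR + len(data)] = data
    return bytes(buf)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    for h in carve(SAMPLE_IMAGE):
        status = "unrecoverable (no footer)" if h["size"] is None else f"{h['size']} bytes"
        print(f"{h['type']} at sector {h['offset'] // SECTOR}: {status}")
```

Carved output should always be validated (open the file, check its internal structure) and hashed before it is relied on, since a carver cannot tell a real file from bytes that merely look like one, and fragmented files come out as garbage after the first fragment.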
  • 69. Overview of forensic hardware
    NoWrite: prevents data from being written to the hard disk. It supports high-capacity hard disk drives and is compatible with all kinds of IDE devices, including USB or FireWire boxes, adapters and cables. It supports communication between common IDE interfaces.
    FireWire DriveDock: a forensic instrument designed to load hard drives on computer systems. It comprises a 3.5-inch hard drive used together with a single device to give complete FireWire desktop storage. It is a compact device of about 4 cubic inches that controls everything in a 3.5-inch hard drive.
    LockDown: LockDown by Paraben is an advanced FireWire or USB to IDE write-blocker that combines speed and portability to allow IDE media to be acquired quickly and safely on Windows-based systems.
    Write Protect Card Reader: transfers data to a computer system from digital cameras, digital camcorders, PDAs, MP3 players and digital voice recorders. It can read multiple types of flash memory while blocking any writes to it. It is a small palm-size package with a simple USB 2.0/1.1 connection and requires no external power.
    DriveLock IDE: the DriveLock IDE Hard Drive Write Protection device is designed to completely prevent write commands from being accidentally sent to hard disk drives connected through the IDE or PATA interfaces. With the SATA option it also blocks writes to Serial ATA hard drives. It blocks write commands sent to the hard drive while it is previewed or duplicated.
    Serial-ATA DriveLock Kit: a hardware write-protect device designed to prevent data writes to SATA, IDE and PATA hard disk drives. The tool is connected to a computer's PATA interface in order to block write commands sent to the hard drive while it is previewed or duplicated.
    Wipe MASSter: a commercial drive wiper.
    ImageMASSter Solo-3 IT: designed exclusively for forensic data acquisition, the ImageMASSter Solo-III Forensics data imaging tool is a lightweight, portable hand-held device that can acquire data to one or two evidence drives at high speed, exceeding 3 GB/min.
  • 70. WHAT'S NEXT? A forensic investigation can be conducted on any device that stores electronic data, such as a computer hard drive, smart card or Palm Pilot. Internal auditors can use computer evidence in a variety of crimes where incriminating documents can be found, including cases involving financial fraud, embezzlement or data theft. A key point to remember during any forensic examination is that protection of the evidence is critical. Furthermore, the results of a forensic examination can be rewarding: collecting evidence allows organizations to respond to problems immediately and authoritatively and to maintain the company's professional image. Auditors who wish to learn more about computer forensics can visit the Computer Forensics, Cyber Crime, and Steganography Resources Web site, www.forensics.nl/. Besides finding information on computer forensics, auditors can search online for free forensic tools. A couple of good Web sites include:
    http://users.erols.com/gmgarner/forensics/: freeware forensic tools for Microsoft Windows platforms.
    http://ftimes.sourceforge.net/FTimes/index.shtml: the FTimes system base-lining and evidence collection tool.
    www.securityfocus.com/tools/525: the Security Focus page linking to AFind, a tool that lists a file's last access time without changing it.
    www.weirdkid.com/products/emailchemy/: Emailchemy, a mail-format viewer program.
    http://ircr.tripod.com/: a Windows forensic tool that enables users to create an incident response collection report.
  • 71. Live Forensics: Selected Web Sites
    www.invisiblethings.org
    http://www.vidstrom.net/
    http://www.usenix.org/events/sec05/tech/full_papers/chow/chow.pdf (14th USENIX Security)
    http://www.security-assessment.com/Presentations/Auscert_2006_-_Defeating_Live_Windows_Forensics_DB_v1.8.ppt
    http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf
    http://forensic.seccure.net/
    http://www.knoppix.net
    http://www.gcn.com/print/25_22/41502-1.html ("Special Report: 'Live' forensics is the future for law enforcement")
    http://news.com.com/2100-7349_3-5092781.html ("U.K. teen acquitted with Trojan defense", Oct. 17, 2003)
    http://www.newsmax.com/archives/articles/2003/8/12/204345.shtml ("The Trojan Horse Defense in Child Pornography", Aug. 13, 2003)
  • 72. Tools! Tools! Tools!
    http://www.forensicswiki.org/wiki/Tools
    http://www.mccrackenassociates.com/links/sectools.htm
    http://www.sourceforge.net/projects/windowsir/files/
    http://www.cftt.nist.gov/
    http://www.ntsecurity.nu/toolbox/promiscdetect/
    http://www.mandiant.com/products/free_software
  • 73. PRACTICAL DEMOS
