CNIT 152: Incident Response
11 Analysis Methodology
Updated 10-19-22

Process

Define Objectives

Background
• You must have a commanding knowledge of both the situation and the technology, understanding:
  • What are you looking to determine?
  • Is it possible to form a conclusion from the facts you have?
  • How long will it take?

Background
• What resources will you need?
• Who is interested in your results?
• What do they plan to do with them?

Leadership
• Identify who will define the objectives
• Ensure that the entire investigative team knows who that person is
• This prevents miscommunication and loss of focus

Proving a Negative
• Don't attempt to "prove" that a server was not compromised
• That task is difficult or impossible
  • Because you won't have enough information
  • Audit trails don't cover every action
  • Logs don't go back to the start of time

Positive Goals
• Look for a set of indicators of compromise
• State if you can find any
• If indicators are reasonable,
  • You can state an opinion that the system was likely not compromised
  • But you don't know for sure

Realistic Questions
• Is malware present on this computer?
  • Not realistic to determine for sure
• Is there an active file with this specific MD5 hash on this computer?
  • Realistic, easy to answer

Scope
• Too vague:
  • Look at this hard drive
  • Look at all e-mail
• Better:
  • Review all active .pst files for any email Bob Smith received within the last month

Why?
• Always ask "Why?"
• Keep asking questions until the stakeholders come to a consensus about the scope and purpose of the analysis
• Analyst may need to define the objectives because the company representatives don't understand what is possible or reasonable
Know Your Data

Where is Data Stored?
• Desktop and laptop computers
  • Hard drives
  • External storage
  • Virtual desktops--no local storage, everything on centralized virtualization infrastructure

Where is Data Stored?
• Servers
  • Data centers, server rooms, or communication closets
  • Often rack-mounted
  • At least one hard drive for the operating system
  • May contain additional drives, or use external storage solutions exclusively, especially for virtual servers

Where is Data Stored?
• Mobile devices
  • Phones, personal digital assistants (PDAs), tablets, wearable computers
  • Small amount of nonvolatile storage
  • Flash memory
  • Expansion slots and ports for external storage devices

Where is Data Stored?
• Storage solutions and media
  • USB flash drives and hard drives
  • CDs and DVDs
  • Network Attached Storage (NAS)
  • Storage Area Network (SAN)

Where is Data Stored?
• Network devices
  • Firewalls, switches, routers
  • Typically don't store user data
  • Contain configuration and logging data

Where is Data Stored?
• Cloud services
  • Off-site third-party service hosting data
  • Hosted email, timesheets, payroll, human resources
  • Dropbox, Google Drive, etc.

Where is Data Stored?
• Backups
  • Can be stored on local devices
  • Disaster recovery plan requires off-site backups
  • Most commonly on tape, but could be on USB drives or DVDs
  • Cloud-based, like Carbonite or Mozy

What's Available?
• Four types of evidence
  • Operating system
  • Applications
  • User data
  • Network services and instrumentation

Operating System
• File systems like NTFS and HFS+
• State information such as running processes and open network ports
• OS logs
• OS-specific data sources, like the Windows registry, Unix syslog, and Apple plist files

File Systems
• Can be independent of operating systems
• General concepts:
  • Allocation units
  • Active files, deleted files
  • Timestamps
  • Unallocated (free) space, file slack
  • Partition tables

File Systems
• Unique characteristics, data, and artifacts
  • NTFS filename timestamps (link Ch 11i)
  • NTFS data streams
  • UFS inodes
  • HFS resource forks
  • File Allocation Table for FAT12, 16, and 32

Brian Carrier's Book
• From 2005
• Authoritative
• Very detailed
• Link Ch 11b

Application-Specific Artifacts
• Internet browser cache
• Database files
• Web server logs
• Chat program user preferences and logs
• Email client data files
• Often left behind when applications are uninstalled

User Data
• Email, documents, spreadsheets, source code
• May be on their day-to-day system
• Or other systems throughout the environment
• May be in centralized locations for each user

Network Services and Instrumentation
• DHCP, DNS, proxy servers
• Network flow data
• IDS/IPS systems
• Firewalls
Access Your Data

Raw Data
• May be
  • Encrypted, compressed, or encoded
  • In a custom format
  • Provided on original hard drives
  • Contained in hard drive images
  • Broken

Ask Questions
• Determine what you have
• If someone else provides the data,
  • You must ask good questions
  • You may have trouble using the data you receive

Disk Images
• May be encrypted
• Could be a logical copy, forensic image, or clone
• Could be from a RAID
• Three common formats:
  • Expert Witness (E01)
  • Raw (DD)
  • Virtual machine disk files (VMDK, OVF)

Converting Disk Formats
• EnCase can handle all three common formats directly
• AccessData's FTK Imager can create, convert, and view disk images for many formats
• In Linux, you can mount DD images with Filesystem in Userspace (FUSE) and mount E01 images with libewf

Data Encoding
• All three are "the password is solvecrime" in
  • Base64
  • UU encoding (link Ch 11k)
  • MD5 hash
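
The point of the slide is that a literal keyword search misses the phrase once it is encoded. As an added example (not from the slides or the course), the Python below searches a blob for the phrase in its plain, Base64, uuencoded and MD5 forms; the Base64 token width and the single-line uu body are assumptions.

```python
import base64
import binascii
import hashlib
import re

KEYWORD = "the password is solvecrime"   # the phrase used on the slide

def encodings_of(text: str) -> dict:
    """The three representations from the slide, plus the plain text."""
    raw = text.encode()
    return {
        "plain": raw,
        "base64": base64.b64encode(raw),
        "uu": binascii.b2a_uu(raw).rstrip(b"\n"),     # one uuencoded body line
        "md5": hashlib.md5(raw).hexdigest().encode(),
    }

def candidates(blob: bytes):
    """Yield (label, bytes) for the blob itself and every decoding that succeeds."""
    yield "plain", blob
    # Base64: any run of alphabet characters long enough to be interesting (assumed >= 8)
    for tok in re.findall(rb"[A-Za-z0-9+/]{8,}={0,2}", blob):
        try:
            yield "base64", base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            pass
    # UU: decode line by line; lines that are not uuencoded raise and are skipped
    for line in blob.splitlines():
        try:
            yield "uu", binascii.a2b_uu(line)
        except (binascii.Error, ValueError):
            pass

def search(blob: bytes, keyword: str = KEYWORD) -> set:
    """Names of every form (plain, base64, uu, md5) in which keyword occurs in blob."""
    kw = keyword.encode()
    hits = {label for label, data in candidates(blob) if kw in data}
    # A hash cannot be decoded, so compare the blob against the digest of the keyword
    if hashlib.md5(kw).hexdigest().encode() in blob.lower():
        hits.add("md5")
    return hits

if __name__ == "__main__":
    for label, form in encodings_of(KEYWORD).items():
        print(f"{label:6} {form.decode()!r:45} -> {search(form)}")
```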

Broken Lines
• This file contains credit card numbers
• But a simple text search won't find them because the lines are broken by the hexadecimal values
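
Added example, not from the slides: the constructed records below are rendered as a hex dump, where a 16-digit card number straddles two dump lines, so searching the dump text fails. Reassembling the hex column into bytes first makes the number findable, and a Luhn check discards random digit runs; the dump layout is whatever hexdump() here produces.

```python
import re

# Constructed customer records, not real data; rendered as a hex dump below,
# which is assumed to be the form in which the file was handed over.
SAMPLE = (b"cust: Bob Smith card=4111111111111111 exp 12/26\n"
          b"cust: Ann Lee   card=1234567890123456 exp 01/25\n")

def hexdump(data: bytes, width: int = 16) -> str:
    """Offset / hex / ASCII lines, 16 bytes each, as a hex editor would show them."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}}|{asc}|")
    return "\n".join(lines)

def undump(text: str, width: int = 16) -> bytes:
    """Rebuild the original bytes from the hex column, ignoring offsets and ASCII."""
    out = bytearray()
    for line in text.splitlines():
        hexpart = line[10:10 + width * 3]        # column layout from hexdump()
        out.extend(int(h, 16) for h in hexpart.split())
    return bytes(out)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which real card numbers satisfy; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

CARD_RE = re.compile(rb"(?<!\d)\d{13,16}(?!\d)")

def find_cards(data: bytes) -> list:
    """Candidate card numbers in data that also pass the Luhn check."""
    return [m.group().decode() for m in CARD_RE.finditer(data)
            if luhn_ok(m.group().decode())]

if __name__ == "__main__":
    dump = hexdump(SAMPLE)
    print(dump)
    print("naive search:", "4111111111111111" in dump)        # False
    print("after reassembly:", find_cards(undump(dump)))      # ['4111111111111111']
```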

Lindell's "PCAPs"
• https://twitter.com/pwnallthethings/status/1400818279292284931

Localizations
• Different conventions for
  • Times, dates, numbers, characters, etc.
• Many different formats for dates even at the same location

Analyze Your Data

Example: Data Theft
• Start with these types of evidence
  • Network anomalies
  • Common host-based artifacts of data theft

Network Anomalies
• Network flow data
  • High outbound volume of data on a single day
  • Unusual level of traffic over certain protocols or ports
• Proxy logs, DNS logs, firewall logs
  • Look for anything suspicious, such as failed login attempts
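
Added example, not course material: constructed flow records for one host over a week, with each day's outbound total checked against a median/MAD threshold (so the big day cannot inflate its own baseline) and the flagged day's destination ports compared with the rest of the week. The record layout, the documentation-range addresses and the 3-MAD threshold are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed flow records for one workstation: (day, dst_ip, dst_port, bytes_out).
# Addresses are from the 203.0.113.0/24 documentation range, not real hosts.
FLOWS = [
    ("2022-10-10", "203.0.113.10", 443, 1_500_000), ("2022-10-10", "203.0.113.53", 53, 20_000),
    ("2022-10-11", "203.0.113.10", 443, 1_700_000), ("2022-10-11", "203.0.113.53", 53, 15_000),
    ("2022-10-12", "203.0.113.10", 443, 1_400_000), ("2022-10-12", "203.0.113.53", 53, 25_000),
    ("2022-10-13", "203.0.113.10", 443, 1_600_000), ("2022-10-13", "203.0.113.53", 53, 18_000),
    ("2022-10-13", "203.0.113.77", 22, 61_000_000),    # the one large transfer
    ("2022-10-14", "203.0.113.10", 443, 1_550_000), ("2022-10-14", "203.0.113.53", 53, 22_000),
    ("2022-10-15", "203.0.113.10", 443, 1_650_000), ("2022-10-15", "203.0.113.53", 53, 17_000),
    ("2022-10-16", "203.0.113.10", 443, 1_480_000), ("2022-10-16", "203.0.113.53", 53, 19_000),
]

def daily_outbound(flows) -> dict:
    """Total outbound bytes per day."""
    totals = defaultdict(int)
    for day, _dst, _port, nbytes in flows:
        totals[day] += nbytes
    return dict(totals)

def outlier_days(totals: dict, k: float = 3.0) -> list:
    """Days whose outbound volume is far above the typical day.
    Median and MAD are used instead of mean/stdev so that one huge day does not
    drag the baseline up and hide itself. If MAD is 0 (all other days identical)
    the threshold collapses to the median and anything above it is flagged."""
    values = list(totals.values())
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    threshold = med + k * 1.4826 * mad       # 1.4826 scales MAD to a stdev equivalent
    return sorted(d for d, v in totals.items() if v > threshold)

def port_share(flows, day: str) -> dict:
    """Fraction of that day's outbound bytes per destination port."""
    by_port = defaultdict(int)
    for d, _dst, port, nbytes in flows:
        if d == day:
            by_port[port] += nbytes
    total = sum(by_port.values())
    return {p: n / total for p, n in by_port.items()}

def new_ports(flows, day: str) -> set:
    """Destination ports used on that day that never appear on any other day."""
    on_day = {port for d, _dst, port, _n in flows if d == day}
    other = {port for d, _dst, port, _n in flows if d != day}
    return on_day - other

if __name__ == "__main__":
    totals = daily_outbound(FLOWS)
    for day in outlier_days(totals):
        print(day, totals[day], "bytes out; ports:", port_share(FLOWS, day),
              "new ports:", new_ports(FLOWS, day))
```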

Host-Based Artifacts of Data Theft

Look for Malware

Legitimate Tools
• LOLBINs: "Living off the land"
• cmd.exe in a folder other than Windows\System32 is suspicious
• Many compromises use normal system tools, not malware
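
Added example (not from the slides): a path check over a constructed process listing that flags cmd.exe and a few other built-ins when they run from anywhere other than the Windows system directories, normalizing ".." and mixed slashes first. The watchlist beyond cmd.exe, the SysWOW64 allowance and the C: drive are assumptions; a watched binary in the right place can of course still be misused, which is why the slide says to look at the tools, not only at malware.

```python
import ntpath

# Assumption: 64-bit Windows on C:, so both the System32 and the SysWOW64 copies
# of a system binary are legitimate locations; anything else is reported.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Binaries whose location is worth checking; cmd.exe is the slide's example, the
# others are commonly abused built-ins (an assumed watchlist you would extend).
WATCHED = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed process listing: (pid, image path). Not from a real host.
PROCESSES = [
    (412,  r"C:\Windows\System32\cmd.exe"),
    (1288, r"C:\Users\bob\AppData\Local\Temp\cmd.exe"),
    (1301, r"C:\Windows\SysWOW64\cmd.exe"),
    (1422, r"C:\Windows\System32\..\Temp\cmd.exe"),     # looks like System32, is not
    (1500, r"C:\Program Files\Git\cmd\git.exe"),         # not a watched name
    (1610, r"c:/windows/system32/rundll32.exe"),         # forward slashes, odd case
]

def normalize(path: str) -> str:
    """Collapse '..' and mixed slashes the way Windows would, then lower-case."""
    return ntpath.normpath(path).lower()

def check_process(pid: int, path: str):
    """(pid, normalized path, reason) if a watched binary runs outside the system
    directories, else None."""
    norm = normalize(path)
    directory, name = ntpath.split(norm)
    if name not in WATCHED or directory in SYSTEM_DIRS:
        return None
    return (pid, norm, f"{name} running from {directory}")

def suspicious(processes) -> list:
    """All processes in the listing that fail check_process()."""
    return [hit for pid, path in processes if (hit := check_process(pid, path))]

if __name__ == "__main__":
    for pid, path, reason in suspicious(PROCESSES):
        print(pid, path, "->", reason)
```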

Plan Tasks
• Example: search for abnormal user login times
• Do you already have a way to automate that process?
• You may need to develop a technique, or perform steps manually
• Consider the volume of data, time required to process, who is available to work on it, and how likely the data source is to answer your question

Select Methods
• General methods

External Resources
• Contains MD5 and SHA1 hashes of known files
• Exclude known harmless files from analysis

VirusTotal
• The standard to test suspicious files
• Links to many virus databases
• Can work with files or hashes

VirusTotal Demo
• 1bb93d8cc7440ca2ccc10672347626fa9c3f227f46ca9d1903dd360d9264cb47
• Behavior, Microsoft Sysinternals, svchost in strange folder, Run keys
• https://blog.virustotal.com/2021/10/virustotal-multisandbox-microsoft.html

VirusTotal Demo
• 1247bb4e1d0aa5aec6fadccaac6e898980ac33b16b69a4aa48fc6e2fb570141d
• Behavior, Microsoft Sysinternals, Files Dropped, Email
• https://blog.virustotal.com/2021/10/virustotal-multisandbox-microsoft.html

Manual Review
• Small items such as floppy disks can be searched in their entirety manually
• Sometimes it's faster to just search manually than to figure out a shortcut
• Manual review is also good to validate the results obtained from other methods
  • Select important samples to review

Don't Trust Tools Too Much
• There are many tools that help forensics
  • Data visualization
  • Browser artifact analysis
  • Malware identification
  • File system metadata reporting
• ALWAYS VERIFY IMPORTANT FINDINGS
  • Manually, or with a second tool
  • Every tool has bugs

Data Minimization: Sorting & Filtering
• File system metadata may have hundreds or thousands of files
• Need to exclude irrelevant data & focus on the important data
• Sort and filter by
  • Date, filename, other attributes

Statistical Analysis
• You don't know exactly what you are looking for
  • Or how to find it
• Use statistical analysis to uncover patterns or anomalies
• Ex: Web server logs
  • Use a log analysis tool to parse data

Sawmill
• Link Ch 11a

String or Keyword Search
• Create a list of strings relevant to the case
• Search the files for those strings
  • Emails, Word documents, etc.
• Find more strings in those files and repeat
• You're done when you aren't finding any new strings to search for

Unallocated and Slack Space
• Unallocated blocks often contain portions of deleted files
• Unused bytes at the end of active files may also contain fragments of old files
• They can both be searched by forensic suites like EnCase, FTK, and Autopsy

File Carving
• Look for file headers and footers in unallocated space
  • Or other raw data, such as a drive image
• Attempt to reconstruct files
  • Usually by just taking all data from the header to the footer
• Foremost is a good file-carving tool
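
Added example, not Foremost's code: a header-to-footer carver of the kind the slide describes, run over a constructed buffer containing a fake JPEG, a fake PNG and a truncated JPEG header (no footer, so it is skipped rather than swallowing the rest of the buffer). The signature table and the size limit are assumptions; like any header/footer carver it will cut a JPEG short at an embedded thumbnail's own end marker.

```python
# Header/footer pairs, in the spirit of Foremost's configuration entries:
# JPEG SOI marker .. EOI marker; PNG signature .. IEND chunk with its fixed CRC.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_SIZE = 10 * 1024 * 1024   # assumed limit: give up on a header with no footer this close

def carve(image: bytes, max_size: int = MAX_SIZE) -> list:
    """Find every header, take everything up to the next footer of the same type,
    and return (type, offset, data) triples sorted by offset. A header without a
    footer within max_size is skipped, as a truncated file in free space would be."""
    found = []
    for ftype, (head, foot) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) != -1:
            end = image.find(foot, start + len(head), start + max_size)
            if end == -1:
                pos = start + 1            # no footer: move past this header
                continue
            end += len(foot)
            found.append((ftype, start, image[start:end]))
            pos = end                      # resume after the carved file
    return sorted(found, key=lambda f: f[1])

# Constructed "unallocated space": zeroed blocks and leftover text with two fake
# files and one truncated header embedded. The payloads are filler bytes between
# the markers, not valid images.
FAKE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"J" * 200 + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"P" * 120 + b"IEND\xaeB`\x82"
TRUNCATED_JPG = b"\xff\xd8\xff\xe0" + b"T" * 40       # header that never reaches a footer
FREE = b"\x00" * 512 + b"deleted notes " * 40

def build_sample_image() -> bytes:
    return FREE + FAKE_JPG + FREE + FAKE_PNG + FREE + TRUNCATED_JPG

if __name__ == "__main__":
    for ftype, offset, data in carve(build_sample_image()):
        print(f"{ftype} at offset {offset}: {len(data)} bytes")
```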

Evaluate Results

When to Evaluate Results
• Periodically throughout the analysis process
  • Are you making real progress, or wasting time on a blind alley?
• At the end
  • How well has your analysis answered the investigative questions?
Ch 11
