Forensic Methods and Labs


Forensic Methodologies

Handle Original Data as Little as Possible

  • first, make a copy of the storage device
    • make a bit-level copy
    • 2 copies, 1 to work with and a backup
  • tools:
    • EnCase
    • Forensic Toolkit
    • OSForensics
    • basic Linux commands
  • stems from Locard’s principle of transference
    • you cannot interact with an environment without leaving some trace

Comply With The Rules of Evidence

Rules of evidence govern whether, when, how, and why proof of a legal case can be placed before a judge or jury.

The Federal Rules of Evidence (FRE) govern the admission of facts by which parties in the US Federal court system may prove their cases.

  • provides guidelines for authentication and identification of evidence for admissibility under:
    • Rule 901
    • Rule 902
  • Rule 703 discusses the bases of an expert opinion
  • Rule 705 states an expert can give an opinion without first testifying to the underlying facts or data

Avoid Exceeding Your Knowledge

Create an Analysis Plan

  • collect evidence in order of volatility, starting with the most volatile
  • RFC 3227 presents guidelines for evidence collection and archiving
    • volatile data
    • file slack
    • file system
    • registry
    • memory dumps
    • system state backups
    • internet traces

Technical Information Collection Considerations

  1. Life span of the information
  2. Collect information quickly
    • perpetrator may try to obscure, conceal, or change information
  3. Collect bit-level information
    • allows checking whether unrelated bits were inserted within files
    • enables reconstruction of file fragments if deleted or overwritten
    • most accurate view of how information is stored on the hardware

Formal Forensic Approaches

DoD Forensic Standard

  • DoD Cyber Crime Center (DC3) sets standards for digital evidence processing, analysis, and diagnostics

DFRWS Framework

  • Digital Forensic Research Workshop (DFRWS)
    • nonprofit volunteer organization
    • goal is enhancing the sharing of knowledge and ideas about digital forensic research
    • developed a framework for digital investigation:
      • Identification
      • Preservation
      • Collection
      • Examination
      • Analysis
      • Presentation

SWGDE Framework

  • The Scientific Working Group on Digital Evidence (SWGDE) framework:
    • Collect
    • Preserve
    • Examine
    • Transfer

Event-Based Digital Forensics Investigation Framework

  • Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University
  • CERIAS Framework:
    1. Readiness
      • Operations Readiness
    2. Deployment
      • Detection and Notification
      • Confirmation and Authorization
    3. Physical Crime Scene Investigation
    4. Digital Crime Scene Investigation
    5. Presentation

Documentation of Methodologies and Findings

Evidence-Handling Tasks

  • 3 basic tasks of evidence handling:
    • find evidence
    • preserve evidence
    • prepare evidence

Evidence-Gathering Measures

  • principles to use:
    • avoid changing the device
    • determine when evidence was created
      • create timelines of computer usage and file access
    • trust only physical evidence
      • bits of data are recorded at the physical level of magnetic materials
    • search throughout a device
    • present the evidence well

Expert Reports

An expert report is a formal document that details the expert’s findings.

  • often filed prior to trial
  • may be used for depositions

How to Set Up a Forensics Lab

Equipment

  • Storage server with lots of space
    • RAID 5 redundancy
    • backup 1/day
  • variety of computers for various drives
    • USB, SCSI, EIDE, SATA drives

Security

  • examined machines should be air-gapped
  • have a separate lab network not connected to the internet
  • room should be shielded from EMI
    • cellular and wireless signals cannot penetrate the room
  • limit access to the lab
    • log access
    • swipe card access is ideal
    • room should be difficult to forcibly enter
  • means to secure evidence
    • evidence safe
      • highly fire resistant
  • consider ISO standards:
    • ISO/IEC 27037:2012—Information Technology—Security Techniques—Guidelines for identification, collection, acquisition, and preservation of digital evidence
    • ISO/IEC 27041:2015—Information Technology—Security techniques—Guidance on assuring suitability and adequacy of incident investigative method
    • ISO/IEC 27042:2015—Information Technology—Security techniques—Guidelines for the analysis and interpretation of digital evidence
  • refer to NIST Computer Forensics Tool Testing Program for tools

American Society of Crime Laboratory Directors

The American Society of Crime Laboratory Directors (ASCLD) provides guidelines for managing a forensics lab.

  • also provides guidelines on crime lab and forensics lab certifications

Common Forensic Software Programs

EnCase

EnCase is a widely used forensic toolkit that allows the examiner to connect an Ethernet cable or null modem cable to a suspect machine to view data.

  • by Guidance Software
  • prevents accidental changes
  • organizes information into cases
  • based on the evidence file
    • contains the header, checksum, and data blocks
    • data blocks are the actual data copied from the suspect machine
    • is an exact copy of the hard drive
  • multiple methods to acquire data:
    • EnCase boot disk
      • method that boots the system to EnCase using DOS mode rather than a GUI mode
      • can then copy the suspect drive to a new drive to examine
    • EnCase network boot disk
      • allows you to perform the standard boot disk process over a crossover cable between the investigator’s computer and the suspect computer
    • LinEn boot disk
      • specific for acquiring contents of a Linux machine

Forensic Toolkit

Forensic Toolkit (FTK) is a widely used forensic analysis tool.

  • from AccessData
  • useful at cracking passwords
  • can search and analyze Windows Registry
  • has a robust set of tools for examining email
  • has distributed processing
    • allows up to 3 computers to share the processing load
  • available for Windows and Mac

OSForensics

  • from PassMark Software
  • cheaper than other products
  • can do most tasks but lacks specialized features

Helix

Helix is a customized Linux Live CD used for computer forensics.

  • suspect system is booted into Linux using the Helix CD
    • then Helix tools are used to perform analysis
  • robust and feature-rich
  • not as popular

Kali Linux

  • free security, forensics, and pentesting OS

AnaDisk Disk Analysis Tool

AnaDisk turns a PC into a sophisticated disk analysis tool.

  • from New Technologies Incorporated (NTI)
  • scans for anomalies that identify formats, extra tracks, and extra sectors
  • used to uncover sophisticated data-hiding techniques
  • supports all DOS formats and many non-DOS formats

CopyQM Plus Disk Duplication Software

CopyQM Plus turns a PC into a disk duplicator.

  • from NTI
  • formats, copies, and verifies a disk in a single pass
  • useful for pre-configuring CDs for specific uses and duplicating them
  • can create self-extracting executable programs to duplicate specific disks
  • ideal tool for security reviews
    • once a disk creation program has been created, anyone can use it to make preconfigured security risk-assessment disks
  • useful for creating computer incident response toolkit disks
  • supports all DOS formats and many non-DOS formats
  • copies files, file slack, and unallocated storage space
    • does not copy all areas of copy-protected disks (extra sectors)
    • use AnaDisk instead for this

The Sleuth Kit

The Sleuth Kit is a collection of command-line tools available as a free download.

  • not as feature-rich or easy to use as other alternatives
  • has a GUI called Autopsy

Disk Investigator

  • free utility with GUI
  • for Windows OS
  • very easy to use
  • not fully featured
  • shows a cluster-by-cluster view of a hard drive in hexadecimal

Forensic Certifications

  • General certification areas:
    • Hardware
      • CompTIA A+
    • Basic Networking
      • CompTIA Network+
      • Cisco Certified Network Associate (CCNA)
    • Security
      • (ISC)2 CISSP
      • CompTIA Security+
    • Hacking
      • Offensive Security OSCP+
      • Certified Ethical Hacker (CEH)
      • GIAC Penetration Tester (GPEN)
    • Vendor Certifications
      • EnCase Certified Examiner (EnCE)
      • AccessData Certified Examiner (ACE)
      • EC Council Certified Hacking Forensic Investigator (CHFI)
      • GIAC
        • well respected in industry
        • GIAC Certified Forensic Analyst (GCFA)
        • GIAC Certified Forensic Examiner (GCFE)