Monday, April 7, 2014

computer forensics

  • what is computer forensics

    Computer forensics is the discipline of figuring out what happened, when it happened, how it happened, and who was involved.

    This can be for the purpose of performing a root cause analysis of a computer system that has failed or is not operating properly,

    or to find out who is responsible for misuse of computer systems,

    or perhaps who committed a crime using a computer system or against a computer system.

    Computer forensic techniques and methodologies are commonly used for conducting computing investigations.

    Think about a murder case or a case of financial fraud. What do the investigators involved in these cases need to ascertain? What happened, when did it happen, how did it happen, and who was involved.


    The preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found.


    References:

    http://www.csisite.net/forensics.htm
    http://www.computerforensicsworld.com
    http://www.craigball.com
    http://en.wikipedia.org/wiki/Computer_forensics
    http://swizardb.blogspot.com/search/label/Computer%20Forensics


    • Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it.
    http://searchsecurity.techtarget.com/definition/computer-forensics


    • Computer forensics is the practice of collecting, analysing and reporting on digital data in a way that is legally admissible.
    https://forensiccontrol.com/resources/beginners-guide-computer-forensics/
  • The Open Computer Forensics Architecture (OCFA) is a distributed open-source computer forensics framework used to analyze digital media within a digital forensics laboratory environment. The framework was built by the Dutch national police.

  • https://en.wikipedia.org/wiki/Open_Computer_Forensics_Architecture

  • Open Computer Forensics Architecture

  • The Open Computer Forensics Architecture (OCFA) is a modular computer forensics framework built by the Dutch National Police Agency [KLPD/Dutch]. The main goal is to automate the digital forensic process to speed up the investigation and give tactical investigators direct access to the seized data through an easy to use search and browse interface.
    http://ocfa.sourceforge.net/

  • The Open Computer Forensics Architecture (OCFA) is a modular computer forensics framework built by the "Dutch National Police Agency". The main goal is to automate the digital forensic process to speed up the investigation and give tactical investigators direct access to the seized data through an easy to use search and browse interface...
  • http://www.forensicfocus.com/index.php?name=News&file=article&sid=477
     Exploring the Open Computer Forensics Architecture
    Automate the forensics process with the Dutch police department's Open Computer Forensics Architecture. http://www.linux-magazine.com/Issues/2008/93/OCFA

  • DFF (Digital Forensics Framework) is a free and Open Source computer forensics software built on top of a dedicated Application Programming Interface (API). It can be used both by professional and non-expert people in order to quickly and easily collect, preserve and reveal digital evidence without compromising systems and data.
    http://www.toolwar.com/2014/06/dff-digital-forensics-framework.html

  • Digital Forensics Framework
  • DFF is an Open Source computer forensics platform built on top of a dedicated Application Programming Interface (API). DFF proposes an alternative to the aging digital forensics solutions used today. Designed for simple use and automation, the DFF interface guides the user through the main steps of a digital investigation so it can be used by both professional and non-expert to quickly and easily conduct a digital investigation and perform incident response.
    http://www.arxsys.fr/

  • DFF features:
        Preserve digital chain of custody: software write blocker, cryptographic hash calculation
        Access to local and remote devices: disk drives, removable devices, remote file systems
        Read standard digital forensics file formats: Raw, Encase EWF, AFF 3 file formats
        Virtual machine disk reconstruction: VMWare (VMDK) compatible
        Windows and Linux OS forensics: Registry, mailboxes, NTFS, EXTFS 2/3/4, FAT 12/16/32 file systems
        Quickly triage and search for (meta-)data: regular expressions, dictionaries, content search, tags, timeline
        Recover hidden and deleted artifacts: deleted files/folders, unallocated space, carving
        Volatile memory forensics: processes, local files, binary extraction, network connections
    http://tools.kali.org/forensics/dff

  • AlmaNebula is a conceptual framework for the analysis of digital evidence built on top of a Cloud infrastructure, which aims to embody the concept of “Forensics as a service”.

  • http://www.sciencedirect.com/science/article/pii/S1877050913006315

  • EnCase is a suite of digital forensics products by Guidance Software. The software comes in several forms designed for forensic, cyber security and e-discovery use.
http://en.wikipedia.org/wiki/EnCase


  • Built on the EnCase Enterprise platform are market-leading electronic discovery and cyber security solutions, EnCase eDiscovery, EnCase Cybersecurity, and EnCase Analytics. They empower organizations to respond to litigation discovery requests, perform sensitive data discovery for compliance purposes, conduct a speedy and thorough security incident response, and reveal previously hidden advanced persistent threats or malicious insider activity.

http://www.guidancesoftware.com/


  • Forensic Toolkit (FTK)
FTK is a court-accepted digital investigations platform built for speed, stability, and ease of use.
http://www.accessdata.com/products/digital-forensics/ftk

  • IBM i2 provides intelligence analysis, law enforcement and fraud investigation solutions. i2 offerings deliver flexible capabilities that help combat crime, terrorism and fraudulent activity.
http://www-01.ibm.com/software/info/i2software/


  • Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.

 http://www.sleuthkit.org/autopsy/



  •  The Sleuth Kit® is a collection of command line tools and a C library that allows you to analyze disk images and recover files from them. It is used behind the scenes in Autopsy and many other open source and commercial forensics tools.

 http://www.sleuthkit.org/


  • SANS Investigative Forensic Toolkit (SIFT) Workstation Version 3

SANS created the SANS Investigative Forensic Toolkit (SIFT) Workstation for incident response and digital forensics use and made it available to the whole community as a public service. The free SIFT toolkit, which can match any modern incident response and forensic tool suite, is also featured in SANS' Advanced Incident Response course (FOR 508).
http://digital-forensics.sans.org/community/downloads


  • The Volatility Framework

The Volatility Foundation is an independent 501(c)(3) non-profit organization that maintains and promotes open source memory forensics with The Volatility Framework.
http://www.volatilityfoundation.org/



  • FTK Imager

FTK Imager is a data preview and imaging tool that allows you to examine files and folders on local hard drives, network drives, CDs/DVDs, and review the content of forensic images or memory dumps.
http://accessdata.com/product-download/digital-forensics/ftk-imager-lite-version-3.1.1


  • dc3dd

A patch to the GNU dd program, this version has several features intended for forensic acquisition of data. Highlights include hashing on-the-fly, split output files, pattern writing, a progress meter, and file verification.
https://sourceforge.net/projects/dc3dd/


  • CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a Digital Forensics project.

http://www.caine-live.net/


  • bulk_extractor

bulk_extractor is a program that extracts features such as email addresses, credit card numbers, URLs, and other types of information from digital evidence files. It is a useful forensic investigation tool for many tasks such as malware and intrusion investigations, identity investigations and cyber investigations, as well as analyzing imagery and password cracking.

http://tools.kali.org/forensics/bulk-extractor


  • Guymager is a forensic imager for media acquisition. It is contained on several live CDs and VMs. Some of them are updated more often than others, so take care to choose one with a recent version of Guymager.

http://guymager.sourceforge.net/

  • libyal is a collection of libraries that are used to access various data formats, such as the OLE Compound File or NT File System. The original use case for the libraries is for analyzing data formats or their content for analysis in the context of digital forensics and incident response (DFIR).
https://github.com/libyal/libyal/wiki
  • plaso is a Python-based backend engine for the tool log2timeline.
log2timeline is a tool designed to extract timestamps from various files found on a typical computer system and aggregate them.
The initial purpose of plaso was to have the timestamps in a single place for computer forensic analysis (aka Super Timeline).
https://github.com/log2timeline/plaso/wiki
https://github.com/log2timeline/plaso

  • Rekall is an advanced forensic and incident response framework. While it began life purely as a memory forensic framework, it has now evolved into a complete platform.
http://www.rekall-forensic.com/

  • The Rekall Framework is a completely open collection of tools, implemented in Python under the Apache and GNU General Public License, for the extraction and analysis of digital artifacts from computer systems.
https://github.com/google/rekall


  • Exercise 2 - Track User Mode Process Allocations


Heap allocations are made directly via Heap APIs (HeapAlloc, HeapRealloc, and C/C++ allocations such as new, malloc, realloc, calloc) and are serviced using three types of heaps:

  1. Mainline NT Heap – Services allocation requests of sizes less than 64 KB.
  2. Low Fragmentation Heap – Composed of sub-segments that service allocation requests of fixed size blocks.
  3. VirtualAlloc – Services allocation requests of sizes greater than 64 KB.

VirtualAlloc is used for large dynamic memory allocations that are made directly via the VirtualAlloc API; typical uses are bitmaps or buffers. You can use VirtualAlloc to reserve a block of pages and then make additional calls to VirtualAlloc to commit individual pages from the reserved block. This enables a process to reserve a range of its virtual address space without consuming physical storage until it is needed.

There are two concepts to understand in this area:

  1. Reserved memory: Reserves an address range for usage but does not acquire memory resources.
  2. Committed memory: Ensures that either physical memory or page file space will be available if the addresses are referenced.

https://docs.microsoft.com/en-us/windows-hardware/test/wpt/memory-footprint-optimization-exercise-2


VirtualAlloc is a specialized allocation of the Windows virtual memory system: it allocates straight from virtual memory in page-granular reserved blocks.
HeapAlloc allocates a block of any requested size dynamically from a heap; heaps are a Microsoft Windows concept.

Heaps are themselves set up by VirtualAlloc, which is used to initially reserve the heap's allocation space from the operating system.
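The reserve-then-commit model described above, as an added example that is not part of the original page or of Microsoft's WPT exercise: on Windows it calls VirtualAlloc with MEM_RESERVE for the whole range and then MEM_COMMIT one page at a time; on POSIX it uses the closest analogue, an anonymous PROT_NONE mmap (reserve) followed by mprotect to read/write (commit), so the same program runs on Linux. The RESERVE_PAGES constant and the function names are my own.

```c
/* Reserve a range of address space, then commit and touch only part of it.
 * Windows: VirtualAlloc(MEM_RESERVE) / VirtualAlloc(MEM_COMMIT) / VirtualFree.
 * POSIX analogue: mmap(PROT_NONE) / mprotect(PROT_READ|PROT_WRITE) / munmap.
 * Added example; names and the RESERVE_PAGES value are constructed. */
#define _DEFAULT_SOURCE 1
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif
#endif

#define RESERVE_PAGES 16   /* size of the reserved range, in pages (constructed) */

/* Granularity at which the OS reserves and commits memory. */
size_t os_page_size(void) {
#ifdef _WIN32
    SYSTEM_INFO si;
    GetSystemInfo(&si);
    return (size_t)si.dwPageSize;
#else
    long ps = sysconf(_SC_PAGESIZE);
    return ps > 0 ? (size_t)ps : 4096;
#endif
}

/* Reserve an address range: no physical memory or pagefile is charged yet. */
static void *reserve_range(size_t bytes) {
#ifdef _WIN32
    return VirtualAlloc(NULL, bytes, MEM_RESERVE, PAGE_NOACCESS);
#else
    void *p = mmap(NULL, bytes, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
#endif
}

/* Commit one page of the reserved range so it can be read and written. */
static int commit_page(void *base, size_t index, size_t page) {
    char *addr = (char *)base + index * page;
#ifdef _WIN32
    return VirtualAlloc(addr, page, MEM_COMMIT, PAGE_READWRITE) != NULL;
#else
    return mprotect(addr, page, PROT_READ | PROT_WRITE) == 0;
#endif
}

/* Give the whole range, committed pages included, back to the OS. */
static void release_range(void *base, size_t bytes) {
#ifdef _WIN32
    VirtualFree(base, 0, MEM_RELEASE);
#else
    munmap(base, bytes);
#endif
}

/* Reserve RESERVE_PAGES pages, commit only the first pages_to_commit of them,
 * write into every committed page, and return the number of bytes made usable.
 * Requests larger than the reservation are refused (0). The loop writes only to
 * pages whose commit succeeded: touching a reserved-but-uncommitted page faults. */
size_t reserve_then_commit(size_t pages_to_commit) {
    size_t page = os_page_size();
    size_t total = (size_t)RESERVE_PAGES * page;
    if (pages_to_commit > RESERVE_PAGES) return 0;
    void *base = reserve_range(total);
    if (base == NULL) return 0;
    size_t usable = 0;
    for (size_t i = 0; i < pages_to_commit; i++) {
        if (!commit_page(base, i, page)) break;
        memset((char *)base + i * page, 0xAA, page);  /* safe only after commit */
        usable += page;
    }
    release_range(base, total);
    return usable;
}

int main(void) {
    size_t got = reserve_then_commit(4);
    printf("%zu bytes usable after committing 4 of %d reserved pages (page size %zu)\n",
           got, RESERVE_PAGES, os_page_size());
    return 0;
}
```

The reservation is what makes the rest of the address range unavailable to other allocations, while only the committed pages are charged against physical memory or the pagefile; for an examiner this is also why a process's reserved-but-uncommitted ranges carry no content in a memory capture until they are committed and written.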
  • Forensic Analysis of Windows User-Space Applications Through Heap Allocations


Why userspace analysis?
Forensically very valuable.
Users interact directly with applications.
Applications interact with the OS kernel.
Therefore we can sometimes infer user activity from OS kernel evidence, but not always.
e.g. a user chats on IRC: sockets, connections, network packets and strings in the IRC process give no context.

Challenges for user-space analysis
So many userspace applications that manual reversing just does not scale.
Userspace memory is often paged and address translation is more complex;
current tools and techniques are unable to resolve userspace memory from Prototype PTEs or the Pagefile.
Why is page translation in userspace fairly complex?
Have to consider shared memory (Prototype PTEs).
Some memory forensic tools are extremely buggy and associate random data with the content of user space memory (very dangerous from an evidentiary perspective).

Conclusions
For the first time, a FOSS memory analysis framework supports reliable user space address translation
(Prototype PTEs, Page file, transitioned PDEs etc.).
High-quality address translation is essential in order to reliably parse heap structures.
Thorough heap analysis enables seeing memory through an app's own abstractions.


https://pdfs.semanticscholar.org/aed3/087a4f3c36dc4e1becfa8cc5b9fb0af4d6fa.pdf


  • Incident Forensics Lifecycle


GCTI certification
CTI - cyber threat intelligence
Diamond Model and Cyber Kill-Chain

Incident response lifecycle
preparation
identification
recovery
lessons learned

Digital forensics lifecycle 
collection
examination
analysis
reporting

Cyber Kill-Chain
Used for the identification and prevention of cyber intrusions; it describes the 7 stages of a cyber attack:
reconnaissance (and precursors)
weaponization
delivery
exploitation
installation 
command and control
actions on objectives

https://cyberforensicator.com/2019/03/24/incident-forensics-lifecycle/
