Hands-on Guide to Digital Forensics
Digital forensics is one of the most interesting fields in information security. In this post, we will explore what digital forensics is and we will learn how to perform some digital forensics tasks using some powerful tools and utilities.
In this article we are going to explore the following points:
- Digital Forensics Fundamentals
- Digital Forensics Lab
- Network evidence collection and Analysis
- Host-based evidence collection and Analysis
- Forensics Imaging
- Practical Lab: Autopsy Forensics Browser
- Practical Lab: Memory Analysis with Volatility
Digital Forensics Fundamentals
Before diving into the practical labs it is essential to explain many important terminologies. First, what is digital forensics?
NIST is describing Forensics as the following:
_The most common goal of performing forensics is to gain a better understanding of an event of interest by finding and analyzing the facts related to that event... Forensics may be needed in many different situations, such as evidence collection for legal proceedings and internal disciplinary actions, and handling of malware incidents and unusual operational problems. _
Like any methodological operation, Computer forensic analysis goes through well-defined steps: Identification , Preservation , Collection , Examination , Analysis and Presentation.
let's explore these steps one by one:
According to worldsecuresystems:
"A chain of custody is a document that is borrowed from law enforcement that tracks evidence from the time the Computer Forensics Examiner gains possession of the item until it is released back to the owner. "
The following illustration presents a chain of custody template:
Digital Forensics Lab
To perform digital forensics, obviously, you need to prepare a lab for it. It is essential to have both the required hardware and software.
During investigations, digital forensics experts are dealing with many hardware pieces and devices including RAMs and Storagemedia devices. Thus, it is important to acquire a suitable hardware equipment to perform the task in good condition. Some of the required hardware pieces are the following:
- A digital Forensics laptop (A minimum of 32 GB of RAM is recommended) with an OS that contains the needed digital forensics tools
- A secondary machine with Internet connexion
- A physical write blocker
As I said previously, a digital forensics computer needs to be equipped with many DF tools. Some of the most used tools and operating systems are the following:
- SANS SIFT
- CAINE OS
- _Volatility _
- X-Ways Forensics
- Autopsy: the Sleuth Kit
- Bulk Extractor
Network evidence collection and Analysis
An evidence is the information to be investigated. Digital forensics analysts are dealing with different categories of evidence including network-based evidence and host-based evidence. Let's start exploring how to deal with network evidence. As we cited earlier, the first step is collecting the evidence. In networking, we can perform the collection using many techniques and tools. After identifying the source of evidence using for example network diagrams, you can use packet capture tools such as:
"Tcpdump is a powerful command-line packet analyzer; and __libpcap__ , a portable C/C++ library for __network traffic__ capture." (Source: tcpdump.org)
"Wireshark is the world's foremost and widely-used __network protocol__ analyzer. It lets you see what's happening on your network at a microscopic level and is the de facto (and often de jure) __standard__ across many commercial and non-profit __enterprises__ , __government agencies__ , and educational institutions. __Wireshark__ __development__ thrives thanks to the __volunteer__ contributions of networking __experts__ around the globe and is a continuation of a __project__ started by Gerald Combs in 1998". (Source: __wireshark.org__ )
As a demonstration let's explore how to analyse a small pcap file with Wireshark.
If you are using Kali Linux, Wireshark is already installed there.
Open the file with Wireshark:
To select a TCP stream go to Analyze -\> follow TCP stream
For example, we are going to extract the files from the captured packet:
Go to File -\> Export objects -\> HTTP -\> Save all
Voila! we extracted the included files:
Host-based evidence collection and Analysis
As an investigator and digital forensics expert, it is essential to acquire knowledge about the different storage means and the different filesystems. By definition, a storage media is a device where we can store data and information. There are many used storage devices including:
- Hard drive
- USB drive
- _Memory cards and so on _
The removable storage media pieces need to be formatted with a specific filesystem. Some of the most used filesystems are:
To collect host-based evidence, you need to know the difference between volatile data and non-volatile data. Volatile data is data that is lost after a shutdown or some system changes. CPU data and ARP cache are some forms of volatile data. Data stored in hard drives and Master File Table (MFT) entries are non-volatile data. The host-based evidence acquisition can be done locally or remotely. Also, it can be done online or offline. Evidence collection is performed with what we call "Forensics Imaging"
Forensics imaging is a very important task in digital forensics. Imaging is copying the data carefully with ensuring its integrity and without leaving out a file because it is very critical to protect the evidence and make sure that it is properly handled. That is why there is a difference between normal file copying and imaging. Imaging is capturing the entire drive. When imaging the drive, the analyst image the entire physical volume including the master boot record. There are two imaging techniques:
- Live imaging: the compromised system is not-offline
- Dead imaging: the compromised system is offline
Also, the taken images can be in many formats such as:
- Raw images
- EnCase evidence files
- Smart and so on
For imaging, you can use FTK Imager:
"FTK Imager is a data preview and imaging __tool__ used to acquire data (evidence) in a __forensically__ sound manner by creating copies of data without making changes to the original evidence."
Practical Lab 1: Autopsy Forensics Browser
As a second demonstration, we are going to learn how to use a great forensics tool called "Autopsy Forensics Browser". According to https://www.linuxlinks.com/autopsy/ :
The Autopsy __Forensic__ __Browser__ is a graphical __interface__ to the __command line__ digital __investigation__ tools in The Sleuth Kit. The two together enable __users__ to investigate volumes and file __systems__ including __NTFS__ , __FAT__ , UFS1/2, and Ext2/3 in a 'File Manager' style interface and perform __key__ __word__ searches.
If you are using Kali Linux, can found it directly there without the need to install it:
Run it from the menu:
Create a new case:
Select the profile
Add a host
Check the configuration and click Add Image
For the demo, we are going to use a memory dump sample (NTFS Undelete) from http://dftt.sourceforge.net (Digital Forensics Tool Testing Images)
Add the path of the dump:
Click on Analyze:
These are some pieces of information about the dump
Now you can analyse the file freely:
Practical Lab 2: Memory Analysis with Volatility
Memory malware analysis is widely used for digital investigation and malware analysis. It refers to the act of analysing a dumped memory image from a targeted machine after executing the malware to obtain multiple numbers of artefacts including network information, running processes, API hooks, kernel loaded modules, Bash history, etc. ... This phase is very important because it is always a good idea to have a clearer understanding of malware capabilities.
- Process list and the associated threads
- Networking information and interfaces (TCP/UDP)
- Kernel modules including the hidden modules
- Opened files in the kernel
- Bash and commands history
- System Calls
- Kernel hooks
To analyse memory You can simply use volatility framework, which is an open-source memory forensics tool written in Python. It is available under GPL. Volatility comes with various plugins and a number of profiles to ease obtaining basic forensic information about memory image files. To download it you can visit this website: The Volatility Foundation - Open Source Memory Forensics or GitHub - volatilityfoundation/volatility
As a hands-on practice, we are going to analyse a memory dump from an infected computer with Volatility. You can find many samples here: https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples
For the demonstration, we are going to analyse a memory dump called " cridex.vmem"
Get info about the memory dump:
python vol.py -f cridex.vmem imageinfo
python vol.py -f cridex.vmem psxview
Processes as Parent/Child
sudo python vol.py -f cridex.vmem pstree
Get hidden and terminated Processes
sudo python vol.py -f cridex.vmem psscan
sudo python vol.py -f cridex.vmem dlllist
Get commandline args
sudo python vol.py -f cridex.vmem cmdline
sudo python vol.py -f cridex.vmem getsids
sudo python vol.py -f cridex.vmem connscan
sudo python vol.py -f cridex.vmem modules
For more information about the most used Volatility commands check these two helpful cheatsheets:
- Digital Forensics and Incident Response
- Digital Forensics with Kali Linux
In this module, we discovered what digital forensics is, what are the different steps to perform it, including evidence acquisition and analysis. Later, we explored some well-known digital forensics tools by analyzing some memory dumps using Autopsy and Volatility framework.