Hands-on Guide to Digital Forensics
Digital forensics is one of the most interesting fields in information security. In this post, we will explore what digital forensics is and we will learn how to perform some digital forensics tasks using some powerful tools and utilities.
In this article we are going to explore the following points:
- Digital Forensics Fundamentals
- Digital Forensics Lab
- Network evidence collection and Analysis
- Host-based evidence collection and Analysis
- Forensics Imaging
- Practical Lab: Autopsy Forensics Browser
- Practical Lab: Memory Analysis with Volatility
Digital Forensics Fundamentals
Before diving into the practical labs it is essential to explain many important terminologies. First, what is digital forensics?
NIST describes forensics as follows:
"The most common goal of performing forensics is to gain a better understanding of an event of interest by finding and analyzing the facts related to that event... Forensics may be needed in many different situations, such as evidence collection for legal proceedings and internal disciplinary actions, and handling of malware incidents and unusual operational problems."
Like any methodical operation, computer forensic analysis goes through well-defined steps: Identification, Preservation, Collection, Examination, Analysis and Presentation.
Let's explore these steps one by one:
- Identification
- Preservation
- Collection
- Examination
- Analysis
- Presentation
According to worldsecuresystems:
"A chain of custody is a document that is borrowed from law enforcement that tracks evidence from the time the Computer Forensics Examiner gains possession of the item until it is released back to the owner."
The following illustration presents a chain of custody template:
Digital Forensics Lab
To perform digital forensics, obviously, you need to prepare a lab for it. It is essential to have both the required hardware and software.
Hardware
During investigations, digital forensics experts deal with many hardware pieces and devices, including RAM and storage media. Thus, it is important to acquire suitable hardware equipment to perform the task in good conditions. Some of the required hardware pieces are the following:
- A digital Forensics laptop (A minimum of 32 GB of RAM is recommended) with an OS that contains the needed digital forensics tools
- A secondary machine with an Internet connection
- A physical write blocker
Software
As I said previously, a digital forensics computer needs to be equipped with many DF tools. Some of the most used tools and operating systems are the following:
- SANS SIFT
- CAINE OS
- Volatility
- X-Ways Forensics
- Autopsy: the Sleuth Kit
- Bulk Extractor
Network evidence collection and Analysis
Evidence is the information to be investigated. Digital forensics analysts deal with different categories of evidence, including network-based evidence and host-based evidence. Let's start by exploring how to deal with network evidence. As we noted earlier, the first step is collecting the evidence. In networking, we can perform the collection using many techniques and tools. After identifying the source of evidence, using for example network diagrams, you can use packet capture tools such as:
TCPdump
"Tcpdump is a powerful command-line packet analyzer; and libpcap, a portable C/C++ library for network traffic capture." (Source: tcpdump.org)
Wireshark
"Wireshark is the world's foremost and widely-used network protocol analyzer. It lets you see what's happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions. Wireshark development thrives thanks to the volunteer contributions of networking experts around the globe and is a continuation of a project started by Gerald Combs in 1998". (Source: wireshark.org)
As a demonstration let's explore how to analyse a small pcap file with Wireshark.
If you are using Kali Linux, Wireshark is already installed there.
Open Wireshark
We are going to analyse this Pcap file http_with_jpegs.cap.gz from here: https://wiki.wireshark.org/SampleCaptures
Open the file with Wireshark:
To follow a TCP stream, go to Analyze -> Follow TCP Stream.
For example, we are going to extract the files carried in the captured packets:
Go to File -> Export Objects -> HTTP -> Save All
Voilà! We extracted the included files:
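The Export Objects step above does HTTP object extraction for you inside Wireshark. To make the mechanics visible, here is an added example (not code from the original post or from the Wireshark project) that does the same job for the simple single-packet case with only the Python standard library: it walks a pcap file, parses Ethernet/IPv4/TCP headers, reassembles each unidirectional stream by sequence number, and carves out HTTP response bodies with their Content-Type. The capture it runs on is constructed inline (a one-frame pcap holding a 200 OK response with a tiny JPEG-like body), so it runs offline; the addresses and ports in it are made up.

```python
"""Carve HTTP response objects out of a pcap with the standard library only.

Added example, not part of the original post or of Wireshark. It handles the
straightforward case (one unidirectional stream per (src, dst) tuple, in-order
segments, Content-Length framing); chunked encoding and retransmissions are
out of scope. The sample capture is constructed in build_sample_pcap().
"""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4   # little-endian, microsecond-resolution pcap
DLT_EN10MB = 1               # Ethernet link type


def read_pcap(data):
    """Yield raw link-layer frames from pcap bytes."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("unsupported pcap magic (only little-endian pcap handled)")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != DLT_EN10MB:
        raise ValueError("only Ethernet captures are handled")
    off = 24                                   # global header is 24 bytes
    while off + 16 <= len(data):               # each record has a 16-byte header
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_segment(frame):
    """Return ((src, sport), (dst, dport), seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length
    if frame[23] != 6:                                    # protocol 6 = TCP
        return None
    ip_total = struct.unpack_from("!H", frame, 16)[0]
    src, dst = frame[26:30], frame[30:34]
    tcp = frame[14 + ihl:14 + ip_total]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    doff = (tcp[12] >> 4) * 4                             # TCP header length
    return (src, sport), (dst, dport), seq, tcp[doff:]


def extract_http_objects(pcap_bytes):
    """Reassemble each (src, dst) stream and return a list of HTTP response objects."""
    streams = defaultdict(list)
    for frame in read_pcap(pcap_bytes):
        seg = tcp_segment(frame)
        if seg is None:
            continue
        s, d, seq, payload = seg
        if payload:
            streams[(s, d)].append((seq, payload))
    objects = []
    for segs in streams.values():
        data = b"".join(p for _, p in sorted(segs))      # order by sequence number
        if not data.startswith(b"HTTP/1."):
            continue                                      # not a response stream
        head, _, body = data.partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n")[1:]:
            k, _, v = line.partition(b":")
            headers[k.strip().lower()] = v.strip()
        length = int(headers.get(b"content-length", len(body)))
        objects.append({"content_type": headers.get(b"content-type", b"").decode(),
                        "body": body[:length]})
    return objects


def build_sample_pcap():
    """Constructed one-frame capture: server 10.0.0.1:80 -> client 10.0.0.2:40000 (made-up values)."""
    body = b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"\xff\xd9"     # JPEG SOI ... EOI markers
    payload = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
               b"Content-Length: %d\r\n\r\n" % len(body)) + body
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1000, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip                   # zeroed MACs, EtherType IPv4
    global_header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, DLT_EN10MB)
    record = struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return global_header + record


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for i, obj in enumerate(extract_http_objects(data)):
        print(f"object {i}: {obj['content_type']}, {len(obj['body'])} bytes")
```

Run it with a pcap path to carve from a real capture, or with no arguments to parse the constructed sample. The stream key is the (source, destination) pair, so request and response directions are kept apart, which is why the response check on `HTTP/1.` works without looking at ports.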
Host-based evidence collection and Analysis
As an investigator and digital forensics expert, it is essential to acquire knowledge about the different storage media and the different filesystems. By definition, a storage medium is a device where we can store data and information. Commonly used storage devices include:
- Hard drive
- DVD-ROM
- USB drive
- Memory cards, and so on
Removable storage media need to be formatted with a specific filesystem. Some of the most used filesystems are:
- Ext4
- Ext3
- NTFS
- FAT32
To collect host-based evidence, you need to know the difference between volatile data and non-volatile data. Volatile data is data that is lost after a shutdown or after some system changes; CPU data and the ARP cache are examples of volatile data. Data stored on hard drives and Master File Table (MFT) entries are non-volatile data. Host-based evidence acquisition can be done locally or remotely, and it can be done online or offline. Evidence collection is performed with what we call "forensic imaging".
Forensics Imaging
Forensic imaging is a very important task in digital forensics. Imaging is copying the data carefully, ensuring its integrity and without leaving out any file, because it is critical to protect the evidence and make sure that it is properly handled. That is why there is a difference between normal file copying and imaging: imaging captures the entire drive. When imaging a drive, the analyst images the entire physical volume, including the master boot record. There are two imaging techniques:
- Live imaging: the compromised system is still online
- Dead imaging: the compromised system is offline
Also, the taken images can be in many formats such as:
- Raw images
- EnCase evidence files
- AFF
- Smart and so on
For imaging, you can use FTK Imager:
"FTK Imager is a data preview and imaging tool used to acquire data (evidence) in a forensically sound manner by creating copies of data without making changes to the original evidence."
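The two properties that make an image "forensically sound" in the quote above, bit-for-bit capture and integrity verification, together with the chain-of-custody record discussed earlier, are demonstrated by the following added example. It is not code from the original post, nor from FTK Imager: it copies a source device or file to a raw (dd-style) image in fixed-size chunks, hashes the source stream during the read and the finished image afterwards so the two digests can be compared, and appends every custody event as a JSON line. The source in `demo()` is a constructed temporary file standing in for a drive; the examiner name is a placeholder. Imaging a real device (for example a `/dev/sdX` path) needs root and a write blocker in front of the evidence.

```python
"""Raw forensic imaging with hash verification and a chain-of-custody log.

Added example (not from the original post, not FTK Imager). Reads the source
once, hashing as it goes, re-hashes the written image and records both
digests in a JSON-lines custody log so that any later copy can be checked.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads keep memory flat for multi-GB devices


def image_raw(source, dest, chunk=CHUNK):
    """Copy source to dest bit-for-bit; return (bytes_copied, sha256 of the source stream)."""
    digest = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(dest, "wb") as dst:
        while True:
            buf = src.read(chunk)
            if not buf:
                break
            digest.update(buf)       # hash what we actually read from the evidence
            dst.write(buf)
            copied += len(buf)
        dst.flush()
        os.fsync(dst.fileno())       # make sure the image really reached disk
    return copied, digest.hexdigest()


def sha256_file(path, chunk=CHUNK):
    """Independent re-hash of a file on disk (used to verify the written image)."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            digest.update(buf)
    return digest.hexdigest()


def record_custody(log_path, examiner, action, item, details=None):
    """Append one custody event (who, when, what, which item) to a JSON-lines log."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "item": item,
        "details": details or {},
    }
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def acquire(source, dest, log_path, examiner):
    """Image source to dest, verify the image and log both events; return a summary dict."""
    record_custody(log_path, examiner, "acquisition-start", source)
    size, src_hash = image_raw(source, dest)
    img_hash = sha256_file(dest)
    verified = src_hash == img_hash
    record_custody(log_path, examiner, "acquisition-complete", dest,
                   {"bytes": size, "sha256_source": src_hash,
                    "sha256_image": img_hash, "verified": verified})
    return {"image": dest, "log": log_path, "bytes": size,
            "sha256": src_hash, "verified": verified}


def demo():
    """Constructed stand-in for a drive: 3 MiB of random bytes ending in the 0x55AA boot signature."""
    workdir = tempfile.mkdtemp(prefix="imaging-demo-")
    source = os.path.join(workdir, "evidence_drive.bin")      # placeholder for /dev/sdX
    with open(source, "wb") as f:
        f.write(os.urandom(3 * 1024 * 1024 - 2) + b"\x55\xAA")
    return acquire(source, os.path.join(workdir, "evidence.dd"),
                   os.path.join(workdir, "custody.jsonl"), "examiner-placeholder")


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result, indent=2))
    print(open(result["log"], encoding="utf-8").read())
```

The source is hashed from the same bytes that are written, and the image is hashed separately from disk, so a mismatch points at a write or storage error rather than at the evidence. Keeping the digests in the custody log is what lets a later examiner prove the image they received is the one that was acquired.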
Practical Lab 1: Autopsy Forensics Browser
As a second demonstration, we are going to learn how to use a great forensics tool called "Autopsy Forensics Browser". According to https://www.linuxlinks.com/autopsy/ :
The Autopsy Forensic Browser is a graphical interface to the command line digital investigation tools in The Sleuth Kit. The two together enable users to investigate volumes and file systems including NTFS, FAT, UFS1/2, and Ext2/3 in a 'File Manager' style interface and perform key word searches.
If you are using Kali Linux, you can find it there directly without needing to install it:
Run it from the menu:
Go to:
http://localhost:9999/autopsy
Create a new case:
Select the profile
Add a host
Check the configuration and click Add Image
For the demo, we are going to use a memory dump sample (NTFS Undelete) from http://dftt.sourceforge.net (Digital Forensics Tool Testing Images)
Add the path of the dump:
Click on Analyze:
These are some pieces of information about the dump
Now you can analyse the file freely:
Practical Lab 2: Memory Analysis with Volatility
Memory analysis is widely used in digital investigation and malware analysis. It refers to analysing a memory image dumped from a targeted machine after the malware has executed, in order to obtain many artefacts, including network information, running processes, API hooks, loaded kernel modules, Bash history and so on. This phase is very important because it gives a clearer understanding of the malware's capabilities. Among the artefacts that can be recovered from memory are:
- Process list and the associated threads
- Networking information and interfaces (TCP/UDP)
- Kernel modules including the hidden modules
- Opened files in the kernel
- Bash and commands history
- System Calls
- Kernel hooks
To analyse memory you can simply use the Volatility framework, an open-source memory forensics tool written in Python and released under the GPL. Volatility comes with various plugins and a number of profiles to ease obtaining basic forensic information from memory image files. To download it you can visit The Volatility Foundation - Open Source Memory Forensics or GitHub - volatilityfoundation/volatility.
As a hands-on practice, we are going to analyse a memory dump from an infected computer with Volatility. You can find many samples here: https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples
For the demonstration, we are going to analyse a memory dump called "cridex.vmem":
wget http://files.sempersecurus.org/dumps/cridex_memdump.zip
Get info about the memory dump:
python vol.py -f cridex.vmem imageinfo
Get Processes
python vol.py -f cridex.vmem psxview
Processes as Parent/Child
sudo python vol.py -f cridex.vmem pstree
Get hidden and terminated Processes
sudo python vol.py -f cridex.vmem psscan
Get DLLs
sudo python vol.py -f cridex.vmem dlllist
Get commandline args
sudo python vol.py -f cridex.vmem cmdline
Get SIDs:
sudo python vol.py -f cridex.vmem getsids
Networking information:
sudo python vol.py -f cridex.vmem connscan
Kernel modules:
sudo python vol.py -f cridex.vmem modules
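The psxview, pstree and psscan commands above all produce process tables, and the reason to run more than one of them is that they find processes in different ways: pslist walks the kernel's linked list of EPROCESS structures (which a rootkit can unlink), while psscan scans memory for process pool tags and therefore also finds unlinked and terminated processes. The following added example (not part of Volatility or of the original post) cross-references the two outputs the way psxview does, flagging PIDs that psscan sees but pslist does not and using the "Time exited" column to separate terminated processes from hidden ones. The two tables it parses are constructed sample lines in the Volatility 2 column layout; the offsets, PIDs, names and timestamps are made up and are not real output from cridex.vmem.

```python
"""Cross-reference Volatility 2 pslist and psscan output to find hidden or
terminated processes (the idea behind psxview).

Added example, not part of Volatility or of the original post. The two
sample tables below are constructed; their values are not from any real dump.
"""
import re

# Data rows start with an offset, then name, PID and PPID; banner/header rows do not.
PROC_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC\+\d{4}")

# Constructed pslist output (EPROCESS list walk): four processes visible.
PSLIST_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x81001000 System                    4      0     50      200 ------      0
0x81002000 smss.exe                300      4      3       20 ------      0 2012-01-01 10:00:01 UTC+0000
0x81003000 explorer.exe           1200   1150     15      400      0      0 2012-01-01 10:00:05 UTC+0000
0x81004000 reader_sl.exe          1600   1200      5       40      0      0 2012-01-01 10:00:09 UTC+0000
"""

# Constructed psscan output (pool-tag scan): the same four, plus one exited
# process and one process that is missing from the list walk.
PSSCAN_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
 Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000002001000 System                4      0 0x00039000
0x0000000002002000 smss.exe            300      4 0x0a000020 2012-01-01 10:00:01 UTC+0000
0x0000000002003000 explorer.exe       1200   1150 0x0a000040 2012-01-01 10:00:05 UTC+0000
0x0000000002004000 reader_sl.exe      1600   1200 0x0a000060 2012-01-01 10:00:09 UTC+0000
0x0000000002005000 notepad.exe        1900   1200 0x0a000080 2012-01-01 10:01:00 UTC+0000 2012-01-01 10:02:30 UTC+0000
0x0000000002006000 svchost32.exe      2000   1600 0x0a0000a0 2012-01-01 10:00:12 UTC+0000
"""


def parse_process_table(text):
    """Map PID -> {name, ppid, times} for every data row of a pslist or psscan table."""
    procs = {}
    for line in text.splitlines():
        m = PROC_LINE.match(line)
        if not m:
            continue  # banner, column header or separator line
        _offset, name, pid, ppid = m.groups()
        procs[int(pid)] = {"name": name, "ppid": int(ppid),
                           "times": TIMESTAMP.findall(line)}
    return procs


def cross_view(pslist_text, psscan_text):
    """Return processes found by psscan but absent from pslist, with a verdict each."""
    listed = parse_process_table(pslist_text)
    scanned = parse_process_table(psscan_text)
    findings = []
    for pid, info in sorted(scanned.items()):
        if pid in listed:
            continue
        # psscan prints "Time created" then "Time exited": a second timestamp
        # means the process simply exited and its EPROCESS has not been reused.
        verdict = "terminated" if len(info["times"]) >= 2 else "hidden (possible DKOM unlink)"
        findings.append({"pid": pid, "name": info["name"],
                         "ppid": info["ppid"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in cross_view(PSLIST_SAMPLE, PSSCAN_SAMPLE):
        print(f"PID {f['pid']:>5}  {f['name']:<16} PPID {f['ppid']:>5}  {f['verdict']}")
```

To use it on a real case, capture the two plugin outputs to files and pass their contents to `cross_view`. A process that psscan reports without an exit time but that pslist cannot see is the classic signature of a process unlinked from the EPROCESS list, which is why a "hidden" verdict here deserves a closer look at that PID's DLLs, handles and network connections with the other plugins listed above.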
For more information about the most used Volatility commands check these two helpful cheatsheets:
References:
- https://wiki.wireshark.org/SampleCaptures
- Digital Forensics and Incident Response
- Digital Forensics with Kali Linux
Summary
In this module, we discovered what digital forensics is and what the different steps to perform it are, including evidence acquisition and analysis. Later, we explored some well-known digital forensics tools by analysing sample images and memory dumps with Autopsy and the Volatility framework.