Class 1
Introduction to Digital Forensics
Digital forensics involves the preservation, acquisition, documentation, analysis and interpretation of evidence found on various types of storage media. It is a supporting function of the overall Incident Response (IR) process.
General digital forensic processes include:
Imaging
Hashing
File recovery
File system basics
Identifying mismatched file types
Reporting
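As an added example of the "identifying mismatched file types" step (this script is not part of the original notes): a POSIX shell script that compares what a file's extension claims with what its first bytes (magic number) say. The signature table is a small constructed subset, the sample files are built by the script itself, and the names magic_type, ext_type, check_file and demo are chosen here for illustration.

```sh
#!/bin/sh
# Added example: flag files whose extension disagrees with their magic bytes.
set -eu

# Classify a file by its first 8 bytes (lowercase hex). The signature list is a
# small constructed subset; extend it for a real case.
magic_type() {
    hex=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case "$hex" in
        89504e470d0a1a0a) echo png ;;
        ffd8ff*)          echo jpg ;;
        25504446*)        echo pdf ;;
        504b0304*)        echo zip ;;
        7f454c46*)        echo elf ;;
        *)                echo unknown ;;
    esac
}

# Classify a file by what its extension claims it to be.
ext_type() {
    case "$1" in
        *.png)        echo png ;;
        *.jpg|*.jpeg) echo jpg ;;
        *.pdf)        echo pdf ;;
        *.zip|*.docx) echo zip ;;   # Office documents are zip containers
        *)            echo unknown ;;
    esac
}

# Print one verdict line. Exit status 0 = consistent or no known signature,
# 1 = extension and header disagree (worth a closer look).
check_file() {
    m=$(magic_type "$1")
    e=$(ext_type "$1")
    if [ "$m" = unknown ]; then
        echo "SKIP     $1 (no known signature)"
        return 0
    elif [ "$m" = "$e" ]; then
        echo "MATCH    $1 ($m)"
        return 0
    else
        echo "MISMATCH $1 (extension says $e, header says $m)"
        return 1
    fi
}

# Demo on constructed files: a real PNG, a PNG hidden under .txt, and plain text.
demo() {
    dir=$(mktemp -d)
    printf '\211PNG\r\n\032\n' > "$dir/photo.png"
    printf '\211PNG\r\n\032\n' > "$dir/notes.txt"
    printf 'plain text\n'      > "$dir/readme.txt"
    bad=0
    for f in "$dir"/*; do
        check_file "$f" || bad=$((bad + 1))
    done
    rm -rf "$dir"
    echo "$bad mismatched file(s)"
}
demo
```

A file whose header is unknown is reported as SKIP rather than as a mismatch, so the script only raises findings it can actually justify; in a real case the signature table would be replaced by the full list used by `file`.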
Methodologies and Frameworks
DF requires that you follow best practices and procedures so that you produce the same results time and time again, providing proof of evidence preservation and integrity that can be replicated if called upon to do so.
DFIR Operating Systems and Platforms
DEFT Linux
Computer Aided Investigative Environment (CAINE)
CSI Linux
Kali Linux
Anti-forensics
Anti-forensics aims to conceal or manipulate digital evidence to avoid detection and prosecution.
These anti-forensics techniques include:
Data encryption
Data destruction
Steganography
File obfuscation and manipulation
Counter-forensic tools
DFIR professionals must stay up to date on anti-forensics TTPs to counter them effectively. Proper documentation, secure evidence handling and adherence to best practices are crucial for mitigating the impact of anti-forensics.
Before examining data, we take a hash of the data source, image it, and then hash the image to verify that the copy is bit-for-bit identical to the original. The source should be attached read-only (hardware write blocker or read-only mount) during acquisition so that imaging cannot itself alter the evidence.
Digital Forensics Processes

Incident Response
Incident response (IR) is the effort to quickly identify an attack, minimize its effects, contain the damage, and remediate the cause to reduce the risk of future incidents.
These are the steps used to prepare for, detect, contain, and recover from a data breach or cyber incident.
Incident Response Playbook
An IR playbook is a set of instructions and actions to be performed at each step of the IR process. Playbooks give companies a clear path through the process so that the response is consistent and repeatable, while retaining a degree of flexibility for incidents that don't fit neatly into a predefined category.
Order of Volatility
Most volatile first, with the approximate lifetime of the data:
Registers, peripheral memory, caches, etc.: nanoseconds
Main memory (RAM): nanoseconds
Network state (ARP cache, routing tables): milliseconds
Running processes: seconds
Disk images: minutes
External media (USB drives): years
CD-ROMs, printouts, etc.: tens of years
Collect evidence in this order, since the most volatile sources are lost first.

Chain of Custody
Chain of custody is the documentation of a piece of evidence through its lifecycle.
The lifecycle begins when the first person takes custody of the evidence and ends when the case is finally disposed of and the evidence is either returned or destroyed. Every transfer of custody is recorded (who, when, why, and the item's hash) so the evidence can be shown to be unaltered.
Maintaining a proper chain of custody is critical for the validity of the evidence.
Evidence Acquisition
fdisk
Used to view and manage disk partitions on a system (run as root). On an evidence drive, use it only to list partitions; opening the device interactively allows the partition table to be modified.
fdisk -l
fdisk /dev/sda
MD5 and SHA1/256 Hashing
md5sum /dev/sdb
sha1sum /dev/sdb
sha256sum /dev/sdb
dc3dd
dc3dd is a patched version of GNU dd with features added for forensic acquisition: on-the-fly hashing, logging, progress reporting and wiping.
Create a forensic image of a drive (the hash is computed during the copy and written to the log)
dc3dd if=/dev/sdb hash=sha1 log=logfilename of=driveimage.dd
Copying a forensic image to a new drive
dc3dd if=driveimage.dd of=/dev/sdc log=drivecopy.log
Erasing a drive
dc3dd wipe=/dev/sdb
dc3dd wipe=/dev/sdb pat=1010101010 (overwrite with the given hex pattern instead of zeros)
Drive Acquisition using DD
dd is the general-purpose copy tool; it can create forensic disk images but does no hashing or logging of its own, so the hashes must be taken separately.
dd if=/dev/sdb of=forensicimage.img bs=65536 conv=noerror,sync
conv=noerror continues past read errors, and sync pads each short or unreadable block with zeros so offsets in the image stay aligned with the source. Because the final partial block is padded too, the image is slightly larger than the source unless bs divides the device size exactly, and the source and image hashes will then differ.
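The hash, image, re-hash workflow described in the Anti-forensics section and the dd acquisition above, as an added example rather than the notes' own procedure. It is a POSIX shell script run against a constructed file that stands in for a block device; acquire_and_verify and demo are names chosen for this example, and the block size argument is there to show the conv=sync padding edge case.

```sh
#!/bin/sh
# Added example: image a source with dd, hashing the source before and the image
# after, and refuse to call the copy verified unless the hashes agree.
# On a real drive SRC would be e.g. /dev/sdb, attached through a write blocker
# (or set read-only with blockdev --setro) before anything touches it.
set -eu

# acquire_and_verify SRC OUT LOG [BS]
# Exit status 0 only if sha256(SRC before) == sha256(OUT) == sha256(SRC after).
acquire_and_verify() {
    src=$1; out=$2; log=$3; bs=${4:-512}
    pre=$(sha256sum "$src" | cut -d' ' -f1)
    printf '%s pre-acquisition sha256 %s %s\n' "$(date -u +%FT%TZ)" "$src" "$pre" >> "$log"

    # noerror: keep going past read errors; sync: pad short/bad blocks with NULs
    # so every byte of the image sits at the same offset as on the source.
    dd if="$src" of="$out" bs="$bs" conv=noerror,sync 2>> "$log"

    post=$(sha256sum "$out" | cut -d' ' -f1)
    # Hash the source again: a change here means it was written to during imaging.
    again=$(sha256sum "$src" | cut -d' ' -f1)
    printf '%s image sha256 %s %s\n' "$(date -u +%FT%TZ)" "$out" "$post" >> "$log"

    if [ "$pre" = "$post" ] && [ "$pre" = "$again" ]; then
        echo "VERIFIED $out sha256=$pre" | tee -a "$log"
        return 0
    fi
    echo "MISMATCH source-before=$pre image=$post source-after=$again" | tee -a "$log" >&2
    return 1
}

# Demo on a constructed "device" of 2049 sectors (1 MiB + 512 bytes): a size that
# is a multiple of 512 but not of 64 KiB, the edge case for conv=sync.
demo() {
    work=$(mktemp -d)
    head -c 1049088 /dev/urandom > "$work/evidence.bin"

    # bs=512 divides the size: the hashes match.
    acquire_and_verify "$work/evidence.bin" "$work/img512.dd" "$work/acq.log" 512

    # bs=65536 does not: sync pads the last partial block with NULs, the image
    # grows to 17 x 64 KiB and the hash check correctly fails.
    if acquire_and_verify "$work/evidence.bin" "$work/img64k.dd" "$work/acq.log" 65536 2>/dev/null; then
        echo "unexpected: padded image verified"
    fi
    ls -l "$work"/*.dd
    rm -rf "$work"
}
demo
```

The second run shows why a hash mismatch after dd is a finding to investigate, not noise to dismiss: on a real device, pick a bs that divides the device size (512 always does) or use a tool such as dc3dd that hashes while it copies, and record the matching hashes in the chain-of-custody form.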
Guymager
Guymager is a standalone acquisition tool that creates forensic images (dd, EWF and AFF formats) and clones disks. It has a GUI and is a common choice for beginners.
Autopsy
Autopsy is a GUI front end to The Sleuth Kit's command-line tools and offers:
File analysis
Imaging and file hashing
Deleted file recovery
Case management
