# Class 1

## Introduction to Digital Forensics

> Digital forensics is the preservation, acquisition, documentation, analysis and interpretation of evidence found on various types of storage media. It is a supporting function of the overall Incident Response (IR) process.

General digital forensic processes include:

* Imaging
* Hashing
* File recovery
* File system basics
* Identifying mismatched file types (extension vs. actual content)
* Reporting

### Methodologies and Frameworks

DF requires that you follow best practices and documented procedures so that the same results are produced time and time again. This gives proof of evidence preservation and integrity, and lets the work be replicated by someone else if called upon to do so.

{% embed url="<https://www.nist.gov/publications/digital-forensics-and-incident-response-dfir-framework-operational-technology-ot>" %}

{% embed url="<https://www.iso27001security.com/html/27037.html>" %}

### DFIR Operating Systems and Platforms

* DEFT Linux
* Computer Aided INvestigative Environment (CAINE)
* CSI Linux
* Kali Linux

{% hint style="info" %}
There are many open-source tools, however, if the investigation is for legal purposes you can only use tools that have been tested, validated and approved by the relevant governing body (see the NIST tool catalog below).

<https://toolcatalog.nist.gov/>
{% endhint %}

### Anti-forensics

Anti-forensics aims to conceal, alter or destroy digital evidence so that an investigation fails and the attacker avoids detection and prosecution >:)

These anti-forensics techniques include:

* Data encryption
* Data destruction
* Steganography
* File obfuscation and manipulation
* Counter-forensic tools

DFIR professionals must stay up to date on anti-forensics TTPs to counter them effectively. Proper documentation, secure evidence handling and sticking to best practices are crucial for limiting the impact of anti-forensics.

{% hint style="warning" %}
Before analysing any data, take a hash of the source media, image it, then hash the image and compare: the two hashes must match to prove the image is an exact copy of the source. Record both hashes (and the tool used) in your notes and in the chain-of-custody log.
{% endhint %}

### Digital Forensics Processes

<figure><img src="https://2407824400-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvYQjuo2jDDZXTOjbyrl0%2Fuploads%2Fbhl4leSs9OBW7CYOS7Vs%2Fimage.png?alt=media&#x26;token=4a778020-19df-4137-bf4c-a9c27c6c2e1c" alt=""><figcaption></figcaption></figure>

## Incident Response

> Incident response (IR) is the effort to quickly identify an attack, minimize its effects, contain damage, and remediate the cause to reduce the risk of future incidents

* These are the steps used to prepare for, detect, contain and recover from a data breach or cyber incident.

<figure><img src="https://2407824400-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvYQjuo2jDDZXTOjbyrl0%2Fuploads%2FyAnnQR0BmwRz4UdG3KZK%2Fimage.png?alt=media&#x26;token=7a1687eb-cd46-4a94-bb6f-a74177852086" alt=""><figcaption><p><a href="https://www.upguard.com/blog/creating-a-cyber-security-incident-response-plan">https://www.upguard.com/blog/creating-a-cyber-security-incident-response-plan</a></p></figcaption></figure>

### Incident Response Playbook

An IR playbook is a set of instructions and actions to be performed at each step of the IR process. Playbooks give a company a clear path through the process so that nobody is improvising under pressure, while keeping a degree of flexibility for incidents that don't fit neatly into a cute box.

{% hint style="info" %}
A playbook can be made for each kind of incident (e.g. ransomware, widespread malware, social engineering, etc.)
{% endhint %}

## Order of Volatility

Evidence is collected from the most volatile to the least volatile, i.e. from the top of this table down, because the data at the top can change or vanish before you get to it.

| Data Type                                  | Lifetime      |
| ------------------------------------------ | ------------- |
| Registers, peripheral memory, caches, etc. | nanoseconds   |
| Main memory (RAM)                          | nanoseconds   |
| Network state (ARP cache, routing tables)  | milliseconds  |
| Running processes                          | seconds       |
| Disk images                                | minutes       |
| External media (USBs)                      | years         |
| CD-ROMs, printouts, etc.                   | tens of years |

<figure><img src="https://2407824400-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvYQjuo2jDDZXTOjbyrl0%2Fuploads%2FKcm2e6I3mCs79TUfX84l%2Fimage.png?alt=media&#x26;token=58f0749d-55db-4dbc-9eff-5bade025ae48" alt=""><figcaption><p>Exam specific</p></figcaption></figure>
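To make the table concrete, here is an added example (written for these notes, not part of the original course material) of a minimal live-response collector that walks the order of volatility from the top down and hashes every artifact as it is written, so the collection itself can be verified later. It assumes a Linux host and reads `/proc` directly instead of calling `ip`, `arp` or `ps`, so it needs nothing outside coreutils; the output directory name and artifact names are my own choices. A real collector would capture RAM first (for example with LiME or avml, not shown here) before touching anything else.

```shell
#!/bin/sh
# Added example: collect volatile data most-volatile-first and record a
# sha256 manifest of everything collected. Linux + coreutils only.

# snap NAME OUTDIR CMD...: run CMD, save its output as OUTDIR/NAME and
# append a sha256 line for it to OUTDIR/manifest.sha256 (sha256sum -c format).
snap() {
    name=$1 out=$2; shift 2
    "$@" >"$out/$name" 2>/dev/null || printf 'unavailable\n' >"$out/$name"
    ( cd "$out" && sha256sum "$name" >>manifest.sha256 )
}

# collect_volatile OUTDIR: snapshot data in order of volatility and print
# the number of artifacts recorded in the manifest.
collect_volatile() {
    out=$1
    mkdir -p "$out"
    : >"$out/manifest.sha256"
    # Timestamp first: it goes into the chain-of-custody record
    snap collected_at "$out" date -u +%Y-%m-%dT%H:%M:%SZ
    # Network state (milliseconds): ARP cache, routing table, TCP sockets
    snap arp_cache   "$out" cat /proc/net/arp
    snap route_table "$out" cat /proc/net/route
    snap tcp_sockets "$out" cat /proc/net/tcp
    # Running processes (seconds): pid followed by its command line
    snap process_list "$out" sh -c \
        'for p in /proc/[0-9]*; do printf "%s " "${p#/proc/}"; tr "\0" " " <"$p/cmdline"; echo; done'
    # Mounted file systems (minutes): tells you what to image next
    snap mounts "$out" cat /proc/mounts
    wc -l <"$out/manifest.sha256" | tr -d ' '
}

# verify_collection OUTDIR: re-hash every artifact against the manifest.
# Returns 0 only if nothing has changed since collection.
verify_collection() {
    ( cd "$1" && sha256sum -c manifest.sha256 >/dev/null 2>&1 )
}

# Stand-alone usage: collect into a temp dir, then verify it.
if [ "${0##*/}" = "collect.sh" ]; then
    dir=$(mktemp -d)
    printf '%s artifacts collected in %s\n' "$(collect_volatile "$dir")" "$dir"
    verify_collection "$dir" && printf 'manifest verified\n'
fi
```

Every artifact is hashed the moment it lands on disk, so the manifest doubles as the integrity record for the chain of custody: if anyone edits a file afterwards, `verify_collection` fails.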

## Chain of Custody

Chain of custody is the documentation that follows a piece of evidence through its whole lifecycle: who collected it, when, where it was stored, and every hand-off in between.

The lifecycle begins when the first person takes custody of a piece of evidence and ends when the case is closed and the evidence is either returned or destroyed.

{% hint style="danger" %}
Maintaining a proper chain of custody is critical for the validity of the evidence; a gap in the record undermines its admissibility.
{% endhint %}

## Evidence Acquisition

### Fdisk

Used to view and manage disk partitions on a system. On evidence drives stick to the read-only `-l` listing (ideally behind a hardware write blocker); the interactive mode can write a new partition table to the disk.

```
fdisk -l            # list the partitions on every disk, read-only
```

```
fdisk /dev/sda      # interactive mode: can modify /dev/sda, never use on evidence
```

### MD5 and SHA1/256 Hashing

Hash the whole device before imaging, then hash the image afterwards and compare. MD5 and SHA-1 still show up in forensic reports, but both have known collision attacks, so prefer SHA-256 (or record more than one algorithm).

```
md5sum /dev/sdb
```

```
sha1sum /dev/sdb
```

```
sha256sum /dev/sdb
```

### DC3DD

dc3dd is a patched version of GNU dd built for forensic acquisition: it can hash the data as it is read, write a log and wipe drives.

#### Create a forensic image of a drive

```
dc3dd if=/dev/sdb hash=sha1 log=logfilename of=driveimage.dd
```

#### Copying a Forensic Image to a new drive

```
dc3dd if=driveimage.dd of=/dev/sdc log=drivecopy.log
```

#### Erasing a Drive

```
dc3dd wipe=/dev/sdb
```

{% hint style="info" %}
This overwrites the whole device with zeros. Double-check the target device name first, there is no undo.
{% endhint %}

```
dc3dd wipe=/dev/sdb pat=1010101010    # pat= chooses the (hex) overwrite pattern instead of zeros
```

### Drive Acquisition using DD

Plain dd is on every Linux box and is good enough for a quick image, but it doesn't hash or log by itself, so hash the source and the image separately (see the hashing section).

```
dd if=/dev/sdb of=forensicimage.img bs=65536 conv=noerror,sync
```

`bs=65536` reads 64 KiB at a time, `noerror` keeps going past unreadable sectors instead of aborting, and `sync` pads each short read with zeros so the rest of the image stays at the right offsets. Note that `sync` also pads the final block if the device size isn't a multiple of `bs`, which changes the image's hash relative to the source.
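The hash, image, hash-again routine from the warning earlier on this page, carried out end to end with `dd` and `sha256sum`, as an added example (written for these notes, not part of the original course material). A constructed sample file stands in for the evidence device (`/dev/sdb` in the notes) so it runs without hardware; the function and log names are my own. The second demo deliberately triggers the `conv=sync` padding pitfall so you can see the verification catch it.

```shell
#!/bin/sh
# Added example: image a source with dd and prove the image matches by
# hashing before and after. Sample "devices" are constructed in a temp dir.

# acquire_and_verify SOURCE IMAGE LOG BLOCKSIZE
# 1. hash the source  2. image it with dd  3. hash the image
# 4. write everything to LOG. Returns 0 only when the two hashes match.
acquire_and_verify() {
    src=$1 img=$2 log=$3 bs=$4
    pre=$(sha256sum "$src" | cut -d' ' -f1)
    printf '%s source=%s sha256=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$pre" >>"$log"
    # noerror: keep going past read errors; sync: pad short reads to a full block
    dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>>"$log" || return 1
    post=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s image=%s sha256=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$img" "$post" >>"$log"
    if [ "$pre" = "$post" ]; then
        printf 'VERIFIED\n' >>"$log"
        return 0
    fi
    printf 'MISMATCH source=%s image=%s\n' "$pre" "$post" >>"$log"
    return 1
}

# demo_good: a 1 MiB sample (a multiple of bs=65536), so the hashes match.
demo_good() {
    work=$(mktemp -d)
    head -c 1048576 /dev/urandom >"$work/sdb.bin"      # constructed sample device
    if acquire_and_verify "$work/sdb.bin" "$work/image.dd" "$work/acq.log" 65536; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

# demo_padded: a 1536-byte sample, NOT a multiple of bs. conv=sync pads the
# last block with NULs, the image ends up 65536 bytes, and verification must
# fail. On real media use a bs that divides the device size (512 always does)
# or compare only the first SIZE bytes of the image. Returns 0 when the
# mismatch is correctly detected.
demo_padded() {
    work=$(mktemp -d)
    head -c 1536 /dev/urandom >"$work/sdb.bin"         # constructed sample device
    if acquire_and_verify "$work/sdb.bin" "$work/image.dd" "$work/acq.log" 65536; then
        rc=1                                           # should not verify
    elif grep -q MISMATCH "$work/acq.log"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

# Stand-alone usage
if [ "${0##*/}" = "acquire.sh" ]; then
    demo_good   && printf 'aligned sample: image verified\n'
    demo_padded && printf 'unaligned sample: padding mismatch detected\n'
fi
```

The log produced by `acquire_and_verify` (timestamps, source and image hashes, verdict) is exactly the kind of record that goes into the chain-of-custody file; keep it alongside the image.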

### GuyMager

This is a standalone acquisition tool that creates forensic images (dd, EWF/E01 and AFF formats) and clones disks. It has a GUI, so it's the one newbies usually prefer :3

## Autopsy

Autopsy is a GUI front end for The Sleuth Kit's command-line tools and bundles a variety of investigative features, including:

* File analysis
* Imaging and file hashing
* Deleted file recovery
* Case management

<figure><img src="https://2407824400-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvYQjuo2jDDZXTOjbyrl0%2Fuploads%2FDVGtsQaB8Rf4dPokv6RY%2Fimage.png?alt=media&#x26;token=0380a483-34b4-4511-a38c-aa9efb15536d" alt=""><figcaption><p>thought the dude in the picture was funny lol</p></figcaption></figure>
