Toriality's Blog

COMPUTER FORENSICS - 06

created_at:

June 4, 2024 at 5:35 PM

last_updated:

July 15, 2024 at 8:11 PM

COMPUTER FORENSICS STUDY - 06 SOURCES: INFOSECINSTITUTE.COM

FORENSIC TECHNIQUES

LIVE FORENSICS:

DEFINITION:

    
Live forensics, otherwise known as Live Response, attempts to discover, control and eliminate threats in a live, running system environment.
    
OVERVIEW:

    
In traditional computer forensics, we take snapshots of memory and storage drives as images, and perform analysis on these images in an isolated environment. Of course, this can clog up the analysis pipeline, as imaging is far from being a time-efficient process. This is where live forensics comes into play. As opposed to traditional forensics, live forensics deals with active threats at runtime. You can think of live forensics as an active response, in contrast to the passive nature of traditional forensics.

It is useful if you plan on tackling a threat on the spot. It should be noted that the difference between traditional forensics and live forensics lies only in response times; you still have to follow the same steps of identifying, quantifying and eliminating the threat. Live forensics allows for near-instant access to registry keys, system user accounts, live connections and memory objects.

Live forensics is short-lived. Instead of brute force, you should look for the "usual suspects" in the system, such as TEMP directories. In Windows, a good way of starting live forensics is by peeking at the active user's APPDATA directory, especially its ROAMING folder.
    
EXAMPLE:

    
A common example of live forensics is the analysis of system memory. Analyze all running processes, being particularly wary of mutexes. Upon isolating some suspicious processes, you can then proceed to code analysis of said processes.
    

DATA RECOVERY:

DEFINITION:

    
Data recovery is the restoration of data that has been damaged, deleted or lost.
    
OVERVIEW:

    
This is one of the more typical settings that a forensics professional may encounter. As our lives become more and more data-driven, most cannot afford to lose this data for good. This can include personal data, including family photos and videos, or professional data such as documents, sensitive company information, and such.
    
    Data recovery commonly takes one of two forms: in-place recovery, where tools can be used to recover data by remediating disk drive errors; or read-only recovery, which does not repair errors on the original point of failure, instead storing the recovered files somewhere else on the disk.
    
EXAMPLE:

    
Quite a lot of people accidentally delete their files, but deleted files rarely get erased permanently: the system keeps them on the drive until it needs the space for a new file. This means that within a certain time frame, you can recover deleted files. Generally, a utility such as TestDisk is required to achieve this.
    

PASSWORD RECOVERY:

DEFINITION:

    
Password recovery refers to the recovery of password-protected files that are rendered useless if the passwords are lost.
    
OVERVIEW:

    
A password can provide robust protection to sensitive data or information. But in the not-so-rare case that it gets lost or the admin forgets it, a password can also be a nuisance. In such instances, password recovery is your best bet to recover files.
    
Password recovery can be achieved by cracking the password through brute force, which attempts all possible combinations allowed for that password. In most cases, this can be highly time-consuming. Smarter techniques can be employed to substantially reduce the number of possible passwords. The problem can be compounded if the files are also encrypted.
    
EXAMPLE:

    
During criminal investigations, a common sight faced by law enforcement is password-protected files on the suspect's system. A wide array of utilities is available to pry open such files. Among them is Passware, a tool used by law enforcement agencies in the U.S. to crack password-protected files.
    

FILE CARVING:

DEFINITION:

    
A forensics technique that uses file contents, rather than file metadata, to find or recover that file.
    
OVERVIEW:

    
As discussed above, when a file is deleted, it does not necessarily mean that it has been erased from the drive. Usually, the operating system merely loses its handle on the file, otherwise known as the file's metadata. Thus, you cannot access the file through your file system, as it is now oblivious to the file's very existence.

You can still recover such files based on their content, and such a recovery is known as file carving. File carving extracts meaningful, structured data from structureless, unallocated portions of the drive. It is most useful when file or directory entries are either corrupt or missing.
    
EXAMPLE:

    
A famous example of file carving is when the U.S. Navy Seals raided Osama Bin Laden's compound and took away all storage drives found inside. Carving was employed to dissect those drives, and the information acquired thereafter aided in tightening national security.
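As an added illustration of the content-based recovery described above (not code from the original post): a minimal signature carver that scans a buffer of "unallocated space" for JPEG and PNG header/footer pairs. The names SIGNATURES, carve_files and build_sample_unallocated are assumptions, and the sample buffer is constructed inline rather than taken from a real drive.

```python
# Added example: signature-based file carving. No file-system metadata is consulted;
# only the content signatures are used, which is why this still works when the
# directory entries are gone. The sample "unallocated space" is constructed below.

# header bytes, footer bytes, and how many bytes follow the footer (PNG keeps a 4-byte CRC)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 0),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND", 4),
}


def carve_files(data, max_size=10 * 1024 * 1024):
    """Return (type, offset, bytes) for each header/footer pair, ordered by offset."""
    found = []
    for ftype, (header, footer, tail) in SIGNATURES.items():
        start = data.find(header)
        while start != -1:
            # Look for the footer only within max_size bytes of the header, so a header
            # whose file was partially overwritten cannot swallow the rest of the drive.
            end = data.find(footer, start + len(header), start + max_size)
            if end == -1:
                break  # header without a footer: a fragment, not recoverable this way
            end += len(footer) + tail
            found.append((ftype, start, data[start:end]))
            start = data.find(header, end)
    return sorted(found, key=lambda item: item[1])


def build_sample_unallocated():
    """Constructed sample: zero filler with one minimal JPEG and one minimal PNG inside."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-payload" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-chunk" + b"\x00\x00\x00\x00IEND\xaeB`\x82"
    filler = b"\x00" * 64
    return filler + jpeg + filler + png + filler


if __name__ == "__main__":
    for ftype, offset, blob in carve_files(build_sample_unallocated()):
        print(f"{ftype} at offset {offset}, {len(blob)} bytes")
```

Real carvers also validate the recovered structure (JPEG segment markers, PNG chunk CRCs) because a footer byte pattern can occur by chance inside unrelated data.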
    

KNOWN FILE FILTERING:

DEFINITION:

    
Known file filtering is a common forensics technique used to locate only relevant files by filtering out irrelevant artifacts.
    
OVERVIEW:

    
In your computer forensics career, you will often encounter heaps of data completely irrelevant to what you're trying to accomplish. You will often be searching for specific files, which means sifting through tons of unrelated artifacts. Known file filtering makes this easy: rather than excluding all the files that are irrelevant, you start with some known data about the relevant file. This makes the process of exclusion much faster.

Known file filtering makes use of the popular cryptographic hashes MD5 or SHA-1, in tandem with hash values of application installation files. It then looks for a matching hash in the file system. A major drawback of known file filtering is that it can only work if the hashes match perfectly. This means that, if the relevant files are even slightly corrupted, this technique becomes powerless.
    
EXAMPLE:
    
    The known file filter (KFF) is used in computer forensics utilities such as Forensic Toolkit (FTK). It utilizes the MD5 cryptographic hash. The hashes are either user-generated or taken from the National Software Reference Library (NSRL) maintained by NIST.
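An added example of the exact-match property described in the overview (not the post's or FTK's code): hash files in chunks, split them into known and unknown against a reference hash set, and show that a copy differing by a single byte is no longer recognised. The names hash_file, filter_known and demo are assumptions, and the reference hash set is constructed here where a real workflow would load NSRL data.

```python
# Added example: known file filtering by exact MD5/SHA-1 match. The sample files and
# the "known" hash set are constructed in demo(); nothing here comes from NSRL.
import hashlib
import os
import tempfile


def hash_file(path, algo="md5", chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files do not have to fit in memory."""
    digest = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def filter_known(paths, known_hashes, algo="md5"):
    """Split paths into (known, unknown) dicts of path -> digest.

    A match requires an identical digest, so a file that differs from its
    reference copy by one byte lands in 'unknown' and must be reviewed by hand.
    """
    known, unknown = {}, {}
    for path in paths:
        digest = hash_file(path, algo)
        (known if digest in known_hashes else unknown)[path] = digest
    return known, unknown


def demo(algo="md5"):
    """Constructed scenario: one pristine copy, one with a flipped byte, one unrelated file."""
    reference = b"MZ\x90\x00" + b"known application binary " * 40
    corrupted = reference[:100] + bytes([reference[100] ^ 0x01]) + reference[101:]
    samples = {"app.exe": reference, "app_damaged.exe": corrupted, "other.bin": b"unrelated"}
    known_hashes = {hashlib.new(algo, reference).hexdigest()}  # stands in for an NSRL set
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            paths.append(path)
        known, unknown = filter_known(paths, known_hashes, algo)
        return ({os.path.basename(p) for p in known}, {os.path.basename(p) for p in unknown})


if __name__ == "__main__":
    print(demo())
```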

STRING AND KEYWORD SEARCHING:

DEFINITION:

    
Searching for strings and keywords can help identify pertinent data as well as the source of potential threats.
    
OVERVIEW:

    
Long before we had digital files, forensic professionals would parse paper documents to look for special phrases or words that were relevant to their inquiry. Today we call these strings and keywords. Searching for these special sequences of characters can greatly speed up forensic investigations.
    
EXAMPLE:

    
Keyword searching is one of the main techniques used in Malware Analysis as it can help categorize the origin of the virus. Generally speaking, we use string and keyword searching all the time to narrow down objects of interest, such as in the case of Google searches, video searches on YouTube and so on.
    

HEADER ANALYSIS:

DEFINITION:

    
Header analysis enables investigators to analyze email headers, which can point to the IP address of the email's source, as well as help fix delays in email delivery.
    
OVERVIEW:

    
Email clients can be used to infiltrate anyone's system, if the receiving party is not careful. Most clients do a commendable job of identifying such suspicious emails themselves, which they can then either move to the spam section or remove entirely from the server.
    
Still, there is a chance of acquiring a virus through emails. In unfortunate cases such as these, header analysis is used as a first resort for identifying where the email came from. An email header contains some useful metadata such as the IP address of the source as well as the computer name. This IP address can be used to trace the perpetrator.
    
EXAMPLE:

    
Forensic professionals look at the victim's email inbox if they believe that the source of the virus is to be found there. Then, tools available online are used to analyze the headers of suspect emails, as manually making sense of the headers is laborious. Email clients have different methods of accessing headers.
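The two uses named in the definition, locating the source IP and finding delivery delays, as an added example (not the post's own tooling): walk the Received: chain of a message, report the IP recorded by the first relay, and compute the delay at each hop. The helper names parse_received, origin_ip and hop_delays are assumptions, and SAMPLE is a constructed message using the documentation address ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).

```python
# Added example: email header analysis over the Received: chain. SAMPLE is a
# constructed message, not a real capture; helper names are assumed for this post.
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

SAMPLE = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.9])
\tby inbox.example.com with ESMTP; Tue, 4 Jun 2024 17:35:10 +0000
Received: from mail.example.org (mail.example.org [198.51.100.23])
\tby mx2.example.net with ESMTP; Tue, 4 Jun 2024 17:34:50 +0000
Received: from user-pc (unknown [192.0.2.77])
\tby mail.example.org with ESMTPA; Tue, 4 Jun 2024 17:30:00 +0000
From: someone@example.org
Subject: invoice

body
"""


def parse_received(raw):
    """Return hops oldest-first as (from_ip, timestamp).

    Each relay prepends its own Received: line, so the bottom header is the earliest
    hop. Only lines added by relays you trust are reliable: anything below the first
    trusted relay could have been written by the sender to mislead the analyst.
    """
    msg = message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        clause, _, date = header.rpartition(";")  # the date follows the last ';'
        match = IP_RE.search(clause)              # first bracketed address is the 'from' host
        hops.append((match.group(1) if match else None, parsedate_to_datetime(date.strip())))
    return hops


def origin_ip(hops):
    """IP recorded by the first relay, i.e. the address the message was submitted from."""
    return hops[0][0] if hops else None


def hop_delays(hops):
    """Seconds between consecutive relays; an unusually large gap locates a delivery delay."""
    return [int((b[1] - a[1]).total_seconds()) for a, b in zip(hops, hops[1:])]
```

For SAMPLE this yields origin 192.0.2.77 and hop delays of 290 and 20 seconds, so the slow step is the first relay rather than the receiving side.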
    

TIMELINE ANALYSIS:

DEFINITION:

    
The analysis of events in chronological order that either led to, or followed the main event under investigation.
    
OVERVIEW:

    
Bad occurrences don't happen in a vacuum. There is a chain of events preceding the bad occurrence, and it is often useful to find out what these events were. Timeline analysis achieves exactly that: it uses timestamps and other time-descriptive artifacts to display all the events going on in the system in chronological order. This enables forensics specialists to determine causality, which is vital for tracing the source of the issue.
    
EXAMPLE:

    
Many forensic tools incorporate timeline analysis to bolster their products. For example, Autopsy has a GUI-based timeline analysis tool that uses web artifacts and miscellaneous extracted data to construct a timeline of events.
    

GRAPHICAL IMAGE ANALYSIS:

DEFINITION:

    
The extraction of information, such as metadata and geotags from images for investigative purposes.
    
OVERVIEW:

    
In a world that is becoming increasingly reliant on visual data, image analysis can, without any exaggeration, be regarded as a crucial skill for a computer forensics professional. Most images, apart from containing the obvious pixel data, also contain various other kinds of informational tidbits. Graphical image analysis is an aggregation of various techniques used to extract meaningful information out of such images. This information could be image metadata, MIME type, etc. Sometimes, within the image metadata of photographs, you can find geotags: GPS-based localization data that tells you the longitude and latitude of the location where the photograph was taken. You can also determine whether an image has been tampered with through error level analysis (ELA). This technique scans the image for compression levels; two regions having substantially different results are an indication that the image has been edited.
    
EXAMPLE:

    
Due to the rising popularity of image analysis in forensics, you can find a number of tools designed for professionals. One such tool is Ghiro's Automated Image Analyzer. It is free to use, but you cannot use it for batch analysis. Image analysis is considered a key skill for criminologists and security experts, used for investigating CCTV footage, satellite images and even infrared images.
    

EVENT CORRELATION:

DEFINITION:

    
Analysis of the activity logs of a network to establish a chain of events.
    
OVERVIEW:

    
Event correlation is one of the most widely used digital forensic techniques. This is because it is often the first step in forensic investigations. Essentially, security professionals are tasked with analyzing the activity logs of a specific network (every network contains log files detailing web traffic). This tells them everything they need to know about the network traffic, and which events transpired before a critical failure or a security compromise.
    
EXAMPLE:

    
Event correlation is often used as an initial step in tracing the source of a hack. As logs contain a full chronological timeline of the events registered on the network, they can be helpful in determining the cause of security breaches.
    

CRYPTANALYSIS/STEGANALYSIS:

DEFINITION:

    
Decoding data that has been concealed through either cryptography or steganography.
    
OVERVIEW:

    
Deciphering data is one of the oldest investigative approaches, far preceding the advent of computing. In the digital age, however, modern methods of hiding data using cryptography and steganography have revived interest in this domain. Cryptanalysis is the process of decrypting data that has been encrypted using ciphers. Similarly, steganalysis is the study of finding hidden data in regular messages or files. The difference between the two lies in the way messages are encoded: data hidden through cryptography doesn't make sense, which means that one can tell whether a message has been encrypted. On the other hand, steganography hides data in non-secret messages. These could be text files, audio files, or, most commonly, images.
    
EXAMPLE:

    
Cryptanalysis is common when trying to decode messages that have been intercepted by law enforcement. Typical techniques include brute force decryption and man-in-the-middle attacks.
    

SANDBOXING:

DEFINITION:

    
Running suspicious programs or code in an isolated environment.
    
OVERVIEW:

    
Sandboxes are safe virtual environments that can be used to test programs from unverified sources. Using a sandbox can be helpful in containing threats that come bundled with untrusted software. Sandboxes generally assign a portion of hardware resources to run virtual machines, including CPU cores, memory and disk space. You may think of sandboxing as a special case of virtualization. A key distinction between them is that, unlike virtualization, sandboxing heavily restricts network access for the guest operating system, which limits a program's ability to spread any viruses it may contain.
    
EXAMPLE:

    
Sandboxing tools like Sandboxie are used by forensic specialists to identify and contain potentially hostile programs. It emulates a fairly rudimentary Windows-based operating system. You can safely run any program inside Sandboxie and, if malware is found in any of them, your host operating system would be unaffected by it.
    

NETWORK SNIFFING:

DEFINITION:

    
Capturing and analyzing packets coming and going through a specific network.
    
OVERVIEW:

    
Network sniffing, or packet sniffing, is a technique used by investigators to capture data packets being transferred over a network. These packets are then logged and analyzed. The tools used for such purposes are known as network sniffers or, simply, sniffers. Sniffers intercept data packets and, depending on their capabilities, can pry these packets open to reveal the raw data carried inside. In theory, one could monitor a network's complete traffic using sniffing tools.

EXAMPLE:

    
One of the most popular network sniffers is Wireshark. It is available for free and its developers have even made its source code available. Wireshark does it all: capturing packets, logging traffic, and individual packet analysis.
    

DATA MINING:

DEFINITION:

    
Using forensic techniques on unusually large data sets to find meaningful patterns.
    
OVERVIEW:

    
Companies, big and small, are starting to move towards digitizing their operations. This means that the volume of data they hold is increasing rapidly. And, as data volume increases, so does the complexity of its analysis. Data mining refers to the manipulation of large amounts of data to extract useful information out of it. While it is largely used for recognizing business trends, data mining has also found its way into computer forensics.
    
EXAMPLE:

    
It can be used as a time-saving mechanism.
    

EVIDENCE VISUALIZATION:

DEFINITION:

    
Visualizing forensic evidence in order to recognize valuable patterns during investigation.
    
OVERVIEW:

    
An extension of timeline analysis, evidence visualization attempts to represent evidence in a visual format. As images are more intuitive than text, evidence visualization can greatly speed up the investigative process, in addition to identifying new, pertinent patterns. This is tangentially related to data mining, as it also works best when the amount of evidence is too large for regular forensic analysis.
    
EXAMPLE:
    
    Digital forensics tools like EnCase are used to gather forensic evidence, and this evidence is then fed to a pattern recognition engine (for example, SKLearn for Python). Finally, the results from the engine are passed on to a visualization or graph plotting library, which presents a visual representation of the evidence.