Toriality's Blog

COMPUTER FORENSICS - 08

created_at:

June 4, 2024 at 5:35 PM

last_updated:

July 15, 2024 at 8:11 PM

COMPUTER FORENSICS STUDY - 08 SOURCES: INFOSECINSTITUTE.COM

MEMORY FORENSICS

WHAT IS MEMORY FORENSICS?

Memory forensics is a vital form of cyber investigation that allows an investigator to identify unauthorized and anomalous activity on a target computer or server. This is usually achieved by running special software that captures the current state of the system's memory as a snapshot file, also known as a memory dump. This file can then be taken offsite and searched by the investigator.
This is useful because of the way in which processes, files and programs are run in memory. Once a snapshot has been captured, many important facts can be ascertained by the investigator, such as:
    - Processes running;
    - Executable files that are running;
    - Open ports, IP addresses and other networking information;
    - Users that are logged into the system, and from where;
    - Files that are open, and by whom.

Already we can see how much this information can help an investigator as they seek out system anomalies. By being able to capture the volatile information inside the system's memory, they are able to create a permanent record of the system's state as it was.
This means that suspicious programs such as computer viruses and malware can be tracked down in a lab environment and traced back to the source if possible. This is vital in instances where malware leaves no trace of its activity on a target system's hard drive, making memory forensics especially important as a means to identify such activity.
Memory forensics is time sensitive, as the information that is required is stored in volatile system memory, and if the system is restarted or powered off, then that information is flushed from system memory. Hard drives, on the other hand, are a non-volatile form of computer storage. There are some volatile elements to hard drives, such as cache and buffer stores, so this also needs to be taken into account by the forensic investigator.

ACQUISITION METHODS:

The angle of investigation that you take during this acquisition phase will depend mostly on the scenario that you are presented with and the requirements of the case. This depends largely on the operating system that your host is running, or what the perceived issue is that needs to be investigated at the time of the incident. How you go about capturing the image also depends on what you are trying to establish through your investigative process, and what it is that you are trying to prove or disprove.
Generally your investigation will focus on the activities of the user on the system, or evidence that proves that the system in question has been compromised. Sometimes even encryption keys and passwords can be uncovered if they are part of the evidentiary requirements of your case. There must be a clear understanding of what needs to be established on the target system, and how it can help to advance your investigation.
These are the five most common methods and formats used today:

    - RAW Format: Extracted from a live environment;
    - Crash Dump: Information gathered by the operating system;
    - Hibernation File: A saved snapshot that your operating system can return to after hibernation;
    - Page File: This is a file that stores similar information to that stored in your system RAM;
    - VMWare Snapshot: This is a snapshot of a virtual machine, which saves its state as it was at the exact moment that the snapshot was generated.

Data carving is a commonly used approach, and depending on the desired outcomes of your particular case, there are many other approaches that can be looked at as well.

MEMORY FORENSICS TOOLS:

VOLATILITY SUITE:

This is an open source suite of programs for analyzing RAM, and has support for Windows, Linux and Mac operating systems. It can analyze RAW, Crash, VMWare and VirtualBox dumps with no issues.

REKALL:

This is an end-to-end solution for incident responders and investigators, and features both acquisition and analysis tools. It can be thought of as more of a forensic framework suite than just a single application.

HELIX ISO:

This is a bootable live CD as well as a standalone application that makes it very easy for you to capture a memory dump or a memory image of a system. There are some risks associated with running this directly on a target system, namely an acquisition footprint, so make sure that it fits your requirements.

BELKASOFT RAM CAPTURER:

This is another forensic tool that allows for the volatile section of a system's memory to be captured to a file. First responders will find that the functionality and wide range of tools available in this software package will allow for their investigations to start off as quickly as possible.

PROCESS HACKER:

This is an open source process monitoring application that is very useful to run while the target machine is in use. It will give the investigator a better understanding of what is currently affecting the system before the memory snapshot is taken, and can go a long way to help uncover any malicious processes, or even help to identify what processes have been terminated within a set period of time.

EXAMINING YOUR CAPTURED DATA:

We'll take a look at some common approaches that can be used by an investigator when trying to glean more information via memory forensics:

OPEN FILES ASSOCIATED WITH PROCESS:

This is an extremely useful approach, as it shows which files are open by a suspicious process on the target system. Malware can often be identified just by the location of the associated files that are open, and knowing where these files are located is also beneficial to the overall investigation, especially if these files are storing logs of user inputs via the keyboard. This would mean that the user's passwords could have been inadvertently divulged to the malware authors that created the software. This will help to strengthen the case that the investigator is building.

DECODED APPLICATIONS IN MEMORY:

Sometimes, the data collected by the malware that is present on the target system will be encrypted, making it impossible for anyone but the perpetrator to successfully make use of the data that it has been collecting. However, sometimes a decrypted version of the application can be caught in the memory snapshot, which allows the investigator to more accurately examine the application's activities. The investigator might even be able to identify the hash or cipher that was used for the encryption, thus allowing them to read previously inaccessible data associated with the malware instance on the target machine.

TIMESTAMP COMPARISON:

In some instances, malware can interfere with the target host's timestamps on the system files, making them appear to be untouched by the infection. This is known as time stomping, and can seriously inhibit an investigator's ability to discover when the infection first occurred. By capturing the memory dump, investigators can compare the process timestamps to the system file timestamps to establish when the system was first compromised. Once a date and time has been established, records such as emails and browser history can be looked at to identify the possible cause of the infection by finding any correlations in time and date between the process timestamp and the application time frames.
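The timestamp comparison described above, as an added example that is not part of the original post or of any forensic tool: process records as an analyst would list them from a memory image, on-disk file modification times and user-activity records are compared in Python to anchor the compromise time and pull in the activity that preceded it. The process names, paths, times and the ten-minute window are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data, not from a real case: process records as an analyst
# would list them from a memory image, on-disk modification times of files, and
# user-activity records (email, browser history) recovered from the same host.
PROCESSES = [
    {"pid": 4, "name": "System", "created": "2024-06-01T08:00:00", "image": None},
    {"pid": 1337, "name": "svch0st.exe", "created": "2024-06-03T14:22:10",
     "image": r"C:\Users\Public\svch0st.exe"},
]
FILES = {
    r"C:\Windows\System32\svchost.exe": "2023-11-10T12:00:00",
    # Dropped binary whose on-disk timestamp was stomped to look years old.
    r"C:\Users\Public\svch0st.exe": "2019-04-11T10:05:00",
}
EVENTS = [
    {"source": "email", "time": "2024-06-03T14:19:30", "detail": "Re: Invoice from vendor"},
    {"source": "browser", "time": "2024-06-03T14:20:45", "detail": "download invoice.zip"},
    {"source": "browser", "time": "2024-06-02T09:00:00", "detail": "news site"},
]

def ts(value):
    return datetime.fromisoformat(value)

def compromise_anchor(processes, suspect_names):
    """Earliest creation time of the suspect processes. These times come from the
    memory image, which time stomping of the file system does not alter."""
    times = [ts(p["created"]) for p in processes if p["name"] in suspect_names]
    return min(times) if times else None

def timestamp_discrepancies(processes, files, suspect_names):
    """Gap between each suspect process's creation time (memory) and the on-disk
    modification time of its image file. An image file that looks years older
    than the freshly started process it backs is the time-stomping pattern."""
    return {p["image"]: ts(p["created"]) - ts(files[p["image"]])
            for p in processes
            if p["name"] in suspect_names and p["image"] in files}

def correlated_events(events, anchor, window=timedelta(minutes=10)):
    """User-activity records in the window leading up to the anchor, oldest first."""
    hits = [e for e in events if anchor - window <= ts(e["time"]) <= anchor]
    return sorted(hits, key=lambda e: e["time"])

if __name__ == "__main__":
    anchor = compromise_anchor(PROCESSES, {"svch0st.exe"})
    for path, gap in timestamp_discrepancies(PROCESSES, FILES, {"svch0st.exe"}).items():
        print(f"{path}: on-disk timestamp is {gap.days} days older than the process")
    for e in correlated_events(EVENTS, anchor):
        print(f"{e['time']} {e['source']}: {e['detail']}")
```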
    
NETWORK INFORMATION:

Once the infected processes have been identified, then the specific network communications surrounding the infection can be further dissected. This can reveal a virtual treasure trove of information, such as:

    - Source IP addresses, such as where the malware instance is reporting back to;
    - Compromised ports on the host machine;
    - The frequency at which malware was communicating over the network;
    - Understanding how the infection spreads itself over the network.

USER ACTIVITY:

By looking at the information that was acquired during all of the previous steps, the forensic investigator can start to piece together a fairly accurate series of events that led to the main incident. This can be determined via the system log files that were captured earlier, and can help to ascertain to what extent, if any, a user on site may have been involved. Remote unauthorized access can also be detected, which can help with determining the extent to which the network protocols of the organization have been compromised.
    

MULTIMEDIA AND CONTENT FORENSICS

WHAT IS MULTIMEDIA FORENSICS?

When applied to the field of multimedia, digital forensics faces some new challenges. Because multimedia is content that uses a mix of various forms, such as text, audio and images, it has become an actively changing form of investigation in the digital world. And, thanks to the wide adoption of mobile devices, high bandwidth and cheaper storage, online users now generate enormous amounts of multimedia content, all of which they are free to store and share via the internet. This growth has pushed digital multimedia into the forefront of human activity and made it an integral part of everyday life. As such, this varied content must also be secured from illegal use through the forensic process.

TYPES OF MULTIMEDIA AND CONTENT FORENSICS:

WATERMARKING:

This is a technique used in multimedia forensics to identify the original source and authenticate the user for a particular image. This forensic (or digital) watermark is a code of characters embedded in a digital document, image, video or computer program that offers the details investigators need to find out more about the images they encounter. This insight can protect the interests of content creators against illegal use and make it easier for copyright holders to locate individuals who violate this ownership. Further, a forensic watermark can alert an honest user in the event that they inadvertently receive an illegitimate document or program. Moreover, these marks can be repeated at random locations within the content, which can make them somewhat difficult to predict and remove.

DIGITAL SIGNATURE:

These are the equivalent of handwritten ones, except that they appear in electronic form. These signatures encrypt the contents of a document, allowing applications to detect if it has been tampered with in some way. From a legal perspective, this allows the creator to prove that a document existed at a certain date and time. This can be useful in situations where the exact moment of a cybercrime needs to be nailed down within a larger forensic investigation.

APPROACHES TO MULTIMEDIA AUTHENTICATION:

By reconstructing the history of the image itself - a process known as image ballistics - investigators can match metadata and file structure with a known device, such as a digital camera's make and model. Multimedia security divides its efforts between two main approaches: active and passive.

ACTIVE IMAGE AUTHENTICATION:

This is a technique that uses a known authentication code embedded in the image, or sent with it, for assessing its integrity on the receiving end. This approach requires a watermark or a digital signature to be created precisely when the image is recorded or sent, which limits it to specially equipped digital devices. However, the overwhelming majority of images on the internet today do not have a digital watermark or signature, which has forced this authentication method to consider additional techniques.

PASSIVE IMAGE AUTHENTICATION:

This is a method that uses only the image itself for assessing its integrity, without any peripheral information, such as a signature or watermark from the sender. This technique works well in the absence of these identifying features. It works on the assumption that digital forgeries may disturb the underlying property or quality of an image, even though no visual clue has been left behind.
    

COMMON DIGITAL FINGERPRINTS

Although cryptographic tools and access control ensure the safe delivery of multimedia over networks, this protection ends as soon as the content is delivered and safely decrypted. Digital fingerprinting has emerged to address this post-delivery dilemma by identifying users who have legitimate access to the plaintext but use it for unauthorized purposes. This process allows investigators to trace the illegal usage of multimedia through unique identifying information, known as a "fingerprint", embedded in the content before distribution.
Although these prints are technically coded strings of binary digits generated by mathematical algorithms, they are as unique as the analog fingerprints of a person. In the multimedia world, this technology can identify a piece of media like a song or video clip as being the original itself, complete with its own unique features. As a forensic tool, this process enables sites like YouTube to scan files and match the digital fingerprints they find against a database of copyrighted material to see if any intellectual property is being violated. But this is not the only way digital fingerprinting can be utilized. In a more traditional way, a user's personal computer could also be equated to a digital fingerprint with the ability to trace online activity. Both concepts rely on the notion of a unique identifier - but with completely disparate functionalities.
As an emerging forensic tool, digital fingerprinting is still in something of a fledgling state, with one powerful adversary known as the multi-user collusion attack. This threat occurs when a group of hackers work together to remove any trace of these identifying fingerprints. Through the connectedness of the internet, malicious actors with differently marked versions of the same content can come together to mount attacks against these fingerprints. And hackers can also produce a new untraceable version of the content just by reducing the identifying nature of their own. This is a cost-effective way to remove identifying features and it poses a major threat to multimedia fingerprinting.
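An added Python example, not from the original post or from any fingerprinting product, of the per-user fingerprint described in the two passages above and of why the collusion attack matters to the investigator: each recipient's copy of a constructed 8-bit sample signal carries a pseudo-random mark derived from their identifier, a leaked copy is traced back by correlating its residual against each known mark, and averaging two recipients' copies shows how the mark of each colluder is diluted below the detection threshold. The recipient names, signal length, mark strength and threshold are constructed for illustration; real schemes use far longer signals and perceptual embedding.

```python
import hashlib
import random

# Added teaching example, not code from any product or from the original post.
# The "media" is a constructed list of 8-bit sample values kept in mid-range so
# that adding a small mark never clips at 0 or 255.
_rng = random.Random(1)
ORIGINAL = [_rng.randint(64, 192) for _ in range(256)]
RECIPIENTS = ["alice", "bob", "carol"]
STRENGTH = 2  # amplitude of the mark per sample; small enough to be imperceptible

def fingerprint_for(recipient_id, length):
    """Deterministic +/-1 pseudo-random sequence derived from the recipient id."""
    seed = int.from_bytes(hashlib.sha256(recipient_id.encode()).digest()[:8], "big")
    rng = random.Random(seed)
    return [1 if rng.random() < 0.5 else -1 for _ in range(length)]

def embed(content, recipient_id):
    """Produce the copy handed to one recipient: the content plus their mark."""
    fp = fingerprint_for(recipient_id, len(content))
    return [c + STRENGTH * f for c, f in zip(content, fp)]

def correlate(suspect, original, recipient_id):
    """Normalised correlation of the residual (suspect - original) with one
    recipient's mark: 1.0 for an unmodified copy of theirs, about 0 for others."""
    fp = fingerprint_for(recipient_id, len(original))
    residual = [s - o for s, o in zip(suspect, original)]
    return sum(r * f for r, f in zip(residual, fp)) / (STRENGTH * len(original))

def identify(suspect, original, recipients, threshold=0.75):
    """Recipients whose mark is present in the suspect copy above the threshold."""
    return [r for r in recipients if correlate(suspect, original, r) >= threshold]

def average_copies(copies):
    """Model of the multi-user collusion attack the text describes: colluders
    average their differently marked copies, diluting each mark to about 1/k."""
    return [sum(vals) / len(vals) for vals in zip(*copies)]

if __name__ == "__main__":
    leaked = embed(ORIGINAL, "bob")
    print("single leaked copy traced to:", identify(leaked, ORIGINAL, RECIPIENTS))
    colluded = average_copies([embed(ORIGINAL, "alice"), embed(ORIGINAL, "bob")])
    for r in RECIPIENTS:
        print(f"{r}: correlation with colluded copy = {correlate(colluded, ORIGINAL, r):.2f}")
    print("colluded copy traced to:", identify(colluded, ORIGINAL, RECIPIENTS))
```

Lowering the threshold would still catch two colluders at roughly half strength, but each extra colluder divides the mark further, which is why collusion-resistant fingerprint codes are a research topic of their own.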