Toriality's Blog

COMPUTER FORENSICS - 10

created_at:

June 4, 2024 at 5:35 PM

last_updated:

July 15, 2024 at 8:11 PM

COMPUTER FORENSICS STUDY - 10. SOURCES: INFOSECINSTITUTE.COM

OVERVIEW OF MALWARE FORENSICS

INTRODUCTION

Investigating the capabilities of malicious software enables the IT team to improve its assessment of a security incident, and may help prevent further infections. A considerable proportion of computer intrusions involves some variety of malicious software (malware), which somehow finds its way onto the victim's workstation or a server. When performing forensics, the IT responder usually seeks to answer questions such as: What actions can the malware carry out on the system? How does it spread? How does it keep in contact with the attacker? These questions can all be answered by analyzing the malware in a controlled environment.
There are different types of malware that cybercriminals use to infect users and obtain credentials and access to critical and valuable information. The following list of malware types focuses on the most common and general categories of infection:
    ADWARE:

        The least dangerous type, and for attackers the most lucrative in terms of redirecting the user to destinations they choose. Adware shows ads on your computer.

    SPYWARE:

        Spyware is software that aims to gather information about a person or organization without their knowledge, or that asserts control over a device without the consumer's knowledge.

    VIRUS:

        A virus is an infectious program or code that appends itself to a different piece of software and then uses the system's resources each time that software is executed.

    WORM:

        A program that replicates itself to spread to other computers and wipes out data and files on the computer. Worms destroy the operating system's files and data files until the drive is empty.

    TROJAN:

        The most hazardous type of malware: it creates a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised.

    ROOTKIT:

        Rootkits allow viruses and malware to "hide in plain sight" by disguising themselves as necessary files that your antivirus software will overlook. They are the hardest malware to detect and therefore to remove.

    BACKDOORS:

        Much the same as Trojans or worms, except that they open a "backdoor" onto a computer, providing a network connection for hackers or other malware to penetrate the system or deliver more viruses.

    KEYLOGGERS:

        Record everything you type on your PC to glean your login names, passwords and other sensitive information, and send it on to the source of the keylogging program.

    BROWSER HIJACKER:

        This dangerous malware redirects your regular search activity and gives you the results its developers want you to see. It is intended to make money off your web surfing.

    RANSOMWARE:

        The most brutal type of malware, and the most effective at harming the victim's data for financial gain. Ransomware is a kind of malicious software from cryptovirology that threatens to publish the victim's data or block access to it unless a ransom is paid. Some of the most notorious ransomware families include GoldenEye, CryptoLocker, WannaCry, Locky, Petya, Crysis, HydraCrypt, etc.


MALWARE ANALYSIS

Malware analysis is the practice of determining the functionality, source and possible impact of a given piece of malware such as a virus, worm, Trojan horse, rootkit or backdoor. The rapidly growing significance of malware in digital forensics and the rising sophistication of malicious code have motivated advances in tools and techniques for performing focused analysis on malware. As more investigations rely on understanding and counteracting malware, the demand for formalization and supporting documentation has also grown, which the malware analysis process provides.
Malware analysis involves two fundamental techniques: static analysis and dynamic analysis:
    STATIC MALWARE ANALYSIS:

        Static analysis entails the investigation of executable files without actually executing their instructions. Static analysis can confirm whether a file is malicious, give information about its functionality and sometimes provide information that will allow you to create simple network signatures. It is basic and can be quick, but it is largely ineffective against sophisticated malware and it can miss significant behaviours.

    DYNAMIC MALWARE ANALYSIS:

        Dynamic analysis executes the malware to observe its activities, understand its functionality and identify technical indicators which can be used to produce detection signatures. Dynamic analysis can reveal domain names, IP addresses, file path locations, registry keys and additional file locations, and can also identify communication with an attacker-controlled external server for command-and-control purposes or to download other malware files.

OVERVIEW OF DATABASE FORENSICS

WHAT IS DATABASE FORENSICS?

Forensic database specialists have quite a difficult task when it comes to working through corrupted databases, as opposed to standard digital forensics, which deal with fragmented "normal" data as it is found on a conventional hard drive. This is because standard file systems allocate a header and a footer bit to a file, allowing for the reconstruction of the file, in some cases by using information from the metadata in the file system. However, databases do not have static headers or footers, and are in fact scattered across multiple different identifiers. As a result, special tools and techniques are required for this highly specialized forensic work.
Database forensics is not the same as database recovery. This is an important concept to understand for those who wish to get into this field. Database forensics concentrates on scientifically interrogating the failed database and trying to reconstruct the metadata and page information from within a data set, whereas database recovery implies some kind of restorative process that will enable the database to become viable enough to re-enter a production environment, or healthy enough to provide a backup that can be used in a database restore.
Sometimes a database may be perfectly healthy, but suspicious activities and results may have raised questions from a customer that prompted a forensic investigation.
The following scenarios would require the intervention of a database forensic specialist:
    - Failure of a database

    - Deletion of information from a database

    - Inconsistencies in the data of a database

    - Detection of suspicious behavior of users

A database forensic expert will normally use a read-only method or an identical forensic copy of the data when interfacing with a database to ensure that no data is compromised. They will run a series of diagnostic tools to help them to:

    
  • Create a forensic copy of a database for analysis

  • Reconstruct missing data and/or log files associated with the deletion

  • Decipher data and ascertain possible causes of corruption

  • Audit user activities and isolate suspicious and illegal behaviour

    TYPES OF DATABASE MODELS

    As database technologies were developed and utilized over the past few decades, newer approaches to storing, locating and retrieving data were created. These different approaches are also known as database models, and understanding each one ensures maximum efficacy when dealing with instances where your database forensic expertise may be required.

    Generally speaking, today's modern database systems tend to run on relational database structures, which are ideal for many business applications and can handle simple transactions and queries simultaneously, as well as more advanced functions and table joins. It is an efficient method of designing databases and can be considered one of the most popular forms of database structure currently in use.

    As systems become more integrated within businesses and in-house developers become more commonplace, it is a growing trend that more and more object-oriented database design is being employed in applications. This is largely because database functionality is very similar to programming methodologies and the object-oriented database type is very well suited to highly complex data operations, with multiple functions being performed on stored data quickly and almost simultaneously.

    WHAT DATABASE SYSTEMS ARE MOST COMMONLY USED?

    This comes down to database popularity among businesses, companies and individuals. There are hundreds of different DBMS systems to choose from, but the five most popular database systems are listed below, as per DB-ENGINES.COM.

  • Oracle (Relational Database Management System)

  • MySQL (Relational Database Management System)

  • Microsoft SQL Server (Relational Database Management System)

  • PostgreSQL (Relational Database Management System)

  • MongoDB (Document Store)

    WHAT ARE RECORD CARVING AND DATABASE RECONSTRUCTION?

    Record carving is the attempt by a forensic specialist to obtain valid rows of data from within a damaged or corrupt database. While this has not been possible traditionally, new software tools have been developed in recent years that allow some of this data to be reconstructed from the metadata of the database being interrogated. This is different from file carving, where deleted blocks of data are recovered using the header information encoded into the file. Database strings of data are far more complex, and can even be encrypted along with metadata at this level, making recovery and analysis extremely difficult.

    Database reconstruction is a process whereby a forensics professional attempts to repair a database well enough to get some rudimentary information from it, allowing for further repair and interrogation. This is usually done by analyzing the log files of the database system and running the recorded activities through an algorithm that restores records to their state at the time of the log creation. This is not always successful, however, and the science of database forensics remains a somewhat neglected field in the computer sciences.

OVERVIEW OF SOFTWARE FORENSICS

INTRODUCTION

Software forensics is the field of software science aimed at authorship analysis of computer source code for legal purposes. It involves the areas of author identification, discrimination and characterization. Authorship analysis, whether it is applied to the written word or to source code, is based on the assumption that authors develop an approach and style that is identifiable. Though there is no formal proof that a computer program has the characteristics of its author embedded within it, it can be seen merely by looking at two code fragments that each author has his own style and methods.
Forensic specialists attempt to determine whether two or more code fragments were authored by the same programmer. This is certainly valuable information if security breaches are frequent; in this case, software forensics can assist in finding the culprit.
For authorship disputes, a legal expert is needed who provides empirical evidence to demonstrate that two or more programs were written by the same programmer.

WHAT ARE FILE FORMATS NEEDED TO KNOW FOR THE EXAM?

A typical PE .EXE file layout: A forensic specialist can extract useful information (application metadata) by investigating the contents of an .EXE file: its sections, headers and binary blocks. Metadata consists of the application name, version, release date, etc. This information is very helpful in a digital investigation.
ASCII and Unicode extraction: Every programming language has a unique file extension for its source code files. For example, code written in C++ has the file type CPP, C has C, and Pascal has PAS. These files will certainly be in ASCII or Unicode text format. For headers and configuration, various systems use ASCII text files of type H.
In practice, most compilers don't compile the source code directly to the computer's object code, but create a semi-compiled file format that allows the linking of this semi-compiled file to a library and other files before the creation of the final executable application. These semi-compiled files frequently have the OBJ file type. Library manager software is used to group OBJ files into library files of type LIB. The linker produces the final executable program in the EXE or COM file format.
ASCII and Unicode strings are located within the program's files. During the investigation of such files, it is wise to extract all the readable ASCII and Unicode content from the file by using utilities such as strings. Often, the text strings in a binary file contain many pieces of useful information (such as a programmer's comments).
Microsoft Corp v. Digital Research Inc. (DRI): Gary Kildall, a software engineer at DRI, created the operating system CP/M (Control Program for Microcomputers) in 1974 for personal computers, even before the introduction of the IBM and Apple machines. Allegedly, Microsoft Corporation copied the code of the CP/M operating system for its DOS operating system. There were no forensic techniques available when this alleged theft took place. But now it has been proved that no copying of code occurred. The forensic analysis was made by comparing code, the MS-DOS binary to the CP/M source, with scientifically tested and advanced software forensic tools such as CodeSuite.

TYPES OF TRACES/REMNANTS AND APPLICATION DEBRIS:

REGISTRY ENTRIES:

Various registry values and settings could affect the examination and forensic analysis. The registry holds configuration information, recently accessed files, license data, and a wide range of other details about the installed software and the system.

TEMPORARY FILES:

When a user runs a program, for instance a word processor, data may be temporarily stored on the hard disk. For example, Microsoft Word saves changes to a document at set intervals in a separate, temporary recovery file when the AutoRecover feature is turned on. These temporary files, not saved by the user, are useful to forensic analysts as they provide access to documents.

SPOOL FILES:

When a computer prints files, two files, a spool file and a shadow file, are created for each print job. On Windows XP/2003/Vista/2007/8, these files are located in Windows\System32\Spool\printers. Both spool and shadow files contain information useful to a forensic analyst.

PAGE FILE:

When an operating system runs out of RAM, it writes some of the data that is in RAM to a file whose purpose is to cache RAM memory. This file is called the page file and its name is pagefile.sys. When examining a system, investigators check this file to find evidence of a software security breach.


TYPES OF SOFTWARE ANALYSIS:

HASH ANALYSIS:

A software forensic analyst runs files through a hash algorithm, a one-way formula that calculates a unique value, in a sense creating a digital fingerprint that uniquely identifies a particular file. The most common hash algorithms are SHA-1 (Secure Hash Standard) and MD5 (Message Digest 5). These hash algorithms are used to derive the hash values of individual files and compare them to known databases of hash values. In this way, forensic specialists can identify known files by their SHA-1 or MD5 hash. If they are known files, such as program files, they can be removed from further analysis. On the other hand, if they are known contraband files, they are quickly identified and bookmarked.
    
SIGNATURE ANALYSIS:

Most files have a signature or header that can be used by the application program or operating system to identify the file. Frequently, files have filename extensions to identify them as well, specifically in Windows. In many cases, signatures and file extensions should match, though there are a variety of circumstances and exceptions where there is no match, anomalous results or unknown information. Forensic specialists compare files, their extensions and their headers to a known database of file signatures and extensions and report the outcomes.
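As an added example (not from the original post), a Python triage script that combines the hash analysis and signature analysis described above: it hashes a set of constructed sample files, matches the hashes against constructed known-good and known-bad sets, and checks each file's magic bytes against its extension so that a renamed executable or a mislabelled image is reported. The sample contents and hash sets are constructed for the demo; SHA-256 is emitted alongside the MD5 and SHA-1 the text names, as an addition.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed sample "files" (name -> contents); not real artifacts.
SAMPLES: Dict[str, bytes] = {
    "notepad.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "report.pdf": b"%PDF-1.7\n% constructed sample\n",
    "holiday.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,   # PNG bytes behind a .jpg name
    "invoice.zip": b"MZ" + b"\x00" * 30,               # executable behind a .zip name
    "notes.txt": b"plain text, no magic number\n",
}


def hash_file(data: bytes) -> Dict[str, str]:
    """MD5 and SHA-1 as the text names, plus SHA-256 since both are collision-prone (an addition)."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


# Known-hash sets as a hash database would supply them; derived here from the
# constructed samples so the demo runs offline.
KNOWN_GOOD: Set[str] = {hash_file(SAMPLES["notepad.exe"])["sha1"]}
KNOWN_BAD: Set[str] = {hash_file(SAMPLES["invoice.zip"])["md5"]}

# Magic bytes, the type they identify, and the extensions that legitimately carry them.
SIGNATURES: List[Tuple[bytes, str, Set[str]]] = [
    (b"MZ", "pe-executable", {"exe", "dll", "sys", "scr"}),
    (b"%PDF", "pdf", {"pdf"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (b"PK\x03\x04", "zip-container", {"zip", "docx", "xlsx", "pptx", "jar"}),
]


def signature_check(name: str, data: bytes) -> Tuple[str, str]:
    """(status, detected type): 'match' / 'mismatch' between header and extension, or 'unknown'."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    for magic, kind, exts in SIGNATURES:
        if data.startswith(magic):
            return ("match" if ext in exts else "mismatch", kind)
    return ("unknown", "")


def triage(name: str, data: bytes) -> dict:
    """Hash lookup first (drop known-good, bookmark known-bad), then header/extension check."""
    hashes = hash_file(data)
    if KNOWN_GOOD & set(hashes.values()):
        verdict = "known-good"
    elif KNOWN_BAD & set(hashes.values()):
        verdict = "known-bad"
    else:
        verdict = "unknown"
    status, kind = signature_check(name, data)
    return {"name": name, "verdict": verdict, "signature": status, "detected": kind, **hashes}


def triage_all(samples: Dict[str, bytes] = SAMPLES) -> List[dict]:
    return [triage(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for row in triage_all():
        print(f"{row['name']:<12} {row['verdict']:<10} signature={row['signature']} ({row['detected'] or '-'})")
```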
    
PATTERNS:

Software analysis can be carried out at many levels. Because programmers solve problems with regular patterns, forensic analysts can analyze the code's semantic structure to find structures and repeating patterns. For instance, the actions taken on discovering that a fatal error has occurred might vary considerably from programmer to programmer and from program to program. Methods for defining the semantics of programming languages and programs, such as axiomatic semantics and denotational semantics, could be used to find identifying patterns in the semantic structure or program logic.

Forensic specialists can also find repeating patterns by analyzing the executable behavior of the program, finding data flow patterns, or by looking at user interfaces.
    
STATISTICAL ANALYSIS:

    Statistical techniques are usually used to discern trends, correlations and frequencies from data collected from written text or source code in an attempt to establish authorship style. Data is gathered from an analysis of:

        - Mean program line length (characters per line)

        - Mean name length of local variables, global variables and functions

        - Use of conditional compilation

        - Does the programmer employ comments that are nearly an echo of the code?

        - Type of function parameter declaration. Does the programmer use the standard format (ANSI C format)?
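As an added example (not from the original post), a Python script that computes the five style metrics listed above for two constructed C fragments written in deliberately different styles (ANSI versus K&R parameter declarations, long versus short identifiers, echoing versus non-echoing comments). The regular expressions are heuristics rather than a C parser, the fragments are constructed, and local and global variables are pooled into one identifier metric, a simplification.

```python
import re
from statistics import mean

# Two constructed C fragments standing in for code from two different programmers.
SAMPLE_A = """#include <stdio.h>
#ifdef DEBUG
#include <assert.h>
#endif

int compute_checksum(const unsigned char *buffer, int length)
{
    int checksum = 0;          /* initialize checksum */
    int index;
    for (index = 0; index < length; index++) {
        checksum += buffer[index];   /* add buffer index to checksum */
    }
    return checksum;
}
"""

SAMPLE_B = """#include <stdio.h>

int cs(b, n)
unsigned char *b;
int n;
{
    int s = 0, i;   /* running total */
    for (i = 0; i < n; i++) s += b[i];
    return s;
}
"""

TYPES = r"(?:int|char|long|short|unsigned|float|double|void)"
VAR_RE = re.compile(rf"\b{TYPES}\b[\s*]+([A-Za-z_]\w*)\s*(?=[=;,\[)])")  # variable/parameter names
FUNC_RE = re.compile(rf"\b{TYPES}\b[\s*]+([A-Za-z_]\w*)\s*\(")           # function names
COND_RE = re.compile(r"^\s*#\s*(?:if|ifdef|ifndef|elif)\b", re.M)         # conditional compilation
KNR_RE = re.compile(r"\)\s*\n(?:[^{};\n]*;\s*\n)+\s*\{")  # K&R: 'type name;' lines between ')' and '{'
COMMENT_RE = re.compile(r"/\*(.*?)\*/|//(.*)$")


def comment_echoes_code(line: str) -> bool:
    """True when at least half of the comment's words already appear as identifiers on that line."""
    m = COMMENT_RE.search(line)
    if not m:
        return False
    words = set(re.findall(r"[A-Za-z_]\w*", (m.group(1) or m.group(2) or "").lower()))
    code = set(re.findall(r"[A-Za-z_]\w*", line[:m.start()].lower()))
    return bool(words) and len(words & code) / len(words) >= 0.5


def profile(src: str) -> dict:
    """Style metrics for one source file (heuristic regexes, not a C parser)."""
    lines = [ln for ln in src.splitlines() if ln.strip()]
    var_names, func_names = VAR_RE.findall(src), FUNC_RE.findall(src)
    commented = [ln for ln in lines if COMMENT_RE.search(ln)]
    return {
        "mean_line_len": round(mean(len(ln) for ln in lines), 1),
        "mean_var_name_len": round(mean(map(len, var_names)), 1) if var_names else 0.0,
        "mean_func_name_len": round(mean(map(len, func_names)), 1) if func_names else 0.0,
        "conditional_compilation": len(COND_RE.findall(src)),
        "comment_echo_ratio": (round(sum(map(comment_echoes_code, commented)) / len(commented), 2)
                               if commented else 0.0),
        "ansi_param_decls": KNR_RE.search(src) is None,
    }


def differing_metrics(profile_a: dict, profile_b: dict) -> list:
    """Metrics on which two profiles diverge: the starting point for an authorship comparison."""
    return [k for k in profile_a if profile_a[k] != profile_b[k]]
```

Run profile() over a corpus of code with known authors first; a metric only carries weight once you know how much it varies within one author's work.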
        
        

WEB, EMAIL AND MESSAGING FORENSICS

WEB FORENSICS:

Web forensics relates to any sort of crime committed over the internet. With proper knowledge and expert skills, criminal activities like child pornography, hacking/cracking and identity theft may be traced back to their perpetrators. Criminals can only be successfully punished if a sufficient amount of conclusive evidence against them is found. In this case, internet history, cache and server logs are of immense value. You might be surprised by the number of offenders who search the internet for advice on how to conduct a crime.
This leaves a trail of evidence both on the client side (e.g. registry entries, temp files, index.dat, cookies, favorites, history, downloads) and on the server side (e.g. during log analysis on a server, you may recover valuable records such as the perpetrator's IP address, a timestamp for each visit, what information was posted, etc.). Again, if you have the proper tools and knowledge, gathering this sort of evidence is a great step towards building a strong case.

EMAIL FORENSICS:

Email communication is also often exposed to abuse. As one of the most utilized ways of online communication, if not the most utilized, for both businesses and individuals, email is on the critical systems list of any organization, being used for everything from the simplest information exchange, such as scheduling meetings, to the distribution of documents and even sensitive information.
Unfortunately, cases of illegitimate use are quite common, given that encryption at the sender's end and/or integrity checks at the recipient's end are quite rare, and the fact that the most widely used email protocol, SMTP, does not enforce a source authentication mechanism by default. Also, the mail header metadata, containing information about the sender and the path through which the message traveled, can be manipulated quite easily.
Email-related crimes can vary from sending spam, phishing, cyberbullying, distributing hate messages or racial abuse content, disclosing sensitive information, distributing child pornography and online sexual harassment. Again, finding and preserving evidence forms the basis of a solid case against cybercriminals, and techniques such as identification and extraction of data are an essential step.
In most cases, the use of email goes far beyond simple message exchange. Servers are no longer used just to send and receive messages; they have expanded into full collaboration tools that include databases, document repositories, contacts and calendar managers, amongst many other uses. From an investigator's point of view, this implies the necessity of, first and foremost, understanding this complex system before doing any actual evidence collection.
A quite common requirement is determining sender/receiver attribution, in order to prove or dispute who sent the message. This is done by a review of the email header, comparing information from fields such as "From" and "To" to the information in the logs of the server where the message originated. The challenge here lies in the fact, as mentioned before, that header manipulation and mail servers that do not enforce user authentication can be used for email spoofing.
Full non-repudiation, meaning that you can prove without doubt who the sender is, can be achieved by email signing with a digital signature. The signing process uses a PKI (public key infrastructure) based on asymmetric encryption, where the content of the message is hashed and then the hash is encrypted with the sender's private key. Sadly, email signing is not as widely implemented as it should be.
Encryption can also be used to protect the content of email messages: the content can be encrypted with the recipient's public key, meaning it can only be read by someone in possession of the associated private key. In this scenario, for example, if information is leaked it can be easily proved that it was first decrypted by the recipient.
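As an added example (not from the original post), a Python script for the header review described above: it parses a constructed phishing-style message with the standard library's email module, walks the Received chain from the originating hop to the destination, and flags the discrepancies between the claimed From domain, the Return-Path, the Message-ID and the first hop that an investigator would then check against the originating server's logs. The message, hosts and addresses are constructed (RFC 5737 test ranges and reserved .example/.invalid names); no DNS, SPF or DKIM lookups are made, so the flags are leads, not proof.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed phishing-style message (RFC 5737 test addresses, reserved .example /
# .invalid names); not a real capture. Received headers read newest-first, as delivered.
RAW = """Return-Path: <bounce@mailer.example.invalid>
Received: from mx.corp.example.invalid (mx.corp.example.invalid [192.0.2.10])
\tby inbox.corp.example.invalid with ESMTP id C0FFEE
\tfor <alice@corp.example.invalid>; Mon, 03 Jun 2024 14:02:11 +0000
Received: from relay.mailer.example.invalid (relay.mailer.example.invalid [198.51.100.7])
\tby mx.corp.example.invalid with ESMTPS; Mon, 03 Jun 2024 14:02:09 +0000
Received: from unknown (HELO bank.example) ([203.0.113.55])
\tby relay.mailer.example.invalid with SMTP; Mon, 03 Jun 2024 14:02:05 +0000
From: "Support" <support@bank.example>
To: alice@corp.example.invalid
Subject: Verify your account
Message-ID: <20240603140200.1234@relay.mailer.example.invalid>
Date: Mon, 03 Jun 2024 14:02:00 +0000

Please confirm your details at the usual address.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an RFC 5322 address ('' when there is none)."""
    mailbox = parseaddr(addr)[1]
    return mailbox.rsplit("@", 1)[-1].lower() if "@" in mailbox else ""


def under(host: str, dom: str) -> bool:
    """True when host is dom itself or a subdomain of it."""
    return bool(dom) and (host == dom or host.endswith("." + dom))


def parse_received(value: str) -> dict:
    """Pull 'from' host, HELO name, IP literal, 'by' host and timestamp out of one Received header."""
    m_from = re.search(r"\bfrom\s+(\S+)", value)
    m_helo = re.search(r"\(HELO\s+([^)\s]+)", value, re.I)
    m_by = re.search(r"\bby\s+(\S+)", value)
    m_ip = IP_RE.search(value)
    return {"from": m_from.group(1) if m_from else "", "helo": m_helo.group(1) if m_helo else "",
            "ip": m_ip.group(1) if m_ip else "", "by": m_by.group(1) if m_by else "",
            "time": parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())}


def attribution(raw: str) -> dict:
    """Compare the claimed sender with the path the message actually took."""
    msg = message_from_string(raw)
    # Each MTA prepends its Received header, so the last one is the originating hop.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    msgid_dom = msg.get("Message-ID", "").strip("<> ").rsplit("@", 1)[-1].lower()
    flags = []
    if rp_dom and rp_dom != from_dom:
        flags.append(f"return-path domain {rp_dom} differs from From domain {from_dom}")
    if msgid_dom and not under(msgid_dom, from_dom):
        flags.append(f"message-id domain {msgid_dom} is not under From domain {from_dom}")
    if hops and not under(hops[0]["from"], from_dom):
        o = hops[0]
        flags.append(f"origin hop '{o['from']}' (HELO {o['helo'] or '-'}, IP {o['ip'] or '-'}) "
                     f"is not under {from_dom}; verify against the logs of {o['by']}")
    if any(later["time"] < earlier["time"] for earlier, later in zip(hops, hops[1:])):
        flags.append("Received timestamps run backwards: possible forged header")
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "message_id_domain": msgid_dom, "hops": hops, "flags": flags}
```

Only the Received header added by your own server is trustworthy; everything below it in the chain was supplied by the sender's side and must be corroborated.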

MESSAGING FORENSICS:

Instant messaging applications offer the possibility of real-time exchange of both messages and files. The security issues here are quite similar to the email scenario: illegitimate or abusive use ranging from spam, phishing, malware, cyberbullying and hate content to child pornography and related material.
There are several protocols for instant messaging, including IRC, which is used to create 'chat rooms' for multiple users. Most current applications use either a proprietary protocol (Skype, Yahoo Messenger) or XMPP (Extensible Messaging and Presence Protocol), an open standard adopted by many popular IM clients such as Facebook and Google Chat.
The first challenge for IM investigation is quite obvious: there are several applications, each storing information in different places. An expert forensic investigator must be acquainted with all those places, such as the registry or system folders (i.e. AppData, Program Files, Documents and Settings), which may vary according to the OS. Adding to this situation is the great variety of ways IM applications record time: some may store local time, while others use UTC, but quite a few will have a particular (and not publicly disclosed) way of timestamping messages. Similar variations also occur due to the constant evolution of history formats, which may change each time an IM application is updated.