Investigative Forensic Workflow-based Case Study for Vectra and Cyphort

By Jennifer L. Mellone

This paper addresses real-world enterprise Vectra and Cyphort detections and walks through a detailed forensic workflow case study resulting in conclusive findings. Even though the workflow is based on the Vectra and Cyphort commercial detection platforms, this workflow is applicable to security events generated by other commercial or free products. Vectra performs behavioral analysis to detect malicious activities on the network. Cyphort performs malware detection. Upon notification of Vectra and Cyphort events, the security analyst must drill into the events with respect to the target host to find out if it was the victim of a malicious attack. This requires an investigative workflow using forensic tools and Internet research. Free forensic tools are primarily used for the analysis, but commercial products Bit9 and Carbon Black are also used to corroborate evidence. The workflow is the same whether the findings are confirmed to be true or false positives.

Forensic Science

By InfoSec Resources

Forensic science is defined as “the application of science to the investigation and prosecution of crimes, or just the settlement of conflicts” (Casey 2004). It has also been described as “the use of science and technology to scrutinize and establish facts in a civil or criminal justice system” (Hankins & Jigang 2009). In recent years, forensic science has gained tremendous popularity because of mainstream media entertainment. Many television channels broadcast shows involving popular crime investigations and forensic science, resulting in a massive interest in the field of forensic science throughout the world. As forensic science assists in the detection and deterrence of crimes, it has paramount importance in civil and criminal justice systems.

Loki-Bot: Information Stealer, Keylogger, & More!

By Rob Pantazopoulos

Loki-Bot is advertised as a Password and CryptoCoin Wallet Stealer on several hacker forums (carter, 2015) (Anonymous, 2016) (lokistov, 2015) but aside from cheap sales pitches on the black market, not much has been published regarding the details of its characteristics and capabilities. This poses a problem to information security analysts who require such details in order to accurately prevent and/or defend against incidents involving this malware. The primary goal of this paper is to provide a comprehensive resource on Loki-Bot for those looking to better understand its inner workings and to provide contextual knowledge in support of incident response efforts. Contents of this paper will focus solely on characteristics identified during code-level analysis within a debugger. Basic static and dynamic analysis of Loki-Bot will be left as an exercise for the reader.

iPhone Forensics

By Satish B

iPhone forensics can be performed on the backups made by iTunes (escrow key attack) or directly on the live device. This article explains the technical procedure and the challenges involved in extracting data from the live iPhone. iPhone 4 GSM model with iOS 5 is used for forensics. Researchers at Sogeti Labs have released open source forensic tools (with the support of iOS 5) to recover low level data from the iPhone. The details shown below outline their research and give an overview on the usage of iPhone forensic tools.

Detection of Backdating the System Clock in Windows

By Xiaoxi Fan

In the digital forensic industry, evidence concerning date and time is a fundamental part of many investigations. As one of the most commonly used anti-forensic approaches, system backdating has appeared in more and more investigations. Since the system clock can be set back manually, it is important for investigators to establish the reliability of date and time before making further decisions. However, there is no simple way to tell whether the system clock has been backdated or tampered with, especially when it was subsequently reset to the correct time. There are a variety of artifacts that can reveal backdating of the system clock. If the investigator needs to prove the hypothesis that “the system clock has not been backdated,” he or she must examine multiple artifacts for corroboration.
This paper presents three categories of related objects, showing how they work together in detecting system clock backdating: (1) system artifacts (e.g. Windows event log, $MFT, $Logfile, $UsnJrnl, Volume Shadow Copy, $STDINFO and $FILENAME timestamps, and Windows update logs); (2) application artifacts (e.g. antivirus update log and cloud storage sync log); and (3) Internet artifacts (e.g. Internet history and email). The paper intends to put together these artifacts and serve as a reference for investigators to detect system clock backdating.

Using IOC (Indicators of Compromise) in Malware Forensics

By Hun-Ya Lock

Currently there is a multitude of information available on malware analysis. Much of it describes the tools and techniques used in the analysis, but not the reporting of the results. However, in the fight against malware, reporting the results is as important as the results themselves. If the results can be reported in a consistent, well-structured manner that is easily understood by both humans and machines, then it becomes possible to automate some of the processes in the detection, prevention and reporting of malware infections. This paper studies the benefits of using the OpenIOC framework as a common syntax to describe the results of malware analysis.

Commercial Computer Forensics Tools

By Infosec Resources

Contrary to popular belief, the domain of digital forensics is far from being monolithic. From the outside looking in, it might appear that computer forensics lacks versatility in terms of use cases. But just as computers have evolved over the years, both in terms of hardware and software, so has the landscape of retrieving valuable information from them through sound forensic techniques. Constant innovation in computing leads to better methods of encryption, concealment and manipulation of data. This consequently leads to the development of more powerful tools that can match the contemporary demands of digital forensics. Today, the tools for addressing various digital forensics use cases can be divided into multiple categories, whether we’re looking at differing systems or the range of forensic functions. In this article, we will look at these categories and discuss some of the most popular digital forensics tools available to us.

Forensication Education: Towards a Digital Forensics Instructional Framework

By J. Richard “Rick” Kiper

The field of digital forensics is a diverse and fast-paced branch of cyber investigations. Unfortunately, common efforts to train individuals in this area have been inconsistent and ineffective, as curriculum managers attempt to plug in off-the-shelf courses without an overall educational strategy. The aim of this study is to identify the most effective instructional design features for a future entry-level digital forensics course. To achieve this goal, an expert panel of digital forensics professionals was assembled to identify and prioritize the features, which included general learning outcomes, specific learning goals, instructional delivery formats, instructor characteristics, and assessment strategies. Data was collected from participants using validated group consensus methods such as Delphi and cumulative voting. The product of this effort was the Digital Forensics Framework for Instruction Design (DFFID), a comprehensive digital forensics instructional framework meant to guide the development of future digital forensics curricula.

A Forensic Look at Bitcoin Cryptocurrency

By Michael Doran

The increased use of cryptocurrencies such as Bitcoin among private users and some businesses has opened a new avenue of research in the field of digital forensics involving cryptocurrencies. Since the creation of Bitcoin in 2008, cryptocurrencies have begun to make a presence in the world of ecommerce. Cryptography serves as the underlying foundation for Bitcoin, which gives it the benefits of confidentiality, integrity, nonrepudiation and authentication. Having been designed and built upon the foundation of these four objectives makes Bitcoin an attractive alternative to mainstream currency and provides users with the benefits of payment freedom, security, very low fees, and fewer risks for merchants. Tools such as Internet Evidence Finder have the capability to recover some Bitcoin artifacts. However, because the cryptocurrency technology is relatively new, very little research has been dedicated to what other forensic artifacts are left on a user’s system as a result of Bitcoin, what those artifacts mean and how to recover them in order to build a successful case involving Bitcoin. This research seeks to ascertain what forensic artifacts are recoverable from a user’s system with Bitcoin wallet applications installed and actively used. Furthermore, this research seeks to recover any evidence of Bitcoin mining that would be present on a user’s system due to the use of such software or applications.

x86 Representation of Object Oriented Programming Concepts for Reverse Engineers

By Jason Batchelor

Modern samples of malicious code often employ object oriented programming techniques in common languages like C++. Understanding the application of object oriented programming concepts, such as data structures, standard classes, polymorphic classes, and how they are represented in x86 assembly, is an essential skill for the reverse engineer to meet today’s challenges. However, the additional flexibility object oriented concepts affords developers results in increasingly complex and unfamiliar binaries that are more difficult to understand for the uninitiated. Once proper understanding is applied, however, reversing C++ programs becomes less nebulous and understanding the flow of execution becomes more simplified. This paper presents three custom developed examples that demonstrate common object oriented paradigms seen in malicious code and performs an in-depth analysis of each. The objective is to provide insight into how C++ may be reverse engineered using the Interactive Disassembler software, more commonly known as IDA.