Forensic Images: For Your Viewing Pleasure

By Sally Vandeven

For a student just getting started in digital forensics, concepts regarding forensic images can be confusing. Terminology like images, clones, bit-stream copies and forensic images is often used incorrectly, further complicating the issue. This paper will attempt to clear up the confusion. We will present an instructive clarification of what a forensic image is as well as what it is not. In addition, we will provide a comprehensive look at the many different ways to access data on forensic images using mostly open source tools on both Windows and Linux platforms.

Windows ShellBag Forensics in Depth

By Vincent Lo

The problem of identifying when and which folders a user accessed arises often in digital forensics. Forensicators attempt to search for them in the ShellBag information because it may contain registry keys that indicate which folders the user accessed in the past. Their timestamps may demonstrate when the user accessed them. Nevertheless, a lot of activities can update the timestamps. Moreover, the ShellBag structure differs slightly between different Windows operating systems. How to interpret ShellBags correctly has become a challenge. This paper summarizes the details of ShellBag information and discusses various activities across Windows operating systems.

Case Study: 2012 DC3 Digital Forensic Challenge Basic Malware Analysis Exercise

By Kenneth J. Zahn

The 2012 DC3 Digital Forensic Challenge included two malware analysis-related exercises, one described as “basic” and one described as “advanced.” For each exercise, competing teams were provided with an ostensibly malicious—though ultimately innocuous—sample and asked to conduct an analysis befitting the sample’s complexity. The author’s challenge team, Plan 9, placed 2nd in the Government-only category, 3rd in the US-only category, and 5th in the overall competition. This paper will discuss an updated version of Plan 9’s solution to the basic malware analysis exercise using a combination of goal-driven and process-driven approaches. It should be noted that one of Plan 9’s goals in the competition was to use only freely available or open source tools to guarantee the portability of the exercise solutions. To improve the utility of this paper, the tools that were presented in the original solution have been updated to reflect their latest versions at the time of writing. Further, the solution has been expanded to include additional analysis tools that were not presented in the original exercise submission.

Introduction to IT Security & Computer Forensics – InfoSec Resources

By Dalasta Darren

This introductory course covers IT Security and goes more in-depth into Computer Forensics. There are 12 modules to cover the categories of Anonymity on the Internet, Darknets Tor Hidden Services, Anti-forensics with USB Rubber Ducky, Forensic Imaging, Forensic Recovery, Forensics with Autopsy, Network Analysis, Hacking Android, Armitage 101, Memory Analysis with Volatility, Network Analysis, and Forensics with DFF.

Digital Forensic Analysis of Amazon Linux EC2 Instances

By Kenneth G. Hartman

Companies continue to shift business-critical workloads to cloud services such as Amazon Web Services Elastic Cloud Computing (EC2). With demand for skilled security engineers at an all-time high, many organizations do not have the capability to do an adequate forensic analysis to determine the root cause of an intrusion or to identify indicators of compromise. To help organizations improve their incident response capability, this paper presents specific tactics for the forensic analysis of Amazon Linux that align with the SANS “Finding Malware – Step by Step” process for Microsoft Windows.

Investigative Forensic Workflow-based Case Study for Vectra and Cyphort

By Jennifer L. Mellone

This paper addresses real-world enterprise Vectra and Cyphort detections and walks through a detailed forensic workflow case study resulting in conclusive findings. Even though the workflow is based on the Vectra and Cyphort commercial detection platforms, this workflow is applicable to security events generated by other commercial or free products. Vectra performs behavioral analysis to detect malicious activities on the network. Cyphort performs malware detection. Upon notification of Vectra and Cyphort events, the security analyst must drill into the events with respect to the target host to find out if it was the victim of a malicious attack. This requires an investigative workflow using forensic tools and Internet research. Free forensic tools are primarily used for the analysis, but commercial products Bit9 and Carbon Black are also used to corroborate evidence. The workflow is the same whether the findings are confirmed to be true or false positives.

iPhone Forensics

By Satish B

iPhone forensics can be performed on the backups made by iTunes (escrow key attack) or directly on the live device. This article explains the technical procedure and the challenges involved in extracting data from the live iPhone. iPhone 4 GSM model with iOS 5 is used for forensics. Researchers at Sogeti Labs have released open source forensic tools (with the support of iOS 5) to recover low level data from the iPhone. The details shown below outline their research and give an overview on the usage of iPhone forensic tools.

Detection of Backdating the System Clock in Windows

By Xiaoxi Fan

In the digital forensic industry, evidence concerning date and time is a fundamental part of many investigations. As one of the most commonly used anti-forensic approaches, system backdating has appeared in more and more investigations. Since the system clock can be set back manually, it is important for investigators to identify the reliability of date and time so as to make further decisions. However, there is no simple way to tell whether the system clock has been backdated or tampered with, especially when it was subsequently reset to the correct time. There are a variety of artifacts to detect the behavior of backdating the system clock. If the investigator needs to prove the hypothesis that “the system clock has not been backdated,” he or she must examine multiple artifacts for corroboration.

This paper presents three categories of related objects, showing how they work together in detecting system clock backdating: (1) system artifacts (e.g. Windows event log, $MFT, $Logfile, $UsnJrnl, Volume Shadow Copy, $STDINFO and $FILENAME timestamps, and Windows update logs); (2) application artifacts (e.g. antivirus update log and cloud storage sync log); and (3) Internet artifacts (e.g. Internet history and email). The paper intends to put together these artifacts and serve as a reference for investigators to detect system clock backdating.

Using IOC (Indicators of Compromise) in Malware Forensics

By Hun-Ya Lock

Currently there is a multitude of information available on malware analysis. Much of it describes the tools and techniques used in the analysis but not in the reporting of the results. However, in combating malware, the reporting of the results is as important as the results themselves. If the results can be reported in a consistent, well-structured manner that is easily understood by man and machine, then it becomes possible to automate some of the processes in the detection, prevention and reporting of malware infections. This paper studies the benefits of using the OpenIOC framework as a common syntax to describe the results of malware analysis.

Commercial Computer Forensics Tools

By Infosec Resources

Contrary to popular belief, the domain of digital forensics is far from being monolithic. From the outside looking in, it might appear that computer forensics lacks versatility in terms of use cases. But just as computers have evolved over the years, both in terms of hardware and software, so has the landscape of retrieving valuable information from them through sound forensic techniques. Constant innovation in computing leads to better methods of encryption, concealment and manipulation of data. This consequently leads to the development of more powerful tools that can match the contemporary demands of digital forensics. Today, the tools for addressing various digital forensics use cases can be divided into multiple categories, whether we’re looking at differing systems or the range of forensic functions. In this article, we will look at these categories and discuss some of the most popular digital forensics tools available to us.