Digital Forensics
It’s semester 2 2023 and time for my final subject in the UNSW Cyber Security Masters course, digtital forensics run by Seth Enoka.
I got to venture deep into Windows internals, including core Windows memory structures, subsystems such as prefetch and shimcache, NTFS file system internals and mechanicsm including MFT analysis and much more. All this analysis was conducting using the following Linux analysis tools:
Tools⌗
| Tools | Description |
|---|---|
| Yara | A pattern-matching tool used in malware research and forensic analysis to identify and classify files based on defined rules and signatures. |
| Volatility 2 & 3 | Open-source memory forensics frameworks used to extract and analyze digital artifacts from volatile memory (RAM) in a memory dump to investigate cyber incidents and malware. |
| Volatility USNParser Plugin | A Volatility plugin specifically designed to parse and extract information from the USN journal on Windows systems, aiding in file activity analysis. |
| SCCA Tools | SCCA (Source Code Control System Analysis) Tools assist in examining version control system repositories to identify code changes, contributors, and track project history. |
| ESEDB Tools | These tools provide access to Extensible Storage Engine (ESE) Database files, commonly used in Windows applications, for analysis and recovery purposes. |
| analyzeMFT | A tool used in digital forensics to parse and analyze the Master File Table (MFT) entries from NTFS filesystems, revealing information about files and directories. |
| Oletools | A collection of Python-based tools for analyzing and extracting data from OLE (Object Linking and Embedding) files, such as Microsoft Office documents, often used in malware analysis. |
| Wireshark | A widely-used network protocol analyzer that captures and inspects data packets on a network, helping with network troubleshooting, security analysis, and protocol reverse engineering. |
| The Sleuth Kit (TSK) | An open-source digital forensic toolkit that includes various CLI tools (mmls, fls, icat) for file system analysis and data recovery from different operating systems. |
| Plaso | An open-source Python-based tool used for super timeline creation and log analysis, helping to reconstruct events and activities from various data sources for forensic investigations. |
| Advanced Forensics Format Library (afflib) Tools | Tools for working with the Advanced Forensics Format (AFF), an extensible open file format used in computer forensics to store disk images and related metadata. |
| wxHexEditor | A hexadecimal editor with a graphical user interface, used for low-level data inspection and editing in forensic analysis and reverse engineering. |
| Gnumeric | A spreadsheet application, similar to Microsoft Excel, used for data analysis and visualization, including data manipulation and statistical functions. |
| Personal Folder File Tools (pfftools) | Tools designed to work with Personal Folder File (PFF) formats, commonly used by Microsoft Outlook to store emails, calendars, and other personal data. These tools aid in email forensics and analysis. |
Resources⌗
- Windows shellbags
- 8 timestamps on an NTFS file system, an attacker can fairly easily mutate 4 of them, hard to convincingly adjust nano-second level
- Eric Zimmermans Windows Forensics Tools
- SANS Hunt Evil Poster Knowing what’s normal on a Windows host helps cut through the noise to quickly locate potential malware. Use this information as a reference to know what’s normal in Windows and to focus your attention on the outliers.
- MITRE ATT&CK
- MITRE ATT&CK for ICS
- Cyber Kill Chain
- Industrial Cyber Kill Chain
- Locard’s Exchange Principle
- NIST Guide to Forensics in Incident Response
- Dragos Threat Groups
- Crowdstrike Adversary Groups
- Diamond Model for Intrusion Analysis
- The Four Types of Threat Detection
- Volatility v2.4 cheat sheet
Module 0 - Intro⌗
Locards Principle (Edmond Locard aka Sherlock Holmes of France)
Every contract by a criminal leaves behind a trace
- A perpetrator will bring something to a crime scene
- A perpetrator will leave something at a crime scene
- Trace evidence bears witness to the crime and does not forget
- The only failure of trace evidence is when a human is unable to find, study, or understand it
Digital Forensic Analysis is the detailed examination of the various data elements, and their structures, extracted from digital evidence. Examination is performed from multiple viewpoints to derive meaning and intelligence:
- Analysis is not just looking at individual artefacts in isolation
- Analysis is more than just making observations, it’s requires critical thinking
- Data points must be tied together to tell a complete story, if possible
- Your aim should be to derive meaning from your data
Its not enough to stick to surface levels findings, analysis needs to go deeper. To prove the existance of a file for example, can occur through file system recovery, using backups or volume shadow copies, MFT, eventlog, what user account was responsible, was it created over a network file server such as SMB or NFS. Correlating this evidence creates a much a stronger case.
The Detective⌗
During an investigation, your primary role will be the digital detective; the person charged with solving the situation at hand. As a detective, you’re responsible for solving the puzzle, which often requires you to:
- Acquire the digital evidence
- Examine the digital evidence for potential leads
- Postulate potential narratives derived from your leads
- Extinguish lines of inquiry
The Storyteller⌗
Once the investigation is complete your role changes to that of the storyteller. As a storyteller you’re responsible for recounting the events of the situation, which includes:
- Compiling and filtering your investigation findings into a single narrative
- Effectively communicating your narrative to your client
- Directly answering your client’s questions
- Supporting your findings and assertions with evidence
Tips: always take notes as you go with time details, the report is king, report should address clients enquiries or problems
The Adversary⌗
To aid your investigation there’s another role you may want to play, which is that of the perpetrator. Being able to think like your adversary provides a significant advantage in your detective work:
- Seeing through the eyes of the perpetrator can help reveal their purpose and intent
- Increases the efficiency of the investigation
- Extinguishes lines of inquiry that are of low probability
Tips: this does NOT mean red teaming which can conflate or stomp on evidence, helps to think what is likely most lucrative to an adversary
Module 1 - The Forensic Method⌗
Investigative Leads⌗
Real world forensic investigations are not linear; don’t expect to easily find your answers on the first try. The typical method of investigation is to generate and extinguish hypotheses and lines of inquiry:
- A lead is simply a data point of interest that requires further investigation
- Think of it as a clue as to what occurred
- You might start your investigation with very few leads
- If something feels off, then it becomes a candidate for investigation
Tips: try not to get tunnel vision on a particular lead it could be a legimate false positive
Analysis Administration⌗
It is imperative that you take a structured, methodical, and documented approach to your forensic investigations. Most students and junior investigators skip this step, discounting its importance. They always learn the hard way.
Using something as simple as a spreadsheet, document and track your:
- Evidence (e.g. size, hash, datetime, origin)
- Investigative leads (i.e. threads/hypotheses) (e.g. description, datetime, status, priority)
- Analysis findings (description, datetime, related artefacts)
- Client requirements (description, datetime, importance, deadline)
The Value of Contemporaneous Notes
Gathering Requirements⌗
The first step in all analysis workflows should be qualifying the client’s investigation requirements. This sounds easier than it usually is; most clients don’t have the required experience to know what questions they should ask, and what questions it’s possible to answers with forensics:
- Investigations need to be appropriately SMART (specific, measurable, achievable, relevant, time-bound)
- Tell me everything is never a valid requirement
- Requirements need to be of a fine enough granularity for you to be able to predict your costs (e.g. time, money, etc)
- What was taken? Which accounts were compromised? What was the initial attack vector?
Tips: its just not possible to completely prove that all adversary activity has been identified
Analysis Prioritisation⌗
Being able to prioritise your forensic analysis is key to an efficient and timely forensic investigation:
- Align your investigation priorities with those of the client requirement priorities
- If you identify multiple analysis pathways to (potentially) the same destination, then always do the easy stuff first
Tips: go for low hanging fruit think like an adversary, for example a user that can’t access email vs anomalious domain controller activity
The Digital Forensic Lifecycle⌗
Just like in software engineering (and several other disciplines), agility is important when conducting a digital forensic investigation. Investigations can be large and run for several months:
- Produce reports and update the client often
- Seek client feedback to re-orient your investigation priorities as and when necessary
- Provide rapid actionable feedback with the intent to disrupt the adversary
- Promote efficacy and efficiency
Tips: client priorities change regularly validate, ultimately lifecycle is in the interest of being most effective
For gory details on the following topics: