Cyber Forensics Unit-2 Lecture Notes, Study notes of Forensics

Topics covered: Initial Response and Forensic Duplication; Initial Response and Volatile Data Collection from a Windows System; Initial Response and Volatile Data Collection from a Unix System; Forensic Duplication: Forensic Duplicates as Admissible Evidence, Forensic Duplication Tool Requirements, Creating a Forensic Duplicate / Qualified Forensic Duplicate of a Hard Drive

Typology: Study notes

2023/2024

Available from 05/30/2024

tanu-10
UNIT-II: Initial Response and Forensic Duplication

Initial Response:

One of the first steps of any preliminary investigation is to obtain enough information to determine an appropriate response. The goal of an initial response is twofold: confirm that there is an incident, and then retrieve the system's volatile data, which will no longer be there after you power off the system. Initial response is an investigative as well as a technical process.

Forensic Duplication:

A forensic duplication is an accurate copy of data that is created with the goal of being admissible as evidence in legal proceedings. We also define forensic duplication as an image of every accessible bit from the source medium.

Volatile Data Collection:

Two basic types of data are collected in computer forensics:

• Persistent (non-volatile) data is data that is stored on a local hard drive (or another medium) and is preserved when the computer is turned off.
• Volatile data is any data that is stored in memory, or exists in transit, that will be lost when the computer loses power or is turned off. Volatile data resides in registers, cache, and random access memory (RAM).

The investigation of this volatile data is called "live forensics". It is essential to the forensic investigation that the immediate state of a computer is recorded before shutting it down. Volatile information is lost once the suspect's computer is powered down, and this information may be crucial to the claim. When collecting data for a computer forensic investigation, collect the most volatile data first, as it will be lost the quickest. To avoid losing the volatile storage on a mobile device, keep the device continuously charged.
A computer system loses volatile memory when it is powered down, so the only way to safeguard this evidence is to leave the system powered up until a forensics expert can salvage this memory.

Live Data / Volatile Data Collection from a Windows System:

The main goal of live data collection is to obtain temporal or volatile data before forensic duplication. The scope of the initial response can be expanded by obtaining configuration files, system files, files that contain the attacker's tools and suspicious programs, and log files, in order to confirm quickly whether the event has occurred or not. Here, the first step is to determine whether the system was used by the victim or by the attacker. After that we need to create a response toolkit.

Creating a Response Toolkit:

A response toolkit is a collection of tools that help extract or read information from the system that was used by the victim or the attacker. We have to be careful not to destroy or alter the evidence, and to do this we need to create a response toolkit. An investigator should maintain a CD or a floppy that contains at least the tools described in the following table.

Tool         Description                                                                                         Source
cmd.exe      The command prompt for Windows NT and Windows 2000                                                  Built in
PsLoggedOn   A utility that shows all users connected locally and remotely                                       www.foundstone.com
rasusers     A command that shows which users have remote access privileges on the target system                 NT Resource Kit (NTRK)
netstat      A system tool that enumerates all listening ports and all current connections to those ports       Built in
Fport        A utility that enumerates all processes that have opened TCP/IP ports on a Windows NT/2000 system   www.foundstone.com
PsList       A utility that enumerates all running processes on the target system                                www.foundstone.com
nbtstat      A system tool that lists the recent NetBIOS connections for approximately the last 10 minutes       Built in
ipconfig     A system tool that displays interface configuration information                                     Built in
arp          A system tool that shows the MAC addresses of systems the target system has communicated with within the last minute   Built in
doskey       A system tool that displays the command history of an open cmd.exe shell                            Built in
netcat       A utility used to create a communication channel between two different systems                      www.atstake.com/research/tools/network_utilities

4. Record the creation, access and modification times of all files:

To get a list of all the files and directories on the target machine, the "dir" command is used. Its output includes the size and the access, modification and creation times. The time and date stamps become evidence when they identify the time frame in which an event occurred. Windows systems perform the task of collecting time and date stamps very quickly. Examples of using "dir" to obtain access, modification and creation times:

dir /t:a /a /s /o    Provides a recursive directory listing of all the access times on the drive
dir /t:w /a /s /o    Provides a recursive directory listing of all the modification times on the drive
dir /t:c /a /s /o    Provides a recursive directory listing of all the creation times on the drive

5. Identifying open ports:

There are several networking commands available; among them, netstat can be used to determine which ports are open. It lists all listening ports and the current connections to those ports. Volatile data, such as recently terminated connections and current connections, can be recorded using netstat. The figure referred to here (not included in this preview) shows the netstat command executed on a Windows machine. There are several local host connections in the output; applications on the local host 127.0.0.1 will always be displayed by netstat.

6. Listing the applications associated with those ports:

Knowing which services listen on which ports is helpful. The free tool fport is used to list the listening ports for all processes.

7. Listing all running processes:

It is necessary to record all the processes that are currently executing on the system before turning off the target system; unplugging the power cable destroys this information. When a process is created on a Windows system, the executable code that resides in its address space is created along with it, and the operating system creates a kernel object to manage the process and maintain statistical information about it.

8. Listing current and recent connections:

To know who is connected, or who has connected recently, the networking commands netstat, arp and nbtstat are useful. For many Windows systems, these utilities might be the only way to determine that a remote system is connecting to the workstation. Many experts prefer the netstat command to list the ports that are open on a system. As previously discussed, fport lists open ports and the applications listening on them; netstat can also be used to identify the IP addresses of remote systems and the current connections of the system. The arp command maps IP addresses to MAC addresses. The nbtstat utility accesses the remote NetBIOS (Network Basic Input/Output System) name cache, listing NetBIOS connections for approximately the last 10 minutes.

Live Data / Volatile Data Collection from a UNIX System:

As on Windows, the main goal of live data collection is to obtain temporal or volatile data before forensic duplication. The scope of the initial response can be expanded by obtaining configuration files, system files, files that contain the attacker's tools and suspicious programs, and log files, in order to confirm quickly whether the event has occurred or not. Here, the first step is to determine whether the system was used by the victim or by the attacker. After that we need to create a response toolkit.

Creating a Response Toolkit:

It is difficult to create a trusted toolkit, as it takes a lot of time; the reason is that every variant of UNIX requires its own toolkit. In some cases you may need to compile source code yourself, because some recommended tools are not included with the official UNIX system.

Obtaining Volatile Data:

We collect the following temporal/volatile data before forensic duplication:

• The date and time of the system.
• The list of users currently logged on.
• The time and date stamps of the entire file system.
• The list of sockets/ports that are currently open.
• The applications listening on the open sockets.
• The list of processes currently running.
• The list of systems that have current, or had recent, connections to the system.

5. Identify open ports:

The most widely used command for listing open ports on a UNIX system is netstat. To view all open ports, use the -an command-line argument with netstat.

6. List the applications associated with open ports:

The -p option of netstat maps the name of the application and its process identification number (PID) to the open ports.

7. Identify the running processes:

Taking a snapshot of the processes running during the initial response is difficult, but with the ps command we can achieve this. The output differs between UNIX flavors. The following command shows the running processes.

Forensic Duplication:

Forensic duplication is the copying of the contents of a storage device completely and without alteration. The technique is sometimes known as bitwise duplication, sector copying, or physical imaging. Forensic duplication is the primary method of collecting hard disk, floppy, CD/DVD and flash-based data for the purpose of evidence gathering. A simple duplication consists of making a copy of specific data; the data may be a single file, a group of files, a partition on a hard drive, an entire hard drive, or other elements of data storage devices and the information stored on them.
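The UNIX live-collection procedure above (the seven volatile items, gathered most volatile first, with netstat and ps doing the network and process work) as a runnable script. This is an added example, not code from the lecture notes; the function names, the section order, the choice of /etc as a stand-in for the whole file system, and the report path are this example's own assumptions. The same ordering applies to the Windows procedure, with the dir, netstat, fport and nbtstat commands taking the place of ls, netstat and ps.

```shell
#!/bin/sh
# Added example, not part of the lecture notes: a minimal UNIX live-response
# collector that gathers the volatile items listed above, most volatile first,
# into one report file, then records the report's SHA-256 in a sidecar file.
# Tool names, section order and the report path are this example's choices.
set -u

# Print only the hex SHA-256 of a file (GNU coreutils or Perl shasum).
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Append one labelled section to $REPORT. The command line is recorded
# verbatim so the report documents exactly what was run; a tool that is
# missing on this host, or exits non-zero, is noted rather than silently
# skipped. A trusted copy of each tool should precede the system PATH.
section() {
    title=$1; shift
    printf '\n===== %s =====\n$ %s\n' "$title" "$*" >>"$REPORT"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >>"$REPORT" 2>&1 || printf '[exit status %s]\n' "$?" >>"$REPORT"
    else
        printf '[%s is not available on this host]\n' "$1" >>"$REPORT"
    fi
}

# Collect in order of volatility: clock and sessions, then network state and
# processes, and file timestamps last. $1 is the report path; write it to
# removable media or a listener on the analysis workstation, never to the
# evidence disk. Returns 0 when the report was written and hashed.
collect() {
    REPORT=$1
    : >"$REPORT" || return 1
    section "System date and time (UTC)"   date -u
    section "Logged-on users"              who
    section "Open sockets and ports"       netstat -an
    section "Applications on open ports"   netstat -anp   # ss -tulpn on newer Linux
    section "Running processes"            ps -ef
    section "Recent neighbours (ARP)"      arp -an
    # Access, modification and change times (the UNIX counterparts of
    # dir /t:a, /t:w and /t:c); /etc stands in for the whole file system here.
    section "File access times (/etc)"        ls -lu /etc
    section "File modification times (/etc)"  ls -l /etc
    section "File change times (/etc)"        ls -lc /etc
    sha256 "$REPORT" >"$REPORT.sha256"
}

# Usage: sh live-collect.sh /mnt/response/live.txt
if [ "$#" -gt 0 ]; then collect "$1"; fi
```

The hash is written to a sidecar rather than into the report itself, so the report's own hash stays verifiable later; a missing tool is recorded in the report because the absence of, say, netstat on a host is itself something the examiner will want documented.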
A forensic duplication is an accurate copy of data that is created with the goal of being admissible as evidence in legal proceedings. In other words, we define forensic duplication as an image of every accessible bit from the source medium.

Rules of Forensic Duplication:

1. Make two copies of the original media (digital evidence).
   (a) One copy becomes the working copy on which the investigation will be done.
   (b) One copy is a library/control copy for future reference.
   (c) Verify the integrity of the copies.
2. The working copy is used for the analysis.
3. The library copy is stored for disclosure purposes, or in the event that the working copy becomes corrupted.
4. If performing drive-to-drive imaging (not to an image file), copy onto clean media.
5. Verify the integrity of all images using hash values.

Necessity of Forensic Duplication:

• After securing the computer, we should make a complete bit-stream backup of all computer data before it is reviewed or processed.
• Bit-stream backups are much more thorough than standard backups.
• They involve copying every bit of data on a storage device, and it is recommended that two such copies be made of the original when hard disk drives are involved.
• Any processing should be performed on one of the backup copies.
• IMDUMP, developed by Michael White, was the first software for taking bit-stream backups.

Forensic Duplication Tool Requirements:

15. If the tool copies a source to a destination that is larger than the source, then it will document the contents of the areas on the destination that are not part of the copy.
16. If the tool copies a source to a destination that is smaller than the source, then the tool will notify the user, truncate the copy, and log this action.

Some examples of forensic duplication tools are:

a. SafeBack (www.forensics-intl.com)
b. Ghost (www.symantec.com)
c. dd (standard UNIX/Linux utility)
d. EnCase (www.encase.com)
e. Maresware
f. FTK (www.accessdata.com)
g. ProDiscover Basic

Creating a Forensic Duplicate of a Hard Drive:

1. Duplicating with dd and dcfldd: For creating a true forensic duplicate image, the dd utility is the most efficient tool. dd performs a bit-for-bit copy of the original, as long as the operating system kernel recognizes the storage medium. However, it is expensive.

2. Creating Linux Boot Media: Preparing for duplication using Linux is different from the methods discussed in this section, but using Linux is worthwhile, as it can be the most flexible boot environment in the toolbox.

3. Performing the Duplication with dd: Sometimes, to fit on a specific media type such as CD/DVD, or on a file system that cannot hold files larger than 2.1 GB, the duplication is stored as a series of files. This is usually referred to as a segmented image.

4. Duplicating with the Open Data Duplicator (ODD): ODD is a newer open-source tool. To perform forensic duplication simultaneously on a number of computers over a local LAN, the tool follows a client-server model; to use the software on a single forensic workstation, you run both halves on the same computer. The three portions of ODD are:
   1. Bootable CD-ROMs: similar to the Trinux Linux distribution.
   2. Server-side application: most of the work, such as string searches, calculation of hashes, and storage of the true forensic duplicate, is done by the server.
   3. Client-side application: if you are duplicating drives on a forensic workstation, this portion may be run locally.

Creating a Qualified Forensic Duplicate of a Hard Drive:

A forensic duplicate is a file that contains every bit of information from the source, in a raw bitstream format. A qualified forensic duplicate is a file that contains every bit of information from the source, but may be stored in an altered form.

Tools that create qualified forensic duplicate output files:

1. SafeBack
2. EnCase
3. FTK Imager

1. Creating a Boot Disk: A clean operating environment is required for imaging a system. You must create an MS-DOS boot disk when imaging drives using DOS applications such as SafeBack or EnCase.

2. Creating a Qualified Forensic Duplicate with SafeBack: SafeBack is offered by New Technology Inc. (NTI) and is used to make a qualified forensic duplicate of any hard drive. Because SafeBack runs from a DOS boot floppy, you need to have a clean environment ready on the floppy.

3. Creating a Qualified Forensic Duplicate with EnCase: The most popular commercially available forensic tool is EnCase from Guidance Software. It provides an easy-to-navigate GUI, and a flexible scripting language is included, allowing the examiner to customize the types of searches performed by the tool. The preview option is the most significant feature of EnCase: during the first stages of an investigation, you can use the preview function to quickly ascertain whether a computer system is material to the issue being investigated.

Creating a Forensic Duplicate:

In today's digital era the use of devices keeps increasing, and with it cybercrime is also on the rise. When such a crime occurs, the hard drive becomes important, as it is crucial evidence. Therefore, during an investigation one cannot perform tasks directly on the hard drive, as it would then be considered tampered with; one can also lose data by mistake while performing tasks on it. Hence the necessity of a disk image. Now that we have understood the importance and use of a disk image, let us understand what exactly a forensic image is.

What is a Forensic Image?

A forensic image is an exact copy of a hard drive. This image is created using various third-party tools, which capture the image of a hard drive bit by bit without changing even a shred of data. Forensic software copies data by creating a bitstream that is an exact duplicate. The best thing about creating a forensic image is that it also copies deleted data, including files left behind in swap and free space.

Now that we have understood forensic imaging, let us focus on the practical side of it. We will learn how to create such an image using five different tools, which are:

• FTK Imager
• Belkasoft Acquisition Tool
• EnCase Imager
• Forensic Imager

FTK Imager:

FTK Imager can create an image and a paging file for Windows, along with capturing volatile memory for analysis purposes. After installing FTK Imager, we start by creating an image: go to the File menu and, from the drop-down, select the Create Disk Image option. It then asks for the evidence type, i.e. physical drive, logical drive, etc.; once you have selected the evidence type, press Next to move further in the process. Next it asks for the destination folder, i.e. where you want the image to be saved, along with its name and fragment size. Once you have filled in all the details, click Finish. The process of creating the image then starts, and it simultaneously reports the elapsed time, estimated time left, image source, destination and status. When the progress bar completes and the status shows "Image created successfully", the forensic image has been created.
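The dd duplication, hash verification (rule 5 of the Rules of Forensic Duplication) and segmented image described in the forensic-duplication sections above, carried through as a runnable script. This is an added example and not code from the lecture notes or from any of the tools they name; the function names, the log format, the paths and the constructed 1 MiB evidence file are this example's own assumptions. The segment size plays the same role as the "fragment size" FTK Imager asks for.

```shell
#!/bin/sh
# Added example, not from the lecture notes: forensic duplication with dd,
# integrity verification with SHA-256, and a segmented image that is
# reassembled and verified again. The 1 MiB "evidence" file is constructed so
# the script runs offline; on a real acquisition the source would be a block
# device such as /dev/sdb and the image a file on the examiner's own storage.
set -eu

# Print only the hex SHA-256 of a file (GNU coreutils or Perl shasum).
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Bit-for-bit copy of $1 into $2, with dd's messages and both hashes appended
# to the log $3. bs=512 matches the sector size, so conv=sync (pad an
# unreadable block with zeros instead of shifting the data after it) never
# pads a whole-sector source, and conv=noerror keeps reading past bad sectors.
# Returns 0 only when source and image hash identically.
duplicate() {
    src=$1; dst=$2; log=$3
    printf '%s  dd if=%s of=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$dst" >>"$log"
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>>"$log"
    src_hash=$(sha256 "$src"); dst_hash=$(sha256 "$dst")
    printf 'source  %s  %s\nimage   %s  %s\n' "$src_hash" "$src" "$dst_hash" "$dst" >>"$log"
    [ "$src_hash" = "$dst_hash" ]
}

# Segmented image: cut the duplicate into fixed-size pieces (for CD/DVD or a
# file system with a file-size limit). split names them $2aa, $2ab, ... so a
# shell glob returns them in order. Each piece's hash goes into the log $4.
segment() {
    img=$1; prefix=$2; size=$3; log=$4
    split -b "$size" "$img" "$prefix"
    for piece in "$prefix"*; do
        printf 'segment %s  %s\n' "$(sha256 "$piece")" "$piece" >>"$log"
    done
}

# Rebuild the image from its segments and check it against the hash recorded
# for the original medium. Returns 0 on a match, 1 if any segment changed.
reassemble_and_verify() {
    prefix=$1; out=$2; expected=$3
    cat "$prefix"* >"$out"
    [ "$(sha256 "$out")" = "$expected" ]
}

# Constructed end-to-end run: 1 MiB of random bytes stands in for the evidence
# drive. Under set -e the script stops at the first failed verification.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/evidence.bin" bs=512 count=2048 2>/dev/null
    duplicate "$work/evidence.bin" "$work/evidence.dd" "$work/acquisition.log"
    segment "$work/evidence.dd" "$work/evidence.dd." 256k "$work/acquisition.log"
    reassemble_and_verify "$work/evidence.dd." "$work/rebuilt.dd" "$(sha256 "$work/evidence.bin")"
    cat "$work/acquisition.log"
    rm -rf "$work"
}

demo
```

Hashing the source medium before imaging and the image afterwards is what turns the copy into evidence: the two digests in the log are what the examiner later compares against the working and library copies, and per-segment digests let a damaged fragment be identified without re-reading the original.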