Forensics Investigations Case Studies and Tools

This article discusses the importance of digital forensics tools in combating modern cybersecurity threats like ransomware and wipers. It describes how the author used open source tools IntelliAdmin and USBDeview to solve an insider threat case where a paid forensic tool did not find evidence. The author advocates using multiple tools and leveraging the skills of the examiner, not just relying on automated tools. Different tools are suitable for different situations like cold acquisitions, with FTK Imager Lite recommended for making a forensic image of a powered-off hard drive.


TEAM

Editor-in-Chief: Joanna Kretowicz
Managing Editor: Michalina Szpyrka
Editors: Marta Sienicka, Marta Strzelec, Bartek Adach, Magdalena Jarzębska
Senior Consultant/Publisher: Paweł Marciniak
CEO: Joanna Kretowicz
Marketing Director: Joanna Kretowicz
DTP: Michalina Szpyrka
Cover Design: Hiep Nguyen Duc

Publisher: Hakin9 Media Sp. z o.o., ul. Bielawska 6/19, 02-511 Warszawa
Phone: 1 917 338 3631
www.eforensicsmag.com

All trademarks, trade names, or logos mentioned or used are the property of their respective owners.

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Word from the team
Dear Readers,

What are forensic tools? The answer to this question leads our thoughts to
Hollywood productions where we see the yellow tape and jumpsuit-clad technicians
collecting evidence with spatulas. But is that all? Well ... no, because today, as our
readers and digital forensics specialists know perfectly well, more and more
evidence is obtained from mobile devices and digital data carriers. So what tools to
use or choose to analyze them? You will find the answer in our magazine! This
month, we have prepared for you a set of texts about digital forensics tools and how
to use them in practice.

In the magazine you will find, among others:

• tips on how to analyze Xbox using SmartGlass and Xbox App,

• how to analyze the memory dump of an infected computer using the Volatility
tool,

• what AI can do for media forensics, its impact and limitations, and the current
round-up of industry-accepted AI software applications,

• how to perform memory forensics during incident response using Redline,

• what Spiderman has to do with building an enterprise cyber security system.

Interested? Don't miss out on this unique toolbox.

Check out our Table of Contents below for more information about each article (we
included short leads for you).

We hope that you enjoy reading this issue! As always, huge thanks to all the
authors, reviewers, to our amazing proofreaders, and of course you, our readers,
for staying with us! :)

Have a nice read!



Regards,

Michalina Szpyrka

and the eForensics Magazine Editorial Team
Table of Contents

5    The Missing Piece: An Exploration Of Digital Artifacts Found Using The SmartGlass and the Xbox App
     by Jessica Kimmel-Freeman and Douglas A. Orr, Ph.D.

29   Memory Analysis Of Stuxnet Malware
     by Sumit Kumar

41   The Benefits And Risks Of Artificial Intelligence As Legal Evidence
     by Doug Carner

47   Forensic Tools? Elementary, My Dear Watson
     by Wilson Mendes

59   Redline: Analyze Memory Image Files To Find Signs Of Malicious Activity
     by Sergio Figueiredo

67   Tools Of The Forensic Trade
     by Byron Gorman

72   XDR: The New Way To Save The Day Through A Web Of Impediments
     by Alexandra Hurtado

79   Who Or What Is OSCAR The Modular Body? An OSINT Investigation Into The Legitimacy Of This Story
     by Jeff Minakata

88   Forensic Disc Imaging Options From Bootable To Remote Imaging
     by Amber Schroader

101  Cyberwar: The New Kind of Warfare Of The 21st Century
     by Deivison Franco, Cleber Soares, Daniel Müller and Joas Santos
Tools Of The Forensic Trade

by Byron Gorman

With the current threat landscape in cybersecurity, along with the deployment of wipers and ransomware, Digital Forensics has become a necessity. Compromises have unquestionably become more serious and more frequent over time. The damage has cost both consumers and the government more than 11.5 billion and will grow exponentially. Attacks on the government and corporations happen every 14 seconds, and several have happened in the time that you have taken to read this article. The solution is to use different forensic tools and techniques. I have worked in the fields of both forensics and cybersecurity and have deployed several different tools that are necessary to achieve that task, depending on the situation. Some of the tools are open source and others are paid tools.

So in order to combat cybercrimes, terrorist threats, and security concerns, we must remain forensically sound. The government sector handles DFIs (Digital Forensic Investigators) as an extension of the Information Technology Department, and every tool has to be verified and go through a series of tests before being deployed. This approach is somewhat cumbersome and gives intruders time to create new scripts, programs, viruses and worms and release them into the wild. These tools are created to beat forensics.

A perfect example: once I had to solve a situation for a government agency, and I was allowed to use any means because they had run out of options. It happened to be an employee who was working from the inside and transmitting information to a certain group on the outside. When the initial forensic examination was performed, the forensic examiner used a paid program known as Forensic Toolkit (FTK). This tool is very well known and used by all branches of the federal government and throughout the corporate world. This tool, like any other tool, is a great asset, but the mind and creativity of the examiner or investigator is one of the most important aspects of finding evidence. I first reviewed the work that the first examiner had done and what evidence he had acquired. It was brought to my attention that they could not find anything. One should never depend on automated tools to do the job for you, because they will not recover small clues. I used two open source tools that revealed the fact that the employee was using a live USB and running the Firefox web browser from it. Once the traces were found, a review of the server logs and local computer logs revealed small breadcrumbs that led to the discovery of the employee and the files that were transferred. The open source tools of choice were IntelliAdmin and USBDeview. Both tools revealed the mass storage device that was the connected USB.

The insider attack is the most dangerous because, as the example shows, it can go undetected for a long time, and the security staff is used to watching egress rather than ingress in the environment of a corporation or government agency.

Let's address the tools along with the techniques and how we are going to leverage them against our adversaries.

The best approach

The best approach to acquiring information from a computer system is a cold acquisition. The best tool for this is FTK Imager Lite. You can download this tool for free from the FTK website. There are two ways to deploy this. In the event of a cold clone, or a machine that is turned off, you can remove the hard drive and connect your forensic computer to the subject's (unknown subject's) hard drive. Make sure that you have a write blocker between the hard drive and the forensically sterilized (totally clean and wiped) drive that you will be transferring the data to. Physical write blocker companies such as WiebeTech and Tableau create hardware devices for the clean recovery of data. These hardware devices are very reliable; however, they are also very expensive. Once you connect and the write blocker is in place, fire up FTK Imager on your forensic machine. Once the program opens, you will see the interface; immediately navigate to the Help menu, which is an in-depth guide on how to use FTK Imager.

I have found that one of the best ways to do a forensic exam on the fly, or when you lack sophisticated tools because they are either too costly or unavailable, is to use a tool that is usually associated with hackers and pentesters. The open source tool of choice is Kali Linux Live in Forensic mode.

Kali Creation

The benefits of using Kali Linux in Forensic mode are that it is live and non-destructive, because it makes no disk changes. It also disables auto-mounting of drives, and it can be integrated with FTK. OK, so let's get started. First, download a copy of Kali Linux Live from the Offensive Security website. Next, download a program like Rufus to create a bootable USB stick; if you use Rufus, use the following settings. When you start Rufus, under Device choose your USB stick. Have a thumb drive dedicated to Kali Live Forensics for your data recovery. Under Boot selection, select the Kali Live ISO. When Rufus shows Ready, click Start; Rufus will notify you when your USB is bootable. Next, you must change your BIOS setting to boot from USB; a list of BIOS key commands can be found on Google. On most HP PCs, press F10 as soon as the machine starts. Next, make sure that Secure Boot is disabled and UEFI/Legacy boot is enabled.

“It is important to remember to set the computer back to its original settings.”
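Before the ISO is written with Rufus, a practitioner checks the download against the SHA256SUMS file that Kali publishes beside its images (the matching SHA256SUMS.gpg signature is checked with gpg separately). The function below performs that check and is an added example, not part of the article or of the Kali project; the file names and hashes in demo_iso_check() are constructed, and a real run points verify_iso at the downloaded ISO and the fetched SHA256SUMS.

```shell
#!/bin/sh
# Added example, not from the article: check a downloaded ISO against a
# SHA256SUMS file (lines of "<sha256>  <filename>", as sha256sum emits).
# Returns 0 on match, 1 on mismatch, 2 when the file has no entry at all,
# so "no entry" is never mistaken for "verified".
# File names and hashes in demo_iso_check() are constructed.
set -u

verify_iso() {
    iso="$1"; sums="$2"
    base=$(basename "$iso")
    # Accept "<hash>  name" or "<hash> *name" (binary-mode marker); first hit wins.
    expected=$(grep -E "^[0-9a-fA-F]{64}[[:space:]]+\*?$base\$" "$sums" \
               | head -n 1 | cut -d' ' -f1)
    if [ -z "$expected" ]; then
        echo "no entry for $base in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    if [ "$expected" = "$actual" ]; then
        echo "OK: $base"
        return 0
    fi
    echo "MISMATCH: $base expected $expected got $actual" >&2
    return 1
}

# Constructed demo: a stand-in ISO, a SHA256SUMS file holding a decoy entry
# plus the correct sum for it, then the check itself.
demo_iso_check() {
    work=$(mktemp -d)
    printf 'kali-live-sample' > "$work/kali-linux-live-sample.iso"
    {
        echo "0000000000000000000000000000000000000000000000000000000000000000  kali-linux-other.iso"
        (cd "$work" && sha256sum kali-linux-live-sample.iso)
    } > "$work/SHA256SUMS"
    verify_iso "$work/kali-linux-live-sample.iso" "$work/SHA256SUMS"
}

if [ "${1:-}" = "demo" ]; then demo_iso_check; fi
```

Run it as sh iso-check.sh demo to see the constructed case; for a real image, call verify_iso with the ISO path and the SHA256SUMS file and only proceed to Rufus on exit status 0.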

Boot Up!

The next step is to start the subject computer and boot from the USB drive. Make sure that you confirm that you are booting from USB. When you see the Kali Linux startup screen, select Live (Forensic Mode), and after the boot process you will have access to the desktop. Open up the terminal and type the following to get FTK Imager:

    wget https://ad-zip.s3.amazonaws.com/ftkimager.3.1.1_ubuntu64.tar.gz

Then extract the contents of the compressed file using the following command:

    tar -zxvf ftkimager.3.1.1_ubuntu64.tar.gz

The archive will then unpack. Now switch into root mode by issuing sudo su and then typing the command fdisk -l. You can now connect the destination drive that has been forensically sterilized (a new drive or one overwritten with the Bleacher program, available by searching Google).

Time to Image

After booting from the USB and entering your Kali environment, you will be able to see the drives connected. The first drive will be identified by its disk model, so if your forensic computer's drive is a Seagate, the terminal will display that disk model. In the event that you have two models that are the same, first run fdisk -l with only the computer on and no drives connected. Now connect the suspect's drive and reissue the fdisk -l command; it will identify the suspect's drive. Then connect the evidence drive. By recording the "Disk /dev/sda" line for each, you will be able to tell all the drives apart.

At first the destination drive will not be usable or writeable. We will need to mount the drive to a local directory. We create a directory with mkdir {directory path}, e.g., mkdir /mnt/destDrive. Then mount the disk to the directory you created using the mount command. An example in my case is:

    mount /dev/sda1 /mnt/destDrive

Now we run FTK Imager to create a forensic image of the hard drive:

    ./ftkimager /dev/sda1 /mnt/destDrive/subPC --e01 --compress 9 --case-number "CO-X-FOR-HDD-001" --evidence-number "HDD-001" --description "subPC" --examiner "A. Alpha" --verify

Here we have identified the source device and the destination path; --case-number, --evidence-number, --description and --examiner are metadata that should be required for forensic reporting. The --verify option is important for integrity, as it checks the hashes of the finished image.

Once the forensic imaging process is complete, you will need to unmount the drives using the umount {mount_directory} command, and you can shut down your Linux instance by issuing the init 0 command.
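The Boot Up and Time to Image steps above, gathered into one script as an added example; it is not the article's own code and not AccessData's. Because ftkimager must first be downloaded onto the live system, the script uses dd and sha256sum as a stand-in for what the ftkimager line does with --e01 and --verify: copy the source, hash both source and image, compare the hashes, and record the case metadata in a log next to the image. It adds two checks a practitioner wants before imaging: it refuses to run when the destination directory sits on the source device (both drives show up as /dev/sdX, and the mount line and the imaging line must name different ones), and for a real block device it confirms the kernel read-only flag (set with blockdev --setro) before reading, as a software complement to the hardware write blocker. The /dev paths, the case metadata values and the 32 KiB pseudo-disk in demo() are constructed.

```shell
#!/bin/sh
# Added example, not from the article: cold acquisition with integrity
# verification and a case log. dd + sha256sum stand in for ftkimager
# (--e01 --verify). Device paths, case values and the demo disk are constructed.
set -u

# Refuse to image when the destination directory is the source path itself
# or is mounted from the source device. findmnt is consulted when present.
check_source_vs_dest() {
    src="$1"; dest_dir="$2"
    if [ "$src" = "$dest_dir" ]; then
        echo "refusing: source and destination are identical" >&2
        return 1
    fi
    if [ -b "$src" ] && command -v findmnt >/dev/null 2>&1; then
        dest_dev=$(findmnt -n -o SOURCE --target "$dest_dir" 2>/dev/null || true)
        case "$dest_dev" in
            "$src"*) echo "refusing: $dest_dir is mounted from $src" >&2; return 1 ;;
        esac
    fi
    return 0
}

# For a real block device, insist the kernel read-only flag is set
# (blockdev --setro /dev/sdX) before reading; a hardware write blocker
# remains the stronger control. Regular files (as in the demo) skip this.
check_read_only() {
    [ -b "$1" ] || return 0
    [ "$(blockdev --getro "$1")" = "1" ]
}

# Image src into dest_dir/name.dd, verify the copy by hash, and write
# dest_dir/name.log with the same metadata fields ftkimager takes.
# Prints the SHA-256 of the verified image on success.
acquire() {
    src="$1"; dest_dir="$2"; name="$3"
    case_no="$4"; evidence_no="$5"; examiner="$6"
    check_source_vs_dest "$src" "$dest_dir" || return 1
    check_read_only "$src" || { echo "refusing: $src is not read-only" >&2; return 1; }
    image="$dest_dir/$name.dd"
    # bs=512 with conv=noerror,sync keeps offsets aligned if a sector is
    # unreadable (it is zero-filled); a larger bs is faster on healthy drives.
    dd if="$src" of="$image" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$image" | cut -d' ' -f1)
    if [ "$src_hash" != "$img_hash" ]; then
        echo "verify FAILED: source $src_hash image $img_hash" >&2
        return 1
    fi
    {
        echo "case-number: $case_no"
        echo "evidence-number: $evidence_no"
        echo "examiner: $examiner"
        echo "source: $src"
        echo "image: $image"
        echo "sha256: $img_hash"
        echo "acquired-utc: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } > "$dest_dir/$name.log"
    echo "$img_hash"
}

# Constructed demo: a 32 KiB random file stands in for the suspect's /dev/sdX.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/destDrive"
    dd if=/dev/urandom of="$work/subPC.disk" bs=512 count=64 2>/dev/null
    acquire "$work/subPC.disk" "$work/destDrive" subPC \
        "CO-X-FOR-HDD-001" "HDD-001" "A. Alpha" && cat "$work/destDrive/subPC.log"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as sh acquire.sh demo to see the log it produces. Against a real drive, run it as root from the Kali live session with the suspect device and the mounted destination directory as the first two arguments, and keep the .log beside the image: the recorded hash is what later lets you show the image examined in Autopsy is the one taken from the drive.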

Our next step is to examine the forensic image of the subject's hard drive. Once again, there are several different commercial tools, such as FTK and AccessData, that were specifically designed to handle this task. They are great tools and, once again, highly expensive. My approach is to use Autopsy Forensic Browser. This is an open source browser; however, it is recognized by the industry as a standard and certified forensic tool. You can find it by googling "Autopsy 4.19.3", the current version as of this writing. Autopsy has a very robust suite of tools and can compete with the big-league programs such as FTK or AccessData. Go straight to the Help tab, which has a step-by-step manual with very good instructions. The program is downloaded, executed and deployed, which makes the forensic learning curve easy. I personally found Autopsy to be better than the more expensive programs.

This proves that you can be a Digital Forensics Investigator without breaking the bank. If you work for a major corporation or the federal government, you would be better able to afford the tools from FTK and AccessData; however, if you are a consultant or independent Forensic Examiner, the programs and procedures listed are forensically sound and will stand up against the high-end tools when it comes to an investigation.

About the Author

Byron Gorman:

Current Position - Threat Hunter-intelligence /OSINT Specialist.

Company owner of - Octoberbluedevops & Codeblackglobal.

Professional Goals - Supply knowledge to those in the industry.

Relevant Achievement - securing systems for middle to small businesses.
