Forensics Investigations Case Studies and Tools
Editor-in-Chief: Joanna Kretowicz
Managing Editor: Michalina Szpyrka
Editors: Marta Sienicka, Marta Strzelec, Bartek Adach, Magdalena Jarzębska
Senior Consultant/Publisher: Paweł Marciniak
CEO: Joanna Kretowicz
Marketing Director: Joanna Kretowicz
DTP: Michalina Szpyrka
Cover Design: Hiep Nguyen Duc
Publisher: Hakin9 Media Sp. z o.o., ul. Bielawska 6/19, 02-511 Warszawa
Phone: 1 917 338 3631
www.eforensicsmag.com
All trademarks, trade names, or logos mentioned or used are the property of their respective owners.
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the
presented techniques or consequent data loss.
Word from the team
Dear Readers,
What are forensic tools? The question brings to mind Hollywood productions where we see the yellow tape and jumpsuit-clad technicians collecting evidence with spatulas. But is that all? Well ... no, because today, as our readers and digital forensics specialists know perfectly well, more and more evidence is obtained from mobile devices and digital data carriers. So which tools should you choose to analyze them? You will find the answer in our magazine! This month, we have prepared for you a set of texts about digital forensics tools and how to use them in practice.
• how to analyze the memory dump of an infected computer using the Volatility
tool,
• what AI can do for media forensics, its impact and limitations, and the current
round-up of industry-accepted AI software applications,
Check out our Table of Contents below for more information about each article (we
included short leads for you).
We hope that you enjoy reading this issue! As always, huge thanks to all the
authors, reviewers, to our amazing proofreaders, and of course you, our readers,
for staying with us! :)
With the current threat landscape in cybersecurity, along with the deployment of wipers and ransomware, Digital Forensics has become a necessity. Compromises have become unquestionably more serious and more frequent over time. The damage has cost both consumers and the government more than 11.5 billion and will keep growing rapidly. Attacks on the government and corporations happen every 14 seconds, and several have happened in the time that you have taken to read this article. The solution is to use different forensic tools and techniques. I have worked in the fields of both forensics and cybersecurity and have deployed several different tools that are necessary to achieve that task, depending on the situation. Some of the tools are open source and others are paid tools.
So in order to combat cybercrimes, terrorist threats, and security concerns, we must remain forensically sound. The government sector handles DFIs (Digital Forensic Investigators) as an extension of the Information Technology Department, and every tool has to be verified and go through a series of tests before being deployed. This approach is somewhat cumbersome and allows intruders time to create new scripts, programs, viruses and worms to be released into the wild. These tools are created to beat forensics. A perfect example: I once had to solve a situation for a government agency, and I was allowed to use any means because they had run out of options. It happened to be an employee who was working from the inside and transmitting information to a certain group on the outside. When the initial forensic examination was performed, the forensic examiner used a paid program known as Forensic Tool Kit (FTK). This tool is very well known and used by all branches of the federal government and
throughout the corporate world. This tool, like any other tool, is a great asset, but the mind and creativity of the examiner or investigator is one of the most important aspects of finding evidence. I first reviewed the work that the first examiner had done and what evidence he had acquired. It was brought to my attention that they could not find anything. One should never depend on automated tools to do the job for you, because they will not recover small clues. I used two open source tools that revealed the fact that the employee was using a live USB and running the Firefox web browser from it. Once the traces were found, a review of the server logs and local computer logs revealed small breadcrumbs that led to the discovery of the employee and the files that were transferred. The open source tools of choice were IntelliAdmin and USBDeview. Both tools revealed the mass storage device that was the connected USB.
The insider attack is the most dangerous because, as the example shows, it can go undetected for a
long time. And the security staff is used to seeing things egress instead of ingress in the environment of
Let’s address the tools along with the techniques and how we are going to leverage them against our
adversaries.
The best approach to acquire information from a computer system is a cold acquisition. The best tool for this is FTK Imager Lite, which you can download for free from the FTK website. There are two ways to deploy it. In the event of a cold clone, or a machine that is turned off, you can remove the hard drive and connect the subject's hard drive to your forensic computer. Make sure that you have a write blocker between the subject's hard drive and the forensically sterile (totally clean and wiped) drive that you will be transferring the data to. Physical write blocker companies such as WiebeTech and
Tableau create hardware devices for the clean recovery of data. These hardware devices are very reliable; however, they are also very expensive. Once the drives are connected and the write blocker is in place, fire up FTK Imager on your forensic machine. Once the program opens, you will see the interface; immediately navigate to the Help menu, which is an in-depth guide on how to use FTK Imager. I have found that one of the best ways to do a forensic exam on the fly, or when you lack sophisticated tools because they are either too costly or unavailable, is to use a tool that is usually associated with hackers and pentesters. The open source tool of choice is Kali Linux Live in Forensic mode.
Kali Creation
The benefits of using Kali Linux in forensic mode are that it is live and non-destructive, because it makes no changes to the disk. It also disables auto-mounting of drives, and it can be integrated with FTK. OK, so let's get started. First, download a copy of Kali Linux Live from Offensive Security.com. Next, download a program like Rufus to create a bootable USB stick; if you use Rufus, use the following settings. When you start Rufus, you will be prompted for a device: choose your USB. Have a thumb drive dedicated to Kali Live Forensics for your data recovery. Under Boot selection in Rufus, select the Kali Live CD ISO. Now select Ready, then Start. Rufus will notify you when your USB is bootable. Next, you must change your BIOS setting to boot from USB; a list of BIOS key commands can be found on Google. On most HP PCs, press F10 as soon as the machine starts. Next, make sure that Secure Boot is
“It is important to remember to set the computer back to its original settings.”
Boot Up!
The next step is to start the subject computer and boot from the USB drive. Make sure that you confirm
that you are booting from USB. When you see the Kali Linux startup screen, select Live (Forensic Mode)
and after the boot process you will have access to the desktop. Open up the terminal and type the
3.1.1_ubuntu64.tar.gz”.
Then extract the contents of the compressed file using the command “tar -zxvf Ftkimager.3.1.1_ubuntu64.tar.gz”. The image will then unpack. Now switch into root by issuing “sudo su” and then type the command “fdisk -l”. You can now connect the
destination drive that has been forensically sterilized (a new drive or one overwritten with the Bleacher
Time to Image
After booting from the USB and entering your Kali environment, you will be able to see the drives connected. The first drive will be identified by its disk model, so if your forensic computer's drive is a Seagate, the terminal will display that disk model. In the event that you have two drives of the same model, first run “fdisk -l” with only the computer on and no drives connected. Now connect the suspect's drive and reissue the “fdisk -l” command; the new entry identifies the suspect's drive. Then connect the evidence drive. By recording the “Disk /dev/sda” information at each step, you will be able to tell all the drives apart.
At first the destination drive will not be usable or writable. We will need to mount the drive to a local directory. We create a directory with “mkdir {directory path}”, e.g., “mkdir /mnt/destDrive”. Then mount the disk to the directory you created using the mount command; in my case, “mount /dev/sda1 /mnt/destDrive”.
Now we run FTK Imager to create a forensic image of the hard drive: “./ftkimager /dev/sda1 /mnt/destDrive/subPC --e01 --compress 9 --case-number "CO-X-FOR-HDD-001" --evidence-number "HDD-001" --description "subPC" --examiner "A. Alpha" --verify”. Here, the case number, evidence number, description and examiner are metadata that should be required for forensic reporting. The --verify option is important for integrity.
Once the forensic imaging process is complete, you will need to unmount the drives using “umount {directory path}”, and you can shut down your Linux instance by issuing the “init 0” command.
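The fdisk -l before/after comparison and the FTK Imager command line from the steps above, as an added shell example that is not part of the article: new_disks() reports which "Disk /dev/..." entries appeared after a drive was plugged in, and image_cmd() assembles the ftkimager invocation and refuses to run without the chain-of-custody metadata. It assumes ftkimager was extracted into the current directory; the device names, case number, evidence number and examiner are placeholders.

```shell
#!/bin/sh
# Added example (not from the article). Helpers for the Kali Live (Forensic
# Mode) + FTK Imager CLI workflow described above. Assumes ./ftkimager exists
# after "tar -zxvf"; every device name and metadata value is a placeholder.

# new_disks BEFORE AFTER: print the /dev paths whose "Disk /dev/...:" line is
# present in AFTER but not in BEFORE. BEFORE and AFTER are the text of
# "fdisk -l" captured before and after plugging a drive in, which is how the
# article tells a suspect drive apart from a same-model forensic drive.
new_disks() {
    before=$(printf '%s\n' "$1" | sed -n 's/^Disk \(\/dev\/[a-z0-9]*\):.*/\1/p')
    after=$(printf '%s\n' "$2" | sed -n 's/^Disk \(\/dev\/[a-z0-9]*\):.*/\1/p')
    seen=" $(printf '%s' "$before" | tr '\n' ' ') "
    for dev in $after; do
        case "$seen" in
            *" $dev "*) ;;                 # was present before: not new
            *) printf '%s\n' "$dev" ;;     # newly attached device
        esac
    done
}

# image_cmd SRC DEST_DIR BASE CASE_NO EV_NO DESC EXAMINER: print the ftkimager
# command line (E01 format, compression 9, hash verification after writing).
# Every argument is required so the image always carries its custody metadata.
image_cmd() {
    src=$1; dest=$2; base=$3; case_no=$4; ev_no=$5; desc=$6; examiner=$7
    for v in "$src" "$dest" "$base" "$case_no" "$ev_no" "$desc" "$examiner"; do
        [ -n "$v" ] || { echo "image_cmd: missing metadata argument" >&2; return 1; }
    done
    printf './ftkimager %s %s/%s --e01 --compress 9 --case-number "%s" --evidence-number "%s" --description "%s" --examiner "%s" --verify\n' \
        "$src" "$dest" "$base" "$case_no" "$ev_no" "$desc" "$examiner"
}

# Typical use on the live system (commented out: it needs real drives):
#   before=$(fdisk -l)      # forensic machine only, nothing attached
#   ...plug in the suspect drive...
#   after=$(fdisk -l); suspect=$(new_disks "$before" "$after")
#   mkdir -p /mnt/destDrive && mount /dev/sdc1 /mnt/destDrive   # evidence drive, never $suspect
#   eval "$(image_cmd "$suspect" /mnt/destDrive subPC CO-X-FOR-HDD-001 HDD-001 subPC 'A. Alpha')"
```

The source device handed to image_cmd must never be the device mounted at the destination directory; repeat the fdisk -l comparison when the evidence drive is attached so the two are not confused.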
Our next step is to examine the forensic image of the subject's hard drive. Once again, there are several different commercial tools, such as FTK and AccessData, that were specifically designed to handle this task. They are great tools and, once again, highly expensive. My approach is to use Autopsy Forensic Browser; this is an open source browser, however, it's recognized by the industry as a standard and
You can find it by googling “Autopsy 4.19.3” as of this writing. Autopsy has a very robust suite of tools and can compete with the big-league programs such as FTK or AccessData. Go immediately to the Help tab, which has a step-by-step manual with very good instructions. The program is downloaded, executed and deployed, which makes the forensic learning curve easy. I personally found
This proves that you can be a Digital Forensics Investigator without breaking the bank. In the event you work for a major corporation or the federal government, you would be more able to afford the tools from FTK and AccessData; however, if you are a consultant or independent Forensic Examiner, the programs and procedures listed are forensically sound and will stand up against the high-end tools
Byron Gorman: