Digital Forensics Module Part 2 · 2019-03-04

Digital Forensics Module Part 2
Jaap van Ginkel, Silvio Oertli
July 2016
Hands-On (Acquisition)
Tools used in the Hands-on Workshop
• We will use open source tools for this part
– DEFT 8.2 (forensic Linux distribution)
– Guymager (graphical acquisition tool)
Acquisition
• Boot the computer from the DEFT CD or USB stick
– Depending on the computer, you need to change the boot device (F2/F6/F9/…)
Acquisition
• When you see the desktop, insert the evidence USB stick into the computer
• Double-click the Guymager icon on the left
(Screenshot: Guymager)
Acquisition
• Right-click the USB stick entry and choose "Acquire image"
Acquisition
• Fill in your case data
Acquisition
• The state turns green after finishing. You're done!
Theory in Practice
Scenario
• You're part of the local branch of a global CERT team in your country. The main office advises you to seize and analyze all local devices which could contain evidence about data leakage on Project XXX.
(Process diagram: Preparation → Identification → Seizure → Analysis → Presentation)
Preparation
• What to expect on-site...
Image source: http://images.hayneedle.com/mgen/master:BHI305.jpg
• Spot the hidden USB key...
Image source: http://nixuxu.ru/load/344430.jpg
Preparation: Toolbox
• Paper and pencils (yes, even nowadays...)
• Camera
• Tools
– Screwdrivers (Torx, crosshead, flathead, etc.)
– Tweezers
– Antistatic wrist strap
– etc.
Image source: http://www.nachi.org/images10/wrap.jpg
Preparation: Target Media Preparation
• We have to ensure that the target media is empty before we use the device for storing evidence
– We can re-use storage media if we wipe their content before using it
– There might even be data on virgin storage media coming directly from the manufacturer
– Ensure that there is no data from old cases left. This might ruin your day
• Especially important if no container formats are used (we discuss this in a moment)
– The commands can be found in the references
• Be careful to specify the right storage media when wiping drives…
• Do not execute the commands in the references during the hands-on exercises!
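A read-only check for the target medium, added here as an example and not part of the slides or of the course references: it compares the device byte for byte against /dev/zero and reports the first non-zero byte, so a re-used disk that still carries old case data is caught before any evidence is written to it. The images it is run on in the demo are constructed; blockdev (Linux) is assumed for sizing a block device, and head -c is assumed to be available.

```shell
#!/bin/sh
# Added example, not from the slides: verify that a target medium is
# zero-filled before it receives evidence. Read-only: nothing is written
# to the device. The wipe commands themselves are in the course references.

# Size in bytes of a block device (Linux blockdev, assumed) or a regular file.
byte_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Return 0 if every byte of $1 is 0x00, 1 otherwise. On failure the 1-based
# offset of the first non-zero byte (as reported by cmp -l) is printed, so
# the analyst can see where the leftover data starts.
is_zero_filled() {
    size=$(byte_size "$1")
    first_diff=$(head -c "$size" /dev/zero | cmp -l - "$1" 2>/dev/null | head -n 1 | awk '{print $1}')
    if [ -z "$first_diff" ]; then
        return 0
    fi
    echo "first non-zero byte at offset $first_diff"
    return 1
}

# Demo on two constructed 4 KiB images: one clean, one with a fragment of
# "old case data" left at offset 1024. Prints one verdict per image.
demo_zero_check() {
    tmp=$(mktemp -d)
    head -c 4096 /dev/zero > "$tmp/clean.img"
    cp "$tmp/clean.img" "$tmp/dirty.img"
    printf 'old case data' | dd of="$tmp/dirty.img" bs=1 seek=1024 conv=notrunc 2>/dev/null
    for img in "$tmp/clean.img" "$tmp/dirty.img"; do
        if is_zero_filled "$img"; then
            echo "$img: clean, safe to use as evidence target"
        else
            echo "$img: NOT clean, wipe it first"
        fi
    done
    rm -rf "$tmp"
}
```

Run `is_zero_filled /dev/sdX` against the intended target only after double-checking the device name; the function never writes, but the wipe you run afterwards does.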
Preparation: Tool Verification
• Verify your tools
– Tools should do what they have to
– Document the tests
• Use high quality equipment (e.g. enterprise disks)
Identification: Reducing Alteration
• Separate persons from equipment
• Prevent altering evidence by accident or on purpose
• Pay attention to user credentials
• Cloud storage
Identification: Locating Evidence
• In private homes there are even more places to look
• TVs, PlayStation, and more
Identification: The ON vs. OFF Debate
• It depends on the circumstances whether to leave a computer running or to turn it off
• Turning a computer off means losing all volatile evidence
– RAM
– Might be a problem with encrypted file systems where the password is not known
• Keeping a computer running means altering evidence
– Memory content changes constantly
– The disk is in use and file fragments might be overwritten
Seizure: Evidence Handling
• Definition from [12]:
– Chain of custody (CoC) refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic. Because evidence can be used in court to convict persons of crimes, it must be handled in a scrupulously careful manner to avoid later allegations of tampering or misconduct which can compromise the case of the prosecution toward acquittal or to overturning a guilty verdict upon appeal. The idea behind recording the chain of custody is to establish that the alleged evidence is in fact related to the alleged crime, rather than having, for example, been planted fraudulently to make someone appear guilty.
• Goal: prove that the evidence came from or was produced by the suspect and was not inserted or altered by the forensic analyst.
• Document who had access (physical and electronic) to the evidence at every given moment.
• Prepare for the worst during an investigation!
– Quick-and-dirty approach → the other party might sue the investigator afterwards, or the court rejects the evidence
Seizure: Evidence Handling
• Forensic logbook
Seizure: Order of Volatility
• Taken from [13]: Guidelines for Evidence Collection and Archiving (RFC 3227), most volatile first:
– Registers, cache
– Routing table, ARP cache, process table, kernel statistics, memory
– Temporary file systems
– Disk
– Remote logging and monitoring data that is relevant to the system in question
– Physical configuration, network topology
– Archival media
(volatile → static)
Seizure: Write Blockers
• Altering evidence must be avoided, either
– with software
• Mounting read-only
– with hardware
• Some hard disks (e.g. SCSI drives) have jumpers
• Forensic write blockers
• The suggested way to go is hardware write blockers
– Depends on circumstances
Image source: https://www2.guidancesoftware.com/products/Pages/tableau/products/forensic-bridges/t35es-r2.aspx
Seizure: Raw Copy vs. Container Format
• Raw copy
– 1:1 copy using dd from a physical drive to an identical physical drive
– Forensically sound
– Not very convenient to work with
– Can only be used for single devices such as hard drives, memory sticks, etc.
– Not possible to store on servers using this method
– Deprecated for most situations
(Diagram: suspect hard drive [MBR, Partition 1, Partition 2] → bit-wise copy → evidence hard drive [MBR, Partition 1, Partition 2])
Seizure: Raw Copy vs. Container Format
• Container format
– 1:1 copy from a physical drive into a (forensic) container file
– Forensically sound
– Libraries and tools available to work conveniently with containers
– Container files can be stored everywhere, including servers
– This approach is used most often nowadays
(Diagram: suspect hard drive [MBR, Partition 1, Partition 2] → bit-wise into file → evidence container file(s) (dd, ewf, aff) on the evidence hard drive)
Seizure: Imaging Scenarios
• Disk imaging
(Diagram: forensic notebook ← USB or FireWire cable → forensic bridge (USB) ← IDE/SATA/SCSI cable → hard disk (IDE/SATA/SCSI))
• Imaging over a network
(Diagram: bridges with IDE/SATA hard disks attached via USB cables)
Seizure: Physical vs. Logical
• Physical
– RAID → disk configuration
– Good environment: 80 GB/hour
– Gets everything, including deleted files
• Logical
– Fast
(Diagram, slack space: a cluster of 2048 bytes consists of sectors 1 to 4 of 512 bytes each; my_file.txt of 890 bytes fills sector 1 and part of sector 2; the remainder of sector 2 and all of sectors 3 and 4 are slack space)
Seizure: Redundant Array of Independent Disks
• RAID 0 (stripe)
• RAID 1 (mirror)
– 1:1 copy on both disks
(Diagram: disk layouts [MBR, Partition 1, Partition 2] for RAID 0 and RAID 1)
Seizure: Redundant Array of Independent Disks
• RAID 5
– Speed and redundancy
• Just a bunch of disks (JBOD)
(Diagram: RAID 5 with Partitions 1 to 4 and parity blocks distributed across the disks; JBOD with MBR, Partition 1, Partition 2 and Partition 3 spanning the disks)
Seizure: Hashing
• shasum -a 256 test.txt
– 2f50fe79a03391be5b8001606b030f26a5e8fe1dfdb137f7e28d74d2accfc3e9
• shasum -a 256 test.txt
– 6f9ea996741487099e783bba8654f2e09c194e8e0eb37f33cd0549c360e493b2
• Same file name, different content: any change to the content gives a completely different digest
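The hashing step as a script, added here as an example and not part of the slides: it records the SHA-256 digest of an acquired image next to the image and verifies it again later, which is what you repeat before and after each analysis step to show the evidence was not altered. It uses sha256sum where present and falls back to the slide's shasum -a 256; the test file and its one-byte edit are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the slides: record and re-verify the SHA-256 of an
# acquired image. Uses sha256sum (coreutils) when present, otherwise the
# shasum -a 256 shown on the slide; both read and write the same
# "digest  filename" format.

sha256_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# Hex digest of one file, nothing else.
sha256_of() {
    sha256_cmd "$1" | awk '{print $1}'
}

# Write IMAGE.sha256 next to the image. The recorded name is relative so the
# check still works after the case directory is moved to another machine.
record_hash() {
    ( cd "$(dirname "$1")" && sha256_cmd "$(basename "$1")" > "$(basename "$1").sha256" )
}

# 0 if IMAGE still matches IMAGE.sha256, 1 otherwise (message on stderr).
verify_hash() {
    if ( cd "$(dirname "$1")" && sha256_cmd -c --status "$(basename "$1").sha256" ); then
        return 0
    fi
    echo "hash mismatch: $1 differs from its recorded digest" >&2
    return 1
}

# Demo: a one-character change in a constructed test.txt flips the digest
# completely, exactly as the two digests on the slide show.
demo_hashing() {
    tmp=$(mktemp -d)
    printf 'hello\n' > "$tmp/test.txt"
    record_hash "$tmp/test.txt"
    echo "recorded:   $(sha256_of "$tmp/test.txt")"
    verify_hash "$tmp/test.txt" && echo "verify: OK"
    printf 'Hello\n' > "$tmp/test.txt"          # alter one byte
    echo "after edit: $(sha256_of "$tmp/test.txt")"
    verify_hash "$tmp/test.txt" 2>/dev/null || echo "verify: FAILED, as expected"
    rm -rf "$tmp"
}
```

Record the digest immediately after acquisition (Guymager writes its own into the .info file; compare the two) and keep the .sha256 file under the same chain of custody as the image.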
Analysis: Disk Structure
• Master Boot Record (MBR)
– Up to 4 primary partitions
– Up to 2 TB per disk (with 512-byte sectors)
• GUID Partition Table (GPT)
– Up to 128 partitions
– 2^64 blocks → 9.4 zettabytes
(Diagram, MBR: master boot code, four partition table entries, signature 0x55AA; primary partitions and an extended partition containing logical drives. Diagram, GPT: protective MBR, primary GPT header, partition entries (128), partitions, backup partition entries (128), secondary GPT header)
Analysis: Mounting an image
• ewfmount uses FUSE (Filesystem in Userspace) to mount your evidence
– sudo mkdir /mnt/evidence
– ewfmount /home/evidence/20160901_df01/USB_20160901_df01_001.E01 /mnt/evidence
Analysis: Mounting an image
• Check the partition table
– mmls /mnt/evidence/ewf1
Analysis: Mounting an image
• Mount the Windows partition (NTFS)
– mkdir /mnt/windows_mount
– mount -o ro,loop,show_sys_files,streams_interface=windows,offset=65536 -t ntfs /mnt/evidence/ewf1 /mnt/windows_mount
– offset=65536 is the partition's start sector from the mmls output times the sector size [128*512]; ro keeps the mount read-only
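Where the 65536 in the mount command comes from, as an added example that is not part of the slides: a POSIX-shell reader for the MBR partition table (the structure of the Disk Structure slide) that prints each partition's type, start sector and sector count and derives the byte offset for mount -o offset= from the start sector, the same number mmls reports. It assumes 512-byte sectors and a classic MBR (on a GPT disk it only shows the protective 0xEE entry); the sample MBR is constructed by make_sample_mbr with an NTFS partition at sector 128, matching the slide.

```shell
#!/bin/sh
# Added example, not from the slides: parse an MBR partition table with od
# and awk, and compute the byte offset that mount -o offset=... needs.
# Assumptions: 512-byte sectors, classic MBR (GPT disks expose only the
# protective 0xEE entry here). Works on a device, a raw dd image or the
# ewf1 file exposed by ewfmount.

# Unsigned little-endian integer of LEN bytes at OFFSET in FILE.
le_uint() {  # le_uint FILE OFFSET LEN
    od -An -v -tu1 -j "$2" -N "$3" "$1" |
        awk '{ for (i = NF; i >= 1; i--) v = v * 256 + $i } END { print v + 0 }'
}

# 0 if the 0x55AA boot signature is present at bytes 510-511, 1 otherwise.
mbr_has_signature() {
    [ "$(od -An -v -tx1 -j 510 -N 2 "$1" | tr -d ' \n')" = "55aa" ]
}

# One line per used partition entry: index, type, start LBA, sector count, byte offset.
mbr_partitions() {
    mbr_has_signature "$1" || { echo "$1: no MBR signature" >&2; return 1; }
    i=0
    while [ "$i" -lt 4 ]; do
        base=$((446 + i * 16))                       # 16-byte entries start at byte 446
        ptype=$(od -An -v -tx1 -j $((base + 4)) -N 1 "$1" | tr -d ' \n')
        if [ "$ptype" != "00" ]; then
            start=$(le_uint "$1" $((base + 8)) 4)    # LBA of first sector
            count=$(le_uint "$1" $((base + 12)) 4)   # number of sectors
            printf '%d 0x%s %d %d %d\n' "$i" "$ptype" "$start" "$count" $((start * 512))
        fi
        i=$((i + 1))
    done
}

# Byte offset of partition INDEX, for:
#   mount -o ro,loop,offset=$(mbr_offset /mnt/evidence/ewf1 0) -t ntfs /mnt/evidence/ewf1 /mnt/windows_mount
mbr_offset() {  # mbr_offset FILE INDEX
    mbr_partitions "$1" | awk -v n="$2" '$1 == n { print $5 }'
}

# Constructed sample: NTFS (0x07) at sector 128 for 4096 sectors, then a
# Linux (0x83) partition, zeros elsewhere, 0x55AA signature at the end.
make_sample_mbr() {
    head -c 512 /dev/zero > "$1"
    printf '\200\000\000\000\007\000\000\000\200\000\000\000\000\020\000\000' |
        dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\000\000\000\000\203\000\000\000\200\020\000\000\000\010\000\000' |
        dd of="$1" bs=1 seek=462 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}
```

`mbr_partitions disk.img` on the sample prints `0 0x07 128 4096 65536` for the NTFS partition: sector 128 times 512 bytes is the offset on the slide. If the only entry has type 0xee the disk is GPT and the real table must be read with mmls.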
Analysis: File systems
• A lot of different file systems (NTFS, FAT, HFS+, ext2, ZFS)
• But all work like books (table of contents → pages)
(Table of contents: myPasswords.txt 32145; Help me.doc 128; Important.pdf 6358; my_textfile.txt 12412; malware.exe 42152; FolderOne 54212; Safe.lock 65234)
Analysis: File systems
• Deleting a file just deletes or marks its entry in the "table of contents"
– The file's content still exists on the hard drive
Analysis: Evidence on File systems
• Finding documents by name
– find . -name "*.doc"
• Finding documents with specific content
– grep -r "many secrets" .
Analysis: Evidence on File systems
• Finding documents of a specific format in unallocated space
– Carving (Scalpel)
– File format magic numbers
• Office files (binary): 0xD0CF11
• Office files (zip): 0x504B0304 PK..
• JPG: 0xFFD8FF ÿØÿ
• GIF: 0x474946383761 GIF87a
• PDF: 0x25504446 %PDF
• EXE: 0x4D5A MZ
(Diagram: the bytes FF D8 FF at the start of sector 1; a carver scans sectors 1 to 4 of 512 bytes each for such headers)
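A minimal header carver, added here as an example and not part of the slides or of Scalpel: it hex-dumps an image, searches for a magic number at byte-aligned positions only (the same hex digits straddling two bytes of other data are not a header), reports each hit with its sector and whether it starts on a sector boundary, and copies a fixed-size chunk out of the image, which is what Scalpel does with proper footer and size rules for many formats. The image it runs on is constructed by make_sample_image; od, dd and awk are the only tools used, with 512-byte sectors assumed.

```shell
#!/bin/sh
# Added example, not from the slides: a minimal magic-number carver.
# find_magic hex-dumps the image and reports every byte-aligned hit of a
# pattern; carve_jpegs copies a fixed chunk from each JPEG header it finds.
# Real carvers (Scalpel, foremost) add footers, size limits and many formats.
# Assumptions: POSIX od/dd/awk, 512-byte sectors.

# Print the 0-based byte offset of each occurrence of a lowercase hex pattern
# (e.g. ffd8ff for JPEG, 25504446 for %PDF) that starts on a byte boundary.
find_magic() {  # find_magic IMAGE HEXPATTERN
    od -An -v -tx1 "$1" | tr -d ' \n' | awk -v pat="$2" '
        {
            s = $0; pos = 0
            while ((i = index(s, pat)) > 0) {
                hexpos = pos + i - 1                    # 0-based index into the hex string
                if (hexpos % 2 == 0) print hexpos / 2   # odd index straddles two bytes: skip
                s = substr(s, i + 1); pos += i
            }
        }'
}

# Copy LEN bytes starting at OFFSET from IMAGE to OUT.
carve_at() {  # carve_at IMAGE OFFSET LEN OUT
    dd if="$1" of="$4" bs=1 skip="$2" count="$3" 2>/dev/null
}

# Carve every JPEG header in IMAGE into DIR/jpeg_<offset>.jpg (LEN bytes each,
# default 4096) and print "offset sector aligned" for each hit; files in
# unallocated space normally start on a sector boundary.
carve_jpegs() {  # carve_jpegs IMAGE DIR [LEN]
    len=${3:-4096}
    find_magic "$1" ffd8ff | while read -r off; do
        carve_at "$1" "$off" "$len" "$2/jpeg_$off.jpg"
        if [ $((off % 512)) -eq 0 ]; then aligned=yes; else aligned=no; fi
        printf '%d sector=%d aligned=%s\n' "$off" $((off / 512)) "$aligned"
    done
}

# Constructed 2 KiB image (4 sectors): a decoy whose hex dump contains
# "ffd8ff" shifted by half a byte at offset 100, an unaligned JPEG header at
# 300, a JPEG header at the start of sector 2 (offset 1024), %PDF at 1600.
make_sample_image() {
    head -c 2048 /dev/zero > "$1"
    printf '\017\375\217\360' | dd of="$1" bs=1 seek=100 conv=notrunc 2>/dev/null
    printf '\377\330\377\340\000\020JFIF' | dd of="$1" bs=1 seek=300 conv=notrunc 2>/dev/null
    printf '\377\330\377\340\000\020JFIF' | dd of="$1" bs=1 seek=1024 conv=notrunc 2>/dev/null
    printf '%%PDF-1.4' | dd of="$1" bs=1 seek=1600 conv=notrunc 2>/dev/null
}
```

On the sample, `find_magic disk.img ffd8ff` reports 300 and 1024 and ignores the decoy at 100; the carved chunk has no real end, so treat a hit as a candidate to be validated (file type, whether it opens), not as a recovered file.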
Analysis: Artifacts
• Artifacts of programs can be in different places and in different formats
– $USER/AppData/*
• Example: AppData/Roaming/Mozilla/Firefox/Profiles/m3k5a7px.default/formhistory.sqlite
• Open with sqlitebrowser
Analysis: Artifacts
• Artifacts of programs can be in different places and in different formats
– $USER/AppData/*
• Example: AppData/Roaming/VeraCrypt/History.xml
• Open with vi
Analysis: Artifacts
• Artifacts of programs can be in different places and in different formats
– $USER/AppData/*
• Example: AppData/Roaming/VeraCrypt/Configuration.xml
• Open with vi
• Look for LastSelectedDrive
Analysis: Timeline Analysis
• If you are investigating an event in the past, you want to know what happened when, in order to create a timeline of events
• End result for the report
(Diagram: Exploitation & Usage: initial attack → intrusion, backdoor installed → further exploitation and usage; Detection & Investigation: suspicious phone call → discovery → start investigation)
Analysis: Timeline
• timescanner
– Perl script that uses log2timeline to scan a directory recursively and write a CSV file
– timescanner -d /mnt/windows_mount/ -w /home/evidence/20160901_df01/timeline.csv
– Open it with LibreOffice Spreadsheet
Analysis: Registry
• The registry is a system-wide database in Windows, divided into hive files
– Windows/System32/config/SAM
– Windows/System32/config/SECURITY
– Windows/System32/config/SYSTEM
– Windows/System32/config/SOFTWARE
– <$USER>/NTUSER.DAT
Analysis: Registry
• The registry is a system-wide database in Windows, divided into hive files
– Thomas Ehrhart/NTUSER.DAT
– reglookup "/mnt/windows_mount/Users/Thomas Erhart/NTUSER.DAT" | grep "U:"
Analysis: Hashlist
• There are known files from the system which you don't want to investigate
• Eliminate them through a hash list
• NSRL downloads (http://www.nsrl.nist.gov)
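Known-file elimination as a script, added here as an example and not part of the slides: build_hashset hashes every file of a reference installation (the role the NSRL RDS plays, which lists the SHA-1 of each known file), and unknown_files lists only the files of the evidence that are not in the set, so the analyst reads the few that remain. The reference and evidence directories are constructed in the demo; sha1sum or shasum is assumed to be available.

```shell
#!/bin/sh
# Added example, not from the slides: known-file elimination with a SHA-1
# hash set. A real set comes from the NSRL RDS (SHA-1 per known file); the
# one built here from a constructed "gold" directory plays that role.
# Assumptions: sha1sum (coreutils) or shasum, plus POSIX find/sort/grep.

sha1_of() {
    { if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"; else shasum -a 1 "$1"; fi; } |
        awk '{print $1}'
}

# One lowercase SHA-1 per line, sorted and de-duplicated: the hash set.
build_hashset() {  # build_hashset DIR
    find "$1" -type f | while read -r f; do sha1_of "$f"; done | sort -u
}

# Files under DIR whose SHA-1 is not in HASHSET, printed as "sha1  path".
# Everything that matches a known file is dropped without further inspection;
# anything left (new, modified or user-created) is what the analyst looks at.
# grep -i copes with the uppercase digests NSRL ships.
unknown_files() {  # unknown_files DIR HASHSET
    find "$1" -type f | sort | while read -r f; do
        h=$(sha1_of "$f")
        grep -qixF "$h" "$2" || printf '%s  %s\n' "$h" "$f"
    done
}

# Demo: two "system" files known from the gold image, plus one unknown file.
demo_hashlist() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/gold" "$tmp/evidence"
    printf 'system binary\n' > "$tmp/gold/notepad.exe"
    printf 'another dll\n'   > "$tmp/gold/kernel32.dll"
    build_hashset "$tmp/gold" > "$tmp/known.sha1"
    cp "$tmp/gold/notepad.exe" "$tmp/gold/kernel32.dll" "$tmp/evidence/"
    printf 'many secrets\n' > "$tmp/evidence/secret.txt"
    echo "known hashes: $(wc -l < "$tmp/known.sha1" | tr -d ' ')"
    echo "files left to examine:"
    unknown_files "$tmp/evidence" "$tmp/known.sha1"
    rm -rf "$tmp"
}
```

A known-good hash only says the content is unchanged; a system file in an unusual location, or a known tool where none should be, is still worth a note in the timeline.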
Presentation: Reporting
• Report your findings in a document
• Another digital forensics expert should be able to follow your document and
– Come to the same findings
– Verify your findings
• Report facts, not guesses