Cyber Forensics Unit-2 Lecture Notes, Study notes of Forensics

Topics covered: Initial Response and forensic duplication; Initial Response & Volatile Data Collection from a Windows system; Initial Response & Volatile Data Collection from a Unix system; Forensic Duplication: Forensic Duplicates as Admissible Evidence, Forensic Duplication Tool Requirements, Creating a Forensic Duplicate/Qualified Forensic Duplicate of a Hard Drive

Typology: Study notes

2023/2024

Available from 05/30/2024

tanu-10


UNIT-II

Initial Response and forensic duplication:

Initial Response:

One of the first steps of any preliminary investigation is to obtain enough information to determine an appropriate response. The goal of an initial response is twofold: confirm there is an incident, and then retrieve the system’s volatile data that will no longer be there after you power off the system. Initial response is an investigative as well as a technical process.

Forensic duplication:

A forensic duplication is an accurate copy of data that is created with the goal of being admissible as evidence in legal proceedings. We also define forensic duplication as an image of every accessible bit from the source medium.

Volatile Data Collection:

Two basic types of data are collected in computer forensics:

Persistent (non-volatile) data is data that is stored on a local hard drive (or another medium) and is preserved when the computer is turned off.

Volatile data is any data that is stored in memory, or exists in transit, that will be lost when the computer loses power or is turned off. Volatile data resides in registers, cache, and random access memory (RAM). The investigation of this volatile data is called “live forensics”.

It is essential to the forensic investigation that the immediate state of a computer is recorded before shutting it down. Volatile information is lost once the suspect's computer is powered down, and this information may be crucial to the claim. When collecting data for a computer forensic investigation you want to collect the most volatile data first, as it will be lost the quickest. To avoid losing volatile storage on a mobile device, keep the device continuously charged. A computer system will lose volatile memory when it is powered down, so the only way to safeguard this evidence is to leave the system powered up until a forensics expert can salvage this memory.

Live Data/Volatile Data Collection from Windows System:

The main goal of live data collection is to obtain temporal or volatile data before forensic duplication. The scope of the initial response can be expanded by obtaining configuration files, system files, files that contain the attacker’s tools and suspicious programs, and log files, to confirm quickly whether the event has occurred or not. Here, the first step is to determine whether the system was used by the victim or the attacker. After that we need to create a Response Toolkit.

Creating a Response Toolkit:

A response toolkit is a collection of tools which are helpful to extract or read information from the system that was used by the victim or the attacker. We have to be careful not to destroy or alter the evidence, and to do this we need to create a response toolkit. An investigator should maintain a CD or a floppy that contains at minimum the tools described in the following table (tool: description; source):

  cmd.exe: The command prompt for Windows NT and Windows 2000. (Built in)
  PsLoggedOn: A utility that shows all users connected locally and remotely. (www.foundstone.com)
  rasusers: A command that shows which users have remote access privileges on the target system. (NT Resource Kit (NTRK))
  netstat: A system tool that enumerates all listening ports and all current connections to those ports. (Built in)
  Fport: A utility that enumerates all processes that opened any TCP/IP ports on a Windows NT/2000 system. (www.foundstone.com)
  PsList: A utility that enumerates all running processes on the target system. (www.foundstone.com)
  nbtstat: A system tool that lists the recent NetBIOS connections for approximately the last 10 minutes. (Built in)
  ipconfig: A system tool that displays interface configuration information. (Built in)
  arp: A system tool that shows the MAC addresses of systems that the target system has been communicating with within the last minute. (Built in)
  doskey: A system tool that displays the command history for an open cmd.exe shell. (Built in)
  netcat: A utility used to create a communication channel between two different systems. (www.atstake.com/research/tools/network_utilities)

2. Recording the system time and date: After executing the trusted command shell, it is a good idea to capture the local system date and time settings. This is important to correlate the system logs, as well as to mark the times at which you performed your response. The time and date commands are part of the cmd.exe application. The accompanying figure illustrates the execution of the date command, redirecting the output to a file called date.txt. The second command uses the append operator (>>) to add the output of the time command to the date.txt file. To indicate that you do not want to change the setting, press the Enter key.

3. Identify who has logged on to the system and who the remote access users are: It is necessary to identify which user accounts have remote access rights on the target system in order to respond to a system that offers remote access via modem. If several accounts access the system via Remote Access Services (RAS), you need to decide whether you want to pull the telephone lines from the system at the time of the response, since you may not want to allow any access to the target system while you are responding. The command used to determine which users have remote access rights (via RAS) on the system is called rasusers.

4. Record creation, access time, and all modifications made to files: To get a list of all the files and directories on the target machine, the dir command is used. It includes the size, access, alteration and creation times. The time and date stamps become evidence if they identify significant information about the time frame in which an event occurred. A Windows system performs the task of collecting time and date stamps very quickly. Examples of using the dir command to gather access, modification, and creation times:

  dir /t:a /a /s /o   Provides a recursive directory listing of all the access times on the drive
  dir /t:w /a /s /o   Provides a recursive directory listing of all the modification times on the drive
  dir /t:c /a /s /o   Provides a recursive directory listing of all the creation times on the drive

5. Identifying open ports: There are several networking commands available, of which netstat can be used to determine which ports are open. It also lists all listening ports and current connections to those ports. Volatile data, such as recently terminated connections and current connections, can be recorded using netstat.

As previously discussed, fport lists open ports and the applications listening on them, while netstat can be used to identify the IP addresses of remote systems and the current connections of the system. The arp networking command is used to map IP addresses to MAC addresses. The utility named nbtstat is used to access the remote NetBIOS (Network Basic Input/Output System) name cache, listing NetBIOS connections for approximately the last 10 minutes.

Live Data/Volatile Data Collection from UNIX System:

The main goal of live data collection is to obtain temporal or volatile data before forensic duplication. The scope of the initial response can be expanded by obtaining configuration files, system files, files that contain the attacker’s tools and suspicious programs, and log files, to confirm quickly whether the event has occurred or not. Here, the first step is to determine whether the system was used by the victim or the attacker. After that we need to create a Response Toolkit.

Creating a Response Toolkit:

It is difficult to create a trusted toolkit, and it takes a lot of time; the reason is that every variant of UNIX requires its own toolkit. In some cases, you may need to compile source code on your own, because some recommended tools are not included with the official UNIX system.

Obtaining Volatile Data:

We collect the following temporal/volatile data before forensic duplication:

  1. The date and time of the system.
  2. List of users that are currently logged on.
  3. The entire file system’s time and date stamps.
  4. List of sockets/ports that are currently open.
  5. Applications that are listening on the open sockets.
  6. List of processes that are currently running.
  7. List of systems that have current or recent connections to the system.

Following are the steps used for collecting the data:

1. Run a trusted shell: As discussed earlier, investigators should be careful about traps that have been implemented by an attacker, which will mislead the investigator into a wrong incident response. Running a trusted command shell is the first step in every response. The bash shell can be used for this purpose. By pressing Ctrl + Alt + T, we get the terminal shown in the accompanying figure.

2. Recording the system time and date: After executing the trusted command shell, it is a good idea to capture the local system date and time settings. This is important to correlate the system logs, as well as to mark the times at which you performed your response. The following command can be used to capture this information.

3. Identify who has logged on to the system: It is easy to identify who is logged on; we just need to execute the w command. The user IDs of logged-on users, the system they logged on from, and what they are currently executing are displayed by the w command.

5. Identify open ports: The most widely used command for listing open ports on a UNIX system is netstat. To view all open ports, use the -an command line argument with the netstat command.

6. List applications associated with open ports: The -p option of the netstat command is used to map the name of the application and its process identification number (PID) to open ports.

7. Identify the running processes: Taking a snapshot of the processes that are running during the initial response is difficult, but by using the ps command we can achieve this. The output will differ between UNIX flavors. The following command shows the running processes.
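The Windows and UNIX collection steps above share one shape: run trusted tools in most-volatile-first order, record the time around each step, and redirect every output to a file. The script below is an added example (not from these notes or any tool they name) that does exactly that for both step lists; the step names, output file names, the manifest layout and the toolkit_dir parameter are assumptions, and the tool names are the ones the notes' toolkit table gives.

```python
"""Volatile-data collector for the initial-response steps above (added example,
not from the notes): runs the toolkit commands most-volatile-first, timestamps
each step, and stores every output with its SHA-256 in a manifest."""
import hashlib
import os
import subprocess
from datetime import datetime, timezone

# Order follows the notes: date/time, logged-on users, open ports, ports mapped
# to apps, processes, file timestamps. "-anp" = -a/-n plus Linux netstat's -p.
UNIX_STEPS = [
    ("date", ["date"]),
    ("logged_on_users", ["w"]),
    ("open_ports", ["netstat", "-an"]),
    ("ports_to_apps", ["netstat", "-anp"]),
    ("processes", ["ps", "-ef"]),
]
WINDOWS_STEPS = [
    ("date", ["cmd.exe", "/c", "date /t & time /t"]),
    ("logged_on_users", ["PsLoggedOn.exe"]),
    ("open_ports", ["netstat.exe", "-an"]),
    ("ports_to_apps", ["fport.exe"]),
    ("processes", ["pslist.exe"]),
    ("file_access_times", ["cmd.exe", "/c", "dir /t:a /a /s /o"]),
]

def make_entry(name, argv, started, status, output):
    """Manifest record: what ran, when, how it ended, and a hash of the
    output so the saved file can later be shown to be unchanged."""
    return {"step": name, "command": " ".join(argv), "started_utc": started,
            "finished_utc": datetime.now(timezone.utc).isoformat(),
            "status": status, "bytes": len(output),
            "sha256": hashlib.sha256(output).hexdigest(), "output": output}

def run_step(name, argv, toolkit_dir=None):
    """Run one step. toolkit_dir (an assumption) is the responder's own media,
    so the trusted binary runs instead of the suspect system's copy. A missing
    or hanging tool is logged, not fatal: the remaining steps are still needed."""
    if toolkit_dir:
        argv = [os.path.join(toolkit_dir, argv[0])] + argv[1:]
    started = datetime.now(timezone.utc).isoformat()
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=120)
        output = proc.stdout + proc.stderr
        status = "ok" if proc.returncode == 0 else f"exit {proc.returncode}"
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        output, status = b"", f"error: {type(exc).__name__}"
    return make_entry(name, argv, started, status, output)

def collect(steps, out_dir, toolkit_dir=None):
    """Run every step in order; write <step>.txt files plus manifest.txt."""
    os.makedirs(out_dir, exist_ok=True)
    manifest = []
    for name, argv in steps:
        entry = run_step(name, argv, toolkit_dir)
        with open(os.path.join(out_dir, name + ".txt"), "wb") as fh:
            fh.write(entry.pop("output"))
        manifest.append(entry)
    with open(os.path.join(out_dir, "manifest.txt"), "w") as fh:
        for e in manifest:
            fh.write("\t".join(str(v) for v in e.values()) + "\n")
    return manifest

if __name__ == "__main__":
    for e in collect(WINDOWS_STEPS if os.name == "nt" else UNIX_STEPS, "response"):
        print(e["step"], e["status"], e["bytes"], e["sha256"][:16])
```

Run it from the responder's own media and keep the output directory there too, so nothing the collection writes lands on the suspect disk.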

Forensic duplication importance can be summarized as:

  1. Working from a duplicate image:
     (a) Preserves the original digital evidence.
     (b) Prevents inadvertent alteration of the original digital evidence during examination.
     (c) Allows recreation of the duplicate image, if necessary.
  2. Digital evidence can be duplicated with no degradation from copy to copy:
     (a) This is not the case with most other forms of evidence.

Forensic Duplicates as Admissible Evidence:

Digital evidence should satisfy the minimum criteria of legal standards. In the United States these standards are given by the Federal Rules of Evidence (FRE).

  1. FRE §1001 states that if data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an “original.”
  2. FRE §1002 requires an original to prove the content of a writing, record, or photograph. This means the item or information presented in court must be original. It follows from the best evidence rule: copying can introduce errors.
  3. FRE §1003 states that a duplicate is admissible to the same extent as an original unless: (a) a genuine question is raised as to the authenticity of the original, or (b) in the circumstances, it would be unfair to admit the duplicate in lieu of the original.

Forensic Image Formats:

  1. Complete Disk Image: The process of getting a “complete disk image” is meant to duplicate every addressable allocation unit on the medium. This includes Host Protected Areas (HPAs) and Drive Configuration Overlays (DCOs).
  2. Partition Image: Most forensic imaging tools permit you to specify an individual partition, or volume, as the source for an image. A partition image is a subset of a whole disk image and contains all of the allocation units from an individual partition on a drive. This includes the unallocated space and file slack present within that partition.
  3. Logical Image: A logical image is less of an “image” and more of a simple copy.
  4. Image Integrity: When a forensic image is created, cryptographic checksums are generated for two reasons. First, once the image is taken from a drive that is offline (static) and preserved, the hash is used to verify and demonstrate that the forensic image is a true and accurate representation of the original. Second, the hash is used to detect whether the data was changed since the point in time at which the image was created.

Traditional Duplication:

  1. Hardware Write Blockers: Write blockers are generally protocol bridges that contain modified firmware or an ASIC designed to intercept a subset of the protocol’s commands. With these in your kit, you can faithfully duplicate SATA, PATA, SCSI, SAS, and USB devices.
  2. Image Creation Tools: The three main tools we use are DC3dd, AccessData’s FTK Imager, and Guidance Software’s EnCase. Each has its pros and cons that make it more or less appropriate for a given scenario.

Forensic Duplication Tool Requirements:

Forensic duplication tools must satisfy the following criteria:

  1. The tool shall make a bit stream duplicate or an image of an original disk or partition.
  2. The tool shall not alter the original disk.
  3. The tool will be able to verify the integrity of a disk image file.
  4. The tool shall log I/O errors.
  5. The tool’s documentation shall be correct.
  6. The tool should create a mirror image or forensic duplicate of the original storage media.
  7. The tool must be able to handle read errors.
  8. The tool should not make any changes to the source medium.
  9. The tool must be able to stand up to scientific review. Results must be verifiable by a third party.
  10. If there are no errors accessing the source, then the tool shall create a bitstream duplicate or image of the source.
  11. If there are I/O errors accessing the source, then the tool shall create a qualified bitstream duplicate or image of the source.
  12. The tool shall log I/O errors in an accessible and readable form, including the type of error and location of the error.
  13. The tool shall be able to access disk drives through one or more well-defined interfaces.
  14. Documentation shall be correct, insofar as the mandatory and any implemented optional requirements are concerned, that is, if a user following the tool’s documented procedures produces the expected result, then the documentation is deemed correct.

Creating a Qualified Forensic Duplicate of a Hard Drive:

A Forensic Duplicate is a file that contains every bit of information from the source, in a raw bitstream format. A Qualified Forensic Duplicate is a file that contains every bit of information from the source, but may be stored in an altered form. Tools that create qualified forensic duplicate output files:

  1. SafeBack
  2. EnCase
  3. FTK Imager

1. Creating a Boot Disk: A clean operating environment is required for imaging a system. You must create an MS-DOS boot disk when imaging drives using DOS applications such as SafeBack or EnCase.

2. Creating a Qualified Forensic Duplicate with SafeBack: New Technology Inc. (NTI) offers SafeBack. It is used to make a qualified forensic duplicate of any hard drive. You need to have a clean environment ready on the floppy for the SafeBack application, because it runs from a DOS boot floppy.

3. Creating a Qualified Forensic Duplicate with EnCase: The most popular commercially available forensic tool is EnCase from Guidance Software. It provides an easy-to-navigate GUI. A flexible scripting language is included, allowing the examiner to customize the types of searches performed by the tool. The preview option is the most significant feature of EnCase: during the first stages of the investigation, you can use the preview function to quickly ascertain whether a computer system is material to the issue being investigated.

Creating a Forensic Duplicate

In today’s digital era, the use of devices is increasing more and more, and with it cybercrime is also on the rise. When such a crime occurs, the hard drive becomes an important part of the case, as it is crucial evidence. Therefore, during an investigation one cannot directly perform tasks on the hard drive, as it would then be considered tampered with. One can also lose data by mistake while performing tasks on it. Hence the necessity of a disk image.

Now that we have understood the importance and use of a disk image, let us understand what exactly a forensic image is.

What is a Forensic image?

A forensic image is an exact copy of a hard drive. This image is created using various third-party tools which can capture the image of a hard drive bit by bit without changing even a shred of data. Forensic software copies data by creating a bitstream which is an exact duplicate. The best thing about creating a forensic image is that it also copies the deleted data, including files that are left behind in swap and free space.

Now that we have understood all about forensic imaging, let us focus on the practical side of it. We will learn and understand how to create such an image by using five different tools, which are:

  1. FTK Imager
  2. Belkasoft acquisition tool
  3. EnCase imager
  4. Forensic imager

FTK Imager:

FTK Imager can create an image and paging file for Windows, along with capturing volatile memory for analysis purposes. After installing FTK Imager we can start by creating an image. To do so, go to the File menu and from the drop-down menu select the Create Disk Image option. After selecting Create Disk Image, it will ask you for the evidence type, i.e. physical drive, logical drive, etc. Once you have selected the evidence type, press the Next button to move further in the process.

Then select the type you want your image to be, i.e. raw or E01, etc., and click the Next button. It will then ask you to provide details for the image, such as case number, evidence number, unique description, examiner, and notes about the evidence or investigation. Click the Next button after providing all the details.

After this, it will ask you for the destination folder, i.e. where you want your image to be saved, along with its name and fragment size. Once you have filled in all the details, click the Finish button. The process to create the image will now start, and it will simultaneously inform you about the elapsed time, estimated time left, image source, destination and status.