When you're broke. Lots of companies or organizations, public organizations like the one I work for, are dealing with budget constraints now. It's a very real thing. You need a tool, or you think you need a tool, and it costs a lot of money. And how do you get that job done? You need people that are knowledgeable, problem solvers that can come up with those kinds of solutions. And after all my experience in the field, and poking around a bit, playing around with different stuff, I believe I found quite a few tools out there that can pretty much get the job of forensics done for a company. Which is kind of amazing that you don't have to pay $5,000 for something. So another thing, another thing I wanted to, a group of people I wanted to speak to, or anybody that's new to forensics, thinking about getting into forensics, I wanted to speak to them too. Because I want to show you what the forensic process looks like, what it's all about, what you're actually striving to do, and what kind of tools are out there for each step of the way. So I hope you guys get something out of that. This isn't like a, this isn't a presentation about, you know, listing all the free tools out there and, you know, training you on how to do them. This is just a, you know, this is what computer forensics looks like. These are the things you need to watch out for. And here's some tools along the way that can help you get each step of the process done. And I'm also going to demonstrate a few of those things. They're pretty simple demos. You'll see them along the way. So yeah, let's get into the meat of it. So the goals of forensics. What do you think the goal of forensics is? This is, I want to make this like an interactive class too. So feel free to raise your hand, okay? What's forensics? I mean, you can think like CSI, whatever. Yeah. Evidence. Evidence is definitely part of it. What's the, what's the aim of forensics? Figuring out what happened. Good. 
Those are, those are good accurate answers. Some people think that forensics is, oh you're trying to, you know, you're trying to analyze evidence to prove a point. I don't like that answer. I don't like that answer at all. I don't think forensics is about proving points. I think forensics is about reviewing the evidence and presenting the facts of a case. And points can be made based off those facts. So yeah, good answers. So yeah, you're trying to answer the who, what, when, why, and how, those kinds of questions. We're gonna go into the process of forensics more, but basically the way it works is you're gonna start out, somebody's gonna have a question about something. So for example, let's say I'm working at the university and, you know, somebody says that, oh so-and-so down the hall had, you know, nude ladies up on a screen last week or something like that. Well that rolls down to me and that's an allegation. That's got a specific, you know, time and date stamped on it for me. And so my goal at that point is to say, you know, did he look at that stuff at that point in time and present the facts around that. So that's kind of an example of something you'd be seeing. So like I said, explicit content. Another really practical one for like enterprise-wide environments is if you have a SIEM and you receive some kind of alert that there's malicious activity on whatever segment of your network. It's, you know, just blowing up traffic or whatever and it's coming from this IP address. That's another thing that I would go and analyze. I try to see what's on the, what's on that box, what's causing it and preserve the evidence there. So those are the goals of forensics. The process. This, I came up with this. This isn't like the official forensic process. This is just like, this is what I do every time. Every time I work on a case, this is what I do. Starts out with communication. What I mean by that is, it starts somewhere. You know, someone asks for my service. 
Someone's gonna ask for, if any forensic examiners are out there, they're gonna ask for your service to help you answer a question. So that's, that's kind of what I mean by communication. You might receive a telephone call asking you to do something, that kind of thing. So you got the first alert. Preserving the evidence. I would argue that preserving the evidence is probably the most important part of the forensic process. And why is that? What happens, what happens if I get it wrong? What happens if I don't preserve the evidence properly? Yeah. Yeah. The whole, I mean, that's the foundation. That's the foundation of your investigation. The integrity is just shot. The credibility is out the window. If you do it wrong, then, you know, down the road, if you end up in litigation and you got to stand before a judge, like, what are you gonna say? What are you gonna say about the integrity of an evidence, of the evidence? What's the attorney on the other side gonna say about you? You know? I'll get into, I'll get into that. I'm gonna go, so you can line out in more details about exactly what I mean with that and do some demos on that. All right. So, yeah. Let's move on. Oh, I'm sorry. Actually, yeah. Processing it. The evidence that you preserve it and then you process it. Processing has specific goals in mind. I'm gonna get into that. You analyze the evidence to try to answer the questions. And then, lastly, you're gonna report the findings to the person who asked you to do it in the first place. That's the forensic process in a nutshell. All right. Preserving the evidence. Look like that got more powerful. So, we already talked about why we do it, why it's important. There's some free tools out there. FTK Imager, a forensic Linux distribution such as CAINE, which stands for the Computer Aided Investigative Environment. Volatility and Redline are also wonderful tools. Preserving the evidence. Yeah, important. Credibility there. 
I want to talk about a couple concepts, forensic concepts. Write-blocking. Does anybody know what write-blocking is? I'm assuming we have... we've got newbies here. We've got, you know, middle of the road. We've got seasoned veterans. So, can somebody answer what's write-blocking? Yeah, back there. Right. Right, yeah. So, write-blocking. It's, yeah, it's exactly what it sounds like. You're blocking the ability to write to the piece of evidence. Not possible in all scenarios. I would probably use the example of cell phone forensics as one. That's not always possible to do that. So, yeah. What was I gonna say? Sorry. So, FTK Imager is a good tool to create a forensic image of something that's write-blocked. So, forensics. Thinking about traditional forensics and handling a crime scene per se. You wouldn't just go walking around on a crime scene moving things around. You wouldn't be placing new things on the crime scene. And that's essentially why we're using a write-blocker. We don't want to change anything about the piece of evidence because it's, like I said, the whole foundation of our investigation. Some Linux distributions. I mentioned CAINE. It's just a personal favorite of mine. There's other ones out there. CAINE is a forensic Linux distribution that enables write-blocking by default when you boot into it. So, for example, let's say I have a laptop that has a solid-state drive. You know, one of those that's, it's like, it looks like a little, I'm not a hardware guy. Looks like a memory stick almost and doesn't interface well with traditional SATA interfaces. I'm not really able to plug that in to anything. So, what I would do in that scenario is I would boot into something like CAINE or another Linux distribution just off the laptop itself. And it's gonna write-block everything and then I'm gonna plug in an external drive to it and I'm gonna image it. That's just how it goes. Speaking of imaging, does anyone know what forensic imaging is? Back. 
You're not saying it? Okay. Yep. Right, yeah. So, in traditional crime scenes you see the forensic guys, I'm just gonna call them, taking pictures and stuff of the evidence, you know, putting numbers by the evidence and whatnot. We're creating a forensic image of a hard drive or whatever the digital device is and we're, yeah, making an exact bit-by-bit copy of that hard drive, preserving it exactly how it was. So, yeah, that's what forensic imaging is. A couple other tools I listed there, Volatility and Redline. Those come into play for memory forensics and that's just a whole another ballgame. We're gonna be talking more about just doing traditional hard drive forensics today and doing my labs through that. But if you know anything about memory, RAM, whatever you want to call it, it's a volatile piece of evidence. That means as soon as you turn that computer off, you've cleared out the memory. And I won't go into, you know, all the tricks that you can do to actually preserve the actual memory using like freezing techniques and whatnot. But for all intents and purposes, the data is lost once the device gets turned off. So, yeah, so let's take a look at a demo. I'm just gonna turn the mic off here and going to fire up FTK Imager. Really simple demo, but I just wanted to show you like how easy it is to use a free tool like FTK Imager to create a forensic image of a hard drive. But, you know, saying that we're using a write blocker and that's the whole foundation of our investigation. I'm just going to show you how easy it is to just do it right. So, yes, that's a really good question. How do software write blockers compare to hardware write blockers? I've played around with that a little bit. I haven't actually used like a paid piece of software. It's my first inclination to go with a hardware write blocker every time, because that just kind of leaves, you know, bugs and things out of the scenario for the most part. 
If it's just cutting it off at the hardware level, I feel much more comfortable about that. So if I don't have that capability of having a hardware write blocker, I would try to implement a technique like booting into a Linux distribution where, you know, the policy is just set in the Linux distro to automatically write block. I've played with things where, you know, it's changed, you know, one bit in the Windows registry to turn off the ability to write to USB drives. It seemed to have worked in my testing. I just don't have 100% confidence in that though. So I hope that answers your question. All right, let's get into the lab. All right, so FTK Imager. We got it going on here. I am basically just going to go file and basically say create a disk image. We're creating an image of a hard drive, whatever. I'm going to select physical disk. I might run over on time if I keep asking questions like this. What's the difference between a physical drive and a logical drive? Can someone answer that? Yes. They're partitions, yes. So you'd be taking a forensic image of a partition, not the actual whole or everything that's on the physical hard drive. So we want physical drive. So we're just going to select that. All right, so we've got the physical drives listed there. We would then find our piece of evidence here that we're dealing with. You would see, you know, physical drive, zero, one, two, three, four, five, whatever, however many drives you have. And you would pick the most relevant one. Hit finish. It's going to ask you where you want to put the forensic image and what format you'd like to store it in. It gives you a few options here. You have the ability to store it in just a raw, as a raw DD image. That's just, this is bit by bit everything that's on the disk. There's no compression, nothing like that. So if you have a two terabyte drive you are doing a forensic image of, your raw forensic image is two terabytes as well. So you got to be smart about that. 
Typically the formats you're going to see are raw DD and E01 formats. The E01 format is the EnCase witness format and it has compression capabilities. You can do just a little bit of a compression and all the way to super crazy and that will change how long it takes for your forensic image to be made. So we're just going to select raw. At this point you're going to see, it's going to ask you for case number, evidence number, description, your examiner name, all that kind of stuff. It's good to try to fill in as much as you can. Especially if you have to produce a forensic image to the other side in the courtroom and they would like to analyze it, they will care about this kind of documentation. Next, select the destination, give it a name, and you're finished. And it's good. And that's all there is to it. That's all there is to creating a forensic image there. Okay, as you can see it's very simple. Processing the evidence. So this is really where I think the experience in forensics training comes into play. Because you're trying to figure out, okay, what kind of question am I answering here? What's the whole reason I'm doing this case? Like we said, are we looking for, you know, explicit content on somebody's computer on a certain date? That's the goal of my investigation. Am I going to check and see that, is there this kind of activity on that date? So by reviewing the goals and trying to remember them, you're setting yourself up to process the evidence in an efficient way. Give me a second here. Okay. So some tools to do this. Free tools. You can write them down if you want. log2timeline. Redline. Volatility. I mentioned those already. RegRipper. Wireshark. Snort. Scalpel. PhotoRec. ClamAV. VirusTotal. And LiME. So obviously I'm not taking credit for any of these tools whatsoever. There's amazing authors out there in the forensic community. Some of which I can't even pronounce their names, like log2timeline. So some of the concepts I want to go over. 
Timeline analysis. Why would you think this is important? Yeah, you're just trying to prove, did something happen at a certain time on a computer? It also, for example, if we're dealing with like a piece of malware or something, you might see a series of events occur on a computer. In which case, timeline analysis is super helpful for trying to figure out the whole story of that piece of malware. Deleted file recovery. I hope that we all know that when we delete something on a hard drive, it's not gone forever. Metadata analysis. We're reviewing pieces of information about a specific file. So a piece of metadata would be like a timestamp, like the created time of a file, the modification time of a file. Those could be important. Worked on a case where there was someone trying to forge a will to gain sole ownership over a company that this guy was passing along in his will. So he's trying to forge a will. Just simple metadata analysis right there on a PDF file. Who the author was, when was the last modified time of it, the creation time of it. Just answering simple questions and that's, you know, what helps solve the case. Memory forensics. We talked about that. Capturing. Instead of doing like a forensic image of a hard drive, you would basically be capturing the live memory of a computer and performing forensics on it after you captured it. Tools like Volatility and Redline can assist you in that. Even FTK Imager can actually dump memory. Network forensics. That's usually important when you're dealing with a piece of malware and you have an outbreak on your network of an infection and you're trying to see what's communicating with what. Data exfiltration could possibly be seen by network forensics as well. And lastly file carving. Does anybody know what file carving is? Yeah. File carving. Yeah. Go ahead. Sure. So, and one of the examples I have of a file carver is Scalpel and PhotoRec. 
So, the way file carving works is you have to kind of think, okay, what is a file? What is a file? Like how does the computer know what an Excel file is? How does a computer know what a PDF document is? Or so on so forth. Has anyone heard of the magic numbers at all? Yeah. Magic numbers. So, I don't call them magic numbers. I usually call them headers and trailers. Hexadecimal numbers that will identify the signature of a file type. So, it helps the operating system know how like what is an Excel file? What's a PDF file? So, these tools like Scalpel and PhotoRec, they use the magic numbers to scan your the hard disk or whatever whatever piece of evidence you're working with. Find matches for those and then pull them out. Carve them out. So, what could you do with that? I mean, if you have lots of deleted files on a computer and you're not able to recover them by conventional means, you can carve them out based on their file signatures. They're still there if they haven't been overwritten by other data on the hard drive. So, goodness gracious. So, let's do let's do a demo of log2timeline real quick. We're just gonna do a quick timeline generation. Okay, so this is how easy it is. So, I want to make a timeline of all of the data on a computer. It's it's seriously just one command there. So, I'm using, you may notice that the command says, hopefully that's easy to see for you guys, it says psteal.exe. log2timeline is actually a part of a set of tools called the Plaso tools. I believe that's how you pronounce it. psteal is one particular piece of functionality from log2timeline. Basically, you're just saying that I want you to generate the entire timeline of absolutely everything on this piece of evidence. Whereas log2timeline, you might be able to customize it a little bit more. Say, I only want artifacts in the Windows system 32 folder or something like that. And it'll generate a timeline based on that. 
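To make the header-and-trailer idea concrete, here is a small signature-based carver. It is an added example written for this transcript, not code from the speaker or from Scalpel or PhotoRec: it scans a constructed byte buffer standing in for unallocated space, looks for the well-known JPEG, PDF and PNG headers, reads forward to the matching trailer, and caps the carved size when the trailer has been overwritten (the case where a deleted file is only partly recoverable). The filler text, the sample files and the size cap are all constructed for the demo.

```python
from dataclasses import dataclass

# Headers and trailers ("magic numbers") for three common types. The byte values are
# the standard ones for these formats; the table is deliberately short for the demo.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

# Without a trailer we cannot know where a file ends, so carve at most this much.
MAX_CARVE_SIZE = 1024 * 1024  # constructed limit for the example


@dataclass
class CarvedFile:
    kind: str
    offset: int      # byte offset in the evidence where the header was found
    length: int      # bytes carved (up to and including the trailer, or the cap)
    data: bytes


def carve(image: bytes, max_size: int = MAX_CARVE_SIZE) -> list[CarvedFile]:
    """Scan the whole buffer for every known header; cut out header..trailer spans."""
    found = []
    for kind, (header, trailer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            window_end = min(len(image), start + max_size)
            # Look for the trailer only after the header, and only inside the size cap.
            end = image.find(trailer, start + len(header), window_end)
            if end == -1:
                # Trailer overwritten or beyond the cap: keep a bounded fragment so the
                # examiner still sees that a file of this type once started here.
                length = window_end - start
            else:
                length = end + len(trailer) - start
            found.append(CarvedFile(kind, start, length, image[start:start + length]))
            start = image.find(header, start + length)
    # Report in disk order regardless of which signature matched first.
    found.sort(key=lambda f: f.offset)
    return found


# --- constructed sample "unallocated space" (not real evidence) ---------------------
FILLER = b"unallocated " * 8                      # 96 bytes of bland filler
FAKE_JPEG = b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 20 + b"\xff\xd9"
FAKE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"
FAKE_PNG_PARTIAL = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 20  # no IEND


def build_sample_image() -> bytes:
    """Two intact files and one whose trailer has been overwritten by filler."""
    return FILLER + FAKE_JPEG + FILLER + FAKE_PDF + FILLER + FAKE_PNG_PARTIAL + FILLER


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f"{f.kind:3} at offset {f.offset:5} length {f.length:5}")
```

Real carvers also handle nested signatures (a JPEG thumbnail embedded inside another JPEG) and fragmented files; this version stops at the first trailer it sees, which is enough to show why the header alone never tells you where a file ends.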
psteal.exe, it's just saying, the full kitchen sink, give it all to me. So, commands just psteal.exe dash dash source, tell where my piece of evidence is. And then, dash W, I tell it where I want to output just a text file in CSV format. So, here we go. So, this is what you end up with. It's gonna spit out a CSV file. It's gonna just, you have these different headers for the columns here. You got the time stamp, time stamp description. It's gonna tell you, what does that even mean? Where is it getting this time stamp from? The source, is it just file system metadata like creation time, the file last access time? Or if you go down here, let's see. There's different types of metadata and it will kind of list them out. It says meta, yeah, so there you go. Tells you the source there, tells you the message. So, the message is kind of just like, let me expand it out here. It's gonna be like the name of a file, a little bit of information there. So, this particular file is a PowerPoint file. So, it's pulling a piece of metadata, the description of the file there. Tells you which log2timeline parser it used to get that information and the display name of the file. So, this one you can see is just a secret project design concept dot PowerPoint. So, there you go. Where does it pull all the information from? So, if I took a forensic image of a hard drive, who asked the question? So, I can just look at you. Great. So, if I took a forensic image of a hard drive and then ran psteal or log2timeline or whatever against that hard drive, it's going through there. It's gonna, it's gonna find the partitions, like Windows partitions or recovery partitions, whatever it sees. And then it's going to pull all the information from the master file table is one thing. And the cool thing about log2timeline that I actually really like over a lot of enterprise tools is that it will do things, it'll like expand out. 
For example, Windows event logs just automatically throw that in there with regular file system metadata. And so, yeah, it pulls it from the master file table. And if any other files, like such as office documents that are written in XML format, they have some different metadata fields and will pull that as well. So, I hope that answered your question. Okay, cool. That's awesome. Sadness. I'm just gonna have to rob you guys of the slideshow. So, reviewing, going back to the forensic process, the next step would be analyzing the evidence. Basically, when I analyze stuff like that, you can see it's just like in a spreadsheet. It's not like in any like fancy tool or whatever. So, I mean, if you have access to Google Docs, like what I just showed you up there, you can analyze the timeline of a computer. So, we analyze and, yeah, we analyze spreadsheets, we can analyze a notepad, terminal, command prompt, looking at the output of certain commands. What is something, so when you're using all these different tools, what is something to consider as far as, let's say you're working on a case that might have to go to litigation, what is an important consideration of using some of these tools? Yes? Has it been validated in court? Have I validated it myself? Like, I mean, that has some power in itself that, hey, I ran my own tests on this. I mean, when you think of traditional forensics and CSI or whatever, like what are they doing in those shows? They're like, they're running tests, like all the time. It's got to be the same thing. You have to validate that kind of stuff. You have to know what you're talking about. You have to be accurate. Accuracy is so important. I worked on this case back in California where there is, I was a forensic examiner on the case and there was one on the opposing side as well, and we were talking about USB timestamps. When a USB was plugged in, when it was unplugged, that kind of thing. Files being moved to it. 
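The super-timeline the speaker demonstrates is, at its core, a merge: take timestamps from unrelated artifacts, normalize them to one clock, and sort. The script below is an added illustration written for this transcript, not Plaso or psteal code, and it runs over constructed sample artifacts (an MFT-style file record list, one event log entry, and the internal metadata of an Office document, none of them from a real case). The column names follow the CSV the speaker shows; the parser labels are illustrative, not Plaso's own parser names.

```python
import csv
import io
from datetime import datetime, timezone

COLUMNS = ["datetime", "timestamp_desc", "source", "message", "parser", "display_name"]

# Constructed sample artifacts (not real evidence), standing in for what a timeline
# tool extracts from a disk image.
MFT_RECORDS = [
    {"path": "C:/Users/alice/Documents/secret_project_design_concept.pptx",
     "created": "2015-03-02T14:05:10Z", "modified": "2015-03-04T09:12:33Z",
     "accessed": "2015-03-04T09:12:33Z"},
    {"path": "C:/Windows/System32/suspicious.dll",
     "created": "2015-03-03T22:41:07Z", "modified": "2015-03-03T22:41:07Z",
     "accessed": "2015-03-03T22:41:09Z"},
]
EVENT_LOG = [
    {"time": "2015-03-03T22:40:58Z", "channel": "Security", "event_id": 4624,
     "message": "An account was successfully logged on: alice"},
]
OFFICE_METADATA = [
    {"path": "C:/Users/alice/Documents/secret_project_design_concept.pptx",
     "creator": "alice", "title": "Secret project design concept",
     "modified": "2015-03-04T09:10:00Z"},
]


def parse_utc(stamp: str) -> datetime:
    """Every source keeps time its own way; normalise to UTC before merging."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(mft=MFT_RECORDS, evtx=EVENT_LOG, office=OFFICE_METADATA) -> list[dict]:
    """Flatten each artifact into one row per timestamp, then order by time."""
    rows = []
    for rec in mft:
        # File system metadata yields several timestamps per file; each gets a row.
        for desc in ("created", "modified", "accessed"):
            rows.append({"datetime": parse_utc(rec[desc]),
                         "timestamp_desc": desc.capitalize() + " Time",
                         "source": "FILE", "message": rec["path"],
                         "parser": "mft_sample", "display_name": rec["path"]})
    for ev in evtx:
        rows.append({"datetime": parse_utc(ev["time"]), "timestamp_desc": "Event Time",
                     "source": "EVT",
                     "message": f"[{ev['event_id']}] {ev['message']}",
                     "parser": "evtx_sample", "display_name": ev["channel"]})
    for meta in office:
        # Document-internal metadata is a second, independent clock for the same file.
        rows.append({"datetime": parse_utc(meta["modified"]),
                     "timestamp_desc": "Document Modified Time", "source": "META",
                     "message": f"Title: {meta['title']}; Author: {meta['creator']}",
                     "parser": "office_meta_sample", "display_name": meta["path"]})
    rows.sort(key=lambda r: r["datetime"])  # stable: ties keep insertion order
    return rows


def events_between(rows: list[dict], start: str, end: str) -> list[dict]:
    """The analyst's question: what happened on this box in this window?"""
    lo, hi = parse_utc(start), parse_utc(end)
    return [r for r in rows if lo <= r["datetime"] <= hi]


def to_csv(rows: list[dict]) -> str:
    """Render in the psteal-style column layout so it opens in any spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    for r in rows:
        writer.writerow({**r, "datetime": r["datetime"].strftime("%Y-%m-%dT%H:%M:%SZ")})
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_timeline()))
```

Filtering the merged rows to a two-minute window around the logon shows the kind of sequence the speaker mentions for malware cases: the logon event followed seconds later by a new DLL appearing under System32, which no single source would show on its own.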
It was a theft of trade secrets case. I used a particular tool to analyze the USB timestamps. He used a different one and we came up with different results. Hmm, how does that happen? We're both forensic examiners. We should both be right somehow, right? So my boss is like, what happened? You know, like looking at me like, you messed up. You know, that kind of thing. So I'm like, I'm going into like the Windows Registry. I'm pulling out the timestamps manually. I'm not relying on a tool to do it for me. Pulling them out manually. Validating those timestamps that I originally produced were accurate. And so I'm like, okay, well where is this guy getting his timestamps from? And eventually they produced their report. And I take a look at the report and I can kind of tell like, oh, I've used this tool before somewhere. And you know, I do some googling. I'm like, yeah, it's this tool. So I like go on their website. I start playing around with it. And I start reading the fine print on the website. And it was something as silly as not compatible with versions of Windows after Vista or something like that. And that was it. That was it. It was a Windows 7 computer. That was it. And he used, so he used it, that tool. It wasn't compatible with Windows. Sure enough, we go and try to validate that. And we came up with the timestamps he did on the same piece of evidence. So you really have to consider, consider accuracy of these tools. And how important that can be. And you know, if it makes or breaks the case. So yeah. Right. So a lot, a lot of tools nowadays, man, how do I answer that? It depends on your tool set for sure. There are some tools that can take an image of just an encrypted hard drive. Let's say it's just encrypted with like BitLocker. And you throw that, you point that forensic tool to the image. It says, oh yeah, it's encrypted with BitLocker. Give me the recovery key. Punch in the recovery key. Voila. And it's opened up. 
Some of our tools that we deal with, you might have to get kind of weird with them. I imagine that, you know, perhaps if you mounted an encrypted disk image to, like, that's encrypted with BitLocker to Windows. How many minutes? 20 minutes? Thank you. I imagine if you mounted that encrypted image to Windows, that it might see it as a BitLocker encrypted drive. I can't, I've never done that, so I can't accurately answer that. But yeah, some of these tools do handle encrypted hard drives or allow you to move forward from there. There's different ways to solve the same kind of problem. You just have to figure out how you want to approach taking the forensic image. That is a very good question though, especially if you get like a laptop or something. Asking them right off the bat, does this laptop have its hard drive encrypted? So yeah, good point. The last thing I want to talk about with the forensic process is reporting. That's like the kind of whole point of this. We're given the answers. I'm not gonna talk too much about reporting because this isn't a class about how to write a report. You can figure that out on your own. There's some tools out there to do it. OpenOffice, LibreOffice, Google Docs. Whenever you're writing a report for anything at all, for any kind of technical report, you have to consider who your audience is. Who am I talking to? Am I talking to the chief information security officer? Am I talking to an attorney? Am I talking to an executive? Depending on who the person is, there's some assumption of technical knowledge there. You know, an attorney is probably gonna know less about techie techie stuff than a CISO is. So you have to kind of consider who your audience is and man, is that a challenge of computer forensics. Communicating like super technical information in just a layman's terms kind of way. 
Your report could go to the courtroom, could be you know put in front of, what is it, just put in front of the courtroom and people need to understand that, learn how to process that evidence. So yeah, reporting is a huge part. So all that said, I'm kind of winding down here. We have all these free tools out there. We have the knowledge of the forensic process. Where does that leave us now? What are the capabilities of that? And this is kind of what I've been experimenting with lately is, am I able to, with a little programming and scripting knowledge, am I able to make a very nice fluid process on how to create a forensic image, process it in the way I want it processed and produce the exact kind of information that I care about? The answer is absolutely yes, you can do that. With a little, little bit of scripting knowledge, a little bit of programming knowledge, you can automate just about any kind of forensic task out there. Another thing to consider, especially with memory forensics, which I didn't talk too much about today, is baselining your evidence. So you, you might have one particular image running on, you know, all your Windows desktops at your company. They're all gonna have the same kind of processes sitting in the memory out there. Can we baseline that to make our investigation a little more efficient down the road? Yeah, we can. We absolutely can. Another thing I want to make clear before I wrap up, and if you guys have questions, I left some time for that, but another thing I want to make clear, I love, I love forensic tools that you pay for, so I'm not bashing them today. I just wanted to, I wanted to highlight the, the possibilities of these free tools out there, and how, where they fit in the forensic process. And hopefully I did a good job of that. Hopefully you guys got a good understanding, or at least a good overview of the forensic process, and how these tools can be useful to you. 
And just thinking about how we can even automate them after we've mastered using them in the future. So yeah, there's plenty of enterprise-level, paid-for forensic tools out there that I use. They're awesome. They have their purpose. So yeah, anybody have some questions for me? Yeah? What's that? That's, that's a great question. How do you do forensics in the cloud? Wow. So I've come across this a few times. So it really depends on what kind of piece of evidence it is. So let's take like an Amazon web server, for example. Depends on what kind of service that server is hosting up. The type of way I'm going to connect to it. So am I just gonna traditionally authenticate to it, like I normally would with an Amazon web server? Some tools out there have that built into them, where you say, point me to a server, an Amazon web server, or a Gmail account even. And you pop in the credentials and it's going to pull down the data from there. Now, considering that, it makes you wonder, like okay, we talked about preserving the evidence, write blocking things earlier. What, you know, what does that mean for like cloud information? How do we, like what does that, what does that mean? Does that like totally get rid of the credibility of the evidence at that point? And not necessarily, no. What we will try, what we try to do as forensic examiners is be honest about the data. Especially like, for example, if we made a mistake in collecting the data, it's not good to lie. It's not good to say, oh you know, well that's normal, that's normal behavior. Or you know, like other forensic examiners do that. No, we mess up. We have to own it. We got to be responsible. We have to say, this is what I changed about the evidence. And take responsibility for it and move forward from there. So same kind of thing with cloud data. We have to recognize it for what it is. We show the steps that we took to collect that data. We document everything so it can be reproduced. 
Same thing with memory forensics too. Yeah, go ahead. Sure, chain of custody. Yeah, that's a really good question. So I don't use any particular software to handle chain of custody. Chain of custody can really, I guess I could say Adobe PDF or whatever, you know. Like you could make a PDF document of a chain of custody form. And depending on what organization you work with, or if you're just like a private contractor, you could dish those out to people along the way. As soon as that evidence comes into play, like let's say you're gonna be working with the server admin. He's gonna be, that's gonna be the first name on the chain of custody. And the server room is gonna be where it came from. That kind of thing. Does that kind of answer your question at all? Right, right, yeah. And you really want to be involved in the process from the start. And try to just kind of butt your way in there as soon as you can. Because like if any of this information is new to you, it's new to other people out there too. They don't know like how to preserve things. And they might change things about a piece of evidence before it even comes to you. And you need to know that. You need to know that information. Really common thing is, I'm just gonna shut the server down. Like well, it might be important, you know. So yeah. Any other questions? Yeah, I'm sorry, an online service. Yeah, okay. I'm not sure I understand the question. I'm sorry. Sure, okay. Gotcha, okay, yeah. Okay, okay, right. Oh that's, I gotcha. Okay, that's an excellent question. So especially, yeah, like if you're dealing with something like child pornography that's super serious. So I've worked with a few of those cases. And typically because I'm not law enforcement, it gets passed along pretty quickly. It's my obligation if I'm dealing with child pornography, any kind of case like that, as soon as I know that's what I'm dealing with, it's gone. Like bye-bye. Calling the police, calling the FBI, whatever. 
It's going to them. So to answer your question, they would have to subpoena the ISP to get that information.