Computer criminology (forensics) – review of tools and training grounds

8 May 2023 5 minutes Author: Cyber Witcher

The history of digital forensics and its tasks

Digital forensics appeared in the mid-1970s as one of the areas of computer forensics and for a long time was focused mainly on cyber attacks, data leaks and other similar cases. Over the next 50 years, digital forensics has evolved, changed, and now exists as a separate field (it even has its own ISO standard since 2005). Specialists employed in digital forensics restore any data deleted from various gadgets, provide the necessary digital evidence for legal proceedings, help special services establish the identity of the criminal and determine a possible motive for the crime. In addition to the relevant divisions within the intelligence services, many private firms have appeared around the world providing services from conducting research to collecting digital evidence: for example, Business Intelligence Associates, FireEye, AccessData abroad, and Group-IB Laboratory in the Russian market. But like other industries, digital forensics faces its challenges. The main one is the difficulties associated with adding digital data to the case file by the court.

Sometimes providing “electronic” evidence can be difficult due to its specific nature and the court is not always ready to accept it; sometimes there are differences of opinion regarding the interpretation of the digital data already attached to the case. One of the most vivid examples of such an ambiguous interpretation of collected digital evidence is the case of Casey Anthony, which remains one of the most mysterious trials in the history of US justice.

Digital Evidence & Forensics Toolkit: DEFT Linuih

This distribution is developed on the Lubuntu platform and is equipped with a user-friendly graphical interface. In addition, a set of profile utilities has been added to the product, ranging from antiviruses, search engines for information in the browser cache, network scanners and utilities for detecting rootkits, ending with tools necessary when searching for data hidden on the disk.

The main purpose is to carry out forensic activities – analysis of the consequences of hacking computer systems, determination of lost and compromised data, as well as to collect the so-called digital evidence of cybercrimes.

Frameworks

One of the most popular frameworks is the Volatility Framework, a framework for examining images of RAM contents and extracting digital artifacts from volatile memory (RAM).

Extracted data:

  • Date and time;

  • List of running processes;

  • List of open network sockets;

  • List of open network connections;

  • List of loaded libraries for each process;

  • Names of open files for each process; memory addresses;

  • OS kernel modules;

  • Mapping of physical displacements to virtual addresses.

List of supported RAM images for the following operating systems:

  • 32-bit Windows XP Service Pack 2 and 3

  • 32-bit Windows 2003 Server Service Pack 0, 1, 2

  • 32-bit Windows Vista Service Pack 0, 1, 2

  • 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)

  • 32-bit Windows 7 Service Pack 0, 1

  • 32-bit Windows 8, 8.1, and 8.1 Update 1

  • 32-bit Windows 10 (initial support)

  • 64-bit Windows XP Service Pack 1 and 2 (there is no SP0)

  • 64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0)

  • 64-bit Windows Vista Service Pack 0, 1, 2

  • 64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0)

  • 64-bit Windows 2008 R2 Server Service Pack 0 and 1

  • 64-bit Windows 7 Service Pack 0 and 1

  • 64-bit Windows 8, 8.1, and 8.1 Update 1

  • 64-bit Windows Server 2012 and 2012 R2

  • 64-bit Windows 10 (including at least 10.0.14393)

  • 64-bit Windows Server 2016 (including at least 10.0.14393.0)

  • 32-bit Linux kernels 2.6.11 to 4.2.3

  • 64-bit Linux kernels 2.6.11 to 4.2.3

  • 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn’t supported)

  • 32-bit 10.6.x Snow Leopard

  • 64-bit 10.6.x Snow Leopard

  • 32-bit 10.7.x Lion

  • 64-bit 10.7.x Lion

  • 64-bit 10.8.x Mountain Lion (there is no 32-bit version)

  • 64-bit 10.9.x Mavericks (there is no 32-bit version)

  • 64-bit 10.10.x Yosemite (there is no 32-bit version)

  • 64-bit 10.11.x El Capitan (there is no 32-bit version)

  • 64-bit 10.12.x Sierra (there is no 32-bit version)

For testing the framework, I recommend using ready-made RAM images

  • DFF (Digital Forensics Framework) – framework for forensic analysis, the interfaces are presented as both command line and GUI. DFF can be used to investigate hard drives and non-volatile memory and generate reports on user and system activity.

  • PowerForensics provides a single platform for real-time hard drive forensics.

  • Sleuth Kit (TSK) — is a set of digital forensics command-line tools that allow you to examine data on hard disk volumes and file systems.

  • bulk_extractor — allows you to extract information using special scanners (mail, credit card number, GPS coordinates, phone numbers, EXIF data in images). The speed of operation is achieved due to the use of multithreading and working with the hard disk “directly”.

  • PhotoRec — a multi-system platform for searching and extracting files from the studied images of operating systems, CDs, memory cards, digital cameras, etc. The main purpose is to retrieve deleted (or lost) files.

Analysis of network interaction

SiLK (System for Internet-Level Knowledge) — designed for efficient collection, storage and analysis of network flow data. SiLK is ideal for backbone or border traffic analysis of a large, distributed enterprise or medium-sized ISP.

Wireshark — this network packet analyzer (or sniffer) can be effectively used to analyze traffic (especially malicious). One of the most popular tools. The functionality that Wireshark provides is very similar to that of tcpdump, but Wireshark has a graphical user interface and much more options for sorting and filtering information. The program allows the user to view all traffic passing through the network in real time, putting the network map in promiscuous mode.

(Українська)

Матеріал для вивчення

Для того щоб проводити ті чи інші дії з аналізу даних необхідно мати базис теоретичного матеріалу з розслідування кіберзлочинів. Для цього я рекомендую ознайомитися з такими виданнями:

  • Darren Quick, Ben Martini, Raymond Choo: Cloud Storage Forensics

  • Suzanne Widup: Computer Forensics and Digital Investigation with EnCase Forensic v7

  • Brian Carrier: File System Forensic Analysis

  • Brett Shavers, John Bair: Hiding Behind the Keyboard: Uncovering Covert Communication Methods with Forensic Analysis

  • Philip Polstra: Linux Forensics

  • Jonathan Levin: Mac OS X and iOS Internals: To the Apple’s Core

  • Ric Messier: Operating System Forensics

  • Satish Bommisetty, Rohit Tamma, Heather Mahalik: Practical Mobile Forensics

  • Michael Hale Ligh, Andrew Case, Jamie Levy, AAron Walters: The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory

  • Harlan Carvey: Windows Registry Forensics, Second Edition: Advanced Digital Forensic Analysis of the Windows Registry

  • Laura Chappell: The Official Wireshark Certified Network Analyst Study Guide

Практичні майданчики

Для тестування перерахованого вище інструментарію можна скористатися спеціалізованими платформами або образами для аналізу, представленими на візуалізованій mindmap. Як перші зразки для тренування рекомендую:

Other related articles
Found an error?
If you find an error, take a screenshot and send it to the bot.