How to approach a case: Digital evidence analysis

The trojan did it defense, touched upon but because a group were going to represent it later it was basically skipped for now.

Repetition from last time

• Hard drive evidence acquisition: write blocker, imaging, hashing
  
• Media analysis: how to read it, how to decode the data
  
• File system forensics: unallocated space and and file slack
  
• Meta data and deleted files: dates, access/user, references
  
• Live forensics vs post mortem: It's powered, impact of evidence integrity --> chain of custody.
  
• Remote forensics: Accusation across the network.
  

The objective is determined by the situation. It could be forgery of documents, usage of pirated software, detecting malware, or other illegal action using or utilizing computing devices. It's important to be objective and the findings must be repeatable.

The target of analysis is all available data and the goal is to correlate between different sources like workstations, network equipment logs (firewalls, IDS, routers) and third party hosts (DNS, web servers). Cell phones and other embedded devices in addition to backup media can be important sources.

It is important to be aware of the dependencies or assumptions made in higher layers of abstraction. Instead of trusting a file extensions one can search for file signature analysis, remember to unpack archived files and backup files for searching and restoring deleted files. The goal is to find the "hidden" data.

Time line analysis is an important tool for understanding the events. Note the real system clock (bios) from acquired machines, not time zone and be aware that drift and manipulation of time is possible but even that can leave traces like "out of order" events in the filesystem. A basic but easy mistake to do could be when tracing an IP for an end user given a time. IPs are usually allocated dynamically from ISPs and could belong to someone else if the timing is not correct.

Presentations

• Cross evidence to identify malware: Searching and clustering bad files across multiple VM machines
  
• Uncertainties of digital evidence: Basically concluded that all evidence can theoretically be tampered with
  
• Social networking applications on mobile devices: Twitter, FB and MySpace data on Android, iPhone and Blackberry phones
  

Methods for finding interesting evidence artifacts:

• File hash signature analysis: separate known good and known bad files by hash value, find identical files and similar files (fuzzy hashing).
  
  
  
  
  
• String extraction: using key word search for things like bank accounts, IP adresses or other relevant criteria. One possible obstacle is usage of different encoding.
  
• Malware detection: Try to find malware by using malware scanners (file hashing search will probably find some to) and root kits. Use "dual tool verification" by using more than one tool.
  
• Analyze malware: try to track possible "bot masters" by searching for similar files on many machines for clues (common nominator), "priding" (string search for initials or nicks, even passwords hidden in executables) in malware
  
• Handling encrypted evidence: dictionary attacks, rainbow tables, brute force. Get keys from live systems. Get clues from one machine that could be a key to another machine.
  

Active research areas: Automated analysis creating tools like Encase, AccessData FTK, Fiwalk, Digital forensics framework, pyFlag. The main issue has to do with creating tools and methods that can help the investigator to spot "bad" behavior and doing so in a way that is both general and not easily avoided by bad guys (said in a simple stupid way). It's easy to automate but hard to make a machine "understand". Another goal is to reduce risk of mistakes made by humans by automating tasks that are well understood and easy to make mistakes on.

More presentations

• Cross evidence to identify malware: Once more..
  
• The trojan horse did it: In a court deciding on whether the human or malware is to blame for an illegal action
  
• Cryptographic keys in volatile memory: Finding symmetric block cipher keys like AES, TwoFish and Serpent using tool Interrogate
  
• Digital forensics in cloud: Extracting evidence from Amazon cloud services using common tools