πŸ—’οΈ Forensic Investigation Methodology


Before this process starts, some incident response has probably already been done, or even finished (refer to https://bakerst221b.com/docs/dfir/ir-checklist/).

Identification/Assessment (aka Preparation)

In short, understand your scope (technical and legal aspects), your goals and the people you are going to work with. Identify the stakeholders. Decide on the tools.

Scope

🖼 Get the scope for your investigation!

Choose the appropriate media.

❓ What’s the file system and OS of the target media? Depending on the answer you might need to format the evidence drive appropriately and assemble a flash drive with the tools needed.

Choose the acquisition method.

❓ Will there only be live or dead acquisition? ❓ Will you make a logical backup (which doesn’t copy everything: slack space, free space and deleted files are missed) or an image (bit-by-bit copy)? ⚠️ The latter should not be used on a live system!

Sterilizing Target Media

See here for media sterilisation.

Collection

Evidence collection begins with the first response and arriving at the scene (how weird….). The person collecting the evidence assumes the role of a first responder. They are not always digital forensic experts. Opponents will try to discredit their work. That’s why it’s so important to use industry-accepted tools and know the digital footprint of these tools (checked on a monthly basis). For each media type there is a separate section under Incident Investigation -> Collection on this website - https://bakerst221b.com/docs/dfir/investigation/collection/.

There are several important notes to keep in mind:

❗️Document everything. Before anything can be acquired, it needs to be properly documented first. The first responder needs to record all the findings in the Chain of Custody form.

❗️Take photos and videos before touching anything. These photos/videos need to have proper time-stamping.

❗️Never perform any analysis on the original media! Any analysis and investigation is only performed against a copy.

❗️Compute hashes before acquisition, after it, and whenever a copy is made.

✅ First Responder Checklist

  • Sanitise the target disk that will be used to copy evidence to
  • Prepare the whole toolkit that will be needed
  • Start filling out the Chain of Custody form, each evidence assigned a unique ID (see below for examples).
  • All photos taken before touching the scene
  • Make sure that Internet, Bluetooth, AirDrop are all turned off on the machine that is used to acquire the image (* in case of physical acquisition).
  • Connect the write blocker to the PC and the evidence drive to the write blocker (power + data cables) or launch a software write blocker on the acquirer machine (see below for how-to) (* in case of physical acquisition).
  • Calculate the hash of the evidence drive (pre-hash). Document it.
  • Image the evidence.
  • Calculate the hash of the original evidence again, validate the hash and document it.
  • Calculate the hash of the image that was taken (post-hash) and make sure it matches the above ones taken previously.
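The pre-hash / image / post-hash sequence from the checklist above, as an added example that is not part of the original page. It stands in for an imaging tool: the "device" is a constructed byte string rather than a real block device, the evidence ID is made up, and each hashing step is written into a chain-of-custody log so the three digests can be compared and documented in one place.

```python
import hashlib
from datetime import datetime, timezone

CHUNK = 4096  # read size; a real imager uses far larger blocks

# Constructed stand-in for the evidence drive behind the write blocker:
# in practice this is the raw block device, here it is just bytes in memory.
EVIDENCE_DEVICE = (b"\x33\xc0\x8e\xd0" + b"\x00" * 508   # fake boot sector
                   + b"user file" * 700                   # allocated data
                   + b"\x00" * 300)                       # "free space"


def sha256_of(data: bytes) -> str:
    """Hash the whole medium chunk by chunk, as a tool streaming a device would."""
    h = hashlib.sha256()
    for i in range(0, len(data), CHUNK):
        h.update(data[i:i + CHUNK])
    return h.hexdigest()


def image_device(device: bytes) -> bytes:
    """Bit-for-bit copy: every byte, including slack and free space, is copied."""
    return b"".join(device[i:i + CHUNK] for i in range(0, len(device), CHUNK))


def verify_hashes(pre_hash: str, post_hash: str, image_hash: str) -> bool:
    """The image is only valid when all three digests agree."""
    return pre_hash == post_hash == image_hash


def acquire(device: bytes, evidence_id: str):
    """Pre-hash, image, re-hash the original, hash the image, record each step.

    Returns (verified, image, chain_of_custody_entries).
    """
    entries = []

    def record(step: str, digest: str) -> None:
        entries.append({
            "evidence_id": evidence_id,
            "step": step,
            "sha256": digest,
            "utc_time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        })

    pre_hash = sha256_of(device)
    record("pre-hash of original", pre_hash)

    image = image_device(device)

    post_hash = sha256_of(device)            # original must be unchanged
    record("post-hash of original", post_hash)

    image_hash = sha256_of(image)            # image must match the original
    record("hash of image", image_hash)

    verified = verify_hashes(pre_hash, post_hash, image_hash)
    record("verification " + ("passed" if verified else "FAILED"), image_hash)
    return verified, image, entries


if __name__ == "__main__":
    ok, img, log = acquire(EVIDENCE_DEVICE, "EV-001")  # constructed evidence ID
    for e in log:
        print(e["utc_time"], e["evidence_id"], e["step"], e["sha256"][:16])
    print("verified:", ok)
```

If the post-hash of the original differs from the pre-hash, the medium changed during imaging (a missing or failed write blocker is the usual cause); if only the image hash differs, the copy is bad and must be retaken. Both cases are recorded rather than silently retried, because the log is what the Chain of Custody form is built from.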

Documenting And Recording

Start documenting even before you get to the scene. First, make sure that timestamps are configured on both devices. Take as many photos and videos as possible. Take overall and close-up photos. Make sure that all the connections between the devices are photographed clearly. Photograph the evidence in situ (if possible). Identify and assign unique IDs to the evidence collected.

chain-of-custody

Acquisition

Dead Acquisition

Live Acquisition

Evidence Preservation

  1. Copy the original, operate on the copy
  2. Hashes
  3. Write-blocking devices
  4. Minimum number of files created
  5. Register timestamps before opening files

Examination & Analysis

Art supersedes science. Know what is garbage. Look in unexpected places. Don’t ignore exculpatory (proving innocence) data.

❗️ Correlate data with other independent sources. Some data might have been tampered with, so try to find other evidence that describes the same events. For example, timestamps can be easily changed. Therefore, try to find network or login events to correlate them with.
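One way to do the correlation just described, as an added example (not code from the original page): file modification times attributed to a user are checked against that user's logon sessions rebuilt from the security event log. A change that falls outside every session of its supposed owner is not proof of anything, but it is exactly the kind of timestamp that needs a second, independent source before it is trusted. The event lines, logon IDs and file records are constructed; 4624 is the logon event named on the page, 4634 is the corresponding Windows logoff event.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Session:
    user: str
    logon: datetime
    logoff: Optional[datetime]  # None: still logged on at the end of the log


def parse_sessions(event_lines: List[str]) -> List[Session]:
    """Pair each 4624 (logon) with the later 4634 (logoff) carrying the same logon ID.

    Constructed pipe-separated line format: time|event_id|user|logon_id.
    """
    open_sessions = {}
    sessions = []
    for line in event_lines:
        ts, event_id, user, logon_id = line.split("|")
        when = datetime.fromisoformat(ts)
        if event_id == "4624":
            open_sessions[logon_id] = Session(user, when, None)
        elif event_id == "4634" and logon_id in open_sessions:
            s = open_sessions.pop(logon_id)
            s.logoff = when
            sessions.append(s)
    sessions.extend(open_sessions.values())  # sessions without a logoff
    return sessions


def unsupported_changes(file_records: List[Tuple[str, str, datetime]],
                        sessions: List[Session],
                        slack: timedelta = timedelta(minutes=5)) -> List[str]:
    """Return paths whose modification time lies outside every logon session of
    the user the file is attributed to (a little slack absorbs clock drift)."""
    flagged = []
    for path, user, mtime in file_records:
        covered = False
        for s in sessions:
            if s.user != user or mtime < s.logon - slack:
                continue
            if s.logoff is None or mtime <= s.logoff + slack:
                covered = True
                break
        if not covered:
            flagged.append(path)
    return flagged


# Constructed sample data: two interactive sessions and three file changes.
EVENT_LOG = [
    "2024-03-01T08:55:00|4624|alice|0x3e7a1",
    "2024-03-01T12:10:00|4634|alice|0x3e7a1",
    "2024-03-01T13:00:00|4624|bob|0x41c09",
    "2024-03-01T17:30:00|4634|bob|0x41c09",
]
FILE_RECORDS = [
    ("C:/Users/alice/report.docx", "alice", datetime(2024, 3, 1, 10, 15)),  # in session
    ("C:/Users/alice/notes.txt", "alice", datetime(2024, 3, 1, 3, 0)),      # no session
    ("C:/Users/bob/tool.exe", "bob", datetime(2024, 3, 1, 17, 33)),         # within slack
]

if __name__ == "__main__":
    for path in unsupported_changes(FILE_RECORDS, parse_sessions(EVENT_LOG)):
        print("needs corroboration:", path)
```

The same check works with any independent clock: network flow records, VPN logs or USN journal entries can replace the logon sessions, and a file whose timestamp is contradicted by two independent sources is far stronger evidence of tampering than one that is merely odd.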

  • Analysis of non-volatile storage devices

  • Analysis of volatile storage devices (RAM)

  • Analysis of communication devices

  • Physical Storage Media Analysis

    • Volume analysis. Volume - collection of storage locations.
      • File System
        • Application
        • OS
      • DB
      • Swap space
    • Memory analysis
  • Network

✅ Examiner Checklist


Is this computer compromised? Let’s break it down into smaller questions. The full checklist is below; this one is an overview.

  • Malicious Process
    • Are there malprograms (backdoors, key loggers)?
    • Network
    • Files
    • Processes
  • User
    • Is there maluser activity (account takeover, insider threat)?
  • OS Configs
    • Are there malconfigs (services enabled, disabled logging)?
  • Hardware
    • Are there mal hardware changes (firmware, BIOS)?

Bypassing controls (if, say, it’s PIN protected, data encrypted, ACL, compression). There will be lots of data and only some is relevant. In most cases, NSRL file data is used to eliminate known files, such as operating system and application files, during criminal forensic investigations. This reduces the number of files which must be manually examined and thus increases the efficiency of the investigation. See here. This list is used by Autopsy.

Testing computer tools. Video analytics here and photo here. And about NIST research in cloud forensics here.

About SIM forensics as well here.

The main idea is to concentrate on some areas and answer some specific questions, like:

  1. Is there child exploitation material? Search videos and pictures.
  2. Is this PC compromised? Not obvious.
  3. Who did this computer communicate with?

First option:

Big problem -> n * (small problem). Recursively break a problem into smaller problems until one of them becomes solvable.

Second option:

Or we can be guided by artifact ⛏️ categories.

First, break the bigger problem into a smaller one. Then answer questions with artifact ⛏️ categories.

Here is the pseudocode for this (JavaScript-style; getArtifacts, prioritise and answerWithAutoTools are the steps described above and are left undefined):

function breakIntoSmallerProblems(problemStack) {
  // Base case: nothing left to break down.
  if (problemStack.length === 0) return 0;
  const currentProblem = problemStack.pop();
  // Pose the question for this problem, then collect the artifacts that answer it.
  getArtifacts(poseQuestion(currentProblem, problemStack.length));
  // Recurse on the remaining problems (the stack carries its own length).
  return breakIntoSmallerProblems(problemStack);
}

function poseQuestion(problem, stackLen) {
  // Small backlog: prioritise by hand; large backlog: let automated tools answer.
  if (stackLen < 100) return prioritise(problem);
  return answerWithAutoTools(problem);
}

How does a computer work? Hardware, OS, processes. How does an attacker work? Remote access changes, detection avoidance, etc.

RoadMap

  1. Is the system compromised?
    1. Are there mal related changes?
    2. Is there mal user activity?
      1. Suspicious logins?
        1. Login artifact category ⛏️: Event log 4624, 4778, active users etc
    3. Are there malware progs?
    4. Are there mal OS changes?

Prioritization is based on: likely relevance, result accuracy, time to answer.

Beginner: start with a process and fill in categories

Advanced: when you already know about categories, think from that perspective.

Manager: categories

Cyber Triage User: same

File name -> meta -> content

Prioritization and Process

There are different paths to follow to answer the same questions. Some are more efficient.

Pulling on threads. Find a piece of evidence and focus on that to fully understand it. Example (depth-first search):

  • Looking for malware and find program run entry for malware
  • Stop looking for other malware and focus on that one
    • What happened before and after?
    • What else is in the same folder?
    • What does it do?
  • Repeat for each you find

How to find the first evidence? Prioritize or brute force.

  • Prioritize (Manual). You never know where the evidence is going to be.
    • impact on the investigation result
    • likelihood of finding anything
    • false positives?
    • time required
  • Brute force (Automated). Let tools and software find the evidence.
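The RoadMap above and the prioritisation criteria (relevance, accuracy, time; impact, likelihood, false positives, time) in one working example, added here and not part of the original page. It decomposes the root question with an explicit stack, maps the leaf questions to artifact categories, and orders them by a constructed score; the 100-question threshold from the pseudocode decides whether the backlog is prioritised by hand or handed to tools as-is. The question tree follows the page's outline; all scores are illustrative.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Question:
    text: str
    sub: List["Question"] = field(default_factory=list)
    artifacts: List[str] = field(default_factory=list)  # artifact categories (leaves only)
    relevance: float = 0.0   # expected impact on the investigation result
    accuracy: float = 0.0    # how reliable the answer is (1 - false-positive risk)
    hours: float = 1.0       # estimated time to answer


def score(q: Question) -> float:
    """Higher is better: impact and accuracy per hour of work."""
    return q.relevance * q.accuracy / q.hours


def leaf_questions(root: Question) -> List[Question]:
    """Stack-based decomposition: pop a problem, push its sub-problems, and
    collect the ones small enough to be answered with artifact categories."""
    stack = [root]
    leaves = []
    while stack:
        q = stack.pop()
        if q.sub:
            stack.extend(q.sub)
        else:
            leaves.append(q)
    return leaves


def work_plan(root: Question, threshold: int = 100) -> List[Question]:
    """Order the answerable questions. Below the threshold prioritise by hand
    (by score); at or above it hand the whole backlog to automated tools as-is."""
    leaves = leaf_questions(root)
    if len(leaves) >= threshold:
        return leaves
    return sorted(leaves, key=score, reverse=True)


# Constructed roadmap mirroring the page's outline; scores are illustrative.
ROADMAP = Question("Is the system compromised?", sub=[
    Question("Is there mal user activity?", sub=[
        Question("Suspicious logins?",
                 artifacts=["Event log 4624", "Event log 4778", "active users"],
                 relevance=0.8, accuracy=0.9, hours=1.0),
    ]),
    Question("Are there malware programs?",
             artifacts=["program run entries", "processes", "network"],
             relevance=0.9, accuracy=0.6, hours=3.0),
    Question("Are there mal OS changes?",
             artifacts=["services enabled", "logging disabled"],
             relevance=0.6, accuracy=0.8, hours=0.5),
    Question("Are there mal hardware changes?",
             artifacts=["firmware", "BIOS"],
             relevance=0.5, accuracy=0.5, hours=8.0),
])

if __name__ == "__main__":
    for q in work_plan(ROADMAP):
        print(f"{score(q):.2f}  {q.text}  <- {', '.join(q.artifacts)}")
```

With these numbers the cheap, accurate OS-configuration check comes first and the slow, uncertain firmware check last, even though malware is the most relevant question: the plan is about where the first hour is best spent, and the pulling-on-threads step takes over as soon as a leaf turns something up.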

Cyber Triage: can I mark something as bad and rerun the analysis for this piece of evidence? Yes.

See the general schema here.

Critical Thinking

Challenge assumptions (sometimes it’s something you have not seen or dealt with before), consider alternatives, evaluate data, identify key drivers, understand context.

List all assumptions and ask yourself how sure you are of these statements and what might happen if they are wrong. Categorize these assumptions based on their certainty. Refine and remove those assumptions that are proven to be wrong. Identify additional data needs for those assumptions that are still uncertain. Research?

Think about the alternatives, for example by brainstorming. Ask yourself the six W’s to help develop the alternatives. Null hypothesis - the opposite of the main hypothesis (for anomalous data).

Know your data! Know normal and abnormal. Establish the baselines for normal to be able to detect the abnormal (for example, a clean installation of a system is examined and everything is then compared to it). Look for inconsistent data. Assess the data against different hypotheses to see how well it fits.

Identify key drivers: technology, regulatory (laws and standards), society (politics, people want to be safe), supply chain (logistics, cost, scheduling, customer requirements), employees (skills and training needed), threat actors (tech capabilities, motives, opportunity).

Understand the context from the perspective of different stakeholders. Framing techniques help keep everyone on the same page (what do they need from me, how can I frame the issue, do I need to place their questions in a broader context). Same vocabulary. Steps:

  • Key components. Break the problem down and identify the parts, actors and categories.
  • Factors at Play.
  • Relationships. Static? Dynamic? Graphing.
  • Similarities/Differences. Leverage the past work!
  • Redefine. Rephrase and paraphrase the issue. What is the root cause?

💡 Maybe it’s better to arrange it as a table. Merge with the information from the Cyber Triage DFIR webinar by Brian Carrier and Digital Archaeology.

Known Good

Not all the files are worth considering. However, it’s hard to keep all of them in mind. So, I’ve made (or am about to make) several database files that contain information on the files of a clean-installed system. There will be some deviations, I presume, but I hope it will help eliminate a huge batch of files as well.
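The known-good idea from this section and the NSRL elimination described under Examination & Analysis, as an added example that is not part of the original page or of any NSRL tooling. It hashes a "clean installation" into a known-good set and returns only the evidence files that still need manual review. Matching is by content hash, never by name, which is the property that matters: a system file with modified bytes stays in the review list, while a known file that was merely renamed or moved drops out. All file names and contents are constructed; SHA-1 is used because NSRL reference sets are keyed by it.

```python
import hashlib
from typing import Dict, List, Set


def sha1_hex(data: bytes) -> str:
    # NSRL reference data sets are keyed by SHA-1, so the local set uses it too.
    return hashlib.sha1(data).hexdigest()


def build_known_good(clean_install: Dict[str, bytes]) -> Set[str]:
    """Hash every file of a clean installation into a known-good hash set."""
    return {sha1_hex(content) for content in clean_install.values()}


def eliminate_known(evidence: Dict[str, bytes], known_good: Set[str]) -> List[str]:
    """Return the paths that still need manual review: every file whose content
    hash is absent from the known-good set. Names play no part in the decision."""
    return sorted(path for path, content in evidence.items()
                  if sha1_hex(content) not in known_good)


# Constructed "clean install": path -> file content.
CLEAN_INSTALL = {
    "Windows/System32/kernel32.dll": b"\x4d\x5a" + b"K" * 64,
    "Windows/System32/notepad.exe": b"\x4d\x5a" + b"N" * 64,
}

# Constructed evidence listing from the image under examination.
EVIDENCE_FILES = {
    "Windows/System32/kernel32.dll": b"\x4d\x5a" + b"K" * 64,   # unchanged -> eliminated
    "Windows/System32/notepad.exe": b"\x4d\x5a" + b"N" * 63 + b"X",  # modified -> review
    "Users/alice/Documents/budget.xlsx": b"PK\x03\x04budget",   # user data -> review
    "Windows/Temp/tmp9f2a.bin": b"\x4d\x5a" + b"N" * 64,         # renamed notepad -> eliminated
}

if __name__ == "__main__":
    known = build_known_good(CLEAN_INSTALL)
    for path in eliminate_known(EVIDENCE_FILES, known):
        print("review:", path)
```

Because the set is keyed by content, the same known-good file can be recorded from one clean image and reused across every case with that OS build; the deviations mentioned above (patch levels, locale packs) show up as a handful of unknown system files rather than as a flood, and those few are quick to check against the vendor's own hash lists.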

References


[1] Digital Archaeology LiveLessons (Video Training), Safari by [Michael W Graves](https://learning.oreilly.com/search?query=author%3A"Michael W Graves"&sort=relevance&highlight=true)

[2] InfoSec Digital Forensics Course, module Forensics Methodology and Investigations

[3] Webinar, METHODOLOGY FOR TESTING FORENSIC HYPOTHESIS AND FINDING TRUTH by Jessica Hyde

[4] Live vs Dead System Acquisition

[5] IBM course