📘 Manual



Created: 12.10.2020

TODO: Move this to methodology.

Each OS and system type will have a separate section (see below). However, the main principles will remain the same.

There are two main types of acquisition: live and dead ☠️. Which one to start with usually depends on the state the system is found in. If the system is powered on, perform live acquisition first, capturing the volatile data (memory contents, running processes, network connections) that is lost on reboot, and only then proceed to dead acquisition. If the system is already shut down, go straight to dead acquisition.

⚠️ There are some caveats to handle, though. For example, at the time of writing (📆 11/07/2022), macOS has introduced Share Disk mode on the newest M1 machines. Unlike Target Disk Mode, which presented the disk as an external drive and so made it possible to put a write blocker in front of it, this new mode behaves more like a network share and works over SMB (over the wire). The target disk therefore does not show up in diskutil list output, so the standard write-blocking procedures won't work. I don't know whether an ordinary physical write blocker will work, since the mechanism is different. I have posted this question on forensicfocus.com but have not received any updates.

Evidence


❗️Mind the scope when collecting the evidence. For example, you might not have permission to manage personal devices.

Obvious Physical Evidence. PC, cameras, flash drives, PDAs, removable media, and mobile devices. Mind the chain of custody.

Non-obvious Physical Evidence. Manuals for devices that were not found: look for those devices. Digital media created by a device that was not found: look for that device. Sticky notes or scraps of paper with seemingly scrambled letters (possibly written-down passwords).

Cloud Evidence.

⚠️ Do not forget the charger!

Toolkit Assembly For Physical Acquisition

  • A PC technician's toolkit 🧰 (screwdrivers 🪛, pliers, scissors ✂️, portable batteries 🔋, etc.) so that you can remove HDDs, unlock cable ties, and so on. ✅
  • Digital camera 📸 that embeds timestamps in the photos. 📝 Take photos; the more, the better!
  • Video camera 📹. 📝 Take video; the longer, the better.
  • Labelling and documenting supplies (labels, markers, pens 🖊, evidence tape 🚧).
  • Transporting and managing evidence 💼 (Faraday bags, anti-static bags, evidence log, large envelopes ✉️, gloves 🧤, sanitiser).
  • Documents (chain of custody forms, notes 🗒, warrants/subpoenas).
  • Digital forensics specifics (forensics software, write blockers, laptop 💻, sterilised target media, flash drives for live/dead acquisition, bootable media, Apple USB Type-C cables).

Evidence Integrity

One of the essential parts is ensuring evidence integrity. Hashing and the Chain of Custody (CoC) exist for this purpose. You can also screen-record everything you do on the system, narrating every step. Evidence also needs to be transported and stored safely.

Physical Integrity

Don't contaminate the scene itself (resist the temptation to eat biscuits 🍪 and burgers 🍔 at the scene, however hard that might be). This means preserving the physical evidence as well. Don't touch ANYTHING before the lead investigator says "OK" 👍. Always mind the scope and get it in writing, even if it's not a criminal case. Do fingerprints need to be collected? DNA?

Package the evidence for transport, transport it, and store it securely while it is in your possession. Use Faraday bags to prevent remote tampering (including remote wiping), and anti-static and plastic bags to protect against electrostatic discharge and moisture. Tape and seal the bags containing the evidence.

Digital Integrity

For dead acquisition, it's fairly simple:

  • Calculate the hash of the drive before imaging it.
  • Image the drive (bit-by-bit).
  • Calculate the hash of the image; for a raw image it must match the hash of the drive.
  • Whenever you copy the image, calculate the copy's hash as well.

All of the steps are recorded in the report and the CoC.

For live acquisition, it becomes trickier.

A live system changes all the time. Keep Locard's Exchange Principle in mind at all times: every contact leaves a trace. In digital forensics this means the investigator leaves traces of their own activity on the system they work on, possibly overwriting information in the process. That is why keeping as low a profile as possible is essential, and why you need to know how "noisy" a tool is: how many files it writes to disk and how much RAM it needs. This is called the tool's footprint 🐾. To measure it, open Task Manager, Activity Monitor, top, or whatever process monitor the OS offers, note the "Memory" and "Disk" columns, run the utility and see how heavy the footprint is (whatever the tool occupies in RAM overwrites that portion of the evidence). For example, Belkasoft RAM Capturer has a ~4 MB footprint for RAM acquisition; Magnet RAM Capturer has a colossal footprint; DumpIt is the fastest and has the smallest footprint. That is why tools must be checked and tested regularly, before the investigation.

Block any network connection, Bluetooth, while on the scene to avoid remote wiping. Look for running wiping software or kill switches.

Use current, industry-accepted hashing algorithms (at least SHA-256). MD5 has practical collision attacks, so even though a collision in your particular evidence is unlikely, DF work usually ends up in court, and using MD5 gives the other side an opening to discredit your work. Best practice is to use several hashing algorithms (especially when automating the process): if one of the algorithms you used is disputed, you always have another one to back up the soundness of your process.

❗️Sometimes a tool produces a different hash from another tool for the same data. This may be a bug in the tool (or a difference in exactly what is being hashed, such as zero padding appended to the image). That's why it's essential to validate your tools. It's always better to use the built-in Linux or macOS hashing tools (sha256sum or shasum, for example). For more examples, see the Tools section.
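The four dead-acquisition steps, the two-algorithm recommendation and the preference for built-in hashing tools, as an added, runnable example (not from the original page): a POSIX shell script that hashes the source, images it with dd, hashes the image and a copy, and writes every digest to a log for the report and the CoC. A constructed random file stands in for the evidence drive; in a real acquisition the block device (e.g. /dev/sdb behind a write blocker) would replace it. The image file names follow this page's FD-<seq>-<case>-<copy> evidence-ID scheme; the function names and log format are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): dead-acquisition hashing
# routine with dd and built-in hashing tools. A constructed random file
# stands in for the evidence drive; on a real job SRC would be the block
# device behind a write blocker, e.g. /dev/sdb.
set -eu

# Hex digest of a file with SHA-256 (algo=256) or SHA-1 (algo=1).
# Prefers coreutils sha256sum/sha1sum (Linux) and falls back to
# shasum -a N (macOS), so the same script runs on both platforms.
digest() {
    algo=$1; file=$2
    if command -v "sha${algo}sum" >/dev/null 2>&1; then
        "sha${algo}sum" "$file" | cut -d' ' -f1
    else
        shasum -a "$algo" "$file" | cut -d' ' -f1
    fi
}

# Append one line to the hash log that goes into the report and the CoC:
# UTC timestamp, label, both digests, operator.
record() {
    log=$1; label=$2; file=$3
    printf '%s %s sha256=%s sha1=%s operator=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$label" \
        "$(digest 256 "$file")" "$(digest 1 "$file")" \
        "${USER:-unknown}" >> "$log"
}

# True only when two files agree under BOTH algorithms, so a dispute
# about one algorithm still leaves the other to back the process up.
hashes_match() {
    [ "$(digest 256 "$1")" = "$(digest 256 "$2")" ] &&
    [ "$(digest 1 "$1")" = "$(digest 1 "$2")" ]
}

# Steps 1-3: hash the source, image it, hash the image, then re-hash
# the source to show that the acquisition itself did not alter it.
image_and_verify() {
    src=$1; img=$2; log=$3
    record "$log" "source-pre" "$src"
    # Plain dd: no conv=sync, which would zero-pad a trailing partial
    # block and make the image hash legitimately differ from the source.
    # If a failing drive needs conv=noerror,sync, use a bs that divides
    # the device size (512) so no padding occurs.
    dd if="$src" of="$img" bs=65536 2>/dev/null
    record "$log" "image" "$img"
    record "$log" "source-post" "$src"
    hashes_match "$src" "$img"
}

# Step 4: every copy of the image is hashed and logged as well.
copy_and_verify() {
    img=$1; copy=$2; log=$3
    cp "$img" "$copy"
    record "$log" "copy" "$copy"
    hashes_match "$img" "$copy"
}

# Demo run on constructed data. 300000 bytes is deliberately not a
# multiple of the dd block size, to show that plain dd copies a trailing
# partial block without padding it.
WORK=$(mktemp -d)
head -c 300000 /dev/urandom > "$WORK/source-drive.bin"   # constructed "drive"
image_and_verify "$WORK/source-drive.bin" "$WORK/FD-01-0124-01.dd" "$WORK/hashes.log"
copy_and_verify  "$WORK/FD-01-0124-01.dd" "$WORK/FD-01-0124-02.dd" "$WORK/hashes.log"
cat "$WORK/hashes.log"
```

Run it with sh; it prints the four log lines (source before, image, source after, copy) and exits non-zero if any digest disagrees. The dd caveat in the comments is the one practitioners trip over most: conv=sync zero-pads the last partial block, so the image hash no longer matches the source hash even though nothing went wrong.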

To prevent the device from losing power (when we need it to stay on), keep it connected to a power supply (a portable battery, for example).

⚠️ Turning off might trigger encryption!

Chain Of Custody


❓ Where was the evidence found?
❓ Time and date the evidence was collected
❓ Who found the evidence
❓ Description of the evidence
❓ Make, model, and S/N of the device (if applicable)

πŸ“ I think one of the best ways to keep the Chain of Custody is on Google Drive. This way, we have a history of changes and who has made them. Another way would be to use GitHub.

Identify the evidence

Assign an ID to each piece of evidence. For a flash drive, for example, it would be: FD (flash drive) + its sequence number within the case + the case number. Images of that device get the same ID plus a copy sequence number.

Example: a USB flash drive was found at the scene during case 0124. It was the first USB drive found, so it was assigned the ID FD-01-0124. Two bit-by-bit copies of this drive were then made and assigned the IDs FD-01-0124-01 and FD-01-0124-02, respectively.

Report


Keep track of all the steps taken, the reason for each step and its outcome. Document the physical condition (for example, whether the mouse sits to the left or right of the keyboard, which hints at whether the owner is left- or right-handed) and the applications running, and keep audio notes. Take photos and videos, and make notes. Maintain the Chain of Custody at all times.

Reports are often read by people who are not technical. Besides, you want the information to be usable in court, should the need arise.

It is also crucial to share the findings, IOCs and information about the threat actors with the threat-hunting team 🔪.

The final report should contain the following:

  • Case summary (who requested it, who is in charge, principals involved, when the incident occurred, when this report was filed, what allegedly happened, copies of all legal authorisations to proceed);
  • Authorisations (original request in writing, warrants, subpoenas, written permissions);
  • Procedural documents (inventory of items examined and the chain of custody for each, tools used, a timeline of procedures, list of people performing these procedures, hashes before and after);
  • Case notes (all logs extracted from the target system and from the forensic tools, and sometimes a diagram of the network where the investigation took place);
  • Physical evidence collected (videos, pictures, copies of documents, interview transcripts);
  • Conclusion (ties it all together, supports or refutes the original claim, and does NOT prove guilt or innocence).

Make electronic copies of the report. The team keeps an archive copy; DVDs are used for distribution. Copies of written documents are filed. A summary report is provided along with timelines and the written and electronic documents.

Photos And Videos

First, make sure that timestamps are configured correctly on both the photo and the video camera. Take as many photos and videos as possible. Take overall and close-up shots. Make sure that all the connections between the devices are photographed clearly. Photograph the evidence in situ (if possible).

Acquisition

http://www.cyber-forensics.ch/acquiring-data-with-dd-dcfldd-dc3dd/

📘 BTFM