Advanced Game Theory and Gaining the Advantage in the Courtroom

Intro to Digital Forensics

About Jenn Mastin

Employed at Nexigen

Forensics Investigator

Incident Response Engineer

Security Engineer

Bachelor of Science: Computer Information Technology - Network Administration and Security

Email Address: [email protected]

Linked In: Jennifer Mastin

About Ty Braunwart

I work at Nexigen

Sr Forensics Engineer

Sr Incident Response Engineer

Sr Security Engineer

Penetration Tester

Email address: [email protected]

Linked in: Ty Braunwart

My Alphabet Soup

CCFE: Certified Computer Forensics Examiner

CHFI: Computer Hacking Forensic Investigator

CEH: Certified Ethical Hacker v9

Bachelor of Science: Computer Information Technology - Network Administration and Security

What is

Digital

Forensics?

Digital forensics is the process of uncovering and interpreting electronic data.

The goal of the process is to preserve any evidence in its most original form while performing a structured investigation by collecting, identifying and validating the digital information for the purpose of reconstructing past events.

What knowledge is needed?

Networking and networking protocols

Server administration and logs

Deep understanding of how different operating systems work

Cloud and cloud services

Various printer functions and configurations

Programming, hex, email, etc.

What Tools/Toys Do I Need?

Depends on the investigation

Physical Tools

GO Bag/Box

Screwdrivers

Paper and pens

Chain of custody / Intake forms

Write blockers

Hard Disk, Hard Disk, did I mention Hard Disk

Camera

Flashlight

Physical Tools

Forensics Laptop

Live CD/USB media

Cables for every possible device under the sun

Faraday bags

Security Tape/Strips

Network Tape

Etc. ….

Headphones and music

Software Tools

Investigative software --- commercial or open source

eDiscovery suites --- commercial or open source

Mobile device viewing and backup software

Hex editor

Packet capture and viewing tools

Image viewer

Software to view emails

Software to view documents

Etc. …..

Categories of Digital Forensics Incidents

Criminal

Civil

Corporate

Digital Forensics Steps

Pre Show

Information Gathering / Scope

Securing the scene and identifying evidence

Evidence acquisition

Analysis of evidence looking for artifacts

Reaching a conclusion based on artifacts

Reporting / testifying

Cleaning data

Pre Show

Check Cables

Check Forensics Devices

Check All Forensics Workstations

Check Drives

Check Procedures

Check Skills and Education

Make sure you have enough forms for evidence

Information Gathering / Scope

Find out the Scope of work and what the client is looking for

Find out the number and type of devices involved

Find out any restrictions placed on the investigation

Find out if any business-critical devices are involved

Find out what data you can expect to see

Find out where you will be allowed to work

Setup case number and who is going to be assigned to it

Securing the scene and identifying evidence

Identify the scene and keep people from touching the evidence

Have the client identify each piece of evidence

Ask whether anyone touched or modified any data before you arrived

Start a chain of custody and evidence acquisition form for each piece of evidence

Evidence Acquisition

Take pictures of the evidence and the scene

Inspect the first piece of evidence and produce a game plan

Collect artifacts based on volatility.

Make notes of every step you take and WHY you took them

Volatility

How quickly the artifacts will disappear, either through use of the device or through power loss

Order of Volatility

Memory

Network connections

Running processes / loaded DLLs

Users logged on

Hard drives / non-volatile media

Memory

Take a snapshot of memory and save it to an external location

Interacting with the computer in any way modifies memory

Memory is constantly changing while the computer is on

The memory snapshot will be roughly the same size as all the memory installed in the unit

Network Connections

Get network connections active on the computer

Get list of listening ports on the computer

Running Processes / Loaded DLL

Get a full list of running processes and every DLL they have loaded

Users Logged on

Get a list of active users at the time of evidence collection

Hard drive / non-volatile media

Make an image of the media, either online or offline

Calculate the MD5 and SHA-1 hashes of the image

Types of non-volatile media

Magnetic Hard Drives

SSD Drives

Flash Drives

Zip Drives

CD / DVD

ETC.

Magnetic Hard Drives

Classic hard drive

Keeps data on the drive until it is overwritten by another file or program

Slower to read from and write to

The forensic examiner's best friend

SSD Hard Drive

Solid State Drive

No moving parts

Faster Read and Write

Depending on configuration (TRIM and the drive's own garbage collection), deleted data can be wiped by the drive itself, so evidence could be destroyed before you image it

Becoming standard in most laptops and computers

Other Media

Flash Drives are everywhere.

CDs / DVDs are still used, but are becoming rare.

Zip drives lost out to flash drives.

Floppy disk.

Magnetic tape drives.

SAS drives.

Stored on Non-Volatile Media

File system.

Folders.

Configuration files.

Pictures.

Documents.

Anything that needs to survive a reboot.

Types of data collection

Live data collection.

Offline data collection.

Collecting Data from Memory

Use a program like DumpIt to save a snapshot of memory to an external drive for later analysis. Once DumpIt is finished, run an MD5 and/or SHA-1 hashing tool on the memory dump and record the result.

Once you remove power from the computer, the memory chips quickly start losing their contents.

The size of the dump will be roughly the total amount of memory installed in the system.

This would be considered live data collection.

Collect Network Usage

Use network tools like netstat and save the results to an external storage device.

Some of the network information will also be present in the memory dump.

Use a LAN tap and a packet analysis tool to capture live network data.

This is also considered live data collection.

For overall company network usage, you can reach out to the company's ISP, which may be able to provide that information.

Running process

Use a process monitoring tool like Process Monitor (Procmon) to view all processes running on the system.

Use the memory dump to view the running processes.

Use Task Manager and take screenshots.

Save info to external storage device.

This is considered live data collection.

List of Active Users

Use Task Manager or another program to list active users.

System logs can also be used to find active users, if logons are being recorded.

Look in the memory dump.

This is considered live data collection.
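The live-collection steps above (network connections and listening ports, running processes with loaded DLLs, logged-on users) as one runnable script. This is an added example, not code from the slides or from Nexigen: it runs the Windows commands the slides describe (netstat, tasklist, query user) in order of volatility, saves each raw output to the collection drive, hashes it, and writes a manifest the examiner can copy into the acquisition form. The memory image is taken first with DumpIt by hand and is only referenced in the manifest. The E:\ collection drive and case directory are assumptions.

```python
"""Order-of-volatility live collection runner (added example, not from the
slides).  Each step runs one collection command, saves the raw output to the
collection drive, and records start/finish time, return code and SHA-256 of
the output in a manifest.  Command output is small enough to hash in memory;
the memory image from DumpIt is only referenced here.  E:\\ as the external
collection drive is an assumption."""
import datetime as dt
import hashlib
import json
import subprocess
from pathlib import Path

# Windows commands the slides describe, in order of volatility (most volatile
# first).  Each step is (artifact name, argv).  Run from an elevated prompt.
WINDOWS_LIVE_STEPS = [
    ("network_connections", ["netstat", "-ano"]),  # connections, listening ports, owning PIDs
    ("processes_and_dlls",  ["tasklist", "/M"]),   # every process with its loaded modules
    ("logged_on_users",     ["query", "user"]),    # interactive and RDP sessions
]


def utc_now() -> str:
    return dt.datetime.now(dt.timezone.utc).isoformat(timespec="seconds")


def run_step(name: str, argv: list, outdir: Path) -> dict:
    """Run one collection command and return its manifest entry.

    Output is captured as bytes and written unchanged: no newline translation,
    no decoding, so the hash covers exactly what the tool produced.
    """
    started = utc_now()
    proc = subprocess.run(argv, capture_output=True, check=False)
    out_file = outdir / f"{name}.txt"
    out_file.write_bytes(proc.stdout)
    return {
        "artifact": name,
        "command": " ".join(argv),
        "started_utc": started,
        "finished_utc": utc_now(),
        "return_code": proc.returncode,
        "output_file": out_file.name,
        "output_bytes": len(proc.stdout),
        "sha256": hashlib.sha256(proc.stdout).hexdigest(),
        "stderr": proc.stderr.decode(errors="replace").strip(),
    }


def collect(steps: list, outdir, memory_image=None) -> list:
    """Run every step in the given order and write manifest.json beside the outputs.

    A failing or missing tool is recorded (return code, stderr or the OS error)
    rather than aborting: the later, less volatile artifacts are still worth having.
    """
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = []
    if memory_image:  # taken with DumpIt before these steps; hash it like any image file
        manifest.append({"artifact": "memory", "note": "acquired with DumpIt before these steps",
                         "output_file": str(memory_image), "recorded_utc": utc_now()})
    for name, argv in steps:
        try:
            manifest.append(run_step(name, argv, outdir))
        except OSError as exc:  # tool not present on this box: note it and keep going
            manifest.append({"artifact": name, "command": " ".join(argv),
                             "started_utc": utc_now(), "error": str(exc)})
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


if __name__ == "__main__":
    # Assumed layout: collection drive E:\, memory dump already written by DumpIt.
    for entry in collect(WINDOWS_LIVE_STEPS, r"E:\case-0001\live", r"E:\case-0001\live\memory.raw"):
        print(entry["artifact"], entry.get("sha256", entry.get("error", "")))
```

The step list is data, so the same runner works on a Linux host by swapping in `ss -tanp`, `ps -eo pid,ppid,cmd` and `who`; the ordering, raw-byte capture and per-output hash are the forensically relevant parts.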

Non-Volatile Media

Off-line collection.

Live collection.

Use imaging software to make a raw (dd) disk image or an E01 image.

Get MD5/SHA-1 hashes; record SHA-256 as well, since both MD5 and SHA-1 have published collision attacks.

Make copies of the images and work off of them exclusively.

Non-Volatile Live Collection

Use FTK Imager, dd, or any other imaging software to make a disk image of the drive and save it to an external storage device.

Not the most forensically sound method, but sometimes your only choice.

A raw disk image will be the same size as the total disk space of the system.

Non-Volatile Offline Collection

Power off the system.

Remove the drive.

Connect the drive to a write blocker.

Run imaging tools to make disk image and save to external storage.

Make MD5/SHA-1 hashes of the image.
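Hashing the image and checking the working copy before analysis, as an added example that is not part of the slides or Nexigen's tooling. One sequential read of the image feeds MD5, SHA-1 and SHA-256 at once, the record is written next to the image, and a working copy is refused if its size or any digest differs. MD5 and SHA-1 are kept because reports and older tools expect them; SHA-256 is recorded alongside because both older algorithms have public collision attacks. The file names in the demo are assumptions and the demo data is constructed.

```python
"""Evidence-image hashing and working-copy verification (added example, not
from the slides).  hash_image makes one sequential pass over an image and
feeds every digest at once, so a multi-hundred-GB image is read a single
time; verify_copy re-hashes a working copy and refuses it if size or any
digest differs.  File names are assumptions."""
import hashlib
import json
from pathlib import Path

ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 4 * 1024 * 1024  # 4 MiB reads: images are far larger than RAM


def hash_image(path, algorithms=ALGORITHMS) -> dict:
    """Return {"md5": ..., "sha1": ..., "sha256": ..., "size_bytes": n} for a file."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    record = {name: h.hexdigest() for name, h in hashers.items()}
    record["size_bytes"] = size
    return record


def write_hash_record(image_path, record_path) -> dict:
    """Hash the original image right after acquisition and save the record
    next to it; this is the record the report cites."""
    record = hash_image(image_path)
    record["file"] = Path(image_path).name
    Path(record_path).write_text(json.dumps(record, indent=2))
    return record


def verify_copy(record: dict, copy_path) -> dict:
    """Check a working copy against the acquisition record before analysis.

    Size is compared first: a short copy is a truncated copy and needs no
    hashing.  Every algorithm present in the record must match.
    """
    actual_size = Path(copy_path).stat().st_size
    if actual_size != record["size_bytes"]:
        return {"ok": False, "reason": "size mismatch",
                "expected": record["size_bytes"], "actual": actual_size}
    algorithms = [a for a in ALGORITHMS if a in record]
    actual = hash_image(copy_path, algorithms)
    mismatched = [a for a in algorithms if actual[a] != record[a]]
    return {"ok": not mismatched,
            "reason": "hash mismatch" if mismatched else "verified",
            "mismatched": mismatched}


if __name__ == "__main__":
    # Constructed demo: a small fake "image", an exact copy, and a copy with one byte flipped.
    import tempfile
    work = Path(tempfile.mkdtemp())
    original = work / "evidence.dd"
    original.write_bytes(bytes(range(256)) * 4096)  # 1 MiB of constructed data
    good = work / "working_copy.dd"
    good.write_bytes(original.read_bytes())
    tampered = bytearray(original.read_bytes())
    tampered[12345] ^= 0x01
    bad = work / "tampered_copy.dd"
    bad.write_bytes(bytes(tampered))
    record = write_hash_record(original, work / "evidence.dd.hashes.json")
    print(verify_copy(record, good)["reason"])  # verified
    print(verify_copy(record, bad)["reason"])   # hash mismatch
```

Run the verification again whenever a copy changes hands, and keep the JSON record with the chain-of-custody paperwork: at testimony time the question is whether the copy analyzed still matches the hashes recorded at acquisition.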

Analysis of Evidence for Artifacts

Work off a copy of the disk image you made earlier.

Focus on the locations or items that will help answer your client's questions.

This is where understanding how different operating systems work, how they process information and how they store it, becomes important.

Take detailed notes on everything you find and the process/procedures taken.

Look at one piece of evidence at a time.

Coming to a Conclusion Based on Artifacts

This is the big thing you are getting paid for. It is your job to interpret the facts and explain them in a way that anyone can understand.

You need to understand how the artifacts are created and stored.

You need strong evidence to support your conclusion.

Reporting / Testifying

Remember the high school science reports you had to write?

Make sure any competent person can repeat your steps and get the same results.

Remember the notes you were taking the whole time.

Use your hashes.

Write all reports as if it is going to go before a court of law.

The report sets the stage for how people see you.

Only include the facts.

Cleaning Data

This might happen seconds or years after the conclusion of the case.

Zero out your drives.

Make sure all resources collected are returned to their owners (have them sign the chain-of-custody sheet).

Remove any evidence saved on your forensics computer.

Review how the case went and make changes or improvements.

See Pre Show.

Lab Time

Sign in to NKU Secure/Encrypted with the csc_cyberXX user.

Sign in to https://coivcenter1.hh.nku.edu; this site only works when you are “inside” NKU’s network.

Workstation Password: Work-2018;

Lab time

Lab 1: Hacker Man

What operating system was used on the computer?

Who is the registered owner?

What is the computer account name?

What is the account name of the user who mostly uses the computer?

What is the primary domain name?

List all installed programs that may be used for hacking.

List 3 IRC channels that the users of the computer accessed.

List the network cards used by this computer

Answers

What operating system was used on the computer?

Windows XP

Who is the registered owner?

Greg Schardt

What is the computer name?

N-1A9ODN6ZXK4LQ

What is the account name of the user who mostly uses the computer?

Mr. Evil

What is the primary domain name?

Evil

List the network cards used by this computer

Xircom CardBus Ethernet 100 + Modem 56 (Ethernet Interface)

Compaq WL110 Wireless LAN PC Card

Answers

List all installed programs that may be used for hacking.

Cain & Abel v2.5 beta45 (password sniffer & cracker)

Ethereal (packet sniffer)

123 Write All Stored Passwords (finds passwords in registry)

Anonymizer (hides IP tracks when browsing)

Look&LAN_1.0 (network discovery tool)

NetStumbler (wireless access point discovery tool)

Answers

List 3 IRC channels that the users of the computer accessed.

Ushells.undernet.log

Elite.hackers.undernet.log

Mp3xserv.undernet.log

Chataholics.undernet.log

Cybercafé.undernet.log

M5tar.undernet.log

Thedarktower.afternet.log

Funny.undernet.log

Luxshell.undernet.log

Evilfork.efnet.log

Iso-warez.efnet.log

Houston.undernet.log

Lab Time

Lab 2: Case of the Missing Files

Useful tool: gaelinfotech ost to pst

Question

What OS is installed on the image?

What is the timezone setting?

What is the computer name?

Who was the last user to log on to the PC?

What websites were the suspect accessing?

What was the email address of the suspect?

List all e-mails of the suspect. If possible, identify deleted e-mails. (You can identify the following items: Timestamp, From, To, Subject, Body, and Attachment.)

What anti-forensics tools or documents are located on the computer?

What is the IP address of the company’s shared network drive?

What files were uploaded to the Internet, and what application was used?

What account was used to log in to Google Drive?

Thank you

Any questions?