ISO
27043
- digital forensics evidence
- hands-on process
- identify evidence source
- preincident evidence collection and storage
- evidence manipulation and analysis
27037
- digital evidence processing
- steps:
- identification
- collection
- acquisition
- preservation
- processing only in a secure environment, otherwise evidence is considered tampered with
ACPO
- association of chief police officers (UK)
- principles
- data should be unchanged: chain of custody
- person with access has to be competent, able to explain actions and present evidence to court
- activities are recorded and preserved – can be validated by third party
- responsibility – on person in charge
SWGDE
- scientific working group on digital evidence
- led by FBI and US Secret Service
- forensic guidance
NIST SP 800-86
- forensics for incident response
- process
- collection
- examination
- analysis
- reporting
SANS
- framework for digital forensics
- process
- identification
- classification/individualization
- association
- reconstruction
Investigation
- honeypot, must be legal
- deception: looks like attack is successful, gathers IoAs
- modus operandi
- sending letters
- code style
Evidence preservation
- infected VM → quarantine; restore last VM snapshot so the user can continue working
- memory dump, then shutdown
- modus operandi (MO) – style
- Locard principle: intruder takes something and leaves something behind
- file hash and disk image hash – helps to prove integrity later
- label
- date
- time
- who collected
- case number
- written across the evidence tape
- chain of custody
Forensics
- triage:
- prepare
- preserve
- analyze
- report
- 5 ‘W’s: who, when, why, what, where + how
Tools
- VirusTotal
- Whois
- strace: syscalls
- autopsy:
- open-source
- storage analysis
- keyword search, hash match
- AccessData FTK:
- commercial
- storage imaging
- hex editors:
- Hex Fiend: macOS
- Hiew Editor: Windows, CLI, disassembler
- HxD: Windows, GUI
- artifact collection
- Kolide K2
- Velociraptor
Network
- traffic analysis
- logs
- path trace
Traffic capture
- persistent connections, long connections
- beacons
- C2 channel
- unexpected application, L4 port
- excessive FQDN
- tools
- Network Miner: file extraction
- xplico: application traffic reconstruction
Endpoints
- killed/zombie processes
- slowdown
- resource usage
- new processes/services
Media
- disk image
- timeline
- Windows registry
- shadow volume
- MBR/GPT data
- BIOS unused code area
- tools:
- Linux: dd
- Windows: FTK
- file formats:
- uncompressed: .img, .raw, .dd
- compressed: .e01, .aff
RAM
- Windows: Sysinternals, DumpIt, Memoryze
- Linux: LiME, DumpIt
- record hash and timestamp
- analysis: Volatility
Files:
- metadata:
- GPS information
- timestamps
- types
- browser history
- pictures
- emails
Windows
- sysmon: logs
- event IDs
- 1 = process creation
- 3 = network events
- 11 = file create
Mobile devices
- unauthorized geolocation
- unauthorized SMS, data utilization increase
- data exfiltration (e.g., contacts)
- advertisements on browsing
- arbitrary application start
- tools:
- NVRAM image: Cellebrite, BlackBag
Software
- reverse engineering
- exploit and malware code review
- file entropy (how evenly the byte values are distributed) can be used to detect packed/encrypted data (higher entropy) – malware detection
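Added example (not part of these notes) of the entropy check above in Python: Shannon entropy in bits per byte, plus a sliding window that flags the packed/encrypted-looking regions inside a file. The sample "file" and the chained-SHA-256 filler standing in for packed data are constructed here; the window size and the 7.0 bits/byte threshold are assumptions to tune per case.

```python
import math
import hashlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 (one byte value only) up to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 512, threshold: float = 7.0):
    """Return (offset, entropy) for each fixed window whose entropy reaches the threshold.
    Packed or encrypted sections show up as a run of consecutive high-entropy windows,
    while plain text and ordinary code stay well below 7 bits/byte."""
    regions = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window // 2:  # skip a tiny tail, its estimate is too noisy
            continue
        e = shannon_entropy(chunk)
        if e >= threshold:
            regions.append((off, round(e, 2)))
    return regions


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy filler (chained SHA-256) that mimics packed/encrypted content."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed sample file: readable text, a packed-looking blob, then text again.
TEXT = b"Incident report: host WS-07 quarantined after beaconing to unknown C2. " * 20
SAMPLE_FILE = TEXT + pseudo_random_bytes(2048) + TEXT

if __name__ == "__main__":
    print(f"whole file: {shannon_entropy(SAMPLE_FILE):.2f} bits/byte")
    print(f"text only : {shannon_entropy(TEXT):.2f} bits/byte")
    for off, e in high_entropy_regions(SAMPLE_FILE):
        print(f"high-entropy window at offset {off:#06x}: {e} bits/byte")
```

Whole-file entropy alone can hide a small packed section inside a large benign file; the windowed view is what locates it.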
HTTP
- “Accept /” is not common
- User-Agent values
Hardware
- attack insertion point
- firmware
- embedded OS
- hypervisor
- VM level
Cables
- photo before dismantling system
IoC (reactive)
- traffic to specific IPs or domains
- unusual DNS request pattern
- large HTTP request
- DDoS
- Windows Registry entries
- virus signature, malware hash, malicious URL or domain
- deviation from golden image
IoA (proactive)
- code execution
- persistence
- stealth
- C2
- lateral movement
- network scans
- numerous logins from different locations
- unusual ports, port-protocol mismatch
- escalated privileges by normal user
- DMZ-to-internal traffic
- reinfection: rootkit present