Understanding Digital Forensics
Digital forensics involves the recovery and investigation of material found in digital devices (Windows or Linux computers, smartphones and legacy mobile phones and now even cars), often in relation to computer crime, cyber intrusions and insider threats. The goal of the attackers can be disruption (hacktivism) or intellectual property theft (plans for a proprietary chemical, engineering drawings or confidential information), and the attacker may be an employee seeking to disrupt or steal from the business.
In the role of a digital forensics examiner or incident responder, you’re acquiring gigabytes of logs and searching for evidence of file access, file opening, plugging in external devices and uploads to cloud file storage across computers, smartphones and networks. The goal is to uncover what happened, how it happened, and who was responsible. How quickly you respond can change the outcome of the investigation: logs can be overwritten with time, and there can be a low signal-to-noise ratio. Signal is what you’re looking for; noise is the day-to-day occurrences in the logs of normal or baseline network traffic.
Digital Forensics Podcast:
Have you heard about TLP? To learn more about Digital Forensics, listen to my podcast: TLP – Traffic Light Protocol. The Digital Forensics Podcast: https://open.spotify.com/show/4E7GQAtCVMbTvqhwLFM68L?si=2ecc7080931c4309.
The Importance of Preparation
Before getting started in digital forensics, you need to prepare the software and hardware aspects of an investigation. Following the NIST Computer Incident Handling Guide (SP 800-61), the first step is preparation. This means having the right skills, tools, and procedures in place before an incident occurs. Think of it as practising fire drills; you want to know exactly what to do when the alarm goes off.
Tools of the Trade
In digital forensics, having a well-equipped forensic lab is not optional, it’s what you need to get the job done. Here are some key tools and their purposes:
Forensic Software: Tools like Volatility (a Python tool that performs memory analysis on previously captured memory dumps), Autopsy (a GUI for general forensic parsing) and Hayabusa (a command-line analysis tool for Windows event logs, greatly enhanced by using Sysmon).
Memory Acquisition Tools: FTK Imager (takes memory images on Windows). These capture live memory from devices and give a different perspective on what has occurred, such as which processes were running during an incident. Often, the initial point of an intrusion is found by reviewing memory!
Network Analysis Tools: Wireshark to analyse captured packet data if you’re fortunate enough to have a PCAP from before the intrusion, or you’ve collected one while the intrusion is ongoing. Security Onion or Zeek (hooked up to a SPAN port or a network tap to intercept your East/West (internal) network traffic or North/South (outbound and inbound internet) traffic) for continuous monitoring. These tools analyse network traffic and, using dashboards and filtering options, give you the insight to identify suspicious activity.
Lots of storage: Either using external hard drives (SSD preferred for copying and reading gigabytes of data at a time) or network storage.
Real-World Example: The Importance of Memory Acquisition
Live memory contains information about what was happening on a device at a specific time and is completely different from artifacts that can appear on disk. However, to be effective, you must capture RAM before the system restarts. If the system is restarted after the intrusion, the majority of the contents of RAM is gone.
Using FTK Imager on the compromised device, take a memory capture (File > Capture Memory) and ensure that you save it to an external hard drive (so you don’t accidentally overwrite what’s on the compromised host’s hard drive). FTK will create a text file that contains the filename and SHA1 hash. Note these down in your contemporaneous notes for later. At this point, I’d recommend making a backup of the RAM capture and storing that drive in a safe or secure storage area, clearly labelled with the investigation details.
Running volatility to analyse the memory is an involved process that can take some time to run (30-60 minutes) and has a couple of steps. First you need to scan the memory image to identify what ‘profile’ to use. This tells volatility where items are located in the memory space. Once this is identified, you’ll pass that string as a switch, alongside the plugin you want to run. Some plugins are:
cmdscan – Attempt to extract command history.
dlllist – Print a list of dlls for each process.
iehistory – Attempt reconstruction of Internet Explorer history/cache.
imagecopy – Copies an address space out as a raw DD image.
malfind – Find hidden and injected code.
pslist – Print all running processes.
psscan – Pool scanner for process objects.
sockets – Lists open sockets (IP address & port number).
wintree – Print Z-Order Desktop Windows Tree.
svcscan – Search for Windows services.
shutdowntime – Print shutdown time from the machine registry.
netscan – Lists connections and sockets.
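As an added example (not the author’s code or part of Volatility), the script below ties the two steps above together: it verifies the capture against the SHA1 that FTK Imager recorded, picks the first profile from a constructed sample of Volatility 2 ‘imageinfo’ output, and runs the post’s plugins with `--profile`, hashing each output file for your contemporaneous notes. It assumes a Volatility 2 install reachable as `vol.py` and that `memdump.mem` is a placeholder capture name.

```python
import hashlib
import re
import subprocess
from pathlib import Path

# Constructed sample of Volatility 2 'imageinfo' output (not from a real case).
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.6.1
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
"""
# Plugins named in the post; cheap listing plugins first, the slow scan last.
PLUGINS = ["pslist", "psscan", "netscan", "svcscan", "cmdscan", "malfind"]

def sha1_of_file(path, chunk=1 << 20):
    """Hash the capture in chunks so a multi-GB dump never has to fit in RAM."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_capture(path, recorded_sha1):
    """True only if the dump still matches the SHA1 FTK Imager recorded at capture time."""
    return sha1_of_file(path) == recorded_sha1.strip().lower()

def parse_suggested_profiles(imageinfo_text):
    """Return the ordered 'Suggested Profile(s)' list; the first entry is Volatility's best guess."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", imageinfo_text)
    return [p.strip() for p in m.group(1).split(",") if p.strip()] if m else []

def build_command(image, profile, plugin, vol="vol.py"):
    """Assemble the Volatility 2 invocation; --profile tells it where kernel structures sit in memory."""
    return [vol, "-f", str(image), f"--profile={profile}", plugin]

def run_plugins(image, profile, outdir, plugins=PLUGINS):
    """Run each plugin, save its output under outdir, and return {plugin: sha1 of output} for the notes."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    hashes = {}
    for plugin in plugins:
        proc = subprocess.run(build_command(image, profile, plugin), capture_output=True, text=True)
        out = outdir / f"{plugin}.txt"
        out.write_text(proc.stdout if proc.returncode == 0 else proc.stderr)
        hashes[plugin] = sha1_of_file(out)
    return hashes

if __name__ == "__main__":
    profiles = parse_suggested_profiles(SAMPLE_IMAGEINFO)  # placeholder image name below
    print("profile:", profiles[0], "->", " ".join(build_command("memdump.mem", profiles[0], "pslist")))
```

Run `verify_capture` against the hash in FTK’s text file before any plugin touches the dump; a mismatch means the evidence has changed since acquisition and the analysis should stop there.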
In future I’ll share some intrusion examples that explain how to use volatility in real life and you’ll know how to go end to end.
Case Studies: Learning from the Pros
One of the most valuable ways to learn is by studying real-life case studies. Major cybersecurity vendors like Verizon, Mandiant, and CrowdStrike often publish reports detailing how they handled significant cyber incidents. These reports provide insights into the methodologies and tools used, keeping you across the latest TTPs of threat actors.
Take a look at the Verizon Data Breach Report: https://www.verizon.com/business/en-au/resources/reports/dbir/
Mandiant M-Trends 2024: https://cloud.google.com/security/resources/m-trends
Crowdstrike Global Threat Report: https://www.crowdstrike.com/global-threat-report/
The best way to learn digital forensics is by doing it as often as possible. Learning and grinding away at Capture The Flag (CTF) challenges is one of the best ways to build that muscle memory for using these tools and analysing the pages and pages of logs. This practical experience helps you develop a deep understanding of the tools and techniques used in real-world investigations.