
32309 Digital Forensics

Lecture 1
Types of Forensics
Industrial Actions - employment guidelines
Civil Actions - business operations; divorce
Criminal Actions - using a device to commit a crime; stealing the device
Malware Intrusion

Causes of Forensic Incidents


Threats and extortion
Accidents and negligence
Stalking and harassment
Commercial disputes
Disagreements, deceptions, and malpractice
Property rights infringement
Economic crime e.g. fraud, money laundering
Distributing porn
Content abuse
Privacy invasion and theft

Intrusions
Script Kiddies
Black Hat Hackers
Criminals
The Big Boys - governments; employers; military

Trusted Media: media of a known state and
risk to the examination.
Evidence Triage: prioritization of data for collection and/or analysis
Evidence Preview: initial screening of data to determine relevance to a case

Regional Internet Registries


APNIC
LACNIC
ARIN
RIPE NCC

Digital Forensics (3 forms)


Forensic Analysis - evidence is recovered to support or oppose a hypothesis before a criminal court
eDiscovery - related to civil litigation
Intrusion Detection - specialist investigation into nature and extent of an unauthorised network intrusion
Branches of DF
Computer
- examining comp memory and disks
Network
- examining network devices and packets
Database
- examining database records
Mobile Device

Live Forensics
- device is live and attack is current or very recent
- capture live evidence before power down
Disk Forensics
- device is powered down, or attack is over
- want to examine permanent disk or usb storage for traces of the attack

Order of Volatility
1. CPU Registers, CPU Cache
2. Routing Table, Process table, Memory allocation
3. Temporary File Systems, Swap Space
4. Disks
5. Remote logging (such as syslog)
6. Network Topology, Device Hardware
7. Archived data
Forensic Methods
1. Obtain authority to search
2. Secure and isolate
- locate removable media
- secure mobile devices (Faraday bag)
- collection methods must not alter evidence
3. Record the scene
- document and photograph; store on read-only media
4. Conduct a systematic search for evidence
- follow the order of volatility
5. Collect and package evidence
- maintain chain of custody (continuity of possession): handlers may have to testify; the CoC form logs when, where and why evidence was transferred. Minimises loss or contamination.
- hash files for a digital fingerprint
6. Analyse evidence in a forensic lab: work on a copy (raw image file or forensic container)
7. Prepare forensic report
8. Submit evidence as an expert witness
- expert opinion to court
9. Methods challenged - data integrity
AUTHENTICATION
Identify source of evidence
- Human and digital device
Oral evidence (suspect identifies his laptop)
Circumstantial evidence
Digital evidence (private encryption key - compelling)
REPEATABILITY
Copy + Paste vs Cloning: cloning copies everything, including metadata.
Name and version of all tools used must be documented, so that a second investigator can follow the same steps
Locard's EXCHANGE Principle:
- Contact between two items = an exchange
- Between suspect and victim
- Between investigator and crime scene
- PHYSICAL exchange e.g. fingerprint
- DIGITAL exchange e.g. email
- In a computer intrusion, attacker may leave evidence in disk space, log files and Win Registry
- Act of sending an email may leave traces on the sender's hard disk, complete with time stamps
INTEGRITY
- Confirm evidence has not been altered after collection = hash
- Evidence usually kept as disk files; hash the files for digital fingerprints once collected
- Hash the copy of the evidence; it should match the original's verification hash before analysis
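An added example of the hashing and chain-of-custody steps above (not code from the lecture): a raw image is hashed once with MD5 and SHA-256 in a single pass, the fingerprints are written to a constructed chain-of-custody log, and a working copy is verified before and after an alteration. All file names, handler names and the image content are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def hash_image(path, chunk=1 << 20):
    """One pass over a raw image computing MD5 and SHA-256 together: read the evidence once."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(), "bytes": os.path.getsize(path)}

def verify_copy(recorded, copy_path):
    """True only if every value recorded for the original matches the working copy."""
    actual = hash_image(copy_path)
    return all(actual.get(k) == v for k, v in recorded.items())

def log_custody(log_path, item, action, handler, location, reason, hashes):
    """Append one chain-of-custody entry: who handled what, when, where, why, and its fingerprints."""
    entry = {"item": item, "action": action, "handler": handler, "location": location,
             "reason": reason, "when": datetime.now(timezone.utc).isoformat(), **hashes}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def run_demo():
    """Constructed scenario: acquire an image, log it, copy it, verify, alter the copy, re-verify."""
    tmp = tempfile.mkdtemp()
    original, copy = os.path.join(tmp, "evidence.raw"), os.path.join(tmp, "working.raw")
    with open(original, "wb") as f:
        f.write(b"\x00" * 4096 + b"SECRET" + b"\xff" * 1000)     # constructed image content
    hashes = hash_image(original)
    log_custody(os.path.join(tmp, "custody.jsonl"), "evidence.raw", "acquired",
                "examiner A", "lab 1", "seized under warrant", hashes)
    with open(original, "rb") as src, open(copy, "wb") as dst:
        dst.write(src.read())
    ok_before = verify_copy(hashes, copy)
    with open(copy, "r+b") as f:
        f.seek(4096)
        f.write(b"secret")                                    # an alteration of the same size
    ok_after = verify_copy(hashes, copy)
    return ok_before, ok_after
```

Note that the alteration keeps the file size, so the size check alone would pass; only the hashes reveal it.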

FORENSIC ACQUISITION
- 3 Methods:
o RAM dump: copies content from system memory
o Logical copying of files or network systems to removable media
o Physical acquisition of the entire system: access to volatile data
- 4 Types: Physical; Logical; Live; Targeted File
- Prove any alterations are minor
- Work on a copy of the disk: a similar disk, a raw image file, or a forensic container
EVIDENCE CHARACTERISTICS
Traces are:
- CLASS: apply to many cases, e.g. a copy of Word 2007 found on the suspect's laptop
- INDIVIDUAL: apply to one case, e.g. Photoshop's serial number embedded in every image produced
LEVELS OF CERTAINTY
C0 Evidence contradicts known facts
- Incorrect
C1 Evidence is highly questionable
- Highly uncertain
C2 Only one source of evidence which is not protected against tampering
- Somewhat uncertain
C3 Some tamper protection, some inconsistencies
- Possible
C4 Evidence is tamperproof or there are multiple independent sources of evidence that agree
- Probable
C5 Tamperproof evidence from several independent sources that agree, some minor uncertainties (loss of data, timing uncertainties)
- Almost certain
C6 Tamperproof evidence with a high statistical probability
- Certain
Forensic Soundness requires technique that preserves evidence

Lecture 2 Reconnaissance

Hackers attack Targets for their Value


Threat = an attack may develop
An attack violates security by exploiting a vulnerability
A secure system minimises the risk of a successful attack
Zero-day attack = unexpected; unknown to vendor/public, e.g. Heartbleed

Data Breaches
Stealing login credentials
Backdoors - local PC or C&C link
SQL Injection - database manipulation
Source of Breach
- External
- Internal
- Business Partner

Principles of Security
Deny by default - not ideal
Defence in depth - hierarchy
Complex = insecure
Least privilege principle - need-to-know accessibility
Security, not obscurity - IIS vs Apache
Types of Attack
Operating System
- Buffer overflows in faulty code
Man in the Middle
- Dns, dhcp, vpn
Web Applications
- SQL Injection
- XSS (Cross Site Scripting)
Malware
- Virus Writer Apps

Cyber Attacks
Cyber Crime
Hacktivism
Cyber Warfare
Cyber Espionage

HACKING PHASES
Reconnaissance
- Monitoring and gathering general info about the client
Scanning
- Looking for specific network info
- ip addresses, ip ports, software versions
Gaining Access
- Cracking passwords, hijacking sessions
Maintaining Access
- Installing backdoors and rootkits
Clearing tracks
- Delete files and cleanout log files
RECONNAISSANCE PHASE
AKA Footprinting
- Forming an understanding of the target/client business
- Physical presence
- Internet presence
Usually passive information gathering
- Internet searching different sources
Can be active (with risk)
- Social engineering
Network Information
o Domain Names - DNS registers
o Address blocks - used by a target company
o Active IP addresses - part of scanning, done later
o IP Access Paths - use of Autonomous System Numbers (ASNs), part of the BGP routing protocol

Organisation Information
o Employee details
o Company websites
o ABN Register
o Address and phone numbers
o News Articles / Press releases
o Competitive Intel

INTERCEPTING PROXY
PROXY = Man in the Middle
A form of transparent proxy
Intercepts web traffic between client and server
Allows inspection of web sessions
Burp Suite is a common example
An extension of inspection is to modify traffic and gain access to the session
Search Techniques
Google hacking advanced search operators to locate specific strings in text; deleted data in cache
o "#-Frontpage-" inurl:administrators.pwd
o "#-FrontPage-" inurl:(service | authors | administrators | users) ext:pwd
o inurl:"ViewerFrame?Mode=" live cams
Netcraft Reports
Web crawler robots
Google Earth
People media Facebook
Competitive Intel - check out a company; bankruptcies
DNS: table of name:ip-number pairs
Copies of often-used names are cached in the local DNS server

nslookup tool
- Allows talking to a DNS server, as HTTP does for a web page name
- Built into Windows and Linux (Linux also has dig)
i. select the DNS name server to query (or use the default)
ii. set the DNS record type desired (default is A)
iii. set the web name to look up
iv. send the query
>nslookup - <server>    output: server; ip address
>set type=RP            output: primary name server; responsible mail addr
>set type=ns            output: default server
>set type=A             output: name; address
Find processes running java: listdlls | grep java

Lecture 3 Cookies

A web server tracks a web client:
By IP address
HTTP referrer tag
Cookie saved on the target - 3 names: HTTP cookie; web cookie; browser cookie

Web pages are transferred over the Internet via HTTP, which is stateless
Cookies save state (viewer choices) on the client device as a file on disk
Small, fast/lightweight - resist Denial of Service attacks
Save state for session key negotiation (Wireless and VPN)
- Personalisation - server remembers last visit
- Data Capture - server remembers requests
- Sales tracking - using a shopping basket
- Authentication - no need for password for repeated login

Deleting cookies will disable many websites.


Viewing cookies:
Websites visited
Actions taken/pages visited
Date of first visit
Date of last visit
Setting Cookies
Web client asks for a web page using HTTP:
GET /index.html HTTP/1.1
Web server sets a cookie when it replies:
HTTP/1.1 200 OK
Set-Cookie: name=value
Cookie is returned each time the page is accessed
Server keeps a log of cookies to track viewers:
viewer = ip address + referrer + cookie
Set-Cookie
Server has code to set the cookie
Browser asks for the server page
Server sets the cookie
Cookie file appears on client PC, with the date in cookie format

COOKIE TYPES
i. Session Cookie
- No expiry date, deleted by browser when session ends
ii. Persistent Cookies (tracking cookies)
- Expiry date in future
iii. Secure Cookie
- Sent encrypted using https
iv. Third Party Cookies (for marketing)
- Set from a different URI domain // InPrivate Filtering to stop
- web page tracking used by Advertisers // provide contents Pay Per Click (PPC) Business Model
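An added example (not from the lecture) that applies the four cookie types above to Set-Cookie headers using the standard library's cookie parser: session = no lifetime, persistent = Expires/Max-Age in the future, secure = the Secure flag, third-party = sent by a different site than the page. The page host, the sending hosts, the fixed clock and the headers are all constructed; the "registrable domain" helper is a crude two-label approximation, an assumption rather than a public suffix list.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers as a browser would receive them after loading a
# page on www.example.com (hypothetical host) that also pulls in an ad script.
PAGE_HOST = "www.example.com"
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)       # fixed clock so results are repeatable
SET_COOKIE_HEADERS = [                                # (header value, host that sent it)
    ("sid=abc123; Path=/; HttpOnly", "www.example.com"),
    ("prefs=dark; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/", "www.example.com"),
    ("auth=tok; Secure; HttpOnly; Max-Age=3600", "www.example.com"),
    ("_utma=1.2.3; Expires=Fri, 01 Jan 2027 00:00:00 GMT; Domain=.ads.example.net", "ads.example.net"),
]

def registrable_domain(host):
    """Crude 'site' approximation: last two labels (no public suffix list; an assumption)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def classify(header, sender_host, page_host=PAGE_HOST, now=NOW):
    """Tag each cookie in one Set-Cookie header with the types from the lecture."""
    jar = SimpleCookie()
    jar.load(header)
    result = {}
    for name, morsel in jar.items():
        tags = []
        if morsel["max-age"]:
            tags.append("persistent")                 # Max-Age wins over Expires (RFC 6265)
        elif morsel["expires"]:
            tags.append("persistent" if parsedate_to_datetime(morsel["expires"]) > now else "expired")
        else:
            tags.append("session")                    # no lifetime: dropped when the browser closes
        if morsel["secure"]:
            tags.append("secure")                     # only sent over https
        if morsel["httponly"]:
            tags.append("httponly")                   # not readable by page scripts
        if registrable_domain(sender_host) != registrable_domain(page_host):
            tags.append("third-party")                # set by a site other than the page's
        result[name] = tags
    return result

def classify_all(headers=SET_COOKIE_HEADERS):
    """Classify every constructed header and merge the results by cookie name."""
    out = {}
    for header, sender in headers:
        out.update(classify(header, sender))
    return out
```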

Browser Storage:
- IE Folder C:\Users\...\AppData\Roaming\Microsoft\Windows\Cookies
Win +R; Shell:Cookies
Low Folder UAC activated [Control Panel > Action Centre]
Database: Index.dat
Pasco viewer
o Another Index.dat is used to index web browser history files
- Mozilla C:\Users\...\AppData\Roaming\Mozilla
Database: sqlite
sqlite manager add-on
Urchin Tracking Modules
UTMA Visitor Identifier: tracks dates and visits
UTMB 30 Minute session identifier
B/C: indicate session expired
UTMC On exit identifier
UTMV Custom variable cookie
UTMZ Visitor segmentation: tracks the user
Temporary Internet Files
http allows web browsers to cache recently visited webpages.
When viewer revisits page, http checks date on cached page and decides to show cached copy or refresh
page from server.
Caching cuts down web traffic and speeds webpage rendering.
Location chosen by webpage layout engine:
IE : Trident
Firefox : Gecko
Chrome : Blink
Web History
InPrivate Browsing (IE)
Protects against local and web attack
Hides web history data
Recovery
Volatile memory
- System history & Process history
Disk
- Temporary files (incl. cached) & swap files
Local DNS server cache

Lecture 4a Network Based Evidence


The Network: all internet packets are available at the edge router.
The TCP Session
Set up by a three-way handshake using flags
Uses sequence numbers to provide resend of lost or damaged packets
Torn down by a three-way close
TCP Session Sequence
i. Setup Phase: various options negotiated between server and client
ii. Data Transfer Phase: often encrypted
iii. Session Teardown: either side may initiate the process

Network Activity Protocols
Device Start-up - dhcp
Device Connection - ssh | telnet
Background noise - switch STP, routing protocols (OSPF), windows AD
User Activity - access website, send/receive email, access work connection (VPN)
Intruder Activity - as above, back-door

Attack on a digital device can be performed in person or over the digital network.
A Network Attack:
Open trapdoor on target device
Contact target device from a remote device
Exchange network packets to:
- Install snooping software
- Then retrieve sensitive information such as passwords
Network Intrusion Detection:
Special intrusion detection hardware IDS/IPS
Equip firewall with IDS features
Have network-based IDS to examine all network packets
Have host-based IDS to examine local network activity
Record network activity in local log files
Use local firewall/virus scanner
Locating Network Evidence:
Suspect's device - file folders, cache, swap files
Local network - proxies, firewalls, IDS
ISP - proxies, firewalls
Remote website - logs

Access Website Sequence


Dns request
http handshake: browser details, server details
html handshake: style sheets, javascript
page display: images, gifs, pngs
SSL: SSL Certificate Exchange requires authentication, trusted certs issued by Certificate Authority (CA)
Plug-ins: flash
Extras: cookies, hit counters, page tracking, ASP.Net
NBE (Network Based Evidence): 4 broad methods
1. Full Content data - examine every packet
2. Session data
- examine TCP session data
3. Alert data
- examine errors and exceptions
4. Statistical data
- examine unusual events

NBE Tools
Best tools run on Linux / FreeBSD
TCPDump - full content capture
Winpcap - Windows version of libpcap
Packets analysed using Wireshark or Snort, online or from a packet dump
TCPView - session data
Snort - provides alert data in addition to the IPS

Full Content Data


o Every bit of every packet
o On Ethernet or wireless
o Need a packet capture library (libpcap) on device network interface
o Wireshark
o Usually used only after an intrusion
o Extensive disk space used
o Excellent Evidence
can detect attack on other systems
can expose advanced attacks
o Encrypted packets a problem
Session Data
o Derived from TCP sessions
o Available during initial intrusion
o Indicates time, date and parties involved
o Can see intrusion sequence
o Look for strange IP addresses
o Look for unusual ports in use, e.g. IRC
o High traffic could indicate file transfer
Alert Data
o When IDS/IPS sees a packet that matches a virus signature or an intrusion rule alert.
o Tune IPS for best results and:
Avoid false positives
An event, incorrectly identified by IDS as intrusion when none has occurred
Avoid false negatives
An event IDS fails to identify as intrusion when one has occurred
Watch a back door
Statistical Data
o Measure health and performance of a network
o Need a normal profile
o Can show variations
Top ten websites, unusual web addresses and ports, which processes/services transfer most
data
o Immune to encryption: encryption does not affect statistical data
Accessing the Wire (2 Methods)
i) Place pcap device on wire between edge router and firewall
a. Use a hub; or
b. Two interface cards as a bridge
ii) Use a switch running SPAN
Switch Port Analyser, built into Cisco switches

WIRESHARK to baseline device NBE

Data Sources
Packets can come live from a device, via pcap on the network adaptor
Packets can come from a pcap file: wireshark, tcpdump, dumpcap, text2pcap, other capture programs
Accessing a Web Site
Identify web site
Start packet capture
Access website (may involve website cache)
Stop capture
Analyse results
- Conversations for ip addresses involved
- Statistics to identify protocols
- Reassembly of webpages visited
Protocols in Wireshark
SSH - remote site log on
VPN - ISAKMP, ESP, AH
SSL - X.509 Certs / accessing a bank website
802.11 - using Wireless
SIP - using VOIP
Evidence of Accessing a Web Site
Browser/server http handshake
CSS & JavaScript download
Page download - text, gifs, jpegs || some may come from local cache
Plug-ins started
Cookies downloaded
External page tracking
Searching a pcap for URLs
Use grep or Wireshark, or a script that searches for words matching a keyword dictionary.
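An added example of the keyword search just described (not code from the lecture): a minimal pcap reader that walks Ethernet/IPv4/TCP frames, reconstructs the URL of each plain HTTP request from the request line and Host header, and returns those matching a keyword dictionary together with the requesting IP. The capture is constructed in the block with struct (TEST-NET addresses and hypothetical hosts); it assumes the little-endian, microsecond pcap format and single-frame requests.

```python
import struct

# Constructed sample pcap (not a real capture): Ethernet/IPv4/TCP frames carrying
# plain HTTP requests, built with struct so the example runs offline.
def _frame(src_ip, dst_ip, sport, payload):
    eth = b"\x00" * 12 + b"\x08\x00"                          # MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = _pcap([
    _frame("192.0.2.10", "198.51.100.7", 50000,
           b"GET /login?user=alice HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    _frame("192.0.2.10", "198.51.100.8", 50001,
           b"GET /images/logo.png HTTP/1.1\r\nHost: cdn.example.net\r\n\r\n"),
])

def http_requests(pcap_bytes):
    """Yield (source ip, url) for every HTTP request line found in a TCP payload."""
    if struct.unpack("<I", pcap_bytes[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled (assumption)")
    off = 24
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack("<IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                     # not IPv4 over TCP
        src = ".".join(str(b) for b in frame[26:30])
        tcp = 14 + (frame[14] & 0x0F) * 4                # skip Ethernet + IP header (IHL)
        payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]
        try:
            text = payload.decode("ascii")
        except UnicodeDecodeError:
            continue                                     # binary or encrypted, not HTTP
        request_line, _, headers = text.partition("\r\n")
        parts = request_line.split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            continue
        host = ""
        for line in headers.split("\r\n"):
            if line.lower().startswith("host:"):
                host = line[5:].strip()
        yield src, "http://" + host + parts[1]

def search_urls(pcap_bytes, keywords):
    """URLs containing any dictionary keyword (case-insensitive), with the requesting ip."""
    kws = [k.lower() for k in keywords]
    return [(src, url) for src, url in http_requests(pcap_bytes)
            if any(k in url.lower() for k in kws)]
```

HTTPS sessions fail the ASCII decode and are skipped, which is the "encrypted packets are a problem" point from the full-content section.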

Lecture 4b CPU and Memory

CPU executes instructions to perform actions on data


o Instructions are kept in memory as program segments
o Data is also kept in memory as data segments
o Memory in RAM is volatile, unlike disk storage
Memory
o Physical Address Extension (PAE) allows access to more RAM
o Memory Management Unit (MMU) handles memory requests
o Translation Lookaside Buffer (TLB) may hold memory data
o Direct Memory Access (DMA) devices, like graphics cards
Data Structures in Memory
- Arrays - usually fixed size
- Bit maps - sparse arrays (e.g. tcp ports in use)
- Records - name:value pairs
- Strings - often 00 terminated
- Linked lists
- Hash tables
- Hierarchical trees
Operating System Modes
o Kernel Mode - core OS
Can access most of the RAM
Includes many drivers
All kernel mode processes can see each other's RAM
o User Mode - user apps
RAM access is restricted
Each user mode process runs in its own sandbox
User mode processes cannot access kernel mode RAM

Processes
o A process is a running program launched from an exe
o Every task in a PC runs as a process
o Forensics examines processes to locate evidence
Process Startup
- Task Manager - how started, publisher, when written
- Tasklist (built into Windows)
- PsList (SysInternals)
Memory Process Footprint
Each process has artifacts that identify it in RAM:
- Open file handles
- Recent dlls used
- Memory mappings
- Network connections (sockets)
- Privileges

Task Manager | Linked List
o Keeps track of processes (tasks)
o Uses a linked list of nodes
o Each node in the list has a value and a pointer to the next node; the last node links to a terminator
Listing Processes
o Task Manager displays a list of processes
Starts at PsActiveProcessHead, which links to each _EPROCESS structure; active processes are displayed
o Executive Process list has more processes
Active, Hidden, Deleted
o Some tools can dump all of these
A virus can hide an evil process by manipulating the list
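An added example (not from the lecture) of the list manipulation just described and of how a memory tool detects it: a constructed model of the PsActiveProcessHead ring, a process unlinked from it the way a rootkit would, and a cross-view check that compares the list walk with a scan of every allocated object (the idea behind Volatility's pslist versus psscan). Process names and pids are constructed; nothing here touches a real kernel.

```python
# Constructed model of the Windows active process list (PsActiveProcessHead ->
# _EPROCESS.ActiveProcessLinks) and of a cross-view check for hidden processes.
# Names and pids are illustrative; nothing here reads a real kernel.
class EProcess:
    def __init__(self, pid, name):
        self.pid, self.name = pid, name
        self.flink = self.blink = None      # ActiveProcessLinks forward/backward pointers

class ProcessList:
    def __init__(self):
        self.head = EProcess(0, "PsActiveProcessHead")   # list head, not a process
        self.head.flink = self.head.blink = self.head
        self.pool = []                      # every _EPROCESS allocated; what a pool scan sees

    def create(self, pid, name):
        p = EProcess(pid, name)
        last = self.head.blink              # append before the head (end of the ring)
        last.flink, p.blink, p.flink, self.head.blink = p, last, self.head, p
        self.pool.append(p)
        return p

    def walk(self):
        """What Task Manager / tasklist see: follow flink from the head until back at the head."""
        seen, node = [], self.head.flink
        while node is not self.head:
            seen.append(node)
            node = node.flink
        return seen

    def unlink(self, p):
        """Direct Kernel Object Manipulation as a rootkit does it: splice p out of the ring.
        The object stays in memory and its threads keep being scheduled, so it still runs."""
        p.blink.flink = p.flink
        p.flink.blink = p.blink
        p.flink = p.blink = p               # self-loop so a later exit does not corrupt the list

def hidden_processes(plist):
    """Cross-view detection: any allocated _EPROCESS that the pool scan finds but the
    linked-list walk does not is hidden."""
    linked = {id(p) for p in plist.walk()}
    return [p for p in plist.pool if id(p) not in linked]

def demo():
    """Constructed scenario: three processes, one unlinked, then the two views compared."""
    plist = ProcessList()
    for pid, name in [(4, "System"), (800, "svchost.exe"), (1337, "evil.exe")]:
        plist.create(pid, name)
    plist.unlink(plist.pool[2])
    visible = [p.name for p in plist.walk()]
    hidden = [p.name for p in hidden_processes(plist)]
    return visible, hidden
```

On a real system the "pool" view comes from scanning memory for _EPROCESS pool tags, which is why a raw memory dump, not a process listing, is needed to find such a process.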

Windows DLLs
o Dynamic Link Library - piece of code that can be shared by one or more processes
o Stored on disk in Windows
o Difficult to spot a malware-introduced dll
Can also alter an existing dll; detect by examining the dll hash
o View running dlls: Listdlls | Tasklist
Listdlls shows how a process was launched: >listdlls cmd | grep -A2 pid
Viewing dll version detail: >listdlls -v > process_detail.txt
Viewing with Tasklist: >tasklist /m /fi "imagename eq cmd.exe"
/m = list modules
/fi = filter by name or PID

Services
o Long running processes
o No user interface
o Many services start automatically at boot
o Similar to daemons in linux
o Some used for networking webclient; Remote Procedure Calls (rpc)
o Can be run by Service Host Processes: svchost.exe
o See running services, call service controller sc with query ex(tended) option

sc queryex > services.txt

o See processes running Services: Tasklist /svc


Windows Memory
o Memory accesses are faster than disk accesses
o A process opens file contents into memory and decodes encryption (ssl & vpn) in memory | passwords are also in memory
o Memory data can be: incomplete, randomly organised, partly overwritten, repeated in different locations, changed by memory managers at any instant
o Dump memory with win32dd.exe; the dump is large and the tool may interfere with memory managers
Analyse with Volatility (Python-based) for Windows, Linux, Mac OSX, & Android ARM
Volatility can recover process lists, network connections, passwords and web sessions.
o May also contain: parts of the Win Registry, parts of the disk file table, terminated processes, malware
Memory Addressing
i. Request to read virtual address
ii. Translate to physical memory address
iii. Translate to file offset, decompress (if necessary)
iv. Seek to and read from file offset
Searching Process Memory
Process memory dump = Task Manager; cmd tool dp.exe or ProcDump
strings to extract text from a binary dump: strings iexplore.dmp > iexplore.txt
Search the text file: grep passwd iexplore.txt
Look for cookies: grep Set-Cookie iexplore.txt
Virtual Memory = when there is not enough RAM for the CPU to access all its programs, unused RAM is swapped to disk files
Memory on Disk: virtual memory page files (25% of RAM); hibernation files (75% of RAM); win8 swap files; crash files == C:\pagefile.sys ; hiberfil.sys ; swapfile.sys
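An added example (not from the lecture) of the strings-then-grep step above, carried one step further than the commands shown: it extracts printable ASCII runs the way strings does and also UTF-16LE runs, which is how Windows keeps most of its text in memory and which plain strings only reports with -e l. The dump is a constructed byte string, not a real process image.

```python
import re

# Constructed process memory dump (not a real dump): binary filler, an ASCII HTTP header
# and a UTF-16LE string, which is how Windows stores most of its text in memory.
SAMPLE_DUMP = (b"\x00\x01\x02" * 5
               + b"Set-Cookie: sid=abc123; HttpOnly\r\n"
               + b"\xff\xfe\x00\x10"
               + "passwd=hunter2".encode("utf-16-le")
               + b"\x90" * 8 + b"ok\x00")

ASCII_RUN = rb"[\x20-\x7e]{%d,}"               # printable ASCII, at least min_len bytes
UTF16_RUN = rb"(?:[\x20-\x7e]\x00){%d,}"       # printable ASCII interleaved with NUL bytes

def extract_strings(dump, min_len=4, utf16=True):
    """(offset, encoding, text) tuples like `strings`; with utf16=True also the UTF-16LE
    runs that plain `strings` only reports with -e l."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in re.finditer(ASCII_RUN % min_len, dump)]
    if utf16:
        found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
                  for m in re.finditer(UTF16_RUN % min_len, dump)]
    return sorted(found)

def grep_dump(dump, pattern, min_len=4, utf16=True):
    """grep-style search over the extracted strings, case-insensitive."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [hit for hit in extract_strings(dump, min_len, utf16) if rx.search(hit[2])]
```

With utf16=False the password string is missed entirely, which is the practical reason to run strings in both encodings over a Windows dump.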
