Digital Forensics Data Analysis
Questions and Answers

What is the first step to ensure that a target drive is secure for forensic analysis?

  • Immediately create a bit-stream image of the drive.
  • Inspect and clear the drive of any possible malware. (correct)
  • Reformat the drive without any inspections.
  • Use a previously used drive that may contain malware.

Why is it important to document the condition of the computer when seized?

  • To ignore the BIOS date and time values.
  • To manipulate the evidence during analysis.
  • To establish a chain of custody and provide context for the evidence. (correct)
  • To assess the age of the hardware components.

What should be done if password-protected files related to the investigation are found?

  • Make an effort to recover file contents using password-recovery tools. (correct)
  • Ignore them, as they are not relevant.
  • Automatically delete them to avoid complications.
  • Report them without attempting to access their content.

When examining a drive for forensic analysis, what should be the starting point?

    The root directory of the volume partition.

    What should you do if you discover an executable file with an unknown hash value?

    Identify its function and note any discrepancies.

    What problem does IP address normalization seek to address?

    Dynamically assigned IP addresses may not correlate events because they are not static.

    What is a recommended best practice for time normalization?

    Standardize time formats as much as possible.

    What is the main difference between validation and verification in forensics?

    Validation confirms functionality, while verification proves that two data sets are identical.

    Which issue does time normalization face regarding timestamps?

    Incorrect timestamps caused by a lack of synchronization to a central time source are common.

    What is crucial for ensuring high accuracy in time normalization?

    Implementing clock synchronization with NTP.

    What is the purpose of normalizing log data?

    To simplify analysis and reporting by using consistent formats.

    Which of the following capabilities does log analysis provide?

    Creating human-readable histograms for event analysis.

    How can event timestamps assist in log tampering detection?

    By correlating timestamps to identify discrepancies.

    What is a key benefit of aggregating similar log events?

    To reduce the amount of data and focus on significant events.

    Which tool mentioned is used for log normalization and aggregation?

    Kibana

    In digital forensics, what is necessary for records to be effectively correlated?

    They should use comparable formats and identifiers.

    What is an example of evidence that can indicate system manipulation during an investigation?

    Inconsistencies in recorded timestamps.

    Which of the following is NOT a direct focus area for event analysis?

    Identifying deleted data for recovery.

    What is the primary purpose of conducting a timeline analysis in digital forensics?

    To determine the sequence of events during an incident.

    What is meant by 'scope creep' in a digital forensics investigation?

    The expansion of the investigation's goals beyond the initial targets because of new findings.

    Which factor largely determines the approach taken in a digital forensics investigation?

    The type of case being investigated, such as civil or criminal.

    Why is data normalization important in digital forensics?

    It organizes data from multiple sources to enable accurate analysis.

    In private-sector investigations, what role does the company attorney typically play?

    They may direct the investigator to recover as much information as possible.

    What is the first step in a digital forensics investigation?

    Create a plan defining the goals and scope of the investigation.

    What is a significant consideration when investigating an employee suspected of industrial espionage?

    Understanding the organization's rules regarding privacy rights and acceptable use.

    What is the effect of a search warrant in criminal investigations regarding evidence collection?

    It restricts the investigation to the specific data defined in the warrant.

    Which of the following is a common limitation faced in civil investigations?

    Court orders restrict the types of evidence that can be examined.

    Which method might be employed when investigating an employee's suspected misconduct?

    Utilizing keyloggers and monitoring internet activity, with proper authorization.

    What is the purpose of generating hash values during digital forensics acquisition?

    To ensure the integrity of the data image file.

    What should an investigator do if the hashes of the original data and the acquired image do not match?

    Create a new forensic image of the original data.

    Which of the following is a feature offered by AccessData FTK Imager?

    Reporting of hash values in .E01 or .S01 files.

    If a forensic tool does not support verification features, which tool is suggested for use?

    WinHex, as a hex editor.

    What outcome is expected if an investigator cannot create a new forensic image because the original data is lost?

    Report the mismatched hash values and the potential for inaccurate findings.

    Study Notes

    Introduction

    • The phase involving analysis and verification of collected data is crucial in digital forensics.
    • Determining which data to collect and analyse involves conducting a timeline analysis of the incident, aggregating correlating data from varying sources, and normalising data.
    • The collected data can then be verified using forensics software and Hex editors.
    • Investigation plans are refined and updated during this stage.

    Data Analysis & Investigation Plans

    • Examining and analyzing digital evidence depends on the nature of the investigation and the amount of data to process.
    • In criminal investigations, analysis is limited to finding data specified in the search warrant.
    • In civil investigations, the analysis is often limited by court orders for discovery.
    • Private sector investigations might be searching for company policy violations requiring examination of specific items, such as emails.
    • Investigations often prioritize locating and recovering specific items.
    • If litigation is anticipated in the private sector, the company attorney typically directs the investigator to recover as much information as possible.
    • Unexpected evidence may necessitate expanding the investigation beyond the original description, prompting further examination.

    Data Analysis & Investigation Plans (Continued)

    • Starting an investigation involves creating a plan that defines objectives, scope, required materials, and tasks to be performed.
    • The chosen approach depends on the type of investigation.
    • Gathering evidence for an email harassment case might involve accessing network logs and email server backups to locate specific messages.
    • The approach also varies depending on whether the investigation is internal, civil, or criminal.
    • Internal investigations tend to be more straightforward.
    • Criminal investigations typically require contacting ISPs and email services, although some companies have systems in place to handle such situations.

    Data Analysis & Investigation Plans (Continued)

    • Investigations involving suspected industrial espionage are often the most demanding.
    • Before initiating such an investigation, it is essential to ensure the organization has established rules of use and limitations of privacy rights, so that monitoring of the employee is authorized.
    • Techniques such as software or hardware keyloggers and monitoring of internet activity may be employed, but only with that authorization in place.
    • Remote acquisition of the employee's drive and using tools to determine which peripheral devices were accessed (for example, removable media) are crucial steps.

    Data Analysis & Investigation Plans (Continued)

    • Follow these basic steps for all digital forensics investigations:
      • For the target drive, use media that has been inspected and cleared of malware and reformatted to the original drive's configuration.
      • Inventory the suspect's computer hardware, noting its condition, checking the system's BIOS date and time values (and recording their offset from a trusted clock), and documenting all physical components.
      • Record the data acquisition method used on the suspect drive (e.g., bit-stream image, tool used, hash value of the image).
      • List all folders and files on the image or drive, noting the location and relevance of specific evidence.
      • Examine the contents of all data files in all folders, starting from the root directory of the volume partition.
      • Make every effort to recover the contents of password-protected files using password-recovery tools.
      • Identify the function of every executable file that doesn't match known hash values, and note any out-of-place system files and folders.
    • Event and log analysis during this phase should:
      • Develop context around events or alerts.
      • Add additional data sources to the investigation.
      • Detect times of high system activity and events occurring at unusual times (outliers).
      • Concentrate on crucial events.
      • Detect system clock manipulation and log tampering through timestamp correlation.
      • Differentiate between automated/system activities and human activities.
      • Differentiate between regular system tasks and less frequent activities.
      • Create human-readable histograms.
      • Normalise timestamps from disparate sources, formats, and time zones.
      • Provide information about deleted data, even if it is not recoverable.
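The file-inventory and executable-triage steps above (list every file, hash it, and identify executables whose hashes are not known, plus system files sitting in the wrong place) can be scripted. The following is an added example, not code from the original page or from any forensic tool: it builds a small constructed directory tree standing in for a mounted image, hashes every file, and reports executables whose SHA-256 is absent from a constructed "known-good" set (a stand-in for a real hash database such as NSRL) as well as well-known system file names found outside their expected directory. The tree contents, the expected-location table and the known-good set are all assumptions made for the demonstration.

```python
"""Inventory and triage files under an examination root (added example).

Two independent checks are shown: (1) an executable whose hash is not in the
known-good set needs its function identified, and (2) a file carrying a
well-known system file name but living outside its expected directory is
suspicious even when its hash IS known (a copied legitimate binary can still
be misused, and a matching hash says nothing about location).
"""
import hashlib
import os
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"                                   # DOS/PE header signature
EXE_SUFFIXES = {".exe", ".dll", ".sys", ".scr"}

# Assumed table: where these file names are expected to live (lower-cased).
EXPECTED_LOCATIONS = {
    "svchost.exe": {"windows/system32"},
    "kernel32.dll": {"windows/system32"},
}

# Constructed sample tree: relative path -> bytes.  Not real binaries.
SAMPLE_TREE = {
    "Windows/System32/kernel32.dll": b"MZ" + b"\x90" * 64 + b"KERNEL32",
    "Windows/System32/svchost.exe": b"MZ" + b"\x90" * 64 + b"SVCHOST",
    # Same bytes as the real svchost.exe, so its hash is "known", but wrong place.
    "Users/jdoe/AppData/Local/Temp/svchost.exe": b"MZ" + b"\x90" * 64 + b"SVCHOST",
    # Double extension and an unknown hash: classic dropper pattern.
    "Users/jdoe/Downloads/invoice.pdf.exe": b"MZ" + b"\x90" * 64 + b"DROPPER",
    "Users/jdoe/Documents/notes.txt": b"plain text",
}


def build_sample_tree(root: Path) -> None:
    """Write the constructed tree under root."""
    for rel, data in SAMPLE_TREE.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def sha256_of(path: Path) -> str:
    # Files here are tiny; a real image would be hashed in chunks.
    return hashlib.sha256(path.read_bytes()).hexdigest()


def is_executable(path: Path) -> bool:
    """Check content, not only the extension: a renamed PE still starts with MZ."""
    with path.open("rb") as f:
        magic = f.read(2)
    return magic == PE_MAGIC or path.suffix.lower() in EXE_SUFFIXES


def inventory(root: Path) -> list:
    """List every regular file with its size, hash and executable flag."""
    rows = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rows.append({
                "path": p.relative_to(root).as_posix(),
                "size": p.stat().st_size,
                "sha256": sha256_of(p),
                "exe": is_executable(p),
            })
    return rows


def triage(rows: list, known_good: set) -> list:
    """Return (path, reason) findings for the two checks described above."""
    findings = []
    for r in rows:
        name = os.path.basename(r["path"]).lower()
        parent = os.path.dirname(r["path"]).lower()
        if r["exe"] and r["sha256"] not in known_good:
            findings.append((r["path"], "unknown hash: identify function"))
        if name in EXPECTED_LOCATIONS and parent not in EXPECTED_LOCATIONS[name]:
            findings.append((r["path"], "system file name outside expected location"))
    return findings


def demo() -> list:
    root = Path(tempfile.mkdtemp())
    build_sample_tree(root)
    rows = inventory(root)
    # Constructed known-good set: in practice this comes from a hash database,
    # not from the image under examination.
    known_good = {r["sha256"] for r in rows if r["path"].startswith("Windows/System32/")}
    return triage(rows, known_good)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:45} {path}")
```

The Temp copy of svchost.exe is reported only by the location check, and invoice.pdf.exe only by the hash check; dropping either check would miss one of them.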

    Aggregation & Correlation of Different Sources

    • Analysing logs and other incident data in digital forensics involves aggregating events.
    • "Similar" events are grouped together for examination.
    • Records must be comparable and correlatable based on information items like timestamps, IP addresses, process identifiers, user identifiers, and vulnerability identifiers (CVE).

    Aggregation & Correlation of Different Sources (Continued)

    • In log normalization, each log data field is converted to a specific data representation and categorized consistently.
    • One common use of normalization is storing dates and times in a single format.
    • Normalizing data simplifies analysis and reporting, especially when multiple log formats are in use.
    • Tools like Kibana and Squert aid in log normalization and aggregation.
    • Both tools are viewed and operated through a web browser; Kibana reads its data from Elasticsearch, and Squert from the Sguil database.
    • These tools allow event data to be displayed as curves, charts, and graphs, which can be combined into dashboards.

    Data Normalization

    • IP Address Normalization:
      • An IP address is not a reliable host identifier on its own: DHCP reassigns addresses over time, and NAT hides many internal hosts behind one external address, so an address is neither stable nor globally unique.
      • Correlation based solely on IP addresses is therefore unreliable.
      • To overcome this, investigators should acquire logs from DHCP servers and NAT gateways and use them to map an address at a given time to a specific host (MAC address, hostname, or internal address).
    • Time Normalization:
      • Timestamps might be inaccurate if the system is not synchronized with a central time source (e.g., NTP), has fallen out of sync, or has incorrect daylight saving time settings.
      • Different formats might make timestamps unreadable by the analysis software.
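The DHCP correlation described above, as an added example that is not part of the original page: given a DHCP lease log and a set of proxy events that carry only an internal IP address, each event is attributed to the host that held the lease at that moment, and events that fall outside any lease are left unresolved rather than guessed. The lease records and events are constructed for the demonstration; a NAT gateway log would be handled the same way, keyed on external address and port instead of internal address.

```python
"""Attribute IP-only events to hosts via DHCP leases (added example)."""
from datetime import datetime, timezone


def ts(s: str) -> datetime:
    """Parse an already-normalized UTC timestamp."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed DHCP lease log: (ip, mac, hostname, lease_start, lease_end), all UTC.
# Note that 10.0.0.5 changes hands at 01:05 with a five-minute gap.
LEASES = [
    ("10.0.0.5", "aa:bb:cc:00:00:01", "wks-alice", ts("2024-03-10T00:00:00Z"), ts("2024-03-10T01:00:00Z")),
    ("10.0.0.5", "aa:bb:cc:00:00:02", "wks-bob",   ts("2024-03-10T01:05:00Z"), ts("2024-03-10T02:05:00Z")),
    ("10.0.0.6", "aa:bb:cc:00:00:03", "wks-carol", ts("2024-03-10T00:00:00Z"), ts("2024-03-10T02:00:00Z")),
]

# Constructed proxy events that identify the client only by internal IP.
EVENTS = [
    (ts("2024-03-10T00:30:00Z"), "10.0.0.5", "GET http://example.test/a"),
    (ts("2024-03-10T01:30:00Z"), "10.0.0.5", "GET http://example.test/b"),
    (ts("2024-03-10T01:02:00Z"), "10.0.0.5", "GET http://example.test/c"),  # between leases
    (ts("2024-03-10T01:30:00Z"), "10.0.0.6", "GET http://example.test/d"),
]


def lease_for(ip: str, when: datetime, leases=LEASES):
    """Return the single lease covering ip at time 'when', or None.

    Two overlapping leases for one address mean the DHCP log itself is
    inconsistent; that is raised rather than silently picking one.
    """
    matches = [l for l in leases if l[0] == ip and l[3] <= when < l[4]]
    if len(matches) > 1:
        raise ValueError(f"overlapping leases for {ip} at {when.isoformat()}")
    return matches[0] if matches else None


def attribute(events=EVENTS, leases=LEASES) -> list:
    """Attach MAC and hostname to each event; unresolved events stay visible."""
    out = []
    for when, ip, msg in events:
        lease = lease_for(ip, when, leases)
        out.append({
            "ts": when, "ip": ip, "msg": msg,
            "mac": lease[1] if lease else None,
            "host": lease[2] if lease else "UNRESOLVED",
        })
    return out


def by_host(attributed: list) -> dict:
    """Group messages by resolved host, the key you actually correlate on."""
    grouped = {}
    for r in attributed:
        grouped.setdefault(r["host"], []).append(r["msg"])
    return grouped


if __name__ == "__main__":
    for host, msgs in by_host(attribute()).items():
        print(host, msgs)
```

Correlating on the two 10.0.0.5 events alone would have blamed one host for activity that belongs to two different users, and the 01:02 event stays UNRESOLVED rather than being silently attached to whichever lease is nearest.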

    Data Normalization (Continued)

    • Best practice recommendations for Time Normalization include:
      • Implementing clock synchronization (NTP) on all systems for accurate time.
      • Monitoring correct operation, especially when switching to/from daylight saving time.
      • Logging time zone information as a numeric offset (e.g., +02:00) instead of the time zone name, since abbreviations such as "CST" are ambiguous.
      • Including the full four-digit year in all timestamps.
      • Standardizing time formats as much as possible.
      • Normalizing timestamps to UTC as early as possible in the log chain.
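The time-normalization recommendations above, together with the timeline, histogram and clock-manipulation items in the event-analysis list earlier, can be shown in one piece of code. This is an added example, not code from the original page: it takes constructed log lines from three sources that use different timestamp formats (one of them with no zone information at all), converts each to UTC, sorts them into a single timeline, builds an hourly histogram, and flags records whose timestamp runs backwards within one source, which is the signature of a changed system clock or an edited log. The per-source formats and the assumed local zone for the zone-less source are assumptions for the demonstration.

```python
"""Normalize mixed-format timestamps to UTC and build a timeline (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample records in ingestion order: (source, raw_timestamp, message).
SAMPLE_RECORDS = [
    ("fw",  "2024-03-10T01:58:30+01:00", "ACCEPT 10.0.0.5 -> 203.0.113.9:443"),
    ("web", "10/Mar/2024:00:59:01 +0000", "GET /login 200"),
    ("win", "03/10/24 02:00:13",          "4624 logon user=jdoe"),      # local time, no zone
    ("web", "10/Mar/2024:01:04:40 +0000", "POST /upload 201"),
    ("win", "03/09/24 23:30:00",          "4616 system time changed"),  # runs backwards
    ("fw",  "2024-03-10T02:10:05+01:00", "DROP 10.0.0.5 -> 198.51.100.7:22"),
]

# Assumed per-source rules: (strptime format, zone to assume when the stamp has none).
SOURCE_FORMATS = {
    "fw":  ("%Y-%m-%dT%H:%M:%S%z", None),
    "web": ("%d/%b/%Y:%H:%M:%S %z", None),
    "win": ("%m/%d/%y %H:%M:%S", timezone(timedelta(hours=1))),  # assumed UTC+1 host
}


def to_utc(source: str, raw: str) -> datetime:
    """Parse one raw timestamp and return an aware UTC datetime."""
    fmt, assumed_tz = SOURCE_FORMATS[source]
    dt = datetime.strptime(raw, fmt)
    if dt.tzinfo is None:
        if assumed_tz is None:
            # Refuse to guess: a naive stamp with no documented zone is unusable.
            raise ValueError(f"{source}: naive timestamp and no zone assumption")
        dt = dt.replace(tzinfo=assumed_tz)
    return dt.astimezone(timezone.utc)


def normalize(records=SAMPLE_RECORDS) -> list:
    """Normalized records keep their ingestion sequence number for tie-breaks."""
    out = []
    for seq, (source, raw, msg) in enumerate(records):
        ts = to_utc(source, raw)
        out.append({"seq": seq, "source": source, "ts": ts,
                    "ts_iso": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "msg": msg})
    return out


def timeline(normalized: list) -> list:
    """Single ordered timeline across all sources."""
    return sorted(normalized, key=lambda r: (r["ts"], r["seq"]))


def backward_jumps(normalized: list) -> list:
    """Within one source, records are appended in order, so a timestamp earlier
    than its predecessor's points to a clock change or a rewritten log."""
    last, flagged = {}, []
    for r in normalized:
        prev = last.get(r["source"])
        if prev is not None and r["ts"] < prev["ts"]:
            flagged.append((prev, r))
        last[r["source"]] = r
    return flagged


def hourly_histogram(normalized: list) -> Counter:
    """Event counts per UTC hour, the raw material for a human-readable histogram."""
    return Counter(r["ts"].strftime("%Y-%m-%d %H:00Z") for r in normalized)


if __name__ == "__main__":
    rows = normalize()
    for r in timeline(rows):
        print(r["ts_iso"], r["source"], r["msg"])
    for prev, cur in backward_jumps(rows):
        print(f"clock anomaly on {cur['source']}: {prev['ts_iso']} then {cur['ts_iso']}")
    for hour, n in sorted(hourly_histogram(rows).items()):
        print(hour, "#" * n)
```

Only after normalization does it become visible that the firewall ACCEPT at "01:58:30+01:00" precedes the web server's "00:59:01 +0000" request by half a minute, and that the Windows host's clock was turned back between its two records.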

    Forensics Verification

    • Validation vs. Verification:
      • Validation confirms that a process or product functions as intended.
      • Validation is essential for forensics tools, processes, and methods.
      • Verification proves that two data sets are identical, by calculating hash values or using similar methods.
    • The purpose of forensic verification is to demonstrate the exact match between the created image and the original suspect data.
    • Re-verifying the image hash after examination also shows that the investigator's analysis did not modify the image, protecting data integrity.

    Forensics Verification (Continued)

    • Digital forensics tools generate hash values (e.g., MD5 and SHA-1) when acquiring a data image file. MD5 and SHA-1 are no longer collision resistant, so where the tool offers it, record a SHA-256 value alongside them; reproducing the acquisition-time hash of a specific image still demonstrates that the image is unchanged.
    • When the data image is loaded into a forensics tool, another hash is calculated and compared with the original hash value.
    • If the hashes don't match, the image is corrupt or was altered, and the investigator must create a new forensic image of the original data.
    • If the original data is unavailable, the investigator should document the mismatched hash values in the report and state that the findings may be inaccurate.
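The hash check described above, as an added example that is not the code of FTK Imager or any other tool: an image file is hashed in fixed-size chunks (so it works for multi-gigabyte images), the digests recorded at acquisition time are compared with freshly computed ones, and the result is a per-algorithm report of the kind that goes into the examination notes. The "image" here is a constructed 4 KiB byte string written to a temporary file, and a single byte is then changed to show what a mismatch report looks like.

```python
"""Verify a forensic image against its acquisition-time hashes (added example)."""
import hashlib
import os
import tempfile

ALGOS = ("md5", "sha1", "sha256")


def hash_file(path: str, algos=ALGOS, chunk: int = 1 << 20) -> dict:
    """Compute several digests in one pass over the file, 1 MiB at a time."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify(path: str, recorded: dict):
    """Compare computed digests with the recorded ones.

    Returns (ok, report); ok is True only if every recorded algorithm matches.
    The report keeps both values so a mismatch can be documented verbatim.
    """
    computed = hash_file(path, recorded.keys())
    report = {
        a: {"recorded": recorded[a], "computed": computed[a],
            "match": recorded[a] == computed[a]}
        for a in recorded
    }
    return all(r["match"] for r in report.values()), report


def demo():
    """Acquire, verify, corrupt one byte, verify again."""
    img = os.path.join(tempfile.mkdtemp(), "evidence.dd")
    data = bytes(range(256)) * 16                 # constructed 4 KiB "image"
    with open(img, "wb") as f:
        f.write(data)
    acquisition_hashes = hash_file(img)           # what the acquisition log would record
    ok_before, _ = verify(img, acquisition_hashes)
    # Simulate a single changed byte (bad copy, media error, or tampering).
    with open(img, "r+b") as f:
        f.seek(1000)
        f.write(b"\xff")
    ok_after, report = verify(img, acquisition_hashes)
    return ok_before, ok_after, report


if __name__ == "__main__":
    before, after, rep = demo()
    print("verified at acquisition:", before)
    print("verified after change:  ", after)
    for algo, r in rep.items():
        print(f"{algo:7} recorded={r['recorded']}\n        computed={r['computed']}  match={r['match']}")
```

One flipped byte out of 4096 changes every digest, which is exactly why a mismatch cannot be explained away as "close enough": the image must be re-acquired, or the mismatch documented with the findings qualified.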

    Forensics Verification (Continued)

    • Many forensics tools directly support verification.
    • For example, AccessData FTK Imager provides additional hashing options when the Expert Witness (.E01) or SMART (.S01) format is selected.
    • It inserts a report into the .E01 or .S01 file listing the MD5 and SHA-1 hash values.
    • Autopsy has a similar feature, the E01 Verifier ingest module, for verifying Expert Witness image files.
    • If a forensics tool lacks verification support, a hex editor (e.g., WinHex) can compute the hash values for the comparison.

    Description

    Explore the crucial phase of data analysis and verification in digital forensics. This quiz covers the processes of timeline analysis, data aggregation, and the importance of forensic software in investigations. Test your knowledge on how different types of investigations affect data analysis and investigation plans.
