Digital Forensics Tools


Questions and Answers

What inherent challenge exists when relying solely on signature-based detection within the National Software Reference Library (NSRL) for identifying malicious software?

  • The NSRL's RDS is limited to file profiles of operating systems, and therefore lacks the scope to identify malicious application software.
  • The NSRL exclusively focuses on known, traceable software applications, and therefore cannot detect unknown or zero-day malware. (correct)
  • Signature-based detection in the NSRL cannot identify polymorphic malware that constantly changes its signature to evade detection.
  • The NSRL primarily catalogs signatures of illicit data, such as child abuse images, making it ineffective against executable threats.

An investigator is tasked with imaging a suspect drive and maintaining multi-tool compatibility. Which file format would be most suitable for this purpose?

  • .img
  • .aff
  • .dd (correct)
  • .e01

Which of the following requirements outlined in ISO 27037 directly supports the validation of digital evidence integrity throughout its lifecycle?

  • Repeatable
  • Reproducible
  • Auditable (correct)
  • Justifiability

During a live acquisition on a Linux system, which command-line tool would be most effective for creating a bit-by-bit copy of the RAM?

  • dd (correct)

What inherent risk is introduced when using a software-enabled write blocker in a Windows Command Line Interface (CLI) environment?

  • Software-enabled write blockers cannot prevent data alteration by privileged system processes. (correct)

Which of the following scenarios would necessitate carving based on cluster analysis over sector or byte analysis?

  • Recovering fragmented files that span multiple non-contiguous areas on the disk. (correct)

In the context of digital forensics, what is the key distinction between 'validation' and 'verification' when evaluating the reliability of acquired data?

  • Validation confirms a tool functions as expected, while verification confirms that two sets of data are identical. (correct)

Why is the 'Justifiability' principle in digital forensics important when selecting tools and methodologies, particularly in the context of legal proceedings?

  • It demonstrates that the tools and methods chosen are appropriate and scientifically sound for the task at hand. (correct)

In conducting a digital forensic investigation, which sub-function of the 'Acquisition' phase is most crucial for preserving the temporal context of digital artifacts?

  • Remote, live, and memory acquisitions (correct)

A key feature of vendor acquisition tools is creating smaller segmented files. Why is this important in digital investigations?

  • To reduce the potential for data corruption during transfer and storage. (correct)

When using a hex editor during digital forensics, what is the primary advantage of analyzing the hexadecimal area of a file over the character area?

  • The hexadecimal area presents the raw binary data, allowing examination of non-printable characters and structural metadata. (correct)

Which of the following is the most critical consideration when selecting a forensic workstation for mobile device examination, given the potential for hardware and software incompatibility?

  • Ensuring compatibility of connector types and protocol support for various mobile devices. (correct)

In the context of Linux forensics, which of the following commands from The Sleuth Kit (TSK) is most appropriate for identifying the timestamps associated with a recently deleted file?

  • fls (correct)

What are the critical distinguishing features between Helix3 and Kali Linux forensic suites that would influence an investigator's choice for a specific investigation?

  • Helix3 offers a simplified interface for novice users, while Kali Linux provides advanced penetration testing tools. (correct)

In the realm of digital forensics, how does performing a 'partial acquisition' affect the integrity and completeness of potential evidence, and what considerations must be taken into account?

  • Partial acquisition may miss crucial artifacts, requiring a strong justification and documentation of the limitations. (correct)

When planning a digital forensics investigation, what would be the determining factor in selecting a hardware versus a software write blocker?

  • Hardware write blockers are applicable when using GUI forensic tools, and software write blockers are better suited to the command line. (correct)

What is the most relevant implication of using volatile memory in modern computing systems from a digital forensic investigator's perspective?

  • Data stored in volatile memory requires specialized tools and techniques for acquisition due to its temporary nature, necessitating immediate analysis upon discovery. (correct)

Under what circumstance would you choose to run multiple forensics software tools?

  • When retrieving and examining data. (correct)

In the context of digital forensics, how would using disk editors in investigations affect the integrity of digital evidence?

  • Disk editors can alter data. (correct)

Which statement accurately reflects the role of the National Institute of Standards and Technology (NIST) in the context of forensic software validation and testing?

  • NIST publishes articles, provides tools, and creates procedures in order to test and validate forensics software. (correct)

What is a challenge that is present for a digital tool to be considered forensically sound for admission in court?

  • The tool must not alter the original data. (correct)

An investigator needs to examine a suspect drive, but cannot connect to it. What type of acquisition needs to occur?

  • Local acquisition (correct)

What is an advantage of using suites for digital forensics?

  • Suites have simplified training for beginning examiners. (correct)

You are tasked with creating a forensic workstation for software review and analysis, and have no budget constraints. Which recommendations will you implement?

  • Choose a full-tower workstation with as much memory and processor power as possible, along with diverse drive adapter bridges. (correct)

Why is memory acquisition crucial, even if the data has been removed?

  • Because there is a possibility that data remains in memory even if it is no longer on the hard disk. (correct)

Which of the following practices is MOST important when upgrading forensic tools?

  • Always run a validation test. (correct)

What is the purpose of the swap file?

  • It allows the operating system to use disk space as virtual memory. (correct)

What are the three sub-functions of reporting?

  • Bookmarking or tagging, log reports, and report generator. (correct)

Following ISO 5725, what is the requirement for testing of findings in court?

  • Findings must be repeatable and reproducible. (correct)

As a digital forensic investigator, you are using EnCase to perform keyword searches within a disk image. However, the tool fails to identify occurrences of the keyword 'steganography,' which you suspect is present. What is the MOST likely reason for this discrepancy?

  • The keyword is located within an area of the disk image that has not been indexed. (correct)

Which of the following reflects the most appropriate actions for a digital forensics examiner upon discovering a potential problem or anomaly with a chosen forensics tool during validation testing?

  • Report it to the forensics tool vendor and do not use the tool until the problem has been fixed. (correct)

When performing data extraction, you are faced with the choice of performing a password dictionary attack or a brute-force attack. Which of the options best describes your choice?

  • A password dictionary attack should come before a brute-force attack, since dictionary attacks are quicker. (correct)

As a digital forensic investigator, you're tasked with acquiring data from a severely damaged hard drive. Which acquisition subfunction provides the best approach in this situation?

  • Physical data copy (correct)

Which is a disadvantage of using GUI forensic tools over command-line tools?

  • Examiners who rely on them may develop less computing expertise. (correct)

What is most likely to cause you to choose a 'disk-to-image' copy over a 'disk-to-disk' copy?

  • Disk-to-image allows for quick re-imaging. (correct)

Why is it important to use validated digital tools during a forensics investigation?

  • To ensure evidence is acceptable in court. (correct)

In the context of digital forensics, what potential risk is introduced when the forensic examiner uses the suspect's own computer for demonstration of findings in court?

  • The suspect's computer may contain malware or be configured in a way that alters the displayed evidence. (correct)

Flashcards

Hardware forensic tools

Range from single-purpose components to complete computer systems and servers.

Software forensic tools

Software used to copy data from a suspect's disk drive to an image file; includes command-line and GUI applications.

Validated tools

Digital Evidence First Responders (DEFRs) should use validated tools (ISO standard 27037).

Requirements for Digital Evidence

Auditable, repeatable, reproducible, and justifiable.

Acquisition

Making a copy of the original drive.

Acquisition subfunctions

Physical data copy, logical data copy, and data acquisition format.

Hex editors

Used to examine or modify the physical structure of a binary file.

Hex editor areas

Address, character, and hexadecimal areas.

Validation

Confirming a tool is functioning as intended.

Verification

Proving two data sets are identical using hash values or a similar method.

Hashing algorithms

CRC-32, MD5, SHA-1 (CRC-32 is a checksum rather than a cryptographic hash).

Filtering

Analyzing/verifying header values to discriminate files by type.

Extraction

Recovery task in a digital investigation; recovering data is the first step in analysis.

Keyword search

An extraction subfunction that speeds up analysis for investigators.

Password cracking techniques

Password dictionary or brute-force attacks.

Reconstruction methods

Disk-to-disk, partition-to-partition, image-to-disk, and image-to-partition copy, plus rebuilding files from data runs and carving.

File carving

Cluster-, sector-, or byte-based carving.

Disk-to-image copy tools

Linux dd command or Voom Technologies Shadow Drive.

Voom Technologies Shadow Drive

Lets an investigator boot and operate a suspect hard drive without writing to it, so it can be analyzed without re-imaging.

ProDiscover Forensics

Multi-tool compatibility: reads and writes images in the pervasive UNIX .dd format.

Reporting

Sub-functions include bookmarking or tagging, log reports, and report generators.

Report considerations

Flexibility, reliability, and future expandability.

Early forensic tools

The first tools for analyzing data from disks were MS-DOS tools for IBM PC file systems.

Command-line forensics

Requires few system resources; current programs are more powerful, with more capabilities.

UNIX

UNIX has largely been replaced by Linux, but you might still encounter systems running UNIX.

SMART

Runs on Linux and can analyze a variety of file systems, with plug-in utilities, a hex viewer, and reporting.

Helix 3

Loads as a bootable Linux OS from a cold boot of a Windows system; some courts reject live acquisitions.

Kali Linux

Includes Autopsy, Sleuth Kit, ophcrack, and MemFetch.

Autopsy and Sleuth Kit

Analyze volume and file system data through a graphical (browser-style) interface; examine raw (dd), Expert Witness (EnCase), and AFF images.

fsstat

Shows details of a file system (TSK).

istat

Shows details of a metadata structure (TSK).

fls command

Lists file and directory names in a disk image; output can be customized with flags.

GUI forensic tools

Simplify investigations and training.

Volatility Workbench

A graphical user interface (GUI) for the Volatility memory-analysis tool, used to extract artefacts from memory dumps.

Forensic workstation types

Stationary, portable, lightweight.

Workstation recommendations

Full tower, memory and processor power, different-sized hard drives, 400-watt power supply, external FireWire and USB ports, and an assortment of drive adapter bridges.

Forensic toolkit considerations

Expected investigations, OS needs, background/training, budget, and status (law enforcement or private organization).

Volatile memory

Memory that requires power to retain its contents; RAM provides large quantities of temporary storage.

Volatile evidence

Application data stored in RAM is lost when the system is powered down, but data can remain in RAM after it has been removed from the hard disk.

Write-blockers

Write-blockers prevent data writes to a hard disk.

Study Notes

Current Digital Forensics Tools

  • Digital forensics tools are essential for cyber forensics.

Objectives

  • Understand how to evaluate the needs for digital forensics tools
  • Learn to describe available digital forensics software
  • Discover considerations for digital forensics hardware
  • Study methods for validating and testing forensics tools

Types of Digital Forensics Tools

  • Hardware forensic tools range from single-purpose components to complete computer systems and servers.
  • Software forensic tools commonly copy data from a suspect's disk drive to an image file.
  • Software forensic tools include command-line applications and GUI applications.
  • Examples of software: PassMark Software OSForensics, X-Ways Forensics, Guidance Software EnCase, Magnet Forensics AXIOM, AccessData FTK.

Tasks Performed by Digital Forensics Tools

  • ISO standard 27037 states that Digital Evidence First Responders (DEFRs) should use validated tools.
  • Five major categories of task: acquisition, validation and verification, extraction, reconstruction, and reporting.

Requirements for Identification, Collection, Acquisition, and Preservation of Digital Evidence (ISO 27037)

  • Requirements are auditable, repeatable, reproducible, and justifiable.
  • The standard also covers partial acquisition: when only part of a data set is acquired, the limitations must be justified and documented, because crucial artifacts may be missed.

Acquisition

  • Acquisition involves making a copy of the original drive
  • Acquisition subfunctions: physical data copy, logical data copy, data acquisition format, command-line acquisition, GUI acquisition, remote, live, and memory acquisitions.

Hex Editors

  • Hex editors like WinHex and HexWorkshop examine or modify the physical structure of a binary file.
  • Hex editors have three areas, which are the address area, character area, and hexadecimal area.
  • Hex editors can view stored or deleted data, provide file and disk editor displays, and view specific parts of a disk.
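The three areas described above (address, hexadecimal, character) are easy to reproduce, and doing so shows why the hexadecimal area matters: non-printable bytes and structural metadata are only visible there. The following Python example was added for this page and is not code from any of the tools named; it renders a buffer the way a hex editor does and then runs a raw keyword search over the same bytes in more than one encoding, which is one reason a keyword an examiner expects to find can be missed by a search that only looks for ASCII. The sample bytes are constructed for the demonstration.

```python
import string

# Bytes a hex editor shows verbatim in the character area; everything else becomes "."
# (tabs and line breaks are excluded so the output stays on one line per row).
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")


def hexdump(data, width=16, base=0):
    """Render `data` in the three hex-editor areas: address, hexadecimal, and character."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_area = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        char_area = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        lines.append(f"{base + off:08x}  {hex_area}  |{char_area}|")
    return lines


def keyword_offsets(data, keyword, encodings=("ascii", "utf-16-le")):
    """Return (encoding, offset) for every raw occurrence of `keyword` in each encoding.

    Windows artefacts (registry values, LNK files, some documents) store text as
    UTF-16-LE, so an ASCII-only search silently misses them.
    """
    hits = []
    for enc in encodings:
        needle = keyword.encode(enc)
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx < 0:
                break
            hits.append((enc, idx))
            start = idx + 1
    return sorted(hits, key=lambda hit: hit[1])


# Constructed sample: the same word once as ASCII and once as UTF-16-LE, separated by NUL padding.
SAMPLE = (
    b"\x00" * 4
    + b"notes: steganography tool\x00"
    + b"\x00" * 6
    + "steganography".encode("utf-16-le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE)))
    print(keyword_offsets(SAMPLE, "steganography"))
```

In the character area the UTF-16 copy appears as `s.t.e.g.a.n.o.g.r.a.p.h.y.`, which is the visual cue that tells an examiner to repeat the search with a wide-character encoding.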

Acquisition in Vendor tools

  • Creating smaller segmented files is a typical feature in vendor acquisition tools

Validation

  • Validation can confirm that a tool is functioning as intended

Verification

  • Verification can prove that two sets of data are identical by calculating hash values or using another similar method.
  • Examples of hash algorithms: CRC-32, MD5, SHA-1 (Secure Hash Algorithm). CRC-32 is a checksum rather than a cryptographic hash, and collisions can be constructed for both MD5 and SHA-1, so record a stronger digest such as SHA-256 alongside them (ProDiscover, for example, records MD5, SHA-1, and SHA-256).
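The acquisition, segmented-file and verification points above fit together in one procedure: read the suspect medium once, hash the stream as it is read, write the image in fixed-size segments, and later re-hash the segments to prove the copy still matches. The Python example below was added for this page and is not the code of dd, ProDiscover or any other tool named here; it stands in a deterministic byte pattern for the suspect drive, and the block size, segment size and segment naming (`.001`, `.002`, ...) are choices made for the demonstration. It also flips one byte in a segment afterwards to show that verification fails on a corrupted image.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 512  # read the "device" in sector-sized blocks, as dd does by default


def make_sample_device(path, size=5000):
    """Write a constructed, deterministic byte pattern that stands in for a suspect drive."""
    data = bytes((i * 7 + 3) & 0xFF for i in range(size))
    with open(path, "wb") as fh:
        fh.write(data)
    return data


def _write_segment(prefix, number, payload):
    path = f"{prefix}.{number:03d}"
    with open(path, "wb") as fh:
        fh.write(payload)
    return path


def acquire(source, out_prefix, segment_size=2048):
    """Bit-for-bit copy of `source` into <out_prefix>.001, .002, ... while hashing the stream.

    Hashing the bytes as they are read, rather than re-reading the source afterwards,
    means the original medium is touched exactly once.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    segments, pending, total = [], bytearray(), 0
    with open(source, "rb") as src:
        while True:
            block = src.read(BLOCK_SIZE)
            if not block:
                break
            total += len(block)
            md5.update(block)
            sha256.update(block)
            pending += block
            while len(pending) >= segment_size:
                segments.append(_write_segment(out_prefix, len(segments) + 1, pending[:segment_size]))
                del pending[:segment_size]
    if pending:  # final, shorter segment
        segments.append(_write_segment(out_prefix, len(segments) + 1, pending))
    return {"segments": segments, "bytes": total, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify(segments, expected_sha256):
    """Re-hash the segment files in order and compare with the hash taken at acquisition."""
    sha256 = hashlib.sha256()
    for path in segments:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(BLOCK_SIZE), b""):
                sha256.update(chunk)
    digest = sha256.hexdigest()
    return digest == expected_sha256, digest


def run_demo():
    """Acquire a constructed device, verify the image, then show that a one-byte change is detected."""
    with tempfile.TemporaryDirectory() as work:
        device = os.path.join(work, "suspect.bin")
        make_sample_device(device)
        result = acquire(device, os.path.join(work, "suspect.img"))
        ok, rehash = verify(result["segments"], result["sha256"])
        # Simulate corruption in transfer or storage: flip one bit in the last segment.
        last = result["segments"][-1]
        with open(last, "r+b") as fh:
            first = fh.read(1)
            fh.seek(0)
            fh.write(bytes([first[0] ^ 0x01]))
        tampered_ok, _ = verify(result["segments"], result["sha256"])
        return {
            "segment_count": len(result["segments"]),
            "bytes": result["bytes"],
            "verified": ok,
            "rehash_matches": rehash == result["sha256"],
            "tampered_verified": tampered_ok,
        }


if __name__ == "__main__":
    print(run_demo())
```

Segmenting is done on the acquisition side so each piece can be hashed and stored independently; verification still hashes the segments as one continuous stream, which is the value that must match the acquisition-time digest recorded in the case notes.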

Filtering

  • Filtering involves analyzing and verifying header values to discriminate files based on their types.

Extraction

  • Extraction is a recovery task in a digital investigation and is considered the most challenging.
  • Recovering data is the first step when analyzing an investigation's data.
  • Extraction subfunctions include keyword search, which speeds up analysis for investigators.

Extraction cont'd

  • Many password recovery tools have a built-in feature for generating potential password lists.
  • Password recovery can involve a password dictionary attack or a brute-force attack.

Reconstruction

  • Reconstruction methods: disk-to-disk copy, partition-to-partition copy, image-to-disk copy, image-to-partition copy.
  • Reconstruction includes rebuilding files from data runs and carving.

Reconstruction copy tool

  • Examples of disk-to-image copy tools: the Linux dd command, ProDiscover, and Voom Technologies Shadow Drive.

Rebuilding files

  • Rebuilding files from data runs and carving includes: cluster based carving, sector based carving and byte based carving.
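Filtering (classifying a file by its header bytes) and signature carving (finding header/footer pairs in unallocated space) rely on the same idea, and the difference between byte-based and sector-based carving is just where the carver is allowed to look for a header. The Python example below was added for this page and is not the implementation of any tool named on it. It carves a constructed raw image containing a minimal JPEG placed at a non-sector-aligned offset and a minimal PNG placed on a sector boundary; the signature table, the 512-byte sector size and the two fake files are all choices made for the demonstration. Cluster-based carving needs file-system metadata and is not shown.

```python
import struct
import zlib

# Header/footer signatures for carving (a constructed subset; real carvers ship many more).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),  # IEND chunk name + its fixed CRC
}
SECTOR = 512


def identify(blob):
    """Filtering: classify a blob by its header bytes alone, ignoring any name or extension."""
    for kind, (header, _footer) in SIGNATURES.items():
        if blob.startswith(header):
            return kind
    return "unknown"


def carve(image, mode="byte"):
    """Recover files from `image` by header/footer signatures.

    mode="byte"   tests every byte offset (slow; finds files anywhere)
    mode="sector" tests only sector boundaries (fast; misses unaligned files)
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            if mode == "sector" and start % SECTOR != 0:
                pos = start + 1
                continue
            end = image.find(footer, start + len(header))
            if end < 0:
                break
            end += len(footer)
            found.append({"type": kind, "offset": start, "length": end - start, "data": image[start:end]})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def fake_jpeg():
    """Constructed stand-in: SOI + APP0 marker, a little padding, EOI."""
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 10 + b"\xff\xd9"


def fake_png():
    """Constructed 1x1 PNG with correct chunk lengths and CRCs, so the IEND footer is genuine."""
    def chunk(tag, body):
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit greyscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def build_sample_image():
    """Constructed 'disk image': zero filler, an unaligned JPEG at 612, a sector-aligned PNG at 1536."""
    jpeg, png = fake_jpeg(), fake_png()
    image = bytearray(b"\x00" * 612)
    image += jpeg
    image += b"\x00" * (1536 - len(image))
    image += png
    image += b"\x00" * (2048 - len(image))
    return bytes(image), jpeg, png


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for mode in ("byte", "sector"):
        print(mode, [(f["type"], f["offset"], f["length"]) for f in carve(image, mode)])
```

Sector-based carving recovers only the PNG because the JPEG header sits 100 bytes into a sector; byte-based carving recovers both. Fragmented files, where the footer is not contiguous with the header, are the case that neither mode handles and that motivates cluster-based carving with file-system knowledge.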

ProDiscover Forensics

  • ProDiscover Forensics can preview and image disks and preview and search suspect files to find evidence quickly without altering data or metadata.
  • ProDiscover Forensics automatically creates and records MD5, SHA1, and SHA256 hashes of evidence files.
  • ProDiscover creates bit-stream copies of suspect disks, including hidden Host Protected Area (HPA) sections, to keep original evidence safe.
  • ProDiscover maintains multi-tool compatibility by reading and writing images in the pervasive UNIX .dd format.

Voom Technologies Shadow Drive

  • Voom Technologies Shadow Drive lets an investigator boot and operate a suspect HDD without writing to it, and resets in seconds instead of requiring a fresh image from the forensics lab.
  • Voom can present evidence in a form comprehensible to lay persons on the suspect's own computer in the courtroom; the risk, noted in the quiz above, is that the suspect's machine may contain malware or be configured to alter what is displayed.

Reporting

  • Sub-functions of reporting are bookmarking or tagging, log reports, and report generator.
  • Other considerations for reporting include flexibility, reliability, and future expandability.

Tool Comparison

  • Tool comparisons for forensics tool functions such as Acquisition, Validation and verification, Extraction, Reporting.

Command-line Forensics Tools

  • The first tools that analyzed and extracted data from floppy disks and hard disks were MS-DOS tools for IBM PC file systems.
  • Norton DiskEdit is one of the first MS-DOS tools used for computer investigations.
  • Command-line tools require few system resources and are designed to run in minimal configurations.
  • Current programs are more powerful and capable.

Linux Forensics Tools

  • UNIX has been mostly replaced by Linux, but you might still encounter systems running UNIX.
  • Linux platforms are becoming more popular with home and business end users.

SMART

  • SMART is designed to be installed on Linux and can analyze a variety of file systems.
  • SMART has many plug-in utilities and a hex viewer with reporting features.

Helix 3

  • Helix 3 is a suite that can be used with either Linux or Windows.
  • Helix 3 loads as a bootable Linux OS from a cold boot, or runs live on a Windows system.
  • Some international courts have not accepted live acquisitions as a valid forensics practice.

Kali Linux

  • Kali Linux (formerly BackTrack) includes a variety of tools with an easy-to-use desktop interface.
  • Kali Linux includes tools such as Autopsy and Sleuth Kit, ophcrack, dcfldd, MemFetch, and MBoxGrep.

Autopsy and SleuthKit

  • The Sleuth Kit (TSK) is a library and collection of command-line forensics tools; it runs on Linux and other platforms.
  • Autopsy is the graphical front end (a browser interface in older versions) used to access Sleuth Kit's tools to analyze volume and file system data.
  • The volume system tools examine the layout of disks (partition tables).
  • TSK analyzes raw (dd), Expert Witness (EnCase) and AFF images.
  • Supported file systems include FAT, NTFS, ext2, ext3, ext4, HFS, and others.

fsstat

  • fsstat shows general details of a file system in TSK. Options:
  • -t: print the file system type only.
  • -f fstype: specify the file system type; '-f list' lists the supported types. If not given, autodetection is used.
  • -i imgtype: identify the type of image file, such as raw.
  • -o imgoffset: sector offset where the file system starts in the image.
  • -b dev_sector_size: size, in bytes, of the underlying device sectors.
  • -v: verbose output of debugging statements to stderr.
  • -V: display version.
  • Example: fsstat -i raw image.dd

istat

  • istat shows details of a metadata structure (an inode or MFT entry). Options:
  • -B num: display the addresses of num disk units; useful when the inode is unallocated with size 0 but still has block pointers.
  • -s seconds: the time skew of the original system, in seconds.

fls

  • fls lists file and directory names. Options:
  • -a: display the "." and ".." directory entries (not shown by default).
  • -d: display deleted entries only.
  • -D: display directory entries only.
  • -F: display file (all non-directory) entries only.
  • -l: display file details in long format, including timestamps.
  • -m mnt: display files in time machine (body) format so that a timeline can be created with mactime(1).
  • -p: display the full path for each entry.
  • -r: recursively display directories.
  • Example: fls -i raw image.dd

img_stat

  • img_stat displays details of an image file. Options:
  • -i imgtype: identify the type of image file, such as raw; '-i list' lists the supported types. If not given, autodetection is used.
  • -b dev_sector_size: size, in bytes, of the underlying device sectors. If not given, the value in the image format is used (if it exists) or 512 bytes is assumed.
  • -t: print the image type only.
  • -v: verbose output of debugging statements to stderr.
  • -V: display version.
  • image [images]: the disk or partition image(s) to read, whose format is given with '-i'.
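The fls -m output mentioned above is TSK's "body" format, one pipe-separated record per file (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime), which mactime turns into a timeline. The Python example below was added for this page and is not part of TSK; it performs the same collapse so the mechanics are visible: each record contributes up to four events, events at the same time for the same file are merged, and the flags show which of modified (m), accessed (a), changed (c) and born/created (b) fired. The two body lines are constructed, not taken from a real image; the "(deleted)" suffix is how fls marks an unallocated entry, which is what makes this the quickest way to see the timestamps of a recently deleted file.

```python
from datetime import datetime, timezone

BODY_FIELDS = ["md5", "name", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime"]
FLAG = {"mtime": "m", "atime": "a", "ctime": "c", "crtime": "b"}  # mactime-style MACB letters

# Constructed fls -m style records (NTFS-like "entry-type-id" inode addresses, epoch timestamps).
SAMPLE_BODY = [
    "0|/docs/report.docx|1234-128-4|r/rrwxrwxrwx|0|0|20480|1700000400|1700000300|1700000300|1700000000",
    "0|/docs/plan.txt (deleted)|1240-128-1|r/rrwxrwxrwx|0|0|512|1700001000|1700000900|1700001200|1700000500",
]


def parse_body_line(line):
    """Split one body-format record into a dict; integer fields are converted, deleted entries flagged."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(BODY_FIELDS):
        raise ValueError(f"expected {len(BODY_FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(BODY_FIELDS, parts))
    for key in ("size", "atime", "mtime", "ctime", "crtime"):
        rec[key] = int(rec[key])
    rec["deleted"] = rec["name"].endswith("(deleted)")
    return rec


def build_timeline(lines):
    """Collapse each record's four timestamps into time-ordered events with MACB flags, like mactime."""
    events = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_body_line(line)
        for key, letter in FLAG.items():
            ts = rec[key]
            if ts == 0:  # unset timestamp (e.g. no crtime on ext2/3)
                continue
            ev = events.setdefault((ts, rec["name"]), {
                "time": ts, "name": rec["name"], "inode": rec["inode"],
                "size": rec["size"], "deleted": rec["deleted"], "flags": set(),
            })
            ev["flags"].add(letter)
    timeline = []
    for key in sorted(events):
        ev = events[key]
        macb = "".join(l if l in ev["flags"] else "." for l in "macb")
        when = datetime.fromtimestamp(ev["time"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        timeline.append({**ev, "flags": macb, "when": when})
    return timeline


if __name__ == "__main__":
    for ev in build_timeline(SAMPLE_BODY):
        mark = " (deleted)" if ev["deleted"] else ""
        print(f'{ev["when"]} {ev["flags"]} {ev["size"]:>8} {ev["inode"]:<12} {ev["name"]}{mark}')
```

Reading the result the way an examiner would: report.docx shows "m.c." at one instant because its content and metadata were written together, while plan.txt's ctime (the last event) postdates its other timestamps, consistent with the metadata change that accompanied its deletion.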

Other GUI Forensics Tools

  • GUI forensics tools can simplify digital forensics investigations and have simplified training for beginning examiners
  • Most of them are put together as suites of tools with corresponding advantages and disadvantages

Volatility Workbench

  • Volatility Workbench is a graphical user interface (GUI) for the Volatility tool.
  • Volatility is a command-line memory analysis and forensics framework for extracting artefacts from memory dumps.

Forensics Workstations

  • Forensics workstations can be divided into stationary workstation, portable workstation and lightweight workstation categories.

Recommendations for a Forensic Workstation

  • Recommendations when choosing a stationary or lightweight workstation: full tower, memory and processor power (based on budget), different hard drive sizes, 400-watt or better power supply with battery backup, external FireWire and USB 2.0 ports, and assortment of drive adapter bridges.

Your Forensic Toolkit

  • To prepare for expected investigations, determine whether results will be presented in a court of law or used only for internal reporting and auditing.
  • Consider operating system needs and preferences, your background and training, and the budget, which depends on status (law enforcement or private organization).

Volatile Memory

  • Volatile memory is also known as volatile storage. It requires power to maintain stored information.
  • Most forms of modern Random Access Memory (RAM) are volatile memory.
  • RAM provides temporary storage in a computer system.

Volatile Evidence

  • When an application is running, its data is stored in RAM.
  • This data is lost when the system is powered down.
  • Evidence can be present in RAM even after it has been removed from the hard disk.
  • The dd command can also copy RAM (for example from /dev/mem) on older Linux systems; modern kernels restrict direct access to physical memory, so a dedicated acquisition tool, typically a kernel module, is normally used instead.

Swap file

  • A swap file extends computer's real memory (RAM).
  • Modern computers virtualize their memory - which means memory pages are temporarily swapped out to disk.

Volatile Evidence Features

  • Features to look for in a memory acquisition tool: full Android memory acquisition, acquisition over a network interface, and a hash of the dumped memory (this list matches the advertised features of the LiME kernel module for Linux).

Using a Write-Blocker

  • A write-blocker prevents data writes to a suspect drive; both software and hardware write-blockers exist.
  • Software-enabled blockers typically run in a shell mode (Windows CLI), such as PDBlock from Digital Intelligence.
  • Hardware options are ideal for GUI forensic tools and act as a bridge between the suspect drive and the forensic workstation.

Write Blocker cont'd

  • With a blocker in place you can open the blocked drive with any application; the OS receives a copy of whatever an application writes, but the data is discarded and never reaches the drive.
  • Connecting technologies: FireWire, USB 2.0 and 3.0, SATA, PATA, and SCSI controllers.

Validating and Testing Forensic Software

  • Validating and testing ensure that evidence is admissible in court.
  • Testing and validation prevent damage to the evidence.
  • NIST publishes articles, provides tools, and creates procedures for testing and validating forensics software (its Computer Forensics Tool Testing, CFTT, program).

Using National Institute of Standards and Technology Tools

  • A lab must establish categories for digital forensics tools, identify forensics category requirements, develop test assertions and test cases, establish a test method, and report test results.
  • ISO 5725 states that results must be repeatable and reproducible.

Using Validation Protocols

  • It is recommended to verify results by performing the same tasks with another, similar forensics tool, such as a disk editor.
  • Two tools should be used: one for retrieving and examining data, and one for verification.

Digital Forensics Examination Protocol

  • Conduct an investigation of the digital evidence with a GUI tool and the same investigation with a disk editor is needed.
  • Obtain the hash values and verify the tool is seeing the same digital evidence in the same places on the suspect drive's image.

Summary

  • A digital forensics tool upgrade protocol requires testing for new releases and OS patches/upgrades.
  • Problems found while setting up a protocol need to be reported to the forensics tool vendor and addressed before the tool is used.
  • Use a test hard disk for validation purposes.
  • Check the web for new editions, updates, patches, and validation tests for your tools.

Summary of Forensics Tools

  • Computer forensics tools are either software or hardware; forensics software includes command-line and GUI tools.
  • Forensics hardware includes customized equipment, commercial options, workstations, and write-blockers.
  • GUI tools generally need more computing resources than command-line tools, which are designed to run in minimal configurations.
  • Always run a validation test when upgrading forensic tools.
