Forensics Tools Overview

Questions and Answers

What are forensics tools primarily categorized into?

Physical and Virtual tools

Remote and Local tools

Hardware-based and Software-based tools (correct)

User-based and Server-based tools

What is the main function of host-based forensics tools?

To analyze network traffic

To encrypt sensitive data

To gather and analyze log data generated by applications and operating systems (correct)

To restore deleted files

Why is network data often the only evidence left in successful attacks?

Network traffic is less susceptible to attack

Because host systems are always backed up

Log files are always easily accessible

The attacker may manipulate a host so that it fails to log useful information (correct)

What are hardware-based forensics tools meant to do?

Prevent data loss during analysis

What is required during incident response regarding traffic capturing?

A full capture of suspicious traffic with provisions for on-demand capturing

What does it mean when it is stated that host systems can represent a target in a network attack?

They may be a point of entry for attackers into the network.

What limitation do host-based forensics tools encounter?

They can only log data up to what was designed into the system.

What is a primary reason for utilizing network forensics tools?

To gain evidence that might be the only record after an attack

What type of encryption is used for communication in EnCase?

Public-key encryption

Which capability is NOT associated with the EnCase forensic tool?

Identify steganography

What is the default output format for the WinPmem tool?

AFF4 file format

Which function is performed by the Forensic Toolkit (FTK)?

Scan slack space for file fragments

What will happen when the 'Capture!' button is clicked in Ram Capturer?

A memory image will be saved

How does EnCase handle the acquisition of files or drives?

Captures selected files or full drives

Which of the following best describes the primary function of WinPmem?

Memory acquisition from running systems

What type of evidence can be collected from network devices like switches and routers?

Access logs and configuration changes

What is the primary purpose of the Argus monitor in the operations, performance, and security management package?

To capture and combine packets into flow records

Which of the following is NOT a feature of Wireshark?

Command line interface only

What is a major drawback of using WinPcap for network forensics?

It needs to be installed on the system

When using tcpdump, what is an important prerequisite for performing a packet capture?

Having administrative privileges

What is a unique feature of RawCap compared to other packet capturing tools?

It can be run without installation on the system

Why is packet capturing considered critical in network forensics?

It provides insight into potential C2 IP address traffic

Which of the following tools is included as part of the Wireshark package?

dumpcap

What information does the sample output from ratop primarily display?

Flow records of captured packets

What command is used to view a list of options and interfaces for RawCap.exe?

D:>RawCap.exe -help

How can a packet capture be initiated on a wireless interface using RawCap?

D:>RawCap.exe 5 RawCap.pcap

What is the function of mergecap in the context of Wireshark?

To combine multiple capture files into one

What is the correct way to stop a packet capture in Wireshark?

Click the red box in the upper-left corner

Which command allows you to save a combined packet capture file using mergecap?

dfir@ubuntu:~$mergecap -w combined.pcap file1.pcap file2.pcap

What command is used to display the basic help menu for tcpdump?

tcpdump -h

Which command can be used to capture packets with normal verbosity on ens33?

sudo tcpdump -i ens33 -v

What does the command 'sudo tcpdump -i ens33 -vvv -w ping_capture' achieve?

Saves captured packets to a file named ping_capture

How can tcpdump be configured to capture packets from a specific source IP address?

sudo tcpdump -i ens33 src host 192.168.10.54

What is the primary purpose of saving tcpdump output to a file?

To analyze the captured packets with tools like Wireshark

What will happen if you do not specify an output file while using tcpdump?

Captured packet data will be displayed on the screen

Which command captures packets destined for a specific host address?

sudo tcpdump -i ens33 dst 162.4.5.23

What is the expected result when using the command 'Ctrl + C' during a tcpdump capture?

To stop the capture process

Study Notes

Introduction to Forensics Tools

• Forensics tools can be hardware or software-based.
• Hardware tools include write blockers and hard drive duplicators.
• Software tools are categorized as host-based and network-based.
• Host tools gather and analyze logs generated by applications and operating systems.
• It's difficult to increase the amount of logging beyond the system's design.
• Network tools are crucial when attacks manipulate host systems to prevent logging or log false information.
• Network forensics requires efficient and lawful logging methods, and tools for on-demand capturing.

Overview of Host-based Evidence

• Host systems can be initial targets or pivots for further attacks.
• Investigators examine these systems for evidence.

Host-based Forensics Tools

• EnCase:

  • Uses a client-server architecture with agents for Windows, Mac, and Linux.
  • Communication is encrypted using public-key cryptography.
  • Capabilities include:
    • Quick system snapshots.
    • Write blocking.
    • Full memory acquisition (can be analyzed with tools like Mandiant Redline or Volatility).
    • Hard drive previews.
    • Full or selective drive capture.
    • Creation of Evidence Files (E01), mountable as drives.
    • Searching across multiple clients and keyword searches.
    • Locating hidden drives, partitions, and files.
    • Drive hashing and file hash collection.
    • Evidence file creation includes metadata like timestamps and hash information.

• Forensic Toolkit (FTK):

  • Capabilities include:
    • Hard drive imaging (using FTK Imager).
    • Evidence analysis (hashing, Known File Filter (KFF) database, searching).
    • Scanning for file fragments in slack space.
    • Email inspection.
    • Identification of steganography.
    • Password cracking.

• WinPmem:

  • Memory acquisition tool for Linux, macOS, and Windows.
  • Outputs Advanced Forensic Framework 4 (AFF4) files.
  • Configuration example: D:\winpmem-2.1.exe --format raw -o e:\Laptop1

• Ram Capturer:

  • Free GUI-based memory acquisition tool.
  • Captures memory images and allows specifying the output folder.

Overview of Network Evidence

• Network logs offer valuable insights and are provided by various network device manufacturers.
• Switches (core and edge) generate log data for operations, performance, and security management.
• Switch evidence includes:
  • Packages like Argus (for capturing and combining packets into flow records) and Argus-clients (for analysis tools like ratop).

Network Forensics Tools

• Packet Capturing:
  • Essential for understanding incidents, especially identifying potential C2 (Command and Control) traffic.
  • Common tools: tcpdump, WinPcap, RawCap, dumpcap/Wireshark.
  • dumpcap is part of the Wireshark package.
  • tcpdump is commonly included with Linux distributions and found on many network devices.
  • WinPcap and RawCap are available for Windows but are not native tools.
  • Wireshark is a packet capture and analysis tool with features besides capture, including GUI-based analysis.
  • tcpdump:
    • Basic help menu: dfir@ubuntu:~$ tcpdump –h
    • List of interfaces: dfir@ubuntu:~$ tcpdump –D
    • Basic capture on ens33 with normal verbosity: dfir@ubuntu:~$ sudo tcpdump -i ens33 -v
    • Detailed capture: dfir@ubuntu:~$ sudo tcpdump -i ens33 -vvv
    • Capturing and saving to a file: dfir@ubuntu:~$ sudo tcpdump -i ens33 -vvv -w ping_capture
    • Capturing traffic from a specific source: dfir@ubuntu:~$ sudo tcpdump -i ens33 src host 192.168.10.54
    • Capturing traffic to a specific destination: dfir@ubuntu:~$ sudo tcpdump -i ens33 dst host 162.4.5.23
  • RawCap:
    • Start Windows Command Prompt as administrator and navigate to the RawCap.exe folder.
    • Get help and interface list: D:\>RawCap.exe -help
    • Capture on wireless interface number 5 and save to RawCap.pcap: D:\>RawCap.exe 5 RawCap.pcap
  • Wireshark:
    • Select an interface for capture, double-click to start.
    • Stop capture by clicking the red box in the upper-left corner of the pane.
    • mergecap tool combines multiple packet capture files into a single file: dfir@ubuntu:~$mergecap -w switches.pcap sw1.pcap sw2.pcap sw3.pcap
  • mergecap helps examine activities across multiple network paths.

Description

This quiz explores the various tools used in forensics, both hardware and software-based. Understanding the differentiation between host-based and network-based tools is crucial for collecting and analyzing evidence effectively. It also looks at specific tools like EnCase and their capabilities in forensic investigations.