Forensics Final Notes PDF
Summary
This document provides notes on incident response, disaster recovery planning, and related topics, such as types of plans, federal standards, business impact analysis, and backup types. It also includes information on describing a computer incident, damage potential, reproducibility, exploitability, and affected users.
Notes

Incident Response:

Disaster Recovery Plan
In place to respond to
○ Fires
○ Flood
○ Hurricanes
○ Tornado
○ Hard drive failure
○ Network outages
○ Malware infection
○ Data theft or deletion
○ Intrusion

Types of plans:
Business Continuity
○ BCP: focuses on keeping an organization functioning as well as possible until a full recovery can be made
Incident Response
○ IRP: incident focused
Disaster Recovery
○ DRP: focuses on executing a full recovery to normal operations, returning to full functionality

Federal Standards for BCPs:
ISO 27001: Requirements for Information Security Management Systems
○ Very broad standard for information security generally
○ Section 14 addresses business continuity management
NIST 800-34: Contingency Planning Guide for Information Technology Systems
○ Contains a seven-step process for BCP and DRP projects from the U.S. National Institute of Standards and Technology (NIST)
  1. Develop policy statement
  2. Conduct a business impact analysis (BIA): identify key assets
  3. Identify preventive controls
  4. Create contingency strategies
  5. Develop an information system contingency plan: detailed guidance and procedures, based on each asset's impact level and recovery requirements
  6. Plan testing and training
  7. Plan maintenance
○ Both 6 and 7 are usually done annually
NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs
○ From the U.S. National Fire Protection Association (physical)
ISO 27035
○ Guides you in how to formulate an incident response plan
○ Requires a structured and planned approach to: detect, report, and assess information security incidents; respond to and manage information security incidents; detect, assess, and manage information security vulnerabilities; and continuously improve information security and incident management as a result of managing incidents
NIST 800-61
○ Also helps guide you in forming an incident response plan

Business Impact Analysis (BIA):
A process whereby the disaster recovery team contemplates likely disasters and what impact each would have on the organization
Identifies the priority of different critical systems
Considers maximum tolerable downtime (MTD)

Maximum Tolerable Downtime (MTD)
A measure of how long a system or organization can be down before it is impossible for the organization to recover
○ Mean Time to Repair (MTTR): the average time it takes to repair an item; must always be lower than MTD
○ Recovery Time Objective (RTO): the target time to be back to business as usual; must always be lower than MTD
○ Mean Time to Failure (MTTF): the amount of time on average before a given device is likely to fail through normal use
○ Recovery Point Objective (RPO): associated with how much data will be lost; directly tied to backups

Types of Backups
Full backup
○ All changes
Differential backup
○ All changes since the last full backup
Incremental backup
○ All changes since the last backup of any type
Hierarchical Storage Management
○ Continuous backup system

Describing a Computer Incident:
Describing an incident through the vulnerabilities that led to it is effective

Damage Potential: How much damage could the attack cause?
0: No damage
5: Information disclosure
8: Non-sensitive user data related to individuals or employer compromised
9: Non-sensitive administrative data compromised
10: Destruction of an information system; data or application unavailability

Reproducibility: How easily can the attack be reproduced?
0: Difficult or impossible
5: Complex
7.5: Easy
10: Very easy

Exploitability: What's required to launch the attack?
2.5: Advanced programming and networking skills
5: Available attack tools
9: Web application proxies
10: Web browser

Affected Users: How many people would the attack affect?
0: No users
2.5: Individual user
6: Few users
8: Administrative users
10: All users

Discoverability: How easy is the vulnerability to discover?
0: Hard to discover the vulnerability
5: HTTP requests can uncover the vulnerability
8: Vulnerability found in the public domain
10: Vulnerability found in web address bar or form

Overall Threat Rating
The overall threat rating is calculated by summing the scores obtained across these five key areas. The risk severity categories for a threat are as follows:
Critical (40–50): Critical vulnerability; address immediately
High (25–39): Severe vulnerability; consider for review and resolution soon
Medium (11–24): Moderate risk; review after addressing severe and critical risks
Low (1–10): Low risk to infrastructure and data

Incident Response Process:
Detection
○ The goal is to determine the affected systems
○ Analysis is limited since the incident could be getting worse
Containment
○ Limit the incident; prevent it from affecting more systems
○ Have a policy that allows end users to be the first line of defense
○ This is the primary objective: contain threats before eradication measures
Eradication
○ Remove the threat
○ Patch vulnerabilities
○ Evaluate persistence through forensics: ensures a thorough eradication of the threat and that proper evidence is collected
Recovery
○ Revert to business as usual
○ Defined within your DRP and IRP
○ Utilize backups
Follow-up
○ Forensics is key
○ How did the incident occur?
○ How can we ensure it does not recur?
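The five-factor threat rating described above, scored in code as an added example that is not part of the original notes. The per-factor values and the severity bands are the ones the notes list; treating each band's lower edge as the threshold (so a half-point total such as 24.5 lands in the band below) is an assumption.

```python
"""Score the five-factor threat rating from the notes (added example).

Per-factor values and severity bands come from the notes; using each
band's lower edge as the threshold (24.5 -> Medium, 39.5 -> High) is an assumption.
"""
from dataclasses import dataclass

# Allowed values per factor, exactly as listed in the notes.
SCALES = {
    "damage": {0, 5, 8, 9, 10},
    "reproducibility": {0, 5, 7.5, 10},
    "exploitability": {2.5, 5, 9, 10},
    "affected_users": {0, 2.5, 6, 8, 10},
    "discoverability": {0, 5, 8, 10},
}


@dataclass(frozen=True)
class ThreatRating:
    damage: float
    reproducibility: float
    exploitability: float
    affected_users: float
    discoverability: float

    def __post_init__(self) -> None:
        # Reject values the scale does not define (e.g. a guessed 7).
        for factor, allowed in SCALES.items():
            value = getattr(self, factor)
            if value not in allowed:
                raise ValueError(f"{factor}={value} not in {sorted(allowed)}")

    def total(self) -> float:
        # Overall rating is the plain sum of the five factors (max 50).
        return sum(getattr(self, f) for f in SCALES)

    def severity(self) -> str:
        t = self.total()
        if t >= 40:
            return "Critical"   # 40-50: address immediately
        if t >= 25:
            return "High"       # 25-39: review and resolve soon
        if t >= 11:
            return "Medium"     # 11-24: after critical/high are handled
        return "Low"            # 1-10 (lowest possible total is 2.5)


def rate_incidents(ratings):
    """Order findings so Critical and High ones are handled first."""
    return sorted(ratings, key=lambda r: r.total(), reverse=True)
```

For instance, a flaw reachable from a web form by any user with no special data exposed scores ThreatRating(8, 10, 10, 10, 10) = 48 (Critical), while a bug needing expert skills that affects one user scores ThreatRating(5, 5, 2.5, 2.5, 0) = 15 (Medium).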
○ Classify and report incidents to the proper authorities

Preserving evidence:
Recovery is often performed at the expense of preserving forensic evidence (failure to preserve forensic information)
Forensic data is key to preventing future incidents

Windows Forensics:
Difference between 32- and 64-bit processing
32-bit
○ Addresses up to 4,294,967,295 bytes
○ Limited to 4 GB of RAM
○ Referred to as x86
64-bit
○ Addresses up to 18,446,744,073,709,551,616 bytes
○ Referred to as x64

The Boot Process
BIOS
○ POST
○ Read MBR (assigns logical storage to physical storage)
Boot loader
○ Loads NTLDR
○ Snapshot file
○ Switches to 32- or 64-bit
Boot files
○ Minimum drivers
○ Boot.ini
○ NTOSKRNL
○ Hal.dll
○ Windows registry
Kernel loading
Win32 subsystem starts

Volatile Data
Volatile memory analysis is a live-system forensics technique in which you:
○ Collect a memory dump
○ Compute the hash
○ Perform analysis in an isolated environment

Types of Memory
Stack (S)
○ Allocated based on last-in, first-out
○ Most dynamic area of process memory
Heap (H)
○ Data can exist between function calls

Tools to Analyze Live Data
Unix commands that run to investigate Windows machines
PsList
○ Processes
PsInfo
○ Operating system details
ListDLLs
○ Loaded DLLs
PsLoggedOn
○ Login info
NetStat
○ Network connections

Windows Swap File
Augments random access memory (RAM)
Place on hard disk where items from memory can be temporarily stored for fast retrieval
Called 'pagefile.sys'
Typically found in the Windows root directory
Often referred to as 'virtual memory'
hiberfil.sys

Windows Log Files
Files that contain info about events and other activities that occur in Windows
Event Viewer → used to view log files
5 hives
○ Security
○ Application
○ System
○ ForwardedEvents
○ Applications & Services

Index.dat
Used by Microsoft Internet Explorer (not in Microsoft Edge)
Stores:
○ Web addresses
○ Search queries
○ Recently opened files
Use Window Washer or a similar utility to view index.dat

MAC
Refers to 3 critical properties
○ File modified: the date shown by Windows; indicates that there has been a change to the file itself
○ File created: the date the file was 'created' on the volume; doesn't change when working normally with a file
○ File accessed: the date the file was last accessed; an access can be a move, an open, or any other simple access

The Registry
Computer hardware configuration
Multiple users and preferences
Program shortcuts and property sheets
Remote administration through network

Memory Forensics
Key Concepts: identify how to perform forensics on system memory through
○ Capturing and analyzing memory using tools like Volatility and OSForensics
○ Determining signs of malware in memory dumps
○ Understanding how malware functions
○ Understanding memory structure in modern computers
○ Sophisticated malware only runs in memory and doesn't actually store anything on the system

Malware Hiding Techniques:
DLL Injection
○ Injecting a malicious DLL into a legitimate process through the use of registry keys
○ If a piece of malware can list its DLLs in the AppInit_DLLs or AppCertDLLs registry keys, they will be started amongst the common DLLs used by many applications
Process Hollowing
○ Hijacking a process without crashing that process
○ The malware would create a process in a suspended state

Capturing Memory:
Options for capturing memory
○ DumpIt: command-line tool that dumps out current memory to a file ending in the .raw extension
○ RAM Capturer: has a graphical interface rather than a command line
○ OSForensics: Memory Viewer -> dump physical memory
○ AccessData FTK Imager: capture memory is an option within FTK Imager

Analyzing Memory with Volatility
The premier tool for memory analysis is a free tool called Volatility
Volatility commands:
○ info
○ pslist: a good place to start as the first Volatility command; analyzes running processes
○ pstree
○ psscan
○ svcscan: details of all services
○ hollowfind: allows you to look at hollowed processes
○ psxview: searches for hidden processes, similar to psscan
○ modscan
○ moddump: allows you to dump kernel drivers
○ dlldump: allows you to identify specific DLLs associated with a given process
○ malfind: plugin that attempts to identify malware

Stack vs Heap:
Stack
○ Computer memory that is automatically allocated and managed as needed for temporary variables
Heap
○ Memory that programs can allocate as needed
○ Source of memory leaks

How Computer Memory Works
Memory Address Register (MAR)
○ Holds addresses in memory
○ Is a CPU register, but it stores memory addresses so data can be brought to the CPU
Memory Data Register (MDR)
○ Also part of the CPU
○ Stores data that is being transferred to and from memory
Volatile memory only holds its contents while the device has power; once a device is shut down, the data in volatile memory is lost

Linux Forensics
Key Concepts: summarize various types of digital forensics within Linux systems by leveraging
○ Linux operating system and file systems
○ What to look for in Linux system logs
○ Forensically interesting Linux directories
○ Important Linux shell commands
○ How to undelete files from Linux

Linux Shells
Bourne shell (sh): the original default shell for UNIX; first released in 1977
Bourne-again shell (Bash): the most commonly used shell in Linux; released in 1989
C shell (csh): derives its name from the fact that it uses very C-like syntax; Linux users who are familiar with C will like this shell; first released for UNIX in 1978
Korn shell (ksh): a popular shell developed by David Korn in the 1980s; meant to be compatible with the Bourne shell but also to incorporate true programming language capabilities

Linux Commands
ls
○ Lists the contents of the current directory
cp
○ Copies one file to another directory
mkdir
○ Creates a new directory
cd
○ Changes directories
rm
○ Deletes or removes a file
rmdir
○ Removes or deletes entire directories
mv
○ Moves a file
diff
○ Performs a byte-by-byte comparison of two files and tells you what is different about them
cmp
○ Performs a textual comparison of two files and tells you the difference between the two
>
○ The redirect operator: instead of displaying the output of a command like ls on the screen, it redirects the output to a file
ps
○ Lists all currently running processes that the user has started; any program or daemon is a process
top
○ Lists all currently running processes, whether the user started them or not, and shows more detail on the processes
fsck
○ Performs a file system check; can check whether a given partition is in good working condition
fdisk
○ Lists the various partitions

Network Forensics
Key Concepts: identify how to perform network packet analysis through
○ Understanding a packet's structure
○ Capturing packets
○ Analyzing packets
○ Conducting router forensics
○ Conducting forensics on firewall logs

Network Packet Definitions
Network packets
○ Data sent across the network is divided into chunks called packets
○ Packets are divided into 3 sections: header, payload, and footer
Packet headers
○ Can have several headers put on by different protocols at different layers of the OSI model
○ TCP header synchronization bits also yield interesting forensic data
○ Port scanning: seeing incoming packets destined for well-known ports is a telltale

Important Ports
20, 21
○ File Transfer Protocol (FTP)
22
○ SSH
23
○ Telnet
25
○ SMTP
53
○ DNS
80
○ HTTP
110
○ Post Office Protocol Version 3 (POP3)

Getting Evidence from the Router
Do not shut down the router
○ Can erase valuable evidence
Do not alter anything
Document your process
Connect to the router to run the following commands

Router Commands
1. show version: shows information about the router
2. show running-config: shows the current configuration of the router
3. show stacks: can be useful for identifying the reason for system crashes
4. show interfaces: shows information regarding the status of different interfaces on the router
5. Displays diagnostic and driver-level details on an interface
6. Shows CPU and memory usage over time
7. Buffers are system memory allocated to hold packets that are being processed and switched to the correct location
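The port-scanning telltale noted under Packet Headers, turned into a detection check over firewall log lines as an added example that is not part of the original notes. The port-to-service table is the one listed above; the log line format, the sample lines and the threshold of four distinct ports are constructed assumptions.

```python
"""Flag sources sweeping the notes' well-known ports in firewall logs (added example)."""
import re
from collections import defaultdict

# Port-to-service table from the notes.
WELL_KNOWN_PORTS = {
    20: "FTP", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP",
    53: "DNS", 80: "HTTP", 110: "POP3",
}

# Constructed log format (assumption): "<time> <proto> <src>:<sport> -> <dst>:<dport> <action>"
LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>[A-Z]+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def find_port_sweeps(lines, min_ports=4):
    """Map each source that touched >= min_ports distinct well-known ports to the sorted ports."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] in WELL_KNOWN_PORTS:   # allowed or denied, both count
            seen[rec["src"]].add(rec["dport"])
    return {src: sorted(ports) for src, ports in seen.items() if len(ports) >= min_ports}


# Constructed sample log using documentation address ranges; one source probes six services.
SAMPLE_LOG = """\
2024-01-01T10:00:01 TCP 203.0.113.7:51000 -> 192.0.2.10:21 DENY
2024-01-01T10:00:01 TCP 203.0.113.7:51001 -> 192.0.2.10:22 DENY
2024-01-01T10:00:02 TCP 203.0.113.7:51002 -> 192.0.2.10:23 DENY
2024-01-01T10:00:02 TCP 203.0.113.7:51003 -> 192.0.2.10:25 DENY
2024-01-01T10:00:03 TCP 203.0.113.7:51004 -> 192.0.2.10:80 ALLOW
2024-01-01T10:00:03 TCP 203.0.113.7:51005 -> 192.0.2.10:110 DENY
2024-01-01T10:01:00 TCP 198.51.100.4:40000 -> 192.0.2.10:80 ALLOW
2024-01-01T10:01:05 TCP 198.51.100.4:40001 -> 192.0.2.10:443 ALLOW
2024-01-01T10:02:00 UDP 198.51.100.9:53000 -> 192.0.2.10:53 ALLOW
"""

if __name__ == "__main__":
    for src, ports in find_port_sweeps(SAMPLE_LOG.splitlines()).items():
        print(src, [f"{p}/{WELL_KNOWN_PORTS[p]}" for p in ports])
```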