2. #whoami
Vipin George
Ad-hoc faculty at CEK
Handled Internet plumbing for a Tier-1 ISP
M.Tech in Cyber Forensics and InfoSec
Mozillian, Wikipedian
Enjoys tinkering with Electronic gadgets
Licensed radio amateur, call sign: VU3YVG / KC9VED
3. What is Digital Forensics?
The gathering and analysis of digital information in an authentic, accurate and complete form for presentation as evidence in a court of law
Any electronic device (MP3 player, hard disk, mobile phone) can be the source of evidence
4. What is Digital Forensics?
Investigation takes place after an incident has happened
Try to answer the questions:
Who?
What?
When?
Where?
Why? and
How?
6. Locard’s Exchange principle
Whenever two computers come "into contact" and interact, they exchange something from each other
This may appear in log files, and be visible in the output of commands.
7. Stages
Digital forensics activities commonly include:
the secure collection of data
the identification of suspect data
the examination of suspect data without modifying it
the presentation of information to courts of law
the application of a country's laws to computer practice.
9. First of the few
The one-cent crime (1960s)
Millions of daily transactions add up
Small attacks add up to one major attack that can go undetected due to the nature of this type of cyber crime
Salami attack!
10. Why Debian GNU/Linux?
It is mandatory to image a suspect drive using at least two tools
Budget
Stability
Dedicated solutions are predictable
e.g. EnCase Forensic Imager vulnerability
Ability to dig deeper
11. Why Debian GNU/Linux?
Support for rapidly changing storage media and sizes
Plenty of tools: the Debian Forensics Environment essential components metapackage by the Debian Security Tools Team has 158 packages as of now
https://packages.debian.org/sid/forensics-full
Restoring a virus-infected thumb drive to a Windows system will infect the workstation itself
13. Digital Forensics toolkit
Laptop
Operating System with all patches
Reliable software tools with all patches
Dedicated Hardware if needed
Evidence container
Storage media
Digital Camera
14. Digital Forensics
Four Cardinal Rules
Never Mishandle Evidence
Never Work on Original Digital Evidence
Never Trust the Subject's OS
Document everything
15. Ensuring Forensic soundness
Use a live CD/DVD
Don’t store anything on suspect storage
Don’t attach this workstation to any network
Use separate VMs for each case to avoid any cross-contamination
16. Ensuring Forensic soundness
Destination storage should be equal to or larger than the source
Reinstall Forensic platform each time
Normal image
Ghost image
Use Write-blockers
17. Write blocker
Malware, or an AV update or scan, may update timestamps
A write blocker prevents data from being written on to the drive
Preserves all data on the drive
Decreases the chance of corrupting the drive
Allows the investigator to image the drive without affecting the drive
Write protection
Hardware – SATA, IDE, USB, FireWire
Software
18. Hardware write blocker
Prevents data from being written on to the drive
[Diagram: forensic workstation connected through a USB to IDE/SATA adapter and an IDE/SATA cable to the evidence drive]
20. Software write blocker
Disable Auto-mount
Turn Swap off
Kernel patch and userspace tools to enable Linux software write blocking
Source: https://github.com/msuhanov/Linux-write-blocker
21. Acquiring Disk Image
Ordinary file copy won't work
Bit by bit copy needed for Forensic soundness
Why?
22. Acquiring Disk Image
Evidence can be hidden in many places in a disk
Printer Queue can be a source
A hard drive contains partitions, a partition contains a file system and a file system is used to structure data
Bit by bit disk image
Capture both allocated and unallocated space
Do not use gzip/tar or normal backup tools:
they lose unallocated space
deleted files can’t be recovered
27. Acquiring Disk Image - Software
dd: full disk image: dd if=/dev/sda of=/mnt/usb/sda.img bs=512
But not forensically sound
ddrescue: good for data recovery, but not forensically sound
dcfldd: disk image verification to ensure integrity, can split large files
dcfldd if=/dev/sdX hash=md5,sha256 md5log=/root/md5.txt sha256log=/root/sha256.txt conv=noerror,sync of=/root/diskimage.dd
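Added example (not from the original slides, and not dcfldd's own code): what the dcfldd one-liner does, spelled out as separate steps with plain dd and sha256sum so the hashing and comparison are visible. It assumes POSIX sh and GNU coreutils; the function names make_sample_drive, acquire_image, verify_image and image_has_marker are this example's own, and the "drive" it images is a constructed 4 KiB file, not a real device.

```shell
#!/bin/sh
# Added example, not part of the original slides: bit-for-bit acquisition with dd
# plus the source/image hash comparison that dcfldd does with its hash= option.
# Assumes POSIX sh, dd and GNU coreutils (sha256sum). The "drive" is a constructed
# file; in a real case SRC is a block device behind a write blocker and DST a file
# on the examiner's own storage.

# make_sample_drive PATH: constructed stand-in for an evidence drive: 8 sectors of
# 512 bytes, all zero except a marker in sector 5 (an "unallocated" region that a
# file-level copy such as tar would never see).
make_sample_drive() {
    dd if=/dev/zero of="$1" bs=512 count=8 2>/dev/null
    printf 'CONSTRUCTED EVIDENCE MARKER' | dd of="$1" bs=512 seek=5 conv=notrunc 2>/dev/null
}

# acquire_image SRC DST LOGDIR: image SRC sector by sector into DST and record the
# SHA-256 of both sides in LOGDIR/sha256.txt. conv=noerror,sync keeps going past a
# read error and pads the bad sector with zeros, so the image stays sector-aligned
# and every later offset is preserved. Returns 0 only when both hashes match.
acquire_image() {
    src=$1; dst=$2; logdir=$3
    mkdir -p "$logdir" || return 2
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>"$logdir/dd.log" || return 2
    img_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    printf 'source %s %s\nimage %s %s\n' "$src_hash" "$src" "$img_hash" "$dst" > "$logdir/sha256.txt"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMG LOGDIR: later integrity check: recompute the image hash and
# compare it with the source hash recorded at acquisition time. 0 if unchanged.
verify_image() {
    img=$1; logdir=$2
    recorded=$(awk '$1 == "source" { print $2 }' "$logdir/sha256.txt")
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# image_has_marker IMG: confirm the raw image still holds bytes that belong to no
# file (grep -a treats the binary image as text).
image_has_marker() {
    grep -a -q 'CONSTRUCTED EVIDENCE MARKER' "$1"
}

# Stand-alone demonstration in a temporary directory.
demo_acquisition() {
    work=$(mktemp -d) || return 2
    make_sample_drive "$work/drive.raw"
    if acquire_image "$work/drive.raw" "$work/drive.dd" "$work/logs"; then
        echo "acquisition OK"; cat "$work/logs/sha256.txt"
    else
        echo "HASH MISMATCH: image is not a faithful copy"
    fi
    rm -rf "$work"
}
demo_acquisition
```

For a real drive, call acquire_image with a device path (the slide's /dev/sdX) as SRC; the device size is a whole number of sectors, which matters because the sync flag pads a short last block, so a plain file that is not a multiple of 512 bytes would hash differently from its image. The recorded source hash is what lets you re-run verify_image on the image months later, which is the purpose of dcfldd's md5log/sha256log files.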
28. Acquiring Disk Image - Software
Guymager
Fast, due to multi-threaded, pipelined design and multi-threaded data compression
Makes full usage of multi-processor machines
Generates flat (dd), EWF (E01) and AFF images, supports disk cloning
Source: https://guymager.sourceforge.io/
29. Examining and Analyzing Disk Images
How to find and interpret forensic artifacts?
TSK + Autopsy (GUI-frontend)
The Sleuth Kit and Autopsy browser
http://www.sleuthkit.org/
It can ingest a disk image; we can explore and extract files of interest
Supports raw, Expert Witness (E01) and AFF file formats
30. Metadata: Data speaks to us
Valuable info such as time, date and author of documents may be embedded in the file
Serial killer Dennis Rader was caught after 31 years
31. On Suspect system
Trusted binaries: statically compiled binaries run from CD or USB
ls, lsof, ps, netstat, grep, uname, date, find, file, ifconfig, arp
Test before use:
different Linux distributions and kernels
both 32-bit and 64-bit platforms
Will not modify the access time of the system's own binaries
Be aware of the limitation: a kernel-mode rootkit
32. Volatile Data Collection
Collect as much volatile data as possible
But minimise footprint on the target system
In the order of most volatile to least
Memory
Network status and connections
Running processes
Other system information
Document everything
33. Volatile Data Collection
Be aware of the concept of “chain of custody”
Maintain a good record (a paper trail) of what you have done with evidence
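Added example (not from the original slides) tying slides 31 to 33 together: an ordered volatile-data collection that runs the trusted binaries first, writes each command's output to the examiner's media, logs the UTC time and the resolved path of every binary used, and finishes with a SHA-256 manifest that can be re-checked later for the chain of custody. It assumes POSIX sh and coreutils; the mount point /media/cdrom/bin for the trusted toolset and the function names run_step, collect_volatile and verify_collection are this example's own assumptions. Memory is deliberately left out here, since the slides acquire it with LiME.

```shell
#!/bin/sh
# Added example, not part of the original slides: volatile data collection in the
# order the slides give (network state, then processes, then other system info),
# run through a directory of trusted static binaries and recorded with timestamps
# and a SHA-256 manifest. Assumes POSIX sh and sha256sum (coreutils). The trusted
# binary path is an assumption; OUTDIR must be on the examiner's own media so that
# nothing is written to the subject's disk.

# run_step OUTDIR NAME CMD [ARGS...]: run one collection command, save its output to
# OUTDIR/NAME.txt and log the UTC time plus the resolved binary path, so the record
# shows whether the trusted copy or the subject's own binary answered. A missing
# command is logged and noted in its output file instead of aborting the run.
run_step() {
    outdir=$1; name=$2; shift 2
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if bin=$(command -v "$1"); then
        printf '%s %s %s\n' "$stamp" "$name" "$bin" >> "$outdir/collection.log"
        "$@" > "$outdir/$name.txt" 2>&1 || true
    else
        printf '%s %s SKIPPED (%s not found)\n' "$stamp" "$name" "$1" >> "$outdir/collection.log"
        printf 'SKIPPED: %s not found\n' "$1" > "$outdir/$name.txt"
    fi
}

# collect_volatile OUTDIR [TRUSTED_BIN]: run the ordered collection, then hash
# every output file and the log into OUTDIR/manifest.sha256.
collect_volatile() {
    outdir=$1; trusted=${2:-/media/cdrom/bin}   # assumption: trusted tools mounted here
    mkdir -p "$outdir" || return 2
    : > "$outdir/collection.log"
    PATH="$trusted:$PATH"; export PATH           # trusted binaries take precedence
    run_step "$outdir" 00_start   date -u
    run_step "$outdir" 01_netstat netstat -an    # network status and connections
    run_step "$outdir" 02_arp     arp -an
    run_step "$outdir" 03_ps      ps -ef         # running processes
    run_step "$outdir" 04_uname   uname -a       # other system information
    run_step "$outdir" 05_mount   mount
    run_step "$outdir" 06_end     date -u
    ( cd "$outdir" && sha256sum [0-9]*.txt collection.log > manifest.sha256 )
}

# verify_collection OUTDIR: recompute the hashes against the manifest; 0 if nothing
# in the collected set has changed since it was written.
verify_collection() {
    ( cd "$1" && sha256sum -c manifest.sha256 ) >/dev/null 2>&1
}

# Stand-alone demonstration into a temporary directory (real use: examiner's media).
demo_dir=$(mktemp -d)
collect_volatile "$demo_dir/case-001" "/media/cdrom/bin"
cat "$demo_dir/case-001/collection.log"
rm -rf "$demo_dir"
```

The log line for each step is the part worth keeping with the paper trail: if it shows /bin/ps rather than the trusted path, the subject's own binary was used and the output of that step should be treated with the kernel-mode-rootkit caveat from slide 31 in mind.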
34. Memory Forensics
Data might be encrypted on disk, but unencrypted in memory
LiME – Linux Memory Extractor
Less memory footprint
Pre-compile LiME for the suspect system architecture and specific kernel as a loadable kernel object
Compile LiME on the suspect system if the architecture is unknown (less recommended)
Source: https://github.com/504ensicsLabs/LiME
35. Memory Forensics
Analyze the memory dump using Volatility
Source: https://github.com/volatilityfoundation/volatility
Photorec can carve out files from memory images too
Supports DD raw image, EnCase E01 image etc.
Source: https://www.cgsecurity.org/wiki/TestDisk_Download
36. Network Forensics: collecting RAW network data
Wireshark – GUI
tshark - CLI
tcpdump - CLI
Nmap: Map a network
Snort
P0f (OS passive fingerprinting)
XPLICO: Network Forensic Analysis Tool, can extract data from pcap files, has a web interface