digital forensics workshop
TRANSCRIPT
What are we going to cover?
Brief legal overview
Where can you find digital evidence
Collecting and preserving digital evidence
Examining digital evidence
Documenting the process
What am I not going to cover
Digital Forensics is a massive area and this
workshop only scratches the surface
Windows commercial tools
Network forensics
Report writing
So what, why do I care about this?
Understanding the landscape, what information
can be retrieved
Forensic readiness, eg escrowing FDE recovery keys before you need them
Incident response
Ever been asked to “have a look at” what
someone has been doing?
Legal Overview
First I’m not a lawyer, but I have studied some
of the key acts involved.
Respect other people’s privacy
Have a plan if you find something unexpected
eg child pornography or terrorist material
ACPO Guidelines
Who are they - Association of Chief Police
Officers
Set guidelines on procedures for all police
forces in England and Wales
The guidelines are well thought out
Principle 1
No action taken by law enforcement agencies,
persons employed within those agencies or
their agents should change data which
may subsequently be relied upon in court.
Principle 2
In circumstances where a person finds it
necessary to access original data, that person
must be competent to do so and be able to give
evidence explaining the relevance and the
implications of their actions.
Principle 3
An audit trail or other record of all processes
applied to digital evidence should be created
and preserved. An independent third
party should be able to examine those
processes and achieve the same result.
Principle 4
The person in charge of the investigation has
overall responsibility for ensuring that the law
and these principles are adhered to.
Collecting Evidence
If you are examining digital evidence in a
workplace, consult HR and get permission in
writing.
If you are doing this professionally make sure
you have advice and support from a real
lawyer.
Chain of evidence
It is absolutely critical to be able to account for
what happened to an exhibit such as a
computer from the moment it was seized to the
moment it was examined by a forensic
examiner.
Fear the words “I’ve had a quick look…..”
Training
For learning and training purposes the key
point is that you should only examine kit you
own, and if in doubt seek advice from a real
lawyer.
Today you will get an iPhone and a Windows
system image to examine
Attribution
Digital evidence proves “a computer” did
something
Proving who was using the computer at the
time can be challenging.
Digital evidence can be considered “hearsay”
Where do you find digital evidence?
Desktops / Laptops
Embedded devices, eg home routers
Servers / Home NAS units
Cell phones
The Cloud
Public Internet / Social Media
Tools for collecting
Disk imaging - depends on your budget
Write blockers - hardware is expensive
Software write blocking (eg read-only mounts,
automount disabled) can work but is easier to get wrong
Collect to a verified blank disk - a fresh SSD helps here,
otherwise wipe and check the target first (eg a 4-pass
badblocks -w write test)
Key point - practice and test
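What an imager such as dd conv=noerror,sync or dc3dd actually does, written out so each step is visible: read the source sector by sector, zero-fill any sector that cannot be read rather than aborting, hash what was written in the same pass, and record the hash in a sha1sum-style manifest that can be checked later. This is an added example, not code from the workshop; the "drive" is a constructed in-memory buffer with one sector that raises an I/O error, and the file paths are temp files.

```python
"""Added example, not part of the workshop material: what a forensic
imager such as dd conv=noerror,sync or dc3dd does, written out in Python
so each step is visible. The 'drive' is a constructed in-memory buffer
with one sector that raises an I/O error; paths are temp files."""
import hashlib
import io
import os
import tempfile

SECTOR = 512   # read per sector so an unreadable sector costs one sector, not the whole image


class FlakyDisk(io.BytesIO):
    """Constructed stand-in for a drive: reads at the given offsets fail."""

    def __init__(self, data, bad_offsets):
        super().__init__(data)
        self.bad = set(bad_offsets)

    def read(self, size=-1):
        if self.tell() in self.bad:
            raise OSError(5, "Input/output error")
        return super().read(size)


def image_device(src, dst, log, sector=SECTOR):
    """Copy src to dst, zero-filling sectors that cannot be read (dd conv=noerror,sync),
    and hash what was written in the same pass. Returns (bytes, bad offsets, sha1)."""
    h = hashlib.sha1()
    bad = []
    offset = 0
    while True:
        src.seek(offset)
        try:
            chunk = src.read(sector)
        except OSError as exc:
            bad.append(offset)
            log.append(f"read error at offset {offset}: {exc}")
            chunk = b"\x00" * sector       # pad so later data keeps its offsets
        if not chunk:                      # clean EOF
            break
        dst.write(chunk)
        h.update(chunk)
        offset += len(chunk)
    return offset, bad, h.hexdigest()


def acquire(src, image_path, manifest_path):
    log = []
    with open(image_path, "wb") as out:
        copied, bad, digest = image_device(src, out, log)
    with open(manifest_path, "w") as m:          # same layout sha1sum writes
        m.write(f"{digest}  {os.path.basename(image_path)}\n")
    return copied, bad, digest, log


def verify(image_path, manifest_path):
    """Equivalent of `sha1sum -c manifest`: rehash the image and compare."""
    expected = {}
    with open(manifest_path) as m:
        for line in m:
            digest, _, name = line.rstrip("\n").partition("  ")
            expected[name] = digest
    h = hashlib.sha1()
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected.get(os.path.basename(image_path))


def demo():
    data = bytes(range(256)) * 8                 # constructed 2048-byte drive, 4 sectors
    disk = FlakyDisk(data, bad_offsets=[1024])   # sector 2 is unreadable
    tmp = tempfile.mkdtemp()
    img = os.path.join(tmp, "evidence.raw")
    manifest = os.path.join(tmp, "sha1sums")
    copied, bad, digest, log = acquire(disk, img, manifest)
    with open(img, "rb") as f:
        image = f.read()
    expected = data[:1024] + b"\x00" * 512 + data[1536:]
    verified = verify(img, manifest)
    with open(img, "r+b") as f:                  # now corrupt one byte: the check must fail
        f.seek(100)
        f.write(b"\xff")
    return {
        "copied": copied,
        "bad_offsets": bad,
        "image_as_expected": image == expected,
        "digest": digest,
        "verified": verified,
        "tampered_verified": verify(img, manifest),
        "log": log,
    }


if __name__ == "__main__":
    print(demo())
```

On a clean drive you would also hash the source device itself and confirm the two digests agree; with an unreadable sector that is impossible, which is why the bad-sector log belongs in your notes next to the hash.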
How do you gather evidence?
Pull the power, ship it to the lab…...
When would this work?
When wouldn’t this work?
What about cloud storage?
What about Mobile devices?
What about full disk encryption?
Imaging normal computers
If the computer is active
Document the screen / gather artifacts
Assess if there is encryption
Do you need to image the RAM?
Secure the system and plan investigation
Imaging FDE computers
Who has the password?
Gather evidence without powering off?
Other evidence sources, logs or backups?
Exploit FireWire or Thunderbolt DMA access to read RAM?
Cold boot attack - only get 1 go
Mobile devices
Passcodes / PINs
Backups?
Cloud storage?
Hardware flaws?
Remember - Faraday bags to stop remote wipe
NAS units and servers
Vast amounts of data
How do you find what matters?
Are you invading others privacy?
What is the business impact of seizure?
Where are they and who owns them?
Mostly just normal computers
Examining Digital Evidence
Understand the context
Consider what you are looking for
Build and understand a timeline
Digital Triage - what is the context?
Understand your adversary
Examine what matters
Reduce the evidence you have
Eliminate noise - eg drop files whose hashes are in the NIST NSRL known-file hash set
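Known-file filtering in practice, as an added example that is not part of the workshop: hash every file under an exhibit's mount point and drop the ones whose SHA-1 appears in a known-file set, so only unknown files get examined. The hash-set text is constructed for the demo in the column order of the legacy NSRLFile.txt export (SHA-1 first); the files and their contents are created in a temp directory and are assumptions, not a real exhibit.

```python
"""Added example, not part of the workshop material: reduce a file set by
dropping anything whose SHA-1 appears in a known-file hash set such as the
NIST NSRL. The hash-set lines are constructed in the column order of the
legacy NSRLFile.txt export; the exhibit files are created in a temp dir."""
import csv
import hashlib
import io
import os
import tempfile

NSRL_HEADER = '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"'


def load_hash_set(text):
    """Parse an RDS-style CSV and return the set of lowercase SHA-1 values."""
    return {row["SHA-1"].lower() for row in csv.DictReader(io.StringIO(text))}


def sha1_file(path, chunk=1 << 20):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(root, known):
    """Walk root; return (files still worth a look, files dropped as known)."""
    keep, dropped = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # Match on content, never on name: a renamed OS file is still noise,
            # and a user file renamed to look like one is still unknown.
            (dropped if sha1_file(path) in known else keep).append(rel)
    return sorted(keep), sorted(dropped)


def demo():
    os_binary = b"MZ\x90\x00" + b"constructed os binary" * 50   # stands in for a shipped OS file
    user_doc = b"Fluffy is in the shed behind the pub"          # constructed user content
    known_csv = NSRL_HEADER + "\n" + ",".join([
        f'"{hashlib.sha1(os_binary).hexdigest().upper()}"',
        f'"{hashlib.md5(os_binary).hexdigest().upper()}"',
        '"00000000"', '"notepad.exe"', f'"{len(os_binary)}"', '"1"', '"358"', '""',
    ]) + "\n"
    root = tempfile.mkdtemp()
    files = {
        "WINDOWS/notepad.exe": os_binary,
        "Documents/holiday.jpg": os_binary,   # renamed copy of a known file: still filtered
        "Documents/plan.txt": user_doc,       # unknown content: kept for examination
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    keep, dropped = triage(root, load_hash_set(known_csv))
    return {"keep": keep, "dropped": dropped}


if __name__ == "__main__":
    print(demo())
```

Keep the dropped list as well as the kept one: your notes should show what was excluded and by which hash set version, so a third party can repeat the reduction (ACPO principle 3).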
What are you looking for?
Image files
Geolocation
Emails / Messages
Meta data
Content
Browser history
Timelines
What happened when?
Who or what caused it to happen?
What order did things happen in?
Correlation with other sources
System logs, Social Media
Can often point to new sources of evidence
Tool selection
There are 100s of tools that let you examine
systems, pick those you are comfortable with.
Autopsy - web front end to “the sleuthkit”
Standard Unix tools - find, strings, grep etc
Other tools - exiftool, sqlitebrowser
Windows tools - nirsoft and sysinternals
Volatility - Memory forensics
Mobile devices
Is the device jailbroken or enrolled in an MDM?
Can you get the PIN?
Specialist software tools
iOS - Elcomsoft
Older Apple hardware - limera1n bootrom exploit
Android - ADB
Training - II
Virtualisation is very powerful for learning and
training
Resettable state - test your tool or technique
and then reset the VM
Dump RAM contents without complex tools (eg suspend a
VMware VM and take its .vmem file, or
VBoxManage debugvm <vm> dumpvmcore --filename ram.elf)
Documentation
Remember ACPO principle 3
Contemporaneous notes, paper or electronic
Video and photographic evidence is powerful
Log your own sessions, eg with script(1) or a logged ssh session
Your evidence bags
32GB memory stick containing
iPhone4 image - raw nand, key bag and
encrypted disk image
Windows XP disk image
1GB memory stick image
Remember - chain of evidence
iOS exploitation demo
Using iphone-dataprotection https://code.google.com/p/iphone-dataprotection/
iPhone 4 - note this doesn’t work on newer
models
Exploits the boot ROM (limera1n) and uploads a custom ramdisk
Lets you bruteforce the PIN and extract the
NAND
What do you know?
Fluffy the dog has been dognapped!
The owner has been told to meet at a pub
The dognapper might have scouted the area
An iPhone and laptop have been seized
Can you find evidence that the owner of them
was involved?
Tools to use
sha1sum - verify your images against the sha1sums file (sha1sum -c sha1sums)
Autopsy - apt-get install autopsy
Exiftool - apt-get install libimage-exiftool-perl
SQLitebrowser - apt-get install…..
Kali Linux - Bootable from the Memory Stick
Autopsy
Perl based web front end to The SleuthKit
Allows file browsing of disk images
Search for text strings
Build file timelines
Extract raw disk sectors
Interesting files on the memory stick
Memory Stick: MemoryStick.raw.gz
Windows: WindowsXP.raw.gz
iPhone: d0c3eaaaa2/d0c3eaaaa2-data.dd.gz
Checksums: sha1sums
Starting points
Most user data on iOS is under /var/mobile
iOS keeps much of it in SQLite databases (SMS, call
history, contacts, Safari); timestamps are usually seconds
since 2001-01-01 (Mac absolute time), not Unix time
The memory stick might tell you where to look
Recycle Bin and Web history
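Building the timeline from the Timelines slide out of the iOS SQLite artifacts and Windows starting points above, as an added example that is not part of the workshop material: each source keeps a different clock (Mac absolute time in iOS databases, and nanoseconds in the same column from iOS 11 onwards; Unix seconds in browser history; FILETIME in Recycle Bin and registry data), so every event is normalised to UTC before the sources are merged and sorted. The SQLite database is built in memory with tables shaped like the sms.db message and handle tables; the browser and Recycle Bin entries are constructed values. All names, numbers and message text are assumptions for the demo, not from any real exhibit.

```python
"""Added example, not part of the workshop material: one UTC timeline from
artifacts that use different clocks. The SQLite database is constructed in
memory with tables shaped like the iOS sms.db 'message' and 'handle'
tables (date = seconds since 2001-01-01, 'Mac absolute time'); the browser
and Recycle Bin events are constructed values."""
import sqlite3
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def mac_absolute_to_utc(value):
    """iOS/macOS: seconds since 2001-01-01 UTC. From iOS 11 sms.db stores
    nanoseconds in the same column, so scale down anything implausibly large
    (assumption: a value in seconds never exceeds 10**12)."""
    if value > 10**12:
        value = value / 10**9
    return MAC_EPOCH + timedelta(seconds=value)


def filetime_to_utc(ft):
    """Windows FILETIME (Recycle Bin INFO2, registry): 100 ns ticks since 1601."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def unix_to_utc(seconds):
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def build_sample_sms_db():
    """Constructed sms.db lookalike; real ones live under /var/mobile/Library/SMS/."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, handle_id INTEGER,
                              date INTEGER, is_from_me INTEGER);
    """)
    db.execute("INSERT INTO handle VALUES (1, '+441234567890')")
    db.executemany("INSERT INTO message VALUES (?, ?, ?, ?, ?)", [
        (1, "Bring the cash to the Red Lion at 8", 1, 410230800, 0),   # seconds since 2001
        (2, "OK, I'll be there", 1, 410231400 * 10**9, 1),            # nanoseconds (iOS 11+)
    ])
    return db


# Constructed: (Unix seconds, URL) as a browser history row would give you.
BROWSER_HISTORY = [(1388534400, "http://maps.example/search?q=Red+Lion")]
# Constructed: (FILETIME of deletion, original path) as in an XP INFO2 record.
RECYCLE_BIN = [(130330098000000000, r"C:\Documents and Settings\user\My Documents\plan.txt")]


def sms_events(db):
    rows = db.execute("""SELECT m.date, m.is_from_me, h.id, m.text
                         FROM message m LEFT JOIN handle h ON h.ROWID = m.handle_id""")
    return [(mac_absolute_to_utc(date), "sms",
             f"{'to' if from_me else 'from'} {who}: {text}")
            for date, from_me, who, text in rows]


def build_timeline(db):
    events = sms_events(db)
    events += [(unix_to_utc(t), "browser", url) for t, url in BROWSER_HISTORY]
    events += [(filetime_to_utc(ft), "recyclebin", f"deleted {path}") for ft, path in RECYCLE_BIN]
    events.sort(key=lambda e: e[0])              # one ordering across all sources
    return [{"utc": when.strftime("%Y-%m-%d %H:%M:%S"), "source": src, "detail": detail}
            for when, src, detail in events]


def demo():
    return build_timeline(build_sample_sms_db())


if __name__ == "__main__":
    for e in demo():
        print(e["utc"], e["source"].ljust(10), e["detail"])
```

Get the epoch wrong and events land years apart; get the scale wrong and a message dated a century after the investigation is the first sign. Normalising everything to UTC first and keeping the device's own timezone as a separate note is what makes the cross-source correlation hold up.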