LO - 2 - Data Capture and Memory Forensics

This document discusses tools that assist with digital investigations in different situations. It describes disk and data capture tools like Autopsy/Sleuth Kit that analyze disk images and file systems. It covers memory forensics tools like Volatility that analyze RAM captures. It also mentions network forensics, registry analysis, forensic toolkits, and browser forensics tools. Specific tools are defined including FTK Imager, Guymager, Scalpel, OpenText EnCase, Mandiant RedLine, Bulk Extractor, and memory forensics tools like LIME and SIFT Workstation.

LESSON OBJECTIVE 2

https://resources.infosecinstitute.com/topic/computer-forensics-tools/

https://tryhackme.com/room/windowsforensics1
APPLY THE TYPES OF TOOL THAT SUPPORT PROFESSIONAL DIGITAL INVESTIGATIONS AT A STRATEGIC LEVEL

• 2.1 Analyse the range of tools that assist digital investigations in different situations
• 2.2 Select the appropriate tools to carry out a digital investigation for a given situation, justifying the selection
DIGITAL FORENSICS TOOLS

• a) Disk and data capture tools:
• b) Memory forensics:
• c) Network forensics:
• d) Registry analysers:
• e) Forensic kit components:
• f) Forensic investigation suite:
• g) Browser forensics:
1. DISK AND DATA CAPTURE TOOLS

• Forensic disk and data capture tools acquire a copy of a system's storage and extract potential forensic artifacts from it, such as files, emails and so on. Imaging and analysing the disk is a core part of the computer forensics process and the focus of many forensics tools.

A. Autopsy/The Sleuth Kit
B. FTK Imager
C. Guymager
D. Scalpel
E. OpenText EnCase
F. Mandiant RedLine
G. Bulk Extractor
A. AUTOPSY/THE SLEUTH KIT

• Autopsy/The Sleuth Kit: these tools are designed to analyse disk images, perform in-depth analysis of file systems and include a wide variety of other features. The Sleuth Kit is the command-line library and tool set; Autopsy is the graphical front end built on top of it.
• Download Autopsy: https://www.autopsy.com/download/
• How to analyse files using Autopsy: https://youtu.be/6WKZAcRajbc
• Features
• Multi-User Cases: collaborate with fellow examiners on large cases.
• Timeline Analysis: displays system events in a graphical interface to help identify activity.
• Keyword Search: text extraction and indexed search modules let you find files that mention specific terms or match regular expression patterns.
• Web Artifacts: extracts web activity from common browsers to help identify user activity.
• Registry Analysis: uses RegRipper to identify recently accessed documents and USB devices.
• LNK File Analysis: identifies shortcuts and accessed documents.
• Email Analysis: parses MBOX format messages, such as those from Thunderbird.
• EXIF: extracts geolocation and camera information from JPEG files.
• Media playback and thumbnail viewer.
• Robust File System Analysis: support for common file systems, including NTFS, FAT12/FAT16/FAT32/exFAT, HFS+, ISO 9660 (CD-ROM), Ext2/Ext3/Ext4 and Yaffs2.
• Unicode Strings Extraction: extracts strings from unallocated space and unknown file types in many languages.
• File Type Detection based on signatures, with extension mismatch detection.
• Interesting Files Module: flags files and folders based on name and path.
• Android Support: extracts data from SMS, call logs, contacts, Tango, Words with Friends, and more.
WHAT IS FILE CARVING?

• File carving is the process of recovering or reconstructing deleted or formatted files from a disk.
• It searches a data stream for the contents of files and carves the deleted files out without relying on file system metadata, which is exactly what is missing once a file has been deleted or the disk formatted.
• To recover these deleted files the forensic examiner uses dedicated carving software and programs.
• Many file types have a well-known value, or magic number, in their first and last bytes.
• Files can be carved out based on these first and last bytes.
EXAMPLE – FILE CARVING

• JPEG – \xFF\xD8 header (the SOI marker) and \xFF\xD9 footer (the EOI marker).
• If we define this header and footer in a carving tool such as Scalpel, we can carve the JPEG out even if it has been deleted from the disk.
DIFFERENT METHODS OF FILE CARVING

• File structure based carving
• The elements used to check are the header, footer, identifier strings, size information, etc.

• Content based carving
• The following information can be used to carve:
1. Character count
2. Text/language recognition
3. White and black listing of data (filter)
4. Statistical attributes
5. Information entropy
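The two methods above in working code, as an added example written for this lesson (it is not Scalpel's or Autopsy's code): a structure-based carver that walks an image looking for the JPEG header and footer from the earlier slide, and a content-based filter that uses information entropy to reject hits whose bytes do not look like compressed image data. The "disk image" is constructed in `build_sample_image()` and contains one intact JPEG and one whose footer was overwritten; the names, the 4096-byte size cap and the entropy threshold are choices made for the example.

```python
import math
from dataclasses import dataclass

# JPEG begins with the SOI marker FF D8, always followed by another marker (FF xx),
# and ends with the EOI marker FF D9: the "xFFxD8" header and "xFFxD9" footer above.
JPEG_HEADER = b"\xFF\xD8\xFF"
JPEG_FOOTER = b"\xFF\xD9"
MAX_JPEG_SIZE = 4096  # Scalpel-style size cap chosen for this example; real configs use tens of MB


@dataclass
class CarvedFile:
    offset: int     # absolute offset of the header in the image
    data: bytes     # header through footer, or header through the size cap
    complete: bool  # False when no footer was found within MAX_JPEG_SIZE


def carve_by_signature(image: bytes, header: bytes, footer: bytes, max_size: int) -> list:
    """File-structure-based carving: find each header, then the first footer that
    follows it within max_size bytes. The file system is ignored entirely, which is
    what lets deleted or formatted files be recovered."""
    found = []
    pos = 0
    while True:
        start = image.find(header, pos)
        if start == -1:
            break
        end = image.find(footer, start + len(header), start + max_size)
        if end == -1:
            # Header but no footer in range: tail overwritten or file truncated.
            # Emit up to the cap and flag it, as Scalpel does for footer-less hits.
            found.append(CarvedFile(start, image[start:start + max_size], False))
            pos = start + len(header)
        else:
            stop = end + len(footer)
            found.append(CarvedFile(start, image[start:stop], True))
            pos = stop
    return found


def shannon_entropy(data: bytes) -> float:
    """Content-based check: bits of entropy per byte, 0.0 for constant data and
    8.0 for uniformly distributed bytes. Real JPEG data scores close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def carve_jpegs(image: bytes, min_entropy: float = 6.0) -> list:
    """Signature carve, then drop hits whose leading bytes are too low-entropy to be
    compressed image data (a content-based filter on top of structure-based carving).
    Only the first 512 bytes are scored so a truncated hit padded with zeros is
    judged on its real content rather than on the padding."""
    hits = carve_by_signature(image, JPEG_HEADER, JPEG_FOOTER, MAX_JPEG_SIZE)
    return [h for h in hits if shannon_entropy(h.data[:512]) >= min_entropy]


def build_sample_image() -> bytes:
    """Constructed test data standing in for a disk image; not a real capture.
    Layout: zeroed unallocated space, one intact JPEG, a text fragment, one JPEG
    whose footer was overwritten, then more zeros."""
    body = bytes(range(0xF0)) * 2            # 480 high-entropy bytes containing no 0xFF, so no fake markers
    zeros = b"\x00" * 1024
    text = b"quarterly report draft " * 20   # 460 bytes of low-entropy document residue
    intact_jpeg = JPEG_HEADER + body + JPEG_FOOTER
    truncated_jpeg = JPEG_HEADER + body      # footer never reached: only partly recoverable
    return zeros + intact_jpeg + text + truncated_jpeg + zeros


if __name__ == "__main__":
    for hit in carve_jpegs(build_sample_image()):
        state = "complete" if hit.complete else "TRUNCATED"
        print(f"offset={hit.offset:6d} size={len(hit.data):5d} {state} "
              f"entropy={shannon_entropy(hit.data[:512]):.2f}")
```

Two caveats a carver has to live with: a file whose footer was destroyed will be carved up to the size cap (here it absorbs the zeros that follow it), and if a second JPEG had started inside that cap the carver would have joined the two into one file ending at the second file's footer. That is why tools such as Autopsy validate carved output afterwards, for example by attempting to decode it.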
FILE CARVING USING AUTOPSY

• https://youtu.be/-UZo1wP_4GY

• How to analyse information in Autopsy
• https://www.geeksforgeeks.org/analysis-of-data-source-using-autopsy/
B. FTK IMAGER

• FTK Imager is able to make exact copies of computer data (forensically sound images) without altering the original evidence.
• Specifically, it can create forensic images of local hard drives, floppy diskettes, Zip disks, CDs and DVDs, as well as of whole folders and individual files from several locations within the media (Joakim Kävrestad, 2018).
• Data and directories on hard disk drives, network storage, USB storage media, CDs and DVDs can all be previewed before imaging (Hidayat et al., 2018).
• The FTK Imager GUI runs on Windows; AccessData also published command-line builds for Linux and macOS.
C. GUYMAGER

• Guymager is an open-source forensic disk imager used for data acquisition.
• What is multithreading: https://youtu.be/0KAGazeMZ2o
• It runs only on Linux. Kali Linux, a specialised OS for penetration testing and forensic investigation, ships with it pre-installed (Karampidis & Papadourakis, 2017).
• Because of its multi-threaded, pipelined architecture and multi-threaded compression, it is extremely fast.
• It utilises multi-processor computers to their full potential.
• It supports disk cloning and produces flat (dd), EWF (E01) and AFF images (Chaudhary et al., 2016).
D. SCALPEL

• Scalpel is a file carving tool for Windows and Linux: it reads header and footer definitions from a configuration file and carves matching files out of an image.
• File carving is the process of retrieving, restoring, reconstructing or reassembling files when a disk has been formatted, its file system or partition has been lost or destroyed, or the metadata of a file has been removed (Samer Al-Khateeb & Nitin Agarwal, 2019).
E. OPENTEXT ENCASE

• EnCase Forensic is a court-accepted tool for in-depth digital forensic analysis, efficient evidence retrieval and automated investigation workflows with flexible reporting, and is widely regarded internationally as a benchmark for digital forensics (Schatz & Cohen, 2017).
• The package includes EnCase VFS (Virtual File System), EnCase Smartphone Examiner, PDE (Physical Disk Emulator), the Decryption Suite and FastBloc Software Edition (Holt et al., 2018).
F. MANDIANT REDLINE

• Mandiant RedLine is a popular tool for memory and file analysis.
• It collects information about running processes on a host and drivers from memory, and gathers other data such as metadata, registry data, tasks, services, network information and internet history to build a report.

G. BULK EXTRACTOR

• Bulk Extractor is also an important and popular digital forensics tool.
• It scans disk images, files or directories of files and extracts useful information: "features" such as email addresses, URLs and credit card numbers, together with histograms of how often each occurs.
• It ignores the file system structure while doing so, so it is faster than other similar tools and also recovers features from unallocated space, from slack space and from memory dumps.
• It is used mainly by intelligence and law enforcement agencies in solving cybercrimes.
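An added example of the Bulk Extractor approach described above, written for this lesson rather than taken from the tool itself: the image is read as raw bytes in fixed-size blocks, two feature types (email addresses and IPv4 addresses) are pulled out with regular expressions regardless of any file system, and the values are counted into a histogram. The part worth studying is the overlap handling, because a feature that straddles a block boundary is the classic way a naive scanner loses evidence. The raw image in `build_sample_image()` is constructed, the function names are mine, and the same scan runs unchanged over a memory dump such as the .raw files discussed later in this lesson.

```python
import io
import re
from collections import Counter

# Feature patterns are applied to raw bytes, so nothing is decoded or parsed first
# and the file system layout is irrelevant: unallocated space is scanned like any other.
FEATURE_PATTERNS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
}


def is_valid_ipv4(raw: bytes) -> bool:
    """Cheap false-positive filter: every octet must fit in 0..255."""
    return all(int(octet) <= 255 for octet in raw.split(b"."))


def scan_stream(stream, chunk: int = 1 << 20, overlap: int = 256) -> list:
    """Read the image in `chunk`-sized blocks, carrying the last `overlap` bytes of
    each block forward so a feature that straddles a block edge is still seen whole.
    `overlap` must exceed the longest feature you expect. Returns sorted
    (absolute_offset, kind, value) triples."""
    best = {}      # (offset, kind) -> longest value seen at that offset
    base = 0       # absolute offset of the current block's first byte
    tail = b""
    while True:
        block = stream.read(chunk)
        if not block:
            break
        buf = tail + block
        buf_start = base - len(tail)
        for kind, pattern in FEATURE_PATTERNS.items():
            for m in pattern.finditer(buf):
                if m.start() == 0 and tail:
                    # A hit flush against the carried tail is either a feature already
                    # recorded from the previous buffer or a spurious suffix of one
                    # (e.g. "2.168.1.2" cut out of "192.168.1.2"); skip it.
                    continue
                value = m.group()
                if kind == "ipv4" and not is_valid_ipv4(value):
                    continue
                key = (buf_start + m.start(), kind)
                if len(value) > len(best.get(key, b"")):
                    best[key] = value   # a hit truncated at a block edge is replaced by the full one
        base += len(block)
        tail = buf[-overlap:]
    return sorted((off, kind, val.decode("ascii")) for (off, kind), val in best.items())


def scan_bytes(data: bytes, **kwargs) -> list:
    return scan_stream(io.BytesIO(data), **kwargs)


def histogram(features: list, kind: str) -> Counter:
    """bulk_extractor-style histogram: how often each value of one feature type occurs."""
    return Counter(value for _, k, value in features if k == kind)


def build_sample_image() -> bytes:
    """Constructed raw image, not a real capture. The first e-mail address is placed
    so that it straddles a 4096-byte block boundary."""
    return (b"\x00" * 4090
            + b"bob.smith@corp-mail.example.org\n"
            + b" " * 100
            + b"POST /login HTTP/1.1\r\nHost: 192.168.1.2\r\n"
            + b"build 999.1.1.1 is not an address\n"   # octet 999: rejected by the filter
            + b"\xff" * 50
            + b"alice@example.com alice@example.com\n"
            + b"\x00" * 5000)


if __name__ == "__main__":
    found = scan_bytes(build_sample_image(), chunk=4096)
    for offset, kind, value in found:
        print(f"{offset:8d} {kind:5s} {value}")
    print(histogram(found, "email"))
```

Offsets are reported relative to the start of the image, which is what lets a hit be traced back to a sector and, with a file system parser, to the file or the unallocated region it came from.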
ACTIVITY – ANALYSE AN IMAGE USING AUTOPSY

• Kali Linux - Online in the Cloud (onworks.net)
• Open and browse to any image/file and download it.
• Open Applications -> Forensics -> click on Autopsy
• Click on the link http://localhost:9999/autopsy
• Create a new case
• Add the image (path or URL)
• Choose the partition and create a copy; you can confirm that Autopsy has copied the image correctly because the MD5 hash values of the source and of the copy are identical
• You can then perform further analysis
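The "hash values are identical" check at the end of the activity, and the forensically sound imaging that FTK Imager and Guymager perform, come down to the procedure below. This is an added example written for this lesson, not code from any of those tools: the source is copied bit for bit into a flat dd-style image, the MD5 and SHA-256 are taken from the bytes as they leave the source (so they describe the original evidence), a sidecar text file records them, and the image is then re-read from disk and compared. The "device" in `demo()` is a constructed 3 MiB file; on a real Linux system the source would be something like `/dev/sdb` behind a hardware write blocker, which this code does not replace.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-terabyte devices


def hash_file(path: str) -> dict:
    """Stream a file through MD5 and SHA-256 in one pass and return both hex digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def acquire_image(source: str, image: str) -> dict:
    """Bit-for-bit copy of `source` (a block device such as /dev/sdb, or a file) into a
    flat raw/dd image. The hashes are computed on the bytes as they are read from the
    source, so they describe the original evidence, not the copy. A sidecar
    `<image>.txt` records them, in the spirit of the log FTK Imager writes."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
            dst.write(block)
            size += len(block)
    acquired = {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "bytes": size}
    with open(image + ".txt", "w", encoding="ascii") as log:
        for key, value in acquired.items():
            log.write(f"{key}: {value}\n")
    return acquired


def verify_image(image: str, acquired: dict) -> bool:
    """Re-read the written image from disk and compare with the acquisition hashes:
    the check Autopsy and FTK Imager report as 'hash values are identical'."""
    on_disk = hash_file(image)
    return on_disk["md5"] == acquired["md5"] and on_disk["sha256"] == acquired["sha256"]


def demo() -> tuple:
    """Image a constructed 3 MiB 'device', verify it, corrupt one byte, verify again.
    Returns (verified_before, verified_after, bytes_acquired)."""
    with tempfile.TemporaryDirectory() as workdir:
        device = os.path.join(workdir, "sdb")          # stands in for /dev/sdb
        image = os.path.join(workdir, "sdb.dd")
        with open(device, "wb") as f:
            f.write(bytes(range(256)) * (3 * 4096))    # deterministic filler, 3 MiB
        acquired = acquire_image(device, image)
        verified_before = verify_image(image, acquired)
        # Flip one byte of the copy: a single-byte change anywhere must fail verification.
        with open(image, "r+b") as f:
            f.seek(1234)
            original = f.read(1)
            f.seek(1234)
            f.write(b"\x00" if original != b"\x00" else b"\x01")
        verified_after = verify_image(image, acquired)
    return verified_before, verified_after, acquired["bytes"]


if __name__ == "__main__":
    before, after, size = demo()
    print(f"acquired {size} bytes; verified={before}; after tampering verified={after}")
```

Record SHA-256 alongside MD5 rather than relying on MD5 alone: MD5 collisions can be manufactured, and a second hash makes a claim that the image was altered far easier to refute. Container formats such as E01 and AFF embed these hashes and add compression; a flat dd image keeps them only in the sidecar file, so the sidecar has to travel with the image.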
2. MEMORY FORENSICS
ABOUT MEMORY

• About RAM
• https://youtu.be/PVad0c2cljo

• Types of memory
• https://youtu.be/ygElbzv1S_w
TERMS / TECHNOLOGY USED IN MEMORY FORENSIC ANALYSIS

• Volatility
• Dump formats
• Profiles
• Kernel debug (KDBG) structures
• .raw files
• Hibernation system files
TERMS IN MEMORY FORENSICS

• .raw file: a file that contains an image of the system's physical memory. It is the output file produced by acquisition tools such as DumpIt, Win32dd or Memoryze.
• hiberfil.sys: the Windows hibernation file contains a compressed image of memory from the moment the system last hibernated. Windows uses it to resume quickly instead of performing a full boot, and because it is a memory image it can be converted and analysed like a memory dump.
Figure: creating a .raw dump file
TOOLS USED FOR MEMORY FORENSICS

1. Volatility
2. LiME
3. SIFT
1. VOLATILITY

• Volatility is an open-source framework for analysing memory dumps; Volatility Workbench is a graphical front end to it. Volatility works on a dump that has already been captured (for example with DumpIt or FTK Imager) and does not itself acquire memory.
• A dump contains the data that was resident in the system's physical memory at capture time: running processes, loaded drivers, open network connections and so on.
• If Volatility is used in conjunction with EnCase, a snapshot of live memory can be created and then analysed in EnCase (Schatz & Cohen, 2017).
2. LIME

• LiME (Linux Memory Extractor) is a Loadable Kernel Module (LKM) that allows acquisition of volatile memory from Linux and Linux-based systems such as Android.
• This makes LiME the first tool to support full memory capture on smartphone OSs such as Android (Schatz & Cohen, 2017).
• It also minimises interaction between user space and kernel space during acquisition, resulting in more forensically sound memory captures than most other Linux memory acquisition tools.
3. SIFT

• SIFT Workstation is a collection of open-source incident response and forensic tools that can be used to conduct comprehensive forensic investigations in a range of situations.
• It can be used alongside any existing incident response and forensic tool set. It is similar to Kali Linux, except that it is built specifically for forensics.
• SIFT is distributed as an Ubuntu-based virtual machine and can also be installed onto an existing Ubuntu system or on Windows via the Windows Subsystem for Linux (Karampidis & Papadourakis, 2017).
• SIFT supports processing of evidence in a variety of formats, such as AFF, E01 and raw (dd).
• SIFT supports the following file systems, among others: ext2 and ext3 for Linux, HFS for Mac, and MS-DOS, FAT, VFAT and NTFS for Windows.
LIVE MEMORY FORENSICS

What is live forensic acquisition?

Live acquisition refers to the acquisition of a machine that is still running; it can retrieve both static and dynamic (volatile) data (Forte 2008:13).
LIVE FORENSIC PROCESS
TOOLS USED IN LIVE MEMORY FORENSICS

• Belkasoft Live RAM Capturer
• FTK Imager
• Mandiant Memoryze
• DumpIt
1. BELKASOFT LIVE RAM CAPTURER

• Belkasoft Live RAM Capturer is a free volatile memory forensic tool that captures live RAM.
• It is equipped with 32-bit and 64-bit kernel drivers.
• The memory dump is stored with a .mem extension and can later be analysed with Belkasoft Evidence Center.
2. FTK IMAGER

• FTK Imager creates a bit-by-bit image, including unallocated space and slack space. It can capture live RAM, as shown in Figure 2, but it cannot analyse the captured memory dump.
• It stores the memory dump with a .mem extension, which can later be analysed using wxHexEditor or another tool.
3. MANDIANT MEMORYZE

• Mandiant Memoryze is free memory forensic software that helps incident responders find evil in live memory.
• It can acquire as well as analyse the captured memory.
• The tool can acquire all running processes, all drivers and the full system memory image, as demonstrated in Figure 4.
4. DUMPIT

• https://youtu.be/SEs4ZAolED0
• It is a very useful tool for those who want to capture the RAM of a suspicious machine or of one that is under observation.
• The tool can be stored on a pen drive and takes less than a minute to acquire the live RAM.
• When the pen drive is attached and DumpIt is executed on that computer, only a confirmation question (yes or no) is prompted, as shown in Figure 5, and a raw dump file (.raw) of the machine's live RAM is stored on the pen drive.
RECAP

• MEMORY FORENSICS
• VOLATILITY
• LIME
• SIFT
• LIVE MEMORY FORENSICS
• BELKASOFT LIVE RAM CAPTURER
• FTK IMAGER
• MANDIANT MEMORYZE
• DUMPIT
2. ACTIVITY TO EXTRACT LOGS OF A HOST

• Open a Kali terminal
• Type: p0f -i eth0 -p -o /root/Desktop/abc.log
• The parameter "-i" names the interface to listen on, "-p" puts that interface into promiscuous mode, and "-o" writes the fingerprinting results to the given file.
• Open the browser and type the IP of any host, for example 192.168.1.2
• p0f passively fingerprints the TCP handshake of that connection (no packets are sent to the target); open abc.log and you can see the OS of the host.
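The log that the activity produces is only useful once it is turned into a per-host view, so here is an added example, written for this lesson and not part of p0f, that parses it. The line layout is assumed from p0f v3's `[timestamp] key=value|key=value|...` format and every line in `SAMPLE_LOG` is constructed, not captured; the function names are mine. The point to notice is `subj`: each line describes one endpoint, and which address that is depends on whether p0f was looking at the client (the Kali box issuing the request) or the server (the 192.168.1.2 host from the activity).

```python
import re
from collections import defaultdict

# Assumed layout of a p0f v3 log line: "[timestamp] key=value|key=value|...".
# These lines are constructed for the example, not captured from a real run.
SAMPLE_LOG = """\
[2024/05/02 10:26:14] mod=syn|cli=192.168.1.10/51512|srv=192.168.1.2/80|subj=cli|os=Linux 3.11 and newer|dist=0|params=none|raw_sig=4:64+0:0:1460:mss*20,10:mss,sok,ts,nop,ws:df,id+:0
[2024/05/02 10:26:14] mod=syn+ack|cli=192.168.1.10/51512|srv=192.168.1.2/80|subj=srv|os=Windows 7 or 8|dist=0|params=none|raw_sig=4:128+0:0:1460:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0
[2024/05/02 10:26:15] mod=http request|cli=192.168.1.10/51512|srv=192.168.1.2/80|subj=cli|app=Firefox 10.x or newer|lang=English|params=none|raw_sig=1:Host,User-Agent,Accept,Accept-Language:Accept-Charset:Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0
[2024/05/02 10:26:16] mod=syn|cli=192.168.1.55/40112|srv=192.168.1.2/80|subj=cli|os=???|dist=0|params=none|raw_sig=4:64+0:0:1460:65535,7:mss,sok,ts,nop,ws:df,id+:0
not a p0f line at all
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<fields>.+)$")


def parse_line(line: str):
    """Split one log line into a dict of its key=value fields plus the timestamp as 'ts'.
    Values may contain '=' themselves, so each field is split only on the first one.
    Returns None for lines that are not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    record = {"ts": m.group("ts")}
    for field in m.group("fields").split("|"):
        key, sep, value = field.partition("=")
        if sep:
            record[key] = value
    return record


def subject_ip(record: dict) -> str:
    """Each line describes one endpoint: subj=cli means the client, subj=srv the server.
    The endpoint field is 'ip/port', so strip the port."""
    endpoint = record.get(record.get("subj", ""), "")
    return endpoint.rsplit("/", 1)[0]


def host_fingerprints(log_text: str) -> dict:
    """Fold the log into {ip: {"os": str or None, "apps": set}}. p0f prints os=??? when
    no signature matched; that is kept as None rather than reported as an OS."""
    hosts = defaultdict(lambda: {"os": None, "apps": set()})
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        ip = subject_ip(record)
        if not ip:
            continue
        entry = hosts[ip]
        os_guess = record.get("os")
        if os_guess and os_guess != "???":
            entry["os"] = os_guess
        if record.get("app"):
            entry["apps"].add(record["app"])
    return dict(hosts)


if __name__ == "__main__":
    for ip, info in sorted(host_fingerprints(SAMPLE_LOG).items()):
        print(f"{ip:15s} os={info['os'] or 'unknown':22s} apps={sorted(info['apps'])}")
```

Because the OS guess comes from the other side's handshake packet, a NAT device, a load balancer or a proxy in the path will be fingerprinted instead of the host you typed into the browser; treat the result as the OS of whatever answered the SYN, not necessarily of the machine that owns the address.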
