Flashcards on Email Forensics & Malware Forensics
Role of Email in Investigations
Scams and fraud attempts that use phishing or spoofing require investigators to examine and interpret the unique content of the emails involved.
Pharming
A technique where DNS poisoning redirects a user to a fake site.
Spam Act 2003
Prohibits sending unsolicited commercial electronic messages with an Australian link.
Roles of Client and Server in E-mail
Email is sent and received through a client/server architecture; clients and servers may run different operating systems and software, and protected accounts require a username and password.
E-mail client
Email client programs like Microsoft Outlook and Evolution.
E-mail server
Email server programs such as Exchange Server and Sendmail.
Email Header
The envelope of the email, containing the sender and receiver addresses, subject, time, delivery stamps, author, CC, and BCC.
Email Body
The main content of the email message.
Email Encoding
A protocol that translates emails, allowing different email programs to pass data.
Multipurpose Internet Mail Extensions (MIME)
A protocol that allows non-ASCII files (video, graphics, and audio) to be embedded in an email message.
Email Attachment
Extra items that supplement the body of an email.
SMTP (Port 25)
Simple Mail Transfer Protocol is a core Internet protocol used to transfer email from client to server and server to server.
POP3 (Port 110)
Post Office Protocol allows clients to retrieve stored email.
IMAP (Port 143)
Internet Message Access Protocol provides a means of managing e-mail messages on a remote server and retrieving stored e-mail.
Investigating E-mail Crimes and Violations
Investigators must find who is behind the crime, collect evidence, present findings, and build a case while knowing applicable privacy laws.
Tracing an Email
In email forensics, the process of finding out where an email came from.
Router Logs
Record all incoming and outgoing traffic and apply rules that allow or disallow it; they help resolve the path an email has taken.
Firewall Logs
Firewalls filter email traffic; their logs can be used to verify that an email passed through.
Email Server
Loaded with software using email protocols, maintains logs for investigations, and can recover deleted emails.
Microsoft Exchange Server
Uses a database based on the Microsoft Extensible Storage Engine (ESE) for email data.
Magnet AXIOM
Tool with 'Process' and 'Examine' modules for email forensics.
Recovering Outlook Files
Necessary to reconstruct .pst files and messages; the process also recovers deleted files.
Message Tracking Logs in Exchange
A setting in Exchange that records log files of e-mail traffic as messages travel between mailboxes within the organization.
Email Forensics Obstacles
Open relays, false 'received from' headers, open proxies, and SSH tunnels.
Malware
A type of software that cybercriminals use to harm computer systems or networks.
Malware Forensics
The objective is to identify collected malicious code and examine its behavior in a secure environment through static and run-time analysis.
Malware Forensic Artifacts
File system, email, cryptographic, registry, and log file anomalies.
System Baselining
A snapshot of the baseline state of the forensic workstation, taken before executing the malware.
Static Analysis
Involves examining the executable binary code without actually executing it, e.g., with IDA Pro.
Identifying file dependencies
Done with tools such as Dependency Walker or Snyk.
Indicators window
In Pestudio, a list of suspicious elements found when examining a PE file's metadata.
DLLs used to run and load programs
kernel32.dll, Wininet.dll, Advapi32.dll, User32.dll, WSock32.dll, Ntdll.dll.
Run-Time Analysis
Behavioral analysis: executing the malware code in a simulated environment.
Monitoring Network Activities
Scanning to check IP addresses, Open ports, DNS entries.
Registry Artifacts Analysis
Malware manipulates the registry so that it runs automatically.
System Behavior Analysis
Malware uses PEs (portable executables) to inject itself into processes.
Malware Initial Assessment
Examine malware's characteristics such as file name, hash value, file size, file type and strings.
Malware Concealment
The location where malicious code is placed. Can be in alternate data streams, binary padding, hidden files, memory or registry keys.
Sandboxing
A sandbox is an isolated environment for safe malware execution; it captures the malware's interactions (file access, registry changes, network traffic) to assist in analyzing and understanding its actions.
Malware Code Analysis
Use of hex editors, disassemblers, and debuggers to understand malware's functionality.
Malware Communication Analysis
Analyzing communication patterns of malware.
Incident Response
The process of identifying an incident, its cause, and the damage it has caused.
Incident Response steps
Preparation, identification, containment, eradication, recovery, and lessons learned.
Preparation Phase
Creating and maintaining incident response plan, assembling an incident response team, establishing communication protocols, and investing in necessary tools and training.
Identification Phase
Detecting and analyzing security events to determine whether they constitute an incident. Involves monitoring systems, reviewing logs, and using intrusion detection/prevention systems (IDS/IPS).
Containment Phase
Limiting the scope and impact of an incident to prevent further damage. Includes isolating affected systems, segmenting networks, and disabling compromised accounts.
Eradication Phase
Removing the root cause of the incident from the environment. This may involve patching vulnerabilities, removing malware, and reconfiguring systems.
Recovery Phase
Restoring systems and data to normal operation. This may involve restoring from backups, rebuilding systems, and verifying functionality.
Lessons Learned Phase
Reviewing the incident and the response to identify areas for improvement. Includes documenting the incident, analyzing the effectiveness of the response, and updating incident response plans and procedures.
SIEM Tools
Security Information and Event Management (SIEM) tools are used to collect and analyze security logs and events from various sources to identify and respond to incidents.
SOAR Platforms
Security Orchestration, Automation, and Response (SOAR) platforms automate incident response processes by integrating various security tools and technologies.
EDR Systems
Endpoint Detection and Response (EDR) systems monitor endpoint devices for suspicious activity and provide tools for incident investigation and response.
Network Forensics
Network Forensics is the process of capturing and analyzing network traffic to investigate security incidents and gather evidence.
Memory Forensics
Memory Forensics involves analyzing the contents of a computer's memory (RAM) to uncover malware, hidden processes, and other evidence of compromise.
Timeline Analysis
Timeline Analysis is the process of creating a chronological timeline of events to understand the sequence of actions that occurred during an incident.
Rootkit Analysis
Rootkit Analysis involves identifying and analyzing rootkits, which are malicious software tools designed to hide the presence of malware and provide unauthorized access to systems.
Data Loss Prevention (DLP)
Data Loss Prevention (DLP) tools monitor and prevent sensitive data from leaving the organization's control.
Vulnerability Scanning identifies