CYBR 4850/5850: Computer and Network Forensics Notes

Network Forensics Analysis 01: Network Traffic Analysis

  • Evidence Locations:
    • Packet capture files (.pcap, .pcapng, .cap, .dmp)
    • APIs for network traffic capture
    • Log data: switches, routers, firewalls, etc.
  • PCAP/PCAPNG Files:
    • .cap and .dmp are also used.
    • .pcapng is a successor to .pcap.
    • .pcapng: captures from multiple interfaces.
    • .pcapng: expanded metadata (statistics).
  • Logs can be found in:
    • Operating System Logs
      • Microsoft Windows Logs
        • Event Log Service and Event Viewer
        • Windows Eventing 6.0
      • Syslog
    • Application Logs
      • Proxy servers
      • Web servers
      • Database servers
      • Mail servers
      • DNS servers
      • VoIP servers
      • Authentication servers
  • Wireshark:
    • Free and open-source packet analyzer. Cross-platform.
    • Command line version: tshark.
    • Can parse hundreds of protocols
  • TCP/IP Stack Layers:
    • Application: HTTP, FTP, SMTP, DNS, SMB, NTP, etc.
    • Transport: TCP, UDP
    • Network: IP, BGP, RIP, ICMP
    • Data Link: Ethernet, 802.11, ARP
    • Physical: Cable, Radio spectrum
  • Packets:
    • Smallest data unit at the bottom of the layering system.
    • Contains data for transmission.
    • Control information for routing.
  • Layer 1 (The Wire):
    • Physical layer.
    • Describes the medium on which data flows.
  • Layer 2 (Ethernet):
    • Data Link layer.
    • Describes the Ethernet protocol.
    • Delivers packets on a local area network (LAN).
  • Layer 3 (IP):
    • Network layer.
    • Where the Internet Protocol (IP) resides.
    • Communicates with hosts: inside the LAN and outside (other subnets, Internet, via routers).
  • Layer 3 (ICMP):
    • Internet Control Message Protocol (ICMP): error reporting.
    • Host-to-host communication (OS use, not users).
    • No port numbers, no reliable delivery, and no packet ordering.
  • Layer 3 (ICMP) – Ping:
    • Echo-Request: used by ping.
    • Echo-Reply: response to Echo-Request.
    • Determines system status.
    • Determines packet latency.
  • Layer 4 (TCP, UDP):
    • Transport layer.
    • TCP: reliable transport, ordering, and retransmission.
    • UDP: unreliable transport.
      • Short request/response transactions, e.g., Domain Name System (DNS).
      • Data streaming.
      • Less overhead.
  • Layers 5-7 (HTTP, SSL, etc.):
    • Application layer.
    • Applications using TCP and UDP.
    • HTTP, SSL, DHCP, FTP, SSH, TLS/SSL, etc.
  • Optional Fields:
    • May be misused for data extraction/injection.
    • Packets should be inspected for such misuse.
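The section above lists the file formats and the layers that a capture has to be decoded through, but not what that decoding looks like. The following is an added example, not code from the course notes: a minimal classic-pcap reader that checks the magic number (including refusing a pcapng Section Header Block, whose layout differs), reads the 24-byte global header and 16-byte record headers, and then walks Ethernet, IPv4 and ICMP, verifying the ICMP checksum as a quick integrity check. The frame and the timestamps are constructed sample data, and the hypothetical `build_pcap` helper exists only to produce an in-memory file to parse.

```python
import struct
from datetime import datetime, timezone

# Magic numbers: classic pcap (microsecond and nanosecond variants) and the
# pcapng Section Header Block type that opens every pcapng file.
PCAP_MAGIC_USEC = 0xA1B2C3D4
PCAP_MAGIC_NSEC = 0xA1B23C4D
PCAPNG_SHB_TYPE = 0x0A0D0D0A
LINKTYPE_ETHERNET = 1
ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request", 11: "time-exceeded"}


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (used by IPv4 and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src="10.0.0.5", dst="10.0.0.1"):
    """Constructed Ethernet/IPv4/ICMP echo-request frame (sample data, not captured traffic)."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + b"\x08\x00"
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"forensics"     # type 8 = echo request
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return eth + ip + icmp


def build_pcap(frames, first_ts=1_700_000_000):
    """Little-endian classic pcap: 24-byte global header, then 16-byte record header + frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)) + frame
    return out


def decode_frame(frame):
    """Walk the layers the notes list: Ethernet (L2) -> IPv4 (L3) -> ICMP (L3 control)."""
    info = {"ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] != 0x0800:
        return info
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[14 + 9]
    info["ip_src"] = ".".join(map(str, frame[26:30]))
    info["ip_dst"] = ".".join(map(str, frame[30:34]))
    info["proto"] = {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, str(proto))
    l4 = frame[14 + ihl:]
    if proto == 1:
        info["icmp_type"] = ICMP_TYPES.get(l4[0], str(l4[0]))
        # Re-summing a valid ICMP message (checksum included) yields 0; anything else is damaged or crafted.
        info["icmp_checksum_ok"] = inet_checksum(l4) == 0
    return info


def parse_pcap(data):
    """Parse a classic pcap byte string; pcapng is refused because its block layout differs."""
    magic_le, magic_be = struct.unpack("<I", data[:4])[0], struct.unpack(">I", data[:4])[0]
    if magic_le == PCAPNG_SHB_TYPE:
        raise ValueError("pcapng file: block-based format, use a pcapng-aware parser")
    if magic_le in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian, magic = "<", magic_le
    elif magic_be in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian, magic = ">", magic_be
    else:
        raise ValueError("unknown magic 0x%08x" % magic_le)
    ts_div = 1_000_000_000 if magic == PCAP_MAGIC_NSEC else 1_000_000
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example decodes Ethernet captures only (linktype %d)" % linktype)
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        rec = {"time": datetime.fromtimestamp(ts_sec + ts_frac / ts_div, timezone.utc).isoformat(),
               "truncated": incl_len < orig_len}
        rec.update(decode_frame(frame))
        records.append(rec)
    return {"snaplen": snaplen, "records": records}
```

On a real capture the same reader is fed the bytes of the `.pcap` file; the `truncated` flag (captured length shorter than the original length) is worth reporting, because a snaplen-limited capture cannot be decoded fully above the headers.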

Log Analysis

  • Access Log:
    • Records client application and user access events to a resource.
    • Examples: web server, FTP command, database query logs.
  • Command-Line Tools:
    • cat: Reads files sequentially, writing them to standard output.
    • grep: Searches a file for a pattern and displays matching lines.
    • awk: Scripting language for pattern scanning and processing, data manipulation, and report generation.
      • Users can use variables, numeric functions, string functions, and logical operators.
      • Statements define text patterns to be searched for in each line of a document and the action to be taken when a match is found within a line.
      • Searches one or more files to see if they contain lines that match the specified patterns, then performs the associated actions.
    • sort: Sorts a file, arranging records in order. Default: ASCII. Can sort numerically with options.
    • uniq: Reports or filters out repeated lines in a file.
    • cut: Cuts parts of a line by byte, character, or field.
    • wc: Finds the number of lines, words, bytes, and characters in a file.
      • Displays four columns: lines, words, characters, and filename.

E-Mail Forensics

  • E-mail Forensics:
    • Host-based e-mail: Client and storage on the individual's computer.
    • E-mail servers: Servers receiving, sending, and storing e-mails.
    • Cloud-based e-mail: Services hosted on remote servers.
    • Mobile e-mail: Use of e-mail services on mobile devices.
  • What can we find?
    • Sender: E-mail address, IP address, contextual clues.
    • Time sent: Header data and time, mail server timestamps.
    • Origin: IP address, ISP, geo-location, mail server domain, message ID.
    • Relevant content: Message body, attachments, address book, calendar entries.

Internet Browser Forensics

  • Browser Forensics Overview
    • What websites did the user visit?
      • History
      • Cache
      • Cookies
      • Recovery Folders
      • Typed URLs
    • How many times was a site visited?
      • History
    • When was a site visited?
      • History
      • Cookies
      • Cache
      • Recovery Folders
    • What websites were saved by the user?
      • Bookmarks
    • Were any files downloaded?
      • Download Folder
      • Cache
    • Can we identify any usernames?
      • Cookies
      • Cache
      • Auto-Complete
      • Recovery Folders
    • What was the user searching for?
      • Auto-Complete
      • Cache
  • Chrome 101:
    • Artifacts format:
      • SQLite: a majority of artifacts
      • JSON: preferences, bookmarks, and loaded extensions
      • SNSS: session restore files
  • What is Epoch?
    • UNIX represents time as a number
    • It does so by counting the number of seconds since a special date in history
      • Special as in a preset date:
        • The date is Jan 1st 1970
    • UNIX uses 32-bits to represent time
      • The first bit is used for sign
        • 0 (positive) 1 (negative)
      • Remaining 31 bits are the actual data
      • 2^{31} - 1 = 2,147,483,647
  • Session Recovery
    • Comprises session or tab recovery
    • Uses SNSS (session saver) format
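The epoch slide above gives the 32-bit limit as 2^31 - 1; the Chrome slide before it notes that most Chrome artifacts are SQLite. The following added example (not from the course notes) turns Unix seconds into UTC dates, shows what the sign bit does to a raw 32-bit field, and goes one step beyond the notes with an assumption the notes do not state: Chrome's SQLite timestamps count microseconds since 1601-01-01 UTC (the "WebKit" epoch), so they need a different conversion. The `chrome_visit_times` helper and its two-table schema are a constructed minimal subset, not Chrome's full History database.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
MAX_SIGNED_32 = 2**31 - 1                 # 2,147,483,647, the limit computed in the notes
# Assumption beyond the notes: Chrome's SQLite artifacts store timestamps as microseconds
# since 1601-01-01 UTC (the "WebKit" epoch), not as Unix seconds.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
WEBKIT_TO_UNIX_SECONDS = 11_644_473_600   # seconds from 1601-01-01 to 1970-01-01


def unix_to_utc(seconds):
    """Seconds since the Unix epoch -> 'YYYY-MM-DD HH:MM:SS' in UTC (negative values allowed)."""
    return (UNIX_EPOCH + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S")


def fits_signed_32(seconds):
    """True if the value fits the 1 sign bit + 31 data bits described in the notes."""
    return -(2**31) <= seconds <= MAX_SIGNED_32


def as_signed_32(raw):
    """Reinterpret a raw 32-bit field: a set sign bit means the value is negative (pre-1970)."""
    raw &= 0xFFFFFFFF
    return raw - 2**32 if raw & 0x80000000 else raw


def webkit_to_utc(microseconds):
    return (WEBKIT_EPOCH + timedelta(microseconds=microseconds)).strftime("%Y-%m-%d %H:%M:%S")


def unix_to_webkit(seconds):
    return (seconds + WEBKIT_TO_UNIX_SECONDS) * 1_000_000


def chrome_visit_times(rows):
    """Assumed minimal subset of Chrome's History schema (urls.url, visits.visit_time),
    built in memory from constructed rows of (url, webkit_microseconds); returns (url, utc)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT)")
    con.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER)")
    for i, (url, ts) in enumerate(rows, start=1):
        con.execute("INSERT INTO urls VALUES (?, ?)", (i, url))
        con.execute("INSERT INTO visits VALUES (?, ?, ?)", (i, i, ts))
    query = "SELECT u.url, v.visit_time FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time"
    return [(url, webkit_to_utc(ts)) for url, ts in con.execute(query)]
```

The practical lesson is that a timestamp is meaningless without its epoch and unit: the same integer read as Unix seconds and as WebKit microseconds lands centuries apart, so every artifact type should be converted with the rule that applies to it.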

Windows Forensics - Overview

  • Evidence of…
    • User communications
    • File Download/Opening/Creation/Knowledge
    • Program Execution
    • Physical Location
    • USB Key Usage
    • Account Usage
    • Browser Usage
  • User Communications
    • Web-Based E-Mail
      • E-Mail
      • Calendar
    • Chat and IM
      • Chat/Webmail Memory Artifacts

Windows Forensics Analysis 01

  • Acquisition: Step-by-Step Overview
    • Begin → Image RAM → Check for Disk Encryption → Create Quick Triage Image → Image Entire Hard Drive → Triage Image → Analysis of Image
  • Step 1: Memory Acquisition
    • Why?
      • Massive amount of useful user-attributed data
      • Processes
      • Network connections
      • Open files
      • Registry keys
      • Devices
      • Configuration parameters
      • Encryption keys and passwords
  • Step 2: Check for Encryption
    • Before you power off anything → Is the hard drive encrypted?
    • Encrypted? → Live Logical Image
  • Step 3: Create Triage Image
    • What do we grab?
      • All registry hives and perhaps backup registry hives
      • SAM, SYSTEM, SOFTWARE, DEFAULT, NTUSER.DAT, USRCLASS.DAT
      • *.evtx (Event Log) and other log files
      • *.lnk files
      • *.pf (Prefetch File)
      • pagefile.sys
      • hiberfil.sys
      • The RECENT folder and sub folders
      • The user's "APPDATA" folder under their home directory: it contains the cache, history, cookie files, and more
  • Step 4: Image Entire Hard Disk
    • Makes disk-to-image copies of evidence drives
      • At logical partition and physical drive level
    • Can segment the image file
    • Evidence drive must have a hardware write-blocking device
      • Or run from a Live CD, such as Kali Linux
    • Formats: Robocopy, dd, AFF, etc.
  • Step 4: Image Entire Hard Disk
    • Validating Data Acquisition
      • Validating evidence may be the most critical aspect of computer forensics
      • Requires using a hashing algorithm utility
    • Validation techniques
      • CRC-32, MD5, and SHA-1 to SHA-512
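The validation slide names the algorithms but not the procedure, and the imaging slide notes that images may be segmented. The following added example (not from the course notes) streams an image through MD5, SHA-1, SHA-256 and CRC-32 in one pass, treats an ordered list of segment files as a single stream so a split image can be verified against the hash recorded at acquisition, and reports per-algorithm matches. The `demo` function writes a constructed 1 MiB "image" as two segments into a temporary directory; the data and the segment names are sample values.

```python
import hashlib
import os
import tempfile
import zlib

CHUNK = 1 << 20  # 1 MiB reads keep memory flat for multi-GB images


def hash_chunks(chunks, algorithms=("md5", "sha1", "sha256")):
    """Feed every chunk to all hashers at once; returns hex digests plus CRC-32."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    crc = 0
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
        crc = zlib.crc32(chunk, crc)
    digests = {name: h.hexdigest() for name, h in hashers.items()}
    digests["crc32"] = "%08x" % (crc & 0xFFFFFFFF)
    return digests


def iter_file_chunks(paths):
    """Yield the bytes of segment files in order, so a split image hashes as one stream."""
    for path in paths:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(CHUNK), b""):
                yield chunk


def hash_image(segment_paths, **kw):
    return hash_chunks(iter_file_chunks(segment_paths), **kw)


def verify_image(segment_paths, expected):
    """Compare computed digests with the acquisition-time values ({algorithm: hex}) per algorithm."""
    actual = hash_image(segment_paths, algorithms=tuple(a for a in expected if a != "crc32"))
    return {alg: actual[alg].lower() == value.lower() for alg, value in expected.items()}


def demo():
    """Write a constructed 'image' as two segments into a temp dir and validate it."""
    with tempfile.TemporaryDirectory() as d:
        whole = bytes(range(256)) * 4096            # 1 MiB of constructed data
        seg1, seg2 = os.path.join(d, "disk.001"), os.path.join(d, "disk.002")
        with open(seg1, "wb") as f:
            f.write(whole[:700_000])
        with open(seg2, "wb") as f:
            f.write(whole[700_000:])
        expected = hash_chunks([whole])              # digests recorded at acquisition time
        return verify_image([seg1, seg2], expected)
```

Hashing the concatenated stream rather than each segment separately is what makes the result comparable with the hash of the original device; a per-segment hash list is still useful for locating which segment was damaged when the overall check fails.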
  • Image Mounting
    • Mount read-only as drive or physical device
    • Mount types:
      • RAW/DD, E01, S01, AD1, and L01 images
  • Benefits to Mounting Images
    • Interact with files with their native or associated application
    • Run anti-virus and malware detection applications
    • Share with remote computers
    • Copy files out of image
  • SSD Wear Leveling and Trimming
    • Wear Leveling
      • SSD storage only good for a certain number of writes
      • Problem? Loss of integrity
      • The problem of loss of integrity arises when the limited number of write cycles in an SSD is reached.
      • It can be difficult to reconstruct the exact history of data writes and erases, potentially complicating forensic analysis.
    • Trimming
      • Trimming is a process used by SSDs to proactively clear data that has been marked for deletion.
      • Problem? Data (Evidence) loss
      • Automatically zeroing out unallocated areas can permanently erase potential evidence or data that forensic analysts may need to recover.
  • Internal File Metadata
    • Parsing Metadata in Files
      • Tool needed to pull metadata from these data formats easily and quickly
        • e.g., Exiftool
  • PhotoRec: Data Carving Tool
    • Data Layer Carving Utility
      • Extracts artifacts from:
        • Hard drives
        • Mounted images
        • Image files

Windows Registry Forensics

  • Windows Registry Structure
    • Collection of data files called HIVES
    • Hives contain (sub)keys and values
      • Keys – folders
      • Sub keys – sub folders
      • Values – data stored in keys
    • Contains info for:
      • Hardware
      • Software
      • User settings
      • System configuration
  • Registry Hives
    • Collection of data files called hives
    • When viewed in a registry viewer, hive names are used
    • Registry Hive
      • HKEY_LOCAL_MACHINE\SAM
        • Nickname: HKLM\SAM
        • File: SAM
      • HKEY_LOCAL_MACHINE\Security
        • Nickname: HKLM\Security
        • File: SECURITY
      • HKEY_LOCAL_MACHINE\System
        • Nickname: HKLM\System
        • File: SYSTEM
      • HKEY_LOCAL_MACHINE\Software
        • Nickname: HKLM\Software
        • File: SOFTWARE
      • HKEY_USERS or HKEY_CURRENT_USER
        • Nickname: HKCU
        • File: NTUSER.DAT
  • Registry Viewing
    • Online via regedit.exe
    • Offline via Registry Explorer, Yaru, cafae, etc.
  • Analyzing the Registry
    • User/Group Analysis (SAM hive)
      • When a user last logged in, number of times logged in, and user’s RID
    • User Activity Analysis (NTUSER.DAT)
      • Specific things the user was doing on the system
      • Recent opened documents, last programs executed, the commands typed into the machine, etc.
    • System/Software Analysis (SYSTEM and SOFTWARE hives)
      • System configuration analysis
      • The way a computer system is set up, the networks it has connected to, time zone, etc.
  • SAM: Profiling Users/Groups
    • Username
    • Relative Identifier (RID)
    • User Login Information
      • Last Login
      • Last Failed Login
      • Logon Count (not incremented if using an MS live account to log in)
    • Password Policy
    • Account Creation Time
    • Group Information
      • Administrators
      • Users
      • Remote Desktop Users
  • Collecting User Activity
    • Analyze the NTUSER.DAT hive
      • Search history
      • Typed paths
      • Recently opened files
      • File download
      • Program execution
      • File opening/creation
      • File knowledge
      • USB key usage
      • Windows XP, Vista/7, and 8/10
  • System/Software Analysis (SYSTEM and SOFTWARE HIVES)
    • Identify OS
    • Computer Name
    • Time zone information
    • Last Access time
    • Networks Connected to
    • Network shares
    • System Boot Autostart Programs

Shell Item Analysis

  • LNK Files
    • A ‘.lnk’ file in Windows is a shortcut file that serves as a link to:
      • Original file
      • Folder
      • Application
      • Specific data object
    • They contain information on how to find the linked item, including:
      • Its file path
      • The drive on which it's stored
      • Sometimes a specific location within a file (like a bookmark)
  • Layout of an LNK file
    • Header
      • CLSID: A Class Identifier (CLSID) is a globally unique identifier (GUID) that identifies the file as a shortcut.
        • A GUID is a 128-bit value used to uniquely identify something, like a user, object, file, or record in software applications.
      • Attributes: Shortcut behavior, like whether it points to a file or directory.
      • Timestamps: When the shortcut was last Modified, Accessed, or Created (MAC).
      • Size: The total size of the .lnk file.
    • Target PIDL
      • Shell path: The PIDL (Pointer to an Item ID List) specifies the target of the shortcut within the shell namespace, which can be a file, directory, or a virtual folder.
      • Why use PIDL instead of file path?
        • PIDL helps locate the target even if the file is renamed or moved.
  • Layout of an LNK file – Cont'd
    • Link Info
      • Volume ID: Information about the volume that the target is located on, such as the volume label and serial number.
      • Share path: If the target is on a network share, this path identifies the network location.
      • Device name/letter: For local files, this could be the drive letter where the target is located.
    • String Data
      • Name String: The display name of the shortcut as it appears in the Windows UI.
      • Relative Path: A path relative to the .lnk file itself that leads to the target, e.g., .\Docs\report.docx or just Docs\report.docx
      • Working Directory: The directory that the target application starts in.
      • Command-line arguments: Any command-line arguments that should be supplied when the target is executed.
      • Icon location: The path to the file that contains the icon used for the shortcut.
  • Layout of an LNK file – Cont'd
    • Extra Data
      • Console info: Specific settings for console applications, like color, font size, and screen buffer size.
      • Code page: The character encoding used for the strings in the .lnk file.
      • Environment variables: Any environment variables required by the application when it starts.
  • JumpLists
    • Right-click one of the applications in the Windows taskbar
    • Allow users to “Jump” to frequently or recently opened files
    • Enabled by default
    • Control Panel → Taskbar and navigation → Start → “Show recently opened items in Jump Lists on Start or the taskbar”
  • ShellBags
    • Store information about folder views and positions, as well as the sizes and views of windows.
    • The Shellbag information is available only for folders that have been opened and closed in Windows Explorer at least once
    • The existence of a Shellbag subkey for a given directory indicates the specific user account once visited that folder
    • It is extremely useful because it can help us track a user through seeing which folders they have recently utilized
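The LNK slides above describe the header fields (CLSID, attributes, MAC timestamps, size), the flags that say which optional sections follow, and the String Data block. The following added example (not from the course notes) parses exactly those parts of a shell link: it validates HeaderSize and the shortcut CLSID, decodes the link flags and file attributes, converts the three FILETIME values (100-nanosecond ticks since 1601-01-01 UTC), skips the LinkTargetIDList and LinkInfo sections by their own size fields, and reads the String Data entries in their fixed order. `build_sample_lnk` is a hypothetical helper that constructs a minimal .lnk in memory using the relative-path example from the slide; the ANSI code page used for non-Unicode strings is an assumption.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}
FILE_ATTRIBUTES = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}
# StringData blocks appear in this fixed order, each only if its flag is set
STRING_DATA = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location")]


def filetime_to_iso(ft):
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) -> ISO string; 0 means 'not set'."""
    return None if ft == 0 else (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()


def parse_lnk(data):
    """Parse the ShellLinkHeader and StringData of a .lnk; IDList and LinkInfo are skipped by size."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file shorter than a shell link header")
    fields = struct.unpack_from("<I16sIIQQQIiIH", data, 0)
    size, clsid, flags, attrs, ctime, atime, wtime, fsize, icon_idx, show_cmd, hotkey = fields
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Windows shell link (bad HeaderSize or LinkCLSID)")
    off = LNK_HEADER_SIZE
    if flags & 0x01:                                    # LinkTargetIDList: uint16 IDListSize + list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:                                    # LinkInfo: its first uint32 is the total size
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        if flags & 0x80:                                 # IsUnicode -> UTF-16LE
            strings[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:                                            # assumption: ANSI strings are cp1252
            strings[name] = data[off:off + count].decode("cp1252")
            off += count
    return {
        "flags": [n for b, n in LINK_FLAGS.items() if flags & b],
        "attributes": [n for b, n in FILE_ATTRIBUTES.items() if attrs & b],
        "created": filetime_to_iso(ctime), "accessed": filetime_to_iso(atime),
        "modified": filetime_to_iso(wtime), "target_size": fsize,
        "show_command": show_cmd, **strings,
    }


def build_sample_lnk():
    """Constructed .lnk bytes: header + RelativePath/WorkingDir strings, no IDList or LinkInfo."""
    ft_2020 = 132_223_104_000_000_000                    # FILETIME for 2020-01-01T00:00:00Z
    flags = 0x08 | 0x10 | 0x80                           # HasRelativePath | HasWorkingDir | IsUnicode
    header = struct.pack("<I16sIIQQQIiIH", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         ft_2020, ft_2020 + 864_000_000_000, ft_2020, 18_432, 0, 1, 0)
    header += b"\x00" * 10                               # Reserved1/2/3
    body = b""
    for s in (r".\Docs\report.docx", r"C:\Users\alice"):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body
```

The timestamps in the header belong to the target at the time the shortcut was created or updated, which is why a .lnk can testify that a file existed at a given path and size even after the file itself is gone.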

Analyzing USB Devices

  • Purpose of USB Device Forensics
    • USB Information:
      • Types of USB devices (printer, camera, etc.)
      • Vendor/Make/Version
      • Unique serial number
    • User information and activity with a USB device:
      • Find a user that used the specific USB device
      • Determine device’s drive letter and volume name
      • Determine first/last time device connected
  • USB MSC Device Forensics
    1. Write down vendor, product, and version information
    2. Write down a serial number
    3. Determine VendorID (VID) and ProductID (PID)
    4. Determine device’s drive letter
    5. Determine volume name device mapped to
    6. Find user that used the specific USB device
    7. Determine last time device connected

Steganography

  • Steganography hides information inside image files
  • Steganalysis - term for detecting and analyzing steganography files
  • Two major forms of steganography: insertion and substitution
    • Insertion
      • Hidden data is not displayed when viewing host file in its associated program
      • You need to analyze the data structure carefully
      • Example: Web page
    • Substitution
      • Replaces bits of the host file with other bits of data
      • Usually changes the last two least significant bits (LSBs) of each sample
      • Detected with steganalysis tools (a.k.a. steg tools)
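The substitution form described above is easiest to understand by doing it on a byte array. The following added example (not from the course notes) replaces the two least significant bits of each cover sample with payload bits, recovers the payload again, and reports two numbers a steganalyst cares about: the largest change to any sample (at most 3 out of 255 with two LSBs, which is why the picture looks unchanged) and the share of samples that changed at all. The 16-bit length prefix is a convention chosen for this example, and the gradient cover stands in for image pixels; both are constructed.

```python
def _payload_bits(data):
    """Yield the bits of a byte string, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(cover, payload, bits=2):
    """Substitution steganography: overwrite the `bits` least significant bits of each cover
    sample with payload bits. A 16-bit length prefix tells the extractor where to stop."""
    if bits not in (1, 2, 4):
        raise ValueError("bits per sample must be 1, 2 or 4")
    message = len(payload).to_bytes(2, "big") + payload
    if len(message) * 8 > len(cover) * bits:
        raise ValueError("payload exceeds cover capacity")
    mask = (1 << bits) - 1
    stego = bytearray(cover)
    bit_iter = _payload_bits(message)
    for i in range(len(message) * 8 // bits):
        chunk = 0
        for _ in range(bits):
            chunk = (chunk << 1) | next(bit_iter)
        stego[i] = (stego[i] & ~mask & 0xFF) | chunk   # keep high bits, replace low bits
    return bytes(stego)


def extract_lsb(stego, bits=2):
    """Reassemble bytes from the LSB plane; reads the length prefix first."""
    mask = (1 << bits) - 1

    def read_bytes(count, sample):
        out, acc, nbits = bytearray(), 0, 0
        while len(out) < count:
            acc = (acc << bits) | (stego[sample] & mask)
            nbits += bits
            sample += 1
            if nbits == 8:
                out.append(acc)
                acc, nbits = 0, 0
        return bytes(out), sample

    header, pos = read_bytes(2, 0)
    payload, _ = read_bytes(int.from_bytes(header, "big"), pos)
    return payload


def max_sample_delta(cover, stego):
    """Largest per-sample change; with two LSBs it is at most 3 of 255, invisible to the eye."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def changed_fraction(cover, stego):
    """Steganalysis hint: the share of samples whose value changed at all."""
    return sum(a != b for a, b in zip(cover, stego)) / len(cover)


COVER = bytes(range(256)) * 8    # constructed 2048-sample gradient standing in for image pixels
```

Because only the low bits move, comparing a suspect file against a known-clean original (when one exists) is a strong check: a nonzero `changed_fraction` concentrated in the LSB plane, with every delta at or below 3, is the fingerprint of this technique.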

Linux and Macintosh File Systems

  • EXT3
    • ext3 is an enhanced extension of ext2
    • Other popular file system replacements to ext2:
      • e.g., ext4, Btrfs, XFS, ReiserFS
      • These have significant improvements in performance and stability over ext2
  • XFS
    • Originally developed for IRIX OS (discontinued)
    • IRIX OS was developed by Silicon Graphics
    • It was later ported to the Linux kernel
    • Default file system by several Linux distros (RHEL, CentOS)
  • Macintosh File Structures
    • With OS X, Macintosh moved to the Intel processor and became UNIX-based
    • Before OS X, Hierarchical File System (HFS)
      • Files stored in nested directories (folders)
    • Extended Format File System (HFS+)
      • Introduced with Mac OS 8.1
      • Supports smaller file sizes on larger volumes, resulting in more efficient disk use
    • Apple File System (APFS)
      • Introduced in macOS High Sierra
      • When data is written to a device, metadata is also copied to help with crash protection
  • Forensics Procedures in Mac
    • There are some differences between Linux and macOS file systems
      • Linux has the /home/username and /root directories
      • In macOS, the folders are /Users/username and /private/var/root
      • The /home directory exists in the macOS but it is empty
      • macOS users have limited access to other user accounts’ files and the guest account is disabled
  • Forensics Procedures in Mac
    • Keychains
      • Files used to manage passwords for applications, Web sites, and other system files
      • The Mac application Keychain Access enables you to restore passwords
    • Deleted files are in the Trashes folder
      • If a file is deleted at the command line, however, it doesn’t show up in the trash

Cryptanalysis and Attacking Passwords

  • Cryptanalysis
    • The process of deciphering coded messages without the key
      • Attack exploits the characteristics of the algorithm
      • It attempts to deduce a specific plaintext, or the key being used
  • Attacking Passwords
    • Offline dictionary attacks:
      • Dictionary: A set of passwords that are commonly chosen
      • Attacker computes hash h(password) for every password in the dictionary (rainbow table)
      • The attacker then checks to see if the result is in the password file
      • Password file is sometimes available to the attacker
      • If there is a match, the attacker finds the corresponding user account and ends up with both username and password
  • Attacking Passwords
    • Online dictionary attacks:
      • The attacker supplies a guess to the authentication function
      • If the guess is correct, then the attacker has found the password
      • Trial and error
      • Unlike offline dictionary attacks, this attack cannot be prevented. Why?
      • Because the authentication functions must be available to enable legitimate users to access the system
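The offline-attack slide above describes precomputing h(password) over a dictionary and matching the results against a stolen password file. The following added example (not from the course notes) runs that procedure against a constructed unsalted file, then shows the standard mitigation: a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library), which makes the precomputed table useless and forces per-user recomputation. The wordlist, accounts and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed wordlist and constructed user accounts; neither is real data.
DICTIONARY = ["password", "letmein", "qwerty", "summer2024"]
USERS = {"alice": "letmein", "bob": "correct horse battery staple"}


def unsalted_password_file(users):
    """Legacy layout: the stored value is h(password) with no per-user salt."""
    return {user: hashlib.sha256(pw.encode()).hexdigest() for user, pw in users.items()}


def precomputed_table(dictionary):
    """The attacker's one-off work: hash every dictionary word once, indexed by hash."""
    return {hashlib.sha256(word.encode()).hexdigest(): word for word in dictionary}


def offline_dictionary_attack(password_file, table):
    """Look every stored hash up in the table; a hit yields username and password together."""
    return {user: table[h] for user, h in password_file.items() if h in table}


def salted_password_file(users, iterations=100_000):
    """Mitigation: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    out = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        out[user] = (salt.hex(), iterations, dk.hex())
    return out


def verify_salted(record, candidate):
    """Server-side check: re-derive with the stored salt and compare in constant time."""
    salt_hex, iterations, dk_hex = record
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)


def lookup_against_salted(salted_file, table):
    """The same precomputed table finds nothing here: no stored value equals h(word)."""
    return {user: table[rec[2]] for user, rec in salted_file.items() if rec[2] in table}
```

Salting does not stop an attacker from trying the dictionary against one account, but it removes the shared table that made the attack cheap across many accounts, and the iteration count sets the price of each guess.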

Data Acquisition

  • Understanding Storage Formats for Digital Evidence
    • Data in a forensics acquisition tool is stored as an image file
    • Three formats
      • Raw format
      • Proprietary formats
      • Advanced Forensics Format (AFF)
  • Raw Format
    • Makes it possible to write bit-stream data to files
    • Advantages
      • Fast data transfers
      • Ignores minor data read errors on source drive
      • Most computer forensics tools can read raw format
    • Disadvantages
      • Requires as much storage as original disk or data
  • Proprietary Formats
    • Most forensics tools have their own formats
    • Features offered
      • Option to compress or not compress image files
      • Can split an image into smaller segmented files
      • Can integrate metadata into the image file
    • Disadvantages
      • Inability to share an image between different tools
      • The Expert Witness Compression format is an unofficial standard
  • Advanced Forensics Format
    • Developed by Dr. Simson L. Garfinkel as an open-source acquisition format
    • Design goals
      • Provide compressed or uncompressed image files
      • No size restriction for disk-to-image files
      • Provide space in the image file or segmented files for metadata
      • Simple design with extensibility
      • Open source for multiple platforms and OSes
      • Internal consistency checks for self-authentication
    • File extensions include .afd for segmented image files and .afm for AFF metadata
    • AFF is open source
  • Determining the Best Acquisition Method
    • Types of acquisitions
      • Static (Dead) acquisitions and live acquisitions
    • Four methods of data collection
      • Creating a disk-to-image file
      • Creating a disk-to-disk
      • Creating a logical disk-to-disk or disk-to-data file
      • Creating a sparse data copy of a file or folder
    • Determining the best method depends on the circumstances of the investigation
  • Mini-WinFE Boot CDs and USB Drives
    • Mini-WinFE
      • Enables you to build a Windows forensic boot CD/DVD or USB drive so that connected drives are mounted as read-only
  • Acquiring Data with a Linux Boot CD
    • Linux can access a drive that isn’t mounted
    • Windows OSs and newer Linux automatically mount and access a drive
    • Forensic Linux Live CDs don’t access media automatically
      • Which eliminates the need for a write-blocker
  • Using Remote Network Acquisition Tools
    • You can remotely connect to a suspect computer via a network connection and copy data from it
    • Remote acquisition tools vary in configurations and capabilities
    • Drawbacks
      • Antivirus, antispyware, and firewall tools can be configured to ignore remote access programs
      • Suspects could easily install their own security tools that trigger an alarm to notify them of remote access intrusions

Regular Expressions

  • Relevance of Regular Expressions in Computer Network Forensics
    • Regular expressions (regex) are powerful tools for searching, matching, and manipulating text.
    • Uses:
      • Pattern Matching:
        • Network forensics involves analyzing logs and network packets to look for patterns that might indicate malicious activity.
        • Regex can match complex patterns that go beyond simple fixed strings, making it possible to detect signatures of known attacks, unusual activity, or policy violations.
  • Relevance of Regular Expressions in Computer Network Forensics
    • Uses (cont’d.):
      • Log File Analysis:
        • Logs from servers, firewalls, and other network devices often contain vast amounts of data.
        • Regex can be used to filter and extract relevant information from these logs quickly, such as IP addresses, timestamps, URLs, error codes, and specific log messages.
      • Data Extraction:
        • Regex can help identify and extract sensitive information such as credit card numbers, email addresses, or personal identification numbers from large datasets.
  • Relevance of Regular Expressions in Computer Network Forensics
    • Uses (cont’d.):
      • Automation:
        • Forensic analysis often requires the examination of the same patterns across different datasets.
        • Regex can be incorporated into scripts to automate these tasks, reducing the chance of human error and increasing the speed of analysis.
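The regex slides above (pattern matching, log file analysis, data extraction, automation) and the earlier Log Analysis section (grep, awk, cut, sort, uniq, wc over access logs) describe the same workflow from two sides. The following added example (not from the course notes) covers both: a regex that splits Common Log Format lines into fields the way `cut`/`awk` would, a per-client count equivalent to `sort | uniq -c`, two detection rules (repeated 401s on a login resource, and a `..` path segment as a traversal signature), and an e-mail address extractor for the data-extraction use case. The log lines are constructed sample data, including one corrupt line to show that unparseable input is counted rather than silently dropped.

```python
import re
from collections import Counter

# Constructed Common Log Format lines (not real traffic), including one corrupt line.
SAMPLE_LOG = """\
10.0.0.7 - - [12/Mar/2024:09:15:01 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.7 - - [12/Mar/2024:09:15:02 +0000] "GET /images/logo.png HTTP/1.1" 200 882
203.0.113.9 - - [12/Mar/2024:09:16:10 +0000] "POST /login HTTP/1.1" 401 311
203.0.113.9 - - [12/Mar/2024:09:16:11 +0000] "POST /login HTTP/1.1" 401 311
203.0.113.9 - - [12/Mar/2024:09:16:12 +0000] "POST /login HTTP/1.1" 401 311
203.0.113.9 - - [12/Mar/2024:09:16:13 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.4 - - [12/Mar/2024:09:20:00 +0000] "GET /../../etc/passwd HTTP/1.1" 404 209
garbage line that does not match the format
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ (?P<user>\S+) '
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
EMAIL = re.compile(r'\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b')


def parse_access_log(text):
    """Like `grep` with capture groups: keep matching lines as dicts, count the rest."""
    records, skipped = [], 0
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            skipped += 1
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records, skipped


def top_clients(records, n=3):
    """Equivalent of `cut -d' ' -f1 | sort | uniq -c | sort -rn | head -n N`."""
    return Counter(r["ip"] for r in records).most_common(n)


def failed_logins_by_ip(records, path="/login", threshold=3):
    """Flag IPs with at least `threshold` 401s on the login resource (password-guessing indicator)."""
    fails = Counter(r["ip"] for r in records if r["path"] == path and r["status"] == 401)
    return {ip: n for ip, n in fails.items() if n >= threshold}


def traversal_attempts(records):
    """Directory-traversal signature: a '..' path segment anywhere in the request path."""
    return [(r["ip"], r["path"]) for r in records if re.search(r'(?:^|/)\.\.(?:/|$)', r["path"])]


def extract_emails(text):
    """Data-extraction use case from the notes: pull addresses out of arbitrary text."""
    return EMAIL.findall(text)
```

Anchoring the pattern with `^` and `$` and naming every group is what keeps the parser honest: a line that does not fit the format is reported in `skipped` instead of contributing half-parsed fields to the counts.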