Step 3: Analysis & Examination of Evidence
Examination. The next step is to examine the digital evidence. This may involve using specialized software to view and analyze the data. The examiner may also look for specific artifacts or indicators that can be used to piece together the events that occurred.
1. Analysis tools
Digital forensic analysis tools are software programs designed to aid digital forensic investigations by acquiring, preserving, analyzing, and presenting digital evidence. Some popular digital forensic analysis tools include:
AccessData FTK: This tool is designed for digital investigations and can acquire and analyze data from a wide range of digital devices and sources. It also includes advanced search and analysis features.
Autopsy: This open-source tool (the GUI front end for The Sleuth Kit) can be used for digital investigations and can analyze data from a variety of sources, including hard drives, mobile devices, and cloud storage.
Oxygen Forensic Detective: This tool is designed for mobile device forensics and can acquire and analyze data from a wide range of mobile devices. It also includes advanced analysis and reporting features.
Magnet AXIOM (Magnet Forensics): This tool is designed for digital investigations and can acquire and analyze data from a variety of sources. It also includes advanced search and analysis features.
AccessData FTK
We can add a VMware disk image (VMDK) as evidence and mount it. In the evidence tree the root shows the actual file system; Unallocated space holds sectors the file system has freed (and therefore remnants of deleted files that have not yet been overwritten); Orphan holds deleted files whose parent directory entry has itself been deleted or overwritten, so they can no longer be placed in the tree.
Autopsy
We can use the Linux version (available in Kali) or the Windows installer: Autopsy - Download
Androguard (reference: Getting Started — Androguard 3.4.0 documentation)
Either install from the repository:
· git clone https://github.com/androguard/androguard.git
· cd androguard
· pip install -r requirements.txt
· sudo apt install graphviz
Or install the release into a virtualenv:
· virtualenv venv-androguard
· source venv-androguard/bin/activate
· pip install -U androguard[magic,GUI]
Home · androguard/androguard Wiki · GitHub
- To start analysis (with a pip install the same entry point is `androguard analyze`):
$ cd androguard/
$ python cli.py analyze /home/sansforensics/Desktop/cases/Vst7.1.8rd_git_1.apk
- This drops into an IPython shell with the APK already loaded as a (the APK object), d (the DEX objects) and dx (the Analysis object). Useful calls:
- In [2]: a.get_permissions()                    # permissions requested in the manifest
- In [3]: a.get_activities()                     # declared activities
- In [4]: a.get_package()                        # package name
- In [7]: a.get_androidversion_code()            # versionCode from the manifest
- In [15]: a.get_android_manifest_axml().get_xml()   # decoded AndroidManifest.xml as text
- In [2]: dx.get_classes()                       # all classes found in the DEX files
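Before loading an APK into Androguard, a stdlib-only inventory of the archive is a useful first pass, because an APK is just a ZIP file. The following is an added example written for these notes, not Androguard code and not from the original page; the APK it builds is a constructed stand-in, and the checks it applies (DEX magic, entries that escape the archive root, duplicate entry names, presence of a v1 signature block) are my own choices that go beyond the single APK named above.

```python
"""Stdlib-only triage of an APK: hash it, inventory it, flag tampering patterns."""
from __future__ import annotations

import hashlib
import io
import zipfile
from collections import Counter

DEX_MAGIC = b"dex\n"
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC")


def build_sample_apk(tampered: bool = False) -> bytes:
    """Return a constructed APK-shaped ZIP as sample input (not a real app).

    With tampered=True it also carries an entry whose name escapes the archive
    root and a third DEX whose header is not a DEX header.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 28)  # AXML header only
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 64)
        z.writestr("classes2.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 64)
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 32)
        z.writestr("assets/config.bin", b"\x00" * 16)
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82" + b"\x00" * 16)
        if tampered:
            z.writestr("../escape.txt", b"written outside the apk root on naive extraction")
            z.writestr("classes3.dex", b"not a dex at all")
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_apk(apk_bytes: bytes) -> dict:
    """Inventory an APK and return facts plus a list of warnings worth a closer look."""
    report = {
        "sha256": sha256_hex(apk_bytes),  # record before anything else touches the file
        "has_manifest": False,
        "dex_files": [],
        "native_libs": {},
        "signature_files": [],
        "warnings": [],
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        for name, count in Counter(names).items():
            if count > 1:  # duplicate entries: which copy wins depends on the extractor
                report["warnings"].append(f"duplicate entry: {name}")
        for name in names:
            if name.startswith("/") or ".." in name.split("/"):
                report["warnings"].append(f"entry escapes archive root: {name}")
            if name == "AndroidManifest.xml":
                report["has_manifest"] = True
            elif name.endswith(".dex") and "/" not in name:
                report["dex_files"].append(name)
                with z.open(name) as f:
                    if f.read(4) != DEX_MAGIC:
                        report["warnings"].append(f"bad DEX magic: {name}")
            elif name.startswith("lib/") and name.endswith(".so"):
                abi = name.split("/")[1]  # lib/<abi>/<name>.so
                report["native_libs"].setdefault(abi, []).append(name)
            elif name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES):
                report["signature_files"].append(name)
    if not report["has_manifest"]:
        report["warnings"].append("no AndroidManifest.xml")
    if not report["signature_files"]:
        report["warnings"].append("no v1 signature block in META-INF (may be v2/v3 only; check with apksigner)")
    report["dex_files"].sort()
    return report


if __name__ == "__main__":
    for label, apk in (("clean", build_sample_apk()), ("tampered", build_sample_apk(tampered=True))):
        print(label, triage_apk(apk))
```

The hash is taken first so the report can be tied to the exhibit; Androguard is then the right tool for the manifest, permissions and code, which this pass deliberately does not parse.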
2. Registry Analysis (reference: Intro to Windows Forensics: Windows Registry Artifacts - TryHackMe Walkthrough - YouTube)
2.1 Download Registry Explorer (Eric Zimmerman) https://www.sans.org/tools/registry-explorer/
2.2 RegRipper
2.3 Autopsy
2.4 FTK
HKEY_CURRENT_USER
Contains the root of the configuration information for the user who is currently logged on. The user's folders, screen colors, and Control Panel settings are stored here. This information is associated with the user's profile. This key is sometimes abbreviated as HKCU.
HKEY_USERS
Contains all the actively loaded user profiles on the computer.
HKEY_LOCAL_MACHINE
Contains configuration information particular to the computer (for any user). This key is sometimes abbreviated as HKLM.
HKEY_CLASSES_ROOT
It is a subkey of HKEY_LOCAL_MACHINE\Software. The information that is stored here makes sure that the correct program opens when you open a file by using Windows Explorer. This key is sometimes abbreviated as HKCR.
The HKEY_LOCAL_MACHINE\Software\Classes key contains default settings that can apply to all users on the local computer. The HKEY_CURRENT_USER\Software\Classes key has settings that override the default settings and apply only to the interactive user.
HKEY_CURRENT_CONFIG
Contains information about the hardware profile that is used by the local computer at system startup.
· Registry Explorer
Most of these hives live in C:\Windows\System32\Config. Take them from an offline image (the live files are locked while Windows runs), or on a live system open regedit.exe and export the key as a hive file:
DEFAULT (mounted on HKEY_USERS\.DEFAULT)
SAM (mounted on HKEY_LOCAL_MACHINE\SAM)
SECURITY (mounted on HKEY_LOCAL_MACHINE\Security)
SOFTWARE (mounted on HKEY_LOCAL_MACHINE\Software)
SYSTEM (mounted on HKEY_LOCAL_MACHINE\System)
The per-user hives are elsewhere: NTUSER.DAT in the root of each profile under C:\Users, and UsrClass.dat under AppData\Local\Microsoft\Windows inside the profile.
· To export a key from a live system with regedit.exe
· Right-click the key and choose Export
· Select what to export (e.g. we want to export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet)
· Set "Save as type" to Registry Hive Files, not the default .reg text format, because Registry Explorer loads hive files
· Now open Registry Explorer and choose File > Load hive
· Note that CurrentControlSet is a symbolic link that only exists on the live system; in an offline SYSTEM hive read HKLM\SYSTEM\Select\Current to see which ControlSet00N was active.
· Find ComputerName (SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName) and TimeZone (SYSTEM\CurrentControlSet\Control\TimeZoneInformation; needed to convert the hive's UTC timestamps to local time)
· Find network settings: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces (one subkey per interface GUID with IP address, DHCP server and lease times)
· Where to find RecentDocs in the registry: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs. Under this key we see a list of recently accessed files as numbered binary values; each value holds the file name in UTF-16LE (so it appears as hex) followed by the name of the .lnk file, and MRUListEx gives the order of use, most recent first. Per-extension subkeys (e.g. .docx) and the Folder subkey hold the same layout for one file type or for folders.
· Or we can export the hive and decode it in the tool:
Open it in Registry Explorer -> select RecentDocs -> select a value -> Data Interpreter
· Find the last application used to open or save a file
ComDlg32: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32. OpenSavePidlMRU records files opened or saved through the common Open/Save dialogs (per extension), and LastVisitedPidlMRU records the executable that used the dialog and the last folder it visited.
· Find device identification: which USB devices were attached, and when they were first and last seen
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\ (vendor and product IDs) and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\ (mass-storage devices with vendor, product and serial number). The last-write time of the device's key gives the most recent connection; cross-check first-install times against C:\Windows\INF\setupapi.dev.log.
· We can also use the Arsenal Recon tools (e.g. Arsenal Image Mounter to mount an image read-only, Registry Recon to rebuild registries from an image)
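The Data Interpreter step above decodes the RecentDocs values by hand. The following added example (my own code, not the page's and not Registry Explorer's) does the same in Python: each numbered value holds the target file name as a NUL-terminated UTF-16LE string followed by a shell item that carries the .lnk name, and MRUListEx is an array of little-endian DWORD indexes, most recent first, terminated by 0xFFFFFFFF. The values used here are constructed in-line with a simplified shell item, not taken from a real hive; on a real NTUSER.DAT you would read the raw values with a hive parser such as python-registry and pass them to recent_docs_in_order().

```python
"""Decode RecentDocs values and order them with MRUListEx."""
from __future__ import annotations

import struct

MRU_TERMINATOR = 0xFFFFFFFF


def build_recentdocs_value(filename: str) -> bytes:
    """Construct a RecentDocs-style value (sample data, not from a real hive).

    Layout: target file name as NUL-terminated UTF-16LE, then a simplified
    shell item (size, type 0x32, padding) carrying the ASCII .lnk name.
    """
    target = filename.encode("utf-16-le") + b"\x00\x00"
    lnk_name = (filename + ".lnk").encode("ascii") + b"\x00"
    shell_item = struct.pack("<HB", 14 + len(lnk_name), 0x32) + b"\x00" * 11 + lnk_name
    return target + shell_item


def parse_recentdocs_value(data: bytes) -> tuple[str, str]:
    """Return (target file name, .lnk name) from one numbered RecentDocs value."""
    end = 0
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2  # walk UTF-16LE code units until the two-byte terminator
    target = data[:end].decode("utf-16-le", errors="replace")
    rest = data[end + 2:]
    idx = rest.find(b".lnk")
    if idx == -1:
        return target, ""
    start = idx
    while start > 0 and 0x20 <= rest[start - 1] < 0x7F:
        start -= 1  # extend backwards over printable ASCII to the start of the name
    return target, rest[start:idx + 4].decode("ascii", errors="replace")


def parse_mrulistex(data: bytes) -> list[int]:
    """MRUListEx: little-endian DWORD indexes, most recent first, ended by 0xFFFFFFFF."""
    order: list[int] = []
    usable = data[: len(data) - len(data) % 4]  # ignore a truncated trailing DWORD
    if not usable:
        return order
    for (index,) in struct.iter_unpack("<I", usable):
        if index == MRU_TERMINATOR:
            break
        order.append(index)
    return order


def recent_docs_in_order(values: dict[str, bytes]) -> list[dict]:
    """Combine MRUListEx with the numbered values; rank 0 is the most recently opened."""
    docs = []
    for rank, index in enumerate(parse_mrulistex(values.get("MRUListEx", b""))):
        raw = values.get(str(index))
        if raw is None:
            continue  # MRUListEx can point at a value that was never written or was deleted
        target, lnk = parse_recentdocs_value(raw)
        docs.append({"rank": rank, "index": index, "target": target, "lnk": lnk})
    return docs


# Constructed sample of the values under NTUSER.DAT\...\Explorer\RecentDocs
SAMPLE_RECENTDOCS = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, MRU_TERMINATOR),
    "0": build_recentdocs_value("budget.xlsx"),
    "1": build_recentdocs_value("notes.txt"),
    "2": build_recentdocs_value("Q3-report.docx"),
}

if __name__ == "__main__":
    for doc in recent_docs_in_order(SAMPLE_RECENTDOCS):
        print(doc)
```

The only timestamp this key gives you directly is its last-write time, which dates the most recent entry (the first index in MRUListEx); the other entries are ordered, not timed, so pair them with the .lnk files in the user's Recent folder for their own times.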
· RAM Analysis
References: What is Random Access Memory? - YouTube; Forensics: What data can you find in RAM? - YouTube; Introduction to Memory Forensics with Volatility 3 - YouTube
Memory Forensics with Volatility 3
· Create a memory dump with FTK Imager (File > Capture Memory), DumpIt.exe or WinPmem
· Open the Ubuntu SIFT machine
· Download and install Volatility 3: https://github.com/volatilityfoundation/volatility3 (or simply pip3 install volatility3)
· The command reference at https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#psscan is for Volatility 2; Volatility 3 plugin names are different (windows.pslist instead of pslist, and so on)
· pip3 install -r requirements.txt
· sudo python3 setup.py build
· sudo python3 setup.py install
· To see the process list, run vol.py from the volatility3 directory: python3 vol.py -f /home/sansforensics/Desktop/cases/memory.mem windows.pslist.PsList (the short form windows.pslist also works)
· python3 vol.py -h lists every available plugin, so the correct names don't have to be guessed from error messages
· To see network connections and listening ports: python3 vol.py -f /home/sansforensics/Desktop/cases/memory.mem windows.netstat.NetStat (windows.netscan.NetScan scans for network objects instead of walking the live lists and also recovers closed connections)
· To dump password hashes from the SAM in memory: python3 vol.py -f /home/sansforensics/Desktop/cases/memdump.mem windows.hashdump.Hashdump
· To read registry artifacts from memory, e.g. UserAssist (evidence of program execution): python3 vol.py -f /home/sansforensics/Desktop/cases/memdump.mem windows.registry.userassist.UserAssist; windows.registry.hivelist and windows.registry.printkey cover the other hives loaded in memory
Volatility Memory Analysis: Building Linux Kernel Profiles
Reference: Volatility Memory Analysis: Building Linux Kernel Profiles - YouTube
1. Collect the memory dump with LiME (a kernel module, so it has to be built against the target's own kernel)
2. Create a profile for that exact kernel version: in Volatility 2, run make in volatility/tools/linux to produce module.dwarf and zip it together with the target's System.map; Volatility 3 uses a symbol table (ISF JSON) generated with dwarf2json from the kernel's debug symbols instead
3. cd volatility/tools/linux
· Memory Analysis - strings, grep and photorec
1. Dump memory with DumpIt.exe or winpmem.exe
2. Compiled binaries: GitHub - chrisjd20/compiled_windows_memory_acquisition: This contains compiled versions of winpmem winpmem.exe and dumpit dumpit.exe
3. Copy the raw file to the SIFT machine
4. strings -a memory.raw > dictionary.txt (strings only reports ASCII by default; run strings -a -e l memory.raw as well, because Windows keeps most paths, URLs and command lines in memory as UTF-16LE)
5. Note the open files
6. Search for a word: strings -a memory.raw | grep -i "www"
· Extract files from memory
1. Start from memory.raw
2. photorec memory.raw (carves files out of the raw dump by file signature)
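GNU strings only reports ASCII by default, and a Windows memory image holds most of its paths and URLs as UTF-16LE, so a plain strings | grep silently misses them. The following added example (my own, not from the original notes) reproduces strings -a together with strings -a -e l, keeping offsets, over a constructed byte buffer, and then filters the result the way the grep "www" step does.

```python
"""strings + grep over a memory image, with UTF-16LE strings included."""
from __future__ import annotations

import re

# Constructed memory excerpt (not a real dump): ASCII fragments, NUL padding, UTF-16LE strings.
SAMPLE_MEMORY = (
    b"\x00" * 8
    + b"GET /update.php HTTP/1.1\r\nHost: www.example.test\r\n"
    + b"\x00" * 5
    + "C:\\Users\\alice\\Documents\\Q3-report.docx".encode("utf-16-le")
    + b"\x00" * 6
    + "https://www.example.test/download/setup.exe".encode("utf-16-le")
    + b"\xff\xfe" * 3
    + b"MZ\x90\x00ab"
    + b"\x00" * 3
)


def extract_strings(buf: bytes, min_len: int = 4) -> list[tuple[int, str, str]]:
    """Return (offset, encoding, text) for printable runs: strings -a plus strings -a -e l."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)  # each char followed by 0x00
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(buf)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in utf16_re.finditer(buf)]
    return sorted(found)  # by offset, so both encodings interleave in memory order


def grep_strings(buf: bytes, pattern: str, min_len: int = 4, ignore_case: bool = True) -> list[tuple[int, str, str]]:
    """The `strings | grep` step: keep only strings matching a regular expression."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return [hit for hit in extract_strings(buf, min_len) if rx.search(hit[2])]


if __name__ == "__main__":
    for offset, enc, text in grep_strings(SAMPLE_MEMORY, "www"):
        print(f"{offset:#010x} {enc:8} {text}")
```

On the command line the same two passes are strings -a -t x memory.raw and strings -a -e l -t x memory.raw; the -t x offsets are what you carry over to a hex editor or to Volatility when a hit needs context.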
To find malware we look for suspicious processes (wrong parent, wrong session, duplicated or misspelled system binaries) and unexpected open ports: $ python3 vol.py -f /home/sansforensics/Desktop/cases/memory.raw windows.pslist.PsList
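To make "look for suspicious processes" concrete, the following added example (my own code, not Volatility's and not from the original notes) parses the tab-separated table that windows.pslist prints and applies the usual parent/child sanity rules for Windows system processes: svchost.exe must be a child of a live services.exe, services.exe and lsass.exe children of wininit.exe, smss.exe a child of System, only one lsass.exe, the core session-0 processes not running in a user session, and no process name one typo away from a system binary. The pslist text is constructed to resemble Volatility 3 output with three planted anomalies; it is not a real capture.

```python
"""Parent/child sanity checks over Volatility 3 windows.pslist output."""
from __future__ import annotations

# Constructed to look like `python3 vol.py -f memory.mem windows.pslist` output. Not a real capture.
# Planted: svchost.exe (2104) under explorer.exe, a second lsass.exe (2260), and scvhost.exe (2312).
SAMPLE_PSLIST = """\
Volatility 3 Framework 2.5.0

PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output
4\t0\tSystem\t0xe0000c87a040\t112\t-\tN/A\tFalse\t2023-05-02 08:00:01.000000 \tN/A\tDisabled
368\t4\tsmss.exe\t0xe0000d2b1040\t2\t-\tN/A\tFalse\t2023-05-02 08:00:02.000000 \tN/A\tDisabled
476\t468\tcsrss.exe\t0xe0000d4a2080\t10\t-\t0\tFalse\t2023-05-02 08:00:03.000000 \tN/A\tDisabled
548\t468\twininit.exe\t0xe0000d4c9080\t1\t-\t0\tFalse\t2023-05-02 08:00:03.000000 \tN/A\tDisabled
556\t540\tcsrss.exe\t0xe0000d4d0080\t12\t-\t1\tFalse\t2023-05-02 08:00:03.000000 \tN/A\tDisabled
620\t540\twinlogon.exe\t0xe0000d512080\t3\t-\t1\tFalse\t2023-05-02 08:00:04.000000 \tN/A\tDisabled
672\t548\tservices.exe\t0xe0000d5e0080\t6\t-\t0\tFalse\t2023-05-02 08:00:04.000000 \tN/A\tDisabled
680\t548\tlsass.exe\t0xe0000d5e8080\t8\t-\t0\tFalse\t2023-05-02 08:00:04.000000 \tN/A\tDisabled
780\t672\tsvchost.exe\t0xe0000d640080\t14\t-\t0\tFalse\t2023-05-02 08:00:05.000000 \tN/A\tDisabled
860\t672\tsvchost.exe\t0xe0000d6a0080\t22\t-\t0\tFalse\t2023-05-02 08:00:05.000000 \tN/A\tDisabled
1420\t1388\texplorer.exe\t0xe0000e1c0080\t60\t-\t1\tFalse\t2023-05-02 08:01:10.000000 \tN/A\tDisabled
2104\t1420\tsvchost.exe\t0xe0000e9f0080\t3\t-\t1\tFalse\t2023-05-02 09:14:22.000000 \tN/A\tDisabled
2260\t2104\tlsass.exe\t0xe0000ea30080\t2\t-\t1\tFalse\t2023-05-02 09:14:25.000000 \tN/A\tDisabled
2312\t2104\tscvhost.exe\t0xe0000ea80080\t2\t-\t1\tFalse\t2023-05-02 09:14:26.000000 \tN/A\tDisabled
3020\t1420\tnotepad.exe\t0xe0000f010080\t1\t-\t1\tFalse\t2023-05-02 09:20:00.000000 \tN/A\tDisabled
"""

SYSTEM_NAMES = {"system", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                "services.exe", "lsass.exe", "svchost.exe", "explorer.exe"}
# Processes whose parent must still be alive and must be one of these names.
# csrss/wininit/winlogon/explorer are left out: their parents exit by design.
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}
SESSION_ZERO_ONLY = {"smss.exe", "wininit.exe", "services.exe", "lsass.exe"}
SINGLE_INSTANCE = {"smss.exe", "wininit.exe", "services.exe", "lsass.exe"}


def parse_pslist(text: str) -> list[dict]:
    """Parse the tab-separated table; the header row starts with PID, banner lines are skipped."""
    rows, cols = [], None
    for line in text.splitlines():
        parts = line.split("\t")
        if cols is None:
            if parts[0] == "PID":
                cols = {name: i for i, name in enumerate(parts)}
            continue
        if len(parts) < len(cols):
            continue
        session = parts[cols["SessionId"]]
        rows.append({
            "pid": int(parts[cols["PID"]]),
            "ppid": int(parts[cols["PPID"]]),
            "name": parts[cols["ImageFileName"]],
            "session": int(session) if session.isdigit() else None,
            "created": parts[cols["CreateTime"]].strip(),
        })
    return rows


def one_edit_away(a: str, b: str) -> bool:
    """True if a and b differ by one substitution, insertion, deletion or adjacent swap."""
    if a == b:
        return False
    if len(a) == len(b):
        diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diff) == 1:
            return True
        return (len(diff) == 2 and diff[1] == diff[0] + 1
                and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def triage_pslist(rows: list[dict]) -> list[str]:
    """Apply the parent, session, instance-count and look-alike rules; return findings."""
    by_pid = {r["pid"]: r for r in rows}
    counts: dict[str, int] = {}
    findings = []
    for r in rows:
        name = r["name"].lower()
        tag = f"pid {r['pid']} {r['name']}"
        counts[name] = counts.get(name, 0) + 1
        if name in EXPECTED_PARENT:
            want = "/".join(sorted(EXPECTED_PARENT[name]))
            parent = by_pid.get(r["ppid"])
            if parent is None:
                findings.append(f"{tag}: parent pid {r['ppid']} is not in the list, expected a live {want}")
            elif parent["name"].lower() not in EXPECTED_PARENT[name]:
                findings.append(f"{tag}: parent is {parent['name']} (pid {parent['pid']}), expected {want}")
        if name in SESSION_ZERO_ONLY and r["session"] not in (None, 0):
            findings.append(f"{tag}: running in session {r['session']}, expected session 0")
        if name not in SYSTEM_NAMES:
            for legit in sorted(SYSTEM_NAMES):
                if one_edit_away(name, legit):
                    findings.append(f"{tag}: name is one edit away from {legit}")
    for name, n in counts.items():
        if name in SINGLE_INSTANCE and n > 1:
            findings.append(f"{n} instances of {name}, expected exactly 1")
    return findings


if __name__ == "__main__":
    for finding in triage_pslist(parse_pslist(SAMPLE_PSLIST)):
        print(finding)
```

Volatility 3 can also write the table as CSV (-r csv), which is easier to feed into a script than the default tab output; and pslist walks the live process list, so compare it against windows.psscan, which finds unlinked or terminated processes that these rules would otherwise never see.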
Analysis. Once the data has been collected and examined, it must be analyzed to determine what actions were taken on the system, who was responsible for those actions, and what data was accessed or stolen. This may involve analyzing files, examining system logs, and conducting searches for keywords or other indicators of suspicious activity.