Forensic Blogs

An aggregator for digital forensics blogs

by

FTK Tool Evaluation Update

Introduction

In our tool eval team, we are researching and evaluating AccessData’s Forensic Toolkit. This program advertises itself as an all encompassing tool for extracting, analyzing, and compiling digital evidence into a readable format that is acceptable for use in a court of law. Our primary goal is to understand FTK in every aspect possible, with preference given to the searching and efficiency aspects of its use.

Current Progress

Over the past month, we spent a significant amount of time familiarizing ourselves with online FTK manuals and tutorials. We felt it was important to understand exactly which functions and features would help digital investigators the most before trying to run data through FTK’s systems. When we felt we were proficient in our knowledge, we set up our virtual machine with support from the LCDI helpdesk.

More recently, we have been participating in a multi-team effort to generate test data. To do this, we recreated digital footprints of a professor killing another for tenure. We knew that we had to make our test data as realistic as possible, so we threw searches of jazz musicians and golf tournaments into our fictional professor’s data stream. We plan to sift through the test data in Forensic ToolKit to discern how reliable the program is at catching criminal data in a stream of normal internet browsing.

We have been documenting our shift-to-shift progress on a website with updates in a shorter bullet point format. Along with the website, we have created and started maintenance of our twitter handle, @FTKToolEvalLCDI. We have also been researching any and all aspects of FTK that remain beyond the scope of our knowledge. This is a rather time consuming process, made much more difficult by the lack of guides and videos online. Regardless, we appear to be on track for a timely end to this project.

Conclusion

We have already accomplished a lot, but still have a long way to go. Once we get our data gen back, we can begin benchmark tests and can report with more hard data. Getting everything set up on the virtual machine was a small hurdle that we overcame. We are eager to continue our progress and report back with more concrete data on FTK.

After we complete our research, we plan to compare statistics of multiple digital forensic programs, such as Encase and Autopsy, to FTK. Our hope is to provide an accurate comparison of digital forensic tools so digital investigators all over the world can have accurate knowledge and preparation in their own ventures.

 

To learn more about this and other blogs of the LCDI visit us here: LCDI Blog.

Stay in the loop on our current and upcoming projects and events by following us on Facebook,  Twitter, or Instagram. 

The post FTK Tool Evaluation Update appeared first on The Leahy Center for Digital Investigation.

by

Experiences, Accomplishments, and Lessons Learned

Introduction

When people join a new workforce, they often find themselves saying: “I am in way over my head.” I experienced that during my first week as an intern at the Leahy Center for Digital Investigation (LCDI). It was only my second week of my first year of college, and I couldn’t wait to get my foot in the door and start my internship at the LCDI. I was a part of a team of three (Matthew Eckhardt, Jordan Kimball, and Jessica Hunsberger), and immediately I noticed that our project was more complicated than anything we had done before. None of us knew where to begin with an “Automated Network Scanner.” We didn’t have the answers right off the bat. Luckily for us, the LCDI is a place for people who don’t always know all the answers, as the truth is, nobody does. My team and I got to work, and found out we were a lot more capable than we previously thought. The following is the culmination of our work and research into Nmap, port scanning, and Raspberry Pi’s.

What we learned so far

First, we should explain what it is we are actually doing. Our team was tasked with creating an “Automated Network Scanner”—that is, a device that could be plugged into the network at the LCDI and scan it for available ports, hosts, and services, as well as give a report on what it found. In pursuit of this goal, we learned how to use Nmap, an industry staple for scanning and testing a network for vulnerabilities.

This, by itself, was not too difficult. If you do your research, you can download Nmap and figure it out, no problem. The difficulty comes in the “automated” part of “Automated Network Scanner.” We solved this problem with Python 3. It turns out that Nmap can be inserted as a part of a Python script. One of the great boons in this project was that almost everything we were working on was well documented online, albeit small pieces individually. Using this knowledge, we learned we could inject the script into a Raspberry Pi’s startup protocols, and run the script as soon as the Raspberry Pi turned on. Furthermore, using Python allowed us to create a formatted report, and send it to a private email account automatically.

Conclusion

All in all, our research and effort put towards this project have proved successful. Our team has been moving at a steady rate, and our Automated Network Scanner is almost complete. This technology has a lot of widespread utility as this machine could be used by just about any person or organization who is heavily invested in a computer network. Creating a map of your network and potential vulnerabilities is extremely useful, especially in this current digital age. The next step for our team is perfecting our scripts, making sure our scanner is as efficient and informative as possible, and then setting up a mock network out of Raspberry Pi’s and testing the scanner on it, before testing it on the LCDI network.

 

To learn more about this and other blogs of the LCDI visit us here: LCDI Blog.

Stay in the loop on our current and upcoming projects and events by following us on Facebook,  Twitter, or Instagram. 

The post Experiences, Accomplishments, and Lessons Learned appeared first on The Leahy Center for Digital Investigation.

by

One Month of Network Scanning

Welcome to Our Project

Welcome to the official blog of the Automated Network Scanning % Team. Our team includes three interns from the Senator Patrick Leahy Center for Digital Investigation. Liam Barry is a computer networking and cyber security major who wants to learn more about networks and strengthen his skills in python. Alexander Zimmerman is also a computer networking and cyber security major who wishes to strengthen his skills in programming and teamwork. Nathan DiMauro is a computer science and innovation major who hopes to learn more about computer networking throughout his work on the project. Our long term goal is to create an automated network scanner using Raspberry Pi 2’s. The purpose of this blog is to document our progress so far.

Nmap

For a majority of our time this month, we researched goals of our project. None of us had ever made a network scanner before, so we were all completely new to this. The first thing we began researching was Nmap.

Nmap is the go to open source project for network scanners. We looked into how it works and how we can use it in our own network scanner. We came up with a list of scans that Nmap offers that we intend on using in our script. They range from basic port scanning, to version detection on an operating system. With the power of Nmap behind us, we were ready to look into scripting.

Python

Once we had learned about the ins and outs of Nmap, it was time to move on to script writing. Our project supervisors gave us the opportunity to choose between Bash and Python. Because the entire team had worked in python before, we choose to go with that. We started out making some basic scripts to re-familiarize ourselves with the language. From there we set up a GitHub so that we could collaborate on code. We also found a premade python library that allowed us to call Nmap commands directly from a python script. We all read though the source code of the library and started planning on how we could use it. With the majority of our software figured out, it was time to look into our hardware.

Devices

Now that our plan for scripting was complete, we needed to write up a list our devices. Our supervisors provided us with a box of supplies that we would use The box contained 3 raspberry pi model 2’s, an 8GB micro SD card, a micro SD to SD card adapter, a USB WiFi adapter, and a power supply unit. We all were familiar with most of the contents of the box. The only real research we had to do was on installing an OS onto our raspberry pi’s. We decided to go with Raspbian because it seemed the simplest to learn.

In the Next Month

September was a great month for the team. We got a lot of research done and are now very familiar with our tools. Throughout October we will start to actually create our scanner. Step one will be to get our script working. From there the plan is to put that script onto the raspberry pi and automate it. Be sure to come back next month to see our progress on the network scanner!

 

To learn more about this and other blogs of the LCDI visit us here: LCDI Blog.

Stay in the loop on our current and upcoming projects and events by following us on Facebook,  Twitter, or Instagram. 

The post One Month of Network Scanning appeared first on The Leahy Center for Digital Investigation.