computer forensics Archives

October 18, 2019 by LCDI

Recovery of Data Fall Blog 1

Data Recovery Project Goal

This semester, The Leahy Center for Digital Investigation created a project to solve issues related to data recovery. This project shows that the average user often does not truly delete their data, and that it is possible to recover this data without spending money on high end tools, such as EnCase and Axiom. These are tools which range from $1,700 to $4,800 a year. The Data Recovery Team at the LCDI has researched free tools that anyone can use to recover deleted files, whether you are someone who has erased files they need or the next owners of a poorly wiped drive.

Is data ever “deleted”?

PC hard drives often contain data known as Personally Identifiable Information, or PII. This includes names, credit card numbers, addresses and other information important to one’s personal life. This is why true data deletion is so important. The average user doesn’t understand that they’re not actually deleting their data. The fact that this data is not always deleted is what can lead to the leak of the user’s PII when they sell the drive. One can truly delete their data by using the common standards for wiping drives.

Visual vs Actual Deletion

Many people assume that they are deleting the file when it is no longer visible (for example, after it is in the recycle bin). This is never the case. After dragging said file to the bin, the user still needs to empty it. Even when the user empties the bin, the user has not actually deleted the file. When a user drags a file to the Recycle Bin, all that does is remove the link to said file from the user. The user has hidden the data, not deleted it. It will stay available on the computer until that part of the hard drive is overwritten by other files.

Proper Data Recovery Services

To achieve proper data deletion, one needs to use common drive wiping standards, such as US DoD 5220.22-M. This standard implements a three pass system, working as follows:

First pass: Overwrite all addressable locations with binary “zeroes”. Second pass: Overwrite all addressable locations with binary “ones”. Third pass: Overwrite all addressable locations with a random bit pattern Verify the final overwrite pass.

Another common standard for deleting data is the NIST method. This method describes different types of sanitation for drives, and recommends using more than one type.

Who Cares?

Net collecting black, yellow and white squares symbolizing data.

One of the most important questions that we at the Data Recovery Team ask is: why does any of this matter? This information can serve to help the user protect their PII. Whether it is by teaching the user how to delete their data, or teaching them how to recover it. This means that a normal user could recover their data without having to spend a lot of money. We understand that sometimes accidents happen and data may get erased unintentionally. Hopefully, with the information that this project will provide, users can retrieve their own lost data.

Be sure to look for future posts and stay up to date with Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI!

The post Recovery of Data Fall Blog 1 appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

September 17, 2019 by LCDI

Leveraging PowerShell & Python MUS 2019

Leveraging PowerShell & Python for Incident Response & Live Investigation With Chet Hosmer

Recently, I had the great opportunity to attend the 2019 Magnet User Summit hosted by Magnet Forensics in Nashville, Tennessee. Presenters at the Magnet User Summit dedicate their time to presenting new research, demonstrating new techniques, and teaching users in the fields of digital forensics and investigation. There were many great presentations and labs that I attended and learned so much from!

As someone who uses Windows PowerShell and Python for scripting, I took notice in a presentation called “Leveraging PowerShell & Python for Incident Response & Live Investigations” presented by Chet Hosmer, founder of Python Forensics. I was excited to find new ways to expand my knowledge of PowerShell and Python and increase my proficiency.

PowerShell and Python

Windows PowerShell is a command shell and scripting language created by Microsoft. It provides more features and functionalities than Windows basic command line. System and network administrators use PowerShell for automation and also forensic investigators. PowerShell excels at automation and acquiring evidence and artifacts from the system. It has recently been made available for other operating systems including Linux and OSX. Making it even more powerful and useful. Python is an object oriented scripting and programming language. It’s a simple language that’s easy for beginners but still powerful enough for the more experienced users. It’s been integrated into many popular tools for digital forensics, cybersecurity, and incident response.

One point that Hosmer highlighted is that Microsoft’s PowerShell really excells at evidence and artifact acquisition, while Python is good at analysis and examination of data. Therefore, combining these two programs would create a powerful platform for DFIR. To accomplish this, he has created two methods of integration between the two programs.

Image taken from Chet Hosmer

Integrating PowerShell and Python

The first method involves creating a Python script that would accept PowerShell parameters as input, launch PowerShell, and pass those parameters to a PowerShell script. That would then read, analyze and present the results. The second method begins with a PowerShell script. The PowerShell script would launch Python and run through the PowerShell scripts, piping its results to a Python script for it to analyze and organize the data. Both methods will work equally, but if one is more experienced in PowerShell, they may want to use the second method and vice versa. Using the ‘subprocess’ command in Python allows for variables to pass through a PowerShell script. PowerShell can input to Python using a standard pipe, like “| & $Python $Script”. Users can then use he piped data with “stdin” in Python.

With the rise of cloud infrastructure and international use, Hosmer also demonstrated that PowerShell is capable of interacting with and accessing Microsoft Azure logs. Azure is Microsoft’s cloud platform created for large businesses and enterprise. Cloud has become a large source of data and potential evidence for digital investigators, but is often harder to access and difficult to integrate into programs. In order to interact with azure, the user installs a PowerShell module called ‘AzureRM’ using the ‘Install-Module’ cmdlet in PowerShell. Once installed, PowerShell will have access to thousands of more powerful cmdlets dedicated to Azure.

Conclusion

Over my two days at Magnet User Summit, I met with many professionals and had a great time attending presentations on new technologies and techniques. I also learned how to use the tools created by Magnet and improve my forensics skills. While I really did learn a lot from the summit and had plenty of fun too. I am glad I got this great opportunity to learn and network with industry professionals. Thank you to both the Leahy Center for Digital Investigation and Magnet Forensics for giving me this great opportunity.

Blog written by Champlain College sophomore Chris Mathieson

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @Champlainforensics to see other important information pertaining to our project!

The post Leveraging PowerShell & Python MUS 2019 appeared first on The Leahy Center for Digital Investigation.

December 13, 2018 by LCDI

SIFT Update 3

Introduction

As we are coming to an end working at the Senator Leahy Center for Digital Investigation, we are closer to completing our final report. Our last post was about recovering artifacts and keyword searches. Due to time issues and inexperience, our team couldn’t recover deleted files.

Experience

Throughout the semester, working at the LCDI with the SIFT-workstation has been a refreshing challenge. Coming into the Center has always been a fun and engaging experience. We’ve learned vital information, especially in regards to digital forensics. We’ve even been exposed to the Linux Command Line.

Researching the SIFT-workstation from SANS also exposed us to quite a bit of information about SANS. The more we have learned, the more we have realized how exciting the digital forensics field can be. From a first year student’s perspective, technical jargon and new information can be daunting. With the amount of easy-to-read information that SANS has put out, our team agrees that learning becomes simpler.

In regards to the Linux Command Line, our team was subjected to the experience of learning syntax, system commands, and other programs. Both my partner and I have heard from our professors that these skills are integral as investigators. Having that experience is important to us as aspiring students.

Since we are nearing the end of our time on this project, our team has focused on learning how to generate timelines and search clusters. We’ve also looked into bulk extraction and learned that these are typical and required tasks in this field.

Conclusion

In the end, our experience at the LCDI has been overwhelmingly positive and beneficial. We were exposed to and learned from largely important topics which is an opportunity we’ll always be grateful for. Although our team didn’t meet every expectation we had, we still experienced much more than we expected out of the internship.

The post SIFT Update 3 appeared first on The Leahy Center for Digital Investigation.