Forensic Blogs

An aggregator for digital forensics blogs

by

Using Memory Forensics Analysis to Guide Your Investigation

Introduction

I had the honor of attending the Magnet User Summit 2019 in Nashville on April 1-3. This was my first professional conference as a junior at Champlain College.  It was exciting to be able to correlate the presentations with the knowledge I’ve gathered in my courses. The conference was also a great networking space where I got to meet professionals in the digital forensics industry. I participated in various sessions, both lectures and labs. One of the sessions that I really appreciated was on Using Memory Forensics Analysis to Guide your Investigation by Aaron Sparling, Computer Forensic Examiner with Portland Police Bureau.

Memory analysis speeds up traditional forensic examinations and can drive the investigation. On a Windows system, memory includes physical memory (RAM) and system files such as pagefile.sys and hiberfil.sys. There are a lot of forensic artifacts that reside in memory which should not be ignored. Almost every process executed on a computer goes through RAM at some point. Not to mention that memory acquisition can be done in a fraction of the time compared to hard drive acquisition which usually takes hours.

Some of the analysis tools shared with us include: Bulk Extractor, Photorec, Scalpel, Volatility, Page_Brute.py and YARA. You can also use strings and GREP/REGEX. I had a bit of experience with all these tools except for Yara which was completely new to me. It is a tool that allows the analyst to write textual and/or binary patterns to hunt for malware or anything else they choose. Page-brute.py uses YARA rules to parse pagefile.sys within a command-line interface. Volatility is good for decompressing hiberfil.sys to .bin for faster analysis. It is extensible i.e. you can write your own plugins or modify existing plugins for your analysis.

Memory Forensics Lab

In addition to this lecture, I also took part in a lab on memory forensics run by Jamey Tubbs, Magnet’s Director of Training Operations and Curriculum Development. During this hour and a half lab, we were able to build a case/user profile from 2GB of RAM using Magnet Axiom Process and Examine. We found crucial artifacts such as user SID, browser search terms, their timestamps, and local file paths. Such information gives the investigator direction and speeds up the process once the hard drive is acquired.

Conclusion

The importance of preserving memory when dealing with a live system cannot be overstated. The conference was quite informative and a great first experience. It was also inspiring to see all the projects Magnet Forensics are working on and how beneficial their products have been to the industry both within the private sector and with law enforcement.  

 

Blog written by Champlain College junior Lavine Oluoch 

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @Champlainforensics to see other important information pertaining to our project!

The post Using Memory Forensics Analysis to Guide Your Investigation appeared first on The Leahy Center for Digital Investigation.

by

Using Memory Forensics Analysis to Guide Your Investigation

Introduction

I had the honor of attending the Magnet User Summit 2019 in Nashville on April 1-3. This was my first professional conference as a junior at Champlain College.  It was exciting to be able to correlate the presentations with the knowledge I’ve gathered in my courses. The conference was also a great networking space where I got to meet professionals in the digital forensics industry. I participated in various sessions, both lectures and labs. One of the sessions that I really appreciated was on Using Memory Forensics Analysis to Guide your Investigation by Aaron Sparling, Computer Forensic Examiner with Portland Police Bureau.

Memory analysis speeds up traditional forensic examinations and can drive the investigation. On a Windows system, memory includes physical memory (RAM) and system files such as pagefile.sys and hiberfil.sys. There are a lot of forensic artifacts that reside in memory which should not be ignored. Almost every process executed on a computer goes through RAM at some point. Not to mention that memory acquisition can be done in a fraction of the time compared to hard drive acquisition which usually takes hours.

Some of the analysis tools shared with us include: Bulk Extractor, Photorec, Scalpel, Volatility, Page_Brute.py and YARA. You can also use strings and GREP/REGEX. I had a bit of experience with all these tools except for Yara which was completely new to me. It is a tool that allows the analyst to write textual and/or binary patterns to hunt for malware or anything else they choose. Page-brute.py uses YARA rules to parse pagefile.sys within a command-line interface. Volatility is good for decompressing hiberfil.sys to .bin for faster analysis. It is extensible i.e. you can write your own plugins or modify existing plugins for your analysis.

Memory Forensics Lab

In addition to this lecture, I also took part in a lab on memory forensics run by Jamey Tubbs, Magnet’s Director of Training Operations and Curriculum Development. During this hour and a half lab, we were able to build a case/user profile from 2GB of RAM using Magnet Axiom Process and Examine. We found crucial artifacts such as user SID, browser search terms, their timestamps, and local file paths. Such information gives the investigator direction and speeds up the process once the hard drive is acquired.

Conclusion

The importance of preserving memory when dealing with a live system cannot be overstated. The conference was quite informative and a great first experience. It was also inspiring to see all the projects Magnet Forensics are working on and how beneficial their products have been to the industry both within the private sector and with law enforcement.  

 

Blog written by Champlain College junior Lavine Oluoch 

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @Champlainforensics to see other important information pertaining to our project!

The post Using Memory Forensics Analysis to Guide Your Investigation appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

by

Mobile App Forensics Final Update

Introduction

During this semester, the Mobile Forensics team analyzed social media apps such as Snapchat, Telegram, and LinkedIn. 

Snapchat

As for a conclusion on our Snapchat analysis, we couldn’t find much outside of prior research within the community. A big concern we had was how much data would remain on a device  twenty-four hours after it was generated. An immediate pull from the device yielded evidence of what stories the user viewed and also a log of messages exchanged with other users (but not the content of the message). This log showed who sent and received the message and the timestamp of the event. The text of messages was only viewable if either user had saved the message. Some pictures were also recovered that had the contents of stories that were viewed. This could provide some information on the interests of a user, but nothing incriminating. An interesting artifact found on the device that could not be decoded was location data found in  /data/data/com.snapchat.android/cache. We could not parse these files and believe they may related to ArcGIS.

We aquired Snapchat after a few days to see what information would still be available. Logs of conversations were not deleted and remained on the device. However, there were still no contents of the conversation again with the exception of any messages that either user saved. It appears Snapchat does not store data from the user directly on the phone, it may simply be processed and erased while in memory. There was little evidence of user activity.

Telegram

When testing Telegram we did two pulls of the tablets. We first did a pull with all three of the members and then a pull with just two members on the different operating systems. When we did the first pull, the data between the group was very easy to analyze, but the solo data was very confusing, so we did the second pull. When we tested Telegram, we were interested in the secret chats the most to see if we could find any information about them. Telegram advertises that the messages are encrypted and we were interested to see if we could verify this. The only chats that were encrypted were messages in a secret chat. This is definitely a note for a forensic investigator. When we did the pull, we could see each message in the chat log as well as any pictures and images. The one thing we could not find was any videos or voice messages that did not get saved.

LinkedIn

While analyzing LinkedIn, we once again didn’t find all the data we were looking for. We had hoped to be able to find the user’s whole work profile but that was not the case. We were able to pull and reconstruct all their chat messages, a summary of their profile, and users they connected with, but we couldn’t find any search history, viewed articles, or viewed jobs. Even when looking in the chat, we didn’t find images or voice messages in the same location as the other chats. We had some temporary files for images, but we weren’t able to confirm what the images were. They could have been images from the chat logs or they could have been images from an articles or profile.

Versions

Readers of previous blog posts may note that we were comparing differences in Android operating system versions. There has been little to no evidence found that the version of the OS has an impact on our examined applications. The only major change we found was occasionally an app on Android 6 would generate a few extra folders, but they were always empty. However, it is important to note the biggest changes would be found with differing application versions.

 

Different operating systems don’t affect the data we pulled because OS updates focus more on new features and security fixes rather than how app data is stored on the device. If we looked into different versions of the application then there would be differences in the pulls. The updates of the apps will have bug fixes as well as security fixes that make the app more secure. If we could test an older version of one of the apps to the most current update then we would find different data.

 

This is clear in the below screenshots:

Snapchat on Android 6

Snapchat on Android 7

As you can see the files may be slightly different. Any files that were not common between the two extractions were empty.

Conclusion

Our work this semester has been a good test of our examined applications to ensure that they work as advertised. One may believe that mainstream applications are secure because of their size and amount of users. Previous reports, which can be found here and here, have shown that Snapchat has been less secure in the past, and we have seen clear improvements in the amount of data that is stored on the device. With Telegram, the application works as it should and doesn’t store data on the phone to be viewed later on. However, this was only the case when using “secure messaging” and is not on by default. With LinkedIn there was little data we were able to recover from the phone. That by no means infers that LinkedIn is not storing your personal data. This simply means that that data is not stored on the device.

 

There has been a lot of hands on with tools such as ADB and Cellebrite to find efficient ways to examine these phones, and one should always question the applications they use every day with their private information. We are glad to have formed a plan of analysis for these apps, and look forward to seeing what research will be performed on the apps we use every day. As always, stay up to date with the LCDI on our social media.  Follow us on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI.

The post Mobile App Forensics Final Update appeared first on The Leahy Center for Digital Investigation.