forensics Archives | Page 3 of 32

September 17, 2019 by LCDI

Using Memory Forensics Analysis to Guide Your Investigation

Introduction

I had the honor of attending the Magnet User Summit 2019 in Nashville on April 1-3. This was my first professional conference as a junior at Champlain College. It was exciting to be able to correlate the presentations with the knowledge I’ve gathered in my courses. The conference was also a great networking space where I got to meet professionals in the digital forensics industry. I participated in various sessions, both lectures and labs. One of the sessions that I really appreciated was on Using Memory Forensics Analysis to Guide your Investigation by Aaron Sparling, Computer Forensic Examiner with Portland Police Bureau.

Memory analysis speeds up traditional forensic examinations and can drive the investigation. On a Windows system, memory includes physical memory (RAM) and system files such as pagefile.sys and hiberfil.sys. There are a lot of forensic artifacts that reside in memory which should not be ignored. Almost every process executed on a computer goes through RAM at some point. Not to mention that memory acquisition can be done in a fraction of the time compared to hard drive acquisition which usually takes hours.

Some of the analysis tools shared with us include: Bulk Extractor, Photorec, Scalpel, Volatility, Page_Brute.py and YARA. You can also use strings and GREP/REGEX. I had a bit of experience with all these tools except for Yara which was completely new to me. It is a tool that allows the analyst to write textual and/or binary patterns to hunt for malware or anything else they choose. Page-brute.py uses YARA rules to parse pagefile.sys within a command-line interface. Volatility is good for decompressing hiberfil.sys to .bin for faster analysis. It is extensible i.e. you can write your own plugins or modify existing plugins for your analysis.

Memory Forensics Lab

In addition to this lecture, I also took part in a lab on memory forensics run by Jamey Tubbs, Magnet’s Director of Training Operations and Curriculum Development. During this hour and a half lab, we were able to build a case/user profile from 2GB of RAM using Magnet Axiom Process and Examine. We found crucial artifacts such as user SID, browser search terms, their timestamps, and local file paths. Such information gives the investigator direction and speeds up the process once the hard drive is acquired.

Conclusion

The importance of preserving memory when dealing with a live system cannot be overstated. The conference was quite informative and a great first experience. It was also inspiring to see all the projects Magnet Forensics are working on and how beneficial their products have been to the industry both within the private sector and with law enforcement.

Blog written by Champlain College junior Lavine Oluoch

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @Champlainforensics to see other important information pertaining to our project!

The post Using Memory Forensics Analysis to Guide Your Investigation appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

November 26, 2018 by LCDI

Mobile Forensics Update 2

Introduction

If you read our last blog post, you know that the Mobile Forensic team ran into some issues early on. We are happy to share that we have since overcome those issues, and we’ve hit the ground running with our project. We are no longer using the LG G6 devices mentioned last month due to issues rooting these devices. Instead we are using Nexus 7 tablets running Android 6 and 7.

Two apps we pulled and analyzed data from are Snapchat and Telegram. Before we set up accounts, we had to create different personas for each team member. The personas we came up with were Johan Smith, Tony Pepperoni, and Mallow Operator.

Snapchat

Before we started collecting our data, we had to figure out what actions we would go through so we all had data we could compare. Some of the actions to generate data for Snapchat included adding each other as friends, creating a group chat, and posing to a story. When generating data for analysis, we kept track of who sent chats to whom, what time we did each action, and if anything went wrong. After pulling the data with adb, we compared the timestamps and actions from the pull with our datagen log. We were successfully able to see what Snapchat saves and what we can find on the phone.

When we were setting up Telegram, we had to setup Google Voice numbers in order to create our profiles. With Telegram we also had to figure out what actions we wanted to take so that each person could get similar pull results—hence the creation of another datagen. With Telegram our actions included adding contacts, joining different groups, and sending videos and stickers. We kept track of timestamps again and then compared the data and the pull. We decided to use both Cellebrite and adb to see if there was any benefit of one tool over the other. At the moment, we’re still analyzing Telegram to see if there is anything noteworthy so stay tuned!

Conclusion

With these pulls we were able to see what data Snapchat and Telegram save on your phone. We were looking to see if any unusual data was saved by the applications. So far nothing has stood out with either Snapchat or Telegram. The next app we will be doing a datagen and pulling is LinkedIn.

Stay tuned for more updates to come and follow us on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI.

The post Mobile Forensics Update 2 appeared first on The Leahy Center for Digital Investigation.

November 15, 2018 by LCDI

SIFT Update 2

Introduction

This month at the Senator Leahy Center for Digital Investigation, we started analyzing our data. As a part of the SIFT research team, we used our knowledge of digital forensics to scan through files in order to find artifacts that would help us put our criminal behind bars. After we found artifacts, we went on to conduct keyword searches where we found very useful evidence for our investigation.

Experience

We have learned so much over the past month about SIFT. SIFT allows for artifact gathering, and keyword searching. Artifact gathering involves going into the imaged drive and gathering potentially incriminating files, or anything that could be useful to a digital investigators analysis. Pair that with keyword searching and a strong case can be built and argued in criminal court.

Originally SIFT had major issues in the srch_strings function within Autopsy. This was a major issue because srch_strings is used for keyword searching, an essential part of a digital investigator’s case. Being new to SIFT was difficult because as a team we did not know how to fix this problem. Eventually, we learned the issue occurred because SIFT runs an older, unsupported version of Autopsy (Autopsy 2.24). The only way to fix this was to import a new version of srch_strings into SleuthKit. After importing the new version, we managed to get keyword searching to work with up to three characters, and on the letter “e” alone, got 3 million hits.

For our project, our data gen had us searing for “cyanide”. Therefore, a keyword search for “cyanide” would be useful in finding files that contain information about the poisoning.

Conclusion

Finding artifacts and searching for keywords are extremely important to a digital investigator. Within the coming weeks, we are going to be recovering deleted files from the disk image. Stay tuned for our next blog about recovering deleted files.

The post SIFT Update 2 appeared first on The Leahy Center for Digital Investigation.