Forensic Blogs

An aggregator for digital forensics blogs

September 17, 2019 by The Leahy Center for Digital Forensics & Cybersecurity

Leveraging PowerShell & Python MUS 2019

Leveraging PowerShell & Python for Incident Response & Live Investigation, with Chet Hosmer

Recently, I had the great opportunity to attend the 2019 Magnet User Summit hosted by Magnet Forensics in Nashville, Tennessee. Presenters at the Magnet User Summit dedicate their time to presenting new research, demonstrating new techniques, and teaching users in the fields […]

The post Leveraging PowerShell & Python MUS 2019 appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

Read the original at: The Leahy Center for Digital Forensics & Cybersecurity
Filed Under: Digital Forensics, Uncategorized. Tagged With: Conferences & Events, Cyber Tips, Events, Magnet

September 17, 2019 by LCDI

Magnet User Summit 2019

Introduction

During the first week of April, I had the chance to go to the Magnet User Summit in Tennessee. During the trip I met many Champlain students that I wouldn’t have known if I hadn’t gone. I also had the chance to talk with upperclassmen within my major who told me about their experience at Champlain. They gave me pointers on opportunities that I should take advantage of while at Champlain.

During this conference, I learned about many topics within the digital forensics field. Specifically, I had the chance to learn more about how to leverage Python within PowerShell and how I could further my knowledge about PowerShell and Python. I was also able to learn about IoT and the artifacts that someone could find within devices that people use every day.

One of the sessions that stood out the most to me was the session called “IOC Easy as 1-2-3”. During this session, the presenters explained the term IOC, meaning Indicator of Compromise. Attackers easily breached a leading company’s software because nobody looked in the file where it was located. There ended up being multiple files with funny names like “totallynotavirus” within a folder containing software from the company FireEye. The files clearly contained malware from attackers who had access to the system. The presenters also mentioned that the IT team at the business was compromised and was quite embarrassed about this happening. It goes to show that even software from a company like FireEye may have vulnerabilities, even though it’s meant to protect a computer system.

Conclusion

Overall, I believe that going to the Magnet User Summit was a great learning experience. I was able to learn about many new things in the field of digital forensics. I also was able to meet new people, both from Champlain and industry professionals. It was a great experience for me and I hope to be able to attend more in the future. I highly recommend MUS to anyone interested in going to a conference. Learn as much as you can and have fun!

Blog written by Champlain College’s Liam Barry.

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @Champlainforensics to see other important information pertaining to our project!

The post Magnet User Summit 2019 appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

Read the original at: The Leahy Center for Digital Forensics & Cybersecurity
Filed Under: Digital Forensics, Uncategorized. Tagged With: Champlain College, conference, Digital forensics, Events, LCDI, Magnet, Magnet Forensics

September 17, 2019 by LCDI

Using Memory Forensics Analysis to Guide Your Investigation

Introduction

I had the honor of attending the Magnet User Summit 2019 in Nashville on April 1-3. This was my first professional conference as a junior at Champlain College. It was exciting to be able to correlate the presentations with the knowledge I’ve gathered in my courses. The conference was also a great networking space where I got to meet professionals in the digital forensics industry. I participated in various sessions, both lectures and labs. One of the sessions that I really appreciated was on Using Memory Forensics Analysis to Guide Your Investigation by Aaron Sparling, Computer Forensic Examiner with Portland Police Bureau.

Memory analysis speeds up a traditional forensic examination and can drive the investigation. On a Windows system, “memory” means physical memory (RAM) plus the system files that hold paged-out and hibernated memory, pagefile.sys and hiberfil.sys. Many forensic artifacts reside in memory and should not be ignored: every process that executes on a computer has its code and data in RAM at some point. Memory acquisition also completes in a fraction of the time that hard drive acquisition takes, which is usually hours.

Some of the analysis tools shared with us include Bulk Extractor, PhotoRec, Scalpel, Volatility, page_brute.py and YARA, along with strings and grep/regex. I had a bit of experience with all of these tools except for YARA, which was completely new to me. YARA lets the analyst write rules made of textual and/or binary (hex) patterns to hunt for malware or anything else they choose. page_brute.py applies YARA rules to pagefile.sys one page at a time from the command line. Volatility can decompress hiberfil.sys into a raw .bin image for faster analysis, and it is extensible, i.e., you can write your own plugins or modify existing ones for your analysis.
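The page-by-page hunting described above, as an added example that is my own code and not the original post’s, page_brute.py’s, Volatility’s or any Magnet code: the scanner walks an image (a RAM dump, pagefile.sys, or a hiberfil.sys already converted to raw) in 4 KiB pages, carves ASCII and UTF-16LE strings the way `strings` does, and applies two kinds of patterns, raw byte signatures (YARA hex-string style) and regexes over the carved strings (grep style), for the sort of artifacts memory triage looks for: browser search terms, a user SID, a local file path, a PE header. The rule names, regexes and the four-page sample image are constructed for illustration; the 4 KiB page size is an assumption that holds for x86/x64 Windows.

```python
"""Page-by-page pattern hunting over a memory image.

Added example, not page_brute.py or any Magnet/Volatility code. The rule
names, regexes and sample image below are constructed for illustration.
"""
import re
from dataclasses import dataclass

PAGE_SIZE = 4096  # assumption: x86/x64 Windows RAM and pagefile.sys use 4 KiB pages


@dataclass(frozen=True)
class Hit:
    rule: str
    page: int       # page number within the image
    offset: int     # absolute byte offset of the match within the image
    encoding: str   # "raw", "ascii" or "utf-16le"
    value: str


# Patterns applied to the raw bytes of each page (YARA "hex string" style).
RAW_RULES = {
    # first 8 bytes of the canonical DOS header that opens a PE file
    "pe_dos_stub": re.compile(rb"MZ\x90\x00\x03\x00\x00\x00"),
}

# Patterns applied to the printable strings carved from each page
# (YARA "text string" / grep style). Group 1, when present, is the value reported.
STRING_RULES = {
    "browser_search": re.compile(r"https?://[\w.-]+/search\?\S*?q=([^&\s]+)"),
    "windows_sid": re.compile(r"S-1-5-21-\d+-\d+-\d+-\d{3,}"),
    "user_download_path": re.compile(r"[A-Z]:\\Users\\[^\\\s]+\\Downloads\\[^\\\s]+"),
}


def iter_pages(image, page_size=PAGE_SIZE):
    """Yield (page_number, page_bytes); the final page may be short."""
    for page_no in range((len(image) + page_size - 1) // page_size):
        yield page_no, image[page_no * page_size:(page_no + 1) * page_size]


def extract_strings(page, min_len=6):
    """Carve ASCII and UTF-16LE runs like `strings -a` / `strings -el`.
    Returns a list of (offset_in_page, encoding, text)."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_run.finditer(page)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in wide_run.finditer(page)]
    return found


def scan_pages(image, page_size=PAGE_SIZE):
    """Run RAW_RULES on each page's bytes and STRING_RULES on its carved strings."""
    hits = []
    for page_no, page in iter_pages(image, page_size):
        if not page.strip(b"\x00"):
            continue  # all-zero page: most of a pagefile looks like this
        base = page_no * page_size
        for name, pat in RAW_RULES.items():
            for m in pat.finditer(page):
                hits.append(Hit(name, page_no, base + m.start(), "raw", m.group().hex()))
        for off, enc, text in extract_strings(page):
            width = 2 if enc == "utf-16le" else 1  # bytes per character in the carved run
            for name, pat in STRING_RULES.items():
                for m in pat.finditer(text):
                    hits.append(Hit(name, page_no, base + off + m.start() * width, enc,
                                    m.group(m.lastindex or 0)))
    return hits


def _page(payloads):
    """Build one page from {offset: bytes}, zero elsewhere (constructed data)."""
    buf = bytearray(PAGE_SIZE)
    for at, data in payloads.items():
        buf[at:at + len(data)] = data
    return bytes(buf)


def build_sample_image():
    """Constructed four-page stand-in for a pagefile fragment; not real evidence."""
    return b"".join([
        _page({}),                                                          # page 0: unused
        _page({0x200: "https://www.google.com/search?q=how+to+wipe+a+hard+drive".encode("utf-16-le"),
               0xa00: b"S-1-5-21-1004336348-1177238915-682003330-1001"}),  # page 1: browser + SID
        _page({0x000: bytes.fromhex("4d5a90000300000004000000ffff0000"),
               0x800: rb"C:\Users\demo\Downloads\invoice_2019.exe"}),       # page 2: PE + path
        _page({0x100: b"This page only holds innocuous text."}),            # page 3: no hits
    ])


if __name__ == "__main__":
    for h in scan_pages(build_sample_image()):
        print(f"page {h.page:>3} offset 0x{h.offset:06x} [{h.encoding:8}] {h.rule}: {h.value}")
```

Reporting the absolute offset alongside the page number is what makes a hit actionable: it lets you go back to the image with a hex editor or a carver (Bulk Extractor, Scalpel) and pull the surrounding page, which is usually where the context for a search term or a path lives. Treating UTF-16LE separately matters on Windows, where browser history and registry-derived strings in memory are often wide and a plain ASCII grep misses them.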

Memory Forensics Lab

In addition to this lecture, I also took part in a lab on memory forensics run by Jamey Tubbs, Magnet’s Director of Training Operations and Curriculum Development. During this hour-and-a-half lab, we were able to build a case/user profile from 2 GB of RAM using Magnet AXIOM Process and AXIOM Examine. We found crucial artifacts such as the user’s SID, browser search terms and their timestamps, and local file paths. Such information gives the investigator direction and speeds up the process once the hard drive is acquired.

Conclusion

The importance of preserving memory when dealing with a live system cannot be overstated. The conference was quite informative and a great first experience. It was also inspiring to see all the projects Magnet Forensics is working on and how beneficial their products have been to the industry, both within the private sector and with law enforcement.


Blog written by Champlain College junior Lavine Oluoch 

The post Using Memory Forensics Analysis to Guide Your Investigation appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

Read the original at: The Leahy Center for Digital Forensics & Cybersecurity
Filed Under: Digital Forensics, Uncategorized. Tagged With: Blog Post, Champlain College, Digital Investigation, forensics, Magnet, Magnet Forensics, MUS2019, Nashville, Networking, Public Appearance, Update, windows

About

This site aggregates posts from various digital forensics blogs. Feel free to take a look around, and make sure to visit the original sites.

All content is copyright the respective author(s)