Forensic Blogs

An aggregator for digital forensics blogs

by

Exploring Axiom 3.0 and the Child Protection System at MUS 2019

Introduction:

This past April, I had the opportunity to attend the Magnet User Summit 2019 as a representative of Champlain College. This year marked my first year attending a conference in addition to being a first-year student. I couldn’t be more grateful for this opportunity, and I consider myself lucky to have networked with industry professionals and learn from them as an undergraduate student.

Session Review:

Child Exploitation: Collaboration to combat online child sexual exploitation

One of my favorite session from this year’s conference was “Child Exploitation: Collaboration to combat online child sexual exploitation”. Bill Wiltse and Patrick Beaver, two professionals from Child Rescue Coalition, presented the session. Wiltse and Beaver gave a compelling presentation on how people use Magnet Forensics’ new launch of the Axiom 3.0 in collaboration of the release of the new site to help catch sex offenders.

The new site is CPS, also known as Child Protection System. This originally started in 2004, but redone as of 2019. CPS site monitors nine systems that sex offenders frequent and what happens if that they bring all the data back and put in a joint centralized data. It then examines the results and stories it in a document as evidence. On average 20-30 million records go into this database a day. CPS is a centralized database of all the targeted sex offenders in a region. In 2010 it was discovered that this database is so trustworthy, law enforcement officers use it as the sole basis for search warrants, its original purpose.

Axiom comes into play here as it highlights IP addresses using key words linked to child exploitation. This program can detect how many files are on a predator’s computer, the profile make-up of the victims, and intent to distribute or cause physical harm.  

Conclusion:

My biggest takeaway from this session was how useful Axiom is with the centralized database to catch sex offenders. Both professionals highlighted how this database is constantly providing useful information to law enforcement to make decisions about threats.

MUS provided me with opportunities to broaden my understanding of the digital forensic and cybersecurity industries. I also got to connect with others who are just as passionate about these fields as I am. Even more, I was able to explore and experience Nashville with my friends! I’d like to thank Magnet Forensics and Champlain College for affording me the opportunity to attend Magnet User Summit 2019. I can only hope to attend another conference next year!

 

Blog written by Champlain College first year Angel Gallien.

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @Champlainforensics to see other important information pertaining to our project!

The post Exploring Axiom 3.0 and the Child Protection System at MUS 2019 appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

by

Using Memory Forensics Analysis to Guide Your Investigation

Introduction

I had the honor of attending the Magnet User Summit 2019 in Nashville on April 1-3. This was my first professional conference as a junior at Champlain College.  It was exciting to be able to correlate the presentations with the knowledge I’ve gathered in my courses. The conference was also a great networking space where I got to meet professionals in the digital forensics industry. I participated in various sessions, both lectures and labs. One of the sessions that I really appreciated was on Using Memory Forensics Analysis to Guide your Investigation by Aaron Sparling, Computer Forensic Examiner with Portland Police Bureau.

Memory analysis speeds up traditional forensic examinations and can drive the investigation. On a Windows system, memory includes physical memory (RAM) and system files such as pagefile.sys and hiberfil.sys. There are a lot of forensic artifacts that reside in memory which should not be ignored. Almost every process executed on a computer goes through RAM at some point. Not to mention that memory acquisition can be done in a fraction of the time compared to hard drive acquisition which usually takes hours.

Some of the analysis tools shared with us include: Bulk Extractor, Photorec, Scalpel, Volatility, Page_Brute.py and YARA. You can also use strings and GREP/REGEX. I had a bit of experience with all these tools except for Yara which was completely new to me. It is a tool that allows the analyst to write textual and/or binary patterns to hunt for malware or anything else they choose. Page-brute.py uses YARA rules to parse pagefile.sys within a command-line interface. Volatility is good for decompressing hiberfil.sys to .bin for faster analysis. It is extensible i.e. you can write your own plugins or modify existing plugins for your analysis.

Memory Forensics Lab

In addition to this lecture, I also took part in a lab on memory forensics run by Jamey Tubbs, Magnet’s Director of Training Operations and Curriculum Development. During this hour and a half lab, we were able to build a case/user profile from 2GB of RAM using Magnet Axiom Process and Examine. We found crucial artifacts such as user SID, browser search terms, their timestamps, and local file paths. Such information gives the investigator direction and speeds up the process once the hard drive is acquired.

Conclusion

The importance of preserving memory when dealing with a live system cannot be overstated. The conference was quite informative and a great first experience. It was also inspiring to see all the projects Magnet Forensics are working on and how beneficial their products have been to the industry both within the private sector and with law enforcement.  

 

Blog written by Champlain College junior Lavine Oluoch 

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @Champlainforensics to see other important information pertaining to our project!

The post Using Memory Forensics Analysis to Guide Your Investigation appeared first on The Leahy Center for Digital Investigation.

by

Using Memory Forensics Analysis to Guide Your Investigation

Introduction

I had the honor of attending the Magnet User Summit 2019 in Nashville on April 1-3. This was my first professional conference as a junior at Champlain College.  It was exciting to be able to correlate the presentations with the knowledge I’ve gathered in my courses. The conference was also a great networking space where I got to meet professionals in the digital forensics industry. I participated in various sessions, both lectures and labs. One of the sessions that I really appreciated was on Using Memory Forensics Analysis to Guide your Investigation by Aaron Sparling, Computer Forensic Examiner with Portland Police Bureau.

Memory analysis speeds up traditional forensic examinations and can drive the investigation. On a Windows system, memory includes physical memory (RAM) and system files such as pagefile.sys and hiberfil.sys. There are a lot of forensic artifacts that reside in memory which should not be ignored. Almost every process executed on a computer goes through RAM at some point. Not to mention that memory acquisition can be done in a fraction of the time compared to hard drive acquisition which usually takes hours.

Some of the analysis tools shared with us include: Bulk Extractor, Photorec, Scalpel, Volatility, Page_Brute.py and YARA. You can also use strings and GREP/REGEX. I had a bit of experience with all these tools except for Yara which was completely new to me. It is a tool that allows the analyst to write textual and/or binary patterns to hunt for malware or anything else they choose. Page-brute.py uses YARA rules to parse pagefile.sys within a command-line interface. Volatility is good for decompressing hiberfil.sys to .bin for faster analysis. It is extensible i.e. you can write your own plugins or modify existing plugins for your analysis.

Memory Forensics Lab

In addition to this lecture, I also took part in a lab on memory forensics run by Jamey Tubbs, Magnet’s Director of Training Operations and Curriculum Development. During this hour and a half lab, we were able to build a case/user profile from 2GB of RAM using Magnet Axiom Process and Examine. We found crucial artifacts such as user SID, browser search terms, their timestamps, and local file paths. Such information gives the investigator direction and speeds up the process once the hard drive is acquired.

Conclusion

The importance of preserving memory when dealing with a live system cannot be overstated. The conference was quite informative and a great first experience. It was also inspiring to see all the projects Magnet Forensics are working on and how beneficial their products have been to the industry both within the private sector and with law enforcement.  

 

Blog written by Champlain College junior Lavine Oluoch 

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @Champlainforensics to see other important information pertaining to our project!

The post Using Memory Forensics Analysis to Guide Your Investigation appeared first on The Leahy Center for Digital Forensics & Cybersecurity.