Forensic Blogs

An aggregator for digital forensics blogs

by

Encase Tool Evaluation

Introduction:

Over the past five weeks we have been researching and gathering information on Opentext software EnCase 8, readying ourselves to begin dissecting evidence in our mock investigation. As the EnCase 8 intern team, we have been spending large amounts of time watching YouTube videos and diving deep into the manual provided by Opentext software. Most recently, we have spent time running through our mock story, completing final checks of the data generation and finally starting our data generation in the VM. We are a team of two first year interns trying to get our foot in the door of the digital forensic world. This is our story….

Our Story: 

Since day one, we have been slowly figuring out the ins and outs of EnCase 8 and its usability in our investigation. Hours have been spent watching “how to” videos and trying to replicate the actions in EnCase on a flash drive full of files. We have also been doing a heavy amount of reading from the manual, taking notes, and highlighting important commands that will become necessary when using EnCase. One of the main features we needed to know how to do first was imaging drives. To learn how to image a drive, we used a write blocker hooked up to a hard drive and then we followed our notes to image the drive. This was just one of the many important features we will be using with Encase.

Upon completion of our never ending quest to better understand EnCase, we begin to familiarize ourselves with the story we generated as a team of 8 that we’d be using for our investigation. This involved reading through the story day by day and testing the actions from the script that we wrote. Once this was all completed, our team member Matt was the first to run the final data generation in the VM for the first time. He started with opening the tool evaluation VM and began to work his way through the day one script for our mock investigation. Matt followed the script closely while taking detailed notes of anything he added to the script to beef up day one of our data generation. He also took detailed notes on what was displayed on the screen including the time and action that occurred.

Conclusion:

Next up, we will begin to use EnCase by doing keyword searches and gathering artifacts.We are very excited to get our hands on the mock evidence and truly begin our professional digital forensic experience. Expect us to slowly but surely harness the powers of EnCase 8 and dive head first into this investigation evaluating Encase as we go. We will take detailed notes and begin the process of compiling our report on EnCase 8. Stay tuned to hear more about our ups, downs, and everything in between here at the Leahy Center for Digital Investigation. Check in on Instagram @champforensicslcdi and Twitter @ChampForensics!

 

To learn more about this and other blogs of the LCDI visit us here: LCDI Blog.

Stay in the loop on our current and upcoming projects and events by following us on Facebook,  Twitter, or Instagram. 

The post Encase Tool Evaluation appeared first on The Leahy Center for Digital Investigation.

by

SIFT Tool Evaluation

Introduction:

The Senator Leahy Center for Digital Investigation (LCDI) is an establishment that was created to encourage Champlain College students to gain technical knowledge of an area within their field of study. As a team, interns are expected to communicate and work together in order to finish a project. This is the experience of the LCDI through the eyes of two interns.

 

Our Experience:

Our experience so far at the LCDI  has been exceptional. As first year students, we have learned valuable information about computer and digital forensics that we can actually use in the field. As technical interns, we are compiling information about a digital forensics tool. We are doing this to determine what tool has the greatest functionality and to gain real world experience working with a digital forensic tool. We are working with SIFT, and, so far, everything about it has been thrilling.

 

As interns, we have learned a few new things working with more experienced members. As one might expect, we have honed a large amount of new technical skills while working in a computer lab. But we have also practiced skills newer to us, such as working on a team and working under a team of supervisors. You can attend any amount of hours in a technical course without ever learning the social skills required in a workplace. Our time at the lab has given us great experience in interpersonal relations we’ll need to utilize in our future careers.

 

Before starting our work, we knew very little about digital forensics or the tools used to analyze data. We also didn’t know very much about Linux commands. This was difficult at first because SIFT is a Linux based forensics toolkit, but we have gained exponential knowledge from working with it over these past months.

 

Our experience at the LCDI has thus far been overwhelmingly positive and exciting. The environment the LCDI has allows me to explore the social aspect of a workplace while also exploring the technical aspect. This, to me, is exactly what we were looking for in college, and is unique to Champlain College. We are excited to have the future opportunity to work ever higher positions at the LCDI.

 

Conclusion:

Our next step is analysis of the data that we just finished generating. We’ll keep you posted!

 

 

To learn more about this and other blogs of the LCDI visit us here: LCDI Blog.

Stay in the loop on our current and upcoming projects and events by following us on Facebook,  Twitter, or Instagram. 

The post SIFT Tool Evaluation appeared first on The Leahy Center for Digital Investigation.

by

Python & Nmap

Automated Network Scanner! Team

 

Network Scanning Overview

So far, the Automated Network Scanning Team ! has learned about Python and Nmap. We are planning to use Python to create an automated network scanner and report generator with Nmap. To do this, we had to learn how to install various Python packages, such as libnmap, a package that enables the execution of Nmap. We also installed argparse, which allows users to change how a program runs without changing the code of the program, and smtplib, which allows Python to send emails from an SMTP server.

Python

The Python scanning portion will first take inputs from the command line using the argparse package, allowing the user to run it with different inputs, specify target IP’s, and identify the output destination of the email report. The team added these features  to the program. Which was intended to run remotely from a Raspberry Pi integrated into a network. After the user specifies these parameters, the program launches a scan utilizing the libnmap package. Unlike all the other packages, to install libnmap we had to learn how to use pip, a python package installation tool. This was a new experience for the team, but we successfully learned how to install packages using pip.

After the scan completes, it is re-organized for readability, and then the smtplib package is used to send the results in .csv file to the target destination. Throughout this process, we had to learn from the documentation of all three of these packages, which we had never worked with before. It improved our understanding of the Python language and sharpened our programming skills.

Network Mapper – Nmap

While using Nmap, we studied different types of scans to obtain all the information needed to compile a full report. We began by examining a ping scan, which scans through a range of IP’s for promising IP addresses to scan. A ping scan uses the same packets as a standard ping request. This scan was done first in our program in order to discover any viable hosts that were up and running, while being relatively fast compared to other host discovery scans. It also provided enough information to execute our next scans. The next scan that ran was the OS Fingerprinting scan.

This scan sent packets to a host, then ran dozens of tests on that host. After this, Nmap compared the results to a database of more than 2,600 OS fingerprints, trying to find a good match. We used this scan type to gather additional information on the target hosts/network.

Conclusion

One added feature of our automated network scanner is to find known vulnerabilities. We decided to scan for a cryptographic vulnerability, the Heartbleed Bug. This vulnerability allows the stealing of information encrypted with OpenSSL, a popular encryption protocol. There are Nmap scripts designed to scan for targets that are vulnerable to this bug. Nmap maintains a database of scripts that other users have found useful for security applications, and individual users can expand their nmap abilities by scripting to obtain new and different information.

Throughout the past few weeks, our Automated Network Scanning Team has learned about several Python packages, like libnmap, argparse, and smtplib. We have explored the functionalities of Nmap, bringing both together in our Python automated network scanner.

 

To learn more about this and other blogs of the LCDI visit us here: LCDI Blog.

Stay in the loop on our current and upcoming projects and events by following us on Facebook,  Twitter, or Instagram. 

The post Python & Nmap appeared first on The Leahy Center for Digital Investigation.