Forensic Blogs

An aggregator for digital forensics blogs

October 26, 2018 by LCDI

SIFT Tool Evaluation

Introduction:

The Senator Leahy Center for Digital Investigation (LCDI) is an establishment that was created to encourage Champlain College students to gain technical knowledge of an area within their field of study. As a team, interns are expected to communicate and work together in order to finish a project. This is the experience of the LCDI through the eyes of two interns.

Our Experience:

Our experience so far at the LCDI has been exceptional. As first year students, we have learned valuable information about computer and digital forensics that we can actually use in the field. As technical interns, we are compiling information about a digital forensics tool. We are doing this to determine what tool has the greatest functionality and to gain real world experience working with a digital forensic tool. We are working with SIFT, and, so far, everything about it has been thrilling.

As interns, we have learned a few new things working with more experienced members. As one might expect, we have honed a large number of new technical skills while working in a computer lab. But we have also practiced skills newer to us, such as working on a team and working under a team of supervisors. You can attend any number of hours in a technical course without ever learning the social skills required in a workplace. Our time at the lab has given us great experience in the interpersonal relations we'll need to utilize in our future careers.

Before starting our work, we knew very little about digital forensics or the tools used to analyze data. We also didn't know very much about Linux commands. This was difficult at first because SIFT is a Linux based forensics toolkit, but we have gained exponential knowledge from working with it over these past months.

Our experience at the LCDI has thus far been overwhelmingly positive and exciting. The environment the LCDI has allows us to explore the social aspect of a workplace while also exploring the technical aspect. This, to us, is exactly what we were looking for in college, and is unique to Champlain College. We are excited to have the future opportunity to work in ever higher positions at the LCDI.

Conclusion:

Our next step is analysis of the data that we just finished generating. We'll keep you posted!

To learn more about this and other blogs of the LCDI visit us here: LCDI Blog.

Stay in the loop on our current and upcoming projects and events by following us on Facebook, Twitter, or Instagram.


Read the original at: The Leahy Center for Digital Investigation

February 12, 2016 by Harlan Carvey

Links

Presentations
I recently ran across this presentation from Eric Rowe of the Canadian Police College (presentation hosted by Bloomsburg University in PA).  The title of the presentation is Volume Shadow Copy and Registry Forensics, so it caught my eye.  Overall, it was a good presentation, and something I've done myself, more than once.

Education and Training
Now and again, I see posts to various lists and forums asking about how to get hands-on experience.  If you can't afford the courses that provide this, it's still not difficult to get it.  There are a number of sites available online that provide access to images, and tools are available just about...well...everywhere.

For images, Lance's first practical is still available online, having been originally posted about 8 years ago; the image is of a Windows XP system, and it includes System Restore Points.  Want to work with some Volume Shadow Copies (VSCs) in a Win7 image?  David has an image available with this blog post.  For other sorts of images, there's the Digital Corpora site,  the CFreds "hacking case" from NIST, and the InfoSec Short Takes competition scenario and image, to name a few.

From these images, you can select individual artifacts to extract and parse, in order to get familiar with the data and the tools, you can follow the scenario provided with each image (answer the questions, etc.), or you can conduct analysis under the tutelage of a mentor.  All of these provide great opportunities for education and training.

If I were in a position to hire for an opening, and an applicant stated that they'd downloaded and analyzed one of these images, I would ask to see their case notes and report, or even a blog post they'd written, something to show that they had a thought process.  I'd also ask questions about various investigative decisions they'd made throughout the process.

Tools
OLETools - this is a (Python) package of tools for analyzing MS structured storage files, the old style Office docs (more info/links available here).  Tools such as these would be most helpful when performing malware detection with documents that use this format.  To upgrade or install the tools, you can use 'pip' within your Python installation.

Jon Glass has released an updated version of his WebCacheV01.dat parser, written in Python.  I've been using esedbexport and esedbviewer, but this will be a great addition to my toolkit, because with the code available, I was able to modify it so that the information parsed from the WebCacheV01.dat file can be added directly into my timeline analysis process (that is, I modified the script to output in TLN format).  Thanks to David Cowen's blog, if you need to install (updated) libraries for use by Python, here's a great place you can go to get the compiled binaries.
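As an illustration of the kind of TLN conversion described above, here is an added example (not Jon Glass's parser or any code from the original post) that turns WebCache container records into pipe-delimited TLN lines. It assumes records are already parsed into dicts keyed by the real Container table column names (Url, AccessedTime, AccessCount); the timestamps and URLs are constructed sample values, and the host and user names are placeholders.

```python
# FILETIME counts 100 ns ticks since 1601-01-01 UTC; this delta moves it to 1970-01-01.
FILETIME_EPOCH_DELTA = 116444736000000000
TICKS_PER_SECOND = 10_000_000


def filetime_to_epoch(filetime: int) -> int:
    """Convert a 64-bit Windows FILETIME to whole Unix seconds (UTC)."""
    if filetime <= 0:
        raise ValueError("FILETIME must be positive")
    return (filetime - FILETIME_EPOCH_DELTA) // TICKS_PER_SECOND


def tln_line(ts: int, source: str, host: str, user: str, desc: str) -> str:
    """Build one TLN record: Time|Source|System|User|Description.

    A stray pipe or newline inside a field would split the record when the
    timeline is later parsed, so both are replaced before joining.
    """
    clean = [f.replace("|", "/").replace("\n", " ") for f in (source, host, user, desc)]
    return "|".join([str(ts)] + clean)


def webcache_to_tln(records, host: str, user: str):
    """Yield one TLN line per record that carries a usable AccessedTime.

    An AccessedTime of 0 is an unset timestamp and would otherwise land on
    1601-01-01, so such rows are skipped rather than placed on the timeline.
    """
    for rec in records:
        ft = rec.get("AccessedTime") or 0
        if ft == 0:
            continue
        desc = f"{rec.get('Url', '')} (AccessCount={rec.get('AccessCount', 0)})"
        yield tln_line(filetime_to_epoch(ft), "WebCacheV01", host, user, desc)


# Constructed sample records, not parsed from a real WebCacheV01.dat file.
SAMPLE_RECORDS = [
    {"Url": "Visited: jdoe@http://example.com/login", "AccessedTime": 130_000_000_000_000_000, "AccessCount": 3},
    {"Url": "http://example.net/favicon.ico", "AccessedTime": 0, "AccessCount": 1},
    {"Url": "http://example.org/a|b", "AccessedTime": 130_000_000_010_000_000, "AccessCount": 1},
]

if __name__ == "__main__":
    for line in webcache_to_tln(SAMPLE_RECORDS, "WKSTN01", "jdoe"):
        print(line)
```

The output can be appended directly to an existing TLN events file and sorted on the first field alongside events from other sources.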

For converting Python scripts into standalone Windows executable files, py2exe appears to be the solution; at least, that's what I'm finding in my searches.

Speaking of Python, if you're into (or new to) Python programming for DFIR work, you might want to check out (Mastering) Python Forensics; Jon's review can be found here.  I'm considering getting a copy; from what I can see so far, it's similar to Perl Scripting for Windows Security.

Books

Speaking of books, Windows Registry Forensics, 2/e is due out in April.  I'm looking forward to this one for a couple of reasons; first, a lot of the material is completely rewritten, and there's not only some new material with respect to the hives themselves, but I added a chapter on using RegRipper.  My hope is that analysts will read the chapter, and get a better understanding of how to use RegRipper to further their investigations, and go beyond simply downloading the distribution and running everything via the GUI.

Second, this book has entirely new cover art!  This is awesome!  When the first edition came out, I took two copies to a conference to give away at the end of my presentation...I had received the copies the day before leaving for the conference, they were that new.  When I went to give one of the books away, the recipient said, "I already have that one."  But there was no way that they could have, because it was brand new.  The issue was that the publisher had decided to publish several books (not just my titles) with the same color scheme!  Rather than reading the title of the books, most folks were simply looking at the color and thinking, "...yeah, I've seen/got that one...".  Right now, I have 8 Syngress books on my book shelf, comprised of two color schemes...both of which are simply just slightly different shades of green!  Most folks don't know the difference between Digital Forensics with Open Source Tools and Windows Registry Forensics 1/e, because there is no difference in the color scheme.  It's great to see this change.

Read the original at: Windows Incident Response

August 10, 2015 by Corey Harrell

Minor Updates to Auto_rip

This is a quick post to pass along that I updated my auto_rip script. For those who may not know, auto_rip is a wrapper script for Harlan Carvey's RegRipper program and it executes RegRipper’s plug-ins based on categories and in a specific order. To learn more about my script please see my previous post Unleashing auto_rip. The auto_rip updates are pretty minor. I separated out the changes to a change log instead of documenting changes in the script itself, added a device category (due to a new plug-in), and I added most of the new RegRipper plug-ins Harlan created (as of 7/30/15). The download location can be found on the right of my blog or using this link to its Google drive location.


****** 08/11/2015  Update *******

At this time I removed the compiled executable from auto_rip. The compiled executable is having issues and I'm working to resolve it. However, the Perl script is present and works fine. As soon as I'm able to compile the script into an exe, I'll add it back to the auto_rip archive.

Read the original at: Journey Into Incident Response
