Practical Windows Forensics - Ayman Shaaban - E-Book


Ayman Shaaban

Description

Leverage the power of digital forensics for Windows systems

About This Book

  • Build your own lab environment to analyze forensic data and practice techniques.
  • This book offers meticulous coverage with an example-driven approach and helps you build the key skills of performing forensics on Windows-based systems using digital artifacts.
  • It uses specific open source and Linux-based tools so you can become proficient at analyzing forensic data and upgrade your existing knowledge.

Who This Book Is For

This book targets forensic analysts and professionals who would like to develop skills in digital forensic analysis for the Windows platform. You will acquire proficiency, knowledge, and core skills to undertake forensic analysis of digital data.

Prior experience of information security and forensic analysis would be helpful. You will gain knowledge and an understanding of performing forensic analysis with tools especially built for the Windows platform.

What You Will Learn

  • Perform live analysis on victim or suspect Windows systems locally or remotely
  • Understand the different natures and acquisition techniques of volatile and non-volatile data.
  • Create a timeline of all the system actions to restore the history of an incident.
  • Recover and analyze data from FAT and NTFS file systems.
  • Make use of various tools to perform registry analysis.
  • Track a system user's browser and e-mail activities to prove or refute some hypotheses.
  • Get to know how to dump and analyze computer memory.

In Detail

Over the last few years, the wave of the cybercrime has risen rapidly. We have witnessed many major attacks on the governmental, military, financial, and media sectors. Tracking all these attacks and crimes requires a deep understanding of operating system operations, how to extract evident data from digital evidence, and the best usage of the digital forensic tools and techniques. Regardless of your level of experience in the field of information security in general, this book will fully introduce you to digital forensics. It will provide you with the knowledge needed to assemble different types of evidence effectively, and walk you through the various stages of the analysis process.

We start by discussing the principles of the digital forensics process and move on to show you the approaches that are used to conduct analysis. We will then study various tools to perform live analysis, and go through different techniques to analyze volatile and non-volatile data.

Style and approach

This is a step-by-step guide that delivers knowledge about different Windows artifacts. Each topic is explained sequentially, including artifact analysis using different tools and techniques. These techniques make use of the evidence extracted from infected machines, and are accompanied by real-life examples.


Page count: 298

Year of publication: 2016




Table of Contents

Practical Windows Forensics
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the color images of this book 
Errata
Piracy
Questions
1. The Foundations and Principles of Digital Forensics
What is digital crime?
Digital forensics
Digital evidence
Digital forensic goals
Analysis approaches
Summary
2. Incident Response and Live Analysis
Personal skills
Written communication
Oral communication
Presentation skills
Diplomacy
The ability to follow policies and procedures
Team skills
Integrity
Knowing one's limits
Coping with stress
Problem solving
Time management
Technical skills
Security fundamentals
Security principles
Security vulnerabilities and weaknesses
The Internet
Risks
Network protocols
Network applications and services
Network security issues
Host or system security issues
Malicious code
Programming skills
Incident handling skills
The hardware for IR and Jump Bag
Software
Live versus mortem
Volatile data
Nonvolatile data
Registry data
Remote live response
Summary
3. Volatile Data Collection
Memory acquisition
Issues related to memory access
Choosing a tool
DumpIt
FTK Imager
Acquiring memory from a remote computer using iSCSI
Using the Sleuth Kit
Network-based data collection
Hubs
Switches
Tcpdump
Wireshark
Tshark
Dumpcap
Summary
4. Nonvolatile Data Acquisition
Forensic image
Incident Response CDs
DEFT
Helix
Live imaging of a hard drive
FTK imager in live hard drive acquisition
Imaging over the network with FTK imager
Incident response CDs in live acquisition
Linux for the imaging of a hard drive
The dd tool
dd over the network
Virtualization in data acquisition
Evidence integrity (the hash function)
Disk wiping in Linux
Summary
5. Timeline
Timeline introduction
The Sleuth Kit
Super timeline – Plaso
Plaso architecture
Preprocessing
Collection
Worker
Storage
Plaso in practice
Analyzing the results
Summary
6. Filesystem Analysis and Data Recovery
Hard drive structure
Master boot record
Partition boot sector
The filesystem area in partition
Data area
The FAT filesystem
FAT components
FAT limitations
The NTFS filesystem
NTFS components
Master File Table (MFT)
The Sleuth Kit (TSK)
Volume layer (media management)
Filesystem layer
The metadata layer
istat
icat
ifind
The filename layer
Data unit layer (Block)
blkcat
blkls
Blkcalc
Autopsy
Foremost
Summary
7. Registry Analysis
The registry structure
Root keys
HKEY_CLASSES_ROOT or HKCR
HKEY_LOCAL_MACHINE
HKEY_USERS or HKU
HKEY_CURRENT_USER or HKCU
Mapping a hive to the filesystem
Backing up the registry files
Extracting registry hives
Extracting registry files from a live system
Extracting registry files from a forensic image
Parsing registry files
The base block
Hbin and CELL
Auto-run keys
Registry analysis
RegistryRipper
Sysinternals
MiTeC Windows registry recovery
Summary
8. Event Log Analysis
Event Logs - an introduction
Event Logs system
Security Event Logs
Extracting Event Logs
Live systems
Offline system
Event Viewer
Event Log Explorer
Useful resources
Analyzing the event log – an example
Summary
9. Windows Files
Windows prefetch files
Prefetch file analysis
Windows tasks
Windows Thumbs DB
Thumbcache analysis
Corrupted Windows.edb files
Windows RecycleBin
RECYCLER
$Recycle.bin
Windows shortcut files
Shortcut analysis
Summary
10. Browser and E-mail Investigation
Browser investigation
Microsoft Internet Explorer
History files
History.IE5
IEHistoryView
BrowsingHistoryView
MiTeC Internet History browser
Cache
Content.IE5
IECacheView
Msiecf parser (Plaso framework)
Cookies
IECookiesView
Favorites
FavoritesView
Session restore
MiTeC SSV
Inprivate mode
WebCacheV#.dat
ESEDatabaseView
Firefox
Places.sqlite
MozillaHistoryView
Cookies.sqlite
MozillaCookiesView
Cache
MozillaCacheView
Other browsers
E-mail investigation
Outlook PST file
Outlook OST files
EML and MSG files
DBX (Outlook Express)
PFF Analysis (libpff)
Other tools
Summary
11. Memory Forensics
Memory structure
Memory acquisition
The sources of memory dump
Hibernation file
Crash dump
Page files
Processes in memory
Network connections in memory
The DLL injection
Remote DLL injection
Remote code injection
Reflective DLL injection
API hooking
Memory analysis
The volatility framework
Volatility plugins
imagecopy
raw2dmp
imageprofile
pslist
psscan
pstree
psxview
getsids
dlllist
handles
filescan
procexedump
memdump
svcscan
connections
connscan
sockets
sockscan
Netscan
hivelist and printkey
malfind
vaddump
apihooks
mftparser
Summary
12. Network Forensics
Network data collection
Exploring logs
Using tcpdump
Using tshark
Using WireShark
Fields with more information
Knowing Bro
Summary
appA. Building a Forensic Analysis Environment
Factors that need to be considered
Size
Environment control
Security
Software
Hardware
Virtualization
Virtualization benefits for forensics
The distributed forensic system
GRR
Server installation
Client installation
Browsing with the newly-connected client
Start a new flow
appB. Case Study
Introduction
Scenario
Acquisition
Live analysis
The running processes
Network activities
Autorun keys
Prefetch files
Browser analysis
Postmortem analysis
Memory analysis
Network analysis
Timeline analysis
Summary

Practical Windows Forensics

Copyright © 2016 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: June 2016

Production reference: 2220616

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham 

B3 2PB, UK.

ISBN 978-1-78355-409-6

www.packtpub.com

Credits

Authors

Ayman Shaaban

Konstantin Sapronov

Project Coordinator

Judie Jose

Reviewers

Jim Swauger

Dr. Stilianos Vidalis

Zhouyuan Yang

Proofreader

Safis Editing

Acquisition Editor

Manish Nainani

Indexer

Monica Ajmera Mehta

Content Development Editor

Rashmi Suvarna

Graphics

Disha Haria

Technical Editor

Vivek Arora

Production Coordinator

Arvindkumar Gupta

Copy Editor

Priyanka Ravi

Cover Work

Arvindkumar Gupta

About the Authors

Ayman Shaaban (@aymanshaaban) has been working as a security researcher for Kaspersky Lab since May 2014. He worked in the Egyptian national CERT as a digital forensics engineer for 5 years. During his career, Ayman has participated in building digital forensics labs, provided analysis for cases with national and international scopes, and delivered training courses on digital forensics analysis for different high-profile entities.

Ayman is a certified GSEC, GCIH, GCFA, and CFCE. He also has a BSc in communication and electronics, an information security diploma from ITI, and is working on his master's degree in information security. Ayman can be found on LinkedIn at http://eg.linkedin.com/in/aymanshaaban.

I would like to thank my family and my friends for their continuous support. Also, I want to thank all my current and past colleagues in Kaspersky Lab, EG-CERT, and Nile University for their support and dedication.

Konstantin Sapronov works as the deputy head of the Global Emergency Response Team at Kaspersky Lab. He joined Kaspersky Lab in 2000 and has been in his current position since August 2011. Before that, from 2007, he was group manager of the virus lab in China, responsible for establishing and developing the virus lab at Kaspersky Lab's office in China. Prior to this, he worked as a virus analyst and head of the Non-Intel Platform Group in the virus lab at Kaspersky Lab's HQ in Moscow, specializing in reverse engineering and the analysis of malware, exploits, and vulnerabilities. Konstantin is the author of several analytical articles on malware for Unix and other information security topics.

Konstantin holds degrees from the Moscow Power Engineering Institute (a technical university) and the Moscow State University of Economics, Statistics and Information Technology.

First of all, many thanks to all my family—my parents, my wife, and my daughter, who have always supported me. Also, I would like to thank all the people I have worked with all these years at our company for their support, professionalism, and willingness to help.

About the Reviewers

Jim Swauger has over 18 years of experience in the digital forensics field, starting as a computer forensics specialist with the Ohio Attorney General's Computer Crime Unit and then moving on to being the technical security investigator for a top financial institution before becoming an expert consultant with Binary Intelligence. At Binary Intelligence, a firm that specializes in complex cellphone forensic services, Jim manages advanced mobile device Chip-Off, JTAG, and ISP extractions and subsequent forensic data analyses. Jim is an avid Linux user and proponent of using open source resources in digital forensic investigations. His clients include law enforcement and government agencies, corporations, and law firms.

Dr. Stilianos Vidalis was born and raised in Mykonos, a Greek island in the Cyclades. He moved to the UK in 1995 to study computer science. He holds a PhD in the threat assessment of micro-payment systems. He is currently the Director of Training for the Cyber Security Centre at the University of Hertfordshire. He lectures on the subjects of cyber security and digital forensics and undertakes consultancy for a number of private and public organizations.

His involvement in the information operations arena began in 2001. Since then, he has participated in high-profile, high-value projects for large international organizations and governments. He has collected and analyzed information for prestigious European financial institutions, applying international standards under the context of risk and threat assessment. He trained the British Armed Forces (Tri-Service) in penetration testing and digital forensics for a number of years.

During his career, Dr. Vidalis has developed and published in peer-reviewed scientific journals his own threat-assessment methodology and other aspects of his work on threat agent classification, vulnerability assessment, early warning systems, deception in CNO, identity theft, and computer criminal profiling.

Zhouyuan Yang has a master's degree in advanced security and digital forensics. His research areas include host- and network-based security, forensics, penetration testing, and IDP/S systems.

Currently, he is a researcher at Fortinet's Fortiguard Labs on the zero-day team, focusing on network security and vulnerability research.

I would like to thank my father, Qisheng Yang, who gives his full love supporting my career dreams.

www.PacktPub.com

For support files and downloads related to your book, please visit www.PacktPub.com.

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

https://www2.packtpub.com/books/subscription/packtlib

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.

Why subscribe?

  • Fully searchable across every book published by Packt
  • Copy and paste, print, and bookmark content
  • On demand and accessible via a web browser

Free access for Packt account holders

If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view 9 entirely free books. Simply use your login credentials for immediate access.

Preface

Regardless of your level of experience in the field of information security in general, Practical Windows Forensics will fully introduce you to digital forensics. It will provide you with the knowledge needed to assemble different types of evidence properly, and walk you through the various stages of the analysis process.

We start by discussing the principles of the digital forensics process and move on to learning about the approaches that are used to conduct analysis. We will then study various tools to perform live analysis, and go through different techniques to analyze volatile and nonvolatile data. This will be followed by recovering data from hard drives and learning how to use multiple tools to perform registry and system log analyses.

Next, you will be taught how to analyze browsers and e-mails as they are crucial aspects of investigations. We will then go on to extract data from a computer's memory and investigate network traffic, which is another important checkpoint. Lastly, you will learn a few ways in which you can present data, because every investigator needs a work station where they can analyze forensic data.

What this book covers

Chapter 1, The Foundations and Principles of Digital Forensics, explains the importance of the principles of the digital forensics process and the approaches that are usually used to conduct an analysis.

Chapter 2, Incident Response and Live Analysis, discusses the hardware and software that the responder should have to perform incident response properly. Incident response is a very important process that needs to be conducted carefully to properly collect all the available evidence, which will be analyzed in the analysis phase.

Chapter 3, Volatile Data Collection, discusses how to collect the volatile data of the system. Volatile data, such as system memory, is very important and can tell what is happening in the system in the running time. So, to conduct post mortem analysis on this kind of evidence, we need to acquire the evidence first. Also, it changes very quickly, and collecting it in the right way is a very important issue.

Chapter 4, Nonvolatile Data Acquisition, talks about the acquisition of nonvolatile data, such as the hard drive, and how to collect such data forensically in order to not change the integrity of this evidence.

Chapter 5, Timeline, discusses the timeline, which shows all the system and user activities on the system in chronological order and helps build the whole picture of the incident. We will show you how to build one with the Plaso framework.

Chapter 6, Filesystem Analysis and Data Recovery, gives you a good understanding of the most common file systems. To fully understand how the tools work, either for analysis or recovery, the reader needs to understand how files are stored in the file system on a partitioned hard drive.

Chapter 7, Registry Analysis, discusses the structure of the registry and some tools used to perform analyses. When MS Windows operates, almost all actions are mapped in the registry. The registry files are considered the Windows database. Registry forensics can help answer a lot of issues, from what kind of application has been installed on the system to user activities, and many more.

Chapter 8, Event Log Analysis, explains that MS Windows has good features out of the box; we just need to know how to use them. One of these features is logging. Logging can help to figure out what has happened on the system. It records all the events on the system, including security events and events related to the applications running on it.

Chapter 9, Windows Files, tells us that MS Windows has a lot of artifacts, which are created while Windows is running. During analysis, these artifacts can be used to prove or refute hypotheses, or in some cases uncover new, interesting information with evidential value.

Chapter 10, Browser and E-mail Investigation, explains that the Internet, and of course the World Wide Web, is the main channel that users use to exchange data, and browsers are the most common tools for doing so. The investigation of browsers is therefore important when analysts investigate a user's activity. There are many browsers, and we will cover the most popular among them: IE, FF, and Chrome.

E-mail still remains a way to communicate with people in the computer world, especially in a corporate environment. This chapter will cover e-mail formats and explain how to read e-mails from PFF files for analysis and to trace senders.

Chapter 11, Memory Forensics, discusses how memory is the working space for the operating system. In the past, memory forensics was optional, but now there are a few very powerful tools that allow us to extract a lot of evidential information from memory and take digital forensics to a new level.

Chapter 12, Network Forensics, discusses how network forensics provides another perspective to the incident. Network traffic can reveal a lot of information about the behavior of malicious activity. Together with other sources of information, networks will speed up the investigation process. You will also learn not only about the traditional tools, such as Wireshark, but also about the powerful Bro framework.

Appendix A, Building a Forensic Analysis Environment, discusses the creation of a convenient work environment for conducting digital forensics analysis in a digital forensics lab at an enterprise scale. After the previous chapters, we should now have realized how important incident response is for the digital forensics process, and how necessary it is to deal with both of them accurately.

Appendix B, Case Study, uses an infected machine to illustrate how to conduct primary analysis on different types of evidence, going through live analysis along with post-mortem analysis.

What you need for this book

There are no special requirements for this book.

Who this book is for

If you have previous experience in information security, or have done some digital forensic analysis before and want to extend your digital forensics skill set, this is the perfect guide for you. This book will provide you with the knowledge and core skills necessary to use free and open source tools, mostly under the Linux operating system, and undertake forensic analysis of digital evidence with them.

Conventions

In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "In the destination machine, which is the handler machine, you need to run the network listener from the same receiver.exe folder."

Any command-line input or output is written as follows:

dd conv=sync,noerror bs=64K if=/dev/sda | pv | dd of=/media/Elements/HD_image/image.dd

New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: "Now from the source machine, run the FTK Lite program, and then open Create Disk image from File."

Note

Warnings or important notes appear in a box like this.

Tip

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book: what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.

To send us general feedback, simply e-mail [email protected], and mention the book's title in the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the color images of this book 

We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from http://www.packtpub.com/sites/default/files/downloads/PracticalWindowsForensics_ColorImages.pdf.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books, maybe a mistake in the text or the code, we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.

To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.

Piracy

Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at [email protected] with a link to the suspected pirated material.

We appreciate your help in protecting our authors and our ability to bring you valuable content.

Questions

If you have a problem with any aspect of this book, you can contact us at [email protected], and we will do our best to address the problem.

Chapter 1. The Foundations and Principles of Digital Forensics

Everything around us is changing: the way we communicate, how we do our work, how we store and retrieve data, and even the pace of life. Technology is changing everything. Crime has had its share of the change, because the nature of the valuable assets being targeted has changed: they are digital now. Ordinary users can perform monetary transactions without leaving their chair, and corporations and businesses of all sizes and types routinely exchange sensitive data over their local networks. In return, instead of breaking into banks or companies, crime has also gone digital. Nowadays, your personal information, bank account details, and your corporate database are among the targets of digital criminals.

So, how can we investigate these crimes? The investigation concepts haven't changed. This is what we will look at in this introductory chapter.

In this chapter, we will cover the following topics:

  • What is digital crime?
  • Digital evidence
  • Digital forensics goals
  • Analysis approaches

What is digital crime?

Let's suppose that a criminal breaks into a bank to steal the money in the safe, and that in another case an attacker somehow hacks into the bank's private network and transfers money to his own account. Both cases target the bank's monetary assets.

In the first case, if an investigator needs to track a criminal, they would apply their investigation skills to the crime scene. They would track the attacker's fingerprints and activities to finally get a clear idea about what happened and identify the criminal. In the second scenario, the investigator needs to track the criminal's digital traces on the local system, the network, and even through the Internet in order to understand the criminal's activities, and this may uncover their digital identity.

In an ordinary crime, the investigator needs to find the crime's motivation and target. In cybercrime, the investigator needs to know the malicious code—the weapon—that the attacker used in conducting their crime, the vulnerability exploited to compromise the digital system, and the size of the damage. In the same way, we can apply the same investigation mechanisms to digital crime after taking into consideration the different nature of assets and attacks.

Digital crime has many different targets, ranging from harassment, to stealing credit cards and money online, to espionage between countries or large companies. As we have recently seen, some well-known and aggressive malware programs and attacks are thought to have been developed with nation-level support against other nations, targeting infrastructure or sensitive information. Attacks targeting some well-known companies in different fields have also led to information and data leakage.

For these reasons, investing in securing the assets in their digital form has gained great importance in the last decade in both governmental and private sectors. One branch of the information security process is digital forensics.

Digital forensics

Identifying and analyzing information security incidents and the related digital evidence is called digital forensics. Generally, forensic science is the scientific method of gathering and examining data about the past to extract useful information related to the case under investigation. Digital forensics is the analysis of digital evidence in order to answer questions about a digital incident. The incident may be taking place at the time of the analysis, which is called live analysis, or it may have taken place in the past, which is called postmortem analysis.

Postmortem analysis is applied after the incident has occurred, and it is carried out in almost all cases. However, some cases require the analysis to be conducted while the incident is in progress. In general, the analysis confirms or refutes a hypothesis about the incident in order to rebuild a full picture of the activities of both the attacker and the victim during the time of the incident.

One of the definitions of digital forensics is Rodney McKemmish's, which stated the following:

"Forensic Computing is the process of identifying, preserving, analyzing, and presenting digital evidence in a manner that is legally acceptable."

From this, we can divide the digital forensics analysis into four subphases, which also represent the four principles of a successful process:

Identification: The investigator or the analyst must understand the circumstances of the incident and collect the data that is important to the investigation. They need to understand the usual behavior of the systems and the structure of the network, and they need to interview responsible individuals if needed. These are important to totally understand the environment and handle the possible evidence properly so that they do not lose valuable information or miss collecting related evidence.

During incident handling, the first responder may need to acquire a live system. Each acquisition or analysis step performed on a live system will leave a trace, and in some cases, this overwrites previous data or traces either in the system memory or on the hard drive. The responder must understand the consequences of using the handling tools on the system and try to minimize their tools' traces on the system in order to minimize data loss during incident handling.

Acquisition and preservation: The acquisition methods of digital evidence must ensure integrity preservation of the evidence and justify this when needed.

Acquiring all the data from the incident scene will help in the analysis phase to build a whole picture of the incident. In a busy working environment, reconstructing the state of the incident scene afterwards won't be easy. One way to preserve it is to take notes about all the systems in the scene, and in some cases, taking snapshots will help in remembering how these devices were connected.

Analysis: Different platforms and technologies mean different types of evidence, each of which needs to be examined. Therefore, the analyst or the investigator needs to have the technical and investigative skills required to find and extract the information related to the case under investigation.

The analyst needs to examine all the data collected even if the case has been solved. Examining all the evidence could provide new clues or state new possibilities.

Reporting and presentation of the digital evidence: This should summarize the first three phases of the process. It should include the steps taken in order to identify, seize, and examine the digital evidence. In addition to the findings of the examination, the conclusions drawn from the findings and the expert opinion must be included in the report.
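The acquisition and preservation phase above requires that the integrity of acquired evidence can be demonstrated later. The following example, added here and not taken from the book, shows the usual way this is done: hash the image in chunks at acquisition time, store the hash in a chain-of-custody record, and re-hash before analysis to detect any change. The image file, examiner name and source label are constructed stand-ins.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from typing import Tuple


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash a file in fixed-size chunks so a large disk image never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_acquisition(image_path: str, examiner: str, source: str) -> dict:
    """Build a chain-of-custody record for a freshly acquired image (hypothetical schema)."""
    return {
        "source": source,
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": hash_file(image_path),
        "acquired_by": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }


def verify_integrity(image_path: str, record: dict) -> bool:
    """Re-hash the image and compare against the hash recorded at acquisition time."""
    return hash_file(image_path) == record["sha256"]


def demo() -> Tuple[bool, bool]:
    """Return (intact_before_analysis, intact_after_accidental_write)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for an acquired raw disk image.
        image = os.path.join(tmp, "suspect_disk.dd")
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"CONSTRUCTED-BOOT-SECTOR" + b"\xff" * 4096)
        record = record_acquisition(image, examiner="analyst-01", source="suspect laptop HDD")
        intact = verify_integrity(image, record)  # untouched since acquisition
        # Simulate an analysis step that accidentally writes a single byte to the evidence copy.
        with open(image, "r+b") as f:
            f.seek(4096)
            f.write(b"X")
        still_intact = verify_integrity(image, record)  # hash no longer matches
    return intact, still_intact
```

In practice the record is kept separately from the image (and usually signed or countersigned), so that a later verification failure points to the image rather than to the record.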

Digital evidence

Naturally, changes in technology have changed what can serve as evidence, as compared with traditional evidence. Any component of a computer system could be evidence, such as the following:

• The hard drive of the criminal or the victim
• The operating system artifacts and special files
• The network traffic
• The computer memory
• Mobile phones and tablets
• Cloud storage
• Shared storage
• Network devices
• The systems' logs
• The devices' logs
• GPS devices
• Simply, any device that can store or process data

Due to the wide range of possible evidence, the incident handler or first responder who will handle and process the available devices in the incident scene must have sufficient experience in dealing with whatever types of evidence they may find at the scene.

Handling digital devices is a very significant task, on which the whole investigation process relies. It is one of the principal requirements that must be fulfilled in order to conduct a successful digital analysis.

Digital forensic goals

The main object of digital forensic analysis is the digital device related to the security incident under investigation. The digital device was either used to commit a crime, was the target of an attack, or is a source of information for the analyst. The goals of the analysis phase in the digital forensics process differ from one case to another. The analysis can be used to support or refute assumptions about individuals or entities, or it can be used to investigate information security incidents locally on a system or over a network.

When analyzing a compromised system, the goals of digital forensics as a whole are to answer these questions:

• What happened to the system under analysis?
• How was it compromised?

During the analysis, the analyst may also be able to answer some other questions based on their findings, such as the following:

• Who is the attacker? This asks whether the analyst can find the attacker's IP address and/or the IP address of the command and control server, or in some cases the attacker's profile.
• When did it happen? This asks whether the analyst can ascertain the time of the infection or compromise.
• Where did it happen? This asks whether the analyst can identify the compromised systems in the network and the possibility of other victims.
• Why did it happen? Based on the attacker's activities in the compromised system, the analyst can form an idea of the attacker's motivation, whether financial, espionage, or other.

Analysis approaches

During incident handling, each case can be considered as a different scenario. Therefore, different approaches can take place during the first response, based on the circumstances of the individual case. There are two general approaches that can be used to deal with a security incident:

• Live analysis: This is usually performed when the analyst has a live system in hand. Shutting the system down is one of the "don'ts" for the responder. Performing some preliminary analysis of the live system can provide valuable information that guides the analyst in the subsequent investigation. Also, in some situations a quick analysis of the incident is necessary because there is no time to go through the normal steps of the analysis.
• Postmortem analysis: These are the normal steps of the process, where the responder acquires all the available data from the incident scene and then conducts postmortem analysis on the evidence.

In general, a hybrid approach is considered best: the responder conducts live analysis on the powered-on and accessible systems, records their findings, and acquires all the data, including the live data, for postmortem analysis. Combining the results of live and postmortem analysis can clearly explain the state of the system under investigation. Performing the acquisition first in such a case is the best practice, as the evidence is then acquired before any analysis traces are left on the system.

Summary

In this introductory chapter, we discussed some definitions that are related to digital forensic science, its goals, and its analysis approaches.

In the next chapter, the live and postmortem analysis approaches will be explained in detail, along with the tools that are recommended for each approach.

Chapter 2. Incident Response and Live Analysis

The stages of preparation for responding to an incident deserve much attention. In some cases, the lack of the necessary tools during an incident leads to an inability to perform the necessary actions at the right time.

Taking into account that the reaction time to an incident depends on the efficiency of the incident handling process, it becomes clear that the technical support of the IR team must be prepared very carefully.

The whole set of requirements can be divided into several categories for the IR team:

• Skills
• Hardware
• Software

Let's consider the main issues that may arise during the preparation of the incident response team in more detail.

If we want to build a computer security incident response team, we need people with a certain set of skills and technical expertise to perform technical tasks and effectively communicate with other external contacts. Now, we will consider the skills of members of the team.

The set of skills that members of the team need to have can be divided into two groups:

• Personal skills
• Technical skills

Personal skills

Personal skills are very important for a successful response team. Interaction with team members who are technical experts but have poor social skills can lead to misunderstanding and misinterpretation of the results, the consequences of which may affect the team's reputation.

A list of key personal skills will be discussed in the following sections.

Written communication

For many IR teams, a large part of their communication occurs through written documents. These communications can take many forms, including e-mails concerning incidents, documentation of event or incident reports, vulnerability notifications, and other technical information notifications. Incident response team members must be able to write clearly and concisely, describe activities accurately, and provide information that is easy for their readers to understand.

Oral communication

The ability to communicate effectively through spoken communication is also an important skill, ensuring that the incident response team members say the right words to the right people.

Presentation skills

Not all technical experts have good presentation skills, and they may not be comfortable in front of a large audience. Gaining confidence in presentation skills takes time and effort, as the team's members become more experienced and comfortable in such situations.

Diplomacy

The members of the incident response team interact with people who may have a variety of goals and needs. Skilled incident response team members will be able to anticipate potential points of contention, be able to respond appropriately, maintain good relationships, and avoid offending others. They also will understand that they are representing the IR team and their organization.

Diplomacy and tact are very important.

The ability to follow policies and procedures

Another important skill that members of the team need is the ability to follow and support the established policies and procedures of the organization or team.

Team skills

IR staff must be able to work in the team environment as productive and cordial team players. They need to be aware of their responsibilities, contribute to the goals of the team, and work together to share information, workload, and experiences. They must be flexible and willing to adapt to change. They also need skills to interact with other parties.

Integrity

The nature of IR work means that team members often deal with information that is sensitive and, occasionally, they might have access to information that is newsworthy. The team's members must be trustworthy, discreet, and able to handle information in confidence according to the guidelines, any constituency agreements or regulations, and/or any organizational policies and procedures.

In their efforts to provide technical explanations or responses, the IR staff must be careful to provide appropriate and accurate information while avoiding the dissemination of any confidential information that could detrimentally affect another organization's reputation, result in the loss of the IR team's integrity, or affect other activities that involve other parties.

Knowing one's limits