Forensics: How-to Guide

Updated: Aug 20

Cyber Security Forensics: Know all about restoring deleted files and evidence of execution.


C-DAC, the institution that has developed a number of cyber forensic tools such as TrueBack, CyberCheck, EmailTracer, CyberInvestigator, Hasher and PDA Analyzer, has proved the robustness of its tools used for probing cyber crimes.

Union Minister Raja said the government had taken steps to amend the IT Act so that information collected using cyber forensic tools developed by C-DAC would be considered solid evidence in any court of law in the country. As of now, courts do not accept such information as evidence. The amendment would be brought in the next Parliament session.


Tip #1: CyberCheck (Disk Forensics Tool)

CyberCheck is a Windows-based application that allows law enforcement agencies to analyze hard disk content, including deleted files.


CyberCheck supports data indexing: the text in different document file formats can be indexed, and this index-based search gives faster results than a conventional search. The search facility supports multiple keywords, regular expressions and fuzzy matching, with filtering by date and file size. CyberCheck also offers Unicode-based searching to find data in any language, searching by file hash value, and filename searches with wildcard options.


Other Features

  • Web browser based user interface.

  • Multiuser solution with multiple case analysis option.

  • Registry Analysis.

  • Sophisticated data carving facility to carve documents, images, audio and video.

  • Disk Indexing with stop and resume options.

  • Browser analysis feature for extracting forensically relevant information from Google Chrome, Firefox, Safari and Opera.

  • Communication App analyser for Microsoft Windows 10.

  • Shellbag analysis and anti-forensic activity detection, such as signature mismatch analysis and password-protected file detection.

  • Advanced Timeline Analysis with multiple event options.

  • Known good file filtering using NSRL dataset.

  • Document language detection.

  • Recycle bin data extraction.

  • Recover images from thumbnail database.

  • Evidence hash verification using MD5, SHA1, SHA256 and SHA512 algorithms.

  • Can convert proprietary evidence file formats to raw image.

  • Integrated viewer for file content, metadata, pictures and file hex values.

  • Integrated Gallery view for viewing all pictures in the evidence.

  • File hash computation in MD5, SHA1, SHA256 and SHA512 algorithms.

  • File bookmarking and bulk file export.

Reference: https://www.cdac.in/index.aspx?id=cs_cf_CSG_CCS_DFT
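The hash-related features listed above (evidence hash verification, file hash computation, search by hash value and NSRL known-good filtering) all reduce to a small set of operations. The Python below is an added example written for this post, not C-DAC's code: it hashes an image in one sequential pass with the four algorithms named on the page, verifies the result against digests recorded at acquisition, and filters a file hash list against a known-good set. The image bytes and hash lists are constructed; a real known-good set would be loaded from the NSRL reference data.

```python
import hashlib
import io

# Digest algorithms named in the CyberCheck feature list; hashlib knows all four.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Constructed stand-in for an acquired disk image. A real image is opened with
# open(path, "rb") and passed as the stream; nothing else changes.
EVIDENCE_IMAGE = b"\x00" * 512 + b"constructed evidence image " * 40 + bytes(range(256))


def _as_stream(data):
    """Accept either bytes (small samples, tests) or an open binary file."""
    return io.BytesIO(data) if isinstance(data, (bytes, bytearray)) else data


def hash_stream(data, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Compute several digests in one sequential read.

    Feeding every hasher from the same chunk matters for multi-terabyte
    evidence and for media behind a write blocker: the alternative is one
    full pass over the image per algorithm.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    stream = _as_stream(data)
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_evidence(data, recorded):
    """Re-hash an image and compare with the digests recorded at acquisition.

    `recorded` maps algorithm name -> hex digest, e.g. {"sha256": "..."}; only
    the algorithms it contains are checked. Hex case is ignored because tools
    differ. Returns (ok, mismatches) with mismatches mapping algorithm ->
    (recorded, computed).
    """
    computed = hash_stream(data, algorithms=tuple(recorded))
    mismatches = {
        name: (recorded[name], computed[name])
        for name in recorded
        if recorded[name].lower() != computed[name]
    }
    return not mismatches, mismatches


def filter_known_good(file_hashes, known_good):
    """Drop files whose hash is in a known-good reference set (NSRL-style filtering).

    `file_hashes` maps path -> hex digest (one algorithm, used consistently);
    `known_good` is a set of hex digests from the reference set. What remains
    is the unknown material an examiner still has to look at.
    """
    known = {h.lower() for h in known_good}
    return {path: h for path, h in file_hashes.items() if h.lower() not in known}


if __name__ == "__main__":
    digests = hash_stream(EVIDENCE_IMAGE)
    ok, bad = verify_evidence(EVIDENCE_IMAGE, {"sha256": digests["sha256"]})
    print("verified" if ok else f"MISMATCH {bad}")
```

Record at least one of the stronger digests (SHA256 or SHA512) at acquisition even if the case file also carries MD5 and SHA1 for compatibility with older reports; the verification function checks whatever subset the acquisition log holds.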



Tip #2: Win-LiFTImagerBuilder (Tool for building Win-LiFTImager)

Win-LiFT Imager Builder, which runs on the investigator's machine, builds the Win-LiFTImager tool.


Features

  • Facility to enter crime details

  • Facility to select / deselect the list of volatile artifacts to be collected from the suspect's system


  • Facility to select the USB/hard disk drive on which the Win-LiFTImager tool is to be built


Win-LiFTImager (Forensic Volatile Data Acquisition Tool)




Features

  • Analyze the Live Forensics data captured by Win-LiFTImager from the Suspect's machine

  • Advanced memory analysis of Windows XP and Windows 7 physical memory dumps to extract the following forensically sound information:

  1. Running processes and their associated details

  2. Process Reconstruction

  3. Bitlocker Key Reconstruction

  4. Internet usage-based information

  5. MFT Records

  6. Executable Reconstruction

  • Structural Analysis of Reconstructed Executables

  • Forensic Data Carving

  • Event Log Analysis

  • Browser Forensics of IE, Edge, Chrome, Firefox, Mozilla and Safari

  • Keyword Searching facility

  • Detailed Report Generation

  • Bookmarking and appending to Report facility

  • Facility to save and print Report

  • Independent Loading and analysis of Memory dump

  • Hash Verification of acquired information

Other Features

  • Display forensic evidence acquired in List/Tree/Summary View.

  • Gallery View and Summary view

  • Text/hex view of raw files with built-in search and go-to facility.

  • Parent-Child view of Running processes



Tip #3: NetForce (NeSA, CyberInvestigator and EmailTracer)

NetForce is a collection of three tools used for network forensics: NeSA for packet analysis, CyberInvestigator for log analysis and EmailTracer for email tracing.

NeSA (Network Packet Analysis Tool)

NeSA is a network forensics tool to capture and analyse network traffic. Data sent through the network can be captured, recreated and exported using this tool.


Data Reconstruction

With the help of a flexible and powerful filtering system, data from HTTP, SMTP, POP3 and FTP sessions can be recreated and visualized in an analysis-friendly manner. The tool has built-in data viewers, including a mail view, to help the analyst concentrate on analysis.


Analysis Modes

NeSA supports both data-level and packet-level analysis of network data. In data-level mode the analyst can concentrate on the content and avoid the nuts and bolts of network protocols; when he or she wishes to dig deeper, the packet-level mode is available.


Searching and Filtering

Searching and filtering help the analyst reach their goals faster. Flexible filter expressions are provided for both packet-level and data-level analysis. Data-level filtering supports filtering by date, time, IP address, MAC address and port. Regular expression-based searching gives the analyst the full power expected of such a tool.

Other Features

  • Loads pcap formatted dump files and rebuilds TCP sessions.

  • Reconstructs files from HTTP, FTP, SMTP and POP3 packets.

  • Built-in hex, thumbnail, file and mail views.

  • Powerful filter for filtering TCP sessions and packets.

  • Regular expression based search capability.

  • Supports port customization and time zone based analysis.

  • Loads multiple pcap files.

  • Statistics generation.

  • IP Tracing.

  • Merging and sorting of packets.

  • DNS Attack analysis.

  • Report generation.

  • Can capture from multiple interfaces.
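The first two NeSA features above, loading a pcap file and rebuilding TCP sessions, are the core of any packet-level forensics tool. The Python below is an added example written for this post, not NeSA's code: a reader for the classic pcap format, an Ethernet/IPv4/TCP decoder, and a flow reassembly that orders segments by sequence number and discards retransmissions. The capture it works on is constructed inside the block (an HTTP request split into two segments captured out of order, a retransmission, and the response); all hosts and addresses are made up, and checksums are left at zero because the parser never validates them.

```python
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def parse_pcap(data):
    """Yield (ts_sec, ts_usec, frame) for every record of a classic (not pcapng) pcap file."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":        # 0xA1B2C3D4 stored little-endian
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":      # same magic stored big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) is handled in this example")
    offset = 24                              # global header is 24 bytes
    while offset + 16 <= len(data):          # each record has a 16-byte header
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec, ts_usec, data[offset:offset + incl_len]
        offset += incl_len


def decode_tcp(frame):
    """Decode Ethernet -> IPv4 -> TCP. Returns None for anything else (ARP, UDP, IPv6 ...)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP:
        return None
    tcp = ip[ihl:total_len]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "src_mac": frame[6:12].hex(":"), "dst_mac": frame[:6].hex(":"),
        "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
        "src_port": sport, "dst_port": dport, "seq": seq,
        "flags": off_flags & 0x01FF, "payload": tcp[(off_flags >> 12) * 4:],
    }


def rebuild_sessions(pcap_bytes):
    """Group TCP segments into flows and reassemble each direction's byte stream.

    Segments are ordered by sequence number; a retransmission (same seq) keeps the
    first copy seen. Overlapping segments and sequence wrap-around are not handled,
    which is enough for the constructed capture below but not for a real trace.
    """
    flows = defaultdict(lambda: defaultdict(dict))   # flow -> direction -> {seq: payload}
    for _sec, _usec, frame in parse_pcap(pcap_bytes):
        pkt = decode_tcp(frame)
        if pkt is None or not pkt["payload"]:
            continue
        src, dst = (pkt["src_ip"], pkt["src_port"]), (pkt["dst_ip"], pkt["dst_port"])
        flow = tuple(sorted((src, dst)))             # same key for both directions
        flows[flow][(src, dst)].setdefault(pkt["seq"], pkt["payload"])
    return {flow: {direction: b"".join(p for _, p in sorted(segs.items()))
                   for direction, segs in dirs.items()}
            for flow, dirs in flows.items()}


# --- constructed sample capture (no real traffic; checksums are left zero) ---

def build_frame(src_mac, dst_mac, src, dst, seq, payload):
    """Pack one Ethernet/IPv4/TCP frame carrying `payload` (PSH+ACK, 20-byte headers)."""
    (src_ip, sport), (dst_ip, dport) = src, dst
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x018, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file with one-second spacing."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1583226000 + i, 0, len(frame), len(frame)) + frame
    return out


CLIENT, SERVER = ("10.0.0.5", 51000), ("203.0.113.10", 80)
C_MAC, S_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"

# The request arrives as two segments captured out of order, the second one is then
# retransmitted, and the response follows: the cases a session rebuild must cope with.
SAMPLE_PCAP = build_pcap([
    build_frame(C_MAC, S_MAC, CLIENT, SERVER, 1016, REQUEST[16:]),
    build_frame(C_MAC, S_MAC, CLIENT, SERVER, 1000, REQUEST[:16]),
    build_frame(C_MAC, S_MAC, CLIENT, SERVER, 1016, REQUEST[16:]),
    build_frame(S_MAC, C_MAC, SERVER, CLIENT, 5000, RESPONSE),
])

if __name__ == "__main__":
    for flow, directions in rebuild_sessions(SAMPLE_PCAP).items():
        for (src, dst), stream in directions.items():
            print(f"{src[0]}:{src[1]} -> {dst[0]}:{dst[1]} ({len(stream)} bytes)")
            print(stream.decode("ascii", "replace"))
```

Because every decoded packet carries its MAC addresses, IP addresses and ports, the same dictionaries are the natural place to apply the date, IP, MAC and port filters the page describes before reassembly.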

CyberInvestigator (Log Analysis Tool)

CyberInvestigator is a network forensics tool for log analysis. Its use involves gathering the different kinds of logs available on machines that were compromised in an attack; the analysis then traces the intrusions and the use made of the network, and produces a detailed forensic report. Network forensic analysts have to analyze various types of logs, such as Linux, Unix and Windows OS logs, web server logs, database logs, firewall logs, IDS logs, VPN logs, router logs, proxy logs, Windows domain logs and wireless access point logs. Manual analysis of these logs is very cumbersome, so analysts need special tools to efficiently analyze them and find the different types of attacks and other criminal activity.

Features

  • Supports Windows and Linux logs

  • Supports Analysis of wtmp, utmp, secure, mail, message, cron, access and IIS logs

  • Investigator friendly User Interface

  • Finds out Successful Login & Login Failures

  • Finds out the insertion & removal of removable media

  • Displays software installation & uninstallation details

  • Provides Intrusion Analysis

  • Provides Web Traffic Analysis

  • Customized Reports
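The "successful login & login failures" feature, applied to the secure log named in the list above, is the kind of analysis that is easy to show in code. The Python below is an added example written for this post, not CyberInvestigator's code: it parses OpenSSH entries in syslog format, separates accepted from failed logins (including the "invalid user" variant sshd writes for non-existent accounts), counts failures per source address, and flags sources that failed repeatedly and then got in. The log lines are constructed; the host, users and addresses are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format OpenSSH writes to /var/log/secure (RHEL family) or
# /var/log/auth.log (Debian family). Host name, users and addresses are made up;
# 198.51.100.0/24 is a documentation range.
SAMPLE_SECURE_LOG = """\
Mar  3 09:12:01 host1 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2: RSA SHA256:constructed
Mar  3 09:13:44 host1 sshd[2231]: Failed password for root from 198.51.100.23 port 41022 ssh2
Mar  3 09:13:46 host1 sshd[2231]: Failed password for root from 198.51.100.23 port 41022 ssh2
Mar  3 09:13:49 host1 sshd[2233]: Failed password for invalid user admin from 198.51.100.23 port 41030 ssh2
Mar  3 09:14:02 host1 sshd[2240]: Accepted password for bob from 198.51.100.23 port 41044 ssh2
Mar  3 09:20:17 host1 sshd[2260]: Disconnected from user alice 10.0.0.5 port 50122
"""

# syslog prefix: "Mar  3 09:12:01 host1 <message>"
LINE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
                      r"from (?P<ip>\S+) port (?P<port>\d+)")
FAILED = re.compile(r"sshd\[\d+\]: Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>\S+) "
                    r"from (?P<ip>\S+) port (?P<port>\d+)")


def parse_auth_log(text):
    """Turn raw log lines into login events; lines that are not logins are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        for outcome, pattern in (("success", ACCEPTED), ("failure", FAILED)):
            hit = pattern.search(m.group("msg"))
            if hit:
                events.append({
                    "ts": m.group("ts"), "host": m.group("host"), "outcome": outcome,
                    "method": hit.group("method"), "user": hit.group("user"),
                    "ip": hit.group("ip"), "port": int(hit.group("port")),
                    # only the failure pattern has the "invalid user" group
                    "invalid_user": outcome == "failure" and hit.group("invalid") is not None,
                })
                break
    return events


def summarize(events, failure_threshold=3):
    """Successful logins, failures per source address, and sources that failed
    repeatedly and then got in. The last list is a lead to investigate, not proof
    of compromise: a user who mistypes a password a few times produces the same shape."""
    failures_by_ip = Counter(e["ip"] for e in events if e["outcome"] == "failure")
    successes_by_ip = defaultdict(list)
    for e in events:
        if e["outcome"] == "success":
            successes_by_ip[e["ip"]].append(e["user"])
    suspicious = sorted(ip for ip, n in failures_by_ip.items()
                        if n >= failure_threshold and ip in successes_by_ip)
    return {
        "successes": [(e["ts"], e["user"], e["ip"], e["method"])
                      for e in events if e["outcome"] == "success"],
        "failures_by_ip": dict(failures_by_ip),
        "suspicious_ips": suspicious,
    }


if __name__ == "__main__":
    report = summarize(parse_auth_log(SAMPLE_SECURE_LOG))
    for ts, user, ip, method in report["successes"]:
        print(f"{ts} login {user} from {ip} ({method})")
    print("failures per source:", report["failures_by_ip"])
    print("failed repeatedly, then succeeded:", report["suspicious_ips"])
```

Syslog timestamps carry no year, so when a log spans New Year the analyst has to supply the year from the file's metadata or from the rotation schedule before building a timeline.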

EmailTracer

EmailTracer is a forensic tool to track an email sender's identity. It can be used to trace the sender's details for any email by analyzing its header. The tool is able to analyze email headers collected from web-based and local mail programs. EmailTracer gives details of the sending machine, including its IP address, which is the key point in finding the culprit. It also gives the geographical location of the sender, the route traced by the email and so on. It can also be used for retrieving emails and their details from the mailbox files of local mail programs such as Outlook Express (.dbx), Microsoft Outlook (.pst), Eudora (.mbx), Pegasus (.cnm), The Bat (.tbb), Netscape Messenger (.nsm), Incredimail (.imm), KMail (MailDir), Mozilla (.mbox) and Windows 7 Mail (.eml).

  • Trace IP Address of the machine from which mail is sent

  • Analyze email headers collected from web-based mail programs such as Yahoo!, Hotmail, Rediff etc.

  • Generates detailed analysis report in HTML format

  • Detects the city and country location of the sender's IP address

  • Plots the route traced by the mail from the sender to the receiver

  • Displays the geographic location of the mail on a world map

  • Whois search, NS lookup and IP traceback facility

  • Extract emails from mailbox files of different local mail clients

  • Keyword Searching facility on recovered emails

  • Facility to extract and save attachments in native format

  • Facility to extract embedded mails

  • Facility to extract and analyze email header

  • Facility to save suspicious emails in .eml format
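EmailTracer's central step, reading the Received chain in a header to find the sending machine's IP address, can be reproduced with Python's standard library. The block below is an added example written for this post, not EmailTracer's code: it parses a constructed header, lists the hops oldest first, reports the origin address the chain implies, and cross-checks hand-offs and timestamps between adjacent hops, because Received headers below the first relay you trust were written by the sender's side and can be forged. The WHOIS, geolocation and route plotting features listed above need network access and are not shown. All names and addresses in the sample are made up.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message header: the sender's host handed the mail to relay.example.com,
# which passed it to mx2.example.net, which delivered to mail.example.org. Every name
# and address is made up (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_HEADERS = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.7])
\tby mail.example.org (Postfix) with ESMTPS id 7F2A1C0
\tfor <victim@example.org>; Tue, 03 Mar 2020 09:30:12 +0000
Received: from relay.example.com (relay.example.com [198.51.100.40])
\tby mx2.example.net with ESMTP id q3s7;
\tTue, 03 Mar 2020 09:30:10 +0000
Received: from [203.0.113.55] (unknown [203.0.113.55])
\tby relay.example.com with ESMTPA id 9x1;
\tTue, 03 Mar 2020 09:30:05 +0000
From: "Accounts" <accounts@example.com>
To: victim@example.org
Subject: Invoice
Message-ID: <1234@relay.example.com>
Date: Tue, 03 Mar 2020 09:30:05 +0000

(constructed body)
"""

RECEIVED_FROM = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RECEIVED_BY = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def parse_received(value):
    """Pull the pieces of one Received header an examiner cares about."""
    hop = {"from": None, "ip": None, "by": None, "date": None}
    m = RECEIVED_FROM.search(value)
    hop["from"] = m.group(1) if m else None
    m = RECEIVED_IP.search(value)           # first bracketed IPv4 literal, usually the peer
    hop["ip"] = m.group(1) if m else None
    m = RECEIVED_BY.search(value)
    hop["by"] = m.group(1).rstrip(";") if m else None
    if ";" in value:                        # the date is whatever follows the last ';'
        try:
            hop["date"] = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            hop["date"] = None
    return hop


def inconsistencies(hops):
    """Cross-check adjacent hops (oldest first): the host that received hop i should be
    the host hop i+1 says it came from, and timestamps should not run backwards.
    Mismatches are leads, not proof: a HELO name often differs from a relay's real name."""
    problems = []
    for i in range(len(hops) - 1):
        here, nxt = hops[i], hops[i + 1]
        if here["by"] and nxt["from"] and here["by"].lower() != nxt["from"].lower().strip("[]"):
            problems.append(f"hop {i} received by {here['by']} but hop {i + 1} claims from {nxt['from']}")
        if here["date"] and nxt["date"] and nxt["date"] < here["date"]:
            problems.append(f"hop {i + 1} is timestamped before hop {i}")
    return problems


def trace_message(raw):
    """Oldest-first hop list, the origin address it implies, and consistency findings.

    Each relay prepends its own Received header, so the header order is newest first
    and is reversed here. Only hops added by relays you trust are reliable; anything
    below them in the original header block was under the sender's control."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    return {
        "hops": hops,
        "origin_ip": hops[0]["ip"] if hops else None,
        "relays": [h["by"] for h in hops],
        "problems": inconsistencies(hops),
        "message_id": msg.get("Message-ID"),
    }


if __name__ == "__main__":
    result = trace_message(SAMPLE_HEADERS)
    for i, hop in enumerate(result["hops"]):
        print(f"hop {i}: from {hop['from']} [{hop['ip']}] by {hop['by']} at {hop['date']}")
    print("origin:", result["origin_ip"], "problems:", result["problems"] or "none")
```

Treat the origin address as the starting point for the WHOIS and geolocation lookups, not as an identification: the address may belong to a shared relay, a webmail provider or a machine the sender does not own.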


Tip #4: DEMS (Digital Evidence Management System)



The information technology revolution has changed the way the world lives. Electronic gadgets and devices exist in our society in myriad forms, and along with this development the amount of criminal activity associated with electronic devices has also increased. Every crime has an electronic component associated with it, and the investigation and analysis of that component is pivotal in modern crime investigation. Investigators therefore have to deal with large volumes of digital devices as material evidence. This digital evidence has to undergo analysis and sometimes has to be shared with external agencies for detailed examination, and maintaining the chain of custody and managing the life cycle of the evidence is extremely difficult in such situations. The Digital Evidence Management System (DEMS) is a web-based evidence management system developed by C-DAC, Thiruvananthapuram. DEMS is mainly targeted at law enforcement agencies and analysis labs for managing large volumes of digital evidence, including the chain of custody. It can also be used by enterprises or government departments that have to handle digital evidence.

Features

  • Provision to include additional dynamic fields to capture all details of Cases and Evidences

  • Provision to securely upload all forms of digital evidence: hard disk images, image files, audio files, video files, Call Data Records (CDR) and mobile phone data

  • Provide secure access to all digital images for authorized users

  • Extensive search and filter capabilities for Cases and Evidences

  • Email/SMS Notifications for updates on Cases and Evidences

  • Facility to upload analysis reports

  • Multiple levels of authorization for users

  • Feature rich dashboard for quick insight

  • Workflow support for case and evidence life cycle management

  • Rule based Service Level Agreements (SLA) for Case and Evidence handling

  • Comprehensive analysis and reporting

Tip #5: Evidence Collection & Seizure


When a compromise of security or an unauthorized/illegal action associated with a computer is suspected, it is important that steps are taken to ensure the protection of the data within the computer and/or storage media.


The initial response to a computer security incident may be more important than the later technical analysis of the computer system, because the actions taken by incident response team members affect every subsequent laboratory examination of the computer and/or media. Most important of all is that the first responder acts appropriately.


In the event of a suspected computer incident, care must be taken to preserve evidence in its original state. While it may seem that simply viewing files on a system would not result in alteration of the original media, opening a file changes it. From a legal sense, it is no longer the original evidence and may be inadmissible in any subsequent legal or administrative proceedings.


The activities/procedures for securing a suspected computer incident scene include

  • Securing the scene

  • Shutting down the computer

  • Labeling the evidence

  • Documenting the evidence

  • Transporting the evidence

  • Providing chain-of-custody documentation



Documentation is key.

Detailed notes should be maintained during all aspects of scene processing. This includes not only the usual who, what, where and when but also overall observations of the scene. An evidence/property document should contain, for each item, a description (model and serial number), any visible markings present on the item, the condition of the item, the manner in which it was marked as evidence, and the location within the scene from which it was seized. Every item of evidence has its own characteristics, but each should be marked in a manner that allows it to be easily identified at a later date. Items should be collected as found and documented.



Happy to do it all for you. Do let us know in case of any emergency. Cynorsense's areas of expertise are forensics and security operations. We have seen them all recovered. Hope this blog post helped you know a little more. Subscribe and follow us on LinkedIn and Facebook to get instant updates. Please do comment for more interactive details.

