Forensic procedure- part 1

Forensic procedure for laptops- part 1


It is ESSENTIAL to keep an evidence log, follow authorised procedures and prove that data has not been manipulated!


Where is data held in a computer, and what does it contain?

2 areas:

1) Random Access Memory (RAM)- this is volatile memory, such as the data of currently running apps, which is only retained short term.

RAM gives an insight into how the computer was recently used.

An example of this is how RAM shows recently used commands.

2) Long term memory- this is memory not immediately needed by the operating system, held on various media such as hard disks and tapes.



For both- create a hash such as MD5 before and after to show no tampering has occurred.

In the case of RAM, this must be done before and after the transfer, preferably with a witness for additional verification. This is so that you can show that the RAM hash taken at the time of transfer is the same as the one you are analysing (think of it like a snapshot).
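As an added illustration, not part of the original notes, of hashing before and after a transfer and recording the result in the evidence log: this Python computes MD5 (as the notes suggest) and SHA-256 in a single pass over an image, builds a timestamped log record with examiner and witness fields, and checks that the pre- and post-transfer records agree. The sample image, the names and the log line format are constructed for this example.

```python
import hashlib
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time so a large image never sits in memory at once

def _digest(chunks):
    """MD5 and SHA-256 over an iterable of byte chunks, computed in a single pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for piece in chunks:
        md5.update(piece)
        sha256.update(piece)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def hash_data(data):
    """Digests of an in-memory bytes object (used below on the constructed sample)."""
    view = memoryview(data)
    return _digest(view[i:i + CHUNK] for i in range(0, len(view), CHUNK))

def hash_file(path):
    """Digests of an image file on disk, read chunk by chunk."""
    with open(path, "rb") as fh:
        return _digest(iter(lambda: fh.read(CHUNK), b""))

def log_entry(stage, digests, examiner, witness=None):
    """One evidence-log record: what was hashed, when (UTC), by whom and who witnessed it."""
    return {"time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "stage": stage, "examiner": examiner, "witness": witness, **digests}

def hashes_match(before, after):
    """True only when every recorded digest is identical before and after the transfer."""
    return all(before[alg] == after[alg] for alg in ("md5", "sha256"))

def format_entry(entry):
    """Render a record as one tab-separated line for the date-case log file."""
    fields = ("time_utc", "stage", "examiner", "witness", "md5", "sha256")
    return "\t".join(str(entry[f]) for f in fields)

# Constructed stand-in for a captured RAM image; not a real memory dump.
SAMPLE_IMAGE = bytes(range(256)) * 64

if __name__ == "__main__":
    before = log_entry("pre-transfer", hash_data(SAMPLE_IMAGE), "examiner-1", "witness-1")
    after = log_entry("post-transfer", hash_data(SAMPLE_IMAGE), "examiner-1", "witness-1")
    print(format_entry(before))
    print(format_entry(after))
    print("hashes match:", hashes_match(before, after))
```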


But what happens to the original hard drive once you have an image?

It is necessary to keep it in a sealed anti-static bag so that it suffers no interference. It must be securely locked away with limited access.

Considerations
Laptops are custom built and don’t follow an industry standard. They often cannot hold 2 hard drives at once. However, a utility such as a PCMCIA ATA controller card will allow a second laptop hard disk to be installed.

Note: The original operating system should NEVER be booted; you should instead boot from a CD-ROM such as Helix or from a different disk running the same OS.

Conducting an investigation using a PCMCIA ATA controller card

Using this will ensure that both drives were written using the same BIOS, and therefore use the same LBA (Logical Block Addressing) translation scheme, a commonly used method for deciding the location of blocks of data on a computer storage device, usually secondary storage.

The process

You can perform the analysis when the computer is in one of two states: live or dead.

Below is an example procedure for a Microsoft Windows 2000 system.


Creating the Event Log


Establish Trusted Network

In order to minimise the impact of the forensic process on the analysed computer, it is recommended to set up a Cryptcat server on a secure, trusted machine to accept log files from the analysis tools. So all you are doing is running commands on the analysed machine, but having the output go to your trusted machine rather than the machine you input the commands on.

Note: cryptcat is an encrypted version of netcat.

An event log should be one of the first things that you create, as it is imperative that you can defend your actions in court. The event log involves documenting the initial contact with the machine and the events leading to analysis, including things such as describing the operating state of the system. You should record each task as it is being performed, and the time it was performed, in the event log.

This would be done with the command: cryptcat -l -p 2505 > date-case-logfiles.txt (SANS, 2017)

^This tells cryptcat to listen on port 2505 and write any information received into a text file called date-case-logfiles.txt

Recording the system time and date

It is well known that PC clocks are not the most accurate.

Therefore the examiner should take note of the times and compare them with Time Sync or another reliable source- again, document this.

Record the ARP Cache

The ARP cache is part of how the computer communicates: it holds entries that are created when a hostname is resolved to an IP address and that IP address is then resolved to a MAC address. In short, it does this so that the computer can actually deliver frames to the machine behind that IP address.


- arp -a | cryptcat xxx.xxx.xxx.xxx 2505
Note: the x’s stand for the IP address of the Cryptcat server

TIP: the part before the pipe to cryptcat is the command that you would type at the command prompt

Record the NetBEUI cache

This is the Microsoft (not Linux or anything else) protocol for LANs (Local Area Networks). This will show any capable systems the machine has accessed recently, as these are stored in memory.

nbtstat -c | cryptcat xxx.xxx.xxx.xxx 2505

Record the IP Configuration
This establishes the network address of the analysed computer.

- ipconfig /all | cryptcat xxx.xxx.xxx.xxx 2505

Record Network connections
Netstat will list all network connections, protocols and port numbers.

Note: this is very useful for seeing if something is listening on the computer, or which other computers it is choosing to connect with.

netstat -an | cryptcat xxx.xxx.xxx.xxx 2505
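Reading the collected netstat -an output back on the trusted machine, as an added example that is not from the original notes: it parses a constructed Windows 2000 netstat listing, flags bound sockets that are not in an assumed baseline of expected listeners, and lists established connections whose peer lies outside the private address ranges. The baseline set, the sample addresses and the port numbers are constructed assumptions.

```python
import ipaddress

# Constructed sample of "netstat -an" output from a Windows 2000 host; not a real capture.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1044      192.168.1.5:445        ESTABLISHED
  TCP    192.168.1.20:1057      203.0.113.7:8080       ESTABLISHED
  TCP    0.0.0.0:1234           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""
# Listeners expected on this build (an assumed baseline); anything else gets a closer look.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 139), ("UDP", 137)}

def split_endpoint(endpoint):
    """'192.168.1.20:1057' -> ('192.168.1.20', 1057); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Turn netstat -an lines into dicts; titles, headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) > 3 else ""  # UDP rows have no state column
        rows.append({"proto": parts[0], "local": split_endpoint(parts[1]),
                     "foreign": split_endpoint(parts[2]), "state": state})
    return rows

def unexpected_listeners(rows):
    """Bound sockets (TCP LISTENING or any UDP binding) that are not in the baseline."""
    found = {(r["proto"], r["local"][1]) for r in rows
             if r["proto"] == "UDP" or r["state"] == "LISTENING"}
    return sorted(found - EXPECTED_LISTENERS)

def external_peers(rows, local_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Established connections whose foreign address is outside the given private ranges."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    return [r["foreign"] for r in rows if r["state"] == "ESTABLISHED"
            and not any(ipaddress.ip_address(r["foreign"][0]) in n for n in nets)]

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("unexpected listeners:", unexpected_listeners(rows))  # [('TCP', 1234)]
    print("external peers:", external_peers(rows))             # [('203.0.113.7', 8080)]
```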

Fport Network process enumeration

A useful tool from Foundstone that lists active network ports and shows which file (executable) has them open. Sniffing events can easily be spotted this way.

- fport -a | cryptcat xxx.xxx.xxx.xxx 2505

Psinfo Process enumeration

Psinfo is part of the PsTools suite from Sysinternals that lists the running processes (Sysinternals).

- psinfo | cryptcat xxx.xxx.xxx.xxx 2505



Psloggedon user logged on enumeration


Lists who is logged on to system.


psloggedon | cryptcat xxx.xxx.xxx.xxx 2505

PsFile Remote file access enumeration
PsFile lists files that are being accessed remotely.

psfile | cryptcat xxx.xxx.xxx.xxx 2505



Psservice running services enumeration

Lists services currently running on the computer- think malware.

psservice | cryptcat xxx.xxx.xxx.xxx 2505


Directory access times
The following commands record the directory access times, modification times and creation times. Be aware that by doing this, these attributes may themselves be modified.

Last Access Times
dir /t:a /o:ng /s c:\ | cryptcat xxx.xxx.xxx.xxx 2505

Last Modified Times
dir /t:w /o:ng /s c:\ | cryptcat xxx.xxx.xxx.xxx 2505


Event Logs
Dumpel.exe creates a report from the data in the Windows event logs.

Security Event Log
dumpel -l security | cryptcat xxx.xxx.xxx.xxx 2505

Application Event Log
dumpel -l application | cryptcat xxx.xxx.xxx.xxx 2505

System Event Log
dumpel -l system | cryptcat xxx.xxx.xxx.xxx 2505


This is all important! Now that it is preserved, the machine must be shut down.
You need to choose the procedure- unplug or OS shutdown- and record it in the event log.

TIP: you can create a physical memory dump, which is an image file you can analyse. You can do this with the following command:

dd.exe if=\\.\PhysicalMemory conv=noerror | nc.exe xxx.xxx.x.xxx xxxx

Next part includes:
Disk imaging and network copying


