Computer forensics (forsensik) - a review of the tools and training sites

Forensic (computer forensics, cybercrime investigation) - an applied science about the disclosure of crimes related to computer information, the study of digital evidence, methods of searching, obtaining and consolidating such evidence. In this article we will look at popular tools for conducting forensic analysis and collecting digital evidence.

Distributions

Let's start the review of utilities with a specialized distribution kit containing the majority of utilities, frameworks and tools for forensic analysis.

Digital Evidence & Forensics Toolkit: DEFT Linuix

This distribution is designed on the Lubuntu platform and is equipped with a user-friendly graphical interface. In addition, a set of specialized utilities has been added to the product, starting from antiviruses, information search systems in the browser's cache, network scanners and rootkit detection tools and ending with the tools needed when searching for data hidden on disk.
')
The main purpose is to carry out measures on forensics - to analyze the consequences of hacking computer systems, determining lost and compromised data, and also to collect so-called. digital evidence of cybercrime.

www.deftlinux.net

Frameworks

One of the most popular frameworks is the Volatility Framework , a framework for examining RAM images and extracting digital artifacts from volatile memory (RAM).
Recoverable data:

• date and time;
• list of running processes;
• list of open network sockets;
• list of open network connections;
• list of loaded libraries for each process;
• open file names for each process;
• memory addresses;
• OS kernel modules;
• mapping of physical offsets to virtual addresses.

List of supported RAM images for the following operating systems:

• 32-bit Windows XP Service Pack 2 and 3
• 32-bit Windows 2003 Server Service Pack 0, 1, 2
• 32-bit Windows Vista Service Pack 0, 1, 2
• 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
• 32-bit Windows 7 Service Pack 0, 1
• 32-bit Windows 8, 8.1, and 8.1 Update 1
• 32-bit Windows 10 (initial support)
• 64-bit Windows XP Service Pack 1 and 2 (there is no SP0)
• 64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0)
• 64-bit Windows Vista Service Pack 0, 1, 2
• 64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0)
• 64-bit Windows 2008 R2 Server Service Pack 0 and 1
• 64-bit Windows 7 Service Pack 0 and 1
• 64-bit Windows 8, 8.1, and 8.1 Update 1
• 64-bit Windows Server 2012 and 2012 R2
• 64-bit Windows 10 (including at least 10.0.14393)
• 64-bit Windows Server 2016 (including at least 10.0.14393.0)
• 32-bit Linux kernels 2.6.11 to 4.2.3
• 64-bit Linux kernels 2.6.11 to 4.2.3
• 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
• 32-bit 10.6.x Snow Leopard
• 64-bit 10.6.x Snow Leopard
• 32-bit 10.7.x Lion
• 64-bit 10.7.x Lion
• 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
• 64-bit 10.9.x Mavericks (there is no 32-bit version)
• 64-bit 10.10.x Yosemite (there is no 32-bit version)
• 64-bit 10.11.x El Capitan (there is no 32-bit version)
• 64-bit 10.12.x Sierra (there is no 32-bit version)

To test the framework, I recommend using ready-made RAM images .

DFF (Digital Forensics Framework) - a framework for forensic analysis, interfaces are presented as a command line, and GUI. DFFs can be used to examine hard drives and volatile memory and report on user and system actions.

PowerForensics provides a single platform for real-time hard drive forensic analysis.

The Sleuth Kit (TSK) is a set of command line tools for digital forensics that allow you to examine hard disk and file system volume data.

MIG: Mozilla InvestiGator is a platform for conducting operational research on remote endpoints. Fremywork allows researchers to simultaneously obtain information from a large number of sources, thereby speeding up the investigation of incidents and ensuring the security of everyday operations.

bulk_extractor - allows you to extract information using special scanners (mail, credit card number, GPS coordinates, phone numbers, EXIF ​​data in images). The speed of work is achieved through the use of multithreading and work with the hard disk "directly."

PhotoRec is a multisystem platform for searching and extracting files from test images of operating systems, compact discs, memory cards, digital cameras, etc. The main purpose is to extract deleted (or lost) files.

Network communication analysis

SiLK (System for Internet-Level Knowledge) - designed for the effective collection, storage and analysis of network flow data. SiLK is ideally suited for analyzing traffic on a trunk or border of a large, distributed enterprise or medium-sized provider.

Wireshark - this network packet sniffer (or sniffer) can be effectively used to analyze traffic (including malware). One of the most popular tools. The functionality that Wireshark provides is very similar to the capabilities of the tcpdump program, however, Wireshark has a graphical user interface and much more options for sorting and filtering information. The program allows the user to view all the traffic passing through the network in real time, translating the network card into promiscuous mode.

Study material

In order to carry out certain actions on data analysis, it is necessary to have a basis of theoretical material on the investigation of cybercrime. For this, I recommend reading the following publications:

• NN Fedotov: Forensic - computer forensics
• Darren Quick, Ben Martini, Raymond Choo: Cloud Storage Forensics
• Suzanne Widup: Computer Forensics and Digital Investigation with EnCase Forensic v7
• Brian Carrier: File System Forensic Analysis
• Brett Shavers, John Bair: Hiding the Keyboard: Uncovering Covert Communication Methods with Forensic Analysis
• Philip Polstra: Linux Forensics
• Jonathan Levin: Mac OS X and iOS Internals: To the Apple's Core
• Ric Messier: Operating System Forensics
• Satish Bommisetty, Rohit Tamma, Heather Mahalik: Practical Mobile Forensics
• Michael Hale Ligh, Andrew Case, Jamie Levy, AAron, Walters: The Art of Memory, Detective Malware and Threats in Windows, Linux, and Mac Memory
• Harlan Carvey: Windows Registry Forensics, Second Edition: Advanced Digital Forensic Analysis of the Windows Registry
• Laura Chappell: The Official Wireshark Certified Network Analyst Study Guide

Practical sites

To test the above tools, you can use specialized platforms or images for analysis, presented on the visualized mindmap . As the first samples for training, I recommend:

• ready-made RAM images for volatility;
• Wireshark Sample Captures ;
• p0wnlabs Sample Challenges .

Conclusion

Forensic, as an offshoot of information security, is much less developed than penetration testing or the organization of protective equipment. Competent approach in carrying out activities to collect digital evidence will not only restore the picture of a possible incident, but also allow you to identify ways and prerequisites for the occurrence of the incident.