PREVIEW: Digital Forensics Toolbox 2021 edition

Collation: Digital Forensics Software

by Phalgun N. Kulkarni

The article aims to collate proprietary and open-source digital forensics software to state differences from the perspective of various functionalities used during a digital forensic investigation, which makes a digital forensics examination process fast and efficient. The paper answers questions like “how reliant the software is when collecting the data”, “how fast is the processing of the image file/data”, “how accurate are the results”, and similar questions. In simple terms, to state which software is good at what functionality. The paper discusses the importance of comparing digital forensics software. The paper also derives a conclusion on whether open-source digital forensics software is able to compete with highly-priced proprietary software and if the open-source software can provide the same functionalities as provided by the proprietary software.  Also, whether or not the high prices of the proprietary software justified. The paper contributes an understanding of which forensics software is better than another forensics software at one or many functions by comparing all the software by using them to analyze the digital forensics images. This paper will provide a better understanding of forensics software and its functionalities to the digital forensics community.

Static Analysis Using REMnux

by Paulo Pereira, PhD

For many years, forensic analysis of malware has relied on tools for understanding the assembly of malware (i.e., the base of instructions that assemble the final file, or the modules of the malware). Even the tools to reverse the code have advanced a lot and the example we have is the Ghidra project (https://ghidra-sre.org/). Many of the existing tools were available separately, something that REMnux solved very satisfactorily. In this article, we will analyze malware in its static capabilities using REMnux. It is not our intention to analyze the live behavior of the malware, that is, to show the behavior of the malware infecting a host.

There is also a note about Kali Linux (https://www.kali.org/) as a platform for malware analysis. We cannot compare Kali Linux with REMnux, as they are different proposals. However, there is nothing to prevent you from installing the tools that are in REMnux on Kali and proceed with your analysis. The same goes for CAINE

Multimedia Authentication Testing – How to detect and document a forgery

by Doug Carner

There are hundreds of available authentication tests, and the Forensic Working Group has consolidated the most effective ones into a simple Multimedia Authentication Testing (MAT) worksheet form. Image and audio tests can be performed using free, or nearly free, software. Video authentication software can be priced beyond most budgets. Fortunately, there is an effective work around.

Modern video codecs integrate visual contents by periodically storing complete reference “i” frames, between a series of subornative predictive “p” vector frames and bi-directional “b” frames. It is these “i” frames that contain the truest scene details. When video authentication software is unavailable, most video tests can be performed using image authentication software upon the uncompressed extracted video “i” frames.

Data Recovery Software – The First Aid for Data Loss

by Prashant Singh and Nandini Gupta

Data is the most important asset in today’s world. When data is concerned, its loss causes significant damage to the individual or an organization. To minimize such a tragedy, data recovery software was developed to recover lost data. Data recovery software is available in both freeware and paid versions. An experiment was carried out to find out which among the available freeware data recovery software was the best in recovering lost data in the least time and the best software based on experimental observations was identified.

PowerShell and the Art of Live Forensics

by David Tatum

In the Art of Live Digital forensics, investigators will find various tools to assist in their investigations. Live forensics is an emerging technique with different tools needing testing and validation. Because of its scripting capability, evidence located in RAM can be obtained in a quick and efficient manner using PowerShell. This is what makes PowerShell an effective tool when conducting Live Forensics. Imagine a scenario where suspects can rapidly be linked to criminal activity supported by a warrant or subpoena.  Security breaches can be quickly identified and stopped before further damage is incurred. PowerShell can gather information without altering potential evidence. This article examines some basic elements of PowerShell and how it can be useful when performing live forensics.

Using Microsoft Information Protection to Audit Sensitive Information Usage

by Michal Zdunowski

When you process your data in an application, there is usually a database behind it on which you can log any access or connection attempt and block it if it comes from an unknown source or unauthorized user. What if you process your information in a Word document or an Excel spreadsheet, can you control the data in the same way you can control an application? You can surely apply access controls to the SharePoint site or even password protect the file, but if you share the file you need to share the password as well. Right then you lose control over your company’s sensitive information. Well, there is a solution.

Dating and Romance Scams in the Digital World

by Mohith S Yadav

This article provides an opportunity to develop the typology of cybercriminals and analyze this typology in terms of the dimensions of criminal techniques, organizations and ideology. After examining the organizational dynamics of fraudsters, the next section describes the characteristics of online romance scams.

Digital Forensics toolbox

by  Johan Scholtz 

This article might not fully reflect the capability or coverage of all the digital forensic investigation tools available, however, it is a summary of the most commonly used digital forensics tools suited for specific investigation scenarios. Several researchers covered the topic in the past and some of the tools might already be in your personal list of preferences; nevertheless, every situation depends on investigation outcome specifics before a tool is chosen. In other words, you may find a specific tool suitable to your case or based on your previous experience and often a different approach is required to find the correct tool for your particular case. Hard-core investigators probably stick to their best-known tool, other novice investigators still need to find the correct tool fit to their scenarios.

Successful (And Easy) Attack Vectors 2020

by  LIFARS

This article is written from the perspective of white hat hackers. Its goal is to point out what can still be easily exploitable in 2021, based on our experiences from last year. It describes a different set of attack vectors than what our colleagues from LIFARS DFIR department have commonly seen being misused during their recent engagements. And that is understandable, as the security posture of companies that are willing to engage penetration testers or red teamers is probably somewhat better than the security posture of many companies seeking reactive DFIR services.

In this article, we describe the most successful attack vectors that repeatedly worked for us (LIFARS Offensive Security Department) in 2020 infrastructure penetration tests and red team engagements. Spear phishing attacks are deliberately omitted from this summary.

Exclusive interview with Filipi Pires!

„Threat hunting is a proactive approach to Cyber Defense with Offensive mindset, and I like to use this definition, “The process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions” ... and the Threat Hunter, is a qualified security professional to Recognize, Isolate and Disable potential APTs using manual and/or AI-based techniques, many threats cannot be detected by network monitoring tools.”