eForensics Magazine 2018 03 Best Of PREVIEW.pdf
We are proud to present the fourth installment of our “Best Of” series. This one includes the best of the best articles that were published in eForensics since 2015 until now. You can find all the details below, we believe every single article in this issue is well worth your time.
Without further ado, let’s dive in!
Enjoy your reading,
and the eForensics Mag
TABLE OF CONTENTS
PowerShell For Computer Forensics
by Luca Cadonici
Available on Windows 7 since version 2.0, Windows PowerShell is a command-line shell designed primarily for system administrators; unlike text-oriented shells, it accepts and returns .NET Framework objects. It gives you access not only to the file system but also to other data stores, such as the registry, through providers: .NET Framework-based components that expose a data store so that it can be navigated like a disk drive. Windows PowerShell includes more than one hundred core cmdlets, simple, single-function commands built into the shell that can be used on their own or chained in a pipeline to perform complex tasks.
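As an added example (not code from the article), the following script shows the provider model and cmdlet pipeline applied to a read-only triage of a live Windows host: the registry is walked through the HKLM: and HKCU: drives for autostart entries and USB device history, the file system provider is used to hash recently modified scripts and executables, and the collection itself is documented with a hash manifest. It assumes PowerShell 5.1 (Get-FileHash requires 4.0 or later), an elevated session, and a case output folder and look-back window that are placeholders to adjust per case.

```powershell
# Added example, not from the article: read-only live triage using PowerShell providers.
# Assumptions: PowerShell 5.1, elevated session; $OutDir and $LookbackDays are placeholders.
#Requires -RunAsAdministrator
param(
    [string]$OutDir       = "$env:USERPROFILE\Desktop\triage",  # assumption: case output folder
    [int]   $LookbackDays = 7                                   # assumption: window for "recent" files
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Registry provider: autostart values are just item properties under the HKLM:/HKCU: drives.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autostarts = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |      # drop provider metadata (PSPath, PSDrive, ...)
            ForEach-Object {
                [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value }
            }
    }
}
$autostarts | Export-Csv -Path (Join-Path $OutDir 'autostarts.csv') -NoTypeInformation

# 2. USB history lives in the same drive: each USBSTOR subkey is a device class and each child
#    of that is a device serial. Get-ChildItem walks the hive exactly as it walks a directory.
$usbKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$usbDevices = if (Test-Path $usbKey) {
    Get-ChildItem -Path $usbKey | ForEach-Object {
        $device = $_
        Get-ChildItem -Path $device.PSPath | ForEach-Object {
            [pscustomobject]@{
                Device       = $device.PSChildName
                Serial       = $_.PSChildName
                FriendlyName = (Get-ItemProperty -Path $_.PSPath).FriendlyName
            }
        }
    }
}
$usbDevices | Export-Csv -Path (Join-Path $OutDir 'usb_history.csv') -NoTypeInformation

# 3. FileSystem provider: scripts and executables written recently under user profiles, hashed so
#    the list can be compared against a known-good baseline or threat-intelligence indicators.
$since  = (Get-Date).AddDays(-$LookbackDays)
$recent = Get-ChildItem -Path 'C:\Users' -Recurse -File -Include *.exe,*.dll,*.ps1,*.vbs -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object {
        [pscustomobject]@{
            Path          = $_.FullName
            LastWriteTime = $_.LastWriteTime.ToString('o')   # ISO 8601, sortable across time zones
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
$recent | Export-Csv -Path (Join-Path $OutDir 'recent_files.csv') -NoTypeInformation

# 4. Hash the collected artifacts so the triage output can be verified later in the chain of custody.
Get-FileHash -Path (Join-Path $OutDir '*.csv') -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $OutDir 'manifest.csv') -NoTypeInformation
```

Two practical notes: point $OutDir at removable or network storage rather than the suspect's own disk, since every file written to the evidence volume overwrites unallocated space; and treat this as triage only, because a live run reads the registry through the running kernel, so anything a rootkit hides from the API will also be hidden from the provider.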
Digital Forensic Backlogs and the use of Automation in Digital Investigations
by Ryan Duquette
Leaps in technology over the last 20 years have created some true benefits to society: real-time collaboration, cheap and reliable digital storage, the ability to perform complex processing in a matter of seconds, all designed to simplify and speed up our lives. Generally speaking, as technology has evolved, it has allowed us to complete tasks more efficiently and more cost effectively. While this benefits most individuals and businesses, one area where this evolution is having an adverse effect is the digital forensic space, especially within the realm of law enforcement.
Digital Video Chain of Evidence in the 21st Century
by Mark Sugrue
Digital evidence is now a component in the majority of criminal investigations, and video evidence, whether from CCTV, covert surveillance cameras, mobile or body-worn cameras, is an important part of it. Following correct procedures in the collection and processing of digital evidence is critical. Advancing technology is creating new challenges, both in the volume of digital evidence and in the difficulty of reviewing it and disclosing it at trial. There are new technologies and solutions that can help the evidential process, but there are also some that represent threats. This article will take a look at different technologies in the context of video investigations, past, present and future.
Forensic Analysis of Spoliation Cases Part 1 - Macintosh
by Steve Bunting
When the police investigate a crime and execute a search warrant for digital evidence, the charged party usually isn't aware that the police are coming with warrant in hand. In essence, the search of the digital media is often achieved by surprise, and the suspect has little or no time to dispose of evidence. Even if the defendant had some prior warning and subsequently deleted or secreted digital evidence, in a practical sense there's no crime or penalty for doing so. Furthermore, the criminal defendant enjoys the right not to self-incriminate.
Forensic Analysis of Spoliation Cases Part 2 - Windows
by Steve Bunting
As a quick refresher, in part one of this two-part series we defined spoliation as the intentional, reckless, or negligent withholding, hiding, altering, fabricating, or destroying of evidence relevant to a legal proceeding. Thus, in simple terms, withholding, deleting, or hiding evidence are forms of spoliation. To add legal specificity to this definition, we quoted an Arkansas court ruling, referencing Black's Law Dictionary, in which they defined spoliation as "the intentional destruction of evidence and when established, [the] fact finder may draw [an] inference that [the] evidence destroyed was unfavorable to [the] party responsible for its spoliation." Thus, spoliation carries with it a very specific penalty in that the aggrieved party may legally infer the destroyed evidence was unfavorable, which often has a devastating impact on the party who destroyed the evidence.
Ten Lessons for Incident Response
The author of the article requested to remain anonymous.
It started with an email. There was an odd amount of traffic from our Primary Data Center to the IP of some nondescript website. I had a Blackberry at the time and felt safe checking out the site to see if it was obviously malicious. It was a Sunday, I was in the car with the family, and the website didn't seem threatening at first blush. I replied that this could wait until Monday morning to dive deeper and find out what was wrong.
MalwareStats: Improving Static Analysis of Modern Malware
by Andrea Melis, Marco Prandini, and Marco Ramilli
The continued growth in the number and complexity of malware is a well-established fact. Malware is no longer a simple piece of code that relies on unsuspecting users to spread and thrive. It can change, adapt and hide itself from analysts using very sophisticated techniques. Static analysis is complex and time consuming, and it can be difficult to deduce every possible malicious behavior from it, yet it is often very effective because the sample never executes, so the malware gets no chance to detect the analysis environment and alter its behavior. The purpose of this work is to illustrate an open web-based project the authors are developing, and to show how its results can provide valuable assistance during the static analysis phase. The goal is to support analysts in their exploration of code features, enabling them to make more focused, statistically motivated and structured decisions.
Analysis of Malicious Excel Spreadsheet
by Monnappa K A
Malicious Office documents are often used in targeted attacks against individuals or organizations. Attackers embed malicious code into documents such as Excel spreadsheets or Adobe Acrobat PDF files. This article contains the analysis details of a malicious spreadsheet that delivered malware to its victim in a spear phishing campaign.
Understanding Hollow Process Injection using Reverse Engineering and Memory Forensics
by Monnappa K A
This article contains the details of a code injection technique called "Hollow Process Injection" (also called process replacement), in which a legitimate executable is started in a suspended state, its image is unmapped from memory and replaced with the attacker's payload, and the process is then resumed, so that on the surface it still looks like the legitimate program. The article mainly focuses on how attackers use hollow process injection to remain stealthy and evade live forensic tools. Understanding these techniques is essential from an incident response standpoint to better counter such attacks.
Seeing the Invisible: Advanced Persistent Threats
by Cecilia McGuire
Deep in the digital trenches, a concealed war prevails. Forces of expert hackers assemble to punch through perimeters, launching the next generation of malware attacks. Boundaries are dissolving, opening the perimeter to conquest. Navigating the virtual maze leads assailants to the doors of national security, government, defense, banking and retail, through to critical infrastructure services and health: all verticals are targets for compromise.
Applying Geopolitical Events to Threat Intelligence with Splunk
by Dennis Chow
Our goal in this article is to leave you with a basic model, method, and a brief tutorial in acquiring and monitoring key indicators, data sets, and analytic considerations for practicing geopolitical cyber threat intelligence using the Splunk Enterprise tool.
A Journey Deep Inside Reverse Engineering
by Leonardo Marciano and Deivison Franco
- Part 1: Introduction to Reverse Engineering
You were already sure you wanted to be a hacker/cracker, but after you watched Mr Robot you got super excited to revolutionize the world with lines of code, or even to break into your school system and change your grades. To start our adventure, we will introduce you to reverse engineering, but first, what is it?
- Part 2: Using OllyDbg - First Steps
In the first part of our journey, you were introduced to reverse engineering, learned what it is used for, what knowledge is needed to study it, and what kinds of tools are used in the process. In addition, we presented the OllyDbg tool. Now, in this part, we will continue to work with OllyDbg.
- Part 3: Using OllyDbg - Advanced
In this article, we will continue to learn how to use OllyDbg, working with the same custom version used in the previous article.
On the Role of Dempster-Shafer Theory of Evidence in Digital Visual Media Forensics
by Raahat Devender Singh and Naveen Aggarwal
Ever since the invention of photography, visual media, now predominantly digital, has played a pivotal role in shaping our community's belief system by continually affecting our perception of reality. Aside from serving their usual recreational purposes, digital images and videos have for quite some time provided investigative benefits by serving as an evidence repository that can be used for post-incident analysis.
Comparison of Forensic Animation and Visual Effects
by Michele Bousquet
How does forensic animation differ from visual effects in movies and games? While early forensic and entertainment animations bore a strong resemblance to one another, the two fields have since evolved separately in a variety of ways.
To understand these differences, let’s first look at how forensic animation has evolved in comparison to entertainment graphics.