We present a brand-new edition of our magazine, containing the best tutorials we have gathered over the last few years. This issue is divided into two parts, each covering its own set of topics. We decided to do this for your convenience: everyone can browse each part and pick the topics that interest them most, and those who are not subscribers can buy the separate e-books at a lower price. Everyone wins!
Still, each part contains close to 400 pages of content and a few dozen articles, step-by-step tutorials, guides and how-tos. We believe you will find these issues useful to keep in your storage of choice, without having to search through all our back issues for that one perfect article that solves your problem.
Part 2, this one, contains all the tutorials we tagged as “Basics”, that is general and introductory articles; everything regarding Linux, Mac and Windows forensics; all you need to know about FTK Imager; a few extras on counter-forensics; and articles that fit into the “Miscellaneous” category.
As always, we count on your feedback. Leave your reviews on the website, give us your comments on Facebook (/EForensicsMagazine) and tweets on Twitter (@eForensics_Mag). Your opinions really matter to us, so don’t be shy! You can also reach our editors directly by e-mailing our Editor in Chief Joanna Kretowicz at [email protected] and Marta Strzelec at [email protected]. We can’t wait to hear from you!
Enjoy your reading!
TABLE OF CONTENTS:
DIGITAL FORENSICS TUTORIAL KEYWORD SEARCHES
by Patric Oulette
When we hear people talk about forensics, we typically imagine scenes from the Crime Scene Investigation (CSI) or Crime Scene Unit (CSU) shows and movies popularized in recent years. Although glamorized and compressed in time, these shows do adequately represent standard criminal and crime-scene investigative and analytical processes.
FORENSIC VIDEO ANALYSIS – STEP BY STEP
by David Spreadborough
Through an examination of the underlying digital data, a Forensic Video Analyst is able to make the correct decisions when dealing with a piece of proprietary video.
CREATING AN INCIDENT RESPONSE PROCESS
by Vincent Beebe
In today’s technologically advanced society, our response to events is extremely important. This is never truer than when it comes to assets within a company. There are a lot of tools in place in today’s business world to monitor and protect. Unfortunately, in a lot of cases, there is no established process that defines what to do when an alert occurs...
AN OVERVIEW OF CLOUD FORENSICS
by Dejan Lukan
When discussing cloud forensics, we are really talking about the intersection of cloud computing and network forensic analysis. Cloud computing basically refers to a service that we interact with over the network; the actual work is done by a server somewhere on the Internet, which may be physical or virtual hardware. In recent years there has been a significant increase in the use of virtualized environments, which makes it very probable that our cloud service is running somewhere in a virtualized environment.
UNDERSTANDING DOMAIN NAME SYSTEM
by Amit Kumar Sharma
Domain Name System (DNS) spoofing, commonly referred to as DNS cache poisoning, is an attack in which forged records are injected into a name server’s cache, causing it to return incorrect answers and thereby diverting traffic to the attacker’s host.
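The checks a resolver applies to defeat blind cache poisoning are easier to see in code than in prose. The following toy resolver is an added example for this entry, not code from the article: the response dicts are constructed stand-ins for parsed DNS messages (not captured traffic), the names use the reserved .example TLD and the addresses come from documentation ranges. It shows the three defences a caching resolver relies on: a random transaction ID, a random source port, and the bailiwick rule that refuses records for names outside the zone of the server that answered.

```python
"""Toy resolver applying the checks that block blind DNS cache poisoning.
Added example; response dicts are constructed, not real DNS traffic."""
import secrets
from dataclasses import dataclass, field


def in_bailiwick(name: str, zone: str) -> bool:
    """A record may enter the cache only if its owner name lies inside the
    zone the answering server is authoritative for (the 'bailiwick' rule)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


@dataclass
class Pending:
    qname: str
    qtype: str
    zone: str  # zone of the name server the query was sent to


@dataclass
class Resolver:
    cache: dict = field(default_factory=dict)    # (name, type) -> rdata
    pending: dict = field(default_factory=dict)  # (txid, src_port) -> Pending
    rejected: list = field(default_factory=list)

    def send_query(self, qname: str, zone: str, qtype: str = "A"):
        # Unpredictable 16-bit ID plus unpredictable source port (RFC 5452):
        # a blind attacker must guess both for a forged answer to match.
        txid = secrets.randbelow(1 << 16)
        src_port = 1024 + secrets.randbelow(65536 - 1024)
        self.pending[(txid, src_port)] = Pending(qname, qtype, zone)
        return txid, src_port

    def receive(self, resp: dict) -> bool:
        key = (resp["txid"], resp["dst_port"])
        pq = self.pending.get(key)
        if pq is None:
            self.rejected.append(("txid/port mismatch", resp))
            return False
        if (resp["qname"].lower(), resp["qtype"]) != (pq.qname.lower(), pq.qtype):
            self.rejected.append(("question mismatch", resp))
            return False
        del self.pending[key]
        for name, rtype, rdata in resp["records"]:
            if not in_bailiwick(name, pq.zone):
                # A legitimate answer carrying an extra record for somebody
                # else's name: the classic way to seed a poisoned entry.
                self.rejected.append(("out of bailiwick", (name, rtype, rdata)))
                continue
            self.cache[(name.lower(), rtype)] = rdata
        return True


def run_scenarios() -> Resolver:
    """Three constructed exchanges: an out-of-bailiwick injection attempt,
    a blind spoof with the wrong port, and the genuine answer."""
    r = Resolver()
    txid, port = r.send_query("www.attacker.example", zone="attacker.example")
    r.receive({"txid": txid, "dst_port": port, "qname": "www.attacker.example",
               "qtype": "A", "records": [
                   ("www.attacker.example", "A", "203.0.113.10"),
                   ("www.bank.example", "A", "203.0.113.10")]})  # dropped
    txid, port = r.send_query("www.bank.example", zone="bank.example")
    r.receive({"txid": txid, "dst_port": (port + 1) % 65536,   # wrong port
               "qname": "www.bank.example", "qtype": "A",
               "records": [("www.bank.example", "A", "203.0.113.10")]})
    r.receive({"txid": txid, "dst_port": port, "qname": "www.bank.example",
               "qtype": "A",
               "records": [("www.bank.example", "A", "198.51.100.20")]})
    return r


if __name__ == "__main__":
    res = run_scenarios()
    print("cache:", res.cache)
    print("rejected:", [reason for reason, _ in res.rejected])
```

When reading a suspected poisoning case, the items in `rejected` are exactly what a resolver log should show: mismatched IDs or ports indicate a blind flood, while out-of-bailiwick drops show an authoritative server trying to plant records it does not own.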
STEP BY STEP WALKTHROUGH TO DO THREATS AND RISKS MANAGEMENT BY ADHERING INDUSTRY STANDARDS
by Jaya Ram Kumar Pothi
Information security governance has gained prominence in organizations of every kind since the beginning of the modern era that we now call the “Internet”. Organizations have adapted their practices into a governing operating system that makes project progress easy to track visually. Such a system is commonly assembled from existing frameworks such as ISO 27001, Lean, SOX and Six Sigma. Within information security governance, the imperative element is threat and risk management.
DATA MASKING: A MUST KNOW FOR COMPUTER FORENSICS
by Cordny Nederkoorn
Data masking is a process used to protect information stored in data management systems. It replaces sensitive values with realistic substitutes so that only users with the right authorization ever see the real data. For computer forensics this is interesting because it shows how a company can protect itself against external (and internal) data breaches. This article explains what data masking is by walking through an example with software from Camouflage, a provider of enterprise-class data masking solutions for securing sensitive data.
THE APT (ADVANCED PERSISTENT THREATS) IN A NUTSHELL THE APT – OVERVIEW
by Sameera de Alwis
The APT is one of the most pressing questions in today’s digital world. An APT does not always rely on cutting-edge technical capabilities; what sets it apart is that it is well planned, organized and often hybrid in execution, much like a covert intelligence operation. Beyond the initial intrusion, the persistent part of the attack is about maintaining informed and uninterrupted access to information and to the networked systems that hold it.
INTRODUCTION TO 4G MOBILE TECHNOLOGIES: LTE (LONG TERM EVOLUTION), NETWORK ARCHITECTURE
by Bappaditya Dey
Mobile telephony standards have been gradually adopting packet-switched technologies since the introduction of 2.5G GPRS networks in the nineties. But the continuous growth in demand for data services has forced the mobile networking standardisation process to move away from legacy circuit-switched technologies and to focus primarily on efficient, wider-bandwidth data-carrying capabilities. This has culminated in the introduction of the all-IP Fourth Generation Long Term Evolution (4G LTE) standard by the 3GPP standardisation body; the technology is already being deployed worldwide and is going through feature additions such as ‘LTE-Advanced’. In this first article of the series, we take a look at the overall architecture of a basic LTE network, including the network elements and protocol stacks.
LINUX, WINDOWS & MACINTOSH:
SIMPLE WIRESHARK USAGE IN KALI LINUX
by Victor Panisa
This article introduces the basic concepts of Wireshark, a packet sniffer, and shows how to use it.
CORRELATING CARVED DATA IN KALI
by Drew Perry
In this article Drew Perry investigates how the BackTrack penetration testing and security auditing Linux distribution has evolved into Kali. He puts some of its powerful forensics tools to good use by applying a data carving technique and then using the results for open-source reconnaissance. He also demonstrates an ownership relationship between the original data and a remote server, which can help expand the scope of a forensic investigation.
RECOVERING DELETED FILES FROM A WINDOWS MACHINE WITH KALI LINUX BY USING DD_RESCUE AND FOREMOST
by Cory Miller
Many tools have been added to Kali Linux compared to BackTrack, some of which can be used to preserve digital evidence and to retrieve deleted files. Open-source tools such as dd_rescue and Foremost let you create an image of any storage device (USB sticks, hard drives, SD cards) and carve deleted or corrupt files out of it. Let Cory Miller put the theory into practice.
PASSWORD CRACKING WITH JOHN THE RIPPER IN KALI LINUX
by Alexandre Beletti
In this article Alexandre Beletti introduces the basic concepts of John the Ripper, a password cracker that supports a variety of attack techniques.
DIGITAL EVIDENCE ACQUISITION WITH BACKTRACK
by Ayei Ibor
It has become increasingly important to have a reliable means of acquiring digital evidence that can prove the facts of a case and be admissible in court. Evidence recovery processes usually need to be documented so that a third party obtains the same results when applying the same methods as the investigator. Ayei Ibor presents practical applications and a worked example of evidence acquisition.
WINDOWS FORENSICS ANALYSIS
by Muhammad Irfan
In any forensic investigation, the most challenging task is collecting the information that will lead us in the right direction to solve the case. If the relevant information is not collected, we cannot proceed correctly, and the investigation may yield nothing useful. If the investigation is done properly, we maximize the chance of identifying the culprit and closing the case successfully.
WINDOWS REGISTRY FORENSICS 101
by Jason Stradley
This article is meant to serve as a very basic introduction to the Windows Registry and its usefulness as a resource for certain types of forensic investigation. Windows 9x/ME, Windows CE and Windows NT/2000/XP/2003 store configuration data in a data structure called the Registry. It is a central repository for configuration data, stored hierarchically, and it contains a great deal of information that is of potential evidential value or that helps the examiner with other aspects of forensic analysis.
WINDOWS MEMORY FORENSICS & MEMORY ACQUISITION
by Dr Craig S. Wright, GSE, GSM, LLM, MStat
This article takes the reader through the process of imaging memory on a live Windows host. This is part one of a six part series and will introduce the reader to the topic before we go into the details of memory forensics. The first step in doing any memory forensics on a Windows host involves acquisition. If we do not have a sample of the memory image from a system we cannot analyze it. This sounds simple, but memory forensics is not like imaging an unmounted hard drive. Memory is powered and dynamic, and changes as we attempt to image it.
INTRODUCTION TO WINDOWS FORENSICS USING PARABEN P2 COMMANDER
by Dauda Sule, CISA
Microsoft Windows is the most widely used operating system for both business and personal use. Such popularity has made it one of the operating systems most targeted by malicious attackers. As a result, it is often the platform used to access personal and workplace data, or even to commit policy breaches that assist in the commission of criminal acts. Investigations based on electronic evidence stand a very high chance of involving a system running one version of Windows or another. It is therefore one of the most important operating systems anyone going into the field of cyber forensics will need to know how to investigate.
FORENSIC APPROACH TO ANALYSIS OF FILE TIMESTAMPS IN MICROSOFT WINDOWS OPERATING SYSTEMS AND NTFS FILE SYSTEM
by Matveeva Vesta Sergeevna, Leading specialist in computer forensics, Group-IB company
File browsers display three timestamps for every file on an NTFS volume, and many utilities exist that manipulate these temporal attributes to conceal the traces of file use. However, every file in NTFS has eight timestamps stored in its MFT file record (four in the $STANDARD_INFORMATION attribute and four in the $FILE_NAME attribute), and comparing them reveals when the visible attributes have been substituted. The author suggests a method for recovering the original timestamps after such a replacement, and an automated variant for a whole set of files.
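A minimal version of that comparison, as an added example for this entry (not the author’s code or method): it converts the raw 64-bit FILETIME values of the two attribute sets and flags the two tells a practitioner checks first: a $STANDARD_INFORMATION time that falls before the $FILE_NAME creation time, and a $STANDARD_INFORMATION time with a zero sub-second component while the $FILE_NAME copy has one (tools that set times via the Win32 API with one-second precision leave this pattern). The record values below are constructed, not parsed from a real MFT; in practice they would come from a parser such as the one in an MFT analysis tool.

```python
"""Compare NTFS $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) timestamps.
Added example with constructed records; FILETIME = 100-ns ticks since 1601."""
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_TICKS_PER_SECOND = 10_000_000
FIELDS = ("created", "modified", "mft_modified", "accessed")


def filetime_to_datetime(ft: int) -> datetime:
    """Python datetimes stop at microseconds, so the last 100-ns digit is dropped."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def make_filetime(dt: datetime, extra_ticks: int = 0) -> int:
    """Inverse of filetime_to_datetime; extra_ticks (0-9) restores the 100-ns digit."""
    return (dt - _FILETIME_EPOCH) // timedelta(microseconds=1) * 10 + extra_ticks


def check_timestamps(si: dict, fn: dict) -> list:
    """Return human-readable findings; an empty list means nothing suspicious.
    Caveat: $FN times are refreshed on rename/move, so a clean comparison is
    not proof of authenticity, only the absence of the crudest tampering."""
    findings = []
    for f in FIELDS:
        if si[f] % _TICKS_PER_SECOND == 0 and fn[f] % _TICKS_PER_SECOND != 0:
            findings.append(f"$SI {f} has a zero sub-second part while $FN {f} "
                            "does not (typical of 1-second-precision timestomping)")
    if si["created"] < fn["created"]:
        findings.append("$SI created precedes $FN created "
                        "(file claims to be older than its own file-name record)")
    return findings


def describe(si: dict, fn: dict) -> list:
    """Side-by-side listing of both attribute sets for the report."""
    return [f"{f:13} $SI {filetime_to_datetime(si[f]).isoformat()}  "
            f"$FN {filetime_to_datetime(fn[f]).isoformat()}" for f in FIELDS]


# Constructed records. The file was genuinely created 2014-03-05 10:00:00.1234567 UTC.
_REAL = make_filetime(datetime(2014, 3, 5, 10, 0, 0, 123456, tzinfo=timezone.utc), 7)
FN_RECORD = {f: _REAL for f in FIELDS}
SI_CLEAN = dict(FN_RECORD)
# Someone then backdated the visible created/modified times to New Year 2009.
_FAKE = make_filetime(datetime(2009, 1, 1, tzinfo=timezone.utc))
SI_STOMPED = dict(FN_RECORD, created=_FAKE, modified=_FAKE)

if __name__ == "__main__":
    for label, si in (("clean", SI_CLEAN), ("stomped", SI_STOMPED)):
        print(f"== {label} ==")
        print("\n".join(describe(si, FN_RECORD)))
        print("\n".join(check_timestamps(si, FN_RECORD)) or "no findings")
```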
HOW TO PERFORM A BASIC AND FAST FORENSIC ANALYSIS ON MACINTOSH OPERATING SYSTEMS – A QUICK START GUIDE
by Deivison Pinheiro Franco
Computer Forensics is an area that is very Windows-centric. Many tools pay lip service to Apple’s Macintosh (Mac) platform, and others do not even recognize it at all. The few Mac tools available are either expensive or inadequate. Regardless, it is necessary for an investigator to know what to look for and where to look. This article is intended to give investigators a brief outline of what the file system and structure of a Mac looks like and to give a basic criteria on what to look for, as well as some generalized locations for where to look. It is far from a comprehensive forensic manual for Macintosh computers, but it does attempt to give an examiner relatively comfortable with Windows environments a place to start learning about Mac forensics.
HOW TO USE ENCRYPTED ITUNES BACKUPS FOR SMS HISTORY WITHOUT THE DEVICE OR JAILBREAKING
by Gouthum Karadi, CISSP,CEH, MBA
Imagine it is late Friday afternoon at Forensics, Inc. and you get a call from ABC Corp, one of your top clients. It seems that ABC had competitor XYZ cornered and agreeing to a deal before a timely lunch. Yet when talks resumed after the break, XYZ began to negotiate more fiercely, using not only the exact tactics that ABC had prepared for but, in some cases, the exact words. How could XYZ know what ABC was planning? Someone had to have leaked the internal talking-points memorandum the morning of the negotiation.
by Bridgette Braxton
AccessData FTK Imager provides an easy way to image a hard drive, allowing the investigator to create dd, SMART and EnCase (E01) images. The program loads quickly, creates forensic images that allow easy previewing of the drive’s files, folders and media, mounts images read-only so the contents of the original drive can be inspected, exports and recovers deleted files that have not been overwritten, and computes MD5 and SHA1 hashes that verify the image has not been altered. FTK Imager is a free program from AccessData, the same company that provides FTK Imager Lite; it is one of the best drive imaging and evidence collection programs I have used and a court-accepted digital forensic tool.
HOW TO INVESTIGATE FILES WITH FTK IMAGER
by Mark Stam
The Master File Table (MFT) can be considered one of the most important files in the NTFS file system: it is the database NTFS uses to keep track of every file on a volume, recording the physical location of each file’s data on the drive along with its metadata. One of the most important tasks of a computer forensics expert is making such file artifacts and metadata visible. Learn, in a straightforward manner, how to extract NTFS file system data from a physical device and use the MFT to find detailed information about files. In this example we use FTK Imager to find a picture (a JPEG file) on a Windows 7 system.
USING FTK IMAGER TO CREATE FORENSICALLY SOUND COPIES OF DIGITAL MEDIA
by Austin Troxell
The first step in Digital Forensic examinations is to create precise duplicates of any storage media collected as potential evidence. One of the key principles of Digital Forensics is that examiners must eliminate or minimize the risk of altering any information contained on the original evidence items. Where at all possible, the analyst will make digital copies of the media to be examined and work from these duplicates, preserving the originals. The Digital Forensics examiner has numerous options for creating exact bit-stream representations of digital media, including hardware duplicators as well as various software tools that create digitally identical copies. In this article Austin Troxell focuses on the features and use of AccessData’s FTK Imager.
CREATING A FORENSIC IMAGE OF A HARD DRIVE USING FTK IMAGER AND IMAGER-LITE FROM ACCESSDATA
by Bridgette Braxton
The advancement in the world of computer forensics has provided many tools to assist incident responders perform live analysis on a computer. The capabilities of forensics tools have improved by making analysis feasible by integrating enhanced interfaces, documentation, built-in detection methods, and new ways to collect evidence. Let’s see how FTK Imager can be used in those processes and how to do it!
FTK IMAGER ON THE FLY
by Robert C DeCicco
Practicing computer forensics often means having to jump on a plane or in a car to get somewhere quickly to collect evidence. In response to the often reactive nature of the work, agencies and firms have developed fly-away kits, mobile labs or other solutions that are prepped, ready to go and able to handle a variety of environments and evidence types. What about when you are not prepared for a collection? What about those instances where you were only scheduled to attend a meeting or scoping exercise at a client site? Robert DeCicco shows how FTK Imager literally saved the day when the circumstances suddenly changed.
DETECTING EVIDENCE OF INTELLECTUAL PROPERTY THEFT USING FTK® IMAGER (AND FTK® IMAGER LITE)
by Ana M. San Luis & Robert K. Johnson
In today’s world of constantly evolving technology, there arise a number of options for thieves, embittered and disgruntled employees, or naive colleagues to participate in the theft of intellectual property, whether intentional or otherwise. IP theft can cost victims their jobs, reputations, and even millions of dollars, depending on what is stolen. Experts and investigators have a number of industry and court accepted tools available at their fingertips to investigate suspicions or allegations of IP theft. Some of these tools allow forensic experts and investigators to examine live running suspect machines or media, while making little to no changes to the suspect machines or media. Two such tools are AccessData’s FTK Imager and FTK Imager Lite.
FILE RECOVERY – PART 01
by Everson Probst
One of the core activities of a computer forensic expert is file recovery. Through recovery it is possible to examine records deleted by users or deleted automatically by the system. This tutorial shows how to recover files, and which of their technical properties survive, using FTK Imager and Recuva. Recuva is free software distributed by Piriform whose main function is recovering deleted files. It uses the file system index to locate them and can also carve data, but in that respect it is not very efficient compared to Foremost.
FILE RECOVERY – PART 02
by Everson Probst
In this tutorial you will learn how to conduct file recovery with FTK Imager and Foremost. Foremost is free software that recovers files by data carving: it is capable of recovering files whose entries no longer exist in the file system, which makes it very useful for recovering older files, although it cannot restore all the original properties (such as name and timestamps) of a recovered file.
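To make concrete what “data carving” means in the dd_rescue/Foremost article above and in these two file recovery parts, here is a small header/footer carver written for this table of contents; it is an added example, not code from any of the articles or from Foremost. It scans raw bytes for known file signatures (the same idea Foremost drives from its configuration file), cuts from each header to the nearest footer within a size limit, and names the output by offset since no file name is available. The “disk image” is a constructed byte string, not a real acquisition.

```python
"""Header/footer file carving in the style of Foremost (added example).
DISK_IMAGE is constructed; the signatures are well-known magic bytes."""
import re
from pathlib import Path

# type -> (header pattern, footer bytes, maximum carve size)
SIGNATURES = {
    "jpg": (re.compile(rb"\xff\xd8\xff[\xe0-\xef]"), b"\xff\xd9", 20 * 1024 * 1024),
    "png": (re.compile(rb"\x89PNG\r\n\x1a\n"), b"IEND\xae\x42\x60\x82", 20 * 1024 * 1024),
    "pdf": (re.compile(rb"%PDF-1\.[0-7]"), b"%%EOF", 50 * 1024 * 1024),
}


def carve(data: bytes, signatures=SIGNATURES) -> list:
    """Return carved files as dicts (type, offset, size, data), ordered by offset.
    Carving ignores the file system, which is why it recovers files whose MFT
    entries are gone, and why it cannot restore names or timestamps."""
    found = []
    for kind, (header, footer, max_len) in signatures.items():
        for m in header.finditer(data):
            start = m.start()
            # The footer search is bounded by max_len. A footer can also occur
            # inside a file body (e.g. an embedded thumbnail), so a carved
            # result may be truncated; validate it with a viewer afterwards.
            end = data.find(footer, start, start + max_len)
            if end == -1:
                continue
            end += len(footer)
            found.append({"type": kind, "offset": start,
                          "size": end - start, "data": data[start:end]})
    return sorted(found, key=lambda f: f["offset"])


def write_carved(found: list, outdir: str) -> list:
    """Write each carved object as <offset-in-hex>.<type>, similar to how
    Foremost names its output, and return the paths written."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for f in found:
        p = out / f"{f['offset']:08x}.{f['type']}"
        p.write_bytes(f["data"])
        paths.append(str(p))
    return paths


# Constructed "disk image": unrelated filler around a fake JPEG and a fake PNG.
FILLER = bytes(range(256)) * 4
FAKE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"J" * 100 + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"P" * 50 + b"IEND\xae\x42\x60\x82"
DISK_IMAGE = FILLER + FAKE_JPG + FILLER + FAKE_PNG + FILLER

if __name__ == "__main__":
    for f in carve(DISK_IMAGE):
        print(f"{f['type']} at offset {f['offset']} ({f['size']} bytes)")
```

Against a real image you would read the file in chunks and keep a few kilobytes of overlap between them so a header near a chunk boundary is not missed; the example reads everything into memory for clarity.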
COUNTERFORENSICS: HOW TO MISLEAD COMPUTER FORENSICS SOFTWARE
by Cordny Nederkoorn
Forensic investigators frequently use forensic software tools for their collection and analysis. However, specific software is being developed and used to thwart the use of forensic software by the forensic investigators. This is known as counterforensic software aka counterforensics.
OPTICAL MEDIA DATA HIDING - TIPS, TECHNIQUES AND ISSUES
by Paul Crowley
Data hiding is substantially different from encryption. Encryption puts the “container” with the data front and center in the examiner’s face and is a challenge. A well-executed encryption can be a serious blockade in that without the password being revealed in some manner the encrypted data is inaccessible. Unfortunately for the world of secrets, it turns out that in the face of this sort of challenge there are many, many ways of acquiring the password and gaining access to the data.
CIRCUMVENTING DIGITAL FORENSICS
by Alexander R. Tambascia, D.Sc.
This paper is to cover ways to defeat digital forensics capabilities to recover personal identifiable information (PII), confidential information and/or property intellectual property on personal computer and laptop. This paper will look at simple mechanism, encryption; that can be used to defeat common digital forensic tools and forensic investigator abilities to collect stored and deleted information.
FINDING ADVANCED MALWARE USING VOLATILITY
by Monnappa Ka
When an organization falls victim to an advanced malware infection, a quick response is required to identify the indicators associated with that malware, remediate, establish better security controls and prevent future infections. In this article you will learn to detect advanced malware in memory using memory forensics, and to use memory forensic toolkits such as Volatility to do so, illustrated with a real case scenario.
HOW AND WHY TO INCLUDE DBAS IN INFORMATION SECURITY GOVERNANCE
by Rob Stewart
Information security has greatly increased in visibility over the past two decades. Over the last ten years governance around the policies and procedures that make up information security has grown, and new, more specific areas such as data governance have begun to emerge. While some industries are regulated and must comply with legislation, most companies now understand the necessity of staying ahead of the curve when protecting access to, and ensuring the integrity of, their data. This article examines why and how to actively involve your DBA group in information security from conception through to implementation, and discusses how a complete strategy involves more than just controlling access to information systems.
FORTIFYING THE DEFENSES: IMPLEMENTING SECURE SHELL KEY MANAGEMENT THAT WORKS
by Tatu Ylönen
In an effort to secure files and administrative access more thoroughly, organizations and governments alike have adopted the Secure Shell protocol. Secure Shell encrypts data in transit with session keys negotiated between client and server, and authenticates users with key pairs: the private key stays on the user’s machine while the corresponding public key is installed on the server. Not only does the protocol protect data transferred across the network, it also lets administrators manage systems remotely, which is why the keys granting that access need to be inventoried and controlled.
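Key management starts with knowing what is in each account’s authorized_keys file. The script below is an added example for this entry, not code from the article or from OpenSSH: it parses authorized_keys lines (including an options field with quoted spaces and commas), decodes the key blob to recover the algorithm and key size, computes the OpenSSH-style SHA256 fingerprint, and flags weak DSA keys, RSA keys under 2048 bits, keys with no `from=` source restriction and the same key installed more than once. The sample file is constructed: the RSA and DSA numbers are placeholders of the right size, not real keys.

```python
"""Audit OpenSSH authorized_keys content (added example; SAMPLE is constructed)."""
import base64
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")
WEAK_TYPES = {"ssh-dss"}      # DSA is 1024-bit only; disabled by default since OpenSSH 7.0
MIN_RSA_BITS = 2048


def _ssh_string(payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + payload


def _mpint(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + b if b[0] & 0x80 else b)


def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n


def split_fields(line: str):
    """-> (options, keytype, base64, comment); options may hold quoted spaces."""
    j, in_quote = 0, False
    first = line.split(None, 1)[0]
    if not first.startswith(KEY_TYPE_PREFIXES):          # line starts with options
        while j < len(line):
            c = line[j]
            if c == '"' and (j == 0 or line[j - 1] != "\\"):
                in_quote = not in_quote
            elif c.isspace() and not in_quote:
                break
            j += 1
    options, rest = line[:j], line[j:].split(None, 2)
    return options, rest[0], rest[1], (rest[2] if len(rest) > 2 else "")


def option_names(options: str) -> set:
    names, cur, in_quote = [], "", False
    for c in options:
        if c == '"':
            in_quote = not in_quote
        if c == "," and not in_quote:
            names.append(cur); cur = ""
        else:
            cur += c
    if cur:
        names.append(cur)
    return {o.split("=", 1)[0].strip().lower() for o in names}


def key_bits(ktype: str, blob: bytes):
    name, off = _read_string(blob, 0)
    if name.decode(errors="replace") != ktype:
        return None                                      # blob does not match declared type
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        return int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-dss":
        p, _ = _read_string(blob, off)
        return int.from_bytes(p, "big").bit_length()
    if ktype == "ssh-ed25519":
        return 256
    if ktype.startswith("ecdsa-sha2-nistp"):
        return int(ktype[len("ecdsa-sha2-nistp"):])
    return None


def audit(text: str) -> list:
    results, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, ktype, b64, comment = split_fields(line)
        blob = base64.b64decode(b64)
        fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
        bits, opts, flags = key_bits(ktype, blob), option_names(options), []
        if bits is None:
            flags.append("TYPE_MISMATCH_OR_UNKNOWN")
        if ktype in WEAK_TYPES:
            flags.append("WEAK_TYPE")
        if ktype == "ssh-rsa" and bits is not None and bits < MIN_RSA_BITS:
            flags.append("SHORT_RSA")
        if "from" not in opts:
            flags.append("NO_SOURCE_RESTRICTION")
        if fp in seen:
            flags.append(f"DUPLICATE_KEY(line {seen[fp]})")
        seen.setdefault(fp, lineno)
        results.append({"line": lineno, "type": ktype, "bits": bits, "fingerprint": fp,
                        "options": sorted(opts), "comment": comment, "flags": flags})
    return results


def _rsa_blob(bits: int) -> bytes:   # placeholder modulus of the requested size, not a real key
    return _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)


def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


SAMPLE = "\n".join([
    "# constructed sample for the example, not a real authorized_keys file",
    "ssh-rsa " + _b64(_rsa_blob(1024)) + " backup@oldhost",
    'from="10.0.0.0/8",command="rsync --server --sender . /srv/backup",no-pty,no-port-forwarding '
    "ssh-ed25519 " + _b64(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))) + " deploy@ci",
    "ssh-dss " + _b64(_ssh_string(b"ssh-dss") + _mpint((1 << 1023) | 1)
                      + _mpint(3) + _mpint(5) + _mpint(7)) + " legacy",
    "ssh-rsa " + _b64(_rsa_blob(1024)) + " backup@otherhost",
])

if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(r["line"], r["type"], r["bits"], r["fingerprint"], r["flags"])
```

Run it over `~/.ssh/authorized_keys` for every account (including service accounts and root) and reconcile the fingerprints against the key inventory; keys that nobody can attribute are the ones to revoke first.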
HOW TO INDEX DATA WITH KS
by Nanni Bassetti
KS is a keyword search tool that works on allocated data, unallocated data and slack space, using indexing software and a database for storage.
BIOMETRIC FACIAL RECOGNITION DATABASE SYSTEMS
by Robert E. Vanaman
A biometric system is effectively a pattern recognition system that operates by acquiring biometric data from an individual, and extracts a feature set from the acquired data for comparison purposes. The information needed for recognition is acquired by a sensor, and is converted into a digital format. This digitized representation of a feature, in this case a face, is then compared to a “biometric template” or a “gallery” stored in a database. This paper will delve into the Facial Recognition Database Systems (FRDBS) currently in place and cover predictions for future use, exploring the processes and methodology employed therein, specifically addressing FRDBS methodologies and techniques employed in capturing, storing, and comparing scanned images.
STEGANALYSIS: EXPLORING THE VIRTUAL STEGANOGRAPHIC LABORATORY PART 1: THE LSB-STEGANALYSIS
by Cordny Nederkoorn
Steganography is the art of obfuscation, hiding information in plain sight, while steganalysis is the art of finding that hidden information. For computer forensics professionals, steganalysis is becoming a daily job. Different tools are available for steganalysis, and the Virtual Steganographic Laboratory (VSL) is one of them. This article is the first of a series in which the different functions of VSL will be tested and discussed.
COMPUTER FORENSICS WITH P2 COMMANDER
by Pranshu Bajpai
Computer Forensics is the methodical series of procedures and techniques used for procuring evidence from computer systems and storage media. This evidence can then be analyzed for relevant information that is to be presented in a court of law. Computer Forensics has frequently been listed as one of the most intriguing computer professions, however beginners may find themselves overwhelmed quickly, as practical step-by-step procedures on this subject may be hard to come by.
Don't forget to leave a review!