In this issue we invite you to explore the world of tools used in digital forensics with us. Although we can’t dream of including everything, we did our best to bring to you interesting tutorials and perspective on some of the tools and techniques you use every day.
As always, we are extremely grateful for everyone who made that issue possible. From authors, bringing you content, through reviewers keeping us on our toes, to proofreaders checking every word - we appreciate your work and your contributions. We could not do this without you, so let us say “thank you” again.
We start the issue with “The truth is in the metadata” by Tom Turner, which will give us a closer look on something we are very much familiar with. Can you learn something new here?
Then, we have a series of articles written by returning authors. First, we’ll jump into Redline for live analysis and auditing with Paulo Henrique Pereira - and if you’re not using Redline already, maybe you’ll start now. Second, we’ll try automating threat intel with Dennis Chow. Third, Brett Shavers returns with a piece on compiling identities, which is based on his new book, “Placing the Suspect Behind the Keyboard” - make sure you check it out as well! Fourth, Monnappa KA will take us on a journey of hollow process injection (as always, Monnappa’s article is really good!) and finally, Deivison Franco and his colleague Vaine Luiz Barreira will discuss SCADA forensics.
We continue the issue with two more articles, first by Petter Lopes which will get you over basics of investigation, including using Autopsy in the process, and second where Micaela Gallerini will give you a few tips on how to make sure your investigation in Wireshark is acceptable in court.
We’ll finish off the issue with a few links to our blogs, in case you want something a little bit more - we hope that if you don’t frequent our blog already this will give you an incentive to start. And when you finish reading the issue, please consider giving us feedback on our social media, or in the comment section on the website. We listen very carefully to every signal you send our way!
Enjoy your reading,
These days, nearly every person who walks into a meeting is carrying a device that can record high- definition video and high-fidelity audio without anyone knowing about it. While in many states it’s illegal to record a conversation without alerting everyone involved, there are a number of states where it is perfectly acceptable to record all your interactions during the day. Most states are “one-party consent” states, which means you don’t have to alert anyone you are recording a call or conversation unless more than two people are involved.
Practical Live Analysis and Auditing Using Redline IOC Models (Part I)
Paulo Henrique Pereira, PHD.
What is our challenge in a real case? Our discussion on Redline usage will be divided into two parts. In the first part, presented in this article, we will cover a basic introduction to Redline. In the second part, which will be published in a later issue, we will deal with the IOC Models call methodology.
Focusing and Automating Threat Intelligence Analysis
How many hours are spent analyzing strategic and tactical intelligence for cyber security operations? Consider how much of that time is spent trying to figure out which reports or data to read first and which to use as validation only.
Behind the Keyboard: Compiling Identity
Digital forensics analysis is the easy part of an investigation. That is not to say that the work of digital forensics is simple, but rather recovering electronic data is a fairly rote routine of data carving and visual inspection of data. Interpreting the data requires a different type of effort to put together a story of what happened ‘on the computer’. As important as analysis is to determine computer use, it is just as important to identify the user or users and attribute computer activity to each user.
Understanding Hollow Process Injection using Reverse Engineering and Memory Forensics
This article contains the details of a code injection technique called "Hollow Process Injection" (also called process replacement). This article mainly focuses on how attackers use hollow process injection techniques to remain stealthy and bypass detection from live forensic tools. Understanding these techniques is essential from an incident response standpoint to better counter such attacks.
Vaine Luiz Barreira and Deivison Pinheiro Franco
Industrial Automation replaced manual processes of industrial plants and is usually associated with computer activities, which reduced or replaced human labor with regard to safety, quality and cost reduction. These processes resulted in Supervisory Control Systems and Data Acquisition (SCADA), which are also known as Supervisory Systems. The Supervisory Systems monitor and control not only core industrial plant functionality, they are also vital in monitoring infrastructure such as electricity and nuclear, water treatment and sewage, oil and gas, traffic signaling, air traffic, health and financial systems and other related systems.
Forensic Examination with Autopsy for Windows
Because of the great technological advances and the dependence of companies and individuals regarding the equipment and information systems, crimes have also evolved and we started to use computerized equipment as a tool. Thus, the collection and analysis of digital evidence for both legal and commercial purposes requires a professional trained for such work, which is a Forensic Analyst or Forensic Expert, or Expert Witness to court of law. The following study shows some procedures present in the Computer Forensics Expertise cycle; preservation practices, collection, analysis and completion are elucidated in the text. Clarifications about the expert's responsibilities, as well as some search tips are also covered. Free tools are also included and I will cover other general aspects surrounding the subject.
How to Use Wireshark Properly as a Proof in Court
Wireshark has many features. In this article, we will discuss how to use those features to make evidence acceptable in court without possibility of doubt by any of the parties involved. Many times, we think that it is enough to simply bring into court the log as it is; unfortunately, it’s not so simple. The Wireshark log must be explained and managed differently according to the various cases, and the features that you will use to prevent a case from being distorted or one of the parties taking advantage of it in its favor to derail the legal process, features that we will see later help in this type of work.