
Triage Forensic Advice

12 Posts
7 Users
0 Likes
525 Views
(@dr-pepper)
Posts: 13
Active Member
Topic starter
 

Hi guys,

I am thinking about possibly doing something centred on Triage forensics for my Final Year Project at university.
I am thinking of developing some software to do Triage based tasks.

However, I have a few questions which hopefully you guys can help me with. I would really appreciate the help.

1. I do not know a great deal about how Triage is done in the real world, so I was hoping that a few members who deal with Triage forensics could give me a bit of a run-down as to the process that they go through when performing their investigation, i.e., from the discovery of the suspect's machine, maybe at their home, to the process that you go through…

2. How often does it occur that you have to investigate machines quickly on site rather than take an image and return the image to the lab for further investigation? Do you turn off the computer and perform your activities or do you leave it switched on and perform your activities then?

3. If you were to do Triage on-site, how much do you worry about "changing" data? I.e., plugging in a USB stick would be changing data, and running a piece of software could possibly change data.

I want to create software which would actually be useful rather than just making software for the sake of completing my FYP, so I'm hoping to gather a fair bit of information to help me achieve that.

Any questions, then reply and I'll try to answer them!

Thanks

 
Posted : 07/05/2015 12:05 am
(@mrmoo28)
Posts: 16
Active Member
 

What's the scenario for the forensic investigation?

For instance, is it an HR dispute in a corporate environment where you believe they've stolen some company IP through their work laptop?

Or is it a malware investigation for an e-commerce merchant who operates 6 web servers, 3 database servers and a NAS or SAN, along with an office of 60 PCs?

I'd say a different approach might be needed for each, and even for the malware investigation it depends what your aim is. Perhaps you know a breach likely came from the website, but you need to "prove the negative", I guess you could say, and rule out the office - do you really want to image 60 PCs at, say, 2 hours per HDD? Or would it be prudent to just run several malware scans, say, or use a previewing tool to do a quick keyword search perhaps over some key areas…

 
Posted : 07/05/2015 1:06 pm
(@deltron)
Posts: 125
Estimable Member
 

> What's the scenario for the forensic investigation?
>
> For instance, is it an HR dispute in a corporate environment where you believe they've stolen some company IP through their work laptop?
>
> Or is it a malware investigation for an e-commerce merchant who operates 6 web servers, 3 database servers and a NAS or SAN, along with an office of 60 PCs?
>
> I'd say a different approach might be needed for each, and even for the malware investigation it depends what your aim is. Perhaps you know a breach likely came from the website, but you need to "prove the negative", I guess you could say, and rule out the office - do you really want to image 60 PCs at, say, 2 hours per HDD? Or would it be prudent to just run several malware scans, say, or use a previewing tool to do a quick keyword search perhaps over some key areas…

Yes, I agree each scenario is different; the first step is to assess the situation. Maybe come up with mock situations and describe how you would triage each.

 
Posted : 07/05/2015 7:08 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

If I may, the OP is NOT involved in any forensic investigation, let alone one involving triage; he is actually asking the professionals in the field what kind of investigations in practice involve triage and what the professional would like to have in terms of features out of a triage tool.
He may well propose a number of "mock" scenarios, but they would be "mock" or theoretical only.

The questions are:
How do you go on with triage in a real case?
Which kind of real cases have you happened to be involved in, in which you used triage?
How often do you decide (or are compelled) to use triage as opposed to full examination in a laboratory?
How relevant for you is "changing data" in a real-life triage situation/case?

I.e., for once, academically originated questions are not "purely theoretical" but actually "real world" or "practical", so let's try answering them as they are without attempting to bring them back to the theoretical world.

jaclaz

 
Posted : 07/05/2015 7:44 pm
zoltandfw
(@zoltandfw)
Posts: 27
Eminent Member
 

You might look into the Department of Justice document in order to get your project started. It lists types of crimes and what type of data is involved in those types of crimes. Your solution can be menu driven, where the user determines the type of investigation and the software selects the most data structures. You definitely want to preserve the volatile data before triaging it and consider the order of volatility in that process. You can focus on collecting common registry values (AccessData Registry Quick Find Chart) or regripper modules. You can incorporate or look at log files that log2timeline supports and collect those logs. You can look at how Helix used to manage the incident response with netcat. Look at the Forensic Server Project methodology and collection tools.

The guide for first responders

The main thing is to keep a log of what you are doing/collecting and to hash the collected data, preferably to a remote location and not to the same system (less footprint).

I hope one of these resources will help.

 
Posted : 07/05/2015 8:45 pm
(@dr-pepper)
Posts: 13
Active Member
Topic starter
 

> If I may, the OP is NOT involved in any forensic investigation, let alone one involving triage; he is actually asking the professionals in the field what kind of investigations in practice involve triage and what the professional would like to have in terms of features out of a triage tool.
> He may well propose a number of "mock" scenarios, but they would be "mock" or theoretical only.
>
> The questions are:
> How do you go on with triage in a real case?
> Which kind of real cases have you happened to be involved in, in which you used triage?
> How often do you decide (or are compelled) to use triage as opposed to full examination in a laboratory?
> How relevant for you is "changing data" in a real-life triage situation/case?
>
> I.e., for once, academically originated questions are not "purely theoretical" but actually "real world" or "practical", so let's try answering them as they are without attempting to bring them back to the theoretical world.
>
> jaclaz

Thanks jaclaz, you formed the questions much better than me!!

I can think up mock scenarios, which obviously will each have different needs when it comes to this kind of software, as it is very varied.
This is kind of why I wanted to do something based around Triage, as it is quite a newish concept and I would like to put my spin on it.

I am just trying to gather as much information about real-world applications as possible so I can create some software which could be applied "in the field".

If anyone could even answer a couple of the questions to the best of their knowledge or provide any further advice or anecdotes which could be helpful, then it would be much appreciated.

 
Posted : 08/05/2015 3:43 am
(@dr-pepper)
Posts: 13
Active Member
Topic starter
 

> You might look into the Department of Justice document in order to get your project started. It lists types of crimes and what type of data is involved in those types of crimes. Your solution can be menu driven, where the user determines the type of investigation and the software selects the most data structures. You definitely want to preserve the volatile data before triaging it and consider the order of volatility in that process. You can focus on collecting common registry values (AccessData Registry Quick Find Chart) or regripper modules. You can incorporate or look at log files that log2timeline supports and collect those logs. You can look at how Helix used to manage the incident response with netcat. Look at the Forensic Server Project methodology and collection tools.
>
> The guide for first responders
>
> The main thing is to keep a log of what you are doing/collecting and to hash the collected data, preferably to a remote location and not to the same system (less footprint).
>
> I hope one of these resources will help.

Thank you very much - I hadn't thought of looking at those documents!

There are quite a few different modules which I could incorporate into my project, but I'm not sure on the protocol regarding using other people's code in my FYP; I would have to clarify this.

 
Posted : 08/05/2015 3:45 am
(@dr-pepper)
Posts: 13
Active Member
Topic starter
 

Here's another question that will help define how I create my software.

Consider the scenario where you need to run Triage operations on an office full of PCs (30+).

CURRENTLY, do you sit at each machine and run the Triage software one by one, or do you have multiple CDs/Memory Sticks/etc which you plug into, let's say, 10 machines at a time and click ONE or a COUPLE of buttons on each machine to get it going and leave it,
OR
Do you do each machine one by one, where you make multiple choices regarding what you want to process and make further decisions as the Triage process is going through?

The reason for the question:

I am undecided on how to present the software. Do I write the software in a way in which an investigator can have a pre-made settings file which can be loaded onto multiple USBs and with 1 or 2 clicks can be set running,
OR
Do I create it in such a way as to have more control by answering multiple questions and starting multiple modules throughout the processing of the machine?

 
Posted : 08/05/2015 4:52 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> CURRENTLY, do you sit at each machine and run the Triage software one by one, or do you have multiple CDs/Memory Sticks/etc which you plug into, let's say, 10 machines at a time and click ONE or a COUPLE of buttons on each machine to get it going and leave it,
> OR
> Do you do each machine one by one, where you make multiple choices regarding what you want to process and make further decisions as the Triage process is going through?

OR
Would you like to have a very small bootable environment/whatever that runs entirely in RAM and thus allows removing the Triage tool media as soon as it is completely loaded, in order to pass the single media (CD/DVD/USB stick) on to the next PC?

(only providing a third alternative)

As I see it (but I am no professional), and with no offence intended of course, the whole triage approach has its own issues/drawbacks, but generically speaking (more as generic procedural advice than specific triage-oriented advice), basically there should be a (limited) set of options that the operator chooses initially; then the software should run unattended, chunking away byte after byte, and end with a report and a large sign on the screen, either of
http://www2.psd100.com/wp-content/uploads/2013/07/Checkmark-and-error-icon-psd20130714.jpg

Or - even better IMHO - with a "probability factor" of the PC containing something of interest, or the priority attributed to its "full" examination (if any).

A progress bar of some kind (or percentage of operations currently reached) and - where possible - an estimation of "time remaining" would be a plus.

As a side-side note, which might anyway be of interest to you, here is a generic discussion on the opportunity (and utility) of triage (and what to expect from it):
http://www.forensicfocus.com/Forums/viewtopic/t=10931/

jaclaz

 
Posted : 08/05/2015 6:57 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

Here's my 2 pence

Triage has become a (or the?) buzzword among those at management level and sales advisers, basically those with no forensic knowledge.
Don't get me wrong, triage has its place in the forensic toolkit, and I think it will make a very interesting project for you.

I'm responsible for the use of triage within a relatively large police force, so please note my experience is not commercial and I won't even attempt to guess how it would be used in that area.

As I see it, triage processes tend to be one of two possible methods (or both):
Extracting generic high-value artefacts (live internet history, recently accessed files, installed programs, prefetch etc.)
Searching for keywords in specific areas or extracting files of a particular type

Both of these methods have their advantages and disadvantages. Basically, artefact extraction is quick and can get a lot of information; however, it doesn't find anything outside of the artefacts (say a new peer-peer file sharing software), whereas keyword searches can be slow but can locate hits in unexpected locations. We are using ADF currently, and what we have found is that the triage methodology works for a specific type of case, known as CEOP referrals.

CEOP referrals are Indecent Images of Children cases where we get intelligence that an IP address has uploaded/shared/something with an Indecent Image online. This IP was then traced to our AOR and sometimes we get an email address relating to an individual but basically very limited intelligence.

For these cases we have been using a generic keyword search in small files (<1MB), locations of peer-peer download records (such as emule known.met), recent files and all filenames and paths.
This combined with live internet history, looking for encryption/anti-forensics programs and a small hashset of known IIC tends to work quite well.

The reason it seems to work best for these cases is that the intelligence never really changes, and so we don't have to alter the pack very often. The problem with using a pack without testing it is that it is very easy to miss an artefact and never know you missed it!
We can even run it over the jobs at the end and see what was missed and try to improve the pack.

In most of our cases, all items are seized and then triaged prior to imaging at the HTCU. Usually we get a hit on one or two of the computers and these are then the focus of a full exam. The other items can then be returned in a more timely manner than waiting for a full exam.

In answer to question 3, the changes made to a system by plugging in a USB are minimal and we would just make a note of what we have done and note the USB serial, VID, PID etc that we plugged in. However as ADF boots from a USB stick, this usually isn't a problem as we never boot the OS drive.

Hope this helps, if you would like some more information about this, feel free to PM me.

 
Posted : 08/05/2015 7:59 pm
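The two pieces of advice above (zoltandfw: log everything you collect and hash it to a location off the examined system; minime2k9: a pre-built "pack" of keyword searches in small files, filename/path capture and a known-hash set that runs unattended) fit together in a small prototype. The following is an added example, not code from any poster or from ADF; the pack format, the keywords and the sample files are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile

# Constructed triage "pack" (assumed format, not any real tool's): the limited
# set of options the operator picks up front so the run can proceed unattended.
PACK = {
    "max_size": 1_000_000,  # keyword-search only files of about 1 MB or less
    "keywords": [b"known.met", b"encrypt"],  # constructed sample keywords
    "known_hashes": {hashlib.sha256(b"constructed known-bad sample").hexdigest()},
}

def triage(root, pack, log_path):
    """Record every path and hash, keyword-search small files, flag hash-set hits;
    append one JSON line per file to a log that the caller keeps off the evidence."""
    hits = []
    with open(log_path, "a", encoding="utf-8") as log:
        for dirpath, _, names in os.walk(root):
            for name in sorted(names):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    data = f.read()
                entry = {"path": os.path.relpath(path, root), "size": len(data),
                         "sha256": hashlib.sha256(data).hexdigest(), "flags": []}
                if entry["sha256"] in pack["known_hashes"]:
                    entry["flags"].append("known_hash")
                if len(data) <= pack["max_size"]:  # large files are hashed but not searched
                    entry["flags"] += ["keyword:" + k.decode() for k in pack["keywords"] if k in data]
                if entry["flags"]:
                    hits.append(entry)
                log.write(json.dumps(entry) + "\n")  # full record, hit or not
    return hits

def demo():
    """Constructed sample tree; returns (hits, number of files logged)."""
    root, logdir = tempfile.mkdtemp(), tempfile.mkdtemp()  # log lives apart from the evidence
    samples = {"a.txt": b"nothing here", "b.dat": b"constructed known-bad sample",
               "c.cfg": b"path=C:\\emule\\config\\known.met", "big.bin": b"encrypt" + b"\0" * 1_000_001}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    hits = triage(root, PACK, os.path.join(logdir, "triage.log"))
    with open(os.path.join(logdir, "triage.log"), encoding="utf-8") as f:
        return hits, sum(1 for _ in f)
```

Running the pack over the constructed tree flags b.dat by hash and c.cfg by keyword, while big.bin is logged but not keyword-searched because it exceeds the pack's size limit, which is exactly the kind of miss minime2k9 warns you only discover by testing the pack afterwards.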