Evidence processing methodology
I'm curious to know how everyone goes about processing their evidence. What are your must get areas of the disk? Do you follow a standard procedure to try to collect as much as possible with the least effort?
I aim for:
- deleted files, including malware
- swap, file slack, unallocated
- a keyword search
- then move on to internet history and registry, although I am thinking of putting the registry a bit higher in the list.
I'm thinking that in most cases, it really depends upon the case.
For example, with some cases, is it necessary to develop a timeline of activity on the system? If so, are other sources considered besides file MAC times? Say, log files? On Windows systems, how about Registry key LastWrite times?
How useful is a keyword search, in some cases? Say, within the Registry? Sure, it works sometimes, but not all entries that may pertain to some activity are maintained as ASCII strings…some are ROT-13 strings, others are binary data types, etc.
Depends on the scope defined for the case.
Recently I worked on an email / chat related case. I did get the forensic image. I used FTK and at the beginning of the wizard I chose email investigation only. It is a nice feature and the evidence processing doesn't take forever. I did validate my results against Email and Chat Examiner.
So basically I would rather invest extra time validating the results than go out of scope of the investigation.
The list you provide is thorough though. If there are irregularities or discrepancies in the investigation this is a good list to start with.
Do you think there is a place for a forensics analysis methodology that will assist in the mining of evidence out of all the data available?
I am looking at standard data mining methodologies and developing a methodology to assist with the finding of evidence - I call it Evidence Mining.
We hope to then adapt some of the advanced data mining type algorithms to make it applicable in evidence mining.
What's the general feeling? Is this a worthwhile route to follow?
> What's the general feeling? Is this a worthwhile route to follow?
This definitely has potential, but without knowing more about what it is you plan to do, what you actually plan to implement, it's hard to tell.
I've used Eoghan Casey's examination methodology and found it to be extremely useful for gleaning evidence. Of course, in certain cases this methodology would need to be enhanced to cater for specific attacks.
In general the methodology is composed of these steps:
- listing: create a list of all files and directories in the system (including deleted files). This listing should show file names, sizes, MAC times, MD5 hashes, etc.
- recovery: recover deleted files, unallocated space, file slack, etc.
- filter: use a database of known good hashes and known bad hashes to filter the files into a smaller subset by ignoring noisy data (like OS files, known applications, etc.).
- process: using the small subset, try to categorise it into types using the magic number.
After the process phase, you would eventually find yourself touching on specific data types where more focused analysis will take place. This is what I call the application layer analysis, where analysis of artifacts like IE, Outlook, Registry, etc. will take place.
This methodology is more thorough and may not be suited to all cases, but for educational purposes and, in some cases, it is the best bet you can have.
Other methodologies tend to use keyword search as an assessment of worth, and then follow it with focused analysis. This only works if you are looking for specific data types, and you know the inherent vulnerability of the tools in hand, i.e. physical keyword search vs logical keyword search.
It varies from case to case. However, the Computer Forensic Examiner may use specific methods for analysis considering the case history:
(1) Cases related to e-mail abuse / child pornography: specific attention may be given to chat logs, e-mail IDs, user names, aliases, images depicting minors in a sexual context, information about digital cameras, scanners, ISP logs, etc.
(2) Cases related to frauds: specific attention may be given to images of controlled documents used for counterfeiting, use of advanced desktop tools like Photoshop, Corel Draw, etc., and information about the scanners and high-end printers installed in the system, etc.
(3) Cases related to data theft / hacking: specific attention to be given to user logs, e-mail accounts, e-mail IDs, ISP used, network configurations and users, system logs, passwords, user names, installed Trojans, installed removable devices, etc.
During analysis one may follow the following steps (general):
(3) File list & hash value generation
(4) Recovery of deleted files, slack & unassigned clusters
(5) Removal of known/unnecessary/duplicate files
(6) Identification & decryption of encrypted files
(7) Email extraction, etc.
The specific analysis method may be used depending upon the case history and the investigating agency's request:
(2) Data hiding analysis
(4) Documenting & reporting
youcefb9 mentioned some very useful data reduction techniques, ones that are widely used today, specifically the use of hashes. However, given the rate at which updates to operating systems occur, the number of files that ship with many applications, etc., it is difficult at best to maintain the list of known good hashes. The same is true with known bads, and especially illicit images, as the flipping of a single bit (let alone modifying the size or transforming using another algorithm, such as JPG -> TIFF) changes the hash.
On Windows systems in particular, I would suggest that the filter phase include processes for classification based on hash comparison, file signature analysis, metadata retrieval, header analysis (for PE files) as well as correlation with Registry artifacts (ie, autostart locations, services, etc.).
Automating all of this will serve to greatly reduce the amount of data that must be analyzed.
As mentioned previously, keyword searches can produce dubious results.
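As an added example (not code from this thread or from any of the tools mentioned), here is a small Python sketch of youcefb9's listing / filter / process phases, with the file signature check the previous post suggests adding to the filter phase. The evidence tree, the hash sets and the magic-number table are constructed stand-ins, not real NSRL or malware data.

```python
import hashlib
import tempfile
from pathlib import Path
# Magic numbers used in the "process" phase to type files independently of their extension.
SIGNATURES = {b"MZ": "pe", b"\xff\xd8\xff": "jpeg", b"%PDF": "pdf", b"\x89PNG": "png"}
EXPECTED_EXT = {"pe": {".exe", ".dll", ".sys"}, "jpeg": {".jpg", ".jpeg"}, "pdf": {".pdf"}, "png": {".png"}}
SAMPLE_FILES = {  # constructed evidence tree (hypothetical contents, not real files)
    "Windows/notepad.exe": b"MZ" + b"\x90" * 30,                 # known-good OS file
    "Users/bob/holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 30,  # ordinary picture
    "Users/bob/invoice.jpg": b"MZ" + b"A" * 30,                  # PE file carrying a .jpg extension
    "Temp/svc.exe": b"MZ" + b"B" * 30,                           # matches the known-bad set
}
# Constructed hash sets standing in for a known-good (NSRL-style) list and a known-bad list.
KNOWN_GOOD = {hashlib.md5(SAMPLE_FILES["Windows/notepad.exe"]).hexdigest()}
KNOWN_BAD = {hashlib.md5(SAMPLE_FILES["Temp/svc.exe"]).hexdigest()}

def build_sample_tree():  # write the constructed tree into a temp directory, return its root
    root = Path(tempfile.mkdtemp(prefix="evidence_"))
    for rel, data in SAMPLE_FILES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root

def file_type(head):  # classify by magic number; anything unrecognised stays "unknown"
    return next((t for magic, t in SIGNATURES.items() if head.startswith(magic)), "unknown")

def list_files(root):
    """Listing phase: path, size, MAC times, MD5 and signature type for every file."""
    entries = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        st, data = path.stat(), path.read_bytes()
        entries.append({"path": path.relative_to(root).as_posix(), "size": st.st_size,
                        "mac": (st.st_mtime, st.st_atime, st.st_ctime), "ext": path.suffix.lower(),
                        "md5": hashlib.md5(data).hexdigest(), "type": file_type(data[:4])})
    return entries

def filter_and_process(entries):
    """Filter phase drops known-good and flags known-bad; process phase flags extension/signature mismatches."""
    out = {"known_bad": [], "mismatch": [], "review": []}
    for e in entries:
        if e["md5"] in KNOWN_GOOD:
            continue  # noisy data: OS files, known applications
        if e["md5"] in KNOWN_BAD:
            out["known_bad"].append(e["path"])
        elif e["type"] in EXPECTED_EXT and e["ext"] not in EXPECTED_EXT[e["type"]]:
            out["mismatch"].append(e["path"])
        else:
            out["review"].append(e["path"])
    return out
```

The renamed PE file surfaces in the mismatch bucket even though no hash list knows it, which is the point of checking signatures alongside hashes.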