As I am going through the Cyber Triage videos, I am coming up with new questions. As a former (retired) developer, I know that many of the things that a person might do to hide digital evidence of a crime would require something like a developer's system, e.g., Microsoft Visual Studio, hex editors, tools (like exiftool), etc. Or advanced scripting tools or scripts, such as for Python, Powershell, Bash, etc.
Is this something that existing analysis tools would point out?
Thanks,
Mitch
If I'm understanding your question correctly, then the answer is no - a forensic analysis tool will not point out to the analyst that, for example, the system being analysed has Python installed.
What forensic analysis tools will do, however, is let you view installed programs/software, and it is up to you as the analyst to search through this and see if anything stands out as potentially relevant.
Edit: Some tools, such as Axiom, might make a list for you which will include 'anti-forensic tools' such as encryption software or software which can permanently delete data (Shredder etc.); however, you should still do your own search and not blindly trust what the tool is showing, because no tool is perfect and can miss relevant evidence.
@cheesestring - Thank you... I was just thinking that, at least in the case of a real intruder, there would probably be a long list of programs that would not be seen on the average computer.
I guess it depends on the intruder, but a *good* one would NOT install any software, using portables from another device AND cleaning possible artefacts related to the connection to this other device.
Let's say that you bring your car to the mechanic's for some repairs; do you expect to later find upon inspection a couple of spanners and screwdrivers in the bonnet? [1]
jaclaz
[1] d@mn, wrong comparison, last week I found wedged near the front lights a pair of very long thin nose pliers ...
@jaclaz - good point. I have created my own Kali Linux bootable USB, but have not gotten around to actually trying it! Soon...
If you know that the target computer is not 'average', it's easier. In corporate cases, where the company has some degree of software control, you can often ask for a copy of the expected setup of a particular user, create a hashset/equivalent from that, and then apply that to your target image to find differences. But then, if the owner/user happens to be an IT backoffice expert, you must be prepared to find just about anything on his/her system.
However, if you don't know what to expect, going by averages is not necessarily relevant. Better to just inventory the system: these installed binaries, these executables, these apps, these virtual machines, these docker images, and so on, and leave the question of 'is this expected, is it average, or ...' for later. Ideally, also look for traces of a previously installed system. If you have a case that has to do with Microsoft .doc documents, for example, you should not ignore traces from other word processors, especially if it is known that any timestamp metadata from them does not survive standard conversion to Microsoft format.
@athulin Good points. I know that as a software engineer, we basically had (unlike most employees) *no* restrictions from IT as to what software we could load onto our machines.
> Is this something that existing analysis tools would point out?
Unlikely, because it's not their job. "Analysis tools" is a misnomer; what you're thinking of as "analysis tools" are really "data parsing and presentation tools"; analysis and interpretation are up to the...not to be circular...analyst.
Could they do this? Sure. Many of the commercial suites include a hash comparison capability, and as long as you're maintaining the hash sets, you have this capability at your fingertips. All of this is also pretty trivial to accomplish without the use of the commercial suites.
Almost all of the commercial suites are configurable (I say "almost" because I haven't seen every one of them). As such, asking "would the tool point this out" would elicit the response, "sure, if you tell it to do so".
I found the statement about a "good" intruder not installing any software an interesting one. I say "interesting" because I agree that a "good" intruder would likely use native tools to accomplish their mission, and minimize what they bring over. However, a _great_ intruder knows that they can get away with installing whatever they want. In 2016, the Samas ransomware folks had an average dwell time of 4 months, during which they installed and ran Hyena, a network scanner...if they'd been detected, I never would've seen the case.
I remember one particular engagement where one of the analysts on my team was telling the customer how he felt that the threat actor was a n00b, based on what we could see as the tools they used, etc. After the meeting, I gently reminded the analyst that by the time we had been called, the actual intrusion had been over for almost 8 months.
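The hashset differencing that athulin and the reply above describe (hash a known-good "expected setup", then flag anything on the target image whose hash is not in that set) is simple enough to do without a commercial suite. The following is an added illustration, not code from any poster or product; the directory layout, file names and file contents are constructed sample data, and the helper names are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in 1 MiB chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_hashset(root):
    """Hashset of every regular file under the known-good baseline (the corporate 'expected setup')."""
    return {sha256_file(p) for p in Path(root).rglob("*") if p.is_file()}


def find_unexpected(target_root, known_hashes):
    """Relative paths on the target image whose content hash is not in the baseline.

    A file is reported both when it is absent from the baseline (newly installed tool)
    and when it exists at the same path but with different content (modified binary).
    """
    root = Path(target_root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and sha256_file(p) not in known_hashes
    )


def demo():
    """Constructed sample: a baseline image and a target image that differs in two files."""
    with tempfile.TemporaryDirectory() as tmp:
        base, target = Path(tmp, "baseline"), Path(tmp, "target")
        for d in (base, target):
            (d / "bin").mkdir(parents=True)
            (d / "bin" / "notepad.exe").write_bytes(b"MZ-notepad-stub")  # identical on both
        (base / "bin" / "cmd.exe").write_bytes(b"MZ-cmd-stub-v1")
        (target / "bin" / "cmd.exe").write_bytes(b"MZ-cmd-stub-v2")     # same path, changed content
        (target / "bin" / "shred.exe").write_bytes(b"MZ-shred-stub")    # not present in baseline
        return find_unexpected(target, build_hashset(base))
```

Because the comparison is by content rather than by path, the triage list is only as good as the baseline: as the thread notes, a user with unrestricted install rights will produce a long list that still has to be read by the analyst.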
Yep, but don't forget that those could also be "lucky intruders" (or "good-for-nothing defenders"); truth is that every single case is a story on its own and, as Athulin stated, going by averages is complex when you don't know what is average.
jaclaz