Forensic search for...
 
Notifications
Clear all

Forensic search for development tools  

  RSS
mitchmcc
(@mitchmcc)
New Member

As I am going through the Cyber Triage videos, I am coming up with new questions.  As a former (retired) developer, I know that many of the things that a person might do to hide digital evidence of a crime would require something like a developer's system, e.g., Microsoft Visual Studio, hex editors, tools (like exiftool), etc.  Or advanced scripting tools or scripts, such as for Python, Powershell, Bash, etc.

Is this something that existing analysis tools would point out?

Thanks,

Mitch

This topic was modified 2 weeks ago 2 times by mitchmcc
Quote
Posted : 20/10/2020 7:32 pm
Topic Tags
CheeseString
(@cheesestring)
New Member

If I'm understanding your question correctly, then the answer is no - a forensic analysis tool will not point out to the analyst that, for example, the system being analysed has Python installed.

What forensic analysis tools will do however, is let you view installed programs/software, and it is up to you as the analyst to search through this and see if anything stands out as potentially relevant.

 

Edit: Some tools, such as Axiom, might make a list for you which will include 'anti-forensic tools' such as encryption software or software which can permanently delete data (Shredder etc.) however, you should still do your own search and not blindly trust what the tool is showing because no too is perfect, and can miss relevant evidence.

This post was modified 2 weeks ago by CheeseString
ReplyQuote
Posted : 22/10/2020 8:18 am
mitchmcc
(@mitchmcc)
New Member

@cheesestring - Thank you...  I was just thinking that, at least in the case of a real intruder, there would probably be a long list of programs that would not be seen on the average computer. 

ReplyQuote
Posted : 22/10/2020 11:33 am
jaclaz
(@jaclaz)
Community Legend
Posted by: @mitchmcc

@cheesestring - Thank you...  I was just thinking that, at least in the case of a real intruder, there would probably be a long list of programs that would not be seen on the average computer. 

I guess it depends on the intruder, but a *good* one would install NOT any software, using portables from another device AND clean possible artefacts related to the connection to this other device.

Let's say that you bring your car to the mechanics for some repairs, do you expect to later find upon inspection a couple spanners and screwdrivers in the bonnet? [1]

jaclaz

[1] [email protected], wrong comparison, last week I found wedged near the front lights a pair of very long thin nose pliers ...

 

 

ReplyQuote
Posted : 22/10/2020 1:08 pm
mitchmcc
(@mitchmcc)
New Member

@jaclaz - good point.. I have created my own Kali Linux bootable USB, but have not gotten around to actually trying it!   Soon...

ReplyQuote
Posted : 22/10/2020 3:47 pm
athulin
(@athulin)
Community Legend

@mitchmcc

If you know that the target computer is not 'average', its easier.  In corporate cases, where the company has some degree of software control, you can often ask for a copy of the expected setup of a particular user, create a hashset/equivalent from that, and then apply that to your target image to find differences.  But then, if the owner/user happens to be IT backoffice expert, you must be prepared to find just about anything on his/hers system.

However, if you don't know what to expect, going by averages is not necessarily relevant. Better to just inventory the system: these installed binaries, these executables, these apps, these virtual machines, these docker images, and so on, and leave the question of 'is this expected, is it average, or ...'  for later. Ideally, also look for traces of previously installed system. If you have a case that has to do with Microsoft .doc documents, for example, you should not ignore traces from other word processors, especially if it is known that any timestamp metadata from them does not survive standard conversion to Microsoft format.

ReplyQuote
Posted : 22/10/2020 6:16 pm
mitchmcc liked
mitchmcc
(@mitchmcc)
New Member

@athulin Good points.   I know that as a software engineer, we basically had (unlike most employees) *no* restrictions from IT as to what software we could load onto our machines.

ReplyQuote
Posted : 22/10/2020 7:04 pm
keydet89
(@keydet89)
Community Legend

> Is this something that existing analysis tools would point out?

Unlikely, because it's not their job.  "Analysis tools" is a misnomer; what you're thinking of as "analysis tools" are really "data parsing and presentation tools"; analysis and interpretation is up to the...not to be circular...analyst.

Could they do this?  Sure.  Many of the commercial suites include a hash comparison capability, and as long as you're maintaining the hash sets, you have this capability at your fingertips.  All of this is also pretty trivial to accomplish without the use of the commercial suites.

Almost all of the commercial suites are configurable (I say "almost" because I haven't seen every one of them).  As such, asking "would the tool point this out" would illicit the response, "sure, if you tell it to do so".

I found the statement about a "good" intruder not installing any software an interesting one.  I say "interesting" because I agree that a "good" intruder would likely use native tools to accomplish their mission, and minimize what they bring over.  However, a _great_ intruder knows that they can get away with installing whatever they want.  In 2016, the Samas ransomware folks had an average dwell time of 4 months, during which they installed and ran Hyena, a network scanner...if they'd been detected, I never would've seen the case.

I remember one particular engagement where one of the analysts on my team was telling the customer how he felt that the threat actor was a n00b, based on what we could see as the tools they used, etc.  After the meeting, I gently reminded the analyst that by the time we had been called, the actual intrusion had been over for almost 8 months.

ReplyQuote
Posted : 23/10/2020 1:03 pm
mitchmcc liked
jaclaz
(@jaclaz)
Community Legend

@keydet89

Yep, but don't forget that those could also be "lucky intruders" (or "good-for-nothing defenders"), truth is that every single case is a story on it's own and, as Athulin stated going by average is complex when you don't know what is average.

jaclaz

ReplyQuote
Posted : 23/10/2020 4:45 pm
Share: