Guideline for EnCase workflow

44 Posts
13 Users
0 Reactions
5,485 Views
(@forsncar)
New Member
Joined: 16 years ago
Posts: 1
 

I totally agree with running FTK then LiveView. Once you see the behind-the-scenes info, you can see the owner's state of mind and layout.

rjpear
(@rjpear)
Trusted Member
Joined: 19 years ago
Posts: 97
 

I guess what I'm saying is that, if an analyst is going to run 3 AV scanners, and deem the image "clean"…there's much more that could be done and I wouldn't bank my reputation on 3 AV scanners.

Ok.. But what if you run the 3 AVs.. and they are legit programs with good reputations… then where do you go..? Try a program that no one uses and no one has tested, so no studies on its success rate can be produced? Go through the system file by file?

I think we have a difference between practicality and academics….

(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
Topic starter

I guess what I'm saying is that, if an analyst is going to run 3 AV scanners, and deem the image "clean"…there's much more that could be done and I wouldn't bank my reputation on 3 AV scanners.

Ok.. But what if you run the 3 AVs.. and they are legit programs with good reputations… then where do you go..? Try a program that no one uses and no one has tested, so no studies on its success rate can be produced? Go through the system file by file?

I think we have a difference between practicality and academics….

Greetings,

I'd be very unwilling to state with 100% certainty that a particular image was free of any malware, trojans, viruses, etc. I'll make a best effort to find such, given my skills and the tools available. If the facts of the case indicate that the presence of a virus, or lack thereof, is important, I'll make a greater effort, or hire someone more experienced to do so.

My report will state that I ran legal, updated copies of the named tools and that they produced the documented results. If the results are positive, more research and analysis will be included in the report.

-David

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Ok.. But what if you run the 3 AVs.. and they are legit programs with good reputations… then where do you go..? Try a program that no one uses and no one has tested, so no studies on its success rate can be produced? Go through the system file by file?

I think we have a difference between practicality and academics….

I don't think we do. There are a number of additional techniques that can be used to detect indications of malware that has not been detected by AV scanners. I've listed these in my blog, as well as in responses to posts in this forum.

On Windows systems, all malware has an effect of some kind on the environment. In my blog, I describe four characteristics of malware, which can be used to classify and describe malware, as well as detect the presence of malware, particularly if AV has missed it.

For example, Virut is a file infector, and reportedly does not use Registry artifacts to enable an autostart capability. There have been variants this past spring that have not been detected by commercial, up-to-date AV scanners. As such, other techniques had to be used.

This is a good illustration, IMHO, of the need for members of the community to think critically about the work that we're doing, and think beyond "Nintendo Forensics". I've been involved in engagements where 5 commercial AV products were run against a mounted image and they ALL missed the malware, which was critical to the analysis. It was only through critical thought and analysis that the analyst found the malware.

Simply put, if AV scanners were able to detect all malware, then there'd be no need for educated, thoughtful analysts.

(@gkelley)
Estimable Member
Joined: 21 years ago
Posts: 128
 

When we mount files, we mount them persistent. However, we do not mount e-mail stores or Office docs. Analysis on those is conducted outside of Encase.
We also run a sig and hash over the case again after mounting the files to sig and hash those files inside of the mounted files.
While not needed in every case, we also run the scripts to analyze LNK files, INFO2 records, extract browser history and carve browser history from unallocated and parse the event logs into a CSV format.

(@markjot)
New Member
Joined: 18 years ago
Posts: 3
 

11. Extract registry hives
12. Index case.

I always do File Report. It would be very useful for the Public Prosecutor, court, etc.

(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

3. Confirm disk geometry, sector count, partitions.

Including some kind of consistency check – which may be difficult to do properly. chkdsk or equivalent should probably be a required step, but also a tool like PartInfoNT, although I suspect it might be a bit outdated. (I may be overreacting – I've recently seen a volume that was inconsistently reported as either whole drive or half drive, and the discrepancy was not identified by chkdsk on a Win 7 system. That makes me wonder …)

And also, perhaps, some kind of file system anomaly detection – checking for files with timestamps after acquisition, or so hopelessly off course that they can't be right, etc. Not that this is a good place to start an investigation, but it's useful auxiliary information to have later, and it can fairly easily be automated.

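The two checks the post above asks for (partition-table consistency against the reported sector count, and flagging file timestamps that post-date the acquisition or are hopelessly old) can be scripted. The following is an added example written for this thread, not code from the forum or from EnCase; the imaging time, floor date, partition table and file listing are all constructed.

```python
"""Constructed example: partition-table bounds check and MAC-time anomaly scan."""
from datetime import datetime, timezone

# Hypothetical imaging time and a floor below which timestamps are treated as bogus.
ACQUIRED = datetime(2012, 3, 5, 12, 0, tzinfo=timezone.utc)
FLOOR = datetime(1995, 1, 1, tzinfo=timezone.utc)

# Constructed partition table (name, first sector, sector count): vol2 runs past the disk end, vol3 overlaps vol1.
TOTAL_SECTORS = 500_000
PARTITIONS = [("vol1", 2048, 200_000), ("vol2", 202_048, 400_000), ("vol3", 100_000, 1_000)]

# Constructed file listing: (path, modified, created, accessed) as UTC ISO-8601 strings.
LISTING = [
    ("C:/Users/alice/report.docx", "2012-03-01T10:15:00", "2012-02-28T09:00:00", "2012-03-02T08:00:00"),
    ("C:/Temp/update.exe", "2012-03-09T14:00:00", "2012-03-09T14:00:00", "2012-03-09T14:00:00"),
    ("C:/Temp/old.dat", "1601-01-01T00:00:00", "1980-01-01T00:00:00", "2012-03-02T08:00:00"),
]

def check_partitions(total_sectors, partitions):
    """Return (name, problem) pairs for entries that exceed the disk or overlap an earlier one."""
    problems = []
    ordered = sorted(partitions, key=lambda p: p[1])  # walk the table in start-sector order
    prev_end = 0
    for name, start, count in ordered:
        if start + count > total_sectors:
            problems.append((name, "extends past reported sector count"))
        if start < prev_end:
            problems.append((name, "overlaps previous partition"))
        prev_end = max(prev_end, start + count)
    return problems

def _parse(ts):
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)

def find_timestamp_anomalies(listing, acquired=ACQUIRED, floor=FLOOR):
    """Return {path: [reasons]} for files whose MAC times cannot be right."""
    anomalies = {}
    for path, *stamps in listing:
        reasons = []
        for label, raw in zip(("modified", "created", "accessed"), stamps):
            t = _parse(raw)
            if t > acquired:                      # cannot be written after the image was taken
                reasons.append(f"{label} is after acquisition")
            elif t < floor:                       # e.g. NTFS epoch zero or a reset clock
                reasons.append(f"{label} is implausibly old")
        if reasons:
            anomalies[path] = reasons
    return anomalies
```

Both functions return plain data so the output can be appended to the case notes or fed into whatever reporting the workflow already produces.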
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

Kovar, allow me to update this general guideline.

I am doing so in hopes to further flesh it out.
I would love to have tools associated with each step.

Can I get all of you to append to this?
Maybe better wording, or "generalization"?

The list, as is, is inconsistent because in some places it describes a general process, and in others it specifies exact tools.

1. Create case
   a. Ensure that you have all relevant information
      i. custodians,
      ii. clients,
      iii. case name,
      iv. etc.
2. Add evidence
   a. E01,
   b. LEFs,
   c. loose files,
   d. etc.
3. Confirm disk
   a. geometry,
   b. sector count,
   c. partitions
   d. consistency
4. Run Partition Finder if indicated
5. Run Recover Deleted Folders
6. Search case - hash and signature analysis
7. Run File Mounter
   a. recursive,
   b. not persistent,
   c. create LEF,
   d. add LEF to case
8. Run Case Processor
   a. File Finder
   b. Export results,
   c. add back in as LEF
9. Search case
   a. hash, and
   b. signature analysis
10. Search for encrypted or protected files
   a. Address as appropriate
11. Extract registry hives
12. Analyze
   a. File Report,
   b. LNK files,
   c. INFO2 records
   d. time stamps
13. Extract browser history
14. Carve browser history from unallocated
15. Parse the event logs into a CSV format
16. Index case
17. Look for malware, viruses, trojans, rootkits
   a. AV,
   b. SpyBot S&D,
   c. HiJackThis!,
   d. Malwarebytes,
   e. Adaware,
   f. etc.
18. Mount image and run triage tool(s) against it
19. Run image in LiveView or VFC to see system as user experienced it
20. Run RegRipper, RipXP, RegReport against registry hives

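Steps 6 and 9 of the list above (and the "sig and hash" pass gkelley describes) are a hash-and-signature analysis: hash every file, compare the extension with the magic bytes, and set aside anything whose hash is already in a known-good set. This added example sketches that pass in Python; it is not EnCase's code or anyone's from the thread, and the signature table, sample files and known-good hash set are all constructed.

```python
"""Constructed example: hash and signature analysis over in-memory sample files."""
import hashlib

# Magic-number table: leading bytes -> extensions that legitimately carry them.
# A small subset for illustration; real signature tables hold hundreds of entries.
SIGNATURES = {
    b"MZ": {"exe", "dll", "sys", "scr"},
    b"%PDF": {"pdf"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx"},
    b"\xff\xd8\xff": {"jpg", "jpeg"},
}

# Constructed sample files (name -> content); none are real artefacts.
FILES = {
    "invoice.pdf": b"%PDF-1.4 constructed sample",
    "readme.txt": b"plain text, no recognised signature",
    "holiday.jpg": b"MZ\x90\x00 constructed PE header in a renamed file",
    "notes.docx": b"PK\x03\x04 constructed zip container",
}

# Hypothetical known-good hash set (stands in for an NSRL-style hash library).
KNOWN_GOOD = {hashlib.sha256(FILES["notes.docx"]).hexdigest()}

def hashes(data):
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def signature_status(name, data):
    """Compare the file extension with the signature found in the leading bytes."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    for magic, exts in SIGNATURES.items():
        if data.startswith(magic):
            return "match" if ext in exts else "mismatch"
    return "unknown"

def analyze(files=FILES, known_good=KNOWN_GOOD):
    """Return per-file hashes, signature status and whether the hash is already known good."""
    results = {}
    for name, data in files.items():
        h = hashes(data)
        results[name] = {**h, "signature": signature_status(name, data), "known_good": h["sha256"] in known_good}
    return results

def needs_review(results):
    """Files worth a closer look: signature mismatches that are not in the known-good set."""
    return sorted(n for n, r in results.items() if r["signature"] == "mismatch" and not r["known_good"])
```

In the constructed set only the renamed executable masquerading as holiday.jpg comes back for review; an "unknown" signature is not a mismatch, so readme.txt is left alone.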
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
Topic starter

Greetings,

I'll update it. Bear in mind that most of the specific tools were EnCase scripts and it is called "EnCase Workflow". I mentioned gathering information for use in other tools, though.

-David

jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

I know it is EnCase specific, but the reality is that it is not so far from not being EnCase specific. lol
