Digital Forensics (35)

Search, Seize, Preserve!: Digital Evidence

As a Criminalist, which of the following actions would you take to preserve computer-based evidence?

- Ask the suspect to close the computer system down
- Try to avoid altering any of the evidence
- Ensure the investigative work is handled by qualified personnel

It is of utmost importance that the evidence on a computer is not changed in any way, shape or form, so the correct answer would be to avoid altering any of the evidence.

Electronic Evidence Seizure Procedure Steps

Getting started with Linux Forensics

The use of Linux systems is increasing every day – in personal computers, servers, IoT devices, etc. When cyber incidents occur, professionals capable of performing forensics on Linux systems are in great demand. It would be a great idea to include ‘Ability to perform Linux Forensics’ in your skill set. Are you wondering how to get started? This blog post will give you a brief introduction to performing Linux forensics.

Collecting Linux System Information for DFIR

When you pick a book to read, you would first read the title and a short summary about the book, before diving into the actual content. In the same way, in forensic investigations it is recommended to have an idea about the system you are working with before proceeding to collect evidence from it. This blog post highlights the information to be collected from a Linux system before proceeding with DFIR tasks during an investigation.

A Note on Linux Directory Structure for DFIR

When you want a glass of water, you will head over to your kitchen to get it. You know the layout of your house, you know that the kitchen would have water – so you navigate there to get what you need. In the same way, to be able to perform Linux Forensics, it would be great to know about the layout of files on a Linux system and have an idea about where critical log files are stored. This blog post introduces you to the main directory structure on Linux systems. Knowing what information is held within the various directories will help a forensic examiner know where to look, while searching for evidence.

A gentle introduction to digital forensics on Linux

Have you watched movies where skilled cyber operators have black windows open in their computers, with coloured text scrolling through? They type some content in the black screens and magical stuff happens. Have you wondered how they go about doing all that? What applications may they be using? All those tasks can be performed on Windows, Linux-based and Mac operating systems. For now, let us focus on the Linux-based ones. This blog post introduces some basic concepts about Linux-based computers and discusses how Linux proves useful in the DFIR domain.

Significance of ‘strings’ tool in Digital Forensics

There is a command-line tool called ‘strings’ that helps to extract the text strings from any file. ‘strings’ is one of the most important tools every digital forensic professional must know about. This blog post discusses how the ‘strings’ utility works and its significance in DFIR.

Windows Recycle Bin Forensics

Windows Recycle Bin Forensics can be likened to dumpster diving. One of the best places to look for evidence is in the trash. Every time a user deletes a file, it lands up in the Recycle Bin, which is the trash area for Windows Operating systems. This blog post discusses how files exist within the Recycle Bin and how digital forensics can be performed on it.

A Note on Volatility Profiles for Memory Forensics

Every DFIR professional must have the ability to perform memory forensics. This includes acquiring memory dumps, processing a memory dump for evidence and drawing conclusions for an investigation. Sometimes processing a memory dump is not a straightforward process. The investigator may have to perform some preliminary steps. This blog post discusses one of the preliminary steps which is sometimes performed before processing a memory dump for evidence.

Importance of Hashing in Digital Forensics

Hashing is a digital fingerprinting technique used to ensure the integrity of data. When data is hashed, a mathematical algorithm is used to generate a unique code that corresponds to the data. This code, called a hash, can be used to verify that the data has not been modified. If even one bit of the data is changed, the hash will be different. In this article, we explain the importance of hashing in digital forensics.

Significance of Windows Alternate Data Streams in DFIR

‘The best place to hide something is to hide it in plain sight’ is a belief that crooks live by. Windows operating systems have a feature called Alternate Data Streams, abbreviated as ADS. The intention behind developing this feature was for technical advancements, but it has been misused to hide things in plain sight. This blog post gives you insight into Windows Alternate Data Streams: what they are, why they were introduced in the first place, how they have been misused and how they impact DFIR.

Windows NTFS File Attributes for Digital Forensics

Jane just purchased a new mobile phone. She enjoys describing it to her friends – the color, form factor, storage capacity, RAM, etc. Everything that she describes about the new phone is an attribute. The English dictionary describes an attribute as a feature of a product.

Windows Shellbags in Digital Forensics

Every time you use your Windows computer, you are navigating through many files and folders. When you open a folder for viewing, you may also modify its viewing preferences. Windows stores information about it. Think of it as a logging system for folder access. These logs are stored in Shellbags. This blog post will introduce you to Windows Shellbags and highlight their significance for digital forensics.

An Introduction to Web Browser Forensics

A friend tells you, ‘Hey I was downloading some animation software the other day and now my computer is acting up! I keep seeing these advertisements that my computer is infected by a virus and that I need to install a virus removal tool. What shall I do?’. You suspect that your friend may have inadvertently downloaded some malicious software. But where has this software come from? Since when has this abnormal activity been seen? This is when you put on your Web Browser Forensics hat and work your magic.

Windows File System Tunneling in Digital Forensics

Digital Forensics relies on the power of timestamps and timelines. Windows operating systems that use the NTFS or FAT file system for storage media such as hard disks have a feature called File System Tunneling, which influences how timestamps exist. This blog post discusses what file system tunneling is and its impact on digital forensics.

Windows Scheduled Tasks in Digital Forensics

On Windows systems it is possible to schedule tasks to be completed at specific times or when specified triggers occur. This blog post discusses the significance of scheduled tasks in digital forensics.

Windows Event Logs in Digital Forensics

Event Logs are one of the many log sources on Windows computers. This blog post discusses what Windows Event Logs are and their significance in digital forensics.

A Day in the Life of a Digital Forensic Investigator

Are you wondering what Digital Forensics professionals do on a regular basis? This blog post will give you a brief idea about the activities typically performed by digital forensics professionals.

Windows Master File Table (MFT) in Digital Forensics

In a classroom, a teacher would have details of all the students who have enrolled in a particular course. Details about each student like student ID, name, enrolment date, etc. are stored in an organized way, probably within a table in a word document or a spreadsheet. Likewise, details about every file on your Windows computer are stored in an organized way by the Master File Table. This blog post gives you a brief introduction to the Windows Master File Table and its significance in digital forensics.

Windows File System Journal in Digital Forensics

The Windows operating system stores a lot of information about the activities performed by a user, ranging from which binaries were executed, to how applications were used, to which files/directories were recently created, deleted or modified. This blog post discusses one log source called the $UsnJrnl file, which records information about every operation performed on files and directories.

Forensic Importance of Windows File Management

Have you ever wondered how many files exist on your hard disk right now? Thousands. How does the Windows operating system manage thousands of files efficiently? This blog post will give you a brief introduction to how Windows performs file management and its forensic significance.

Windows Volume Shadow Copies in Digital Forensics

‘Say cheese!’ You just took a photograph with all your friends. When you look at the photograph days or years later, you will remember the good memories you had when the picture was taken. Windows has a similar ‘photograph’ feature that helps you capture the state of files on the system, called Volume Shadow Copy Service. This blog post will walk you through the importance of volume shadow copies for digital forensics.

Windows Registry in Digital Forensics

Think about a big dictionary! It is like a database of words listed along with multiple meanings, synonyms and antonyms for each. Likewise, Windows systems store configuration information in a database commonly referred to as the Windows Registry. This blog post will give you a brief idea about the registry and how it may be useful during a forensic investigation.

Importance of Timelines in a Forensic Investigation

Some people write down events of their daily lives in a journal. Looking through the pages of the journal gives a glimpse into how the person has lived over the years. A journal holds the timeline of a person’s life. Similarly, every time you use your computer, some data about your activity is stored in specific locations. Looking through that data gives a glimpse into how you have used your computer over time. This blog post tells you about the importance of timelines in a forensic investigation.

Windows Hibernation files in Digital Forensics

When you wake up in the morning, you can recall events of the previous day. You also have memories of events that happened over the last few days. In the same way, a Windows computer also has numerous ways to recall how it had been used recently. One way is by using a hibernation file. This blog post discusses how the Windows hibernation file is useful in digital forensics.

What information can I find in a memory dump?

You are a Junior Digital Forensics Investigator. Your manager has asked you to get familiar with performing forensics on memory dumps. This blog post will give you a brief overview of the potential information you can find in a memory dump.

Setting up a DFIR Lab at home

Have you always dreamed of being a Digital Forensics and Incident Response Professional? You are new to the field, you have been applying for jobs, but companies are demanding some experience in the field. You have decided to learn some skills by setting up your very own DFIR lab at home. This blog post will help you get started!

Introduction to Memory Forensics

Memory forensics is the process of analyzing a computer’s memory dump for evidence of a compromise. This process can be used to identify malicious software, track down system intrusions, and recover deleted data. Memory forensics is a critical tool for incident response and digital forensics investigations.

Understanding File Magic Numbers for Digital Forensics

When an x-ray of the human body is taken, the complete skeletal structure of a person can be seen. This structure defines how the human body exists. Similarly, all the files stored on your hard disk also have a special structure. This structure begins with a unique sequence of bytes referred to as the file magic number. This blog post introduces you to the internal structure of files on disk and file magic numbers, and explains why you should know about them for digital forensics.

Writing Digital Forensics Reports

“If you did not document it, it did not happen” – is a doctrine followed diligently by digital forensic investigators worldwide. This blog post discusses the importance of documentation in a forensic investigation and provides best practices on how to write reports.

Windows Prefetch files in digital forensics

Alice and Bob are going on a hike. As they walk through the woods, they notice that they are leaving behind footprints of their trail. They hope that these footprints will help track their way back when they return from the hike. Did you know that every application executed on a Windows machine leaves behind footprints of its activity? This blog post introduces the concept of Windows Prefetch files, which act as one of the critical footprints of recent activity on a system.

Timestamp Format in Windows, Linux-based and MAC Operating Systems

Digital Forensics is the scientific process of uncovering the sequence of events that led to an incident. Timestamps clearly indicate the date and time when an event occurred on a system. This blog post discusses how timestamps are stored by three major operating systems: Windows, Linux-based and macOS.

Little-endian vs Big-endian

Have you wondered what the terms little-endian and big-endian mean? They refer to the ordering of data stored in memory. This blog post will highlight the difference between little-endian and big-endian systems.

What is a forensic image?

A forensic image is an image created by a digital forensic examiner during the process of investigating a potential crime. This image is an exact replica of the original data, and can be used to identify and analyze digital evidence.

Performing digital forensics on a Windows machine – where do I start?

You have just taken up a role as a Junior Digital Forensic Analyst. You have been informed that your regular duties would involve searching for evidence on Windows machines suspected of being compromised. If you know what evidence to collect, when to collect it and how to collect it, you will be in a great position to help your team with the investigation.

Becoming a Digital Forensics Investigator

Let’s consider a scenario. The new Batman movie has just come out. You are unable to watch it in the theatres, so you head over to a website that says, “Download this software, you can watch the new Batman movie immediately!”. You download the software, only to find out it is fake. Disappointed, you carry on with your work.