
DFIR 101: Digital Forensics Essentials | Kathryn Hedley

By SANS Digital Forensics and Incident Response

Summary

Topics Covered

  • Metadata Catches BTK Killer
  • Slack Space Recovers Deleted Evidence
  • ACPO Principles Govern Forensics

Full Transcript

All right, so I am going to introduce Kathryn here before I eat up any of her time. But before I introduce her: Kathryn Hedley, SANS instructor. I've had the honor of teaching with her, being in Paris, shut down with her, experiencing total chaos during COVID. But Kat is brilliant. She knows so much, and the way that you explain things, Kat, as a seasoned SANS instructor sitting back and watching you break it down to a level that everyone has a way to approach the topic, is fantastic. And that's why I really appreciate you doing something like this DFIR 101, because sometimes we take things and make them so complex in our world, and they really don't need to be. So thank you for your approach that everyone can take something away from. I really appreciate it.

All right, thanks Scott. Well, SANS, thank you very much, and thank you to all of you lovely, lovely people who are on the other end of this call. Good morning, good afternoon, good evening, because I appreciate there's a mixture of those things in here.

Cool. And yeah, so I'm going to talk to you for the next hour and a bit on digital forensics: what that means and how we kind of break it down. First of all, what is digital evidence? Because if we don't understand the evidence that we're dealing with, then how do we start to explain forensics? Then starting to talk about an investigation, what that process is and what it kind of means in terms of digital forensics. Then I'm actually going to talk about digital forensics, because that's what we're all here for. And last but not least, why am I talking about this? How does this actually help people? What does digital forensics do, and what kind of results can we get from that? So that's the process I'm going to go through and what I'm going to talk about today.

First of all, in case anybody doesn't know what DFIR stands for, because I appreciate that is plastered all over the summit, all over my slides, and I've called this DFIR 101: it's just digital forensics and incident response. It's a common acronym that we use, and I am referring to digital forensics a lot in this presentation, so I'm focusing more on the DF side of that acronym, but I will touch on incident response as well, just to give you a flavor of what that is and how that translates across as well. I've lost my buttons again.

There we go. Hey, cool. Okay, so first thing: what do I mean by digital evidence? I simply mean it's digital information that may be of potential relevance to my investigation, that is either stored or transmitted in some sort of digital format on some sort of digital device, or traversing a network of some sort. And that breaks down into what we call data and metadata. Data is just information that can be transmitted or processed; it's just digital information of some sort. Metadata is also data; it's a specific type of data that provides information about other data, so data that describes other data. And when we talk about digital evidence, we are talking about these two things. And what does that mean in real life?

I have a photograph here. This photograph was actually taken in Australia, looking out on the Great Barrier Reef. So in this photograph you can see there's a boat, there's some trees. That photograph itself is data. That's just what I mean by data: it's files on the system, it is content. Metadata is information that's describing that, so it's things like the file name, the size, the created timestamp, the time that that file was last modified, the file path for that particular file. And that is data, as I say, that describes it; it's not the photograph itself.

And talking about metadata, there are actually two different types of metadata, just to complicate things a little bit further. There is metadata that is stored completely separate to the file, and that is what we call file system metadata. I'll come on to explain what I mean by a file system, but that is metadata that is stored on the system, not anywhere near the file itself, or not within the file itself. It's dependent on the type of file system that you have, and this includes things like the file name, timestamps, file size, all those things I showed you on that previous slide.

You then have, potentially, a second type of metadata. This is dependent on the file type. So some types of file, things like JPEG photographs, things like Microsoft Word documents, both DOC and DOCX, things like Excel spreadsheets, things like PDF documents: these files have a specific structure, and within that structure it includes, or may include, some metadata. And I say may, because it isn't always there. The structure basically allows for that metadata, but when that file is created or modified, that's the point where that metadata may or may not be written. For example, this might include things like another created timestamp. It might include the author name. So in a Word document, if you go and see the properties and open up that File tab, you can enter your name as the author name, you can enter comments, keywords, all sorts, a description for the document, a title for the document. That's all embedded metadata within the file, and because it's embedded within the file itself, we call it file metadata. But it is heavily dependent on the type of file, because that dictates that structure, and that dictates what metadata can be stored within that particular file. But just because it can be stored doesn't mean it always is, so you may or may not find that metadata within that file. But the file system metadata will always be there, because that's dependent on the file system, not the file itself. So for every file created on that system, there will be file system metadata.

How much metadata depends on the file system, but there will be some metadata there within the file system. And just to show you the difference between these two, this is another JPEG file. On the left-hand side, as you look at this, you have the file system metadata, which is, as I said, things like file name, created timestamp, the path, the size, all of those types of things. On the right-hand side, I appreciate it's really small writing, but you don't need to read it; it's just to show the magnitude of how much data can be embedded within that file as file metadata. And particularly for a JPEG it can be a lot; it can be a heck of a lot. You can have exposure information, whether the flash went off, the dimensions of the photograph, the created timestamp, the make and model of camera that took that photograph, the camera serial number potentially, if it's a digital camera. You can have GPS latitude and longitude for the location where that photograph was taken. You can have all sorts of things in there. So that's just a very small snapshot, shown in this screen, of the type of metadata that you may or may not get, and there's often more.

Things like a Word document might include the person who last saved that document, the author's name, how many words are in that document, how many paragraphs are in that document, how many hours have been spent editing that particular file, the date and time the file was created, the date and time the file was last printed and saved. Lots and lots of data can be embedded within these types of document.
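To make the two kinds of metadata concrete, here is an added example (it is not code from the talk or from SANS) that reads both views of one Word document: the embedded core properties stored inside the .docx package (author, last-modified-by, revision, created and modified times) and the file system metadata the operating system keeps outside the file. The document it reads is a constructed minimal .docx-style zip containing only the `docProps/core.xml` part, with made-up names and dates; the namespace URIs are the real ones used by OOXML packages. Note the asymmetry the talk describes: the embedded fields exist only because something wrote them, so the reader returns an empty dict when the part is absent, while the `os.stat` view is always there.

```python
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Real namespace URIs used by docProps/core.xml inside a .docx package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed sample core-properties part; every value below is made up for this example.
SAMPLE_CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>Meeting notes</dc:title>
  <dc:creator>alice</dc:creator>
  <cp:lastModifiedBy>bob</cp:lastModifiedBy>
  <cp:revision>7</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2021-03-02T09:15:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2021-03-09T18:42:00Z</dcterms:modified>
</cp:coreProperties>
"""

# (element to look up, key in the returned dict)
CORE_FIELDS = [
    ("dc:title", "title"),
    ("dc:creator", "creator"),
    ("cp:lastModifiedBy", "last_modified_by"),
    ("cp:revision", "revision"),
    ("dcterms:created", "created"),
    ("dcterms:modified", "modified"),
]


def build_sample_docx(path):
    """Write a minimal docx-style zip holding only the parts this example reads."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", SAMPLE_CORE_XML)
        zf.writestr("word/document.xml", "<w:document/>")  # placeholder body, no real content
    return path


def embedded_metadata(path):
    """File metadata: read from inside the file, so it exists only if something wrote it."""
    with zipfile.ZipFile(path) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}  # the structure allows it, but nothing was written
        root = ET.fromstring(zf.read("docProps/core.xml"))
    found = {}
    for tag, key in CORE_FIELDS:
        el = root.find(tag, NS)
        if el is not None and el.text:
            found[key] = el.text
    return found


def filesystem_metadata(path):
    """File system metadata: kept by the OS outside the file, present for every file."""
    st = os.stat(path)

    def to_iso(ts):
        return datetime.fromtimestamp(ts, timezone.utc).isoformat()

    return {
        "name": os.path.basename(path),
        "path": os.path.abspath(path),
        "size": st.st_size,
        "modified": to_iso(st.st_mtime),
        "accessed": to_iso(st.st_atime),
        # st_ctime is metadata-change time on POSIX; Windows reports creation time here.
        "changed_or_created": to_iso(st.st_ctime),
    }


def demo():
    """Build the constructed sample in a temp dir and return both metadata views."""
    path = build_sample_docx(os.path.join(tempfile.mkdtemp(), "notes.docx"))
    return embedded_metadata(path), filesystem_metadata(path)


if __name__ == "__main__":
    for label, md in zip(("file metadata (embedded)", "file system metadata"), demo()):
        print(label)
        for key, value in md.items():
            print(f"  {key}: {value}")
```

The `last_modified_by` field is the one an examiner checks first on a Word document, because it records the account name of whoever last saved the file rather than whoever originally created it.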

And it's not just the data that is potentially useful to us. The data itself, the content of the Word document, might be useful. It might be a manual on how to make bombs, and if we're looking for terrorist information in a terrorist case, or that sort of case, that is relevant to us, and we're going to want to look at that. But we also want to know who created that document, who last modified that document, how much time potentially was spent editing that document. That may show more of an intent to create that particular content. So all of these things are just as helpful to us, potentially more in some cases. So that's why I'm talking to you about both of these things and highlighting that these things exist.

And I just want to illustrate that point by talking about one of my favorite cases to talk about, which is of the BTK killer. Now, the BTK killer was a guy called Dennis Rader. He nicknamed himself the BTK killer, as you do. It stands for bind, torture, kill, because that's what he did to all of his victims. He killed at least 10 people that we know of, potentially a lot more that we don't know of; they are the ones that he kind of confessed to in the end. And he got away with it for about 30-odd years. The police didn't have a clue who he was, and he got a bit cocky because of this. He got very, very confident, because nobody was coming after him, and he therefore decided to start basically taunting the police. He was sending letters to the media; he was leaving letters and things lying around in things like, I think it was Home Depot, he left something, and they were being passed to the police to say, I did this murder, I killed this particular person, naming that person and leaving things like ID from the victim to prove that he was responsible for these. And he would leave them in cereal boxes as a nod to being a serial killer. So he really was confident, and very messed up.

However, in one of these items, one of the cereal boxes that he left for the police, he wrote a letter asking the police, if he was to give the police a floppy disk drive... Yes, this was early 2000s; he was sending these around about 2003, 2004. He sent this saying, if I gave you a floppy disk drive, would you be able to trace it back to me? Tell me the truth, be honest with me, I'm trusting you to be honest with me. Will you be able to trace that back to me? And of course the police seized this opportunity and responded through the media, because that's how they were communicating with him, to say, no, we can't do this, there's no way we can trace anything back to you if you give us a floppy disk drive. And Dennis Rader thought, great, okay, brilliant. So he gave them a floppy disk drive, and on it was the letter that he'd written for the police, but also there was a deleted Microsoft Word document. And within that particular document there was metadata that showed that the last person who saved that particular file was somebody called Dennis. There was also metadata within that document that pointed to a particular church, and doing a search on the internet for that church and somebody called Dennis came up with Dennis Rader, because he was heavily involved in the church at the time, and it was very straightforward to make that link. So they went knocking and they arrested him, and as they did, his immediate reaction was just surprise and anger, because the police had lied to him. It wasn't the fact he'd been caught; it was the fact the police had specifically said, no, we can't trace you from a floppy disk drive, and then they did, simply through the metadata of a deleted DOCX file. So just to emphasize: metadata can be extremely useful. And in that case the content of the document itself wasn't of particular interest, so the data itself wasn't that relevant, but the metadata was what got them to get their guy, and he went to prison for a very long time.

As well as understanding what data and metadata are, we also need to understand how to interpret that data, how to show its potential relevance to our investigation. And to do that we first need to understand how that data is stored on an electronic device. Data is stored in a few different layers. Most users don't kind of go below the operating system; they use applications. So at the moment I am talking to you using Zoom, which is an application that is running on all of our systems.

That application is installed on the operating system. So maybe you're running Windows, maybe you're running macOS, maybe you're running Linux, or Android or iOS if you're on a smartphone. That operating system is something we interact with, and we also interact with the applications, but the applications sit on top of the operating system. Underneath that is what I'm going to run through next.

So, starting with the bottom of that pyramid: data is stored in binary, in bits and bytes. It's stored as ones and zeros. A single zero or a single one is called a bit. Bits are grouped together into sets of eight, which are called bytes, and half a byte is a nibble. So if you take a big bite out of something, or you nibble it, a nibble is half a byte, or four bits. It's otherwise potentially known as base two. You may hear it called base two, and that's simply because there are two potential options for each bit: there's a zero or there's a one. And this is just to illustrate what it looks like. We have one byte here, which is 0 1 0 0 0 0 0 1; all of that is one byte. That is our data. We can see that's the contents of the data. We also need to know how to interpret that, and there are many different ways that we can interpret that particular byte. For example, the capital letter A in the ASCII character set, so in the English language, is stored like this, as one byte. So that's just one way of interpreting this particular byte of data, and we need to have those two bits of information: we need to know what the data is and how to interpret that data, in order to make sense of it, analyze it and do our investigation.

But we don't talk in bytes. It would take forever for me to say, okay, I have this byte 0 0 0 1 1 0 1 1, and yeah, we don't talk that way. We tend to talk in hexadecimal as digital forensic examiners. Before I talk about hexadecimal, I just want to break down a numbering system that is more familiar to everybody, in decimal. Most of us think in decimal in normal everyday life and mathematics, and if we think about how we break down decimal numbers, that helps us to better understand things like hexadecimal, which is a different way of looking at the same data. Decimal is otherwise known as base 10, because we have 10 options: we have the numbers nought to nine. If we have the number 1 2 3 4 5, we can automatically read that as twelve thousand three hundred and forty-five, because this is the numbering system that we use every day. But if we break that down, what you actually have is five ones, four tens, three hundreds, two thousands and one ten thousand, otherwise known as five times ten to the zero (because ten to the zero is one), four times ten to the one, three times ten to the two, two times ten to the three, and one times ten to the four. So you can see our multipliers as we go across: we start from the right-hand side and we go 10 to the power 0, 10 to the power 1, 10 to the power 2, and all the way along. And that's how we break it down and we understand that number. In hexadecimal, instead of having just 10 options, we have 16 options, so this is known as base 16.

We have the numbers nought to nine, but we then extend that character set by basically carrying on counting: 10, 11, 12, 13, 14, 15. But we have to put those into single characters, so instead of 10 we say A, instead of 11 we say B, and so on. So we get 0 to 9, A to F, as we go through. And as you can see in this table, each hexadecimal value is 4 bits; it's a nibble. So when I talk about a byte of data, I will have two hexadecimal characters that make up one hexadecimal value. So every value in hex is always two characters side by side, and we tend to write them as 0x and then the two characters. So if I say 9A in hex, it will be 0x9A, and we write it that way to make sure we can differentiate between hexadecimal and decimal. Because if I was just writing 1 2, we don't know if that's 12 in decimal or 1 2 in hexadecimal. So by putting 0x at the beginning, we know that is a hexadecimal value.

With that in mind, this is how we read data, and this is how we look at a byte of data and get to the hexadecimal value. So just to walk you through this: we start out with a byte. We have 0 0 1 0 1 0 1 1 at the top of this slide. We split that out into two nibbles, so just put a bigger gap in between the two nibbles, because we know each four-byte value is going to be one hexadecimal character. So we calculate those two separately. We then come up with our multipliers, so in binary we have 2 to the power 0, 2 to the power 1, 2 to the power 2, 2 to the power 3. So our multipliers here are the one, two, four, eight, going from the right-hand side, just as we did with decimal numbering when we broke that number down. We add those multipliers here, but this time it's two to the power. So one times two to the power zero is one, one times two to the power one is two, zero times two to the power of three is zero, because it's always zero when you multiply by zero, and then one times two to the power three is eight. So we add eight, two and one and we get eleven. And remember that I said we get nought to nine and then we have to start counting: instead of going 10, 11, 12, we go A, B, C. So 11 is the letter B. So on the right-hand side we have a B. We do the same on the left-hand side. You can see we have no ones, we have one two, no fours and no eights, so it's two on the left-hand side. So we bring those two together at that point, and we would write this hexadecimal value as 0x2B. And that's the way that hexadecimal works.
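The nibble-by-nibble method just walked through, written out as an added example (not code from the talk): each nibble is summed against the multipliers 8, 4, 2, 1, each sum is mapped to one of the sixteen hex characters, and the two characters are joined behind a `0x` prefix. The same block carries the decimal breakdown used for 12345, the reverse conversion so the 0x2B result can be checked, and a small hex-dump function that lays bytes out the way a forensic viewer does, since that is the form in which examiners actually read hex. Inputs such as `b"ABC\x00\x2b"` are constructed for illustration.

```python
HEX_DIGITS = "0123456789abcdef"


def decimal_breakdown(n):
    """Break a decimal number into (digit, multiplier) pairs, right to left:
    12345 -> [(5, 1), (4, 10), (3, 100), (2, 1000), (1, 10000)]."""
    return [(int(d), 10 ** i) for i, d in enumerate(reversed(str(n)))]


def nibble_value(bits):
    """Value of a 4-bit string using the multipliers 8, 4, 2, 1 (2**3 .. 2**0)."""
    if len(bits) != 4 or set(bits) - {"0", "1"}:
        raise ValueError(f"expected four binary digits, got {bits!r}")
    return sum(int(b) * 2 ** i for i, b in enumerate(reversed(bits)))


def byte_to_hex(bits):
    """Split an 8-bit string into two nibbles and map each nibble to one hex character."""
    bits = bits.replace(" ", "")  # allow the 'bigger gap' between nibbles
    if len(bits) != 8:
        raise ValueError("expected eight binary digits")
    high, low = bits[:4], bits[4:]
    return "0x" + HEX_DIGITS[nibble_value(high)] + HEX_DIGITS[nibble_value(low)]


def hex_to_bits(hex_value):
    """Reverse direction: '0x2b' -> '00101011', to check the worked example."""
    return format(int(hex_value, 16), "08b")


def interpret_byte(bits):
    """The same byte read three ways: hex, unsigned decimal, ASCII if printable."""
    value = int(bits.replace(" ", ""), 2)
    return {
        "hex": byte_to_hex(bits),
        "decimal": value,
        "ascii": chr(value) if 0x20 <= value < 0x7F else None,
    }


def hex_dump(data, width=16):
    """Forensic-viewer style rows: offset, hex bytes, printable ASCII ('.' otherwise)."""
    rows = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        rows.append(f"{offset:08x}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return rows


if __name__ == "__main__":
    print(decimal_breakdown(12345))
    print(byte_to_hex("0010 1011"))        # the slide's example
    print(interpret_byte("01000001"))      # the capital A example
    print("\n".join(hex_dump(b"ABC\x00\x2b")))  # constructed bytes
```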

Above our bits and bytes, so that's our lowest level of the data as we understand it, above that we then have sectors and clusters. Bytes of data are grouped together into sectors and clusters. A sector is typically 512 bytes at this point in time; that's the most common value you will come across. However, that is not guaranteed. It's set by the device manufacturer, and it is written into the file system header, so you can see that value and verify it is 512 bytes. But at the moment most of them are set as a default to 512 bytes. In the future it's likely to become 4096; it will be the common value. So, as I say, don't always assume it's necessarily 512, but at the moment that's probably the one you're most likely to come across in an investigation.

So each 512 bytes is grouped together and that's called a sector, and then eight sectors make a cluster. A cluster is the smallest amount of space that the operating system can see and write to. So you create a file on a system: if the file is less than 4096 bytes, which is eight sectors, then it will be written into one cluster. Once a file occupies a cluster, no other space in that cluster can be used. That entire cluster is used by that file, whether the data fills it or not; the operating system allocates that cluster. So that is the smallest space that the system can see and can use.

Each individual cluster is labeled by the operating system as either allocated or unallocated. Allocated simply means a file is in it; it's allocated to a file, so no other file can use it. Unallocated simply means it's not currently allocated to any files on that system, so it's available to be used. And that's all those two terms mean. It's important to note, however, that if a cluster is unallocated now, that does not mean it was never allocated to a file. You may have deleted files existing within unallocated clusters. So this is what we mean when we talk about unallocated space: it's areas of the disk that may contain deleted data that might be relevant to our investigation.

You also have something called slack space. I mentioned if a file is smaller than a cluster size, it will be written to one cluster, but it won't occupy the entirety of that cluster. The space left over is what we call slack space, and if we draw it out, there are actually a few different types of slack space.

You can see here you have an entire cluster, which I've broken down here into eight different sectors, so you can see each of these light markers is a sector boundary. The file only occupies this amount of space, so you have five and a third-ish sectors occupied by actual file content. You then have all of this bit, so two and two-thirds-ish sectors, completely unused, and nothing can use that space, because it's allocated to this one particular file. Now, when this file is written, the operating system does slightly different things with these two bits of slack space. You have this area here, which is the end of the file's actual content to the end of that sector. So this is one sector here: this bit contains content and this bit doesn't, but this is all still one sector. This bit in here is what we call RAM slack. It has nothing to do with RAM; it's a historical name. This is zeroed when you write a file: the rest of that sector is zeroed. The two sectors at the end here that aren't used by the file, completely unused sectors at the end of the cluster, they are just left alone. So if they previously contained any data when this file is written, that data will still be there. Nothing else is going to use that space, nothing else is written there, it's not zeroed, it's just left alone. So it's all slack space at the end of the file, but it's two different types of slack: RAM slack is zeroed; file slack, which is what we call the unused sectors, isn't. So there may be deleted content in there as well that is of interest to us.

There's actually a third type of slack which I will mention, and this is the unused space that may potentially exist at the end of a file system. This is typically going to be smaller than the size of a cluster; it's typically very small, unless, hypothetically, or it is technically possible for somebody to create space at the end. Maybe they want to hide some data; maybe a malicious attacker has deliberately created some volume slack to hide something. I've not seen that in the real world, but it is possible, and so there may be that case where that happens. But for the most part it will be a tiny amount, and it purely exists because the partition is not an exact multiple of clusters, so there's a bit of space left over at the end where it wasn't able to allocate an entire cluster for the operating system to use. So it's just dead space, basically. It may contain deleted data, potentially. In most cases I've come across, it doesn't exist or it doesn't contain useful data, but you need to know about it, and you can check for it if you have a case where you think it may exist or may be used.

And to illustrate why we might want to look in slack space, this is what happens when a file is deleted.

I have a text file. You can see there's information that is highly relevant to my particular investigation in here. My Latin is now non-existent; I did study Latin, I don't remember any of it. But let's say this is relevant to our particular investigation. Somebody overwrites that file: they've deleted it and they've decided to overwrite it with Baby Shark, because Baby Shark was of more interest to them. And what's happened here is this second file, this image file, is smaller than the original text file. It's been written into the same space, but you then have this RAM slack, which is that space between the end of the file's content and the end of that cluster. So this is zeroed out; you can see it's blank. But then you can see there are two sectors at the bottom here that still contain part of our text file, and because that is a text file, we can read it. We can still see the contents of that particular file. If it was a zip file, for example, the data would still be there, but it's compressed and we don't have the header anymore, so we most likely can't recover that data at that point in time. But because this is a plain text file, we can recover that data, so we could see that is still relevant to our investigation and we're going to want to go and have a look at it. So that data there is our file slack, and that's what we're going to look at in our investigation.

And it's really easy to recover deleted files if they're still intact. So the previous example had been overwritten, but if it hadn't been, how do we recover that data? Well, the answer is quite easy. If it hasn't been overwritten, all of that complete file still exists on the system, along with all of that metadata: the embedded metadata, because it's within the file and the file is intact, but also the file system metadata. In this particular example, we can see this is a file named cruise ship.jpeg. That file name is in file system metadata, so that hasn't been overwritten; it's still there. And in this case we can use a tool, in this case I've used FTK Imager, which is just one of the tools you can use, and we can literally just right-click and export the file and have a look at it in any way we want. So, really easy to recover intact files.
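The two slides just described, the overwritten text file leaving readable file slack and the deleted-but-intact file, are reproduced below as an added simulation (this is example code, not anything from the talk or from FTK Imager). It models one 4096-byte cluster of eight 512-byte sectors with the allocation flag the file system keeps for it. Writing a file zeroes the RAM slack up to the end of the last sector used and leaves the remaining sectors untouched; deleting only clears the flag. The content is constructed: a 2747-byte text file (about five and a third sectors) is deleted and overwritten by a 1284-byte "image" that starts with the real JPEG SOI marker bytes followed by filler.

```python
SECTOR = 512
SECTORS_PER_CLUSTER = 8
CLUSTER = SECTOR * SECTORS_PER_CLUSTER  # 4096 bytes, as in the talk

# Constructed sample content (not real case data).
ORIGINAL_TEXT = b"CONFIDENTIAL: payment 4471 to account X. " * 67   # 2747 bytes
REPLACEMENT_IMAGE = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 5     # 1284 bytes


def sector_end(n):
    """Offset of the end of the sector that holds byte n-1 (round n up to a sector)."""
    return -(-n // SECTOR) * SECTOR


class Cluster:
    """One cluster of disk plus the allocated/unallocated flag kept by the file system."""

    def __init__(self):
        self.raw = bytearray(CLUSTER)   # a fresh cluster starts zeroed
        self.allocated = False
        self.file_size = 0

    def write_file(self, content):
        n = len(content)
        if n > CLUSTER:
            raise ValueError("this model only handles files that fit in one cluster")
        end = sector_end(n)
        self.raw[:n] = content
        self.raw[n:end] = bytes(end - n)   # RAM slack: zeroed by the OS on write
        # Bytes from end to CLUSTER are file slack: deliberately left untouched.
        self.allocated, self.file_size = True, n

    def delete(self):
        """Deleting only flips the allocation flag; the bytes stay where they are."""
        self.allocated = False

    def ram_slack(self):
        return bytes(self.raw[self.file_size:sector_end(self.file_size)])

    def file_slack(self):
        return bytes(self.raw[sector_end(self.file_size):])


def recover_text_from_slack(slack):
    """Return the printable run at the start of the slack, up to the first NUL byte."""
    return slack.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def simulate(original, replacement):
    """Write a file, delete it, overwrite it with a smaller one; report what survives."""
    c = Cluster()
    c.write_file(original)
    c.delete()
    # Deleted but intact: the whole file is still there and can simply be exported.
    intact_copy = bytes(c.raw[:len(original)])
    c.write_file(replacement)
    return {
        "intact_before_overwrite": intact_copy == original,
        "ram_slack": c.ram_slack(),
        "file_slack": c.file_slack(),
        "recovered_text": recover_text_from_slack(c.file_slack()),
    }


if __name__ == "__main__":
    r = simulate(ORIGINAL_TEXT, REPLACEMENT_IMAGE)
    print("deleted file intact before overwrite:", r["intact_before_overwrite"])
    print("RAM slack bytes (all zero):", len(r["ram_slack"]))
    print("file slack bytes:", len(r["file_slack"]))
    print("recovered from file slack:", r["recovered_text"][:60], "...")
```

The recovered text begins mid-sentence because the overwrite consumed the first three sectors; what the examiner gets back is whatever the old file left in sectors the new file never touched.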

And that middle layer in our pyramid was file systems. I briefly mentioned file systems, but what do I mean? Think of a file system as the digital equivalent of a filing cabinet. You have a filing cabinet that can contain files; it can contain folders. You can have files within folders, you can have folders within folders, you can have files loose in there. It's just a structure for you to be able to store files and folders, and that's all I mean by a file system.

There are different types of file systems that you may come across. Windows, by default, at the moment, is installed on NTFS, which is the New Technology File System. That has been the case for many, many years, so if you ever look at a Windows system you are likely to come across NTFS. You can also format USBs with NTFS if you so wish. It's not the default option, but you can. The default option will likely be FAT32 if it's a thumb drive, or exFAT if it's an external USB, so those you are likely to come across. FAT32 was the old default for Windows, so if you come across probably Windows Server 2000 or something like that, some Windows XP maybe, although that's when NTFS came in, you may come across FAT32. You may come across exFAT if somebody has chosen to format the file system in that way. So they're the main ones for Windows. macOS: the newer Macs will be APFS, so Apple File System; older Macs will be HFS+. If you're on Linux it will be ext4, probably; the default used to be ext3, there used to be ext2, there's a pattern. These are just some of the common ones that you may come across, and it's just different filing cabinets, different instructions for how the operating system should be storing files and folders. And as I mentioned, for each of these different file systems, the file system metadata that is stored, so the type and the amount of file system metadata, will differ slightly between those. For example, NTFS stores way more timestamps in file system metadata than FAT32. So that's just one example where those things differ.

And now that we've talked about what we mean by digital evidence, where do we find it? Where can we actually get hold of that digital evidence that is relevant to our investigation? The answer is pretty much everywhere.

Any electronic device is the short answer to that. This is a non-exhaustive list, but just think about what you have around the home. You have desktop computers, laptop computers, you'll have tablets, mobile devices, USBs, removable media. You might have Internet of Things devices; you might have a Google Home, Amazon Alexa, cameras, a Ring doorbell, all sorts of things around the home. You may have drones; I've yet to play with a drone, but I need to add that to my to-do list for fun. Vehicles: if you have a car, then that's basically a massive moving computer. There's your head unit, but there's also electronic devices that control everything: the lights, the doors, the signals, the brakes. Everything is controlled by a computer on a vehicle. So pretty much everywhere there's data. All over networks, if you have a network set up. The cloud: everything we do now, and increasingly so as we go along, data is stored in the cloud, so we also have to go and look there to go and grab the data that may be relevant to our particular investigation. That is digital evidence.

Moving on to digital investigation and what that means. What do I mean by digital investigation? It's simply a process that we go through to ask questions about what happened and try and find answers to that. We need to try and work out what the series of digital events were that happened on that particular system.

And we do that by following a process of identifying what may be of interest, acquiring our data, processing and interpreting our data, analyzing it to determine those events, and writing a report based on the findings that we come across, all of which is relevant to the investigation. We ignore things that aren't relevant to that particular investigation. And we say this should be done by someone who has had some sort of training to do this. And we say this because if you are acquiring data, if you are interpreting data and reporting on it to tell your client, or stand up in a court of law and explain what happened, you need to do that correctly, and it's very easy to get it wrong. If you don't acquire data in the right way, you can change the data; you can erase data quite easily by doing something in the wrong way. So that's why we say it's important to know what you're doing in order to conduct an investigation in this way.

And an investigation, as I said, asks questions. It tries to find answers to those questions. We're looking for the what, why, when, where, how. I may have missed one out: what, when, why, where, yeah, how. All the questions as to what happened on that system. As we start to try and answer those questions, we will probably come up with more questions. That's the way investigation works. You have lines of inquiry; you dig into that line of inquiry and potentially get to the end, or come to some sort of evidence that proves it or disproves it. You work your way back and you go down another line of inquiry. It's this kind of dance, almost, of looking at the evidence and working out exactly what happened, and making sure you get the facts in that particular case. You will have lots of stakeholders, most likely, or you have at least one stakeholder, right? Somebody's asked you to do the investigation. It may be clients; it may be in a legal setting, you may have attorneys; it may be human resources if it's an internal case. It can be a mixture of all of these things, so lots of different angles that we come from.

And there are lots of different types of case. These are just some of the investigations that you might come across. It is by no means an exhaustive list, but just to walk through what some of these are.

Incident response and threat hunting are basically two sides of the same coin. Incident response is where you receive an alert: something has happened on a system, on a network, and you need to respond to that. So this is a reactive process: you get the notification, you go and investigate. It may be something like an intrusion, it may be phishing, it may be malware and attackers in the system, or unauthorized access, denial of service, all of these things. You will likely have someone monitoring your networks; they get an alert, you go and investigate. Threat hunting is assuming that a breach has occurred, but without having evidence of it, and actively going off and looking, hunting, for evidence of that particular breach. This is all about understanding what looks normal on your network and on your systems, having threat intelligence, having indicators of compromise, information about known attacks that you can go off and search for. You can use those indicators and go and search your network and try and find evidence that some sort of incident has occurred but that you haven't received an alert for. So this is a similar kind of process, but it's proactive: you're actively hunting for something that's happened.

We then have DOMEX, document and media exploitation. This is all about intelligence and less about the strict process of evidence and best practice around evidence. You have severe time pressures. It may be something like a child has been kidnapped; you only have a very short window to be able to get to the data as quickly as possible, analyze it and find something useful to be able to act on it, to go in and find that child before it's too late. It's that sort of case, so heavy time pressures, and much more about the intelligence than it is about following process, getting all of the data and doing a thorough investigation. It's very targeted and it's really high time pressure.

You have other military action, so DOMEX can be a military environment. The example I gave was a child kidnapped, but it could be that you're in the field in a battle and you need to get that intelligence quickly to be able to determine what your troops' next action needs to be. So that can be a military focus as well. But then you can have other military-based action, and this is where there's less of a heavy time pressure. You still need to get to the information quickly, it's still all about intelligence, but it's not quite as heavily focused on time pressure. You don't have that missing child, but you do need to make sure that your troops are heading in the right direction. So it's not an immediate need, but it is still a focus on triage, and it's still a focus on grabbing that intelligence and acting upon it while you still can.

We then have auditing, and this is where we are using an investigation to assure that companies are following the processes that they should be following, they're following the standards they should be following, and they are doing their work in the right way. They're following the standards that they claim to be complying with. It's all about providing that assurance around all of those things, around processes and systems in an organization.

Regulatory investigations: regulators are empowered by law to be able to investigate organizations, to make sure they are behaving in the right way and to protect consumers, and if they need investigating. So somebody maybe makes a complaint to a regulator about an organization; they can then launch an investigation and go and do a formal inquiry into that particular set of circumstances. So all the same processes in terms of doing the investigation, but it has a focus on what should that company be doing, and have they followed the correct procedures, and all of those things. It can be things like insider trading, fraud, negligence, or all of those types of things. And there are loads of regulatory bodies worldwide; these are just some of them on this particular slide, but there are loads of them in various different countries that do these types of investigations.

You can have internal investigations. This is mostly what I do day in, day out: working with HR and looking at things like acceptable use policies in organizations, and are employees complying with that, or are they looking at websites they shouldn't be looking at, are they stealing information, are they connecting devices they shouldn't be connecting to particular systems, depending on what the policy dictates for that particular system. These are generally not legal cases; they're not criminal acts. They could be. You could have an example where an employee is looking at illegal material online. It does happen. Why people do things at work I have no idea, but it can happen and it does happen, so it can become a criminal investigation. And for that reason, any investigation can become a criminal investigation, and for that reason we say always, always, always follow the correct procedures for dealing with evidence. However, these are just one example where it's not expected they would become criminal from the word go, but we follow those processes anyway.

And then you do have criminal and civil litigation, so legal cases, and it will be either criminal law or civil law. Criminal law deals with an offense against the state, so this is where it may be an individual, it may be an organization, but basically a law has been broken. Civil law deals with an injury to an individual or an organization. This is likely to be something like somebody claiming compensation for an injury walking down the street because the path was broken, or something along those lines.

With all of these, any criminal act can involve digital devices. Lots of people tend to think, "Oh, I've got a criminal case and it involves digital forensics, so it must be cyber crime, cyber warfare." It could be, but actually every single crime can have a digital element to it. If you think about somebody committing a homicide: maybe they were carrying a smartphone, maybe the victim was carrying a smartphone, maybe they did it in a place where there was lots of CCTV, maybe there were Internet of Things devices, maybe there was a video doorbell, maybe there was a Google Home that recorded everything that was said. All of these things are digital evidence; they are things that we can use in that particular investigation. So yeah, just because it's not a cyber crime type thing, it doesn't mean it won't include digital devices.

And with all of these things we need to deal with the courts. We have to go through the courts, and we have to make sure we preserve the evidence properly and we do all of our documentation properly, to be able to present that to the court and do it in a way that they will accept our evidence and our findings when we report, when we testify.

The difference between criminal and civil: in criminal litigation you have to prove the case beyond reasonable doubt; civil litigation is a balance of probabilities, so one side of the argument simply has to prove the case better than the other side of the argument. So that's less for us to worry about as digital forensic analysts, but it's good to be aware of how these things work for when we go and testify, if we need to.

From a digital forensic perspective we might also need to deal with some constraints with civil litigation, which are incredibly frustrating, but we need to be aware of them. There may be things like privileged data: if I go and talk to my lawyer, that data is privileged, and it may be that that data is excluded from any investigation of my particular device. So, something to be aware of: there may be data we cannot acquire, there may be data we cannot analyze, and we just need to accept that's the way it is. Any findings we come across are based on what we could analyze, what we could acquire, and we just ignore everything else that we couldn't look at.

Summary: lots of different types of investigation. The process that we follow, the documentation that we produce, is the same for all of them. We still need to follow best practice advice in the industry; we need to make sure our evidence is preserved properly, collected properly, and all of our documentation is put together. The difference between these is more around which questions we're asking, so that who, what, why, when, where, how: different types of questions, a different angle, different artifacts we're going to be looking at. But the process and all of those skills are the same in all these different types of investigation.

Moving on to what is digital forensics, which is why you're all here, really. I needed to talk about digital evidence and investigation before actually talking about digital forensics as a whole, and digital forensics is just bringing all of that together. It's the process of: how do we identify which evidence is relevant in our case, how do we acquire it, how do we properly preserve it and store it. We need to make sure that evidence is not changed in any way if we possibly can; it's preserved as we go through the case, so that we are analyzing the actual data. We need to interpret that data properly, we need to report on that data and present on that data, always in a way that is legally acceptable, because potentially we're going to go to court. Even if we don't, it still needs to maintain that legal acceptability. We still need to present to clients, to stakeholders, to HR, to whoever our stakeholders are, and therefore we still need to maintain those standards.

The way that we do this is that we use best practice, we use scientifically derived and proven methods, best practice in the industry, to do all of these things, and in that way we maintain consistency. We make sure that we do things in the right way and in an acceptable way, so that everyone is on the same page and they can have confidence that we've done our job properly.

In doing this we need to understand what our digital evidence is, how to interpret that data,

when artifacts are created, what circumstances lead to particular artifacts being created, and therefore what our digital evidence can show us. We need to be working out what the facts are of that particular case, because it's our job to present on the facts. That's all our job is: to work out what the actual events were that occurred on that system, how that digital evidence was created and used, what actions a user performed on that system, and that's what we're presenting. That's our job, to put all that together.

We need to do that properly. We need to understand a little bit about the history of digital forensics: how did we get to where we are now, because it took a while. We are now in a really good place where we have really well-established processes, guidelines, best practice. We have an incredible community of digital forensic practitioners, a lot of whom spend a lot of their own time doing research and development, producing amazing tools that are really useful for the rest of us: things like Eric Zimmerman's suite of tools, things like Sarah Edwards' APOLLO, things like Alexis Brignoni's iLEAPP. All of these things, have a look on sans.org: a bunch of free tools that a lot of the community have developed, and they're amazing. And we have all of that because we've kind of gone through this progression through the decades,

starting from nowhere, basically. So digital forensics back in the 80s wasn't a thing; it didn't really exist. Back in the 80s we just really started to get personal computers. They were very expensive; they were really only owned by hobbyists, by universities, primarily by businesses, people who had enough money to be able to acquire these bricks, as they were, because they were massive things. And generally, I mean, there was no concept of crime on a computer, and the incidents that happened were generally just in terms of cost: how much does it cost to fix this thing?

If you haven't read The Cuckoo's Egg, this book by Clifford Stoll, I would highly recommend it. It's a very good read about how in the 80s, I think it was 1986 or 87, he basically came across a minimal accounting error, and in the process of trying to work out what actually happened he detected an attacker in the system. It's all about that journey of going through, identifying this one tiny accounting error that most people may have missed, and picking away at that thread, and pulling and pulling and pulling, and eventually finding an attacker in the network. So it's a very good read; I highly recommend that book to anyone and everyone, if you haven't read it already.

Moving forward 10 years to the 90s: this is when

computers were in, well, a lot of homes, not every home, but more and more people bought computers at this point in time. I had a computer in the 90s; I got the internet in 1996, I believe. It was AOL, of course, because everyone had AOL, with the "You've got mail". Yeah, that probably wasn't a good impression. Anyway, everyone had AOL and the dial-up modem, which I can still remember, the weird whizzy sound that dial-up makes when you connect to AOL. You set it off, you walk away, you go grab a drink, and you come back in and hopefully it's connected by that point in time. I don't really miss those days.

But this is where we had more people with computers; homes were connected at this point in time. You had things like Netscape, and you started to have browsers to go and access the internet, and you could go and do lots of instant messaging with random strangers; that was the great thing about AOL back then. We had storage media; we had lots of floppy disks at this point in time. I remember floppy disks, not so much the actual floppy ones, the larger five and a quarter inch ones; it was more the three and a half inch ones that are in this picture here.

We started to get standards as well, so this is where digital forensics really did start to develop as a field, and this is where we have the ACPO guidelines, which I'll talk about. These were the first best practice guidelines that were produced on how to deal with digital evidence. Digital evidence was recognized at this point in time; the police had started to have to deal with crimes being committed on computers, so guidelines were put together to try and tell people the best way of dealing with these things. This is where standards started to come into play, and after we had the ACPO guidelines, that's the Association of Chief Police Officers, SWGDE then picked up on that and brought out some standards, and they now have loads of standards.

2000s: we then got Windows XP, yay, which was the best operating system for many years until it was discontinued. We got search engines, we got Google; this is where the internet became really searchable and really useful to people. We got the first smartphones, we got the first iPhone, and then of course as soon as we got the first iPhone we got the first Android smartphone not long afterwards, and this is where mobile phone usage really took off, because you had a portable computer in your pocket at this point in time. This is a decade where we started to get training and research and workshops and conferences, and more and more collaboration in the community. The first iterations of SANS FOR408 and FOR508 came out in this decade. We had DFRWS, I always get those the wrong way around, the Digital Forensic Research Workshop, which is where the community started talking about research and development that they were doing in the field of digital forensics. So this is where things really took off with training and all of those awesome things that we kind of take for granted now.

The 2010s is where we kind of saw evolution, really, in terms of electronic

devices: more data stored in the cloud, more storage available on devices, more Internet of Things, more connectivity, constant updates. There are millions and millions of applications for Android, for iOS, for Windows, for BlackBerry, for Windows Phone if you want to go back to this kind of time. So many systems, so many applications. We started to see encryption; we started to see things like Snapchat, where you can delete chats. We now have, of course, lots of applications that do that; things like Signal, and WhatsApp now has chats that automatically disappear. All of those things started to become a thing and are now much more prevalent these days.

We started to see lots of data breaches as well in this decade, and we did get a bit of breach fatigue, I think. I mean, I get notifications fairly regularly saying LinkedIn's been hacked, this other website's been hacked, your data's been leaked, and the more notifications that users get about these types of breaches, you do kind of just think, "Oh, that's happened again, fine, let's just file away this email," and yeah, my information's already out there. So we kind of got a lot of these in this decade, and we still, to be fair, get a lot now.

All of these developments have led to a few challenges, and we still have these challenges today: getting around encryption, for example. If you're trying to acquire a device, you don't have the password, it's encrypted, it's turned off, we have issues. These are all challenges that we need to try and get around, so this is where those challenges really started, and they're only evolving as we go through.

So now what? What happens? This is kind of where I often throw it out to the floor: what does everyone predict from 2020 and beyond? Throw your ideas in Slack and let me know what you think.

The pandemic's been an interesting one. I think in many ways it's accelerated a lot of changes that may have happened anyway, but more slowly. Things like: there's now a lot more remote working, so remote working capability has taken a big leap forward. If you think about Zoom: everyone, we're on Zoom now, everyone suddenly decided to get Zoom in March last year. It became the application to use for video calling, whereas beforehand I think it was a small minority who'd even heard of it; I hadn't heard of the application before March 2020, and then all of a sudden everyone was using it, including our Prime Minister in the UK for the daily COVID briefings. So there you go, it was catapulted into the limelight. As a consequence it's had a lot of updates since that point in time; it's become much more secure, because originally it wasn't too secure, because they hadn't had that opportunity, really. It was still quite new and they hadn't had so many thousands of users on it. So that's just one example where I think the pandemic has accelerated technological development, and I think, hopefully, that's a good thing that will come out of all of this. Hopefully that will continue and we will see some of those really cool things coming out in the years ahead. We shall see; watch this space, I think.

So why do we do digital forensics? What's the purpose of it? Just to work out what happened. That's all we're trying to do: what happened on that device, what were the events that led to an incident that we're investigating, or the reason behind us doing this investigation. Everything we do has to be repeatable, and that's why we follow best practice guidelines; we follow accepted methodology, because that's what everybody knows, that's what's proven to be a good way of doing it. And if we write our report, we write down everything we do, I could hand that to a colleague, they could repeat exactly what I did and come to the same conclusion. That's the reason that we do everything following all of these guidelines and methodologies, based on our current understanding. Our understanding changes, as everything generally does, particularly with technology: it evolves, it adapts over time as new operating systems come out, new applications come out, we discover new artifacts, artifacts change potentially over time. The whole field is constantly evolving, so as does our understanding of devices, of processes, of tools, of everything that we rely on in digital forensics.

We need to ask the right questions. One of the skills in digital forensics is learning to ask questions: what are the questions we should be asking, what questions can we answer, and what questions can't we answer. And we need to make sure we back up all of our answers with corroborating evidence. If we find one artifact that tells us one thing happened, we need to try and get as much corroborating evidence as possible to back that up before we produce our report, before we reach our conclusions. So that's why we have it, why we do it, and why we do it in depth.

The ACPO principles, I mentioned, came in the late 1990s. This was a team of UK chief police officers. Just because it was developed in the UK, don't be fooled: it is used globally, and it was the first standard that came out, the first guidelines that came out, so this was widely adopted everywhere, and a lot of the current standards we have today are based on exactly these principles. It consists of four principles. Principle one: do not do anything that will change your data, if possible. Principle two says it may be possible to sometimes access original data, which will change that data; if you need to do that, make sure the person doing so is competent and they are able to explain exactly what they did and the implications of what they did. Principle three says document everything: write everything down, create an audit trail, document exactly what you did and when you did it. Principle four says that somebody needs to be ultimately in charge of the investigation and responsible for the entire team adhering to these principles and the law.

So, putting that into practice. Principle one: if possible, don't change the evidence. If we can, use a write blocker. A write blocker is just a device, it may be software, it may be hardware, but you put it between your evidence item, your electronic device, and your analysis machine, and it just stops your analysis machine from writing to your evidence. If we can do that, we should do that. There are circumstances where you can't do that, and that moves on to principle two. Principle two says there are some cases where you need to access the original data. For example, if I'm acquiring a mobile device, I can't pull it apart and remove the hard drive; I need to turn that device on to access the data. I'm accessing it live in that instance; I can't use a write blocker. I just have to be able to explain exactly what I did: did I change the data in any way, what data did I change, what are the implications of the actions I did on that particular device. Because if I can't explain all of those things and I go into a courtroom and the lawyer stands up and says, "You changed this data on the device, therefore everything you're saying wasn't something that my client did, it's something that you did when you accessed the device," it's about being able to explain why that's not an accurate picture of what happened.

Principle three: document it. Simple as that. Documentation is the non-glamorous side of digital forensics, but it is one of the most important aspects. If you don't document it, it didn't happen; that is the short version. Write everything down when you do it, as you do it, so that you remember exactly what happened. Back it up with photographs, back it up with videos if you can, and make sure all of that is properly filed so that you can access it when you need to; you can refer back to notes when you need to write a report. You can't write too much; it's not a thing to have written too much down, but it is a thing to not write enough down. If you don't write it down and you need to then refer back to what you did later on and you haven't got those notes, guess what? You have to do it all again, and that's not fun. So write everything down, and write down more than you think is enough.

Last but not least in the ACPO principles: someone has to be in charge. Basically, you can delegate responsibility for particular tasks, for collecting evidence, for writing a report, but not accountability. Somebody has to be accountable to make sure the team is properly qualified, they have the right skills, the right competency, they know what they're doing, they are following the standards they should be following, they are doing their documentation, they're adhering to the law, they're getting authorizations when they need to, all of those things. One person has to be accountable for that, and that's all principle four states.

I just want to throw in this slide here

to say: be wary of the expert label. I personally hate the word expert. Expert has specific meaning, specific connotations, I think, so I tend to use the word specialist. Practitioners need to understand what their own strengths and weaknesses are, and what the strengths and weaknesses of their team are. Everyone has limitations. You can be really, really good and know loads and loads of things about, say, Windows artifacts on a Windows system, but maybe you don't look at Mac systems very often, so you're not as confident, you don't have as many skills on the macOS system. Maybe you don't do reverse engineering of malware very often, so you're not a specialist in that. Maybe you don't do memory analysis that often. Everyone has their own areas that they specialize in, and one person cannot know everything about all of those things. So an expert in digital forensics, all of digital forensics, isn't a thing. People will specialize in one topic or a few topics, but everyone can't know everything about everything. So I try and avoid the word expert; I would use specialist.

And it's important to understand your own limitations, your team's limitations, and also get that point across to your stakeholders, because stakeholders can expect a lot; they may not understand where the limitations are in a team, and you may need to call specialists in from an external team or external organization, if you need to, to fill gaps in reporting and get the right results for your particular investigation. Don't be afraid to do that. Have those relationships built up in advance, and make sure your client understands what you can and can't do.

There are many challenges, as I mentioned, that we come across, just to name a few. Well, yeah, I probably won't cover all of these,

but things like rapidly changing technology: updates are happening all the time to operating systems, to applications. That changes artifacts, and we need to know how those artifacts change. Maybe they change location, maybe they change the way they store data, the amount of data stored, maybe they compress data now when they didn't before. We have devices that are storing more data; you now have a smartphone that comes in 256 gigs by default, and it used to be 4 gigs or 8 gigs a few years ago, so everything is just blowing up in size. More data is stored in the cloud, which may or may not be accessible to you in an investigation.

Trying to recruit people into digital forensic teams can be difficult. We are an interesting breed; we're quite analytical. You kind of need people who want to investigate, to dig into the data, to question things and come up with the right conclusions. You also need people who can look at data all day, who can look at hex and not go cross-eyed, who can do difficult cases. You may have cases involving child abuse, involving homicide, involving co-workers if you're doing internal HR cases, so you need people who can deal with that, and you need to be able to support the mental health of your team in doing those sorts of cases.

You need to keep up with the field; the field changes all the time. There are new tools coming out, new artifacts coming out, and it's a bit of a cat and mouse game when it comes to all those types of things, so ongoing education is critical to keeping the team current, keeping them up to date on everything. Tools are great; we also need to understand how to look at the data manually. We can become over-reliant on tools and just click, click, click, click buttons, but we need to make sure we can verify that their output is correct. So we need to still have those skills and capabilities to be able to do manual analysis and verify our tools are working, and we should always be verifying that our tools are working as we expect. You may get unsupported devices; things like Internet of Things devices may not be supported by tools, so what do we do with that? They are still challenges. Encryption is becoming more and more common, and anti-forensics may be a thing on your particular case, and if an attacker has deleted all of the evidence, then that's a big challenge when it comes to doing an investigation.

Last but not least,

how can digital forensics help you? What type of investigations do we do, what type of artifacts do we come across? Here is just a small number of the types of artifacts you may come across on different systems, on networks, on all sorts of different things. This red poster here is Windows artifacts. These are all available from SANS through your portal, and I have these plastered all over my walls, because I'm referring to them constantly. You're never going to remember everything, so just have these to hand so you can refer to them. The red poster, I say, is all Windows artifacts. This gray one here is network forensics. You have finding malware on this blue one: how do you know what's normal, and what processes should be running versus what is running on your system. Memory forensics, and smartphone forensics. There's another one just come out as well that Mattia Epifani wrote, which is all about third-party applications on smartphones. And there are plenty of other posters available, but these are really good reference sheets. You're not meant to be able to read all of these things; it's just to show you the sheer scale, really, of the different artifacts that are available, that are out there, and that we use in different types of investigation.

To just walk through, towards the end, don't worry, we're coming to the end, just to walk through an example of the types of artifact that might be useful in a particular case, I'm going to talk about malware execution. This is a malware case. The first thing that I would be looking at on a Windows system is evidence of program execution: which applications ran on the system, when did they run, which applications ran immediately after an application ran, what other artifacts were created immediately after that thing ran. So we're going to start with the red poster and the red box, looking at Windows, starting with things like Prefetch, which shows applications that ran on the system. It will give you dates and times that that application ran; it will also potentially show you files that were accessed by that application when it last ran, so you can then potentially also dig into those files. I'm going to look at things like event logs; depending on what event logging is turned on will depend on how much information that might give you, but that might give you useful information about what ran on that system. Information in the registry, things like most recently used, will again show you what applications ran, and we can add all of these things together: UserAssist, same thing; the ActivitiesCache database, Windows 10 Timeline; jump lists. All of these things will give you slightly different evidence, but corroborating evidence, on which applications ran on that system.

From there we can then look at other types of data: what else happened around the same time? I mentioned Prefetch data may give you evidence of which files were accessed by that application. We can then look at evidence of file access, so things like MRU lists, most recently used lists, in the registry: which files were opened by the user, which files were saved by the user at that particular point in time. ShellBags show us which folders were accessed at that particular point in time. We can look at shortcuts, so LNK files will show us which files were accessed at a particular point in time. We can back this up with jump lists, with other recent data. All of this, again, is corroborating evidence as to what happened at that point in time. So we've seen an application run, we can note the timestamp of that, and we can then pivot from that and say: what else happened at that point in time, what files and folders were accessed at around the same time, immediately before and immediately after that malware ran?

And then from there, where do we go? We need to find out where that malware came from, so we can look for evidence of USB devices being connected. Again, we're going to look in the registry; there will potentially be, from the USBSTOR key, any USB devices that were connected. We can get the model, we can get the serial number, and we can get some timestamps associated with that. We can get the volume name, the drive letter it was mounted as. We can look in LNK files and see which files were accessed from that USB device. We can also look in things like browser usage: what browsers are on that system, look in browser history to see whether any files were accessed, were any websites visited, was it downloaded, was it a drive-by download from a particular website, did it come from email, did they access email through the browser and maybe it was downloaded that way. So again, we can pivot around that same timestamp to look for each of these different ways in, to see how did that malware get on that particular system.

And often you'll get the user saying, "I didn't do it, someone else must have done it." Was it actually malware, or did the user do it? We always need to start with our hypothesis, try and look for evidence of that happening, try and look for evidence specifically saying that didn't happen, and then go from there and try and reach the right conclusion. So we've started this as a malware investigation, but maybe it wasn't; maybe the user actually did these actions, and by looking at the evidence we can determine that that happened.
