Sift your Security Onions carefully and Rekall the order of Volatility before you Autopsy

PDF slides here, Demo notebook here

Links to the tools

Toolkit distros

Raw notes from slides

TODO: needs markdown help

Forensics?

- Digital Forensics primer
- Free tools to practice with
- Free evidence to learn from
- DFIR!

Forensics: Wiktionary

1. “Relating to the use of science and technology in the investigation and establishment of facts or evidence in a court of law.”
2. (dated) “Relating to, or appropriate for courts of law.”
3. (archaic) “Relating to, or used in debate or argument.”

Forensics: On Telly

- criminalistics, crime scene investigations
- "looking at dead things" to find out what killed them → forensic pathology
- Bones, CSI, Dexter, Dr Who, NCIS, Twin Peaks, Quincy, Torchwood, The X-Files, ... and every cop show since Dragnet?

IANAL, IANYL

- Carrier and many others distinguish between the use of these techniques for investigations versus their use in legal proceedings
- He contrasts digital investigation with digital forensic investigation

forensics versus Forensics (and IANAL)

- Same technology and science but the outcomes (and travel, dress code, billing rate, exams) … are very different.

Core Forensics Principles

- Evidence integrity
- Rules and types of evidence
- Adversarial system of justice

Forensics: from Law

- Evidence integrity
  - Don't alter evidence! (if you can avoid it)
  - hashes can (dis)prove it
  - ... understand what changes you made
- Rules and types of evidence
  - Lawful collection
  - Real, direct, best evidence
  - Chain of custody
- Adversarial system of justice
  - The other side does their own analysis

Forensics: from SCIENCE

- Scientific Method: Observation, Hypothesis, Experiment, Revise
- Reproducible experiments
  - do it again with same tool, get same result?
  - do it again with different tool, same result?
  - someone else does it, same result?
- Careful detailed notes and precise reporting
- Anticipate peer review and critiques

Two Core Forensics Theories:

- Locard's Exchange Principle
- the Order of Volatility

Locard's Exchange Principle

“Every contact leaves a trace.” - Dr. Edmond Locard

- Founded world's first police lab

Order of Volatility

- What changes first, fastest? Preserve it first
- Capturing always alters volatile evidence
- Understand these changes
- Incorporate in technology and process

Digital Investigation (Carrier)

“develop and test hypothesis about digital events”

File System Forensic Analysis, Brian Carrier (2005)

The science of examining evidence to find out:

- what happened
- when it happened
- how it happened
- who did it

by proving and disproving hypotheses with evidence

DF Skills & Roles

- Acquisition
  - Get the evidence safely and correctly
  - Use acquisition tools and follow process.

DF Specializations

- differ primarily by the source data type
- share much in theory and process but may use totally different tools
- link up Voltron style when available to slay monsters
- fill in blanks in your case

DF specializations

- Host Forensics:
  - Disk (drive)
    - Physical media: disk, disc, tape
    - Magnetic, optical, logical
  - Memory
    - full or partial memory from devices
  - Platform and OS
    - Windows, Mac, Unix
    - Phones, tablets, devices

free host DF tools!

Disk (drive) tools

- The Sleuth Kit
- Autopsy
- plaso

Disk : The Sleuth Kit

- Descendant of TCT
- CLI tools and library for drive artifact analysis at every level:
  - blocks & inodes
  - files, directories, partitions, volumes, filesystems
- mmls, fls, fsstat, blkcat
- tsk_gettimes, tsk_recover
- mactime

Disk : Autopsy

- Autopsy 2 : Perl web tool
  - Case and evidence mgmt
  - timelines and searching
  - hashing tools & timelines
- Autopsy 3 (Windows): Sophisticated GUI for TSK 4
  - Case mgmt, indexed searching
  - Pre / reprocessing evidence
  - Artifact extraction
  - Plugin architecture
  - Timeline graphing (beta)

Disk : plaso

- Plaso: supertimeline toolbox
- Python library and utilities for l2t
- Reads Raw, VSS, VDI, VMDK, QCow2, AFF, E01 ...
- Processes:
  - Filesystem MAC times (FAT/MFT)
  - Registry keys, Event Logs
  - App logs and caches, Prefetch (SIFT 3), ...
- Filtering by time, query, or tags
- Multiple engine outputs:
  - SQLite, CSV, XML, text, 4n6Time
  - Elastic Search → ELK →
- In SIFT 3 or from
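A minimal version of what `mactime` does with `fls -m` output, as an added example (not from the slides and not The Sleuth Kit's own code): it parses body file lines in the TSK 3.x column layout and collapses each file's timestamps into sorted MACB timeline rows. The sample lines, paths and times are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone

# mactime flag letter -> body file column (TSK 3.x layout:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime)
TIMES = (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime"))

# Constructed sample input, not taken from any real image.
SAMPLE_BODY = """\
0|/Users/alice/report.docx|1201-128-1|r/rrwxrwxrwx|0|0|48211|1400000300|1400000100|1400000100|1400000000
0|/Users/alice/evil.exe|1337-128-1|r/rrwxrwxrwx|0|0|90112|1400000300|1400000200|1400000200|1400000200
0|/Windows/Prefetch/EVIL.EXE-1A2B3C4D.pf|1400-128-1|r/rrwxrwxrwx|0|0|5120|0|1400000310|1400000310|1400000310
# comment lines and malformed rows are skipped
not|a|body|line
"""

def parse_body(text):
    """Yield a dict per well-formed line; skip comments and malformed rows."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        head = line.split("|", 1)
        # A file name may contain '|': peel the nine trailing columns off the right.
        tail = head[1].rsplit("|", 9) if len(head) == 2 else []
        if len(tail) != 10:
            continue
        name, inode, _mode, _uid, _gid, size, atime, mtime, ctime, crtime = tail
        try:
            yield {"name": name, "inode": inode, "size": int(size),
                   "atime": int(atime), "mtime": int(mtime),
                   "ctime": int(ctime), "crtime": int(crtime)}
        except ValueError:
            continue

def timeline(entries):
    """Return sorted (utc_time, 'macb' flags, name) rows, one per file per instant."""
    events = defaultdict(lambda: ["."] * 4)
    for e in entries:
        for pos, (flag, key) in enumerate(TIMES):
            if e[key] > 0:  # 0 means the timestamp was not recorded
                events[(e[key], e["name"], e["inode"])][pos] = flag
    rows = []
    for (ts, name, _inode), flags in sorted(events.items()):
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append((when, "".join(flags), name))
    return rows

if __name__ == "__main__":
    for row in timeline(parse_body(SAMPLE_BODY)):
        print("  ".join(row))
```

In the constructed data the `m.cb` row for `evil.exe` followed by an access time and a new Prefetch file is the kind of ordering a timeline makes visible; times are rendered in UTC so the result does not depend on the analyst's workstation.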

Memory Analysis:

- Mandiant tools
- Volatility
- Rekall

Memory: Mandiant

- Memoryze
  - Free to use* memory collection and processing framework
- Redline
  - Windows memory collection and analysis tool, free to use*
  - frontend for Memoryze, m_agent, and more
  - Threat scoring, activity timelines, binary analysis
  - Scan against OpenIoC indicators

Memory: Volatility Framework

- Volatility
  - Advanced multi-platform open source memory analysis (Python)
  - Analyse Windows, Linux, OS X memory
  - amazing analysis plugins: screenshot → timeliner, iehistory, malfind, hashdump

Memory: rekall

- Rekall
  - Volatility fork from techpreview branch for GRR
  - Better integration with other Python tools
  - Sophisticated profile scheme and autoloader
  - IPython and notebook support
  - WebUI →

Free collections of tools

- SIFT, DEFT
- Security Onion
- REMnux
- … as well as Kali & Backtrack

Free Evidence!

- Public Sources
- Free downloads
- HoneyNet
- CTFs, challenges
- DigitalCorpora
- Wireshark wiki
- Pcappr
- Contagio & malwr

DFIR is awesome!

- Digital Forensics:
  - portable, cloneable, replayable crime scenes
  - science you can safely learn for free ***
- Forensic techniques key to effective Incident Response
- Digital Forensics & Incident Response
- *** Just add labour (yours)

Q&A

References

- Wiktionary, Wikipedia
- Hidden Evidence, David Owen (2E 2009)
- File System Forensic Analysis, Brian Carrier (2005)
- Windows Forensic Analysis, Harlan Carvey (1E 2007, 2E 2009)
- RFC 3227 Guidelines for Evidence Collection and Archiving (2002)

Resources

- PMA, PNSM, ANSM, DFOSS books
- projects sites for tsk, Autopsy, Volatility, SO, etc
- Mailing lists for SANS DFIR, sleuthkit, etc
- researcher blogs
- webcasts & white papers
- SANS SEC503, SEC504 and DFIR curriculum