FOR498: Digital Acquisition and Rapid Triage

Overview

Any baker knows that if you bake with the wrong ingredients, the result will fail. The same holds true for digital evidence collection.

Investigators often respond in high-stress environments where many different entities are critically scrutinizing the collection process. Personnel need to be properly trained and equipped to work in less-than-optimal surroundings, and they must be confident that they have managed the scene, identified all necessary data, collected it in a properly defensible manner, and maintained its integrity.

One of the most common scenarios that can cause headaches is receiving an evidence file (usually an E01), and being expected to provide answers immediately. The common approach is to mount the image and then start running carving and other tools against it. These automated tasks can take many hours (and sometimes days) just by themselves!

Exercises

• DFIR Workstation Installation
• Converting an E01 into a Bootable VM
• Interface Identification and BIOS/UEFI

Topics

SIFT Introduction

• Introduction to the Widows SIFT workstation
• Installation of the Windows SIFT workstation

Introduction to Digital Forensic Acquisition

• Need for a strong understanding of intake/collection
• Understanding how a lack of this knowledge can damage your case
• Not acquiring memory
• Skipping BIOS information
• Determining if encryption is present
• ISO 27037:2012 - Guidelines for identification, collection, acquisition, and preservation of digital evidence
• How to go from where you are to lethal forensicator - the basics
• To specialize or generalize? You can't be good at everything
• Options for diving deeper into specializations

Understanding the Data

• Where is data that is common to the most current acquisition requirements found?
• Phones
• Network
• Traditional
• IoT
• Removable devices
• Unorthodox storage

• What types of critical data are needed for triage and quick-hit investigations?

  • Evidence of communication

• Chat, email, phone calls, SMS

  • Evidence of browser history

• Where the individual was researching, reading, or accessing via Web apps

  • Evidence of geo-location
• Where has the device been located recently?
• GPS, geo-tagging Info
• Pictures - GPS coordinates in EXIF, etc.
• Maps
• Other GEO-tagging artifacts
• Physical devices
• Spinning media
• Flash storage
• Going from physical disks to data storage

• File system overview

  • Purpose: Organize and retrieve data

• How do different file systems achieve this?

  • NTFS, FAT, EXT, HFS, APFS
• Specialty file systems
• ZFS
• EMC
• File system metadata
• Timestamps
• Where data lives
• Security information
• Evidence file formats
• Common formats found in digital forensics
• .E01
• DD/RAW
• SMART
• .AD1/L01
• Determining the approach when someone else created the evidence file

Scene Management and Evidence Acquisition

• The go bag
• Scene safety
• Minimum recommendations vs. LE response
• Documenting the scene
• Sketch
• Photos
• Video
• Scene documentation
• Identifying and collecting evidence
• Evidence seizure
• Chain of custody
• Inventory
• Documenting storage devices prior to imaging
• Physical storage devices inside a computer
• The difference between an enclosure vs. an actual storage device inside it

• Storage and maintenance of evidence

  • Evidence lockups
  • Long-term storage considerations

Device and Interface Identification

• Storage device interface recognition

  • IDE, SATA, SAS, fiber channel, SCSI, USB, Firewire
• Using adapters to convert interfaces
• Accessing BIOS/UEFI

Overview

There is no second chance when seizing or acquiring data. Make sure you get it right the first time.

Portable devices bring their own set of challenges to the table. These devices are more ubiquitous than computers. Seldom is the case today that does not include a cellular device. Unfortunately, there is no standard for cellular operating systems. Even within brands, there can be vastly different data storage. This course section will introduce students to several devices and the tools that will acquire them.

Investigators and first responders should be armed with the latest tools, digital container access techniques, and enterprise methodologies to identify, access, and preserve evidence across a vast range of devices and repositories. They must also be able to scale their identification and collection across thousands of systems in their enterprise. Enterprise and cloud storage collection techniques are now a requirement to track activity that has been intentionally and unintentionally spread across many devices. Responding to these many systems cannot be accomplished using the standard "pull the hard drive" forensic examination methodology. Such an approach will result in lost opportunities due to the time it takes to forensically image entire hard drives. Furthermore, investigators need actionable intelligence as quickly and responsibly as possible. This course section lays the foundation for evidence collection, from initial arrival on a scene to the fundamentals of understanding data at rest and properly identifying the devices, interfaces, and tools that will be needed to carry out collection successfully.

We will also explore the myriad of acquisition hardware and software, not to mention adapters and identification, so that you can make the best decisions about the data.

Exercises

• Portable Device Acquisition
• Portable Device Analysis
• Hard Drive Wiping and Formatting
• Write Blocking Methodologies
• Preparing the Analyst Machine
• Using Timeline Explorer

Topics

Smartphone Acquisition

• Proper device handling techniques
• Airplane mode
• Network isolation
• Acquisition tools
• Cellebrite
• IEF/Axiom
• SIM card acquisition
• How to capture the data and why
• Regional concerns

Smartphone Analysis

• Apple iOS
• Apple iOS fundamentals and "quick win" data

• iOS backups

  • Local and cloud

Android

• Android fundamentals and "quick win" data
• Android backups
• Common analysis techniques
• Applications (Apps)
• Messaging services
• iMessage
• SMS/MMS
• Viber
• Snapchat
• WhatsAPP

• Email

  • iOS vs. other devices

Acquisition Hardware and Software

• Live response
• FTK imager/X-Ways
• KAPE
• F-Response
• Dead box: Write blocking with software imagers
• Software-based write blocking
• Registry key/value entries
• Safeblock
• Hardware-based write blocking

• Physical imaging device (Ditto, Talon, etc.)

  • UltraDock, Tableau, etc.
• Preparing destination media
• Formatting destination media
• Wiping destination media

Acquisition Methodology

• Is the computer off or just suspended?
• Hibernation vs. sleep mode
• Accessing a device: Laptop vs. desktop, etc.
• Recognizing signs of tampering

• Be aware of how the data are stored

  • JBOD vs. RAID vs. network
• Acquisition verification
• Hashing source vs. destination
• Special case: SSD

Discovering and Interacting with Data

• Windows and CLI basic navigation and usage
• PowerShell vs. cmd vs. bash

• Data review techniques

  • Timeline Explorer
• Fundamental artifacts
• Evidence of user communications (email, social media, Skype/Chat)
• Evidence of geo-location
• Web browsing history

Overview

Quick Win Forensics prioritizes locating, extracting, and processing the 1 percent of digital evidence you need to move a case forward.

Given that 99 percent of the necessary evidence typically will exist in 1-2 percent of the data acquired, it is easy to see how a great deal of time can be wasted following the normal procedures in today's digital forensics world. Instead, let's focus on this 1-2 percent and perform a very rapid triage collection that can be used to start our investigation sooner!

Far too often, computers are seized in an "on" state, and immediately powered down because, "that is how we've always done it." With today's computers, this means you are throwing away (essentially destroying) many gigabytes of data. The RAM in a computer holds a treasure trove of data, from keystrokes to network connections, running services, and, quite importantly, passwords and decryption keys. With the vastly increasing spread of file-less malware, in many cases the only place that evidence will exist is in memory. Another often-overlooked factor is full disk encryption. In cases like this, "live" acquisition will be your only hope.

Exercises

• Mounting Evidence
• Triage Acquisition
• RAM Acquisition and Encrypted Media
• Host Based Live Acquisition
• Dead Box Acquisition

Topics

Beginning the Collection Process

• Live response (the system is running)
• Document state of computer (photograph screen and open apps)
• Dump memory
• Triage collection, depending on case
• Check for encryption

• Dead box
• Accessing storage medium
• Write block
• Acquire data
• Rapid triage overview
• Creating a forensic image overview

• Mounting images
• Arsenal Recon Image mounter
• FTK imager

• Triage introduction
• Triage acquisition using FTK imager
• Triage acquisition from original media vs. from forensic image

• Introducing tools to the environment
• Where to store acquisition tools
• Where to save images
• External SSD vs. USB stick for maximal IO/write speed
• Documenting your device

• Command line tools
• Dumpit/Belkasoft RAM capture

• GUI tools
• FTK Imager

• Dealing with encrypted devices
• Bitlocker introduction

Host-based Live Acquisition

• Why live acquisition -- is it okay?
• Determining what to collect
• Logical vs. physical imaging
• Important considerations
• Ensuring the computer doesn't go to sleep
• Do you have the power cord for the laptop?
• 4 W's: Who, what, where, when
• Security devices (yubikey, unlock dongles, etc.)
• Document the known good (date/time, etc.)
• Network connections
• User remote access/connections

Dead Box Acquisition

• Media device removal and handling
• Hardware-based device acquisition
• Software-based device acquisition
• Special cases like Surface Pro, etc.

Overview

Cloud computing and storage is becoming more and more common. Do you know how to collect these critical data?

When we think about acquisition, it usually involves opening the side of the computer, removing the hard drive, connecting to a write blocker or imaging equipment, and completing the task. While this does not necessarily result in an inaccurate assessment, it does not address a great deal of the access and acquisition questions surrounding so much data today. If full disk imaging is necessary, then it is certainly easier and quicker to do it directly from the storage itself. But what happens with devices such as iPads, Surface Books, and other equipment held together by glue instead of screws?

Volume Shadow Copies contains a wealth of historic data that are of great use to investigators. Knowing how to access and collect data from these shadow copies is critical in cases involving the Windows operating system.

Rapid triage is considered the bleeding edge of digital forensics. It requires in-depth knowledge of where the most valuable data reside on the computer and how to get at them as fast as possible. An effective lethal forensicator needs to be extracting actionable intelligence in 90 minutes or less, but the clock does not start when the forensic imaging is done. Rather, it starts from the moment you lay your hands on the device.

This course section will teach you how to identify and access data in non-traditional storage areas. In today's world, so much data live off site, and there are very few methods in place to access and properly acquire those data. We will identify these locations, including SharePoint, Exchange, webmail, network locations, cloud storage, and social media, not to mention Dropbox, Google Drive, and the Internet of Things. This also includes RAID storage and how to best collect these devices regardless of configuration. Moving to the forefront of most Enterprise investigations, we will be examining vSphere and virtual machine collections as well!

Exercises

• Volume Shadow Copy Acquisition
• Using the KAPE Tool for Battlefield Forensics
• Network Acquisition

Topics

File Systems Revisited

• FAT
• Ext
• NTFS
• Timestamp metadata
• Alternate data streams
• Volume shadow copies
• Acquiring volume shadow copies

Rapid Triage with KAPE

• Introduction to the KAPE tool
• Using KAPE to rapidly collect critical artifacts
• Processing data using KAPE
• Analyzing KAPE output

Multi-Drive Storage

• Challenges in imaging multi-drive arrays
• RAID
• JBOD (Just a Bunch Of Disks)
• RAID acquisition concerns
• Logical vs. physical

EMC/non-traditional formats

• Accessing RAID volumes, and choosing methods to image
• Physical access
• Image directly to external storage
• Using a network connection when only USB 2.0 is available

Remote Acquisition

• Using F-Response
• Acquiring storage through the network
• Acquiring RAM through the network
• Cloud storage acquisition
• Email (IMAP)
• Cloud storage
• Dropbox
• OneDrive
• S3

• Google takeout

Overview

Apple must be approached entirely differently from traditional devices.

This course section will explore the fundamentals of acquiring data from Apple devices. Compared to Windows, there are very few tools and techniques available when it comes to acquisition of Apple products. The tools that exist can be quite expensive, and free tools are simply few and far between. In this course section, will acquire memory and identify systems that are running CoreStorage technology and full disk encryption. We will also visit the challenges posed by APFS. Many of the Apple systems are closed systems, in that you simply cannot remove the hard drive because it is soldered directly to the motherboard. The uniqueness of the data storage demands alternative methods of acquisition.

In this course section, you'll learn how to access and forensically image iPads, MacBooks, and other HFS+ devices, working at the command line, as well as how to build a free acquisition boot disk to image even the latest macOS versions on current hardware.

Not to be left out, the pervasive Internet of Things is controlling our fridges, thermostats, security cameras, and door locks. It is listening passively and waiting patiently for an instruction to perform. In this course section, you will learn how these devices communicate, and more importantly, who is controlling them.

Exercises

• PCAP Collection
• PCAP Graphical Tools
• PCAP Command Line Tools

Topics

Apple MacOS Device Overview and Acquisition

• Apple encryption

  • File vault
• Core storage
• APFS imaging
• Fusion drives
• Acquiring RAM
• Latest Apple Security Layers
• T2 Security Chip

• Collecting drive metadata

  • Live or single user mode
• Accessing storage on Apple MacOS devices
• "Must know" Apple keyboard combinations
• Single user mode
• Repair mode
• Target disk mode
• Options mode
• Target disk mode
• Command line imaging
• Creating a macOS GUI boot device
• Using Macquisition to collect a forensically sound image

Internet of Things (IoT)

• Determining devices on the network

  • Internal devices on a LAN
• Methods for collecting network traffic
• Network tap
• Port mirror
• Pen register

• The need to coordinate with network admins

  • Logistic/procedural/legal considerations for network data collections
• Potential communication destinations
• Which external resources are being accessed in the cloud?
• What company holds this data?
• Determining Internet of Things (IoT) communication with portable devices
• Tying IoT activity to the devices controlling them
• Mobile device accessing cameras, doors, and other IoTs
• Understanding the PCAP to find co-conspirators
• Collection of network traffic
• IoT collection considerations

Overview

Tools fail, techniques become outdated, but do not let that hold you back.

You have traced an artifact back to an IP, email, or web address. Now what? In this course section you'll learn the best methods to determine attribution, from proper collection to legal documentation.

The usefulness of file and stream carving cannot be overstated. Some data simply do not live in the defined file space that can be readily accessed by a viewer. From partially overwritten to deleted data, we will explore techniques you can employ when traditional tools fail.

Data carving is an increasingly important skill. Once the reference to a file is destroyed, how can the data still be recovered? File carving tools will assist in this, but examiners must understand the limitations of their tools. Without the proper pieces of the original file, a carver is useless.

Exercises

• Online Attribution
• Data and Stream Carving
• Data Rebuilding

Topics

Identifying Online Asset Ownership

• How to go from a hostname or IP to someone who can receive legal process
• Domaintools
• Search.org
• Considerations of passive DNS
• Insuring against subsequent loss of data
• Preservation letter
• Data retention policies
• Possible pitfalls to consider

• Source of legal process: Does the company recognize the authority of the requestor?
• Domestication of legal process
• State-to-state or country-to-country
• Civil vs. criminal

File and Stream Recovery

• Data streams
• Chat sessions
• IEF/Axiom

• Deleted data recovery
• Carving via Photorec
• Extracting metadata via ExifTool
• File and stream carving
• Understanding carving tool limitations and capabilities

Advanced Data Carving and Rebuilding

• Using manual analysis techniques to find and recover data not normally recoverable
• Understanding file signatures, headers, and footers
• MS Office file format
• OLECF
• OpenXML

• Manual data carving
• Data rebuilding
• Repairing corrupted and/or partially overwritten files

Where Do We Go From Here

• How do go from where you are to lethal forensicator - in depth
• To specialize or generalize: you can't be good at everything