Channel: forensic tools – Cyber Forensicator

Recycle Bin Forensics

As a continuation of Richard Davis’ “Introduction to Windows Forensics” series, this video introduces Recycle Bin Forensics. From Windows 95 to Windows 10, the history of the Recycle Bin is covered. You’ll learn about the INFO2 metadata files found on older operating systems, as well as the $I and $R files found on modern operating systems. You’ll take a look at exactly what happens when a file is placed in the Recycle Bin, and also at a tool that will help us extract metadata from $I files.
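To make the $I metadata concrete, here is an added parser (editor's example, not the tool shown in the video). The record layout in the comments is the documented Recycle Bin $I format; the sample records are constructed in the block itself, and the builder function exists only to produce that test data.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict

# $I record layout (the documented Recycle Bin format; the video itself does
# not spell it out, so this description is the editor's, not the author's):
#   0x00  u64  version: 1 on Vista through 8.1, 2 on Windows 10 and later
#   0x08  u64  original file size in bytes
#   0x10  u64  deletion time, FILETIME (100 ns ticks since 1601-01-01 UTC)
#   0x18  v1: 520 bytes of UTF-16LE original path, NUL padded (260 chars)
#         v2: u32 path length in UTF-16 code units (NUL included), then the path
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_dollar_i(data: bytes) -> Dict[str, object]:
    """Decode one $I file. Raises ValueError on a truncated or unknown record
    instead of guessing, so a damaged file is reported rather than misread."""
    if len(data) < 24:
        raise ValueError("too short to be a $I file")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        if len(raw) != 520:
            raise ValueError("truncated version 1 path field")
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        if len(data) < 28:
            raise ValueError("truncated version 2 header")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("truncated version 2 path field")
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unsupported $I version {version}")
    return {
        "version": version,
        "original_size": size,
        "filetime": ft,
        "deleted": filetime_to_datetime(ft),
        "original_path": path,
    }


def build_dollar_i(path: str, size: int, deleted: datetime, version: int = 2) -> bytes:
    """Build a $I record; used here only to construct sample data."""
    delta = deleted - FILETIME_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    header = struct.pack("<QQQ", version, size, ft)
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


# Constructed sample records (not taken from any real system).
SAMPLE_PATH = r"C:\Users\alice\Documents\report.docx"
SAMPLE_DELETED = datetime(2018, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_V2 = build_dollar_i(SAMPLE_PATH, 20480, SAMPLE_DELETED, version=2)
SAMPLE_V1 = build_dollar_i(SAMPLE_PATH, 20480, SAMPLE_DELETED, version=1)

if __name__ == "__main__":
    for label, blob in (("v1", SAMPLE_V1), ("v2", SAMPLE_V2)):
        rec = parse_dollar_i(blob)
        print(label, rec["original_path"], rec["original_size"], rec["deleted"].isoformat())
```

On a real system you would read the bytes of each `$I` file from the user's `$Recycle.Bin\<SID>` folder and pass them to `parse_dollar_i`; the matching `$R` file with the same suffix holds the content. The parser refuses truncated records rather than returning a partial path, which matters when the Recycle Bin itself has been carved from unallocated space.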


Carve and recreate VSS catalog with vss_carver

Minoru Kobayashi has presented a tool for carving and recreating deleted VSS catalogs at the Japan Security Analyst Conference 2018. The script is already available for download from his GitHub.

Simplifying Bro IDS Log Parsing with ParseBroLogs

A few days ago Dan Gunter published a post about his tool for parsing logs from the Bro Intrusion Detection System. You can easily install ParseBroLogs via pip:

pip install parsebrologs 

If you are interested in the source code – go straight to his GitHub.

CyDefe Labs DFIR Challenges

If you don’t know what to do on a Sunday evening, there are a bunch of nice digital forensics and incident response challenges for you. CyDefe Labs have prepared memory forensics, incident response and some other challenges; find them here.

Another EVTX parser has arrived!

Sergey Golovanov from Kaspersky Lab has announced a new EVTX parser. One of its great features is support for different operating systems, so it doesn’t matter whether you use a Windows workstation, a MacBook or a Linux WS – all of them are supported. If you’ve decided to give it a try, go straight to GitHub.

Nilay Mistry’s Research Papers

RDP Cache Forensics

As a continuation of the “Introduction to Windows Forensics” series, this video introduces Remote Desktop Protocol (RDP) Cache Forensics. Did you know that when you use the mstsc.exe RDP client on Windows, a cache is stored within your user profile? The cache consists of compressed bitmap data that you’ll need to extract before being able to view it. The purpose of the cache, as you might imagine, is to improve performance by storing sections of the screen that change infrequently.

In this video, Richard Davis will show you a tool that can extract these bitmap files, allowing us to reassemble sections of the screen manually (not unlike putting together a puzzle). You can often glean data such as file names, icons, backgrounds, and various other data that could be useful in helping us determine the actions of a given user (or at the very least, help focus your investigation).

Investigating the Cyber Breach has been released

“Investigating the Cyber Breach: The Digital Forensics Guide for the Network Engineer” by Joseph Muniz and Aamir Lakhani has been released. Reading the book you will:

  • Understand the realities of cybercrime and today’s attacks
  • Build a digital forensics lab to test tools and methods, and gain expertise
  • Take the right actions as soon as you discover a breach
  • Determine the full scope of an investigation and the role you’ll play
  • Properly collect, document, and preserve evidence and data
  • Collect and analyze data from PCs, Macs, IoT devices, and other endpoints
  • Use packet logs, NetFlow, and scanning to build timelines, understand network activity, and collect evidence
  • Analyze iOS and Android devices, and understand encryption-related obstacles to investigation
  • Investigate and trace email, and identify fraud or abuse
  • Use social media to investigate individuals or online identities
  • Gather, extract, and analyze breach data with Cisco tools and techniques
  • Walk through common breaches and responses from start to finish
  • Choose the right tool for each task, and explore alternatives that might also be helpful

The book is available for order here.


Visualize Packet Captures with PcapXray

PcapXray is a network forensics tool for visualizing packet captures offline as network diagrams including device identification, highlighting important communication and file extraction. You can learn more about the tool and download it here.

The Sleuth Kit and Autopsy 4.6.0 have been released

The Sleuth Kit and Autopsy 4.6.0 are available for download. Here are the lists of new features:

The Sleuth Kit

  • New Communications related Java classes and database tables
  • Java build updates for Autopsy Linux build
  • Blackboard artifacts are now Content objects in Java and part of tsk_objects table in database
  • Increased cache sizes
  • Lots of bounds checking fixes from Google’s fuzzing tests
  • HFS fix from uckelman-sf

Autopsy

  • A new Message content viewer was added to make it easier to view email message contents.
  • A new Communications interface was added to make it easier to find messages and relationships
  • New Encryption Detection module that will flag possibly encrypted files
  • Can more easily run Autopsy from a USB drive and leave few traces on target system
  • Tag definitions now have a “notable” property. The Central Repository uses this to mark files as notable
  • Large slack files are now file typed
  • The maximum number of Solr connections and ingest threads have increased
  • Periodic keyword search will dynamically change based on how long queries are taking
  • Users can change the amount of memory allocated to the application
  • The amount of memory required for processing keyword hits has been reduced
  • Layout of HTML reports has been modified to make it easier to open
  • “Databases” was added to File Type by Extension view
  • Users can now enter more information about cases including examiner, organization, etc
  • New dialog to open multi-user cases that allows for searching
  • Auto ingest metrics are collected and displayed in dashboard
  • Auto ingest module that extracts disk images from archive files
  • Keyword search has been made more responsive to both search and ingest job cancellation
  • Number of log files to keep before rollover is now configurable
  • Preliminary changes to make Linux and OS X builds easier

Forensic Analysis of Damaged SQLite Databases

SQLite databases are very common sources of forensic artifacts nowadays. A lot of mobile applications store data in such databases, and you will also find them on desktop computers and laptops, for example when examining web browsers, messengers and other digital evidence sources.

There are a lot of forensic tools on the market that support analysis of SQLite databases, for example Magnet AXIOM, Belkasoft Evidence Center and BlackBag BlackLight, to name a few. These tools can automatically parse some of these databases and even carve data out of freelists and unallocated space. They also provide SQLite viewers that forensicators can use to analyze these databases manually.

But what about damaged or corrupted databases? Let’s find out!

One of our DFIR-mates sent us a SQLite database he couldn’t open with any tool he had. He even wrote an email to one of the vendors, but the answer was that the database contained no tables.

Ok, let’s start our journey. The database has the following name: “contacts2.db”. If you forensicate mobile devices often enough, you will recognize it as a typical Android database, the one containing information about the user’s contacts.

As we have quite a big forensic toolkit, we decided to start by trying to open the database with the most popular tools, including Belkasoft Evidence Center, BlackBag BlackLight, Cellebrite UFED Physical Analyzer, DB Browser for SQLite, Magnet AXIOM and Oxygen Forensic Detective. Unfortunately, none of the tools could open the database. Look at the following screenshots:

The database opened with Belkasoft Evidence Center

The database opened with BlackBag BlackLight

The database opened with Cellebrite UFED Physical Analyzer

The database opened with DB Browser for SQLite

The database opened with Magnet AXIOM

The database opened with Oxygen Forensic Detective

As you can see, none of the big guys could solve the problem. So what should a forensic analyst do in such a situation? Go back to the roots!

First of all, go to the official SQLite website and download the command-line tools for managing database files.

Now extract the contents of the archive and put the database into the same folder (optional).

Start Windows Command Prompt and change directory to the one where you extracted the SQLite command-line tools.

Run the following command sequence:

sqlite3.exe database_name.db

.mode insert

.output database_dump.sql

.dump

.exit

Now you have an SQL file with the dumped database tables. If you are lucky, you can just delete the transaction statements, like BEGIN TRANSACTION and ROLLBACK, and import the file into a new SQLite database, for example using DB Browser for SQLite. But in our case the database was heavily damaged, so we had to examine the file manually and save the tables of interest in separate SQL files.

For example, we found the ‘accounts’ table; it looked like the following:

CREATE TABLE accounts (_id INTEGER PRIMARY KEY AUTOINCREMENT,account_name TEXT, account_type TEXT, data_set TEXT);
INSERT INTO accounts VALUES(1,'vnd.sec.contact.phone','vnd.sec.contact.phone',NULL);
INSERT INTO accounts VALUES(2,'primary.sim.account_name','vnd.sec.contact.sim',NULL);
INSERT INTO accounts VALUES(4,'vnd.sec.contact.agg.account_name','vnd.sec.contact.agg.account_type',NULL);
INSERT INTO accounts VALUES(506,'test@gmail.com','com.google',NULL);
INSERT INTO accounts VALUES(538,'WhatsApp','com.whatsapp',NULL);
INSERT INTO accounts VALUES(655,'test','com.yandex.passport',NULL);
INSERT INTO accounts VALUES(656,'+7 903 000-00-00','com.yandex.passport',NULL);
INSERT INTO accounts VALUES(657,'+7 925 000-00-00','com.yandex.passport',NULL);
INSERT INTO accounts VALUES(658,'+7 978 000-00-00','com.yandex.passport',NULL);
INSERT INTO accounts VALUES(672,'test','com.vkontakte.account',NULL);
INSERT INTO accounts VALUES(677,'+7 968 000-00-00','com.yandex.passport',NULL);
INSERT INTO accounts VALUES(687,'Youla account','com.allgotitm.youla',NULL);
INSERT INTO accounts VALUES(792,'+7 968 000-00-00','com.viber.voip',NULL);

We saved it into a separate SQL file and used DB Browser for SQLite to create a database.

Here is how to do it:

  • Open DB Browser for SQLite.
  • Go to File – Import – Database from SQL file…
  • Choose the SQL file in which you saved the table of interest.
  • Choose the name of the database to be created.
  • Now you can browse the data and use simple SQL queries to export it.
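The manual steps above (dump, strip the transaction wrapper, split the tables out, import each into a fresh database) can be scripted once the `.dump` file exists. The following Python is an added example by the editor, not the authors' workflow or tooling: it works on a constructed dump text modelled on the one quoted above (the accounts rows are the article's; the raw_contacts and groups rows are invented to show a row with a syntax error and rows whose CREATE TABLE was lost), executes every statement on its own in autocommit mode so that one bad statement loses one row instead of rolling back everything, and reports per table what was recovered and what was skipped.

```python
import re
import sqlite3
from typing import Dict, List, Tuple

# Constructed dump text (not the article's evidence file), in the shape the
# sqlite3 shell writes with ".mode insert" and ".dump". The last two lines are
# what the shell emits when it hits corruption: an error comment and a ROLLBACK.
DUMP = """PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE accounts (_id INTEGER PRIMARY KEY AUTOINCREMENT,account_name TEXT, account_type TEXT, data_set TEXT);
INSERT INTO accounts VALUES(1,'vnd.sec.contact.phone','vnd.sec.contact.phone',NULL);
INSERT INTO accounts VALUES(506,'test@gmail.com','com.google',NULL);
INSERT INTO accounts VALUES(538,'WhatsApp','com.whatsapp',NULL);
INSERT INTO accounts VALUES(792,'+7 968 000-00-00','com.viber.voip',NULL);
CREATE TABLE raw_contacts (_id INTEGER PRIMARY KEY, account_id INTEGER,
  display_name TEXT);
INSERT INTO raw_contacts VALUES(1,506,'Alice');
INSERT INTO raw_contacts VALUES(2,538,'Bob');
INSERT INTO raw_contacts VALUES(3,538,'Carol';
INSERT INTO groups VALUES(1,'Friends',506);
/**** ERROR: (11) database disk image is malformed *****/
ROLLBACK; -- due to errors
"""

# The statements the article says to delete before importing, plus the shell's
# own comments. Matched case-insensitively at the start of a statement.
SKIP_PREFIXES = ("BEGIN TRANSACTION", "COMMIT", "ROLLBACK", "PRAGMA", "/****", "--")
TABLE_RE = re.compile(r'^\s*(?:CREATE TABLE|INSERT INTO)\s+"?(\w+)"?', re.IGNORECASE)


def split_statements(dump: str) -> List[str]:
    """Cut the dump into single statements, joining multi-line CREATEs until
    sqlite3.complete_statement() sees the terminating ';'."""
    statements: List[str] = []
    buf: List[str] = []
    for line in dump.splitlines():
        if not buf and (not line.strip() or line.strip().upper().startswith(SKIP_PREFIXES)):
            continue
        buf.append(line)
        if sqlite3.complete_statement("\n".join(buf)):
            statements.append("\n".join(buf))
            buf = []
    if buf:  # dump ended mid-statement (truncated file): keep it so it gets reported
        statements.append("\n".join(buf))
    return statements


def group_by_table(statements: List[str]) -> Dict[str, List[str]]:
    """Bucket statements by the table they create or fill: the 'one SQL file
    per table of interest' step the article does by hand."""
    tables: Dict[str, List[str]] = {}
    for stmt in statements:
        m = TABLE_RE.match(stmt)
        tables.setdefault(m.group(1) if m else "_unknown", []).append(stmt)
    return tables


def recover(dump: str) -> Tuple[sqlite3.Connection, Dict[str, Dict[str, int]]]:
    """Import each statement separately (autocommit), counting successes and
    failures per table instead of aborting on the first damaged row."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    report: Dict[str, Dict[str, int]] = {}
    for table, stmts in group_by_table(split_statements(dump)).items():
        counts = report.setdefault(table, {"ok": 0, "failed": 0})
        for stmt in stmts:
            try:
                conn.execute(stmt)
                counts["ok"] += 1
            except sqlite3.Error as exc:
                counts["failed"] += 1
                print(f"[{table}] skipped: {exc}: {stmt[:60]!r}")
    return conn, report


def row_count(conn: sqlite3.Connection, table: str) -> int:
    return conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]


if __name__ == "__main__":
    db, summary = recover(DUMP)
    for table, counts in summary.items():
        print(table, counts)
    for row in db.execute("SELECT _id, account_name, account_type FROM accounts"):
        print(row)
```

To use it on a real case, read `database_dump.sql` into `DUMP` and pass a file path instead of `":memory:"` so the rebuilt database can be opened in DB Browser for SQLite afterwards. The per-table report is the thing to keep in your notes: it records exactly which rows the recovery dropped, which is what a reviewer will ask about.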

Recovered table

Of course, you can do the same with all the other tables of interest. And yes, our database actually CONTAINS tables. This is one more proof that digital forensic analysts must not rely solely on forensic tools, even if they have most of the top commercial products. Don’t forget to check potential digital evidence sources manually!

Happy forensicating!

About the authors

Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.

Igor Mikhaylov, MCFE, EnCE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.

Autopsy 4.6.0 Linux Beta 1

The first Linux beta of your favourite open source DFIR tool, Autopsy, is out. You can download it here. For now the tool has the following known limitations:

  • Multi-user cases are not supported
  • Local drives cannot be analyzed
  • VMDK / VHDI images not supported
  • Dead JAR issues if you ever run as ‘root’. Other users can’t overwrite one of the .so files. To fix it, have root delete the /tmp/libtsk_jni.so file.

Make Your Debian a Forensic Workstation

If you are looking for a SIFT replacement and already have a Debian workstation, this package is for you. The forensics-full package will give you everything you need to perform a first-class digital forensic examination. Worth a try!

Volatility: Proxies and Network Traffic

Marcus Bakker from MB Secure has published a tutorial on how to catch malware beaconing from an infrastructure where a non-transparent proxy is used for all outgoing network traffic.

Digital Forensics: Open Source Investigation/Verification Tools

In this video Aliaume Leroy from Bellingcat talks about open source investigation/verification tools and presents a number of real-life examples of their usage:


Decoding the Hexadecimal Representation of a PostgreSQL Database Table

Joseph Balazs, Dr. Marcus Rogers, Dr. John Springer and Dr. Dawn Laux conducted research on decoding the hexadecimal representation of PostgreSQL database tables. Simple testing was done on a table to insert, update, and delete records. A hex interpreter was used to analyze the differences between the records at the file system layer. You can find a poster with the results here.

Digital Forensic Approaches for Amazon Alexa Ecosystem

Internet of Things devices such as the Amazon Echo are undoubtedly great sources of potential digital evidence due to their ubiquitous use and their always-on mode of operation, constituting a black box of human life. The Amazon Echo in particular plays a central role for the cloud-based intelligent virtual assistant (IVA) Alexa developed by Amazon Lab126. The Alexa-enabled wireless smart speaker is the gateway for all voice commands submitted to Alexa. Moreover, the IVA interacts with a plethora of compatible IoT devices and third-party applications that leverage cloud resources. Understanding the complex cloud ecosystem that allows ubiquitous use of Alexa is paramount to supporting digital investigations when the need arises. This paper discusses methods for digital forensics pertaining to the IVA Alexa ecosystem. The primary contribution of this paper consists of a new efficient approach combining cloud-native forensics with client-side forensics to support practical digital investigations. Based on a deep understanding of the targeted ecosystem, the authors propose a proof-of-concept tool, CIFT, that supports identification, acquisition and analysis of both native artifacts from the cloud and client-centric artifacts from local devices.

What is new in Belkasoft Evidence Center 9.0

In this video, Belkasoft discusses new features of Evidence Center version 9.0 such as new reporting, deduplication, PhotoDNA, NTFS compression, macOS system configuration analysis and other features added to the new major release.

Mobile Forensic Investigations: A Guide to Evidence Collection, Analysis, and Presentation, Second Edition

McGraw-Hill Education has announced the second edition of the award-winning “Mobile Forensic Investigations: A Guide to Evidence Collection, Analysis, and Presentation” by Lee Reiber. Written by an expert in the field, the second edition of the book fully explains the latest tools and methods along with features, examples, and real-world case studies. You will get photographs demonstrating proper legal protocols, including seizure and storage of devices, and screenshots showcasing mobile forensics software at work. The book is expected to be published in November 2018 and is available for pre-order here.

Windows Process Genealogy

As an incident responder, one of the things you need to be able to do quickly when looking at a list of processes is to immediately spot things that don’t look right. As you saw in previous videos in this series by Richard Davis, this could include things like an svchost.exe that has a parent other than services.exe, or the presence of more than one lsass.exe process. So, you’ll take a look at the core processes that are found on a Windows system – the processes at the very heart of the operating system that control the most basic functions, including providing the Windows API; the ability for us to authenticate; and even the ability for us to interact with the GUI.

You’ll start with a visual representation of these processes and their hierarchy, and cover all of this basic information. Then, you’ll look at a memory sample acquired from a “normal” Windows system. Finally, you’ll take a look at a memory sample acquired from a Windows system that has been infected with malware.
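The two genealogy checks named above (every svchost.exe is a child of services.exe; there is exactly one lsass.exe) are easy to apply mechanically to a process list before you start reading it by eye. The following Python is an added example by the editor, not code from the video or its author. It runs over a constructed pid/ppid/name list of the kind a Volatility pslist gives you; the two rules from the video are joined by two further parent relationships (services.exe and lsass.exe are children of wininit.exe) that come from general Windows knowledge rather than from this page.

```python
from collections import Counter
from typing import Dict, List, NamedTuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str


# Constructed process list (not from the video's memory samples). The last two
# entries are the kind of thing the check should catch.
PROCESSES = [
    Proc(4, 0, "System"),
    Proc(332, 4, "smss.exe"),
    Proc(420, 412, "csrss.exe"),
    Proc(496, 412, "wininit.exe"),
    Proc(592, 496, "services.exe"),
    Proc(600, 496, "lsass.exe"),
    Proc(712, 592, "svchost.exe"),
    Proc(804, 592, "svchost.exe"),
    Proc(1488, 592, "spoolsv.exe"),
    Proc(2540, 2500, "explorer.exe"),
    Proc(3120, 2540, "svchost.exe"),  # svchost.exe not started by services.exe
    Proc(3388, 2540, "lsass.exe"),    # a second lsass.exe, child of explorer.exe
]

# Rules from the video: svchost.exe -> services.exe, and a single lsass.exe.
# The wininit.exe parents and the other singletons are general Windows
# knowledge added by the editor; extend the tables as your baseline grows.
EXPECTED_PARENT: Dict[str, str] = {
    "svchost.exe": "services.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
}
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}


def check_genealogy(procs: List[Proc]) -> List[str]:
    """Return one finding per process whose parent is wrong, plus one per
    core process that appears more than once. Process names are compared
    case-insensitively because Windows does."""
    by_pid = {p.pid: p for p in procs}
    findings: List[str] = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p.name.lower())
        if expected is None:
            continue
        parent = by_pid.get(p.ppid)
        if parent is None:
            # A parent that has exited (or is hidden) is not proof of anything
            # by itself, so it is reported for follow-up, not as an anomaly.
            findings.append(
                f"{p.name} pid {p.pid}: parent pid {p.ppid} not in list "
                f"(exited or hidden), expected {expected}; verify manually"
            )
        elif parent.name.lower() != expected:
            findings.append(
                f"{p.name} pid {p.pid}: parent is {parent.name} (pid {parent.pid}), "
                f"expected {expected}"
            )
    counts = Counter(p.name.lower() for p in procs)
    for name in sorted(SINGLETONS):
        if counts[name] > 1:
            findings.append(f"{name}: {counts[name]} instances, expected 1")
    return findings


if __name__ == "__main__":
    for line in check_genealogy(PROCESSES):
        print(line)
```

On the sample list this flags the svchost.exe under explorer.exe, the lsass.exe under explorer.exe, and the duplicate lsass.exe; the first ten entries, which mirror a normal boot chain, produce no findings. Note that it only reports on names it has rules for: a process named like a core binary but running from the wrong path is a separate check that needs the image path, which a bare pid/ppid/name list does not carry.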
