Computer Forensics: Forensic Techniques, Part 1 [Updated 2019]
For any computer forensics professional, it is imperative to learn about as many forensics techniques as possible. This not only maximizes your chances of dealing with a wide range of situations, but also allows for solutions to surface more quickly. In short, you are much less likely to get stuck on a problem if you equip yourself with the knowledge of multiple forensics techniques.
Here at InfoSec Institute, we aim to provide you with all the help you need in this matter. In this two-part introductory guide, you will learn about various major computer forensics techniques. Most kinds of computer crime that you will encounter as a forensics professional would be solved using these techniques. This guide is especially useful for students who are planning on enrolling in the Certified Computer Forensics Examiner (CCFE) certification offered by InfoSec, as it relates to some of the techniques covered in the course.
So, without further ado, let’s begin Part 1 of this guide by looking at some of the most popular computer forensics techniques around:
Live Forensics
Definition: Live forensics, otherwise known as Live Response, attempts to discover, control, and eliminate threats in a live, running system environment.
Overview: In traditional computer forensics, we take snapshots of memory and storage drives as images, and perform analysis on these images in an isolated environment. Of course, this can clog up the analysis pipeline, as imaging is far from being a time-efficient process. This is where live forensics comes into play. As opposed to traditional computer forensics, live forensics deals with active threats at runtime. You can think of live forensics as an active response, in contrast to the passive nature of traditional forensics.
Live forensics is useful if you plan on tackling a threat on the spot. It should be noted that the difference between traditional forensics and live forensics lies only in response times; you still have to follow the same steps of identifying, quantifying, and eliminating the threat. Live forensics allows for near-instant access to registry keys, system user accounts, live connections, and memory objects.
Live forensics scenarios are short-lived. So, to be successful, one has to focus on narrowing down the source of the threat. This means that, instead of brute-forcing your way to an identification of the problem, you should look for the “usual suspect” locations on the system, such as TEMP directories. On Windows, a good way of initiating live forensics is by peeking at the active user’s APPDATA directory, especially its ROAMING folder.
Example: A common example of live forensics is the analysis of system memory. Analyze all running processes, being particularly wary of mutexes. Upon isolating some suspicious processes, you can then proceed to code analysis of said processes.
Data Recovery
Definition: Data recovery is the restoration of data that has been damaged, deleted, or lost.
Overview: This is one of the more typical settings that a forensics professional may encounter. As our lives become more and more data-driven, most cannot afford to lose this data for good. This can include personal data, including family photos and videos, or professional data such as documents, sensitive company information, and the like.
Data recovery commonly takes one of two forms: in-place recovery, where tools can be used to recover data by remediating disk drive errors; or read-only recovery, which does not repair errors on the original point of failure, instead storing the recovered files somewhere else on the disk.
Example: Quite a lot of people accidentally delete their files. But deleted files rarely get erased permanently; the system keeps them on the drive until it needs the space for a new file. This means that, within a certain time frame, you can recover deleted files. Generally, a utility such as TestDisk is required to achieve this.
Password Recovery
Definition: Password recovery refers to the recovery of password-protected files, which are rendered useless if their passwords are lost.
Overview: A password can provide robust protection to sensitive data or information. But in the not-so-rare case that it gets lost or the admin forgets it, a password can also be a nuisance. In such instances, password recovery is your best bet to recover your files.
Password recovery can be achieved by cracking the password through brute force, which attempts all possible combinations allowed for that password. In most cases, this can be highly time-consuming. Smarter techniques can be employed to substantially reduce the number of possible passwords. The problem can be compounded if the files are also encrypted,
Example: During criminal investigations, a common sight faced by law enforcement is password-protected files on the suspect’s system. A wide array of utilities is available to pry open such files. Among them is Passware, a tool used by law enforcement agencies in the U.S. to crack password-protected files.
File Carving
Definition: A forensics technique that uses file contents, rather than file metadata, to find or recover said file.
Overview: As discussed above, when a file is deleted, it does not necessarily mean that it has been erased from the drive. Usually, the operating system merely loses its handle on the file, otherwise known as the file’s metadata. Thus, you cannot access the file through your file system, as it is now oblivious to the file’s existence itself.
You can still recover such files based on their content, and such a recovery is known as file carving. File carving extracts meaningful, structured data from a structureless, unallocated portion of the drive. It is most useful when file or directory entries are either corrupt or missing.
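The header/footer matching that carving relies on, as an added example that is not from the original article: it scans a constructed buffer standing in for unallocated space, using only content signatures for JPEG and PNG and never touching filesystem metadata.

```python
# Added example (not from the InfoSec article): a minimal header/footer file
# carver for JPEG and PNG, run over a constructed "unallocated space" buffer.

# Signature table: type -> (header bytes, footer bytes). Only content is used;
# no filesystem metadata is consulted, which is the point of carving.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(data, max_size=10 * 1024 * 1024):
    """Return [(type, offset, bytes)] sorted by offset for every header whose
    footer appears within max_size bytes; headers without a footer are skipped."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = data.find(head)
        while pos != -1:
            end = data.find(tail, pos + len(head), pos + max_size)
            if end == -1:
                pos = data.find(head, pos + 1)   # orphan header, keep scanning
                continue
            end += len(tail)
            found.append((kind, pos, data[pos:end]))
            pos = data.find(head, end)
    return sorted(found, key=lambda hit: hit[1])

# Constructed sample: zero/pattern filler with one PNG-shaped and one
# JPEG-shaped fragment embedded at arbitrary offsets (not real images).
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"A" * 17 + b"IEND\xaeB`\x82"
JPG = b"\xff\xd8\xff\xe0" + b"JFIF-payload" + b"\xff\xd9"
SAMPLE = b"\x00" * 64 + PNG + b"\x13\x37" * 40 + JPG + b"\xff" * 32

if __name__ == "__main__":
    for kind, offset, blob in carve(SAMPLE):
        print(f"{kind} at offset {offset}: {len(blob)} bytes")
```

Real carvers add per-format validation (chunk lengths, marker structure) because footer bytes can occur by chance inside unrelated data.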
Example: A famous example of file carving was when the U.S. Navy SEALs raided Osama bin Laden’s compound and took away all storage drives found inside. Carving was employed to dissect those drives, and the information acquired thereafter aided in tightening national security.
Known File Filtering
Definition: Known file filtering is a common forensics technique used to locate only relevant files by filtering out irrelevant artifacts.
Overview: In your computer forensics career, you will often encounter heaps of data completely irrelevant to what you’re trying to accomplish. You will often be searching for specific files, which means sifting through tons of unrelated artifacts. Known file filtering makes this easy; rather than excluding all the files that are irrelevant, you start with some known data of the relevant file. This makes the process of exclusion much faster.
Known file filtering makes use of popular cryptographic hashes MD5 or SHA1, in tandem with hash values of application installation files. It then looks for a matching hash in the file system. A major drawback of known file filtering is that it can only work if the hashes match perfectly. This means that, if the relevant files are even slightly corrupted, this technique becomes powerless.
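Known file filtering in working form, as an added example (not FTK's KFF or NSRL code): files under a directory are hashed and split into known and unknown sets against a constructed hash list, and the one-byte-changed copy shows why exact-match filtering misses even slightly modified files.

```python
# Added example (not FTK's KFF or NSRL code): hash every file under a
# directory and drop those whose MD5 matches a constructed "known" set.
import hashlib
import os
import tempfile

def file_md5(path):
    """MD5 of a file, read in chunks so large images do not exhaust RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def filter_known(root, known_hashes):
    """Return (unknown, known) path lists. Exact-match only: a file that
    differs by a single byte from a known file is reported as unknown."""
    unknown, known = [], []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            (known if file_md5(path) in known_hashes else unknown).append(path)
    return unknown, known

def demo():
    """Constructed sample: two stand-in OS files, a copy of one with a single
    byte changed, and a user document; only the two stand-ins are 'known'."""
    root = tempfile.mkdtemp()
    samples = {
        "notepad.exe": b"stand-in for a stock OS binary",
        "kernel32.dll": b"another stock binary",
        "notepad_patched.exe": b"stand-in for a stock OS binarx",  # 1 byte differs
        "plans.docx": b"user document of interest",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    known = {hashlib.md5(samples[n]).hexdigest() for n in ("notepad.exe", "kernel32.dll")}
    unknown, matched = filter_known(root, known)
    return (sorted(os.path.basename(p) for p in unknown),
            sorted(os.path.basename(p) for p in matched))

if __name__ == "__main__":
    print(demo())
```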
Example: The known file filter (KFF) is used in computer forensics utilities, such as the Forensic Toolkit (FTK). It utilizes the MD5 cryptographic hash. The hashes used are either user-generated, or taken from the National Software Reference Library (NSRL) maintained by NIST. The KFF is used to search for known files.
String and Keyword Searching
Definition: In digital forensics, string and keyword searching is used to identify pertinent data, as well as the source of potential threats.
Overview: This technique preceded computer forensics itself. Long before we had digital files, forensic professionals would parse paper documents to look for special phrases or words that were relevant to their inquiry. Today, we call these strings and keywords. Searching for these special sequences of characters can greatly speed up forensic investigations, particularly if the data set is quite large.
The crucial point here is to choose good keywords and strings. For instance, if you want to look for a file that contains instructions on painting portraits, avoid using the term “instructions” in your search; instead, focus on “portrait,” as you might have other files containing the word “instructions,” while very few files include “portrait.”
Example: Keyword searching is one of the main techniques used in Malware Analysis, as it can help categorize the origin of the virus. Generally speaking, we use string and keyword searching all the time to narrow down objects of interest, such as in the case of Google searches, video searches on YouTube and so on.
Header Analysis
Definition: Header analysis enables investigators to analyze email headers, which can point to the IP address of the source email, as well as fix delays in email delivery.
Overview: Email clients can be used to infiltrate anyone’s system, if the receiving party is not careful. Most clients do a commendable job of identifying such suspicious emails themselves, which they can then either move to the spam section or remove entirely from the server.
Still, there is a chance of acquiring a virus through email. In unfortunate cases such as these, header analysis is used as a first resort for identifying where the email came from. An email’s header contains some useful metadata, such as the IP address of the source, as well as the computer name. This IP address can be used to trace the perpetrator.
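The Received-header walk that tools automate, as an added example that is not from the original article: it parses a constructed message (addresses from the reserved documentation ranges) with the standard library and reads the chain from the last Received line, which is the originating hop, upward.

```python
# Added example (not from the InfoSec article): parse a constructed raw email
# and walk its Received: headers to recover the originating relay's IP.
import re
from email import message_from_string

IPV4 = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

# Constructed message; hosts and IPs are documentation-range placeholders.
RAW_MAIL = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby inbox.example.com with ESMTP id abc123;
\tTue, 5 Mar 2019 10:15:07 +0000
Received: from relay.example.org ([198.51.100.7])
\tby mx.example.net with ESMTP; Tue, 5 Mar 2019 10:15:02 +0000
Received: from user-pc (unknown [192.0.2.55])
\tby relay.example.org with ESMTPA; Tue, 5 Mar 2019 10:14:58 +0000
From: "Sender" <sender@example.org>
Subject: invoice
Message-ID: <x@example.org>

body
"""

def received_chain(raw):
    """Return [(from_host, ip), ...] oldest hop first. Each relay prepends its
    own Received: line, so the last one in the message is the origin."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())          # unfold continuation lines
        m = re.match(r"from (\S+)\s*\(([^)]*)\)", flat)
        host = m.group(1) if m else "?"
        ips = IPV4.findall(m.group(2) if m else flat)
        hops.append((host, ips[0] if ips else None))
    return list(reversed(hops))

def origin_ip(raw):
    """First hop's IP. Only the Received: line written by your own trusted
    server is guaranteed genuine; earlier lines can be forged by the sender."""
    chain = received_chain(raw)
    return chain[0][1] if chain else None

if __name__ == "__main__":
    for host, ip in received_chain(RAW_MAIL):
        print(f"{host:20} {ip}")
    print("origin:", origin_ip(RAW_MAIL))
```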
Example: Forensics professionals look at the victim’s email inbox, if they believe that the source of the virus is to be found there. Then, tools available online are used to analyze headers of suspect emails, as manually making sense of the headers is laborious. Email clients have different methods of accessing headers, which you can find here, as well as by looking at Google’s guide on message headers.
Timeline Analysis
Definition: The analysis of events in chronological order that either led to, or followed, the main event under investigation.
Overview: Bad occurrences don’t happen in a vacuum. There is a chain of events preceding the bad occurrence, and it is often useful to find out what these events were. Timeline analysis achieves exactly that – it uses timestamps and other time-descriptive artifacts to display all the events going on in the system in chronological order. This enables forensics specialists to determine causality, which is vital for tracing the source of the issue.
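A merged timeline built the way the overview describes, as an added example (not Autopsy's code): filesystem modified/accessed/changed times and constructed log lines from hosts in different time zones are normalised to UTC before sorting, since mixing local times is the classic way to get causality backwards.

```python
# Added example (not Autopsy's code): build a merged timeline from filesystem
# MAC times and constructed log lines, normalising every stamp to UTC first.
import os
import tempfile
from datetime import datetime, timezone

def fs_events(root):
    """One event per file per timestamp: m(odified), a(ccessed), c(hanged)."""
    events = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            for label, ts in (("m", st.st_mtime), ("a", st.st_atime), ("c", st.st_ctime)):
                events.append((datetime.fromtimestamp(ts, timezone.utc), "fs", f"{label} {path}"))
    return events

def log_events(lines):
    """Parse constructed 'ISO-8601-with-offset message' lines; offsets differ on purpose."""
    events = []
    for line in lines:
        stamp, _, msg = line.partition(" ")
        events.append((datetime.fromisoformat(stamp).astimezone(timezone.utc), "log", msg))
    return events

def timeline(*sources):
    """Merge event lists and sort chronologically (stable, so ties keep source order)."""
    return sorted((e for src in sources for e in src), key=lambda e: e[0])

# Constructed log lines from three systems with different local time zones.
LOG_LINES = [
    "2019-03-05T10:15:07+00:00 mail delivered to inbox",
    "2019-03-05T05:14:58-05:00 relay accepted message",   # 10:14:58 UTC
    "2019-03-05T11:00:30+01:00 user opened attachment",   # 10:00:30 UTC
]

def demo():
    """Drop one file with a constructed 2019 mtime/atime next to the log events."""
    root = tempfile.mkdtemp()
    path = os.path.join(root, "invoice.docx")
    with open(path, "wb") as f:
        f.write(b"constructed attachment")
    t = datetime(2019, 3, 5, 10, 10, tzinfo=timezone.utc).timestamp()
    os.utime(path, (t, t))   # sets atime and mtime; ctime stays "now", so it sorts last
    return [(src, msg.split()[0]) for _, src, msg in timeline(fs_events(root), log_events(LOG_LINES))]

if __name__ == "__main__":
    for when, src, msg in timeline(log_events(LOG_LINES)):
        print(when.isoformat(), src, msg)
```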
Example: Many forensic tools incorporate timeline analysis to bolster their products. For example, Autopsy has a GUI-based timeline analysis tool that uses web artifacts and miscellaneous extracted data to construct a timeline of events.
In your career as a certified computer forensics professional, you will face a variety of challenges that require different approaches to solve. In this beginner’s guide to forensic techniques, we saw some of the methods most widely used by professionals to make their lives easier. By using this guide in conjunction with InfoSec’s Certified Computer Forensics Examiner (CCFE) certification, aspiring computer forensics specialists will gain a robust set of skills to take on even the most demanding encounters. In Part 2, we will explore additional forensic techniques, including Graphical Image Analysis, Event Correlation, Sandboxing, Network Sniffing, and more.