SANS Investigate Forensics Toolkit – Forensics Martial Arts Part 2
This is a continuation of the first article on the SANS Investigate Forensics Toolkit. In this article we cover the remaining tools that were listed at the start of the first article.
Maltego is an open-source intelligence gathering and forensics tool. It provides a library of transforms for discovering data from open sources and visualizing that data as a graph. It maps the links between people, websites, groups and any other Internet infrastructure that might be connected to a given entity.
To use it we need to create an account and then log in with those credentials.
Once we have logged in, we have a long list of entity types (infrastructure, people, organizations and so on) that we can use for information gathering. The tool is powerful because of the links it draws between those entities.
Now let us start some investigation and intelligence gathering on example.com. This has been done purely for demonstration purposes.
Now let us run all transforms by right-clicking the domain entity. A large amount of information is returned to us.
We can also run specific transforms to gather more information on particular entities. As you can see, we were able to gather a lot of information this way, and running further transforms on the new entities keeps digging out more. Go ahead and try this on any entity you wish.
PTK is a digital forensics tool that provides a GUI for The Sleuth Kit. It uses a centralized database for case management, which allows multiple investigators to work on the same case. It has an interesting timeline analysis feature based on file timestamps that clearly lists the chronology of all activity on the image. My personal opinion is that this is one of the best tools for digital forensic investigation.
Let us get some hands-on experience with it now. This is how the interface looks:
Let us create a new case for the forensic investigation. Our first case is created here:
Now let us add a raw image to investigate. We have the option to calculate MD5 and SHA1 hashes of the image as well, which lets us verify later that the evidence has not changed. After filling in the details, the image is added to our case:
We now move on to some indexing operations on the image, which also keep track of our investigation.
Now let us move on to analysis, where we examine the image for forensic evidence. Here we have a detailed view of all the files on the image with their timestamps, modification times and MD5 hashes. This is just fabulous! We can export these for further investigation and also view all the details of a specific file.
The timeline feature that I mentioned earlier is just awesome. I can view all the files and the activity that took place within a particular time window, which helps a lot in an investigation. Here is how it is done. Suppose I want to find out which files were accessed around the time a particular incident happened: I simply enter the date I suspect and get the results.
We can also view the details of a particular file directly from the timeline:
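PTK gets its timestamps from The Sleuth Kit, whose `fls -m` output (the "bodyfile" format) is what `mactime` turns into the familiar MACB timeline. The following is an added example, not PTK's or The Sleuth Kit's own code, that does the same "give me everything that happened on this date" filtering in plain Python: it parses a constructed bodyfile, collapses the four timestamps of each file into mactime-style rows with `m a c b` flags, and filters them to one UTC day. The file paths, inodes and epoch values are all made up for the demonstration.

```python
"""Mactime-style timeline from a Sleuth Kit bodyfile, filtered to one day."""
from datetime import datetime, timedelta, timezone

# Constructed sample bodyfile (Sleuth Kit body format v3, as produced by
# `fls -m`); the MD5 column is 0 because fls does not hash file content.
# Columns: MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODYFILE = """\
0|/Users/alice/Documents/report.docx|1234|r/rrw-r--r--|501|20|20480|1357048800|1356998400|1356998400|1356912000
0|/Users/alice/Documents/secret.txt|1235|r/rrw-------|501|20|128|1357052400|1357050600|1357050600|1357050600
0|/Users/alice/Downloads/setup.exe|1240|r/rrwxr-xr-x|501|20|734208|1357056000|1357055700|1357055700|1357055700
0|/tmp/old.log|77|r/rrw-r--r--|0|0|4096|1350000000|1349990000|1349990000|1349990000
"""

# Column index of each timestamp and the letter mactime uses for it (MACB order:
# modified, accessed, changed, born/created).
TIMESTAMP_COLUMNS = (("m", 8), ("a", 7), ("c", 9), ("b", 10))


def build_timeline(bodyfile_text):
    """Return mactime-style rows: one per (timestamp, path), with flags showing
    which of the four timestamps fall on that second, sorted chronologically."""
    rows = {}
    for line in bodyfile_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            continue  # malformed line; skip it rather than abort the whole run
        path, inode, mode, size = fields[1], fields[2], fields[3], int(fields[6])
        for letter, col in TIMESTAMP_COLUMNS:
            epoch = int(fields[col])
            if epoch == 0:
                continue  # this filesystem does not record that timestamp
            key = (epoch, path)
            row = rows.setdefault(key, {
                "time": datetime.fromtimestamp(epoch, tz=timezone.utc),
                "path": path, "inode": inode, "mode": mode, "size": size,
                "flags": set(),
            })
            row["flags"].add(letter)
    result = []
    for key in sorted(rows):  # sorts by (epoch, path)
        row = rows[key]
        row["flags"] = "".join(c if c in row["flags"] else "." for c in "macb")
        result.append(row)
    return result


def rows_on_day(rows, day):
    """Filter timeline rows to one UTC calendar day given as 'YYYY-MM-DD'."""
    start = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    end = start + timedelta(days=1)
    return [r for r in rows if start <= r["time"] < end]


def format_row(row):
    """Render a row in the familiar mactime column layout."""
    return (f"{row['time']:%Y-%m-%d %H:%M:%S} {row['size']:>8} {row['flags']} "
            f"{row['mode']} {row['inode']} {row['path']}")


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_BODYFILE)
    for row in rows_on_day(timeline, "2013-01-01"):
        print(format_row(row))
```

The flags column is what makes the timeline readable at a glance: a row marked `m.cb` is a file written and created in the same second (typical of a fresh download or copy), while a lone `.a..` row is a later access of something that already existed. All times are treated as UTC here; PTK and mactime let you pick a timezone, and mixing the two is a classic source of wrong conclusions.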
PTK has a keyword search that finds important keywords across the image during an investigation. Here we search for the keyword "password" and see whether it fetches anything useful. The search turns up a file named secret.txt that contains the keyword. Keyword searching can surface a lot of important information during an investigation and is hence very important.
Let us view this file to see whether its contents are interesting. It looks as if we have some of the user's passwords.
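The keyword search above is, underneath, a byte-level scan of file content. One thing a GUI search can silently miss is text stored as UTF-16LE (the norm for many Windows artifacts), where every character is followed by a NUL byte and a plain "password" search finds nothing. The following added example, not PTK's own code, searches a set of constructed in-memory "files" for a keyword in both ASCII and UTF-16LE, case-insensitively, and reports each hit with its offset and a printable context snippet. The paths and contents are made up for the demonstration.

```python
"""Keyword search over file contents in ASCII and UTF-16LE encodings."""
import re

# Constructed sample files standing in for content extracted from an image.
SAMPLE_FILES = {
    "/Users/alice/Documents/secret.txt": b"mail password: Tr0ub4dor\nbank password: hunter2\n",
    "/Users/alice/Documents/notes.txt": "shopping list: milk, eggs".encode("utf-16-le"),
    "/Windows/Temp/creds.dat": "Password=letmein".encode("utf-16-le"),
    "/bin/ls": bytes(range(256)),  # binary noise that must not produce hits
}


def keyword_patterns(keyword):
    """Compile case-insensitive byte patterns for the keyword in both encodings.
    For bytes patterns, re.IGNORECASE folds ASCII letters only, which is
    exactly what we want here (the NUL bytes in UTF-16LE are left alone)."""
    return (
        ("ascii", re.compile(re.escape(keyword.encode("ascii")), re.IGNORECASE)),
        ("utf-16-le", re.compile(re.escape(keyword.encode("utf-16-le")), re.IGNORECASE)),
    )


def _printable(text):
    """Replace control characters so a snippet can be shown on one line."""
    return "".join(ch if ch.isprintable() else "." for ch in text)


def search_files(files, keyword, context=24):
    """Return a list of hits: path, byte offset, encoding and a context snippet."""
    hits = []
    for path, data in files.items():
        for encoding, pattern in keyword_patterns(keyword):
            for match in pattern.finditer(data):
                start = max(0, match.start() - context)
                end = min(len(data), match.end() + context)
                if encoding == "utf-16-le":
                    start -= start % 2  # keep the window aligned to 2-byte code units
                snippet = data[start:end].decode(encoding, errors="replace")
                hits.append({
                    "path": path,
                    "offset": match.start(),
                    "encoding": encoding,
                    "context": _printable(snippet),
                })
    return hits


if __name__ == "__main__":
    for hit in search_files(SAMPLE_FILES, "password"):
        print(f"{hit['path']} @{hit['offset']} [{hit['encoding']}] {hit['context']}")
```

Running it for "password" reports two ASCII hits in secret.txt and one UTF-16LE hit in creds.dat that a byte-for-byte ASCII search would have missed. On a real image you would feed this the files (or raw unallocated clusters) exported from PTK, and you would also want to search for the keyword in any other encodings the evidence uses, since the search is only as good as the encodings it knows about.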
We also have a Gallery section that collects all the images in one place to make our investigation simpler. Here is how it looks:
We also have options for bookmarking items that might be important, and a neat report generator as well. PTK makes forensics extremely easy, a piece of cake!
Volatility is one of the best tools for memory forensics. It comes bundled with SIFT for analyzing memory images. Here it is:
I have already covered the Volatility framework in detail here. Please check it out.
There are a few cheat sheets provided by SANS in SIFT that make forensic work pretty easy. It is recommended that you check them out.
Command Line Tools
There is also a long list of command-line tools under /usr/local/bin:
SIFT also comes bundled with mobile forensics tools such as Blackberry Analyzer and iPhone Analyzer, which are quite effective.
Reference Links for Parts 1 and 2