Digital Forensics Practicum CAINE 8.0. Review and User s Guide

Transcription

1 Digital Forensics Practicum CAINE 8.0 Review and User s Guide Ana L. Hernandez Master of Science in Cybersecurity Digital Forensics Concentration University of South Florida

2 Table of Contents I. CAINE 8.0 Overview... 1 II. CAINE 8.0 Functionality... 1 III. CAINE 8.0 User s Guide... 2 A. Create a Forensic Image... 2 B. Create a Case... 7 C. Image Analysis D. Data Carving E. Network File Analysis IV. Appendix V. Reference... 26

3 I. CAINE 8.0 Overview CAINE 8.0 which stands for Computer Aided Investigative Environment is an Italian GNU/Linux live distribution design for computer forensics. CAINE is an open source project that started as a project for Digital Forensics for Interdepartmental Centre for Research on Security (CRIS), supported by the University of Modena and Reggio Emilia, Italy. It comes packed with tools and utilities for digital investigations. The main objectives of CAINE as stated on their site is to provide investigators with an environment to support the four phases of investigations, as well as a user-friendly interface. In addition, CAINE has a Windows Incident Response and Live forensics tools. There has been 10 versions of CAINE, with the most recent 9.0 released on October 25, II. CAINE 8.0 Functionality CAINE includes a wide range of tools that are cataloged in menus such as Analysis, Memory forensics, Mobile forensics, Disks, Database, Malware analysis, Network forensics and Hashes, see Figure 1-10 for a full list of tools included. Included in the distribution are scripts to help with examination of allocated files within the Caja web browser. The script render databases, internet histories, Windows registries, deleted files, and it also extracts EXIF data to text files. Below is a description of a few tools used during this project. Autopsy Forensic Browser 2.0 is a graphical interface for the command line investigation analysis tools in The Sleuth Kit. It s essential for Linux investigation, and it can analyze disk images, local storage drives such as local drive and USB-attached drive, and logical file systems such as NTFS, FAT. UFS1/2, Ext2/3. Autopsy is HTML-based, which allows investigators to connect from different systems. Autopsy provides the following features File Listing, File Content, Hash Databases, File Type Sorting, Timeline of File Activity, Keyword Search, Meta Data Analysis, Data Unit Analysis, Image Details, Case Management, Event Sequencer, Notes, Image Integrity, Reports, Logging, Open Design (allows to export data and use it in other tools), Client Server Model. QPhotoRec is a data recovery software for lost files such as images, videos, archive and document formats. PhotoRec originally had to be run from command line to scan for deleted ANA L. HERNANDEZ 1

4 file. QPhotoRec is the GUI version of the command line. PhotoRec identifies file types by comparing its signatures to the start of each data block. This tool will work even the file system is damaged or reformatted as it doesn t work with the file system, but the underlying data. There is no risk of altering the evidence as it uses read-only access. PhotoRec work with hard disks, CD-ROMS, memory cards, USB memory drives, DD raw image, EnCase E01 image, among others. Wireshark is network protocol analyzer. It can be used to capture packets in real time, for network troubleshooting, and file analysis. Wireshark includes display filters, color coding (green for TPC, dark blue for DNS, light blue for UDP, and black for TCP packets with problems), as well as the ability to inspect individual packets. III. CAINE 8.0 User s Guide In this guide I will cover how to create a case with Autopsy, how to analyze an image, and recover files. Moreover, I will cover how to carve data from a raw image DD using QPhotoRec, and how to analyze network log files in Wireshark. All this will be done using CAINE 8.0 live distribution. A. Create a Forensic Image Step 1. After mounting the device, check it is in read-only mode using BlockON/OFF from System Tools. Check-mark the device and click OK to switch to read-only mode if needed. We do not want to compromise the integrity of the image. ANA L. HERNANDEZ 2

5 Step 2. Create a folder to store the image when captured. You will use this location later on. Step 3. Open Guymager from Main Menu. Step 4. Select disk to be imaged, ensure it is the right one before proceeding. Step 5. Right-click the selected disk and select Acquire Image. ANA L. HERNANDEZ 3

6 Step 6. The Acquire Image window will show up. Select file format, whether you want to split the image, filename, and select Hash calculation and image verification. Then click Start when ready to image. Step 7. When the image processing starts, it will show the first screen where you will see the state, progress bar, etc. as well as metadata about the image. Now wait until it completes. ANA L. HERNANDEZ 4

7 Step 8. Once completed, the state light will turn green and say Verifies & Ok, you can close the window. Step 9. Navigate to the evidence folder created in Step 2. You will see two files, one the actual acquired image, and an info file. ANA L. HERNANDEZ 5

8 Step 10. Open the info file and verify image. The info file will contain all the metadata entered previously, device information, information returned, acquisition include MD5 hash and image verification. ANA L. HERNANDEZ 6

9 B. Create a Case Step 1. Start Autopsy by clicking on Menu, then select Forensics Tools, then Analysis, then click on Autopsy 2.24 to open the program. The terminal and browser will open - Or - entering on the browser. ANA L. HERNANDEZ 7

10 Step 2. Click on New Case and fill out required information. Make sure to name the case with a significant and descriptive name for later use. Fill out description if desired, and add your initials to the case. If working with more than investigator, include their initials as well. Then click New Case. Step 3. After the case has been created, you will see the Case Directory and Configuration file directories. Note the location of the case. Select your name if there are multiple investigators. When ready click Add Host. ANA L. HERNANDEZ 8

11 Step 4. Fill out Host Name, and any other information you deem necessary and relevant for your case. Note, if time zone is left blank, it will use your local time. You should use the time from where the evidence was obtained. Then click Add Host. Step 5. The next window will show the Host Directory and Configuration file locations. Take note of the location of these directories. Then click on Add Image. ANA L. HERNANDEZ 9

12 Step 6. Click on Add Image File to add the image to be analyzed. Step 7. Add the location of your image file, then select either Disk or Partition. Disk if your image is a full disk image, and if your image is only a partition of a Disk, select Partition. Use Symlink to create a symbolic link to the image in the evidence locker. Then click Next. Note that image name should not contain space, or you will get an invalid path error. ANA L. HERNANDEZ 10

13 Step 8. Select if you want to calculate MD5 hash for integrity. It is recommended that you do, to have verification of integrity. Then click Add. Step 9. Overview data, and click OK. ANA L. HERNANDEZ 11

14 C. Image Analysis Step 1. Select the desired image, and click on Analyze Step 2. Select an analysis mode, from the menu on the top. See Steps 2-A 2-C for some examples of modes. ANA L. HERNANDEZ 12

15 Step 2-A. Image Details mode gives general file system information, this mode provides information useful for data recovery later on. Step 2-B. File Analysis shows the files and directories, including names of deleted files. ANA L. HERNANDEZ 13

16 Step 2-C. File Type Sorting mode sorts the files by internal signatures. ANA L. HERNANDEZ 14

17 Step 2-C.1 Results of the sorting. Go to Output path provided to view recovered files. Step 2-C.2 Here will be any recovered files that can be used for further analysis. ANA L. HERNANDEZ 15

18 D. Data Carving Step 1. Open QPhotoRec from Menu, then click on Add raw image to disk. Add the raw image, then click Search. Step 2. After search it completed, you can see the number of recovered files and its type. ANA L. HERNANDEZ 16

19 Step 3. Click on Destination URL, It will take you to the recovered files. You can use these files for further analysis. E. Network File Analysis Step 1. Open Wireshark, under Forensics Tools, Network forensics from Main Menu. Step 2. To add network trance for analysis, click on File then Open. Select desired network file. ANA L. HERNANDEZ 17

20 Step 3. The capture split into 3 panels, the packet list, packet details, and packet bytes. Apply filter to narrow down on desired protocols, e.g. type ftp in the filter section, and apply filter by clicking on the, and analyze the content. Step 4. To go into more details and isolate a TCP Stream, right click on a specific packet from the packet list to follow, and select Follow, then TCP Stream. ANA L. HERNANDEZ 18

21 Step 5. Follow TCP Stream window will show up. It will contain packets from that TCP session only. It can be saved by selecting Save As to save as evidence for later analysis. Then close the window. Now only packets from the selected TCP stream will show up. Step 6. To save all objects contained in the packets, click File -> Export Objects -> HTTP and save the file. It will capture data from TCP stream. Wireshark will scan the trace and list objects that have been transferred via HTTP. Note: you should ensure Preferences for TCP "Allow subdirector to reassemble TCP streams" is checked. ANA L. HERNANDEZ 19

22 Step 7. Click Save All or Save just to save the selected file. Browse to the desired location where the objects will be saved. Then close the HTTP object list window. Step 8. Open folder where the objects were saved to review the evidence. ANA L. HERNANDEZ 20

23 IV. Appendix Figure 1 - Tools Included in CAINE 8.0 Figure 2 - Tools Included in Analysis Folder ANA L. HERNANDEZ 21

24 Figure 3 - Tools Included in Disks Folder Figure 4 - Tools Included in Database Folder ANA L. HERNANDEZ 22

25 Figure 5 - Tools Included in Hash Folder Figure 6 - Tools Included in Malware Folder ANA L. HERNANDEZ 23

26 Figure 7 - Tools Included in Memory Forensics Folder Figure 8 - Tools Included in Mobile Forensics Folder ANA L. HERNANDEZ 24

27 Figure 9 - Tools Included in Network Forensics Folder Figure 10 - Tools Included in Timeline Folder ANA L. HERNANDEZ 25

28 V. Reference Analysis Tools. List of tools, Autopsy: Description, C.A.IN.E. CAINE Live USB/DVD - computer forensics digital forensics, DistroWatch. CAINE. DistroWatch.com: CAINE, Download. Wireshark Go Deep., Lyle, James R. Rhino Hunt, PhotoRec. PhotoRec - Digital Picture and File Recovery, Sharma, Shashank. CAINE 8.0 review. TechRadar, TechRadar pro IT insights for business, 23 Feb. 2017, ANA L. HERNANDEZ 26