Forensic Analysis - 2nd Lab Session

Similar documents
Forensic Analysis. The Treachery of Images. Alexandre Dulaunoy. February 5, Forensic Analysis Bibliography Use case Q and A

Digital Forensics Lecture 01- Disk Forensics

Forensic Timeline Splunking. Nick Klein

The Sleuth Kit v2.01 and Autopsy Forensic Browser Demonstration. Anthony Dowling

Post Mortem an Introduction to Filesystem Forensics and Data Recovery Dr. Oliver Tennert, Head of Technology

Digital Forensics Practicum CAINE 8.0. Review and User s Guide

S23: You Have Been Hacked, But Where s the Evidence? A Quick Intro to Digital Forensics Bill Pankey, Tunitas Group

Computer Forensics: Investigating File and Operating Systems, Wireless Networks, and Storage, 2nd Edition. Chapter 6 Linux Forensics

MFP: The Mobile Forensic Platform

Digital Forensics. Module 6 CS 996

VISUAL CORRELATION IN THE CONTEXT OF POST-MORTEM ANALYSIS

DESIGN AND IMPLEMENTATION OF A NETWORK FORENSICS SYSTEM FOR LINUX

INSTITUTO SUPERIOR TÉCNICO

From TCT to the Adaptability of Computer Forensic Tools

File system internals Tanenbaum, Chapter 4. COMP3231 Operating Systems

File System Interpretation

Operating Systems. Lecture File system implementation. Master of Computer Science PUF - Hồ Chí Minh 2016/2017

OHLONE COLLEGE Ohlone Community College District OFFICIAL COURSE OUTLINE

ECE 598 Advanced Operating Systems Lecture 14

NIST SP Notes Guide to Integrating Forensic Techniques into Incident Response

Index. A agent notes worksheets, 168 aio file analysis dynamic analysis GNU debugger, , 362, 364. of recovered uncompressed aio binary,

incident reponse unravelled

File Systems Forensics

Macintosh Forensic Survival Course

Forensic Discovery. Wietse Venema IBM T.J.Watson Research, USA

Chapter Two File Systems. CIS 4000 Intro. to Forensic Computing David McDonald, Ph.D.

Overview Metadata Extraction Tool Hachoir Sleuthkit Summary CS 6V Metadata Extraction Tools. Junyuan Zeng

ANALYSIS AND VALIDATION

File System Basics. Farmer & Venema. Mississippi State University Digital Forensics 1

Digital Forensics. Also known as. General definition: Computer forensics or network forensics

NCIRC Security Tools NIAPC Submission Summary Encase Enterprise Edition

Disk Forensics. Oliver Giudice. Banca D Italia

IT Services IT LOGGING POLICY

Introduction to Disk Forensics Discovering evidences in mass storage devices

Vorlesung Computerforensik. Kapitel 7: NTFS-Analyse

Tupelo Whole Disk Acquisition, Storage and Search

Timeline Creation and Analysis Guides

Windows Forensics Advanced

ACRONIS TRUE IMAGE 11 HOME REVIEWER S GUIDE

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems

Digital Forensics. Outline. What is Digital Forensics? Outline cont. Jason Trent Laura Woodard

The Art of Defiling. Defeating Forensic Analysis on Unix File Systems the grugq

Digital Forensics Lecture 02- Disk Forensics

The Next Generation Data Recovery Clone/Image Tool

Southern Maine Community College Information Technology Professor Howard Burpee. Installing Windows Server 2012

Installing or booting DSS V6 from a USB flash drive or other writable media starting with the ZIP file

1/10/11. A Timing Analysis Case Study. Time Machines. System Times. Reviewing Time Measurement. Altering Time. MACtimes from Barney

Is Your Firewall Enough? Tools to Improve the Security of Your Site

AccessData Advanced Forensics

Digital forensics. Andrej Brodnik. Andrej Brodnik: Digital Forensics

File Systems and Volumes

NAVAL POSTGRADUATE SCHOOL THESIS

Disk Drill by LaWanda Warren

J. A. Drew Hamilton, Jr., Ph.D. Director, Center for Cyber Innovation Professor, Computer Science & Engineering

24) Type a note then click the OK button to save the note. This is a good way to keep notes on items of interest.

The quick brown fox jumped over the lazy dogs back. THE QUICK BROWN FOX JUMPED OVER THE LAZY DOGS BACK (typed in all caps)

Introduction to Computer Forensics

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

2018/01/30 18:11 1/6 Disks Management HDD Management. Disks must be added before they can be formatted and mounted or configured in a RAID array.

Volatile Data Acquisition & Analysis

Reducing the Cost of Incident Response

TZWorks Graphical Engine for NTFS Analysis (gena) Users Guide

Forensic analysis Local Incident Response Toolset, Document for students 1.0 DECEMBER European Union Agency For Network And Information Security

Analyzing Huge Data for Suspicious Traffic. Christian Landström, Airbus DS

The ability to reliably determine file timestamps on modern filesystems using copy-on-write

HDM 2010 Workstation

Training for the cyber professionals of tomorrow

File System Concepts File Allocation Table (FAT) New Technology File System (NTFS) Extended File System (EXT) Master File Table (MFT)

Filesystem. Disclaimer: some slides are adopted from book authors slides with permission

An Introduction to Incident Detection and Response Memory Forensic Analysis

CHAPTER 11: IMPLEMENTING FILE SYSTEMS (COMPACT) By I-Chen Lin Textbook: Operating System Concepts 9th Ed.

under attack Listing Deleted Files A SECURITY BREACH CAN INSPIRE

COMPUTER HACKING FORENSIC INVESTIGATOR (CHFI) V9

A Study on Linux. Forensics By: Gustavo Amarchand, Keanu. Munn, and Samantha Renicker 11/1/2018

Certified Digital Forensics Examiner

Fundamentals of Linux Platform Security

Why the Change? 2 updates per year for the course. OS versions are progressing with no signs of slowing

Computer System Management - File Systems

John Coggeshall Copyright 2006, Zend Technologies Inc.

RegForensicTool: Evidence Collection and Analysis of Windows Registry

Forensic Discovery. Wietse Venema IBM T.J.Watson Research, USA

HARD DISK MANAGER 11 / FULL FEATURES LIST. HDM 11 Professional. HDM 11 Server. Features. Virtualization. Add-on. Drive Partitioning

Ricardo Rocha. Department of Computer Science Faculty of Sciences University of Porto

CSN08101 Digital Forensics. Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak

Honeynet/pot : the data capture possibilities

Guide to Computer Forensics and Investigations Fourth Edition. Chapter 2 Understanding Computer Investigations

Digital Forensics at a University. Calvin Weeks Director, Oklahoma Digital Forensics Lab University of Oklahoma

COMP091 Operating Systems 1. File Systems

Installing Ubuntu Server

ABSTRACT. Forensic analysis is the process of searching for evidence and preserving it for further

Live Forensics on a Windows System:

Digital Forensics. Module 7 CS 996

COURSE OUTLINE AND SCHEDULE: ASSIGNMENTS ARE DUE EACH MONDAY WEDNESDAY JANUARY Computing Overview

File System Implementation. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

The UNIX file system! A gentle introduction"

Quantifying FTK 3.0 Performance with Respect to Hardware Selection

Analysis of Open Source and Proprietary Source Digital Forensic Tools

Tanium Endpoint Detection and Response. (ISC)² East Bay Chapter Training Day July 13, 2018

Security+ SY0-501 Study Guide Table of Contents

Time attributes. User behaviors. Crime Scene

Transcription:

File System Forensic and Analysis December 12, 2014

File System Analysis File System Analysis can be used for Analysis the activities of an attacker on the honeypot file system. Analysis of a malware leaving traces on the file system. Analysis of a compromised system to recover legitimate and malicious activities. Recovering lost files or data on a file system. Correlating and validating memory or network analysis with the file system activities.

File System Analysis - Time is critical Don t forget the following points: Timestamps stored on a system are not always in the same format (e.g. some might be in UTC, GMT or in system-local time). Timestamps can be also in different format (e.g. Epoch timestamp in 32-bit or 64-bit, NTFS 64-bit timestamp). Timezone and time are also important on your analysis workstation (e.g. don t mixup your timezone and the analysis timezone). Summer time and winter time are not the same in various timezones. GMT and UTC are not the same. Don t forget to take note of all the time, time zone or time references given during an acquisition.

File System Analysis - Format? ntfs (NTFS) fat (FAT (Auto Detection)) ext (ExtX (Auto Detection)) iso9660 (ISO9660 CD) hfs (HFS+) ufs (UFS (Auto Detection)) raw (Raw Data) swap (Swap Space) fat12 (FAT12) fat16 (FAT16) fat32 (FAT32) ext2 (Ext2) ext3 (Ext3) ufs1 (UFS1) ufs2 (UFS2)

File System Analysis - Interface,Support and Acquisition SATA, IDE, USB 3.0/2.0/1.1, SAS, and FireWire (1394A/B). Acquisition in software or hardware? Support of the acquisition to another equivalent disk? Can we trust the acquisition process 1? How long it will take? 1 http: //events.ccc.de/congress/2012/fahrplan/events/5327.en.html Prototyping Active Disk Antiforensics

File System Analysis - Tools Many proprietary and free software tools exist for file system analysis. In this lab, we will use sleuthkit 2 as a basis. Sleuthkit is including TCT (the coroner toolkit) but evolved overtime to support more file system and new tools. Sleuthkit got a GUI companion called Autopsy. Sleuthkit is able to analyze a lot of file system format from raw acquisition. Sleuthkit supports the extraction of metadata and timeline from supported file system in a non intrusive way. 2 http://www.sleuthkit.org/

File System Analysis - SleuthKit - fls fls lists file and directory names in a disk image. /usr/local/bin/fls -r -p fat-test.dd As this is the representation of the file system, you can dump/recover files based on their inode reference /usr/local/bin/icat fat-test.dd 965

SleuthKit - fls - mactime Usually in forensic analysis, you ll need to have a time line sorted for all the events on a file system. SleuthKit provides a tool called mactime allowing to use fls output to generate a time line. /usr/local/bin/fls -mr fat-test.dd /usr/local/bin/mactime -b -

SleuthKit - fls - mactime output Mactime output and file system interpretation: fs m a c b EXT2/3 Modified Accessed Changed N/A FAT Written Accessed N/A Created NTFS File Modified Accessed MFT Modified Created UFS Modified Accessed Changed N/A Mactime is doing an interpretation of the fls output. It might be missing some additional timestamp from some file system format (e.g. the deleted timestamp in Ext2/3). Extended time or values can usually be check with istat.

SleuthKit - Autopsy Forensic Browser Autopsy Forensic Browser 3 is a web interface to the SleuthKit toolsuite and provide an easy way to handle forensic analysis. Take the existing image and test it with Autopsy. 3 http://www.sleuthkit.org/autopsy/index.php

Bibliography Forensic Discovery, Dan Farmer, Wietse Venema, Addison Wesley ω Incident Response, Kenneth R. Van Wyk, O Reilly Computer Forensics, Incident Response Essentials, Warren G. Kruse, Addison Wesley File System Foresinc Analysis, Brian Carrier, Addison Wesley Mechanisms, New Media and the Forensic Imagination, Matthew G. Kirschenbaum, The MIT press ω

Thanks for listening. a@foo.be

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback