Forensic platforms

Over the past 15 years, disk forensic platforms have grown considerably in capability. The incident response analyst now has several options for the type of platform used to examine disk drives. Often, the limiting factor is the cost of the more robust commercial systems, even though a lower-cost alternative will frequently be just as effective for an incident response team.

Several factors should be addressed when evaluating software for disk analysis. First, has the platform been tested? Several organizations test forensic tools for efficacy, such as the National Institute of Standards and Technology Computer Forensic Tool Testing Program (https://www.cftt.nist.gov/). Second, examine the tool's track record in criminal and civil proceedings. There is no single court-accepted standard, but tools should conform to the rules of evidence. Using a platform that has not been tested or that does not conform to the rules of evidence may lead to the evidence being excluded from legal proceedings. Worse, it may lead an analyst to arrive at the wrong conclusion.

An example of an untested and forensically unsound toolset being used in a criminal proceeding is the case of The State of Connecticut vs. Amero. In that case, a law enforcement agency used unsound forensic methods and tools to convict a woman for allegedly allowing children to see sexually explicit pop-up ads. A subsequent review of the methods and facts of the case identified a number of problems with the forensic examination. An excellent examination of this case is available from the Journal of Digital Forensics, Security and Law at http://ojs.jdfsl.org/index.php/jdfsl/article/viewFile/120/5.

One final consideration is how the tool fits into the organization's overall incident response plan. For example, commercial disk forensic tools are excellent at locating images and web artifacts, and at carving data out of a suspect drive. This is largely because forensic software is used by law enforcement agencies to investigate child exploitation cases, where this capability is paramount to building a criminal case. While these are excellent capabilities to have, incident response analysts are often more interested in keyword searches and timeline analysis, which let them reconstruct the series of events before, during, and after an incident.

While most commercial and free forensic platforms have a variety of features, several common ones are of particular use to incident response analysts:

  • File structure view: It is often very important to be able to view the file structure of the disk under examination. Forensic platforms should be able to present the file structure and allow analysts to quickly review files at known locations on a suspect system.
  • Hex viewer: The ability to view files in hexadecimal gives analysts a byte-level look at the files under examination. This is beneficial in cases involving malware or other custom exploits, where the file format or embedded strings matter.
  • Web artifacts: A great deal of data related to web browsing is stored on the drive, and forensic platforms should be able to parse and present it. This is very handy when examining social engineering attacks in which users were lured to a malicious website.
  • Email carving: Incident responders may be called into cases where malicious employees are involved in illegal activities or have committed policy violations. Evidence of this type of conduct is often contained in emails on the suspect system. A platform that can pull this data out for immediate review helps the analyst examine communications between the suspect system and others.
  • Image viewer: It is often necessary to view the images saved on a system. As stated previously, law enforcement uses this feature to determine whether there is evidence of child exploitation on a system. Incident response analysts can use the same feature to determine whether a policy violation has occurred.
  • Metadata: Key pieces of data about files, such as creation and modification timestamps, file hashes, and the location of a suspect file on the disk, are useful when examining a system associated with an incident. For example, the time at which an executable was run, combined with the hash of a suspected malware sample, can be correlated with logged network activity to determine which executable actually generated the traffic.
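The keyword search, hex view, hashing and timeline features described above are what an analyst leans on when reconstructing events, so the following added example (not code from the book or from any of the platforms it names) sketches each of them over a handful of constructed file records. The sample paths, timestamps, byte contents and the proxy log entry are all made up for illustration; the functions flatten MAC times into a sorted timeline, search raw bytes for a keyword, render a hex-viewer listing, and pull the filesystem events that fall in a window just before a network event.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample evidence (hypothetical files from a disk image).
# Paths, timestamps and contents are made up for this example.
SAMPLE_FILES = [
    {
        "path": r"C:\Users\jdoe\Downloads\invoice.pdf.exe",
        "data": b"MZ\x90\x00" + b"\x00" * 12 + b"payload: http://example.invalid/c2",
        "created": "2023-04-10T13:58:02Z",
        "modified": "2023-04-10T13:58:05Z",
        "accessed": "2023-04-10T14:02:11Z",
    },
    {
        "path": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Recent\invoice.lnk",
        "data": b"L\x00\x00\x00\x01\x14\x02\x00",
        "created": "2023-04-10T14:02:12Z",
        "modified": "2023-04-10T14:02:12Z",
        "accessed": "2023-04-10T14:02:12Z",
    },
    {
        "path": r"C:\Windows\Prefetch\INVOICE.PDF.EXE-1A2B3C4D.pf",
        "data": b"MAM\x04" + b"\x00" * 8,
        "created": "2023-04-10T14:02:20Z",
        "modified": "2023-04-10T14:02:20Z",
        "accessed": "2023-04-10T14:02:20Z",
    },
]

# Constructed proxy log entry used for the correlation step.
NETWORK_EVENT = {"ts": "2023-04-10T14:02:25Z", "dst": "example.invalid", "src_host": "WS-JDOE"}


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sha256_hex(data):
    """File hash as recorded in the timeline, for matching against known samples."""
    return hashlib.sha256(data).hexdigest()


def hex_dump(data, width=16):
    """Hex-viewer style listing: offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  {asc}")
    return lines


def build_timeline(files):
    """Flatten each file's created/modified/accessed times into one sorted event list."""
    events = []
    for f in files:
        digest = sha256_hex(f["data"])
        for kind in ("created", "modified", "accessed"):
            events.append({"ts": parse_ts(f[kind]), "event": kind,
                           "path": f["path"], "sha256": digest})
    events.sort(key=lambda e: (e["ts"], e["path"], e["event"]))
    return events


def keyword_search(files, keyword):
    """Case-insensitive search over raw file bytes; returns matching paths."""
    needle = keyword.lower().encode()
    return [f["path"] for f in files if needle in f["data"].lower()]


def correlate(events, network_event, window_seconds=60):
    """Filesystem events in the window_seconds leading up to a network event."""
    net_ts = parse_ts(network_event["ts"])
    lo = net_ts - timedelta(seconds=window_seconds)
    return [e for e in events if lo <= e["ts"] <= net_ts]


if __name__ == "__main__":
    for line in hex_dump(SAMPLE_FILES[0]["data"]):
        print(line)
    print("keyword hits:", keyword_search(SAMPLE_FILES, NETWORK_EVENT["dst"]))
    for e in correlate(build_timeline(SAMPLE_FILES), NETWORK_EVENT):
        print(e["ts"].isoformat(), e["event"], e["path"], e["sha256"][:12])
```

Running the module prints the hex view of the suspect executable, shows that the proxy log destination appears as a string inside it, and lists the access, shortcut and Prefetch events that landed in the minute before the outbound connection, which is the kind of chain an analyst assembles with a platform's timeline view. Real cases need many more sources (registry, event logs, browser history), but the mechanics are the same.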

In terms of commercial options, the following three platforms are generally accepted as sound and are in use by commercial and government entities all over the world. Each of them has the features described above, along with other, more specialized tools.

  • EnCase by Guidance Software: Arguably the preeminent forensics platform, EnCase has a long history and has been used in major criminal investigations such as the BTK Killer case. It is a feature-rich platform that becomes a powerful tool in the hands of a trained analyst. In addition to disk forensics, EnCase has integrated features for mobile devices. This is a powerful capability for organizations that may have to analyze not only disks but also mobile devices in connection with an incident.
  • Forensic Toolkit (FTK) by AccessData: In Chapter 5, Understanding Forensic Imaging, the FTK Imager tool was used to acquire disk and memory evidence. That tool is part of a suite provided by AccessData specifically tailored to disk forensics. In addition to the imager, AccessData offers a fully featured forensic platform that allows analysts to perform the full range of tasks associated with an incident. FTK is in use by law enforcement agencies such as the Federal Bureau of Investigation and has proven more than effective in assisting analysts with incident investigations.
  • X-Ways Forensics: One drawback of FTK and EnCase is cost. These platforms can cost several thousand dollars per year. For larger organizations such as government agencies and large enterprises, the trade-off of cost versus features may not be an issue; for smaller organizations, these platforms may be cost-prohibitive. X-Ways is an alternative, feature-rich forensic platform that can perform the variety of tasks necessary at a fraction of the cost. Another benefit of X-Ways is that it is less resource-intensive and can be run from a USB device, making it a practical platform for incident response work in the field.

Each of these platforms has a rich feature set and provides analysts with a powerful tool for conducting a wide range of forensic tasks. The specific tools within each platform are outside the scope of this book. It is therefore recommended that analysts be trained on the platform in use so that they fully understand the tool's capabilities.
