Computer Forensics Process for Beginners
Computer forensics is currently a very popular term; a lot of conferences are organized and books written on the subject. This, together with the popularity of the CSI series, lends an aura of special, even magical steps that forensics teams use. In reality, the computer forensics job is a standard process, and every one of us performs parts of it when we debug our own computers. So, here is a simple tutorial on what is involved in computer forensics:
Computer forensics process
Below is a diagram of the forensics process. It is a generic process, but it applies to computer forensics as well.
In order to properly apply the forensic process to computers, let’s expand the generic diagram into the following:
As you can see, in computer forensics, a lot of evidence can be collected while the computer is running. That is a one-shot chance, and you’ll never have it again when you turn off the computer.
Your Forensic Toolkit
Every trade needs its tools. For the beginner investigator, here is my recommended toolkit:
1. Helix forensic CD – your basic tool for the investigation
2. Digital camera – capturing physical state of the suspect computer
3. Evidence USB – 4 GB Capacity – for removing smaller evidence files from the evidence computer
4. Evidence USB hard drive (500 GB will be enough for most purposes) – for making an evidence copy of the disk drive
5. Analysis computer – probably a laptop, but sparkling clean: no viruses, Trojans, cookies or similar wildlife on it, since they can corrupt the evidence. Even if the evidence isn’t corrupted, it may be considered contaminated and become inadmissible in a formal case.
6. VDK driver for the analysis computer (if using Windows) – this driver will enable you to mount a DD image created during evidence collection
7. Antivirus/Antispyware/Rootkit detector software for the analysis computer
Steps of the forensic process
1. Evidence collection
1.1. While the suspect computer is running
• Make an image of the RAM and store it on the evidence hard drive/USB. Make an MD5/SHA1 hash of the image, save it, and write it down in a notebook.
• Make an inventory of all processes, network connections, installed software, hardware – everything you can about the computer. Save this in a file on the evidence hard drive/USB. Make an MD5/SHA1 hash of the file, save it, and write it down in a notebook.
1.2. When the suspect computer is off
• Make an image of the hard disk drive and store it on the evidence hard drive/USB. Make an MD5/SHA1 hash of the image, save it, and write it down in a notebook.
• Photograph the suspect computer from all sides. Save the pictures on the evidence hard drive/USB. Make MD5/SHA1 hashes of the photographs, save them, and write them down in a notebook.
• If any immediate physical tampering is apparent, photograph it specifically, and possibly expand the investigation with a forensic expert who will look for evidence regarding the tampering method (fingerprints, tool markings).
• Open the computer and photograph the interior under good lighting. Save the pictures on the evidence hard drive/USB. Make MD5/SHA1 hashes of the photographs, save them, and write them down in a notebook.
2. Evidence analysis
• Load copies of the evidence images onto your analysis computer. Confirm that the copies have the same MD5/SHA1 hashes as the originals you noted down.
• Search the raw images of the RAM and the disk drive for strings, and save them for future reference.
The following steps are applied according to the context of the investigation, so there is no fixed order or exact set of steps to use:
• Review the strings dump for specific keywords.
• If there are specific keywords related to your investigation (‘payroll’, ‘salary’, ‘password’, someone’s user name or e-mail address), search for those strings in the raw images. Save the results for future reference.
• Mount the disk drive image as a read-only drive. Scan the drive for viruses, rootkits and spyware. Save the results as a screenshot or log file.
• Analyze the event log of the suspect computer for any anomalies. Log the anomalies with their times of occurrence.
• Analyze the running processes log of the suspect computer for any suspicious processes. If found, refer back to the memory dump to investigate the process (memory content, using a hex editor and string search).
• Find pictures/movies/documents/web-mail and log their locations for review. Alternatively, review them immediately for specific issues.
• If applicable, use steganography detection software to detect hidden data in images and music.
• Analyze browser cookies for connections to specific sites or Internet activity.
• Analyze e-mail records for connections to specific sites or Internet activity.
• Investigate files in slack space (removed from the File Allocation Table but not physically erased from the disk).
3. All incriminating evidence (context dependent) is to be logged with its original timestamps and presented appropriately (screenshots, text dumps, audio recordings).
Here is a step-by-step tutorial on how to process a suspect computer to obtain dumps of the RAM and the disk drive using the Helix Forensic CD.
Our suspect computer is a Windows XP virtual machine.
Our Example Forensic Toolkit
• Helix forensic CD – your basic tool for the investigation
• Evidence USB – 16 GB Capacity – for removing smaller evidence files from the evidence computer
• Analysis computer – a Windows laptop with the VDK driver installed; this driver will enable you to mount a DD image created during evidence collection
• Sophos Antivirus and A-Squared Free Antispyware detector software for the analysis computer
I. Running state evidence collection
1. Insert the Helix CD in the suspect computer’s CD/DVD drive. Helix has an autorun, so it should start immediately, but be careful: if you are logged on as anything other than an administrator, you won’t be able to make a dump of the full physical memory. So close the autorun, choose the Run as option to start the Helix software, and provide the Administrator credentials.
2. WARNING – DO NOT log off the session in order to log on as an Administrator! Ending a session will inevitably change and contaminate the content of RAM, since a lot of processes are closed upon logoff.
3. When Helix starts, there will be a warning screen stating that Helix won’t be able to protect the suspect OS environment from changing, since it’s running within the suspect OS environment. But since there is no other way to take a snapshot of the RAM, just choose Accept.
4. You will see the startup screen of the Helix tool. The first icon is just a preview of system info, so it’s not too useful. Go ahead to the second option – acquisition. It will prompt you for the source. Choose physical memory, and direct the output to the evidence USB drive.
5. Acquisition will prompt you for the source to be dumped – choose Physical Memory.
It will ask for a second confirmation and will start the dump.
6. After the memory dump is finished, choose Incident Response (3rd icon on the left menu) and click on the small arrow to go to the second screen (shown below). Run WinAudit.
7. Click on the only link and let it perform an inventory of the system. Save the result as a PDF on your evidence USB.
After WinAudit finishes, close it, and close the Helix main window. It will ask whether you would like to record all activities in a PDF file. Confirm that you do and save the PDF on your evidence USB.
The above process will create an MD5 hash of the memory dump on the evidence USB. Open this file and take note of the MD5 hash.
II. Disk drive evidence collection
1. Turn off the computer ungracefully (pull the plug) – this will prevent any shutdown scripts from running and possibly erasing data on the computer.
2. Boot it up again, and from the BIOS select to boot from CD-ROM. In a real corporate investigation, you may need the assistance of IT to provide passwords, since most corporate PCs are set up with a BIOS password and prevented from booting from CD to stop possible information theft.
3. Boot the Helix Linux OS.
4. When booted, select Adepto from the Forensics menu.
5. Similarly to the memory dump above, select the drive you wish to make a dump of, and select your evidence USB as the destination. For the hash, you can choose from several; the example uses SHA1. After the dump is finished, choose the last tab (Report) and choose to save the dump report as a PDF to the evidence USB.
6. Copy all files to your analysis computer, and verify the hashes of the memory and disk dumps again using md5sum or sha1sum, whichever you used initially.
7. Using VDK, mount a copy of the disk image for investigation. The mount command is: vdk open path_to_dump_file\dump_filename.dd /L:free_drive_letter
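The hash-and-verify discipline from the evidence collection steps (hash every image, note it down, re-check the copy before analysis) and from step 6 above, as an added example that is not part of the original post or of Helix/Adepto. It computes MD5 and SHA1 in a single chunked pass so a multi-GB DD image is never loaded into memory, appends a custody record (the JSON-lines log format is an assumption of this example), and refuses a copy that differs by even one bit. The 1 MiB image and its copies are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 4 * 1024 * 1024  # 4 MiB reads keep memory flat for multi-GB .dd images


def hash_image(path):
    """Return (md5_hex, sha1_hex, size) from a single pass over the file."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
            size += len(block)
    return md5.hexdigest(), sha1.hexdigest(), size


def record_evidence(path, log_path, note):
    """Hash the image and append one JSON line to the custody log; returns the record."""
    md5, sha1, size = hash_image(path)
    rec = {"file": os.path.basename(path), "size": size, "md5": md5, "sha1": sha1,
           "acquired_utc": datetime.now(timezone.utc).isoformat(), "note": note}
    with open(log_path, "a") as log:
        log.write(json.dumps(rec) + "\n")
    return rec


def verify_copy(copy_path, rec):
    """True only if the copy's size, MD5 and SHA1 all match the recorded values."""
    md5, sha1, size = hash_image(copy_path)
    return size == rec["size"] and md5 == rec["md5"] and sha1 == rec["sha1"]


def demo():
    """Constructed data: a 1 MiB 'image', an exact copy and a copy with one flipped bit."""
    with tempfile.TemporaryDirectory() as work:
        data = bytes(range(256)) * 4096
        paths = {n: os.path.join(work, n) for n in ("memdump.dd", "copy_good.dd", "copy_bad.dd")}
        tampered = data[:500] + bytes([data[500] ^ 0x01]) + data[501:]
        for name, content in (("memdump.dd", data), ("copy_good.dd", data), ("copy_bad.dd", tampered)):
            with open(paths[name], "wb") as f:
                f.write(content)
        rec = record_evidence(paths["memdump.dd"], os.path.join(work, "custody.jsonl"), "RAM image")
        return verify_copy(paths["copy_good.dd"], rec), verify_copy(paths["copy_bad.dd"], rec), rec
```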
Here you can download and review the forensic log documents created in this tutorial (5.19 MB ZIP file):
• SHA1SUM c7d189a78a715fd96127677d39d5ace1d5854ea5
• MD5SUM 9b61fad0cf4418175cb7e387c6962c49
This concludes the easy part of computer forensics – evidence collection. Shortinfosec will follow-up with exercises of the analysis part.