CSA Preparing The IR Toolkit + Chpt9

The document discusses building an incident response toolkit. It covers collecting and preparing forensic tools like a forensic workstation, investigation software, write blockers, duplicators, drives, cables and notebooks. It also discusses the phases of a forensic investigation: seizure, acquisition, analysis, and reporting. Under seizure it discusses procedures like documenting changes, avoiding rebooting systems, and maintaining a chain of custody. Acquisition involves collecting, identifying and preserving evidence. Analysis is where evidence is examined using tools to find the source and person responsible. Reporting documents the findings to present to authorities. Imaging tools like dd and FTK Imager are discussed for creating forensic copies of drives while maintaining integrity.

Uploaded by RammyBrad

Preparing the Incident Response Toolkit
CHAPTER 9

CYBERSECURITY ANALYSIS - UCC 1


Building a Forensic Toolkit
Digital forensics workstation
Forensic investigation suite
Write blockers
Forensic drive duplicators
Wiped drives/removable media
Cables and adapters
Camera, labels, and notebooks



Digital Forensics

Digital forensics is the process of uncovering and interpreting electronic data. The goal of the
process is to preserve any evidence in its most original form while performing a structured
investigation by collecting, identifying and validating the digital information for the purpose of
reconstructing past events.
The context is most often the use of data in a court of law, though digital forensics can be used in
other instances.
How does one duplicate or preserve evidence without knowing whether the duplication itself
changed the data?
Timelines are critical for showing who did what, and when. But digital timestamps are notoriously
absent, or can easily be spoofed, in digital data.
In order to be able to state conclusively that Action A caused Result B, the concept of repeatability
must be introduced. This is very difficult with digital forensics.



Phases of the Investigation
Seizure
Acquisition
Analysis
Reporting



Seizure
The goal of seizure is to ensure that neither the perpetrators nor the investigators make changes
to the evidence.
1. Make sure that once you’ve created a master copy of the original data, you don’t touch it or the
original itself—always handle secondary copies.
2. Have procedures in place to document the nature, extent, and reasons for changes to the data.
3. Make sure you understand what you are doing, because you have to be able to account for any
changes you made and describe exactly what you did. If you ever find yourself out of your depth,
either learn more before continuing (if time is available) or find someone who knows the territory.
4. Make sure your plan of action is not based on trial and error. No one is going to believe you if
they can’t replicate your actions and reach the same results.
5. Work fast, so that there is less likelihood that the data is going to change.
6. Always try to collect the most volatile evidence first, because some electronic evidence is more
volatile than others. You should proceed from volatile to persistent evidence.
7. Never, ever shut down a system before you collect the evidence.
8. Avoid rebooting at all costs. It is even worse than shutting a system down and should be
avoided. As a general rule, until the compromised disk is finished with and restored, it should
never be used as a boot disk.
9. Any programs you use should be on read-only media (such as a CD-ROM or a write-protected
floppy disk) and should be statically linked. Because the attacker may have left trojaned (trojan
horse) programs and libraries on the system, you may inadvertently trigger something that could
change or destroy the evidence you’re looking for.
10. Make sure your planning stage takes place prior to any investigator arriving at the computer
crime scene, including two ways to structure a team of investigators.
11. Make sure that you have good case management software. It can go a long way in easing the
burden of carrying out a search and seizure.



Seizure – Chain of Custody
Chain of Custody is a history that shows how evidence was collected, transported and preserved at
every stage of the process. It is very important to follow very strict and organized procedures when
collecting and tagging evidence through its entire life cycle.
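The chain of custody described above is only useful if the record itself cannot be quietly edited. The script below is an added example, not part of the slides, of one way to keep that history tamper-evident in POSIX sh: every entry records the timestamp, evidence id, action, custodian and the item's hash, and carries a SHA-256 over the previous entry's hash plus its own fields, so a modified, reordered or deleted line breaks the chain when it is verified. It assumes GNU coreutils (sha256sum, cut, date, tail) on Linux; the field layout, the evidence ids and the custodian names are constructed for the example.

```shell
# Added example (not from the slide deck): a hash-chained chain-of-custody log.
# Assumes GNU coreutils on Linux. Fields are separated by '|', so no field may contain one.
set -e

GENESIS=0000000000000000000000000000000000000000000000000000000000000000

# SHA-256 of a string, printed as hex.
sha256_str() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Append one custody event.
#   $1 log file   $2 evidence id   $3 action (seized, imaged, transported, ...)
#   $4 custodian  $5 SHA-256 of the item ("-" before it has been imaged)
#   $6 optional UTC timestamp; defaults to now
coc_append() {
    log="$1"; id="$2"; action="$3"; who="$4"; ehash="$5"
    ts="${6:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
    if [ -s "$log" ]; then
        prev=$(tail -n 1 "$log" | cut -d'|' -f6)   # hash of the previous entry
    else
        prev="$GENESIS"                             # first entry chains to a fixed value
    fi
    fields="$ts|$id|$action|$who|$ehash"
    entry_hash=$(sha256_str "$prev|$fields")
    printf '%s|%s\n' "$fields" "$entry_hash" >> "$log"
}

# Recompute every entry hash from the first line. Prints the number of valid entries,
# or returns 1 at the first entry whose stored hash does not match. Removing only the
# final entry is not detectable from the file alone; keep the latest hash in the case notes.
coc_verify() {
    log="$1"
    prev="$GENESIS"
    n=0
    while IFS= read -r line; do
        fields=$(printf '%s' "$line" | cut -d'|' -f1-5)
        stored=$(printf '%s' "$line" | cut -d'|' -f6)
        expected=$(sha256_str "$prev|$fields")
        if [ "$stored" != "$expected" ]; then
            echo "chain broken at entry $((n + 1))" >&2
            return 1
        fi
        prev="$stored"
        n=$((n + 1))
    done < "$log"
    echo "$n"
}

# Stand-alone run with constructed values: seize, image, and hand the item to a courier.
LOG=$(mktemp)
IMAGE_HASH=$(sha256_str "constructed-sample-image")   # stands in for the real image hash
coc_append "$LOG" EV-001 seized      "J. Analyst" -
coc_append "$LOG" EV-001 imaged      "J. Analyst" "$IMAGE_HASH"
coc_append "$LOG" EV-001 transported "K. Courier" "$IMAGE_HASH"
cat "$LOG"
echo "valid entries: $(coc_verify "$LOG")"
```

Each line of the log is readable on its own, which matters when it is printed and signed, while the last column lets anyone with the file re-run coc_verify and show that no earlier entry was altered after the fact.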



Acquisition and Preservation
Acquisition and Preservation is the second phase. The tasks in this phase relate to acquiring and
collecting evidence in an acceptable manner, in which the data of concern is gathered according to
accepted methods using a variety of recovery techniques; then identifying the digital components
within the acquired evidence; and finally transporting, storing and preserving the data, which
includes good case management and an acceptable chain of custody. Overall, this phase is where all
the data of concern is captured, stored and presented for the next phase.



Analysis
Analysis is the third phase. This is the core and the heart of the forensic investigation process. It is
the largest of the phases and includes tasks such as evidence tracing and validation, recovery of
hidden or encrypted data, data mining, and timeline construction. Different types of analysis are
performed on the acquired data using the appropriate tools and techniques to recognize the
source of the crime and eventually discover the person accountable for it.



Report and Presentation
Report and Presentation is the fourth phase. The findings from the analysis phase are documented
and presented to the authority with expert testimony. The documentation presented also
includes adequate and acceptable evidence so that the concerned party can understand it
easily. The final outcome from this phase is either to prove or disprove the alleged criminal acts.
All major commercial suites also have a feature that will generate a draft report you can then
customize for your own purposes.



Forensic Software Capabilities
Imaging media and drives
Analysis
Chain of custody tracking
Hashing and validation
Dump analysis
Cryptography tools
Log viewers



Forensic Investigation Suite

Acquisition Utilities
The acquisition phase of a forensic investigation is perhaps the most critical point in terms of
ensuring admissibility of evidence, analysis and conclusions.



Forensic Duplicators
Forensic Duplicators are systems that copy data from a source to a destination while ensuring that not even a
single bit gets altered in the process. This is different from a copying utility in that they do not rely on file
system operations, which means they can also recover system artifacts such as the Master File Table on Windows
systems and inodes on Linux systems.

Imaging with dd:


The dd utility comes by default on Linux systems. dd can duplicate data across files, devices, partitions and
volumes.

The following command makes a bit-for-bit copy of the hard drive "hda" to a file called case123.img using a block
size of 4096 bytes; on a read error it continues and pads the rest of that block with null bytes:
dd if=/dev/hda of=case123.img bs=4k conv=noerror,sync

Note: this command does not generate a hash…why is the hash important?



Imaging Drives
Forensic copies retain the same layout and content for the entire device or drive.

Creating forensic copies requires special tools.



Image Metadata



Imaging with FTK
Forensic Toolkit, or FTK, is computer forensics software made by AccessData.
It scans a hard drive looking for various information. It can, for example,
locate deleted emails and scan a disk for text strings to use them as a
password dictionary to crack encryption.

The toolkit also includes a standalone disk imaging program called FTK Imager.
The FTK Imager is a simple but concise tool. It saves an image of a hard disk in
one file or in segments that may be later on reconstructed. It calculates MD5
hash values and confirms the integrity of the data before closing the files. The
result is an image file(s) that can be saved in several formats, including DD raw

DEMO: https://www.youtube.com/watch?v=OUORBch0zaE



Password Crackers
If the suspect is unable or unwilling to provide the password, or if there is no suspect to interrogate in the
first place, you may have to resort to specialized software that is designed to guess passwords and decrypt the
protected resources.

Password hacking software has evolved tremendously over the last few years, but essentially it comes down
to several things: firstly, what systems are in place to prevent certain popular types of password cracking
techniques (for example 'captcha forms' for brute force attacks), and secondly, what is the computing
processing power of the hacker? Typically password hacking involves a hacker brute forcing their way into a
website admin panel (or login page, for example) and bombarding the server with millions of variations to
enter the system. That requires CPU. Yes, a 'clued-up' cybersecurity professional will be able to prevent brute
forcing, but you'll be amazed at the amount of vulnerable websites that can be forced into with the password
hacking software that we've listed below.

Crack, Cain, DaveGrohl, Hashcat, John the Ripper, L0phtCrack, Ophcrack, RainbowCrack.

https://www.concise-courses.com/hacking-tools/password-crackers/
Cryptography tools
Cryptography is a method of storing and transmitting data in a particular form so that only those
for whom it is intended can read and process it.
Cryptography is closely related to the disciplines of cryptology and cryptanalysis. Cryptography
includes techniques such as microdots, merging words with images, and other ways to hide
information in storage or transit. However, in today's computer-centric world, cryptography is
most often associated with scrambling plaintext (ordinary text, sometimes referred to as
cleartext) into ciphertext (a process called encryption), then back again (known as decryption).
Individuals who practice this field are known as cryptographers.
A popular tool is VeraCrypt. This tool is free and available for Windows, OS X, and Linux systems.
VeraCrypt supports AES, Twofish, and Serpent.



Cryptography tools
Modern cryptography concerns itself with the following four objectives:
1) Confidentiality (the information cannot be understood by anyone for whom it was
unintended)
2) Integrity (the information cannot be altered in storage or transit between sender and
intended receiver without the alteration being detected)
3) Non-repudiation (the creator/sender of the information cannot deny at a later stage his or
her intentions in the creation or transmission of the information)
4) Authentication (the sender and receiver can confirm each other's identity
and the origin/destination of the information)



Hashing Utilities
Hashing is a form of cryptographic security which differs from encryption. Whereas encryption is a two-step process used
to first encrypt and then decrypt a message, hashing condenses a message into an irreversible fixed-length value, or hash.

The most popular hashing algorithms for forensic analysis are MD5 and SHA-1, and they are supported by all the popular
tools we have discussed so far.

https://www.digitalvolcano.co.uk/hash.html
Verifying Images
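The dd command on the "Imaging with dd" slide produces no hash, and the "Hashing Utilities" slide leaves the verification step to the reader. The script below is an added example, not code from the slides: it images a constructed sample file with the same dd options (bs=4k conv=noerror,sync), then hashes the source and the image to confirm the copy. It assumes GNU coreutils (dd, sha256sum, head, tail, tr, wc) on Linux; the sample size and file names are this example's own, and it uses SHA-256 rather than the MD5 or SHA-1 the slides name, because collisions for both of those are practical today.

```shell
# Added example (not from the slide deck): image a constructed sample "drive" with dd,
# then verify the image with hashes, which dd itself never produces.
# Assumes GNU coreutils on a Linux host; the sample file stands in for /dev/hda.
set -e

# Build a constructed sample drive of $2 random bytes at path $1 (not a real device).
make_sample_drive() {
    head -c "$2" /dev/urandom > "$1"
}

# Bit-for-bit image exactly as on the slide: 4 KiB blocks, keep going on read errors,
# and pad a short final block with NUL bytes so block offsets stay aligned.
image_drive() {
    dd if="$1" of="$2" bs=4k conv=noerror,sync 2>/dev/null
}

# SHA-256 of a file, hex only. This example's choice of algorithm, not the slides'.
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# Compare source and image. Because conv=sync pads the last block, hashing the whole
# image only equals the source hash when the source length is a multiple of the block
# size; so compare the image up to the source length, then confirm the padding is all NUL.
# On success prints both hashes with byte counts, ready to be copied into the case notes.
verify_image() {
    src="$1"; img="$2"
    src_len=$(wc -c < "$src")
    img_len=$(wc -c < "$img")
    src_hash=$(hash_file "$src")
    img_prefix_hash=$(head -c "$src_len" "$img" | sha256sum | cut -d' ' -f1)
    [ "$src_hash" = "$img_prefix_hash" ] || return 1
    pad_len=$((img_len - src_len))
    nonzero=$(tail -c "$pad_len" "$img" | tr -d '\0' | wc -c)
    [ "$nonzero" -eq 0 ] || return 1
    printf '%s  %s (source, %s bytes)\n' "$src_hash" "$src" "$src_len"
    printf '%s  %s (image, %s bytes, %s bytes of NUL padding)\n' \
        "$(hash_file "$img")" "$img" "$img_len" "$pad_len"
}

# Stand-alone run: 10000 bytes is not a multiple of 4096, so the image is padded to 12288.
WORK=$(mktemp -d)
make_sample_drive "$WORK/sample.bin" 10000
image_drive "$WORK/sample.bin" "$WORK/case123.img"
verify_image "$WORK/sample.bin" "$WORK/case123.img"
```

The padding is the detail that trips people up when they hash a real device with one tool and the dd image with another: record the byte counts next to the hashes, and for a device whose size is a multiple of the block size the two full-file hashes will match outright.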



Analysis Utilities
The most widely used commercial analysis tools available are Guidance Software's EnCase and AccessData's
Forensic Toolkit (FTK).
EnCase
Uses the proprietary EnCase evidence file format. This format allows for compression, encryption and metadata all
within the same file. If you wanted to save space or ensure the confidentiality of the evidence, you would compress
and encrypt the files separately. The EnCase format allows all this to be incorporated into one file in an almost
transparent manner.

FTK
As widely used as EnCase, and claims to have a more intuitive interface. Because the tool is built on top of a database
management system, it is able to access large volumes of data efficiently.

The Sleuth Kit
This is a collection of tools, many of which use a command line interface. Instead of spending the dollars for FTK
and EnCase, these open source tools are free. If you are more comfortable with a GUI, you can use Autopsy with The
Sleuth Kit to get the job done.



Interface Autopsy on the Sleuth Kit



Operating Systems Process Analysis

Autorun locations
Most recently used lists
Wireless networks
Pg 193 - 194



USB Historian



Order of Volatility



iOS File Locations



Target Locations



Email Extraction



Web Search History



iCloud Setup Log



Remnant Data



Document Searches



Mobile Device Forensic Toolkit
Mobile devices require dedicated forensic tools. Among the challenges involved in mobile
forensics is simply getting access to the data. The mobile OS is not designed to support
acquisition, which means the forensic analyst must first get the device to load an alternate
OS.
This usually requires a custom bootloader, which is an almost essential feature of any mobile
forensic toolkit.

SIM card tools


Mobile device cables
Mobile forensic software and tools



Building your Forensic Toolkit
Jump Bag
Build your response kit - This can be a duffle bag or a small carry-on suitcase. Regardless of what
it is, this is what you have with you whenever you work an incident.
You want to make sure that you spend enough time putting this together, so that you are ready
at a moment's notice. You should never steal from your response kit.
Sometimes we are testing something or working on an issue and we need a network cable or
installation software and know it is there in our response kit.
We tell ourselves that we are just going to borrow it and put it back as soon as we are done.
Don't do it because you know it will never make it back there.



Jump Bag
Here is a list of things that you should consider having in your response kit:
Network cables—Include various sizes, both crossover and straight-through
A small hub or tap, camera
USB jump drive or external hard drive, Wiped removable media (CDs)
Various peripheral cables—USB, FireWire, parallel, serial, console, and so on
Clean binaries and diagnostic software
Call/escalation list, crime scene tape
Notebooks, pens, pencils, and small audio recorder, Chain of Custody form, Incident response plan
Plastic/anti-static bags for evidence
Forensic software and imaging media
Forensic Copiers



Write Blockers



Acquiring Other Data
Log data
USB device history
Memory-resident data
Core dumps and hibernation files
Mobile device data
Cloud forensics



Importing a Forensic Image



Case Information



Reporting
Goals of the investigation
Targets
Findings and analysis



Forensic Report



Forensic Process
1. Determine goals
2. Outline location/types of data
3. Document plan
4. Acquire and preserve evidence
5. Perform initial analysis
6. Conduct deeper investigation
7. Report on findings

