Based on an Interpol review due to the popularity of IoT devices and an increase in cyber attacks, the digital forensics market is expected to grow to USD 9.68 billion by 2022 Digital Forensics deals with the recovery and investigation of digital media often in relation to computer crimes. If there is a data breach, or an attempt to damage or manipulate data to cover up evidence, it is the job of a digital forensic investigator to recover these files or determine how an attacker gained access and what they did on the network. The digital forensics process can be broken down into three phases – acquisition of the digital media to be examined, its analysis, and presentation of the results by the examiner. In addition to getting started on some basic concepts, we’ll look at an example scenario on how to acquire an image (that can be used as evidence in a court of law), and then perform a simple data reconstruction using the Sleuth Kit. This open-source toolkit comes pre-installed with Kali Linux. Acquiring the Image Once a forensic investigator arrives at the crime scene, they seize all relevant evidence and retain volatile data (that is lost once the power supply is removed) before transferring the evidence to a forensic lab. Then they create an exact duplicate of the original evidence taking care not to tamper with the original disk, examining it as little as possible, and documenting any changes. In addition to preserving the evidence, it is essential to prepare and record the chain of custody to keep track of who handled the evidence at every stage and include it in the final report. This step is necessary to prevent any allegations of evidence tampering in a legal proceeding. Let’s begin by creating an image that will be analyzed and investigated. 1. Capturing the Image In order to create a bit-by-bit image of the hard drive, and generating an MD5 checksum of the image, we run the following command on our Kali Linux machine: dcfldd =/dev/sdb1 =md5 =/media/[filename].dd =512 noerror if hash of bs (input file) is the source drive. if =/dev/sdb1 is used to calculate an MD5 hash of the image that verifies the image integrity. hash=md5 (output file) is the disk image file that gets created (in this case, the location is on an external device mounted at /media). of =/media/[filename].dd is used to transfer the image, 512 bytes at a time. bs=512 indicates that the command will continue the data transfer in the case of read errors by writing zeros where the error occurs. noerror This step creates a bit-by-bit identical image of the disk (which in my case is a 16 GB removable USB drive) and saves it to my external hard drive with the extension .dd, 512 bytes at a time, and writes zeros when encountering an error (rather than terminating and providing us with the md5 hash of the image). However, you can also run the command without the noerror option. 2. Hashing The most critical task that we need to do when acquiring an image is to ensure its integrity. is one-way encryption that creates a unique output (digest) for any input. The hash will change even if a single bit changes in the image from the original input file. It assures that the bit-by-bit copy of the evidence is an exact duplicate of the initial evidence. Hashing The step above will generate a hash file along with the image. We can hash the image on our end to verify that the values match. To read the hash value run the command: cat [filename] To create a hash execute the following: md5sum [filename] .dd 3. Verifying the Image In this step, we get the associated details of the image file and use the ‘mmls’ command to obtain information about the partition layout. mmls [filename] .dd If you receive the following error (as shown in the screenshot), it could indicate that the disk image created is a logical one and not a physical disk image. For this walk-through, we will need a bit by bit copy of the disk, aka a physical disk image. 4. Acquiring Image Using Guymager is a forensic imaging tool that can be used in place of the ‘dcfldd’ command to generate a physical disk image. Run guymager in Kali Linux using the following command: Guymager sudo guymager Right-click on the device to be acquired and select Linux dd image. The image can also be split into multiple files. Specify the directory where the image file will be saved and click on start. The files are split into four starting from [filename].000 to [filename].003, and [filename].info contains the hash values. The hash for the individual split files will be different, but to calculate the md5 of all the files together we can use the following command: cat [filename]. * 0 | md5sum Now when we run mmls on the disk image (working on a complete test image, not split files) we can see the partition layout: Analysis and Recovery After successful image acquisition, the next step brings us to examining the evidence and analyzing the disk to trace the crime. It typically involves data recovery, extracting hidden files, accessing protected content if technically feasible and legally appropriate, etc. 1. Obtain the file system information with the command: fsstat 2048 fsstat -o [filename] .dd Using fsstat, we get a whole bunch of information about the file system. The offset is given as 2048 since the rest is either unallocated or has partition table info (see the partition layout, as shown above, using mmls). The other areas can also be investigated. Host protected areas on a disk that typically contain vendor restoration utilities can be used to hide data by anyone with sufficient knowledge of hard drives. The disk_stat tool in the Sleuth kit can determine if an HPA exists on a disk. 2. Read the files and directories in this file system using : fls 2048 fls -o [filename] .dd Deleted files are indicated with a ‘*’ symbol before them, such as Enrollment form.docx. If we want to look into the test directory, we can refer it using its inode number (which in this case is 5). 2048 fls -o [filename] .dd [inode number] Once inside the test directory, apart from regular files, we see a dot ‘.’ before a filename, indicating that the file is hidden. 3. Retrieving contents of a hidden file using icat You can use the icat tool if you have to read the contents of a particular file, without recovering the drive. You can also read the contents of a hidden file using this command. icat -o [filename_of_the_image].dd [inode you want ] 2048 number of the file to read Some other Sleuth kit tools that work on metadata include ifind and ffind that can be utilized to find the file, based upon where a string is located. Apart from using a keyword search, another common technique is conducting a file signature search to examine specific file types relevant to the investigation. 4. Recovering the drive using tsk_recover To recover files from the image [filename].dd, execute the command below specifying the path where you want to store recovered files. Make sure there is sufficient available space in this drive. tsk_recover -e -o .dd /root/ 2048 [filename] [destination folder path] Reporting Findings The report is the final deliverable that’ll be presented to whoever requested the initiation of the digital forensic investigation. It will only contain facts observed, analyzed, and documented from a completely objective standpoint relevant to the case. It must, at the very least, provide the following: The section gives an overview of the case and related observations. executive summary The in a report describes in detail the evidence collection and analysis process. It should include a thorough discussion of all the steps taken by the investigator to confirm or refute the allegations that form the basis of the investigation. analysis summary The wraps up the report with closing arguments and a conclusion. final summary In Summary A forensic report's importance in any legal proceeding will rely heavily on two primary factors: authenticity (focusing on the source and non-contamination of the evidence), and reliability (questioning the accuracy of the evidence). If an attorney can establish reasonable doubt with regards to these two aspects of the evidence, though it is not considered inadmissible, the weight assigned to the evidence gets reduced. The forensic investigator should be mindful of this while carrying out and documenting the investigation.

Chain

BUNCH

Trace

Using OSINT for Maritime Intelligence

Read My Blog https://sectigostore.com/blog/

Getting Started With Digital Forensics Using the Sleuth Kit

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Using OSINT for Maritime Intelligence

108 Stories To Learn About Cybersecurity Tips

10 Ways to Mitigate Cybersecurity Risks and Prevent Data Theft

10 Tips For Securing Zoom Meetings

10 Things I Did To Increase CloudTrail Logs Security

10 Steps to Ensuring Cyber Security for a Small Business

Using OSINT for Maritime Intelligence

108 Stories To Learn About Cybersecurity Tips

10 Ways to Mitigate Cybersecurity Risks and Prevent Data Theft

10 Tips For Securing Zoom Meetings

10 Things I Did To Increase CloudTrail Logs Security

10 Steps to Ensuring Cyber Security for a Small Business

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps