The recent cybersecurity symposium that aimed to “prove” the 2020 US election was a fraud made headlines not because of evidence found, but rather the absence of evidence. As I watched the three-day event, it reminded me how unknown most of the technology behind computers is. A bit of disclosure: While I’ve analysed computer systems and even testified in court about them, I would not consider myself an expert in all forensic circumstances. I can authoritatively discuss what a Windows event log looks like, but if I’m looking at a software that I’m not familiar with, I don’t know what its “normal” looks like.
Computer forensics is a combination of understanding exactly what a computer is doing, the evidence it leaves behind, what artifacts you are looking at, and whether you can come to a conclusion about what you are seeing. Packet capture expert Robert Graham said it best in a recent tweet:
Remember that's what we are trying to sift through: a world of things we don't understand that look suspicious as hell, and the world of things that we do understand that we can pin down exactly what happened.
Questions to ask before doing a forensic investigation
When an event occurs the first thing you should ask yourself these questions:
- What did you plan on capturing before the event occurred?
- Did you have event logging enabled and enhanced with Sysmon?
- Do you know if the computers and systems you plan to sample are synchronised in time so that when you look at the log file of one device it will correlate with the timestamps of another device?
- Do you know the normal traffic or behavior of the software you are looking at?
- Do you know what websites or IP addresses are normal and baseline for that machine?
Why forensic images are different
Reviewing a computer system in a tool like FTK Imager can be daunting if you have never taken a forensic image of a computer system and seen it in its flat, raw form. You aren’t looking at the system in a bootable form. Rather, it is in hexadecimal or what I would call a flattened format, as you can see in the video below. You typically begin the review while the image is not booted. While you can use forensic tools to mount the forensic image and boot into it, it will need a password and you may not wish to reset or remove passwords.
The forensic analyst likely wants to analyse the data and save the booted virtual machine for any potential evidence in trial. When it comes to evidence, a picture is truly worth a thousand words in a courtroom.
Starting a forensic analysis of a disk image
To understand what FTK Imager is and can do, download and use it to make a copy of any sample computer. You’ll also need a supply of external USB hard drives or a network storage location. While you are learning, don’t worry about what a normal forensic examiner needs to do. Think about the end goal of a forensic examination when you begin it: You’ll want to come to a conclusion, so taking notes of what you observe will help the investigator write the report. Old-school examiners will just take a dd image of the drive, tools like FTK Imager have become a standard way to obtain the image of the drive and document the SHA hash value of the drive and its contents.
You can use FTK Imager to review the drive’s contents. Remember, because you are looking at the unbooted operating system, some information may take some analysis before you can determine what actions are going on. You’ll need to understand where the event logs are located as well as where log files for each application may be located.
Often this doesn’t tell the full story of what went on with a system. As we turn more to cloud services, you must review artifacts left behind in the browser to determine what went on with the cloud services.
Then you need to layer on the additional log files that will back up your analysis. Ideally you will find a firewall log file on the edge that will back up what you are seeing on the computer. If you suspect that a phishing attack let to a workstation takeover that then led to lateral movement and subsequently a full ransomware attack, there will be evidence in the firewall of IP addresses accessed and egress traffic to a command-and-control server. All this analysis takes a lot of understanding of how computers work as well as possibly recreating some of the sequences to confirm what you think is going on in your system.
Gathering packet captures is another task that needs planning. The typical tool used to analyse packets is Wireshark. Similar to imaging a system, understanding what Wireshark is telling you is requires knowing what is normal to your system and what is not.
A Windows 10 E5 license combined with Windows Advanced Threat Protection is yet another way to have a real-time forensic view of your computer system. The Microsoft Defender for Endpoints portal shows a console view of the activities going on with your computer. Once again, fully understanding what is going on in your computer can be confusing. In my own analyses computer systems, I often forget tasks or tools that I’ve installed and I’ve had to go back to my documentation to determine that I actually set up the questionable item I saw on the machine.
Bottom line, computer forensics take both time and evidentiary logs. Ensure that you’ve enabled your network to capture this information ahead of time. Logging should be enabled on devices and the logs stored and archived. Don’t do this project in front of a live audience. It takes time, skill, and investigation. Often it takes setting up testbeds and recreating actions to confirm what you think is going on.