Preparation, Case Categorization and Scoping

Case Related Info: Crime Type/Category, Investigation Type, Damages made (Financial, Social, IT disruption), Location (Within/Outside Organization), Systems Involved, OS Involved.

Crime Against Individuals

  • Email Spoofing
  • Phishing
  • Hacking
  • Cyber-Stalking
  • Obscene Material
  • Unauthorized Access
  • Fraud & Cheating

Crime Against Organizations

  • Unauthorized Access
  • Data/IP Theft
  • Malware
  • Hacking

Crime Against Society

  • Cyber Trafficking
  • Financial Crimes
  • Online Gambling
  • Online Forgery
  • Cyber Terrorism
  • Pirated Software

Feasibility Check

Evidence RelatedLikelihood of evidence on media, Strength of evidence, Volatile/Non-volatile evidence
Scope of InvestigationSystems, Users, Locations, 3rd Party vendors, Social media involved
Time & Cost AnalysisValue of info vs recovery cost, Access level required, Manpower availability
Tools AvailabilityIdentify and select required tools, Purchase new software/hardware/licenses if needed

Investigation Related Info

Case PrioritizationOwner of the system involved, Level of initial intelligence (IoC)
Impact/Likely ValueLoss of company data (IP), Loss of customer base, Market value & reputation, Financial loss
Investigation CostNumber of systems involved, Complexity of case, Examination type (Internal/External vendor)
Investigation ApproachReview case information, Review initial IOC, Review evidence involved, Technical expertise required

Tasks in Investigation

  • IoC gathering
  • Initial Timeline Creation
  • Evidence identification and Acquisition (Local/Remote, Live/Dead)
  • Creation of Tasks Checklist
  • Identify best methods of investigation

Evidence Identification

Volatile Evidence

  • Running Processes
  • Network Connections
  • Memory-only Malware
  • Opened Files/Sockets
  • Encryption Keys

Non-Volatile Evidence

  • File System (FAT/NTFS/ReFS)
  • Logical Evidence (OS view)
  • Physical Evidence (Disk image)
  • Registry Hives
  • Event Logs

Technical Category of Evidence

User Activity: File download, Program execution, File creation/opening/deletion, USB activity, Account usage
System Activity: Browser activity, Chat activity, Internet activity, Installed/deleted applications, Deleted registry entries

Evidence Locations

Local: Hard Drive · USB · Peripheral Devices · System Share · Sharepoint
Cloud: Dropbox · OneDrive · Google Drive · Azure · AWS
Mobile: Android · iOS · BlackBerry · Windows Mobile

Evidence Acquisition

Acquisition Types

Local/RemotePhysical access vs network-based acquisition
Logical/PhysicalOS-level view vs full disk image
Live/DeadRunning system vs powered-off system
Full/PartialComplete image vs targeted collection

Write Blockers

Software: Safeblock, Registry modificationsHardware: Tableau, WiebeTech, ICS Write Blocker, EPOS WriteProtect

Imaging Commands

# DD Imaging
dd if=/dev/sda of=/path/to/evidence.raw bs=512 status=progress conv=noerror,sync

# DC3DD with hashing
dc3dd if=/dev/sdb of=case1.disk1.raw hash=sha1 hash=md5 log=image.log

# Over Network (netcat)
# Receiver: nc -l -p 5555 | dd of=/mnt/evidence/net_dd.raw
# Sender: dd if=/dev/sda | nc 192.168.0.1 5555

Acquisition Tools

Open Source: dd, dc3dd, ddrescue, ewfacquire, FTK Imager, KAPE, Memoryze, Redline, Dumpit.exe
Commercial: EnCase, FTK, Tableau, LogiCube, X-Ways Imager, Magnet Acquire

Evidence Extraction and Analysis

Extraction Techniques

File Carvingrecoverjpeg, foremost, photorec, scalpel, bulk-extractor
Keyword Searchinggrep-based searches across allocated and unallocated space
Registry AnalysisRegRipper, Registry Explorer, FTK Registry Analyzer
MFT AnalysisanalyzeMFT, mft2csv, SleuthKit

Analysis Focus: 5 Ws

  • What happened?
  • Where did it happen?
  • When did it happen?
  • Who did it?
  • Why did it happen?

Artifact Analysis

Registry Analysis: System info, AutoStart, USB devices, UserAssist, RecentDocs, RunMRU
Shell Items: LNK Files, Jump Lists, Shellbags
Browser Forensics: IE/Edge, Chrome, Firefox history, cache, cookies, downloads
Email Forensics: Outlook PST/OST, Exchange EDB, Webmail analysis
USB Forensics: USBSTOR registry keys, Setupapi logs, MountPoints2

Report Writing

Comprehensive Forensic ReportsCase Overview, Methodology, Findings, Interpretations, Limitations, Conclusion
Chain of Custody DocumentationIdentification, Custody History, Handling Actions, Location Tracking, Authentication
Evidence LogsCapture chain of custody and handling for each evidence item
Expert Testimony PreparationReview reports, Anticipate cross-examination, Simplify complex concepts

Documentation Requirements

  • Case Details: Case Name/Number, Investigator info, Case description
  • Evidence Details: Evidence type, Make/Model, Serial Number, Drive Capacity, Hash values
  • Process Documentation: Tools utilized, Exact commands, Procedures followed
  • Chain of Custody: Chronological documentation of evidence handling

Enterprise Forensics Techniques

Remote AcquisitionF-Response like tools to mount drives remotely, Acquiring RAM through network
Cloud Storage AcquisitionDropbox, OneDrive, Amazon S3, Google Drive
Triage AcquisitionIdentifying what to collect, Data collection with custom scripts
Multi-Disk AcquisitionRAID, JBOD (Just a Bunch Of Disks)
Memory ForensicsFTK Imager, Memoryze, Redline, Dumpit.exe, Volatility
Enterprise ToolsEnCase Enterprise, FTK Enterprise, KAPE for rapid triage

Forensics Evidence in the Court

Legal / Compliance RequirementsHR investigation, Employee related internal investigation, LEA Investigation
Local Laws and RegulationsLocal Country specific laws, International Laws, Industry specific laws, Regional laws, GDPR
Evidence AdmissibilityForensic soundness, Chain of custody integrity, Hash verification, Proper documentation
Expert TestimonyRole of forensic expert, Preparation for cross-examination, Legal standards (Daubert/Frye)
# Evidence Integrity Verification # Compute hash of original evidence md5sum /dev/sdb > original.hash # Verify after imaging md5sum evidence.dd | diff - original.hash

Forensics Tools

Commercial Tools

EnCaseFTKCellebriteMagnet AXIOMX-Ways

Open Source Tools

Autopsy/SleuthKitVolatilityKAPEWiresharkdd/dc3dd

Registry Analysis

RegRipperRegistry ExplorerFTK Registry Analyzer

Browser Forensics

NirSoft ToolsHindsightSQLite Browser

File Carving

ForemostScalpelPhotorecBulk Extractor

Memory Forensics

VolatilityRedlineDumpit

📚 This is an overview of the complete Windows Forensics Framework.

Access the Full Original Framework