Digital forensics investigation is the art of determining what activities and actions have occurred on a system, who or what performed them, and what data is stored there.
In the cybersecurity field, digital forensics investigation can be used for many purposes, such as tracking down the source of attacks, responding to incidents, detecting data corruption, and troubleshooting operational problems.
According to NIST (the National Institute of Standards and Technology), the process for performing digital forensics comprises the following basic phases:
- Collection: identifying, labeling, recording, and acquiring data from the possible sources of relevant data, while following procedures that preserve the integrity of the data.
- Examination: forensically processing collected data using a combination of automated and manual methods, and assessing and extracting data of particular interest, while preserving the integrity of the data.
- Analysis: analyzing the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination.
- Reporting: reporting the results of the analysis, which may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, procedures, tools, and other aspects of the forensics process.
Building your forensics investigation suite
Forensics tools come with a variety of capabilities and purposes. Here are some key criteria to include in your search for the best forensics tool:
- Consider whether the following features are included:
- Consider whether the purpose of your investigation fits the tool: if you are analyzing e-mails, look for a forensics tool capable of reading e-mail content
- Consider whether the tool can save you time during investigations
- Consider whether you can afford the cost of the product
Most investigators work with a wide variety of tools like AccessData's FTK, the SANS Investigative Forensic Toolkit (SIFT), or The Sleuth Kit (TSK). On the commercial side, AccessData's FTK and EnCase provide the following capabilities:
- Evidence and volatile memory acquisition, dd, AD information extractor, hardware analysis, deleted file/folder recovery, file finder, gallery view, calendar view, Internet and e-mail search, binary search, reporting in RTF or HTML format, …
- Data acquisition from various sources (hard disks, floppy disks, flash drives, digital cameras, CD/DVD image formats), powerful file filtering, full-text indexing, advanced searching, deleted file recovery, data carving, e-mail and graphics analysis, hashing, reporting in HTML format, …
Both tools include a validation process that checks known-good versions of files against those found on a system. EnCase prompts you to obtain the MD5 hash value of acquired data, whereas FTK validates MD5 and SHA-1 hash sets during data acquisition.
On the open-source side are the SANS Investigative Forensic Toolkit (SIFT), CAINE, and Autopsy.
There are also some open-source command-line tools that help you perform a forensics investigation:
- The Linux dd utility, which provides a bit-by-bit copy of drives, partitions, and filesystems: https://doc.ubuntu-fr.org/dd
- Volatility, an open-source memory forensics framework: https://digital-forensics.sans.org/media/volatility-memory-forensics-cheat-sheet.pdf
It is important to note that there are many other forensics tools out there. Most investigators will want to use at least two or three tools, since one will find information that another will miss.
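The acquisition-integrity pattern behind the Collection phase above, the FTK/EnCase hash validation, and the dd bit-by-bit copy, shown as an added Python example that is not part of the original page and is not the code of any tool named here: acquire() copies a source byte-for-byte in chunks while computing MD5 and SHA-1 (the way FTK hashes during acquisition), verify_image() re-hashes the image to confirm it still matches, and classify() looks a file's SHA-1 up in a known-good hash set (an NSRL-style or vendor set in practice). The source volume, the tampering step and the hash set are all constructed inside demo(), and every function name is this example's own.

```python
"""Added example (not from the original page or any vendor tool):
bit-for-bit acquisition into an image file, MD5/SHA-1 hashing during the
copy, post-acquisition verification, and a known-good hash set lookup.
All inputs are constructed in demo()."""
import hashlib
import os
import tempfile


def acquire(source_path, image_path, chunk_size=4096):
    """Copy source_path to image_path chunk by chunk (the dd pattern) and
    return the MD5/SHA-1 digests of exactly the bytes read from the source."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(chunk_size)
            if not chunk:
                break
            md5.update(chunk)
            sha1.update(chunk)
            dst.write(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_file(path, chunk_size=4096):
    """MD5 and SHA-1 of a file, streamed so large images fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(image_path, expected):
    """Re-hash the image and compare with the digests recorded at acquisition."""
    return hash_file(image_path) == expected


def classify(path, known_good):
    """known_good: set of lowercase SHA-1 hex digests (constructed here; an
    NSRL-style or vendor hash set in practice). 'known-good' or 'unknown'."""
    return "known-good" if hash_file(path)["sha1"] in known_good else "unknown"


def demo():
    """Run the workflow on constructed data in a temp dir; return the results."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "source.bin")
        image = os.path.join(d, "source.dd")
        # Constructed 'volume': 26,500 bytes of text padded with zeros.
        data = b"constructed sample volume " * 1000 + b"\x00" * 500
        with open(source, "wb") as f:
            f.write(data)
        digests = acquire(source, image)
        acquired_ok = verify_image(image, digests)
        # Flip one byte of the image: verification must now fail.
        with open(image, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        tampered_ok = verify_image(image, digests)
        # Known-good set constructed from the untouched source's SHA-1.
        known_good = {digests["sha1"]}
        return {
            "acquired_ok": acquired_ok,
            "tampered_ok": tampered_ok,
            "source_class": classify(source, known_good),
            "image_class": classify(image, known_good),
            "md5": digests["md5"],
            "sha1": digests["sha1"],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Hashing the bytes as they are read, rather than hashing the finished image afterwards, is what lets the digest vouch for the source at the moment of acquisition; the second hash of the image then proves the copy is faithful, and the same digests go into the case record so anyone can repeat the check later.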
The Otter tool
As we saw in the first part of this page, there are four basic phases in a digital forensics investigation. With Otter, all four steps are performed in a single click.
In addition, Otter addresses two different situations:
- I'm part of the CSIRT/SOC team and I have a doubt about a host. Is it compromised or not?
- I'm a high school student and I think there's some suspicious activity occurring on my computer. Since I'm not familiar with system architecture, where and how should I track it down?
Thus, Otter can be used to respond to an incident that occurred in your organization, or simply to protect your personal computer and detect malicious activity on it.
The following capabilities of Otter can help offer insight into what occurred on your system:
- User's guide
- Final report including digital investigation tips and the following worksheets:
  - System information
  - Timestamps of document changes and account changes
  - Network connection changes
  - Processes, associated DLLs, and program analysis
  - Windows Registry and system file analysis
  - Hashing with MD5 and SHA-1
  - Malware threat scoring system
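As an added Python example (not part of the original page and not Otter's own code), one way to produce a "timestamps of document changes" worksheet like the one listed above: scan() collects mtime and ctime for every file under a root, timeline() turns them into a newest-first event list, render() prints it with UTC timestamps, and backdated() flags files whose content timestamp is far older than their metadata timestamp. The directory tree in demo() is constructed. The check relies on the POSIX behaviour that os.utime() rewrites mtime but not ctime, so a large gap between the two hints at a copied or timestomped file; on Windows st_ctime is the creation time instead, so treat the flag as a pointer for review rather than a verdict.

```python
"""Added example (not from the original page or the Otter tool): a
timestamp worksheet of file changes under a directory tree, the kind of
'document changes' view a host-investigation report lists. Inputs are
constructed inside demo()."""
import os
import tempfile
import time
from datetime import datetime, timezone


def scan(root):
    """Return (path, st_mtime, st_ctime) for every file under root.
    Unreadable or vanished entries are skipped rather than aborting the scan."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue
            rows.append((path, st.st_mtime, st.st_ctime))
    return rows


def timeline(rows, since=None):
    """Flatten rows into (timestamp, label, path) events, newest first.
    mtime = content last written; ctime = inode/metadata change on POSIX
    (creation time on Windows). since: keep only events at or after this epoch."""
    events = []
    for path, mtime, ctime in rows:
        for label, ts in (("mtime", mtime), ("ctime", ctime)):
            if since is None or ts >= since:
                events.append((ts, label, path))
    events.sort(reverse=True)
    return events


def backdated(rows, gap=86400):
    """Files whose content timestamp is older than the metadata timestamp by
    more than gap seconds. utime() can rewrite mtime but not ctime on POSIX,
    so this gap is a common (not conclusive) sign of a copied or timestomped
    file and deserves a closer look."""
    return [path for path, mtime, ctime in rows if ctime - mtime > gap]


def render(events):
    """Worksheet lines with UTC timestamps, one event per line."""
    return [
        f"{datetime.fromtimestamp(ts, tz=timezone.utc):%Y-%m-%d %H:%M:%S}Z  {label:<5}  {path}"
        for ts, label, path in events
    ]


def demo():
    """Constructed tree: a document backdated by 30 days and a freshly written
    executable. Returns basenames so the result is path-separator safe."""
    with tempfile.TemporaryDirectory() as d:
        old = os.path.join(d, "docs", "report.txt")
        new = os.path.join(d, "downloads", "invoice.exe")
        for p in (old, new):
            os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(old, "w") as f:
            f.write("constructed old document")
        with open(new, "w") as f:
            f.write("constructed recent file")
        month_ago = time.time() - 30 * 86400
        os.utime(old, (month_ago, month_ago))  # backdates atime/mtime only
        rows = scan(d)
        recent = timeline(rows, since=time.time() - 7 * 86400)
        return {
            "total_events": len(timeline(rows)),
            "recent_modified": sorted(
                os.path.basename(p) for _ts, label, p in recent if label == "mtime"
            ),
            "backdated": [os.path.basename(p) for p in backdated(rows)],
            "recent_line_count": len(render(recent)),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real home directory with since set to the incident window, the mtime rows give the "what changed recently" view and the backdated() list gives the "what is pretending to be old" view; both are leads for the Examination phase, to be confirmed with file content and hashes before anything is written into the report.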
Because everyone is subject to computer attacks, we offer a digital forensics capability that gives you a real-time view of what's happening on your system at an affordable price.