Hey guys,
If you haven’t read the previous articles, here they are:-
I finished the MITRE ATT&CK stuff I was working on separately from my ECIH, so am now back and raring to go on ‘Module 03 Forensic Readiness and First Response’, which I was really looking forward to.
Have to say as well that so far, I have been really pleased and surprised with the hands-on practical workshops/labs at the end of each module, as I had kind of expected it to be more of a ‘read this and answer some multiple-choice questions’ course, but I was wrong; the labs are excellent.
So, we speak about the steps taken in the ‘Pre-investigation Phase’, ‘Investigation Phase’ and ‘Post-Investigation Phase’.
We go over everything from setting up the computer forensics lab and reviewing the policies and laws, through to documentation, which is the process of writing down all the actions the investigators have performed during the investigation to obtain the desired results, as well as everything in between.
In my last job I was tasked with creating the Incident Response plan, and I don’t mind telling you I wish I had known all of this before starting, hahaha.
We touch on all the ‘Forensic Readiness’ procedures too, from creating the investigation team to maintaining inventory, to the one I found really interesting, ‘Network Monitoring’, and using tools like Cyber Triage, Process Explorer, Netstat and the like for networking, and Helix3, Autopsy, EnCase and Foremost from a more straight-up forensic analysis standpoint.
Quite ashamed, given that I work in incident response (8 months now), that I was totally unaware of ‘Anti-Forensics’.
I knew what it was; I just didn’t know it came under this name, which actually sounds pretty cool.
Anti-forensics, also known as counter-forensics, refers to the set of techniques that attackers or perpetrators use to avert or side-track the forensic investigation process, or to make it extremely difficult to perform. These techniques reduce both the quantity and the quality of the evidence that can be gathered from a crime scene, so the incident responder may have to carry out additional steps to recover the data, which in turn delays the investigation.
There are a whopping TWELVE LABS in this module, which is pretty great to be honest; here they are.
Lab 1
Collecting Volatile Information in a Windows System
The Windows operating system stores user- and session-related data in RAM when the system is live.
Pretty easy going in this lab, more about learning the commands than anything else.
Lab 2
Extracting Volatile Information Using Process Explorer
Processes are instances of computer programs running on a system and contain the code required for their activity.
Was aware of Process Explorer but had never used it before, so it was nice to be shown through it.
Lab 3
Viewing, Monitoring, and Analysing Events in a Windows System
Event Log Explorer is a software solution for viewing, monitoring, and analysing events recorded in the security, system, application, and other logs of Microsoft Windows operating systems.
I have used this software quite a bit, so it was pretty straightforward; it really is a great piece of software, and it’s not until you try using others that you see how good it is.
Lab 4
Acquiring Volatile Data in a Linux System
The Linux operating system stores user- and session-related data in RAM when the system is live.
I use Linux at home and adore pottering around in it, so am always up for learning new skills in it, especially Incident Response related ones.
I LOVE LINUX!!!!
Lab 5
Acquiring Volatile Data from a Remote System
The Cyber Triage tool investigates the endpoint by pushing a collection tool over the network, collecting relevant data, and analysing it for malware and suspicious activity.
Cyber Triage is an automated digital forensics and incident response (DFIR) tool that allows you to quickly answer intrusion questions related to:
- Malware
- Ransomware
- Account Takeover
It uses host-based data, scoring, advanced analytics and a recommendation engine to ensure your investigations are fast and comprehensive. It actually seems to be a really good piece of software, to be honest.
Lab 6
Creating a Disk Image File of a Hard Disk Partition Using the R-Drive Image Tool
The R-Drive Image tool is used to create disk image files for backup or duplication purposes.
Pretty straightforward creating an image.
Lab 7
Creating a Disk Image using FTK Imager
FTK Imager is a data preview and imaging tool that enables analysis of files and folders on local hard drives, CDs/DVDs, and network drives.
I have used FTK before a good bit (I mainly use Autopsy).
Same as above only better.
Lab 8
Verifying Image Integrity
Image integrity means that the hash values of the newly created image file are the same as those of the original evidence; if they differ, the image cannot be relied on.
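Added example, not part of the course lab or of any imaging tool: hashing an image in chunks (so a multi-GB file never has to fit in memory), comparing it against the hashes recorded at acquisition time, and showing that a single flipped bit fails verification. The evidence and image files are constructed in a temporary directory.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1 << 20   # 1 MiB reads, so a multi-GB image never has to fit in RAM


def hash_file(path: Path, algorithms=("md5", "sha256")) -> dict[str, str]:
    """One pass over the file, feeding every requested hasher; returns {algorithm: hex digest}.
    MD5 is still what many imaging tools record, so it is kept alongside SHA-256."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with path.open("rb") as fh:
        while chunk := fh.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(image: Path, recorded: dict[str, str]) -> dict[str, bool]:
    """Recompute each algorithm recorded at acquisition time and compare per algorithm.
    Digests are lower-cased because tools print hex in different cases; compare_digest
    is the idiomatic constant-time equality check for digest strings."""
    actual = hash_file(image, tuple(recorded))
    return {name: hmac.compare_digest(actual[name], recorded[name].lower()) for name in recorded}


def demo() -> tuple[bool, bool]:
    """Constructed scenario: image a fake 'drive', verify the copy, then flip one bit in
    the image and verify again. Returns (intact_ok, tampered_ok)."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "evidence.dd"
        image = Path(tmp) / "image.dd"
        evidence.write_bytes(bytes(range(256)) * 4096)      # 1 MiB of constructed data
        acquisition_hashes = hash_file(evidence)             # what the imaging tool records
        image.write_bytes(evidence.read_bytes())             # bit-for-bit copy: the image
        intact = all(verify_image(image, acquisition_hashes).values())
        raw = bytearray(image.read_bytes())
        raw[12345] ^= 0x01                                   # a single flipped bit
        image.write_bytes(bytes(raw))
        tampered = all(verify_image(image, acquisition_hashes).values())
    return intact, tampered
```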
Lab 9
Discovering and Extracting Hidden Forensic Material on Computers Using OS Forensics
The OS Forensics suite simplifies the task of analysing vast amounts of data on live systems and storage media with an easy-to-use modular interface.
Really enjoyed this and would love to learn more about OSForensics.
Lab 10
Performing a Computer Forensic Investigation Using the Helix Tool
Helix is an incident response and forensics tool. It is meant to be used by individuals who have a sound understanding of incident response and forensic techniques.
Lab 11
Analysing Non-volatile Data in Linux System
Non-volatile data is the information that does not change when you switch off the system.
This lab uses Autopsy, and it is really good for investigating images and drives; I use it personally and am aware you can use FTK for the same, but I just like this more.
Lab 12
Data Carving from a Disk Image using Foremost
Foremost is a console program to recover files based on their headers, footers, and internal data structures.
Really interesting learning this, and I will delve deeper in the future.
And there we have module 3, easily the most fun module so far: getting more into proper forensics and searching, and also a lot more stuff pertinent to what I do day to day in a junior Incident Response role.
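Added example of the header/footer carving idea that Foremost implements, written for this post rather than taken from Foremost itself: it scans a raw image for known signatures without looking at the file system, carves each hit up to its footer (or up to a maximum size when the footer has been overwritten), and writes the results out named by byte offset. The signature table covers only JPEG and PNG and the disk image is constructed in code.

```python
from dataclasses import dataclass
from pathlib import Path

# header, footer, maximum carve size (the footer is kept in the carved file); constructed subset
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 1_000_000),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 1_000_000),
}

@dataclass
class CarvedFile:
    kind: str
    offset: int   # byte offset of the header inside the image
    data: bytes

def carve(image: bytes) -> list[CarvedFile]:
    """Scan the whole image for every known header (file system metadata is ignored, so
    deleted and unallocated files are found too). Each hit is carved up to the nearest
    footer, or up to max_size when no footer follows, which is what Foremost does."""
    found = []
    for kind, (header, footer, max_size) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            window_end = min(len(image), pos + max_size)
            end = image.find(footer, pos + len(header), window_end)
            end = window_end if end == -1 else end + len(footer)
            found.append(CarvedFile(kind, pos, image[pos:end]))
            pos = image.find(header, end)   # resume after this file
    return sorted(found, key=lambda f: f.offset)

def save(files: list[CarvedFile], outdir: Path) -> list[Path]:
    """Write each carved file, named by its byte offset, into an output directory."""
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for f in files:
        p = outdir / f"{f.offset:08d}.{f.kind}"
        p.write_bytes(f.data)
        paths.append(p)
    return paths

def build_test_image() -> bytes:
    """Constructed disk image: zero filler with a fake JPEG, a fake PNG and a JPEG whose
    footer was overwritten (the partially reused unallocated-space case)."""
    filler = bytes(1024)
    jpg = b"\xff\xd8\xff\xe0" + b"JPEG-BODY" * 4 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"PNG-BODY" * 4 + b"IEND\xaeB`\x82"
    cut = b"\xff\xd8\xff\xe0" + b"LOST-BODY" * 4
    return filler + jpg + filler + png + filler + cut + filler
```

Like Foremost, this carves on signatures alone, so a footer sequence that appears inside a file body (an embedded JPEG thumbnail, for instance) will truncate the carve; that is why carved files still need to be opened and validated.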
Back soon for module 4.
Regards
Alex