CF Lecture 07-Memory Forensics

This lecture covers volatile-data and memory forensics on Windows systems: which volatile data can be acquired (system uptime, logged-on users, open files, running processes, network state), how memory is acquired (memory dumps, hibernation and page files) and examined, and non-volatile sources such as file systems, slack space, the swap file and file carving.

Uploaded by

Faisal Shahzad

Dr. Zunera Jalil
Email: [email protected]
Quiz 2
Available on GCR

Time Allowed: 30 minutes


Major Forensic areas in Windows 3

• Volatile information: system time, logged-on users, open files, network
information and similar state that exists only while the system is running.
• Non-volatile information: file systems, registry settings, logs, devices,
slack space, the swap file, indexes, partitions and more; these are covered
under the heading Non-Volatile Information.
• Windows memory: acquiring memory dumps and analysing them.
• Caches, cookies and browser history.
• Recycle bin contents, documents, shortcut (.lnk) files, graphics files,
executable files and so on.
Volatile Information 4

• Volatile information can disappear or be modified easily. It is retained
only while the system is powered on; when power is interrupted, the stored
data is lost immediately. The following slides list a few methods and tools
for acquiring volatile information from a Windows system.
 Doskey can show the history of commands typed on the computer.
 Doskey is a utility for DOS and Microsoft Windows that adds command history
to cmd.exe (doskey /history lists it). The history buffer belongs to the
current console session and is never written to disk, so it must be captured
from the live session; it does not recover commands typed in earlier sessions.
Volatile Information 5

 Uptime is shown in Task Manager (Performance tab, CPU section).
 Use WMIC to get the last system boot time:
 wmic path Win32_OperatingSystem get LastBootUpTime
 The value is a CIM datetime (yyyymmddHHMMSS.ffffff followed by the UTC
offset in minutes), so note the time of collection alongside it. WMIC is
deprecated in current Windows releases; the same property is available from
Get-CimInstance in PowerShell.

https://www.windowscentral.com/how-check-your-computer-uptime-windows-10
Volatile Information 6

• During an investigation we almost always need to know who was logged on to
the system, and whether each logon was local or remote. This places other
findings in context and can be tied to the events recorded in the logs. Tools
such as PsLoggedOn, net session and LogonSessions (Sysinternals) report the
logon sessions that exist at the moment of collection.
Volatile Information-logonsessions 8
Volatile Information 9

• Similarly, we can list which files were open at the time the users were
logged on. This matters when correlating which user was using which file on
the system. Tools that report open files include net file, PsFile and
openfiles.
Volatile Information 10

• The investigator needs to discover what processes are running on the system.
A system that was in use just before a crime may still hold the clues in the
form of files or processes present when it was acquired.
• Information about each process needs to be collected along with its context:
executable file path, the command line used to launch it, timestamps and the
modules (DLLs) currently loaded.
• Tools such as Tlist, Tasklist, PsList and ListDLLs provide this information.
• Windows Task Manager shows some of it, but hides the command line, loaded
modules and parent process by default, so the tools above play a significant
role in forensics.
Volatile Information 11

netStat command
Volatile Information 12

• Information about the status of the network interface cards (NICs) attached
to a system can be very important.
• Wireless interfaces are now common, and a physical cable is often absent,
so the state of every network interface needs to be recorded.
• A NIC in promiscuous mode is a strong indicator that a sniffer is running
on the host.
• Tools such as ipconfig, PromiscDetect and Promqry help to collect this
information.
Volatile Information 13

• The Windows clipboard is another item of great importance to investigators.
It holds the most recently copied data for later pasting.
• The clipboard lets users move data between documents or applications. The
fact that recently copied items remain on the clipboard can give a clue to
vital evidence or to the circumstances leading to a crime.
• Pclip is a command-line utility that retrieves the current contents of the
clipboard. The standard clipboard holds only the latest item, so it must be
captured before anything else is copied on the live system.
Volatile Information 14

Output of ipconfig command
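The tools on the preceding slides produce text that still has to be correlated by hand: which process owns a connection, whether its foreign address lies inside the organisation, and how long the machine had been up when the data was collected. The following Python example, added here and not part of the lecture, does that correlation over constructed samples of `netstat -ano`, `tasklist /FO CSV /NH` and WMIC `LastBootUpTime` output. The internal address ranges and the list of commonly abused signed binaries are assumptions to be adjusted per environment.

```python
"""Correlate live Windows volatile-data output: netstat -ano, tasklist /FO CSV /NH
and the WMIC LastBootUpTime value. Added example; all sample output is constructed."""
import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample of `netstat -ano` output (layout as printed by the real tool).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1204
  TCP    10.0.0.5:49712         203.0.113.7:443        ESTABLISHED     6012
  TCP    10.0.0.5:49720         10.0.0.10:445          ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    1204
"""

# Constructed sample of `tasklist /FO CSV /NH` output.
SAMPLE_TASKLIST = '''"System","4","Services","0","148 K"
"svchost.exe","1204","Services","0","12,340 K"
"rundll32.exe","6012","Console","1","4,020 K"
'''

# Constructed sample of `wmic path Win32_OperatingSystem get LastBootUpTime`
# (CIM datetime: yyyymmddHHMMSS.ffffff followed by the UTC offset in minutes).
SAMPLE_BOOT = "20240115083012.500000+300"

# Address ranges this hypothetical site treats as internal; adjust per environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Signed Windows binaries that are commonly abused to launch payloads; a direct
# connection from one of these to an external host deserves a closer look.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe",
           "wscript.exe", "cscript.exe", "certutil.exe"}


def parse_netstat(text):
    """Parse `netstat -ano` rows into dicts; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        conns.append({"proto": parts[0], "local": parts[1], "foreign": parts[2],
                      "state": parts[3] if len(parts) == 5 else "",
                      "pid": int(parts[-1])})
    return conns


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if row}


def parse_cim_datetime(value):
    """Convert a CIM datetime string to a timezone-aware datetime."""
    stamp, sign, minutes = value[:21], value[21], value[22:]
    if minutes.isdigit():          # WMI prints '***' when the offset is unknown
        offset = int(minutes) if sign == "+" else -int(minutes)
        tz = timezone(timedelta(minutes=offset))
    else:
        tz = timezone.utc
    return datetime.strptime(stamp, "%Y%m%d%H%M%S.%f").replace(tzinfo=tz)


def uptime(boot_value, collected_at):
    """Uptime as a timedelta; collected_at is recorded at acquisition time."""
    return collected_at - parse_cim_datetime(boot_value)


def is_external(endpoint):
    """True when a netstat foreign address lies outside the internal ranges."""
    host = endpoint.rpartition(":")[0].strip("[]")
    if host in ("", "*"):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    if ip.is_loopback or ip.is_unspecified:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def flag_connections(conns, pid_to_name):
    """(pid, name, foreign) for external connections owned by a LOLBin, or by a
    PID that tasklist did not list (already exited, or hidden from the live view)."""
    findings = []
    for c in conns:
        if c["state"] == "LISTENING" or not is_external(c["foreign"]):
            continue
        name = pid_to_name.get(c["pid"], "<not in tasklist>")
        if name in LOLBINS or name == "<not in tasklist>":
            findings.append((c["pid"], name, c["foreign"]))
    return findings


if __name__ == "__main__":
    collected = parse_cim_datetime("20240116100000.000000+300")
    print("uptime:", uptime(SAMPLE_BOOT, collected))
    for f in flag_connections(parse_netstat(SAMPLE_NETSTAT), parse_tasklist(SAMPLE_TASKLIST)):
        print("review:", f)
```

A PID that appears in netstat but not in tasklist is worth keeping as a finding rather than discarding: the process may simply have exited between the two commands, but it is also what a process hidden from the live tools looks like, which is one of the reasons the memory image is examined afterwards.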


What is Memory Forensics? 15

• Memory forensics is a form of investigation that lets an examiner identify
unauthorized and anomalous activity on a target computer or server.
• It is achieved by running acquisition software that captures the current
state of the system's memory as a snapshot file, also known as a memory dump.
This file can then be taken offsite and examined by the investigator.
• It is useful because processes, files and programs execute in memory; once a
snapshot has been captured, many important facts can be established from it.
What is Memory Forensics? 16

• Information that can be obtained:


 Processes running
 Executable files that are running
 Open ports, IP addresses and other networking information
 Users that are logged into the system, and from where
 Files that are open and by whom
What is Memory Forensics? 17

• Capturing the volatile information in the system's memory creates a
permanent record of the system's state as it was at acquisition time.
• Suspicious programs such as viruses and other malware can then be studied
in a lab environment and, where possible, traced back to their source.
 This is vital where malware leaves no trace of its activity on the target
system's hard drive (fileless or memory-only malware); memory forensics is
then the main way to identify such activity.
How is Memory Forensics Different from Hard Drive Forensics? 18

• Memory forensics can be thought of as a snapshot of a running system that
gives investigators a near real-time picture of the system while in use. Hard
drive forensics is normally focused on data recovery and decryption, usually
performed on an image of the drive in question.
• Memory forensics is a live response to a current threat, while hard drive
forensics is more of a post-mortem of events that have already transpired.
Memory forensics is time sensitive: the information required is stored in
volatile system memory, and if the system is restarted or powered off that
information is lost.
How is Memory Forensics Different from Hard Drive Forensics? 19

• Hard drives, on the other hand, are a non-volatile form of computer storage.
Some memory contents do reach the disk (the page file and the hibernation
file), and the forensic investigator has to take these into account. Depending
on the nature of the investigation, either technique can be used.
• Likewise, both methods can be used on the same system if necessary, and
investigators must use their discretion to select the appropriate action.
• Task to do:
 Try the 'Capture Memory' option in AccessData FTK Imager
Memory Forensics: Acquisition Methods 20

• The angle taken during the acquisition phase depends mostly on the scenario
you are presented with and the requirements of the case, in particular on
 the operating system the host is running, and
 what the perceived issue is that needs to be investigated at the time of the
incident.
• How the image is captured also depends on
 what you are trying to establish through the investigative process, and
 what you are trying to prove or disprove.
Memory Forensics: Acquisition Methods 21

• Generally the investigation will focus on the activities of the user on the
system, or on evidence that proves the system in question has been
compromised.
• Sometimes even encryption keys and passwords can be recovered from memory
if they are part of the evidentiary requirements of the case.
 Hardware solutions (PCI card or FireWire) that read memory over DMA
 Software solutions (a program run on the live system)
 Alternatives: the hibernation file or the page file
• Every method leaves a footprint: a software tool is itself loaded into the
memory it copies, and DMA from an external device may be blocked on systems
that enforce IOMMU-based DMA protection. Record what was run, and when.
• There must be a clear understanding of what needs to be established on the
target system, and how it can help to advance your investigation.
Memory Forensics: Acquisition Methods 23

• Skilled forensic investigators can identify activity on a system that should
not be present, allowing them to prove that a system has been compromised.
• Memory analysis lets them identify rootkits and malware, find unusual
processes and reveal covert communication, which sheds light on what was
happening in the target system at the time of capture.

Public memory samples to practise on:
https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples
Most Common Methods and Formats of Memory Acquisition 24

• The most common memory image formats in use today are:
 RAW format: a flat copy of physical memory extracted from a live system by
an acquisition tool; it has no header, so the analysis tool has to work out
the layout itself
 Crash dump: memory written by the operating system itself on a crash (or on
demand), with a header describing the physical memory ranges it contains
 Hibernation file: the saved snapshot the operating system restores from after
hibernating; stored compressed, so it is converted before analysis
 Page file: memory pages the system has moved out to disk; it holds data that
is not in RAM at all, so it complements rather than duplicates a RAM capture
 VMware snapshot: a snapshot of a virtual machine that saves its memory and
device state as they were at the moment the snapshot was taken
• Once the data is acquired, the image is examined by parsing the operating
system's in-memory structures and, where structures are damaged or unlinked,
by carving; suspicious activity is uncovered from what these reveal.
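The formats above differ in whether physical memory is stored flat or sits behind a header that has to be interpreted before any address in the image means anything. The following Python example, added here and not part of the lecture, sniffs the container format from the leading bytes and, for a 64-bit Windows crash dump, reads the physical memory run table and translates a physical address to a file offset. The header offsets follow the DUMP_HEADER64 layout as implemented in Volatility's crash address space and are an assumption of this example; the header buffer is constructed rather than taken from a real dump.

```python
"""Identify a memory image's container format and map physical addresses through a
Windows 64-bit crash-dump header. Added example with constructed buffers."""
import hashlib
import struct

PAGE = 0x1000
CRASH64_HEADER_SIZE = 0x2000    # memory data starts here in PAGEDU64 files

# Leading-byte signatures of common memory-image containers (offset 0).
SIGNATURES = [
    (b"PAGEDU64", "windows crash dump, 64-bit"),
    (b"PAGEDUMP", "windows crash dump, 32-bit"),
    (b"HIBR", "windows hibernation file"),
    (b"hibr", "windows hibernation file"),
    (b"WAKE", "windows hibernation file, already resumed (partly stale)"),
    (b"wake", "windows hibernation file, already resumed (partly stale)"),
    (b"EMiL", "LiME (Linux) image"),
    (b"\x7fELF", "ELF core image"),
]


def identify(head):
    """Classify an image from its first bytes. Raw dumps (dd-style tools, VMware
    .vmem) carry no signature, so 'raw or unknown' must be confirmed by other means,
    and a truncated or wrongly offset file looks exactly the same."""
    for magic, name in SIGNATURES:
        if head.startswith(magic):
            return name
    return "raw or unknown (no header)"


def crash64_runs(header):
    """Read the physical memory runs from a PAGEDU64 header.
    Assumed layout (DUMP_HEADER64 as used by Volatility's crash address space):
    PHYSICAL_MEMORY_DESCRIPTOR64 at 0x88 = NumberOfRuns (u32), pad, NumberOfPages
    (u64), then (BasePage, PageCount) u64 pairs from 0x98."""
    if not header.startswith(b"PAGEDU64"):
        raise ValueError("not a 64-bit crash dump")
    nruns, npages = struct.unpack_from("<IxxxxQ", header, 0x88)
    runs = [struct.unpack_from("<QQ", header, 0x98 + 16 * i) for i in range(nruns)]
    if sum(count for _, count in runs) != npages:
        raise ValueError("run table inconsistent with NumberOfPages")
    return runs


def phys_to_file_offset(runs, paddr):
    """Translate a physical address to a file offset in the dump, or None when the
    address falls in a gap between runs (the dump simply omits unbacked ranges)."""
    file_off = CRASH64_HEADER_SIZE
    for base_page, page_count in runs:
        start, end = base_page * PAGE, (base_page + page_count) * PAGE
        if start <= paddr < end:
            return file_off + (paddr - start)
        file_off += page_count * PAGE
    return None


def sha256_hex(data):
    """Hash of the acquired image, recorded with the acquisition notes."""
    return hashlib.sha256(data).hexdigest()


def build_sample_crash64():
    """Constructed header: two runs, pages 0x0-0xF and 0x100-0x11F (0x30 pages)."""
    hdr = bytearray(CRASH64_HEADER_SIZE)
    hdr[0:8] = b"PAGEDU64"
    struct.pack_into("<IxxxxQ", hdr, 0x88, 2, 0x30)
    struct.pack_into("<QQQQ", hdr, 0x98, 0x0, 0x10, 0x100, 0x20)
    return bytes(hdr)
```

The gap between the two runs is the point: a crash dump is not a flat copy, and reading it with a tool that expects a raw image shifts every address after the first run by the size of the missing range.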
The Memory Forensic Tools 25

• There are both free and commercial products available, and many forensic
investigators have their own preferences. Some examples:
 Volatility: an open source framework for analysing RAM images, with support
for Windows, Linux and macOS. It handles raw images, crash dumps and VMware
memory files. The current version is Volatility 3.
https://www.volatilityfoundation.org/
 Rekall: an end-to-end solution for incident responders and investigators
featuring both acquisition and analysis tools; more a forensic framework than a
single application. The project is no longer actively maintained.
http://www.rekall-forensic.com/
Installation and usage tutorial:
https://www.howtoforge.com/tutorial/how-to-install-and-use-volatility-memory-forensic-tool/
The Memory Forensic Tools 26

• Helix ISO: a bootable live CD and a standalone application that make it easy
to capture a memory dump or memory image of a system. Running it directly on a
target system has a cost, namely an acquisition footprint in the memory being
captured, so make sure that fits the requirements of the case.
• Belkasoft RAM Capturer: another forensic tool that captures the volatile
contents of system memory to a file. First responders will find that its
functionality lets their investigations start off as quickly as possible.
https://belkasoft.com/ram-capturer
The Memory Forensic Tools 27

• Process Hacker (continued today as System Informer): an open source process
monitoring application that is useful to run while the target machine is in
use. It gives the investigator a better understanding of what is currently
affecting the system before the memory snapshot is taken, helps to uncover
malicious processes, and can show which processes have been terminated within
a set period of time.
Memory Forensics: Examining Captured Data 28

• Open files associated with a process: an extremely useful approach, as it
shows which files a suspicious process holds open on the target system.
 Malware can often be identified just by the location of the files it has
open.
 Knowing where these files are located also benefits the overall
investigation, especially if they store logs of the user's keyboard input.
That would mean the user's passwords could have been divulged to the authors
of the malware.
Memory Forensics: Examining Captured Data 29

• User activity: by combining the information acquired in all of the previous
steps, the forensic investigator can piece together a fairly accurate series
of events leading to the main incident.
 The system log files captured earlier help to establish to what extent, if
any, a user on site may have been involved.
 Remote unauthorized access can also be detected, which helps to determine
how far the organization's network has been compromised.
Memory Forensics: Examining Captured Data 30

• Network information: once the infected processes have been identified, the
network communications surrounding the infection can be dissected. This can
reveal a great deal of information, such as:
 The remote addresses the malware instance is reporting back to
 Ports the malware has opened on the host machine
 The frequency at which the malware was communicating over the network
 How the infection spreads itself over the network
Memory Forensics: Examining Captured Data 31

• Decoded applications in memory:
• Sometimes the malware present on the target system is encrypted or packed
on disk, so that nobody but the perpetrator can make use of the data it has
been collecting.
• However, the program must be decrypted to run, so a decrypted copy of it is
often caught in the memory snapshot, which lets the investigator examine its
activity much more accurately.
• The investigator may even be able to identify the cipher and recover the
key that was used, making previously inaccessible data associated with the
malware instance readable.
Memory Forensics: Examining Captured Data 32

• Timestamp comparison: in some instances malware alters the timestamps of the
files it touches so that they appear untouched by the infection. This is known
as time stomping, and it can seriously inhibit an investigator's ability to
discover when the infection first occurred.
• With a memory dump, investigators can compare process creation times with
the timestamps on the system files to establish when the system was first
compromised. On NTFS the $FILE_NAME attribute timestamps are a useful second
source, because common stomping tools rewrite only $STANDARD_INFORMATION.
• Once a date and time has been established, records such as emails and
browser history can be examined to identify the possible cause of the
infection, by finding correlations between the process timestamps and the
application time frames.
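The slides above describe finding unusual processes and lining their timestamps up with other evidence. The following Python example, added here and not part of the lecture, shows three checks an analyst runs over process records recovered from a memory image: a cross-view comparison of the active-process list walk against a pool scan to find unlinked (hidden) processes, a parent-process check against the expected Windows process tree, and a creation/exit timeline. The records are constructed in the shape of pslist- and psscan-style output rather than real tool output, and the expected-parent table is an assumption covering only the core system processes.

```python
"""Cross-view, parent-child and timeline checks over process records from a memory
image. Added example; the records are constructed, not real tool output."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    created: datetime
    exited: Optional[datetime] = None


def _t(h, m):
    return datetime(2024, 1, 15, h, m)


# View 1: processes reached by walking the active-process linked list.
PSLIST = [
    Proc(4, 0, "System", _t(8, 30)),
    Proc(368, 4, "smss.exe", _t(8, 30)),
    Proc(520, 368, "wininit.exe", _t(8, 30)),
    Proc(612, 520, "services.exe", _t(8, 30)),
    Proc(628, 520, "lsass.exe", _t(8, 30)),
    Proc(804, 612, "svchost.exe", _t(8, 31)),
    Proc(2204, 1580, "explorer.exe", _t(8, 33)),
    Proc(3120, 2204, "svchost.exe", _t(9, 12)),
]

# View 2: the same memory scanned for process objects. The scan also finds
# terminated processes and processes that were unlinked from the list.
PSSCAN = PSLIST + [
    Proc(1580, 520, "userinit.exe", _t(8, 33), exited=_t(8, 34)),
    Proc(4412, 804, "svchost.exe", _t(9, 14)),
]

# Expected parent for core Windows processes (assumed table, core processes only).
EXPECTED_PARENT = {
    "smss.exe": {"System"}, "wininit.exe": {"smss.exe"}, "csrss.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"}, "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}


def _key(p):
    # PIDs are reused, so identity is (pid, creation time), not pid alone.
    return (p.pid, p.created)


def hidden_processes(pslist, psscan):
    """Processes found by scanning but absent from the list walk and not exited:
    the classic sign of a process unlinked from the list by a rootkit."""
    listed = {_key(p) for p in pslist}
    return [p for p in psscan if _key(p) not in listed and p.exited is None]


def parent_anomalies(procs):
    """(pid, name, parent name) for core processes whose parent is not the expected one."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p.name)
        if not expected:
            continue
        parent = by_pid.get(p.ppid)
        parent_name = parent.name if parent else "<parent not found>"
        if parent_name not in expected:
            out.append((p.pid, p.name, parent_name))
    return out


def timeline(procs):
    """Creation and exit events in time order, ready to line up against file
    and log timestamps."""
    events = [(p.created, "start", p.pid, p.name) for p in procs]
    events += [(p.exited, "exit", p.pid, p.name) for p in procs if p.exited]
    return sorted(events)
```

Note that userinit.exe legitimately appears only in the scan view: it exits after starting explorer.exe, which is why exited processes are excluded from the hidden-process check and why the parent lookup is run over the scan view, where explorer's parent can still be resolved.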
Non-Volatile Information 33

• Remains on a secondary storage device and persists even after power is off.
• This information can be collected later, after all of the perishable
(volatile) information has been gathered and the system has been seized.
• Investigators collect it after procuring the device and completing all the
legal formalities of seizure, so that the later discoveries are not challenged
at the hearing.
Slack Space, Swap File, Deleted Files 34

• Slack space is the unused space in a disk cluster. DOS and Windows file
systems use fixed-size clusters: even if the data being stored needs less than
a cluster, an entire cluster is reserved for the file, and the unused remainder
is the slack space.
• DOS and older Windows systems use a 16-bit file allocation table (FAT16),
which allows at most 65,536 clusters and therefore forces very large cluster
sizes on large partitions.
• For example, on a 2 GB partition each cluster is 32 KB. A file that needs
only 4 KB is still allocated the full 32 KB, leaving 28 KB of slack. In
computer forensics slack space is examined because it may still contain data
from a previous file that occupied the cluster.
Slack Space, Swap File, Deleted Files 35

• Most file systems, such as FAT and the UNIX Fast File System, work with
clusters (or blocks) of an equal and fixed size.
 For example, a FAT32 file system might be divided into clusters of 4 KB
each. Any file smaller than 4 KB fits into a single cluster, and there is never
more than one file in a cluster.
 Files larger than 4 KB are allocated across many clusters. Sometimes these
clusters are all contiguous; at other times they are scattered across two or
more fragments, each fragment being a run of contiguous clusters holding one
part of the file's data.
 Large files are more likely to be fragmented. Carving fragmented files is a
complex task, with a potentially huge number of permutations to try.
Slack Space, Swap File, Deleted Files 36

Swap Space
• An area on the hard disk that is part of the machine's virtual memory, which
is the combination of the accessible physical memory (RAM) and the swap space.
• Swap space temporarily holds memory pages that are inactive. It is used when
the system needs physical memory for active processes and there is not enough
unused physical memory available: inactive pages are moved out to the swap
space, freeing that physical memory for other uses.
Slack Space, Swap File, Deleted Files 37

• Almost everything in RAM can be swapped out if necessary, so very important
and forensically interesting things can be found in the swap space.
• Apart from the plaintext of data that is encrypted in a disk file, we can
even find encryption keys, thanks to weaknesses in some applications that
leave unencrypted keys resident in memory.
• Parts of e-mails or material stored at remote locations may also still
reside in swap space. To the relief of investigators, standard disk forensic
tools can read this file from a disk image.
• On Windows, the swap file is a hidden file in the root of the system volume
called pagefile.sys (from Windows 8 onward a second file, swapfile.sys, backs
suspended modern applications). Its location and size are configured in the
registry (the exact path can vary between versions).
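Searching pagefile.sys, or any raw memory blob, for strings is the quickest way to find the fragments the slide describes. The following Python example, added here and not part of the lecture, extracts both ASCII and UTF-16LE strings and searches them for keywords. The second encoding matters because Windows stores paths, user names and many credentials as UTF-16LE, which an ASCII-only scan misses entirely. The blob is constructed.

```python
"""Extract printable ASCII and UTF-16LE strings from a page-file (or any raw memory)
blob and search them for keywords. Added example over a constructed blob."""
import re

MIN_LEN = 6


def extract_strings(blob, min_len=MIN_LEN):
    """Return sorted (offset, encoding, text) triples for runs of printable
    characters at least min_len long, in ASCII and in UTF-16LE."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(blob)]
    return sorted(found)


def search(blob, keywords, min_len=MIN_LEN):
    """Case-insensitive keyword hits, e.g. for credentials, hostnames or file names."""
    lowered = [k.lower() for k in keywords]
    return [(off, enc, text) for off, enc, text in extract_strings(blob, min_len)
            if any(k in text.lower() for k in lowered)]


# Constructed blob: binary filler around an ASCII credential string and a
# UTF-16LE path, the way fragments sit in a real page file.
SAMPLE_BLOB = (b"\x00\x01\x02\x03\x04"
               + b"Password=hunter2"
               + b"\x80\x81\x82"
               + "C:\\Users\\bob\\secret.docx".encode("utf-16-le")
               + b"\x00\x00junk\x03\x04")
```

The offsets returned are file offsets into the page file, not virtual addresses: unlike a memory dump there is no structure that maps a swapped-out page back to the process it belonged to, so a hit tells you the data existed, not who owned it.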
File Carving 38

• File carving is the process of extracting data from a disk drive or other
storage device without the assistance of the file system that originally
created the file.
• It recovers files from unallocated space without any file-system metadata
and is used both for data recovery and in digital forensic investigations.
• Carving reconstructs files by scanning the raw bytes of the disk and
reassembling them. This is usually done by looking for the header (the first
few bytes) and footer (the last few bytes) of a known file type.
Understanding File Carving 39

• All file systems contain metadata that describes the file system itself; at
a minimum the hierarchy of folders and files, with a name for each.
• File carving is the process of recovering files without this metadata, by
analysing the raw data and identifying what it is (text, executable, PNG, MP3
and so on).
• Plain text files and e-mails have neither a header nor a footer, so they are
recognised by their content instead: a long run of printable characters, or a
characteristic string such as an e-mail header field, serves as the identifier.
Understanding File Carving 40

• Carving is scraping data from slack space or unallocated space and rebuilding
it into a format that makes it viewable, in whole or in part.
• Multimedia files stored on storage devices or in computer memory can be
recovered using the file carving approach.
• Header-footer or header-"maximum file size" carving: recover files based on
known headers and footers, or on a header plus a maximum file size when the
format has no footer
 JPEG: "\xFF\xD8" header and "\xFF\xD9" footer
 GIF: "\x47\x49\x46\x38\x37\x61" (GIF87a) or "GIF89a" header and "\x00\x3B"
footer
• File structure-based carving
 This technique uses the internal layout of a file
 Elements are the header, footer, identifier strings and size information
 It is more robust than header-footer carving, because a footer can also
occur inside the file's own data (the thumbnail embedded in a JPEG's EXIF
segment, for example, carries its own FFD8 and FFD9).
File Carving based on known File Headers 41
File Carving based on known File Headers 42
Manual File Carving 43

• A JPEG file starts with the two-byte SOI marker FFD8, immediately followed
by another marker (FFE0 for a JFIF file, FFE1 for an EXIF file). FFD8FFE0 is
therefore the header of a JFIF image, and FFD8FF is the safer signature to
search for.

Manual File Carving 44

• It ends with FFD9, the EOI marker, which is called the trailer.

The rest of the JPEG file lies between the header and the trailer.


Manual File Carving 45

• So if we have any kind of document file that contains an image, if we


locate the header and trailer, we can recover that image from the
document.
Manual File Carving 46
Manual File Carving 47
Manual File Carving 48
Manual File Carving 49

View the image using any photo viewer to confirm it is same as the image
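The manual procedure above (locate FFD8, locate FFD9, cut between them) is header-footer carving, and the file-structure carving named on slide 40 is what fixes its weakness. The following Python example, added here and not part of the lecture, implements both approaches for JPEG and header-footer carving for GIF over a constructed "unallocated space" blob. The embedded JPEG carries an EXIF thumbnail with its own FFD8/FFD9, so the naive carver truncates it while the structure walker recovers it whole. The test images are hand-built minimal byte sequences, not real pictures.

```python
"""Header-footer carving versus structure-aware carving for JPEG, plus header-footer
carving for GIF. Added example; the raw blob and the embedded files are constructed."""
SOI, EOI = b"\xFF\xD8", b"\xFF\xD9"


def _segment(marker, payload):
    """Build one length-prefixed JPEG segment (the length counts its own two bytes)."""
    return b"\xFF" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def carve_jpeg_naive(data, start):
    """Header-footer rule from the slides: end at the first FFD9 after the header."""
    end = data.find(EOI, start + 2)
    return None if end < 0 else end + 2


def _is_real_marker(b):
    # Inside entropy-coded data FF is followed by 00 (byte stuffing) or D0-D7
    # (restart markers); anything else is a genuine segment marker.
    return b != 0x00 and not 0xD0 <= b <= 0xD7 and b != 0xFF


def carve_jpeg_structured(data, start):
    """Walk the segment table so an embedded thumbnail (its own FFD8..FFD9 inside
    APP1) cannot end the file early. Returns the end offset or None."""
    if data[start:start + 2] != SOI:
        return None
    pos = start + 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                               # EOI
            return pos + 2
        if marker == 0xFF:                               # fill byte
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:     # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2:
            return None
        pos += 2 + length
        if marker == 0xDA:                               # SOS: skip entropy-coded data
            while pos + 1 < len(data) and not (data[pos] == 0xFF and _is_real_marker(data[pos + 1])):
                pos += 1
    return None


def carve_gif(data, start):
    """GIF87a/GIF89a header to the 00 3B trailer (naive; a structure-based carver
    would walk the block chain instead)."""
    if data[start + 4:start + 6] not in (b"7a", b"9a"):
        return None
    end = data.find(b"\x00\x3B", start + 6)
    return None if end < 0 else end + 2


CARVERS = {"jpg": (b"\xFF\xD8\xFF", carve_jpeg_structured), "gif": (b"GIF8", carve_gif)}


def carve(data):
    """Scan raw bytes for known headers and return (type, start, end) triples."""
    found, pos = [], 0
    while True:
        hits = [(data.find(magic, pos), kind) for kind, (magic, _) in CARVERS.items()]
        hits = [h for h in hits if h[0] >= 0]
        if not hits:
            return found
        start, kind = min(hits)
        end = CARVERS[kind][1](data, start)
        if end is None:                                  # damaged or false header
            pos = start + 1
            continue
        found.append((kind, start, end))
        pos = end


# Constructed test data: a JPEG whose APP1 segment carries a thumbnail with its own
# SOI/EOI, then a tiny GIF, both surrounded by unallocated filler.
_THUMB = SOI + _segment(0xDA, b"\x01\x01\x00\x00\x3F\x00") + b"\x12\x34" + EOI
JPEG = (SOI
        + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
        + _segment(0xE1, b"Exif\x00\x00" + _THUMB)
        + _segment(0xDA, b"\x01\x01\x00\x00\x3F\x00")
        + b"\xAB\xCD\xFF\x00\xEF\xFF\xD0\x12"     # entropy data with a stuffed FF00 and an RST0
        + EOI)
GIF = (b"GIF89a\x01\x00\x01\x00\x00\x00\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00"
       b"\x02\x02\x44\x01\x00\x3B")
FILLER = b"\x00" * 8 + b"unallocated "
SAMPLE_DISK = FILLER + JPEG + FILLER + GIF + FILLER
```

After carving, validate each result by opening it in a viewer as the slide suggests; a file the naive carver cut at the thumbnail's FFD9 will still "open" but show only the thumbnail, which is exactly the failure the structure walk avoids.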
What is Operating System Forensics? 50

• Operating system forensics is the process of retrieving useful information
from the operating system (OS) of the computer or mobile device in question,
with the aim of acquiring empirical evidence against the perpetrator.
 An understanding of the OS and its file system is necessary to recover data
for computer investigations.
 The file system gives the operating system a roadmap to the data on the hard
disk and defines how the drive stores data.
 Many file systems exist for different operating systems, such as FAT, exFAT
and NTFS for Windows, and ext2, ext3 and ext4 for Linux.
 Data and file recovery techniques for these file systems include data
carving, slack space analysis and the detection of data hiding.
What is Operating System Forensics? 51

• Another important aspect of OS forensics is memory forensics, which covers
virtual memory, Windows memory, Linux memory, macOS memory, memory extraction
and swap spaces.
• OS forensics also involves web browsing artifacts, as well as messaging and
e-mail artifacts.
• Some indispensable aspects of OS forensics will be discussed in a subsequent
lecture.
Links to explore 52

• https://resources.infosecinstitute.com/topic/file-carving/
• https://digital-forensics.sans.org/summit-archives/2010/eu-digital-forensics-incident-response-summit-bas-kloet-advanced-file-carving.pdf
• https://medium.com/@lavineaoluoch/manual-file-carving-241a309b1f30
• http://index-of.co.uk/presentation/extra_carving_w4.pdf
Reading Task 53

• Windows Memory Forensics: Detecting (Un)Intentionally Hidden Injected Code
by Examining Page Table Entries
https://www.sciencedirect.com/science/article/pii/S1742287619301574
ANY QUESTIONS
