Sec C DF

The document discusses techniques for analyzing digital evidence from networks, systems, and logs. It covers analyzing packet captures, firewall logs, system memory, storage, and Windows event logs. It also discusses tools used for log analysis, memory analysis, and setting up a SIEM using Security Onion or Elastic Stack.

Uploaded by offsechouse
Copyright © All Rights Reserved

DIGITAL FORENSICS

Section C
Analyzing Network Evidence
• Network Evidence Overview
• Analyzing Firewall and Proxy Logs
• NetFlow
• Packet captures
Analyzing Evidence
• Analyzing Network Evidence
• Analyzing System Memory
• Analyzing System Storage
• Analyzing Log Files
Analyze Network Evidence
• Analyzing packet capture
• Analyzing Firewall and proxy logs
– Manual Log Review
– Filtered Log Review
– Log File Searching
– Log File Correlation
– Log File Data Mining
Analyzing System Memory
• It contains the following:
• Running Processes
• Loaded device drivers
• Open registry keys
• Network connections
• Command history
SANS six-part methodology
• Identify rogue processes
• Analyze process DLLs and handles
• Review network artifacts
• Look for evidence of code injection
• Check for signs of a rootkit
• Dump suspicious processes and drivers
Network Connection Methodology
• Suspicious Network connection
• Process name
• Parent process ID
• Associated entities
Analyzing System Storage

Features required to analyze storage:

• file structure view
• hex viewer
• web artifacts
• email carving
• image viewer
• metadata
Autopsy (Tool)
• web artifacts
• emails
• attached devices
• deleted files
• keyword searches
• timeline analysis
• Registry analysis
Analysing Log Files
• Logs and log management
• Security information and event management
• Windows event logs
• Windows event log analysis
Issues with log management
• Establish logging as a normal business practice
• Logging close to the event
• Knowledgeable personnel
• Comprehensive logging
• Qualified custodian
• Document failures
• Log file discovery
• Logs from compromised systems
Network Evidence
• Reconnaissance and Scanning Behaviour
• Initial Infection
• Lateral Movement
• Command and control
• Data exfiltration
Analyzing Firewall and Proxy Logs
• Manual Log Review: review the log line by line
• Filtered Log Review: review log files along specific parameters
• Log File Searching: search for a specific expression
• Log File Correlation: separate log activity can be correlated with
other logs based upon either preconfigured rules or algorithms
• Log File Data Mining: the ability to mine log files and extract
meaning from them
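The five review techniques above, applied in sequence to two constructed log sources. This is an added example and not part of the slide deck: the log formats, addresses, hosts and timestamps are all made up for illustration, and the "scan-like" data-mining rule (one source denied to several distinct destinations on the same port) is an assumed heuristic, not something the slides define.

```python
# Added example (not from the slides): manual parsing, filtered review,
# searching, correlation and simple data mining over constructed logs.
import re
from collections import defaultdict

# Constructed firewall log lines: "timestamp action src dst dport"
FIREWALL_LOG = """\
2023-05-01T10:00:01 ALLOW 10.0.0.5 203.0.113.10 443
2023-05-01T10:00:02 DENY 10.0.0.7 198.51.100.20 445
2023-05-01T10:00:03 ALLOW 10.0.0.5 203.0.113.10 443
2023-05-01T10:00:04 DENY 10.0.0.7 198.51.100.21 445
2023-05-01T10:00:05 DENY 10.0.0.7 198.51.100.22 445
2023-05-01T10:00:06 ALLOW 10.0.0.9 192.0.2.30 80
""".splitlines()

# Constructed proxy log lines: "timestamp client url"
PROXY_LOG = """\
2023-05-01T10:00:01 10.0.0.5 https://update.example.com/patch
2023-05-01T10:00:06 10.0.0.9 http://files.example.net/a.exe
2023-05-01T10:00:07 10.0.0.9 http://files.example.net/b.exe
""".splitlines()

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+)$")
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<url>\S+)$")


def parse(lines, pattern):
    """Manual review step: turn raw lines into dicts, skipping lines that do not parse."""
    records = []
    for line in lines:
        m = pattern.match(line)
        if m:
            records.append(m.groupdict())
    return records


def filtered_review(records, **criteria):
    """Filtered review: keep only records whose fields match every given value."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def search(records, field, regex):
    """Log file searching: records whose field matches a regular expression."""
    pat = re.compile(regex)
    return [r for r in records if pat.search(r[field])]


def correlate(fw_records, proxy_records):
    """Log file correlation: join firewall and proxy activity on the internal host address."""
    by_host = defaultdict(lambda: {"firewall": [], "proxy": []})
    for r in fw_records:
        by_host[r["src"]]["firewall"].append(r)
    for r in proxy_records:
        by_host[r["client"]]["proxy"].append(r)
    return dict(by_host)


def mine_denied_scanners(fw_records, min_distinct_dsts=3):
    """Log file data mining (assumed heuristic): sources denied to many distinct
    destinations on one port, which looks like scanning rather than normal use."""
    dsts = defaultdict(set)
    for r in fw_records:
        if r["action"] == "DENY":
            dsts[(r["src"], r["dport"])].add(r["dst"])
    return {key: len(v) for key, v in dsts.items() if len(v) >= min_distinct_dsts}


def main():
    fw = parse(FIREWALL_LOG, FW_RE)
    px = parse(PROXY_LOG, PROXY_RE)
    print("denied entries:", len(filtered_review(fw, action="DENY")))
    print("executable downloads:", [r["url"] for r in search(px, "url", r"\.exe$")])
    print("scan-like sources:", mine_denied_scanners(fw))
    both = [h for h, v in correlate(fw, px).items() if v["firewall"] and v["proxy"]]
    print("hosts seen in both logs:", sorted(both))


if __name__ == "__main__":
    main()
```

Each function corresponds to one bullet on the slide; on real data the parsers would be swapped for the vendor's log format and the correlation key would usually include a time window as well as the host address.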
Elastic Stack
• Combines three tools together to allow for analysis of large
data sets: Elasticsearch, Logstash, Kibana
• Elasticsearch is a log searching tool, powered by Lucene
• Allows queries on elements such as user IDs, IP addresses, etc.
• A key feature of Elasticsearch is the ability for the platform
to expand the solution
• Useful to organizations that may want to test this
capability
Analyzing NetFlow
• Introduced by Cisco Systems in the 1990s
• Collects specific data about packets as they enter or exit an
interface of a router or switch
• This data is then sent to a NetFlow collector via a NetFlow
exporter
• The collector gathers the data for analysis
• This data is often leveraged by network and system
administrators to troubleshoot bandwidth issues.
NetFlow record fields:
• Src Addr
• Dst Addr
• Sport
• Dport
• Proto
• Packets
• Bytes
• Flow
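A worked pass over flow records with exactly the fields listed above, showing the bandwidth view the slide mentions (bytes per source) and the two incident-response questions a responder asks of the same data: which internal hosts pushed unusually large volumes outbound, and which external hosts reached internal administrative ports. This is an added example, not from the slides; the CSV layout, the addresses, the 10.0.0.0/8 "internal" range and the 10 MB threshold are all constructed assumptions.

```python
# Added example (not from the slides): summarizing constructed NetFlow-style
# records. The record layout and every value are made up for illustration.
import ipaddress
from collections import defaultdict

# Constructed flow export, one record per line, fields in slide order:
# src, dst, sport, dport, proto, packets, bytes, flows
FLOWS_TEXT = """\
10.0.0.5,203.0.113.10,51000,443,TCP,120,96000,1
10.0.0.5,203.0.113.10,51001,443,TCP,80,64000,1
10.0.0.8,198.51.100.9,52000,22,TCP,9000,52000000,1
10.0.0.7,10.0.0.20,53000,445,TCP,40,12000,1
192.0.2.15,10.0.0.7,40000,3389,TCP,15,2000,1
"""

FIELDS = ["src", "dst", "sport", "dport", "proto", "packets", "bytes", "flows"]

# Assumed internal address space; adjust to the network under investigation.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_flows(text):
    """Turn the exported text into a list of typed records, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        for k in ("sport", "dport", "packets", "bytes", "flows"):
            rec[k] = int(rec[k])
        records.append(rec)
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def top_talkers(records, n=3):
    """Bandwidth troubleshooting view: total bytes per source address, largest first."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def outbound_volume(records):
    """Bytes sent from internal hosts to external hosts, per internal source."""
    totals = defaultdict(int)
    for r in records:
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            totals[r["src"]] += r["bytes"]
    return dict(totals)


def large_outbound(records, threshold_bytes=10_000_000):
    """Exfiltration lead: internal sources whose outbound volume meets the threshold."""
    return {src: b for src, b in outbound_volume(records).items() if b >= threshold_bytes}


def external_to_admin_ports(records, ports=(22, 445, 3389)):
    """External sources reaching internal hosts on remote-admin or file-sharing ports."""
    return [(r["src"], r["dst"], r["dport"]) for r in records
            if not is_internal(r["src"]) and is_internal(r["dst"]) and r["dport"] in ports]


if __name__ == "__main__":
    flows = parse_flows(FLOWS_TEXT)
    print("top talkers:", top_talkers(flows))
    print("large outbound:", large_outbound(flows))
    print("external to admin ports:", external_to_admin_ports(flows))
```

The internal range is made explicit rather than derived from `ipaddress.is_private`, because that property also treats the documentation ranges used here (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private and would silently hide the external side of every flow.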
Tools
• Moloch
• Wireshark
• merge
• split
Analyzing System Memory
• Memory analysis overview
• Memory analysis methodology
• Memory analysis with Redline
• Memory analysis with Volatility
• Memory analysis with Strings
Memory analysis overview
• Running processes
• Loaded Dynamic Link Libraries (DLL)
• Loaded device drivers
• Open registry keys
• Network connections
• Command history
Network connections methodology
• Suspicious network connections
• Process Name
• Parent process ID
• Associated entities
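The four steps of the network-connection methodology, walked over constructed tables shaped like the process list and connection list a memory analysis tool produces. This is an added example and not output from Redline, Volatility or any other tool named on the slides; the PIDs, process names, addresses and the "external address on an uncommon port" starting rule are all assumptions made for illustration.

```python
# Added example (not from the slides): start from a suspicious connection,
# resolve the owning process, its parent PID, and the full ancestry chain.
# All PIDs, names and addresses are constructed.
import ipaddress

# Constructed process list: pid -> (process name, parent pid)
PROCESSES = {
    4:    ("System", 0),
    400:  ("wininit.exe", 4),
    612:  ("services.exe", 400),
    1200: ("explorer.exe", 612),
    2400: ("winword.exe", 1200),
    2600: ("powershell.exe", 2400),
    3000: ("chrome.exe", 1200),
}

# Constructed network connections: (pid, local endpoint, remote ip, remote port, state)
CONNECTIONS = [
    (3000, "10.0.0.5:52110", "203.0.113.40", 443, "ESTABLISHED"),
    (2600, "10.0.0.5:52200", "198.51.100.77", 8081, "ESTABLISHED"),
    (612,  "10.0.0.5:49665", "10.0.0.1", 135, "ESTABLISHED"),
]

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range
COMMON_WEB_PORTS = {80, 443}                           # assumed "expected" ports


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_connections(connections):
    """Step 1: external destinations on ports outside the expected set are the leads."""
    return [c for c in connections
            if not is_internal(c[2]) and c[3] not in COMMON_WEB_PORTS]


def parent_chain(pid):
    """Step 4 (associated entities): follow parent PIDs up to the root.
    The 'seen' set guards against loops in a corrupted or hostile process list."""
    chain, seen = [], set()
    while pid in PROCESSES and pid not in seen:
        seen.add(pid)
        name, ppid = PROCESSES[pid]
        chain.append(f"{name}({pid})")
        pid = ppid
    return chain


def investigate(connection):
    """Steps 2-4: process name, parent PID and ancestry for one connection."""
    pid, local, remote_ip, remote_port, state = connection
    name, ppid = PROCESSES.get(pid, ("<unknown>", None))
    return {
        "pid": pid,
        "process": name,
        "ppid": ppid,
        "remote": f"{remote_ip}:{remote_port}",
        "chain": parent_chain(pid),
    }


def triage(connections):
    """Run the full methodology and return one finding per suspicious connection."""
    return [investigate(c) for c in suspicious_connections(connections)]


if __name__ == "__main__":
    for finding in triage(CONNECTIONS):
        print(finding["process"], finding["remote"], " <- ".join(finding["chain"]))
```

The ancestry chain is what turns a bare connection into a finding: a shell spawned by a document-handling application, as in the constructed data, is worth a closer look regardless of what the remote address turns out to be.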
Analyzing System Storage
• File structure View
• Hex Viewer
• Web Artifacts
• Email Carving
• Image Viewer
• Metadata
Analysing Log Files
• Logs and log management
• Security information and event management
• Windows event logs
• Windows event log analysis
Issues with log management
• Establish logging as a normal business practice
• Logging close to the event
• Knowledgeable personnel
• Comprehensive logging
• Qualified custodian
• Document failures
• Log file discovery
• Logs from compromised systems
SIEM
Tasks performed by a SIEM for security and network
analysts related to incident response:
• Log retention
• Log aggregation
• Routine analysis
• Alerting
• Incident response
Security Onion
• A full SIEM is cost prohibitive for some organizations
• It contains the features of OSSEC, Suricata and Snort
• It contains dashboards and tools for deep analysis of log
files
• It is a powerful tool
• It requires some resources in terms of time
• It is a low-cost alternative for small organizations that
cannot afford a full-featured SIEM solution
Security Onion
Elastic Stack
• Elastic Stack is also known as the ELK stack
• It is an open source tool with the features of three tools
combined: Elasticsearch, Logstash and Kibana
• Kibana contains a threat hunter that digests data and then
transforms it into a format that can be analyzed
• It can also be configured as a standalone SIEM solution,
with tools such as Winlogbeat, which forwards Windows event
logs to the Elastic Stack
Elastic Stack
Understanding Windows Logs
• Security log: contains data entries concerning the security of the
system, which includes logons, logoffs, security group membership
and program execution.
• Application log: application developers determine which types of
activity applications will log. These are aggregated in the application
log file.
• System log: often utilized to troubleshoot non-malicious activity,
the system log maintains data that the Windows OS creates.
Useful Windows event Logs
• 4624 and 4634 Logon and logoff
• 4625 Account failed to log on
• 4672 Special privileges assigned to new logon
• 4688 A new process has been created
• 4678-4773 Kerberos service
• 5140 A network share object was accessed
• 7045 A new service was installed

https://www.ultimatewindowssecurity.com/
Analyzing Windows Event Logs
• It is a detailed process.
• The challenge encountered by responders is the sheer number of logs
that they may potentially have to analyze during an incident.
• In the case of multiple systems, the responder may have to deal with
millions of separate event log entries.
• Analysis starts with acquisition, moves into triage, and then
focuses on analyzing the key event logs.
Acquisition
• Ideally, log files should be sent to a SIEM to allow the
responder to search log entries across the enterprise.
• This has an issue of storage costs with both commercial and open
source solutions.
• A simpler technique is to copy the logs from the local system onto
removable disk.
• There is also the option of scripting the acquisition of log files
through simple bash scripts.
• These types of scripts can be run from a USB device or
through remote sessions to reduce interaction with the system.
Scripts can be run from a USB device
Triage
• It is a PowerShell script, developed by Eric Conrad.
• It can detect suspicious Windows event log entries.
• It can detect service creation and account creation.
• It can detect a high number of logon failures.
• It can detect malicious PowerShell usage.
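The four detections listed on this slide, implemented over the event IDs from the "Useful Windows event logs" slide. This is an added example; it is not Eric Conrad's script and not from the slide deck. Event ID 4720 (a user account was created) is not on the event-ID slide but is a real Security-log event. The record layout, every account, host, path and timestamp, the five-failures-in-five-minutes threshold and the list of PowerShell flags treated as suspicious are all constructed assumptions.

```python
# Added example (not from the slides, not Eric Conrad's script): a triage
# pass over constructed Windows event records. All values are made up.
from collections import defaultdict
from datetime import datetime

# Constructed events: (event_id, timestamp, event data fields)
EVENTS = [
    (4624, "2023-05-01T09:00:00", {"TargetUserName": "alice", "IpAddress": "10.0.0.5"}),
    (4625, "2023-05-01T09:00:30", {"TargetUserName": "bob", "IpAddress": "10.0.0.6"}),
] + [
    # six failures against one account from one source inside a minute
    (4625, f"2023-05-01T09:01:{s:02d}", {"TargetUserName": "admin", "IpAddress": "10.0.0.50"})
    for s in range(0, 60, 10)
] + [
    (4720, "2023-05-01T09:05:00", {"TargetUserName": "svc_backup2", "SubjectUserName": "admin"}),
    (7045, "2023-05-01T09:06:00", {"ServiceName": "UpdaterSvc", "ImagePath": "C:\\Users\\Public\\upd.exe"}),
    (4688, "2023-05-01T09:07:00", {"NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                                   "CommandLine": "powershell.exe -nop -w hidden -enc CONSTRUCTEDBASE64"}),
    (4688, "2023-05-01T09:08:00", {"NewProcessName": "C:\\Windows\\System32\\notepad.exe",
                                   "CommandLine": "notepad.exe"}),
]

FAILED_LOGON_THRESHOLD = 5     # assumed threshold
WINDOW_SECONDS = 300           # assumed sliding window
SUSPICIOUS_PS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-nop")  # assumed list


def failed_logon_bursts(events, threshold=FAILED_LOGON_THRESHOLD, window=WINDOW_SECONDS):
    """High number of logon failures: (account, source) pairs with at least
    `threshold` 4625 events inside any `window`-second span; value is the peak count."""
    per_key = defaultdict(list)
    for eid, ts, data in events:
        if eid == 4625:
            per_key[(data["TargetUserName"], data["IpAddress"])].append(datetime.fromisoformat(ts))
    hits = {}
    for key, times in per_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits


def new_services(events):
    """Service creation: every 7045 as (service name, image path)."""
    return [(d["ServiceName"], d["ImagePath"]) for eid, _, d in events if eid == 7045]


def new_accounts(events):
    """Account creation: every 4720 as (created account, creating account)."""
    return [(d["TargetUserName"], d["SubjectUserName"]) for eid, _, d in events if eid == 4720]


def suspicious_powershell(events):
    """Malicious PowerShell usage: 4688 process creations of powershell.exe whose
    command line carries any of the assumed suspicious flags."""
    hits = []
    for eid, _, d in events:
        if eid != 4688 or not d["NewProcessName"].lower().endswith("powershell.exe"):
            continue
        cmd = d["CommandLine"].lower()
        flags = [f for f in SUSPICIOUS_PS_FLAGS if f in cmd]
        if flags:
            hits.append((d["CommandLine"], flags))
    return hits


def triage_report(events):
    return {
        "logon_failure_bursts": failed_logon_bursts(events),
        "new_services": new_services(events),
        "new_accounts": new_accounts(events),
        "suspicious_powershell": suspicious_powershell(events),
    }


if __name__ == "__main__":
    for section, findings in triage_report(EVENTS).items():
        print(section, findings)
```

On a real system the `EVENTS` list would be filled from the exported .evtx files, and the 4688 check depends on command-line auditing having been enabled before the incident, which is one reason the "Issues with log management" slide lists comprehensive logging.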
Analysis
• The event logs that are available will require the use of specialized
tools to dig deeper into the data that they provide.
• The Windows operating system has a native event log viewer.
• In the experience of many responders, that viewer is more suited to
limited troubleshooting than to a deep analysis of the event logs.
Event Log Explorer
• It is an event log analysis tool with a GUI interface.
• The responder can utilize the filter to focus.
• There are 3 main areas:
– Center pane contains the individual log entries
– Lower pane contains the details contained within each log entry
– Left pane includes the Windows event log types
Analyzing Logs with Skadi
• It has the ability to ingest logs and other forensic data.
• CyLR.exe can be configured to send its output via SFTP to
a remote system.
