
Daily Blog #10: Milestone 7 and 8 detailed

Hola Reader,
    Another day, another blog! Day 10 and so far I'm enjoying this. It's nice to post regularly and get good feedback. If you are a returning reader, hey there buddy, I hope you are enjoying the new daily format. If you are a new reader, welcome! I have 342 of these blogs left, so you came just in time! Today the milestone series (there are three days of these left, and conveniently three days left this week!) continues with milestones 7 and 8, which I believe are exciting times in a digital forensic examiner's progression.

Milestone 7 - You master re-creation testing.

    Many people are confused when I talk about re-creation testing, and it's something we do a lot in my lab when we encounter certain situations. What is re-creation testing, you ask? It's attempting to reliably reproduce an artifact or an observed state from a forensic image through controlled testing. This usually happens in a virtual machine, but you can also do it with a fresh install of the operating system if you believe a virtual machine may inhibit proper results. Here is a list of situations where I consider re-creation testing:
  • An artifact has been recovered that will not parse correctly,
  • An application is behaving out of the ordinary in a way that affects the normal forensic data it leaves recoverable,
  • You encounter an unknown application and need to understand possible artifacts,
  • You find a new artifact and you need to validate its meaning,
  • You need to test a new tool,
  • You need to test how an artifact changes across different versions of the same artifact or application,
  • An opposing expert has issued an opinion that you are unsure of, and you need to test to see if you can agree or disagree with his findings,
  • You find a system cleaner or wiper and need to see what signs of use it leaves behind.
    In order to do re-creation testing successfully you need to have a test plan, an expected result and a good test environment:
  • A test plan - This can be as simple as 'install X application and see what registry keys it creates', to as complicated as 'virtualize the enterprise network and determine what is recorded when X occurs'. Your test plan needs to state what version of the operating system and application you are planning to test. This will normally be the versions found on the forensic image you are attempting to recreate.
  • An expected result - You should use your understanding of the forensic process and the operating system to predict what will happen. This is important as the test results will increase your knowledge and it gives you direction in your testing.
  • A good test environment - Many times people will get the suspect system booted into a virtual environment to better understand what was occurring on the system. I think doing this is great for understanding more about how your suspect's systems were configured/operated but it is not a good way to do re-creation testing. The goal of re-creation testing is to test for your expected result in a controlled environment. This means you know all the software/service packs/configurations for the system you are testing and whatever the custodian left behind in his original system will not throw you off.
    Re-creation testing is how you go beyond what you've been trained on, read about, or seen presented at a conference, and into your own tested and verified facts. The documentation of this testing will become the basis for your opinion and the defense of your results. As you take on more challenging cases where the activity you're seeing may be unique to your environment and no blog, book, or person can help you, re-creation testing is where you turn for help.
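As an added example, not code from the original post: a small Python harness for the workflow above, a baseline snapshot of the artifacts you care about, the action from the test plan, a second snapshot, a diff, and a check of that diff against the expected result. The application name 'ExampleApp', the registry values, prefetch file names, versions and dates are constructed for illustration.

```python
from dataclasses import dataclass, field

# A snapshot maps an artifact (registry value or file path) to its content or hash.
Snapshot = dict[str, str]

@dataclass
class TestPlan:
    """The test plan from the post: what to test, on which versions, and what you expect."""
    name: str
    os_version: str
    app_version: str
    expected_created: set[str] = field(default_factory=set)
    expected_modified: set[str] = field(default_factory=set)

def diff_snapshots(before: Snapshot, after: Snapshot) -> dict[str, set[str]]:
    """Artifacts created, modified and deleted between the baseline and post-action snapshots."""
    created = set(after) - set(before)
    deleted = set(before) - set(after)
    modified = {k for k in before.keys() & after.keys() if before[k] != after[k]}
    return {"created": created, "modified": modified, "deleted": deleted}

def evaluate(plan: TestPlan, observed: dict[str, set[str]]) -> dict[str, set[str]]:
    """Check the observed diff against the expected result. 'missing' means the prediction
    (or your parser) was wrong; 'unexpected' is where the new knowledge is."""
    return {
        "confirmed": (observed["created"] & plan.expected_created)
                     | (observed["modified"] & plan.expected_modified),
        "missing": (plan.expected_created - observed["created"])
                   | (plan.expected_modified - observed["modified"]),
        "unexpected": (observed["created"] - plan.expected_created)
                      | (observed["modified"] - plan.expected_modified)
                      | observed["deleted"],
    }

# Constructed sample snapshots for a hypothetical 'ExampleApp' install; in a real
# test they come from exporting the registry/file listing of the clean VM before
# and after performing the action in the test plan.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
BEFORE: Snapshot = {RUN_KEY: "", r"C:\Windows\Prefetch\EXPLORER.EXE-ABCD1234.pf": "sha1:aaaa"}
AFTER: Snapshot = {
    RUN_KEY: r"ExampleApp=C:\Program Files\ExampleApp\app.exe",   # modified, predicted
    r"HKCU\Software\ExampleApp\InstallDate": "2013-06-20",          # created, predicted
    r"C:\Windows\Prefetch\EXPLORER.EXE-ABCD1234.pf": "sha1:aaaa",  # unchanged
    r"C:\Windows\Prefetch\APP.EXE-12345678.pf": "sha1:bbbb",       # created, not predicted
}
PLAN = TestPlan("ExampleApp install", "Windows 7 SP1", "ExampleApp 1.0",
                expected_created={r"HKCU\Software\ExampleApp\InstallDate", r"HKCU\Software\ExampleApp\Path"},
                expected_modified={RUN_KEY})

def run_example() -> dict[str, set[str]]:
    return evaluate(PLAN, diff_snapshots(BEFORE, AFTER))
```

The 'unexpected' bucket (here the new prefetch file) is what you document and fold back into the next version of the test plan.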

    This is a big topic and one I plan to follow up with a better framework/example for testing in the coming weeks. If you are currently working to achieve this milestone, here is some advice: I know it seems hard and a time sink right now, but the better you get at this the better your results will be. It's easy for an opposing expert to argue against probable outcomes and conjecture; it's very hard to disprove documented test results!

Milestone 8 - Your processes and workflow become not only understandable, but accepted by 3rd parties.

    This milestone is all about the maturity of your process. You understand your workflows, and the types of cases you typically work, well enough to create a repeatable process of artifacts to check and their meaning. The major reason to do this is to allow others you bring in to collaborate on investigations to follow the workflow you've verified to produce reliable results as they work their way through the first milestones.

    The other major purpose is documenting and defending your process when it is questioned by third parties. This can come from whoever is requesting or reviewing your work: auditors, regulatory agencies or opposing expert witnesses, to name a few.

    Documenting your processes and workflows takes time, but you will be better for it, and if you are able to do it in a group setting you will likely be able to pool your knowledge for a better end result.

    That's all for today's post. As I write these milestones I see more places where I feel dedicated blogs are necessary to really explain my experiences and lessons learned so you can avoid making my mistakes. Glad I have 342 more of these to fit those in!
