
Introduction to Digital Forensics (in English)

Posted at 2023-04-11

Introduction

I'm going to write about digital forensics.

Who am I?

I'm a humble engineer.

Expected readers of this article

  • People who want to know about digital forensics
  • People who want to know about introductory books on digital forensics
  • Others

What is digital forensics?

Digital forensics is written as Digital Forensics in English and abbreviated as DF. This article uses that abbreviation as well.

The page of the Digital Forensics Study Group defines DF as follows.

A series of scientific investigation methods and technologies for preserving evidence, investigating and analyzing electromagnetic records in the event of incident response*, legal disputes, and lawsuits, as well as analyzing and collecting information on the falsification and damage of electromagnetic records.

*Incident response = responses to actions (events) such as abuse of resources and environments like computers and networks, denial of service, destruction of data, unintended disclosure of information, and the events that lead to them.

You also need to be familiar with both technology and law, and keep in mind that the law differs between Japan and overseas. What is commonly called fast forensics is one branch of DF.

The Digital Forensics Study Group has published "Evidence Preservation Guidelines". It appears to have been released around February 2023.

Books have also been published. I personally recommend "Learning Digital Forensics from the Basics - From Beginners to Practical Responses".

In the following, I will simply refer to fast forensics as DF.
Cloud forensics is not covered here. The target of forensics is assumed to be an ordinary terminal with an OS in a physical environment.

Commonly used tools in DF

These are the tools I use most often in DF. Malware analysis is not treated as part of DF here.

Carving Tools

First, the terminal infected with malware (hereinafter the infected terminal) is converted into an image such as a VM by some means; once it has been converted to a VM, carving is possible with the following tools.

CDIR-C

Bulk Extractor

Bulk Extractor is very powerful for artifacts that cannot be carved with CDIR-C.

It may be obvious, but avoid touching the data on the infected terminal as much as possible. It is important to be aware of the Chain of Custody.

Simple forensic tool

FTK Imager

  • FTK Imager can extract files and perform simple file recovery, so it is enough to start with, but be aware that recovery is not always possible.

Windows only tools

Registry parsing

KaniReg (requires compilation)

Prefetch parsing

PECmd

PECmd is also covered on this blog.

Parsing memory dumps

Kani Vola

Parse NTFS related files

File recovery tool

Recuva

If you just want to recover files, this is also useful.

Tool for analyzing Windows event logs

Windows event logs are binary files, which makes them difficult to work with. The basic approach is to introduce a paid log analysis tool such as Splunk, but free software also exists. Examples are below.

chainsaw

Hayabusa

Certification in Japan

The "Digital Forensics Professional Certification (CDFP: Certified Digital Forensic Professional)" from the Digital Forensics Study Group can be applied for.

《Qualification Category》
1. Basic qualification (Basics), abbreviation: CDFP-B
2. Practitioner qualification (Practitioner), abbreviation: CDFP-P
3. Manager qualification (Management), abbreviation: CDFP-M

*Acquisition of the "basic qualification" (CDFP Basics) is a prerequisite for obtaining the "practitioner qualification".
The "manager qualification" certification exam is scheduled to be implemented in 2023.

This qualification must be renewed.

2. Practitioner qualification (Practitioner), abbreviation: CDFP-P

The renewal requirements are listed below.

Of particular interest are the following statements.

2. Activities eligible for continuing education points
(1) IDF-sponsored events and subcommittees
Participation in IDF-sponsored IDF community events counts only for those listed as presentations or workshops, at
1 point per hour: if the total participation time is 1 hour or more, convert it to hours and round any fraction up to the next whole point
(e.g. total participation time of 210 minutes = 3.5 hours = 3.5 points, rounded up to
4 points). However, if the total participation time is less than 1 hour, 0 points are given.
Participation in IDF training courses and breakout sessions organized by IDF is counted per course or breakout session at
1 point per hour. If it is more than 1 hour, it is converted to hours and any fraction is rounded up. However, if the participation
time is less than 1 hour, 0 points are given.
The following subcommittees are eligible for continuing education points.
・Technical subcommittee
・Legal and Audit Subcommittee
・Medical Subcommittee
・DF human resource development subcommittee
・Legal Practitioners Subcommittee

If a new subcommittee is established in the future, it will also be eligible for continuing education points.

(2) Other events
Participation in other events such as symposiums and workshops counts 0.5 points per hour; if the total participation time
is 1 hour or more, it is calculated in 10-minute increments and rounded up at the second decimal place (e.g. total participation time of 210 minutes
= 3.5 hours = 1.75 points, rounded up at the second decimal place to 1.8 points).
Events eligible for continuing education points will be announced as soon as they have been decided.

I feel that the renewal requirements are quite strict. Basically, you need to participate in study sessions hosted by IDF.
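The two point rules quoted above, worked through in Python as an added example (not part of the original post or of IDF's materials). It assumes that "calculated in 10-minute increments" means the participation time is truncated to whole 10-minute units before conversion; exact fractions are used so that the rounding rules are applied without floating-point drift.

```python
import math
from fractions import Fraction


def idf_event_points(total_minutes: int) -> float:
    """Points for an IDF-sponsored event or subcommittee.

    1 point per hour; under 1 hour gives 0 points; otherwise the time is
    converted to hours and any fraction is rounded up to the next whole point
    (the quoted example: 210 minutes = 3.5 hours -> 4 points).
    """
    if total_minutes < 60:
        return 0.0
    hours = Fraction(total_minutes, 60)
    return float(math.ceil(hours))


def other_event_points(total_minutes: int) -> float:
    """Points for other symposiums and workshops.

    0.5 points per hour; under 1 hour gives 0 points; otherwise the time is
    counted in 10-minute increments (assumption: truncated to whole 10-minute
    units) and the result is rounded up at the second decimal place, i.e. up
    to one decimal (the quoted example: 210 minutes = 1.75 -> 1.8 points).
    """
    if total_minutes < 60:
        return 0.0
    counted_minutes = (total_minutes // 10) * 10  # assumed 10-minute increments
    points = Fraction(counted_minutes, 60) * Fraction(1, 2)
    return math.ceil(points * 10) / 10


def renewal_points(idf_minutes: list[int], other_minutes: list[int]) -> float:
    """Total points for a list of per-event participation times of each kind.

    Each event is evaluated separately because the 1-hour threshold and the
    rounding apply per event, not to the grand total.
    """
    total = sum(idf_event_points(m) for m in idf_minutes)
    total += sum(other_event_points(m) for m in other_minutes)
    return round(total, 1)


if __name__ == "__main__":
    # Constructed sample: one 210-minute IDF workshop, one 50-minute IDF talk
    # (below the threshold), and one 210-minute external symposium.
    print(renewal_points([210, 50], [210]))
```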

Lastly

In DF, I think it is difficult to identify infected terminals when there are many terminals. Opportunities for individuals to practice DF are mostly limited to CTFs, so I would like to think about how to do it efficiently as an organization.

Malware analysis is introductory, but it is described here, so if you are interested, please take a look.
