Locard’s Exchange Principle says that “every contact leaves a trace”. Extended to the digital world, the aphorism means that every digital crime will produce evidence of itself. That record may be short-lived and hard to spot at scale, but it exists, even if only briefly. Digital forensics requires that an examiner can methodically extract, preserve, and analyze this data, and conducting a sound investigation requires specialized training and tools. The SANS Investigative Forensic Toolkit (SIFT) Workstation supplies the tools.
The SIFT Workstation is an open-source forensics framework for network, registry, memory, and system investigation. The open-source community has long produced high-quality forensic tools, but many of them required the installation of specific dependencies,
so building a robust and comprehensive forensic toolkit by hand was not easy. SIFT Workstation is a one-stop shop that bundles these tools, letting an examiner securely examine raw disk images, multiple file systems, and evidence formats. Let’s take a look at five of the most important tools you will need to know how to use.
1. The Sleuth Kit/Autopsy
The Sleuth Kit (TSK) is a set of command-line tools for extracting forensic data from storage media. The suite is designed around the concept of layers, and each tool operates at one of the following layers:
Media Management Layer
File System Layer
File Layer (“The Human Interface”)
Metadata (“Inode”) Layer
Content (“Block”) Layer
Each tool’s name reflects its purpose through a consistent prefix/suffix scheme. Take “mmls”, which displays the partition layout of a volume system: the prefix “mm” indicates that it operates at the Media Management layer, and the suffix “ls” refers to the Linux command “ls”, which lists files or directories. In other words, “mmls” lists the partitions in a volume system, including partition tables and disk labels.
In “icat”, the prefix “i” indicates that the tool operates at the Metadata (inode) layer, while the suffix refers to the Linux command “cat”, which displays the contents of a file. From the name alone we can infer that “icat” outputs the contents of a file given its inode (metadata address) number. The SIFT Workstation also ships with “Autopsy”, a graphical front end that simplifies interaction with TSK’s tools.
Whether you prefer to work from the command line or through a web browser interface, TSK/Autopsy provides the tools you need to conduct a thorough and robust forensic examination.
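To make concrete what “mmls” reads at the Media Management layer, here is an added Python example (not TSK’s code, and not part of the original article) that parses a DOS/MBR partition table and prints an mmls-style layout, including the unallocated gaps mmls reports. The 512-byte MBR and the disk size are constructed inline for the example; the function names are my own.

```python
import struct

SECTOR = 512
# Partition type byte -> description, the subset of IDs mmls would print for this sample.
PART_TYPES = {0x07: "NTFS / exFAT", 0x83: "Linux", 0x0B: "Win95 FAT32",
              0x05: "DOS Extended", 0x82: "Linux Swap"}


def build_sample_mbr(partitions):
    """Constructed sample: a 512-byte MBR from (status, type, start_lba, length) tuples."""
    mbr = bytearray(SECTOR)
    for i, (status, ptype, start, length) in enumerate(partitions):
        # Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) length(4).
        # CHS fields are left zero; TSK and modern tools use the LBA fields.
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", start, length)
    struct.pack_into("<H", mbr, 510, 0xAA55)  # boot signature 55 AA
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the populated primary partition entries of an MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: bad boot signature")
    entries = []
    for i in range(4):
        status, _, ptype, _, start, length = struct.unpack_from("<B3sB3sII", mbr, 446 + 16 * i)
        if ptype == 0 or length == 0:
            continue  # empty slot
        entries.append({"slot": i, "type": ptype, "start": start,
                        "length": length, "bootable": bool(status & 0x80)})
    return entries


def media_layout(mbr, total_sectors):
    """Volume-system view in the spirit of `mmls -t dos`: the table itself,
    each partition, and the unallocated sector ranges between them."""
    rows = [("Meta", 0, 0, 1, "Primary Table (#0)")]
    cursor = 1  # first sector after the MBR itself
    for e in sorted(parse_mbr(mbr), key=lambda e: e["start"]):
        if e["start"] > cursor:
            rows.append(("-----", cursor, e["start"] - 1, e["start"] - cursor, "Unallocated"))
        end = e["start"] + e["length"] - 1
        desc = "%s (0x%02X)" % (PART_TYPES.get(e["type"], "Unknown"), e["type"])
        rows.append(("%03d" % e["slot"], e["start"], end, e["length"], desc))
        cursor = max(cursor, end + 1)  # max() keeps overlapping entries from moving us backwards
    if cursor < total_sectors:
        rows.append(("-----", cursor, total_sectors - 1, total_sectors - cursor, "Unallocated"))
    return rows


def print_layout(rows):
    print("Units are in %d-byte sectors" % SECTOR)
    print("Slot   Start        End          Length       Description")
    for slot, start, end, length, desc in rows:
        print("%-6s %010d   %010d   %010d   %s" % (slot, start, end, length, desc))


# Constructed sample disk: a bootable NTFS volume at sector 2048 and a Linux volume after it.
SAMPLE_MBR = build_sample_mbr([(0x80, 0x07, 2048, 204800), (0x00, 0x83, 206848, 409600)])
SAMPLE_TOTAL_SECTORS = 819200

if __name__ == "__main__":
    print_layout(media_layout(SAMPLE_MBR, SAMPLE_TOTAL_SECTORS))
    # The Start column is the offset you hand to TSK's lower layers, e.g.
    #   fls -o 2048 image.dd        (File Name layer: list files in the NTFS volume)
    #   icat -o 2048 image.dd 12    (Metadata layer: dump the file at metadata address 12)
```

The point of the layering is visible in the trailing comment: mmls gives you a sector offset, and every lower-layer tool (fls, istat, icat, blkcat) takes that same offset with `-o`, so you never have to carve the partition out of the image before examining it.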
2. Volatility
Modern cyber attacks are increasingly sophisticated and difficult to detect, and they often leave no forensic artifacts on the victim’s hard drive. This, combined with the spread of full-disk encryption, makes it more important than ever to be able to capture and analyze a complete dump of a system’s memory.
Volatility lets an examiner perform memory forensics and recover a great deal of valuable information: it can identify rootkits and rogue processes, retrieve password hashes, and find evidence of malicious code injection. The Volatility framework was designed for malware analysis and incident response, and it is essential for any modern digital forensics examiner.
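One of the ways Volatility spots rootkits and rogue processes is cross-view analysis: compare the process list the kernel’s linked list gives you (the pslist plugin) with the processes carved out of memory by pool-tag scanning (psscan); anything in the second view but not the first has been unlinked or has exited (psxview does this in Volatility 2). The following is an added Python example of that logic, not Volatility’s own code and not part of the original article. The two tables are constructed samples in the shape of Volatility 2 output, and the parent-process expectations are a small, hand-picked set for Vista and later Windows.

```python
import re

# Constructed sample output shaped like Volatility 2's `pslist` (walks the kernel's
# linked _EPROCESS list) and `psscan` (scans memory for _EPROCESS pool tags).
PSLIST_SAMPLE = """\
Offset(V)          Name                    PID   PPID
0xfffffa8000c8d040 System                    4      0
0xfffffa8001a1db30 smss.exe                264      4
0xfffffa8001f1a060 csrss.exe               348    340
0xfffffa8002112b30 services.exe            500    404
0xfffffa80021f0060 svchost.exe             612    500
0xfffffa80023a9b30 explorer.exe           1348   1300
"""

PSSCAN_SAMPLE = """\
Offset(P)          Name                    PID   PPID
0x000000007e48d040 System                    4      0
0x000000007d31db30 smss.exe                264      4
0x000000007d01a060 csrss.exe               348    340
0x000000007cd12b30 services.exe            500    404
0x000000007c6f0060 svchost.exe             612    500
0x000000007b2a9b30 explorer.exe           1348   1300
0x000000007a8c1b30 svchost.exe            1912   1348
0x0000000079e44060 cmd.exe                2204    612
"""

# offset, name, pid, ppid; header lines do not start with 0x and are skipped.
ROW = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)\s*$")

# Expected parent for processes malware likes to masquerade as (Vista and later).
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe"}


def parse_table(text):
    """Return {pid: (name, ppid)} from a pslist/psscan-style table."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs


def hidden_processes(pslist, psscan):
    """Cross-view check: PIDs psscan carved from memory that the linked list does not show.
    Caveat: a process that exited recently also appears here, so treat hits as leads,
    not proof of DKOM unlinking."""
    return {pid: psscan[pid] for pid in psscan if pid not in pslist}


def parent_anomalies(procs):
    """Flag well-known system processes whose parent is not the one Windows would use."""
    anomalies = []
    for pid, (name, ppid) in procs.items():
        want = EXPECTED_PARENT.get(name.lower())
        if want is None:
            continue
        parent = procs.get(ppid)
        parent_name = parent[0] if parent else None
        if parent_name is None or parent_name.lower() != want:
            anomalies.append((pid, name, ppid, parent_name))
    return anomalies


if __name__ == "__main__":
    pslist = parse_table(PSLIST_SAMPLE)
    psscan = parse_table(PSSCAN_SAMPLE)
    for pid, (name, ppid) in sorted(hidden_processes(pslist, psscan).items()):
        print("not in pslist: pid=%d name=%s ppid=%d" % (pid, name, ppid))
    for pid, name, ppid, parent in parent_anomalies(psscan):
        print("odd parent: pid=%d %s spawned by %s (pid %d)" % (pid, name, parent, ppid))
    # Against a real image you would run the plugins themselves, e.g.
    #   vol.py -f memory.raw --profile=Win7SP1x64 psxview
```

In the constructed sample the second svchost.exe stands out twice: psscan finds it but pslist does not, and its parent is explorer.exe rather than services.exe. Each check alone is a lead; both together are what an examiner acts on.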
The enterprise world is a complex one.