Computer Forensics: Forensic Techniques, Part 2 [Updated 2019]
Introduction
This is a continuation of our “Forensic Techniques” series, in which we discuss some of the most common yet powerful computer forensic techniques for beginners. In Part 1, we took a look at live forensics, file carving, data/password recovery, known file filtering, and email header analysis. Part 2 will feature slightly more advanced techniques, so make sure to go through Part 1 to familiarize yourself with the basics. In conjunction, both parts should help you lay a solid foundation for a successful digital forensics career.
Learn Digital Forensics
This series of articles on forensic techniques is designed to complement InfoSec's Computer Forensics Boot Camp. Thus, these articles are highly recommended for any prospective students of the Certified Cyber-Forensics Professional (CCFP) certification. You will find that many topics in the course relate directly to the forensic techniques discussed here. If you don’t plan on taking the course, no problem – this article also serves as a highly accessible entry-point into the world of computer forensics.
So, with the formalities out of the way, let’s begin!
Graphical Image Analysis
Definition
The extraction of information, such as metadata and geotags, from images for investigative purposes.
Overview
In a world that is becoming increasingly reliant on visual data, image analysis can without exaggeration be regarded as a crucial skill for a computer forensic professional. Most images, apart from the obvious pixel data, also carry various other kinds of information. Graphical image analysis is the collection of techniques used to extract meaningful information from such images: image metadata, the MIME type, and so on. Within the metadata of photographs you can sometimes find geotags, GPS-based localization data recording the latitude and longitude of where the photograph was taken. You can also determine whether an image has been tampered with through error level analysis (ELA). This technique scans the image for differences in compression level; two regions with substantially different results are an indication that the image has been edited.
Example
Due to the rising popularity of image analysis in digital forensics, you can find a number of online tools designed for professionals. One such tool is Ghiro’s automated image analyzer. It is free to use, but you cannot use it for batch analysis. Image analysis is considered a key skill for criminologists and security experts, used for investigating CCTV footage, satellite images, and even infrared images.
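As an added example (not code from the original article or from Ghiro), the following Python pulls a geotag out of a JPEG by hand: it walks the JPEG marker segments to the Exif APP1 segment, follows the TIFF IFD0 entry that points at the GPS IFD, and converts the degree/minute/second rationals to decimal degrees. The sample file is constructed in the block itself; real photographs carry many more tags, but the structure read here is the same.

```python
import struct

GPS_IFD_POINTER = 0x8825                        # IFD0 tag whose value is the GPS IFD offset
GPS_TAGS = {1: "lat_ref", 2: "lat", 3: "lon_ref", 4: "lon"}   # GPS IFD tags read here

def ifd_entries(tiff, bo, off):
    """Yield (tag, type, count, 4-byte value-or-offset field) for each entry of one IFD."""
    for i in range(struct.unpack(bo + "H", tiff[off:off + 2])[0]):
        e = tiff[off + 2 + 12 * i:off + 14 + 12 * i]
        yield (*struct.unpack(bo + "HHI", e[:8]), e[8:])

def exif_gps(jpeg):
    """Return (lat, lon) in decimal degrees from a JPEG's Exif GPS IFD, or None if absent."""
    pos, tiff = 2, None                         # walk marker segments after SOI (FF D8)
    while tiff is None and pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = jpeg[pos + 10:pos + 2 + seg_len]   # TIFF structure follows "Exif\0\0"
        pos += 2 + seg_len
    if tiff is None:
        return None
    bo = ">" if tiff[:2] == b"MM" else "<"      # TIFF byte-order mark: MM big, II little
    ifd0 = struct.unpack(bo + "I", tiff[4:8])[0]
    gps = [struct.unpack(bo + "I", v)[0] for t, _, _, v in ifd_entries(tiff, bo, ifd0)
           if t == GPS_IFD_POINTER]
    if not gps:
        return None
    g = {}
    for tag, typ, cnt, v in ifd_entries(tiff, bo, gps[0]):
        if tag in GPS_TAGS and typ == 2:        # ASCII ref ("N"/"S"/"E"/"W") fits in the field
            g[GPS_TAGS[tag]] = v[:cnt].rstrip(b"\x00").decode()
        elif tag in GPS_TAGS and typ == 5:      # three RATIONALs (deg, min, sec) at an offset
            o = struct.unpack(bo + "I", v)[0]
            r = struct.unpack(bo + "6I", tiff[o:o + 24])
            g[GPS_TAGS[tag]] = r[0] / r[1] + r[2] / r[3] / 60 + r[4] / r[5] / 3600
    if len(g) < 4:
        return None
    return (g["lat"] * (-1 if g["lat_ref"] == "S" else 1),
            g["lon"] * (-1 if g["lon_ref"] == "W" else 1))

def sample_jpeg():
    """Constructed JPEG holding only an Exif APP1 segment, geotagged 51 30 26.4 N / 0 7 39.6 W."""
    ifd0 = struct.pack(">HHHII", 1, GPS_IFD_POINTER, 4, 1, 26) + b"\0\0\0\0"   # GPS IFD at 26
    gps = (struct.pack(">H", 4) + struct.pack(">HHI4s", 1, 2, 2, b"N\0\0\0")
           + struct.pack(">HHII", 2, 5, 3, 80) + struct.pack(">HHI4s", 3, 2, 2, b"W\0\0\0")
           + struct.pack(">HHII", 4, 5, 3, 104) + b"\0\0\0\0")   # rationals at 80 and 104
    tiff = (b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps
            + struct.pack(">6I", 51, 1, 30, 1, 264, 10) + struct.pack(">6I", 0, 1, 7, 1, 396, 10))
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Because the geotag is just a metadata field, its absence proves nothing and its presence should be weighed against the rest of the metadata (camera model, timestamps) before being relied on.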
Event correlation
Definition
The analysis of a network's activity logs to establish a chain of events.
Overview
Event correlation is one of the most widely used digital forensic techniques, because it is often the first step in a forensic investigation. Essentially, security professionals are tasked with analyzing the activity logs of a specific network (every network keeps log files detailing its traffic). These tell them what they need to know about the network traffic, and which events transpired before a critical failure or security compromise.
Example
Event correlation is often used as an initial step in tracing the source of a hack. As logs contain a full chronological timeline of the events registered on the network, they can be helpful in determining the cause of security breaches.
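As an added example (not part of the original article), the following Python correlates two constructed log sources, an sshd auth log and a web access log in Common Log Format, into one timeline, flags the sequence an investigator looks for first (a run of failed logins followed by an accepted login from the same address within a few minutes), and then lists what that address did afterwards. All log lines, usernames and addresses are constructed; both logs are assumed to be in UTC.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from any real system): an sshd auth log and a web access log.
AUTH_LOG = """\
2019-03-04T10:00:01 sshd[412]: Failed password for root from 203.0.113.7 port 51000 ssh2
2019-03-04T10:00:03 sshd[412]: Failed password for root from 203.0.113.7 port 51002 ssh2
2019-03-04T10:00:05 sshd[413]: Failed password for admin from 203.0.113.7 port 51004 ssh2
2019-03-04T10:00:09 sshd[414]: Accepted password for admin from 203.0.113.7 port 51006 ssh2
2019-03-04T10:05:00 sshd[420]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
"""
WEB_LOG = """\
203.0.113.7 - - [04/Mar/2019:10:00:12 +0000] "POST /admin/upload HTTP/1.1" 200 512
198.51.100.20 - - [04/Mar/2019:10:04:40 +0000] "GET /index.html HTTP/1.1" 200 2048
"""
AUTH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+)")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def parse_events(auth_log, web_log):
    """Normalise both sources to (time, ip, source, description), sorted into one timeline.
    Both logs are assumed to be in UTC, so the web log's offset is dropped after parsing."""
    events = []
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, outcome, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), ip, "auth", f"{outcome} login for {user}"))
    for line in web_log.splitlines():
        m = WEB_RE.match(line)
        if m:
            ip, ts, method, path = m.groups()
            t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            events.append((t, ip, "web", f"{method} {path}"))
    return sorted(events)

def brute_force_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Return {ip: time} for addresses whose accepted login was preceded, within the window,
    by at least min_failures failed logins: the classic brute-force-then-compromise sequence."""
    flagged = {}
    for t, ip, src, desc in events:
        if src == "auth" and desc.startswith("Accepted"):
            failures = [e for e in events if e[1] == ip and e[2] == "auth"
                        and e[3].startswith("Failed") and t - window <= e[0] < t]
            if len(failures) >= min_failures:
                flagged[ip] = t
    return flagged

def activity_after(events, ip, since):
    """The chain of events from one address from a given moment on: what it did after getting in."""
    return [(t.isoformat(), src, desc) for t, e_ip, src, desc in events if e_ip == ip and t >= since]
```

The same normalise-then-sort step is what makes clock skew between sources visible; in a real case, check each source's time zone and offset before trusting the merged order.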
Cryptanalysis/Steganalysis
Definition
Decoding data that has been concealed through either cryptography or steganography.
Overview
Deciphering data is one of the oldest investigative approaches, far predating the advent of computing. In the digital age, however, modern methods of hiding data using cryptography and steganography have revived interest in this domain. Cryptanalysis is the process of decrypting data that has been encrypted with ciphers. Steganalysis, similarly, is the study of finding hidden data in ordinary messages or files. The difference between the two lies in how the message is concealed: encrypted data is unintelligible, so one can tell that a message has been encrypted, whereas steganography hides data inside non-secret carriers. These could be text files, audio files, or, most commonly, images.
Example
Cryptanalysis is common when decoding messages that have been intercepted by law enforcement. Typical techniques include brute-force decryption and man-in-the-middle attacks. Lists of popular cryptanalysis tools are easy to find online.
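Added example, not from the original article: a minimal LSB steganalysis in Python. A constructed 8-bit grayscale cover is placed beside a copy carrying a pseudo-random payload in every pixel's least-significant bit, and the pairs-of-values chi-square test (Westfeld and Pfitzmann) separates the two, because replacing LSBs with random bits flattens the counts of each value pair (2k, 2k+1). The cover statistics and the payload are constructed, and the "about 1 versus well above 1" reading assumes the payload was compressed or encrypted before embedding; plain ASCII text equalises the pairs only partially.

```python
import random

def lsb_embed(pixels, payload):
    """Write payload bits into the least-significant bit of successive pixels (the classic
    LSB-replacement scheme that the test below is designed to detect)."""
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit
    return out

def lsb_extract(pixels, n_bytes):
    """Recover n_bytes of payload from the LSB plane, the extraction step of steganalysis."""
    bits = [p & 1 for p in pixels[:8 * n_bytes]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def pair_chi_square(pixels):
    """Pairs-of-values test. Replacing LSBs with random bits only moves pixels between 2k and
    2k+1, so the two counts in each pair converge. Returns chi-square per degree of freedom:
    about 1 means the pairs are as even as chance allows (consistent with embedding);
    well above 1 means the natural imbalance of an untouched cover survives."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat, pairs = 0.0, 0
    for k in range(0, 256, 2):
        expected = (hist[k] + hist[k + 1]) / 2
        if expected > 0:
            stat += (hist[k] - expected) ** 2 / expected + (hist[k + 1] - expected) ** 2 / expected
            pairs += 1
    return stat / max(pairs - 1, 1)

def sample_pair(seed=7, n=20000):
    """Constructed 8-bit grayscale cover (values around 128, even values over-represented, a
    crude stand-in for the quantisation bias real covers show) and a stego copy carrying a
    pseudo-random payload, standing in for an encrypted message, in every pixel's LSB."""
    rng = random.Random(seed)
    cover = [min(255, max(0, int(rng.gauss(128, 40)))) for _ in range(n)]
    cover = [v & ~1 if rng.random() < 0.7 else v for v in cover]
    payload = bytes(rng.getrandbits(8) for _ in range(n // 8))
    return cover, lsb_embed(cover, payload), payload
```

On a real image the test is run on the pixel plane of a decoded file; a cover that happens to have even pairs, or a payload that fills only part of the image, weakens the signal, which is why this statistic is a lead to follow up, not a verdict.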
Sandboxing
Definition
Running suspicious programs or code in an isolated environment.
Overview
Sandboxes are safe virtual environments that can be used to test programs from unverified sources. Using a sandbox can be helpful in containing threats that come bundled with untrusted software. Sandboxes generally assign a portion of hardware resources to run virtual machines, including CPU cores, memory, and disk space; you may think of sandboxing as a special case of virtualization. A key distinction between them is that, unlike virtualization, sandboxing heavily restricts network access to the guest operating system, which limits a program’s ability to spread any viruses it may contain.
Example
Sandboxing tools like Sandboxie are used by forensic specialists to identify and contain potentially hostile programs. Sandboxie emulates a fairly rudimentary Windows-based operating system. You can safely run any program inside it and, if malware is found in any of them, your host operating system is unaffected.
Network Sniffing
Definition
Capturing and analyzing packets coming and going through a specific network.
Overview
Network sniffing, or packet sniffing, is a technique used by investigators to capture data packets being transferred over a network. These packets are then logged and analyzed. The tools used for such purposes are known as network sniffers or, simply, sniffers. Sniffers intercept data packets and, depending on their capabilities, can pry these packets open to reveal raw data carried inside. In theory, one could monitor a network’s complete traffic using sniffing tools.
Example
One of the most popular network sniffers is Wireshark. It is available for free, and the developers have even made its source code available. Wireshark does it all: capturing packets, logging traffic, and analyzing individual packets.
Data Mining
Definition
Using forensic techniques on unusually large data sets to find meaningful patterns.
Overview
Companies, big and small, are moving towards digitizing their operations, which means that the volume of data they hold is increasing rapidly. And as data volume increases, so does the complexity of its analysis. Data mining refers to the processing of large amounts of data to extract useful information from it. While it is largely used for recognizing business trends, data mining has also found its way into computer forensics. When investigating extremely large datasets, forensic professionals first have to identify the relevant data through data mining techniques such as pruning and clustering.
Example
While data mining may not be considered a pure forensic technique in and of itself, it can be used as a time-saving mechanism when faced with unmanageably vast amounts of data. The knowledge of data mining methods can go a long way in assisting forensic experts in time-sensitive investigations.
Evidence Visualization
Definition
Visualizing forensic evidence in order to recognize valuable patterns during investigation.
Overview
An extension of timeline analysis (discussed in Part 1 of this article), evidence visualization attempts to represent evidence in a visual format. As images are more intuitive than text, evidence visualization can greatly speed up the investigative process, in addition to identifying new, pertinent patterns. This is tangentially related to data mining, as it also works best when the amount of evidence is too large for regular forensic analysis.
Example
Forensic professionals have started to adopt visualization as an important forensic practice. Digital forensics tools like EnCase are used to gather forensic evidence, and this evidence is then fed to a pattern recognition engine (for example, scikit-learn for Python). Finally, the results from the engine are passed on to a visualization or graph-plotting library, which presents a visual representation of the evidence.
Conclusion
In this second part of our series of introductory articles on computer forensic techniques, we shed light on a number of popular methods used by forensic specialists to aid their investigations. Going through both parts of this series will give you invaluable knowledge of both classic and modern digital forensic techniques. Moreover, it will also give you the confidence to pursue InfoSec's Computer Forensics Boot Camp. And if you've gone through both parts of the series, then congratulations: you already have more investigative techniques under your belt than most computer forensic professionals.