SANS Investigate Forensics Toolkit – Forensics Martial Arts Part 2
This is a continuation of the first article on SANS Investigate Forensics Toolkit. In this article we will be covering the rest of the tools discussed earlier in the start of the article.
Maltego
Learn Digital Forensics
Maltego is an open source intelligence gathering and forensics tool. It provides a library of transforms for the discovery of data from open sources and visualizing that information in a graph format. It provides a link between people, websites, groups and all other Internet infrastructure which might be connected to some entity.
For using this we need to create an account and then log in using that credentials.
Once we have logged in, we will have a long list of infrastructure which we may use for information gathering. This is a very powerful tool because of the link that it creates.
Now let us start some investigation/ intelligence gathering about example.com. This has been done purely for demonstration purpose.
Now let us run all transforms by right clicking the domain entity. We can see a large amount of information being shown to us.
We can also run specific transforms to gather more information on particular entities. Hence you can see that we were able to gather a lot of information. Similarly, doing multiple transforms can keep digging out more information. Go ahead and try this on any entity you may wish to.
PTK
The PTK tool is digital forensic tool and is a GUI for SleuthKit. This uses a centralized database for case management and has the ability to allow multiple investigators to work on the same case. It has an interesting feature of timeline analysis and file timestamps that clearly lists the timeline of all the activities. My personal opinion is that this is one of the best tools to do for digital forensic investigation.
Let us have some hands on now with it. This is how the interface looks:
Let us create a new case to do the forensic investigation. We have our first case created here:
Now let us add some raw image to perform our investigation. We have the option to calculate MD5 and SHA1 hashes as well. After filling in the details, finally we have the image added in our case:
We now move on to some indexing operations for the image to keep a track of our investigation.
Now let us move to some analysis, where we will analyze the image for forensic evidence. So we have it here, a detailed view of all the files on the image with time stamping, modification timings, and md5 hashes as well. This is just fabulous! We can export these images for further investigation as well as have all the details about a specific file.
The timeline feature which I talked about previously in the article above is just awesome. I can have a view of all the files and activity which was done on a particular timeline which helps a lot in the investigation. So here is how we do it. Suppose I want to find out what files were accessed during which a particular incident happened. I simply put in the date which I suspect and get the results.
We also have the feature to view the file details or the particular file in the timeline:
PTK has a keyword search that helps to do searches for important keywords during a forensic investigation. We here search for the keyword "password," let us see if it fetches some good results for our investigation. On searching for this keyword, we find a file named secret.txt which contains the keyword. This keyword searching may give a lot of important information during an investigation and is hence very important.
Let us view this file to find out contents that might be interesting. Looks as if we have some of the user's passwords.
We also have a Gallery section that segregates out all the images to make our investigation simpler. Here is how it looks:
PTK also gives us the option to view complete details of the image being forensically investigated. Here is how we do it:
We also have options for bookmarking certain items that might be important and a neat report generator as well. PTK makes forensics extremely easy and a piece of cake!
Volatility
Volatility is one of the best tools for live memory forensics. It comes bundled with SIFT for doing memory forensics. Here it is:
I have already covered the Volatility framework in detail here. Please check this out.
https://resources.infosecinstitute.com/memory-forensics-and-analysis-using-volatility/
SANS Cheatsheets
There are a few cheatsheets provided by SANS in SIFT to make forensic work pretty easy. It is recommended that you check them out.
Command Line Tools
There is further a long list of command line tools present under /usr/local/bin:
Mobile Forensics
SIFT comes bundled with mobile forensics tools such as Blackberry Analyzer and iPhone Analyzer which are pretty much effective.
Reference Links for Parts 1 and 2
http://computer-forensics.sans.org/community/downloads
https://encrypted-tbn2.gstatic.com/images?q=tbn:ANd9GcRWtZAbGq0mmcDk638vPrgMA9kmzugZDsG3qPoG2JSLMsaedlfR
http://en.wikipedia.org/wiki/Maltego
http://en.wikipedia.org/wiki/PTK_Forensics
Learn Digital Forensics
www.basistech.com/conference/2010/osdf-slides/forte-ptk-forensics.pdf
In this Series
- SANS Investigate Forensics Toolkit – Forensics Martial Arts Part 2
- Digital forensics and cybersecurity: Setting up a home lab
- Top 7 tools for intelligence-gathering purposes
- iOS forensics
- Kali Linux: Top 5 tools for digital forensics
- Snort demo: Finding SolarWinds Sunburst indicators of compromise
- Memory forensics demo: SolarWinds breach and Sunburst malware
- Digital forensics careers: Public vs private sector?
- Email forensics: desktop-based clients
- What is a Honey Pot? [updated 2021]
- Email forensics: Web-based clients
- Email analysis
- Investigating wireless attacks
- Wireless networking fundamentals for forensics
- Protocol analysis using Wireshark
- Wireless analysis
- Log analysis
- Network security tools (and their role in forensic investigations)
- Sources of network forensic evidence
- Network Security Technologies
- Network Forensics Tools
- The need for Network Forensics
- Network Forensics Concepts
- Networking Fundamentals for Forensic Analysts
- Popular computer forensics top 19 tools [updated 2021]
- 7 best computer forensics tools [updated 2021]
- Spoofing and Anonymization (Hiding Network Activity)
- Browser Forensics: Safari
- Browser Forensics: IE 11
- Browser Forensics: Firefox
- Browser forensics: Google chrome
- Webinar summary: Digital forensics and incident response — Is it the career for you?
- Web Traffic Analysis
- Network forensics overview
- Eyesight to the Blind – SSL Decryption for Network Monitoring [Updated 2019]
- Gentoo Hardening: Part 4: PaX, RBAC and ClamAV [Updated 2019]
- Computer forensics: FTK forensic toolkit overview [updated 2019]
- The mobile forensics process: steps and types
- Free & open source computer forensics tools
- An Introduction to Computer Forensics
- Common mobile forensics tools and techniques
- Computer forensics: Chain of custody [updated 2019]
- Computer forensics: Network forensics analysis and examination steps [updated 2019]
- Computer Forensics: Overview of Malware Forensics [Updated 2019]
- Incident Response and Computer Forensics
- Computer Forensics: Memory Forensics
- Comparison of popular computer forensics tools [updated 2019]
- Computer Forensics: Forensic Analysis and Examination Planning
- Computer forensics: Operating system forensics [updated 2019]
- Computer Forensics: Mobile Forensics [Updated 2019]
- Computer Forensics: Digital Evidence [Updated 2019]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Digital forensics
Digital forensics
Digital forensics
Digital forensics