First dedicated Forensic Computing Training at TR17

I am looking forward to our newly introduced dedicated Forensic Computing Training at TR17!
We will start the first day with a detailed background briefing about Forensic Computing as a Forensic Science, Digital Evidence, and the Chain of Custody. For the rest of the workshop, we will follow the Order of Volatility, starting with the analysis of persistent storage using file system internals and carving, as well as RAID reassembly, with lots of hands-on case studies using open source tools. As a next step, we will smell the smoking gun in live forensics exercises. Depending on your preferences, we will then dig a bit into memory forensics and network forensics.

The goal of our training is to provide the basic knowledge that is required whenever an incident has to be analyzed in a forensically sound manner, and to cover the techniques needed to cope with the majority of incidents.

You should bring your laptop with administrative privileges and VirtualBox installed.
No deep knowledge of digital forensics is necessary, but as we are dealing with open source Linux command line tools to allow everybody to directly make use of the techniques we show, you should definitely be familiar with Linux and the shell 😉


New Ransomware-Wave Analysis

In the context of a customer project, we examined a new variant of the Locky ransomware. As a law enforcement agency has since stated, this was part of a large wave of attacks hitting various enterprises in the night from Tuesday (2016-07-26) to Wednesday.

As an initial attack vector, the attackers use emails with an attachment that probably even uses a 0-day exploit, which enables the payload to be executed as soon as it is displayed in the MS Outlook preview.

The ransomware encrypts accessible documents and demands that victims pay a ransom in order to be able to decrypt the files. In addition, the malware uses accessible network shares/drives to spread further.

Further information follows in the next section.

It might help to create filtering rules based on the mentioned file names, hash values, URLs, and IP addresses that are named in the rest of this report.

DFRWS EU 2016 Summary

In this article, I want to provide a concise sum-up of the (to me) most interesting talks of this year’s DFRWS EU (

Eoghan Casey, one of the most famous pioneers in digital forensics, and David-Olivier Jaquet-Chiffelle, professor in police science at the University of Lausanne, gave a keynote that emphasized the need for fundamental theoretical research in the field of digital forensics, which I fully agreed with, as this was exactly what I addressed in some of my former research.

Michael Cohen and Arkadiusz Socala received the best paper award for their work “Automatic Profile generation for live Linux Memory analysis”, which was indeed very interesting, and the article is worth reading.

Generic RAID Reassembly using Block-Level Entropy

DFRWS EU 2016 Talk Forensic Raid Recovery
We just presented our paper “Generic RAID Reassembly using Block-Level Entropy” at the DFRWS EU 2016 digital forensics conference ( The article is about a new approach that we developed for forensic RAID recovery. Our technique calculates block-wise entropy across the disks and applies generic heuristics to it to detect all the relevant RAID parameters, such as stripe size, stripe map, disk order, and RAID type, that are needed to reassemble the RAID and make the data accessible again for forensic investigations (or just for data recovery).

We developed an open source implementation of our approach that is freely available at The tool is able to recover RAID 0, RAID 1 and RAID 5 volumes from the single disks or disk images.
It is also able to recover a missing or failed disk in case of RAID 5 systems from the RAID redundancy information.
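
To make the two ideas above concrete (per-block entropy and RAID 5 recovery from redundancy), here is an added Python sketch; it is not the paper's algorithm or the tool's code. The fixed 512-byte block, the entropy threshold, the simple mirror/XOR tests and all function names are assumptions of this example: entropy is used only to skip blocks that carry no information, and the sample volume is constructed.

```python
import math
from collections import Counter
from functools import reduce
from operator import xor

BLOCK = 512  # assumed block size; the real stripe size is what the tool detects

def blocks(image):
    return [image[i:i + BLOCK] for i in range(0, len(image), BLOCK)]

def block_entropy(block):
    """Shannon entropy of one block in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def xor_blocks(parts):
    return bytes(reduce(xor, col) for col in zip(*parts))

def classify(images, min_entropy=1.0):
    """Guess the RAID type from rows whose entropy shows they hold data."""
    rows = [r for r in zip(*map(blocks, images))
            if max(map(block_entropy, r)) >= min_entropy]
    if not rows:
        return "unknown"  # wiped or empty disks satisfy every test trivially
    if all(len(set(r)) == 1 for r in rows):
        return "RAID 1"   # every disk holds the same block
    if len(images) >= 3 and all(not any(xor_blocks(r)) for r in rows):
        return "RAID 5"   # data XOR parity cancels to zero in every row
    return "RAID 0"       # no redundancy found

def rebuild_missing(surviving):
    """RAID 5: a missing disk is the XOR of all surviving disks."""
    return b"".join(xor_blocks(r) for r in zip(*map(blocks, surviving)))

def make_raid5(data, n=3):
    """Constructed test array: one block per stripe unit, rotating parity."""
    disks = [bytearray() for _ in range(n)]
    chunks = blocks(data)
    for row in range(len(chunks) // (n - 1)):
        units = chunks[row * (n - 1):(row + 1) * (n - 1)]
        units.insert(n - 1 - row % n, xor_blocks(units))
        for disk, unit in zip(disks, units):
            disk += unit
    return [bytes(d) for d in disks]

def pattern(i):  # constructed high-entropy filler block
    return bytes((i * 37 + j * 11) % 251 for j in range(BLOCK))
# Constructed sample volume: four data blocks, a zeroed gap, four data blocks.
SAMPLE = b"".join(bytes(BLOCK) if 4 <= i < 8 else pattern(i) for i in range(12))
```

Calling `classify(make_raid5(SAMPLE))` reports RAID 5, and passing any two of the three constructed disks to `rebuild_missing` returns the third.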

