Saturday, November 10, 2018

Digital Forensics:eLearnSecurity Certified Digital Forensics

Digital Forensics:eLearnSecurity Certified Digital Forensics Professional (eCDFP) – a friendly dive into digital forensics

เตรียมความพร้อมเพื่อสอบ Certified Digital Forensics

eLearnSecurity Certified Digital Forensics Professional

Through the ongoing war raged against the security community by big name companies who want to charge my kidneys for a certification I have found solace in eLearn’s platform. As such I will be taking multiple of their courses, though this is the first I have seen to the end (yes I got certified, woot). The course itself was very well done, having very straightforward material (sans multiple spelling/grammatical errors, if you are a Grammar Nazi this course may bug you a bit) and labs (though the test was a little iffy, which I’ll get into later). Another nice part about this course is that all of the tools used are open source/freeware, so you don’t need to buy some fancy product to do your job (though I will admit some of them can be nice). The course itself covers the following sections:

  1. Introduction to Digital Forensics
  2. Data Acquisition
  3. Data Representation & Files Examination
  4. Disks
  5. File Systems
  6. Windows Forensics
  7. Network Forensics
  8. Log Analysis
  9. Timeline Analysis
  10. Reporting (important but.. yawn)
 
The introduction modules was actually very important (sometimes I feel you can skip the intro sections for things). However, they covered some very key points that tie into forensics (especially digital) specifically. These points are:

  • The main goal of a digital investigation is to answer the 5 “W’s”, i.e. the What, Where, When, Who, and How related to a digital incident. This may seem kind of obvious, but it is extremely important to help out the client and build a strong case so you can charge a criminal if it goes to court or even just help them get their insurance claim (as is the case for a lot of ransomware cases). Those 5 “W’s” are a great guide to help start a forensics investigator throughout the investigation.
  • Digital forensics goes beyond just “finding out what the attacker did” and forensics investigators can work in a plethora of different fields, from law enforcement agencies, internal investigation teams, consulting, and even larger scope international investigative teams (whether through law enforcement or an international organization).
  • Digital forensics has a life cycle, and like most things it can be repeated over and over again. This life cycle is “Acquisition <> Analysis <> Presentation” and it is important to remember that each step could be revisited multiple times throughout an investigation as new pieces of evidence are brought to light or old ones need to be re-examined.
  • Forensics (in general) takes a scientific method approach, and if you remember from high school that means lots of note taking as a process should be able to be repeated to lead to the same result or conclusion. This is highly important and depending on the scope of the case or type of the case it may be extremely important to document everything that you do, so find a note taking method that works for you and stick with it.


The rest of the course is pretty straightforward and I won’t dive to deep into it here or go into exactly what each step is as I figure the module names are pretty descriptive of what they are all about. What I do think this course lacks is some more in depth experience with some of the artifacts that you come across. Like some of the labs could have been made (especially the Windows’ ones) a little bit longer and little bit less straightforward, more real life scenario. For example, MFT in NTFS file systems is a huge forensic artifact for seeing what was on disk and when. I’ve always used it to help build a timeline for cases irl, and though it is talked about in the course, it isn’t really explored in the labs or in the exam. Another thing that this course lacks is a look at linux forensics, though parts may be slightly covered (think log analysis) in some modules there is no talk about location, per say or meaning. Though in the wild, let’s be honest, you will definitely encounter some nix boxes (including mac), but you will most definitely encounter Windows, a lot of Windows boxes. That being said the course does do a good job of covering that, including older systems and going into detail about artifact differences between different versions.

Let’s talk about the exam. There are 30 questions total, all multiple choice, since I had to take it twice I can tell you that they are not the same each time. You get one 24 hour period to take it and the first 15 questions are completely theory; and if you have gone through the material they will be pretty straightforward to answer, though some you may have to look back at the material for. The last 15 are a little trickier as they require actual hands on forensics. There were a few questions that I complained about (like one question suggesting that “bad” images contain “kittens”, when really the only suspicious photos were of things from the tv series “Mr. Robot”, and there was no photos of kittens or options to select 0). Other than that though I’d suggest taking it slow, and thinking through each artifact. What is nice is that you don’t have to write up a report (I’m sure version 2 may change this), so get it while you can.

Overall, it was an enjoyable experience and I think it would be beneficial for noobs and 1337s alike. I also found that if you are a red teamer this may be a good/cheaper way to get an inside scoop on the artifacts that forensic examiners look at, and their process, which may in turn help you cover your tracks when performing an exercise. That being said, if you do decide to take the course, glhf, and take it slow, really ingesting what each artifact is and how it affects the investigation will help in the long run outside of the course.


Digital Forensics Professional (DFP) — Launch Webinar



Some Tools Gone Over:
Autopsy https://www.sleuthkit.org/autopsy/
OSFMount https://www.osforensics.com/tools/mount-disk-images.html
FTK Imager http://accessdata.com/product-download/ftk-imager-version-3.4.3
dd https://linux.die.net/man/1/dd
DCode http://www.digital-detective.net/digital-forensic-software/free-tools/
Volatility http://www.volatilityfoundation.org/
HashCalc http://www.slavasoft.com/hashcalc/
Bambiraptor https://www.brimorlabs.com/tools/
ExifTool https://www.sno.phy.queensu.ca/~phil/exiftool/
ExifReader http://www.takenet.or.jp/~ryuuji/minisoft/exifread/english/
PhotoRec http://www.cgsecurity.org/wiki/PhotoRec
Active Disk Editor http://www.disk-editor.org/
WinHex https://www.x-ways.net/winhex/
bulk_extractor https://github.com/simsong/bulk_extractor
MFTCarver https://github.com/jschicht/MftCarver
SleuthKit http://www.sleuthkit.org/
PowerForensics https://github.com/Invoke-IR/PowerForensicshttps://github.com/Invoke-IR/PowerForensics
Immunity http://www.immunityinc.com/products-immdbg.shtml
WinDBG https://docs.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk
Wireshark https://www.wireshark.org/

 reference:

https://inurdata.sh/elearnsecurity-certified-digital-forensics-professional-ecdfp-a-friendly-dive-into-digital-forensics/ 

หมายเหตุ:เนื้อหาในเว็บไซต์นี้มีขึ้นเพื่อวัตถุประสงค์ในการให้ข้อมูลและเพื่อการศึกษาเท่านั้น

* หากมีข้อมูลข้อผิดพลาดประการใด ขออภัยมา ณ ที่นี้ด้วย  รบกวนแจ้ง Admin เพื่อแก้ไขต่อไป
ขอบคุณครับ

#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud

1 comment: