Types of Digital Forensic Evidence in Cybersecurity Investigations

we come to the third topic of our session today the types of digital forensic

evidences as we dive into the different types of digital evidences commonly encountered in digital forensic

investigations remember that each type of evidence provides unique insights into the circumstances surrounding a in

a cyber security incident or data Bridge so we continue with our scenario at the large financial institute facing a

digital um traing a data Bridge forensic investigators encounter various types of evidences as they conduct their

investigation firstly we have things like Network locks Network locks are very valuable

source of evidence in digital forensic investigation they capture the flow of data between

devices on a network providing insights into communication patterns unauthorized access attempts and suspicious

activities so in our scenario forensic experts analyze Network traffic locks to identify

anomalous Behavior such as unusual data transfers and connections to delicious IP

addresses shedding light on the me on the methods used by the attackers next we have memory dumps also

known as RAM dumps captures the content of the computer's memory at a specific point in time they can contain valuable

information such as running processes open network connections and encryption keys

so in our scenario forensic analysts extract memory Dums from compromise systems to identify active

malicious um softwares analyze volatile data and uncover evidence of unauthorized access

or manipulation next we have the data images which are forensic copies of star

storage devices such as hard disk drives solid state drives creating them using specialized Imaging

tools these images preserve the content of the storage device in a forensically sound manner allowing

investigators to to analyze the data without authoring the original evidence so in our scenario forensic examp

examiners created data images of the compromise systems to conduct to

analysis recover deleted files and even identify evidence of unauthorized access or data

teest lastly we have the file system artifacts which are traces of users activities left behind on a storage

device such as file access time stamps browser histories or recent access documents these artifacts can provide

valuable insights into user Behavior form manipulation and application usage in our scenario forensic

investigators analyze file system artifacts to reconstruct the timeline of events leading up to the data

Bridge Iden ify the attackers activities and correlate digital

evidence with real world events so as we explore the different types of digital evidence it is clear

that each plays a crucial role in uncovering the truth and reconstructing the digital Narrative of a cyber

security incident or data bridge by leveraging a diverse range of evidence sources forensic investigators

can piece together a comprehensive picture of the event leading up to the incident identifying the

perpetrators and support the administration of justice this digital realm so now let's

start let's dive into one of the most crucial types of digital evidence encounter in digital forensic

investigations Network traffic locks these locks provide valuable insights into communication between

devices on the network offering vital Clues to forensic analysts investigating a security incident or or data

Bridge continue with our scenario at the large financial institute facing a data Bridge foren investigators rely heavily

on network traffic locks to piece together the sequences of events leading up to the

bridge so Network traffic locks contain several key pieces of information that are essential for

forensic analysis day and time time stamping indicates when each lock entry was generated

allowing investigators to establish a timeline of events so in all scenario forensic

experts analyze timestamps to identify

suspicious patterns of activities such as late night excess or unusual spikes in Network

traffic next we have the source and destination zones address and ports these fields provide information

about the origin and destination of network traffic including source and destination zones internal or

external IP addresses and port numbers involved in the communication so in our scenario investigators

scrutinize this data to identify unauthorized assess attempts suspicious connections to external IPS or unusual

Port usage indicative of the malicious activities application names the application names identifies the

specific applications for service responsible for generating the Network

traffic this information helps investigators pinpoint the source of suspicious activities and access its

significance in our scenario forensic analysis analyze application names to identify potentially malicious softwares

or unauthorized access attempts masc created as legitimate Network traffic additional key elements that provide

valuable insights into Network activities are Ingress and egress interfaces these fields specify the

network interfaces which the traffic enters and exits the network by analyzing Ingress and eass interfaces

forensic analysts can determine the path taken by the network traffic and identify potential points of Entry or

exit for unauthorized access in our scenario investigators scrutinize this data

to trace the movement of attackers within the network and identify compromise entry

points next we have the bikes that are being transferred this this field indicates the total number of bikes

exchange during the session by analyzing the volume of data transfer forensic experts can assess the

magnitude of the network activities and identify anomalous data transfers indicative of unauthorized access or

data exportation in our scenario investigators analyze btes transferred

to identify unusually large data transfers or patterns of data exfiltration providing valuable insights

into the scope and impact of the data bridge and it is worth noting that the analysis of network traffic locks is

primarily conducted using specialized tools such as y Shar Network protocol analyzer which you

can download from the link that is provided in this

slide okay a little bit on W shark in case you forgot what was shared with you on in session two wihar is a powerful

open source Network anal analyst to that enables forensic analyst to capture analyze and interpret Network

traffic in real time by leveraging fire shark forensic experts can gain granular visibility

into network communications identify suspicious activities and extract valuable evidence to support

their investigation so as we dive deeper into the analysis of network traffic locks it is evident that each piece of

information contained within these locks play a crucial part in uncovering the truth behind a security incident or data

bridge by meticulously analyzing time stamps source and destination details bik transferred and other key

elements forensic analysis can reconstruct the digital Narrative of an attack identify the perpetrators and

strengthen the organization's defense against future threats now let's dive into the

fascinating world of memory DBS a crucial component in digital forensic investigations especially in the

aftermath of a data bridge at our financial institute memory Dums provide a snapshot

of a comp a computer's volatile memory while it is actively running offering invaluable insights into the state of

the system at the time of dump so identifying the running process is very important so one of the key

aspects of memory Dums is the ability to capture a list of currently running processors these processes reveiew the

application and services that are active at the time of the dump in our scenario at the financial institute forensic

analysts leverage memory Dums to identify suspicious processes that may indicate the presence of malware or

unauthorized activities on the compromise system clipboards and window information so

memory Dums may also contain remnants of clipboard data such as copied text or files the windows information includes

open Windows tiles and content these artifacts can provide valuable clue to forensic investigators aiding in the

construction of user activities and potential Avenues of exploits by

attackers in our scenario analysis meticulously examine clipboard and window information from

Dums to uncover evidence of data exfiltration or or unauthorized access

attempts sensitive information such as credentials can also be found in memory dumps one of the critical considerations

when analyzing memory dumps is the capture of sensitive data such as lockin credentials encryption keys or

tokens and in all scenario forensic experts exercise cautious when handling memory dumps

ensuring that sensitive information is properly protected or encrypted to prevent unauthorized access or

misuse so to conduct an in-depth analysis of memory dumps forensic analysts rely on Specialized tools such

as the volatile memory forensic 2 the link is

below you can download a copy of it to try it out volatility is a open-source

framework designed specifically for the analysis of memory dumps it enables forensic experts to extract valuable

information from memory Maes including process listing network connections and registry

hives facilitating the identification of malware root kits and other malicious artifacts and by leveraging

volatility forensic analysis can uncover hidden insights within memory dumps shedding light on

the tactics used by attackers I identifying potential security vulnerabilities and strengthening the

organization's defense against future threats now we shall take a closer look at the volatility memory

forensics tools a powerful Ally in uncovering the truth behind security incidents such as the data Bridge faced

by our large Financial Institute in our scenario forensic analysts harness the capabilities of

volatility to analyze memory Dums extracted from compromise systems let's take a moment to explore how volatility

is in this crucial process imagine a scenario where forensic analysts are examining a memory

Dum obtained from a compromise workstation at the financial institute with volatility we can execute

commands such as windows. PS list to retrieve a list of currently running processors on the

system as you can see in this screenshot the windows PS Le command executes in the terminal displays a detailed list of

processors running on the compromise those systems each process entry includes

vital informations such as the process ID name parent process ID allowing analysts

to identify potentially malicious or unauthorized processes that may indicate the presence of malware or suspicious

activities let's further break down some of the key key elements visible in the command

output so for process ID each process is assign a unique identifier known as the process ID

forensics analysts use process IDs to track and monitor individual processes facilitating the

identification of anomalies or unusual behavior name the name column displays the name of each running

process providing insights to the application or Services currently active on the

system analyst scrutinize process names to identify known malware or suspicious executables that may require further

investigation parent process ID indicates the process ID of the parent process that spawn the current process

by analyzing the ppid relationships forensic experts can trace the linage of processes and identify potential chains

of execution associated with malware or unauthorized activities as you can see from this

example volatility and Powers forensic analyst the tools and capabilities needed to

extract valuable insights from memory dumps enabling them to uncover hidden Clues identify malicious artifacts and

reconstruct the digital narratives of of a security incident next we shall go into another

important command of volatility now let's dive deeper into volatility by looking at another

essential command called the command scan this command allows forensic analysts to

identify command prom artifacts within memory dumps providing valuable insights into command line activities and

potential malicious activities conducted by attackers so remembering our scenario at

the financial institute forensic analyst execute the command scan command in volatility to scan the

memory Dum for traces of command promt usage let's take a closer look at the command promp

out in the screenshot the command scan command output displays a detailed analysis of command prompt artifacts

found within the memory Dam each entry includes relevant information such as the process ID command line and last

return time allowing analyst to identify and analyze command line activities performed by users or malicious actors

on the compromise system so let's highlight some key elements that we can are very useful in

this command scan output firstly the P ID the process ID similar to the windows PS list

command okay it identifies each process associated with command prompt activities analysts can leverage pids to

track and monitor command line processes identify suspicious and unauthorized activities command line the command line

displays the actual command executed within the command prompt providing insights into the

action performed by users or acers analyst analyze command line entries to identify

potential signs of malicious behavior such such as command injection privilege escalation or data exitation

attempts lastly the last right time this is a time stamp when commands was executed within the command prompt

forensic analysts use timestamps to establish timelines on of activities correlate events and reconstruct the

sequence of actions performed by users or attackers so now we can see by leveraging the

command scan command in volatility we can easily uncover crucial command line artifacts within memory

dumps shedding light on activities conducted by users or attackers on compromis

systems this Insight are invaluable for understanding the scope of a security incident identifying

potential attack vectors and implementing effective remediation measures to mitigate fur

further risk okay now we shall explore how connections to other machines are

examined and analyzed in memory Dums the next slide I hope you found the two commands

that I've introduced you earlier useful let's further deepen our volatility analysis by examining another critical

aspect process listing connections to other machines this capability allows forensic analyst to identify network

connections established by processors within memory dumps providing valuable insights into potential Communications

with external entities or command and control servers operated by attackers so in our ongoing scenario at

the financial institute forensic analyst utilize volatility to execute commands such as net scan or connections

to identify process lease connections to other machines okay so from this screenshot

given here the output of the net scan or connections command displays a comprehensive list of

network connections established by processors within the memory D each entry

includes critical information such as local address remote address protocols and state providing forensic analyst

with valuable insights into Network activities associated with the compromise system

let's highlight some key elements visible in the output in the output of this

command so local address specifies the local IP address and port number associated with the

network connection forensic analysts use local address information to identify the source of outgoing Network traffic

and correlate its processes right in on the compromise system next we have the remote address

the remote address indicates IP addresses and port numbers of the remote endpoint with which the network

connection is established we can then scrutinize remote address details to identify

potential Communications with external entities or suspicious destinations indicative of malicious

activ ities lastly the protocol the protocol specifies the

network protocol used for connection such as UDP TCP understanding the protocol employed

in network connections help analyst assess the nature of communication and identify potential attack vectors or

data exitation channels lastly the state it indicates the current state of the

network connection whether is it established listening or closed the state determines the status

of the network connection and identifies normal or unauthorized connections that may

require further investigation by leveraging the process listing connection to other machines in

volatility forensic analysts gain critical insights into Network activities associated with the

compromise systems these insights enable analysts to identify potential command and

control channels data exportation routes or lateral movement Pathways used by attackers enhancing the organization's

ability to respond effectively to security incidents and mitigate future risk so as we continue our exploration

of volatility analyis it becomes evident that each

command provides unique insight into different aspects of digital forensics empowering forensic experts to uncover

hidden Clues peace together the D digital narratives and ultimately strengthen the

organization's defense against cyber threat let's now dive into another critical forensic evidence called the

data image is a fundamental step in dig digital forensics that plays a pivotal role in

uncovering the truth behind security incidents such as the data Bridge encountered by

our large financial institute so in our scenario foreign analyst initiated the data Imaging

process to create exact electronic copies of the storage devices such as hard dis solid state drives or USB

drives let's explore the significance of data Imaging in forensic investigations firstly the primary

objective of data Imaging is to preserve the Integrity of the original data by creating forensic images forensic

analyst ensure that the original data remains unchanged thereby preserving potential

evidence that might otherwise be lost during traditional file copying methods in our scenario analysts meticulously

create forensic images of the compromise storage devices to capture the state of the system at the specific

moment of attack safeg guarding critical evidence for future analysts next analyzing and retrieving

files data Imaging enable forensic analyst to analyze and retrieve files from

the from the victims computer at the precise moment of the attack by examining the forensic image analyst can

delve into the file systems recover deleted files and explore unallocated clusters for hidden data that may hold

CR crucial evidence related to the C incident so in our scenario analyst analyze using this data

images to extract key artifacts including browser histories potential malicious programs

shading light on the attacker tactics techniques and procedures in short TTP some key artifacts that forensic

analysts investigate are browser histories they scrutinize web browser histories captured within the forensic

images including URLs visited search inquiries and timestamps by analyzing browser histories analysts can

reconstruct the users online activities and identify potential points of compromise or suspicious behavior in

indicative of an attack malicious programs like malware can also be identified and

extracted from vmdks and e1s within the forensic

images provided or collected by analyzing malware artifacts analysts can uncover the presence of malicious

software identify its functionalities and assess its impact on the compromise system to facilitate data Imaging and

analyis forensic analysts rely on Specialized tools such as autopsy and fdk

eagor the links below will will bring you to the respective website ites for downloading of these

softwares autopsy and fdk images are widely used tools in the digital forensic

Community offering comprehensive capabilities for data Imaging analysis and

Reporting these tools Empower forensic analyst to conduct too investigations uncovering hidden

evidence and piecing together the digital narratives of security incidents so by leveraging data Imaging

and Analysis tools like Topsy and fdk imager forensic analyst can meticulously examine forensic images

uncovering hidden Clues identify malicious artifacts and reconstructing the sequence of events leading to the

security Bridge we will then we will next look at how this things can be

used let's navigate through the process of selecting an Evidence file using fdk imager an essential step in digital

forensics that facilitates the creation of forensic images for analysis and investigation

so in our ongoing scenario at the financial institute forensic analyst leverage ftk major choose a physical

Drive such as an e01 or vmdk file as evidence file for Imaging okay let's go a little bit

deeper to the significance of this step so from this screenshot that you can see left K image

interface presents forensic analysis with options to select the desired physical drive as evidence file for

Imaging analyst can navigate through the available drives choose the appropriate Drive containing the target data and

designate it as a evidence file for further analysis let's explore the implications

of choosing a physical drive as the evidence file so selecting a physical drive as

evidence file ensures the preservation of the original data in its original state by creating a forensic image of

the entire Drive analysts capture every sector and bite of the data maintaining data integrity and authenticity

throughout the forensic process comprehensive analysis is when you can actually have a

physical data image provided okay for the analysis and investigation analyst can examine the

entire content of the drive including active data deleted files system files and unallocated space enabling Tower

analysis and retrieval of valuable evidence related to the security incident without having to

worry about tempering with the data so let's consider the scenario at the financial

institute am miss the aftermath of the data Bridge foric analysts initiate fdk IM maor and

navigate to select the physical Drive containing compromise system as the evidence

file so by choosing the physical Drive analyst ensure the capture of all relevant data including system

configuration user profiles application data and potential malware artifacts essential for conducting a

comprehensive forensic investigation by using the fdk imager to

select the physical drive as a evidence file forensic analysts lay the foundation of a for meticulous forensic

analysis enabling them to uncover hidden evidence identifying malicious activities and reconstructing the

digital timeline of the security Bridge so in our ongoing scenario at the financial institute forensic analysts

utilize fdk imager to load an e01 Evidence file as you can see from the from the screen here there's a common

form this e0 one is actually a common format for for images captured during investigation of data Bridge so let's

explore the significance of this step okay so after loading the e01 evidence file it presents the forensic

analyst with a comprehensive view of captured forensic image analyst can navigate through the file structure

examine individual files and directories and extract relevant evidence for future analysis and

investigations so now access to the foric image if you can if you take a look at

this it's actually just the same as a Windows Explorer analyst can explore the file

systems even analyze metadata and retrieve specific artifacts relevant to the

investigation including documents locks and system configurations data Integrity very

ification is being performed by the fdk imager as it does the Integrity check on the loaded e01

evidence file to ensure that the data remains intact and unaltered by verifying data

Integrity forensic analyst can trust the accuracy and reliability of the forensic image enhancing the avilability

of the evidence collected during the investigation now let's continue to consider

the scenario at the financial institute following the data Bridge experts acquir a forensic image

of the compromise system using fdk imager resulting in a e01 evidence F subsequently they loaded into ftk IM

major to initiate the forensic analysis process by loading the evidence file analyst gain access to the captured data

enabling them to uncover evidence of unauthorized access data exitation and other malicious

activities by the attackers so we can understand that the fdk

imager is very important in our step to get a image that can be used as

evidence so as we continue our journey through digital forensics it becomes evident that loading the

e01 into ftk imia is a crucial and critical step in investig in the investig ation

process now having explored the process of analyzing an e01 using ftk imager let's continue the same thing with

autopsy which is another powerful open-source digital forensic platform widely used by investigators around the

world so in our scenario let's load the e01 that we use on the ftk imager and load it into a topsy

now okay e z ones are very standard formats for forensic images Okay so let's let's dive in to

look at a topy so from this screenshot con actually see the interface is slightly different

analyst can navigate through the file systems examine file metadata con even conduct work keyword search as and

visualize relationships between artifacts facilitating indepth analysis and

investigation so let's look at it in dep okay as we load a e01 file into autopsy it enables us to conduct a

comprehensive analysis of the capture data we can see things like file metadata um file content delete recover

deleted files and analyze file relationships uncovering valuable evidence related to

the to the incident he also has this Advanced artifact analysis the tosy offers

Advanced artifact analysis capabilities allowing analysts to identify and extract various

artifacts indicative of malicious activities or security breaches analysts can analyze web browser histories mail

Communications file assess patterns and system locks providing insights into actions of the attackers and their

impact on the compromise system so let's consider our scenario following

the acquisition of the e01 file the file is being loaded into autopsy to initiate the forensic

analysis process so using autopsies intuitive interface and Powerful

analysis tools analysts can meticulously examine the captured data and cover evidence of unauthorized

assess data exfiltration or other malicious activities so by leveraging autopsy

forensic analysts gain more valuable insights into nature and scope of security

breaches so as we continue our exploration it become evident that autopsy serves as a vital tool in

investigative process empowering us to cover hidden Clues I will continue to show you more

in the next slides as you can see from this screenshot autopsy presents us with a

detailed overview of the results obtained from the e01 file but analyst can review file Le

things analyze findings and even look at metadatas providing valuable insights

into content of the forensic image and potential evidence related to the security

incident so let's dive into the implications of analyzing these results findings and metadatas within

autopsy so autopsy provides you with a comprehensive Leist of files extracted from the loaded e01

where you can navigate through the listings examine the file properties and prioritize files without using a

further application and findings on the autopsy are more

detailed where you can review indicators of compromise suspicious file activities

potenti potential security threats during this um analysis can

be can be seen inside a topsy lastly autopsy extracts metadatas from files within the e01

evidence providing valuable information about file Origins creation time stamps and device I

identifiers analysts can leverage on this metadata to establish timelines track file movements and correlate

digital artifacts with real world events therefore enhancing the investigative process so let's go back to our

scenario of the of our financial institute so using a topsy forensic analysis can review the results findings

and metad datas obtained from the E1 file meticulously examining the file

listings prioritize critical artifacts and analyzing findings to uncover evidence

of unauthorized access data exfiltration and other malicious activities so as we continue our journey through

digital forensics it is evident that autopsy serves as a valuable tool in analyzing and

interpretating forensic evidence giving us the power to uncover Clues identify malicious activities and

strengthen the organization's cyber security defense now we come to McQ session two

I'll be flashing five questions three on the first slide and two on the second slide do pause the video to read and

answer the questions the McQ will not be graded but I would strongly recommend you to do and

understand them