Welcome to the second edition of Digital Forensics with Kali Linux. For those of you who may have purchased the first edition, the practical aspects of this book have been updated with new labs, and there are several new tools (with labs) for us to explore in this updated edition, starting with Chapter 2, Installing Kali Linux, where we will set up the latest version of Kali Linux (2019.3). For readers new to this book, I recommend starting here from the first chapter.
Digital forensics has had my attention for well over 13 years. Ever since I was given my first PC (thanks, Mom and Dad), I've always wondered what happened when I deleted my files from my massively large 2-gigabyte (GB) hard drive or moved (and, most times, hid) my files to a less-than-inconspicuous 3.5-inch floppy diskette that maxed out at 1.44 megabytes (MB) in capacity.
As I soon learned, hard disk drives and floppy disk drives did not possess the digital immortality I so confidently believed in. Sadly, many files, documents, and priceless fine art created in Microsoft Paint by yours truly were lost to the digital afterlife, never to be retrieved again. Sigh. The world will never know.
It wasn't until years later that I came across an article on file recovery and associated tools while browsing the magical World Wide Web (WWW) on my lightning-fast 42-kilobits-per-second (Kbps) dial-up internet connection (made possible by my very expensive USRobotics dial-up modem, which sang the tune of the technology gods every time I'd try to connect to the realm of the internet). This process involved a stealthy ninja-like skill that would make even a black-ops team envious, as it involved doing so without my parents noticing, as this would prevent them from using the telephone line to make or receive phone calls. (Apologies, dear Mother, Father, and older teenage sister.)
The previous article on data recovery wasn't anywhere near as detailed and fact-filled as the many great peer-reviewed papers, journals, and books on digital forensics widely available today. As a total novice (also referred to as a noob) in the field, I did learn a great deal about the basics of filesystems, data and metadata, storage measurements, and the workings of various storage media.
It was at this time that, even though I had read about the Linux operating system and its various distributions, I began to get an understanding of why Linux distributions were popular in data recovery and forensics.
At this time, I managed to bravely download the Auditor and Slax Linux distributions, again on a dial-up connection. Just downloading these operating systems was quite a feat, and it left me feeling highly accomplished as I did not have any clue as to how to install them, let alone actually use them. In those days, easy installation and graphical user interfaces (GUIs) were still under heavy development, as user friendly—or, in my case, user unfriendly—as they were at the time (mostly due to my inexperience, lack of recommended hardware, and, also, a lack of resources such as online forums, blogs, and YouTube, which I did not yet know about). I'll explain more about the Auditor and Slax operating systems in Chapter 2, Installing Kali Linux, including their role in the infamous BackTrack, and now Kali Linux, operating systems.
As time passed, I researched many tools found on various platforms for Windows, Macintosh, and many Linux distributions. I found that many of the tools used in digital forensics could be installed in various Linux distributions or flavors, and many of these tools were well maintained, constantly being developed, and were widely accepted by peers in the field. Kali Linux is a Linux distribution or flavor, but before we go any further, let me explain this concept. Consider your favorite beverage: this beverage can come in many flavors, some without sweeteners or sugar, in different colors, and even in various sizes. No matter what the variations, it's still the basic ingredients that comprise the beverage at the core. In this way, too, we have Linux, and then different types and varieties of Linux. Some of the more popular Linux distributions and flavors include Parrot OS, Computer Aided INvestigative Environment (CAINE), Red Hat, CentOS, Ubuntu, Mint, Knoppix, and, of course, Kali Linux. Kali Linux will be discussed further in Chapter 2, Installing Kali Linux.
For this book, we take a very structured approach to digital forensics, as we would in forensic science. We first stroll into the world of digital forensics, its history, and some of the tools and operating systems used for forensics, and immediately introduce you to the concepts involved in evidence preservation. As far as international best practices and guidelines go, I'd recommend reading up on the Council of Europe's Budapest Convention on Cybercrime (https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016800cce5b) and the Association of Chief Police Officers (ACPO) Good Practice Guide for Digital Evidence (https://www.digital-detective.net/digital-forensics-documents/ACPO_Good_Practice_Guide_for_Digital_Evidence_v5.pdf) to get a better understanding of international frameworks and digital forensics best practices.
How about we kick things off? Let's get started!
This chapter gives an introduction to the various aspects of the science of digital forensics. The topics we are going to cover in this chapter are as follows:
- What is digital forensics?
- Digital forensics methodology
- A brief history of digital forensics
- The need for digital forensics as technology advances
- Operating systems and open source tools for digital forensics
- The need for multiple forensics tools in digital investigations
- Commercial forensics tools
- Anti-forensics – threats to digital forensics
What is digital forensics?
The first thing I'd like to cover in this chapter is an understanding of digital forensics and its proper practices and procedures. At some point, you may have come across several books, blogs, and even videos demonstrating various aspects of digital forensics and the different tools used. It is of great importance to understand that forensics itself is a science, involving very well-documented best practices and methods in an effort to reveal whether something exists.
Digital forensics involves the preservation, acquisition, documentation, analysis, and interpretation of evidence identified from various storage media types. It is not only limited to laptops, desktops, tablets, and mobile devices, but also extends to data in transit that is transmitted across public or private networks.
In some cases, digital forensics involves the discovery and/or recovery of data using various methods and tools available to the investigator. Digital forensics investigations include, but are not limited to, the following:
- Data recovery: Investigating and recovering data that may have been deleted, changed to different file extensions, and even hidden.
- Identity theft: Many fraudulent activities, ranging from stolen credit card usage to fake social media profiles, usually involving some sort of identity theft.
- Malware and ransomware investigations: To date, ransomware spread by Trojans and worms across networks and the internet are some of the biggest threats to companies, military organizations, and individuals. Malware can also be spread to, and by, mobile devices and smart devices.
- Network and internet investigations: Investigating Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks, and tracking down accessed devices, including printers and files.
- Email investigations: Investigating the email header, message IDs, source and Internet Protocol (IP) origins; attached content and geo location information can all be investigated, especially if there is a business email compromise (BEC).
- Corporate espionage: Many companies are moving away from print copies and toward cloud and traditional disk media. As such, a digital footprint is always left behind; should sensitive information be accessed or transmitted?
- Child pornography investigations: Sadly, the reality is that children are widely exploited on the internet and within the deep web. With the use of technology and highly-skilled forensic analysts, investigations can be carried out to bring down exploitation rings by analyzing internet traffic, browser history, payment transactions, email records, and images.
Digital forensics methodology
Keeping in mind that forensics is a science, digital forensics requires appropriate best practices and procedures to be followed in an effort to produce the same results time and time again, providing proof of evidence, preservation, and integrity that can be replicated, if called upon to do so.
Although many people may not be performing digital forensics to be used as evidence in a court of law, it is best to practice in such a way as can be accepted and presented in a court of law. The main purpose of adhering to best practices set by organizations specializing in digital forensics and incident response is to maintain the integrity of the evidence for the duration of the investigation. In the event that the investigator's work must be scrutinized and critiqued by another or an opposing party, the results found by the investigator must be able to be recreated, thereby proving the integrity of the investigation. The purpose of this is to ensure that your methods can be repeated and, if dissected or scrutinized, produce the same results time and again. The methodology used, including the procedures and findings of your investigation, should always allow for the maintenance of the data's integrity, regardless of which tools are used.
The best practices demonstrated in this book ensure that the original evidence is not tampered with, or, in cases of investigating devices and data in a live or production environment, show well-documented proof that necessary steps were taken during the investigation to avoid unnecessary tampering of the evidence, thereby preserving the integrity of the evidence. For those completely new to investigations, I recommend familiarizing yourself with some of the various practices and methodologies available and widely practiced by the professional community.
- The ACPO Good Practice Guide for Digital Evidence
- The Scientific Working Group on Digital Evidence's (SWGDE) Best Practices for Computer Forensics
- The Budapest Convention on Cybercrime (CETS No. 185)
Although written in 2012, ACPO, now functioning as the National Police Chiefs' Council (NPCC), put forth a document in a PDF file called the ACPO Good Practice Guide for Digital Evidence regarding best practices when carrying out digital forensics investigations, particularly focusing on evidence acquisition. The ACPO Good Practice Guide for Digital Evidence was then adopted and adhered to by law enforcement agencies in England, Wales, and Northern Ireland, and can be downloaded in its entirety at https://www.npcc.police.uk/documents/FoI%20publication/Disclosure%20Logs/Information%20Management%20FOI/2013/031%2013%20Att%2001%20of%201%20ACPO%20Good%20Practice%20Guide%20for%20Digital%20Evidence%20March%202012.pdf.
Another useful and more recent document, produced in September 2014, on best practices in digital forensics was issued by the SWGDE. The SWGDE was founded in 1998 by the Federal Crime Laboratory Directors Group, with major members and contributors including the Federal Bureau of Investigation (FBI), Drug Enforcement Administration (DEA), National Aeronautics and Space Administration (NASA), and the Department of Defense (DoD) Computer Forensics Laboratory. Though this document details procedures and practices within a formal computer forensics laboratory setting, the practices can still be applied to non-laboratory investigations by those not currently in, or with access to, such an environment.
The SWGDE's Best Practices for Computer Forensics sheds light on many of the topics covered in the following chapters, including the following:
- Evidence collection and acquisition
- Investigating devices that are powered on and off
- Evidence handling
- Analysis and reporting
The SWGDE's Best Practices for Computer Forensics Acquisitions (April 2018) can be viewed and downloaded directly from here: https://www.swgde.org/documents/Current%20Documents/SWGDE%20Best%20Practices%20for%20Computer%20Forensic%20Acquisitions
The SWGDE has a collection of 78 documents (at the time of this publication) that detail the best practices of evidence acquisition, collection, authentication, and examination, which can all be found at https://www.swgde.org/documents/Current%20Documents/SWGDE%20Best%20Practices%20for%20Compu%20ter%20Forensics.
A brief history of digital forensics
Although forensic science itself (including the first recorded fingerprints) has been around for over 100 years, digital forensics is a much younger field as it relates to the digital world, which mainly gained popularity after the introduction of personal computers in the 1980s.
For comparative purposes in trying to grasp the concept of digital forensics as still being relatively new, consider that the first actual forensic sciences lab was developed by the FBI in 1932.
Some of the first tools used in digital forensic investigations were developed in FBI labs circa 1984, with forensic investigations being spearheaded by the FBI's specialized Computer Analysis and Response Team (CART), which was responsible for aiding in digital investigations.
Digital forensics as its own field grew substantially in the 1990s, with the collaboration of several law enforcement agencies and heads of divisions working together and even meeting regularly to bring their expertise to the table.
One of the earliest formal conferences was hosted by the FBI in 1993. The main focus of the event, called the International Law Enforcement Conference on Computer Evidence, was to address the need for formal standards and procedures with digital forensics and evidence acquisition.
Many of these conferences resulted in the formation of bodies that deal with digital forensics standards and best practices. For example, the SWGDE was formed by the Federal Crime Laboratory Directors in 1998. The SWGDE was responsible for producing the widely adopted best practices for computer evidence (discussed later in this chapter). The SWGDE also collaborated with other organizations, such as the very popular American Society of Crime Laboratory Directors (ASCLD), which was formed in 1973 and has since been instrumental in the ongoing development of best practices, procedures, and training as it relates to forensic science.
It wasn't until the early 2000s, however, that a formal Regional Computer Forensic Laboratory (RCFL) was established by the FBI. In 2002, the National Program Office (NPO) was established, and this acts as a central body, essentially coordinating and supporting efforts between RCFL's law enforcement.
Since then, we've seen several agencies, such as the FBI, Central Intelligence Agency (CIA), National Security Agency (NSA), and Government Communications Headquarters (GCHQ), each with their own full cybercrime divisions, full digital forensics labs, and dedicated onsite and field agents, collaborating assiduously in an effort to take on tasks that may be nothing short of Sisyphean, when considering the rapid growth of technology and easier access to the internet and even the Dark Web.
In the Caribbean and Latin America, there have also been several developments where cybercrime and security are concerned. The Caribbean Community Implementation Agency for Crime and Security (CARICOM IMPACS) has been formally established and has published the CARICOM Cyber Security and Cybercrime Action Plan (CCSCAP), which seeks to address vulnerabilities within the CARICOM states and also provide guidelines for best practices that would aid in cybercrime detection and investigation. The CCSCAP can be downloaded at https://www.caricomimpacs.org/Portals/0/Project%20Documents/CCSAP.pdf.
With the advancement of technology, the tools for digital forensics must be regularly updated, not only in the fight against cybercrime, but in the ability to provide accountability and for the retrieval of lost data. We've come a long way since the days of floppy disks, magnetic drives, and dial-up internet access, and are now presented with Secure Digital (SD) cards, solid-state drives (SSDs), and fiber-optic internet connections at gigabit speeds. More information on cybercrime can be found on Interpol's website, at https://www.interpol.int/en/Crimes/Cybercrime.
The need for digital forensics as technology advances
Some of you may be sufficiently young-at-heart to remember the days of Windows 95, 3.x, and even Disk Operating System (DOS). Smart watches, calculators, and many Internet of Things (IoT) devices are today much faster than the first generation of personal computers and servers. In 1995, it was common to come across hard disk drives between 4 and 10 GB, whereas today, you can easily purchase drives with capacities of 2 terabytes (TB) and up.
Consider also the various types of storage media today, including flash drives, SD cards, CDs, DVDs, Blu-ray discs, hybrid drives, and SSDs, as compared to the older floppy disks, which, at their most compact and efficient, only stored 1.44 MB of data on a 3 ¼-inch disk. Although discussed in detail in a later chapter, we now have many options for not only storing data but also for deleting and even hiding data (through the art of steganography), especially as Alternate Data Streams (ADS), which can be done on Windows New Technology File System (NTFS) media. Encryption using TrueCrypt, VeraCrypt, and BitLocker also add to the complexity and duration of forensics investigations today.
With the advancement of technology also comes a deeper understanding of programming languages, operating systems both average and advanced, and knowledge and utilization of digital devices. This also translates into more user-friendly interfaces that can accomplish many of the same tasks as with the command-line interface (CLI), used mainly by advanced users. Essentially, today's simple GUI, together with a wealth of resources readily found on search engines, can make certain tasks such as hiding data far easier than before.
Hiding large amounts of data is also simpler today, considering that the speed of processors, combined with large amounts of random-access memory (RAM), including devices that can also act as RAM far surpasses those of as recent as 5 years ago. Graphics cards must also be mentioned and taken into consideration, as more and more mobile devices are being outfitted with very powerful high-end onboard NVIDIA and ATI cards that also have their own separate RAM, aiding the process. Considering all these factors does lend support to the idea put forth by Gordon E. Moore in the 1970s, which states that computing power doubles every 2 years, commonly known as Moore's Law.
However, Jensen Huang, Chief Executive Officer (CEO) of NVIDIA, stated that Moore's Law is dying as graphics processing units (GPUs) will ultimately replace central processing units (CPUs) due to the GPUs' performance and technological advancements and abilities in handling artificial intelligence (AI).
Huang's statement was also mirrored by ex-Intel CEO Brian Krzanich.
All things considered, several avenues for carrying out cybercrimes are now available, including malware and ransomware distribution, DoS and DDoS attacks, espionage, blackmail, identity theft, data theft, illegal online activities and transactions, and a plethora of other malicious activities. Many of these activities are anonymous as they occur over the internet and often take place using masked IP addresses and public networks, and so make investigations that much harder for the relevant agencies in pinpointing locations and apprehending suspects. For more of the latest threats and cybercrime news, have a look at this Trend Micro link: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats.
With cybercrime being such big business, the response from law enforcement officials and agencies must be equally impressive in their research, development, intelligence, and training divisions if they are to put up a fight in what may seem like a never-ending battle in the digital world.
Digital forensics not only applies to storage media but also to network and internet connections, mobile devices, IoT devices, and, in reality, any device that can store, access, or transmit data. As such, we have a variety of tools, both commercial and open source, available to us, depending on the task at hand.
Earlier in 2019, digital forensic solution provider Paraben hosted a blog on their site that mentioned the need for more advanced and complicated Digital Forensics and Incident Response (DFIR) plans and solutions, seeing that business models today include virtualized infrastructure and some type of cloud service or subscription package that has led to the need for Forensics As A Service (FAAS), which encompasses the bundling of forensic skillsets (within the many areas of digital forensics), software, analysis, and the ability to respond to any types of threats, as a service.
Operating systems and open source tools for digital forensics
Just as there are several commercial tools available, there exist many open source tools available to investigators, amateur and professional alike. Many of these tools are Linux-based and can be found on several freely available forensic distributions.
The main question that usually arises when choosing tools is usually based on commercial versus open source. Whether using commercial tools or open source tools, the end result should be the same, with preservation and integrity of the original evidence being the main priority.
Budget is always an issue, and some commercial tools (as robust, accurate, and user friendly as they might be) cost thousands of dollars.
The open source tools are free to use under various open source licenses and should not be counted out just because they are not backed by enterprise developers and researchers.
Many of the open source tools are widely reviewed by the forensic community and may be open to more scrutiny, as they are more widely available to the public and are built in non-proprietary code.
Though the focus of this book is on the forensic tools found in Kali Linux, which we will begin looking at toward the end of this section and onward, here are some of the more popular open source forensic distributions available.
Each of the distributions mentioned in the following sections is freely available at many locations but, for security reasons, we will provide the direct link from their home pages. The operating systems featured in this section are listed only in alphabetical order and do not reflect any ratings, reviews, or even the author's personal preference. Please refer to the hash verification of these tools to ensure that the version downloaded matches the exact version uploaded by the developers and creators.
Digital Evidence and Forensics Toolkit (DEFT) Linux
DEFT Linux comes in a full version and a lighter version called DEFT Zero. For forensic purposes, you may wish to download the full version as the Zero version does not support mobile forensics and password-cracking features. You can refer to the following points for downloading them:
- Download page for DEFT Linux 8: http://na.mirror.garr.it/mirrors/deft/iso/
- Download page for DEFT Linux Z (2018-2): http://na.mirror.garr.it/mirrors/deft/zero/
- Based on: Ubuntu Desktop
- Distribution type: Forensics and incident response
As with the other distributions mentioned in this list, DEFT, as shown in the following screenshot, is also a fully capable live-response forensic tool that can be used on the go in situations where shutting down the machine is not possible, and also allows for on-the-fly analysis of RAM and the swap file:
When booting from the DEFT Linux DVD, bootable flash, or other media, the user is presented with various options, including the options to install DEFT Linux to the hard disk, or use as a live-response tool or operating system by selecting the DEFT Linux 8 live option, as shown in the following screenshot:
In the preceding screenshot, it can be seen that there are several forensic categories in DEFT Linux 8 such as Antimalware, Data Recovery, Hashing, Imaging, Mobile Forensics, Network Forensics, Password recovery, and Reporting tools. Within each category exist several tools created by various developers, giving the investigator quite a selection from which to choose.
- Home page: http://www.caine-live.net/
- Based on: GNU Linux
- Distribution type: Forensics and incident response
One of the most noticeable features of CAINE after selecting your boot option is the easy way to find the write-blocker feature, seen and labeled as an UnBlock icon, as shown in the following screenshot. Activating this feature prevents the writing of data by the CAINE operating system to the evidence machine or drive:
Forensic tools is the first menu listed in CAINE. As with DEFT Linux, there are several categories in the menu, as seen in the following screenshot, with several of the more popular tools used in open source forensics. Besides the categories, there are direct links to some of the more well-known tools, such as Guymager and Autopsy, which will both be covered in detail in later chapters:
The latest version of CAINE 10.0 Infinity can be downloaded from https://www.caine-live.net/page5/page5.html in International Organization for Standardization (ISO) format, approximately 3.6 GB in size.
For installation on a Universal Serial Bus (USB) thumb drive, please ensure that the drive capacity is no less than 8 GB. A bootable CAINE drive can be created in an automated manner using the Rufus tool, which we will see in Chapter 2, Installing Kali Linux.
Finally, we get to this lovely gem, Kali Linux, fully discussed in detail from its installation to advanced forensics usage in the next chapter and throughout this book. The basic points related to Kali Linux are listed here:
- Home page: https://www.kali.org/
- Based on: Debian
- Distribution type: Penetration testing, forensics, and anti-forensics
Kali Linux was created as a penetration testing, or pen-testing, distribution under the name BackTrack, which then evolved into Kali Linux, in 2015. This powerful tool is the definite tool of choice for penetration testers and security enthusiasts worldwide. As a Certified EC-Council Instructor (CEI) for the Certified Ethical Hacker (CEH) course, this operating system is usually the star of the class due to its many impressive bundled security programs, ranging from scanning and reconnaissance tools to advanced exploitation tools and reporting tools.
As with the previously mentioned tools, Kali Linux can be used as a live-response forensic tool as it contains many of the tools required for full investigations. Kali, however, can also be used as a complete operating system, as it can be fully installed to a hard disk or flash drive and also contains several tools for productivity and entertainment. It comes with many of the required drivers for successful use of hardware, graphics, and networking, and also runs smoothly on both 32-bit and 64-bit systems with minimal resources. It can also be installed on certain mobile devices, such as Nexus and OnePlus, and other phones and tablets.
Adding to its versatility, upon booting from a live CD/DVD or flash drive, the investigator has several options to choose from, including Live (forensic mode), which leaves the evidence drive intact and does not tamper with it by also disabling any auto-mounting of flash drives and other storage media, providing integrity of the original evidence throughout the investigation.
When booting to Kali Linux from a DVD or flash drive, the user is first presented with options for a live environment and installation. Choosing the third option from the list carries us into Live (forensic mode), as seen in the following screenshot:
The Kali menu can be found at the top-left corner by clicking on Applications. This brings the user to the menu listing, which shows the forensics category lower down, as 11 - Forensics. The following screenshot gives an idea of some of the forensic tools available in Kali that we'll be using later on in the book:
It should be noted that the tools listed are not the only tools available in Kali. There are several other tools that can be brought up via the Terminal, as we'll see in later chapters.
It's also noteworthy that, when in forensic mode, not only does Kali not tamper with the original evidence drive, but also does not write data to the swap file, where important data that was recently accessed and stored in memory may reside.
The following screenshot shows another view of accessing the forensic tools menu, using the last icon in the list on the sidebar menu (resembling nine dots in a square formation):
Out of the three forensic distributions mentioned, Kali can operate as a live-response forensic tool, but can also be used as a full operating system, just like Windows, Mac, and Android, as it contains several built-in tools for productivity and everyday use. The fact that Kali can be installed to a hard disk means that several other tools can be downloaded and updated regularly, giving continuous access to all IT security and forensic tools, allowing the user to save progress as they use the tools and not have to worry too much about restarting their machine, should they decide to use it as a full operating system.
Using these open source forensic operating systems such as Kali gives us a range of tools to choose from and work with. There exist many tools for performing the same tasks within each category in the distributions. This is good, because our findings should be able to be replicated using different tools. This is especially good in instances where the investigator's work may be critiqued and the integrity of the case and evidence questioned and scrutinized; using multiple tools correctly will yield consistent results. Taking this into consideration, we can also look at the requirements and benefits of performing investigations within a forensic lab. Interpol has a very detailed document on Global Guidelines for Digital Forensics Laboratories, which can be downloaded at shorturl.at/ikKR2.
The need for multiple forensics tools in digital investigations
Preservation of evidence is of the utmost importance. Using commercial and open source tools correctly will yield results; however, for forensically sound results, it is sometimes best if more than one tool can be used and produces the same results.
Another reason to use multiple tools may simply be cost. Some of us may have a large budget to work with, while others may have a limited one or none at all. Commercial tools can be costly, especially due to research and development, testing, advertising, and other factors. Additionally, many commercial tools are now subscription-based, with yearly recurring renewal fees. Open source tools, while tested by the community, may not have the available resources and funding as with commercial tools.
So, then, how do we know which tools to choose?
Digital forensics is often quite time consuming, which is one of the reasons you may wish to work with multiple forensic copies of the evidence. This way, you can use different tools simultaneously in an effort to speed up the investigation. While fast tools may be a good thing, we should also question the reliability and accuracy of the tools.
The National Institute of Standards and Technology (NIST) has developed a Computer Forensics Tool Testing (CFTT) program that tests digital forensic tools and makes all findings available to the public. Several tools are chosen based on their specific abilities and placed into testing categories such as disk imaging, carving, and file recovery. Each category has a formal test plan and strategy for testing along with a validation report, again available to the public.
More on the CFTT program can be found at https://www.cftt.nist.gov/disk_imaging.htm. Testing and validation reports on many of the tools covered in this book can be found at https://www.dhs.gov/science-and-technology/nist-cftt-reports.
To re-enforce the importance of using multiple tools in maintaining the integrity of your investigations and findings, multiple tools will be demonstrated in the third and fourth sections of this book.
Commercial forensics tools
Although this book focuses on tools within the Kali Linux operating system, it's important to recognize the commercially available tools available to us, many of which you can download as trial or demo versions before determining a preference.
Because this book focuses primarily on open source tools, I'll just cover some of the more popular commercial tools available, along with their home pages. The tools are listed only in alphabetical order as follows, and do not reflect any ratings, reviews, or the author's personal preference:
Belkasoft Evidence Center (EC) 2020
Belkasoft EC is an automated incident response and forensic tool that is capable of analyzing acquired images of memory dumps, virtual machines, and cloud and mobile backups, as well as physical and logical drives.
Belkasoft EC is also capable of searching for, recovering, and analyzing the following types of artifacts:
- Office documents
- Browser activity and information
- Social media activity
- Mobile applications
- Messenger applications (WhatsApp, Facebook Messenger, and even BlackBerry Messenger)
Belkasoft also has a free acquisition tool and RAM Capturer tool, available along with a trial version of their Evidence Center, available at https://belkasoft.com/get
AccessData Forensic Toolkit (FTK)
FTK has been around for some time and is used professionally by forensics investigators and law enforcement agencies worldwide. AccessData has also recently announced integration with Belkasoft for a better experience. Some features of FTK include the following:
- Fast processing with multi-core support using four engines
- Ability to process large amounts of data
- Indexing of data, to allow faster and easier searching and analysis
- Password cracking and file decryption
- Automated analysis
- Ability to perform customized data carving
- Advanced data recovery
The trial version of FTK can be downloaded at https://accessdata.com/product-download/forensic-toolkit-ftk-international-version-7-0-0. AccessData also has an image acquisition tool that is free to download and use, available at https://accessdata.com/product-download/ftk-imager-version-4-2-1.
Created by Guidance Software, EnCase Forensic has also been at the forefront for many years and has been used internationally by professionals and law enforcement agencies alike for almost two decades. Much like FTK, EnCase comes with several solutions for incident response, e-discovery, and endpoint and mobile forensics.
Apart from being a full digital forensics solution and suite, some of the other features of EnCase include the following:
- The ability to acquire images from over 25 different types of mobile devices, including phones, tablets, and even Global Positioning System (GPS) devices
- Support for Microsoft Office 365
- Evidence decryption using Check Point Full Disk Encryption (FDE)
- Deep forensic and triage analysis
Other commercial tools also worth mentioning are the following:
- Magnet Axiom: https://www.magnetforensics.com/computer-forensics/
- X-Ways Forensics: http://www.x-ways.net/forensics/index-m.html
Many of the preceding commercial tools offer several (with many being proprietary) features, including the following:
- Write blocking
- Bit-by-bit or bit-stream copies and disk cloning/evidence cloning
- Forensically sound evidence acquisition
- Evidence preservation using hashes
- File recovery (hidden and deleted)
- Live and remote acquisition of evidence
- RAM and swap/paging file analysis
- Image mounting (supporting various formats)
- Advanced data and metadata (data about data) searches and filtering
- Bookmarking of files and sectors
- Hash and password cracking
- Automatic report generation
The main advantage of commercial tools is that they are usually automated and are actually a suite of tools that can almost always perform entire investigations, from start to finish, with a few clicks. Another advantage that I must mention is the support for the tools that are given with the purchase of a license. The developers of these tools also employ research and development teams to ensure constant testing and reviewing of their current and new products.
Anti-forensics – threats to digital forensics
As much as we would like the tasks involved in digital forensics to be as easy as possible, we do encounter situations that make investigations, and life as a forensics investigator, not so simple and sometimes stressful. People wishing to hide information and cover their tracks, and even those who have malicious intent or actually participate in cybercrimes, often employ various methods to try to foil the attempts of forensic investigators, with the intention of hampering or halting investigations.
In recent times, we've seen several major digital breaches online, especially from 2011 onward. Many of these attacks allegedly came from, or were claimed to be the work of, infamous hacker groups such as LulzSec, Anonymous, Lizard Squad, and many others, including individuals and hacktivists (people who hack for a specific cause or reason and are less concerned about doing time in prison). Some of these hacks and attacks not only brought down several major networks and agencies, but also cost millions in damages, directly and indirectly. As a result, the loss of public confidence in the companies concerned contributed to further increases in damages.
These daring, creative, and public attacks saw the emergence of many other new groups that learned from the mistakes of past breaches of Anonymous and others. Both social media and underground communication channels soon became the easiest forms of communication between like-minded hackers and hacktivists. With the internet and World Wide Web (WWW) becoming easily accessible, this also heralded competition not only between IPs, but also between private companies and corporations, which led to the creation of free wireless hotspots on almost every street with businesses, large or small.
The result of having internet access at just about every coffee shop enabled anyone with a smartphone, tablet, laptop, or other device to acquire almost unauthenticated access to the internet. This gave them access to hacker sites and portals, along with the ability to download tools, upload malware, send infected emails, or even carry out attacks.
The use of Virtual Private Networks (VPNs) also adds to the complexity of digital forensics investigations today. Many VPN providers do not keep logs of users and their activity for more than 7 days, allowing for the network communication logs of some cybercriminals to be deleted sometimes long before the incident has even been reported.
SSDs also employ newer TRIM technology that deletes data much more efficiently that older magnetic disks, as discussed in a later chapter.
Lastly, it has been my personal experience that in an environment without trained forensic personnel and those without any DFIR plans, policies, and implementations, breaches and incidents may go unnoticed for weeks or months at a time, allowing for important volatile evidence and artifacts that may have been stored in the memory (RAM) along with paging and swap files, to be lost once the systems have been restarted.
Adding to this scenario is the availability of more user-friendly tools to aid in the masking of Publicly Identifiable Information (PII), or any information that would aid in the discovery of unveiling suspects involved in cybercrimes during forensic investigations. Tools used for encryption of data and anonymity, such as the masking of IP addresses, are readily and easily available to anyone, most of which were—and are—increasingly user friendly.
It should also be noted that many Wi-Fi hotspots themselves can be quite dangerous, as these can easily be set up to intercept personal data, such as login and password information together with PII (such as social security numbers, date-of-birth information, and phone numbers) from any user that may connect to the Wi-Fi and enter such information.
The process of encryption provides confidentiality between communication parties and uses technology in very much the same way we use locks and keys to safeguard our personal and private belongings. For a lock to open, there must be a specific matching key. So, too, in the digital world, data is encrypted or locked using an encryption algorithm and must use either the same key to decrypt or unlock the data. There also exists another scenario where one key may be used to encrypt or lock the data and another used to decrypt the data. A few such very popular encryption tools are TrueCrypt, VeraCrypt, BitLocker, and PGP Tool.
These encryption tools use very high encryption methods that keep data very confidential. The main barrier to forensics may be acquiring the decryption key to decrypt or unlock access to the data.
Online and offline anonymity
Encryption, in particular, can make investigations rather difficult, but there is also the concept of anonymity that adds to the complexity of maintaining an accuracy of the true sources found in investigations. As with encryption, there exist several free and open source tools for all operating system platforms—such as Windows, Mac, Linux, and Android—that attempt and, most often, successfully mask the hiding of someone's digital footprint. This digital footprint usually identifies a device by its IP address and Media Access Control (MAC) address. Without going into the network aspect of things, these two digital addresses can be compared to a person's full name and home address, respectively.
Even though a person's IP address can change according to their private network (home and work) and public network (internet) access, the MAC address remains the same.
However, various tools are also freely available to spoof or fake your IP and MAC addresses for the purpose of privacy and anonymity. Adding to that, users can use a system of routing their data through online servers and devices to make the tracing of the source of the sent data quite difficult. This system is referred to as proxy chaining and does keep some of the user's identity hidden.
A good example of this would be the Tor browser; this uses onion routing and several proxies worldwide to route or pass the data along from proxy to proxy, making the tracing of the source very difficult, but not impossible. You can think of proxy chains as a relay race, but instead of having four people, one passing the baton to the next, the data is passed between hundreds of proxy devices, worldwide. Additionally, some hosting companies offer bulletproof hosting, which allows their users and clients to upload and distribute content that may not be allowed by others, allowing for spamming, different types of pornography, and other content that may not be legal, while offering a certain level of protection to customers' data and records.
Congratulations! You made it to the end of the first chapter. Before we jump into the second chapter, let's have a look at what was just covered.
We saw that digital forensics is still a relatively new field, although forensic science has been around for a very long time, as far back as the early 1900s. Although digital forensics may have only been on the scene since the early 2000s, as a science, we have certain best practices, procedures, and standards—such as those created by the ACPO, Budapest Convention, Interpol Guidelines, and the SWGDE—to adhere to. These maintain accuracy and the integrity of both the findings and the actual evidence when carrying out investigations, whether as an amateur or professional digital forensic investigator.
Some of the commercial tools mentioned were EnCase, FTK, and Magnet Forensics. Many of the open source tools available are made for Linux-based distributions and can be downloaded individually, but many are readily and easily available within certain forensic and security operating systems or distributions. These distributions include DEFT Linux, CAINE, and, of course, Kali Linux; all of these are freely available for download at the links provided.
I hope this introduction to digital forensics was informative and fun for you. Now that we've got a grounding in forensics, let's go deeper into Kali Linux as we learn how to download, install, and update Kali in Chapter 2, Installing Kali Linux. See you on the next page.
Please refer to the following links for more information:
- Commercial forensic tools: https://resources.infosecinstitute.com/category/computerforensics/introduction/commercial-computer-forensics-tools/
- Top 20 free forensic tools:https://techtalk.gfi.com/top-20-free-digital-forensic-investigation-tools-for-sysadmins/