### ForensicsForensics involves collecting evidence. The job of the forensics

1. ### Forensics
2. Forensics involves collecting evidence. The job of the forensics investigator is to determine what happened on the machine. It has typically involved examining machines collected from locations, but recently 'live forensics' or the examination of the working machine in place has become more common. Live forensics enable the researcher to do a memory dump and analyze what is happening in memory. This would not be possible if a machine was shut down and transported for analysis.
3.  
4. The lecture mention four important principles for forensics:
5. 1. Minimize data loss
6. 2. Record Everything
7. 3. Analyze all data collected
8. 4. Report Findings
9.  
10. When recording evidence you should start with the time and system time. It is important to have proper time recordings so that a timeline of events can be reconstructed.
11.  
12. Triage is a concept mentioned in the lectures where multiple sources of evidence such as registry values and log files are examined and each supports the same conclusion. If you want to investigate a particular question, it is good to examine all evidence which might determine the answer, and all should be consistent.
13.  
14. Incident Response (IR) is the methodology for a team to respond to an ongoing attack.
15.  
16. DMZ is a zone in the corporate network that is between the internal network and the internet. This is where applications which need internet access would reside and there would be firewalls on both ends of the zone.
17.  
18. A typical incident might involve the attackers penetrating the outer firewall, infecting a device in the DMZ, and then further attempting to penetrate the inner firewall to access the internal network. The incident response would need to collect log data from all these devices and synchronize them.
19.  
20. The order of volatility - information which is more volatile, should be collected first. System memory is the first item to be captured, along with any other data that would be erased when the system shuts down.
21.  
22.  
23.  
24. #### Forensic Tools:
25. ##### FTK Imager -
26. - The 'capture memory' button creates a memory dump file. This is all the raw contents of memory, which includes the memory used by the tool itself.
27. - 'Add evidence item' opens a read-only view. For example, adding the physical drive will display all contents of the drive without copying or modifying
28. root\$MFT is the master file table
29. - 'Create disk image', select disk, select output'raw'
30.  
31.  
32. Memory dumps can show almost all activities which are occuring. It is one of the most useful analysis techniques because it has so much valuable information.
33.  
34. ##### Volatility -
35. This runs from the command line. It is easiest to put the .exe file and the memory dump file in the same folder. Then run volatility on the memory dump with some plugin option. These are some plugins which I ran:
36.  
37. imageinfo
38. This is useful for identifying the profile. In this case Win7SP0x86
39. Then other plugins can be run with --profile=Win7SP0x86 attribute
40.  
41. 
42.  
43. psscan
44. this lists the processes which were running on the system
45.  
46. 
47.  
48. dlllist <pid>
49. this displays the dlls called by a particular process identifying
50.  
51. 
52.  
53. netscan
54. this displays network activity
55.  
56. deskscan
57. shows the different desktops which the processes are assigned to
58.  
59. getsids
60. displays which user rights the processes are running under
61.  
62.  
63. timeliner --output=body
64. creates a timeline of events including processes and network activity
65.  
66. mftparser --output=body
67. outputs master file table $MFT
68.  
69. ##### Windows Registry
70. Hierarchical database storing configuration data for users, devices, and more. It contains tons of information and timestamps recording what was accessed, by whom, and when.
71. Two 'real' hives: HKEY_USERS (HKU) and HKEY_LOCAL_MACHINE (HKLM)
72. RegEdit
73.  
74. Within the registry there are common locations for malware such as: autorun, MRU lists, USB devices, IE history
75.  
76. Other forensics locations:
77. Browser logs
78. Anivirus logs
79. Windows prefetch folder
80. System Restore Points
81.  
82.  
83. Data Recovery/Data Carving-
84. Deleted files remain on disk until they are overwritten. This data can be recovered via a special program which scans the disk for file header and footers. The header identifies the start of the file and the type of the file.