Now that we have an image of the file system, we can perform MAC timeline analysis of the image to generate a timeline and to place the contents with the date and time in a systematic, readable format. Both the fls and ils commands can be used to build a timeline analysis of the file system. For the fls command, we need to specify that the output will be in MAC timeline output format. To do so, we will run the fls command with the -m flag and redirect the output to a file. We will also use the -m flag with the ils command.
There are various tools that can be used to perform forensics analysis on a USB drive, such as Sleuth Kit Autopsy, FTK Imager, Foremost, etc. First, we will have a look at the Autopsy tool.
USB Forensics Analysis
DOWNLOAD: https://urllio.com/2vHU1X
Autopsy is Graphic User Interface (GUI) for the command-line tool Sleuth Kit and is at the top level in the forensics world due to its integrity, versatility, easy-to-use nature, and the ability to produce fast results. USB device forensics can be performed as easily on Autopsy as on any other paid tool.
FTK Imager is another great tool used for the retrieval and acquisition of data from different types of images provided. FTK Imager also has the ability to make a bit-by-bit image copy, so that no other tool like dd or dcfldd is needed for this purpose. This copy of the drive includes all files and folders, the unallocated and free space, and the deleted files left in slack space or unallocated space. The basic goal here when performing forensic analysis on USB drives is to reconstruct or recreate the attack scenario.
Now, Export the given results to the path of your choice by right-clicking the image name and selecting the Export option to analyze it. The FTK Imager will create a full data log of the forensics process and will place these logs in the same folder as the image file.
USB drive forensics is a good skill to have to retrieve evidence and recover deleted files from a USB device, as well as to identify and examine what computer programs may have been used in the attack. Then, you may put together the steps the attacker may have taken to prove or disprove the claims made by the legitimate user or victim. To ensure that no one gets away with a cyber-crime involving USB data, USB forensics is an essential tool. USB devices contain key evidence in most forensics cases and sometimes, the forensics data obtained from a USB drive can help in recovering important and valuable personal data.
USB device analysis can vary depending on the operating system (ex. Windows XP vs. 7) and the type of USB device connected (ex. USB Mass Storage Device, Removable Storage, or MTP device). The type of device will dictate which drivers have been installed on the system and how Windows handles the device. Most commonly, examiners will find valuable evidence in USB Mass Storage devices, but should still be familiar with other device types and how they are handled. Typically, for USB Mass Storage Devices, examiners need to collect details from multiple locations in order to analyze USB activity on a Windows PC.
USB device history can be a great source of evidence during a forensic analysis, when an examiner needs to determine if an external device was connected to a system and how USB devices have been used on a given system.
USB device analysis can vary depending on the Windows version and the type of USB device connected: the type of device will dictate which drivers have been installed on the system and how Windows handles the device.
usbdeviceforensics is a python script to extract numerous bits of information regarding USB devices. It initially used the information from a SANS blog (Rob Lee) post to retrieve operating system specific information.
Digitial Forensics analysis of USB forensics include preservation, collection, Validation, Identification, Analysis, Interpretation, Documentation, and Presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal.
USB device forensics can be difficult. It is fraught with a number of caveats. The data points that can be relied upon vary based on the specific version of Windows, the type of USB device, the type of drive on which the operating system is installed, and more. Compounding these, Windows 10 further complicated things with the device cleanup process, which removes USB device-related records from locations that have long been relied upon by tools and examiners. To help combat these issues and more, I developed USB Detective.
USB Detective aims to ease the burden on the examiner by visually distinguishing attributes with inconsistent timestamps from those with multiple corroborating sources. This is accomplished by leveraging numerous data points for the identification of USB device attributes such as the first connected and last connected time. USB Detective organizes its findings in a way that allows for easy reporting to non-technical individuals or in-depth analysis and reporting for examiners. The source of every value reported by USB Detective is also maintained to allow the examiner to verify and document the results.
Associating a single data point with a specific event, such as a device connection or disconnection, can be problematic if the examiner ignores the context of the data point. For example, the Enum\USB subkey hierarchy in the SYSTEM hive is a well-known location for, in some cases, identifying the last time a USB device was connected to a system. However, this subkey hierarchy can be updated through events that result in the Last Write time of all subkeys in the hierarchy being updated to the same date and time. This is a well-known behavior, but one that an examiner must be cognizant of during analysis. In many cases, there are other data points available that accurately reflect the targeted event.
USB Detective aims to simplify the USB device analysis process by identifying USB device data from dozens of locations, reporting key USB device attributes, and highlighting conflicting and corroborating data points. There are many additional features not mentioned here that are currently available in USB Detective as well as many others on the road map for later release. To learn more about USB Detective or to try it out, visit usbdetective.com.
Applications include windows analysis, cyber defense, cyber attack detection, digital forensics, memory forensics, memory behavior analysis for windows applications, and other reverse engineering activities.
In an effort to determine whether any files were copied to these USB devices, procedures commonly associated with this type of investigation were carefully followed. These included a review of link and log files entries, recovery of link files from unallocated space, review of event logs, analysis of Windows registry artifacts, review of recently accessed files, etc. As part of standard methodology, the forensic analysis included the review of the disk activity following the introduction of these USB devices. A time-line analysis, focusing on Last Accessed, Entry Modified, Last Written, and File Created date stamps of the files following the connection of the USB devices, was performed.
Once it was determined that the theory was possible, it was then necessary to rule out any possible scenarios. Continuing with the analysis, the possibility of antivirus software doing a background scanning at the time of the connection was quickly ruled out since a virus engine would have been able to scan 99 files and 99MB of data much faster than 19 seconds. Furthermore, there was familiarity with the corporate antivirus engine deployed through the enterprise. Moreover, an antivirus software would have not done a selective type scanning without user intervention. Meaning that several files were contained within a specific folder and not all files within this folder were modified, only a selective group of these files. Although, this was a far fetch possibility, an attempt was made in trying to replicate the sequence of events by restoring the forensic image of the laptop to a virtual machine in order to boot up the computer and avoid having to do additional image restores. After booting up the virtual machine, files within the folder were accessed to determine if the files would be scanned and/or modified (Last Accessed) in a similar manner. The observation from the experimentation was very different and therefore unable to replicate the original observation.
Following the analyst's review, a lawsuit was filed and the defendant was asked to provide the external USB devices connected to the corporate laptop prior to his separation with the company. The defendant was also asked not to alter, delete, and/or modify the data in any way. A preliminary analysis of the USB devices revealed the presence of over 999 (over 1.9GB in size) proprietary and confidential company documents including the 99 files initially identified by the preliminary analysis.
Further review of the USB devices reveal that the 'Last Accessed' dates of the files identified as proprietary documents and stored in one of the USB devices were also changed in a similar manner than the previous 99 files identified earlier during the investigation. Following the same procedures conducted on the analysis of the laptop, a series of tests were conducted to rule out other possibilities. Upon completion, it was concluded that the files stored in the USB device were probably copied to yet another unknown source, perhaps a computer or another external drive.
In order to support the initial findings, the company retained an independent forensic expert to conduct a separate review of the USB mass storage device. The consultant was provided with a forensic image of the USB device and asked to perform an analysis on the evidence to determine if the information (identified as proprietary and confidential) stored in the external device was copied from this device. Independently, it was concluded, that based on the sequentially 'Last Accessed' date stamps, the probability of files being copied was very apparent and the findings were consistent with files copying. 2ff7e9595c
Comments