Internet Forensics Flashcards

1
Q

What are the common techniques used for collecting information in internet forensics?

A

There are two main approaches: tracing, which is concerned with collecting data about the endpoints themselves, and acquisition, which covers the efforts to collect information from the endpoints.

2
Q

How may tracing be carried out?

A

Tracing includes all efforts to learn something useful about a host. Useful tools include default UNIX binaries like ping and whois, which allow you to perform a routine health check on the device, or to get detailed information on the individual/organization or local network associated with the provided network address. traceroute allows investigators to ping a given host while also getting detailed information on the path the request took through the network (useful for getting a rough outline of the geolocation of the endpoint). Finally, Nmap is a port scanning tool which enables investigators to see what ports are open on the host. The information gathered through tracing is often useful when acquisition is to be carried out later on.

3
Q

What are the three types of acquisition?

A

Local acquisition - Carried out on the endpoints involved in the incident (attacker and/or victim)

Network acquisition - Carried out on the local networks which hold the IP address of the endpoints

Remote acquisition - Carried out on systems or endpoints not directly connected to the incident

4
Q

What is Local Acquisition?

A

Local Acquisition is the process of collecting information directly from the involved endpoints. This is essentially a subset of computer forensics collection, as the internet-related artifacts are often found in disk images.

Some of the most valuable information found on the endpoints is the browser history and cookies. Browser history does not only provide insight into the visited websites; it also contains information on bookmarks, favourite web pages, and download history. This information is usually enriched by the many cookies also found on disk, which provide further information on the activities the user of the device carried out on different websites.

Downloaded emails and chat messages are also invaluable sources of information often seen on endpoints.

There are many more artifacts of interest (but only these were covered in the book).

5
Q

What is Network Acquisition?

A

Network Acquisition is carried out on the local network of the endpoints. Common techniques are performing packet captures (e.g., with tcpdump) and inspecting DHCP logs.

Most high-security environments capture all packets and store them for a set period of time. If this is done, a lot of valuable information may be accessed. Performing packet captures after an incident is also recommended, as there may still be clues in the traffic (the malicious process may still be running and trying to reach out to command and control servers).

DHCP is a protocol used for assigning IP addresses on local networks. When a device receives an IP address from a DHCP server, the server logs the provided IP address along with the MAC address of the device and a timestamp. This can be used to identify the malicious endpoint.

6
Q

What is Remote Acquisition?

A

Remote Acquisition is a method of data collection where the investigators acquire data from endpoints not directly involved in an incident. This can be carried out in many ways. If the IP address of the attacker is known, investigators may contact other service providers, such as social media platforms, to see if anyone logged into their account using that IP address. Investigators can also conduct open-source intelligence (OSINT) gathering by collecting relevant publicly available information, e.g., inspecting social media accounts.
