Posts Tagged ‘Forensics’

GREM test-taking guide

Posted: January 7, 2018 in Defense, Misc

When I decided to take this course, I signed up for the OnDemand one. What I like about these OnDemand courses is that the course is available for 4 months. Not just that, but you also have access to a group of great mentors at your fingertips. Those mentors will try to answer your questions and help you understand any point you can't figure out. I strongly urge you to use their services to ask any question or discuss any related topic that crosses your mind as you go through the course.

Now, remember, if you intend to take the course, you need to know that it is a bit dense and requires a technical understanding of programming languages, computer architecture, and software engineering in general. You don't need to be a developer to bloom in this field, but the more knowledge you have in these areas, the easier it is to absorb the material and apply it to your future investigations. By taking this course you will be able to do the following:

  • Set up a Malware Analysis Lab
  • Learn how to use debuggers and disassemblers
  • Perform behavior analysis of a malware sample
  • Perform static analysis of a malware sample
  • Learn the fundamentals of Assembly language
  • Analyze Microsoft Office files with macros (Word, Excel, PowerPoint), PDF files, and Win32 samples, and perform memory analysis with Volatility
  • Analyze unpacked and packed malware
  • Learn about common malware obfuscation and de-obfuscation methods

Note that the list above is not exhaustive. There are more topics, tips, and tricks in the course. Always remember that the course itself is not your only resource for learning the material. I have often found myself on YouTube searching for multiple explanations of technical terms or further details on assembly instructions. It's part of the course to pause the SANS video and do some searching to better understand the material. You should find yourself repeating video segments multiple times to make sure you understand the point; otherwise, you won't be able to apply it in real life.

In addition, you need to complete 2 tasks as you go through the study material:

  1. Create your own summary of concepts, principles, how-tos, and your understanding of any methodology learned throughout the course. This becomes handy as your playbook and as your future reference. Personally, I keep a notebook with handwritten notes. My future plan is to digitize my notes so that they are accessible and retained for longer.
  2. Create your index for the test. My strategy was to have an Excel spreadsheet open. Any term, command, or concept that I feel is of importance, I highlight in the book with a highlighter and type into my Excel file along with the book number and page number.

I can't stress enough that I still find myself using my notes and index. They're not just for passing the test; they're your reference when you need it.

The key to any technical course is practicing. Find a good reverse engineering CTF to hone your skills and remember, “Practice makes Perfect!”


Dealing with digital evidence falls under Murphy's Law: "If anything can go wrong, it will go wrong!" Therefore, investigators need to take precautions to protect the evidence. Investigators should make a duplicate of the disk-to-image file and keep the original image intact for emergencies, in case something goes wrong. This is the most common, and the most time-consuming, technique for preserving evidence.

So, the standard practice is to make at least 2 images of the collected evidence. It is also advised to create each image with a different imaging tool, if possible, such as ProDiscover, FTK, or X-Ways Forensics. If only one imaging tool is available, it is suggested to create one image with compression and another without compression, with a tool like EnCase or ProDiscover. Whichever tools are used, hash the source and every image and record the values, so that each copy can later be shown to match the original.

Keep in mind that many acquisition tools don't copy data in the Host Protected Area (HPA) unless you use a hardware acquisition tool that can access the drive at the BIOS level, such as ProDiscover with the NoWrite FPU write-blocker, ImageMASSter Solo, or X-Ways Replica. A quick check is to compare the image's sector count with the drive's native capacity: if the image is smaller, the HPA was not captured.


Source: GCFI, 4th ed, Ch4

In digital forensics, there are 2 types of acquisition:

  1. Static acquisition: the preferred way to collect digital evidence when a computer is seized during a police raid; the system is powered off and its storage is imaged.
  2. Live acquisition: the way to collect digital evidence when a computer is powered on and the suspect is logged on. This type is preferred when the hard disk is encrypted, because the decrypted contents are only reachable while the system is running and the volume is unlocked.

For both types, there are 4 methods of collecting data:

  1. Creating a disk-to-image file: the most common method. It allows the investigator to create one or many bit-for-bit replications of the original drive, and the resulting image can be read by forensics tools such as ProDiscover, EnCase, FTK, X-Ways, ILook, SMART, and The Sleuth Kit.
  2. Creating a disk-to-disk copy: used when disk-to-image imaging fails because of hardware or software incompatibilities. It copies the entire disk to a newer disk using a tool such as EnCase or SafeBack, which can adjust the target disk's geometry to match the original drive.
  3. Creating a logical disk-to-disk or disk-to-data file: the preferred method for large data storage such as RAID servers. It captures only specific files or file types of interest to the case, and is used when time is limited.
  4. Creating a sparse copy of a folder or file: similar to a logical acquisition, but it also collects fragments of unallocated (deleted) data. It is used when the investigator doesn't need to examine the whole drive.
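As an added example that is not part of the original post or of any of the tools named above, the following bash script performs the disk-to-image acquisition of method 1 the way the two-image advice earlier on the page asks: one raw image and one compressed image, each verified against a hash of the source, plus a capacity check against the native sector count so that an image cut short by an unread HPA is caught. The 1 MiB source, the paths, the log format and the sector count are constructed assumptions; on a real case the source would be a write-blocked device such as /dev/sdb.

```shell
#!/usr/bin/env bash
# Added example, not from the GCFI text or any of the tools it names: a
# two-image disk-to-image acquisition with dd, one raw and one compressed,
# each verified against the hash of the source. The source here is a
# constructed 1 MiB file standing in for a write-blocked device such as
# /dev/sdb; paths, the log format and the sector count are assumptions.
set -euo pipefail

# SHA-256 of a file; falls back to shasum where sha256sum is absent (macOS)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# SHA-256 of whatever arrives on stdin (used to hash a decompressed stream)
hash_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | awk '{print $1}'
    else
        shasum -a 256 | awk '{print $1}'
    fi
}

# Raw bit-for-bit image. conv=noerror,sync reads past unreadable blocks and
# zero-fills them so later offsets stay correct; bs must equal the device's
# sector size (512 here) or the final partial block is zero-padded and the
# image no longer hashes the same as the source.
acquire_raw() {
    local src=$1 dst=$2
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null
}

# Second, independent image written through gzip: a different code path and
# on-disk format from the raw copy, the stand-in for "a different tool" when
# only one imaging tool is available.
acquire_gz() {
    local src=$1 dst=$2
    dd if="$src" bs=512 conv=noerror,sync 2>/dev/null | gzip -c > "$dst"
}

# Exit 0 only if the raw image hashes identically to the source
verify_raw() {
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# Exit 0 only if the compressed image decompresses to the source's hash
verify_gz() {
    [ "$(gzip -dc "$2" | hash_stdin)" = "$(hash_file "$1")" ]
}

# Exit 0 only if the image spans the drive's native capacity. NATIVE_SECTORS
# comes from the drive label or a tool that reports the native maximum (for
# example hdparm -N), so an image cut short by an unread HPA is caught.
verify_capacity() {
    local image=$1 native_sectors=$2 sector_size=${3:-512}
    [ "$(wc -c < "$image" | tr -d ' ')" -eq $(( native_sectors * sector_size )) ]
}

# Append a timestamped hash record to the case log; this is what lets each
# copy be shown to match the original later on.
log_hash() {
    local log=$1 label=$2 file=$3
    printf '%s  %s  %s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$label" \
        "$(hash_file "$file")" "$file" >> "$log"
}

# Stand-alone demo on a constructed 2048-sector (1 MiB) source
demo() {
    local work src
    work=$(mktemp -d)
    src="$work/source.dev"
    head -c $((2048 * 512)) /dev/urandom > "$src"

    acquire_raw "$src" "$work/evidence.dd"
    acquire_gz  "$src" "$work/evidence.dd.gz"

    log_hash "$work/acquisition.log" source "$src"
    log_hash "$work/acquisition.log" image1 "$work/evidence.dd"
    log_hash "$work/acquisition.log" image2 "$work/evidence.dd.gz"
    verify_raw "$src" "$work/evidence.dd"    && echo "image1: hash matches source"
    verify_gz  "$src" "$work/evidence.dd.gz" && echo "image2: decompressed hash matches source"
    verify_capacity "$work/evidence.dd" 2048 && echo "image1: spans all 2048 native sectors"
    cat "$work/acquisition.log"
    rm -rf "$work"
}

demo
```

Run it as-is to see the demo on the constructed source. Against real evidence, replace the source path with the write-blocked device and take the native sector count from the drive label or the tool that reports the native maximum, never from the visible capacity, which is exactly what an HPA shrinks.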

To determine the appropriate acquisition method, the investigator must consider the following:

  1. The size of the source disk.
  2. Can you retain the source disk as evidence, or must you return it to the owner?
  3. Time available to perform the acquisition.
  4. Location of the evidence.


Source: GCFI, 4th ed, Ch4