[How To] Forensic Memory Acquisition in Linux - LiME

This week we will be using LiME to acquire a memory image from a suspect Linux system. LiME is a loadable kernel module that must be compiled for the specific architecture of the suspect device. We show the basics of compiling it, and how to load the kernel object to copy out a raw memory image.

<div class="separator" style="clear: both; text-align: center;"><div class='embed-container'><iframe src='https://www.youtube.com/embed//_7Tq8dcmP0k' frameborder='0' allowfullscreen></iframe></div></div>

~1 min read

[How To] Forensic Data Recovery in Linux - tsk_recover

This week we will talk about The Sleuth Kit, and specifically the tool tsk_recover. tsk_recover is a useful tool for recovering allocated and unallocated files. It is a good quick solution, but in terms of performance other tools tend to carve data better. I recommend using it in conjunction with other tools in an automated processing chain.

<div class="separator" style="clear: both; text-align: center;"><div class='embed-container'><iframe src='https://www.youtube.com/embed/MS6zruRaxyA' frameborder='0' allowfullscreen></iframe></div></div>

~1 min read

No More Ransom - Detecting and unlocking ransomware without paying

Data is valuable. Ransomware takes advantage of the financial or sentimental value of our data, as well as the fact that most homes and organizations do not have adequate data backup solutions in place.

Once a computer is infected with ransomware, individual files are normally encrypted and the user is asked to pay a ransom to unlock their data. If the victim pays, the data may or may not be unlocked. Ransomware started off like most viruses, targeting average computer users opportunistically. Ransomware groups, however, have since started targeting hospitals, police organizations and others.

Use nomoreransom.org to unlock your data

So what can you do if you are infected with ransomware? Internet vendors and law enforcement have come together to create No More Ransom. This website gives users information about current types of ransomware, lets them download unlocking tools for free, provides prevention information and even has a tool that analyzes your encrypted files and recommends which unlocking tool to use.

The Problem

Ransomware is possible because people do not have backups in place.

The Solution

Backups.

If you have an extra hard drive that you are not using, or even another computer that is often on, CrashPlan is a pretty straightforward backup solution that is free if you save data to your own computers.

Note: Dropbox or similar services are not good backup solutions because they constantly sync changes. If ransomware infects your system, the encrypted changes may be synced to your cloud storage. With a backup solution like CrashPlan, 1) backup is not instantaneous and 2) CrashPlan keeps track of prior versions of data, so even if encrypted files were backed up, you can still restore the prior versions. Best of all, CrashPlan provides end-to-end encryption (if enabled).

1 min read

[How To] Forensic Data Recovery in Windows - Photorec

This week we will show how to use Photorec to recover data from a suspect disk image. Photorec supports the recovery of many different file types, but we will focus on jpg image recovery. Photorec works in Windows, Mac and Linux and is a useful tool for automating data recovery on suspect disk images.

<div class="separator" style="clear: both; text-align: center;"><div class='embed-container'><iframe src='https://www.youtube.com/embed//PTbgDEhqx1k' frameborder='0' allowfullscreen></iframe></div></div>

~1 min read

Warning to Forensic Investigators: USB KILLER

This post is informational for digital forensic investigators and first responders. Be aware of the 'USB Killer'. Very basically, it is a USB device that contains a high-voltage capacitor that charges up from the USB power supply, then releases a large charge directly into the USB data bus, potentially destroying the motherboard.

[Image: USB Killer device from USB Kill (https://www.usbkill.com)]

The device itself is made for 'penetration testers' to test the physical security of a system. The device shown is from USB Kill, but such a device would be trivial to create using any USB device and a high-voltage capacitor - like so.

Here are some comments on Reddit about whether a suspect would be liable if the police seize one of these and fry the investigation computer / write blocker.

This device is not to be confused with the USB Kill Switch, which checks whether devices are added or removed and shuts the system down. The USB Killer is focused on physical damage.

Unfortunately, I've not seen much more information on forensic forums about this type of device. SANS and Forensic Focus have some short articles on it. The device looks like a normal USB stick. Be sure to check any USB devices before imaging.

~1 min read

[How To] Forensic Acquisition in Windows - FTK Imager

In this video we show how to do a forensic acquisition of a suspect disk using FTK Imager in Windows.

<div class="separator" style="clear: both; text-align: center;"><div class='embed-container'><iframe src='https://www.youtube.com/embed/TkG4JqUcx_U' frameborder='0' allowfullscreen></iframe></div></div>

~1 min read