Challenges of Digital Drives: Footprint Integrity and Binary View During Incident Response Log Collection
Background: In a previous article, I introduced the process of preparing a USB drive/tool for forensic analysis. Now it is time to go one level deeper and look at the key points to follow when extracting forensic information from a potentially malicious drive, and at which level (the raw bytes of the image) the information that makes up a USB drive's digital footprint is actually stored.
Introduction:
Each file can be represented in a hexadecimal view, which provides a raw, byte-level representation of its contents. The key point of this approach is that most file formats begin with a fixed sequence of bytes that is the same for every file of that type. These sequences, usually called magic numbers or file signatures, sit at a known offset (almost always offset 0) and identify the file type regardless of the file's name or extension. A file that is renamed to hide its nature still carries the signature of its real format.
For example, a JPEG image in the common JFIF container starts with the SOI marker FF D8 FF, followed by an APP0 segment (FF E0) whose payload carries the ASCII tag JFIF (4A 46 49 46 00) at offset 6. The bytes 4A 46 49 46 are therefore a good search string for JFIF images, but they are not the first bytes of the file.
Similarly, other file types have their own unique headers:
PNG files: Start with 89 50 4E 47 0D 0A 1A 0A (the bytes 50 4E 47 read PNG in ASCII).
PDF files: Start with 25 50 44 46 (which corresponds to %PDF in ASCII).
ZIP files: Start with 50 4B 03 04 (50 4B is PK in ASCII, after PKZIP; 03 04 marks a local file header).
Evidence collection process from the drive:
First of all, you need to consider that the collected forensic information can become evidence in a court or other legal case. For this reason, it is crucial to calculate and record the SHA-256 hash of the cloned image (and, where possible, of the source drive itself) immediately after acquisition, and to recompute it whenever the image is copied, transferred or analyzed. Matching hashes are what prove that the data has not been tampered with and remains in its original state; a single changed bit produces a different hash. In this example, after taking the raw image of the thumb drive, I collected its SHA-256 hash.
In the next step, we open the cloned disk image, which was created with the dd command (or any other forensic imaging method), and analyze its contents in a hexadecimal view. During this analysis, you can search for specific file signatures, such as the bytes 4A 46 49 46 (ASCII JFIF) that follow a JPEG's FF D8 FF start marker, to locate JFIF images or other file types embedded anywhere in the image, independent of file system metadata, file names or extensions. This also finds files in unallocated space, since the search runs over the raw bytes rather than over the directory tree.

This method gives us a lot of capability for artifact searching and file identification. By leveraging YARA rules, whose hex strings express exactly these byte signatures, we can efficiently search for specific files, patterns or artifacts within forensic disk images without ever mounting or executing anything from the suspect media, which keeps the analysis read-only and the evidence intact.
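The procedure above, carried out in code as an added example (this is not the original article's code): it builds a small constructed raw image that contains fake JPEG/JFIF, PNG, PDF and ZIP headers separated by filler bytes, records and re-verifies its SHA-256 hash as in the evidence collection step, carves the image for the signatures listed in the Introduction (handling the JFIF tag at offset 6 rather than offset 0), and emits an equivalent YARA rule from the same signature table. The sample image, the signature names and the rule name `carve_known_headers` are assumptions chosen for illustration.

```python
import hashlib
import hmac

# Signatures from the Introduction. JPEG is listed by its real start marker
# (FF D8 FF); the ASCII "JFIF" tag is checked separately at offset 6, because
# it is not the first byte of the file.
SIGNATURES = [
    ("jpeg", bytes.fromhex("FFD8FF")),
    ("png", bytes.fromhex("89504E470D0A1A0A")),
    ("pdf", b"%PDF"),
    ("zip", bytes.fromhex("504B0304")),
]
JFIF_TAG_OFFSET = 6
JFIF_TAG = b"JFIF\x00"


def build_sample_image() -> bytes:
    """Constructed stand-in for a dd image (assumption: not a real drive).

    Filler bytes are 0xAA so they cannot accidentally form a signature."""
    pad = lambda n: b"\xAA" * n
    jpeg = bytes.fromhex("FFD8FFE00010") + JFIF_TAG + bytes(10)   # 21 bytes
    png = bytes.fromhex("89504E470D0A1A0A") + b"\x00\x00\x00\x0dIHDR"  # 16 bytes
    pdf = b"%PDF-1.7\n"                                             # 9 bytes
    zipf = bytes.fromhex("504B0304") + bytes(26)                    # 30 bytes
    return pad(512) + jpeg + pad(200) + png + pad(100) + pdf + pad(50) + zipf + pad(64)


def sha256_hex(data: bytes) -> str:
    """Hash to record in the chain-of-custody notes right after acquisition."""
    return hashlib.sha256(data).hexdigest()


def verify_image(data: bytes, recorded_hash: str) -> bool:
    """Re-hash the image and compare with the recorded value (constant time)."""
    return hmac.compare_digest(sha256_hex(data), recorded_hash)


def carve_headers(data: bytes):
    """Scan every byte of the raw image for known signatures.

    Returns sorted (offset, type) pairs. A JPEG whose APP0 payload carries the
    JFIF tag at offset 6 is labelled 'jpeg/jfif'."""
    hits = []
    for name, sig in SIGNATURES:
        idx = data.find(sig)
        while idx != -1:
            label = name
            if name == "jpeg":
                tag = data[idx + JFIF_TAG_OFFSET: idx + JFIF_TAG_OFFSET + len(JFIF_TAG)]
                if tag == JFIF_TAG:
                    label = "jpeg/jfif"
            hits.append((idx, label))
            idx = data.find(sig, idx + 1)
    return sorted(hits)


def yara_rule(name: str = "carve_known_headers") -> str:
    """Emit a YARA rule whose hex strings mirror SIGNATURES, so the same
    table can be run with the yara CLI or yara-python over a disk image."""
    lines = [f"rule {name} {{", "    strings:"]
    for sig_name, sig in SIGNATURES:
        lines.append(f"        ${sig_name} = {{ {sig.hex(' ').upper()} }}")
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    image = build_sample_image()
    recorded = sha256_hex(image)
    print("SHA-256 at acquisition:", recorded)
    print("integrity check:", verify_image(image, recorded))
    for offset, kind in carve_headers(image):
        print(f"offset 0x{offset:08X}: {kind}")
    print(yara_rule())
```

On a real case you would replace `build_sample_image()` with the bytes of the dd image read from disk (a memory map rather than a full read for large images) and compare `recorded` against the hash written down at acquisition; a mismatch means the image has changed since then and must not be used as evidence.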
Conclusion: A RAW image is a bit-for-bit binary copy of a drive, including unallocated space and slack. RAW images are widely used in digital forensics because of their simplicity and because every tool can read them, but they have clear disadvantages: they are as large as the source drive, carry no built-in hash or metadata (unlike container formats such as E01), and are of limited use when the drive is encrypted. With full-disk encryption, the image contains only ciphertext, so signature searches of the kind shown above find nothing until the volume is decrypted with a recovered key or password, or the data is acquired from the running, unlocked system instead.
