
Everything Starts with a Dream…


Index

Introduction 5
1. Computer Forensics Processes 7
1.1 Identification 8
1.2 Preservation 8
1.2.1 Collision of digital evidence 13
1.3 Analysis 21
1.4 Presentation 21
2. Types of forensic analysis 23
2.1 The Fruit of the Poisoned Tree Theory 24
3. Collecting evidence 27
3.1 Before starting 27
3.2 Differences between forensic copying and backup 29
3.2.1 RAM on Windows systems 34
3.2.2 RAM on Linux 35
3.3 Windows commands as forensic tools 38
3.3.1 ARP protocol tables 39
3.3.2 CMD history 40
3.3.3 Windows Network Configuration 41
3.3.4 Active connections in Windows 41
3.3.5 Scheduled tasks 44
3.3.6 System information 45
3.4 Browser history 45
3.5 Utilities 46
3.5.1 Agave 47
3.5.2 WinTriage 49
3.5.3 WinUFO 51
4. Forensic copying 52
4.1 Types of forensic copies 52
4.2 Forensic copy formats 53
4.3 Main challenges 55
4.4 Computer forensic hardware 60
4.4.1 Write blockers 60

4.4.2 Duplicators 62
4.5 Forensic copying of hard disks 64
4.5.1 Forensic copying with FTK Imager 64
4.5.2 Forensic copying with OSForensic 72
4.5.3 Forensic copying with HelixPro 73
4.6 Forensic copying from Linux 76
4.7 Live copy forensics, Windows systems 77
4.7.1 Detection of encrypted drives 79
4.7.2 Live copy forensics, encrypted Windows environments 87
4.8 Hash calculation in Windows 90
4.8.1 CMD 90
4.8.2 PowerShell 91
4.8.3 Multihasher 91
4.8.4 OSForensic 92
4.9 Hashing calculation in Linux 94
5. Forensic Lab 95
5.1 Free forensic suite 96
5.2 Autopsy Forensic 97
5.2.1 Creating a case 98
5.2.2 Adding evidence 100
5.2.3 Modules 103
5.2.4 Viewing Evidence 106
5.2.5 Timeline 110
5.3 Commercial Forensic Suite 111
6. Windows digital Investigation 117
6.1 Adding evidence 117
6.2 Mounting forensic copies 121
6.3 Existing users 126
6.4 Host 130
6.5 System Events 132
6.6 Prefetch 135
6.7 Shadowcopy 137
6.8 MFT 139
7. RAM Analysis 142
7.1 Volatility 142
7.1.1 Profiles 143
7.1.2 Processes and sub-processes 144
7.1.3 Inspection of used libraries 146
7.1.4 Extraction of executables 147
Index of illustrations 149
Computer Forensics Credentials 152

Introduction

The world of computer forensics has always been exciting to me, not only because the technological and legal sides intertwine, but also because over the years I have seen that those who know and handle both areas excel in the sector. The cases I have handled over more than a decade of investigations are many: from those in which the only goal is to detect whether users are stealing corporate information, to computer attacks on critical servers (where it is unknown whether the attack vector is internal or external), to media cases in which a person is accused of serious crimes such as rape, murder or kidnapping and the mobile device becomes the key piece that can tip the balance to one side or the other and allow justice to prevail.

Throughout the following pages, we will discuss both the techniques and the orderly protocol that enable computer forensic processes to be carried out. As a main objective, we will discuss the rationale for each of the techniques and norms, as appropriate. We will cover the key aspects that provide certainty that the elements extracted yield a complete and reliable copy of the originals. This assures that the conclusions reached after processing the information are real, consolidating a record that nothing has been manipulated beyond what is strictly necessary and ensuring that a peer-review process will replicate the results with any other tool, whether free or paid. All of this will be the basis, as we will see in due course, for presenting a computer forensic investigation, which, on many occasions, given the value and consequences of our report of results, leads to dismissals, legal action or corporate restructuring. This makes the right of reply a quite common practice, so it is necessary to ensure that our investigations are always guided by best practice.

The book is directed to computer systems personnel, as well as lawyers who wish to specialize in IT issues. We will start with a solid knowledge of regulations and laws before delving into the technical part of extracting the evidence and processing it.

1. Computer forensics processes

The cornerstone of a computer forensic investigation is always the preservation of the initial scenario; this is something I would like to emphasize. The legal part will be key if you want to dedicate yourself fully to computer forensics or, at the very least, to rest assured that your investigations can withstand a judicial process if required, in case you will be working within a corporation.

Regarding the preservation process, I would like to share with you something that happens often when it is my turn to defend someone. Sometimes companies allegedly detect that an employee was stealing information about trademarks, patents or marketing strategies, and all the evidence seems obvious; regardless, if key steps were omitted when carrying out the evidence preservation process, the investigation will be worthless in the eyes of the authorities. This is something I see all too often when I am defending an employee and observe that steps have been omitted in the evidence preservation process. In a legal trial, it is enough to point out that the traceability of the evidence is in doubt for a judge to rule that he or she cannot prosecute, since the evidence is questionable as to its immutability.

By now you are probably wondering: how should I start and what steps should I follow in my investigations? The answer is that each case is analyzed individually; however, in general there are working models. One that, in my opinion, is simple and very practical to apply is the one developed by the U.S. Department of Justice (2001), which divides the computer investigation process into 4 steps:

• Identification
• Preservation
• Analysis
• Presentation

1.1 Identification: here comes the analyst's part (us), who, after learning the details of the case, will make decisions. Decisions such as: which technological equipment will be part of our investigation, which cloud instances will be required, which servers will be requested, or whether we are going to take the router to analyze it. All of these will be delicate decisions, since we will be the ones who indicate what is analyzed and what can be excluded.

1.2 Preservation: from my perspective, preservation is the heart of an investigation, whose result will either be presented to an authority or be subject to rebuttal by another computer forensic expert. Here, a second investigator will review any error or omission in the process with a magnifying glass, trying to undermine any result that the analysis may yield.

There is a legal concept known as chain of custody. This controlled procedure is what allows us to give traceability to each of the elements that we have available as investigators. The chain of custody, in the field of information technology, provides a record starting from the moment a file was extracted from a computer. It also helps to validate its integrity with scientific certainty, allowing us to verify that, after the evidence has passed from one person to the next, the file remains intact (or not), just as it was when first extracted. An example from another area would be a crime scene where a knife was found: there should be a controlled record indicating who found and collected it, to whom it was given first, whether it was given to another person, and so on down to the last person who had it in their hands. That would be the chain of custody. The document that records the order of all those who guarded the evidence allows us to verify whether the knife the last person holds is the same one the first person collected, since its size, colors and characteristics were detailed at the beginning. The example is clear, but in the computer world we ask ourselves: how can I validate that a file being analyzed has not been altered or modified at any point in the past? At this point, in the computer forensic branch, what allows us to register the chain of custody is called the "hash integrity value". From now until the end of this guide, this value will be the element that must be checked at every step; in other words, you should always have a record of that value. The technical process falls outside the scope of this book, since it calls for a volume of its own full of algorithms and programming that diverges from this book's main objective, which is the preservation of evidence.

There is a lot more to say, but for the purposes of understanding the hash integrity value, we will say that it is a serial number associated with a digital item. This digital item can be a Word, Excel or PowerPoint file, a photo, video, audio, PDF or HTML file, or, more practically, a hash integrity value can be computed for an entire hard disk, including all its partitions and the hundreds of thousands of files it contains. The hash integrity value can be generated on any digital item or items we have available.

As an example of the algorithms used to calculate these hash integrity values, we can compute the hash integrity value of the word "hello", which would be:

MD5: d41d8cd98f00b204e9800998ecf8427e

SHA-1: da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA-256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

The sequence of numbers and letters observed after the colon ':' represents the hash integrity value under the corresponding algorithm. Each of these algorithms has advantages and disadvantages, which will be crucial, so let's look at their similarities and differences.

Similarities:

• The numbers 0-9 and the letters A-F are used.

• The sequence has a fixed length: no matter whether the hash integrity value is calculated from a 1 Kb file or from a hard disk with 100,000 Tb, the hash integrity value will always have the length that corresponds to the algorithm.

The fact that the hash integrity value uses letters in addition to numbers makes it almost impossible for two completely different items to have the same hash integrity value.

From the above example we can take the MD5 value:

d41d8cd98f00b204e9800998ecf8427e

The first value is the letter "d". This first value could have been a number from 0-9 or a letter from A-F (these are known as hexadecimal values), which implies that there are 16 options for the first value, and the same is true for the second character and every character up to the last one of the hash integrity value.

Differences:

MD5 has 32 characters, SHA-1 has 40 characters and the SHA-256 algorithm has 64 characters.

The probability of coincidence of two hash values is calculated by raising 16 (the number of possibilities for each character) to the corresponding power (the number of characters of each algorithm).

✓ MD5: Matching probability is 16 ^ 32 = 3.4028236692093846346337460743177e+38
✓ SHA-1: Matching probability is 16 ^ 40 = 1.4615016373309029182036848327163e+48
✓ SHA-256: Matching probability is 16 ^ 64 = 1.7668470647783843295832975007429e+72

IMPORTANT: Since this is a question I am often asked, I clarify that calculating a hash integrity value does not embed that value in the document; it does not certify or modify it. It is only a matter of obtaining from the document a, so to speak, serial number that must be unique.
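As an added example (not from the book), the following Python recomputes the three digests of the word "hello" and checks the properties listed above: the hexadecimal alphabet, a length fixed per algorithm (32, 40 and 64 hex characters) regardless of input size, and 16^n possible values, where 16^n is the number of distinct digests an algorithm can produce, so an accidental match between two unrelated items is a 1-in-16^n event. It also checks a detail worth knowing when you compare your own output with the three values printed above: those are the digests of an empty input, not of "hello".

```python
import hashlib
import string

# The three algorithms the chapter compares, in the order it lists them.
ALGORITHMS = ("md5", "sha1", "sha256")


def digests(data: bytes) -> dict:
    """Hex digest of `data` under each algorithm, e.g. digests(b"hello")."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digest_properties(hexdigest: str) -> dict:
    """The two similarities listed in the text: hex alphabet and a length fixed
    per algorithm. 16 ** length is the number of distinct digests the algorithm
    can produce, so an accidental match is a 1-in-that-number event."""
    return {
        "hex_only": all(c in string.hexdigits for c in hexdigest),
        "length": len(hexdigest),
        "possible_values": 16 ** len(hexdigest),
    }


def length_is_input_independent(name: str, sizes=(0, 1, 1024, 1024 * 1024)) -> bool:
    """True if the digest length is identical for inputs of every size in
    `sizes` (0 bytes up to 1 MB here): the second similarity the text states."""
    lengths = {len(hashlib.new(name, b"A" * n).hexdigest()) for n in sizes}
    return len(lengths) == 1


def is_empty_input_digest(name: str, hexdigest: str) -> bool:
    """True if `hexdigest` is what `name` produces for zero bytes of input.
    The three values printed in the text satisfy this check."""
    return hashlib.new(name, b"").hexdigest() == hexdigest.lower()


if __name__ == "__main__":
    for name, hexd in digests(b"hello").items():
        p = digest_properties(hexd)
        print(f"{name:7s} {hexd}  ({p['length']} hex chars, "
              f"16**{p['length']} = {p['possible_values']:.3e} values)")
    print("length independent of input size:",
          all(length_is_input_independent(a) for a in ALGORITHMS))
    print("printed values are empty-input digests:",
          is_empty_input_digest("md5", "d41d8cd98f00b204e9800998ecf8427e"))
```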

1.2.1 Collision of digital evidence

With these probabilities of coincidence, one could think that any of the algorithms can be used interchangeably. However, for the purpose of reporting to an authority and giving scientific certainty, the MD5 and SHA-1 algorithms should not be used. The reason is very simple: years ago it was published and demonstrated that two totally different files can intentionally be made to have the same MD5 value. It was also demonstrated that the same process of generating two totally different files with the same SHA-1 value can be performed for the SHA-1 algorithm. This is known as a hash collision.

For the purpose of understanding the importance and relevance of collisions in the MD5 and SHA-1 algorithms, I would like to use a very simple analogy. Imagine two shell casings, one 9 mm and the other 50 mm; obviously, just by seeing them you know that they correspond to different firearms. With the concept of "hash collision" in mind, it is as if the evidence numbers for those two shell casings within a legal process were the same. This is what using the MD5 or SHA-1 algorithms implies in computing, since they have already been shown to have collisions. Hence, it cannot be proven that the digital element being analyzed has not been tampered with.

Let's see this with a graphical example. Below, I present two images named "image1.jpg" and "image2.jpg".

image1.jpg
image2.jpg

Illustrations 1 and 2 - MD5 Collision

Images can be downloaded from:

https://jocsanlaguna.com/colisionhash

Using any MD5 calculation tool, we can observe that both images have the same MD5 hash integrity value, which is:
253dd04e87492e4fc3471de5e776bc3d

This can be corroborated as follows:

Illustration 3 - MD5 Collision demonstration

Illustration 4 - MD5 Collision demonstration

In the example of the photos the difference was obvious, but what would happen if it were digital evidence of a homicide? Imagine that a video that captured the face of the culprit is replaced by another with an innocent bystander. Another case could be logs of banking operations with a certain number of transactions being replaced by others in which payment orders are added or removed; what would happen then?

Just as was done with MD5, a collision can be carried out with the SHA-1 algorithm, which allows two totally different files to have the same value. This translates into the technical possibility of manipulating the evidence that has been found.

original.pdf

altered.pdf
Illustrations 5 and 6 - SHA1 Collision

Carrying out the SHA1 calculation, we can see that both files, despite being obviously different, have the same value. Therefore, it is shown that the SHA1 algorithm has a security gap that allows two different digital files to have the same value. The evidence is thus compromised because of the corruption within the chain of custody and the digital file's traceability.
Illustration 7 - SHA1 Collision demonstration

There is no technique that allows us to discover whether a digital file has been tampered with, at least not with an MD5 or SHA-1 integrity value. These values make it impossible to determine whether the digital element has been altered or is intact. For all of these reasons, elements with MD5 and SHA-1 integrity values should not be presented before a judge or any authority, due to the lack of scientific rigor. It has been shown that both algorithms have collisions and, therefore, digital evidence presented at a trial could be manipulated without leaving a trace.

The algorithms that give scientific certainty today, November 03, 2021, would be SHA-256 and also SHA-512.

The trade-off of these algorithms is the time and the computer resources used for their calculation. The longer the digest produced by the algorithm, the more time consuming it is: an MD5 is much faster to calculate than a SHA-1, and in turn SHA-1 is faster to compute than SHA-256.
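An added example, not from the book, of how the chain of custody described in 1.2 can be kept for a digital item with the algorithms the text accepts: every hand-over records the SHA-256 and SHA-512 integrity values of the item, and verification re-hashes the item currently held and compares it with every earlier entry, so a swapped or altered copy fails the check. The item label, custodian names, log line and JSON layout are the example's own constructions.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Algorithms the text accepts for reporting to an authority (as of the date it gives).
ACCEPTED = ("sha256", "sha512")
# Algorithms with demonstrated collisions: a record built only on these proves nothing.
DEPRECATED = ("md5", "sha1")


def fingerprint(data: bytes, algorithms=ACCEPTED) -> dict:
    """Integrity values recorded for a digital item: {algorithm: hex digest}."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


@dataclass
class CustodyEntry:
    custodian: str    # who held the item
    action: str       # "collected", "transferred", "analyzed", ...
    timestamp: str    # ISO 8601, UTC
    integrity: dict   # fingerprint() of the item at that moment


@dataclass
class CustodyRecord:
    item_id: str                      # evidence label (constructed in the demo)
    entries: list = field(default_factory=list)

    def log(self, custodian: str, action: str, data: bytes,
            when: str = None, algorithms=ACCEPTED) -> CustodyEntry:
        """Append a hand-over, hashing the item exactly as it is at this moment."""
        when = when or datetime.now(timezone.utc).isoformat()
        entry = CustodyEntry(custodian, action, when, fingerprint(data, algorithms))
        self.entries.append(entry)
        return entry

    def verify(self, data: bytes) -> dict:
        """Re-hash the item held now with the algorithms each entry used and
        compare. 'intact' is True only if every entry agrees with the current
        digests; an empty record cannot vouch for anything."""
        per_entry = [e.integrity == fingerprint(data, tuple(e.integrity))
                     for e in self.entries]
        return {"intact": bool(self.entries) and all(per_entry), "per_entry": per_entry}

    def uses_weak_algorithms(self) -> bool:
        """True if any entry lacks an accepted algorithm (i.e. rests on MD5/SHA-1 only)."""
        return any(not set(e.integrity) & set(ACCEPTED) for e in self.entries)

    def to_json(self) -> str:
        """Serialize the chain so it can be attached to the technical report."""
        return json.dumps(asdict(self), indent=2)


if __name__ == "__main__":
    # Constructed evidence: one line of a copied activity log (not real data).
    evidence = b"2021-11-03 09:12:44 user=jdoe action=copy src=C:\\Patents\\ dst=E:\\\n"
    record = CustodyRecord("ITEM-0001")
    record.log("Analyst A", "collected", evidence, when="2021-11-03T10:00:00+00:00")
    record.log("Analyst B", "transferred", evidence, when="2021-11-03T12:30:00+00:00")
    tampered = evidence.replace(b"jdoe", b"asmith")   # a swapped copy
    print("original intact:", record.verify(evidence)["intact"])   # True
    print("altered intact: ", record.verify(tampered)["intact"])   # False
    print(record.to_json())
```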

Within the preservation issue, we are also faced with questions such as: if a computer is on, should I turn it off? Can I connect a USB memory stick to extract evidence?

The first recommendation is to perform a RAM dump on Windows or MAC; on Linux this does not apply, more on why later. With this we have the contents of the RAM available for analysis in our laboratory. However, when the computer is turned off, the RAM is destroyed and there is no way to recover it. Therefore, this is one of the tasks to be performed immediately upon arrival at an investigation site.

The initial question, when you find yourself with a computer on, is how do you shut down that computer? The best way to do this (despite common belief) is not by clicking on the operating system icon. This is not recommended, as there are many programs that can perform maintenance tasks at shutdown, such as securely deleting all temporary files. There are also programs that can be configured so that, when the computer is turned off, all data generated by the user during that session is deleted from the recycle bin. Given that it is not possible to know what the computer will do when shutting down normally, it is best to pull the power cables or, if it is a laptop, to remove the battery or hold down the power button to perform a forced shutdown. Here the risk of damage to the disk is practically nil: mechanical disks contain capacitors whose function, when there is a power failure, is to retract the mechanical elements that could damage the information. In the case of solid-state disks, there is no risk of such damage. What could happen (but is unlikely) would be a corrupted file which did not finish writing properly, for example an Office file that was being worked on. Beyond this, current operating systems can cope with power failures.

This raises a question that relates to the alteration of evidence: can we manipulate computer equipment that is evidence, and is it legal before an authority?

The short answer is: it depends on what change we are making. We must start from the fact that opening a program, closing a window or connecting a USB stick generates changes in the computer equipment, and this is valid only if there is a compelling reason for the modification. For example, connecting a USB memory stick to run a portable program that makes a RAM dump generates changes in the computer's registers and uses resources that clearly alter the evidence. However, this action is justified given that the alteration is minimal compared to having extracted the RAM memory, which, once the equipment is switched off, is no longer recoverable. If you look at it, the portable program may have modified a few kilobytes, even megabytes, but we obtained 4, 8, 16 or more Gb of RAM with valuable information, which would have been lost without our intervention. But, applying the same example: if instead of using a portable program we decide to use an installer, run it on the computer and install it on the evidence hard disk, the alteration of evidence here is hardly justified. The investigator had other paths to preserve the evidence and went for one that wrote to the hard drive, which is the object of the study. We should always look for the route that makes the fewest changes to the evidence.

1.3 Analysis: This category comprises almost the entire book and is the technical process of knowing which tools to use and how to use them to their best advantage. In this section we only name the topic; in the following chapters we develop it further.

1.4 Presentation: We focus on summarizing in a document the most relevant part of our research. In this regard we can consider three types of reports.

✓ Executive report: This document will be read by the directors of a company. It contains an extract of the analysis, but with emphasis on the conclusions. They are not interested in knowing the hash integrity values, nor whether we used a free or commercial tool. They are looking for a few concrete pages with sufficient information to facilitate decision making.
✓ Technical report: This accompanies the executive report and is designed so that the systems personnel can learn about the methodology and all the relevant points, such as: the software used, the logs analyzed and the records that support the conclusions reached.
✓ Expert opinion: This is only used in legal proceedings. Its structure combines the executive report with the technical support that is deemed crucial. We should add only what provides some value to the case, such as: references for the software or forensic computer hardware that was used for the investigation, whether it has been used by law enforcement somewhere, or relevant news so that the judge has a broader picture. In the same way, the technical elements can be pointed out, but many times, because they are highly specialized, the judge might not understand them. Therefore, they should be included as annexes that accompany the expert opinion, so that the judge has a lighter document but, if he wanted, could refer back to the annexes and understand how the conclusions were reached. Likewise, it can be accompanied by a glossary of terms so that all the lingo a specialist employs can be understood by the judge.

2. Types of forensic analysis

There are differences in the way the types of analysis are classified. Some classify them on a technical level: network analysis, RAM analysis, computer analysis, and the list could go on. However, I consider that there is a classification above all of these, which encompasses the technical part while also answering the question: will the research be done for legal purposes?

Depending on the objectives presented to us, there are two main scenarios that encompass the different types of research, which are not mutually exclusive.

In the first group are investigations for legal purposes. As a first note, we should know that in this type of investigation there is a right of reply; that is, our report will be analyzed by another expert and, in front of a judge, each investigator will defend his or her work. The treatment of the evidence will be crucial to safeguard the scientific certainty of the non-alteration of the records, as will the tools used to reach the conclusions and, if applicable, the current license of the commercial software used, in addition to the fact that all of the investigator's activity may be reviewed and objected to, if necessary.

2.1 The Fruit of the Poisoned Tree Theory

This is a doctrine which holds that evidence of a crime obtained in an unlawful manner is per se unlawful as well. For example, if an unauthorized tapping of a telephone number is carried out, the audio and content of that recording would be illegal in a legal proceeding. In IT we have a similar scenario: if one of the tools we use to carry out our investigation has an expired commercial license, the information is obtained without the authorization of the software manufacturer and, therefore, the report that may have been generated is irrelevant and worthless in a trial.

In a legal proceeding, one of the strategies used by many lawyers and forensic systems experts is to check thoroughly; by finding a single error in the investigation carried out by the opposing party, the investigation is discarded. Therefore, it is necessary to review very carefully and from beginning to end, since even a printing error will be held against this type of investigation. Duriva, a leading data processing company in Mexico, offers a list of the most frequently performed investigations:

✓ Emails: whether they are provided as evidence in a trial, or as proof that the emails provided by the opposing party are invalid.
✓ Messages through social media: In this group we can include WhatsApp, Telegram, Twitter, Instagram and all the social networks that allow us to communicate; these can be provided as evidence in a trial. Our task is, first, to extract the information, validating that it has not been altered, and then to make a copy of these messages available to the authorities.
✓ Bank transfers: These cases have increased in recent years. A good number of people find that they have not made use of online banking; however, their bank informs them that all their funds were withdrawn in transactions to other banks. This is an interesting topic during an investigation of diversion of resources.
✓ Location of a mobile device: In criminal judicial matters, it is required to prove the location of a cellular device on a certain day and time, to demonstrate where the owner of the cellular device was at the time when, possibly in another place, an illegal act took place.

Non-legal investigations. These are most often carried out by companies that want answers to questions such as the origin of a computer attack. To a lesser extent, we can speak of people seeking other types of investigation, which can be categorized as follows:

✓ Ransomware attacks: Usually, they want to know who is responsible for the encryption of a company's assets; an investigation that can point to a systems director who did not apply good policies, or to an employee who downloaded, used or clicked where he or she should not have, resulting in an encryption within the company.
✓ Website attacks: This can be seen in places such as companies or schools whose website was attacked, and the attack resulted in a data leak. In these cases, the aim of the investigation is often to find out how the attack was possible, because it is known in advance that whoever was behind the hacking used VPN connections that make it difficult to trace.
✓ Infidelity: In this case, it is individuals who come to require the analysis of a mobile device which, on many occasions, is locked, requesting the recovery of messages from social networks, deleted photos and videos.

3. Collecting evidence

When we are summoned to an investigation and arrive on site, it is advisable to take a checklist with us so we can check the most important aspects of the investigation, as we may otherwise miss important aspects.

When we arrive at an investigation, my personal recommendation is to photograph the site and the computer equipment, to prevent any pre-existing knock or damage to a piece of equipment from being attributed to us. Likewise, I recommend taking the general details of the person who brought the computer equipment to our attention, the time when we saw the computer equipment, as well as the time that the computer equipment was presented.

Another important recommendation is to listen to the IT staff but be wary of them. If it were a case of a computer attack produced by mismanagement of security policies, installation of patches or antivirus updates, the responsibility of the systems personnel would be at stake; it is therefore advisable to be guided by our own practices and techniques, and not by suggestions or contributions from the internal departments of a company.

3.1 Before starting

We should always have available the tools, disks and other items that we will use in an investigation; some items require time to be prepared, such as:

Hard disks and USB sticks. When making a forensic copy, it will be stored on an external storage medium, usually a hard disk, which must have been previously formatted with a slow format, which overwrites all the sectors of the disk with zeros at the binary level. This is essential, because if the disk that holds the forensic copy contains information, files, videos or any element from a previous case, we would have a mixture of information which would completely damage our chain of custody. We should always format with one, two or even three slow formats to have the peace of mind and confidence that the hard drive we take to the site is clean.

Portable forensic tools. As we mentioned before, we must avoid installing anything on the computer equipment that we are going to investigate. For that reason, we must have at hand the portable tools that we will use when we are called, but we must prepare for various scenarios, such as forensic applications that depend on Windows frameworks which, if they are not on the computer, prevent our forensic tool from running. We must have one, two or even three alternatives for any task we want to do.

Static binaries. It is widely recommended that we always carry our own portable CMD (command prompt). It is dangerous to execute any instruction within the command line of a computer that we are going to analyze, as it is possible that someone has made a modification so that a simple "dir" command performs a deletion or shuts down the computer. It is something that we must prevent, and therefore everything we run should run from our portable toolkit.

3.2 Differences between forensic copying and backup

The idea of a backup is widespread nowadays. We see it when we change mobile devices and want to keep our contacts, photos and other files. However, in computer forensics this concept, or what it represents, has little value. The job of a digital forensic investigator is to generate a complete copy of the source media, including what we see as white space within a drive. This "available space" contains all the files that were deleted, so it is crucial to an investigation when analyzing deleted files and recovering them.

The available space is also known as empty space and is referred to as "unallocated space" in the software we will see.
Illustration 8 - Differences between backup and forensic copying

The backup of the drive shown in the graphic above would be 294 Gb in size; however, a forensic copy would be 931 Gb in size, as the "empty space" is copied as it is on the source media, including all data that may exist there. It is possible to generate backups and forensic copies with compression, which only reduces the size of the copy without affecting its integrity, and the same difference in concept still applies.

3.2.1 RAM memory on Windows systems

If, on arrival at a site, the computers under study are on, the RAM memory will be crucial, so we must proceed to extract it.

There are free and commercial tools that allow us to obtain a copy of the RAM memory, a process known as a memory dump. Here, the choice of tool is indistinct at a technical level, since all of them obtain a copy of the RAM memory. The difference lies in the graphical interface, which in some cases is more or less intuitive, and with more or fewer options to be configured. The main tools that can be found are:

• FTK Imager (1)
• OSForensic (2)
• Belkasoft Live RAM Capturer (3)

(1) https://accessdata.com/product-download/
(2) https://www.osforensics.com/download.html
(3) https://belkasoft.com/ram-capturer

Let's see an example of memory captured using FTK Imager. Once the program is executed, we will have a graphical interface with the button "Capture Memory".

Illustration 9 - RAM copy using FTK

When you click it, a window will open asking you to define the destination path and the name to be assigned to the memory dump file.

Illustration 10 - RAM copy using FTK

In general terms, give or take, that is the process followed in the other computer forensic tools. Testing the tool "Belkasoft Live RAM Capturer", when performing the memory copy one can tick or untick the inclusion of the pagefile (the extension of the RAM that is stored on the hard disk).

Illustration 11 - RAM copy using Capturer

The next step would be to obtain the hash integrity value, which was previously discussed. A portable tool could very well be Multihasher. With this tool we can select the algorithm we are interested in using, as well as the path to the file, so that the program gives us as a result the text string of the required hash value.

Illustration 12 - RAM copy using Capturer
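What Multihasher does for the dump, written out in Python as an added example that is not the book's code: the file is read once, in chunks, and fed to several algorithms at the same time, the values are written to a sidecar text file next to the dump, and a later re-hash shows that a single altered byte changes every value. The "memory dump" used in `demo()` is a constructed file, not a real capture.

```python
# Added example (not the book's code): hash an evidence file, such as a RAM
# dump, with several algorithms in a single pass over the data, reading it in
# chunks so the dump never has to fit in memory, and keep a sidecar text
# record next to it. The dump used in demo() is constructed.
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1024 * 1024  # 1 MiB per read


def _hash_stream(stream, algorithms):
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def multi_hash(path, algorithms=ALGORITHMS):
    """Return {algorithm: hex digest} for the file at `path`, read once."""
    with open(path, "rb") as fh:
        return _hash_stream(fh, algorithms)


def hash_bytes(data, algorithms=ALGORITHMS):
    """Same thing for an in-memory byte string (handy for tests and small items)."""
    return _hash_stream(io.BytesIO(data), algorithms)


def write_sidecar(path, digests):
    """Write <path>.hashes.txt so the integrity values travel with the evidence file."""
    sidecar = path + ".hashes.txt"
    with open(sidecar, "w", encoding="utf-8") as fh:
        fh.write(f"file: {os.path.basename(path)}\n")
        fh.write(f"size: {os.path.getsize(path)} bytes\n")
        fh.write(f"computed: {datetime.now(timezone.utc).isoformat()}\n")
        for name, value in digests.items():
            fh.write(f"{name}: {value}\n")
    return sidecar


def verify(path, expected):
    """Re-hash `path` and report, per algorithm, whether it still matches `expected`."""
    current = multi_hash(path, tuple(expected))
    return {name: current[name] == expected[name] for name in expected}


def demo():
    """Hash a constructed 3 MiB stand-in for a memory dump, then flip one byte."""
    pattern = b"\x00MEMDUMP\xff"
    with tempfile.NamedTemporaryFile(delete=False, suffix=".mem") as tmp:
        tmp.write(pattern * (3 * 1024 * 1024 // len(pattern)))
        path = tmp.name
    digests = multi_hash(path)
    sidecar = write_sidecar(path, digests)
    ok_before = verify(path, digests)
    with open(path, "r+b") as fh:      # simulate a single altered byte
        fh.seek(1000)
        fh.write(b"\x01")
    ok_after = verify(path, digests)   # every algorithm must now report a mismatch
    os.remove(path)
    os.remove(sidecar)
    return digests, ok_before, ok_after


if __name__ == "__main__":
    digests, before, after = demo()
    print(digests, before, after)
```

Computing more than one algorithm in the same pass costs almost nothing extra on a multi-gigabyte dump, and having MD5 alongside SHA-256 avoids a second read later when a tool or a counterpart only accepts one of them.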


Within the RAM memory, we must know that there are two places from which we can extract information. The first is the information itself, physically stored in the RAM memory. The second is that Windows operating systems make use of a fraction of the hard disk to store an extension of the memory, which is known as the pagefile.

Although an alternative method to access the RAM memory would be to generate an error in the system (the famous blue screen), this is not suggested, because it generates a partial or complete copy of the RAM memory inside the hard disk, as we have discussed. We should always try to have the least possible impact in terms of modifying the evidence, which is why I advise against using this method as much as possible.

3.2.2 RAM in Linux

On Linux systems, we have the advantage of not needing external programs; the system's own command line will be our forensic tool. For this purpose, there is a command called dd, which can be found in any version of Linux and even on Mac systems. This command is the one that will allow us to make a copy from a source to a destination, including the "empty space" that we saw earlier.

The command has a very simple yet powerful syntax.

Illustration 13 - Linux copy using dd

In the image above we are copying the path /dev/sdb and dropping it in the desktop folder.

Knowing that the path to the RAM memory in Linux is /dev/mem, this dd command would be enough to make the copy of the RAM. However, from Linux kernel 2.4.x onwards it is no longer possible, not even with super administrator (root) permissions. We can no longer access the RAM memory directly, because the file "mem" does not belong to the super administrator user but to the kernel. Therefore, when trying to make a copy, the system throws an error and generates a log of the attempt to access this file.

Illustration 14 – Linux copy in Memory using dd


While there are tools such as LiME that can help you make
a copy of RAM in Linux, this is a tricky thing to do, as
changes made to the operating system are written to hard
disk. This is not a minor modification that you are making,
therefore defending this series of modifications to an
authority would be a difficult task.

But all is not lost with respect to the items that are in RAM.
Inside the unit, there is a folder that keeps detailed
information on each of the processes: the folder is /proc.

The ls command lists the files inside a directory.

The ps command shows the processes that are running, with additional variants such as ps aux and ps axjf. However, it is left to the reader to investigate the main commands in Linux.

Illustration 15 – Accessing /proc in Linux

When typing "ls" into /proc, we find that there are several
directories, and that the name of many of them is a number.
This is even more understandable if we run "ps" or one of
its variants, such as "ps aux", inside /proc.

Illustration 16 – Process list in Linux


The second column, named "PID", shows the identification number of each listed process, which can be found in detail in the /proc folder. This lets us understand that the /proc folder contains a lot of valuable information belonging to the processes and can be a very important source of information. In this way, if the RAM memory is protected and does not allow direct copying, we can work with the /proc data.
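A way to collect the /proc information the text refers to, as an added example in Python that is not from the book. The collector walks the numeric directories under a /proc root, reads `cmdline` and `status` and resolves the `exe` link, so it can be run against the live `/proc` of a Linux system; `build_fixture()` constructs an imitation /proc tree (three invented processes) so the example also runs offline, and `review()` shows the two checks a first triage pass makes on that data: an executable that has been deleted from disk, and a process whose `Name` does not match its `argv[0]`.

```python
# Added example (not from the book): collect per-process information from the
# /proc tree. The collector takes the /proc root as a parameter so the same
# code can be pointed at the live /proc on a running Linux system or, as in
# demo(), at a constructed directory tree that imitates it.
import os
import shutil
import tempfile


def _read(path):
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return b""  # the process may have exited between listing and reading


def collect_processes(proc_root="/proc"):
    """Return one dict per numeric /proc/<pid> directory, sorted by PID."""
    pids = sorted((e for e in os.listdir(proc_root) if e.isdigit()), key=int)
    procs = []
    for pid in pids:
        pdir = os.path.join(proc_root, pid)
        # cmdline is argv joined with NUL bytes; status is "Key:\tvalue" per line
        argv = [a.decode(errors="replace")
                for a in _read(os.path.join(pdir, "cmdline")).split(b"\x00") if a]
        status = {}
        for line in _read(os.path.join(pdir, "status")).decode(errors="replace").splitlines():
            key, _, value = line.partition(":")
            status[key.strip()] = value.strip()
        try:
            exe = os.readlink(os.path.join(pdir, "exe"))
        except OSError:
            exe = ""  # kernel threads and zombies expose no exe link
        uid_field = status.get("Uid", "").split()  # real, effective, saved, fs
        procs.append({
            "pid": int(pid),
            "name": status.get("Name", ""),
            "ppid": int(status.get("PPid", "0") or 0),
            "uid": uid_field[0] if uid_field else "",
            "exe": exe,
            "argv": argv,
        })
    return procs


def review(procs):
    """Flag what a first triage pass looks for in /proc data."""
    flagged = []
    for p in procs:
        reasons = []
        if p["exe"].endswith(" (deleted)"):
            reasons.append("executable deleted from disk")
        # Name holds the first 15 characters of the command; compare with argv[0]
        if p["argv"] and os.path.basename(p["argv"][0])[:15] != p["name"]:
            reasons.append("argv[0] does not match Name")
        if reasons:
            flagged.append((p["pid"], reasons))
    return flagged


def build_fixture():
    """Constructed /proc look-alike: three invented processes plus non-PID entries to be skipped."""
    root = tempfile.mkdtemp(prefix="proc_fixture_")
    os.mkdir(os.path.join(root, "net"))
    with open(os.path.join(root, "cpuinfo"), "w") as fh:
        fh.write("processor\t: 0\n")
    specs = [  # pid, name, ppid, uid, exe link target, argv
        (1, "systemd", 0, 0, "/usr/lib/systemd/systemd", ["/usr/lib/systemd/systemd", "--system"]),
        (842, "sshd", 1, 0, "/usr/sbin/sshd", ["/usr/sbin/sshd", "-D"]),
        (4711, "kworker/u8:1", 1, 1000, "/tmp/.x/miner (deleted)", ["/tmp/.x/miner"]),
    ]
    for pid, name, ppid, uid, exe, argv in specs:
        pdir = os.path.join(root, str(pid))
        os.mkdir(pdir)
        with open(os.path.join(pdir, "status"), "w") as fh:
            fh.write(f"Name:\t{name}\nState:\tS (sleeping)\nPid:\t{pid}\nPPid:\t{ppid}\n"
                     f"Uid:\t{uid}\t{uid}\t{uid}\t{uid}\n")
        with open(os.path.join(pdir, "cmdline"), "wb") as fh:
            fh.write(b"\x00".join(a.encode() for a in argv) + b"\x00")
        os.symlink(exe, os.path.join(pdir, "exe"))
    return root


def demo():
    root = build_fixture()
    try:
        procs = collect_processes(root)
        return procs, review(procs)
    finally:
        shutil.rmtree(root)
```

Reading /proc is not free of side effects either (it updates access times on the procfs entries and the collector itself appears in the list), but it writes nothing to the disk, which is the concern the text raises about LiME.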

Just as Windows makes use of part of the hard disk as an extension of the RAM, in Linux we find a disk partition destined for it, known as SWAP. Although this partition can be copied, since it is a partition on the hard disk, it would not be advisable to copy it when the computer is on.

3.3 Windows commands as forensic tools

We have already talked about always carrying our own portable CMD, since, by making use of Windows commands, it is possible to extract a large amount of information. The following table shows, in alphabetical order, some of the tools that can be consulted.

Command      Description
arp          Shows the ARP protocol tables.
date         Shows the current date setting.
doskey       Shows the command history for CMD.EXE.
ipconfig     Shows the local configuration of the computer.
netstat      Shows the current connection information.
time         Shows the current time setting.
schtasks     Shows the scheduled tasks.
systeminfo   Provides general information about the computer.
hostname     Shows the host name of the computer.


Illustration 17 – Windows commands applied to forensics

3.3.1 ARP Protocol Tables

Temporarily, a list is created on each of the network interfaces relating IP addresses to the physical addresses that have been registered. This table is important, as we can tell whether each entry is of the static type, i.e. whether it was created manually.

Illustration 18 – ARP protocol

3.3.2 CMD History

There is some debate here: the doskey /history command shows the history of commands entered in CMD; however, if this command is used in our portable CMD, it will show us the history of the commands that we, as researchers, entered there. The ideal thing to do would be to run it from the machine you are analyzing, but make sure you know what the application will do.

Illustration 19 – CMD history

3.3.3 Windows network configuration

At first glance, the network configuration may seem trivial, but it is important to know how the computer equipment in front of us interacts with the local area network. In the case of servers, we will notice that they have more than one network output, to provide services and give access to company documents through more than one path; this is so that, in the event that one network fails, there is another, independent one that allows operations within the corporation to continue.

Using the ipconfig /all command, a list of the network distribution will be displayed, including the configuration of VPN networks or, if applicable, the details of each of the network adapters that the equipment has, as well as the IP address assigned to each of the adapters.

Illustration 20 – Network configuration

3.3.4 Active Connections in Windows

By using the "netstat" command, you can find out which network connections are active and interacting with each other. The options of this command allow you to sort the result by protocol, indicating the remote address to which a connection has been established or on which a listening status is maintained.

Illustration 21 – Active network connections
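The netstat output does not have to be read by eye. As an added example, not code from the book, the Python below parses the text that "netstat -ano" prints on Windows and separates what a first look cares about: the ports the machine is listening on and the established sessions whose remote side lies outside the internal address ranges. The sample output, the addresses and the PIDs are constructed for the example, and the definition of "internal" (RFC 1918 ranges plus loopback) is an assumption that should be adjusted to the network under study.

```python
# Added example (not the book's code): parse the text that "netstat -ano"
# prints on Windows and pick out what a first look at active connections
# cares about. The sample output below is constructed; addresses and PIDs
# are invented for the example.
import ipaddress
import re

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.15:49812        10.0.0.5:445           ESTABLISHED     4
  TCP    10.0.0.15:49915        203.0.113.77:8443      ESTABLISHED     6120
  TCP    127.0.0.1:5040         0.0.0.0:0              LISTENING       3288
  TCP    [::]:3389              [::]:0                 LISTENING       1148
  UDP    0.0.0.0:5355           *:*                                    1500
"""

# Proto, local, foreign, optional state (UDP rows have none), PID
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

# Address ranges treated as "inside" for this example (RFC 1918 plus loopback); an assumption
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]


def split_endpoint(text):
    """'10.0.0.5:445' -> ('10.0.0.5', 445); '[::]:0' -> ('::', 0); '*:*' -> ('*', None)."""
    host, _, port = text.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # title, header and blank lines
        proto, local, remote, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "rhost": rhost, "rport": rport, "state": state or "", "pid": int(pid)})
    return rows


def is_internal(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*' and host names cannot be classified
    return any(addr in net for net in INTERNAL_NETS)


def triage(rows):
    """Listening ports (what the box offers) and established sessions leaving the internal ranges."""
    listening = sorted({(r["proto"], r["lport"]) for r in rows
                        if r["state"] == "LISTENING" or r["proto"] == "UDP"})
    external = [r for r in rows if r["state"] == "ESTABLISHED" and not is_internal(r["rhost"])]
    return {"listening_ports": listening, "external_established": external}


if __name__ == "__main__":
    result = triage(parse_netstat(SAMPLE_NETSTAT))
    print(result["listening_ports"])
    for r in result["external_established"]:
        print(f'PID {r["pid"]} -> {r["rhost"]}:{r["rport"]}')
```

The PID column is what links a connection back to a process, which is why "netstat -ano" rather than plain "netstat" is worth capturing on a switched-on system; the parsed rows can be written to csv with the same columns for later filtering in a spreadsheet.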

Among the free tools, there is "currports", which performs the same action as netstat, with the advantage that this tool has a graphical interface that allows us to work in a visual environment, as well as to export the results to different formats.

Illustration 22 - CurrPorts

3.3.5 Scheduled tasks

With the schtasks command we can know the scheduled tasks, the next execution time, as well as the path from which a task is executed.

Illustration 23 - Scheduled tasks

3.3.6 System Information

Among the commands that take the longest to execute is "systeminfo". In that time the command collects a detailed report of the computer equipment, including, among other things, operating system information, build, the date of the operating system installation (very important), the motherboard type, system configuration, architecture type, RAM usage detail, location of the pagefile and detail of applied updates.

Illustration 24 – System information

3.4 Browser history

Although it is possible to carry out the analysis of activity in the main web browsers, my recommendation is not to do so with the computer switched on; instead, use one of the several portable tools that exist. However, an important factor must be considered: the file associated with the browsing history has, within its properties, the date it was last opened. The tools that let us visualize the activity history do not essentially need to be run in portable form; ideally, we should use them in our laboratory, once the forensic copy has been generated, so that we do not run the risk of altering the traceability of the evidence. Among the tools that allow us to generate a list of browsing history, the following stand out:

• MozillaHistoryView
• ChromeHistoryView
• IEHistoryView

Illustration 25 – Chrome History View

The most important feature of these tools is that the results can be exported. The recommendation to keep in mind is to always export to "csv", as data in this format can later be worked on in a spreadsheet file such as Excel, applying filters to rows and columns.

3.5 Utilities

There are tools that simplify our work when it comes to obtaining elements from switched-on systems. Although we can prepare a USB memory stick with these utilities beforehand, there are people who have taken on the task of creating tools with which, in a couple of clicks, we can extract a lot of general information.

Many will ask why get the information now and not in our laboratory, working on the forensic copy? The answer is very simple: extracting this information takes only a couple of minutes. In this way, the reports can be brought back to our lab for analysis, which saves us many hours and, in several cases, could give us the answer to the investigation without having to carry out an exhaustive research process on the forensic copy.

3.5.1 Agave

This utility was developed by the author of this book (yours truly) during my time at the university and was released in 2015 by the National Autonomous University of Mexico (UNAM, by its acronym in Spanish). It contains a large number of tools classified according to their use.

Illustration 26 – Agave Forensic

Tools on the left-hand side are classified as:

• Acquire - Duplicate Preserve
• Analyze Logs
• System recognition
• Recover
• Networking
• Suite
• Utilities

Agave allows applications to be launched one by one, so that the user can choose what to view, and the exported results are at the discretion of the researcher.

It can be downloaded from: https://tequila-so.org

3.5.2 WinTriage

This tool was developed by Lorenzo Martínez, a great friend and expert with an amazing trajectory at the company "Securízame".

Once this application has been downloaded, the third-party applications it uses must be placed in their respective folders, since, due to licensing issues, they cannot be bundled in the application itself and delivered directly to researchers. However, the process of adding the necessary programs does not take more than 5 minutes, so it is a very good option.

Illustration 27 - WinTriage

One of the advantages of WinTriage is that the researcher can select the targets for extraction and the tool performs the process automatically.

Illustration 28 – WinTriage options

WinTriage can be downloaded from: https://www.securizame.com/wintriage-la-herramienta-de-triage-para-el-dfirer-en-windows/

3.5.3 WinUFO

Driven by the developers of Caine, this tool, although discontinued, works very similarly to Agave, as it contains the tools ordered according to their objectives, and the researcher decides which application to launch.

Illustration 29- WinUFO


4. Forensic copying

As we have already mentioned in previous chapters, computer forensic investigations are aimed at obtaining a complete copy of the computing device on which the analysis will be carried out (or as close to complete as the possibilities allow). This is in order to be able to work on this copy and not compromise the original digital evidence in our analysis processes, which is why forensic copying is fundamental in this area.

4.1 Types of forensic copies

According to the objective we have set ourselves, a copy of a hard disk can be made with very different results, since all forensic tools allow us to select any of the following objectives:

Physical: This copy is the most complete of all, since from a 1 Tb hard disk an exact copy of 1 Tb is obtained (in some formats we can compress the result, but this is another subject). Within this copy are all the partitions specified on the hard disk, as well as the empty space. This gives you a complete physical copy of the disk, and also gives you the possibility to recover files that were deleted from the source disk.

Logical: Here, from a storage medium, only the partition on which the forensic copy is to be made is selected, i.e., only the existing files would be copied. On a practical level, this is very similar to the backup of a partition.

Specific: In this case, only specific folders or files are copied. This is very common when, for example, you want to copy a user's mailbox; legislation, however, does not allow you to take more data with you than is intrinsically necessary.

4.2 Forensic copy formats

There are different formats in which a copy can be made, all of them fulfilling the objective of having as a result a complete copy of the source item. The differences between the formats revolve around compression and the speed of the copy, but also (very importantly) compatibility with the tools that will later be used in our laboratory.

• dd: This is the most basic, but universal, format for making a forensic copy, and it is made byte by byte. The output can be a single file or multiple files; since this format has no compression option, the output will be a file with the same size as the source media. dd is commonly referred to as raw or RAW format. It is important to note that, under this format, the information pertaining to the copy, such as the software used, hardware and hash integrity values, is not contained in the copy file; usually, the tools generate a txt file with the details, otherwise one must create it manually. The major advantage of the dd format is its compatibility, since all free and commercial tools can work with dd copies.
• E01: This format was developed by the company EnCase. The format, which is called EnCase Evidence Format, is an evolution of the dd format, with improvements such as the fact that, within the forensic copy file itself, the examiner's notes, MD5 hash value, compression factor and encryption are included. This is a very attractive format for the advantages it offers. In terms of compatibility, most (if not almost all) free forensic tools support it; as for commercial tools, compatibility is guaranteed. One of the details of E01 is that, as it is a commercial product and not open source, there is no documentation. Nevertheless, E01 has been widely accepted by the community and is widely used.
• AFF: This format, called Advanced Forensics Format, is an open format that incorporates compression and encryption of the copy. The most important free forensic tools are compatible; as for the commercial ones, full compatibility is not available.
• Smart: This format is a Linux utility employed with disk partitions; the use and compatibility of this format is currently somewhat limited.

There are also proprietary formats of commercial tools; we do not address these formats, as their use is not general and they are exclusive to a single developer's own tool.

4.3 Main challenges

Is it SATA, SAS, PCIE, USB, SCSI? What capacity does it have? This is one of the biggest challenges we face when we arrive on site and set out to make a forensic copy. This often happens when we are called to an emergency and we have no information on the characteristics of the disks. Here, it is advisable to have connectors for all the disks.

We must be prepared with the specific connector to be used and take into account the amount of time it will take to perform the whole process.

Rather than the history and data of disks, which we can easily find on Wikipedia, let's look at the main types of disks for forensic purposes.

SATA: It is one of the most widely used formats; practically all desktop computers and laptops use it (except for recent Apple devices), so it is highly recommended to have this connector, given the high demand for its use. It is important to note that there are different versions, SATA I, SATA II and SATA III; depending on the type of connector, different speeds are handled. In practice we can say that a copy of a SATA I disk will have an average speed of 22 Mb/s, SATA II reaches an average of 60 Mb/s, and SATA III reaches up to 120 Mb/s in mechanical hard disks; in solid state disks, in my practice I have reached up to 195 Mb/s sustained (constant).

Illustration 30 – SATA vs SAS disks

SAS: Currently the most common type of disk in servers, it shares some compatibility with SATA, so much so that we can connect SATA disks to SAS cables and vice versa. However, this does not mean that we will be able to read this type of disk. SAS disks require a controller card to read them, which means that a specific device is needed to be able to read these disks, and I should warn you that there are no SAS to SATA adapters. In terms of copy speeds, we are talking about a base average of 320 Mb/s sustained for mechanical hard disks; SSD disks can exceed these speeds.

SCSI: Oriented to servers. Due to their age, SCSI hard disks are almost in disuse; therefore, it is almost impossible to see them in servers that provide services to end users, and we are more likely to find them in industrial systems acquired many years ago. The main characteristic of these disks is that there are several versions of them, which makes our task of having compatibility with the different types of disks even more difficult.

Illustration 31 – SCSI disks


USB: Hard disks that are connected via USB are mostly
internally SATA hard disks with an adapter to USB, the
average speed of these disks is around 120 Mb/s.

Illustration 32 – USB hard disk

PCIE: These disks have been on the market for years; their massive use came about through Apple, which incorporated them in its laptops and desktop computers. The transfer rates of a copy are around 1,100 Mb/s.

Illustration 33 - PCIE (Aorus model AIC PCIE) hard disks

M.2: These drives are mostly found in desktop computers, as they require the motherboard to have a dedicated slot. M.2 drives have the same benefits as PCIE drives and average copy speeds from 1,100 Mb/s sustained; they are found in SATA and NVMe models.

Illustration 34 - M.2 hard disks


4.4 Computer forensics hardware

Forensic hardware helps us a lot to simplify processes and gives additional technical certainty that our procedure was carried out to the highest standards, with technological parts intended for it. There are two main branches of hardware that we will address: hardware devices that can perform forensic copying without the need for additional hardware or software, and devices whose sole purpose is to block writing and ensure that nothing is written to the original media, neither additionally nor by accident.

4.4.1 Write blockers

Write blockers should be seen as an adapter that creates a bridge between the source disk and the computer that performs the analysis or forensic copy.

These devices provide certainty, at the physical level, that the source media will not be modified, edited or altered when connected to a computer. Accidents of this kind are very common: if, for example, an evidence hard disk is connected to the computer, the antivirus could act on a file and modify it; with this, my source disk would have been handled incorrectly and, if the hash integrity value had already been calculated beforehand, it would now be a different value, thus losing the scientific certainty of non-alteration. Two of the recognized hardware brands of write blockers are:

• Wiebetech
• Tableau

Illustration 35 – Tableau blockers


Illustration 36 – Wiebetech blockers

4.4.2 Duplicators

When looking for high portability, forensic duplicators allow the forensic copy to be carried out from the device itself. This is very beneficial, since we will not need a computer or installed software to carry out the task: just connect the source disk on one side and the target disk on the other and, after a couple of clicks, select the copy format, the hash algorithm used to validate the process, as well as advanced options such as one-to-one or one-to-two copies, low-level disk deletion, and other options that each manufacturer incorporates. In this way, our forensic copy process is carried out.

Illustration 37 – Tableau TX1 duplicator

Illustration 38 – Data Copy King II SalvationData


4.5 Forensic copy of hard disks

When we are in our lab and are going to proceed with the creation of a forensic copy, we must already have ready the disk that will receive the copy. In previous chapters, we have already talked about the importance of this target disk being formatted at a low level, to be sure that our procedure is carried out in the best possible way.

You will see that the procedure is very similar in other forensic tools, with small changes in the graphical interface. All tools ask us the same question: what are we going to copy, in what format and where is it going to be saved?

4.5.1 Forensic copying with FTK Imager

1) The first point is to select the option to create a disk image.

Illustration 39 – Forensic copy using FTK Imager

2) The next step would be to select the type of evidence of our target.

Illustration 40 – Forensic copy using FTK Imager

3) The system displays the drives that meet our previous selection; we must select the one we want to copy.

Illustration 41 – Forensic copy using FTK Imager

4) Subsequently, the system displays a summary of the task to be carried out. Here we will have to select "Add", to indicate where we want to place the forensic copy.

Illustration 42 – Forensic copy using FTK Imager

5) The application asks for the format of our forensic copy.

Illustration 43 – Forensic copy using FTK Imager

6) We must indicate exactly in which drive and folder we are going to dump the copy, as well as the name of the resulting file (optionally we can fragment the copy into smaller files of a size of our choice).

Illustration 44 – Forensic copy using FTK Imager

7) As a final step, the system shows us the complete summary, indicating the destination folder. Optionally, we can enable the pre-calculation of the progress, as well as a list of found files; we could also enable hash verification, a comparison between the source and the resulting copy, to validate that the copy was made without errors.

Illustration 45 – Forensic copy using FTK Imager

When making a forensic copy of a powered-on system, it is of no use to enable the validation process: as the powered-on computer is working, there are processes, open files and multiple writes to the hard disk, and consequently the verification would always be marked as not correct.

While the copying process is being carried out, a progress bar is displayed, as well as the remaining time to finish.

Illustration 46 – Forensic copy using FTK Imager


4.5.2 Forensic copy with OSForensic

1) In the main menu select "Create Forensic Image".

Illustration 47 – Forensic copy using OSForensic

2) A window with options opens, from which we select "Add".

Illustration 48 – Forensic copy using OSForensic

3) A new window will allow us to select the source disk. You can choose between full disks or partitions, the destination path to host the forensic copy, and enable or disable the option to verify the image, as well as the algorithm we want to use to validate the forensic copy.

Illustration 49 – Forensic copy using OSForensic

4.5.3 Forensic copy with HelixPro

The "Helix 3 Pro" tool, despite having been launched in 2009, aims to use a series of portable applications to extract the RAM memory, while obtaining a report on the general state of the system, which we can then analyze in our laboratory and take as a starting point to begin the in-depth analysis.

1) Select 'hard disk' from the left menu, which will be the
one to copy.

Illustration 50 – Forensic copy using HelixPro

2) This enables the option 'acquire evidence'.

3) The program displays the configuration options for the forensic copy, among which we can choose the copy format, the segmentation size (if we wish), the algorithm used to validate the copy and, finally, the destination of the copy, which, remember, must be a storage medium that is clean and free of old records or data (after low-level formatting or slow formatting).

Illustration 51 - Forensic copy using HelixPro


4.6 Forensic copy from Linux

1) As a first step, we must identify the existing disks, partitions and mount points; to do this, with the lsblk command we can obtain the system information.

Illustration 52 – List of Linux drives and mount points

2) The dd command will make the forensic copy; it is only necessary to indicate what we want to copy and where we want to put it.

Illustration 53 – Linux Forensic copy using dd

3) Optionally, but highly recommended, "conv=noerror,sync bs=512" must be added to the 'dd' command. This tells the application that, in case of a disk read error due to damaged or inaccessible sectors, the process is not to be stopped, and it sets a small block size so that as little as possible of the damaged segments is lost in the transfer.

Illustration 54 – Linux Forensic copy using dd
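What "conv=noerror,sync" changes in the copy, shown in Python as an added example rather than with dd itself (which would need a real device with a bad sector). The code is not from the book: `FlakySource` is a constructed stand-in for a disk that fails on two chosen blocks, `image_with_noerror_sync` behaves like dd with the option (an unreadable block is replaced by zeros of the same size so everything after it keeps its offset, and the offsets of the zeroed blocks are recorded for the report), and `image_without_noerror` behaves like dd without it, stopping at the first error.

```python
# Added example, not the book's code: a block copier that behaves like
# "dd conv=noerror,sync". A block that cannot be read is not fatal; it is
# replaced by zeros of the same size so the image stays aligned with the
# source, and every such offset is recorded. The "bad sectors" are simulated
# by a constructed source object that raises on chosen blocks.
import io

BLOCK_SIZE = 512


class FlakySource:
    """File-like source that raises OSError when a listed block is read (constructed for the demo)."""

    def __init__(self, data, bad_blocks, block_size=BLOCK_SIZE):
        self._buf = io.BytesIO(data)
        self._bad = set(bad_blocks)
        self._bs = block_size

    def read_block(self, index):
        if index in self._bad:
            raise OSError(5, "Input/output error")
        self._buf.seek(index * self._bs)
        return self._buf.read(self._bs)

    def size(self):
        return len(self._buf.getvalue())


def image_with_noerror_sync(src, block_size=BLOCK_SIZE):
    """Copy every block of `src`; unreadable blocks become zero-filled. Returns (image, bad_offsets)."""
    out = io.BytesIO()
    bad_offsets = []
    nblocks = (src.size() + block_size - 1) // block_size
    for i in range(nblocks):
        try:
            chunk = src.read_block(i)
        except OSError:
            bad_offsets.append(i * block_size)  # "noerror": log it and carry on
            chunk = b""
        # "sync": pad short or missing reads to a full block so later data keeps its offset
        out.write(chunk.ljust(block_size, b"\x00"))
    return out.getvalue(), bad_offsets


def image_without_noerror(src, block_size=BLOCK_SIZE):
    """Plain copy: stops at the first read error, like dd without conv=noerror."""
    out = io.BytesIO()
    nblocks = (src.size() + block_size - 1) // block_size
    for i in range(nblocks):
        try:
            out.write(src.read_block(i))
        except OSError:
            break
    return out.getvalue()


def demo():
    """Ten distinct blocks, two of them unreadable; compare both behaviours."""
    data = b"".join(bytes([0x41 + i]) * BLOCK_SIZE for i in range(10))
    src = FlakySource(data, bad_blocks={3, 7})
    img, bad = image_with_noerror_sync(src)
    partial = image_without_noerror(src)
    return {
        "image_len": len(img),
        "bad_offsets": bad,
        "partial_len": len(partial),
        "block3_zeroed": img[3 * BLOCK_SIZE:4 * BLOCK_SIZE] == b"\x00" * BLOCK_SIZE,
        "block8_intact": img[8 * BLOCK_SIZE:9 * BLOCK_SIZE] == data[8 * BLOCK_SIZE:9 * BLOCK_SIZE],
    }


if __name__ == "__main__":
    print(demo())
```

The list of zeroed offsets is the part worth keeping: it is what the examiner's notes should state when the hash of the image cannot match the source because sectors were unreadable, and the block size chosen sets how much data each bad sector costs (512 bytes here, against 1 MiB with a large bs).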

4.7 Live Forensic Copy, Windows systems

As we have already discussed above, it is possible that the computer in front of us, switched on, is encrypted, so if we switch off the system we will be faced with the problem of having an encrypted drive, whose password is indispensable to be able to carry out our investigation.

As far as possible, it is recommended to have the computer system turned off, to disconnect the disks and to take the forensic copy one by one. However, there are situations where, upon arrival on site, we find the computer equipment switched on and, after a brief analysis, we detect that it is not feasible to carry out the forensic copy by switching off and disconnecting the disks one by one, for example:

• The computer equipment is critical, and it is not possible to shut it down.
• The system is mounted on a RAID array and the RAID architecture is unknown.
• The computer is encrypted, no matter whether under BitLocker, TrueCrypt, FileVault or any other disk encryption system (the partition copy is performed).

From the steps described for the forensic disk copy, we need to change the one corresponding to point 3, as we would have to select our main hard disk (usually the one described as PHYSICALDRIVE0). The order of the disks must be verified (either by size or from the disk utility) to be sure that the copy is made of the disk associated with the Windows system that we have switched on.

Illustration 55 – Live Forensic copy using Windows

4.7.1 Detecting Encrypted Drives

Before shutting down, it is important to check whether the computer equipment we have in sight is encrypted. If it is, we should check with the owner of the equipment or the systems people to see if they know the password to decrypt the disk. It is important to request the signature of a document stating that the client knows the password, to avoid any future problems or misunderstandings.

If it is detected that the disk is encrypted and the password is not available, we would have to carry out a forensic copy of the drive at that very moment, in order to obtain a copy of the disk with all the available data, since, once the equipment is turned off, we will not be able to access these records and our forensic copy would be the only accessible source of information on the case.

One of the tools I prefer for detecting encrypted drives is MAGNET Encrypted Disk Detector because, with a single click, it reviews the hard drives and tells us whether one of them has some type of encryption. It is important that we do not depend only on a tool, but that we know, and have the certainty of, why the tool is indicating a result, and not just click on it. Using the FTK Imager tool, we will learn the manual procedure to analyze the drives: with it we can add as evidence the hard disk of which we want to know whether it is encrypted or not.

Illustration 56 - Detection of encrypted drives using MAGNET

From the option panel select "Add Evidence item...".

The system generates the following window. We must select "Physical Drive".

Illustration 57 - Detection of encrypted drives with FTK

Now, we indicate which of the connected storage devices we want to analyze.

Illustration 57 - Detection of encrypted drives using FTK

FTK Imager reads the drives and indicates the file system contained in each partition. Under "normal" circumstances, and I am referring to the result of a manual installation with the Windows default values, you should see something like this.

Illustration 58 - Detection of encrypted drives using FTK

Once the drive has been added, FTK Imager reads it and displays the information about the partitions and the files contained in each one, as they appear after a manual installation with the Windows defaults.

Illustration 59 - Detection of encrypted drives using FTK



Illustration 60 - Detection of encrypted drives using FTK

We can see that the partitions are listed with a number (1) followed by the corresponding size. The first of these are very small, 100 and 16 Mb, and refer to the partitions that the Windows operating system creates at the time of installation. The one that is relevant in this case is the one with a size of 91.5075 Mb and with the name "Basic data partition". In this partition we can see that, in the row below, "NONAME" [NTFS] is indicated; the NTFS value tells us that the FTK tool was able to identify the file system and could list all the items contained in the drive.

When the evidence tree is displayed, we will see a list of files, which allows us to conclude that the drive is NOT encrypted.

Illustration 61 - Detection of encrypted drives using FTK

If the drive were encrypted, the largest partition would show the text "unrecognized file system [Data]", and the system would not have displayed the tree of contained files. This allows us to conclude that the drive is indeed encrypted, and the forensic copy is required to be performed in what is known as "live" mode, i.e., copying the hard disk without shutting down the operating system. The process of forensic copying is described in a later topic.

Illustration 62 - Detection of encrypted drives using FTK
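The same check in code, as an added Python example that is not from the book and goes a little beyond what FTK Imager shows: instead of looking at whether the tool labels a partition "[NTFS]" or "unrecognized file system", the script reads the first sector of a partition and looks for a volume boot record signature. NTFS, exFAT and BitLocker volumes carry an OEM identifier at byte offset 3 of that sector ("NTFS    ", "EXFAT   " and "-FVE-FS-" respectively); a partition with no recognizable signature whose first sector looks random is what the text calls an unrecognized file system. The three sample sectors are constructed, and the entropy threshold of 7.0 bits per byte is an assumption chosen for the example.

```python
# Added example (not the book's code): the check described above, done in code
# instead of by eye in FTK Imager. Read the first sector of a partition and
# report whether a known volume boot record signature is present; a partition
# that has none and looks random is the "unrecognized file system" case.
# The sample sectors are constructed.
import hashlib
import math
from collections import Counter

SECTOR = 512
# OEM identifier at offset 3 of the volume boot record
OEM_IDS = {
    b"NTFS    ": "NTFS",
    b"EXFAT   ": "exFAT",
    b"-FVE-FS-": "BitLocker (encrypted volume)",
}


def entropy(data):
    """Shannon entropy in bits per byte; values near 8 mean random-looking data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_sector(sector):
    if len(sector) < SECTOR:
        return "short read"
    oem = sector[3:11]
    if oem in OEM_IDS:
        return OEM_IDS[oem]
    if sector[82:90] == b"FAT32   " or sector[54:62] in (b"FAT12   ", b"FAT16   "):
        return "FAT"
    if entropy(sector) > 7.0:  # threshold is an assumption for the example
        return "unrecognized file system, high entropy (encrypted or random data)"
    return "unrecognized file system"


def needs_live_copy(sector):
    """True when the partition cannot be read as a file system, i.e. copy it while the system is on."""
    verdict = classify_sector(sector)
    return "encrypted" in verdict or verdict.startswith("unrecognized")


def classify_partition(path, offset=0):
    """Read one sector at `offset` of a device or image file and classify it."""
    with open(path, "rb") as fh:
        fh.seek(offset)
        return classify_sector(fh.read(SECTOR))


def sample_sectors():
    """Constructed: an NTFS boot sector, a BitLocker one, and a random-looking one."""
    ntfs = bytearray(SECTOR)
    ntfs[0:3] = b"\xeb\x52\x90"          # jump instruction that opens a boot sector
    ntfs[3:11] = b"NTFS    "
    ntfs[510:512] = b"\x55\xaa"          # boot sector signature
    bitlocker = bytearray(ntfs)
    bitlocker[3:11] = b"-FVE-FS-"
    random_like = b"".join(hashlib.sha256(b"constructed-%d" % i).digest()
                           for i in range(SECTOR // 32))
    return bytes(ntfs), bytes(bitlocker), random_like


if __name__ == "__main__":
    for label, sector in zip(("ntfs", "bitlocker", "random"), sample_sectors()):
        print(label, "->", classify_sector(sector), "| live copy needed:", needs_live_copy(sector))
```

On a live Windows system `classify_partition(r"\\.\C:")` would read the boot sector of the mounted (decrypted) volume and report NTFS, while the same check on the physical partition of a BitLocker-protected disk reports the "-FVE-FS-" identifier; that contrast is exactly the reason the logical copy must be taken before the system is shut down.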



If we do not perform the copy of the logical drive at this point, when we wish to analyze the items on that drive in our lab, by mounting the drive or adding it as evidence, we will see that the drive has a lock on it, as shown in the picture.

Illustration 63 - BitLocker
87

The problem we would face in this case is that we must then


carry out a brute force attack to get the 48 digits of the
password.

Illustration 64 - BitLocker

If it is determined that the disk is NOT encrypted, we can proceed with shutting down the computer (once the RAM has been captured, as described in topic 3.2).

4.7.2 Live forensic copy, encrypted Windows environments

The computer in front of us, which is switched on, may well be encrypted; if we switch it off, we will then face an encrypted drive whose password (or recovery key) is indispensable for carrying out our investigation.

If the system is encrypted, the procedure is very similar to the one described for forensic copying of disks; the only change is at step 2, when selecting the source of the forensic copy: instead of the physical device, we must select "Logical Drive".
Illustration 65 - Live Forensic Copy, encrypted Windows environments

This small change in the procedure shows us the letters of the drives that are available; we select drive C:.

Illustration 66 - Live Forensic Copy, encrypted Windows environments

The remaining steps are the same as described in the topic on forensic disk copying; the result, however, is a copy of the drive in decrypted form, with all the stored data available to us.

It is important to understand that, physically, a drive that was encrypted remains encrypted (unless encryption is disabled). However, once the password has been entered to unlock or boot the drive, BitLocker, TrueCrypt, FileVault or whatever application was used presents a virtual volume with the data in clear. In our case the C: drive exists only as that unlocked volume, so if the computer is switched on and encryption has been detected, this type of forensic copy must be made as soon as possible, before the system is shut down, rebooted or locked. Two caveats: a logical copy covers only that volume, not the other partitions of the physical disk; and while the volume is still unlocked it is worth recording its protectors (the manage-bde tool can list the BitLocker recovery password of an unlocked volume), which would later allow a physical copy to be decrypted as well.

4.8 Hash calculation in Windows

As we saw in the first topics, the hash (integrity) value is the central element of evidence preservation. There are many programs that allow us to obtain this value very quickly.

4.8.1 CMD

The Windows operating system itself can calculate hash values natively. The certutil tool, whose main purpose is the handling of digital certificates, includes a -hashfile option that accepts MD2, MD4, MD5, SHA1, SHA256, SHA384 and SHA512. Its syntax is very simple:

certutil -hashfile <file path> SHA256

Prefer SHA-256 (or record SHA-256 alongside MD5): MD5 is fast, but collisions for it are known, which matters for evidence, as discussed in topic 1.2.1.

Illustration 67 – Hash value calculation from CMD using Certutil



4.8.2 PowerShell

With similar simplicity, PowerShell can calculate hash values using the Get-FileHash cmdlet (SHA256 is the default when no algorithm is given); the syntax is:

Get-FileHash <file path> -Algorithm <algorithm>

Illustration 68 – Hash value calculation from PowerShell using Get-FileHash

4.8.3 Multihasher

This tool is free and portable (an installable version also exists) and has a single goal, which it fulfils perfectly: calculating the hash value of a given file, or of every file in a whole directory. Select the algorithms you want to use (MD5, SHA-1, SHA-256, SHA-384, SHA-512) and indicate the file or directory to process. The program displays a progress bar which, when it reaches 100%, gives way to each of the resulting hash values.
Illustration 69 – Hash Calculation using Multihasher

4.8.4 OSForensic

In OSForensic we select the "Create Hash" module. This tool has options that Multihasher does not, such as choosing whether to calculate the value of a file, a volume or a text string, as well as choosing the algorithm for the calculation and, optionally, a second algorithm.

Illustration 70 – Hash Calculation using OSForensic



Illustration 71 – Hash Calculation using OSForensic


4.9 Hash calculation in Linux

All Linux distributions natively allow us to calculate the hash value of a file in a simple way, similar to what we saw with CMD and PowerShell, using the coreutils <algorithm>sum programs. These tools hash files, not directories: to hash every file under a directory, run them through find, and use their -c option to verify a previously saved list of hashes.

The syntax is: <algorithm>sum /path

The algorithm can be md5, sha1, sha256 or sha512, for example:

sha256sum /home/file.txt
sha1sum /home/file.txt
md5sum /home/file.txt

Illustration 72 – Hash Calculation using Linux

The result of the calculation (the digest followed by the file name) is displayed on
the screen, so the procedure is very simple.
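As an added example (not code from the book), the following Python script does, with only the standard library, what certutil, Get-FileHash and sha256sum do for a single file, and extends it to the two things a practitioner needs next: hashing every file under an evidence directory into a manifest, and later re-verifying that manifest to report modified, missing and added files (the equivalent of sha256sum -c). The demo() scenario, its file names and contents are constructed for the example.

```python
import hashlib
import io
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # 1 MiB blocks: large images must not be read into RAM at once


def hash_stream(stream, algorithm="sha256"):
    """Hex digest of a binary stream, fed block by block."""
    digest = hashlib.new(algorithm)
    for block in iter(lambda: stream.read(CHUNK_SIZE), b""):
        digest.update(block)
    return digest.hexdigest()


def hash_bytes(data, algorithm="sha256"):
    """Hex digest of an in-memory byte string (handy for tests and small artifacts)."""
    return hash_stream(io.BytesIO(data), algorithm)


def hash_file(path, algorithm="sha256"):
    """Hex digest of one file on disk; same result as certutil/Get-FileHash/<alg>sum."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithm)


def hash_tree(root, algorithm="sha256"):
    """Manifest {relative path: digest} for every file under root.

    Paths are normalised to forward slashes and the walk is sorted, so two
    runs over identical content produce identical manifests.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full, algorithm)
    return manifest


def verify_tree(root, manifest, algorithm="sha256"):
    """Re-hash root and compare against a stored manifest (what sha256sum -c does)."""
    current = hash_tree(root, algorithm)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: hash a small tree, then alter, delete and add a file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Documents"))
        sample = {                                   # constructed sample files
            "report.docx": b"quarterly numbers",
            "Documents/notes.txt": b"meeting notes",
            "hosts": b"127.0.0.1 localhost\n",
        }
        for rel, data in sample.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        manifest = hash_tree(root)                   # taken at acquisition time

        # Changes after the manifest was recorded: verification must catch all three.
        with open(os.path.join(root, "hosts"), "ab") as fh:
            fh.write(b"203.0.113.5 www.examplebank.com\n")
        os.remove(os.path.join(root, "Documents", "notes.txt"))
        with open(os.path.join(root, "dropper.exe"), "wb") as fh:
            fh.write(b"MZ")
        return verify_tree(root, manifest)


if __name__ == "__main__":
    print(hash_bytes(b"abc"))   # the same value certutil -hashfile reports for a file containing "abc"
    print(demo())
```

Run it against a real evidence folder by replacing the temporary directory in demo() with the path of the copy; the manifest dictionary is what you would save next to the evidence (with its own hash) at acquisition time.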

5. Forensic lab

It is very important that our forensic laboratory is configured for high demand, to avoid the bottlenecks that, at the beginning of our forensic computing work, can be created through ignorance and increase processing time.

Having three hard disks is an ideal scenario to start with. The following figure shows the recommended configuration.

Disk 1: This disk holds our operating system (Windows or Linux) and the software we will use. It is highly recommended that it is an SSD.

Illustration 73 – Forensic Labs

Disk 2: Every time we use a forensic suite such as Autopsy, OSForensic, EnCase, FTK or Nuix, the tool creates a database into which all the data generated during the investigation is dumped. This is the disk with the highest transfer and usage rate. (Commercial tools also allow an additional disk for decompressing the files that require it and for unpacking PST and OST mailbox files.)

Disk 3: Our digital evidence is stored on this disk, whether it is a full, partial or targeted forensic copy. This disk holds only the digital evidence, and its read speed is not critical, since the tools process the information little by little; an SSD is therefore not indispensable here, although it does improve performance slightly.

Under this working model we can be confident that no bottlenecks will be created at the hard disk level. With regard to processor and RAM, the recommendation is always to have at least 2 GB of RAM for each processor core, if possible with Xeon processors, because of the number of cores and threads they deliver and the amount of RAM they support.

5.1 Free forensic suite

First, we must clarify the difference between a forensic suite and a forensic distribution. The former is a program that brings together the tools needed to automate the investigation process. A forensic distribution is a version of an operating system oriented precisely towards computer forensics, which can in turn contain a forensic suite.

The most representative forensic distributions are CAINE, DEFT, SIFT, Tequila SO (developed by the author of this book, so it could not be missing from this list) and Tsurugi. Each of them incorporates what its developers consider the best tools for the investigation process in a forensic laboratory. Among these tools is Autopsy, which bundles a series of free applications for forensic copying, metadata analysis, system file interpretation, hexadecimal viewing, file classification by MAC times, interpretation of $MFT files, and many other functions that we will see gradually.

5.2 Autopsy Forensic

As mentioned, this is the most important free forensic suite because of the power of its automated processing, its modules and the maturity of its development. In its first versions its graphical interface was a web front-end that ran inside the browser. Nowadays it is a very solid cross-platform tool written in Java and, above all, it has a quite intuitive graphical interface, which we will see.
Illustration 74 - Autopsy Forensic

5.2.1 Creating a case

Autopsy Forensic displays a window with three options, from which we choose "Create New Case".

A window then opens to fill in the data for the new case. It is important to note that the "Base Directory" path must be on a storage medium independent of everything else: independent of the operating system disk and of the disk holding the forensic copy, i.e. the disk reserved only for the case database and temporary files (as covered at the beginning of topic 5).

Illustration 75 - Autopsy Forensic


Illustration 76 – Creating a case with Autopsy Forensic

If you are conducting many simultaneous investigations, it may be helpful to fill in the optional case details as well.

5.2.2 Adding the type of evidence

Autopsy Forensic allows you to choose between different types of data source:

• Disk images (forensic copies) and virtual machine files
• Attached physical disks (local disk)
• Disk partitions or logical files and folders
• Only the unallocated space of a forensic copy
• Results pre-generated by Autopsy's Logical Imager or exported from XRY

Illustration 77 – Creating a case with Autopsy Forensic


Illustration 78 – Creating a case with Autopsy Forensic

The next step is to indicate the path to the evidence.

Illustration 79 – Creating a case with Autopsy Forensic

5.2.3 Modules

The next step is the most important, since here we choose the ingest modules to apply to the evidence. By default all modules are selected; however, I DO NOT RECOMMEND this. Ideally, enable only the modules you initially require: on many occasions a result can be reached without processing all the evidence. For example, analyzing only the user's activity could give us information that solves the case, saving many hours of work.
Illustration 80 – Autopsy Forensic Modules

This should not be taken to mean that only that module is functional, but rather that we can run one module, look at the result and, if the information obtained is not sufficient, run further modules afterwards, without having to enable everything and wait for days until the evidence finishes processing.

In this book we will not go into each of the modules, as the official Autopsy website has a detailed description of each of them.

IMPORTANT: the antivirus on your computer must have the forensic copy directory and the case/temporary directory in its exclusions; otherwise the antivirus could quarantine or delete files extracted during analysis (malware carved from the image, for example) and the Autopsy Forensic result would be incomplete.

The process can take a couple of minutes; however, when it finishes, it has only finished adding the evidence: the processing is just beginning.

The overall progress of each selected module can be seen at the bottom of the screen. Depending on the hardware, the size of the forensic copy and the number of modules, the process can take anywhere from a couple of hours to a couple of days or weeks. To avoid bottlenecks, I stress the use of at least three hard disks (see the start of topic 5).
Illustration 81 – Autopsy Forensic Processing

Illustration 82 - Autopsy Forensic Processing

5.2.4 Viewing evidence

As the modules progress, the results fill in and new categories appear.

I recommend that, while the analysis is in progress, browsing be kept to a minimum and, if possible, postponed until the modules complete: the processor is most likely working at full capacity, and browsing through the various categories could cause the program to stop responding and fail to make full progress. For this reason, only look at specific data, or wait until the process has finished.

Illustration 83 - Viewing evidence in Autopsy


Illustration 84 - Viewing evidence in Autopsy



Illustration 85 - Viewing evidence in Autopsy

At the end of processing, you will see that Autopsy Forensic has sorted the evidence into categories (file types, deleted files, file sizes and each of the other classification categories), which allows you to go through the hundreds of thousands or millions of files contained in the forensic copy in segmented sets that you can analyze little by little.

5.2.5 Timeline

In the top menu, a frequently used option is "Timeline". Since every file is classified according to its MAC times (Modified / Accessed / Created; on NTFS, Autopsy also shows the MFT entry Changed time), this is useful when, for example, an intrusion is suspected on a certain day and time: with this tool we can start to see which other files, logs or other items were modified at that time or shortly before. Bear in mind that file timestamps can be altered by an attacker (timestomping), so a timeline should be corroborated against other sources, such as the event logs.

Illustration 86 – Timeline in Autopsy

Timeline takes a long time to sort the data, so we should be aware that, when running this option, Autopsy Forensic again enters a mode that consumes almost all of the processor's resources.

Illustration 87 – Timeline in Autopsy

5.3 Commercial forensic suite

In commercial software there are options ranging from a few dollars to thousands of dollars, and at the top end the price can reach hundreds of thousands (multi-user licenses for governments or very large corporations). Here are the main brands we know of and their advantages.

Among the companies that have been in the market the longest are EnCase, FTK, Magnet Axiom and Nuix Workstation, with a primary focus on computers. On the other hand, Cellebrite, Oxygen Forensic and MOBILedit are mainly aimed at mobile devices. I emphasize "mainly", because many of these developers have started to develop modules within their programs, or stand-alone software, aimed at covering other areas. I have tested most of them and, in my opinion, they still have a long way to go, except for Cellebrite, whose programs are highly effective.

Since it is not the intention of this book to paraphrase what the respective vendors say about each of the programs mentioned, I will give an overview of what, in general terms, the commercial tools can accomplish.

• Technical support

Let's start by mentioning that, in the event of a program failure during our investigations, we will have technical support from a company, as opposed to Autopsy Forensic, where we must seek help in the forums. Here, if the program fails or we have any other problem with the software, we can go to the manufacturer, whose response is very fast. Other added values that these companies provide are:

• Speed

The robustness of their built-in modules allows us not only to classify evidence, as free tools can, but also to make the most of the hardware. This is crucial when we have a constant workflow, as manufacturers spend a lot of time making the program use the processor, the RAM and the disks holding the databases to the maximum. Thus, the processing of the evidence can finish in a time well below what free software achieves.

• Classification with AI

Another very interesting point is the artificial intelligence technology that some manufacturers incorporate: it is only necessary to load the evidence, enable the AI option and tell the program what we want to classify, for example drugs, weapons, nudity, pornography, violence, vehicles, credit cards, mobile phone screenshots, OCR text, among other modules. This greatly helps the investigator to have, one click away, not thousands of files but highly classified information of relevance.

Illustration 88 – Evidence Classification with AI

• Viewing multiple formats

When we have analyzed millions of items, which is common with a forensic copy of about 250 GB, we have classified files of many kinds. However, in tools such as Autopsy Forensic we can only view a file as text or hexadecimal or, if it is an image or a PDF, in the built-in graphical viewer. Files in other formats are harder to analyze, because they must be exported from Autopsy one by one to another location where we can view them correctly. Commercial tools solve this in most cases: when browsing the evidence, the files can be selected and the program takes care of displaying them correctly, for example Excel tables, browsing history with filtering and sorting options, and so on for most of the main formats.

Illustration 89 - Evidence Classification with AI


• Brute force attacks

When there are encrypted files in the digital evidence, both free and commercial tools can detect them; the significant difference is that commercial tools integrate brute-force attacks to recover the password. One might think that a tool such as John the Ripper or hashcat could do the same and, for many formats, they can; what the commercial products add is integration. For example, AccessData's PRTK and DNA (Distributed Network Attack) combine password recovery software with distributed processing: graphics cards and a group of computers coordinate by pooling their hardware resources, boosting the attack. They also ship profiles for very specific attacks and, of course, very robust dictionaries.

6. Windows Digital investigation

As we have already mentioned in previous chapters, computer forensic investigations aim to have a complete copy of the computing device on which the analysis will be carried out (or as close to complete as circumstances allow), so that we work on this copy and do not compromise the original digital evidence during our analysis; this is why the forensic copy is fundamental in this field.

6.1 Adding evidence

When we have a copy in dd, E01, AFF or whatever format we selected at the time of copying, the question arises: how do I interpret this information? Different tools allow us to interpret this data. For example, in FTK Imager, which we have already worked with, the process is similar to the one described in topic 4.7.1; the only change is that, when adding the evidence, instead of "Physical Drive" we select "Image File", and the tool asks for the file containing the forensic copy. If the copy is split into segments, we only indicate the first file and the program joins the parts virtually. Additionally, we can extract complete files or directories to wherever is most convenient by right-clicking and selecting "Export Files...". Remember to verify the hash of the copy before working with it, so that the evidence analyzed is demonstrably the evidence that was collected.
Illustration 90 – Adding evidence using FTK

Illustration 91 - Adding evidence using FTK

Illustration 92 - Adding evidence using FTK

An alternative is OSForensic, with the following steps:

1. We must create a new case from the main menu.
Illustration 93 - Adding evidence using OSForensic

2. In the "Add Device" option, we must select "Image File" and the path where the forensic copy is located.

Illustration 94 - Adding evidence using OSForensic


3. With this, the forensic copy is added in the "File System Browser" menu, and we can browse the directories and access the files, with the same extraction functions as those described for FTK Imager.

Illustration 95 - Adding evidence using OSForensic

6.2 Mounting forensic copies

Mounting a forensic copy is equivalent to adding the copy as evidence, in that it lets us interpret the data in the copy. The difference is that, instead of viewing the files from the forensic program, we use Windows Explorer to work with a drive as if a hard disk were connected.

The process is similar to what common programs such as Alcohol 120%, UltraISO or Nero Burning ROM do when they mount an .iso file as a virtual drive.

The company that developed OSForensic also has a free application called OSFMount, which is quite intuitive. The steps are:

1. Once the application is open, select "Mount new".

Illustration 96 – Mounting forensic copies using OSFMount

The system opens a new window requesting the path to the forensic copy. It is worth noting that OSFMount supports a wide range of copy formats, as well as virtual machine disk files.

Illustration 97 - Mounting forensic copies using OSFMount

2. The system prompts you to indicate which partition you want to mount. In a forensic copy of a Windows system you will see multiple partitions; unless a particular case requires the other partitions, just select the operating system partition, without checking the "Mount entire image as virtual disk" option.
Illustration 98 - Mounting forensic copies using OSFMount

3. The last step is to indicate whether you want the mount to be read-only or read/write, and the emulation type. Keep the default read-only mount: a read/write mount would alter the image file and invalidate the hash calculated when the copy was made.

Illustration 99 - Mounting forensic copies using OSFMount

The result is a virtual drive with all its files fully accessible.

Illustration 100 - Mounting forensic copies using OSFMount


But what is the benefit of mounting a drive rather than just adding it as evidence? The answer is that all the usual applications, which do not work on forensic copies, can now access and analyze this drive. Take something as basic as a program that recovers deleted files: its first step is to indicate the disk to analyze, and with the mounted drive we can point it at "H:" or whatever letter we mounted, since such programs do not understand forensic copy formats. And not only file recovery: forensic tools for log analysis, browsing histories and analysis of system files; in other words, everything is now accessible.

6.3 Existing users

A very important file for us is the SAM, located in C:\Windows\System32\config\. This file tells us which local users are registered on the computer, and also important data such as whether the account is active, the last password change, the last login and the number of failed password attempts.

To analyze it, bear in mind that the file is locked by a running Windows system, so ideally we extract it from a forensic copy. Once the file has been extracted with one of the methods we saw previously, we must proceed to interpret it, since if we open it with a text editor such as Notepad the data is not presented in plain text: it is a registry hive in binary format.

A tool I like for its high compatibility is AccessData's "Registry Viewer". Note that this tool requires a license; without one, we can still go ahead by selecting "demo mode".

Procedure is very simple:

1. Open SAM file

Illustration 101 – SAM Analysis using Registry Viewer

2. Go to the path SAM\Domains\Account\Users.

Illustration 102 – SAM Analysis using Registry Viewer

By selecting the records one by one, we can see the interpretation of the data, where the last write date, the SID (the account's unique identifier), the number of logins, the last password change and other data are broken down.

Illustration 103 – SAM Analysis using Registry Viewer

The last component of the SID is the RID. RIDs below 1000 belong to accounts created by the operating system itself: here we find the Administrator account (RID 500) and the Guest account (RID 501), which are part of every Windows system; accounts created later start at RID 1000. Since these built-in accounts are normally disabled, it is worth checking whether account 500 was enabled at some point: it is very common to find this in intrusions on company servers, where someone, internal or external, enabled the account without it being visible in the Windows control panel.
6.4 Hosts

To understand the importance of this file, we must understand that, when we type an address such as www.google.com into our browser, it cannot connect by name: it needs Google's IP address. The first thing it does is consult the local DNS cache to see if it already has a record for that name; the entries of the "hosts" file are loaded into that cache, so if the IP of www.google.com is defined there, it connects to that address. Otherwise it queries the configured DNS server (usually the router or the ISP's resolver), which in turn queries the authoritative servers for the domain. It is in the hosts file that an attacker may have defined an IP, perhaps not for www.google.com but for a bank's page, a social network or some other target site. It may also be that the system administrator is blocking social networks or other domains of interest so that the company's employees cannot access specific pages.

A clean file should look like this.

Illustration 104 – Windows hosts

“hosts" file can be found in the path

C:\Windows\System32\drivers\etc, which can be opened


with any text editor.

Even if no entries for specific domains are present, this does not guarantee that the file has not been modified, so we should always check its modification date and time, which on a clean installation of Windows matches that of the other files in that folder. If we find that it has been manipulated, that should be a wake-up call that something strange is going on (bearing in mind that timestamps themselves can be forged, so the finding is corroborated with other artifacts).

One explanation for a change in this file is the installation of unlicensed software together with an "activator": these programs often modify the hosts file to prevent the program from validating its key or receiving updates.

Illustration 105 – Windows Hosts

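Added example, not from the book: a small Python triage script for the hosts file, which applies the two checks described above (names pinned to a loopback or null address, and names redirected to some other host) to a sample hosts file constructed for this example. The vendor, social-network and bank domains in the sample are invented and 203.0.113.5 is a documentation address; only the standard library is used.

```python
import ipaddress

# Names that legitimately resolve to loopback in a clean Windows hosts file.
EXPECTED_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: a Windows hosts file after three kinds of tampering.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1       localhost
::1             localhost
0.0.0.0         activate.example-vendor.com    # added by a software activator
127.0.0.1       www.social-example.com         # admin blocking a site
203.0.113.5     www.examplebank.com            # redirect: classic pharming
"""


def parse_hosts(text):
    """Return [(line_no, ip_or_None, [fields])] for every non-comment, non-empty line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()       # drop comments, inline ones included
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            entries.append((line_no, None, fields))  # not an address: keep it, it is a finding
            continue
        entries.append((line_no, ip, fields[1:]))
    return entries


def classify(ip, names):
    """Label one entry: normal, blocked, redirect or malformed."""
    if ip is None:
        return "malformed"
    if ip.is_loopback or ip.is_unspecified:          # 127.0.0.0/8, ::1, 0.0.0.0, ::
        if names and all(n.lower() in EXPECTED_LOCAL for n in names):
            return "normal"
        return "blocked"    # sinkholed name: admin block, activator, or malware killing updates
    return "redirect"       # name sent to some other host: possible pharming


SEVERITY = {"redirect": 3, "malformed": 2, "blocked": 1}


def triage(text):
    """Findings for every suspicious line, most severe first, then by line number."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        label = classify(ip, names)
        if label == "normal":
            continue
        findings.append({"line": line_no, "label": label,
                         "ip": None if ip is None else str(ip), "names": names})
    findings.sort(key=lambda f: (-SEVERITY[f["label"]], f["line"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}  {f['label']:<9}  {f['ip']}  {' '.join(f['names'])}")
```

To run it on real evidence, read C:\Windows\System32\drivers\etc\hosts from the mounted copy and pass its text to triage(); a "redirect" finding for a bank or update domain is the case the section warns about, while "blocked" entries still need a look because an activator or an administrator may be behind them.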

6.5 System events

Windows event logs have a defined folder, C:\Windows\System32\winevt\Logs, but the system administrator can easily move the log path, so it is worth checking the following registry keys to see whether the original paths have been changed (the "File" value under each key holds the path):

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security

The files were originally in .evt format, a binary format. Since Windows Vista the format is .evtx, which offers many improvements in searchability.

These files are interpreted by the Windows operating system itself (Event Viewer), so no third-party application is needed; however, third-party applications not only open the files but also allow filters to be applied according to the level of the events.

The OSForensic tool, in the "Event Log Viewer" section, has a series of filters that help us sift through thousands of system events.
Illustration 106 - Windows System Events

Illustration 107 - Windows System Events using OSForensic

6.6 Prefetch

Windows systems have a Prefetch service for the applications that are run; it stores its data in C:\Windows\Prefetch. Dedicated programs are required to analyze this data. Note that Prefetch can be disabled (it is off by default on Windows Server editions), in which case the folder will be empty.

The relevance of this service is that it holds one entry per application, for example WINWORD.EXE, the Word executable. If we analyze the Prefetch entry of WINWORD.EXE, we get a list of the files that were loaded by Word; in this example, WinPrefetchView v1.37 was used.

Illustration 108 - Prefetch

This is useful when a user has run an application that deletes their activity history, as the Prefetch folder is not cleared by the default settings of such cleaning programs. So it is always worth looking at the applications that are of relevance to us.

Another example is explorer.exe, whose entry tells us that Word, Excel, OSForensic and Oxygen Forensic have been opened, but not when: the file list in a Prefetch entry carries no timestamps, so it only confirms that they were opened. (The run count and last run times stored in each .pf file refer to the application of the entry itself, explorer.exe in this case.)

Illustration 109 - WinPrefetchView

6.7 Shadowcopy

Windows operating systems automatically take "snapshots" (Volume Shadow Copies) of files. This is very useful when an update or a newly installed program causes problems and you need to revert to a previous version. Shadow copies can also be used when, for example, ransomware has encrypted your files: with luck, you can recover documents from these snapshots, although many ransomware families deliberately look for the snapshots and delete them.

To list the snapshots, just run "vssadmin list shadows" from a CMD with administrator permissions; the result should look like the following.
Illustration 110 - Shadowcopy

It is possible that the system answers that "no items were found that satisfy the query", which means that the disk has no snapshots, either because the space for them was disabled (to save disk space) or because they were deleted.

The path of each detected snapshot has the following form:

\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3

To access the contents of this snapshot, we need to create a symbolic link to it with mklink (the trailing backslash is required):

mklink /d C:\shadow1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\

In the example, a symbolic link was created in C: with the name "shadow1".

Illustration 111 - Shadowcopy

When accessing this folder, you see the same structure that the C: drive had at the time of the snapshot and, when browsing Documents, Downloads, Desktop or the other user folders, you can find files that were deleted a long time ago.

6.8 MFT

NTFS (Windows) file systems keep a table with a record for every file and directory that has been stored on the volume over time (each time the drive is formatted a new table is created and the old one is lost). That table is the "$MFT" file (Master File Table), located in the root of the partition. Its forensic relevance is that records of deleted files remain in the table, marked as unused, until they are reused; so even if a cleaning application such as CCleaner has been run, the $MFT may still retain the name, timestamps and size of a file that no longer exists.

In this case I am using Mft2Csv, which is totally free and has a very practical graphical interface. We can scan existing disks or partitions, or directly load a $MFT file; that is all the tool needs to start the interpretation process and produce .csv files that we can open and filter, ordering the columns that matter most to us.

An example of its use is to detect whether an employee held a file that the company suspects was stored on the computer, or to detect files that were modified, edited or created in a certain time range before or after an intrusion.

Illustration 112 - MFT



The .csv files will be created in the same folder where our
tool is located unless we indicate a specific path to the
program.
7. RAM analysis

As mentioned at the beginning, part of our work as computer forensic experts is the preservation of evidence, and this is where RAM had to be copied, so as not to lose the gigabytes of information that disappear when the computer is turned off.

How do we analyze this data? If it is a forensic copy, can we analyze it with the previous tools? How much information can we find?

We will see that RAM is wonderful for the analysis process: having this file in our lab gives us access to a lot of information and precise data about what was there while the computer was on.

7.1 Volatility

Volatility is a command-line framework for RAM analysis; the graphical tools that exist for it, such as the memory module of OSForensic, are just GUIs on top of Volatility itself.

Volatility is free and multi-platform. Many tools have been developed around this project, using it as their engine, which makes it a quite robust and up-to-date tool.

The basic syntax (Volatility 2) is:

volatility -f <file-path> <plugin>

Next, the profile must be included, which is specific to each memory image to be analyzed:

volatility -f <file-path> --profile=<profile> <plugin>

7.1.1 Profiles

Up to version 2.6 of Volatility (still the most widespread), you
first had to analyze the memory dump and tell Volatility which
operating system it came from: Windows XP, Vista, 7, 8, 8.1, 10
or 11, or Linux or macOS in 32 or 64 bits. The kernel structures
in RAM differ between all of these, and even between service packs
of the same system, so Windows XP 32-bit and Windows XP 32-bit SP2
are distinct profiles. In fact, every update changes the system
and with it the RAM structure. For this reason Volatility 2 first
identified the profile (its imageinfo plugin suggests candidates)
and only then could it show us the processes, services, libraries
or any other relevant data. With version 3 the information can be
requested directly, because the framework locates the right symbol
table for the dump by itself:

vol.py -f <path-file> <what-we-seek>

Running vol.py -h shows the help:


Illustration 113 - Volatility

7.1.2 Processes and sub-processes.

First, look at the processes that were running when the memory
was captured, much like the Task Manager on a live computer, with
the clear advantage that you can analyze in depth the libraries
used by each process, its executable path, and its parent and
child processes. This is obtained with:

python3 vol.py -f <path-file> windows.psscan.PsScan

Note that psscan scans physical memory for process objects, so it
also returns processes that had already terminated or had been
unlinked from the kernel's process list, whereas
windows.pslist.PsList only walks that list; comparing the two
outputs is a standard way of spotting hidden processes.

This command returns a report with very valuable information:
process name, PID, PPID and creation time, among other fields.

Illustration 114 – Volatility PsScan

An alternative is to list the processes as a tree, to get a
graphical report of each parent process and the processes derived
from it. The command is:

python3 vol.py -f <path-file> windows.pstree.PsTree


Illustration 115 – Volatility PsTree

There are columns with additional information, but, for the sake
of better visualization, the above image has been cropped.
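The following script is an added example, not code from the book or from the Volatility project. It parses the tab-separated text that windows.pslist.PsList and windows.psscan.PsScan print, rebuilds the parent/child view that windows.pstree.PsTree gives, and reports the processes that the pool scan found but the kernel's linked list did not, which is how an unlinked (hidden) process shows up. Both listings embedded in it are constructed for the example; the PIDs, names and offsets are not from any real case.

```python
"""Cross-view check and process tree from Volatility 3 process listings.

Added example. Parses pslist/psscan text output, rebuilds a pstree-style
view and flags processes present in psscan but absent from pslist. The
two listings below are constructed in the layout of the vol3 text renderer.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    offset: str
    create_time: str
    exit_time: str


HEADER_LIST = ("PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\t"
               "SessionId\tWow64\tCreateTime\tExitTime\tFile output")
HEADER_SCAN = HEADER_LIST.replace("Offset(V)", "Offset(P)")  # psscan: physical offsets
T0 = "2023-03-01 09:00:00.000000"


def _row(pid, ppid, name, offset, created, exited="N/A"):
    """One constructed output line in the layout of the vol3 text renderer."""
    return f"{pid}\t{ppid}\t{name}\t{offset}\t8\t200\t1\tFalse\t{created} \t{exited}\tDisabled"


PSLIST_OUTPUT = "\n".join([
    "Volatility 3 Framework 2.5.0", HEADER_LIST, "",
    _row(4, 0, "System", "0xfa8000c97b30", T0),
    _row(524, 4, "smss.exe", "0xfa8001a0e040", T0),
    _row(612, 524, "csrss.exe", "0xfa8001b12060", T0),
    _row(688, 600, "winlogon.exe", "0xfa8001b8a2c0", T0),  # parent 600 already exited
    _row(1220, 688, "explorer.exe", "0xfa8001d7f060", "2023-03-01 09:01:00.000000"),
    _row(2048, 1220, "cmd.exe", "0xfa8001f3b630", "2023-03-01 09:10:00.000000"),
])
PSSCAN_OUTPUT = "\n".join([
    "Volatility 3 Framework 2.5.0", HEADER_SCAN, "",
    _row(4, 0, "System", "0x01c97b30", T0),
    _row(524, 4, "smss.exe", "0x02a0e040", T0),
    _row(612, 524, "csrss.exe", "0x02b12060", T0),
    _row(688, 600, "winlogon.exe", "0x02b8a2c0", T0),
    _row(1220, 688, "explorer.exe", "0x02d7f060", "2023-03-01 09:01:00.000000"),
    _row(2048, 1220, "cmd.exe", "0x02f3b630", "2023-03-01 09:10:00.000000"),
    # terminated process whose EPROCESS is still in the pool: expected noise
    _row(2900, 1220, "notepad.exe", "0x1e4f2060", "2023-03-01 09:05:00.000000",
         "2023-03-01 09:07:30.000000"),
    # running process that was unlinked from the list: the real finding
    _row(3344, 1220, "svchost.exe", "0x1f01b060", "2023-03-01 09:12:00.000000"),
])


def parse_vol3_processes(text: str) -> list[Proc]:
    """Parse pslist/psscan text output; the offset column name differs (V vs P)."""
    procs, header = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Volatility", "Progress")):
            continue
        cols = line.split("\t")
        if header is None:
            header = cols
            continue
        row = dict(zip(header, cols))
        offset_col = next(c for c in header if c.startswith("Offset"))
        procs.append(Proc(int(row["PID"]), int(row["PPID"]), row["ImageFileName"],
                          row[offset_col], row["CreateTime"].strip(),
                          row["ExitTime"].strip()))
    return procs


def hidden_processes(listed: list[Proc], scanned: list[Proc]) -> list[Proc]:
    """Running processes that psscan recovered but the process-list walk missed.

    Keying on (pid, create_time) rather than pid alone avoids false hits when a
    PID has been reused; exited processes are skipped because psscan also
    recovers terminated objects whose pool memory has not been reclaimed yet.
    """
    known = {(p.pid, p.create_time) for p in listed}
    return [p for p in scanned
            if p.exit_time == "N/A" and (p.pid, p.create_time) not in known]


def process_tree(procs: list[Proc]) -> list[str]:
    """Indented tree in the style of windows.pstree.PsTree (one '*' per level)."""
    by_pid = {p.pid: p for p in procs}
    children: dict[int, list[Proc]] = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)
    lines, seen = [], set()

    def walk(p: Proc, depth: int) -> None:
        if p.pid in seen:  # guard against self-parenting or malformed PPID cycles
            return
        seen.add(p.pid)
        lines.append(f"{'*' * depth}{' ' if depth else ''}{p.name} ({p.pid})")
        for child in sorted(children.get(p.pid, []), key=lambda c: c.pid):
            walk(child, depth + 1)

    # A process whose parent is gone (or is itself) becomes a root; that is why
    # winlogon.exe shows up at top level in real listings.
    for root in sorted((p for p in procs if p.ppid not in by_pid or p.ppid == p.pid),
                       key=lambda p: p.pid):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    listed = parse_vol3_processes(PSLIST_OUTPUT)
    scanned = parse_vol3_processes(PSSCAN_OUTPUT)
    print("\n".join(process_tree(listed)))
    for p in hidden_processes(listed, scanned):
        print(f"HIDDEN: {p.name} pid={p.pid} ppid={p.ppid} at {p.offset}")
```

To use it on a real case, save each plugin's output to a file (for example `python3 vol.py -f memory.mem windows.pslist.PsList > pslist.txt`) and feed the file contents to parse_vol3_processes instead of the constructed strings. The only process the cross-view reports is the unlinked svchost.exe; the terminated notepad.exe is deliberately ignored, because psscan legitimately returns it.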

7.1.3 Inspection of used libraries

Knowing the name of a running process tells us little at a
forensic level. We may see a process called "explorer.exe" in the
listing; however, in a computer attack the goal is often to find
out whether legitimate processes are hosting something malicious
or are using libraries that let an attacker perform various
activities. For this reason the libraries loaded by a process must
be identified. The command is:

python3 vol.py -f <file-route> windows.dlllist.DllList --pid <process-number>

Illustration 116 – Volatility DllList

Volatility will list the libraries that the process with that PID
(1220 in the illustration) was using.
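Reading a DllList report by eye means asking two questions of every row: is the library loaded from a directory where system libraries are expected, and does the name the loader knows it by match the file it points to. The script below is an added example, not code from the book or from Volatility, that applies both checks to the tab-separated text that windows.dlllist.DllList prints. The sample output, the PID 1220 rows and the user path in it are constructed for the example, and the list of trusted directories is a deliberately simple assumption you would tune per case.

```python
"""Flag suspicious modules in Volatility 3 windows.dlllist.DllList output.

Added example. Two heuristics: a DLL loaded from outside the usual system and
program directories, and a DLL whose in-memory base name does not match the
file name in its full path (a sign of a tampered loader list). The sample
output and all paths in it are constructed.
"""
import ntpath

# Constructed sample in the layout of the vol3 text renderer (tab separated).
DLLLIST_OUTPUT = "\n".join([
    "Volatility 3 Framework 2.5.0",
    "PID\tProcess\tBase\tSize\tName\tPath\tLoadTime\tFile output",
    "",
    "1220\texplorer.exe\t0x7ff6c2b40000\t0x4ae000\texplorer.exe\tC:\\Windows\\explorer.exe\t2023-03-01 09:01:00.000000 \tDisabled",
    "1220\texplorer.exe\t0x7ffd0c5d0000\t0x1f8000\tntdll.dll\tC:\\Windows\\SYSTEM32\\ntdll.dll\t2023-03-01 09:01:00.000000 \tDisabled",
    "1220\texplorer.exe\t0x7ffd0b9b0000\t0xbd000\tKERNEL32.DLL\tC:\\Windows\\System32\\KERNEL32.DLL\t2023-03-01 09:01:00.000000 \tDisabled",
    "1220\texplorer.exe\t0x7ffd0aa20000\t0x2b2000\tole32.dll\tC:\\Windows\\System32\\combase.dll\t2023-03-01 09:01:00.000000 \tDisabled",
    "1220\texplorer.exe\t0x7ffcf1230000\t0x2a000\tupdate.dll\tC:\\Users\\user\\AppData\\Local\\Temp\\update.dll\t2023-03-01 09:14:32.000000 \tDisabled",
])

# Assumed allow-list of directories where libraries are normally loaded from;
# compared case-insensitively because Windows paths are case-insensitive.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def parse_dlllist(text: str) -> list[dict]:
    """Parse the DllList text output into one dict per row, keyed by header."""
    rows, header = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Volatility", "Progress")):
            continue
        cols = line.split("\t")
        if header is None:
            header = cols
            continue
        rows.append(dict(zip(header, cols)))
    return rows


def suspicious_modules(text: str, trusted=TRUSTED_PREFIXES) -> list[tuple]:
    """Return (pid, name, path, reason) for every module that fails a check."""
    findings, seen_pids = [], set()
    for row in parse_dlllist(text):
        pid = int(row["PID"])
        name, path = row["Name"], row["Path"]
        if pid not in seen_pids:
            seen_pids.add(pid)  # first row per PID is the process image itself
            continue
        low = path.lower()
        if not low.startswith(trusted):
            findings.append((pid, name, path, "outside trusted directories"))
        if ntpath.basename(low) != name.lower():
            findings.append((pid, name, path, "base name does not match path"))
    return findings


if __name__ == "__main__":
    for pid, name, path, reason in suspicious_modules(DLLLIST_OUTPUT):
        print(f"PID {pid}: {name} -> {path} [{reason}]")
```

A hit from this script is a lead, not a verdict: legitimate software does load DLLs from user profile directories, so the next step is to dump the flagged module (the next section shows how to dump a process; windows.dlllist.DllList also accepts --dump) and examine it.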

7.1.4 Extracting executables

One invaluable option of Volatility is the ability to recover from
the memory dump the executable of a process that was running. To
do this we tell Volatility the exact process we want, by PID. The
command is:

sudo python3 vol.py -f memory.mem windows.pslist.PsList --pid 1220 --dump

Illustration 117 – Volatility Dump

The resulting file can be analyzed in a variety of ways, for
example with OllyDbg, Ghidra or WinDbg, which requires solid
knowledge of disassembling and debugging an executable. A quicker
alternative is to upload it to one of the free sandboxes available
on the internet, or to virustotal.com, so that multiple antivirus
engines scan it and report whether it is detected as malicious.
Hash the dumped file first, as with any other piece of evidence,
and bear in mind that anything submitted to a public sandbox or to
VirusTotal is shared with third parties: if the case is
confidential, look up the hash rather than uploading the file.

Index of illustrations

Number       Description                                           Page
1 and 2      MD5 Collision                                         13
3            MD5 collision demo                                    15
4            MD5 collision demo                                    15
5 and 6      SHA1 collision                                        16
7            Collision demo                                        18
8            Differences between backup and forensic copy          30
9 and 10     RAM backup with FTK                                   32
11 and 12    Backup of RAM with Live RAM Capturer                  33
13           Linux backup with dd                                  35
14           Linux RAM backup with dd                              35
15           Access to /proc processes in Linux                    37
16           Process listing in Linux                              37
17           Windows commands applied to forensics                 39
18           ARP protocol                                          40
19           CMD history                                           41
20           Network configuration                                 42
21           Active network connections                            43
22           CurrPorts                                             43
23           Scheduled tasks                                       44
24           System information                                    45
25           Chrome history view                                   46
26           Agave Forensics                                       47
27           WinTriage                                             49
28           WinTriage options                                     50
29           WinUFO                                                51
30           SATA vs SAS disks                                     56
31           SCSI disks                                            57
32           USB hard drives                                       58
33           PCIE hard drives                                      59
34           M.2 hard drives                                       59
35           Tableau Blockers                                      61
36           Wiebetech Blockers                                    62
37           Tableau Tx1 Duplicator                                63
38           SalvationData Data Copy King II                       63
39 - 46      Forensic copy with FTK Imager                         64-71
47 - 49      Forensic Copy with OSForensic                         72-73
50 and 51    Forensic copy with HelixPro                           74-75
52           Listing of drives and mount points on Linux           76
53 and 54    Forensic backup on Linux with dd                      76-77
55           Live copy forensics, Windows systems                  79
56           Detection of encrypted drives with MAGNET             80
57 - 62      Detection of encrypted drives with FTK                81-86
63 and 64    BitLocker                                             86-87
65 and 66    Live Forensic Copy, Encrypted Windows Environments    88-89
67           Hash value calculation from CMD                       90
68           Hash Value Calculation from PowerShell                91
69           Hashing with Multihasher                              92
70 and 71    Hashing with OSForensic                               92-93
72           Hashing from Linux                                    94
73           Forensic lab                                          95
74 and 75    Autopsy Forensic                                      98-99
76 - 79      Creating a case in Autopsy Forensic                   100-103
80           Modules in Autopsy Forensic                           104
81 and 82    Processing in Autopsy Forensic                        106
83 - 85      Viewing Evidence in Autopsy                           107-109
86 and 87    Timeline in Autopsy                                   110-111
88 and 89    Grading Evidence with AI                              114
90 - 92      Adding evidence with FTK                              118-119
93 - 95      Adding evidence with OSForensic                       120-121
96 - 100     Mounting forensic copies with OSFMount                122-123
101 - 103    Analyzing the SAM with Registry Viewer                127-129
104 and 105  Windows Hosts                                         131-132
106          Windows system events                                 134
107          Windows system events with OSForensic                 135
108          Prefetch                                              136
109          WinPrefetchView                                       137
110 and 111  Shadowcopy                                            138
112          MFT                                                   140
113          Volatility                                            144
114          Volatility PsScan                                     145
115          Volatility PsTree                                     146
116          Volatility DllList                                    147
117          Volatility Dump                                       148
Computer forensic credentials

• It is important to point out that each country has its own
requirements for practicing and appearing before a judge as a
computer forensics expert. In most cases this is accredited with
diplomas or certifications; in Mexico, for example, some states
require a bachelor's degree in engineering and others do not.

• The American Council for Cybersecurity and Computer Forensic
(ACCCF) has practice labs:
https://americancybersecurity.org/laboratorios

• The exercises in this book can be replicated on a virtual
machine at: https://jocsanlaguna.com/laboratorios

The courses, diplomas and certifications that I know firsthand
are, in alphabetical order:

Duriva. The certification is the Computing Analysis Forensics
Specialized Certification (CAFSC), in online and classroom modes
(taught in its entirety by the author).

SANS. There are several levels; each course lasts on average 40
hours, in online and face-to-face modes.

Securízame. The certification offered is Digital Forensic &
Incident Response (DFIR), in online and classroom modes, with a
total duration of 90 hours, although specific modules can be taken
separately.

Disclaimer of Liability

Trademarks named in this book belong to their respective owners,
and their names and images were used for educational and
illustrative purposes.
