In this room (https://tryhackme.com/room/introdigitalforensics) we learn about digital forensics, formerly called computer forensics. The name changed because, as technology progressed, forensic analysis is no longer performed only on computers: smartphones, SD cards, CDs, thumb drives, etc. all contain potentially enormous amounts of information that is valuable to an investigation.

Types of Investigations

  1. Public Sector Investigations – these are investigations conducted by police departments and governments to investigate criminal activity.
  2. Private Sector Investigations – investigations conducted by a private company, such as a corporation, into possible misconduct that violates company policy. The investigation may be carried out by an internal investigator or by a 3rd-party investigator.

Evidence Collection/Analysis Process

  1. Acquire evidence – gather all digital devices such as computers, tablets and storage devices. A running computer requires special handling: if you turn it off, you lose any valuable data held in RAM (Random Access Memory – the memory that stores information about programs currently running), because RAM is volatile memory and everything in it is cleared once the machine is restarted or turned off. You could also miss external connections the computer is making; for instance, the culprit could be remotely logged in to attempt to destroy evidence. There are special tools to make sure nothing is overlooked or missed.
  2. Establish a Chain of Custody – this is a form filled out to show who has had access to the evidence, to ensure no unauthorized person accessed it or was able to alter it. If the chain of custody is broken or never established, this can be detrimental to an investigation.
  3. Place Evidence in a Secure Container – this is done to ensure devices remain intact. The container must protect the evidence from damage, and devices such as smartphones and computers must be prevented from connecting to the internet or any wireless network; a good way to achieve this is air-gapping them in a Faraday case.
  4. Transportation – this step involves safely transporting the evidence to the forensics lab.
  5. Retrieve the Evidence from the Secure Container – once you arrive at the lab you need to carefully unpack the evidence to be examined.
  6. Create a Forensic Copy of Data/Evidence – when analyzing digital data, you never work with the original; you always make a copy to remove the risk of accidentally altering it. The copy must be a bit-level copy of the original data. Forensic software suites, both paid and free, can help with this, such as EnCase, FTK, Autopsy, etc. Linux also has this ability built in, using the dd (data duplicator) command.
  7. Return the Original Evidence to the Secure Container – as previously stated, you work with the copy of the data and not the original. If you accidentally alter the copy, you can always create another bit-level copy from the original.
  8. Start Processing the Copy of Data
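As an added example (not part of the room), the bit-level copy and hash verification that steps 6 and 7 describe, done with dd: the image is taken, its SHA-256 is recorded beside it, and the recorded hash is re-checked before anyone works on the copy. A constructed sample file stands in for the real device (e.g. /dev/sdb), and the function names are assumptions of this example.

```shell
# Added example (not from the room): take a bit-level image with dd and record
# its SHA-256 beside the copy, so the next analyst can prove the image still
# matches what was acquired before working on it. A constructed sample file
# stands in for the real device (e.g. /dev/sdb), so it runs with no hardware.

# Build 1 MiB of random bytes plus a marker as stand-in evidence; print its path.
make_sample_evidence() {
    dir=$(mktemp -d)
    head -c 1048576 /dev/urandom > "$dir/evidence.raw"
    printf 'RANSOM-LETTER-DRAFT' >> "$dir/evidence.raw"
    echo "$dir/evidence.raw"
}

# Copy $1 to $2 bit for bit, hash both, write <image>.sha256 next to the copy.
# Returns 0 only if source and image hash identically. On a failing disk you
# would add conv=noerror,sync and set bs= to the sector size, so unreadable
# sectors are zero-filled rather than aborting the copy (the hashes will then
# legitimately differ, which is why the image hash is what gets recorded).
image_evidence() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=4M 2>/dev/null
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"
    if [ "$src_hash" = "$img_hash" ]; then
        echo "verified $img_hash"
    else
        echo "MISMATCH source=$src_hash image=$img_hash" >&2
        return 1
    fi
}

# Re-check an image against its recorded hash; non-zero if any byte changed.
verify_image() {
    img=$1
    ( cd "$(dirname "$img")" && sha256sum -c "$(basename "$img").sha256" ) >/dev/null 2>&1
}

# Stand-alone run: image the sample, verify it, then tamper and watch it fail.
src=$(make_sample_evidence)
image_evidence "$src" "$src.img"
verify_image "$src.img" && echo "image intact, safe to analyse"
printf 'X' >> "$src.img"
verify_image "$src.img" || echo "image altered: re-image from the original"
```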

Hands-On Learning

In this room we are given hands-on practice using various tools to perform digital forensics on a few different types of files. When a file is created, whether it is a picture, a text document, or another type of file, metadata is generated alongside it. This metadata can prove invaluable in determining who created the data, and when and how. The files we analyze are located in the /root/Rooms/introdigitalforensics directory of the AttackBox. Optionally, you can download these files to your local machine as well.

Tools

  • pdfinfo – used to display metadata about a PDF file.

Running the pdfinfo command on the file ransom-letter.pdf displays various information such as the title, subject, author, the software used to create the file, the software used to produce it, the creation date, the modification date, and so on.

  • exiftool – used to extract metadata from photos. When a photo is taken, various metadata gets embedded in the image, such as:
    • Model of smartphone or camera used.
    • Date and time photo was taken.
    • Location, via GPS coordinates, where photo was taken.
    • Photo settings such as shutter speed, focal length, ISO setting, and aperture.

Clicking through the slide show of exiftool screenshots in the original post shows the plethora of information available from the metadata stored in a simple picture file. To answer question #2 of the task we need to locate the GPS Position field, which is displayed in image 8/9 of the slide show. We take these coordinates, look them up on Google, and see what street it is.

For the 3rd and final question, you need to locate the model of the camera used to take the picture. To accomplish this, you can manually scroll through the Exif data, but the work-smarter-not-harder method is to make use of the grep command. To do this you can enter the following:

exiftool letter-image.jpg | grep Camera

  • exiftool letter-image.jpg – gets the metadata from the picture
  • | – this is the pipe operator; you put it at the end of one command and before another to have the output of the preceding command (exiftool letter-image.jpg) become the input of the succeeding command (grep Camera)
  • grep Camera – searches a document, or the result of another command, for a specified keyword, in this case “Camera”, and prints every line containing it, so the line Camera Model Name and its value come back together. (Avoid adding the -o switch here: it prints only the matched text, i.e. the word “Camera” itself, and hides the model name.)

    Note: if you have never used grep before, you can enter grep --help for assistance with its use.
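As an added example (not part of the room), the two lookups the task asks for, the GPS coordinates for question 2 and the camera model for question 3, done against a constructed sample of exiftool's "Field Name : value" output, so it runs without exiftool or the room's letter-image.jpg. The sample coordinates are invented and the function names are assumptions of this example.

```shell
# Added example (not from the room): parse exiftool-style output for one field,
# and turn its GPS Position value into decimal degrees ready for a map search.

# Constructed sample of exiftool output; the coordinates are invented.
sample_exif() {
    cat <<'EOF'
File Name                       : letter-image.jpg
Make                            : Canon
Camera Model Name               : Canon EOS R6
Create Date                     : 2022:01:02 10:20:30
GPS Position                    : 51 deg 30' 26.40" N, 0 deg 7' 39.00" W
EOF
}

# Print the value of one field from exiftool output on stdin. Matching the
# whole field name is tighter than `grep Camera`, which also returns any other
# line that happens to contain the word; the value is taken from the first
# ": " so values that themselves contain colons (dates) survive intact.
exif_field() {
    awk -v f="$1" '{
        k = $0; sub(/ *:.*/, "", k)           # field name, padding dropped
        if (k == f) { print substr($0, index($0, ": ") + 2); exit }
    }'
}

# Convert an exiftool GPS Position value (degrees/minutes/seconds with N/S/E/W)
# into signed decimal "lat, lon", the form a map search expects.
gps_to_decimal() {
    awk '{
        gsub(/[^0-9.A-Za-z ]/, " ")   # drop the quote marks and the comma
        # fields are now: 51 deg 30 26.40 N 0 deg 7 39.00 W
        lat = $1 + $3 / 60 + $4 / 3600; if ($5 == "S") lat = -lat
        lon = $6 + $8 / 60 + $9 / 3600; if ($10 == "W") lon = -lon
        printf "%.6f, %.6f\n", lat, lon
    }'
}

# Stand-alone run: the answers to questions 3 and 2 for the sample.
sample_exif | exif_field 'Camera Model Name'
sample_exif | exif_field 'GPS Position' | gps_to_decimal
```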

Task Question / Answers

  1. Using pdfinfo, find out the author of the attached PDF file.
    A: Ann Gree Shepherd
  2. Using exiftool or any similar tool, try to find where the kidnappers took the image they attached to their document. What is the name of the street?
    A: milk street
  3. What is the model name of the camera used to take this photo?
    A: Canon EOS R6
