From f4f6fa119a90270bdcb2761871dc3ec23720ce82 Mon Sep 17 00:00:00 2001 From: Jef Roosens Date: Wed, 1 Jan 2025 12:33:13 +0100 Subject: [PATCH] ch08 --- 08_digital_forensics.md | 112 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 08_digital_forensics.md diff --git a/08_digital_forensics.md b/08_digital_forensics.md new file mode 100644 index 0000000..49e6120 --- /dev/null +++ b/08_digital_forensics.md 
@@ -0,0 +1,112 @@ +# Digital forensics + +* branch of forensic science focused on recovery, investigation, analysis of + material on digital devices +* goal: uncover and preserve digital evidence +* pillars + * **identification**: recognize potential sources of evidence (computers, + phones...) + * **preservation**: ensure digital evidence is protected from tampering + (e.g. taking disk images) + * **analysis**: examine evidence to extract information + * **documentation**: keep detailed records of all actions done during + investigation + * **presentation**: report findings in a clear way + +## Types of devices + +1. computers and laptops: disk image made, analyse for files, browser history, + metadata... +2. smartphones and tablets: call logs, messages, GPS, cloud data... +3. network devices and servers: logged/real-time network traffic +4. IoT devices: configuration, certificates, user interaction data +5. wearables: user profile, GPS data +6. drones: telemetry data, video/photos +7. vehicles: onboard computers contain lots of information (engine control, + navigation...) +8. medical devices: patient health data, usage logs... +9. CCTVs: video footage, access logs +10. device memory (RAM): memory of running processes, network connections... +11. gaming consoles: personal user info, communication (chat logs) +12. cloud storage: files and data + +## Cyber-incident response process + +Secure. Contain. Protect. + +1. preparation: identify risk, plan for threats, training +2. incident identification + * event monitoring, alerting, threat analysis + * identify stage attackers are in +3. containment / intelligence development +4. eradication / remediation + * harden entrypoints / patch + * purge malicious files +5. recovery: restore from backups; get back to safe state +6. improvement + * report on what happened + * update training + +### indicators of compromise + +* evidence that points to breach +* some examples + 1. unusual network traffic + 2. 
suspicious file activity: malware signatures, unauthorized file creation + 3. abnormal user behavior + 4. system performance anomalies + 5. log file entries: weird stuff in logs, basically all of this but in the + logs + 6. malicious emails + 7. changes in configuration + 8. unauthorized access attempts + 9. indicators in memory and processes + 10. external device connections + 11. anomalies in data exfiltration + * unusual outbound data transfers + * use of non-standard ports or encrypted channels + 12. DNS anomalies + * queries to known malicious domains + * sudden spike + * unusual traffic patterns + +### Indicator sharing languages + +* **[STIX](https://oasis-open.github.io/cti-documentation/)**: Structured + threat Information Expression +* **[MISP XML and JSON](https://github.com/MISP/MISP)** +* transport protocols + * Traffic Light Protocol (TLP) + * TAXII: HTTPS exchange of STIX info +* Yara and Yara-X: pattern matching tools for malware identification +* MISP + * open framework for sharing IoC information + +### Indicator of attack + +* newer cousin of IoC +* proactive +* tries to identify intent of attacker regardless of exploit used +* nowadays lots of malware is signed with legit certificate + * bought from lax CAs + * by setting up fake company + * stealing certificates +* entropy as indicator: measure of randomness in system + * malware packs, compresses, encrypts and obfuscates + * this greatly increases entropy in file + * entropy calculation can be used to detect malware +* tools + * pestudio: static file analysis tool + * cuckoo sandbox: sandbox environment to analyse malware + * redline: tool to analyse processes and file handles on host + * Process Hacker: visual overview of running processes; inspect memory + * ProcMon: record live process activity + * ProcDot: graphical presentation of ProcMon data + * Fiddler: acts like web proxy to analyse HTTP(S) traffic +* forensic tools + * Encase: tool to find case evidence on devices + * FTK: forensic 
toolkit + * X-Ways Forensics: can restore deleted files + * Sleuth-Kit and Autopsy: disk image investigation + * Volatility: toolkit for investigation RAM to extract data + * create RAM dump
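Review bot: the final bullet `* create RAM dump` under Volatility is a dangling fragment with no content, and the line before it has a typo (`toolkit for investigation RAM` should read `toolkit for investigating RAM`); either finish the bullet (which tool produces the dump, and that it is captured before the system is altered, in keeping with the preservation pillar at the top of the file) or drop it. In the "Indicator sharing languages" list, the Traffic Light Protocol is a handling and classification marking scheme for shared information rather than a transport protocol, so it belongs as its own bullet beside TAXII instead of under `* transport protocols`; MISP also appears twice (`MISP XML and JSON` and the separate `MISP` bullet) and the two entries should be merged. Minor: `Structured threat Information Expression` should be `Structured Threat Information Expression`. Lastly, the entropy bullets under "Indicator of attack" would read more accurately with the caveat that legitimately compressed or encrypted files also score high, so entropy is a triage signal that needs corroboration rather than a definitive indicator on its own.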