Fg45 : Digital Forensic : Assessment Answers

This requires that you watch the anti-forensics video. After that please complete this assignment with a paragraph for each answer. 

An overview of the video

Anti-Forensics and Anti-Anti-forensics: Attacks and Mitigating Techniques” is a video by Michael Perklin. The author of the video takes around 49 minutes and ten seconds to talk about digital forensics. Three major points have been discussed by Michael, these are a discussion on digital complications, techniques which can complicate digital-forensic examinations, and methodologies to mitigate the said techniques.

Lessons learned from the video

To start with Michael Perklin is a digital forensic examiner and computer programmer. From his tutorial, I have learned some various complications which can arise during digital investigation (Marshall, 2009). One is the typical workflow during digital investigation process; the first one is creating a copy, processing data for analysis, then analyzing data for relevance, preparing a report on findings, and archiving data for future. One of the issues I never knew is that when preparing a report, one has to include snapshots, snippets or thumbnails. In addition, I have learned that how investigators are paid; according to Michael, the intermediate investigators are paid on an hourly basis for 300 US dollars. In addition is the stage number two which is the process data for analysis; this stage involves hashing, file type identification, and full-text indexing.

Surprises from the video

One of the things that surprised me is on stage four that is separating the “wheat from the chaff”; the process takes 16 hours which calculates to $4800. What astonished most is the payment of the investigators. From the description of all the stages, it seems that digital forensic investigators reap a lot of money after the overall process. This made me re-think my career. I thought I would be an information security analyst but according to the figures given by Michael, I think I might be a digital forensic investigator. Lastly, the statement by Michael surprised me i.e. “smart investigators never say that this occurred at this time” but they say they say logs show that it occurred at this time” (Lammle, 2015).

Four different ways that a bad actor may try to obfuscate their tracks

1. Process log files with tools: According to Michael some of these tools use string matching or regular expressions
2. Circular references: Tools that use Hard-Disk do not bat an eye. Some of the tools that usually scan folders are usually affected by attacks. Other tools such as “Remote Analysis” and “Field Triage” methodologies are usually affected
3. Creating restricted files names
4. Broken log files confusion

Mitigation strategies of the attacks

1. Process Log files:To mitigate this issue, the investigator needs to use Ascii characters in custom messages. In addition, the investigator needs to use eLfL in Windows Event Logs.
2. Circular references:  To mitigate this it is advisable to always work from an image. It is also very important for the investigator to be mindful of different types of attacks during any investigation(Sachowski, 2016)
3. Creating restricted files names:To mitigate this issue an investigator should never at one point export native filenames. It is also very important to specify a different name
4. Broken log files:This can be mitigated by parsing a few pertinent records manually and then documenting the methodology (Carvey, 2016)

References:

Carvey. (2016). Windows Registry Forensics: Advanced digital forensic analysis of Windows registry. Chicago: Chicago Press.

Lammle, T. (2015). CompTIA Network+ Study Guide. Indianapolis: Sybex.

Marshall, A. M. (2009). Digital Forensics : Digital Evidence in Criminal Investigations. London: Spring Press.

Sachowski. (2016). Implementing Digital Forensic Readiness: From Reactive to Proactive. NewYork: Spring Press.