Tuesday, February 7, 2023

Case_Notes.py - A simple “how to” guide…

            When I first started doing computer and mobile forensics, I used to keep a handwritten log of my case notes and forensic findings. A short time later, I switched to using text editors like Notepad and Notepad++ to keep my notes in a digital format. The basic concept of these notes was and still is considered to be my “work product” and was never my final report that was given to the client. That is still something completely different.

Now this next part is my own personal opinion and some people may disagree with me - and that is okay! I do not like using ANY forensic tool’s “report” as my final forensic report for the client. Some forensics tools reports are better than others. It can be very convenient to provide a pdf or html report from a tool but it lacks the details behind the meaning or interpretation of the artifacts. A forensic report should take highly technical information and translate it to an easy to read explanation of what happened. 

What my notes allow me to do is to account for and have an audit trail of ALL the things that I do when interacting with the device from initial collection all the way through to the examination being complete. The notes are then used to help me draft my final report and keep my findings organized. My final report contains my findings and opinions which are derived from the careful analysis of the evidence and the facts of the case. My notes are much more detailed and include information such as the tools (including version number) used to conduct the examination. The final report is then compiled using my detailed notes and screenshots taken during the examination process to help the reader understand not only what happened but also my methodology to reach my conclusions. 

Detailed notes are especially important to this process. You will end up with “GIGO”, which can be interpreted one of two ways: “Good In Good Out” or “Garbage in Garbage Out.” It is completely up to you how much value you will get out of using this tool. I wanted to find a way to streamline my forensic examination and report writing process. One key aspect to automation is that if you have to do something more than once you should probably script it. So, I set about taking some time and generated a script that does just that - easy case notes documentation complete with date/time stamps for every entry, and the ability to easily take screenshots to enhance or reinforce the notes.

Now, with all of that explanation over with, how do we use the script? The latest version of the script can be found here: https://github.com/jgasmussen/Case_Notes.py. The README.md file explains how to install and configure your device to use the script so I won’t rehash that here. Instead, I will cover how the script can be used:

FICTITIOUS SCENARIO A: Let’s pretend you have been contracted by “Acme Corporation'' to investigate an employee’s desktop computer for an “acceptable use” policy violation. The HR representative, Alice, at Acme Corporation states they have received complaints that Bob, a veteran employee of the Acme Corporation sales department, who is suspected of using his desktop computer for personal use. Alice informs you this is not the first time they have received complaints about Bob using his work computer for personal use. HR states the first complaint against Bob came in approximately 6 months ago. Alice stated Bob was cautioned to stop using the computer for personal use, and was required to read the company policy that covers the acceptable use of corporate computers, and Bob signed the policy stating he understood and agreed to follow the policy. With these new complaints, Bob has been placed on paid leave pending the outcome of an investigation. Bob’s supervisor, Jim, informs you that the sales team routinely uses the Google Chrome web browser to access company applications and databases for sales work. The Legal and HR team at Acme Corporation agreed an independent investigation is warranted and you are legally authorized to investigate this matter. An HR representative escorts you to Bob’s office where you will conduct a forensic acquisition of the desktop computer and then conduct a forensic examination of the evidence you collected back in your lab. You will then complete a forensic report and provide it to Alice. 

This is what I would do:

With the Case_Notes.py script installed on my laptop, I would create a new case folder for the case. I would then run the script using the command:

$ python3 Case_Notes.py -f Bob_AcmeCorp -t localtime

The first thing the script will do is prompt us to input some basic information for the header of the log file such as, your Agency/Company, Examiner’s Name, Examiner’s ID, and a Case number. Once the information is input, the script drops the user into a persistent command prompt where the user can enter case notes. Each time the user enters a note and presses return or enter the information is logged in the log file complete with the date and timestamp. 

The first note I would enter would be a brief description of the case and the relevant names needed for documentation purposes:

“On [DATE /TIME] Alice of Acme Corporation contacted me to investigate employee, Bob, for a corporate policy violation regarding the use of company computers for personal use.” 

The next note I would make would be a description of the desktop computer (make, model, serial number, etc.), its location (what floor, office, cubicle, etc.), and its current state (powered on, powered off, hibernation, etc.). 

I would then take some photographs of the office and the desktop computer as it was found and notate the photographs were taken with an entry into the notes.  

(For the sake of argument let’s say the desktop computer was currently powered on, the user “Bob” was still logged into the machine, and we have the appropriate admin credentials necessary to collect a live memory capture.) I would choose an evidence collection drive with the appropriate forensic tools loaded onto the drive. I would document in my case notes when the drive was connected to Bob’s desktop computer.

I would document when I ran the memory collection tool, and document when the memory collection process completed. I would run an encryption detection program to see if there were any encryption programs running and document that I ran the program and the results. If necessary, I may take a live triage collection of artifacts using forensic tools like CyberPipe (a future blog post will cover this new tool), KAPE, or FTK Imager and document the start and end time in the case notes.     

In the next note, I would document that I turned off the machine and removed the internal hard disk drive, connected it to a forensic write blocker connected to my forensic laptop, and generated a complete forensic image (.E01) of the hard drive using FTK Imager. I would document the version of FTK Imager used and the settings chosen to generate the image, the time I started the image and the time that the image was completed. 

I would then document that the computer was reassembled and powered back on to ensure it was still in good working order. I would then take photographs of the office after I was done to document how the office was left in the same way it was found.

I would then make a note that the collection process was complete and document the time I was leaving the site.

Once back at the lab, I would then create a derivative evidence copy of the original forensic image to the forensic workstation and verify that the hash values matched. The case notes log file would be copied to the cases folder on the workstation and re-opened using the same command and flags for consistency. I would make a note about the forensic image verification process.

I would then run several forensic tools against the working copy of the forensic image to collect and parse the system artifacts related to the “Bob’s” username looking to establish a timeline of the activity and browser history. I would document the tools I used to do this and their findings. I would create a timeline complete with the artifacts and analyze the output to show whether or not the user “Bob” had, or had not, violated the Acme Corporation’s policies with regard to using company computers for personal use or not. Significant findings and screenshots of relevant evidence would be taken and documented using the case_notes.py script.  

I would also use an antivirus and malware scanner to scan the image for signs of compromise - although that should be clearly evident through the analysis of the system artifacts it doesn’t hurt to show that we did our due diligence and checked to see and rule out the “SODDI” defense (Some Other Dude Did It). 

Let’s pretend there was no evidence of malware or viruses found on the device, and that the forensic analysis of the web browsing history and the artifacts of execution history on the device showed that “Bob” appears to be in violation of the company’s personal use policy. The web browsing history showed that Bob spent approximately 4-6 hours per day of heavy internet browsing to websites for hunting and fishing equipment, outdoor web forums, boating and fishing supplies, etc. and Bob was only accessing the company websites and databases related to his job duties as a salesman on average of 45 minutes to 1 hour per day and approximately 20 to 30 minutes per day was dedicated to checking his company email. 

I would document these findings in my case notes and save the output of the relevant forensic tools to exported files. I would make detailed notes about these artifacts and their meaning. Once my forensic examination was complete. I would then re-verify the integrity of the forensic image by comparing the original image hash and make sure that the hash value of the image was the same and notate that in the case log file. 

I would then start working on typing my final report for Acme Corporation and use my case notes to help me remember all of the steps that were taken and the relevant findings discovered during the examination process. I would attach screenshots of the relevant artifacts of interest and then use data analysis techniques to create graphs and charts showing Bob’s use of the company computer for legitimate work versus what is believed to be personal use. After finishing the examination and the report writing process I would provide Acme Corporation with my final report and a complete copy of the forensic evidence collected. My work products and case notes stay with me and a copy of the forensic evidence is kept for a predetermined amount of time to allow for any civil litigation or review by another forensic expert. 

Although this was a fictional scenario used as an example of one possible use case of the script, it does the job to demonstrate the intended purpose of the script.

In the future I plan to add additional features to the Case_Notes.py script:

1.    A graphical user interface.

2.    A pre-compiled version for Windows.

3.    Ability to export the complete notes log file to a PDF and link the screenshots in the PDF file.

If you have any suggestions for features or changes that you think would be useful please let me know in an email or message.

No comments:

Post a Comment