
Watch video: https://www.youtube.com/watch?v=F2u6H90eMMg

Background

A file stream is a sequence of bytes that contains data about a file, such as keywords or the identity of the user who created the file. Think of a data stream as a file within a file — a hidden file residing within a legitimate one. Each stream has its own disk space allocation, its own actual size (bytes in use) and its own file locks.

Every file in your NTFS file structure has at least one stream, its default stream. The default data stream is the normal, viewable file content — for example, the text in a .txt file or the executable code in a .exe file. This information is stored in the $Data attribute. Because the name of this default attribute is empty (set to “”), the default data stream is also often referred to as the “unnamed data stream”.

Files can also contain one or more alternate data streams (ADSs). An ADS must be named. Note that the default data stream remains unchanged with the addition of alternate data streams.
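As an added illustration of the stream model described above (example code, not part of the assignment materials), the PowerShell snippet below walks a folder, lists every $Data stream each file carries, reports each stream's own length, and flags alternate streams whose first two bytes are the `MZ` header every PE executable starts with. `$Root` and `$Out` are assumed paths; the script only reads the evidence and writes its CSV elsewhere. It assumes Windows PowerShell 5.1 (`-Encoding Byte`); on PowerShell 7 replace that with `-AsByteStream`.

```powershell
# Added example: enumerate NTFS data streams and flag executable content in alternate streams.
param(
    [string]$Root = 'E:\mounted-evidence',          # assumed: read-only mount of the image
    [string]$Out  = "$env:TEMP\ads-report.csv"      # assumed: report goes outside the evidence
)

function Get-AdsReport {
    param([string]$Path)
    $results = @()
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * returns every $DATA attribute. ':$DATA' is the unnamed default stream;
        # any other name is an alternate data stream with its own Length.
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue
        foreach ($s in $streams) {
            if ($s.Stream -eq ':$DATA') { continue }
            # Zone.Identifier is the mark-of-the-web ADS browsers write; a genuine one is tiny.
            $benign = ($s.Stream -eq 'Zone.Identifier' -and $s.Length -lt 512)
            $isPe = $false
            if ($s.Length -ge 2) {
                [byte[]]$magic = @(Get-Content -LiteralPath $file.FullName -Stream $s.Stream `
                                   -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue)
                # 0x4D 0x5A == 'MZ', the DOS header at offset 0 of every PE file
                $isPe = ($magic.Count -eq 2 -and $magic[0] -eq 0x4D -and $magic[1] -eq 0x5A)
            }
            $results += [pscustomobject]@{
                File       = $file.FullName
                Stream     = $s.Stream
                Bytes      = $s.Length
                Executable = $isPe
                Suspicious = (-not $benign) -and ($s.Length -gt 0)
            }
        }
    }
    return $results
}

$report = Get-AdsReport -Path $Root
# Executable streams first, then any other non-empty alternate stream for manual review
$report | Sort-Object Executable, Suspicious -Descending | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -LiteralPath $Out
```

The CSV gives the file path, stream name and byte count that the evidence section of the report can cite; a stream flagged `Executable` should then be hashed and compared against the default stream to document that the visible file content was left untouched.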

File name: Assignment 7.E01

MD5: b2eaae1f1ce8f94306e0aa7e4bd58ced

Instructions:

Finding Attacks from Alternate Data Streams

You Must Use This Approach:

Hiding EXEs in ADS

Running Malicious EXEs from ADS

Checking whether Windows Defender (or other anti-virus software) truly scans ADS

Hiding Malicious EXEs in Stealthy ADS

Show how all of the above methods could be detected

Submissions without supporting evidence will receive a zero.

Each assignment may require a mix of tools to complete. Approval is required if you wish to use tools outside of this list.

Encase Forensics Suite

Magnet Axiom https://www.magnetforensics.com/

Autopsy https://www.autopsy.com/

Volatility https://volatilityfoundation.org/

FTK Forensics Tools https://www.exterro.com/ftk-product-downloads (30-day trial)

KAPE https://www.sans.org/tools/kape/

CyberChef https://gchq.github.io/CyberChef/

CyberChef recipes https://github.com/mattnotmax/cyberchef-recipes

stegdetect/stegbreak, jphide/jpseek

John the Ripper https://www.openwall.com/john/

Eric Zimmerman’s Tools: https://ericzimmerman.github.io/#!index.md

The methodology section lays the foundation for the entire expert report and the conclusions formed by the IT experts. This section of the report is just as important as the results section. A well-written and thorough methodology is critical to the IT expert’s success. This section must explain to the reader, who is often a non-technical layperson, the steps that were followed by the IT expert to acquire, preserve, recover, and analyze the data. The methodology section must show all of the steps that were followed to recover data and reach conclusions, that is, the procedures you followed to conduct your investigation. These procedures should be presented in a logical, orderly fashion. The purpose is to show a list of steps that are reproducible by another forensic expert.

Each assignment approach provided in this class serves as a helpful outline for the methodology section.

For example, the Assignment xx approach located on Blackboard has three parts:

Extract keylogger script from the memory dump

Extract the master key from the packet capture

Reverse the script to get the information

The Assignment 1 methodology section would then have 3 parts:

Part 1: Extract keylogger script from the memory dump

Download the evidence files from …. [Findings and Analyses]

Unzip files to …. on the forensic computer [Findings and Analyses]

Ingest file into [Findings and Analyses]

Verify file integrity [reference Section 6, Acquisition and Verification of Media]

Command used to locate keylogger script [Findings and Analyses]

Command used to locate keylogger script [Findings and Analyses]

Command used to locate keylogger script [Findings and Analyses]

Command used to extract keylogger script from memory dump [Findings and Analyses]

Command used to extract keylogger script from memory dump [Findings and Analyses]

Command used to extract keylogger script from memory dump [Findings and Analyses]

Part 2: Extract the master key from the packet capture

Ingest file into [Findings and Analyses]

…..

Part 3: Reverse the script to get the information

1. …..

The methodology section is a requirement in the assignment response. Leaving out the methodology section will cause a failing grade for the assignment.

The methodology section must explain to the reader, who is often a non-technical layperson, the steps that were followed by the IT expert to acquire, preserve, recover, and analyze the data. The methodology section must show all of the steps that were followed to recover data and reach conclusions (i.e., anyone should be able to follow each step and get the same results in the evidence section without guessing how the evidence was found).

This is where you will identify:

The procedures you followed to conduct your investigation. These procedures should be presented in a logical, orderly fashion. The purpose is to show a list of steps that are reproducible by another forensic expert.

Additional software used in your investigation.

Keep in mind that throughout this section, you must (1) define all technical terms in a way that can be understood by non-technical individuals and (2) describe exactly how each process works. For example, with respect to the term “MD-5 Hash Value,” you must define it and tell the reader its purpose. Frequently, this is accomplished by using an analogy. With respect to the software used by the forensic examiner in the analysis, such as Guidance Software’s EnCase, you must tell the reader exactly what the program does, and then explain, step-by-step, exactly how you used it.