The End: DFIR

It feels like just yesterday that I was hopping on my first video call with the Com|Code team, waiting to see what my research topic was for the summer. Initially, I was under the impression that I would be doing cloud forensics while Ian did Big Data forensics, and that we would come together halfway through the summer or so to combine into one big project. Within a week of us working separately, it was decided that due to the very large nature of the topic that it made more sense for two people to work on one than to wait and overlap later. I took on writing about artifact acquisition, centralization, and analysis within the context of incident response. I researched remote imaging tools and techniques, the known limitations of memory analysis, how to prioritize machines for analysis, and all of the steps that need to be taken by a team to ensure forensic integrity in the midst of a large-scale attack.

Originally, my hands-on project was going to consist of me creating my own mini-enterprise for analysis, where I wanted to use a new and upcoming tool to test its limitations and abilities. Unfortunately, the tool that I had been very excited about experimenting with and thought to be a genuine inclusive solution to the original issue ended up not working out as planned. Installation issues and sporadic communication from their support line lead to me not even being able to deploy the tool for testing past the initial installation. This was an unfortunate dead end for that particular idea, as I had high hopes for this implementation. I went back to working on my original idea of combining a handful of open source tools onto a custom Linux . ISO fulfilled all of the requirements discussed in previous blogs (which you can see here), and although mildly successful in that it did technically work, I have my doubts about its scalability, and it needs to be manually configured for use every time.

Knowing that the tool testing was beginning to fall through, I was given a new side project: Create a general overview of the NSO’s Pegasus, the significant artifacts, and give a small write upon whether or not the general public should be worried about the existence of this spyware (and the first hands-off malware to ever infect iPhones). If I hadn’t mentioned it before, my forensic interests lie within mobile devices and data recovery. I worked in the mobile device repair and data recovery industry for about 3 years and did some contract work for both Samsung and Apple during that time frame. If I could pick a dream job for myself after graduation, it would be only doing mobile device forensics for criminal cases. I am digressing, but the point I was trying to make is that I thoroughly enjoy anything to do with cell phones, and was elated to be assigned this project. Other organizations have put out detailed forensic reports (in the 100s of pages range) with all known attack vectors, vulnerabilities, and artifacts, so my goal wasn’t to rewrite what has already been saying.

I was tasked with creating a scaled-down version of the vulnerabilities (and why they matter) for the internal use of Com|Code, and then to create a presentation breaking down the threat for those who aren’t in the field to understand. Given the extremely technical and specialized skill set and knowledge base needed to understand the weight and significance of this malware, the crafting of a non-technical report was challenging but was also something I genuinely enjoyed doing.

The scale of the initial proposed project meant that there was a lot of reworking of the end deliverable into what was practical given the relatively short timeframe. This in turn did cause there to be a few instances where we had to change directions or had to decide to mark certain topics as being out of scope (at least for us this summer).  Despite these unplanned setbacks, I really enjoyed this experience and my time with the Munich Cyber Security Program. I was pushed out of my comfort zone, forced to think about technology and digital forensics from angles I never considered. The incident response was never something I saw myself doing, but then I had to write a 100+ page document on how to do it, and find myself walking away with an appreciation for the quick-paced sub-category of digital forensics. Although COVID-19 may have canceled all of my plans for the past year and a half, it wasn’t able to take away this challenging and rewarding opportunity to explore my major further, and for that, I am very grateful to Com|Code for hosting the MCSP, The Leahy Center for hosting us when Germany couldn’t, and to the very nature of technology that allowed this to work out remotely. 

Follow us for more updates on this project!  For further questions about Munich Cyber Security Program, or this project please feel free to contact mcsp@comcode.de

Written by Kaya Overholtzer ‘22 //Digital Forensics & Cybersecurity

More Partners
Say what about SAMD
Smartphone On Wheels
Being Proactive in an Insecure World