Let's talk about Digital Forensics Triage Analysis

Spoiler Alert!
We are not talking about Emergency Medical Aid or First Aid 😁
Questions/Answers
- File name sub string matches
- File content/metadata YARA matches
- File type filter
- System generated file/User generated file detection
- Log analysis with pre-defined rules
- Weighted-score file ranking, with multiple filtering algorithms running behind the scenes
While all these methods are legitimate, they all rely on the existence of files and file systems. Sometimes we need to process unknown data streams that may not conform to any known file or file system format.
Bulk Analysis
This is where bulk analysis comes into the picture. One of the tools you can use to perform bulk analysis is bulk_extractor, a battle-tested and modern forensic triage analysis tool. bulk_extractor:
- Performs all the basic regex matches for IPs, URLs, phone numbers, credit card numbers, etc.
- Attempts decompression of known compression formats to extract content.
- Understands JSON.
- Extracts PDF files.
- Analyses PCAP data streams.
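As an added illustration of the bulk approach described above (example code written for this post, not bulk_extractor's own), the scanner below carves IP addresses, e-mail addresses and Luhn-valid card-number candidates out of a raw byte stream with no file system assumptions, and recurses into any gzip member it finds; the sample buffer is constructed here.

```python
import gzip
import re
import zlib

# Patterns run over raw bytes, not text: the stream may not decode in any encoding.
PATTERNS = {
    "ipv4": re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ccn": re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)"),
}
GZIP_MAGIC = b"\x1f\x8b"

def luhn_ok(digits: str) -> bool:
    """Mod-10 check that discards most random digit runs from the ccn hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan(buf: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return (feature, offset, value, depth) for every validated hit in buf."""
    hits = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(buf):
            value = m.group().decode("ascii", "replace")
            if name == "ipv4" and any(int(o) > 255 for o in value.split(".")):
                continue  # 999.1.1.1 is digits and dots, not an address
            if name == "ccn" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue
            hits.append((name, m.start(), value, depth))
    # Carve gzip members wherever the magic bytes appear and scan their
    # contents too, so data hidden behind compression is not missed.
    if depth < max_depth:
        for m in re.finditer(re.escape(GZIP_MAGIC), buf):
            do = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
            try:
                inner = do.decompress(buf[m.start():])
            except zlib.error:  # magic bytes that are not a real gzip header
                continue
            hits.extend(scan(inner, depth + 1, max_depth))
    return hits

SAMPLE = (  # constructed sample stream: junk, plaintext hits, a gzip member, junk
    b"\x00\x01junk\xff\xfe contact alice@example.com from 10.0.0.7 "
    + gzip.compress(b"card 4111 1111 1111 1111 at 999.1.1.1 by bob@example.org", mtime=0)
    + b" tail 4111111111111112"
)

def demo() -> list:
    return scan(SAMPLE)  # depth-1 hits came from inside the gzip member
```

A truncated gzip member yields partial output rather than an error, which is the behaviour you want when carving damaged streams.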
And while this software may feel like peak triage, there is much more room for research for everyone.
Research Opportunities

Research Opportunity (figure)
- Embedded triage analysis tools
- Forensic triage in CI/CD pipelines
- Digital forensic triage as a service
- ML for triage
- File system specific useful content detection:
  - Slack space usage
  - Alternate data stream use
  - MBR/GPT mutation/poisoning
  - Prefetch files to event log correlation
  - Thumbnail preview matching for contraband detection
The sky is the limit. Context-aware forensic triage analysis can do wonders in this field. I'll attach my previous post in the comments section to get you some relevant reading material.