Saturday, July 4, 2009

Vista Timestamps

Timestamps can certainly be tricky because many factors can affect their accuracy. This fact, however, does not automatically mean that file timestamps cannot be relied upon as evidence. It usually means that more work needs to be done by the forensic examiner to:
  • Correlate events from different sources.
  • Identify the factors leading to the timestamps changes.

Correlating events from different sources.

Some time ago I came across an article about a 'selective enhancement' method used to reconstruct a digital photograph from digital video footage. The method takes advantage of the fact that successive frames differ slightly because the object moved or the light source changed; these differences are collected and then used to reconstruct the image. Back to digital forensics: correlating events is the process of identifying alternative sources of evidence. Taken out of context, such evidence may look like an irrelevant or insignificant detail next to weightier findings. Nevertheless, it may become crucial in the reconstruction of events and is too important an area to neglect.

Identify the factors leading to the timestamps changes.

Many factors can affect timestamps, including, but not limited to, scanning or indexing applications, changes to the system clock, clock skew and anti-forensic tools. Unless the application responsible for altering the timestamps has been resident in memory for a long time, it can usually be identified from its execution time: a cluster of Last Access updates that begins shortly after a scheduled scan starts points at the scanner, not at the user.
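To make both points concrete, here is an added example in Python (not code from the original post or from any of the papers it links to). It cross-checks a file's $STANDARD_INFORMATION stamps against its $FILE_NAME creation stamp and correlates them with events from other sources, then merges everything into one ordered timeline. The rules are the usual ones: $SI creation earlier than $FN creation, or every $SI stamp landing on a whole second, suggests the stamps were set deliberately; a Last Access inside an antivirus scan window is explained by the scanner; stamps written after a recorded system clock change need an outside reference before they can be trusted. The file records, the events and the 30-minute scan window are constructed for the demonstration.

```python
"""Cross-check NTFS timestamps against other event sources (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass
class FileTimes:
    path: str
    si_created: datetime    # $STANDARD_INFORMATION: what Explorer shows; settable via SetFileTime
    si_modified: datetime
    si_accessed: datetime
    fn_created: datetime    # $FILE_NAME: written by the kernel on create/rename/move only


@dataclass
class Event:
    when: datetime
    source: str             # "av_scan" or "clock_change" in this example
    detail: str


def check_file(f: FileTimes, events: List[Event],
               scan_window: timedelta = timedelta(minutes=30)) -> List[str]:
    """Return human-readable findings for one file."""
    findings = []
    si_stamps = (f.si_created, f.si_modified, f.si_accessed)

    # 1. $SI creation earlier than $FN creation: $SI was backdated after the file appeared.
    if f.si_created < f.fn_created:
        findings.append("$SI created precedes $FN created (possible timestomp)")

    # 2. Every $SI stamp on a whole second: typical of tools that write FILETIMEs without a
    #    sub-second part. NTFS records 100 ns resolution, so "possible": files copied from a
    #    FAT volume can legitimately carry a whole-second modified stamp, hence all three are checked.
    if all(t.microsecond == 0 for t in si_stamps):
        findings.append("all $SI stamps fall on whole seconds (possible timestomp)")

    for e in events:
        # 3. Last Access inside a scan window: explained by the scanner, not by the user.
        if e.source == "av_scan" and e.when <= f.si_accessed <= e.when + scan_window:
            findings.append(f"Last Access falls within AV scan started {e.when:%Y-%m-%d %H:%M} ({e.detail})")
        # 4. Stamps written after the clock was changed are on the new clock;
        #    confirm them against a source the suspect did not control.
        if e.source == "clock_change" and any(t > e.when for t in si_stamps):
            findings.append(f"stamps postdate system clock change at {e.when:%Y-%m-%d %H:%M} ({e.detail})")
    return findings


def build_timeline(files: List[FileTimes], events: List[Event]) -> List[Tuple[datetime, str]]:
    """Merge file stamps and events from other sources into one ordered list."""
    rows = [(e.when, f"{e.source}: {e.detail}") for e in events]
    for f in files:
        rows += [(f.si_created, f"{f.path} $SI created"),
                 (f.si_modified, f"{f.path} $SI modified"),
                 (f.si_accessed, f"{f.path} $SI accessed"),
                 (f.fn_created, f"{f.path} $FN created")]
    return sorted(rows)


# Constructed sample data (not taken from a real case).
SAMPLE_EVENTS = [
    Event(datetime(2009, 7, 1, 2, 0), "av_scan", "scheduled full scan (AV log)"),
    Event(datetime(2009, 7, 3, 9, 0), "clock_change", "Security event 520; previous time 2009-07-03 11:30"),
]
SAMPLE_FILES = [
    FileTimes(r"C:\Users\bob\Desktop\notes.txt",
              si_created=datetime(2009, 6, 30, 10, 0, 12, 345600),
              si_modified=datetime(2009, 6, 30, 10, 5, 1, 234500),
              si_accessed=datetime(2009, 7, 1, 2, 12, 33, 1200),
              fn_created=datetime(2009, 6, 30, 10, 0, 12, 345600)),
    FileTimes(r"C:\Windows\System32\svch0st.exe",
              si_created=datetime(2008, 4, 14, 12, 0, 0),
              si_modified=datetime(2008, 4, 14, 12, 0, 0),
              si_accessed=datetime(2008, 4, 14, 12, 0, 0),
              fn_created=datetime(2009, 7, 2, 23, 41, 7, 812300)),
    FileTimes(r"C:\Users\bob\Documents\alibi.doc",
              si_created=datetime(2009, 7, 3, 9, 15, 2, 500100),
              si_modified=datetime(2009, 7, 3, 9, 20, 44, 120000),
              si_accessed=datetime(2009, 7, 3, 9, 20, 44, 120000),
              fn_created=datetime(2009, 7, 3, 9, 15, 2, 500100)),
]


def analyse(files=SAMPLE_FILES, events=SAMPLE_EVENTS):
    return {f.path: check_file(f, events) for f in files}


if __name__ == "__main__":
    for when, label in build_timeline(SAMPLE_FILES, SAMPLE_EVENTS):
        print(f"{when:%Y-%m-%d %H:%M:%S.%f}  {label}")
    for path, findings in analyse().items():
        print(path, "->", findings or ["nothing unusual"])
```

Run as a script, it prints the merged timeline and then the findings per file: notes.txt is explained by the scan, the misspelled svch0st.exe trips both timestomp rules, and alibi.doc is flagged only because its stamps postdate the recorded clock change.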


Knowledge and experience play a critical role in verifying the accuracy of timestamps. There are many publications on the Internet that discuss timestamps, and Vista timestamps in particular; you can find a link to them in my old post. Yet several recent 'white papers' on the Internet just can't get Vista timestamps right. A common point of confusion is the registry value that controls Last Access updates, which Vista sets to 1 by default:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
  • Value Name: NtfsDisableLastAccessUpdate
  • Data Type: REG_DWORD (DWORD Value)
  • Value Data: 1 disables Last Access timestamp updates (the Vista default); 0 enables them.
This does not mean that the Last Access time is never updated. A quick experiment with a text file on your desktop (on Vista, of course) shows that the 'Access Time' value does not change when the file is opened or modified, but it does change when the file is copied or moved to another volume, because the new file receives a fresh set of timestamps.



Friday, June 19, 2009

More thoughts on Visualisation

The Brain, an iMindMap (image by charmainezoe via Flickr)
Information visualisation is a rapidly growing research field, and I see more and more people becoming interested in using visualisation techniques in digital forensics. There has been a series of discussions about "Visualisation" on computer forensic forums and digital forensics blogs. Last week I attended the Australian High Tech Crime Centre (AHTCC) conference in Sydney, where I met a couple of researchers who were also interested in doing research in this area.

Visualisation is a process or technique that graphically represents collected data to enable a better understanding of its significance. I have been using visualisation techniques since the late 1990s, after I discovered the Mind Mapping technique originated by Tony Buzan. Since then, I have successfully used visualisation for learning and in various presentations.

There appear to be many attempts to enhance digital forensics techniques by adding visualisation to them. This is a welcome move, considering the problems faced by forensic examiners while processing increasing quantities of digital evidence. These attempts, however, are mostly focused on automating the entire process, which in my view leads only to a dead end. I believe that visualisation techniques, at least in digital forensics, must be separated into two distinct areas, 'analysis' and 'presentation'. They are two different paths to two different goals.

Analysis

The analysis side of visualisation involves digital data processing to produce data suitable for further analysis, pattern discovery, pattern analysis, detection of anomalies etc. In my opinion this is the most challenging area of visualisation. This is the knowledge discovery stage, which employs data reduction and data interpretation techniques and can only be performed by a qualified and experienced forensic examiner. Once such data processing is successfully carried out, a visual representation of digital evidence would enable a forensic examiner to see trends or relationships between various sets of data.

Presentation

The presentation side of visualisation is simply a technique for making the facts visible and easily understood by the target audience. The significant relationships discovered during the analysis stage need to be emphasised with vivid colours, charts, "3D" representations or Mind Maps. This PowerPoint presentation by the Department of Image Processing and Neurocomputing of the University of Pannonia is a good start.

Wednesday, June 10, 2009

Sparsing - New technology set to revolutionise digital forensics.

A sparse file: the empty bytes don't need to b... (image via Wikipedia)
Periodically, forensic examiners have to acquire large amounts of data and often face a dilemma: to compress it or not.

Using compression usually means a performance trade-off.

In circumstances where both time and available storage are limited, X-Ways Forensics can be an invaluable tool. It is capable of creating compressed .e01 evidence files using 'adaptive compression'. Unfortunately, compression has a cost at the examination stage: forensic tools such as EnCase or FTK have to decompress a compressed image on the fly every time they read from it, which is slower than working from a raw image.

Raw (dd) images are commonly used because they work with practically every forensic tool. On the other hand, raw images are not compressed, and one may end up with a very large dd image even if the drive contained very little actual data.

Smart Acquisition Workshop, or simply SAW, is a "Data Acquisition and case management framework" from ASR Data. It uses 'sparsing' to deal with the large drives most commonly found in mid-range to high-end server systems. The vast majority of these drives are only 50% to 80% full, and the rest of the storage contains nothing but zeros. When SAW is used, only non-zero data is collected, and the regions of the drive containing no meaningful data (all zeros) are only referenced. This method offers a significant reduction in the size of forensic images and also avoids the need to decompress the data during the analysis stage. Hashing during acquisition ensures the integrity of the data. SAW forensic images can then be mounted with Smart Mount (available for Win32, Linux and Mac) and analysed with the forensic tool of your choice. SAW can also convert an acquired 'sparsed' image to a raw image while preserving the integrity of the data.

During a recent demonstration, a 2 TB sample forensic image stored on a portable 200 GB USB drive was mounted on a regular Eee PC without a problem.

Sparsing is not an entirely new concept; NTFS, for example, provides full sparse file support: "With the sparse file attribute set, the file system can deallocate data from anywhere in the file and, when an application calls, yield the zero data by range instead of storing and returning the actual data." (Knozall Software, Inc.)

What is really new is that this technology has been successfully applied to digital forensics, with its strict data integrity requirements. SAW provides several other functions, including converting other forensic images to sparse images and creating VMware .vmdk files directly from these images.
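To show the mechanism rather than the product, here is an added Python example (not SAW, and not code from ASR Data) that acquires a raw image as a sparse file: all-zero blocks are skipped with a seek, so the filesystem records a hole instead of storing zeros, while the hash is taken over every byte read and therefore equals the hash of the full raw image read back. The result is still a plain dd image that any tool can open. The 1 MiB sample "drive" and the 4 KiB block size are constructed for the demonstration; the allocated-size figure depends on the filesystem the output lands on.

```python
"""Acquire a raw (dd) image as a sparse file while hashing it (added example)."""
import hashlib
import os
import tempfile

BLOCK = 4096


def sparse_copy(src_path: str, dst_path: str, block: int = BLOCK):
    """Copy src to dst block by block. All-zero blocks are skipped with a seek, so the
    filesystem stores a hole for them; the hash covers every byte read, exactly as a
    full raw image would be hashed. Returns (sha256_hex, bytes_written, bytes_skipped)."""
    digest = hashlib.sha256()
    zero = bytes(block)
    written = skipped = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            chunk = src.read(block)
            if not chunk:
                break
            digest.update(chunk)
            if chunk == zero[:len(chunk)]:
                dst.seek(len(chunk), os.SEEK_CUR)   # reference the zeros, do not store them
                skipped += len(chunk)
            else:
                dst.write(chunk)
                written += len(chunk)
        dst.truncate()   # if the image ends in zeros, the seek alone would not extend the file
    return digest.hexdigest(), written, skipped


def sha256_file(path: str, block: int = BLOCK) -> str:
    """Hash a file the way any tool reading it back would: holes read as zeros."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_sample_image(path: str, size: int = 1 << 20) -> None:
    """Constructed stand-in for a mostly empty drive: 1 MiB of zeros with a boot-sector
    signature and a little data at 64 KiB and 512 KiB."""
    with open(path, "wb") as f:
        f.truncate(size)
        f.seek(510)
        f.write(b"\x55\xaa")
        f.seek(64 * 1024)
        f.write(b"NTFS    " + b"A" * 2000)
        f.seek(512 * 1024)
        f.write(b"last allocated cluster" * 10)


def demo():
    """Acquire the sample image sparsely and verify logical size and hash.
    Returns (hash_matches, logical_size, bytes_written, bytes_allocated_on_disk)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "drive.raw")
        dst = os.path.join(tmp, "drive.sparse.raw")
        make_sample_image(src)
        acq_hash, written, _skipped = sparse_copy(src, dst)
        st = os.stat(dst)
        allocated = getattr(st, "st_blocks", 0) * 512
        return (acq_hash == sha256_file(dst) == sha256_file(src), st.st_size, written, allocated)


if __name__ == "__main__":
    ok, logical, written, allocated = demo()
    print(f"hash verified: {ok}; logical size {logical} bytes, "
          f"non-zero data written {written} bytes, allocated on disk {allocated} bytes")
```

The three non-zero blocks account for 12 KiB of writes against a 1 MiB logical image, and the SHA-256 of the sparse copy read back matches the hash computed during acquisition, which is the integrity property the paragraph above is about.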

Thursday, May 21, 2009

FTK Imager can acquire RAM


FTK Imager 2.6.0 has new functionality: finally, it can capture RAM. There is no portable version as yet, so I can't see much use for it at this stage, unless it can be used with F-Response? I found FTK Imager to be much slower than my favourite X-Ways Forensics tool. Additionally, I was unable to acquire RAM with the new FTK Imager on a Win 2003 Server with 8GB RAM; the acquisition just stopped at 48%. I should mention that the new version of this popular imaging tool got a few bug fixes and 'improvements', listed here.

Speaking of RAM, VMware vSphere 4 supports a few TB of memory on the host server and up to 256GB of memory for a guest. That's a lot of RAM, and perhaps this is the future of any forensic lab. Whilst the Cloud is often viewed as a "cost saving" that comes together with a loss of control over the computing infrastructure and various information security issues, the future may be in private cloud networks. These private clouds can deliver flexible computer networks that accelerate when and where it is needed most.

Saturday, May 2, 2009

Parsing setupapi.log

I mentioned setupapi.log files in one of my posts a few months ago. Since then a couple of good tools have been released that make my life easier when working with setupapi.log files.

One such tool is called SetupAPI Extractor, or SAEX. It is still in beta and is currently free. The tool only works with Win XP setupapi.log files; there is no support for Vista's setupapi.app.log and setupapi.dev.log files yet. The best thing about this tool is its ability to parse the log files and extract only the information you need.

Another tool I often use to work with various log files, including setupapi.log files, is Mandiant Highlighter. It was previously mentioned on Cyberspeak and is free to download. It works with ANY text file and allows users to highlight relevant keywords or remove unrelated lines. In the case of setupapi.log files, setup event IDs like #-199 or #140, or placeholders such as Device_Description, Manufacturer_Name or Hardware_ID, can be either displayed or removed, making the information contained in setupapi logs more manageable.
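For those who would rather script the extraction, here is an added Python example (not SAEX, and not code from the original post) that parses the XP-format setupapi.log: it splits the file into device-install sections, pulls the hardware and compatible IDs, the INF that matched, the device description, manufacturer, device instance ID and result, then filters for USB storage, which is the usual question in a case. The log excerpt is constructed to the XP format; note that the section headers carry the machine's local time, not UTC, so they need the same clock checks as any other timestamp.

```python
"""Parse Windows XP setupapi.log device-install sections (added example)."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Section header: [YYYY/MM/DD HH:MM:SS PID.TID Title]. The time is the machine's local time.
_HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\d+\.\d+) (.+)\]$")
_FOUND = re.compile(r'#I022 Found "([^"]+)" in ([^;]+); Device: "([^"]*)";.*?Mfg: "([^"]*)"')
_INSTALL = re.compile(r'#I(?:121|123|124) .*?install of "([^"]+)"(?: (finished successfully))?')


@dataclass
class DeviceInstall:
    started: datetime
    title: str
    hardware_ids: List[str] = field(default_factory=list)
    compatible_ids: List[str] = field(default_factory=list)
    inf_path: Optional[str] = None
    device: Optional[str] = None
    manufacturer: Optional[str] = None
    instance_id: Optional[str] = None
    result: Optional[str] = None


def _ids(line: str) -> List[str]:
    """Comma-separated IDs after the first colon; empty entries dropped."""
    return [x.strip() for x in line.split(":", 1)[1].split(",") if x.strip()]


def parse_setupapi(text: str) -> List[DeviceInstall]:
    installs: List[DeviceInstall] = []
    current: Optional[DeviceInstall] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _HEADER.match(line)
        if m:
            current = DeviceInstall(datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(3))
            installs.append(current)
            continue
        if current is None:
            continue
        if line.startswith("#-019 Searching for hardware ID(s):"):
            current.hardware_ids = _ids(line)
        elif line.startswith("#-018 Searching for compatible ID(s):"):
            current.compatible_ids = _ids(line)
        elif (m := _FOUND.search(line)):
            current.inf_path, current.device, current.manufacturer = m.group(2), m.group(3), m.group(4)
        elif (m := _INSTALL.search(line)):
            current.instance_id = m.group(1)          # #I121/#I123/#I124 all name the instance
            if m.group(2):
                current.result = m.group(2)           # only #I121 reports the outcome
    return installs


def usb_storage_installs(installs: List[DeviceInstall]) -> List[DeviceInstall]:
    """Keep only USB mass-storage installs (hardware IDs under USBSTOR\\)."""
    return [i for i in installs if any(h.lower().startswith("usbstor\\") for h in i.hardware_ids)]


# Constructed sample modelled on the XP format; not a log from a real machine.
SAMPLE_LOG = r"""
[2009/05/02 10:15:32 1388.12 Driver Install]
#-019 Searching for hardware ID(s): usbstor\disk&ven_kingston&prod_datatraveler_2.0&rev_pmap,usbstor\disk&ven_kingston&prod_datatraveler_2.0,usbstor\gendisk,gendisk
#-018 Searching for compatible ID(s): usbstor\disk,usbstor\raw
#-198 Command line processed: C:\WINDOWS\system32\services.exe
#I022 Found "GenDisk" in C:\WINDOWS\inf\disk.inf; Device: "Disk drive"; Driver: "Disk drive"; Provider: "Microsoft"; Mfg: "(Standard disk drives)"; Section name: "disk_install".
#I023 Actual install section: [disk_install]. Rank: 0x00000006. Effective driver date: 07/01/2001.
#-166 Device install function: DIF_INSTALLDEVICE.
#I123 Doing full install of "USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\001CC0EC32B4BB90B6100030&0".
#I121 Device install of "USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\001CC0EC32B4BB90B6100030&0" finished successfully.
[2009/05/02 10:15:40 1388.12 Driver Install]
#-019 Searching for hardware ID(s): storage\removablemedia
#-018 Searching for compatible ID(s): 
#I022 Found "STORAGE\RemovableMedia" in C:\WINDOWS\inf\volume.inf; Device: "Generic volume"; Driver: "Generic volume"; Provider: "Microsoft"; Mfg: "Microsoft"; Section name: "volume_install".
#I121 Device install of "STORAGE\REMOVABLEMEDIA\7&2E8B4F2D&0&RM" finished successfully.
"""

if __name__ == "__main__":
    for inst in usb_storage_installs(parse_setupapi(SAMPLE_LOG)):
        print(inst.started, inst.device, inst.manufacturer, inst.instance_id, inst.result)
```

The USBSTOR instance ID is where the device serial lives (the part after the last backslash, unless Windows generated it, in which case the second character is '&'), so it is the field to carry over to the registry USBSTOR keys and the MountedDevices values.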

Thursday, April 30, 2009

Ubuntu 9.04 guest in vmware - sluggish mouse.

I just installed Ubuntu 9.04 at work and am enjoying my ‘dual screen via KVM switch’ panoramic view :-), which was not possible before due to driver limitations.

I also tried to install Ubuntu 9.04 in VMware, and it made the mouse rather sluggish. Installing vmware-tools didn't help. Next, in SYSTEM > PREFERENCES > STARTUP APPLICATIONS, on the Startup Programs tab, I added an entry named vmware-tools with the command /usr/bin/vmware-user &. This did not fix the problem either.

The best option was to install the xserver-xorg-input-vmmouse driver by running the following command:
sudo apt-get install xserver-xorg-input-vmmouse
This completely solved the problem and everything now works as expected. I also found that some people were able to fix this by adding the following to their xorg.conf:

Section "InputDevice"
Identifier "VMware Mouse"
Driver "vmmouse"
Option "CorePointer"
Option "AlwaysCore"
EndSection

Saturday, April 25, 2009

A couple of articles on DIGital FORensics.

All my free time is now consumed by a 'little' python development project. I will try to keep this blog up-to-date with anything really worth mentioning. Whilst I am busy coding and refreshing my pretty rusty math skills, I still spend about three hours a week reading about digital forensics and information security (mostly on a bus or train). Last week I came across a couple of documents by Dr. Frederick B. Cohen, Ph.D. called "Fundamentals of Digital Forensic Evidence" and "A structure for addressing digital forensics". These documents are about application of digital forensics within a legal context and I personally find them quite educational.

Saturday, April 18, 2009

Windows Event Logs


The procedure for working with Windows XP and Windows Server 2003 (.evt) event logs has been well documented. Here are a couple of links on fixing .evt logs, manually or with a free tool, to make them readable in the Windows Event Viewer. Harlan also wrote Perl scripts that parse .evt logs without using the Windows API, so no header modification is needed.

Ensuring that forensic evidence in criminal cases is accurate and verifiable is only one side of forensic analysis. Making the evidence (forensic reports) presentable and easy to work with for all parties, including defence, judges and prosecution, is also essential. Making event logs readable and nicely formatted can sometimes be painful, though. I found that the best tool for generating an Excel spreadsheet is the EnCase built-in EnScript (Case Processor), and X-Ways Forensics provides perhaps the quickest way to produce nice HTML reports. It also automatically includes some useful information, such as this:

Warning: wrong fileheader data regarding size of file
Dirty flag: 1, Wrapped flag: 0, Full flag: 0, Primary flag: 1

To get the report in X-Ways Forensics, the .evt file needs to be opened first; after that go to Tools -> View or just press SHIFT+F9. You can also generate an Excel spreadsheet by opening the HTML report in Internet Explorer and going to File -> Edit with Microsoft Office Excel.
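The "Dirty flag: 1" above is exactly what makes Event Viewer refuse a log pulled from a live system, and the manual fix is mechanical enough to script. As an added example (not Harlan's scripts and not the tool linked above), the Python below does it: the Event Log service keeps the 40-byte EOF record current after every write but rewrites the 48-byte file header only on a clean close, so a live-acquired log carries a stale header with the dirty flag set. Copying BeginRecord, EndRecord and the two record numbers from the EOF record into the header and clearing the dirty flag is the whole repair. The sample log is constructed in memory; the record walker assumes the log has not wrapped around its ring.

```python
"""Inspect and repair the header of a Windows XP/2003 .evt event log (added example)."""
import struct
from datetime import datetime, timezone
from typing import Dict, List, Tuple

LFLE = 0x654C664C            # the "LfLe" signature as a little-endian DWORD
HEADER_SIZE = 0x30           # ELF_LOGFILE_HEADER
EOF_MAGIC = struct.pack("<4I", 0x11111111, 0x22222222, 0x33333333, 0x44444444)
FLAG_DIRTY, FLAG_WRAP, FLAG_FULL, FLAG_ARCHIVE = 0x1, 0x2, 0x4, 0x8


def parse_header(buf: bytes) -> Dict[str, object]:
    """Decode the 48-byte header, which the Event Log service rewrites only on a clean close."""
    fields = struct.unpack_from("<12I", buf, 0)
    if fields[0] != HEADER_SIZE or fields[1] != LFLE:
        raise ValueError("not an .evt header")
    flags = fields[9]
    return {"start_offset": fields[4], "end_offset": fields[5],
            "current_record": fields[6], "oldest_record": fields[7], "max_size": fields[8],
            "dirty": bool(flags & FLAG_DIRTY), "wrapped": bool(flags & FLAG_WRAP),
            "full": bool(flags & FLAG_FULL), "archive": bool(flags & FLAG_ARCHIVE)}


def repair_header(buf: bytes) -> bytes:
    """Copy BeginRecord, EndRecord and both record numbers from the EOF record (kept current
    after every write) over the stale header fields, then clear the dirty flag."""
    idx = buf.find(EOF_MAGIC, HEADER_SIZE)
    if idx < 0:
        raise ValueError("no EOF record found")
    bookkeeping = struct.unpack_from("<4I", buf, idx + len(EOF_MAGIC))
    out = bytearray(buf)
    struct.pack_into("<4I", out, 16, *bookkeeping)            # StartOffset .. OldestRecordNumber
    flags = struct.unpack_from("<I", out, 36)[0]
    struct.pack_into("<I", out, 36, flags & ~FLAG_DIRTY & 0xFFFFFFFF)
    return bytes(out)


def walk_records(buf: bytes) -> List[Tuple[int, datetime, int]]:
    """Return (record number, time generated, event ID) for each EVENTLOGRECORD between the
    header and the EOF record. Assumes the log has not wrapped around its ring buffer."""
    records, offset = [], HEADER_SIZE
    while offset + 8 <= len(buf):
        length, signature = struct.unpack_from("<II", buf, offset)
        if signature != LFLE or length < 56:      # EOF record (0x11111111) or garbage: stop
            break
        number, generated, _written, event_id = struct.unpack_from("<4I", buf, offset + 8)
        records.append((number, datetime.fromtimestamp(generated, tz=timezone.utc), event_id & 0xFFFF))
        offset += length
    return records


def make_record(number, when, event_id, source, computer, strings, event_type=8) -> bytes:
    """Build one EVENTLOGRECORD: 56-byte fixed part, UTF-16LE names and strings, 8-byte
    padding, and the length repeated at the end."""
    names = (source + "\0").encode("utf-16-le") + (computer + "\0").encode("utf-16-le")
    strs = b"".join((s + "\0").encode("utf-16-le") for s in strings)
    string_offset = 56 + len(names)
    data_offset = string_offset + len(strs)
    length = 56 + len(names) + len(strs) + 4
    length += (-length) % 8
    fixed = struct.pack("<6I4H6I", length, LFLE, number, when, when, event_id,
                        event_type, len(strings), 0, 0,
                        0, string_offset, 0, string_offset, 0, data_offset)
    body = fixed + names + strs
    return body + b"\0" * (length - len(body) - 4) + struct.pack("<I", length)


def build_sample_evt() -> bytes:
    """Constructed Security log as found on a live system: two records and an up-to-date EOF
    record, but a header still describing the empty log it started as, with the dirty flag set."""
    t0 = int(datetime(2009, 7, 4, 8, 0, tzinfo=timezone.utc).timestamp())
    records = (make_record(1, t0, 528, "Security", "LAB-PC", ["bob", "LAB-PC", "(0x0,0x3E7)", "2"])
               + make_record(2, t0 + 60, 520, "Security", "LAB-PC", ["2009-07-04 08:01", "2009-07-04 10:31"]))
    eof_offset = HEADER_SIZE + len(records)
    eof = struct.pack("<10I", 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                      HEADER_SIZE, eof_offset, 3, 1, 0x28)
    header = struct.pack("<12I", HEADER_SIZE, LFLE, 1, 1,
                         HEADER_SIZE, HEADER_SIZE,   # StartOffset, EndOffset: stale (empty log)
                         1, 1,                       # CurrentRecordNumber, OldestRecordNumber: stale
                         0x80000, FLAG_DIRTY, 0, HEADER_SIZE)
    return header + records + eof


if __name__ == "__main__":
    log = build_sample_evt()
    print("before:", parse_header(log))
    fixed = repair_header(log)
    print("after: ", parse_header(fixed))
    for number, when, event_id in walk_records(fixed):
        print(number, when.isoformat(), event_id)
```

Work on a copy and hash the original first: the repair changes 20 bytes of the header and nothing else, which is what the report should say. A wrapped log (wrap flag set) also needs the oldest record located at StartOffset rather than at 0x30, which this walker does not do.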



Also, when working with FTK and using its Forensic HTML Report feature, it is possible to bookmark and export XML files (MSN History etc.) that won't open in the browser, producing an error similar to "Cannot view XML input using XSL style sheet". That is usually sorted quite easily by adding the XSL style sheet file (.xsl) from the same folder where the original XML file was located.



Sunday, April 19, 2009

Lance Mueller posted a great article and his EnScript re: Windows Event Logs. Comments to his post are also worth reading.

Another interesting post re: Vista Event Logs by Rob Faber can be found here.

Saturday, April 4, 2009

The Sleuth Kit and Autopsy on Ubuntu

A quick installation guide for the latest TSK and Autopsy on Ubuntu 8.04.
The default versions of TSK and Autopsy in the Ubuntu repositories are sleuthkit-2.09-2 and autopsy-2.08-2. The latest versions are sleuthkit-3.0.1 and autopsy-2.21.

Step 1
Download afflib.tar.gz and unpack it with tar -xvf afflib.tar.gz
There are three dependencies to resolve before afflib can be installed.

Type sudo apt-get install build-essential zlib1g-dev libssl-dev

Then navigate to afflib folder and type the usual:
./configure, make, sudo make install

Step 2
Download libewf, unpack and install all three .deb packages

Step 3
Install uuid-dev by typing sudo apt-get install uuid-dev
Then download sleuthkit-3.0.1.tar.gz
Unpack, and run ./configure, make, sudo make install

Step 4
Download autopsy-2.21.tar.gz
Create your evidence directory, autopsy will ask for it later.
Extract autopsy and run ./configure, make, sudo make install

When asked, type the full path to your evidence directory and you are done.

To start autopsy, just type sudo ./autopsy and follow the instructions.

Tuesday, March 31, 2009

My blog statistics

Some time ago I played with Google Analytics, and here are the resulting statistics for my blog's visitors, which I find quite educational.

The first one is not particularly surprising and shows which web browsers were used by geeks to view my blog.

1. Firefox 57.17%
2. Internet Explorer 28.05%
3. Opera 6.37%
4. Safari 3.74%
5. Chrome 2.58%
6. Konqueror 0.83%
7. Mozilla 0.63%
8. SeaMonkey 0.24%
9. Camino 0.05%
10. Mozilla Compatible Agent 0.05%


The second table lists the top 70 countries of my blog's readers.

1.United States
2.United Kingdom
3.Australia
4.Italy
5.Canada
6.Netherlands
7.Germany
8.South Korea
9.France
10.Brazil
11.Spain
12.Russia
13.India
14.Belgium
15.Norway
16.China
17.Austria
18.Malaysia
19.Taiwan
20.Singapore
21.Japan
22.Poland
23.Sweden
24.Czech Republic
25.New Zealand
26.Thailand
27.Mexico
28.Portugal
29.Egypt
30.Indonesia
31.Denmark
32.Turkey
33.South Africa
34.Brunei
35.United Arab Emirates
36.Greece
37.Ireland
38.Switzerland
39.Hungary
40.Hong Kong
41.Romania
42.Israel
43.Finland
44.Saudi Arabia
45.Pakistan
46.Lithuania
47.Colombia
48.Vietnam
49.Dominican Republic
50.Serbia
51.Macau SAR China
52.Croatia
53.Ukraine
54.Morocco
55.Argentina
56.Slovakia
57.Slovenia
58.Bahamas
59.Philippines
60.Bulgaria
61.Trinidad and Tobago
62.Panama
63.Venezuela
64.Chile
65.Bosnia and Herzegovina
66.Honduras
67.Cambodia
68.Iceland
69.Ecuador
70.Nigeria

Friday, March 27, 2009

WinRAR

WinRAR is often used to protect information by compressing and encrypting files. Since January 2002, WinRAR has offered the Advanced Encryption Standard (AES, 128-bit), and it takes a considerable amount of time to decrypt/crack files created with WinRAR version 3 and later. The usual techniques are dictionary or brute force attacks with tools like AccessData PRTK/DNA or Elcomsoft ARPR (Advanced RAR Password Recovery) or AAPR (Advanced Archive Password Recovery). Even with the Tableau hardware accelerator it is going to take considerable time to get in. Using word lists exported from FTK may significantly reduce the time of a dictionary attack. The word list can be used by the Elcomsoft password crackers, and with PRTK/DNA it is possible to generate a custom dictionary from it.

I found Elcomsoft ARPR to be much faster at brute force (approximately 110 pwd/sec compared to PRTK's 45 pwd/sec) and only around 21 pwd/sec for a dictionary attack (one dual-core PC). There is no Elcomsoft DNA (Distributed Network Attack) software available for archive cracking. From my experience, for a brute force algorithm to find a 4-printable-character password at 110 pwd/sec would take about a week, and more than a year for 5-printable-character passwords. PRTK is much slower than Elcomsoft at brute forcing, and DNA should be used instead. I found that a DNA dictionary attack with around 10 workers (computers) produced a speed of around 500 pwd/sec, which is about three times slower than using the Tableau TACC1441 hardware accelerator.

When performing a live analysis, the memory (RAM) dump may produce some valuable information, so it is worth getting the RAM dump even just to get WinRAR passwords stored in memory. I've had some success in getting the passwords from both the RAM dump and hiberfil.sys files by obtaining a word list and using it in the dictionary attack.

There are various tools available to decompress hiberfil.sys, and plenty of resources discussing the procedure. X-Ways Forensics offers the easiest way to decompress hiberfil.sys, and it handles fragments well: it looks for \x81\x81xpress chunk headers and starts decompression from that point. X-Ways Forensics will have the Edit -> Convert option greyed out unless the file is opened in editable mode, so I usually copy hiberfil.sys somewhere on my desktop and use the WinHex that comes with X-Ways Forensics to decompress it.


If the 'Encrypt Filenames' option is not used, the filenames in an encrypted WinRAR archive can be viewed in clear text. WinRAR also computes and stores CRC-32 values of the archived files; when the files are extracted, WinRAR computes the CRC of the extracted content and compares it with the CRC stored in the archive.

Where dictionary and brute force attacks have failed, the stored CRCs can be used to search the hard drive for uncompressed, unencrypted files with the same CRC-32 value as the encrypted files inside the WinRAR archive. X-Ways Forensics is quite suitable for this task: all that is required is to refine the volume snapshot and change the Compute hash option to CRC-32.

CRC-32 produces a 32-bit checksum. It is important to note that the CRC algorithm is designed to detect accidental errors in data transmission, such as flipped bits; it is not designed to be collision resistant. A match is therefore a lead to be confirmed by other means, not proof that two files are identical. In theory an adversary can deliberately generate two files with the same CRC-32 checksum without difficulty, but in practice there are far more effective anti-forensic methods.
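Both halves of that argument fit in a short Python example, added here and not X-Ways functionality or code from the original post. The first function does the matching step over constructed data: the per-file CRC-32 values as they would be read from the RAR file headers, and the contents of files found on the volume. The second makes the caveat concrete: because CRC-32 is affine over GF(2) in the message bits, four chosen trailing bytes give any file any CRC-32 you like, so a decoy can be made to match an archive entry on purpose. In a real run the CRCs come from the archive headers and the candidates from the volume snapshot.

```python
"""CRC-32 matching of plaintext candidates against archived-file CRCs, and why a match
is only a lead (added example)."""
import zlib
from typing import Dict, List


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def match_by_crc(archive_entries: Dict[str, int], candidates: Dict[str, bytes]) -> Dict[str, List[str]]:
    """For every (name, stored CRC-32) pair taken from an archive whose file data is encrypted
    but whose headers are not, list the candidate files on the volume with the same CRC-32."""
    by_crc: Dict[int, List[str]] = {}
    for path, data in candidates.items():
        by_crc.setdefault(crc32(data), []).append(path)
    return {name: sorted(by_crc.get(stored, [])) for name, stored in archive_entries.items()}


def forge_crc32_suffix(data: bytes, target: int) -> bytes:
    """Return 4 bytes s such that crc32(data + s) == target.
    For a fixed prefix, crc32(data + s) = base XOR L(s) with L linear over GF(2) in the 32 bits
    of s, so the 32 single-bit effects form a 32x32 system that Gaussian elimination solves."""
    base = crc32(data + b"\0\0\0\0")
    cols = [crc32(data + (1 << i).to_bytes(4, "little")) ^ base for i in range(32)]
    basis: Dict[int, tuple] = {}           # pivot bit -> (vector, combination of columns)
    for i, vec in enumerate(cols):
        combo = 1 << i
        for bit in range(31, -1, -1):      # reduce by existing pivots, high bit first
            if (vec >> bit) & 1 and bit in basis:
                bvec, bcombo = basis[bit]
                vec ^= bvec
                combo ^= bcombo
        if vec:
            basis[vec.bit_length() - 1] = (vec, combo)
    want, combo = base ^ target, 0
    for bit in range(31, -1, -1):
        if (want >> bit) & 1:
            if bit not in basis:           # cannot happen: the 32 columns are independent
                raise ValueError("no solution")
            bvec, bcombo = basis[bit]
            want ^= bvec
            combo ^= bcombo
    return combo.to_bytes(4, "little")


# Constructed sample: stored CRCs as read from the RAR headers, and files on the volume.
SECRET_REPORT = b"Q2 figures: revenue down 14%, board not yet informed.\n" * 20
HOLIDAY_PHOTO = bytes(range(256)) * 8
ARCHIVE_ENTRIES = {"report.txt": crc32(SECRET_REPORT), "IMG_0412.jpg": crc32(HOLIDAY_PHOTO)}
VOLUME_FILES = {
    r"C:\Users\bob\Documents\q2.txt": SECRET_REPORT,
    r"C:\Users\bob\Documents\q2-draft.txt": SECRET_REPORT[:-10] + b"draft\n",
    r"C:\Users\bob\Pictures\IMG_0412.jpg": HOLIDAY_PHOTO,
}


def demo():
    """Returns (matches per archive entry, whether a decoy was given the report's CRC)."""
    hits = match_by_crc(ARCHIVE_ENTRIES, VOLUME_FILES)
    decoy = b"nothing to see here\n"
    decoy += forge_crc32_suffix(decoy, ARCHIVE_ENTRIES["report.txt"])
    return hits, crc32(decoy) == ARCHIVE_ENTRIES["report.txt"]


if __name__ == "__main__":
    hits, forged = demo()
    for name, paths in hits.items():
        print(name, "->", paths or "no match")
    print("decoy with the report's CRC-32 built:", forged)
```

The archive also stores each file's uncompressed size, so filtering candidates on size before hashing is cheap and removes most chance hits; the forged decoy above shows why a size-and-CRC match still needs the content confirmed once the archive is opened.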

Friday, March 13, 2009

Useful little tools.

Mail Viewer for Outlook Express versions 4+ (.idx, .mbx and .dbx), Windows Vista Mail and Windows Live Mail databases, including .eml files. It is very similar to OE Reader, and the web site states that it is actually based on MITeC Outlook Express Reader. No installation is required; it is a single 520 KB executable. The viewer handles attachments quite well (text and HTML view) and, most importantly, it is absolutely free. It works on Windows 95 through Vista.

This web site has several interesting little applications that may be useful in digital forensics: http://www.mitec.cz/

ImDisk Virtual Disk Driver is only 266 KB in size (compressed), 'works on both 32-bit and 64-bit versions of Windows' and allows mounting dd images in read/write or read-only mode (for evidence, mount read-only). dd images can be mounted with a right click from Windows Explorer by selecting Mount new virtual disk (Picture 1). It only works with non-split dd images and doesn't accept EnCase images. This small utility, with its seamless integration into Windows Explorer, also allows you to right-click a selected drive and acquire a dd image (Picture 2). I compared this image with a dd image of the same drive acquired with FTK Imager and the MD5 hashes matched. ImDisk was actually about 8% faster at acquiring the image than the latest version of FTK Imager, but it doesn't create a log file and it is unclear how ImDisk handles bad sectors and errors. I haven't played with the command line switches yet, so the functionality may already be there.

Monday, February 16, 2009

Hard Drives with Zero Insertion Force (ZIF) Connectors

The Mtron SSD (image via Wikipedia)
If you are a first responder, you may want to get yourself a couple of ZIF to IDE adapters, if you don't have them yet. The new tiny laptops have become very popular, and lots of them use hard drives or solid state drives with ZIF connectors. When there is limited time to pull out the drive, or a suitable adapter is not available, I often use the Helix3 Live CD.

This option works well when the computer I preview has a CD/DVD Drive. The problem is that not all of these new and portable laptops have one. Fujitsu Siemens AMILO MINI is a perfect example of the portable laptop that uses ZIF HDD and has no CD/DVD Drive built-in.

Then the options are:

1. Have a USB flash drive with a bootable Helix3 or any other forensic Live CD. It is relatively easy to create such a device with UNetbootin or by hand (just google "Helix Linux on a USB thumb drive").

2. Have a portable external USB CD/DVD Drive with you all the time and use it to boot the suspect’s machine from the Live CD of your choice.

3. Get yourself a ZIF to IDE adapter or buy the 'Hard Drive ZIF Adapter' from the Digital Intelligence guys. It also comes with different cables for Toshiba and Hitachi drives.


Sunday, February 8, 2009

NTFS-3G driver in Ubuntu 8.04.2 LTS

The NTFS-3G driver used by Ubuntu may cause an input/output error while transferring large (4.3 GB+) files. NTFS-3G version 1.2216 is the default NTFS driver in Ubuntu 8.04.2 and later. The latest STABLE version is 2009.1.1 (January 22, 2009). Synaptic Package Manager or apt-get remove can be used to uninstall the default version.

There are no deb packages for the latest version yet, so ./configure -> make -> make install must be used to install the latest driver. Instructions and download link are here. No problems were detected after installing the latest NTFS-3G driver.

Interestingly, some drives work just fine with the default driver and some fail and end up with a corrupt NTFS partition. A Maxtor OneTouch II (300GB) worked just fine, and a Maxtor OneTouch III (500GB) got corrupted when I tried to write a few large files to it. Windows chkdsk with the /f switch should fix the problem and make the drive accessible again.

The latest Helix3 Live CD is based on Ubuntu and also uses NTFS-3G version 1.2216. When it is used to acquire an image or large files, it is probably a good idea to have some spare external storage for saving the data.

Thursday, January 29, 2009

Helix3 Pro

As expected, e-fense is moving to a commercial business model with Helix3 Pro (to be released in April), and no free support or user forum will be available to Helix users from 2 February 2009. To get access to Helix support and the forum, e-fense is introducing a membership for $19.95 a month or $239 a year. It is not very clear at this stage whether Helix3 Pro will be available for free download to non-members.

30 January 2009
I have a clarification in relation to Helix3 Pro availability. The product will not be free ........... So Long free Helix!


Youtube videos:

e-fense Inc. announces new management team

Helix3 vs Helix3 Pro

2 May 2009

E-fense decided to keep a free version of Helix3 alive.

It can be downloaded here.

Wednesday, January 21, 2009

Learning the Open Systems Interconnection Reference Model

Here is a link for an excellent OSI model tutorial that I recently came across. It is good for refreshing your memory and includes mnemonics and even review questions.

Saturday, January 17, 2009

Internet Explorer 8 in ‘anti forensic mode’

Microsoft has introduced some new features in Internet Explorer 8, which is currently in beta. The 'InPrivate' browsing mode, which the media have called "porn mode", is one feature I found worth looking at.

Similar functionality can be found in Firefox via plug-ins and is built into Safari as 'Private browsing', but given the significant market share of Internet Explorer this new feature may have a serious impact on the successful identification of a suspect's web browsing activities.

Here is some information found on IEBlog.

While InPrivate Browsing is active, the following takes place:
  • New cookies are not stored
  • All new cookies become "session" cookies
  • Existing cookies can still be read
  • The new DOM storage feature behaves the same way
  • New history entries will not be recorded
  • New temporary Internet files will be deleted after the Private Browsing window is closed
  • Form data is not stored
  • Passwords are not stored
  • Addresses typed into the address bar are not stored
  • Queries entered into the search box are not stored
  • Visited links will not be stored

It is very easy to switch to InPrivate mode by simply pressing Ctrl+Shift+P. All tabs and new windows opened after that will also be in InPrivate mode.

Corporations may find 'InPrivate' useful as an additional step to limit their liability in harassment and similar litigation. Some, however, may decide to turn the feature off, which is also easily done via Group Policy. Here is one way of doing it via GPEdit.msc


A quick search for artefacts left by 'InPrivate' browsing confirmed that there was no browsing history saved.

Whilst in 'InPrivate' mode I went to google.com web site and changed search preferences to "Do not filter my search results". Later I was able to recover this: http://images.google.com.au/setprefs?sig=0_Ai3r3BRa_NyzSVLmEfe1fo_5H6M%3D&hl=en&lang=all&safe=off&num=10&q=&prev=http%3A%2F%2Fimages.google.com.au%2Fimghp%3Fhl%3Den%26tab%3Dwi&submit2=Save+Preferences+

I then searched for "military tanks" pictures and clicked on several links. After viewing some images, I closed IE 8 and went searching for any traces of the above-mentioned activities. To accomplish this task I used X-Ways Forensics and Netanalysis tools. I was unable to locate my typed search term "military tanks" and no browsing history was found.

Searching inside
c:\Users\%USER%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RandomFolderName
produced good results and I was able to recover most of the deleted images.

Digging further confirmed that upon exiting 'InPrivate' mode, IE 8 deleted the Temporary Internet Files and files inside the %Windows%\Temp directory. IE 8 Beta 2 was tested on Windows XP and Windows 7 Beta test machines. In general, 'InPrivate' mode works as stated by Microsoft, with only a few traces left behind, which means extra work for forensic examiners.

Sunday, January 11, 2009

Antivirus and Last Access timestamps

Last October I blogged about Time and Time Stamps. I have received a question about antivirus products and their ability to preserve the Last Access timestamp of the files they scan.

I decided to post a quick answer here.

Corporate and retail antivirus solutions are usually designed a bit differently. Many corporate information systems rely on file replication services, migration of files based on last access date, and backups. A non-compliant antivirus solution may result in excessive replication, long or failed backups of unchanged files, and failed security audits that depend on Last Access timestamps.

A good example of a corporate antivirus solution that deals with such issues is Norton Antivirus (NAV) Corporate Edition. To my knowledge, since NAV version 7.61 Symantec has included a "Preserve file times" option. This option restores the Last Access timestamp of files scanned by the NAV "Auto-Protect" module. See the attached image of NAV Corp v10 for details.


"During a scan, NAV will save various attributes of the file (file attributes, the security descriptor GetFileSecurity, last access timestamp, and so forth) before the scan so that the file can be restored to its original condition.... " Microsoft Article ID: 284947

On the Time Forensics site you can find a reasonable-quality research paper by K. Chow, F. Law, M. Kwan and P. Lai called "The Rules of Time on NTFS" that describes the relationship between file searching tools, antivirus products and the Last Access timestamp. Just keep in mind that there are also corporate antivirus solutions and other tools which may use different methods to open files.
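What a "preserve file times" option actually has to do is small enough to show. The Python below is an added example (not Symantec's code, and not from the original post): it records atime and mtime before reading a file and writes them back afterwards, which is what the quoted Microsoft article describes NAV doing through SetFileTime. It also illustrates the caveat an examiner should keep in mind: the restore is itself a metadata write, so the change time (ctime on Linux, the $STANDARD_INFORMATION entry-modified stamp on NTFS) still moves, so a scanner that preserves Last Access is not invisible, it just leaves a different trace. The sample file and its 2009 timestamps are constructed; whether the naive scan moves atime at all depends on the volume's access-time setting (the Vista default above, or relatime on Linux).

```python
"""Scan files without moving Last Access, as a 'preserve file times' option does (added example)."""
import hashlib
import os
import tempfile
from typing import Tuple


def _md5(path: str) -> str:
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_naive(path: str) -> str:
    """Just open and read: on a volume that tracks access times this moves Last Access to now."""
    return _md5(path)


def scan_preserving_times(path: str) -> str:
    """Capture atime/mtime before opening and write them back afterwards (NAV's "Preserve file
    times" does the same through SetFileTime). The restore is a metadata write of its own, so
    ctime ($SI entry-modified on NTFS) still changes; only Last Access is put back."""
    before = os.stat(path)
    try:
        return _md5(path)
    finally:
        os.utime(path, ns=(before.st_atime_ns, before.st_mtime_ns))


def demo() -> Tuple[bool, bool, str]:
    """Returns (atime preserved, mtime preserved, digest) for a constructed file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.doc")
        with open(path, "wb") as f:
            f.write(b"constructed document body\n" * 4000)
        stamp = 1_230_768_000 * 10**9            # 2009-01-01 00:00:00 UTC in nanoseconds
        os.utime(path, ns=(stamp, stamp))
        digest = scan_preserving_times(path)
        after = os.stat(path)
        return after.st_atime_ns == stamp, after.st_mtime_ns == stamp, digest


if __name__ == "__main__":
    atime_kept, mtime_kept, digest = demo()
    print(f"md5 {digest}; Last Access preserved: {atime_kept}; Modified preserved: {mtime_kept}")
```

When writing your own hashing or keyword tools, the same two lines around the read are what keep your processing from being mistaken for user activity in someone else's timeline.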

Friday, December 12, 2008

PTK 1.0.2 on Ubuntu

PTK 1.0.2 is the latest GUI based forensic tool by DFLabs. It is 'an alternative Sleuthkit Interface' that works with the Mozilla Firefox, Safari, Opera and Chrome browsers.
I played with the version released prior to PTK 1.0 in October this year and found the project very promising but completely unusable and buggy. Today I installed and tested the latest version of PTK and must admit that the DFLabs guys have put a lot of work into making this application more stable and more useful.
The installation is very simple; I just followed the instructions and was up and running in about 15 min. This version of PTK only works with Sleuthkit 3.0.0, which is not in the default Ubuntu repositories yet, so I had to download and install it manually.




I liked its tabbed interface as well as Timeline, Gallery and Keyword Search features. Report creation option worked quite well.






Creating filters to search for specific file types within the specified timeframe is a nice feature. The speed and responsiveness of the application is not great, but acceptable from the usability point of view.




It is still not a bug free application yet, if there is such thing.






I came across a Secunia Advisory for PTK version 1.0 stating that PTK is vulnerable to 'an input validation error' when handling forensic images. It is somewhat unusual to read a vulnerability report about forensic tools, simply because of the different environment these tools are designed to operate in. I then found on the DFLabs web site a very good response to this particular vulnerability report, and I have nothing further to add to it.

Conclusion:
  1. This is a free forensic tool with great potential!
  2. I will keep an eye on this tool, but will not be using it for forensic examinations yet.

Sunday, December 7, 2008

Backwards incompatible Perl 6 & Python 3.0

Both Perl 6 and Python 3.0 are backwards incompatible with the previous releases due to the changes made in both languages. It appears that at first these new versions are going to be much slower (10% +) than their predecessors and will be optimised in future releases. Python 3.0 was released on 4th December 2008. Python 2.6 however will be developed and maintained until version 2.9, which is still a few years away. 'A Byte of Python' is a free ebook for those who want to learn Python. It has already been updated for the Python 3.0 language.

Monday, December 1, 2008

Write blockers - firmware

Update your write blockers with new firmware. It may be the case that the person responsible for maintenance of your forensic lab and equipment has left the organisation, your forensic equipment is left without proper attention and no one in the office gets the manufacturers' notifications about available updates. Some updates resolve only minor issues and offer support for newer devices, but there are also updates that are critical.

The upgrade process is quick and easy. Testing and documenting also takes only a few minutes. The Tableau Firmware Update tool can be found here.

Saturday, November 29, 2008

Recovering web browser passwords

All popular web browsers offer a password manager option to store usernames and passwords of the visited websites. It is possible to recover these usernames & passwords and in some cases view dates and times when a person registered/logged in with these credentials the first time.

1. Internet Explorer - IE PassView

2. Mozilla Firefox - PasswordFox v1.10

3. Safari – Method applicable to several web browsers

4. Opera – Unwand

5. Google Chrome - ChromePass v1.05

There are some other utilities incl. commercial versions, which I have not tested. The above mentioned tools are free and tested to be working.

Sunday, November 23, 2008

A bit of technology in a world of geeks

Tesla Personal Supercomputer under $10,000 with an Nvidia graphics processing unit (GPU) inside and utilising a parallel computing architecture. Computers with the Tesla C1060 GPU are claimed to have 250 times the processing power of a PC workstation. It should be good for password cracking :-).

Microsoft is going to offer a free anti-malware solution codenamed "Morro" to provide 'comprehensive protection from malware including viruses, spyware, rootkits and trojans'. Windows Live OneCare will no longer be sold from June 30, 2009. Hopefully it would have a positive impact on stopping malware from spreading without killing the sales figures of other anti-virus vendors.

Faster FireWire and USB speeds

Next year we may see a new version of FireWire known as S3200. This new version is to deliver a peak of 3.2 gigabits per second (400 MB/s) compared to the current 800 megabits (100MB/s).

The new USB 3.0, also called 'USB SuperSpeed', is set to multiply the USB 2.0 (480 Mbit/s) bandwidth tenfold and will transfer data at speeds up to 4.8 Gbit/s. That would allow transferring 27GB of data in only 70 seconds. USB 3.0 is designed to be backwards-compatible with USB 2.0 and USB 1.1.

17/12/2008
Here is an interesting link re: USB 3.0

Wednesday, November 19, 2008

CISCO Routers forensics

Some interesting links to resources about forensics on CISCO routers.

  • Book "Cisco Router and Switch Forensics" by Jesse Varsalone
  • Powerpoint presentation "Cisco Router Forensics" by Thomas Akin, Black Hat Briefings, 2002
  • Powerpoint presentation "Router forensics DDoS/worms update" by Nicolas Fischbach, Senior Manager, IP Engineering/Security - COLT Telecom
  • Another interesting document "Auditing CISCO Routers" by Technology Pathways
  • A document called "CISCO Routers as Targets" by Joshua Wright
  • M.Sc. thesis "Forensic examination of log files" by Joan Petur Petersen

Saturday, November 15, 2008

My forensic 'dream' machine

Here are the specs for a forensic machine I would like to get one day.
Intel Dual-Core Xeon Processor X5272
There is no point in using a quad core because current forensic applications are not designed to take advantage of multi-core CPUs.
8GB ECC Registered DDR2 Memory

ECC uses an advanced error correction system that can correct data transmission errors on the fly. Because ECC memory involves more processing, it may be a bit slower than non-ECC memory; however ECC provides reliability and greater system stability. ECC RAM is more expensive, however.

SATA RAID hardware controller with 4 x 10,000 RPM SATA II drives

RAID controller configured as RAID 0+1, which is a mirrored array whose segments are RAID 0 arrays. It provides the same fault tolerance as RAID level 5 and the same overhead for fault tolerance as mirroring alone. It supports very high I/O rates due to the multiple stripe segments.

Other must-have components

Drive Bay Controller with multi-bay read/write status, a couple of SATA /IDE write-blocked bays, write-blocked universal memory card reader, built-in USB write-blocker, USB 2.0 ports, FIREWIRE 400/800 and eSATA ports.

Operating System

To get maximum compatibility with drivers and software, I would go for a 32-bit Windows operating system. Microsoft Windows Server 2003 Enterprise Edition allows using memory beyond the 4-gigabyte range that is inherent to 32-bit operating systems. The 32-bit version of Microsoft Windows Server 2003 Enterprise Edition allows 8GB RAM, and Windows Server 2003 with Service Pack 2 (SP2), Enterprise Edition supports 64 GB. Most Windows XP drivers are compatible with Windows Server 2003. FTK, EnCase, X-Ways Forensics and many other forensic applications run very well under Windows Server 2003. FTK however requires admin privileges to work correctly. The operating system needs some tweaking to enable prefetch etc. All adjustments take about 10 min to complete. Instructions can be found here. Additionally, there is a free tool for automated server-to-workstation transformation.

Saturday, November 8, 2008

USB Flash drives acquisition!

Wear Levelling



Most flash drives are NAND EEPROM devices capable of 100,000 to 1 million erase and write cycles. The lifetime of the flash drive depends on the endurance of the flash chip. To extend the life of flash drives, manufacturers often implement wear-levelling (also referred to as wear-leveling).

The wear-levelling mechanism spreads write cycles across a flash chip, thus reducing continual usage of the same areas of the chip, and as a result promotes even usage of all memory cells.

What does this mean for forensic examiners? The content of a file that no longer exists from the point of view of the file system may have been fully or partially changed by the wear-levelling algorithm. On many NAND flash memory devices this occurs upon writing new data.

NAND flash drives are not very efficient at random writes due to the requirement for an application to locate a free block before it can write to it. If such a block is not available, a block must be fully erased, which takes additional time, thus reducing the efficiency of the device. Different manufacturers are taking different approaches to tackle this problem. Some implement additional controllers and/or memory in their flash drives. Some change the software (firmware) and wear-levelling algorithms so that they shuffle "unallocated" free space every time the device is read, so when the application is about to write new data, free blocks are already available to it for writing.

Acquiring these devices requires an additional step that, from my experience, is rarely taken. The standard procedure is to simply connect such a USB device to a forensic machine via a hardware or software write blocking device and let the forensic software do the acquisition and verification. There are two problems with this approach.
  1. Most forensic tools verify (calculate the MD5 or SHA1 hash of) the device, then acquire the data, followed by MD5 or SHA1 verification of the image. There is no verification of the physical device after that. So, we essentially rely on the write blocker to prevent any changes.
  2. Some USB devices (approximately one in every ten from my experience) will produce a different cryptographic hash every time you calculate it, despite the fact that no write is allowed. So, by simply reading such devices, we are changing something inside these drives.
The significance of this is obvious. If an independent party checks the integrity of such a device, (s)he will end up with a completely different MD5 or SHA1 value. Unless you know about the problem beforehand, it may be too late to explain this difference in court.

So, what is actually changed on the drive and how do we deal with this issue? The good news is that existing files are not changed, and this can be easily confirmed by comparing hash values of files from two images of the same device taken at different times. X-Ways Forensics is probably the best tool for this task.

By utilising the above mentioned tool and its terminology we can see that changes occurred in 'Free space' and 'previously existed files'. It is up to the forensic examiner to deal with admissibility of the data/evidence extracted from 'Free space'. Taking an additional image of the device, extracting (carving) files and comparing these files with the files from the first image is one of these techniques. There will be many files that are changed by the sector shuffling, thanks to the wear-levelling algorithm.

Deletion/wiping

Additionally, because of the wear-levelling mechanism and dynamic mapping of logical to physical sectors, some file artefacts may be left behind even after "secure wiping" of the USB flash drive.

Ordinary hard disks in general do not have wear-levelling implemented; however this may soon change as solid-state drives are becoming increasingly popular in notebooks.

27 February 2009

Yes,

The issue does exist despite some people finding it hard to believe, and it is here to stay for some time. The only way to deal with this is through correctly devised procedures that in general can be described as:

1. Identify the device with the specific wear-levelling behaviour (via hashing before and after the procedure, for example).

2. Isolate the existing files (not marked as deleted) from the deleted files. Verify the integrity of the existing files.

3. Deal with the deleted files in a way that accurate and verifiable data can be presented in court.
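An added example (not from the original post) of steps 1 and 2 of this procedure applied to two images of the same device: it hashes both images, lists the sectors that differ between the two reads, and checks whether the differences fall inside the extents of existing files or in free space. The allocation map (file name to sector runs) is assumed to come from your forensic tool; the 16-sector device and its two reads below are constructed for the example.

```python
import hashlib

SECTOR_SIZE = 512


def image_hash(image: bytes) -> str:
    """SHA-1 of a whole device image, as acquisition tools report it."""
    return hashlib.sha1(image).hexdigest()


def differing_sectors(first: bytes, second: bytes, sector_size: int = SECTOR_SIZE) -> list:
    """Sector numbers whose content differs between two reads of the same device."""
    if len(first) != len(second):
        raise ValueError("two images of the same device must have the same size")
    sector_count = (len(first) + sector_size - 1) // sector_size
    changed = []
    for n in range(sector_count):
        lo, hi = n * sector_size, (n + 1) * sector_size
        if first[lo:hi] != second[lo:hi]:
            changed.append(n)
    return changed


def owner_of(sector: int, extents: dict):
    """Name of the existing file whose extents contain this sector, or None for free space."""
    for name, runs in extents.items():
        if any(start <= sector < start + count for start, count in runs):
            return name
    return None


def classify_changes(changed: list, extents: dict) -> tuple:
    """Split changed sectors into those inside existing files and those in free space."""
    in_files, free_space = {}, []
    for n in changed:
        owner = owner_of(n, extents)
        if owner is None:
            free_space.append(n)
        else:
            in_files.setdefault(owner, []).append(n)
    return in_files, free_space


def file_content(image: bytes, runs: list, sector_size: int = SECTOR_SIZE) -> bytes:
    """Concatenate a file's sector runs (start, count) out of an image."""
    return b"".join(image[s * sector_size:(s + count) * sector_size] for s, count in runs)


def verify_existing_files(first: bytes, second: bytes, extents: dict) -> dict:
    """Step 2 of the procedure: for each existing file, do its hashes agree across both images?"""
    return {
        name: hashlib.sha1(file_content(first, runs)).hexdigest()
        == hashlib.sha1(file_content(second, runs)).hexdigest()
        for name, runs in extents.items()
    }


def build_sample_images() -> tuple:
    """Constructed 16-sector 'device': the second read differs from the first only
    because the controller swapped two free-space blocks between the reads."""
    sectors = [bytes([i]) * SECTOR_SIZE for i in range(16)]
    extents = {"report.doc": [(2, 2)], "photo.jpg": [(6, 2)]}  # allocated files
    first = b"".join(sectors)
    shuffled = list(sectors)
    shuffled[10], shuffled[12] = sectors[12], sectors[10]
    second = b"".join(shuffled)
    return first, second, extents


if __name__ == "__main__":
    first, second, extents = build_sample_images()
    print("device hash changed between reads:", image_hash(first) != image_hash(second))
    changed = differing_sectors(first, second)
    in_files, free_space = classify_changes(changed, extents)
    print("changed sectors inside existing files:", in_files)
    print("changed sectors in free space:", free_space)
    print("existing files intact:", verify_existing_files(first, second, extents))
```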

------------------------------------------------------------------------------------------
"Knowledge is dynamic in nature, today's knowledge may well become tomorrow's ignorance if an individual or organisation fails to update knowledge as environmental conditions change."

Turban, E., Leidner, D., Mclean, E., Wetherbe, J., Information Technology for Management: Transforming Organizations in the Digital Economy. Wiley; 6 edition (March 5, 2007)
----------------------------------------------------------------------------------------------------------
March 2009

Here is the link to a series of youtube videos of 'DEFCON 16' presentation by Scott Moulton who does a good job of explaining how the concept works.


Friday, November 7, 2008

VMware Workstation 6.5 released

Finally I have found some time to install the recently released VMware Workstation 6.5 and regretted that I hadn't done this earlier. This version offers several new features such as improved performance of copy/paste operations between the host and guest. USB devices are handled quite well by this version, so no more pain getting a device recognised by the guest and not the host OS. Some sources claim that USB device performance is improved by as much as 50%. The Unity feature is interesting but to me it is a little toy at this stage.

Saturday, November 1, 2008

Case Notes Software

A proper forensic analysis is rarely accomplished with just one forensic tool such as EnCase or FTK. So, jumping from one tool to another, from one operating system to another, makes it a necessity to keep contemporaneous notes in one place, so they can be quickly searched and referenced. I was looking for a tool that would be lightweight and easy to use. I have found a nice application called CaseNotes from QCC. It is a free application that runs on MS Windows machines and is designed for computer forensic record keeping. I have found it quite useful. The tabbed interface and MS Word-like editor are very useful; however simple spell checking and an easier way to import photographs would make this application more user friendly. I like to have the formatting and spell-check of Office at my disposal, so after using CaseNotes for a few days, I have started playing with MS Office OneNote 2007. It has a tabbed interface, insert date and time (ALT+SHIFT+F), a password protect option, search, easy formatting, adding photographs, and can be shared with others in my office. OneNote has a nice option to export all the records to PDF. For me, this could be the way of moving away from paper-based record keeping.

Monday, October 27, 2008

Right click on a file to calculate hash

HashTab v1.14 is my favorite Windows Shell Extension for calculating and comparing hash values. It works with MD5 and SHA-1 hashes by providing an easy-to-use right-click menu for files in Windows.

It is possible to have similar functionality in Linux. On my Ubuntu I am using Zenity. Zenity is a tool that allows you to create nice GUI widgets and windows for shell scripts.

Here is a little bash script that you can save as a file called CalcHash and make executable.

#!/bin/bash
# The script "CalcHash" calculates the MD5 hash of each selected file.
# Replace md5sum with sha1sum to calculate SHA-1 instead.
title="CalcHash"
# mktemp gives an unpredictable name, so nothing in /tmp can be clobbered or pre-planted.
tmp_file="$(mktemp /tmp/md5-XXXXXX)"
# Nautilus passes the selection as newline-separated paths; read them one per line
# so that file names containing spaces are hashed correctly.
printf '%s\n' "$NAUTILUS_SCRIPT_SELECTED_FILE_PATHS" | while IFS= read -r f; do
    [ -n "$f" ] && /usr/bin/md5sum -- "$f"
done > "$tmp_file"
zenity --text-info --title="$title" --filename="$tmp_file" --width=1100 --height=100
rm -f "$tmp_file"
exit 0


To make the file executable just open gnome-terminal by clicking Applications > Accessories > Terminal. Then type:

chmod 755 CalcHash

or, if you prefer GUI, right-click on the file, select "Properties" click on the "Permissions" tab and then tick the appropriate box.

The script needs to be copied to ~/.gnome2/nautilus-scripts.

You can go to Places > Home Folder

In Nautilus click Ctrl+H or just go to View and click Show Hidden Files

Navigate to .gnome2/nautilus-scripts and paste your script.

To calculate MD5 Hash, right click on any file or group of files and you should see something like this:

Wednesday, October 22, 2008

Disposable anti-virus!

One of the quick ways to check an acquired image for the presence of malware is to mount it with Mount Image Pro or Smart Mount and run your favourite anti-virus. Using two different anti-virus solutions is usually a good idea. However, running two anti-virus products on the isolated forensic network and keeping them up to date may require some extra effort.

Kaspersky® Virus Removal Tool, also often referred to as AVPTool, is a virus scanning and removal utility that employs the very effective virus detection algorithms from Kaspersky Lab. Kaspersky is one of my favourite anti-virus solutions and it is rated fairly high amongst other anti-virus solutions.

AVPTool is rebuilt every 2 hours and contains the latest virus signatures.
It installs into a folder on your desktop and upon finishing the scan, an uninstall prompt appears and removes the tool if you answer yes. It can produce virus scan reports and doesn't leave much behind after it is uninstalled.


CON: It is a 25MB file that you will have to download every time you need an up-to-date scanner.

AVPTool is available for free on HTTP and FTP.



Sunday, October 19, 2008

Briefly about Visualisation


The process of collection, preservation and analysis of digital forensic data is normally followed by presentation of the findings by the forensic examiner. At this stage it is important for non-forensic people (legal etc.) to clearly understand the significance of the uncovered evidence. Visualisation can make this task a lot easier by displaying the findings in a graphical manner, making even small details visible and demonstrating the relationships between various pieces of evidence.
A variety of commercial and free open source software can be utilised to accomplish this task. A free and open source graphical timeline editor called Zeitline and the commercial ConceptDraw MINDMAP are worth mentioning here.
Zeitline is an open source graphical tool written in Java, developed and maintained by CERIAS (Computer Forensics Research Group).
ConceptDraw MINDMAP is mind mapping software that normally costs US $199. It appears that the company is offering the previous version of this software free for a limited time. You can find more details at Lifehacker's web site.

Saturday, October 18, 2008

Time and Timestamps


"A file time is a 64-bit value that represents the number of 100-nanosecond intervals that have elapsed since 12:00 A.M. January 1, 1601 Coordinated Universal Time (UTC).

The FAT file system stores time values based on the local time of the computer. For example, a file that is saved at 3:00pm PST in Washington is seen as 6:00pm EST in New York on an NTFS volume, but it is seen as 3:00pm EST in New York on a FAT volume.

The NTFS file system stores time values in UTC format, so they are not affected by changes in time zone or daylight saving time." MSDN


Why 1 January 1601?

This is to do with leap years having a 400-year cycle and 1st of January 1601 being a Monday. If a modulo (MOD) operation is performed on the day count (days mod 7), the result is the day of the week.
(0=Sunday, 1=Monday, 2=Tuesday, 3=Wednesday, 4=Thursday, 5=Friday, 6=Saturday)
Day of the Week = Days Since 1601 MOD 7



There are five different time formats and it can be confusing.




The original FAT12/FAT16 file systems had only the last-modified time. The later FAT32 and NTFS file systems have three types of time stamps for each file.

1. Time when the file was First-created
2. Time when the file was Last-modified
3. Time when the file was Last-accessed



Here is how these values are changed by the Operating System (OS)



A quick picture reference to FAT and NTFS Date and Time stamps for files and folders based on Microsoft Article 299648.


Pictures (file copies):
  • A file from FAT file system to FAT file system
  • A file from FAT file system to NTFS file system
  • A file from NTFS file system to NTFS file system

Pictures (folders):
  • Folder 2 copied into Folder 1
  • Folder 2 moved into Folder 1

FAT system works a bit differently according to the same document. If you copy or move Folder 2 into Folder 1, the created date and modified date of Folder 1 remains unchanged.

Microsoft Article ID 127830 called "Time Stamps Change When Copying From NTFS to FAT" is also quite interesting. According to this article, when a file is copied from an NTFS file system device to a FAT device, the time stamp is rounded to the nearest two seconds. It happens with FAT only, because NTFS time stamps can end with an even or odd number of seconds. So, NTFS time stamp 10:00:00.000 is going to be FAT time stamp 10:00:00.000, but anything above that, say NTFS 10:00:00.001 and up to 10:00:01.999, will produce FAT 10:00:02.000.
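An added example (not from the original post) that puts the numbers above into code: FILETIME conversion to and from a UTC datetime, the day of the week from the day count since 1601, the NTFS-UTC versus FAT-local-time view, and the two-second rounding that happens on an NTFS to FAT copy. PST and EST are assumed as fixed -8 and -5 hour offsets for the Washington/New York illustration; the dates used in the demo are constructed. Note that 1 January 1601 (day 0 of the count) was a Monday, so mapping Sunday to 0 needs a +1 before the modulo.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 00:00 on 1 January 1601 UTC, counted in 100 ns ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
TICKS_PER_DAY = 86_400 * TICKS_PER_SECOND
WEEKDAYS = ("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")
# Fixed winter offsets assumed for the MSDN example (no DST handling).
PST = timezone(timedelta(hours=-8))
EST = timezone(timedelta(hours=-5))


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware UTC datetime.

    Python datetimes resolve to microseconds, so the last (sub-microsecond)
    digit of the tick count is dropped.
    """
    if not 0 <= filetime < 2 ** 64:
        raise ValueError("FILETIME is an unsigned 64-bit value")
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(moment: datetime) -> int:
    """Convert an aware datetime back to FILETIME ticks (sub-microsecond digit is 0)."""
    delta = moment.astimezone(timezone.utc) - FILETIME_EPOCH
    whole_seconds = delta.days * 86_400 + delta.seconds
    return whole_seconds * TICKS_PER_SECOND + delta.microseconds * 10


def day_of_week(filetime: int) -> str:
    """Day of the week from the day count since 1601, 0=Sunday ... 6=Saturday.

    Day 0 (1 January 1601) was a Monday, so the count is shifted by one
    before the modulo so that Sunday lands on 0.
    """
    days_since_1601 = filetime // TICKS_PER_DAY
    return WEEKDAYS[(days_since_1601 + 1) % 7]


def fat_round_up(filetime: int) -> int:
    """Apply FAT's 2-second granularity the way a copy from NTFS to FAT does.

    An exact even second is kept; anything above it up to the next even second
    (10:00:00.001 through 10:00:01.999) becomes that even second (10:00:02.000).
    """
    granularity = 2 * TICKS_PER_SECOND
    return -(-filetime // granularity) * granularity  # integer ceiling


def ntfs_view(filetime: int, viewer_zone: timezone) -> datetime:
    """NTFS stores UTC, so a viewer in another zone sees the same instant rendered
    in local time (3:00pm PST in Washington shows as 6:00pm EST in New York).
    FAT stores the local wall-clock time instead, so it would still show 3:00pm."""
    return filetime_to_datetime(filetime).astimezone(viewer_zone)


if __name__ == "__main__":
    unix_epoch = 116_444_736_000_000_000  # FILETIME of 1970-01-01 00:00:00 UTC
    print(filetime_to_datetime(unix_epoch), day_of_week(unix_epoch))
    saved = datetime_to_filetime(datetime(2008, 10, 18, 15, 0, tzinfo=PST))
    print("NTFS timestamp viewed in New York:", ntfs_view(saved, EST).strftime("%H:%M"))
    odd = datetime_to_filetime(datetime(2008, 10, 18, 10, 0, 0, 1000, tzinfo=timezone.utc))
    print("after copy to FAT:", filetime_to_datetime(fat_round_up(odd)).time())
```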


A Few Things To Keep In Mind


1. NTFS Last Access timestamp updates can be easily disabled in the registry on Windows NT, Windows 2000 and Windows XP.


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

Value Name: NtfsDisableLastAccessUpdate
Data Type: REG_DWORD (DWORD Value)
Value Data: set 1 to prevent the Last Access time stamp updates.


Note that Windows Vista has Last Access Time updates disabled by default to improve NTFS performance. To operate correctly, some applications require the Last Access timestamps to be enabled. This can be easily done by issuing the following command: fsutil behavior set disablelastaccess 0 followed by computer restart.



2. Antivirus software requires access to files to read/scan them for viruses. After the scan is finished, the software restores the Last Access timestamp of files that are scanned to the original time before scanning. However, if a file was cured, the access and modification times are updated.



3. The accuracy of the timestamps depends on the internal clock. The NTFS file system has a precision of 100 nanoseconds (ns), but the precision of the Windows internal clock is only 1 ms; for that reason the accuracy of timestamps in NTFS on Windows systems is limited to 1 ms.


--------
The book File System Forensic Analysis by Brian Carrier (highly recommended) helped me to understand this material a bit better.


There is a great collection of academic papers about Date and Time stamp forensics. It can be found at Time Forensics website maintained by Svein Y. Willassen.

Friday, October 17, 2008

A Useful Quote

"Knowledge is dynamic in nature, today's knowledge may well become tomorrow's ignorance if an individual or organisation fails to update knowledge as environmental conditions change."

Turban, E., Leidner, D., Mclean, E., Wetherbe, J., Information Technology for Management: Transforming Organizations in the Digital Economy. Wiley; 6 edition (March 5, 2007)

Sunday, October 12, 2008

get SUDO to work on Red Hat systems

In the terminal enter su --login -c 'visudo'


Press Enter and type the root password when prompted.

Below the line root ALL=(ALL) ALL add the user (Garfield in this case :-) that you want to have root access as shown below:
Garfield ALL=(ALL) ALL

If you wish sudo to prompt for a password, go down to the line # %wheel ALL=(ALL) ALL and delete the # at the beginning of the line using the x key or use your favorite vi editor commands to edit and navigate around.

If you don't want password prompts (not secure), go down to # %wheel ALL=(ALL) NOPASSWD: ALL and uncomment it.

Save and exit: wq

Saturday, October 11, 2008

Smart Mount by ASR Data

Smart Mount by ASR Data is going to be officially released on October 27, 2008. Smart Mount is a tool that allows mounting dd, SMART, E01 and VMware images.

Supported file systems are:
  • All Windows based Fat and NTFS
  • Linux/Unix based HFS, Ext2 and Ext3
  • CD/DVD based ISO9660 and UDF

There are versions for Linux and Windows and you will have to pay for each version separately. There are also 'Pro' versions for both Linux and Windows that offer read/write options. It looks like it is going to be $100 more expensive than the Windows-only version of Mount Image Pro ($299). The Smart Mount Pro version is another $100 extra.

New Forensic Search Engine

Digital Forensics Search Engine has been added to this blog. It requires a lot of work to add resources and also fine tune it, so I don’t expect it to be very functional for some time. If you have a good & relevant link that should have been included in this search engine, send me an email or just leave the comment (I will not publish these comments).

Tuesday, October 7, 2008

dtSearch in Linux

dtSearch 7.54 has been installed and worked fine in CentOS 5.2 under wine.

The main indexing and searching functions worked OK. dtSearch forensic indexing with Unicode support worked as well. Some additional dtSearch functions did not work and performance suffered a bit (subjective observation). Gecko needs to be installed prior to installing dtSearch. Running a non-native application is not a good idea though, and it is probably a matter of time before we all see a nice GUI front end to the dtSearch Linux engine.

Friday, October 3, 2008

Disposable Emails

Almost every forum or web site requires user registration and asks for your real email address. Not supplying one may result in download links or activation links being sent somewhere else. Disposable emails eliminate the need to give out your real email and allow you to receive download or activation links. The beauty of such disposable emails is in their limited lifespan. The temporary email address gets redirected to the real email address and dies together with the spam.

There are several free disposable email services available:

In my view Jetable is the best one. No registration is required to use the service, and no spam or advertisement sent by Jetable themselves. The service is provided by the French non-profit Association for a Non-Commercial Internet.

Wednesday, October 1, 2008

Window XP and Vista setupapi.log

setupapi.log is a plain-text file that contains some interesting information about various device and service-pack installations. The file may contain serial numbers of the devices connected to a Windows machine. By studying setupapi.log it may be possible to tell if a particular device was connected to the computer during OS installation (the #-199 message containing -newsetup) or connected at a later stage, including the date and time when it was connected.

The file is located in %windir%\ directory for Windows XP machines.

Microsoft has a good paper regarding this log file Troubleshooting Device Installation with the SetupAPI Log File

Harlan Carvey in his book Windows Forensic Analysis DVD Toolkit explained very well the significance of setupapi.log to forensic examiners.

Vista has two similar files setupapi.app.log and setupapi.dev.log located in %windir%\inf\ directory.

setupapi.dev.log becomes the primary log file and setupapi.app.log contains some legacy logging information.
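An added example (not from the original post) of pulling device-connection times out of a Vista setupapi.dev.log: it parses the ">>>  [Device Install ...]" section headers, their "Section start" timestamps and exit status, then reports the earliest successful install per USB device instance, which is the first time that particular device was plugged into the machine. The log excerpt is constructed in the layout Vista writes; the device IDs, serial numbers and times in it are made up.

```python
import re
from datetime import datetime

# Constructed sample in the layout of a Vista setupapi.dev.log (IDs and times are invented).
SAMPLE_LOG = r"""[Device Install Log]
     OS Version = 6.0.6001
     Service Pack = 1.0

[BeginLog]

>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5406\0123456789ABCDEF]
>>>  Section start 2008/10/01 14:03:22.812
     ump: Creating Install Process: DrvInst.exe 14:03:22.828
<<<  Section end 2008/10/01 14:03:24.109
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\0123456789ABCDEF&0]
>>>  Section start 2008/10/01 14:03:25.234
<<<  Section end 2008/10/01 14:03:27.500
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_C03E\6&1A2B3C4D&0&1]
>>>  Section start 2008/10/03 09:12:40.000
<<<  Section end 2008/10/03 09:12:41.250
<<<  [Exit status: FAILURE(0xe0000203)]
"""

SECTION_START = re.compile(r"^>>>\s+\[(?P<kind>.*?Device Install.*?) - (?P<device>.+)\]\s*$")
TIMESTAMP = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
EXIT_STATUS = re.compile(r"^<<<\s+\[Exit status: (?P<status>.+)\]")


def parse_device_installs(text: str) -> list:
    """Return one dict per device-install section: kind, device instance ID, start, status."""
    installs, current = [], None
    for line in text.splitlines():
        m = SECTION_START.match(line)
        if m:
            current = {"kind": m["kind"], "device": m["device"], "start": None, "status": None}
            installs.append(current)
            continue
        if current is None:
            continue  # header lines before the first section
        m = TIMESTAMP.match(line)
        if m:
            current["start"] = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f")
            continue
        m = EXIT_STATUS.match(line)
        if m:
            current["status"] = m["status"]
            current = None  # section closed
    return installs


def instance_id(device: str) -> str:
    """Last component of the device instance ID; for USB devices this is the serial slot."""
    return device.rsplit("\\", 1)[-1]


def has_vendor_serial(device: str) -> bool:
    """A USB device that reports no serial number gets a Windows-generated instance ID
    whose second character is '&' (e.g. '6&1A2B3C4D&0&1'); a real serial never has that,
    so only IDs without it can be matched against a physical device's serial."""
    inst = instance_id(device)
    return len(inst) > 1 and inst[1] != "&"


def first_connection_times(installs: list, prefix: str = "USB\\") -> dict:
    """Earliest successful install per device instance under the given enumerator prefix:
    the first time that device (by serial) was plugged into this machine."""
    first = {}
    for entry in installs:
        if not entry["device"].upper().startswith(prefix.upper()) or entry["status"] != "SUCCESS":
            continue
        if entry["start"] is not None and (
            entry["device"] not in first or entry["start"] < first[entry["device"]]
        ):
            first[entry["device"]] = entry["start"]
    return first


if __name__ == "__main__":
    installs = parse_device_installs(SAMPLE_LOG)
    for device, when in first_connection_times(installs).items():
        serial_note = "vendor serial" if has_vendor_serial(device) else "Windows-generated ID"
        print(f"{when}  {device}  ({serial_note})")
```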

Useful links in relation to Vista log files are:


Sunday, September 28, 2008

Time Zone Converter

Getting time zone conversions right can be confusing. Using a calculator is fine, but I tend to double check my calculations with this online Time Zone Converter.

Thursday, September 25, 2008

Keeping things organised.

A wiki is an excellent tool for sharing knowledge and collaborating with other project members. Who wants to learn HTML or spend time learning how to use a wiki though? Most people that require a wiki are busy doing more important things. The best and 'easy to use' wiki that I came across is MindTouch Deki. It runs on Windows, Linux, BSD, Mac OS X and it is free. Installation and configuration on Ubuntu 8.04 LTS Server takes approximately 10 minutes. It has an indexing component that allows indexing and searching of attachments such as PDF or MS Office documents (and many other formats). WYSIWYG page creation is great, though I would like to see a good spell check. Indexing is based on the Lucene indexing engine and requires mono to be installed. I am not a big fan of mono, but deki and mono have run well together since I installed them about 3 months ago. Some tweaking is required to allow bigger attachments to be scanned and for indexing to work correctly. How can a wiki be used in forensic investigations? Running a big investigation sometimes makes it difficult to remember everything, and I tend to miss/forget some important information because there is too much of it and it may take a long time to investigate/complete the project.

The MindTouch Deki Virtual Appliance is pre-installed and configured, and runs in VMware. It can be run on a desktop computer to keep my records/discoveries. All information is organised and can be shared with other team members for peer review or comments. Clicking on "Recent Changes" allows you to monitor all changes. Deki has a great access control mechanism and it is very easy to administer. All information is indexed and can be found within seconds. It also has a function to export to PDF.

Having different VM snapshots allows multiple investigations/projects to be run independently.

In case Indexing doesn't work:

Edit mindtouch.deki.startup.xml and add the following line after the word indexer:

<delay-index-interval>10</delay-index-interval>

then restart deki wiki
/etc/init.d/dekiwiki restart

Log in to deki as admin and rebuild index

To be able to index big PDF's etc:

Change the following entries in your php.ini file located in /etc/php5/apache2/php.ini

post_max_size = 32M
upload_max_filesize = 32M

and restart apache: /etc/init.d/apache2 restart

Also, after the xpdf package was installed, the value for the pdf filter was changed to xpdf.

From

/var/www/dekiwiki/bin/filters/pdf2text

to

/var/www/dekiwiki/bin/filters/xpdf2text


Sunday, September 21, 2008

Installing Helix 2008R1


The long awaited Helix 2008R1 is finally out. There are still some problems with download speeds experienced by the forensic community that is eager to try this new toy (including myself, of course). There are some problems with installation to a hard drive that I have found a way to get around.

1. Installation has to be started after live CD is booted by going to System->Administration->Install

2. Just follow the instructions and after you get to the Who are you screen, press Forward and here is the trick. The installation would usually stop there due to some problems with os-prober not being able to find volume groups. The trick is to press cancel and start the installation procedure again. It should work after that.

3. The all new Helix looks nice and shiny, but don't relax yet. Adepto, autopsy, AV programs and some others would not run. I suggest running an update (apt-get upgrade or allow automatic update), and after about 20 new updates most of the tools should work.

4. Adepto still would not, and to fix it, here is what I did:

$ sudo -i
# cd /usr/local/adepto
# mv logs logs1
# mkdir logs

Obviously there is a problem with the logs file sitting in /usr/local/adepto directory
Instead there should be a directory/folder called logs

Done.

correction - I just realised that logs file is a symlink to /home/ubuntu/adepto/logs
I guess, if everyone creates user ubuntu during the installation, adepto should work just fine. (or create a new folder and symlink it )

Installing VMware tools on CentOS 5.2

Running CentOS as a guest OS with VMware is OK without VMware tools installed. However there may be some problems with mouse/screen etc. Installing VMware tools on CentOS can be accomplished by using RPMs that come with VMware workstation. I have encountered a few problems whilst trying to install VMware tools. I could not unload pcnet32 module and the system did not shut down gracefully. After digging through the Internet and experimenting I came up with the following.

  1. Disable ipv6 by modifying /etc/modprobe.d/modprobe.conf.dist and adding anywhere install ipv6 /bin/true (and disabling iptables for ipv6 later on)

  2. Start CentOS in a single user mode by typing as root: init 1 or /sbin/init 1

  3. Then run vmware-config-tools.pl

  4. After the installation completes, reboot

  5. I also have a button on the gnome panel with the following command gksu vmware-toolbox to be able to copy and paste between guest and host operating systems.

  6. A slightly more elegant solution would be to put /usr/bin/vmware-user & line into /etc/rc.local with no window to close after the program starts. To modify the settings, vmware-toolbox can be started manually as needed. In Ubuntu it is even easier SYSTEM > PREFERENCES > SESSIONS and in startup programs tab ADD NAME and /usr/bin/vmware-user &

Friday, September 19, 2008

A few things to consider when using FTK Imager.

In March 2008 NIST released their test results for FTK Imager 2.5.3.14. Several problems were detected:
  • with acquisition of a logical NTFS partition;
  • with sectors hidden by a host protected area (HPA);
  • with sectors hidden by a device configuration overlay (DCO); and
  • FTK Imager did not report the location of corrupted data.
AccessData has released FTK Imager version 2.5.4
Release Date: April 8, 2008


The release notes for version 2.5.4 make no mention of fixes for the problems detected by NIST.

Tuesday, September 16, 2008

USB dongle for SMART with Ubuntu

SMART from ASR Data is being tested on my Ubuntu 8.4

Initially it didn't want to recognise the USB dongle that comes with SMART. Running aksusbd didn't help. It is recommended to attach the USB dongle before booting Linux; that didn't work either. After issuing mount -t usbfs none /proc/bus/usb followed by aksusbd it worked fine. /etc/fstab has then been modified and usbfs /proc/bus/usb usbfs auto 0 0 added (0 = zero, not the letter o). The aksusbd daemon is not correctly installed to start up at boot in Ubuntu. The easiest way to deal with this is to write a bash script:

#!/bin/bash
# Expose the USB bus to the HASP dongle driver (skip if already mounted),
# start the dongle daemon, then launch SMART. Needs root: run it via gksu.
mountpoint -q /proc/bus/usb || mount -t usbfs none /proc/bus/usb || exit 1
/usr/sbin/aksusbd
exec /usr/local/bin/smart

Then add a custom application launcher to the GNOME panel and point it at the script. I am sure there are better ways of doing this, but it works well for me and doesn't take much time :-) To run SMART or any other application that requires root, install gksu and type gksu /usr/local/bin/smart

SMART stands for:

S torage
M edia
A nalysis
R ecovery
T oolkit

Monday, September 15, 2008

LinEn & ewfacquire to produce EnCase images

Besides AIR, GRAB, ADEPTO and several other dd-based tools, there are two Linux forensic tools that can produce E01 (EnCase) images: LinEn, the Linux acquisition tool from EnCase, and ewfacquire, which is part of the libewf package. libewf does not yet support the logical evidence file format (EWF-L01). LinEn can be downloaded here. It is easy to run: make it executable by changing the file's permissions and type ./linen. ewfacquire is claimed to be faster than LinEn, however I haven't noticed any significant difference.

tableau-parm 0.1.0 is another useful Linux tool for reading drive information from Tableau forensic write blockers; it is similar to the Windows-only Tableau Disk Monitor.

Sunday, September 14, 2008

PyFlag

PyFlag finally installs on Ubuntu 8.04. Will play with it a bit more and try to compare it with the functionality of PTK. PTK is promising but is still too buggy. It works better with the Opera browser; Firefox is no good. Some issues with PHP and SQL.
---
12 Oct 2008
PTK 1.0 is going to be released 28 October 2008.

grab & adepto

grab is a very useful program by Drew Fahey. Installed and tested it on Ubuntu 8.04. It has several dependencies to deal with. To solve the problem:
apt-get install sharutils cryptcat libx11-dev libtsk-dev
sharutils is needed, otherwise a uudecode error will show up. cryptcat is also required for grab to function, and libx11-dev stops any complaints about gettimeofday(). It also would not work without libtsk-dev and the several other dependencies pulled in by libtsk-dev. adepto is the replacement for grab, and a new version is coming next week together with the new release of Helix.
The modified grab.tar.gz can be downloaded from here or here. MD5 hash for grab.tar.gz: f569a458b35cf100284bb578fa3d3e74