Thursday, December 24, 2009
Tuesday, November 24, 2009
What you get is a secure government job; good training; a convenient location not far from Sydney Central Station; and exposure to a wide variety of criminal cases, which gives you 'law-enforcement experience', something extremely valuable in this industry.
Additionally, there are some great people over there with extensive hands-on experience to learn from.
I suggest checking the selection criteria first, as there are strict conditions placed on potential candidates in terms of qualifications, skills and, of course, criminal history.
Actually, there are two positions that are directly related to computer forensics: one forensic examiner and one R&D position. The third is a sysadmin position.
For those who are interested, here is a link to these advertised jobs.
Tuesday, November 10, 2009
Ubuntu 9.10 is now using the "fourth extended file system" by default; speaking of which, SMART-2009-11-08 is out. The new version provides "enhanced support for EXT4 file system".
Wednesday, October 28, 2009
The Cyberspeak podcast of Oct 25 2009 is out; Ovie and Bret eventually found the time for it. I have been listening to Cyberspeak podcasts since day one and it remains my favorite "computer forensics, computer security, and computer crime podcast". Keep up the good work, boys.
Ubuntu 9.10 is due for release tomorrow (October 29th). The Canonical guys always come up with a quirky name for each release, such as Fisty Fawn, Gusty Gibbon, Horny Hardon :-), and Ubuntu 9.10 is no different: it is called "Karmic Koala".
Friday, October 23, 2009
The only secret that you need to know
The passage of time is a one way flow
If you understand, joyously you'll grow
Else you will drown in your own sorrow.
Omar Khayyam
Occasionally I have found myself struggling to keep up with the rapid technological progress that we are all witnessing today. Here is what I do to keep up with it, which can easily be summarised into three main principles:
- Adapt and change your habits
I use Google Reader and Google News quite extensively to stay abreast of technology. I also use my "Blogs I read" blog roll to keep an eye on my favourite forensic blogs. I have found that podcasts, which I normally listen to on the go, are a great source of information and inspiration. Reading online publications, manuals and whitepapers has become my daily routine.
Since I now have an iPhone, I use iTunes to manage all my subscribed podcasts. Recently, I discovered and became a great fan of Apple's "iTunes U", which is a part of the iTunes Store featuring FREE university lectures, audio books etc.
Books, books, books of course. They can be expensive if you buy them yourself. I consider myself a very lucky person, because I can get books for free as a reviewer at Computing Reviews. Although the review deadlines are quite strict and put you on a tight schedule, they also encourage you to read/finish the book and take comprehensive notes, which can later be summarised and converted into a review. If you have a master's degree and experience in a computer-related discipline, you may be eligible too. As a reviewer you have additional benefits, such as free access to "over 19,000 reviews", being published in an Association for Computing Machinery journal etc.
Joining groups of peers from the computer security/forensic industry for formal or informal gatherings can help you get reality checks on your current level of knowledge, seek out advice and guidance on technical issues and receive valuable feedback. If you are in Sydney, AU, send me an email and you may get invited to one of our monthly informal assemblies [subject to approval by all members]. Attending conferences and courses is beneficial, but in real life it is not always possible due to what is involved, so I won't go into this right now.
I still believe that Windows XP is a great operating system and I use a Win XP 64-bit machine as my primary forensic workstation. However, for this blog post right now I am using Windows 7 Professional, which has just come out. It doesn't mean that I love it so much. I have started using it, and not just playing with it, early and in a non-production environment to learn the OS. Hopefully, when I get a job involving Win 7, I won't have too many surprises.
The iPhone is another example: you don't have to like the phone, which I actually do. You simply cannot learn everything by attending an iPhone forensics course if you have never seen or used an iPhone before. I didn't know, for example, that when an iPhone is plugged into a computer to transfer music etc., a backup copy of the iPhone is automatically created on this computer. This backup contains a wealth of information such as photos, notes, email account settings, contacts, calendars, call history, SMS messages, bookmarks, browser history and currently open pages etc. iPhone backup files are a separate topic though.
My point is, get yourself out of the technological comfort zone and don't be afraid to dump your favourite web browser, at least for some time, and use something new. There is a good chance that you will come across this new browser again during a forensic investigation.
Use Google Docs or other collaboration tools to do your (non-sensitive) work, take notes with electronic Mind Maps, set up Google Calendar and get free SMS reminders for upcoming events. Learn how these tools work and become more productive. It definitely helps me to be more productive and to better understand the technology and trends.
Monday, September 21, 2009
On a more serious note, I am currently busy doing some studies and also reviewing a book for Computing Reviews, which takes up all my time outside work. ...and yes, I did get the iPhone 3GS 16GB. I have to say that I love and hate it at the same time.
Friday, August 28, 2009
I then used my favorite free tool called ImDisk to mount the converted hard disk image. Default settings worked fine and ImDisk was able to mount 'converted.hdd' file in read-only mode.
Edit: The new version of Parallels Image Tool uses a slightly different GUI. Converting to the plain format is now done via the "Manage disk properties" option. The quote "The perfect is the enemy of the good." from Voltaire's Dictionnaire Philosophique (1764) is quite relevant in this case, because the latest version may not always successfully convert "old" HDS files, so do not throw away/uninstall your old version of Parallels yet.
Saturday, August 15, 2009
Analysing VirtualBox VDI files can sometimes be tricky. It is not a problem when the VDI file has header type 2, which means that you are dealing with a fixed disk. Searching for partitions with forensic tools such as EnCase or my all-time favourite X-Ways Forensics makes the examination no different from examining ordinary dd or E01 files. MakeSparseVDI, which comes with VirtualBox, can parse information from the VDI header and partition table. This information can be used to mount fixed VDI files with ImDisk, normally by pointing it to the partition start, which is usually located at offset 73728.
The old version of VirtualBox used to have a nice utility called vditool that could carve out the raw disk image. There is a good write-up on the 'Forensic Incident Response' blog about VirtualBox analysis. There have been several updates since that time; vditool is no longer present and has been replaced with VBoxManage. The latter can convert raw images to VDI but not the other way around. (As it turned out, this is not the case. See below for details. The VirtualBox help doesn't have this information. This site is more useful.)
Dynamic disks have the value 1 at (decimal) offset 76 and they are not so easy to work with. Unlike flat volume images (fixed disks), dynamic disks cannot be mounted with the above-mentioned tools. The only tool/method that worked for me was WinMount. It mounted VirtualBox dynamic disks with no problems. The tool has a read-only option that is enabled by default in WinMount V3.2. It is also capable of mounting VHD (Virtual Hard Disk) and VMDK (VMware) images, comes with a 30-day trial period and costs $61.24 AUD.
Evgueni Tchijevski posted an easier way to deal with VDI disks: vboxmanage internalcommands converttoraw source destination. It works great, thanks Evgueni.
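To make the header fields above concrete, here is an added Python example (not the blog's code, nor anything from VirtualBox): it reads the image type at decimal offset 76 and the block-map and data offsets from a VDI 1.1 header, flattens a dynamic image by walking its block map the way the converttoraw command does, and works out the byte offset to hand to ImDisk for the first partition of a fixed image. The header layout is VirtualBox's published VDI 1.1 format; the 4 KiB block size, the sample images and the MBR inside them are constructed for the demo.

```python
import struct

VDI_SIGNATURE = 0xBEDA107F
VDI_TYPE_DYNAMIC = 1          # value 1 at decimal offset 76, as the post says
VDI_TYPE_FIXED = 2            # header type 2 = fixed disk
BLOCK_FREE = 0xFFFFFFFF       # block-map entry: never written
BLOCK_ZERO = 0xFFFFFFFE       # block-map entry: known to be all zeros
SECTOR = 512


def parse_vdi_header(buf):
    """Read the VDI 1.1 header fields needed to locate disk data.
    Offsets follow the VirtualBox VDI 1.1 layout (decimal, as in the post)."""
    signature, version = struct.unpack_from("<II", buf, 64)
    if signature != VDI_SIGNATURE:
        raise ValueError("not a VDI image: bad signature at offset 64")
    image_type = struct.unpack_from("<I", buf, 76)[0]
    off_blocks, off_data = struct.unpack_from("<II", buf, 340)
    disk_size = struct.unpack_from("<Q", buf, 368)[0]
    block_size, _extra, n_blocks = struct.unpack_from("<III", buf, 376)
    return {"version": version, "type": image_type, "off_blocks": off_blocks,
            "off_data": off_data, "disk_size": disk_size,
            "block_size": block_size, "n_blocks": n_blocks}


def vdi_to_raw(buf):
    """Flatten a VDI into a dd-style image. For a dynamic image the block map
    is walked (what converttoraw does); free and zero blocks become zeros."""
    h = parse_vdi_header(buf)
    if h["type"] == VDI_TYPE_FIXED:
        return bytes(buf[h["off_data"]:h["off_data"] + h["disk_size"]])
    if h["type"] != VDI_TYPE_DYNAMIC:
        raise ValueError("unsupported VDI image type %d" % h["type"])
    bmap = struct.unpack_from("<%dI" % h["n_blocks"], buf, h["off_blocks"])
    out = bytearray(h["disk_size"])          # zero-filled by default
    for logical, phys in enumerate(bmap):
        if phys in (BLOCK_FREE, BLOCK_ZERO):
            continue
        src = h["off_data"] + phys * h["block_size"]
        dst = logical * h["block_size"]
        out[dst:dst + h["block_size"]] = buf[src:src + h["block_size"]]
    return bytes(out)


def first_partition_lba(sector0):
    """LBA start of the first MBR partition entry (entry at 446, LBA at +8)."""
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    return struct.unpack_from("<I", sector0, 446 + 8)[0]


def mount_offset(buf):
    """Byte offset to point a mount tool at for the first partition of a
    fixed VDI: data offset from the header plus the partition's LBA.
    A dynamic image has no single linear offset, so None is returned."""
    h = parse_vdi_header(buf)
    if h["type"] != VDI_TYPE_FIXED:
        return None
    sector0 = buf[h["off_data"]:h["off_data"] + SECTOR]
    return h["off_data"] + first_partition_lba(sector0) * SECTOR


def build_vdi(image_type, block_size, block_map, data_blocks,
              off_blocks=512, off_data=4096):
    """Constructed toy VDI for the demo (4 KiB blocks; real images use 1 MiB)."""
    n_blocks = len(block_map)
    hdr = bytearray(off_data)
    hdr[0:64] = b"<<< Oracle VM VirtualBox Disk Image >>>\n".ljust(64, b"\0")
    struct.pack_into("<IIII", hdr, 64, VDI_SIGNATURE, 0x00010001, 400, image_type)
    struct.pack_into("<II", hdr, 340, off_blocks, off_data)
    struct.pack_into("<Q", hdr, 368, n_blocks * block_size)
    struct.pack_into("<IIII", hdr, 376, block_size, 0, n_blocks, len(data_blocks))
    struct.pack_into("<%dI" % n_blocks, hdr, off_blocks, *block_map)
    return bytes(hdr) + b"".join(data_blocks)


def build_samples(bs=4096):
    """One dynamic and one fixed image with the same logical content: an MBR
    whose first partition starts at LBA 16, one used block and two empty ones."""
    mbr = bytearray(bs)
    # partition entry: bootable, type 0x07, LBA start 16, 16 sectors long
    struct.pack_into("<BBBBBBBBII", mbr, 446, 0x80, 0, 0, 0, 0x07, 0, 0, 0, 16, 16)
    mbr[510:512] = b"\x55\xaa"
    # dynamic: logical block 0 lives in physical block 1, logical 2 in physical 0
    dyn = build_vdi(VDI_TYPE_DYNAMIC, bs, [1, BLOCK_FREE, 0, BLOCK_ZERO],
                    [b"C" * bs, bytes(mbr)])
    fixed = build_vdi(VDI_TYPE_FIXED, bs, [0, 1, 2, 3],
                      [bytes(mbr), bytes(bs), b"C" * bs, bytes(bs)])
    return dyn, fixed


if __name__ == "__main__":
    dyn, fixed = build_samples()
    print("dynamic image type:", parse_vdi_header(dyn)["type"])
    print("fixed image first partition at byte offset", mount_offset(fixed))
    print("converted images identical:", vdi_to_raw(dyn) == vdi_to_raw(fixed))
```

Running it shows the dynamic and fixed samples flattening to the same raw image. For a real fixed VDI, mount_offset is the number you would type into ImDisk's offset field; for a dynamic one the block map is exactly why there is no single offset to give, and converting to raw first is the way out.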
Acquiring RAM on the latest Ubuntu or Fedora has become a little bit problematic.
/dev/mem is now protected by default. "The CONFIG_STRICT_DEVMEM kernel option was introduced to block non-device memory access."
/dev/kmem is disabled by setting CONFIG_DEVKMEM to 'n'.
RAM acquisition via FireWire option looks really attractive now. There are two topics however that I am not prepared to discuss in this blog, and these topics are FireWire RAM acquisition and Encryption.
My favourite quotes about digital forensics and security, by Richard Drinkwater and Richard Bejtlich.
"I don't validate my tools - I validate my results."
"The digital security field is incredibly complicated and anyone who claims to be a master of the entire field is a fool. In fact, mastery of any single subject might require such narrow focus as to be of little relevance to the remainder of the field. Those who are most successful have carved some niche out of the security landscape, but still understand the rest of the arena."
Both hit the nail on the head!
Tuesday, August 4, 2009
Using your mobile on a plane may not be an issue in the near future, as more airlines allow their passengers to make and receive calls during flights. However, the opposite might also be true when it comes to having your mobile phone switched on during search warrants or incident responses.
Almost all of the latest mobile phone models now come with Wi-Fi and/or Bluetooth capabilities. These phones are often used by incident responders and digital forensic specialists who attend search warrants or scenes of crime. Given that it is almost impossible to find a laptop or desktop computer used by suspects without some kind of wireless network device built in or connected to it, the potential for accidental digital contamination should not be underestimated. Your Wi-Fi or Bluetooth enabled phone could potentially be detected by the suspect's laptop, and later you may find your mobile device's network name (or even worse, your own name) logged by the suspect's machine.
Furthermore, Google Sync, SyncJe, The Missing Sync and many other mobile phone applications are capable of wirelessly synchronising iPhone, BlackBerry, Windows Mobile and some standard Nokia and Ericsson phones with the base computer. The items that normally get synchronised are contacts, calendars, email account settings, webpage bookmarks, notes, music and photos. Theoretically, depending on the set preferences, these items may get automatically synced between your mobile device and the suspect's computer "if care is not taken to ensure that the investigator's devices have had their wireless functions disabled prior to approaching a suspect's device..." [Angus M. Marshall]
I am just wondering how many organisations/practitioners have implemented safeguards/policies that deal with this issue. I am adding a poll to my blog that will run for a couple of weeks, so please take your time to answer the question: Does your organisation have a policy mandating wireless devices off during forensic examination?
Saturday, July 4, 2009
- Correlate events from different sources.
- Identify the factors leading to the timestamps changes.
Correlating events from different sources.
Some time ago I came across an article about the 'selective enhancement' method used to reconstruct a digital photograph from digital video footage. This method takes advantage of the fact that different frames are slightly different because the object moved or the light source changed. These differences are collected and then utilised in reconstructing the image. Now, going back to digital forensics, correlating events involves the process of identifying alternative sources of evidence. Taken out of context, such evidence may be viewed as an irrelevant or insignificant detail in the presence of weightier findings. Nevertheless, this kind of evidence may become crucial in the reconstruction of events and is too important an area to neglect.
Identify the factors leading to the timestamps changes.
There are many factors that can affect timestamps, including but not limited to various scanning or indexing applications, changing the system clock, clock skew or using anti-forensic tools. Unless the application responsible for altering timestamps has been resident in memory for a long time, such applications are identifiable based on their execution time.
Knowledge and experience play a critical role in the process of verifying the accuracy of timestamps. There are many publications available on the Internet that discuss timestamps, and Vista timestamps in particular. You can find links to these publications in my old post. Yet there are several recent 'white papers' on the Internet that just can't get Vista timestamps right.
- Value Name: NtfsDisableLastAccessUpdate
- Data Type: REG_DWORD (DWORD Value)
- Value Data: set 1 to prevent the Last Access time stamp updates.
Compound files such as MS Office .doc or .docx files and possibly certain other files such as .jpeg may also change 'Accessed Time' if these files have been modified.
Friday, June 19, 2009
Visualisation is a process or technique that graphically represents the collected data to enable a better understanding of its significance. I have been using visualisation techniques since the late 1990s, after I discovered the Mind Mapping technique, which originated with Tony Buzan. Since then, I have successfully used visualisation for learning and in various presentations.
There appear to be many attempts to enhance digital forensics techniques by adding visualisation to them. This is a welcome move, considering the problems faced by forensic examiners while processing increasing quantities of digital evidence. These attempts, however, are mostly focused on automating the entire process, which in my view leads only to a dead end. I believe that visualisation techniques, at least in digital forensics, must be separated into two distinct areas, 'analysis' and 'presentation'. They are two different paths to two different goals.
The analysis side of visualisation involves digital data processing to produce data suitable for further analysis, pattern discovery, pattern analysis, detection of anomalies etc. In my opinion this is the most challenging area of visualisation. This is the knowledge discovery stage, which employs data reduction and data interpretation techniques and can only be performed by a qualified and experienced forensic examiner. Once such data processing is successfully carried out, a visual representation of the digital evidence enables a forensic examiner to see trends or relationships between various sets of data.
The presentation side of visualisation is simply a technique for making the facts visible and easily understood by the target audience. The significant relationships discovered during the analysis stage need to be emphasised with vivid colours, charts, "3D" representations or Mind Maps. This PowerPoint presentation by the Department of Image Processing and Neurocomputing of the University of Pannonia is a good start.
Wednesday, June 10, 2009
Using compression usually means a performance trade-off.
In circumstances when both time and available storage are limited, X-Ways Forensics can be an invaluable tool. It is capable of creating compressed .e01 evidence files by utilising 'adaptive compression'. Unfortunately, compression negatively affects the forensic examination at a later stage, because compressed disk images must be decompressed before they can be used by forensic tools such as EnCase or FTK.
Raw (dd) images are commonly used because they work with practically every forensic tool. On the other hand, raw images are not compressed, and one may end up with a very large dd image even if the drive contained a very small amount of actual data.
Smart Acquisition Workshop, or simply SAW, is a "Data Acquisition and case management framework" from ASR Data. It utilises 'sparsing' to deal with the large drives most commonly found on mid-range to high-end server systems. The vast majority of these drives are only 50% to 80% full and the rest of the storage contains no data (0000). When SAW is used, only nonzero data is collected, and locations on the drive containing no meaningful data (all zeros) are only referenced. This method offers significant reductions in the size of the forensic images and also avoids the need to decompress the data during the analysis stage. Hashing is performed during acquisition of the evidence to ensure the integrity of the data. SAW forensic images can then be mounted with Smart Mount (available for Win32, Linux and Mac platforms) and analysed with a forensic tool of choice. SAW can also convert the acquired 'sparsed' image to a raw image while preserving the integrity of the data.
During a recent demonstration, a 2TB sample forensic image stored on a portable 200GB USB drive was mounted on a regular Eee PC without a problem.
Sparsing is not an entirely new concept; NTFS, for example, provides full sparse file support. "With the sparse file attribute set, the file system can deallocate data from anywhere in the file and, when an application calls, yield the zero data by range instead of storing and returning the actual data." Knozall Software, Inc.
What is really new is the fact that this technology has been successfully applied to digital forensics, with its strict data integrity requirements. SAW provides several other functions, including converting other forensic images to sparse images and creating VMware .vmdk files directly from these images.
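As an added illustration of the sparsing idea (example code written for this post, not SAW's format or ASR Data's code): a Python sketch that acquires a constructed drive into a sparse form where only nonzero chunks are stored and zero ranges are merely referenced, hashes the full logical stream during acquisition, and converts back to raw while verifying that hash. The chunk size and the sample disk are constructed values.

```python
import hashlib

CHUNK = 4096   # zero-scan granularity; a real tool works in sector or cluster runs


def acquire_sparse(disk, chunk=CHUNK):
    """Read `disk` chunk by chunk. Non-zero chunks are stored with their offset;
    runs of all-zero chunks are only referenced as (offset, length). The SHA-256
    is taken over the full logical stream while reading, so it also covers the
    zero ranges that are never written out."""
    digest = hashlib.sha256()
    stored, zero_runs = [], []
    run_start = None
    size = len(disk)
    for off in range(0, size, chunk):
        block = bytes(disk[off:off + chunk])
        digest.update(block)
        if block.count(0) == len(block):          # entirely zero: reference only
            if run_start is None:
                run_start = off
            continue
        if run_start is not None:
            zero_runs.append((run_start, off - run_start))
            run_start = None
        stored.append((off, block))
    if run_start is not None:
        zero_runs.append((run_start, size - run_start))
    return {"size": size, "stored": stored, "zero_runs": zero_runs,
            "sha256": digest.hexdigest()}


def stored_bytes(img):
    """How much data the sparse image actually carries."""
    return sum(len(block) for _, block in img["stored"])


def restore_raw(img):
    """Rebuild the flat dd-style image (the sparse-to-raw conversion) and
    check it against the acquisition-time hash; raises on mismatch."""
    out = bytearray(img["size"])       # zero-filled, so zero runs need no work
    for off, block in img["stored"]:
        out[off:off + len(block)] = block
    actual = hashlib.sha256(out).hexdigest()
    if actual != img["sha256"]:
        raise ValueError("integrity check failed: %s != %s" % (actual, img["sha256"]))
    return bytes(out)


def integrity_ok(img):
    try:
        restore_raw(img)
        return True
    except ValueError:
        return False


def build_sample_disk():
    """Constructed 64 KiB 'drive': a boot sector, one small file in the middle,
    and zeros everywhere else, like a lightly used volume."""
    disk = bytearray(64 * 1024)
    disk[0:512] = b"BOOT".ljust(512, b"\x01")
    disk[20 * 1024:20 * 1024 + 3000] = b"F" * 3000
    return bytes(disk)


def tamper_detected():
    """Alter one stored chunk after acquisition: restore must refuse it."""
    img = acquire_sparse(build_sample_disk())
    off, block = img["stored"][0]
    img["stored"][0] = (off, b"X" + block[1:])
    return not integrity_ok(img)


if __name__ == "__main__":
    disk = build_sample_disk()
    img = acquire_sparse(disk)
    print("stored %d of %d bytes, zero runs %s"
          % (stored_bytes(img), img["size"], img["zero_runs"]))
    print("restored image matches:", restore_raw(img) == disk)
```

On the sample, only two of sixteen chunks are stored and the rest survive as two (offset, length) references, yet the hash still commits to every byte of the logical drive, which is the property that lets a sparse image stand in for a raw one.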
Thursday, May 21, 2009
FTK Imager 2.6.0 has got new functionality: finally, it can capture RAM. There is no portable version as yet, so I can't see much use for it at this stage, unless it can be used with F-Response? I found FTK Imager to be much slower compared to my favourite X-Ways Forensics tool. Additionally, I was unable to acquire RAM with the new FTK Imager on a Win 2003 Server with 8GB RAM; the acquisition just stopped at 48%. I should mention that the new version of this popular imaging tool got a few bug fixes and 'improvements', listed here.
Speaking of RAM, VMware vSphere 4 supports a few TB of memory on the host server and up to 256GB of memory for a guest. That's a lot of RAM and perhaps this is the future of any forensic lab. Whilst the Cloud is often viewed as a "cost savings" that comes together with a loss of control of the computing infrastructure and various information security issues, the future may be in private cloud networks. These private clouds are capable of delivering flexible computer networks that are able to accelerate when and where it is needed most.
Saturday, May 2, 2009
the information you need.
Thursday, April 30, 2009
I also tried to install Ubuntu 9.04 in VMware and it caused the mouse to be rather sluggish. Installing vmware-tools didn't help. Next, in SYSTEM > PREFERENCES > STARTUP APPLICATIONS, in the startup programs tab, I added the name vmware-tools and the command /usr/bin/vmware-user &. This did not fix the problem either.
The best option to solve this was to install the xserver-xorg-input-vmmouse driver by running the following command:
sudo apt-get install xserver-xorg-input-vmmouse
This completely solved the problem and everything now works as expected. I also found that some people were able to fix this by adding the following InputDevice section to their xorg.conf:
Section "InputDevice"
    Identifier "VMware Mouse"
    Driver "vmmouse"
EndSection
Saturday, April 25, 2009
Saturday, April 18, 2009
The procedure for working with Windows XP and Windows Server 2003 (.evt) event logs has been well documented. Here are a couple of links on fixing .evt logs manually or by using a free tool, and making them readable via the Windows Event Viewer. Harlan also wrote Perl scripts that can parse evt logs without using the Windows API, so no header modification is needed.
Ensuring that forensic evidence in criminal cases is accurate and verifiable is only one side of forensic analysis. Making the evidence (forensic reports) presentable and easy to work with by all parties, including defence, judges and prosecution, is also essential. Making event logs readable and nicely formatted can sometimes be painful though. I found that the best tool to generate an Excel spreadsheet is the EnCase built-in EnScript (Case Processor), and X-Ways Forensics provides perhaps the quickest way to produce nice HTML reports. It also automatically includes some useful information, such as this:
Warning: wrong fileheader data regarding size of file
Dirty flag: 1, Wrapped flag: 0, Full flag: 0, Primary flag: 1
To get the report in X-Ways Forensics, the evt file needs to be opened first; after that you can go to Tools -> View or just press SHIFT + F9. You can also generate an Excel spreadsheet by opening the HTML report in Internet Explorer and going to File -> Edit with Microsoft Office Excel.
Also, when working with FTK and using its Forensic HTML Report generation feature, it is possible to bookmark and export XML files (MSN History etc.) that won't open in the browser. It may produce an error similar to "Cannot view XML input using XSL style sheet". That is usually sorted quite easily by adding the XSL style sheet file (.xsl) from the same folder where the original XML file was located.
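Here is an added Python example of the API-free approach mentioned above (my own illustration for this post, not Harlan's scripts or X-Ways' code): it reads the 48-byte .evt header to report the dirty/wrapped/full flags, walks the records by their 'LfLe' signature regardless of what the header claims, and derives the header values a manual repair would write back. The layouts are the documented ELF_LOGFILE_HEADER and EVENTLOGRECORD structures; the sample log, its computer name and its timestamps are constructed, and the EOF record that a complete repair also rewrites is left out.

```python
import struct
from datetime import datetime, timezone

EVT_MAGIC = b"LfLe"
HEADER_FLAGS = {0x1: "dirty", 0x2: "wrapped", 0x4: "full", 0x8: "archive"}
HEADER_FMT = "<I4sIIIIIIIIII"    # 48-byte ELF_LOGFILE_HEADER
RECORD_FMT = "<IIIIHHHHIIIIII"    # EVENTLOGRECORD fields at offsets 8..56


def parse_evt_header(buf):
    """Header of a .evt file. The flags field is what X-Ways prints as
    Dirty/Wrapped/Full; a set dirty flag is what keeps Event Viewer from opening it."""
    (hdr_size, magic, _major, _minor, start_off, end_off, cur_rec, oldest_rec,
     max_size, flags, _retention, _end_hdr) = struct.unpack_from(HEADER_FMT, buf, 0)
    if hdr_size != 0x30 or magic != EVT_MAGIC:
        raise ValueError("not a Windows .evt file")
    return {"start_offset": start_off, "end_offset": end_off,
            "current_record": cur_rec, "oldest_record": oldest_rec,
            "max_size": max_size, "flags": flags,
            "flag_names": [n for bit, n in HEADER_FLAGS.items() if flags & bit]}


def _utf16z(buf, pos):
    """Decode a NUL-terminated UTF-16LE string; returns (text, position after it)."""
    end = pos
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def scan_records(buf):
    """Walk the file by the 'LfLe' record signature, ignoring the header; a
    candidate is accepted only when the length at its end repeats the one at its start."""
    records = []
    pos = buf.find(EVT_MAGIC, 0x30)             # skip the header's own magic
    while pos != -1:
        start = pos - 4
        length = struct.unpack_from("<I", buf, start)[0]
        if (56 <= length <= len(buf) - start
                and struct.unpack_from("<I", buf, start + length - 4)[0] == length):
            (rec_no, t_gen, t_wr, event_id, ev_type, _n_str, _cat, _res,
             _closing, _str_off, _sid_len, _sid_off, _data_len, _data_off
             ) = struct.unpack_from(RECORD_FMT, buf, start + 8)
            source, p = _utf16z(buf, start + 56)
            computer, _ = _utf16z(buf, p)
            records.append({
                "offset": start, "record_number": rec_no,
                "generated": datetime.fromtimestamp(t_gen, timezone.utc).isoformat(),
                "written": datetime.fromtimestamp(t_wr, timezone.utc).isoformat(),
                "event_id": event_id & 0xFFFF, "type": ev_type,
                "source": source, "computer": computer})
            pos = buf.find(EVT_MAGIC, start + length)
        else:
            pos = buf.find(EVT_MAGIC, pos + 1)
    return records


def repaired_header_fields(buf):
    """Header values consistent with the records actually present, i.e. what a
    manual header fix writes: offsets, record numbers, flags cleared."""
    recs = scan_records(buf)
    if not recs:
        raise ValueError("no records found")
    last = recs[-1]
    last_len = struct.unpack_from("<I", buf, last["offset"])[0]
    return {"start_offset": recs[0]["offset"], "end_offset": last["offset"] + last_len,
            "oldest_record": recs[0]["record_number"],
            "current_record": last["record_number"] + 1, "flags": 0}


def build_record(rec_no, event_id, source, computer, when, ev_type=8):
    """Constructed EVENTLOGRECORD with no strings, SID or binary data."""
    body = (source.encode("utf-16-le") + b"\x00\x00"
            + computer.encode("utf-16-le") + b"\x00\x00")
    body += b"\x00" * ((-len(body)) % 4)               # DWORD alignment
    end = 56 + len(body)
    length = end + 4
    head = struct.pack("<I4s" + RECORD_FMT[1:], length, EVT_MAGIC, rec_no, when, when,
                       event_id, ev_type, 0, 0, 0, 0, end, 0, end, 0, end)
    return head + body + struct.pack("<I", length)


def build_sample_evt():
    """Constructed log that was not closed cleanly: header flagged dirty,
    its offsets and record numbers stale."""
    when = 1230768000                                  # 2009-01-01 00:00 UTC
    header = struct.pack(HEADER_FMT, 0x30, EVT_MAGIC, 1, 1, 0x30, 0x30, 1, 1,
                         0x80000, 0x1, 0, 0x30)
    recs = [build_record(1, 528, "Security", "WS-CONSTRUCTED", when),
            build_record(2, 538, "Security", "WS-CONSTRUCTED", when + 60),
            build_record(3, 528, "Security", "WS-CONSTRUCTED", when + 120)]
    return header + b"".join(recs)
```

Because the record walk never trusts the header, it recovers all three records from the sample even though the header claims a single record and is still marked dirty; repaired_header_fields then gives the values a manual fix would write, which is the same information the X-Ways warning above is derived from.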
Sunday, April 19, 2009
Lance Mueller posted a great article and his EnScript re: Windows Event Logs. Comments to his post are also worth reading.
Another interesting post re: Vista Event Logs by Rob Faber can be found here.
Saturday, April 4, 2009
The default versions of TSK and autopsy in the Ubuntu repositories are sleuthkit-2.09-2 and autopsy-2.08-2. The latest versions are sleuthkit-3.0.1 and autopsy-2.21.
Step 1: Download afflib.tar.gz and unpack it with tar -xvf afflib.tar.gz
There are three dependencies to resolve before afflib can be installed.
Type sudo apt-get install build-essential zlib1g-dev libssl-dev
Then navigate to the afflib folder and type the usual:
./configure, make, sudo make install
Step 2: Download libewf, unpack and install all three .deb packages
Step 3: Install uuid-dev by typing sudo apt-get install uuid-dev
Then download sleuthkit-3.0.1.tar.gz
Unpack, and run ./configure, make, sudo make install
Step 4: Download autopsy-2.21.tar.gz
Create your evidence directory; autopsy will ask for it later.
Extract autopsy and run ./configure, make, sudo make install
When asked, type the full path to your evidence directory and you're done.
To start autopsy, just type sudo ./autopsy and follow the instructions.
Update for Ubuntu 9.10 - 25 November 2009
For Ubuntu 9.10 the procedure is similar except for Step 1.
afflib make may not work, and if you really want aff support, the simple solution is to download .deb files for older distributions.
The files below worked for me:
afflib-dev_1.6.31-0ubuntu1_i386.deb and afflib_1.6.31-0ubuntu2_i386.deb
and can be downloaded from these locations:
Step 2 is easy, just get all 3 libewf packages (just search with Synaptic).
The rest of the procedure is the same.
Updates for Ubuntu 10.10 and the Sleuthkit 3.2.0 are here
Tuesday, March 31, 2009
The first one is not particularly surprising and shows which web browsers were used by geeks to view my blog.
10. Mozilla Compatible Agent (0.05%)
The second table displays the top 70 countries for my blog readers.
35. United Arab Emirates
51. Macau SAR China
61. Trinidad and Tobago
65. Bosnia and Herzegovina
Friday, March 27, 2009
If the 'Encrypt Filenames' option is not used, the filenames in an encrypted WinRAR archive can be viewed in clear text. WinRAR also computes and stores CRC-32 values of the archived files, and when the files are extracted, WinRAR computes the CRC of the extracted content and compares it with the CRC in the archive.
Where dictionary and brute force attacks have failed, the CRC can be used to search for uncompressed and unencrypted files on the hard drive that have the same CRC-32 value as the encrypted files inside the WinRAR archive. X-Ways Forensics is quite suitable for this task. All that is required is to Refine Volume Snapshot and change the Compute Hash option to CRC-32.
CRC-32 generates a 32-bit checksum. It is important to note that the purpose of the CRC algorithm is to detect single bit errors during data transmission, and it is not designed to be collision free. Additionally, in theory a bad guy can deliberately generate two files with the same CRC-32 checksum without a problem, but in practice there are far more effective anti-forensic methods.
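As an added example (not WinRAR's or X-Ways' code), here is the CRC-32 matching in Python: build the listing that an encrypted archive exposes, hash every loose file once, match each entry by CRC-32 and confirm by size, and put a number on how many chance coincidences a 32-bit checksum invites. The archive contents, file names and paths are all constructed.

```python
import zlib


def crc32_of(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def archive_listing(files):
    """What an encrypted RAR exposes when 'Encrypt Filenames' is off: the
    name, unpacked size and CRC-32 of each entry's plaintext, readable without
    the password. `files` maps name -> original content (constructed here)."""
    return [{"name": name, "size": len(data), "crc32": crc32_of(data)}
            for name, data in files.items()]


def find_plaintext_candidates(listing, corpus):
    """Hash every loose file once, then look each archive entry up by CRC-32
    and confirm the size too. A CRC is only 32 bits, so the size check and a
    manual look at each hit are what turn a coincidence into evidence."""
    by_crc = {}
    for path, data in corpus.items():
        by_crc.setdefault(crc32_of(data), []).append(path)
    hits = {}
    for entry in listing:
        for path in by_crc.get(entry["crc32"], []):
            if len(corpus[path]) == entry["size"]:
                hits.setdefault(entry["name"], []).append(path)
    return hits


def expected_chance_matches(n_loose_files, n_entries):
    """Expected number of CRC-32 coincidences between unrelated loose files
    and archive entries if the checksums were uniformly distributed."""
    return n_loose_files * n_entries / 2 ** 32


def demo():
    # Constructed: the files that went into the archive ...
    originals = {"budget.xls": b"Q3 budget: 1,200,000 AUD\n" * 40,
                 "notes.txt": b"meeting notes, draft 2\n" * 10}
    listing = archive_listing(originals)
    # ... and the loose files found on the drive. budget.xls was renamed and
    # copied; notes.txt exists only as a later, edited draft, so no match.
    corpus = {
        r"C:\Users\js\Documents\q3.xls": originals["budget.xls"],
        r"C:\Temp\~backup\old.dat": originals["budget.xls"],
        r"C:\Users\js\Desktop\notes.txt": b"meeting notes, draft 3\n" * 10,
        r"C:\Windows\win.ini": b"; for 16-bit app support\n[fonts]\n",
    }
    return find_plaintext_candidates(listing, corpus)


if __name__ == "__main__":
    for name, paths in demo().items():
        print(name, "->", paths)
    print("chance matches for 1,000,000 files x 10 entries: %.4f"
          % expected_chance_matches(1_000_000, 10))
```

The expected_chance_matches figure is the caveat in numbers: with a million loose files and ten archive entries it is about 0.002, small but not zero, which is why the size check and a manual look at each hit belong in the procedure rather than being optional.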
Friday, March 13, 2009
This web site has several interesting little applications that may be useful in digital forensics: http://www.mitec.cz/
ImDisk Virtual Disk Driver is only 266 KB in size (compressed), 'works on both 32-bit and 64-bit versions of Windows' and allows mounting dd images in read-write and read-only mode. dd images can be mounted with a right click from Windows Explorer by selecting Mount new virtual disk (Picture 1). It only works with non-split dd images and doesn't accept EnCase images. This small utility, with seamless integration into Windows Explorer, also allows you to right click on a selected drive and acquire a dd image (Picture 2). I compared this image with a dd image of the same drive acquired with FTK Imager and the md5 hashes matched. ImDisk was actually about 8% faster in acquiring the image than the latest version of FTK Imager, but it doesn't create a log file and it is unclear how ImDisk handles bad sectors and errors. I haven't played with the command line switches yet, so the functionality may already be there.