digfor

a couple of newly discovered tools

2011-11-24T00:20:00.001+11:00

It's been an extremely busy autumn for me. Whilst running around, I came across a couple of useful tools.

SAFE (System Acquisition Forensic Environment) is Windows PE boot disk with built in software write blocking. I use Enterprise version, which requires a dongle only to start up the environment. The dongle then can be removed to start up the next machine. A bootable USB can also be created with SAFE USB Creator. There are several tolls listed as officially SUPPORTED by ForensicSoft, but plenty of other tools can also run just fine in this environment. To get the ability to image over the network I put F-Response on the Live CD as well and found it to be working rather well. SAFE has some problems with recognising Unicode file names when opening with OpenOffice for example and some other minor bugs. Win PE is based on Windows 7 32-bit and works well with most hardware.

Another Windows based GUI Forensic Imager has been released in beta. This time from GetData. It has a very simple interface, works in a portable mode and supports DD, AFF and E01 image formats. It also converts from one format to another. I wonder if it remains free after it is out of beta.

SSD - TRIM, Encryption, Formating and Fragmentation

2011-08-03T23:23:00.004+10:00

Operating System identify Solid State Drives by querying the hard drive for its rotational speed. To be precise it is done by identification of nominal rotation rate as described in AT Attachment – 8 ATA/ATAPI Command Set (ATA8-ACS).

Word 217
0000h - rate not reported
0001h - Non-rotating media (SSD)
0002h-0400h - Reserved
0401h-FFFEh - Nominal media rotation rate in rotations per min (rpm)
7200rpm = 1c20h 5000rpm = 1388h 10 000rpm 2710h
FFFFh – Reserved

If 0001h value is returned, Windows 7 for example turns on TRIM support and disables defragmentation. Furthermore, to reduce the frequency of writes and flushes, Windows 7 in addition to boot and application launch prefetching also disables services such as ReadyBoost and Superfetch. As far as I am aware Windows XP or Windows Vista cannot differentiate SSDs from hard drives. The following file systems are known to be TRIM supported by its respective Operating Systems: NTFS, HFS+, EXT4, Btrfs. Here I should mention that modern Linux and Apple OSX support TRIM commands as well. TRIM functionality can also be implemented independently of the operating system. The O&O Defrag for example enables TRIM operations for FAT32 and exFAT formatted SSD’s.

I know that many forensic folks are still wondering how OS’s, file systems and SSD controllers talk to each other to make TRIM work. Louis Gerbarg did an excellent job of explaining and demystifying the process.

It should be noted that Windows 7 sends the TRIM command to the SSD not only when file gets deleted or partition gets formatted, but in several other instances as described in Support and Q&A for Solid-State Drives blog post.

"The Trim operation is fully integrated with partition- and volume-level commands like Format and Delete, with file system commands relating to truncate and compression, and with the System Restore (aka Volume Snapshot) feature."

A quick format is all that is required to trigger the TRIM command on SSD and all data will be erased (zeroed out). Speaking about formatting, there has been not much difference between the Quick and Full format options in pre-Vista Windows machines. The only difference between the two was that full format also scanned for bad sectors. The data could still be recovered from formatted drives. Since Windows Vista a full format erases all data and writes zeros and completely destroying the old data. The same applies to Windows 7 and my tests confirmed this.

TRIM can be enabled and disabled manually. In Windows 7 to check TRIM status, as Administrator in the command prompt window, enter the following:

fsutil behavior query disabledeletenotify

Output:
DisableDeleteNotify = 1 Windows TRIM commands are disabled
DisableDeleteNotify = 0 Windows TRIM commands are enabled

The following command enables TRIM fsutil behavior set disabledeletenotify 0 and fsutil behavior set disabledeletenotify 1 disables it.

To my knowledge TRIM is not yet supported in RAID volumes. Recently there has been some confusing on this topic in relation to Intel Rapid Storage Technology supporting TRIM for RAID volumes. Intel had to publish a correction that TRIM is only supported in AHCI and RAID modes for drives that are not part of a RAID volume.

Not all SSD’s support the TRIM command; some manufacturers do not even recommend enabling TRIM. Sandforce and OCZ recommend against enabling TRIM in the Mac OS (due to Apple's implementation of TRIM) and discourage using TRIM on controllers with internal low-level compression (due to the way they operate/built).

TRIM + Encryption, a topic worth its own cookbook, so I am going to only lightly touch on it. In my previous post I have mentioned that Apple OS X Lion “FileVault 2” enables whole-disk encryption. It is certainly a big step forward compared to “FileVault 1”; however this needs to be clarified a bit. “FileVault 2” is VOLUME based encryption. For example NTFS, FAT/FAT32 or exFAT partitions located on the same drive will not be encrypted. A recovery partitions also cannot be encrypted by “FileVault 2”. TRIM is believed to be supported on “FileVault 2” encrypted drive. The TRIM command also works on NTFS file system encrypted with Bitlocker and TrueCrypt . TrueCrypt has issued several security warnings in relation to Wear-levelling security issues and the TRIM command revealing information about which blocks are in use and which are not. (Trim Operation Link & Wear-Leveling Link) PGP WDE doesn’t support TRIM, but I remember someone has mentioned that with CLI is possible to encrypt only used sectors. It is likely that the same security issue would arise as in case of TrueCrypt.

The Mighty Lion

2011-07-31T20:37:00.001+10:00

Snow Leopard 10.6 wasn't much of a problem from the forensics perspective and left paws imprints all over the snow. It had no TRIM enabled by default and FileVault was not particularly difficult to deal with. Advanced users could install TRIM for their SSD drives by using TRIM Enabler 1.1 but this wasn't wide spread. Apple OS X Lion 10.7 came and the game has changed.

The new OS adds support for the TRIM command and it is turned ON by default. TRIM allows OS-level garbage collection and also assists with wear-levelling and fragmentation, as well as reducing write amplifications and improves random writes speed. Basically if an operating system supports TRIM, delete really does mean delete, not just flagging space as available.

OS X Lion also introduces "FileVault 2", which instead of merely encrypting user home folders, now offering "Full Disk Encryption". Upon upgrading existing users are offered to upgrade to "FileVault 2". Old FileVault, lets call it "FileVault 1" is also supported but only for existing users of "FileVault 1". The new encryption method uses XTS-AES 128-bit encryption. When "FileVault 2" is enabled, a user is presented with the option to create a recovery key.

WARNING: You will need your login password or a recovery key to access your data. A recovery key is automatically generated as part of this setup. If you forget both your password and recovery key, the data will be lost.

Recovery key: CCQP-DDA3-XDSF-5656-UHGX-MTN8

Additionally, Apple now provides with an option to store the recovery key with them, which I am sure will be useful for both, forgetful users and law-enforcement.

Safeboot with EnCase or FTK

2011-07-18T21:27:00.003+10:00

Both (current versions) of EnCase and FTK work with Safeboot Full Disk Encryption 4.x.
EnCase has to be 32 bit version (not 64 bit). According to Guidance Software support people Safeboot 4.1 or higher versions are not supported by EnCase. In reality Safeboot 4.1 decryption works just fine with EnCase 6.18 as long as one follows the detailed instructions.

FTK 3 officially supports SafeBoot Version 4.x and Version 5.x as well as McAfee Endpoint Encryption Version 6.x. There is no '32 bit only' limitations because there is no need to install SafeBoot Tool or anything extra.

Access to the SafeBoot server is requred when working with both EnCase and FTK.There is no need to export/copy out any files for decrypting with FTK. For Safeboot versions 4.x and 5.x the decryption key can be obtained by runing SbAdmCl.exe command line tool. It's location can vary from version to version on the Safeboot server.

SbAdmCl.exe -AdminUser:admin -AdminPwd:password -command:GetMachineKey -Machine:Machinename

To extract decryption keys for a group of computers the same command can be issued with -Group:* instead of -Machine:Machinename

The command should return 32 bit Encryption Key(s) that can be entered in FTK when the encrypted evidence files are added to the case.

In McAfee Endpoint Encryption Version 6.x the key is exported from the server by using ePO (ePolicy Orchestrator). Check "Exporting the recovery information file from ePO" section of McAfee EETech User Guide for details. Once the .xml file is exported, a base64 key located between < key > and < / key > needs to be copied, decoded and converted to hex. The easiest way to accomplish the task is to utilise this online "Base64 -> hexadecimal string decoder", which should produce the decryption key required by FTK.

UPDATE: 16 August 2011
EnCase Version 6.19 just has been released. The new version now provides support for McAfee Endpoint Encryption 6.0.

No trust in a single tool.

2011-06-13T08:28:00.004+10:00

"If the only tool you have is a hammer, you tend to see every problem as a nail."

Abraham Maslow

More and more often I find myself working on a case with at least two forensic tools simultaneously. Depending on a task I select EnCase and X-Ways or FTK and X-Ways in pairs.

All three are great and one is better than another at certain tasks.I like working with EnCase to analyse registries, automate things with enscipts or searching and bookmarking hits in unallocated space. FTK is best with emails and has excellent ‘indexed’ searching capability. X-Ways Forensics is simply fast and reliable.

There is no point in doing ALL operations with a pair of these tools. There are always several the most important pieces of evidence supporting the hypothesis that need extra attention. This is especially true when confirming the absence of certain evidence.

I don’t just use two tools in parallel, in addition I attempt to utilise different methods to confirm the facts. This becomes some sort of Devil's Advocate Peer Review Activity.

Lately, forensic tools became more complex and attempting to provide more interpretation for the sake of convenience. Not surprisingly, I frequently observe different interpretations by different tools and have to dig dipper to find the true.

Although I often use a bunch of open source or free tools like Harlan’s RegRipper or Mandiant’s Highlighter etc., having another full featured forensic tool provides an additional layer of protection. Several times I had a situation when the main tool would start constantly crashing, or be unable to process certain types of evidence in the middle of examination. Sounds famialiar? When time is limited and vendor’s technical support is slow or sometime useless, having a back up tool ready to go is as good as gold.

Selecting the right tools for different investigations requires a good knowledge of forensic tools in your arsenal. For example, Lotus Notes is very popular in the corporate environment, with over 140 million corporate licensees sold worldwide. EnCase would normally work with NSF files and handle emails quite well. You will need FTK, or some other solution, to handle Lotus Notes databases, because EnCase …. well, may be EnCase 7 will do a better job. X-Ways Forensics can’t handle NSF at all. For the sake of completeness I should mention here that since Lotus Notes version 8.5 Databases are now called Applications.

Obviously one needs to be trained on using all of these tools and this might not be economically possible for small organisations or Rookie examiners. In this case there are Open Source Resources/Tools that each examiner must become proficient with and have them ready to go. The new book by Cory Altheide and Harlan Carvey called Digital Forensics with Open Source Tools should provide you with the necessary knowledge and insight.

Most computer forensic examiners Need Shrinks

2011-06-05T00:19:00.008+10:00

Many computer forensic specialists sooner or later get exposed to potentially psychologically harmful material. Images or (worse) videos of people being tortured and killed; children being exploited and raped are often encountered by forensic examiners. Some have only occasional exposure, and some have to constantly work with such material due to the nature of their work. The exposure causes all sorts of problems from stress and loss of productivity to more serious psychological traumas.

The above also applies to private and corporate forensic examiners who often accidentally locate offensive images or videos. What are the ways to minimise negative impacts of exposure to such material?

Prevention is better than cure.
It is technically difficult to completely insulate all personnel from the exposure. The only logical choice is to adequately prepare specialist for such situations by introducing mandatory introductory programs. These programs need to be specifically designed to deal with exposures to potentially harmful material and possible reactions to such exposures. Most importantly new computer forensic specialists must be put through the program before they walk in to the lab.

As part of occupational health and safety, career longevity and work performance initiative we are currently working with professional psychologists to develop such program for our organisation. The program is going to be integrated in the Standard Operating Procedures (SOP), and will also include mandatory reporting, debriefing and follow up. To minimise harmful effects, the arrangements are being made with psychologists to conduct debriefing within the first 24 to 72 hours after the initial exposure.

These procedures are designed to equip computer forensic personnel with knowledge, skills and professional assistance to enable them to cope with exposures to offensive graphics. As an additional benefit, the program may also assit staff in dealing with other stressful situations. These steps are also designed to insure productivity and retention of the highly trained forensic specialists.

Oh mama - my iPhone is no longer secure!

2011-05-26T19:31:00.010+10:00

ElcomSoft guys are offering " near-instant forensic access to encrypted information stored in iPhone devices" ...even if its hardware encrypted. Here is a LINK to the the press release. Good job.

I hope it won't repeat destiny of COFEE.

Relevant read from ElcomSoft's blog link1 & link2

DDos on LiveJournal - turning crisis into opportunity.

2011-04-09T01:24:00.003+10:00

Developing an effective incident response procedure is crucial to minimizing the impact of a security breach or DDoS attack. A good incident response plan not only helps secure the impacted infrastructure, but can also increase consumer loyalty. The recent DDoS attack on LiveJournal clearly required the use of public relations techniques, which did not appear to happen in time.

In the absence of information, the rumour mill will take over. Instead, an immediate and honest statement should clarify known details, and the information be frequently updated. The organisation must demonstrate commitment and this will be appreciated by its customers. In case certain information cannot be released it is important to offer an explanation. By doing this the organisation appear responsive and cooperative even if not a great deal of information has been released.

The organisation also must educate all employees on use of social media during the crisis and monitor Twitter, MySpace, Facebook and other social sites. Tracking and quickly responding to the relevant conversations should help uncovering and defusing any potential crises-in-the-making.

While no organisation is immune to similar incidents, this does not necessarily have to turn into a disaster.

Accessing VMFS partitions

2011-04-02T02:48:00.021+11:00

VMware VMFS is VMware Virtual Machine File System with is used by VMware ESX and ESXI servers to store virtual machine disk images (.VMDK) and snapshots. The VMDK (Virtual Machine Disk) files are equivalent to the real hard drives, except they are virtual. Many forensic tools, including EnCase can analyse VMware (.vmdk) data files or mount them (FTK Imager, Mount Imager Pro etc.). The problem is getting VMDK files out of VMFS without ESX or ESXI infrastructure. There are several solutions to this problem.

Open Source VMFS Driver was written by fluidOps in Java; it's free and allows read-only access to files located on VMFS partitions by utilising many operating systems including Windows. Java version 6 is required to run it. All you needed is to mount E01 image containing VMFS partition with your favourite tool. I used to love Mount Image Pro and Smart Mount, but people change. I am using FTK Imager v3 now for obvious reasons; it doesn't cost me anything and no pain with dongles or registrations.

Mount TYPE is PHYSICAL.

Running the following command should get you into the partition via webdav interface C:\vmfs_r95>java -jar fvmfs.jar \\.\PhysicalDrive4 webdav

Next navigate to http://localhost:50080/vmf and you should see VMDK files you were after.
Correction: I forgot to put an "s" at the end of the above address. The correct address would be http://localhost:50080/vmfs Thanks Tim for pointing this out.

The world isn't perfect though and you may run into a couple of problems:

Problem 1:
You may get an error similar to this:
Exception in thread "main" java.io.IOException: VMFS FDC base not found
at com.fluidops.tools.vmfs.VMFSDriver.openVmfs(VMFSDriver.java:1180)
at com.fluidops.tools.vmfs.VMFSTools.cli(VMFSTools.java:225)
at com.fluidops.tools.vmfs.VMFSTools.main(VMFSTools.java:492)

Problem 2:
There are several partitions inside your E01 image; some of them could be FAT12 "Hypervisor" partitions, which is enough for fluidOps driver to give up on you.

There are several ways of getting inside however. In my case I happened to have VMware Workstation installed on my machine and one of the guest OS was Ubuntu 10.10. I have added Hard Disk (PhysicalDrive4) to my Linux guest OS and started it.

vmfs-tools is yet another tool, which is "originally loosely based on the vmfs code from fluidOps" and allows read only access to VMFS file systems from non ESX/ESXi hosts.

In Linux I installed vmfs-tools by running: sudo apt-get install vmfs-tools and typed the following command: sudo fdisk –l

The above shows that the vmfs file system is located on /dev/sdb3

The next command is to mount VMware VMFS partition:
mkdir /home/a/Desktop/system and vmfs-fuse /dev/sdb3 /home/a/Desktop/system
and see what's inside.... ls -alh

I then connected (1TB USB Seagate Freeagent GO) to the virtual machine and copied the files for further analysis. DONE.

P.S. Paul Henry did a good write-up on a similar subject here.

GPU password cracking.

2011-01-22T00:29:00.004+11:00

GPU acceleration has been used to crack passwords for some time now. This is due to GPU's parallel layout, which is a hip better at large-scale mathematical operations compared to ordinary CPU’s. Before, there was only nVidia with its CUDA SDK. I must admit that while I was building the lab and doing lots of administrative work, I totally missed the arrival of AMD’s Stream SDK. It appears that ATI Radeon cards are much faster at crunching the numbers, in some cases x 10 times and software developers are quickly adding support for ATI cards. I just discovered a nice blog on password cracking by Vladimir Katalov from ElcomSoft. The blog is very informative and a good read. The author mentioned that a new version of Elcomsoft Phone Password Breaker for example already supports both nVidia and ATI cards achieving speeds around "7,000 passwords per second on NVIDIA GeForce GTX 580, and about 20,000 passwords per second on ATI Radeon HD 5970".

Sleuthkit 3.2.0 on Ubuntu 10.10

2010-12-15T07:09:00.003+11:00

Some time ago I have written a short "how-to" in relation to installing the Sleuthkit on Ubuntu. Recently I have tried to install the latest Sleuthkit 3.2.0 on Ubuntu 10.10 (32-bit) and ran into a problem when compiling it. It took me some time to figure out how to get it working.

Step 1:

sudo apt-get install libewf1 libewf-dev zlib1g-dev build-essential libexpat1-dev libfuse2 libfuse-dev fuse-utils gvfs-fuse libncurses5-dev libreadline-dev uuid-dev libssl-dev

Step 2:

Download and extract afflib 3.6.4
In terminal go to the extracted directory and run the usual
./configure
make
sudo make install

Step 3:

Download Sleuthkit 3.2.0 and extract it. Next I had to apply a quick fix by adding LDFLAGS link option to configure.ac file located inside the extracted sleuthkit-3.2.0 directory. Adding the following line LDFLAGS="$LDFLAGS -lsqlite3 -lpthread -ldl" seems to fix the problem.

I then navigated to sleuthkit-3.2.0 directory in terminal and run

./configure
make
sudo make install

DONE

iSCSI initiator on Win 7

2010-12-07T03:31:00.001+11:00

F-Responce (and Helix3 Pro) both can be handy for imaging over iSCSI. Win 7 iSCSI initiator looks slightly different to Win XP.

Typing iscsicpl and hitting enter brings the initiator.

In Discovery tab press Discover Portal. This should open another window Discover Targt Portal. Enter IP address and port (if not default) and click Advanced button.

In Advanced Settings window mark Enable CHAP log on and enter username and password as per F-Responce target configuration.

The target(s) should appear in Discovery tab.

In Targets tab there should be the drive with status indicated as Inactive.
Click connect button.

Another window will open and there will be an option to add this disk to favorite targets. It is up to you if you 'd like to do that or not. Click Advanced button.

The same proceedure here, Enabling CHAP log on and entering username and password.

The drive should be connected now.

Imaging SAS drives the easy way.

2010-11-30T02:04:00.003+11:00

Every time a came to image machines with Serial Attached SCSI (SAS) hard drives, I thought about SAS writeblocker. The problem was that there were no such things available. Live CD's, F-Responce, Live Imaging, SAS to SATA Adapters (I haven't tried this one) or SAS cards were the only options. I am glad that recently Tableau came up with one such device. It is called Tableau T6es SAS and I am just about getting one.

Many nice things have already been said about FTK Imager 3, which is certainly my tool of the year. It even works from USB Flash drive with all these nice new features for mounting image files. Just copy the folder from "C:\Program Files (x86)\AccessData\FTK Imager" onto your portable drive and you are pretty much set.

iOS 4.2 has arrived!

2010-11-23T07:24:00.006+11:00

Apple iOS 4.2 Software has finally arrived making my beloved iPhone and iPad even more functional and probably introducing new bugs/vulnerabilities. I must admit that I have lately jumped on the Apple wagon, even right now I am typing this blog on MacBook Pro :-) .

I still do most of the forensic work on Windows machines and only occasionally utilising Linux.
Having a busy life lately, I have Mac(s) mostly for personal use, and the main reason for choosing Apple devices for me was it's functionality, relative security and low maintenance.

I recently attended a presentation, where several current Windows vulnerabilities/hacks have been demonstrated. These little beasts were able to disable all major antivirus solutions, even when executed with 'guest' privileges. Another logical attack vector on commercial antivirus software would be an attack on it's license, for example by corrupting the license or changing the clock to the future, making AV's license expired. Several commercial products dropped it's defences in my tests straight away.

The funniest thing was that the above mentioned presentation was given right after a computer forensic presentation by a young and very enthusiastic person, who was questioning the need to have a forensic machine disconnected from the Internet, while performing the examination. I simply have no time or energy to deal with possible security compromises and other issues that may arise from having my forensic machine connected to the Internet. At the end of the day I have bought these Apple gadgets to safe my time for something better than constantly fixing my home Windows computer or checking firewall and security logs on my forensic machine :-) after each forensic examination.

BranchCache - Distributed Cache Mode

2010-11-15T22:40:00.000+11:00

BranchCache is designed to solve problems with the availability of information in remote offices with slow WAN connections.

According to Microsoft BranchCache is only supported on Windows Server 2008 R2 and Windows 7 Enterprise and Windows 7 Ultimate. The technology supports two modes: Hosted Cache and Distribute Cache. It allows data to be cached on computers in the remote branch office and is made available to other computers in the branch.

In Hosted Cache mode, the content is cached on a Windows Server 2008 R2 content server on the remote branch network. In Distributed Cache mode the content is distributed between Windows 7 client computers on the remote branch network and no additional server infrastructure is required. When distributed mode is enabled, a client computer first receives information from the BranchCache content server at the head office. The next client computer that requests the same information from the head office only receives the (small in size) content information and actual content is obtained from another client computer in the remote branch.

Files changes are monitored by using hashes. If the client is unable to locate the necessary file in his own cache, it sends requests to the local subnet via UDP protocol and then fetches it from one of the local client computer via HTTP/HTTPS.

Not only the actual content, but the requests and 'content information' might potentially be a good source of valuable evidence.

Evidence movers

2010-09-27T18:42:00.000+10:00

Using an evidence mover helps to transfer files around and preserve its integrity. It is also savesa lot of time on image verification after the evidence have been transferred. I have been using MicroForensics Evidence Mover (the latest version is 1.1.17) for quite some time now. It is a nice free tool. There is one little problem with this tool. When the destination drive becomes unavailable, MicroForensics Evidence Mover happily reports that all files have been successfully transferred. Unless you check for the logs and make sure that every (source) file has been listed in the log, there is a good chance that the transfer is incomplete.

Nuix Evidence Mover 2.0.21 is also free and looks and feels like the one from MicroForensics, except one little detail. The tool from Nuix actually reports that all files have been transferred OK. If the destination drive becomes unavailable during the transfer, you will not see the line similar to this one:

09/27/10 12:09:58 - All files were moved successfully

DRM protection

2010-09-17T04:37:00.001+10:00

This pastebin http://pastebin.com/kqD56TmU
page probably has been one of the most visited place lately. Hardware Blu-Ray rippers HDfury2 and DVIMagic may soon have software competition due to the HDCP master key getting out in the wild.

FTK RegEx

2010-09-11T01:24:00.004+10:00

FTK 3.x "PATTERN" is using Boost C++ RegEx libraries, which is a new name for Regex++.

There are three main syntax options available for Boost: Perl, POSIX extended and POSIX Basic with Perl being default. It is good to know that FTK is definitely using Perl implementation. The exact RegEx syntax is available here.

... and yes, I am back. .. well kind of... I'm just not sure how often I 'd be able to post here.

This blog will be updated soon!

2010-02-25T18:45:00.003+11:00

This blog has not been updated for some time. I am planning to update it soon.

Acronis Try&Decide

2010-01-30T00:30:00.014+11:00

Acronis True Image Home 2010 is a backup utility that offers ability to perform full, differential and incremental backups. Be able to mount Acronis back-up image as a logical drive in read or read/write mode is also handy. Acronis True Image is more then just a backup software however. It includes Disk Cleanser, File Shredder, and System Clean-up, which wipes data stored on a hard disk, individual partitions or individual files.

The software also has a nifty feature called "Try and Decide". As the name might suggest, it is designed to give users a second life whilst they make potentially dangerous changes to the system. It is easily activated by pressing "Try&Decide" button.

When Try and Decide is activated, all the changes made be the user are recorded in an automatically created folder named "Acronis Try&Decide" on external hard drive instead of drive C. Virtualisation technology is used to "isolate your "real" operating system from changes" and there is no need to install VMware or other virtualisation software.

Try&Decide continue working after the system reboots. Upon completion, the user is presented with options to accept or discard the changes.

After changes have been discarded and Try&Decide was stopped, the folder "Acronis Try&Decide" gets automatically deleted.

Inside "Acronis Try&Decide" folder the program creates a sub-folder that looks similar to C59FD9A9-D675-48B8-80E2-38662B09C411. This sub-folder contains a single file where all temporary data is being stored by Acronis. Searching for hex value 4163726f746e6430 should locate this file unless it has been overwritten.

Knowledge - Management and Retention

2010-01-13T20:42:00.004+11:00

Along digital forensics and information security I have always been interested in knowledge management and knowledge retention subjects. These areas are especially relevant to Information Security/Digital Forensics because these disciplines heavily rely on highly knowledgeable professionals. When such professionals leave the organisation, they create a giant gap that has to be filled.

There are several publications on this topic, many of them packed with unnecessary statistical data, useless formulas and usually boring as dry toast.

I just finished reading a book by Jay Liebowitz "Knowledge Retention Strategies and Solutions" and I was pleasantly surprised by the quality of material. This book is written to be concise and full of insights and knowledge of topic.

It is hard to disagree with the author who suggests that "younger workers are less likely to stay with one employer for more than a few years" and that a "learning organization" must develop "knowledge retention strategies so that critical knowledge does not walk out the door".

Unfortunately, I haven't seen many such organisations around, at least not in this industry. Instead, I came across many good professionals who would keep their expertise to themselves and only share the knowledge when it suits they own interests. In his book Liebowitz identifies major challenges to knowledge sharing and states that 'about 80% of knowledge management is people, culture, and process, and only 20% is technology' such as document management systems, wiki's etc. He suggests that the experts should be motivated to share their knowledge "through being recognized and rewarded". Of course this would require a competent management capable of creating the right atmosphere and build a high level of trust throughout an organisation.

The author also mentioned the knowledge-engineering paradox, which I found to be quite amusing but dead right. The knowledge-engineering paradox 'means that the more expert an individual, the more compiled his/her knowledge and the harder it is to extract that knowledge'. Recently, I was surprised when someone told me, that occasionally it is hard to get a quick technical explanation from me. I thought about it for a moment and then realised that I have to decompile this information first and only after that, translate it to a language understandable by a non technical person.

This book is a good read and should be a valuable addition to every computer forensics manager's library.

Merry Christmas and Happy New Year!

2009-12-24T23:45:00.003+11:00

"We make a living by what we get but we make a life by what we give."

Winston Churchill

Computer Forensic Jobs in Sydney.

2009-11-24T19:37:00.005+11:00

One of the best organisations in Australia for advancing your career as a digital forensic investigator is now recruiting. The New South Wales Police Force State Electronic Evidence branch (SEEB) have a few positions opened for the qualified candidates.

What you get is a secure government job; good training; convenient location not far from Sydney Central Station; exposure to a wide variety of criminal cases, which provides you with an extremely valuable in this industry 'law-enforcement experience'.

Additionally, there are some great people over there with an extensive hands-on experience to learn from.

I suggest to check the selection criteria first, as there are strict conditions placed on the potential candidates in terms of qualifications and skills and of course criminal history.

Actually, there are two positions that are directly related to Computer Forensics, one forensic examiner and one R&D position. The third is a position for Sysadmin.

For those who interested, here is a link to these advertised jobs.

Ubuntu 9.10 installation problems.

2009-11-10T22:55:00.001+11:00

It appears that new Ubuntu 9.10 has a bug that may interfere with a smooth installation process normally offered by this distribution. Some SATA drives are not recognised by Ubuntu partitioning tool. These SATA drives however are visible via fdisk -l command or by gparted tool.

The problem appears to be caused by dmraid. Dmraid provides support for 'software RAIDs'. If normal LiveCD is used, then booting this CD and removing dmraid via synaptic is the easiest way to deal with this problem. After removing dmraid, installation can begin as per normal. Alternate installation CD allows "nodmraid" option, which can be accessed by pressing F6 at boot time.

Ubuntu 9.10 is now using "fourth extended file system" by default, speaking of which SMART-2009-11-08 is out. The new version provides "enhanced support for EXT4 file system".

(.pst) Documentation Specs are to be released by Microsoft

2009-10-28T22:02:00.003+11:00

Finally, Microsoft has decided to release PST specifications, so no more reverse engineering for forensic people. Here is the link to MSDN Blog.

Cyberspeak podcast Oct 25 2009 is out, Ovie and Bret eventually found the time for it. I have been listening Cyberspeak podcasts since the day one and it remains my favorite "computer forensics, computer security, and computer crime podcast". Keep up the good work boys.

Ubuntu 9.10 is due for release tomorrow (October 29th). Canonical guys always come up with a quirky name for each release such as Fisty Fawn, Gusty Gibbon, Horny Hardon :-), and Ubuntu 9.10 is no different, it is called "Karmic Koala".

Staying Up to Date with Technology.

2009-10-23T21:39:00.008+11:00

The only secret that you need to know
The passage of time is a one way flow
If you understand, joyously you’ll grow
Else you will drown in your own sorrow.

Omar Khayyam

Occasionally I found myself struggling to keep up with the rapid technological progress that we all witness today. Here is what I do for keeping up with it, which can easily be summarised into three main principles:

Learn
Embrace
Adapt and change your habits

Learn

I use Google Reader and Google News quite extensively to stay abreast of technology. I also utilise my “Blogs I read” blog roll to keep an eye on my favourite forensic blogs. I found that Podcasts, which I normally listen on the go, are great source of information & inspiration. Reading online publications, manuals and whitepapers became my daily routine.

Since I now have an iPhone, I use iTunes to manage all subscribed Podcasts. Recently, I discovered and became a great fan of Apple’s “iTunes U”, which is a part of iTunes Store featuring FREE University lectures, audio books etc.

Books, books, books of course. They can be expensive if you buy them yourself. I consider myself a very lucky person, because I can get books for free as a reviewer at Computing Reviews. Although the review dead lines are quite strict and put you on a tight schedule, it also encourage you to read/finish the book and take comprehensive notes, which later can be summarised and converted into a review. If you have a master's degree and experience in computer related discipline, you may be eligible too. As a reviewer you have additional benefits such as free access to "over 19,000 reviews", be published in an Association for Computing Machinery journal etc.

Joining groups of peers from Computer Security/Forensic industry for formal or informal gatherings can help gaining reality checks on your current level of knowledge, seek out advice and guidance on technical issues and receiving valuable feedback. If you are in Sydney, AU send me an email and you may get invited to one of our monthly informal assembly [subject of approval by all members]. Attending conferences and courses is beneficial but in real live is not always possible due to involved, so I want go into this right now.

Embrace

I still believe that Windows XP is a great Operating System and I use Win XP 64-bit machine as my primary forensic workstation. However, for this blog post right now I am using Windows 7 Professional that just came out. It doesn’t mean that I love it so much. I have started using it, and not just playing with it, early and in a non-production environment to learn the OS. Hopefully, when I get the job involving Win 7, I wouldn’t have too many surprises.

iPhone is another example, you don’t have to like the phone, which I actually do. You simply cannot learn everything by attending iPhone forensics course if you never seen or used iPhone before. I didn’t know for example that when iPhone is plugged in to a computer to transfer music etc, a backup copy of the iPhone is automatically created on this computer. This backup contains a wealth of information such as photos, notes, email account settings, contacts, calendars, call history, SMS messages, bookmarks, browser history and currently open pages etc. iPhone’s backup files is a separate topic though.

My point is, get yourself out of the technological comfort zone and don’t be afraid to dump your favourite web browser, at least for some time, and use something new. There is a good chance that you come across this new browser again during the forensic investigation.

Adapt

Use Google docs or another corroboration tools to do your (non sensitive) work, take notes with electronic Mind Maps, set up Google calendar and get free SMS for upcoming event. Learn how these tools work and become more productive. It definitely helps me to be more productive, better understand the technology and trends.

Sources Of Knowledge - How To Gain Knowledge In Any Field
(by Syd Hs)

Taking a break from blogging!

2009-09-21T13:10:00.001+10:00

This month I got myself an iPhone and I spend all my free time playing with all the cool things instead of blogging. I am planning to resume my ‘normal’ activities next month.

On a more serious note, I am currently busy doing some studies and also reviewing a book for Computing Reviews, which takes up all my time outside work. “…and Yes, I did get the iPhone 3GS 16GB. I have to say that I love and hate it at the same time.

Mounting Parallels HDD and HDS files

2009-08-28T13:45:00.006+10:00

During examination of a Mac Laptop, I located a file similar to winxp.hdd.0.{5fbfaae3-6747-49ff-82a7-750e329bcb51}.hds. Further digging revealed that Parallels Workstation was installed and used on this computer and virtual machines have been later deleted. I found a good link that explains how to deal with .hds files. I then searched for .pvs files and DiskDescriptor.xml and was lucky to find a couple of DiskDescriptor.xml files. On of these files contained GUID 5fbfaae3-6747-49ff-82a7-750e329bcb51 and stated that the virtual disk is compressed. The rest was easy. I renamed winxp.hdd.0.{5fbfaae3-6747-49ff-82a7-750e329bcb51}.hds to winxp.hdd, went to Start -> All Programs -> Parallels and fired up Parallels Image Tool which was installed by default together with Parallels Workstation. With this tool I converted winxp.hdd to plain hard disk image, which took only a few minutes.

I then used my favorite free tool called ImDisk to mount the converted hard disk image. Default settings worked fine and ImDisk was able to mount 'converted.hdd' file in read-only mode.

Edit: The new version of Parallels Image Tool uses a little bit different GUI. Converting to the plain format is now done by going to "Manage disk properties" option. The quote "The perfect is the enemy of the good." from Voltaire's Dictionnaire Philosophique (1764) is quite relevant in this case because the latest version may not always successfully convert "old" HDS files, so do not yet through away/uninstall your old version of Parallels.

Quick notes

2009-08-15T18:04:00.023+10:00

VirtualBox dynamic disks (VDI).

Analysing VirtualBox VDI files can be sometimes tricky. It is not a problem when VDI file has header type 2, which means that you are dealing with a fixed disk. Searching for partitions with forensic tools such as EnCase or my all times favourite X-Ways Forensics makes the examination no different to examining ordinary dd or E01 files. MakeSparseVDI that comes with VirtualBox can parse information from the VDI header and partition table. This information can be used to mount fixed VDI files with ImDisk, normally by pointing it to the partition start, which is usually located at offset 73728.

The old version of VirtualBox used to have a nice utility called vditool that could carve out the raw disk image. There is a good write-up in 'Forensic Incident Response' blog about VirtualBox analysis. There were several updates since that time and vditool is no longer present and has been replaced with VBoxManage. The later can convert raw images to VDI but not the other way around. (As it turned out this is not the case. See below for details. VirtualBox help doesn't have this inforamtion. This site is more useful .)

Dynamic disks have value 1 at offset (decimal) 76 and they are not so easy to work with. Unlike flat volume images (fixed disks), dynamic disks cannot be mounted with the above mentioned tools. The only tool/method that worked for me was WinMount. It mounted VirtualBox dynamic disks with no problems. The tool has read-only option that is enabled by default in WinMount V3.2. It also capable of mounting VHD (Virtual hard disk) and VMDK (VMWare), comes with 30 days trial period and cost $61.24 AUD.

Evgueni Tchijevski posted an easier way to deal with VDI disks - vboxmanage internalcommands converttoraw source destination. It works great, thanks Evgueni.

Acquiring RAM on latest Ubuntu or Fedora becomes a little bit problematic.

/dev/mem is now protected by default. "The CONFIG_STRICT_DEVMEM kernel option was introduced to block non-device memory access."

/dev/kmem is disabled by setting CONFIG_DEVKMEM to 'n'.

RAM acquisition via FireWire option looks really attractive now. There are two topics however that I am not prepared to discuss in this blog, and these topics are FireWire RAM acquisition and Encryption.

My favourite quotes about digital forensics and security by Richard Drinkwater and Richard Bejtlic.

Richard Drinkwater

"I don't validate my tools - I validate my results."

Richard Bejtlic

"The digital security field is incredibly complicated and anyone who claims to be a master of the entire field is a fool. In fact, mastery of any single subject might require such narrow focus as to be of little relevance to the remainder of the field. Those who are most successful have carved some niche out of the security landscape, but still understand the rest of the arena."

Both hit the nail on the head!

Digital Contamination

2009-08-04T22:34:00.005+10:00

Using your mobile on a plane may not be an issue in the near future as more airlines allow its passengers to make and receive calls during flights. However, the opposite might also be true when it comes to having your mobile phone switched on during search warrants or incident responses.

Almost all latest mobile phone models now come with Wi-Fi and/or Bluethooth capabilities. These phones are often used by incident responders and digital forensic specialists, who attend search warrants or scenes of crime. Given the fact that it is almost impossible to find a laptop or desktop computer used by suspects without some kind of wireless network device built in or connected to it, the potential for accidental digital contamination should not be underestimated. Your Wi-FI or Bluetooth enabled phone could potentially be detected by the suspect's laptop and later you may find your mobile device network name (or even worse - your own name) logged by the suspect's machine.

Furthermore, Google Sync, SyncJe, the Missing Sync and many other mobile phone applications are capable of wirelessly synchronising iPhone, BlackBerry, Windows Mobile and some Nokia and Ericson standard phones with the base computer. The items that normally got synchronised are contacts, calendars, email account settings, webpage bookmarks, notes, music and photos. Theoretically, depending on set preferences these items may get automatically synced between your mobile device and the suspect's computer "if care is not taken to ensure that the investigator's devices have had their wireless functions disabled prior to approaching a suspect's device..." [Angus M. Marshall]

I am just wondering how many organisations/practitioners have implemented safeguards/policies that are dealing with the issue. I am adding a poll to my blog that will run for a couple of weeks, so please take you time to answer the question.

Does your organisation have a policy mandating wireless devices off during forensic examination?

Vista Timestamps

2009-07-04T19:39:00.021+10:00

Timestamps can certainly be tricky because of many factors that can affect its accuracy. This fact however doesn’t automatically mean that file timestamps cannot be relied upon as evidence. This usually means that more work needs to be done by a forensic examiner to:

Correlate events from different sources.
Identify the factors leading to the timestamps changes.

Correlating events from different sources.

Some time ago a came across of an article about ‘selective enhancement’ method used to reconstruct a digital photograph from digital video footage. This method takes advantage of the fact that different frames are slightly different because the object moved or the light source is changed. These differences are collected and then utilised in reconstructing the image. Now going back to digital forensics, correlating events involves the process of identifying alternative sources of evidence. Taken out of context, such evidence may be viewed as an irrelevant or insignificant detail in the presence of more weighty findings. Nevertheless, this kind of evidence may become crucial in reconstruction of events and is too important an area to neglect.

Identify the factors leading to the timestamps changes.

There are many factors that can affect timestamps including, but not limited to various scanning or indexing applications, changing the system clock, the clock skew or using anti-forensic tools. Unless the application responsible for altering time stamps has been resident in memory for a long time, such applications are identifiable based on its execution time.

The knowledge and experience plays a critical role in the process of verifying the accuracy of timestamps. There are many publications available on the Internet that discusses timestamps and Vista timestamps in particular. You can find a link to these publications in my old post. Yet, there are several recent ‘white papers’ on the Internet that just can’t get Vista timestamps right.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
Value Name: NtfsDisableLastAccessUpdate
Data Type: REG_DWORD (DWORD Value)
Value Data: set 1 to prevent the Last Access time stamp updates.

This doesn’t indicate that no ‘Access Time’ would not be updated at all. By simply experimenting with a text file sitting on your (if you have Vista of course) desktop, you would be able to quickly determine that ‘Access Time’ value doesn’t change on accessing and in most circumstances modifying the file would leave 'Acessed Time' unchanged. It will only change when you copy the file or move it to another volume.

Compound files such as MS Office .doc or .docx files and possibly certain other files such as .jpeg may also change 'Accessed Time' if these files have been modified.

More toughts on Visualisation

2009-06-19T22:36:00.017+10:00

Image by charmainezoe via Flickr

Information visualisation is a rapidly growing research field and I see more and more people become interested in using visualisation techniques in the field of Digital Forensics. There were a series of discussions about "Visualisation" on computer forensic forums and digital forensics blogs. Last week I attended Australian High Tech Crime Centre (AHTCC) conference in Sydney where I met with a couple of researchers who were also interested in doing a research in this area.

Visualisation is a process or technique that graphically represents the collected data to enable better understanding of its significance. I have been using visualisation techniques since late 1990's after I discovered Mind Mapping technique, which was originated by Tony Buzan. Since then, I have successfully used visualisation for learning and in various presentations.

There appears to be many attempts made to enhance digital forensics techniques by adding visualisation to it. This is a welcome move considering the problems faced by forensic examiners while processing increasing quantities of digital evidence. These attempts however are mostly focused on automating the entire process, which in my view leads only to a dead-end. I believe that visualisation techniques, at least in digital forensics, must be separated in two distinct areas of 'analysis' and 'presentation. They are two different paths to two different goals.

Analysis

The analysis side of visualisation involves digital data processing to produce data suitable for further analysis, pattern discovery, pattern analysis, detection of anomalies etc. In my opinion this is the most challenging area of visualisation. This is the knowledge discovery stage, which employs data reduction and data interpretation techniques and can only be performed by a qualified and experienced forensic examiner. Once such data processing is successfully carried out, a visual representation of digital evidence would enable a forensic examiner to see trends or relationships between various sets of data.

Presentation

The presentation side of visualisation is simply a technique for making the facts visible and easily understood by the target audience. The significant relationships discovered during the analysis stage needs to be emphasised with vivid colours, charts, "3D" representations or Mind Maps. This PowerPoint presentation by the Department of Image Processing and Neurocomputing of University of Pannonia is good start.

Sparsing - New technology set to revolutionise digital forensics.

2009-06-10T23:14:00.011+10:00

Image via Wikipedia

Periodically forensics examiners have to acquire large amounts of data and often facing a dilemma whether to compress it or not.

Using compression usually means a performance trade-off.

In circumstances when both, time and available storage are limited, X-Ways Forensics can be an invaluable tool. It is capable of creating compressed .e01 evidence files by utilising 'adaptive compression'. Unfortunately, compression negatively affects forensic examination at a later stage because compressed disk images must be decompressed before they can be used by forensic tools such as EnCase or FTK.

Raw (dd) images are commonly used because they work with practically every forensic tool. On the other hand, raw images are not compressed and one may end up with a very large dd image even if the drive contained very little amount of actual data.

Smart Acquisition Workshop or simply SAW is a "Data Acquisition and case management framework" from ASR Data. It utilises 'sparsing' to deal with large drives most commonly found on mid-range to high-end server systems. Vast majority of these drives are only 50% to 80% full and the rest of the storage contains no data (0000). When SAW is used, only nonzero data is collected and locations on the drive containing no meaningful data (all zeros) are only referenced. This method offers significant reductions in size of the forensic images and also avoids the need to decompress the data during the analysis stage. The hashing process is utilised during acquisition of the evidence to insure the integrity of the data. SAW forensic images then can be mounted with Smart Mount (available for Win32, Linux and Mac platforms) and analysed with a forensic tool of the choice. SAW can also convert the acquired 'sparsed' image to a raw image at the same time preserving integrity of the data.

During the recent demonstration a 2TB sample forensic image stored on a portable 200Gb USB drive had been mounted on a regular Eee PC without a problem.

Sparsing is not entirely new concept and NTFS for example provides full sparse file support functionality. "With the sparse file attribute set, the file system can deallocate data from anywhere in the file and, when an application calls, yield the zero data by range instead of storing and returning the actual data." Knozall Software, Inc.

What is really new is the fact that this technology has been successfully applied to digital forensics with its strict data integrity requirements. SAW provides for several other functions including: converting other forensic images to sparse images and creating VMware .vmdk files directly from these images.

FTK Imager can acquire RAM

2009-05-21T21:50:00.007+10:00

FTK Imager 2.6.0 got a new functionality. Finally, it can capture RAM. There is no portable version as yet, so I can't see much use for it at this stage unless it can be used with F-response? I found FTK Imager be much slower compared to my favourite X-Ways Forensics tool. Additionally, I was unable to acquire RAM with the new FTK Imager on Win 2003 Server with 8GB RAM, the acquisition just stopped at 48%. I should mention that the new version of this popular imaging tool got a few bug fixes and 'improvements' listed here.

Speaking of RAM, VMware vSphere 4 supports a few TB of memory on the host server and up to 256GB of memory for a guest. That's a lot of RAM and perhaps this is the future of any forensic lab. Whilst the Cloud is often viewed as a "cost savings" that comes together with a loss of control of the computing infrastructure and various information security issues, the future may be in private cloud networks. These private clouds are capable of delivering flexible computer networks that are able to accelerate when and where it is needed most.

Parsing setupapi.log

2009-05-02T21:10:00.008+10:00

I mentioned about setupapi.log files in one of my posts a few months ago. Since that time a couple of good tools were released that makes my life easier when working with setupapi.log files.

One of such tools is called SetupAPI Extractor or SAEX. It is still in beta and is currently free. The tool only works with Win XP setupapi.log files and there is no support for Vista's setupapi.app.log and setupapi.dev.log files yet. The best thing about this tool is its ability to parse the log files and extract only
the information you need.

Another tool I often use to work with various log files including setupapi.log files is Mandiant Highlighter. It was previously mentioned on Cyberspeak and is free to download. It works with ANY text files and allows users to highlight relevant keywords or remove unrelated lines. In case of setupapi.log files, setup event id like #-199, #140 or placeholders such Device_Description, Manufacturer_Name or Hardware_ID can be either displayed or removed, making the information contained in Setupapi logs more manageable.

Ubuntu 9.04 guest in vmware - sluggish mouse.

2009-04-30T17:16:00.004+10:00

I just installed Ubuntu 9.04 at work and enjoying my ‘dual screen via KVM switch’ panoramic view :-) which was not possible before due to the driver limitations.

I also tried to install Ubuntu 9.04 in VMware and it caused the mouse to be rather sluggish. Installing vmware-tools didn't help. Next, in SYSTEM > PREFERENCES > STARTUP APPLICATIONS and in startup programs tab I added the name vmware-tools and
/usr/bin/vmware-user & This did not fix the problem either.

The best option to solve this was to install xserver-xorg-input-vmmouse drivers by running the following command:
sudo apt-get install xserver-xorg-input-vmmouse. This completely solved the problem and everything now works as expected. I also found that some people were able to fix this with adding to their xorg.conf the following:

Section "InputDevice"
Identifier "VMware Mouse"
Driver "vmmouse"
Option "CorePointer"
Option "AlwaysCore"
EndSection

A couple of acrticles on DIGital FORensics.

2009-04-25T15:19:00.003+10:00

All my free time is now consumed by a 'little' python development project. I will try to keep this blog up-to-date with anything really worth mentioning. Whilst I am busy coding and refreshing my pretty rusty math skills, I still spend about three hours a week reading about digital forensics and information security (mostly on a bus or train). Last week I came across a couple of documents by Dr. Frederick B. Cohen, Ph.D. called "Fundamentals of Digital Forensic Evidence" and "A structure for addressing digital forensics". These documents are about application of digital forensics within a legal context and I personally find them quite educational.

Windows Event Logs

2009-04-18T16:44:00.018+10:00

The procedure for working with Windows XP and Windows Server 2003 (.evt) event logs has been well documented. Here are a couple of links on fixing .evt logs manually or by using a free tool and make them readable via Windows Event Viewer. Harlan also wrote Perl scripts that can parse evt logs without using the Windows API, so no header modification is needed.

Ensuring that forensic evidence in criminal cases is accurate and verifiable is only one side of forensic analysis. Making the evidence (forensic reports) presentable and easy to work with by all parties including defence, judges and prosecution is also essential. Making event logs readable and nicely formatted could sometimes be painful though. I found that the best tool to generate Excel Spreadsheet is EnCase built-in EnScript (case processor), and X-Ways Forensics provides perhaps the quickest way to produce nice HTML reports. It also automatically includes some useful information such as this:

Warning: wrong fileheader data regarding size of file
Dirty flag: 1, Wrapped flag: 0, Full flag: 0, Primary flag: 1

To get the report in X-Ways forensics, evt file needs to be opened first, after that you can go to Tools -> View or just press SHIFT + F9. You can also generate Excel Spreadsheet by opening the HTML report in Internet Explorer and going to File -> Edit with Microsoft Office Excel.

Also when working with FTK and using its Forensic HTML Report generation feature, it is possible to bookmark and export XML files (MSN History etc.) that wouldn't open in the browser. It may produce the error similar to "Cannot view XML input using XSL style sheet". That is usually sorted quite easily by adding XSL style sheet file (.xsl) from the same folder where the original XML file has been located.

Sunday, April 19, 2009

Lance Mueller posted a great article and his EnScript re: Windows Event Logs. Comments to his post are also worth reading.

Another interesting post re: Vista Event Logs by Rob Faber can be found here.

The Sleuth Kit and Autopsy on Ubuntu

2009-04-04T14:17:00.016+11:00

A quick installation guide for the latest TSK and autopsy on Ubuntu 8.04.
The default version of TSK and autopsy in Ubuntu repositories are sleuthkit-2.09-2 and autopsy-2.08-2. The latest versions are sleuthkit-3.0.1 and autopsy-2.21.

Step 1
Download afflib.tar.gz and unpack it with tar –xvf afflib.tar.gz
There are three dependencies to resolve before afflib can be installed.

Type sudo apt-get install build-essential zlib1g-dev libssl-dev
Then navigate to afflib folder and type the usual:
./configure, make, sudo make install

Step 2
Download libewf, unpack and install all three .deb packages

Step 3Install uuid-dev by typing sudo apt-get install uuid-dev
Then download sleuthkit-3.0.1.tar.gz
Unpack, and run ./configure, make, sudo make install

Step 4Download autopsy-2.21.tar.gz
Create your evidence directory, autopsy will ask for it later.
Extract autopsy and run ./configure, make, sudo make install

When asked, type the full path to your evidence directory and you done.

To start autopsy, just type sudo ./autopsy and follow the instructions.

Update for Ubuntu 9.10 - 25 November 2009

For Ubuntu 9.10 the procedure is similar except for Step 1.
afflib make may not work, and if you really want aff support, the simple solution is to download .deb files for older distributions.

The files below worked for me:
afflib-dev_1.6.31-0ubuntu1_i386.deb and afflib_1.6.31-0ubuntu2_i386.deb

and can be downloaded from these locations:

http://packages.ubuntu.com/intrepid/i386/afflib-dev/download
or
http://np.archive.ubuntu.com/ubuntu/pool/universe/a/afflib/

Step 2 is easy, just get all 3 libewf packages (just search with Synaptic).

The rest of the procedure is the same.

Updates for Ubuntu 10.10 and the Sleuthkit 3.2.0 are here

My blog statistics

2009-03-31T22:43:00.004+11:00

Some time ago I have played with Google Analytics and as a result here is my blog visitor's statistics, which I find quite educational.

The first one is not particularly surprising and shows which web browsers were used by geeks to view my blog.

1	Firefox	57.17%
2	Internet Explorer	28.05%
3	Opera	6.37%
4	Safari	3.74%
5	Chrome	2.58%
6	Konqueror	0.83%
7	Mozilla	0.63%
8	SeaMonkey	0.24%
9	Camino	0.05%
10	Mozilla Compatible Agent	0.05%

The second table displays the top 70 Countries for my blog readers.

1.	United States
2.	United Kingdom
3.	Australia
4.	Italy
5.	Canada
6.	Netherlands
7.	Germany
8.	South Korea
9.	France
10.	Brazil
11.	Spain
12.	Russia
13.	India
14.	Belgium
15.	Norway
16.	China
17.	Austria
18.	Malaysia
19.	Taiwan
20.	Singapore
21.	Japan
22.	Poland
23.	Sweden
24.	Czech Republic
25.	New Zealand
26.	Thailand
27.	Mexico
28.	Portugal
29.	Egypt
30.	Indonesia
31.	Denmark
32.	Turkey
33.	South Africa
34.	Brunei
35.	United Arab Emirates
36.	Greece
37.	Ireland
38.	Switzerland
39.	Hungary
40.	Hong Kong
41.	Romania
42.	Israel
43.	Finland
44.	Saudi Arabia
45.	Pakistan
46.	Lithuania
47.	Colombia
48.	Vietnam
49.	Dominican Republic
50.	Serbia
51.	Macau SAR China
52.	Croatia
53.	Ukraine
54.	Morocco
55.	Argentina
56.	Slovakia
57.	Slovenia
58.	Bahamas
59.	Philippines
60.	Bulgaria
61.	Trinidad and Tobago
62.	Panama
63.	Venezuela
64.	Chile
65.	Bosnia and Herzegovina
66.	Honduras
67.	Cambodia
68.	Iceland
69.	Ecuador
70.	Nigeria

WinRAR

2009-03-27T20:00:00.027+11:00

WinRAR is often used to protect information by compressing and encrypting various files. Since January 2002, WinRAR offers Advanced Encryption Standard [(AES) 128 bits] and it takes a considerable amount of time to decrypt/crack WinRAR files created with WinRAR version 3 and later. Usual techniques are to use Dictionary or Brute force attack utilising tools like AccessData PRTK/DNA or Elcomsoft ARPR (Advanced RAR Password Recovery) or AAPR (Advanced Archive Password Recovery). Even with Tableau Hardware Accelerator it is going to take considerable time to get in. Using FTK imported wordlists may significantly reduce the time of dictionary attack. The wordlist can be used by Elcomsoft password crackers and with PRTK/DNA it is possible to generate a custom dictionary from that list.

I found Elcomsoft ARPR to be much faster performing brute force (approximately 110 pwd/sec compared to PRTK 45 pwd/sec) and only around 21 pwd/sec for dictionary attack (one dual core PC). There is no Elcomsoft DNA (Distributed Network Attack) software available for archive cracking. From my experience, for brute force algorithm to find 4 printable characters passwords with the speed of 110 pwd/sec would take about a week to complete and more than a year for 5 printable characters passwords. PRTK is much slower then Elcomsoft at brute forcing and DNA should be used instead. I found that DNA dictionary attack with around 10 workers (computers) produced a speed of around 500 pwd/sec, which is about three times slower than using the Tableau TACC1441 Hardware Accelerator.

When performing a live analysis, the memory (RAM) dump may produce some valuable information, so it is worth getting the RAM dump even just to get WinRAR passwords stored in memory. I've had some success in getting the passwords from both the RAM dump and hiberfil.sys files by obtaining a word list and using it in the dictionary attack.

There are various tools available to decompress hiberfil.sys file and there are plenty resources discussing the procedure. X-Ways forensics offers the easiest way to decompress hiberfil.sys, and it handles well the fragments. It looks for \x81\x81 xpress chunks and starts decompression from that point. In fact, X-Ways Forensics will have the Edit Convert option greyed out, so the file needs to be opened in an editable mode. Usually I copy hiberfil.sys file somewhere on my desktop and use WinHex that comes with X-Ways Forensics to decompress it.

If no 'Encrypt Filenames' option is used, the filename in the encrypted WinRAR archive can be viewed in clear text. WinRAR also computes and stores CRC-32 values of the archived files and when the files are extracted, WinRAR computes the CRC of the extracted content and compares them with the CRC in the archive.

Where dictionary and brute force attacks failed, CRC can be used to search for uncompressed and unencrypted files on the hard drive that have the same CRC-32 value as encrypted files inside WinRAR archives. X-Ways Forensics is quite suitable for this task. All that is required is to Refine Volume Snapshot and change Computer Hash option to CRC-32.

CRC-32 generates a 32-bit checksum. It's important to note that the purpose of the CRC algorithm is to detect single bit errors during data transmissions and it is not designed to be collision free. Additionally, in theory a bad guy can deliberately generate two files with the same CRC-32 checksum without a problem, but in practise there are far more effective anti-forensic methods.

Useful little tools.

2009-03-13T17:24:00.017+11:00

Mail Viewer for Outlook Express versions 4+ (.idx .mbx and .dbx), Windows Vista Mail and Windows Live mail databases including .eml files. It is very similar to OE Reader and the web site states that it is actually based on MITeC Outlook Express Reader. No installation required, it has only one 520 KB executable file. The viewer handles attachments quite well (text and HTML view) and the most importantly it is absolutely free. It works on Windows 95 --> Vista.

This web site has several interesting little application that may be useful in digital forensics http://www.mitec.cz/

ImDisk Virtual Disk Driver is only 266 KB in size (compressed), 'works on both 32-bit and 64-bit versions of Windows' and allows mounting dd images in read & write and read only mode. dd images can be mounted with right click from Windows Explorer and by selecting mount new virtual disk (Picture 1). It only works with non-splitted dd images and doesn't accept encase images. This small utility with seamless integration into Windows Explorer also allowing you to right click on selected drive and acquire dd image (Picture 2). I have compared this image with dd image of the same drive acquired with FTK Imager and md5 hash matched. ImDisk actually was about 8% faster in acquiring the image then latest version of FTK Imager, but it doesn't create a log file and it is unclear how ImgDisk handles bad sectors and errors. I haven't played with command line switches yet, so the functionality may be already there.

Hard Drives with Zero Insertion Force (ZIF) Connectors

2009-02-16T21:53:00.010+11:00

Image via Wikipedia

If you are a first responder, then you may want to get yourself a couple of ZIF to IDE adapters, in case you don't have them yet. These new tiny laptops have become very popular and lots of them use hard drives or solid state drives with ZIF connectors. In situations when there is a limited time available to pull out the drive or suitable adapter is not available, I often use Helix3 Live CD.

This option works well when the computer I preview has a CD/DVD Drive. The problem is that not all of these new and portable laptops have one. Fujitsu Siemens AMILO MINI is a perfect example of the portable laptop that uses ZIF HDD and has no CD/DVD Drive built-in.

Then the options are:

1. Have a USB flash drive with bootable Helix3 or any other forensic Live CD. It is relatively easy to create such device with UNetbootin or by hand (just google for "Helix Linux on a USB thumb drive").

2. Have a portable external USB CD/DVD Drive with you all the time and use it to boot the suspect’s machine from the Live CD of your choice.

3. Get yourself ZIF to IDE adapter or buy the 'Hard Drive ZIF Adapter' from Digital Intelligence guys. It also comes with different cables for Toshiba and Hitachi drives.

NTFS-3G driver in Ubuntu 8.04.2 LTS

2009-02-08T02:06:00.012+11:00

The NTFS-3G driver used by Ubuntu may cause input/output error while transferring large (4.3Gb +) files. NTFS-3G version 1.2216 is the default NTFS driver in Ubuntu 8.04.2 and later. The latest STABLE Version is 2009.1.1 (January 22, 2009). Synaptic Package Manager or apt-get remove can be used to uninstall the default version.

There are no deb packages for the latest version yet, so ./configure -> make -> make install must be used to install the latest driver. Instructions and download link are here. No problems were detected after installing the latest NTFS-3G driver.

Interesting fact is that some drives may work just fine with the default drivers and some will fail and end up with the corrupt NTFS partition. Maxtor OneTouch II (300GB) worked just fine and Maxtor OneTouch III (500GB) got corrupted when I tried to write to it a few large files. Windows chkdsk with /f switch should fix the problem and make the drive accessible again.

The latest Helix3 Live CD is based on Ubuntu and also using NTFS-3G version 1.2216. When it is used to acquire an image or large files, it is probably a good idea to have some spare external storage for saving the data.

Helix3 Pro

2009-01-29T14:46:00.016+11:00

As expected, e-fense is moving to a commercial business model with their Helix3 Pro (to be released in April) and no free support or user's forum will be available to Helix users from 2 February 2009. To get access to Helix support and forum e-fense is introducing the membership for $19.95 a month or $239 a year. It is not very clear at this stage; whether Helix3 Pro will be available for free download to non-members.

30 January 2009
I have a clarification in relation to Helix3 Pro availability. The product will not be free ........... So Long free Helix!

Youtube videos:

e-fense Inc. announces new management team

Helix3 vs Helix3 Pro

2 May 2009

E-fense desided to keep a free version of Helix3 alive.

It can be downloaded at here.

Learning the Open Systems Interconnection Reference Model

2009-01-21T23:40:00.004+11:00

Here is a link for an excellent OSI model tutorial that I recently came across. It is good for refreshing your memory and includes mnemonics and even review questions.

Internet Explorer 8 in ‘anti forensic mode’

2009-01-17T21:38:00.016+11:00

Microsoft has introduced some new features to the new Internet Explorer 8, which is currently in beta. 'InPrivate' browsing mode, which has been called by the media "porn mode" is one of such features that I found to be worth looking at.

The similar functionality can be found in Firefox via plug-ins and built in Safari 'Private browsing', but given the significant market share of Internet Explorer this new feature may have some serious impact on the successful identification of the suspect's web browsing activities.

Here is some information found on IEBlog.

While InPrivate Browsing is active, the following takes place:

New cookies are not stored
All new cookies become "session" cookies
Existing cookies can still be read
The new DOM storage feature behaves the same way
New history entries will not be recorded
New temporary Internet files will be deleted after the Private Browsing window is closed
Form data is not stored
Passwords are not stored
Addresses typed into the address bar are not stored
Queries entered into the search box are not stored
Visited links will not be stored

It is very easy to switch to InPrivate mode by simply entering Ctrl+Shift+P. All tabs and new windows after that will also be opened in InPrivate mode.

'InPrivate' can be useful for corporations to make use of this feature as an additional step to negate their liability in various harassment etc. litigations. Some however may decide to turn this feature off and it is also easily done via editing Group Policies. Here is one way of doing this via GPEdit.msc

A quick search for artefacts left by 'InPrivate' browsing confirmed that there was no browsing history saved.

Whilst in 'InPrivate' mode I went to google.com web site and changed search preferences to "Do not filter my search results". Later I was able to recover this: http://images.google.com.au/setprefs?sig=0_Ai3r3BRa_NyzSVLmEfe1fo_5H6M%3D&hl=en&lang=all&safe=off&num=10&q=&prev=http%3A%2F%2Fimages.google.com.au%2Fimghp%3Fhl%3Den%26tab%3Dwi&submit2=Save+Preferences+

I then searched for "military tanks" pictures and clicked on several links. After viewing some images, I closed IE 8 and went searching for any traces of the above-mentioned activities. To accomplish this task I used X-Ways Forensics and Netanalysis tools. I was unable to locate my typed search term "military tanks" and no browsing history was found.

Searching inside
c:\Users\%USER%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RandomFolderName
produced good results and I was able to recover most of the deleted images.

Digging further confirmed that upon exiting 'InPrivate' mode, IE 8 deleted Temporary Internet Files and inside %Windows%\Temp directory. IE 8 beta 2 was tested on Windows XP and Windows 7 Beta test machines. In general, 'InPrivate' mode works as stated by Microsoft with only a few traces left behind, which means extra work for forensic examiners.

Antivirus and Last Access timestamps

2009-01-11T13:27:00.004+11:00

Last October I blogged about Time and Time Stamps . I have recieved a question in relation to Antiviruses and their ability to preserve the Last Access timestamp of files that are scanned by such AV.

I desided to post a quick answer here.

Corporate and Retail Antivirus solutions are usually designed a bit differently. Many corporate information systems are utilising various File Replication Services, Migration of files based on last access date and Backups. A non compliant Antivirus solution my result in excessive replications, long or failed backups of unchanged files, and failed security audits that are depending on Last Access timestamps.

A good example a corporate Antivirus solution that deals with such issues is Norton Antivirus (NAV) Corporate edition. To my knowledge since NAV version 7.61 Symantec includes "Preserve file times" option. This option allows restoring the Last Access timestamp of files that are scanned by NAV "Auto-Protect" module. See attached image of NAV Corp v 10 for details.

"During a scan, NAV will save various attributes of the file (file attributes, the security descriptor GetFileSecurity, last access timestamp, and so forth) before the scan so that the file can be restored to its original condition.... " Microsoft Article ID: 284947

On the time forensics site you can find a resonable quality research paper by K. Chow, F. Law, M. Kwan, P. Lai called "the Rules of Time on NTFS" that describes the relationship between file searching tools, Antiviruses and the Last Access Time Stamp. Just keep in mind that there are also Corporate Antivirus Solutions and other tools, which may be using defferent methods to open files.

PTK 1.0.2 on Ubuntu

2008-12-12T23:18:00.024+11:00

PTK 1.0.2 is the latest GUI based forensic tool by DFLabs. It is 'an alternative Sleuthkit Interface' that works with the Mozilla Firefox, Safari, Opera and Chrome browsers.

I have played with the version released prior to PTK 1.0 in October this year and found the project to be very promising but completely unusable and buggy. Today I have installed and tested the latest version of PTK and must admit that DFLabs guys put a lot of work to make this application more stable and more useful.

The installation is very simple; I just follow the instructions and was up and running in about 15min. This version of PTK only works with Sleuthkit 3.0.0, which is not on default Ubuntu repository yet, so I had to manually download and install it.

I liked its tabbed interface as well as Timeline, Gallery and Keyword Search features. Report creation option worked quite well.

Creating filters to search for specific file types within the specified timeframe is a nice feature. The speed and responsiveness of the application is not great, but acceptable from the usability point of view.

It is still not a bug free application yet, if there is such thing.

I came across PTK version 1.0 vulnerability report by Secunia Advisory stating that PTK is vulnerable to 'an input validation error' when handling forensic images. It is somewhat unusual to read a vulnerability report about Forensic Tools simply because the different environment these tools are designed to operate. I then found on DFLabs web site a very good response in relation to this particular vulnerability report and I have nothing further to add to this.

Conclusion:

This is a free forensic tool with great potential!
I will keep an eye on this tool, but will not be using it for forensic examinations yet.

Backwards incompatible Perl 6 & Python 3.0

2008-12-07T15:39:00.002+11:00

Both Perl 6 and Python 3.0 are made backwards incompatible with the previous releases due to the changes made in both languages. It appears that at first, these new versions are going to be much slower (10% +) than their predecessors and will be optimised in the future releases. Python 3.0 was released on 4^th December 2008. Python 2.6 however will be developed and maintained until version 2.9, which is still a few years away. 'A Byte of Python' is a free ebook for those who want to learn Python. It has already been updated for the Python 3.0 language.

Write blockers - firmware

2008-12-01T10:56:00.001+11:00

Update your write blockers with new firmware. It may be the case that a person responsible for maintenance of your forensic lab and equipment has left the organisation and your forensic equipment is left without proper attention and no one in the office gets manufactures notifications about available updates. Some updates resolve only minor issues and offer support for newer devices but there are also updates that are critical.

The upgrade process is quick and easy. Testing and documenting also takes only a few minutes. The Tableau Firmware Update tool can be found here.

Recovering web browser passwords

2008-11-29T16:13:00.002+11:00

All popular web browsers offer a password manager option to store usernames and passwords of the visited websites. It is possible to recover these usernames & passwords and in some cases view dates and times when a person registered/logged in with these credentials the first time.

1. Internet Explorer - IE PassView

2. Mozilla Firefox - PasswordFox v1.10

3. Safari – Method applicable to several web browsers

4. Opera – Unwand

5. Google Chrome - ChromePass v1.05

There are some other utilities incl. commercial versions, which I have not tested. The above mentioned tools are free and tested to be working.

A bit of technology in a world of geeks

2008-11-23T15:51:00.005+11:00

Tesla Personal Supercomputer under $10,000 with Nvidia graphics processing unit (GPU) inside and utilising parallel computing architecture. Claims are that Computers with the Tesla C1060 GPU processor have 250 times the processing power of a PC workstation. It should be good for password cracking :-).

Microsoft is going to offer a free anti-malware solution codenamed "Morro" to provide 'comprehensive protection from malware including viruses, spyware, rootkits and trojans'. Windows Live OneCare will no longer be sold from June 30, 2009. Hopefully it would have a positive impact on stopping malware from spreading without killing the sales figures of other anti-virus vendors.

Faster FireWire and USB speeds

Next year we may see a new version of FireWire known as S3200. This new version is to deliver a peak of 3.2 gigabits per second (400 MB/s) compared to the current 800 megabits (100MB/s).

The new USB 3.0 also called 'USB Superspeed' is set to multiply USB 2.0 (480Mmb/s) bandwidth tenfold and will transfer data at speeds up to 4.8Gbit/s. That would allow transferring a 27GB of date in only 70 seconds. USB 3.0 is designed to be backwards-compatible with USB 2.0 and USB 1.1.

17/12/2008
Here is an interesting link re: USB 3.0

CISCO Routers forensics

2008-11-19T16:41:00.003+11:00

Some interesting links to resources about forensics on CISCO routers.

B ook "Cisco Router and Switch Forensics" by Jesse Varsalone

Powerpoint presentation "Cisco Router Forensics" by Thomas Akin, Black Hat Briefings, 2002

Powerpoint presentation "Router forensics DDoS/worms update" by Nicolas Fischbach, Senior Manager, IP Engineering/Security - COLT Telecom

Another interesting document "Auditing CISCO Routers" by the Technology Pathways

A document called "CISCO Routers as Targets" by Joshua Wright

Ms.S. Thesis "Forensic examination of log files" by Joan Petur Petersen

My forensic 'dream' machine

2008-11-15T21:56:00.014+11:00

Here are the specs for a forensic machine I would like to get one day.
Intel Dual-Core Xeon Processor X5272
There is no point to use quad core because current forensic applications are not designed to take advantage of multi-core CPU's
8GB ECC Registered DDR2 Memory

ECC uses an advanced error correction system that can correct data transmission errors on the fly. Because ECC memory involves more processing, it may be a bit slower that non ECC memory, however ECC provides reliability and greater system stability. ECC RAM is more expensive however.

SATA RAID hardware controller with 4 x 10,000 RPM SATA II drives

RAID controller configured as RAID 0+1 which is a mirrored array whose segments are RAID 0 arrays. It provides the same fault tolerance as RAID level 5 and the same overhead for fault-tolerance as mirroring alone. It supports a very high I/O rates due to multiple stripe segments.

Other must-have components

Drive Bay Controller with multi-bay read/write status, a couple of SATA /IDE write-blocked bays, write-blocked universal memory card reader, built-in USB write-blocker, USB 2.0 ports, FIREWIRE 400/800 and eSATA ports.

Operating System

To get maximum compatibility with drivers and software, I would go for Windows 32-bit operating system. Microsoft Windows Server 2003 Enterprise Edition allows using memory beyond the 4-gigabyte range that is inherent to 32-bit operating systems. The 32-bit version of Microsoft Windows Server 2003 Enterprise Edition allows 8GB RAM and Windows Server 2003 with Service Pack 2 (SP2), Enterprise Edition supports 64 GB. Most of Windows XP drivers are compatible with Windows Server 2003. FTK, EnCASE, X-Ways Forensics and many other forensic applications run very well under Windows Server 2003. FTK however requires admin privileges to work correctly. The operating system needs some tweaking to enable prefetch etc. All adjustments take about 10 min to complete. Instructions can be found here. Additionally, there is a free tool for automated server to workstation transformation.

USB Flash drives acquisition!

2008-11-08T16:27:00.018+11:00

Wear Levelling

Most flash drives are NAND EEPROM devices capable of 100,000 to 1 million erase and write cycles. The lifetime of the flash drive depends on endurance of the flash chip. To extend the life of flash drives, manufacturers often implement wear-levelling (also referred as wear-leveling).

Wear-levelling mechanism spreads write cycles across a flash chip, thus reducing continual usage of the same areas of the flash chip, and as a result promotes even usage of all memory cells.

What this means for forensic examiners? The content of a file that is no longer exists from the point of view of the file system may have been fully or partially changed by the wear-levelling algorithm. On many NAND flash memory devices this occurs upon writing the new data.

NAND flash drives are not very efficient at random writes due to the requirement of an application to locate a free block, before it can write to it. If such block is not available, the block must be fully erased which takes additional time, thus reducing the efficiency of the device. Different manufacturers are taking different approaches to tackle this problem. Some implement additional controllers or/and memory into their flash drives. Some change the software (firmware) and wear-levelling algorithms that shuffles "unallocated" free space every time the device is read, so when the application is about to write the new data, free blocks are already available to the application for writing.

Acquiring these devices require an additional step that from my experience is rarely taken. The standard procedure is to simply connect such USB device to a forensic machine via hardware or software write blocking device and let the forensic software to do the acquisition and verification. There are two problems with this approach.

Most forensic tools verify (calculate MD5 or SHA1 hash) of the device, then acquire the data followed by MD5 or SHA1 verification of the image. There is no verification of the physical device after that. So, we essentially rely on the write blocker to prevent any changes.
Some USB devices (approximately one in every ten from my experience) will produce different cryptographic hash every time you calculate it, despite the fact that no write is allowed. So, by simply reading such devices, we are changing something inside these drives.

The significance of this is obvious. If an independent party checks the integrity of such device, (s)he will end up with a completely different MD5 or SHA1 value. Unless you know about the problem before hands, it may be too late to explain this difference in Court.

So, what is actually changed on the drive and how to deal with this issue? The good news is that existing files are not changed and this can be easily confirmed by comparing hash values of files from two images of the same device taken at a different time. X-Way forensics is probably the best tool for this task.

By utilising the above mentioned tool and its terminology we can see that changes occurred in 'Free space' and 'previously existed files'. It is up to the forensic examiner to deal with admissibility of the data/evidence extracted from 'Free space'. Taking an additional image of the device, extracting (carving) files and comparing these files with the files from the first image is one of these techniques. There will be many files that are changed by the sector shuffling, thanks to the wear-levelling algorithm.

Deletion/wiping

Additionally, because of the wear-levelling mechanism and dynamic mapping of logical to physical sectors, some file artefacts may be left behind even after "secure wiping" of the USB flash drive.

Ordinary hard disks in general do not have wear-levelling implemented; however this may soon change due to becoming increasingly popular in notebooks solid-state drives.

27 February 2009

Yes,

The issue does exist despite some people finding it hard to believe, and it is here to stay for some time. The only way to deal with this is through the correctly devised procedures that in general can be described as:

1. Identifying the device with the specific wear-levelling behaviour (via hashing before and after the procedure for example).

2. Isolate the existing (not marked as deleted) from the deleted files. Verify the integrity of the existing files.

3. Deal with the deleted files in a way that the accurate and verifiable data can be presented in court.

------------------------------------------------------------------------------------------
"Knowledge is dynamic in nature, today's knowledge may well become tomorrow's ignorance if an individual or organisation fails to update knowledge as environmental conditions change."

Turban, E., Leidner, D., Mclean, E., Wetherbe, J., Information Technology for Management: Transforming Organizations in the Digital Economy. Wiley; 6 edition (March 5, 2007)
----------------------------------------------------------------------------------------------------------
March 2009

Here is the link to a series of youtube videos of 'DEFCON 16' presentation by Scott Moulton who does a good job of explaining how the concept works.

5 November 2009
Another good article about SSD and NAND flash technology.

VMware Workstation 6.5 released

2008-11-07T13:09:00.002+11:00

Finally I have found some time to install the recently released VMware Workstation 6.5 and regretted that I haven't done this earlier. This version offers several new features such as improved performance of Copy/Paste operations between the Host and Guest. USB devices are handled quite well by this version, so no more pain getting a device recognised by the guest and not the host OS. Some sources claim that USB device performance is improved by as much as 50%. Unity feature is interesting but too me it is a little toy at this stage.

Case Notes Software

2008-11-01T13:57:00.003+11:00

A proper forensic analysis is rarely accomplished with just one forensic tool such as EnCase or FTK. So, jumping from one tool to another, from one operating system to another makes it a necessity to keep contemporaneous notes in one place, so they can be quickly searched and referenced. I was looking for a tool that would be lightweight and easy to use. I have found a nice application called CaseNotes from QCC. It is a free application that runs on MS Windows machines and is designed for Computer Forensic records keeping. I have found it quite useful. Tabbed interface and MS Word like interface are very useful; however a simple spell checking and easier way to import photographs would make this application more user friendly. I like to have the formatting and spell-check of Office at my disposal, so after using CaseNotes for a few days, I have started playing with MS Office OneNote 2007. It has tabbed interface, insert day and time (ALT+SHIFT+F), password protect option, search option, easy formatting, adding photographs and can be shared with others in my office. OneNote has a nice option to export all the records to PDF. For me, this could be the way of moving away from paper based records keeping.

Right click on a file to calculate hash

2008-10-27T22:52:00.009+11:00

HashTab v1.14 is my favorite Windows Shell Extension for calculating and comparing hash values. It works with MD5 and SHA-1 hashes by providing an easy-to-use right-click menu for files in Windows.

It is possible to have a similar functionality in Linux. On my Ubuntu I am using Zenity. Zenity is a tool that allows to create nice GUI widgets and windows for shell scripts.

Here is a little bash script that you can save as CalcHash file and make it executable.

#!/bin/bash
# The script "CalcHash" calculates MD5 hash of a selected file.
# You can replace md5sum with sha1sum to calculate sha1 instead
title="CalcHash"
tmp_file="/tmp/md5-`date +'%s'`"
/usr/bin/md5sum $NAUTILUS_SCRIPT_SELECTED_FILE_PATHS > $tmp_file
zenity --text-info --title="$title" --filename="$tmp_file" --width=1100 --height=100
rm $tmp_file
exit 0

To make the file executable just open gnome-terminal by clicking Applications > Accessories > Terminal. Then type:

chmod 755 CalcHash

or, if you prefer GUI, right-click on the file, select "Properties" click on the "Permissions" tab and then tick the appropriate box.

The script needs to be copied to /.Gnome2/nautilus-scripts.

You can go to Places > Home Folder

In Nautilus click Ctrl+H or just go to View and click Show Hidden Files

Navigate to .Gnome2 / nautilus-scripts and paste your script.

To calculate MD5 Hash, right click on any file or group of files and you should see something like this:

Disposable anti-virus!

2008-10-22T00:25:00.002+11:00

One of the quick ways to check the acquired image for presence of malware is to mount it with Mount Image Pro or Smart Mount and run your favourite anti- virus. Using two different anti-virus solutions is usually a good idea. However, running on the isolated forensic network two anti-viruses and keep them up-to-date may require some extra effort.

Kaspersky® Virus Removal Tool that also often referred to as AVPTool is a virus scanning and removal utility that employs very effective virus detection algorithms from Kaspersky Lab. Kaspersky is one of my favourite anti-virus solution and it rated fairly high amongst other anti-virus solutions.

AVPTool is rebuild every 2 hours and contain the latest virus signatures.
It installs into a folder on your desktop and upon finishing the scan, an uninstall prompt appears and removes the tool if you answer yes to the prompt. It can produce virus scan reports and doesn't leave much behind after it uninstalled.

CON: It is 25Mb file that you will have to download every time you need an up-to-date scanner.

AVPTool is available for free on HTTP and FTP.

Briefly about Visualisation

2008-10-19T15:14:00.004+11:00

The process of collection, preservation and analysis of digital forensic data is normally followed by presentation of findings by forensic examiner. At this stage it is important for non-forensic people (legal etc.) to clearly understand the significance of uncovered evidence. Visualisation can help to make this task a lot easier by displaying the findings in a graphical manner, making even small details visible and demonstrate the relationship between various pieces of evidence.
A variety of commercial and free open source software can be utilised to accomplish this task. A free and open source graphical time line editor called Zeitline and commercial ConceptDraw MINDMAP are worth mentioning here.
Zeitline is an open source graphical tool written in Java developed and maintained by CERIAS (Computer Forensics Research Group).
ConceptDraw MINDMAP is a mind mapping software that normally cost US $199. It appears that the company is offering the previous version of this software free for a limited time. You can find more details at Lifehacker's web site.

Time and Timestamps

2008-10-18T00:44:00.018+11:00

"A file time is a 64-bit value that represents the number of 100-nanosecond intervals that have elapsed since 12:00 A.M. January 1, 1601 Coordinated Universal Time (UTC).

The FAT file system stores time values based on the local time of the computer. For example, a file that is saved at 3:00pm PST in Washington is seen as 6:00pm EST in New York on an NTFS volume, but it is seen as 3:00pm EST in New York on a FAT volume.

The NTFS file system stores time values in UTC format, so they are not affected by changes in time zone or daylight saving time." MSDN

Why 1 January 1601?

This is to do with leap years having 400 years cycle and 1st of January 1601 being a Monday. If modulo (MOD) function is performed in a date integer mod 7 the result will be the day of the week.
(0=Sunday,1=Monday,2=Tuesday,3=Wednesday,4=Thursday,5=Friday,6=Saturday)
Day of the Week = Days Since 1601 MOD 7

There are five different time formats and it can be confusing.

The original FAT12/FAT16 file systems had only the last-modified time. The later FAT32 and NTFS file systems have three types of time stamps for each file.

1. Time when the file was First-created
2. Time when the file was Last-modified
3. Time when the file was Last-accessed

Here is how these values are changed by the Operating System (OS)

A quick picture reference to FAT and NTFS Date and Time stamps for files and folders based on Microsoft Article 299648.

.A file from FAT file system to FAT file System

A file from FAT file system to NTFS file System

A file from NTFS file system to NTFS file System

.Folder 2 copied into Folder 1

Folder 2 moved into Folder 1

FAT system works a bit differently according to the same document. If you copy or move Folder 2 into Folder 1, the created date and modified date of Folder 1 remains unchanged.

Microsoft Article ID :127830 called "Time Stamps Change When Copying From NTFS to FAT" is also quite interesting. According to this article when a file copied from NTFS file system device to a FAT device, the time stamp is rounded to the nearest two seconds. It happens with FAT only because NTFS time stamps can end with even or odd number of seconds. So, NTFS time stamp 10:00:0:000 is going to be FAT time stamp 10:00:0:000, but anything more than NTFS 10 hours 00 min 0 sec 000, let's say NTFS 10:00:0:001 and up until 10:00:1:999 will produce FAT 10:00:2:000.

A Few Things To Keep In Mind

1. The NTFS Last Access Time Stamp updates can be easily disabled in registries on Windows NT , Windows 2000 and Windows XP.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

Value Name: NtfsDisableLastAccessUpdate
Data Type: REG_DWORD (DWORD Value)
Value Data: set 1 to prevent the Last Access time stamp updates.

Note that Windows Vista has Last Access Time updates disabled by default to improve NTFS performance. To operate correctly, some applications require the Last Access timestamps to be enabled. This can be easily done by issuing the following command: fsutil behavior set disablelastaccess 0 followed by computer restart.

2. Antivirus software requires access to files to read/scan them for viruses. After the scan is finished, the software restores the Last Access timestamp of files that are scanned to the original time before scanning. However, if a file was cured, the access and modification times are updated.

3. The accuracy of the timestamps depends on the internal clock. The NTFS file system has a precision of 100 nanosecond (ns), but the precision of the Windows internal clock is only 1 ms, for that reason the accuracy of timestamps in NTFS on Windows systems is limited to 1 ms.

--------
System Forensic Analysis book by Brian Carrier (highly recommended) helped me to undersand this material a bit better.

There is a great collection of academic papers about Date and Time stamp forensics. It can be found at Time Forensics website maintained by Svein Y. Willassen.

A Useful Quote

2008-10-17T00:43:00.004+11:00

"Knowledge is dynamic in nature, today's knowledge may well become tomorrow's ignorance if an individual or organisation fails to update knowledge as environmental conditions change."

Turban, E., Leidner, D., Mclean, E., Wetherbe, J., Information Technology for Management: Transforming Organizations in the Digital Economy. Wiley; 6 edition (March 5, 2007)

get SUDO to work on Red Hat systems

2008-10-12T06:00:00.002+11:00

In the terminal enter su --login -c 'visudo'

Press enter and go through the password for root.

Below the line root ALL=(ALL) ALL add the user (Garfield in this case :-) that you want to have root access as shown below:
Garfield ALL=(ALL) ALL

If you wish sudo to prompt for a password, go down to the line # %wheel ALL=(ALL) ALL and delete the # at the beginning of the line using the x key or use your favorite vi editor commands to edit and navigate around.

If you don't want password prompts (not secure), go down to # %wheel ALL=(ALL) NOPASSWD: ALL and uncoment it.

Save and exit: wq

Smart Mount by ASR Data

2008-10-11T15:13:00.003+11:00

Smart Mount by ASR Data is going to be oficially released on October 27, 2008. Smart Mount is a tool that allows mounting dd, SMART, E01, VMWare images.

Supported file systems are:

All Windows based Fat and NTFS
Linux/Unix based HFS, Ext2 and Ext3
CD/DVD based ISO9660 and UDF

There are versions for Linux and Windows and you will have to pay for each version separatelly. There are also 'Pro' versions for both Linux and Windows that offer read/write options. It looks like it is going to be $100 more expencive that Windows only version of Mount Image Pro ($299). Smart Mount Pro version is another $100 extra.

New Forensic Search Engine

2008-10-11T03:29:00.004+11:00

Digital Forensics Search Engine has been added to this blog. It requires a lot of work to add resources and also fine tune it, so I don’t expect it to be very functional for some time. If you have a good & relevant link that should have been included in this search engine, send me an email or just leave the comment (I will not publish these comments).

dtSearch in Linux

2008-10-07T22:41:00.003+11:00

dtSearch 7.54 has been installed and worked fine in CentOS 5.2 under wine.

The main indexing and searching functions worked OK. dtSearch forensic indexing with unicode support worked as well. Some additional dtSearch functions did not work and performance suffered a bit (subjective observation). Gecko needs to be installed prior installing dtSearch. Running non native application is not a good idea though and it is probably a matter of time before we all see a nice GUI front end to dtSearch Linux engine.

Disposable Emails

2008-10-03T15:54:00.006+10:00

Almost every forum or web site require user registration and asks about you real email address. Not supplying one may result in download links or activation link to be sent somewhere else. Disposable emails illiminate the need to give out your real email and allow you to receive download or activation links. The beauty of such disposable emails is in their limited lifespan. The temporary email address gets redirected to the real email address and dies together with the spam.

There are several free disposable email services available:

Mailinator

MyTrashMail

MailExpire

In my view Jetable is the best one. No registration is required to use the service, and no spam or advertisement sent by Jetable themselves. The service is provided by the French non-profit Association for a Non-Commercial Internet.

Window XP and Vista setupapi.log

2008-10-01T21:49:00.009+10:00

setupapi.log is a plain-text file that contains some interesting information about various devices and service-pack installations. The file may contain serial numbers of the devices connected to Windows machine. By studying setupapi.log it may be possible to tell if a particular device has been connected to the computer during OS installation #-199 message –newsetup or connected at a later stage incl. date and time when it was connected.

The file is located in %windir%\ directory for Windows XP machines.

Microsoft has a good paper regarding this log file Troubleshooting Device Installation with the SetupAPI Log File

Harlan Carvey in his book Windows Forensic Analysis DVD Toolkit explained very well the significance of setupapi.log to forensic examiners.

Vista has two similar files setupapi.app.log and setupapi.dev.log located in %windir%\inf\ directory.

setupapi.dev.log becomes the primary log file and setupapi.app.log contains some legacy logging information.

Useful links in relation to Vista log files are:

Time Zone Converter

2008-09-28T16:37:00.003+10:00

Getting various time zone conversations can be confusing. Using calculator is fine, but I tend to double check my calculations with this online Time Zone Converter.

Keeping things organised.

2008-09-25T21:38:00.012+10:00

Wiki is an excellent tool for sharing the knowledge and collaborate with other project members. Who wants to learn HTML or spend time learning on how to use Wiki though? Most people that require Wiki are busy doing more important things. The best and ‘easy to use’ Wiki that I came across is Mintouch Deki. It runs on Windows, Linux, BSD, MAC OS X and it is free. Installation and configuration on Ubuntu 8.04 LTS Server takes approximately 10 minutes. It has indexing component that allows indexing and searching attachments PDF or MS Office documents (and many other formats). WYSIWYG Page Creation is great, though I would like to see a good spell check. Indexing is based on Lucene indexing engine and requires mono to be installed. I am not big fan of mono but deki and mono run well together since I have installed them about 3 months ago. There are some tweaking required to allow bigger attachments to be scanned and for indexing to work correctly. How can Wiki be used in forensic investigations? Sometimes running a big investigation makes it difficult to remember everything and I tend to miss/forget some important information because too much information and it may take a long time to investigate/complete the project.

MindTouch Deki Virtual Appliance is pre-installed and configured, and runs in VMWare. It can be run on a desktop computer to keep my records/discoveries. All information is organised and can be shared with other team members for peer review or comments. Cliking on "Recent Changes" allows to monitor all changes. Deki has great access control mechanism and it is very easy to administer. All information is indexed and can be found within seconds. It also has function to export to PDF.

Having different VM snapshots allows multiple investigations/projects to be run independently.

In case Indexing doesn't work:

Edit mindtouch.deki.startup.xml
add after word indexer

the following line with the appropriate html formatting

delay-index-interval 10 delay-index-interval

then restart deki wiki
/etc/init.d/dekiwiki restart

Log in to deki as admin and rebuild index

To be able to index big PDF's etc:

Change the following entries in your php.ini file located in /etc/php5/apache2/php.ini

and restart apache /etc/init.d/apache2 restart
post_max_size = 32M
upload_max_filesize = 32M

Also value for pdf filter has been changed to xpdf after XPDF package has been installed.

From

/var/www/dekiwiki/bin/filters/pdf2text

/var/www/dekiwiki/bin/filters/xpdf2text

Installing Helix 2008R1

2008-09-21T18:42:00.015+10:00

The long awaited Helix 2008R1 is finally out. There are still some problems with download speeds experienced by the forensic community that eager to try this new toy (including myself of course). There are some problems with installation to hard drive that I have found a way to get around.

1. Installation has to be started after live CD is booted by going to System->Administration->Install

2. Just follow the instructions and after you get to the Who are you screen, press Forward and here is the trick. The installation would usually stop there due to some problems with os-prober not being able to find volume groups. The trick is to press cancel and start the installation procedure again. It should work after that.

3. All new Helix looks nice and shiny but don't yet relax. Adepto, autopsy, av programs and some others would not run. I suggest to run an update (apt-get upgrade or allow automatic update), and after about 20 new updates most of the tools should work.

4. Adepto would not though, and to fix it, here what I done:

$ sudo -i
# cd /usr/local/adepto
# mv logs logs1
# mkdir logs

Obviously there is a problem with the logs file sitting in /usr/local/adepto directory
Instead there should be a directory/folder called logs

Done.

correction - I just realised that logs file is a symlink to /home/ubuntu/adepto/logs
I guess, if everyone creates user ubuntu during the installation, adepto should work just fine. (or create a new folder and symlink it )

Installing VMware tools on CentOS 5.2

2008-09-21T18:12:00.005+10:00

Running CentOS as a guest OS with VMware is OK without VMware tools installed. However there may be some problems with mouse/screen etc. Installing VMware tools on CentOS can be accomplished by using RPMs that come with VMware workstation. I have encountered a few problems whilst trying to install VMware tools. I could not unload pcnet32 module and the system did not shut down gracefully. After digging through the Internet and experimenting I came up with the following.

Disable ipv6 by modifying /etc/modprobe.d/modprobe.conf.dist and adding anywhere install ipv6 /bin/true (and disabling iptables for ipv6 later on)
Start CentOS in a single user mode by typing as root: init 1 or /sbin/init 1
Then run vmware-config-tools.pl
After the installation complete, reboot
I also have a button on the gnome panel with the following command gksu vmware-toolbox to be able to copy and paste between guest and host operating systems.
A slightly more elegant solution would be to put /usr/bin/vmware-user & line into /etc/rc.local with no window to close after the program starts. To modify the settings, vmware-toolbox can be started manually as needed. In Ubuntu it is even easier SYSTEM > PREFERENCES > SESSIONS and in startup programs tab ADD NAME and /usr/bin/vmware-user &

A few things to consider when using FTK Imager.

2008-09-19T01:28:00.004+10:00

In March 2008 NIST has released their test results for FTK Imager 2.5.3.14. Several problems have been detected:

with acquisition of a logical NTFS partition;
hidden by a host protected area (HPA) sectors;
the sectors hidden by device configuration overlay (DCO); and
FTK imager didn’t reported the location of corrupted data.

AccessData has released FTK Imager version 2.5.4
Release Date: April 8, 2008

Version 2.5.4 release notes for this version has no mention of any bug fixes detected by NIST.

USB dongle for SMART with Ubuntu

2008-09-16T07:25:00.005+10:00

SMART from ASR Data is being tested on my Ubuntu 8.4

Initially didn't want to recognise the USB dongle that comes with SMART. Running aksusbd didn't help. It is recommended to attach the USB dongle before booting Linux. It didn't work. After issuing mount -t usbfs none /proc/bus/usb followed by aksusbd worked fine. /etc/fstab has then been modified and usbfs /proc/bus/usb usbfs auto 0 0 added. (0 = zero, not letter o) aksusbd daemon is not correctly installed to start up at boot in Ubuntu. The easiest way to deal with this is to write a bash script:

#!/bin/bash

mount -t usbfs none /proc/bus/usb

/usr/sbin/aksusbd; /usr/local/bin/smart

Then add to Gnome Panel custom application and point it to the script. I am sure there are better ways of doing this, but it works well for me and doesn't take much time :-) To run SMART or any other application that required root, install gksu and type gksu /usr/local/bin/smart

SMART stands for:

S torage
M edia
A nalysis
R ecovery
T oolkit

LinEn & ewfacquire to produce EnCase images

2008-09-15T08:20:00.004+10:00

Among AIR, GRAB and ADEPTO and several other dd tools there are two Linux forensic tools that can image and produce E01 (EnCase) images. LinEn from EnCase and ewfacquire which is part of the libewf package. libewf does not yet support the Logical Volume format (EWF-L01). LinEn can be downloaded here. It is easy to run, make it executable by changing file’s permission and type ./linen. ewfacquire is claimed to be faster than LinEn, however I haven't noticed any significant differences.

tableau-parm 0.1.0 is another useful Linux tool for getting drive information from Tableau forensic write blockers that is similar to the Windows only Tableau Disk Monitor.

PyFlag

2008-09-14T19:24:00.005+10:00

PyFlag finally installs on Ubuntu 8.4. Will play with it a bit more and try to compare it with the functionalities of PTK. PTK is promising but is still too buggy. Works better with Opera browser, Firefox is no good. Some issues with PHP and SQL.
---
12 Oct 2008
PTK 1.0 is going to be released 28 October 2008.

grab & adepto

2008-09-14T13:40:00.008+10:00

grab is a very useful program by Drew Fahey . Installed and tested it on Ubuntu 8.04. It has several dependencies to deal with. To solve the problem:
apt-get install sharutils cryptcat libx11-dev libtsk-dev
sharutls is needed otherwise uudecode error will show up. cryptcat is also required for grab to function and libx11-dev will stop any complaints about problems re: gettimeofday(). It also would not work without libtsk-dev and several other dependencies connected to libtsk-dev. adepto is a replacement of grab and new version is coming next week together with the new release of Helix.
The modified grab.tar.gz can be downloaded from here or here. MD5 Hash for grab.tar.gz f569a458b35cf100284bb578fa3d3e74