Monday, October 27, 2008

Right click on a file to calculate hash

HashTab v1.14 is my favorite Windows Shell Extension for calculating and comparing hash values. It works with MD5 and SHA-1 hashes by providing an easy-to-use right-click menu for files in Windows.

It is possible to have a similar functionality in Linux. On my Ubuntu I am using Zenity. Zenity is a tool that allows to create nice GUI widgets and windows for shell scripts.

Here is a little bash script that you can save as CalcHash file and make it executable.

# The script "CalcHash" calculates MD5 hash of a selected file.
# You can replace md5sum with sha1sum to calculate sha1 instead
tmp_file="/tmp/md5-`date +'%s'`"
/usr/bin/md5sum $NAUTILUS_SCRIPT_SELECTED_FILE_PATHS > $tmp_file
zenity --text-info --title="$title" --filename="$tmp_file" --width=1100 --height=100
rm $tmp_file
exit 0

To make the file executable just open gnome-terminal by clicking Applications > Accessories > Terminal. Then type:

chmod 755 CalcHash

or, if you prefer GUI, right-click on the file, select "Properties" click on the "Permissions" tab and then tick the appropriate box.

The script needs to be copied to /.Gnome2/nautilus-scripts.

You can go to Places > Home Folder

In Nautilus click Ctrl+H or just go to View and click Show Hidden Files

Navigate to .Gnome2 / nautilus-scripts and paste your script.

To calculate MD5 Hash, right click on any file or group of files and you should see something like this:

Wednesday, October 22, 2008

Disposable anti-virus!

One of the quick ways to check the acquired image for presence of malware is to mount it with Mount Image Pro or Smart Mount and run your favourite anti- virus. Using two different anti-virus solutions is usually a good idea. However, running on the isolated forensic network two anti-viruses and keep them up-to-date may require some extra effort.

Kaspersky® Virus Removal Tool that also often referred to as AVPTool is a virus scanning and removal utility that employs very effective virus detection algorithms from Kaspersky Lab. Kaspersky is one of my favourite anti-virus solution and it rated fairly high amongst other anti-virus solutions.

AVPTool is rebuild every 2 hours and contain the latest virus signatures.
It installs into a folder on your desktop and upon finishing the scan, an uninstall prompt appears and removes the tool if you answer yes to the prompt. It can produce virus scan reports and doesn't leave much behind after it uninstalled.

CON: It is 25Mb file that you will have to download every time you need an up-to-date scanner.

AVPTool is available for free on HTTP and FTP.

Sunday, October 19, 2008

Briefly about Visualisation

The process of collection, preservation and analysis of digital forensic data is normally followed by presentation of findings by forensic examiner. At this stage it is important for non-forensic people (legal etc.) to clearly understand the significance of uncovered evidence. Visualisation can help to make this task a lot easier by displaying the findings in a graphical manner, making even small details visible and demonstrate the relationship between various pieces of evidence.
A variety of commercial and free open source software can be utilised to accomplish this task. A free and open source graphical time line editor called Zeitline and commercial ConceptDraw MINDMAP are worth mentioning here.
Zeitline is an open source graphical tool written in Java developed and maintained by CERIAS (Computer Forensics Research Group).
ConceptDraw MINDMAP is a mind mapping software that normally cost US $199. It appears that the company is offering the previous version of this software free for a limited time. You can find more details at Lifehacker's web site.

Saturday, October 18, 2008

Time and Timestamps

"A file time is a 64-bit value that represents the number of 100-nanosecond intervals that have elapsed since 12:00 A.M. January 1, 1601 Coordinated Universal Time (UTC).

The FAT file system stores time values based on the local time of the computer. For example, a file that is saved at 3:00pm PST in Washington is seen as 6:00pm EST in New York on an NTFS volume, but it is seen as 3:00pm EST in New York on a FAT volume.

The NTFS file system stores time values in UTC format, so they are not affected by changes in time zone or daylight saving time." MSDN

Why 1 January 1601?
This is to do with leap years having 400 years cycle and 1st of January 1601 being a Monday. If modulo (MOD) function is performed in a date integer mod 7 the result will be the day of the week.
Day of the Week = Days Since 1601 MOD 7

There are five different time formats and it can be confusing.

The original FAT12/FAT16 file systems had only the last-modified time. The later FAT32 and NTFS file systems have three types of time stamps for each file.

1. Time when the file was First-created2. Time when the file was Last-modified3. Time when the file was Last-accessed

Here is how these values are changed by the Operating System (OS)

A quick picture reference to FAT and NTFS Date and Time stamps for files and folders based on Microsoft Article 299648.

.A file from FAT file system to FAT file System

A file from FAT file system to NTFS file System

A file from NTFS file system to NTFS file System

.Folder 2 copied into Folder 1

Folder 2 moved into Folder 1

FAT system works a bit differently according to the same document. If you copy or move Folder 2 into Folder 1, the created date and modified date of Folder 1 remains unchanged.

Microsoft Article ID :127830 called "Time Stamps Change When Copying From NTFS to FAT" is also quite interesting. According to this article when a file copied from NTFS file system device to a FAT device, the time stamp is rounded to the nearest two seconds. It happens with FAT only because NTFS time stamps can end with even or odd number of seconds. So, NTFS time stamp 10:00:0:000 is going to be FAT time stamp 10:00:0:000, but anything more than NTFS 10 hours 00 min 0 sec 000, let's say NTFS 10:00:0:001 and up until 10:00:1:999 will produce FAT 10:00:2:000.

A Few Things To Keep In Mind

1. The NTFS Last Access Time Stamp updates can be easily disabled in registries on Windows NT , Windows 2000 and Windows XP.

Value Name: NtfsDisableLastAccessUpdateData Type: REG_DWORD (DWORD Value)
Value Data: set 1 to prevent the Last Access time stamp updates.

Note that Windows Vista has Last Access Time updates disabled by default to improve NTFS performance. To operate correctly, some applications require the Last Access timestamps to be enabled. This can be easily done by issuing the following command: fsutil behavior set disablelastaccess 0 followed by computer restart.

2. Antivirus software requires access to files to read/scan them for viruses. After the scan is finished, the software restores the Last Access timestamp of files that are scanned to the original time before scanning. However, if a file was cured, the access and modification times are updated. (See my other post for details)

3. The accuracy of the timestamps depends on the internal clock. The NTFS file system has a precision of 100 nanosecond (ns), but the precision of the Windows internal clock is only 1 ms, for that reason the accuracy of timestamps in NTFS on Windows systems is limited to 1 ms.

System Forensic Analysis book by Brian Carrier (highly recommended) helped me to undersand this material a bit better.

There is a great collection of academic papers about Date and Time stamp forensics. It can be found at Time Forensics website maintained by Svein Y. Willassen.

Friday, October 17, 2008

A Useful Quote

"Knowledge is dynamic in nature, today's knowledge may well become tomorrow's ignorance if an individual or organisation fails to update knowledge as environmental conditions change."

Turban, E., Leidner, D., Mclean, E., Wetherbe, J., Information Technology for Management: Transforming Organizations in the Digital Economy. Wiley; 6 edition (March 5, 2007)

Sunday, October 12, 2008

get SUDO to work on Red Hat systems

In the terminal enter su --login -c 'visudo'

Press enter and go through the password for root.

Below the line root ALL=(ALL) ALL add the user (Garfield in this case :-) that you want to have root access as shown below:
Garfield ALL=(ALL) ALL

If you wish sudo to prompt for a password, go down to the line # %wheel ALL=(ALL) ALL and delete the # at the beginning of the line using the x key or use your favorite vi editor commands to edit and navigate around.

If you don't want password prompts (not secure), go down to # %wheel ALL=(ALL) NOPASSWD: ALL and uncoment it.

Save and exit: wq

Saturday, October 11, 2008

Smart Mount by ASR Data

Smart Mount by ASR Data is going to be oficially released on October 27, 2008. Smart Mount is a tool that allows mounting dd, SMART, E01, VMWare images.

Supported file systems are:
  • All Windows based Fat and NTFS
  • Linux/Unix based HFS, Ext2 and Ext3
  • CD/DVD based ISO9660 and UDF

There are versions for Linux and Windows and you will have to pay for each version separatelly. There are also 'Pro' versions for both Linux and Windows that offer read/write options. It looks like it is going to be $100 more expencive that Windows only version of Mount Image Pro ($299). Smart Mount Pro version is another $100 extra.

New Forensic Search Engine

Digital Forensics Search Engine has been added to this blog. It requires a lot of work to add resources and also fine tune it, so I don’t expect it to be very functional for some time. If you have a good & relevant link that should have been included in this search engine, send me an email or just leave the comment (I will not publish these comments).

Tuesday, October 7, 2008

dtSearch in Linux

dtSearch 7.54 has been installed and worked fine in CentOS 5.2 under wine.

The main indexing and searching functions worked OK. dtSearch forensic indexing with unicode support worked as well. Some additional dtSearch functions did not work and performance suffered a bit (subjective observation). Gecko needs to be installed prior installing dtSearch. Running non native application is not a good idea though and it is probably a matter of time before we all see a nice GUI front end to dtSearch Linux engine.

Friday, October 3, 2008

Disposable Emails

Almost every forum or web site require user registration and asks about you real email address. Not supplying one may result in download links or activation link to be sent somewhere else. Disposable emails illiminate the need to give out your real email and allow you to receive download or activation links. The beauty of such disposable emails is in their limited lifespan. The temporary email address gets redirected to the real email address and dies together with the spam.

There are several free disposable email services available:

In my view Jetable is the best one. No registration is required to use the service, and no spam or advertisement sent by Jetable themselves. The service is provided by the French non-profit Association for a Non-Commercial Internet.

Wednesday, October 1, 2008

Window XP and Vista setupapi.log

setupapi.log is a plain-text file that contains some interesting information about various devices and service-pack installations. The file may contain serial numbers of the devices connected to Windows machine. By studying setupapi.log it may be possible to tell if a particular device has been connected to the computer during OS installation #-199 message –newsetup or connected at a later stage incl. date and time when it was connected.

The file is located in %windir%\ directory for Windows XP machines.

Microsoft has a good paper regarding this log file Troubleshooting Device Installation with the SetupAPI Log File

Harlan Carvey in his book Windows Forensic Analysis DVD Toolkit explained very well the significance of setupapi.log to forensic examiners.

Vista has two similar files and located in %windir%\inf\ directory. becomes the primary log file and contains some legacy logging information.

Useful links in relation to Vista log files are: