Digital Forensics Notes. Windows, Mac and Linux tools & tricks. Author: eco (<a href="http://www.blogger.com/profile/16825754912128465389" target="_blank">Blogger profile</a>).<br />
<br />
<b>I am not suffering from blogger’s block</b> (posted 2014-10-01)<br />
I post rarely on this blog, but not because I am suffering from blogger’s block; on the contrary, I have too many ideas and exciting things to share. Unlike writing about travel or the weather, however, digital forensic topics require more time to verify, test and research. Work eats up most of my time, so I do not have much time left for blogging at the moment.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5-stHDIwD3cebWNw69uV6_ih82zGyJS0Vr0nmMzTuRwlwFvS-SGjZ2KhsywjIeNXHTAthWNxpKjoPQ5yIH9UafwVbZrZ05g0mtsCYynsFYfjOh_qz8Z-ylj7k7mnUKGGocDsGpbF65IVd/s1600/Blogger.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="253" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5-stHDIwD3cebWNw69uV6_ih82zGyJS0Vr0nmMzTuRwlwFvS-SGjZ2KhsywjIeNXHTAthWNxpKjoPQ5yIH9UafwVbZrZ05g0mtsCYynsFYfjOh_qz8Z-ylj7k7mnUKGGocDsGpbF65IVd/s1600/Blogger.png" width="400" /></a></div>
<br />
<br />
Currently, I am contributing to our <a href="https://www.elvidence.com.au/" target="_blank">Computer Forensic Company</a>'s blog, where you can always find fresh stuff under the NEWS section.<br />
<br />
Social media has finally caught up with me as well, despite my resistance. I recently started using Google+ for quick sharing, commenting or exchanging ideas. You can find me <a href="https://plus.google.com/115781251724773943513/about" target="_blank">here</a>.<br />
<br />
<br />
Where time permits, I will try updating this blog as well, but no promises.<br />
<br />
[Google+ is no more. Is the Internet a Living Thing?]<br />
<br />
<b>Disarming suspicious PDF files on Apple Mac</b> (posted 2014-05-21)<br />
You can't be too careful these days when browsing the Internet. I read a lot of documents in PDF, often emailed to me as attachments or downloaded directly from the net. Even if a document comes from a trusted source, I tend to run it through Didier Stevens's <a href="http://didierstevens.com/files/software/pdfid_v0_1_2.zip" rel="nofollow" target="_blank">pdfid tool</a> with the <b>-d</b> (disarm) argument. The <b>pdfid.py</b> script is written in Python and disables the automatic actions and scripts in a PDF. You can read a brief explanation of how it works <a href="http://blog.didierstevens.com/2009/04/29/quickpost-disarming-a-pdf-file/" rel="nofollow" target="_blank">here</a>.<br />
<br />
Most of the time I am online on my beloved MacBook Air. Running the script from the command line in the middle of something can be disruptive. To deal with this, I used the <a href="http://sveinbjorn.org/platypus" rel="nofollow" target="_blank">Platypus</a> tool (freeware) to quickly create an app that simply sits on my desktop. When I get a PDF file, I just drag and drop it onto this app, which I called <b>PDFdisarm</b>. The app is nothing but a GUI wrapper around the pdfid.py script. A few seconds later it spits out a new version of the PDF file in the same location as the original, with <i>".disarmed.pdf"</i> appended to the name of the new version. If you are on a Mac, you can simply download this app from <a href="https://www.dropbox.com/s/nq0vri4hlyqq4f9/PDFdisarm.app.zip?dl=0" rel="nofollow" target="_blank">here</a> or make one for yourself. MD5 [PDFdisarm.app.zip = 028f76abce5b6ea6f0425b34ebab9dd2]<br />
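To make the disarm step concrete, here is an added example of the same idea (my own code, written for this page; it is not pdfid.py and not part of the original post). It finds the PDF names that make a viewer run something automatically, swaps their case so the viewer no longer recognises them (PDF names are case-sensitive), writes the copy next to the original the way the app does, and then checks that no such name survives. The keyword list and the output-name rule (replacing the .pdf extension with .disarmed.pdf) are assumptions; pdfid.py keeps its own list. It only sees names written plainly in the file, not names hidden behind #-hex escapes or inside compressed object streams, which is why disarming is a precaution rather than a guarantee.<br />

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, Tuple

# PDF names that make a viewer run something automatically (open-time actions,
# additional actions, embedded script, external launch). This list is an
# assumption for the example; pdfid.py keeps its own list of keywords.
AUTO_ACTION_NAMES = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch")

# A PDF name token ends at whitespace, a delimiter character or end of data,
# so "/JS" must not match inside an unrelated name such as "/JSON".
_NAME_END = rb"(?=[\s()<>\[\]{}/%]|$)"
_PATTERN = re.compile(
    b"(" + b"|".join(re.escape(n) for n in AUTO_ACTION_NAMES) + b")" + _NAME_END
)


def disarm(data: bytes) -> Tuple[bytes, Dict[bytes, int]]:
    """Swap the case of every matched action name ("/OpenAction" becomes
    "/oPENaCTION", which means nothing to a viewer). The length is unchanged,
    so byte offsets inside the file stay valid. Returns the new bytes and a
    per-name count, which doubles as a small triage report."""
    counts: Dict[bytes, int] = {name: 0 for name in AUTO_ACTION_NAMES}

    def swap(match) -> bytes:
        name = match.group(1)
        counts[name] += 1
        return name.swapcase()

    return _PATTERN.sub(swap, data), counts


def is_disarmed(data: bytes) -> bool:
    """Post-condition check: no automatic-action name survives in the output."""
    return _PATTERN.search(data) is None


def disarm_file(src: Path) -> Path:
    """Write the disarmed copy next to the original as <name>.disarmed.pdf
    (naming is an assumption), never modifying the original file."""
    dst = src.with_suffix(".disarmed.pdf")
    cleaned, _ = disarm(src.read_bytes())
    dst.write_bytes(cleaned)
    return dst


# Constructed sample: a minimal PDF fragment with an open-time action that runs
# JavaScript, plus an unrelated "/JSON" name that must be left alone.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
    b"4 0 obj << /JSON 1 >> endobj\n"
    b"%%EOF\n"
)


def demo_roundtrip() -> bool:
    """Run the file-level flow on the sample inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "suspicious.pdf"
        src.write_bytes(SAMPLE_PDF)
        dst = disarm_file(src)
        return (
            dst.name == "suspicious.disarmed.pdf"
            and src.read_bytes() == SAMPLE_PDF
            and is_disarmed(dst.read_bytes())
        )


if __name__ == "__main__":
    cleaned_bytes, report = disarm(SAMPLE_PDF)
    for action_name, n in report.items():
        print(f"{action_name.decode():<12} {n}")
    print("disarmed:", is_disarmed(cleaned_bytes))
```

The per-name counts are worth keeping in the app's output: a document that arrives with an /OpenAction pointing at /JavaScript deserves a closer look in a sandbox even after it has been neutralised.<br />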
<br />
Here are the instructions.<br />
<br />
First, you need to download <a href="http://sveinbjorn.org/files/software/platypus.zip" rel="nofollow" target="_blank">Platypus</a> and the latest <a href="http://didierstevens.com/files/software/pdfid_v0_1_2.zip" rel="nofollow" target="_blank">pdfid.py </a>script. Open Platypus, then name your app, choose one of the default icons or use your own. <b>Select Script Type</b> as Python. Select <b>Script Path</b> and navigate to your saved pdfid.py script. Click <b>Args</b> button and add "<b>-d</b>" as <b>Argument for Script.</b> <b>Output</b> can be <b>Droplet</b> or you can choose <b>Progress Bar </b>if you like. <b>Secure bundled script</b> is really optional.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrKxxF0PHDfFjvYlNbqj7Ka0oOEo-NV9FpJ7v2K_mNsBdNYPmp3_-By5yfjmuDD2ppxNFEAFOCPq6kEGjIXx7gqZOiVmFRVAVHEgduwVoBkO3-P_3ULqk07aOweQNJ31XmdeFkNlOElVFT/s1600/Screen+Shot+21.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="332" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrKxxF0PHDfFjvYlNbqj7Ka0oOEo-NV9FpJ7v2K_mNsBdNYPmp3_-By5yfjmuDD2ppxNFEAFOCPq6kEGjIXx7gqZOiVmFRVAVHEgduwVoBkO3-P_3ULqk07aOweQNJ31XmdeFkNlOElVFT/s1600/Screen+Shot+21.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click to enlarge</td></tr>
</tbody></table>
<br />
<br />
Make sure to add '-d' argument for the <b>script</b>, not for Python <b>interpreter</b>!<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNwk_DkDyLHgwDQnFXh6A_9JhC-wqhWZvrczeegcELyV68GkplwS8jy0BFyL-hYVWSsSHpRFJTP3hxABSNNqC5KdEuWa-ts3b4POsI54uMGNhlqkBnBo9LUwFSG7RCUGjP78oa5dXPby_v/s1600/22.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNwk_DkDyLHgwDQnFXh6A_9JhC-wqhWZvrczeegcELyV68GkplwS8jy0BFyL-hYVWSsSHpRFJTP3hxABSNNqC5KdEuWa-ts3b4POsI54uMGNhlqkBnBo9LUwFSG7RCUGjP78oa5dXPby_v/s1600/22.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click to enlarge</td></tr>
</tbody></table>
<br />
<br />
Use the <b>Accept dropped items</b> option to make sure you can drop files onto your new app. You can restrict the type of files accepted by entering <b>pdf</b> and removing the default <b>*</b> symbol.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9MMJhfJwETMmR-Fntu8Ss7jyNbKTszhFXPpZCV4VqKREl3QnSscaueeHR25iIkQVA4PH0otXbpIcWD8NXcRDio7d5Kr6v_XJ6JWfodrUJVnCXOhCprVSzgxqayQ1poixkO7i9j8MK2_v3/s1600/23.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9MMJhfJwETMmR-Fntu8Ss7jyNbKTszhFXPpZCV4VqKREl3QnSscaueeHR25iIkQVA4PH0otXbpIcWD8NXcRDio7d5Kr6v_XJ6JWfodrUJVnCXOhCprVSzgxqayQ1poixkO7i9j8MK2_v3/s1600/23.png" width="380" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click to enlarge</td></tr>
</tbody></table>
<br />
<br />
Click <b>Apply</b> and <b>Create.</b> If you followed these instructions, you should now have a useful app at your disposal. Don't forget to visit Didier Stevens's <a href="http://blog.didierstevens.com/" rel="nofollow" target="_blank">blog</a> and say thanks for his great work.<br />
<br />
<br />
<br />
<b>Distributed Processing Notes</b> (posted 2014-05-10)<br />
I tested <b>distributed</b> case processing and password cracking today by adding Amazon EC2 instances to the local processing resources. The purpose was to improve processing (and decryption) speed with security and budget in mind. I used Amazon "compute optimised" instances, "<i>c3.8xlarge</i>", each with 32 virtual CPUs, 60 GB RAM, 2 x 320 (SSD) and a 10 Gigabit network. A "<i>c3.8xlarge</i>" instance costs around $3 USD per hour. My Internet link was a bottleneck, because it only supports 15.62 Mbps (15615 kbps). I used the 'soon to be decommissioned' <b>free</b> LogMeIn service; the participating nodes were set up as a "Mesh" network. A free account only supports up to five nodes in a Mesh network.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2uhj61_zZ6bu8L1-1qphGF8DY6l_nmMNNwgyRPxwlfM8u5js7kBU2CsUtQjvrzGAGPJEVb9el-vRHha5a80vIiFdkqrrZptfp6mvL9zkWDQZWfQmx1rLuRv374S40lHpot2e0E76aUPhO/s1600/AWSPass.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2uhj61_zZ6bu8L1-1qphGF8DY6l_nmMNNwgyRPxwlfM8u5js7kBU2CsUtQjvrzGAGPJEVb9el-vRHha5a80vIiFdkqrrZptfp6mvL9zkWDQZWfQmx1rLuRv374S40lHpot2e0E76aUPhO/s1600/AWSPass.png" height="308" width="400" /></a></div>
<br />
<br />
In order to use LogMeIn Hamachi, it must be installed on each computer. Windows Server 2008 had issues with failing to connect to the tunnelling engine, so to save time Windows Server 2003 was used instead. No problems were encountered installing and connecting the instances to the Mesh. Perhaps Windows Server 2008 R2 or later would also work without too much tinkering. I called my network "Passware", but had to use the network ID instead to connect each instance.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoU1Ei_E560H7r9-0phUhQtlhAZ2aDA9Ockw-spTKzHdXcSvdTTN33kKUlyD8a3t6evKytdkAHwNfaHZcXTc2e-z-UpjDoEhzPhdkjshU7PKQDaFkWt0uksjqPs0iBFV8RA0qeaK8Eqbv-/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoU1Ei_E560H7r9-0phUhQtlhAZ2aDA9Ockw-spTKzHdXcSvdTTN33kKUlyD8a3t6evKytdkAHwNfaHZcXTc2e-z-UpjDoEhzPhdkjshU7PKQDaFkWt0uksjqPs0iBFV8RA0qeaK8Eqbv-/s1600/4.png" height="320" width="203" /></a></div>
<br />
Firstly, <a href="http://www.lostpassword.com/kit-forensic.htm" target="_blank">Passware</a> Password Recovery Kit Forensic was used to decrypt SAM + System registry files. The tool has its own integration with the Amazon cloud; however, I always had connectivity issues with it. Additionally, the purpose of this exercise was to make sure no data is transferred between the local network and external resources in the clear.<br />
<br />
After the first EC2 instance was connected to the local workstation running Passware, I saw a significant improvement in speed at brute-forcing NTLM hashes compared to two (1 CPU) local workstations.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEz6Oiev2SVfkx7A2R7xiRXQPYwJdsOQjOWcoZkf2JodbYn4ydK0xHMz90sz0TJuR6v1ulBDp_2O9az7YSSiqMRVGQ8wP34TzPoWZiYiVT1kOLcPnU7LsUehfaDSybHuwiJnvNaWhTRyb5/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEz6Oiev2SVfkx7A2R7xiRXQPYwJdsOQjOWcoZkf2JodbYn4ydK0xHMz90sz0TJuR6v1ulBDp_2O9az7YSSiqMRVGQ8wP34TzPoWZiYiVT1kOLcPnU7LsUehfaDSybHuwiJnvNaWhTRyb5/s1600/2.png" height="81" width="640" /></a></div>
<br />
When the three remaining EC2 instances were connected, each added 153 000 000 passwords/sec to the pool.<br />
<br />
<div class="separator" style="clear: both; text-align: start;">
AccessData Password Recovery Toolkit (<a href="http://www.accessdata.com/products/digital-forensics/decryption" rel="nofollow" target="_blank">PRTK</a>), <a href="http://hashcat.net/oclhashcat/" rel="nofollow" target="_blank">oclHashcat</a> v1.20 and <a href="http://www.elcomsoft.com/edpr.html" rel="nofollow" target="_blank">ElcomSoft</a> Distributed Password Recovery all produced decent results. I would be even happier if I could get the new EC2 NVIDIA GRID GPU driver to work.</div>
<div class="separator" style="clear: both; text-align: start;">
<br /></div>
<div class="separator" style="clear: both; text-align: start;">
Distributed processing of evidence with <a href="http://www.x-ways.net/forensics/index-m.html" target="_blank">X-Ways</a> Forensics, <a href="http://www.nuix.com/Enterprise-eDiscovery" target="_blank">NUIX</a> and Forensic Toolkit (<a href="http://www.accessdata.com/products/digital-forensics/ftk" rel="nofollow" target="_blank">FTK</a>) also produced good results, although I would not call these tests scientific :-). </div>
<div class="separator" style="clear: both; text-align: start;">
<br /></div>
<div class="separator" style="clear: both; text-align: start;">
X-Ways Forensics calls the process "Distributed Volume Snapshot Refinement". It splits the task of processing <i>different evidence objects</i> of the <i>same case</i> between multiple computers, which must be on the same network to be able to process the evidence at the same time. </div>
<div class="separator" style="clear: both; text-align: start;">
<br /></div>
<div class="separator" style="clear: both; text-align: start;">
NUIX is a completely different beast; it is the fastest evidence processing solution I have ever worked with. My network quickly became a bottleneck with NUIX, which was expected. </div>
<div class="separator" style="clear: both; text-align: start;">
<br /></div>
<div class="separator" style="clear: both; text-align: start;">
Setting up the FTK distributed processing engine took me some time (configuring shares, DB connectivity etc.). Processing of a 50 GB E01 image completed about 30% faster compared to a stand-alone machine.</div>
<div class="separator" style="clear: both; text-align: start;">
<br /></div>
<div class="separator" style="clear: both; text-align: start;">
Several Amazon EC2 instance types offer a 10 Gigabit network option, which is more than enough for distributed processing. With a faster Internet connection at the lab, it makes sense to use Amazon EC2 resources when time is limited or demand for these resources is higher than usual. Configuration time is relatively short, CPU overhead (due to encryption) is only slightly noticeable, and security should not be an issue with a VPN tunnel established between all processing nodes. </div>
<br />
<b>InfoSec To-Do list</b> (posted 2014-05-05)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_qmmZBDmN2U4zkYSydJVvX2SLSK1oNPHHfbahEBChjJQcXbkVfx2B9_EvHh962yB3fMQNYDw0-z4fvnJ_cnuvPkEP35qz-Z4BlAsapg9CrgQJ-EHMEjomIwLNpL1uAJRgpC3medCQ5ZMg/s1600/InfoSec.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_qmmZBDmN2U4zkYSydJVvX2SLSK1oNPHHfbahEBChjJQcXbkVfx2B9_EvHh962yB3fMQNYDw0-z4fvnJ_cnuvPkEP35qz-Z4BlAsapg9CrgQJ-EHMEjomIwLNpL1uAJRgpC3medCQ5ZMg/s1600/InfoSec.png" height="397" width="400" /></a></div>
<br />
A Chief InfoSec Officer's (CISO) to-do list, as <a href="http://www.computerweekly.com/news/2240219589/Cyber-threat-detection-paramount-says-SANS-fellow" rel="nofollow" target="_blank">mentioned</a> by E. Cole.<br />
<br />
<br />
<b>Windows Forensic Live CD</b> (posted 2013-11-20)<br />
Previously, making a Windows-based forensic Live CD was not for everyone, mostly due to the amount of tinkering involved. WinXP- and Win7-based Live CDs also have <a href="http://www.forensicswiki.org/wiki/WinFE" target="_blank">problems</a> with writing a Windows drive signature to write-protected drives.<br />
<br />
The <b>Mini-WinFE</b> <a href="http://reboot.pro/files/file/375-mini-winfe/" rel="nofollow" target="_blank">project</a> has changed this. Creating a forensic Live CD with Mini-WinFE is done in a few mouse clicks. Windows 8 and 8.1 also appear not to write a drive signature to a write-protected disk.<br />
From my experience, a Windows 8.1 Enterprise-based Live CD has some issues when adding custom programs to it. The Win 8.1 Pro version works perfectly well.<br />
<br />
The boot time is about a minute longer compared to Linux-based Live CDs, but you get driver and app flexibility with Windows.<br />
<br />
TrueCrypt is missing from the default app selection. I had to spend half an hour to fix it.<br />
Below are the scripts to add TrueCrypt 7.1a to the Live CD.<br />
<br />
TrueCrypt must be downloaded first and extracted, not installed on the machine (an installed copy may also work, but I haven't tested it).<br />
<br />
<a href="http://www.mediafire.com/download/gqdsdiqqfk194j8/TrueCrypt.script" rel="nofollow" target="_blank">TrueCrypt.script</a> must be placed in the <b>\Mini-WinFE\Projects\WinFE\Programs</b> folder.<br />
<br />
<span style="font-size: x-small;">MD5 (TrueCrypt.script) = 383c5a68888e258f0954c009f813b3ed</span><br />
<div>
<br /></div>
<div>
To add TrueCrypt to the program menu, download and replace <a href="http://www.mediafire.com/download/gq6qnw3g8sdgdf5/bblean1.17.1.script" rel="nofollow" target="_blank">bblean1.17.1.script</a>, located at <b>\Mini-WinFE\Projects\WinFE\Shell.Then.End</b>.</div>
<div>
<br /></div>
<div>
<span style="font-size: x-small;">MD5 (bblean1.17.1.script) = 75115b21edf70501fe329cb911c80e66</span></div>
<div>
<span style="font-size: x-small;"><br /></span></div>
<div>
Then just follow <a href="http://mistype.reboot.pro/mini-winfe.docs/readme.html" rel="nofollow" target="_blank">the instructions</a> to create your Forensic Live CD and you are done. </div>
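Since both this post and the PDFdisarm post above publish MD5 values for their downloads, here is an added example (my own code, not part of Mini-WinFE or the original post) of the check worth running before dropping a downloaded script into the project folder: hash the file in chunks, compare against the published value with a constant-time comparison, and copy it into place only on a match. The expected values are the ones quoted in the post; the demo uses a constructed file whose MD5 is the RFC 1321 test vector, so the "real" expected value deliberately fails against it. A matching MD5 confirms the download is the file the author posted, not that the file is safe.<br />

```python
import hashlib
import hmac
import shutil
import tempfile
from pathlib import Path
from typing import Optional

# Expected MD5 values as quoted in the post for the two Mini-WinFE scripts.
EXPECTED_MD5 = {
    "TrueCrypt.script": "383c5a68888e258f0954c009f813b3ed",
    "bblean1.17.1.script": "75115b21edf70501fe329cb911c80e66",
}


def md5_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash the file in chunks so large downloads do not need to fit in memory."""
    digest = hashlib.md5()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_expected(path: Path, expected_hex: str) -> bool:
    """Constant-time comparison of the computed digest with the published one."""
    return hmac.compare_digest(md5_of_file(path).lower(), expected_hex.strip().lower())


def install_script(script: Path, dest_dir: Path, expected_hex: Optional[str] = None) -> Path:
    """Copy the script into the Mini-WinFE project folder only if its MD5
    matches; the expected value defaults to the post's value for that name."""
    expected = expected_hex or EXPECTED_MD5.get(script.name)
    if expected is None:
        raise ValueError(f"no expected MD5 known for {script.name}")
    if not matches_expected(script, expected):
        raise ValueError(f"MD5 mismatch for {script.name}: refusing to install")
    dest_dir.mkdir(parents=True, exist_ok=True)
    return Path(shutil.copy2(script, dest_dir / script.name))


def demo() -> bool:
    """Self-contained check on a constructed file (its MD5 is not the post's).
    The b"abc" vector hashes to 900150983cd24fb0d6963f7d28e17f72 (RFC 1321)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sample = root / "TrueCrypt.script"
        sample.write_bytes(b"abc")
        installed = install_script(sample, root / "Programs",
                                   "900150983cd24fb0d6963f7d28e17f72")
        try:
            # The post's real value cannot match our constructed bytes.
            install_script(sample, root / "Programs")
            return False
        except ValueError:
            pass
        return installed.exists() and installed.read_bytes() == b"abc"


if __name__ == "__main__":
    print("demo passed:", demo())
```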
<b>Advanced Cyber Threat Environment</b> (posted 2013-06-24)<br />
APT or <a href="http://en.wikipedia.org/wiki/Advanced_persistent_threat">Advanced persistent threat</a> is usually associated with governments or organised groups of <a href="http://mashable.com/2012/03/28/history-of-hacktivism/" rel="nofollow" target="_blank">hacktivists</a>.<br />
<br />
It is no secret, however, that in the digital age organised crime has established its own presence in cyberspace. A conventional street gang's strength depends on its access to disposable foot soldiers willing to take the greatest risks.<br />
<br />
Organised crime groups specialising in cybercrime recruit hackers in place of foot soldiers. Countries with high unemployment, low wages, immature legislation and incompetent law enforcement are breeding grounds for them. While these groups can become guns for hire and be involved in APT, they normally operate on the “the cash must flow” principle. This means they must move on to another target when unsuccessful at hacking for a ‘reasonable’ period of time. The effort and persistence usually depend on the complexity of the hack or the potential reward.<br />
<br />
Having access to skilful hackers makes these groups capable of launching sophisticated attacks, but these attacks are less persistent compared to hacktivism-motivated or government-sponsored attacks. The problem is that organised cybercrime groups are attracted to potentially high-reward targets. As a result, different and uncoordinated groups of hackers constantly attack these targets, creating an <b>Advanced Cyber Threat Environment</b> (ACTE) for successful businesses and financial institutions.<br />
<br />
Smaller and less successful businesses are also operating in an ACT Environment in these countries *. In the Wild West era it used to be a Colt; these days DDoS attacks are often invoked by the competition as its most convincing argument. Effective DDoS attack protection relies on expert knowledge and a good understanding of the company’s core business, not on software or hardware. Small businesses don’t normally have that capacity.<br />
<br />
I haven't specifically named the countries with an Advanced Cyber Threat Environment; I leave that for you to decide.<br />
<br />
<b>Fruity Shingles</b> (posted 2013-03-27)<br />
<h2 style="text-align: center;">
Identifying similar documents</h2>
<div>
<br /></div>
<div>
MD5 hashing has been used in computer forensics for years now. Its primary uses are to ensure the integrity of evidence and to identify identical files. Around 2006, Jesse Kornblum <a href="http://dfrws.org/2006/proceedings/12-Kornblum.pdf" rel="nofollow" target="_blank">published a paper</a> on the "fuzzy hashing" algorithm (officially "context triggered piecewise hashing"), capable of identifying near-identical files at the binary level. I remember my excitement at the time, and today I still often use this technique when sifting through the clutter.<br />
<br />
Thanks to advances in the data mining and information retrieval fields, computer forensics professionals now have another tool at their disposal. It is capable of identifying near duplicates and chained near duplicates based on the text content of a document, not just at the binary level. The algorithm is called <a href="http://en.wikipedia.org/wiki/W-shingling" rel="nofollow" target="_blank">w-shingling</a>, or just shingling. Shingling does not attempt to understand the meaning of the text as some natural language processing algorithms do, so it is language agnostic. It also works with the text of a document regardless of its format (.pdf, .dot, .eml etc.). </div>
<div>
<br /></div>
<div>
The algorithm may have a significant impact on the investigator's workflow because: </div>
<div>
a) it is very effective at reducing the number of irrelevant files, and</div>
<div>
b) it is great at finding documents similar to files already identified as relevant.</div>
<div>
<br /></div>
<div>
Sometimes we hear about admissibility problems caused by the use of black-box algorithms in eDiscovery, most often associated with another cool technology, "<a href="http://www.kmworld.com/Articles/Editorial/What-Is-.../What-is-Predictive-Coding-Including-eDiscovery-Applications-87108.aspx" rel="nofollow" target="_blank">predictive coding</a>". Well, shingling is not part of this legal battle, and the algorithm is not a black box. In fact, most of us are already using it on a daily basis when searching the Internet. Variations of the algorithm are used by search engines to ensure that the original content gets returned in response to our keyword query and the duplicates are omitted. </div>
<div>
<br /></div>
<h2 style="text-align: center;">
Shingling</h2>
<div style="text-align: center;">
<br /></div>
<div>
Shingling is an effective and efficient method for comparing documents containing text through the sets of shingles derived from them. As previously mentioned, shingling doesn't rely on linguistics.<br />
<br />
As Albert Einstein once said, <i>“If you can't explain it to a six year old, you don't understand it yourself.”</i> Taking this literally, the algorithm extracts the plain text from a document and performs the following:<br />
<br />
a) removes all characters except letters and digits and converts everything to lower case*<br />
b) splits the text into tokens (overlapping groups of words, hence the name “<a href="http://en.wiktionary.org/wiki/shingle#English" rel="nofollow" target="_blank">shingling</a>”)<br />
c) compares the sets of shingles generated from the documents to check how similar two documents are<br />
<br />
Here is an example of w-shingling where w = 2 words:<br />
<br />
<br />
Text:<i> "Apples Are Not Oranges."</i><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJFDJ50YmbkE2pkq-dQftNjhqm1KGlJ62-EfiSWcb3oq7WdWDf3S8CXPAr22W7mngT0ddobQCb9OkXbkHAyzKVKJ4R5JQHdfPJh912JvUIl45NFYNkx3BlrmUOR0OrtWlyySfokedTt4YE/s1600/Untitled+1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJFDJ50YmbkE2pkq-dQftNjhqm1KGlJ62-EfiSWcb3oq7WdWDf3S8CXPAr22W7mngT0ddobQCb9OkXbkHAyzKVKJ4R5JQHdfPJh912JvUIl45NFYNkx3BlrmUOR0OrtWlyySfokedTt4YE/s320/Untitled+1.png" height="181" width="320" /></a></div>
<br />
Shingle size can vary; however, a w-shingle size of 1 would produce a bag of unordered words, which can be found in many dissimilar documents. So, essentially, by shingling we capture the relationship between the words. Once we have created the shingles, we need a method to compare them.<br />
<br /></div>
<h2 style="text-align: center;">
Jaccard similarity</h2>
<div>
<br /></div>
<div>
<a href="http://en.wikipedia.org/wiki/Paul_Jaccard" rel="nofollow" target="_blank">Paul Jaccard</a> (1868 - 1944) was a professor of botany and <a href="http://en.wikipedia.org/wiki/Plant_physiology" rel="nofollow" target="_blank">plant physiology</a>. He developed and published the Jaccard index of similarity in 1901. The method was used to calculate the distribution of various plants in the alpine zone. It measures similarity between sample sets. Today the method is used in a wide range of disciplines including biology, genealogy, mathematics and computer science, and we can now add computer forensics to this list.<br />
<br />
<br /></div>
<div>
<div>
<div style="text-align: left;">
Let's take two baskets of fruit, basket <b><span style="font-size: large;">A</span></b> and basket <b><span style="font-size: large;">B</span></b>.</div>
</div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl2XsQLkVqAptxSqiJp1C99vF_aPD_z2jO5Uzqr4gpmTCyTIckqFjbjZwEhI5ZtV-jNLYDvSLGRnc2SsjvcxLCI2BRjOaedjOtoMgm0ntYsmZhMctYe3tEFba-zrW-Xaea4aTIh69YB7mP/s1600/bascetAandB.fw.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl2XsQLkVqAptxSqiJp1C99vF_aPD_z2jO5Uzqr4gpmTCyTIckqFjbjZwEhI5ZtV-jNLYDvSLGRnc2SsjvcxLCI2BRjOaedjOtoMgm0ntYsmZhMctYe3tEFba-zrW-Xaea4aTIh69YB7mP/s640/bascetAandB.fw.png" height="222" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="text-align: left;">
Both baskets <b>A</b> and <b>B</b> have a set of fruit items in common, called <b>the intersection</b> (denoted as <b>∩</b>).</div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnHsu_wq39ZwIUJ7Qf-OXs5VxHq-TaSoKm96sqHSTGcHXwUz93o3m1BckZCb7cycw7Faevasg_q44OxcYSpxJkBnCbIyToM7AgnmA_cRyfcVRTtOyXVupNIBxacheU9FxRDVRtaAQFfOcf/s1600/Intersection.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnHsu_wq39ZwIUJ7Qf-OXs5VxHq-TaSoKm96sqHSTGcHXwUz93o3m1BckZCb7cycw7Faevasg_q44OxcYSpxJkBnCbIyToM7AgnmA_cRyfcVRTtOyXVupNIBxacheU9FxRDVRtaAQFfOcf/s200/Intersection.png" height="142" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click to enlarge</td></tr>
</tbody></table>
<br />
<br />
The <a href="http://en.wikipedia.org/wiki/Set_(mathematics)" rel="nofollow" target="_blank">set</a> of unique items found in either basket <b>A</b> or <b>B</b> is called <b>the union</b> (denoted as <b>∪</b>).<br />
When two sets have one or more elements in common, those elements are counted only once in their union. <br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2X2UE5ozx2b5-XuwUaw5hY7gKJ9M-eduLsHo5j-ITUwN8Ng_96wNVf6nDkHKwbCI-wACEMfq3N81yFeH1mX5l8SKlqSSpTjjtpk71bQqByYnJPJHd1jzQ_VL2_KKxkCnaxIdJz3eD8HkB/s1600/Union.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2X2UE5ozx2b5-XuwUaw5hY7gKJ9M-eduLsHo5j-ITUwN8Ng_96wNVf6nDkHKwbCI-wACEMfq3N81yFeH1mX5l8SKlqSSpTjjtpk71bQqByYnJPJHd1jzQ_VL2_KKxkCnaxIdJz3eD8HkB/s200/Union.png" height="151" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Click to enlarge</td></tr>
</tbody></table>
<div>
<br />
The Jaccard similarity index (let's denote it as <b><i>Sim</i></b>) is calculated as the number of items in <b>the intersection</b> of <b>A</b> and <b>B</b> divided by the number of items in <b>the union</b> of <b>A</b> and <b>B</b>. The result ranges from 0 (no elements in common) to 1 (identical sets).<br />
<br />
<br />
<span style="color: #674ea7; font-size: large;">\[Sim(A,B) = \frac{|A \cap B|}{|A \cup B|}\]</span></div>
</div>
</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
In the above example we have:</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL3DUC7tMrO-pe3nN3B5FTPqC3Mqed_cnYTI7a1gwg-gCkonX8ebByPViqdXCEAZQVw-QDITGJU6UG4YxzQE3eMrS_xHOijsYglL03LmtkMj1vSvBKY6tLy8qAC-UrPPEqvFbTAnvG0cTl/s1600/Intersection.fw.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL3DUC7tMrO-pe3nN3B5FTPqC3Mqed_cnYTI7a1gwg-gCkonX8ebByPViqdXCEAZQVw-QDITGJU6UG4YxzQE3eMrS_xHOijsYglL03LmtkMj1vSvBKY6tLy8qAC-UrPPEqvFbTAnvG0cTl/s640/Intersection.fw.png" height="100" width="640" /></a></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIqkyXAXKzXo-ApZMHsbg4UV5PyOUislZx9lS9nuCJt9rNIXUoxQwG3bs5Kw3gMFPyZEWFNk_5UhpjcGse5K-eSJJy1FyBGBxKY4wXh3bgtJ9ixQDFYAfRWEidhC7b90PPzoah3TdfoxIv/s1600/Union.fw.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"></a><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIqkyXAXKzXo-ApZMHsbg4UV5PyOUislZx9lS9nuCJt9rNIXUoxQwG3bs5Kw3gMFPyZEWFNk_5UhpjcGse5K-eSJJy1FyBGBxKY4wXh3bgtJ9ixQDFYAfRWEidhC7b90PPzoah3TdfoxIv/s640/Union.fw.png" height="90" width="640" /><br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
<span style="font-family: Times, 'Times New Roman', serif; font-size: large;">$Sim(A,B) = \frac{|A ∩ B|}{|A ∪ B|} = \frac{3}{10} = 0.3$</span><br />
<br />
<br />
<h2>
<span style="font-size: small;"><i style="font-weight: normal;">Notes and notations: Objects separated by commas inside parentheses, (A, B, C, D, E), denote an ordered set, so (A, B) ≠ (B, A). If the objects are inside curly brackets, {A, B, C, D, E}, they are unordered, so {A, B} = {B, A}.<br /></i><i><span style="font-weight: normal;">In mathematics, a value between | | denotes the absolute value of a real number, which is always non-negative, for example | -3 | = 3. </span><a href="http://en.wikipedia.org/wiki/Cardinality" rel="nofollow" style="font-weight: normal;" target="_blank">Cardinality</a><span style="font-weight: normal;"> (the number of elements in a set) uses the same notation. We mean the latter in our example, where |A ∩ B|, the number of elements in A ∩ B, is divided by |A ∪ B|, the number of elements in A ∪ B.</span></i></span></h2>
</div>
<div>
<i><br /></i> Here is another example:<br />
<br />
Let's consider two sets A and B, where:<br />
<br />
A = {0, 1, 2, 3} and B = {1, 2, 3, 4, 4, 5, 6, 7}</div>
<div>
<div style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;">
</div>
</div>
<br />
<span style="font-family: Times, Times New Roman, serif;"><br /></span>
<span style="font-family: Times, Times New Roman, serif; font-size: large;">$Sim(A,B) = \frac{|\{1, 2, 3\}|}{|\{0, 1, 2, 3, 4, 5, 6, 7\}|} = \frac{3}{8} = 0.375$</span><br />
<br />
<br />
Python has a built-in <a href="http://docs.python.org/2/library/stdtypes.html#set" rel="nofollow" target="_blank">set type</a> that provides union and intersection. Calculating the Jaccard similarity index takes just a few lines:<br />
<br />
<i><span style="color: #38761d;"> </span><span style="color: #666666;">IntersectionAB = len(A.intersection(B))<br />UnionAB = len(A.union(B))<br />SimAB= IntersectionAB / float(UnionAB)</span></i><br />
<br />
The Jaccard distance, i.e. how dissimilar two sets are, can be calculated as:<br />
<br />
<i><span style="color: #444444;">DistanceAB = (len(A.union(B)) - len(A.intersection(B)))/ float(len(A.union(B)))</span></i><br />
<br />
An implementation of Jaccard distance is also <a href="http://nltk.org/api/nltk.metrics.html" rel="nofollow" target="_blank">available</a> in the Python Natural Language Toolkit and can be used as follows:<br />
<br />
<i><span style="color: #444444;"><b>from nltk.metrics.distance import jaccard_distance</b></span></i><br />
<i><span style="color: #444444;">A = {0, 1, 2, 3}</span></i><br />
<i><span style="color: #444444;">B = {1, 2, 3, 4, 4, 5, 6, 7}<br />DistanceAB = <b>jaccard_distance(A, B)</b></span></i><br />
<br />
<br />
<b>Jaccard similarity is a simple yet effective method, but not without limitations:</b><br />
<ul>
<li><i>It doesn't account for the frequency of query term occurrence</i></li>
<li><i>Unique words or combinations of words are more informative compared to commonly used ones</i></li>
<li><i>Longer documents produce more hits compared to short documents. I have seen a modified formula <span style="color: #3d85c6; font-family: Helvetica Neue, Arial, Helvetica, sans-serif; font-size: large;">$Sim(A,B) = \frac{|A ∩ B|} {\sqrt{ | A ∪ B |}}$</span> </i><i>being used for length normalisation</i></li>
</ul>
Shingle size should be more than one word and should take into account the length of the document and, ideally, the amount of commonly used words in it. It should be chosen large enough to keep the probability of <b>an accidental</b> collision in the selected document(s) low (here a collision means a match that counts as similarity).<br />
<br />
* Other considerations when implementing shingling are capitalisation, whitespace, punctuation, stop words, and using natural language processing to identify nouns, verbs, synonyms etc.<br />
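As an added example (not code from the original post), here is a complete Python implementation of the shingling and Jaccard calculations described above: it normalises the text along the lines of the considerations just listed (case, whitespace, punctuation, stop words), builds w-word shingles, and computes the similarity, the distance and the length-normalised variant. The two documents and the stop-word list are constructed for the example.

```python
"""w-shingling plus Jaccard similarity and distance between two texts.

Added example, not code from the original post. It applies the normalisation
steps the post lists (capitalisation, whitespace, punctuation, stop words),
builds word shingles of a chosen size, and computes the Jaccard index, the
Jaccard distance and the length-normalised variant |A ∩ B| / sqrt(|A ∪ B|)
mentioned in the post. The sample documents and stop-word list are constructed.
"""
import math
import re
from typing import List, Set, Tuple

# Small constructed stop-word list; a real deployment would use a fuller one.
STOP_WORDS = {"the", "a", "an", "of", "and", "to", "in", "is", "was", "on"}

Shingle = Tuple[str, ...]


def normalise(text: str, drop_stop_words: bool = True) -> List[str]:
    """Lower-case, strip punctuation, collapse whitespace and drop stop words."""
    tokens = re.findall(r"[a-z0-9']+", text.lower())
    if drop_stop_words:
        tokens = [t for t in tokens if t not in STOP_WORDS]
    return tokens


def shingles(text: str, w: int = 3, drop_stop_words: bool = True) -> Set[Shingle]:
    """Return the set of w-word shingles of a text.

    A set keeps each shingle once however often it repeats, which is exactly
    the 'does not account for term frequency' limitation noted in the post.
    """
    tokens = normalise(text, drop_stop_words)
    if not tokens:
        return set()
    if len(tokens) < w:
        return {tuple(tokens)}  # shorter than one shingle: use the whole text
    return {tuple(tokens[i:i + w]) for i in range(len(tokens) - w + 1)}


def jaccard_similarity(a: Set, b: Set) -> float:
    """Sim(A,B) = |A ∩ B| / |A ∪ B|, defined as 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def jaccard_distance(a: Set, b: Set) -> float:
    """1 - Sim(A,B), i.e. (|A ∪ B| - |A ∩ B|) / |A ∪ B|."""
    return 1.0 - jaccard_similarity(a, b)


def length_normalised_similarity(a: Set, b: Set) -> float:
    """|A ∩ B| / sqrt(|A ∪ B|), the normalised variant the post mentions."""
    union = a | b
    return len(a & b) / math.sqrt(len(union)) if union else 0.0


def compare(doc_a: str, doc_b: str, w: int = 3) -> dict:
    """Shingle both documents and report the set sizes and all three scores."""
    a, b = shingles(doc_a, w), shingles(doc_b, w)
    return {
        "shingles_a": len(a),
        "shingles_b": len(b),
        "intersection": len(a & b),
        "union": len(a | b),
        "similarity": jaccard_similarity(a, b),
        "distance": jaccard_distance(a, b),
        "length_normalised": length_normalised_similarity(a, b),
    }


# Constructed sample documents: the second is a lightly edited near-duplicate.
DOC_A = "The quick brown fox jumps over the lazy dog. The dog sleeps."
DOC_B = "The quick brown fox jumped over the lazy dog. The dog sleeps!"

if __name__ == "__main__":
    for w in (1, 2, 3):
        print(f"w={w}:", compare(DOC_A, DOC_B, w))
```

Run it with several values of w to see how a single changed word costs w shingles, which is why the post warns that shingle size must be matched to document length.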
<br />
When dealing with large data sets, storing the generated shingles becomes a challenge. To reduce their size, a hash of each shingle can be stored instead of the actual string. Obviously, we need something more suitable than an MD5 hash: in effect we want an algorithm that is functionally the opposite of MD5 and closer in outcome to "fuzzy hashing". "The min-wise independent permutations algorithm", or <a href="http://en.wikipedia.org/wiki/MinHash" rel="nofollow" target="_blank">MinHash</a> for short, is used for this purpose. I am going to leave MinHash for some other time, as it isn't necessary for understanding the algorithm for finding near-duplicate documents.<br />
<br />
Currently, most commercial computer forensic tools are missing this feature, though I can see some snippets of the functionality being implemented in the latest FTK Lab edition. By expanding its functionality, <a href="http://www.nuix.com/new-release" target="_blank">NUIX 4.2</a> has become a new player in the computer forensics field and has brought over a new set of useful tools from eDiscovery. My favourites so far are:<br />
<br />
<ul>
<li>solid support for various email formats (NSF, PST, EDB, etc.); </li>
<li>fast and reliable indexing; </li>
<li>and of course shingling, the ability to export shingle lists for use across the cases similarly to <a href="http://www.nsrl.nist.gov/" rel="nofollow" target="_blank">NSRL</a> or MD5 hash sets, being able to identify near-duplicates and also find <b>chained near-duplicates</b>.</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf9tKhznOSDh77DoMEv-SR1Z4J30wPxMBC3Q1B_QsIx2y9DCFqImFwiD7LYgHmNbgtFcr-9LwjIXvApcuOiSTOij9_SomGO6nDZFmOPt-Tki96AL8fpz14gIK6kjPgpyTjRfDvxENDRNn6/s1600/ChainedDups1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf9tKhznOSDh77DoMEv-SR1Z4J30wPxMBC3Q1B_QsIx2y9DCFqImFwiD7LYgHmNbgtFcr-9LwjIXvApcuOiSTOij9_SomGO6nDZFmOPt-Tki96AL8fpz14gIK6kjPgpyTjRfDvxENDRNn6/s320/ChainedDups1.png" height="320" width="218" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Chained near-duplicates</td></tr>
</tbody></table>
<b><u>UPDATE:</u></b><br />
<div>
1 October 2014<br />
<div>
<b><br /></b><script type="text/x-mathjax-config"> MathJax.Hub.Config({tex2jax: {inlineMath: [['$','$'], ['\\(','\\)']]}}); </script> <script src="http://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"> </script><br />
<div>
We do a lot of cool stuff at work with this technology in the <a href="https://www.elvidence.com.au/" target="_blank">eDiscovery</a>, <a href="https://www.elvidence.com/" target="_blank">Computer Forensic</a> and <a href="https://www.elvidence.com.au/" target="_blank">Incident Response</a> space. With <a href="http://info.nuix.com/open-new-worlds-of-data-with-nuix6.html" rel="nofollow" target="_blank">NUIX 6</a> just released, shingling can now be used for log analysis (evtx, IIS, Apache etc.). It is a game changer in Incident Response... and hey, I now run NUIX on my MacBook Air natively. </div>
</div>
</div>
<h2>A quick note on Fraud &lt;-- from the trenches</h2>
Posted by eco, 15 July 2012<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
Just finished an interesting investigation, where millions of dollars were stolen by a salesperson. It turned out that the company's KPIs (Key Performance Indicators) were based on sales volume, not on how much profit the sales team makes for the company. This approach breeds all kinds of corruption.<br />
<br />
<div style="text-align: right;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlakrKWVakuXMBhM1JkXPVCTFQ0JrQOJPSSyaSOCiP3o44CcgPx4mvrHsTqnN91kF78vytm_csSScIAB-flEDYgKzYnYD64AEoNXa0Wqc1vi6L2gjRk0ohJfQER5QVtGmjjjVg62yoIYzS/s1600/result.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="123" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlakrKWVakuXMBhM1JkXPVCTFQ0JrQOJPSSyaSOCiP3o44CcgPx4mvrHsTqnN91kF78vytm_csSScIAB-flEDYgKzYnYD64AEoNXa0Wqc1vi6L2gjRk0ohJfQER5QVtGmjjjVg62yoIYzS/s200/result.jpg" width="200" /></a></div>
<br />
In this particular case CCleaner and Eraser had been used 4 times before I got the computer. The guy simply didn't think of the automatic Apple backups that were made every time he connected his precious iPad to his work computer.<br />
<br />
<br />
<br />
<br />
<br />
Lately, I have noticed that it has become more frustrating to navigate the web. Ads are pushed onto my screen from every imaginable place. What's more annoying is that many show up before the content of the page you were urgently looking for, with a little button in some obscure place allowing you to skip or fast-forward the ad. I wonder how many annoyed or naive customers actually click on this kind of ad, and whether these ads do more damage than good for the advertiser.<br />
<br />
To me, this particular advertising model is not dissimilar to the above-mentioned case with all the consequences arising therefrom.<br />
<h2>Miscellaneous things</h2>
Posted by eco, 4 July 2012<br />
<h4>
AHCI</h4>
Windows 7 is finally replacing Windows XP in both private and corporate environments. According to <a href="http://www.engadget.com/2012/07/02/statcounter-windows-7-top-OS/">StatCounter</a>, Windows 7 passed the 50% threshold in June this year. I have been using Windows 7 almost from day one and started using this OS as my main forensic platform since the release of SP1. I found that Windows 7 is more sensitive to hardware changes compared to Windows XP and occasionally would simply refuse to boot after changing motherboard settings or adding new hardware.<br />
<br />
I still use a Dell Optiplex 755 for research and development. 8GB of RAM and a quad-core CPU handle most tasks at acceptable speeds. Last week I reinstalled the Win 7 OS and this week decided to add two 2TB drives configured in RAID-0. I went into the BIOS, changed the Drive Operation mode from the default AHCI to RAID and configured these two HDDs in the Intel Storage RAID controller as RAID-0.<br />
<br />
The OS refused to boot. I remembered how sometimes Windows XP would go into a 'BSOD' and Advanced Host Controller Interface (AHCI) mode had to be switched off in the BIOS. Obviously the issue was related to AHCI/RAID. The Win 7 automatic repair option didn't help and I went online looking for a solution. It only took me two minutes to find the <a href="http://support.microsoft.com/kb/922976" rel="nofollow">fix</a>. I disconnected the two RAID-0 drives, changed back to AHCI mode and booted Windows 7. I then edited two registry keys and changed their value data to 0, changed back to RAID mode and voila, everything works again.<br />
<br />
<div class="reg_path" style="margin: 0px; padding: 0px; word-break: break-all;">
<div style="margin: 0px;">
<span style="font-family: Helvetica; font-size: 12px;">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msahci</span><br />
<div style="font-family: 'Helvetica Light'; font-size: 11px; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">
<span style="font-family: Helvetica; font-size: 12px;"><br /></span></div>
</div>
<div style="font: 11.0px 'Helvetica Light'; margin: 0.0px 0.0px 0.0px 0.0px;">
<span style="font-family: Helvetica; font-size: 12px;">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IastorV</span></div>
<div style="font: 11.0px 'Helvetica Light'; margin: 0.0px 0.0px 0.0px 0.0px;">
<br /></div>
<h4>
Don't drop your Thunderbolt cable</h4>
<img alt="Untitled 2" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkMV1HS_yIk4-uxEnu_aVMc3l7-MaH8Kg8UUNjA1y3CU5CB_LAgo5MygRAUIatho4v4MfBRDq8WTXXB5jF8PTLBbLBMI-vY4gKZcRlABVkWdde0FWTHTFT-YG9_HLymJmuaeiNAoybTitF/?imgmax=800" height="84" title="Untitled 2.png" width="84" /><br />
<br />
I have been holding back on Thunderbolt technology due to its price and the lack of available storage devices. My focus this year was on USB3. Adding USB3 drivers to a WinPE Forensic Live CD, for example, is easy to do, and <a href="http://ru.wikipedia.org/wiki/ExpressCard" rel="nofollow" target="_blank">ExpressCards</a> are cheap and extremely useful when imaging laptops that have no USB3 interface.<br />
<br />
Thunderbolt is still an expensive technology; even cables are $50 plus. The technology is very promising though and is gaining popularity. Thunderbolt cables are expensive for a good reason.<br />
<br />
They aren't just a bunch of interconnected copper conductors anymore. To be able to sustain a 10Gbps bidirectional data transfer rate, these 'wires' currently have four integrated circuits at both ends. Transceivers, microcontrollers, 3V power management and voltage regulation chips and a 15V power supply are built into the wire, making it a very sensitive and advanced piece of hardware.<br />
<div style="font: 11.0px 'Helvetica Light'; margin: 0.0px 0.0px 0.0px 0.0px;">
<br /></div>
</div>
<h2>A short X-War story.</h2>
Posted by eco, 28 May 2012<br />
Around two years ago I got a new job. Part of my responsibility was to build the firm's Computer Forensic practice almost from scratch. On my first day at work I was out imaging a dozen computers, and then brought the acquired images for processing into a room which later became our computer forensics lab. Dell <a href="http://www.dell.com/us/dfb/p/optiplex-755/pd" target="_blank">Optiplex 755</a> and EnCase were the only tools available at the time, and the current investigation urgently demanded computer forensic reports/results. Just as a side note: I have been in the industry for many years, have MCSE certifications and know well how to install and properly configure a forensic workstation and tools.<br />
<br />
Twenty-four hours later I was nowhere with these images, still dealing with constant <a href="http://www.guidancesoftware.com/forensic.htm" target="_blank">EnCase</a> crashes. Downgrading the EnCase version or calling tech support was of no help. Using open source tools was not an option due to the time constraints and, to make things worse, I had access to only a very slow Internet connection.<br />
<br />
I gave <a href="http://www.x-ways.net/" target="_blank">X-Ways</a> a call and arranged an urgent delivery of an X-Ways Forensics dongle. It arrived in a couple of days. In just a few hours I had information flowing to the investigators. About six days (and nights) later I had all the reports done. X-Ways Forensics was rock solid, with not a single crash.<br />
<br />
X-Ways Forensics is currently in a very active development stage, with new features being added almost on a weekly basis. Mind you, X-Ways is already a very advanced tool with many unique features that are not yet available in EnCase or FTK. Volume Shadow Copy is a good example. The tool also often interprets the data more accurately compared to other mainstream forensic tools. I just read Mike’s <a href="http://writeblocked.com/blog.html" target="_blank">post</a> regarding disks using 4k sectors. Mike in his recent post mentioned X-Ways as the only forensic tool able to correctly interpret info from such disks (EnCase 7 might work as well, so maybe some folks will actually start using it :-). This is consistent with my experience and very illustrative.<br />
<br />
Looking at the latest features of X-Ways, I wonder if the team of developers at X-Ways ever sleep. Recently added: support for VMDK snapshot images, NK2 Outlook auto-complete files, IE travellog files, and metadata extraction from manifest.mbdx and manifest.mbdb iPhone backup files. The most significant addition for me personally is a plug-in to run Python scripts as X-Tensions for X-Ways Forensics. Did I mention that you actually hear back from their technical support?<br />
<div>
<br /></div>
<h2>USB Flash drive Serial Numbers - "UNIQUE"?</h2>
Posted by eco, 23 April 2012<br />
Formatted USB flash drives (a.k.a. thumb drives, etc.) have Volume Serial Numbers generated when the new filesystem is created. The algorithm depends on the file system and the OS. The Volume Serial Number can easily be changed with a hex editor at the following locations:<br />
<div>
<br /></div>
<div>
<b>FAT 12/16</b> - 4 bytes at offset 0x027<br />
<b>FAT 32</b> - 4 bytes at offset 0x043<br />
<b>NTFS</b> - 8 bytes at offset 0x48<br />
<br />
or by using any of a myriad of free tools that can be found on the Internet. Volume Serial Numbers are important from the forensic investigation standpoint and plenty of good material has been written on this topic. The most prominent in my view are written by <a href="http://www.digital-detective.co.uk/documents/Volume%20Serial%20Numbers.pdf" target="_blank">Craig Wilson</a>, <a href="http://computer-forensics.sans.org/blog/2009/09/09/computer-forensic-guide-to-profiling-usb-thumbdrives-on-win7-vista-and-xp/" target="_blank">Rob Lee</a> and <a href="http://windowsir.blogspot.com/search?q=volume%20serial" target="_blank">Harlan Carvey</a>.<br />
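As an added example, not from the original post, the following Python reads the Volume Serial Number at the offsets listed above from a raw boot sector, checks that the FAT extended boot signature is actually present before trusting the field, and formats the value the way Windows' vol/dir commands display it (XXXX-XXXX; for NTFS the low 32 bits of the 64-bit field). The boot sectors it checks itself against are constructed, not taken from a real device.

```python
"""Read the Volume Serial Number from a FAT12/16, FAT32 or NTFS boot sector.

Added example, not code from the original post. It uses the offsets given in
the post (FAT12/16: 4 bytes at 0x27, FAT32: 4 bytes at 0x43, NTFS: 8 bytes at
0x48), identifies the file system from the OEM ID / file system type strings,
and formats the serial the way Windows displays it (XXXX-XXXX; for NTFS the low
32 bits of the 64-bit field). The boot sectors used below are constructed for
the example and do not come from a real device.
"""
import struct

SECTOR = 512


def detect_fs(boot: bytes) -> str:
    """Classify a boot sector as 'NTFS', 'FAT32', 'FAT12/16' or 'unknown'."""
    if len(boot) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if boot[3:11] == b"NTFS    ":              # NTFS OEM ID
        return "NTFS"
    if boot[0x52:0x5A].startswith(b"FAT32"):   # FAT32 file system type string
        return "FAT32"
    if boot[0x36:0x3E].startswith(b"FAT"):     # FAT12 / FAT16 type string
        return "FAT12/16"
    return "unknown"


def _display(value: int) -> str:
    """Render a 32-bit serial as Windows shows it: XXXX-XXXX."""
    hi, lo = (value >> 16) & 0xFFFF, value & 0xFFFF
    return f"{hi:04X}-{lo:04X}"


def volume_serial(boot: bytes) -> tuple:
    """Return (fs_type, serial_as_int, display_string) for one boot sector.

    For FAT volumes the serial field only exists when the extended boot
    signature byte just before it is 0x28 or 0x29; otherwise (fs, None, None).
    """
    fs = detect_fs(boot)
    if fs == "NTFS":
        (serial,) = struct.unpack_from("<Q", boot, 0x48)   # 8 bytes, little-endian
        return fs, serial, _display(serial & 0xFFFFFFFF)   # Windows shows the low DWORD
    if fs == "FAT32":
        sig_off, serial_off = 0x42, 0x43
    elif fs == "FAT12/16":
        sig_off, serial_off = 0x26, 0x27
    else:
        return fs, None, None
    if boot[sig_off] not in (0x28, 0x29):
        return fs, None, None                               # no extended BPB present
    (serial,) = struct.unpack_from("<I", boot, serial_off)  # 4 bytes, little-endian
    return fs, serial, _display(serial)


def volume_serial_from_image(path: str, offset: int = 0) -> tuple:
    """Decode the sector at `offset` in a raw (dd-style) image or block device.

    Pass the partition's start offset when the image is of a whole disk.
    """
    with open(path, "rb") as fh:
        fh.seek(offset)
        return volume_serial(fh.read(SECTOR))


def constructed_sector(fs: str, serial_bytes: bytes) -> bytes:
    """Build a minimal boot sector carrying `serial_bytes` (test data, not a real volume)."""
    sec = bytearray(SECTOR)
    sec[510:512] = b"\x55\xAA"                  # boot sector signature
    if fs == "NTFS":
        sec[0:3] = b"\xEB\x52\x90"
        sec[3:11] = b"NTFS    "
        sec[0x48:0x50] = serial_bytes
    elif fs == "FAT32":
        sec[0:3] = b"\xEB\x58\x90"
        sec[0x42] = 0x29
        sec[0x43:0x47] = serial_bytes
        sec[0x52:0x5A] = b"FAT32   "
    else:
        sec[0:3] = b"\xEB\x3C\x90"
        sec[0x26] = 0x29
        sec[0x27:0x2B] = serial_bytes
        sec[0x36:0x3E] = b"FAT16   "
    return bytes(sec)


if __name__ == "__main__":
    # Bytes on disk are little-endian, so 78 56 34 12 is serial 0x12345678
    print(volume_serial(constructed_sector("FAT12/16", b"\x78\x56\x34\x12")))
    print(volume_serial(constructed_sector("FAT32", b"\xEF\xBE\xAD\xDE")))
    print(volume_serial(constructed_sector("NTFS", b"\x1C\x2F\x7D\x4E\x9A\x3B\x2D\x6F")))
```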
<br />
Unlike <i>Device Serial Numbers</i>, Volume IDs get captured by all forensic imaging tools. <i><b>Device Serial Numbers</b></i>, however, have been considered by computer forensic practitioners as more reliable and "unique" artefacts. In Windows there are several places where Device Serial Numbers get recorded/logged. The <a href="http://windowsir.blogspot.com/search?q=usbstor" target="_blank">USBStor</a> registry key and the Windows log files <a href="http://digfor.blogspot.com/2009/05/parsing-setupapilog_8740.html" target="_blank">Setupapi.log</a> on Windows XP or <a href="http://digfor.blogspot.com/2008/10/window-xp-and-vista-setupapilog.html" target="_blank">Setupapi.dev.log</a> on Vista and above are the most obvious ones. It is also a well known fact that when a USB flash drive has no serial number, the system assigns its own number to the device, with an ampersand symbol as the second character of this serial number.<br />
<b><br /></b><br />
<b>The question is, how "UNIQUE" these Device Serial numbers are?</b><br />
<i>Well, as it turns out, these numbers are not necessarily unique. There could be several reasons for this.</i><br />
<br />
<b>1</b>. There is a tool that gamers use to spoof device serial numbers called <i>PB DownForce</i>. It is capable of temporarily changing the device serial number. The serial number can be changed to a random or predefined serial number.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAyOJs6jA78BtDs7Vv4UYdlmRJ4hWU7f_i7k8lvzWy3DDFQPCkL_dNkWSNA2f9mR2hyphenhyphenpS8kxhxJfHlDa2e5XVCTPaj7BGd7JwJUEMq-GNo2vmoOPDnd_7gRqZf7XIyyrbxlIsD-JkqptBC/s1600/Program+Manager_2012-04-21_16-24-27.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAyOJs6jA78BtDs7Vv4UYdlmRJ4hWU7f_i7k8lvzWy3DDFQPCkL_dNkWSNA2f9mR2hyphenhyphenpS8kxhxJfHlDa2e5XVCTPaj7BGd7JwJUEMq-GNo2vmoOPDnd_7gRqZf7XIyyrbxlIsD-JkqptBC/s400/Program+Manager_2012-04-21_16-24-27.png" width="258" /></a></div>
<br />
This won't fool (see picture below) tools like <a href="http://www.nirsoft.net/utils/usb_devices_view.html" target="_blank">USBDeview</a>, but software that relies on the operating system to obtain the serial number will fall for it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcg6Hiwx9COc6dqR5SSozXnOEnaEf5WcXOZdII-obIerX07x7HlUymahA2FIMzXYYgm03Nv23_TdrIMkOSZZVDWULl3aRmfztQdwT5r4CYBhoEYERlM0DftyE7hR19T4aySHkGbRv6su4i/s1600/USBDeview_2012-04-21_16-25-03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="85" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcg6Hiwx9COc6dqR5SSozXnOEnaEf5WcXOZdII-obIerX07x7HlUymahA2FIMzXYYgm03Nv23_TdrIMkOSZZVDWULl3aRmfztQdwT5r4CYBhoEYERlM0DftyE7hR19T4aySHkGbRv6su4i/s400/USBDeview_2012-04-21_16-25-03.png" width="400" /></a></div>
<br />
<b>2. </b>USB drive serial numbers are meant to be at least 12 valid characters, represented as a UNICODE string. "The last 12 digits of the serial number shall be unique to each USB <i>idVendor</i> and <i>idProduct</i> pair", according to the <a href="http://www.usb.org/developers/devclass_docs/usbmassbulk_10.pdf" target="_blank">Universal Serial Bus Mass Storage Class paper</a>.<br />
<br />
<b>Valid Serial Number Characters</b><br />
<br />
<table><tbody>
<tr><td><b>Numeric</b></td><td><b>ASCII</b></td></tr>
<tr><td>0030h through 0039h</td><td>"0" through "9"</td></tr>
<tr><td>0041h through 0046h</td><td>"A" through "F"</td></tr>
</tbody></table>
<br />
These requirements have not been adopted as a mandatory standard, and a lot of manufacturers use shorter and, in many cases, <i>identical numbers</i> on their cheaper drives.<br />
<br />
<b>3.</b> Big labels do use "unique" serial numbers, especially on their upper class, higher capacity USB devices. Still, some reuse serial numbers every 6 millionth device, as in the case of one popular USB storage manufacturer I had to deal with.<br />
<br />
<b>4. </b>Devices can be FAKE. On eBay there are plenty of fake 'false capacity' USB flash drives, including brand name counterfeits such as 16GB Kingston, 32GB Sandisk etc. Serial numbers on these devices can be either all identical or generated at random.<br />
<br />
<b>5.</b> A user can change the device serial number accidentally or on purpose. There are many tools, mostly used to fix faulty USB flash drives, capable of changing the device serial number. The <a href="http://fixfakeflash.wordpress.com/" target="_blank">FixFakeFlash Inspectortech</a> website is a good place to learn more about fake USB devices and about tools capable of changing many parameters on a USB device, including the serial number, as well as the ability to create, encrypt, hide or write-protect certain areas on the device.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAs5nZK0nK_WBQgw8CcuZEzEBKjCZ-zfCTBVZcvPOsdy8m7S_q_HGqDy9LMcvmhlBQ9X1NlUXjenfiow7WPgIYwMPPkuEr7zfZyESezzx_PTnQuNGemIRNqlBVP-0mxeTOAIEvQ-lN6L_m/s1600/MW82_1.5.1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="327" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAs5nZK0nK_WBQgw8CcuZEzEBKjCZ-zfCTBVZcvPOsdy8m7S_q_HGqDy9LMcvmhlBQ9X1NlUXjenfiow7WPgIYwMPPkuEr7zfZyESezzx_PTnQuNGemIRNqlBVP-0mxeTOAIEvQ-lN6L_m/s400/MW82_1.5.1.png" width="400" /></a></div>
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH4qGa18WycXUjX0sDJY49vEH0c76NBIg5HL4tnKYH4UExFq3GMT1tgCSw4CoU35vjyqOZYih_7BuZrqpJ0UVK-k5G90c-l5TWAZdhpVuQGlEm93JyWq_w0R2PcGzdmK_NWxGfK62tpj6C/s1600/Ameco+MW8219+1.5.1.4+%E2%80%93+FlashBoot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="323" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH4qGa18WycXUjX0sDJY49vEH0c76NBIg5HL4tnKYH4UExFq3GMT1tgCSw4CoU35vjyqOZYih_7BuZrqpJ0UVK-k5G90c-l5TWAZdhpVuQGlEm93JyWq_w0R2PcGzdmK_NWxGfK62tpj6C/s400/Ameco+MW8219+1.5.1.4+%E2%80%93+FlashBoot.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCe98iVBuzR09m-9RSj6nt5ZVKKL8ePxw54OWUIQt8lsGQH2dFztUtD77mgTV1utQXzSvInixmnjx6kH1m0gg7l8i0ydOqXyUoIlybujzOCynTdraQGlRHlyHVwUtQQuRJcFrvT-yokJUt/s1600/Alcor+FC+MpTool+5T2F+6T2F+v05.00.08+%28AU69xx+FC8xxx%29+%E2%80%93+FlashBoot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCe98iVBuzR09m-9RSj6nt5ZVKKL8ePxw54OWUIQt8lsGQH2dFztUtD77mgTV1utQXzSvInixmnjx6kH1m0gg7l8i0ydOqXyUoIlybujzOCynTdraQGlRHlyHVwUtQQuRJcFrvT-yokJUt/s400/Alcor+FC+MpTool+5T2F+6T2F+v05.00.08+%28AU69xx+FC8xxx%29+%E2%80%93+FlashBoot.png" width="400" /></a></div>
<br />
<br />
The above-mentioned tools are designed to work with different USB flash drive controllers, and you of course must have the right one to be able to reprogram the device.<br />
<br />
<div>
The name of the memory controller can be encoded in the original (factory set) Serial Number. For example, some Kingston devices have a letter A, B, E, C or F in the 13th position of the serial number: <br />
<br />
Kingston DataTraveler 200 USB Device SN: 001A92053B6AB<b>B</b>4131340023<br />
<br />
A - SkyMedi<br />
<b>B</b> or E - Phison<br />
C or F - SSS<br />
<br />
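As an added example, not from the original post, this Python applies the points above (the ampersand rule for OS-assigned serials, the 12-hex-character Mass Storage Class requirement, and the Kingston 13th-character controller hint) to USBSTOR device instance paths. The Disk&Ven_vendor&Prod_product&Rev_rev\serial&n layout of those paths is assumed from general knowledge of the key rather than stated in the post, and the sample paths are constructed (the Kingston serial is the one quoted above).

```python
r"""Triage checks for USB device serial numbers recorded under USBSTOR.

Added example, not code from the original post. Input is a device instance
path in the form Windows stores under
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR, i.e.
Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<n> (this layout is assumed
from general knowledge of the key; the post only names the key). The checks
follow the post: a serial with '&' as its second character was generated by
Windows rather than read from the device; a serial whose last 12 characters are
not all 0-9/A-F does not follow the USB Mass Storage Class requirement; and on
some Kingston devices the 13th character hints at the controller vendor.
The instance paths below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# 13th-character controller hint for some Kingston serials, as listed in the post
KINGSTON_CONTROLLER = {"A": "SkyMedi", "B": "Phison", "E": "Phison", "C": "SSS", "F": "SSS"}

_INSTANCE_RE = re.compile(
    r"^Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^\\]*)\\(?P<instance>.+)$"
)


@dataclass
class SerialAssessment:
    vendor: str
    product: str
    serial: str
    os_assigned: bool           # True: Windows generated the ID ('&' is the 2nd character)
    spec_conformant: bool       # True: >= 12 chars and the last 12 are all 0-9 / A-F
    controller_hint: Optional[str]

    @property
    def reliable_as_unique(self) -> bool:
        """Only a device-supplied, spec-conformant serial is worth treating as unique."""
        return not self.os_assigned and self.spec_conformant


def assess_usbstor_instance(device_path: str) -> SerialAssessment:
    """Parse one USBSTOR instance path and apply the three checks."""
    m = _INSTANCE_RE.match(device_path)
    if not m:
        raise ValueError(f"not a USBSTOR disk instance path: {device_path!r}")
    # Windows appends '&<n>' to the device serial; strip it to get the serial itself
    serial = re.sub(r"&\d+$", "", m.group("instance"))
    os_assigned = len(serial) > 1 and serial[1] == "&"
    tail = serial[-12:]
    spec_conformant = (not os_assigned and len(serial) >= 12
                       and all(c in "0123456789ABCDEF" for c in tail))
    hint = None
    if m.group("vendor").upper() == "KINGSTON" and len(serial) >= 13:
        hint = KINGSTON_CONTROLLER.get(serial[12].upper())   # 13th position, per the post
    return SerialAssessment(m.group("vendor"), m.group("product"), serial,
                            os_assigned, spec_conformant, hint)


def triage(device_paths: List[str]) -> List[SerialAssessment]:
    """Assess many instance paths, skipping entries that are not USBSTOR disks."""
    results = []
    for path in device_paths:
        try:
            results.append(assess_usbstor_instance(path))
        except ValueError:
            continue
    return results


# Constructed sample instance paths (the Kingston serial is the one quoted in the post)
SAMPLE_PATHS = [
    r"Disk&Ven_Kingston&Prod_DataTraveler_200&Rev_PMAP\001A92053B6ABB4131340023&0",
    r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0",     # OS-assigned ID
    r"Disk&Ven_Cheapo&Prod_USB_DISK&Rev_1.00\ABC123&0",            # too short for the spec
    r"CdRom&Ven_Foo&Prod_Bar&Rev_1.0\XYZ&0",                       # not a disk: skipped
]

if __name__ == "__main__":
    for a in triage(SAMPLE_PATHS):
        print(a.vendor, a.serial, "os_assigned" if a.os_assigned else "device",
              "spec-ok" if a.spec_conformant else "spec-fail", a.controller_hint)
```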
<div>
To my knowledge similar tools are available for the memory controllers listed below:<br />
<div>
<ul>
<li>Alcor</li>
<li>Ameco (MXTronics)</li>
<li>Chipsbank</li>
<li>iCreate</li>
<li>ITE tech</li>
<li>Netac</li>
<li>OTI</li>
<li>Phison</li>
<li>Prolific</li>
<li>RAMOS</li>
<li>Skymedi</li>
<li>SMI (Silicon Motion)</li>
<li>SSS (Solid State System)</li>
</ul>
In addition to <i>USBDeview</i> there is another excellent tool called <i>ChipGenius</i> (by Chinese developers at mydigit.cn) that provides a lot of useful information about a USB device. The tool can be used to check pretty much all types of USB devices, including external hard drives and MP3 players, detect fakes and view the device controller vendor.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWIqZao0TXSdvaupofpjFab7QVzLzN4DtUp8jmSb7LgankQQhKOzNIp-3OvTwK6l6W3J7IAtPC6NBm3LCaQ9_yhos_Au0SbeV4f1ge4rT1BOg_YdzQx3VX3sIf0AAgJXf-2TUYIGB1RXXt/s1600/ChipGenius.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="319" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWIqZao0TXSdvaupofpjFab7QVzLzN4DtUp8jmSb7LgankQQhKOzNIp-3OvTwK6l6W3J7IAtPC6NBm3LCaQ9_yhos_Au0SbeV4f1ge4rT1BOg_YdzQx3VX3sIf0AAgJXf-2TUYIGB1RXXt/s400/ChipGenius.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAl7wIenh31j2ZWKdfo-Lau_Zy5dGR6RJs361Ts2TcyglPOAELgg0efxD5pL15N3p3-EF9Ya0C7U1iPBfboReccqS38bf66DF2J63zbj4mBgWUMkC_S0GtFhJPvkMnsKLhVFIkrEeK-2jH/s1600/ChipGenius+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="378" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAl7wIenh31j2ZWKdfo-Lau_Zy5dGR6RJs361Ts2TcyglPOAELgg0efxD5pL15N3p3-EF9Ya0C7U1iPBfboReccqS38bf66DF2J63zbj4mBgWUMkC_S0GtFhJPvkMnsKLhVFIkrEeK-2jH/s400/ChipGenius+2.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
It displays chip model, manufacturer, revision number, VID/PID, interface speed, protocol, serial number and media type information.<br />
<br />
Finally, unlike Volume Serial Numbers, most forensic imaging tools don't capture the Device Serial Number. The only exceptions to this rule that I know of are Tableau imagers. Both <a href="http://www.tableau.com/index.php?pageid=products&category=duplicators">hardware</a> (TD1 & TD2 duplicators) and <a href="http://www.tableau.com/index.php?pageid=products&model=TSW-TIM" target="_blank">software</a> (TIM, a.k.a. Tableau's High Performance Software Imager) include the Device Serial Number in the acquisition log automatically (but not in the image itself).<br />
<br />
Speaking of Tableau devices, the new generation TD duplicator, TD2, is looking really sexy. TD1 has been used by my team quite extensively. The new version "can optionally include USB, SCSI and SAS suspect drive" and, what is even more exciting, has the ability to image 1:2, or as Tableau calls it, "Twinning" support. According to the specifications it also supports the EnCase v7 .ex01 (AES encrypted) format. I am definitely going to order one of these very shortly.</div>
</div>
<h2>HELLO - Almost missed it.</h2>
Posted by eco, 11 April 2012<br />
Computer forensic tools are rapidly improving and make forensic examinations easier for the masses. Only a qualified forensic practitioner, however, can reliably produce consistently good results.<br />
For example, at present no computer forensic tool can properly detect, search and index text stored as Unicode escape sequences. I have recently been working with an image containing some iPad sqlite3 backup files and found an extremely important piece of evidence almost by accident. Well, not exactly by accident; I was just being thorough really.<br />
<b>\u0048 \u0045 \u004c \u004c \u004f</b> means <b>HELLO</b> when you convert it from <a href="http://www.mixesoft.com/unicode_escaped_sequence_to_string_literals_converter.html" rel="nofollow" target="_blank">the Unicode-escape</a> form, which Apple tends to use quite extensively for recording non-Latin characters. Python comes to the rescue (once again) with its built-in <a href="http://docs.python.org/library/sqlite3.html" rel="nofollow" target="_blank">sqlite3 library</a> to pull the data and .decode('unicode_escape'). <span style="font-family: sans-serif; font-size: x-small;"><br /></span><br />
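As an added example, not the author's script, here is how that decoding looks in Python 3 (where str has no .decode(), so the value is encoded to bytes first): it builds a small constructed sqlite3 database with escaped rows, shows that a plain SQL LIKE misses them, and finds them once each value is decoded with the unicode_escape codec.

```python
r"""Find text stored as \uXXXX Unicode escape sequences in SQLite rows.

Added example, not code from the original post. It builds a small in-memory
sqlite3 database whose rows hold strings in the escaped form the post describes,
decodes every text value with the 'unicode_escape' codec and searches the decoded
text for a keyword. Python 3 str has no .decode(), so the value is encoded to
bytes first; 'backslashreplace' keeps any real non-Latin-1 characters intact.
Table, column and rows are constructed for the example.
"""
import re
import sqlite3
from typing import List, Tuple

_ESCAPE_RE = re.compile(r"\\u[0-9a-fA-F]{4}|\\x[0-9a-fA-F]{2}")


def unescape(text: str) -> str:
    r"""Decode \uXXXX / \xXX escapes embedded in a str, leaving other text alone.

    Only values that actually contain an escape are decoded, so a stray
    backslash in ordinary text (e.g. a Windows path) cannot raise here.
    """
    if not _ESCAPE_RE.search(text):
        return text
    try:
        return text.encode("latin-1", "backslashreplace").decode("unicode_escape")
    except UnicodeDecodeError:
        return text   # a malformed escape elsewhere in the value: keep the raw text


def _ident(name: str) -> str:
    """Quote an SQL identifier; identifiers cannot be bound as parameters, so validate them."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return f'"{name}"'


def search_escaped_rows(conn: sqlite3.Connection, table: str, column: str,
                        keyword: str) -> List[Tuple[int, str]]:
    """Return (rowid, decoded_text) for rows whose decoded text contains keyword.

    A plain SQL LIKE on the stored column misses these rows, which is the
    search/indexing gap the post describes; the decoding happens in Python.
    """
    cur = conn.execute(f"SELECT rowid, {_ident(column)} FROM {_ident(table)}")
    needle = keyword.casefold()
    hits = []
    for rowid, raw in cur:
        if isinstance(raw, str):
            decoded = unescape(raw)
            if needle in decoded.casefold():
                hits.append((rowid, decoded))
    return hits


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a backup database: two escaped rows and one plain row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (text TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?)", [
        (r"\u0048\u0045\u004c\u004c\u004f world",),       # decodes to 'HELLO world'
        (r"\u041f\u0440\u0438\u0432\u0435\u0442, Bob",),   # decodes to 'Привет, Bob'
        ("nothing escaped here",),
    ])
    conn.commit()
    return conn


def naive_like_count(conn: sqlite3.Connection, keyword: str) -> int:
    """What a raw SQL search sees: the escaped rows do not match."""
    return conn.execute("SELECT count(*) FROM messages WHERE text LIKE ?",
                        (f"%{keyword}%",)).fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db()
    print("SQL LIKE hits for HELLO:", naive_like_count(db, "HELLO"))
    print("decoded hits for HELLO:", search_escaped_rows(db, "messages", "text", "HELLO"))
```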
A quick script solved the problem, so I get some free time to finally watch "<a href="http://www.imdb.com/title/tt1113829/" rel="nofollow">George Harrison: Living in the Material World</a>" this weekend which has been on my to-do list for a couple of months now.<br />
<br />
And to make it clear, the important piece of evidence I found wasn't the word "HELLO"<span style="font-family: sans-serif; font-size: x-small;"> </span><img src="http://www.mazeguy.net/silly/spin.gif" style="font-family: sans-serif; font-size: small;" /><span style="font-family: sans-serif; font-size: x-small;"> </span><br />
<br />
<br />
<h2>Sharing</h2>
Posted by eco, 27 February 2012<br />
Sharing information on the net has some risks associated with it. "<i>..if you rear yourself against it, you shall fall, you shall be bruised, you shall be battered, you shall be flawed, you shall be smashed.</i>" Dickens, Bleak House (1853). Yet still, I would rather see more information and a healthy discussion or argument about an issue than see nothing. I am glad to see more computer forensic blogs popping up; some of them are really great and some are just excellent. Periodically I get a chance to speak to very knowledgeable people. There is a lot to learn from these people, but they become algophobic at the very thought of putting snippets of their knowledge or ideas online.<br />
<br />
Yes, there are risks if you haven't verified your information or if your assumptions were wrong. You may very well end up in a situation like this snowman.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUvvpZhBgpuZczJBz-0l2DJsAD5QyaDCtm1blGb9hE0I23GhQN0ntD6OFPRAR86My3oy3trdsPGnBU8chkS7UrHDdadZi1e9xG5wr6ardEkazHmo1y4VIqjFcsRYJB5SpoYIy7UzfNXfKl/s1600/jumper1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUvvpZhBgpuZczJBz-0l2DJsAD5QyaDCtm1blGb9hE0I23GhQN0ntD6OFPRAR86My3oy3trdsPGnBU8chkS7UrHDdadZi1e9xG5wr6ardEkazHmo1y4VIqjFcsRYJB5SpoYIy7UzfNXfKl/s320/jumper1.png" width="240" /></a></div>
<br />
<br />
There might be some people out there showing off their "knowledge" without doing a thing themselves to contribute to the computer forensic community. These people usually look and behave like this snowman :-)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRlwwmN7hc4G90YLZVkbOVICJSJMLn_gtQ5qGkVGj62vz3lN8yhWW4ZtT7nd7uDNVTS3PTmzQRL5uARh2SHdakUidn5tTrJrE8fgkmu7CysKj1k5N-75lv0s6zHnQBbIKWwC8uJ3c3nUaZ/s1600/watcher.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRlwwmN7hc4G90YLZVkbOVICJSJMLn_gtQ5qGkVGj62vz3lN8yhWW4ZtT7nd7uDNVTS3PTmzQRL5uARh2SHdakUidn5tTrJrE8fgkmu7CysKj1k5N-75lv0s6zHnQBbIKWwC8uJ3c3nUaZ/s320/watcher.png" width="240" /></a></div>
<br />
Remember the 'Star Thrower' story by Loren C. Eiseley, where a young girl was at a beach full of starfish washed up after a storm. She was picking them up and throwing them back into the ocean. When she was told that she couldn't possibly make any difference because there were thousands of them around, she picked up another one and said "Well, I made a difference to that one!".<br />
<br />
Unfortunately I don't post often, simply because I am currently working in a country where the computer forensics discipline is in its infancy and only one university has recently launched a computer forensic course. Besides working the cases there is a lot of work in educating, training and explaining, which leaves me with very little time for any research or blogging.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgq9z-ZhmGBxpzbSd93ryXKEtctmyO60ohxsm9xloVzN_c5Y_mEo5J3rvpVHc1kNmM3lqRj9oOShE1gT2N9UDLG54ymDXHPoVdN9PDPIW3_32laagdUtWAMvuE-FVUEONWzv5br3Bd89VMs/s1600/photo(1).jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="281" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgq9z-ZhmGBxpzbSd93ryXKEtctmyO60ohxsm9xloVzN_c5Y_mEo5J3rvpVHc1kNmM3lqRj9oOShE1gT2N9UDLG54ymDXHPoVdN9PDPIW3_32laagdUtWAMvuE-FVUEONWzv5br3Bd89VMs/s320/photo(1).jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
You can't say I am not trying though :-)<br />
<br />
.. and yes, lots of snow around.<br />
<br />
<b>PFX – Personal inFormation eXchange</b> (2012-02-17)<br />
A password and a PFX file are needed to open encrypted e-mail messages whose content is enveloped and attached as smime.p7m. PRTK does a good job at cracking passwords, but some PFX files have different headers which PRTK does not recognise. <a href="http://www.chilkatsoft.com/installPython27.asp" target="_blank">Chilkat Python Modules</a> come in pretty handy in this situation. The modules come with a fully functional 30-day trial and must be purchased for use beyond that period or for commercial purposes. I wrote a script, based on one of the Chilkat module examples, that runs a dictionary attack against the PFX and the p7m encrypted message. <span style="color: #cc0000;">The code is quick and dirty</span>, but gets the job done.<br />
You will need your .p7m encrypted message, your .pfx file and a good ASCII-formatted wordlist with a .txt, .dic or .lst file extension.<br />
<br />
The sample code is provided for illustrative purposes only and "AS IS" without any warranties of any kind. :-) The code has not been thoroughly tested under all conditions, but should work fine if you know what you're doing. Here is the<a href="http://code.google.com/p/pypfx/source/browse/" target="_blank"> LINK</a> to it. It should work fine on Windows and maybe on Linux/Mac machines as well (some modifications may be needed). The script relies on the Chilkat modules, which must be installed before running it. Instructions are on the<a href="http://code.google.com/p/pypfx/" target="_blank"> pyPFX project home</a>.<br />
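The header differences mentioned above can be looked at without the password, because the outer PKCS#12 envelope (version INTEGER, authSafe ContentInfo, optional MacData) is plain DER. This is an added example, not the pyPFX script: it parses just that envelope, the field names follow RFC 7292, and the sample PFX it reads is a constructed envelope with no real key material inside.

```python
# Outer PKCS#12 (PFX) envelope inspector: stdlib only, no password needed.
OID_PKCS7_DATA = "1.2.840.113549.1.7.1"
OID_PKCS7_SIGNED_DATA = "1.2.840.113549.1.7.2"
INTEGRITY_MODES = {
    OID_PKCS7_DATA: "data (password integrity mode)",
    OID_PKCS7_SIGNED_DATA: "signedData (public-key integrity mode)",
}


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """DER OID content bytes to dotted text, e.g. 1.2.840.113549.1.7.1."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def inspect_pfx(blob):
    """Describe the outer PFX envelope: version, integrity mode, MacData present?"""
    info = {"is_pfx": False, "version": None, "integrity": None, "has_mac": False}
    if len(blob) < 2:
        return info
    tag, pfx, _ = _read_tlv(blob, 0)
    if tag != 0x30:                          # PFX ::= SEQUENCE { ... }
        return info
    tag, version, pos = _read_tlv(pfx, 0)
    if tag != 0x02:                          # version INTEGER (3 for every PFX in use)
        return info
    info["version"] = int.from_bytes(version, "big")
    tag, auth_safe, pos = _read_tlv(pfx, pos)
    if tag != 0x30:                          # authSafe ContentInfo SEQUENCE
        return info
    tag, oid, _ = _read_tlv(auth_safe, 0)
    if tag != 0x06:                          # contentType OID
        return info
    dotted = _decode_oid(oid)
    info["integrity"] = INTEGRITY_MODES.get(dotted, dotted)
    if pos + 1 < len(pfx):                   # optional MacData SEQUENCE follows
        info["has_mac"] = _read_tlv(pfx, pos)[0] == 0x30
    info["is_pfx"] = info["version"] == 3
    return info


def _der(tag, payload):
    """Minimal DER encoder, only used to build the constructed sample below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_sample_pfx(with_mac=True):
    """Constructed PFX envelope: correct outer shape, dummy bytes where keys would be."""
    oid = bytes.fromhex("2a864886f70d010701")           # 1.2.840.113549.1.7.1 (data)
    content = _der(0xA0, _der(0x04, b"\x00" * 200))    # [0] EXPLICIT OCTET STRING
    auth_safe = _der(0x30, _der(0x06, oid) + content)
    body = _der(0x02, b"\x03") + auth_safe             # version 3
    if with_mac:
        body += _der(0x30, b"\x00")                     # placeholder for MacData
    return _der(0x30, body)


if __name__ == "__main__":
    print(inspect_pfx(build_sample_pfx()))
```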
<br />
<br />
<br />
<b>a couple of newly discovered tools</b> (2011-11-24)<br />
It's been an extremely busy autumn for me. Whilst running around, I came across a couple of useful tools.<br />
<div>
<br />
<div>
<a href="http://www.forensicsoft.com/safe.php">SAFE</a> (System Acquisition Forensic Environment) is a Windows PE boot disk with built-in software write blocking. I use the Enterprise version, which requires a dongle only to start up the environment. The dongle can then be removed to start up the next machine. A bootable USB can also be created with SAFE USB Creator. There are several tools listed as officially SUPPORTED by ForensicSoft, but plenty of other tools run just fine in this environment as well. To be able to image over the network I put F-Response on the Live CD too and found it works rather well. SAFE has some problems recognising Unicode file names (when opening them with OpenOffice, for example) and some other minor bugs. The WinPE is based on Windows 7 32-bit and works well with most hardware.</div>
<div>
<br /></div>
<div>
Another Windows-based GUI imager, <a href="http://www.forensicimager.com/">Forensic Imager</a>, has been released in beta, this time from <a href="http://www.getdata.com/">GetData</a>. It has a very simple interface, works in portable mode and supports DD, AFF and E01 image formats. It also converts from one format to another. I wonder whether it will remain free once it is out of beta. </div>
<div>
<br /></div>
</div>
<br />
<b>SSD - TRIM, Encryption, Formatting and Fragmentation</b> (2011-08-03)<br />
<div class="MsoNormal" style="line-height: normal;">Operating systems identify Solid State Drives by querying the drive for its rotational speed. To be precise, this is done by reading the nominal media rotation rate as described in AT Attachment 8 - ATA/ATAPI Command Set (ATA8-ACS).</div><div class="MsoNormal" style="line-height: normal;"><b>Word 217</b><br />
<b>0000h</b> - <i>rate not reported</i><br />
<b>0001h</b> - <i>Non-rotating media (SSD)</i><br />
<b>0002h-0400h</b> - <i>Reserved</i><br />
<b>0401h-FFFEh</b> - <i>Nominal media rotation rate in rotations per minute (rpm)</i><br />
<i>7200 rpm = 1c20h, 5000 rpm = 1388h, 10 000 rpm = 2710h</i><br />
<b>FFFFh</b> – <i>Reserved</i></div><div class="MsoNormal" style="line-height: normal;"><br />
If the value 0001h is returned, Windows 7, for example, turns on TRIM support and disables defragmentation. Furthermore, to reduce the frequency of writes and flushes, Windows 7 also disables boot and application launch prefetching and services such as ReadyBoost and Superfetch. As far as I am aware, Windows XP and Windows Vista cannot differentiate SSDs from hard drives. The following file systems are known to be TRIM-supported by their respective operating systems: NTFS, HFS+, EXT4, Btrfs. I should mention here that modern Linux and Apple OS X support TRIM commands as well. TRIM functionality can also be implemented independently of the operating system; <a href="http://www.oo-software.com/home/en/products/oodefrag/">O&O Defrag</a>, for example, enables TRIM operations for FAT32 and exFAT formatted SSDs.</div><br />
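As an added example (not from the post), here is the word 217 lookup above applied to a raw 512-byte IDENTIFY DEVICE block in Python. The block is constructed inline, and the word 169 bit 0 check goes beyond the post: it is the DATA SET MANAGEMENT (TRIM) support bit as I know it from ATA8-ACS, so verify it against the specification for your drives.

```python
import struct

IDENTIFY_DEVICE_WORDS = 256   # IDENTIFY DEVICE returns 256 little-endian 16-bit words


def identify_word(identify_block, index):
    """Return word `index` of a 512-byte IDENTIFY DEVICE block."""
    if len(identify_block) != IDENTIFY_DEVICE_WORDS * 2:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    return struct.unpack_from("<H", identify_block, index * 2)[0]


def classify_rotation_rate(word217):
    """Interpret word 217 (nominal media rotation rate) exactly as the table in the post."""
    if word217 == 0x0000:
        return ("not reported", None)
    if word217 == 0x0001:
        return ("ssd", None)                 # non-rotating media
    if 0x0002 <= word217 <= 0x0400 or word217 == 0xFFFF:
        return ("reserved", None)
    return ("hdd", word217)                  # 0401h-FFFEh: rate in rpm


def trim_supported(identify_block):
    """Word 169 bit 0: DATA SET MANAGEMENT / TRIM supported (ATA8-ACS; not in the post)."""
    return bool(identify_word(identify_block, 169) & 0x0001)


def describe_drive(identify_block):
    """What an OS like Windows 7 would conclude from the block."""
    media, rpm = classify_rotation_rate(identify_word(identify_block, 217))
    return {"media": media, "rpm": rpm, "trim": trim_supported(identify_block)}


def make_identify_block(word217, word169=0):
    """Constructed 512-byte IDENTIFY DEVICE block with only words 169 and 217 filled in."""
    block = bytearray(IDENTIFY_DEVICE_WORDS * 2)
    struct.pack_into("<H", block, 169 * 2, word169)
    struct.pack_into("<H", block, 217 * 2, word217)
    return bytes(block)


if __name__ == "__main__":
    print(describe_drive(make_identify_block(0x0001, 0x0001)))   # an SSD with TRIM
    print(describe_drive(make_identify_block(0x1C20)))           # a 7200 rpm disk
```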
I know that many forensic folks are still wondering how operating systems, file systems and SSD controllers talk to each other to make TRIM work. Louis Gerbarg did an excellent <a href="http://www.devwhy.com/blog/2009/8/4/from-write-down-to-the-flash-chips.html">job of explaining and demystifying the process</a>.<br />
<br />
It should be noted that Windows 7 sends the TRIM command to the SSD not only when a file is deleted or a partition is formatted, but in several other instances, as described in the Support and Q&A for Solid-State Drives <a href="http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx">blog post</a>.<br />
<br />
<i>"The Trim operation is fully integrated with partition- and volume-level commands like Format and Delete, with file system commands relating to truncate and compression, and with the System Restore (aka Volume Snapshot) feature."</i><br />
<br />
A quick format is all that is required to trigger the TRIM command on an SSD, and all data will be erased (zeroed out). Speaking of formatting, there was not much difference between the Quick and Full format options on pre-Vista Windows machines: the only difference was that a full format also scanned for bad sectors, and data could still be recovered from formatted drives. <a href="http://support.microsoft.com/kb/941961/en-us">Since Windows Vista</a> a full format writes zeros over all data, completely destroying the old contents. The same applies to Windows 7, and my tests confirmed this. <br />
<br />
TRIM can be enabled and disabled manually. To check the TRIM status in Windows 7, enter the following in a command prompt window opened as Administrator:<br />
<br />
<i style="color: #38761d;">fsutil behavior query disabledeletenotify</i><br />
<br />
Output:<br />
<i><span style="color: #38761d;">DisableDeleteNotify = 1</span></i> Windows TRIM commands are disabled<br />
<i><span style="color: #38761d;">DisableDeleteNotify = 0</span></i> Windows TRIM commands are enabled<br />
<br />
The following command enables TRIM: <i style="color: #38761d;">fsutil behavior set disabledeletenotify 0</i>, and <i style="color: #38761d;">fsutil behavior set disabledeletenotify 1</i> disables it. <br />
<br />
To my knowledge TRIM is not yet supported on RAID volumes. Recently there has been some confusion on this topic in relation to Intel Rapid Storage Technology supporting TRIM for RAID volumes. Intel had to <a href="http://www.intel.com/support/chipsets/imsm/sb/CS-031491.htm">publish</a> a correction: TRIM is only supported in AHCI and RAID modes for drives that are not part of a RAID volume.<br />
<br />
Not all SSDs support the TRIM command, and some manufacturers do not even recommend enabling it. SandForce and OCZ recommend against enabling TRIM under Mac OS (due to Apple's implementation of TRIM) and discourage using TRIM on controllers with internal low-level compression (due to the way they are built and operate). <br />
<br />
TRIM + encryption is a topic worth its own cookbook, so I am only going to touch on it lightly. In my previous post I mentioned that Apple OS X Lion “FileVault 2” enables whole-disk encryption. It is certainly a big step forward compared to “FileVault 1”; however, this needs to be clarified a bit. “FileVault 2” is VOLUME-based encryption. For example, NTFS, FAT/FAT32 or exFAT partitions located on the same drive will not be encrypted. Recovery partitions also cannot be encrypted by “FileVault 2”. TRIM is believed to be supported on a “FileVault 2” encrypted drive. The TRIM command also works on NTFS file systems encrypted with BitLocker and TrueCrypt. TrueCrypt has issued several security warnings in relation to wear-levelling and to the TRIM command revealing which blocks are in use and which are not (<a href="http://www.truecrypt.org/docs/?s=trim-operation">Trim Operation Link</a> & <a href="http://www.truecrypt.org/docs/?s=wear-leveling">Wear-Leveling Link</a>). PGP WDE doesn’t support TRIM, but I remember someone mentioning that with the CLI it is possible to encrypt only used sectors. It is likely that the same security issue would arise as in the case of TrueCrypt.<br />
<br />
<br />
<br />
<b>The Mighty Lion</b> (2011-07-31)<br />
Snow Leopard 10.6 wasn't much of a problem from the forensics perspective and left paw prints all over the snow. It had no TRIM enabled by default, and FileVault was not particularly difficult to <a href="http://osxforensics.wordpress.com/2010/04/10/file-vault-passwords/">deal with</a>. Advanced users could install TRIM for their SSD drives by using <a href="http://www.groths.org/?p=313">TRIM Enabler 1.1</a>, but this wasn't widespread. Then Apple OS X Lion 10.7 came and the game changed. <br />
<br />
The new OS adds support for the TRIM command, and it is turned ON by default. TRIM allows OS-level garbage collection, assists with wear-levelling and fragmentation, reduces <a href="http://www.ask.com/wiki/Write_amplification">write amplification</a> and improves random write speed. Basically, if an operating system supports TRIM, delete really does mean delete, not just flagging space as available. <br />
<br />
OS X Lion also introduces "FileVault 2", which, instead of merely encrypting user home folders, now offers "Full Disk Encryption". Upon upgrading, existing users are offered an upgrade to "FileVault 2". The old FileVault, let's call it "FileVault 1", is also supported, but only for existing users of "FileVault 1". The new encryption method uses <a href="http://www.jetico.com/bcve_web_help/html/02_standards/03_mode.htm">XTS-AES</a> 128-bit encryption. When "FileVault 2" is enabled, the user is presented with the option to create a recovery key. <br />
<br />
<span class="Apple-style-span" style="color: #666666;"><i><b>WARNING:</b> You will need your login password or a recovery key to access your data. A recovery key is automatically generated as part of this setup. If you forget both your password and recovery key, the data will be lost.</i></span><br />
<span class="Apple-style-span" style="color: #666666;"><br />
</span><br />
<span class="Apple-style-span" style="color: #666666;"><b>Recovery key:</b> CCQP-DDA3-XDSF-5656-UHGX-MTN8 </span><br />
<br />
<br />
Additionally, Apple now provides an option to store the recovery key with them, which I am sure will be useful for both forgetful users and law enforcement.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjEJ29TPaBtY1eNFpbyKMD0fkRJTxdRAipyNHOUHJXvoD5wR-S9lXLIJ_lK4Z5F4YEtJo0RQlF0qt-kZz7mo85ekVdIv-hU8DXkF8BzJZTbEZ_vVylP7hMtjkpjSPUwRv25b3AiXD58Z50/s1600/Screen+Shot+2011-07-31+at+12.43.05+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="293" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjEJ29TPaBtY1eNFpbyKMD0fkRJTxdRAipyNHOUHJXvoD5wR-S9lXLIJ_lK4Z5F4YEtJo0RQlF0qt-kZz7mo85ekVdIv-hU8DXkF8BzJZTbEZ_vVylP7hMtjkpjSPUwRv25b3AiXD58Z50/s320/Screen+Shot+2011-07-31+at+12.43.05+PM.png" width="320" /></a></div>
<br />
<b>Safeboot with EnCase or FTK</b> (2011-07-18)<br />
Both EnCase and FTK (current versions) work with Safeboot Full Disk Encryption 4.x.<br />
EnCase has to be the 32-bit version (not 64-bit). According to Guidance Software support, Safeboot 4.1 or higher is not supported by EnCase. In reality, Safeboot 4.1 decryption works just fine with EnCase 6.18 as long as one follows the detailed <a href="https://support.guidancesoftware.com/node/1551">instructions</a>.<br />
<br />
FTK 3 officially supports SafeBoot versions 4.x and 5.x as well as McAfee Endpoint Encryption 6.x. There is no '32-bit only' limitation, because there is no need to install the SafeBoot tool or anything extra.<br />
<br />
<br />
Access to the SafeBoot server is required when working with both EnCase and FTK. There is no need to export/copy out any files for decrypting with FTK. For Safeboot versions 4.x and 5.x the decryption key can be obtained by running the <b>SbAdmCl.exe</b> command line tool. Its location on the Safeboot server can vary from version to version.<br />
<br />
<b>SbAdmCl.exe <span class="Apple-style-span" style="color: #38761d;">-AdminUser:</span></b><i><span class="Apple-style-span" style="color: blue;">admin</span></i> <b><span class="Apple-style-span" style="color: #38761d;">-AdminPwd:</span></b><i><span class="Apple-style-span" style="color: blue;">password</span></i> <b><span class="Apple-style-span" style="color: #38761d;">-command:</span></b><span class="Apple-style-span" style="color: blue;"><i>GetMachineKey</i></span><b><span class="Apple-style-span" style="color: #38761d;"> -Machine:</span></b><span class="Apple-style-span" style="color: blue;"><i>Machinename</i></span><br />
<br />
To extract decryption keys for a group of computers the same command can be issued with <span class="Apple-style-span" style="color: #38761d;">-Group:</span><span class="Apple-style-span" style="color: blue;">*</span> instead of <span class="Apple-style-span" style="color: #38761d;">-</span><b><span class="Apple-style-span" style="color: #38761d;">Machine:</span></b><span class="Apple-style-span" style="color: blue;"><i>Machinename</i></span><br />
<br />
The command should return 32 bit Encryption Key(s) that can be entered in FTK when the encrypted evidence files are added to the case.<br />
<br />
In McAfee Endpoint Encryption Version 6.x the key is exported from the server using ePO (ePolicy Orchestrator). Check the "<i>Exporting the recovery information file from ePO</i>" section of the <a href="https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22404/en_US/McAfee%20EETech.pdf">McAfee EETech User Guide</a> for details. Once the .xml file is exported, the base64 key located between <i><b>&lt;key&gt;</b></i> and <b>&lt;/key&gt;</b> needs to be copied, decoded and converted to hex. The easiest way to accomplish the task is to use <a href="http://tomeko.net/online_tools/base64.php?lang=en"><b>this</b></a> online "<i>Base64 -> hexadecimal string decoder</i>", which should produce the decryption key required by FTK.<br />
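Doing the same base64-to-hex conversion offline keeps a disk decryption key off a third-party web site. This is an added example, not from the post or from McAfee: the element name key is taken from the post, the surrounding XML layout is an assumption, and the 32-byte key in the sample export is constructed (32 bytes is what an AES-256 key would be, which shows up as 64 hex characters).

```python
import base64
import binascii
import xml.etree.ElementTree as ET


def extract_keys_from_epo_export(xml_text):
    """Return [{'hex': ..., 'length': ...}] for every <key> element in the export.

    The element is matched by local name, so an XML namespace on the export does
    not matter; the base64 is validated so a truncated copy/paste fails loudly
    instead of yielding a wrong key that FTK would silently reject.
    """
    root = ET.fromstring(xml_text)
    keys = []
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]          # strip any {namespace} prefix
        if local.lower() != "key" or not (elem.text or "").strip():
            continue
        compact = "".join(elem.text.split())          # exports may wrap the base64
        try:
            raw = base64.b64decode(compact, validate=True)
        except binascii.Error as exc:
            raise ValueError("malformed base64 in <%s>: %s" % (local, exc)) from exc
        keys.append({"hex": raw.hex(), "length": len(raw)})
    return keys


def build_sample_export(key=bytes(range(32))):
    """Constructed export file; a real ePO export carries more elements around the key."""
    b64 = base64.b64encode(key).decode("ascii")
    return ("<recovery>\n"
            "  <machine name=\"WS-0042\">\n"          # constructed machine name
            "    <key>\n      %s\n    </key>\n"
            "  </machine>\n"
            "</recovery>\n" % b64)


if __name__ == "__main__":
    for entry in extract_keys_from_epo_export(build_sample_export()):
        print("%d-byte key: %s" % (entry["length"], entry["hex"]))
```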
<br />
<span class="Apple-style-span" style="color: #cc0000;">UPDATE: 16 August 2011</span><br />
<span class="Apple-style-span" style="background-color: white; color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 12px; line-height: 16px;">EnCase Version 6.19 has just been released. The new version now provides support for <i>McAfee Endpoint Encryption 6.0.</i></span><br />
<br />
<b>No trust in a single tool.</b> (2011-06-13)<br />
<div dir="ltr" style="text-align: left;" trbidi="on"><blockquote><i>"If the only tool you have is a hammer, you tend to see every problem as a nail."</i></blockquote><blockquote>Abraham Maslow</blockquote><br />
More and more often I find myself working on a case with at least two forensic tools simultaneously. Depending on the task I pair EnCase with X-Ways or FTK with X-Ways. <br />
<br />
All three are great, and each is better than the others at certain tasks. I like working with EnCase to analyse registries, automate things with EnScripts, or search and bookmark hits in unallocated space. FTK is best with e-mail and has excellent ‘indexed’ search capability. X-Ways Forensics is simply fast and reliable. <br />
<br />
There is no point in doing ALL operations with a pair of these tools. There are always several key pieces of evidence supporting the hypothesis that need extra attention. This is especially true when confirming the absence of certain evidence.<br />
<br />
I don’t just use two tools in parallel; in addition, I attempt to use different methods to confirm the facts. This becomes a sort of Devil's Advocate peer review activity. <br />
<br />
Lately, forensic tools have become more complex and attempt to provide more interpretation for the sake of convenience. Not surprisingly, I frequently observe different interpretations by different tools and have to dig deeper to find the truth.<br />
<br />
Although I often use a bunch of open source or free tools like Harlan’s <a href="http://regripper.wordpress.com/">RegRipper</a> or Mandiant’s <a href="http://www.mandiant.com/products/free_software/highlighter/">Highlighter</a> etc., having another full-featured forensic tool provides an additional layer of protection. Several times I have had a situation where the main tool would start crashing constantly, or be unable to process certain types of evidence in the middle of an examination. Sound familiar? When time is limited and the vendor’s technical support is slow or sometimes useless, having a backup tool ready to go is as good as gold.<br />
<br />
Selecting the right tools for different investigations requires good knowledge of the forensic tools in your arsenal. For example, Lotus Notes is very popular in the corporate environment, with over 140 million corporate licences sold worldwide. One would expect EnCase to work with NSF files and handle the e-mails quite well. You will need FTK, or some other solution, to handle Lotus Notes databases, because EnCase …. well, maybe EnCase 7 will do a better job. X-Ways Forensics can’t handle NSF at all. For the sake of completeness I should mention here that since Lotus Notes version 8.5, Databases are called Applications.<br />
<br />
Obviously one needs to be trained in using all of these tools, and this might not be economically feasible for small organisations or rookie examiners. In that case there are <a href="http://www2.opensourceforensics.org/">Open Source Resources/Tools </a>that each examiner must become proficient with and have ready to go. The new book by Cory Altheide and Harlan Carvey, <a href="http://www.amazon.com/Digital-Forensics-Open-Source-Tools/dp/1597495867">Digital Forensics with Open Source Tools</a>, should provide you with the necessary knowledge and insight.</div>
<br />
<b>Most computer forensic examiners Need Shrinks</b> (2011-06-05)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">Many computer forensic specialists sooner or later get exposed to potentially psychologically harmful material. Images or (worse) videos of people being tortured and killed, or of children being exploited and raped, are often encountered by forensic examiners. Some have only occasional exposure, and some have to work with such material constantly due to the nature of their work. The exposure causes all sorts of problems, from stress and loss of productivity to more serious psychological trauma.<br />
<br />
The above also applies to private and corporate forensic examiners, who often come across offensive images or videos by accident. What are the ways to minimise the negative impact of exposure to such material?<br />
<br />
<em>Prevention is better than cure.</em><br />
It is technically difficult to completely insulate all personnel from exposure. The only logical choice is to adequately prepare specialists for such situations by introducing mandatory introductory programs. These programs need to be specifically designed to deal with exposure to potentially harmful material and possible reactions to such exposure. Most importantly, <strong>new computer forensic specialists must be put through the program before they walk into the lab. </strong><br />
<br />
As part of an occupational health and safety, career longevity and work performance initiative, we are currently working with professional psychologists to develop such a program for our organisation. The program is going to be integrated into the Standard Operating Procedures (SOP) and will also include mandatory reporting, debriefing and follow-up. To minimise harmful effects, arrangements are being made with psychologists to conduct debriefing within the first 24 to 72 hours after the initial exposure.<br />
<br />
These procedures are designed to equip computer forensic personnel with the knowledge, skills and professional assistance to enable them to cope with exposure to offensive material. As an additional benefit, the program may also assist staff in dealing with other stressful situations. These steps are also designed to ensure productivity and retention of highly trained forensic specialists. <br />
<br />
</div>
<br />
<b>Oh mama - my iPhone is no longer secure!</b> (2011-05-26)<br />
<div dir="ltr" style="text-align: left;" trbidi="on"><div style="font-family: 'Helvetica Neue',Arial,Helvetica,sans-serif;"><span class="Apple-style-span" style="color: #353d43; font-size: large;"><span class="Apple-style-span">The ElcomSoft guys are offering "near-instant forensic access to encrypted information stored in iPhone devices", even if it's hardware-encrypted. Here is a <a href="http://www.elcomsoft.com/PR/eppb_110524_en.pdf">LINK</a> to the press release. Good job.</span></span></div><div style="font-family: 'Helvetica Neue',Arial,Helvetica,sans-serif;"><span style="font-size: large;"><br />
</span></div><div style="font-family: 'Helvetica Neue',Arial,Helvetica,sans-serif;"><span class="Apple-style-span" style="color: #353d43; font-size: large;">I hope it won't <a href="http://tech.slashdot.org/story/09/11/08/1340208/Microsoft-COFEE-Leaked">repeat</a> the fate of <a href="http://www.microsoft.com/industry/government/solutions/cofee/default.aspx">COFEE</a>.</span></div><div style="font-family: 'Helvetica Neue',Arial,Helvetica,sans-serif;"><span class="Apple-style-span" style="color: #353d43; font-size: large;"><span class="Apple-style-span">Relevant reading from ElcomSoft's blog: <a href="http://blog.crackpassword.com/2011/05/elcomsoft-breaks-iphone-encryption-offers-forensic-access-to-file-system-dumps/">link1</a> & <a href="http://blog.crackpassword.com/2011/05/extracting-the-file-system-from-iphone-ipad-ipod-devices/#more-1637">link2</a></span></span></div><span class="Apple-style-span" style="color: #353d43; font-family: Verdana,Arial,Helvetica,sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="color: #353d43; font-family: Verdana,Arial,Helvetica,sans-serif;"><br />
</span></div>
<br />
<b>DDoS on LiveJournal - turning crisis into opportunity.</b> (2011-04-09)<br />
<div dir="ltr" style="text-align: left;" trbidi="on"><br />
Developing an effective incident response procedure is crucial to minimising the impact of a security breach or DDoS attack. A good incident response plan not only helps secure the impacted infrastructure, but can also increase consumer loyalty. The recent DDoS attack on LiveJournal clearly called for public relations techniques, which did not appear to be applied in time.<br />
<br />
In the absence of information, the rumour mill takes over. Instead, an immediate and honest statement should clarify the known details, and the information should be updated frequently. The organisation must demonstrate commitment, and this will be appreciated by its customers. Where certain information cannot be released, it is important to offer an explanation. By doing this the organisation appears responsive and cooperative even if not a great deal of information has been released.<br />
<br />
The organisation must also educate all employees on the use of social media during the crisis and monitor Twitter, MySpace, Facebook and other social sites. Tracking and quickly responding to the relevant conversations should help uncover and defuse any potential crises in the making.<br />
<br />
While no organisation is immune to similar incidents, they do not necessarily have to turn into a disaster.<br />
<br />
</div>
<br />
<b>Accessing VMFS partitions</b> (2011-04-02)<br />
<div dir="ltr" style="text-align: left;" trbidi="on"><br />
VMware VMFS (Virtual Machine File System) is the file system used by VMware ESX and ESXi servers to store virtual machine disk images (.VMDK) and snapshots. The VMDK (Virtual Machine Disk) files are equivalent to real hard drives, except that they are virtual. Many forensic tools, including EnCase, can analyse VMware (.vmdk) files or mount them (FTK Imager, Mount Image Pro etc.). The problem is getting the VMDK files out of VMFS without an ESX or ESXi infrastructure. There are several solutions to this problem. <br />
<br />
The <a href="http://code.google.com/p/vmfs/">Open Source VMFS Driver</a> was written by fluidOps in Java; it's free and allows read-only access to files located on VMFS partitions from many operating systems, including Windows. Java version 6 is required to run it. All you need is to mount the E01 image containing the VMFS partition with your favourite tool. I used to love Mount Image Pro and SmartMount, but people change. I am using FTK Imager v3 now for obvious reasons: it doesn't cost me anything and there is no pain with dongles or registrations.<br />
<span xmlns=""><br />
</span><br />
<span xmlns="">Mount TYPE is<b> PHYSICAL</b>. </span><br />
<span xmlns=""><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivZihX7gVLuwUVFSMfxL8kMRAXmXj3EpnEd0ewuJQyaBcyTTomYB6MeVIvdNRC_iewGa4ffo9CGwsQRo5qtXHf_f_FPRJYgZ__rT_gn_YCuEpErBFF6KA75eFYMmfQZDsgYMFJNNdbITQb/s1600/Untitled.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="394" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivZihX7gVLuwUVFSMfxL8kMRAXmXj3EpnEd0ewuJQyaBcyTTomYB6MeVIvdNRC_iewGa4ffo9CGwsQRo5qtXHf_f_FPRJYgZ__rT_gn_YCuEpErBFF6KA75eFYMmfQZDsgYMFJNNdbITQb/s400/Untitled.jpg" width="400" /></a></div><br />
<br />
Running the following command should get you into the partition via the WebDAV interface, where PhysicalDrive4 is the drive number Windows assigned to the mounted image: <b style="mso-bidi-font-weight: normal;"><span style="font-family: Calibri,sans-serif; font-size: 11pt;">C:\vmfs_r95>java -jar fvmfs.jar \\.\PhysicalDrive4 webdav</span></b><br />
<span xmlns=""><b style="mso-bidi-font-weight: normal;"><span style="font-family: Calibri,sans-serif; font-size: 11pt;"><br />
</span></b></span><br />
<span xmlns="">Next, navigate to <a href="http://localhost:50080/vmf">http://localhost:50080/vmf</a> and you should see the VMDK files you were after.</span><br />
<b>Correction:</b> <i><span style="font-size: x-small;">I forgot to put an "s" at the end of the above address. The correct address would be </span></i><a href="http://localhost:50080/vmfs">http://localhost:50080/vmfs</a> <i><span style="font-size: x-small;">Thanks Tim for pointing this out.</span></i><br />
<br />
<span xmlns="">The world isn't perfect though, and you may run into a couple of problems:</span><br />
<span xmlns=""><br />
</span><br />
<span xmlns=""><b>Problem 1:</b></span><br />
<span xmlns="">You may get an error similar to this:</span><br />
<span xmlns=""><i>Exception in thread "main" java.io.IOException: VMFS FDC base not found</i></span><br />
<span xmlns=""><i>at com.fluidops.tools.vmfs.VMFSDriver.openVmfs(VMFSDriver.java:1180)</i></span><br />
<span xmlns=""><i>at com.fluidops.tools.vmfs.VMFSTools.cli(VMFSTools.java:225)</i></span><br />
<span xmlns=""><i>at com.fluidops.tools.vmfs.VMFSTools.main(VMFSTools.java:492)</i></span><br />
<span xmlns=""><br />
</span><br />
<span xmlns=""><b>Problem 2:</b></span><br />
<span xmlns="">There are several partitions inside your E01 image; some of them could be FAT12 "Hypervisor" partitions, which is enough for the fluidOps driver to give up on you.</span><br />
<br />
<span xmlns="">There are several ways of getting inside, however. In my case I happened to have VMware Workstation installed on my machine, and one of the guest operating systems was Ubuntu 10.10. I added the hard disk <i>(<span style="font-family: Calibri;">PhysicalDrive4)</span></i> to my Linux guest OS and started it.</span><br />
<span xmlns=""><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2LgWzMSnqBai6rjvfsnvnrk1uV8BUTy8jV_wa5IUD_z6Z40AtaEefyVCqQSFJ2XvzRJ-vTLo4uMqoH-B_7E_oosVooSGL2-rFv0d93EmpR9kfuwgjY2hieFqhXj48aD-4gnSujza9aJKW/s1600/Untitled1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2LgWzMSnqBai6rjvfsnvnrk1uV8BUTy8jV_wa5IUD_z6Z40AtaEefyVCqQSFJ2XvzRJ-vTLo4uMqoH-B_7E_oosVooSGL2-rFv0d93EmpR9kfuwgjY2hieFqhXj48aD-4gnSujza9aJKW/s400/Untitled1.jpg" width="400" /></a></div><br />
<br />
<a href="http://glandium.org/projects/vmfs-tools/">vmfs-tools</a> is yet another tool, which is "originally loosely based on the vmfs code from fluidOps" and allows read-only access to VMFS file systems from non-ESX/ESXi hosts.<br />
<br />
<span xmlns="">In Linux I installed vmfs-tools by running <b>sudo apt-get install vmfs-tools</b> and then listed the partition table with <b>sudo fdisk -l</b></span><br />
<span xmlns=""><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCn-eiQW5UFvo4aeSZX-Ir_aj6hYTLphbAdEwPIMz9c_eD37nnwljR75b3mAL7aJm4y2nvDFmrfTzem9KU7TJ5Yl96YD6-S6vnvP6MB4xeTkl9UiewkLQzuyYTdimkUIOndAXo_dlQ9Dlg/s1600/Ubuntu.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCn-eiQW5UFvo4aeSZX-Ir_aj6hYTLphbAdEwPIMz9c_eD37nnwljR75b3mAL7aJm4y2nvDFmrfTzem9KU7TJ5Yl96YD6-S6vnvP6MB4xeTkl9UiewkLQzuyYTdimkUIOndAXo_dlQ9Dlg/s400/Ubuntu.jpg" width="400" /></a><span xmlns=""></span></div><span xmlns=""><br />
</span><br />
<span xmlns="">The above shows that the VMFS file system is located on /dev/sdb3.<br />
</span><br />
<span xmlns="">The next step is to create a mount point and mount the VMFS partition with vmfs-fuse: </span><br />
<span xmlns=""><b>mkdir /home/a/Desktop/system</b> and <b>vmfs-fuse /dev/sdb3 /home/a/Desktop/system</b></span><br />
<span xmlns="">and then list what's inside with <b>ls -alh</b></span><br />
<span xmlns=""><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeiYsqmAjQAJ2wOuo0iIrKWx461rgdkSTUrn5Xo8_oD6tss7yEL47YRguE-3I7TjfWoEBi0RRzvSWXj05-3HEmzawQqmi25mjWENLnBpPH7-CLUIpytSu6F-sNNrc_SKZKpSM2isCzGu_G/s1600/Ubuntu-2011-04-01-19-29-10.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeiYsqmAjQAJ2wOuo0iIrKWx461rgdkSTUrn5Xo8_oD6tss7yEL47YRguE-3I7TjfWoEBi0RRzvSWXj05-3HEmzawQqmi25mjWENLnBpPH7-CLUIpytSu6F-sNNrc_SKZKpSM2isCzGu_G/s400/Ubuntu-2011-04-01-19-29-10.png" width="400" /></a><span xmlns=""><br />
</span></div><span xmlns=""><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg95YVufmHxgPyaZe6fdhyWlfyf1xn98NNFnfcJNBqAf0t8Zt4nwjrWJDmuwvfu3FKqIkIun2kNGDDdlFPikPwTAak0j16iAfMpCNzPV4YGt6MhI9RqyOU3YALvk0oI3imulnFIB6vBgAWc/s1600/Ubuntu-2011-04-01-19-29-48.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg95YVufmHxgPyaZe6fdhyWlfyf1xn98NNFnfcJNBqAf0t8Zt4nwjrWJDmuwvfu3FKqIkIun2kNGDDdlFPikPwTAak0j16iAfMpCNzPV4YGt6MhI9RqyOU3YALvk0oI3imulnFIB6vBgAWc/s400/Ubuntu-2011-04-01-19-29-48.png" width="400" /></a></div><br />
<span xmlns=""><br />
</span><br />
<span xmlns="">I then connected a 1TB USB Seagate FreeAgent Go drive to the virtual machine and copied the files for further analysis. DONE.</span><br />
<span xmlns=""><br />
</span><br />
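The Linux half of the procedure above (fdisk, vmfs-fuse, copy the .vmdk files off) as one script. This is an added example, not code from the original post or from vmfs-tools: it picks the VMFS partition(s) out of <b>fdisk -l</b> output instead of reading it by eye, mounts each with vmfs-fuse, hashes every .vmdk in place and checks the hashes again on the copies, so the collection is verifiable. The device name, mount point, output directory and the sample fdisk listing are assumptions constructed for the example.<br />

```shell
#!/bin/sh
# Added example (not from the original post): find VMFS partitions on an
# attached evidence disk, mount each read-only with vmfs-fuse (vmfs-tools
# is read-only by design), hash and copy the .vmdk files, re-verify.

# Constructed `fdisk -l` output modelled on an ESXi 4.x MBR install disk:
# boot, bootbank and scratch FAT partitions, a VMKCORE partition and one
# VMFS datastore. Device name and sizes are made up for this example.
SAMPLE_FDISK='Disk /dev/sdb: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1           1        4080    4  FAT16 <32M
/dev/sdb2               2         512     4104000    6  FAT16
/dev/sdb3             513       60801   484320000   fb  VMware VMFS
/dev/sdb4               1           1        4080    5  Extended
/dev/sdb5               1           1        4080    6  FAT16
/dev/sdb7               1           1        4080   fc  VMware VMKCORE'

# Print the device node of every partition fdisk reports as "VMware VMFS"
# (MBR partition type 0xfb). Matching the System column by text rather than
# by field number copes with the optional "*" in the Boot column. Reads the
# fdisk text on stdin so it can be exercised without a real disk.
find_vmfs_partitions() {
    awk '/^\/dev\// && /VMware VMFS/ { print $1 }'
}

# Mount one VMFS partition, hash the virtual disk files in place, copy them
# out preserving the datastore directory layout, then re-check the hashes on
# the copies before unmounting. Needs root for raw access to the device.
collect_vmdks() {
    part="$1"; mnt="$2"; out="$3"
    mkdir -p "$mnt" "$out" || return 1
    vmfs-fuse "$part" "$mnt" || return 1
    # -flat.vmdk, -delta.vmdk (snapshots) and descriptor files all match *.vmdk
    ( cd "$mnt" && find . -type f -name '*.vmdk' -exec sha256sum {} + ) > "$out/vmdk-hashes.txt"
    ( cd "$mnt" && find . -type f -name '*.vmdk' -exec cp --parents -p {} "$out" \; )
    rc=0
    ( cd "$out" && sha256sum -c --quiet vmdk-hashes.txt ) || rc=1
    fusermount -u "$mnt"
    return $rc
}

# Usage (as root): sh vmfs-collect.sh /dev/sdb /mnt/vmfs /evidence/case01
# Caveat: ESXi 5 and later put VMFS on GPT disks, which old fdisk will not
# list this way; there `parted -s /dev/sdb print` or a recent `blkid`
# (TYPE="VMFS_volume_member") finds the partition, and vmfs-fuse is then
# used exactly as above.
if [ $# -eq 3 ]; then
    for p in $(fdisk -l "$1" | find_vmfs_partitions); do
        collect_vmdks "$p" "$2" "$3" || exit 1
    done
fi
```

For a datastore spanned over several extents, vmfs-fuse takes all the extent devices before the mount point; the hashing and copy steps are unchanged.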
<span xmlns="">P.S. Paul Henry did a good write-up on a similar subject <a href="http://computer-forensics.sans.org/blog/2010/09/28/digital-forensics-copy-vmdk-vmware-virtual-environment/"> here</a>.</span></div>ecohttp://www.blogger.com/profile/16825754912128465389noreply@blogger.com4tag:blogger.com,1999:blog-6259255761169812061.post-31030960421524210012011-01-22T00:29:00.004+11:002011-01-22T00:31:57.605+11:00GPU password cracking.<div dir="ltr" style="text-align: left;" trbidi="on"><span class="Apple-style-span" style="font-family: inherit;"><span class="Apple-style-span" style="line-height: 16px;">GPU acceleration has been used to crack passwords for some time now. This is due to the GPU's parallel layout, which is a great deal better at large-scale mathematical operations than an ordinary CPU. Before, there was only nVidia with its CUDA SDK. I must admit that while I was building the lab and doing lots of administrative work, I totally missed the arrival of AMD’s Stream SDK. It appears that ATI Radeon cards are much faster at crunching the numbers, in some cases 10 times faster, and software developers are quickly adding support for ATI cards. I </span><span class="Apple-style-span" style="line-height: 16px;">just discovered a nice <a href="http://blog.crackpassword.com/">blog</a> on password cracking by Vladimir Katalov from ElcomSoft. The blog is very informative and a good read. 
The author mentioned that a</span><span class="Apple-style-span" style="line-height: 16px;"> new version of Elcomsoft Phone Password Breaker, for example, already supports both nVidia and ATI cards, achieving speeds of around "7,000 passwords per second on NVIDIA GeForce GTX 580, and about 20,000 passwords per second on ATI Radeon HD 5970".</span></span></div>ecohttp://www.blogger.com/profile/16825754912128465389noreply@blogger.com1tag:blogger.com,1999:blog-6259255761169812061.post-41894702379013220912010-12-15T07:09:00.003+11:002010-12-17T07:21:47.625+11:00Sleuthkit 3.2.0 on Ubuntu 10.10Some time ago I wrote a short "<a href="http://digfor.blogspot.com/2009/04/sleuth-kit-and-autopsy-on-ubuntu.html">how-to</a>" on installing the Sleuthkit on Ubuntu. Recently I tried to install the latest Sleuthkit 3.2.0 on Ubuntu 10.10 (32-bit) and ran into a problem when compiling it. It took me some time to figure out how to get it working.<br />
<br />
<b>Step 1:</b><br />
<br />
sudo apt-get install libewf1 libewf-dev zlib1g-dev build-essential libexpat1-dev libfuse2 libfuse-dev fuse-utils gvfs-fuse libncurses5-dev libreadline-dev uuid-dev libssl-dev<br />
<br />
<b>Step 2:</b><br />
<br />
Download and extract <a href="http://afflib.org/downloads/afflib-3.6.4.tar.gz">afflib 3.6.4 </a><br />
In a terminal, go to the extracted directory and run the usual<br />
./configure<br />
make<br />
sudo make install <br />
<br />
<br />
<b>Step 3:</b><br />
<br />
Download <a href="http://sourceforge.net/projects/sleuthkit/files/sleuthkit/3.2.0/sleuthkit-3.2.0.tar.gz">Sleuthkit 3.2.0</a> and extract it. Next I had to apply a quick fix by adding an LDFLAGS link option to the <b>configure.ac</b> file located inside the extracted <b>sleuthkit-3.2.0</b> directory. Adding the following line <b>LDFLAGS="$LDFLAGS -lsqlite3 -lpthread -ldl" </b>seems to fix the problem.<br />
<b><br />
</b><br />
I then navigated to the sleuthkit-3.2.0 directory in a terminal and ran<b><br />
</b><br />
./configure<br />
make<br />
sudo make install<b></b><br />
<b><br />
</b><br />
<b>DONE</b><br />
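The three steps above as one re-runnable script. This is an added example, not code from the original post or from the Sleuth Kit project. It uses the package names and download links given in the post; the place where the LDFLAGS line is inserted (directly after AC_INIT) is my choice, since the post does not say where in configure.ac it went, and libsqlite3-dev is added to the package list on the assumption that -lsqlite3 links the system SQLite library. Editing configure.ac only takes effect once configure is regenerated (automake's rebuild rules usually run autoconf during make when configure.ac is newer than configure), so the script also passes the same flags on the configure command line, which works even when nothing regenerates configure.<br />

```shell
#!/bin/sh
# Added example (not from the original post): build afflib 3.6.4 and
# Sleuth Kit 3.2.0 on Ubuntu 10.10 with the LDFLAGS fix applied once.

LDFLAGS_FIX='LDFLAGS="$LDFLAGS -lsqlite3 -lpthread -ldl"'

# Insert the LDFLAGS line into configure.ac right after AC_INIT, exactly
# once: a second run finds the line already present and leaves the file
# alone, so the script can be re-run after a failed build.
patch_configure_ac() {
    f="$1"
    if grep -qF -- "$LDFLAGS_FIX" "$f"; then
        return 0
    fi
    awk -v add="$LDFLAGS_FIX" '{ print } /^AC_INIT/ && !done { print add; done = 1 }' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Steps 1 to 3 from the post. libsqlite3-dev is an addition (assumption:
# needed for -lsqlite3 to resolve when the system SQLite is linked).
build_sleuthkit() {
    set -e
    sudo apt-get install -y libewf1 libewf-dev zlib1g-dev build-essential libexpat1-dev \
        libfuse2 libfuse-dev fuse-utils gvfs-fuse libncurses5-dev libreadline-dev \
        uuid-dev libssl-dev libsqlite3-dev
    wget -c -O afflib-3.6.4.tar.gz http://afflib.org/downloads/afflib-3.6.4.tar.gz
    tar xzf afflib-3.6.4.tar.gz
    ( cd afflib-3.6.4 && ./configure && make && sudo make install )
    wget -c -O sleuthkit-3.2.0.tar.gz \
        http://sourceforge.net/projects/sleuthkit/files/sleuthkit/3.2.0/sleuthkit-3.2.0.tar.gz
    tar xzf sleuthkit-3.2.0.tar.gz
    patch_configure_ac sleuthkit-3.2.0/configure.ac
    # Passing the flags here too makes the fix effective even if configure
    # is never regenerated from the edited configure.ac.
    ( cd sleuthkit-3.2.0 && ./configure LDFLAGS="-lsqlite3 -lpthread -ldl" && make && sudo make install )
    sudo ldconfig
    mmls -V   # prints the installed Sleuth Kit version if the build worked
}

# Usage: sh build-tsk.sh build
if [ "${1:-}" = "build" ]; then
    build_sleuthkit
fi
```

Without the <b>build</b> argument the script only defines the functions, so <b>patch_configure_ac</b> can be tried on a copy of configure.ac first.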
<b><br />
</b>ecohttp://www.blogger.com/profile/16825754912128465389noreply@blogger.com5