Digital forensics - ucilnica.fri.uni-lj.si

DigitalforensicsAndrejBrodnik

AndrejBrodnik:DigitalForensics

Computer

chapter 15• pre-knowledge:

• architectureofcomputers• basics(BIOS)• operatingsystem• secondarymemory(disc)anditsorganization• filesystems


Startup

• startupsteps• BIOS(BasicInputOutputSystem)

• OpenFirmware(MacPowerPC),EFI(MacIntel),OpenBootPROM(Sun),…

• POST(PowerOnSelfTest)

• theoperatingdataarestoredinxROM• sometimesthepasswordprotectsthedata– passwordisenteredbytheuser


Startup…

• exampleMoussawi:

Thecomputerhasbeenshutdownforaverylongtimeandthebatteryonthemotherboardhasbeenemptied

• howthedataisencrypted• ASCII,...• Little/bigendian

• Whathappensifyoutakedisctoanothercomputer


Fileformat

• atthebeginningallfileshavetheiruniquesignatures(www.garykessler.net/library/file_sigs.html)• jpg:FFD8FFE0 orFFD8FFE3• gif:474946383761 or47 4946383961• doc:D0CF11E0A1B11AE1


Fileformat- example

• jpegencodedexif(Exchangeableimagefileformat)file


Fileformat

• thefilecanbeembeddedinanotherfile• findthefile• itcanbelabeledandcopied(copy-paste)• orusetooldd

• thisprocedureiscalled carving• othertools:

• scalpel(http://www.digitalforensicssolutions.com/Scalpel/),DataLifter(http://www.datalifter.com/)• EnCase (http://www.guidancesoftware.com/forensic.htm),FTK(ForensicToolkit,http://accessdata.com/products/computer-forensics/ftk),X-Ways(http://www.x-ways.net/)


Curving

• intheend,weonlygetcontentandnotmetadatafromthedirectory• Theotherproblemisthatthedatacanbescatteredthroughthedisk

• Adroit(http://digital-assembly.com/products/adroit-photo-forensics/)


Fileformat- challenge

• Challenge:Embedonefileintheanotherfileandpublishthatontheforum.Theothercolleaguesshouldfindtheembeddedfileandextractitusingtoolslikedd orsomeothertoolsmotioneditthepreviousslides.• Challenge:Dividethefileintomorepiecesandinserteachoneintoanotherfileandpostitallintheforum.Letyourcolleaguesreconstructyourdistributedpieces.


Datastorageandhiding

• theI/Ounitsareconnectedtothecomputervia:• bas (IDE,ATA,SATA;SCSI,firewire)• interface(controller)

• theinterfacescanalsobesmart• SMART(Self-Monitoring,Analysis,andReportingTechnology)• keepaccessstatistics andothersimilardata• usuallyarenotrelevantforforensicresearch



• usuallywestoredatapermanentlyonadisk• Whatdoestheharddrivelooklike?



• howisthediskorganized?• spindle,platter,cylinders,tracks,sectors,cluster

• atthefirstsectorarecontroldata (MBR,masterbootrecord)• size(geometry),blocks,partitions,...

• whatorganizationinSSDlookslike?



• Challenge:findtheanadisk toolandseewhatitknowsandcando.• Challenge:whatistheMBRstructure?BuildyourMBRandpostitintheforum..



• lookattheWindows95bootsectorwiththeNortonDiskUtils tool



• simplifiedorganizationofthediskwiththeFATfilesystem



• partition,volume,sector• insidethefilesystem• canalsobewithoutthefilesystem



• hidingdataduetointernalandexternalfragmentation:• hidingwithinacluster• hidingwithinthepartition(partitionsusuallybeginatthebeginningofthetrace)• hidingpartition

• partitionencryption• servicedata:DCO(Drive/deviceconfigurationoverlay)and HPA(Host/hiddenprotectedarea)–http://www.forensicswiki.org/wiki/DCO_and_HPA



• thevirusishiddenintheemptypartitionvolume(volumeslack)



• whenfileisdeleted,datadoesnotdisappear• evenwhenweformatthedisk,thedatadoesnotdisappear

• takealookatthetoolfdisk• theresultofbothoperationsiscorrectfilesystemandaclusterofemptyblocks• tools:sleuthkit (http://www.sleuthkit.org/),NortonDiskEdit,…



• AnexampleofthereconstructionoffilesonafreshlyformatteddiskwiththeEnCase tool



• Challenge:SeewhattheMBRandbootsectoronyourcomputerlookslikewithanappropriatetool.Reportaboutthisontheforum.• Challenge:Checktheconfigurationofyourdrive.



• hidingpartitions• tool TestDisk(http://www.cgsecurity.org/)

• atfilelevel• hidingfiles:e.g. MSWindows:attrib+H indir/AH• parlament.jpg->test.exe• picturein.ppt pres.

• thelatesttools


Passwordsandencryption

• toolsforbreakingandsearchingpasswords• PasswordRecoveryTool– PRTKinDistributedNetworkAttack– DNA(http://accessdata.com/products/computer-forensics/decryption)• JohntheRipper(www.openwall.com/john/)• CainandAbel(www.oxid.it/cain.html)• AdvancedArchivePasswordRecovery(www.elcomsoft.com/azpr.html)


Passwordsandencryption

• moreaboutencryptionandcryptographylater• someexamples

• tools caesar,rot13• supportforthe PGP• tool crypt


OSWindows

chapter 17• filesystems• datarecovery• notes(logfiles)• register• communicationtrails


OSWindows–filesystem

• twobasicfilesystemsFAT(FileAllocationTable)inNTFS(NewTechnologyFileSystem)

• FAT• developedfirstforharddisks(floppydisks)• FAT12,FAT16,FAT32


FilesystemFAT

• FATxx isalistofindexclustersinwhicheachfileisstored• xxmeansthenumberofbitsusedfortheindex• 12=212=4096,16=216=65.536,32=228=268.435.456


FilesystemFAT

• viewtherootofthefilesystemontheharddiskusingtheX-Waysprogram• keepsthecreationtimeandlastchangesbutonlythelastaccessdate


FAT


FilesystemFAT

• Challenge:SeeforyourselfwhattheFATlookslikeonyourdisk.Lookinparticularforthoseclustersthatareempty- theyarenotpartofanyfilesystem.


FilesystemNTFS

• amoremodernfilesystem• everythingisinfiles• thefileinformationisstoredinthesystemfile $MFT• directoryisonlyafile(Btreestructure)• isjournalandstorestransactionsoverafileinthesystemfile$LogFile

• supportsmultiplefilefunctionality• ACL(AccessControlList)

• betterprotected,sinceitstorescopiesoffilesystemdatainmultiplelocations($MFTMirr)


FilesystemNTFS


FilesystemNTFS

• Challenge:lookforjournalsinyourNTFSjournalsthatareempty(unused)andthenlookattheircontent.


NTFS– $MFT

• exampleofonerecordin$MFT• therecordconsistsofattributes,therecordisthesizeofthe1kB• ifthefileissmall,itisstoredintherecord• whentheflagisdeleted,thentherecordisreused


NTFS- searchfordata

• thereisaphysicalfilesize(cluster),logicalsize(directoryentry)andtheendofthefile(EOF)


NTFS– MFTrecord

• MFTrecordandthedifferencebetweensizes


NTFS- searchfordata

• Inonedirectorywecanhavemultiplefileswiththesamename


FilesystemNTFS

• Challenge:WhichClustersComposeYourFile?• Challenge:Findabusybutunusedpartofyourfile(onwhichclusters)andwhat'sinit.• Challenge:Whathappensifwemake1000files,thenwedelete1000andworkonit?


Timecodingforfiles

• FAT:1.1.1980+LLLLLLLMMMMDDDDDhhhhhmmmmmmsssss


Timecodingforfiles

• FILETIME• 64bitrecord• value=1.1.1600+number*100ns


NTFS- tracksfiles

• variousoperationshaveadifferentimpactontherecordedtimesinthedirectory(creation- CR,lastaccess- LA,lastchange- LC,recordchanged(NTFS)- RC):• movingthefileintoadirectory:itdoesnotaffectanything• movingthefiletoanotherdirectory:CR,LA,RC• copyfile(targetfile):CR,LA,RC• copy/paste:LA(*)• drag&drop:LA(*)• delete:LA,RC

• specialfeatures:• fileonastick,canbeviascp/...:CR >LC• whendeletingadirectory,fileinformationdoesnotchange


NTFS- tracksfiles...

• thecontentofofficefilescontainsmetadatafromthedirectory• Saveas:ifanexistingfileispicked,thedatainthefileisoverwrittenandnonewfileiscreatedinthedirectory

• printingfirstcopiesthefiletoaspecialdirectoryandthenprintsit• C:\Windows\Spool\Printers,C:\WinNT\System32\Spool\Printers• evenwhenweprintonlinecontent,etc.


NTFS- tracksfiles...

• Challenge:Findafilethathasacreationtimegreaterthanthetimeofthelastchange.• Challenge:Whatcanyousay,istheresuchafileonthesystemthathasthelastaccesstimesameathetimeofthecreation?• Challenge:WhatistheEMFprintingmethod?Whatisstoredintheprintfile(spooler)?


Datarecovery

• recoverdeletedfiles• varioustoolsthatcanrunonWinOS


� SleuthKitcombinedwithAutopsyBrowsercanevenbrowsethroughthebrowser(http://www.sleuthkit.org/autopsy/)

Datarecovery…

• Challenge:installsleuthkit andAutopsyBrowserandfindthelostfiles.


Datarecovery…

• searchingforlostfilesfromalargeunformedmound• sameascurving files


• tool DataLifter:looksforalostfilefromtwoemptyspacesandoneoftherestofthefilesystem

Datarecovery…

• ifasmallfileoverwriteslargerone,wecanreconstructmostofthelargerfiles


• enCase:anexampleofashoppingcartintheCDUniverse,foundintherestofthefilespace

Logfiles

• theoperatingsystem(dependingonthesettings)records• accesstoresources• appearanceanddeletionofresources,• errors,etc.

• saved on %systemroot%\system32\config (c:\winnt\...)• differentnotesindifferentfiles: Appevent.evt,Secevent.evt,Sysevent.evt


Logfiles

• Challenge:checktheformatoftheevt fileandcheckwhatisinthemandwhendidyouloggedintothesystem.


Register

• InWindowsOS,theprocessenvironmentvariablesaredefinedintheregisters• actually,thedataisstoredinthefiles(hives)inthesystemdirectory%systemroot%\system32\config• ntuser.dat foreachuseraccount

• filescanbeviewedwiththeWindowstool regedt32(EnCase,FTK,...)


Register

• Challenge:examinetheforensicvalueofthedataintheregistry.


Networktracking

• sometimesfromthesystemenvironment• whenconnecting,...

• mostlycomesdirectlyfromapplication• browsers,mailagents,...


NetworkTracking- Browsers

• history:• firefox-3 isstoringhistoryinthesqlitedatabases Places.sqlite• InternetExplorerstoreshistoryinthefile index.dat• toolsthatareavailabletosearchthroughthesedatabases:Oddesa(www.odessa.sourceforge.net)

• localcache• cookies


Browsers- Cookies

• exampleofcookiesinspectionin CookieView(www.digitaldetective.co.uk)


Browsers

• Challenge:Findoutwhatleftoversyoudohaveinyourcacheandcheckwithyourbrowsinghistory.• Challenge:Getafilefromyourfriend'sbrowserhistoryanddisassembleit.• Challenge:CheckoutwhatkindoftracesareleftbehindbytheIEbrowser,whatkindbytheMozillaandwhatkindbytheOpera.


E-mail

• Tracesdependonthemailagentweuse• sentandreceivedmails• summaryofIMAPmailbox

• contentthatisinteresting• textmailsonly• attachments(!)– MIMEformat


Otherprograms

• differentprogramsleavedifferenttraces• networksoftware

• accesstoothersystems• allowothersystemstoaccessinoursystem

• systemprogramsleavetracesintheregistry


Networkaccesstracking

• telnetaccessto acf2.nyu.edu


Date post:	14-Jan-2022
Category:	Documents
Upload:	others
View:	3 times
Download:	0 times

Digital forensics - ucilnica.fri.uni-lj.si

Documents