Cyber Check Manual Version 3.0

Introduction

Copyright © 2006, C-DAC, Resource Centre for Cyber Forensics- Trivandrum 1

1.0 Introduction

Breaking a law is generally considered a crime. Though this is a broad definition of crime, it is very difficult to define precisely what a crime is. Many attempts have been made to formulate an accurate definition, such as “an antisocial act,” or “a failure or refusal to live up to the standard of conduct deemed binding by the rest of the community,” or “some act or omission in respect of which legal punishment may be inflicted on the person who is in default whether by acting or omitting to act.” There are numerous examples of acts that have been considered crimes, like murder, burglary and theft, rape, forgery, etc.

All these crimes might have been committed for various reasons. Whatever the reasons, it is the duty and responsibility of the law enforcement agencies to book the criminal and protect society from such happenings. They resort to different methods of investigation and evidence collection to prove that a crime was committed. In the case of conventional crimes like murder or robbery, the investigating team inspects the scene of crime to collect evidence. They might look for a weapon, fingerprints, bloodstains, hair, etc., which act as clues for the identification of culprits. All these items are further analyzed using forensic methods to turn them into evidence.

Cyber forensics deals with the acquisition, authentication, analysis, preservation and documentation of evidence extracted from and/or contained in a computer system, computer network, computer media or computer peripheral.

Similar to conventional crimes and forensic analysis, crimes in the cyber world and their investigation and analysis form part of cyber forensics. Cyber crimes may be defined as those crimes involving computers as tools for committing crimes or computers as the targets of crimes. Document forgery, making fake currencies, sending threatening e-mails, etc., are examples of using computers as tools for committing cyber crimes, whereas unauthorized access into a computer system and deleting, modifying or stealing the information available on the system is an example of the computer as the target of the crime.

Analogous to conventional crime, in the case of cyber crime also, the investigating team has to collect evidence mainly from the computer system involved in the crime. One of the difficulties that the investigating team might face in collecting evidence is the absence of a definite scene of crime. This is because removal of a computer system from the actual scene of crime is very easy. Another difficulty is the absence of physical evidence except the computer system and its peripheral devices. Whatever evidence might be available as proof of committing a cyber crime will be stored in the storage devices of the system. Therefore, utmost care should be taken by the investigating officers while dealing with these devices. They should follow specially formulated procedures while seizing a computer system, to ensure that the contents of storage devices are not tampered with in any way. This is one of the basic requirements that has to be adhered to by all investigating officers.

As the probable evidence on the storage media is intangible, it can be analyzed only with software programs. Normal programs, which show only the contents of normal files, are of little use from the cyber forensic analysis point of view, because evidence that might reside in deleted files and special areas of the storage media is not reachable by normal programs. Special programs are required to look into these areas of storage media and extract evidence from them. These special programs for acquiring, authenticating and analyzing storage media as a whole are termed Cyber Forensic Tools.

CyberCheck

CyberCheck is a forensic analysis tool developed by C-DAC, Thiruvananthapuram, for analyzing the Evidence file acquired by the Imaging tool TrueBack (Forensic Imaging tool developed by C-DAC, Thiruvananthapuram). It is also capable of analyzing raw images generated by other Cyber Forensic Tools. The MD5 Hash Algorithm is used in CyberCheck for verifying data integrity. When loading, the software performs a self-integrity check on itself. If the CyberCheck Executable is corrupted, it will display a message notifying that the CyberCheck Executable is corrupted and analysis cannot continue, and further loading of the software will be terminated. It should be noted that CyberCheck performs the self-integrity check while loading the software itself; if the software is corrupted beyond loading, it may not be possible to load the software at all. In this case, the software may be considered as totally corrupted.

The main features of CyberCheck are:

- Standard Windows application.
- Self Integrity check.
- Minimum system configuration check.
- Analyses FAT12, FAT16 and FAT32, NTFS and Linux EXT2FS file system evidence files.
- User login facilities.
- Creates log of each analysis session and Analyzing officer’s details.
- Block by block data integrity verification while loading evidence file.
- Explorer type view of contents of the whole evidence file.
- Display of folders and files with all attributes.
- Show/Hide system files.
- Text/Hex view of the content of a file.
- Picture view of an image file.
- Gallery view of images.
- Graphical representation of the following views of an evidence file:
  - Disk View
  - Cluster View
  - Block View
  - Timeline View of:
    - All files
    - Deleted files
    - Time anomaly files
    - Signature Mismatched files
    - Files created within a time frame
- Single and Multiple Keyword search.
- Search with GREP expressions.
- Extraction of Disk, Partition, File and MBR Slacks.
- Exclusive search in slack space.
- Data recovery from deleted files and slack space.
- Exporting files, folders and slack content.
- Exporting folder structure including file names into a file.
- Exporting files on to an external viewer.
- Extraction of unused unallocated clusters and exclusion from search space.
- Extraction of lost clusters.
- Exclusive search in data extracted from lost clusters.
- Exporting Swap files.
- Exclusive search in data extracted from Swap files.
- File search based on extension.
- Exclusion of system files from search space.
- Local and Network preview of storage media.
- Book marking facility for data, files and folders.
- Mailbox viewer.
- Registry viewer.
- Expansion trigger at different levels of folder structure.
- Recovery of deleted partitions.
- Recovery of formatted media.
- Facility for analyzing raw images.
- Identification of encrypted & Password protected files.
- Identification of overwritten files.
- Unicode support.
- Indian Language support.
- Support for dynamic disk analysis.
- Customized hash set library creation.
- Support for scripting.
- Customization of File Signature Library.
- Facility for extracting ZIP files.
- Internet History Viewer.
- Facility to view metadata of Microsoft office files.
- Generation of analysis report with the following features:
  - Complete information of the evidence file system.
  - Complete information of partition and drive geometry.
  - Hash verification details.
  - User login and logout information.
  - Exported content of text file and slack information.
  - Includes picture file as image.
  - Customization of report.
  - Save report.
  - Print report.


2.0 File System Fundamentals

CyberCheck supports analysis of evidence files containing FAT12, FAT16, FAT32, NTFS, CDFS and EXT2FS file systems. This section explains fundamentals of different file systems.

Different secondary storage media in a computer are hard disks, floppy disks, CDs and new generation USB and other interface media like memory sticks, thumb drives, pen drives, etc.

2.1 FAT File System

DOS and Windows operating systems use this type of file system for data storage. FAT stands for File Allocation Table. Hard disks make use of the FAT16 or FAT32 file systems, while floppy disks use the FAT12 file system. Some of the fundamental parameters that are referred to in these file systems are explained below.

2.1.1 Sector

The sector is actually the smallest unit of storage on a computer storage device. A sector is really just a bunch of bits (4096 to be exact) stored as data on disk. Sectors are generally a power of 2 bytes in size. Thus, a “regular” disk sector is 512 bytes and a CD-ROM sector is 2048 bytes. Read/Write Optical drives commonly have sector length either 512, 1024 or 2048 bytes.

2.1.2 Clusters

All Microsoft operating systems rely upon the storage of data in fixed length blocks of bytes called clusters. Clusters are essentially groupings of sectors, which are used to allocate the data storage area in all Microsoft operating systems, i.e., DOS, Windows, Windows 95, Windows 98, Windows NT, Windows 2000 and Windows XP. Cluster size may vary from 1 to 128 sectors. The size varies depending on the size of the logical storage volume and the operating system involved.


2.1.3 File Chaining and FAT Cluster Allocation

The file allocation table (FAT) is used to keep track of which clusters are assigned to each file. The operating system (and hence any software applications) can determine where a file’s data is located by using the directory entry for the file and the file allocation table entries. Similarly, the FAT also keeps track of which clusters are open and available for use. When an application needs to create (or extend) a file, it requests more clusters from the operating system, which finds them in the file allocation table. There is an entry in the file allocation table for each cluster used on the disk. Each entry contains a value that represents how the cluster is being used. There are different codes used to represent the different possible statuses that a cluster can have. Every cluster that is in use by a file has in its entry in the FAT a cluster number that links the current cluster to the next cluster that the file is using. Then that cluster has in its entry the number of the cluster after it. The last cluster used by the file is marked with a special code that tells the system that it is the last cluster of the file; for the FAT16 file system this may be a number like 65,535 (16 ones in binary format). Since the clusters are linked one to the next in this manner, they are said to be chained. Every file (that uses more than one cluster) is chained in this manner. See the example that follows for more clarification. In addition to a cluster number or an end-of-file marker, a cluster’s entry can contain other special codes to indicate its status. A special code, usually zero, is put in the FAT entry of every open (unused) cluster. This tells the operating system which clusters are available for assignment to files that need more storage space. Another code is used to indicate “bad” clusters. These are clusters where a disk utility (or the user) has previously detected one or more unreliable sectors, due to disk defects. 
These clusters are marked as bad so that no future attempts will be made to use them. Accessing the entire length of a file is done by using a combination of the file’s directory entry and its cluster entries in the FAT. This is confusing to describe, so let’s look at an example. Let’s consider a disk volume that uses 4,096 byte clusters, and a file in the C:\DATA directory called “PCGUIDE.HTM” that is 20,000 bytes in size. This file is going to require 5 clusters of storage (because 20,000 divided by 4,096 is around 4.88).

OK, so we have this file on the disk, and let’s say we want to open it up to edit it. We launch our editor and ask for the file to be opened. To find the cluster on the disk containing the first part of the file, the system just looks at the file’s directory entry to find the starting cluster number for the file; let’s suppose it goes there and sees the number 12,720. The system then knows to go to cluster number 12,720 on the disk to load the first part of the file.

To find the second cluster used by this file, the system looks at the FAT entry for cluster 12,720. There, it will find another number, which is the next cluster used by the file. Let’s say this is 12,721. So the next part of the file is loaded from cluster 12,721, and the FAT entry for 12,721 is examined to find the next cluster used by the file. This continues until the last cluster used by the file is found. Then, the system will check the FAT entry to find the number of the next cluster, but instead of finding a valid cluster number, it will find a special number like 65,535 (special because it is the largest number you can store in 16 bits). This is the signal to the system that “there are no more clusters in this file”. Then it knows it has retrieved the entire file. Since every cluster is chained to the next one using a number, it isn’t necessary for the entire file to be stored in one continuous block on the disk. In fact, pieces of the file can be located anywhere on the disk, and can even be moved after the file has been created. Following these chains of clusters on the disk is done invisibly by the operating system so that to the user, each file appears to be in one continuous chunk of disk space.

2.1.4 File Deletion and Undeletion

As you use any PC, you will routinely create and delete files. Now, deleting a file means to erase it from the disk, which you would think means the file is destroyed. Naturally, you would only do this to files you no longer needed. However, in many circumstances, it is useful to be able to “undo” the results of deleting a file.


One of the advantages of the FAT file system is the ease with which it allows for files to be undeleted, because of the way that it deletes files. Contrary to what many people believe, deleting a file does not result in the contents of the file actually being removed from the disk. Instead, the system places the hex byte code E5h into the first letter of the file name of the file. This is a special tag that tells the system “this file has been deleted”. The space that was formerly used by the file is available for use by other files, but it is not cleared. It is just sort of “left there”. Over time, these “freed” clusters will eventually be reused by other files, as they request more space for storage. However, if you accidentally delete a file you can very often recover it if you act quickly. In DOS you can use the UNDELETE command. There are also third-party tools that will undelete files, such as Norton Utilities’ UNERASE. If you run one of these tools immediately, it can identify and recover the deleted files in a directory. You will have to provide the software with the missing first character of the file name (which was overwritten by the E5h code in that file’s directory entry when the file was deleted). The less work you do between the time the file is deleted and the time when you try to undelete it, the more likely you will be able to recover the file. If you delete a file on a system that is fairly full, and then start making many new files, some of the clusters formerly used by the deleted file may be reused, and their former contents lost. Obviously, if you defragment your disk or do some other large-scale disk work, you will most likely lose the contents of deleted files forever. Many operating systems have made deletion and undeletion less of an issue by integrating protection for erased files into the operating system itself. Newer Windows versions send all deleted files initially to a “Recycle Bin”, from which they can be restored if needed. These deleted files stay around for a while, in case you want to undelete them, and if they are in the Recycle Bin they can be restored to their former locations with no data loss. However, the size of the Recycle Bin is limited and eventually files will be permanently removed from it.


2.1.5 File Allocation Tables

The structure that gives the FAT file system its name is the file allocation table. In order to understand what this important table does, you must first understand how space on the hard disk is allocated under operating systems that use FAT family file systems (including DOS and most versions of Windows.)

Data is stored in individual 512-byte sectors on the hard disk. In theory, it is possible for each file to be allocated to a number of individual sectors, and this is in fact done for some file systems (such as HPFS). However, for performance reasons, individual sectors are not allocated to files in the FAT system. The reason is that it would take a lot of overhead (time and space) to keep track of pieces of files that were this small: a 10 GB disk partition has 20,000,000 sectors! The hard disk is instead broken into larger pieces called clusters, or alternatively, allocation units. Each cluster contains a number of sectors. Typically, clusters range in size from 2,048 bytes to 32,768 bytes, which corresponds to 4 to 64 sectors each.

The file allocation table is where information about clusters is stored. Each cluster has an entry in the FAT that describes how it is used. This is what tells the operating system which parts of the disk are currently used by files, and which are free for use. The FAT entries are used by the operating system to chain together clusters to form files.

The file allocation tables are stored in the area of the disk immediately following the volume boot sector. Each volume actually contains two identical copies of the FAT; ostensibly, the second one is meant to be a backup of sorts in case of any damage to the first copy. Damage to the FAT can of course result in data loss since this is where the record is kept of which parts of the disk contain which files. The idea behind the backup copy is that it could be used in the event that the primary becomes damaged.

In the conventional FAT system, however, the backup FAT doesn’t work too well. The problem is that the two copies are kept right next to each other on the disk, so that if, for example, bad sectors develop on the disk where the first copy of the FAT is stored, chances are pretty good that the second copy will be affected as well. Another problem is that disk utilities frequently duplicate the primary FAT to the backup FAT location. This means that any corruption that arises in the primary FAT may be duplicated to the backup copy before it is noticed.

Under FAT32, some improvements were made to the FAT backup scheme. First, either copy of the FAT can be designated the “primary” and either the “backup”. Second, the method by which the FAT is copied from the primary to the backup location can be disabled. The combination of these features allows the second FAT to be protected and used in the event of problems with the first.

2.1.6 FAT Sizes: FAT12, FAT16 and FAT32

The file allocation table stores information about the clusters on the disk in a table. There are three different varieties of this file allocation table, which vary based on the maximum size of the table. The system utility that you use to partition the disk will normally choose the correct type of FAT for the volume you are using, but sometimes you will be given a choice of which you want to use.

Since each cluster has one entry in the FAT, and these entries are used to hold the cluster number of the next cluster used by the file, the size of the FAT is the limiting factor on how many clusters any disk volume can contain. The following are the three different FAT versions now in use:

FAT12: The oldest type of FAT uses a 12-bit binary number to hold the cluster number. A volume formatted using FAT12 can hold a maximum of 4,086 clusters, which is 2^12 minus a few values (to allow for reserved values to be used in the FAT). FAT12 is therefore most suitable for very small volumes, and is used on floppy disks and hard disk partitions smaller than about 16 MB (the latter being rare today.)


FAT16: The FAT used for older systems, and for small partitions on modern systems, uses a 16-bit binary number to hold cluster numbers. When you see someone refer to a “FAT” volume generically, they are usually referring to FAT16, because it is the de facto standard for hard disks, even with FAT32 now more popular than FAT16. A volume using FAT16 can hold a maximum of 65,526 clusters, which is 2^16 less a few values (again for reserved values in the FAT). FAT16 is used for hard disk volumes ranging in size from 16 MB to 2,048 MB. VFAT is a variant of FAT16.

FAT32: The newest FAT type, FAT32 is supported by newer versions of Windows, including Windows 95’s OEM SR2 release, as well as Windows 98, Windows ME and Windows 2000. FAT32 uses a 28-bit binary cluster number, not 32, because 4 of the 32 bits are “reserved”. 28 bits is still enough to permit ridiculously huge volumes: FAT32 can theoretically handle volumes with over 268 million clusters, and will support (theoretically) drives up to 2 TB in size.
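As an added example (not code from the manual or from CyberCheck), the following Python decodes a cluster entry from each of the three table formats described above: 12-bit entries packed one and a half bytes apart, 16-bit entries, and 32-bit entries of which only the low 28 bits count. The sample tables are constructed; the EOF and bad-cluster marker values for FAT12 and FAT32 are the usual ones and follow the pattern of the FAT16 values the manual gives.

```python
import struct

# End-of-file and bad-cluster markers. The FAT16 values are the ones the manual
# lists (FFF7H bad, FFF8H-FFFFH EOF); FAT12 and FAT32 follow the same pattern.
EOF_MIN = {12: 0xFF8, 16: 0xFFF8, 32: 0x0FFFFFF8}
BAD = {12: 0xFF7, 16: 0xFFF7, 32: 0x0FFFFFF7}


def fat_entry(fat, n, bits):
    """Return the entry for cluster n from a raw FAT12, FAT16 or FAT32 table."""
    if bits == 12:
        # Two 12-bit entries are packed into three bytes, so entry n begins at
        # byte n + n//2; even entries use the low 12 bits of that 16-bit word,
        # odd entries the high 12 bits.
        off = n + n // 2
        word = fat[off] | (fat[off + 1] << 8)
        return (word >> 4) if n & 1 else (word & 0x0FFF)
    if bits == 16:
        return struct.unpack_from("<H", fat, 2 * n)[0]
    if bits == 32:
        # FAT32 stores 32 bits per entry but only 28 carry the cluster number.
        return struct.unpack_from("<I", fat, 4 * n)[0] & 0x0FFFFFFF
    raise ValueError("bits must be 12, 16 or 32")


def classify(value, bits):
    """Name what an entry means: free, bad, eof, or next (points at the next cluster)."""
    if value == 0:
        return "free"
    if value == BAD[bits]:
        return "bad"
    if value >= EOF_MIN[bits]:
        return "eof"
    return "next"


def decode_table(fat, bits, count):
    """Decode the first 'count' entries of a table as (cluster, value, kind) tuples."""
    return [(n, fat_entry(fat, n, bits), classify(fat_entry(fat, n, bits), bits))
            for n in range(count)]


def pack_fat12(entries):
    """Pack 12-bit entries into bytes (the inverse of fat_entry for bits=12);
    used here only to build the constructed sample table."""
    if len(entries) % 2:
        entries = list(entries) + [0]
    out = bytearray()
    for a, b in zip(entries[0::2], entries[1::2]):
        out += bytes([a & 0xFF, ((a >> 8) & 0x0F) | ((b & 0x0F) << 4), (b >> 4) & 0xFF])
    return bytes(out)


# Constructed samples: a file occupying clusters 2->3->4, with cluster 5 marked
# bad, on a floppy-style FAT12, on FAT16, and on FAT32 with junk in the
# reserved top 4 bits of two entries.
FAT12_SAMPLE = pack_fat12([0xFF8, 0xFFF, 3, 4, 0xFFF, 0xFF7, 0, 0])
FAT16_SAMPLE = struct.pack("<8H", 0xFFF8, 0xFFFF, 3, 4, 0xFFFF, 0xFFF7, 0, 0)
FAT32_SAMPLE = struct.pack("<8I", 0x0FFFFFF8, 0xFFFFFFFF, 0xF0000003, 0x50000004,
                           0x0FFFFFFF, 0x0FFFFFF7, 0, 0)

if __name__ == "__main__":
    for bits, table in ((12, FAT12_SAMPLE), (16, FAT16_SAMPLE), (32, FAT32_SAMPLE)):
        print("FAT%d:" % bits, decode_table(table, bits, 8))
```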

Here’s a summary table showing how the three types of FAT compare:


2.1.7 FAT File System Errors

As a result of how the FAT file system allocates space and chains files together, there are several common types of errors that can crop up over time. File system errors are occasionally the result of corruption on the disk that can have at its root a real hardware problem. These errors can therefore result from any system problem that can cause disk corruption, such as resource conflicts, bad drivers, etc. Far more often, however, file system problems occur as a result of a software problem. Program crashes, for example, often leave around clusters that had space allocated to them but not assigned to a file. A power failure on a PC running Windows will often result in one or more file system errors due to files not being closed properly. This is why you are always supposed to exit Windows before shutting down a PC. It is also why newer versions of Windows automatically scan the disk for errors when they start, if they detect that Windows ended without doing a proper file system shutdown. The following are the most common errors encountered on a FAT disk:

Lost Clusters: Virtually every user has come across this problem from time to time. Lost clusters are simply ones that are marked in the FAT as being in use, but that the system cannot link to any file. Every file consists of a series of clusters that can be traced by starting with the directory entry and following the linked list of clusters to the end of the file. Disk checking programs can scan an entire disk volume for lost clusters using the following procedure (or something similar to it):

1. Create a copy of the FAT in memory, noting all of the clusters marked as in use.

2. Starting at the root directory, trace through the clusters used by each file and mark them as “accounted for”, since they have been seen to be connected to a file. Then do the same for all the subdirectories of the root directory, and then their subdirectories, and so on.


3. When finished, every cluster that is marked in the FAT as in use should be accounted for. Any that are in use but not accounted for are “orphans” that don’t belong to any file: lost clusters.

Lost clusters are usually the result of interrupted file activity of some sort: a program will allocate some clusters to a file it is building, and if the file is not properly finished and closed, the clusters never get correctly linked to a file name. The program that detects lost clusters will usually give you the choice of clearing them (marking them as “available” and returning them to the pool of free clusters) or saving them as a file. In the latter case, the program generates an artificial file name and links the lost clusters to that name, so that a real file is formed. Usually this file will then be damaged in some way, but you can often at least see what this orphaned data was and in some cases, recover at least part of it.

Cross-Linked Files: On rare occasions, two files can end up pointing to the same data on the disk. Both files will have the starting cluster number in the directory entry pointing to the same cluster number. Alternately, one of the clusters in the middle of two or more cluster chains may point to the same place. Each time you use either of the cross-linked files, you will overwrite all or part of the other one. The only solution to this problem is to make new copies of each of the affected files. You will generally lose the contents of one or the other of the files (in fact, by the time you discover this problem, you have already lost the contents of at least one of them.) Often, both files will be lost and you will need to restore them from a backup.
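The following Python, added here as an example and not part of the manual or of CyberCheck, works through sections 2.1.3 and 2.1.4 and the lost-cluster procedure above on a constructed FAT16 table and directory: it chains a file from its directory entry to the EOF marker, recognises a deleted entry by its E5h first byte, and then runs the three-step scan to report lost and cross-linked clusters. The table layout, cluster numbers and file names are constructed for the example.

```python
import struct

# FAT16 special entry values as listed in the manual:
# 0000H free, FFF7H bad cluster, FFF8H-FFFFH end of file (EOF).
FREE = 0x0000
BAD = 0xFFF7
EOF_MIN = 0xFFF8
DELETED_MARK = 0xE5   # first byte of a deleted directory entry


def read_fat16(fat_bytes):
    """Decode a raw FAT16 region into a list of 16-bit little-endian entries."""
    return list(struct.unpack("<%dH" % (len(fat_bytes) // 2), fat_bytes))


def follow_chain(fat, start):
    """Walk the FAT from 'start' and return (clusters, status).

    status is 'ok' for a chain ending in an EOF marker, otherwise 'free',
    'bad', 'loop' or 'out-of-range' to say why the walk stopped early."""
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur >= len(fat):
            return chain, "out-of-range"
        if cur in seen:                 # a cycle: the chain never reaches EOF
            return chain, "loop"
        seen.add(cur)
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= EOF_MIN:
            return chain, "ok"
        if nxt == FREE:                 # chain runs into an unallocated cluster
            return chain, "free"
        if nxt == BAD:
            return chain, "bad"
        cur = nxt


def parse_dir_entry(raw):
    """Decode a 32-byte directory entry: 8.3 name, first cluster, size, deleted flag."""
    deleted = raw[0] == DELETED_MARK
    name = (b"?" + raw[1:8]) if deleted else raw[0:8]   # E5h overwrote the first letter
    name = name.rstrip() + b"." + raw[8:11].rstrip()
    first = struct.unpack_from("<H", raw, 26)[0]
    size = struct.unpack_from("<I", raw, 28)[0]
    return {"name": name.decode(), "first": first, "size": size, "deleted": deleted}


def find_lost_and_cross_linked(fat, entries):
    """Steps 1-3 of the manual's procedure: note every in-use cluster, mark those
    reached from live directory entries, report the rest as lost; a cluster
    reached from two different files is cross-linked."""
    in_use = {c for c in range(2, len(fat)) if fat[c] not in (FREE, BAD)}
    owner, cross = {}, set()
    for e in entries:
        if e["deleted"] or e["first"] == 0:
            continue
        chain, _ = follow_chain(fat, e["first"])
        for c in chain:
            if c in owner and owner[c] != e["name"]:
                cross.add(c)
            owner.setdefault(c, e["name"])
    return sorted(in_use - set(owner)), sorted(cross)


def make_entry(name, ext, first, size, deleted=False):
    """Build a constructed 32-byte directory entry (attributes and times left zero)."""
    raw = bytearray(32)
    raw[0:8], raw[8:11] = name.ljust(8).encode(), ext.ljust(3).encode()
    if deleted:
        raw[0] = DELETED_MARK
    struct.pack_into("<H", raw, 26, first)
    struct.pack_into("<I", raw, 28, size)
    return bytes(raw)


# Constructed 20-entry FAT16: PCGUIDE.HTM is 3->4->5, NOTES.TXT is 7->8,
# CROSSED.DAT starts at 10 and points into PCGUIDE's chain, 12->13 has no
# directory entry (lost), cluster 17 is marked bad, OLDFILE.DOC was deleted.
SAMPLE_FAT = struct.pack("<20H", 0xFFF8, 0xFFFF, 0, 4, 5, 0xFFFF, 0, 8, 0xFFFF, 0,
                         4, 0, 13, 0xFFFF, 0, 0, 0, 0xFFF7, 0, 0)
SAMPLE_DIR = b"".join([
    make_entry("PCGUIDE", "HTM", 3, 10000),
    make_entry("NOTES", "TXT", 7, 600),
    make_entry("CROSSED", "DAT", 10, 5000),
    make_entry("OLDFILE", "DOC", 15, 900, deleted=True),
])


def analyse(fat_bytes=SAMPLE_FAT, dir_bytes=SAMPLE_DIR):
    """Chain every live file, then run the lost/cross-linked cluster check."""
    fat = read_fat16(fat_bytes)
    entries = [parse_dir_entry(dir_bytes[i:i + 32]) for i in range(0, len(dir_bytes), 32)]
    chains = {e["name"]: follow_chain(fat, e["first"]) for e in entries if not e["deleted"]}
    lost, cross = find_lost_and_cross_linked(fat, entries)
    deleted = [e["name"] for e in entries if e["deleted"]]
    return {"chains": chains, "lost": lost, "cross_linked": cross, "deleted": deleted}


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```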

Invalid Files or Directories: Very rarely, the internal structures of files or directories can become damaged so that some entries no longer follow the “rules” for how a file or directory is supposed to be laid out. An example would be a directory that doesn’t have a pointer to its parent directory, or a file that has an invalid start cluster. Sometimes files get assigned an invalid date or time by a buggy piece of software. These problems can usually be fixed by the disk scanning software.

Allocation or FAT Errors: Occasionally the entries in the FAT can become corrupted or set to invalid values. Again, most disk-checking utilities will detect and correct these sorts of problems on the fly.


2.1.8 FAT Partition Efficiency: Slack

One issue related to the FAT file system that has gained a lot more attention over the years is the concept of slack, which is the colloquial term used to refer to wasted space due to the use of clusters for storing files. Since files are always allocated whole clusters, this means that on average, the larger the cluster size of the volume, the more space that will be wasted. (When collecting rain water, it’s more efficient to use smaller, cup-sized bottles instead of quart-sized ones, if minimizing the amount of storage space is a concern.) If we take a disk that has a truly random distribution of file sizes, then on average each file wastes half a cluster. (They use any number of whole clusters and then a random amount of the last cluster, so on average half a cluster is wasted.) This means that if you double the cluster size of the disk, you double the amount of storage that is wasted. Storage space that is wasted in this manner, due to space left at the end of the last cluster allocated to the file, is commonly called slack. Every disk or hard disk that has been formatted with the FAT system is built as follows:

The file system consists of a number of special areas of the disk set aside for organization when the disk is formatted: the master boot record, the partition table, the boot record, the file allocation table (from which the FAT system takes its name), and the root directory. At a low level, disks are organized into 512 byte groups called sectors. The FAT system allocates space for files using a unit called a cluster, made up of an integral number of sectors.

A boot record is a sector, which contains code that is executed by the computer. The master boot record is the first boot record that the computer executes when it accesses the hard disk. Additionally a boot record contains important information about the FAT file system, e.g. the cluster size and the positions of the file allocation table, data area and the root directory.

The file allocation table (FAT), located behind the boot record, is a database that associates clusters of disk space with files. It has one entry (each 12, 16 or 32 bits) for each cluster. Because the first two entries are reserved for the file system, the third entry and those following are assigned to clusters of disk space (data area). Files saved in the data area are not necessarily stored contiguously, and therefore the operating system has to know where a complete file is located in the data area. That is the task of the FAT. For any cluster that is used by a file but is not the file’s last cluster, the FAT entry contains the number of the next cluster used by the file. When a program asks the operating system (OS) to provide the content of a file, the OS has to read the first cluster of the file. It then looks at the corresponding first cluster entry in the FAT and knows the next cluster number where the file continues. Now it reads the associated cluster in the data area. After this cluster is also completely read, the OS repeats this method until the whole file is read. This way of organizing a file is called the FAT chain. FAT entries may contain a few special values to indicate that the cluster is free, that is, not in use by a file (0000H for FAT16); that the cluster contains one or more sectors that are physically damaged and should not be used (FFF7H for FAT16); or that the cluster is the final cluster in a file (FFF8H-FFFFH for FAT16), also called End Of File (EOF).

Figure 2.1.8.1 – FAT File System Structure


But how does the OS know what files are on the disk and where to find the first cluster of those files? That is the purpose of the directory entries, which are also stored in the data area. Each directory entry has a size of 32 bytes and includes information about the file or directory name, size, first cluster number and its attributes.

2.1.8.1 File Slack

Files are created in varying lengths depending on their contents. DOS, Windows and Windows NT-based computers store files in fixed length blocks of data called clusters. Rarely do file sizes exactly match the size of one or multiple clusters perfectly. The data storage space that exists from the end of the file to the end of the last cluster assigned to the file is called “file slack”.

2.1.8.2 RAM Slack

The space from the end of file to the end of the containing sector is called RAM Slack.

2.1.8.3 Logical File Size

All file systems keep track of the exact size of a file in bytes. This is the logical size of the file and this is the number we can see in the properties for a file.

2.1.8.4 Physical File Size

The physical size of a file is the amount of space that the file occupies on the disk. A file or folder occupies a whole number of clusters, even if it does not completely fill that space. Therefore, even if a file has a logical size of only ten bytes, its physical size is one cluster.
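The following Python script is an added worked example; it is not part of this manual and not code from CyberCheck. It decodes a small, constructed FAT16 table, follows a cluster chain while refusing entries that are free, bad, out of range or looping (each a sign of corruption that a forensic tool must report rather than silently follow), and computes the physical size, file slack and RAM slack defined in the sections above from the logical size a directory entry would give. The sector and cluster sizes, the FAT contents and the "OLD" residue left in the data area are all constructed for the illustration.

```python
import math
import struct

# FAT16 special entry values described in the text above
FAT16_FREE = 0x0000
FAT16_BAD = 0xFFF7
FAT16_EOF_MIN = 0xFFF8          # 0xFFF8..0xFFFF: last cluster of a file


def parse_fat16(raw: bytes) -> list:
    """Decode a raw FAT16 table (little-endian 16-bit entries) into a list."""
    return list(struct.unpack("<%dH" % (len(raw) // 2), raw))


def follow_chain(fat: list, first_cluster: int) -> list:
    """Walk the FAT chain from first_cluster and return the ordered cluster
    numbers.  Refuses chains that reach a free or bad cluster, leave the
    table, or loop back on themselves."""
    chain, seen, cluster = [], set(), first_cluster
    while True:
        if cluster < 2 or cluster >= len(fat):
            raise ValueError(f"cluster {cluster:#06x} is outside the FAT")
        if cluster in seen:
            raise ValueError(f"FAT chain loops back to cluster {cluster:#06x}")
        seen.add(cluster)
        chain.append(cluster)
        entry = fat[cluster]          # the entry for a cluster describes that cluster
        if entry >= FAT16_EOF_MIN:    # EOF marker: the chain is complete
            return chain
        if entry == FAT16_FREE:
            raise ValueError(f"cluster {cluster:#06x} is marked free")
        if entry == FAT16_BAD:
            raise ValueError(f"cluster {cluster:#06x} is marked bad")
        cluster = entry


def slack_layout(logical_size: int, bytes_per_sector: int, sectors_per_cluster: int) -> dict:
    """Physical size, file slack and RAM slack for a file of logical_size bytes."""
    cluster_size = bytes_per_sector * sectors_per_cluster
    clusters = math.ceil(logical_size / cluster_size)      # a 0-byte file owns no cluster
    physical_size = clusters * cluster_size
    return {
        "clusters": clusters,
        "physical_size": physical_size,
        "file_slack": physical_size - logical_size,        # end of file to end of last cluster
        "ram_slack": (-logical_size) % bytes_per_sector,   # end of file to end of its sector
    }


def read_file(data_area: bytes, fat: list, first_cluster: int, logical_size: int,
              bytes_per_sector: int, sectors_per_cluster: int) -> tuple:
    """Return (content, slack) for a file given its directory-entry fields.
    Cluster 2 is the first cluster of the data area."""
    cluster_size = bytes_per_sector * sectors_per_cluster
    raw = b"".join(data_area[(c - 2) * cluster_size:(c - 1) * cluster_size]
                   for c in follow_chain(fat, first_cluster))
    if len(raw) < logical_size:
        raise ValueError("FAT chain is shorter than the file's logical size")
    return raw[:logical_size], raw[logical_size:]


# --- constructed sample volume (not taken from any real disk) ---------------
BYTES_PER_SECTOR, SECTORS_PER_CLUSTER = 512, 2
CLUSTER = BYTES_PER_SECTOR * SECTORS_PER_CLUSTER
# 16 FAT entries: 0 and 1 reserved; file at 2 -> 3 -> 5 -> EOF; 4 bad; 6 free;
# 7 and 8 point at each other (a corrupt loop).
SAMPLE_FAT_RAW = struct.pack("<16H", 0xFFF8, 0xFFFF, 3, 5, FAT16_BAD, 0xFFFF,
                             FAT16_FREE, 8, 7, *([FAT16_FREE] * 7))
SAMPLE_SIZE = 2300                                     # logical size from the directory entry
SAMPLE_CONTENT = (bytes(range(256)) * 9)[:SAMPLE_SIZE]


def build_sample_data_area() -> bytes:
    """14 data clusters pre-filled with 'OLD' residue, then the sample file written in."""
    area = bytearray((b"OLD" * (14 * CLUSTER // 3 + 1))[:14 * CLUSTER])
    for i, c in enumerate([2, 3, 5]):
        piece = SAMPLE_CONTENT[i * CLUSTER:(i + 1) * CLUSTER]
        area[(c - 2) * CLUSTER:(c - 2) * CLUSTER + len(piece)] = piece
    return bytes(area)
```

For the sample file of 2300 bytes on 1024-byte clusters, `slack_layout` reports three clusters, a physical size of 3072 bytes, 772 bytes of file slack and 260 bytes of RAM slack, and the slack bytes returned by `read_file` still carry the "OLD" residue, which is exactly the region an analyst examines for remnants of earlier data.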


2.1.9. MD5 Hash Algorithm

Hashing is an extremely good way to verify the integrity of a sequence of data bits (e.g., to make sure the contents of the sequence have not been changed inadvertently). The sequence might make up a character string, a file, a directory, or a message representing data (binary 1s or 0s) stored in a computer system. The word "hash" means to "chop into small pieces". A hashing algorithm is a mathematical function (or a series of functions) taking as input the aforementioned sequence of bits and generating as output a code (value) produced from the data bits and possibly including both code and data bits. Two files with exactly the same bit patterns should hash to the same code using the same hashing algorithm. If the hash of a file stays the same, there is only an extremely small probability that the file has been changed. On the other hand, if the hashes of two files do not match, then the files are not the same. Thus, hashes can be used as a primary verification tool to find identical files. The MD5 message-digest algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given pre-specified target message digest. After some initial processing, MD5 processes the input in 512-bit blocks, each divided into sixteen 32-bit sub-blocks. The output of the algorithm is a set of four 32-bit words, which concatenate to form a single 128-bit hash value.

2.2 NTFS File System

Windows XP (NTFS 3.1), Windows 2000 (NTFS 3.0) and Windows NT with Service Pack 4.0 installed (NTFS 1.2) support NTFS (New Technology File System). NTFS is one of the most complex and successful file systems in existence at present. An NTFS partition can theoretically be of almost any size. A limit certainly exists, but it will be more than enough for the next hundreds of years of computer technology development at any growth rate; at the moment the maximum size of an NTFS partition is limited only by hard disk sizes. NTFS provides a combination of performance, reliability, and compatibility not found in the FAT file system.

Formatting a volume with the NTFS file system results in the creation of several system files and the Master File Table (MFT), which contains information about all the files and folders in the NTFS volume.

The first information in an NTFS volume is the Partition Boot Sector, which starts at sector 0 and can be up to 16 sectors long. The first file on an NTFS volume is the Master File Table (MFT).

Basically, everything in the volume is a file and everything in a file is an attribute, from the data attribute, to the security attribute, to the file name attribute. Every sector on an NTFS volume that is allocated belongs to some file. Even the file system metadata (information that describes the file system itself) is part of a file.

2.2.1 Structure of NTFS

Like the FAT file system, the NTFS file system uses clusters as the fundamental unit of disk allocation. Clusters, however, need not be made up of just 512-byte sectors. In the NTFS file system, the default cluster size depends on the volume size and is a multiple of the default allocation unit of whatever hardware the system is installed on.

The Partition Boot Sector, which starts at sector 0 and can be up to 16 sectors long, consists of two structures:

• The BIOS Parameter Block, which contains information on the volume layout and file system structures.

• Code that describes how to find and load the startup files for whatever operating system is being loaded. For Windows NT on x86-based computers, this code loads NTLDR.



2.2.2 Master File Table (MFT)

When you format an NTFS volume, the format program creates a set of files that contain the metadata used to implement the file system structure. The NTFS file system reserves the first 16 records in the MFT for information about these metadata files. The NTFS file system uses approximately 1 MB for the metadata files and the first 16 records in the MFT.

The MFT contains records that describe each file on an NTFS volume. The NTFS file system allocates space for each of the MFT records based upon the cluster size. The attributes of a file are written to the allocated space in the MFT. Small files and folders can be contained entirely within the MFT record.

The NTFS file system views each file (or folder) as a set of file attributes. Elements such as the file’s name, its security information, and even its data, are all file attributes. Each attribute is identified by an attribute type code and, optionally, an attribute name.
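The following Python script is an added worked example; it is not part of this manual and not code from CyberCheck. It builds one constructed 1024-byte MFT FILE record for a small file whose $STANDARD_INFORMATION, $FILE_NAME and $DATA attributes are all resident (the case the text describes, where a small file lives entirely inside its MFT record), then parses it: it undoes the update-sequence fixups that protect every sector of a record, reads the header flags, walks the attribute list by type code, and extracts the file name and the resident data. The record size of 1024 bytes, the file name, the timestamp and the update sequence number are assumptions made for the sample.

```python
import struct

SECTOR = 512
END_MARKER = 0xFFFFFFFF
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}


def apply_fixups(record: bytes) -> bytearray:
    """Undo update-sequence protection: on disk the last two bytes of every
    sector of the record hold the update sequence number (USN) and the real
    bytes live in the update sequence array (USA) of the header.  A mismatch
    means a torn write or a record read with the wrong size."""
    rec = bytearray(record)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        end = i * SECTOR - 2
        if rec[end:end + 2] != usn:
            raise ValueError(f"update sequence mismatch in sector {i - 1}")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec


def parse_mft_record(record: bytes) -> dict:
    """Decode a FILE record: header flags plus its list of attributes."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = apply_fixups(record)
    first_attr, flags, used = struct.unpack_from("<HHI", rec, 20)
    info = {"in_use": bool(flags & 0x1), "is_directory": bool(flags & 0x2),
            "attributes": []}
    off = first_attr
    while off + 4 <= used:
        atype, = struct.unpack_from("<I", rec, off)
        if atype == END_MARKER:
            break
        alen, nonres, name_len, name_off = struct.unpack_from("<IBBH", rec, off + 4)
        if alen == 0:
            raise ValueError(f"zero-length attribute at offset {off}")
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        attr = {"type": ATTR_NAMES.get(atype, hex(atype)), "name": name,
                "resident": nonres == 0}
        if nonres == 0:                      # value is stored inside the record itself
            vlen, voff = struct.unpack_from("<IH", rec, off + 16)
            attr["value"] = bytes(rec[off + voff:off + voff + vlen])
        info["attributes"].append(attr)
        off += alen
    return info


def file_name(info: dict):
    """Name from the resident $FILE_NAME value (length at byte 64, UTF-16 from 66)."""
    for a in info["attributes"]:
        if a["type"] == "$FILE_NAME" and a["resident"]:
            v = a["value"]
            return v[66:66 + 2 * v[64]].decode("utf-16-le")
    return None


def resident_data(info: dict):
    """Content of the unnamed resident $DATA attribute, present only for small files."""
    for a in info["attributes"]:
        if a["type"] == "$DATA" and a["name"] == "" and a["resident"]:
            return a["value"]
    return None


# --- constructed sample record (not from any real volume) -------------------

def _attr(atype: int, value: bytes) -> bytes:
    """Resident, unnamed attribute: 24-byte header + value, padded to 8 bytes."""
    total = (24 + len(value) + 7) & ~7
    hdr = struct.pack("<IIBBHHH", atype, total, 0, 0, 24, 0, 0)
    hdr += struct.pack("<IHBB", len(value), 24, 0, 0)
    return hdr + value.ljust(total - 24, b"\0")


def build_sample_record() -> bytes:
    data = b"hello from the MFT\n"
    fname = "notes.txt".encode("utf-16-le")
    ts = 0x01C6A1B2C3D4E5F6                                   # constructed FILETIME
    # $FILE_NAME value: parent ref, four timestamps, sizes, flags, name length, namespace
    fn_value = struct.pack("<Q4QQQIIBB", 5, ts, ts, ts, ts, 1024, len(data), 0x20, 0, 9, 3) + fname
    body = (_attr(0x10, bytes(48)) + _attr(0x30, fn_value) + _attr(0x80, data)
            + struct.pack("<II", END_MARKER, 0))
    rec = bytearray(1024)
    first_attr = 0x38
    rec[:42] = b"FILE" + struct.pack("<HHQHHHHIIQH", 0x30, 3, 0, 1, 1, first_attr,
                                     0x1, first_attr + len(body), 1024, 0, 4)
    rec[first_attr:first_attr + len(body)] = body
    usn = b"\x07\x00"                                         # constructed USN
    rec[0x30:0x36] = usn + rec[510:512] + rec[1022:1024]      # USA: USN + saved sector tails
    rec[510:512] = usn
    rec[1022:1024] = usn
    return bytes(rec)
```

Applying the fixups before reading any attribute is the step most often skipped in quick scripts; a record whose sector tails do not carry the expected USN should be reported rather than parsed, since its attribute offsets may be garbage.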

2.3 EXT2FS File System

When Linux was first developed, it supported only one file system, the Minix file system. The Minix file system has two serious limitations: the maximum file system size is restricted to 64 megabytes, and directories contain fixed-size entries with a maximum file name length of 30 characters.

The Extended File System was implemented in April 1992. Its maximum file system size was 2 GB and the maximum file name length was 255 characters. This file system used linked lists to keep track of free blocks, which produced poor performance: as the file system was used, the lists became unsorted and the file system became fragmented.

As a response to these problems, the Second Extended File System was released in January 1993. The goal was to provide a powerful file system which implements Unix file semantics and offers advanced features.

Ext2fs was designed by Remy Card and Wayne Davison and was implemented by Remy Card. It is an extensible and powerful file system for Linux and the most successful file system in the Linux community. It includes provision for extensions, allowing users to benefit from new features without reformatting their file system.

In order to ease management, Ext2fs logically divides the disk into small units called blocks. A block is the smallest unit that can be allocated. The system administrator can choose a block size of 1024, 2048 or 4096 bytes when creating the file system, depending on the expected average file length. Every file size is rounded up to an integral number of blocks.

Ext2fs groups a fixed number of sequential blocks into a Block Group. The file system is managed as a series of Block Groups, as shown in figure 2.3.1 below. This keeps related information physically close on the disk and eases the management task.

Figure 2.3.1 – Block Structure of Ext2FS file system

Ext2fs can access file systems as large as 4TB. The maximum file size is 2GB. It uses variable-length directory entries and can have filenames as long as 255 characters. Another advantage is its reliability: because the block groups contain copies of the primary control structures, these copies can be used to repair the file system if the superblock at the start of the disk gets corrupted. Linux trades off relatively inefficient disk usage in order to reduce the workload on the CPU.

Every file and directory in the file system is described by one and only one Inode. The Inodes of each block group are kept in that group's Inode table. The system administrator may choose how many Inodes to allow for a partition of a given size, depending on the expected number of files to be stored on it. This maximizes the effectively usable disk space.
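The following Python script is an added worked example; it is not part of this manual and not code from CyberCheck. It parses a constructed ext2 superblock (the primary copy always starts 1024 bytes into the volume, whatever the block size), derives the block size, the number of block groups and which block groups carry a backup copy of the superblock, and locates an inode's block group and index within that group's Inode table. The volume geometry (65536 blocks of 1024 bytes, 8192 blocks and 2048 inodes per group) and the volume name are constructed for the sample; the field offsets are those of the ext2 on-disk superblock.

```python
import struct

EXT2_SUPER_MAGIC = 0xEF53
SUPERBLOCK_OFFSET = 1024          # primary superblock: bytes 1024-2047 of the volume
RO_COMPAT_SPARSE_SUPER = 0x0001   # backups only in groups 0, 1 and powers of 3, 5, 7


def parse_superblock(sb: bytes) -> dict:
    """Decode the fields of an ext2 superblock needed to navigate the volume."""
    (inodes_count, blocks_count, _r_blocks, _free_blocks, _free_inodes,
     first_data_block, log_block_size) = struct.unpack_from("<7I", sb, 0)
    blocks_per_group, _frags_per_group, inodes_per_group = struct.unpack_from("<3I", sb, 32)
    magic, = struct.unpack_from("<H", sb, 56)
    if magic != EXT2_SUPER_MAGIC:
        raise ValueError(f"bad ext2 magic {magic:#06x}")
    ro_compat, = struct.unpack_from("<I", sb, 100)
    block_size = 1024 << log_block_size
    block_groups = -(-(blocks_count - first_data_block) // blocks_per_group)   # ceiling
    return {
        "block_size": block_size,
        "blocks_count": blocks_count,
        "inodes_count": inodes_count,
        "first_data_block": first_data_block,
        "blocks_per_group": blocks_per_group,
        "inodes_per_group": inodes_per_group,
        "block_groups": block_groups,
        "sparse_super": bool(ro_compat & RO_COMPAT_SPARSE_SUPER),
        "volume_name": sb[120:136].split(b"\0", 1)[0].decode("ascii", "replace"),
    }


def parse_image(image: bytes) -> dict:
    """Read the primary superblock from the start of a raw volume image."""
    return parse_superblock(image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024])


def backup_superblock_blocks(info: dict) -> list:
    """Block numbers that hold a copy of the superblock: the first block of
    every block group carrying a backup (all groups unless sparse_super)."""
    groups = info["block_groups"]
    if info["sparse_super"]:
        wanted = {0, 1}
        for p in (3, 5, 7):
            g = p
            while g < groups:
                wanted.add(g)
                g *= p
    else:
        wanted = set(range(groups))
    return [info["first_data_block"] + g * info["blocks_per_group"]
            for g in sorted(wanted) if g < groups]


def inode_location(info: dict, ino: int) -> tuple:
    """(block group, index in that group's Inode table) for inode number ino (1-based)."""
    if not 1 <= ino <= info["inodes_count"]:
        raise ValueError(f"inode {ino} out of range")
    return (ino - 1) // info["inodes_per_group"], (ino - 1) % info["inodes_per_group"]


# --- constructed sample superblock (not from any real volume) ---------------

def build_sample_superblock() -> bytes:
    sb = bytearray(1024)
    # inodes, blocks, reserved, free blocks, free inodes, first data block, log2(block size / 1024)
    struct.pack_into("<7I", sb, 0, 16384, 65536, 3276, 60000, 16000, 1, 0)
    struct.pack_into("<3I", sb, 32, 8192, 8192, 2048)          # blocks/frags/inodes per group
    struct.pack_into("<H", sb, 56, EXT2_SUPER_MAGIC)
    struct.pack_into("<I", sb, 76, 1)                           # revision 1 (dynamic)
    struct.pack_into("<I", sb, 100, RO_COMPAT_SPARSE_SUPER)
    sb[120:128] = b"evidence"
    return bytes(sb)


def build_sample_image() -> bytes:
    """First 4 KiB of a volume: boot block, then the superblock at byte 1024."""
    return bytes(1024) + build_sample_superblock() + bytes(2048)
```

With these parameters the backup superblocks sit at blocks 1, 8193, 24577, 40961 and 57345; when the primary copy at byte 1024 is damaged, a recovery tool reads one of those instead, which is the reliability property the section above describes.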


The Ext3 file system has been designed with two simple concepts in mind:

• To be a journaling file system

• To be, as much as possible, compatible with the old Ext2 file system.

Ext3 is the descendant of ext2, as its name implies. In fact, it is essentially ext2 with added support for journaling. Ext3 has a significant advantage over the other options described below:

It is backwards compatible. Ext2 partitions can be converted to ext3 and vice-versa without reformatting the partition. An older kernel with no ext3 support can mount an Ext3 partition - it is just seen as a normal ext2 partition. In particular, it is largely based on Ext2, so its data structures on disk are essentially identical to those of an Ext2 file system.

The Linux swap partition is something you generally create once and then forget about. It is an amount of disk space to which Linux temporarily writes data from RAM to free up memory for other processes. The swap partition differs from all others in that it is not used to store files.

ReiserFS, developed by Hans Reiser and other developers, is quite stable and very fast, relying on a balanced tree structure instead of the traditional blocks. It was the first journaling file system available for Linux.

Xiafs was designed as a stable, safe file system by extending Minix. It is no longer actively supported and is rarely used.

Journaled file systems: Whenever a computer is switched off without a proper shutdown there is the possibility that data on the disk becomes corrupted, that is, some of the data will have been written while some has not, leaving files or even internal file system data in a "half-finished" state. Whenever that happens the system goes through a routine to check the disk for errors, "fsck" in Linux and "scandisk" in Windows. This is time consuming, especially on today's very large capacity disks. This check is also forced once every so many boot-ups, to make sure everything is working properly. Journaling file systems get rid of these problems. Instead of writing modified files directly onto their area on the disk, the system maintains a "journal" on the disk, which describes all the changes that must be made to the disk. Then, a background process takes each journal entry, makes the change and marks it as completed. If the system is halted without a shutdown, any pending changes are performed when it is restarted and the system is ready to continue running in seconds. Incomplete entries in the journal are discarded. This guarantees consistency and removes the need for a long and complex file system check on boot-up.

2.4 CDFS File System

A file system facilitates the storage and retrieval of perhaps many hundreds or even thousands of files. Each computer operating system uses a different file system and therefore there are a number of CD-ROM file systems in use to suit a range of platforms including Windows, Macintosh, UNIX, etc. The most common file system for CD-ROM is ISO 9660, which is the international standard version of the High Sierra Group file system and is designed for the PC and MS-DOS. The Joliet extensions provide long filenames. The ISO 9660 data starts at track time 00:02:16, or logical sector 16 of track one. The ISO 9660 specification defines two levels:

1. Compatible with an MS-DOS file system. Filenames in upper case and up to 8 + 3 characters. Subdirectories are allowed to nest up to eight levels deep.

2. Longer filenames, up to 32 characters. Not usable on MS-DOS systems. Most restrictions of Level 1 remain.

2.4.1 JOLIET Extensions to ISO 9660


The Joliet specification was designed to resolve a number of deficiencies in the original ISO 9660 file system (Level 1) particularly when used with Windows95 and later. These include:

• Character set limited to upper case characters, numbers and underscore.

• File name length limited to 8 characters plus a three-character extension.

• Directory tree depth limitations.

• Directory name format limitations.

The Joliet specification uses the Supplementary Volume Descriptor (SVD) feature of ISO 9660 to solve the above problems. In order to maintain compatibility with MS-DOS, the Primary Volume Descriptor and its associated path table meet the ISO 9660 Level 1 specification. The SVD uses a second path table with long filenames for full Windows 9x/2000 compatibility.

2.4.2 The Volume Descriptors

There are currently four types of Volume Descriptors defined in ISO 9660. Only one of these, the Primary Volume Descriptor, is commonly used. The other types are the Boot Record, the Supplementary Volume Descriptor, and the Volume Partition Descriptor. The Boot Record can be used for systems that must perform some type of initialization before the user can access the volume, although ISO 9660 does not specify what information must be in the Boot Record or how it is to be used. The Supplementary Volume Descriptor can be used to identify an alternate character set for use by systems that do not support the ISO 646 character set. The Volume Partition Descriptor can be used to logically divide the volume into smaller volume partitions, although ISO 9660 does not specify how to do this, only that it can be done. The Volume Descriptors are recorded starting at Logical Sector 16 (which corresponds to two seconds and sixteen sectors into the CD, or in CD "Atime", 00:02:16).


The Primary Volume Descriptor is the starting point in identifying a CD-ROM. It contains the Standard Identifier, the Volume Identifier, the Volume Set Identifier, the System Identifier, the size of the Volume, the number of Volumes in the Volume Set it belongs to, the sequence number of this Volume within the Volume Set, the Logical Block size of the blocks in this volume, the size of the Path Table, the location of the Path Table, the Directory record for the Root Directory, other identifiers and important times relating to the Volume. The Standard Identifier is a set of characters, defined by ISO 9660 to be CD001, that tells the operating system that this is an ISO 9660 disc. This distinguishes the volume from other file systems that use a similar layout, such as High Sierra, whose Standard Identifier is CDROM, and Compact Disc Interactive, whose Standard Identifier is CD-I. The Volume Identifier is simply the name that is given to the ISO 9660 volume. The characters that can be used in the Volume Identifier are restricted to what IS0 9660 calls d-characters and the length is restricted to 31 characters.

Structure of Primary Volume Descriptor

BP         Field Name
1          Primary Volume Descriptor Id
2-6        Standard Identifier
7          Volume Descriptor Version No
41-72      Volume Identification
81-88      Volume Size
129-132    Logical Block Size
133-140    Path Table Size
141-144    Location of Type L Path Table
149-152    Location of Type M Path Table
157-190    Directory Record for Root Directory
814-830    Volume Creation Date & Time
831-847    Volume Modification Date & Time

The Volume Size is a number that tells the operating system how many Logical Blocks are in this Volume. A Logical Block is the basic way of locating things in the Volume: all locations are given as Logical Block Numbers. If the Volume is pictured as an Interstate highway, then the Logical Block Numbers are the mile markers. The Logical Block Size is the number of bytes that make up the smallest amount of space that is allocated in this volume. This number can be 512, 1024, or 2048 bytes. Most ISO 9660 discs use a Logical Block Size of 2048, the same as the Sector Size. The Path Table Size tells the operating system how many bytes are in the Path Table. Most operating systems that use the Path Table keep it in fast, local memory (RAM), and this number is a quick way for the operating system to know how much memory it needs to allocate before it reads the Path Table. This way the operating system only reads the Path Table once, saving time. The location of the Path Table must be in the Primary Volume Descriptor since the Path Table itself may be anywhere in the Volume. The Root Directory record contains the information the operating system needs to locate and read the top level directory. It is formatted exactly the same as any other directory record. The time stamps are fields in the Primary Volume Descriptor that contain information about when the Volume was created, when it may have been modified, when the data becomes effective, and when the data becomes obsolete.

2.4.3 The Directory Structure

The ISO 9660 directory structure is organized in a hierarchical manner similar to most modern file systems. At the top of the hierarchy is the Root Directory, the location of which is identified in the Primary Volume Descriptor. When drawn hierarchically, the directory structure resembles the roots of a tree, with the Root Directory at the top of the structure, as shown in the figure.


Figure 2.4.3.1 – Directory Structure

As shown in figure 2.4.3.1, there are distinct levels in this hierarchy. The Root Directory is the only directory at level 1. In the example illustrated by the figure, subdirectories ALPS and ROCKIES are at level 2, subdirectories AUSTRIAN and FRENCH are at level 3, subdirectory SKIING is at level 4, and the file MATTERHORN.MOUNT;1 is at level 5. To ensure compatibility, ISO 9660 imposes a limit of eight levels on the depth of the directory structure. It also imposes a limit on the length of the path to each file. The length of the path is the sum of the lengths of all relevant directories, the length of the File Identifier, and the number of relevant directories. The length of the path cannot exceed 255. A directory in an ISO 9660 volume is recorded as a file containing a set of directory records. Each directory record describes a file or another directory. Every directory has a parent directory. The parent directory contains the directory record that identifies that directory. The Root Directory's parent is the Root Directory itself. Each directory also contains a record for its parent directory. A given directory may contain entries for several files as well as for several directories, all of which have the same parent.


Structure of Directory Record

Byte Position          Field Name                            Content
1                      Length of Directory Record            Bytes
3-10                   Location of the Dir or File           Location in Logical Block Number
11-18                  Data Length                           Length of the file section in bytes
19-25                  Recording Date and Time               Recording Date and Time
26                     File Flags                            Bit 0 - File is hidden if this bit is 1; Bit 1 - Entry is a directory if this bit is 1
29-32                  Volume Sequence Number                Number of the Volume in the Volume Set
33                     Length of File Identifier (LEN_FI)    Bytes
34 to (33 + LEN_FI)    File Identifier                       Name of the Directory or File
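The following Python script is an added worked example; it is not part of this manual and not code from CyberCheck. It decodes the Primary Volume Descriptor fields tabulated in section 2.4.2 and the directory records tabulated above, using the byte positions from those tables (minus one, as Python offsets start at zero). Every multi-byte numeric field in ISO 9660 is recorded twice, little-endian followed by big-endian, and the parser treats a disagreement between the two copies as a defect to report. The volume name, block numbers, file sizes and the recording date are constructed for the sample.

```python
import struct

SECTOR = 2048


def _both32(buf: bytes, off: int) -> int:
    """ISO 9660 'both-byte order' field: little-endian copy then big-endian
    copy.  A disagreement points at a damaged or edited image."""
    le, = struct.unpack_from("<I", buf, off)
    be, = struct.unpack_from(">I", buf, off + 4)
    if le != be:
        raise ValueError(f"both-endian 32-bit field mismatch at offset {off}")
    return le


def _both16(buf: bytes, off: int) -> int:
    le, = struct.unpack_from("<H", buf, off)
    be, = struct.unpack_from(">H", buf, off + 2)
    if le != be:
        raise ValueError(f"both-endian 16-bit field mismatch at offset {off}")
    return le


def parse_dir_record(r: bytes) -> dict:
    """Decode one directory record (offsets are the table's BP values minus one)."""
    ident = r[33:33 + r[32]]
    name = {b"\x00": ".", b"\x01": ".."}.get(ident) or ident.decode("ascii")
    yr, mo, dy, hh, mi, ss, _tz = r[18:25]               # BP 19-25, years since 1900
    return {
        "extent": _both32(r, 2),                           # BP 3-10
        "size": _both32(r, 10),                            # BP 11-18
        "recorded": f"{1900 + yr}-{mo:02d}-{dy:02d} {hh:02d}:{mi:02d}:{ss:02d}",
        "hidden": bool(r[25] & 0x01),                      # BP 26, bit 0
        "is_dir": bool(r[25] & 0x02),                      # BP 26, bit 1
        "volume_seq": _both16(r, 28),                      # BP 29-32
        "name": name,                                      # BP 34 onwards
    }


def parse_pvd(sector: bytes) -> dict:
    """Decode the Primary Volume Descriptor found at logical sector 16."""
    if sector[0] != 1 or sector[1:6] != b"CD001":
        raise ValueError("not an ISO 9660 Primary Volume Descriptor")
    root = parse_dir_record(sector[156:190])               # BP 157-190
    return {
        "volume_id": sector[40:72].decode("ascii").rstrip(),
        "volume_size_blocks": _both32(sector, 80),
        "logical_block_size": _both16(sector, 128),
        "path_table_size": _both32(sector, 132),
        "l_path_table_lba": struct.unpack_from("<I", sector, 140)[0],
        "m_path_table_lba": struct.unpack_from(">I", sector, 148)[0],
        "root_extent_lba": root["extent"],
        "root_size": root["size"],
        "created": sector[813:829].decode("ascii"),        # BP 814-830: digits + zone byte
    }


def parse_directory(extent: bytes) -> list:
    """All records of a directory extent.  Records never straddle a sector, so
    a zero length byte means 'skip to the next sector'."""
    entries, off = [], 0
    while off < len(extent):
        rlen = extent[off]
        if rlen == 0:
            off = (off // SECTOR + 1) * SECTOR
            continue
        entries.append(parse_dir_record(extent[off:off + rlen]))
        off += rlen
    return entries


# --- constructed sample data (not from any real disc) -----------------------

def _be32(v: int) -> bytes:
    return struct.pack("<I", v) + struct.pack(">I", v)


def _be16(v: int) -> bytes:
    return struct.pack("<H", v) + struct.pack(">H", v)


def make_dir_record(ident: bytes, extent: int, size: int, is_dir: bool) -> bytes:
    body = (b"\0" + _be32(extent) + _be32(size)
            + bytes([106, 4, 27, 12, 0, 0, 0])              # 2006-04-27 12:00:00, constructed
            + bytes([0x02 if is_dir else 0, 0, 0]) + _be16(1) + bytes([len(ident)]) + ident)
    if len(ident) % 2 == 0:
        body += b"\0"                                        # pad byte keeps the length even
    return bytes([len(body) + 1]) + body


def build_sample_pvd() -> bytes:
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1
    pvd[40:72] = b"EVIDENCE".ljust(32)
    pvd[80:88], pvd[128:132], pvd[132:140] = _be32(1200), _be16(2048), _be32(10)
    pvd[140:144], pvd[148:152] = struct.pack("<I", 19), struct.pack(">I", 20)
    pvd[156:190] = make_dir_record(b"\x00", 23, 2048, True)
    pvd[813:830] = b"2006042712000000\0"
    return bytes(pvd)


def build_sample_root_directory() -> bytes:
    recs = (make_dir_record(b"\x00", 23, 2048, True) + make_dir_record(b"\x01", 23, 2048, True)
            + make_dir_record(b"ALPS", 24, 2048, True) + make_dir_record(b"ROCKIES", 25, 2048, True)
            + make_dir_record(b"README.TXT;1", 30, 1337, False))
    return recs.ljust(SECTOR, b"\0")
```

Reading the root directory record out of the PVD and then the extent it points at is the same walk an operating system performs; the both-endian cross-check costs nothing and catches images whose numeric fields were altered by hand or by a faulty writer.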

2.4.4 The Path Table

Figure 2.4.4.1 – Path Table

The Path Table gives the operating system a short cut to each directory on the disc, rather than making the operating system read through each directory to get to the file it needs. This is done primarily to enhance performance. For each directory other than the Root Directory, the Path Table contains a record that identifies the directory, its parent directory, and its location. Most operating systems read the Path Table once and keep it in memory, rather than reading it over and over again. In the example shown in the Directory Hierarchy, a system that does not make use of the Path Table would have to read the root directory to find the location of the ALPS directory, then read the ALPS directory to find the location of the AUSTRIAN directory, then read the AUSTRIAN directory to find the location of the SKIING directory, then read the SKIING directory to find the location of the file MATTERHORN.MOUNT;1. By making use of the Path Table, the operating system can look up the location of the SKIING directory in the Path Table, read the SKIING directory and find the location of the file. This requires only one seek on the CD-ROM, rather than four. The time difference, for a typical drive with a seek time of 250 msec, is 3/4 of a second. When accessing many files, this difference can significantly affect performance.

Structure of the Path Table

Byte Position          Field Name                                 Content
1                      Length of Directory Identifier (LEN_DI)    Length in Bytes
3-6                    Location of Dir                            Logical Block Number of the Directory
7-8                    Parent Directory Number                    The record number in the Path Table for the parent directory of this directory
9 to (8 + LEN_DI)      Directory Identifier                       Name of the Directory
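The following Python script is an added worked example; it is not part of this manual and not code from CyberCheck. It decodes a Type L (little-endian) Path Table laid out as in the table above, rebuilds the full path of every directory from the parent directory numbers alone, and resolves a directory to its logical block with a single table lookup, which is the short cut the text describes. The directory hierarchy is the one from figure 2.4.3.1 (ALPS, ROCKIES, AUSTRIAN, FRENCH, SKIING); the block numbers assigned to them are constructed.

```python
import struct


def parse_l_path_table(table: bytes) -> list:
    """Decode a Type L path table into records numbered from 1 in list order.
    Offsets are the table's byte positions minus one."""
    records, off = [], 0
    while off + 8 <= len(table):
        len_di = table[off]                                   # BP 1
        if len_di == 0:
            break                                             # zero fill after the last record
        extent, parent = struct.unpack_from("<IH", table, off + 2)   # BP 3-6, BP 7-8
        ident = table[off + 8:off + 8 + len_di]               # BP 9 onwards
        records.append({"name": "" if ident == b"\x00" else ident.decode("ascii"),
                        "extent": extent, "parent": parent})
        off += 8 + len_di + (len_di % 2)                      # pad byte when LEN_DI is odd
    return records


def resolve_paths(records: list) -> list:
    """Full path of every directory, computed from the path table alone."""
    paths = []
    for i, rec in enumerate(records, start=1):
        parent = rec["parent"]
        if i == 1:
            if parent != 1:
                raise ValueError("root record must be its own parent")
            paths.append("/")
        elif not 1 <= parent < i:
            raise ValueError(f"record {i} refers to parent {parent}, which is not earlier in the table")
        else:
            paths.append(paths[parent - 1].rstrip("/") + "/" + rec["name"])
    return paths


def locate_directory(records: list, path: str) -> int:
    """Logical block of a directory, found with one path-table lookup instead
    of reading every directory on the way down."""
    return records[resolve_paths(records).index(path)]["extent"]


# --- constructed sample path table (not from any real disc) -----------------

def make_l_path_record(ident: bytes, extent: int, parent: int) -> bytes:
    rec = bytes([len(ident), 0]) + struct.pack("<IH", extent, parent) + ident
    return rec + (b"\0" if len(ident) % 2 else b"")


SAMPLE_PATH_TABLE = (
    make_l_path_record(b"\x00", 23, 1)        # 1: root, its own parent
    + make_l_path_record(b"ALPS", 24, 1)      # 2
    + make_l_path_record(b"ROCKIES", 25, 1)   # 3
    + make_l_path_record(b"AUSTRIAN", 26, 2)  # 4
    + make_l_path_record(b"FRENCH", 27, 2)    # 5
    + make_l_path_record(b"SKIING", 28, 4)    # 6
)
```

Records in a path table are ordered by level, then by parent number, then by name, so a parent always precedes its children; the parser treats a forward or self reference as corruption rather than looping on it.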


2.5 UDF FILE SYSTEM

Universal Disk Format (UDF) is a file system specification defined by OSTA (Optical Storage Technology Association). UDF offers the following features:

• Robust file exchange

• System & vendor independent

• Writable & read-only media

• Based on ISO 13346

UDF Bridge: A combination of UDF and ISO 9660 (known as UDF Bridge) is used on some DVD discs to provide compatibility with existing operating systems, including Windows 9x and later. Applications can access the data files using either the ISO 9660 or the UDF file structures, but use of UDF is recommended.

Anchor Volume Descriptor Pointer

An Anchor Volume Descriptor Pointer shall identify the Main Volume Descriptor Sequence and may identify a Reserve Volume Descriptor Sequence. Let n be the largest logical sector number in the volume space. Anchor points shall be at two or more of the following logical sector numbers: 256, n - 256, n.

Byte Position    Field Name
16-24            Location of the Main Volume Descriptor

MAIN VOLUME DESCRIPTOR SEQUENCE

The Main Volume Descriptor Sequence contains the following descriptors:

• Primary Volume Descriptor

• Implementation Use Volume Descriptor

• Partition Descriptor

• Logical Volume Descriptor


A Volume Descriptor Sequence shall contain Primary Volume Descriptors. A Primary Volume Descriptor shall identify the volume and the volume set to which it belongs, the sequence number of the volume within the volume set, attributes of the volume, and the character sets used in recording the contents of certain fields within the Primary Volume Descriptor. Each Primary Volume Descriptor shall have an assigned Primary Volume Descriptor Number.

A Volume Descriptor Sequence shall contain Implementation Use Volume Descriptors. An Implementation Use Volume Descriptor shall identify an implementation and contain information for that implementation's use.

A Volume Descriptor Sequence shall contain Partition Descriptors. A Partition Descriptor shall specify a partition, attributes of the partition and an identification of the partition, referred to as the partition number.

A Volume Descriptor Sequence shall contain Logical Volume Descriptors. A Logical Volume Descriptor shall specify an identification of the logical volume, the logical block size of the logical volume, identification of the partitions comprising the logical volume and attributes of the logical volume. If the Reserve Volume Descriptor Sequence is identified, it shall specify a Volume Descriptor Sequence equivalent to the Main Volume Descriptor Sequence.

PARTITION DESCRIPTOR

A partition is an extent of a volume and shall be identified by a Partition Number in the range 0 to 65535 inclusive. The information about a partition shall be recorded in a Partition Descriptor. The prevailing instance of the Partition Descriptor with a specific Partition Number shall specify whether volume space has been allocated to the partition and may specify an identification of the partition's contents. The following details are obtained from the Partition Descriptor.

Byte Position    Field Name
188-192          Partition Starting Location
192-196          Partition Length


LOGICAL VOLUME DESCRIPTOR

A Logical Volume Descriptor specifies the identification of the logical volume and the logical block size of the logical volume. The location at which the first File Set Descriptor Sequence of the logical volume is recorded shall be identified by the Logical Volume Contents Use field.

Byte Position    Field Name
84-212           Logical Volume Identifier
212-216          Logical Block Size
248-264          Logical Volume Contents Use

FILE SET DESCRIPTOR

A file set shall be identified by a File Set Descriptor which identifies the root of a directory hierarchy describing a set of files and certain attributes of the file set.

Byte Position    Field Name
400-416          Root Directory File Entry Location

FILE IDENTIFIER DESCRIPTOR

A directory contains zero or more file or directory identifications. A directory hierarchy shall be a set of directories descended from a single root directory. A directory shall contain a set of directory descriptors, each of which identifies a parent directory or a component file or a component subdirectory. Each directory descriptor shall specify the name of a component file or the name of a component subdirectory, or identify the parent directory of the directory. The length, in bytes, of the name of a component file or subdirectory shall be greater than 0. Each directory descriptor shall contain an indication of whether the identified component is a directory.

Byte Position    Field Name
18               File Characteristics
19               Length of the File Identifier
20-36            Location of the File Entry
38-LFI           File Identifier

The following bits are defined in the File Characteristics field:

Bit 0    Existence: ZERO - Existence of the file
Bit 1    Directory: ZERO - File; ONE - Directory
Bit 3    Parent: ONE - Subdirectory

Bit 1 is used to identify whether the entry is a file or a directory.
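The following Python script is an added worked example; it is not part of this manual and not code from CyberCheck. It walks a constructed UDF directory extent made of File Identifier Descriptors laid out as in the table above (file characteristics at byte 18, identifier length at byte 19, the File Entry location inside the long allocation descriptor at bytes 20-35, then the identifier after any implementation-use bytes), verifies each descriptor tag's checksum before trusting it, and decodes the characteristics bits, keeping deleted entries visible since a recovery tool wants to see them. Names, block numbers and the tag serial values are constructed; the descriptor CRC is left at zero in the sample and is not checked here.

```python
import struct

TAG_FID = 257                                   # tag identifier of a File Identifier Descriptor
FC_HIDDEN, FC_DIRECTORY, FC_DELETED, FC_PARENT = 0x01, 0x02, 0x04, 0x08


def tag_checksum(tag: bytes) -> int:
    """Descriptor tag checksum: sum of tag bytes 0-3 and 5-15 modulo 256."""
    return (sum(tag[:4]) + sum(tag[5:16])) & 0xFF


def decode_udf_name(raw: bytes) -> str:
    """UDF identifiers start with a compression ID: 8 = one byte per character,
    16 = UTF-16 big-endian."""
    if not raw:
        return ""
    if raw[0] == 8:
        return raw[1:].decode("latin-1")
    if raw[0] == 16:
        return raw[1:].decode("utf-16-be")
    raise ValueError(f"unknown compression id {raw[0]}")


def parse_fid(buf: bytes, off: int = 0) -> tuple:
    """Decode one FID at buf[off:]; return (entry, offset of the next FID)."""
    tag_id, = struct.unpack_from("<H", buf, off)
    if tag_id != TAG_FID:
        raise ValueError(f"tag {tag_id} at offset {off} is not a FID")
    if buf[off + 4] != tag_checksum(buf[off:off + 16]):
        raise ValueError(f"tag checksum mismatch at offset {off}")
    _version, chars, l_fi = struct.unpack_from("<HBB", buf, off + 16)   # bytes 16-19
    _icb_len, icb_lbn, icb_part = struct.unpack_from("<IIH", buf, off + 20)  # long_ad
    l_iu, = struct.unpack_from("<H", buf, off + 36)
    name_off = off + 38 + l_iu
    total = 38 + l_iu + l_fi
    total += (-total) % 4                          # FIDs are padded to 4-byte multiples
    entry = {
        "name": decode_udf_name(buf[name_off:name_off + l_fi]),
        "hidden": bool(chars & FC_HIDDEN),
        "directory": bool(chars & FC_DIRECTORY),
        "deleted": bool(chars & FC_DELETED),
        "parent": bool(chars & FC_PARENT),
        "icb_lbn": icb_lbn,
        "icb_partition": icb_part,
    }
    return entry, off + total


def parse_udf_directory(extent: bytes) -> list:
    """All FIDs in a directory extent, in order, deleted entries included."""
    entries, off = [], 0
    while off + 38 <= len(extent) and extent[off:off + 2] != b"\0\0":
        entry, off = parse_fid(extent, off)
        entries.append(entry)
    return entries


# --- constructed sample directory (not from any real disc) ------------------

def make_fid(name: str, icb_lbn: int, chars: int) -> bytes:
    ident = b"" if chars & FC_PARENT else b"\x08" + name.encode("latin-1")
    body = (struct.pack("<HBB", 1, chars, len(ident))
            + struct.pack("<IIH6x", 2048, icb_lbn, 0)        # ICB long_ad, partition 0
            + struct.pack("<H", 0) + ident)                    # no implementation use
    body += b"\0" * ((-(16 + len(body))) % 4)
    # Descriptor CRC (bytes 8-9) is left zero in this constructed sample.
    tag = bytearray(struct.pack("<HHBBHHHI", TAG_FID, 2, 0, 0, 0, 0, len(body), 0))
    tag[4] = tag_checksum(tag)
    return bytes(tag) + body


def build_sample_directory() -> bytes:
    return (make_fid("", 200, FC_PARENT) + make_fid("docs", 300, FC_DIRECTORY)
            + make_fid("report.txt", 301, 0) + make_fid("old.log", 302, FC_DELETED))
```

A FID whose deleted bit is set still names its File Entry block, which is what makes recovery of recently removed files from UDF media possible; a tag with a wrong checksum is reported rather than decoded, since its length fields can no longer be trusted to find the next descriptor.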

FILE ENTRY

A file shall be described by a File Entry, which shall specify the attributes of the file and the location of the file's recorded data.

Byte Position    Field Name
56-64            Information Length
64-72            Logical Blocks Recorded
74-84            Access Date and Time
84-96            Modification Date and Time
96-108           Creation Date and Time
176-LAD          Location of the File/Dir

Installing CyberCheck 3.0


3.0 Installing CyberCheck

3.1 System Requirements

Hardware: Intel Pentium IV 2.2GHz; 512MB RAM minimum, 1GB recommended; 20GB HDD with minimum 10GB free space for CyberCheck operations.

Software: Windows 2000/XP

The minimum system requirements are sufficient to run CyberCheck for a normal image analysis. However, depending upon the size and content of the image to be analysed, more memory might be required. In such a case, messages like "Memory Allocation Error" might be displayed by the system and the analysis session might be terminated. You may continue the analysis in a new session, with or without adding system memory.

Deliverables of CyberCheck software are:

1. A CD containing the CyberCheck software in a folder \CyberCheck.

2. A Hardware Lock.

3. User Manual.

4. A 10/100 Base-T cable (crossover cable).

3.2 Installing CyberCheck

Installation of the CyberCheck software is similar to that of any other Windows application. To install the software, follow these steps:

1. Insert the CD containing the CyberCheck installation program into your CD-ROM drive.

2. Change directory to the \CyberCheck folder on the CD.

3. Click on the Setup.exe program available in this folder.


A window as shown in figure 3.2.1 given below will be displayed. This is the main window of the InstallShield Wizard for setting up the CyberCheck software.

Figure 3.2.1 – Main window of the InstallShield Wizard of CyberCheck.

4. Click Next button on the Wizard window. The window shown in figure 3.2.2 will be displayed.


Figure 3.2.2 – Specifying a folder path for installation

5. The user may specify an appropriate Destination Folder path in the field provided and continue with the installation as per the guidelines of the Wizard.

6. When CyberCheck is installed successfully, you may have to restart the system for the setup to be completed.

3.3 Installing Hardware Lock Driver

A hardware lock is also supplied to you along with the installation CD. This ensures the copy protection of the software. You have to install the driver of this hardware lock properly for the software to operate. Refer to the README.TXT file available on the CD for driver installation.

3.4 User Pre-requisites

CyberCheck is a tool for data recovery and analysis on a digital evidence file. The data recovery part assumes that the user is well conversant with the concepts of deleted files, folders, partitions, formatted partitions, different types of slack, unallocated clusters, lost clusters and swap files. The analysis part assumes that the user knows about different analysis methods and the areas where digital evidence might be available. The user is expected to have good knowledge of the different types of file systems used in different operating systems.

Getting Started


4.0 Getting Started

CyberCheck is software developed by the Centre for Development of Advanced Computing (C-DAC), Thiruvananthapuram, for recovering and analyzing the content of a storage medium. The input to this software should be an evidence file created using the TrueBack software, also developed by C-DAC, Thiruvananthapuram, or a raw image of a storage medium taken using other cyber forensics tools. CyberCheck also supports analysis of image files acquired using the EnCase cyber forensic tool.

CyberCheck provides facilities for loading the evidence file (a copy of the suspect’s storage media) created using TrueBack, and for viewing the data contained in different areas of the evidence file, such as the normal files, deleted files, picture files, slack areas, master boot record, file allocation tables, swap files, etc. A normal program may not be able to access most of these files and areas. It also helps an analyzing officer to create a report of the analysis s/he has performed on the evidence file.

CyberCheck has the facility to analyze evidence files having different file systems like FAT12/FAT16/FAT32, NTFS, EXT2FS and CDFS. Most of the features are common to all file systems and are described with reference to the FAT file system. Wherever a feature differs for another file system, the difference is explained at that point.

When CyberCheck is properly installed (refer Sec. 3.0 above), it will be available in the Programs sub-menu of the Start Menu. Since CyberCheck is a standard Windows program, it can be invoked either by selecting the Start|Programs|CyberCheck menu item or by double clicking CyberCheck.exe in the folder where it has been installed on the system. When CyberCheck is invoked, after displaying a splash screen, the main user interface as given in figure 4.0.1 below will be displayed.

Figure 4.0.1 – Main user interface of CyberCheck

The main user interface consists of different menu items like File, Preview, Tools, Language and Help and some icons in the tool bar. The File menu item consists of sub menu items, viz., New, Open and Exit. The New sub-menu item is used for opening a new analysis session and the Open sub-menu item is used for opening a previous analysis session saved into a file. The Exit sub-menu item is used for exiting from the application.

The Preview menu item is for previewing a storage media. This option would be very useful for doing a preliminary analysis of a storage media at the scene of crime before seizing or acquiring it. Previewing can be done either locally or through the network. When previewing is done locally, the user should take care not to write anything on the storage media being previewed. Local preview means analysing a storage media connected to the analysis machine. This can be done only after write protecting the storage media to be analyzed using some kind of drive lock. It is the responsibility of the user to make sure that the storage media to be analyzed is properly write protected. Refer the Preview section for more details.

The Tools menu item consists of the sub-menu items Seize & Acquire, Hasher and Create Boot Disk. Seize & Acquire is a link to the Windows version of TrueBack, the disk imaging tool. This version of TrueBack does not support write protection of the storage media whose image is to be taken using the tool. Please note that it is the responsibility of the user to make sure that the storage media to be imaged is properly write protected using some kind of drive lock. Refer the Windows version of TrueBack section for more details. Hasher is a utility for data integrity checking of a file. Refer the Hasher manual for more details. Create Boot Disk is a utility for creating a TrueBack boot disk from CyberCheck. Refer the Creating Boot Disk section for more details.

The Language menu item is for selecting a language. This version of CyberCheck supports English, Hindi and Tamil. The default language is English. When another language is selected, the descriptions of all buttons, menu items, labels and other instructions in the various controls of the application will be displayed in the selected language. Refer the Indian Language section for more details.

The Help menu item provides the help facility for the CyberCheck software. This is just like any other Windows application and consists of the sub-menu items About CyberCheck, Contents and Using Help. The following sections explain the working of the CyberCheck tool in detail.

4.1 Login Procedures

CyberCheck allows only registered users to start an analysis session. It provides login facility for registering users. User can enter into the Login window in two ways.

1. Select File|New from the menu as shown in figure 4.1.1 given below.

2. Select the New icon from the tool bar.

This is for creating a new Probe. Creating a new probe starts a new analysis session. Here, probe is used to denote the process of analysis. The analyzing officer should be a registered user to use CyberCheck. We will be discussing the different features of CyberCheck one by one; logging into the CyberCheck tool is a pre-requisite for starting any analysis using CyberCheck.

Figure 4.1.1 - Selecting New option from File menu for starting an Analysis Session

When the user selects New menu item, the following window as given in figure 4.1.2 will be displayed for collecting Login details. An authorized user should give his/her User Name and Password. S/he should also give a Lab Reference Number. Once the Login details have been given, the user will have to specify the image file to be analyzed. This can be either the Raw image of the storage media to be analyzed or the image of the storage media taken using either TrueBack or the third party tool Encase.

Figure 4.1.2 - Window for collecting Login details

The above window shows the details to be entered by the user for logging into the system. Assuming the user is a registered user, s/he has to enter the registered name (as Investigator Name), Password, Lab Reference No. and Evidence File Name. The Lab Reference No. can be a number associated with a case. The Evidence File Name is the name of the file in which the storage media to be analyzed is acquired. The user may select the evidence file using the Open button, which opens a file open window as given in figure 4.3.2 below. After filling in the different fields appropriately, the user may press the OK button to continue with the analysis, or press the Cancel button to go back to the main user interface. If any field is not filled, an appropriate warning message will be displayed, and the user will be allowed to fill it in again.

4.2 Login Procedure for New Users

If the analyzing officer is a new user of CyberCheck, then s/he will have to create a ‘New Account’ by clicking the New User button from the Login window displayed in figure 4.1.2 above. Then a window as shown in figure 4.2.1 below will be displayed and the user will be asked for entering the Administrative password. Only a person knowing the Administrative password can create a new account. The default Administrative Password is cyber, which may be changed by the Administrator after loading an evidence file. Refer Change Password section for more details.

Figure 4.2.1 - Window for entering Administrative password.

After entering the Administrative password, User may press OK button for continuing with the creation of new user, or press Cancel button to cancel the creation of new user. When OK button is pressed, a window as shown in figure 4.2.2 given below will be displayed. Then create a new account by giving the user name and a password. User will be asked to reconfirm the password.

Figure 4.2.2 - Window for creating a new User Account

When all the fields shown above are filled appropriately, click the OK button. Then a message box indicating that a new user has been successfully created will appear. Now the User can Login using the account that s/he has created.

If the user wants to continue with an earlier analysis process that was saved into a probe file (refer the section Saving a Probe), then select the File|Open menu item as shown in figure 4.2.3 given below.

Figure 4.2.3 - Window for opening an existing probe file

Again user has to login as a registered user by specifying the Investigator Name and Password. Click the Browse button and specify the location of probe file as shown in the figure 4.2.4 given below.

Figure 4.2.4 - Window for specifying the .prb file

After specifying the location of the probe file (.prb), click the OK button to continue. When an existing probe file is selected, CyberCheck will automatically load the corresponding evidence file(s) previously used in the analysis session. If it cannot locate any of the evidence file(s) in their previous path, CyberCheck will display an appropriate warning message and allow the user to browse and select the appropriate evidence file(s) from the analysis system. If there is any mismatch between the probe file and the evidence file(s), appropriate messages will be displayed and appropriate action will be taken (in some cases CyberCheck allows the user to browse and select the proper evidence file(s); in other cases CyberCheck will be terminated).

4.3 Loading an Evidence File

An analysis session is started after loading an evidence file into the CyberCheck environment. CyberCheck is capable of analysing more than one evidence file (corresponding to different storage media related to a case) at a time. After loading the initial evidence file, other evidence files can be loaded separately from the CyberCheck environment. Refer the Add Evidence section for details.

For loading the initial evidence file, location of the image file is specified in Login window itself as shown in figure 4.3.1 given below.

Figure 4.3.1 - Window for specifying location of Evidence File

Click the Browse button for specifying the Evidence File Name. Then a File Open dialog box will be displayed for browsing and selecting the desired image file as given in figure 4.3.2 below.

Figure 4.3.2 – File open window for locating Evidence File

The above figure shows the dialog box for specifying the location of the image (.P01) file or the location of a raw image file created using other cyber forensic tools. The evidence file created by the TrueBack disk imaging tool will have the extensions .P01, .P02, and so on, depending upon the number of files that make up the evidence (e.g. if the storage media of the suspect is 20GB in size, then 10 files of approximately 2GB each with file extensions .P01, .P02, .P03 … and so on will constitute the evidence). The user needs to specify only the first file, with extension .P01; CyberCheck will automatically load all other files, if any, which are part of the evidence. If the evidence consists of more than one file, it is better to have all files available in the same folder, which will enable fast loading of the evidence. If any one of the files is not available in the specified path, CyberCheck will display an appropriate warning message and allow the user to browse and select the missing file from another path. It is the user’s responsibility to select the appropriate files of the evidence being loaded. The user is not supposed to change the names of evidence files. If the name of any of the files is changed, CyberCheck will not load the image properly and the working of CyberCheck will be unpredictable. After selecting the first evidence file (.P01) to be analyzed from the desired path, press the Open button to complete the selection. When the Open button is pressed, a window as shown in figure 4.3.3 given below will be displayed.

Figure 4.3.3 - Login window after selecting an Evidence file

On clicking the OK button, User will be asked to specify the location of Export Folder. This is the location, where all swap files, Lost Clusters, Used Free Clusters, Files of raw images if created from CyberCheck, etc. will be saved. If you want to load a raw image file or an evidence file created by Encase, select All Files (*.*) from the File Open dialog box as given in figure 4.3.2 above. A raw image file will be having extension .000, .001, .002 and so on. An Encase image file will be having extension .E01, .E02, .E03, and so on. Choose the desired evidence file based on these extensions. Similar to TrueBack evidence file, you have to select only the first split file (.000 or .E01) and other split files will be loaded by CyberCheck automatically. For example, for loading an Encase image file with two split files as shown in figure 4.3.4 given below, you may select the .E01 file from the path as shown.

Figure 4.3.4 – File open window for loading an Encase evidence file

After selecting the desired evidence file, press Open button. A window with different media type will be displayed as shown in figure 4.3.5 given below. User is supposed to know the type of the media for which the image has been taken.

Figure 4.3.5 – Window for specifying the type of media

After selecting an appropriate media type, Press OK button to continue with analysis session.

4.4 Setting other Options

4.4.1 Setting the Export Folder Path

Once the User has specified the location of image file as explained above, s/he will be asked to specify the location of Export Folder Path. A window as shown in figure 4.4.1.1 given below will be displayed for specifying an appropriate path.

Figure 4.4.1.1 - Window for specifying the Export Folder Path

The user is supposed to select a fixed drive path for specifying the export folder path. If s/he selects a path other than a fixed drive path, an appropriate warning message will be displayed and the user will be allowed to select a fixed drive path again. The export folder path should be in a drive that has enough free disk space for exporting different items while the analysis is in progress. 10 GB of free disk space is desirable in the selected drive. It is the user’s responsibility to make sure that enough free disk space is available in the selected drive. If enough free space is not available in the selected disk, a warning message as given in figure 4.4.1.2 below will be displayed.

Figure 4.4.1.2 – Message displaying inadequate disk space in the selected export folder path

CyberCheck allows the user to specify an alternate destination if s/he desires or allows her/him to continue with the analysis if the selected destination has more than 2GB free space. If the free space available is less than 2GB, CyberCheck displays a warning message as shown in figure 4.4.1.3 forcing the user to select a different destination path.

Figure 4.4.1.3 – Message for specifying a different destination path.

User may press OK button when the appropriate export folder path is selected, or Cancel button to go to the main user interface. When the User Presses OK button, a window as given in figure 4.4.2.1 below will be displayed.

4.4.2 Setting Different Options

CyberCheck provides a facility for automatically saving the findings of an analysis session into a probe file for later use. By default, CyberCheck saves the operations every 10 minutes if the probe file name is available. Otherwise, it will display a Save As Window for specifying a probe name. Refer section Saving Probe for more details.

Figure 4.4.2.1 - Window for setting other options.

The window shown above consists of Auto Save Settings, Options for setting Enable Hash Verification, Extract Used Free Clusters and facility for setting Default Export Folder and Temporary Export Folder.

The default time period for saving the probe file automatically is set as 10 minutes. This can be changed using the combo box given in the above dialog box. If the time has been set as 0, auto saving functionality will be disabled. Auto Save functionality can also be enabled/disabled using the menu item Options|AutoSave.

The user can specify the two options Enable Hash Verification and Extract Used Free Clusters. If the Enable Hash Verification option is set, CyberCheck computes the hash value of each block of the image while loading the image for analysis. It also computes the whole-image hash and compares it with the acquire-time hash value of the image. It displays the result in a message box stating whether the comparison was successful and whether there was any mismatch in the block hash computation.

Similarly, if the Extract Used Free Clusters option is set, CyberCheck would extract used free clusters while loading the image.

The Default Export Folder path will contain the path selected by the user from the window displayed in figure 4.4.1.1 above. This is the path, where exported items like Lost Clusters, Used Free Clusters, Swap Files, Slack Data and Folder Structure will be residing, if any one of the items is exported during an analysis session. The Temporary Export Folder path is meant for writing temporary files that may be created by CyberCheck while analysis is in progress. CyberCheck will delete these temporary files while exiting. User may change these paths by clicking on the Browse button provided in the above figure.

When all the options are set, User may continue with the analysis by pressing the OK button. If s/he wants to terminate the analysis session, press Cancel button. In this case, the control goes back to the main user interface. When OK button is pressed, the selected evidence file will be loaded. The following window as shown in figure 4.4.2.2 given below will be displayed with a progress bar indicating the status of verifying the evidence file as the user has already selected Enable Hash Verification; otherwise it would have shown the status of loading the evidence file.

Figure 4.4.2.2 – Window displaying verification of an evidence file

While loading the evidence file, CyberCheck analyses the evidence for the different file systems and partitions available in the evidence file. If the user has set the hash verification option as shown in figure 4.4.2.1 above, CyberCheck computes, while loading the evidence, the hash value of each block of the evidence as taken during acquisition. When the verification is over, a message box will be displayed as shown in figure 4.4.2.3 below containing the details of the hash verification. In case of any mismatch in a block hash, it will be highlighted in the report. The message “Hash Success” indicates that the acquire hash value and the verification hash value of the evidence file are the same and hence the hash verification succeeded.
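The split-file naming of section 4.3 and the block/whole-image hash verification described above, as an added Python example that is not CyberCheck's or TrueBack's code. It assumes raw split images (.000, .001, ...), a hypothetical acquire-time record holding the per-block and whole-image hashes, and SHA-256 as the hash algorithm; the manual specifies none of these.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed (the manual names neither): hash algorithm used for block and whole-image hashes.
HASH_ALGO = "sha256"


def _digest(data: bytes) -> str:
    return hashlib.new(HASH_ALGO, data).hexdigest()


def acquire_raw_split(media: bytes, out_dir: Path, base: str,
                      segment_size: int, block_size: int) -> dict:
    """Stand-in for acquisition: write `media` as raw split files base.000, base.001, ...
    and return the (hypothetical) acquire-time record that verification compares against."""
    segments = [media[i:i + segment_size] for i in range(0, len(media), segment_size)] or [b""]
    for idx, chunk in enumerate(segments):
        (out_dir / f"{base}.{idx:03d}").write_bytes(chunk)
    return {
        "first_segment": str(out_dir / f"{base}.000"),
        "segment_count": len(segments),
        "block_size": block_size,
        "block_hashes": [_digest(media[i:i + block_size])
                         for i in range(0, len(media), block_size)],
        "image_hash": _digest(media),
    }


def locate_segments(first_segment: str, segment_count: int):
    """The user names only the first split file; the rest follow from the numbered extension.
    Returns (present, missing) so a missing segment is reported rather than silently skipped."""
    first = Path(first_segment)
    ext = first.suffix
    if not (ext.startswith(".") and ext[1:].isdigit()):
        raise ValueError("expected a numbered split extension such as .000")
    width, start = len(ext) - 1, int(ext[1:])
    present, missing = [], []
    for n in range(start, start + segment_count):
        candidate = first.with_suffix(f".{n:0{width}d}")
        (present if candidate.exists() else missing).append(candidate)
    return present, missing


def iter_blocks(segments, block_size: int):
    """Yield fixed-size blocks of the logical image. A block may straddle two segment files,
    so the segments are treated as one continuous byte stream."""
    buf = b""
    for seg in segments:
        with open(seg, "rb") as fh:
            for chunk in iter(lambda: fh.read(block_size), b""):
                buf += chunk
                while len(buf) >= block_size:
                    yield buf[:block_size]
                    buf = buf[block_size:]
    if buf:
        yield buf


def verify_image(record: dict) -> dict:
    """Recompute every block hash and the whole-image hash and compare them with the
    acquire-time record; the indices of mismatching blocks are reported."""
    present, missing = locate_segments(record["first_segment"], record["segment_count"])
    if missing:
        return {"status": "missing_segments", "missing": [p.name for p in missing]}
    whole = hashlib.new(HASH_ALGO)
    mismatched, count = [], 0
    for idx, block in enumerate(iter_blocks(present, record["block_size"])):
        whole.update(block)
        count += 1
        if idx >= len(record["block_hashes"]) or _digest(block) != record["block_hashes"][idx]:
            mismatched.append(idx)
    mismatched.extend(range(count, len(record["block_hashes"])))  # recorded blocks now absent
    image_hash = whole.hexdigest()
    ok = image_hash == record["image_hash"] and not mismatched
    return {"status": "Hash Success" if ok else "Hash Mismatch",
            "image_hash": image_hash, "mismatched_blocks": mismatched}


def run_demo() -> dict:
    """Constructed media: acquire and verify; flip one byte in the second segment and verify
    again; delete the last segment and verify a third time."""
    out = Path(tempfile.mkdtemp())
    media = bytes(range(256)) * 40                       # 10240 bytes of constructed data
    record = acquire_raw_split(media, out, "evidence", segment_size=4096, block_size=1024)
    clean = verify_image(record)
    seg1 = out / "evidence.001"
    tampered = bytearray(seg1.read_bytes())
    tampered[100] ^= 0xFF                                # image offset 4196 -> block index 4
    seg1.write_bytes(bytes(tampered))
    altered = verify_image(record)
    (out / "evidence.002").unlink()
    incomplete = verify_image(record)
    return {"clean": clean, "altered": altered, "incomplete": incomplete}
```

The per-block hashes are what make the report useful: a whole-image mismatch alone says only that something changed, while the block index says where.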

Figure 4.4.2.3 – Message box displaying result of hash verification

When the verification is over, the specified image file will be analyzed for creating folder structures as shown in figure 4.4.2.4 given below.

Figure 4.4.2.4 – Progress bar displaying loading of image file

When the folder structure creation is over, CyberCheck displays this information in the left pane of the main user interface in an explorer-like view, as given in figure 4.4.2.5 below. One thing to remember here is that even though the images of all storage media have a .P01 extension, the analysis procedures may vary slightly depending upon the file system (for file system information, please refer chapter 2, which explains the different file systems in detail). For example, the NTFS file system has a different storage methodology. If the image that we are analyzing has an NTFS file system and the file that we are analyzing is a deleted file (not overwritten), then in the Text view the entire file content will be displayed in black colour, unlike in other file systems. In other file systems, the Text view of deleted files will be in red colour. There is also a slight difference in the Disk view of the NTFS file system. We will be discussing the significant differences in the respective topics.

Figure 4.4.2.5 – Window displaying the explorer like view of evidence file

If the user has set the Extract Used Free Clusters option, CyberCheck extracts the content of used free clusters available in different partitions of the evidence file.

4.5 Analysis Window

When loading of the evidence file is started, the menu bar is changed to provide a number of additional items that make the analysis process more user-friendly. Figure 4.5.1 given below shows the new user interface with the modified menu bar. This particular window is named the analysis window.

Figure 4.5.1 - Analysis Window

Different menu items available in the modified menu bar are: File, Edit, View, Filters, Evidence, Options, Keyword, Bookmark, Search, Export, Extract, Report, Timeline, Recovery, Tools, Language and Help.

Sub-menu items of File menu are: Save, Save As, Print Report and Exit.

Sub-menu items of Edit menu are: Copy and Copy Hash Value. The Copy and Copy Hash Value sub-menu items are disabled initially and become enabled whenever some item is available for copying to the clipboard.

Sub-menu items of View menu are: Toolbar, Status Bar, Cluster Chain, Block View, Mailbox Viewer, Registry Viewer, Internet History Viewer, Export Path and Storage Media Details. The Cluster Chain menu item will be disabled initially.

Sub-menu items of Filters are: Temporary Files, Deleted Files, Deleted and not Overwritten Files, Normal Files and Temporary Internet Files & Cookies.

Sub-menu item of Evidence menu is: Add Evidence.

Sub-menu items of Options menu are: Change Password, Hash Files, Check Encrypted Files, Check File Signature, Auto Save, Create Raw Image, Restore disk from Image, Verify Image Hash, Show/Hide System Files, File Signature Customization and Settings. The Show/Hide System Files sub-menu item will be disabled initially.

Sub-menu items of Keyword menu are: Add Keyword, Send to Recycle Bin, Delete Keyword, Restore Keyword and Empty Recycle Bin. All the sub-menu items are disabled initially.

Sub-menu items of Bookmark menu are: Bookmark File, Bookmark Folder, Bookmark Selected data, Send to Recycle Bin, Restore Item, Delete Item and Empty Recycle Bin. All the sub-menu items are disabled initially.

Sub-menu items of Search menu are: Keyword Search, File Search, Send to Recycle Bin, Restore Session, Delete Session and Empty Recycle Bin.

Sub-menu items of Export menu are: File/Folder, Lost Clusters, Used Free Clusters, Swap Files, Slack Data and Folder Structure.

Sub-menu item of Extract menu is: Used Free Clusters.

Sub-menu items of Report menu are: Append Folder/File, Append Selected Data, Append Folder Structure and Delete from Report. All the sub-menu items are disabled initially.

Sub-menu items of Timeline menu are: Zoom Out, Show Grid, Hide Grid, Options, and Show Files. These sub-menu items will be disabled initially.

Sub-menu items of Recovery menu are: Partition Recovery and Format Recovery.

Sub-menu items of Tools menu are: Seize & Acquire, Hasher and Create Boot Disk.

Sub-menu items of Language are: English, Hindi and Tamil.

Sub-menu items of Help menu are: About CyberCheck …, Contents and Using Help.

The analysis window has 3 different views: the Left Pane, Right Pane and Bottom Pane. The Left Pane is the view that appears at the left side of the CyberCheck Analysis window, the Right Pane is the view that appears at the right side and the Bottom Pane is the one that appears at the bottom. The user can re-size each pane by dragging the frame of each pane to the desired location. This is illustrated for the bottom pane by increasing its size as shown in figure 4.5.2 given below. Also, the user can expand each pane to its full size, either vertically or horizontally as the case may be, by clicking on the small buttons provided in each pane for this purpose, as shown in the figure below.

Figure 4.5.2 - Analysis Window with different Panes, resizing the Bottom Pane

Left Pane contains four tab views, viz., Probe View, Keywords View, Bookmarks View and Search View. These tabs can be properly viewed either by resizing the left pane by dragging the pane frame or by clicking the small buttons given adjacent to the tab items.

Right Pane contains 5 tab views, viz., Table View, Gallery View, Timeline View, Summary View and Report View.

Bottom Pane contains 7 tab views, viz., Text view, Picture view, Hex view, Disk view, Cluster view, Summary View and Cyber Script View. Using these views, an analyzing officer can view each and every byte of an evidence file and look for any evidence related to a case. Bottom Pane also contains a Lock check box to retain the view as the selected view during the analysis.

The left pane contains more details of the evidence file loaded. Right pane contains more details of the item selected from the left pane. The bottom pane shows further details of an item selected from the right pane.

4.5.1 Menu Bar

This section explains more about the different items available in the menu bar.

4.5.1.1 File

In the File menu item, there are 5 sub-menu items.

4.5.1.1.1 Save

During an analysis session, the analyzing officer may collect different digital evidences from the evidence file(s) which he will be analyzing. There are different facilities in CyberCheck to search for various keywords, bookmark a relevant item available in the evidence file(s), generate a report containing details of different partitions available in the evidence file(s), login information of the analysis session, etc. CyberCheck provides a facility for saving the content of the report, bookmarked items and search hits in a file for later use. This facility can be invoked by selecting the File|Save or File|Save As menu item from the main user interface as shown in figure 4.5.1.1.1.1 given below. If the user tries to save the items for the first time, both the Save and Save As… options will behave similarly. In this case, the Save As… window as shown in figure 4.5.1.1.1.2 given below will be displayed for specifying a filename to save the data.

Figure 4.5.1.1.1.1 - Selecting Save or Save As option from main menu

Figure 4.5.1.1.1.2 - Display of Save As window for specifying a file name

CyberCheck will supply a default file name – Untitled.prb as shown in the above figure. User can change the base file name as s/he wishes, but the extension of the file should be .prb. User may also select a path in which this file has to be created. After entering an appropriate file name, user may click the Save button to continue with the saving process. If the given file name already exists in the specified path, a warning message will be displayed asking whether you want to overwrite the existing file or not. You may either change the file name or overwrite the file or select another path.

Functionalities of Save and Save As… options are same as that of standard Windows applications. Save As… option will always ask for a file name to save the data. But, Save will ask for the file name only for the first time. CyberCheck provides a facility for saving the details automatically into the filename specified by the user. Time interval for automatically saving the details can be set with the Auto Save option in the Settings dialog box, before loading the evidence file. This will save the data at regular intervals as specified by the User.

The first item in the toolbar also has the same functionality.

4.5.1.1.2 Save As…

Refer the Save section given above.

4.5.1.1.3 Print Report

CyberCheck provides a facility for printing the analysis report. User should take care to connect a printer with the analysis machine and appropriate driver of the printer should be installed in the system. The Print facility can be invoked by selecting the File|Print Report menu item from the main user interface as shown in the figure 4.5.1.1.3.1 given below.

Figure 4.5.1.1.3.1 - Selecting Print Report option

When this menu item is selected, if the printer is connected to the system properly, appropriate Print dialog box of the printer will be displayed. As an example, the following figure 4.5.1.1.3.2 given below shows the dialog box presented by the Canon S6300 printer.

Figure 4.5.1.1.3.2 - Dialog box returned by the printer driver

The user may change the settings appropriately and click the OK button to continue with printing. If the printer is not switched on or there is any other problem with the printer, an appropriate error message will be displayed. If no error is displayed, printing will be completed. The third item in the toolbar also has the same functionality.

4.5.1.1.4 Exit

Selecting Exit from the File menu, as shown in figure 4.5.1.1.4.1 below, exits CyberCheck. The user may also exit from CyberCheck by clicking the close button given in the top right corner of the main window.

Figure 4.5.1.1.4.1 - Selecting Exit item from File Menu.

4.5.1.2 Edit

Different sub-menu items available in Edit menu are explained below.

4.5.1.2.1 Copy

CyberCheck provides a facility for copying files, selected data, etc. Copying can be invoked by selecting Edit|Copy as shown in figure 4.5.1.2.1.1 given below.

Figure 4.5.1.2.1.1 - Selecting Copy item from Edit Menu.

From the Text view, select (block) the data to be copied and either select Edit|Copy or right click and select Copy from the context menu to copy the selected item to the clipboard. The copied item can be pasted wherever the user desires. The second item in the toolbar also has the same functionality.

4.5.1.2.2 Copy Hash Value

Hash values must be computed before they can be copied. The Hash Files facility is invoked by selecting Options|Hash Files from the main user interface, as shown in figure 4.5.1.2.2.1 below (the facility is described in full in section 4.5.1.6.2).

Figure 4.5.1.2.2.1 - Selecting Hash Files facility.


When this menu item is clicked, the dialog shown in figure 4.5.1.2.2.2 below is displayed for selecting the extent of hashing.

Figure 4.5.1.2.2.2 - Specifying the extent of Hashing.

Hashing can cover either all files in the evidence file or only the selected files; choose with the radio buttons in the dialog. To limit hashing to selected files, select the desired files or folders before invoking the facility. Click OK to start. A progress bar in the status bar indicates progress; to cancel, right-click the status bar and click the Cancel button that appears. When hashing completes, the hash value of each file is added as a file attribute and can be seen at the end of the attribute columns in the Table view, as shown in figure 4.5.1.2.2.3 below.


Figure 4.5.1.2.2.3 - Display of the hash values of selected files.

Once hash values are available, the file search facility can locate every file with a given hash value. First copy the hash value of the file of interest from the Table view: right-click the file with the desired hash value, and the context menu in figure 4.5.1.2.2.4 below is displayed.

Figure 4.5.1.2.2.4 - Context menu for copying hash value.

Select Copy Hash Value from the context menu, or Edit|Copy Hash Value from the menu bar as shown in figure 4.5.1.2.2.5. The hash value is copied to the clipboard and can be pasted into the File search facility.


Figure 4.5.1.2.2.5 - Selecting Copy Hash Value item from Edit Menu.

4.5.1.3 View

The View menu consists of a number of sub-menu items, explained below.

4.5.1.3.1 Tool Bar

The toolbar, just below the menu bar, holds icons for copying, pasting, searching, etc. By default it is displayed in the main user interface.

The toolbar is toggled with View|Toolbar: when the item is checked the toolbar is shown; when unchecked it is removed from the main user interface, as shown in figure 4.5.1.3.1.1 below.

Figure 4.5.1.3.1.1 - Main User Interface without Toolbar.


The toolbar is re-enabled by checking View|Toolbar, as shown in figure 4.5.1.3.1.2 below.

Figure 4.5.1.3.1.2 - Enabling Toolbar from the View menu.

When the item is checked, the toolbar is shown as in figure 4.5.1.3.1.3 below.

Figure 4.5.1.3.1.3 - Display of Toolbar in the Main User Interface.

4.5.1.3.2 Status Bar

The status bar, at the bottom of the window, shows a short description of the menu item currently highlighted. For File|Save, for example, it displays “Save the active document”, as shown in figure 4.5.1.3.2.1 below.


Figure 4.5.1.3.2.1 - Display of Status of the item selected in status bar

Figures 4.5.1.3.2.2 and 4.5.1.3.2.3 below show how to disable and enable the status bar in the main user interface.

Figure 4.5.1.3.2.2 - Disabling Status bar.


Figure 4.5.1.3.2.3 - Enabling Status bar.

4.5.1.3.3 Cluster Chain

CyberCheck can display the cluster chain of a file selected in the Table view. Select View|Cluster Chain from the main user interface, as shown in figure 4.5.1.3.3.1 below; the item is enabled only when a file is selected in the Table view. Alternatively, right-click the selected file in the Table view and choose View Cluster Chain from the context menu.

Figure 4.5.1.3.3.1 - Selecting Cluster Chain view option at main menu

A list box as shown in figure 4.5.1.3.3.2 below is then displayed.


Figure 4.5.1.3.3.2 - Display of Cluster Chain of selected file

The list shows every cluster number allocated to the selected file, in chain order. In the example the cluster numbers are consecutive, so the file is not fragmented; a fragmented file would show scattered, non-consecutive cluster numbers. Click OK to close the cluster chain display.
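The following is an added example, not code from CyberCheck or the manual, of what a cluster chain display is built from: walking a FAT allocation table from a file's starting cluster to the end-of-chain marker and judging contiguity. It assumes a FAT16 table (end-of-chain values 0xFFF8 and above, 0 for free, 0xFFF7 for bad) and a small constructed table containing one contiguous file, one fragmented file and one corrupt chain.

```python
"""Walk a FAT cluster chain and report whether the file is fragmented.

Added example, not code from the CyberCheck manual. The FAT table below is
constructed: entry i holds the next cluster after cluster i, or an
end-of-chain marker (>= 0xFFF8 for FAT16); 0 means the cluster is free.
"""

FAT16_EOC = 0xFFF8      # any value >= this terminates a FAT16 chain
FAT16_BAD = 0xFFF7      # cluster marked bad by the file system

# Constructed FAT16 table for a tiny volume (assumption: 16 clusters).
# Clusters 0 and 1 are reserved; data clusters start at 2.
SAMPLE_FAT = [
    0xFFF8, 0xFFFF,             # 0, 1  reserved entries
    3, 4, 5, 0xFFFF,            # 2->3->4->5->EOC     contiguous file A
    0, 0,                       # 6, 7  free
    12, 0, 0, 0xFFFF,           # 8->12; 9, 10 free; 11 is an EOC
    11,                         # 12->11              fragmented file B: 8, 12, 11
    14, 13, 0,                  # 13->14->13 loop     corrupt chain C; 15 free
]

def walk_chain(fat, start):
    """Follow FAT entries from `start` and return the ordered cluster list.

    Raises ValueError on a loop, a pointer outside the table, or a chain
    that runs into a free or bad cluster: the signs of a damaged FAT.
    """
    chain, seen = [], set()
    cur = start
    while True:
        if cur < 2 or cur >= len(fat):
            raise ValueError(f"cluster {cur} out of range")
        if cur in seen:
            raise ValueError(f"loop detected at cluster {cur}")
        seen.add(cur)
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= FAT16_EOC:
            return chain
        if nxt == 0 or nxt == FAT16_BAD:
            raise ValueError(f"chain from {start} runs into free/bad cluster {nxt}")
        cur = nxt

def is_fragmented(chain):
    """A file is contiguous iff each cluster number is the previous one plus 1."""
    return any(b != a + 1 for a, b in zip(chain, chain[1:]))
```

With the constructed table, the chain from cluster 2 is contiguous, the chain from cluster 8 is fragmented (8, 12, 11), and the chain from cluster 13 loops and is rejected rather than walked forever.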

4.5.1.3.4 Block View

The Block view is a block-by-block representation of the entire evidence file, as shown in figure 4.5.1.3.4.1 below; it is invoked with View|Block View from the main user interface. Blocks are drawn in three colors:

Blue - Used blocks
White - Unused blocks
Red - Mismatch blocks (block hash does not match the hash recorded at acquisition)

The Block view also reports the total number of blocks, the sectors per block, the sector count of the last block, the numbers of used and unused blocks, and the number of blocks with a hash mismatch. Selecting a block displays its block number, the sectors it spans, and its seize hash, source hash, image hash and analysis hash. The figure below shows these details for the first block.

Note: CyberCheck displays the Block view only for evidence acquired with the TrueBack disk imaging tool. TrueBack divides the contents of the storage media into groups of sectors, treats each group as a block, hashes each block and stores the hash values at the end of the last image file. The Block view is available only when this information is present.

Figure 4.5.1.3.4.1 - Block View of an Evidence file.

How the Block view helps in analysis: TrueBack computes a hash of each block of the source media, and the Block view shows those hashes as explained above. Suppose a search has turned up evidence and it has been bookmarked. How can we show that the data has not been altered since acquisition? Open the Bookmark view and, in the bottom pane, select Disk View to find the sectors occupied by the file. In the Block view, locate the block containing those sectors and check whether it is flagged as a hash mismatch. A mismatch means the block's current contents no longer match the hash recorded at seizure, so the integrity of that portion of the image cannot be demonstrated and the finding cannot be substantiated before a court of law. If there is no mismatch, the finding rests on a block whose integrity is verified and it can be added to the report.
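The block-level check described above, as an added example that is not TrueBack or CyberCheck code: hash an image in fixed groups of sectors at acquisition, re-hash it later, list the blocks whose hashes no longer agree, and map a bookmarked sector to its block. TrueBack's actual block size, algorithm and hash-table layout are not reproduced; the example assumes 512-byte sectors, 8 sectors per block and MD5 (the algorithm the manual names for file hashing), and the image bytes are constructed.

```python
"""Block-wise integrity check of a disk image, in the spirit of the
TrueBack/CyberCheck Block View.

Added example, not code from either tool. Assumptions: 512-byte sectors,
8 sectors per block, MD5 per block; the image below is constructed.
"""
import hashlib

SECTOR = 512
SECTORS_PER_BLOCK = 8
BLOCK = SECTOR * SECTORS_PER_BLOCK

def block_hashes(image, algo="md5"):
    """Hash every block; a short final block is hashed as-is (the 'last
    block sector' count in Block View exists for exactly this case)."""
    return [hashlib.new(algo, image[i:i + BLOCK]).hexdigest()
            for i in range(0, len(image), BLOCK)]

def mismatched_blocks(image, acquisition_hashes, algo="md5"):
    """Block numbers whose current hash differs from the one recorded at
    acquisition (the 'red' blocks). A change in image length makes every
    block beyond the shorter list a mismatch as well."""
    now = block_hashes(image, algo)
    n = max(len(now), len(acquisition_hashes))
    return [b for b in range(n)
            if b >= len(now) or b >= len(acquisition_hashes)
            or now[b] != acquisition_hashes[b]]

def block_of_sector(sector):
    """Map an absolute sector (as shown in Bookmark/Disk view) to its block."""
    return sector // SECTORS_PER_BLOCK

def sectors_of_block(block, total_sectors):
    """First and last sector covered by a block, clipped to the media size."""
    first = block * SECTORS_PER_BLOCK
    return first, min(first + SECTORS_PER_BLOCK, total_sectors) - 1

# Constructed image: 20 sectors -> 3 blocks (8, 8 and 4 sectors).
SOURCE_IMAGE = bytes((i * 7) & 0xFF for i in range(20 * SECTOR))
SEIZE_HASHES = block_hashes(SOURCE_IMAGE)          # recorded at acquisition

# Simulate post-acquisition tampering: flip one bit in sector 13 (block 1).
_tampered = bytearray(SOURCE_IMAGE)
_tampered[13 * SECTOR + 100] ^= 0x01
TAMPERED_IMAGE = bytes(_tampered)

def demo():
    """Which blocks can no longer be substantiated, and is the block holding
    a bookmarked sector among them?"""
    bad = mismatched_blocks(TAMPERED_IMAGE, SEIZE_HASHES)
    return {
        "mismatched_blocks": bad,
        "sector_13_block": block_of_sector(13),
        "sector_13_tainted": block_of_sector(13) in bad,
        "sector_3_tainted": block_of_sector(3) in bad,
        "last_block_sectors": sectors_of_block(2, 20),
    }
```

A single flipped bit in sector 13 marks block 1 as a mismatch while block 0 (sectors 0 to 7) still verifies, which is the per-block granularity that lets a finding in an untouched block be reported even when another part of the image has been damaged.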

4.5.1.3.5 Mailbox Viewer


CyberCheck can analyze the mailbox files found in an evidence file. Supported formats are identified by extension: dbx (Outlook Express), pst (Microsoft Outlook), mbx (Eudora) and mbox (Mozilla). The Mailbox Viewer is invoked with View|Mailbox Viewer from the main user interface, as shown in figure 4.5.1.3.5.1 below.

Figure 4.5.1.3.5.1 - Selecting Mailbox Viewer.

When the Mailbox Viewer is invoked, a progress bar as shown in figure 4.5.1.3.5.2 indicates the export of any mailbox files found in the evidence file.

Figure 4.5.1.3.5.2 - Status of exporting Mailbox files

If no mailbox file is found in the evidence file, the message shown in figure 4.5.1.3.5.3 below is displayed.


Figure 4.5.1.3.5.3 - Display of message for non-availability of mailbox files.

When the export is complete, the main user interface of the Mailbox Viewer is displayed as in figure 4.5.1.3.5.4 below.

Figure 4.5.1.3.5.4 - Main user interface of Mailbox Viewer.

The top pane lists the mailbox files found, with their full paths in the image file. Selecting a mailbox file loads it and lists its folders, if any, in the upper part of the left pane, as illustrated in figure 4.5.1.3.5.5 below.


Figure 4.5.1.3.5.5 - Available folder of the mailbox file selected.

Selecting a folder in the left pane lists its mails, if any, in the middle pane; the first mail is shown in the bottom pane by default, as in figure 4.5.1.3.5.6 below.

Figure 4.5.1.3.5.6 - Available mails in the selected folder.

The Mailbox Viewer resembles Outlook Express: folders in the left pane, sender and subject headers in the middle pane, and the content of the clicked mail in the bottom pane. It also offers a keyword search across all exported mailbox files: type the keyword in the search field and click Go. Messages containing the keyword are listed in the bottom left pane; stepping through the hits shows the corresponding mail in the right pane with the matching keywords highlighted. Searching the full content of every mail takes time, so the result may appear only after a delay, but it is a valuable feature for forensic analysis. Figure 4.5.1.3.5.7 below shows the result of a keyword search in mailbox files.

Figure 4.5.1.3.5.7 - Result of a keyword search in mailbox files.

Matching keywords are highlighted in blue.
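An added example of the keyword search just described, written against the mbox format (one of the four the viewer supports) and not taken from CyberCheck. It uses Python's standard mailbox and email modules on a constructed mailbox, and searches the decoded message text rather than the raw file: one of the constructed messages is quoted-printable encoded with a soft line break inside the word of interest, so a plain byte search over the file would miss it while a search on decoded content finds it.

```python
"""Keyword search across an mbox mailbox, the kind of search the Mailbox
Viewer performs.

Added example, not CyberCheck code. The mailbox below is constructed; the
search is case-insensitive and covers From, Subject and every decoded
text/plain body, so hits inside transfer-encoded bodies are still found.
"""
import mailbox
import os
import tempfile
from email.header import decode_header, make_header

# Constructed mailbox: three messages; the second body is quoted-printable
# with a soft line break ("mon=" / "ey") splitting the word "money".
SAMPLE_MBOX = b"""From alice@example.org Mon Jan  9 10:00:00 2006
From: alice@example.org
To: bob@example.org
Subject: lunch
Content-Type: text/plain; charset="utf-8"

See you at noon.

From mallory@example.org Mon Jan  9 11:00:00 2006
From: mallory@example.org
To: bob@example.org
Subject: invoice
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Transfer the mon=
ey to account 1234 before Friday.

From bob@example.org Mon Jan  9 12:00:00 2006
From: bob@example.org
To: alice@example.org
Subject: Re: Money for the trip
Content-Type: text/plain; charset="utf-8"

I have no money left.

"""

def _text_parts(msg):
    """Yield the decoded text of every text/plain part (or the body itself)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() != "text/plain":
            continue
        raw = part.get_payload(decode=True) or b""     # undoes QP/base64
        yield raw.decode(part.get_content_charset() or "latin-1", "replace")

def _header(msg, name):
    """Header value with RFC 2047 encoded words decoded."""
    value = msg.get(name, "")
    return str(make_header(decode_header(value))) if value else ""

def search_mbox(path, keyword):
    """Return (index, From, Subject, where) for every message that contains
    `keyword` in From, Subject or a text body, case-insensitively."""
    needle = keyword.lower()
    hits = []
    box = mailbox.mbox(path)
    try:
        for idx, msg in enumerate(box):
            where = [h for h in ("From", "Subject") if needle in _header(msg, h).lower()]
            if any(needle in text.lower() for text in _text_parts(msg)):
                where.append("body")
            if where:
                hits.append((idx, _header(msg, "From"), _header(msg, "Subject"), where))
    finally:
        box.close()
    return hits

def search_sample(keyword):
    """Write the constructed mailbox to a temporary file and search it."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(SAMPLE_MBOX)
        return search_mbox(path, keyword)
    finally:
        os.unlink(path)
```

Searching the sample for "money" returns messages 1 (body, found only after quoted-printable decoding) and 2 (Subject and body); a case-sensitive byte search over the raw file finds the word only once. The same approach applies to the other mailbox formats once a parser for them yields email.message objects.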


4.5.1.3.6 Registry Viewer

The Registry Viewer displays the contents of the registry files found in an evidence file. Registry files record the software installed on a system and its configuration, and so can yield valuable evidence in a cyber crime investigation. The Registry Viewer is invoked with View|Registry Viewer from the main user interface, as shown in figure 4.5.1.3.6.1 below.

Figure 4.5.1.3.6.1 – Invoking Registry Viewer from the main menu

When the Registry Viewer is invoked, the window in figure 4.5.1.3.6.2 below shows the progress of exporting the registry files to the export folder.

Figure 4.5.1.3.6.2 – Displaying the progress of Registry files exporting.


If a registry file is found in the evidence file, the main user interface of the Registry Viewer is displayed as in figure 4.5.1.3.6.3 below. If none is found, a message is displayed instead and the viewer is not opened.

Figure 4.5.1.3.6.3 – Main user interface of Registry Viewer.

The registry files found in the evidence file are listed in the top pane of the viewer. Click a file to display its keys in the left pane, as illustrated in figure 4.5.1.3.6.4 below.


Figure 4.5.1.3.6.4 – Display of settings in a registry file.

Select a key in the left pane to see its details. The left pane behaves much like an Explorer tree: each key can be clicked to expand it further, as shown in figure 4.5.1.3.6.5 below.

Figure 4.5.1.3.6.5 – An expanded view of a left pane item.

If the selected key has values, their Value, Type and Data are displayed in the middle pane, as shown in figure 4.5.1.3.6.6 below.


Figure 4.5.1.3.6.6 – Display of attributes in the middle pane.

The value-type pairs of the selected key are displayed in the middle pane. The Registry Viewer also provides a Find facility for searching a selected registry file; it is invoked from the viewer's menu with Tools|Find, as shown in figure 4.5.1.3.6.7 below.

Figure 4.5.1.3.6.7 – Selecting the Find facility.

A dialog box as shown in figure 4.5.1.3.6.8 below is then displayed for entering the text to search for.


Figure 4.5.1.3.6.8 – Dialog box for entering Key for searching.

The Find facility searches the registry file selected in the top pane. Enter the text to search for in the Find What box. The text may occur in the file as a key name, a value name or data; tick the corresponding check boxes in the Look For group to search any or all of these. Click Find to start the search; a progress bar indicates progress, and any results are displayed in the bottom pane as shown in figure 4.5.1.3.6.9 below.


Figure 4.5.1.3.6.9 – Search results of a Key in a registry file.

The bottom pane lists each occurrence of the search text found in the selected file, one per row. The Type column states whether the occurrence is a key, a value name or data.

This search can show whether a particular piece of software was installed on the system at the time of seizure: enter the software's name as the text to search for. Note that a hit shows the software was present or run at some point, while the absence of a hit does not prove it was never installed, since uninstall routines and manual editing remove keys.

Lost Keys

Lost Keys displays deleted keys recovered from the selected registry file. Figure 4.5.1.3.6.10 below shows the lost keys found in a sample image. This feature applies only to Windows 95 and 98 registry files.


Figure 4.5.1.3.6.10 - Selecting Lost Key menu item to view the deleted keys.

4.5.1.3.7 Internet History Viewer

The Internet History Viewer displays the contents of the browser history files found in an evidence file. Microsoft Internet Explorer records its history in index.dat files: hidden files that list the URLs the user visited, along with cache and cookie entries; because Outlook Express renders mail with the same engine, entries for messages viewed there can appear in them too. The file names and locations depend on the version of Internet Explorer in use. The Internet History Viewer parses the index.dat files for the URLs that were browsed and for redirections, where a web site sent the user's browser on to another site. It identifies the type of each activity record in the file and displays the information in that record according to the filtering options chosen. The viewer is invoked by clicking View on the menu bar and selecting Internet History Viewer, as shown in figure 4.5.1.3.7.1.

Figure 4.5.1.3.7.1 – Invoking Internet History Viewer from the main menu

A progress bar, shown in figure 4.5.1.3.7.2 below, indicates the export of the history files to the export folder.

Figure 4.5.1.3.7.2 – Displaying Progress Bar indicating the exporting of History files

If an index.dat file is found in the evidence file, the main user interface of the Internet History Viewer is displayed as in figure 4.5.1.3.7.3 below. Otherwise, a message box is displayed.


Figure 4.5.1.3.7.3 - Main User Interface of Internet History Viewer

The index.dat files found are listed in the top pane of the viewer. Click a history file to view its contents in the right pane. The All Records option is selected initially, so all records in the file are listed by default, as shown in figure 4.5.1.3.7.4 below. If the selected file contains no records, a message is displayed.


Figure 4.5.1.3.7.4 – Display of all records by clicking the file path.

To view only records of one type, select URL Activity Record, REDR Activity Record or LEAK Activity Record and click Display, as shown in figure 4.5.1.3.7.5 below (URL records describe pages that were browsed, REDR records describe redirections). If the file contains no record of the chosen type, a message is displayed.


Figure 4.5.1.3.7.5 – Display of records belonging to a particular type

Tick the Advanced.. check box to show the search options in the left pane, as in figure 4.5.1.3.7.6 below.


Figure 4.5.1.3.7.6 – Display of the search options in the left pane when Advanced.. option checked.

Select one of the search options (Date or Address) and click Search. The filtered records are displayed in the list box. Which records a search can match depends on the type of activity record; a date search, for instance, applies only to record types that carry timestamps.

With the Date option you can search on the Modified Date or the Last Accessed Date. Choose one, set the From and To dates and click Search; the records whose chosen date falls between the two dates are listed, as shown in figure 4.5.1.3.7.7. If no record falls in the range, a message is displayed.

Figure 4.5.1.3.7.7 – Search result based on a chosen date.

With the Address option, a text box appears for entering a URL or part of one (address/keyword). Enter the text and click Search; the matching records are listed as shown in figure 4.5.1.3.7.8. If no record matches the address/keyword, a message is displayed.

Figure 4.5.1.3.7.8 – Search result after entering a keyword/address.

Clicking OK closes the Internet History Viewer.
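The viewer's three steps, identifying URL, REDR and LEAK activity records and then filtering them by type, date range and address, as an added example that is not CyberCheck code. The index.dat below is constructed to the commonly documented "Client UrlCache MMF Ver 5.2" record layout: 128-byte blocks, a 4-byte signature and block count at the start of each record, the modified and last-accessed FILETIMEs at 0x08 and 0x10 and the URL-string offset field at 0x34 in URL/LEAK records, and the URL string at 0x10 in REDR records. Treat those offsets as assumptions to be checked against a real file; a real file also has a header with hash-table pointers, which this scanner ignores in favour of walking the 128-byte blocks directly.

```python
"""Scan an Internet Explorer index.dat for URL, REDR and LEAK activity
records and filter them by type, date and address.

Added example, not CyberCheck code. Record offsets follow the commonly
documented 'Client UrlCache MMF Ver 5.2' layout and are assumptions; the
sample file is constructed below with the same layout.
"""
import struct
from datetime import datetime, timedelta

BLOCK = 128
FILETIME_EPOCH = datetime(1601, 1, 1)

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> naive UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, in exact integer arithmetic."""
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 10**6 + d.microseconds) * 10

def _cstring(buf, start):
    end = buf.find(b"\0", start)
    return buf[start:end if end >= 0 else len(buf)].decode("latin-1")

def parse_records(data):
    """Walk the file in 128-byte blocks and return each activity record."""
    records, off = [], 0
    while off + 8 <= len(data):
        sig = data[off:off + 4]
        if sig not in (b"URL ", b"REDR", b"LEAK"):
            off += BLOCK
            continue
        nblocks = struct.unpack_from("<I", data, off + 4)[0]
        if nblocks == 0 or off + nblocks * BLOCK > len(data):
            off += BLOCK            # damaged length field: skip, keep scanning
            continue
        rec = data[off:off + nblocks * BLOCK]
        if sig == b"REDR":          # redirection records carry only the URL
            entry = dict(type="REDR", offset=off, url=_cstring(rec, 0x10),
                         modified=None, accessed=None)
        else:
            url_off = struct.unpack_from("<I", rec, 0x34)[0]
            entry = dict(type=sig.decode().strip(), offset=off,
                         url=_cstring(rec, url_off) if 0 < url_off < len(rec) else "",
                         modified=filetime_to_datetime(struct.unpack_from("<Q", rec, 0x08)[0]),
                         accessed=filetime_to_datetime(struct.unpack_from("<Q", rec, 0x10)[0]))
        records.append(entry)
        off += nblocks * BLOCK
    return records

def filter_records(records, kind=None, address=None, date_field=None, start=None, end=None):
    """The viewer's filters: record type, address substring, and a From/To
    range on 'modified' or 'accessed'. Records without timestamps (REDR)
    never match a date filter."""
    out = []
    for r in records:
        if kind and r["type"] != kind:
            continue
        if address and address.lower() not in r["url"].lower():
            continue
        if date_field:
            ts = r[date_field]
            if ts is None or (start and ts < start) or (end and ts > end):
                continue
        out.append(r)
    return out

# --- constructed sample file (assumed layout, see module docstring) --------
def _url_record(sig, modified, accessed, url):
    rec = bytearray(2 * BLOCK)
    rec[0:4] = sig
    struct.pack_into("<I", rec, 0x04, 2)                       # length in blocks
    struct.pack_into("<Q", rec, 0x08, datetime_to_filetime(modified))
    struct.pack_into("<Q", rec, 0x10, datetime_to_filetime(accessed))
    struct.pack_into("<I", rec, 0x34, 0x68)                    # URL string at +0x68
    rec[0x68:0x68 + len(url) + 1] = url.encode() + b"\0"
    return bytes(rec)

def _redr_record(url):
    rec = bytearray(BLOCK)
    rec[0:4] = b"REDR"
    struct.pack_into("<I", rec, 0x04, 1)
    rec[0x10:0x10 + len(url) + 1] = url.encode() + b"\0"
    return bytes(rec)

T_JAN_MOD, T_JAN_ACC = datetime(2006, 1, 9, 10, 0), datetime(2006, 1, 10, 9, 30)
T_FEB, T_MAR = datetime(2006, 2, 14, 12, 0), datetime(2006, 3, 1, 8, 0)

SAMPLE_INDEX_DAT = (
    b"Client UrlCache MMF Ver 5.2\0".ljust(BLOCK, b"\0")
    + _url_record(b"URL ", T_JAN_MOD, T_JAN_ACC, "Visited: user@http://www.example.com/page.html")
    + _redr_record("http://redirect.example.net/go")
    + _url_record(b"LEAK", T_FEB, T_FEB, "http://leak.example.org/file.zip")
    + _url_record(b"URL ", T_MAR, T_MAR, "http://www.example.org/other")
)
```

On the constructed file, parse_records yields four records in file order; filtering by address "example.org" returns the LEAK and the second URL record, and a Last Accessed range covering January 2006 returns only the first URL record, the REDR record being excluded because it has no timestamps.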

4.5.1.3.8 Export Path

CyberCheck can display the export path, the folder into which exported information such as lost free clusters, used free clusters, slack contents and folder structure details is saved. Knowing this path is useful when the user wants to search these contents with an external tool. Select View|Export Path from the main user interface, as shown in figure 4.5.1.3.8.1 below.

Figure 4.5.1.3.8.1 – Selecting Export Path view option from main user interface.

When this menu item is selected, a message box as in figure 4.5.1.3.8.2 below shows the export folder path.

Figure 4.5.1.3.8.2 – Display of Export folder path.

4.5.1.3.9 Storage Media Details

CyberCheck can display details of the storage media attached to the analysis machine. Click the Storage Media Details icon in the toolbar, shown in figure 4.5.1.3.9.1 below, or select View|Storage Media Details.


When the Storage Media Details icon is clicked, a list box as shown in figure 4.5.1.3.9.2 below lists the fixed storage media present in the analysis machine.

Figure 4.5.1.3.9.1 – Selecting Storage Media Details icon from tool bar

Figure 4.5.1.3.9.2 – Display of Fixed Storage Media details


The seventh toolbar button has the same function.

4.5.1.4 Filters

This section explains how to separate normal, deleted, deleted-but-not-overwritten, temporary, and temporary Internet and cookie files from the set of files in the loaded evidence.

4.5.1.4.1 Temporary Files

CyberCheck can list the operating system's temporary files found in the evidence file. Select Filters|Temporary Files from the main user interface, as shown in figure 4.5.1.4.1.1 below. Once invoked, these files are also reachable from the Temporary Files item in the Probe View in the left pane.

Figure 4.5.1.4.1.1 – Selecting Temporary Files from Filters option from main menu

When the item is selected, the Temporary Files item, if present, is highlighted as shown in figure 4.5.1.4.1.2 below.


Figure 4.5.1.4.1.2 – Display of Temporary Files in Table view.

Any files in this category are listed in the Table view, as shown in the figure above.

4.5.1.4.2 Deleted Files

CyberCheck can list the deleted files in the loaded evidence. Select Filters|Deleted Files from the main user interface, as shown in figure 4.5.1.4.2.1 below. Deleted files are also reachable from the Deleted Files item in the Probe View in the left pane.


Figure 4.5.1.4.2.1 – Selecting Deleted Files Filters option from main menu

Figure 4.5.1.4.2.2 – Display of Deleted Files in Table view.

Any files in this category are listed in the Table view, as shown in the figure above.

4.5.1.4.3 Deleted but not Overwritten Files

CyberCheck can list deleted files whose clusters have not yet been reused by other data, so that their content is still recoverable. Select Filters|Deleted but not Overwritten Files from the main user interface, as shown in figure 4.5.1.4.3.1 below. These files are also reachable from the Deleted but not Overwritten Files item in the Probe View in the left pane.


Figure 4.5.1.4.3.1 – Selecting ‘Deleted but not Overwritten Files’ Filters option from main menu

Figure 4.5.1.4.3.2 – Display of Deleted but not Overwritten Files in Table view.

Any files in this category are listed in the Table view, as shown in the figure above.

4.5.1.4.4 Normal Files


CyberCheck can list the normal files (files that are not deleted, overwritten or temporary) in the evidence file. Select Filters|Normal Files from the main user interface, as shown in figure 4.5.1.4.4.1 below. Once invoked, these files are also reachable from the Normal Files item in the Probe View in the left pane.

Figure 4.5.1.4.4.1 – Selecting Normal Files view option from main menu

Figure 4.5.1.4.4.2 – Display of Normal Files in Table view.


Any files in this category are listed in the Table view, as shown in the figure above.

4.5.1.4.5 Temporary Internet Files and Cookies

CyberCheck can list the Temporary Internet Files and cookies found in the evidence file. Select Filters|Temporary Internet Files and Cookies from the main user interface, as shown in figure 4.5.1.4.5.1 below. Once invoked, these files are also reachable from the Temporary Internet Files and Cookies item in the Probe View in the left pane.

Figure 4.5.1.4.5.1 – Selecting Temporary Internet Files and Cookies Filters option from main menu


Figure 4.5.1.4.5.2 – Display of Temporary Internet Files and Cookies in Table view.

Any files in this category are listed in the Table view, as shown in the figure above.

4.5.1.5 Evidence

This section explains how to add more than one evidence file to the CyberCheck environment.

4.5.1.5.1 Add Evidence

If a case has several evidence files from different storage media, they can all be analyzed together by adding them to the CyberCheck environment one after another. Add Evidence is invoked from the main menu as shown in figure 4.5.1.5.1.1 below.


Figure 4.5.1.5.1.1 - Selecting Add Evidence from Evidence

When Add Evidence is selected, a File Open dialog box as shown in figure 4.5.1.5.1.2 below is displayed for browsing to the evidence file.

Figure 4.5.1.5.1.2 – File Open dialog for adding evidence file.

Select the file and click Open to add it to the CyberCheck environment. When the new evidence file has loaded, the Probe View is updated with its details, as shown in figure 4.5.1.5.1.3 below.


Figure 4.5.1.5.1.3 – Modified Probe View with newly added evidence file.

If an evidence file that is already loaded is selected again, a warning is displayed and CyberCheck refuses to add it a second time.

4.5.1.6 Options

The Options menu contains a number of sub-menus, explained below.

4.5.1.6.1 Change Password

Only an authorized user can log in to CyberCheck, and only a person who knows the administrative password can add new users. The default administrative password is cyber; since the default is published in this manual, it should be changed as soon as CyberCheck is installed. The Administrator can change it at any time by selecting Options|Change Password from the main user interface, as shown in figure 4.5.1.6.1.1 below.


Figure 4.5.1.6.1.1 – Selecting Change Password option from main menu

When this menu item is selected, a dialog box as in figure 4.5.1.6.1.2 below is displayed.

Figure 4.5.1.6.1.2 – Dialog box for changing the old Password

The Administrator enters the old password and the new password in the fields provided. On OK, the new password is set if the information entered is correct.

4.5.1.6.2 Hash Files

This facility finds files with identical content stored under different names and extensions, which is important from a forensic point of view: to confuse the investigator, a culprit may save a document in several forms or under several names. Computing a hash value for every file in an evidence file, and then searching for files by hash value, reveals every copy of the same content regardless of name or extension, because identical content always produces the same hash value. CyberCheck uses the MD5 algorithm, which takes a stream of data as input and returns a 128-bit message digest (hash value); changing even a single bit of a file's content produces a completely different digest. One caveat: MD5 is no longer collision resistant, and two different files with the same MD5 value can be deliberately constructed, so an MD5 match should be treated as a strong lead to be confirmed by comparing the files' contents, not as proof on its own that the contents are identical. CyberCheck provides facilities both for hashing files and for searching files by hash value. The Hash Files facility is invoked with Options|Hash Files from the main user interface, as shown in figure 4.5.1.6.2.1 below.

Figure 4.5.1.6.2.1– Selecting Hash Files facility.

When this menu item is clicked, the following window as shown in figure 4.5.1.6.2.2 given below will be displayed for selecting the extent of hashing to be done.

Figure 4.5.1.6.2.2 – Specifying the extent of Hashing.

Hashing can be done either on the entire set of files available in the evidence file or on selected files only. This can be specified using the radio buttons provided in the dialog box above. If you want to limit the extent to selected files, you have to select the desired files or folders before invoking this facility. After specifying the extent, you may press the OK button to continue with file hashing. A progress bar will be displayed in the status bar to indicate the status of the process. The user may cancel the process by right-clicking on the progress bar and then selecting the Cancel button displayed. When the hashing process is completed, the hash value of each file will be added as an attribute of the file. This can be viewed in the Table view at the end of the attribute bar, as shown in figure 4.5.1.6.2.3 given below.

Figure 4.5.1.6.2.3 – Display of the hash values of selected files.

This hash value can be used for File Search based on hash values, as explained in the Search section.

4.5.1.6.3 Create Custom Hash Library

The hash feature can be used to identify files whose contents are of no use to the investigator, such as application programs, operating system files, etc. It can also be used to identify files such as known viruses, Trojans and other unauthorized applications. Hash sets are collections of hash values that belong to a group of files. For example, a hash set of all Microsoft Office files could be created and named “MS Office Files”. Keyword searching can be made faster by excluding the files with known hash values. A group of known hash values is created from a subset of the available hash sets created by the investigator. This set of hash values is termed the ‘Custom Hash Library’. The hash library may consist of one or more hash sets holding hash values of different files. This library can be used in the search process to avoid unnecessary searching for evidence in these sets of files.

4.5.1.6.3.1 Creating a Hash Set

Create Hash Set can be invoked by either of the following selections.

1. Right click on any of the files in probe list of Table View. From the popup menu, click ‘Create HashSet’ menu item as shown in figure 4.5.1.6.3.1 given below. This item can be used to create a customized hash set as explained in the section “Creating a Custom Hash Set” below.

Figure 4.5.1.6.3.1- Selecting Create Hash Set from context menu

2. From Options menu, select Create Custom Hash Library… as shown in figure 4.5.1.6.3.2 given below. This item can be used to create either a standard hash set or custom hash set.

Figure 4.5.1.6.3.2 - Selecting Create Custom Hash Library from Options menu

When this item is selected, a dialog box as shown in figure 4.5.1.6.3.3 given below will be displayed for selecting the type of hash sets to be created.

Figure 4.5.1.6.3.3 – Dialog box for selecting the type of hash sets

The user can create two types of hash sets, viz., Standard and Custom. A standard hash set consists of hash values of known standard files of the operating system, application files, etc. These files will mostly be available on external storage media. A custom hash set consists of hash values of files in which the user has a specific interest. These files may be available in the evidence files that are being analyzed by the user.

4.5.1.6.3.1.1 Creating a Standard Hash Set

From the dialog box shown in figure 4.5.1.6.3.3 above, check the Standard radio button and press Next button to continue. A dialog box as shown in figure 4.5.1.6.3.4 will be displayed for adding desired standard files into a list.

Figure 4.5.1.6.3.4 – Dialog box for adding desired files for creating Standard Hash Set

When all desired files have been added to the list, press the Next button. A dialog box as shown in figure 4.5.1.6.3.5 given below will be displayed, containing any existing hash sets and an edit box for specifying a name for the hash set being created.

Figure 4.5.1.6.3.5 – Dialog box for specifying Hash Set name

This dialog box contains an edit box for entering a name for the hash set being created. It also displays the names of existing hash sets, if any are available in the folder where CyberCheck is installed. Press the Create HashSet button after entering a name for the new hash set. The new hash set will be created and its name will be added to the list of existing hash sets. To add the hash values available in any of the hash sets into a hash library, check the desired hash set names and then press the (Re)Build HashLibrary button. The hash library will be available in a file named “CustomHashLib.hash” in the folder where CyberCheck is installed. When the hash library is re-built, this file will be over-written with the contents of the selected hash sets. This hash library will be used in keyword search to exclude those files whose hash values are available in the hash library. Hash sets that are included in the existing ‘Custom Hash Library’ can be identified by a grey check box at the left side of the hash set name.

4.5.1.6.3.1.2 Creating a Custom Hash Set

Custom hash sets are created using files available in the evidence file that is being analyzed. To create a custom hash set, select the desired files from the Table view by checking the square box near the filename. From the dialog box shown in figure 4.5.1.6.3.3 above, check the Custom radio button and press the Next button to continue. A dialog box as shown in figure 4.5.1.6.3.6 will be displayed for specifying a name for the hash set being created.

Figure 4.5.1.6.3.6 – Dialog box for specifying Hash Set name

This dialog box contains an edit box for entering a name for the hash set being created. It also displays the names of existing hash sets, if any are available in the folder where CyberCheck is installed. Press the Create HashSet button after entering a name for the new hash set. The new hash set will be created and its name will be added to the list of existing hash sets. To add the hash values available in any of the hash sets into a hash library, check the desired hash set names and then press the (Re)Build HashLibrary button. The hash library will be available in a file named “CustomHashLib.hash” in the folder where CyberCheck is installed.

When the hash library is re-built, this file will be over-written with the contents of the selected hash sets. This hash library will be used in keyword search to exclude those files whose hash values are available in the hash library. Hash sets that are included in the existing ‘Custom Hash Library’ can be identified by a grey check box at the left side of the hash set name. It should be noted that these hash sets and the library are specific to a case analysis session. When the user exits from the CyberCheck environment, the hash set files and the CustomHashLib.hash file will be deleted from the CyberCheck installation folder. Therefore, if the user wants to keep these files, they should be saved into a probe file.
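
The following Python example is added to this manual to illustrate what sections 4.5.1.6.2 (Hash Files) and 4.5.1.6.3 (Custom Hash Library) describe; it is not CyberCheck's own code. It hashes a constructed set of evidence files with MD5, finds same-content files stored under different names, searches by hash value, and builds a hash library from named hash sets to exclude known files from a keyword search. The sample file contents, the hash set name and the helper names are assumptions made for the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample "evidence file" contents (path -> bytes); not real case data.
# plan.doc and holiday.jpg hold identical content under different names and
# extensions; kernel32.dll stands in for a known operating-system file.
SAMPLE_EVIDENCE = {
    "Documents/plan.doc": b"meet at the warehouse at 3am",
    "Pictures/holiday.jpg": b"meet at the warehouse at 3am",
    "Windows/System32/kernel32.dll": b"MZ\x90\x00 constructed stand-in for a DLL",
    "Temp/notes.txt": b"nothing of interest",
}


def md5_hex(data: bytes) -> str:
    """MD5 message digest (128 bits) as 32 hex characters, as Hash Files records it."""
    return hashlib.md5(data).hexdigest()


def md5_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Same digest for a file on disk, streamed in chunks so a large file is not
    read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_files(files: dict) -> dict:
    """Hash every file: path -> digest, the attribute added to the Table view."""
    return {path: md5_hex(data) for path, data in files.items()}


def duplicate_groups(hashes: dict) -> dict:
    """Group paths by digest. A group with more than one path is the same content
    stored under different names or extensions."""
    groups = defaultdict(list)
    for path, digest in hashes.items():
        groups[digest].append(path)
    return {d: sorted(paths) for d, paths in groups.items() if len(paths) > 1}


def search_by_hash(hashes: dict, wanted: str) -> list:
    """File Search by hash value: every path whose digest equals `wanted`."""
    wanted = wanted.lower()
    return sorted(path for path, digest in hashes.items() if digest == wanted)


# A hash set is a named collection of digests (a standard set is built from files
# on reference media, a custom set from files in the evidence); the hash library
# is the union of the sets that were checked before pressing (Re)Build HashLibrary.
def create_hash_set(name: str, files: dict, hash_sets: dict) -> dict:
    """Create or replace the named hash set from the given files."""
    hash_sets[name] = {md5_hex(data) for data in files.values()}
    return hash_sets


def build_hash_library(hash_sets: dict, selected: list) -> set:
    library = set()
    for name in selected:
        library |= hash_sets[name]
    return library


def files_to_search(hashes: dict, library: set) -> list:
    """Files a keyword search still has to read: those not excluded by the library.
    An MD5 match is a sound *exclusion* criterion only for a trusted reference
    set; MD5 collisions are practical, so keep a second digest (e.g. SHA-256)
    next to it for anything that will itself be presented as evidence."""
    return sorted(path for path, digest in hashes.items() if digest not in library)


if __name__ == "__main__":
    hashes = hash_files(SAMPLE_EVIDENCE)
    print("duplicates:", duplicate_groups(hashes))
    sets = create_hash_set("Standard Windows Files",
                           {"kernel32.dll": SAMPLE_EVIDENCE["Windows/System32/kernel32.dll"]}, {})
    print("to search:", files_to_search(hashes, build_hash_library(sets, ["Standard Windows Files"])))
```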

4.5.1.6.4 Check Encrypted Files

CyberCheck provides a facility for identifying encrypted files available in an evidence file. This is limited to password-protected Microsoft Office files and zipped files. If a password-protected Word document is present in the evidence file, it will be marked as encrypted in the Description attribute of the file. This facility can be invoked by selecting the Options|Check Encrypted Files menu item from the main user interface, as shown in figure 4.5.1.6.4.1 given below.

Figure 4.5.1.6.4.1 – Selecting Check Encrypted Files option from main menu.

When this option is selected, a dialog box as shown in the figure 4.5.1.6.4.2 given below will be displayed for specifying the type of file to be checked for encryption.

Figure 4.5.1.6.4.2 – Dialog box for selecting the type of file.

The user may select an appropriate option from the above dialog box and press the OK button to continue. If there are a large number of files in the evidence file, checking for encrypted files in the entire evidence file may take some time. A progress bar will be displayed in the status bar to indicate the progress of the process. When the process is over, if there are any encrypted files, the Description file attribute in the Table view will be updated with ‘encrypted file’. This is shown in figure 4.5.1.6.4.3 given below.

Figure 4.5.1.6.4.3 – Display of encrypted file in Table view.
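
For the zipped-file case, the check comes down to one bit in each entry's local file header: bit 0 of the general purpose flag marks the entry as encrypted. The Python example below is added to this manual (it is not CyberCheck's code) and shows that check on a constructed archive; the builder only sets the flag and does not emulate real password protection, and the field layouts are the published ZIP format.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHIIIHH"          # 30-byte local file header
CENTRAL_FMT = "<4sHHHHHHIIIHHHHHII"  # 46-byte central directory header
EOCD_FMT = "<4sHHHHIIH"              # 22-byte end of central directory record
FLAG_ENCRYPTED = 0x0001              # general purpose bit 0: entry is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008        # sizes follow the data; not handled here


def build_sample_zip(entries: dict, encrypted: set) -> bytes:
    """Constructed test data: a minimal STORED archive with the encryption flag set
    on some entries. Only the flag is set; the 12-byte encryption header and the
    ciphertext of a genuinely password-protected archive are not emulated."""
    local, central = b"", b""
    for name, data in entries.items():
        nb = name.encode("cp437")
        flags = FLAG_ENCRYPTED if name in encrypted else 0
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = len(local)
        local += struct.pack(LOCAL_FMT, LOCAL_SIG, 20, flags, 0, 0, 0,
                             crc, len(data), len(data), len(nb), 0) + nb + data
        central += struct.pack(CENTRAL_FMT, b"PK\x01\x02", 20, 20, flags, 0, 0, 0,
                               crc, len(data), len(data), len(nb), 0, 0, 0, 0, 0, offset) + nb
    eocd = struct.pack(EOCD_FMT, b"PK\x05\x06", 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd


def check_zip_encryption(blob: bytes) -> dict:
    """Walk the local file headers and report name -> True when bit 0 of the general
    purpose flag is set. Works on a raw byte run, so it also applies to a zipped
    file carved from an evidence image whose central directory is missing."""
    found, pos = {}, 0
    while blob[pos:pos + 4] == LOCAL_SIG:
        (_, _, flags, _, _, _, _, csize, _, nlen, xlen) = struct.unpack_from(LOCAL_FMT, blob, pos)
        name = blob[pos + 30:pos + 30 + nlen].decode("cp437")
        found[name] = bool(flags & FLAG_ENCRYPTED)
        if flags & FLAG_DATA_DESCRIPTOR:
            break  # compressed size is only in the trailing descriptor; stop here
        pos += 30 + nlen + xlen + csize
    return found


def check_zip_encryption_stdlib(blob: bytes) -> dict:
    """Cross-check via the central directory using the standard library."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {zi.filename: bool(zi.flag_bits & FLAG_ENCRYPTED) for zi in zf.infolist()}


def description_attribute(blob: bytes) -> dict:
    """What the Description attribute in the Table view would show per entry."""
    return {n: ("encrypted file" if enc else "") for n, enc in check_zip_encryption(blob).items()}


SAMPLE_ZIP = build_sample_zip(
    {"readme.txt": b"public text", "secret.doc": b"placeholder bytes"},
    encrypted={"secret.doc"},
)
```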

4.5.1.6.5 Check File Signature

Most document files and image files have some kind of unique signature written in the file header. Normally, the type of a file is identified by looking at the extension. But if the extension has been changed by some means, it is difficult to identify the real type of the file. It is possible to identify the real type of the file by comparing the signature available in the header. If there is a mismatch between the extension and the type specified in the header, a signature mismatch can be reported. This applies to those files which have well-defined signatures in the header. From the cyber forensic point of view, identification of signature-mismatched files is important, as it leads to the gathering of evidence in a particular case.

CyberCheck provides a facility to identify the signature-mismatched files in an evidence file. From the main user interface, select Options|Check File Signature menu item as given in the figure 4.5.1.6.5.1 below.

Figure 4.5.1.6.5.1 – Selecting Check File Signature option.

When this option is selected, a dialog box will be displayed to specify the extent of checking required. You can specify either the entire evidence file or selected files. If you specify selected files, you should have selected the desired files beforehand. When the extent is specified, you may press the OK button to continue with the identification of signature-mismatched files. A progress bar will be displayed to indicate the status of the process. When the process is completed, the Table view will be updated with the SM (Signature Mismatch) column. If there is a signature-mismatched file in the view, a ‘Y’ will be marked in the column against that file, as shown in figure 4.5.1.6.5.2 given below.

Figure 4.5.1.6.5.2 – Display of Signature Mismatched files in Table view.
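
The Python example below is added to this manual to show how the SM column is derived; it is not CyberCheck's code. The signature table uses the four fields that section 4.5.1.6.11 names for the File Signature database (Extension, Header, Alias, Length) and includes Add, Modify and Delete operations on it; the entries, sample file headers and the treatment of Alias as a second extension sharing the same header are assumptions made for the example.

```python
# Signature database with the four fields named in section 4.5.1.6.11 of this
# manual: Extension, Header (bytes at file offset 0), Alias (another extension
# that legitimately carries the same header) and Length (header bytes compared).
# The entries are constructed for this example; CyberCheck's own database may differ.
SIGNATURE_DB = [
    {"Extension": "jpg", "Header": b"\xFF\xD8\xFF", "Alias": "jpeg", "Length": 3},
    {"Extension": "png", "Header": b"\x89PNG\r\n\x1a\n", "Alias": "", "Length": 8},
    {"Extension": "gif", "Header": b"GIF8", "Alias": "", "Length": 4},
    {"Extension": "pdf", "Header": b"%PDF", "Alias": "", "Length": 4},
    {"Extension": "zip", "Header": b"PK\x03\x04", "Alias": "", "Length": 4},
    {"Extension": "doc", "Header": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "Alias": "xls", "Length": 8},
]


def add_signature(db: list, extension: str, header: bytes, alias: str = "", length=None) -> dict:
    """The Add button: a new row; Length defaults to the header's byte count."""
    row = {"Extension": extension.lower(), "Header": header, "Alias": alias.lower(),
           "Length": len(header) if length is None else length}
    db.append(row)
    return row


def _find(db: list, extension: str, header: bytes):
    for row in db:
        if row["Extension"] == extension.lower() and row["Header"] == header:
            return row
    return None


def modify_signature(db: list, extension: str, header: bytes, **changes) -> dict:
    """The Modify button: update fields of the row selected by Extension + Header."""
    row = _find(db, extension, header)
    if row is not None:
        row.update({k: v for k, v in changes.items() if k in row})
    return row


def delete_signature(db: list, extension: str, header: bytes) -> bool:
    """The Delete button: remove the row selected by Extension + Header."""
    row = _find(db, extension, header)
    if row is None:
        return False
    db.remove(row)
    return True


def _matches(row: dict, head: bytes) -> bool:
    n = row["Length"]
    return head[:n] == row["Header"][:n]


def identify_type(db: list, head: bytes) -> str:
    """Real type judged from the header bytes alone; '' if no signature matches."""
    for row in db:
        if _matches(row, head):
            return row["Extension"]
    return ""


def signature_mismatch(db: list, filename: str, head: bytes) -> dict:
    """One row of the SM column: 'Y' when the extension (or an alias of it) has
    signatures on record and none of them matches the header; '' when one
    matches or when the extension has no well-defined signature to compare."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = [r for r in db if ext and ext in (r["Extension"], r["Alias"])]
    matched = any(_matches(r, head) for r in expected)
    return {"file": filename,
            "SM": "Y" if expected and not matched else "",
            "real_type": identify_type(db, head)}


def check_all(db: list, files: dict) -> list:
    return [signature_mismatch(db, name, head) for name, head in files.items()]


# Constructed sample: the first bytes of each file, as read from an evidence file.
SAMPLE_FILES = {
    "holiday.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF",
    "invoice.doc": b"\xFF\xD8\xFF\xE1\x00\x18Exif",   # a JPEG renamed to .doc
    "scan.jpeg": b"\xFF\xD8\xFF\xDB",                 # alias of jpg, so no mismatch
    "notes.txt": b"plain text has no signature",
    "budget.xls": b"PK\x03\x04\x14\x00",              # a ZIP container named .xls
}
```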

If the user wants signature-mismatched files to be considered (with their proper extensions) in ‘Gallery View’, ‘Picture View’, ‘Check Encrypted Files’, ‘File Search by file extension’, ‘Mailbox Viewer’, ‘ZipFile Extractor’ and ‘MetaData Viewer’, it is his/her responsibility to complete the file signature check before starting any of the above processes. If the user wants to see all signature-mismatched files, select the Timeline tab. The dialog box shown in figure 4.5.1.6.5.3 given below will be displayed for selecting different options.

Figure 4.5.1.6.5.3 – Dialog box for setting signature mismatch option.

From the Advanced Option, select Options and then enable Signature Mismatch only. Select the All Files option to view all the signature-mismatched files in the evidence file. Select the Created option from the Display by Time group, and Both from the Files group. Click the Show Chart button to show the signature-mismatched files. If the signature-mismatched files have already been extracted from the evidence file using the method explained above, you will get an immediate display of the timeline chart. Otherwise, a message box as shown in figure 4.5.1.6.5.4 given below will be displayed.

Figure 4.5.1.6.5.4 – Message box for starting signature mismatch check.

When you click Yes button, first the signature mismatched files will be checked and then the timeline chart will be displayed. The checking of signature-mismatched files may take some time depending upon the number of files to be checked. When the checking of the signature-mismatched files is completed, the time line chart will be displayed as shown in the figure 4.5.1.6.5.5 given below, which shows the signature mismatched files in violet color.

Figure 4.5.1.6.5.5 – Display of signature mismatched files in timeline chart.

Once you have the signature-mismatched files in the Timeline view, right-click in the Timeline chart view. A context menu will be displayed as shown in the figure above. When you select the Show Files option, the list of signature-mismatched files will be displayed in the Table view, as shown in figure 4.5.1.6.5.6 given below.

Figure 4.5.1.6.5.6 – Display of signature mismatched files in the Table view.

4.5.1.6.6 Auto Save

The Auto Save option can be set at two stages. The first stage is while loading the evidence file, before the Analysis window appears. This is shown in figure 4.5.1.6.6.1 given below. If AutoSave is enabled, the probe file will be saved at fixed intervals specified by the user. The user can specify the time interval in minutes as shown in the figure.

Figure 4.5.1.6.6.1 – Window for setting Auto Save time

The time interval can be an integer value between 0 and 100. A time interval of 0 means AutoSave is disabled. If the user has not supplied a filename for the probe file, AutoSave will prompt the user to supply one. Once it is given, the save process will run in the background at the specified intervals, without the need for user intervention. The other stage at which the user can change the time interval and enable/disable AutoSave is by selecting the menu Options|AutoSave from the main user interface, as given in figure 4.5.1.6.6.2 below.

Figure 4.5.1.6.6.2 – Setting Auto Save option from main user interface

In the dialog box, there is a check box for Enable Auto Save option. If the User checks this box, auto save option will be enabled, otherwise, it will be disabled. By default, this option will be enabled with an auto save time set at 10 minutes. User may change this time by clicking on the combo box button provided in the dialog box.

4.5.1.6.7 Create Raw Image

CyberCheck provides a facility to create raw image of an evidence file from the analysis environment. Such raw images can be used for analysis by other cyber forensics tools. This facility can be invoked by selecting the menu item Options|Create Raw Image from the main user interface as shown in figure 4.5.1.6.7.1 below.

Figure 4.5.1.6.7.1 – Selecting Create Raw Image option.

When this menu item is selected, a dialog box as shown in figure 4.5.1.6.7.2 given below will be displayed for selecting an evidence file with which the raw image will be created.

Figure 4.5.1.6.7.2 – Selecting evidence file for creating Raw Image

When the desired evidence file has been selected from the dialog box, press the OK button to continue with the creation of the raw image. A progress bar will be displayed in the status bar as shown in figure 4.5.1.6.7.3 given below. The raw image will be created in the export folder path, in a folder having the same name as the selected evidence file. The raw image will have the same file name as the evidence file, with the extension .000.

User may select all evidence files displayed in the dialog box by checking the Select All check box given in the dialog box above. In this case, raw images of all evidence files will be created in the export folder path in respective names.

Figure 4.5.1.6.7.3 – Progress of creating Raw Image

If the user wants to cancel the process of creating raw image, s/he may right click on the progress bar and subsequently select the Cancel button for canceling the process.

4.5.1.6.8 Restore disk from Image

CyberCheck provides a facility for restoring a disk from an image so that the restored disk can be used for booting a system, if the restored disk contains boot information. This facility will be very useful to study different applications the suspect has installed and to view contents of different files in their native viewers. This feature can be started by selecting the menu item Options| Restore disk from Image from the main user interface as shown in figure 4.5.1.6.8.1 below.

Figure 4.5.1.6.8.1 – Selecting Restore Disk from Image option.

When this option is selected, a dialog box as shown in figure 4.5.1.6.8.2 given below will be displayed for selecting the desired evidence file and the storage media into which the image has to be restored.

Figure 4.5.1.6.8.2 – Dialog box for selecting desired evidence file and storage media

The above dialog box shows the evidence file(s) available in the CyberCheck environment as the Source and the disks available in the analysis system as the destination disk. The list of destination disks does not include the system boot disk. The user may select the appropriate evidence file and destination disk to restore the image onto the selected destination disk. Before restoring the image, the user may wipe the destination disk using the wipe facility provided. The user can also specify whether the whole medium is to be wiped, or only the sectors remaining after the image has been restored. After restoring the image to the disk, the user may use this disk to boot a system, if boot information is available on the disk.

4.5.1.6.9 Verify Image Hash

CyberCheck provides a facility to verify the hash value of an evidence file. The hash value of the evidence file can be verified while loading the evidence file, if the Enable Hash Verification option is set in the Settings dialog box. If this was not set at the time the evidence file was loaded, the user may use the Verify Image Hash facility provided in CyberCheck.

This facility can be invoked by selecting the File|Verify Image Hash menu item from the main user interface as shown in the figure 4.5.1.6.9.1 given below.

Figure 4.5.1.6.9.1 – Selecting Verify Image Hash option from main menu

When this menu item is selected, a progress bar as given in the following figure 4.5.1.6.9.2 will be displayed showing the progress of evidence file verification.

Figure 4.5.1.6.9.2 – Image hash verification in progress

When the hash verification is completed, a message box will be displayed as shown in the figure 4.5.1.6.9.3 given below.

Figure 4.5.1.6.9.3 – Display of result of hash verification

The message box shows the result of the hash verification. It shows whether the hash verification is a success or not, time taken for verification, total number of blocks verified etc. The status of the hash verification will be appended to the report.
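
The Python example below is added to this manual to illustrate the verification just described; it is not CyberCheck's code. It re-hashes a constructed image block by block, compares the result with the digest recorded at acquisition time, and produces the success/failure, block count and time figures that the message box and the report line carry. Where CyberCheck stores the recorded digest is not stated in the manual, so it is simply passed in here; the block size and sample bytes are assumptions.

```python
import hashlib
import hmac
import time

BLOCK_SIZE = 512  # sector-sized blocks; a constructed choice for this example


def hash_image_blocks(image: bytes, block_size: int = BLOCK_SIZE) -> tuple:
    """Hash the image block by block, as a verifier reading it from disk would,
    and return (hex digest, number of blocks hashed, seconds taken)."""
    started = time.perf_counter()
    h = hashlib.md5()
    blocks = 0
    for offset in range(0, len(image), block_size):
        h.update(image[offset:offset + block_size])
        blocks += 1
    return h.hexdigest(), blocks, time.perf_counter() - started


def verify_image_hash(image: bytes, recorded_hex: str, block_size: int = BLOCK_SIZE) -> dict:
    """Recompute the digest and compare it with the one recorded at acquisition.
    Where the recorded digest lives is an assumption (the manual does not say);
    here it is passed in as a hex string. compare_digest avoids a timing
    side channel on the comparison."""
    digest, blocks, seconds = hash_image_blocks(image, block_size)
    return {"success": hmac.compare_digest(digest, recorded_hex.lower()),
            "blocks": blocks, "seconds": seconds,
            "computed": digest, "recorded": recorded_hex.lower()}


def report_line(result: dict) -> str:
    """The status line appended to the case report."""
    status = "SUCCESS" if result["success"] else "FAILURE"
    return (f"Hash verification: {status}; blocks verified: {result['blocks']}; "
            f"time: {result['seconds']:.3f} s; computed: {result['computed']}; "
            f"recorded: {result['recorded']}")


# Constructed sample image (1792 bytes = 3 full sectors + a partial one) and the
# digest "recorded at acquisition" over the pristine bytes; then a one-byte change.
SAMPLE_IMAGE = bytes(range(256)) * 7
RECORDED_HASH = hashlib.md5(SAMPLE_IMAGE).hexdigest()
TAMPERED_IMAGE = SAMPLE_IMAGE[:1000] + b"\x00" + SAMPLE_IMAGE[1001:]
```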

4.5.1.6.10 Show / Hide System Files

CyberCheck provides a facility for showing/hiding system files available in an evidence file in the Table view. This facility can be invoked by selecting Options|Show/Hide System Files as shown in figure 4.5.1.6.10.1 given below.

Figure 4.5.1.6.10.1 – Selecting Show/Hide System Files from Options menu item.

CyberCheck considers files with extensions .SYS, .DRV, .DLL, .VXD, .VBX and .OCX as system files. Also, the NTFS file system contains some system files, such as $MFT and $MFTMirr, which are created at the time of creating the partition. When this icon is clicked, if the system files are already displayed in the Table view, they will be removed and the display will be refreshed without these files. If they are not displayed in the Table view, they will be displayed when the icon is clicked. CyberCheck keeps a set of hash values of Microsoft Windows and application files. If the user invokes the Hash Files menu item from the Options menu, the hash values of the files will be computed and compared with the hash sets. If any of the hash values matches the hash set values, the corresponding files will also be treated as system files. When the S/H icon is pressed, these files will also be either displayed or hidden. In the case of NTFS and EXT2FS, those files whose attributes are set as system will also be treated as system files. The sixth item in the toolbar shown in figure 4.5.1.6.10.2 has the same functionality.

Figure 4.5.1.6.10.2 – Selecting Show/Hide System Files icon from tool bar

4.5.1.6.11 File Signature Customization

File Signature Customization enables the user to modify the file signature database. The File Signature database consists of four fields in the table, viz., Extension, Header, Alias and Length. A file can be identified externally by its extension and internally by the signature available in the file header. The Header field in the database holds the signature of the file. An alias name can be attributed to the extension of the file if the user desires, and that can be stored in the Alias field of the database. The Length field indicates the number of characters in the file signature. This functionality can be invoked in CyberCheck by selecting the menu item Options|File Signature Customization from the main user interface, as shown in figure 4.5.1.6.11.1 given below.

Figure 4.5.1.6.11.1 – Selecting File Signature Customization item from main menu

When this item is selected, a dialog box as shown in figure 4.5.1.6.11.2 given below will be displayed for further processing.

Figure 4.5.1.6.11.2 – Display of File Signature Customization interface.

The module consists mainly of three basic functions: Add, Modify and Delete. For these functions, three buttons are provided, Add, Modify and Delete, along with three radio option buttons. When the user selects the Add option button, the Extension, Header, Length and Type field edit boxes are enabled, so that the user can enter values in the respective fields. The user can add these values to the database by clicking the Add button.

When the user selects the Modify option button, all the field values are taken from the database. That is, if an Extension is selected by the user, all the headers related to that particular Extension are attached to the combo box. The user is then able to select the required header. Based on the Header and Extension, the corresponding Length and Type values are attached to the edit fields, and the user can modify all these fields. When the Modify button is clicked, the database is updated with the new values. For deletion, the user should select the Delete radio button, so that the Extension field is populated from the Extension field of the database. This enables the user to select a particular Header based on the selected Extension. After selecting both the Extension and the Header, the user can delete the values from the database by clicking the Delete button.

Selecting the Add radio button enables all four fields, and when the Add button is pressed the data of all four fields is inserted into the database. Figure 4.5.1.6.11.3 given below shows the successful insertion of data into the signature database.

Figure 4.5.1.6.11.3 - File Signature Inserting into the table

The Header (In ASCII) option enables the user to enter the header (signature) in ASCII format, as shown in figure 4.5.1.6.11.4 given below.

Figure 4.5.1.6.11.4 - Inserting Header in ASCII format

The Modify option enables the user to modify the extension, header, length and alias, as shown in figure 4.5.1.6.11.5 given below.

Figure 4.5.1.6.11.5 - Modifying File Signature fields

Delete option enables the user to delete file signature from database as shown in figure 4.5.1.6.11.6 given below.

Figure 4.5.1.6.11.6-File Signature Deletion from the database

4.5.1.6.12 Settings

CyberCheck allows the user to customize some of the parameters of the analysis environment like Unicode settings, colours of the foreground and background display and for setting the font used in the environment. This facility can be invoked from the main menu by selecting the Options|Settings sub menu item as shown in figure 4.5.1.6.12.1 given below.

Figure 4.5.1.6.12.1- Selecting Settings menu item from main menu

When this item is selected, a dialog box as shown in figure 4.5.1.6.12.2 given below will be displayed for further processing.

Figure 4.5.1.6.12.2- Various items available in Settings dialog box

There are three tabs in this dialog box, viz., Global, Colours and Fonts. In the Global tab, there is a file viewer group containing two items, Ascii view and Unicode view. The Ascii view is simply the display of the contents of a file in ASCII format in the Text viewer. The Unicode view enables the user to view the contents of a Unicode file in Unicode format in the Text viewer. If files in different languages are available in an evidence file, they can be seen in their respective languages when the Unicode setting is used. How to set the Unicode setting is explained in more detail below.

4.5.1.6.12.1 UNICODE

Unicode is an encoding standard in which all characters are two bytes long. Unicode characters are sometimes called wide characters because they are wider (use more storage) than single-byte characters. A Unicode string is terminated by two zero bytes (the encoding of the value 0 in a wide character). Double-byte characters are used in East Asian and Middle Eastern languages.

How characters are stored in memory

Single-byte strings are stored one character after the next, with a single zero byte marking the end of the string. So, for example, "Bob" is stored as:

    42  6F  62  00
    B   o   b   EOS

The Unicode version, L"Bob", is stored as:

    42 00  6F 00  62 00  00 00
    B      o      b      EOS

with the character 0x0000 (the Unicode encoding of zero) marking the end.

4.5.1.6.12.1.1 How To Display Unicode Characters In CyberCheck

Figure 4.5.1.6.12.3 - Choosing Unicode View From Settings

Choose Options|Settings and then the Global tab. Two options are available, ASCII View and Unicode View, as shown in figure 4.5.1.6.12.3 given above. The ASCII View is what we normally see in CyberCheck. To display language content, Unicode View should be chosen. When it is selected and the OK button is pressed, the contents in the text view change to Unicode format, as shown in figure 4.5.1.6.12.4 given below.

Figure 4.5.1.6.12.4 -Viewing Unicode Characters in Text View

The above figure shows characters in Hindi, Tamil and English. You can see that, while selecting individual characters, the offset position is incremented by two, reflecting that each character takes two bytes, as shown in figure 4.5.1.6.12.5 given below.

Figure 4.5.1.6.12.5 - Selection of Single Unicode Character

The Table view in the right Pane also displays the Unicode file names in original language characters. In the Hex viewer, the equivalent of hexadecimal characters are displayed for the individual Unicode character as shown in figure 4.5.1.6.12.6 given below.

Figure 4.5.1.6.12.6 - Hexadecimal Display for Unicode Character

The above figure shows the hexadecimal equivalents of characters. The hexadecimal equivalent for க is 0B95; likewise we can get the hexadecimal values of the complete Unicode character set. In disk view, we can find the same Text-Hex Viewer, which displays the Unicode character and the equivalent hexadecimal characters.

Figure 4.5.1.6.12.7 - Unicode Text-Hex Viewer in Disk View in Bottom Pane

The same operations are available in the Unicode view as in the ASCII view of the Text-Hex viewer, as shown in figure 4.5.1.6.12.7 above. Unicode data can also be appended to the report, as shown in figure 4.5.1.6.12.8 given below.

Figure 4.5.1.6.12.8 - Appending Unicode Data to a Report


Select the Unicode data and right-click; a context menu is displayed. Select Append Selected Data to Report from the context menu; you are asked for a comment, and the selected data is then appended to the report. The Unicode (language) characters are displayed in the report as well, as shown in figure 4.5.1.6.12.9 given below.

Figure 4.5.1.6.12.9 - Appended Unicode Data in Report

The above figure shows the Unicode characters appended in the Report from the Text Viewer.

Figure 4.5.1.6.12.10 - Copying the Unicode Data

You can also copy the Unicode characters to the clipboard and paste them wherever you want. Copying is shown in figure 4.5.1.6.12.10 above. The copied data can be pasted into the Add Keyword dialog as Unicode characters, as shown in figure 4.5.1.6.12.11 given below.

Figure 4.5.1.6.12.11 - Pasting the Unicode Character in Keyword edit box

As with ASCII data, you can bookmark Unicode data and view it under Bookmark Data in the left pane.


In the File Summary and Folder Summary you get the details of files and folders with their names displayed in Unicode characters, as illustrated in figure 4.5.1.6.12.12 given below. Note that the Full Path is also displayed in Unicode.

Figure 4.5.1.6.12.12 - Display of Unicode Character in File Summary View

4.5.1.6.12.1.2 How To Perform Unicode Character Based File Search

Copy and paste the Unicode characters into the Add Keyword dialog box and select the Unicode check box. The search is then performed on the two-byte (Unicode) encoding of the keyword rather than on its single-byte ASCII encoding; a keyword stored in Unicode on the disk is not found by an ASCII search, and vice versa. This is shown in figure 4.5.1.6.12.13 given below. Note that this version of CyberCheck does not support Unicode-based GREP search.
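The two storage layouts described at the start of this section, and the reason a Unicode keyword has to be searched in its own encoding, shown in working code. This is an added example written for this page, not code from CyberCheck or C-DAC; the buffer SAMPLE_IMAGE, the Tamil sample word and the function names are constructed here for illustration.

```python
# Added example, not part of CyberCheck. Shows the single-byte and two-byte
# (UTF-16LE, the layout of Windows L"..." strings) forms described above and
# why a keyword search must probe both encodings. SAMPLE_IMAGE is a constructed
# buffer standing in for a slice of an evidence file.

def c_string_bytes(text: str) -> bytes:
    """Single-byte layout: one byte per character, a single 0x00 terminator."""
    return text.encode("ascii") + b"\x00"


def wide_string_bytes(text: str) -> bytes:
    """L"..." layout: two bytes per character, low byte first, 0x0000 terminator.
    This is why the text viewer's offset advances by two per character."""
    return text.encode("utf-16-le") + b"\x00\x00"


def hex_dump(data: bytes) -> str:
    """Render bytes the way the Hex viewer shows them, e.g. "42 6F 62 00"."""
    return " ".join(f"{b:02X}" for b in data)


def code_point_at(image: bytes, offset: int) -> int:
    """Read the two-byte character at offset (little-endian): the bytes 95 0B
    give 0x0B95, the value the Hex viewer reports for the Tamil letter KA."""
    return int.from_bytes(image[offset:offset + 2], "little")


def find_keyword(image: bytes, keyword: str) -> list:
    """Return (offset, encoding) pairs for every occurrence of keyword, trying
    the single-byte layout and then the two-byte layout. Searching only the
    single-byte form misses every hit stored the second way, and vice versa.
    A keyword outside ASCII (e.g. a Tamil word) has no single-byte form at all."""
    needles = []
    if keyword.isascii():
        needles.append(("ascii", keyword.encode("ascii")))
    needles.append(("utf-16le", keyword.encode("utf-16-le")))
    hits = []
    for label, needle in needles:
        pos = image.find(needle)
        while pos != -1:
            hits.append((pos, label))
            pos = image.find(needle, pos + 1)
    return sorted(hits)


# Constructed sample: an ASCII "Bob", a wide "Bob" and a wide Tamil word,
# separated by zero padding.
SAMPLE_IMAGE = (
    b"name=" + c_string_bytes("Bob")           # "Bob" at offset 5
    + b"\x00" * 4
    + b"wname=" + wide_string_bytes("Bob")     # L"Bob" at offset 19
    + b"\x00" * 4
    + wide_string_bytes("கவி")                 # Tamil word at offset 31
)

if __name__ == "__main__":
    print(hex_dump(c_string_bytes("Bob")))       # 42 6F 62 00
    print(hex_dump(wide_string_bytes("Bob")))    # 42 00 6F 00 62 00 00 00
    for offset, enc in find_keyword(SAMPLE_IMAGE, "Bob"):
        print(f"hit at {offset:3d} ({enc})")     # 5 (ascii), 19 (utf-16le)
    print(f"{code_point_at(SAMPLE_IMAGE, 31):04X}")   # 0B95
```

The two-byte search accepts a match at any byte offset, so a hit whose neighbouring bytes do not decode to readable text may be a coincidence of adjacent values; confirm such hits in the Hex viewer before relying on them.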


Figure 4.5.1.6.12.13 - Adding the Unicode Keyword for Search

In the Table view of the Keywords section, the Ascii/Unicode column of such a keyword shows Unicode. This is shown in figure 4.5.1.6.12.14 given below.

Figure 4.5.1.6.12.14 - Keyword List Showing Unicode Character


In the Search tab of the left pane, the hits of the Unicode search are listed, and the corresponding selections are highlighted in the Text-Hex viewer. This is shown in figure 4.5.1.6.12.15 given below.

Figure 4.5.1.6.12.15 - Results of the Unicode Based Search

4.5.1.6.12.1.3 How to Change the Default Color For Selection, Bookmark And Hits

Choose Settings|Colors tab. The dialog box shown in figure 4.5.1.6.12.16 given below is displayed with three colour entries, which indicate the foreground and background colours of Bookmark Selection, Search Hit and Text Selection respectively.

Figure 4.5.1.6.12.16 – Settings|Colors Tab Selection


Click on the corresponding Foreground or Background column to open a colour dialog box, where you can choose the foreground or background colour you wish to use, as shown in figure 4.5.1.6.12.17 given below.

Figure 4.5.1.6.12.17 - Selecting desired Colour from the Color Dialog Box

Select the desired colour and press the OK button. The selected colour is displayed in the Foreground column, and a preview of the colours is shown in the first column, where the text Text Selection is displayed, as shown in figure 4.5.1.6.12.18 given below.

Figure 4.5.1.6.12.18 - Preview of the Colour Selection in the Color Tab


Similarly you can change the background colour; the change is reflected in the item column. After making your choices press OK; this changes the text selection colour of the CyberCheck Text view as shown in figure 4.5.1.6.12.19 given below.

Figure 4.5.1.6.12.19 - Change of Text Selection Colors

Similarly you can change the Bookmark Selection and Search Hit colours using the Settings|Colors option.

Figure 4.5.1.6.12.20 - Regaining the Default Color


If you want to return to the default colours after changing them, check the Default Color check box. This restores CyberCheck's default colour settings, as shown in figure 4.5.1.6.12.20 given above.

4.5.1.6.12.1.4 How to Change the Font for the Viewers and Tab Items

Choose Settings|Font; the default fonts for the Table, the Tabs and the File Viewer are displayed as shown in figure 4.5.1.6.12.21 given below.

Figure 4.5.1.6.12.21 - Choosing the Settings Font Tab displays the default font

If you want to change the font of the Table view, click on the font name; the Windows default Font dialog box is displayed immediately, as shown in figure 4.5.1.6.12.22 given below.


Figure 4.5.1.6.12.22 - Choosing the desired Font from the Font Dialog Box

For example, choose Comic Sans MS for the Table font, Font Style Bold and Size 11, and click the OK button.

Figure 4.5.1.6.12.23 - Font Change Reflected in Table View

As shown in figure 4.5.1.6.12.23 given above, the Table view is updated with the chosen font, Comic Sans MS.


Figure 4.5.1.6.12.24 - Font Change Reflected in File Viewer

If you repeat the same steps for the File Viewer, it is displayed with the changed font. Figure 4.5.1.6.12.24 above shows the File Viewer in the Comic Sans MS font.

4.5.1.7 Keyword

Keyword search is one of the most common methods of analysis. It finds where given keywords occur in the files of the evidence. The search results are displayed in table format with the location in the file at which each keyword was found.

Before starting a keyword search, the analysing officer should enter the keyword(s) to be searched and select the keywords to be included in a search session. The officer can set the search space depending on the nature of the problem at hand: the entire set of files and folders, or a limited search in selected files, slack space, unallocated free clusters, lost clusters or swap files. Case-sensitive search and GREP search are also possible with CyberCheck.


4.5.1.7.1 Add Keyword

A list of keywords needs to be created for a keyword search; single or multiple keywords can be searched at a time. Keywords can be added in two ways. The first is to select the Keywords tab in the left pane and press the 'Ins' key, press the toolbar button with the 'key' symbol, or right-click Keywords and select Add Keyword. The second is to select the Add Keyword option from the Keywords menu, as shown in figure 4.5.1.7.1.1 given below. This menu item is enabled only when the Keywords tab is active in the left pane.

Figure 4.5.1.7.1.1 – Selecting Add Keyword menu item

When this item is selected, a dialog box will be displayed as shown in figure 4.5.1.7.1.2 given below.

Figure 4.5.1.7.1.2 – Dialog box for entering keywords


Enter the keyword to be searched in the edit box of the above dialog box. You may also specify whether the keyword is Case Sensitive, Unicode or Grep type by checking the appropriate check boxes. When you press the 'Add Keyword' button, the keyword is added to the list of keywords in the Table view, as shown in figure 4.5.1.7.1.3 given below. Any number of keywords can be added by entering each one in the edit box and pressing 'Add Keyword'. This lets the investigating officer build the list of needed keywords in a very short time.

Figure 4.5.1.7.1.3 – List of added keywords

Specify the keywords to be included in a search session by checking the boxes to the left of the keywords, as shown in the above figure. Keywords can also be added by right-clicking the Keywords item in the Keywords tab pane, as shown in figure 4.5.1.7.1.4 given below; the dialog box of figure 4.5.1.7.1.2 is then displayed for entering the keyword.

Figure 4.5.1.7.1.4 – Selecting Add Keyword menu from Left Pane

After selecting the keywords, click the binocular icon in the toolbar or select the Search option from the main user interface. The fourth item in the toolbar (the item with the key symbol) has the same functionality.


4.5.1.7.2 General Regular Expression (GREP) Search

GREP is a pattern-matching program originally found on UNIX that uses "regular expressions" to look for text strings in a file. A regular expression (regex) is a text string that describes a search pattern. To add a GREP expression, select the Add Keyword option from the Keywords menu. In the Add Keyword dialog shown in figure 4.5.1.7.2.1 below, enter the expression to be searched and select the "Grep" option. If the search is to be case-sensitive, also select the Case Sensitive option. Add one expression at a time; to add more expressions, repeat the process. Check the keywords to be included in the search, as explained above, and start the search by selecting the Search menu item.

Figure 4.5.1.7.2.1 – Entering GREP expression to be searched

The following is a list of the valid GREP tokens:

. - Matches any single character except newline.

* - An asterisk after a character matches any number of occurrences of that character, including zero. For example, "john,*smith" would match "john,smith", "john,,smith" and "johnsmith".

\ - A backslash before a character indicates that the character is to be treated literally and not as a GREP character. For example, \* turns off the special meaning of the asterisk so that it matches a literal asterisk.

a[a]* - A character followed by the same character in a set and an asterisk matches one or more occurrences of that character (any number except zero). For example, "john,[,]*smith" would match "john,smith" or "john,,smith" but would NOT match "johnsmith".

[ ] - Characters in brackets match any one character that appears in the brackets. For example, "smit[hy]" would match "smith" and "smity".

[-] - A dash within the brackets signifies a range of characters. For example, [a-e] matches any character from a through e; [2-8] matches any digit from 2 to 8.

(a|b) - The OR symbol within parentheses matches either a or b.

Grep Examples:

The following examples show some of the power that GREP expressions give you when looking for text.

john.smith

The '.' period matches any single character. This expression finds "john" followed by any one character followed by "smith":
john smith
john,smith
johnQsmith

john[ ,;]smith

The characters inside the brackets are called a set and are treated as a single character. This expression finds "john" followed by a space OR a comma OR a semicolon, followed by "smith":
john smith
john,smith
john;smith

john[0-9a-z]smith

The dash indicates a range of characters when inside a set. This expression finds "john" followed by any one character between '0' and '9' or between 'a' and 'z', followed by "smith":
john0smith
john1smith
johnzsmith

john [ ]*smith

The space after "john" must occur, and the set "[ ]" followed by '*' repeats a space any number of times including zero; together they require at least one space. This expression finds "john" followed by one or more spaces followed by "smith":
john smith (one space)
john  smith (two spaces)
john   smith (three spaces)

john-*smith

The '*' star repeats the preceding character (or set) any number of times, including zero. This expression finds "john" followed by any number of dashes followed by "smith":
johnsmith
john-smith
john---smith

[a-z][a-z0-9_]*@[a-z][a-z]*\.[a-z][a-z]*

This expression matches simple e-mail addresses of the form user@domain.tld: a user part beginning with a letter and continuing with letters, digits or underscores, followed by '@', a domain of letters only, a literal dot and a top-level domain of letters only. It does not match every address: a dot or hyphen in the user part, or a subdomain in the domain part (for example first.last@mail.example.com), produces either no hit or a hit that covers only part of the address, so treat it as a starting point rather than a complete e-mail detector. If you want to search for e-mail addresses with specific top-level domains (TLDs), use the following expression (note that the unescaped dot in co.in matches any character):

[a-z][a-z0-9_]*@[a-z][a-z]*\.(com|org|co.in|in|uk|edu)

http://www\.[a-z]*\.com

This expression matches "http://www." followed by any alphabetic characters followed by ".com". This is a good way to look for web site references:
http://www.bozo.com
NOT http://www.to-wong-foo.com (the hyphens are not in the set [a-z])
NOT http://www.bozo.org (the expression requires .com)

You can use the following expression to list web site references regardless of the domain:

(http|https|ftp)://[a-z]*\.[a-z][a-z0-9\- ]*[\.a-z0-9/_\-#:]*
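The GREP expressions listed above, run over a constructed text so that what each one catches and what it misses can be seen as hit rows (offset and matched text). This is an added example, not code from the CyberCheck manual; SAMPLE_TEXT, the pattern labels and the function names are constructed here. Every token the manual lists (., *, \, [...], ranges and (a|b)) has the same meaning in Python's re module, so the patterns are used exactly as printed.

```python
import re

# Added example, not from the CyberCheck manual. Runs the GREP expressions
# above over a constructed text and reports hits as (offset, matched text).

# Constructed sample text: it contains the strings the examples are meant to
# match and a few they are meant to reject.
SAMPLE_TEXT = (
    "john smith john,smith john;smith johnQsmith johnsmith john-smith "
    "john---smith john   smith john0smith johnzsmith "
    "mail bob_99@example.com and first.last@sub.example.co.uk "
    "http://www.bozo.com http://www.to-wong-foo.com http://www.bozo.org "
    "https://files.example.org/path/to/file_1.html#top"
)

# The manual's patterns, reproduced as printed.
PATTERNS = {
    "any one char":  r"john.smith",
    "set":           r"john[ ,;]smith",
    "range":         r"john[0-9a-z]smith",
    "one or more":   r"john [ ]*smith",
    "zero or more":  r"john-*smith",
    "email":         r"[a-z][a-z0-9_]*@[a-z][a-z]*\.[a-z][a-z]*",
    "www .com only": r"http://www\.[a-z]*\.com",
    "any url":       r"(http|https|ftp)://[a-z]*\.[a-z][a-z0-9\- ]*[\.a-z0-9/_\-#:]*",
}


def grep_hits(text, pattern, case_sensitive=False):
    """Return (offset, matched text) for every non-overlapping match.
    As in CyberCheck, the search ignores case unless asked not to."""
    flags = 0 if case_sensitive else re.IGNORECASE
    return [(m.start(), m.group(0)) for m in re.finditer(pattern, text, flags)]


def matched(text, pattern, case_sensitive=False):
    """Only the matched strings, for checking what a pattern really catches."""
    return [s for _, s in grep_hits(text, pattern, case_sensitive)]


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name:14s} {pattern}")
        for offset, hit in grep_hits(SAMPLE_TEXT, pattern):
            print(f"    {offset:4d}  {hit}")
    # The email pattern does not understand dots in the user part or
    # subdomains: "first.last@sub.example.co.uk" yields the partial hit
    # "last@sub.example", which would point an examiner at the wrong string.
    print(matched(SAMPLE_TEXT, PATTERNS["email"]))
    # With Case Sensitive selected, [a-z] no longer matches the 'Q':
    print(matched(SAMPLE_TEXT, PATTERNS["range"], case_sensitive=True))
```

Comparing the hit list of a pattern against the text it ran over, as this does, is the quickest way to find out whether an expression is too narrow (the .com-only URL pattern) or too loose before it is run over a whole evidence file.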


4.5.1.7.3 Send to Recycle Bin

If you want to delete a keyword from the list, first send it to the Recycle Bin and then delete it from the Recycle Bin. The Recycle Bin referred to here is a folder within the CyberCheck environment, not the operating system's Recycle Bin; it works the same way, as a temporary holding place for items to be deleted or restored later. A keyword is sent to the Recycle Bin by selecting it, right-clicking it and choosing Send to Recycle Bin, as shown in figure 4.5.1.7.4.1 given below.

Figure 4.5.1.7.4.1 – Selecting Send to Recycle Bin menu item from Keywords window

When an item is selected and the Send to Recycle Bin menu item is chosen, a warning message is displayed to confirm the operation, after which the item is moved to the Recycle Bin. To see the items in the Recycle Bin, select the Recycle Bin item in the Keywords pane, as shown in figure 4.5.1.7.4.2 given below.

Figure 4.5.1.7.4.2 – Items available in Recycle Bin


4.5.1.7.5 Delete Keyword

CyberCheck provides a feature to Delete Keywords already added into the list of keywords. This can be done as shown in figure 4.5.1.7.5.1 given below.

Figure 4.5.1.7.5.1 - Deleting a Keyword

Choose the Recycle Bin item in the Keywords pane, right-click the item to be deleted in the list displayed in the right window, select Delete Keyword from the context menu and press Yes when the confirmation message is displayed. The delete operation can also be invoked from the menu item Keywords|Delete Keyword in the main user interface; this menu item is enabled only when a keyword is selected from the list.

4.5.1.7.6 Restore Keyword

To restore a keyword from the Recycle Bin, right-click the keyword and select Restore Keyword from the context menu, as shown in figure 4.5.1.7.6.1. This can also be initiated from the Keywords menu of the main user interface when an item is selected in the Recycle Bin list.

Figure 4.5.1.7.6.1 - Restoring a Keyword


4.5.1.7.7 Empty Recycle Bin

To empty the Recycle Bin, right-click the Recycle Bin item and select Empty Recycle Bin, as shown in figure 4.5.1.7.7.1.

Figure 4.5.1.7.7.1 – Emptying Recycle Bin

4.5.1.7.8 Edit Keyword

To modify a keyword, right-click the keyword and select 'Edit Keyword' from the context menu, as shown in figure 4.5.1.7.8.1.

Figure 4.5.1.7.8.1 - Editing a Keyword

4.5.1.8 Bookmark

During analysis the investigator may find a file, folder or part of a file worth detailed examination. CyberCheck provides a facility for bookmarking such items into separate folders so that they can be examined in detail later. If the investigator identifies valuable evidence among these items, it can be appended to the report from the bookmarked items. This view is opened by clicking the Bookmarks tab in the left pane; figure 4.5.1.8.1 given below shows the Bookmark view.

Figure 4.5.1.8.1 - Bookmarks TabView

The Bookmarks tab view provides three options namely:

Folders - This contains information regarding all bookmarked folders

Files - This contains information regarding all bookmarked files.

Selected Data - This contains information regarding the data selected for BookMarking during the analysis

Folder and file bookmarking can be done only from the Table view in the right pane. Selected-data bookmarking can be done only from the Text view in the bottom pane: select the data to be bookmarked, right-click and choose the bookmark option. A sample bookmarked data item is shown in figure 4.5.1.8.2 given below.


Figure 4.5.1.8.2 – Selected data that is bookmarked

The right pane shows a number of attributes of the bookmarked data, including the name of the file in which the data is located, whether the file is deleted, the file type and the comment on the bookmarked item. The comment is the last of the attributes.

4.5.1.8.1 Bookmark File

To bookmark a file, select the desired file in the Table view and right-click it to view the context menu. Choose Bookmark File from the context menu as shown in figure 4.5.1.8.3 given below. This can also be done by selecting Bookmark|Bookmark File as shown in figure 4.5.1.8.4.


Figure 4.5.1.8.3 – Bookmarking a file using context menu.

Figure 4.5.1.8.4 – Bookmarking a file using main menu.

When this item is selected, a message for confirming the process will be displayed. When Yes button is pressed, a dialog box will be displayed for entering comments, if any, to be attached with this file. Enter appropriate comment and press OK button for bookmarking the selected file.

4.5.1.8.2 Bookmark Folder

To bookmark a folder, select the desired folder in the Table view and right-click it to view the context menu. Choose Bookmark Folder from the context menu as shown in figure 4.5.1.8.5 given below. This can also be done by selecting Bookmark|Bookmark Folder as shown in figure 4.5.1.8.6.

Figure 4.5.1.8.5 – Bookmarking a folder using context menu.

Figure 4.5.1.8.6 – Bookmarking a folder using main menu.

When this item is selected, a message for confirming the process will be displayed. When Yes button is pressed, a dialog box will be displayed for entering comments, if any, to be attached with this folder. Enter appropriate comment and press OK button for bookmarking the selected folder.

4.5.1.8.3 Bookmark Selected Data

To bookmark data, select (block) the desired data in the Text view and right-click the block to view the context menu. Choose Bookmark Selected Data from the context menu as shown in figure 4.5.1.8.7 given below. This can also be done by selecting Bookmark|Bookmark Selected Data as shown in figure 4.5.1.8.8.

Figure 4.5.1.8.7 – Bookmarking selected data using context menu.

Figure 4.5.1.8.8 – Bookmarking selected data using main menu.

When this item is selected, a message for confirming the process is displayed. When the Yes button is pressed, a dialog box is displayed for entering a comment, if any, to be attached to this data. Enter an appropriate comment and press the OK button to bookmark the selected data.

4.5.1.8.4 Send to Recycle Bin

To delete a bookmarked item, choose its category in the Bookmarks tab view and right-click the desired item in the Table view. Choose Send to Recycle Bin from the context menu as shown in figure 4.5.1.8.9 given below. This can also be done by selecting Bookmark|Send to Recycle Bin as shown in figure 4.5.1.8.10.


Figure 4.5.1.8.9 – Sending a book marked item to Recycle Bin using context menu.

Figure 4.5.1.8.10 – Sending a book marked item to Recycle Bin using main menu.

4.5.1.8.5 Restore Item

To restore an item from the Recycle Bin, select the desired category under it; the available items of that category are displayed in the Table view. Right-click the desired item in the Table view to view the context menu and choose Restore Item, as shown in figure 4.5.1.8.11 given below. This can also be done by selecting Bookmark|Restore Item as shown in figure 4.5.1.8.12.


Figure 4.5.1.8.11 – Restoring an item from Recycle Bin using context menu.

Figure 4.5.1.8.12 – Restoring an item from Recycle Bin using main menu.

4.5.1.8.6 Delete Item

To delete an item from the Recycle Bin, select the desired category under it; the available items of that category are displayed in the Table view. Right-click the desired item in the Table view to view the context menu and choose Delete Item, as shown in figure 4.5.1.8.13 given below. This can also be done by selecting Bookmark|Delete Item as shown in figure 4.5.1.8.14.


Figure 4.5.1.8.13 – Deleting an item from Recycle Bin using context menu.

Figure 4.5.1.8.14 – Deleting an item from Recycle Bin using main menu.

4.5.1.8.7 Empty Recycle Bin

To empty the Recycle Bin, right-click it to view the context menu, choose Empty Recycle Bin as shown in figure 4.5.1.8.15 given below and follow the instructions in the subsequent dialog boxes. This can also be done by selecting Bookmark|Empty Recycle Bin as shown in figure 4.5.1.8.16.

Figure 4.5.1.8.15 – Emptying Recycle Bin using context menu.


Figure 4.5.1.8.16 – Emptying Recycle Bin using main menu.

4.5.1.9 Search

Searching is one of the main ways to find digital evidence in an evidence file with CyberCheck. A search is either a file search or a keyword search. In a file search you search for files with specific extensions. In a keyword search you search for one or more keywords that may be present in the evidence file; you can search for as many keywords as there are in your keyword list, but the more keywords, the longer the search takes. If needed, you can split the search into several sessions, and the results of each session are shown independently. You can limit the search space by searching only selected files or by checking only the required items in the Search dialog box.

CyberCheck can search for keywords in the whole evidence file, in selected files/folders, swap files, slack areas, lost clusters and used unallocated clusters. Slack searching covers MBR slack, EMBR slack, partition slack, disk slack, RAM slack and file slack, each searched separately. Case-sensitive searching is also available; it is selected with the Case Sensitive option when adding a keyword in the Keywords tab of the left pane.

4.5.1.9.1 Keyword Search

Keyword search is one of the most common methods of analysis.


It finds where given keywords occur in the files of the evidence, and the results are displayed in table format with the location in the file at which each keyword was found. Before starting a keyword search, the analysing officer should enter the keyword(s) to be searched and select the keywords to be included in the search session; refer to the section "Keyword" for details. The officer can set the search space depending on the nature of the problem at hand: all files and folders, or a limited search in selected files, slack space, unallocated free clusters, lost clusters or swap files. Case-sensitive searching is also possible. After adding and choosing the keywords for the session, select the Search|Keyword Search menu item from the main interface as shown in figure 4.5.1.9.1 given below, or click the binocular icon in the toolbar.

Figure 4.5.1.9.1 – Selecting Keyword Search menu item

When this item is selected, a dialog box as shown in figure 4.5.1.9.2 given below will be displayed for setting different options for the search space.


Figure 4.5.1.9.2 – Dialog box for setting search options

There are a number of options to limit the search space, as shown in the above figure. To search all folders and files of the evidence file, click the Entire Case radio button. To limit the search to selected files and folders, click the Selected Only radio button; the desired files and folders must be selected before choosing Search|Keyword Search. The dialog box also shows the evidence files and the keywords selected for searching. The remaining options, Files and Folders, Swap Files, Used unallocated clusters, Lost clusters and Slack, limit the search to the corresponding areas.


When Files and Folders are selected, the search can be further limited with the options Ignore Files in Custom Hash Library, Search by Extension and Ignore System Files. The Custom Hash Library is a library of hash values of known files such as operating system files, application files and files chosen by the user; files whose hash is in the library are skipped. Search by Extension limits the search to files with the specified extensions, which are entered in the edit box under the option. Ignore System Files excludes system files from the search space. The Swap Files, Used unallocated clusters, Lost clusters and Slack items in the dialog box limit the search to those areas.

When the options have been set, press the Start Search button to begin. A progress bar shows the status of the process. To cancel, right-click the progress bar and select the Cancel button that appears; after confirmation the process is terminated. To know the number of hits before the search completes, hold the mouse pointer over the progress bar for a moment; a tool tip as shown in figure 4.5.1.9.3 given below displays the number of hits so far.
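How the search areas of the dialog above (file content, file slack, unallocated clusters) divide up an image, and what the Ignore Files in Custom Hash Library and Search by Extension options remove from the Files and Folders area, shown in working code. This is an added illustration of the concepts, not CyberCheck's implementation: the cluster size, the file table, the residue placed in slack and unallocated space and all function names are constructed here.

```python
import hashlib

# Added example, not CyberCheck's implementation. Everything below (cluster
# size, file table, residue in slack and unallocated space, function names)
# is constructed to show how the search areas carve up an image and what the
# hash-library and extension options remove from the "file" area.

CLUSTER = 64            # constructed cluster size, small enough to reason about
TOTAL_CLUSTERS = 6      # constructed image: 6 clusters, 384 bytes

# Constructed file table: (name, first cluster, logical content). Each file
# occupies ceil(len(content) / CLUSTER) consecutive clusters.
FILES = [
    ("notes.txt", 0, b"meeting john smith friday"),
    ("sys.dll",   1, b"MZ\x90\x00 (c) smith tools"),
    ("pic.jpg",   3, b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 70),
]

# Constructed residue from earlier, now deleted, content: bytes after a file's
# logical end inside its last cluster (file slack) and bytes in clusters no
# file owns (unallocated).
SLACK_RESIDUE = {"sys.dll": b" old note: smith owes"}
UNALLOCATED_RESIDUE = {2: b"deleted mail to smith"}


def build_image() -> bytes:
    """Lay the files and the residue out in one flat buffer."""
    img = bytearray(TOTAL_CLUSTERS * CLUSTER)
    for cluster, residue in UNALLOCATED_RESIDUE.items():
        img[cluster * CLUSTER:cluster * CLUSTER + len(residue)] = residue
    for name, first, content in FILES:
        start = first * CLUSTER
        img[start:start + len(content)] = content
        residue = SLACK_RESIDUE.get(name, b"")
        img[start + len(content):start + len(content) + len(residue)] = residue
    return bytes(img)


def regions() -> list:
    """(area, owner, start, end) for every byte range a search can cover:
    live file content, the file's slack, and each unallocated cluster."""
    allocated, out = set(), []
    for name, first, content in FILES:
        n_clusters = -(-len(content) // CLUSTER)          # ceiling division
        start, end_alloc = first * CLUSTER, (first + n_clusters) * CLUSTER
        allocated.update(range(first, first + n_clusters))
        out.append(("file", name, start, start + len(content)))
        if start + len(content) < end_alloc:
            out.append(("file slack", name, start + len(content), end_alloc))
    for c in range(TOTAL_CLUSTERS):
        if c not in allocated:
            out.append(("unallocated", f"cluster {c}", c * CLUSTER, (c + 1) * CLUSTER))
    return out


def file_hash(name: str) -> str:
    """SHA-256 of a file's logical content, the kind of value a hash library holds."""
    content = next(c for n, _, c in FILES if n == name)
    return hashlib.sha256(content).hexdigest()


def search(image: bytes, keyword: str,
           areas=("file", "file slack", "unallocated"),
           known_hashes=frozenset(), extensions=None) -> list:
    """Case-insensitive keyword search limited to the chosen areas.
    Returns (area, owner, absolute offset) tuples sorted by offset.
    known_hashes and extensions filter only the "file" area: a known file's
    slack is not part of the hashed content, so it is still searched."""
    needle = keyword.lower().encode()
    hits = []
    for area, owner, start, end in regions():
        if area not in areas:
            continue
        chunk = image[start:end]
        if area == "file":
            if hashlib.sha256(chunk).hexdigest() in known_hashes:
                continue                      # Ignore Files in Custom Hash Library
            if extensions is not None and owner.rsplit(".", 1)[-1].lower() not in extensions:
                continue                      # Search by Extension
        low = chunk.lower()
        pos = low.find(needle)
        while pos != -1:
            hits.append((area, owner, start + pos))
            pos = low.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h[2])


if __name__ == "__main__":
    image = build_image()
    for hit in search(image, "smith"):
        print(hit)
    print("ignoring sys.dll by hash:",
          search(image, "smith", known_hashes={file_hash("sys.dll")}))
    print("only .txt files:",
          search(image, "smith", areas=("file",), extensions={"txt"}))
```

The point to notice is the slack hit: excluding sys.dll through the hash library removes the hit inside its content but not the one in its slack, because the bytes after the logical end of a file are not covered by the file's hash. That is why the Slack item in the dialog is a separate choice from Files and Folders.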

Figure 4.5.1.9.3 – Tool tip indicating search hits during the search process

When the search completes, a message box showing the total hits and the elapsed time is displayed, as shown in figure 4.5.1.9.4. If the user selects 'Yes', the control goes to the newly added session in the Search pane, as shown in figure 4.5.1.9.5.


Figure 4.5.1.9.4 – MessageBox coming after the completion of search process.

Figure 4.5.1.9.5 – Search results displayed in Search Tab

Searches can be run in different sessions with different sets of keywords. The result of each session is added to the Search tab, as shown in the above figure, with the keywords and the number of hits. The right pane gives the details of each hit: the name of the file in which the keyword occurs, a preview of the keyword, the location of the keyword in the file and the complete path of the file. When a hit is selected in the right pane, the file content is displayed in the text viewer with the keyword highlighted, as shown in the above figure. You can browse the hits one by one and each is highlighted in the text viewer in turn. If a portion of the text is relevant to the case, it can be bookmarked and later appended to the report. The fifth item in the toolbar has the same functionality.

4.5.1.9.2 File Search

In file searching, you can search for files with a particular extension. You can select File Search option either by selecting the Search option from main menu or by clicking the Binocular icon from the Toolbar. Figure 4.5.1.9.6 given below shows how to select the File search option from the menu.

Figure 4.5.1.9.6 - Selecting File Search option

File search is provided to find out whether files with a particular extension exist in the evidence file. Once you choose the File Search option, a small window as given in figure 4.5.1.9.7 below will be displayed; select the Files option in that window and choose the type of files to be searched.


Figure 4.5.1.9.7 – Dialog box for specifying the type of file to be searched

CyberCheck provides different options for selecting the type of files. They are:

o Search Document files

o Search Image Files

o Search Audio Files

o Search Video Files

When any of these options is selected, the corresponding extensions will be added to the edit box shown in the dialog box. If you want to add any other extension, type it into the edit box. Only the extension is needed, without the period (.). Any number of extensions may be specified, each separated by a semicolon. By default, the search will be done on the entire case file. You can also limit the file search to the selected folder by selecting the Selected Files option from the dialog box shown above. After specifying the File Types to be searched, click the OK button. A progress bar will then be displayed to indicate the progress of the search process, as shown in figure 4.5.1.9.8 given below.

Figure 4.5.1.9.8 - Progress bar displaying the search status

The files which match the specified extensions will be added to the Search Files item in the Search Tab view in the left pane and displayed in the Table View. You can also see the various file attributes in the Table View. If you click on a file, the file content will be displayed in the Text viewer. This set of files will remain available in the File extension folder in the Search Tab view until it is replaced by the result of another File Search. The search result is shown in figure 4.5.1.9.9 given below.

Figure 4.5.1.9.9 - Displaying the File Search result

To search for files with a particular hash value, click the ‘File Hash’ option in the ‘Search by’ group in the ‘File Search’ window. The ‘File Types’ options are then disabled and you have to enter the hash value of the file in the text box. The hash value is a 32 character hexadecimal number. CyberCheck offers a facility to get the hash value of a particular file by right clicking on the file entry in the Table View. This is possible only if the particular file has been hashed, in which case the hash value is displayed in the last column of the Table View. If the hash value is not displayed, you can hash the file with Options|Hash Files from the Analysis Window’s menu bar. After copying the hash value, paste it in the text box and click the OK button. This is shown in figure 4.5.1.9.10 given below. A Progress Bar will be displayed on the status bar to indicate the progress of the file search process.

Figure 4.5.1.9.10 – Selecting file search based on hash value

On successful completion of the search process, CyberCheck will add the matching files to the Search Tab in a folder titled File Hash. The attributes of the files will be displayed in the Table view as shown in figure 4.5.1.9.11 given below.

Figure 4.5.1.9.11 – Result of file search based on hash value
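The two File Search modes described above, searching by an extension list typed into the edit box (extensions without the period, separated by semicolons) and searching by a hash value, are simple enough to reproduce outside the tool. The following Python script is an added example written for this manual page; it is not CyberCheck code and does not reproduce CyberCheck's internals. It assumes MD5 for the 32 character hexadecimal hash (the manual gives the length but not the algorithm), the preset extension groups are assumptions because the manual does not list the extensions behind each check box, the sample files are constructed in a temporary folder, and the Ignore Files in Custom Hash Library option from the keyword search section is modelled as a set of known-file hashes that are skipped.

```python
import hashlib
import tempfile
from pathlib import Path

# Preset groups as offered by the dialog's check boxes. The manual does not
# list the extensions CyberCheck adds for each group, so these are assumptions.
PRESET_EXTENSIONS = {
    "document": "doc;txt;pdf;rtf",
    "image": "jpg;jpeg;gif;bmp;png",
    "audio": "mp3;wav;wma",
    "video": "avi;mpg;mpeg;wmv",
}


def parse_extension_list(text):
    """Parse the edit box text: extensions without the period, separated by
    semicolons. Matching is case-insensitive, blank entries are dropped and
    a stray leading period is tolerated."""
    exts = set()
    for item in text.split(";"):
        item = item.strip().lstrip(".").lower()
        if item:
            exts.add(item)
    return exts


def md5_of_file(path, chunk_size=1 << 20):
    """32-character hexadecimal MD5 of a file, read in chunks so that large
    files are not loaded into memory at once (MD5 is an assumption)."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_hash_library(paths):
    """Hash set of known files (operating system, application or user
    supplied), playing the role of the Custom Hash Library."""
    return frozenset(md5_of_file(p) for p in paths)


def _files_under(root):
    return [p for p in sorted(Path(root).rglob("*")) if p.is_file()]


def search_by_extension(root, ext_text, ignore_hashes=frozenset()):
    """Files under root whose extension is in ext_text. Files whose hash is
    in the library are skipped, as with Ignore Files in Custom Hash Library."""
    exts = parse_extension_list(ext_text)
    hits = []
    for path in _files_under(root):
        if path.suffix.lstrip(".").lower() not in exts:
            continue
        if ignore_hashes and md5_of_file(path) in ignore_hashes:
            continue
        hits.append(path)
    return hits


def search_by_hash(root, hash_text):
    """Files under root whose MD5 equals the value typed into the File Hash
    box. A renamed copy is found too, because only the content is compared."""
    wanted = hash_text.strip().lower()
    if len(wanted) != 32 or any(c not in "0123456789abcdef" for c in wanted):
        raise ValueError("hash value must be a 32 character hexadecimal number")
    return [p for p in _files_under(root) if md5_of_file(p) == wanted]


def demo():
    """Run both searches over a constructed evidence tree in a temporary
    folder. Returns relative paths so the result is deterministic."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {  # constructed sample files, not real evidence
            "docs/report.doc": b"quarterly figures",
            "docs/notes.TXT": b"meeting notes",
            "docs/template.doc": b"blank application template",
            "backup/notes_copy.txt": b"meeting notes",  # renamed duplicate
            "photo.jpg": b"\xff\xd8\xff\xe0 constructed image bytes",
        }
        for name, data in samples.items():
            (root / name).parent.mkdir(parents=True, exist_ok=True)
            (root / name).write_bytes(data)
        # template.doc is a known application file: put it in the library
        library = build_hash_library([root / "docs/template.doc"])
        target = hashlib.md5(b"meeting notes").hexdigest()

        def rel(paths):
            return sorted(p.relative_to(root).as_posix() for p in paths)

        return {
            "by_extension": rel(search_by_extension(root, "doc;txt", library)),
            "by_hash": rel(search_by_hash(root, target)),
        }


if __name__ == "__main__":
    print(demo())
```

Running the script prints both result sets: the extension search returns the two user documents and the renamed copy but not the library file, and the hash search returns both files carrying the same content regardless of their names, which is why a hash based search is the reliable way to locate a known file that has been renamed or moved.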


4.5.1.9.3 Send to Recycle Bin

If you want to send the search results of a session into recycle bin, right click on the desired session and click on send to recycle bin. Search hits of that session will be moved into the recycle bin.

4.5.1.9.4 Restore Session

If you want to restore a session from the recycle bin, right click on the desired session in the recycle bin and select restore session menu item. The desired session would be moved to the appropriate section in the Search Result group.

4.5.1.9.5 Delete Session

If you want to delete a session from the recycle bin, right click on the desired session in the recycle bin and select delete session menu item.

4.5.1.9.6 Empty Recycle Bin

If you want to empty the Recycle Bin, right click on the Recycle Bin menu item and select the Empty Recycle Bin item.

4.5.1.10 Export

CyberCheck provides a facility to export folders/files, lost clusters, used free clusters, swap files, slack data and folder structure into a user specified path. Exporting deleted files and folders becomes part of data recovery. The following sections explain this facility in more detail.

4.5.1.10.1 File/Folder


If you want to export a file or folder, select the desired item from the Table view and either select the menu item Export|File/Folder from main user interface or right click on the selected item and select Export item from the context menu. A dialog box as shown in figure 4.5.1.10.1 given below will be displayed to specify a path into which the selected item will be exported.

Figure 4.5.1.10.1 – Dialog box for specifying a folder path to export an item

After exporting the item into the specified path, a message will be displayed showing the status of the export process.

4.5.1.10.2 Lost Clusters

CyberCheck provides a facility to export the lost clusters available in an evidence file into a folder in the export folder path, and a facility to search through lost clusters for gathering evidence. Lost clusters are one of the areas most likely to contain digital evidence. The user may invoke this facility from the main user interface by selecting the menu item Export|Lost Clusters as shown in figure 4.5.1.10.2 given below.


Figure 4.5.1.10.2 – Selecting Export | Lost Clusters option from main menu

When this option is selected, the exporting of lost clusters into a file in the export folder path will be started and a progress bar will be displayed for indicating the status of the process. When exporting is completed, a message box will be displayed notifying the completion of the process and the path in which the lost clusters contents are saved. CyberCheck has added a Lost Clusters entry in the Table view for each partition available in the evidence file to view the content of the Lost Clusters as shown in figure 4.5.1.10.3 given below.

Figure 4.5.1.10.3 – Display of Lost Clusters entry in the Table view.

When the lost clusters have been exported, clicking on the Lost Clusters entry in the Table view will display its contents in the Text viewer as shown in the above figure. The user may search the contents of the lost clusters for particular key words as explained in the search section. The result of an example search is displayed in figure 4.5.1.10.4 given below.


Figure 4.5.1.10.4 – Result of a key word search in Lost Clusters.

4.5.1.10.3 Used Free Clusters

CyberCheck provides a facility to export the used free clusters available in an evidence file into a folder in the export folder path, and a facility to search through used free clusters for gathering evidence. Used free clusters are one of the areas most likely to contain digital evidence. The user may invoke this facility from the main user interface by selecting the menu item Export|Used Free Clusters as shown in figure 4.5.1.10.5 given below.

Figure 4.5.1.10.5 – Selecting Export|Used Free Clusters option from main menu


When this option is selected, the exporting of used free clusters into a file in the export folder path will be started and a progress bar will be displayed to indicate the status of the process. When exporting is completed, a message box will be displayed notifying the completion of the process and the path in which the used free clusters contents are saved. CyberCheck adds a Used Unallocated Clusters entry in the Table view for each partition available in the evidence file, through which the content of the used free clusters can be viewed as shown in figure 4.5.1.10.6 given below.

Figure 4.5.1.10.6 – Display of Used Unallocated Clusters entry in the Table view.

When the used free clusters are exported, clicking on the Used Unallocated Clusters entry in the Table view will display its contents in the Text viewer as shown in the above figure.

The user may search the contents of the used free clusters for particular key words as explained in the search section. The result of an example search is displayed in figure 4.5.1.10.7 given below.


Figure 4.5.1.10.7 – Result of a key word search in Used Free Clusters.

4.5.1.10.4 Swap Files

CyberCheck provides a facility to export the swap files available in an evidence file into a folder in the export folder path, and a facility to search through swap files for gathering evidence. Swap files are one of the likely areas to contain digital evidence. The user may invoke this facility from the main user interface by selecting the menu item Export|Swap Files as shown in figure 4.5.1.10.8 given below. This feature is not applicable if the file system under analysis is a Linux file system, since a Linux file system does not have swap files.


Figure 4.5.1.10.8 – Selecting Export|Swap Files option from main menu

When this option is selected, the exporting of swap files into a file in the export folder path will be started and a progress bar will be displayed to indicate the status of the process. When exporting is completed, a message box will be displayed notifying the completion of the process and the path in which the swap files contents are saved. The user may search the contents of the swap files for particular key words. After selecting the desired key words from the key words list as explained in the search section, start the key word search. A window as given in figure 4.5.1.10.9 will be displayed for setting the swap file search option.


Figure 4.5.1.10.9 – Selecting Swap Files for search.

After selecting swap files from the above dialog box, click Start Search button to start the swap file search. A progress bar will be displayed to indicate the status of the process. When the search process is completed, the result of the search hits will be displayed as shown in figure 4.5.1.10.10 given below.


Figure 4.5.1.10.10 – Result of a key word search in Swap Files.

4.5.1.10.5 Slack Data

CyberCheck provides a facility to export the data contained in the different slacks available in an evidence file. The content of these slacks will be exported to the export folder path. The user may search these areas for particular key words as explained in the search section. Slack areas are one of the key areas likely to contain digital evidence. The user may invoke this facility from the main user interface by selecting the menu item Export|Slack Data as shown in figure 4.5.1.10.11 given below.


Figure 4.5.1.10.11 – Selecting Export|Slack Data option from main menu

When this option is selected, the exporting of the contents of the different slack areas into the export folder path will be started. An appropriate progress bar will be displayed to indicate the status of the process as the different contents are exported. After completing the process, a message box will be displayed to notify the end of the process. The user may search the slack areas for particular key words. After selecting the desired key words from the key words list as explained in the search section, start the key word search. A window as given in figure 4.5.1.10.12 will be displayed for setting the slack area search option.


Figure 4.5.1.10.12 – Selecting different slacks for search.

After selecting the different slacks from the above dialog box, click the Start Search button to start the search. A progress bar will be displayed to indicate the status of the process. When the search process is completed, the result of the search hits will be displayed as shown in figure 4.5.1.10.13 given below.


Figure 4.5.1.10.13 – Result of a key word search in Slack Data.

4.5.1.10.6 Folder Structure

If you want to export the structure of a folder into a file, select the desired folder from the Probe view and either select the Export|Folder Structure menu item from the main user interface or right click on the selected item and choose the Export Folder Structure menu item from the context menu. CyberCheck will ask for confirmation before exporting the folder structure and will display the path and filename into which the folder structure is written.


4.5.1.11 Extract

4.5.1.11.1 Used Free Clusters

CyberCheck provides a facility to extract the used free clusters available in an evidence file. This separates the used free clusters from the total free clusters available in the evidence file, which may also include unused free clusters. The unused free clusters are of little value from the investigative point of view and can be left out of the search space. Doing so will improve the speed of searching in used free clusters. The user may invoke this facility from the main user interface by selecting the menu item Extract|Used free Clusters as shown in figure 4.5.1.11.1 given below.

Figure 4.5.1.11.1 – Selecting Extract | Used Free Clusters option from main menu

When this option is selected, a dialog box as shown in figure 4.5.1.11.2 given below will be displayed to select partitions, from which used free clusters are to be extracted.

Figure 4.5.1.11.2 – Dialog box for selecting partitions.


When the desired partitions are marked in the dialog box and the OK button is pressed, extraction of used free clusters will be started and a progress bar will be displayed indicating the status of the process. This process will be started only if the details of used free clusters are not already available. Extraction of used free clusters can also be initiated while loading the evidence file, if the Extract Used Free Clusters option is set in the Settings dialog box.

4.5.1.12 Report

CyberCheck provides a facility to generate a report of the findings of an analysis session. During the analysis, document files having keywords related to a case may be found. In that case, either the complete file or part of the file has to be added to the report to indicate the presence of digital evidence in the evidence file. Similarly, case related pictures also have to be added to the report. CyberCheck provides facilities for these tasks, which are explained in more detail in the following sections.

4.5.1.12.1 Append File/Folder

On finding evidence, it should be stored for future reference and also for producing before the Court. You may do this by adding the evidence to a report. CyberCheck provides a very effective way of handling reports. You can add folder details, file contents, file slack contents and even data segments to the report. All the information about the evidence file added to the probe, like when the analysis process was done and how long it lasted, and other details related to the case like Crime Number, Lab Reference Number, Police station, Media Type, etc., are automatically added to the report file. If you want to append a particular file or folder to the report, you can do it in two ways. First select the particular file or folder from the Table view. Then either click the right mouse button and select Append to Report, or select the Report option from the main Menu and select Append Folder/File. Both of these options are shown in figures 4.5.1.12.1 and 4.5.1.12.2 given below.


Figure 4.5.1.12.1 – Adding a file to report from Table view.

Figure 4.5.1.12.2 – Adding a file to report from main menu

In both these cases, file should be selected from the Table view. Once you select the Append Folder/File option, a new window as shown in figure 4.5.1.12.3 given below will be displayed asking whether you want to append File Content or File Slack, provided you have selected a File for appending.


Figure 4.5.1.12.3 – Dialog box for choosing Append Options.

If you have selected File Content, then the entire file content will be appended to the report. There is, however, a limitation on the size of the file that can be appended to the report: the size is limited to 1MB. If the size is more than this, an appropriate error message will be displayed. If you have selected Append File Slack, then the File Slack of the selected file will be appended to the report. If the file slack is empty, this is indicated in the report. If you have selected Both as the option, then both the content and the slack will be appended to the Report. Once you click the OK button, the content will be added to the Report file. The report can be viewed in the report view. Clicking the Report Tab in the right pane will show the Report as given in figure 4.5.1.12.4 given below.


Figure 4.5.1.12.4 – Display of the Report containing the added content.

4.5.1.12.2 Append Selected Data

You can also add selected data from the Text View to the Report. This can be done by selecting the data with the mouse and then clicking the right mouse button. On clicking the right mouse button in the Text View after selecting the data, select the option “Append Selected Data to report”. Figure 4.5.1.12.5 given below illustrates the method.

Figure 4.5.1.12.5 - Appending selected data from Text View.


The selected data will be appended to the report as shown in figure 4.5.1.12.6 given below. Here also there is a limitation on the size of the data that can be appended to the report: the maximum size of data that can be appended at a time is limited to 1MB.

Figure 4.5.1.12.6 - Display of the Report containing the selected data.

4.5.1.12.3 Append Folder Structure to Report

If you want to add the folder details into the report, select the folder from the Probe view, right click the mouse button and select the ‘Append folder structure to Report’ menu item. The details of the attributes of the folder will be appended to the report.


Figure 4.5.1.12.7 - Display of the Report containing the folder structure

4.5.1.12.4 Delete from Report

CyberCheck provides a facility to delete data from the report. This can be invoked by clicking ‘Report’ on the main menu bar and selecting the ‘Delete From Report’ submenu. This submenu remains disabled if there are no records in the Report. When this menu item is clicked, a window is shown as in figure 4.5.1.12.1 given below. The ReportDataCodes of the items appended to the report will be displayed in a list box.

Fig 4.5.1.12.1 – Main Interface for Delete From Report

Select the ReportDataCode of the item to be deleted from the report and click the Delete Button. A confirmation message box will be displayed as shown in figure 4.5.1.12.2.


Fig 4.5.1.12.2 – Confirmation before Deleting an item From Report

If Yes is clicked, the item with the selected ReportDataCode gets deleted from the report.

4.5.1.13 Timeline

The Timeline view gives a graphical representation of the patterns of file creation, access and last written attributes. The Timeline view can be invoked by clicking on the Timeline tab from the Right Pane. In the Timeline view, as shown in figure 4.5.1.13.1 given below, a graphical representation of the patterns of file creation, file access, last written attributes, time anomaly files, signature mismatched files, etc., is displayed.

Figure 4.5.1.13.1 - Graphical display of timeline information


Select Probe View Tab in the left pane. Click the Timeline tab on the right pane. A window as shown in figure 4.5.1.13.2 given below will be displayed with different options that can be set for getting a particular pattern of timeline view.

Figure 4.5.1.13.2 – Different Options for Timeline View

The different options available are:

o Search Options

o Files

o Display by Time

o Advanced Options

Search Options

The user has the option to narrow down the number of files displayed in the timeline chart by selecting these options.

All Files

If the User selects the All Files option, the Timeline of all the files in the evidence file will be displayed in the Timeline view.

Selected Files

If the User selects Selected Files, the Timeline of the selected files will be displayed in the Timeline view. The desired files can be selected from the Probe view and Table view before going to the timeline view.

Date From To

If the User selects this option, s/he can view the Timeline of files with different attributes limited to a specific period defined by From and To limits. These limits can be specified as shown in figure 4.5.1.13.3 given below.

Figure 4.5.1.13.3 – Calendar for specifying From – To period

User may drop the calendar for setting the period by clicking on the combo box arrow button given for From and To date fields. From the calendar window, user may change the month of the year by clicking on left and right arrows given. If the user wants to change the year, click on the year displayed in the calendar. A combo box will be displayed as shown in figure 4.5.1.13.4 given below.


Figure 4.5.1.13.4 – Combo box in the Calendar for changing year

If the User wants to change the month, click on the month displayed in the calendar window. A list box with names of different months will be dropped to enable the user to select desired month as shown in figure 4.5.1.13.5 given below.

Figure 4.5.1.13.5 – List box in the Calendar for changing month

With these facilities, the user may set the appropriate From and To period for displaying the Timeline of files that fall in this range.

Files

The Files option in the Timeline view allows the user to include Normal files or Deleted files or Both in the Timeline View.

Display by Time

There are three dates associated with every file: created date and time, last accessed date, and modified date and time. The user can create the timeline chart based on any of these three categories. Depending on the user's selection from the choices

o Created

o Last Accessed

o Modified

the timeline chart is drawn accordingly. If, for example, ‘Created’ is selected, then the timeline chart for the selected file or files will be drawn based on the files’ date and time of creation. The date and time information of the other two dates (Last Accessed and Modified in this case) can be viewed through the tool tip facility. When the mouse pointer is placed on a file representation in the chart, which is displayed as a circle, the details including the full path are displayed as a tool tip.

Advanced Options

To avail this feature, the User has to select the check box named Options. The number of files that have to be displayed in the Timeline view chart can be limited by selecting these options. Once this has been checked, three other options get enabled. They are:

Time Anomaly Only

When this option is selected, only those files in the evidence file that have time mismatches are displayed in the chart. A file is considered as time mismatched in the following cases:

o Modified date and time is before the created date and time.

o Accessed date is before file’s created date.


o Modified date is before the file’s last accessed date.

If there is a time mismatch associated with a file that is being displayed in the timeline chart, then the file will be displayed with an adjacent yellow circle to the left of the green or red circle representing the file (green for a normal file, red for a deleted file).

Signature Mismatch Only

When this option is selected, only those files in the evidence file that have a signature mismatch are displayed in the chart. A file is considered as signature mismatched if its extension does not match the file signature. Here ‘file signature’ means the initial bytes of the file that uniquely identify its type.

If there is signature mismatch for a file, a violet circle will get displayed adjacent to the circle representing the file.

Time Anomaly & Signature Mismatch Only

Displays the files that have either a time anomaly or a signature mismatch. The User can also select options like Created, Last Accessed, Last Written etc. from the same window. After selecting the needed options, the User has to click the Show Chart button. Then a window as shown in figure 4.5.1.13.6 given below will be displayed.


Figure 4.5.1.13.6 – Display of Timeline chart
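The three time-mismatch conditions and the extension-versus-signature test described under Advanced Options are the classification rules behind the chart, so they can be written down as code. The following Python script is an added example, not CyberCheck code: the file records and the small signature table are constructed for illustration (CyberCheck's own signature table is not reproduced in the manual), the four filter modes correspond to the unfiltered chart and the three Advanced Options, and the third time rule is compared exactly as the option list states it (modified before last accessed). The later description of the yellow marker phrases that comparison the other way round, so confirm the behaviour against the build in use before relying on either reading.

```python
import os
from dataclasses import dataclass
from datetime import datetime

# Initial bytes ("file signatures") of a few common types. CyberCheck's own
# signature table is not reproduced in the manual, so this table is an assumption.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF",),
    "zip": (b"PK\x03\x04",),
    "exe": (b"MZ",),
}


@dataclass
class FileRecord:
    path: str
    created: datetime
    accessed: datetime
    modified: datetime
    head: bytes            # first bytes of the file content
    deleted: bool = False  # red circle when True, green otherwise


def time_anomaly_reasons(rec):
    """The three time-mismatch conditions listed under Time Anomaly Only,
    compared exactly as the list states them. Empty list means no anomaly."""
    checks = (
        ("modified before created", rec.modified < rec.created),
        ("accessed before created", rec.accessed < rec.created),
        ("modified before last accessed", rec.modified < rec.accessed),
    )
    return [name for name, hit in checks if hit]


def signature_mismatch(rec):
    """True when the extension has a known signature and the initial bytes do
    not carry it. Extensions without a table entry are not judged."""
    ext = os.path.splitext(rec.path)[1].lstrip(".").lower()
    magics = SIGNATURES.get(ext)
    if magics is None:
        return False
    return not any(rec.head.startswith(m) for m in magics)


def chart_markers(rec):
    """Circle colours the chart uses: green/red for normal/deleted, then
    yellow for a time anomaly and violet for a signature mismatch."""
    marks = ["red" if rec.deleted else "green"]
    if time_anomaly_reasons(rec):
        marks.append("yellow")
    if signature_mismatch(rec):
        marks.append("violet")
    return marks


def select_for_chart(records, mode="all"):
    """Filter as the Advanced Options do: 'all' (check box unset),
    'time_anomaly', 'signature_mismatch' or 'either'."""
    selected = []
    for rec in records:
        anomaly = bool(time_anomaly_reasons(rec))
        mismatch = signature_mismatch(rec)
        keep = {
            "all": True,
            "time_anomaly": anomaly,
            "signature_mismatch": mismatch,
            "either": anomaly or mismatch,
        }[mode]
        if keep:
            selected.append(rec)
    return selected


def sample_records():
    """Constructed records, not taken from any real evidence file."""
    d = datetime
    return [
        # consistent times, genuine PDF header: only the green circle
        FileRecord("C:/docs/letter.pdf", d(2003, 1, 10, 9, 0), d(2003, 2, 5, 12, 0),
                   d(2003, 2, 5, 12, 0), b"%PDF-1.4"),
        # modified before created: time anomaly
        FileRecord("C:/pics/holiday.jpg", d(2003, 5, 1, 8, 0), d(2003, 5, 1, 8, 0),
                   d(2002, 12, 24, 18, 30), b"\xff\xd8\xff\xe0"),
        # ZIP archive carrying a .jpg extension, deleted: signature mismatch
        FileRecord("C:/pics/secret.jpg", d(2003, 6, 1, 10, 0), d(2003, 6, 2, 10, 0),
                   d(2003, 6, 2, 10, 0), b"PK\x03\x04", deleted=True),
        # accessed before created; .txt has no signature entry, so not judged
        FileRecord("C:/readme.txt", d(2003, 7, 1, 9, 0), d(2003, 6, 30, 9, 0),
                   d(2003, 7, 1, 9, 0), b"hello"),
    ]


if __name__ == "__main__":
    for rec in select_for_chart(sample_records(), "either"):
        print(rec.path, chart_markers(rec), time_anomaly_reasons(rec))
```

Running the script lists the three flagged sample files with their marker colours and the reason each was flagged; the clean PDF is left out, exactly as the Time Anomaly & Signature Mismatch Only option leaves unflagged files off the chart.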

The Timeline chart is a very important facility for the analyzing officer. A lot of information related to the case can be gathered from the timeline chart. The above chart shows the details of a set of files selected based on modified time, having a time anomaly or signature mismatch or both, and either deleted or normal, within a time frame of 12/2002 to 11/2003. The Timeline view can be used for searching normal files only, or deleted files only, signature mismatched files only, time anomaly files only, and so on. These are very good features from the cyber forensics analysis point of view. The set of files shown in the above chart is ordered by modified time. The User can view the created time and last accessed time of a particular file by selecting the desired file from the chart as shown in figure 4.5.1.13.7 given below.


Figure 4.5.1.13.7 – Display of Created, Modified and Last Accessed information in a Tool tip

If there are large numbers of files in a timeline chart, the view of the chart will be cluttered as shown in figure 4.5.1.13.8 given below.

Figure 4.5.1.13.8 – A cluttered view of Timeline chart


In this case, the timeline chart can be expanded to view more details of a particular area by zooming in on that area. The User may select a desired area from the timeline chart by clicking the left mouse button and dragging over the desired area. On releasing the mouse button, the files included in that area will be displayed as the next timeline chart. This can be repeated till a reasonably good view of the chart is reached. The User may go back to any previous level by selecting the Zoom Out menu item from the Timeline menu bar item.

The Timeline view provides a number of other features also. If the User has opted to display signature mismatched files and the checking of the file signatures is not completed, a message will appear asking whether to complete the process of checking file signatures before displaying the timeline chart. If s/he chooses ‘Yes’, the timeline will be displayed after checking the remaining files. Otherwise, there may be some more signature mismatched files which fail to be displayed in the chart in the category of mismatched files, and there won’t be a violet circle beside those files.

The User sees a two dimensional graph in which the X-axis indicates the year and the Y-axis indicates the files. There are differently coloured marks on the graph. Green colour indicates that the particular file is a Normal file and red colour indicates that the file is a deleted file. Yellow colour indicates that there is a time anomaly associated with that particular file. This can occur if the created date of the file is later than either the modified date or the last accessed date of that file. It can also occur if the modified date is later than the last accessed date of that file. Consider figure 4.5.1.13.9 given below. The different options set for this view are: Search option - ‘Selected Files’, Files - ‘Both’, and Display by time - ‘Modified’.


Figure 4.5.1.13.9 - TimeLine view of the Windows folder of the Evidence file

The User may click the right mouse button on the Timeline chart for more options. On right clicking on the TimeLine view, s/he can see options like Zoom Out, Show Grid, Hide Grid, Options and Show Files. Initially, the Zoom Out option will be disabled. S/he can select a portion of the TimeLine view with the mouse: press the left mouse button at some point in the TimeLine view and drag the mouse so as to select a portion of the view. A dotted rectangle is drawn along the selection path indicating the selected region. Now s/he can see the TimeLine view of this selected portion. S/he can continue this until s/he gets the TimeLine of a single file. Now, if s/he clicks the right mouse button again, the Zoom Out option will be enabled. By selecting Zoom Out, s/he can go back to the previous view, i.e., to the view before selecting a portion of the TimeLine files.


The user can also get the Table View of these files: from the Timeline View, right-click and select Show Files. The files are then shown in the Table view. Selecting ‘Options’ lets the user reset the various options for the TimeLine analysis. Selecting Show Grid displays the Timeline view in grid form.

Timeline Display

The Timeline chart is displayed in the right pane when the ‘Show Chart’ button is clicked after selecting the required options in the Timeline dialog box. The window given in figure 4.5.1.13.10 depicts a sample timeline display. The heading of the chart states the options selected by the user in the Timeline dialog box. The first part indicates whether the user selected ‘ALL FILES’, ‘SELECTED FILES’ or ‘DATE’ in the search options. The second part shows the option chosen under ‘Display by Time’, so the display is either ‘ORDERED BY CREATED TIME’, ‘ORDERED BY LAST ACCESSED TIME’ or ‘ORDERED BY MODIFIED TIME’. The third part shows which advanced option is selected; the corresponding display is ‘TIME ANOMALY’, ‘SIGNATURE MISMATCHED’ or ‘TIME ANOMALY & SIGNATURE MISMATCHED’.

In the display area below the heading, the user can see the number of time-mismatched and signature-mismatched files. In addition to the yellow and violet circles drawn beside the circles that represent files with mismatches, the number of mismatched files on each vertical line of the graph is shown here. The count of signature-mismatched files appears only if the user has checked the Signature Mismatch Only option.

Timeline Chart

The chart will be represented as a cluttered graph if there are a large number of files. Along the horizontal line, the date and time are displayed. The horizontal line in the chart, the x-axis, is divided depending upon the dates and times that are to be displayed. Along the Y-axis, the names of the files are plotted. The files can be plotted on the basis of created, last accessed or modified date. Let us take for example that we are going to plot on the basis of created date. Then the x-axis will be divided in one of the following ways.

a) Suppose the evidence file contains many files created over a long period. Then all the years covered by the requested files cannot be plotted distinctly on the x-axis. For example, if one file was created in 1980, another in 2000 and some others in 2050, plotting every year between 1980 and 2050 would clutter the graph. CyberCheck handles this by displaying the files created in more than one consecutive year over each vertical line. The range depends on the difference between the minimum and maximum file-created dates. For example, the ranges can be 2000-2005, 2006-2010 and so on, or 2000-2009, 2010-2019, 2020-2029, 2030-2039 and so on.

b) If all the files to be displayed in the chart fall within a single year, they are plotted by the month in which they were created.

c) If the files all fall within a single month, they are plotted by created date.

d) If the files were created on the same day, they are plotted by created hour.

e) If the hour is also the same, by minute.

f) And if the minute is also the same, by second.
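The rules a) to f) above, written as a bucketing function (example code added here, not CyberCheck's own code): it picks the finest unit that still separates the timestamps, and for a multi-year spread groups the years into equal-width ranges over each vertical line. The width ladder (1, 5, 10, 20, 50, 100 years) and the ten-column limit are my assumptions, since the manual only states that the range depends on the minimum and maximum dates. The sample files are constructed to match the 1980/2000/2050 illustration.

```python
import math
from datetime import datetime

# Constructed sample files mirroring the manual's 1980 / 2000 / 2050 illustration.
SAMPLE_FILES = [
    {"name": "autoexec.bat", "created": datetime(1980, 3, 1, 9, 0)},
    {"name": "report.doc",   "created": datetime(2000, 7, 14, 16, 30)},
    {"name": "future.tmp",   "created": datetime(2050, 1, 2, 0, 0)},
]


def axis_granularity(times):
    """Finest unit that still separates the timestamps (rules a to f)."""
    if len({t.year for t in times}) > 1:
        return "year"
    if len({(t.year, t.month) for t in times}) > 1:
        return "month"
    if len({t.date() for t in times}) > 1:
        return "day"
    if len({t.replace(minute=0, second=0, microsecond=0) for t in times}) > 1:
        return "hour"
    if len({t.replace(second=0, microsecond=0) for t in times}) > 1:
        return "minute"
    return "second"


def year_bucket_width(min_year, max_year, max_columns=10):
    """Assumed policy: smallest width from a fixed ladder that keeps the
    number of vertical lines within max_columns."""
    span = max_year - min_year + 1
    for width in (1, 5, 10, 20, 50, 100):
        if math.ceil(span / width) <= max_columns:
            return width
    return math.ceil(span / max_columns)


def bucket_label(t, granularity, width=1, base_year=None):
    """Label of the vertical line on which timestamp t is plotted."""
    if granularity == "year":
        if width == 1:
            return str(t.year)
        start = base_year + ((t.year - base_year) // width) * width
        return f"{start}-{start + width - 1}"
    fmt = {"month": "%Y-%m", "day": "%Y-%m-%d", "hour": "%Y-%m-%d %H:00",
           "minute": "%Y-%m-%d %H:%M", "second": "%Y-%m-%d %H:%M:%S"}[granularity]
    return t.strftime(fmt)


def build_timeline(records, key="created", max_columns=10):
    """Group file names by x-axis column for the chosen timestamp field."""
    times = [r[key] for r in records]
    granularity = axis_granularity(times)
    width, base_year = 1, None
    if granularity == "year":
        base_year = min(t.year for t in times)
        width = year_bucket_width(base_year, max(t.year for t in times), max_columns)
    columns = {}
    for r in records:
        label = bucket_label(r[key], granularity, width, base_year)
        columns.setdefault(label, []).append(r["name"])
    return {"granularity": granularity, "width": width, "columns": columns}


def granularity_examples():
    """Same-year and same-day spreads fall through to rules b) and d)."""
    same_year = [datetime(2006, 5, 1), datetime(2006, 9, 1)]
    same_day = [datetime(2006, 5, 1, 10, 0), datetime(2006, 5, 1, 11, 0)]
    return axis_granularity(same_year), axis_granularity(same_day)


if __name__ == "__main__":
    print(build_timeline(SAMPLE_FILES))
```

With the three sample files the span is 71 years, so single years and 5-year ranges would both exceed ten columns and the chart falls back to decades starting at the earliest year, giving 1980-1989, 2000-2009 and 2050-2059.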

Along the y-axis (the leftmost vertical line) the filenames of the plotted files are shown (only if the number of files is limited).

The legend (Timeline Legend), which is displayed in the bottom left corner, gives information as to what each circle in the timeline view represents. The green circle represents the normal file, red circle represents the deleted file, yellow circle represents the time anomaly file and violet circle represents the signature mismatched file.

4.5.1.13.1 Zoom Out

To get a lower resolution of the timeline view (i.e. to undo the previous Zoom In and go back to the previous view, the one before a portion of the TimeLine files was selected), right-click inside the view and select the ‘Zoom Out’ option from the popup menu or the ‘Timeline’ main menu. This menu item is disabled when there are no more lower resolutions to display, i.e. when the chart has reached its initial state.

4.5.1.13.2 Show Grid

The Show Grid option gives a grid-line view of the files. The timeline view is divided into grids based on the number of files available in the view. To display grid lines, click ‘Show Grid’ in the popup menu.

4.5.1.13.3 Hide Grid

To hide the grid lines again, click the ‘Hide Grid’ option in the popup menu or in the main ‘Timeline’ menu.

4.5.1.13.4 Options

On selecting this menu item, the ‘Timeline’ Options window is displayed. It can then be used to redefine the view options of the timeline chart, such as viewing only time-mismatched files. Thus the user can reset the various options for the TimeLine analysis and should use this facility to try different combinations of timeline features. For example, to see the time anomaly files only, select the Time Anomaly Only radio button in the options and press the Show Chart button; the timeline chart then shows only files with a time anomaly. To see the signature-mismatched files instead, select the Signature Mismatch Only radio button and press Show Chart.

4.5.1.13.5 Show Files

When this menu item is selected, User will get the Table View of the files that are then being displayed in the timeline chart; i.e, those files that are in the current Zoom In resolution. This is illustrated in the following figure 4.5.1.13.10 and Figure 4.5.1.13.11 given below.


Figure 4.5.1.13.10 - Selecting Show Files from time line chart

Figure 4.5.1.13.11 - List of files available in the current timeline chart

The list of files available in the current timeline chart can also be viewed from the left pane by selecting the Timeline Files item. When this item is selected, if a previous timeline analysis has been made, then the files of the last timeline chart will be displayed in the Table view as shown in the above figure.


4.5.1.14 Recovery

4.5.1.14.1 Partition Recovery

CyberCheck has incorporated a feature to recover the deleted Partitions. The steps involved in recovering the deleted partitions are as follows. From the main menu, select Recovery | Partition Recovery menu item as given in figure 4.5.1.14.1.1 given below.

Figure 4.5.1.14.1.1 – Selecting Partition Recovery option from main menu

A dialog box as shown in figure 4.5.1.14.1.2 will be displayed for selecting the option for Partition Recovery. In the Best option, each and every sector in the evidence file is scanned; in the Fast option, only sectors whose sector number is a multiple of 63 are scanned.
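To make the Best/Fast distinction concrete, here is a small boot-sector scanner (example code added here, not CyberCheck's implementation, whose actual heuristics the manual does not describe). It builds a constructed 2 MiB image with volume boot sectors at LBA 63 and LBA 2048 and an empty partition table, then scans it with stride 1 (Best) or stride 63 (Fast). The signature checks in `looks_like_boot_sector` are my assumptions about what a recognisable FAT or NTFS boot sector looks like.

```python
import struct

SECTOR = 512


def make_mbr():
    """Sector 0 as a constructed master boot record: 0x55AA signature and a
    typical code stub (xor ax,ax), but no jump opcode and no BPB."""
    s = bytearray(SECTOR)
    s[0:2] = b"\x33\xC0"
    s[510:512] = b"\x55\xAA"
    return bytes(s)


def make_boot_sector(jump, oem):
    """A constructed volume boot sector with the fields the scanner checks:
    x86 jump, 8-byte OEM name, bytes-per-sector in the BPB, 0x55AA at the end."""
    s = bytearray(SECTOR)
    s[0:3] = jump
    s[3:11] = oem.ljust(8)
    struct.pack_into("<H", s, 11, SECTOR)   # BPB: bytes per sector
    s[13] = 8                               # BPB: sectors per cluster
    s[510:512] = b"\x55\xAA"
    return bytes(s)


def build_sample_image(total_sectors=4096):
    """2 MiB constructed image: an MBR with an empty partition table (as after
    a wiped or damaged MBR), a FAT volume at the legacy CHS boundary LBA 63
    and an NTFS volume at the modern 1 MiB boundary LBA 2048."""
    img = bytearray(total_sectors * SECTOR)
    img[0:SECTOR] = make_mbr()
    img[63 * SECTOR:64 * SECTOR] = make_boot_sector(b"\xEB\x3C\x90", b"MSDOS5.0")
    img[2048 * SECTOR:2049 * SECTOR] = make_boot_sector(b"\xEB\x52\x90", b"NTFS")
    return bytes(img)


def looks_like_boot_sector(sector):
    """Heuristic (an assumption, not CyberCheck's rule): a volume boot sector
    opens with a jump opcode, ends with 0x55AA and has a sane bytes-per-sector."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xAA":
        return False
    if sector[0] not in (0xEB, 0xE9):
        return False
    return struct.unpack_from("<H", sector, 11)[0] in (512, 1024, 2048, 4096)


def scan_for_boot_sectors(image, mode="best"):
    """Best: every sector. Fast: only LBAs that are multiples of 63.
    Returns (lba, oem_name) for every sector that passes the heuristic."""
    stride = 1 if mode == "best" else 63
    hits = []
    for lba in range(0, len(image) // SECTOR, stride):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if looks_like_boot_sector(sector):
            hits.append((lba, sector[3:11].decode("ascii").strip()))
    return hits


if __name__ == "__main__":
    image = build_sample_image()
    print("best:", scan_for_boot_sectors(image, "best"))
    print("fast:", scan_for_boot_sectors(image, "fast"))
```

The Fast option rests on the old CHS convention that partitions begin on 63-sector boundaries. A volume aligned at 1 MiB (LBA 2048, the default for newer partitioning tools) is not a multiple of 63 and is found only by the Best scan, so treat Fast as a first pass and repeat with Best when the expected partitions do not appear.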

Figure 4.5.1.14.1.2 - Window for selecting option.


Figure 4.5.1.14.1.3 – Selecting the Fast Option

The partition recovery process starts when the OK button is clicked, and its progress is represented by a progress bar as shown in figure 4.5.1.14.1.4 given below.

Figure 4.5.1.14.1.4 – Progress of the Partition Recovery

You have to wait till the progress bar reaches 100%. The number of partition(s) recovered is displayed in a message box as shown in figure 4.5.1.14.1.5 given below.

Figure 4.5.1.14.1.5 – Display of number of Partitions Recovered


Click the “OK” button. It will take some time to load the recovered partition(s). The recovered partition(s) will be displayed below the existing partitions in the Probe view. Their names start with “Rec-”. For example, if two partitions have been recovered, the first is shown with the name Rec-1 and the second with the name Rec-2. To see the files and folders of a recovered partition, click on the “+” symbol next to the partition name (as for an existing partition). This is illustrated in figure 4.5.1.14.1.6 given below.

Figure 4.5.1.14.1.6 – Display of Recovered Partitions

Note: You may cancel the partition recovery process by clicking the Cancel button that appears on right-clicking the progress bar. After cancelling, if you try to recover partitions by clicking the menu option again, the recovery process will start again from the first sector (i.e. it is not a continuation of the previous process).

4.5.1.14.2 Format Recovery

Format recovery recovers the formatted partitions from the evidence file. The procedure for format recovery is as follows. Select the Recovery menu item and then select Format Recovery, i.e., select the Recovery | Format Recovery menu item from the main menu as shown in figure 4.5.1.14.2.1 given below.

Figure 4.5.1.14.2.1 – Selecting Format Recovery option from main menu


CyberCheck will display all the available partitions in a dialog for selecting the partition(s) you want to recover. Figure 4.5.1.14.2.2 given below illustrates this feature. A partition recovered using Format Recovery is added to the Probe view as another partition, similar to the actual partitions available in the evidence file. The recovered partitions may not be complete, and it may not be possible to recover their contents completely.

Figure 4.5.1.14.2.2 – Display of partitions available in an evidence file

You may tick the Select All option if you want to recover all partitions. Otherwise, select the needed partition(s) by ticking the box beside each. This is shown in figure 4.5.1.14.2.3 below.


Figure 4.5.1.14.2.3 – Selecting partitions for Format Recovery

After your selection, click the OK button. The Format Recovery process starts and its progress is shown by a progress-bar as shown in the figure 4.5.1.14.2.4 given below.

Figure 4.5.1.14.2.4 – Progress of the Format Recovery

The progress bar displays the drive letter of the partition whose format recovery is currently in progress. You have to wait till the progress bar reaches 100%. When it reaches 100%, the format recovery for all selected partitions will be completed. Then a message box is displayed as shown in the figure 4.5.1.14.2.5 given below to show the process completion.


Figure 4.5.1.14.2.5 – Display of the end of Format Recovery process

Click the OK button. The recovered files and folders, if any, can be viewed by moving to the respective partition and looking for a folder named “Format Recover”. This folder contains other folders (with names starting with “CNo_”), and they contain the recovered files. This is illustrated in figure 4.5.1.14.2.6 given below.

Figure 4.5.1.14.2.6 – Display of recovered files and folders

If you have selected all partitions listed, then the menu option “Format Recovery” will be disabled after format recovery completion. If the Format recovery process is cancelled or not all partitions are selected then the menu option is not disabled.


Note: You may cancel the format recovery process by clicking the Cancel button that appears on right-clicking the progress bar. After cancelling, if you try to recover partitions by clicking the menu option again, the selection screen will list only those partitions whose format recovery was not completed before the cancellation (i.e. selected partitions whose format recovery had already completed before the cancellation are not displayed the next time; it is a continuation of the previous recovery).

4.5.1.15 Tools

4.5.1.15.1 Seize & Acquire

Refer Appendix A

4.5.1.15.2 Hasher

The Hasher utility provides a way to check the data integrity of a file or a sequence of data bits. The user can select a file to be hashed; this can be a flat file or a TrueBack image. Similarly, the user can select any one of the hashing algorithms MD5, SHA-1 or HMAC. For MD5 and HMAC you will get a 16-byte digest, and for SHA-1 a 20-byte digest. The Hasher utility can be invoked by selecting the Tools | Hasher menu item from the main menu. When this menu item is clicked, the main menu of the Hasher is displayed.

Figure 4.5.1.15.2.1 – Main menu of Hasher Utility


The user may use this utility for checking the data integrity of any file (flat image) or of a TrueBack image. Refer to the User Manual of Hasher for more details of the working of the Hasher utility.
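As an added example (not the Hasher utility's own code), the following streams a file through the three algorithms named above and checks a stored digest against a freshly computed one. It assumes HMAC uses MD5 underneath, which matches the 16-byte digest the manual quotes; the key and the sample file contents are constructed.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads, so a multi-gigabyte image never sits in memory


def hash_file(path, algo="md5", key=None):
    """Digest a flat file with MD5, SHA-1 or HMAC (assumed HMAC-MD5, which
    gives the 16-byte result the manual quotes). Returns lowercase hex."""
    if algo == "hmac":
        if key is None:
            raise ValueError("HMAC needs a key")
        h = hmac.new(key, digestmod=hashlib.md5)
    elif algo in ("md5", "sha1"):
        h = hashlib.new(algo)
    else:
        raise ValueError(f"unsupported algorithm: {algo}")
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, expected_hex, algo="md5", key=None):
    """Recompute the digest and compare it to the stored one in constant time."""
    return hmac.compare_digest(hash_file(path, algo, key), expected_hex.lower())


def demo():
    """Write a constructed sample file, hash it three ways, then change one
    byte and show that the stored MD5 no longer verifies."""
    sample = b"The quick brown fox jumps over the lazy dog"  # constructed content
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.img")
        with open(path, "wb") as f:
            f.write(sample)
        result = {
            "md5": hash_file(path, "md5"),
            "sha1": hash_file(path, "sha1"),
            "hmac": hash_file(path, "hmac", key=b"key"),  # constructed key
        }
        result["verified"] = verify_file(path, result["md5"], "md5")
        with open(path, "r+b") as f:   # change the first byte: "The" -> "the"
            f.write(b"t")
        result["verified_after_change"] = verify_file(path, result["md5"], "md5")
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A single changed byte produces a completely different digest, which is what makes the stored hash useful for proving an image is unchanged since acquisition. MD5 and SHA-1 still detect accidental corruption, but neither is collision resistant any more, so where the digest must withstand a deliberate attempt to substitute content, record a keyed HMAC or a stronger hash alongside them.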

4.5.1.15.3 Create Boot Disk

CyberCheck provides a utility for creating TrueBack boot disks from within CyberCheck. If the TrueBack boot floppy gets corrupted or becomes unusable for some reason, the user can always create a new boot floppy using this utility. To invoke it, select the Tools | Create Bootdisk menu item from the main menu as shown in figure 4.5.1.15.3.1 given below. When this menu item is selected, the window shown in figure 4.5.1.15.3.2 below is displayed for creating the different boot floppies.

Figure 4.5.1.15.3.1 – Selecting ‘Create Bootdisk’ Utility from main menu

Figure 4.5.1.15.3.2 – Dialog box for selecting type of boot floppy

Insert a new floppy into the floppy drive and specify the type of boot floppy to be created in the above dialog box. Click the OK button to continue with boot floppy creation. The message box shown in figure 4.5.1.15.3.3 given below is displayed to warn that the contents of the floppy will be lost.

Figure 4.5.1.15.3.3 – Message box displaying warning

If you want to continue with the boot floppy creation, click the Yes button. A progress bar as given in figure 4.5.1.15.3.4 below is displayed to indicate the status of the process.

Figure 4.5.1.15.3.4 – Progress bar to indicate the status of Boot floppy creation

When the boot floppy creation is completed, a message box as shown in figure 4.5.1.15.3.5 will be displayed, prompting the user to label the floppy as the selected type.

Figure 4.5.1.15.3.5 – Message Box showing the completion of boot disk creation.

4.5.1.16 Language


UNICODE SUPPORT IN CYBERCHECK

The CyberCheck application is UNICODE enabled for showing UNICODE file and folder names. It may not run on Windows 95/98 systems; on Windows NT/2000/XP, CyberCheck runs.

Language

When the “Language” menu is changed to ‘Hindi’, the characters are shown as small squares, as in figures 4.5.1.16.1 and 4.5.1.16.2 below. This is because the operating system does not support Hindi or Tamil by default.

Figure 4.5.1.16.1 - Display of Language support when Hindi language is not supported by the Operating System.

Figure 4.5.1.16.2 - Display of Language support when Tamil language is not supported by the Operating System.

In order to show the characters correctly, refer to the section ‘How do I display Unicode on my computer?’ given below.


After enabling ‘Hindi’ in the operating system, the CyberCheck application is able to display the Hindi interface as shown in figures 4.5.1.16.3 and 4.5.1.16.4 given below.

Figure 4.5.1.16.3 - Display of Language support when Hindi language is supported by the Operating System.

Figure 4.5.1.16.4 – Main User Interface with Hindi Language Support.

How do I display Unicode on my computer?

To enable Hindi on the PC, a simple 5-step procedure is to be followed:


1. Support for Hindi IMEs (Input Method Editors) must be enabled on the PC before an IME can be used. If Windows 2000 is installed on the PC and support is to be enabled for Hindi, the user must go to Control Panel, then to Regional Options. In the option titled “Language Settings for the System”, check the Indic box as shown in figure 4.5.1.16.5 given below. Then insert the Windows 2000 CD into the CD-ROM drive to complete the configuration for the installation as shown in figure 4.5.1.16.6 given below.

Figure 4.5.1.16.5 – Enabling Indic option in Regional Options settings


Figure 4.5.1.16.6 – Installing language support in Windows 2000.

If Windows XP is installed on the PC, the user must go to Control Panel and then to “Regional and Language Options”. Three tabs are shown: Regional Options, Languages and Advanced. Select the Languages tab. Check the box titled “Install files for complex scripts and left-to-right languages (including Thai)” and click Apply. Then insert the Windows XP CD to finish the configuration as shown in figure 4.5.1.16.7 given below.


Figure 4.5.1.16.7 – Installing language support in WindowsXP

2. Restart the computer.

3. The next step is to enable the recognition of the keyboard layout that a change in language would necessitate.


o If Windows 2000 is installed on the PC, the user must go to Control Panel and then on to the Text Services section. In the Installed Services section, select the keyboard under an option titled HI and click Add. Then, select the Hindi option in the Input Language section and check the Keyboard Layout /IME box. Now, select the Indic IME 1 option from the choices available. These are illustrated in figure 4.5.1.16.8, figure 4.5.1.16.9 and figure 4.5.1.16.10 given below.

Figure 4.5.1.16.8


Figure 4.5.1.16.9

Figure 4.5.1.16.10


o If Windows XP is installed on the PC, the user must go to the Control Panel and then to Regional and Language Options. Of the three tabs available, select the Languages tab. Then click the Details... button in the Text services and input languages section. In the dialog that opens, select Hindi as the input language and add Hindi Traditional as the keyboard. Follow the remaining steps as for the installation on Windows 2000 and select Indic IME 1 as the option.

Figure 4.5.1.16.11

4. After the installation is complete, start any Office application, including Wordpad or Notepad. Click the Language Indicator located in the System Tray on the right side of the Windows taskbar, and select “Indic IME 1” from the shortcut menu that appears.

Figure 4.5.1.16.12

5. The PC is now ready to start typing in Hindi.

4.5.1.16.1.1 English

By default, the language selected when starting CyberCheck is English.

4.5.1.16.1.2 Hindi

From the main menu, select Language | Hindi menu item as given in figure 4.5.1.16.2.1 given below.

Figure 4.5.1.16.2.1 - Select Language Menu and Select ‘Hindi’


The interface changes to Hindi as shown in figure 4.5.1.16.2.2.

Figure 4.5.1.16.2.2 Main Menu of CyberCheck in Hindi

While Loading and Analyzing an Evidence File, its progress is represented by a progress-bar as shown in figure 4.5.1.16.2.3 given below.

Figure 4.5.1.16.2.3 Progress Bar While Loading and Analyzing Evidence File


The Interface after Loading an Evidence File is as shown in the figure 4.5.1.16.2.4 given below.

Figure 4.5.1.16.2.4 Analysis Window Interface in Hindi

Menu Items are changed into Hindi as shown in figure 4.5.1.16.2.5

Figure 4.5.1.16.2.5 Display All Menu items are changed into Hindi

A Dialog Box in Hindi is as shown in figure 4.5.1.16.2.6


Figure 4.5.1.16.2.6 Display A Dialog Box In Hindi.

Pop-up menu items in Hindi are as shown in figure 4.5.1.16.2.7.

Figure 4.5.1.16.2.7 A Pop-Up Menu in Hindi

Interface can be changed back into English by selecting ‘English’ from ‘Language’ Menu as shown in figure 4.5.1.16.2.8.


Figure 4.5.1.16.2.8 Select ‘English’ From ‘Language’ Menu.

The interface changes back to English as shown in figure 4.5.1.16.2.9.

Figure 4.5.1.16.2.9 Display of the interface back in English

4.5.1.16.1.3 Tamil


All the interfaces and messages are displayed in Tamil on selecting Tamil from the Language main menu item. Other details are the same as explained for Hindi.

4.5.1.17 Help

CyberCheck provides an on-line help facility similar to the Help provided in any other Windows application. The help facility can be invoked by selecting the Help menu item from the main menu as shown in Figure 4.5.1.17.1 given below.

Figure 4.5.1.17.1 – Selecting Help option from main menu

The user may select the Contents sub-menu item for details regarding the working of CyberCheck.

4.5.1.17.1 About CyberCheck…

From the main menu, select the Help | About CyberCheck menu item as given in Figure 4.5.1.17.1.1. A dialog box showing details such as program information, version number and copyright appears as shown in figure 4.5.1.17.1.2.

Figure 4.5.1.17.1.1 - Selecting ‘About CyberCheck’ from Help.


Figure 4.5.1.17.1.2 - About CyberCheck

The eighth item in the toolbar also has the same functionality.

4.5.1.17.2 Contents

From the main menu, select Help | Contents menu item as given in Figure 4.5.1.17.1. The Help window appears as shown in figure 4.5.1.17.2.1. To scroll through a table of contents for Help, click the Contents tab. To search a topic by typing the first few letters of the word you're looking for, click the Index tab. When you want to search for specific words or phrases, click the Find tab.

Figure 4.5.1.17.2.1. Help Topics


4.5.1.17.3 Using Help

From the main menu, select the Help | Using Help menu item as given in Figure 4.5.1.17.3.1. The window shown in figure 4.5.1.17.2.1 appears, which describes how to use the help facility.

Figure 4.5.1.17.3.1. Selecting ‘Using Help’ from Help.

Figure 4.5.1.17.3.2. Help Topics: Using Help

4.5.2 Toolbar

4.5.2.1 Save

Refer Section 4.5.1.1.1


4.5.2.2 Copy Refer Section 4.5.1.2.1

4.5.2.3 Print Report Refer Section 4.5.1.1.3

4.5.2.4 Add New Keyword Refer Section 4.5.1.6.1

4.5.2.5 Search Keywords Refer Section 4.5.1.8.1

4.5.2.6 Show / Hide System Files Refer Section 4.5.1.5.9

4.5.2.7 Storage Media Details Refer Section 4.5.1.3.9

4.5.2.8 About Refer Section 4.5.1.17.1

4.5.3 Left Pane

The Left Pane contains four tab views. They are:

Probe View, Keywords View, Bookmarks View and Search View.

4.5.3.1 Probe View

In this view, CyberCheck displays the directory structure of an evidence file, the Timeline Files and the Temporary Files. Complete details of the different partitions available in an evidence file are displayed in a view similar to that of Windows Explorer. From this view, the user can switch between partitions and look through the directory structure. Corresponding to each selection from the left pane, its folders and files are displayed in the Table View (see Table View below) of the right pane. If a file is selected from the Table View, the contents of the file are displayed in the Text View (see Text View below) of the bottom pane. The Probe view contains details of the different partitions available in an evidence file. These details can be viewed by clicking on the plus (+) sign on the left. Figure 4.5.3.1.1 given below shows the expanded view of the Probe view.

Figure 4.5.3.1.1 – Probe view with expanded evidence file content

A number of facilities are provided in the Probe view. When the user clicks on a particular item in the Probe view, more details are displayed in the right pane, depending upon the nature of the item and the tab selected in the right pane. The default tab in the right pane is the Table view. If the item clicked in the Probe view is the Probe, details of the loaded image file are displayed in the right pane. If the item clicked is the evidence file, details of the number of partitions available in the evidence file are displayed. If the item clicked is the root folder, details of the sub-folders and files in the root folder are displayed. If the item clicked is a sub-folder, details of its sub-folders and files are displayed in the right pane. The user can select a particular item displayed in the Probe view by clicking on the small square next to that item. If the item selected is the root folder, all the sub-folders and files in the root folder are selected, and a black dot is placed inside the small square to indicate that the item has been selected. The small squares of the partition, the evidence file and the Probe are also marked, as are all the items in the Table view. This is shown in Figure 4.5.3.1.2 given below.

Figure 4.5.3.1.2 – Display of selected items from the Probe view

If the user wants to select a particular item from the Table view, User may click on the small square provided in the Table view adjacent to different items. When it is marked in the Table view, the sub-folder containing the item in the Probe view, all the parent folders, partition, evidence file and Probe also will be marked as shown in the Figure 4.5.3.1.3 given below. If the partition being analysed is an NTFS one, then CyberCheck will add an extra folder with name “Lost & Found” with each NTFS partition to hold the deleted files found in that partition (if any) for which the correct path cannot be recovered.


Figure 4.5.3.1.3 – Display of a particular item selected

If the user wants to see all the folders and files available at a particular level of the evidence file, s/he may click on the D-shaped item provided in the Probe view. This is the Expansion Trigger, or One Shot, facility provided in CyberCheck. Depending upon the level selected, all the files available at that level as well as all the sub-folders and their structures are displayed in the Table view as shown in Figure 4.5.3.1.4 given below.

Figure 4.5.3.1.4 – Display of Expansion Trigger facility

The Probe view also supports a facility for appending an item from the Probe view to the report, as well as a facility to export the folder structure to a file. The commands for these facilities are Append Folder structure to report and Export Folder structure. By clicking the right mouse button on the item of interest in the Probe view, the user can select these commands. When the first command is selected, the folder structure is appended to the Analysis report. When the second command is selected, the folder structure is exported to a default file in the export folder path, after creating a sub-folder named after the evidence file. The name of the default file is FolderFileStructure.doc.

CyberCheck also supports loading and analysing evidence files containing dynamic disks. A dynamic disk is a type of disk structure supported by Windows XP Professional edition. Dynamic disks first appeared in Windows 2000 and are only compatible with the Windows 2000 and Windows XP Professional operating systems; Windows XP Home Edition does not support them. A dynamic drive contains dynamic volumes rather than partitions, making it possible to have an unlimited number of logical drives. Another big difference between basic and dynamic disks is that there is no Master Boot Record (MBR) on a dynamic disk. Instead, the layout of the disk volumes is stored in a database kept in the last 1 MB of the disk. Dynamic disks allow a number of disk structures that are not available on basic disks. This facility enables the analysis of dynamic disk volumes such as Simple, Striped and Mirrored volumes.

When an evidence file is loaded, its name is added to the Probe view as shown in Figure 4.5.3.1.5 given below. If the evidence file does not contain any dynamic disk structure, drive letter(s) are assigned to it for further processing, depending upon the number of partitions it contains. If the evidence file has a dynamic disk structure, no drive letter is assigned to it; this is one indication for identifying evidence files with dynamic disk structures. Such evidence files can also be identified easily by the special icon used for them in the Probe view, as shown in figure 4.5.3.1.5 given below.

Figure 4.5.3.1.5 - Probe view with evidence file having dynamic disk structure

When a dynamic disk image is loaded, it will not show any drives or data in the evidence. To view the folder structures and files contained in a dynamic disk structure, a dynamic disk has to be created from the image. CyberCheck provides a facility to make dynamic disk evidence from the image. Select the dynamic disk image in the Probe view and click the right mouse button. A context menu as shown in Figure 4.5.3.1.6 given below will be displayed.

Figure 4.5.3.1.6 - Context menu for selecting Make Dynamic Disk Evidence option

From the context menu, click on the Make Dynamic Disk Evidence option. Note that a dynamic disk may consist of more than one physical disk, in which case there will also be more than one image file. Before clicking on the Make Dynamic Disk Evidence option, all image files should be loaded into the CyberCheck environment using the Evidence|Add Evidence facility. For example, the evidence file DynamicDisk140MB consists of two physical disks and correspondingly two evidence files, DynamicDisk140MB_1 and DynamicDisk140MB_2. Before making the dynamic disk evidence, the second image file also has to be added to the CyberCheck environment. If you try to make the dynamic disk evidence without adding all the constituent images, the system will warn you to add the missing image file as shown in Figure 4.5.3.1.7 given below.

Figure 4.5.3.1.7 - Message window indicating the missed dynamic disk image.

If all image files are available in the CyberCheck environment, selecting the Make Dynamic Disk Evidence option creates a dynamic disk group under which all the partitions of the corresponding dynamic disk are listed, as shown in Figure 4.5.3.1.8 given below.

Figure 4.5.3.1.8 - Probe view displaying the dynamic disk and available volumes in the disk.

The above figure shows a dynamic disk SanjeevDg0 with three volumes Span1, Simple1 and Stripe1. These volumes can be expanded and their contents viewed in the Probe view as shown in Figure 4.5.3.1.8. We can start viewing the contents of the evidence file by clicking the plus sign on the left of the evidence file name. Under each evidence file entry there is one “Slack” entry and one or more partition entries. The “Slack” entry contains the Disk slack details as shown in Figure 4.5.3.1.9 given below.

Figure 4.5.3.1.9 – Selecting Disk Slack from Table View

This window shows part of the different slacks available in an evidence file. It consists of Disk Slack, MBR Slack and EMBR Slack. Slack is an ambient data area that cannot be accessed easily and is very important in cyber forensic analysis. CyberCheck extracts the data available in these areas and makes it available to the analysing officer for gathering evidence. Disk slack consists of those sectors that are not allocated to any of the partitions in a disk. MBR slack is the Master Boot Record slack, which consists of the unused sectors of the 0th cylinder of a disk: only the first sector of the 0th cylinder is used for writing the MBR, and the rest of the sectors are left unused for future use.

Within a disk, it is possible to have extended partitions. Extended partitions are also treated as separate disks and can have Extended Master Boot Records (EMBRs). EMBRs can have EMBR slack. Since a disk can have more than one extended partition, EMBR slacks are numbered EMBR1, EMBR2, and so on, depending upon the number of extended partitions available in the disk.

User can view the content of any of the slack, if available, by clicking on the item. The content will be displayed in the bottom pane.

Other items available in the Probe view are Timeline Files and Temporary Files. Nothing is shown under these items when the evidence file is loaded or at the start of the analysis process. Unless the Temporary Files option is selected from the View menu and run, no contents appear under Temporary Files. If the evidence file contains items in the temporary folder, these are displayed in the Table view when the Temporary Files item is clicked. The same applies to the Timeline Files item: entries appear there only after some Timeline analysis or a search process has been done. If the file system being analysed is a Linux (Ext2) file system, the Temporary Files option will not display any file. Moreover, in Ext2, deleted files are all stored in a folder “Lost & Found” at the end of each partition (this folder is displayed even if there are no deleted files). There can also be Swap partitions in Ext2, which do not store any files or folders.

The number of partition entries in the Probe view depends on the number of partitions available in the evidence file. Under each partition entry, there will be one “Slack” entry and zero or more folder entries. The number of folder entries depends on the number of folders available in the current partition. If there are subfolders for a particular folder a plus sign will appear on the left side of the folder.

When the Slack item at the partition level is selected, a window as shown in Figure 4.5.3.1.10 given below is displayed containing details of the other part of the different slacks available in an evidence file. The right pane shows 3 entries, viz., Partition Slack, File Slack and RAM slack. CyberCheck extracts the data available in these areas and makes it available to the analysing officer for gathering evidence.

Figure 4.5.3.1.10 – Selecting File Slack from Table View

The Partition slack consists of those sectors between the last cluster of a partition and the end of the partition.

File slack is the number of bytes that may be available between the end of a file and the end of the last cluster of that file. The File Slack item in this view contains the slacks of all individual files available in an evidence file. This is an important facility provided in CyberCheck for easy searching of file slack.

RAM slack is the number of bytes that may be available between the end of a file and the end of the sector containing the end of that file.

User can view the content of any of the slack, if available, by clicking on the item. The content will be displayed in the bottom pane.
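As an added example that is not part of the manual, the following Python script turns the slack definitions above (disk slack, partition slack, file slack and RAM slack) into arithmetic over a constructed partition table and file size, so the analysing officer can see exactly which sectors and bytes each slack type covers; the sector size, disk geometry and partition values are assumptions.

```python
"""Slack-space arithmetic for the slack types listed in this section.

Added example; not CyberCheck code. The sector size, disk geometry and the
partition table below are constructed sample values. Definitions follow the
manual:
  disk slack      - sectors not allocated to any partition
  partition slack - sectors between the last cluster of a partition and its end
  file slack      - bytes between the end of a file and the end of its last cluster
  RAM slack       - bytes between the end of a file and the end of the sector
                    that contains the end of the file
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SECTOR_SIZE = 512  # bytes per sector (assumed)


@dataclass(frozen=True)
class Partition:
    start_lba: int            # first sector of the partition (absolute LBA)
    total_sectors: int        # length of the partition in sectors
    data_start: int           # sector, relative to start_lba, where the cluster area begins
    sectors_per_cluster: int


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def disk_slack(total_disk_sectors: int,
               partitions: List[Partition]) -> List[Tuple[int, int]]:
    """Return (first, last) absolute sector ranges allocated to no partition.

    Sector 0 holds the MBR and is skipped. On a classic layout the first
    partition starts later in cylinder 0, so the leading gap is the unused
    area the manual describes as MBR slack; the later gaps and the tail of
    the disk are disk slack.
    """
    gaps = []
    cursor = 1
    for p in sorted(partitions, key=lambda part: part.start_lba):
        if p.start_lba > cursor:
            gaps.append((cursor, p.start_lba - 1))
        cursor = max(cursor, p.start_lba + p.total_sectors)
    if cursor < total_disk_sectors:
        gaps.append((cursor, total_disk_sectors - 1))
    return gaps


def partition_slack(p: Partition) -> Optional[Tuple[int, int]]:
    """Absolute sector range after the last whole cluster, or None if the
    cluster area ends exactly at the end of the partition."""
    data_sectors = p.total_sectors - p.data_start
    whole_clusters = data_sectors // p.sectors_per_cluster
    last_cluster_end = p.data_start + whole_clusters * p.sectors_per_cluster
    if last_cluster_end >= p.total_sectors:
        return None
    return (p.start_lba + last_cluster_end, p.start_lba + p.total_sectors - 1)


def file_slack(logical_size: int, sectors_per_cluster: int,
               sector_size: int = SECTOR_SIZE) -> Dict[str, int]:
    """File slack and RAM slack (in bytes) for a file of the given logical size.

    A zero-length file has no cluster allocated, so it has no slack at all.
    """
    cluster_size = sectors_per_cluster * sector_size
    if logical_size == 0:
        return {"clusters": 0, "file_slack": 0, "ram_slack": 0}
    clusters = ceil_div(logical_size, cluster_size)
    sector_end = ceil_div(logical_size, sector_size) * sector_size
    return {
        "clusters": clusters,
        "file_slack": clusters * cluster_size - logical_size,
        "ram_slack": sector_end - logical_size,
    }


if __name__ == "__main__":
    # Constructed sample: a 1,000,000-sector disk with two partitions.
    part_a = Partition(start_lba=63, total_sectors=400_000, data_start=37, sectors_per_cluster=8)
    part_b = Partition(start_lba=401_000, total_sectors=500_000, data_start=32, sectors_per_cluster=8)
    print("unallocated sector ranges:", disk_slack(1_000_000, [part_a, part_b]))
    print("partition A slack:", partition_slack(part_a))
    print("partition B slack:", partition_slack(part_b))
    # A 5000-byte file in 4 KB clusters: 2 clusters, 3192 bytes of file slack,
    # of which the last 120 bytes of the final sector in use are RAM slack.
    print("5000-byte file:", file_slack(5000, 8))
```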

4.5.3.2 Keywords View

User can start this view by clicking the Keywords tab from the Left pane. This is the view, where the User can make a list of all the search terms. All the keyword search results will be listed here. Figure 4.5.3.2.1 given below shows the Keywords TabView.

Figure 4.5.3.2.1 - Keywords TabView

The view initially contains two items, viz., KeyWords and Recycle Bin. Keywords are required to start a search process. The desired keywords can be added to the list either by right-clicking on the KeyWords item or by selecting the Keywords|Add Keyword menu item from the menu bar. It can also be done by pressing Ins on the keyboard when the Keywords tab is active. When right-clicking on the KeyWords item in the Left pane, the Add Keyword sub-menu item is displayed. When this item is selected, the dialog box shown in Figure 4.5.3.2.2 below is displayed for entering the desired keyword, say, cyber. Any number of keywords can be entered by just clicking the ’Add Keyword’ button in the dialog box. This facility helps the Investigating Officer to add a large number of keywords without invoking the dialog every time.

Figure 4.5.3.2.2 – Dialog box for entering keyword

After entering the keyword, when the User presses the OK button or ’Add Keyword’, the keyword is added to the list of keywords as shown in Figure 4.5.3.2.3 given below. To add more keywords, press ’Add Keyword’ after entering each next keyword; any number of keywords can be added this way. If OK is pressed, the dialog box disappears.

Figure 4.5.3.2.3 – List of keywords added

In the same manner, the user may add any number of keywords. At the end of the search process, a message box showing the total number of hits and the elapsed time is displayed as shown in Figure 4.5.3.2.5. For each search operation, a new session is created in the Search view under the keyword folder, named session followed by a number.

Figure 4.5.3.2.4-Selecting the keyword by clicking on the checkbox

Figure 4.5.3.2.5-Window showing search session completed.

For more detailed help, refer section 4.5.1.7.

4.5.3.3 Bookmark View

Bookmarking is the facility to mark out the evidences found during analysis into a separate folder. User can start this view by clicking the Bookmarks tab from the Left pane. The following Figure 4.5.3.3.1 given below shows the Bookmark view.

Figure 4.5.3.3.1 - Bookmarks TabView

The Bookmarks tab view provides three options namely:

BookMarks - This contains information regarding the bookmarked folders, files and selected data in separate folders.

Recycle Bin – The entries deleted from the BookMarks item move to the respective folder in Recycle Bin.

The Bookmarks and Recycle Bin items each contain three items namely:

Folders - This contains information regarding all the bookmarked folders.

Files - This contains information regarding all the bookmarked files.

Selected Data - This contains information regarding the data selected for bookmarking during the analysis.

Folder bookmarking and File bookmarking can be done only from the Table view in the right pane. Selected data bookmarking can be done only from the Text view in the bottom pane: select the data to be bookmarked, right-click the mouse and then bookmark that data. A sample bookmarked data item is shown in Figure 4.5.3.3.2 given below.

Figure 4.5.3.3.2 – Selected data that is bookmarked

The right pane shows a number of different attributes of the bookmarked data, which include the name of the file in which the data is available, whether the file is deleted, the file type, a comment about the bookmarked item, etc. The comment is available as the last item of the attributes.

4.5.3.4 Search View

Search results for keyword search and file search are listed in the Search view. Figure 4.5.3.4.1 given below shows the Search view.

Figure 4.5.3.4.1 - Search TabView

The Search tab view provides three options namely:

Search Result - This contains the results of File Search and Keyword search.

Recycle Bin – The sessions deleted from the Keyword Search move to Recycle Bin.

The Search Result contains three items namely:

Keyword Search - This contains keyword search results in different sessions.

File Hash - This contains results of file search by file hash value.

File Extension - This contains results of file search by extension.

A sample search with File Extension folder active is shown in the Figure 4.5.3.4.2 given below.

Figure 4.5.3.4.2 – Search view with file extension active

The right pane shows the files obtained when performing a file search with .doc extension.

4.5.4 Right Pane

Right pane contains 5 Views. They are:

Table View
Gallery View
Timeline View
Summary View
Report View

4.5.4.1 Table View

The Table view can be invoked by clicking on the Table tab from the Right Pane. In the Table view, as shown in Figure 4.5.4.1.1 given below, files and folders with all the information pertaining to them are listed.

Figure 4.5.4.1.1 – Table view tab in the Right Pane

The various file attributes are as follows. Four fields indicate whether the file is:

Deleted (DL)
Date mismatch (DM)
Signature mismatch (SM)
Overwritten (OW)

Following the above four, the other file attributes available are:

File name
Short name
File Extension
Logical Size
Starting cluster
File Type
Signature Description
Last Accessed
Last Written
Created
Is BookMarked
Full path
Hash Value
Hash Set

The detailed description of each of the fields in the Table view is given in the table below.

Field - Value

No. - Serial number. There may be icons in this field depending on the item. Clicking on the square box selects the file / folder / item. If the selected item contains sub-items, they are also selected. If the item is deleted, a red cross symbol appears in this field.

DL - Whether deleted or not.

DM - Whether there is a date mismatch or not.

SM - Whether there is a signature mismatch or not. Valid only after a check for file signature is made.

OW - Whether overwritten or not.

File Name - Actual file / folder / partition / item name.

Short Name - The DOS name. For some file systems, this value may be absent.

File Ext. - File extension.

Logical Size - File size.

Starting Cluster - The cluster number at which the item begins in the media.

File Type - The content type of the file. This may change after a signature check is made.

Description - Gives a brief description of the file / folder.

Last Accessed - The date of last access of the file / folder.

Last Written - The date of last writing to the file / folder.

Created - The date of creation of the file / folder.

Is Bookmarked - Whether bookmarked or not.

Full Path - The complete hierarchical path of the file / folder.

Hash Value - Valid only after file hashing is made. Contains the hash value of the file.

Hash Set - The name of the hash set the file belongs to.

The entries for deleted items will be made in red colour.

The user may see some differences if the file system being analysed is a Linux (Ext2) file system. Some of the major differences that you may notice in the Table view are:

1. It is not possible to get the names of deleted files in Ext2, so inode numbers are displayed as names.

2. There are no short names for Ext2 files/folders.

3. There can be files with no extensions. Extensions longer than 4 characters are possible; then only the first 4 characters are displayed.

4. There can be files with more than one extension; then the last extension is taken as the extension in CyberCheck.

5. There can be files with file names starting with “.”.

6. The extensions can be numbers.

7. The logical size of a folder in FAT is always displayed as 0, but Ext2 displays the correct logical size.

CyberCheck supports the following mouse / keyboard operations in the Table View.

4.5.4.1.1 Keyboard Operations

The up and down arrow can be used to traverse through the table. The Page Up / Page Down key can be used to view the table contents one page up / down. The Home / End key can be used to traverse to the first / last item.

4.5.4.1.2 Mouse Operations

Clicking on any field header except the Description field sorts the table based on that field. Double-clicking on a file in the Table View opens the file in an external viewer if an external viewer capable of opening the file is installed in the analysis system; otherwise, CyberCheck displays an Open With dialog box for the user to select an appropriate program to open the selected file. If the user double-clicks on a folder name, the contents of the folder, if any, are listed. Right-clicking produces a popup menu whose options depend upon the item selected.

4.5.4.1.3 Popup Menu

On right clicking the mouse button in the table view, the following commands can be executed:

Export

This feature helps to export the selected file to a specified location. This is useful if the analysing officer finds some evidence in that file.

Export Summary

This feature helps to export the summary of the selected file to an .html file.

View Cluster Chain

View the clusters allocated for the selected file.

Copy Hash Value

Copy the Hash Value, if file hashing is done.

Append to Report

Append either the file data or the slack content of the selected file to the report. There is also an option to append both the file content and the file slack to the report.

Registry Viewer

On selecting this option we can open the Registry Viewer. This option is enabled in the context menu only if the selected file is a registry file. Example registry files are System.dat and User.dat. The user may search for these files in the evidence file using the file extension search facility. If the files are available, they are displayed under the Search Files item in the Probe view. Select a file from the Table view and right-click the mouse button; the Registry Viewer menu item will now be enabled and can be clicked. The registry viewer is displayed in the subsequent window. The Registry Viewer option has no effect on an Ext2 file system.

User may also invoke registry viewer using View|Registry Viewer menu item from the menu bar.

Bookmark File

On selecting this option, the selected file will be added to the Files list in the Bookmark tab.

Bookmark Folder

This option is enabled only if a folder is selected in the Table view. Selecting this option adds the selected folder to the Folders list in the Bookmark tab.

Extract Zip File

If you want to see the list of files available in a ZIP file, select the desired ZIP file from the Table view and right click on it as shown in figure 4.5.4.1.2 given below.

Figure 4.5.4.1.2 – Selecting Extract ZIP File option

Choose the Extract ZIP file menu item from the context menu. A dialog box with a tree view of the ZIP file will be displayed as shown in figure 4.5.4.1.3 given below.

Figure 4.5.4.1.3 – Display of nested ZIP File listing

If the ZIP file contains another ZIP file, there will be a + sign in the left Pane of the tree view and you may expand it to view the list of files available in the inner ZIP file. This can be extended to further depths.

At any time if you want to view the content of a file in the right pane of the ZipFileViewer, you may double click on the desired item. If the item selected is a ZIP file, the ZIP extractor installed in your system will be invoked to extract the contents of the selected ZIP file. If a ZIP extractor is not available, CyberCheck displays an open with dialog box for the user to select appropriate program to open the selected file. Similarly, if the selected item is any other file type, appropriate native viewer will be invoked for viewing the selected item, if the native viewer is installed in the analysis machine; otherwise, CyberCheck displays an open with dialog box for the user to select appropriate program to open the selected file.

Meta Data

If you want to see the metadata information of Microsoft office files, select the desired document file from the Table view and right click on it as shown in figure 4.5.4.1.4 given below.

Figure 4.5.4.1.4 – Selecting Meta Data option

Choose the Meta Data file menu item from the context menu. A metadata viewer will be displayed as shown in figure 4.5.4.1.5 given below showing the listing of available metadata in the selected document.

Figure 4.5.4.1.5 – Display of metadata of selected document file

Append to HashSet...

If you want to add hash value of a particular file into an existing hash set, select the desired file from the Table view and select this option from the context menu of the Table view as shown in figure 4.5.4.1.6 given below.

Figure 4.5.4.1.6 – Selecting Append to HashSet... option

When this menu item is selected, a dialog box as shown in figure 4.5.4.1.7 given below will be displayed.

Figure 4.5.4.1.7 – Dialog box displaying existing hash sets

From the list of hash sets displayed, select the desired hash set into which the hash value of the selected file is to be appended. After selecting the desired hash set, press the Append button to append the hash value. If the hash value is already available in the hash set, a warning message is displayed; otherwise the hash value is appended to the hash set.

Create HashSet

If you want to create a customized hash set from the files available in the evidence file being analysed, you may select this option from the context menu of the Table view as shown in Figure 4.5.4.1.8 given below. Before selecting this menu item, select the desired files whose hash values are to be added into the hash set to be created.

Figure 4.5.4.1.8 – Selecting Create HashSet option

When this menu item is selected, a dialog box as shown in figure 4.5.4.1.9 given below will be displayed.

Figure 4.5.4.1.9 – Dialog box for specifying hash set name

You may enter the desired hash set name in the edit box shown in the above dialog box. The dialog box also shows the list of existing hash sets in a list box. After entering the hash set name, press the Create HashSet button. If the hash values of the selected files are not available in any of the existing hash sets, a new hash set with the specified name is created and added to the list of hash sets; otherwise, a warning message is displayed and the new hash set is not created. Note that if the selected item is a folder that does not have any data, no hash value is created for the item.

Remove from HashSet...

If you want to remove a hash value from an existing hash set, you may select this option from the context menu of the Table view as shown in figure 4.5.4.1.10 given below.

Figure 4.5.4.1.10 – Selecting Remove from HashSet... option

If the selected hash value is available in any of the existing hash sets, it will be removed from it; otherwise a warning message will be displayed to indicate the non-existence of hash value in any of the hash sets.
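The append, create and remove semantics described for hash sets above, together with the File Hash search from the Search view, as an added example that is not CyberCheck's own code: the hash algorithm (SHA-256), the in-memory representation of the hash sets and the sample evidence items are assumptions, since the manual does not state them.

```python
"""Hash-set bookkeeping with the semantics described for Append to HashSet...,
Create HashSet and Remove from HashSet..., plus a file search by hash set.

Added example; not CyberCheck code. The manual does not state CyberCheck's
hash algorithm or hash-set storage format, so SHA-256 and an in-memory dict
of named sets are assumptions of this example. The sample evidence items
below are constructed.
"""
import hashlib
from typing import Dict, Iterable, List, Optional, Set, Tuple

HashSets = Dict[str, Set[str]]   # hash set name -> set of hex digests

# Constructed sample items: name -> logical content (None = folder, no data).
SAMPLE_ITEMS: Dict[str, Optional[bytes]] = {
    "report.doc": b"quarterly figures",
    "copy of report.doc": b"quarterly figures",   # same content, same hash
    "notes.txt": b"meeting notes",
    "WINDOWS": None,                              # folder: no hash is created
}


def file_hash(data: bytes) -> str:
    """Digest of a file's logical content (SHA-256 is an assumption)."""
    return hashlib.sha256(data).hexdigest()


def set_containing(sets: HashSets, digest: str) -> Optional[str]:
    """Name of the first hash set holding `digest`, or None."""
    for name, members in sets.items():
        if digest in members:
            return name
    return None


def append_to_hashset(sets: HashSets, name: str, digest: str) -> str:
    """Append to HashSet...: warn if the value is already in that set."""
    if name not in sets:
        raise KeyError(f"no hash set named {name!r}")
    if digest in sets[name]:
        return f"warning: hash already present in {name!r}"
    sets[name].add(digest)
    return f"appended to {name!r}"


def create_hashset(sets: HashSets, name: str,
                   items: Iterable[Tuple[str, Optional[bytes]]]) -> str:
    """Create HashSet: items without data are skipped; if any hash already
    exists in an existing set, warn and create nothing."""
    if name in sets:   # not covered by the manual; refusing is an assumption
        return f"warning: hash set {name!r} already exists"
    digests: Dict[str, str] = {}
    for item_name, data in items:
        if not data:       # folder or empty item: no hash value is created
            continue
        digests[item_name] = file_hash(data)
    for item_name, digest in digests.items():
        owner = set_containing(sets, digest)
        if owner is not None:
            return (f"warning: hash of {item_name!r} already exists in "
                    f"{owner!r}; hash set not created")
    sets[name] = set(digests.values())
    return f"created {name!r} with {len(sets[name])} hashes"


def remove_from_hashset(sets: HashSets, digest: str) -> str:
    """Remove from HashSet...: warn if the value is in no hash set."""
    owner = set_containing(sets, digest)
    if owner is None:
        return "warning: hash not found in any hash set"
    sets[owner].discard(digest)
    return f"removed from {owner!r}"


def search_by_hashset(sets: HashSets, name: str,
                      items: Dict[str, Optional[bytes]]) -> List[str]:
    """File search by hash: names of items whose content hash is in the set."""
    members = sets[name]
    return sorted(n for n, d in items.items() if d and file_hash(d) in members)


if __name__ == "__main__":
    sets: HashSets = {}
    print(create_hashset(sets, "CaseSet", SAMPLE_ITEMS.items()))
    print(search_by_hashset(sets, "CaseSet", SAMPLE_ITEMS))
    digest = file_hash(b"quarterly figures")
    print(append_to_hashset(sets, "CaseSet", digest))    # already present
    print(remove_from_hashset(sets, digest))
    print(remove_from_hashset(sets, digest))             # now a warning
```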

4.5.4.1.4 Viewing Compressed Files in NTFS

Compressed files are listed with the description ‘Compressed’ in the table view as shown in figure 4.5.4.1.11 given below. When the file is selected its contents are decompressed and displayed on the bottom pane. If it is a picture file, it is shown in the Picture Tab, otherwise in the Text Tab.

Figure 4.5.4.1.11 – Display of compressed attribute in Table view

4.5.4.1.5 Alternate Data Streams

Alternate data streams (ADS) are additional streams of data attached to a file in addition to its default contents. These alternate data streams are listed as ordinary files in the Table view. Details of ADSs, if any, are listed just below the details of the default contents of the file. The only difference is that the Short Name is not displayed for an ADS. The file to which the ADS is attached is the Base File. Each ADS has its own name. In the File Name field, the name of the ADS is displayed along with its base file name, that is, File Name`Stream Name.

For example, a file named ‘ads.txt’ and the different ADSs attached to it are displayed in the table view as shown in the figure 4.5.4.1.12 given below. When the file ‘ads.txt’ is selected, its default contents will be displayed on the bottom pane.

Figure 4.5.4.1.12 – Display of Alternate Data Streams in Table view

When the alternate data stream named ads.txt`Str4 is selected, its contents are displayed as shown in the figure 4.5.4.1.13 given below.

Figure 4.5.4.1.13 – Display of ADS’s content in Text view

4.5.4.2 Gallery View

The Gallery view can be invoked by clicking on the Gallery tab from the Right Pane. In the Gallery view, as shown in Figure 4.5.4.2.1 given below, all the pictures available in a folder, if any, are displayed as thumbnail views.

Figure 4.5.4.2.1 – Gallery View

Gallery view, as shown in Figure 4.5.4.2.1 above, is a quick way to see all the picture files available in a particular folder. CyberCheck can display almost all types of picture files. Deleted picture files whose contents can be recovered are also shown in this view. To see the Gallery View, just select a folder and then select the Gallery View tab. All picture files, if any, available in that folder are displayed in the Gallery Viewer. To see an image in an enlarged form, just select the desired picture, which is then displayed in the Picture Viewer in the Bottom Pane. To see all the pictures available in an evidence file, first click on the expansion trigger (the trapezoidal box) adjacent to the evidence file name in the Probe View and then click on the Gallery View tab in the right pane. If the number of picture files is quite large, it may take some time to display all the pictures. Figure 4.5.4.2.2 given below shows the Gallery view after clicking the expansion trigger of the evidence file.

Figure 4.5.4.2.2 - Gallery View after the expansion trigger option has been selected

When the User is in the Gallery View, the normal arrow mouse cursor changes to a palm-like cursor. If many pictures are available, the User may scroll through the Gallery View using the adjacent scroll bar. If any picture is totally corrupted and cannot be loaded properly, the message “Invalid Format” is displayed in the thumbnail view of that particular picture. Gallery view is an important feature from the cyber forensic point of view, since it enables the User to view all the pictures available in an evidence file in a single view. It makes it easy to identify a case-related image from the Gallery view.

4.5.4.3 Timeline View

Timeline view is already explained in section 4.5.1.12. Please see that section for details of the Timeline view.

4.5.4.4 Summary View

The Summary view can be invoked by clicking on the Summary tab from the Right Pane. In the Summary view, as shown in Figure 4.5.4.4.1 given below, a summary of the item selected from the Left pane, if any, is displayed. The deleted date of a file/folder (if deleted) is displayed in the Summary tab if the file system being analysed is a Linux (Ext2) file system. Moreover, the logical size of a folder in FAT is always displayed as 0, but Ext2 displays the correct logical size.

Figure 4.5.4.4.1 – Display of Summary view of an item in the Left Pane

In the above figure, it displays all the details of the folder ‘WINDOWS’ selected from Probe View. Similarly, summary of keywords is displayed if the selection is on ‘Keywords’ in the Keyword View as shown in figure 4.5.4.4.2.

Figure 4.5.4.4.2 – Display of Summary view of Keywords.

A summary of the bookmarked data is displayed in the Summary view, as shown in Figure 4.5.4.4.3, if the selection in the Left Pane is the Bookmark tab.

Figure 4.5.4.4.3 – Display of Summary view of Bookmarks.

On selecting the Search tab from the Left Pane, details of the Search Results are shown in the Summary view as shown in Figure 4.5.4.4.4.

Figure 4.5.4.4.4 – Display of Summary view of Search.

4.5.4.5 Report View

The Report view can be invoked by clicking on the Report tab from the Right Pane. The Report view, as shown in Figure 4.5.4.5.1 given below, provides all the information about the evidence file added to the probe, such as when the analysis process was done and how long it lasted, other details related to the case like Crime Number, Lab Reference Number, Police Station, Media Type, etc., and also the information about the files and folders appended to the report.

Figure 4.5.4.5.1 – Display of Report view of an evidence file

The report will contain all the evidence gathered from the evidence file, when the analysis is over. User can take a print out of the report by selecting File|Print Report… menu item from the menu bar.

If the file system being analyzed is that of a Linux (Ext2) file system, then unlike FAT where the logical size of a folder is always displayed as 0, ext2 displays the correct logical size. Other major differences in Ext2 as far as report is concerned are

1. Ext2 does not have FAT, so instead of “Sectors per FAT”,

“Total I nodes” value is displayed in Report tab.

2. There is no display of values like No: of Fats, Root Sector, and Heads in Ext2.

3. Swap partitions of Linux will not display values like volume

name, volume serial, number of folders. 4.5.5 Bottom Pane

The Bottom Pane consists of 7 different viewers. They are:

1. Text View
2. Picture View
3. Hex View
4. Disk View
5. Cluster View
6. Summary View
7. Cyber Script View

In addition to these 7 views, CyberCheck has an additional feature for locking the view, available for all these views except the Cyber Script view. If the lock option is enabled, then whatever file the User selects from the Table view will be opened either in the Disk view or in the Cluster view, depending upon the view selected.

4.5.5.1 Text View

The Text view, as shown in figure 4.5.5.1.1 given below, is for viewing the text contents of the file highlighted in the Table view. This view can be invoked from the Bottom Pane by clicking on the Text tab. The data of the first cluster of a deleted file will be displayed in black colour and the data of subsequent clusters will be displayed in red colour. In the figure given below, the deleted file Copy of Ethernet.pdf has been selected and the User can see the corresponding text view in the bottom pane. If the file is a deleted and overwritten one, the entire content will be displayed in red colour in the Text view.

Figure 4.5.5.1.1 - Displaying the Text View of the deleted file ‘Copy of Ethernet.pdf’

In the case of the NTFS file system, there is a slight difference in the Text view. If the file is deleted but not overwritten, it is displayed entirely in black colour in the Text view. In figure 4.5.5.1.2 given below, the file 1000.txt is a deleted file within an NTFS file system and it is displayed in black colour in the Text view.

Figure 4.5.5.1.2 - Text View of a deleted file of an NTFS file system

In the Text view, file offset information is also provided at the left side of the view. The offset runs from 00000 to the length of the file. The offset of the current cursor position is also shown as SO (Sector Offset), FO (File Offset) and LE (Length), displayed near the Lock check box. Sector Offset is the offset of the current cursor position from the start of the current sector. File Offset is the offset of the current cursor position from the start of the first sector. Length is the number of characters in the block marked in the text viewer. The popup menu associated with the Text view is shown in figure 4.5.5.1.3. On selecting ‘Copy’, the selected data is copied to the clipboard, like the Edit|Copy functionality. Selecting ‘Bookmark selected data’ is the same as selecting Bookmark|Selected data from the main menu. Selecting ‘Append Selected Data to Report’ appends the selected data to the report.

Figure 4.5.5.1.3 – Popup menu of Text View.

The last item in the popup menu is ‘Export’. This is for exporting the selected data. Selecting it after selecting the data to export displays a dialog box as shown in figure 4.5.5.1.4.

Figure 4.5.5.1.4 – Dialog box for exporting data.

If the user clicks OK, the selected data will be written to the file specified in the dialog box. The user can change the file name and location by pressing the Browse button labeled ‘…’. The user can specify different data by selecting the ‘Custom View’ option; in that case the user can give the start and end index within the file to specify where the data starts and ends. CyberCheck also displays the complete path of an item selected from the Table view at the left side of the status bar, as shown in the above figure.

4.5.5.2 Picture View

The Picture view, as shown in figure 4.5.5.2.1 given below, is for viewing the different picture files that are present in the evidence file. This view can be invoked from the Bottom Pane by clicking on the Picture tab. If the selected file is not a picture file, then the Picture tab will be disabled. If the selected file is a picture file, then by default the file will be opened in the Picture viewer. The Gallery View gives a thumbnail view of all the picture files present in a folder; if you want to see an enlarged view of a particular picture, select that picture and it will be displayed in the Picture view.

Figure 4.5.5.2.1 - Picture View of a file

4.5.5.3 Hex View

The Hex view, as shown in figure 4.5.5.3.1 below, is for displaying the file contents in hexadecimal format. This view can be invoked from the Bottom Pane by clicking on the Hex tab. The file content and the hex value of the file highlighted in the Table view are displayed in this view. In the figure given below, the content of the file milkmaid.BMP is displayed in Hex format as well as in Text format. When the Hex tab is selected, the Hex view and the Text view co-exist in the Bottom pane. In the Hex view, if the user selects a set of characters by clicking the left mouse button and dragging over the characters, the characters will be highlighted and the corresponding characters in the Text view will also be highlighted. Likewise, characters selected in the Text view are highlighted in both views.

Figure 4.5.5.3.1 - Displaying the Hex & Text Views of a file

4.5.5.4 Disk View

The Disk View, as shown in figure 4.5.5.4.1 given below, is the graphical representation of the evidence file. This view can be invoked from the Bottom Pane by clicking on the Disk tab. The Disk View allows the User to see the file highlighted in the Table View as it exists on the physical surface. Through the Disk view, you can see where exactly on the hard disk a particular file is located.

Figure 4.5.5.4.1 - Disk view displaying the distribution of allocated sectors of a file

Each block inside the Disk view represents a single sector. On selecting a block, the sector number is displayed above in a text box and the contents are displayed on the right hand side in both the Text view and the Hex view. On clicking the ShowLegend tab, you will get a description of what the different colours of blocks in the Disk view represent. From the figure, it is clear that the file milkmaid.BMP starts from sector number 833108. You can also get the sector count by placing the mouse over a particular sector. In the figure above, the mouse was placed over sector 834356, which is also highlighted in the Disk view of the figure.

Figure 4.5.5.4.2 - Disk View with ShowLegend option enabled

In figure 4.5.5.4.2 given above, the ShowLegend button has been enabled and you can see that red colour in the Disk view indicates the Boot Sector, blue colour indicates an allocated sector, and so on. The Disk view is very helpful in finding out where exactly on the storage media the data resides. You can also see the sector by sector storage of data on the storage media using the Disk view. There are some differences in the Disk View if the file system being analyzed is a Linux (Ext2) file system. They are:

1. While displaying the Disk view by selecting the partition name, FAT highlights the boot sector while Ext2 highlights the superblock.

2. The boot sector/superblock of Ext2 is not displayed in any specific colour.

3. The FAT and Root Directory are not highlighted in any specific colour in Ext2.

In the case of NTFS, if the file or folder is small, its content can be stored in the MFT itself. In this case the space allocated for the file or folder will be only a few sectors, and the file/folder content can start at any byte position from the beginning of a sector, since the content of such small files lies inside the MFT record itself. When such a file is selected, the Disk view shows the allocated sectors, and the text and hex content of the file within the sector is highlighted in blue colour. This is shown in figure 4.5.5.4.3 given below.

Figure 4.5.5.4.3 - Disk view of a small file in NTFS with file content highlighted in blue colour
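To show why a resident NTFS file's content can sit at an arbitrary byte offset inside a sector, and how a non-resident file's cluster chain (the one the Disk and Cluster views draw) is recovered, here is an added Python example that parses a single MFT FILE record; it is not CyberCheck code, and the two records it parses, the 1024-byte record size, the 4096-byte cluster and the $MFT start sector 6291456 are constructed values.

```python
"""Parse one NTFS MFT FILE record and locate its $DATA attribute.
Added example (not CyberCheck code): a resident $DATA keeps the content inside
the record, so it starts at an arbitrary byte of a sector; a non-resident one
stores data runs that give the cluster chain."""
import struct

SECTOR_SIZE = 512
CLUSTER_SIZE = 4096           # constructed: 8 sectors per cluster
MFT_START_SECTOR = 6291456    # constructed: first sector of $MFT
ATTR_DATA, ATTR_END = 0x80, 0xFFFFFFFF


def apply_fixups(record: bytes) -> bytearray:
    """Undo the update sequence: restore the real last 2 bytes of each sector."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if rec[end - 2:end] != usn:
            raise ValueError("update sequence mismatch: torn record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec


def decode_runs(runs: bytes) -> list:
    """Decode data runs into absolute (start_cluster, cluster_count) pairs."""
    out, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0:
        len_sz, off_sz = runs[pos] & 0x0F, runs[pos] >> 4
        pos += 1
        count = int.from_bytes(runs[pos:pos + len_sz], "little")
        pos += len_sz
        # the offset is signed and relative to the previous run's start cluster
        lcn += int.from_bytes(runs[pos:pos + off_sz], "little", signed=True)
        pos += off_sz
        out.append((lcn, count))
    return out


def find_data(record: bytes, record_sector: int) -> dict:
    """Resident: content plus its sector/byte position. Non-resident: the runs."""
    rec = apply_fixups(record)
    pos = struct.unpack_from("<H", rec, 0x14)[0]     # offset of first attribute
    while True:
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == ATTR_END:
            raise ValueError("record has no $DATA attribute")
        if atype == ATTR_DATA:
            break
        pos += alen
    if rec[pos + 8] == 0:                             # non-resident flag clear
        clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
        start = pos + coff                            # byte offset inside record
        return {"resident": True, "content": bytes(rec[start:start + clen]),
                "sector": record_sector + start // SECTOR_SIZE,
                "byte_in_sector": start % SECTOR_SIZE}
    runs_off = struct.unpack_from("<H", rec, pos + 0x20)[0]
    real_size = struct.unpack_from("<Q", rec, pos + 0x30)[0]
    return {"resident": False, "size": real_size,
            "runs": decode_runs(bytes(rec[pos + runs_off:pos + alen]))}


def resident_data(content: bytes) -> bytes:
    """Constructed resident $DATA: 0x18-byte header, content at offset 0x18."""
    body = content + b"\x00" * (-len(content) % 8)
    return struct.pack("<IIBBHHHIHBB", ATTR_DATA, 0x18 + len(body), 0, 0, 0x18,
                       0, 0, len(content), 0x18, 0, 0) + body


def nonresident_data(runs: bytes, real_size: int) -> bytes:
    """Constructed non-resident $DATA: 0x40-byte header, data runs at 0x40."""
    runs += b"\x00" * (-len(runs) % 8)
    clusters = sum(c for _, c in decode_runs(runs))
    hdr = struct.pack("<IIBBHHH", ATTR_DATA, 0x40 + len(runs), 1, 0, 0x40, 0, 0)
    hdr += struct.pack("<QQHHIQQQ", 0, clusters - 1, 0x40, 0, 0,
                       clusters * CLUSTER_SIZE, real_size, real_size)
    return hdr + runs


def build_record(attr: bytes) -> bytes:
    """Constructed two-sector FILE record holding one attribute, fixups applied."""
    rec = bytearray(2 * SECTOR_SIZE)
    rec[:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)          # USA at 0x30: USN + 2 entries
    struct.pack_into("<HH", rec, 0x14, 0x38, 1)       # first attribute, in-use flag
    rec[0x38:0x38 + len(attr)] = attr
    struct.pack_into("<I", rec, 0x38 + len(attr), ATTR_END)
    struct.pack_into("<II", rec, 0x18, 0x38 + len(attr) + 8, len(rec))
    struct.pack_into("<H", rec, 0x30, 1)              # update sequence number
    for i in (1, 2):                                  # stash sector tails, write USN
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * SECTOR_SIZE - 2:i * SECTOR_SIZE]
        rec[i * SECTOR_SIZE - 2:i * SECTOR_SIZE] = b"\x01\x00"
    return bytes(rec)


# constructed runs: 4 clusters from LCN 26425, then 2 from LCN 30000 (delta +3575)
SAMPLE_RUNS = bytes([0x31, 0x04, 0x39, 0x67, 0x00, 0x21, 0x02, 0xF7, 0x0D, 0x00])

if __name__ == "__main__":
    small = build_record(resident_data(b"small file kept in the MFT record\r\n"))
    print(find_data(small, MFT_START_SECTOR))         # byte_in_sector == 80
    large = build_record(nonresident_data(SAMPLE_RUNS, 20000))
    print(find_data(large, MFT_START_SECTOR))         # runs [(26425, 4), (30000, 2)]
```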

Sector Viewer

The Sector Viewer enables the user to view a particular sector's data in FAT12/16, FAT32, NTFS, MBR and Integer format. The Sector viewer can be invoked from the Disk view by selecting the desired sector and right clicking the mouse button. A context menu as shown in figure 4.5.5.4.4 given below will be displayed for selecting the type of format.

Figure 4.5.5.4.4 - Selecting a sector to view the Sector data in FAT12/16, FAT32, NTFS, MBR, Integer formats

When the desired format is selected, sector data will be displayed in the selected format as shown in figure 4.5.5.4.5, figure 4.5.5.4.6, figure 4.5.5.4.7, figure 4.5.5.4.8 and figure 4.5.5.4.9 given below.

Figure 4.5.5.4.5 - viewing as FAT12/16.

The above figure shows the selected sector data in FAT12/16 boot sector format.


Figure 4.5.5.4.6 - viewing as FAT32

The above figure shows the selected sector data in FAT32 boot sector format.


Figure 4.5.5.4.7 - viewing as NTFS

The above figure shows the selected sector data in NTFS boot sector format.

Figure 4.5.5.4.8 - viewing as MBR

The above figure shows the selected sector data in Master Boot Record format.
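As an added example, not CyberCheck's own code, the following Python decodes a 512-byte sector in the MBR, FAT12/16, FAT32 and NTFS boot-sector formats the Sector Viewer offers, reporting the same fields the Report tab lists (Sectors per FAT, No. of FATs, Heads, Root Sector) and, for NTFS, where the MFT starts; the three sample sectors are constructed here, not taken from an evidence file.

```python
"""Decode a 512-byte sector as an MBR or a FAT12/16, FAT32 or NTFS boot sector.
Added example (not CyberCheck code); field offsets are those of the on-disk
formats, the sample sectors at the bottom are constructed."""
import struct

SECTOR_SIZE = 512


def _check_signature(sector: bytes) -> None:
    if len(sector) != SECTOR_SIZE or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")


def decode_mbr(sector: bytes) -> list:
    """Partition table at 0x1BE: four 16-byte entries, empty slots skipped."""
    _check_signature(sector)
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, 0x1BE + 16 * i)
        if ptype:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "start_lba": lba, "sectors": count})
    return parts


def decode_fat(sector: bytes) -> dict:
    """BIOS Parameter Block at 0x0B; FAT32 adds its own fields at 0x24."""
    _check_signature(sector)
    (bps, spc, reserved, fats, root_entries, total16, media, spf16,
     spt, heads, hidden, total32) = struct.unpack_from("<HBHBHHBHHHII", sector, 0x0B)
    info = {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "reserved_sectors": reserved, "fats": fats, "root_entries": root_entries,
            "media": media, "sectors_per_fat": spf16, "sectors_per_track": spt,
            "heads": heads, "hidden_sectors": hidden, "total_sectors": total16 or total32}
    if spf16 == 0:                       # FAT32 keeps the FAT size at 0x24 instead
        spf32, _, _, root_cluster = struct.unpack_from("<IHHI", sector, 0x24)
        info.update(sectors_per_fat=spf32, root_cluster=root_cluster)
    # the root directory follows the FATs; the data region starts after it
    root_sectors = (root_entries * 32 + bps - 1) // bps
    info["root_dir_sector"] = reserved + fats * info["sectors_per_fat"]
    data_start = info["root_dir_sector"] + root_sectors
    clusters = (info["total_sectors"] - data_start) // spc
    # the FAT type is decided by the cluster count, as the FAT specification does
    info["fat_type"] = ("FAT12" if clusters < 4085 else
                        "FAT16" if clusters < 65525 else "FAT32")
    return info


def decode_ntfs(sector: bytes) -> dict:
    """NTFS boot sector: where $MFT lives and how big one FILE record is."""
    _check_signature(sector)
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM id is not NTFS")
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)
    total, mft_lcn, mirr_lcn, cpr = struct.unpack_from("<QQQb", sector, 0x28)
    # clusters-per-record is a cluster count if positive, else 2**(-value) bytes
    rec_size = cpr * spc * bps if cpr > 0 else 1 << -cpr
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": total, "mft_cluster": mft_lcn,
            "mft_start_sector": mft_lcn * spc, "mft_mirror_cluster": mirr_lcn,
            "mft_record_size": rec_size}


DECODERS = {"MBR": decode_mbr, "FAT12/16": decode_fat,
            "FAT32": decode_fat, "NTFS": decode_ntfs}


def decode_sector(sector: bytes, fmt: str):
    """Dispatch on the format name the user picks, as the Sector Viewer menu does."""
    return DECODERS[fmt](sector)


def _sector(prefix: bytes = b"") -> bytearray:
    s = bytearray(SECTOR_SIZE)
    s[:len(prefix)] = prefix
    s[510:512] = b"\x55\xaa"
    return s


def sample_mbr() -> bytes:
    """Constructed MBR: one bootable type-0x07 partition starting at LBA 63."""
    s = _sector()
    struct.pack_into("<B3sB3sII", s, 0x1BE, 0x80, b"\x01\x01\x00", 0x07,
                     b"\xfe\xff\xff", 63, 2097152)
    return bytes(s)


def sample_fat32() -> bytes:
    """Constructed FAT32 boot sector: 1 GiB volume, 2 FATs of 2048 sectors."""
    s = _sector(b"\xeb\x58\x90MSWIN4.1")
    struct.pack_into("<HBHBHHBHHHII", s, 0x0B, 512, 8, 32, 2, 0, 0, 0xF8, 0,
                     63, 255, 63, 2097152)
    struct.pack_into("<IHHI", s, 0x24, 2048, 0, 0, 2)
    return bytes(s)


def sample_ntfs() -> bytes:
    """Constructed NTFS boot sector: 2 GiB volume, $MFT at cluster 786432."""
    s = _sector(b"\xeb\x52\x90NTFS    ")
    struct.pack_into("<HB", s, 0x0B, 512, 8)
    struct.pack_into("<QQQb", s, 0x28, 4194303, 786432, 2, -10)
    return bytes(s)
```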

Figure 4.5.5.4.9 - Viewing as Integer

The above figure shows the selected sector data in integer format.

4.5.5.5 Cluster View

The Cluster view, as shown in figure 4.5.5.5.1 given below, is similar to the Disk view, with the difference that in the Cluster view you get the cluster-wise split-up of the whole evidence file. This view can be invoked from the Bottom Pane by clicking on the Cluster tab. The Cluster View allows you to see the cluster-wise split-up, on the storage media, of the file highlighted in the Table View. In this example, the file Sparse.doc has been highlighted in the Table View. You can see the cluster-wise view of the same file by selecting the Cluster tab. Here, the clusters indicated by the highlighted colour (white) show the cluster view for the selected file.


Figure 4.5.5.5.1 - Cluster view displaying the distribution of allocated clusters of a file

Each block inside the cluster view represents a single cluster. On selecting a block, the cluster number will be displayed as in the case of Disk view and the contents are displayed on the right hand side.

4.5.5.6 Summary View

In the Summary view of Bottom Pane, details of the file selected in the Table View, like File Name, DOS Name, File Extension, File Type, File Attribute, Logical Size, Physical Size, Starting Cluster, Total File Clusters, Full Path, Cluster Chain, etc., will be displayed as a summary of the item selected. This view can be invoked from the Bottom Pane by clicking on the Summary Tab. In the figure 4.5.5.6.1 given below, the file Sparse.doc has been selected and the details of that file are shown in the Summary viewer.


Figure 4.5.5.6.1 - Summary View of a file in the Bottom Pane

4.5.5.7 CyberScript

CyberScript is useful for doing a batch search process in an evidence file. It supports script commands like keyword search, file search and grep search. This can be initiated by selecting the CyberScript tab from the bottom pane as shown in figure 4.5.5.7.1 given below.

Figure 4.5.5.7.1 – Selecting CyberScript from the Bottom Pane


The Help facility provided in the CyberScript context menu enables the user to know more about it. The help can be invoked by right clicking the mouse button in the CyberScript area. The bottom pane divided into two blank panes, shown in the above figure, is the CyberScript area. The top half of the area is an edit box, where you can enter different script commands one by one, one command per line. You can enter any number of commands in the edit box this way. While executing the commands, CyberCheck compiles and validates each command one by one. If there is any error in the syntax of a command, it will be notified in the second half of the CyberScript area and the user will be allowed to correct it before execution.

When you right-click the mouse button in this area, a context menu as shown in figure 4.5.5.7.2 given below will be displayed.

Figure 4.5.5.7.2 – Display of context menu in the CyberScript area

When you select the Help menu item from this context menu, a CyberScript help window as shown in figure 4.5.5.7.3 given below will be displayed.


Figure 4.5.5.7.3 – Display of CyberScript Help

This window shows the different commands supported in the CyberScript, syntax for calling each command and their arguments. The scroll bar can be used to view the complete help information. Remaining portion of the help information is shown in figure 4.5.5.7.4 given below.


Figure 4.5.5.7.4 – Remaining portion of CyberScript Help

The context menu also contains a menu item Samples, which provides a set of commands with different arguments frequently used in case analysis. The User may select desired sample commands from this list and use them as such, or modify them to make his/her own script based on the options explained in the help facility. When you select the Samples menu item from the context menu, a CyberScript samples dialog box as shown in figure 4.5.5.7.5 given below will be displayed.


Figure 4.5.5.7.5 – Display of CyberScript Samples

From the above dialog box, you may select desired sample and press Append to Script button for adding the selected script into the CyberScript edit box. You may make appropriate changes, if necessary, or may use as such. If you select the first command from the above dialog box and press Append to Script button, it will be added into the edit box as shown in the figure 4.5.5.7.6 given below.

Figure 4.5.5.7.6 – Display of a command in the edit box

This command is for a file search in the entire evidence file for files having extension “doc”. It should be noted that if a particular command needs some operation in selected files of the evidence file, user should select those files before starting the execution of script commands. Otherwise, that particular command may fail during the execution.

When a sufficient number of commands have been added into the edit box, you may compile the commands for error checking and validation by selecting the Compile menu item from the context menu, as shown in figure 4.5.5.7.7 given below.

Figure 4.5.5.7.7 – Selecting Compile command

When you select the Compile command from the context menu, error checking and validation will be initiated. If there is an error, it will be notified in the bottom half; otherwise, a notification of successful compilation is displayed. Since the above command is a well-formed script, only the success notification will be displayed, as shown in figure 4.5.5.7.8 given below.

Figure 4.5.5.7.8 – Display of a successful compilation

After compiling the commands, you may execute the script by selecting the Run menu item from the context menu as shown in the figure 4.5.5.7.9 given below.


Figure 4.5.5.7.9 – Selecting Run command

When Run menu item is selected, the commands will be executed one by one and the result will be added to the appropriate area of the CyberCheck views. For example, the result of the above file search will be added into the File Extension folder of Search Tab in the left pane as shown in the figure 4.5.5.7.10 given below.

Figure 4.5.5.7.10 – Display of File Search result

4.5.5.8 Lock Facility

This feature helps in locking a particular view. If you are in a particular view in the Bottom Pane and the Lock Facility is enabled, then whatever file you select from the Table View will be displayed in the locked view in the Bottom Pane. As an example, in figure 4.5.5.8.1 given below, you are in the Disk view and the Lock facility is enabled. The selected file is HowItWorks.doc. Now, if you select any other file, the view will remain in the Disk view itself. If Lock is not enabled, then the file will be opened in its default viewer, i.e., an image file will be opened in the Picture viewer and a .txt file will be opened in the Text viewer. To lock a particular view, the User has to select the corresponding tab and immediately after that check the lock facility. If the lock facility has been checked for any other view previously, then it has to be unchecked and checked again to lock the new view.

Figure 4.5.5.8.1 - Disk view of the selected file with Lock facility enabled

4.6 Preliminary Analysis

4.6.1 Preview

Preview is a useful facility that CyberCheck supports for helping the Investigating Officers and Analyzing Officers, when a cyber crime investigation is dealt with. At the Scene of crime, it helps the investigating officers to decide whether a particular storage media has to be seized or not. Since the Seizure process is a time consuming one, preliminary analysis of the media using preview facility will help the Officer to decide if any evidence is available in the particular storage media. This will avoid seizing of unwanted storage media and hence save precious time of the investigator.

Preview of a storage media can be done in two ways: locally or using a network interface card. If the preview is done locally, the storage media to be previewed is connected to the analysis system. In this case, the User should take care not to write anything on to the storage media being previewed. The User is advised to use drive locking hardware to write protect the storage media to be previewed. It is safe to preview a storage media over the network. In this case, the media to be previewed is connected to a separate machine and write protected by software. Only data will be read, and the read data will be sent to the analysis system through the network interface card. The working of both methods is explained in detail in the subsequent sections.

4.6.1.1 Local Preview

Previewing is done before logging into CyberCheck. From the main user interface of CyberCheck, select Preview|Local Devices menu item. A dialog box as shown in figure 4.6.1.1.1 given below will be displayed for selecting the mode of previewing.


Figure 4.6.1.1.1 – Selection of Local Devices preview.

When this menu item is selected, a dialog box as shown in figure 4.6.1.1.2 given below will be displayed.

Figure 4.6.1.1.2 – Dialog box for selecting media.

User has to choose the type of storage media to be previewed. There are two types, viz., Removable media and Physical media. In the removable media, user is allowed to preview floppy disk or CD. In the Physical media, user is allowed to preview hard disks and USB devices. When a particular type of media is selected, using the radio buttons provided in the above dialog box, different storage media of the selected type available in the system would be listed in the list box for user selection. User may select a desired storage media from the list.


Once a storage media is selected, the rest of the process is similar to the analysis of an evidence file. While previewing, the storage media will not be write-protected. In the preview mode, the user is not allowed to export any of the items or to save the preview findings into a probe file.

4.6.1.2 Network Preview

This is a very useful mode of operation, especially at the scene of crime. The storage media to be previewed might be part of the suspect’s machine. In this case, this machine can be connected to the analysis machine through network interface card using a cross over cable (10/100 Base-T cable). Before starting the preview process, both the systems have to be connected using this cable.

The storage media to be previewed may be connected to a separate system, say suspect’s machine, and this machine has to be booted using TrueBack (Network) boot floppy. How to create boot disk is described in section 4.5.1.14.3. Create TrueBack [Network] and TrueBack [Utility] floppies as per the method described in this section.

To make the suspect’s machine ready for sending data to the analyzing machine first boot the suspect’s system from TrueBack (Network) floppy and then take data using network interface card.

4.6.1.2.1 Preparing Suspect’s System to Boot from TrueBack (Network) Boot Floppy

When data is taken from a suspect’s machine at the scene of crime, care should be taken not to boot the system from the suspect machine’s storage media. Booting from the suspect machine’s storage media may change the content of the media and may destroy valuable evidence. The User may follow the steps given below to make sure that the system boots from a bootable floppy.

1. Remove the main power supply cord of the computer system.

2. Remove the cover of the system.

3. Identify the hard disks, CD drive and floppy drive available in the system.

4. Remove the power supply cable (near the data cable) of all drives except the floppy drive.

5. Connect the main power supply cord of the computer system.

6. Insert the TrueBack [Utility] floppy containing the boot wizard utility into the floppy drive.

7. Boot the system from the floppy.

8. From the command prompt, input BootWiz and press the Enter key.

If the suspect’s system BIOS responds properly to the BootWiz utility, the user can change the boot order of the system using this utility. Otherwise, the utility displays a set of key combinations for various systems for entering the BIOS setup program. Appendix – B shows the different key combinations for different computer models. The user can manually enter the BIOS setup program using the appropriate key combination, depending upon the make and model of the system, while booting the system. In this case, the boot order has to be changed by the user using the facilities provided by the particular BIOS setup program. Either way, change the boot order in such a way that the system boots from the floppy disk when it is set to operational.

9. If the BIOS setup program supports the “Onboard LAN Boot ROM” facility in the Advanced/PCI Configuration menu item, disable this facility.

10. Save the BIOS setup changes, if any, into the ROM and exit from the system.

11. Re-connect the power supply cables of all drives.

12. Insert the TrueBack [Network] boot floppy into the floppy drive and start the system.

13. The system boots into DOS mode from the TrueBack boot floppy.

4.6.1.2.2 Preparing Suspect’s machine to send data through Network Interface Card


For sending data through the network, the basic requirement is that both the suspect machine and the forensic workstation have a Network Interface Card (NIC) installed. If NIC cards are not available, the network preview process cannot be continued. Another requirement is that the DOS network packet driver for the corresponding NIC card should be available with the User. The TrueBack (Network) boot floppy contains a sample DOS network packet driver (RTSPKT.COM) for NIC cards. The User may try to install this packet driver, as explained below, for the particular NIC card available in the suspect machine. If the User is not able to proceed with the installation of this packet driver, then the appropriate driver for the card should be made available to continue with the acquisition. Sometimes the driver might be available with the suspect or in the public domain. The TrueBack (Network) boot floppy created from the CyberCheck environment contains the functionality for sending data through the network. Before starting to send data through the network, connect both machines using the 10/100 Base-T cable (cross over cable) supplied along with the software. After connecting the systems with the cable, boot the suspect’s system using the TrueBack (Network) boot floppy. Now the User is supposed to install the DOS packet driver for the NIC card available in the suspect’s machine. The following steps may be considered as an example of how to install the DOS network packet driver for the NIC card available in the system. These steps assume RTSPKT.COM as the sample packet driver.

1. Type A:\rtspkt 0x62 followed by Enter key.

0x62 is the default I/O address used by this packet driver. If the packet driver is successfully installed, details like line speed, full or half duplex, interrupt number, etc., will be displayed; otherwise, an error message “Fail to find PCI device!” will be displayed. In the case of an error, the User has to get the appropriate driver and install it properly. The Seize & Acquisition process should be continued only after properly installing the DOS packet driver for the NIC card available in the system.


4.6.1.2.2.1 Sending Data through Network Interface Card

Execute TrueBack from command prompt in Suspect’s machine. Then select the following menu option. Since TrueBack software is used for sending data to the Forensic Workstation (Analysis machine) for previewing the storage media of the suspect’s machine, Network Seize & Acquire mode is used for this purpose. Following figure 4.6.1.2.2.1.1 given below shows the selection of network seize & acquisition mode.

Figure 4.6.1.2.2.1.1 - Window for Selecting Network Seizure & Acquisition Mode

After selecting the above menu option, the following window as given in figure 4.6.1.2.2.1.2 will be displayed for machine selection.


Figure 4.6.1.2.2.1.2 - Window for Selecting Suspect’s Machine

From the suspect machine’s display, select that machine as the suspect’s machine first. A message will be displayed as shown in figure 4.6.1.2.2.1.3 given below. User is advised not to take the floppy from the floppy drive, while this process is taking place.

Figure 4.6.1.2.2.1.3 - Message while Suspect’s Machine Waits


The analyzing machine also has to be set up for receiving data from the suspect’s machine. The following steps may be followed to set up the analyzing machine for network previewing.

Step 1: Boot the machine in any Windows platform.

Step 2: Check the configuration of the TCP/IP protocol.

Windows 2000

Step a : Right click the "My Network Places" icon on the desktop. If that icon is not available on the desktop, select the Start button of Windows, select Settings and from there select Control Panel. Open the Network and Dial-up Connections icon from the Control Panel and continue with step e shown below.

Step b : Click the Properties option.

Step c : Right click the "Local Area Connections" icon.

Step d : Click the Properties option.

Step e : Select TCP/IP from the list (if not available, add the TCP/IP protocol).

Step f : Click Properties.

Step g : Click "Use the following IP address".

Step h : Specify an IP address within the range 172.16.0.1 to 172.16.255.255 and set the Subnet Mask to 255.255.0.0.

Step i : Click the OK button.

After specifying an IP Address, User may follow the steps given below for starting the network preview from the analysis machine.

1. Connect both machines with the cross over cable.

2. Boot the suspect’s machine using the TrueBack (Network) boot floppy.

3. Run TrueBack in the suspect’s machine and do the steps till the window displaying the message “Waiting for Forensic Workstation to Connect”. Here, Forensic Workstation is the analysis machine.

4. Boot the analysis machine with a Windows operating system.

5. Run CyberCheck from this machine.

6. Select Preview | Network from the dialog box.

7. Choose a device from the physical media listed in the dialog box and press OK.

8. The rest of the previewing process is the same as that of the local preview, except that the data to be previewed will be sent by the suspect’s machine. In this case, the user need not worry about the protection of the storage media to be previewed, since it is connected to the suspect’s machine.

After setting up the analysis machine and suspect’s machine as explained above, select Preview|Network from the main user-interface as shown in figure 4.6.1.2.2.1.4 given below.

Figure 4.6.1.2.2.1.4 – Selection of Network Devices preview.

If there is no connection error between the analysis machine and the suspect’s machine, communication between the two machines will be established and the dialog box shown in figure 4.6.1.2.2.1.5 given below will be displayed for selecting the physical media of the suspect’s machine listed in the list box. In network preview, only physical devices can be previewed.


Figure 4.6.1.2.2.1.5 – Selection of physical media of the suspect’s machine.

Note that the physical devices listed in the above dialog box are those of the suspect’s machine. When you select a device and press OK, CyberCheck displays further dialog boxes for specifying the Export folder path and setting options, and finally a progress bar while it creates the folder structure of the selected physical device. When the folder structure has been created, CyberCheck presents it in the Probe view, as shown in figure 4.6.1.2.2.1.7 below. Network preview of dynamic disks is not supported at present. If the disk selected for network preview is a dynamic disk, a message box is displayed as shown in figure 4.6.1.2.2.1.6.


Figure 4.6.1.2.2.1.7 – Probe view displaying the folder structure of the Suspect Machine’s physical media.

Figure 4.6.1.2.2.1.6 – Message Box for dynamic disk.

Further data from the suspect’s machine is sent as and when required, that is, when the user selects a file from the Table view. The user may preview the content of the suspect machine’s physical media as in the case of local preview; in network preview the data is fetched from the suspect machine’s physical media on demand. The display on the suspect’s machine is as shown in figure 4.6.1.2.2.1.8 below.


Figure 4.6.1.2.2.1.8 – Window displaying the details of the data sent from the Suspect’s machine.

When the preview of the media is over, data transmission from the suspect’s machine stops and control returns to the main user interface of TrueBack.


5.0 Starting an Analysis

Before starting an analysis, the analyzing officer should have a fair knowledge of the case being analyzed. Once the case has been studied well, the analyzing officer will have a broad idea of what to look for in the evidence file. Depending on the nature of the case, these items might be keywords pertaining to the documents involved, or the existence of a set of normal or deleted files in the evidence file, and so on. Loading an evidence file into the CyberCheck environment is the first step of an analysis. Once the evidence file is loaded, all directories and files in it are displayed in the Probe view of CyberCheck. Analysis can then begin by searching for a particular file, or for particular keywords in files, slack areas, swap files, lost clusters or free clusters.

5.1 Searches

Searching is one of the main ways to find digital evidence in an evidence file using CyberCheck. A search is either a File Search or a Keyword Search. In a File Search you look for files with specific extensions. In a Keyword Search you look for a single keyword or for multiple keywords that may be present in the evidence file. You can search for as many keywords as there are in your keyword list; the more keywords you have, the longer the search takes. You can limit the search space by opting for selected files only, or by checking only the required items in the Search dialog box. CyberCheck can search for keywords in the whole evidence file, in selected files/folders, in swap files, in slack areas, in lost clusters and in used unallocated clusters. Slack searching covers MBR slack, EMBR slack, partition slack, disk slack, RAM slack and file slack, and each kind of slack can be searched separately. CyberCheck also supports case-sensitive and GREP (regular expression) searching.


5.1.1 Search options

An analyzing officer can start a search either by clicking the Search Keywords icon (the binocular icon) on the toolbar or by choosing Search Keywords from the Search menu. File Search finds files in the evidence file that have a particular extension; Keyword Search finds the occurrences of different keywords in different files. Before starting a Keyword Search, the analyzing officer must enter the keywords to be searched for and select the keywords to be included in the search session.

In a File Search you search for files with specific extensions. The files matching those extensions are displayed in the Table view, together with their file attributes. If you click on a file, its content is displayed in the text viewer. Multiple file types can be searched for at once, and you can specify your own file types in the text box; separate each file type with a semicolon. For example, if you choose the Document files option, CyberCheck searches for files with the .doc extension. If you select image and audio files, all image and audio files in the evidence are listed after the search.

Keyword Search is one of the most common methods of analysis. The analyzing officer can set the search space according to the nature of the problem at hand: the entire set of files and folders, or a limited search in selected files, slack space, unallocated free clusters, lost clusters or swap files. Before starting a keyword search, the user has to enter the keywords and select the set of keywords to be included in the search session. The search procedure is explained in detail in chapter 5.1.8. CyberCheck can search for keywords in the whole of the evidence file; by default the Entire Case option is selected.
If you select the Entire Case option in the Files group, the entire evidence is searched by default. If you do not need to search slack, uncheck the Slack option. Similarly, set the other options (Swap Files, Used Unallocated Clusters, Lost Clusters, Hide System Files, etc.) according to the extent of the search you need. If you select the Selected Files option instead, only the selected files are searched, and the same additional options apply. To search files and folders, select the Files and Folders options. These options are set in the Search dialog box shown in figure 5.1.1.1 below.

Figure 5.1.1.1 – Dialog box for setting Search Options


Search Slack space

Data residing in slack areas (MBR slack, EMBR slack, partition slack, disk slack, RAM slack and file slack) can be searched. Each kind of slack is searched separately, and for every hit you can see which slack it belongs to; for file slack you also see the name and path of the file the hit belongs to. To search slack, select the Slack option and then select the slack types you want to search within.

Search Used Unallocated Clusters

CyberCheck can search for keywords in the used unallocated clusters within the evidence file. For this searching, select the Used Unallocated Clusters option.

Search Lost Clusters

CyberCheck can search for keywords within the lost clusters in the evidence. Lost clusters are clusters that are marked in the FAT as being in use but that the file system cannot link to any file. To search them, select the Lost Clusters option.
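The two cluster classes named above, used unallocated clusters and lost clusters, can be recovered from a FAT volume by walking the allocation chains. The following Python example is added by the editor and is not CyberCheck’s code: it builds a small, constructed FAT16-style allocation table, directory listing and cluster contents in memory and classifies every data cluster as allocated (reachable from a directory entry), lost (marked in use but reachable from no entry), used-free (marked free but still holding non-zero data) or free. The table layout, the directory entries and the cluster contents are all assumed for illustration; on a real volume they would be read from the image.

```python
"""Classify FAT data clusters into allocated, lost, used-free and empty-free.

Editor's example (not CyberCheck code). The FAT table, directory entries
and cluster contents below are constructed in memory; on a real volume
they would be read from the image.
"""
from collections import defaultdict

FAT_FREE = 0x0000
FAT_BAD = 0xFFF7
FAT_EOC_MIN = 0xFFF8   # FAT16 end-of-chain markers are 0xFFF8..0xFFFF


def walk_chain(fat, start):
    """Follow a FAT chain from `start` and return the ordered cluster list.

    Stops at end-of-chain, at a free or bad entry (a broken chain) or
    when a cluster repeats (a loop), so a damaged FAT cannot hang it.
    """
    chain, seen = [], set()
    cur = start
    while 2 <= cur < len(fat) and cur not in seen:
        seen.add(cur)
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= FAT_EOC_MIN or nxt in (FAT_FREE, FAT_BAD):
            break
        cur = nxt
    return chain


def classify_clusters(fat, dir_entries, cluster_data):
    """Return {cluster: category} for every data cluster (2 .. len(fat)-1).

    allocated : in use in the FAT and reachable from some directory entry
    lost      : in use in the FAT but reachable from no directory entry
    used_free : free in the FAT but still holding non-zero data
    free      : free in the FAT and zero-filled (or never written)
    bad       : marked as a bad cluster
    """
    reachable = set()
    for entry in dir_entries:
        reachable.update(walk_chain(fat, entry["start"]))

    result = {}
    for c in range(2, len(fat)):
        value = fat[c]
        if value == FAT_FREE:
            result[c] = "used_free" if any(cluster_data.get(c, b"")) else "free"
        elif value == FAT_BAD:
            result[c] = "bad"
        elif c in reachable:
            result[c] = "allocated"
        else:
            result[c] = "lost"
    return result


def summarize(classes):
    """Group cluster numbers by category, sorted for stable output."""
    groups = defaultdict(list)
    for c, cat in classes.items():
        groups[cat].append(c)
    return {k: sorted(v) for k, v in groups.items()}


# Constructed sample volume with data clusters 2..13.
# File A occupies 2 -> 3, file B occupies 5. Chain 7 -> 8 is marked in use
# but no directory entry points to it (lost). Clusters 10 and 11 are free
# in the FAT but still hold old data (used free). Cluster 12 is bad.
SAMPLE_FAT = [
    0xFFF8, 0xFFFF,      # 0, 1: media descriptor / reserved
    3, 0xFFFF,           # 2, 3: file A
    0x0000,              # 4: free, empty
    0xFFFF,              # 5: file B
    0x0000,              # 6: free, empty
    8, 0xFFFF,           # 7, 8: lost chain
    0x0000,              # 9: free, empty
    0x0000, 0x0000,      # 10, 11: free but holding data
    0xFFF7,              # 12: bad cluster
    0x0000,              # 13: free, empty
]
SAMPLE_DIR = [{"name": "A.TXT", "start": 2}, {"name": "B.TXT", "start": 5}]
SAMPLE_DATA = {
    2: b"hello from file A" + b"\x00" * 16,
    3: b"file A continues",
    5: b"file B",
    7: b"orphaned chain, part 1",
    8: b"orphaned chain, part 2",
    10: b"deleted letter draft",
    11: b"more deleted content",
}


if __name__ == "__main__":
    for cat, clusters in summarize(
            classify_clusters(SAMPLE_FAT, SAMPLE_DIR, SAMPLE_DATA)).items():
        print(f"{cat:10s} {clusters}")
```

The used-free test is deliberately crude (any non-zero byte): a real examiner would still want to look at zero-filled free clusters, but only the non-zero ones can carry keyword hits.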

Search Swap Files

CyberCheck can search for keywords within the Swap files, if the Swap Files option is selected.

Search by Extension

CyberCheck can search for keywords only within files having a specified extension. Select the Search by Extension option; the Extension field is then enabled and you can enter the extension to be searched. For example, to search only Word document files, enter doc in the Extension field. Note that only the extension itself is entered, without the leading ‘.’ (dot). The keywords are then searched for only within those document files.

Hide system files

If you don’t want to search within system files, select the Hide System Files option. In this case the system files will be excluded from searching.

Search Results

After specifying the search criteria, click Start Search button. On the upper right hand corner, a progress bar appears showing the status of the search. The search results can be viewed in the Search view. For every hit, you can see the filename, Preview text, hit location within the file and the File Path for that particular hit. In the preview text, the searched keyword will be highlighted in green color. If you click on a hit, all the keyword hits in the specified file will be highlighted in the viewer in blue color and selected hit in yellow color.

Search Sessions

For each search operation, a new session is created under the search results in the Search view. For the session selected, the hits for each keyword are listed on the right-hand side, and the file contents are displayed below in the text view. Different sessions for different sets of keywords are added under the Keyword Search folder of the Search Results. This applies only to keyword searches: the results of a search by file hash or by file extension overwrite the hits of the previous search result.
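The search behaviour described in 5.1.1 and under Search Results (a keyword list, a case-sensitivity switch, GREP mode, and a per-keyword list of hits with location and preview text) is small enough to show in full. The following Python example is added by the editor and is not CyberCheck’s code. It goes beyond the page in one respect: plain keywords are also matched in their UTF-16LE encoding, which is how much Windows-originated text is stored on disk. The sample data is constructed, and keywords are assumed to be Latin-1 text.

```python
"""Keyword search over raw bytes, reporting each hit's offset and preview.

Editor's example, not CyberCheck code. Plain keywords are matched as 8-bit
text and as UTF-16LE (the latter is beyond what the manual describes);
GREP mode treats each keyword as a regular expression over the raw bytes.
Sample data is constructed; keywords are assumed to be Latin-1 text.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    keyword: str
    encoding: str     # "ascii" or "utf-16le"
    offset: int       # byte offset of the hit in the searched data
    preview: str      # printable rendering of the bytes around the hit


def _plain_pattern(keyword, case_sensitive, wide):
    """Regex source for a literal keyword. With `wide`, a NUL byte follows
    every character, which is the UTF-16LE form of Latin-1 text."""
    parts = []
    for ch in keyword:
        if case_sensitive or ch.lower() == ch.upper():
            piece = re.escape(ch)
        else:
            piece = "[" + re.escape(ch.lower()) + re.escape(ch.upper()) + "]"
        parts.append(piece + (r"\x00" if wide else ""))
    return "".join(parts)


def _preview(data, start, end, context):
    lo, hi = max(0, start - context), min(len(data), end + context)
    text = data[lo:hi].decode("latin-1")
    return "".join(ch if ch.isprintable() else "." for ch in text)


def search_keywords(data, keywords, case_sensitive=True, grep=False,
                    context=16):
    """Return {keyword: [Hit, ...]} for every keyword that occurs in `data`.

    Keywords with no hits are left out, so the result reads like one
    search session: a keyword, then its hits in offset order.
    """
    session = {}
    for kw in keywords:
        if grep:
            flags = 0 if case_sensitive else re.IGNORECASE
            variants = [("ascii", re.compile(kw.encode("latin-1"), flags))]
        else:
            variants = [
                (enc, re.compile(
                    _plain_pattern(kw, case_sensitive, wide).encode("latin-1")))
                for enc, wide in (("ascii", False), ("utf-16le", True))]
        hits = []
        for enc, rx in variants:
            for m in rx.finditer(data):
                hits.append(Hit(kw, enc, m.start(),
                                _preview(data, m.start(), m.end(), context)))
        if hits:
            session[kw] = sorted(hits, key=lambda h: h.offset)
    return session


# Constructed sample: an 8-bit text fragment, a UTF-16LE fragment of the
# kind found in Windows shell and registry data, and a credential string.
SAMPLE_DATA = (
    b"Dear Mr. Sharma, the transfer to account 00123 is done.\n"
    + b"\x00" * 8
    + "Attachment: Sharma_contract.doc".encode("utf-16-le")
    + b"\x00" * 8
    + b"login=admin;PASSWORD=hunter2\n"
)


if __name__ == "__main__":
    session = search_keywords(SAMPLE_DATA, ["sharma", "account"],
                              case_sensitive=False)
    for kw, hits in session.items():
        for h in hits:
            print(f"{kw:10s} {h.encoding:8s} @{h.offset:5d}  {h.preview}")
```

Searching the raw bytes rather than decoded text is deliberate: it is what lets the same pass cover file content, slack and unallocated space, where there is no reliable encoding to decode.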

5.2 Slack Analysis

Slack analysis is one of the main features of CyberCheck. Slack analysis includes analysis of MBR Slack, EMBR Slack, Disk Slack, Partition Slack, RAM Slack and File Slack.


Exporting of Slack: The investigator can export the slack by selecting Export | Slack Data from the menu bar. The slack is extracted to the Export Folder path specified by the user. The investigator can open this file in external software such as Microsoft Word, provided the slack file is not very large; Word may not be able to handle a very large slack file properly.

View Slack in the Text Viewer: The investigator can select each slack from the Table view and view its contents in the Text Viewer.

Slack Searching: CyberCheck provides keyword searching in each slack separately.

Viewing Slack in the Disk View: The user can view each slack in the Disk View.
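The two per-file slack types listed in 5.1.1 and 5.2, RAM slack and file slack, are determined entirely by the file size, the sector size and the cluster size. The following Python example is added by the editor and is not CyberCheck’s code. It computes the extent of each, carves them out of a constructed last cluster, and attributes a byte offset within that cluster to the region it falls in, which is what lets a search hit be reported as belonging to a particular slack. It uses the common definitions (RAM slack runs from the end of the file to the end of the sector holding the last file byte; file slack is the remaining whole sectors of the last cluster); that these match the manual’s use of the terms is an assumption.

```python
"""Compute and carve the slack regions of a file's last cluster.

Editor's example, not CyberCheck code. Definitions used (assumed to match
the manual's): RAM slack runs from the end of the file to the end of the
sector holding the last file byte; file slack is the remaining whole
sectors of the last cluster. The cluster image below is constructed.
"""
SECTOR_SIZE = 512


def slack_layout(file_size, cluster_size, sector_size=SECTOR_SIZE):
    """Return (ram_slack_bytes, file_slack_bytes) for the last cluster."""
    if cluster_size % sector_size:
        raise ValueError("cluster size must be a whole number of sectors")
    if file_size == 0:
        return 0, 0                                   # no cluster allocated
    used = file_size % cluster_size or cluster_size   # bytes in last cluster
    ram_slack = (-used) % sector_size                 # up to next sector edge
    file_slack = cluster_size - used - ram_slack      # whole unused sectors
    return ram_slack, file_slack


def slack_region(offset_in_cluster, file_size, cluster_size,
                 sector_size=SECTOR_SIZE):
    """Name the region ('data', 'ram_slack' or 'file_slack') that a byte
    offset inside the last cluster falls into."""
    used = file_size % cluster_size or cluster_size
    ram_slack, _ = slack_layout(file_size, cluster_size, sector_size)
    if offset_in_cluster < used:
        return "data"
    if offset_in_cluster < used + ram_slack:
        return "ram_slack"
    return "file_slack"


def carve_slack(last_cluster, file_size, cluster_size,
                sector_size=SECTOR_SIZE):
    """Split one cluster of raw bytes into (data, ram_slack, file_slack)."""
    if len(last_cluster) != cluster_size:
        raise ValueError("need exactly one cluster of bytes")
    used = file_size % cluster_size or cluster_size
    ram_slack, file_slack = slack_layout(file_size, cluster_size, sector_size)
    return (last_cluster[:used],
            last_cluster[used:used + ram_slack],
            last_cluster[used + ram_slack:used + ram_slack + file_slack])


# Constructed example: a 600-byte text file in a 2048-byte cluster (four
# 512-byte sectors). Bytes 600..1023 are RAM slack and bytes 1024..2047 are
# file slack, here holding remnants of whatever used the cluster before.
CLUSTER_SIZE = 2048
FILE_SIZE = 600
SAMPLE_CLUSTER = (
    (b"Quarterly report, confidential. " * 20)[:FILE_SIZE]   # file data
    + b"\x00" * 100 + b"SECRET KEY 12345" + b"\x00" * 308    # RAM slack
    + (b"OLD DRAFT " * 110)[:1024]                           # file slack
)
assert len(SAMPLE_CLUSTER) == CLUSTER_SIZE


if __name__ == "__main__":
    data, ram, fslack = carve_slack(SAMPLE_CLUSTER, FILE_SIZE, CLUSTER_SIZE)
    print(f"data {len(data)} B, RAM slack {len(ram)} B, file slack {len(fslack)} B")
    hit = SAMPLE_CLUSTER.index(b"SECRET KEY")
    print(f"hit at cluster offset {hit} lies in "
          f"{slack_region(hit, FILE_SIZE, CLUSTER_SIZE)}")
```

The MBR, EMBR, partition and disk slack types work the same way at a larger scale (the gap between one structure’s end and the next structure’s start), but their boundaries come from the partition table rather than the file size, so they are not computed here.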

5.3 Used Free Clusters Analysis

Extraction of Used Free Clusters: The investigator can extract the Used Free Clusters if they were not extracted during loading. To extract them, select Extract | Used Free Clusters from the menu bar. The Used Free Clusters are extracted and can be exported to the Export Folder path specified by the user.

View Used Free Clusters in the Text Viewer: The investigator can select Used Free Clusters in the Table view and view their contents in the Text Viewer.

Searching Keywords in Used Free Clusters: CyberCheck provides keyword searching in Used Free Clusters.

Viewing Used Free Clusters in the Cluster View: The user can view Used Free Clusters in the Cluster View.

5.4 Lost Clusters Analysis


Exporting of Lost Clusters: The investigator can export the Lost Clusters to the Export Folder path specified by the user.

View Lost Clusters in the Text Viewer: The investigator can select Lost Clusters from the Table view and view their contents in the Text Viewer.

Searching Keywords in Lost Clusters: CyberCheck provides keyword searching in Lost Clusters.

Viewing Lost Clusters in the Cluster View: The user can view Lost Clusters in the Cluster View.

5.5 Swap Files Analysis

Export Swap File: To export the swap file, select Export | Swap Files from the menu bar. The swap file is exported to the Export Folder path specified by the user.

Searching Keywords in Swap Files: CyberCheck provides keyword searching in swap files.

5.6 Signature Analysis

To view signature-mismatched files, select the Timeline tab, select Advanced Option and then the Signature Mismatch Only option. Select All Files to view all signature-mismatched files in the evidence, or Selected Files to view only those among the selected files. The Search option finds signature-mismatched files within a specific date range. If signature checking has not been done earlier, selecting Signature Mismatch Only from the timeline options dialog box first runs the signature check on the files in the evidence file and then displays the mismatched files in the timeline chart. Select Created, Last Accessed or Last Written to view the corresponding dates of the signature-mismatched files, and select Normal and/or Deleted to include normal and/or deleted signature-mismatched files. The signature-mismatched files are displayed in the Timeline chart, and can be seen in the Table view by clicking Timeline Files in the Probe view.

Significance of Signatures

Most graphic files and many document files begin with a few bytes that constitute a “signature” of their file type. The software verifies the signature of every file it examines against a list of known file signatures and their associated extensions. Where there is a mismatch, for example where a suspect has “hidden” a file by renaming its extension in an attempt to conceal what it is, CyberCheck automatically identifies the file and records the result in the Signature attribute of the file in the Table view. If you double-click a file, it is opened in the external viewer chosen by the file’s signature, not by its extension.

5.7 Exporting Files

CyberCheck provides the facility to copy a file to the user specified location on the hard disk. To export a file to another location right click on the specified file in the Table view and select the Export option. This is illustrated in the figure 5.7.1 given below.

Figure 5.7.1 - Interface for File Export


A ‘Select Folder’ dialog box appears on the screen as shown in the figure 5.7.2 given below. Select the folder into which you wish to save the selected file and click OK button. (While selecting the destination path the full file path is displayed on the text field at the bottom).

Figure 5.7.2 - Interface for selecting the Export Folder

The export facility can be used to view a file in its native viewer: export the file to any location and double-click it; it opens if a viewer associated with that file type is installed on the system. Note that this runs the native application on untrusted content from the evidence, so do it on an isolated examination workstation rather than a networked one.

5.8 Using Timeline View Features

The timeline view gives a graphical representation for the patterns of file creation, access, last written attributes. From the right pane, click on the Timeline tab. The following window as shown in figure 5.8.1 below is displayed.


Figure 5.8.1 - Interface for selecting the Timeline Options

Timeline View Features

View all files or selected files

CyberCheck has the facility to have a Timeline view of either all the files in an evidence file or selected files/folders. To get a timeline view of all the files in an evidence file, select All Files option and click Show Chart button. If Selected file option is used, only those files for which a selection is made in the probe view are displayed.

View Deleted / Normal files

Based on the selection we can either display the deleted files or normal files in the timeline view. There is also an option to display both the deleted and normal files.


View based on File Attribute

The files can be displayed based on the file creation, last accessed or last written date and time stamp. Based on these file attributes, various permutations can be used to get a timeline view.

View files within a period of time

CyberCheck can also display all files falling within a specified period. To do so, select the Search option, choose the From and To dates in the calendar control below, and click the Show Chart button. The files matching the criteria are added to the Timeline Files item in the Probe view and displayed in the Table view.

Time Anomaly

This option lists the files whose date and time stamps are inconsistent. For example, if the last accessed date and time is earlier than the creation date and time, a time mismatch is reported.

Signature Mismatch

For most file types, the first few bytes of a file (the header) identify its type, which should agree with the file extension. If the extension and the header disagree, a signature mismatch is reported. CyberCheck can display time-mismatched files, signature-mismatched files, or both together.
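The two checks behind the Time Anomaly and Signature Mismatch options (and the signature analysis of 5.6) can be shown over a handful of file records. The following Python example is added by the editor and is not CyberCheck’s code. The signature table is a small, commonly known subset of magic numbers (a real tool carries hundreds of entries), the file records are constructed, and the anomaly rule is the one the page gives: a last-accessed or last-written time earlier than the creation time.

```python
"""Flag signature-mismatched and time-anomalous files from file records.

Editor's example, not CyberCheck code. The signature table is a small
subset of well-known magic numbers; the file records are constructed.
"""
from datetime import datetime

# Leading bytes -> extensions that legitimately carry them (lower case).
SIGNATURES = [
    (b"\xFF\xD8\xFF", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"GIF87a", {"gif"}),
    (b"GIF89a", {"gif"}),
    (b"%PDF-", {"pdf"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", {"doc", "xls", "ppt"}),
    (b"MZ", {"exe", "dll", "sys"}),
    (b"BM", {"bmp"}),
]
KNOWN_EXTENSIONS = set().union(*(exts for _, exts in SIGNATURES))


def extension_of(name):
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def identify(header):
    """Extensions matching the header's signature, or None if unrecognised."""
    for magic, exts in SIGNATURES:
        if header.startswith(magic):
            return exts
    return None


def signature_mismatch(name, header):
    """True when header and extension disagree.

    Recognised header: the extension must be one the signature allows, so a
    JPEG renamed to .txt, or stripped of its extension, is flagged.
    Unrecognised header: flagged only if the extension claims a type whose
    signature is in the table (a .doc that does not start like an OLE file).
    """
    ext = extension_of(name)
    exts = identify(header)
    if exts is not None:
        return ext not in exts
    return ext in KNOWN_EXTENSIONS


def time_anomaly(created, accessed, written):
    """The page's rule: accessed or written earlier than the creation time.

    Examiner's caveat: copying a file on Windows keeps the original
    last-written time but stamps a new creation time, so 'written before
    created' is a lead to explain, not proof of clock tampering.
    """
    return accessed < created or written < created


def timeline_filter(records, signature=True, time=True):
    """Names of records failing any of the selected checks, in input order."""
    flagged = []
    for r in records:
        bad_sig = signature and signature_mismatch(r["name"], r["header"])
        bad_time = time and time_anomaly(r["created"], r["accessed"],
                                         r["written"])
        if bad_sig or bad_time:
            flagged.append(r["name"])
    return flagged


def _rec(name, header, created, accessed, written):
    """Build one constructed record; timestamps are (year, month, day, hour)."""
    return {"name": name, "header": header, "created": datetime(*created),
            "accessed": datetime(*accessed), "written": datetime(*written)}


SAMPLE_RECORDS = [
    _rec("holiday.jpg", b"\xFF\xD8\xFF\xE0\x00\x10JFIF",
         (2006, 1, 10, 9), (2006, 1, 12, 8), (2006, 1, 10, 9)),
    _rec("notes.txt", b"\xFF\xD8\xFF\xE1\x12\x08Exif",          # JPEG renamed
         (2006, 1, 11, 9), (2006, 1, 11, 9), (2006, 1, 11, 9)),
    _rec("report.doc", b"Minutes of the meeting ...",           # not OLE
         (2006, 2, 1, 10), (2006, 2, 1, 10), (2006, 2, 1, 10)),
    _rec("budget.xls", b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",
         (2006, 2, 3, 10), (2006, 2, 5, 10), (2006, 2, 4, 10)),
    _rec("old.pdf", b"%PDF-1.4",                                # accessed first
         (2006, 3, 1, 9), (2005, 12, 31, 9), (2006, 3, 1, 9)),
    _rec("setup.exe", b"MZ\x90\x00",                            # written first
         (2006, 2, 1, 9), (2006, 2, 1, 9), (2006, 1, 15, 9)),
]


if __name__ == "__main__":
    print("signature mismatch:", timeline_filter(SAMPLE_RECORDS, time=False))
    print("time anomaly:      ", timeline_filter(SAMPLE_RECORDS, signature=False))
    print("either:            ", timeline_filter(SAMPLE_RECORDS))
```

Note that a header-only check has limits: container formats such as ZIP cover several extensions, and short signatures like MZ or BM can match text by accident, so a hit is a reason to open the file, not a conclusion about it.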

Features in Timeline View

On right clicking inside the timeline view you get the following options,

Zoom in / Zoom out

We can zoom in and zoom out to get a detailed view of the files. To zoom in, left-click inside the timeline view and drag the mouse over the region you wish to zoom in on. A dotted rectangle is drawn along the selection path indicating the selected region.


Continue this process to zoom in to higher resolution. Similarly right click inside and select zoom out option to get a lower resolution file view.

Show / Hide Grid

The show grid option gives a grid line view of the files. The timeline view is divided into grids based on the number of files available in the view. To hide the grid view, click the hide grid option.

Options

This brings up the option window, where we can redefine our view options like viewing only modified files etc.

Show Files

The Show files option brings up the probe view with all the timeline files displayed in the right pane. On clicking Timeline tab the view will return to the previous Timeline file list view.

5.9 Book marking in Analysis

While the analysis is in progress, the investigator may find a file, folder or part of a file that merits detailed examination. CyberCheck lets these items be bookmarked into separate folders so they can be examined in detail later. If the investigator identifies valuable evidence among the bookmarked items, it can be appended to the report from there.

5.10 Report

To generate a report with acquisition information, drive geometry information and partition table information, click on the Report tab of right pane. Report view will be displayed as given in figure 5.10.1 below.


Figure 5.10.1 – Report

Report contains the following information

Complete information of the evidence file system
Complete information of the partitions and drive geometry
Hash verification details
Details of mismatched blocks in case of hash mismatch (for TrueBack images only)
User login and logout information
Appended content of text files and slack information
Picture files included as images
Folder structure

5.10.1 Adding Evidence into Report


Once a user has logged in by creating a new probe, CyberCheck keeps track of all the user’s activities in its report. A probe under analysis can be saved in a report file: select Save from the File menu. When a probe is saved, the logout date and time are recorded along with the login date and time and all the analysis data that was saved manually. When a probe is saved under a file name, a password confirmation window pops up. This password protects the saved report against being opened or altered in CyberCheck by a third person; keep a hash of the saved report file as well, since a password only controls access within the tool.

Opening a Probe

When a saved probe is opened we need to open the report file as shown in the figure 5.10.1.1 given below and click OK button.

Figure 5.10.1.1 - Opening an existing Probe file

A password confirmation window appears if the probe was saved with a password; if the password typed does not match, access to the saved probe is denied. Similarly, if the wrong evidence file is given, the error message “evidence and report file mismatch” is displayed.


Normally the digital evidence is part of a file. During an analysis session, if the analyzing officer finds likely digital evidence in some part of a file or in the slack area of a file, s/he can add the content or slack of that file to the report by selecting the file in the Table view and right-clicking it. A context menu with several sub-menus pops up; choose Append to Report. The analyzing officer may append File Content, File Slack or both to the report. If File Content is chosen, the data part of the selected file is appended to the report along with the attributes of the file. If File Slack is chosen, the data in the file slack, if any, is appended along with the attributes of the file. If the selected file is a picture file, its content is added to the report as a picture rather than as raw data. An example report is shown in figures 5.10.1.2, 5.10.1.3 and 5.10.1.4 below.

Figure 5.10.1.2 - Report after Appending Content of the Selected File


Figure 5.10.1.3 - Report after Appending Slack of the Selected File


Figure 5.10.1.4 - Report after Appending the Picture of the Selected File

5.10.2 Printing Report

Printing of the report is initiated from the File menu: select the Print sub-menu and print the report. Refer to section 4.5.1.1.3 Print Report for more details.
