digital forensics - ucilnica.fri.uni-lj.si
TRANSCRIPT
Computer
chapter 15
• pre-knowledge:
  • architecture of computers
  • basics (BIOS)
  • operating system
  • secondary memory (disc) and its organization
  • file systems
AndrejBrodnik:DigitalForensics
Startup
• startup steps
• BIOS (Basic Input Output System)
  • Open Firmware (Mac PowerPC), EFI (Mac Intel), OpenBoot PROM (Sun), …
  • POST (Power On Self Test)
• the operating data are stored in xROM
• sometimes a password protects the data – the password is entered by the user
Startup …
• example Moussawi:
  The computer has been shut down for a very long time and the battery on the motherboard has been drained
• how the data is encoded
  • ASCII, ...
  • little/big endian
• What happens if you take the disc to another computer?
File format
• at the beginning, all files have their unique signatures (www.garykessler.net/library/file_sigs.html)
  • jpg: FF D8 FF E0 or FF D8 FF E3
  • gif: 47 49 46 38 37 61 or 47 49 46 38 39 61
  • doc: D0 CF 11 E0 A1 B1 1A E1
File format - example
• JPEG-encoded EXIF (Exchangeable image file format) file
File format
• a file can be embedded in another file
  • find the file
  • it can be marked and copied (copy-paste)
  • or use the tool dd
• this procedure is called carving
• other tools:
  • scalpel (http://www.digitalforensicssolutions.com/Scalpel/), DataLifter (http://www.datalifter.com/)
  • EnCase (http://www.guidancesoftware.com/forensic.htm), FTK (Forensic Toolkit, http://accessdata.com/products/computer-forensics/ftk), X-Ways (http://www.x-ways.net/)
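The signature search and the dd-style cut described on the two slides above, as an added example (not code from the lecture): it locates the magic numbers quoted on the "File format" slide inside a container and carves the JPEG between its SOI and EOI markers. The container bytes are constructed here.

```python
"""Signature-based file carving (added example; not from the slides).

Finds the magic numbers quoted on the slide inside a larger container and cuts a JPEG
out between its SOI (FF D8) and EOI (FF D9) markers, which is the same byte range one
would hand to dd with skip/count. The container is constructed, not real evidence.
"""
from __future__ import annotations

# Signatures as listed on the slide (see file_sigs.html), written as the bytes appear on disk.
SIGNATURES = {
    "jpg": [bytes.fromhex("FFD8FFE0"), bytes.fromhex("FFD8FFE3")],
    "gif": [b"GIF87a", b"GIF89a"],                  # 47 49 46 38 37 61 / 47 49 46 38 39 61
    "doc": [bytes.fromhex("D0CF11E0A1B11AE1")],
}

def find_signatures(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, type) for every signature occurrence, sorted by offset."""
    hits = []
    for kind, magics in SIGNATURES.items():
        for magic in magics:
            pos = data.find(magic)
            while pos != -1:
                hits.append((pos, kind))
                pos = data.find(magic, pos + 1)
    return sorted(hits)

def carve_jpeg(data: bytes, start: int) -> bytes | None:
    """Cut a JPEG from the SOI marker at `start` to the first EOI marker after it."""
    end = data.find(b"\xff\xd9", start + 2)
    if end == -1:
        return None          # truncated or fragmented: needs a smarter carver (see Adroit)
    return data[start:end + 2]

def dd_command(image: str, start: int, length: int) -> str:
    """The manual dd extraction from the slide for the same byte range."""
    return f"dd if={image} of=carved.jpg bs=1 skip={start} count={length}"

# Constructed container: a .doc header, padding, a minimal JPEG, padding, a GIF header.
JPEG = bytes.fromhex("FFD8FFE000104A46494600") + b"\x00" * 20 + bytes.fromhex("FFD9")
SAMPLE = (bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 40
          + JPEG + b"\x00" * 16 + b"GIF89a" + b"\x00" * 10)

if __name__ == "__main__":
    hits = find_signatures(SAMPLE)
    print(hits)                                    # [(0, 'doc'), (48, 'jpg'), (97, 'gif')]
    start = next(off for off, kind in hits if kind == "jpg")
    carved = carve_jpeg(SAMPLE, start)
    print(dd_command("container.bin", start, len(carved)))
```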
Carving
• in the end we only get the content and not the metadata from the directory
• the other problem is that the data can be scattered across the disk
  • Adroit (http://digital-assembly.com/products/adroit-photo-forensics/)
File format - challenge
• Challenge: Embed one file in another file and publish it on the forum. Your colleagues should find the embedded file and extract it using tools like dd or the other tools mentioned on the previous slides.
• Challenge: Divide a file into several pieces, insert each one into another file and post them all in the forum. Let your colleagues reconstruct your distributed pieces.
Data storage and hiding
• the I/O units are connected to the computer via:
  • bus (IDE, ATA, SATA; SCSI, FireWire)
  • interface (controller)
• the interfaces can also be smart
  • SMART (Self-Monitoring, Analysis, and Reporting Technology)
  • keeps access statistics and other similar data
  • usually not relevant for forensic research
Data storage and hiding
• usually we store data permanently on a disk
• What does the hard drive look like?
Data storage and hiding
• how is the disk organized?
  • spindle, platter, cylinders, tracks, sectors, cluster
• the first sector holds control data (MBR, master boot record)
  • size (geometry), blocks, partitions, ...
• what does the organization of an SSD look like?
Data storage and hiding
• Challenge: find the anadisk tool and see what it knows and can do.
• Challenge: what is the MBR structure? Build your own MBR and post it in the forum.
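A parser and builder for the classic MBR structure the challenge asks about, as an added example (not part of the lecture): it checks the 55 AA signature, decodes the four partition entries and lists the sectors no partition covers, which is where a hidden partition (a later slide) would sit. The sample sector is constructed.

```python
"""Parse and build a classic MBR (added example; not from the lecture).

Layout: 446 bytes boot code | 4 x 16-byte partition entries at offset 446 | 55 AA at 510.
Entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4 LE) sector-count(4 LE).
The sector below is constructed, not read from a real disk.
"""
import struct

PART_TABLE_OFFSET = 446
ENTRY = struct.Struct("<B3sB3sII")           # little-endian, 16 bytes per entry

def parse_mbr(sector: bytes) -> list[dict]:
    """Return the used partition entries; raise if the 55 AA signature is missing."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("no 55 AA boot signature: not an MBR, or the sector is damaged")
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = ENTRY.unpack_from(sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue                          # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count, "lba_end": lba + count - 1})
    return parts

def unallocated_gaps(parts: list[dict], disk_sectors: int) -> list[tuple[int, int]]:
    """Sector ranges no partition covers: where a hidden partition or slack data can sit."""
    gaps, cursor = [], 1                      # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"] - 1))
        cursor = max(cursor, p["lba_end"] + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps

def build_mbr(entries: list[tuple[int, int, int, int]]) -> bytes:
    """Constructed MBR from (status, type, lba_start, sectors) tuples; CHS fields left zero."""
    table = b"".join(ENTRY.pack(s, b"\0\0\0", t, b"\0\0\0", lba, n) for s, t, lba, n in entries)
    return b"\0" * PART_TABLE_OFFSET + table.ljust(64, b"\0") + b"\x55\xaa"

# Constructed disk of 262144 sectors: bootable NTFS (type 0x07) and FAT32 LBA (type 0x0C)
# with a 1 MiB gap between them, as unallocated space often looks.
SAMPLE_MBR = build_mbr([(0x80, 0x07, 2048, 204800), (0x00, 0x0C, 208896, 40960)])

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    print(parts)
    print("unallocated:", unallocated_gaps(parts, 262144))
```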
Data storage and hiding
• look at the Windows 95 boot sector with the Norton Disk Utils tool
Data storage and hiding
• simplified organization of the disk with the FAT file system
Data storage and hiding
• partition, volume, sector
  • inside the file system
  • can also be without a file system
Data storage and hiding
• hiding data due to internal and external fragmentation:
  • hiding within a cluster
  • hiding within the partition (partitions usually begin at the beginning of a track)
  • hiding a partition
• partition encryption
• service data: DCO (Drive/device configuration overlay) and HPA (Host/hidden protected area) – http://www.forensicswiki.org/wiki/DCO_and_HPA
Data storage and hiding
• the virus is hidden in the empty part of the partition volume (volume slack)
Data storage and hiding
• when a file is deleted, the data does not disappear
• even when we format the disk, the data does not disappear
  • take a look at the tool fdisk
  • the result of both operations is a correct file system and a cluster of empty blocks
  • tools: sleuthkit (http://www.sleuthkit.org/), Norton DiskEdit, …
Data storage and hiding
• an example of the reconstruction of files on a freshly formatted disk with the EnCase tool
Data storage and hiding
• Challenge: See what the MBR and boot sector on your computer look like with an appropriate tool. Report about this on the forum.
• Challenge: Check the configuration of your drive.
Data storage and hiding
• hiding partitions
  • tool TestDisk (http://www.cgsecurity.org/)
• at file level
  • hiding files: e.g. MS Windows: attrib +H and dir /AH
  • parlament.jpg -> test.exe
  • picture in a .ppt presentation
• the latest tools
Passwords and encryption
• tools for breaking and searching passwords
  • Password Recovery Tool – PRTK and Distributed Network Attack – DNA (http://accessdata.com/products/computer-forensics/decryption)
  • John the Ripper (www.openwall.com/john/)
  • Cain and Abel (www.oxid.it/cain.html)
  • Advanced Archive Password Recovery (www.elcomsoft.com/azpr.html)
Passwords and encryption
• more about encryption and cryptography later
• some examples
  • tools caesar, rot13
  • support for PGP
  • tool crypt
OS Windows
chapter 17
• file systems
• data recovery
• notes (log files)
• registry
• communication trails
OS Windows – file system
• two basic file systems: FAT (File Allocation Table) and NTFS (New Technology File System)
• FAT
  • developed first for hard disks (floppy disks)
  • FAT12, FAT16, FAT32
File system FAT
• FATxx is a list of index clusters in which each file is stored
  • xx means the number of bits used for the index
  • 12 = 2^12 = 4096, 16 = 2^16 = 65,536, 32 = 2^28 = 268,435,456
File system FAT
• view the root of the file system on the hard disk using the X-Ways program
• keeps the creation time and the time of the last change, but only the date of the last access
File system FAT
• Challenge: See for yourself what the FAT looks like on your disk. Look in particular for those clusters that are empty - they are not part of any file system.
File system NTFS
• a more modern file system
• everything is in files
  • the file information is stored in the system file $MFT
  • a directory is only a file (B-tree structure)
  • it is journaled and stores transactions over a file in the system file $LogFile
• supports multiple file functionality
  • ACL (Access Control List)
• better protected, since it stores copies of file system data in multiple locations ($MFTMirr)
File system NTFS
• Challenge: look in your NTFS journals for entries that are empty (unused) and then look at their content.
NTFS – $MFT
• example of one record in $MFT
  • the record consists of attributes; the record is 1 kB in size
  • if the file is small, it is stored in the record itself
  • when the record is flagged as deleted, the record is reused
NTFS - search for data
• there is a physical file size (cluster), a logical size (directory entry) and the end of the file (EOF)
NTFS - search for data
• in one directory we can have multiple files with the same name
File system NTFS
• Challenge: Which clusters compose your file?
• Challenge: Find an occupied but unused part of your file (on which clusters) and see what is in it.
• Challenge: What happens if we make 1000 files, then delete 1000 and work on it?
Time coding for files
• FILETIME
  • 64-bit record
  • value = 1.1.1600 + number * 100 ns
NTFS - tracks files
• various operations have a different impact on the times recorded in the directory (creation - CR, last access - LA, last change - LC, record changed (NTFS) - RC):
  • moving the file inside a directory: it does not affect anything
  • moving the file to another directory: CR, LA, RC
  • copying a file (target file): CR, LA, RC
  • copy/paste: LA (*)
  • drag & drop: LA (*)
  • delete: LA, RC
• special features:
  • file on a stick, or transferred via scp/...: CR > LC
  • when deleting a directory, the file information does not change
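Decoding FILETIME values and replaying the time-update table above, as an added example (not from the lecture). Windows documents the FILETIME epoch as 1 January 1601 00:00 UTC in 100 ns ticks; the operation table and the two indicators (CR > LC, LA == CR) follow the slides, and the sample times are constructed.

```python
"""FILETIME decoding and the NTFS time-update rules from the slide (added example; not from the lecture).

A FILETIME is an unsigned 64-bit count of 100 ns ticks since 1601-01-01 00:00 UTC (the epoch
Windows documents). CR/LA/LC/RC follow the slide's abbreviations. Sample times are constructed.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000                     # one tick = 100 ns

def filetime_to_datetime(ft: int) -> datetime:
    """Raw FILETIME (stored little-endian in $MFT) -> timezone-aware UTC datetime."""
    if not 0 <= ft < 2**63:
        raise ValueError("FILETIME out of range")
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here to build the constructed sample records."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10

# Which of the four times each operation refreshes, exactly as the slide lists them.
OPERATION_UPDATES = {
    "move inside directory": set(),
    "move to another directory": {"CR", "LA", "RC"},
    "copy (target file)": {"CR", "LA", "RC"},
    "copy/paste": {"LA"},
    "drag & drop": {"LA"},
    "delete": {"LA", "RC"},
}

def apply_operation(times: dict, operation: str, when: datetime) -> dict:
    """Return the CR/LA/LC/RC set (as FILETIMEs) after `operation` happened at `when`."""
    updated = dict(times)
    for key in OPERATION_UPDATES[operation]:
        updated[key] = datetime_to_filetime(when)
    return updated

def anomalies(times: dict) -> list:
    """The two indicators the slides ask about: CR later than LC, and LA identical to CR."""
    cr, la, lc = (filetime_to_datetime(times[k]) for k in ("CR", "LA", "LC"))
    out = []
    if cr > lc:
        out.append("CR > LC: content older than its creation here (copied in from a stick / via scp)")
    if la == cr:
        out.append("LA == CR: never accessed after creation")
    return out

if __name__ == "__main__":
    t0 = datetime_to_filetime(datetime(2010, 5, 1, 12, 0, tzinfo=timezone.utc))
    original = {"CR": t0, "LA": t0, "LC": t0, "RC": t0}          # constructed source file
    copied = apply_operation(original, "copy (target file)", datetime(2011, 1, 1, tzinfo=timezone.utc))
    print(filetime_to_datetime(copied["CR"]), anomalies(copied))
```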
NTFS - tracks files ...
• the content of office files contains metadata from the directory
• Save as: if an existing file is picked, the data in the file is overwritten and no new file is created in the directory
• printing first copies the file to a special directory and then prints it
  • C:\Windows\Spool\Printers, C:\WinNT\System32\Spool\Printers
  • even when we print online content, etc.
NTFS - tracks files ...
• Challenge: Find a file that has a creation time later than the time of the last change.
• Challenge: What can you say: is there a file on the system whose last access time is the same as the time of its creation?
• Challenge: What is the EMF printing method? What is stored in the print file (spooler)?
Data recovery
• recover deleted files
• various tools that can run on Win OS
• Sleuth Kit combined with Autopsy Browser can even be used through the web browser (http://www.sleuthkit.org/autopsy/)
Data recovery …
• Challenge: install sleuthkit and Autopsy Browser and find the lost files.
Data recovery …
• searching for lost files in a large unstructured heap of data
  • the same as carving files
• tool DataLifter: looks for a lost file in two empty areas and in the rest of the file system
Data recovery …
• if a small file overwrites a larger one, we can reconstruct most of the larger file
• EnCase: an example of a CD Universe shopping cart found in the remaining file space
Log files
• the operating system (depending on the settings) records
  • access to resources
  • appearance and deletion of resources,
  • errors, etc.
• saved in %systemroot%\system32\config (c:\winnt\...)
• different notes in different files: Appevent.evt, Secevent.evt, Sysevent.evt
Log files
• Challenge: check the format of the evt files, check what is in them and when you logged into the system.
Registry
• in Windows OS the process environment variables are defined in the registry
  • actually, the data is stored in files (hives) in the system directory %systemroot%\system32\config
  • ntuser.dat for each user account
• the files can be viewed with the Windows tool regedt32 (EnCase, FTK, ...)
Network tracking
• sometimes from the system environment
  • when connecting, ...
• mostly comes directly from the application
  • browsers, mail agents, ...
Network Tracking - Browsers
• history:
  • firefox-3 stores history in the sqlite database Places.sqlite
  • Internet Explorer stores history in the file index.dat
  • tools that are available to search through these databases: Odessa (www.odessa.sourceforge.net)
• local cache
• cookies
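Querying the Firefox places.sqlite history mentioned above with plain sqlite3, as an added example (not the lecture's tool): it joins moz_historyvisits to moz_places, converts PRTime microsecond stamps to UTC and lists URLs that no longer have a visit row. The database is constructed in memory with only the columns the queries use.

```python
"""Read browsing history from a Firefox places.sqlite (added example; not the lecture's tool).

Firefox keeps one row per URL in moz_places and one row per visit in moz_historyvisits;
times are PRTime, microseconds since 1970-01-01 UTC. The database below is built in memory
with only the columns the queries need (constructed data, not a real profile).
"""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                         visit_count INTEGER, last_visit_date INTEGER);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
"""

def prtime_to_datetime(us: int) -> datetime:
    """PRTime microseconds -> UTC datetime (microseconds, unlike FILETIME's 100 ns ticks)."""
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc)

def history(conn: sqlite3.Connection) -> list:
    """Chronological (UTC time, url, title) for every recorded visit."""
    rows = conn.execute("""
        SELECT v.visit_date, p.url, p.title
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date""").fetchall()
    return [(prtime_to_datetime(t).strftime("%Y-%m-%d %H:%M:%S"), url, title or "")
            for t, url, title in rows]

def places_without_visits(conn: sqlite3.Connection) -> list:
    """URLs still present in moz_places although no visit row points at them."""
    return [url for (url,) in conn.execute("""
        SELECT url FROM moz_places p
        WHERE NOT EXISTS (SELECT 1 FROM moz_historyvisits v WHERE v.place_id = p.id)""")]

def constructed_db() -> sqlite3.Connection:
    """In-memory stand-in for a profile's places.sqlite, filled with made-up visits."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", [
        (1, "https://ucilnica.fri.uni-lj.si/", "Classroom", 2, 1280000000000000),
        (2, "https://www.sleuthkit.org/", "The Sleuth Kit", 1, 1280000060000000),
        (3, "https://example.org/", None, 0, None)])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
        (1, 0, 1, 1279999940000000, 1), (2, 1, 2, 1280000060000000, 1), (3, 0, 1, 1280000000000000, 1)])
    return conn

if __name__ == "__main__":
    conn = constructed_db()
    print(history(conn), places_without_visits(conn))
```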
Browsers - Cookies
• example of cookie inspection in CookieView (www.digitaldetective.co.uk)
Browsers
• Challenge: Find out what leftovers you have in your cache and check them against your browsing history.
• Challenge: Get a file from your friend's browser history and disassemble it.
• Challenge: Check out what kind of traces are left behind by the IE browser, what kind by Mozilla and what kind by Opera.
• traces depend on the mail agent we use
  • sent and received mails
  • summary of the IMAP mailbox
• content that is interesting
  • text mails only
  • attachments (!) – MIME format
Other programs
• different programs leave different traces
  • network software
  • access to other systems
  • allowing other systems to access our system
• system programs leave traces in the registry