F9 - Common Forensic Analysis Techniques. Dr. John P. Abraham, Professor, UTPA.

Introduction
– When you conduct forensic analysis, there are a few steps you must execute in nearly every type of investigation to prepare the data for your analysis. For instance, you usually want to recover any deleted files and add them to your analysis. It is always advantageous to reduce your data set to the smallest number of files to analyze so that you can review the data efficiently. Another step you want to perform is string searching, to identify relevant files and fragments of relevant files.
– In Unix-like operating systems, a loop device, vnd (vnode disk), or lofi (loopback file interface) is a pseudo-device that makes a file accessible as a block device. Before use, a loop device must be connected to an existing file in the filesystem. The association provides the user with an API that allows the file to be used in place of a block special file (cf. device file system). Thus, if the file contains an entire file system, the file may then be mounted as if it were a disk device.

Recovering Deleted Files
– Do this first in order to avoid having to perform all other steps twice.
– Open source solutions
– This open source tool enables us to take a forensic duplication and make it act like a real hard drive device under Linux.
– It is a modified version of the Linux kernel developed by NASA: ftp://ftp.hp.nasa.gov/pub/ig/ccd/enhanced_loopback
– Some distributions of Linux include this functionality in the Linux kernel by default.
– The kernel is altered so that you can associate a file (the forensic duplication, stored on the evidence drive) with a local loopback device such as /dev/loop0.

Open source solutions, slide 2
– When the forensic duplication is associated with a device, you can run tools on it such as fdisk, just as if the original suspect's drive were connected to your forensic workstation.
– After installation of the enhanced loopback kernel:
  » You will want to associate the duplication from JBR Bank (JBRWWW) with the /dev/loop0 device.
  » Make sure the forensic duplication is read-only so that it is not modified during our analysis. These steps are done with the following commands:
      evid]# chmod 500 JBRWWW.dd
      evid]# losetup /dev/loop0 JBRWWW.dd
  » losetup is used to associate loop devices with regular files or block devices.

Open source solutions, slide 3
– After association, we can treat the loop device as a normal hard drive. We can now run fdisk on the device to see what the partition table looks like:
      evid]# fdisk -l /dev/loop0
– We can then mount the partition with the following command:
      bin]# mount -r /dev/loop1 /mnt/part1
– Notice that we mounted loop1 instead of loop0. This is because, with the enhanced loopback kernel, each partition is associated with the next greater loop device: partition 1 is loop1, partition 2 is loop2, and so on.

Recovering deleted files
– The most used tool used to be The Coroner's Toolkit, and one of its limitations was that it recovers files only from Windows.
– The recommended tool is TASK, later renamed The Sleuth Kit, which contains all we will need to undelete. It provides several tools.

Tools associated with the Sleuth Kit
– fls provides a file listing. On Linux, for JBRWWW:
      fls -f ntfs /dev/loop1
– The -f switch tells fls which type of file system we are analyzing; in this case it is NTFS. The Sleuth Kit also supports FAT12, FAT16, FAT32, EXT2, EXT3, FreeBSD FFS, NetBSD FFS, OpenBSD FFS, and Solaris FFS.
– If we use the -r switch, we will see a recursive directory listing of the whole hard drive. Using the -p switch, we see the full path of every file listed rather than the pseudo-graphical directory structure.
– A deleted file whose inode is 0 (see p. 210) is not recoverable. Files whose inodes have been reallocated are not recoverable either.

Examine BRJDEV
– We associate the new image with the loopback device using the following commands:
      chmod 500 brjdev.dd
      losetup /dev/loop0 brjdev.dd
– We can then see the partition table for BRJDEV with the following command:
      fdisk -l /dev/loop0
– Once a deleted file is found and its inode has not been reallocated, we can reconstruct it with the icat tool included with the Sleuth Kit (p. 213).

Commercial Solutions
– Remember: with MOST commercial software, deleted files are recovered automatically. Both EnCase and FTK will recover files without user intervention.
– EnCase: The first step to recover deleted files is to load our evidence into EnCase. Although EnCase enables you to acquire a forensic duplication using its proprietary interface, it also imports raw disk images created with the dd command.

EnCase
– Open EnCase, create a case, and add your evidence.
– Add a raw image to the case: click on the case name and then choose File -> Add Raw Image. Add the evidence by changing the name of the evidence to JBRWWW and right-clicking on the empty white area in the middle of the menu. Add the dd image we acquired from the DVD.
– Next, if we click on any of the "home base" symbols, or sideways triangles, within the directory structures in the left pane of EnCase, we will see all the files in that directory and below.
– We traverse to the C:\winnt\system32\os2\dll directory on JBRWWW and examine that directory for any deleted files. EnCase does not detect the deleted information that the Sleuth Kit discovered.
– If we traverse to the home directory C:\ on JBRWWW, we see that EnCase detected a number of deleted files that the Sleuth Kit did not. See p.

Production of Time Stamps and Other Metadata for Files
– Metadata includes full file names, file sizes, MAC times, MD5 hashes, etc.
– Open Source Solutions: use GNU's find command. First create a file called metadata.txt with a title line, using the redirect (>). Then use the find command and append its output to that file. See the commands on p. 218.
– You can also use fls from the Sleuth Kit. fls gives us output we can parse into other programs such as a spreadsheet or database. Since we don't have the MD5 hashes in our output, we write a short Perl script to add MD5 hashes to the information we just collected. See p. 219 for the script.
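The metadata table described above, as an added shell example that is not the slide's p. 218 commands or its p. 219 Perl script: the header row is written with ">" and one record per file is appended, with the MD5 computed inline by md5sum instead of being added afterwards by Perl. It assumes GNU find (for -printf) and coreutils, and runs on a constructed sample tree rather than the JBRWWW image.

```shell
#!/bin/sh
# Added example, not the slide's p. 218 find commands or its p. 219 Perl script.
# Writes a header row with ">" and appends one tab-separated record per file with
# ">>", covering the metadata the slide lists: name, size, MAC times and MD5.
# Assumes GNU find (for -printf) and coreutils md5sum; MD5 is computed inline
# instead of being added later by a Perl script.
TAB=$(printf '\t')

collect_metadata() {
  root=$1   # mounted, read-only duplication, e.g. /mnt/part1
  out=$2    # report file, e.g. metadata.txt (keep it outside $root)
  printf 'md5\tsize_bytes\tmodified\taccessed\tchanged\tpath\n' > "$out"
  # %s = size in bytes; %T/%A/%C = modified/accessed/inode-changed time.
  # GNU find prints seconds with a fractional part. The path comes last so
  # that spaces inside it survive the tab-delimited read below.
  find "$root" -type f -printf \
    '%s\t%TY-%Tm-%Td %TH:%TM:%TS\t%AY-%Am-%Ad %AH:%AM:%AS\t%CY-%Cm-%Cd %CH:%CM:%CS\t%p\n' |
  while IFS=$TAB read -r size mtime atime ctime path; do
    md5=$(md5sum "$path" | cut -d ' ' -f 1)
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
      "$md5" "$size" "$mtime" "$atime" "$ctime" "$path" >> "$out"
  done
}

# Number of file records in a report (header excluded).
count_records() {
  tail -n +2 "$1" | wc -l | tr -d ' '
}

# Demo on a constructed tree (sample data, not evidence).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/winnt/system32/os2/dll"
printf 'abc' > "$demo_root/readme.txt"
printf 'MZ' > "$demo_root/winnt/system32/os2/dll/nc.exe"
demo_out=$(mktemp)
collect_metadata "$demo_root" "$demo_out"
cat "$demo_out"
rm -rf "$demo_root" "$demo_out"
```

The resulting file imports directly into a spreadsheet or database as a tab-separated table, which is the same use the slide describes for fls output.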

Commercial Solutions
– Production of metadata with EnCase v4 is a very simple task.
– We have everything we need in the Windows Explorer-like view in the right pane of EnCase.
– Before we can export the metadata, we must calculate the MD5 hashes of the files in the evidence.
– Although not intuitive, the function to calculate the MD5 hashes is under the "Search" button in the menu bar.
– At this point you want to select ONLY "Compute Hash Value" and no other options, and then click Start.
– After the hashes have been computed, view the files from one of the evidence sets. If you scroll to the right in the right pane, you will see a column named Hash Value, which contains the MD5 hashes we just computed.
– Now we are ready to export the file metadata!
– To export the metadata, select the home base in the left pane.
– In the right pane, right-click and choose Export. We will choose all the fields in the export submenu because we can delete them later if needed.
– After you have exported the file metadata, you can open the files and view the contents.
– We can now examine the file metadata for JBRWWW. First we suspect that the files in C:\winnt\system32\os2\dll were created by the attacker. If we examine the creation times of the relevant files, we see they were created at approximately 7:25PM on 10/01/2003.

Fig 9-7
– If we read from the bottom up in Figure 9-7, we see that first PSEXECSVC.exe was created on the system at approximately 6:58PM. This is the service that is created when a remote user executes PsExec, a remote control tool.
– We can assume that someone used PsExec, which requires valid administrator credentials, against our machine at that time.
– Next we see that nc.exe was created on the machine at approximately 7:24PM. nc.exe is the netcat tool.
– At 7:25PM, iroffer was transferred to the machine.
– At 7:48 and 7:52, update.exe was transferred to JBRWWW.
– Lastly, after 10PM, several components of iroffer were created, possibly from usage of the tool.

Removing Known Files
– Known files are files we already know, such as all the OS files. In Windows they are typically located in the C:\windows, C:\winnt, or C:\Program Files directories.
– A better way to ignore known files is to compare the MD5 hashes of every file in a forensic duplication with a known set of hashes and ignore any matches.
– We can create a known set of hashes for nearly any type of operating system, or use someone else's work, such as that found at

Open source solutions (p. 225)
– md5deep is a program that creates MD5 hashes recursively. You can then compare the existing (known) hashes with the hashes it creates and determine which files do not match.
– We can download NIST's NSRL distribution for operating systems and thereby eliminate all operating system files and other trusted files. The left-over files are the unknown files that warrant additional investigation.
– We can write a Perl script or other scripts to do this for many directories.
– Commercial solutions: EnCase.
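The known-file elimination from the two slides above, as an added shell example that is not from the slides and not the scripts they refer to: it hashes a tree recursively the way md5deep -r does, then drops every file whose MD5 appears in a known set. The known-set reader accepts bare hashes or rows in the legacy NSRL RDS NSRLFile.txt layout (quoted CSV with MD5 in the second column, an assumption about that format); the sample files and two-row list are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: hash a tree recursively (what md5deep -r
# does) and subtract every hash present in a known-file set such as a list
# derived from NIST's NSRL, leaving only the files that need investigation.
# Assumes coreutils md5sum and awk; the NSRL layout below is the legacy
# RDS NSRLFile.txt quoted CSV with MD5 in the second column (assumed).
export LC_ALL=C   # byte-order collation so sorted output is deterministic

# "md5  path" for every regular file under $1, sorted by hash.
hash_tree() {
  find "$1" -type f -exec md5sum {} + | sort
}

# Normalise a known-hash file to one lowercase MD5 per line, sorted, unique.
# Accepts bare hashes (first token per line) or NSRL rows ("SHA-1","MD5",...).
known_md5s() {
  awk '
    /^"SHA-1","MD5"/ { next }                                     # NSRL header row
    /^"/             { split($0, f, "\",\""); print tolower(f[2]); next }
    /^[0-9A-Fa-f]+/  { print tolower($1) }                        # bare hash line
  ' "$1" | sort -u
}

# Lines of hash_tree whose MD5 is NOT in the known set: the unknown files.
unknown_files() {
  root=$1; known=$2
  set_file=$(mktemp)
  known_md5s "$known" > "$set_file"
  hash_tree "$root" | awk -v K="$set_file" '
    BEGIN { while ((getline h < K) > 0) known[h] = 1 }
    !($1 in known)'
  rm -f "$set_file"
}

# Demo on constructed data (sample files and a two-row NSRL-style list).
demo_root=$(mktemp -d); demo_known=$(mktemp)
printf 'abc' > "$demo_root/trusted.dll"   # md5 900150983cd24fb0d6963f7d28e17f72
printf 'xyz' > "$demo_root/update.exe"    # not in the known set
printf '"SHA-1","MD5","CRC32","FileName"\n' > "$demo_known"
printf '"0","900150983CD24FB0D6963F7D28E17F72","0","trusted.dll"\n' >> "$demo_known"
echo "Unknown files under $demo_root:"
unknown_files "$demo_root" "$demo_known"
rm -rf "$demo_root" "$demo_known"
```

Pointing unknown_files at the mounted duplication and a hash set built from the same OS release leaves the short list the slide calls the unknown files that warrant additional investigation.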

File Signatures and Electronic Discovery
– Attackers may rename their files to a benign file name such as SCSI.EXE, and investigators may skip all known executable files. Forensic investigation programs will instead examine the contents of all files.
– Open source solutions: the Sleuth Kit and a Perl script. The magic file (/usr/share/magic) contains information about the headers and footers of several well-known types of files. We can use it together with Perl to determine the file signature of a file on your forensic workstation. The files created will contain "sigs" as part of the file name, indicating that they contain signature information.
– Commercial solutions: EnCase can determine file signatures.
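The extension-versus-signature check the slide describes, as an added shell example that is not from the slides: a small inline magic table stands in for /usr/share/magic and the Perl script, and a file is flagged when the type claimed by its extension disagrees with the type read from its first bytes (the renamed-SCSI.EXE case). It assumes only POSIX od, tr and find, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: compare what a file's extension claims
# with what its header bytes say, the check that catches a renamed tool such
# as SCSI.EXE. A small inline magic table stands in for /usr/share/magic and
# the slide's Perl script; assumes only POSIX od, tr and find.
# Hex of the first four bytes of a file, e.g. "4d5a9000".
sig_of() {
  od -An -tx1 -N 4 "$1" | tr -d ' \n'
}
# Type label from the header (these are the well-known magic values).
sig_type() {
  case "$(sig_of "$1")" in
    4d5a*)    echo exe ;;       # "MZ": DOS/PE executable (.exe, .dll, .sys)
    89504e47) echo png ;;
    25504446) echo pdf ;;       # "%PDF"
    504b0304) echo zip ;;       # also docx/xlsx/jar
    ffd8ff*)  echo jpg ;;
    47494638) echo gif ;;
    *)        echo unknown ;;
  esac
}
# Type label claimed by the extension, on the same labels as sig_type.
ext_type() {
  ext=$(printf '%s' "${1##*.}" | tr 'A-Z' 'a-z')
  case "$ext" in
    exe|dll|sys|scr)     echo exe ;;
    jpeg)                echo jpg ;;
    png|pdf|zip|gif|jpg) echo "$ext" ;;
    *)                   echo other ;;
  esac
}
# Print a MISMATCH line and return 1 when extension and signature disagree
# (an unknown extension with an unknown signature is not a mismatch).
check_file() {
  e=$(ext_type "$1"); s=$(sig_type "$1")
  if [ "$e" != "$s" ] && { [ "$e" != other ] || [ "$s" != unknown ]; }; then
    printf 'MISMATCH\t%s\text=%s\tsig=%s\n' "$1" "$e" "$s"; return 1
  fi
}
# Walk a tree and report every mismatch (demo below uses constructed files).
scan_tree() { find "$1" -type f | while IFS= read -r f; do check_file "$f" || :; done; }

demo=$(mktemp -d)
printf 'not really a driver\n' > "$demo/SCSI.EXE"    # text posing as an executable
printf '\115\132\220\003' > "$demo/cmd.exe"           # genuine MZ header
printf '\115\132\220\003' > "$demo/report.txt"        # executable posing as text
printf '\211PNG\r\n\032\n' > "$demo/logo.png"         # genuine PNG header
scan_tree "$demo"; rm -rf "$demo"
```

Both directions are reported: a non-executable header behind an .exe name and an MZ header behind a document name, since either is worth a look before known-extension filtering discards it.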

String Searching and File Fragments
– Conduct a search across the whole hard drive to detect files or file fragments that contain the information you are looking for.
– Open source solutions: first extract all strings from the binary data in the evidence file using the strings command under Unix (p. 238, bottom). Now we can search the resulting strings file for matches with the grep command.
– Commercial: EnCase.