UTD CSG Module 0x01: Forensics
Kevin ‘Hexstr Morgan’ Dickinson, Josh ‘HoboBeard’ Hammond, Christ ‘PossibleSloth’ Walz




Week 0x01: Intro

• What it be
• How it’s used
• Concepts and terminology
• Demonstration: Acquiring evidence
• File system basics
• Popular tools
• Demonstration: EnCase 6 and FTK 4 overview
• Important resources


Week 0x02: In-Depth

• File carving and data recovery
• Application artifacts
  • Web browsers, Dropbox
• Windows forensics
  • Registry, prefetch, hiberfil/pagefile, VSS, LNK files, USB activity, shellbags, thumbs.db
• Mobile forensics
  • SQLite DBs, user dictionary, vulnerabilities


Week 0x02: In-Depth

• Investigative techniques
  • Activity timeline, keyword searches, hash matching, skintone analysis
• Physical memory
  • Encryption keys, system activity (processes, network connections), etc.
• Anti-forensics
  • Encryption, steganography, timestamp manipulation
• Anti-anti-forensics
  • Breaking encryption, password cracking, timestamp manipulation detection


Week 0x03: Examination


Week 0x01: Intro


What is computer forensics?
• “(…) a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime”
• Defensibility is key – best practices, documentation, etc.
• Largely community driven, lots of research and hard work by many smart people
• Described as both “an art and a science” – SANS Institute

Intro


Intro

Law enforcement
• Criminal investigations (murder, fraud, etc.)

Litigation
• Civil lawsuits
• IP theft, subpoenas

Corporate
• Internal investigations
• Incident response (network intrusions)


Intro

How is it relevant?
• We store an incredible, increasing amount of data on our day-to-day devices

Examples
• Sued after being involved in a car accident - texting and driving?
• Employee leaves company, suspected of copying off sensitive documents on last day of work
• Corporate network gets compromised - what sensitive resources might have been accessed, by whom?
• Person accused of “unlawful access to a computer resource”, warrant issued, digital devices seized for analysis
• General purpose creepin’


Intro

• Challenges
  • Requires broad knowledge base, many different skills, highly detail oriented
  • Fast paced, constantly changing – new artifacts and roadblocks all the time
  • New releases every few weeks/months – OSes, applications, hardware (eg: phones)
  • Commercial products are often slow to respond to changes (eg: ReFS)
  • Reversing, writing new code, testing testing testing…
  • Server-side (cloud) computing – physically inaccessible, complex topologies
• Skills and Specialities
  • Reverse engineering
  • Incident response
  • Memory analysis


Terminology

• What it means to be ‘forensically sound’
  • Difficult to define as it is situational and discretionary
  • Ideally speaking, an exact 1:1 unaltered representation of an original data source
• Physical data – bitstream representation of a device’s entire contents (including unallocated space)
  • eg: /dev/sda or \\.\PhysicalDrive0
  • Considered the most ‘forensically sound’ but not always possible
• Logical data – a specific ‘logical’ subset of data such as a partition or volume
  • eg: /dev/sda1 or \Device\Harddisk0\Partition0


Metadata

• Conceptually broad – basically ‘data about data’
• Used in file systems to provide file info independently of files
  • MAC (Modified/Accessed/Created times), ownership info, etc.
• Various file formats use specific metadata
  • OLE – MS Office
  • ID3v1/2 – Audio
  • EXIF data - Images
• Used to convict the BTK Killer


Disk Concepts

• Sector
  • Smallest physically addressable unit on a storage device (LBA)
  • 512 bytes most common, 4K becoming popular
• Block
  • See above (they are essentially the same thing)
• Cluster
  • NTFS-specific term for a group of sectors
  • Smallest logically addressable unit on a storage device
  • Known as block group in EXT2/3/4, allocation blocks in HFS(+)
  • 4096 bytes default in NTFS, HFS+, EXT3/4 (8 contiguous 512B sectors)
  • Important concept as it relates to data carving


Disk Concepts


Disk Concepts

• Unallocated space
  • VERY important - basis for much of forensics
  • Areas of a storage device not currently assigned to file(s) by the file system
  • Likely contains unspeakable things you thought were gone
  • Captured during physical imaging (but not logical)
• Slack space
  • Leftover space between the end of a data stream and the end of a cluster


Disk Concepts

• Slack space (continued)
  • Can be used to hide data on disk (not well)
  • Popular capable forensic suites will look for this
  • “FUN FACT”: Microsoft used to ‘fill in’ space on disk between the end of a file and end of a cluster by writing random areas from memory – REALLY BAD, THIS IS SO BAD
• Hidden areas
  • Host Protected Area (ATA-4) – ‘SET MAX ADDRESS’ ATA command
  • Device Configuration Overlay (ATA-6) – adjusts number of sectors visible to the machine at a low level


Cryptographic Hashes

• Hashes
  • Described as (mostly) unique ‘digital fingerprint’
  • Important basis for much of forensics
  • One-way function
  • Used to uniquely match individual files, evaluate integrity of evidence (disk images), etc.
  • MD5/SHA1/SHA256 - most common
  • hexstr@here /#: md5sum -b /tmp/disk0.001


Cryptographic Hashes

• Hash Sets
  • Lists of known hashes for system files, popular programs, etc.
  • Similar to a rainbow table – reverse lookup
  • Largest repository maintained by NIST (http://www.nsrl.nist.gov/Downloads.htm)
  • Extremely useful for filtering out irrelevant data or quickly identifying known files
  • Law enforcement agencies will use privately maintained hash sets for easily identifying contraband files (eg: child pornography)
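The two hash slides above (integrity of an evidence image, and filtering files against a hash set) in working form. This is an added example, not code from the slides or from any of the tools they mention: the hash set uses a constructed, simplified "sha1,md5,filename" layout rather than NIST's real NSRL file format, and the sample files are created in a temporary directory. Digests are computed in 1 MiB chunks so a multi-gigabyte image never has to fit in memory.

```python
"""Hash an evidence image in chunks and triage files against a hash set.

Added example, not from the original slides. The hash-set text below is a
constructed, simplified CSV (sha1,md5,filename), not NIST's NSRL layout; the
sample files are constructed in a temp directory.
"""
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # 1 MiB reads: a 500 GB image streams through without loading into RAM


def hash_file(path, algos=("md5", "sha1", "sha256")):
    """Return {algo: hexdigest} for a file, computing every digest in one pass over the data."""
    hashers = {name: hashlib.new(name) for name in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected):
    """Compare an image against the digests recorded at acquisition time.

    `expected` maps algo -> hex digest (e.g. the md5sum output saved alongside
    the image). Returns True only if every recorded digest still matches.
    """
    actual = hash_file(path, tuple(expected))
    return all(actual[a] == expected[a].lower() for a in expected)


def load_hashset(text):
    """Parse the constructed 'sha1,md5,filename' lines into a set of SHA-1 digests."""
    known = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sha1, _md5, _name = line.split(",", 2)
        known.add(sha1.lower())
    return known


def triage(paths, known_sha1):
    """Split files into (known, unknown): known ones are filtered out, unknown ones need review."""
    known, unknown = [], []
    for p in paths:
        (known if hash_file(p, ("sha1",))["sha1"] in known_sha1 else unknown).append(p)
    return known, unknown


def make_demo_dir():
    """Constructed sample: three files in a temp dir, one of them listed in the hash set.

    Returns {filename: full path}.
    """
    d = tempfile.mkdtemp(prefix="hashdemo_")
    files = {"notepad.exe": b"abc", "secret.doc": b"contract draft", "empty.txt": b""}
    paths = {}
    for name, data in files.items():
        paths[name] = os.path.join(d, name)
        with open(paths[name], "wb") as fh:
            fh.write(data)
    return paths


# Constructed hash set: the well-known SHA-1/MD5 of b"abc", listed as a known-good program.
DEMO_HASHSET = """# sha1,md5,filename
a9993e364706816aba3e25717850c26c9cd0d89d,900150983cd24fb0d6963f7d28e17f72,notepad.exe
"""

if __name__ == "__main__":
    paths = make_demo_dir()
    known, unknown = triage(sorted(paths.values()), load_hashset(DEMO_HASHSET))
    print("known  :", [os.path.basename(p) for p in known])
    print("unknown:", [os.path.basename(p) for p in unknown])
    image = paths["secret.doc"]
    recorded = hash_file(image)            # what md5sum/sha1sum would have recorded at imaging time
    print("verify :", verify_image(image, recorded))
```

Hashing all algorithms in a single pass matters in practice: reading a large image three times to get MD5, SHA-1 and SHA-256 separately is the slow part, not the arithmetic. `verify_image` is the check to run every time an image is copied or before it is presented, and a single mismatching digest is enough to reject it.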


Forensic Imaging

• Imaging
  • Duplicating some data source (eg: hard disk, memory, etc.) for post-mortem review, almost always first step in an investigation
  • Critical to utilize writeblocking to prevent changes to evidence
  • Used to be disk-to-disk (cloning) - many issues with this (sterility)
  • Resulting evidence image often encapsulated as a binary file
  • Two popular formats - .001 (DD style) or .E01 (EnCase)
    • DD output is a raw binary file
    • E01 has internal checksums, self-validating, compressible


Forensic Imaging

• Writeblocking
  • Maintains integrity of a data source by preventing changes to source media
  • Absolutely critical as a best practice
  • Numerous hardware and software based methods available
  • Not always possible (live servers, encryption, etc.)


Forensic Imaging

• Hardware Writeblockers
  • Tableau TD1/2/3 (duplicator)
  • SATA, IDE, USB, 1394, SCSI, etc.
  • Cache (simulate) disk writes or simply ignore write requests to device
• Software Writeblockers
  • Linux Live CDs (Helix, Backtrack, etc.)
  • Prevent drives from mounting, no disk integrity checks
  • USB via Windows Registry (http://www.gaijin.at/en/dlusbwp.php)


Forensic Imaging

• Software Imagers
  • AccessData FTK Imager – Windows, OSX, Linux http://www.accessdata.com/support/product-downloads
  • DD, DCFLDD, DDRescue…
• What is an image
  • hexstr@here /#: dd if=/dev/sda of=/tmp/disk0.001 bs=512
• What is not an image
  • Symantec Ghost (alters timestamps)
• Other uses
  • General purpose backups – mount, restore, etc.


Demo: Acquiring Evidence


File System: FAT

• Two copies of FAT stored for redundancy
• Divided into equal-sized clusters (previous slide)
• Simple: files stored as a singly linked list of clusters
• Table entry marked as one of following (FAT16 shown):
  • Allocated (value is the next cluster in the chain)
  • End of chain marker (0xFFF8 - 0xFFFF)
  • Unused (0x0000)
  • Bad cluster (0xFFF7)
• Source: http://www.forensicswiki.org/wiki/FAT#FATs


File System: FAT

Directory table
• Special kind of file
• Each file/subdir listed as 32-byte entry
• Contains name, extension, attribute
• Last modified time, address of first cluster, size
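The two FAT slides above (the table's four entry kinds, and the 32-byte directory entry) as one runnable piece. This is an added example, not code from the slides: it decodes a constructed directory entry with the real FAT16 field layout, then follows the first-cluster pointer through a constructed FAT, classifying how the chain ends. A deleted entry is decoded too, because FAT only overwrites the first name byte with 0xE5 and leaves the first cluster and size in place, which is what makes simple undelete possible.

```python
"""Parse a FAT16 directory entry and walk its cluster chain through the FAT.

Added example, not from the original slides. The FAT and the directory
entries below are constructed in memory; the byte layouts follow FAT16.
"""
import struct

# 32-byte directory entry: name, ext, attr, NT reserved, ctime tenths, ctime,
# cdate, adate, first-cluster high word (FAT32 only), wtime, wdate,
# first-cluster low word, size.
DIR_ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")
ATTR_DIRECTORY = 0x10
DELETED_MARKER = 0xE5          # first name byte of a deleted entry; everything else survives


def dos_datetime(date, time):
    """Decode packed DOS date/time (2-second resolution) into an ISO-like string."""
    year = 1980 + (date >> 9)
    month, day = (date >> 5) & 0xF, date & 0x1F
    hour, minute, sec = time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2
    return f"{year:04d}-{month:02d}-{day:02d} {hour:02d}:{minute:02d}:{sec:02d}"


def parse_dir_entry(raw):
    """Return a dict for one 32-byte entry; deleted entries are flagged, not skipped."""
    (name, ext, attr, _nt, _cten, _ctime, _cdate, _adate,
     clus_hi, wtime, wdate, clus_lo, size) = DIR_ENTRY.unpack(raw)
    return {
        "name": name.decode("ascii", "replace").rstrip(),
        "ext": ext.decode("ascii", "replace").rstrip(),
        "is_dir": bool(attr & ATTR_DIRECTORY),
        "deleted": name[0] == DELETED_MARKER,
        "modified": dos_datetime(wdate, wtime),
        "first_cluster": (clus_hi << 16) | clus_lo,   # high word is zero on FAT16
        "size": size,
    }


def walk_chain(fat, first_cluster):
    """Follow FAT16 entries from first_cluster; returns (clusters, status).

    status: 'eoc' for a clean end-of-chain marker, 'bad' when the chain runs
    into a cluster marked bad (that cluster is the last one listed),
    'unallocated' when it hits a free entry (typical after deletion zeroes
    the chain), or 'loop' when a cycle is detected.
    """
    clusters, seen, cur = [], set(), first_cluster
    while True:
        if cur in seen:
            return clusters, "loop"
        seen.add(cur)
        clusters.append(cur)
        nxt = fat[cur]
        if nxt >= 0xFFF8:
            return clusters, "eoc"
        if nxt == 0xFFF7:
            return clusters, "bad"
        if nxt == 0x0000:
            return clusters, "unallocated"
        cur = nxt


def expected_clusters(size, cluster_size=4096):
    """Clusters a file of `size` bytes needs; compare with len(chain) to spot a truncated chain."""
    return -(-size // cluster_size)


def load_fat16(raw):
    """Decode a raw FAT region into a list of 16-bit little-endian entries."""
    return list(struct.unpack("<%dH" % (len(raw) // 2), raw))


# Constructed FAT, 16 entries; entries 0 and 1 are reserved (media byte + EOC).
# Chain 2->3->4->EOC; 7->8 where 8 is marked bad; 9<->10 is a corrupt loop; 5 is free.
DEMO_FAT = load_fat16(struct.pack("<16H", 0xFFF8, 0xFFFF, 3, 4, 0xFFFF, 0, 0, 8, 0xFFF7,
                                  10, 9, 0, 0, 0, 0, 0))

# Constructed entry: REPORT.TXT, 9000 bytes, modified 2013-01-15 14:30:00, first cluster 2.
DEMO_ENTRY = DIR_ENTRY.pack(b"REPORT  ", b"TXT", 0x20, 0, 0, 0, 0, 0, 0,
                            0x73C0, 0x422F, 2, 9000)
# The same entry after deletion: only the first name byte changes.
DEMO_DELETED_ENTRY = bytes([DELETED_MARKER]) + DEMO_ENTRY[1:]

if __name__ == "__main__":
    for raw in (DEMO_ENTRY, DEMO_DELETED_ENTRY):
        e = parse_dir_entry(raw)
        chain, status = walk_chain(DEMO_FAT, e["first_cluster"])
        print(e, "->", chain, status,
              "(expected %d clusters)" % expected_clusters(e["size"]))
```

The `expected_clusters` comparison is the practitioner's check: a 9000-byte file on 4 KiB clusters must have a 3-cluster chain, so a chain that ends early with 'unallocated' or 'bad' tells you how much of the file can still be recovered in place and how much has to come from carving.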


File System: EXT

• Inodes
  • Files associated with an inode number
  • Stores metadata on files and directories
  • Two types of inodes
    • Direct – fixed number, stored in file system portion
    • Indirect – flexible number, stored in data portion
    • Chains like FAT: Doubly indirect, triply indirect…
• Tip: ‘ls -i’ shows inode numbers
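The direct/indirect pointer chain described above, resolved in code. This is an added example, not from the slides: the block device and the inode's pointer array are constructed in memory, using the classic ext2 layout of 12 direct pointers followed by one single-, one double- and one triple-indirect pointer, with 32-bit little-endian block numbers. The block size of 1 KiB is chosen only to keep the demo small.

```python
"""Resolve an ext2/3-style inode's block pointers (direct, single and double indirect).

Added example, not from the original slides. The device, inode pointer array
and data are constructed in memory; the 12+1+1+1 pointer layout and 32-bit
block numbers follow ext2.
"""
import struct

BLOCK_SIZE = 1024                   # constructed: 1 KiB keeps the demo small
PTRS_PER_BLOCK = BLOCK_SIZE // 4    # 256 block numbers fit in one pointer block
N_DIRECT = 12


def read_block(device, block_no):
    return device[block_no * BLOCK_SIZE:(block_no + 1) * BLOCK_SIZE]


def pointers_in(device, block_no):
    """Decode a pointer block into block numbers, dropping unused (zero) slots."""
    raw = read_block(device, block_no)
    return [p for p in struct.unpack("<%dI" % PTRS_PER_BLOCK, raw) if p]


def resolve_blocks(device, i_block):
    """Return the ordered data blocks for a 15-entry i_block array.

    Entries 0-11 are data blocks (level 0). Entry 12 points to a block of
    pointers (level 1), entry 13 to a block of pointers to pointer blocks
    (level 2), entry 14 adds one more level: the chain the slide describes.
    """
    def follow(ptr, level):
        if ptr == 0:
            return []                       # unused pointer, file ends before here
        if level == 0:
            return [ptr]
        out = []
        for child in pointers_in(device, ptr):
            out.extend(follow(child, level - 1))
        return out

    blocks = []
    for idx, ptr in enumerate(i_block):
        level = 0 if idx < N_DIRECT else idx - N_DIRECT + 1   # 12 -> 1, 13 -> 2, 14 -> 3
        blocks.extend(follow(ptr, level))
    return blocks


def read_file(device, i_block, size):
    """Concatenate the resolved blocks and trim to the inode's recorded size."""
    data = b"".join(read_block(device, b) for b in resolve_blocks(device, i_block))
    return data[:size]


def build_demo_device():
    """Constructed device: one 13412-byte file spread over 14 blocks.

    Blocks 20-31 are reached directly, block 32 through the single-indirect
    block 10, block 33 through double-indirect block 11 -> block 12.
    Returns (device, i_block, size).
    """
    dev = bytearray(40 * BLOCK_SIZE)
    data_blocks = list(range(20, 34))
    for i, b in enumerate(data_blocks):                  # block i is filled with 'A'+i
        dev[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = bytes([0x41 + i]) * BLOCK_SIZE
    dev[10 * BLOCK_SIZE:10 * BLOCK_SIZE + 4] = struct.pack("<I", 32)   # single indirect
    dev[11 * BLOCK_SIZE:11 * BLOCK_SIZE + 4] = struct.pack("<I", 12)   # double indirect ...
    dev[12 * BLOCK_SIZE:12 * BLOCK_SIZE + 4] = struct.pack("<I", 33)   # ... -> single indirect
    i_block = data_blocks[:N_DIRECT] + [10, 11, 0]       # triple-indirect slot unused
    size = 13 * BLOCK_SIZE + 100                          # last block only partly used
    return dev, i_block, size


if __name__ == "__main__":
    dev, i_block, size = build_demo_device()
    print("data blocks:", resolve_blocks(dev, i_block))
    data = read_file(dev, i_block, size)
    print("first byte %r, byte at 12 KiB %r, last byte %r, length %d"
          % (data[:1], data[12 * BLOCK_SIZE:12 * BLOCK_SIZE + 1], data[-1:], len(data)))
```

Note where the pointer blocks live: 10, 11 and 12 are ordinary data-area blocks that hold nothing but block numbers, which is the "flexible number, stored in data portion" point on the slide; the 12 direct pointers sit inside the inode itself.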


File System: EXT


File System: Journaling

• Keeps track of changes to be made in a circular log
• On crash, system reads journal and makes changes to regain consistent state
• All entries are checksummed, if they don’t match - don’t replay
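The three journaling bullets above as a small replay routine. This is an added example, not from the slides or from any real file system: the journal layout (fixed 64-byte slots carrying a sequence number, target block, payload length and a CRC32 of the payload) is constructed for illustration and is not jbd2's on-disk format. It shows why a circular log must be replayed in sequence order rather than slot order, and applies the slide's rule that an entry whose checksum does not match is not replayed.

```python
"""Replay a checksummed circular journal, skipping entries whose checksum fails.

Added example, not from the original slides. The slot layout and CRC32
checksum are constructed for illustration, not the ext3/ext4 jbd2 format.
"""
import struct
import zlib

SLOT_SIZE = 64
HDR = struct.Struct("<IIHI")      # seq, target block number, payload length, crc32(payload)
PAYLOAD_MAX = SLOT_SIZE - HDR.size
BLOCK = 16                         # constructed: tiny disk blocks keep the demo readable


def make_entry(seq, block_no, payload):
    """Build one journal slot; seq must be non-zero (0 marks an empty slot)."""
    assert 0 < len(payload) <= PAYLOAD_MAX and seq != 0
    slot = HDR.pack(seq, block_no, len(payload), zlib.crc32(payload)) + payload
    return slot.ljust(SLOT_SIZE, b"\0")


def parse_journal(journal):
    """Yield (seq, block_no, payload, checksum_ok) for every used slot, in slot order."""
    for off in range(0, len(journal), SLOT_SIZE):
        seq, block_no, length, crc = HDR.unpack_from(journal, off)
        if seq == 0:
            continue
        payload = bytes(journal[off + HDR.size: off + HDR.size + length])
        yield seq, block_no, payload, zlib.crc32(payload) == crc


def replay(journal, disk):
    """Apply journal entries to `disk` (a bytearray of BLOCK-sized blocks).

    The log is circular, so slot order is not time order: sort by seq so a
    later write to the same block wins. Entries whose checksum does not match
    are reported in `skipped` and left unapplied. Returns (applied, skipped).
    """
    entries = sorted(parse_journal(journal), key=lambda e: e[0])
    applied, skipped = [], []
    for seq, block_no, payload, ok in entries:
        if not ok:
            skipped.append(seq)
            continue
        disk[block_no * BLOCK: block_no * BLOCK + len(payload)] = payload
        applied.append(seq)
    return applied, skipped


def build_demo():
    """Constructed 4-slot journal that has wrapped: seq 5-6 occupy slots 0-1, seq 3-4 slots 2-3.

    One byte of seq 6's payload is flipped to simulate a torn write at crash time.
    Returns (journal, disk) with a blank 4-block disk.
    """
    slots = [
        make_entry(5, 1, b"fifth write....."),
        make_entry(6, 2, b"sixth write....."),
        make_entry(3, 0, b"third write....."),
        make_entry(4, 1, b"fourth write...."),
    ]
    journal = bytearray(b"".join(slots))
    journal[SLOT_SIZE + HDR.size] ^= 0xFF          # corrupt first payload byte of slot 1 (seq 6)
    disk = bytearray(b"." * (BLOCK * 4))
    return journal, disk


if __name__ == "__main__":
    journal, disk = build_demo()
    applied, skipped = replay(journal, disk)
    print("applied:", applied, "skipped:", skipped)
    for i in range(4):
        print("block", i, bytes(disk[i * BLOCK:(i + 1) * BLOCK]))
```

Sequence 5 lands on block 1 after sequence 4 did, so block 1 ends up with the later write even though its slot sits earlier in the log; sequence 6 is dropped because its checksum fails, and block 2 stays untouched rather than receiving a half-written payload.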


File Carving

• Basic file carving
  • Typically uses predictable file headers/signatures to independently identify files without the use of other (file system) information
  • Cornerstone of forensics - restore deleted files
  • Generally limited to contiguous clusters, cannot find data fragmented across a disk unless the format is predictable (eg: SQLite)
• Advanced file carving
  • Interesting research being done on this
  • Based on very complex statistics to predict likely file chains
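Basic header/footer carving as described above, and the slack-space idea from the Disk Concepts slides, in one runnable piece. This is an added example, not code from the slides or from Scalpel: the raw image is constructed in memory, the JPEG and PNG header/footer bytes are the real signatures, and the scan only looks at cluster-aligned offsets because a file's first cluster always starts on a cluster boundary. For every carved file it also returns the bytes between the footer and the end of the file's last cluster, which is exactly the slack that older, deleted content can survive in. A header with no footer in range is reported as incomplete, which is how a fragmented or truncated file shows up under contiguous-only carving.

```python
"""Header/footer file carving over a raw image, with per-file slack reporting.

Added example, not from the original slides. The image, cluster size and the
'old' data lingering in slack are constructed; the signatures are the real
JPEG and PNG header/footer bytes. Contiguous-only, like basic carvers.
"""
CLUSTER = 512
MAX_FILE_LEN = 64 * 1024           # bound the footer search, as carver configs do

# (header, footer) pairs keyed by the extension to give carved output.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image, cluster=CLUSTER):
    """Scan cluster-aligned offsets for known headers and carve to the matching footer.

    Returns a list of dicts with kind, offset, data (b'' when no footer was
    found), a complete flag, and slack: the bytes from the footer to the end
    of the last cluster the file occupies.
    """
    found = []
    for off in range(0, len(image), cluster):
        for kind, (hdr, ftr) in SIGNATURES.items():
            if not image.startswith(hdr, off):
                continue
            end = image.find(ftr, off + len(hdr), off + MAX_FILE_LEN)
            if end == -1:
                found.append({"kind": kind, "offset": off, "data": b"",
                              "complete": False, "slack": b""})
                continue
            end += len(ftr)
            n_clusters = -(-(end - off) // cluster)          # ceil division
            last_cluster_end = off + n_clusters * cluster
            found.append({"kind": kind, "offset": off, "data": image[off:end],
                          "complete": True, "slack": image[end:last_cluster_end]})
    return found


def build_demo_image():
    """Constructed 10-cluster image: an old text file's content everywhere newer files did not overwrite.

    Cluster 2 holds a 116-byte PNG, clusters 5-6 a 705-byte JPEG, cluster 8 a
    JPEG header whose body and footer are not contiguous (nothing to carve).
    """
    old = b"OLD_DELETED_FILE_CONTENT_"
    img = bytearray((old * (10 * CLUSTER // len(old) + 1))[:10 * CLUSTER])
    png = SIGNATURES["png"][0] + b"\0" * 100 + SIGNATURES["png"][1]
    img[2 * CLUSTER:2 * CLUSTER + len(png)] = png
    jpg = SIGNATURES["jpg"][0] + b"\x11" * 700 + SIGNATURES["jpg"][1]
    img[5 * CLUSTER:5 * CLUSTER + len(jpg)] = jpg
    img[8 * CLUSTER:8 * CLUSTER + 3] = SIGNATURES["jpg"][0]
    return bytes(img)


if __name__ == "__main__":
    for f in carve(build_demo_image()):
        print("%s at offset %d: %s, %d bytes, %d bytes slack"
              % (f["kind"], f["offset"], "complete" if f["complete"] else "INCOMPLETE",
                 len(f["data"]), len(f["slack"])))
        if f["slack"]:
            print("   slack starts with:", f["slack"][:40])
```

The PNG occupies one 512-byte cluster but is only 116 bytes long, so 396 bytes of the deleted text file are still readable in its slack; the JPEG spans two clusters and leaves 319 bytes. Neither the file system nor the carved file itself points at that residue, which is why suites search slack separately from carving.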


Forensic Suites

• Guidance Software EnCase
  • Industry standard, highly extensible
• AccessData Forensic Toolkit (FTK)
• Cellebrite UFED
• Open source
  • Scalpel – file carving
  • Volatility – powerful memory analysis


Demo: EnCase 6 and FTK 4