Little more on Frag_Find

May 18th, 2010

Since I’m really fond of this tool, I wanted to see what other uses it could have.

1: Documents that have been altered could be found. This could be totally useful if the suspect system has taken a Word document, spreadsheet, etc. and has added/deleted some parts of the document. If the analyst has the unaltered document, one could still run Frag_Find against it. Since Frag_Find reports its results as a percentage of matched sectors, a high percentage of the altered document’s sectors should still match the unaltered original.

Conclusion: this worked flawlessly. I took an old-school .doc file that was about 4 pages in length, deleted a paragraph, and added a few random words here and there. I also embedded an image. Frag_Find was able to produce about a 65% match. What does this mean in a forensic sense? Well, a suspect could modify a stolen document, and Frag_Find will still be able to find this document even in its modified state.

2: Embedded content in documents should also be capable of being found.

Conclusion: this didn’t work the way I had hoped. As said, I embedded a JPG image in the above document and ran Frag_Find with the JPG as the target file. I had a 0% success rate. This is unfortunate.

3: Scanning formatted media should also be possible. You could take a FAT32 USB drive that was reformatted, scan it with Frag_Find, and it “should” trace out all the sectors in allocated or unallocated space. Really useful if you intend to carve out data. Finding info on a formatted drive is MORE difficult than finding a file that has merely been removed from the allocation table.

Conclusion: worked flawlessly. I took a multi-partition (and multi-filesystem) disk, added a few files across the partitions, and then cleaned the disk. In the image that I created, Frag_Find found every file on each partition at 100%. Hence, even raw or formatted partitions are workable with Frag_Find.

Messing with Google Gears

May 8th, 2010

Prior to my LFNW presentation, I found a nifty utility that parsed Google’s offline mail application. I tried to reuse it just a few hours prior to the presentation and it stopped working :( It worked twice for me, but now it doesn’t.

Quick hack time, which was awesome! Since my big rule is to extract the Firefox profile during imaging (and hash the files to make sure they are still the same as the suspect’s content), this also copies the Google Gears directory as well. I’ve written about importing Firefox profiles, and this is exactly the same with just a few extra steps:
1: create a Gmail account on a dummy workstation, not your forensic station!
2: allow offline mail and install Google Gears
3: disconnect from the internet so that it’s untainted by Gmail syncing
4: delete your Gears profile and replace it with the suspect’s Gears profile
5: open up the offline email (no password is required for this!)

While not a 100% sound forensic method, this works great for viewing email from offline Gmail. While it’s still fine to read the email from the SQLite database (which Autopsy parses nicely), this is more legible, and gives some more personalization of the event if displaying to courts or lawyers. I really want a thumbs up from the forensics community to see if there is validity in this procedure.

Frag_Find is one awesome tool

April 29th, 2010

I came across some documents from the Advanced Forensic Format (http://afflib.org) organization the other day, so I went and checked out the AFF site. What I really found to be the coolest thing ever was, in the Bloom package, a sector-based hash utility called Frag_Find. Super simple to use, if you are semi-adept at the command line, and super powerful.
Here’s a scenario:
You have a dd image of a suspect drive, and that drive had a file on it that you need to find. Clusters could have been partially reallocated and reused, but something like 50% of the file still exists somewhere in unallocated space.
You also have that original file.
Run Frag_Find with the original file against the dd image. (An awesome switch to use is -xresults.xml, which will output results to a results.xml file, great for adding to HTML reports.)
Go get a beer/coffee/nap…. Depending on the size of the original file, this could take a lot of time and computer resources.

Think of the awesome possibilities here! Partial files can now be located. Linux globbing also works, so you could push multiple files to Frag_Find at once. One MAJOR issue to be aware of is that big target files will eat memory up. I ran a 1Gb target file against a 4 GB dd image on an 8-CPU i7 with 6Gb of memory. I used all memory up and 50% of swap. My older machine crapped out (Turion64×2 w/2Gb mem) on the 1Gb target, but smaller files ran fine on it.

I’ve had some issues, such as compiling for x86, switch bugs, etc. Still, this is in my top 10 must-have tools. I’ve asked the DEFT team to include it in v6, which will be out in late 2010 or early 2011.

Come back later, and Frag_Find will locate what residual elements of the file remain on the suspect image.
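As an added example (not Frag_Find’s own code, nor anything from the AFF project), here is the sector-hash matching that the scenario above and the altered-document and formatted-media tests both rely on, in Python. The target file is hashed in 512-byte sectors (an assumption; Frag_Find’s real block size and hash may differ), every sector-aligned block of the image is looked up against those hashes, and the result is the percentage of the target that survives and where. Constant-byte sectors are skipped, since a run of zeros in the target would match every blank sector of the image; the document and image data are constructed for the demo.

```python
import hashlib

SECTOR = 512  # assumed sector size; Frag_Find's own block size may differ

def sector_hashes(data, size=SECTOR):
    """Hash each sector of data; the last, short sector is zero-padded."""
    return [hashlib.md5(data[i:i + size].ljust(size, b"\0")).hexdigest()
            for i in range(0, len(data), size)]

def find_fragments(target, image, size=SECTOR):
    """Find sector-aligned copies of target's sectors inside image.

    Returns (percent of usable target sectors found, {target sector: [offsets]}).
    Sectors made of one repeated byte (e.g. all zeros) are not counted, since
    they would match every blank sector of the image and inflate the score.
    """
    wanted, usable = {}, 0          # sector hash -> indices in target
    for idx, h in enumerate(sector_hashes(target, size)):
        if len(set(target[idx * size:(idx + 1) * size])) <= 1:
            continue
        usable += 1
        wanted.setdefault(h, []).append(idx)
    hits = {}                       # target sector index -> image byte offsets
    for off in range(0, len(image) - size + 1, size):
        for idx in wanted.get(hashlib.md5(image[off:off + size]).hexdigest(), ()):
            hits.setdefault(idx, []).append(off)
    return (100.0 * len(hits) / usable if usable else 0.0), hits

def _fake_sector(n):
    """Constructed, deterministic sector content standing in for real file data."""
    return (hashlib.sha256(b"sector%d" % n).digest() * 16)[:SECTOR]

# Constructed demo: an 8-sector "document" whose sector 4 was later overwritten,
# with the surviving fragments scattered across an otherwise blank 64-sector image.
DOC = b"".join(_fake_sector(n) for n in range(8))
_img = bytearray(64 * SECTOR)
_img[10 * SECTOR:14 * SECTOR] = DOC[:4 * SECTOR]            # sectors 0-3 contiguous
_img[40 * SECTOR:43 * SECTOR] = DOC[5 * SECTOR:8 * SECTOR]   # sectors 5-7 elsewhere
IMAGE = bytes(_img)

def demo():
    """Run the original document against the image; expect 7 of 8 sectors (87.5%)."""
    return find_fragments(DOC, IMAGE)

if __name__ == "__main__":
    pct, hits = demo()
    print("%.1f%% of target sectors located" % pct)
    for idx in sorted(hits):
        print("target sector %d at image offset(s) %s" % (idx, hits[idx]))
```

Inserting even a few bytes before a sector of the target shifts everything after it off sector alignment, which is why an edited document can score well below 100% although most of its bytes are unchanged.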

BIG Thanks

April 25th, 2010

To all of you who went to LFNW ‘10 and to those who came to my presentation: I really appreciate the support, the laughs, and all of you who were interested. I’m also sorry if I unintentionally offended anyone.

In my defense: I am a newlywed who is very much in love with my wife. When “I” think partner, married, husband, couple, etc., I think of her and how great the past 6 months of marriage have been going. Freudian? Maybe, but I feel justified in doing so. I still do apologize if the remarks sounded sexist, or if it even brought up a possible bad relationship. We’re not all the same, and I get that now just a smidge more.

Outside of this, I really had fun and hope the people did too. I hope to do another presentation at LFNW ‘11 with more great things to show!

Using FTK imager in Linux

April 1st, 2010

I was on my Linux forensics box and was trying to analyze an E01 image in Autopsy. It didn’t work so well.
Instead of taking my images to a Windows box, I installed Wine and then ran FTK Imager Lite through it. I was able to convert the E01s to dd images with ease on the Linux box. I then tried to use FoxAnalysis and a few other items. All worked great.
Since Autopsy saves in a weird .RAW format, I liked using FTK Imager to extract directories such as the Firefox profiles.
So….. using FTK Imager Lite in Linux is possible for tinkering with images. It’s a nicer way to extract and convert images, in my opinion.

Encryption and Passwords

February 16th, 2010

I just wanted to blast out a few personal views on encryption and passwords. Nothing majorly technical, just theories and personal views.

Firstly, encryption of drives or directories with things such as TrueCrypt or BitLocker. I get it, most people want to keep data private, and it’s a GREAT thing. I use it on my laptops just in case one gets stolen.
Here’s the thing though: we’re humans and love to have that additional feeling of being backed up in life. I know more people than not who print out their keys, or store them on some type of archival data medium.
We forget that most encrypted drives also need some type of medium such as a TPM, a USB key, or something to that effect. As a forensic guy, the computer is just part of the evidence collected. I would take CDs, floppies, printouts, USB keys, etc. I’ll be doing a test on one of my Win7 laptops that I added drive encryption to, while also having the key to it. I’ll see how well a standard password can rip through it outside the Windows environment.

Secondly, having done a lot of Linux analysis, I feel that passwords are not needed as much as people think. Finding a user password or the root password isn’t much of an issue. I may recant this statement when dealing with keyrings later down the road, but for now, I have never needed to know the root password for any forensic analysis on a Linux machine yet. Same goes for Windows. The only times passwords would be needed is for getting into compressed files like zips and rars.

Another thing I’d like to mention is password recycling. I did a presentation at the BLUG about 6 months ago. It was a blast, by the way. But… I asked one thing to the group of 30 or so people: “How many of you use the same password for multiple things?” Just about every hand rose out there. So I conclude that if you look too hard at one item’s password, then most likely you are not going to get it. Look other places.
I had a zip file with a good 10-character password. It took a few days to break. But think about what passwords are stored in Firefox or Pidgin or other areas…. If password recycling is used, then I bet it’s somewhere easier to find.

Just my thoughts.

3/17/10 EDIT:
Found this little tidbit when googling around the internet on “mounting Bitlocker volumes”. About halfway down it shows the ability to view the contents of an external BitLocker drive.

Update: passed the CSFA test

February 7th, 2010

I’m highly excited about passing the test; it was a long one and a half months of waiting.

Right now I’m checking out some stuff on file carving and unallocated extraction, trying to find a tool that would best fit my needs. If anyone out there has a good preference on carvers, please let me know! Anything that has good support for ext and dd, and is simple to use.

CSFA test done, got good forensic ideas from it!

January 27th, 2010

I took the CSFA test in December. Still awaiting the results. I’ll honestly say that it was one of the most difficult tests I’ve had to do. BUT….
The scenario of the practical exam of that test gave me some really good ideas to port over to the Linux side of things. Mostly usage of Google Gears/apps and using file upload sites.

I was also thinking of the movement of files to /dev/null, and IF there are residuals in it. I kinda think so. During a demo analysis, I came across a ton of orphaned files. I have not had the time or the ability to carve them together. BUT, I did see an inode pointing to the name of the file I pushed over to null. Gives me some thoughts :)

LinuxFestNW in 2010

January 27th, 2010

I’m going to be doing a presentation at LinuxFest Northwest this year up in Bellingham, WA in April. I’ve started writing up some credit card theft demos that should be fun to do for the presentation. I’ll also be working on the new KDE interface for additional forensic material. I know….. I’ve been sticking to Gnome so much, trying to change that. The demo machine that I use really hates Kubuntu 9.10. Did find that I can install amd64 on it though. I’ll give it some more attention.

I’ve also found some neat browser parsers that I can’t wait to show off!
Till LinuxFest comes, I’m going to be a little quiet on what findings I post.
If you are close to Bellingham, do sign up for the presentation.
Link

SMB Connections

November 27th, 2009

One of the neatest things I’ve stumbled across is the /home/user/acct file. This has account information for SMB connections. This file is hidden, and deleted once the connection is unmounted.
Take a look below.

Contents Of File: /1/home/megatron/acct

Starscream:1043:
289dc86f4f7d599e14efbcc05c9817db:8c05f685dae46e1b36050170069fe44b:
DECEPTI:CON:decepticon

I created user Starscream on a Win2K3 server that had its own share. Starscream’s password was decepticon, which is also there in plain text.
There is the 1042 ID, which is not much use now, but the next two 32-character strings are. They are NTLM hashes. You can see that DECEPTI and CON are there.
I’m assuming, since it’s following the 7-character split rule, that the hashes are as follows:

DECEPTI = 289dc86f4f7d599e14efbcc05c9817db
CON = 8c05f685dae46e1b36050170069fe44b

Pretty awesome there. While this in itself is not worthwhile, because we don’t yet know what the actual SMB server it connected to is….. with extra info, we could deduce what server this relates to with Nautilus and logs.