Posts Tagged ‘linkedin’

Little more on Frag_Find

Tuesday, May 18th, 2010

Since I’m really fond of this tool, I wanted to see what other uses it could have.

1: Documents that have been altered could be found. This could be totally useful if the suspect system has taken a Word document, spreadsheet, etc. and added or deleted some parts of the document. If the analyst has the unaltered document, one could still run Frag_Find against it. Since Frag_Find scores matches sector by sector, a high percentage of the unaltered sectors from the altered document will still match.

Conclusion: this worked flawlessly. I took an old school .doc file that was about 4 pages in length, deleted a paragraph, and added a few random words here and there. I also embedded an image. Frag_Find was able to produce about 65% accuracy. What does this mean in a forensic sense? Well, a suspect could modify a stolen document, and Frag_Find will still be able to find that document even in its modified state.

2: Embedded content in documents should also be capable of being found.

Conclusion: this didn’t work the way I had hoped. As said, I embedded a jpg image in the above document and ran Frag_Find with the jpg as the target file. I had a 0% success rate. This is unfortunate.

3: Scanning formatted media should also be possible. You could take a Fat32 USB drive that was reformatted, scan it with Frag_Find, and it “should” trace out all the sectors in allocated or unallocated space. Really useful if you intend to carve out data. Finding info on a formatted drive is MORE difficult than finding a file that has merely been deleted from the allocation table.

Conclusion: Worked flawlessly. I took a multi-partition (and multi-filesystem) disk, added a few files across the partitions, and then cleaned the disk. Against the image that I created, Frag_Find found every file on each partition at 100%. Hence, even raw or formatted partitions are workable with Frag_Find.

Messing with Google Gears

Saturday, May 8th, 2010

Prior to my LFNW presentation, I found a nifty utility that parsed Google’s Offline mail application. I tried to reuse it just a few hours prior to the presentation and it stopped working :( It worked twice for me, but now it doesn’t.

Quick hack time, which was awesome! Since my big rule is to extract the Firefox profile during an imaging (and hash the files to make sure they are still the same as the suspect’s content), this also copies the Google Gears directory as well. I’ve written about importing Firefox profiles, and this is exactly the same with just a few extra steps:
1: create a gmail account on a dummy workstation, not your forensic station!
2: allow offline mail and install google gears
3: disconnect from the internet so that it’s untainted from gmail sync’ing
4: delete your Gears profile and replace it with the suspect’s Gears profile
5: open up the offline email (no password is required for this!)

While not 100% sound as a forensic method, this works great for letting you view email from offline Gmail. While it’s still OK to read the email from the sqlite database (which Autopsy parses nicely), this is more legible. It gives some more personalization of the event if displaying to courts or lawyers…. I really want a thumbs up from the forensics community to see if there is validity in this procedure.

Frag_Find is one awesome tool

Thursday, April 29th, 2010

I came across some documents for the Advanced Forensic Format organization (http://afflib.org) the other day, so I went and checked out the AFF site. What I really found to be the coolest thing ever was, in the Bloom package, a sector-based hash utility called Frag_Find. Super simple to use, if you are semi-adept at the command line, and super powerful.
Here’s a scenario:
You have a dd image of a suspect drive; that drive had a file on it that you need to find. Clusters could have been partially reallocated and reused, but like 50% of the file still exists somewhere in unallocated space.
You also have that original file.
Run Frag_Find with the original file against the dd image. (An awesome switch to use is -xresults.xml, which will output results to a results.xml file, great for adding to html reports.)
Go get a beer/coffee/nap…. Depending on the size of the original file, this could take a lot of time and computer resources.
Come back later, and Frag_Find will locate what residual elements of the file remain on the suspect image.

Think of the awesome possibilities here! Partial files can now be located. Linux globbing also works, so you could do multiple files and push them to Frag_Find. One MAJOR issue to be aware of is that big target files will eat memory up. I ran a 1Gb target file against a 4 GB DD image on an 8-CPU i7 with 6Gb memory. I used all memory up and 50% swap. My older machine crapped out (Turion64×2 w/2Gb mem) on the 1Gb target, but smaller files ran fine on it.

I’ve had some issues, such as compiling for x86, switch bugs, etc. Still, this is in my top 10 must-have tools. I’ve asked the DEFT team to include it in v6, which will be out in late 2010 or early 2011.
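Sector-based hashing, the idea behind Frag_Find, as an added toy illustration in Python (my code, not Frag_Find or anything from the Bloom package): every 512-byte sector of the target is hashed, the image is walked sector by sector, and the score is the share of target sectors seen at least once; skipping single-byte-fill sectors is my own choice. The constructed demo reproduces the two results from the posts above: a file with 14 of its 40 sectors reused still scores 65%, while the same bytes placed 100 bytes off a sector boundary score 0%, which is one plausible reason embedded content inside a container can go unfound.

```python
import hashlib
import random

SECTOR = 512

def _constant(chunk: bytes) -> bool:
    # Sectors of one repeated byte (zero fill, 0xFF wipe) occur all over a disk
    # and would inflate the score, so this toy leaves them out (my choice).
    return len(set(chunk)) == 1

def sector_hashes(data: bytes, sector: int = SECTOR) -> dict:
    """Map sha1(sector) -> list of sector numbers in `data` with that content."""
    table = {}
    for n in range(len(data) // sector):
        chunk = data[n * sector:(n + 1) * sector]
        if not _constant(chunk):
            table.setdefault(hashlib.sha1(chunk).hexdigest(), []).append(n)
    return table

def frag_find(target: bytes, image: bytes, sector: int = SECTOR):
    """Return (fraction of target sectors located, {target sector: [image sectors]})."""
    wanted = sector_hashes(target, sector)
    located = {}
    for s in range(len(image) // sector):
        h = hashlib.sha1(image[s * sector:(s + 1) * sector]).hexdigest()
        for n in wanted.get(h, ()):
            located.setdefault(n, []).append(s)
    total = sum(len(v) for v in wanted.values())
    return (len(located) / total if total else 0.0), located

def demo():
    """Constructed data: a 40-sector 'file' inside a blank 300-sector 'dd image'."""
    rng = random.Random(7)
    target = rng.randbytes(40 * SECTOR)
    image = bytearray(300 * SECTOR)
    image[50 * SECTOR:90 * SECTOR] = target                      # file once lived at sectors 50-89
    image[60 * SECTOR:74 * SECTOR] = rng.randbytes(14 * SECTOR)  # 14 of its sectors since reused
    aligned, hits = frag_find(target, bytes(image))              # 26/40 = 0.65 of sectors found
    shifted = bytearray(300 * SECTOR)
    off = 50 * SECTOR + 100                                      # same bytes, 100 bytes off a boundary
    shifted[off:off + len(target)] = target
    unaligned, _ = frag_find(target, bytes(shifted))             # 0.0 found: no sector lines up
    return aligned, unaligned, hits

if __name__ == "__main__":
    a, u, hits = demo()
    print(f"aligned copy: {a:.0%} of target sectors found, target sector 0 at image sector {hits[0]}")
    print(f"shifted copy: {u:.0%} of target sectors found")
```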

BIG Thanks

Sunday, April 25th, 2010

To all of you who went to LFNW ‘10 and to those who came to my presentation: I really appreciate the support, the laughs, and all of you who were interested. I’m also sorry if I unintentionally offended anyone.

In my defense, I am a newlywed who is very much in love with my wife. When “I” think partner, married, husband, couple, etc., I think of her and how great the past 6 months of marriage have been going. Freudian? Maybe, but I feel justified in doing so. I still do apologize if the remarks sounded sexist, or if it even brought up a possible bad relationship. We’re not all the same, and I get that now just a smidge more.

Outside of this, I really had fun and hope the people did too. I hope to do another presentation at LFNW ‘11 with more great things to show!

Using FTK imager in Linux

Thursday, April 1st, 2010

I was on my Linux forensics box and was trying to analyze an E01 image in Autopsy. Didn’t work so well.
Instead of taking my images to a Windows box, I installed Wine and then ran FTK Imager Lite through it. I was able to convert the E01’s to dd’s with ease on the Linux box. I then tried to use FoxAnalysis and a few other items. All worked great.
Since Autopsy saves in a weird .RAW format, I liked using FTK Imager to extract directories such as the Firefox profiles.
So….. using FTK Imager Lite in Linux is possible for tinkering with images. It’s a nicer way to extract and convert images in my opinion.

Update: passed the CSFA test

Sunday, February 7th, 2010

I’m highly excited about passing the test; it was a long 1 and a half months of waiting.

Right now I’m checking out some stuff on file carving and unallocated extraction, trying to find a tool that would best fit my needs. If anyone out there has a good preference on carvers, please let me know! Anything that has good support for ext and dd, and is simple to use.

Nautilus objects it saves

Friday, September 25th, 2009

Gnome’s main file browser, Nautilus, creates some XML files that seem to hang out in /home/user/.nautilus

If we’re using a Gnome-based desktop, pretty much anything network- or device-based touches the Desktop via its automounting. Anything saved to the desktop is documented with epoch create times, it appears. Pretty nice!

DEFT Forensics Live-CD

Sunday, September 13th, 2009

I’ve been checking around for a new bootable forensics environment to use outside of Helix. Now that Helix is selling all their stuff for ungodly prices, I’d rather find something else for the time being. I’ve seen hundreds of different ones out there, and they’re pretty much all the same. They just boot into Linux, have Autopsy and disk imaging utils, and the disks are switched to -RO. I wanted something like how Helix had additional utilities for Win32 incident response.

I stumbled across DEFT, and I’m starting to get quite impressed with it already. It’s Xubuntu-based, damn fast, and has additional support for Win32 items. Things like FTK Imager, FoxAnalysis, USBDView, etc.

I’m really liking how it’s engineered and its applications. There’s a CD and a bootable USB version. It has a lot of the standard Linux apps; one I’m wanting to dig into more is Xplico, a packet capture parser and analyzer.

While I feel that this could be a great tool, I still would like to tinker around to find out if it’s worthwhile.

Epoch Time conversion

Tuesday, September 8th, 2009

I was sifting around in an imaged drive I play with and was checking out /home/USER/.cache to see if there were more items I could “discover”.

In this image I noticed that Gedit was called and had some meta-data that was hanging out in .cache. I took a look….

There was a simple gedit-metadata.xml that had been created.

Inside the <document> element is something that I was amazed to find. It was the name of the last text document I opened (I recall opening up this txt)

There was also an “atime” inside the element. Googling around I learned that ctime, atime and mtime are for created/accessed/modified. Cool, now there’s a record of when I accessed the file… BUT the format was weird.

atime="1247720990"

This is what’s called “Epoch Time”: the number of seconds that have passed since midnight of January 1, 1970 GMT.

Now, you can Google up thousands of Epoch to standard time converters, snag some apps, or do the math yourself. Either way, we now have a way to make sense of these times.

I soon realized that Epoch time is used quite a bit in /var/log. Items that deal with kernel activity are usually not put in standard time. Also udev seems to use Epoch time. Every distro is different, and some logging could be pure Epoch, pure standard, or a mix. Just knowing how to decode that time is worthwhile.
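Decoding the atime above and the mixed-format log lines, as an added Python example (my code, not from the post): the gedit-metadata.xml content is a constructed stand-in whose `<document uri=... atime=.../>` layout is assumed, and the log line is constructed too. Converting in UTC keeps the result independent of the analysis workstation’s timezone, which matters when the suspect box and the examiner’s box are set differently.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed stand-in for ~/.cache/gedit-metadata.xml. The real file's layout is
# assumed here to be <document> elements carrying uri and atime attributes.
GEDIT_METADATA = """<?xml version="1.0"?>
<metadata>
  <document uri="file:///home/user/notes.txt" atime="1247720990"/>
  <document uri="file:///home/user/todo.txt" atime="1252000000"/>
</metadata>
"""

def epoch_to_utc(value) -> str:
    """Render seconds since 1970-01-01 00:00:00 UTC as an unambiguous UTC string.
    Using tz=timezone.utc (rather than the naive fromtimestamp) stops the
    workstation's local zone from shifting the result."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def gedit_atimes(xml_text: str) -> list:
    """(uri, UTC access time) for each <document> that records an atime.
    Side note for stat-derived times: on Linux, ctime is the inode *change*
    time, not a creation time, so do not read it as 'created'."""
    root = ET.fromstring(xml_text)
    return [(d.get("uri"), epoch_to_utc(d.get("atime")))
            for d in root.iter("document") if d.get("atime")]

# Ten-digit numbers starting with 1 fall between 2001-09-09 and 2033-05-18 when
# read as epoch seconds, so inside a log line they are almost always a timestamp.
_EPOCH_TOKEN = re.compile(r"\b(1[0-9]{9})\b")

def annotate_epochs(line: str) -> str:
    """Append a UTC rendering after each epoch-looking token in a log line,
    leaving kernel uptime stamps such as [ 12.345678] and short PIDs untouched."""
    return _EPOCH_TOKEN.sub(lambda m: f"{m.group(1)} [{epoch_to_utc(m.group(1))}]", line)

if __name__ == "__main__":
    for uri, when in gedit_atimes(GEDIT_METADATA):
        print(f"{when}  {uri}")
    print(annotate_epochs("udev[1234]: 1247720990 add /dev/sdb1"))   # constructed log line
    print(annotate_epochs("kernel: [   12.345678] usb 1-1: new device"))
```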

Web History: Firefox in Linux

Monday, September 7th, 2009

I’ve attempted to take Firefox’s profile directory, extract the contents to a Windows-based machine, and then use FoxAnalysis to decrypt the information present.

FoxAnalysis seems pretty decent as a browsing analysis tool for Windows machines, like WebHistorian. I ran it against my Vista machine, and it was able to provide a huge amount of info… downloads, pages accessed including dates, frequency of accesses, passwords. This could make the time for analyzing a machine so much quicker and the results easier to put in a formatted report.

I took a fresh Linux box and surfed around the interweb a bit. Googled a few items, downloaded a thing or two, and various other stuff. I didn’t save any passwords (I will try that later). Steps and times were written down.

I then exported the profile out, and ran FoxAnalysis against it on my Vista machine.

Linux-based Firefox3 profiles are able to be analyzed with FoxAnalysis with great accuracy! Searches were there, my downloads were shown, queries were present.

This is a HUGE time saver for analysis. I took that Linux box, imaged it, and initiated a case in Autopsy. The info is there, but much harder to read, making it easier to lose valuable data.