INSTITUTO SUPERIOR TÉCNICO

Transcription

1 INSTITUTO SUPERIOR TÉCNICO DEPARTAMENTO DE ENGENHARIA INFORMÁTICA FORENSICS CYBER-SECURITY MEIC, METI Lab Guide II Evidence Examination 2015/2016

2 1 Introduction This guide will introduce you to the basic procedures and tools for the examination of digital evidence in file systems and network traces. To examine the data, you will need to set up a Kali VM and a Windows forensics VM. The images of these VMs can be found on IST s AFS system under the path: /afs/ist.utl.pt/groups/csf/public/toolkit. The data to be examined is distributed in a single tarball (csf-lab2-data.tgz) that can be downloaded from /afs/ist.utl.pt/groups/csf/public/lab2. Start by importing the VM images and bootstrapping them on your computer. Then, retrieve the tarball, copy it into each VM, and decompress the file. Except for the step 9 in Section 2.2, all other steps described in this guide must be performed in the Kali VM. 2 Examination of file system images In this assignment, we will cover some basic techniques for evidence extraction from file system images, namely file carving and keyword searching. In the process, you will be introduced to a few basic forensic tools, such as xdd, foremost, the sleuth kit (TSK), and autopsy. 2.1 Basic file carving In this exercise, you will learn how file carving works by examining the test image 11-carve-fat.dd. Change directory to the decompressed folder section-2_1, where the test image is located. Details of the test image: This test image is intended to test data carving tools and their ability to extract various file formats. The image contains several allocated and deleted files. The header of one JPEG file was modified (with 1 header byte corrupted at offset 19 within the file). This test image is a raw partition image (i.e. dd ) of a FAT32 file system. It was created from a USB thumb-drive that was wiped and formatted using the mkfs.vfat program. The FAT boot sector has been corrupted so that the image cannot be mounted and therefore data carving methods must be used to extract the files. The file system is 62MB and is compressed to 11MB. The MD5 of the image is: MD5: c892a462f88dc6d376624f7d9. The following files and the MD5 hash and description were created on the file system: # Name MD5 Size Note Sectors _document.doc e72f388b36f9370f19696b164c A Valid DOC file enterprise.wav 7629b89adade055f6783dc A valid WAV file haxor2.jpg 84e1dceac2eb127fef5bfdcb0eae324b An invalid JPEG file holly.xls 7917baf afef8b381570c A valid XLS file lin_1.2.pdf e026ec ba1f5765a d A linearized PDF nlin_14.pdf 5b3e806e8c9c06a475cd45bf821af A non-linearized PDF paul.jpg 37a49f97ed279832cd4f7bd002c826a A valid jpeg pumpkin.jpg 6c9859e5121ff54d5d6298f65f0bf3b A valid EXIF jpeg shark.jpg d83428b8742a075b57b0dc424cd297c A valid JPEG sm1.gif d25fb845e6a41395adaed8bd14db7bf A valid GIF surf.mov 5328d2b066f428ea95b ab97fa A valid MOV surf.wmv ff085d0c4d0e0fdc8f3427db68e A valid WMV test.ppt 7b74c2c608d92f4bb76c1d3b6bd1decc A deleted PPT wword60t.zip c0be59d49b7ee0fdc492d2df32f2c6c A valid ZIP domopers.wmv 63c0c6986cf0a446cb54b0ac65a921a A deleted wmv CSF Lab Guide II Page 2 of 6

3 1. In order to check whether some files are directly accessible, start by mounting the file system image: $ mkdir./mnt $ mount 11-carve-fat.dd./mnt 2. If an error is produced when mounting the dd image, it means that the OS was not able recognize the file system data structures in the image. Try again, but now using TSK s tool fstat as follows: $ fsstat 11-carve-fat.dd 3. You will see that the tool was also not able to determine the file system layout of the image. This result concurs to the original hypothesis that the file system s data structures have been tampered with. Let s manually inspect the first sectors of the image and see what they look like. Type: $ xxd 11-carve-fat.dd less Knowing beforehand that the image contained a FAT32 file system, what were you expecting to find in the first sector 1? Do you find any evidence that the file system has been broken? 4. Since the file system s data structures are corrupted, let s look for deleted files using a file carving tool, for example foremost: $ foremost 11-carve-fat.dd The foremost tool creates a directory named output in which it places all the files that it was able to carve from the dd image. The tool organizes the recovered files in subdirectories according to the file type. The name of each file is given after the number of the first sector where the file was found. What would it be necessary in order to recover the files original names? 5. Now, navigate to the output directory, inspect the audit.txt file, and open the recovered files. Check which of the original files were found based on the MD5 fingerprints of the recovered files. To easily calculate the MD5 values of the recovered files across all subdirectories, execute the following command (assuming you are located in the output directory): $ for i in */* ; do md5sum $i ; done 6. What files was foremost not able to recover or recovered with errors? 7. To get a deeper understanding of how foremost works, let s see how this tool managed to extract the JPEG file number 7. According to the name of the recovered file, this file starts in sector and ends in sector Inspect the file s first sector by extracting this sector and displaying its content: $ dd if=../11-carve-fat.dd bs=512 skip=19717 count=1 xxd Verify that the first sector starts with a valid JPEG signature. Confirm that foremost is configured to interpret this signature by reading the tool s configuration file /etc/foremost.conf. How does foremost determine the file ending? 8. Formulate a hypothesis that explains the limitations of foremost in finding all files. 1 FAT32 layout: CSF Lab Guide II Page 3 of 6

4 2.2 Keyword search exercise This exercise is intended to give you practice searching for text strings within a disk image. Quite often there are keywords associated with an investigation that can help find evidence. For example, if the case involves drugs or specific locations, drug or location related keywords can be searched for in the hope of locating documents or s relating to the investigation. Special tools are needed in the event that the keywords are in deleted documents or are hidden in slack or unallocated space. Details of the test image: The test image consists of file fat-img-kw.dd and is located in folder section-2_2. It is a file system with several ASCII strings, including the ones listed in the table below. If one of the below strings is not found by a tool, that does not mean that the tool has an error in it. For example, the 1slack1 string crosses between the end of a file and into the slack space of the file. Some tools will find this and others will not. As long as the functionality of the tool is properly documented, then it is up to the user to use his tools in the needed way to gather the possible evidence. This test image is a raw partition image (i.e. dd ) of a FAT file system. The file system is 25MB and is compressed to 380KB. The MD5 of the image is: MD5: bac12239bd466fa6c86ceb0b0426da0a. This table lists a set of terms that exist somewhere in the file system. # String Sector Offset File Note 1 first file1.dat in file 2 SECOND file2.dat in file SECOND N/A in dentry - file name 3 1cross file1.dat and /file2.dat crosses two allocated files 4 2cross file3.dat crosses consecutive sectors in a file 5 3cross N/A crosses in unalloc 6 1slack file2.dat and file2.dat slack crosses a file into slack 7 2slack file3.dat slack and file4.dat crosses slack into a file 8 3slack file4.dat slack in slack 9 1fragment file4.dat crosses fragmented sectors 10 2fragment sentence file6.dat crosses fragmented sectors on 11 deleted file5.dat (deleted) deleted file 1. Just like in the previous exercise, start the examination by navigating to the location of the test image, and mounting the file system image: $ mkdir./mnt $ mount fat-img-kw.dd./mnt 2. Browse the contents of mnt. Next, learn the details about the file system by typing: $ fsstat fat-img-kw.dd 3. From the output of fsstat, we can confirm that it is a FAT16 file system. To get a deeper understanding of how the file system is structured, let s look at the hex dump of the image, starting from the first sector: $ xdd fat-img-kw.dd less 4. By comparing this output against the FAT16 layout, identify the endianess of the image (tip: see on address 01FEh how the boot sector signature is represented). From this finding, hypothesize the computer architecture from which this image was (not) taken. CSF Lab Guide II Page 4 of 6

5 5. Confirm some of the readings of fsstat, namely that the sector size is 512 (field Bh) and the cluster (data unit) size is 512 (Dh). In addition, determine the number of FAT data structures (field 10h) and the size in sectors of each one (field 16h). Confirm that these values also match the results obtained by fsstat. 6. We are now ready to perform some keyword searches. First, we will use the srch_strings tool from TSK. To start with, create a list of words to search for; this list is typically called a dirty word list 2. Add the following words to a text file, one per line, exactly as shown on the next page: first SECOND SECOND 1cross1 2cross2 3cross3 1slack1 2slack2 3slack3 1fragment1 2fragment sentence2 deleted 7. Save the document as dirty-words.txt where the kwsearch-fat.dd image is located. Search through the.dd file for all the words in the dirty-words list by typing the following commands: $ srch_strings -a -t d fat-img-kw.dd > text-search.asc $ fgrep -f dirty-words.txt text-search.asc > results.txt 8. Was the srch_strings tool able to find all the keywords in the dirty list? Based on these results, discuss the limitations of this tool in terms of keyword searching. 9. Perform similar searches but now using the autopsy tool. There are two versions of this tool: one for Linux and one for Windows. Since autopsy s Windows version is significantly more advanced, we will perform this examination on the Windows VM rather than on the Kali VM. Start the Windows VM, download fat-img-kw.dd, and start autopsy 3. In autopsy, import the image and then perform the same queries. Compare the results of the previous tool against autopsy s. 3 Examination of network traces In this exercise, we will extract evidence from network traces using key word search and / or data carving techniques. The network traces are located in directory section-3. Consider the signatures in the following table: Description Signature PNG file "\x89\x50\x4e\x47" PDF file "%PDF" MP3 file "\x49\x44\x33" addresses "[a-za-z0-9._%+-]+@[a-za-z0-9._%+-]" IP address "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}" Credit card details (Mastercard) "5\d{3}(\s -)?\d{4}(\s -)?\d{4}(\s -)?\d{4}" Credit card details (Visa) "4\d{3}(\s -)?\d{4}(\s -)?\d{4}(\s -)?\d{4}" Credit card details (Am Ex) "3\d{3}(\s -)?\d{6}(\s -)?\d{5}" Domain name "[a-za-z0-9\-\.]+\.(com org net mil edu COM ORG NET MIL EDU UK) 2 The file is not named this because dirty refers to something that is or may be involved in a crime. 3 Check the autopsy tutorial: CSF Lab Guide II Page 5 of 6

6 1. Using the wireshark network analyzer and these signatures as filters, examine the network traces below in order to determine the required evidence as follows: (a) From file with_png.pcap, find names of PNG files. (b) From file with_pdf.pcap, find names of PDF files. (c) From file with_mp3.pcap, find names of MP3 files. (d) From file _cc2.pcap, find names of addresses. (e) From file _cc2.pcap, find credit card details. (f) From file webpage.pcap, find IP address details. (g) From file webpage.pcap, find domain name details. 2. Use the foremost tool to extract the files of types PNG, PDF, and MP3 from traces with_png.pcap, with_pdf.pcap, and with_mp3.pcap, respectively. Identify the content of each recovered document. Note that it is also possible to carve these files from wireshark. CSF Lab Guide II Page 6 of 6