Disk Forensics. Oliver Giudice. Banca D Italia

Size: px

Start display at page:

Download "Disk Forensics. Oliver Giudice. Banca D Italia"

Charlotte Cunningham
5 years ago
Views:

1 Disk Forensics Oliver Giudice Banca D Italia oliver.giudice@bancaditalia.it Dipartimento di Matematica e Informatica Università degli Studi di Catania giudice@dmi.unict.it

2 Outline Computer Basics for Digital Investigators Applying Forensic Science to Computers Windows & Linux System Analysis Tools Overview

3 Computer Basics for Digital Investigators What happens behind the scenes?

4 Computer Basics for Digital Investigators What happens behind the scenes? What s this?

5 Computer Basics for Digital Investigators What happens behind the scenes? What s this? How it works?

6 Computer Basics for Digital Investigators What happens behind the scenes? Power-up Computer Power-up phases: 1. CPU Reset 2. Power-on Self Test (POST) 3. BIOS 4. Boot (disk?)

7 Computer Basics for Digital Investigators What happens behind the scenes? BIOS - CMOS BIOS Password vs. CMOS DATA - Date-Time Information - Peripherals Configuration - Etc. Denies Access Data Destroyed CMOS Reset: only solution

8 Computer Basics for Digital Investigators What happens behind the scenes? BOOT System looks for an Operating System (first in drive sequence) Preventing a computer from using the operating system on the hard disk is IMPORTANT when the disk contains evidence.

9 Computer Basics for Digital Investigators What happens behind the scenes? Representation of DATA Little Endian Vs. Big Endian Viewing Two Tcp-dump Files Created on Intel-Based and Sun Systems Shows the Difference between Little- and Big-Endian Representations of the Same UNIX Data (in Bold)

10 Computer Basics for Digital Investigators What happens behind the scenes? Representation of DATA Binary, HEX, ASCII, Etc.

11 Computer Basics for Digital Investigators What happens behind the scenes? Representation of DATA Files Additional common file signatures are tabulated at

12 Computer Basics for Digital Investigators What happens behind the scenes? Representation of DATA Images EXIF

13 Computer Basics for Digital Investigators What happens behind the scenes? Hard Drives How HDs functions? How data are stored? Where data can be hidden?

14 Computer Basics for Digital Investigators What happens behind the scenes? Hard Drives IDE (Integrated Disk Electronics) Connectors: (SATA SCSI)

15 Computer Basics for Digital Investigators What happens behind the scenes? 512 bytes Hard Drives Magnetic patterns on a hard disk as seen through a magnetic force microscope. Peaks indicate a one (1) and troughs signify a zero (0).

16 Computer Basics for Digital Investigators What happens behind the scenes? 512 bytes Hard Drives: SMART Modern ATA hard drives use SMART (Self-Monitoring, Analysis, and Reporting Technology) to record basic information on the controller such as how many times the drive has spun up, how many hours it has been powered on, and current internal temperature. This information helps computers anticipate and warn when a hard drive is likely to stop working properly. Specialized tools are needed!

17 Computer Basics for Digital Investigators What happens behind the scenes? 512 bytes Hard Drives: Special Track The first cylinder on a disk (a.k.a. the maintenance track) is used to store information about the drive such as its geometry and the location of bad sectors. By intentionally marking portions of the disk as bad, an individual can conceal data in these areas from the operating system.

18 Computer Basics for Digital Investigators What happens behind the scenes? 512 bytes Hard Drives: Hidden Partitions Invisible to Operating Systems Easy-to-find by using tools that are specifically designed to conduct forensic examinations Professional VS. Amateur

19 Computer Basics for Digital Investigators What happens behind the scenes? Hard Drives: File Systems FAT Family (Windows) NTFS (Windows) HFS Family (MAC) EXT Family (Linux) UFS (Solaris) New Cylinder

20 Computer Basics for Digital Investigators What happens behind the scenes? Hard Drives: File Systems FAT Family (Windows) NTFS (Windows) HFS Family (MAC) EXT Family (Linux) UFS (Solaris) New Cylinder GPT

21 Computer Basics for Digital Investigators What happens behind the scenes? Hard Drives: Files When a file takes up less than one cluster, other files will not use the additional space in that cluster (File Slack Space) When a file is deleted, its entry in the file system is updated to indicate its deleted status and the clusters that were previously allocated to storing are unallocated and can be reused to store a new file. The data will remain on the disk until a new file overwrites them.

22 Computer Basics for Digital Investigators What happens behind the scenes? Not all storage devices have file systems! BACKUP Tapes On UNIX machines, swap partitions do not have file systems

23 Computer Basics for Digital Investigators Data Hiding / Obfuscation (within File Systems) Many ways Hidden/Lost Partitions (Solution: Search pattern on disk byte-wise) Name Changing: child-porn.jpg! system32.exe (Solution: file signature) Hidden Files (Solution: don t use native OS) Alternate Data Stream: An alternate data stream is a feature of Microsoft NTFS that allows one file to be effectively tacked onto another file without being visible to regular users of the system. This feature was intended to provide compatibility with Macintosh resource forks, but some malicious programs use alternate data streams to hide themselves on Windows systems running NTFS. (Solution: disk byte-wise analysis) Steganography

24 Computer Basics for Digital Investigators The question is HOW? Forensic Examinations Tools PRO Automate operations Some Tools have comfortable GUIs EASY and FAST CONS Understanding of what is behind Different results in different tools Common Sense Needed

25 Applying Forensic Science to Computers Where do we start?

26 Applying Forensic Science to Computers ISO IEC 27037/2012 Guidelines for identification, collection, acquisition, and preservation of digital evidence.

27 Applying Forensic Science to Computers Crime Scene Laboratory Preparation Examination and Analysis Survey Reconstruction Preservation Documentation Reporting Results

28 Windows & Linux System Analysis Log Files Windows: C:\Windows\System32\config o o o o Application usage statistics Login account data Security data DIFFICULT to find and read Linux: /var/log o o Almost Everything on the system Easy to read but easy to tamper

29 Windows & Linux System Analysis Windows Registry System configuration and usage details Use of Removable USB devices

30 Windows & Linux System Analysis Internet Traces Modem logs Browsers Clients FTP Clients P2P Clients

31 Tools Overview Partition Analysis fdisk -l: Shows all partitions and memory devices mmls /dev/xxx or mmls filename.dd: shows all partitions in a device mount: shows filesystem types of mounted devices and mode (rw)

32 Tools Overview Mount (where?) /dev/fdx25 for floppy disks (es. /dev/fd0); /dev/hdx hard disk IDE; /dev/sdx hard disk SATA or USB devices; /dev/cdrom for optical devices.

33 Mount (how?) Tools Overview mount t type o options source mount_point o Type: filesystem type for example fat, ntfs-3g, ext3, etc. choose «auto» when not sure! o Source: /dev/hda1 or /dev/sda1 o Mount_point: directory that should be created BEFORE launching mount command o Options: ro: read-only rw: read-write loop: for image-files noatime: access time not modified noexec: doesn t allow executables

34 Tools Overview Mount: examples (devices) mount t ntfs-3g o rw /dev/sdb1 /media/dest mount t ntfs-3g o ro /dev/sdb1 /media/evidence

35 Tools Overview Mount: examples (images) If image file is of an entire disk and not of single partition: mount t ntfs o ro,loop,noatime,noauto,noexec,offset= $((512*32256)) dump.dd /media/dest??????

36 Tools Overview Mount: examples (images) Mmls dump.dd: I want Partition 3 offset=$((512*32256))

37 Tools Overview Never Forget When Finished: umount /media/mount_point

38 Tools Overview Devices Acquisition: Method Compute Device HASH Bit-stream Copy of Device Compute Image HASH and check with device one

39 Tools Overview Hash md5sum /dev/sda sha1sum /dev/sda md5deep l /root/evidence/ > hash_device.txt o Recursively computes hashes of files and save them in a txt dhash -t -f /dev/sda --md5 --sha1 -l dhashlog.html o Computes md5 && sha1 and gives remaining time o GUI Provided o Multilanguage

40 Tools Overview Devices Acquisition: dd dd if=/dev/sda of=/media/diskimage.img dd if=/dev/sda of=/dev/sdb!!!!dangerous!!!!

41 Tools Overview Devices Acquisition: dd dd if=/dev/sda of=/media/diskimage.img dd if=/dev/sda of=/dev/sdb!!!!dangerous!!!! Devices Acquisition: ddrescue Same signature Sets zero on unreadable bits

42 Tools Overview Devices Acquisition: dcfldd dcfldd if=/dev/sda of=/media/disk.img hash=sha1 hash=md5 o Computes hash and acquisition at the same time Devices Acquisition: dhash (again) dhash -t -f /dev/sda --md5 --sha1-o disk.dd o Acquisition and hash

43 Tools Overview Data Analysis: Timeline (First STEP) FLS (example for images with single partition) fls -z GMT -s 0 -m C: -f ntfs -r /images/disco-c.dd > /workdir/disco-c.body -z: time zone of the system to be analyzed; -s: delay in seconds between system time and UTC; -m: text prefix of path and filename; -f: file system type; /images/disk-c.dd: input image; /workdir/disk-c.body: output; -o: offset, for images with multiple partitions.

44 Tools Overview Data Analysis: Timeline (Body File)????????????????

45 Tools Overview Data Analysis: Timeline (Second STEP) Mactime (body! csv) mactime -b /workdir/disk-c.body -z gmt -d > /workdir/disk-c.csv -b: input file; -z: time zone; -d > /workdir/disco-c.csv: output Activity Analysis: -d i file_name: daily activity -h i file_name: hour activity

46 Tools Overview Data Analysis: Timeline Mactime d -i!!!!

47 Tools Overview Data Analysis: Timeline Mactime (ouput)

48 Tools Overview Data Analysis: Super Timeline Log2timeline (uses file system metadata) 1. Apache2 Access log; 2. Apache2 Error log; 3. Google Chrome history; 4. Encase dirlisting; 5. Windows Event Log files (EVT); 6. Windows Event Log files (EVTX); 7. EXIF; 8. Firefox bookmark; 9. Firefox 2 history; 10. Firefox 3 history; 11. FTK Imager Dirlisting CSV file; 12. Generic Linux log file; 13. Internet Explorer history file, parsing index.dat; 14. Windows IIS W3C log file; 15. ISA server text export; 16. Mactime body file; 17. McAfee AntiVirus Log; 18. MS-SQL Error log; 19. Opera Global and Direct browser history; 20. OpenXML metadata (Office 2007); 21. PCAP files; [ ]

49 Tools Overview Data Analysis: Super Timeline Log2timeline (Example) mount -o ro,loop,show_sys_files,streams_interface=windows,offset=$ ((512*63)) /mnt/raw/img.dd /mnt/c

50 Tools Overview Data Analysis: Super Timeline Log2timeline (Example) log2timeline -p f winxp -r -z Europe/Rome /mnt/c/ -m C: -w c-log2t-unsorted.csv -p: recursive preprocessing (for further analysis); -f: OS type; -r: recursive analysis of file; -z: time zone; -m: prefix string for path -w: ouput (csv file)

51 Tools Overview Data Analysis: Super Timeline Log2timeline (Example) log2timeline -p f winxp -r -z Europe/Rome /mnt/c/ -m C: -w c-log2t-unsorted.csv -p: recursive preprocessing (for further analysis); -f: OS type; -r: recursive analysis of file; -z: time zone; -m: prefix string for path -w: ouput (csv file) Returns CSV files in analysis order

52 Tools Overview Data Analysis: Super Timeline L2t_process (Example) l2t_process -i -b c-log2t-unsorted.csv -y k keywords.txt > c-log2t csv -i: prints information not in the time interval if timestomping is suspected; -y: forces date format: yyyy-mm-dd; -b: input -k: for keywords

53 Tools Overview Data Analysis: Super Timeline L2t_process (Output) 1. Date 2. Time 3. Timezone 4. MACB 5. Source 6. Sourcetype 7. Type 8. User 9. Host 10. Short 11. Desc 12. Version 13. Filename 14. Inode 15. Notes 16. Format 17. Extra Long List of entries: - File System operations - Meta-data - Register - Events - Links - Browser history - Etc.

54 Tools Overview Data Analysis: file and directory search Locate (Example) locate finanza q i (case insensitive, show access errors) locate *.png -q Find (Example) find. -iwholename *porn*.png (all files containing porn, case insensitive find. -ctime -2 > lista.txt (file created in last two days)

55 Tools Overview Data Analysis: File Carving Foremost (Example) foremost -o outpdir dump.img (uses configuration in /etc/ foremost.conf) foremost -t png -o outpdir dump.img tiff wmv mov pdf ole doc zip rar jpg gif png bmp avi exe mpg wav htm cpp

56 Tools Overview Data Analysis: Tools (GUI) DHash: Acquisition Hash

57 Tools Overview Data Analysis: Tools (GUI) Guymanager: Acquisition Case management

58 Tools Overview Data Analysis: Tools (GUI) Catfish: Find Locate

59 Tools Overview Data Analysis: Tools (GUI) FindWild: Search file contents Locate

60 Tools Overview Data Analysis: Tools (GUI) Hunchbacked 4most: Foremost Implementation

61 Tools Overview Data Analysis: Tools (GUI) Hunchbacked 4most: Scalpel Implementation

62 Tools Overview Data Analysis: Autopsy File System Analysis Carving Timeline reconstruction Almost Everything!

63 Tools Overview Internet Traces: Browsers IEHistoryView IECookieView IECacheView MozillaHistoryView MozillaCookieView MozillaCacheView MyLastSearch:

64 Internet Traces Tools Overview File.pst (Microsoft Outlook) Kernel Outlook PST Viewer Mail Navigator Microsoft Outlook (Be Careful) SQLITE (Mozilla Thunderbird)

65 Tools Overview Internet Traces (Cloud) Dropbox (example) Files.dbx Config.dbx File_cache.dbx Server_path Parent_path Local_sjid (file version number) Local_mtime (modified time) Local_ctime (created time) "!!! Dropbox Decryptor (MAGNET FORENSIC)

66 Thanks for your attention.

Introduction to Disk Forensics Discovering evidences in mass storage devices

Introduction to Disk Forensics Discovering evidences in mass storage devices ictlab s.r.l. - Spinoff Università di Catania IPLAB - Università di Catania info@ictlab.srl Catania - April 26, 2017 1 Introduction