Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within it’s Network

Code: Select all

This paper is the work of The Master Jedi Pimpsor AKA thehorse13, who has kindly consented to it being hosted here on the TAZ.

The original post can be found here:
http://www.antionline.com/showthread.php?s=&threadid=272469&perpage=10&pagenumber=1

Overview: (Please Read)
=+=+=+=+=+=+=+=+=+=+=+=+=+
As many of you venture into a pervasive computing environment, it will not be long before
you will be faced with a situation where forensics will be needed. This is an upcoming, and
in my opinion, will be the hottest area of security. If you’re one to chase the big bucks and
you want to stay in the technology track, then this is the route for you. Otherwise, go off
and write documentation for all of the new regulations. That too is hot and returning hefty salaries.

I’m going to step you through the process of dissecting a malcode sample using tools and
techniques that are commonly used by forensic teams. Keep in mind that at the time of
this writing there are no set standards in forensics. This means that you may find other
forensic teams doing things differently but rest assured that the techniques I’m about to
show you are used by the top minds in the discipline, including myself.

Throughout this tutorial, all operations will be done in a 6 gig Windows 2000 professional
VM environment. The OS is fully patched and there are no antivirus scanners or firewalls
running (A virgin installation). The VM does have network connectivity and the network it
sits on is VLANed into a network segment that only has internet access upon manual
activation. There are no routes to production or other lab environments. In other words, it’s
in complete isolation from areas where it could cause harm.

Typically you want to use a VM instance to conduct your initial testing of the code or any
other host that you can reformat or otherwise abuse for the purposes of analysis without
affecting production hosts/environments. I use VMs because when a problem crops up I
can simply regenerate a fresh image in seconds instead of hours if I had to do a fresh
install. The point here is to have a controlled throw away environment to conduct your
examination.

This tutorial is limited to one very small part of forensics. If this tutorial proves valuable
based on feedback, I will move on to other situations/techniques such as scraping data
from a hard drive to establish what users have done on the host including attempts to
remove traces of their activities, what disposable media was used on the host, etc.
Network forensics is another area I can touch on but would require me to write a book to be
thorough.

One last thing. Because I don’t want to attach images and such to the thread, I’ve decided
to describe what I can without screenshots. I will insert text where I can but things should be relatively clear. If not, PM me
and I will put together a screen shot library for you.

Our Malcode: hax0r.exe
=+=+=+=+=+=+=+=+=+=+=+=+=+
You find a piece of malcode on a host. No antivirus company knows what it is and you want
more information about it.

TIP: Norman Sandbox:

http://sandbox.norman.no/live_4.html

Is a place where
malcode is run in a sandbox and the results are returned to you. I use this for quick and
dirty analysis. All you do is upload a sample and it maps out what the malcode does. This
can be very helpful in a zero day scenario. As we will see, this method may not always
work for you.

Let’s begin by doing a tool inventory. Whenever you’re going to do an examination of code,
you’re going to need a few base tools.
a) A good hex editor. I use OllyDbg (Free) or if you have a few thousand dollars, SoftICE will
be an excellent selection.
b) A Strings program. Strings.exe on Win32 is not native. You’ll have to grab a third party
tool such as strings.exe (command line) or BinText (Win32 GUI). Both are free and do the
same thing.
c) A Win32 Portable EXE identifier. A key part of analysis will be to identify what packer was
used to compress an EXE. If you cannot identify the packer, you’ll be forced to actually run
the malcode to see what it does. This isn’t necessarily a problem but for this tutorial, we’re
going to want to identify the packer. I use PEiD for identification. Again, a free tool found
here:

http://peid.has.it/

d) Once we ID the packer, we’ll need to unpack it. UnFSG and Procdump will be needed for
this case. Both are free.
e) A program to monitor changes to your environment. I use install watch pro.

http://www.epsilonsquared.com/installwatch.htm

TIP: There are hundreds of PE packers out there. You may not always be able to unpack
them and will be forced to try to run the malcode to see what it does. For a list of PE
packers, see:

http://www.exetools.com/compressors.htm

. Note that the site also
has a bunch of unpackers as well. Depending upon successful identification of the packer,
you may be able to use one of them to unpack the malcode.

OK, so here we go.

1) Using strings.exe, I first determine if the exe is compressed with a Win32 packer. Typically, you will see
short bursts of 4 or so random characters and maybe a line or two of
text if it is packaged/encrypted. Once you’ve seen a few packaged exe files you’ll quickly be
able to tell when an exe is packaged or not. Even if you fail to do so, OllyDBG will throw a
warning up if it detects that the exe is packaged/encrypted.

First let’s look at an example of a non packaged exe: sid2user.exe. This is totally random. I
chose it simply because I had it in the same folder as my strings executable.

code:——————————————————————————–
c:\temp\strings.exe sid2user.exe
string:utofrange
Borland C++ – Copyright 19
Evgenii Rudnyi (C) All rig
Chemistry Department, Mosc
119899 Moscow, Russia, htt

rudnyi@comp.chem.msu.su

This utility is freeware a
distribute it. Optionally,
you may send me a bottle o
Disclaimer of warranty:
This utility is supplied a
express or implied, includ
merchantability and of fit
no liability for damages d
the use of this utility.
The goal of the utility is
sid2user [\\computer_name]
where computer_name is opt
sid2user 5 32 544
By default, the search sta
could not allocate SID
Name is
Domain is
Type of SID is
SidTypeUser
SidTypeGroup
SidTypeDomain
SidTypeAlias
SidTypeWellKnownGroup
SidTypeDeletedAccount
SidTypeInvalid
SidTypeUnknown
LookupSidName failed – no
<notype>
**BCCxh1
__GetExceptDLLinfo
Stack Overflow!
Error 0
Invalid function number
No such file or directory
Path not found
Too many open files
Permission denied
Bad file number

C:\temp>
——————————————————————————–

As you can see, strings can be helpful in identifying potential help or avenues of
investigation against standard output statements. Notice lots of plain text and system error
syntax.

And now, here is what a packaged exe looks like: hax0r.exe.

code:——————————————————————————–
c:\temp>strings.exe hax0r.exe

.text
.idata
hvGz)
f?m+1
$;9C8
K(~C,
[k{XA0CI-tz
n4?z+
QIY
QP@XY
=n p>+
Q1,$]Yu
C:\temp>
——————————————————————————–

So as you can see, spotting a packaged exe is pretty easy. Now we have to figure out what
the exe is packed with. Let’s open hax0r.exe in PEiD and see what it has to say.

NOTE: This is where a screen shot would be nice but instead, I will give you simple steps to
perform.

code:——————————————————————————–
1) Open PEiD
2) Browse to the hax0r.exe file
3) Look at the bottom of the dialog box to see the packager. In our case, it shows FSG,
which is a acronym for Fast, Simple, Good. There is other info returned about the file such
as entry point, offset, first bytes, etc. These values are important but will not play heavily
in this tutorial.
——————————————————————————–

TIP: Evil mean haxors will repackage their malcode with different packers as soon as they
discover that anti virus companies have a signature out for it. It is not uncommon to see
the same malcode show up with 20 or 30 different hash values. This is done to beat AV
signatures

OK, so we now know that our hax0r.exe malcode is packed with FSG. It is useless to us
until we unpack it. This is where UnFSG comes in.

code:——————————————————————————–
1) Open UnFSG
2) Select the file to “UnFSG”
3) Tell it where to write the file.
——————————————————————————–

OK, so now we have a good unpacked copy right? Wrong. During the unpack, damage is
done to the PE headers and tables and we need to fix that before going forward. Procdump
will do this for you.

code:——————————————————————————–
1) Open procdump
2) Select the file to fix
3) Select a place to write the file.
——————————————————————————–

NOTE: There is a command line and GUI version of this tool. The commands vary slightly on
each.

OK, we now have a unpacked malcode executable that we can run. OH NO! The malcode is
password protected. What ever will I do?

TIP: Sometimes malcode is password protected so that only the C&C master can run it.
This is the case in our example. Also, some malcode is very advanced and can detect when
it’s being run in a hex editor such as OllyDBG and will crash the system. Be aware of this
because it’s not your PC or software, it’s done by design of the malcode author.

OK folks, time to break open this malcode to find the embedded password. Incidentally, the
technique I’m about to show you is close to that used when stripping license info out of
commercial software. Please don’t abuse this knowledge.

code:——————————————————————————–
1) In the OllyDBG main window, select F9 or select debug-run from the main menu.
2) The malcode executes and we see a “Enter password” prompt at the command prompt.
Since we know that “Enter password” was displayed, we can now go to the OllyDBG stack
history window and search for this term. This window is in the bottom right of the display.
3) A reference to the string was found at 0×00304052A71. Double click this value and you
be taken to this address in the main thread window.
4) Set a breakpoint (this is as much art as it is science at times) about ten lines below
which is where it will break right before the password is entered. To do this simply right
click the line and choose, set break point. It will then turn red.
5) Now, go to the command prompt and enter any old password. I’ll enter “dummy” and
press enter.
6) Press F7 a few times to step through some instructions. Keep an eye on the
Examination of registers window in the top right side of the display. Soon you will see:

EAX 0012FB6D ASCII “j00arenotl33t”
ESI 0012FB8C ASCII “dummy”
Examination of the registers have yielded the password comparison and shows that the
password to the malcode is j00arenotl33t.
——————————————————————————–

Anyway, that’s how you can easily discover passwords in any kind of password protected
application. Be aware that malcode writers do not want you to do this so they will go to
great length to keep you from unpacking their malcode.

I now turn on a free application called install watch pro. This will trace everything that the
malcode does in my environment. To use this app, install it, open it and simply start
the “record session” process. It’s a GUI tool and is VERY simple. Once you turn on the
record feature (which is simply a snapshot of the current system) you open the malcode
from within the install watch pro interface. I then records everything and exports it in
several formats for your enjoyment.

I now examine the output from install watch pro. I see several references in there that
execute netcat shell commands. BINGO.

OK, so what I see is that my malcode is a password protected NetCat shell that shovels a
terminal back to the attacker. This is a very simple example of a malcode payload. There
are many out there that obviously do much more complex things. This is for educational
purposes to get the mechanics down for performing the actual analysis.

Anyway, I hope you found this informative. Again, if feedback is good, I will do other
forensic tutorials. As always, comments good or bad are always welcome.

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within it’s Network

Code: Select all

Tiger Shark from Antionline has kindly given his permission for his tutorial to be hosted at The Taz.

Enjoy

Ahhh, vacations are wonderful things… I can read books I don’t have time for under the Jamaican sun with a Pina Colada in hand….

What follows are the notes I made while reading the book “Hacking Exposed – Computer Forensics” ISBN: 0-07-225675-3. It’s a very involved book with a heavy emphasis on the legalities of what you do during an investigation as well as the legally acceptable process and some neat tricks to help you find evidence. I thought it would be useful to some here.

Disclaimer: These are my notes on the book. They may be verbatim from the book in places because there is no opportunity to word the information better.

There are three types of investigation

Internal
Civil
Criminal: avoid if possible

Always assume criminal otherwise evidence may be worthless.

Be utterly unbiased – full disclosure.

No assumptions can be made.

The investigator is fiscally or criminally liable if the evidence is bad and the case turns civil or criminal. Call in professionals if the situation changes.

The elements of good process are:-

Cross-validation of findings: Use multiple tools to backup your findings

Proper evidence handling:
Chain of evidence – MD5 SHA1 – record who accessed the evidence, when, why and what they did. Appendix A form

Completeness of investigation:
Search in a complete manner – follow counsel’s direction on what to search for. Use a process that finds every piece of evidence.

Management of archives:
Just because a judge rules on a case doesn’t mean its closed. Records must be kept for years. A case can be lost years later because the data is now unavailable or potentially tainted

Technical competency:
Know the details of the tools you use and the details of the processes they carry out. Know their weaknesses and their strengths.

TRAP: Even with a thorough understanding of the OS, processes, technology etc. you will have to defend yourself and your knowledge at every turn as the defense asks obscure questions in order to make you look incompetent.

Explicit definition and justification of the process:
Follow a clear process that you can explain to a judge. It must be repeatable. Never be in a position to be able to be questioned about process or the accuracy of the evidence you gathered.

Legal compliance:
In the arena of the investigation comply fully with the corporate policy and the laws of the jurisdiction the investigation takes place in. Consult counsel and administration – you support them, not the other way around.

Flexibility:
Things change, especially technology. Keep up with changes and modernize your tools and process.

Process Definition:

Assessment:-

1. Determine scope and quantity of data: work with the people requesting the investigation to discover the scope and amount of data required

2. Identify data locations: Where is the data – Do you have the tools and knowledge to properly extract and preserve the data?

3. Protect and Preserve the data. This should be done as soon as possible. Alteration of data through normal business processes can be acceptable up to this point but not once the process begins.

4. Establish a chain of custody: Must begin immediately – if you wait then the investigation may prove to be flawed.

5. Preview the data: the data must not be changed. This allows for preparation for the acquisition phase. Only use forensically approved tools.

Acquisition:-

1. Identify the source media: this may not be as easy as it sounds if the media is very old.

2. Identify the destination media: try to make it identical or as close to the original as possible.

TRAP: if you have to alter the media type be careful to document the reasoning for your decision and to show that the new media did not alter data nor add anything new to the image. This is a common area where the opposing expert will try to bring your case down.

3. Select acquisition parameters: Make sure the tools you use are appropriate

4. Make the image: Metadata is required at this point to be able to validate this phase in the authentication phase.

Authentication:-

The purpose is to ensure that the image is exact. If the hashes don’t match you are wasting your time. MD5 and SHA1 or 2 are acceptable.

Analysis:-

BE COMPLETE. Look at everything – in every corner – be creative – where might data be hidden?

Articulation:-

Often the hardest part – keep it simple!!!

Archival:-

How much should you keep – for how long – and how likely is an appeal.

Software:-

“a forensic tool produces useful, reproduceable and verifiable results”

How do you verify software tools:-

Visit the Scientific Working Group on Digital Evidence, (SWGDE), at

http://ncfs.org/swgde/documents.html

Tool categories:-

Acquisition
Data Discovery
Internet History
Image Viewers
E-mail Viewers
Password cracking
Mobile device
Large storage analysis

Case Management:-

This is essential to any investigation – if you haven’t properly documented everything, stored everything or, having done so, you can’t find it then everything you did was wasted.

Acquisition from a single system:-

You may photograph everything as you find it and after you have acted on it but this is not usually necessary but for them to be admissible in court they are required to conform to certain rules laid down in law.

1. Pull the power cord. DO NOT rely on power switches – they may place the system in standby mode. Note this action in Chain of Custody Log, (CoCL).

2. Remove ALL drives from the system even if they are not currently cabled or powered. CoCL.

3. Note in the CoCL the manufacturer, model, serial number and a description of all drives removed.

4. Check the system for removable media and remove any found. CoCL. Only search surroundings IF you have the authority. Check with counsel/administration if you are unsure – get the authority in writing if you can.

5. Boot the system and note the BIOS settings in the CoCL – specifically note the system date and time in the BIOS. All files recovered should then have their date and time adjusted accordingly to determine when they were created, modified or accessed.

6. Remove any media that could not be removed with the power off and enter them in the CoCL. Remember CDs can often be removed with a paper clip in the small hole in the front of the drive.

7. Wipe the image drive: This is done to show that all data copied to it came from the source drive. The DOD has guidelines at

http://www.dss.mil/isec/chapter8.htm

.There is an unlicensed/acquisition mode of EnCase that can be used for Windows though it may not be free, (it doesn’t appear to be). If you use Linux you can use the following command:-

dd if=/dev/random of=/dev/<image drive>

8. Imaging the drive.

How ever you do this start by making a cryptographic hash to a safe location.

FAT16/32:- You require an altered boot disk in DOS to prevent alteration of the source media. There are boot disks available for download at

http://www.guidancesoftware.com/support/downloads.shtm

under the drivers section.

NTFS:- You require a hardware write blocker for Windows/EnCase because Windows will try to write system information to the drive when it detects it. Fastbloc is a well known and acceptable write blocker.

Using Linux you can issue the following command after booting and identifying the devices since Linux will not even try to determine the file system of attached devices – no write blocker is required.

dd if=/dev/<suspect drive> of=/dev/<some dir>/<imagename>

In all cases this is the point at which you make your second cryptographic hash. Be careful to write them to a safe location. Compare the hashes to ensure they match. In Linux the command is:-

md5sum /dev/<some dir>/<imagename>

9. Secure the evidence: Anti static bags, proper labeling and a secure location are all imperative here. Note everything in the CoCL.

TRAP: Sometimes imaging a drive could provide opposing counsel more information than your counsel would wish – make sure he understands what you will give him and let him decide – sometimes only the relevant files may be needed.

Remote investigation and collection:-

The privacy policy of the organization is critical here – make sure that the user(s) have had access to a well written AUP otherwise the court may uphold an invasion of privacy defense.

Remote investigation involves the actual investigation such as keyword searches and file hashing across the network and would usually precede the remote collection of evidence.

It is absolutely acceptable to retrieve an image before investigation but it is more time consuming and you may find no evidence after the image has been retrieved.

EnCase Enterprise and ProDiscover are tools that can be used for remote investigation and acquisition in a court acceptable fashion.

Frankly, since the only acceptable tools for this seem to be high cost commercial tools and there are so many pitfalls this type of operation should be left to professionals.

Notes on USB’s:-

Check HKLM/system/currentcontrolset/enum/USBSTOR to find out what kinds of device have been connected to the system.

Some USB thumb drives have a secure area and will not automatically show you all the data. Check with the manufacturer to find out if the device is a secure device and the security mechanism.

Windows System Analysis:

File systems:-

MSDOS FAT12 max size 8Mb
Win 3.1/95 FAT16 max size 4Gb
Win 98 FAT32 max size 32Gb
NT 3.5/4.0/2K/XP NTFS max size 256Tb

Floppy disks use FAT12 under normal circumstances.

Win95 introduced VFAT which allowed files to be named outside the old 8.3 format.

FAT:-

The Master Boot Record, (MBR), points to the partitions each of which have a partition table that tells the OS of the file system. If the partition table is deleted the partition remains intact.

The FAT table describes the clusters and if they are free or occupied. If occupied it describes which other clusters they are linked to. It contains no file information such as file name, size, created, (MAC), times etc.

Directory entries are stored in the same way as file entries but are noted as a special case. Directories are linked from a parent directory so the structure is not defined in the FAT but it becomes apparent as you traverse the links.

The root directory is defined when the drive is formatted, (the file system creation), and space is set aside for it. By accessing the root directory you can access files and directories linked to it. Directories hold the first cluster of files or directories linked to it and these can be recovered by following the subsequent links.

Directories are written just like files and are similarly recoverable. This is useful since you can recover a directory entry and see what files and directories were in it along with thier MAC times

The FAT always has a backup FAT so if the original is damaged the system can be investigated from the backup

NTFS:

NTFS uses a Master File Table, (MFT), to store information about the partition such as filename, attributes and MAC times to name just a few.

Information about available clusters is held in a special inode called $BITMAP where there is an entry for every cluster on the disk and its value indicates whether it is free or busy.

There is a backup of the MFT that can be used if the original is damaged. In the case of a drive that has been quick formatted the backup MFT should still be in place.

Recovering deleted files:

In FAT partitions the first character of the filename is changed to E5h or “_”. Simply replacing this with any valid character will make the file available again.

In NTFS the IN-USE flag is changed to indicate the deletion.

Windows Artifacts:

These are key points in an investigation and often point to evidence you require to complete the investigation.

Recycle Bin: when emptied the data usually ends up in unallocated space. The recoverable data may include the filename or where it was stored on the disk. Information about files placed in the recycle bin are held in INFO records which remain after the deletion, (> Win95). These records include full path, filename and time of deletion. EnCase and SMART can recover them for you but a disk level hex editor set to search for:

05 00 00 00 00 00 00 00 00 00 00 00 20 03

will find the header of each remaining INFO file – one for each deletion.

The Pagefile: The data held here is unstructured and difficult to extract. With practice you can discover the keywords that will help you find email, chat sessions, web pages etc.

Print Spools: documents that were printed from removable media can often be found in the print spool. Depending on the version of Windows the location will vary but a good start will be:

%system%/system32/spool/printers

Win9X: You will find .SPL files and a matching .SHD file. The .SPL file is an image of the print job – usually in .EMF format and can be viewed in any app. that supports it. The .SHD file includes the printer used, the filename and the path to the temporary file containing the image.

Win2K: Search for files at the disk level with the following headers:-

\x01\x00\x00\x00\x18\x17\x00 or

\x01\x00\x00\x00\xC4\x36\x00

WinXP: Search for headers:-

\x01\x00\x00\x00\x5C\x01\x00

NOTE: On NTFS filesystems there may be no evidence because NTFS can generate temporary files on the fly that are never committed to disk.

.LNK files: Every time a document is opened in Win95 and later a .LNK file is created. It contains the filename, path, (including network paths), MAC times and the MAC times for the .LNK file itself. They can be found in unallocated space by searching for:-

4C 00 00 00

This may turn up many FP’s so searches for the specific filename in either ASCII or Unicode are more efficient.

For more information on .LNK file formats see:-
http://www.i2s-lab/papers/the_windo…file_format.pdf

Determining the version of Windows:

Since there are many version specific objects in Windows it is important to know the version you are dealing with. This is done by locating the registry.

Win98: windows\system.dat
WinNT: winnt\system32\config\system
WinXP: windows\system32\config\system

Determining when the system was last shut down:

On Win2K\XP checking the last time the hive key $$$PROTO.HIV was written tells you the last shutdown time of the computer.

Determining when the user first logged on:

Check the creation date of the users directory.

Win9X: \windows\profiles

Win2K\XP: \documents and settings\<user login>

Office Document Metadata:

Much information can be gleaned from here including participants in its creation and editing. If you can recover the entire document you can load it into the appropriate Office application to view the properties. If only fragments are available you can load them into the OLE\COM Object Viewer located at:-
http://www.microsoft.com.asp

Finding the MAC address of the machine that wrote the document:

Load the Office document into a text editor and search for:-

PID_GUID

Closely following its location will be some unicode in braces, ({}), separated by dashes. The last unicode is the MAC address of the NIC that wrote the document. NOTE: Later in the book it claims that this is only available in Word 97 documents.

Which programs has a user run?:

In WinXP only when ever a user runs a program a program called User Assist captures the event. User Assist cannot be turned off – Bonus!! User Assist records are encrypted… In ROT13. The User Assist records are found in the registry at:

HKCU\software\microsoft\windows\currentversion\exp
lorer\userassist

There are two subkeys. Within them are all the programs a user has executed and all the web pages a user has visited.

To recover User Assist entries from unallocated space search for HKZR_ which is fixed in each record.

A ROT13 decoder is available at:
http://tools.geht.net/rot13.html

Anti Forensic Technologies:

Obscurity Method:

This entails renaming a file or changing its extension to mask its true nature.

The Unix FILE command uses file signaturing to determine the true nature of the file regardless of its name or extension.

Encoding Methods:

This is where a file contents are altered to hide the contents, (encrypted). It can be hard to determine the encryption method but in Windows do not rule out ROT13.

Compression Method:

this involves compressing the data for storage or transmission. Export the file from the image and try the standard compression engines for the OS.

NTFS Alternate Data Streams:

This hides the file entirely behind another file – tools such as LADS can show the existence of the alternate streams.

Slack Space:

This is the space in a re-used data sector that did not get overwritten because the new data written was smaller than the old data written to the data sector. Accurately and efficiently locating slack space is nearly impossible without professional forensic tools.

Defeating Encryption:

Surprisingly the easiest way is to ask the subject for the key(s) and encryption method. If they will not give it and a court is involved ask the court to demand it. Failure to provide it to the court usually will result in a contempt of court charge and is the way law enforcement usually deals with encryption.

Steganography:

This is quite new and very difficult to locate. Usually your clue is found elsewhere in the form of a steganography tool installed on a machine. For .JPEG files there is an open source program at:-
http://www.outguess.org.php

Wiping:

If done correctly there isnt much to be done. It may be easy to show wiping took place but the data may not be retrievable without considerable resources. This is commonly known as secure deletion.

You may find elements of a wiped file in:-

Pagefile
MFT or FAT table
NTFS journal
Slack space
Backups of the system

the same locations apply for wiped slack space, unallocated space, etc.

Acquiring RAID systems:

You need to note the original sequence of the drives in the bays.

RAID 1 isn’t so difficult to reproduce but the higher RAIDs can be more difficult. Under Linux the command:-

mount -o loop,ro /path/to/image /path/to/where/to/mount

where -o is the local loopback and ro is for Read Only will supply you with a read only RAID array if you can get it to mount. Then you can use the raidtools program in Linux to build the array without changing it.

NAS and SANS are too difficult!!!

Tapes:

Suck – there are so many formats and so much proprietary software to write them that change so quickly that they are a pain.

In Windows you need to install Cygwin. Once installed you can issue the following command because the Windows driver’s automatically recognize the block sizes and any other tape level settings:

dd if=/dev/st0 | less

Then:-

dd if=/dev/st0 > tape0

will copy the tapes data out to a file called tape0. NOT SURE – book is unclear – check this!!!

TRAP – AGAIN? too much data – be careful – consult counsel – you could lose the case by having too much data!

Email Analysis:

Outlook:

There are 9 file types associated with outlook:

1. .PST is the data file found in \documents and settings\<user>\local settings\application data\microsoft\outlook

2. .OST are offline files found in
\documents and settings\<user>\local settings\application data\microsoft\outlook

3. .PAB is the personal address book found in
\documents and settings\<user>\local settings\application data\microsoft\outlook

4. .OAB is the offline address book found in
\documents and settings\<user>\local settings\application data\microsoft\outlook

5. .NK2 are contacts nicknames found in
\documents and settings\<user>\local settings\application data\microsoft\outlook

6. .RWZ are rules files found in
\documents and settings\<user>\local settings\application data\microsoft\outlook – lf the import or export function has been used the default location is
\documents and settings\<user>\my documents

7. .RTF, .TXT, .HTM are the signature files found in
\documents and settings\<user>\application data\microsoft\signatures

8. .DIC are dictionary files found in
\documents and settings\<user>\application data\microsoft\proof

9. .MSG, .HTM, .RTF are saved messages found in
\documents and settings\<user>\my documents

While there are several tools available to analyze Outlook files it can be done quite well with a new installation of Outlook.

Outlook Express:

Outlook Express uses .DBX files located in the following locations:-

Win2K\XP\2K3: \documents and settings\<user>\local settings\application data\identities\<unique string>\microsoft\outlook express

WinNT: winnt\profiles\<user>\local settings\application data\identities\<unique string>\microsoft\outlook express

Win9X\ME: \windows\application data\identities\<unique string\microsoft\outlook express

These files can be imported into Outlook Express for analysis.

Mozilla and Netscape:

The files for these programs are held in a single directory. The files are similar to Unix email and are held as .TXT files and can be analyzed in several ways.

America Online:

Mail can be held either on the computer or AOL’s server. The file format is proprietary and only a few tools can read the .PFC files.

http://www.hotpepperinc.com/emd.html

is $120 for a single user and is able to analyze these files.

Web Based email:

You have two choices – subpoena the ISP or reconstruct the data from the drive. For reconstruction:-

Yahoo:

Search for showfolder, showletter, compose and attachments. There will be a second compose file created when the email is sent – search for:

input type=hidden name=<field name> value=

the data immediately after will be the addressing information etc.

The body of the email can be found immediately after:

input type=hidden name=body value=

Yahoo files are unencoded and can be easily read but opening them in a browser may not render all fields visible.

Hotmail:

Search for hotmail, doaddress, getmsg, compose and calendar.

Hushmail:

This is becoming more popular as a desire for privacy increases. Fortunately, users dont understand that Hushmail only promises security on the server and in transit not on the client thus the data can be found by searching for:

hushappletframe.message.<e-mail field>

Tracking User Activity:

Office Documents:-

Documents sent by email for review have a wealth of information both in its properties under File – Properties – Custom or held in .RCD files, (either adhoc.rcd or review.rcd), in the users documents and settings folder under \application data\microsoft\office.

Recovering undo information:

If a document is saved with quicksave turned on then it is quite possible that any undo information will remain within the document which will be easily visible in a hex editor. You may be able to recover multiple changes that go back some way.

Past Filenames:

Older office documents keep every filename the file was ever saved as which can point to network drives or removable media the suspect used. The filenames are held in unicode and using Strings from SysInternals with the -u option will find them for you.

Office documents can be very valuable if you look beyond that which is obvious though it is important to remember that this evidence is non-authoritative and should only be used to corroborate other evidence or to help find new evidence.

Tracking Internet Use:

Internet Explorer:

It is far from easy for a user to hide their activity in IE. While all the data is available for the investigator in the form of multiple index.dat files it is important to understand how IE stores this information should you ever find yourself in a courtroom.

There are two command line tools that can assist in the process of tracking the user in IE. Both are available from Foundstone. The first is Pasco which parses index.dat files and the second is Galleta which can parse cookies.

In WinXP\2K data will be found under the users folder under documents and settings.

\Cookies\index.dat is the audit trail for all cookies installed on the system in the users context.

\local settings\history\history.IE5\index.dat is the browser history for the last calendar day

\local settings\history\history.IE5\MSHistXXXXXXXXX\index.dat is where the daily history rolls over to as each day passes

\local settings\temporary internet files\content.IE5\index.dat is where the information for the location of supporting files such as images etc. is held – look here to try to reconstruct web pages.

\userdata\index.dat keeps information on automatic accesses to the internet such as automatic updates.

In earlier versions it is best found by searching for all the index.dat files.

IE History:

In order to make the history function work windows has to keep this data somewhere. Under the History.IE5 folder you will find several folders with names such as:-

MSHist012004010120040107

If you remove the MSHistXX what remains is two dates that corresponding to one week periods prior to todays date. In each of these folders is an index.dat file that can be analyzed with Pasco.

Pasco’s output on a History file would consist of:-

TYPE: the type of request made – this will usually be URL for GET request.

URL: the actual url requested

MODIFIED TIME: the time the page was loaded into history

ACCESS TIME: the time the history entry was last accessed.

FILENAME: this is used if redirection occurred and will show URL if a url is requested

DIRECTORY: same as FILENAME but for directory – blank on a url request.

HTTP HEADERS: holds any headers such as form data for POST requests. Blank for url requests.

Getting information from cookies:

Use Pasco on the index.dat file in the users \cookies folder to see the details of all the cookies. Notice that the FILENAME parameter is now displaying the name of the cookie. Sometimes you need to look more deeply into a cookie. This is where Galleta comes in. Its output fields are as follows:-

SITE: name and url of where the cookie came from.

VARIABLE: the name of the variable stored in the cookie.

VALUE: the value of the variable

CREATION TIME: the time the cookie was created – the time the web site was visited.

EXPIRE TIME: when the cookies date expires. If a site retrieves a “stale” cookie it will create a new one.

FLAGS: enumerates the flags set in the cookie – see RFC for more information on cookie flags.

Recreation from the cache:

The process is the same here… Convert the index.dat into a readable format, find the interesting entries and use the data to reconstruct the pages.

From here the book goes deeply into PDA’s and Cell Phones using proprietary software and then into the legal stuff which is long, boring and not appropriate for this location.