TheTAZZone - Internet Chaos

Tutorial – Forensic Process and Tricks


Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within it’s Network

Code: Select all
Tiger Shark from Antionline has kindly given his permission for his tutorial to be hosted at The Taz.Enjoy

Ahhh, vacations are wonderful things… I can read books I don’t have time for under the Jamaican sun with a Pina Colada in hand….

What follows are the notes I made while reading the book “Hacking Exposed – Computer Forensics” ISBN: 0-07-225675-3. It’s a very involved book with a heavy emphasis on the legalities of what you do during an investigation as well as the legally acceptable process and some neat tricks to help you find evidence. I thought it would be useful to some here.

Disclaimer: These are my notes on the book. They may be verbatim from the book in places because there is no opportunity to word the information better.

There are three types of investigation

Criminal: avoid if possible

Always assume criminal otherwise evidence may be worthless.

Be utterly unbiased – full disclosure.

No assumptions can be made.

The investigator is fiscally or criminally liable if the evidence is bad and the case turns civil or criminal. Call in professionals if the situation changes.

The elements of good process are:-

Cross-validation of findings: Use multiple tools to backup your findings

Proper evidence handling:
Chain of evidence – MD5 SHA1 – record who accessed the evidence, when, why and what they did. Appendix A form

Completeness of investigation:
Search in a complete manner – follow counsel’s direction on what to search for. Use a process that finds every piece of evidence.

Management of archives:
Just because a judge rules on a case doesn’t mean its closed. Records must be kept for years. A case can be lost years later because the data is now unavailable or potentially tainted

Technical competency:
Know the details of the tools you use and the details of the processes they carry out. Know their weaknesses and their strengths.

TRAP: Even with a thorough understanding of the OS, processes, technology etc. you will have to defend yourself and your knowledge at every turn as the defense asks obscure questions in order to make you look incompetent.

Explicit definition and justification of the process:
Follow a clear process that you can explain to a judge. It must be repeatable. Never be in a position to be able to be questioned about process or the accuracy of the evidence you gathered.

Legal compliance:
In the arena of the investigation comply fully with the corporate policy and the laws of the jurisdiction the investigation takes place in. Consult counsel and administration – you support them, not the other way around.

Things change, especially technology. Keep up with changes and modernize your tools and process.

Process Definition:


1. Determine scope and quantity of data: work with the people requesting the investigation to discover the scope and amount of data required

2. Identify data locations: Where is the data – Do you have the tools and knowledge to properly extract and preserve the data?

3. Protect and Preserve the data. This should be done as soon as possible. Alteration of data through normal business processes can be acceptable up to this point but not once the process begins.

4. Establish a chain of custody: Must begin immediately – if you wait then the investigation may prove to be flawed.

5. Preview the data: the data must not be changed. This allows for preparation for the acquisition phase. Only use forensically approved tools.


1. Identify the source media: this may not be as easy as it sounds if the media is very old.

2. Identify the destination media: try to make it identical or as close to the original as possible.

TRAP: if you have to alter the media type be careful to document the reasoning for your decision and to show that the new media did not alter data nor add anything new to the image. This is a common area where the opposing expert will try to bring your case down.

3. Select acquisition parameters: Make sure the tools you use are appropriate

4. Make the image: Metadata is required at this point to be able to validate this phase in the authentication phase.


The purpose is to ensure that the image is exact. If the hashes don’t match you are wasting your time. MD5 and SHA1 or 2 are acceptable.


BE COMPLETE. Look at everything – in every corner – be creative – where might data be hidden?


Often the hardest part – keep it simple!!!


How much should you keep – for how long – and how likely is an appeal.


“a forensic tool produces useful, reproduceable and verifiable results”

How do you verify software tools:-

Visit the Scientific Working Group on Digital Evidence, (SWGDE), at


Tool categories:-

Data Discovery
Internet History
Image Viewers
E-mail Viewers
Password cracking
Mobile device
Large storage analysis

Case Management:-

This is essential to any investigation – if you haven’t properly documented everything, stored everything or, having done so, you can’t find it then everything you did was wasted.

Acquisition from a single system:-

You may photograph everything as you find it and after you have acted on it but this is not usually necessary but for them to be admissible in court they are required to conform to certain rules laid down in law.

1. Pull the power cord. DO NOT rely on power switches – they may place the system in standby mode. Note this action in Chain of Custody Log, (CoCL).

2. Remove ALL drives from the system even if they are not currently cabled or powered. CoCL.

3. Note in the CoCL the manufacturer, model, serial number and a description of all drives removed.

4. Check the system for removable media and remove any found. CoCL. Only search surroundings IF you have the authority. Check with counsel/administration if you are unsure – get the authority in writing if you can.

5. Boot the system and note the BIOS settings in the CoCL – specifically note the system date and time in the BIOS. All files recovered should then have their date and time adjusted accordingly to determine when they were created, modified or accessed.

6. Remove any media that could not be removed with the power off and enter them in the CoCL. Remember CDs can often be removed with a paper clip in the small hole in the front of the drive.

7. Wipe the image drive: This is done to show that all data copied to it came from the source drive. The DOD has guidelines at

.There is an unlicensed/acquisition mode of EnCase that can be used for Windows though it may not be free, (it doesn’t appear to be). If you use Linux you can use the following command:-

dd if=/dev/random of=/dev/<image drive>

8. Imaging the drive.

How ever you do this start by making a cryptographic hash to a safe location.

FAT16/32:- You require an altered boot disk in DOS to prevent alteration of the source media. There are boot disks available for download at

under the drivers section.

NTFS:- You require a hardware write blocker for Windows/EnCase because Windows will try to write system information to the drive when it detects it. Fastbloc is a well known and acceptable write blocker.

Using Linux you can issue the following command after booting and identifying the devices since Linux will not even try to determine the file system of attached devices – no write blocker is required.

dd if=/dev/<suspect drive> of=/dev/<some dir>/<imagename>

In all cases this is the point at which you make your second cryptographic hash. Be careful to write them to a safe location. Compare the hashes to ensure they match. In Linux the command is:-

md5sum /dev/<some dir>/<imagename>

9. Secure the evidence: Anti static bags, proper labeling and a secure location are all imperative here. Note everything in the CoCL.

TRAP: Sometimes imaging a drive could provide opposing counsel more information than your counsel would wish – make sure he understands what you will give him and let him decide – sometimes only the relevant files may be needed.

Remote investigation and collection:-

The privacy policy of the organization is critical here – make sure that the user(s) have had access to a well written AUP otherwise the court may uphold an invasion of privacy defense.

Remote investigation involves the actual investigation such as keyword searches and file hashing across the network and would usually precede the remote collection of evidence.

It is absolutely acceptable to retrieve an image before investigation but it is more time consuming and you may find no evidence after the image has been retrieved.

EnCase Enterprise and ProDiscover are tools that can be used for remote investigation and acquisition in a court acceptable fashion.

Frankly, since the only acceptable tools for this seem to be high cost commercial tools and there are so many pitfalls this type of operation should be left to professionals.

Notes on USB’s:-

Check HKLM/system/currentcontrolset/enum/USBSTOR to find out what kinds of device have been connected to the system.

Some USB thumb drives have a secure area and will not automatically show you all the data. Check with the manufacturer to find out if the device is a secure device and the security mechanism.

Windows System Analysis:

File systems:-

MSDOS FAT12 max size 8Mb
Win 3.1/95 FAT16 max size 4Gb
Win 98 FAT32 max size 32Gb
NT 3.5/4.0/2K/XP NTFS max size 256Tb

Floppy disks use FAT12 under normal circumstances.

Win95 introduced VFAT which allowed files to be named outside the old 8.3 format.


The Master Boot Record, (MBR), points to the partitions each of which have a partition table that tells the OS of the file system. If the partition table is deleted the partition remains intact.

The FAT table describes the clusters and if they are free or occupied. If occupied it describes which other clusters they are linked to. It contains no file information such as file name, size, created, (MAC), times etc.

Directory entries are stored in the same way as file entries but are noted as a special case. Directories are linked from a parent directory so the structure is not defined in the FAT but it becomes apparent as you traverse the links.

The root directory is defined when the drive is formatted, (the file system creation), and space is set aside for it. By accessing the root directory you can access files and directories linked to it. Directories hold the first cluster of files or directories linked to it and these can be recovered by following the subsequent links.

Directories are written just like files and are similarly recoverable. This is useful since you can recover a directory entry and see what files and directories were in it along with thier MAC times

The FAT always has a backup FAT so if the original is damaged the system can be investigated from the backup


NTFS uses a Master File Table, (MFT), to store information about the partition such as filename, attributes and MAC times to name just a few.

Information about available clusters is held in a special inode called $BITMAP where there is an entry for every cluster on the disk and its value indicates whether it is free or busy.

There is a backup of the MFT that can be used if the original is damaged. In the case of a drive that has been quick formatted the backup MFT should still be in place.

Recovering deleted files:

In FAT partitions the first character of the filename is changed to E5h or “_”. Simply replacing this with any valid character will make the file available again.

In NTFS the IN-USE flag is changed to indicate the deletion.

Windows Artifacts:

These are key points in an investigation and often point to evidence you require to complete the investigation.

Recycle Bin: when emptied the data usually ends up in unallocated space. The recoverable data may include the filename or where it was stored on the disk. Information about files placed in the recycle bin are held in INFO records which remain after the deletion, (> Win95). These records include full path, filename and time of deletion. EnCase and SMART can recover them for you but a disk level hex editor set to search for:

05 00 00 00 00 00 00 00 00 00 00 00 20 03

will find the header of each remaining INFO file – one for each deletion.

The Pagefile: The data held here is unstructured and difficult to extract. With practice you can discover the keywords that will help you find email, chat sessions, web pages etc.

Print Spools: documents that were printed from removable media can often be found in the print spool. Depending on the version of Windows the location will vary but a good start will be:


Win9X: You will find .SPL files and a matching .SHD file. The .SPL file is an image of the print job – usually in .EMF format and can be viewed in any app. that supports it. The .SHD file includes the printer used, the filename and the path to the temporary file containing the image.

Win2K: Search for files at the disk level with the following headers:-

\x01\x00\x00\x00\x18\x17\x00 or


WinXP: Search for headers:-


NOTE: On NTFS filesystems there may be no evidence because NTFS can generate temporary files on the fly that are never committed to disk.

.LNK files: Every time a document is opened in Win95 and later a .LNK file is created. It contains the filename, path, (including network paths), MAC times and the MAC times for the .LNK file itself. They can be found in unallocated space by searching for:-

4C 00 00 00

This may turn up many FP’s so searches for the specific filename in either ASCII or Unicode are more efficient.

For more information on .LNK file formats see:-


Determining the version of Windows:

Since there are many version specific objects in Windows it is important to know the version you are dealing with. This is done by locating the registry.

Win98: windows\system.dat
WinNT: winnt\system32\config\system
WinXP: windows\system32\config\system

Determining when the system was last shut down:

On Win2K\XP checking the last time the hive key $$$PROTO.HIV was written tells you the last shutdown time of the computer.

Determining when the user first logged on:

Check the creation date of the users directory.

Win9X: \windows\profiles

Win2K\XP: \documents and settings\<user login>

Office Document Metadata:

Much information can be gleaned from here including participants in its creation and editing. If you can recover the entire document you can load it into the appropriate Office application to view the properties. If only fragments are available you can load them into the OLE\COM Object Viewer located at:-


Finding the MAC address of the machine that wrote the document:

Load the Office document into a text editor and search for:-


Closely following its location will be some unicode in braces, ({}), separated by dashes. The last unicode is the MAC address of the NIC that wrote the document. NOTE: Later in the book it claims that this is only available in Word 97 documents.

Which programs has a user run?:

In WinXP only when ever a user runs a program a program called User Assist captures the event. User Assist cannot be turned off – Bonus!! User Assist records are encrypted… In ROT13. The User Assist records are found in the registry at:


There are two subkeys. Within them are all the programs a user has executed and all the web pages a user has visited.

To recover User Assist entries from unallocated space search for HKZR_ which is fixed in each record.

A ROT13 decoder is available at:


Anti Forensic Technologies:

Obscurity Method:

This entails renaming a file or changing its extension to mask its true nature.

The Unix FILE command uses file signaturing to determine the true nature of the file regardless of its name or extension.

Encoding Methods:

This is where a file contents are altered to hide the contents, (encrypted). It can be hard to determine the encryption method but in Windows do not rule out ROT13.

Compression Method:

this involves compressing the data for storage or transmission. Export the file from the image and try the standard compression engines for the OS.

NTFS Alternate Data Streams:

This hides the file entirely behind another file – tools such as LADS can show the existence of the alternate streams.

Slack Space:

This is the space in a re-used data sector that did not get overwritten because the new data written was smaller than the old data written to the data sector. Accurately and efficiently locating slack space is nearly impossible without professional forensic tools.

Defeating Encryption:

Surprisingly the easiest way is to ask the subject for the key(s) and encryption method. If they will not give it and a court is involved ask the court to demand it. Failure to provide it to the court usually will result in a contempt of court charge and is the way law enforcement usually deals with encryption.


This is quite new and very difficult to locate. Usually your clue is found elsewhere in the form of a steganography tool installed on a machine. For .JPEG files there is an open source program at:-



If done correctly there isnt much to be done. It may be easy to show wiping took place but the data may not be retrievable without considerable resources. This is commonly known as secure deletion.

You may find elements of a wiped file in:-

MFT or FAT table
NTFS journal
Slack space
Backups of the system

the same locations apply for wiped slack space, unallocated space, etc.

Acquiring RAID systems:

You need to note the original sequence of the drives in the bays.

RAID 1 isn’t so difficult to reproduce but the higher RAIDs can be more difficult. Under Linux the command:-

mount -o loop,ro /path/to/image /path/to/where/to/mount

where -o is the local loopback and ro is for Read Only will supply you with a read only RAID array if you can get it to mount. Then you can use the raidtools program in Linux to build the array without changing it.

NAS and SANS are too difficult!!!


Suck – there are so many formats and so much proprietary software to write them that change so quickly that they are a pain.

In Windows you need to install Cygwin. Once installed you can issue the following command because the Windows driver’s automatically recognize the block sizes and any other tape level settings:

dd if=/dev/st0 | less


dd if=/dev/st0 > tape0

will copy the tapes data out to a file called tape0. NOT SURE – book is unclear – check this!!!

TRAP – AGAIN? too much data – be careful – consult counsel – you could lose the case by having too much data!

Email Analysis:


There are 9 file types associated with outlook:

1. .PST is the data file found in \documents and settings\<user>\local settings\application data\microsoft\outlook

2. .OST are offline files found in
\documents and settings\<user>\local settings\application data\microsoft\outlook

3. .PAB is the personal address book found in
\documents and settings\<user>\local settings\application data\microsoft\outlook

4. .OAB is the offline address book found in
\documents and settings\<user>\local settings\application data\microsoft\outlook

5. .NK2 are contacts nicknames found in
\documents and settings\<user>\local settings\application data\microsoft\outlook

6. .RWZ are rules files found in
\documents and settings\<user>\local settings\application data\microsoft\outlook – lf the import or export function has been used the default location is
\documents and settings\<user>\my documents

7. .RTF, .TXT, .HTM are the signature files found in
\documents and settings\<user>\application data\microsoft\signatures

8. .DIC are dictionary files found in
\documents and settings\<user>\application data\microsoft\proof

9. .MSG, .HTM, .RTF are saved messages found in
\documents and settings\<user>\my documents

While there are several tools available to analyze Outlook files it can be done quite well with a new installation of Outlook.

Outlook Express:

Outlook Express uses .DBX files located in the following locations:-

Win2K\XP\2K3: \documents and settings\<user>\local settings\application data\identities\<unique string>\microsoft\outlook express

WinNT: winnt\profiles\<user>\local settings\application data\identities\<unique string>\microsoft\outlook express

Win9X\ME: \windows\application data\identities\<unique string\microsoft\outlook express

These files can be imported into Outlook Express for analysis.

Mozilla and Netscape:

The files for these programs are held in a single directory. The files are similar to Unix email and are held as .TXT files and can be analyzed in several ways.

America Online:

Mail can be held either on the computer or AOL’s server. The file format is proprietary and only a few tools can read the .PFC files.

is $120 for a single user and is able to analyze these files.

Web Based email:

You have two choices – subpoena the ISP or reconstruct the data from the drive. For reconstruction:-


Search for showfolder, showletter, compose and attachments. There will be a second compose file created when the email is sent – search for:

input type=hidden name=<field name> value=

the data immediately after will be the addressing information etc.

The body of the email can be found immediately after:

input type=hidden name=body value=

Yahoo files are unencoded and can be easily read but opening them in a browser may not render all fields visible.


Search for hotmail, doaddress, getmsg, compose and calendar.


This is becoming more popular as a desire for privacy increases. Fortunately, users dont understand that Hushmail only promises security on the server and in transit not on the client thus the data can be found by searching for:

hushappletframe.message.<e-mail field>

Tracking User Activity:

Office Documents:-

Documents sent by email for review have a wealth of information both in its properties under File – Properties – Custom or held in .RCD files, (either adhoc.rcd or review.rcd), in the users documents and settings folder under \application data\microsoft\office.

Recovering undo information:

If a document is saved with quicksave turned on then it is quite possible that any undo information will remain within the document which will be easily visible in a hex editor. You may be able to recover multiple changes that go back some way.

Past Filenames:

Older office documents keep every filename the file was ever saved as which can point to network drives or removable media the suspect used. The filenames are held in unicode and using Strings from SysInternals with the -u option will find them for you.

Office documents can be very valuable if you look beyond that which is obvious though it is important to remember that this evidence is non-authoritative and should only be used to corroborate other evidence or to help find new evidence.

Tracking Internet Use:

Internet Explorer:

It is far from easy for a user to hide their activity in IE. While all the data is available for the investigator in the form of multiple index.dat files it is important to understand how IE stores this information should you ever find yourself in a courtroom.

There are two command line tools that can assist in the process of tracking the user in IE. Both are available from Foundstone. The first is Pasco which parses index.dat files and the second is Galleta which can parse cookies.

In WinXP\2K data will be found under the users folder under documents and settings.

\Cookies\index.dat is the audit trail for all cookies installed on the system in the users context.

\local settings\history\history.IE5\index.dat is the browser history for the last calendar day

\local settings\history\history.IE5\MSHistXXXXXXXXX\index.dat is where the daily history rolls over to as each day passes

\local settings\temporary internet files\content.IE5\index.dat is where the information for the location of supporting files such as images etc. is held – look here to try to reconstruct web pages.

\userdata\index.dat keeps information on automatic accesses to the internet such as automatic updates.

In earlier versions it is best found by searching for all the index.dat files.

IE History:

In order to make the history function work windows has to keep this data somewhere. Under the History.IE5 folder you will find several folders with names such as:-


If you remove the MSHistXX what remains is two dates that corresponding to one week periods prior to todays date. In each of these folders is an index.dat file that can be analyzed with Pasco.

Pasco’s output on a History file would consist of:-

TYPE: the type of request made – this will usually be URL for GET request.

URL: the actual url requested

MODIFIED TIME: the time the page was loaded into history

ACCESS TIME: the time the history entry was last accessed.

FILENAME: this is used if redirection occurred and will show URL if a url is requested

DIRECTORY: same as FILENAME but for directory – blank on a url request.

HTTP HEADERS: holds any headers such as form data for POST requests. Blank for url requests.

Getting information from cookies:

Use Pasco on the index.dat file in the users \cookies folder to see the details of all the cookies. Notice that the FILENAME parameter is now displaying the name of the cookie. Sometimes you need to look more deeply into a cookie. This is where Galleta comes in. Its output fields are as follows:-

SITE: name and url of where the cookie came from.

VARIABLE: the name of the variable stored in the cookie.

VALUE: the value of the variable

CREATION TIME: the time the cookie was created – the time the web site was visited.

EXPIRE TIME: when the cookies date expires. If a site retrieves a “stale” cookie it will create a new one.

FLAGS: enumerates the flags set in the cookie – see RFC for more information on cookie flags.

Recreation from the cache:

The process is the same here… Convert the index.dat into a readable format, find the interesting entries and use the data to reconstruct the pages.

From here the book goes deeply into PDA’s and Cell Phones using proprietary software and then into the legal stuff which is long, boring and not appropriate for this location.

2 Responses to Tutorial – Forensic Process and Tricks

  1. admin March 17, 2010 at 7:24 pm

    Well they’ve definitely helped popularize the computer.

  2. Lisa March 10, 2010 at 3:41 am

    Give Microsoft a break! They’re awesome and make great products.

Leave a Reply

Your email address will not be published. Required fields are marked *


If you'd like to advertise on The Mutt ( aka ) feel free to contact us at: administration[at]

TheTAZZone is a non-commercial entity. We do not sell any products or services ourselves. Our revenue comes from advertising and donations only.

We appreciate your support! Your advertising revenue ( or donations ) helps us to continue to upgrade, improve, and offset the costs of maintaining this site.

Donations can be made through the page ' Donate '.