Structure of Case File
  Case # (one top-level folder per case)
    Case files
    Image: dd image, hash code
    Case index: FTK
    Report: doc, recovered files, e-mails, photos, etc.
Forensic Work Station
  Clean install of the OS, of all apps, and of all forensic packages.
  Keep all evidence and case-related info on an external clean hard drive.
  After the case is "completed", physically archive the external hard drive and wipe the operational hard drive.
HD Data Acquisition: Imaging the Hard Drive
  1. Acquisition layers
  2. Write blockers
  3. Media preparation
  4. Imaging
  5. Integrity hashes
Imaging Digital Media
  Hash the media.
  Make an exact copy of the media: everything, including read errors and deleted data.
  Hash the image.
  Prove it is an exact copy: compare with the hash of the original (MD5, SHA-1, SHA-256).
  Caveat: MD5 and SHA-1 have published collision attacks. A matching digest still shows the image is unchanged, but record SHA-256 alongside them (or instead) so the integrity claim does not rest on a broken algorithm alone.
Acquisition Layers
  Device: physical layer
  Partition: logical layer
  File: logical layer
Always acquire data at the lowest possible layer: acquire every sector on the disk. Your tools can abstract the raw data at any higher layer afterwards, but nothing can recover sectors you never acquired.
Acquisition Tools
  1. Know what your tools do
  2. Test them
  3. Validate them: test plan, test report
  NIST CFTT disk imaging reports: http://www.cftt.nist.gov/disk_imaging.htm
  NIJ publications: http://nij.ncjrs.gov/publications/Pub_search.asp?category=99&searchtype=basic&location=top&PSID=55&sort=date#nijpubs
Write Blockers
  The acquisition must not touch the suspect media: the evidence cannot be altered, and it is important to verify that the blocker actually blocks.
  Test, test, test: hardware and software blockers alike.
  Always use hardware. Be careful to distinguish a read-only blocker from a read/write bridge: check which mode the unit is in before the suspect drive is connected.
Write Blockers
  1. Hardware
     1. Paraben: $249.95 - $2000
     2. Tableau: $249.95 - $2000
  2. Software: modifies the interrupt table (hooks the disk-service interrupt so write calls never reach the drive)
  3. NIST reports: http://www.cftt.nist.gov/software_write_block.htm
Write Blocker (Tableau T35e)
  Diagram labels: on/off switch; IDE device; SATA cable.
  Inputs: IDE, SATA
  Outputs: USB, FireWire
Case Storage Media Preparation
  External hard drive storage.
  Zero all sectors, then verify: the 32-bit checksum (32-bit sum with the carry bit added back) must equal 0. Use WinHex.
  Caveat: a checksum of 0 is necessary but not sufficient for an all-zero drive (other contents can also sum to 0); a byte-for-byte check that every sector reads as zero is the stronger test.
  Partition; format NTFS.
Particulars
  Start up the Helix live CD.
  Zero the drive:        dd if=/dev/zero of=/dev/sdb
  Partition the drive:   fdisk /dev/sdb   (etc.)
  Format the partition:  mkntfs /dev/sdb1
  The slide shows mkntfs /dev/sdb; that would write the filesystem over the partition table just created, so format the partition (/dev/sdb1), not the whole disk. Confirm with fdisk -l that /dev/sdb really is the new storage drive before running the dd: there is no undo.
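The zeroing and verification steps above, as an added example that is not part of the original slides. A constructed temporary file stands in for the storage drive so it runs offline; on a real drive the target would be the block device (the slide's /dev/sdb) and the commands need root. The byte-for-byte check replaces the 32-bit checksum test with a stronger one.

```shell
#!/bin/sh
# Added example, not from the original slides: zero a storage target with dd and
# then verify that every byte reads back as zero before the drive is trusted as
# case storage. A constructed temporary file stands in for the drive so this
# runs offline; on a real drive the target would be the block device (the
# slide's /dev/sdb) and the commands need root.

# Overwrite the first $2 bytes of $1 with zeros ($2 must be a multiple of 4096).
zero_target() {
    dd if=/dev/zero of="$1" bs=4096 count=$(( $2 / 4096 )) conv=notrunc 2>/dev/null
}

# Exit status 0 only if no non-zero byte occurs in the first $2 bytes of $1.
# od -v prints every byte (no "*" folding of repeated lines); after stripping
# whitespace, any hex digit other than 0 means the wipe is incomplete. This is
# stronger than the slide's 32-bit checksum == 0 test, which the right mix of
# non-zero words could also pass.
verify_zeroed() {
    if head -c "$2" "$1" | od -A n -v -t x1 | tr -d ' \t\n' | grep -q '[^0]'; then
        return 1
    fi
    return 0
}

# Demonstration on a constructed 1 MiB file that starts out full of random data.
target=$(mktemp)
dd if=/dev/urandom of="$target" bs=4096 count=256 2>/dev/null
verify_zeroed "$target" 1048576 || echo "before wipe: non-zero data present"
zero_target "$target" 1048576
verify_zeroed "$target" 1048576 && echo "after wipe: all 1048576 bytes are zero"
rm -f "$target"
```

On a real drive, size the check to the device's full capacity rather than the partition you intend to create, since the goal is to show nothing from a previous case survives anywhere on the media.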
Reading the Source
  1. Read the device directly (extended INT 13h).
  2. Use the BIOS (INT 13h): it may lie about the size. Compare the sector count the BIOS reports against the drive's native capacity; a host protected area (HPA) or device configuration overlay (DCO) can likewise hide sectors from the reported size.
  3. Dead vs live acquisition.
  4. Error handling: logging, bad blocks.
Imaging Apps
  FTK Imager (bootable memory stick)
  EnCase
  WinHex
  Open source: dd (Windows port by Garner; Linux, e.g. on the Helix live CD)
  dcfldd (Defense Computer Forensics Lab) and dc3dd (DoD Cyber Crime Center)
Output Format of Image
  1. Separate drive
     1. A single file: ease of use
     2. Multiple files (segments): facilitates archiving on DVDs (160 GB ~ 27 DVDs)
  2. Raw or custom: a raw dd image can be interpreted by everything; EnCase's format has embedded information
  3. Hash codes and errors
     1. Interlaced: EnCase saves them inside its proprietary format
     2. Separate file: dcfldd saves hashes in a separate file (hashlog=)
     3. Nothing: dd saves no hash at all; you calculate an MD5 hash separately and keep it with the case
Image Formats
  dd: raw bit-for-bit copy (.001)
  E01: EnCase format; includes file description, hashes, etc. (.e01); uses zlib compression
  AD1: AccessData custom content (logical) image
  S01: SMART (Linux) format
dd
  Standard on all Linux distros.
  Windows: http://gmgsystemsinc.com/fau/
    Create a directory at root level: C:\bin
    Add that path to your PATH environment variable: Control Panel > System Properties > Environment Variables > System variables > Path > Edit, append C:\bin
    Add Sysinternals to the same directory.
Using dd
  Unix command structure; included with all Unix/Linux/BSD distros.
  Windows versions are available: http://unxutils.sourceforge.net/ and http://www.gmgsystemsinc.com/fau/
  # dd if=<input> of=<output> [options]
  # dd if=suspect.drive of=E:\Case\image\captured
  (The leading # is the root prompt, not part of the command.)
Input Sources
  Linux
    /dev/hda – first IDE/ATA (ATAPI) device
    /dev/sda – first SCSI device (on current kernels also SATA and USB disks)
    /dev/fd0 – floppy
    /dev/mem – RAM
  Windows
    \\.\PhysicalDrive0 – first physical disk (IDE bus 0 master); the slide's "\\.\PhysicalDevice0" is a typo
    \\.\PhysicalMemory – RAM (user-mode access to this object was removed in Windows Server 2003 SP1 and Vista and later)
Output Destinations
  Windows: F:\Images\Case-08001
  Linux, onto another internal drive: /dev/hdb1 – saved onto a partition of the slave drive on the first IDE channel
  Usually an external USB hard drive is mounted: /media/FlashDisk/hda-evidence.data
  Never write the image onto the drive being imaged.
Options
  bs=n, ibs=n, obs=n: block size of n bytes, for both directions, for input, or for output
  skip=n: skip n input blocks before copying
  count=n: copy n input blocks
  skip and count are measured in blocks of the input block size (ibs, or bs), so the block size decides what they mean; that is the point of the slide's "declare block size prior to skip/count", not argument order, which dd does not care about.
  # dd if=/dev/sda1 of=/root/lynn.dd bs=4096 count=1    (copies the first 4096 bytes of the partition)
Example
# dd if=/dev/sda1 of=/home/lynn/example.dd bs=512 count=1

Hex dump of the captured 512-byte sector (xxd format): a FAT16 volume boot record, with the OEM name MSDOS5.0 at offset 0x03, the volume label NO NAME and the type string FAT16 at 0x2b and 0x36, the NTLDR boot messages near the end, and the 0x55AA boot signature in the last two bytes.

0000000: eb3c 904d 5344 4f53 352e 3000 0204 0100  .<.MSDOS5.0.....
0000010: 0200 0200 00f8 ff00 3f00 ff00 3f00 0000  ........?...?...
0000020: dfe7 0300 8001 2905 8f93 804e 4f20 4e41  ......)....NO NA
0000030: 4d45 2020 2020 4641 5431 3620 2020 33c9  ME    FAT16   3.
0000040: 8ed1 bcf0 7b8e d9b8 0020 8ec0 fcbd 007c  ....{.... .....|
0000050: 384e 247d 248b c199 e83c 0172 1c83 eb3a  8N$}$....<.r...:
0000060: 66a1 1c7c 2666 3b07 268a 57fc 7506 80ca  f..|&f;.&.W.u...
0000070: 0288 5602 80c3 1073 eb33 c98a 4610 98f7  ..V....s.3..F...
0000080: 6616 0346 1c13 561e 0346 0e13 d18b 7611  f..F..V..F....v.
0000090: 6089 46fc 8956 feb8 2000 f7e6 8b5e 0b03  `.F..V.. ....^..
00000a0: c348 f7f3 0146 fc11 4efe 61bf 0000 e8e6  .H...F..N.a.....
00000b0: 0072 3926 382d 7417 60b1 0bbe a17d f3a6  .r9&8-t.`....}..
00000c0: 6174 324e 7409 83c7 203b fb72 e6eb dca0  at2Nt... ;.r....
00000d0: fb7d b47d 8bf0 ac98 4074 0c48 7413 b40e  .}.}....@t.Ht...
00000e0: bb07 00cd 10eb efa0 fd7d ebe6 a0fc 7deb  .........}....}.
00000f0: e1cd 16cd 1926 8b55 1a52 b001 bb00 00e8  .....&.U.R......
0000100: 3b00 72e8 5b8a 5624 be0b 7c8b fcc7 46f0  ;.r.[.V$..|...F.
0000110: 3d7d c746 f429 7d8c d989 4ef2 894e f6c6  =}.F.)}...N..N..
0000120: 0696 7dcb ea03 0000 200f b6c8 668b 46f8  ..}..... ...f.F.
0000130: 6603 461c 668b d066 c1ea 10eb 5e0f b6c8  f.F.f..f....^...
0000140: 4a4a 8a46 0d32 e4f7 e203 46fc 1356 feeb  JJ.F.2....F..V..
0000150: 4a52 5006 536a 016a 1091 8b46 1896 9233  JRP.Sj.j...F...3
0000160: d2f7 f691 f7f6 4287 caf7 761a 8af2 8ae8  ......B...v.....
0000170: c0cc 020a ccb8 0102 807e 020e 7504 b442  .........~..u..B
0000180: 8bf4 8a56 24cd 1361 6172 0b40 7501 4203  ...V$..aar.@u.B.
0000190: 5e0b 4975 06f8 c341 bb00 0060 666a 00eb  ^.Iu...A...`fj..
00001a0: b04e 544c 4452 2020 2020 2020 0d0a 6720  .NTLDR      ..g 
00001b0: 5379 7374 656d 206d 6973 7369 6e67 ff0d  System missing..
00001c0: 0a44 6973 6b20 6572 726f 72ff 0d0a 5072  .Disk error...Pr
00001d0: 6573 7320 616e 7920 6b65 7920 746f 2072  ess any key to r
00001e0: 6573 7461 7274 0d0a 0000 0000 0000 0000  estart..........
00001f0: 0000 0000 0000 0000 0000 00ac bfcc 55aa  ..............U.
MD5 Hash

# dd if=/dev/sda1 bs=512 count=1 | md5sum > hash.txt
# cat hash.txt
d41d8cd98f00b204e9800998ecf8427e  -

# dd if=/dev/sda1 bs=512 count=1 | sha1sum > hash.txt
# cat hash.txt
(The slide repeats the same 32-digit value here. A SHA-1 digest is 40 hex digits, so that cannot be real sha1sum output.)

Check the output before recording it: d41d8cd98f00b204e9800998ecf8427e is the MD5 of zero bytes of input, so the value shown means dd delivered nothing to md5sum (for example because the device could not be opened). A real 512-byte sector will not hash to it. md5sum also prints "  -" after a digest read from stdin, which is what hash.txt would actually contain.
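The hash / copy / hash / compare loop from the Imaging Digital Media slide, as an added example that is not from the original slides. A constructed random file stands in for the suspect partition so it runs offline; in practice the source is the device (/dev/sda1) behind a write blocker, and the 4 KiB block size and 64 KiB source size are choices made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original slides: the hash / copy / hash / compare
# loop from the Imaging Digital Media slide done with dd and the coreutils hash
# tools. A constructed random file stands in for the suspect partition so this
# runs offline; in practice $1 is the device (/dev/sda1) behind a write blocker.

# Print only the hex digest of $2 under algorithm $1 (md5, sha1 or sha256).
# Reading through a pipe avoids the "  filename" suffix the *sum tools print;
# a digest read from stdin is reported with "  -", which is what the slide's
# "md5sum > hash.txt" would also have recorded.
digest() {
    cat "$2" | "${1}sum" | cut -d' ' -f1
}

# Copy every byte of $1 into $2. conv=noerror,sync keeps reading past bad
# sectors and pads the failed block with zeros (see Bad Sectors); on a healthy
# source it changes nothing as long as the source size is a multiple of bs.
# Otherwise sync pads the final short block and the image hash cannot match,
# so bs=512 (one sector) is the safe choice for a real drive; 4096 is used here
# because the constructed source is a whole number of 4 KiB blocks.
acquire() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# Exit 0 only if source and image agree under every algorithm listed; all
# three are recorded so a later dispute about one algorithm can fall back on
# another.
verify_image() {
    for alg in md5 sha1 sha256; do
        h_src=$(digest "$alg" "$1")
        h_img=$(digest "$alg" "$2")
        echo "$alg source=$h_src image=$h_img"
        [ "$h_src" = "$h_img" ] || return 1
    done
    return 0
}

# Demonstration: 64 KiB of random "suspect media", imaged, then verified.
src=$(mktemp); img=$(mktemp)
dd if=/dev/urandom of="$src" bs=4096 count=16 2>/dev/null
acquire "$src" "$img"
verify_image "$src" "$img" && echo "image verified"
rm -f "$src" "$img"
```

Run the verification against the image file before the source drive leaves the write blocker; if the digests differ, re-acquire rather than reasoning about which copy is right.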
dcfldd

Very much like dd:

dcfldd if=/dev/mem of=/home/image conv=noerror bs=4096 \
    errlog=error_log1 \
    hash=md5 hashwindow=4096 hashlog=hash_dmp1 \
    hashformat="#hash#" >> report

However, it also lets you make multiple copies of the image in one pass:

dcfldd if=/dev/mem of=/home/image of=/media/storage/image2

(Caveat: on current Linux kernels /dev/mem no longer exposes all of physical RAM to user space, so treat these lines as examples of dcfldd syntax rather than as a memory-acquisition recipe.)
Bad Sectors
  Bad sectors are treated differently by different imagers, so the hashes may differ: some imagers zero-fill the unreadable sector, and then one hash is calculated ignoring the sector (over only the bytes actually read) while the other is calculated over the zero-filled image after imaging.
  Hard to explain in court.

Remedies
  dcfldd conv=noerror,sync
    noerror continues if a read error is encountered; sync pads the failed block with zeros, so the image stays offset-aligned with the device. Use bs=512 with it: with a larger block size one unreadable sector zeroes the whole block.
  hashconv=after
    Calculates the device hash after the conversion, so it matches the image hash. Can be questioned in court, and is hard to explain there.
  Better solution: use a small hash window and compare all the hashes of the small chunks.
    hashwindow=1M hashlog=hash-dump
    Show that the hashes disagree only for the chunk containing the bad sector and agree for every other chunk.
dc3dd

Makes dd similar to dcfldd. Written by Jesse Kornblum; maintained by the DoD Cyber Crime Center (DC3).

The invocation on the slide is the dcfldd one repeated:

dcfldd if=/dev/mem of=/home/image conv=noerror bs=4096 \
    errlog=error_log1 \
    hash=md5 hashwindow=4096 hashlog=hash_dmp1 \
    hashformat="#hash#" >> report

dc3dd's option names are not the same as dcfldd's (its hash log is hlog= and its combined log is log=, for example), so check its help text before reusing a dcfldd command line.

Features:
  - Pattern writes.
  - Piecewise and overall hashing with multiple algorithms and variable-size windows; supports MD5, SHA-1, SHA-256 and SHA-512.
  - Progress meter with automatic input/output file size probing.
  - Combined log for hashes and errors.
  - Error grouping: one error message for identical sequential errors.
  - Verify mode.
  - Ability to split the output into chunks with numerical or alphabetic extensions.
dd_rescue
  Sort of like dd; however, some of the options are not called the same.
  Copies data from one device to another; retries and works around block errors rather than stopping; usually does a really good job; can take a long time if the drive is hosed.
  Not forensically sound: it re-reads failing areas repeatedly (which can push a dying drive over the edge) and produces no hash of its own, so use it for data recovery, not for evidence acquisition.

ddrescue (GNU)
  Sort of like dd_rescue, and a different program despite the similar name; some of the options are not called the same.
  Copies data from one device to another; retries and works around block errors rather than stopping; usually does a really good job; can take a long time if the drive is hosed.
  Not forensically sound, for the same reasons; its mapfile does at least record which blocks could not be read.
X-Ways Software Technology AG builds
  WinHex: very good hexadecimal editor, $300
  X-Ways Forensics: excellent forensics package, $1000

AccessData Corp.
  FTK – Forensic Toolkit: versions 1.70, 1.72, 1.80, 2.0, 2.2, 3.2; $3000 - 4000
  PRTK – Password Recovery Toolkit
  Registry Viewer
  FTK Imager: free
SpinRite
  Fast and accurate; recovers a lot of data off an injured drive; $89.00
  Does overwrite the drive, so it is not forensically sound; great if you are desperate.