
ASSIGNMENT. Write a detailed essay about the following topics below. The essay should include the process, tools used and operation. Essay should be 2 – 3 pages:

INFORMATION AND COMMUNICATIONS UNIVERSITY

UNIVERSITY UNDERGRADUATE PROGRAMMES

NAME : EMMANUEL K. KALENGE

COMPUTER NUMBER : 1303282745

MODE OF STUDY : DISTANCE

PROGRAMME : BSC IN INFORMATION SECURITY AND COMPUTER FORENSICS

COURSE : COMPUTER HACKING FORENSICS INVESTIGATION 2

ASSIGNMENT NUMBER : TWO (02)

DUE DATE :

PHONE NUMBER : 0978864054 / 0955363127

EMAIL ADDRESS : [email protected]

POSTAL ADDRESS : ZAMBIA DAILY MAIL LIMITED

P.O BOX 31421

LUSAKA, ZAMBIA


ANSWERS TO ASSIGNMENT

1. Write a detailed essay about the following topics below. The essay should include the process, tools used and operation. Essay should be 2 – 3 pages:

(a) Intrusions and the honeypots

(b) Application Password Crackers

(c) Windows Admin Login bypass

(d) Audio File Forensics

(e) Data Acquisition and Duplication

(f) Recovering Deleted Files and Partition

(g) Image Files Forensics

(h) Windows Registry Evidence Analysis

(i) Steganography Detection

(j) Forensics Investigations Using Encase

(A) INTRUSIONS AND THE HONEYPOTS

What is an Intrusion?

A network intrusion is any unauthorized activity on a computer network. Detecting an intrusion depends on the defenders having a clear understanding of how attacks work. In most cases, such unwanted activity absorbs network resources intended for other uses, and nearly always threatens the security of the network and/or its data. Properly designing and deploying a network intrusion detection system will help detect and block the intruders.

The attack can be any use of a network that compromises its stability or the security of information that is stored on computers connected to it. A very wide range of activity falls under this definition, including attempts to destabilize the network as a whole, gain unauthorized access to files or privileges, or simply mishandling and misuse of software. Added security measures cannot stop all such attacks. The goal of intrusion detection is to build a system which would automatically scan network activity and detect such intrusion attacks. Once an attack is detected, the system administrator is informed and can take corrective action.

As a first step of defense, here's a brief rundown of popular attack vectors:

Asymmetric Routing

In this method, the attacker attempts to utilize more than one route to the targeted network device. The idea is to have the overall attack evade detection by having a significant portion of the offending packets bypass certain network segments and their network intrusion sensors. Networks that are not set up for asymmetric routing are impervious to this attack methodology.

Buffer Overflow Attacks

This approach attempts to overwrite specific sections of computer memory within a network, replacing normal data in those memory locations with a set of commands that will later be executed as part of the attack. In most cases, the goal is to initiate a denial of service (DoS) situation, or to set up a channel through which the attacker can gain remote access to the network. Accomplishing such attacks is more difficult when network designers keep buffer sizes relatively small, and/or install boundary-checking logic that identifies executable code or lengthy URL strings before it can be written to the buffer.

Common Gateway Interface Scripts

The Common Gateway Interface (CGI) is routinely used in networks to support interaction between servers and clients on the Web. But it also provides easy openings—such as "backtracking"—through which attackers can access supposedly secure network system files. When systems fail to include input verification or check for backtrack characters, a covert CGI script can easily add the directory label ".." or the pipe "|" character to any file path name and thereby access files that should not be available via the Web.

Protocol-Specific Attacks

When performing network activities, devices obey specific rules and procedures. These protocols—such as ARP, IP, TCP, UDP, ICMP, and various application protocols—may inadvertently leave openings for network intrusions via protocol impersonation ("spoofing") or malformed protocol messages. For example, Address Resolution Protocol (ARP) does not perform authentication on messages, allowing attackers to execute "man-in-the-middle" attacks. Protocol-specific attacks can easily compromise or even crash targeted devices on a network.

Traffic Flooding

An ingenious method of network intrusion simply targets network intrusion detection systems by creating traffic loads too heavy for the system to adequately screen. In the resulting congested and chaotic network environment, attackers can sometimes execute an undetected attack and even trigger an undetected "fail-open" condition.

Trojans

These programs present themselves as benign and do not replicate like a virus or a worm. Instead, they instigate DoS attacks, erase stored data, or open channels to permit system control by outside attackers. Trojans can be introduced into a network from unsuspected online archives and file repositories, most particularly including peer-to-peer file exchanges.

Worms

A common form of standalone computer virus, worms are any computer code intended to replicate itself without altering authorized program files. Worms often spread through email attachments or the Internet Relay Chat (IRC) protocol. Undetected worms eventually consume so many network resources, such as processor cycles or bandwidth, that authorized activity is simply squeezed out. Some worms actively seek out confidential information—such as files containing the word "finance" or "SSN"—and communicate such data to attackers lying in wait outside the network.

What is a Honeypot?

Honey Pot systems are decoy servers or systems set up to gather information regarding an attacker or intruder into your system. It is important to remember that Honey Pots do not replace other traditional Internet security systems; they are an additional level or system.

Honey Pots can be set up inside, outside or in the DMZ of a firewall design, or even in all of these locations, although they are most often deployed inside of a firewall for control purposes. In a sense, they are variants of standard Intrusion Detection Systems (IDS) but with more of a focus on information gathering and deception.

A Honey Pot system is set up to be easier prey for intruders than true production systems, but with minor system modifications so that their activity can be logged or traced. The general thought is that once an intruder breaks into a system, they will come back for subsequent visits. During these subsequent visits, additional information can be gathered, and additional attempts at file, security and system access on the Honey Pot can be monitored and saved.

An example of Honey Pot systems installed in a traditional Internet security design: (Image courtesy of https://www.sans.org)

Generally, there are two popular reasons or goals behind setting up a Honey Pot:

- Learn how intruders probe and attempt to gain access to your systems. The general idea is that since a record of the intruder's activities is kept, you can gain insight into attack methodologies to better protect your real production systems.

- Gather forensic information required to aid in the apprehension or prosecution of intruders. This is the sort of information often needed to provide law enforcement officials with the details needed to prosecute.

The common line of thought in setting up Honey Pot systems is that it is acceptable to use lies or deception when dealing with intruders. What this means to you when setting up a Honey Pot is that certain goals have to be considered.

Those goals are:

- The Honey Pot system should appear as generic as possible. If you are deploying a Microsoft NT based system, it should appear to the potential intruder that the system has not been modified, or they may disconnect before much information is collected.

- You need to be careful in what traffic you allow the intruder to send back out to the Internet, for you don't want to become a launch point for attacks against other entities on the Internet. (One of the reasons for installing a Honey Pot inside of the firewall!)

- You will want to make your Honey Pot an interesting site by placing "dummy" information on it, or make it appear as though the intruder has found an "Intranet" server, etc. Expect to spend some time making your Honey Pot appear legitimate so that intruders will spend enough time investigating and perusing the system that you are able to gather as much forensic information as possible.



Some caveats exist that should be considered when implementing a Honey pot system. Some of the more important are:

The first caveat is the consideration that if the information gathered from a Honey Pot system is used for prosecution purposes, it may or may not be deemed admissible in court. While information regarding this issue is difficult to come by, having been hired as an expert witness for forensic data recovery purposes, I have serious reservations regarding whether or not all courts will accept this as evidence or if non-technical juries are able to understand the legitimacy of it as evidence.

The second main caveat for consideration is whether hacking organizations will rally against an organization that has set "traps" and make them a public target for other hackers. Examples of this sort of activity can be found easily on any of the popular hacker's sites or their publications.

Levels or Layers of Tracking

The information provided on an intruder depends on the levels of tracking that you've enabled on your Honey Pot. Common tracking levels include the firewall, system logs on the Honey Pot and sniffer-based tools.

Firewall Logs

Firewalls are useful as part of the overall Honey Pot design for many reasons. Most firewalls provide activity-logging capabilities which can be used to identify how an intruder is attempting to get into a Honey Pot. I liken firewall logs to router logs; they can both be set to trap and save packets of a pre-determined type. Remember that when setting up the firewall, you would normally want to log ALL packets going to the Honey Pot system, as there should be no legitimate reason for traffic going to or from the Honey Pot.

Reviewing the order, sequence, time stamps and type of packets used by an intruder to gain access to your Honey Pot will help you identify the tools and methodology being used by the intruder and their intentions (vandalism, data theft, remote launch point search, etc.). Depending on the logging detail your firewall is capable of, you may or may not be able to gain considerable information from these logs.

Another useful function of many firewalls is their notification capabilities. Most firewalls can be configured to send alerts by email or pager to notify you of traffic going to or from your Honey Pot. This can be extremely useful in letting you review intruder activity while it's happening.
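The following script is an added example, not part of the essay or of any product it names. It shows the kind of review described above applied to firewall logs: every packet to or from the Honey Pot is pulled out, ordered by time stamp so the sequence of ports probed is visible, and any traffic the Honey Pot itself initiates is flagged, since that is the "launch point" situation the essay warns about. The log lines, their format and the honeypot address 192.0.2.10 are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines (sample data made up for this example, not a real capture).
# Format assumed: <UTC timestamp> <ALLOW|DROP> <proto> <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
2018-03-01T10:00:01Z ALLOW TCP 203.0.113.7:51234 -> 192.0.2.10:80
2018-03-01T10:00:03Z ALLOW TCP 203.0.113.7:51235 -> 192.0.2.10:22
2018-03-01T10:00:04Z ALLOW TCP 198.51.100.4:40000 -> 192.0.2.20:443
2018-03-01T10:00:09Z DROP TCP 203.0.113.7:51236 -> 192.0.2.10:3389
2018-03-01T10:00:15Z ALLOW TCP 192.0.2.10:44555 -> 198.51.100.9:6667
this line is malformed and is skipped
"""

HONEYPOT_IP = "192.0.2.10"  # hypothetical honeypot address

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DROP) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def honeypot_events(log_text, honeypot_ip=HONEYPOT_IP):
    """Return every packet to or from the honeypot, in time-stamp order.
    Nothing legitimate should ever talk to it, so each record is of interest."""
    records = (parse_line(line) for line in log_text.splitlines())
    hits = [r for r in records if r and honeypot_ip in (r["src"], r["dst"])]
    return sorted(hits, key=lambda r: r["ts"])


def summarize(events, honeypot_ip=HONEYPOT_IP):
    """Per-source sequence of ports probed (the order reveals the intruder's method),
    plus any traffic the honeypot itself initiated, which suggests it is being used
    as a launch point and must be contained."""
    probes = defaultdict(list)
    outbound = []
    for r in events:
        if r["dst"] == honeypot_ip:
            probes[r["src"]].append((r["dport"], r["action"]))
        else:
            outbound.append((r["dst"], r["dport"]))
    return {"probes": dict(probes), "outbound": outbound}


def alerts(log_text, honeypot_ip=HONEYPOT_IP):
    """Human-readable alert lines, the kind a firewall would mail or page out."""
    summary = summarize(honeypot_events(log_text, honeypot_ip), honeypot_ip)
    out = []
    for src, ports in summary["probes"].items():
        seq = ", ".join(f"{port}/{action}" for port, action in ports)
        out.append(f"probe from {src}: {seq}")
    for dst, port in summary["outbound"]:
        out.append(f"OUTBOUND from honeypot to {dst}:{port} - possible launch point, isolate now")
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG):
        print(line)
```

Run against a real firewall export, the only change needed is the regular expression for that product's line format; the two checks (ordered probe sequence per source, any outbound connection from the decoy) stay the same.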

System Logs

Unix and Microsoft NT seem to have the lion's share of the Internet server market. Luckily, both operating systems have logging capabilities built in, which help identify what changes or attempts have been made. It should be noted that out of the box, Unix offers superior logging capabilities compared to Microsoft NT.

Some of their out-of-the-box logging capabilities include:

Microsoft NT

- Security: available from Event Viewer

- User Management: needs to be enabled through User Manager

- Running Services: Netsvc.exe needs to be manually run and compared to a baseline

Unix

- User activity logs: utmp, wtmp, btmp, lastlog, messages

- Syslogd: an important option is that it can log to a remote server! The range of facilities and priorities available through syslogd is very good.

There are also several tools available that greatly increase the information that can be gathered. Many of the Unix tools are public domain, while many of the Microsoft NT tools are not.



Sniffer Tools

Sniffer tools provide the capability of seeing all of the information or packets going between the firewall and the Honey Pot system. Most of the sniffers available are capable of decoding common TCP-based protocols such as Telnet, HTTP and SMTP. Using a sniffer tool allows you to interrogate packets in much more detail than firewall or system logging alone, to determine which methods the intruder is trying to use.

An additional benefit to sniffer tools is that they can also create and store log files. The log files can then be stored and used for forensic purposes.

Honey Pot Solutions

Implementation of a Honey Pot solution as part of a security system first involves the decision of whether to purchase a commercial solution or to develop your own.

Building a Honey Pot

There is a variety of public domain tools and software available that can be useful to help you set up a Honey Pot, as well as many sites dedicated to helping guide you through the process. Most tools seem to have originated on the Unix platform, while many have been ported to Microsoft NT.

What you will need to create or develop your own Honey Pot system are, at a minimum, the following components and considerable configuration time:

- A workstation or PC. It appears as though an Intel-based workstation is fine.

- An operating system. I prefer BSD Unix or RedHat, as there are more tools available for the Unix platform than for NT.

Commercial Honey Pot Systems

There are a variety of commercial Honey Pot systems available. The operating systems most widely supported are Microsoft NT and Unix. As many of the commercial products have been released in the past 12 – 18 months, some of them are still in relatively early versions.

Some of the commercial Honey Pot systems available are:

- Network Associates, CyberCop Sting

- Tripwire

- Fred Cohen and Associates, Deception Toolkit

- Recourse Technologies, ManTrap

(B) APPLICATION PASSWORD CRACKERS



The concept of cracking passwords is taking a password and recovering its plaintext from the stored (hashed or encrypted) form, or disabling the password protection of a system and/or network. Since the first passwords were used, there have been methods to try to crack the actual text-based version of the password. The reason we can crack passwords is two-fold: users can select a weak password if the administrator has not enforced a strict password policy, and the vendor may have done a poor job with the scrambling of the password.

There are several methods of attacking passwords that we will discuss. The methods are:

- Guessing

- Dictionary

- Brute force

- Syllable attack

- Rule-based

- Hybrid

- Rainbow tables

Guessing

In the guessing attack, perpetrators are successful when they are able to guess a person's password. This can be the result of the user selecting a blank password. It can also be a result of choosing a simple password such as "password." Some users think they are smart and will try a word in reverse, like "drowssap." Another problem is when users select a password based on their kids, spouse, relative, or other personal information that is easy to identify.

Dictionary

With this attack you load a file of dictionary words into the password cracking tool, and if the password is one of the words within the dictionary file it is cracked. It is important to note that there are dictionary files available for many languages; therefore, it is a simple process of loading the dictionary for the country you are conducting the testing in.

Brute Force

In the brute force method of password attacking, the concept is to try every possible combination of characters until a password is found. It is the slowest method of attack, but given enough time and resources it will discover any password.

Syllable Attack

This attack is a combination of brute force attack and dictionary attack. The technique is usually used when the password is known to be a non-existent word.



Rule-Based

This technique is used when the perpetrator is able to get some information about the password, usually following some form of enumeration that has identified the password policy in place for an organization. For example, if the policy indicates that the length of the password is not less than eight characters and that it must contain at least a number and a special character, then the perpetrator will adjust and customize the cracking tool accordingly.

Hybrid

A hybrid attack is used to find passwords that are a dictionary word with combinations of characters prepended or appended to it. This attack is surprisingly successful, because in most cases users will select a password that is a dictionary word surrounded by additional characters.

Rainbow

The rainbow attack technique works by calculating all the possible hashes for a character set and storing them in a table. The password hash is presented to the tool that uses the rainbow algorithm, and a table search is made until the password is found. This is a much quicker method than the other types of attack; however, the limitation of the rainbow technique is the size requirement for a table, so you need to think in terms of terabytes for complex passwords.

PASSWORD CRACKING TOOLS

When it comes to cracking passwords, there is an extraordinary number of tools available:

(i) Cain and Abel

This is a Windows-based password recovery tool. It uses multiple methods to capture the password hashes: it can get the hash from the network, or dump it from the local machine. Cain and Abel uses dictionary attacks, brute force, and other cryptanalysis techniques to crack the password.

(ii) LCP

The LCP tool was developed as a free alternative to the very popular L0phtcrack tool, which was the pioneer in cracking passwords on the Windows platform. L0phtcrack is no longer offered, and LCP is an excellent way to get the features that used to be available with L0phtcrack. The tool offers the ability to import from a variety of formats, and uses dictionary, hybrid, and brute force attack methodologies to discover the password.



(iii) Ophcrack

Ophcrack is a Windows-based password cracker that uses the rainbow cracking methodology, conducting the crack from existing rainbow tables. The algorithm deployed is based on the time-memory trade-off technique of precomputing all possible hashes and then looking the captured hash up in the table.

(iv) John the Ripper

John the Ripper (JTR) is a fast password cracking tool that will not only crack Windows-based passwords, but also passwords on Unix and Linux systems. The tool runs within both Unix and Linux environments.

(v) Brutus

Brutus is a very fast and flexible password cracking tool that can perform the cracks remotely. It is commonly used to crack Web site passwords. It is a Windows-based tool that can support up to 60 simultaneous target connections.

(C) WINDOWS ADMINISTRATOR LOGIN BYPASS

Passwords can be reset or bypassed on every operating system. On Windows, Linux, and Mac OS X, you can gain access to a computer's unencrypted files after resetting the password — the password doesn't actually prevent access to your files. On other devices where you can't gain access to the files, you can still reset the device and gain access to it without knowing a password. These tricks all require physical access to the device.

There are many ways to reset a Windows password. Windows allows you to create a password reset disk that can reset your password in an approved way — create a disk first and you can use it if you ever need it.

Resetting a password without an official tool is fairly simple. For example, the Offline NT Password & Registry Editor works well for this. First, you'll need to boot from a special disc or USB drive — either a live Linux system or a specialized Offline NT Password & Registry Editor boot disc. The tool can edit the Windows registry, allowing you to clear the password associated with the user account. You can then boot into Windows and log into the account without a password.

Even if you're using Windows 8 with a Microsoft account, you can always reset the password of the built-in Administrator account to gain access.



To protect against this, you could password-protect your BIOS and restrict booting from external devices. Someone with physical access to the PC could reset the BIOS password to bypass this. Encrypting your Windows system drive with something like BitLocker would prevent the registry from being accessed and modified with this tool — encryption is the only good protection.

Method 1: Bypass Windows 7 Logon Password in Safe Mode

You can change a Windows 7 password from safe mode in the following steps:

Step 1: Press F8 before the Windows 7 loading screen.

Step 2: Choose the Windows 7 safe mode option "Safe Mode with Command Prompt" and press Enter.

Step 3: Type net user and press Enter; all accounts on the Windows 7 PC will be displayed.

Step 4: Type net user followed by the locked user account name and a new password in the command prompt; for example, net user John 123456 sets a new password of 123456 for the account "John".

Step 5: After restarting your computer, you can now log on to your PC with the new password.

(Note: When you recover a Windows 7 password from safe mode, an administrator account with a known password is necessary. If you do not have one, move to Method 2.)

Method 2: Bypass Windows 7 Password with a Created Windows 7 Password Reset Disk

If you created a Windows 7 password reset disk in the past, below are the steps for getting around a forgotten password on Windows 7:

1. If you enter the wrong password when you attempt to log on, Windows displays a message that the password is incorrect. Click "OK" to close the message.

2. Click "Reset password", and then insert your password reset disk.

3. Follow the steps in the Password Reset Wizard to create a new password.

4. Log on with the new password. If you forget your password again, you can use the same password reset disk. You don't need to make a new one.



(Note: The disk only works for the specific account you created it for; if you changed the Windows XP password for that account, it still works. But if you don't have a password reset disk, then the only way to bypass your Windows 7 password is to use a third-party application.)

(D) AUDIO FILE FORENSICS

Audio forensics is the field of forensic science relating to the acquisition, analysis, and evaluation of sound recordings that may ultimately be presented as admissible evidence in a court of law or some other official venue.

Audio forensic evidence may come from a criminal investigation by law enforcement or as part of an official inquiry into an accident, fraud, accusation of slander, or some other civil incident.

The primary aspects of audio forensics are establishing the authenticity of audio evidence, performing enhancement of audio recordings to improve speech intelligibility and the audibility of low-level sounds, and interpreting and documenting sonic evidence, such as identifying talkers, transcribing dialog, and reconstructing crime or accident scenes and timelines.

Modern audio forensics makes extensive use of digital signal processing, with the former use of analog filters now being obsolete. Techniques such as adaptive filtering and discrete Fourier transforms are used extensively.

Recent advances in audio forensics techniques include voice biometrics and electrical network frequency analysis.

The remit of a forensic audio laboratory is to provide audio evidence in criminal or civil investigations. On a day-to-day basis, a forensic audio laboratory will deal with sensitive law-enforcement recordings, 999 emergency calls, audio from mobile phones, DVD, video, CCTV, computers, solid-state devices, memory cards — in fact, just about every type of recorded audio media there is and has ever been. Many of the tasks will at some point involve forensic audio enhancement for use as evidence at trial. However, general advice and guidance concerning the correct capture and subsequent review of audio material is also essential. This provides what is commonly referred to as 'best evidence'.

The principal concerns of audio forensics are:

i) Establishing the authenticity of audio evidence

ii) Performing enhancement of audio recordings to improve speech intelligibility and the audibility of low-level sounds

iii) Interpreting and documenting sonic evidence, such as identifying talkers, transcribing dialog, and reconstructing crime or accident scenes and timelines



Forensic Enhancement

Enhancement is a process that involves the expertise of 'cleaning' or 'removing' unwanted noise from an otherwise unintelligible recording. This can be described as 'audio archaeology': its principal task is to uncover evidence cautiously and without unnecessary damage to the original recording. This provides the listener with the opportunity to hear 'what is said', which is often sufficient to prove or disprove an individual's involvement in crime. Often, the 'enhanced' recording will sound cosmetically worse than the original, but 'what is said' is revealed. This is in complete opposition to the music industry, where cosmetics are everything! On a daily basis, investigations are turning to forensic audio enhancement as a final 'roll of the dice' when all other forensic practices and techniques have failed or are unavailable. Forensic audio alone continues to routinely solve high-profile criminal investigations and convict serious criminals.

If the examiner determines that enhancement is necessary, a variety of audio DSP tools are brought to use.

COMMON DSP METHODS

The principal audio forensic enhancement procedures include time-domain level detectors and frequency-domain filters.

(a) TIME-DOMAIN LEVEL DETECTION

Time-domain enhancement treats the amplitude envelope of the recorded audio signal. One example is gain compression, whereby the overall level (loudness) of the signal is adjusted to be relatively constant: quiet passages are amplified and loud passages are attenuated or left alone.

(b) FREQUENCY-DOMAIN FILTERING

Frequency-domain methods for forensic audio enhancement often use some form of spectral subtraction. As its name implies, spectral subtraction involves forming an estimate of the noise spectrum (noise power as a function of frequency) and then subtracting this estimate from the noisy input signal spectrum.

The noise-reduced output is created by reconstructing the signal from the subtracted spectrum. Ideally, all the spectral energy below the noise estimate threshold is removed, so if the desired signal components exceed the noise level over much of the frequency range and if the noise estimate is sufficiently accurate, the technique can be useful and effective.

AUDIO FORENSIC TOOLS

There are hundreds if not thousands of audio forensic software packages. However, the notable and most commonly used tools are listed below:



- Audio Forensics Software by Tracer Technologies

- Forensics Audio Workstation by SpeechPro

- Forensic Audio Analysis Laboratory Full Solution by Acustek-Technical

(E) DATA ACQUISITION AND DUPLICATION

Data acquisition is the process of gathering evidence or information. This can be done by using established methods to acquire data from a suspected storage media outlet to gain access to information about the crime or other incident, and potentially using that data as evidence to convict a suspect.

In computer forensics, this means using established methods to acquire data from a suspect computer or storage media to gain insight into a crime or other incident and potentially use it as evidence to convict a suspect. The goal of data acquisition is to preserve evidence, so any tools that are used should not alter the data in any way and should provide an exact duplicate. To prevent contamination, any data that is duplicated should be stored on forensically sterile media, meaning that the disk has no other data on it and has no viruses or defects.

Duplication of data is a critical part of any computer forensic investigation. To effectively examine data on a suspect machine, a person performing a forensic examination of the machine needs to create an image of the disk.

When you create a disk image (a bitstream copy), each physical sector of the disk is copied so that the data is distributed in the same way, and then the image is compressed into a file called an image file. This image is exactly like the original, both physically and logically. As an exact duplicate of the data on a suspect machine or storage media, the mirror image includes hidden files, temp files, corrupted files, file fragments, and erased files that have not yet been overwritten. In other words, every binary digit is duplicated exactly.

DATA ACQUISITION TOOLS

Data acquisition tools may consist of software used to duplicate data, create image files that may be mounted and analysed afterward, or hardware-based solutions that can acquire data from a suspect machine. The following are the common tools utilised in this process:

- The Forensic Toolkit (FTK) Imager by AccessData

- SafeBack by NTI

- DriveSpy by Digital Intelligence Forensic Solutions

- Mount Image PRO by GetData Software Development

13

Page 14: file · Web viewASSIGNMENT. Write a detailed essay about the following topics below. The essay should include the process, tools used and operation. Essay should be 2 – 3 pages:

- DriveLook by Runtime Software Labs

- SnapBack DatArrest by SnapBack

- SCSIPAK by Vogon

(F) RECOVERING DELETED FILES AND PARTITIONS

A deleted file is any file that has been logically erased from the file system but may still remain physically on the storage media. How a file is deleted can vary. Although for many people deleting a file means selecting it and pressing the DEL or Delete key on their keyboard, there are other ways in which a file may be deleted:

- Command Line Delete
- Moving Files
- Disk Cleanup

Disk erasing software wipes the disk clean by erasing all the files and overwriting the disk space with a series of ones and zeros. In doing so, every sector of the disk is overwritten, making the data unrecoverable. If anyone attempted to recover data on the disk, they would not be able to retrieve anything because the data is completely destroyed.

When a file is deleted, it doesn’t necessarily mean that the data cannot be completely or partially recovered. Data written on a hard disk generally stays there unless or until it is either overwritten by more data or physically erased by a magnet. Simply deleting the data using operating system file management utilities does not get rid of the data. It only removes the pointer used by the file system to locate that data physically on the disk. The data itself (in the form of the physical changes to the disk’s magnetic surface) is still there and can be recovered using special recovery software.

Data recovery is the process of salvaging data that was lost or deleted.

Deleted File Recovery Tools

Data recovery tools are designed to restore data that has been deleted or corrupted from any number of sources, including hard disks, CDs, DVDs, Blu-ray, HD-DVD, floppy disks, memory cards used in digital cameras, and other storage media. Depending on the capabilities of the software, it will scan the media and search for any damaged, corrupted, or deleted files and display which ones are available for recovery, allowing you to choose which ones will be restored. Some of the most commonly used software is:

- Undelete
- Active@ Data Recovery Software
- R-Undelete
- Easy-Undelete
- WinUndelete
- FileScavenger
- VirtualLab
- Stellar Phoenix

Recovering Deleted Partitions

Partitioning a hard disk involves dividing the disk into volumes, which generally appear to the operating system as logical drives, identified by different drive letters. The disk is divided into logical drives for the purposes of performance and organization of the data. Each logical drive can be formatted separately so that each one uses a different file system.

When a partition is deleted, its entry in the partition table is removed. Although it can appear quite alarming that an entire partition of information is no longer visible, the data has not been destroyed on the disk.

Partition recovery tools perform a number of automated tasks that will attempt to restore a damaged or deleted partition and/or restore data from that partition. The following are some of the automated tasks these tools will use to locate and recover data:

■ determining the error on the disk and allowing the user to choose another partition and make it active
■ scanning the disk space for a partition boot sector or damaged partition information, and then attempting to reconstruct the partition table entry. By finding the partition boot sector, the tool has all the information necessary to reconstruct the entry in the partition table. Because both NTFS and FAT32 volumes maintain backup boot sectors, you can recover the volume by restoring the boot sector.
■ scanning the disk space for a partition boot sector or data from deleted partition information, and then attempting to reconstruct the partition table entry

A number of tools are available for partition recovery, each of which has various features that can make it easier to restore data that may have been lost from accidental deletion or damage to the partition. Below are some of the most prominent partition recovery tools:

- Active@ Partition Recovery
- Active@ Disk Image
- DiskInternals Partition Recovery
- GetDataBack
- NTFS Deleted Partition Recovery
- Handy Recovery
- Acronis Recovery Expert
- TestDisk
- Partition Table Doctor
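The boot-sector scan described above, as an added example that is not part of the original essay or of any of the tools listed: it builds a small disk image in memory whose MBR partition entry has been zeroed, locates the NTFS primary and backup boot sectors by their OEM ID and 0x55AA signature, pairs them using the TotalSectors field, and rebuilds the partition table entry. The disk layout, LBAs and sizes are constructed sample values.

```python
"""Added example (not from the original essay): scan a disk image for NTFS boot
sectors and rebuild a deleted MBR partition entry from what they record.
The disk image is constructed inline; it is not a real volume."""
import struct

SECTOR = 512
NTFS_OEM = b"NTFS    "      # OEM ID at offset 3 of an NTFS boot sector
BOOT_SIG = b"\x55\xAA"      # signature at offset 510 of boot sectors and of the MBR
NTFS_TYPE = 0x07            # MBR partition type byte for NTFS


def make_ntfs_boot_sector(total_sectors: int) -> bytes:
    """Minimal constructed NTFS boot sector. TotalSectors (offset 0x28) excludes
    the backup boot sector, which NTFS keeps in the sector right after them."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"                       # jump instruction
    bs[3:11] = NTFS_OEM
    struct.pack_into("<H", bs, 0x0B, SECTOR)         # bytes per sector
    bs[0x0D] = 8                                     # sectors per cluster
    struct.pack_into("<Q", bs, 0x28, total_sectors)
    bs[510:512] = BOOT_SIG
    return bytes(bs)


def make_disk_image(start_lba: int, total_sectors: int, disk_sectors: int,
                    wipe_primary: bool = False) -> bytes:
    """Constructed disk: an MBR whose partition slots are all zero (the entry was
    deleted) and one NTFS volume with primary and backup boot sectors."""
    disk = bytearray(SECTOR * disk_sectors)
    disk[510:512] = BOOT_SIG                         # MBR signature only; slots at 0x1BE stay empty
    boot = make_ntfs_boot_sector(total_sectors)
    backup_lba = start_lba + total_sectors
    if not wipe_primary:
        disk[start_lba * SECTOR:(start_lba + 1) * SECTOR] = boot
    disk[backup_lba * SECTOR:(backup_lba + 1) * SECTOR] = boot
    return bytes(disk)


def find_boot_sector_candidates(disk: bytes) -> dict:
    """Scan every sector for the NTFS OEM ID plus 0x55AA; map LBA -> TotalSectors."""
    found = {}
    for lba in range(len(disk) // SECTOR):
        sec = disk[lba * SECTOR:(lba + 1) * SECTOR]
        if sec[3:11] == NTFS_OEM and sec[510:512] == BOOT_SIG:
            found[lba] = struct.unpack_from("<Q", sec, 0x28)[0]
    return found


def reconstruct_volumes(candidates: dict) -> list:
    """Pair each primary boot sector with its backup at primary_lba + TotalSectors.
    Returns (start_lba, size_in_sectors, status) tuples."""
    volumes, used = [], set()
    for lba in sorted(candidates):
        if lba in used:
            continue
        total = candidates[lba]
        if candidates.get(lba + total) == total:     # intact pair: lba is the primary
            volumes.append((lba, total + 1, "primary+backup"))
            used.add(lba + total)
        else:
            # Unpaired hit: either the backup was overwritten (lba is the primary)
            # or the primary was, in which case the volume starts at lba - total.
            volumes.append((lba, total + 1, "unpaired, assumed primary"))
            if lba - total >= 0:
                volumes.append((lba - total, total + 1, "unpaired, assumed backup"))
    return volumes


def build_mbr_entry(start_lba: int, size: int) -> bytes:
    """16-byte MBR entry; CHS fields carry the 0xFE 0xFF 0xFF 'use LBA' filler."""
    return struct.pack("<B3sB3sII", 0x00, b"\xFE\xFF\xFF", NTFS_TYPE,
                       b"\xFE\xFF\xFF", start_lba, size)


def restore_partition_entry(disk: bytes, start_lba: int, size: int, slot: int = 0) -> bytes:
    """Return a copy of the disk with the rebuilt entry written into MBR slot 0..3."""
    out = bytearray(disk)
    off = 0x1BE + 16 * slot
    out[off:off + 16] = build_mbr_entry(start_lba, size)
    return bytes(out)


def read_mbr_entry(disk: bytes, slot: int = 0) -> tuple:
    """(type, start_lba, size_in_sectors) from an MBR slot."""
    return struct.unpack_from("<4xB3xII", disk, 0x1BE + 16 * slot)


if __name__ == "__main__":
    disk = make_disk_image(start_lba=64, total_sectors=999, disk_sectors=1100)
    print("deleted entry :", read_mbr_entry(disk))                 # (0, 0, 0)
    vols = reconstruct_volumes(find_boot_sector_candidates(disk))
    print("recovered     :", vols)                                 # [(64, 1000, 'primary+backup')]
    fixed = restore_partition_entry(disk, vols[0][0], vols[0][1])
    print("restored entry:", read_mbr_entry(fixed))                # (7, 64, 1000)
```

Run with `wipe_primary=True` to see the backup-only case: the scan still yields the volume size, and the reconstruction lists both possible starting sectors for the examiner to confirm.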

(G) IMAGE FILES FORENSICS

One of the most common types of media acquired in a computer forensic examination is image files. An image file is any picture or graphical depiction that has been stored in digital format. Generally, this refers to photographs, drawings, or other graphics that don’t include any motion or animation.

A primary component of an image’s characteristics is how the image was created. Different types of images can be created, which determine how the graphic is displayed, its resolution when it is expanded or reduced in size, the colors displayed, and other elements that make up the overall presentation of the graphic.

The three (3) types of graphics:

(a) Raster Images
(b) Vector Images
(c) Metafile Images

(a) Raster Images

Raster images are graphics that are created or captured as a set of pixels that are mapped to a grid.

(b) Vector Images

Vector graphics are generated from mathematical information stored in the graphic, which instructs the program opening the image how to display the position, width, length, direction, and other aspects of objects used to create the picture.

(c) Metafile Images

Metafile graphics are images that can contain a combination of raster, vector, and type data. Because they contain multiple types of data, they can be enlarged or reduced without any loss of resolution, making the image appear the same regardless of resizing. Some types of metafile graphics include:

■ Encapsulated PostScript, which has the file extension .eps
■ Computer Graphics Metafile, which has the file extension .cgm
■ Windows Metafile, which has the file extension .wmf
■ Enhanced Metafile, which has the file extension .emf

Common Image File Formats:

■ BMP (Bitmap) files
■ GIF (Graphics Interchange Format)
■ PNG (Portable Network Graphics)
■ JPEG (Joint Photographic Experts Group)
■ JPEG 2000
■ TIFF (Tagged Image File Format)

Locating and Recovering Image Files

Image File Headers

An image file header is a portion of a file that contains data about the image’s size, resolution, number of colors, and other facts that a program will need to display it properly. File headers provide information on the unique characteristics of files, which makes it possible to identify the type of file simply by a few bytes at the beginning. For example, all BMP files have the characters BM in the first two positions of the file data. When an application opens a file, it will read the header to ensure that the image isn’t damaged and can be opened by the program. Such information can be viewed by using a hexadecimal editor such as WinHex or a binary file viewer.

File Fragments

Even though a file has been deleted, part of the data may still be found in unallocated space or slack space on the hard disk. Even though part of the data is missing from the file, it is still possible to view the information using a hex editor or other tools, and reconstruct the file so that it is restored.
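Header identification and fragment carving, as an added example (not from the original essay or any named tool) that serves both the "Image File Headers" and "File Fragments" points above: it scans a constructed block of unallocated space for the magic bytes of the formats listed, validates the weak two-byte BMP signature against the rest of its header, and bounds each hit by its size field or trailer so that a file whose tail was overwritten is reported as a fragment. The BMP, PNG and JPEG fragment are built inline as sample data.

```python
"""Added example (not from the original essay): identify image files by their
header bytes and carve them from a constructed block of 'unallocated space',
reporting which files are complete and which survive only as fragments."""
import struct
import zlib

SIGNATURES = {   # magic bytes at offset 0 for the formats listed above
    "BMP": [b"BM"], "GIF": [b"GIF87a", b"GIF89a"], "PNG": [b"\x89PNG\r\n\x1a\n"],
    "JPEG": [b"\xFF\xD8\xFF"], "TIFF": [b"II*\x00", b"MM\x00*"],
}


def parse_bmp_header(buf: bytes, off: int) -> dict:
    """14-byte BMP file header + BITMAPINFOHEADER: size, dimensions and bit depth."""
    file_size = struct.unpack_from("<I", buf, off + 2)[0]
    reserved = struct.unpack_from("<HH", buf, off + 6)
    width, height, planes, bpp = struct.unpack_from("<iiHH", buf, off + 18)
    return {"file_size": file_size, "reserved": reserved, "width": width,
            "height": height, "planes": planes, "bpp": bpp}


def looks_valid(buf: bytes, kind: str, off: int) -> bool:
    """A two-byte 'BM' hit is weak evidence, so sanity-check the rest of the header."""
    if kind != "BMP":
        return True
    if off + 30 > len(buf):
        return False
    h = parse_bmp_header(buf, off)
    return h["reserved"] == (0, 0) and h["planes"] == 1 and h["bpp"] in (1, 4, 8, 16, 24, 32)


def find_end(buf: bytes, kind: str, off: int, stop: int):
    """End offset of the file at off when its size field or trailer is intact, else
    None (a fragment). stop is the next header hit or the end of the buffer."""
    if kind == "BMP":
        size = parse_bmp_header(buf, off)["file_size"]
        return off + size if 54 <= size <= stop - off else None
    if kind == "PNG":
        i = buf.find(b"IEND", off, stop)          # IEND type + 4-byte CRC closes the file
        return i + 8 if i != -1 and i + 8 <= stop else None
    if kind == "JPEG":
        i = buf.find(b"\xFF\xD9", off, stop)      # EOI marker
        return i + 2 if i != -1 else None
    return None                                   # GIF/TIFF trailers not handled here


def carve(buf: bytes) -> list:
    """Scan for every header, then bound each hit by its trailer or by the next hit."""
    hits = []
    for kind, magics in SIGNATURES.items():
        for magic in magics:
            i = buf.find(magic)
            while i != -1:
                if looks_valid(buf, kind, i):
                    hits.append((i, kind))
                i = buf.find(magic, i + 1)
    hits.sort()
    results = []
    for n, (off, kind) in enumerate(hits):
        stop = hits[n + 1][0] if n + 1 < len(hits) else len(buf)
        end = find_end(buf, kind, off, stop)
        results.append({"type": kind, "offset": off, "complete": end is not None,
                        "length": (end if end is not None else stop) - off})
    return results


def make_bmp(width: int, height: int) -> bytes:
    """Constructed 24-bit BMP, rows padded to a multiple of 4 bytes."""
    row = ((24 * width + 31) // 32) * 4
    pixels = (bytes([0x10, 0x20, 0x30] * width) + bytes(row - 3 * width)) * height
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54) + info + pixels


def make_png(width: int, height: int) -> bytes:
    """Constructed 8-bit RGB PNG: IHDR, one IDAT of zero rows, IEND."""
    def chunk(ctype, data):
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))
    ihdr = chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0))
    idat = chunk(b"IDAT", zlib.compress((b"\x00" + bytes(3 * width)) * height))
    return SIGNATURES["PNG"][0] + ihdr + idat + chunk(b"IEND", b"")


def make_unallocated() -> bytes:
    """Constructed unallocated space: stale text, a whole BMP at offset 192, a whole
    PNG, and a JPEG whose tail (with its FFD9 end marker) has been overwritten."""
    jpeg_fragment = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01" + b"\x11" * 40
    return (bytes(128) + b"stale notes from a wiped partition" + bytes(30) + make_bmp(2, 2)
            + bytes(64) + make_png(4, 4) + bytes(64) + jpeg_fragment + bytes(100))


if __name__ == "__main__":
    buf = make_unallocated()
    for hit in carve(buf):
        print(hit)        # BMP and PNG complete, JPEG reported as an incomplete fragment
```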

Image File Forensic Tools

You can use image file forensic tools to extract data from an existing image file (i.e., a duplicate of data) so that you can view them. Some of these tools also have built-in image viewers, allowing you to view images without modifying them. Some of the more popular image file forensic tools available include the following:

- GFE Stealth
- P2 eXplorer
- ILook

(H) WINDOWS REGISTRY EVIDENCE ANALYSIS

Windows Registry forensics is an important branch of computer and network forensics. The Windows Registry is often considered the heart of the Windows operating system because it contains all of the configuration settings of specific users, groups, hardware, software, and networks. Therefore, the Windows Registry can be viewed as a gold mine of forensic evidence that could be used in court. This section introduces the basics of the Windows Registry, describes its structure and the keys and subkeys that have forensic value, and discusses how the Windows Registry forensic keys can be applied in intrusion detection.

The Registry is a central hierarchical database used in Microsoft Windows 9x, Windows CE, Windows NT, and Windows 2000 to store information necessary to configure the system for one or more users, applications and hardware devices.

The Registry was first introduced with Windows 95 and has been incorporated into many Microsoft operating systems since. Although some versions slightly differ, they all are essentially composed of the same structure and serve the main purpose of a configuration database. The Registry replaces configuration files that were used in MS-DOS, such as config.sys and autoexec.bat. The primary purpose of config.sys was to load device drivers, and the primary purposes of autoexec.bat were to run startup programs and set environment variables; the Registry now handles these functions. In addition to replacing DOS configuration files, the Registry also replaces the text-based initialization (.ini) files that were introduced in Windows 3.0. The .ini files, specifically win.ini and system.ini, store user settings and operating system parameters.

Structure of the Windows Registry

By opening the Registry Editor (by typing 'regedit' in the Run window), the Registry can be seen as one unified 'file system'. The left-hand pane, also known as the key pane, contains an organized listing of what appear to be folders. The five top-level folders are called 'hives' and begin with 'HKEY' (an abbreviation for Handle to a Key). Although five hives can be seen, only two of these are actually 'real': HKEY_USERS (HKU) and HKEY_LOCAL_MACHINE (HKLM). The other three are shortcuts or aliases to branches within one of the two hives. Each of these five hives is composed of keys, which contain values and subkeys. Values are the names of certain items within a key, which uniquely identify specific values pertaining to the operating system, or to applications that depend upon that value.

A common analogy that is often used to help understand the structure of the Windows Registry is a comparison between it and the Windows Explorer file system, since both are very similar in their structures. The key pane of the Registry is much like the hierarchical structure of the left-hand pane in the Windows Explorer file system. The keys and subkeys located within the five main hives are similar to folders and subfolders of Windows Explorer, and a key's value is similar to a file within a folder. In the right-hand pane of the Windows Registry, a value's name is similar to a file's name, its type is similar to a file's extension, and its data is similar to the actual contents of a file.

Root Key Functions:

Below are listed the five hierarchical hives seen in Figure 1, with a very basic description of each. Beside each root key is its commonly used abbreviation in parentheses, which is used throughout this section.

1. HKEY_CLASSES_ROOT (HKCR)

Information stored here ensures that the correct program opens when a file is executed in Windows Explorer. It also contains further details on drag-and-drop rules, shortcuts, and information on the user interface. Alias for: HKLM\Software\Classes

2. HKEY_CURRENT_USER (HKCU)

Contains configuration information for the user who is currently logged into the system, including the user's folders, screen colors, and Control Panel settings. Alias for a user-specific branch in HKEY_USERS. The generic information usually applies to all users and is HKU\.DEFAULT.

3. HKEY_LOCAL_MACHINE (HKLM)

Contains machine hardware-specific information that the operating system runs on. It includes a list of drives mounted on the system and generic configurations of installed hardware and applications.

4. HKEY_USERS (HKU)

Contains configuration information of all user profiles on the system, which concerns application configurations and visual settings.

5. HKEY_CURRENT_CONFIG (HKCC)

Stores information about the system's current configuration. Alias for: HKLM\Config\profile

Examination Tools

Currently, there are many tools available to forensic examiners for extracting evidentiary information from the Registry. The tool used in this section to analyze and navigate the Registry is Registry Editor (regedit.exe). Registry Editor is free and available on any installation of Microsoft Windows XP with administrator privileges.

The Registry as a Log

All Registry keys contain a value associated with them called the 'LastWrite' time, which is very similar to the last modification time of a file. This value is stored as a FILETIME structure and indicates when the Registry key was last modified. According to the Microsoft Knowledge Base, a FILETIME structure represents the number of 100-nanosecond intervals since January 1, 1601. The LastWrite time is updated when a Registry key has been created, modified, accessed, or deleted. Unfortunately, only the LastWrite time of a Registry key can be obtained, whereas a LastWrite time for a Registry value cannot.

Harlan Carvey, author of Windows Forensics and Incident Recovery, refers to a tool called Keytime.exe, which allows an examiner to retrieve the LastWrite time of any specific key. Keytime.exe can be downloaded from http://www.windowsir.com/tools.html.

Knowing the LastWrite time of a key can allow a forensic analyst to infer the approximate date or time an event occurred. And although one may know the last time a Registry key was modified, it still remains difficult to determine what value was actually changed. Using the Registry as a log is most helpful in the correlation between the LastWrite time of a Registry key and other sources of information, such as MAC (modified, accessed, or created) times found within the file system.

MRU Lists

MRU, or 'most recently used', lists contain entries made due to specific actions performed by the user. There are numerous MRU lists located throughout various Registry keys. The Registry maintains these lists of items in case the user returns to them in the future. It is basically similar to how history and cookies work in a web browser. One example of an MRU list located in the Windows Registry is the RunMRU key. When a user types a command into the 'Run' box via the Start menu, the entry is added to this Registry key. The location of this key is HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU and its contents can be seen in Figure 2.

The chronological order of applications executed via 'Run' can be determined by looking at the Data column of the 'MRUList' value. The first letter of this is 'g', which tells us that the last command typed in the 'Run' window was to execute notepad. Also, the LastWrite time of the RunMRU key will correlate with the last application executed in 'Run', or in this case application 'g'.
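The LastWrite decoding and MRUList ordering described above, as an added example (not from the original essay, from Carvey's Keytime.exe, or from any Microsoft tool): it converts a FILETIME (100-nanosecond intervals since 1 January 1601) to a timestamp, orders RunMRU entries most-recent-first from the MRUList letters, and checks whether the key's LastWrite time falls within a tolerance of a file-system MAC time. The RunMRU contents, LastWrite value and file timestamp are constructed sample data; the trailing "\1" on each entry is how real RunMRU values are stored and is stripped for display.

```python
"""Added example (not from the original essay): decode a key's LastWrite
FILETIME, order RunMRU entries from the MRUList value, and check whether the
key's LastWrite lines up with a file-system timestamp. The RunMRU contents and
timestamps below are constructed sample data."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FILETIME = 116_444_736_000_000_000   # 1970-01-01 expressed as a FILETIME


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-nanosecond intervals since 1 January 1601 (UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def filetime_from_bytes(raw: bytes) -> int:
    """Hive files store a FILETIME as 8 little-endian bytes."""
    return int.from_bytes(raw, "little")


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here to build the constructed LastWrite value."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def order_run_mru(values: dict) -> list:
    """Most-recent-first (letter, command) pairs. MRUList holds one letter per
    entry with the most recent first; real entries carry a trailing '\\1',
    which is stripped here."""
    return [(letter, values[letter].rsplit("\\", 1)[0])
            for letter in values.get("MRUList", "") if letter in values]


def lastwrite_matches(lastwrite_ft: int, other: datetime, tolerance_s: int = 120) -> bool:
    """True when the key's LastWrite is within tolerance of another artifact's time
    (for example the modified time of a file the last Run command produced)."""
    gap = filetime_to_datetime(lastwrite_ft) - other.astimezone(timezone.utc)
    return abs(gap.total_seconds()) <= tolerance_s


# Constructed RunMRU key, modelled on HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
RUN_MRU = {
    "a": "cmd\\1", "b": "regedit\\1", "c": "calc\\1", "d": "mspaint\\1",
    "e": "msconfig\\1", "f": "control\\1", "g": "notepad\\1",
    "MRUList": "gbeadcf",
}
RUN_MRU_LASTWRITE = datetime_to_filetime(datetime(2016, 9, 13, 10, 15, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    print("LastWrite:", filetime_to_datetime(RUN_MRU_LASTWRITE))
    for letter, cmd in order_run_mru(RUN_MRU):
        print(letter, cmd)                                       # g notepad first, f control last
    note_mtime = datetime(2016, 9, 13, 10, 16, 2, tzinfo=timezone.utc)   # constructed file MAC time
    print(lastwrite_matches(RUN_MRU_LASTWRITE, note_mtime))      # True
```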

Forensic Evidence from Security Identifiers

Each user, group, and computer is assigned a Security Identifier (SID). Access control lists also use SIDs to distinguish different users and groups. In most real cases, it’s impossible to know the usernames or group names on a computer; SIDs are the only identifiers for different users and groups. In addition, the locations of SIDs are very easy to find.

Forensic Evidence about System Access through User Activities

User activities include all of the actions that users have performed on a computer. Here we only focus on those actions that may provide useful information for investigation. In the Windows Registry, most of the user activities are recorded in “ntuser.dat”.

Fig 4.1 - Structure of the Windows Registry

(I) STEGANOGRAPHY DETECTION

Steganography literally means “covered message” and involves transmitting secret messages through seemingly innocuous files. The goal is that not only does the message remain hidden, but also that the fact that a hidden message was even sent goes undetected (Johnson and Jajodia, 1998). There are many tools available (Steganography Software Web Page) that can hide messages in images, audio files and video, and steganography is now in common use (Johnson, et al., 2001). Whereas cryptography has been the preferred tool for sending secret messages, relying on complex ciphers to prevent detection, the huge bandwidth of the Internet now offers an alternative or complementary approach.

With the wide use and abundance of steganography tools on the Internet, law enforcement authorities have concerns about the trafficking of illicit material through web page images, audio, and other files. Methods of detecting hidden information and understanding the overall structure of this technology are crucial in uncovering these activities.

Digital image steganography is growing in use and application. In areas where cryptography and strong encryption are being outlawed [1], people are using steganography to avoid these policies and to send their messages secretly.

What is Steganography?

The word steganography comes from the Greek “steganos” (hidden or secret) and “graphy” (writing or drawing) and literally means hidden writing. Steganography uses techniques to communicate information in a way that is hidden.

Steganography hides the existence of a message by transmitting information through various carriers. Its goal is to prevent the detection of a secret message. The most common use of steganography is hiding information from one file within the information of another file. For example, cover carriers, such as images, audio, video, text, or code represented digitally, hold the hidden information. The hidden information may be plaintext, ciphertext, images, or information hidden in a bit stream. The cover carrier and the hidden information together form a stego-carrier.

A stego-key, such as a password, is additional information used to further conceal a message. An investigator who does not possess the name of the file and the password cannot know about the file’s existence.

Visual Detection

By looking at repetitive patterns, you can detect hidden information in stego images. These repetitive patterns might reveal the identification or signature of a steganography tool or hidden information. Even small distortions can reveal the existence of hidden information.

You can analyze these patterns by comparing the original cover images with the stego images and trying to see differences. This is called a known-cover attack. By comparing numerous images, patterns become possible signatures of a steganography tool. A few of these signatures might identify the existence of hidden information and the tools used to embed the messages. With this information, even if the cover images are not available for comparison, the derived known signatures are enough to imply the existence of a message and identify the tool used to embed it.

Tools used to hide information

There are two possible groups of steganographic tools: the image domain and the transform domain. Image domain tools include bit-wise methods that apply least significant bit (LSB) insertion and noise manipulation. The tools in this group are StegoDos, STools, Mandelsteg, EzStego, Hide and Seek (versions 4.1 through 1.0 for Windows 95), Hide4PGP, Jpeg-Jsteg, White Noise Storm, and Steganos. The image formats used by these steganography methods cannot be lossy, so that the hidden information can be rearranged or recovered.

The transform domain tools include those groups that manage algorithms and image transforms such as the Discrete Cosine Transformation (DCT). The DCT is a technique used to compress JPEG, MJPEG and MPEG, in which pixel values are converted to frequency values for further processing. This process makes visual analysis attacks against JPEG images difficult.

These two methods hide information in more areas of the cover and may manipulate image properties such as luminance or the color palette. These methods will allow more hidden information (about 30 percent of the size of the carrier) in a carrier file. JPEG images are used on the Internet because of their compression quality, which does not degrade the image.
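The known-cover attack and the LSB insertion signature discussed above, as an added example that is not part of the original essay or of any of the tools it names: a grayscale cover "image" is constructed as a byte string, a stego copy is produced by sequential LSB insertion purely so that the detector has something to compare, and the pixel-by-pixel comparison exposes the signature (every change confined to the lowest bit, in a contiguous prefix of the image) and reads the hidden bytes back. The one-byte length prefix is an assumption about the embedding layout, not a property of any named tool.

```python
"""Added example (not from the original essay): a known-cover attack against
least-significant-bit (LSB) insertion. The cover 'image' (8-bit grayscale
pixels) is constructed, a stego copy is made by sequential LSB insertion purely
to give the detector something to compare, and the comparison exposes the
signature of the embedding and recovers the hidden bytes."""
import random


def make_cover(n_pixels: int, seed: int = 7) -> bytes:
    """Constructed grayscale cover: a gradient with a little noise."""
    rng = random.Random(seed)
    return bytes((i * 255 // n_pixels + rng.randint(-3, 3)) % 256 for i in range(n_pixels))


def lsb_embed(cover: bytes, payload: bytes) -> bytes:
    """Sequential LSB insertion: a one-byte length (assumed layout), then the
    payload, one bit per pixel, most significant bit first. Builds the sample only."""
    if len(payload) > 255:
        raise ValueError("payload longer than the one-byte length field allows")
    data = bytes([len(payload)]) + payload
    bits = [(b >> (7 - k)) & 1 for b in data for k in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload too large for this cover")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def known_cover_attack(cover: bytes, stego: bytes) -> dict:
    """Compare the suspect image with the original cover pixel by pixel. LSB
    tools leave a signature: each changed pixel differs only in its lowest bit,
    and sequential tools confine the changes to a prefix of the image."""
    if len(cover) != len(stego):
        raise ValueError("cover and stego images differ in size")
    changed = [i for i, (c, s) in enumerate(zip(cover, stego)) if c != s]
    lsb_only = all(cover[i] ^ stego[i] == 1 for i in changed)
    region_end = changed[-1] + 1 if changed else 0       # last pixel the tool touched
    return {"hidden_data": bool(changed), "changed_pixels": len(changed),
            "lsb_only": lsb_only, "region_end": region_end,
            "region_fraction": region_end / len(cover)}


def lsb_extract(stego: bytes) -> bytes:
    """Read the LSB plane back: first byte is the length, then that many bytes."""
    def byte_at(n):
        v = 0
        for k in range(8):
            v = (v << 1) | (stego[n * 8 + k] & 1)
        return v
    length = byte_at(0)
    return bytes(byte_at(n) for n in range(1, length + 1))


if __name__ == "__main__":
    cover = make_cover(4096)
    stego = lsb_embed(cover, b"sample hidden text")
    print(known_cover_attack(cover, cover))      # untouched copy: hidden_data False
    report = known_cover_attack(cover, stego)
    print(report)                                # hidden_data True, lsb_only True, region_end <= 152
    if report["lsb_only"]:
        print(lsb_extract(stego))                # b'sample hidden text'
```

With only about half the pixels in the embedded region actually changing (a payload bit often equals the cover's existing LSB), the changed-pixel count understates the payload; the end of the changed region is the better size estimate, which is why the report carries both.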

(J) FORENSICS INVESTIGATION USING ENCASE

EnCase, by Guidance Software, is considered by many to be the industry standard software tool for computer forensics examinations of media. Law enforcement, government agencies, and many colleges and universities have adopted EnCase Forensic Edition as their de facto software forensic tool.

Guidance Software first released EnCase Forensic Edition version 1 on February 20, 1998. This first version ran only on Microsoft Windows operating systems and was limited to reading the FAT12, FAT16, FAT32, and NTFS file systems. On January 10, 2007, Guidance Software released EnCase version 6. This latest version of EnCase runs on a variety of platforms, including Windows, Linux, and UNIX, and can read over 20 file systems, including TiVo file systems. Some of the enhanced features of this version include the ability to analyze Microsoft Virtual PC and VMware images as well as some PDA (Personal Digital Assistant) platforms. An EnCase image contains a duplicate of the suspect’s media, along with additional information about the case. The evidence file will contain a bit-by-bit copy of the original media. A bit-by-bit copy is critical when creating an evidence file because it may contain items such as deleted files, folders, and slack space from the original media. The items in the evidence file could be critical in determining the outcome of a computer forensics investigation. In addition to the bit-by-bit copy of the original suspect’s media, the evidence file will also contain information such as the name of the investigator, the case number, the date of acquisition, and other pertinent information about the case. This information is all relevant so that a chain of custody timeline can be established. The added information about the chain of custody is one way that the actual evidence file will differ from the suspect’s copied media.

Evidence File Format

When a computer forensic technician uses the EnCase imaging software, files will be saved with the extension .E##, numbered sequentially from E01 up to E99. The evidence file contains both the data from the suspect’s original media, including deleted files, folders, and slack space, as well as information added by the investigator during the acquisition process. This could include such fields as case number, examiner name, evidence number, description, notes, and other fields that will help establish the chain of custody for this particular evidence. Because an EnCase image file contains both the suspect’s media and other case-related information, it differs from an image made using dd or dcfldd. So, while Linux dd could be used to create a bit-by-bit image, that image would not have any case-related information. Using EnCase to acquire evidence files ensures that both the suspect’s data and the pertinent case information will be retained.

Ensuring File Integrity

Ensuring file integrity is a critical part of acquisition for every computer forensic investigator. For data to have integrity, it should not have been altered or corrupted. To ensure that the forensic copy of the suspect’s data has integrity, EnCase forensic software does a cyclic redundancy check (CRC) for every block of 64 sectors (mandatory on all versions of EnCase prior to version 5) on the original media.

The other mechanism used in EnCase to ensure data integrity is a Message Digest 5 (MD5) hash. MD5 is a hashing algorithm applied to a data stream; when this algorithm is applied to a set of data, an MD5 hash value is generated.
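The two integrity mechanisms just described, reproduced as an added example that is not EnCase's code or the essay's own: a bit-for-bit copy of a constructed "source medium" (the bitstream copy from the data acquisition section), a CRC for every block of 64 sectors, and an MD5 over the whole acquisition, followed by a verification that names the block that no longer matches. CRC-32 is an assumption, since the essay does not say which CRC EnCase computes.

```python
"""Added example (not from the original essay): the integrity scheme described
above reproduced in Python: a bit-for-bit copy of the source, a CRC for every
block of 64 sectors, and an MD5 over the whole acquisition, then a verification
that pinpoints the block that no longer matches. The 'source media' is a
constructed byte string, and CRC-32 is an assumption (the essay does not say
which CRC EnCase computes)."""
import hashlib
import random
import zlib

SECTOR = 512
BLOCK = 64 * SECTOR          # CRC granularity: 64 sectors, as described above


def acquire(source: bytes) -> dict:
    """Bitstream copy of the source plus per-block CRCs and a whole-image MD5.
    MD5 is what the essay describes; today an examiner would record SHA-256 as well."""
    image, crcs, md5 = bytearray(), [], hashlib.md5()
    for off in range(0, len(source), BLOCK):
        block = source[off:off + BLOCK]      # every byte copied: live data, deleted data, slack
        image += block
        crcs.append(zlib.crc32(block) & 0xFFFFFFFF)
        md5.update(block)
    return {"image": bytes(image), "crcs": crcs, "md5": md5.hexdigest()}


def verify(image: bytes, crcs: list, md5_hex: str) -> dict:
    """Recompute every block CRC and the MD5; list blocks whose CRC no longer matches."""
    n_blocks = (len(image) + BLOCK - 1) // BLOCK
    bad = [i for i in range(n_blocks)
           if i >= len(crcs) or zlib.crc32(image[i * BLOCK:(i + 1) * BLOCK]) & 0xFFFFFFFF != crcs[i]]
    if n_blocks < len(crcs):                # image truncated: trailing blocks are missing
        bad.extend(range(n_blocks, len(crcs)))
    md5_ok = hashlib.md5(image).hexdigest() == md5_hex
    return {"md5_ok": md5_ok, "bad_blocks": bad, "verified": md5_ok and not bad}


def make_source(n_sectors: int, seed: int = 3) -> bytes:
    """Constructed 'suspect media' filled with pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_sectors * SECTOR))


def flip_bit(data: bytes, index: int, bit: int = 0) -> bytes:
    """Return a copy with one bit changed, simulating damage or tampering."""
    out = bytearray(data)
    out[index] ^= 1 << bit
    return bytes(out)


if __name__ == "__main__":
    src = make_source(200)                  # 200 sectors: three full blocks and one partial
    acq = acquire(src)
    print(verify(acq["image"], acq["crcs"], acq["md5"]))             # verified True
    tampered = flip_bit(acq["image"], 3 * BLOCK + 10)                # one bit inside block 3
    print(verify(tampered, acq["crcs"], acq["md5"])["bad_blocks"])   # [3]
    truncated = acq["image"][:2 * BLOCK]
    print(verify(truncated, acq["crcs"], acq["md5"])["bad_blocks"])  # [2, 3]
```

The whole-image hash only says that something changed; the per-block CRCs are what let the examiner say where, which is the practical reason for keeping both.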

How You Acquire a File Image

FastBloc, a hardware write-blocker, can be used to acquire file images. You can also use a forensically sound DOS boot disk to acquire file images. Another method for acquiring file images is using LinEn on a live CD that does not auto-mount. You can also acquire file images over a network or through a crossover cable.

The EnCase interface:

REFERENCES

(a) SANS - Information Security Resources. 2016. SANS - Information Security Resources. [ONLINE] Available at: https://www.sans.org/security-resources/idfaq/what-is-a-honeypot/1/9. [Accessed 09 September 2016].

(b) Network Intrusion: Methods of Attack | RSA Conference. 2016. Network Intrusion: Methods of Attack | RSA Conference. [ONLINE] Available at: https://www.rsaconference.com/blogs/network-intrusion-methods-of-attack. [Accessed 09 September 2016].

(c) Wikipedia. 2016. Audio forensics - Wikipedia, the free encyclopedia. [ONLINE] Available at: https://en.wikipedia.org/wiki/Audio_forensics. [Accessed 10 September 2016].

(d) An Introduction To Forensic Audio | Sound On Sound. 2016. An Introduction To Forensic Audio | Sound On Sound. [ONLINE] Available at: http://www.soundonsound.com/techniques/introduction-forensic-audio. [Accessed 10 September 2016].

(e) Forensic Focus. 2016. A Forensic Analysis Of The Windows Registry | ForensicFocus.com. [ONLINE] Available at: http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry. [Accessed 13 September 2016].

(f) George Berg. 2000. Automatic Detection of Steganography. [ONLINE] Available at: http://web.cs.ucdavis.edu/~davidson/Publications/IAAI103.pdf. [Accessed 13 September 2016].