Looking forward to chapter 4. Most of the stuff in this chapter is common sense. For instance, there is a section on the investigator's lab, office ergonomics, and environmental conditions in an office. Needless to say, if you have had any experience as a system administrator, this chapter can be skipped.
The only part that I enjoyed reading was the section on forensic certifications and training. It makes me wonder what, if any, forensics experts in the Cedar Falls area work with law enforcement and have this training, or whether forensic analysis is just contracted out. I know ACES and Iowa Technology Services are in the area and will probably be able to handle such a case. But, back to forensic certification and training. This has always been appealing to me, as I thought it would be my way into a career with the FBI. It wasn't until later that I realized working to find the scum of the earth really wouldn't be my favorite job. However, these certifications are always an option for continuing my education.
I really shouldn't knock this chapter too much. It discusses some important 'things to consider' in handling budgets, necessary equipment, hiring staff, machine maintenance, storage, etc. All good stuff, but not exactly things that I'm worried about.
Chapter 4 covers the software and tools! Looking forward to it.
Wednesday, September 16, 2009
Sunday, September 13, 2009
Weekend with dd
In the past I had only used dd sparingly. I knew that it has great potential, but hadn't really used it a whole lot. This weekend I had a great reason to use it. The application was simple: create an image of a hard drive. Here's the command I used.
crsvcs-techlap01-3:Forensics hartzd$ dd if=/dev/disk1 of=/Users/hartzd/Desktop/Forensics/drive-20090913-1900.dmg conv=noerror,sync
1024000+0 records in
1024000+0 records out
524288000 bytes transferred in 92.648891 secs (5658870 bytes/sec)
The original plan was to image an old hard drive that was in my external laptop enclosure. Unfortunately, the external hard disk was the same size as my internal disk. So, time for plan B. I decided to use my wife's USB drive instead, which is great, because I had no idea what was on it. The funny thing was it turned out to be my old thumb drive that I lost a while back. Score!
Anyways, the result was nice. I was able to create a dmg image that can be mounted and examined. I never tried to recover any deleted files off of the drive, as the only applications I've ever used were Windows executables. (Suggestions?) I did find a site with some OS X tools (http://www.macosxforensics.com) and was able to take a look at the drive image through a hex editor, although I was only able to pick up bits and pieces of files on the disk.
To be continued with any analysis of this drive. . .
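As an added example, not code from this post: a small Python imager that reproduces what dd's conv=noerror,sync actually does, so its effect on the image and on the image's hash is visible. The FlakyDevice stand-in for /dev/disk1 and the sample bytes are constructed for the demo; a real device opened with open("/dev/rdisk1", "rb") (path assumed) offers the same read()/seek() calls.

```python
import hashlib
import io

SECTOR = 512  # dd's default block size and the sector size of a typical drive


class FlakyDevice:
    """Constructed stand-in for /dev/disk1 (an assumption for this demo): an
    in-memory byte buffer whose read() fails with EIO on chosen sectors, the
    way a drive with unreadable blocks would. A real file object from
    open("/dev/rdisk1", "rb") exposes the same read()/seek() interface."""

    def __init__(self, data, bad_sectors=()):
        self._data = data
        self._bad = set(bad_sectors)
        self._pos = 0

    def seek(self, offset):
        self._pos = offset

    def read(self, n):
        if self._pos // SECTOR in self._bad:
            raise OSError(5, "Input/output error")
        chunk = self._data[self._pos:self._pos + n]
        self._pos += len(chunk)
        return chunk


def image_device(dev, out, bs=SECTOR):
    """Copy dev to out one block at a time with the semantics of
    dd conv=noerror,sync: a block that cannot be read is logged, replaced by
    bs zero bytes and skipped (noerror), and a short final read is zero-padded
    to a full block (sync). Returns (records, bad_offsets, sha256 of image)."""
    digest = hashlib.sha256()
    bad_offsets = []
    records = 0
    offset = 0
    while True:
        try:
            chunk = dev.read(bs)
            if not chunk:
                break  # clean end of device
        except OSError:
            bad_offsets.append(offset)
            chunk = b""             # nothing readable: zeros are substituted below
            dev.seek(offset + bs)   # move past the bad block and keep going
        chunk = chunk.ljust(bs, b"\x00")  # sync: pad short or empty reads to bs
        out.write(chunk)
        digest.update(chunk)
        records += 1
        offset += bs
    return records, bad_offsets, digest.hexdigest()


def sha256_hex(data):
    """Hash of the original medium, to compare against the image's hash."""
    return hashlib.sha256(data).hexdigest()


def image_bytes(data, bad_sectors=()):
    """Image a constructed in-memory device. Returns (records, bad_offsets,
    image_hash, image_bytes) so the padding and hashing can be inspected."""
    out = io.BytesIO()
    records, bad, digest = image_device(FlakyDevice(data, bad_sectors), out)
    return records, bad, digest, out.getvalue()


if __name__ == "__main__":
    # Constructed sample medium: 4 sectors of repeating bytes, sector 2 unreadable.
    medium = bytes(range(256)) * 8
    records, bad, img_hash, image = image_bytes(medium, bad_sectors={2})
    print(f"{records}+0 records out, bad blocks at byte offsets {bad}")
    print("medium sha256:", sha256_hex(medium))
    print("image  sha256:", img_hash, "(differs: zeros stand in for the bad block)")
```

Two things worth carrying back to the dd session above. First, hash both the source and the image (shasum -a 256 on OS X, sha256sum on Knoppix) and keep the record counts and bad-block list with the image: with noerror,sync the two hashes legitimately differ when a block was unreadable, and the notes are the only record of why. Second, a larger bs speeds up a real drive (as does /dev/rdisk1 instead of /dev/disk1 on OS X), but conv=sync zero-fills a whole bs-sized chunk for every read error, so re-read any failing region with bs=512 to lose as little as possible, and unmount the medium first (diskutil unmountDisk) so the OS does not write to it while it is being imaged.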
Wednesday, September 9, 2009
That's my choice, and I'm sticking to it.
I've decided reading more than one book at a time is probably not a good idea. So, I'm going to read Guide to Computer Forensics and Investigations first. That being said, I've proceeded through chapter 2 and here are some findings.
Chapter 2: Understanding Computer Investigations
This chapter discusses the ins and outs of an investigation. I really never thought about the proper way to investigate a machine legally, but obviously documentation is key. The stuff I am more interested in is actually doing the investigating. Even though this book is only three years old, it shows its age in this chapter. I understand that this book is tailored to those who use Windows machines and have little forensic background. However, this chapter discusses in detail how to create a DOS-based boot floppy. Need I say more? Needless to say I glazed over during much of this discussion, as I have found much more useful tools, none of which are restricted to 1.44 MB floppies. Knoppix, as stated in an earlier post, is the primary tool of use. Other bootable operating systems I've used are Bart's PE (http://www.nu2.nu/pebuilder/), Ophcrack (http://ophcrack.sourceforge.net/), and last but definitely not least the BCCD (http://www.bccd.net/).
Bart's PE is a Windows XP bootable environment. There are quite a few optional plugins to enhance what is already available, one of which will reset the administrator password on Windows XP machines. This has helped me a few times in the past after dropping a machine out of Active Directory. I have had some difficulties trying to create a fully bloated Bart's disk that includes all the plugins. Yet, you can usually find prebuilt ISOs with the plugins already installed.
Ophcrack is simply a bootable password cracker, for when you don't want to use a Bart's disk to change the password. Ophcrack uses rainbow tables that are preloaded, but there is an option to add additional tables from removable media if available. I've always wanted to try the 80 GB worth of tables from Project RainbowCrack, but never found the time. (http://project-rainbowcrack.com/table.htm)
DriveSpy is the floppy-based environment discussed in this chapter. Upon doing some further investigation, there is nothing that DriveSpy can do that Knoppix cannot. For instance, you can tailor DriveSpy to keep a log of all the commands you run while looking at evidence on the command line. Enter .bash_history in Knoppix (with the caveat that .bash_history is only written out when the shell exits and records neither timestamps nor output, so the script command makes the more defensible log). However, the chapter does mention the ability to look through unallocated and slack space on a disk. Add that to the To Do list, because I'm not exactly sure how to look through slack space on a disk. Maybe I'm making that sound more difficult than it really is.
A great piece of information discussed in this chapter was about finding deleted files on a Windows machine. The FAT file system marks a deleted file by overwriting the first byte of its directory entry with 0xE5, which a hex editor's text column displays as a lowercase sigma (σ). So, when perusing the directory entries, file names that begin with a sigma have been deleted, while the rest of the name, the starting cluster, and the file size remain in the entry until it is reused. Very cool! I am guessing this is how my Undelete freeware application works. I found a little more information on the subject from InformIT here: http://www.informit.com/articles/article.aspx?p=339066 This reading piqued my interest in how other file systems do trash cleanup.
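An added example (not from the post or the book) that ties the two points above together in Python: it walks a FAT directory region, flags the entries whose first byte is 0xE5 (the byte that renders as σ), and then finds the slack of a live file by following its cluster chain in the FAT and taking what lies past end-of-file in the last cluster. The directory entries, FAT and data region are constructed in the block with 512-byte clusters and a data region starting at offset 0; on a real volume both values come from the boot sector.

```python
import struct

ENTRY_SIZE = 32
DELETED = 0xE5        # first byte of a freed entry; shown as σ in a CP437 text column
END_OF_DIR = 0x00     # first byte 0x00: this and every later entry is unused
ATTR_LFN = 0x0F       # attribute value of a VFAT long-name fragment, not a file
FAT32_EOC = 0x0FFFFFF8  # FAT32 chain values at or above this mean end of chain


def parse_entry(raw):
    """Decode one 32-byte 8.3 directory entry: name, attributes, first cluster
    (FAT32 keeps the high 16 bits at offset 20 and the low 16 at offset 26)
    and size. A deleted entry keeps everything except its first name byte."""
    name, attr, cl_hi, cl_lo, size = struct.unpack_from("<11sB8xH4xHI", raw)
    deleted = raw[0] == DELETED
    base, ext = name[:8], name[8:]
    if deleted:
        base = b"?" + base[1:]  # the original first character was overwritten
    stem = base.decode("ascii", "replace").rstrip()
    suffix = ext.decode("ascii", "replace").rstrip()
    return {"name": f"{stem}.{suffix}" if suffix else stem,
            "deleted": deleted,
            "directory": bool(attr & 0x10),
            "first_cluster": (cl_hi << 16) | cl_lo,
            "size": size}


def walk_directory(data):
    """Parsed short-name entries of a raw directory region, stopping at the
    end-of-directory marker and skipping long-name fragments."""
    entries = []
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = data[off:off + ENTRY_SIZE]
        if raw[0] == END_OF_DIR:
            break
        if raw[11] == ATTR_LFN:
            continue
        entries.append(parse_entry(raw))
    return entries


def deleted_files(data):
    """Names of entries flagged 0xE5, i.e. what an undelete tool lists first."""
    return [e["name"] for e in walk_directory(data) if e["deleted"]]


def slack_bytes(size, cluster_size):
    """Size of the file slack: bytes between EOF and the end of the last cluster."""
    return 0 if size == 0 else (-size) % cluster_size


def cluster_chain(fat, first_cluster):
    """Follow a FAT32 chain; the visited check stops on a looped, damaged FAT."""
    chain = []
    cluster = first_cluster
    while 2 <= cluster < FAT32_EOC and cluster not in chain:
        chain.append(cluster)
        cluster = fat[cluster] & 0x0FFFFFFF
    return chain


def file_slack(image, fat, entry, cluster_size, data_start):
    """Slack bytes of a file: locate its last cluster via the FAT, then take
    everything in that cluster past the file's logical end."""
    chain = cluster_chain(fat, entry["first_cluster"])
    if not chain or entry["size"] == 0:
        return b""
    last_off = data_start + (chain[-1] - 2) * cluster_size  # cluster 2 is the first data cluster
    used = entry["size"] - (len(chain) - 1) * cluster_size
    return image[last_off + used:last_off + cluster_size]


def make_entry(stem, suffix, attr, first_cluster, size, deleted=False):
    """Build a constructed directory entry for the demo (not data from a real disk)."""
    name = stem.ljust(8)[:8].encode() + suffix.ljust(3)[:3].encode()
    raw = bytearray(struct.pack("<11sB8xH4xHI", name, attr,
                                first_cluster >> 16, first_cluster & 0xFFFF, size))
    if deleted:
        raw[0] = DELETED
    return bytes(raw)


# Constructed sample: a root directory with a live file, a deleted file and a
# subdirectory, plus a tiny FAT32 table and data region with 512-byte clusters.
CLUSTER = 512
DIRECTORY = (make_entry("NOTES", "TXT", 0x20, 5, 700)
             + make_entry("SECRET", "DOC", 0x20, 9, 33000, deleted=True)
             + make_entry("PHOTOS", "", 0x10, 12, 0)
             + b"\x00" * ENTRY_SIZE)
FAT = [0x0FFFFFF8, 0xFFFFFFFF, 0, 0, 0, 6, 0x0FFFFFFF, 0, 0, 0, 0, 0, 0]
IMAGE = bytearray(CLUSTER * 8)
IMAGE[3 * CLUSTER:3 * CLUSTER + 700] = b"A" * 700   # NOTES.TXT spans clusters 5 and 6
IMAGE[3 * CLUSTER + 700:5 * CLUSTER] = b"S" * 324   # bytes past EOF in cluster 6: the slack
IMAGE = bytes(IMAGE)

if __name__ == "__main__":
    for e in walk_directory(DIRECTORY):
        tag = "deleted" if e["deleted"] else "live"
        print(f"{e['name']:<12} {tag:<8} cluster={e['first_cluster']} size={e['size']}")
    notes = walk_directory(DIRECTORY)[0]
    print("NOTES.TXT slack:", file_slack(IMAGE, FAT, notes, CLUSTER, data_start=0))
```

Note what deletion leaves behind: the entry's name (minus one character), size and first cluster survive, but the file's cluster chain in the FAT is released, so a deleted file longer than one cluster can only be recovered by assuming its clusters were contiguous. The slack of a live file is the tail of its last cluster past EOF, which is why the 324 bytes of S above are invisible through the file system yet still sit on the disk.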
While this chapter wasn't exactly enthralling, it did touch on a couple of items that I would like to investigate further. Hopefully, I'll find some time over the weekend to do this. I've discussed one item on my To Do list to research for this class; here are a few more:
- Unallocated and slack space research
- How other file systems denote deleted files (HFS+, ext, NTFS)
- Also, getting an exact copy of a drive or "piece of evidence," as the book would call it. What I'm interested in is creating an iso of an HFS+ Mac OS X drive, then stepping into the drive backup. I have the perfect situation ready at home. I recently purchased a new hard drive for my MacBook and didn't wipe the contents off of the old disk. Sounds like a date with netcat and dd is in order for this weekend!
Wednesday, September 2, 2009
Introductions....
Well, I've started reading Digital Evidence and Computer Crime, and have gotten through the first two introductory chapters. They were just that: very introductory. It's hard to find anything very interesting to talk about. The chapters covered definitions and just set the stage for later chapters. I have a feeling this book is going to cover aspects of specific cases and study what was found therein. I will like reading about the Electronic Communications Privacy Act, as well as the Computer Fraud and Abuse Act, in later chapters. Not having a great knowledge of the specific laws currently in place, that should make for a good read.
It was interesting to read how some phrases were defined in these opening chapters. For example:
Hardware as contraband was defined as hardware used to intercept electronic communication, which makes me wonder how www.thinkgeek.com can remain open when it sells a Key Katcher key logger.
The information as contraband section discussed how having encryption software was illegal in some states. This must be an old example, because honestly any and every machine could be considered suspect. Maybe that was the intention.
Digital information as instrumentality was defined as programs used as a means for committing computer crimes. This made me think of the first time I met Rick Seeley as an undergraduate. During the conversation I mentioned using Knoppix for some task. He then gave me a strange look and quipped something about it being a hacking tool. Well, yes it was, but that wasn't exactly the purpose of the project. Yet, just having such a CD can look incriminating to some. Needless to say, I may have to figure out a good alibi for having Ophcrack, Kismet, Nmap, Dsniff, Nessus, Netcat, Hping, et al. all installed at home.
Digital information as evidence was really defined as the paper trail. No, not T.I.'s latest album. Unless you obtained it via BitTorrent, then yes, that is evidence.
I've also made it through the first chapter of Guide to Computer Forensics and Investigations, which really just discussed being a forensics professional. Most of what was covered seemed to be common sense. Topics included lawful search and seizure procedures, preparing for investigations, working in the private sector, having a working knowledge of multiple operating systems, becoming a part of different computer-related user groups and organizations, etc.
What piqued my interest in this first chapter came about through one of the case studies. They described a case involving a murder investigation and the seizure of a computer containing evidence. Deleted files were recovered off of the suspect's computer, timestamped prior to the murder, and were then used during litigation to prove premeditation. Now, I've recovered data from drives in the past. However, I don't remember if the timestamp had been preserved, as, obviously, the timestamp didn't matter. The application used was a free Windows program called Undelete. It simply scoured hard drives for files that had the pointers deleted but still remained intact on the drive. Hopefully this and more topics will be discussed later in the book.
I haven't read much about network forensic work, but I decided to play around with netcat this week, doing some simple connections and file transfers. Seeing how netcat is the TCP/IP Swiss army knife, I should get to know it! I did find how to use netcat to send a hard drive image across the network via: nc -w3 hostname port | dd of=/dev/hda. This could be handy in doing forensic analysis of a drive.
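The netcat pipe above, shown end to end as an added example rather than the post's own code: the listening side plays the role of dd if=/dev/hda | nc -l -p PORT on the evidence machine and the connecting side plays nc -w3 host port | dd of=image on the workstation, with the receiver hashing the bytes as they arrive so the copy can be checked without a second pass over the image. Both ends run on 127.0.0.1 with a constructed 1 MiB byte string standing in for a drive; the port is chosen by the OS.

```python
import hashlib
import io
import socket
import threading

CHUNK = 64 * 1024


def serve_image(data, port=0):
    """Listening side: the role of `dd if=/dev/hda | nc -l -p PORT` (GNU netcat
    syntax) on the evidence machine. Accepts one client, streams the raw bytes,
    half-closes so the receiver sees EOF, then stops. Returns the bound port
    and the server thread. Binding port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(data)               # loops until every byte is on the wire
            conn.shutdown(socket.SHUT_WR)    # EOF marks the end of the image
        srv.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return srv.getsockname()[1], thread


def receive_image(host, port, out, timeout=3.0):
    """Connecting side: the role of `nc -w3 host port | dd of=image` on the
    workstation. Pulls bytes until the sender closes, writes them to `out`
    and hashes them on the fly. Returns (bytes_received, sha256_hex)."""
    digest = hashlib.sha256()
    total = 0
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while True:
            chunk = sock.recv(CHUNK)
            if not chunk:
                break
            out.write(chunk)
            digest.update(chunk)
            total += len(chunk)
    return total, digest.hexdigest()


def transfer_over_loopback(data):
    """Run both ends on 127.0.0.1 and compare hashes end to end.
    Returns (bytes_received, received_hash, source_hash, received_bytes)."""
    port, thread = serve_image(data)
    out = io.BytesIO()
    received, received_hash = receive_image("127.0.0.1", port, out)
    thread.join(timeout=5)
    return received, received_hash, hashlib.sha256(data).hexdigest(), out.getvalue()


if __name__ == "__main__":
    # Constructed stand-in for a drive: 1 MiB of patterned bytes.
    medium = bytes(range(256)) * 4096
    n, got, want, _ = transfer_over_loopback(medium)
    print(f"received {n} bytes; hashes {'match' if got == want else 'DIFFER'}")
```

Three caveats before using the one-liner on a real case. dd of=/dev/hda writes the stream straight onto a physical disk, producing a clone and destroying whatever /dev/hda held, so for analysis write to a file. Netcat provides no authentication and no integrity check: anyone who can reach the listener can pull the disk, and a dropped connection yields a silently short image, which is why the receiver above records the byte count and hash to compare against the same values computed on the evidence side. Finally, GNU netcat takes -l -p PORT while the OpenBSD version takes -l PORT.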