Structure of Case File
  Case #
    Case Files
      Image
        dd image
        Hash code
      Case Index
      FTK Report
      Doc
      Recovered files
        E-mails
        Photos
        Etc.

Forensic Work Station
  Clean install of the OS
  Clean install of all apps
  Clean install of all forensic packages
  Keep all evidence and case-related info on an external clean hard drive
  After the case is "completed", physically archive the external hard drive
  Wipe the operational hard drive

HD Data Acquisition: Imaging the Hard Drive
  1. Acquisition Layers
  2. Write Blockers
  3. Media Preparation
  4. Imaging
  5. Integrity Hashes

Imaging Digital Media
  Hash the media
  Make an exact copy of the media
    Everything: errors, deleted stuff
  Hash the image
    Prove it is an exact copy
    Compare with the hash of the original
    MD5, SHA1, SHA256

Acquisition Layers
  Device    - physical layer
  Partition - logical layer
  File      - logical layer
  Always acquire data at the lowest possible layer.
  Acquire every sector on the disk.
  Your tools can abstract the raw data at any level.

Acquisition Tools
  Know what your tools do
    1. Test them
    2. Validate them
    3. Test plan, test report
  NIST - http://www.cftt.nist.gov/disk_imaging.htm
  http://nij.ncjrs.gov/publications/Pub_search.asp?category=99&searchtype=basic&location=top&PSID=55&sort=date#nijpubs

Imaging Hardware Setup
  Forensics Workstation -> Write Blocker -> Suspect Media
  Forensic Storage (external)

Write Blockers
  Cannot touch the suspect media
  Evidence cannot be altered
  Important to verify: test, test, test
  Hardware and software: always use hardware
  Be careful of read-only and read/write blockers
  1. HW
     1. Paraben ($249.95 - $2000)
     2. Tableau ($249.95 - $2000)
  2. SW: modifies the interrupt table
  3. NIST reports: http://www.cftt.nist.gov/software_write_block.htm

Write Blocker: Tableau T8
  Inputs: USB
  Outputs: USB, Firewire
  Write-blocker on/off switch, USB device

Write Blocker: Tableau T35e
  Inputs: IDE, SATA
  Outputs: USB, Firewire
  Write-blocker on/off switch, IDE device, SATA cable

Write Blocker: Paraben
  Inputs: IDE
  Outputs: USB, Firewire
  Write-blocker on/off switch, IDE device

Case Storage: Media Preparation
  External hard drive storage
  Zero all sectors
    32-bit checksum = 0
    32-bit sum with carry bit added
    Use WinHex
  Partition
  Format NTFS

Particulars
  Start up Helix live CD
  Zero drive:      dd if=/dev/zero of=/dev/sdb
  Partition drive: fdisk /dev/sdb, etc.
  Format:          mkntfs /dev/sdb

Imaging
  Exact copy of drive
  Cannot be changed
  Must be verifiable
  HW/SW

Reading the Source
  1. Read device directly
  2. Extended INT13h
  3. Use the BIOS (INT13h); may lie about the size
  4. Dead vs live acquisition
  Error handling: logging, bad blocks

Imaging Apps
  FTK Imager
  EnCase
  WinHex
  Open Source
    Bootable memory stick
    dd - Windows (Garner), Linux
    Helix
    Defense Computer Forensic Labs: dcfldd, dc3dd

Output Format of Image
  1. Separate drive
     1. A single file - ease of use
     2. Multiple files - facilitate archiving on DVDs (160 Gbytes ~ 27 DVDs)
  2. Raw or custom
     1. dd can be interpreted by everything
     2. EnCase has embedded info
  3. Hash codes & errors
     1. Interlaced: EnCase saves in a proprietary format
     2. Separate file: dcfldd saves hashes in a separate file
     3. Nothing: dd; save the hash in a separate file (can calculate an MD5 hash)

Image Formats
  dd  - Raw bit-for-bit copy (.001)
  E01 - EnCase format (.e01); includes file description, hashes, etc.; uses zLib compression
  AD1 - AccessData Custom Content Logical Image
  S01 - SMART Linux format

Integrity Hashes
  1. CRC, MD5, SHA, SHA1, SHA256
  2. By device
  3. By partition
  4. By sector

dd
  Standard on all Linux distros
  Windows: http://gmgsystemsinc.com/fau/
    Create a directory at root level: C:\bin
    Add that path to your PATH environment variable
      Control Panel\System Properties\Environment Variables\System variables\Path - edit
      Append C:\bin
    Add Sysinternals

Using dd
  Unix command structure
  Included with all Unix/Linux/BSD distros
  Windows version is available: http://unxutils.sourceforge.net/ , http://www.gmgsystemsinc.com/fau/
    #dd input output options
    #dd if=suspect.drive of=E:\Case\image\captured

Input Sources
  Linux
    /dev/hda - ATAPI device
    /dev/sda - SCSI device
    /dev/fd0 - Floppy
    /dev/mem - RAM
  Windows
    \\.\PhysicalDevice0 - IDE bus 0 master device
    \\.\PhysicalMemory  - RAM

Output Sources
  Windows: F:\Images\Case-08001
  Linux
    On another internal drive: /dev/hdb1 - saved onto the slave drive on IDE bus 1
    Usually an external USB hard drive is mounted: /media/FlashDisk/hda-evidence.data

Options
  bs=n, ibs, obs - block size is n bytes, in or out or both
  skip=n         - skip n blocks
  count=n        - copy n blocks
  Must declare the block size prior to skip/count
    #dd if=/dev/sda1 of=/root/lynn.dd bs=4096 count=1

Example
  #dd if=/dev/sda1 of=/home/lynn/example.dd bs=512 count=1
  [The slide shows the 512-byte hex dump of the captured sector; it is omitted here. Its ASCII column identifies a FAT16 boot sector: OEM ID "MSDOS5.0", volume label "NO NAME", the "NTLDR is missing", "Disk error" and "Press any key to restart" strings, and the 55AA signature in the last two bytes.]
Md5 Hash
  #dd if=/dev/sda1 bs=512 count=1 | md5sum > hash.txt
  #cat hash.txt
  d41d8cd98f00b204e9800998ecf8427e
  #dd if=/dev/sda1 bs=512 count=1 | sha1sum > hash.txt
  #cat hash.txt
  d41d8cd98f00b204e9800998ecf8427e

dcfldd
  Very much like dd
    dcfldd if=/dev/mem of=/home/image conv=noerror bs=4096 \
        errlog=error_log1 \
        hash=md5 hashwindow=4096 hashlog=hash_dmp1 \
        hashformat="#hash#" >> report
  However, it lets you make multiple copies of the image
    dcfldd if=/dev/mem of=/home/image of=/media/storage/image2

Bad Sectors
  Bad sectors are treated differently
  Hashes may be different
    Some imagers zero fill
    One hash is calculated by ignoring the sector
    The other by using the zero fill after imaging
  Hard to explain in court

Remedies
  dcfldd conv=noerror,sync hashconv=after
    This converts bad sectors to zeroes
    Continues if an error is encountered
    This calculates the hash after the conversion for the device hash
    Can be questioned in court
    Hard to explain in court
  Better solution
    Use a small hash window
    Compare all the hashes of the small chunks
      hashwindow=1M hashlog=hash-dump
    Show that the hashes don't agree only on the bad sector

dc3dd
  Makes dd similar to dcfldd
  Written by Jesse Kornblum
  Maintained by DoD Cyber Crime Center
  • Pattern writes.
  • Piecewise and overall hashing with multiple algorithms and variable size windows. Supports MD5, SHA-1, SHA-256, and SHA-512.
  • Progress meter with automatic input/output file size probing
  • Combined log for hashes and errors
  • Error grouping. Produces one error message for identical sequential errors
  • Verify mode.
  • Ability to split the output into chunks with numerical or alphabetic extensions

dd_rescue
  Sort of like dd
  However, some of the options are not called the same
  Copies data from one device to another
  Attempts to correct block errors
  Usually does a really good job
  Can take a long time if the drive is hosed
  Not forensically sound

ddrescue (GNU)
  Sort of like dd_rescue
  However, some of the options are not called the same
  Copies data from one device to another
  Attempts to correct block errors
  Usually does a really good job
  Can take a long time if the drive is hosed
  Not forensically sound

X-Ways Software Technology AG
  Builds WinHex: very good hexadecimal editor, $300
  And X-Ways Forensics: excellent forensics package, $1000

Access Data Corp.
  FTK - Forensics Tool Kit (1.70, 1.72, 1.80, 2.0, 2.2, 3.2), $3000 - 4000
  PRTK - Password Recovery Toolkit
  Registry Viewer
  FTK Imager: free

Spinrite
  Fast, accurate
  Does overwrite the drive: not forensically sound
  Great if you are desperate
  Recovers a lot of data off of an injured drive
  $89.00

Lab Today: Dry Run
  Use dd on the hard drive in the workstation
  Only capture the first 100 sectors or so
  Look at the image in WinHex
  Save it, you will need it next week
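As an added example (not from the slides, and not code from dd, dcfldd or dc3dd), the POSIX shell script below walks through the acquisition steps above on a constructed file standing in for the suspect device: dd with bs=, skip= and count=, a whole-image MD5 as on the Md5 Hash slide, and piecewise hashing per window to localize a zero-filled bad sector, which is the small-hash-window remedy. It assumes GNU coreutils; the device contents and the "bad" sector 5 are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): image a constructed stand-in for a
# suspect device with dd, verify it with a whole-image MD5, then localize a
# zero-filled bad sector with piecewise hashes like dcfldd's hashwindow=.
# Assumes GNU coreutils (dd, md5sum, paste, awk); a file replaces /dev/sdX.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/suspect.img"   # constructed "suspect media", 8 sectors
IMG="$WORK/captured.dd"   # the forensic image
BS=512                    # sector size used for bs=, skip=, count=, seek=
# Constructed device: sector 0 resembles a boot sector (OEM id, 55AA
# signature); sectors 1-7 hold a repeating text pattern.
make_source() {
    { printf 'MSDOS5.0'; head -c 502 /dev/zero; printf '\125\252'; } > "$SRC"
    yes 'evidence' | head -c $((7 * BS)) >> "$SRC"
}
# Acquire every sector: conv=noerror keeps reading past bad blocks and sync
# pads each short read with zeros so the image stays sector-aligned.
acquire() { dd if="$SRC" of="$IMG" bs="$BS" conv=noerror,sync 2>/dev/null; }

# Whole-device hash, as on the "Md5 Hash" slide.
hash_of() { md5sum "$1" | cut -d' ' -f1; }

# Piecewise hashing: one MD5 per window of $2 sectors, printed as
# "<window-index> <md5>", the information dcfldd's hashlog= records.
piecewise() {
    file=$1; win=$2; w=0
    n=$(( $(wc -c < "$file") / (BS * win) ))
    while [ "$w" -lt "$n" ]; do
        h=$(dd if="$file" bs="$BS" skip=$((w * win)) count="$win" 2>/dev/null \
            | md5sum | cut -d' ' -f1)
        echo "$w $h"; w=$((w + 1))
    done
}

# Compare two piecewise logs; prints the index of every window that differs,
# tying a disagreement to specific sectors instead of to the whole image.
differing_windows() { paste "$1" "$2" | awk '$2 != $4 { print $1 }'; }

# Simulate what an imager does with an unreadable sector: zero-fill sector 5.
zero_fill_sector5() {
    dd if=/dev/zero of="$IMG" bs="$BS" seek=5 count=1 conv=notrunc 2>/dev/null
}

make_source; acquire
echo "device md5: $(hash_of "$SRC")  image md5: $(hash_of "$IMG")"
piecewise "$SRC" 1 > "$WORK/device.log"; zero_fill_sector5
piecewise "$IMG" 1 > "$WORK/image.log"
echo "windows that disagree after zero-fill: $(differing_windows "$WORK/device.log" "$WORK/image.log")"
```

With a 1-sector window only window 5 disagrees; a larger window (for example 2 sectors) still pins the difference to the window containing sector 5 while the device and image hashes of every other window match.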