Computer_Forensics_2..

advertisement
2012



Provides the backstory behind the crime
Provides pertinent information related to the motive
behind the crime
Requires the use of 2 software packages:
◦ Forensics Tool Kit (FTK)
 Version 1.8.0 or 1.8.1
◦ S-Tools

Software must be downloaded on your laptop prior to
the competition
1.
2.
3.
4.
5.
Creating & Opening a Computer Forensics Case
Finding Hidden Data in Slack Space or Unallocated
Space
Finding a Recently Deleted File
Finding a File with an Improper File Extension
Finding a Stego’d Image or Data Hidden in a JPG File

How you do it?
A. Start FTK and Create a New Case
B. Add evidence
C. Save the case on exiting

Once created you only need to start FTK and open an
existing file to continue working on the case


A case represents an ‘incident’
You will need to supply:
◦ Name or number of Case
◦ Investigator’s name
◦ Evidence to be added to the case


New cases can be Created
You can Open existing cases previously
created

Should run in “administrator mode”
◦ Right-click FTK icon and select “run as administrator”
 Or… click properties, and select appropriate option for icon
(then you won’t need to repeat each FTK startup)

You may receive a prompt looking for “security
device”
◦ It’s OK to run without the dongle or security device
 USB “dongle” is required to run FTK in “Full Mode”
 Also might ask for “Code Meter
◦ We’re running in Demo Mode
 Limits us to 5,000 files in the case, but otherwise fully
functional!

Known File Filter
◦ Used to “ignore” Known Files
◦ OK to load FTK without KFF

Select the appropriate option
◦ Generally you’ll either be creating new case or
opening an existing case

Enter Captions for
◦ Case Number
 I chose LIPD-2012-0001
 Long Island Police Dept., Case 1 of 2012
◦ Case Name
 Something meaningful
◦ Case Path
 The folder where case saved on hard drive
 The default is the case name

Enter information about investigator

Case Log Options

Processes to perform

Refine case

Refine index
◦ Next screen
◦ Select all options
◦ Next screen
◦ Keep default values
◦ Next screen
◦ Accept defaults
◦ Next screen
◦ Accept defaults
◦ Next screen

Information to be added to the Case
◦ Acquired forensic “image” of Drive
 This is a single file, but contains contents of an entire drive!!!


Similar to a “zip file”
Also referred to as
 “image file”
 Bitstream file
 Bit-for-bit image file
 This “image file” is captured and produced by some forensic software or
utility program
 Viewed with forensic software which “understands” the file structure
 It is NOT the same as a GIF or JPEG, which is a PICTURE type of image file and
IS a single file
◦ Local Drive (not on CSI 2012)
 Attached to the system and addressable as a disk drive


For example, the C: or E: disk
Could include a CD, DVD, USB, etc..
◦ Contents of a Folder
◦ Individual File

Created earlier by someone using
◦ Utility program or Forensic software

Fill in captions
◦ Evidence Name/Number
 For example, an item number of the evidence list
 Serial number, if unique
◦ Comments (optional)
 How acquired or unusual circumstances, etc..
◦ Local Evidence Time Zone
Evidence Added.
 -05:00 for NY All
timezone
Click “Next”
 Don’t forget about Daylight Savings, if it applies!
 Used for time comparisons

After clicking “Finish”
◦ FTK will Process Files
◦ Add them to the case

As part of adding evidence FTK will
◦ Keep track of certain items and summarize them
◦ Build an “index” of words or terms encountered
 Can be used to short-cut a search
 Can be used to identify words in the entire case
 Might provide insight into something not normally
considered
 For example, seeing “gun”, “secret” or “password” as one of
the words in the index

FTK presents 3 “panes” or “panels” by default

FTK provides a list of “summary” buttons with counts
◦ Users can configure the placement if desired
◦ Clicking on these can bring up those items in a detail pane so
that you focus on them








Bad extensions
Image files
Deleted files
Documents
Unknown types
Folders
Bookmarked items
etc

Tabs on the main window
◦
◦
◦
◦
◦
◦
Overview
Explore
Graphics
Email
Search
Bookmark

Shows general information about the case
◦ Selection in one “pane” shows details in another
“pane” or sub-window

The “bad extensions” shows 7 files in the
bottom pane
◦ Selecting one of the files in the bottom pane shows
the contents in the 3rd pane (upper right)

File list contains information about files
◦ “X” icon indicates deleted file
◦ File extension might indicate one type of file
 In reality, another type of file

Shows a “Windows Explorer” style of
presentation
◦ 3 evidence items seen
 Each has sub-items
◦ Collapsible or expandable levels
 Click on Plus or Minus signs to expand/collapse views


Selected item is shown in 3rd pane
List of items in the selected item are shown in
bottom (2nd) pane
◦ Clicking on one of these will present that item in
the 3rd (top-right) pane

Icons at top of 3rd pane
◦ Alter the “presentation” of data
 View as native application
 Text view
 Hexadecimal view
◦ It’s the same data, just a different way of viewing it!

The following demonstrates what a user sees
if selecting a single file in Explorer Tab


Selecting Giants Tickets.doc in Explorer Tab
Word document
◦ Really made up of different “components”


Selecting the file shows an item list of
components in the file
File slack is one of them

Shows a pane with thumbnails of images in
the currently selected item in your case

On the main menu
◦ Select “File”
 Close
 Closes the case, remains in FTK
 Save
 Allows you to continue working on the case
 Exit
 Allows you to save (and backup.. Optional) the case
 Shuts down FTK

What is “Slack Space”?
◦ It’s disk space which belongs to a file, but is not considered part of
the file’s data
 Happens because of the way the system allocates disk space to files
◦ How does the system give disk space to a file?
 By “clusters”… a collection of 1 or more disk “sectors”
 A “sector” is 512 bytes (depends on the system)
 A cluster can be 1, 2, 4, or 8 sectors
 Files are written in these clusters, and don’t normally fill up an entire
sector or cluster
◦ Two types of “Slack Space”
 Ram slack
 Disk space after the file data and before the end of that sector
 File slack
 Disk space in sectors not used by the file, but belonging to the file

What’s the significance of “slack space”?
◦ Contents of RAM slack is generally whatever was in
memory when the file was saved last
 Might be a password, credit card number, etc.. Or
garbage
◦ File slack’s contents can simply be whatever was
left over and not erased when no longer needed by
some other file
 Maybe even another user created that other file
◦ Slack can be used to hide information
 It’s not visible to users
 It won’t be “grabbed” by system and overwritten

In Overview Tab
◦ Select Slack/Free Space button
 Details pane contains all slack/free space items
 Full Path describes where that slack space is located

In a specific file
◦ It’s part of the file, but not part of the data itself
 Comes after the “end of file” marker

Do a “search”
◦ Word might appear in “slack”, which might indicate an attempt
at hiding something

Start from the “Explore” Tab
◦ Locate the file (Giants Tickets.doc)
 This file is deleted
◦ Highlight the file in Explore
 You’ll see:
 Pane 2 (Lower pane): list of embedded “stuff” in the file,
INCLUDING FileSlack
 Pane 3 (Upper right): The document as presented by FTK
believing it to be a “Word doc”
◦ Then… in pane 2, select “File Slack” and observe
what’s displayed in pane 3

Conduct a search
◦ Examine the returned “hits” of the search
 Search results (“hits”) indicate where the occurrence
was
 Even if in slack space
 Each “hit” also shows the data immediately before and
after the “hit” phrase

Click the SEARCH tab
◦ As you type a word or “character string”
 Indexed words in case show up
◦ Once you’ve found or typed your search term
 ADD it to the search
 You’ll see # of hits
 You’ll see # of files containing those “hits”

Select the “hits” for the search item
◦ Then “View Item Results”
◦ You can use “AND” or “OR” logic when looking for
multiple search items in the same file
 AND requires all to be present
 OR requires any one of them to be present

Indexed vs. Live
◦ Indexed
 Looks up terms indexed by FTK as evidence was added
◦ Live
 Looks up a term which wasn’t necessarily in the index
built by FTK
 Options
 Text




ASCII
UNICODE
CASE SENSITIVE
REGULAR EXPRESSION
 Hexadecimal

Keep ASCII and Unicode selected

Default is “ignore case”

Will take time

Regular expressions (NOT IN CSI 2012)
◦ They’re both defaults
◦ Won’t care if upper or lower
◦ Searches the entire case
◦ A “pattern” to match





Zip code
Telephone number
Social security number
Credit card number
Hexadecimal
◦ Look for “non-printable” character values

How do you find a deleted file?
◦ Overview Tab
 Select the summary button for Deleted Files
 All those files appear in the lower pane
◦ In the Explorer Tab
 You can view the “directory structure” in the 1st pane
 Deleted files appear with a red “X” on the icon of the file or folder
◦ Deleted files are often recoverable
 You need to EXPORT the file

Why could this be significant?
◦ Investigator might recover information the suspect was
attempting to hide or destroy
◦ might demonstrate intent to evade detection
 It can be demonstrated that a large number of files were deleted
 Just prior to execution of a search warrant
 After being interviewed by the police
 After receiving a call from a victim or conspirator
 When taken into account, might provide circumstantial evidence
of intent

How you do it?
◦ Overview Tab
 Find the Summary Button for “Bad Extensions”
 Pane 2 lists all those files
◦ Explorer Tab
 Navigate to the location
 Pane 2 shows files in that location, with additional information for
each file

What is “exporting”?
◦ Exporting allows an investigator to
 Select a file or files
 Save them as discrete files to another location outside of the
FTK Case file

Why?
◦ Allows investigators to process the exported file
“natively” using applications such as Word, Excel, Paint,
etc
 Some files must be processed natively (for example a
Stego’d file must be exported and handled using S-Tools as
explained in section 5)
◦ Can burn to a DVD and give to DA or other investigator
◦ Allows investigator to consolidate items of interest in
one place and present only those items

How do you export a file?
◦ Select the file (highlight it) in Explorer Tab
◦ Right-click on the file, and “Export it”

How do we find the file?
◦ Overview Tab
 Click on the “Improper Name” summary button
◦ Explorer Tab
 In pane 2 (lower pane), improper file extensions will be noted

What it means
◦ It might be a deliberate attempt to evade detection and hide
information
 Information might be important
◦ It could also just be a mistake on the part of the user
 File saved or renamed with the wrong extension

How do I process a file with an “Improper File
Extension”?
◦ Note the type of file it really should be
◦ Export the file
◦ Use the appropriate software to view the file, according to the
“real type” of file it is

How you do it?
◦ Certain files, such as Windows “BMP” files, can be
“containers”
◦ Software such as S-Tools can hide information inside these
“container files”
a. Locate a suspected “stego’d” file (the container file)
a.
Should be a “BMP” file
b. Export it from FTK’s Case
i.
This saves it as a separate file you can then process outside of
FTK
c. Use S-Tools to extract the “message file” from the “container
file”
i.
Password or a passphrase might be required!


Open S-Tools
Drag the “exported” file believed to be a “container
file” into S-Tools

Right-click the “container” in S-Tools
◦ Select “Reveal”
◦ When prompted, provide the “passphrase”
 Can be a single word or a phrase
 Could be case sensitive
◦ A “revealed archive” window shows with the hidden file
name and size
◦ Select the file in the “Reveal Archive” box
 Right-click the file you wish to extract from the container file
 Save as…
 Choose a location
 You’ve now successfully extracted the hidden message!

The result!

What it means
◦ Definitely a means of evading detection. It’s not accidental!!
 1. Data is hidden
 2. passphrase might be required
◦ Whoever can be demonstrated to know the passphrase either
put the hidden data there, or knew how to retrieve it
 Guilty knowledge!

Best of luck to all CSI Challenge participants!
Download