Digital Forensics Hardware

Hi

This post is based entirely on my own study, so treat it as information only.

In this post we discuss the forensic hardware used to analyse evidence
(evidence = any information stored on digital media).

Why do we need forensic hardware when we have so many software tools?

Hardware equipment makes data acquisition easy and trustworthy. Many software tools may alter data while we take an image, whereas when we use write blockers and similar devices, writing to the disk is blocked.

Where is this hardware mostly used?

You will certainly find these devices at any law enforcement lab where digital forensic analysis is done. Apart from them, they are used by corporations and individual forensic consultants. If you are ready to pay for them, you can get them too 😉

How can we judge its integrity in use?

Hashing: the hash of the acquired image is compared with the hash of the original media.

Can a normal user afford to buy this hardware?

Well, this absolutely depends on the user; we can get some devices at a cheaper price from online shopping sites like eBay.

Who are the pioneers of forensic hardware?

As per my knowledge, the famous hardware leader is Logicube, followed by Tableau and others.

You can get details from the sites below:

Logicube http://www.logicube.com/
Tableau http://www.tableau.com/

List of Hardware

Hardware we concentrate on

  • Write blockers: To block writing to a disk while it is being imaged / accessed
  • Drive wipers: Used to wipe the previous contents of a disk; usually the tool overwrites the disk with zeros and ones. Sterilised hard disks also usually go through this process for safety
  • Drive accelerators: To speed up the imaging / analysis process
  • Duplicators: Used to make a copy of a disk

Below are the items we commonly use, so I don't think they need any explanation

  • Storage media
  • Cables
  • Read / write blockers
  • Hardware accelerators
  • Adapters
  • Media Enclosures
  • Storage
  • Bridges from Tableau
  • Supply kit
  • Drive tray

For more details you can refer to the sites below

http://www.digitalintelligence.com/forensichardware.php
http://www.forensic-computers.com/
http://www.forensicpc.com/
http://www.logicube.com/
http://www.tableau.com/
http://www.paraben.com/hardware.html

Mobile forensics devices

Mobile forensics is another interesting and challenging part of a digital investigator's work; most of the time we have to analyse the memory contents using hardware itself.

AFAIK the most commonly used mobile hardware is:

Celldek http://www.logicubeforensics.com/products/hd_duplication/celldek.asp
Cellebrite http://www.cellebrite.com/
Jtag http://www.jtagbox.com/
Paraben http://www.paraben.com/
H3 mobile device tool kit http://www.h11dfs.com/h3-mobile-device-toolkit.php

Some resources for forensic hardware

http://www.patctech.com/forensics/utilities/index.shtml


A look at Digital Acquisition

Hi,

I was about to post this a week ago, but my friends asked me to elaborate on it and add some more stuff. So it was delayed, and finally I have covered the basic stuff.

A simple and common hint: the details disclosed here are absolutely my own opinions and are only for basic use 🙂

What is Acquisition?

Acquisition saves the state of a digital system so that it can later be analysed and recovered.

Why is it important?

Acquisition is important when we talk about digital crimes and backups. Evidence is only accepted by a court if it is untampered. By taking an image we can assure data integrity, followed by hashing or another technique.

We can use acquisition tools for backing up data; these programs can basically be used for data availability. Even though we have similar programs in Windows, they do not support as many features as other programs do.

For example: hashing, file listing, etc.

These images can be stored with a hash value which can be used to verify data integrity. We can store these images with a password for data confidentiality using any third-party tool. Some imaging tools even provide all of these features together.

Types of images:

Some of the most popular image types used by open source and commercial forensics tools for analysis and data recovery are:

    • AD1 (AccessData)
    • E01 (EnCase)
    • S01 (SMART)
    • dd (Linux dd)
    • AFF (Advanced Forensic Format) and many others

How do we verify the integrity of the image?

As said earlier, this can be done by hashing the file; using some third-party tools we can generate hash values for all the files within the image, but this is not necessary for normal backups.
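As an added example (my own code, not from the post and not FTK Imager's or AIR's), the hashing described here in Python: hash an image file in streaming chunks so it works for images larger than RAM, build a manifest of every file under a mounted image directory in the same digest-then-path layout that sha256sum and md5deep write, and later verify the tree against that manifest, reporting modified, missing and added files. The directory contents are constructed inline for the demo and the function names are assumptions of this example.

```python
import hashlib
import tempfile
from pathlib import Path

# Added illustration; helper names are this example's own, not any tool's API.


def hash_file(path, algorithm="sha256", chunk_size=1024 * 1024):
    """Stream the file through the hash in chunks so images larger than RAM can be hashed."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algorithm="sha256"):
    """Hash every file under root (e.g. a mounted image) into {relative_posix_path: digest}."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = hash_file(path, algorithm)
    return manifest


def write_manifest(manifest, out_path, algorithm="sha256"):
    """Write 'digest  path' lines, the layout sha256sum/md5deep use, plus an algorithm header."""
    with open(out_path, "w", encoding="utf-8") as f:
        f.write(f"# algorithm={algorithm}\n")
        for rel, digest in manifest.items():
            f.write(f"{digest}  {rel}\n")


def read_manifest(path):
    """Parse a manifest written by write_manifest back into (algorithm, {path: digest})."""
    algorithm = "sha256"
    manifest = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if line.startswith("# algorithm="):
                algorithm = line.split("=", 1)[1]
            elif line:
                digest, rel = line.split("  ", 1)
                manifest[rel] = digest
    return algorithm, manifest


def verify_manifest(root, manifest_path):
    """Compare the current state of root with the stored manifest.
    Returns lists of modified, missing and added files; all empty means the tree is intact."""
    algorithm, expected = read_manifest(manifest_path)
    actual = build_manifest(root, algorithm)
    return {
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "added": sorted(p for p in actual if p not in expected),
    }


def demo():
    """Constructed sample: a tiny 'image' directory, a manifest, then one byte altered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "image"
        (root / "Users" / "alice").mkdir(parents=True)
        (root / "Users" / "alice" / "notes.txt").write_bytes(b"meeting at 10\n")
        (root / "boot.ini").write_bytes(b"[boot loader]\n")
        manifest_path = Path(tmp) / "image.sha256"
        write_manifest(build_manifest(root), manifest_path)

        clean = verify_manifest(root, manifest_path)  # nothing changed yet
        # Simulate tampering after the manifest was taken: one byte of notes.txt changes.
        (root / "Users" / "alice" / "notes.txt").write_bytes(b"meeting at 11\n")
        tampered = verify_manifest(root, manifest_path)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after :", after)
```

The manifest is kept beside the image rather than inside it, so the same file can be re-checked by anyone who receives the image, and a single changed byte shows up as a modified entry even though the file size did not change.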

Analysing the images?

Analysis is itself a different, long process in digital investigations; the reason I mention it in this post is that analysis is the ultimate reason we take images ;). To produce evidence in a court of law we need to analyse the evidence and make a detailed report of the investigation steps.

Different software used?

For acquisition we have a long list; some of the popular free tools are

      • Access data FTK imager,

      • Guymager

      • AIR

Using default Windows system files for analysis by converting them to raw dumps!

We can use some of the Windows system files as raw dumps for analysing system usage and user activity.

The files are listed below

Hiberfil.sys from C:\

Pagefile.sys from c:\

How to convert the files to dumps?

To convert the files listed above we use the hiber2dmp and hiber2bin applications, and to analyse them we use Volatility.

Converting Hiberfil.sys to a raw dump

Using hiber2dmp / hiber2bin we can easily convert these files to dumps, but the free edition only supports 32-bit; this software can be found here

To convert Pagefile.sys we can use the strings command in Linux. More details will be explained soon.

Using VMware files as evidence!

We can use VMDK, VHD and DMG files as evidence in some cases; in the new version of FTK we can mount these files as images and analyse them.

VMSN: VMware snapshot files, which we can use to check the state of the HDD.

Types of imaging:

  • Live imaging
  • Dead imaging
  • Remote imaging
  • Zero imaging

What are live imaging and dead imaging?

Live imaging: This is nothing but taking an image while a system is in the running state. Here we cannot rely on hashes, because the values may change after the data is acquired. This can be done using the software mentioned here or bootable live CDs like Matriux, BackTrack or any other forensics distro.

Dead imaging: Also called normal imaging; this is done when the system is in the off state, for example taking the HDD out, connecting it to a write blocker and taking the image.

Remote imaging: This is done via intranet / internet by specifying the remote and local addresses with their respective port numbers.

e.g. AIR

Zero imaging: This is used to wipe the drive / overwrite the HDD with zeros and ones. To do this we can use tools like AIR, EnCase and WinHex.

Of the above, the most commonly used techniques are live imaging and dead imaging; to store the backup image, only a sterilised hard disk is used.

Why use these tools?

Why use these kinds of tools when we have simple and customisable command line tools like dd? The answer is that a single one of these tools can be used for acquisition, analysis and recovery, and can handle different image types rather than a single file type. Another reason is user friendliness.

Various live CDs used for acquisition?

This is a long list which includes the tools listed above and others

Helix www.e-fense.com/products.php
Matriux www.matriux.com
Backtrack www.backtrack-linux.org/downloads/
Deft www.deftlinux.net/2011/01/11/deft-linux-6-ready-for-download/
SIFT www.computer-forensics.sans.org/community/downloads
FIRE www.sourceforge.net/projects/biatchux/

How are these images different from one another?

Yes, they are different. Every file type has its own identity; some file types are explained here. To explain it more simply:

E01 provides compression, checks hashes and contains metadata

dd is a basic and old technique to acquire an image; most imaging tools are based on dd itself
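An added example (my own code, not dd's, AIR's or FTK Imager's) of the block-by-block copy that dd-based imagers perform: each block is read from the media, hashed as it is read, and written to the image; a block the drive refuses to read is logged and replaced with zeros so that offsets in the image still match the media, which is what dd's conv=noerror,sync options do. FlakySource is a constructed stand-in for a drive with one unreadable block; the function names are assumptions of this example.

```python
import hashlib

# Added illustration of a dd-style imager; names are this example's own.


class FlakySource:
    """Constructed stand-in for a failing drive: reading any block listed in bad_blocks
    raises OSError, as a real unreadable sector does; the other blocks read normally."""

    def __init__(self, data, block_size, bad_blocks):
        self._data = data
        self._pos = 0
        self._block_size = block_size
        self._bad = set(bad_blocks)

    def read(self, n):
        if self._pos < len(self._data) and self._pos // self._block_size in self._bad:
            raise OSError(5, "Input/output error")
        chunk = self._data[self._pos:self._pos + n]
        self._pos += len(chunk)
        return chunk

    def seek(self, pos):
        self._pos = pos


def image_device(source, block_size, bad_blocks):
    """Copy source block by block into an in-memory image.
    A block that cannot be read is appended to bad_blocks and written as zeros
    (dd's conv=noerror,sync), so every later block keeps its original offset.
    Returns (image_bytes, sha256 of the bytes written), the acquisition hash."""
    h = hashlib.sha256()
    out = bytearray()
    block_no = 0
    while True:
        offset = block_no * block_size
        try:
            block = source.read(block_size)
            if not block:
                break  # end of media
        except OSError:
            bad_blocks.append(block_no)
            source.seek(offset + block_size)  # step over the unreadable block
            block = b""  # nothing recoverable from this block
        # 'sync': pad a short or failed read with zeros to a full block
        block = block.ljust(block_size, b"\x00")
        out += block
        h.update(block)
        block_no += 1
    return bytes(out), h.hexdigest()


def demo():
    """Constructed media: 8 blocks of 512 bytes, each filled with its block number;
    block 2 is unreadable. Returns (image, acquisition_hash, verification_hash, bad_blocks)."""
    block_size = 512
    data = b"".join(bytes([i]) * block_size for i in range(8))
    bad = []
    image, acq_hash = image_device(FlakySource(data, block_size, bad_blocks=[2]), block_size, bad)
    # Verification re-hashes the stored image, as an imaging tool's verify step does.
    ver_hash = hashlib.sha256(image).hexdigest()
    return image, acq_hash, ver_hash, bad


if __name__ == "__main__":
    image, acq, ver, bad = demo()
    print("bad blocks:", bad)
    print("acquisition hash:", acq)
    print("verification hash:", ver, "(match)" if acq == ver else "(MISMATCH)")
```

The two hashes match here because they are computed over the same bytes (what was written and what was read back); the bad-block list is what tells the examiner that the image is not byte-identical to the original media, which is why an imager's log belongs with the image.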

For more details on the differences check these links

http://whereismydata.wordpress.com/2009/06/27/forensics-what-is-imaging/
http://whereismydata.wordpress.com/2008/08/10/e01-files/

These only cover the basic file types, not all.

How to use tools for imaging?

This is a simple explanation of acquisition tools; the explanation may vary from user to user.

FTK Imager 3.1.0: A note here: this help is not copied from the FTK Imager help guide, so for proper terms and usage verify the FTK user guide too.

Where to download FTK imager?

http://accessdata.com/support/adownloads#FTKImager

How to install it?

It's as simple as any Windows application installation.

Importance, and how is it different from others?

It's simple to use, support is available for any problems you face, and the application supports features like hashing, file listing, multi-type imaging, memory capture, live image mounting and capturing protected registry files.

How to use FTK Imager?

If you are a Windows user it is not tough to use; it's a simple, user-friendly application guided by simple user controls.

Menu bar:-

FILE:

The main functionality of FTK Imager starts from the File menu; almost all the options related to imaging are covered here, as you can see in the screenshot.

This symbol denotes adding an evidence item for analysis / imaging. The types of evidence that can be added are a physical drive, a logical drive, an image file and the contents of a folder; for the image types accepted as an image file, please check the help file available from the Help menu.

This symbol denotes adding all attached devices for analysis / imaging (here attached devices may be SD cards, external disks or the default disks).

This symbol denotes image mounting; this can be used to mount images acquired from the HDD by live imaging or normal / dead imaging. It supports different types of images; some of the most used are .E01, .S01, .AFF, .VHD, .vmdk, .ad1, .tar, .zip, .dmg, .gho and others.

This symbol is used to remove evidence items, i.e. to remove attached evidence one item at a time.

This symbol is used to remove all evidence items that are attached.

The difference between these two options: when we attach more than one partition / disk as evidence, they show as multiple attached devices; to remove them one by one we use Remove Evidence Item, and to remove all in one click we use Remove All Evidence Items.

This symbol is used to create an image of the attached disks by selecting a disk; this can be live imaging or dead imaging.

This symbol is used to export a disk image; on selecting it, it asks you to choose the image type you want to export, from four types: dd, E01, SMART and AFF. After selecting the image type and filling in details like the examiner name and split image size, it continues with the export.

This symbol is used to export a logical image in AD1 format, of the partitions of a disk / the contents of a disk; we can use this as a bookmark container for projects or for quick reference to the entries.

This symbol is used to add contents to a custom image, which will be in AD1 format; the contents added can be seen under Custom Content Sources.

In the figure above you can see the other options available in the File menu. From Capture Memory we can capture the contents of memory, that is RAM, and the contents of the page file.

From Obtain Protected Files we can get the restricted registry files from a machine while it is running, through which we can look into the options available for a user; for example the SAM file can be used to get the key for passwords, the SYSTEM file for the user accounts and their counts, and many more. Check my next post for more details on these files.

Detect EFS Encryption actually shows you the encrypted files in the loaded image / on the disk.

The export options you all know about 🙂

View:

I don't think I need to explain this 🙂; from the figure you can get the details.

Mode:

Here you select the mode in which to preview the data; the data is then shown in the white space below the File List pane.

Tool bar:

All the options explained in the File menu are simply arranged here in this toolbar.

Action panes:-

Evidence Tree: Shows you the image / disk that has been added and its contents

File List: Used to see the contents of a folder, partition or image

Properties: To check the properties of a file or folder in an image, which mainly cover MAC times and others

Hex Value Interpreter: Converts hex values into decimal values according to little endian / big endian

Custom Content Sources: As discussed earlier, this shows the contents that you want to add into AD1 images

View Files: The white space below the File List where the preview of the image contents is shown.
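An added example (my own code, not FTK Imager's) of what a hex value interpreter computes for a selected run of bytes: the unsigned and signed integer in both little and big endian byte order. It goes beyond the page by also decoding an 8-byte Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), which is the form in which NTFS stores the MAC times shown in the Properties pane. The sample byte runs are constructed and the function names are assumptions of this example.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added illustration of a hex value interpreter; names are this example's own.

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def interpret(raw: bytes, byteorder: str = "little", signed: bool = False) -> int:
    """Interpret raw bytes as an integer in the given byte order.
    Little endian: least significant byte first (x86 and most on-disk Windows structures)."""
    if byteorder not in ("little", "big"):
        raise ValueError("byteorder must be 'little' or 'big'")
    return int.from_bytes(raw, byteorder=byteorder, signed=signed)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    ticks = interpret(raw, "little")
    # timedelta has microsecond resolution, so drop the sub-microsecond part of the tick count.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def interpret_all(raw: bytes) -> dict:
    """The table an interpreter pane shows for a selected byte run."""
    rows = {
        "hex": raw.hex(),
        "u_little": interpret(raw, "little"),
        "u_big": interpret(raw, "big"),
        "s_little": interpret(raw, "little", signed=True),
        "s_big": interpret(raw, "big", signed=True),
    }
    if len(raw) == 8:
        rows["filetime"] = filetime_to_datetime(raw).isoformat()
    return rows


def demo() -> dict:
    """Constructed samples: a DWORD, an all-0xFF DWORD (signed vs unsigned), and the FILETIME
    value of the Unix epoch (116444736000000000 ticks), packed little-endian."""
    samples = {
        "dword": bytes.fromhex("78563412"),
        "all_ff": bytes.fromhex("ffffffff"),
        "unix_epoch_filetime": struct.pack("<Q", 116444736000000000),
    }
    return {name: interpret_all(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name)
        for key, value in rows.items():
            print(f"  {key:>9}: {value}")
```

Reading the same four bytes as 0x12345678 in little endian and 0x78563412 in big endian is the whole point of the endianness switch in the pane: the bytes on disk do not change, only the interpretation does, and picking the wrong order silently gives a plausible-looking but wrong number or timestamp.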

Using FTK Imager:

The figure above shows the dialog displayed to the user when we try to add evidence and choose what sort of source it is: a physical drive, a logical drive, an image file of a supported type or the contents of a folder.

If we select Physical Drive, the next dialog is similar to the figure above; the drop-down contains all the connected devices, and the user has to select a device according to his requirement.

The figure above shows FTK Imager after an evidence item has been added to it for imaging.

In the context menu of the evidence in the Evidence Tree there are multiple options for the user, who can verify the image, mount it and list its directories.

After selecting Export Image, the dialog above pops up and we can acquire an image from it.

On clicking Next, the user can select the destination type from the options above.

On selecting any of the image types from the options above, it directs you to the examiner details; from there it asks you for the image destination, name, fragment size, compression and encryption. The encryption technique changes according to the image type.

The new option added in FTK Imager 3 is image mounting; the image types listed above are all ones we can mount and use for analysis and recovery.

If we check the context menu of the contents within the evidence, we can see the export option and the option to add the specific selection to the custom content image.

When we check the context menu of files in the File List, it is the same as in the Evidence Tree: from here you can retrieve single files and their details like MAC times, hash values and others. After selecting a file you can check the Properties tab for more details about it. For the Hex Value Interpreter, select bytes in the View Files pane and you can see the hex content as decimal. You can change the view mode by selecting an option under Mode.

AIR:-

Where to download AIR?

http://sourceforge.net/apps/mediawiki/air-imager/

Dependencies

http://packages.debian.org/lenny/sharutils

How to install AIR?

Prerequisites for AIR are:-

  1. perl-tk
  2. sharutils
  3. md5deep package
  4. cryptcat
  5. dc3dd 6.12.3
  6. uudecode

Some of these packages you can get with sharutils. It can be downloaded from http://packages.debian.org/lenny/sharutils according to your architecture.

Then open a terminal, go to the place where you saved the package and type:

sudo apt-get install sharutils (this installs the sharutils package)
Download your AIR package from http://sourceforge.net/apps/mediawiki/air-imager/
sudo tar -zxvf air-version (this extracts your package; air-version stands for the actual archive name)
chmod +x install-air-version (this gives execute permission to the installer)
./install-air-version (this installs your AIR package)

It first checks for an updated Perl version, downloads it and then starts the AIR installation. After completion you will be given the message "All Done". If you face any problem installing AIR, please check whether you have installed the libx11-dev and xutils-dev packages. If not, install them and run the AIR installation again.

To access AIR, type sudo air in a terminal.

Importance of AIR, and how is it different from others?

AIR supports compression, hashing, verification, HD overwriting, remote imaging and zero wiping.

How to use AIR?

AIR stands for Automated Image & Restore; it is a GUI front end for dd. It makes it easy to create and restore digital images, and it has the following features

  • Image verification via MD5 or SHA1
  • Image compression/decompression using gzip/bzip2
  • Image over a TCP/IP network uses netcat/cryptcat
  • Wiping (zeroing) drives or partitions

We can set a source (a disk / a file) and a destination (a disk / a location to store the image). The source can be a disk, to copy the disk contents to another disk / image and vice versa, with the block size specified. We can use the multiple options available within the tool like compression, hashing, verification and others.

Compression is used to compress the data while imaging so that it is stored in minimum space, but this is not recommended unless it is necessary. This tool supports the major compression techniques such as bzip2, gzip, tar and others.

Hashing ensures data integrity within the image; by selecting a hashing technique it will calculate the hash value for you and show it in the status window, from where it can be exported in CSV / TXT format.

To know whether the data is properly imaged / copied we use verification; to verify the contents we need to select Yes under the Verify option.

We can split the image into pieces if we need to store it in different locations; one reason to do this can be lack of disk space.

Under connected devices we can select the source and destination as CD / HD / writing zeros to the disk; the latter is mainly done to wipe the disk to prevent data recovery, but in some cases recovery is still possible. Net is for taking the image over a network (internet / intranet); we do this by specifying the target IP with a port number (this has to be explored more, as I haven't used it in depth yet).
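An added example (my own code, not AIR's or netcat's) of the idea behind the Net option: the sender streams the media block by block to a listening receiver, as dd piped into netcat would, and each side hashes the bytes it handled so that the two digests can be compared afterwards; a mismatch means the image on the receiving side is not what left the source. Both ends run over loopback in one process here; the host, port handling and sample data are constructed for the example.

```python
import hashlib
import socket
import threading

# Added illustration of remote imaging over a TCP stream; names are this example's own.


def send_image(data: bytes, host: str, port: int, block_size: int = 4096) -> str:
    """Sender side (what 'dd | nc host port' does): stream the media block by block,
    hashing each block as it is read so the digest covers exactly the bytes that left."""
    h = hashlib.sha256()
    with socket.create_connection((host, port)) as conn:
        for offset in range(0, len(data), block_size):
            block = data[offset:offset + block_size]
            h.update(block)
            conn.sendall(block)
        conn.shutdown(socket.SHUT_WR)  # end of stream, like dd reaching end of media
    return h.hexdigest()


def receive_image(listener: socket.socket, store: bytearray) -> str:
    """Receiver side (what 'nc -l -p port > image.dd' does): accept one connection,
    store everything until the sender closes, then hash the stored bytes."""
    conn, _ = listener.accept()
    with conn:
        while True:
            chunk = conn.recv(65536)
            if not chunk:
                break
            store += chunk
    return hashlib.sha256(bytes(store)).hexdigest()


def remote_image(data: bytes):
    """Run both ends over loopback; returns (sender_hash, receiver_hash, bytes_stored)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    store = bytearray()
    result = {}

    def receiver():
        result["hash"] = receive_image(listener, store)

    t = threading.Thread(target=receiver)
    t.start()
    sender_hash = send_image(data, "127.0.0.1", port)
    t.join()
    listener.close()
    return sender_hash, result["hash"], len(store)


def demo():
    """Constructed media: 512 KiB of a repeating pattern with a marker in the middle.
    Returns (hashes_match, all_bytes_arrived)."""
    data = b"\xaa\x55" * (256 * 1024)
    data = data[:500000] + b"EVIDENCE" + data[500008:]
    sender_hash, receiver_hash, stored = remote_image(data)
    return sender_hash == receiver_hash, stored == len(data)


if __name__ == "__main__":
    match, complete = demo()
    print("hashes match:", match, "| all bytes stored:", complete)
```

The comparison of the two digests is the same check AIR's hashing and verify options give you locally; over a network it is what tells you a dropped connection or a proxy in the path did not silently truncate or alter the stream.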

To start any process you have selected, click Start, and similarly Stop. You can observe the status in the status window, with hash values and completion progress.

EnCase is a commercial tool, so I don't want to go into it anyway; it's a little bit tricky, but easy if you're thorough with Windows apps.

Above all this, when I showed this post to my friend for suggestions on adding more questions, he simply asked me what and why I should use this tool for analysis or recovery. Well, the answer is that it depends on your requirement. These are my opinions.

One of the areas where I used this for my personal use was recovering deleted files (really, it helped me a lot).

"It requires a very unusual mind to undertake the analysis of the obvious." Alfred North Whitehead.

Any comments, suggestions or doubts, please post below


ClubHack 2011

Hi

As a ClubHack team member, I am proud to announce ClubHack 2011. I have been working with the ClubHack team for 1.5 successful years; in this journey I met some really good information security gurus and my colleagues, and as a continuation this year we have Mr. Richard Stiennon as a keynote speaker. We have some more good items programmed in our schedule.

Another great partnership of ClubHack is with the National Security Database. Jointly developed by the Government of India and ISAC, a non-profit scientific foundation, the National Security Database (NSD) was conceived after the horrific 2008 Mumbai attacks as a proactive action to identify the most credible and valuable information security professionals in India who work to protect the national critical infrastructure and cyberspace of the country.

Check details regarding CH2011

Details : http://clubhack.com/2011

Schedule : http://clubhack.com/2011/schedule/

Registrations : http://clubhack.com/2011/registrations/

Sayonara, meet you all at ClubHack
