Sunday, March 25, 2012

Digital Forensic Analysis

After a week of hibernation, its time to move again..  >:)

So, in this post I'll try to perform a simple digital forensic analysis on an image of a floppy disk. You can download it here :
I use Backtrack OS in this post, because in Linux, there are some basic forensic analysis tools that have been already included.

As I told before, linux have been integrated with some basic forensic analysis tools such as :

dd - a tool used to clone a file, disk partition, or even an entire disk content. This is a bit-by-bit cloning tools, so the cloned file or device is 100% identical to the original one as long as the cloned file or device is not modified.
sfdisk and fdisk - tools used to see the disk structure in the computer.
grep - used with the other linux command such as ls or more, the output of the command will only display the lines that match with the pattern given by this command.
looping device - allows us to mount an image without having to rewrite the image to a disk.
md5sum and sha1sum - creating a md5 or sha1 hash of a file. Used to authenticate that the evidence is valid to be used.
file - great tool to find out a specific file type. This command analyze the header information of a file, then match it with its own database.
xxd - a tool to view a file in hex mode.

If you want to know more about the tools above, just type "man [command]" in the terminal. And as I said before, these tools is the basic tools, so there are certainly stronger and smarter digital forensic tools out there. But still, we must know the basic first before using the advanced tools.

Organizing the evidence is very important, you don't want the evidence to be mixed with other files right? That would be a big problem because the data or the metadata of the evidence will be changed. And, guess what? That will make the evidence become useless because it won't be considered a valid evidence again.
We need to make a special directory to place all evidence of a case. 
# mkdir evidence
And then, because forensic analysis is mostly dealing with the image of a disk we must create a mount point directory to mount the image.
# mkdir /mnt/analysis

Ok, that will make our analysis more organized. You can create the directory in any place you like.

We can make an identical copy of a file using dd command. Usual copy and DD copy is different because in usual copy the file doesn't copied bit-by-bit, so the copied usually different with the original file although we can't see it with our bare eyes, but still you can't make a forensic image of an evidence this way because the copied file will not be considered a valid evidence. In DD bit-by-bit copy is performed, this will make sure that copied file is 100% identical to the original one.
Before doing the command we must check the hash of the evidence. Md5sum or sha1sum its up to you. And after that execute the command. This is the format of the dd command.
# dd if=[input evidence] of=[output evidence]
After that we must check the hash of the output evidence and check it with the hash of the original evidence. The hash must be identical.
As you can see in the picture. The original(practical.floppy.dd) and the cloned(evidence.floppy) evidence have the same hash. This means that the evidence duplication is success. :D

After that we must secure both of the evidence by modifying its permission. So that we can only read it.
# chmod 444 practical.floppy.dd
# chmod 444 evidence.floppy

To mount the image we can execute mount command in the terminal.
# mount -t vfat -o ro,noexec,loop evidence.floppy /mnt/analysis/
This command will mount the image to /mnt/analysis directory. Here's the meaning of the option used :
"-o ro,noexec,loop" = specify the options, ro means readonly and noexec will prevents the execution of binaries on the disk and then loop means we use the loop system to mount the image.
After that just enter the /mnt/analysis directory to investigate the disk.
Don't forget to unmount the image if the analysis is completed.
# umount /mnt/analysis

Again, hash file is important to make the evidence valid. We must make sure that the hash of the evidence before and after investigation is still the same. To collect all the file hash at once we can execute this command.
# md5sum *.*
*.* is a wild card. It will make the md5sum executed on all files found. But this is still not effective because the file in the other directory won't be checked. Execute this command.
# find . -type f -exec md5sum {} \; > ~/evidence/md5.list
This command will search for all file starting from the current directory, then execute md5sum command on all files found and after that redirect the output to a file named md5.list in our evidence directory. Heres the content of the file.
To make us easier to check if the hash is changed, we can execute the md5sum command with -c followed by the generated list that we've created before.
# md5sum -c /root/evidence/md5.list
If the hash is matched it will says OK. And will say "Failed" if the file's hash have been changed. Note that our position must be the same as when we create the hash list.

Ok, so now we can explore the contents of the disk on /mnt/analysis folder. Don't worry about the file integrity anymore because we've mounted it with noexec attribute, so no file will be executed in the disk. If the Xserver is on, we can look the contents in the file browser like nautilus, but I will recommend using Terminal because it is more powerful and convenient.

Here's the content of the disk.
# ls -l

Or to be more accurate..
# ls -alR | less
This command will show you us all files including the hidden ones (a), show it in the long format (l), and recursively through all directories (R). Then to make it more comfortable to read we can pipe ( | ) it through "less" command. Press "q" to quit the paging season.

This is the important part..
We must redirect the above command's output so that we have a list of all files and their owners and permissions on the subject file system and also, we don't have to repeat every command again to do the analysis. So, mastering the use of "ls" command is very important. Check the man page to learn more about it. 

We can execute this command to make a detailed list on all files on the disk.
# ls -laiRtu > ~/evidence/access_file.list

We also can get a list of the files, one per line, using find command..
# find . -type f > ~/evidence/file.list.2

There is also "tree" command which will display the structure of the files in a more visual way.

Ok, now we have a detailed full list of all files on the disk. How do we read it?
First we must specify what type of file we look for. Lets say we want to search all jpg files. We can execute this command..
# grep -i jpg ~/evidence/file.list.2

This "grep" command will looks for the pattern "jpg" in the list of files, using the filename extension to alert us to a JPEG file. The "i" attributes make the grep command to be case insensitive. Mastering the use of "grep" commands is essential to make us faster doing the analysis because our searching technique will be far more targeted. Check the grep man page to learn about it.

Ok, move to the next step, now we must have a list of all file types on the disk. To do that "file" command will help us.

This command will compare each file's header (first few bytes of a raw file) with the contents of the "magic" file that contains a lot of file header data, then outputs the description of the file on the shell. This header usually called Magic Number (more about magic number here). Because of that any file that have its extension changed will still be identified correctly by this command.

To check all file types execute this command..
# find . -type f -exec file {} \; > ~/evidence/filetype.list

That command will find all files then execute "file" command on the output and save the output of the command to the "filetype.list".
Here's the content

To be more specific we can use "grep" command to be more accurate about what we're searching. Lets say we want to see only image file.
# grep image ~/evidence/filetype.list

As I said before, any file that have been changed its extension will still be identified correctly by the "file" command. Notice above that file "ouchy.dat" have a ".dat" extension but still identified as a JPEG image file by the command.

For viewing files, "cat", "more", and "less" is more than enough for terminal. But there's a better alternative for viewing an unknown files, that is using "strings" command.

This command can be used to parse regular ASCII text out of any file. It's good for formatted documents, data files and even binaries, which might have interesting text strings hidden in them. It might be best to pipe the output through less because usually the output is long and confusing.
Now lets put it in action. Have a look at the contents of the practice disk on /mnt/analysis. There is afile called arp.exe. What does this file do? We can't execute it, and from the file command we know that it's a DOS/Windows executable. Execute this command and search for an interesting strings in the file.

Ok, enough analysis on the logical view of the disk. Now we will do the analysis on the image itself, especially on the unallocated and the slack space of the disk.
Don't forget to unmount the image first.
# cd ~
# umount /mnt/analysis
Let's assume that we've seized this disk from a former employee of a large corporation. The "wannabe" cracker sent a letter to the corporation threatening to unleash a virus in their network. The suspect denies sending the letter. This is a simple matter of finding the text from a deleted file(unallocated space).
Back to the directory where you save the image.
# cd evidence
# ls -l
The first thing we will do is create a list of keywords to search for. It's rare we ever want to search evidence for a single keyword, after all. For out example, lets use "ransom:, "$50,000"(ransom amount), and "unleash a virus". These are some keywords and a phrase that we have decided to use from the original letter received by the corporation. Make the list of keywords using text editor like vi,nano,gedit, etc. Save it as searchlist.txt. Make sure that each string you want to search is on a different line. And MAKE SURE THAT THERE IS NO BLANK LINES ON THE LIST OR AT THE END OF THE LIST!!.

Now, execute the grep command.
# grep -abif searchlist.txt practical.floppy.dd > hits.txt
Here's the explanation of the above commands.
We are asking grep to use the list we created in "searchlist.txt" for the patterns we are looking for. This is specified with the "f <file>" option. We are telling grep to search practical.floppy.dd for these patterns, and redirect the output to a file called hits.txt, so we can record the output. The "-a" option tells grep to process the file as if it were text, even if it's binary. The option "i" tells grep to ignore upper and lower case(case insensitive). And the "b" option tells grep to give us the byte offse of each hit so we can find the line in xxd.

Now, lets open "hits.txt"
# cat hits.txt

In keeping with out command line philosophy, we will use xxd to display the data found at each byte offse. xxd is a command line hex dump tool, useful for examining files. Do this for each offset in the list of hits. This should yield some interesting results if you scroll above and below the offsets.
# xxd -s 75441 practical.floppy.dd | less

Please note that the use of grep in this manner is fairly limited. There are character sets that are common versions of grep do not support. So doing a physical search for a string on an image file is really only useful for what it does show you. In other words, negative results for a grep search of an image can be misleading. The strings or keywords may exist in the image in a form not recognizable to grep or strings. There are tools that address this, and we will discuss some of them later.

I think that enough for the introduction of a digital forensic analysis. Still have a lot of thing to be learned though. Lets try harder..  >:D

"the quieter you become, the more you are able to hear.."


Brian Fachri said...

kunjungan yud

dragon_master said...

mampir juga ahh.. :D

Post a Comment