Post on 28-Jun-2020
CSCI 4623: Intro to Digital Forensics
Dept. of Computer Science, University of New Orleans
Slide Set # 2
Spring 2006
Prof. Golden G. Richard III
CSCI 4623: Intro to Digital Forensics 2 © 2004-6 by Golden G. Richard III
NTFS Alternate Data Streams
Included only in NTFS; not present in FATx filesystems
Originally included in NTFS to support Macintosh compatibility
Scant use
Can be used to hide malware, “secret” data, executables
ADS syntax: FILENAME:STREAMNAME
Can create ADS’s attached to either files or directories
Strange integration with command line tools and editors
e.g., TYPE can be used to create an ADS, but not to view its contents
To create an ADS:
– type textfile > visible.txt:hidden.txt
To see contents of an ADS (assuming you know about it!):
– more < visible.txt:hidden.txt
But…
– type visible.txt:hidden.txt
…doesn’t work…
NTFS Alt Data Streams (2)
Another "feature" of alternate data streams is that they are difficult to (reliably) delete
Copying the file to a FAT drive and back loses the association…
…but forensics software analyzing the drive image will find the ADS contents!
Better to overwrite the ADS with more data than currently exists, then delete the container file:
– echo “blah blah blah blah blah blah blah” > VISIBLE.TXT:HIDDEN.TXT
To (insecurely) remove an ADS without deleting the file, can’t use copy!
Instead, rename, cat, and delete:
– cat visible.txt > BACKUP
– del visible.txt
– rename BACKUP visible.txt
NTFS Alt Data Streams (3)
Need to do something else to remove ADS’s attached to directories!
– notepad DIRECTORY:hidden.txt
– Delete all characters in the ADS
Gotcha: You’re left with an empty ADS, at least on Win2K/XP
NTFS Alt Data Streams (4)
See www.heysoft.de for lots of interesting info on ADS’s
Freeware LADS (List Alternate Data Streams) tool can be found at that website…
Unfortunately, no source code available
LADS in action on next slide
You may have more ADS’s than you think?
LADS Screenshot
Windows Swap Files
Supports Windows virtual memory system
Contains swapped out pages corresponding to executing processes
NT, Win2000, XP
– Generally, c:\pagefile.sys
– Hidden file
95/98
– c:\windows\win386.swp
– Hidden file
Windows Swap File: Overview
Potentially, contains a lot of junk
File carving or keyword searches against the raw disk will yield a superset of the information in the swap file (obviously)
May be useful to target swap file directly, particularly on large drives
Careful! Keyword matches against the swap file DO NOT necessarily mean that the corresponding strings were in pages swapped out during the last boot!
– When the swap file is created, the “underlying” blocks aren’t cleaned
– As the swap file is reused, blocks aren’t cleaned
– Swap file can create a “jail”, where e.g., deleted file data from the browser cache end up “trapped” in the set of blocks allocated to the swap file
– Blocks may not be overwritten even during months of use!
Swap File Snippets
JPEG carved out of XP swap file, corresponds to an Adobe file that was open during last boot of target machine
Swap File Snippets (2)
Deleted file from IE cache “jailed” by creation of swap file
This file created and deleted before swap file was even ENABLED on target machine!
Months old!
Hibernation Files
Memory image of XP box, created at shutdown
Allows fast restart
Hibernation file locked during OS execution
Approximately the size of physical RAM (e.g., 2GB RAM == ~2GB hibernation file)
Potentially much more interesting than swap file, since it allows the last “on” state of the machine to be recreated
Can search hibernation file for interesting strings, including URLs, passwords, etc.
First block of file is zero-filled after boot, so you get one chance to “boot” the machine again, unless you have a backup of the hibernation file
Remainder of hibernation file remains unchanged until another hibernation event occurs…
Means that you may be able to recover interesting information that is quite old
Hibernation File: Challenges
Huge amount of fairly unstructured data
FTK has no native support for hibernation file, but can treat the file as one big binary blob and search / carve it
e.g., email addresses:
– A start: [a-z][0-9a-z][0-9a-z][0-9a-z]+@[a-z][0-9a-z][0-9a-z]+
e.g., phone numbers
e.g., SSN’s
e.g., IP addresses
e.g., credit card numbers
Trick for textual searches: Pipe file through strings before using grep/egrep
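As an added example (not from the slides), the strings-then-egrep trick in Python: pull printable runs out of a binary blob the way strings(1) does, then run patterns over each run and report the hit with its byte offset. The email pattern is the slide's "start" widened to accept a dotted domain; the IPv4 pattern and SAMPLE_BLOB are my own constructions.

```python
# Added example: "strings | egrep" over a binary blob such as a hibernation file.
import re

# Printable ASCII runs of at least min_len bytes, like the default output of strings(1).
def extract_strings(data: bytes, min_len: int = 4):
    """Return (offset, run) pairs, in file order, as strings -t d would print them."""
    rx = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group()) for m in rx.finditer(data)]

PATTERNS = {
    # Slide's [a-z][0-9a-z][0-9a-z][0-9a-z]+@[a-z][0-9a-z][0-9a-z]+, widened so that
    # "." / "_" / "-" are allowed in the local part and the domain may be dotted.
    "email": re.compile(rb"[a-z][0-9a-z._-]{2,}@[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I),
    # Dotted quad with every octet in 0..255 (assumption: the slide gives no IP regex).
    "ipv4": re.compile(
        rb"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
}

def find_patterns(data: bytes):
    """Run every pattern over every extracted string; {name: sorted [(offset, text)]}."""
    hits = {name: set() for name in PATTERNS}
    for offset, run in extract_strings(data):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(run):
                hits[name].add((offset + m.start(), m.group().decode("ascii")))
    return {name: sorted(found) for name, found in hits.items()}

# Constructed sample "memory image": junk bytes around a mail header fragment
# and a DHCP log fragment, plus a string that must NOT be taken for an address.
SAMPLE_BLOB = (
    b"\x00\x01\x02\x03" * 4                     # 16 bytes of non-printable junk
    + b"From: golden@cs.uno.edu\x00"           # email address at offset 22
    + b"\xff\xfe"
    + b"DHCPACK on 10.0.0.17 via eth0\x00"     # IPv4 address at offset 53
    + b"ab\x00cd"                               # "ab" is too short to be a string
    + b"300.1.2.3"                              # octet 300: not a valid IPv4 address
)

if __name__ == "__main__":
    for name, found in find_patterns(SAMPLE_BLOB).items():
        for offset, text in found:
            print("%-6s %6d %s" % (name, offset, text))
```

The same loop is what "strings hiberfil.sys | egrep ..." does from the shell; carrying the offset along matters when the hit has to be located again in FTK or a hex viewer.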
Windows Print Spool Files
*.spl, *.shd files
– .shd file contains information about the file being printed
– .spl file contains info to render the contents of the file to be printed
Presence of .shd files can be used in a similar fashion as for shortcut files…
…shows knowledge of existence of files and a deliberate attempt to access (print) the contents of the file
Format is proprietary, but has been reverse engineered
EMFSpoolViewer to view .SPL files
See: http://www.codeproject.com/dotnet/EMFSpoolViewer.asp
Application Metadata
Microsoft Office maintains a lot of metadata tracking revision history, authors, etc. for Word documents
Demo: Tony Blair document in FTK
Demo: apology-NOFASTSAVES.doc
Demo: apology-FASTSAVES.doc
Demo: Tolstoy (email leak)
Commercial tools for recovery of metadata:
– Forager (no personal experience)
– Trace! by Workshare
• Misses very “interesting” data illustrated in Fast Saves allowed demo!
Application Metadata
See:
– “Information Leakage Caused by Hidden Data in Published Documents”, Byers, S.; IEEE Security & Privacy Magazine, vol. 2, no. 2, Mar–Apr 2004, pp. 23–27.
Problem is wide-spread
Microsoft now offers a patch for scrubbing metadata from Office 2003
Still lots of danger for older Office documents
One final tidbit (and annoyance)
– Open a Powerpoint file, ** don’t ** save it, and it gets modified anyway!
– Reason: “last opened by”
– Illustrates that investigation using “live” file access under Windows is generally forensically unsound
Targeting Evidence: RegEx’s
Examples of built-in regular expressions in FTK 1.50
Cookies
Provide “safe” (cough) persistent storage on clients for web servers
Netscape details at http://wp.netscape.com/newsref/std/cookie_spec.html
Also see the RFC, but it doesn’t cover storage, which is what we’re primarily interested in
Server deposits a cookie into a client and can request the cookie when the client revisits the web site
Only the server depositing the cookie can read it: domain must match
Provides context for server
– user ID, previous item being viewed, etc.
From a digital forensics point of view, concerned with what information stored cookies can provide
Aside: Cookies: Safe?
Many exploits, many targeting only specific versions of specific browsers
These from a cookies presentation at http://cis.tamu.edu/security/microsoft/:
Older Netscape:
– Cookie operations in Javascript then use the specified src as the domain!
IE:
– site could direct the user's browser to:
http://www.verybadhacker.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com
– Replacing "%2f" with "/" characters and "%3F" with "?" yields the actual URL:
http://www.verybadhacker.org/security/iecookies/showcookie.html?.amazon.com
– But IE parsing is broken and IE believes Amazon.com is the domain
Cookies (2)
During an examination, need to look for cookies in several places
Each browser dumps cookies into a different place
IE:
– Stored in individual text files
– For a first try, look for “Temporary Internet Files” directory
Netscape/Mozilla:
– “cookies.txt” stores all cookies for all domains
– Typical location under XP is in a subdir off “Application Data” in the user’s Documents and Settings profile
– e.g.:
• C:\Documents and Settings\Golden\Application Data\Mozilla\Profiles\GOLDEN\92k4olbc.slt
IE Cookies
This is just the view from Explorer—no details on values stored in cookie until you look inside
IE Cookie Format
e.g.: golden@zd.co[2].txt contains:
UID // name of var == UID
184698238 // value
zdnet.co.uk/ // domain
1536 // all domains/HTTP only encoding
4142023168 // expiration date/time (encoded)
29714317
2060511968 // creation date/time (encoded)
29640892
Use a tool: e.g., Cookie Editor, to parse
IE Cookie Format (2)
Mozilla Cookie File (partial)
……
www.fedex.com FALSE / FALSE 1577836800 CP null*
www.avsforum.com FALSE / FALSE 1121101244 bblastvisit 1089565242
www.avsforum.com FALSE / FALSE 1121363172 bbuserid 7460210
……
Netscape/Mozilla Cookie Format
domain - The domain that created AND that can read the variable
flag - A TRUE/FALSE value indicating if all machines within a given domain can access the variable
path - The path within the domain that the variable is valid for
secure - A TRUE/FALSE value indicating if a secure connection with the domain is needed to access the variable
expiration - The UNIX time that the variable will expire on. UNIX time is defined as the number of seconds since Jan 1, 1970 00:00:00 GMT
name - The name of the variable
value - The value of the variable
Netscape/Mozilla Date Format
Stored as number of seconds since 1/1/1970 GMT
Easy to convert to human-friendly date/time:

#include <stdio.h>
#include <stdlib.h>
#include <time.h>

int main(int argc, char *argv[]) {
    long secs;   /* read into a long: scanf("%d") straight into a time_t is a type mismatch */
    time_t t;
    printf("Enter # of seconds since\n");
    printf("00:00:00 GMT, January 1, 1970: ");
    if (scanf("%ld", &secs) != 1) {
        fprintf(stderr, "not a number\n");
        return EXIT_FAILURE;
    }
    t = (time_t) secs;
    /* ctime() renders in the local time zone (TZ), not GMT; gmtime()/asctime() give GMT.
       Its output already ends with '\n'. */
    printf("DATE/TIME: %s", ctime(&t));
    return EXIT_SUCCESS;
}
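As an added example (not from the slides), a parser for both cookie formats on these slides that turns their timestamps into UTC dates: the tab-separated Netscape/Mozilla cookies.txt lines and the line-per-field IE cookie file. SAMPLE_MOZILLA repeats the cookies.txt lines above with the tabs restored; SAMPLE_IE repeats golden@zd.co[2].txt. The IE details that the slide does not state are assumptions of mine: that the two numbers after each "encoded" timestamp are the low and high 32-bit halves of a Windows FILETIME (100-ns ticks since 1601-01-01), and that records end with a "*" line.

```python
# Added example: decode Mozilla cookies.txt and IE cookie-file timestamps.
from datetime import datetime, timedelta, timezone

MOZILLA_FIELDS = ("domain", "flag", "path", "secure", "expiration", "name", "value")

# Constructed from the slide's cookies.txt snippet (tab separators restored).
SAMPLE_MOZILLA = (
    "# Netscape HTTP Cookie File\n"
    "www.fedex.com\tFALSE\t/\tFALSE\t1577836800\tCP\tnull*\n"
    "www.avsforum.com\tFALSE\t/\tFALSE\t1121101244\tbblastvisit\t1089565242\n"
    "www.avsforum.com\tFALSE\t/\tFALSE\t1121363172\tbbuserid\t7460210\n"
)

# Constructed from the slide's golden@zd.co[2].txt; "*" terminator is an assumption.
SAMPLE_IE = (
    "UID\n184698238\nzdnet.co.uk/\n1536\n"
    "4142023168\n29714317\n"    # expiration: FILETIME low, high (assumed layout)
    "2060511968\n29640892\n"    # creation:   FILETIME low, high (assumed layout)
    "*\n"
)

def unix_to_utc(seconds):
    """Seconds since 1970-01-01 00:00:00 GMT -> aware datetime (what the C snippet does with ctime)."""
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc)

def filetime_to_utc(low, high):
    """Windows FILETIME split into two 32-bit decimal strings -> aware datetime."""
    ticks = (int(high) << 32) | int(low)          # 100-nanosecond units since 1601-01-01
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_mozilla_cookies(text):
    """One dict per well-formed line; comment lines and damaged lines are skipped."""
    cookies = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(MOZILLA_FIELDS):
            continue                              # carved or truncated line: ignore
        rec = dict(zip(MOZILLA_FIELDS, parts))
        rec["flag"] = rec["flag"] == "TRUE"
        rec["secure"] = rec["secure"] == "TRUE"
        rec["expires_utc"] = unix_to_utc(rec["expiration"])
        cookies.append(rec)
    return cookies

def parse_ie_cookies(text):
    """Records of 8 lines (name, value, domain/path, flags, exp lo, exp hi, cre lo, cre hi)."""
    cookies, fields = [], []
    for line in text.splitlines():
        if line.strip() != "*":
            fields.append(line)
            continue
        if len(fields) >= 8:
            name, value, domain, flags, elo, ehi, clo, chi = fields[:8]
            cookies.append({
                "name": name, "value": value, "domain": domain, "flags": int(flags),
                "expires_utc": filetime_to_utc(elo, ehi),
                "created_utc": filetime_to_utc(clo, chi),
            })
        fields = []
    return cookies

if __name__ == "__main__":
    for c in parse_mozilla_cookies(SAMPLE_MOZILLA):
        print(c["domain"], c["name"], c["expires_utc"].isoformat())
    for c in parse_ie_cookies(SAMPLE_IE):
        print(c["domain"], c["name"], "created", c["created_utc"], "expires", c["expires_utc"])
```

Decoded this way, the IE cookie on the slide was created in June 2004 and expires in June 2005, a one-year cookie; the creation date is the kind of "when was this site first visited" evidence an examiner is after.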
Aside: IE: index.dat files
IE maintains browsing history in “index.dat” files
Obscure binary format, but has been parsed
See: http://www.cqure.net/tools.jsp?id=13, IEHist tool by Alexander Geschonneck
Typical output:
URL|2005/2/22 19:39:46|http://computer-forensik.org/images/cf_header_r4_c4.gif
URL|2005/2/22 19:39:47|http://computer-forensik.org/images/cf_header_r4_c6.gif
URL|2005/2/22 19:39:47|http://computer-forensik.org/images/cf_header_r4_c8.gif
URL|2005/2/22 19:39:47|http://www.hisolutions.com/images_extern/banner_hisolutions.gif
URL|2005/2/22 19:39:47|http://computer-forensik.org/images/cf_header_r5_c2.gif
URL|2005/2/22 19:39:47|http://computer-forensik.org/images/cover_computer-forensik.jpg
URL|2005/2/22 19:39:47|http://computer-forensik.org/images/cf_header_r2_c4_f3.gif
URL|2005/2/22 19:39:47|http://computer-forensik.org/images/cf_header_r2_c4_f2.gif
URL|2005/2/22 19:39:47|http://computer-forensik.org/images/cf_header_r2_c6_f2.gif
URL|2005/2/22 19:39:47|http://computer-forensik.org/images/cf_header_r2_c6_f3.gif
URL|2005/2/22 19:39:48|http://computer-forensik.org/images/cf_header_r2_c8_f3.gif
URL|2005/2/22 19:39:48|http://computer-forensik.org/images/cf_header_r2_c8_f2.gif
URL|2005/2/22 19:39:48|http://computer-forensik.org/images/cf_header_r3_c2_f3.gif
URL|2005/2/22 19:39:48|http://computer-forensik.org/images/cf_header_r3_c2_f2.gif
URL|2005/2/22 19:39:55|http://www.geschonneck.com/security/images/security_audit.gif
Investigating Email
Web-based mail
– Hotmail
– Yahoo
– Google (gmail)
– …others…
Traditional POP or IMAP-based email
Outlook
– structured .PST file, not plain text
Unix mail storage generally is plain text
– Messages are concatenated into one file (per email folder), complete with headers
– Investigation is straightforward
Web-based Email
Generally, complete web pages are easier to retrieve
Retrieve undeleted, deleted HTML pages from browser cache
NOT only .htm / .html files!
Firefox cache doesn’t use extensions
Also, CACHE files may contain embedded bits!
Carve disk image for … blocks
Much harder if only fragments are available
Hotmail (e.g., “getmsg[1].htm” file in browser cache)
Hotmail (e.g., HoTMaiL[1].htm file in browser cache)
Viewing Complete Web-based Emails
Basically, an offline HTML viewing problem
Generally, do NOT want to resolve external links!
In general, investigation should be performed on a machine w/o an Internet connection
lynx -localhost -dump is useful for simple stuff
Don’t trust lynx on complicated, multi-frame stuff in “-dump” mode
FTK does a good job
Firefox does a great job, but use “Work Offline”!!
– Can be activated from the command line
Web Email Fragments
Much more problematic
“strings” can help
For Hotmail: want context around “cgi-bin/hotmail”
For Yahoo:
– want context around “ym/ShowLetter”
– want context around “ym/Compose”
– Yahoo email bodies sealed in … pairs
– Retrievable even if top of message has been wiped out (e.g., the portion)
– grep -A -B “/ym/ShowLetter”
Worst case: devolves into looking for readable strings in “strings” output
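As an added example (not from the slides), the "strings, then grep -A/-B around a marker" step in Python: extract the printable runs from a cache fragment and return a window of runs around every one that contains the marker, so the subject and body lines near a "/ym/ShowLetter" hit come out together even when the page's head is gone. SAMPLE_FRAGMENT is constructed; only the marker strings come from the slide.

```python
# Added example: context windows around a marker in strings output (grep -A/-B equivalent).
import re

STRINGS_RE = re.compile(rb"[\x20-\x7e]{4,}")       # printable runs of 4+ bytes, as strings(1)

def strings_lines(data: bytes):
    """The lines strings(1) would print for data, decoded to str."""
    return [m.group().decode("ascii") for m in STRINGS_RE.finditer(data)]

def context_around(data: bytes, marker: str, before: int = 2, after: int = 2):
    """For every strings line containing marker, return (line_index, window_of_lines).

    before/after play the role of grep -B and -A; windows are clipped at the ends
    of the output rather than padded, so a fragment with no preceding lines still
    yields its hit."""
    lines = strings_lines(data)
    windows = []
    for i, line in enumerate(lines):
        if marker in line:
            lo, hi = max(0, i - before), min(len(lines), i + after + 1)
            windows.append((i, lines[lo:hi]))
    return windows

# Constructed cache fragment: the top of the page is missing, the ShowLetter
# link survives, and an unrelated Compose link follows the message text.
SAMPLE_FRAGMENT = (
    b"\x00" * 8
    + b"<td class=hdr>\x00"
    + b"/ym/ShowLetter?MsgId=1234\x00\x00"
    + b"Subject: lunch?\x00"
    + b"Meet at noon by the lake.\x00"
    + b"\x01\x02"
    + b"/ym/Compose?To=golden\x00"
)

if __name__ == "__main__":
    for index, window in context_around(SAMPLE_FRAGMENT, "/ym/ShowLetter", before=1, after=2):
        print("hit at strings line", index)
        for line in window:
            print("   ", line)
```

Run against a real cache file the call is the same, with `data = open(path, "rb").read()`; the window width is the knob to turn when the message body sits further from the marker than two runs.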
Outlook
Investigation without tools will get you nowhere…
First step is to find the Outlook file
All folders (Inbox, Drafts, etc.) typically stored in a single file
On XP, in a directory off Documents and Settings:
– e.g., C:\Documents and Settings\Golden\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
Outlook Investigation: Freeware
libpst is a good start for investigation of Outlook email w/o a budget
It’s also a good basis for developing other Outlook-hacking software…
Designed to convert Outlook email boxes to plaintext format
Improving rapidly—will show you progress from 0.3.4 to 0.5.1
Commercial software is substantially better
– FTK
– Encase
– Paraben Email Examiner
0.3.4
./readpst -o recovered …Outlook.pst
ls -l recovered
-rw-r--r-- 1 root root 3151 Feb 22 17:43 Calendar
-rw-r--r-- 1 root root 2732 Feb 22 17:43 Contacts
-rw-r--r-- 1 root root 27 Feb 22 17:43 Deleted Items
-rw-r--r-- 1 root root 4533 Feb 22 17:43 Drafts
-rw-r--r-- 1 root root 0 Feb 22 17:43 Handheld Synchronization
-rw-r--r-- 1 root root 0 Feb 22 17:43 Notes
-rw-r--r-- 1 root root 0 Feb 22 17:43 Personal Folders
-rw-r--r-- 1 root root 0 Feb 22 17:43 Tasks
-rw-r--r-- 1 root root 0 Feb 22 17:43 ZoneAlarm Junk Mail
0.5.1: More Folders Recognized
./readpst -o recovered …Outlook.pst
ls -l recovered
-rw-r--r-- 1 root root 26603 Feb 22 17:59 Calendar
-rw-r--r-- 1 root root 21601 Feb 22 17:59 Contacts
-rw-r--r-- 1 root root 215 Feb 22 17:59 Deleted Items
-rw-r--r-- 1 root root 4553 Feb 22 17:59 Drafts
-rw-r--r-- 1 root root 0 Feb 22 17:59 Handheld Synchronization
-rw-r--r-- 1 root root 0 Feb 22 17:59 Inbox
-rw-r--r-- 1 root root 0 Feb 22 17:59 Journal
-rw-r--r-- 1 root root 0 Feb 22 17:59 Junk E-mail
-rw-r--r-- 1 root root 0 Feb 22 17:59 Norton AntiSpam Folder
-rw-r--r-- 1 root root 0 Feb 22 17:59 Notes
-rw-r--r-- 1 root root 0 Feb 22 17:59 Outbox
-rw-r--r-- 1 root root 0 Feb 22 17:59 Personal Folders
-rw-r--r-- 1 root root 0 Feb 22 17:59 Sent Items
-rw-r--r-- 1 root root 0 Feb 22 17:59 Tasks
-rw-r--r-- 1 root root 0 Feb 22 17:59 ZoneAlarm Challenged Mail
-rw-r--r-- 1 root root 0 Feb 22 17:59 ZoneAlarm Fraudulent Mail
-rw-r--r-- 1 root root 0 Feb 22 17:59 ZoneAlarm Junk Mail
0.3.4: Contacts
Joshua and Elise Aasgaard Frank Adelstein Alex Andy Anderson Mowgli Assor Sue Barkowski ……
0.5.1: Contacts
BEGIN:VCARD
FN:Aasgaard\, Joshua and Elise
N:Aasgaard;Joshua;and Elise;;
ADR;TYPE=home:;;NO\, LA 70122;NO;LA;70122;
LABEL;TYPE=home:NO\, LA 70122
TEL;TYPE=cell,voice:(504) 957-XXXX
VERSION: 3.0
END:VCARD

BEGIN:VCARD
FN:Adelstein\, Frank
N:Adelstein;Frank;;;
EMAIL:frank@mycause.com
ADR;TYPE=home:;;XXX Graham Rd. #XXX;Ithaca;NY;14850;United States of America
LABEL;TYPE=home:XXX Graham Rd. #XXX,\Ithaca\, NY 14850
TEL;TYPE=work,fax:(607) 257-XXXX
TEL;TYPE=work,voice:(800) 672-XXXX
TEL;TYPE=home,voice:(607) 266-XXXX
VERSION: 3.0
END:VCARD
……
0.3.4: Drafts folder
From "(null)" Fri Dec 28 12:06:21 2001
From: "(null)"
Subject: This is an email message
To: golden@cs.uno.edu
Content-type: multipart/alternate;
    boundary="--boundary-LibPST-iamunique-1109115805_-_-"

----boundary-LibPST-iamunique-1109115805_-_-
Content-type: text/plain

This is the body of an email message.
If I loved Sally, this is where I would profess that love.
Love (not),
--Golden
……
WRONG!
0.5.1: Drafts folder
From "(readpst_null)" Fri Dec 28 12:06:21 2001
From: "(null)"
Subject: This is an email message
To: golden@cs.uno.edu
MIME-Version: 1.0
Content-type: multipart/alternate;
    boundary="--boundary-LibPST-iamunique-1804289383_-_-"

----boundary-LibPST-iamunique-1804289383_-_-
Content-type: text/plain

This is the body of an email message.
If I loved Sally, this is where I would profess that love.
Love (not),
--Golden
……
WRONG!
Aside: Default Outlook “Encryption”
Default “encryption” level is a simple substitution cipher:
// from libpst: translation table for Outlook medium-level encryption
unsigned char comp_enc [] = {
  0x47, 0xf1, 0xb4, 0xe6, 0x0b, 0x6a, 0x72, 0x48,
  0x85, 0x4e, 0x9e, 0xeb, 0xe2, 0xf8, 0x94, 0x53, /*0x0f*/
  0xe0, 0xbb, 0xa0, 0x02, 0xe8, 0x5a, 0x09, 0xab,
  0xdb, 0xe3, 0xba, 0xc6, 0x7c, 0xc3, 0x10, 0xdd, /*0x1f*/
  0x39, 0x05, 0x96, 0x30, 0xf5, 0x37, 0x60, 0x82,
  0x8c, 0xc9, 0x13, 0x4a, 0x6b, 0x1d, 0xf3, 0xfb, /*0x2f*/
  0x8f, 0x26, 0x97, 0xca, 0x91, 0x17, 0x01, 0xc4,
  0x32, 0x2d, 0x6e, 0x31, 0x95, 0xff, 0xd9, 0x23, /*0x3f*/
  0xd1, 0x00, 0x5e, 0x79, 0xdc, 0x44, 0x3b, 0x1a,
  0x28, 0xc5, 0x61, 0x57, 0x20, 0x90, 0x3d, 0x83, /*0x4f*/
  0xb9, 0x43, 0xbe, 0x67, 0xd2, 0x46, 0x42, 0x76,
  0xc0, 0x6d, 0x5b, 0x7e, 0xb2, 0x0f, 0x16, 0x29, /*0x5f*/
  0x3c, 0xa9, 0x03, 0x54, 0x0d, 0xda, 0x5d, 0xdf,
  0xf6, 0xb7, 0xc7, 0x62, 0xcd, 0x8d, 0x06, 0xd3, /*0x6f*/
  0x69, 0x5c, 0x86, 0xd6, 0x14, 0xf7, 0xa5, 0x66,
  0x75, 0xac, 0xb1, 0xe9, 0x45, 0x21, 0x70, 0x0c, /*0x7f*/
  0x87, 0x9f, 0x74, 0xa4, 0x22, 0x4c, 0x6f, 0xbf,
  0x1f, 0x56, 0xaa, 0x2e, 0xb3, 0x78, 0x33, 0x50, /*0x8f*/
  0xb0, 0xa3, 0x92, 0xbc, 0xcf, 0x19, 0x1c, 0xa7,
  0x63, 0xcb, 0x1e, 0x4d, 0x3e, 0x4b, 0x1b, 0x9b, /*0x9f*/
  0x4f, 0xe7, 0xf0, 0xee, 0xad, 0x3a, 0xb5, 0x59,
  0x04, 0xea, 0x40, 0x55, 0x25, 0x51, 0xe5, 0x7a, /*0xaf*/
  0x89, 0x38, 0x68, 0x52, 0x7b, 0xfc, 0x27, 0xae,
  0xd7, 0xbd, 0xfa, 0x07, 0xf4, 0xcc, 0x8e, 0x5f, /*0xbf*/
  0xef, 0x35, 0x9c, 0x84, 0x2b, 0x15, 0xd5, 0x77,
  0x34, 0x49, 0xb6, 0x12, 0x0a, 0x7f, 0x71, 0x88, /*0xcf*/
  0xfd, 0x9d, 0x18, 0x41, 0x7d, 0x93, 0xd8, 0x58,
  0x2c, 0xce, 0xfe, 0x24, 0xaf, 0xde, 0xb8, 0x36, /*0xdf*/
  0xc8, 0xa1, 0x80, 0xa6, 0x99, 0x98, 0xa8, 0x2f,
  0x0e, 0x81, 0x65, 0x73, 0xe4, 0xc2, 0xa2, 0x8a, /*0xef*/
  0xd4, 0xe1, 0x11, 0xd0, 0x08, 0x8b, 0x2a, 0xf2,
  0xed, 0x9a, 0x64, 0x3f, 0xc1, 0x6c, 0xf9, 0xec}; /*0xff*/
Compare “outlook.pst” and “outlook.out” (processed by troutlook)
“Problematic”: Outlook Web Client
Artifacts?
Quick look didn’t reveal much info in the browser cache other than images that populate the interface
Email content may not be cached at all on client side
Windows Events
NT/Win2K/XP eventing mechanisms are similar to syslog in Unix
System, security, and applications events capture “interesting” system states
Administrative Tools > Event Viewer runs the standard Windows tool for examining event logs
Commercial/open source tools for examining event logs
– Free: psloglist, from pstools
– Can extract event logs from a (dead) target, then examine using “-l” switch
– e.g., psloglist -l golden.evt
– http://www.sysinternals.com/ntw2k/freeware/psloglist.shtml
Interesting System Events (XP)
Dial up connection established, username is shown
IP addr assigned
Interesting System Events (XP) [2]
Time synchronization failed
Time synchronization succeeded
Interesting System Events (XP) [3]
DNS failure on attempted time synchronization
Interesting App Events (XP)
Virus scanning module crashed
Interesting App Events (XP) [2]
Mozilla hang
These types of events are interesting because they establish that software pkgs are installed and can sometimes provide time/date evidence
Unix Logging
Under Unix:
– Lots of logging done in /var/log or equivalent (e.g., /var/adm, /var/adm/log, …)
Linux, in particular:
– dmesg: console messages for last boot
– maillog: email sends, receives, checks, etc.
– messages: All logins, DHCP events, general stuff like loggers and devices being started/restarted…
– wtmp: Detailed information about logins/outs
– btmp: Failed login attempts
– secure: connects to machine, denied connection attempts
– Additionally, web server logs
messages snip
Sep 10 06:41:16 memphis login[5565]: LOGIN ON ttyp0 BY golden FROM boudin
Sep 10 06:41:16 memphis PAM_pwdb[5565]: (login) session closed for user golden
Sep 10 06:41:34 memphis PAM_pwdb[5577]: (su) session opened for user root by golden(uid=0)
Sep 10 06:50:39 memphis PAM_pwdb[5577]: (su) session closed for user root
Sep 10 06:51:12 memphis PAM_pwdb[5625]: (su) session opened for user root by golden(uid=0)
Sep 10 07:15:04 memphis dhcpd: DHCPREQUEST for 10.0.0.17 from 00:60:1d:f1:12:7f via eth0
Sep 10 07:15:04 memphis dhcpd: DHCPACK on 10.0.0.17 to 00:60:1d:f1:12:7f via eth0
secure snip
Oct 28 07:43:52 memphis in.telnetd[10512]: refused connect from bbig041116.netvigator.com
Oct 28 09:30:10 memphis in.telnetd[10581]: refused connect from AC83B731.ipt.aol.com
Oct 28 13:33:10 memphis in.telnetd[10718]: refused connect from ACA1647D.ipt.aol.com
Oct 28 14:57:35 memphis in.telnetd[10753]: refused connect from fsck.org
Oct 29 09:42:58 memphis in.ftpd[11762]: refused connect from ci59092-a.nash1.tn.home.com
Oct 29 16:52:42 memphis in.telnetd[12001]: refused connect from cx824883-a.omhaw1.ne.home.com
Oct 29 16:58:14 memphis in.telnetd[12002]: refused connect from cx824883-a.omhaw1.ne.home.com
Oct 29 20:27:18 memphis in.ftpd[12139]: refused connect from pD901328A.dip.t-dialin.net
Oct 29 23:05:41 memphis in.ftpd[12242]: refused connect from ci59092-a.nash1.tn.home.com
Oct 30 08:31:52 memphis in.telnetd[364]: connect from boudin
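As an added example (not from the slides), a parser for the syslog-style lines in the two snippets above that pulls out what an examiner reads first: refused connections counted per service and peer, accepted connections, console logins, su-to-root sessions and DHCP leases (IP to MAC). The sample lines are the ones on the slides with the extraction line wraps rejoined; the regexes and the summary layout are mine.

```python
# Added example: summarise Linux "messages" / "secure" log lines.
import re
from collections import Counter

# Mon DD HH:MM:SS host program[pid]: message   (pid is optional, e.g. dhcpd)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
REFUSED_RE = re.compile(r"^refused connect from (\S+)")
ACCEPT_RE = re.compile(r"^connect from (\S+)")
LOGIN_RE = re.compile(r"^LOGIN ON (\S+) BY (\S+) FROM (\S+)")
SU_RE = re.compile(r"^\(su\) session opened for user (\S+) by (\S+?)\(uid=(\d+)\)")
DHCPACK_RE = re.compile(r"^DHCPACK on (\S+) to (\S+)")

def parse_syslog_line(line):
    """Split one line into its syslog fields; None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec

def summarize(lines):
    """Classify each parsed line; unknown messages are ignored, unparseable ones counted."""
    out = {"refused": Counter(), "accepted": [], "logins": [], "su_root": [],
           "dhcp_leases": [], "unparsed": 0}
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None:
            out["unparsed"] += bool(line.strip())
            continue
        ts, prog, msg = rec["ts"], rec["prog"], rec["msg"]
        if (m := REFUSED_RE.match(msg)):
            out["refused"][(prog, m.group(1))] += 1
        elif (m := ACCEPT_RE.match(msg)):
            out["accepted"].append((ts, prog, m.group(1)))
        elif (m := LOGIN_RE.match(msg)):
            out["logins"].append((ts, m.group(2), m.group(3)))       # (time, user, from)
        elif (m := SU_RE.match(msg)) and m.group(1) == "root":
            out["su_root"].append((ts, m.group(2)))                  # (time, who became root)
        elif (m := DHCPACK_RE.match(msg)):
            out["dhcp_leases"].append((ts, m.group(1), m.group(2)))  # (time, ip, mac)
    return out

# Sample input: the slide's snippets, one record per line.
SAMPLE_MESSAGES = """\
Sep 10 06:41:16 memphis login[5565]: LOGIN ON ttyp0 BY golden FROM boudin
Sep 10 06:41:16 memphis PAM_pwdb[5565]: (login) session closed for user golden
Sep 10 06:41:34 memphis PAM_pwdb[5577]: (su) session opened for user root by golden(uid=0)
Sep 10 06:50:39 memphis PAM_pwdb[5577]: (su) session closed for user root
Sep 10 06:51:12 memphis PAM_pwdb[5625]: (su) session opened for user root by golden(uid=0)
Sep 10 07:15:04 memphis dhcpd: DHCPREQUEST for 10.0.0.17 from 00:60:1d:f1:12:7f via eth0
Sep 10 07:15:04 memphis dhcpd: DHCPACK on 10.0.0.17 to 00:60:1d:f1:12:7f via eth0
"""
SAMPLE_SECURE = """\
Oct 28 07:43:52 memphis in.telnetd[10512]: refused connect from bbig041116.netvigator.com
Oct 28 09:30:10 memphis in.telnetd[10581]: refused connect from AC83B731.ipt.aol.com
Oct 28 13:33:10 memphis in.telnetd[10718]: refused connect from ACA1647D.ipt.aol.com
Oct 28 14:57:35 memphis in.telnetd[10753]: refused connect from fsck.org
Oct 29 09:42:58 memphis in.ftpd[11762]: refused connect from ci59092-a.nash1.tn.home.com
Oct 29 16:52:42 memphis in.telnetd[12001]: refused connect from cx824883-a.omhaw1.ne.home.com
Oct 29 16:58:14 memphis in.telnetd[12002]: refused connect from cx824883-a.omhaw1.ne.home.com
Oct 29 20:27:18 memphis in.ftpd[12139]: refused connect from pD901328A.dip.t-dialin.net
Oct 29 23:05:41 memphis in.ftpd[12242]: refused connect from ci59092-a.nash1.tn.home.com
Oct 30 08:31:52 memphis in.telnetd[364]: connect from boudin
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_MESSAGES.splitlines() + SAMPLE_SECURE.splitlines())
    for (prog, peer), n in s["refused"].most_common():
        print("%2d refused %-11s %s" % (n, prog, peer))
    print("accepted:", s["accepted"], "su to root:", s["su_root"], "leases:", s["dhcp_leases"])
```

Note that the syslog prefix carries no year, so the examiner has to supply it from file timestamps or rotation; the regex deliberately leaves `ts` as the raw string rather than guessing one.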
Snip of output from last
golden ttyp1 boudin Thu Jan 31 20:54 - 20:55 (00:00)
golden ttyp1 dsl-216-227-105- Wed Jan 30 20:05 - 21:14 (01:09)
golden ttyp0 bluelu Wed Jan 30 19:18 - down (1+01:37)
golden ttyp1 bluelu Thu Jan 24 16:46 - 08:06 (15:19)
golden ttyp0 moe.cs.uno.edu Thu Jan 24 13:56 - 15:09 (3+01:13)
golden ftp moe.cs.uno.edu Wed Jan 23 18:10 - 18:11 (00:01)
golden ttyp0 bluelu Mon Jan 14 15:40 - 22:19 (5+06:38)
golden ttyp1 foxglove.cs.uno. Sun Jan 13 07:51 - 08:10 (00:19)
golden ttyp0 bluelu Fri Jan 11 23:43 - 00:54 (2+01:11)
golden ttyp0 bluelu Thu Jan 10 11:55 - 21:57 (1+10:02)
golden ttyp0 bluelu Tue Jan 8 15:44 - 16:38 (00:53)
golden ttyp0 bluelu Tue Jan 8 13:25 - 13:43 (00:17)
golden ftp bluelu Sat Jan 5 23:29 - 23:29 (00:00)
golden ttyp0 bluelu Sat Jan 5 06:50 - 16:20 (2+09:29)
golden ftp bluelu Fri Jan 4 18:19 - 18:20 (00:00)
golden ttyp0 bluelu Fri Jan 4 08:08 - 18:21 (10:13)
root tty1 Thu Jan 3 22:25 - down (27+22:30)
reboot system boot Thu Jan 3 22:04
golden ttyp0 bluelu Thu Jan 3 21:52 - 22:02 (00:10)
Time
Timestamps are often crucial in forensics analysis
– Determining who was using a system
– Determining if a system has been compromised
– Determining when files were downloaded, modified, organized
– Establish whether a person could have actually committed a computer crime
– Establish validity of alibis
Lots of chances for error in timestamps
– Routers may have incorrect time
– Machines performing logging may have incorrect time
– Extreme care needed to ensure correct timezone
– Many times are reported in GMT, not in local time
– User may change, e.g., using “touch” command
Correlation of timestamps on machines in a network attack is difficult due to the problems above
“MAC” Analysis
M – modification time (“write” time)
A – access time (“read” time)
C – creation/changed time
FAT: modified (“M”), accessed (“A”), created (“C”)
NTFS: modified (“M”), metadata changed, accessed (“A”), created (“C”)
Unix: modified (“M”), accessed (“A”), metadata changed (re-use of inode) (“C”), deletion
FAT MAC Analysis
Basic rules:
– Only modification time is required to be correct
– Access (“A”) date is optional, access time doesn’t exist
– File creation (“C”) == creation or copy of file
– Move/rename is not creation
– New file creation counts as a write (changes “M”)
FAT MAC (2)
Timestamp update algorithms:
Create file
– All timestamps set to current time
Copy file
– Last access on source is updated
– Last access and creation on target set to current time
– Last modified for target is same as source
– Thus (“C”) > (“A”)
Move file within same volume
– Last access doesn’t change
Move file outside volume
– Last accessed time is updated
– Thus (“A”) DATE >= (“C”) DATE
For directories, creation date is correct, but other dates do not seem to follow a reasonable update pattern
Deletions don’t update times, so can’t determine deletion date
NTFS MAC Analysis
Basic rules:
– File creation (“C”) == creation or copy of file
– Move/rename is not creation
– Changing attributes of files leaves “M” alone
– “Metadata changed” timestamp is modified when file attributes change
• Brian Carrier has also observed that this timestamp changes when a file is opened but not modified
• Changed when a file is renamed or moved within the same volume
• Doesn’t appear to change when file is moved to a different volume
– Accessed (“A”) changes when file data or attributes are viewed
File deletion doesn’t seem to change timestamps in a useful way, so can’t determine deletion date
NTFS MAC (2)
Timestamp update algorithms:
Create file
– All timestamps set to current time
Copy file
– Last access on source is updated
– Last access and creation on target set to current time
– Last modified and metadata changed on target are copies of source values
– Thus (“C”) > (“A”)
Move file within same volume
– Last access and metadata changed are set to current time
Move file outside volume
– Last accessed time is updated
– Thus (“A”) > (“C”)
File created or deleted within a directory
– Last modified for directory set to current time
NTFS MAC (3)
Contents of directory listed
– Last access for directory is set to current time
Directory is copied
– All timestamps on target are set to current time
Directory is moved to different volume
– All timestamps on target are set to current time
Directory is moved within volume
– Last access and metadata changed are set to current time
– Other timestamps remain unchanged
ext2/3 MAC Analysis
Timestamp update algorithms:
Create file
– All timestamps set to current time, delete time is set to 0
– Parent directory’s modification and create times are changed
Copy file
– Last access on source file and directory is set to current time
– Last access, modification, and creation on target set to current time
– Last modified and creation on target directory are changed
Move file within same volume
– Source directory access, modification, and creation times are updated
– File’s creation time is updated, but modification and access times remain unchanged
– Target directory has updated modification and creation times
Move file outside volume
– Additionally, original inode is released and gets all timestamps set to current time (including delete)
Directory listings modify accessed time, otherwise as above
Windows: Command Line
Limited usefulness:
– e.g., dir /s /od /tc \windows
Problem is that timeline is fragmented on a directory by directory basis
mac.pl was a popular Perl script for extracting MAC timelines under Windows, but seems to have disappeared…
FTK/Winhex
Pretty simple—simply open a case, and use the File Explorer’s modify/create/access times to sort the files… on USBKEY.dd
Similar with Winhex on USBKEY.dd
USBKEY.dd created via:
– dd if=\\.\j: of=USBKEY.dd on XP
Unix Command Line
Simple timelines (on one time dimension) possible with, e.g., “ls -ltr”
Useful, but there’s a good trick when it’s likely that a user has modified MAC info (easy to do under Unix w/ touch command)
“ls -li” will display inodes associated with files
– MUCH harder to fake
Demo: “ls -ltr” vs. “ls -i | sort” printouts
Which is the single file that doesn’t belong?
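As an added example (not from the slides), the two ideas of this slide and the "dir /s" slide before it in Python: one M/A/C timeline over a whole directory tree, so the result is not fragmented per directory the way dir or ls output is, plus an inode-ordered view for the "ls -i | sort" cross-check. demo_tree() constructs a throw-away directory in which one file has been back-dated with os.utime(), which is what touch does; the function names and the output layout are mine. On Unix the "c" here is the inode change time, which utime cannot set, so a file whose M and A say 2001 while C says today is exactly the kind of mismatch the slide has in mind.

```python
# Added example: whole-tree M/A/C timeline and inode ordering (mactime / "ls -i | sort" idea).
import os
import tempfile
import time
from collections import namedtuple

Event = namedtuple("Event", "ts mac inode size path")

def build_timeline(root):
    """One Event per (file, timestamp kind) for every regular file under root, oldest first."""
    events = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                      # lstat: do not follow symlinks
            for mac, ts in (("m", st.st_mtime), ("a", st.st_atime), ("c", st.st_ctime)):
                events.append(Event(ts, mac, st.st_ino, st.st_size, path))
    return sorted(events)                            # by time, then m/a/c, then inode

def render(events, root=""):
    """Text lines in the spirit of mactime output: UTC time, which timestamp, inode, size, path."""
    lines = []
    for e in events:
        shown = os.path.relpath(e.path, root) if root else e.path
        lines.append("%s %s %8d %7d %s" % (
            time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(e.ts)), e.mac, e.inode, e.size, shown))
    return lines

def inode_order(root):
    """(inode, mtime, path) sorted by inode: the "ls -i | sort" view, which touch cannot rewrite."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            rows.append((st.st_ino, st.st_mtime, path))
    return sorted(rows)

def demo_tree():
    """Constructed sample: two files, one back-dated with os.utime() the way touch -t would."""
    root = tempfile.mkdtemp(prefix="mac_demo_")
    recent = os.path.join(root, "sub", "notes.txt")
    backdated = os.path.join(root, "report.txt")
    os.mkdir(os.path.dirname(recent))
    with open(recent, "w") as f:
        f.write("recent")
    with open(backdated, "w") as f:
        f.write("old?")
    os.utime(backdated, (1000000000, 1000000000))   # A and M now claim 2001-09-09; C still says now
    return root, backdated, recent

if __name__ == "__main__":
    root, backdated, recent = demo_tree()
    for line in render(build_timeline(root), root):
        print(line)
    print("inode order:", [(ino, os.path.relpath(p, root)) for ino, _, p in inode_order(root)])
```

Reading the rendered timeline, report.txt shows two entries in 2001 and one (its "c") today, while notes.txt has all three clustered at now; sorting by inode instead puts the files in allocation order regardless of what their M and A claim.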
Sleuthkit
Sleuthkit MAC tools (by Brian Carrier) “light up the filesystem”
Idea:
– Create a timeline that begins with the date of creation for the first file of interest…
– …traces all subsequent file access, modification and creation dates…
Good news: Deleting a file counts as a “modification” and often the deletion dates of files can be retrieved
Sleuthkit MAC Tools
Filename-layer MAC information
fix timezone:
# export TZ=CST6CDT
for a single FAT disk image:
# fls -f fat -m / -r image.dd > BODY
for multiple images (OpenBSD):
# fls -f openbsd -m / -r root.dd > BODY
# fls -f openbsd -m /var/ -r var.dd >> BODY
then:
# mactime -h -b BODY
Sleuthkit MAC Tools (2)
Meta-data layer MAC information: MAC information associated with “free” inodes:
# ils -m 128MB.dd > BODY && mactime -h -b BODY | less
or
# ils -f openbsd -m var.dd >> BODY
followed by
# mactime -b BODY > BODY.out
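What mactime does with the BODY file that fls/ils produce, as an added example (not Sleuthkit code): parse body-file lines and fold each file's four timestamps into one sorted timeline with the m/a/c/b column. It assumes the 11-field body layout of current Sleuthkit releases, which differs from the layout the 2006-era tools wrote; the sample body lines are constructed.

```python
"""mactime-style timeline from a Sleuthkit body file (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample body file. Assumed layout (current Sleuthkit):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime  (epoch seconds)
SAMPLE_BODY = """\
0|/etc/passwd|12345|r/rrw-r--r--|0|0|1024|1141200000|1141100000|1141100000|1141000000
0|/home/fred/notes.txt|22222|r/rrw-------|1000|1000|512|1141200000|1141200000|1141200000|1141200000
0|/home/fred/.secret (deleted)|22223|r/rrw-------|1000|1000|64|1141190000|1141195000|1141195000|1141180000
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")
# mactime letters: m = modified, a = accessed, c = metadata changed, b = born (created)
TIMES = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))
# Equivalent of the slide's "export TZ=CST6CDT" (standard time only, no DST handling)
CST = timezone(timedelta(hours=-6), "CST")


def parse_body(text):
    """Parse body-file lines into dicts; blank and '#' comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
        entry = dict(zip(FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            entry[key] = int(entry[key])
        entries.append(entry)
    return entries


def build_timeline(entries):
    """One row per (timestamp, file), ordered by time, with an m/a/c/b column."""
    buckets = defaultdict(dict)            # time -> name -> record
    for e in entries:
        for key, letter in TIMES:
            t = e[key]
            if t == 0:                     # 0 means "no timestamp" in mactime
                continue
            rec = buckets[t].setdefault(e["name"], {"letters": set(), "entry": e})
            rec["letters"].add(letter)
    rows = []
    for t in sorted(buckets):
        for name, rec in sorted(buckets[t].items()):
            e = rec["entry"]
            macb = "".join(ch if ch in rec["letters"] else "." for ch in "macb")
            rows.append((t, macb, e["mode"], e["size"], e["inode"], name))
    return rows


def format_timeline(rows, tz=timezone.utc):
    """Render rows as text lines in the given zone (UTC unless told otherwise)."""
    out = []
    for t, macb, mode, size, inode, name in rows:
        stamp = datetime.fromtimestamp(t, tz).strftime("%Y-%m-%d %H:%M:%S")
        out.append(f"{stamp} {macb} {mode} {size:>8} {inode:>6} {name}")
    return out


if __name__ == "__main__":
    for line in format_timeline(build_timeline(parse_body(SAMPLE_BODY)), CST):
        print(line)
```

The deleted file shows up with its own m/a/c/b rows, which is the "deletion counts as a modification" point from the previous slide.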
Data Hiding
Legitimate OS features
– alternate data streams
– tricky pathnames (“…”)
– …
Deliberate manipulation of low-level filesystem structures
– Unused space in superblock, inode structures
– StegFS
– bmap
– Avoiding fsck w/ journaling filesystems (Knut Eckstein, DFRWS 2005)
Encryption
– Application level
– Filesystem level
– Whole disk encryption
Even stranger places…
– flashable BIOS
– …
File Carving
Goal: recover files or file fragments when file metadata (or filesystem structures) are destroyed
Specify headers, footers, and other characteristics of file formats
Search for these headers, footers on raw disk image
Carve (copy) data into regular files
File carving works well for file formats with well-defined headers and footers or other file format characteristics
More poorly for other file types, such as MP3s
Headers/Footers
JPEG Header: ffd8ffe00010 Footer: ffd9
FFD8FFE000104A46494600010201004800480000FFE11B344578696600004D4D002A00000008000A010F
……
F2B54840253BA4AA67F932C6EE14C4455991B9E2C18FC66BAED9919934BCC4A13AB86CE14B7FFFD9
Interlude: On Good Software Design
Hypothesis: Performance of many current generation digital forensics tools can be drastically improved
Can do a much better job on available hardware
Why?
– Some “quick and dirty” applications become mainstream
• Probably written in a hurry to solve a problem
• No time or resources to improve
• Even if open source, average user may not have capability to fix
– Application is poorly designed or design is dated
– Problem has evolved, but basic design hasn’t…
– Please, please, don’t use Visual Basic for serious apps
– Pre-“terabyte terror” design
A No-brainer Solution
Digital forensics tools move GB of data
Treat digital forensics tools like OS components
Simple lessons from OS internals community:
– Must minimize memory-to-memory copies
– Already have data in a buffer? Leave it there!
– Minimize disk I/O
– Writes more expensive than reads
Faster HW isn’t an excuse for poor SW
Better File Carving
When disk image is on mechanical secondary storage, file carving is I/O bound
I/O statistics:
– Tread: # of bytes to read entire disk image
– Twrite: # of bytes written to carve files
Want to carve files fast? Need to minimize factors for Tread, Twrite
Need sophisticated, binary-capable, string search algorithm
Minimize memory-to-memory copying
Victim: Foremost Internals
Foremost 0.69
Well-known open source file carver
Multiplicative factor for Tread can be very large
Equivalent to tens or hundreds of reads of entire image
Twrite effectively minimized
Excessive memory to memory copying
New File Carver: Scalpel
(My) Requirements:
– Frugal
• don’t want to use expensive machines for file carving—they have better things to do
• run on machines currently stored in the closet
• Pentium II class machine with 256MB of RAM, running a bootable Linux distribution
• handle any size target, subject only to available disk space
– High-performance
• run fast, even on modest hardware
– Support for distributed implementation
"Scalpel: A Frugal, High Performance File Carver," Proceedings of the 2005 Digital Forensics Research Workshop (DFRWS 2005), New Orleans, LA.
Scalpel Internals
Two sequential passes over each disk image
Process disk image(s) in 10MB blocks
Frugal on reads, header/footer searches, mem to mem
Pass # 1:
– Build header/footer databases
– Populate work queues for pass # 2
– Work queue controls carving operations for each 10MB block in pass # 2
Pass # 2:
– Use work queues to carve files as buffers are read
– Use seek operations to skip portions of disk image for which no work is scheduled
At most 2 * Tread
Scalpel Internals (2)
[Figure: a 38MB disk image with chunk boundaries every 10MB, containing a small JPG and a large MPG. Header/footer database: JPG headers: 1,500; footers: 5,000, 6,500. MPG headers: 9,000,000; footers: 26,000,000. GIF headers: none; footers: none. Work queues, one per chunk: STARTSTOPCARVE (start: 1,500, stop: 6,500, name: small.jpg); STARTCARVE (start: 9,000,000, name: movie.mpg); CONTINUECARVE (name: movie.mpg); STOPCARVE (stop: 26,000,000, name: movie.mpg); NULL.]
Tries hard to replace reads with seeks, avoid searching for footers which can’t match a header, …, etc.
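The header/footer carving from the File Carving and Headers/Footers slides, organized as the two passes described for Scalpel: an added example, not Scalpel's or Foremost's code. The JPEG header/footer are the ones on the slides; the GIF rule, the 1KB block size (standing in for 10MB) and the 8KB disk image are constructed, and a header with no matching footer is carved up to its maximum size.

```python
"""Two-pass header/footer carver (added example, Scalpel-style design)."""
import re

# (extension, header, footer or None, max carve size). Sizes are small so the
# constructed image below exercises the "no footer, carve max size" path.
RULES = [
    ("jpg", bytes.fromhex("ffd8ffe00010"), bytes.fromhex("ffd9"), 4096),
    ("gif", b"GIF89a", None, 1024),          # constructed header-only rule
]
CHUNK = 1024                                 # stand-in for Scalpel's 10MB blocks


def pass1_scan(image, rules, chunk=CHUNK):
    """Pass 1: one sequential read; record every header/footer offset per rule."""
    db = {ext: {"headers": set(), "footers": set()} for ext, _, _, _ in rules}
    longest = max(len(p) for _, h, f, _ in rules for p in (h, f) if p)
    carry = b""      # tail of the previous block so a pattern straddling a boundary is seen
    for off in range(0, len(image), chunk):
        buf = carry + image[off:off + chunk]
        base = off - len(carry)
        for ext, header, footer, _ in rules:
            for m in re.finditer(re.escape(header), buf):
                db[ext]["headers"].add(base + m.start())
            if footer is not None:
                for m in re.finditer(re.escape(footer), buf):
                    db[ext]["footers"].add(base + m.start())
        carry = buf[-(longest - 1):] if longest > 1 else b""
    return {ext: {k: sorted(v) for k, v in d.items()} for ext, d in db.items()}


def plan_work(db, rules, image_len):
    """Turn the database into carve jobs (start, stop, name). A footer is only
    considered if it lies after a header, within that rule's max size."""
    work, counter = [], {}
    for ext, header, footer, max_size in rules:
        footers, fi = db[ext]["footers"], 0
        for h in db[ext]["headers"]:
            stop = min(h + max_size, image_len)
            if footer is not None:
                while fi < len(footers) and footers[fi] < h + len(header):
                    fi += 1                   # skip footers that precede this header
                if fi < len(footers) and footers[fi] + len(footer) <= stop:
                    stop = footers[fi] + len(footer)
            counter[ext] = counter.get(ext, 0) + 1
            work.append((h, stop, f"{counter[ext]:08d}.{ext}"))
    return sorted(work)


def pass2_carve(image, work, chunk=CHUNK):
    """Pass 2: read only blocks with scheduled work, seek past the rest."""
    carved, bytes_read, blocks_skipped = {}, 0, 0
    for off in range(0, len(image), chunk):
        end = min(off + chunk, len(image))
        active = [w for w in work if w[0] < end and w[1] > off]
        if not active:
            blocks_skipped += 1               # nothing scheduled: seek, don't read
            continue
        buf = image[off:end]
        bytes_read += len(buf)
        for start, stop, name in active:      # START/CONTINUE/STOP carve of this block
            lo, hi = max(start, off), min(stop, end)
            carved[name] = carved.get(name, b"") + buf[lo - off:hi - off]
    return carved, bytes_read, blocks_skipped


def carve_image(image, rules=RULES, chunk=CHUNK):
    db = pass1_scan(image, rules, chunk)
    return pass2_carve(image, plan_work(db, rules, len(image)), chunk)


def build_sample_image():
    """Constructed 8KB 'disk image': printable filler (never contains ffd9 or
    GIF89a), a complete small JPEG, an orphan footer, a GIF header, and a JPEG
    header whose footer has been overwritten."""
    img = bytearray((bytes(range(0x20, 0x7f)) * 100)[:8192])
    img[500:502] = b"\xff\xd9"                                        # orphan footer
    img[1500:1702] = bytes.fromhex("ffd8ffe00010") + b"X" * 194 + b"\xff\xd9"
    img[3000:3006] = b"GIF89a"                                        # header-only rule
    img[6000:6006] = bytes.fromhex("ffd8ffe00010")                    # footer lost
    return bytes(img)


if __name__ == "__main__":
    files, nread, nskip = carve_image(build_sample_image())
    print({n: len(d) for n, d in files.items()}, "bytes read:", nread, "blocks skipped:", nskip)
```

On this image pass 2 reads 6 of the 8 blocks, so the total I/O is below the 2 * Tread bound from the previous slide.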
Linux: Experimental Setup
P2-350:
– 350MHz Pentium 2 with 512MB of RAM and no swap.
– 4 port ATA-133 IDE controller, 7200rpm 80GB drive for holding carve results.
– Operating System: Knoppix 3.7.
T40p (development system):
– Thinkpad T40p, 1.7GHz Pentium M, with 2GB of RAM and 4GB swap.
– 7200rpm 60GB drive.
– Operating System: RH9 with upgraded 2.40.20 kernel.
Scalpel v1.52
Foremost v0.69
Scalpel Results (1)
Scalpel 1.5 (20MB max) 13s
Foremost 0.69 (1MB max) 12s
Foremost 0.69 (5MB max) 42s
Foremost 0.69 (10MB max) 57s
Foremost 0.69 (20MB max) 1m43s
Table 1. Carving results for 512MB USB key image on T40p. Carving parameters: 1MB / 5MB / 10MB / 20MB JPG and DOC. ~1,100 files carved.
Scalpel Results (2)
Scalpel 1.5 1h33m10s
Foremost 0.69 6h21m54s
Table 6. Carving results for 8GB raw drive (unknown source, no partition table) on P2-350. Carving parameters: 10MB GIF, 10MB JPG, 10MB AVI, 10MB MOV, 10MB MPG, 100K BMP, 5MB DOC, 50MB PST/OST, 50K HTML, 5MB PDF, 200K WAV, 1MB RealAudio, 10MB ZIP. ~52,000 files carved.
Tread + 238,270,750,000 bytes
Big targets, large carve sizes, huge improvement (over 5 hours faster)
Scalpel Results (3)
Scalpel 1.5 2h40m39s
Foremost 0.69 9h50m31s
Table 7. Carving results for 40GB NTFS (from a UNO laboratory) on P2-350. Carving parameters: 10MB JPG, 50MB AVI, 10MB DOC, 50K HTML, 5MB PDF. ~ 72,000 files carved.
Tread + 117,622,357,936 bytes
Big targets, large carve sizes, huge improvement (over 7 hours faster)
To Do (Desperately Needed)
Milestones
– Required: means file format isn’t valid without them
– Confidence increasing: means that seeing these milestones increases confidence that file is correct format
– For latter, encode confidence level in carved file’s pathname or destination directory
First and last block milestones particularly important, help to establish whether file beginnings/ends are “real”
Minimum carve sizes
Output directory splitting (so file browsers don’t die)
Field value sanity checks
Format verification (via file?)
(Optional) interaction with filesystem so undeleted files are not “re-” carved
– e.g., use Sleuthkit
Much harder: support for fragmented files
Fragmented Files: More
What characteristics do individual blocks of fragmented files have?
JPG, ZIP, other compressed formats: not much?
PDF, Word, etc.: tags
Byte frequency analysis for individual blocks?
n-gram analysis?
Easy fragmentation: Linear: 1-2—3-4
Harder: Jumbled: 4—3—1-2
How to reassemble properly?
O(N!) to try all possible combinations…need to do a better job
Carving: General Problem
More generic description useful for identifying non-hacking solutions
e.g., Hidden Markov Models (HMMs), Support Vector Machines (SVMs), other supervised learning stuff
Targets:
– Whole files
– Fragments
General (1)
Basic issues:
– I'm carrying a bunch of things of types X1, ... XN
– I drop the various items of types {Xi} in a pot filled with random "garbage" items of various sizes and swirl everything around
– Some of the things in the pot, on a quick glance, may look like an Xi, but in fact be random garbage--a deeper analysis should reveal this
– Some of the items I've dropped in the pot "break"--some of their heads or tails come off
– Some breakage is major--the items "shatter" and pieces mix with the random garbage
– Good news is that all of the broken pieces are the same size
– This is what a hard drive that's been formatted, but still contains data, looks like
– You've lost all the identities of the files and some files may be fragmented or partially overwritten.
– Need to reconstruct as many files as possible
General (2)
For some sort of model (HMMs, whatever) that has seen a bunch of exemplars of X:
– is this new thing an X?
– is this new thing a *piece* of an X?
– if it's a piece, can I tell where it goes in an X?
General (3)
For whole files of type X, need to automatically generate a template that describes what it means to be an X
– strings at fixed locations
– strings that float around in the middle of the file somewhere but are always there for this file type
– strings that aren't necessarily in a file type X but increase your confidence that the file being scrutinized is an X
For current generation tools, this analysis is done manually
Too much work, too error-prone
General (4)
For random files f, is f an X?
If f doesn't meet the criteria established in the template [perhaps because the file is damaged], how confident are we that the file might still be an X or that it absolutely isn't an X?
Currently, left to the human operator to sift through things that are potentially X's, because the tools are too stupid to eliminate things that "sort of" resemble X's but really aren't
General (5)
For an individual disk block with no other context, does the disk block belong to a file of type X?
For some file types, e.g., compressed file types such as JPEG, probably impossible in the general case, but some other files may have identifiable structure
Finally, given that we've determined that a set of disk blocks used to belong to files (there's probably not just one source file--but rather a pile of blocks from many files) of type X, can the blocks be sampled somehow and reassembled in their correct order?
Hiding Data in Slack Space w/ bmap: File carving won’t help!
[Figure: three files whose slack space holds pieces of a hidden message ("pa…ssword is frid…ay") spread across them: a letter ("Dear Mom, Dropped the hamster. Didn't mean to kill Herbie!"), a letter ("To Whom It May Concern: … Best, Fred"), and a C source file ("#include … void zapQ(void);").]
tools for creating a simple filesystem in slack space
Forensics Analysis of Portable Devices
Palm, Pocket PC, Blackberry + variants
Variants include telephone/PDA combos
Available software to assist in forensics investigation includes:
– pdd (“Palm dd”)
• Palm only, no longer under development
– Paraben’s PDA Seizure (industry leader?)
• Palm, Pocket PC, Blackberry
• Incorporates pdd
Often best solution is to attack the peer of the PDA—examine the laptop or desktop that provides HotSync/ActiveSync capability
Most data stored on the PDA will be stored on the peer
Watch out for 3rd party synchronization tools, which may place PDA data in “non-traditional” locations
Palm Forensics
Palm memory organized into “cards”
Card 0 is internal memory
Other cards, e.g., “Card 1”, are removable devices such as CF/memory sticks/etc.
Typically, no traditional filesystem, though later Palm OS versions support traditional filesystems through VFS (Virtual File System manager)
Good news: fixed locations for many types of data
Data stored in databases
Header on database contains the creation, modification, and last backup times
Database times can be changed and shouldn’t be considered definitive
Palm Forensics (2)
Palm database types:
– PRC: code + user interface == an application
– PDB: database containing records which hold application/user data (e.g., contact list)
– PQA: WWW content for web clipping applications
Palm Forensics (3)
Palm: Significant events
Letting batteries die == loss of volatile memory
– On older Palms, this means that virtually all user data + installed applications are permanently lost
– On newer Palms, e.g. UX-50 from Sony, system automatically backs up volatile memory and can restore after complete power drain
Hard reset
– Device restored to initial state, all content of Card 0 lost
– CF/Memory stick storage, etc. is unaffected
Soft reset
– Memory cleanup == some deleted material likely to be lost
– Database items marked for deletion are removed
Hotsync
– Items marked for deletion are removed
Palm Forensics: Passwords
On older Palms (OS 4 and prior), password storage scheme is poor and can easily be broken
– Important: device can be placed into debug mode on older Palms, bypassing the power-on password
– XOR of password with constant block, hash can be recovered
For newer Palms, not easy
– Password storage is secure
– “Cannot” bypass power-on password
Palm: Debug mode
Key to “invasive” Palm forensics is Palm’s debug mode
Allows serial/USB interface to a Palm, memory can be dumped
Entered by issuing a special Graffiti sequence
Terminated via a soft reset
Both pdd and Paraben’s tools use debug mode
Implication of final soft reset: Get the imaging right the first time—some data will be lost during the soft reset that terminates debug mode!
pdd
Provides a bunch of information about the Palm under investigation
E.g., from “investigation” of Palm 505 by Joe Grand, author of pdd
Current Time: Tue Mar 05 16:34:39 2002 UCT
Card Number: 0
Card Name: PalmCard
Manufacturer: Palm Computing
Card Version: 0001
Creation Date: Thu Dec 10 16:10:14 1998 UCT
Palm OS Version: 3.1.0
Processor Type: Motorola DragonBall 68EZ328
RAM Size: 2097152 bytes
Free RAM: 2042784 bytes
ROM Size: 2097152 bytes
ROM Used By OS: 1212412 bytes
Flash ID: 10FF1C795R3G-D
Image Output File: Standard output
Image Memory Type: RAM
Starting Address: $00000000
Allows dump of Palm memory, but interpreting the image is largely up to you (the investigator); use strings command, etc.
Blackberry
Networked email appliance + PDA
Password protects *data* in phone
Forgot (or don’t know the password)?
Enter an incorrect one 10 times and Blackberry erases data and allows access to phone
Password storage is a SHA-1 hash of password on the device
No known way to defeat password protection on Blackberry
When powered on, Blackberry may send queued data items if it has access to the network
– Perform analysis in a shielded area
Software to cause commands to be executed via email exists– Owner may circumvent investigation
SDK provides ability to save data “outside” the file system which will survive a device reset
Smartphones
Example from Kyocera QCP 6035 smartphone (Joe Grand, author of pdd)
– Web browser cache (plaintext HTML documents)
– E-mail with full header information and attachments
– Scripts and passwords for network connections
– Call History and Recent Calls database (incoming, outgoing, and missed calls)
– Speed Dial database (199 commonly dialed numbers)
– Voice Dial database (30 commonly dialed names/voice tags)
Other PDA-related stuff
Blackberry investigation:
– http://www.rh-law.com/ediscovery/Blackberry.pdf
Cracking (older) Palm passwords:
– Kingpin, “Palm OS Password Retrieval and Decoding,” September 2000, www.atstake.com/research/advisories/2000/a092600-1.txt
Open source tools for connecting Palm to Linux
– http://www.pilot-link.org/
General Palm security badness
– Kingpin & Mudge, “Analysis of the Palm Operating System and its Weaknesses Against Malicious Code Threats,” USENIX 10th Security Symposium, August 2001, www.atstake.com/research/reports/security_analysis_palm_os.pdf
Original pdd paper
– J. Grand, “pdd: Memory Imaging and Forensic Analysis of Palm OS Devices,” Proceedings of the 14th Annual Computer Security Incident Handling Conference, Waikoloa, Hawaii, June 2002, also @ www.grandideastudio.com.
NIST guidelines for PDA seizure and analysis
– http://csrc.nist.gov/publications/nistpubs/800-72/sp800-72.pdf
Cell Phone Forensics
Some high-level data can be retrieved via the phone’s OS:
– Web browser cache (plaintext HTML documents)
– E-mail with full header information and attachments
– Scripts and passwords for network connections
– Call History and Recent Calls database (incoming, outgoing, and missed calls)
– Speed Dial database (commonly dialed numbers)
– Voice Dial database (commonly dialed names/voice tags)
Low-level stuff
– Deleted SMS messages
– Deleted cache documents
Can require really nasty de-soldering techniques
– “Ball Grid Array Technology”
“Forensic Analysis of Mobile Phone Internal Memory” (Svein Willassen), Proceedings of the International Conference on Digital Forensics (IFIP 2005).
Practical Cryptography for Digital Forensics
Steganography
Cryptographic hashes/message digests
Private key systems
Public key systems
Focus: Practical aspects, impact on digital forensics investigations
Steganography: Basics
Techniques for hiding information within other information
Tattoos
Text on wood under wax layer on a wax tablet
“Invisible” ink (e.g., lemon juice)
Writing poetry or prose where the last letter of each word is a letter in a message
“microdot” technology: photographs shrunk to the size of a period
Now typical: hide documents w/in an image or other document
Least significant bit encoding, masking of bits, more sophisticated methods
Generally encryption is also employed—helps to scramble bits of hidden document within container document
Stego (2)
Stego (3)
Stego (4)
Statistical analysis by “stegdetect” guesses correctly that something is hidden. But jphide uses Blowfish to scramble the order of embedded data, so successful extraction is very unlikely.
Slipped inside the 2nd cactus picture by “jphide”…
Embedding in this case is not obvious (visually)…and image w/ embedded Golden is actually smaller (in bytes) than original
Stego (5)
[Figure: “bomb” diagram with labelled Core and Igniter]
This “bomb” diagram, however, is not detected.
Stego: In Detail
Background:
– “Hide and Seek: An Introduction to Steganography” (Provos, Honeyman)
– “Defending Against Statistical Steganalysis” (Provos)
Idea: Hide information, hide the fact that communication is taking place
A covert communication channel
Classical methods depended on hiding the mechanism
Modern mechanisms employ, e.g., encryption, to make extraction of the hidden information difficult
To improve security, nice to be able to make it difficult to detect that stego is in use…
…in addition to making extraction difficult
Can increase level of plausible deniability by embedding multiple information sets in a target
Stego Detail (2)
One goal: detect changes to a target that indicate stego is in use
– Seek out traces of ‘invasive’ manipulation of bits in the target
Opposite goal: reduce traces of invasive manipulation to the point where tests for stego fail
– Careful embedding: try not to change statistical characteristics of target “container”
Stego: Embedding
Idea: identify ‘redundant’ bits that can be used to hide information
Want changes to target to be as invisible as possible…
…both in terms of what a casual user would see
– Image not changed so dramatically that it looks suspicious
…and what a detailed study reveals
– e.g., don’t want to be ‘busted’ by statistical tests
Stego: Embedding (2)
1. Choose redundant bits
2. Select bits in which hidden information will be placed
3. Choose order in which redundant bits will be used
Need to take care that bits are “locked” as necessary to enable embedding of multiple hidden streams
Want to spread hidden info across the entire space of redundant bits, avoid “clustering”
– e.g., don’t simply dump hidden info at beginning or end of JPEG file
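The three embedding steps above, plus the statistical trace that a stegdetect-style test looks at, as an added example (not code from any of the tools named on these slides): least-significant-bit embedding in a key-derived order over a constructed 8-bit "cover", and the chi-square statistic over value pairs (2k, 2k+1) before and after. The cover, key and payloads are constructed; a uniformly random payload stands in for encrypted data.

```python
"""Keyed LSB embedding and the pairs-of-values chi-square statistic (added example)."""
import random


def make_cover(n=20000, seed=7):
    """Constructed 8-bit 'cover image': within each value pair (2k, 2k+1) the odd
    value is deliberately rarer (LSB is 1 only a quarter of the time). Unequal
    pair counts are what the chi-square attack assumes of an untouched cover."""
    rng = random.Random(seed)
    return [2 * rng.randrange(128) + (1 if rng.random() < 0.25 else 0) for _ in range(n)]


def random_payload(n, seed):
    """Constructed stand-in for an encrypted payload: uniformly random bytes."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))


def keyed_order(n, key):
    """Step 3: the order in which the redundant bits are used comes from a key,
    spreading the payload across the whole cover rather than clustering it."""
    order = list(range(n))
    random.Random(key).shuffle(order)
    return order


def embed(cover, payload, key):
    """Steps 1-2: the redundant bits are the LSBs; a 16-bit length prefix plus the
    payload is written one bit per pixel, in keyed order."""
    data = len(payload).to_bytes(2, "big") + payload
    bits = [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("payload larger than the cover's LSB capacity")
    stego = list(cover)
    for pos, bit in zip(keyed_order(len(cover), key), bits):
        stego[pos] = (stego[pos] & ~1) | bit
    return stego


def extract(stego, key):
    """Read back with the same key; None if the length prefix is not plausible."""
    order = keyed_order(len(stego), key)

    def read(count, start):
        value = 0
        for i in range(count):
            value = (value << 1) | (stego[order[start + i]] & 1)
        return value

    length = read(16, 0)
    if 16 + 8 * length > len(stego):
        return None
    return bytes(read(8, 16 + 8 * i) for i in range(length))


def pairs_chi_square(pixels):
    """Chi-square over value pairs (2k, 2k+1). Filling every LSB with random-looking
    bits pushes each pair toward equal counts and the statistic collapses; a small
    payload barely moves it, which is why low bitrate embedding is hard to detect."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    stat = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            stat += (even - expected) ** 2 / expected
    return stat


if __name__ == "__main__":
    cover = make_cover()
    small = embed(cover, b"meet at noon", "constructed-key")
    full = embed(cover, random_payload(2498, 3), "constructed-key")   # fills all 20000 LSBs
    for label, img in (("cover", cover), ("small payload", small), ("full payload", full)):
        print(f"{label:14} chi-square = {pairs_chi_square(img):8.1f}")
```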
Stego: Embedding (2)
Requirements (Zollner):
– Secret key used to embed the hidden information remains unknown to adversary
– Adversary does not know the original cover medium
Second requirement means that access to original media, without embedding, is prevented
Otherwise, comparison of two copies (one ‘pure’, one with embedding) will raise suspicion
One method: Use a digital camera to take an image, embed secret information, securely delete the original image from the original media (e.g., memory stick or Compact Flash card)
Stego: Popular Tools
Outguess (more resistant to detection than many other tools)
– See www.outguess.org
– (But it’s been “broken”—pointers are also on that page)
jphide/jpseek
– Freeware, detectable
Stegdetect
– Primary open-source detection software
Stego: Opinions [mine]
Tests for “good” stego involve complicated statistical tests
State-of-the-art stego software isn’t as brain-dead as the first generation and does a pretty good job of avoiding detection, if # of bits stored is small
For digital forensics, detection of stego may be essentially an interesting diversion
How useful is detection likely to be?
Maybe not that useful
Why?
Opinions (2)
Detection vs. Extraction
If embedded bits are scrambled using high-quality encryption algorithms (e.g., Blowfish or RSA), then extraction is essentially as hard as breaking the corresponding encryption
If you have an RSA key (e.g., on a seized floppy) and you’re looking for a “lock” to plug the key into…
Then maybe it makes more sense
The bad news is that low bitrate covert channels are essentially impossible to detect
– A snapped branch on a tree
– A gate left open
– An attempted login with an improper username, from a random machine
– Ordering a large cappuccino with 2 extra shots
– A few bits of information embedded in an image
In critical cases, attacks on stego may be worth it
Encryption: Basics
Types of algorithms
– Public key
• encryption/decryption keys different
– Private key
• encryption/decryption keys the same
– Algos for digital signatures (for authentication)
– Cryptographic hash functions
– Message digest algorithms
– …
Further..
– Restricted (no access to details, may have to discard technique if details become known!) --or--
– Open (details available, everyone gets to try to break)
– Open is generally accepted to be a better idea (except by NSA)
Encryption: Basics (2)
“Strength”
– Key secrecy
– Difficulty of doing a key search
– Difficulty of breaking the encryption algorithm
– Indifference to properties of plaintext (same preface, etc.)
– Resilience to a variety of attacks
• differential cryptanalysis
• power analysis
– Implementation issues are another story…notoriously difficult to get right!
More on Asymmetric vs. Symmetric
Asymmetric algos permit the encryption key to be public
Advantage: Anyone can encrypt using public key, only intended recipient can decrypt (using private key)
Asymmetric generally MUCH slower
Symmetric faster, but key management is a pain (need mechanism for pushing around shared secret)
In either event, there are blobs of human-unfriendly bits (keying material) that need to be stored somewhere
Recall that public and private key encryption can be used together…
Use public key algo to encrypt a “session key” which is used in a symmetric algo for encryption of a data stream
Popular Encryption Packages
PGP (Pretty Good Privacy)
– Free version available with limited features
– www.pgp.com
– Don’t attack encryption algo directly…
– Password Recovery ToolKit (PRTK) can attack passphrases that protect keyrings
– Consider downloading extra dictionaries!!
TrueCrypt (whole disk)
ScramDisk (whole disk)
FineCrypt
– Freeware, but with some limitations
– Commercial removes limitations on # of files to encrypt at a time, etc.
– AES, Blowfish, CAST-256, GOST, IDEA, MARS, RC-6, Serpent, TripleDES and Twofish
– www.finecrypt.net
– Good integration with Windows Explorer
– Careful to delete original files after encryption (includes secure wipe, tho)
Encryption in a Forensics Investigation
If the encryption schemes are awful, there’s hope
– e.g., XOR-ing against a constant bitstream
– Character substitution (Outlook), etc.
But good, easy-to-use packages exist
No keying material == big trouble for investigator
Good news: copies or fragments of unencrypted files may be available
– Temporary files
– Print spool files
Social engineering
Search for slips of paper
Search for unencrypted password lists
Encryption in Investigation (2)
Keystroke logging to capture keying material
Investigation of media that may hold keys (e.g., floppies, ZIP disks, thumbdrives, etc.)
Search PDAs, phones, and organizers for passwords
On some systems (e.g., Windows 2000: administrator), a “recovery agent” is able to read all encrypted files
Software or hardware keystroke loggers
If the file can’t be decrypted, the name of the file may still be useful in prosecution
Live process memory captures during triage
Encryption in Investigation (3)
Windows: may be possible to use a combination of pstools + pmdump, if machine is still running
Idea: dump memory of apps handling encryption and analyze
See “Practical Approaches to Recovering Encrypted Digital Evidence” (Eoghan Casey, International Journal of Digital Evidence, Fall 2002)
Available @ www.ijde.org
Linux: mem interface through /dev/kmem and /dev/mem
Windows Memory Dump to Defeat Encryption
[Figure: screenshots of the process info, the memory dump of the encryption application, and the plaintext recovered from the dump]
Cryptographic Hashing
Generate electronic “fingerprints” for either individual files or logical/physical devices
File, Partition, Entire Physical Device
Several forensics-related purposes for hashing:
– Establish that evidence has not been altered
• Hash evidence before analysis, hash after analysis
– Quickly and automatically find files of interest
• Have set of hash values for files of interest
• Compute hash values for all files on a device
• Matching files can either be targeted for investigation, or for ignoring…
Explaining Hashing to Non-techies
Generally, the fingerprint analogy is used
Fingerprints identify human beings as cryptographic hashes identify files
Human changes hair style, paints toenails, wears a funny hat… fingerprints don’t change
Filename gets changed, location of file is changed (e.g., file is copied to a removable drive)… cryptographic hash doesn’t change
Stronger identification than fingerprints, in some sense
Even one bit of file content changing—even an “insignificant” bit…completely changes the “fingerprint”
Hashing Tools
Typical algorithms: MD5, SHA-1
Examples:
Windows and Unix:
C:> md5sum golden.jpg
b28f08b004a7251a418e089ef3bb7409 *golden.jpg
C:> rename golden.jpg winword.exe
C:> md5sum winword.exe
b28f08b004a7251a418e089ef3bb7409 *winword.exe
Unix:
[root@tasso root]# openssl dgst -sha1 md5deep-0.16.tar
SHA1(md5deep-0.16.tar)= db1573b7c2dfcf36f51d9fde93d8a9c572a9407b
[root@tasso root]# openssl dgst -md5 md5deep-0.16.tar
MD5(md5deep-0.16.tar)= a7891c1fd96a457c16266efb2f577269
Aside: NSRL
NSRL: National Software Reference Library
http://www.nsrl.nist.gov
As of December, 2003:
– 3,800+ software packages
– Over 17,000,000 files
Includes:
– Consumer software
– Development software
– Cracked software
– Malicious software (“malware”)
Hashes for every file in each packageSee: http://www.nsrl.nist.gov/documents/aafs2005/aafs2005.pdf
NSRL Uses
Automatically eliminate as many known files as possible from the examination process
Example: From NSRL slides, Win2K contains almost 6,000 graphics files
Use of NSRL can eliminate need to examine these files (at all)
Discover “known” filenames whose contents aren’t the expected ones
Identify origins of files
Identify presence of “malicious” files
Hashing: Concerns
Hashing algorithms aren’t infallible—chance of 2 different files hashing to the same hash value (“collision”) is non-zero
Why?
Finite number of bits in the hash, potentially infinite number of different files which could be used for input
Want to use algorithms that minimize collisions, but the harm that unintentional or intentional collisions cause varies depending on what hashing is being used for
Hashing: Concerns (2)
(1) For hashing of individual files, e.g., to discover ‘contraband’ files by matching hashes of unknown files with a dictionary of known hashes…
– Less concern that collisions might result in persecution of an innocent party
– Why?
– Hashes primarily used in this context to quickly discover potential evidence
– Evidence (e.g., child pornography or nuclear secrets) will be verified once discovered
– If a collision occurs and an “innocent” file is flagged as contraband, examination of the file will close the matter
– Major concern: utility of hashing is limited by the very power of the hashing functions: a small change in a file yields a completely different hash…
– Criminals need only change one bit in a target file (e.g., a contraband image) to render hashing worthless…
Hashing: Concerns (3)
Will criminals bother to change a bit in an image file to defeat hashing?
Suspicion: Maybe.
But a criminal with enough technical literacy to understand that changing a single bit defeats hashing will take far stronger measures, because she understands the danger of having the computer captured
Defeating hashing doesn’t end the matter: powerful thumbnail viewers can still allow an investigator to target ‘contraband’ images
And we hope that we can come up with more powerful techniques than looking at miniaturized images…
Suspicion: Hashing isn’t dead, and measures other than hacking bits, such as strong encryption, are much more likely to make our lives difficult
Hashing: Concerns (4)
(2) For hashing entire drives to show that evidence has not been fabricated…
– Concern that evidence might be altered to persecute an innocent party and hashes used to prevent detection of the alterations
– Why?
– Hashes primarily used in this context to show that evidence is genuine
– If an investigator can hash a drive yielding hash H1…
– …change contents of the drive to introduce evidence…
– …then modify other portions of the drive (e.g., slack space) to force hashing of the modified drive to yield H1…
Easier to do with simple checks like checksums or CRCs
These mechanisms are primarily to guard against accidental errors (e.g., transmission errors on a serial line)
MD5, SHA-1 and other cryptographic hash functions are more complex…very difficult to deliberately (or accidentally!) generate useful collisions
Hashing: More Details
Hash functions operate on blocks of data to yield an n bit output
128 bits of output for MD5, 160 bits for SHA-1
Requirements for a hash function H (from Stallings, Cryptography and Network Security, 3e):
– H can be applied to data of any length
– H produces a fixed-length output
– H(x) is relatively easy to compute for any given x; that is, both software and hardware implementations are feasible
– For a given hash value h, it is computationally infeasible to find x such that H(x)=h
– For any given data x, it is computationally infeasible to find y ≠ x such that H(y)=H(x) [weak collision avoidance]
– It is computationally infeasible to find any pair (x, y) such that H(x) = H(y) [strong collision avoidance]
NON-trivial to create useful hash functions
Hashing: A Goofy Attempt
For an n-bit hash function, why not process input in n bit blocks, xor-ing each block to obtain the hash value?
Goofy (2)
Doesn’t work well (at all)
Given h=H(x), where H is the xor-ing hash function described previously, can force a collision for data y by appending an n bit block that forces the xor operation to yield h:
– e.g., can force h=H(x) = H(y . block)
Good hash functions will generate significantly different hash values if even a single bit in the input changes
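The “goofy” xor hash and the appended-block collision from the two slides above, as an added example that is not code from the slides; the block size of 16 bytes, the sample inputs and the MD5 comparison in the avalanche check are choices made for this demo.

```python
import hashlib

N = 16   # block size in bytes; the digest is 16 bytes (128 bits), like MD5

def xor_hash(data: bytes) -> bytes:
    """The slide's 'goofy' hash: split the input into N-byte blocks and xor them.
    The final block is zero-padded so inputs of any length are accepted."""
    acc = bytes(N)
    for off in range(0, len(data), N):
        block = data[off:off + N].ljust(N, b"\x00")
        acc = bytes(p ^ q for p, q in zip(acc, block))
    return acc

def collision_suffix(target: bytes, y: bytes) -> bytes:
    """Suffix that makes xor_hash(y + suffix) == target: zero-pad y to a block
    boundary (which leaves its xor hash unchanged), then append xor_hash(y) xor target."""
    pad = b"\x00" * (-len(y) % N)
    h_y = xor_hash(y + pad)
    return pad + bytes(p ^ q for p, q in zip(h_y, target))

def bits_changed(h1: bytes, h2: bytes) -> int:
    """Hamming distance between two equal-length digests."""
    return sum(bin(p ^ q).count("1") for p, q in zip(h1, h2))

def avalanche_demo(x: bytes):
    """Flip one input bit and measure how far each digest moves: the xor hash
    moves by exactly one bit, MD5 by roughly half of its 128 bits."""
    x2 = bytearray(x)
    x2[0] ^= 0x01
    x2 = bytes(x2)
    return (bits_changed(xor_hash(x), xor_hash(x2)),
            bits_changed(hashlib.md5(x).digest(), hashlib.md5(x2).digest()))
```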
MD5 (Some) Details
Start with b bits of input
Pad input so that length is 64 bits short of being a multiple of 512
A 64 bit integer representing b is appended to the input (that is, length before padding is attached to end of padded input)
Now input’s length is a multiple of 512
4 rounds of computation for each 512 bit block of the input
– 128 bit hash value broken into (4) 32 bit words (A, B, C, D)
– A, B, C, D statically initialized before first round
– Each round processes A, B, C, D with current 512 bit input and a different logic function (F, G, H, I in the diagrams) + a T function based on sin()
– 16 operations per round
Non-intuitive
MD5 (diagram slide)
MD5 (diagram slide; label: “Working value for the hash”)
SHA-1
“Secure Hash Algorithm”Developed by NIST and NSA ~ 1993SHA-1 ~ 1994, result of unpublished weakness discovered in SHAInput less than 2 ** 64 bits 160 bit hashUsed in DSS (Digital Signature Standard)
SHA-1 “Broken”
Details are sketchy as this is written…
The full paper describing the attack hasn’t been released
Punchline: in 2 ** 69 steps rather than 2 ** 80 steps (brute force), can find 2 messages M1, M2 such that:
– sha1(M1) == sha1(M2)
Not yet important for digital forensics, but the major concern is that this is a first step toward much more serious weakening of SHA-1
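Why brute force for a 160 bit hash is 2 ** 80 steps rather than 2 ** 160, as an added example that is not part of the slides: the “birthday” bound, demonstrated empirically on SHA-1 truncated to 24 bits (the truncation, the deterministic message sequence and the search limit are choices made for this demo).

```python
import hashlib
import math

def truncated_sha1(msg: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-1 as an integer: a short hash we can collide quickly."""
    digest = int.from_bytes(hashlib.sha1(msg).digest(), "big")
    return digest >> (160 - bits)

def find_collision(bits: int, limit: int = 1 << 22):
    """Hash distinct messages until a truncated value repeats.
    Returns (m1, m2, trials) or None if the limit is reached first."""
    seen = {}
    for i in range(limit):
        m = b"msg-%d" % i                 # constructed, deterministic message sequence
        h = truncated_sha1(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    return None

def birthday_bound(bits: int) -> float:
    """Expected number of hashes before the first collision of a `bits`-bit hash,
    sqrt(pi/2 * 2**bits): about 2**(bits/2), so 2**80 for SHA-1's 160 bits."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

def demo(bits: int = 24):
    m1, m2, trials = find_collision(bits)
    return {"m1": m1, "m2": m2, "trials": trials,
            "expected": round(birthday_bound(bits)),
            "ratio_to_preimage_work": trials / 2 ** bits}
```

On a 24 bit truncation the collision typically arrives after a few thousand hashes, versus the ~16 million a brute-force preimage search would need; the same square-root gap is what separates 2 ** 80 from 2 ** 160 for the full digest.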
Aside: SHA-1 “Broken”
Not clear that DSS is damaged by current SHA-1 “crack” (yet)
See: http://www.itl.nist.gov/fipspubs/fip186.htm
Privacy: Some Options
Don’t use computers
Never store or transmit private information
Active discovery and purging of sensitive data
– Difficult to do properly and thoroughly
Anti-forensics tools
Use volatile computing
Careful use of encryption for sensitive files
Steganography
Encrypted Filesystems
Steganographic Filesystems
Privacy: Why?
Possibility: You don’t want your personal information disclosed
Possibility: You don’t have any stored personal information
Agents that may want info to be disclosed:
– Court may order information to be turned over
• e.g., in pre-trial “discovery” phase, where parties examine evidence held by the other to discover the strength of the case for and against
• Failure to provide info in intelligible form may result in contempt of court (jail)
– Government agencies (e.g., FBI)
– Organized crime
Why?
– UK: Customs may scan laptops for illegal materials (example: pornography) without probable cause requirement
• Such searches might reveal private information which, while not illegal, an individual might want to remain private
– Soldiers might be captured and tortured into revealing cryptographic keys protecting a PDA
– …
Why?
Legal protection against forced disclosure of encryption keys is shaky at best, even when memorized
When violence is involved, even worse
Solution: Make it obvious that the material isn’t available at all
“I don’t own a computer”
“My computer doesn’t have a hard drive”
Plausible deniability
Privacy: Checklist
(Many from Computer Forensics and Privacy, Caloyannides)
Physically disable built-in microphone by inserting a cut-off plug into the external microphone jack
Use fresh hard drives. Avoid purchasing used drives unless you personally sanitize them before use
Don’t use the Windows recycle bin
Install a secure file deletion utility
Consider turning off browser history functions
Disable “cookies”
Ensure that messenger programs do not log chat sessions unless you absolutely need them to
– Modern versions of Messenger prompt when installed
Consider volatile computing for access to the Internet
Buy a lot of physical memory and disable virtual memory. This eliminates the swap file, which is a massive privacy hole
– Careful: Then vmware won’t work…
– CAREFUL ABOUT TURNING SWAPPING BACK ON!!!
Privacy: Checklist (2)
In XP, the ClearPageFileAtShutdown registry key can be set to force overwriting the swapfile on shutdown
Know the exact location of the temp directories used by your web browser and download utilities
– Subject these to secure deletion
Use steganographic tools to hide extremely sensitive documents within other ‘benign’ documents
– Example: jphide, jpseek
– (Different from stego filesystems)
Then, use steganographic detection tools to ensure that you haven’t embedded enough data to trigger statistical detection methods
– Example: stegdetect
Believe that system crashes during important operations are a disaster
– Check temp directories and securely eliminate temporary files
Privacy: Checklist (3)
If a sensitive computer must be repaired, remove the hard drive
Use strong encryption tools liberally
Protect backups and removable media in the same way that you protect the computer and its internal storage
Use a powerful digital forensics software package (such as FTK) to test the effectiveness of your privacy efforts
Anti-forensics Tools
Many privacy-enhancing, anti-forensics tools available
– Secure file deletion
– Registry cleaners
– Slack/free space scrubbing
Many have significant problems
For a good survey:
“Evaluating Commercial Counter-Forensic Tools” by Matthew Geiger (Carnegie Mellon University), 5th Annual Digital Forensic Research Workshop (DFRWS 2005), New Orleans, 2005.
Privacy: Volatile Computing
Idea: No use of non-volatile storage; turn off machine to destroy all volatile data
MS-DOS on floppies
– e.g., use “Lynx” web browser
Bootable CD Linux distributions
– F.I.R.E.
– Damn Small Linux (50MB)
– Knoppix
– Helix
Damn Small Linux
Steganographic Filesystems
Goal: plausible deniability
When an agent forces a person to reveal the key protecting a filesystem, reveal a key that exposes enough data that suspicion is averted
Other hidden data cannot be exposed
Want: impossible to even detect that other encrypted data is present, given the revelation of some hidden stuff
StegFS: Hack of ext2 Linux filesystem
Described in “StegFS: A Steganographic Filesystem for Linux” (McDonald et al)
StegFS: Basics
Steganographic in the sense that blocks of hidden files are scattered about a partition that also contains blocks of non-hidden files
Supports multiple security layers so that some “incriminating” evidence can be revealed
Has some advanced security features: deleting hidden (or non-hidden) files results in destruction of the file contents
Scenario:
– “Ah hah! You’ve installed StegFS! Reveal the filesystem contents to us!”
– “I installed StegFS because of the advanced security features, such as secure deletion of files. I only used one security level.”
– Investigator is satisfied?
StegFS: Some Details
Block allocation table in a typical filesystem contains one bit per block (block is used or not)
Block allocation table in StegFS contains a 128 bit entry per block
– Table is stored in a normal, non-hidden file
– Each entry encrypted with same key that protects the corresponding data block
– Table entries which are unused contain random data, so impossible to tell if particular blocks are in use
– Entry contains a 32bit checksum which can be used to see if the block contents were destroyed by a regular ext2 access
– Entry also contains the inode # for the corresponding hidden file
– Finally, magic numbers which indicate whether block contains inode data or is a data block
StegFS: Details (2)
Multiple, redundant blocks allocated for each block of a hidden file and for the inode to improve chances that data won’t be lost
Must always use checksum when reading a block of a hidden file
When a security level is “open”, no danger of destroying data blocks of files at that level
When closed, blocks of hidden files might be overwritten
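The replica-plus-checksum read described on the last two slides, as an added example that is not StegFS code: a toy in-memory partition models a closed security level whose hidden blocks get overwritten by ordinary file activity. Block size, replica count and the use of zlib.crc32 as the 32 bit checksum are assumptions for the demo; encryption of the blocks and of the table entries is left out.

```python
import zlib

BLOCK = 64   # constructed small block size for the demo

class ToyPartition:
    """Flat array of blocks standing in for the ext2 partition StegFS hides data in."""
    def __init__(self, nblocks: int):
        self.blocks = [bytes(BLOCK) for _ in range(nblocks)]

    def write(self, idx: int, data: bytes) -> None:
        self.blocks[idx] = data.ljust(BLOCK, b"\x00")[:BLOCK]

    def read(self, idx: int) -> bytes:
        return self.blocks[idx]

def checksum(data: bytes) -> int:
    """32 bit checksum stored in the block-table entry (crc32 assumed here)."""
    return zlib.crc32(data) & 0xFFFFFFFF

def store_hidden(part: ToyPartition, data: bytes, replicas: list):
    """Write one hidden block into every replica; return (checksum, replica list),
    the two things the table entry and the inode need to recover it later."""
    data = data.ljust(BLOCK, b"\x00")
    for idx in replicas:
        part.write(idx, data)
    return checksum(data), list(replicas)

def read_hidden(part: ToyPartition, csum: int, replicas: list):
    """Read a hidden block the way StegFS must: verify the checksum on each replica
    and return the first intact copy, or None if a regular write destroyed them all."""
    for idx in replicas:
        data = part.read(idx)
        if checksum(data) == csum:
            return data
    return None

def demo():
    part = ToyPartition(32)
    csum, reps = store_hidden(part, b"hidden-file-block-0 (constructed)", [5, 17, 29])
    # The level is closed, so ordinary ext2 activity is free to reuse blocks 5 and 17
    part.write(5, b"regular-file-data")
    part.write(17, b"more-regular-data")
    survived = read_hidden(part, csum, reps)     # replica 29 is still intact
    part.write(29, b"last-replica-gone")
    lost = read_hidden(part, csum, reps)         # every replica failed its checksum
    return survived, lost
```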
StegFS: Details (3)
inodes in StegFS look like regular Unix inodes, except they contain block numbers for all replicas of a file’s contents
No inode table
Instead, given a 32bit inode number, search block table for a matching inode
StegFS: Last Details
mkstegfs initializes block table
Block table also stores 15 encryption keys, one for each level
stegfsopen command opens a security level, prompts for passphrase
Once open, hidden files are revealed in /stegfs/1, /stegfs/2, etc.
Encrypted Filesystems
Differences between encrypted and steganographic
– No file loss in encrypted filesystems as in steganographic filesystems
– Potentially less performance penalty
– Plausible deniability is lost, but data is safe
– Some stigma attached, since law enforcement (or you, if you’re doing the investigation!) will almost certainly look more closely when encryption is detected
Encrypted Filesystems: Linux
Encryption via loopback device
– Available in modern kernels
EncFS
– http://freshmeat.net/projects/encfs/
– Actively being developed
CFS
– http://www.crypto.com/papers/cfs.pdf
– Aging, in need of rewrite, but you might see it in the field
TCFS
– http://www.tcfs.it/
– 2.2 kernel, not updated in some time (~2002?)
Encrypted Filesystems: Win
Windows
– Some commercial solutions + native support in Win2K/WinXP for encrypted directories
– Can encrypt individual directories and/or files
– If directory isn’t encrypted, then on modification file becomes unencrypted
– Administrator account is typically a backdoor, since Microsoft fears that otherwise users might permanently lose files (for Win2000)
– XP: Must designate a recovery agent, none by default, so more secure
END OF SLIDE SET # 2