CSCI 4623: Intro to Digital Forensics
Dept. of Computer Science, University of New Orleans
Slide Set # 2
Spring 2006, Prof. Golden G. Richard III
© 2004-6 by Golden G. Richard III

NTFS Alternate Data Streams

- Included only in NTFS, not present in FATx filesystems
- Originally included in NTFS to support Macintosh (resource fork) compatibility
- Scant legitimate use
- Can be used to hide malware, "secret" data, executables
- ADS syntax: FILENAME:STREAMNAME
- Can create ADSs attached to either files or directories
- Strange integration with command line tools and editors; e.g., TYPE can be used to create an ADS, but not to view its contents
- To create an ADS:
  – type textfile > visible.txt:hidden.txt
- To see the contents of the ADS (assuming you know about it!):
  – more < visible.txt:hidden.txt
- But...
  – type visible.txt:hidden.txt
  ...doesn't work. Neither dir nor Explorer lists streams on Win2K/XP (later Windows versions added dir /r and PowerShell's Get-Item -Stream * for this), so on these systems you need a dedicated tool such as LADS (below).

NTFS Alt Data Streams (2)

- Another "feature" of alternate data streams is that they are difficult to (reliably) delete
- Copying the file to a FAT drive and back loses the association...
- ...but forensics software analyzing the drive image will still find the ADS contents in unallocated space!
- Better to overwrite the ADS with more data than it currently holds, then delete the container file:
  – echo "blah blah blah blah blah blah blah" > VISIBLE.TXT:HIDDEN.TXT
- To (insecurely) remove an ADS without deleting the file, you can't use copy (it preserves streams between NTFS volumes)! Instead, rename, cat, and delete:
  – cat visible.txt > BACKUP
  – del visible.txt
  – rename BACKUP visible.txt
  Redirecting through a stream-unaware tool writes only the unnamed data stream, so the new file has no ADS; the old stream's clusters remain in unallocated space until reused.

NTFS Alt Data Streams (3)

- Need to do something else to remove ADSs attached to directories!
  – notepad DIRECTORY:hidden.txt
  – Delete all characters in the ADS and save
- Gotcha: you're left with an empty ADS, at least on Win2K/XP

NTFS Alt Data Streams (4)

- See http://www.heysoft.de/ for lots of interesting info on ADSs
- The freeware LADS (List Alternate Data Streams) tool can be found at that website...
- Unfortunately, no source code is available
- LADS in action on the next slide
- You may have more ADSs than you think!

LADS Screenshot

[Screenshot: LADS output listing alternate data streams; not reproduced in the transcript]

Windows Swap Files

- Supports the Windows virtual memory system
- Contains swapped-out pages belonging to executing processes
- NT, Win2000, XP
  – Generally c:\pagefile.sys
  – Hidden file
- 95/98
  – c:\windows\win386.swp
  – Hidden file

Windows Swap File: Overview

- Potentially contains a lot of junk
- File carving or keyword searches against the raw disk will yield a superset of the information in the swap file (obviously)
- May be useful to target the swap file directly, particularly on large drives
- Careful! Keyword matches against the swap file DO NOT necessarily mean that the corresponding strings were in pages swapped out during the last boot:
  – When the swap file is created, the "underlying" blocks aren't cleaned
  – As the swap file is reused, blocks aren't cleaned
  – The swap file can create a "jail", where e.g. deleted file data from the browser cache ends up "trapped" in the set of blocks allocated to the swap file
  – Blocks may not be overwritten even during months of use!

Swap File Snippets

[Figure: a JPEG carved out of an XP swap file, corresponding to an Adobe file that was open during the last boot of the target machine]

Swap File Snippets (2)

[Figure: a deleted file from the IE cache, "jailed" by creation of the swap file. This file was created and deleted before the swap file was even ENABLED on the target machine, and is months old!]

Hibernation Files

- Memory image of an XP box, written (to c:\hiberfil.sys) when the machine is hibernated rather than powered off
- Allows fast restart
- The hibernation file is locked while the OS is running
- Approximately the size of physical RAM (e.g., 2GB RAM == ~2GB hibernation file)
- Potentially much more interesting than the swap file, since it allows the last "on" state of the machine to be recreated
- Can search the hibernation file for interesting strings, including URLs, passwords, etc.
- The first block (the header) of the file is zero-filled after a resume, so you get one chance to "boot" the machine from it again, unless you have a backup of the hibernation file
- The remainder of the hibernation file remains unchanged until another hibernation event occurs...
- ...which means you may be able to recover interesting information that is quite old
- Caveat: XP stores most page contents in the hibernation file in compressed form, so a raw string search only finds what survives as literal runs; decompressing the file first recovers considerably more

Hibernation File: Challenges

- Huge amount of fairly unstructured data
- FTK has no native support for the hibernation file, but can treat the file as one big binary blob and search / carve it
- e.g., email addresses; a start:
  – [a-z][0-9a-z][0-9a-z][0-9a-z]+@[a-z][0-9a-z][0-9a-z]+
- e.g., phone numbers
- e.g., SSNs
- e.g., IP addresses
- e.g., credit card numbers
- Trick for textual searches: pipe the file through strings before using grep/egrep, and run strings a second time in 16-bit little-endian mode (GNU strings -e l), since much Windows in-memory text is UTF-16
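The strings-then-grep sweep described above, as an added example in Python that is not part of the original slides: it carves printable ASCII and UTF-16LE runs from a binary blob (a stand-in for a hibernation or swap file), then applies patterns for the slide's categories. The sample bytes are constructed, and the regular expressions and the Luhn filter on candidate card numbers are this example's own starting points rather than a validated set; tune them per case.

```python
import re

# Carve printable runs in both encodings Windows memory uses (what GNU
# strings finds by default and with -e l, respectively).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Starting-point patterns for the slide's categories (assumptions; tune per case).
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}


def carve_strings(blob: bytes):
    """Yield (offset, encoding, text) for every printable run of 4+ characters."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops most numeric runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def sweep(blob: bytes):
    """Return (offset, encoding, kind, value) hits for all patterns over all carved strings."""
    hits = []
    for offset, enc, text in carve_strings(blob):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(text):
                value = m.group()
                if kind == "card":
                    value = re.sub(r"\D", "", value)
                    if not luhn_ok(value):
                        continue
                hits.append((offset, enc, kind, value))
    return hits


# Constructed stand-in for a slice of hibernation-file content: 8-bit text,
# a UTF-16LE URL, and a run of number-like tokens (one card number is bogus).
SAMPLE = (
    b"\x00\x05garbage\xff\xfe"
    + b"From: alice@example.org  To: bob.smith@mail.example.com\x00\x00"
    + "http://10.0.0.17/index.html".encode("utf-16-le")
    + b"\x00\x00SSN 078-05-1120 card 4111 1111 1111 1111 "
    + b"phone (504) 280-1234 bad 1234 5678 9012 3456"
)

if __name__ == "__main__":
    for offset, enc, kind, value in sweep(SAMPLE):
        print(f"{offset:#010x} {enc:8} {kind:5} {value}")
```

The UTF-16 pass matters: the URL in the sample is invisible to the plain ASCII run carver, exactly as it would be to a default `strings | grep`.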

Windows Print Spool Files

- *.spl and *.shd files
- The .shd (shadow) file contains information about the print job: document name, owner, printer, etc.
- The .spl (spool) file contains the data needed to render the printed document (EMF records on the NT family, hence the viewer below)
- Presence of .shd files can be used in a similar fashion as shortcut files...
- ...shows knowledge of the existence of files and a deliberate attempt to access (print) their contents
- Format is proprietary, but has been reverse engineered
- EMFSpoolViewer to view .SPL files
- See: http://www.codeproject.com/dotnet/EMFSpoolViewer.asp

Application Metadata

- Microsoft Office maintains a lot of metadata tracking revision history, authors, etc. for Word documents
- Demo: Tony Blair document in FTK
- Demo: apology-NOFASTSAVES.doc
- Demo: apology-FASTSAVES.doc
- Demo: Tolstoy (email leak)
- Commercial tools for recovery of metadata:
  – Forager (no personal experience)
  – Trace! by Workshare
    • Misses the very "interesting" data illustrated in the Fast Saves allowed demo!

Application Metadata (2)

- See: "Information Leakage Caused by Hidden Data in Published Documents", Byers, S.; IEEE Security & Privacy Magazine, vol 2, no 2, Mar-Apr 2004, pp. 23-27.
- The problem is widespread
- Microsoft now offers a tool for scrubbing metadata from Office 2003 documents
- Still lots of danger for older Office documents
- One final tidbit (and annoyance): open a PowerPoint file, ** don't ** save it, and it gets modified anyway!
  – Reason: "last opened by"
  – Illustrates that investigation using "live" file access under Windows is generally forensically unsound

Targeting Evidence: RegExes

[Screenshot: examples of the built-in regular expressions in FTK 1.50]

Cookies

- Provide "safe" (cough) persistent storage on clients for web servers
- Netscape details at http://wp.netscape.com/newsref/std/cookie_spec.html
- Also see the RFC, but it doesn't cover storage, which is what we're primarily interested in
- A server deposits a cookie into a client and can request the cookie back when the client revisits the web site
- Only the server that deposited the cookie can read it: the domain must match
- Provides context for the server
  – user ID, previous item being viewed, etc.
- From a digital forensics point of view, we are concerned with what information stored cookies can provide

Aside: Cookies: Safe?

- Many exploits, many targeting only specific versions of specific browsers
- These from a cookies presentation at http://cis.tamu.edu/security/microsoft/:
- Older Netscape:
  – Cookie operations in JavaScript then use the specified src as the domain!
- IE:
  – A site could direct the user's browser to:
    http://www.verybadhacker.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com
  – Replacing "%2f" with "/" characters and "%3F" with "?" yields the actual URL:
    http://www.verybadhacker.org/security/iecookies/showcookie.html?.amazon.com
  – But IE's parsing is broken and IE believes amazon.com is the domain, so the attacker's page is handed amazon.com's cookies

Cookies (2)

- During an examination, need to look for cookies in several places
- Each browser dumps cookies into a different place
- IE:
  – Stored in individual text files
  – For a first try, look for the per-user "Cookies" directory (C:\Documents and Settings\<user>\Cookies on XP); the neighbouring "Temporary Internet Files" directory holds the page cache
- Netscape/Mozilla:
  – "cookies.txt" stores all cookies for all domains
  – Typical location under XP is in a subdir off "Application Data" in the user's Documents and Settings profile, e.g.:
    • C:\Documents and Settings\Golden\Application Data\Mozilla\Profiles\GOLDEN\92k4olbc.slt

IE Cookies

[Screenshot: the Cookies folder as shown by Explorer. This is just the view from Explorer; there are no details on the values stored in a cookie until you look inside]

IE Cookie Format

IE names cookie files <user>@<domain>[n].txt; e.g., this user's zdnet.co.uk[2].txt contains:

UID            // name of variable == UID
184698238      // value
zdnet.co.uk/   // domain and path
1536           // flags (all domains / HTTP only / encoding)
4142023168     // expiration date/time, low 32 bits of a FILETIME
29714317       // expiration date/time, high 32 bits
2060511968     // creation date/time, low 32 bits of a FILETIME
29640892       // creation date/time, high 32 bits
*              // record terminator; the next record follows

Each pair of decimal values is the low and high half of a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC); the values above decode to a cookie created on 2 June 2004 and expiring on 2 June 2005. Use a tool, e.g. Cookie Editor, to parse.

IE Cookie Format (2)

[Screenshot not reproduced in the transcript]

Mozilla Cookie File (partial)

Fields are tab-separated in the file:

...
www.fedex.com     FALSE  /  FALSE  1577836800  CP           null*
www.avsforum.com  FALSE  /  FALSE  1121101244  bblastvisit  1089565242
www.avsforum.com  FALSE  /  FALSE  1121363172  bbuserid     7460210
...

Netscape/Mozilla Cookie Format

One line per cookie, seven tab-separated fields:

- domain - the domain that created AND that can read the variable
- flag - a TRUE/FALSE value indicating whether all machines within the given domain can access the variable
- path - the path within the domain that the variable is valid for
- secure - a TRUE/FALSE value indicating whether a secure connection with the domain is needed to access the variable
- expiration - the UNIX time at which the variable expires. UNIX time is defined as the number of seconds since Jan 1, 1970 00:00:00 GMT
- name - the name of the variable
- value - the value of the variable
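Added example (Python, not part of the slides): parsers for the two on-disk formats just described, IE's per-file text records (slide "IE Cookie Format") and the Netscape/Mozilla cookies.txt line format, normalising both timestamp encodings to UTC. The sample records carry the values shown on the slides with tabs restored; the `#HttpOnly_` handling follows a later cookies.txt convention and is this example's addition.

```python
from datetime import datetime, timedelta, timezone

# 100 ns ticks between the FILETIME epoch (1601-01-01) and the UNIX epoch.
FILETIME_UNIX_DELTA = 116444736000000000
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(low: int, high: int) -> datetime:
    """IE stores a 64-bit FILETIME as two decimal 32-bit halves, low half first."""
    ticks = (high << 32) | low
    return UNIX_EPOCH + timedelta(microseconds=(ticks - FILETIME_UNIX_DELTA) // 10)


def parse_ie_cookie_file(text: str):
    """One IE cookie file holds consecutive 9-line records: name, value, host/path,
    flags, expiry low, expiry high, creation low, creation high, '*' terminator."""
    lines = text.splitlines()
    records = []
    while len(lines) >= 9:
        rec, lines = lines[:9], lines[9:]
        if rec[8].strip() != "*":
            raise ValueError("missing '*' terminator: damaged or not an IE cookie file")
        records.append({
            "name": rec[0],
            "value": rec[1],
            "host_path": rec[2],
            "flags": int(rec[3]),
            "expires": filetime_to_utc(int(rec[4]), int(rec[5])),
            "created": filetime_to_utc(int(rec[6]), int(rec[7])),
        })
    return records


def parse_netscape_cookies(text: str):
    """cookies.txt: one cookie per line, seven tab-separated fields, expiry in
    UNIX seconds; '#' lines are comments."""
    records = []
    for line in text.splitlines():
        # Later convention (curl/Firefox exports): a real cookie, not a comment.
        http_only = line.startswith("#HttpOnly_")
        if http_only:
            line = line[len("#HttpOnly_"):]
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # carved or partial line: report separately rather than guess
        domain, flag, path, secure, expires, name, value = fields
        records.append({
            "domain": domain,
            "domain_wide": flag == "TRUE",
            "path": path,
            "secure": secure == "TRUE",
            "http_only": http_only,
            "expires": datetime.fromtimestamp(int(expires), tz=timezone.utc),
            "name": name,
            "value": value,
        })
    return records


# Sample records built from the values shown on the slides.
IE_SAMPLE = "\n".join(["UID", "184698238", "zdnet.co.uk/", "1536",
                       "4142023168", "29714317", "2060511968", "29640892", "*", ""])
NETSCAPE_SAMPLE = "\n".join([
    "# Netscape HTTP Cookie File",
    "www.fedex.com\tFALSE\t/\tFALSE\t1577836800\tCP\tnull*",
    "www.avsforum.com\tFALSE\t/\tFALSE\t1121101244\tbblastvisit\t1089565242",
    "www.avsforum.com\tFALSE\t/\tFALSE\t1121363172\tbbuserid\t7460210",
])

if __name__ == "__main__":
    for c in parse_ie_cookie_file(IE_SAMPLE):
        print("IE", c["host_path"], c["name"], "created", c["created"], "expires", c["expires"])
    for c in parse_netscape_cookies(NETSCAPE_SAMPLE):
        print("NS", c["domain"], c["name"], "expires", c["expires"])
```

Cookie values are worth the same treatment: avsforum's bblastvisit value 1089565242 is itself a UNIX time (July 2004), i.e. the site's own record of the previous visit.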

Netscape/Mozilla Date Format

- Stored as the number of seconds since 1/1/1970 GMT
- Easy to convert to a human-friendly date/time:

#include <stdio.h>
#include <stdlib.h>
#include <time.h>

int main(int argc, char *argv[]) {
    long long secs;   /* read into a wide integer, not straight into time_t */
    time_t t;

    printf("Enter # of seconds since\n");
    printf("00:00:00 GMT, January 1, 1970: ");
    if (scanf("%lld", &secs) != 1) {
        fprintf(stderr, "not a number\n");
        return 1;
    }
    t = (time_t) secs;
    /* ctime() renders in the analysis box's local timezone; set TZ to the
       target's zone (or use gmtime()/asctime()) so the output isn't shifted */
    printf("DATE/TIME: %s", ctime(&t));
    return 0;
}

Aside: IE: index.dat files

- IE maintains browsing history in "index.dat" files
- Obscure binary format, but it has been parsed
- See: http://www.cqure.net/tools.jsp?id=13, IEHist tool by Alexander Geschonneck
- Typical output (record type | visit time | URL):

URL|2005/2/22 19:39:46|http://computer-forensik.org/images/cf_header_r4_c4.gif
URL|2005/2/22 19:39:47|http://computer-forensik.org/images/cf_header_r4_c6.gif
URL|2005/2/22 19:39:47|http://computer-forensik.org/images/cf_header_r4_c8.gif
URL|2005/2/22 19:39:47|http://www.hisolutions.com/images_extern/banner_hisolutions.gif
URL|2005/2/22 19:39:47|http://computer-forensik.org/images/cf_header_r5_c2.gif
URL|2005/2/22 19:39:47|http://computer-forensik.org/images/cover_computer-forensik.jpg
URL|2005/2/22 19:39:47|http://computer-forensik.org/images/cf_header_r2_c4_f3.gif
URL|2005/2/22 19:39:47|http://computer-forensik.org/images/cf_header_r2_c4_f2.gif
URL|2005/2/22 19:39:47|http://computer-forensik.org/images/cf_header_r2_c6_f2.gif
URL|2005/2/22 19:39:47|http://computer-forensik.org/images/cf_header_r2_c6_f3.gif
URL|2005/2/22 19:39:48|http://computer-forensik.org/images/cf_header_r2_c8_f3.gif
URL|2005/2/22 19:39:48|http://computer-forensik.org/images/cf_header_r2_c8_f2.gif
URL|2005/2/22 19:39:48|http://computer-forensik.org/images/cf_header_r3_c2_f3.gif
URL|2005/2/22 19:39:48|http://computer-forensik.org/images/cf_header_r3_c2_f2.gif
URL|2005/2/22 19:39:55|http://www.geschonneck.com/security/images/security_audit.gif

Investigating Email

- Web-based mail
  – Hotmail
  – Yahoo
  – Google (gmail)
  – ...others...
- Traditional POP or IMAP-based email
- Outlook
  – structured .PST file, not plain text
- Unix mail storage is generally plain text (mbox)
  – Messages are concatenated into one file (per email folder), complete with headers
  – Investigation is straightforward

Web-based Email

- Generally, complete web pages are easier to retrieve
- Retrieve undeleted and deleted HTML pages from the browser cache
- NOT only .htm / .html files!
- The Firefox cache doesn't use extensions
- Also, CACHE files may contain embedded bits!
- Carve the disk image for … blocks
- Much harder if only fragments are available

Hotmail (e.g., "getmsg[1].htm" file in browser cache)

[Screenshot not reproduced in the transcript]

Hotmail (e.g., "HoTMaiL[1].htm" file in browser cache)

[Screenshot not reproduced in the transcript]

Viewing Complete Web-based Emails

- Basically, an offline HTML viewing problem
- Generally, do NOT want to resolve external links!
- In general, the investigation should be performed on a machine w/o an Internet connection
- lynx -localhost -dump is useful for simple stuff
- Don't trust lynx on complicated, multi-frame stuff in "-dump" mode
- FTK does a good job
- Firefox does a great job, but use "Work Offline"!!
  – Can be activated from the command line

Web Email Fragments

- Much more problematic
- "strings" can help
- For Hotmail: want context around "cgi-bin/hotmail"
- For Yahoo:
  – want context around "ym/ShowLetter"
  – want context around "ym/Compose"
  – Yahoo email bodies are sealed in … pairs
  – Retrievable even if the top of the message has been wiped out (e.g., the … portion)
  – grep -A <lines> -B <lines> "/ym/ShowLetter"
- Worst case: devolves into looking for readable strings in "strings" output

Outlook

- Investigation without tools will get you nowhere...
- First step is to find the Outlook file
- All folders (Inbox, Drafts, etc.) are typically stored in a single file
- On XP, in a directory off Documents and Settings:
  – e.g., C:\Documents and Settings\Golden\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst

Outlook Investigation: Freeware

- libpst is a good start for investigation of Outlook email w/o a budget
- It's also a good basis for developing other Outlook-hacking software...
- Designed to convert Outlook mailboxes to plaintext (mbox) format
- Improving rapidly: will show you progress from 0.3.4 to 0.5.1
- Commercial software is substantially better
  – FTK
  – EnCase
  – Paraben Email Examiner

0.3.4

./readpst -o recovered …Outlook.pst
ls -l recovered

-rw-r--r-- 1 root root 3151 Feb 22 17:43 Calendar
-rw-r--r-- 1 root root 2732 Feb 22 17:43 Contacts
-rw-r--r-- 1 root root 27 Feb 22 17:43 Deleted Items
-rw-r--r-- 1 root root 4533 Feb 22 17:43 Drafts
-rw-r--r-- 1 root root 0 Feb 22 17:43 Handheld Synchronization
-rw-r--r-- 1 root root 0 Feb 22 17:43 Notes
-rw-r--r-- 1 root root 0 Feb 22 17:43 Personal Folders
-rw-r--r-- 1 root root 0 Feb 22 17:43 Tasks
-rw-r--r-- 1 root root 0 Feb 22 17:43 ZoneAlarm Junk Mail

0.5.1: More Folders Recognized

./readpst -o recovered …Outlook.pst
ls -l recovered

-rw-r--r-- 1 root root 26603 Feb 22 17:59 Calendar
-rw-r--r-- 1 root root 21601 Feb 22 17:59 Contacts
-rw-r--r-- 1 root root 215 Feb 22 17:59 Deleted Items
-rw-r--r-- 1 root root 4553 Feb 22 17:59 Drafts
-rw-r--r-- 1 root root 0 Feb 22 17:59 Handheld Synchronization
-rw-r--r-- 1 root root 0 Feb 22 17:59 Inbox
-rw-r--r-- 1 root root 0 Feb 22 17:59 Journal
-rw-r--r-- 1 root root 0 Feb 22 17:59 Junk E-mail
-rw-r--r-- 1 root root 0 Feb 22 17:59 Norton AntiSpam Folder
-rw-r--r-- 1 root root 0 Feb 22 17:59 Notes
-rw-r--r-- 1 root root 0 Feb 22 17:59 Outbox
-rw-r--r-- 1 root root 0 Feb 22 17:59 Personal Folders
-rw-r--r-- 1 root root 0 Feb 22 17:59 Sent Items
-rw-r--r-- 1 root root 0 Feb 22 17:59 Tasks
-rw-r--r-- 1 root root 0 Feb 22 17:59 ZoneAlarm Challenged Mail
-rw-r--r-- 1 root root 0 Feb 22 17:59 ZoneAlarm Fraudulent Mail
-rw-r--r-- 1 root root 0 Feb 22 17:59 ZoneAlarm Junk Mail

0.3.4: Contacts

Joshua and Elise Aasgaard
Frank Adelstein
Alex
Andy Anderson
Mowgli Assor
Sue Barkowski
...

0.5.1: Contacts

BEGIN:VCARD
FN:Aasgaard\, Joshua and Elise
N:Aasgaard;Joshua;and Elise;;
ADR;TYPE=home:;;NO\, LA 70122;NO;LA;70122;
LABEL;TYPE=home:NO\, LA 70122
TEL;TYPE=cell,voice:(504) 957-XXXX
VERSION: 3.0
END:VCARD

BEGIN:VCARD
FN:Adelstein\, Frank
N:Adelstein;Frank;;;
EMAIL:[address elided]
ADR;TYPE=home:;;XXX Graham Rd. #XXX;Ithaca;NY;14850;United States of America
LABEL;TYPE=home:XXX Graham Rd. #XXX,\Ithaca\, NY 14850
TEL;TYPE=work,fax:(607) 257-XXXX
TEL;TYPE=work,voice:(800) 672-XXXX
TEL;TYPE=home,voice:(607) 266-XXXX
VERSION: 3.0
END:VCARD

...

0.3.4: Drafts folder

From "(null)" Fri Dec 28 12:06:21 2001
From: "(null)"
Subject: This is an email message
To: [address elided]
Content-type: multipart/alternate;
        boundary="--boundary-LibPST-iamunique-1109115805_-_-"

----boundary-LibPST-iamunique-1109115805_-_-
Content-type: text/plain

This is the body of an email message.

If I loved Sally, this is where I would profess that love.

Love (not),

--Golden
...

WRONG! (the sender comes out as "(null)", and "multipart/alternate" is not a registered MIME type; the subtype is "alternative")

0.5.1: Drafts folder

From "(readpst_null)" Fri Dec 28 12:06:21 2001
From: "(null)"
Subject: This is an email message
To: [address elided]
MIME-Version: 1.0
Content-type: multipart/alternate;
        boundary="--boundary-LibPST-iamunique-1804289383_-_-"

----boundary-LibPST-iamunique-1804289383_-_-
Content-type: text/plain

This is the body of an email message.

If I loved Sally, this is where I would profess that love.

Love (not),

--Golden
...

WRONG! (still "(null)" for the sender and still "multipart/alternate"; only the mbox "From " line and the MIME-Version header changed)

Aside: Default Outlook "Encryption"

- The default "encryption" level (Outlook's "compressible encryption") is a simple substitution cipher: every byte is replaced through one fixed 256-entry table, so there is no key, and the table below undoes it

// from libpst: translation table for Outlook medium-level encryption
unsigned char comp_enc [] = {
  0x47, 0xf1, 0xb4, 0xe6, 0x0b, 0x6a, 0x72, 0x48,
  0x85, 0x4e, 0x9e, 0xeb, 0xe2, 0xf8, 0x94, 0x53, /*0x0f*/
  0xe0, 0xbb, 0xa0, 0x02, 0xe8, 0x5a, 0x09, 0xab,
  0xdb, 0xe3, 0xba, 0xc6, 0x7c, 0xc3, 0x10, 0xdd, /*0x1f*/
  0x39, 0x05, 0x96, 0x30, 0xf5, 0x37, 0x60, 0x82,
  0x8c, 0xc9, 0x13, 0x4a, 0x6b, 0x1d, 0xf3, 0xfb, /*0x2f*/
  0x8f, 0x26, 0x97, 0xca, 0x91, 0x17, 0x01, 0xc4,
  0x32, 0x2d, 0x6e, 0x31, 0x95, 0xff, 0xd9, 0x23, /*0x3f*/
  0xd1, 0x00, 0x5e, 0x79, 0xdc, 0x44, 0x3b, 0x1a,
  0x28, 0xc5, 0x61, 0x57, 0x20, 0x90, 0x3d, 0x83, /*0x4f*/
  0xb9, 0x43, 0xbe, 0x67, 0xd2, 0x46, 0x42, 0x76,
  0xc0, 0x6d, 0x5b, 0x7e, 0xb2, 0x0f, 0x16, 0x29, /*0x5f*/
  0x3c, 0xa9, 0x03, 0x54, 0x0d, 0xda, 0x5d, 0xdf,
  0xf6, 0xb7, 0xc7, 0x62, 0xcd, 0x8d, 0x06, 0xd3, /*0x6f*/
  0x69, 0x5c, 0x86, 0xd6, 0x14, 0xf7, 0xa5, 0x66,
  0x75, 0xac, 0xb1, 0xe9, 0x45, 0x21, 0x70, 0x0c, /*0x7f*/
  0x87, 0x9f, 0x74, 0xa4, 0x22, 0x4c, 0x6f, 0xbf,
  0x1f, 0x56, 0xaa, 0x2e, 0xb3, 0x78, 0x33, 0x50, /*0x8f*/
  0xb0, 0xa3, 0x92, 0xbc, 0xcf, 0x19, 0x1c, 0xa7,
  0x63, 0xcb, 0x1e, 0x4d, 0x3e, 0x4b, 0x1b, 0x9b, /*0x9f*/
  0x4f, 0xe7, 0xf0, 0xee, 0xad, 0x3a, 0xb5, 0x59,
  0x04, 0xea, 0x40, 0x55, 0x25, 0x51, 0xe5, 0x7a, /*0xaf*/
  0x89, 0x38, 0x68, 0x52, 0x7b, 0xfc, 0x27, 0xae,
  0xd7, 0xbd, 0xfa, 0x07, 0xf4, 0xcc, 0x8e, 0x5f, /*0xbf*/
  0xef, 0x35, 0x9c, 0x84, 0x2b, 0x15, 0xd5, 0x77,
  0x34, 0x49, 0xb6, 0x12, 0x0a, 0x7f, 0x71, 0x88, /*0xcf*/
  0xfd, 0x9d, 0x18, 0x41, 0x7d, 0x93, 0xd8, 0x58,
  0x2c, 0xce, 0xfe, 0x24, 0xaf, 0xde, 0xb8, 0x36, /*0xdf*/
  0xc8, 0xa1, 0x80, 0xa6, 0x99, 0x98, 0xa8, 0x2f,
  0x0e, 0x81, 0x65, 0x73, 0xe4, 0xc2, 0xa2, 0x8a, /*0xef*/
  0xd4, 0xe1, 0x11, 0xd0, 0x08, 0x8b, 0x2a, 0xf2,
  0xed, 0x9a, 0x64, 0x3f, 0xc1, 0x6c, 0xf9, 0xec  /*0xff*/
};

- Compare "outlook.pst" and "outlook.out" (processed by troutlook)
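Added example (Python; not code from the slides or from libpst): because the default "compressible encryption" is a fixed byte permutation, a PST block can be unscrambled with one table lookup per byte. COMP_ENC is the libpst table reproduced from the slide above (it maps a stored byte to its plaintext byte); the inverse table, the permutation check, the printable-ratio heuristic and the sample message are this example's own.

```python
# libpst's comp_enc as shown on the slide: stored byte -> plaintext byte.
COMP_ENC = bytes([
    0x47, 0xf1, 0xb4, 0xe6, 0x0b, 0x6a, 0x72, 0x48, 0x85, 0x4e, 0x9e, 0xeb, 0xe2, 0xf8, 0x94, 0x53,
    0xe0, 0xbb, 0xa0, 0x02, 0xe8, 0x5a, 0x09, 0xab, 0xdb, 0xe3, 0xba, 0xc6, 0x7c, 0xc3, 0x10, 0xdd,
    0x39, 0x05, 0x96, 0x30, 0xf5, 0x37, 0x60, 0x82, 0x8c, 0xc9, 0x13, 0x4a, 0x6b, 0x1d, 0xf3, 0xfb,
    0x8f, 0x26, 0x97, 0xca, 0x91, 0x17, 0x01, 0xc4, 0x32, 0x2d, 0x6e, 0x31, 0x95, 0xff, 0xd9, 0x23,
    0xd1, 0x00, 0x5e, 0x79, 0xdc, 0x44, 0x3b, 0x1a, 0x28, 0xc5, 0x61, 0x57, 0x20, 0x90, 0x3d, 0x83,
    0xb9, 0x43, 0xbe, 0x67, 0xd2, 0x46, 0x42, 0x76, 0xc0, 0x6d, 0x5b, 0x7e, 0xb2, 0x0f, 0x16, 0x29,
    0x3c, 0xa9, 0x03, 0x54, 0x0d, 0xda, 0x5d, 0xdf, 0xf6, 0xb7, 0xc7, 0x62, 0xcd, 0x8d, 0x06, 0xd3,
    0x69, 0x5c, 0x86, 0xd6, 0x14, 0xf7, 0xa5, 0x66, 0x75, 0xac, 0xb1, 0xe9, 0x45, 0x21, 0x70, 0x0c,
    0x87, 0x9f, 0x74, 0xa4, 0x22, 0x4c, 0x6f, 0xbf, 0x1f, 0x56, 0xaa, 0x2e, 0xb3, 0x78, 0x33, 0x50,
    0xb0, 0xa3, 0x92, 0xbc, 0xcf, 0x19, 0x1c, 0xa7, 0x63, 0xcb, 0x1e, 0x4d, 0x3e, 0x4b, 0x1b, 0x9b,
    0x4f, 0xe7, 0xf0, 0xee, 0xad, 0x3a, 0xb5, 0x59, 0x04, 0xea, 0x40, 0x55, 0x25, 0x51, 0xe5, 0x7a,
    0x89, 0x38, 0x68, 0x52, 0x7b, 0xfc, 0x27, 0xae, 0xd7, 0xbd, 0xfa, 0x07, 0xf4, 0xcc, 0x8e, 0x5f,
    0xef, 0x35, 0x9c, 0x84, 0x2b, 0x15, 0xd5, 0x77, 0x34, 0x49, 0xb6, 0x12, 0x0a, 0x7f, 0x71, 0x88,
    0xfd, 0x9d, 0x18, 0x41, 0x7d, 0x93, 0xd8, 0x58, 0x2c, 0xce, 0xfe, 0x24, 0xaf, 0xde, 0xb8, 0x36,
    0xc8, 0xa1, 0x80, 0xa6, 0x99, 0x98, 0xa8, 0x2f, 0x0e, 0x81, 0x65, 0x73, 0xe4, 0xc2, 0xa2, 0x8a,
    0xd4, 0xe1, 0x11, 0xd0, 0x08, 0x8b, 0x2a, 0xf2, 0xed, 0x9a, 0x64, 0x3f, 0xc1, 0x6c, 0xf9, 0xec,
])


def is_permutation(table: bytes) -> bool:
    """A substitution table is only invertible if every byte value occurs exactly once."""
    return len(table) == 256 and sorted(table) == list(range(256))


def invert(table: bytes) -> bytes:
    inv = bytearray(256)
    for stored, plain in enumerate(table):
        inv[plain] = stored
    return bytes(inv)


ENC_TABLE = invert(COMP_ENC)  # plaintext byte -> stored byte


def decrypt(data: bytes) -> bytes:
    """What readpst does to a block stored with compressible encryption."""
    return data.translate(COMP_ENC)


def encrypt(data: bytes) -> bytes:
    return data.translate(ENC_TABLE)


def printable_ratio(data: bytes) -> float:
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data) if data else 0.0


def looks_scrambled(data: bytes, threshold: float = 0.9) -> bool:
    """Heuristic for a text-bearing block: a block that only becomes readable
    after the table is applied was stored with this 'encryption'."""
    return printable_ratio(decrypt(data)) >= threshold > printable_ratio(data)


# Constructed message fragment standing in for a PST data block.
PLAIN = b"Subject: This is an email message\r\nTo: someone@example.org\r\n"
STORED = encrypt(PLAIN)

if __name__ == "__main__":
    print("table is a permutation:", is_permutation(COMP_ENC))
    print("stored bytes:", STORED.hex())
    print("recovered:", decrypt(STORED).decode())
```

Because it is a permutation with no key, the only thing "compressible encryption" protects against is a casual strings search; the heuristic above is enough to tell scrambled blocks from plain ones before handing them to readpst-style decoding.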

"Problematic": Outlook Web Client

- Artifacts?
- A quick look didn't reveal much info in the browser cache other than the images that populate the interface
- Email content may not be cached at all on the client side

Windows Events

- NT/Win2K/XP eventing mechanisms are similar to syslog in Unix
- System, security, and application events capture "interesting" system states
- Administrative Tools > Event Viewer runs the standard Windows tool for examining event logs
- Commercial/open source tools for examining event logs
  – Free: psloglist, from pstools
  – Can extract the event logs (*.evt) from a (dead) target, then examine them using the "-l" switch
  – e.g., psloglist -l golden.evt
  – http://www.sysinternals.com/ntw2k/freeware/psloglist.shtml
  – Caveat: the header of an .evt taken from a running or unclean system is often stale (record counts are written back only on a clean close), which trips some parsers; keep that in mind if a copied log refuses to open

Interesting System Events (XP)

[Screenshots: dial-up connection established, username is shown; IP address assigned]

Interesting System Events (XP) [2]

[Screenshots: time synchronization failed; time synchronization succeeded]

Interesting System Events (XP) [3]

[Screenshot: DNS failure on attempted time synchronization]

Interesting App Events (XP)

[Screenshot: virus scanning module crashed]

Interesting App Events (XP) [2]

[Screenshot: Mozilla hang]

- These types of events are interesting because they establish that software packages are installed and can sometimes provide time/date evidence

Unix Logging

- Under Unix, lots of logging is done in /var/log or equivalent (e.g., /var/adm, /var/adm/log, ...)
- Linux, in particular:
  – dmesg: kernel/console messages for the last boot
  – maillog: email sends, receives, checks, etc.
  – messages: all logins, DHCP events, general stuff like loggers and devices being started/restarted...
  – wtmp: detailed information about logins/logouts (binary; read with last)
  – btmp: failed login attempts (binary; read with lastb)
  – secure: connects to the machine, denied connection attempts
  – Additionally, web server logs

messages snip

Sep 10 06:41:16 memphis login[5565]: LOGIN ON ttyp0 BY golden FROM boudin
Sep 10 06:41:16 memphis PAM_pwdb[5565]: (login) session closed for user golden
Sep 10 06:41:34 memphis PAM_pwdb[5577]: (su) session opened for user root by golden(uid=0)
Sep 10 06:50:39 memphis PAM_pwdb[5577]: (su) session closed for user root
Sep 10 06:51:12 memphis PAM_pwdb[5625]: (su) session opened for user root by golden(uid=0)
Sep 10 07:15:04 memphis dhcpd: DHCPREQUEST for 10.0.0.17 from 00:60:1d:f1:12:7f via eth0
Sep 10 07:15:04 memphis dhcpd: DHCPACK on 10.0.0.17 to 00:60:1d:f1:12:7f via eth0

secure snip (the "refused connect" lines are tcp_wrappers denials)

Oct 28 07:43:52 memphis in.telnetd[10512]: refused connect from bbig041116.netvigator.com
Oct 28 09:30:10 memphis in.telnetd[10581]: refused connect from AC83B731.ipt.aol.com
Oct 28 13:33:10 memphis in.telnetd[10718]: refused connect from ACA1647D.ipt.aol.com
Oct 28 14:57:35 memphis in.telnetd[10753]: refused connect from fsck.org
Oct 29 09:42:58 memphis in.ftpd[11762]: refused connect from ci59092-a.nash1.tn.home.com
Oct 29 16:52:42 memphis in.telnetd[12001]: refused connect from cx824883-a.omhaw1.ne.home.com
Oct 29 16:58:14 memphis in.telnetd[12002]: refused connect from cx824883-a.omhaw1.ne.home.com
Oct 29 20:27:18 memphis in.ftpd[12139]: refused connect from pD901328A.dip.t-dialin.net
Oct 29 23:05:41 memphis in.ftpd[12242]: refused connect from ci59092-a.nash1.tn.home.com
Oct 30 08:31:52 memphis in.telnetd[364]: connect from boudin
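Added example (Python, not from the slides): a parser that turns syslog-format lines such as the messages and secure snippets above into one timeline and tallies refused connections by source. The sample lines are lifted from the two snippets (the wrapped su lines rejoined); the year and the timezone are assumptions the analyst has to supply, because syslog records neither: the year rolls over silently and the stamp is in the logging host's local time.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

SYSLOG_LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# Message shapes seen in the snippets; each yields (kind, subject, source).
REFUSED = re.compile(r"^refused connect from (?P<src>\S+)$")
CONNECT = re.compile(r"^connect from (?P<src>\S+)$")
LOGIN = re.compile(r"^LOGIN ON (?P<tty>\S+) BY (?P<user>\S+) FROM (?P<src>\S+)$")
SESSION = re.compile(r"^\((?P<svc>\w+)\) session (?P<what>opened|closed) for user "
                     r"(?P<user>\S+)(?: by (?P<by>[^(]+)\(uid=\d+\))?$")


def parse_line(line: str, year: int, tz: timezone):
    """Return a dict with a UTC timestamp, or None for lines in another format."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    local = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                              "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    return {"ts": local.astimezone(timezone.utc), "host": m["host"],
            "prog": m["prog"], "pid": m["pid"], "msg": m["msg"]}


def timeline(lines, year: int, tz: timezone):
    """Sorted (utc_time, kind, subject, source) events; stable for equal stamps."""
    events = []
    for line in lines:
        rec = parse_line(line, year, tz)
        if rec is None:
            continue
        msg = rec["msg"]
        if (m := REFUSED.match(msg)):
            events.append((rec["ts"], "refused", rec["prog"], m["src"]))
        elif (m := CONNECT.match(msg)):
            events.append((rec["ts"], "connect", rec["prog"], m["src"]))
        elif (m := LOGIN.match(msg)):
            events.append((rec["ts"], "login", m["user"], m["src"]))
        elif (m := SESSION.match(msg)):
            events.append((rec["ts"], f"{m['svc']}-{m['what']}", m["user"], (m["by"] or "").strip()))
    events.sort(key=lambda e: e[0])
    return events


def refused_by_source(events) -> Counter:
    """Who was knocking: refused connections per remote host."""
    return Counter(src for _, kind, _, src in events if kind == "refused")


# Lines from the messages/secure snippets on the slides (su lines rejoined).
SAMPLE_LINES = [
    "Sep 10 06:41:16 memphis login[5565]: LOGIN ON ttyp0 BY golden FROM boudin",
    "Sep 10 06:41:16 memphis PAM_pwdb[5565]: (login) session closed for user golden",
    "Sep 10 06:41:34 memphis PAM_pwdb[5577]: (su) session opened for user root by golden(uid=0)",
    "Sep 10 06:50:39 memphis PAM_pwdb[5577]: (su) session closed for user root",
    "Sep 10 06:51:12 memphis PAM_pwdb[5625]: (su) session opened for user root by golden(uid=0)",
    "Sep 10 07:15:04 memphis dhcpd: DHCPREQUEST for 10.0.0.17 from 00:60:1d:f1:12:7f via eth0",
    "Oct 28 07:43:52 memphis in.telnetd[10512]: refused connect from bbig041116.netvigator.com",
    "Oct 29 09:42:58 memphis in.ftpd[11762]: refused connect from ci59092-a.nash1.tn.home.com",
    "Oct 29 23:05:41 memphis in.ftpd[12242]: refused connect from ci59092-a.nash1.tn.home.com",
    "Oct 30 08:31:52 memphis in.telnetd[364]: connect from boudin",
]
ASSUMED_YEAR = 2001                         # syslog does not record the year
ASSUMED_TZ = timezone(timedelta(hours=-5))  # CDT; a fixed offset ignores DST changes,
                                            # so prefer a zone name (zoneinfo) in real work

if __name__ == "__main__":
    ev = timeline(SAMPLE_LINES, ASSUMED_YEAR, ASSUMED_TZ)
    for ts, kind, subject, src in ev:
        print(ts.strftime("%Y-%m-%d %H:%M:%S UTC"), kind, subject, src)
    print(refused_by_source(ev).most_common())
```

The fixed offset is the point of the Time slide further on: a log that straddles a DST change (as the late-October lines above may) shifts by an hour if the wrong zone is assumed, and every cross-host correlation inherits that error.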

Snip of output from last

golden ttyp1 boudin Thu Jan 31 20:54 - 20:55 (00:00)
golden ttyp1 dsl-216-227-105- Wed Jan 30 20:05 - 21:14 (01:09)
golden ttyp0 bluelu Wed Jan 30 19:18 - down (1+01:37)
golden ttyp1 bluelu Thu Jan 24 16:46 - 08:06 (15:19)
golden ttyp0 moe.cs.uno.edu Thu Jan 24 13:56 - 15:09 (3+01:13)
golden ftp moe.cs.uno.edu Wed Jan 23 18:10 - 18:11 (00:01)
golden ttyp0 bluelu Mon Jan 14 15:40 - 22:19 (5+06:38)
golden ttyp1 foxglove.cs.uno. Sun Jan 13 07:51 - 08:10 (00:19)
golden ttyp0 bluelu Fri Jan 11 23:43 - 00:54 (2+01:11)
golden ttyp0 bluelu Thu Jan 10 11:55 - 21:57 (1+10:02)
golden ttyp0 bluelu Tue Jan 8 15:44 - 16:38 (00:53)
golden ttyp0 bluelu Tue Jan 8 13:25 - 13:43 (00:17)
golden ftp bluelu Sat Jan 5 23:29 - 23:29 (00:00)
golden ttyp0 bluelu Sat Jan 5 06:50 - 16:20 (2+09:29)
golden ftp bluelu Fri Jan 4 18:19 - 18:20 (00:00)
golden ttyp0 bluelu Fri Jan 4 08:08 - 18:21 (10:13)
root tty1 Thu Jan 3 22:25 - down (27+22:30)
reboot system boot Thu Jan 3 22:04
golden ttyp0 bluelu Thu Jan 3 21:52 - 22:02 (00:10)

Time

- Timestamps are often crucial in forensic analysis
  – Determining who was using a system
  – Determining if a system has been compromised
  – Determining when files were downloaded, modified, organized
  – Establishing whether a person could actually have committed a computer crime
  – Establishing the validity of alibis
- Lots of chances for error in timestamps
  – Routers may have incorrect time
  – Machines performing logging may have incorrect time
  – Extreme care needed to ensure the correct timezone
  – Many times are reported in GMT, not in local time
  – Users may change timestamps, e.g., using the "touch" command
- Correlation of timestamps on machines in a network attack is difficult due to the problems above

"MAC" Analysis

- M – modification time ("write" time)
- A – access time ("read" time)
- C – creation time on FAT/NTFS, but inode change time on Unix; the letter is overloaded, so always say which is meant
- FAT: modified ("M"), accessed ("A"), created ("C")
- NTFS: modified ("M"), metadata changed, accessed ("A"), created ("C")
- Unix: modified ("M"), accessed ("A"), metadata changed ("C", rewritten whenever the inode is written, including when it is re-used), and on ext2/3 a deletion time

FAT MAC Analysis

- Basic rules:
  – Only the modification time is required to be correct
  – The access ("A") date is optional, and there is no access time, only a date
  – File creation ("C") == creation or copy of the file
  – Move/rename is not creation
  – New file creation counts as a write (changes "M")

FAT MAC (2)

- Timestamp update algorithms:
- Create file
  – All timestamps set to current time
- Copy file
  – Last access on source is updated
  – Last access and creation on target set to current time
  – Last modified for target is the same as source
  – Thus ("C") > ("M") on the target: a creation time later than the modification time is the signature of a copied file
- Move file within same volume
  – Last access doesn't change
- Move file outside volume
  – Last accessed time is updated
  – Thus ("A") DATE >= ("C") DATE
- For directories, the creation date is correct, but the other dates do not seem to follow a reasonable update pattern
- Deletions don't update times, so the deletion date can't be determined

NTFS MAC Analysis

- Basic rules:
  – File creation ("C") == creation or copy of the file
  – Move/rename is not creation
  – Changing attributes of files leaves "M" alone
  – The "metadata changed" timestamp is modified when file attributes change
    • Brian Carrier has also observed that this timestamp changes when a file is opened but not modified
    • Changed when a file is renamed or moved within the same volume
    • Doesn't appear to change when a file is moved to a different volume
  – Accessed ("A") changes when file data or attributes are viewed
- File deletion doesn't seem to change timestamps in a useful way, so the deletion date can't be determined
- Note: NTFS keeps two sets of these four timestamps in each MFT entry, in $STANDARD_INFORMATION (the set the Windows API exposes and updates) and in $FILE_NAME; comparing them is a useful check, since user-level timestamp changes touch only the first

NTFS MAC (2)

- Timestamp update algorithms:
- Create file
  – All timestamps set to current time
- Copy file
  – Last access on source is updated
  – Last access and creation on target set to current time
  – Last modified and metadata changed on target are copies of the source values
  – Thus ("C") > ("M") on the target: a creation time later than the modification time is the signature of a copied file
- Move file within same volume
  – Last access and metadata changed are set to current time
- Move file outside volume
  – Last accessed time is updated
  – Thus ("A") >= ("C")
- File created or deleted within a directory
  – Last modified for the directory set to current time

NTFS MAC (3)

- Contents of directory listed
  – Last access for the directory is set to current time
- Directory is copied
  – All timestamps on the target are set to current time
- Directory is moved to a different volume
  – All timestamps on the target are set to current time
- Directory is moved within a volume
  – Last access and metadata changed are set to current time
  – Other timestamps remain unchanged

ext2/3 MAC Analysis

- Note: the "creation" time in the rules below is the inode change time (ctime); ext2/3 record no true creation time, which is why a rename below updates it
- Timestamp update algorithms:
- Create file
  – All timestamps set to current time, delete time is set to 0
  – Parent directory's modification and change times are changed
- Copy file
  – Last access on source file and directory is set to current time
  – Last access, modification, and change on target set to current time
  – Last modified and change times on the target directory are changed
- Move file within same volume
  – Source directory access, modification, and change times are updated
  – File's change time is updated, but modification and access times remain unchanged
  – Target directory has updated modification and change times
- Move file outside volume
  – Additionally, the original inode is released and gets all timestamps set to current time (including delete)
- Directory listings modify accessed time; otherwise as above

    Windows: Command Line

    Limited usefulness:
    – e.g., dir /s /od /tc \windows
    Problem is that timeline is fragmented on a directory by directory basis
    mac.pl was a popular Perl script for extracting MAC timelines under Windows, but seems to have disappeared…

    FTK/Winhex

    Pretty simple—simply open a case, and use the File Explorer’s modify/create/access times to sort the files… on USBKEY.dd
    Similar with Winhex on USBKEY.dd
    USBKEY.dd created via:
    – dd if=\\.\j: of=USBKEY.dd on XP

    Unix Command Line

    Simple timelines (on one time dimension) possible with, e.g., “ls -ltr”
    Useful, but there’s a good trick when it’s likely that a user has modified MAC info
    (Easy to do under Unix w/ touch command)
    “ls -li” will display inodes associated with files
    MUCH harder to fake
    Demo: “ls -ltr” vs. “ls -i | sort” printouts
    Which is the single file that doesn’t belong?

    Sleuthkit

    Sleuthkit MAC tools (by Brian Carrier) “light up the filesystem”
    Idea:
    – Create a timeline that begins with the date of creation for the first file of interest…
    – …traces all subsequent file access, modification and creation dates…
    Good news: Deleting a file counts as a “modification” and often the deletion dates of files can be retrieved

    Sleuthkit MAC Tools

    Filename-layer MAC information
    fix timezone:

    # export TZ=CST6CDT

    for a single FAT disk image:

    # fls -f fat -m / -r image.dd > BODY

    for multiple images (OpenBSD):

    # fls -f openbsd -m / -r root.dd > BODY
    # fls -f openbsd -m /var/ -r var.dd >> BODY

    then:

    # mactime -h -b BODY

    Sleuthkit MAC Tools (2)

    Meta-data layer MAC information: MAC information associated with “free” inodes:

    # ils -m 128MB.dd > BODY && mactime -h -b BODY | less

    or

    # ils -f openbsd -m var.dd >> BODY

    followed by

    # mactime -b BODY > BODY.out
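The fls/ils → mactime pipeline on the last two slides, reduced to its core as an added example; this is not Sleuth Kit code. It assumes the TSK 3.x body-file layout (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`) and a constructed three-line body; the `b` flag is the creation (“born”) time. Timestamps in a body file are epoch seconds, so the timezone (the `export TZ=...` step) is applied only when rows are rendered:

```python
"""
A small mactime-style timeline builder, added as an example (not Sleuth Kit code).
Input is the "body" format that fls -m / ils -m write, assumed here to be the
TSK 3.x layout:  MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
The sample body below is constructed; it is not from a real image.
"""
from collections import defaultdict
from datetime import datetime, timezone

SAMPLE_BODY = """\
0|/etc/passwd|5|r/rrw-r--r--|0|0|1024|1141234600|1141100000|1141100000|1141000000
0|/home/bob/secret.txt|12|r/rrw-r--r--|1000|1000|512|1141234567|1141230000|1141230000|1141229000
0|/tmp/cleanup.sh (deleted)|27|r/rrwxr-xr-x|1000|1000|220|1141235000|1141234900|1141235100|1141234800
"""

FLAG_ORDER = "macb"   # mactime's flag column: m=modified, a=accessed, c=changed, b=born

def parse_body(text):
    """Parse body lines into dicts; blank or malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.strip().split("|")
        if len(fields) != 11:
            continue
        _md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = fields
        entries.append({
            "name": name, "inode": int(inode), "mode": mode,
            "uid": int(uid), "gid": int(gid), "size": int(size),
            "times": {"m": int(mtime), "a": int(atime), "c": int(ctime), "b": int(crtime)},
        })
    return entries

def build_timeline(entries):
    """Rows (epoch, flags, size, uid, gid, inode, name) sorted by time, then name.
    Timestamps of one file that coincide collapse into a single row with several
    flags set (e.g. "m.c."), as mactime does; a 0 timestamp means "not recorded"."""
    rows = []
    for e in entries:
        by_time = defaultdict(set)
        for flag, ts in e["times"].items():
            if ts > 0:
                by_time[ts].add(flag)
        for ts, flags in by_time.items():
            flag_str = "".join(f if f in flags else "." for f in FLAG_ORDER)
            rows.append((ts, flag_str, e["size"], e["uid"], e["gid"], e["inode"], e["name"]))
    rows.sort(key=lambda r: (r[0], r[6]))
    return rows

def format_timeline(rows, tz=timezone.utc):
    """Render rows roughly like `mactime -b BODY`; tz plays the role of $TZ."""
    out = []
    for ts, flags, size, uid, gid, inode, name in rows:
        when = datetime.fromtimestamp(ts, tz).strftime("%a %b %d %Y %H:%M:%S")
        out.append(f"{when} {size:>8} {flags} {uid:>5} {gid:>5} {inode:>6} {name}")
    return out

if __name__ == "__main__":
    print("\n".join(format_timeline(build_timeline(parse_body(SAMPLE_BODY)))))
```

The collapsed flag column is what to read: a file whose `...b` row is later than its `m...` row is the copy signature described on the NTFS MAC slides (creation set to now, modification copied from the source), and the `(deleted)` entry's `..c.` row is the metadata-change time fls reports for an unallocated name.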

    Data Hiding

    Legitimate OS features
    – alternate data streams
    – tricky pathnames (“…”)
    – …
    Deliberate manipulation of low-level filesystem structures
    – Unused space in superblock, inode structures
    – StegFS
    – bmap
    – Avoiding fsck w/ journaling filesystems (Knut Eckstein, DFRWS 2005)
    Encryption
    – Application level
    – Filesystem level
    – Whole disk encryption
    Even stranger places…
    – flashable BIOS
    – …

    File Carving

    Goal: recover files or file fragments when file metadata (or filesystem structures) are destroyed
    Specify headers, footers, and other characteristics of file formats
    Search for these headers, footers on raw disk image
    Carve (copy) data into regular files
    File carving works well for file formats with well-defined headers and footers or other file format characteristics
    More poorly for other file types, such as MP3s

    Headers/Footers

    JPEG

    Header: ffd8ffe00010
    Footer: ffd9

    FFD8FFE000104A46494600010201004800480000FFE11B344578696600004D4D002A00000008000A010F

    ……

    F2B54840253BA4AA67F932C6EE14C4455991B9E2C18FC66BAED9919934BCC4A13AB86CE14B7FFFD9
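The carving loop the previous two slides describe, written out as an added example (not Foremost or Scalpel code): find every header, look for the nearest footer within a maximum carve size, and copy the span out as a regular file. The in-memory “image” is constructed: deterministic filler around a JPEG-shaped blob that starts and ends with the bytes shown above, plus a second copy whose footer has been lost; the `max_size` values and the GIF signature entry are constructed for the demo as well.

```python
"""
Header/footer carving, added as an example (not Foremost/Scalpel code).
For each format the carver finds every header, then the nearest footer within
max_size, and copies that span out. A header with no footer in range is carved
to max_size, as Foremost/Scalpel do, and its type is tagged "-nofooter".
The image is constructed in memory; see build_sample_image().
"""
import os

SIGNATURES = {   # max_size values are constructed for the demo
    "jpg": {"header": bytes.fromhex("ffd8ffe00010"), "footer": bytes.fromhex("ffd9"), "max_size": 1_000_000},
    "gif": {"header": b"GIF8", "footer": b"\x00;", "max_size": 1_000_000},
}

def build_sample_image():
    """Constructed disk image: filler, full JPEG, filler, JPEG with its footer lost, filler."""
    head = bytes.fromhex("FFD8FFE000104A46494600010201004800480000")   # from the slide
    tail = bytes.fromhex("4A13AB86CE14B7FFFFD9")                       # from the slide
    filler = bytes((i * 37 + 11) % 251 for i in range(4096))            # never contains 0xff
    full_jpeg = head + b"\x10" * 300 + tail          # 330 bytes
    truncated = head + b"\x20" * 100                 # header only; footer overwritten
    return filler + full_jpeg + filler + truncated + filler

def carve(image, signatures=SIGNATURES):
    """Return [(type, start, end, data)] sorted by start; end is exclusive."""
    found = []
    for ftype, sig in signatures.items():
        hdr, ftr, max_size = sig["header"], sig["footer"], sig["max_size"]
        pos = image.find(hdr)
        while pos != -1:
            limit = min(len(image), pos + max_size)
            fpos = image.find(ftr, pos + len(hdr), limit)     # footer search bounded by max_size
            if fpos == -1:
                found.append((ftype + "-nofooter", pos, limit, image[pos:limit]))
            else:
                found.append((ftype, pos, fpos + len(ftr), image[pos:fpos + len(ftr)]))
            pos = image.find(hdr, pos + 1)                     # next header, overlaps allowed
    return sorted(found, key=lambda c: c[1])

def write_carved(carved, outdir):
    """The 'carve (copy) data into regular files' step: one file per span, named by offset."""
    os.makedirs(outdir, exist_ok=True)
    names = []
    for ftype, start, _end, data in carved:
        name = os.path.join(outdir, f"{start:08d}.{ftype.split('-')[0]}")
        with open(name, "wb") as f:
            f.write(data)
        names.append(name)
    return names

if __name__ == "__main__":
    for ftype, start, end, _ in carve(build_sample_image()):
        print(f"{ftype:14} {start:>8} {end:>8} ({end - start} bytes)")
```

Note where this goes wrong on real media: every `ffd9` in the window is a candidate footer, so a JPEG containing an embedded thumbnail carves short, and a lost footer produces a `max_size` blob that later validation (the “milestones” slide) has to trim.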

    Interlude: On Good Software Design

    Hypothesis: Performance of many current generation digital forensics tools can be drastically improved
    Can do a much better job on available hardware
    Why?
    – Some “quick and dirty” applications become mainstream
    • Probably written in a hurry to solve a problem
    • No time or resources to improve
    • Even if open source, average user may not have capability to fix
    – Application is poorly designed or design is dated
    – Problem has evolved, but basic design hasn’t…
    – Please, please, don’t use Visual Basic for serious apps
    – Pre-“terabyte terror” design

    A No-brainer Solution

    Digital forensics tools move GB of data
    Treat digital forensics tools like OS components
    Simple lessons from OS internals community:
    – Must minimize memory-to-memory copies
    – Already have data in a buffer? Leave it there!
    – Minimize disk I/O
    – Writes more expensive than reads

    Faster HW isn’t an excuse for poor SW

    Better File Carving

    When disk image is on mechanical secondary storage, file carving is I/O bound
    I/O statistics:
    – Tread : # of bytes to read entire disk image
    – Twrite : # of bytes written to carve files

    Want to carve files fast? Need to minimize factors for Tread, Twrite
    Need sophisticated, binary-capable, string search algorithm
    Minimize memory-to-memory copying

    Victim: Foremost Internals

    Foremost 0.69
    Well-known open source file carver

    Multiplicative factor for Tread can be very large
    Equivalent to tens or hundreds of reads of entire image
    Twrite effectively minimized
    Excessive memory to memory copying

    New File Carver: Scalpel

    (My) Requirements:
    – Frugal
    • don’t want to use expensive machines for file carving—they have better things to do
    • run on machines currently stored in the closet
    • Pentium II class machine with 256MB of RAM, running a bootable Linux distribution
    • handle any size target, subject only to available disk space
    – High-performance
    • run fast, even on modest hardware
    – Support for distributed implementation

    "Scalpel: A Frugal, High Performance File Carver," Proceedings of the 2005 Digital Forensics Research Workshop (DFRWS 2005), New Orleans, LA.

    Scalpel Internals

    Two sequential passes over each disk image
    Process disk image(s) in 10MB blocks
    Frugal on reads, header/footer searches, mem to mem
    Pass # 1:
    – Build header/footer databases
    – Populate work queues for pass # 2
    – Work queue controls carving operations for each 10MB block in pass # 2
    Pass # 2:
    – Use work queues to carve files as buffers are read
    – Use seek operations to skip portions of disk image for which no work is scheduled
    At most 2 * Tread

    Scalpel Internals (2)

    [Figure: a 38MB disk image with 10MB chunk boundaries holding a small JPG and a large MPG, the header/footer database built in pass # 1, and the work queues it produces]

    Header/footer database:
    – JPG: headers: 1,500; footers: 5,000, 6,500
    – MPG: headers: 9,000,000; footers: 26,000,000
    – GIF: headers: none; footers: none

    Work queue entries, in image order (one queue per 10MB chunk):
    – STARTSTOPCARVE start: 1,500 stop: 6,500 name: small.jpg
    – STARTCARVE start: 9,000,000 name: movie.mpg
    – CONTINUECARVE name: movie.mpg
    – STOPCARVE stop: 26,000,000 name: movie.mpg
    – NULL

    Tries hard to replace reads with seeks, avoid searching for footers which can’t match a header, …, etc.
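The two-pass, work-queue design of the last three slides, as an added example in the spirit of Scalpel (this is not Scalpel's code). The constructed image mirrors the diagram scaled down 1000x: 38,000 bytes, 10,000-byte chunks, JPG header at 1,500 with footers at 5,000 and 6,500, MPG header at 9,000 and footer at 26,000, no GIF. The queue entry names follow the diagram. One assumption: the diagram carves small.jpg to the second footer (6,500), so the JPG entry here uses a “last footer within max size” rule; which rule Scalpel applies per type comes from its configuration and is not on the slides. The jpg/mpg/gif magic values are the familiar ones, the max sizes are constructed:

```python
"""
Two-pass, work-queue carving in the spirit of the Scalpel internals on the
slides (added example, not Scalpel's code). Pass 1 reads the whole image once
and builds the header/footer database; schedule() turns it into one work queue
per chunk; pass 2 reads only chunks with work and seeks over the rest.
"""
import io

CHUNK = 10_000   # stands in for Scalpel's 10MB block

# type: (header, footer, max carve size, carve to the LAST footer inside max size?)
FORMATS = {
    "jpg": (b"\xff\xd8\xff\xe0", b"\xff\xd9", 10_000, True),
    "mpg": (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb9", 30_000, False),
    "gif": (b"GIF8", b"\x00;", 5_000, False),
}

def build_image():
    """Constructed 38,000-byte image laid out like the slide's diagram."""
    img = bytearray(b"\x11" * 38_000)          # filler that matches no signature
    for off, data in ((1_500, FORMATS["jpg"][0]), (5_000, FORMATS["jpg"][1]),
                      (6_500, FORMATS["jpg"][1]), (9_000, FORMATS["mpg"][0]),
                      (26_000, FORMATS["mpg"][1])):
        img[off:off + len(data)] = data
    return bytes(img)

def pass1_scan(fp, formats=FORMATS, chunk=CHUNK):
    """Pass 1: one sequential read; record every header/footer offset per type."""
    db = {t: {"headers": [], "footers": []} for t in formats}
    sigs = [(t, kind, sig) for t, (h, f, _, _) in formats.items()
            for kind, sig in (("headers", h), ("footers", f))]
    overlap = max(len(s) for _, _, s in sigs) - 1   # catch signatures straddling a chunk edge
    offset, carry = 0, b""
    while buf := fp.read(chunk):
        data, base = carry + buf, offset - len(carry)
        for t, kind, sig in sigs:
            pos = data.find(sig)
            while pos != -1:
                if pos + len(sig) > len(carry):      # hits wholly inside carry were counted already
                    db[t][kind].append(base + pos)
                pos = data.find(sig, pos + 1)
        offset += len(buf)
        carry = data[-overlap:] if overlap else b""
    return db

def schedule(db, image_len, formats=FORMATS, chunk=CHUNK):
    """Turn the database into one work queue per chunk; no footer in range => carve max_size."""
    queues = [[] for _ in range((image_len + chunk - 1) // chunk)]
    for t, (_hdr, ftr, max_size, use_last) in formats.items():
        footers = sorted(db[t]["footers"])
        for n, h in enumerate(sorted(db[t]["headers"]), start=1):
            limit = min(h + max_size, image_len)
            ends = [f + len(ftr) for f in footers if f > h and f + len(ftr) <= limit]
            stop = (ends[-1] if use_last else ends[0]) if ends else limit
            name = f"{n:08d}.{t}"
            first, last = h // chunk, (stop - 1) // chunk
            if first == last:
                queues[first].append(("STARTSTOPCARVE", name, h, stop))
            else:
                queues[first].append(("STARTCARVE", name, h, None))
                for c in range(first + 1, last):
                    queues[c].append(("CONTINUECARVE", name, None, None))
                queues[last].append(("STOPCARVE", name, None, stop))
    return queues

def pass2_carve(fp, queues, chunk=CHUNK):
    """Pass 2: read only chunks with scheduled work; the seek skips the others."""
    partial, done, chunks_read = {}, {}, 0
    for idx, work in enumerate(queues):
        if not work:
            continue
        fp.seek(idx * chunk)
        buf = fp.read(chunk)
        chunks_read += 1
        base = idx * chunk
        for op, name, start, stop in work:
            if op == "STARTSTOPCARVE":
                done[name] = buf[start - base:stop - base]
            elif op == "STARTCARVE":
                partial[name] = bytearray(buf[start - base:])
            elif op == "CONTINUECARVE":
                partial[name] += buf
            elif op == "STOPCARVE":
                partial[name] += buf[:stop - base]
                done[name] = bytes(partial.pop(name))
    return done, chunks_read

def carve_image(image):
    """Both passes over an in-memory image: (db, queues, carved files, chunks read in pass 2)."""
    db = pass1_scan(io.BytesIO(image))
    queues = schedule(db, len(image))
    carved, chunks_read = pass2_carve(io.BytesIO(image), queues)
    return db, queues, carved, chunks_read

if __name__ == "__main__":
    _db, queues, carved, n = carve_image(build_image())
    for i, q in enumerate(queues):
        print(f"chunk {i}: {[op for op, *_ in q] or 'NULL'}")
    print({k: len(v) for k, v in carved.items()}, "chunks read in pass 2:", n)
```

The read budget is the point: pass 1 reads every chunk once and pass 2 reads only the three chunks with work (the fourth is skipped), which is the “at most 2 * Tread” bound of the previous slide, versus the per-header re-reads that give Foremost its multiplicative factor.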

    Linux: Experimental Setup

    P2-350:
    – 350MHz Pentium 2 with 512MB of RAM and no swap.
    – 4 port ATA-133 IDE controller, 7200rpm 80GB drive for holding carve results.
    – Operating System: Knoppix 3.7.

    T40p (development system):
    – Thinkpad T40p, 1.7GHz Pentium M, with 2GB of RAM and 4GB swap.
    – 7200rpm 60GB drive.
    – Operating System: RH9 with upgraded 2.40.20 kernel.

    Scalpel v1.52
    Foremost v0.69

    Scalpel Results (1)

    Scalpel 1.5 (20MB max) 13s

    Foremost 0.69 (1MB max) 12s

    Foremost 0.69 (5MB max) 42s

    Foremost 0.69 (10MB max) 57s

    Foremost 0.69 (20MB max) 1m43s

    Table 1. Carving results for 512MB USB key image on T40p. Carving parameters: 1MB / 5MB / 10MB / 20MB JPG and DOC. ~1,100 files carved.

    Scalpel Results (2)

    Scalpel 1.5      1h33m10s
    Foremost 0.69    6h21m54s

    Table 6. Carving results for 8GB raw drive (unknown source, no partition table) on P2-350. Carving parameters: 10MB GIF, 10MB JPG, 10MB AVI, 10MB MOV, 10MB MPG, 100K BMP, 5MB DOC, 50MB PST/OST, 50K HTML, 5MB PDF, 200K WAV, 1MB RealAudio, 10MB ZIP. ~52,000 files carved.

    Tread + 238,270,750,000 bytes

    Big targets, large carve sizes, huge improvement (over 5 hours faster)

    Scalpel Results (3)

    Scalpel 1.5      2h40m39s
    Foremost 0.69    9h50m31s

    Table 7. Carving results for 40GB NTFS (from a UNO laboratory) on P2-350. Carving parameters: 10MB JPG, 50MB AVI, 10MB DOC, 50K HTML, 5MB PDF. ~ 72,000 files carved.

    Tread + 117,622,357,936 bytes

    Big targets, large carve sizes, huge improvement (over 7 hours faster)

    To Do (Desperately Needed)

    Milestones
    – Required: means file format isn’t valid without them
    – Confidence increasing: means that seeing these milestones increases confidence that file is correct format
    – For latter, encode confidence level in carved file’s pathname or destination directory
    First and last block milestones particularly important, help to establish whether file beginnings/ends are “real”
    Minimum carve sizes
    Output directory splitting (so file browsers don’t die)
    Field value sanity checks
    Format verification (via file ?)
    (Optional) interaction with filesystem so undeleted files are not “re-” carved
    – e.g., use Sleuthkit

    Much harder: support for fragmented files

    Fragmented Files: More

    What characteristics do individual blocks of fragmented files have?
    JPG, ZIP, other compressed formats: not much?
    PDF, Word, etc.: tags
    Byte frequency analysis for individual blocks?
    n-gram analysis?
    Easy fragmentation: Linear: 1-2 — 3-4
    Harder: Jumbled: 4 — 3 — 1-2
    How to reassemble properly?
    O(N!) to try all possible combinations… need to do a better job

    Carving: General Problem

    More generic description useful for identifying non-hacking solutions
    e.g., Hidden Markov Models (HMMs), Support Vector Machines (SVMs), other supervised learning stuff
    Targets:
    – Whole files
    – Fragments

    General (1)

    Basic issues:
    – I'm carrying a bunch of things of types X1, ... XN
    – I drop the various items of types {Xi} in a pot filled with random "garbage" items of various sizes and swirl everything around
    – Some of the things in the pot, on a quick glance, may look like an Xi, but in fact be random garbage--a deeper analysis should reveal this
    – Some of the items I've dropped in the pot "break"--some of their heads or tails come off
    – Some breakage is major--the items "shatter" and pieces mix with the random garbage
    – Good news is that all of the broken pieces are the same size
    – This is what a hard drive that's been formatted, but still contains data, looks like
    – You've lost all the identities of the files and some files may be fragmented or partially overwritten.
    – Need to reconstruct as many files as possible

    General (2)

    For some sort of model (HMMs, whatever) that has seen a bunch of exemplars of X:
    – is this new thing an X?
    – is this new thing a *piece* of an X?
    – if it's a piece, can I tell where it goes in an X?

    General (3)

    For whole files of type X, need to automatically generate a template that describes what it means to be an X
    – strings at fixed locations
    – strings that float around in the middle of the file somewhere but are always there for this file type
    – strings that aren't necessarily in a file type X but increase your confidence that the file being scrutinized is an X

    For current generation tools, this analysis is done manually
    Too much work, too error-prone

    General (4)

    For random files f, is f an X?
    If f doesn't meet the criteria established in the template [perhaps because the file is damaged], how confident are we that the file might still be an X or that it absolutely isn't an X?
    Currently, left to the human operator to sift through things that are potentially X's, because the tools are too stupid to eliminate things that "sort of" resemble X's but really aren't

    General (5)

    For an individual disk block with no other context, does the disk block belong to a file of type X?
    For some file types, e.g., compressed file types such as JPEG, probably impossible in the general case, but some other files may have identifiable structure
    Finally, given that we've determined that a set of disk blocks used to belong to files (there's probably not just one source file--but rather a pile of blocks from many files) of type X, can the blocks be sampled somehow and reassembled in their correct order?

    Hiding Data in Slack Space w/ bmap: File carving won’t help!

    [Figure: three files (a letter beginning “Dear Mom, Dropped the hamster. Didn’t mean to kill Herbie!”, a letter “To Whom It May Concern: … Best, Fred”, and a C source file beginning “#include … void zapQ(void);”) whose slack space holds the fragments “pa”, “ssword is frid”, “ay”, i.e. “password is friday”]

    tools for creating a simple filesystem in slack space

    Forensics Analysis of Portable Devices

    Palm, Pocket PC, Blackberry + variants
    Variants include telephone/PDA combos
    Available software to assist in forensics investigation includes:
    – pdd (“Palm dd”)
    • Palm only, no longer under development
    – Paraben’s PDA Seizure (industry leader?)
    • Palm, Pocket PC, Blackberry
    • Incorporates pdd
    Often best solution is to attack the peer of the PDA—examine the laptop or desktop that provides HotSync/Activesync capability
    Most data stored on the PDA will be stored on the peer
    Watch out for 3rd party synchronization tools, which may place PDA data in “non-traditional” locations

    Palm Forensics

    Palm memory organized into “cards”
    Card 0 is internal memory
    Other cards, e.g., “Card 1”, are removable devices such as CF/memory sticks/etc.
    Typically, no traditional filesystem, though later Palm OS versions support traditional filesystems through VFS (Virtual File System manager)
    Good news: fixed locations for many types of data
    Data stored in databases
    Header on database contains the creation, modification, and last backup times
    Database times can be changed and shouldn’t be considered definitive

    Palm Forensics (2)

    Palm database types:
    – PRC: code + user interface == an application
    – PDB: database containing records which hold application/user data (e.g., contact list)
    – PQA: WWW content for web clipping applications

    Palm Forensics (3)

    Palm: Significant events
    Letting batteries die == loss of volatile memory
    – On older Palms, this means that virtually all user data + installed applications are permanently lost
    – On newer Palms, e.g. UX-50 from Sony, system automatically backs up volatile memory and can restore after complete power drain
    Hard reset
    – Device restored to initial state, all content of Card 0 lost
    – CF/Memory stick storage, etc. is unaffected
    Soft reset
    – Memory cleanup == some deleted material likely to be lost
    – Database items marked for deletion are removed
    Hotsync
    – Items marked for deletion are removed

    Palm Forensics: Passwords

    On older Palms (OS 4 and prior), password storage scheme is poor and can easily be broken
    – Important: device can be placed into debug mode on older Palms, bypassing the power-on password
    – XOR of password with constant block, hash can be recovered
    For newer Palms, not easy
    – Password storage is secure
    – “Cannot” bypass power-on password

    Palm: Debug mode

    Key to “invasive” Palm forensics is Palm’s debug mode
    Allows serial/USB interface to a Palm, memory can be dumped
    Entered by issuing a special Graffiti sequence
    Terminated via a soft reset
    Both pdd and Paraben’s tools use debug mode
    Implication of final soft reset: Get the imaging right the first time—some data will be lost during the soft reset that terminates debug mode!

    pdd

    Provides a bunch of information about the Palm under investigation
    E.g., from “investigation” of Palm 505 by Joe Grand, author of pdd

    Current Time: Tue Mar 05 16:34:39 2002 UCT
    Card Number: 0
    Card Name: PalmCard
    Manufacturer: Palm Computing
    Card Version: 0001
    Creation Date: Thu Dec 10 16:10:14 1998 UCT
    Palm OS Version: 3.1.0
    Processor Type: Motorola DragonBall 68EZ328
    RAM Size: 2097152 bytes
    Free RAM: 2042784 bytes
    ROM Size: 2097152 bytes
    ROM Used By OS: 1212412 bytes
    Flash ID: 10FF1C795R3G-D
    Image Output File: Standard output
    Image Memory Type: RAM
    Starting Address: $00000000

    Allows dump of Palm memory, but interpreting the image is largely up to you (the investigator); use strings command, etc.

    Blackberry

    Networked email appliance + PDA
    Password protects *data* in phone
    Forgot (or don’t know) the password?
    Enter an incorrect one 10 times and Blackberry erases data and allows access to phone
    Password storage is a SHA-1 hash of password on the device
    No known way to defeat password protection on Blackberry
    When powered on, Blackberry may send queued data items if it has access to the network
    – Perform analysis in a shielded area

    Software to cause commands to be executed via email exists
    – Owner may circumvent investigation

    SDK provides ability to save data “outside” the file system which will survive a device reset

    Smartphones

    Example from Kyocera QCP 6035 smartphone (Joe Grand, author of pdd)
    – Web browser cache (plaintext HTML documents)
    – E-mail with full header information and attachments
    – Scripts and passwords for network connections
    – Call History and Recent Calls database (incoming, outgoing, and missed calls)
    – Speed Dial database (199 commonly dialed numbers)
    – Voice Dial database (30 commonly dialed names/voice tags)

    Other PDA-related stuff

    Blackberry investigation:
    – http://www.rh-law.com/ediscovery/Blackberry.pdf
    Cracking (older) Palm passwords:
    – Kingpin, “Palm OS Password Retrieval and Decoding,” September 2000, www.atstake.com/research/advisories/2000/a092600-1.txt
    Open source tools for connecting Palm to Linux
    – http://www.pilot-link.org/
    General Palm security badness
    – Kingpin & Mudge, “Analysis of the Palm Operating System and its Weaknesses Against Malicious Code Threats,” USENIX 10th Security Symposium, August 2001, www.atstake.com/research/reports/security_analysis_palm_os.pdf
    Original pdd paper
    – J. Grand, “pdd: Memory Imaging and Forensic Analysis of Palm OS Devices,” Proceedings of the 14th Annual Computer Security Incident Handling Conference, Waikoloa, Hawaii, June 2002, also @ www.grandideastudio.com.
    NIST guidelines for PDA seizure and analysis
    – http://csrc.nist.gov/publications/nistpubs/800-72/sp800-72.pdf

    Cell Phone Forensics

    Some high-level data can be retrieved via the phone’s OS:
    – Web browser cache (plaintext HTML documents)
    – E-mail with full header information and attachments
    – Scripts and passwords for network connections
    – Call History and Recent Calls database (incoming, outgoing, and missed calls)
    – Speed Dial database (commonly dialed numbers)
    – Voice Dial database (commonly dialed names/voice tags)
    Low-level stuff
    – Deleted SMS messages
    – Deleted cache documents
    Can require really nasty de-soldering techniques
    – “Ball Grid Array Technology”

    “Forensic Analysis of Mobile Phone Internal Memory” (Svein Willassen), Proceedings of the International Conference on Digital Forensics (IFIP 2005).

    Practical Cryptography for Digital Forensics

    Steganography
    Cryptographic hashes/message digests
    Private key systems
    Public key systems
    Focus: Practical aspects, impact on digital forensics investigations

    Steganography: Basics

    Techniques for hiding information within other information
    Tattoos
    Text on wood under wax layer on a wax tablet
    “Invisible” ink (e.g., lemon juice)
    Writing poetry or prose where the last letter of each word is a letter in a message
    “microdot” technology: photographs shrunk to the size of a period
    Now typical: hide documents w/in an image or other document
    Least significant bit encoding, masking of bits, more sophisticated methods
    Generally encryption is also employed—helps to scramble bits of hidden document within container document

    Stego (2)

    Stego (3)

    Stego (4)

    Statistical analysis by “stegdetect” guesses correctly that something is hidden. But jphide uses Blowfish to scramble the order of embedded data, so successful extraction is very unlikely.

    Slipped inside the 2nd cactus picture by “jphide”…

    Embedding in this case is not obvious (visually)… and image w/ embedded Golden is actually smaller (in bytes) than original

    Stego (5)

    [Figure: “bomb” diagram with parts labelled Core and Igniter]

    This “bomb” diagram, however, is not detected.

    Stego: In Detail

    Background:
    – “Hide and Seek: An Introduction to Steganography” (Provos, Honeyman)
    – “Defending Against Statistical Steganalysis” (Provos)

    Idea: Hide information, hide the fact that communication is taking place
    A covert communication channel
    Classical methods depended on hiding the mechanism
    Modern mechanisms employ, e.g., encryption, to make extraction of the hidden information difficult
    To improve security, nice to be able to make it difficult to detect that stego is in use…
    …in addition to making extraction difficult
    Can increase level of plausible deniability by embedding multiple information sets in a target

    Stego Detail (2)

    One goal: detect changes to a target that indicate stego is in use
    – Seek out traces of ‘invasive’ manipulation of bits in the target
    Opposite goal: reduce traces of invasive manipulation to the point where tests for stego fail
    – Careful embedding: try not to change statistical characteristics of target “container”

    Stego: Embedding

    Idea: identify ‘redundant’ bits that can be used to hide information
    Want changes to target to be as invisible as possible…
    …both in terms of what a casual user would see
    – Image not changed so dramatically that it looks suspicious
    …and what a detailed study reveals
    – e.g., don’t want to be ‘busted’ by statistical tests

    Stego: Embedding (2)

    1. Choose redundant bits
    2. Select bits in which hidden information will be placed
    3. Choose order in which redundant bits will be used

    Need to take care that bits are “locked” as necessary to enable embedding of multiple hidden streams
    Want to spread hidden info across the entire space of redundant bits, avoid “clustering”

    – e.g., don’t simply dump hidden info at beginning or end of JPEG file
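The three embedding steps above, together with the “locked bits” and “spread, don't cluster” points, as an added textbook-style example (this is not jphide's or Outguess's algorithm, and it covers both the LSB-encoding slide and this one). The redundant bits are the LSB of every sample of a constructed 8-bit sample array standing in for pixel data; the order is a key-derived permutation over the whole cover; a `locked` set keeps a second stream from overwriting the first. A real tool would encrypt the payload before embedding, as the earlier slide notes; that step is left out here. The `changed_fraction` the demo returns is what LSB statistics look at, and why small payloads spread over a large cover are hard to detect:

```python
"""
LSB embedding with a keyed order, added example (not jphide/Outguess code).
Step 1: redundant bits = the LSB of each sample.  Step 2: only as many of them
as the payload needs are used.  Step 3: the order is a permutation of all
sample indexes seeded from the key, so the payload is spread over the cover.
The cover below is constructed; names and the 16-bit length prefix are this
example's own conventions.
"""
import hashlib
import random

def keyed_order(key: bytes, n_samples: int):
    """Step 3: permutation of sample indexes seeded from the key."""
    rng = random.Random(int.from_bytes(hashlib.sha256(key).digest(), "big"))
    order = list(range(n_samples))
    rng.shuffle(order)
    return order

def to_bits(data: bytes):
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]

def from_bits(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)

def embed(cover: bytes, payload: bytes, key: bytes, locked=None):
    """Returns (stego, locked_after, bits_actually_changed). A 16-bit length precedes the payload."""
    locked = set(locked or ())
    bits = to_bits(len(payload).to_bytes(2, "big") + payload)
    free = [i for i in keyed_order(key, len(cover)) if i not in locked]   # step 1 minus locked bits
    if len(bits) > len(free):
        raise ValueError("payload does not fit in the free redundant bits")
    stego = bytearray(cover)
    changed = 0
    for idx, bit in zip(free, bits):                  # step 2: first len(bits) positions of the order
        if (stego[idx] & 1) != bit:
            stego[idx] = (stego[idx] & 0xFE) | bit
            changed += 1
        locked.add(idx)                               # lock so another stream cannot reuse it
    return bytes(stego), locked, changed

def extract(stego: bytes, key: bytes, locked=None):
    """Read the length, then the payload, from the same keyed order (minus locked bits)."""
    locked = set(locked or ())
    free = [i for i in keyed_order(key, len(stego)) if i not in locked]
    n = int.from_bytes(from_bits([stego[i] & 1 for i in free[:16]]), "big")
    return from_bits([stego[i] & 1 for i in free[16:16 + 8 * n]])

def build_cover(n=4096):
    """Constructed grayscale-like samples; stands in for image pixel data."""
    return bytes((i * 7 + 3) % 256 for i in range(n))

def demo():
    cover = build_cover()
    stego1, used1, changed1 = embed(cover, b"meet at noon", b"key-one")
    # second stream with its own key; positions used by stream one are locked
    stego2, _used2, changed2 = embed(stego1, b"plan B", b"key-two", locked=used1)
    return {
        "stream1": extract(stego2, b"key-one"),
        "stream2": extract(stego2, b"key-two", locked=used1),
        "wrong_key": extract(stego2, b"not-the-key"),
        "changed_fraction": (changed1 + changed2) / len(cover),   # LSBs flipped, per sample
        "spread": max(used1) - min(used1),                       # distance between first and last used index
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Roughly half of the embedded bits already match the cover's LSBs, so `changed_fraction` stays well under the payload-to-cover ratio; stegdetect-style tests estimate exactly this kind of deviation from the cover's natural statistics, which is why the later “Opinions” slides rate low-bitrate embedding as essentially undetectable.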

    Stego: Embedding (2)

    Requirements (Zollner):
    – Secret key used to embed the hidden information remains unknown to adversary
    – Adversary does not know the original cover medium

    Second requirement means that access to original media, without embedding, is prevented
    Otherwise, comparison of two copies (one ‘pure’, one with embedding) will raise suspicion
    One method: Use a digital camera to take an image, embed secret information, securely delete the original image from the original media (e.g., memory stick or Compact Flash card)

    Stego: Popular Tools

    Outguess (more resistant to detection than many other tools)
    – See www.outguess.org
    – (But it’s been “broken”—pointers are also on that page)
    jphide/jpseek
    – Freeware, detectable
    Stegdetect
    – Primary open-source detection software

    Stego: Opinions [mine]

    Tests for “good” stego involve complicated statistical tests
    State-of-the-art stego software isn’t as brain-dead as the first generation and does a pretty good job of avoiding detection, if # of bits stored is small
    For digital forensics, detection of stego may be essentially an interesting diversion
    How useful is detection likely to be?
    Maybe not that useful
    Why?

    Opinions (2)

    Detection vs. Extraction
    If embedded bits are scrambled using high-quality encryption algorithms (e.g., Blowfish or RSA), then extraction is essentially as hard as breaking the corresponding encryption
    If you have an RSA key (e.g., on a seized floppy) and you’re looking for a “lock” to plug the key into…
    Then maybe it makes more sense
    The bad news is that low bitrate covert channels are essentially impossible to detect
    – A snapped branch on a tree
    – A gate left open
    – An attempted login with an improper username, from a random machine
    – Ordering a large cappuccino with 2 extra shots
    – A few bits of information embedded in an image

    In critical cases, attacks on stego may be worth it

    Encryption: Basics

    Types of algorithms
    – Public key
    • encryption/decryption keys different
    – Private key
    • encryption/decryption keys the same
    – Algos for digital signatures (for authentication)
    – Cryptographic hash functions
    – Message digest algorithms
    – …

    Further..
    – Restricted (no access to details, may have to discard technique if details become known!) --or--
    – Open (details available, everyone gets to try to break)
    – Open is generally accepted to be a better idea (except by NSA)

    Encryption: Basics (2)

    “Strength”
    – Key secrecy
    – Difficulty of doing a key search
    – Difficulty in breaking the encryption algorithm
    – Indifference to properties of plaintext (same preface, etc.)
    – Resilience to a variety of attacks
    • differential cryptanalysis
    • power analysis
    – Implementation issues are another story… notoriously difficult to get right!

    More on Asymmetric vs. Symmetric

    Asymmetric algos permit the encryption key to be public
    Advantage: Anyone can encrypt using public key, only intended recipient can decrypt (using private key)
    Asymmetric generally MUCH slower
    Symmetric faster, but key management is a pain (need mechanism for pushing around shared secret)
    In either event, there are blobs of human-unfriendly bits (keying material) that need to be stored somewhere
    Recall that public and private key encryption can be used together…
    Use public key algo to encrypt a “session key” which is used in a symmetric algo for encryption of a data stream

    Popular Encryption Packages

    PGP (Pretty Good Privacy)
    – Free version available with limited features
    – www.pgp.com
    – Don’t attack encryption algo directly…
    – Password Recovery ToolKit (PRTK) can attack passphrases that protect keyrings
    – Consider downloading extra dictionaries!!

    TrueCrypt (whole disk)
    ScramDisk (whole disk)
    FineCrypt
    – Freeware, but with some limitations
    – Commercial removes limitations on # of files to encrypt at a time, etc.
    – AES, Blowfish, CAST-256, GOST, IDEA, MARS, RC-6, Serpent, TripleDES and Twofish
    – www.finecrypt.net
    – Good integration with Windows Explorer
    – Careful to delete original files after encryption (includes secure wipe, tho)

    Encryption in a Forensics Investigation

    If the encryption schemes are awful, there’s hope
    – e.g., XOR-ing against a constant bitstream
    – Character substitution (Outlook), etc.

    But good, easy-to-use packages exist
    No keying material == big trouble for investigator
    Good news: copies or fragments of unencrypted files may be available
    – Temporary files
    – Print spool files

    Social engineering
    Search for slips of paper
    Search for unencrypted password lists

    Encryption in Investigation (2)

    Keystroke logging to capture keying material
    Investigation of media that may hold keys (e.g., floppies, ZIP disks, thumbdrives, etc.)
    Search PDAs, phones, and organizers for passwords
    On some systems (e.g., Windows 2000: administrator), a “recovery agent” is able to read all encrypted files
    Software or hardware keystroke loggers
    If the file can’t be decrypted, the name of the file may still be useful in prosecution
    Live process memory captures during triage

    Encryption in Investigation (3)

    Windows: may be possible to use a combination of pstools + pmdump, if machine is still runningIdea: dump memory of apps handling encryption and analyzeSee See “Practical Approaches to Recovering Encrypted Digital Evidence” (Eoghan Casey, International Journal of Digital Evidence, Fall 2002)Available @ www.ijde.orgLinux: mem interface through /dev/kmemand /dev/mem


  • CSCI 4623: Intro to Digital Forensics 122 © 2004-6 by Golden G. Richard III

    Windows Memory Dump to Defeat Encryption

    [Screenshot: process info, memory dump of the application, recovered plaintext]

  • CSCI 4623: Intro to Digital Forensics 123 © 2004-6 by Golden G. Richard III

    Cryptographic Hashing

    Generate electronic “fingerprints” for either individual files or logical/physical devices
    – File, Partition, Entire Physical Device
    Several forensics-related purposes for hashing:
    – Establish that evidence has not been altered
      • Hash evidence before analysis, hash after analysis
    – Quickly and automatically find files of interest
      • Have set of hash values for files of interest
      • Compute hash values for all files on a device
      • Matching files can either be targeted for investigation, or for ignoring…

  • CSCI 4623: Intro to Digital Forensics 124 © 2004-6 by Golden G. Richard III

    Explaining Hashing to Non-techies

    Generally, the fingerprint analogy is used
    Fingerprints identify human beings as cryptographic hashes identify files
    Human changes hair style, paints toenails, wears a funny hat: fingerprints don’t change
    Filename gets changed, location of file is changed (e.g., file is copied to a removable drive): cryptographic hash doesn’t change
    Stronger identification than fingerprints, in some sense
    Even one bit of file content changing—even an “insignificant” bit…completely changes the “fingerprint”

  • CSCI 4623: Intro to Digital Forensics 125 © 2004-6 by Golden G. Richard III

    Hashing Tools

    Typical algorithms: MD5, SHA-1
    Examples:

    Windows and Unix:

    C:> md5sum golden.jpg
    b28f08b004a7251a418e089ef3bb7409 *golden.jpg
    C:> rename golden.jpg winword.exe
    C:> md5sum winword.exe
    b28f08b004a7251a418e089ef3bb7409 *winword.exe

    Unix:

    [root@tasso root]# openssl dgst -sha1 md5deep-0.16.tar
    SHA1(md5deep-0.16.tar)= db1573b7c2dfcf36f51d9fde93d8a9c572a9407b
    [root@tasso root]# openssl dgst -md5 md5deep-0.16.tar
    MD5(md5deep-0.16.tar)= a7891c1fd96a457c16266efb2f577269

  • CSCI 4623: Intro to Digital Forensics 126 © 2004-6 by Golden G. Richard III

    Aside: NSRL

    NSRL: National Software Reference Library
    http://www.nsrl.nist.gov
    As of December, 2003:
    – 3,800+ software packages
    – Over 17,000,000 files

    Includes:
    – Consumer software
    – Development software
    – Cracked software
    – Malicious software (“malware”)

    Hashes for every file in each package
    See: http://www.nsrl.nist.gov/documents/aafs2005/aafs2005.pdf

  • CSCI 4623: Intro to Digital Forensics 127 © 2004-6 by Golden G. Richard III

    NSRL Uses

    Automatically eliminate as many known files as possible from the examination process
    Example: From NSRL slides, Win2K contains almost 6,000 graphics files
    Use of NSRL can eliminate need to examine these files (at all)
    Discover “known” filenames whose contents aren’t the expected ones
    Identify origins of files
    Identify presence of “malicious” files
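    The hash-set workflow from the last few slides (hash before/after analysis, known-file filtering, name/content mismatch, one-bit change) in working form. This is an added example, not code from the slides or from NSRL; the file contents, paths and hash sets are constructed stand-ins, not real NSRL data.

```python
import hashlib

def sha1hex(data: bytes) -> str:
    """SHA-1 of file content only: renaming or moving the file does not change it."""
    return hashlib.sha1(data).hexdigest()

# Constructed stand-ins for file contents (not real files, not real NSRL hashes).
BLISS_JPG = b"\xff\xd8\xff\xe0 constructed JPEG bytes"
REAL_CALC = b"MZ constructed calc.exe bytes"
BAD_TOOL = b"MZ constructed malicious sample bytes"

# Reference sets an examiner would load from a hash library such as NSRL.
KNOWN_IGNORE = {sha1hex(BLISS_JPG), sha1hex(REAL_CALC)}   # known OS/application files
KNOWN_TARGET = {sha1hex(BAD_TOOL)}                         # known files of interest
EXPECTED_BY_NAME = {"bliss.jpg": sha1hex(BLISS_JPG), "calc.exe": sha1hex(REAL_CALC)}

# Constructed "device": path -> content. calc.exe has the right name but wrong content.
DEVICE = {
    "C:/WINNT/Web/Wallpaper/Bliss.jpg": BLISS_JPG,
    "D:/removable/photo_0031.jpg": BLISS_JPG,       # same file, renamed and copied elsewhere
    "C:/Docs/notes.txt": b"meeting notes, unknown to any hash set",
    "C:/WINNT/system32/calc.exe": b"MZ something else entirely",
    "C:/Temp/update.exe": BAD_TOOL,
}

def triage(device: dict, ignore: set, target: set, expected: dict) -> dict:
    """Classify every file on the device by the hash of its content."""
    verdicts = {}
    for path, content in device.items():
        h = sha1hex(content)
        name = path.rsplit("/", 1)[-1].lower()
        if h in target:
            verdicts[path] = "TARGET"          # examine first
        elif h in ignore:
            verdicts[path] = "IGNORE"          # known file, skip entirely
        elif name in expected and expected[name] != h:
            verdicts[path] = "NAME_MISMATCH"   # known name, unexpected content
        else:
            verdicts[path] = "EXAMINE"         # unknown, needs a look
    return verdicts

def evidence_unchanged(hash_before: str, image_after: bytes) -> bool:
    """Hash-before/hash-after check: True if the image still matches the original hash."""
    return sha1hex(image_after) == hash_before

def flip_one_bit(data: bytes, byte_index: int = 0, bit: int = 0) -> bytes:
    """Change a single 'insignificant' bit; that is enough to change the whole hash."""
    b = bytearray(data)
    b[byte_index] ^= 1 << bit
    return bytes(b)

if __name__ == "__main__":
    for path, verdict in triage(DEVICE, KNOWN_IGNORE, KNOWN_TARGET, EXPECTED_BY_NAME).items():
        print(f"{verdict:14s} {path}")
    image = b"".join(DEVICE.values())        # stand-in for a device image
    h1 = sha1hex(image)
    print("unchanged after analysis:  ", evidence_unchanged(h1, image))
    print("unchanged after 1-bit edit:", evidence_unchanged(h1, flip_one_bit(image)))
```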

  • CSCI 4623: Intro to Digital Forensics 128 © 2004-6 by Golden G. Richard III

    Hashing: Concerns

    Hashing algorithms aren’t infallible—chance of 2 different files hashing to the same hash value (“collision”) is non-zero
    Why?
    Finite number of bits in the hash, potentially infinite number of different files which could be used for input
    Want to use algorithms that minimize collisions, but the harm that unintentional or intentional collisions cause varies depending on what hashing is being used for

  • CSCI 4623: Intro to Digital Forensics 129 © 2004-6 by Golden G. Richard III

    Hashing: Concerns (2)

    (1) For hashing of individual files, e.g., to discover ‘contraband’ files by matching hashes of unknown files with a dictionary of known hashes…
    – Less concern that collisions might result in persecution of an innocent party
    – Why?
    – Hashes primarily used in this context to quickly discover potential evidence
    – Evidence (e.g., child pornography or nuclear secrets) will be verified once discovered
    – If a collision occurs and an “innocent” file is flagged as contraband, examination of the file will close the matter
    – Major concern: utility of hashing is limited by the very power of the hashing functions—a small change in a file yields a completely different hash…
    – Criminals need only change one bit in a target file (e.g., a contraband image) to render hashing worthless…

  • CSCI 4623: Intro to Digital Forensics 130 © 2004-6 by Golden G. Richard III

    Hashing: Concerns (3)

    Will criminals bother to change a bit in an image file to defeat hashing?
    Suspicion: Maybe.
    But a criminal with enough technical literacy to understand that changing a single bit defeats hashing will take far stronger measures, because she understands the danger of having the computer captured
    Defeating hashing doesn’t end the matter—powerful thumbnail viewers can still allow an investigator to target ‘contraband’ images
    And we hope that we can come up with more powerful techniques than looking at miniaturized images…
    Suspicion: Hashing isn’t dead and measures other than hacking bits, such as strong encryption, are much more likely to make our lives difficult

  • CSCI 4623: Intro to Digital Forensics 131 © 2004-6 by Golden G. Richard III

    Hashing: Concerns (4)

    (2) For hashing entire drives to show that evidence has not been fabricated…
    – Concern that evidence might be altered to persecute an innocent party and hashes used to prevent detection of the alterations
    – Why?
    – Hashes primarily used in this context to show that evidence is genuine
    – If an investigator can hash a drive yielding hash H1…
    – …change contents of the drive to introduce evidence…
    – …then modify other portions of the drive (e.g., slack space) to force hashing of modified drive to yield H1…
    Easier to do with simple checks like checksums or CRCs
    These mechanisms are primarily to guard against accidental errors (e.g., transmission errors on a serial line)
    MD5, SHA-1 and other cryptographic hash functions are more complex…very difficult to deliberately (or accidentally!) generate useful collisions

  • CSCI 4623: Intro to Digital Forensics 132 © 2004-6 by Golden G. Richard III

    Hashing: More Details

    Hash functions operate on blocks of data to yield an n bit output
    128 bits of output for MD5, 160 bits for SHA-1
    Requirements for a hash function H (from Stallings, Cryptography and Network Security, 3e):
    – H can be applied to data of any length
    – H produces a fixed-length output
    – H(x) is relatively easy to compute for any given x; that is, both software and hardware implementations are feasible
    – For a given hash value h, it is computationally infeasible to find x such that H(x)=h
    – For any given data x, it is computationally infeasible to find y ≠ x such that H(y)=H(x) [weak collision avoidance]
    – It is computationally infeasible to find any pair (x, y) such that H(x) = H(y) [strong collision avoidance]
    NON-trivial to create useful hash functions

  • CSCI 4623: Intro to Digital Forensics 133 © 2004-6 by Golden G. Richard III

    Hashing: A Goofy Attempt

    For an n-bit hash function, why not process input in n bit blocks, xor-ing each block to obtain the hash value?

  • CSCI 4623: Intro to Digital Forensics 134 © 2004-6 by Golden G. Richard III

    Goofy (2)

    Doesn’t work well (at all)
    Given h=H(x), where H is the xor-ing hash function described previously, can force a collision for data y by appending an n bit block that forces the xor operation to yield h:
    – e.g., can force h=H(x) = H(y . block)

    Good hash functions will generate significantly different hash values if even a single bit in the input changes
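    The "goofy" XOR hash and the appended-block collision from the two slides above, with the avalanche comparison against MD5 that the last bullet describes. Added example, not code from the slides; it uses n-byte rather than n-bit blocks for simplicity (N is an assumption), and all inputs are constructed.

```python
import hashlib

N = 4  # block size in bytes (the slides say "n bits"; bytes keep the demo simple)

def xor_hash(data: bytes, n: int = N) -> bytes:
    """The 'goofy' hash: XOR the input together in n-byte blocks (last block zero-padded)."""
    acc = bytearray(n)
    for off in range(0, len(data), n):
        block = data[off:off + n].ljust(n, b"\x00")
        for i in range(n):
            acc[i] ^= block[i]
    return bytes(acc)

def forge_collision(x: bytes, y: bytes, n: int = N) -> bytes:
    """Return y' = y . block such that xor_hash(y') == xor_hash(x).

    XOR is its own inverse, so H(y . block) = H(y) XOR block and the
    needed block is simply H(y) XOR H(x). Zero-padding y to a block
    boundary first leaves H(y) unchanged and keeps the appended block
    in a slot of its own."""
    if len(y) % n:
        y = y.ljust(len(y) + n - len(y) % n, b"\x00")
    block = bytes(a ^ b for a, b in zip(xor_hash(y, n), xor_hash(x, n)))
    return y + block

def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length digests."""
    return sum(bin(p ^ q).count("1") for p, q in zip(a, b))

def one_bit_effect(data: bytes) -> tuple:
    """Digest bits that change when one input bit flips: (xor hash, MD5)."""
    tweaked = bytearray(data)
    tweaked[0] ^= 0x01
    tweaked = bytes(tweaked)
    return (hamming(xor_hash(data), xor_hash(tweaked)),
            hamming(hashlib.md5(data).digest(), hashlib.md5(tweaked).digest()))

if __name__ == "__main__":
    x = b"document A (constructed)"
    y = b"document B, longer than A (constructed)"
    forged = forge_collision(x, y)
    print("forced collision:", xor_hash(forged) == xor_hash(x), xor_hash(forged).hex())
    print("bits changed by a 1-bit edit (xor hash, MD5):", one_bit_effect(x))
```

    The XOR hash changes exactly one output bit for a one-bit input change, while MD5 changes roughly half of its 128 bits; that difference is what the "significantly different hash values" requirement means in practice.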

  • CSCI 4623: Intro to Digital Forensics 135 © 2004-6 by Golden G. Richard III

    MD5 (Some) Details

    Start with b bits of input
    Pad input so that length is 64 bits short of being a multiple of 512
    A 64 bit integer representing b is appended to the input (that is, length before padding is attached to end of padded input)
    Now input’s length is a multiple of 512
    4 rounds of computation for each 512 bit block of the input
    – 128 bit hash value broken into (4) 32 bit words (A, B, C, D)
    – A, B, C, D statically initialized before first round
    – Each round processes A, B, C, D with current 512 bit input and a different logic function (F, G, H, I in the diagrams) + a T function based on sin()
    – 16 operations per round
    Non-intuitive

  • CSCI 4623: Intro to Digital Forensics 136 © 2004-6 by Golden G. Richard III

    MD5

  • CSCI 4623: Intro to Digital Forensics 137 © 2004-6 by Golden G. Richard III

    MD5

    [Diagram callout: working value for the hash]

  • CSCI 4623: Intro to Digital Forensics 138 © 2004-6 by Golden G. Richard III

    SHA-1

    “Secure Hash Algorithm”
    Developed by NIST and NSA ~ 1993
    SHA-1 ~ 1994, result of unpublished weakness discovered in SHA
    Input less than 2 ** 64 bits, 160 bit hash
    Used in DSS (Digital Signature Standard)

  • CSCI 4623: Intro to Digital Forensics 139 © 2004-6 by Golden G. Richard III

    SHA-1 “Broken”

    Details are sketchy as this is written…
    The full paper describing the attack hasn’t been released
    Punchline: in 2 ** 69 steps rather than 2 ** 80 steps (brute force), can find 2 messages M1, M2 such that:
    – sha1(M1) == sha1(M2)

    Not yet important for digital forensics, but the major concern is that this is a first step toward much more serious weakening of SHA-1

  • CSCI 4623: Intro to Digital Forensics 140 © 2004-6 by Golden G. Richard III

    Aside: SHA-1 “Broken”

    Not clear that DSS is damaged by current SHA-1 “crack” (yet)

    See: http://www.itl.nist.gov/fipspubs/fip186.htm

  • CSCI 4623: Intro to Digital Forensics 141 © 2004-6 by Golden G. Richard III

    Privacy: Some Options

    Don’t use computers
    Never store or transmit private information
    Active discovery and purging of sensitive data
    – Difficult to do properly and thoroughly

    Anti-forensics tools
    Use volatile computing
    Careful use of encryption for sensitive files
    Steganography
    Encrypted Filesystems
    Steganographic Filesystems

  • CSCI 4623: Intro to Digital Forensics 142 © 2004-6 by Golden G. Richard III

    Privacy: Why?

    Possibility: You don’t want your personal information disclosed
    Possibility: You don’t have any stored personal information
    Agents that may want info to be disclosed:
    – Court may order information to be turned over
      • e.g., in pre-trial “discovery” phase, where parties examine evidence held by other to discover strength of the case for and against
      • Failure to provide info in intelligible form may result in contempt of court (jail)
    – Government agencies (e.g., FBI)
    – Organized crime

  • CSCI 4623: Intro to Digital Forensics 143 © 2004-6 by Golden G. Richard III

    Why?

    – UK: Customs may scan laptops for illegal materials (example: pornography) without probable cause requirement

    • Such searches might reveal private information which while not illegal, an individual might want to remain private

    – Soldiers might be captured and tortured into revealing cryptographic keys protecting a PDA

    – …

  • CSCI 4623: Intro to Digital Forensics 144 © 2004-6 by Golden G. Richard III

    Why?

    Legal protection against forced disclosure of encryption keys is shaky at best, even when memorized
    When violence is involved, even worse
    Solution: Make it obvious that the material isn’t available at all
    “I don’t own a computer”
    “My computer doesn’t have a hard drive”
    Plausible deniability

  • CSCI 4623: Intro to Digital Forensics 145 © 2004-6 by Golden G. Richard III

    Privacy: Checklist

    (Many from Computer Forensics and Privacy, Caloyannides)
    Physically disable builtin microphone by inserting a cut-off plug into the external microphone jack
    Use fresh hard drives. Avoid purchasing used drives unless you personally sanitize them before use
    Don’t use the Windows recycle bin
    Install a secure file deletion utility
    Consider turning off browser history functions
    Disable “cookies”
    Ensure that messenger programs do not log chat sessions unless you absolutely need them to
    – Modern versions of Messenger prompt when installed
    Consider volatile computing for access to the Internet
    Buy a lot of physical memory and disable virtual memory. This eliminates the swap file, which is a massive privacy hole
    – Careful: Then vmware won’t work…
    – CAREFUL ABOUT TURNING SWAPPING BACK ON!!!

  • CSCI 4623: Intro to Digital Forensics 146 © 2004-6 by Golden G. Richard III

    Privacy: Checklist (2)

    In XP, ClearPageFileAtShutdown registry key can be set to force overwriting the swapfile on shutdown
    Know the exact location of the temp directories used by your web browser and download utilities
    – Subject these to secure deletion
    Use steganographic tools to hide extremely sensitive documents within other ‘benign’ documents
    – Example: jphide, jpseek
    – (Different from stego filesystems)
    Then, use steganographic detection tools to ensure that you haven’t embedded enough data to trigger statistical detection methods
    – Example: stegdetect
    Believe that system crashes during important operations are a disaster
    – Check temp directories and securely eliminate temporary files

  • CSCI 4623: Intro to Digital Forensics 147 © 2004-6 by Golden G. Richard III

    Privacy: Checklist (3)

    If a sensitive computer must be repaired, remove the hard drive
    Use strong encryption tools liberally
    Protect backups and removable media in the same way that you protect the computer and its internal storage
    Use a powerful digital forensics software package (such as FTK) to test the effectiveness of your privacy efforts

  • CSCI 4623: Intro to Digital Forensics 148 © 2004-6 by Golden G. Richard III

    Anti-forensics Tools

    Many privacy-enhancing, anti-forensics tools available
    – Secure file deletion
    – Registry cleaners
    – Slack/free space scrubbing
    Many have significant problems
    For a good survey:

    “Evaluating Commercial Counter-Forensic Tools” by Matthew Geiger (Carnegie Mellon University), 5th Annual Digital Forensic Research Workshop (DFRWS 2005), New Orleans, 2005.

  • CSCI 4623: Intro to Digital Forensics 149 © 2004-6 by Golden G. Richard III

    Privacy: Volatile Computing

    Idea: No use of non-volatile storage, turn off machine to destroy all volatile data
    MS-DOS on floppies
    – e.g., use “Lynx” web browser

    Bootable CD Linux distributions
    – F.I.R.E.
    – Damn Small Linux (50MB)
    – Knoppix
    – Helix

  • CSCI 4623: Intro to Digital Forensics 150 © 2004-6 by Golden G. Richard III

    Damn Small Linux

  • CSCI 4623: Intro to Digital Forensics 151 © 2004-6 by Golden G. Richard III

    Steganographic Filesystems

    Steganographic filesystems
    Goal: plausible deniability
    When an agent forces a person to reveal the key protecting a filesystem, reveal a key that exposes enough data that suspicion is averted
    Other hidden data cannot be exposed
    Want: impossible to even detect that other encrypted data is present, given the revelation of some hidden stuff
    StegFS: Hack of ext2 Linux filesystem
    Described in “StegFS: A Steganographic Filesystem for Linux” (McDonald et al)

  • CSCI 4623: Intro to Digital Forensics 152 © 2004-6 by Golden G. Richard III

    StegFS: Basics

    Steganographic in the sense that blocks of hidden files are scattered about a partition that also contains blocks of non-hidden files
    Supports multiple security layers so that some “incriminating” evidence can be revealed
    Has some advanced security features: deleting hidden (or non-hidden) files results in destruction of the file contents
    Scenario:
    – “Ah hah! You’ve installed StegFS! Reveal the filesystem contents to us!”
    – “I installed StegFS because of the advanced security features, such as secure deletion of files. I only used one security level.”
    – Investigator is satisfied?

  • CSCI 4623: Intro to Digital Forensics 153 © 2004-6 by Golden G. Richard III

    StegFS: Some Details

    Block allocation table in a typical filesystem contains one bit per block (block is used or not)
    Block allocation table in StegFS contains a 128 bit entry per block
    Table is stored in a normal, non-hidden file
    Each entry encrypted with same key that protects the corresponding data block
    Table entries which are unused contain random data, so impossible to tell if particular blocks are in-use
    Entry contains a 32bit checksum which can be used to see if the block contents were destroyed by a regular ext2 access
    Entry also contains the inode # for the corresponding hidden file
    Finally, magic numbers which indicate whether block contains inode data or is a data block

  • CSCI 4623: Intro to Digital Forensics 154 © 2004-6 by Golden G. Richard III

    StegFS: Details (2)

    Multiple, redundant blocks allocated for each block of a hidden file and for the inode to improve chances that data won’t be lost
    Must always use checksum when reading a block of a hidden file
    When a security level is “open”, no danger of destroying data blocks of files at that level
    When closed, blocks of hidden files might be overwritten

  • CSCI 4623: Intro to Digital Forensics 155 © 2004-6 by Golden G. Richard III

    StegFS: Details (3)

    inodes in StegFS look like regular Unix inodes, except they contain block numbers for all replicas of a file’s contents
    No inode table
    Instead, given a 32bit inode number, search block table for a matching inode

  • CSCI 4623: Intro to Digital Forensics 156 © 2004-6 by Golden G. Richard III

    StegFS: Last Details

    mkstegfs initializes block table
    Block table also stores 15 encryption keys, one for each level
    stegfsopen command opens a security level, prompts for passphrase
    Once open, hidden files are revealed in /stegfs/1, /stegfs/2, etc.

  • CSCI 4623: Intro to Digital Forensics 157 © 2004-6 by Golden G. Richard III

    Encrypted Filesystems

    Differences between encrypted and steganographic
    – No file loss in encrypted filesystems as in steganographic filesystems
    – Potentially less performance penalty
    – Plausible deniability is lost, but data is safe
    – Some stigma attached, since law enforcement (or you, if you’re doing the investigation!) will almost certainly look more closely when encryption is detected

  • CSCI 4623: Intro to Digital Forensics 158 © 2004-6 by Golden G. Richard III

    Encrypted Filesystems: Linux

    Encryption via loopback device
    – Available in modern kernels

    EncFS
    – http://freshmeat.net/projects/encfs/
    – Actively being developed

    CFS
    – http://www.crypto.com/papers/cfs.pdf
    – Aging, in need of rewrite, but you might see it in the field

    TCFS
    – http://www.tcfs.it/
    – 2.2 kernel, not updated in some time (~2002?)


  • CSCI 4623: Intro to Digital Forensics 159 © 2004-6 by Golden G. Richard III

    Encrypted Filesystems: Win

    Windows
    – Some commercial solutions + native support in Win2K/WinXP for encrypted directories
    – Can encrypt individual directories and/or files
    – If directory isn’t encrypted, then on modification file becomes unencrypted
    – Administrator account is typically a backdoor, since Microsoft fears that otherwise users might permanently lose files (for Win2000)
    – XP: Must designate a recovery agent, none by default, so more secure

  • END OF SLIDE SET # 2
