Archive

Posts Tagged ‘forensics’

One attempt at copier forensics

August 7, 2010 5 comments

In April of 2010, CBS News kicked off a bit of a firestorm with an article about the lack of security in digital copiers. Like too many mainstream news articles about security, this one was a bit sensationalistic and lacked a broad perspective. Yes, there certainly are some copiers out there that keep unencrypted digital copies of scanned documents but based on my own experience and the experiences of other forensic examiners, there are a lot of secure copiers out there as well.

A high level view of my experience with one Ricoh copier follows. This is one copier that is not susceptible to accidental information leakage and that would require tools beyond those available to a normal forensic examiner to crack.

I was able to determine that:

  1. The copier uses two hard drives that have an identical 193 byte boot (?) sector and are superficially close but not identical after that. They contain large sections of null bytes.
  2. The copier uses two operating systems, one a BSD derivative and one a proprietary OS using a proprietary file system.
  3. The processor is a MIPS processor that is bi-endian, capable of operating in little or big endian mode.

I imaged both drives. None of the following tools will recognized a file system, RAID, or any artifacts in the images:

- X-Ways
- FTK 3
- EnCase 6.15
- UFS Explorer
- RAID Reconstructor
- strings

To restate – running strings over the images produces no recognizable strings, none of the file carving tools locate any artifacts, and indexing produced no results.

To account for the bi-endian nature of the CPU, I swapped the bytes in both images with dd (‘swab’ option) and applied all the tools to the byte swapped images with the same negative results.

I looked at the images with a hex editor and found the 193 byte start to the drives along with the similar but not identical structure after that.

I don’t believe the drives were encrypted per se but it seems likely that they contain a proprietary file system.

I have output from the copier’s printer configuration utility that shows BSD style daemons and logging.

A Ricoh engineer who works in an area other than copiers confirmed that the copier does use two operating systems, and that one of them is proprietary and very tightly guarded.

analyzeMFT – a Python tool to deconstruct the Windows NTFS $MFT file

January 20, 2010 Leave a comment

Three elements combined last week to inspire me to write a tool to deconstruct the Windows NTFS $MFT file:

  1. I’ve been wanting to learn Python for quite awhile. (I found a “Learning Python” book on my shelf published in 1999.
  2. Mark Menz’s MFT Ripper started me wondering about the significance of the MFT sequence number.
  3. I’d been trying to get through the SANS 508.1 book but couldn’t bear to read about NTFS structures yet again.
  4. I wanted to start building a framework for doing more detailed timeline analysis.

So, last week I sat down and wrote analyzeMFT.py.  Please keep in mind that this is a novice Python programmer’s code and is definitely a work in progress. A simple project page and a link to the source can be found here.

If you have any comments, suggestions, or improvements, please do let me know. I’d like to keep building on this and making it as useful as possible.

Categories: Software Tools Tags: , , ,

Using Python to parse and present Windows 64 bit timestamps

January 16, 2010 1 comment

I’m working on learning Python since Perl, even after 20 years, still doesn’t stick in my head. The phrase “like a duck to water” doesn’t quite apply to my experience with Python, but I’m certainly swimming along nicely.

Since I learn languages and tools more effectively when I have a real problem to work on, I set out to parse the NTFS MFT record using Python. This was going swimmingly until I hit the file MAC times. According to Microsoft:

“A file time is a 64-bit value that represents the number of 100-nanosecond intervals that have elapsed since 12:00 A.M. January 1, 1601 Coordinated Universal Time (UTC).”

So, two problems: 1) It is a 64 bit value and python only has 32 bit longs and b) it doesn’t use the Unix definition of epoch.

After a lot of false starts, I learned the power of dictionaries and classes and came up with the following:

from datetime import date, datetime
class WindowsTime:
    def __init__(self, low, high):
        self.low = long(low)
        self.high = long(high)
        self.unixtime = self.GetUnixTime()
        self.utc = datetime.utcfromtimestamp(self.unixtime)
        self.utcstr = self.utc.strftime("%Y/%m/%d %H:%M:%S.%f")
# Windows NT time is specified as the number of 100 nanosecond intervals since January 1, 1601. 
# UNIX time is specified as the number of seconds since January 1, 1970. 
# There are 134,774 days (or 11,644,473,600 seconds) between these dates.
    def GetUnixTime(self):
        t=float(self.high)*2**32 + self.low
        return (t*1e-7 - 11644473600)

I have a module that defines a dictionary and parses chunks of data read from the MFT:

# Decodes the Standard Information attribute in a MFT record
def decodeSIrecord(s):

 d = {}
 d['crtime'] = WindowsTime(struct.unpack("<L",s[:4])[0],
                           struct.unpack("<L",s[4:8])[0])
 ...

Then just do:

SIobject = decodeSIrecord(data)

And you can print the times out directly from the dictionary:

print "CRTime: %s" % (SIobject['crtime'].utcstr)

This isn’t rocket science, and there’s probabaly a better way to do it, but if you’re trying to use Python to work with Windows filesystems and metadata, this could come in handy.

ACPO, triage tools, and the LE computer forensics backlog

November 24, 2009 3 comments

An article on PoliceProfessional.Com (original article has vanished and been replaced with new content) contains the following statement:

“ACPO is currently working on a new software tool that will allow forensic officers to operate locally and uncover information almost instantaneously. “What we’re very keen on doing is looking for a forensic triage tool that police officers or forensic officers can use locally. One that is quite simple, one they can ask questions of, such as, ‘in this computer is there the following…?’,” said Ms Williams. “The triage tool can pull that out for them.” She said the current backlog is one of e-crime’s biggest problems and that ACPO is close to identifying the right product to handle it.”

[Note: I've been told that the ACPO is looking to the vendor community for this solution. Rereading this quote, I suspect I should focus less on "working on new software" and focus more on "identifying the right product". I'll leave the post as originally written but will insert commentary.]

The apparent expectation that a tool will significantly address the backlog is rather disturbing for three reasons:

1)  The tool will not provide context. It may indicate the presence of an encrypted file container on the system but cannot determine its contents. Or that file sharing is present, but not what it was used for. Or that seven different chat programs are in use, but not the information going through them. As several people have pointed out, these PBF tools will get the low hanging fruit and gather disparate facts but cannot put do any analysis to show relationships, or lack thereof. Further, we’ll need to err on the conservative side and may well end up with a lot of false positives.

2) Technology, and the criminal’s use of technology, advances rapidly, often more rapidly than the tools. This is why DriveProphet’s author is very willing to add new capabilities as issues are reported to him. It is why Digital Detective Group’s Blade product has plug in modules that they can develop and release as new capability is required. Keeping a triage tool current requires ongoing investment by the developer and ongoing training for the users. A one time investment in the technology and training will quickly lead to a situation where the triage tool is missing relevant information. [Note: ACPO's looking to a vendor solution should address the support issue. Keep in mind maintenance costs when investing in a tool. Some vendors charge upwards of 20% of the initial investment each year for maintenance.]

3) I’ve not seen any well researched study on the LE computer forensics backlog that we can use to determine where resources should be spent. The ACPO and others believe that the the backlog is in the triage stage. This appears to be valid, particularly for getting evidence back to the owners, but I suspect that “fixing” the triage stage will simply move the backlog further downstream, even more so if the number of false positives is high.

I also wonder why the ACPO is working on a new tool rather than working with a vendor of an existing tool to tune it to their particular needs. A number of good, well supported, triage tools already exist – Drive Phrophet, Blade, EnCase Portable, e-fense’s suite (now Access Data’s?), to name a few. The ACPO money might be better spent creating a fund to provide training on these existing tools rather than bringing another tool to an already crowded market. [Note: This point is moot given the feedback I received, noted above.]

Triage is an incredibly valuable process, particularly in time critical situations where limited resources are available. Triage, in the medical environment, is performed by trained specialists using diagnostic tools. Computer forensics triage tools often are designed to be used by anyone with minimal training. Witness the Microsoft press release about COFFE – “According to a Microsoft spokesperson ‘an officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device.’” I believe there is value in this sort of tool when used as part of a well designed forensics process. I fear that, due to vendor marketing, budget issues, and backlog pressures, these tools will be deployed without the necessary framework to properly support them.

Allow me to close with some questions:

  1. Why is the ACPO creating a new tool rather than using an existing one? [Note: Addressed by feedback, noted above.]
  2. Who will use these triage tools and how much training will they get? If they’re designed for lab use to address the backlog will they stay in the lab? Can they safely be deployed earlier in the process?
  3. Are there any well documented studies on the LE computer forensics backlog?
  4. What other options are available for addressing the backlog? Anyone who knows me also knows that I’m very interested in finding ways for the private sector to assist LE with computer forensics and this would be one option.

Push button forensics – managing the downsides

November 19, 2009 2 comments

My post about the value of push button forensics produced a number of interesting comments for which I am quite thankful. A common thread in many of the remarks was that someone needs to understand the the science, logic, and art behind the PBF tools. I absolutely agree. Anyone depending on a technician and a tool alone is doing a disservice to their clients, and will likely fail spectacularly in court.

As one reader put it:

“I think the point that is being missed is this – at the end of the day the goal is to produce admissible evidence. The fact remains that our system generally looks to an expert to introduce digital evidence into court. “

Harlan made a similar comment, and really got to the heart of the matter:

“The fact is that the questions being asked by customers…was data exfiltrated, did the malware make data exfiltration possible, etc…cannot be answered by a $50/hr “analyst” with a dongle. This approach will work for low hanging fruit, but even a relatively unsophisticated compromise will be improperly and incompletely investigated in this sort of environment.”

A $50/hour analyst with a PBF dongle should not testify in court and their findings alone should not be presented to a client as they lack context and perspective. Their results are only pieces of the larger construct, a construct that should be built and signed off on by people with significantly more experience. A senior examiner can guide a team of less experienced staff using a wide variety of tools, interpret and combine the results into a well constructed report, and sign off on the team’s work product.

Law firms and private investigation firms are but two of many examples of organizations that employ associates to perform many of the simpler tasks involved in preparing cases. Doing so distributes the workload, frees senior staff up for more complex tasks, provides associates with opportunities to learn on the job under the supervision of senior staff, and ensures that work product is reviewed and approved by someone in the firm who is responsible for presenting the case to the court or to the client. The same can hold true in a computer forensics firm, lab, or department. In fact, any firm with more than a few examiners needs to operate in this manner simply for coordination and responsibility purposes. I’m just proposing that the same structure works well to mitigate the risks of using push button forensics.

We build everything from airplanes to software applications to roads out of component parts that are designed to accomplish a specific task but that, standing on their own, have little value. Organizations work in a similar manner, utilizing human components along with their associated skills and tools to streamline many processes and produce better results than one person standing alone could accomplish. Integrate PBF tools and less experienced people into your organization, manage them appropriately, validate the tools, review the results, and let the senior examiners do the heavy lifting with the complex problems, clients, and courts.

Also, I suspect if most people looked around their organization, they’ll see technicians using push button tools as part of the computer forensic process already. Do you have Voom Hard Copy II or a Talon or one of the other hardware imaging solutions? How many button presses does it take to image a drive, and who is usually pushing those buttons? Do you really believe that you’ll need to explain to a client or a court how the Talon creates an E01 image? Your report will say “Imaged the suspect’s drive with a Talon, serial number XXXXX. The hash values reported by the Talon were XXXX and they matched. The Talon was certified to be operating normally during our regular maintenance, conducted per our SOPs.” It is pretty likely that the imaging was performed by a technician, and as was the regularly scheduled testing.

Push button forensics tools are here to stay and they’re already in use in most of our organizations. There clearly are risks to using PBF and inexperienced examiners inappropriately but through sound business practices they can safely contribute to our projects and improve our efficiency in the process.

The value of push button forensics

November 17, 2009 7 comments

Access Data recently entered into a partnership with e-fense. In the announcement, they wrote: “Digital investigations are no longer the exclusive domain of highly trained experts.” I don’t think Access Data is wrong, and I think the forensics community needs to accept that “push button forensics” is here to stay. Further, I think it can be an important part of our future.

(Two notes: 1) For the purpose of this article, forensics and e-discovery are essentially interchangeable. 2) I’m using “technician” to describe someone with basic to moderate technical skills but lacking in deep forensics and/or e-discovery experience.)

“Push button forensics” (PBF) is often derided by computer forensics professionals. We rail against it, occasionally joke about it, and have even made “Find Evidence” buttons to stick on our keyboards. Certain facts suggest that we should embrace it, though perhaps while wearing PPE.

  1. Tool vendors have a vested interest in selling forensics and e-discovery tools that can be used by people without forensics experience and certifications. If you can make a tool that any technician, lawyer, or IT person can use in a legally defensible manner, you will expand your potential market considerably. We are no match for the combined weight of the marketing departments of the vendors whose tools we are using.
  2. Corporations, LE agencies, law firms, and other consumers of computer forensics services have a financial interest in acquiring tools that will perform complex forensics and e-discovery tasks and that can be used by technicians rather than by experts. The cost per hour of computer forensics services in the San Francisco Bay Area is around $250. There is a lot of appeal in buying a tool and using a $50 per hour in house technician if you can get the same results.
  3. The volume and complexity of digital evidence is growing, and growing faster than we can cope with it. LE agencies at all levels have significant computer forensics backlogs, made worse by current budget issues. Corporate legal departments and law firms are under pressure to sift through enormous volumes of data more quickly, and more efficiently, than ever before. The number of people available who can manually sort through the complex evidence isn’t keeping pace, and the explosion in new computer forensics certification and degree programs will not solve the problem any time soon.

In addition to the facts that suggest we need to accept PBF into our environments, I’d like to suggest that, properly integrated, it can be very good for us personally and for our businesses. Here’s one example:

I’ve quite enjoyed following the development of Harlan Carvey’s timeline analysis tools and procedures. I’ve learned a lot from working through his examples, and I’d strongly encourage others to do so. But, the process is currently far too time consuming to use on any project with any significant pressure. We will need more automation, more “push buttoness”, to effectively employ it. And once it is “push button” AND validated, why can’t I farm that part of the process out to a technician? In doing so, I will:

  • Acquire useful information in a more timely manner, speeding the investigation and saving the client money.
  • Distribute the workload among more junior staff, enhancing their ability to contribute and decreasing the bottleneck on senior resources.
  • Free up senior staff for tasks that truly require more experience and knowledge.

Put another way, from a consulting perspective, I can save my clients money, free up experienced people to work on more difficult problems, and safely incorporate people with less experience. The clients will be happy – better results for less money; the senior people will be happy – real challenges, less grunt work; and the junior people will be happy – more opportunity to gain experience.

Our forums are full of discussions about how to use an enormous number of tools, many of which automate and greatly simplify our processes.

  • Anyone proficient with EnCase, FTK, X-Ways, or Sleuthkit could replicate Drive Prophet’s results but it would take hours longer, and the chance of missing something is greater.
  • Similar point for web browser analysis – if there wasn’t a need to automate this, why do we have Mandiant Web Historian, Gaijin Historian, Cache Back, Pasco, Fox Analysis, NirSoft Mozilla History View, and Passcape History Viewer to name a few?
  • With Mount Image Pro, I can provide a forensically sound image to a reviewer to examine with tools they’re comfortable with – Outlook, Explorer, dtSearch – without any risk that they’ll modify the evidence. This can save me a lot of back and forth to produce directory listings, copies of the My Documents folder, and .pst files.

If we look back through the archives of out discussion forums we’ll see that we’ve been automating and simplifying computer forensics processes since the dawn of the profession. In doing so we’ve made the profession more accessible to new practitioners, more valuable to our clients, and more interesting to ourselves. This mimics developments in the rest of the computer industry, and in every aspect of our lives. We’ve got push button cooking, push button flying (auto-land capability), push button navigation, push button photography, …. Push button forensics is here to stay. Accepting the fact and incorporating it into our processes and companies seems wise.

Mind you, I say this with several important assumptions in mind:

  • The tools work as advertised, their behavior and results are well understood, and the process and results can be verified.
  • The tools are verified internally.
  • The use of the tools is supervised by experienced staff.

“Push Button Forensics” has a place in our business toolkits. Digital investigations are no longer the exclusive domain of highly trained experts. Validated PBF tools in the hands of properly trained and supervised technicians can be a very powerful combination for law enforcement agencies, law firms, corporations, and consulting firms.

I’d like to leave you with perhaps the most important point, one that is frequently overlooked or assumed – Finding the evidence is only a small part of the process. Tools can find keywords, put together a timeline, or show you the CP images. They cannot put any of that information in context. Interpreting the information, whether found manually or by PBF tools, still falls squarely in the pervue of a trained and experienced computer forensics investigator.

 

[Comments on this post also appear on Forensic Focus, LinkedIn’s DFA Group, and the CCE mailing list.]

Digital Media Collections Kit

November 13, 2009 3 comments

Digital Evidence Collection Kit

Overview

Collecting evidence accurately is clearly a foundational element for any ediscovery or forensics analysis project. The equipment required is important, but so are the supporting items – office supplies, forms, and documentation tools. – as well as the processes and procedures governing how they are applied. And if you cannot find the items, or get them to the destination, it doesn’t matter how great your tools are.

This kit, and the thoughts and processes behind it, attempts to address concerns I’ve encountered while doing collections all over the world. The novice investigator or experienced examiner can use this as a foundation for their own kit, or just find insight to fine tune their existing processes.

Bear in mind that, in addition to this kit, I carry a laptop backpack everywhere. The backpack has my primary laptop for note taking and Internet research with WiFi and a cellular modem, cell phone cables, spare USB thumb drives, food, reading materials, and other basic necessities of any computer forensics analyst.

Kit Contents

Collection Kit – items with serial numbers

The following table includes all the items that might be of interest to a customs agent. Everything on this list should accurately reflect the actual contents of the collection kit. It may seem odd to include the Brother labeler and the Targus external DVD-ROM drive, but I had these flagged by customs.

Item Description Serial Number Quantity Country of Origin Internal Name Unit Price ($USD)
Lenovo ThinkPad T-60 Laptop Computer 1 China CK-01 $1,000.00
Wiebetech Forensic UltraDock Write Block Hardware 5 pcs China UD-01 $1,000.00
Wiebetech ADAv4-18-TOSH Hard Drive Adapter USA
Wiebetech ADAv4-10 Hard Drive Adapter USA
Wiebetech ADAv4-25 Hard Drive Adapter USA
Wiebetech ADAv4-PCCARD Hard Drive Adapter USA
Nikon COOLPIX L18 Digital Camera 1 China - $100.00
Brother PT-80 Electronic Labeler 1 China - $30.00
Targus PADVD010U External DVD-Rom Drive 1 Indonesia - $140.00
Western Digital 1TB MyBook External hard drive 2 Thailand - $300.00
Western Digital 320MB Passport External hard drive 2 Thailand - $120.00
eSATA PCMCIA card PCMCIA interface card 1 Unknown - $80.00

Column descriptions:

Item – Name of the item, from the manufacturer’s label.
Description – Self descriptive
Serial Number – Self descriptive
Quantity – Self descriptive
Country of Origin – Self descriptive
Internal Name – Either a name or a bar code number. Used to keep contents of the kit in line with inventory sheet.
Unit Price – Replacement value, what it would cost if you looked it up on the Internet.

Collection Kit – items with without serial numbers

The following items lack serial numbers and generally are not of interest to customs though I’d still include all of these on the list I gave to customs. Customs issues aside, you still want to ensure that they are in the kit before heading out the door, of course.

Pelican Case Cables
Pelican 1510 LOC Complete set of UltraDock cables
Pelican 1515 case organizer Cross over cables (2x)
Pelican TSA lock Extra SATA and IDE cables
Electrical power strip
Office Supplies Network tap
Small magnifying glass
Small stapler w/ extra staples Tools
Small ruler Wiresnips
PostIt notes Set of precision screwdrivers
Index cards Flashlight
Ball point pen Needle nose pliers
Sharpie – extra fine point
Sharpie – fine point
Scissors Other
AA batteries Powered USB hub
Pill boxes 100Mb network hub
Media card reader – USB
Anti-static bags
Software Forensic evidence bags
USB Thumbdrive Case (6 slots) Cable ties – velcro
CD case Cable ties – plastic
Helix 1.9 – CD and USB
Helix 2 – CD and USB Spare hard drive jumpers
EnCase – CD and USB Printed copies of forms
General purpose 2GB stick Spare battery and media for camera.
Dongles
X-Ways dongle
EnCase dongle
MIP dongle
Paraben dongle

Explanation of items:

Pelican Case – This Pelican case will fit in the overhead compartment of domestic and international flights. The “LOC” designation means that it is designed to carry a laptop in the lid and clothes in an insert. Remove the insert and install the case organizer instead.

Office Supplies

  • PostIts – For labeling drives and systems temporarily.
  • Pillboxes – Hold screws from disassembled laptops. I had one laptop that required the removal of seven different sets of screws. The pillboxes kept them organized.
  • Sharpies – For labeling evidence and for filling in the notecards.
  • Notecards – The notecards get the following information on them:
    • Custodian
    • Date
    • System serial number

I then place the notecard for that system in each photograph taken of the system or its components. It allows me to sort a couple hundred photographs out later without too much difficulty.

Tools

  • The best precision screwdriver set I’ve found is the Boxer 40 Piece 4mm Precision Screwdriver set, model PK-30.
  • Wiresnips are for cutting cable ties.

Software

  • I include a bootable version of each tool on both CD and USB thumb drive. I can clone either one in the field and run an essentially limitless number of collections in parallel. We tend to think about the speed of individual imaging solutions and forget about parallelization of processes..
  • I maintain an SOP/Documents repository on my laptop and a Software Tools repository. The former contains forms, processes, articles, etc. The latter contains installers, source code, and stand alone apps for everything I need to build a new forensics analysis station. I periodically sync these repositories with the thumb drive in the collections kit as well as other systems.

Other notes:

  • The tools included will pass TSA scrutiny for carryon items based on the TSA website and personal experience.
  • You could bar code all the media before you go into the field. I often label mine when I wipe them, and set up a TrueCrypt volume up on them at the same time.
  • TrueCrypt volumes – I can ship the disks, hand them to customs, or flat out lose them without worrying about data being exposed. It can take hours to wipe and encrypt a drive so you really want to do a number of them in the lab rather than in the field. This is another reason not to assume you can get enough drives while you’re running around a foreign country, or even domestically. More than once I had multiple laptops running in my hotel room overnight doing the wipe/encrypt cycle with an alarm set to wake me so I could change drives out every few hours.
  • Each drive pair covers a single set of images. One is the primary, one is the backup. You can create both at the same time or use Robocopy to create the backup copy when you’re not imaging.
  • There’s not enough room in the kit for a dedicated hardware imager plus the bare drives it would require. The laptop isn’t quite as fast but it is more flexible, a useful characteristic when in the field. I do try to include a dedicated imaging solution in other luggage.
  • For long collection projects, I’ll carry a second case full of drives and/or ship drives to various locations. I’ve bought drives in the field, but it consumed a lot of shopping and prep time.
  • If you need to expand this kit for a larger project, all your office supplies are in this kit and other kits can hold more equipment – laptops, hardware imaging solutions, etc.
  • If multiple people are working on a project, each one gets a kit so they can split up if necessary without losing access to office supplies.
  • Whenever possible, I prepare collections forms in advance with the common information included – matter, custodian, address, etc. In addition to these forms, I include blank copies of all the common forms.
  • One copy of the inventory goes in the case, under the inserts. One goes in the case, on top of the inserts to give to Customs. One goes in my laptop bag.

Other items for consideration

There are a number of items missing from this kit that you might want to consider including. For example:

  • It doesn’t include anything for collecting cell phones.
  • It doesn’t contain a dedicated hardware imaging solution.
  • There are no packing materials – pre-printed FedEx labels, packing tape, evidence tape, etc.
  • Spares of many things.

Packaging

The entire kit fits into the Pelican 1510 LOC using the case organizer.

(Note: I bought mine through Amazon but this company will sell you all the pieces and will custom cut inserts for you as well – http://www.casesbypelican.com/app-1510.htm)

  • There aren’t quite enough dividers for my taste.
  • The power supplies for the write blocker and laptop go in the lid, side by side. I’m not certain that a Tableau power supply would fit.
  • Pack the stuff you really need on top.
  • I wish there was room for a clipboard with a forms storage compartment.
  • Put a business card under the organizer and another one elsewhere in the kit.
Digital Media Collections Kit

Digital Media Collections Kit

  • Laptop is in lid, left side.
  • Power supplies are in lid, right side.
  • UltraDock and adapters are in case, upper left.
  • Labeler and some cables are next to adapters.
Follow

Get every new post delivered to your Inbox.

Join 41 other followers