Performing Forensic Analysis and Techniques
Activity 13.1 Create a Disk Image
In this exercise I will go over how to use the Linux dd tool to create a disk image and then verify the image's integrity.
- First, I will start my Kali Linux VM (although any Linux distro can be used).
- Next, attach a USB flash drive to the VM. In VirtualBox, flash drives can be attached by clicking the small USB icon and selecting the drive you would like to mount.
- If you have issues mounting the USB drive, you may need to install the VirtualBox Guest Additions first: https://www.virtualbox.org/manual/ch04.html
- Once the USB drive is mounted, it should appear on the desktop or in the filesystem. Verify that the expected files are contained inside the USB drive.
- Next, make a directory to hold the copy of your disk image. I have created a directory called tmp in my home directory.
mkdir ~/tmp
- Next we will create an MD5 checksum of the USB drive before creating the image. This checksum will be used to validate the integrity of the drive. I will create an MD5 checksum file called "…original.md5". Here is the command I used. Note: you may need to elevate your privileges in order to run this command. Let the command run, as it could take some time to generate.
- Let's check the MD5 that was generated.
- Now I will clone the USB drive. Here is the command:
dd if=/dev/disk/by-label/CYSA of=~/tmp/excercise7_1_disk.img bs=64k
Breaking down each part of the command:
if=/dev/disk/by-label/CYSA
- Sets the input file by drive label name
of=~/tmp/excercise7_1_disk.img
- Sets the path of the output file
bs=64k
- Sets the block size of the copy. If you know the block size of the drive, setting it here will result in a performance increase.
- Wait until the command completes. There is no progress bar, but once the command completes, the following output will appear.
- Now I will create an MD5 checksum of the clone.
- Last, I will compare the MD5 checksums of the clone and the original in order to verify the integrity of the forensic copy.
more excercise7_1_clone.md5
more excercise7_1_original.md5
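As an added example (not part of the original write-up), the Python script below does the same job as the dd and md5sum steps above in one pass: it copies the source in 64 KiB blocks, hashes the source bytes as they are read, re-hashes the finished image, writes both digests to sidecar .md5 files and compares them. The device path /dev/disk/by-label/CYSA and the image path are assumptions taken from this exercise.

```python
import hashlib
import os

# Added example, not from the original write-up. Device and image paths below
# are assumptions taken from the exercise.

def md5_of_file(path, bs=64 * 1024):
    """MD5 of a file or raw block device, read in bs-sized chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bs), b""):
            h.update(chunk)
    return h.hexdigest()


def image_and_verify(src, img, bs=64 * 1024):
    """Copy src to img block by block (the dd bs=64k step), hashing the source
    as it is read, then re-hash the written image. Both digests are stored in
    sidecar .md5 files next to the image. Returns (orig, clone, match)."""
    os.makedirs(os.path.dirname(os.path.abspath(img)), exist_ok=True)
    orig_hash = hashlib.md5()
    with open(src, "rb") as fin, open(img, "wb") as fout:
        for chunk in iter(lambda: fin.read(bs), b""):
            orig_hash.update(chunk)  # digest of the source bytes as read
            fout.write(chunk)
    orig = orig_hash.hexdigest()
    clone = md5_of_file(img, bs)  # independent second pass over the image
    stem = img[:-4] if img.endswith(".img") else img
    with open(stem + "_original.md5", "w") as f:
        f.write(f"{orig}  {src}\n")
    with open(stem + "_clone.md5", "w") as f:
        f.write(f"{clone}  {img}\n")
    return orig, clone, orig == clone


if __name__ == "__main__":
    # Needs root to read the raw device; paths match the exercise (assumed).
    o, c, ok = image_and_verify("/dev/disk/by-label/CYSA",
                                os.path.expanduser("~/tmp/excercise7_1_disk.img"))
    print("OK" if ok else "MISMATCH", o, c)
```

Run it as root; a MISMATCH means the image must not be used as evidence and the imaging should be repeated.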
Activity 13.2 Conduct the NIST Rhino Hunt
In this exercise we will go on the great NIST Rhino Hunt. NIST provides numerous practice forensic images that can be downloaded to hone your skills.
- First we will download SIFT, a forensics toolkit VM by the SANS Institute. According to SANS, "The SIFT Workstation is a group of free open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings." After creating a free community membership on the SANS site, SIFT can be downloaded as an OVA appliance from: https://digital-forensics.sans.org/community/downloads
- Once downloaded, the appliance can be imported into VirtualBox with File > Import Appliance.
- Start the VM. Log in with the password forensics. You should be greeted with a screen similar to this:
- From within this VM, we will download and extract the NIST Rhino Hunt disk image. It can easily be downloaded from:
wget http://www.cfreds.nist.gov/dfrws/DFRWS2005-RODEO.zip
- Navigate to the disk image's directory in the terminal and mount the Rhino USB image. Mounting the image read-only (mount -o ro,loop) keeps the evidence file unchanged while you browse it.
sudo mount RHINOUSB.dd /mnt/usb
- Navigate to the mounted folder to view the pictures. Note there are only two files in this directory. What has been deleted?
ls /mnt/usb
- Let's recover the deleted files. Create a directory for the output:
mkdir output
- Run the foremost utility against the RHINOUSB image. foremost automatically recovers (carves) files based on their headers, footers and internal structure, ignoring the filesystem's own records of which files are live. If you see the processing output below, the utility has been successful.
foremost -o output/ RHINOUSB.dd
- Navigate to the output folder and open the new document recovered from the USB image.
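To show what foremost is doing under the hood, here is an added example (not part of the original write-up and not foremost's own code): a minimal header/footer carver run over a constructed image that contains one live GIF and one "deleted" JPEG whose bytes are still on disk. The signatures are the standard JPEG, GIF and PNG magic bytes; the sample image is built inline and is not the NIST RHINOUSB.dd image.

```python
import os

# Added example, not from the original write-up: a minimal foremost-style
# header/footer carver. Signatures are standard JPEG/GIF/PNG magic bytes; the
# sample image is constructed inline and is not the NIST RHINOUSB.dd image.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("gif", b"GIF89a", b"\x00\x3b"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]

def carve(data, max_len=10 * 1024 * 1024):
    """Return [(ext, offset, payload)] for every header/footer pair found.
    The filesystem is ignored entirely, so a deleted file whose blocks have
    not been reused is recovered exactly like a live one."""
    found = []
    for ext, header, footer in SIGNATURES:
        pos = data.find(header)
        while pos != -1:
            end = data.find(footer, pos + len(header), pos + max_len)
            if end == -1:            # header without a footer in range: skip it
                pos = data.find(header, pos + 1)
                continue
            found.append((ext, pos, data[pos:end + len(footer)]))
            pos = data.find(header, end + len(footer))
    return sorted(found, key=lambda t: t[1])

def carve_image(image_path, out_dir):
    """Write carved files to out_dir, named by offset like foremost -o output/."""
    os.makedirs(out_dir, exist_ok=True)
    with open(image_path, "rb") as f:
        data = f.read()
    names = []
    for ext, off, payload in carve(data):
        name = os.path.join(out_dir, f"{off:08d}.{ext}")
        with open(name, "wb") as out:
            out.write(payload)
        names.append(name)
    return names

def build_sample_image():
    """Constructed image: zeroed boot area, a live GIF, filler, then a JPEG
    whose directory entry is 'gone' but whose bytes are still on disk."""
    gif = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x80" * 13 + b"\x00\x3b"
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + bytes(range(50)) + b"\xff\xd9"
    return b"\x00" * 512 + gif + b"A" * 300 + jpg + b"\x00" * 128
```

Unlike foremost, this toy carver reads the whole image into memory and has no size limits per format, so it is for understanding the technique rather than for real evidence.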
Glossary
A glossary of all the terms, acronyms and slang I run across for this chapter.
| Term | Definition |
| --- | --- |
| Forensic Toolkit Components | Digital forensics workstation, forensic investigation software, write blockers, drive duplicators, wiped drives, cables, camera, labels, notebooks, chain of custody forms |
| Common Forensic Software | FTK, EnCase, CAINE, Autopsy, SIFT, DumpIt, Memoryze, dd, WinDbg |
| Slack Space | Space left over when a file is written; can contain fragments of previous files or hidden files |
| File Carving | Tools that look at data on a block-by-block basis and attempt to recover files from their headers and footers rather than from the filesystem |
| Legal hold | States that information must be retained for a legal case |
| Hashing | Used to validate that drive data has not changed |
| Binary | Any executable file, i.e. a non-text file |
| Volatility | Open source memory forensics tool |
| Advanced Office Password Recovery | Utility for recovering passwords |
| Order of volatility | Refers to how easily data is lost. The order of volatility is 1. CPU cache, registers, running processes, RAM 2. Network traffic 3. Disk drives 4. Backups, printouts, optical media |
| Windows Registry | Provides info about files and services, locations of deleted files, evidence of applications being run |
| Autorun Keys | List programs set to run at startup |
| MFT | Master File Table; details of inactive and removed records |
| Event logs | Logins, service start/stop, evidence of applications being run |
| INDX files and change logs | Evidence of deleted files, MAC timestamps |
| Volume Shadow Copies | Point-in-time info from prior actions |
| User Directories and files | Logged-in user artifacts |
| Hibernation Files or Memory Dumps | Memory artifacts of commands run |
| Temp Directories | Artifacts of software installation, user temp file storage, limited-lifespan data |
| dd | Linux utility used to clone drives in RAW format |
| Write blocker | Attached to a drive to prevent forensic software from writing to it and ruining drive integrity |
| USB Historian | Tracks the history of USB drives connected to a system |
| md5sum | Hash utility used to determine whether a drive image is forensically sound |
| FTK | Full-featured forensics suite |
| WinDbg | Tool used to review Windows memory dumps |