1. COEN 252 Computer Forensics
Data Analysis Techniques
for
Hard Drives

2. Data Analysis Techniques
Create forensic duplicate.
Protect original as best evidence.
Review image file (with tools).
Report.
Testify.

3. Data Analysis Techniques
Need collaboration between forensics investigators and case workers.

4. Data Analysis Techniques
Sources of Evidence
Existing Files
Deleted Files
Logs
Special system files (registry, cron)
archives, printer spools
Administrative settings

5. Data Analysis Techniques
File restoration techniques
FAT, NTFS
By hand with a hexeditor
Specialty tools like Norton undelete
Forensics software like encase, FTK
Mount drive on UNIX system and use UNIX tools (Fatback)

6. Data Analysis Techniques
Unix system
With a hex editor edit the link count in inodes, file will then be linked to Lost&Found
debugfs to relink a file to Lost&Found in ext2

7. Data Analysis Techniques
Deleted files are overwritten if
Drive is wiped (e.g. part of PGP suite)
New files are created on the partition
New software is installed on the partition
Applications running may update the partition

8. Data Analysis Techniques
Deleted files are overwritten if
The partition stores the %systemroot% directory and Windows modifies it for internal housekeeping.
If the partition contains the web browser cache
If the volume contains the TEMP directory

9. Data Analysis Techniques
Deleted files are overwritten
At system shutdown / startup

10. Data Analysis Techniques
Free, slack and unallocated space
Use a hex-editor 
Use a specialty tool that generates a file by appending all slack and free space
Use a forensics tool 
Free: Outside of a partition.
Slack: Allocated, but unused overhang in the last cluster of a file
Unallocated: Not assigned to a current file.

11. Data Analysis Techniques
First Task:
Generate database of all files
Full path.
MAC-dates & -times.
Logical size of file.
MD5 hash (to counteract evidence deterioration).

12. Data Analysis Techniques
Generate database of all files
Use MD5 hash to exclude well-known files from investigation.

13. Data Analysis Techniques
Prepare drive for string searches.
Forensics tools do this automatically.
Need to deal with proprietary formats.
Compressed files need to be uncompressed.
Encrypted files need to be unencrypted.

14. Data Analysis Techniques
Perform string searches
On UNIX, use grep.
Forensics tools preprocess forensic duplicates.

15. Data Analysis Techniques
Perform String Searches
The “How” is easier than the “What”.
Investigator and analyst need to work together:
“What are we looking for?”
“What information do we need?”

16. Data Analysis Techniques
Example:
The hard drive of a robbery suspect contains numerous references to his “little excursions”.
To tie the suspect to the computer, establish usage by suspect alone by:
Finding personal pictures (look for jpg).
Restore old s.
Restore chat sessions.

17. Data Analysis Techniques What to look for
Primary Source of Evidence.
in transit is protected by the EPCA and other statutes.
Checking after transition is treated similar to searches of files.

18. Data Analysis Techniques What to look for
Print Spooler Files.
Typically deleted right after printing.
Might not be overwritten.

19. Data Analysis Techniques What to look for
Web Cache Evidence
All web browsers cache.
Some delete files after session closes.
Ex.: United States v. Tucker:
The government introduced Internet conversations taken from Tucker's computer which showed that while he was looking for pictures he stated that he was into "young action" and would "like to start trading (3)27" and introduced a listing of Internet conversations documenting Tucker's trading of such images.
United States Court of Appeals, Eleventh Circuit.No

20. Data Analysis Techniques What to look for
Swap Files / Virtual Memory Files
Can be very large.
Use Forensics Tools like Encase
Alternatively: Hex Editors, Norton Disk Commander (under Windows)

21. Windows Data Analysis Perform keyword searches. Review Logs.
Review Registry.
Review swap files.
Review special application files:
Internet Cache
Recycle Bin
Printer Spool
Files

22. Windows Data Analysis: Text Searches
Raw Data Level
BinText (Foundstone)
Disk Investigator (K. Soloway)
SectorSpyXP (McCamy, Lexun Freeware)
Forensics Tools
Encase
FTK
Mareswares

23. Windows Data Analysis: Text Searches

24. Windows Data Analysis Logs
Windows NT, 2000, XP maintain log files
System Log
Application Log
Security Log

25. Windows Data Analysis Logs
Live System:
Use Event Viewer

26. Windows Data Analysis Logs Event Viewer

27. Windows Data Analysis Logs
Event Log Dump
Use PsLogList (sysinternal)
dumpel (Win2000 Resource Kit)

28. Windows Data Analysis Logs
From forensics duplicate
secevent.evt
appevent.evt
sysevent.evt

29. Windows Data Analysis Logs
Drawbacks
Default security logging is “no logging”.
Do not record IP addresses
Application log uses localized settings.
(Forensics workstation will not interpret these.)

30. Windows Data Analysis Logs
Internet Information Services (IIS) has its own set of logs.
Uses W3C standards as a default

31. Windows Data Analysis Logs
Need to be enabled.
More important for incidence response than for law enforcement.
Get HTTP status codes.

32. Windows Data Analysis Logs
Many other applications log:
Internal firewalls.
Create your own log from the timestamp of files around critical times.
FileList ( will do this for you.

33. Windows Data Analysis Reviewing Relevant Files
Recycle Bin
Folder Recycled in Win95/98.
Folder Recycler in WinNT/2000/XP.
Date and Time of Deletion in
System file INFO in Win95
System file INFO2 in Win98
Information available in Win2000, WinXP

34. Windows Data Analysis Reviewing Relevant Files
Windows moves deleted file into the recycle bin.
It deletes from there.
Thus, files can be retrieved from deleted recycle bin entries.

35. Windows Data Analysis Reviewing Relevant Files
$Logfile entry in the MFT contains the log of all file system transactions
Deletion of a file leaves several entries in $Logfile
Not unusual to find files that are no longer on the disk
Shows that file was used by the system

36. Windows Data Analysis Reviewing Relevant Files
Shortcuts can contain relevant information.
Stored in the desktop folder.
A special agent of the Illinois Attorney General’s Office investigated a case involving child pornography. The agent located a shortcut file in the Windows/Desktop folder whose target was a screensaver program. Upon examining the screensaver program, the agent found that it caused 30 images depicting child pornography to be displayed on the computer’s monitor when the shortcut was activated Casey, p. 153

37. Windows Data Analysis Reviewing Relevant Files
Thumbs.db (System file)
Contains thumbs pictures for folder.
Not perfectly synchronized with folder.
Deleted images might still be available.

38. Windows Data Analysis Reviewing Relevant Files
Temporary files
Files with extension tmp
Created by many applications
s with large attachments:
Attachments are probably stored as temp files. (Depends on system.)
Look for file extensions .tmp .

39. Windows Data Analysis Reviewing Relevant Files
Internet Explorer (as well as other browsers) use a cache.
index.dat contains internet explorer cached websites.
Written in binary.
Use Pasco from Foundstone.

40. Windows Data Analysis Reviewing Relevant Files

41. Windows Data Analysis Reviewing Relevant Files

42. Windows Data Analysis Reviewing Relevant Files
Browser Cache
C:\Documents and Settings\ Username\ Local Settings\Temporary Internet Files Or
C:\Program Files\Netscape\Users\ Username\Cache

43. Windows Data Analysis Reviewing Relevant Files

44. Windows Data Analysis Reviewing Relevant Files
Cookies can be partially decyphered.
Use galleta from foundstone.

45. Windows Data Analysis Reviewing Relevant Files
Typically, concatenate all cookies.
Redirect galleta into an excel file.
Investigate the excel file.

46. Windows Data Analysis Reviewing Relevant Files
Dial-up Networking
rasautou –s gives autodial addresses

47. Windows Data Analysis Registry
Database that stores settings and options for 32b MSWin OS
Contains information and setting for
Hardware
Software
Users
Preferences

48. Windows Data Analysis Registry
Win95, Win98
USER.DAT, SYSTEM.DAT in Windows
WinME
USER.DAT, SYSTEM.DAT, CLASSES.DAT
WinNT, 2000, XP
In %SystemRoot%\System32\Config

49. Windows Data Analysis Registry
Use RegEdit to access.
Before experimentation, make a backup of the registry.

50. Windows Data Analysis Registry
Hierarchical structure
Main branches are Hives
Hives contain keys.
Keys can contain subkeys and values

51. Windows Data Analysis Registry

52. Windows Data Analysis Registry
Six main branches
HKEY_CLASSES_ROOT - This branch contains all of your file association mappings to support the drag-and-drop feature, OLE information, Windows shortcuts, and core aspects of the Windows user interface.
HKEY_CURRENT_USER - This branch links to the section of HKEY_USERS appropriate for the user currently logged onto the PC and contains information such as logon names, desktop settings, and Start menu settings.

53. Windows Data Analysis Registry
HKEY_LOCAL_MACHINE - This branch contains computer specific information about the type of hardware, software, and other preferences on a given PC, this information is used for all users who log onto this computer.
HKEY_USERS - This branch contains individual preferences for each user of the computer, each user is represented by a SID sub-key located under the main branch.

54. Windows Data Analysis Registry
HKEY_CURRENT_CONFIG - links to the section of HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.
HKEY_DYN_DATA - points to the part of HKEY_LOCAL_MACHINE, for use with the Plug-&-Play features of Windows, this section is dynamic and will change as devices are added and removed from the system.

55. Windows Data Analysis Registry
Registry Editor can import and export registry settings to / from a text file.
Copy registry hive files from the forensic duplicate to your forensic work station.
Import them into regedit.
IF YOU MESS UP THE REGISTRY, YOU NEED TO REBUILD YOUR SYSTEM.

56. Windows Data Analysis Registry
In a recent investigation by the Los Angeles County Sheriff’s Computer Crime Unit, a detective investigated an employee suspected of misappropriating confidential computer information stored by his company. When the detective examined one of the workplace computers, he found remnants of a key-trapping program in the registry. During an interview, the suspect admitted to having installed, used, and deleted the key-trapping program for the purposes of obtaining user names and passwords of coworkers.

57. Windows Data Analysis Registry
Use the registry to
Find installed software (such as L0phtcrack).
Manually deleted software.
Use backups of the registry to trace the installation and uninstallation of software.
Find data on user accounts

58. Windows Data Analysis Unusual or Hidden Files
NTSF uses a feature from Mac Hierarchical File System to store multiple entry under one file entry. “Data Streams”
Allow us to hide a file
cp nc.exe logo.jpg:nc.exe
Now nc.exe is hidden.
Use SFind (foundstone) to find stremed files.

59. Windows Data Analysis Print Spooler Files
Print Spooler Files. (EMF under Win).
EMF files are deleted after printing.
“Gap-Toothed Bandit”, Micheal Craig Dickman, used proceeds from bank robberies to support his struggling biotech start-up.
Arrested after a heist in La Jolla, 1999.
SD RCFL found the demand notes as a deleted EMF file on his laptop.

60. Data Analysis Techniques What to look for
Print Spooling uses temporary files.
contain data to be printed.
data on the print job.
Two methods, RAW and EMF
Shadow file .SHD info on print job
.SPL contains data to be printed (RAW)
.SPL contains file name, method, list of files with print data EMF****.TMP

61. Data Analysis Techniques What to look for
Department of Consumer Affairs in Orange County, CA, arrested a suspect for selling counterfeit state license certificates and seized his computer. Although the examiners had seized some of the counterfeit certificates from victims, they were unable to locate evidence on the computer. When the examiners requested a second review from the California Department of Insurance, Fraud Division, the Computer Forensics Team identified several deleted enhanced metafiles that exactly matched the paper copies that had been seized during the investigation. The only evidence present on the drive were the enhanced metafiles. The defendant was convicted at trial Casey, p. 163

62. Windows Data Analysis Rogue Processes
To find rogue processes on a duplicate image
Restore the file system.
Run a virus software.
Disable writing to restored volume.

63. Windows Data Analysis Find Hidden Doors
Schedule an event
remote /s “cmd.exe” mysystem
Remote command from NT Resource Kit
remote /c “cmd.exe” mysystem
Allows to connect with a command prompt from outside the system
Schedule this with the at or the soon utility

64. Windows Data Analysis Find Hidden Doors
at will find any jobs that have been scheduled:

65. Windows Data Analysis Review last searches
Use AFind (foundstone) to look for the last few files accessed.
Look at the Find scrollbox.

66. UNIX Data Analysis Review all pertinent logs Perform keyword searches
Review relevant files
Identify unauthorized user accounts or groups
Identify rogue processes
Check for unauthorized access points
Analyze trust relationships
Check for kernel module rootkits

67. Unix Data Analysis Logs
Unix maintains a variety of logs.
A hacker could change the logs.
But you need to look at them.
Placed in directories depending on UNIX flavor
/var/log
usr/adm
Var/adm

68. UNIX Data Analysis Logs
syslog
Controlled by /etc/syslog.conf
Uses syslogd
Can be used to log remotely

69. Unix Data Analysis Logs
Look at the syslog.conf
Three fields:
Facility field: subsystem that produced the log (e.g. mail)
Priority field: debug, info, notice, warning, err, crit, alert, emerg
Action field: how is the log recorded, typically name of log field (or IP address)

70. Unix Data Analysis Logs
Log entries
In ASCII
Usually world-readable
Only writable by root

71. Unix Data Analysis Logs
Remote Syslog Server logs
Attackers with root privileges can change the logs
Use a remote syslog server for safety
Attacker can add spurious entries to the remote syslog
Harden remote syslog server

72. Unix Data Analysis Logs
TCP Wrappers
Host based access control for TCP and UDP services
Any connection attempt are logged via syslog
May 13 23:11:45 victim sshd[12528]: ROOT LOGIN REFUSED FROM
May 13 23:19:03 victim in.tftpd[524]: connect from

73. Unix Data Analysis Logs
Other network logs
Server specific logs, e.g. for FTP

74. Unix Data Analysis Host Logging
su command logs
Part of syslog
Stored in var/log/messages
Currently logged in users
Stored in utmp or wtmp
Use w, who, finger, last to read
Modified by many hacker tools

75. Unix Data Analysis Host Logging
Logon attempt logs
Recorded on most UNIX machines
/var/messages in LINUX

76. Unix Data Analysis Host Logging
cron
Allows users to schedule programs for future execution
Often used for attacks
Logged, typically in /var/cron/log

77. Unix Data Analysis User Activity Logging
Every command by every user can be logged
Shells store history files for each user

78. Unix Data Analysis Logging
Attacker gains root access to system
Deletes .bash-history file
Links file to /dev/null
Can no longer log
Look for the shell log:
[linuxbox] # ls –al
total 52
drwxr-x root root Dec 12 04:47 .
drwxr-x root root Dec 8 01:27 ..
-rw root root Dec 12 04:47 .XAuthority
-rw-r--r root root Aug 23 04:47 .XDefaults
lrwxrwxrwx 1 root tty Dec :12 .bash_history -> /dev/null

79. UNIX Data Analysis String Searches
grep
String search within a file
String search within a binary file
Recursive searches
# grep root /etc/passwd
root:x:0:0:root: /root: /bin/bash
# grep PROMIC /sbin/ifconfig
Binary file /sbin/ifconfig matches
# grep –r –I password /

80. UNIX Data Analysis String Searches
find
Use to search for a file by name
E.g., find “…” (a typical hacker trick to hide a file)
Found one.
# find / -name “\.\.\.” –print
/home/hacker/MDAc/temp/…/root/…

81. UNIX Data Analysis Relevant Files
Finding relevant files after an incident is an art.
Careful about destroying evidence by running system commands that will change times.
Mount evidence drive read-only or better, duplicate.

82. UNIX Data Analysis Relevant Files
Identify the time of the incident.
Look for files accessed, created or modified around that time.
Use find with –atime, -ctime, -mtime option

83. UNIX Data Analysis Relevant Files: SUID Programs
UNIX allows applications to set the user-id (SUID) and set the group-id (SGID).
Programs runs with privileges of owner, typically root.
Programs are source of most privilege escalation attacks.

84. UNIX Data Analysis Relevant Files: SUID Programs
Sometimes unprivileged users need to accomplish tasks that require high privileges.
For example, passwd needs to access the password file in /etc/passwd
But users should not be given access to /etc/passwd

85. UNIX Data Analysis Relevant Files: SUID Programs
User invokes passwd
passwd changes its UID (with SUID)
passwd now runs with root UID
passwd can now access the password file.

86. UNIX Data Analysis Relevant Files: SUID Programs
You recognize these programs with ls –l
File permission have an s instead of an x
-rwsr-xr-- SUID program
-rwxr-sr-- SGID program

87. UNIX Data Analysis Relevant Files: SUID Programs
SECURITY INCIDENT EXAMPLE
Superuser is logged on as root and leaves terminal unattended
Creates SUID shell.
Anyone invoking /tmp/break-account gets root privileges.
# cp /bin/sh /tmp/break-acct
#chmod 4755 /tmp/break-acct

88. UNIX Data Analysis Relevant Files: SUID Programs
Old Break-in
/usr/lib/preserve is used by vi and ex editors to make an automatic backup of a file that is edited when the users suddenly disconnects.
preserve writes file changes to a temp file in a special directory

89. UNIX Data Analysis Relevant Files: SUID Programs
preserve uses /bin/mail to send the user a notification that the file has been saved.
This temp file should not be accessible by world.
Thus, preserve needs root privileges

90. UNIX Data Analysis Relevant Files: SUID Programs
preserve was installed as SUID root.
preserve ran /bin/mail as root.
preserve executed the mail program with the system function call.
system uses sh to parse the string that it executes.

91. UNIX Data Analysis Relevant Files: SUID Programs
Problem:
Shell variable IFS tells sh how to interpret the white spaces.
Normally sets white spaces to be space, tab, enter, etc.
Attacker sets white spaces to “/”

92. UNIX Data Analysis Relevant Files: SUID Programs
Attacker runs vi.
Attacker crashes system.
preserve runs.
system interprets /bin/mail as “bin mail”
Thus, it executes any program called bin with argument mail as root.

93. UNIX Data Analysis Relevant Files: SUID Programs
Find all SUID SGID with the following command:
find starts in /
Looks for files with permission (SGID) or (SUID)
Know what to expect.
# find / \( -perm –o –perm \) –type f -print

94. UNIX Data Analysis Relevant Files: Hidden Files
Hide “bad” files
By giving them innocuous names
By giving a name similar to a reasonable name “ syslog” vs. “syslog”
Calling a directory “…” (“.” current directory, “..” parent directory)

95. UNIX Data Analysis Relevant Files: Configuration Files
Primary target to keep access for a hacker.
etc/hosts.allow etc/hosts.deny determine access policy.
/etc/inetd.conf controls network services

96. UNIX Data Analysis Relevant Files: Configuration Files
Add an entry to inetd.conf:
Simple backdoor that listens on port 55000
Same telnet server as the one for port 23.
Port might not be monitored
telnet2 stream tcp nowait root /usr/sbin/tcpd in.telnetd

97. UNIX Data Analysis Relevant Files: cron
cron facility used to schedule future executions of programs
/var/spool/cron /usr/spool/cron stores cron jobs
/etc/rc.d contains a listing of programs that start when UNIX boots.
Check all startup scripts for trojans.

98. UNIX Data Analysis Phone Home
Outgoing traffic is usually not monitored.
Compromised system uses cron to initiate a connection to an outside system.
Outside system can control the compromised system.

99. UNIX Data Analysis Relevant Files: Startup
User home directory contain startup files.
.login
.profile
.cshrc

100. UNIX Data Analysis Relevant Files: /tmp
Only world-writable file system on a typical UNIX system.
Hangout for nefarious tools.

101. UNIX Data Analysis User Accounts
Each user has an entry in /etc/passwd
dvader:x:512:516:Darth Vader:/home/dvader:/bin/bash
User name
Password (shadowed)
User Id
Group Id
Comment field
Home directory
Default login shell

102. UNIX Data Analysis User Accounts
/etc/groups defines groups:
root::0:root, tschwarz
bin::2:root,bin,daemon
sys::3:root,bin,sys,adm
adm::4:root,adm,daemon
uucp::5:root,uucp
User names

103. UNIX Data Analysis User Accounts
If suspicious of compromise, investigate user accounts and group accounts.

104. UNIX Data Analysis Checking for Unauthorized Access Points
Investigate all network services for potential access points.
X-server
FTP
Telnet
DNS
Sendmail
finger
SNMP
IMAP
POP
HTTP
HTTPS

105. UNIX Data Analysis Analyzing Trust Relationships
If machine A trusts machine B, then anyone on machine B can access services on machine A.
Don’t do it.
Check files such as /etc/hosts.equiv or .rhosts

106. UNIX Data Analysis Analyzing Trust Relationships
Network topology routes data through other computers.
Sniffing (esp. for passwords).
Even possible in a switched environment: arpredirect in dsniff

107. UNIX Data Analysis Loadable Kernel Modules
LKM can by dynamically loaded with root-level access.
Used to let a hacker maintain access.
Adore, Knark, Itf

108. UNIX Data Analysis Loadable Kernel Modules
Trojan system utilities used to detect them.
Look for discrepancies between internal and external scans.
Detection tools are available.