This lab emphasizes the aspects of computer forensics that are encountered with the
highest frequency. The activities are broken into small activities with specific
foci. Alert your instructor to your successful completion of each section.
A. Lab Setup
- Create a directory named
class31 on your
desktop.
All of the files created in this lab will be stored there.
-
Download and Install FoxAnalysis:
Download FoxAnalysis_v1.4.1.zip, double
click to extract, double click on Setup.msi
to begin install.
FoxAnalysis Setup Wizard: Select "Next
|
License Agreement: Select "I Agree", Select "Next" |
Select Installation Folder: Select "Everyone",
Select "Next"
|
Confirm Installation: Select "Next". |
- Download and Install ChromeAnalysis
Download ChromeAnalysis_v1.0.1.zip, double
click to extract, double click on Setup.msi
to begin install.
ChromeAnalysis Setup Wizard: Select "Next
|
License Agreement: Select "I Agree", Select "Next" |
Select Installation Folder: Select "Everyone",
Select "Next"
|
Confirm Installation: Select "Next". |
B. File carving
This section of the Forensics Lab introduces you to file carving.
File carving is an incredibly useful skill to have in the
world of computer forensics. It basically means recovering files
from a physical storage device after the files have been
deleted, the device has been erased, or the device has been
partially destroyed. At this point, the data on the device
just looks like a sequence of "raw bytes" — meaning a
sequence of bytes without any information as to where any file(s)
begins or ends in this sequence.
-
How a storage device ("drive") is formatted
A storage device (hard drive, thumb drive, etc) is nothing
more than a huge sequence of bytes. We can refer to a
specific byte by its offset, i.e. it's distance
from the initial byte. So the initial byte has offset 0,
the next offset 1, and so forth. A formatted drive has
-
a filesystem — which means a record for each file
of its name, the byte offset at which it begins, and the byte offset
at which it ends; as well as records that indicate what
directories (folders) there are, and which directory each
file belongs in. Some of the bytes on the drive are
used to represent the filesystem.
-
files — the filesystem only contains
information about the files, the actual files
themselves are (usually) nothing more than a chunk of
consecutive bytes on the drive.
-
free or unallocated space — these are
the bytes on the drive that are not currently being
used to store information either as part of the
filesystem or as part of
a file. When new files are created, bytes
from the unallocated space are commandeered to store
the new file.
The Windows "Recycle Bin"
When a user "deletes" a file in Windows, the file is
simply moved to a new directory, called the "Recycle Bin".
When the user "empties" the Recycle Bin, the files in that
directory are deleted as described to the left.
-
What does "delete" a file really mean?
When you tell the operating system to delete a file,
all it really means is that
- the filesystem structure's
record of that file (its name, the byte offset it starts
at and the byte offset it ends at) is destroyed,
and
- the
bytes that constitute the file itself are simply
reclassified as "unallocated space".
How to truly delete a file
So what if you want to delete a file so that it truly
cannot be recovered? To do that you have to not only
"delete" the file in the sense of removing its record from
the filesystem, you must also overwrite the the bytes of
that file with zeros or with random values. There are
utilities that will do that for you.
It is possible that a sophisticated forensics analysis
could analyze the magnetic patterns on a drive and
determine not only the current bit pattern of a byte, but
also previously stored bit patterns. Fear of this has led
many people to consider a file to only truly be deleted if
its bytes have been overwritten many times.
-
Recovering a file that has been "deleted"
Notice that after a file is "deleted", all of its bytes
are still sitting there on the drive ... they are simply
categorized as "unallocated", which means they are
available for use in representing new files.
So, a file that has been deleted is recoverable up until
the time that its bytes are commandeered for other
purposes. However, the file's name and the offsets at
which it begins and ends are no longer available. So the
trick is finding where the file begins and ends, and that
is what "file carving" is all about.
With computers, "deleting" a file doesn't necessarily mean
the data stored in the file (the bytes that comprise the
file) are gone. It means that the filesystems record of the
file's name and its connection to that area of the hard
drive are gone. Those bytes become "unallocated space".
To carve a file from a block of bytes, you'll need to look for
the header
(and, depending on the file type, the footer) of the file.
For example, the header (in hex) for a PNG file is 89 50 4e 47
and the footer is 49 45 4e 44 ae 42 60 82.
Below we have an example of a chunk of unallocated space from
a drive. Looking carefully, we spot a PNG header (starting at
offset 10) and,
following it, a PNG footer (ending at offset 42) and thus we can deduce that the from
offset 10 to 42 is a PNG file.
| Block of unallocated space from a drive |
|
PNG header |
body |
PNG footer |
|
| 7e | 93 | 57 | 6d | 51 | e9 | 05 | 6d | ff | 67 | 89 | 50 | 4e | 47 | 0d | 0a | 1a | 0a | 00 | 00 | 00 | 0d | 49 | 48 | 44 | 52 | 54 | 78 | 9c | 62 | 60 | 01 | 00 | 00 | 00 | 49 | 45 | 4e | 44 | ae | 42 | 60 | 82 | 3d | 69 | c4 | 82 | 81 | f0 | 6f | 61 | e4 | 40 | 4b | b4 | 34 | 2f | 2e | bb |
| 00 | 01 | 02 | 03 | 04 | 05 | 06 | 07 | 08 | 09 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 |
File Carving Activity Starts ...
Suppose you recover a hard drive from a bad guy's computer.
Your job is to find incriminating data, or data that will
help in an investigation.
Now you have before you a sequence of tasks:
- To start with, let's review a basic file format. The Portable Network Graphics
format give us files with a .png extension. This file type has a very distinctive
header and footer.
- Header in hex:
89 50 4e 47 (.PNG)
- Footer in hex:
49 45 4e 44 ae 42 60 82 (IEND...)
Save the following file into your class31 directory: oneFile.
Using frhed, open the saved file. Can you see the PNG header in the file anywhere?
You can always press cntl+F and enter a search for
'PNG' or alternatively, type in <bh:89><bh:50><bh:4e><bh:47>
to the search prompt. You can follow the same style for
the footer.
(Note: Search only looks forward in the
file from the current location.)
Write down the offset (the location relative to
the start of the file, which is shown at the bottom left
of the frhed window.) of the first byte of the header and
the last byte of the footer. You can use the decimal or
the hex offset, just be consistent and stick with one of them.
Once you have the header and footer located, i.e. you know
their offsets, then:
- Select Edit ⇒ Copy, and enter the start and ending offsets.
- Select File ⇒ New to create a new document.
- Select Edit ⇒ Paste, choosing the option to Insert (NOT OVERWRITE).
Press ok.
- Choose File ⇒ Save and save as a .png file.
- Open the file from the file browser to see the image.
- Your next task is to carve two files from a chunk of data called
twoFiles, which you first need to save into your
class31 directory,
and open with frhed like you did with oneFile.
You will use the same file carving
technique with your hex editor. In this case, one file is a jpg image and the
other file is an audio file of the wav format. The information below should help
you on your task.
Remember, if you need to search for the hex values, use this format:
<bh:89><bh:50><bh:4e><bh:47>
| File Format |
Header in hex |
Footer in hex |
| jpg |
ff d8 ff e0 |
ff d9 |
| wav |
52 49 46 46 (RIFF) |
NO FOOTER! |
Some file formats do not have footers. This can be problematic, but humans
are often better than computers at solving this problem. In the case of the
audio file, you will see a change in the information in the file. You
can also try cutting differing amounts of data into the file, and see if it
works. Experiment and answer the questions on the lab worksheet.
-
You are now skilled at file carving by hand! But what if the data in question
is megabytes large and the number of files is either very large or unknown. Because
we know how to do this task on a small scale, it can be automated for larger sets
of data, which is great. We'll be using a file carving
program called scalpel, which is free software;
If you did it correctly, scalpel was installed
to your C:\SI110Programs directory
during the first homework assignment.
Scalpel automates file carving.
A user sets up a configuration file that lists
different types of files it can search for, based
on headers and footers. We've prepared one for you to use.
Next, follow these steps:
- First
download unknownChunk.raw
and
scalpel.conf
and save them in the
class31
directory.
unknownChunk.raw - This is raw bytes
recovered off the hard drive of a confiscated
computer.
scalpel.conf - This describes file
headers and footers in a form scalpel.exe can use.
- Open a Command Prompt and navigate to
your
class31 directory.
- Execute this command:
scalpel.exe -c scalpel.conf unknownChunk.raw
-
A summary of how many files and of what types
scalpel found are produced as output in the
shell (if everything was done correctly). Read through the output
and determine how many and what types of files
scalpel found. In other words, what data was
hidden on this hard drive. A directory called
scalpel-output will be created in
the class31
directory. Using the file browser, explore the
scalpel-output directory and
confirm what was reported in the shell about
what the
file carver "scalpel" was able to retrieve.
Then answer the questions
on your worksheet. If you got an error instead
of scalpel results in the shell (the scalpel
command never ends - you get stuck in the
shell), you will need to start over. There will
still be a scalpel-output directory
created.
NOTE: Scalpel will not run if it detects a folder called scalpel-output
that already exists. If you need to run scalpel again, first delete that
folder.
C. Web Browser Forensics
Now we turn our attention to the world of internet browsers. Among the more popular
browsers are Firefox, Chrome, Safari, Opera, and Internet Explorer. Did you know that
these all retain information about what you do online? Now, with our newfound computer
forensics expertise, we can see what they save. In general, they each maintain a lengthy
history of web sites you visit, cookies web sites give you, stored passwords and form
data, and often search terms. Today we'll explore Firefox and Chrome.
Both Firefox and Chrome build a profile for a user. This allows the browser to store
all of this information for multiple users on a computer. It's very convenient, but
do you want all of this information stored on the computer? We have taken some time to
put together a couple profiles for you to use. Just download and then unzip the files
to a location you will remember (see below). The actual profile folder for Chrome is called
Default and the Firefox profile is called ebkkqy8u.default.
Save the below files to the directory you created.
For each of the two downloaded browser profile files,
right-click on the file and extract all files.
The tools we'll use for this activity come from the same author. FoxAnalysis and ChromeAnalysis
are sister tools that accomplish the same thing for different browsers. They each attempt
to load the profile of the user, and then parse the information.
We need a tool to help us, because the data is stored in sqlite3 database format, which
is not readable to the average human. Because the task is well understood on a small
scale, we can build a tool that helps automate the task for larger data sets. First we
will analyze the Firefox profile.
- Run the FoxAnalysis program. Select File ⇒ New Case.
- In the window that opens, click on the ellipsis to navigate to the Firefox profile
you downloaded from above. Select
the
ebkkqy8u.default folder
within the Firefox Profile folder.
- Click on the Check Files button just below. This will verify that you have the
required sqlite files in the profile directory. Close the window when all files have
been found.
- Click Next three times.
- Click Extract.
- Click Finish.
- Analyze the history, bookmarks, cookies, downloads, form history, and logins for
any suspicious activity.
Example FoxAnalysis Results:
-
Repeat the above process for ChromeAnalysis, except that when you
navigate to the Chrome profile, select the Default
folder within the Chrome Profile folder.
Example ChromeAnalysis Results:
D. Trace an Email
Email is one of the most common forms of communication today. While older forms of communication
required the presence and participation of two parties, email is more asymmetric in nature.
Email makes use of the SMTP protocol, meaning that it follows a proscribed set of rules, which
makes it predictable and simple to understand. Today we're going to look at a couple emails
and determine if they are legitimate or a spam email. The basis for this analysis will come
from the header of the email. An email header contains information from every Mail Transfer
Agent it comes in contact with on its route to the destination. This can be very helpful when
putting together the path it traveled.
First examine this email: Email 1. If we start
from the bottom of the email, you'll see several large chunks of data that look like some
sort of encoding. These are images being sent through email. All attachments get broken into
the base64 format for transfer. Before each chunk you can actually see the file name, for
when it gets reconstituted on the receiving end. If you scroll up past the images, you'll
eventually arrive at the actual text of the message. Interesting, but this rarely helps
with attribution.
As you move up the email, you can see the following fields and their meaning:
| Field |
Meaning |
| Message-ID |
A unique message ID as it transits smtp servers. This is used to avoid
duplication of messages. |
| From |
The address the sender filled in here. This could be made up! |
| To |
This is the destination address. |
| X-Mailer |
The mail client (program) from which the email was sent. |
| Subject |
The subject of the email. |
| Reply-To |
This is the address
the "reply" button usually uses.
The sender can fill this in with whatever he wants! |
| Received |
These fields indicate the location and time of receipt of this email
by a mail server. The top received is closest to you, while the received
that is lowest is closest to the sender. |
| Return-Path |
This is the address delivery error (bounce) messages
should be sent to.
|
Typically, we want to follow the path of Received messages. This represents a very real path
that the email took, and it is nearly impossible to forge
this. Examine the fields described above of email #1.
Now, investigate Email 2 and see if
you can determine where it originated from.