Lab II: Search Word Filtering from Unallocated, Slack and Swap Space


New Mexico Tech Digital Forensics, Fall 2006
Prepared by Regis Cassidy, Sandia National Laboratories

Objectives

- Understand the interview process used to develop an initial search list for an investigation
- Extract unallocated space from an image
- Extract slack space from an image
- Copy the swap file
- Filter out and analyze evidence from unallocated, slack and swap space using your search list
- Modify your list of search words based on the evidence you find and repeat the search as needed

Introduction

When given a system to analyze for evidence, you need to develop a method for learning what to look for. You will need to create a search list that is relevant to the case to aid you in finding that evidence. Conducting interviews is one of the most important steps in the forensic process for beginning to create a search list. The individuals to be interviewed may be the suspect, the system administrator, coworkers, or other key witnesses. During the interview process you should make a list of important names, dates, IP addresses, email contacts, documents, project titles, etc. that may aid you in finding the critical data that can be used as evidence.

If a person who was engaged in illegal activities is careless, he or she may leave undeleted or "in the open" files on the machine which can be used as evidence. When someone is under investigation, browse through their system's directories (on a mounted image or cloned drive, of course) searching for files that may be of interest. You may be looking for emails, Internet addresses, images, personal Word documents, spreadsheets, etc. From these discovered files, record important search words relevant to the investigation. Even if you find evidence in this allocated space, your search is not complete. You will next use your search list to find additional evidence in unallocated, slack, and swap space. Your investigation will consist of multiple searches as your search list grows with the evidence you find.

The Scenario

Roberta Hutchins is being investigated for selling company secrets on a top secret project to a competitor. Her computer was seized and turned over to your team for analysis. You've been asked to find the evidence on her computer that links her to the crime.

During the interview process you learn that Roberta is a secretary for Kerry Shank, who is the leading manager for Project Boondoggle. She was using a Windows XP system formatted with the NTFS file system. Roberta's colleagues have reported seeing her browsing Porsche websites and pricing them even though her salary at the company is not significantly high. She has been carrying a new cell phone to work, on which coworkers have only heard her talk to a person whom she calls Jessie. Unfortunately, the cell phone was not found during the seizure of her computer and remains missing.

You also discover that proper procedures were not followed when suspicions were raised. Roberta's boss made the mistake of confronting Roberta about the accusations before considering calling in a forensics team. Roberta denied everything and would have had plenty of time to delete any incriminating files before your team was notified.

Question 1: From the information given about this interview process, what will you include in your list of search words when beginning your search of Roberta's hard drive?

An example list would include: Boondoggle, Porsche, Jessie, Kerry, Shank, phone

You may not want to include Roberta Hutchins' name because of all the false hits it would generate: this is her machine and her name will be on almost everything.

Procedures

Step 1

NOTE: The data you will be analyzing in this lab is purely simulated and does not reflect files that ever actually existed. You will not be performing any kind of file recovery in this lab.

Assume Roberta had time to delete files from her computer that may have been incriminating. She cleared out her email, Internet history, and any personal documents linking her to the crime. Therefore, you now need to look for evidence in places that most computer users don't think about. The first place you choose to look is unallocated space. Unallocated space will contain deleted files (in part or in whole).

Launch your "Linux – Forensics" virtual machine. An image of Roberta's system has already been created for you and is located on /dev/hdb1. There is also a file, image.sha1.txt, that contains the hash value of the image.

Mount /dev/hdb1 to /mnt/evidence (you'll have to create the mount point). Notice that /mnt/evidence/lab2 contains the image file image.dd, which is from Roberta's system. The image is of a single Windows XP partition (Roberta's c: drive). Verify that the hash of the image is correct; if necessary, refer to Lab 1, Step 7, for this task.

Question 2: Could you use dd to write the image file to a new blank drive as a clone that is bootable? Why or why not?

No. The image file is of a single partition and not the entire disk. The image does not contain the Master Boot Record needed to make it bootable. Running fdisk on the image will result in an error message or bogus data.

Extract Unallocated Space

You are now going to use a Linux tool called dls, which is part of the Sleuth Kit forensics toolkit. With this tool you can extract unallocated data blocks to a separate file. The option -f is used to specify the file system type. Every file system contains a section on disk that is used as a road map to all the allocated blocks or clusters of that disk. On Linux this is known as the superblock and on NTFS it is known as the master file table (MFT). You will learn more about these in the section of the course on file systems. dls must read from the superblock or MFT in order to extract unallocated blocks.

# dls -f ntfs /mnt/evidence/lab2/image.dd > /mnt/evidence/lab2/image.unalloc.dls

Extract Slack Space

Step 2

The -s option of dls will extract data from slack space only. With this option, dls uses the file size recorded by the file system for every file on the disk. It then collects the data from the end of that size boundary to the end of the associated cluster.

# dls -f ntfs /mnt/evidence/lab2/image.dd -s > /mnt/evidence/lab2/image.slack.dls

Question 3: You just extracted data from slack space. Will that data also exist in the file you extracted of unallocated space? Why or why not?

No. The slack data will not also appear in the unallocated file. Unallocated data resides on clusters that are unused and free for the file system to reuse. Slack space is actually found on clusters that have been reallocated.

Question 4: What do you think the difference is between slack space and slack data? Can slack data exist in unallocated space? Why or why not?

Slack space is the area on disk from the end of a file to the end of an allocated cluster. Slack data is the actual data found in that slack space, but it can still exist on unallocated clusters. Once a file containing slack is deleted, there is technically no slack space associated with that file, since the whole cluster becomes unallocated. However, the slack data associated with that deleted file remains.

Copy the Swap File

Step 3

The Windows XP swap file is found at c:\pagefile.sys. You need to mount the image file provided as a loopback device, read only (review Lab 1, Step 9, to do this; don't forget to create a mount point). Copy the pagefile.sys file to /mnt/evidence/lab2/image.swap. Unmount the image after the swap file has been copied.

To see how much data exists in unallocated, slack and swap space:

# ls -lh /mnt/evidence/lab2/

Step 4

You need to set the permissions and compute hashes for these files. Get used to this routine!

Question 5: What permissions should be set on the unallocated, slack and swap data files? What command do you use to do this? What command do you use to append all three hashes to the file /mnt/evidence/lab2/image.sha1.txt? Be careful not to overwrite the hash of the complete image file.

Permissions should be set to read only to avoid accidental modification.

# chmod a-w /mnt/evidence/lab2/*.dls /mnt/evidence/lab2/*.swap
# sha1sum /mnt/evidence/lab2/*.dls /mnt/evidence/lab2/*.swap >> /mnt/evidence/lab2/image.sha1.txt

Extract Plaintext from Unallocated, Slack and Swap

Step 5

The unallocated, slack and swap files will contain binary data that is of no use for keyword searching. Therefore, you need to extract the data that is in plain text. This will make your files significantly smaller and faster to search. The strings command in Linux extracts printable characters from a given file. By default it looks for strings of at least 4 characters in length. You can change this default using the -n option followed by the desired number. Run the command below on your file of unallocated space.

# strings -a -t d /mnt/evidence/lab2/image.unalloc.dls > /mnt/evidence/lab2/image.unalloc.str

The option -a (all) makes sure the whole file is searched.
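Steps 1 through 5 end with a strings file that still has to be filtered against the search list. The script below is an added example, not part of the lab handout: it runs that filtering stage over a small constructed sample of strings -a -t d output using the Question 1 search list, and turns each hit's decimal offset back into the index of the extracted cluster it came from. The functions keyword_hits, hit_count, offset_to_block and hit_blocks, the sample lines, and the 4096-byte NTFS cluster size are all assumptions made for the example.

```shell
#!/bin/sh
# Keyword filtering over `strings -a -t d` output, the stage that follows
# Step 5 of the lab. Added example; the sample data below is constructed
# and is not real lab data. (In later Sleuth Kit releases dls was renamed
# blkls, but the output format used here is the same.)

WORK="${TMPDIR:-/tmp}/lab2_example.$$"
mkdir -p "$WORK"

# Constructed stand-in for image.unalloc.str: decimal byte offset into the
# dls output, then the printable string found there.
cat > "$WORK/image.unalloc.str" <<'EOF'
   4096 Microsoft Word Document
   8200 Re: boondoggle status
   8232 Jessie, the price on the Porsche is fine
  12288 c:\pagefile.sys
  16384 meeting notes Kerry Shank
  20480 unrelated driver string
EOF

# Search list from Question 1, one word per line (Roberta's own name is
# deliberately left out to avoid false hits).
cat > "$WORK/searchlist.txt" <<'EOF'
Boondoggle
Porsche
Jessie
Kerry
Shank
phone
EOF

# keyword_hits STRFILE WORDLIST
# Prints every line of the strings file containing any search word,
# case-insensitive, treating the words as fixed strings rather than regexes
# (a search word such as "c:\" must not be parsed as a pattern).
keyword_hits() {
    grep -i -F -f "$2" "$1"
}

# hit_count STRFILE WORDLIST -> number of matching lines
hit_count() {
    keyword_hits "$1" "$2" | wc -l | tr -d ' '
}

# offset_to_block OFFSET BLOCKSIZE -> zero-based cluster index in the dls
# output. Because dls writes unallocated clusters back to back, dividing the
# strings offset by the cluster size tells you which extracted cluster held
# the hit; that index is what you would feed to the Sleuth Kit's dcalc -u
# (blkcalc -u in later versions) to locate the cluster in the original image.
offset_to_block() {
    echo $(( $1 / $2 ))
}

# hit_blocks STRFILE WORDLIST BLOCKSIZE -> sorted, de-duplicated list of
# cluster indices that produced at least one hit, space separated.
hit_blocks() {
    keyword_hits "$1" "$2" | awk '{print $1}' | while read -r off; do
        offset_to_block "$off" "$3"
    done | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run: show the hits, then the clusters to examine more closely.
keyword_hits "$WORK/image.unalloc.str" "$WORK/searchlist.txt"
hit_count   "$WORK/image.unalloc.str" "$WORK/searchlist.txt"
hit_blocks  "$WORK/image.unalloc.str" "$WORK/searchlist.txt" 4096
```

The same functions apply unchanged to the slack and swap strings files; as the lab says, add new words to searchlist.txt as hits reveal them and rerun.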