
New Mexico Tech Digital Forensics Fall 2006

Lab II: Search Word Filtering from Unallocated, Slack and Swap Space

Objectives

- Understand the interview process to develop an initial search list for an investigation
- Extract unallocated space from an image
- Extract slack space from an image
- Extract the swap file
- Filter out and analyze evidence from unallocated, slack and swap space using your search list
- Modify your list of search words based on the evidence you find and repeat searching as needed

Introduction

When given a system to analyze for evidence, you need a method for learning what to look for. You will need to create a search list that is relevant to the case to aid you in finding that evidence. Conducting interviews is one of the most important steps in the forensic process, because it is how you begin building that search list. The individuals to be interviewed may be the suspect, the system administrator, coworkers, or other key witnesses. During the interview process you should make a list of important names, dates, IP addresses, email contacts, documents, project titles, etc. that may aid you in finding the critical data that can be used as evidence.

If a person who was engaged in illegal activities is careless, he or she may leave undeleted or "in the open" files on their machine which can be used as evidence. In the event that someone is under investigation, browse through their system's directories (on a read-only mounted image or a cloned drive, never the original) searching for files that may be of interest. You may be looking for emails, Internet addresses, images, personal word documents, spreadsheets, etc. From these discovered files, record important search words relevant to the investigation.

Even if you find evidence in this allocated space, your search is not complete. You will next use your search list to find additional evidence in unallocated, slack, and swap space. Your investigation will consist of multiple searches as your search list grows with the evidence you find.

Prepared by Regis Cassidy Sandia National Laboratories Page 1

The Scenario

Roberta Hutchins is being investigated for selling company secrets on a top secret project to a competitor. Her computer was seized and turned over to your team for analysis. You've been asked to find the evidence on her computer to link her to the crime.

During the interview process you learn that Roberta is a secretary for Kerry Shank, who is the leading manager for Project Boondoggle. She was using a Windows XP system formatted with the NTFS file system. Roberta's colleagues have reported seeing her browsing Porsche websites and pricing them, even though her salary at the company is not significantly high. She has been carrying a new cell phone to work, on which coworkers have only heard her talk to a person she calls Jessie. Unfortunately, the cell phone was not found during the seizure of her computer and remains missing. You also discover that proper procedures were not followed when suspicions were raised. Roberta's boss made the mistake of confronting Roberta about the accusations before considering calling in a forensics team. Roberta denied everything and would have had plenty of time to delete any incriminating files before your team was notified.

Question 1: From the information given about this interview process, what will you include in your list of search words when beginning your search of Roberta's hard drive?

An example list would include: Boondoggle, Porsche, Jessie, Kerry, Shank, phone

You may not want to include Roberta Hutchins' own name because of all the false hits it would generate: this is her machine, so her name will be on almost everything.

Procedures

Step 1 NOTE: The data you will be analyzing in this lab is purely simulated and does not actually reflect files that ever existed. You will not be performing any kind of file recovery in this lab.

Assume Roberta had time to delete files from her computer that may have been incriminating. She cleared out her email, Internet history, and any personal documents linking her to the crime. Therefore, you now need to look for evidence in places that most computer users don't think about. The first place you choose to look is unallocated space. Unallocated space may still contain the contents of deleted files, in whole or in part, because deleting a file only releases its clusters; it does not wipe them.

Launch your “Linux – Forensics” virtual machine.

An image of Roberta's system has already been created for you and is located on /dev/hdb1. There is also a file, image.sha1.txt that contains the hash value of the image.

Mount /dev/hdb1 to /mnt/evidence (You'll have to create the mount point)

Notice /mnt/evidence/lab2 contains the image file image.dd, which is from Roberta's system. The image is of a single Windows XP partition (Roberta's C: drive).

Verify the hash of the image is correct. If necessary refer to Lab 1 for this task (Step 7).

Question 2: Could you use dd to write the image file to a new blank drive as a clone that is bootable? Why or why not?

No. The image file is of a single partition, not the entire disk, so it does not contain the Master Boot Record or the partition table that a BIOS needs in order to boot from the drive. Writing it to the start of a blank drive would produce a disk whose first sector is the partition's boot sector rather than an MBR; tools that expect a partition table will report an error or show bogus data, and the drive will not boot.

Extract Unallocated Space

You are now going to use a Linux tool called dls, which is part of The Sleuth Kit forensics tool kit (in Sleuth Kit 3.0 and later the same tool is named blkls; the options used below are unchanged). With this tool you can extract the unallocated data blocks of a file system to a separate file. The option -f specifies the file system type, here ntfs. Every file system keeps metadata on disk that records which blocks or clusters are allocated: on ext2/ext3 the superblock locates the block group bitmaps, and on NTFS the master file table (MFT) together with the $Bitmap file serves this purpose. You will learn about these in the section of the course on file systems. dls reads that allocation metadata to decide which clusters are unused and copies only those, so it must be pointed at a valid file system.

# dls -f ntfs /mnt/evidence/lab2/image.dd > /mnt/evidence/lab2/image.unalloc.dls

Extract Slack Space

Step 2 The -s option of dls extracts data from slack space only. With this option, dls reads the logical size of every allocated file from the file system metadata and outputs the bytes from the end of that size to the end of the file's last cluster.

# dls -f ntfs /mnt/evidence/lab2/image.dd -s > /mnt/evidence/lab2/image.slack.dls

Question 3: You just extracted data from slack space. Will that data also exist in the file you extracted of unallocated space? Why or why not?

No. The slack data will not appear in the unallocated file. Unallocated data lives in clusters that the file system marks as free and may reuse at any time, and dls without -s copies only those clusters. Slack space is the tail end of clusters that are currently allocated to a file, and those clusters are skipped entirely by the unallocated extraction.

Question 4: What do you think the difference is between slack space and slack data? Can slack data exist in unallocated space? Why or why not?

Slack space is the area on disk from the end of a file's data to the end of its last allocated cluster. Slack data is the content actually found in that area, usually leftovers from whatever previously occupied the cluster, and it can also survive on unallocated clusters. Once a file containing slack is deleted there is technically no slack space associated with it, since the whole cluster becomes unallocated; the former slack data, however, remains on disk and will now show up in the unallocated extraction rather than in the dls -s output.
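To make Questions 3 and 4 concrete, here is an added example (not part of the lab and not Sleuth Kit code): a toy volume with an allocation bitmap and a minimal file table standing in for NTFS $Bitmap and MFT, on which one function returns what dls would (every unallocated cluster) and another returns what dls -s would (end of logical size to end of last cluster, for allocated files only). The cluster size of 16 bytes, the single contiguous run per file, and the note/memo scenario are all assumptions made for the example.

```python
# Added example, not part of the lab or of The Sleuth Kit. Assumptions: 16-byte
# clusters (real NTFS defaults to 4096), one contiguous run per file, a plain
# bitmap standing in for NTFS $Bitmap and a dict standing in for the MFT.
CLUSTER = 16


class ToyVolume:
    def __init__(self, n_clusters):
        self.data = bytearray(n_clusters * CLUSTER)  # raw cluster contents
        self.allocated = [False] * n_clusters        # like NTFS $Bitmap
        self.files = {}                              # name -> (start, count, size)

    def write_file(self, name, start, content):
        """Allocate whole clusters for `content`; bytes beyond the logical size
        in the last cluster are left untouched, which is exactly where slack lives."""
        count = (len(content) + CLUSTER - 1) // CLUSTER
        self.data[start * CLUSTER:start * CLUSTER + len(content)] = content
        for c in range(start, start + count):
            self.allocated[c] = True
        self.files[name] = (start, count, len(content))

    def delete_file(self, name):
        """Deletion only flips the bitmap; the cluster contents stay on disk."""
        start, count, _ = self.files.pop(name)
        for c in range(start, start + count):
            self.allocated[c] = False

    def unallocated(self):
        """What `dls -f ntfs image.dd` produces: every cluster not in the bitmap."""
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])
                        for c, used in enumerate(self.allocated) if not used)

    def slack(self):
        """What `dls -s` produces: from the end of each allocated file's logical
        size to the end of its last cluster. Deleted files contribute nothing."""
        out = bytearray()
        for start, count, size in self.files.values():
            out += self.data[start * CLUSTER + size:(start + count) * CLUSTER]
        return bytes(out)


def build_demo():
    """Constructed scenario: a 41-byte note is written, deleted, and its first
    cluster is then reused by a 2-byte file. Returns the volume in that state."""
    vol = ToyVolume(8)
    vol.write_file("note.txt", 2, b"Project Boondoggle specs to Jessie Friday")
    vol.delete_file("note.txt")           # clusters 2-4 become unallocated
    vol.write_file("memo.txt", 2, b"OK")  # cluster 2 reallocated; 14 old bytes are now memo's slack
    return vol


if __name__ == "__main__":
    vol = build_demo()
    print("slack      :", vol.slack())        # b'oject Boondogg'
    print("unallocated:", vol.unallocated())  # has b'...Jessie Friday', not b'Boondogg'
    vol.delete_file("memo.txt")
    print("after deleting memo.txt, slack:", vol.slack())   # b''
    print("'Boondogg' now in unallocated:", b"Boondogg" in vol.unallocated())  # True
```

Run it and compare the two outputs before and after the second deletion: the 14 bytes of the old note sitting behind "OK" appear only in slack() while memo.txt exists, and move to unallocated() the moment it is deleted. That is the whole answer to Questions 3 and 4 in one screen.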

Copy the Swap File

Step 3 The Windows XP swap file is found at C:\pagefile.sys. It is a hidden system file on Windows, but on a Linux mount of the partition it is an ordinary file that you can copy.

You need to mount the image file provided as a loopback device and as read only. ( Review Lab 1, Step 9, to do this. Don't forget to create a mount point).

Copy the pagefile.sys file to /mnt/evidence/lab2/image.swap

Unmount the image after the swap file has been copied.

To see how much data exists in unallocated, slack and swap space

# ls -lh /mnt/evidence/lab2/

Step 4 You need to set the permissions and compute hashes for these files. Get used to this routine!

Question 5: What permissions should be set on the unallocated, slack and swap data files? What command do you use to do this? What command do you use to append all three hashes to the file /mnt/evidence/lab2/image.sha1.txt? Be careful not to overwrite the hash of the complete image file.

Permissions should be set to read only to avoid accidental modification. Note that root is not bound by file mode bits, so this only guards against slips from a non-root shell and against tools that check the flag before opening a file; the hashes are what actually prove the files were not changed.

# chmod a-w /mnt/evidence/lab2/*.dls /mnt/evidence/lab2/*.swap

Append with >> rather than redirect with >, or you will overwrite the hash of image.dd that is already in the file:

# sha1sum /mnt/evidence/lab2/*.dls /mnt/evidence/lab2/*.swap >> /mnt/evidence/lab2/image.sha1.txt

Because sha1sum records each hash together with the path it hashed, the whole list can later be rechecked with sha1sum -c, as long as the recorded paths resolve from your current directory.

Extract Plaintext from Unallocated, Slack and Swap

Step 5 The unallocated, slack and swap files will contain binary data that is of no use for keyword searching. Therefore, you need to extract the data that is in plain text. This will make your files significantly smaller and faster to search. The strings command in Linux extracts runs of printable characters from a given file. By default it looks for strings of at least 4 characters in length; you can change this default using the -n option followed by the desired number. Be aware that the default scan finds only 8-bit (ASCII) text. Windows stores a great deal of its text, including much of what ends up in the page file, as 16-bit UTF-16LE, which the default scan skips over; strings can be run a second time with the -e l option to pick up those strings as well.

Run the command below on your file of unallocated space.

# strings -a -t d /mnt/evidence/lab2/image.unalloc.dls > /mnt/evidence/lab2/image.unalloc.str

The option -a (all) makes sure the whole file is scanned rather than only the sections strings would otherwise pick out of an object file. The option -t prints the byte offset in the file at which each string was found, and the d means to print that offset in decimal. Those offsets let you go back to the raw file with a hex editor and look at what surrounds a hit.

Use strings on the slack and swap file as well.

# strings -a -t d /mnt/evidence/lab2/image.slack.dls > /mnt/evidence/lab2/image.slack.str

# strings -a -t d /mnt/evidence/lab2/image.swap > /mnt/evidence/lab2/image.swap.str

Filter Out Evidence Using a List of Search Words

Step 6 You now need to develop your search list.

Create a text file searchlist.txt that contains the search words you chose from Question 1. Place each search word on its own line. A search string may contain several words and spaces; do not put it in quotes, because grep -f treats every character on the line, quotes included, as part of the pattern.

A good search list will have variations of the words and possible misspellings.

NOTE: Make sure you do not have a blank line at the end of your search list file. grep -f reads an empty line as an empty pattern, and an empty pattern matches every line, so your results file would end up containing the entire string files.

The next tool you are going to use is called grep. It prints the lines of a file that match a specified pattern.

Some important arguments to grep are described as follows:

-A num   Print num lines After the line containing the search word
-B num   Print num lines Before the line containing the search word
-i       Ignore case
-f file  Read the patterns to match from file, one per line

Run grep on your unallocated, slack and swap string files and show 5 lines before and after each search word match. Write the output to the file /mnt/evidence/lab2/results.grep. Because grep is given more than one input file, it prefixes each output line with the name of the file it came from, so you can tell a hit in unallocated space from one in slack or swap.

# grep -A 5 -B 5 -i -f searchlist.txt /mnt/evidence/lab2/*.str > /mnt/evidence/lab2/results.grep
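The following is an added example (not part of the lab, and not GNU strings or grep) that re-implements the two steps above, strings -a -t d followed by grep -i -A 5 -B 5 -f searchlist.txt, in Python over constructed data, so that two things a practitioner runs into on Windows XP images are visible in a test rather than in a 2 GB file: UTF-16LE text is invisible to the default ASCII scan (the reason for a second pass with strings -e l), and a blank line in the search list matches every line. The sample bytes, the sample .str lines and the Hutchins/Jessie content in them are constructed for this example; the filter matches fixed strings case-insensitively, which corresponds to grep -i -F rather than grep's default regex patterns.

```python
# Added example, not the lab's own code and not GNU strings/grep. All sample
# data below is constructed for the example.

ASCII_PRINTABLE = frozenset(range(0x20, 0x7F)) | {0x09}   # space..'~' plus tab


def _scan(blob, start, step, min_len):
    """Scan `blob` from `start` in `step`-byte units. A unit counts as a
    character when its first byte is printable ASCII and, for 2-byte units,
    its second byte is 0 (an ASCII code point stored as UTF-16LE).
    Returns a list of (decimal offset, text) for runs of at least min_len."""
    found, run_start, run = [], None, bytearray()
    for i in range(start, len(blob) - step + 1, step):
        b = blob[i]
        if b in ASCII_PRINTABLE and (step == 1 or blob[i + 1] == 0):
            if run_start is None:
                run_start = i
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append((run_start, run.decode("ascii")))
            run_start, run = None, bytearray()
    if len(run) >= min_len:
        found.append((run_start, run.decode("ascii")))
    return found


def extract_strings(blob, min_len=4, utf16=False):
    """utf16=False behaves like `strings -a -t d`; utf16=True like
    `strings -a -t d -e l`, trying both byte alignments so an odd-offset
    UTF-16 string is not missed."""
    if not utf16:
        return _scan(blob, 0, 1, min_len)
    return sorted(_scan(blob, 0, 2, min_len) + _scan(blob, 1, 2, min_len))


def load_search_list(text):
    """Parse searchlist.txt, dropping blank lines (including the one a trailing
    newline leaves behind), which grep -f would treat as a match-everything pattern."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def keyword_filter(lines, patterns, context=5):
    """Case-insensitive fixed-string match with `context` lines on each side:
    the equivalent of `grep -i -F -A context -B context -f searchlist.txt`."""
    pats = [p.lower() for p in patterns]
    hits = [i for i, line in enumerate(lines) if any(p in line.lower() for p in pats)]
    keep = set()
    for i in hits:
        keep.update(range(max(0, i - context), min(len(lines), i + context + 1)))
    return [lines[i] for i in sorted(keep)]


# Constructed stand-in for a few bytes of image.unalloc.dls: binary junk, an
# ASCII fragment at offset 6, and a UTF-16LE fragment starting at odd offset 45.
SAMPLE_UNALLOC = (
    b"\x00\x00\xff\xfe\x10\x01"
    + b"Lunch at Maggiano's with Jessie"
    + b"\x00\x00\x01\x02ab\x7f\x80"
    + "Project Boondoggle".encode("utf-16-le")
    + b"\x00\x00\xde\xad"
)

# Constructed stand-in for lines of an image.*.str file (decimal offset, text).
STR_LINES = [
    "   4096 Microsoft Word 9.0",
    "   4133 Roberta Hutchins",
    "   4480 Re: lunch Friday?",
    "   4510 Jessie, same place as last time. Bring the drive.",
    "   8192 Porsche 911 Carrera - Build Your Own",
    "   8240 Roberta Hutchins",
    "  12288 Project Boondoggle - Phase II budget.xls",
    "  12340 Kerry Shank",
    "  16384 \\Device\\HarddiskVolume1\\WINDOWS\\system32",
    "  20480 Roberta Hutchins",
]


if __name__ == "__main__":
    for off, text in extract_strings(SAMPLE_UNALLOC):
        print(f"{off:7d} {text}")                     # ASCII pass: only the lunch note
    for off, text in extract_strings(SAMPLE_UNALLOC, utf16=True):
        print(f"{off:7d} {text}  (UTF-16LE)")         # Project Boondoggle at offset 45
    good = load_search_list("Boondoggle\nJessie\n")   # trailing newline is harmless here
    print(*keyword_filter(STR_LINES, good, context=1), sep="\n")
    bad = "Boondoggle\n".split("\n")                  # leaves '' -> every line matches
    print(len(keyword_filter(STR_LINES, bad, context=1)), "of", len(STR_LINES), "lines selected")
```

The offsets in the returned tuples play the same role as the -t d column: they tell you where in the raw extraction to look with a hex editor when a hit needs its surrounding bytes examined.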

Carefully look through the results of your string searches.


# less /mnt/evidence/lab2/results.grep

Question 6: What sorts of interesting information are you finding? Did you get a lot of false hits and, if so, why? How would you now refine your search list? You should find clues that will help you continue to search for other evidence.

You should begin to develop an understanding of Roberta's interaction with Jessie. She is being paid to steal information regarding Project Boondoggle and, in order to do so, must break into Kerry Shank's computer. How you refine your search list will depend on the first list you made and the evidence you found.

Rinse and Repeat!

Step 7 Edit your search words so that you have as few false hits as possible. Add new search words that came up in the evidence you found with the first search. Run grep again with your modified list.

You should be able to find all the evidence with your search list to answer the following questions:

Question 6: What was the full name of the correspondent Roberta was selling company secrets to? What organization was that person with? Where did they like to meet?

Roberta Hutchins was selling company secrets to Jessie Watsonburgh of the Digitech corporation. They liked to meet at Maggiano's for lunch when discussing their deal.

Question 7: How did Roberta get access to the Boondoggle Files?

Roberta had to get on her boss Kerry Shank's machine to have access to the Boondoggle files. She stole Mr. Shank's password by watching over his shoulder (shoulder surfing) several times to see what password he was typing.

Question 8: What was the device, including the brand name, that Roberta was given to carry out the Boondoggle files? What was the model and make of her cell phone?

Roberta downloaded the Boondoggle files onto a Lacie pocketdrive. She was also given a Samsung SPH P510 to correspond with Jessie.

Question 9: How much was Roberta expected to make from this deal?

1.5 Million.

Question 10: What other project is Jessie interested in having Roberta try and steal for him? Is Roberta able to do this? Why or why not?

Jessie was also interested in Project Cyber Defense. Roberta refused to look for files on this project because she knew she was most likely about to be investigated.

You can use the strings tool to extract plaintext from the entire disk (image.dd). This will find data in allocated space as well as unallocated, slack and swap space. You do not need to do this step for this lab, but answer the following question:

Question 11: Why would you choose to do a search by running strings on the entire disk? What might be the disadvantages if you were to only do it this way and not by also extracting unallocated, slack and swap?

It would be a good idea to use your search list on allocated space as well, since there may be evidence the suspect did not know about or did not have time to delete. The problem with only searching the whole image is that a hit carries no indication of whether it came from an allocated file, unallocated space, slack or swap. When a hit comes from the unallocated extraction you know it belonged to a deleted file and there is a chance of recovering that file; data in slack and swap is not recoverable as a file, and you know in advance that it is only fragments. Strings extracted from the entire image tell you nothing about what kind of data produced them. A good practice is to first search unallocated, slack and swap, then search the entire disk; any additional evidence found in the second pass must have come from allocated space.

Question 12: What are your comments and suggestions for this lab?

Step 8 Unmount any drives you mounted and shut down the VMware virtual machine.
