Lab II: Search Word Filtering from Unallocated, Slack and Swap Space

New Mexico Tech Digital Forensics, Fall 2006
Prepared by Regis Cassidy, Sandia National Laboratories

Objectives

- Understand the interview process to develop an initial search list for an investigation
- Extract unallocated space from an image
- Extract slack space from an image
- Copy the swap file
- Filter out and analyze evidence from unallocated, slack and swap space using your search list
- Modify your list of search words based on the evidence you find and repeat searching as needed

Introduction

When given a system to analyze for evidence, you need to develop a method for learning what to look for. You will need to create a search list that is relevant to the case to aid you in finding that evidence. Conducting interviews is one of the most important steps in the forensics process for beginning to build a search list. The individuals to be interviewed may be the suspect, the system administrator, coworkers, or other key witnesses. During the interview process you should make a list of important names, dates, IP addresses, email contacts, documents, project titles, etc. that may aid you in finding the critical data that can be used as evidence.

If a person who was engaged in illegal activities is careless, he or she may leave undeleted or “in the open” files on their machine which can be used as evidence. In the event that someone is under investigation, browse through their system's directories (on a mounted image or cloned drive, of course) searching for files that may be of interest. You may be looking for emails, Internet addresses, images, personal word documents, spreadsheets, etc. From these discovered files, record important search words relevant to the investigation. Even if you find evidence in this allocated space, your search is not complete. You will next use your search list to find additional evidence in unallocated, slack, and swap space. Your investigation will consist of multiple searches as your search list grows with the evidence you find.

The Scenario

Roberta Hutchins is being investigated for selling company secrets on a top secret project to a competitor. Her computer was seized and turned over to your team for analysis. You've been asked to find the evidence on her computer to link her to the crime.

During the interview process you learn that Roberta is a secretary for Kerry Shank, who is the leading manager for Project Boondoggle. She was using a Windows XP system formatted with the NTFS file system. Roberta's colleagues have reported seeing her browsing Porsche websites and pricing them even though her salary at the company is not significantly high. She has been carrying a new cell phone to work, on which coworkers have only heard her talk to a person whom she calls Jessie. Unfortunately, the cell phone was not found during the seizure of her computer and remains missing.

You also discover that proper procedures were not taken when suspicions were raised. Roberta's boss made the mistake of confronting Roberta about the accusations before considering calling in a forensics team. Roberta denied everything and would have had plenty of time to delete any incriminating files before your team was notified.

Question 1: From the information given about this interview process, what will you include in your list of search words when beginning your search of Roberta's hard drive?

An example list would include: Boondoggle, Porsche, Jessie, Kerry, Shank, phone

You may not want to include Roberta Hutchins' name because of all the false hits it may generate: this is her machine and her name will be on almost everything.

Procedures

Step 1

NOTE: The data you will be analyzing in this lab is purely simulated and does not actually reflect files that ever existed. You will not be performing any kind of file recovery in this lab.

Assume Roberta had time to delete files from her computer that may have been incriminating. She cleared out her email, Internet history, and any personal documents linking her to the crime. Therefore, you now need to look for evidence in places that most computer users don't think about. The first place you choose to look at is unallocated space. Unallocated space will contain deleted files (in part or in whole).

Launch your “Linux – Forensics” virtual machine. An image of Roberta's system has already been created for you and is located on /dev/hdb1. There is also a file, image.sha1.txt, that contains the hash value of the image.

Mount /dev/hdb1 to /mnt/evidence (you'll have to create the mount point). Notice that /mnt/evidence/lab2 contains the image file image.dd, which is from Roberta's system. The image is of a single Windows XP partition (Roberta's c: drive). Verify that the hash of the image is correct. If necessary, refer to Lab 1 for this task (Step 7).

Question 2: Could you use dd to write the image file to a new blank drive as a clone that is bootable? Why or why not?

No. The image file is of a single partition and not the entire disk. The image does not contain the Master Boot Record that would make it bootable. Running fdisk on the image will result in an error message or bogus data.

Extract Unallocated Space

You are now going to use a Linux tool called dls, which is part of the Sleuthkit forensics tool kit. With this tool you can extract unallocated data blocks to a separate file. The option -f is used to specify the file system type. Every file system contains a section on disk that is used as a road map to all the allocated blocks or clusters of that disk. On Linux this is known as the superblock and on NTFS it is known as the master file table (MFT). You will learn more about these in the section of the course on file systems. dls must read from the superblock or MFT in order to extract unallocated blocks.

# dls -f ntfs /mnt/evidence/lab2/image.dd > /mnt/evidence/lab2/image.unalloc.dls

Extract Slack Space

Step 2

The -s option of dls will extract data from slack space only. With this option, dls uses the file size recorded by the file system for every file on the disk. It then collects the data from the end of that size boundary to the end of the associated cluster.

# dls -f ntfs /mnt/evidence/lab2/image.dd -s > /mnt/evidence/lab2/image.slack.dls

Question 3: You just extracted data from slack space. Will that data also exist in the file you extracted of unallocated space? Why or why not?

No. The same data will not exist in both the unallocated and the slack space files. Unallocated data resides on clusters that are unused and free for the file system to reuse. Slack space, by contrast, is found on clusters that have been reallocated to a file.

Question 4: What do you think the difference is between slack space and slack data? Can slack data exist in unallocated space? Why or why not?

Slack space is the area on disk from the end of a file to the end of an allocated cluster. Slack data is the actual data found in that slack space, and it can still exist on unallocated clusters. Once a file containing slack is deleted, there is technically no slack space associated with that file, since the whole cluster becomes unallocated. However, the slack data associated with that deleted file remains.

Copy the Swap File

Step 3

The Windows XP swap file is found at c:\pagefile.sys. You need to mount the image file provided as a loopback device and as read only (review Lab 1, Step 9, to do this; don't forget to create a mount point). Copy the pagefile.sys file to /mnt/evidence/lab2/image.swap. Unmount the image after the swap file has been copied.

To see how much data exists in unallocated, slack and swap space:

# ls -lh /mnt/evidence/lab2/

Step 4

You need to set the permissions and compute hashes for these files. Get used to this routine!

Question 5: What permissions should be set on the unallocated, slack and swap data files? What command do you use to do this? What command do you use to append all three hashes to the file /mnt/evidence/lab2/image.sha1.txt? Be careful not to overwrite the hash of the complete image file.

Permissions should be set to read only to avoid accidental modification.

# chmod a-w /mnt/evidence/lab2/*.dls /mnt/evidence/lab2/*.swap
# sha1sum /mnt/evidence/lab2/*.dls /mnt/evidence/lab2/*.swap >> /mnt/evidence/lab2/image.sha1.txt

Extract Plaintext from Unallocated, Slack and Swap

Step 5

The unallocated, slack and swap files will contain binary data that is of no use for keyword searching. Therefore, you need to extract the data that is in plain text. This will make your files significantly smaller and faster to search. The strings command in Linux will extract printable characters from a given file. By default it looks for strings of at least 4 characters in length. You can change this default using the -n option followed by the desired number. Run the command below on your file of unallocated space.

# strings -a -t d /mnt/evidence/lab2/image.unalloc.dls > /mnt/evidence/lab2/image.unalloc.str

The option -a (all) makes sure the whole file is searched.
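The filtering step that this extraction feeds, as an added example that is not part of the lab handout: `strings -t d` prefixes each string with its decimal byte offset, so the search list from Question 1 can be matched case-insensitively against that output and each hit reported with its offset and the cluster it falls in. The sample strings output is constructed, and the 4096-byte cluster size is an assumption (the handout does not state the partition's cluster size).

```shell
#!/bin/sh
# Added example, not part of the lab handout: filter `strings -a -t d` output
# against the interview search list. Each input line is "<decimal offset> <string>",
# so a hit can be reported with its offset and the cluster it falls in.
# Cluster size is an assumption (4096 is a common NTFS cluster size on XP).

# Constructed sample standing in for a few lines of image.unalloc.str
SAMPLE_STR=$(cat <<'EOF'
  12288 Quarterly report draft
  16400 Project Boondoggle - phase 2 schedule
  20480 porsche 911 carrera pricing
  24600 From: jessie (new phone)
  28672 Roberta Hutchins
EOF
)

# Search list from Question 1; the suspect's own name is left out on purpose
SEARCH_LIST="Boondoggle Porsche Jessie Kerry Shank phone"

# filter_hits CLUSTER_SIZE "WORD WORD ..."   (strings output read from stdin)
# Prints one line per (string, keyword) match: <offset> <cluster> <keyword> <string>
# The cluster number indexes the dls output stream, not the original image.
filter_hits() {
    awk -v cs="${1:-4096}" -v list="$2" '
        BEGIN { n = split(list, words, "[ \t\n]+") }
        NF >= 2 {
            off = $1
            text = $0
            sub(/^[ \t]*[0-9]+[ \t]+/, "", text)    # drop the offset column
            lt = tolower(text)
            for (i = 1; i <= n; i++)
                if (words[i] != "" && index(lt, tolower(words[i])))
                    printf "%d %d %s %s\n", off, int(off / cs), words[i], text
        }'
}

# Demo run over the constructed sample
printf '%s\n' "$SAMPLE_STR" | filter_hits 4096 "$SEARCH_LIST"
```

Because the offsets are relative to image.unalloc.dls rather than image.dd, the reported cluster is a position within the extracted unallocated blocks; mapping it back to the original cluster needs the Sleuthkit's dcalc -u.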
