Forensic Blogs

An aggregator for digital forensics blogs

by

Overview of Content Published in April

Here is an overview of content I published in April:

Blog posts:

April 1st 2020: FlashPix File With VBA Code Video: GNU Radio Companion: Acoustic Beats Update XORSearch Version 1.11.3 Update: zipdump.py Version 0.0.17 Update: zipdump.py Version 0.0.18 Analyzing Malformed ZIP Files Update: xmldump.py Version 0.0.6 Update: hex-to-bin.py Version 0.0.5 Update: python-per-line.py Version 0.0.7 Handling Diacritics Quickpost: My SpiderMonkey’s Cheat Sheet NVISO Innovation Coin Update: zipdump.py Version 0.0.19

YouTube videos:

YARA: Ad Hoc Rules GNU Radio Companion: Acoustic Beat GNU Radio Companion: Simple Filters GNU Radio Companion: .WAV File zipdump.py: Malformed .docm File

Videoblog posts:

GNU Radio Companion: Acoustic Beats YARA: Ad Hoc Rules GNU Radio Companion: Simple Filters GNU Radio Companion: .WAV File zipdump.py: Malformed .docm File

SANS ISC Diary entries:

New Bypass Technique or Corrupt Word Document? Password Protected Malicious Excel Files Wireshark 3.2.3 Released: Mac Users Pay Attention Please Reader Analysis: “Dynamic analysis technique to get decrypted KPOT Malware.” KPOT Analysis: Obtaining the Decrypted KPOT EXE KPOT AutoIt Script: Analysis MALWARE Bazaar Video: Malformed .docm File

NVISO blog posts:

Video: Attack Surface Reduction (ASR) Bypass using VBA

by

Mac OS X Forensics Final Update

ewrtfreter

Intro

Mac OS X Yosemite and El Capitan have both been available to Mac users for a while now. As such, many users have updated their systems to at least one of the two versions of the OS X operating system. El Capitan has brought several new updates to OS X especially in terms of the default Apple apps. However, in terms of forensic artifacts it was fairly similar to OS X Yosemite with a few changes noted, but most of the artifacts remained the same.

It has been a while since the last time we reported on our progress. During that time period we finished examining the two operating systems and compiled spreadsheets containing the artifact locations. Then we generated a final report that will be available at “Mac Forensics Report” (Link to the final report). Overall the two versions of OS X were very similar and only had a few minor differences.

Analysis

The last time we update our progress we had just completed data gen and imaging of both the OS X Yosemite and El Capitan machines. We are happy to report that we finished our examination of the two images and were able to compile a list of artifact locations for both Yosemite and El Capitan. The lists contained many different artifacts ranging from application specific artifacts to system configuration files. Most of the artifacts that we located were user specific while a few were machine specific.

Once we had created the spreadsheets of the artifact locations we then compared them to determine what artifacts were different between Yosemite and El Capitan. We determined that the two versions were very similar and only a few artifacts had moved to new locations in El Capitan. However, through our analysis and comparison we were unable to locate some artifacts. We broke theses artifacts into two groups, obsolete and missing. Obsolete artifacts were determined if neither versions of the operating system had that artifact. Missing artifacts were determined if the artifact should have been generated during data gen but was still missing. In the end we created a comprehensive list of artifacts and their locations. This list can be found in our final report.

We created our final report using google docs so that we could all edit it at the same time. This led to a few problems, seeing as Microsoft Word and Google Docs do not keep the same formatting. This led us to have a few headaches further down the line. As a result, we had to type everything in Google Docs and then import it manually into Word in order to obtain the proper formatting that we were seeking. Once that was completed we then had to import all of our spreadsheets containing the artifact locations and format them to fit the theme of the final report as well. In the end we had created a nice report that looks great and has detailed information about the artifact locations for both OS X Yosemite and El Capitan.

With our final report completed we are now officially done with this project, at least for now. Our final report details specifically our methods and outcomes of our research. It goes into depth about what artifacts were determined to be new, obsolete, and what artifacts we expected to find but were unable to. Research into operating systems is never complete and further work can always be completed to enhance the available knowledge base and resources available.

Conclusion

Overall we determined a lot about the artifacts in both OS X Yosemite and El Capitan. We were able to overcome some of the difficulties of using virtual machines by using two separate iMacs to conduct our data gen. In general, Yosemite was very similar to the last project that we conducted at the LCDI. Almost all of the artifacts from last year’s research into Yosemite were exactly the same. The artifact locations in El Capitan were very similar to those in Yosemite. We only found a handful of artifacts in new locations and a few artifacts were unable to be located in El Capitan that we found in Yosemite. The largest change from Yosemite to El Capitan was with the mail application, and many of the artifact paths had changed. The two versions of OS X are very similar, but there is always more research to be done.

Our team made great progress in determining the default locations for artifacts in both OS X Yosemite and El Capitan. We were able to overcome several struggles associated with using a VM that earlier research encountered, but we still missed a few key pieces of software such as Microsoft Office. Further research could be conducted into applications that we missed in our data gen. We were unable to locate a few of the artifacts that should have been generated, and as such, further research could be conducted to determine if those artifacts are obsolete or where they are located in the current versions of the OS. It is also important to stay up to date with the current versions of operating systems. They are always being updated and this research needs to be conducted every time an OS is updated.

We look forward to updating you on our future projects here at the LCDI. Please take a look at our “final report”(Link to final report) on this project to get a more in depth look at the default artifacts in OS X Yosemite and El Capitan. If you have questions or comments about the project, you can leave a comment, or contact the LCDI via Twitter @ChampForensics, or via email at lcdi@champlain.edu.

The post Mac OS X Forensics Final Update appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

by

Data Recovery Blog 3

Imaging Hard Drives

The data recovery team has been busy making disk images for the last couple of weeks and working with a variety of unique tools. The objective of our team is to test and determine the effective means of securely deleting data. Our investigation requires a set of samples to test our techniques and programs. The creation of disk images allows us to safely do this and inspect the data without risk. How clean can a hard drive be and what do these standards look like? 

What is a Disk Image?

In a world where 95% of people own a smartphone and 85% have a computer, disk images are the norm for digital forensics and criminal justice as a whole. A disk image is a collection of the data that’s stored on a device. Programs can load these files, to display the contains of the original source material. Some of these programs include GetDataBack and Wizard Partition Recovery. Sleuth Kits like FTK Imager can often produce disk images as well.

(From left to right) GetDataBack and Wizard Partition Recovery

Why Use Disk Images?

The most important piece of a case is the evidence that will solve it. The rise of technology has made computers the easiest way to store and send data. Thus, the evidence is mostly localized to a drive and its safety becomes of the utmost importance. Data recovered from a crime scene is volatile and extremely sensitive. Investigators cannot go into the device haphazardly or they run the risk of altering critical data. Altered data is unusable in court, thus data integrity and movement are heavily documented and preserved. However, in conjunction with other investigative devices, disk images allow users to access the data without risk of invalidating the evidence. They also allow an investigator to look through the data without the physical components, allowing easy access and transportation. Not only can disk images come from computers and hard drives, but also from phones and tablets.

The downside to disk images is that files are often quite large, but this depends on the size of the storage device they were made from. Compression usually mitigates this problem, but frequently, the disk images will keep the exact same size as the device being copied. This presents more problems, such as the amount of time it takes to create the file. The means of transportation also pose a problem unless there is another hard drive or cloud storage that is the same size or larger.

Benefits of File Hashing

Every detail of digital evidence is unique and valuable to digital forensic analysts and the law. Even an edit as small as changing a character then changing it back could make the data unusable in court. This is due to the creation of hash files and how they ensure validity. File hashing is the process of creating a code for a file that’s linked to the file itself. If any changes happen, including the opening, copying, pasting, or moving of a file, the hash value will change. This ensures the integrity of the evidence, even if there is no way someone could tell that a change had been made. This code is one way generated, meaning nothing can glean data from the code. Standalone programs found on the internet can generate this code. Integrating file hashing it into programs can generate this code while also completing some other function.

(From left to right) The program File Hasher in standby and File Hasher in progress

The program above is an example of a file hasher, aptly called “file hasher”. It takes the file from the user then generates a code based on the size and order of the characters in the file. This is how it ensures that there have been absolutely no changes to the order of the code. These changes can occur even when moving or copying the image.

The method of creating this code is not universal, and there are many types and methods of hash algorithms. The most popular are MD5 and SHA1, which generate a 40 digit long code. Other types of hash algorithms include RIPEMD, Whirlpool, and Blake, which all vary in the length of the code as well as the structure of the output. Though SHA1 is no longer considered safe for government use, it is still a very effective and safe method to ensure the safety of noncritical data.       

Write Blockers

As previously mentioned, the hash code changes for all interactions with it. That of course raises the question: How do you copy the data from the device without changing the hash code? The answer is a device called a write blocker, which allows the user to move or copy evidence from a hard drive onto a computer without changing the data. It does this by blocking commands from the computer that attempt to change the data on the device. This preserves integrity for the investigators and allows them to create the hard drive image. This only lets the user read and move the files. Write blockers do not prevent changes in computer data, though. This means data intentionally or unintentionally changed on the computer is still not viable.

Data recovery is the future of criminal justice and the better understanding we have of the technology used, the easier it is to understand what does and does not work. Data recovery programs allow easy access to data and allow the performance of digital investigations without a hitch. Write blockers may not always be a professional tool with limited public access. We believe the future will be more accustomed to these practices, making data easier and safer to store. To stay updated with the conclusion of our project, check out our Twitter, Instagram, and Facebook!

The post Data Recovery Blog 3 appeared first on The Leahy Center for Digital Forensics & Cybersecurity.