Forensic Blogs

An aggregator for digital forensics blogs

by

Data Recovery Blog 3

Imaging Hard Drives

The data recovery team has been busy making disk images for the last couple of weeks and working with a variety of unique tools. The objective of our team is to test and determine the effective means of securely deleting data. Our investigation requires a set of samples to test our techniques and programs. The creation of disk images allows us to safely do this and inspect the data without risk. How clean can a hard drive be and what do these standards look like? 

What is a Disk Image?

In a world where 95% of people own a smartphone and 85% have a computer, disk images are the norm for digital forensics and criminal justice as a whole. A disk image is a collection of the data that’s stored on a device. Programs can load these files, to display the contains of the original source material. Some of these programs include GetDataBack and Wizard Partition Recovery. Sleuth Kits like FTK Imager can often produce disk images as well.

(From left to right) GetDataBack and Wizard Partition Recovery

Why Use Disk Images?

The most important piece of a case is the evidence that will solve it. The rise of technology has made computers the easiest way to store and send data. Thus, the evidence is mostly localized to a drive and its safety becomes of the utmost importance. Data recovered from a crime scene is volatile and extremely sensitive. Investigators cannot go into the device haphazardly or they run the risk of altering critical data. Altered data is unusable in court, thus data integrity and movement are heavily documented and preserved. However, in conjunction with other investigative devices, disk images allow users to access the data without risk of invalidating the evidence. They also allow an investigator to look through the data without the physical components, allowing easy access and transportation. Not only can disk images come from computers and hard drives, but also from phones and tablets.

The downside to disk images is that files are often quite large, but this depends on the size of the storage device they were made from. Compression usually mitigates this problem, but frequently, the disk images will keep the exact same size as the device being copied. This presents more problems, such as the amount of time it takes to create the file. The means of transportation also pose a problem unless there is another hard drive or cloud storage that is the same size or larger.

Benefits of File Hashing

Every detail of digital evidence is unique and valuable to digital forensic analysts and the law. Even an edit as small as changing a character then changing it back could make the data unusable in court. This is due to the creation of hash files and how they ensure validity. File hashing is the process of creating a code for a file that’s linked to the file itself. If any changes happen, including the opening, copying, pasting, or moving of a file, the hash value will change. This ensures the integrity of the evidence, even if there is no way someone could tell that a change had been made. This code is one way generated, meaning nothing can glean data from the code. Standalone programs found on the internet can generate this code. Integrating file hashing it into programs can generate this code while also completing some other function.

(From left to right) The program File Hasher in standby and File Hasher in progress

The program above is an example of a file hasher, aptly called “file hasher”. It takes the file from the user then generates a code based on the size and order of the characters in the file. This is how it ensures that there have been absolutely no changes to the order of the code. These changes can occur even when moving or copying the image.

The method of creating this code is not universal, and there are many types and methods of hash algorithms. The most popular are MD5 and SHA1, which generate a 40 digit long code. Other types of hash algorithms include RIPEMD, Whirlpool, and Blake, which all vary in the length of the code as well as the structure of the output. Though SHA1 is no longer considered safe for government use, it is still a very effective and safe method to ensure the safety of noncritical data.       

Write Blockers

As previously mentioned, the hash code changes for all interactions with it. That of course raises the question: How do you copy the data from the device without changing the hash code? The answer is a device called a write blocker, which allows the user to move or copy evidence from a hard drive onto a computer without changing the data. It does this by blocking commands from the computer that attempt to change the data on the device. This preserves integrity for the investigators and allows them to create the hard drive image. This only lets the user read and move the files. Write blockers do not prevent changes in computer data, though. This means data intentionally or unintentionally changed on the computer is still not viable.

Data recovery is the future of criminal justice and the better understanding we have of the technology used, the easier it is to understand what does and does not work. Data recovery programs allow easy access to data and allow the performance of digital investigations without a hitch. Write blockers may not always be a professional tool with limited public access. We believe the future will be more accustomed to these practices, making data easier and safer to store. To stay updated with the conclusion of our project, check out our Twitter, Instagram, and Facebook!

The post Data Recovery Blog 3 appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

by

Building a Visualization Tool for mac_apt

Matthew Goldsborugh / Daniel Hellstern

Image of mac_apt results

Introduction

An important part of any forensic investigation is to find indicators left behind by an attacker on a compromised computer. This process can be very difficult, especially when the attacker takes steps to hide their tracks. Software that finds these artifacts as possible already exists, but our project revolves around one of them: mac_apt. 

mac_apt is an open-source collection tool for macOS devices, created by Yogesh Khatri. The tool collects everything from known WiFi networks to old print jobs and paired Bluetooth devices. Unfortunately, mac_apt outputs a lot of raw data, which is often difficult to go through by hand. That’s why we’re working on building a tool to help investigators find important artifacts among those discovered by mac_apt.

Design goals

The primary goal of the mac_apt graphical user interface (GUI) is to augment what’s available with existing tools like EnCase. Investigators use these tools to analyze artifacts and find which could be compromising. The mac_apt GUI will work to provide a better experience when analyzing macOS artifacts.

We have made significant progress since we began this project. In 8 weeks, we chose a Python GUI framework that would fit our needs, designed the basic structure and elements of the GUI, and have implemented many of the desired features.

Our main obstacle thus far has been the limitations of the wxPython framework that we chose. Features such as infinite scrolling and dynamic widget resizing are not built into the framework. Implementing these features ourselves would require a significant amount of time. We have opted instead to focus our attention on getting other elements of the GUI up and running before committing our time to those features.

Our team has been using the Python sqlite3 database API to pull the relevant data from the mac_apt databases using SQLite queries. The program converts the data into a human readable format and populates it into a table. We are now working hard to make the table user friendly with features like sorting, filtering, and column manipulation.

We have also been working on the text and hexadecimal preview window to display the contents of individual cells. While displaying the contents of a cell was simple, dealing with the “Source” column of our data tables has proven more difficult. The source column holds the file path of the file from which the table data was collected. Our goal has been to display the contents of the source file in a human readable format. The difficulty arises from the many different file formats represented in the database. The previewer must handle text, plist, sqlite, history, gz, xml, and kext file type and convert them into human readable and hex formats. Currently we are having trouble getting the hex viewer to display the corresponding ASCII character for some hex values.

Conclusion

With most of the basic components of the mac_apt GUI working, the next step is to implement more advanced features to make the GUI more user-friendly. We would like to add a file system tree, advanced searches, copying cell data to clipboard, and the ability to open source files in another application. Eventually, we hope to build a powerful, user-friendly tool that investigators can rely on to whittle down collected data to exactly what they need.

The post Building a Visualization Tool for mac_apt appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

by

Intrusion into the IoT: The Final Blog

D-Link intrusion footage screenshot Recap: Intrusion Blogs 1/2

In last month’s blog, the IoT Intrusion team hit a major roadblock with the TP-Link Kasa camera, but were able to overcome it through research into Man in the Middle Attacks. Now, armed with more knowledge than before, our team pressed on to new devices. We moved much faster this month than last. We started investigations into the intrusion of two devices, one of which we completed. These devices proved to be good subjects for investigation, but there are so many at the LCDI that we would have liked to look into. Hopefully, the end of the year does not bring the end of the project.

Picture of the D-Link DCS 5030L

D-Link DCS 5030L

After our struggles with the TP-Link, the team decided to work on a different IoT security camera: the D-Link DCS 5030L. We were originally attracted to this device by a statement that the FTC put out saying that D-Link needs to increase their security in order to market themselves as offering, “advanced network security.” This gave us hope that the device might not be secure. This proved to be true, as we were able to exploit features letting users control their camera from a browser. We were able to gain access to all elements of the camera. We were able to change the password as well as view a live feed.

Malicious Intrusion Opportunity

Through this, we were able to brainstorm all the ways a malicious hacker could use this intrusion to their advantage. They could hold the device for ransom and require the owner to pay in order to regain access. An attacker could physically break into a room that had one of these cameras in it and then upon leaving erase the camera footage from the SD card. The quick success that our team had the D-Link camera allowed us to move on to another device this month. 

picture of the WeMo Insight Switch

WeMo Insight Switch 

The next device we decided to work on was the WeMo Insight Switch from Belkin. This device showed up on our radar as a potential subject back in our initial research phase of the project. A serious issue with the device was reported by Bitdefender saying that they had discovered a vulnerability that the switch leaks out wifi passwords. This was based on research done by McAfee that found a vulnerability in the UPnP ports listening on the local network in the device. Our team wants to see what we can do with this information on the device. We have it all set up and ready to test.

The Future of IoT Intrusion

Although this may be the team’s final blog post, this is not the end of our project. We still have a few more weeks scheduled at the Leahy Center. After we attempt our intrusion on the WeMo Insight Switch, we will complete our final report. Make sure to look out for that here when it is published. As our project comes to a close, we ponder what the future may hold. We were only able to scratch the surface of this very in depth and involved line of research. That said, we hope this project laid the groundwork for future research.

Stay up to date with Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI so you always know what we’re up to!

The post Intrusion into the IoT: The Final Blog appeared first on The Leahy Center for Digital Forensics & Cybersecurity.