Forensic Blogs

An aggregator for digital forensics blogs

April 30, 2020 by LCDI

Building a Visualization Tool for mac_apt

Matthew Goldsborugh / Daniel Hellstern


Introduction

An important part of any forensic investigation is finding the indicators an attacker leaves behind on a compromised computer. This can be very difficult, especially when the attacker takes steps to hide their tracks. Software that finds these artifacts already exists, and our project revolves around one such tool: mac_apt.

mac_apt is an open-source collection tool for macOS devices, created by Yogesh Khatri. The tool collects everything from known WiFi networks to old print jobs and paired Bluetooth devices. Unfortunately, mac_apt outputs a lot of raw data, which is often difficult to go through by hand. That’s why we’re working on building a tool to help investigators find important artifacts among those discovered by mac_apt.

Design goals

The primary goal of the mac_apt graphical user interface (GUI) is to augment what is available in existing tools like EnCase. Investigators use these tools to analyze artifacts and determine which of them could be compromising. The mac_apt GUI will work to provide a better experience when analyzing macOS artifacts.

We have made significant progress since we began this project. In 8 weeks, we chose a Python GUI framework that would fit our needs, designed the basic structure and elements of the GUI, and have implemented many of the desired features.

Our main obstacle thus far has been the limitations of the wxPython framework that we chose. Features such as infinite scrolling and dynamic widget resizing are not built into the framework. Implementing these features ourselves would require a significant amount of time. We have opted instead to focus our attention on getting other elements of the GUI up and running before committing our time to those features.

Our team has been using the Python sqlite3 database API to pull the relevant data from the mac_apt databases using SQLite queries. The program converts the data into a human readable format and populates it into a table. We are now working hard to make the table user friendly with features like sorting, filtering, and column manipulation.

We have also been working on the text and hexadecimal preview window to display the contents of individual cells. While displaying the contents of a cell was simple, dealing with the “Source” column of our data tables has proven more difficult. The Source column holds the path of the file from which the table data was collected, and our goal has been to display the contents of that source file in a human readable format. The difficulty arises from the many different file formats represented in the database: the previewer must handle text, plist, sqlite, history, gz, xml, and kext file types and convert each of them into human readable and hex formats. Currently we are having trouble getting the hex viewer to display the corresponding ASCII character for some hex values.
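The previewer described above, as an added example that is not mac_apt's or the LCDI GUI's own code: it reads rows from a mac_apt-style SQLite database with the sqlite3 module, identifies the source-file format from leading magic bytes, and renders a cell or file as a hex/ASCII dump. The ASCII column is where hex viewers usually go wrong, because bytes outside the printable ASCII range (control characters, 0x7f, and every byte of a multi-byte UTF-8 sequence) have no single printable character; the conventional fix is to show them as a dot. The table name, column names and rows are constructed sample data, not real mac_apt output.

```python
"""Hex/ASCII preview for cells and source files pulled from a mac_apt-style
SQLite database. Added example; the sample table below is constructed."""
from __future__ import annotations

import gzip
import sqlite3
import string

# Bytes that have a one-character ASCII glyph. string.printable also contains
# whitespace controls (\t \n \r \v \f), which would break the dump's layout.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")

# Leading magic bytes of the source-file formats the previewer must recognise.
SIGNATURES = [
    (b"bplist00", "plist"),            # binary property list
    (b"SQLite format 3\x00", "sqlite"),
    (b"\x1f\x8b", "gz"),
    (b"<?xml", "xml"),                 # XML plists start this way too
]


def hexdump(data: bytes, width: int = 16) -> str:
    """Classic offset / hex / ASCII dump; non-printable bytes render as '.'."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        lines.append(f"{offset:08x}  {hex_part}  |{ascii_part}|")
    return "\n".join(lines)


def cell_bytes(value) -> bytes:
    """Normalise a sqlite3 cell value (None, str, int, float, BLOB) to bytes."""
    if value is None:
        return b""
    if isinstance(value, (bytes, memoryview)):
        return bytes(value)
    return str(value).encode("utf-8")  # e.g. 'Café' -> 43 61 66 c3 a9


def detect_format(data: bytes) -> str:
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    if all(b in PRINTABLE or b in b"\t\n\r" for b in data):
        return "text"
    return "binary"


def preview_source(data: bytes) -> tuple[str, bytes]:
    """Return (format, bytes to display). gzip sources are decompressed first."""
    fmt = detect_format(data)
    if fmt == "gz":
        data = gzip.decompress(data)
    return fmt, data


def list_tables(conn: sqlite3.Connection) -> list[str]:
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return [r[0] for r in rows]


def load_table(conn: sqlite3.Connection, table: str):
    """Return (column names, rows). The table name comes from sqlite_master,
    so it is quoted as an identifier rather than bound as a parameter."""
    quoted = '"' + table.replace('"', '""') + '"'
    cur = conn.execute(f"SELECT * FROM {quoted}")
    return [d[0] for d in cur.description], cur.fetchall()


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a mac_apt output database (hypothetical rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Wifi (SSID TEXT, Source TEXT)")
    src = "/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist"
    conn.executemany("INSERT INTO Wifi VALUES (?, ?)",
                     [("HomeNet", src), ("Caf\u00e9 Guest", src)])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    cols, rows = load_table(db, list_tables(db)[0])
    print(cols)
    for row in rows:
        print(hexdump(cell_bytes(row[0])))
    # A constructed binary-plist header, as the Source previewer would see it
    print(preview_source(b"bplist00\xd1\x01\x02")[0])
```

Running the block dumps the "Café Guest" cell as `43 61 66 c3 a9 ...` with the ASCII column reading `Caf.. Guest`: the two UTF-8 bytes of "é" each become a dot rather than being decoded as Latin-1 or raising an error, which is the behaviour a hex viewer needs for arbitrary binary sources.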

Conclusion

With most of the basic components of the mac_apt GUI working, the next step is to implement more advanced features to make the GUI more user-friendly. We would like to add a file system tree, advanced searches, copying cell data to clipboard, and the ability to open source files in another application. Eventually, we hope to build a powerful, user-friendly tool that investigators can rely on to whittle down collected data to exactly what they need.

The post Building a Visualization Tool for mac_apt appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

Read the original at: The Leahy Center for Digital Forensics & Cybersecurity. Filed Under: Digital Forensics, Uncategorized. Tagged With: Application Analysis, Blog Post, Digital forensics, Encase, GUI, mac_apt, Student projects, Student Work, tools

October 18, 2019 by LCDI

Recovery of Data Fall Blog 1

Data Recovery Project Goal

This semester, The Leahy Center for Digital Investigation created a project to solve issues related to data recovery. This project shows that the average user often does not truly delete their data, and that it is possible to recover this data without spending money on high end tools, such as EnCase and Axiom. These are tools which range from $1,700 to $4,800 a year. The Data Recovery Team at the LCDI has researched free tools that anyone can use to recover deleted files, whether you are someone who has erased files they need or the next owners of a poorly wiped drive. 

Is data ever “deleted”?

PC hard drives often contain data known as Personally Identifiable Information, or PII. This includes names, credit card numbers, addresses and other information important to one’s personal life. This is why true data deletion is so important. The average user doesn’t understand that they’re not actually deleting their data. The fact that this data is not always deleted is what can lead to the leak of the user’s PII when they sell the drive. One can truly delete their data by using the common standards for wiping drives.  

Visual vs Actual Deletion

Many people assume that they are deleting a file when it is no longer visible (for example, once it is in the recycle bin). This is never the case. After dragging the file to the bin, the user still needs to empty it, and even once the bin is emptied the file has not actually been deleted. Dragging a file to the Recycle Bin only removes the user's link to that file. The user has hidden the data, not deleted it, and it stays available on the computer until that part of the hard drive is overwritten by other files.

Proper Data Recovery Services

To achieve proper data deletion, one needs to use common drive wiping standards, such as US DoD 5220.22-M. This standard implements a three-pass system, working as follows:

First pass: Overwrite all addressable locations with binary “zeroes”.
Second pass: Overwrite all addressable locations with binary “ones”.
Third pass: Overwrite all addressable locations with a random bit pattern.
Finally, verify the final overwrite pass.

Another common standard for deleting data is the NIST method. This method describes different types of sanitization for drives, and recommends using more than one type.
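The three-pass overwrite-and-verify sequence listed above, carried out on a file as an added example (this is not the standard's own text or the Data Recovery Team's code). The zero and one passes are trivial; the point worth showing is the verify step, which needs to reproduce the random third-pass pattern without storing a copy of it, so the random stream is seeded from the OS random source and regenerated for the comparison. The marker content in the demo is constructed.

```python
"""Three-pass overwrite (zeroes, ones, random) followed by verification of the
final pass, applied to a file. Added example; the demo file content is constructed."""
import os
import random
import secrets
import tempfile

BLOCK = 4096  # bytes written or compared per chunk


def _random_stream(seed: int):
    """Return a function producing the next n bytes of a reproducible stream.
    Same seed and same chunk sizes give the same bytes, which is what lets the
    verify step regenerate the third-pass pattern. random.Random is a PRNG,
    acceptable for a wipe pattern; it is seeded from secrets, not from time."""
    rng = random.Random(seed)
    return lambda n: rng.getrandbits(8 * n).to_bytes(n, "big")


def _overwrite(f, size: int, pattern) -> None:
    """Write pattern(n) chunks from offset 0 until `size` bytes are covered."""
    f.seek(0)
    done = 0
    while done < size:
        n = min(BLOCK, size - done)
        f.write(pattern(n))
        done += n
    f.flush()


def _verify(f, size: int, pattern) -> bool:
    """Read the file back and compare every chunk against pattern(n)."""
    f.seek(0)
    done = 0
    while done < size:
        n = min(BLOCK, size - done)
        if f.read(n) != pattern(n):
            return False
        done += n
    return True


def three_pass_wipe(f, size: int) -> bool:
    """DoD 5220.22-M style: zeroes, ones, random, then verify the random pass.
    Returns True only if every byte read back matches the final pattern."""
    seed = secrets.randbits(128)
    _overwrite(f, size, lambda n: b"\x00" * n)    # first pass: binary zeroes
    _overwrite(f, size, lambda n: b"\xff" * n)    # second pass: binary ones
    _overwrite(f, size, _random_stream(seed))     # third pass: random bit pattern
    return _verify(f, size, _random_stream(seed))  # verify the final pass


def wipe_file(path: str) -> bool:
    """Overwrite an existing file in place and force the writes to the device."""
    with open(path, "r+b") as f:
        size = os.fstat(f.fileno()).st_size
        ok = three_pass_wipe(f, size)
        os.fsync(f.fileno())
    return ok


def wipe_temp_demo() -> dict:
    """Constructed demo: write a recognisable marker to a temp file, wipe it,
    and report whether the wipe verified and the marker is gone."""
    marker = b"ACCOUNT-NUMBER-0000" * 300   # constructed sample PII-like content
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(marker)
        verified = wipe_file(path)
        with open(path, "rb") as f:
            after = f.read()
    finally:
        os.unlink(path)
    return {
        "verified": verified,
        "size_unchanged": len(after) == len(marker),
        "marker_gone": marker[:19] not in after,
    }


if __name__ == "__main__":
    print(wipe_temp_demo())
```

Two caveats a practitioner would attach to this. First, overwriting a file through the filesystem only covers the blocks currently mapped to that file, not earlier copies left in free space or journals, which is why the standards above are stated in terms of all addressable locations on the drive. Second, overwrite-based methods assume the medium writes in place; on SSDs and other flash media, wear levelling means the controller may leave old copies untouched, so NIST SP 800-88 treats overwriting flash as "clear" at best and points to the drive's built-in sanitize or cryptographic-erase commands for a "purge".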

Who Cares?


One of the most important questions that we at the Data Recovery Team ask is: why does any of this matter? This information can help users protect their PII, whether by teaching them how to delete their data or by teaching them how to recover it. It means that a normal user could recover their data without having to spend a lot of money. We understand that accidents happen and data may get erased unintentionally. Hopefully, with the information this project will provide, users can retrieve their own lost data.

Be sure to look for future posts and stay up to date with Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI!


The post Recovery of Data Fall Blog 1 appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

Read the original at: The Leahy Center for Digital Forensics & Cybersecurity. Filed Under: Digital Forensics, Uncategorized. Tagged With: Blog Post, computer forensics, Data, Data Recovery, data security, Digital forensics, Encase, forensics, Projects, Senator Leahy Center for Digital Investigation, Student Work, Tips, tools

December 10, 2018 by LCDI

Tool Evaluation Team – Autopsy Blog 3


Madi Brumbelow & Lyall Rogers

Testing Autopsy

For the last 3 months we’ve researched all about Autopsy: how to use it, how it compares to other tools, and how to analyze forensic images with it. Now the results are in, and you can see them in our final report. We tested our tools on time taken for analysis, user friendliness, and effectiveness in identifying artifacts, especially with keyword search. The team searched for keywords related to our scenario, the main one being “cyanide”. Autopsy was effective in finding web artifacts, but deleted files relating to cyanide did not show up in its keyword searches. They could still be found manually, whereas other tools, specifically EnCase, turned them up automatically in keyword searches.

A New Way to Search

Finishing the report wasn’t without its own surprises. As we were finishing up the search functions portion of the report, we took a final look at the tools section of Autopsy and discovered something peculiar. A new way to complete searches: File Search by Attributes.

File Search by Attributes does what you would expect from a keyword search: it goes through the entire image and finds everything pertaining to a specific keyword, which in the case of this sample image was cyanide. We spent weeks trying to figure out why we couldn’t search anything outside of the web history, and lo and behold, the answer was in the Tools tab the entire time. Not only would it search the whole file, but it gave us the same number each and every time we ran it. Unlike the normal keyword search, this tool had consistent results, but it was hard to find within Autopsy. Thankfully we found it before our report was finished, because now we are confident we truly know the ins and outs of Autopsy.

Reflection

Overall, we’re glad that we chose Autopsy to explore this semester. It’s an interesting tool, and very powerful considering it comes in at the low price of free! Our investment in the program has definitely paid off. Lyall is using it for personal use now, and Madi has to use it for her final project in a class. Turns out choosing a tool because its icon is a dog was the right path to take!


The post Tool Evaluation Team – Autopsy Blog 3 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation. Filed Under: Digital Forensics, Uncategorized. Tagged With: Analysis, artifacts, Autopsy, Blog Post, Champforensics, Champlain College, computer forensics, Digital forensics, Encase, files, LCDI, Projects, Student Work, tools, Update, web
