Nick's Blog

Skypeex - additional comments

I've had some very good feedback about the Skypeex tool and I appreciate all your comments.

One or two have not really seen the point of the tool, as there are plenty of Skype log viewers around, such as those from Nirsoft and Skypr. I will repeat what I posted on the LinkedIn discussion board.

"The Nirsoft tool, and others, are log viewers, and this presupposes that you have access to the disk/logs. A covert live acquisition will often just take RAM and other volatile data; RAM may be taken before the plug is pulled, only to discover that the disk is full disk encrypted or that the logs are in a TrueCrypt container. The user could even be using 'Portable Apps' Skype on a USB key, which would mean no log files at all on the disk; however, the data could still be in RAM.

This little tool is not meant to be a replacement for the excellent chat log viewers out there but provides a way of getting the data from RAM where circumstances dictate."

I'm working on an improved version where Strings isn't needed and hope to have that sorted in the next couple of weeks.

Posted on 11 March 2010 | 3:41 pm


Skype Chat Carver from RAM - Skypeex

Well I was going to keep testing but it just seems to keep working, so here it is in version 0.5.

Download

I’ve been teaching my RAM analysis course for about a year now and enjoy working with Volatility and some other open source tools. I’ve been making use of Jeff Bryner's cool little Python script (http://www.jeffbryner.com/code/pdgmail) to extract Gmail artifacts and was motivated to do the same for Skype chat and any other Skype artefacts that might be hanging around in a RAM dump.

The only problem was that, although I’ve done a bit of programming in the past, Python was a long hissy thing you wouldn’t want to meet on a dark night. Having gone through the pain of programming ‘Hello, world’, simple Pokemon text games for my lad and tedious maths exercises, I’ve actually managed to produce something meaningful.

The idea is to extract Skype chat lines with their associated meta-data, which includes timestamps, the Skype names in the conversation and the author etc.

The complete Skype line in RAM starts with the magic value ‘INTO Messages’, followed by the column headers and then the values of the chat line, including the chat body.

This is very much work in progress but will simply do the following:-

1. Run Strings against your RAM dump
2. Run the Skypeex tool against the resulting Strings file
3. It will carve out all the Skype chat lines it can see as well as trying to find and extract all the Skype sessions and ‘orphan’ chats that have been created.

It’s interesting to note that the latter process even seems to find the ‘spam’ message sessions that you sometimes receive.

This has been tested on dump files from Windows XP SP2 and SP3 with Skype 3.8 through 4.2.
I don't currently have a Windows 7 box up and running; if anyone has one available, please let me know.

Please do not hesitate to get in touch with ideas and improvements.

Usage:

There are 2 versions in the zip file.

skypeex.py is designed for use under Python 3.1.1 and above

skypeex26 is designed for use under Python 2.6

Due to changes with several commands between 2.6 and 3 they are not interchangeable, although the differences in this code are only in the input and print lines.
For best testing results, have several Skype IM chats with friends and then image your RAM. On a Windows box, use any tool to grab RAM (tested on Win XP SP2/3):

I recommend Win32dd (or Win64dd) from Matthieu Suiche - http://windd.msuiche.net/

Run strings against the RAM image (e.g. a Windows version can be found in the Helix distro):
example: strings c:\ramdump.dd > c:\stringsout.txt

On a Linux box do:
strings ramdump.dd > stringsout.txt

Script usage -
From a command shell, run python skypeex.py and then, when prompted, simply provide the path to the strings output file.

The output files will be written to the folder where the script is run from. The output is a CSV file with chats (including headers) and a txt file with extracted Skype sessions and carved orphan chats. Please expect many duplicates and some false positives.

In the CSV file the 'Timestamp' column is the date and time of the message in UNIX time. Sorting on this column gives you a timeline of messages. I'm writing a UNIX time decoder but it doesn't work yet.

The primary message content is in the 'body_xml' column.

Code:

The key elements of the code are:-

def extract(text, sub1):
    # return everything after the last occurrence of sub1
    return text.split(sub1)[-1]

if "INTO Messages" in line:
    str2 = extract(line, 'VALUES (')  # the comma-delimited column values

This searches for the magic value, strips out the rubbish and returns the comma-delimited values we are interested in. These include:-

Chatname – the initiator and recipient of the session
Timestamp – The time and date the message was sent in UNIX time
Author – the sender of the message
From_dispname – the screen name being used by the sender
Body_xml – the body of the message, can slip into the chat_msg column
GUID – session identifier

Next:

if "#" in line and "/$" in line:
    outfile.write(line)
    nxt = next(data)  # the following line often holds the chat text itself
    outfile.write(nxt)

This time we look for the existence of the # and /$ characters in the same line. This refers to the pattern written to RAM of each Skype session, which looks like this:

#nfurneaux/$bennyboy1982;810b0fd9ef04db08

This shows the 2 persons in the Skype session, with the first name being the initiator of the conversation. I’m still trying to figure out the hex value at the end, but it seems to be a GUID session number; if you have any ideas, let me know.

Sometimes we recover session lines like the following:

#bennyboy/$nfurneaux;9fa7c85b71354392Jd1bbennyboy1982Ben Brown
#andyw/$nfurneaux;9fa7c85b71354392Jd1TnfurneauxNick Furneaux

We are able to see the actual Skype name as well as the screen name being used during the session. The cool thing is that we also grab the next line, which often includes actual chat associated with the recovered session. Hence we capture:-

#bennyboy/$nfurneaux;8f915423c984767aJ[VonfurneauxNick Furneaux
ok quite close
# bennyboy /$nfurneaux;8f915423c984767aJ[bennyboy Ben Brown
Aug 23
# bennyboy /$nfurneaux;8f915423c984767aJ[VQnfurneauxNick Furneaux
when are you presenting at HTCIA
# bennyboy /$nfurneaux;8f915423c984767aJ[bennyboy Ben Brown

Interestingly, this conversation is carved in reverse. We can ascertain that bennyboy started the conversation but see the sender in the second part of the session line, followed by the chat.
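As an added illustration of the two searches described above (this is not the Skypeex code and was not written by Nick), the following Python script maps each INTO Messages row to its column names, decodes the UNIX timestamp, and parses the '#initiator/$recipient;guid' session markers together with the line that follows each one. The column names are read from the row itself rather than assumed; the sample strings output is constructed, and the assumption that the marker's hex value is exactly 16 hex digits is mine, not the original's.

```python
"""Carve Skype chat rows and session markers from a strings(1) dump.

Added example, not the Skypeex code. The sample lines and the
'#initiator/$recipient;<16 hex>' marker layout are assumptions taken
from the blog post's description of what appears in RAM.
"""
import csv
import re
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Tuple

MAGIC = "INTO Messages"

# Session marker as described in the post; whatever bytes follow the hex
# value are kept as an opaque trailer rather than interpreted.
SESSION_RE = re.compile(
    r"^#\s*(?P<initiator>[^\s/]+)\s*/\$(?P<recipient>[^;]+);"
    r"(?P<guid>[0-9a-f]{16})(?P<trailer>.*)$"
)

# Constructed stand-in for 'strings ramdump.dd' output (not real RAM data).
SAMPLE_STRINGS = """\
random junk line
INSERT INTO Messages (chatname, timestamp, author, from_dispname, body_xml, guid) VALUES ('#nfurneaux/$bennyboy1982;810b0fd9ef04db08', 1267726200, 'bennyboy1982', 'Ben Brown', 'ok, quite close', 'X''Y')
#nfurneaux/$bennyboy1982;810b0fd9ef04db08
when are you presenting at HTCIA
# bennyboy /$nfurneaux;8f915423c984767aJ[bennyboy Ben Brown
Aug 23
INSERT INTO Messages (chatname, timestamp) VALUES ('#a/$b;0123456789abcdef'
"""


def split_values(segment: str) -> List[str]:
    """Split a SQL VALUES list, honouring single-quoted strings that
    contain commas and the '' escape for a literal quote."""
    return next(csv.reader([segment], quotechar="'", skipinitialspace=True))


def parse_message(line: str) -> Optional[Dict[str, str]]:
    """Map an 'INSERT INTO Messages (cols) VALUES (vals)' line to {col: val}.
    Returns None for lines that are truncated or otherwise unparseable."""
    if MAGIC not in line:
        return None
    head, sep, tail = line.partition("VALUES (")
    if not sep:
        return None
    cols = head.split(MAGIC, 1)[1].strip().strip("()")
    columns = [c.strip() for c in cols.split(",")]
    try:
        values = split_values(tail.rstrip().rstrip(")"))
    except csv.Error:
        return None
    if len(columns) != len(values):
        return None  # partial row overwritten in RAM: skip rather than misalign
    row = dict(zip(columns, values))
    ts = row.get("timestamp", "")
    if ts.isdigit():  # the post says the timestamp column is UNIX time
        row["timestamp_utc"] = datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat()
    return row


def parse_session(line: str) -> Optional[Dict[str, str]]:
    """Parse a '#initiator/$recipient;guid...' session marker line."""
    m = SESSION_RE.match(line)
    return m.groupdict() if m else None


def carve(lines: Iterable[str]) -> Tuple[List[Dict[str, str]], List[Tuple[Dict[str, str], str]]]:
    """Walk a strings dump; return (chat rows, [(session, following line), ...])."""
    messages: List[Dict[str, str]] = []
    sessions: List[Tuple[Dict[str, str], str]] = []
    it = iter(lines)
    for raw in it:
        line = raw.rstrip("\r\n")
        msg = parse_message(line)
        if msg is not None:
            messages.append(msg)
            continue
        sess = parse_session(line)
        if sess is not None:
            # As in the post, the line after a marker often holds the chat text.
            sessions.append((sess, next(it, "").rstrip("\r\n")))
    return messages, sessions


if __name__ == "__main__":
    msgs, sess = carve(SAMPLE_STRINGS.splitlines())
    for m in sorted(msgs, key=lambda r: r.get("timestamp", "")):
        print(m.get("timestamp_utc"), m.get("author"), m.get("body_xml"))
    for s, following in sess:
        print(s["initiator"], "->", s["recipient"], s["guid"], "|", following)
```

Sorting the rows on the decoded timestamp gives the same timeline as sorting the CSV column, and a row whose column count does not match its value count is dropped rather than written with the body in the wrong column; that is the usual cause of body text 'slipping' into a neighbouring column when a row has been partially overwritten in RAM.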

I've never released a tool to the community before so be kind! Let me know how you get on.
Nick Furneaux

Download

Posted on 9 March 2010 | 5:33 pm


Unfit and unblogged!

I'm just preparing to release a Skype RAM carver written in Python and I thought that my blog would be the best place to put it. However, I just checked it to make sure I remembered how to log in and noticed that my last blog post was in Oct. This is a coincidence, as Oct was the last time I went for a run! I was thinking that there was no correlation, but actually moving house, travelling all over the place and a very busy 6 months of work have contributed to both.

Yesterday I went out with my lad and ran for 2.5 miles, including loads of uphill, and was pretty surprised at my retained fitness, which is good; however, my blogging looks in much worse shape.

It doesn't help that the eponymous Happy Monkey is regularly blogging fabulously funny and insightful ditties, so anything I do will be put to shame. However, watch this space for a free, and rather cool, Skype Chat RAM Carver.

Posted on 9 March 2010 | 5:23 pm


Although I quite like this blogging lark, you will notice from the total lack of activity in recent months that I’m not very good at it. Fact of the matter is that I’ve been extremely busy, which I guess in the current climate I should be thankful for. Computer Forensics is a good career choice in a recession as, simply put, there are always bad people. In fact there is some evidence that white collar crime (and today that almost always involves computers) is on the rise as people worry about jobs, mortgages etc and when an opportunity to pilfer away a quick buck is found, many will succumb.

I’m writing this on a train to the Midlands where I’m helping a bank improve its analysis of malware written specifically to target its customers. This too is on the rise, with phishing attacks commonplace. The problem with malware written specifically for a task is that the AV products often don’t have a signature for it, and hence it renders itself fairly invisible even to the ‘heuristic’ scanners. To counter this, it seems that the AV companies are lowering the bar: almost every time I write a script or compile a new piece of code, Kaspersky or AVG or McAfee scream that it's Root Ware, or a Trojan, or something equally nasty.

If you download virtually any of the fabulously useful tools from Nirsoft (www.nirsoft.com), such as their password recovery, USB key parser or Wifi tool, then, wham, ‘It’s a virus!!’. No it's not. The Cain and Abel password recovery tool recently started triggering an alert, Nessus fires an alert... what is going on? It feels at the moment that any software tool not in their database is automatically a Trojan come to steal your car, wallet and way of life.

Anyhow, rant aside, there has to be a better way of analysing malware and I think RAM is the answer. Nothing can hide in RAM: processes hidden from the OS can be uncovered in RAM. Many tools do a process called list walking to discover processes running in live RAM or a RAM dump; however, unlinking the kernel process object via DKOM can take a process out of the ‘flow’ and make it essentially invisible to the OS or to list walking programs. Psscan2 in the Volatility suite overcomes this by scanning the dump file for process objects whether or not they are connected to others. Outputting this view in dot format and opening it in something like Graphviz provides a fantastic, clean view of the running processes and their threads. Simply invoke by:-

python volatility psscan2 -d -f > output.dot

Analysing the process start times, thread and parents, exe path and other variables provides a very ‘quick win’ when searching for malware of any type.

This is a manual process and would be tricky to automate, but it is very worthwhile to do if malware analysis is your business.
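To show what the eyeball review of a dot graph actually checks, here is an added Python example (not Volatility's code, and not its real psscan2 output format). It assumes a simplified 'name pid ppid start' table, constructed below, builds the same kind of Graphviz digraph, and automates three of the checks the paragraph above describes: a parent that is not in the scan, a child that started before its parent, and a process name one character away from a well-known system binary. The well-known name list is an assumption too.

```python
"""Build a process tree from a scan-style process listing and flag oddities.

Added example, not Volatility's code and not its real psscan2 output format.
It assumes a simplified 'name pid ppid start' table (constructed below).
"""
from datetime import datetime
from typing import Dict, List, NamedTuple


class Proc(NamedTuple):
    name: str
    pid: int
    ppid: int
    started: datetime


# Constructed sample (not a real dump). 'svch0st.exe' is the planted oddity.
SAMPLE_PSSCAN = """\
System            4     0  2010-03-09 09:00:01
smss.exe        368     4  2010-03-09 09:00:05
csrss.exe       584   368  2010-03-09 09:00:07
winlogon.exe    608   368  2010-03-09 09:00:08
services.exe    652   608  2010-03-09 09:00:09
svchost.exe    1720   652  2010-03-09 09:00:12
explorer.exe   1204   892  2010-03-09 09:00:20
svch0st.exe    1988  1204  2010-03-09 08:59:40
"""

# Names the lookalike check compares against (assumed list, XP-era user land).
WELL_KNOWN = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
              "lsass.exe", "svchost.exe", "explorer.exe"}


def parse_listing(text: str) -> List[Proc]:
    """Parse 'name pid ppid YYYY-MM-DD HH:MM:SS' rows; skip anything else."""
    procs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        started = datetime.strptime(f"{parts[3]} {parts[4]}", "%Y-%m-%d %H:%M:%S")
        procs.append(Proc(parts[0], int(parts[1]), int(parts[2]), started))
    return procs


def to_dot(procs: List[Proc]) -> str:
    """Emit a Graphviz digraph: one node per process, one edge per parent link."""
    out = ["digraph processes {"]
    for p in procs:
        out.append(f'  p{p.pid} [label="{p.name}\\n{p.pid} @ {p.started:%H:%M:%S}"];')
    for p in procs:
        if p.ppid != 0:
            out.append(f"  p{p.ppid} -> p{p.pid};")
    out.append("}")
    return "\n".join(out)


def one_char_off(a: str, b: str) -> bool:
    """True when two equal-length names differ in exactly one character."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def review(procs: List[Proc]) -> Dict[str, List[int]]:
    """Return PIDs grouped by the reason they deserve a closer look."""
    by_pid = {p.pid: p for p in procs}
    findings: Dict[str, List[int]] = {
        "missing_parent": [], "started_before_parent": [], "lookalike_name": []}
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None and p.ppid != 0:
            # A lead, not proof: explorer.exe normally outlives its parent userinit.exe.
            findings["missing_parent"].append(p.pid)
        elif parent is not None and p.started < parent.started:
            findings["started_before_parent"].append(p.pid)
        name = p.name.lower()
        if name not in WELL_KNOWN and any(one_char_off(name, k) for k in WELL_KNOWN):
            findings["lookalike_name"].append(p.pid)
    return findings


if __name__ == "__main__":
    procs = parse_listing(SAMPLE_PSSCAN)
    print(to_dot(procs))  # pipe into 'dot -Tpng' to render
    for reason, pids in review(procs).items():
        print(reason, [q.name for q in procs if q.pid in pids])
```

The start-time and parent checks are exactly the 'quick win' variables the paragraph lists; the comment on the missing-parent branch matters in practice, because explorer.exe on XP always shows a dead parent and would otherwise be a standing false positive.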

Few minutes til the train is due in so will speak later, hopefully sooner!

Posted on 23 October 2009 | 1:53 pm


ACPO and RAM Analysis course

It’s been a busy few weeks, which is why I haven’t had a chance to blog for a while. I had the opportunity to present at the ACPO Conference 2 weeks back, which is always a good event, with friends and colleagues from many different Forces and Agencies. It is normally a chance for a late night drink, but exhaustion from the past few weeks' activities had me in bed by 11pm each night.

My brother's company, Bright Forensics, was exhibiting there and had e-fense’s Eric Smith on the stand. Eric is a very talented investigator and has a tremendous knowledge of the forensic world and marketplace. They were focusing on touting e-fense's Live Response key. This is a USB key designed for fast and easy acquisition of live and volatile data from a running machine. In my view it is the first tool that provides an ease of use capable of being used by a front line arresting officer. I know that this is a sensitive subject at the moment, but a plug and play device that will grab Internet history, RAM and other useful data is a very interesting addition to an officer's arsenal. Discuss ☺.

The buzz word of the conference was ‘Triage’. In simple terms the phrase is being used to suggest that we could use a device or software tool to ‘search’ a machine and include or exclude it from an investigation, hence shortening the backlogs that exist in most HiTech Crime units. Umm. I have a real problem with the idea of triage in this situation. In a hospital or emergency setting triage is used to prioritise, not exclude, and I think this is where such tools could have a role. If you get 5 machines in for a CP case, prioritising the machines, perhaps quickly locating the one with the primary evidence, could work fine. However, I think that we will struggle to never image or investigate those other drives. If I think as a defence expert I may suggest that although there was a large amount of evidence on one drive, evidence existing on the ‘son's’ or ‘lodger's’ computer could lend credence to the fact that someone else used the computer belonging to the accused. I appreciate this is somewhat simplistic and perhaps the initial data might make the chap stick his hand up, but I’m sure that you can still see my concern.

Last week I taught my first Advanced Live Forensics course with a particular focus on RAM analysis. I don’t mean to blow my own trumpet but I think it was a resounding success. A chap from one of the UK Counter-Terrorism units suggested that it should be required learning for all computer forensic people and another was impressed by what he called the ‘first new computer forensic discipline since the advent of disk forensics’. Overall, I was chuffed. Obviously this is rapidly turning into an advertisement which I apologise for but if you would like to come then you can find dates on the www.csitraining.co.uk website!

Posted on 9 July 2009 | 8:39 am


Imaging Windows 7 Live


I've been spending some time working with Matt Blackband today on issues surrounding imaging Windows 7 disks and RAM. I've got a copy of Windows 7 32-bit RC1 installed under VMware Fusion with 2 processors and 2 Gig of RAM allotted to it.

Before I start I just want to point out that although I have quite a bit to do with e-fense on a day to day basis including teaching the use of Helix 2.0, I do not make anything out of the new Helix Pro. This bit of research was just myself and Matt wanting to see whether it worked well under Windows 7 and compared to Helix 2.0. This is NOT an infomercial!

Although there has been a lot of talk about exFAT and its uses, Windows 7 installs with NTFS as default, and installed very quickly indeed. There have been some concerns and questions over whether our current typical live forensic tools would be able to successfully run and acquire drives and RAM. As Helix is a personal favourite tool and one that I teach, I focused my attention on that.

I loaded the latest Beta 2 version of Helix Pro (should be released soon), which loaded quickly and successfully. Helix Pro saw the connected drives and partitions and also correctly reported the RAM size. Running the Helix RAM acquisition I was able to acquire 2 Gig of RAM, writing to a shared drive on the host Mac, in a little over 2 minutes, which is very good indeed. I was then able to successfully run Strings and Foremost to extract text data and carve files respectively. As expected, Volatility refused to run, and we wait to see whether a Vista/7 update is forthcoming.

Disk imaging also worked correctly as expected, making both a RAW and an Encase 6 image, and also creating disk and imaging information and checksum PDFs.

One of my favourite aspects of Helix Pro is its lightning fast volatile data acquisition. I was a little dubious that it would work under 7, but work it did, finishing in less than 20 seconds and producing a 96 page report! Enjoy reading that!

Helix 2.0, the remaining free offering, as expected, did not fare as well. The GUI fires up OK but you are unable to trigger a command shell from the GUI as no Windows 7 shell exists on the disk, however browsing to /IR/Vista, and opening a Vista cmd file directly and then running cmdenv, did provide a usable shell which enabled me to run binaries on the disk.

System Information worked correctly reporting Owner, Network and Logical disks.

As expected the GUI would not image RAM or Disks although extracting MDD from /IR/RAM to a USB key and running it, successfully imaged the RAM in a little under a minute to the local disk (not recommended in the real world :)).

After some down and dirty testing today it is good to see that Helix Pro is up to the task of working with 7, which I guess makes it a £200 tool worth having in your toolkit. Of course, it will be interesting to see the take-up of 7 after the lacklustre reaction to Vista, but I have to say, even as a hard and fast Mac user, it's not too bad. It installed very quickly and just worked out of the box. The interface is clean and simple and programs pop up nice and fast. Could this be a 'good' version of Windows? Time will tell. More research to be done.

Posted on 5 June 2009 | 1:34 pm


Apple and Pears

I had a couple of chaps turn up for a meeting yesterday from a certain UK Law Enforcement Agency and, thanks to a crackingly sunny day, we were able to sit in a pub garden for a late and leisurely lunch. Anyway, that's not the point!

One of the chaps, Simon, pulled a little Netbook PC out of his bag and, lo and behold, it was running OSX. It was really impressive to see such a tiny machine, designed for Linux or Windows, running OSX very successfully in all its 'never crashing' glory. Being very small and light, it's essentially a MacBook Air but about £1000 cheaper.

I guess because I'd never gone to look, I did not know that since Apple's move to Intel chipsets there has been a huge amount of effort in the hacking community (I use the word hacking in its proper sense) to get OSX successfully working on PC architecture. The Netbooks with their Intel Atom processors are, apparently, perfect.

Wired magazine wrote about it late last year (http://blog.wired.com/gadgets/2008/10/os-x-running-on.html) with similar results, although they noted that some elements such as Wifi and Sound fail to work on some Netbooks including the one they tried.

A very good list of Netbooks with the elements that work or do not can be found at http://gadgets.boingboing.net/2008/12/17/osx-netbook-compatib.html. It appears that the Dell Mini 9 is perfect and virtually anything can be made to work.

It is worth noting that although it is a great fun project, by loading OSX onto a 3rd party piece of hardware you are breaking the Apple licensing agreement. I really fancy getting a Dell Mini on order though :)

Posted on 24 April 2009 | 2:42 pm


...and the Supercomputer gets even better!


Since the Supercomputer got fixed I've been doing some tinkering with quite staggering results. Elcomsoft have released a new version of their Wireless Cracking tool and you can now specify multiple dictionaries which is very useful. In addition, ATI now have new drivers that improve the GPU acceleration so I've got those downloaded and installed.

It then occurred to me that processing time would be taken up with the software figuring out all the permutations for each word in the dictionary, so I took a good 3 million word dictionary and ran it through the permutation generator that is part of John the Ripper.

john -w:dictionary.txt -rules -session:johnrestore.dat -stdout:63 > newdict.txt

This turned a 40 meg dictionary file into a 1.6 Gig monster with a staggering array of derivatives for each word. Feeding this into the cracker I have now raised my cracking speed from around 18000 passwords a second to a mind-blowing 45000 per second, or 3.8 billion a day. Not too shabby!

To deal with purely numeric WPA passwords I've got a friend writing a bit of code to generate a dictionary with every permutation up to 10 billion, which is a nice long 11 digit password. Although we are looking at the best part of a week to run, I believe that it is worth the effort.

Crack on - if you pardon the pun!

Posted on 17 April 2009 | 11:00 am


Exploiting the MSN protocol

This is a post where I am not going to say anything :) I'm not going to say what we have found, what we can do and how we do it, but let me explain the problem.

Many Police Agencies have an interest in where a particular Internet user may be located and, to achieve this, detecting their IP address and then asking the ISP for user information is a great way to do it. It is no secret that some Agencies monitor chat rooms and ingratiate themselves with known offenders on Instant Messaging (CEOPS invited the BBC in last year to discuss this); however, chat using something like Windows Live Messenger proxies and anonymizes at Microsoft, meaning a whole load of paperwork is needed to get the actual subject's IP.

Well that's the problem and Microsoft say that there is no way to circumvent this issue. If you are in this position and would like to discuss the 'problem', you know where to find me.

Posted on 16 April 2009 | 11:01 am


...and it breaks

In addition to my last post, after just a couple of days of password cracking my super-beasty computer packed in. It seems the 4 uber GPU units decided to up and die which is not helpful when everything is GPU accelerated. Engineers turned up and we are firing on all cylinders again.

Interestingly I am now getting the full 20,000 passwords per second cracking speed that I was expecting whereas before I was only getting a fraction of that, I think there was something wrong from the start. As I look to my left a cracking job for a Police Agency is running at 18,000 per second, not too shabby.

Posted on 16 April 2009 | 10:54 am


'Super' Computing!

It's been a big day! My supercomputer arrived in a rather large box, much to the obvious annoyance of the delivery man who had to drag the thing 30 yards as he couldn't get the van up the lane near the office.

Unwrapped and connected up to a suitably large screen, the beasty purred into life and promptly crashed. No Apple technology here. Side off, found a couple of loose cards, tightened them up, rebooted and we were away.

The machine is based on AMD motherboard technology with 2 uber ATI 4870X2 boards providing 800 parallel processing cores per board, giving a total of 1600 processing cores. With the right software designed for GPU parallel processing it will chug along at 2.4 teraflops, or 2.4 trillion floating point calculations per second.

The definition of a supercomputer is 1 teraflop (1 trillion floating point calculations per second), and the first one was built by Intel just 11 years ago; it took up 2000 sq ft of space. 11 years on I have a machine 2 1/2 times more powerful under my desk; the lights dim when I fire it up, but you can't have everything!

I've bought it to carry out super fast password cracking; I can chew through 60,000 passwords per second, or 5.1 billion per day, which is some work rate, especially when using intelligent varying dictionary-based attacks. Instead of pure brute forcing, which is all down to key space (password length * all possible combinations), an intelligent varying dictionary attack takes a word such as 'password' and attempts all likely variations such as:-

pa55word
pa55wOrd
6a55w0rd
password1
password123 etc etc

Using this process a 3 million word dictionary can quickly be turned into a 150 million word table, or much more. When done 60,000 times per second you can try an awful lot of variations and the success rate becomes very high indeed. A completely pattern-free, randomized password/phrase will still require brute forcing, and we will all probably retire before a guaranteed success.
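The flip side of the mangling rules described above is a check a defender can run on a chosen password: rather than generating every variant of every dictionary word, undo the common substitutions and strip appended digits, then see whether what is left is a dictionary word. The Python below is an added example (not the author's code, and not the cracker's rules); the reversed substitution table and the small word list are my assumptions, and a real check would load a full dictionary.

```python
"""Check whether a chosen password is a cheap derivative of a dictionary word.

Added example, not the author's code. It inverts the mangling rules the post
describes (leet substitutions, appended digits) so a defender can test whether
a password falls inside the space an 'intelligent varying dictionary' attack
searches first. The substitution table and word list are assumptions.
"""
import itertools
from typing import Optional, Set

# Common leet substitutions, reversed: the symbol and the letters it may stand for.
UNLEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
          "@": "a", "$": "s", "!": "i", "+": "t"}
AFFIX_CHARS = "0123456789!@#$%^&*()_-+=.,?"
MAX_EXPANSIONS = 4096  # bound the de-leet search so pathological input cannot blow up

# Constructed mini word list; a real check would load a large dictionary.
COMMON_WORDS: Set[str] = {"password", "welcome", "monkey", "letmein", "dragon"}


def strip_affixes(text: str) -> str:
    """Drop leading/trailing digits and symbols: 'password123!' -> 'password'."""
    return text.strip(AFFIX_CHARS)


def dictionary_base(password: str, words: Set[str] = COMMON_WORDS) -> Optional[str]:
    """Return the dictionary word the password derives from, or None.

    Each leet character can expand to several letters, so every combination
    is tried (capped at MAX_EXPANSIONS) and the first one in the word list wins.
    """
    core = strip_affixes(password.lower())
    if not core:
        return None  # all-digit / all-symbol input: not a dictionary derivative
    options = [sorted({ch, *UNLEET.get(ch, "")}) for ch in core]
    for combo in itertools.islice(itertools.product(*options), MAX_EXPANSIONS):
        candidate = "".join(combo)
        if candidate in words:
            return candidate
    return None


def is_weak(password: str, words: Set[str] = COMMON_WORDS) -> bool:
    """True when the password is a dictionary word or a mangled variant of one."""
    return dictionary_base(password, words) is not None


if __name__ == "__main__":
    for pw in ["pa55word", "pa55wOrd", "password1", "password123", "P@ssw0rd!", "xq7vz9lmpq"]:
        print(f"{pw:14s} -> {dictionary_base(pw)}")
```

The four 'password' variants listed in the post all resolve back to the base word, which is exactly why the 150 million word table catches them; the only passwords this check cannot place are the ones the post says will still need brute forcing.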

The new software I'm using focuses on WPA 4 way handshake attacks, you can check it out here. Other software allows the GPU accelerated attacks against Office files and loads of others.

My first job arrived from a Police Department yesterday so we shall see how it goes.

Posted on 3 March 2009 | 9:56 pm


We're jamming

Again, I have been neglecting my blog and I apologise! Little one was in hospital for the first 2 weeks of the year and I've taken 3 weeks to catch up.

Continuing with the wireless attack theme, I came across an interesting (illegal) way to force a deauth. As some of you will know, to get the 4-way handshake needed for WPA cracking you need to force a de-authentication of a client and pick up the packets as it reauthenticates. However, this is easier said than done and does not always work.

One way to ensure deauth is to employ a hardware wifi jammer. You can readily source from the Far East a jammer with 30+ft range which is sufficient to take out a house's wifi network whilst walking by. Now I am at pains to say that jamming a radio signal in the UK is illegal and I mention this only for my LE friends who may be able to get the appropriate clearances/warrant to achieve a deauth this way. Of course you would need an antenna faced on the property ready and running Kismet or Airodump to grab the packets as the reauth takes place. I wrote some great Linux Shell scripts to automate the process recently to achieve just this type of situation.

I won't publish where to purchase them; you can always get in touch.

You can also pick up a GSM jammer while you have your credit card out and next time you see in your rear view mirror the lorry driver chatting on the phone whilst passing the local primary school you could have the satisfaction of hitting the button and jamming his call. Oh if only it was legal!!

Posted on 11 February 2009 | 10:50 pm


WPA Cracking

In Yorkshire on holiday with the extended family. Touch of man flu!

It's been a while since my last post as life has been flat out. Just a week back I taught the first LE-only wireless attack course. I taught it at the Defford SB facility, which was perfect, as apart from a bunch of huge radio telescopes there is no wireless interference at all.

What was interesting was the vast difference made by different antennas. I guess this is obvious, but I had the chance to really test the differences between the omni-directional and directional antennas I had available. The out and out winner was the 12dBi directional 'can' antenna, which took us to the edge of the facility, at least 100 meters from the Access Point, with plenty of power left over. Having returned to the office I thought I would invest in a parabolic mesh antenna slated as 24dBi. I bought 2, one for me and one for an operation I'm working on with a Police force. When they arrived they were HUGE! When put together the dish was at least 70cm square, not terribly useful in a covert setting. When hooked up the coverage was astonishing; I reckon that 1km could be possible with clear line of sight.

As WPA cracking is very reliant on a dictionary attack it is interesting to note that Elcomsoft are releasing a WPA specific cracking tool that uses a dictionary attack associated with GPU acceleration which is very exciting. They have offered me a beta copy and I will let you know how it goes.

The company already has brute force cracking ability for WPA passphrases with GPU acceleration, which the press have been having a field day over, saying WPA is dead. In reality a box with 2 super fast NVIDIA GTX 280 cards in it will still take 3 months to break an 8 character password. I think the new dictionary version will be much faster.

We shall see...

Posted on 18 December 2008 | 1:51 pm


Just take what you need!

Sat in Brussels airport, flight delayed for 2 hours, 10pm :(

I’ve been presenting today at the European Network Forensics and Security Conference in Holland. It is not a big event but there were some very interesting people in attendance including Laura Chappell from Wireshark University and James Lyle from NIST. I had not met either before but look forward to communicating more with them in the future.

I was presenting today on the subject of extracting just the information we perceive we need from a case rather than always imaging an entire drive, or, more commonly now, a gaggle, bunch, collection (what is the term for multiple drives?) of drives which regularly can exceed a TB. Now I know the purists amongst you will shout foul: the whole drive is best evidence, and I do not disagree with you; but when dealing with, for example, a fraud case where the predominant evidence will be found in email, an accounting partition and chat logs, why ‘initially’ image vast amounts of data when we know where to start? It is very straightforward to image out just a .pst file or just take a partition, and this can reduce processing and searching times tremendously. This does not mean that you never image the drive; however, when we have multiple machines to look at, why initially image them all when the pertinent data might be available in key containers?

A number of Police Forces in the UK and I’m led to believe ACPO too are looking at a methodology of pre-imaging triage to try and reduce workloads and backlogs and I am in general agreement with this.

There are a bunch of ways of extracting what you need. On a live machine you can simply write your own script to search a machine and extract just the files you need. For example, open notepad and just enter:-

xcopy "%systemdrive%\documents and settings\*.pst" /h /s

...save the text file as a batch file (myprog.bat) and put it on a USB key or external drive. When you plug the drive in to a machine and run the batch file it will search all folders under Documents and Settings and copy back any .pst file it finds. Easy as that! You could make a couple of subtle changes and it would find and copy back all the thumbs.db files, which you could parse out in Encase, FTK or Vinetto and have a pretty good idea what images were on the machine. Quite handy.

xcopy "%systemdrive%\documents and settings\*bs.db" /h /s

If you want things to feel a bit more ‘forensic’ then use dd on the target system to extract what you need:-

dd if=\outlook.pst of=e:\harvest\outlook.dd conv=noerror

You could use this method with Helix and use either the Windows terminal on a live machine or boot to the swanky new Ubuntu Linux side and do it there. You can then MD5 the file and off you go.

md5sum outlook.dd > md5.txt
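The xcopy and md5sum steps above, done as one script: walk a source tree, copy out only the files whose names match a pattern, keep their relative paths, and write an md5sum-style manifest so the harvest can be verified later. This is an added example and not code from the blog; the directory layout and file contents in demo_harvest() are constructed.

```python
"""Selective ("triage") harvest of files matching a pattern, with a hash manifest.

Added example, not code from the blog. It mirrors the xcopy / md5sum steps above:
walk a source tree, copy only the files whose name matches a glob, and record an
MD5 for every copy so the harvest can be verified later.
"""
import fnmatch
import hashlib
import os
import shutil
import tempfile


def md5_of_file(path, chunk=65536):
    """MD5 of a file, read in chunks so a large .pst does not need to fit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def harvest_files(src_root, pattern, dest_root):
    """Copy every file under src_root whose name matches pattern into dest_root.

    Relative paths are preserved so provenance stays obvious. Returns a list of
    (relative_path, md5_of_copy) and writes the same data to dest_root/manifest.md5
    in md5sum's "hash  path" format.
    """
    manifest = []
    for dirpath, _dirs, files in os.walk(src_root):
        for name in fnmatch.filter(files, pattern):
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(dest_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)                    # copy2 keeps the mtime for the timeline
            manifest.append((rel, md5_of_file(dst)))  # hash the copy, not the original
    with open(os.path.join(dest_root, "manifest.md5"), "w") as f:
        for rel, digest in manifest:
            f.write(f"{digest}  {rel}\n")
    return manifest


def verify_manifest(dest_root):
    """Re-hash every harvested file; return the relative paths that no longer match."""
    mismatched = []
    with open(os.path.join(dest_root, "manifest.md5")) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            if md5_of_file(os.path.join(dest_root, rel)) != digest:
                mismatched.append(rel)
    return mismatched


def demo_harvest():
    """Build a constructed directory tree and harvest the .pst files from it."""
    root = tempfile.mkdtemp()
    src = os.path.join(root, "src")
    # constructed sample layout, loosely mirroring "documents and settings"
    samples = {
        "documents and settings/alice/Local Settings/Outlook/outlook.pst": b"constructed pst 1",
        "documents and settings/bob/archive.pst": b"constructed pst 2",
        "documents and settings/bob/notes.txt": b"not a mailbox",
    }
    for rel, data in samples.items():
        path = os.path.join(src, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    dest = os.path.join(root, "harvest")
    manifest = harvest_files(src, "*.pst", dest)
    return dest, manifest


if __name__ == "__main__":
    dest, manifest = demo_harvest()
    for rel, digest in manifest:
        print(digest, rel)
    print("mismatches:", verify_manifest(dest))
```

Hashing the copy rather than the original is deliberate: the manifest then describes exactly what was harvested, and verify_manifest() can be re-run on the harvest drive at any later point without the source machine.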

The argument is even more compelling with live servers in a corporate environment. Tell a sysadmin that you are going to shut down his email server for 8 hours while you image it and he will go a rather nasty colour. Do a live response and just take the pertinent .edb (or whatever) files and everyone is happy and you likely have all you need. The same argument can be made when looking at a RAID array. The ‘Financial Director’ under investigation will rarely, if ever, have access to the RAID controller to hide any data anywhere clever on the array disks. So in that situation, do a live response on his machine and figure out what disk partitions/folders he has access to and just go and get those. Imaging the appropriate partition on a RAID will give you everything you need and saves a shed load of time trying to figure out the striping pattern.

I appreciate this blog entry is overly simplistic and all these decisions should be made on a case by case basis with full comprehension of what is potentially being missed, however the modern investigator should be aware of these techniques and use them where appropriate.

Posted on 16 October 2008 | 7:43 pm


Backtrack 3 on the Asus EEE (that rhymes!)

I mentioned a few posts ago about the wonders of the tiny Asus EEE. I’ve just had the latest 901 version delivered with 8 hours battery life and an Intel Atom processor. One of the coolest things I’ve been doing is booting the machine to an alternative OS on an SD card. Perhaps one of the most useful is the ability to boot to the Backtrack distro. It means that you have your tiny portable machine totally ready to carry out sysadmin tasks and even wireless cracking using the inbuilt Atheros wireless chipset.

However getting Backtrack 3 to boot on the EEE has been a problem and a number of forums have questions about it. When you download the bootable USB version (http://www.remote-exploit.org/cgi-bin/fileget?version=bt3-usb) there is a helpful text file telling you which files to copy to the USB key or SD card, then simply browse to the ‘Boot’ folder on the card and run the ./bootinst.sh script. To get a command shell up in the EEE Xandros Linux distro just hold down CTRL-SHIFT-T. Then as if by magic you can boot to Backtrack by simply holding down the ESC key at boot time.

However, a number of people have noted that it seems impossible to run the shell script. You simply get an error message. The solution is very simple. If you look at the permissions for the script (ls -la) you will note that the files on the SD card do not have execute permissions. If you try and change the permissions:-

chmod 777 bootinst.sh

..it pretends to work but another look at ls -la and you see that it hasn't.

The problem is to do with the mount permissions for the device as a whole. If you execute the ‘mount’ command you will see that the device is mounted with the noexec flag set and that is what is messing things up! With no other keys or devices plugged in it seems to always mount at /media/D:, so.. simply unmount the device:-

umount /media/D:

then remount with the following:-

mount -o rw /dev/sdc1 /media/D:

Dropping the noexec flag makes the files executable. Now just browse back to the right directory:-

cd /media/D:/boot

then execute the shell

./bootinst.sh

That’s it, now you can reboot to BT3. Have fun.
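A way to confirm the diagnosis above before chasing file permissions: read the mount table in /proc/mounts format, find the mount that actually holds the script (longest matching mountpoint prefix), and report whether it carries noexec. This is an added example, not code from the blog or from Backtrack; the mount table in SAMPLE_MOUNTS is constructed, with only the /media/D: mountpoint and /dev/sdc1 device taken from the post.

```python
"""Check whether a path sits on a filesystem mounted noexec, using /proc/mounts format.

Added example, not code from the blog. SAMPLE_MOUNTS is a constructed mount table;
/media/D: and /dev/sdc1 are the mountpoint and device from the post.
"""
import os

SAMPLE_MOUNTS = """\
/dev/sda1 / ext2 rw,noatime 0 0
proc /proc proc rw 0 0
/dev/sdc1 /media/D: vfat rw,nosuid,nodev,noexec,uid=1000 0 0
"""


def parse_mounts(text):
    """Return a list of (device, mountpoint, fstype, options-set) from /proc/mounts text."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        dev, mnt, fstype, opts = fields[:4]
        # /proc/mounts escapes whitespace in paths as octal (\040 for a space)
        mnt = mnt.replace("\\040", " ")
        entries.append((dev, mnt, fstype, set(opts.split(","))))
    return entries


def mount_for_path(entries, path):
    """Pick the entry whose mountpoint is the longest prefix of path."""
    path = os.path.normpath(path)
    best = None
    for entry in entries:
        mnt = entry[1]
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best[1]):
                best = entry
    return best


def exec_blocked_by_mount(entries, path):
    """True if the filesystem holding path was mounted with noexec."""
    entry = mount_for_path(entries, path)
    return entry is not None and "noexec" in entry[3]


def check_script(path, mounts_text=None):
    """Human-readable verdict; reads the live /proc/mounts when no text is supplied."""
    if mounts_text is None:
        with open("/proc/mounts") as f:
            mounts_text = f.read()
    entries = parse_mounts(mounts_text)
    entry = mount_for_path(entries, path)
    if entry is not None and "noexec" in entry[3]:
        return (f"{path}: {entry[0]} on {entry[1]} is mounted noexec; "
                f"chmod will not help, remount without it (mount -o rw {entry[0]} {entry[1]})")
    return f"{path}: mount allows execution"


if __name__ == "__main__":
    print(check_script("/media/D:/boot/bootinst.sh", SAMPLE_MOUNTS))
```

The longest-prefix rule matters: "/" also matches /media/D:/boot/bootinst.sh, but it is the more specific /media/D: entry, with its own option set, that governs the file.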

Posted on 28 August 2008 | 3:34 pm


The way Linux pages data

I've been spending some more time looking at why the bad sectors on the NIST tests (see last post) were in the middle of a read run. In their conclusions they state that:-

"Up to seven accessible sectors adjacent to a faulty sector may be missed when imaged with dd based tools in the Linux environment directly from the ATA interface."

This doesn't seem to make any sense if we are saying that some sectors are skipped when a bad sector is encountered. Surely it would always be the first sector with later sectors skipped? This explanation seems to go some of the way in finding a solution.

When dd requests a block, the mapping layer figures the position of the data on the disk via its logical block number. The kernel issues the read operation and the generic block layer kicks off the I/O operation to copy the data. Each transfer of data involves not just the block in question but also blocks that are adjacent to the required block. Hence a 4096-byte 'page' transferred from the device to the block buffering layer in the kernel (often a page segment in RAM) will contain the bad block and adjacent 'good' blocks.

If you have a 4096-byte page with a single 512-byte bad block you will have, wait for it, 7 good 512-byte blocks in that page. This fits with the observations of NIST that 7 sectors may be missed; obviously something bad is happening to the entire 4096-byte page.

They then go on to conclude that:-

"For imaging with dd over the firewire interface, the length of runs of missed sectors associated with a single, isolated faulty sector was a multiple of eight sectors."

This makes perfect sense: as the kernel pages the data in 4096-byte blocks including 7 good and 1 bad sectors, any 'loss' of data by the block buffering layer would be in 'whole pages', or multiples of 8 sectors. Am I making any sense?

Hence, I'm reasoning that when dd hits a bad block, something is happening to the block buffering layer to either overwrite, clear or otherwise remove some or all of the buffered pages. Differences in the speed of moving blocks to and from different media such as ATA rather than firewire may help to explain the different numbers of lost pages, e.g. there is physically more or less data in the buffer when it gets deleted/wiped/overwritten etc.

I now need to look at why the buffer is possibly being affected. Any comments are welcomed!

Posted on 16 July 2008 | 1:00 pm


Link to the NIST research on dd issues

I've written a couple of simple overviews of the issues surrounding dd and the seeming lost sectors when bad blocks are encountered. I neglected in my previous posts to include a link to the research by NIST at http://dfrws.org/2007/proceedings/p13-lyle.pdf.

Speaking to both Drew Fahey and Barry Grundy the feeling is that there is no reason to overreact, virtually every tool we use has some flaw or another, however further research is needed to be clear about the issue and how to circumvent it.

I'm off to present at the ACPO conference tomorrow and I'm sure the subject will come up, I'll post any interesting comments.

Posted on 24 June 2008 | 9:19 am


Norway

I'm teaching this week at the National Police University in Norway and have met some very interesting and talented investigators from various services. What is very interesting is the almost total lack of organised defense experts. It is quite fascinating that most cases with computer evidence rely almost totally upon the prosecution expert with no counter from an alternative position.

As I do both prosecution and defense work I can see the pros and cons from both sides but although I do not doubt the integrity of the officers here I do believe that a sound defense requires experts giving testimony from both sides. Even though with the best will in the world the reports should be the same, we both look at the same data, we all know that things get missed and some issues and elements can be explained in more ways than one.

It does seem that some officers are now beginning to leave the service and set up on their own so I suppose we will begin to see that change. In the UK, of course, we have many defense experts and although one has to wonder about the competence and even integrity of one or two, at least a defendant can be assured of a second set of eyes on the data. Don't get me started on the need for industry control, I can go on all day. Doesn't mean I know how to solve the problem though!

I guess setting up in Norway could be a good thing for someone?

Posted on 11 June 2008 | 6:48 pm


Linux dd issues part 2

I spoke in the last few posts about the issues with dd both in Windows and Linux. Having recommended in a previous post that you use dd_rescue with the -d flag added to enable direct disk access I have since found that when running it from the Helix distro it appears to work but instead creates a 0 byte file. I can't get my head around why it would do this.

However, following more research it appears that using GNU-dd in Linux you can enable the iflag=direct argument. This seems to enable O_DIRECT disk access and avoid the seeming buffering issues. Testing this against a drive with no errors it acquired the drive as expected and provided the right hash, so at least it doesn't mess things up.

Interestingly I emailed Barry Grundy about it and he had been following the same line of research and testing. Both of us are away from our labs for a week or so and will not be able to test against a drive with bad sectors until then but I will post again.

If you wish to try it the syntax is simple:-

dd if=/dev/(drive) of=(where you save it) conv=noerror iflag=direct

If you get any interesting results please don't hesitate to contact me.


Posted on 11 June 2008 | 6:34 pm


...and FAU-dd issues

Having just posted about DCFLDD, my good friend Jim also pointed out that I had ignored the issues with FAU-dd from George Garner. Helix uses this dd version on the Windows side, specifically because it supports the \\.\PhysicalMemory device to grab RAM. It has been noted that even if the block size is set to 512b FAU-dd still copies data at 4096b to increase speed. However, if it encounters a bad block it will skip 4096b.

The latest version from George steps back from 4096b to 512b when a bad block is found to minimize lost data but unfortunately support for \\.\PhysicalMemory was removed in that version. This is only an issue if bad blocks are found. Removing the noerror switch will stop dd if errors are found and enable you to use a different tool if you are concerned about this. (do not remove the noerror switch when imaging RAM, it will stop almost immediately)

Also, to get around this, FTK imager is installed on the Windows side and there are no reported problems of this type with that tool. However, running from a GUI will have a greater footprint on a live system.
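The arithmetic in this post and in "The way Linux pages data" above can be made concrete with a small simulation: a fake block device with one unreadable sector, imaged three ways. Reading in 4096-byte pages and skipping a failed page loses all 8 sectors of that page; reading 512 bytes at a time loses only the bad sector; and re-reading a failed page sector by sector (the step-back behaviour described above) keeps the page-sized reads for speed while still losing only the one sector. It also shows why a skipped sector must be written out as zeros rather than dropped, which is the difference between dd's conv=noerror,sync and conv=noerror alone: without padding every later sector lands at the wrong offset. This is an added example, not code from the blog or from any dd variant, and the disk contents and bad-sector position are constructed.

```python
"""Simulated imaging of a disk with one bad sector.

Added example, not code from the blog or from any dd implementation. It models
page-sized reads losing 8 sectors, sector-sized reads losing 1, a sector-by-sector
fallback after a failed page read, and the offset shift caused by not zero-filling
a skipped sector. All disk contents and the bad-sector position are constructed.
"""
SECTOR = 512
PAGE = 4096


class SimulatedDisk:
    """A block device whose read fails if the request touches a bad sector."""

    def __init__(self, sectors, bad_sectors):
        # sector n is filled with its own number as a 2-byte tag, so an image can be
        # checked to see exactly which sectors survived and whether they are in place
        self.data = b"".join(n.to_bytes(2, "big") * (SECTOR // 2) for n in range(sectors))
        self.bad = set(bad_sectors)
        self.size = sectors * SECTOR

    def read(self, offset, length):
        first, last = offset // SECTOR, (offset + length - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise IOError(f"read error in sectors {first}-{last}")
        return self.data[offset:offset + length]


def image_fixed_blocks(disk, block_size, pad_errors=True):
    """Read in fixed blocks; on error skip the block (like conv=noerror) and either
    zero-fill it (like conv=sync) or drop it. Returns (image_bytes, sectors_skipped)."""
    out = bytearray()
    skipped = 0
    for offset in range(0, disk.size, block_size):
        try:
            out += disk.read(offset, block_size)
        except IOError:
            skipped += block_size // SECTOR
            if pad_errors:
                out += b"\x00" * block_size
    return bytes(out), skipped


def image_with_fallback(disk, block_size=PAGE):
    """Read in large blocks for speed, but re-read a failed block one sector at a
    time so only the genuinely unreadable sectors are zero-filled."""
    out = bytearray()
    skipped = 0
    for offset in range(0, disk.size, block_size):
        try:
            out += disk.read(offset, block_size)
        except IOError:
            for sec_off in range(offset, offset + block_size, SECTOR):
                try:
                    out += disk.read(sec_off, SECTOR)
                except IOError:
                    skipped += 1
                    out += b"\x00" * SECTOR
    return bytes(out), skipped


def sectors_wrong(disk, image):
    """Sector numbers whose contents are missing from, or misplaced in, the image."""
    wrong = []
    for n in range(disk.size // SECTOR):
        start = n * SECTOR
        if image[start:start + SECTOR] != disk.data[start:start + SECTOR]:
            wrong.append(n)
    return wrong


def demo():
    """64-sector disk, bad sector 21 (inside page 2, sectors 16-23); returns a summary."""
    disk = SimulatedDisk(sectors=64, bad_sectors=[21])
    results = {}
    img, skipped = image_fixed_blocks(disk, PAGE)
    results["page reads, zero-filled"] = (skipped, sectors_wrong(disk, img), len(img))
    img, skipped = image_fixed_blocks(disk, SECTOR)
    results["sector reads, zero-filled"] = (skipped, sectors_wrong(disk, img), len(img))
    img, skipped = image_fixed_blocks(disk, SECTOR, pad_errors=False)
    results["sector reads, no padding"] = (skipped, sectors_wrong(disk, img), len(img))
    img, skipped = image_with_fallback(disk)
    results["page reads with sector fallback"] = (skipped, sectors_wrong(disk, img), len(img))
    return results


if __name__ == "__main__":
    for name, (skipped, wrong, size) in demo().items():
        print(f"{name}: skipped={skipped} wrong sectors={wrong} image={size} bytes")
```

The "no padding" row is the one to notice: only one sector is unreadable, yet every sector from 21 onwards is in the wrong place and the image is one sector short, so hashes and offsets computed against the image no longer correspond to the source disk.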

Posted on 3 June 2008 | 9:32 pm


DCFLDD problems

A number of concerns have been raised recently about certain Linux dd implementations such as DCFLDD. You can read about it at http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=2557 and http://tech.groups.yahoo.com/group/ForensicAnalysis/message/82

In simple terms the problems revolve around how dd treats a bad sector. With the noerror flag set one would hope that dd would jump the bad sector, zero it and move on. However it would seem that a number of sectors are being missed when a bad block is found. Research by Barry Grundy and others indicates that this is due to the way the Linux kernel buffers data coming from the device being imaged. The buffering is a good thing as it speeds things up but it also would seem to enable the skipping of good sectors when a bad one is encountered.

This affects one of my favourite tools, Helix. Helix uses the DCFLDD tool as a basis for the Adepto GUI on the Linux side. In the meantime if you are using Helix you can make use of dd_rescue, making sure that the -d flag is set which enables direct disk access to the device. If you were planning to image the disk sda to an attached drive sdb1 this would look something like:-

dd_rescue -d -v /dev/sda /media/sdb1/image.dd

The release of Helix Pro later this year will deal with the issue.

Posted on 3 June 2008 | 3:57 pm


SMTP woes

I've recently enjoyed a holiday in France and frighteningly one of the first questions I asked my brother who booked the house was about Internet availability. He had already asked and Wifi was available in the house. It meant my hands could stop shaking with the stress of possibly being disconnected for 2 weeks. Well in reality my Vodafone dongle would have taken a hammering.

We rocked up to the house (beautiful place by the way) and 20 minutes after unpacking the cars there were 2 MacBook Pros glowing silently on the dining room table. In fact we had 3 notebooks between us as I had also taken my Asus EEE as mentioned in the previous post. Sad eh, but even my wife doesn't moan anymore as long as emails are answered, blogs are written etc at appropriate times.

In fact the laptops came in useful on a number of occasions, looking up the weather, finding a local Kart track, finding a good restaurant and route finding to a Chateaux. Even the parents and in-laws were on board.

Later that day a number of emails arrived but as I've found with a number of ISPs my normal SMTP details were blocked. There are a bunch of ways around this but for your information I used http://whatismyip.com to get the IP address assigned to the router, next I did a lookup on SamSpade to find out who owned the IP. This turned out to be France Telecom i.e. Orange, and a quick Google search found the details smtp.orange.fr which then worked perfectly with no authentication.

If you travel a lot there is a paid option at www.smtp.com, for about $10 a month for 50 emails a day you can send emails through any ISP without the hassle of changing details.

You can of course just switch to webmail but I like my Mac Mail.

As an aside I cracked the WEP code on the house's router in 4 minutes 37 seconds - AAAAAAAAAAAAAFFFFFFFFFFFFF. I love my EEE!

Posted on 31 May 2008 | 8:27 pm


EEE'up its good

A number of us have been working on the new Asus EEE PC 900. If you haven't heard of it, it's a small-form PC which is still very usable. The new 900 has a 20 gig solid state HD and larger screen than its predecessor. (I've got the black version which I think looks nicer than the 'ipod'esque white one).

The rather cool element to the EEE is the in-built Atheros WIFI chipset which supports monitor mode and packet injection. I'm not going to write a detailed explanation about why this is a good thing but any user of Aircrack-ng, Kismet or other such tools will be delighted.

The default OS is a Xandros Linux environment which is quite cool for day to day browsing use, however you are able to boot from the internal SD slot. With a little fiddling you can install Backtrack on an SD card, make it bootable (check the readme on the Backtrack download) and just by holding down the ESC key at boot time, fire up a full Backtrack environment. I managed to get up and working in about 10 minutes and even had a USB Ralink Wifi adapter up and working too. Its tiny size makes it perfect for Wifi activities when out and about and at around £300 quid it would be rude not to!

Posted on 27 May 2008 | 2:04 pm


Kicking off!

There are lots of computer forensic blogs out on the interweb some superb and others rather less useful. This aspires to be in the latter category. However as I work with, and have the privilege to train some excellent computer forensic professionals both here and abroad, I often hear about some great pieces of research, new tools and other movements within the industry. If appropriate I will try and post them here.

If you tell me about an idea I promise to check with you before I post here and will never name law enforcement persons unless express permission is gained. As you can tell, this is already an exceptionally boring blog.

If you want to contact me (only about computer forensic topics please) please don't hesitate to do so, either via phone, or from the form you can find on the web addresses in the right column.

That'll do for starters

Posted on 27 May 2008 | 1:53 pm