Tuesday, September 3, 2013

[Forensics] Memory Analysis

I haven't written on the blog in the past few days as I've been busy studying memory analysis. I highly recommend that anyone who wants to explore memory forensics further read the SANS blog -

SANS Computer Forensics Blog.


I've been GCFA certified since 2005, and the memory analysis in the new course material is much more in depth.

I only highlight the stages of memory analysis here: 

1. Identify Rogue Processes
2. Analyze Process DLLs and Handles
3. Review Network Artifacts
4. Look for Evidence of Code Injection
5. Check for Signs of a Rootkit
6. Acquire Processes and Drivers

These stages opened my eyes to the fact that not all evidence can be found on a dead forensic image; some of it can only be retrieved from memory, especially volatile registry data. Some malware takes advantage of memory space to compromise PCs, and all of that volatile data is gone once the PC is powered off. I'll provide more details in coming blog posts.
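Stage 1 ("Identify Rogue Processes") as an added example, not from the original post: a parent/name sanity check over a constructed "PID PPID Name" listing in the layout that memory tools such as Volatility's pslist print. The expected-parent table is a subset of the normal Windows 7 process tree and is an assumption to adjust to your own baseline.

```powershell
# Added example, not from the original post: stage 1, "Identify Rogue Processes", as a
# parent/name sanity check over a constructed "PID PPID Name" listing in the layout that
# memory tools such as Volatility's pslist print. The expected-parent table is a subset
# of the normal Windows 7 process tree and is an assumption; adjust it to your baseline.
$expectedParent = @{
    'smss.exe' = 'System'; 'services.exe' = 'wininit.exe'
    'lsass.exe' = 'wininit.exe'; 'svchost.exe' = 'services.exe'
}
$singletons = @('services.exe', 'lsass.exe', 'wininit.exe')   # exactly one instance is normal

# Constructed sample listing; the last three rows are deliberately abnormal.
$sample = @'
4    0    System
312  4    smss.exe
452  312  wininit.exe
560  452  services.exe
572  452  lsass.exe
700  560  svchost.exe
2080 1999 explorer.exe
1312 2080 svchost.exe
1840 560  scvhost.exe
1900 2080 lsass.exe
'@
function Find-RogueProcesses([string]$Listing) {
    $procs = foreach ($line in ($Listing -split "`r?`n")) {
        if ($line -match '^\s*(\d+)\s+(\d+)\s+(\S+)') {
            [pscustomobject]@{ Pid = [int]$Matches[1]; PPid = [int]$Matches[2]; Name = $Matches[3] }
        }
    }
    $byPid = @{}; foreach ($p in $procs) { $byPid[$p.Pid] = $p }
    $findings = @()
    foreach ($p in $procs) {
        $name = $p.Name.ToLower()
        if ($expectedParent.ContainsKey($name)) {
            # Parent check: a core process launched by the wrong parent, or by one that is gone.
            $parent = if ($byPid.ContainsKey($p.PPid)) { $byPid[$p.PPid].Name } else { '<exited>' }
            if ($parent -ne $expectedParent[$name]) {
                $findings += "PID $($p.Pid) $($p.Name): parent $parent, expected $($expectedParent[$name])"
            }
        } elseif ($name -match '^s[cv]{1,2}host\.exe$') {
            # Lookalike check: near-misses of svchost.exe (scvhost, svhost, schost)
            $findings += "PID $($p.Pid) $($p.Name): lookalike of svchost.exe"
        }
    }
    # Singleton check: a second services.exe/lsass.exe/wininit.exe is never normal.
    foreach ($s in $singletons) { $n = @($procs | Where-Object { $_.Name -ieq $s }).Count; if ($n -gt 1) { $findings += "$s appears $n times, expected 1" } }
    return $findings
}
Find-RogueProcesses -Listing $sample
```

On the sample listing this reports the svchost.exe started by explorer.exe, the scvhost.exe lookalike, and the second lsass.exe (both for its parent and for the duplicate).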

Wednesday, August 28, 2013

[Forensics] How to acquire EFS protected files without exporting certificates?

Microsoft Encrypting File System (EFS) is used to encrypt files on Windows. It is file-level encryption; usually the files being encrypted are in user profiles. It was a big challenge when I received a Windows machine with EFS enabled for data acquisition. I did a lot of research on forensic tools and cracking tools before I tried to acquire the data. However, those steps are time-consuming and ineffective. Here is an interesting method; hopefully it saves your day.

Microsoft EFS is only effective for files on an NTFS file system, not on FAT32. What we need to do is connect a new FAT32-formatted hard drive and run Robocopy to copy all the files to it. All EFS-encrypted files will be written in decrypted state. Done! Then image the files with FTK Imager.
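The copy-to-FAT32 method above as an added script, not from the original post. It must run in the logon session that can open the files, since EFS decrypts on read for that user; after Robocopy it verifies that no copied file still carries the Encrypted attribute and that content hashes match the plaintext read from the source. The paths and drive letters are assumptions.

```powershell
# Added example, not from the original post. Run it in the logon session that can
# open the EFS files: EFS decrypts on read for that user, so Robocopy writes plain
# copies to the FAT32 drive. Afterwards it checks that no copy still carries the
# Encrypted attribute and that content hashes match the source. Paths are assumptions.
$Source = 'C:\Users\jdoe'       # EFS-protected profile on NTFS (assumed)
$Target = 'F:\jdoe'             # folder on the new FAT32-formatted drive (assumed)
$Log    = 'F:\jdoe_robocopy.log'

# 1. Confirm the target volume really is FAT32; the Encrypted attribute cannot exist there.
$fs = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($Target.Substring(0,2))'").FileSystem
if ($fs -ne 'FAT32') { throw "Target volume is $fs, expected FAT32" }

# 2. Inventory the encrypted files in the source before copying.
$encrypted = @(Get-ChildItem -LiteralPath $Source -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Encrypted) })
"{0} EFS-encrypted files under {1}" -f $encrypted.Count, $Source

# 3. Copy with Robocopy: /E keeps empty folders, /COPY:DAT keeps data, attributes and
#    timestamps, /XJ skips the profile's junction points, /R:0 /W:0 means no retries.
& robocopy $Source $Target /E /COPY:DAT /XJ /R:0 /W:0 /NP "/LOG+:$Log" | Out-Null
if ($LASTEXITCODE -ge 8) { Write-Warning "Robocopy reported failures; check $Log" }

function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [IO.File]::OpenRead($Path)
    try { [BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '') }
    finally { $stream.Close() }
}

# 4. Verify each formerly encrypted file: the copy exists, the Encrypted bit is gone,
#    and its hash equals the plaintext this session reads from the source.
$problems = foreach ($f in $encrypted) {
    $rel  = $f.FullName.Substring($Source.Length).TrimStart('\')
    $copy = Join-Path $Target $rel
    if (-not (Test-Path -LiteralPath $copy)) { "MISSING          $rel"; continue }
    if ((Get-Item -LiteralPath $copy -Force).Attributes -band [IO.FileAttributes]::Encrypted) {
        "STILL ENCRYPTED  $rel"; continue
    }
    if ((Get-Sha256 $f.FullName) -ne (Get-Sha256 $copy)) { "HASH MISMATCH    $rel" }
}
if ($problems) { $problems } else { "All $($encrypted.Count) files copied in decrypted state" }
```

Any MISSING or STILL ENCRYPTED line means the session could not decrypt that file and the copy is not usable as-is; note it in the acquisition log before imaging the drive.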

Tuesday, August 27, 2013

[Forensics] How to acquire Microsoft Bitlocker enabled Windows OS?

Nowadays it is not uncommon to see Windows installations with BitLocker enabled to protect the laptops of frequent travellers. Acquiring a Windows OS with BitLocker is not a difficult task. Refer to my blog post about acquiring a hard drive encrypted by McAfee Endpoint Encryption (formerly SafeBoot) with FTK Imager; the procedure is similar. However, creating an E01 image on a live Windows system with FTK Imager requires caution. When you add the local hard drive as a physical device, you won't see a file structure in FTK Imager, only unallocated clusters. The E01 image is still BitLocker protected. If you add the image to a case in EnCase v7 with EnCase Decryption Suite, it prompts for the BitLocker recovery key or passphrase. Therefore, you must export the BitLocker recovery key after you receive credentials with local administrative rights. Keep in mind that the MD5 hash will differ each time you acquire the hard drive this way in live mode.

Using FTK Imager is one way. Alternatively, ask the IT administrator to provide the recovery key; then you do not need to log in to Windows. Take the hard drive out of the computer and connect it as a local device to EnCase v7 through a write-blocker (a hardware write-blocker is better). EDS detects BitLocker and asks for the recovery key/passphrase. Once you input the key provided by the IT administrator, the data on the hard drive is shown in the Tree pane in decrypted state. Right-click the physical hard drive icon and select Acquire to create another E01 image. The final E01 image is in decrypted state, so you can mount it in forensic tools.

If you want to preserve the encrypted state of the hard drive in an E01, you may connect it to a Tableau TD2 duplicator and simply create the E01. You then don't have to build an encrypted target hard drive to store the image. Of course, remember to store the recovery key separately.
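An added example, not the post's own, for the step of exporting the recovery key once you have local administrative credentials on the live machine: it records the BitLocker status and writes the numerical recovery password to the examiner's separate drive using manage-bde. The volume and output path are assumptions.

```powershell
# Added example, not from the original post: once you have local administrative
# credentials on the live machine, record the BitLocker status and export the
# numerical recovery password with manage-bde to the examiner's own drive, kept apart
# from the evidence target, so the E01 taken live can be unlocked in EDS later.
# The volume and output path are assumptions.
$Volume = 'C:'
$Out    = 'E:\case_notes\bitlocker_recovery_C.txt'   # examiner drive, not the image target

# manage-bde needs an elevated prompt, so fail early instead of getting a cryptic error.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = (New-Object Security.Principal.WindowsPrincipal $identity).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from a Command Prompt/PowerShell started as administrator' }

$status = & manage-bde -status $Volume
if ($LASTEXITCODE -ne 0) { throw "manage-bde -status $Volume failed:`n$($status -join "`n")" }
$status   # conversion status, encryption method, protection status

# -Type limits the listing to the recovery-password protector(s).
$protectors = & manage-bde -protectors -get $Volume -Type RecoveryPassword
$passwords  = @($protectors | Where-Object { $_ -match '^\s*(\d{6}-){7}\d{6}\s*$' } |
               ForEach-Object { $_.Trim() })
if ($passwords.Count -eq 0) { throw 'No numerical recovery password protector on this volume; ask the IT administrator for the escrowed key' }

# Write the full protector listing with who/when/where, then show the password(s).
New-Item -ItemType Directory -Path (Split-Path -Parent $Out) -Force | Out-Null
@("Host: $env:COMPUTERNAME  Volume: $Volume  Exported: $(Get-Date -Format s)",
  "Examiner: $env:USERDOMAIN\$env:USERNAME",
  '') + $protectors | Set-Content -LiteralPath $Out
"Recovery password(s) for $Volume written to $Out; store it separately from the E01."
$passwords
```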

[Forensics] Using Microsoft Robocopy to copy loose files to a destination and preserve metadata of the files

In civil cases, one common practice is to copy loose files when forensic imaging can't be applied, especially when you need to collect shared data from a server at a remote site. However, we still need to preserve the metadata of the files, such as the MAC times. Robocopy is a command-line utility built into Windows Vista/7 that provides the functions we need. Here is an overview of the parameters -- http://technet.microsoft.com/en-us/library/cc733145.aspx.

In the forensic field there are many ways to achieve your objectives, using commercial products or open source tools. Either way, I prefer to find the most effective way and get the work done immediately. Not only will your clients be happy with your services, but you also keep a balance between work and life. Right, this is how we need to work smart.

Of course, it's important that you prepare well and test everything before going to the client's site. Doing so increases your confidence.

Let's go back to Robocopy and take a Windows 7 environment as an example.

Server: \\fileserver\projects\

Source folder: \\fileserver\projects\accounting_data

Target drive (a new wiped drive, formatted as NTFS, connected through a USB interface): N: drive

1. On your forensic workstation running Windows 7, map the path \\fileserver\projects\accounting_data to a drive letter (e.g. M:\) in Windows Explorer using domain credentials. It is best to map with administrative rights so that you ensure there is no barrier when duplicating the data/files.

2. Run "Command Prompt" as an administrator.

3. Test whether robocopy is present - C:\>robocopy /? - it shows all the parameters of robocopy. If it is not present, use IT's best friend: google it, download it, and test it.

4. Run the command C:\>robocopy M: N: /S /ZB /COPY:DAT /R:0 /W:0 /FP /NP /LOG+:"N:\accounting_data.log" (read the link above to understand why we use these parameters).

5. Press Enter a few times and wait. Once Robocopy completes, the prompt returns to the drive letter you are in. You can check the log (N:\accounting_data.log) with WordPad or your favourite editor to see whether the list of files was copied and whether any errors were recorded.

Note that your target drive (N: drive) now contains all the data copied from the file server. DO NOT open, access, browse or click the N: drive. Disconnect the USB interface from the Windows forensic workstation.

If you do want to read the files, connect the target drive to the Windows forensic workstation through a hardware write-blocker such as WiebeTECH or Tableau. This avoids any modification to the data on the target drive.

When time is available, run forensic tools such as EnCase Imager, EnCase or X-Ways Forensics to image the files from the target drive to E01 (expert witness format) or L01 (logical evidence format).
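The five steps above as an added script, not from the original post, for the page's scenario: it maps the share, runs the post's Robocopy command, reads the log summary, and compares the creation and modification times of a random sample of files on M: and N: before you disconnect the drive. The domain account is an assumption, and /DCOPY:T is added because /COPY:DAT alone does not preserve folder timestamps.

```powershell
# Added example, not from the original post: the five steps above as a script for the
# page's scenario (M: mapped to \\fileserver\projects\accounting_data, N: the wiped NTFS
# target), followed by a verification pass that reads the Robocopy log summary and
# compares creation and modification times of a random sample of files on M: and N:.
# The domain account is an assumption; /DCOPY:T is added so folder timestamps are kept too.
$Share  = '\\fileserver\projects\accounting_data'
$Source = 'M:\'
$Target = 'N:\'
$Log    = 'N:\accounting_data.log'

# Step 1: map the share; the trailing * makes net use prompt for the password.
& net use M: $Share /USER:DOMAIN\examiner * | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not map $Share to M:" }

# Step 4: the post's command. /COPY:DAT keeps file data, attributes and timestamps;
# /DCOPY:T (present in the Windows 7 Robocopy) keeps the folder timestamps as well.
& robocopy $Source $Target /S /ZB /COPY:DAT /DCOPY:T /R:0 /W:0 /FP /NP "/LOG+:$Log" | Out-Null
$rc = $LASTEXITCODE   # 8 or higher means at least one file or folder failed to copy

# Step 5: pull the Dirs/Files summary rows out of the log instead of scrolling through it.
Get-Content -LiteralPath $Log | Where-Object { $_ -match '^\s+(Dirs|Files)\s*:' }
if ($rc -ge 8) { Write-Warning "Robocopy exit code $rc; search $Log for ERROR lines" }

# Metadata check on a random sample. Only directory entries are read (no file content
# is opened), so the target is not modified. Last-access time is left out because the
# file server itself may update it when the file is read.
function Compare-Timestamps([string]$Src, [string]$Dst, [int]$SampleSize = 25) {
    $files = Get-ChildItem -LiteralPath $Src -Recurse -Force -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer } | Get-Random -Count $SampleSize
    foreach ($f in $files) {
        $rel = $f.FullName.Substring($Src.Length)
        $g = Get-Item -LiteralPath (Join-Path $Dst $rel) -Force -ErrorAction SilentlyContinue
        if (-not $g) { "MISSING  $rel"; continue }
        foreach ($t in 'CreationTimeUtc', 'LastWriteTimeUtc') {
            if ($f.$t -ne $g.$t) { "$t differs  $rel  M:=$($f.$t.ToString('o'))  N:=$($g.$t.ToString('o'))" }
        }
    }
}
$diffs = @(Compare-Timestamps -Src $Source -Dst $Target)
if ($diffs.Count) { $diffs } else { 'Sampled creation and modification times match on M: and N:' }
```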

Hope this helps and Good Luck!

Saturday, August 24, 2013

[Forensics] Acquire a hard drive encrypted by McAfee SafeBoot version 6

An encrypted hard drive is a challenge to a forensicator performing an acquisition; at least, I face that challenge every day. Some of my clients request the acquisition of encrypted hard drives at the very last minute, or without any technical information about the encryption. With a limited timeframe, nothing is better than being well prepared in advance.

If a hard drive is merely taken out of the laptop/desktop case and connected to a forensic workstation through a write-blocker to create a forensic image, or even imaged with a forensic device such as a Tableau duplicator, the data in the image is still in encrypted state: when it is mounted in forensic tools you usually see an unknown file system, or unallocated space without actual data.

I had a chance to acquire a hard drive encrypted by McAfee SafeBoot version 6. EnCase version 7 has the EnCase Decryption Suite (EDS), which can detect whether mounted media or a forensic image is encrypted. If EDS detects encryption by one of its supported encryption applications (such as McAfee SafeBoot), it prompts for credentials to unlock the decryption. Note: unlock means that you can read the file structure in the Tree pane. When you right-click the physical hard drive icon and select Acquire to another E01, the new E01 will contain the data in decrypted state. I think this is the optimal method.

However, you might not be able to obtain the encryption recovery key or credentials easily, for various reasons. Here is another method.

1. Ask the end user to provide his Windows login credentials.
2. Log in to the Windows OS.
3. Ensure the account is in the local Administrators group.
4. Download FTK Imager (free edition) from http://www.accessdata.com/support/product-downloads to a USB drive.
5. Run FTK Imager from the USB drive and add the hard drive as a physical device.
6. View the file structure in the Tree pane; it is decrypted if you can read actual files (export a file to the USB drive and open it with the associated application, such as Word for .docx).
7. Connect a new hard drive to store the acquired image files.
8. Export the drive image to E01 in FTK Imager and store it on the new hard drive.
9. Verify it and try to mount the E01 in other forensic tools.

Unfortunately, using this method with FTK Imager to image a Microsoft BitLocker-enabled drive doesn't work. I'll explain in another article.

Disclaimer: This article is for reference only. Please test it before applying it to an actual scenario; the author accepts no liability for any damage caused.