Friday, February 22, 2013

File System Geography - EXT2

- Create an EXT2 image.
Before the test I made an EXT2 image file named EXT2.dd.
The procedure is as follows.

(1) Create a File filled with zeros.
dd if=/dev/zero of=EXT2.dd bs=1024000 count=10 

10+0 records in
10+0 records out
10240000 bytes (10 MB) copied, 0.487653 s, 21.0 MB/s

(2) Format EXT2.dd as an EXT2 filesystem (mkfs hands the call to mke2fs). The block size (4096) and inode count (640) it prints, together with the 256-byte inode size read from the superblock below, determine every offset in the rest of this post.
mkfs -T ext2 EXT2.dd

mke2fs 1.41.9 (22-Aug-2009)

EXT2.dd is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
640 inodes, 2500 blocks
125 blocks (5.00%) reserved for the super user
First data block=0
1 block group
32768 blocks per group, 32768 fragments per group
640 inodes per group

Writing inode tables: done                            

Writing superblocks and filesystem accounting information: done

(3) Identify the EXT2.dd file type with file(1).


# file EXT2.dd 
EXT2.dd: Linux rev 1.0 ext2 filesystem data, UUID=8f4aeba5-aa03-4000-be18-3cb597a585f1 (large files)


(4) Loop-mount EXT2.dd and copy forensics.jpg into it as the test file.

# mount -o loop EXT2.dd ./RAW/

# df

Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sda3             28755580   4839728  22455144  18% /
udev                    513268       232    513036   1% /dev
none                    513268       136    513132   1% /dev/shm
none                    513268       344    512924   1% /var/run
none                    513268         0    513268   0% /var/lock
none                    513268         0    513268   0% /lib/init/rw
none                  28755580   4839728  22455144  18% /var/lib/ureadahead/debugfs
/dev/sda1               233333     23889    197397  11% /boot
/dev/sdb1            206422036    191748 195744668   1% /cases
/dev/loop1                9824        24      9300   1% /test/EXT2/RAW

# cp ~/Desktop/forensics.jpg ./RAW/

# ls ./RAW/
forensics.jpg  lost+found

# umount /dev/loop1


- EXT2 Layout

This image has a single block group (mke2fs reported "1 block group"), so the whole 10 MB volume is laid out as: boot/reserved area and superblock in block 0, group descriptor table in block 1, block bitmap in block 2, inode bitmap in block 3, inode table in blocks 4 to 43, and data blocks from block 44 (0x2C) onward. The sections below read each of these structures out of the image by hand.


- The 6 Contents of a Block Group

A block group has six parts:

Super Block - metadata of the whole filesystem (inode and block counts, block size, inode size, first non-reserved inode number); group 0 always holds a copy, and backup copies may live in other groups
Group Descriptor Table - one 32-byte descriptor per group giving the block numbers of that group's block bitmap, inode bitmap and inode table
Block Bitmap - one bit per block in the group: which blocks are allocated
Inode Bitmap - one bit per inode in the group: which inodes are allocated
Inode Table - the inodes that belong to the group
Data Blocks - the file and directory data that belong to the group




- Super Block

The superblock starts 0x400 (1024) bytes into the volume and is 1024 bytes long; with 4 KiB blocks it sits inside block 0.

Values read from it for this image (offsets relative to the start of the superblock):

Magic (s_magic, offset 0x38) : 0xEF53
The Size of Inode (s_inode_size, offset 0x58) : 256 (0x100) bytes
The Total Count of Inodes (s_inodes_count, offset 0x00) : 640 (0x280)
The Total Size of the Inode Table : 640 * 256 = 163840 bytes
The Size of Block (s_log_block_size, offset 0x18) : 2 => 1024 << 2 = 4096 bytes
The First Non-reserved Inode (s_first_ino, offset 0x54) : 11





- Group Descriptor

Block 1, the second 4 KiB block (byte offset 0x1000), holds the group descriptor table. This image has one group, so there is a single 32-byte descriptor:

Blocks Bitmap Offset (bg_block_bitmap) : block 2
Inodes Bitmap Offset (bg_inode_bitmap) : block 3
Inodes Table Offset (bg_inode_table) : block 4


- Identify Blocks / Inodes Bitmap and Table offset

Byte offsets are block number times block size:

Blocks Bitmap Offset : 2 * 0x1000 = 0x2000
Inodes Bitmap Offset : 3 * 0x1000 = 0x3000
Inodes Table Offset : 4 * 0x1000 = 0x4000

Data blocks begin right after the inode table, and the inode table occupies as many blocks as the total inode count requires.

The size of an inode is 256 bytes and there are 640 inodes (both values come from the superblock):

640 * 256 = 163840 bytes
163840 / 4096 (block size) = 40 blocks

so

inode table start + 40 blocks = block 4 + 40 = block 44 (0x2C) = beginning of data, at byte offset 0x2C * 0x1000 = 0x2C000


- Inode

Inode numbers start at 1, not 0, and the first ten inodes (1 to 10) are reserved; s_first_ino in the superblock is 11, the first inode handed out to ordinary files and directories:

1 - Bad Blocks Inode
2 - Root Directory Inode
3 - ACL Index Inode (later reused for the user quota)
4 - ACL Data Inode (later reused for the group quota)
5 - Boot Loader Inode
6 - Undelete Directory Inode
7 to 10 - reserved

The reserved inodes therefore occupy 0xA00 bytes (2560 = 256 * 10) at the start of the inode table. This is why lost+found, the first thing mke2fs creates, gets inode 11 and forensics.jpg gets inode 12 (0xC).

An inode holds the file's metadata (mode, uid/gid, size, timestamps, link count) and, at offset 0x28, the i_block array of 15 block pointers: 12 direct pointers followed by one single-, one double- and one triple-indirect pointer. The inode contains no file name. For a directory inode the pointed-to blocks hold directory entries, and each directory entry maps a name to an inode number, which in turn gives the location of the data.


The root directory inode (inode 2) points at the block holding the root directory's entries, among them the one for forensics.jpg.

The root inode is the second inode, so from the inode table at 0x4000 I moved to 0x4000 + 0x100 = 0x4100 (inode size 0x100 = 256 bytes; inode 1, the bad-blocks inode, occupies 0x4000 to 0x40FF).

The first block pointer, i_block[0], sits at offset 0x28 inside the inode, i.e. at 0x4128. Its value is 0x2C.

The root directory's entries are therefore in block 0x2C, at byte offset 0x2C * 0x1000 = 0x2C000, the first data block after the inode table.


- Directory Entry

Each entry in a directory block has this structure:

inode number - 4 bytes (0 marks an unused or deleted slot)
record length - 2 bytes (distance to the next entry, padded to a multiple of 4; the last entry's length runs to the end of the block)
name length - 1 byte
file type - 1 byte (1 = regular file, 2 = directory)
name - name length bytes, not NUL-terminated

forensics.jpg's entry follows the ".", ".." and lost+found entries in block 0x2C.
Its inode number is 0x0C (12).

The formula for the offset of forensics.jpg's inode:

How : Inode Table Offset + (file's Inode Number - 1) * Inode Entry Size
Real Data : 0x4000 + (0xC - 1) * 0x100 = 0x4000 + 0xB00 = 0x4B00
=> Inode numbering starts at 1, so one Inode Entry Size (0x100) must be subtracted.




- The inode of forensics.jpg

At 0x4B28 the i_block array of inode 12 holds 0x32, 0x33, 0x34, 0x35, 0x36: forensics.jpg occupies five contiguous blocks, 0x32 to 0x36 (50 to 54 in decimal). The remaining pointers are 0, so there are no indirect blocks.

I identified the JPEG signature (FF D8 FF) at offset 0x32 * 0x1000 = 0x32000.


- Identify a JPEG (forensics.jpg)

To carve forensics.jpg out of the image I used dd.
if => input file
of => output file
bs => I/O block size; set it to the filesystem block size (4096) so that skip and count can be given in filesystem blocks
skip => number of input blocks (of bs bytes) to skip before copying; block 0x32 = 50, so skip=50 (50 * 4096 = 204800 = 0x32000 bytes)
count => number of blocks to copy; the inode lists five

bash-3.2# dd if=EXT2.dd of=forensics.jpg bs=4096 skip=50 count=5
5+0 records in
5+0 records out
20480 bytes transferred in 0.000217 secs (94394886 bytes/sec)

Note that skip counts blocks of bs bytes, not bytes: with bs=4096, skip=204800 would start 800 MB into a 10 MB image and copy nothing. The five whole blocks (20480 bytes) also include the slack after the end of the file; truncating the output to i_size from the inode gives a byte-exact copy whose hash matches the original.

File : forensics.jpg
URL : http://pchs.peachschools.org/sites/pchs.peachschools.org/files/computer-forensics.jpeg





Tuesday, February 19, 2013

Tips - Disk Signature

An examiner makes several copies of an image because a case is worked by more than one examiner.

This time we used a single-capture function to distribute the images, so

examiner A has the image on disk 1 and
examiner B has the image on disk 2.

Because the copies are clones, both disks carry the same disk signature (the 4-byte value at offset 440 of the MBR). Windows identifies MBR disks by that signature, so when disk 1 is attached, disk 2 is refused.

OK!

Let's look at the condition in diskmgmt.msc.

Disk 2 is OFFLINE (a signature collision with a disk that is already online).


- MBRWiz.exe

In this case the examiner can use a tool such as MBRWiz.exe; the command-line version is free.




- Identify Disks

Command : MBRWiz.exe /list


- Change Disk Signature of disk 2

Command : MBRWiz.exe /disk=2 /signature=generate









- Disk Signature in Boot Sector

You can see that the disk signature has changed (the DWORD at offset 440, bytes 0x1B8 to 0x1BB of the MBR, stored little-endian; the partition table starts right after it at offset 446).


- Disk State

Both disk 1 and disk 2 are now mounted.








































How about MBRWiz.exe? The result is perfect.

Now we can mount all of the disks.  ;-)
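The scenario above in code: read the signature out of each disk's first sector, find the collision, and write a fresh signature into a working copy. This is an added example, not MBRWiz's code; sample_mbr() builds constructed 512-byte sectors with a placeholder signature 0x1234ABCD instead of reading real disks. To run it against real images, pass the first 512 bytes of each image.

```python
"""Read, compare and regenerate the NT disk signature in an MBR (the DWORD at offset 440)."""
import os
import struct

MBR_SIZE = 512
SIG_OFFSET = 440            # 0x1B8: 4-byte little-endian NT disk signature
PART_TABLE_OFFSET = 446     # 0x1BE: four 16-byte partition entries follow the signature and a reserved word
BOOT_SIG = b"\x55\xAA"      # bytes 510-511

def disk_signature(mbr):
    """Return the signature as an int; raises if the sector does not look like an MBR."""
    if len(mbr) < MBR_SIZE or mbr[510:512] != BOOT_SIG:
        raise ValueError("no 0x55AA boot signature at offset 510: not an MBR")
    return struct.unpack_from("<I", mbr, SIG_OFFSET)[0]

def find_duplicates(mbrs):
    """Group disk names by signature; any group of two or more is a disk Windows will keep offline."""
    by_sig = {}
    for name, mbr in mbrs.items():
        by_sig.setdefault(disk_signature(mbr), []).append(name)
    return {sig: names for sig, names in by_sig.items() if len(names) > 1}

def with_new_signature(mbr, new_sig=None):
    """Copy of the sector with a replacement signature (random and non-zero if none is given).
    Nothing else is touched, so boot code and partition table are byte-identical to the input."""
    if new_sig is None:
        new_sig = 0
        while new_sig == 0:                       # 0 means "no signature"; Windows would write its own
            new_sig = struct.unpack("<I", os.urandom(4))[0]
    if disk_signature(mbr) == new_sig:
        raise ValueError("new signature equals the old one")
    out = bytearray(mbr)
    struct.pack_into("<I", out, SIG_OFFSET, new_sig)
    return bytes(out)

def sample_mbr(signature, first_lba=2048, sectors=204800):
    """Constructed 512-byte MBR: no boot code, one NTFS partition entry, the given signature."""
    mbr = bytearray(MBR_SIZE)
    struct.pack_into("<I", mbr, SIG_OFFSET, signature)
    # entry: status, CHS start (3 bytes), type 0x07 (NTFS), CHS end (3 bytes), LBA start, sector count
    struct.pack_into("<B3sB3sII", mbr, PART_TABLE_OFFSET, 0x80, b"\0\0\0", 0x07, b"\0\0\0", first_lba, sectors)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)

if __name__ == "__main__":
    # the post's situation: two clones of one image, hence two disks with one signature (placeholder value)
    disks = {"disk1": sample_mbr(0x1234ABCD), "disk2": sample_mbr(0x1234ABCD)}
    print("duplicates:", {hex(s): n for s, n in find_duplicates(disks).items()})
    disks["disk2"] = with_new_signature(disks["disk2"])
    print("after regenerate:", {n: hex(disk_signature(m)) for n, m in disks.items()})
```

Regenerate only on the working copy, and record the old and new values: the change alters the image's hash against the acquisition hash, and on a bootable Windows disk the BCD store refers to the old signature.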



Friday, February 8, 2013

Tools - Time Maker

This tool decodes and encodes timestamps in the digital formats listed below.

Download : http://dorumugs-tools.googlecode.com/files/time_maker.py

Link : http://forensicinsight.org/wp-content/uploads/2012/10/INSIGHT-Digital-Times.pdf



# python time_maker.py --help
Usage: python time_maker.py -e YYYY-MM-DD,##:##:##,GMT
       python time_maker.py -e 1980-10-10,10:10:10,9

       python time_maker.py -d list
       python time_maker.py -d Time_Format -i Input_time
       python time_maker.py -d w64 -i 129943698100000000

-- Time Format List --
        w64 - Windows 64bit Big Time                (EX:129943698100000000)
        w64_big_h - (Hex) Windows 64bit Big Time    (EX:01cda71ade0d1500)
        w64_lit_h - (Hex) Windows 64bit Little Time (EX:00150dde1aa7cd01)
        wfiletime - (Hex) Windows FILETIME Time     (EX:de0d1500:01cda71a)
        wcookie -  Windows Cookie Date Time         (EX:3725399296,30254874)
        unum - Unix Numeric Time                    (EX:1349896210)
        umilli - Unix Millisecond Time              (EX:1349896210000)
        umicro - Unix Microsecond Time              (EX:1349896210000)
        unum_big_h - (Hex) Unix Numeric Little Time (EX:5075c812)
        unum_lit_h - (Hex) Unix Numeric Big Time    (EX:12c87550)
        chrome - Google Chrome Time                 (EX:12994369810317375)
        mac_ab - Mac Absolute Time                  (EX:371589010)
        mac_ab_h - (Hex) Mac Absolute Time          (EX:1625ff92)
        ms32_big_h - (Hex) MS-DOS 32bit Big Time    (EX:414a994a)
        ms32_lit_h - (Hex) MS-DOS 32bit Little Time (EX:4a994a41)
        hfs32_big_h - (hex) HFS 32bit Big Time      (EX:cc9b7892)
        hfs32_lit_h - (hex) HFS 32bit Little Time   (EX:92789bcc)

Options:
  -h, --help            show this help message and exit
  -e ENCODER, --encoder=ENCODER
                        python time_maker.py -e YYYY-MM-DD,##:##:##,GMT
                        python time_maker.py -e 1980-10-10,10:10:10,9
  -d DECODER, --decoder=DECODER
                        python time_maker.py -d list
  -i INPUT, --Input_Time=INPUT
                        python time_maker.py -d Time_Format -i Input_Time
                        python time_maker.py -d w64 -i 129943698100000000                                                                                                                                 



Encoding Sample
# python time_maker.py -e 1980-10-10,10:10:10,9

-----------------------------------------------------------------
  1 o' clock is 3600 seconds
  1 day is 86400 seconds
  1 year is 8760 hours
  1 year is 31536000 seconds
  1 second is 1000000000 nano seconds
  1 second is 1000000 micro seconds
  1 second is 1000 milli seconds
-----------------------------------------------------------------
                User Input Time -  1980-10-10 10:10:10
          User Input Time + GMT -  1980-10-10 19:10:10
-----------------------------------------------------------------
             Windows 64bit Time -  119845266100000000
   (Hex) Windows 64bit Big Time -  1a9c6a271e71500
(Hex) Windows 64bit Little Time -  0015e771a2c6a901
    (Hex) Windows FILETIME Time -  71e71500:01a9c6a2
       Windows Cookie Date Time -  1910969600,27903650
              Unix Numeric Time -  340053010
          Unix Millisecond Time -  340053010000
          Unix Microsecond Time -  340053010000000
    (Hex) Unix Numeric Big Time -  1444cc12
 (Hex) Unix Numeric Little Time -  12cc4414
             Google Chrome Time -  11984526610317375
              Mac Absolute Time -  -638254190
        (Hex) Mac Absolute Time -  x260afc6
    (Hex) MS-DOS 32bit Big Time -  014a9945
 (Hex) MS-DOS 32bit Little Time -  45994a01
       (hex) HFS 32bit Big Time -  906a7c92
    (hex) HFS 32bit Little Time -  927c6a90                                                                                                                              



Decoding Sample
# python time_maker.py -d w64 -i 129943698100000000

-----------------------------------------------------------------
  1 o' clock is 3600 seconds
  1 day is 86400 seconds
  1 year is 8760 hours
  1 year is 31536000 seconds
  1 second is 1000000000 nano seconds
  1 second is 1000000 micro seconds
  1 second is 1000 milli seconds
-----------------------------------------------------------------
                User Input Time -  129943698100000000
         User Input Time Format -  w64
            Decode Inputed Time -  2012-10-10 19:10:10
-----------------------------------------------------------------                                                                                                                         
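The formats in the list above, decoded and encoded from their epoch definitions. This is an added example, not time_maker.py's code; the values used to check it are the ones the tool prints above (w64 129943698100000000, chrome 12994369810317375, cookie 3725399296,30254874, hfs cc9b7892, and so on, all of which are 2012-10-10 19:10:10 UTC). Two caveats the tool's output glosses over: the FAT/MS-DOS time word stores seconds divided by two, so 19:10:10 encodes as 0x9945 rather than 0x994A, and a local time in UTC+9 is nine hours earlier in UTC, which is the direction local_to_utc takes with the GMT argument.

```python
"""Decode and encode the timestamp formats listed by time_maker.py, from their epoch definitions."""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Windows FILETIME, Chrome/WebKit
EPOCH_1904 = datetime(1904, 1, 1, tzinfo=timezone.utc)   # HFS / HFS+
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)   # Unix
EPOCH_2001 = datetime(2001, 1, 1, tzinfo=timezone.utc)   # Mac absolute time (CFAbsoluteTime)

def utc(year, month, day, hour=0, minute=0, second=0, microsecond=0):
    """Convenience constructor for a UTC datetime."""
    return datetime(year, month, day, hour, minute, second, microsecond, tzinfo=timezone.utc)

def _us_since(dt, epoch):
    """Whole microseconds from epoch to dt, in integers so nothing is lost to float rounding."""
    d = dt - epoch
    return (d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds

# ---- decode: raw value -> timezone-aware UTC datetime ----
def decode_filetime(ticks):                 # w64: 100 ns intervals since 1601-01-01
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def decode_chrome(us):                      # microseconds since 1601-01-01
    return EPOCH_1601 + timedelta(microseconds=us)

def decode_unix(value, scale=1):            # scale 1 / 1000 / 1_000_000 for unum / umilli / umicro
    return EPOCH_1970 + timedelta(microseconds=value * 1_000_000 // scale)

def decode_mac_absolute(seconds):           # seconds since 2001-01-01, negative before that
    return EPOCH_2001 + timedelta(seconds=seconds)

def decode_hfs(seconds):                    # unsigned 32-bit seconds since 1904-01-01
    return EPOCH_1904 + timedelta(seconds=seconds)

def decode_cookie(low, high):               # Windows cookie "low,high": the two DWORD halves of a FILETIME
    return decode_filetime((high << 32) | low)

def decode_dos(date_word, time_word):       # FAT/MS-DOS packed date and time, 2-second resolution
    year, month, day = 1980 + (date_word >> 9), (date_word >> 5) & 0xF, date_word & 0x1F
    hour, minute, sec = time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2
    return utc(year, month, day, hour, minute, sec)

def from_hex(text, little_endian=False):    # the _big_h / _lit_h spellings: same number, bytes swapped
    return int.from_bytes(bytes.fromhex(text), "little" if little_endian else "big")

# ---- encode: UTC datetime -> raw value ----
def encode_filetime(dt):
    return _us_since(dt, EPOCH_1601) * 10

def encode_chrome(dt):
    return _us_since(dt, EPOCH_1601)

def encode_unix(dt):
    return _us_since(dt, EPOCH_1970) // 1_000_000

def encode_mac_absolute(dt):
    return _us_since(dt, EPOCH_2001) // 1_000_000

def encode_hfs(dt):
    return _us_since(dt, EPOCH_1904) // 1_000_000

def encode_cookie(dt):
    ft = encode_filetime(dt)
    return ft & 0xFFFFFFFF, ft >> 32

def encode_dos(dt):
    date_word = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date_word, time_word

def to_hex(value, nbytes, little_endian=False):
    return value.to_bytes(nbytes, "little" if little_endian else "big").hex()

def local_to_utc(text, utc_offset_hours):
    """Parse 'YYYY-MM-DD,HH:MM:SS' (the tool's -e syntax) as local time in a UTC+N zone, return UTC."""
    naive = datetime.strptime(text, "%Y-%m-%d,%H:%M:%S")
    return naive.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours))).astimezone(timezone.utc)
```

All decoders return timezone-aware UTC values; convert to the examiner's or the suspect's zone as the last step, and keep the raw integer alongside the rendered time in any report.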






Thursday, February 7, 2013

Tools - GPS Tracker

With a few GPS coordinates I would just look them up in an application such as Google Earth.

With a lot of GPS coordinates, however, that does not scale.

So I wrote a tool in Python.


Download : http://dorumugs-tools.googlecode.com/files/GPS_Tracker.py

# GPS_Tracker.py --help
Usage: Python GPS_Tracker.py -l LINE.TXT -t TACK.TXT                                                                          

Options:
  -h, --help            show this help message and exit
  -l LINE, --line=LINE  Make a line from Start to End
  -t TACK, --tack=TACK  Tack a GPS on the map


Line.txt

37.3998107,127.1111664

37.3998107,127.1111664
37.3997000,127.1112142
37.3995925,127.1113009
37.3995006,127.1113432
37.3994119,127.1113712

......

37.4674538,127.0361924
37.4681327,127.0355551
.......

37.5343720,126.9972295
37.5342722,126.9969639
37.5342995,126.9966298
37.5342557,126.9965094
37.5344452,126.9964499


Tack.txt

37.4555342,127.0475550
37.5367527,127.0005321
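One way to turn the Line.txt and Tack.txt lists above into something Google Earth can open. This is an added example, not GPS_Tracker.py's code: it validates the lat,lon lines (blank lines are skipped, malformed or out-of-range values raise with the line number) and writes a KML file with one LineString for the route and one placemark per tack point. The sample input is constructed from the excerpts in the post; the output file name track.kml is an assumption.

```python
"""Turn the lat,lon lists that GPS_Tracker.py takes (-l line file, -t tack file) into a KML file."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

KML_NS = "http://www.opengis.net/kml/2.2"

def parse_points(text):
    """Parse 'lat,lon' lines into (lat, lon) floats; blank lines are skipped, bad lines raise."""
    points = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            lat, lon = (float(v) for v in line.split(","))
        except ValueError:
            raise ValueError("line %d: expected 'lat,lon', got %r" % (lineno, raw)) from None
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            raise ValueError("line %d: coordinate out of range: %r" % (lineno, raw))
        points.append((lat, lon))
    return points

def to_kml(line_points, tack_points, name="GPS_Tracker"):
    """One LineString for the track and one Placemark per tack. KML coordinates are lon,lat,alt,
    the reverse of the lat,lon order in the input files; swapping them is the classic mistake."""
    coords = " ".join("%.7f,%.7f,0" % (lon, lat) for lat, lon in line_points)
    tacks = "".join(
        "<Placemark><name>%s</name><Point><coordinates>%.7f,%.7f,0</coordinates></Point></Placemark>"
        % (escape("tack %d" % i), lon, lat) for i, (lat, lon) in enumerate(tack_points, 1))
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<kml xmlns="%s"><Document><name>%s</name>'
            '<Placemark><name>line</name><LineString><tessellate>1</tessellate>'
            '<coordinates>%s</coordinates></LineString></Placemark>%s</Document></kml>'
            % (KML_NS, escape(name), coords, tacks))

def placemarks(kml):
    """Parse the KML back into {placemark name: [(lat, lon), ...]} so the output can be checked."""
    out = {}
    for pm in ET.fromstring(kml).iter("{%s}Placemark" % KML_NS):
        name = pm.find("{%s}name" % KML_NS).text
        coords = pm.find(".//{%s}coordinates" % KML_NS).text.split()
        out[name] = [(float(c.split(",")[1]), float(c.split(",")[0])) for c in coords]
    return out

# constructed sample input, taken from the Line.txt / Tack.txt excerpts in the post
LINE_TXT = """37.3998107,127.1111664

37.3998107,127.1111664
37.3997000,127.1112142
37.3995925,127.1113009
"""
TACK_TXT = "37.4555342,127.0475550\n37.5367527,127.0005321\n"

if __name__ == "__main__":
    kml = to_kml(parse_points(LINE_TXT), parse_points(TACK_TXT))
    with open("track.kml", "w", encoding="utf-8") as f:   # open the result in Google Earth
        f.write(kml)
```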
                                                                                                                                              







EnScript - EntryClass (2)


With EntryClass I can search for items by
File Name,
Size,
Hash,
Full Path
and so on,

and, with MountVolume,

identify the files inside a ZIP.


Name Return Type Declaration
MountVolume VolumeClass const MountVolume (uint Options, const String &Password="")
MountVolume VolumeClass const MountVolume (uint Options, CredentialClass credentials)

- MountVolume -
Mounts a compound file and returns the mounted volume
Arguments:
Options - PERSIST | CALCUNALLOC | SCANDELETED | MOUNTNOPOPUP | RESOLVEPATHS | FORCEKNOWN | SCANJETDIRTY | CREDSCANONLY | SCANRMS
Password - Holds a variable length array of characters

(second overload)
Mounts a compound file and returns the mounted volume
Arguments:
Options - PERSIST | CALCUNALLOC | SCANDELETED | MOUNTNOPOPUP | RESOLVEPATHS | FORCEKNOWN | SCANJETDIRTY | CREDSCANONLY | SCANRMS
credentials - Decryption credentials


The reference above is taken from the EnCase help page.
###########################  Code and Result  ###########################

Black : Code

Red : Result

######################################################################
//Recurse all entries in the case and perform a 'View File Structure' on files that have an extension of ZIP.
//Print out the paths of the files inside the ZIPs

class MainClass;

class MainClass {
  bool good;
  void Main(CaseClass c) {
    int notWorks;
    uint opts; //can be any of EntryClass::MountOptions
    for(ItemIteratorClass i(c); EntryClass e = i.GetNextEntry();) {
      if (e.Extension().Compare("zip") == 0) {
        Console.WriteLine("Mounting " + e.FullPath());

Mounting 

        Console.WriteLine(e.TruePath());

dorumugs\C\Program Files (x86)\Autopsy\java\docs\beansbinding-1.2.1-doc.zip

        VolumeClass vol = e.MountVolume(opts, ""); //no password.  If a zip is password protected, vol will be null
        if (vol) {
          forall (EntryClass mountedEntry in vol) {
            /*
            notice that the 'FullPath' property is not the same as what the Table View shows.
            This is because the entries do not become part of the Case's Entry List until
            AFTER the script ends.  The only way to have the entries become part fo the case's
            entry list immediately is to add the device or evidence file to a case that is not
            part of the GlobalDataClass::CaseRoot().
            */
            Console.WriteLine("Entry Name=" + mountedEntry.TruePath());
            Console.WriteLine("Entry FullPath=" + mountedEntry.FullPath());


Entry Name=dorumugs\index-files
Entry FullPath=index-files
Entry Name=dorumugs\index-files\index-1.html
Entry FullPath=index-files\index-1.html
Entry Name=dorumugs\index-files\index-10.html
Entry FullPath=index-files\index-10.html
Entry Name=dorumugs\index-files\index-11.html
Entry FullPath=index-files\index-11.html
                        .
                        .
                        .
                        .
                        .


          }
        }
        else {
          Console.WriteLine("Could Not Mount " + e.FullPath());
          notWorks++;
        }
      }
    }
    if (notWorks == 0)
      Console.WriteLine("Worked");

Worked

    else
      Console.WriteLine("Does not work");

Does not work

  }
}




Wednesday, February 6, 2013

EnScript - EntryClass (1)

With EntryClass I can search for items by
File Name,
Size,
Hash,
Full Path
and so on.



BookmarkClass
Name Return Type Declaration
BookmarkClass void BookmarkClass (BookmarkClass parent=null, const String &Name="", uint Options=0)

- BookmarkClass -
parent - The parent folder for this node
Name - Name
Options - 32-bit unsigned integer


ItemIteratorClass
Name Return Type Declaration
ItemIteratorClass ItemIteratorClass ItemIteratorClass ()
ItemIteratorClass ItemIteratorClass ItemIteratorClass (CaseClass _case, uint Options=0, IterateModes mode=ItemIteratorClass::ALL, const String &Name="")
ItemIteratorClass ItemIteratorClass ItemIteratorClass (DeviceClass Device, uint Options=0)

- ItemIteratorClass -
_case - Contains global case data
Options - NORECURSE | OMITROOT | PROMPT | NOPROXY | NOEPRECORDS
mode -
Name - Name

Device - A sector device. Use this to access the device attributes
Options - NORECURSE | OMITROOT | PROMPT | NOPROXY | NOEPRECORDS


EntryClass
Name Return Type Declaration
Compare int const Compare (const String &Text, uint Options=0)
Contains bool const Contains (const String &Expression)
Namestringstatic File Name (const String & Name)

- Compare -
Returns < 0 if value is lexically less than, 0 if equal, > 0 if greater
Arguments:
Text - Input string
Options - CASE

- Contain -
Returns true if text is contained in this string
Arguments:
Expression - Search Expression

- Name -
Format string with argument
Arguments:
Format - File Name string


When you test this code, you must first select the items to iterate over, as in the picture.


The reference above is taken from the EnCase help page.

###########################  Code and Result  ###########################

Black : Code

Picture : Result

#######################################################################



//Recurse all entries and bookmark entries named 'win.ini'


class MainClass;

class MainClass {
  bool good;
  void Main(CaseClass c) {
    BookmarkClass folder(c.BookmarkRoot(), "EntryClass Example 1", NodeClass::FOLDER);




    for(ItemIteratorClass i(c); EntryClass e = i.GetNextEntry();) {
      if (e.Name() == "win.ini") {




        BookmarkClass newMark(folder);
        newMark.CopyItemData(e);
        newMark.SetComment("Bookmarked win.ini");



        good = true;
      }
    }
    if (good)
      Console.WriteLine("Worked");
    else
      Console.WriteLine("Does not work");
  }

}






Monday, February 4, 2013

EnScript - DateClass

DateClass provides date and time functions, so it is useful when converting a time to another zone such as GMT.


Let's start DateClass!


Name Return Type Declaration
NameListClass void NameListClass (NameListClass parent, const String &Name="", uint Options=0)
DayOfWeek int const DayOfWeek ()
Month int const Month ()
Day int const Day ()
Year int const Year ()
GetUnix uint const GetUnix ()
GetDateFormat String static GetDateFormat ()
GetTimeFormat String static GetTimeFormat ()
GetString String const GetString (const String &dateformat, const String &timeformat, int timezonebias)



- NameListClass -
parent - The parent folder for this node
Name - Name
Options - 32-bit unsigned integer

- DayofWeek -
Day of the week (0...6), Sunday = 0

- Month -
Month value (1..12)

- Day -
Day value (1..31)

- Year -
Year value in 4 digit format (1970..2040)

- GetUnix -
Retrieves the date as the number of seconds since 1970

- GetString -
Converts the date to the specified string format
Arguments:
dateformat - MM/dd/yy
timeformat - hh:mm:sstt
timezonebias - Time zone bias in seconds

- GetDateFormat -
Returns the global date format string

- GetTimeFormat -
Returns the global time format string



I brought it from EnCase Help page.
###########################  Code and Result  ###########################

Black : Code

Red : Result

######################################################################


class MainClass;


class MainClass {


  void Main(CaseClass c) {
    DateClass date();    
    date.Now();
    NameListClass days();
                      days.Parse("Sunday,Monday,Tuesday,Wednesday,Thursday,Friday,Saturday", ",");
    NameListClass months();
    months.Parse("Jan,Feb,Mar,April,May,June,July,Aug,Sep,Oct,Nov,Dec", ",");
    Console.WriteLine("Today's date is " + days.ChildName(date.DayOfWeek()) + " " + months.ChildName(date.Month() - 1) + " " + date.Day() + ", " + date.Year());

Today's date is Monday Feb 4, 2013


    Console.WriteLine("number of seconds since 1/1/1970 12:00AM = " + date.GetUnix());

number of seconds since 1/1/1970 12:00AM = 1359945233


    //The GetString(String, String int) method subtracts the bias from GMT
    Console.WriteLine("Current Time In Los Angeles:" + date.GetString(DateClass::GetDateFormat(), DateClass::GetTimeFormat(), 8 * 3600));

Current Time In Los Angeles:02/03/13 06:33:53PM


    Console.WriteLine("Current Time In New York:" + date.GetString(DateClass::GetDateFormat(), DateClass::GetTimeFormat(), 5 * 3600));

Current Time In New York:02/03/13 09:33:53PM


    Console.WriteLine("Current Time In Moscow:" + date.GetString(DateClass::GetDateFormat(), DateClass::GetTimeFormat(), -3 * 3600));

Current Time In Moscow:02/04/13 05:33:53AM


    Console.WriteLine("Current Time In Beijing:" + date.GetString(DateClass::GetDateFormat(), DateClass::GetTimeFormat(), -8 * 3600));

Current Time In Beijing:02/04/13 10:33:53AM


    Console.WriteLine("Note that the above times are not adjusted for Daylight Savings Time and thus may be off by an hour.");

Note that the above times are not adjusted for Daylight Savings Time and thus may be off by an hour.


    Console.WriteLine("Current System Time:" + date.GetString());

Current System Time:02/04/13 11:33:53AM



  }
}