December, 2006
by Chetan Gupta, NII Consulting
Many times, as an investigator, I have to deal with carving data out of unallocated space in a partition. There are many commercial data carving tools, such as EnCase, WinHex, AccessData FTK, DataLifter and ILook Investigator. Well, I have tried most of these and must say each has its share of pros and cons.
Read the full article »
by Chetan Gupta, NII Consulting
Well, last week was abuzz with activity when we had to recover data from a corrupt Linux hard disk. I thought it would be pretty easy, but as soon as I loaded the hard disk I knew something was amiss.
Read the full article »
September, 2006
By Kush Wadhwa, NII Consulting
Have you ever thought of hiding data in such a manner that it survives even a format of the hard disk? Well, in this article we'll look at just that: we will see how you can hide and unhide crucial data on your hard disk. The technique used to hide the data is known as HPA, which stands for Host Protected Area. Let us first discuss HPA…
HPA - The Host Protected Area (also called the Hidden Protected Area or the Predesktop Area) is a region, usually a few gigabytes in size, at the end of a hard disk that the drive does not report to the operating system.
Since we have to calculate how much disk space to put into the HPA, here is a little about hard disk sectors.
Sectors - A sector is the smallest unit that can be addressed on a hard disk. Each platter (circular disk) of a hard disk is divided into concentric tracks. Tracks get longer from the centre of the disk towards the outside, so tracks near the outer edge hold more sectors than those near the centre.
1 Sector = 512 bytes
(This held for every drive in 2006; newer "Advanced Format" drives use 4096-byte physical sectors, but most still present 512-byte logical sectors, and it is the logical sector that the HPA calculations below use.)
Let us first see how many sectors my hard disk has, which is easily done with the hdparm command (hdparm -I prints the number of LBA user-addressable sectors; the screenshot is not reproduced here).

From that output we can see that the disk has 78165359 sectors. Converting to gigabytes: 78165359 sectors x 512 bytes = 40,020,663,808 bytes, or 37.27 GB (37.27214766 GB, counting 1024^3 bytes per GB). To hide data, create a separate partition for it and make it the last partition on the disk: an HPA can only occupy the end of the disk, never the beginning or the middle. Using sfdisk -luS, note the starting sector of that last partition. In my case it is 64776751. I want the first 64776751 sectors (LBA 0 to 64776750) to remain accessible and everything after them to go into the HPA. To do that I will use a small C program, setmax.c, which can be downloaded from the link below.
http://www.win.tue.nl/~aeb/linux/setmax.c
To compile this program I will use gcc
[root@hack3rs root]#gcc -o setmax setmax.c
To compile it in statically,
[root@hack3rs root]#gcc -static -o setmax setmax.c
Since 64776751 sectors are to remain accessible, run:
[root@hack3rs root]# ./setmax --delta 64776751 /dev/hdc (substitute your own device name)
The --delta option creates a temporary HPA; for a permanent HPA use the --max option of setmax instead. (In ATA terms, the SET MAX ADDRESS command that setmax issues carries a flag that decides whether the new maximum survives a power cycle or reverts at the next power-on.)
Congratulations! You have hidden the last 13388608 sectors of the disk (78165359 - 64776751 = 13388608 sectors, or 6,854,967,296 bytes, roughly 6.4 GB). Note that the MBR in sector 0 still carries the partition entry for the hidden partition, and a partition entry that extends past the disk's reported size is itself a giveaway to an examiner who compares the partition table (for example with mmls from The Sleuth Kit) against the reported capacity. You can check whether your disk has an HPA with disk_stat, which comes with The Sleuth Kit (http://www.sleuthkit.org). The syntax is disk_stat DEVICE, where DEVICE is the whole disk, for example /dev/hda, /dev/hdc or /dev/sda, never a partition name such as /dev/hda1. Newer versions of hdparm report the same information with hdparm -N, which prints the user-visible and native sector counts and whether an HPA is enabled.
Unhiding your Host Protected Area (specially written for the digital forensics team)
When a digital forensics team examines a machine, they should check whether the hard disk has an HPA. If it does, it is quite possible that data has been stored there, and that data could help them solve the case. So let us first detect whether the disk has an HPA. As said earlier, this is easily done with disk_stat, which shows the Maximum Disk Sector and the Maximum User Sector.
Maximum Disk Sector: the total number of sectors on the disk (the drive's native maximum).
Maximum User Sector: the number of sectors the user can currently access (what the drive reports to the operating system).
For the example above I got the following result:
Maximum Disk Sector: 78165359
Maximum User Sector: 64776751
** HPA Detected (Sectors 64776751 - 78165359) **
This means that sectors 64776751 to 78165359 are in the HPA. Now use setmax again to unhide them:
[root@hack3rs root]# ./setmax --delta 78165359 /dev/hdc
This makes the whole disk accessible again. Because this changes a setting on the evidence drive, an examiner should document the step and prefer a temporary change; The Sleuth Kit ships disk_sreset for exactly that, removing the HPA only until the next power cycle. I hope you all enjoyed reading the article.
Happy Experimenting!
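The detection step of the HPA article above, as an added example written for this page (it is not code from the article or from The Sleuth Kit). It decodes the ATA IDENTIFY DEVICE block to obtain the number of sectors the host may address (the article's "Maximum User Sector"), compares it with the drive's native maximum (the "Maximum Disk Sector", which a drive returns to READ NATIVE MAX ADDRESS and which is assumed here to be supplied by the caller, for instance from hdparm -N), and reports the hidden range. The IDENTIFY block used in the demo is constructed from the article's numbers; on Linux, as root, the fetch_identify function reads a real one through the HDIO_DRIVE_CMD ioctl.

```python
"""Added example (not from the article, not Sleuth Kit's disk_stat).

Decode an ATA IDENTIFY DEVICE block, compare the host-addressable sector count
with the drive's native maximum, and report an HPA like disk_stat does.
The native maximum is assumed to be passed in by the caller (e.g. from hdparm -N).
"""
import struct

SECTOR = 512
HDIO_DRIVE_CMD = 0x031F     # from linux/hdreg.h
ATA_IDENTIFY = 0xEC         # IDENTIFY DEVICE command


def _word(identify: bytes, n: int) -> int:
    """16-bit word n of the 512-byte IDENTIFY block (little-endian words)."""
    return struct.unpack_from("<H", identify, 2 * n)[0]


def ata_features(identify: bytes) -> dict:
    """Feature bits that matter here: words 82/85 (HPA) and 83/86 (LBA48), bit 10 each."""
    return {
        "hpa_supported": bool(_word(identify, 82) & (1 << 10)),
        "hpa_enabled": bool(_word(identify, 85) & (1 << 10)),
        "lba48": bool(_word(identify, 83) & (1 << 10)),
    }


def user_sectors(identify: bytes) -> int:
    """Sectors the host may address: words 100-103 (LBA48) or words 60-61 (28-bit LBA)."""
    if ata_features(identify)["lba48"]:
        return struct.unpack_from("<Q", identify, 2 * 100)[0]
    return struct.unpack_from("<I", identify, 2 * 60)[0]


def hpa_report(native_sectors: int, user: int) -> dict:
    """Mirror disk_stat's output. Both inputs are sector counts."""
    hidden = max(native_sectors - user, 0)
    return {
        "max_disk_sector": native_sectors,
        "max_user_sector": user,
        "hidden_sectors": hidden,
        "hidden_bytes": hidden * SECTOR,
        "hpa": hidden > 0,
        "first_hidden_lba": user if hidden else None,
    }


def fetch_identify(device: str) -> bytes:
    """Linux only, needs root: IDENTIFY DEVICE via the legacy HDIO_DRIVE_CMD ioctl."""
    import fcntl
    import os
    args = bytearray(4 + SECTOR)            # [command, sector, feature, count] + data
    args[0], args[3] = ATA_IDENTIFY, 1
    fd = os.open(device, os.O_RDONLY | os.O_NONBLOCK)
    try:
        fcntl.ioctl(fd, HDIO_DRIVE_CMD, args, True)
    finally:
        os.close(fd)
    return bytes(args[4:])


def sample_identify(lba48: bool = True, sectors: int = 64776751) -> bytes:
    """Constructed IDENTIFY block (not read from a drive) using the article's numbers."""
    buf = bytearray(SECTOR)
    struct.pack_into("<H", buf, 2 * 82, 1 << 10)    # HPA feature supported
    struct.pack_into("<H", buf, 2 * 85, 1 << 10)    # HPA feature enabled
    struct.pack_into("<I", buf, 2 * 60, sectors)    # 28-bit user-addressable count
    if lba48:
        struct.pack_into("<H", buf, 2 * 83, 1 << 10)
        struct.pack_into("<H", buf, 2 * 86, 1 << 10)
        struct.pack_into("<Q", buf, 2 * 100, sectors)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:      # hpa_check.py /dev/sdb NATIVE_SECTORS
        ident, native = fetch_identify(sys.argv[1]), int(sys.argv[2])
    else:                       # demo on the constructed block
        ident, native = sample_identify(), 78165359
    r = hpa_report(native, user_sectors(ident))
    print(f"Maximum Disk Sector: {r['max_disk_sector']}")
    print(f"Maximum User Sector: {r['max_user_sector']}")
    if r["hpa"]:
        print(f"** HPA Detected ({r['hidden_sectors']} sectors, "
              f"{r['hidden_bytes'] / 2**30:.2f} GiB, from LBA {r['first_hidden_lba']}) **")
```

Run it with no arguments for the constructed demo, or as hpa_check.py /dev/sdb 78165359 against a real drive. The counts come from the drive's own firmware, so the check works through a write blocker that passes ATA commands; a USB-to-ATA bridge that does not pass them will typically show no HPA at all, which is a reason to image directly from a SATA/IDE port when an HPA is suspected.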
August, 2006
by Bhushan Shah, NII Consulting
Mrs Carol L. Stimmel has taken it upon herself to start a Computer Forensics Volunteer Project to provide low-cost services to those who could not otherwise benefit from our skills.
Here is an excerpt from the press release:
“As expert members of the international computer forensics community which provides unique and highly desirable services to the legal system, we assume a responsibility to provide services to those in need yet unable to pay. As a result, the Computer Forensics Volunteer Project (CFVP) provides pro bono and low-cost forensic services to individuals and organizations who normally would not be able to take advantage of the distinct litigation advantage provided by these techniques.”
On behalf of NII Consulting I have volunteered to take part in the project and would like to help people who cannot afford such services.
August, 2006
by Bhushan Shah, NII Consulting
index.dat is a file in which Internet Explorer keeps the list of websites a user has visited. Its name comes from "indexing", which is used to speed up query responses.
The AutoComplete feature in Internet Explorer compares the address being typed against index.dat to find a matching entry. The size and lifetime of index.dat depend on the user and on the setting under Internet Explorer: Tools > Internet Options ("Days to keep pages in history").
Read the full article »
July, 2006
By Chetan Gupta, NII Consulting
In keeping with NII's mantra of innovation and research, we have developed our own tool for initial response on compromised Linux systems. It is appropriately titled LINReS, which stands for "Linux INcident Response Script".
LINReS is a live response script designed to run on suspect or compromised Linux systems. It consists mostly of statically compiled binaries and bundles the shared libraries needed by the few binaries that are not statically compiled. All in all, no binary from the compromised system is used by the tool, which mitigates the risk of collecting information through trojaned programs on that system. (Bringing trusted binaries defends against trojaned user-space tools; a kernel-level rootkit can still feed them false data, which is why live-response output should later be compared against an offline image.)
Read the full article »
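An added example (written for this page; it is not part of LINReS) of a check one would run on such a toolkit before trusting it: a tool that is not really static still carries a PT_INTERP program header, so the suspect host's own ld.so and shared libraries get mapped into it and a trojaned libc can lie to it. The check reads the ELF header and program headers directly rather than calling ldd or file(1), which would execute code from the host. The two sample images at the bottom are constructed byte strings (headers only, not runnable binaries), and the PT_INTERP/PT_DYNAMIC constants and ELF field offsets are the standard ones from the ELF specification.

```python
"""Added example; not part of LINReS.  Verify that live-response binaries are
statically linked by parsing ELF program headers, without running host tools."""
import os
import struct

PT_DYNAMIC, PT_INTERP = 2, 3


def program_headers(data: bytes) -> list:
    """[(p_type, p_offset, p_filesz), ...] from an ELF32 or ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    elf_class, byte_order = data[4], data[5]            # EI_CLASS, EI_DATA
    end = "<" if byte_order == 1 else ">"
    if elf_class == 2:                                  # ELF64 header offsets
        phoff = struct.unpack_from(end + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        fmt, type_ix, off_ix, size_ix = end + "IIQQQQQQ", 0, 2, 5
    elif elf_class == 1:                                # ELF32 header offsets
        phoff = struct.unpack_from(end + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        fmt, type_ix, off_ix, size_ix = end + "IIIIIIII", 0, 1, 4
    else:
        raise ValueError("unknown ELF class")
    out = []
    for i in range(phnum):
        f = struct.unpack_from(fmt, data, phoff + i * phentsize)
        out.append((f[type_ix], f[off_ix], f[size_ix]))
    return out


def link_info(data: bytes) -> dict:
    """Does this binary need the host's dynamic loader?"""
    interp, has_dynamic = None, False
    for p_type, p_offset, p_filesz in program_headers(data):
        if p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode("ascii", "replace")
        elif p_type == PT_DYNAMIC:
            has_dynamic = True
    # No PT_INTERP means the kernel maps the file itself; a static-PIE has a
    # PT_DYNAMIC segment but still needs nothing from the host.
    return {"static": interp is None, "interp": interp, "has_dynamic": has_dynamic}


def audit_toolkit(directory: str) -> dict:
    """name -> 'static' | 'dynamic (needs <interp>)' | 'not ELF' for each file in a toolkit dir."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if data[:4] != b"\x7fELF":
            report[name] = "not ELF"             # shell scripts etc.: they run the host's /bin/sh
            continue
        info = link_info(data)
        report[name] = "static" if info["static"] else f"dynamic (needs {info['interp']})"
    return report


def make_elf64(phdrs, payload=b"") -> bytes:
    """Constructed minimal little-endian ELF64 image: 64-byte header + program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # class 64, little-endian, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs) + payload


INTERP = b"/lib64/ld-linux-x86-64.so.2\0"
LOAD = (1, 5, 0, 0, 0, 0x1000, 0x1000, 0x1000)          # PT_LOAD, flags R+X
SAMPLE_STATIC = make_elf64([LOAD])
SAMPLE_DYNAMIC = make_elf64(
    [LOAD, (PT_INTERP, 4, 64 + 2 * 56, 0, 0, len(INTERP), len(INTERP), 1)], INTERP)

if __name__ == "__main__":
    import sys
    for name, result in audit_toolkit(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{name:<24} {result}")
```

Point it at the toolkit's bin directory; every entry that is not reported as "static" either needs its own bundled libraries (and LD_LIBRARY_PATH pointed at them) or should not be on the media at all.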
July, 2006
NII Consulting’s Chetan Gupta (GCFA) has published an article at ForensicFocus on the Alternate Data Streams in NTFS, and how these can be detected.
This article discusses a “…particular feature of this file system which was designed to offer compatibility with Macintosh Hierarchical File System (HFS) and store additional data called metadata for a file. This feature is known as Alternate Data Streams (ADS). The Macintosh file system stores its data in two parts, the resource fork and the data fork. The data fork is where the data is actually contained and the resource fork tells the operating system how to interpret the data fork. Alternate Data Streams is the Microsoft way of implementing resource fork. The ADS is a hidden stream in addition to the regular data stream which contains the main data for the file. This hidden stream contains metadata for the file such as the file access/modification times, attributes etc. ”
Click here to read more.
By Bhushan Shah, NII Consulting
Windows does not store user passwords in clear text: it stores hashes of them in the registry (the SAM hive), which the system additionally encrypts with the SYSKEY. The LM hash was the first hash function Microsoft used to protect passwords. When its security problems became apparent (the LM hash is quite insecure) Microsoft had to come up with NTLM, and the most recent version is NTLM version 2.
A hash function is a way of creating a small digital "fingerprint" from any kind of data. The function chops and mixes the data to create the fingerprint, often called a hash value.
The LM hash, or LAN Manager hash, is one of the formats that Microsoft LAN Manager and Microsoft Windows use to store user passwords of fewer than 15 characters.
Read the full article »
July, 2006
By Chetan Gupta, NII Consulting
In my previous article on UserAssist, I described how UserAssist records a user's access to specific objects on the system and how that greatly aids forensic investigations.
Although I had shown how to decrypt the keys, what was missing was how to interpret the 16 bytes of data associated with each entry. (Thanks to Harlan Carvey for his valuable input on this.)
Here is a cool piece of code I found here that allows you to decrypt the entries.
Read the full article »
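An added example of the decoding the post above refers to, written for this page; it is not the code the post links to. The value names are ROT13-obfuscated, and the 16-byte value follows the Windows XP layout as documented by Harlan Carvey: a 4-byte session ID, a 4-byte run counter stored with 5 added, and an 8-byte FILETIME of the last run. The entries decoded below are constructed, not taken from a real hive, and the program paths in them are made up.

```python
"""Added example; not the code the post links to.  Decodes Windows XP
UserAssist entries (ROT13 name + 16-byte session/count/FILETIME value)."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
COUNT_BIAS = 5      # XP stores count + 5, so a program run once shows a raw value of 6


def rot13(text: str) -> str:
    """ROT13 is its own inverse: the same call obfuscates and reveals a name."""
    return codecs.decode(text, "rot_13")


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-ns ticks since 1601-01-01 00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_entry(name: str, data: bytes) -> dict:
    """Turn one (value name, 16-byte value) pair into readable fields."""
    if len(data) != 16:
        # Vista and later use a longer, differently laid out value; refuse rather than misread it.
        raise ValueError(f"expected 16 bytes of XP UserAssist data, got {len(data)}")
    session, raw_count, ft = struct.unpack("<IIQ", data)
    return {
        "name": rot13(name),
        "session": session,
        "count": max(raw_count - COUNT_BIAS, 0),
        "last_run": filetime_to_datetime(ft) if ft else None,
    }


def build_entry(plain_name: str, count: int, last_run=None, session: int = 1):
    """Constructed test data: encode a name and pack a value the way XP does."""
    ft = datetime_to_filetime(last_run) if last_run else 0
    return codecs.encode(plain_name, "rot_13"), struct.pack("<IIQ", session, count + COUNT_BIAS, ft)


# Constructed sample entries (made-up paths and times, not from a real registry)
SAMPLE_ENTRIES = [
    build_entry("UEME_RUNPATH:C:\\WINDOWS\\system32\\notepad.exe", 8,
                datetime(2006, 7, 1, 12, 30, tzinfo=timezone.utc)),
    build_entry("UEME_RUNPATH:D:\\tools\\nc.exe", 1,
                datetime(2006, 7, 2, 3, 15, 42, tzinfo=timezone.utc)),
    build_entry("UEME_CTLSESSION", 0, None),
]


def decode_all(entries) -> list:
    return [decode_entry(name, data) for name, data in entries]


if __name__ == "__main__":
    for e in decode_all(SAMPLE_ENTRIES):
        when = e["last_run"].isoformat() if e["last_run"] else "never"
        print(f"{e['name']:<55} runs={e['count']:<3} last={when}")
```

The FILETIME is UTC; convert to the machine's local time zone only when presenting it alongside other local-time artefacts. The 16-byte check matters in practice because Windows 7 and later store a 72-byte value with a different layout, which this decoder deliberately rejects.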
June, 2006
by Chetan Gupta, NII Consulting
A small experiment: create a new text file, open it in Notepad, type "Hello", then save and exit the editor. Right-click the file and check its properties. Notice the two attributes "Size" and "Size on disk". On my Windows XP system it looks like this:
Size: 5 bytes (5 bytes)
Size on disk: 4.00 KB (4,096 bytes)
Have you ever wondered why this difference exists? If the file's contents are only 5 bytes, why are the remaining bytes assigned to the file? Do they serve any purpose? Well, at least not to the average computer user!
Read the full article »