Summerschool Aachen 2004/Incident Research Lab

From C4 Wiki


Notes on Presentations

Notes on Lab Session

Analyzing the content of an old hard drive and the content of a downloaded FAT16 image

We first took a used Maxtor 90845d4 8GB hard drive (S26361-H435-V100, SAM-2004-10-04-I) and built it into our box for external hard drives (photos of that will be available soon). Then we used the command cat /dev/sda | strings > strings.txt to write all the strings contained in the image into the file strings.txt. The image contained a lot of strings, among other things several Windows log-in passwords. We also found a lot of text about inventories and customer data, which made us guess that the hard drive had been used in a company before. We later found out from Max that the hard drive had been used by a computer shop. On the hard drive there was an HPFS/NTFS filesystem installed. As we wanted to play around a little bit more with the content of that hard drive, we decided to copy it to another external hard drive, mount it and analyze its content further. Copying the image from one hard drive to another took us almost three and a half hours... After that we tried to mount the partition on the copied image, which unfortunately didn't work out. We should have just copied the partition from the image instead of the whole image. But it was too late by the time we realized this...

While the image was being copied we did several different things:

  • we took a SCSI hard drive out of a Sparc 5 workstation and built it, together with a SCSI controller, into another computer from the laboratory.
  • we downloaded an image and analyzed its content: there was a password-protected zip file, which we opened using a zip cracking tool with the image itself as a dictionary. The password was found very easily and we could read the secret message...

--Samad Nasserian, Boris Leidner
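The image-as-dictionary attack from the notes above, written out as an added example (my code, not part of the wiki page or the lab's tooling): it pulls printable runs out of a disk image the way `strings` does, splits them into tokens, and tries each one as the password of a ZipCrypto-protected archive using Python's zipfile module. Because zipfile can read but not write traditional PKWARE encryption, the block also carries a minimal ZipCrypto encryptor that builds the test archive in memory. The "disk image" bytes, the file names, the secret text and the password Schnitzel04 are all constructed for the example.

```python
"""Added example (not from the wiki page): crack a ZipCrypto archive using the
disk image itself as the wordlist, as the lab notes describe.

The "disk image" is a constructed byte string and the archive is built in memory
with a minimal ZipCrypto encryptor (Python's zipfile can read but not write
traditional PKWARE encryption). Only the stored (uncompressed) method is produced."""
import re
import struct
import zipfile
import zlib
from io import BytesIO


def _crc32_byte(crc, b):
    """One-byte update of the reflected CRC-32 that drives ZipCrypto's key schedule."""
    crc ^= b
    for _ in range(8):
        crc = (crc >> 1) ^ (0xEDB88320 if crc & 1 else 0)
    return crc


class ZipCrypto:
    """Traditional PKWARE ("ZipCrypto") stream cipher, APPNOTE section 6.1."""

    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b):
        self.k0 = _crc32_byte(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def encrypt(self, data):
        out = bytearray()
        for b in data:
            t = self.k2 | 2
            out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(b)  # the keys advance on the plaintext byte
        return bytes(out)


def make_encrypted_zip(name, data, password, header_salt=b"\x00" * 11):
    """Single-entry, stored, ZipCrypto-protected archive. Real tools use random
    header bytes; a fixed salt keeps this example deterministic."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    header = header_salt + bytes([(crc >> 24) & 0xFF])  # byte 12 = password check byte
    body = ZipCrypto(password).encrypt(header + data)
    fname = name.encode()
    flags, method, dostime, dosdate = 0x0001, 0, 0, 0x21  # bit 0 = encrypted; 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dostime,
                        dosdate, crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                          dostime, dosdate, crc, len(body), len(data), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def strings_from_image(image, min_len=4):
    """Candidate passwords: every printable run of >= min_len bytes (what
    `strings` prints) plus the tokens inside it, deduplicated, in image order."""
    seen, words = set(), []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, image):
        run = m.group(0)
        for w in [run] + re.split(rb"[\s=:;,]+", run):
            if w and w not in seen:
                seen.add(w)
                words.append(w)
    return words


def crack_zip(zip_bytes, candidates):
    """Try each candidate; return (password, {name: plaintext}) or (None, None)."""
    with zipfile.ZipFile(BytesIO(zip_bytes)) as zf:
        for pwd in candidates:
            try:
                files = {n: zf.read(n, pwd=pwd) for n in zf.namelist()}
            except RuntimeError:        # 255/256 wrong guesses fail the check byte
                continue
            except zipfile.BadZipFile:  # the rest pass it and then fail the CRC
                continue
            return pwd, files
    return None, None


# Constructed stand-in for a disk image: filesystem noise around a few strings,
# one of which is the archive's password.
SAMPLE_IMAGE = (b"\x00" * 16 + b"inventory_2004.xls\x00\xff\xfe"
                + b"customer: Mustermann GmbH\x00\x00login=svc-backup\x00"
                + b"pw=Schnitzel04\x00" + b"\x90" * 8 + b"readme.txt\x00")
PASSWORD = b"Schnitzel04"
SECRET = b"well done - you found the message\n"


def demo():
    archive = make_encrypted_zip("secret.txt", SECRET, PASSWORD)
    return crack_zip(archive, strings_from_image(SAMPLE_IMAGE))


if __name__ == "__main__":
    print(demo())
```

The check byte is why most wrong guesses are rejected after twelve decrypted bytes: only about one in 256 wrong passwords gets as far as the CRC check over the whole entry. fcrackzip does the same job against a real wordlist much faster, and ZipCrypto additionally falls to a known-plaintext attack (pkcrack) that needs no password guessing at all if one file of the archive is available in the clear.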

Software packages you might find useful

You might want to look into the following tools:

  • grave-robber (part of The Coroner's Toolkit) - collects volatile and other important data from a live system
  • ddrescue - spiced up dd that keeps going across read errors
  • sleuthkit, autopsy - forensic toolkit (includes icat, the inode cat, ...)
  • fcrackzip - zip password cracker (dictionary and brute force)
  • nasm - Netwide Assembler, ships the ndisasm disassembler
  • e2undel - undelete for ext2
  • ntfstools - NTFS utilities, including undelete
  • bview - nice vim-like hex editor (read-only variant of bvi)
  • bsdmainutils (includes hd), or vim (includes xxd) - hex dumps
  • chntpw - reset Windows passwords, browse the registry

Have a look at the Links page!

Images to look at

Image from a Cash Register

Forensic Imaging Best Practice

1. Get a disk and make sure it has an ID. IDs should look like UU-YYYY-MM-DD-X, where UU is your user ID, YYYY-MM-DD is the date and X is a roman numeral used as a serial number to distinguish several hard disks you image on one day. So I might use something like md-2004-10-04-I as an ID. Write it on the disk with a marker and create a directory with the same name for your evidence data.

2. Connect the disk to your computer. You might want to try removing the original disk from one of our external USB enclosures and putting the disk to image in its place; we find that a direct ("real") IDE or SCSI connection works better. Do not mount the disk or let anything write to it before it has been imaged; all analysis is done on the image.

3. Go to your evidence directory and create a file like md-2004-10-04-I.txt where you note model, serial number, manufacturer, etc. of the hard disk, other noteworthy things, your name and the current time. Then create the image with something like dd if=/dev/hdX of=./md-2004-10-04-I.image and add a checksum of the image (md5sum or sha1sum) to the notes file, so that anyone working on a copy later can check that it is unchanged.

4. Upload your whole evidence directory to

5. Now start analyzing the image, add your observations to the evidence directory and upload the missing parts when done.
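The steps above as one script, added here as an example (my own code, not the lab's): it builds the ID, writes the notes file, images the device with dd and hashes both source and image so the notes carry proof that the copy is faithful. It assumes GNU coreutils (dd, sha256sum, date -u) and, optionally, hdparm for model and serial number; the evidence root ./evidence, the EVIDENCE_ROOT override and the choice of SHA-256 are my assumptions, not the page's. The upload step is left out because the page does not say where the evidence goes.

```shell
#!/bin/sh
# Added example for the imaging procedure above (my script, not from the wiki).
# Assumptions: GNU coreutils (dd, sha256sum, date -u), optional hdparm, and an
# evidence root of $EVIDENCE_ROOT (default ./evidence). The source is a path so
# the same function can be exercised on a plain file.

# Step 1: build the evidence ID UU-YYYY-MM-DD-X from user id, date and roman serial.
evidence_id() {
    printf '%s-%s-%s\n' "$1" "$2" "$3"
}

# Step 3: image the source, write the notes file and record hashes.
# Usage: image_disk ID SOURCE    e.g. image_disk md-2004-10-04-I /dev/hdc
# Prints the path of the image on success.
image_disk() {
    eid=$1
    src=$2
    dir=${EVIDENCE_ROOT:-./evidence}/$eid
    notes=$dir/$eid.txt
    image=$dir/$eid.image
    mkdir -p "$dir" || return 1
    {
        echo "id: $eid"
        echo "source: $src"
        echo "examiner: $(id -un)"
        echo "started: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        # model and serial number can only be read from a real block device
        if [ -b "$src" ] && command -v hdparm >/dev/null 2>&1; then
            hdparm -I "$src" 2>/dev/null | grep -E 'Model Number|Serial Number'
        fi
    } > "$notes"
    # conv=noerror,sync: keep going past unreadable sectors and zero-pad them so
    # offsets stay aligned with the original disk; bs=512 limits the padding to
    # one sector. dd's own record counts and error messages go into the notes.
    dd if="$src" of="$image" bs=512 conv=noerror,sync 2>> "$notes" || return 1
    # Hash source and image and compare, so the notes prove the copy is faithful.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$image" | cut -d' ' -f1)
    printf 'sha256 source: %s\nsha256 image:  %s\n' "$src_hash" "$img_hash" >> "$notes"
    if [ "$src_hash" = "$img_hash" ]; then
        echo "verified: OK" >> "$notes"
    else
        echo "verified: MISMATCH (read errors? see dd output above)" >> "$notes"
        return 2
    fi
    echo "finished: $(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$notes"
    printf '%s\n' "$image"
}

# Stand-alone use: ./image.sh md 2004-10-04 I /dev/hdc
if [ "$#" -eq 4 ]; then
    image_disk "$(evidence_id "$1" "$2" "$3")" "$4"
fi
```

Hashing the source separately means reading the disk a second time; on a large disk, pipe dd's output through tee into sha256sum to get the image hash in the same pass. If the disk has unreadable sectors the two hashes will not match and the notes say so; ddrescue from the tool list above is the better imager in that situation.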

Lab Session today

Today I started with analysing the challenge Max gave us. The first thing I did after checksumming the image was to mount it, extract the three files and use a tool for cracking the Zip archive. After an attack with a word-list didn't work out and I got bored by staring at the screen while the computer was performing a brute-force search for the password, I aborted it when it finished the exhaustive search for passwords of length 5.

Afterwards I tried The Sleuth Kit together with Autopsy to search for deleted or hidden stuff in the filesystem, and it worked quite well. It is always a pleasure to have the right tools (which also includes a hex editor). Overall a nice challenge; I especially liked the hidden motivational messages like "good job" or "well done". :)

In the afternoon I tried to optimise our project from last week, the Java application which displays a wardriving session. Though we worked only two days on it, the program is already better than gpsmap (in my view), or at least it will be once a few missing features are implemented. I didn't manage to speed up the display performance, but I learned that a Java application might keep on running after a NullPointerException.

--Jan Gall