Embed Size (px)
Citation preview
CSI Challenge2012
Provides the backstory behind the crime Provides pertinent information related to the motive
behind the crime Requires the use of 2 software packages:
◦ Forensics Tool Kit (FTK) Version 1.8.0 or 1.8.1
◦ S-Tools Software must be downloaded on your laptop prior to
the competition
Computer Forensics at the CSI Challenge
1. Creating & Opening a Computer Forensics Case 2. Finding Hidden Data in Slack Space or Unallocated
Space 3. Finding a Recently Deleted File4. Finding a File with an Improper File Extension 5. Finding a Stego’d Image or Data Hidden in a JPG File
Evaluation = 5 Critical Skills
How you do it?A. Start FTK and Create a New CaseB. Add evidenceC. Save the case on exiting
Once created you only need to start FTK and open an existing file to continue working on the case
1. Creating & Opening a Computer Forensics Case
A case represents an ‘incident’ You will need to supply:
◦ Name or number of Case◦ Investigator’s name◦ Evidence to be added to the case
New cases can be Created You can Open existing cases previously
created
What is a “Case”?
Should run in “administrator mode”◦ Right-click FTK icon and select “run as administrator”
Or… click properties, and select appropriate option for icon (then you won’t need to repeat each FTK startup)
You may receive a prompt looking for “security device”◦ It’s OK to run without the dongle or security device
USB “dongle” is required to run FTK in “Full Mode” Also might ask for “Code Meter
◦ We’re running in Demo Mode Limits us to 5,000 files in the case, but otherwise fully
functional!
1.A. FTK
Known File Filter◦ Used to “ignore” Known Files◦ OK to load FTK without KFF
KFF Hash Library
Select the appropriate option◦ Generally you’ll either be creating new case or
opening an existing case
Startup
Enter Captions for◦ Case Number
I chose LIPD-2012-0001 Long Island Police Dept., Case 1 of 2012
◦ Case Name Something meaningful
◦ Case Path The folder where case saved on hard drive
The default is the case name
New Case
Enter information about investigator◦ Next screen
Case Log Options◦ Select all options◦ Next screen
Processes to perform◦ Keep default values◦ Next screen
Refine case◦ Accept defaults◦ Next screen
Refine index◦ Accept defaults◦ Next screen
Case setup (cont.)
1.B. Finally… Add Evidence
Click “Add Evidence”
Information to be added to the Case◦ Acquired forensic “image” of Drive
This is a single file, but contains contents of an entire drive!!! Similar to a “zip file” Also referred to as
“image file” Bitstream file Bit-for-bit image file
This “image file” is captured and produced by some forensic software or utility program
Viewed with forensic software which “understands” the file structure It is NOT the same as a GIF or JPEG, which is a PICTURE type of image file and
IS a single file◦ Local Drive (not on CSI 2012)
Attached to the system and addressable as a disk drive For example, the C: or E: disk Could include a CD, DVD, USB, etc..
◦ Contents of a Folder◦ Individual File
What is Evidence
Created earlier by someone using◦ Utility program or Forensic software
Add… Acquired ImageHard Drive “Image files” captured earlier• *.img ending added by
creator• Other endings dependent on software used to create them
Fill in captions◦ Evidence Name/Number
For example, an item number of the evidence list Serial number, if unique
◦ Comments (optional) How acquired or unusual circumstances, etc..
◦ Local Evidence Time Zone -05:00 for NY timezone
Don’t forget about Daylight Savings, if it applies! Used for time comparisons
Adding the Acquired Image File
All Evidence Added.Click “Next”
After clicking “Finish”◦ FTK will Process Files◦ Add them to the case
Finish adding evidence
As part of adding evidence FTK will◦ Keep track of certain items and summarize them◦ Build an “index” of words or terms encountered
Can be used to short-cut a search Can be used to identify words in the entire case
Might provide insight into something not normally considered For example, seeing “gun”, “secret” or “password” as one
of the words in the index
FTK processing added evidence
FTK presents 3 “panes” or “panels” by default◦ Users can configure the placement if desired
FTK provides a list of “summary” buttons with counts◦ Clicking on these can bring up those items in a detail pane so
that you focus on them Bad extensions Image files Deleted files Documents Unknown types Folders Bookmarked items etc
1. Opening a Computer Forensics Case (cont)…what you’ll see
Tabs on the main window◦ Overview◦ Explore◦ Graphics◦ Email◦ Search◦ Bookmark
FTK Panes/Panels
Shows general information about the case◦ Selection in one “pane” shows details in another
“pane” or sub-window
Overview
The “bad extensions” shows 7 files in the bottom pane◦ Selecting one of the files in the bottom pane
shows the contents in the 3rd pane (upper right)
Still in “Overview”
File list contains information about files◦ “X” icon indicates deleted file◦ File extension might indicate one type of file
In reality, another type of file
Overview (cont.)
Shows a “Windows Explorer” style of presentation◦ 3 evidence items seen
Each has sub-items◦ Collapsible or expandable levels
Click on Plus or Minus signs to expand/collapse views Selected item is shown in 3rd pane List of items in the selected item are shown
in bottom (2nd) pane◦ Clicking on one of these will present that item in
the 3rd (top-right) pane
Explore Tab
Icons at top of 3rd pane◦ Alter the “presentation” of data
View as native application Text view Hexadecimal view
◦ It’s the same data, just a different way of viewing it!
Same item… different view of it
The following demonstrates what a user sees if selecting a single file in Explorer Tab
Selecting a single file
Selecting Giants Tickets.doc in Explorer Tab Word document
◦ Really made up of different “components” Selecting the file shows an item list of
components in the file File slack is one of them
Giants Tickets.doc
Shows a pane with thumbnails of images in the currently selected item in your case
Graphics Tab
On the main menu◦ Select “File”
Close Closes the case, remains in FTK
Save Allows you to continue working on the case
Exit Allows you to save (and backup.. Optional) the case Shuts down FTK
1.C. How to exit and save
What is “Slack Space”?◦ It’s disk space which belongs to a file, but is not considered part of
the file’s data Happens because of the way the system allocates disk space to files
◦ How does the system give disk space to a file? By “clusters”… a collection of 1 or more disk “sectors”
A “sector” is 512 bytes (depends on the system) A cluster can be 1, 2, 4, or 8 sectors
Files are written in these clusters, and don’t normally fill up an entire sector or cluster
◦ Two types of “Slack Space” Ram slack
Disk space after the file data and before the end of that sector File slack
Disk space in sectors not used by the file, but belonging to the file
2. Finding Hidden Data in Slack Space
What’s the significance of “slack space”?◦ Contents of RAM slack is generally whatever was
in memory when the file was saved last Might be a password, credit card number, etc.. Or
garbage◦ File slack’s contents can simply be whatever was
left over and not erased when no longer needed by some other file Maybe even another user created that other file
◦ Slack can be used to hide information It’s not visible to users It won’t be “grabbed” by system and overwritten
2. Finding Hidden Data in Slack Space (cont)
In Overview Tab◦ Select Slack/Free Space button
Details pane contains all slack/free space items Full Path describes where that slack space is located
In a specific file◦ It’s part of the file, but not part of the data itself
Comes after the “end of file” marker Do a “search”
◦ Word might appear in “slack”, which might indicate an attempt at hiding something
2. Finding Hidden Data in Slack Space (cont)
Slack: Overview Tab
Start from the “Explore” Tab◦ Locate the file (Giants Tickets.doc)
This file is deleted◦ Highlight the file in Explore
You’ll see: Pane 2 (Lower pane): list of embedded “stuff” in the file,
INCLUDING FileSlack Pane 3 (Upper right): The document as presented by FTK
believing it to be a “Word doc”
◦ Then… in pane 2, select “File Slack” and observe what’s displayed in pane 3
Slack: Specific File
Conduct a search◦ Examine the returned “hits” of the search
Search results (“hits”) indicate where the occurrence was Even if in slack space
Each “hit” also shows the data immediately before and after the “hit” phrase
Slack: Search
Click the SEARCH tab◦ As you type a word or “character string”
Indexed words in case show up◦ Once you’ve found or typed your search term
ADD it to the search You’ll see # of hits You’ll see # of files containing those “hits”
Searching
Select the “hits” for the search item◦ Then “View Item Results”◦ You can use “AND” or “OR” logic when looking for
multiple search items in the same file AND requires all to be present OR requires any one of them to be present
Searching
Indexed vs. Live◦ Indexed
Looks up terms indexed by FTK as evidence was added◦ Live
Looks up a term which wasn’t necessarily in the index built by FTK
Options Text
ASCII UNICODE CASE SENSITIVE REGULAR EXPRESSION
Hexadecimal
Searching
Keep ASCII and Unicode selected◦ They’re both defaults
Default is “ignore case”◦ Won’t care if upper or lower
Will take time◦ Searches the entire case
Regular expressions (NOT IN CSI 2012)◦ A “pattern” to match
Zip code Telephone number Social security number Credit card number
Hexadecimal◦ Look for “non-printable” character values
Live Search
How do you find a deleted file?◦ Overview Tab
Select the summary button for Deleted Files All those files appear in the lower pane
◦ In the Explorer Tab You can view the “directory structure” in the 1st pane Deleted files appear with a red “X” on the icon of the file or folder
◦ Deleted files are often recoverable You need to EXPORT the file
3. Finding a Recently Deleted File
3. Finding a Recently Deleted File (cont)
Why could this be significant?◦ Investigator might recover information the suspect was
attempting to hide or destroy◦ might demonstrate intent to evade detection
It can be demonstrated that a large number of files were deleted Just prior to execution of a search warrant After being interviewed by the police After receiving a call from a victim or conspirator
When taken into account, might provide circumstantial evidence of intent
3. Finding a Recently Deleted File (cont)
How you do it?◦ Overview Tab
Find the Summary Button for “Bad Extensions” Pane 2 lists all those files
◦ Explorer Tab Navigate to the location Pane 2 shows files in that location, with additional information for
each file
4. Finding a File with an Improper File Extension
What is “exporting”?◦ Exporting allows an investigator to
Select a file or files Save them as discrete files to another location outside of the
FTK Case file Why?
◦ Allows investigators to process the exported file “natively” using applications such as Word, Excel, Paint, etc Some files must be processed natively (for example a Stego’d
file must be exported and handled using S-Tools as explained in section 5)
◦ Can burn to a DVD and give to DA or other investigator◦ Allows investigator to consolidate items of interest in one
place and present only those items
Exporting a file
How do you export a file?◦ Select the file (highlight it) in Explorer Tab◦ Right-click on the file, and “Export it”
Exporting a file
How do we find the file?◦ Overview Tab
Click on the “Improper Name” summary button◦ Explorer Tab
In pane 2 (lower pane), improper file extensions will be noted
4. Finding a File with an Improper File Extension
What it means◦ It might be a deliberate attempt to evade detection and hide
information Information might be important
◦ It could also just be a mistake on the part of the user File saved or renamed with the wrong extension
4. Finding a File with an Improper File Extension (cont)
How do I process a file with an “Improper File Extension”?◦ Note the type of file it really should be◦ Export the file◦ Use the appropriate software to view the file, according to the
“real type” of file it is
4. Finding a File with an Improper File Extension (cont)
How you do it?◦ Certain files, such as Windows “BMP” files, can be
“containers”◦ Software such as S-Tools can hide information inside these
“container files”a. Locate a suspected “stego’d” file (the container file)
a. Should be a “BMP” fileb. Export it from FTK’s Case
i. This saves it as a separate file you can then process outside of FTK
c. Use S-Tools to extract the “message file” from the “container file”
i. Password or a passphrase might be required!
5. Finding a Stego’d Image or Data Hidden in a JPEG File
Open S-Tools Drag the “exported” file believed to be a “container
file” into S-Tools
5. Finding a Stego’d Image or Data Hidden in a JPEG File
Right-click the “container” in S-Tools◦ Select “Reveal”◦ When prompted, provide the “passphrase”
Can be a single word or a phrase Could be case sensitive
◦ A “revealed archive” window shows with the hidden file name and size
◦ Select the file in the “Reveal Archive” box Right-click the file you wish to extract from the container
file Save as…
Choose a location You’ve now successfully extracted the hidden message!
5. Finding a Stego’d Image or Data Hidden in a JPEG File (cont)
The result!
5. Finding a Stego’d Image or Data Hidden in a JPEG File (cont)
What it means◦ Definitely a means of evading detection. It’s not accidental!!
1. Data is hidden 2. passphrase might be required
◦ Whoever can be demonstrated to know the passphrase either put the hidden data there, or knew how to retrieve it Guilty knowledge!
5. Finding a Stego’d Image or Data Hidden in a JPEG File (cont)
Best of luck to all CSI Challenge participants!
The End!
