[Dshield] list Digest, Vol 52, Issue 4

pagarb paul.braga at gmail.com
Wed Apr 11 06:10:56 GMT 2007


*Re: contents of list Digest, Vol 52, Issue 4*

Subject: Re: [Dshield] Forensics and hard drives
From: paul.braga at gmail.com

Not sure what "sector clone" means in a forensics context.  The usual
practice is to image the entire drive using something like "dd"; you won't
need a write blocker if you remove the drive and use a Linux system to make
the image.  Hash the original and the image to make sure that they are the
same.

You can then use an open source tool like Helix to do a forensic exam of the
drive.  There are proprietary Windows tools like Encase (about $3000) or FTK
(about $1200) and a few others, but these are probably the most widely
known.

There are also hex editors that can reveal what's in the sectors, but this is
an extremely slow and painful process.  The X-Ways hex editor (about $250)
can speed it up.  A hex editor will reveal just about anything that's there;
in fact, that's how suspect pictures are found.  Encase and FTK aren't used
for this.

That's a quick course in forensics.  There's a lot more to it but there's no
way to conduct a full forensics course here.

If you just want to poke around a disk and have the time, just take any hex
editor you can find (there are plenty of free ones around) and have at it.
You never know what you'll find; it's an extremely slow and boring process, but
it works, and you'll see just about everything that's written to the drive,
even stuff that's supposed to have been deleted; in fact, anything that isn't
written over or is only partially written over.

For purposes of legal process you'll need to take a lot of precautions and
prove the continuity of the chain of evidence.  If that's broken, it's a lost
cause as far as the courts are concerned.  This is where hashing plays a big
part.  It proves that the evidence hasn't been tampered with, if it's done
right and the hashing is done before anything else is done.

But it doesn't sound like this is an issue here.  Bear in mind that if you find
something illegal, the law says you have some responsibility to report it to
the "authorities", depending on what it is.  That assumes you recognize
"illegal" content; it can take someone with specialized training to know what
that means.  I'm not so sure I would recognize it; it covers so many
possibilities.  So the upshot is watch out; the assumption or presumption is
guilty until proven innocent.

If you're familiar with Knoppix you can boot from a CD and do some poking
around too.  It might not recognize what's there but that's when you can
take a hex editor and look at those sectors.

Good luck.
On 4/10/07, list-request at lists.dshield.org <list-request at lists.dshield.org>
wrote:
>
>
> Today's Topics:
>
>    1. Re: Problems with My Reports ? (Freddie Sorensen)
>    2. Forensics and hard drives (Kenneth Coney)
>    3. Re: Forensics and hard drives (Ackley, Alex)
>    4. Re: Forensics and hard drives (Valdis.Kletnieks at vt.edu)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 9 Apr 2007 09:07:13 +0200
> From: "Freddie Sorensen" <freddie at parawebic.com>
> Subject: Re: [Dshield] Problems with My Reports ?
> To: "'General DShield Discussion List'" <list at lists.dshield.org>
> Message-ID: <000501c77a75$b3e57470$1bb05d50$@com>
> Content-Type: text/plain;       charset="iso-8859-1"
>
> Johannes,
>
> Yes, cookies turned on
> No, no proxy
>
> I didn't change anything - it is the same problem from work (XP Pro/IE7) as
> from home (Vista Business/IE7), it worked fine from both places a couple of
> weeks ago
>
> Very strangely - sometimes it works, sometimes it doesn't. Any information I
> can provide to help you spot the problem ?
>
> Freddie
>
> -----Original Message-----
> From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
> On behalf of Johannes Ullrich
> Sent: Sunday, 8 April 2007 22:16
> To: General DShield Discussion List
> Subject: Re: [Dshield] Problems with My Reports ?
>
> Freddie Sorensen wrote:
> > Is it only me or is anybody else experiencing problems accessing the My
> > Reports section ? I am randomly kicked back to the login screen
>
> hm. you got cookies turned on? Are you behind some kind of proxy?
> I did make a couple changes a week ago to harden the sessions a bit.
> Maybe it went too far.
>
>
> >
> > _________________________________________
> >
> > SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses
> > taught by our top rated instructors plus a huge vendor tools expo.
> > Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)
> >
>
>
> - --
> - ---------
> Johannes Ullrich                        http://isc.sans.org
>
> PGP Key: https://secure.dshield.org/PGPKEYS
>
> ------------------------------
>
> Message: 2
> Date: Mon, 09 Apr 2007 13:51:34 -0500
> From: Kenneth Coney <superc at visuallink.com>
> Subject: [Dshield] Forensics and hard drives
> To: list at lists.dshield.org
> Message-ID: <461A8B36.2060608 at visuallink.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Okay, a little off topic I know, but maybe someone here has an idea.
>
> I am examining an XP hard drive the owner gave me to recover deleted
> files and determine if they have been hacked.  I sector cloned it,
> configured the clone as a slave drive, and have done the file recovery,
> but I am a little stumped on where to go from here.  The partitions seem
> normal.  I find no trace of a folder called \windows\internet logs, nor
> any recognizable firewall logs.  I have searched for several types
> (i.e., Symantec, ZoneAlarm, etc.) but find nothing recognizable as a
> firewall log.
>
> I know that if this was a live drive, I would be running netstat, or
> something similar, but it is a slaved disk, so the normal tools won't
> work.   A scan with (current) antivirus software found nothing.  How do
> I determine by saved/recovered file examination the last state of the
> processes, or whether or not any firewall was even in place?  I am told
> an unauthorized person had access to the PC for a day or so, and it is
> believed they configured it to allow a remote access, then later hacked
> in and deleted important data files.  This may be correct as the files
> were suddenly deleted (recovered) and the modifications occurred at a
> time when no one was in the building, but how do I prove it was done
> remotely without configuring the hard drive to boot?  What file should I
> be examining?
>
> A search of stored cookies and Internet Explorer logs found nothing
> usable.
>
> ------------------------------
>
> Message: 3
> Date: Mon, 9 Apr 2007 15:11:09 -0400
> From: "Ackley, Alex" <aackley at epmgpc.com>
> Subject: Re: [Dshield] Forensics and hard drives
> To: "General DShield Discussion List" <list at lists.dshield.org>
> Message-ID: <37F567410F26BC4A9ED7DF519D3B0F3B05F729 at watson.epmgpc.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> You can add the drive as the drive for a virtual server within Microsoft
> Virtual Server 2005 R2 (and I'm sure the same is the case with
> VMWare).  Then boot the virtual server using that drive as its main.  Make
> sure the virtual network adapter only routes internally to the virtual
> environment.  Then you can run all of your tools on it as it is in
> production, but without any method of actually getting out.
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 09 Apr 2007 15:50:58 -0400
> From: Valdis.Kletnieks at vt.edu
> Subject: Re: [Dshield] Forensics and hard drives
> To: General DShield Discussion List <list at lists.dshield.org>
> Message-ID: <4423.1176148258 at turing-police.cc.vt.edu>
> Content-Type: text/plain; charset="us-ascii"
>
> On Mon, 09 Apr 2007 13:51:34 CDT, Kenneth Coney said:
> > Okay, a little off topic I know, but maybe someone here has an idea.
> >
> > I am examining an XP hard drive the owner gave me to recover deleted
> > files and determine if they have been hacked.  I sector cloned it,
> > configured the clone as a slave drive,, and have done the file recovery,
>
> You're halfway there. :)
>
> You want to sector-clone the original disk (preferably using some flavor
> of write-blocker, just in case) to a master work copy.  Then clone the
> master work copy as needed, and use the second-generation clones for any
> actual work.  Doing it this way means that you always have a source other
> than the original disk to clone - that way, you can fire up an image under
> VMWare or whatever, and not feel bad knowing that you're blatting all over
> the image.  You screw up, or just want to try something different, it's
> no biggie - just re-clone the master work copy, go get a cup of coffee
> while it reclones, and then go to it.
>
> I've seen some people use the 'snapshot/revert' function in VMWare in a
> similar fashion - you screw up, you just hit 'revert' and it's undone.  Of
> course, you do this on a 2nd-gen copy.. ;)
>
> ------------------------------
>



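The dd-then-hash step Paul describes and the original -> master work copy -> second-generation clone chain in Valdis's message, as an added shell example that is not code from the thread. The "drive" is a constructed file standing in for a real device, and `hash_file`, `image_disk`, `verify_image` and `make_sample_disk` are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread: dd-image a source device, hash source and
# image, record the hash, and re-verify before working on a clone. The "drive" here is
# a constructed file standing in for /dev/sdX; on a real case, prefer a write blocker.

# SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# image_disk SRC DEST: bit-for-bit copy with dd, then compare hashes.
# Returns 0 and records the hash in DEST.sha256 only when they match.
image_disk() {
    # noerror: keep going past unreadable sectors; sync: zero-pad them so later
    # offsets stay correct. bs must divide the source size (512 always does for a
    # real disk) or the last block is padded and the hashes will not match.
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
    src=$(hash_file "$1"); img=$(hash_file "$2")
    if [ "$src" != "$img" ]; then
        echo "MISMATCH $1 ($src) vs $2 ($img): check dd's error count" >&2
        return 1
    fi
    printf '%s  %s\n' "$img" "$2" > "$2.sha256"
    echo "OK $img $2"
}

# verify_image IMG: recompute the hash and compare with the recorded one.
verify_image() {
    rec=$(cut -d' ' -f1 "$1.sha256") || return 1
    [ "$(hash_file "$1")" = "$rec" ]
}

# make_sample_disk PATH SECTORS: constructed stand-in for a drive, 512 bytes per "sector".
make_sample_disk() {
    i=0
    while [ "$i" -lt "$2" ]; do printf '%-511s\n' "sector $i"; i=$((i+1)); done > "$1"
}

# Workflow from the thread: original -> master work copy -> second-generation
# working clone; only the working clone is ever booted or modified.
main() {
    d=$(mktemp -d)
    make_sample_disk "$d/original.img" 2048      # 1 MiB constructed "drive"
    image_disk "$d/original.img" "$d/master.img" &&
    image_disk "$d/master.img" "$d/work1.img" &&
    verify_image "$d/work1.img" && echo "chain verified: work1 matches original"
    rm -rf "$d"
}
main
```

A hash mismatch after imaging a real disk usually means dd hit unreadable sectors and padded them, so both hashes and dd's error count belong in the case notes rather than being "fixed".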