[Dshield] Forensics and hard drives
superc at visuallink.com
Tue Apr 17 15:54:29 GMT 2007
I thank you for the suggestion. I did indeed get Index.dat Analyzer and
played with it a little. It did find connection evidence on my laptop.
However, like many of the tools I have examined in the past month, it
presumes the path to be examined is C: and doesn't allow examination of
another drive letter. Since my examination is not on a live system,
this will be one of the last tools used.
I do like the Linux tools in Helix, but I become a little frustrated when
trying to export some of the results. Time Analysis tells me
"permission denied, restricted file" every time I try to save the
output, even while I am at root status. Changing the file type from read to
write is ignored. My printer is too new for Linux to even see it.
Aaargh. New PCs lack a serial port, so my old serial modem becomes
useless as an output mechanism. Again, aargh. Paper-and-pen copies of
the entries result.
I do not know why there isn't a similar time analysis tool capable of
examining a slave drive on the Windows side of the Helix CD. I am
acquiring an impressive collection of tools designed for use on live
systems, but only a few designed for examination of a Windows drive
other than C:. I have found several pieces of malware on the suspect drive, so
there is no way I am going to configure it as a boot drive for some time.
Picture examination was a nightmare: 200 gigs, 34,000 JPEG files. I
exported them with an Easeus tool to a different drive and found a cute
free tool called "Disk Detective" that examines images for skin tone and
shape. That cut the workload down to only a few thousand images to look
at. Amazing how many cats flag as pornography colors and shapes.
Smiling babies with faces filling the frame flag too.
Just for kicks I ran a steganalysis tool on the 34,000 images and found
nothing interesting beyond a lot of erased Exif data on the more
interesting images when sector viewing in hex. The Helix Windows tool
for pulling passwords off a C: drive is very impressive. Scary too. It
only missed one password on my laptop but easily found the rest. I look
forward to trying that tool on the subject drive.
I ordered the CD library of file hashes ($90) and will run that file
type exercise too when the CDs arrive. Hopefully by then I will have
figured out a way to make my Autopsy write results to something other
Interesting in that I have yet to find a tool that sees and flags
encrypted virtual drives such as PC Dynamics' "SafeHouse." If I didn't
know it was there, I would never have seen it just by running tools.
Only when viewing the directory do I see it. This raises the
possibility that some of the large encrypted files I have found are
similar utilities. Hopefully the file type hash CDs will identify them.
I suppose that sooner or later I will have to configure the drive as a
C: drive in a dedicated box (hopefully not too different from the one it
came out of, so as to minimize the "found new hardware" writes), but for
now I will stick with the tools designed to forensic a D: or M: slave
drive. I know the remote-access erasure of business files was done, but
with no trace of an active firewall log, I haven't identified the method
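The post's recurring complaints are that the Windows-side tools assume the evidence is C:, that timeline output cannot be written where the examiner wants it, that a hash set is needed to weed out known files, and that nothing flags encrypted container files. The script below is an added example written for this page; it is not code from the original poster, Helix, Autopsy or the hash-set vendor. It walks an evidence tree mounted at any root, hashes every file, marks those whose SHA-1 appears in a hash set (the loader assumes the classic NSRL RDS text layout with a "SHA-1","MD5",... header), flags large files whose sampled Shannon entropy sits near 8 bits/byte (a cheap tell for encrypted containers; the 4 MiB and 7.9 thresholds are assumptions, not tool defaults), and writes a mactime-style CSV timeline to a path of your choosing. The demo volume and hash-set text it builds are constructed sample data.

```python
"""Triage a mounted evidence volume from any root (D:, M:, /mnt/evidence ...).

Added example, not the original poster's tooling. Hash set layout and the
entropy thresholds are assumptions documented inline.
"""
import csv
import hashlib
import io
import math
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

SAMPLE_BYTES = 1 << 20   # entropy is measured on the first 1 MiB of a file only
BIG_FILE = 4 << 20       # assumed: only files of at least 4 MiB are entropy-checked
ENTROPY_FLAG = 7.9       # assumed: bits/byte; encrypted or random data sits at ~8.0

# Assumed header of the classic NSRL RDS NSRLFile.txt layout.
RDS_HEADER = '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"'


def load_hashset(text):
    """Return the lower-case SHA-1 values from RDS-style CSV text."""
    return {row["SHA-1"].lower() for row in csv.DictReader(io.StringIO(text))}


def hash_file(path):
    """MD5 and SHA-1 of a file, streamed so 200 GB volumes do not need RAM."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def shannon_entropy(data):
    """Bits per byte; 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path, known):
    """known / possible-encrypted-container / unknown, plus hashes and entropy."""
    md5, sha1 = hash_file(path)
    if sha1 in known:
        return "known", md5, sha1, None
    entropy = None
    if os.path.getsize(path) >= BIG_FILE:
        with open(path, "rb") as fh:
            entropy = shannon_entropy(fh.read(SAMPLE_BYTES))
        if entropy >= ENTROPY_FLAG:
            return "possible-encrypted-container", md5, sha1, entropy
    return "unknown", md5, sha1, entropy


def iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def scan(root, known, out_csv):
    """Walk ROOT, classify each file, write a CSV timeline sorted by mtime."""
    rows = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path, follow_symlinks=False)
            if os.path.islink(path):
                continue
            verdict, md5, sha1, ent = classify(path, known)
            rows.append({"name": name, "path": os.path.relpath(path, root),
                         "size": st.st_size, "verdict": verdict, "md5": md5,
                         "sha1": sha1, "entropy": "" if ent is None else f"{ent:.3f}",
                         "mtime": iso(st.st_mtime), "atime": iso(st.st_atime),
                         "ctime": iso(st.st_ctime)})
    rows.sort(key=lambda r: r["mtime"])
    with open(out_csv, "w", newline="") as fh:
        w = csv.DictWriter(fh, fieldnames=list(rows[0]) if rows else ["name"])
        w.writeheader()
        w.writerows(rows)
    return rows


def build_demo_tree():
    """Constructed sample volume: one 'known' binary, a note, a random 4 MiB blob."""
    root = tempfile.mkdtemp(prefix="evidence_")
    os.makedirs(os.path.join(root, "Windows"))
    known_blob = b"MZ" + b"\x00" * 200            # stand-in for a vendor binary
    with open(os.path.join(root, "Windows", "notepad.exe"), "wb") as fh:
        fh.write(known_blob)
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("meeting at 10\n" * 50)
    with open(os.path.join(root, "vault.dat"), "wb") as fh:
        fh.write(os.urandom(BIG_FILE))               # mimics an encrypted container
    md5, sha1 = hashlib.md5(known_blob).hexdigest(), hashlib.sha1(known_blob).hexdigest()
    hashset = f'{RDS_HEADER}\n"{sha1}","{md5}","00000000","notepad.exe","{len(known_blob)}","1","WIN",""\n'
    return root, hashset


def run_demo():
    root, hashset = build_demo_tree()
    out = os.path.join(root, "timeline.csv")      # any writable path, not the evidence
    return scan(root, load_hashset(hashset), out), out


if __name__ == "__main__":
    rows, out = run_demo()
    for r in rows:
        print(f'{r["mtime"]}  {r["verdict"]:30} {r["path"]}')
    print("timeline written to", out)
```

For a real case, point `scan()` at the read-only mount of the slave drive and `out_csv` at a separate working disk; the entropy flag is a hint to pull the file up in a hex viewer, not proof of a container, since compressed archives and media score nearly as high.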