[Dshield] Forensics and hard drives

Kenneth Coney superc at visuallink.com
Tue Apr 17 15:54:29 GMT 2007

I thank you for the suggestion.  I did indeed get Index.dat Analyzer and 
play with it a little.  It did find connection evidence on my laptop.  
However, like many of the tools I have examined in the past month it 
presumes the path to be examined is C:, and doesn't allow exam of 
another drive letter.  Since my examination is not on a live system, 
this will be one of the last tools used. 

I do like the Linux tools in Helix, but become a little frustrated at 
trying to export some of the results.  Time Analysis tells me 
'permission denied, restricted file' every time I try to save the 
output, while I am at root status. Changing the file type from read to 
write is ignored.  My printer is too new for Linux to even see it.    
Aaargh..  New PCs lack a serial port so my old serial modem becomes 
useless as an output mechanism.  Again aargh.  Paper and pen copies of 
the entries result.

I do not know why there isn't a similar time analysis tool capable of 
examining a slave drive on the Windows side of the Helix CD.  I am 
acquiring an impressive collection of tools designed for use on live 
systems, but only a few designed for examination of a Windows drive 
other than C:.  I have found several pieces of malware on the suspect drive, so 
there is no way I am going to configure it as a boot drive for some time. 

Picture examination was a nightmare.   200 gigs, 34,000 JPEG files.  I 
exported them with an Easeus tool to a different drive and found a cute 
free tool called "Disk Detective" that examines images for skin tone and 
shape.  That cut the workload down to only a few thousand images to look 
at.  Amazing how many cats flag as pornography colors and shapes.  
Smiling babies with faces filling the frame flag too. 

Just for kicks I ran a steg analysis tool on the 34,000 images and found 
nothing interesting beyond a lot of erased Exif data on the more 
interesting images when sector viewing in hex.   The Helix Windows tool 
for pulling passwords off a C: drive is very impressive.  Scary too.  It 
only missed one password on my laptop but easily found the rest.  I look 
forward to trying that tool on the Subject drive.

I ordered the CD library of file hashes ($90) and will run that file 
type exercise too when the CDs arrive.   Hopefully by then I will have 
figured out a way to make my Autopsy write results to something other 
than RAM. 

Interesting in that I have yet to find a tool that sees and flags 
encrypted virtual drives such as PC Dynamics 'Safehouse.'  If I didn't 
know it was there, just by running tools, I would have never seen it.  
Only when viewing the directory do I see it.  This raises the 
possibility that some of the large encrypted files I have found are 
similar utilities.  Hopefully the file type hash CDs will identify them. 

I suppose that sooner or later I will have to configure the drive as a 
C: drive in a dedicated box (hopefully not too different than the one it 
came out of (so as to minimize the found new hardware writes)), but for 
now I will stick with the tools designed to forensic a D: or M: slave 
drive.  I know the remote access erase business files deed was done, but 
with no trace of an active firewall log, I haven't identified the method 
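
Added example, not part of the original post: one heuristic for flagging candidate encrypted containers on a mounted evidence drive at any path or drive letter, by looking for large files with no recognized header whose bytes look random. The function names, the size and entropy thresholds, and the signature list are assumptions chosen for illustration; whether a given product's container (SafeHouse included) matches this profile is not confirmed here, so a hit only marks a file for closer inspection.

```python
import math
import os
import sys
from collections import Counter

# Headers of common compressed/media formats: high entropy, but not containers.
# Constructed short list for illustration, not exhaustive.
KNOWN_MAGIC = (b"\xff\xd8\xff", b"PK\x03\x04", b"\x1f\x8b", b"\x89PNG",
               b"%PDF", b"Rar!", b"7z\xbc\xaf", b"GIF8", b"RIFF", b"MZ")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path, min_size=1 << 20, sample=1 << 16, threshold=7.9):
    """True if the file is large, has no known header, and samples taken
    from its start, middle and end all look like random data."""
    size = os.path.getsize(path)
    if size < min_size:
        return False
    with open(path, "rb") as fh:  # opened read-only; evidence is never written
        head = fh.read(sample)
        if head.startswith(KNOWN_MAGIC):
            return False
        chunks = [head]
        for offset in (size // 2, max(size - sample, 0)):
            fh.seek(offset)
            chunks.append(fh.read(sample))
    return all(shannon_entropy(c) >= threshold for c in chunks)

def scan(root, **kw):
    """Walk any mount point or drive letter (for example D:\\ or /mnt/evidence)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if looks_encrypted(full, **kw):
                    hits.append(full)
            except OSError:
                continue  # unreadable entry: skip it instead of aborting the scan
    return sorted(hits)

if __name__ == "__main__":
    for hit in scan(sys.argv[1]):
        print(hit)
```

Run it against the evidence drive mounted read-only and redirect the output to a file on a separate working drive.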
