1. Just 4 meeting - Tiago Henriques - Computer Forensics WorkshopIn this booklet you will be given the materials needed to participate in the workshop ofcomputer forensics at the Just 4 Meeting event.During this workshop you will have learn the basic parts of a Computer ForensicInvestigation, and will now work on a set of exercises where you will put in practice whatyou learned.In some parts you will have to try and think outside the box to reach a solution,this is a skill that cannot be taught and you either have it or get it with years ofexperience in the field.The exercises will start on a basic level and increase to a more complex level. Also andvery important when you solve one exercise you will get indication on how toreach the next one.Following is some information that you need to know before starting.With this booklet you will also receive:-A DD image of a Windows XP instalation which was captured from what we will call inthis scenario a Suspect machine. This acquisition was done by inserting a Live-cd ofDEFT linux into the Suspect machine, mounting the Windows XP partition as read-onlyand using the command dd if=/dev/sda conv=noerror,sync bs=65000 | nc192.168.1.45 1337. This will make DD create a bit-image copy of the partition andsend it through netcat to our Acquisition machine where we will type nc -l 1337 | ddof=/home/tiago/evidence/suspect.dd .Depending on the size of the partition we are imaging this process can take from fewminutes to a couple of hours, which is why we wont make you go through it, and provideyou directly with a DD image.So that we dont waste time copying the DD image into the Ubuntu image, I willput the DD file inside the VirtualBox image straight way.Another important point: this was a NTFS partition!-A VirtualBox disk image, this is a simple Linux Ubuntu installation, with some forensictools previously installed into it. Everyone should have VirtualBox installed and in caseyou dont request it and I will provide you with the setup file for your Operating system.You should then import this image into VirtualBox and start the Virtualmachine. Thisvirtual machine will have all the tools needed to finish the exercises given in thisworkshop.List of tools needed to solve exercises (not mandatory to use these feel free to useothers if you prefer):Autopsy-sleuthkitBless Hex editorWinrar - use command rarGeditVLCTotem music playerWiresharktcpdumptcpxtractchaosreader
2. On exercise Number 1 we will simply start Autopsy and have a go at some of thefeatures it has, which is a Web front end for Sleuthkit. For those of you that dont know,Sleuthkit is a set of tools that allows you to analyse volume and file system data.As mentioned before the .DD file will already be located inside the VirtualBox Ubuntuimage. So first thing we have to do is open a command line and start autopsy.root@thor:/home/balgan# autopsy================================================================ Autopsy Forensic Browser http://www.sleuthkit.org/autopsy/ ver 2.21================================================================Evidence Locker: /var/lib/autopsyStart Time: Mon Jun 21 13:13:24 2010Remote Host: localhostLocal Port: 9999Open an HTML browser on the remote host and paste this URL in it: http://localhost:9999/autopsyKeep this process running and use <ctrl-c> to exitWe then follow the on screen instructions and point our browser tohttp://localhost:9999/autopsy
3. If we press New case We are then presented with a page that asks us for someinformation.Case Name - Suspect 1Description - Simple one line description of what this case is aboutInvestigator Name - Tiago HenriquesPress New CaseWe are then presented with:
4. Then we add an Host to this case by pressing the Add Host buttonWe are then asked about the host information:We will then be asked to add the Image related to this host! So we then proceed topoint to the .DD filein the Type we choose DISK.
5. We press NextWe can ignore the file hash in this case .And ADD the imageWe can then explore all the different tools provided to us.In this exercise we will focus on Analyze and file system analysis.When we press file system analysis, we are presented with a view of the C:/
6. In File browsing we can pre-visualize a file. After we find an interesting file we canexport it and use the tools installed on our machine to analyze that file.
7. You can find Exercise 1 Folder located on C:/ Try getting the word file located inside thefolder into your computer (the folder name should be pretty obvious :) ) and open it withan Hex editor and locate Exercise 2.Hex EditorsEverytime you need to analyse the content of a file you will most likely use a Hex Editor!Installed on ur Analysis machine is a Hex editor called Bless!
8. A hex editor is relatively simple to use you can search for different strings this can helpyou locate important bits of information faster!Magic NumbersTo finish this workshop you will be provided with a list of magic numbers, I canguarantee you that to finish this workshop all the magic numbers you will need arelocated in the following list: • JPEG image files begin with FF D8 and end with FF D9. JPEG/JFIF files contain the ASCII code for "JFIF" (4A 46 49 46) as a null terminated string. JPEG/Exif files contain the ASCII code for "Exif" (45 78 69 66) also as a null terminated string, followed by more metadata about the file. • Microsoft Office document files start with D0 CF 11 E0, which is visually suggestive of the word "DOCFILE0". • Wav file magic number - Hex: 52 49 46 46 xx xx xx xx 57 41 56 45 66 6D 74 20 ASCII: RIFF....WAVEfmtWinrarTo extract a file on the command line you can use the command unrar <filename>Wireshark, tcpdump, tcpxtract
9. These are all network forensic tools that should only be used in case we are analysingsome sort of network capture file such as a .PCAP file.Wireshark is a network sniffer but can also work as a visualiser for the .PCAP filestcpdump can extract different sessions from a .PCAP fileandtcpxtract can be used to extract commonly known files such as .TXT, .JPG, .PNG etc fromnetwork captures(.PCAP files).chaosreader can be used to analyse sessions within a .PCAP fileMisc...All the rest of standard tools of Linux are also provided such as, cat,strings, file, andsome others that can be used to finish these exercises faster and more reliably.Exercise 2 -Extract a JPEG out of .DOC file using Hex editor - this jpeg will be text indicatinglocation of files for exercise 3Exercise 3 -This JPEG has a bit more to it then it first appears. And it will help you to find Exercise 4!Exercise 4 -Oh oh a Truecrypt image! Maybe that other file can help me, but what is it ?Exercise 5 -What a weird file, inside it somehow there is the location of exercise 6.Exercise 6 -Somehow recover the file with the address where the meeting is gonna happen.