
Disk forensics


These slides cover the basics of disk forensics. The Sleuth Kit tools are also demonstrated.



  1. Disk Forensics (Chiawei Wang, 2015.10.28)
  2. Today we will go through …
     • Disk forensics (toward the Windows platform)
       • NTFS filesystem
       • Registry
     • The tools used
       • The Sleuth Kit (TSK)
       • Autopsy (GUI wrapper of TSK)
       • samdump2 / pwdump
     • The disk image used
       • WinXP_Course.img, created as a QEMU raw image
  3. Starting from the Source: Disk
     • Given a disk image, where is the targeted (NTFS) partition?
     • Master Boot Record (MBR)
       • Sector 0 of the disk
       • Offsets to the partition table:

         Primary Partition #   Offset (bytes)
         1                     0x1BE
         2                     0x1CE
         3                     0x1DE
         4                     0x1EE

  4. Inspect the Partition Table
     • The NTFS partition of interest starts at the 63rd sector (read from the hex dump of the entry)

       Offset   Field              Values
       +0x00    Bootable           0x00 = do not use for booting, 0x80 = bootable
       +0x00    Partition Type     0x00 = empty, 0x07 = NTFS, 0x83 = Linux native, 0x82 = Linux swap, etc.
       +0x08    Starting Sector    sector offset of the partition
       +0x0C    Size in Sectors

  5. TSK for Disk Partitions
     • mmls <image/device>
       • Display the partition layout of a volume system
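Parsing the MBR partition table described on slides 3 to 5, as an added Python example that is not part of the slides. It builds a constructed 512-byte MBR (not a dump of WinXP_Course.img), reads the four entries at the slide's offsets and prints an mmls-style layout. Inside a 16-byte entry the standard field offsets are: boot flag at +0x00, type byte at +0x04, starting LBA sector at +0x08, size in sectors at +0x0C. The starting sector is the value passed as -o <volume_offset> to the other TSK tools.

```python
import struct

# Offsets of the four primary partition entries in the MBR (from slide 3).
ENTRY_OFFSETS = (0x1BE, 0x1CE, 0x1DE, 0x1EE)
SECTOR_SIZE = 512

# Partition type bytes named on slide 4; anything else is reported as hex.
PARTITION_TYPES = {0x00: "Empty", 0x07: "NTFS", 0x82: "Linux Swap", 0x83: "Linux Native"}


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR (not taken from WinXP_Course.img): a single
    bootable NTFS partition starting at sector 63, 2,097,152 sectors long."""
    mbr = bytearray(SECTOR_SIZE)
    # entry layout: boot flag, CHS start (3 bytes), type, CHS end (3 bytes),
    # LBA start (4 bytes, little-endian), size in sectors (4 bytes)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2097152)
    mbr[ENTRY_OFFSETS[0]:ENTRY_OFFSETS[0] + 16] = entry
    mbr[0x1FE:0x200] = b"\x55\xAA"  # boot signature
    return bytes(mbr)


def parse_mbr(mbr: bytes) -> list[dict]:
    """Return one dict per non-empty primary partition entry (what mmls prints)."""
    if len(mbr) < SECTOR_SIZE or mbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature: not an MBR, or a damaged one")
    partitions = []
    for slot, off in enumerate(ENTRY_OFFSETS, start=1):
        # B = boot flag, 3x = skip CHS start, B = type, 3x = skip CHS end, I = LBA start, I = size
        boot_flag, ptype, start, size = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0x00 and start == 0 and size == 0:
            continue  # empty slot
        partitions.append({
            "slot": slot,
            "bootable": boot_flag == 0x80,
            "type": PARTITION_TYPES.get(ptype, f"0x{ptype:02X}"),
            "start_sector": start,
            "end_sector": start + size - 1,
            "size_sectors": size,
            # the value to pass as -o <volume_offset> to istat/icat/fls (in sectors)
            "volume_offset": start,
        })
    return partitions


def print_layout(partitions: list[dict]) -> None:
    """mmls-style listing of the partition table."""
    print("Slot  Start        End          Length       Type")
    for p in partitions:
        flag = "*" if p["bootable"] else " "
        print(f"{p['slot']:02d}{flag}   {p['start_sector']:010d}   {p['end_sector']:010d}   "
              f"{p['size_sectors']:010d}   {p['type']}")


if __name__ == "__main__":
    print_layout(parse_mbr(build_sample_mbr()))
```

Run against a real image by replacing `build_sample_mbr()` with the first 512 bytes of the file; the `volume_offset` of the NTFS entry is what every `-o` on the following slides expects.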
  6. Autopsy for Disk Partitions (screenshot)
  7. Autopsy for Disk Partitions (screenshot, continued)
  8. Autopsy for Disk Partitions (screenshot, continued)
  9. A Few Tips Before Digging into NTFS
     • The basic allocation unit used by NTFS is called a cluster
     • The key item for NTFS forensics is the MFT, the Master File Table
  10. NTFS Boot Sector @ 63rd Sector

      Offset   Field
      +0x03    OEM ID = "NTFS"
      +0x0B    Bytes per sector
      +0x0C    Sectors per cluster
      +0x54    Bootstrap code [426 bytes]

  11. NTFS Boot Sector @ 63rd Sector

      Offset   Field
      +0x03    OEM ID = "NTFS"
      +0x0B    Bytes per sector
      +0x0C    Sectors per cluster
      +0x30    Cluster number of the MFT
      +0x54    Bootstrap code [426 bytes]

  12. Locate the MFT
      • Bytes per sector = 0x0200
      • Sectors per cluster = 0x04
      • 1 cluster = 2048 bytes = 4 sectors
      • Cluster number of the MFT = 0x03E5A7
      • MFT sector = BaseSector + MFTClusterNo * SecPerCluster = 63 + (0x03E5A7 * 4) = 1021479

        Sector # (dec)   0     63                 1021479
                         MBR   NTFS boot record   MFT ~
        MBR +0x1C6: starting sector of the partition; boot record +0x30: MFT cluster number

  13. Master File Table, MFT
      • The core of NTFS
      • The KEY ITEM for the forensics investigation
      • Each single file or directory has its corresponding MFT entry
      • Entry size
        • File: 2^|0xF6| = 2^10 = 1024 bytes
        • Directory: 2 clusters = 4096 bytes
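The boot-sector fields of slides 10 and 11, the MFT location formula of slide 12 and the record-size decoding of slide 13, as an added Python example that is not the slides' own material. It builds a constructed boot sector carrying the slide's values and decodes it. Two caveats a practitioner will want: bytes per sector is a 16-bit field occupying 0x0B..0x0C, so sectors per cluster is the single byte at 0x0D (the slide labels it 0x0C); and with the slide's inputs the formula 63 + 0x03E5A7 * 4 evaluates to 1021659, while the slide's result 1021479 corresponds to MFT cluster 0x03E57A, so one of those two figures on the slide is a transcription slip. The byte 0xF6 is decoded the way slide 13 describes: a negative signed value n means the record is 2^|n| bytes.

```python
import struct

BASE_SECTOR = 63  # the NTFS partition on the slides starts at sector 63


def build_sample_boot_sector() -> bytes:
    """Constructed NTFS boot sector carrying the values quoted on the slides
    (0x200 bytes/sector, 4 sectors/cluster, $MFT at cluster 0x03E5A7, MFT record
    size byte 0xF6, index record size 2 clusters). Not a dump of WinXP_Course.img."""
    bs = bytearray(512)
    bs[0x03:0x0B] = b"NTFS    "                 # OEM ID
    struct.pack_into("<H", bs, 0x0B, 0x0200)    # bytes per sector (16-bit field: 0x0B..0x0C)
    bs[0x0D] = 0x04                             # sectors per cluster
    struct.pack_into("<Q", bs, 0x30, 0x03E5A7)  # logical cluster number of $MFT
    struct.pack_into("<Q", bs, 0x38, 0x1F2D3)   # LCN of $MFTMirr (constructed value)
    bs[0x40] = 0xF6                             # clusters per MFT record (signed byte)
    bs[0x44] = 0x02                             # clusters per index record
    bs[0x1FE:0x200] = b"\x55\xAA"
    return bytes(bs)


def record_size(raw: int, cluster_size: int) -> int:
    """Decode a 'clusters per record' byte. Positive: a cluster count.
    Negative (two's complement): the size is 2 ** |value| bytes, which is how
    0xF6 = -10 encodes a 1024-byte MFT record on a 2048-byte-cluster volume."""
    value = raw - 256 if raw > 127 else raw
    return 2 ** (-value) if value < 0 else value * cluster_size


def parse_ntfs_boot_sector(bs: bytes, base_sector: int = BASE_SECTOR) -> dict:
    """Pull the geometry needed to reach the MFT; base_sector is the partition's start."""
    if bs[0x03:0x07] != b"NTFS":
        raise ValueError("OEM ID is not NTFS")
    bytes_per_sector = struct.unpack_from("<H", bs, 0x0B)[0]
    sectors_per_cluster = bs[0x0D]
    cluster_size = bytes_per_sector * sectors_per_cluster
    mft_cluster = struct.unpack_from("<Q", bs, 0x30)[0]
    mftmirr_cluster = struct.unpack_from("<Q", bs, 0x38)[0]
    # MFT sector = BaseSector + MFTClusterNo * SecPerCluster (the slide's formula)
    mft_sector = base_sector + mft_cluster * sectors_per_cluster
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "mft_cluster": mft_cluster,
        "mft_sector": mft_sector,
        "mft_byte_offset": mft_sector * bytes_per_sector,
        "mftmirr_sector": base_sector + mftmirr_cluster * sectors_per_cluster,
        "mft_record_size": record_size(bs[0x40], cluster_size),
        "index_record_size": record_size(bs[0x44], cluster_size),
    }


if __name__ == "__main__":
    for key, value in parse_ntfs_boot_sector(build_sample_boot_sector()).items():
        print(f"{key:20s} {value}")
```

`mft_byte_offset` is the value to seek to in the raw image; `mft_record_size` is how many bytes to read per entry when you walk the MFT by hand instead of through istat.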
  14. MFT Entry
      • Entry format
      • The first few entries are pre-defined (partially listed)

        MFT Entry #   Name        Description
        0             $MFT        Self-reference
        1             $MFTMirr    Backup of $MFT
        …
        5             .           Root directory
        6             $Bitmap     Clusters in use / free
        7             $Boot       Boot record
        8             $BadClus    Clusters with bad sectors
        …

      (Carrier B. (2005, March 17). File System Forensic Analysis. Addison Wesley Professional)
  15. TSK for MFT Entry Info.
      • istat -o <volume_offset> <image> <MFT_entry#>
  16. Autopsy for MFT Entry Info. (screenshot)
  17. Attribute of MFT Entry
      • Attribute header

        Offset   Field
        0        Type #
        4        Length of attribute
        8        Non-resident flag
        9        Length of name
        10       Offset to name
        12       Flags
        14       Attribute ID
        16       (end of the common header)

      • Attribute types (partially listed)

        Type #   Name                    Description
        0x10     Standard Information    access mode, timestamps, link count
        0x30     File Name               file name
        0x80     Data                    file data
        0x90     Index Root              used for directories
        …

  18. File Name Attribute
      • An MFT entry may have two File Name attributes
        • Long name & short name
        • e.g. Program Files & PROGRA~1
  19. DATA Attribute
      • Resident
        • The data content is stored inside the MFT entry
        • Most likely a file < 700 bytes
      • Non-resident
        • The data content is stored in other clusters, which are recorded by the “Run List”
        • e.g. istat on a file with non-resident data (screenshot showing the run list)
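Decoding the run list of a non-resident DATA attribute (slide 19) and converting between disk sectors and clusters, the step that sits in front of every blkcat/ifind -d call on the following slides, as an added Python example that is not from the slides. The run-list bytes are constructed; BASE_SECTOR 63 and 4 sectors per cluster are the slide's volume values.

```python
from __future__ import annotations

BASE_SECTOR = 63          # first sector of the NTFS volume on the slides
SECTORS_PER_CLUSTER = 4   # from the slide's boot sector values

# Constructed run list (not from the slide's image). Each run starts with a
# header byte: low nibble = size of the length field, high nibble = size of the
# offset field. The offset is a signed delta from the previous run's LCN; an
# offset size of 0 marks a sparse run. A 0x00 header terminates the list.
SAMPLE_RUNLIST = bytes.fromhex("21 18 34 56" "11 30 20" "01 05" "00")


def decode_data_runs(runlist: bytes) -> list[tuple[int | None, int]]:
    """Return [(starting LCN, or None for a sparse run), length in clusters), ...]."""
    runs = []
    pos = 0
    lcn = 0  # every LCN after the first is relative to the previous run
    while pos < len(runlist) and runlist[pos] != 0x00:
        header = runlist[pos]
        pos += 1
        len_size, off_size = header & 0x0F, header >> 4
        if len_size == 0 or pos + len_size + off_size > len(runlist):
            raise ValueError(f"malformed run header 0x{header:02X} at byte {pos - 1}")
        length = int.from_bytes(runlist[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, length))  # sparse: no clusters on disk
            continue
        lcn += int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
        pos += off_size
        runs.append((lcn, length))
    return runs


def cluster_to_sector(lcn: int, base: int = BASE_SECTOR, spc: int = SECTORS_PER_CLUSTER) -> int:
    """Absolute disk sector of the first sector of a volume cluster."""
    return base + lcn * spc


def sector_to_cluster(sector: int, base: int = BASE_SECTOR, spc: int = SECTORS_PER_CLUSTER) -> int:
    """Volume cluster containing an absolute disk sector (what ifind -d wants)."""
    return (sector - base) // spc


def lcn_to_vcn(runs: list[tuple[int | None, int]], lcn: int) -> int | None:
    """Which virtual cluster (offset within the file) does disk cluster lcn hold?
    None if the cluster is not part of this attribute."""
    vcn = 0
    for start, length in runs:
        if start is not None and start <= lcn < start + length:
            return vcn + (lcn - start)
        vcn += length
    return None


if __name__ == "__main__":
    runs = decode_data_runs(SAMPLE_RUNLIST)
    vcn = 0
    for lcn, length in runs:
        if lcn is None:
            print(f"VCN {vcn}-{vcn + length - 1}: sparse")
        else:
            print(f"VCN {vcn}-{vcn + length - 1}: LCN {lcn}-{lcn + length - 1}, "
                  f"disk sectors {cluster_to_sector(lcn)}-{cluster_to_sector(lcn + length) - 1}")
        vcn += length
    print("disk sector 408052 lies in volume cluster", sector_to_cluster(408052))
```

The sector ranges printed per run are exactly what to hand to blkcat to dump the file body cluster by cluster, and `sector_to_cluster` turns a damaged disk sector into the cluster number that `ifind -d` maps back to an MFT entry.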
  20. Autopsy for Data Inspection (screenshot)
      • C:\boot.ini (MFT entry# 3605)
  21. TSK for Data Inspection
      • C:\boot.ini (MFT entry# 3605)
      • icat -o <volume_offset> <image> <MFT_entry#>
  22. Autopsy for Raw Cluster Inspection (screenshot)
  23. TSK for Raw Cluster Inspection
      • blkstat -o <volume_offset> <image> <cluster_no>
      • blkcat -o <volume_offset> <image> <cluster_no>
  24. Autopsy – MFT entry# → File name (screenshot)
  25. TSK – MFT entry# → File name
      • Known MFT entry#
        • ffind -o <volume_offset> <image> <MFT_entry#>
      • Known file name
        • ifind -o <volume_offset> <image> -n <fname>
  26. Autopsy – Cluster No → File name (screenshot)
  27. TSK – Cluster No → File name
      • Known cluster no
        • ifind -o <volume_offset> <image> -d <cluster_no>
  28. Why Not Just Autopsy?
      • Knowing the underlying commands gives you the flexibility to customize your forensics process.
  29. Practice – Which file is broken?
      • Oh my gosh, sector 408,052 seems to be broken. I wanna figure out which file got shot. Submit your key in BAMBOOFOX{FULL_PATH_FILE_NAME}
      • Hint: remove the drive letter and replace “\” with “/”, e.g. C:\aaa\bbb\ccc.txt → /aaa/bbb/ccc.txt
  30. Now the Basics Are Introduced
      • Time to consider some forensics scenarios
        • Alternate Data Stream
        • Deleted File Recovery
        • Timestamp Forgery
      • Advanced
        • $BadClus Forgery
        • Slack
  31. Alternate Data Stream
      • ADS allows more than one data stream to be associated with a file name.
      • Alternate streams are not listed in Windows Explorer, and their size is not included in the associated file's size.
  32. How Does NTFS Store ADS?
      • Recall the attribute header (slide 17)
      • Generally, a file is named by the “File Name” attribute.
      • A “Data” attribute that carries a name of its own is the alternate stream and can be distinguished that way.
      • e.g. istat on a file that includes an ADS (screenshot)
  33. Create and Read ADS Data
      • The ADS can be created/retrieved by filename:ads_name
  34. Practice – Find ADS
      • Read the ADS data as the key to submit in BAMBOOFOX{ADS_DATA}
  35. What Happened to the Deleted File?
      • Recall the MFT entry

        MFT_Entry_Header {
          …
          +0x16 Flags
          …
        }

        Flag value   Description
        0x00         Deleted File Entry
        0x01         File Entry
        0x02         Deleted Dir Entry
        0x03         Dir Entry

  36. Hope for Deleted Files
      • The content is not erased; the MFT entry is simply tagged unallocated.
      • NTFS reuses free MFT entry numbers backward.
      • A file with a shorter lifetime is harder to recover.
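An MFT entry parser covering the attribute header of slide 17, the named $DATA attribute that holds an ADS (slide 32) and the entry flags at +0x16 (slides 35 and 36), as an added Python example that is not part of the slides. The record it parses is constructed here (the record number 3605 and the name boot.ini are reused from the slides as labels; the bytes are made up and not read from WinXP_Course.img), so the example also shows applying the update-sequence fixups that a raw record pulled out with blkcat needs before its attributes can be walked.

```python
import struct

RECORD_SIZE = 1024  # MFT record size on the slide's volume (2^|0xF6| bytes)
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA", 0x90: "$INDEX_ROOT"}
# Entry header flags at +0x16 (slide 35)
ENTRY_STATES = {0x00: "Deleted File Entry", 0x01: "File Entry", 0x02: "Deleted Dir Entry", 0x03: "Dir Entry"}


def resident_attr(attr_type: int, name: str, content: bytes, attr_id: int) -> bytes:
    """Build one resident attribute: the 16-byte common header of slide 17, the
    8-byte resident sub-header, the optional UTF-16LE name, then the content."""
    name_bytes = name.encode("utf-16-le")
    name_off = 0x18
    content_off = (name_off + len(name_bytes) + 7) & ~7      # 8-byte aligned
    length = (content_off + len(content) + 7) & ~7
    # type, length, non-resident flag, name length (chars), name offset, flags, attribute id
    hdr = struct.pack("<IIBBHHH", attr_type, length, 0, len(name), name_off if name else 0, 0, attr_id)
    hdr += struct.pack("<IHBB", len(content), content_off, 0, 0)  # content length/offset, indexed, pad
    body = bytearray(length)
    body[:len(hdr)] = hdr
    body[name_off:name_off + len(name_bytes)] = name_bytes
    body[content_off:content_off + len(content)] = content
    return bytes(body)


def build_sample_entry() -> bytes:
    """Constructed in-use file record with an unnamed $DATA stream plus one ADS
    named 'hidden'. Only record number 3605 and the name boot.ini echo the slides."""
    rec = bytearray(RECORD_SIZE)
    attrs = b"".join([
        resident_attr(0x10, "", bytes(48), 0),                                   # timestamps left zero
        resident_attr(0x30, "", bytes(66) + "boot.ini".encode("utf-16-le"), 1),  # $FILE_NAME body
        resident_attr(0x80, "", b"[boot loader]\r\ntimeout=30\r\n", 2),          # the visible stream
        resident_attr(0x80, "hidden", b"constructed ADS payload", 3),            # named $DATA = ADS
    ]) + b"\xff\xff\xff\xff"                                                     # end-of-attributes marker
    first_attr = 0x38
    rec[first_attr:first_attr + len(attrs)] = attrs
    # signature, fixup array offset/count, LSN, sequence no, link count, first attribute offset,
    # flags (0x01 = in-use file), used size, allocated size, base record, next attr id, pad, record no
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 0x30, 3, 0, 1, 1, first_attr, 0x01,
                     first_attr + len(attrs), RECORD_SIZE, 0, 4, 0, 3605)
    usn = b"\x01\x00"
    rec[0x30:0x32] = usn
    for i in range(RECORD_SIZE // 512):           # fixups: last 2 bytes of each sector hold the USN
        end = (i + 1) * 512 - 2
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)


def apply_fixups(record: bytes) -> bytes:
    """Restore the real last two bytes of every sector from the fixup array; a
    mismatch means a torn write or a wrong record size, so stop rather than guess."""
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(usa_count - 1):
        end = (i + 1) * 512 - 2
        if rec[end:end + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i}")
        rec[end:end + 2] = rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i]
    return bytes(rec)


def parse_mft_entry(record: bytes) -> dict:
    """Decode the header state and walk the attribute chain until the 0xFFFFFFFF marker."""
    if record[:4] != b"FILE":
        raise ValueError("no FILE signature: not an MFT entry")
    rec = apply_fixups(record)
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    entry = {"record_number": struct.unpack_from("<I", rec, 0x2C)[0], "flags": flags,
             "state": ENTRY_STATES.get(flags, f"0x{flags:04X}"),
             "in_use": bool(flags & 0x01), "is_dir": bool(flags & 0x02), "attributes": []}
    pos = first_attr
    while pos + 16 <= len(rec):
        atype, length, non_res, name_len, name_off, _aflags, aid = struct.unpack_from("<IIBBHHH", rec, pos)
        if atype == 0xFFFFFFFF or length == 0:
            break
        name = rec[pos + name_off:pos + name_off + 2 * name_len].decode("utf-16-le") if name_len else ""
        attr = {"type": atype, "type_name": ATTR_NAMES.get(atype, f"0x{atype:X}"), "name": name,
                "resident": non_res == 0, "id": aid, "content": None}
        if non_res == 0:                        # resident: content follows inside the entry
            clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            attr["content"] = rec[pos + coff:pos + coff + clen]
        entry["attributes"].append(attr)
        pos += length
    return entry


def alternate_data_streams(entry: dict) -> list[str]:
    """A $DATA attribute with a name of its own is an ADS (slide 32)."""
    return [a["name"] for a in entry["attributes"] if a["type"] == 0x80 and a["name"]]


if __name__ == "__main__":
    e = parse_mft_entry(build_sample_entry())
    print(f"entry {e['record_number']}: {e['state']}")
    for a in e["attributes"]:
        print(f"  {a['type_name']:22s} name={a['name']!r} resident={a['resident']}")
    print("alternate data streams:", alternate_data_streams(e))
```

For a deleted file the same walk works unchanged: the flags word reads 0x00 and the attributes, including a resident $DATA body, are still in place until the entry is reused, which is what the recovery on the next slides relies on.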
  37. Autopsy – List Deleted Files (screenshot)
  38. TSK – List Deleted Files
      • fls -o <volume_offset> <image> -d <DIR_MFT_entry#>
      • Recursive traversal
        • fls -o <volume_offset> <image> -r -d <DIR_MFT_entry#>
  39. Practice – Recover Deleted Data
      • Find the key
  40. Timestamp Forgery
      • Suppose that a malware infects a system and drops some files pretending to be system built-in ones.
      • A naïve approach is to check the timestamps of files in the system directory.
      • BUT! NTFS has some glitches.
        • When a file is cut-and-pasted to replace another file, the timestamp of the replaced one is inherited.
  41. Two Timestamps as a Chance
      • There are actually two sets of timestamps in MFT entries
        • “Standard Information” attribute
        • “File Name” attribute

      (S. H. Mahant and B. B. Meshram, “NTFS Deleted Files Recovery: Forensics View,” International Journal of Computer Science and Information Technology & Security, 2012)
  42. The Commonly Seen Is Not the Truth
      • Windows Explorer and most disk viewer tools show the timestamps from “Standard Information”.
      • Now you have something more powerful: look inside the attributes of MFT entries.
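Comparing the two sets of timestamps from slides 41 and 42 to spot a forged “Standard Information” attribute, as an added Python example that is not from the slides. The two attribute bodies are constructed; the anomaly rules it applies (a Standard Information creation time earlier than the File Name creation time, and Standard Information values with a zero sub-second fraction) are the usual timestomping indicators and are not stated on the slides.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100 ns intervals since 1601
FIELDS = ("created", "modified", "mft_modified", "accessed")


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_standard_information(body: bytes) -> dict:
    """$STANDARD_INFORMATION (type 0x10): four FILETIMEs starting at offset 0."""
    return dict(zip(FIELDS, struct.unpack_from("<4Q", body, 0)))


def parse_file_name_times(body: bytes) -> dict:
    """$FILE_NAME (type 0x30): an 8-byte parent reference, then the same four FILETIMEs."""
    return dict(zip(FIELDS, struct.unpack_from("<4Q", body, 8)))


def timestamp_anomalies(si: dict, fn: dict) -> list[str]:
    """Flag the patterns that distinguish a tampered $SI from normal file activity."""
    findings = []
    # $FILE_NAME times are written by the file system when the entry is created or
    # moved and cannot be set through the Win32 file-time API, so an $SI creation
    # time older than the $FN creation time is not something normal use produces.
    if si["created"] < fn["created"]:
        findings.append("SI created predates FN created")
    # Tools that set times with one-second granularity leave the 100 ns fraction at zero.
    for field in FIELDS:
        if si[field] and si[field] % TICKS_PER_SECOND == 0:
            findings.append(f"SI {field} has a zero sub-second fraction")
    return findings


def build_sample() -> tuple:
    """Constructed attribute bodies (not from the slide's image): the $FN times say
    27 Oct 2015 15:04 (the incident time quoted on the practice slide, taken as UTC
    here) while $SI claims a whole-second 2004 creation time, as a forging tool would
    set it. $SI mft_modified keeps the real time because the API cannot change it."""
    fn_time = datetime_to_filetime(datetime(2015, 10, 27, 15, 4, 12, 345678, tzinfo=timezone.utc))
    si_time = datetime_to_filetime(datetime(2004, 8, 4, 12, 0, 0, tzinfo=timezone.utc))
    si_body = struct.pack("<4Q", si_time, si_time, fn_time, si_time) + bytes(16)
    fn_body = struct.pack("<Q4Q", 0x0005000000000005, fn_time, fn_time, fn_time, fn_time) + bytes(24)
    return si_body, fn_body


if __name__ == "__main__":
    si_body, fn_body = build_sample()
    si, fn = parse_standard_information(si_body), parse_file_name_times(fn_body)
    for field in FIELDS:
        print(f"{field:13s} SI={filetime_to_datetime(si[field]).isoformat()}  "
              f"FN={filetime_to_datetime(fn[field]).isoformat()}")
    for finding in timestamp_anomalies(si, fn):
        print("ANOMALY:", finding)
```

Feed the two bodies from a real entry (istat prints both sets; a raw record gives them as the contents of the 0x10 and 0x30 attributes) and the same comparison applies.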
  43. Practice – Find the Disguised File
      • Help!! I got hacked on 27 Oct. 2015 at 03:04 PM
      • TA made a typo...囧rz
        • Please fix the prefix word BAMOOFOX to BAMBOOFOX when you find the key
      • Hint: VMware is handy
  44. Advanced Disk Forensics Tasks
      • $BadClus forgery
        • Modify the $BadClus metafile to mark certain clusters as broken to hide the secret data.
      • Slack
        • The remnant space after the cluster allocation is used to hide the secret data.
  45. Registry
      • The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the Registry. The kernel, device drivers, services, Security Accounts Manager (SAM), and user interface can all use the Registry. (https://en.wikipedia.org/wiki/Windows_Registry)
  46. First View of the Registry (screenshot)
      • Key, Value Name, Type, Value Data
  47. Registry Root Keys

      Name                  Abbreviation   Description
      HKEY_CLASSES_ROOT     HKCR           File name extension associations
      HKEY_CURRENT_USER     HKCU           Currently logged-in user settings and profiles
      HKEY_LOCAL_MACHINE    HKLM           System-wide hardware settings and OS configuration
      HKEY_USERS            HKU            Per-user settings and profiles
      HKEY_CURRENT_CONFIG   HKCC           Hardware information gathered at boot time

  48. Where Are They?
      • Basically, the registry is an in-memory database. Only certain keys have physical disk files, called hive files.
      • A hive parser can be used against these files to perform offline forensics tasks.

        Registry Key                  Hive File
        HKEY_USERS                    Documents and Settings\<User Profile>\NTUSER.DAT
        HKEY_USERS\.DEFAULT           WINDOWS\system32\config\default
        HKEY_LOCAL_MACHINE\SAM        WINDOWS\system32\config\SAM
        HKEY_LOCAL_MACHINE\SECURITY   WINDOWS\system32\config\SECURITY
        HKEY_LOCAL_MACHINE\SOFTWARE   WINDOWS\system32\config\software
        HKEY_LOCAL_MACHINE\SYSTEM     WINDOWS\system32\config\system

  49. Forensics on the Registry
      • System startup operation
      • Recent operation
      • Shell injection
      • User account
  50. System Startup Operation
      • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
      • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
      • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
      • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
  51. Recent Operation
      • Most Recently Used (*MRU), e.g.
        • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
        • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
        • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
      • Recent*, e.g.
        • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
      • Browser, e.g.
        • HKCU\Software\Microsoft\Internet Explorer\TypedURLs
  52. Shell Injection
      • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
        • Shell = Explorer.exe %system%\system32\.exe (injected by Kwbot malware)
      • HKCR\<XXX_FILE>\shell\open\command
  53. User Account
      • The user accounts and the hashed passwords can be found in the SAM hive.
      • Windows further obfuscates the SAM hive with the syskey (bootkey), composed by a permutation of
        • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\JD
        • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Skew1
        • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Data
        • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\GBG
  54. Extract the Hashed Password
      • Two hives are required
        • SYSTEM, for syskey (bootkey) extraction
        • SAM, for password hash extraction
      • Tools available
        • samdump2 SYSTEM_HIVE SAM_HIVE
        • pwdump SYSTEM_HIVE SAM_HIVE
  55. Practice – Reveal the Admin Password
      • Get the admin’s password as the key to submit in BAMBOOFOX{ADMIN_PASSWD}
