This document summarizes a digital forensics case discussion between two security experts, Anton and George. They describe recovering data from a damaged hard drive image to help an employee named Anna avoid legal trouble. Techniques discussed include recovering the partition table, system files to obtain machine details, searching for malware, and analyzing a keylogger log file. Ultimately they were able to obtain secret key files that were potentially used in a crime, helping resolve Anna's case.

1. Digital forensics(intro)
By Anton Kalinin & George Lagoda
Feb 15, 2014

2. /whoami
Anton Kalinin
 Malware analyst
 Interests: bad toilet selfie
Work at . . .

3. /wh0x41mi
George Lagoda
 Security expert
 Pentester
 Interests: [deep|web]penetrations,
revers, forensics,
Work at . . .

4. Digital forensics, The.
[quote]
Digital forensics (sometimes known as
digital forensic science) is a branch of forensic
science encompassing the recovery and
investigation of material found in digital devices,
often in relation to computer crime.
[/quote]

5. What itz all about?

6. What we going to talk about
• Data recovery
• Evidence detection
• Group-ib Olympic case discussion
• Some tools discussion
Basically we just goin to run through one more
or less real interesting case and discuss
techniques and tools we used…

7. Why do we need data recovery?

8. Why also we need data recovery
• Damaged discs
• Damaged images
• Deleted files
• Something encrypted
• Something partially missing
• Something damaged by malware
[…]
All these things can omit evidence of crime

9. What can be restored
• MBR
• Partition table
• Encrypted volume
• Private pgp key, certificates,etc..
• Files/audio/video…..
Why? Because it is still text with headers,
structure, etc…
How? TOOLS. Coming up later…

10. Can I haz cheezburger now?
Group-ib image
E01 format (Elcomsoft – making expensive but
not very fast forensics software.)
Image damaged
40 gb of unallocated space
No partition table
1 employee does not want go to jail.
Can we help to Anna?

11. And do u want to help her in that case?


12. Scanning disc with R-Studio

13. Trying to access to file system

14. Tasks for helping Anna
• Find all partitions, their fs, size
• Find system info : OS versions, system time, machine name,
last power off time
• All user accs
• Autorun progs
• All email addresses
• Storage of secret key for digital signature, and is there
anything telling about compromising this key
• Antivirus software, malware detections, rdp connections,
other people involved, their mails, malware on the disc,
and some additional info about incident on disc…

15. Finding all partitions with disk internal partition
recovery

16. Gathering system info
• Recovering files from
WindowsSystem32config
– System, Software, Security, Sam,
• Recovering NTUSER.dat from
Users[username]
• Downloading MiTec Windows Registry
Recovery(www.mitec.cz/wrr.html)
• Obtaining system info

17. searching malware
• - autoruns
• - %temp%
• - %windir% or %systemdir%
• - java cache
• - downloads :)
so on

18. Malware Analysis
• fast way - monitors:
- procmon
- wireshark
- total uninstall
• my way:
- hiew + ida

19. Anna's case. Found malware:
• Mipko keylogger (already in AV’s bases)
• KIS quarantined file
• xls.exe (drops xls+rdptool+installer)
it's enough to do bad stuff

20. Dropper.xls .exe

21. So now we have
Windows 7 Ultimate
Product ID: 00426-OEM-8992662-00400
KEY: 342DG-6YJR8-X92GV-V7DCV-P4K27 Version: Multiprocessor
Free 6.1.7601.win7sp1_gdr.120330-1504
install date: 12.04.2013 17:09:15
With users :

22. Finding autorun with WRR

23. Secret key storage
Recovering files and installing GNU4WIN on VM.
Placing recovered files in the same folder on VM
Opening Kleopatra

24. Obtaining secret key

25. We need to find TC passwd and check on this
secret file. Possible way is to look for keylooger
and dig for logs or screens

26. Potential TC container

27. Keylogger’s log

28. TC cracked

29. What we have?
• System was compromise
• Attackers obtained all passwd and key files to
perform crime
• Anna will be ok. Don’t worry.

30. Y.O.B.A. hacking
The end.