Friday, March 30, 2012

FORENSICS EXAMINERS INTRODUCTION FOR LINUX

In this chapter I will try to extend my knowledge and skill in computer forensics (digital forensics). It uses the BackTrack forensics tools, utilities that make imaging and basic analysis of suspect disks and drives comparatively easy. These tools are: dd, sfdisk and fdisk, grep, the loop device, md5sum and sha1sum, file and xxd.

Analysis organization
This is only an introduction to computer forensics, but most of the work you will do here can be applied to actual casework. The practice floppy is in raw image format (from a simple dd); create the practice floppy with the following command. The first practical uses the image "practical.floppy.dd".

Create image from floppy
One way of organizing your data is to create a directory in your home directory for evidence and then a subdirectory for each case. Since we will be executing these commands as root, the home directory is /root:
Create directory
The tilde (~) in front of the directory name is shorthand for “home directory”, so when I type ~/evid, it is interpreted as $HOME/evid. If I am logged in as root, the directory will be created as /root/evid. We also need another directory as a special mount point for all subject file system analysis; this keeps the evidence separate from the system used to process it.

Create analysis directory
Determining the structure of the disk
We can get the partition information on that disk with:
Partition information from an ATA (SATA) hard disk
We can redirect the output of this command to a file for later use by issuing the command as:
Redirect output to a file
An output file named fdisk.fdisk1 will be created in /root/evid. If you use fdisk on the floppy you will get strange output. That output will only confuse you: the fdisk command works by examining the partition table in the first sector (0) of a device, and a floppy has no partition table. So don't use fdisk on the practice floppy.

Creating a forensic image of the suspect disk
Use dd to create the image of the disk.
Create Image
Change the read-write permissions of your image to read-only.
Permissions
The image file has been created; now restore the image to another disk to make a "clone" of the original disk.
Put in another (blank) floppy
Mounting a restored image
Assume this is a DOS formatted disk from a Win 98/95 machine. When mounting the image on /mnt/analysis, some mount options are used to protect the disk and the system: the "-o ro,noexec" option sets ro (read-only) and noexec, which prevents the user from executing anything on the mounted file system.
Mount
You can check by looking at the contents of the image file. Be sure to unmount the disk when you finish.
Unmount when finished
Mounting the image using the loopback device
Another way to view the contents of the image without having to restore it to another disk is to mount it using the loop interface.
Mounting using loopback

After mounting you can browse the contents of the file system, and when you have finished looking at the contents you must unmount the disk image.
Unmount
File Hash
Use sha1sum to hash the image file. This is an important step to verify the integrity of the data.
Hashing
The redirection in the second command allows us to store the signature in a file and use it for verification later on. We can get a very useful list of SHA hashes for every file on a disk by loop mounting the image again, changing to the /mnt/analysis directory, and using the find command with an option that executes a command on each file found.
Find
Look at the resulting hash file using the cat command, which streams the file to standard output.
Using cat on the hash file
Then verify the integrity of the data from the cloned disk image with the -c option. To read more about hashing and this command, see my previous post on this blog about hashing. If the SHA hashes match you get a report like this.
Report: hashes match
The Analysis
Use the ls command to see the contents of the image disk in the directory /mnt/analysis. If you want to save a copy of each command’s output, be sure to direct the output file to your evidence directory (/root/evid/) using an explicit path.
ls command
We can also run ls with -a to show all hidden files, -l to show the list in long format to identify permissions, dates, etc., and the -R option to list recursively through directories. You might want to pipe that through less.

Other ls options
The output
Making a List of All Files
Even though this phase uses the same ls and find commands, you may need to be creative with the manual (man) command; it is important because the man page of a command lists its various options.
List all files
In the picture above, -i is used to include the inode (file “serial number”) in the list, and the -u option can be used so that the output includes and sorts by access time (when used with the -t option). Then run find and write its output to a file in the ~/evid directory. Next, use tree to list the directory structure.
Tree
Ok, the next step is to use the grep command on either of the lists created by the first two commands above for whatever strings or extensions you want; in this phase it is the jpg extension.
grep for files
Making a List Of File Types
This is an example of the file command, which compares each file's header against known signatures. If a large number of files have had their extensions removed or changed, run the file command on all the files on the disk. After running file on every file with "find ... -exec", you can look through the resulting list with the "cat, less and grep" commands.
Using find -exec and cat command
Using grep command
In the resulting list we find that ./ouchy.dat is "JPEG image data" despite its extension. Note that the grep only finds descriptions that contain the word “image”, so any image whose file description does not contain that word will not show up in our grep list.
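The imaging steps above (dd to an image file, read-only permissions, sha1sum of the image, restore to a second disk and compare) run end to end, as an added example that is not code from the original post. It uses a constructed floppy-sized file standing in for /dev/fd0 so it needs no root; the device and evidence paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the imaging workflow on a
# constructed "floppy" file that stands in for /dev/fd0, so it needs no
# root and no real drive.  Device paths and the evidence directory are
# assumptions.
set -u

EVID=$(mktemp -d)            # stands in for ~/evid
SUSPECT="$EVID/fake_fd0"     # stands in for /dev/fd0 (the suspect disk)
CLONE="$EVID/fake_fd1"       # stands in for the blank floppy we restore to
trap 'rm -rf "$EVID"' EXIT

# Constructed 1.44 MB "disk": zeros with a recognisable string at sector 100.
dd if=/dev/zero of="$SUSPECT" bs=512 count=2880 2>/dev/null
printf 'evidence text at sector 100' | dd of="$SUSPECT" bs=512 seek=100 conv=notrunc 2>/dev/null

# Image the device sector by sector, make the image read-only, record its hash.
acquire_image() {
    dev=$1; img=$2
    dd if="$dev" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    chmod 444 "$img"
    sha1sum "$img" | tee "$img.sha1"
}

# Restore an image to another disk and return 0 only if the hash of that
# disk matches the recorded hash of the image (bit-for-bit identical clone).
restore_and_verify() {
    img=$1; dev=$2
    dd if="$img" of="$dev" bs=512 conv=notrunc 2>/dev/null
    want=$(cut -d' ' -f1 "$img.sha1")
    got=$(sha1sum "$dev" | cut -d' ' -f1)
    [ "$want" = "$got" ]
}

# Size in bytes; a short read would not be caught by hashing the image alone.
image_size() { wc -c < "$1" | tr -d ' '; }

acquire_image "$SUSPECT" "$EVID/image.disk1"
if restore_and_verify "$EVID/image.disk1" "$CLONE"; then
    echo "clone verified: sha1 of $CLONE matches $EVID/image.disk1"
fi
echo "image size: $(image_size "$EVID/image.disk1") bytes"
```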

To be continued



Wednesday, March 21, 2012

HASHING FILE WITH MD5 HASH AND HOW TO USE IT?

MD5 HASH: this program is used to compute and check MD5 (Message Digest Algorithm 5) message digests. The md5sum hash function is often used in cryptography and computer forensics to check the integrity of a file. MD5 is an Internet standard (RFC 1321). Besides md5sum, hashing can also use sha1sum, sha224sum, sha256sum, sha384sum and sha512sum, while sum and cksum can only be used to view the file size in bytes.

In this session I will check two files in one folder, then edit one of them by removing the space between two words. The first step is to create the two files.

Create two different files and save them with the names testfile1 and testfile2:
testfile1
testfile2
Next, let's use md5sum to hash these files.

Hashing md5sum
In the picture above md5sum is used in two ways:
  • The first md5sum checks all files located in the hashing folder.
  • The second md5sum checks each file individually.
The result for each of the two files hashed above is an MD5 hash in the first column, 32 hexadecimal characters long. To prove that md5sum checks the validity and integrity of a file, I will edit one file (testfile2) by deleting the existing space between two words. In th

Editing testfile2
Then check the validity of all existing files in the hashing folder.

md5sum validity
The result is testfile1: OK, meaning this file is valid (unedited), and the second file, testfile2: FAILED, meaning this file has been modified or edited by someone, so the checksums of testfile2 before and after editing do not match. Now check each file individually.

MD5 hash of testfile2 after editing
MD5 hash of testfile2 before editing
Look: the hexadecimal hashes before and after the file was edited do not match!
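The "find -exec" hash list and "-c" verification from the forensics post above, and this md5sum session, as one added example that is not code from the original posts: it builds a manifest for a constructed "hashing" folder, verifies it, removes the space between two words in testfile2 and verifies again. Folder and file contents are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): build a hash manifest for a
# folder with find -exec, verify it with md5sum -c, then edit one file by
# removing the space between two words and show the verification fail.
# The folder "hashing" and the file contents are constructed here.
set -u

WORK=$(mktemp -d)
HASHDIR="$WORK/hashing"
mkdir -p "$HASHDIR"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample files, as in the post's testfile1 / testfile2.
printf 'digital forensic\n' > "$HASHDIR/testfile1"
printf 'hash function\n'    > "$HASHDIR/testfile2"

# Hash every regular file under a directory, writing the "<hash>  <path>"
# lines that md5sum -c expects (relative paths, so the manifest can be
# checked from the same directory later).
make_manifest() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -exec md5sum {} \; | LC_ALL=C sort -k2 ) > "$out"
}

# Verify a manifest from inside the directory; prints the number of files
# that FAILED (0 means every listed file is intact).
verify_manifest() {
    dir=$1; manifest=$2
    ( cd "$dir" && md5sum -c "$manifest" 2>/dev/null ) | grep -c 'FAILED' || true
}

# Remove the space between the two words in testfile2, as the post does.
edit_testfile2() {
    tr -d ' ' < "$HASHDIR/testfile2" > "$HASHDIR/testfile2.tmp" \
        && mv "$HASHDIR/testfile2.tmp" "$HASHDIR/testfile2"
}

make_manifest "$HASHDIR" "$WORK/manifest.md5"
BEFORE=$(verify_manifest "$HASHDIR" "$WORK/manifest.md5")   # expect 0
edit_testfile2
AFTER=$(verify_manifest "$HASHDIR" "$WORK/manifest.md5")    # expect 1
echo "files FAILED before edit: $BEFORE, after edit: $AFTER"
```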


Sunday, March 18, 2012

3GP FILE STRUCTURE FOR DIGITAL FORENSIC BASICS

3GP is one of many kinds of digital video format, and it is becoming more common as digital evidence with the increasing prevalence of video on computers, mobile devices and cameras. The basis of the 3GP file structure is that a 3GP file is made of "boxes". Generally a 3GP file contains the file type box (ftyp), the Movie Box (moov), and the Media Data Box (mdat). Boxes start with a header, which indicates both size and type (these fields are called "size" and "type"). The movie box (moov) contains track boxes (trak) with information about each track. A track box contains the track header box (tkhd), the media header box (mdhd) and the media information box (minf).

This is an example of the limitations of file carving, which searches for known file headers in order to salvage deleted data.

Hex view of a 3GP header in a Motorola flash memory dump
In this 3GP example, a file carver that searched the Motorola V3 memory dump for several 3GP header signatures found two files, as shown in the audit log:

Sources: forensic analysis; basic structure



MAGIC NUMBER FOR DIGITAL FORENSIC BASICS

A magic number is a number embedded at or near the beginning of a file that indicates its file format. It is also sometimes referred to as a file signature. It is special data located at the beginning of a binary data file that indicates its type to a utility. Magic numbers are generally not visible to users. However, they can easily be seen with a hex editor, a specialized program that shows and allows modification of every byte in a file.

Magic numbers are important because they add knowledge about a file that its name and extension alone do not give.
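Identifying a file by its magic number rather than its extension, as an added example that is not code from the original posts: it covers the renamed-JPEG case from the file command section of the forensics post above and the "ftyp" box from the 3GP post. The signature list and the sample files are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): identify a file's type from
# its magic number rather than its extension, the way the file command does.
# Signatures are the hex of the first bytes; the 3GP/MP4 "ftyp" box type sits
# at offset 4, after the 4-byte box size, so it is matched with a skip.
set -u

# First $2 bytes of file $1 as one lowercase hex string.
head_hex() {
    od -An -tx1 -N "$2" "$1" | tr -d ' \n'
}

# Describe one file from its leading bytes; unknown headers are "data",
# which is also what file(1) says when nothing matches.
magic_type() {
    hex=$(head_hex "$1" 16)
    case "$hex" in
        ffd8ff*)            echo "JPEG image data" ;;
        89504e470d0a1a0a*)  echo "PNG image data" ;;
        474946383[79]61*)   echo "GIF image data" ;;
        25504446*)          echo "PDF document" ;;
        504b0304*)          echo "Zip archive data" ;;
        ????????66747970*)  echo "ISO Media, 3GP/MP4 (ftyp box at offset 4)" ;;
        *)                  echo "data" ;;
    esac
}

# Every regular file under a directory as "path: type", the same shape as
# the post's "find . -type f -exec file {} \;".
scan_dir() {
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        printf '%s: %s\n' "$f" "$(magic_type "$f")"
    done
}

# Constructed samples: a JPEG header renamed to .dat (like ouchy.dat in the
# post), a 3GP header (box size 0x18 then "ftyp3gp4"), and a text file that
# only pretends to be a .jpg.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf '\377\330\377\340\000\020JFIF\000' > "$WORK/ouchy.dat"
printf '\000\000\000\030ftyp3gp4\000\000\002\000' > "$WORK/clip.3gp"
printf 'just some notes\n' > "$WORK/readme.jpg"

scan_dir "$WORK"
echo "--- only descriptions containing the word image:"
scan_dir "$WORK" | grep -i 'image'
```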

UNALLOCATED SPACE FOR COMPUTER FORENSIC BASICS

When you first format a hard drive, the first term you meet is "unallocated space"; likewise, when you partition your hard disk for a file system you will see unallocated space. What is it? UNALLOCATED SPACE is the clusters of a media partition that are not in use for storing any active files. They may contain pieces of files that were deleted from the file partition but not removed from the physical disk (free space). Free space is available to be allocated by the file system.

SLACK SPACE FOR FORENSIC BASICS

To start a computer forensics session there are some things you need to understand, one of which is the file system. Why? Because computer forensics cannot be separated from the file system. The file system is located on the hard drive (storage device). On the hard drive (storage device) we often hear the term slack space. What is the meaning of "SLACK SPACE"?

SLACK SPACE is the unused space between the end of the actual file and the end of the defined data unit (cluster), or a remnant of data that exists within a sector that has been overwritten. Specifically, slack space is the area of the sector that was not fully overwritten by a recent write to disk. Each file always starts at the beginning of a cluster, because this simplifies organization and makes it easier to grow files. Any space left over between the last byte of the file and the first byte of the next cluster is a form of internal fragmentation called file slack, slack space, or cluster overhang. For example, if you wrote 3K of data to a 64K sector, the remaining 61K would not be reused. Instead, this unused sector space would still contain whatever data was written to it previously.

So "slack space is a very important source of evidence in a computer forensic investigation".

Thursday, March 15, 2012

FILE SYSTEM

A filesystem is a method of storing and organizing files on computer storage media that governs where each file is located. A filesystem provides procedures for storing, retrieving and updating data, and manages the available space on the device that contains it.

File systems on:
  • Linux (ext2, ext3, ext4, XFS, JFS, ReiserFS, btrfs).
  • Microsoft Windows (FAT, NTFS, exFAT, ReFS).
The function of a file system is to give a file a name and place it on the storage media. Its other function is to define the file naming convention and the placement of files within the directory structure.

FAT (File Allocation Table)
A file system that allocates files through a table structure.

FAT16
FAT16 is a file system format with a 16-bit limit. FAT16 has a fixed number of clusters per partition, so the bigger the hard drive, the bigger the cluster size. FAT16 does not support compression, encryption or access control on the partition.


FAT32
FAT32 is a file system that uses allocation units with a 32-bit limit. The advantage of FAT32 is its ability to accommodate a larger number of clusters in a partition. However, the disadvantage of this file system is the limited set of operating systems that can recognize FAT32.
Structure

NTFS
As in other file systems, NTFS also divides all the space on the disk into clusters, the data blocks used when data is stored. NTFS supports all cluster sizes from 512 bytes to 64 kilobytes; however, the standard cluster size is 4 kilobytes. Here are the default cluster sizes in NTFS:

When formatting with NTFS, several system files are made, including the Master File Table (MFT), which contains information about all files and directories on that partition. The first information on an NTFS partition is the Partition Boot Sector, which starts at sector 0 and can be up to 16 sectors long. The first file on an NTFS partition is the Master File Table (MFT).

Ext2 – Second Extended File System
The purpose of the Ext2 file system was to create a powerful file system that implements UNIX file semantics and has advanced features.
Abilities:
  • Ext2 supports the file types of the UNIX standard, such as regular files, directories, device special files and symbolic links.
  • Ext2 is able to manage file systems created on large partitions.
  • Ext2 supports long file names, up to a maximum of 255 characters.
  • Ext2 reserves several blocks for the super user (root).
EXT3
Ext3 is a filesystem developed for use on the Linux operating system. Ext3 is the result of improving Ext2 into a better form by adding a variety of advantages.
 
Abilities:
  • Ext3 does not need a file system check, even when the system was not cleanly shut down, except in some very rare hardware error cases.
  • This is because data is written or stored to the disk in such a way that the file system is always consistent.
  • The time required to recover an Ext3 file system after an unclean shutdown is independent of the size of the file system or the number of files, but depends on the size of the "journal" used to maintain consistency.
  • With the initial (default) journal size it requires about 1 second to recover (depending on the speed of the hardware).
 

MBR (MASTER BOOT RECORD)

Master Boot Record (MBR) 
The Master Boot Record is known as one of the most important sectors on a PC hard drive; it stores information for the boot process and for loading the operating system.

The MBR is a special place at the start of a hard drive; it is made automatically when you first partition the hard drive. You could say the MBR is the sector that describes the filesystems, because the MBR contains a partition table that lists the partitions.

The MBR is where information about the number of partitions and the partition types is stored, which allows the BIOS to load the initial boot code and proceed to loading the operating system.

The master boot record contains the following structures:
Master Partition Table: this small table contains a complete description of the partitions contained on the hard disk.
Master Boot Code: the small piece of computer code that the BIOS loads and executes to start the boot process.

When the PC is turned on the processor begins executing, and the MBR's tasks are:
- Look in the partition table for the active partition (the one intended for the boot process)
- Find the first sector of the active partition to get the boot sector of that partition
- Copy the boot sector of the active partition into memory
- Hand control to the executable code in the boot sector
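Reading the partition table out of an MBR with od, as an added example that is not code from the original post: it decodes the four 16-byte entries, checks the 0x55AA signature and reports which entry is marked active, which is the one the boot code hands control to. The 512-byte MBR and its two entries are constructed here.

```shell
#!/bin/sh
# Added example (not part of the original post): decode an MBR partition
# table with od.  Layout assumed: boot code at 0..445, four 16-byte entries
# at 446, 0x55AA signature at 510; each entry holds status (0x80 = active),
# CHS start, type, CHS end, little-endian start LBA and sector count.
set -u

# Unsigned little-endian integer of $3 bytes at byte offset $2 of file $1.
le_uint() {
    val=0; mult=1
    for b in $(od -An -tu1 -j "$2" -N "$3" "$1"); do
        val=$((val + b * mult)); mult=$((mult * 256))
    done
    echo "$val"
}

# True when the 0x55AA boot signature is present at bytes 510-511.
mbr_signature_ok() {
    [ "$(od -An -tx1 -j 510 -N 2 "$1" | tr -d ' \n')" = "55aa" ]
}

# One line per used entry: index status type start_lba sector_count.
mbr_partitions() {
    i=0
    while [ "$i" -lt 4 ]; do
        off=$((446 + i * 16))
        status=$(od -An -tx1 -j "$off" -N 1 "$1" | tr -d ' \n')
        ptype=$(od -An -tx1 -j $((off + 4)) -N 1 "$1" | tr -d ' \n')
        if [ "$ptype" != "00" ]; then
            printf '%d %s %s %d %d\n' "$i" "$status" "$ptype" \
                "$(le_uint "$1" $((off + 8)) 4)" "$(le_uint "$1" $((off + 12)) 4)"
        fi
        i=$((i + 1))
    done
}

# Index of the active partition the boot code would jump to, or "none".
mbr_active_partition() {
    mbr_partitions "$1" | awk '$2 == "80" { print $1; f=1 } END { if (!f) print "none" }'
}

# Constructed 512-byte MBR: entry 0 active FAT32 (0x0b) at LBA 63 for 204800
# sectors, entry 1 inactive Linux (0x83) at LBA 204863 for 409600 sectors.
MBR=$(mktemp)
dd if=/dev/zero of="$MBR" bs=512 count=1 2>/dev/null
printf '\200\000\000\000\013\000\000\000\077\000\000\000\000\040\003\000' |
    dd of="$MBR" bs=1 seek=446 conv=notrunc 2>/dev/null
printf '\000\000\000\000\203\000\000\000\077\040\003\000\000\100\006\000' |
    dd of="$MBR" bs=1 seek=462 conv=notrunc 2>/dev/null
printf '\125\252' | dd of="$MBR" bs=1 seek=510 conv=notrunc 2>/dev/null

mbr_signature_ok "$MBR" && echo "boot signature 55aa present"
mbr_partitions "$MBR"
echo "active partition: $(mbr_active_partition "$MBR")"
```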


Friday, March 9, 2012

FAKE FILM ARTIS INDONESIA Feat BEEF AND METASPLOIT

This content is fiction aimed at learning.

The scenario:
  1. The attacker, using a social engineering technique via social network, chat or mail, sends the victim the URL of a web page containing BeEF and Metasploit.
  2. The victim opens the URL of the web page and downloads the Metasploit file.
  3. The attacker gets a connection via the opened BeEF page (the web page URL) and gets a backdoor using Metasploit.
Let's make the BeEF hook home page, a fake web application about a porn film. Look at the script carefully!


the script
How does it display?
The Fake Web Infected Beef and Metasploit contains
Let's make the payload with the name tyas.avi


Making The Payload
The result ....
The Sexy payload Found
The hooks file ...
Hooks file
Now for "SOCENG", the social engineering technique: send the information about this artist's porn film to social networks, microblogging, SEO, email, chat, SMS, etc.
Next open BeEF on the attacker side.

Beef Log in
Wait for the victim to open the page... and ok, the victim opens the BeEF page, so look at your BeEF.


Connected with victim.
Next, the victim will download the film... "what is in the victim's mind? it's a fake file"...



Victim Download the file
What next .... ?
To be continued......