FORENSICS EXAMINERS INTRODUCTION FOR LINUX

In this chapters i will trying to increase my knowledge and skill about computer forensic (digital forensic). In this chapters using backtrack forensics tool for utilities to make imaging and basic analysis of suspect disks and drives comparatively easy. These tools are : dd, sfdisk and fdisk, grep, the loop device, md5sum and sha1sum, file and xxd.  

Analysis organization

It just for intoducing computer forensic most of the work you will do here can be applied to actual casework. The practice floppy (in raw image format from a simple dd), create the practice floppy with the following command. First practical with image of "practical.floopy.dd". 

create image from flopy

For the One way of organizing your data would be to create a directory in your “home” directory for evidence and then a subdirectory for different cases. Since we will be executing these commands as root, the home directory is /root:

Create directory

The tilde (~) in front of the directory name is shorthand for “home directory”, so when I type ~/evid, it is interpreted as $HOME/evid.  If I am logged in as root, the directory will be created as /root/evid.  Needed another directory for a special mount point for all subject file system analysis, This is used to separate for a common system used in the processing of evidence.

Create directory analysis

Determining the structure of the disk

We can get the partition information on that disk with:

Partion Information from Hardisk ATA(SATA)

We can redirect the output of this command to a file for later use by issuing the command as:

Redirect to file output

Name of file output is fdisk.fdisk1 will be created in /root/evid. If you use the fdisk in the flopy you can get the strange output. The output will just confuse, the fdisk command works by examining the partition table in the first sector (0) of a device. So don’t use fdisk on the practice floppy.

Creating a forensic image of the suspect disk

By dd to create the image of the disk.

Create Image

Change the read­write permissions of your image to read­ only

Permission

The image file was created and now restore the image to another disk "clone" of the original disk.

Put another floppy (blank)

Mounting a restored image

By assuming this is a DOS formatted disk from Win 98/95 machine. the mounting of the image / mnt / analysis above are some command options are used to protect the disk and the system. As for some of the mount command options like the "-o ro, noexec" option determines ro (readonly) and noexec to protect from the execution of the user.

Mount

 You can check by looking the content of the image file and Be sure to unmount the disk when you finish.    

Mount finish

Mounting the image using the loopback device

Another way to view the contents of the image without having to restore it to another disk is to mount using the loop interface. 

Mounting using loopback

After mounting you can browse the content of the file and if you are finished to see the content you must unmount the image of the disk.

Unmount

File Hash

Using sha1sum to hashing the file image. It is imprtant step to verify the integrity of the data.

Hashing

The redirection in the second command allows us to store the signature in a file and use it for verification later on. We can get a very useful list of SHA hashes for every file on a disk by loop mounting the image again, and then changing to the /mnt/analysis directory. By using the find command and an option that allows us to execute a command on each file found.

Find

Looking the result from hash file using cat command to stream the file to standard output.

Using cat with result hash

And than verify of the integrity data from the image disk clone with -c command, to read more about this hashing and command maybe you can read my previous post in this blog...see this read more about hashing. If the sha hash match you can get report like this.

Report hash match

The Analysis

By using ls command to see the content from the image disk in the directory /mnt/analysis. If you want to save a copy of each command’s output, be sure to direct the output file to your evidence directory (/root/evid/) using an explicit path.

ls command

And we can compare with ls command with -a to show the all of hiden files, -l to show list in long format to
identify permission, date, etc. and than –R option to list recursively through directories. You might want to pipe that through less.

Other ls command

The output

Making a List of All Files

Even these phase same for using the ls and find command, maybe you must be creative with the manual command (man) it is importan because in the man of command include various list options from he command.

List all files

In the picture above using -i it used to include the inode (file “serial number”) in the list, the –u option can be used so that the output will include and sort by access time (when used with the –t option). And than find and set the output file to directory ~/evid. Next by using tree to list of directory.

Tree

Ok, next step is using grep command on either of list created by the first two commands above for whatever strings or extensions,in this phase is jpg extension. 

grep file

Making a List Of File Types
It is the example of file command for compares each file's header, if there are have a large number of files without extensions have changed, so run the file command on all the files on a disk. After running the file commands using "find and exec" for looking resulting list you can use "cat, less and grep" commands.

Using find -exec and cat command

Using grep command

The information from the resulting list we can find the ./ouchy.dat JPEG image data... its means because their descriptions do not contain the word  “image” so the images do not show up in our grep list. 

To be continue

HASHING FILE WITH MD5 HASH AND HOW TO USE IT?

MD5 HASH This program is used to compute and check message digest MD5 (Message Digest Algorithm 5). md5sum hash function is often used in cryptography and computer forensics to check the integrity of the file. MD5 is an Internet standard (RFC 1321). In addition to using the md5sum hashing can also use the sha1sum, sha224sum, sha256sum, sha384sum, sha512sum. While for the sum and cksum can only be used to view the file size in bytes. 

At this session I will try to check the two files in one folder, and then one file editing is done by removing the space between two words. First step will create two file.

Create different file and save with the name testfile1 and testfile2:

testfile1

testfile2

Next, lets use md5sum to hashing this file.

Hashing md5sum

In the picture above there are two types use the md5sum :

• The first md5sum check on all files located in folder hashing.

• The second with the md5sum check on each files

The results of the two files above hashing is an md5 hash of the first column of size 32 character hexadecimal.  To prove that the md5sum to check the validity and integrity of a file then I will do the editing in one file (testfile2) by deleting the existing space between two words. In th

Editing testfile2

Further to check the validity of all existing files in the folder hashing.

md5sum validity

The result is testfile1 OK its means this file valid (the file unedited), and the second file with the name testfile2 is Failed its means this file is already modification or edited by someone so the checksums of testfile2 after and before editing did not match. Check with each files.

md5 hash testfile2 after edited

md5 hash testfile2 before edited

Look this hexadecimals before file edited and after file edited did not match !.

3GP FILE STRUCTURE FOR DIGITAL FORENSIC BASICS

3GP its one of many kinds digitall video format becoming a more common from digital evidence with increasing prevalence of video in th computers, mobile devices and cameras. Thye basic of 3GP file stucture is 3GP have "Boxes" . Generally 3GP file contains the file type box ((ftyp), the Movie Box (moov), and the Media Data Box (mdat). Boxes start with a header, which indicates both size and type (these fields are called, namely, "size" and "type").The movie box (moov) contains track boxes (trak) include information abaut track. A track box contains the track header boc (tkhd), media header box (mdhd) and media information box (minf).

It is example of file carving limitations known file header in order to salvage deleted data. 

Hex View 3gp Header in Motorola flash Memory DUmp

3GP in this example, a file carving that searched in the Motorola V3 Memory dump for several 3GP header signatures found two files in as shown in the audit log :

 source :
forensic analisys 
basic structure 

MAGIC NUMBER FOR DIGITAL FORENSIC BASICS

Magic Number is a number embedded at or near the beginning of a file that indicates its file formats. It is also sometimes referred to as a file signature. It is a special data located at the begining of a binary data file to indicate ia type to a utility. Magic numbers are generally not visible to users. However, they can easily be seen with the use of a hex editor, which is a specialized program that shows and allows modification of every byte in a file. 

Magic numbers is important to purpose significance of additional knowledge.  

UNALLOCATED SPACE FOR COMPUTER FORENSIC BASICS

First time when you format the hard drive first term there is "unallocated space", or when you are going to partition your hard disk to the file system will see unallocated space. Is it? UNALLOCATED SPACE is cluster of a media  partition not in use for storing any active files. They may contain pieces of files that were deleted from the file partition but not removed from the physical disk (Free Space). Free space it used to allocated to file system. Learn more

SLACK SPACE FOR FORENSIC BASICS

To start the computer forensic session there are some things you need to understand one of them is the understanding about file system. Why? Because computer forensics is not separated from the file system and the file system. The file system located on the hardrive (storage device). In the hard drive (storage devvice) we often hear the term slack space. What is the meaning of "SLACK SPACE"?.

SLACK SPACE is the unused space between the end of the actual file and the end of the the defined data unit (cluster) or a remnant of data that exists within a sector of data that has been overwritten. Specifically, slack space is the area of the sector that was not fully overwritten by a recent write to disk. Or each file always starts at the beginning of a cluster because this simplifies organization and makes it easier to grow files. Any space left over between the last byte of the file and the first byte of the next cluster is a form of internal fragmentation called file slack, slack space, or cluster overhang. for example, if you wrote 3K of data to a 64K sector, the remaining 61K of data would not be reused. Instead, this unused sector space would still contain whatever data was written to it previously.

So "Slack space is a very important source of evidence in computer forensic investigation" 

FILE SYSTEM

filesystem is a method to manage of storing and organizing files or computer storage media in regulating the location of the file. filesystem provides procedures for storing, retrieving and updating data, and manage the available space on the devices that contain it.

File system on :

• Linux (ext2, ext3, ext4, XFS, JFS, ReiserFS, btrfs.
• Mocrosoft Windows (FAT, NTFS, ExFAT, ref.

File System Function is used to add a name of file and put it on the storage media. The other function is as a file name convention and the laying of the file to the directory structure.

FAT (File Allocation Table) 
Is a File System that uses to allocation file into table structure as a way to operate.

FAT16

FAT16 is one of many kinds file system format which has a limit of up to 16-bit. FAT16 is a fixed amount of capacity in the cluster partition, so the bigger the hard drive, then the cluster size is increased. FAT16 does not support the lack of compression, encryption dankontrol access the partition 

FAT32

FAT32 is a file system that uses the allocation unit that has a limit of up to 32-bit.  FAT32 advantage is the ability to accommodate a larger number of clusters in the partition. However, the disadvantage of using File System This is a limitation of the Operating System that can recognize FAT32.

Structure

NTFS

As in other file systems, NTFS also share all the places on the disk in the form of clusters. Cluster data blocks are used at the time. NTFS support for all cluster sizes, from 512 bytes to 64 Kilo Bytes. However, the standard cluster size is 4 Kilo Bytes. Here is the default size for the cluster in NTFS:

When formatting using the NTFS file, made ​​some file system and Master File Table (MFT) which contains information about all files and directories on that partition. The first information contained on that partition using the NTFS is Partition Boot Sector, which starts at sector 0 and sector length can reach 16. The first file contained on the partition using the NTFS Master File Table (MFT).

Ext2 – Second Extended File System 2

The Ext2 File system purpose to create a powerful file system, which can implement those files from UNIX semantics, and has advanced features of service.

 abilities:

• Ext2 file system capable of supporting multiple file types from UNIX standard, such as regular files, directories, device special files and symbolic links.

• Ext2 able to manage system files are created in a large partition.

• Ext2 file system capable of generating file names are long. Maximum of 255 characters.

• Ext2 require several blocks to super user (root).

EXT3

Ext3 is a filesystem that was developed for use on the Linux operating system. Ext3 is the result of improvement of Ext2 Ext2 into better shape by adding a variety of advantages.
 

Abilities: 

• Ext3 does not support the process of checking the file system, even when the system is not cleaned experiencing "shutdown", except in some very rare hardware errors.
• Things like this happen because the data is written or stored into a disk in a way so that the file system is always consistent.
• The time required to recover EXT3 file system after the system is not cleaned off
• Is independent of the size of the file system or file number, but depends on the size of the "journal" used to maintain consistency. Journal of the size of the initial (default)
• Requires about 1 second to recover (depending on the speed of hardware).

 

MBR (MASTER BOOT RECORD)

Master Boot Record (MBR) 

Master Boot Sector is known as one of the most important sector in a PC hard drive that stores information for the boot process and loading the operating system.

MBR is a special place which leads to a hard drive, the MBR will be automatically made ​​when you first partition the hard drive. You could say MBR is the sector of the filesystem. because there is a MBR partition table that lists the partitions

MBR is a place where information about the number of partitions, partition type, the allocation of the BIOS can load the initial boot to the process of loading the operating system.

The master boot record contains the following structures: 

Master Partition Table: This small bit of code that is referred to as a table contains a complete description of the partitions that are contained on the hard disk.

Master Boot Code: The master boot record is the small bit of computer code that the BIOS loads and executes to start the boot process.

When the PC (turn on) -> processors begin processing -> here MBR task is:
- Look for the active partition to the partition table is intended for the boot process) in the partition table
- Find the first sector of the partition being active to get the boot sector of partition
- Contains a copy of boot sector of the active partition into memory
- Giving further control to the executable code in the boot sector

FAKE FILM ARTIS INDONESIA Feat BEEF AND METASPLOIT

This containts is fiction aimed at learning

The Scenario :

1. Attacker with social enginnering technique using social network, chatting or mail to victim send the url or link the web page contains beef and metasploit. 
2. Victim open the url of web page and download the metasploit file.
3. Attacker get connection via opened beef page (url web page) and get backdoor using metasploit

Lets make the hook beef home page...fake web application about porn film. Look the script carefully!.

the script

 How with the display? 

The Fake Web Infected Beef and Metasploit contains

Lets make the payload with the name tyas.avi

Making The Payload

The result ....

The Sexy payload Found

The hooks file ...

Hooks file

Lets to "SOCENG" social engineering technique, send the information about this artist porn film to social network, micro blogging, SEO, email, chatting, sms...etc. 
Next open the BEEF in the attacker..

Beef Log in

 Wait the victim to open the page...and ..ok, the victim open the beef page, so look your beef.

Connected with victim.

Next, victim will download the film...."what is in the victims mind? its a fake file" ...

Victim Download the file

What next .... ?
To be continued......