Part IV: Tools for Computer Forensics and Incident Response
Chapter 20: Creating a Bootable Environment and Live Response Tool Kit
OVERVIEW
When a call comes in that a system has been hacked, the forensic consultant has to be ready to move quickly. Sometimes, the victim system will be so badly damaged by the attack that the machine won't even be able to boot. Some victim systems may be functional, and the "powers that be" will allow the victim to be taken offline so that proper analysis can be performed on it. Still others, however, will require that the system remain online while the analysis is performed. No matter what the scenario, the forensic consultant has to be prepared to deal with it from an incident response perspective.

In this chapter, we'll tell you how to create bootable incident response media (usually either CD-ROM or floppy) that contain all the tools you'll need to perform a proper incident response analysis of an attack. We'll also put together a collection of critical Windows and Unix tools that can be used for forensic analysis on live systems.
Chapter 21: Commercial Forensic Image Tool Kits
OVERVIEW
Once the decision is made that an investigation will take place, it is a good idea to obtain a forensic image of the machines involved in the incident. Several choices of forensic image software are available; both commercial and noncommercial tools have withstood the burden the legal system has placed on them. This chapter reviews several tools that are available commercially. Typically, mid-sized to large organizations lean toward commercially available software, so this chapter describes six of the most popular packages: EnCase, SafeBack, SnapBack, FTK Imager, Ghost, and SMART.

Forensic images, also called bit-stream images, exactly replicate all sectors on a given storage device, not just those that are in use.

You may want to read the Case Study toward the end of the chapter first to familiarize yourself with the hard drives and the situation you will face when you use these forensic image tools. The Case Study will be referred to as the "example" within the following sections.

Note: The tools discussed in this chapter perform forensic imaging, not analysis. See Chapters 22, 23, and 24 for information on tools to aid in forensic analysis.

In keeping with the flow of the investigation, we now move to the forensic image step in the timeline.
Chapter 22: Open-Source Forensic Duplication Tool Kits
OVERVIEW
Chapter 21 reviewed several commercially distributed tool kits that perform forensic duplications. The tool kit discussed in this chapter can be assembled for free, and in a modest amount of time you can easily master its use.

With the proliferation of open-source operating systems such as Linux, OpenBSD, NetBSD, and FreeBSD, a whole suite of tools (and source code) is available to the general public that never existed before. Many general system administration tools, such as dd, losetup, vnconfig, and md5sum, can be used for investigations just as effectively as their commercial counterparts.

This chapter explains the use of these tools and how they have proved to be important additions to the investigator's tool kit. Because these tools are free and the results of the duplication methods they provide can be imported into nearly any forensic analysis suite, you may prefer to use these tools over any others. Note, however, that to use these tools you'll need a high level of experience and some knowledge of file system technical details.

Just as we discussed needing a trusted boot disk (or CD-ROM) in Chapter 21, forensic duplication with noncommercial software has the same requirement. Because Linux is an open-source operating system, many successful distributions have been developed to make Linux run from CDs or floppy disks without accessing the hard drive. We suggest you check out Trinux, a Linux distribution designed to run off a CD-ROM; you can research Trinux at http://trinux.sourceforge.net. Knoppix, available at http://www.knoppix.net, follows in the same vein. It is designed to be installed from a CD-ROM, has excellent documentation, and has been more actively developed than Trinux. Knoppix will have more support for "strange" hardware and more recent tools.

Additionally, a similar distribution of FreeBSD, aptly named FreeBSD To Go, is offered at http://sourceforge.net/projects/freebsdtogo/.

Another project worth mentioning is F.I.R.E., the Forensic and Incident Response Environment. It offers an easy-to-navigate menu system for performing a wide variety of forensics and security analyses on a computer without altering the evidence. For more information about forensics-capable CDs, see http://www.linux-forensics.com/links.html. For information on bootable CDs in general, see http://www.distrowatch.com/dwres.php?resource=cd.

Multiple Linux distributions have been designed for the forensics examiner to run off a CD-ROM, including Trinux, Knoppix, Knoppix-STD, F.I.R.E., and many others. These versatile distributions are complete with analysis tools, data-collection resources, disk-recovery utilities, security-testing capabilities, and even virus scanning. Information about each distribution is shown in the following table.

Distribution | Web Site | Strong Points
Trinux | http://trinux.sourceforge.net | Small size allows it to run on old computers.
Knoppix | http://www.knoppix.net |
Knoppix-STD | | Knoppix Security Tools Distribution includes an extensive suite of security-, incident response-, and forensics-related tools.
F.I.R.E. | | Forensic and Incident Response Environment has a nice menu system that makes it easy to use.

In this chapter, we are still within the forensic duplication stage of our investigation.
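The dd and md5sum workflow this chapter names, as an added example that is not the book's own code: a bit-stream copy made with dd and verified with md5sum, with the digest recorded beside the image so it can be re-checked before each analysis session. The evidence "drive" is a constructed file so the script runs without root; on a real acquisition the source would be a write-blocked block device (the /dev/sdb name in the comments is an assumption).

```shell
#!/bin/sh
# Added example, not code from the book: bit-stream duplication with dd,
# verified with md5sum, as Chapter 22 describes. The "evidence drive" is
# a constructed file; on a real job SRC would be a read-only device such
# as /dev/sdb (assumed name).

# make_source FILE: construct a 1 MiB "disk" that is mostly zeros with a
# remnant written into one sector, so a copy that skipped unused sectors
# would be detectably different from a true bit-stream image.
make_source() {
    dd if=/dev/zero of="$1" bs=512 count=2048 2>/dev/null
    printf 'constructed evidence: deleted-file remnant' |
        dd of="$1" bs=512 seek=700 conv=notrunc 2>/dev/null
}

# acquire_image SRC DST: copy every sector of SRC into DST.
# conv=noerror,sync keeps reading past a bad block and pads it with
# zeros, so the image stays the same length as the source.
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# hash_of FILE: print only the MD5 digest.
hash_of() {
    md5sum "$1" | cut -d' ' -f1
}

# record_hash FILE: store FILE's digest in FILE.md5 for later checks.
record_hash() {
    hash_of "$1" > "$1.md5"
}

# verify_image SRC DST: succeed only if source and image hash identically.
verify_image() {
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

# verify_recorded FILE: succeed only if FILE still matches FILE.md5,
# the check to repeat before every analysis session on the image.
verify_recorded() {
    [ "$(hash_of "$1")" = "$(cat "$1.md5")" ]
}

main() {
    work=$(mktemp -d)
    make_source "$work/sdb.raw"
    acquire_image "$work/sdb.raw" "$work/sdb.dd"
    record_hash "$work/sdb.dd"
    if verify_image "$work/sdb.raw" "$work/sdb.dd"; then
        echo "image verified, md5 $(cat "$work/sdb.dd.md5")"
    else
        echo "MISMATCH: image does not match source"
    fi
    rm -rf "$work"
}

main "$@"
```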
Chapter 23: Tool Kits to Aid in Forensic Analysis
In Chapters 21 and 22, we reviewed tools that can forensically duplicate a source hard drive. That is the first phase of a two-phase process for performing a successful forensic investigation. The second phase is the analytical component. This chapter discusses the tools used to analyze the data we previously acquired. All of the forensic analysis tool kits we review are capable of importing more than one kind of forensic image format. dd images can be used with all of these tools, and many of these tools are building capabilities into their import mechanisms that will accept other (including competing) formats.

THE FORENSIC TOOLKIT
The Forensic Toolkit (FTK) by AccessData (http://www.accessdata.com) attempts to help the analyst by reducing large datasets to a subset of important information. FTK is a commercial product and can be purchased from AccessData. At the time of this writing, Forensic Toolkit costs around a thousand dollars. Although this may sound steep, it can be a lifesaver on a large case or across multiple datasets because of its ability to index and correlate data. You can get their Ultimate Toolkit for investigations, which includes Forensic Toolkit bundled with their Password Recovery Toolkit and other assorted software. This will cost you around $2,000.

Note: FTK requires a dongle to operate. If you do not have an FTK-specific dongle, you should contact AccessData. The demo version available from their web site will allow you to do everything we discuss here.

FTK automatically extracts Microsoft Office documents, client-based e-mail, web-based e-mail, Internet activity, and more. Because the tool does this for you automatically, it can save a tremendous amount of time, so the analyst can go about the business of analyzing only relevant data. FTK's ability to fully index data yields nearly instantaneous keyword searches. This may not sound important, but on a multigigabyte hard drive image, this can alleviate hours of search time at the forensic workstation. Having immediate results for a large keyword search set is alone worth the price of the product.

FTK analyzes all Microsoft Windows file systems, including NTFS, NTFS compressed, and FAT 12/16/32. FTK also analyzes Linux ext2 and ext3. Therefore, if the system you are investigating uses a different file system, you will need to use another tool to perform your analysis, such as EnCase or the Coroner's Toolkit.

Implementation
FTK provides an easy-to-use GUI, so command-line options are not needed to use the tool. The first thing you do when you start FTK is decide whether you want to create a new case or open an existing one.

We will create a new case and then import our source evidence data files into it. These evidence files were created from the source drive using the EnCase forensic duplication tool (see Chapter 21). When we select Start A New Case, the screen shown in Figure 23-1 appears so we can enter the specifics of our case.
Figure 23-1: Use this screen in AccessData's Forensic Toolkit to enter specific information about your case.

The next set of screens allows us to enter specific information about the examiner and choose our case options. FTK comes with several options for logging information, and under Case Log Options, shown at right, the user can customize automatic logging. Optionally, the user may add comments during the case by choosing Files | View Case Log.

The next screen, Processes To Perform, highlights several options available to FTK while building the case file. KFF Lookup and Full Text Index are of particular interest. KFF stands for known-file filter. This option filters out files that are presumably harmless. The Windows operating system requires hundreds of standard system files to run properly. These files, if unchanged, will provide little information to the analyst in most scenarios. The KFF Lookup option allows us to reduce the set of files we analyze by eliminating the known files from the case; therefore, it can save us time, money, and resources in our investigation.

If you think you may want to perform keyword searches on the data, you should check the Full Text Index option. The import process will take significantly longer, but the price will be worth paying if you search the data more than once. By default, FTK will index everything when creating a new case. However, if time is an issue, this may not be your best option. You can still index all items or selected items after creating the case by choosing Tools | Analyze Tools.

Caution: Indexing by choosing Tools | Analyze Tools is not as fast as indexing using the New Case wizard. If you can spare the time, it helps to index with the New Case wizard when importing the evidence.

FTK automates what used to be a painstaking and slow manual process called data carving. FTK will automatically search through files and free space for hidden or remaining pieces of files and carve them out for you. This feature recovers data that other tools may overlook unless they are set up properly, but it takes extra time. The data carving options include BMP, GIF, JPEG, EMF, PDF, HTML, AOL/AIM, and OLE files.

FTK gives us the option to exclude certain kinds of data under the Refine Case screen in the New Case wizard, shown next. These may include executables, graphics, e-mail, KFF, deleted files, and more. To help the novice or hurried user, preset settings are offered for graphic-, text-, and e-mail-intensive cases. Here is an example of the Email Emphasis settings.

If the Full Text Index option is selected in the Processes To Perform screen, the Refine Index screen, shown next, allows you to define the criteria for indexing files. For example, it may not make sense to index data in the Known File Filter.

On the next screen, Add Evidence To Case, FTK asks us to add evidence to the case. Evidence can be either EnCase evidence files or dd image files. EnCase evidence files and acquisition of a hard drive with dd were covered in Chapter 22.

On this screen, we are presented with several options regarding the type of evidence we want to add: we can import an evidence file, analyze a local drive, analyze the contents of a directory, or analyze an individual file. Usually, we will want to import an evidence file (the Acquired Image Of Drive option), but the other methods of analysis are also worth considering. For instance, we may want to connect a drive to the forensic workstation instead of providing FTK with an evidence file (Local Drive). If we have only a logical copy of the subject machine, we may want to analyze the contents of the directory that holds that logical copy (Contents Of A Folder). Or we may have a single, very large file that we want to index and search (Individual File).

Since most of the time we will be importing evidence files, we will discuss this method here. In Chapter 21, you created an image using EnCase. You can now add these files to the newly created case in FTK by selecting Continue on the Add Evidence To Case screen. You'll see the Open dialog box. Select all of your evidence files for the current case and then click the Open button.

Next, choose any final options and enter the evidence information for this particular item in the Evidence Information dialog box (as shown at right), and then click OK to return to the wizard.

Note: A full text index will require a significant amount of time to create during the import process. However, if you do not create the index now, you will need to create it later if you want to execute quick keyword searches.

When you are ready, click Next, and the import process begins. FTK then informs you that the new case setup is complete. Click Finish to begin the import process.

When processing is finished, the main FTK navigation screen appears. Tabs across the top allow us to click through to explore the different parts of the evidence. The Overview tab, shown in Figure 23-2, provides an accurate overview of the information found in the evidence. Moreover, it is the most efficient means of quickly reviewing the evidence found in the data. Each of the buttons under File Items, File Status, and File Category is clickable. When you click these buttons, the files are presented to the analyst in the lower half of the FTK screen.

The Evidence Items button lists the evidence files we imported for analysis. The bottom window displays summary information about each of the evidence files collected.

The Total File Items button lists all of the files discovered within the evidence data files. This screen gives the investigator a great overview of the files existing on the suspect's system.

Perhaps one of the investigator's dreams is to see all images present in the evidence quickly. By clicking the Graphics button, we can see every image on the system and browse for any contraband, as shown in Figure 23-3.

Extracting e-mail is one of the laborious tasks of computer forensics. FTK tries to reduce this burden by automatically indexing the e-mail if you so choose, and also by providing an easy-to-use exploration tree. In this illustration it looks like someone is looking for a job.

In nearly every case, the suspect deletes files. Clicking the Deleted Files button on the Overview tab displays a list of the files that were deleted from the system. This illustration shows a deleted picture of a nuclear blast model.

The Slack/Free Space button displays a list of all of the unallocated and slack space portions of the disk. Although typically you would not search this space by hand, it is available to you if you so choose. However, as you will see later, you can use automated ways to search this space in the file system.

During most investigations, especially during the discovery process for legal cases, it is advantageous to reproduce all of the documents available from a subject's machine. The Documents button displays all of the documents for the investigator. Documents are Microsoft Office document files, text files, HTML files, and so on (see Figure 23-4).

Figure 23-4: Notice how the user of this computer was apparently reading stories about creating bombs.

Any general e-mail messages can be located by clicking the E-mail Messages button.

The other tabs allow us to take a more granular view of the data. The Explore tab, shown in Figure 23-5, gives us a Windows Explorer-like interface to browse the evidence's contents.

Skipping over a few tabs, the Search tab provides the functionality that makes FTK shine. With full-text indexing applied to the data, the searching capabilities will be almost instantaneous. For instance, we will enter the keywords Johnson and Brazil because doing so will pertain to the Case Study at the end of this chapter. In the Composite Search field, we will choose the option Only Count Files With Hits On ALL Files. This value indicates a logical AND relationship between each search keyword. The drop-down box provides the ability to perform OR searches, too.

If your keywords do not result in many hits, you can use FTK's search-broadening options, which mutate the keywords to find hits that may be close to, but not identical to, your criteria. Initially, though, you should disable these options to see a narrower view of the results. These options are available by clicking the options box directly under the Search tab.

When the search is complete, the results will be displayed in the right pane.

If you chose not to create a full text index on the data when you added it to the case, you can always perform a live search at any time. This type of searching will take a significant amount of time, but it will produce the same results as the keyword searches already discussed.

All of the actions performed on the evidence will be logged by FTK. The Tools menu on the main menu bar lets us view and add comments to the case log.

Because of FTK's ability to extract important data quickly, FTK is a great forensic analysis tool kit for those who are just starting to learn about forensics or do not have the time to invest significant resources.
Chapter 24: Tools to Aid in Internet Activity Reconstruction
OVERVIEW
Forensic investigators are frequently asked to reconstruct the online activities of a suspect under investigation. For the purposes of this chapter, online activities are generalized into two categories: electronic mail and web-browsing habits. Both are used in an alarming number of cases to perpetrate or conduct illegal activities. E-mail is one of the fastest growing methods of communication, personally, corporately, and among international gangs, terrorist organizations, and individuals like Joe Schmooze who want to traffic your intellectual property out of your organization. Likewise, the ever-widening reach of online access means more people are using the Internet to conduct their business, whether legitimate or not. This chapter discusses the toolset a forensic analyst needs to reconstruct the online activity of a suspect's machine. It also highlights the intricacies we have discovered during field testing in just about every kind of scenario. Although a single chapter can't cover every tool and technique available today, we do cover mainstream e-mail investigative techniques.

In the scenarios that follow, we discuss programs and techniques used to view e-mail data and extract relevant artifacts. These include products such as Paraben's E-mail Examiner, open-source tools, Guidance Software's EnCase, and AccessData's Forensic Toolkit. Other methods include using the native e-mail client or various tricks to get around simple controls. Remember that multiple tools and methods are available for searching and analyzing this data. Choose the tools and methods that best fit your needs.
Chapter 25: Generalized Editors and Viewers
OVERVIEW
Despite the growing popularity and acceptance of tool suites produced by Guidance, Paraben, AccessData, and ASR Data, it is still important for the investigator to understand the internals of the automated operations these tool suites have built in. Parallels for why can be drawn from fields ranging from pharmaceuticals to reactor operations. Having operated reactors for more than half a dozen years, this author can attest that a monkey can do the job. Except for when things go wrong... and they do. Amazingly, things go wrong during investigations, too. And if that's not enough, you'll be questioned about and expected to explain file carving, deleted files, file slack, unallocated space, sectors, clusters, and so on. As you use and understand these tools, these definitions will become second nature.

Note: New Technologies Incorporated (NTI) is one of many online resources for learning about these terms and other forensic concepts. Their web site is located at http://www.forensics-intl.com/define.html. A Google search will yield several results, but be careful what you read. Stick to information from trade web sites, respectable vendor web sites, and web sites of respected individuals in the field. Corroborate everything you read with another resource.

An investigator could come to an incorrect conclusion without the means to view suspicious files properly. For example, imagine an analyst who depends on an image viewer to provide the proper results for a file named image.tiff. If the file image.tiff is actually an MP3 music file, it won't be displayed correctly in an image viewer or rendered correctly inside Windows Explorer. Therefore, a more powerful viewer must be utilized. Luckily for the analyst, such viewers are available.

This chapter is dedicated to the editors and viewers used during a typical forensic analysis. These viewers are defined as generic in the sense that they support many different file types. Some of the viewers presented will even support an unlimited number of file formats. Moreover, even though "editing" is not typically performed during an investigation, this chapter will illustrate that editors, too, can add powerful features to the analyst's tool kit.
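The image.tiff-that-is-really-an-MP3 problem above comes down to typing a file by its leading bytes rather than trusting its name. As an added example that is not from the book, this POSIX sh checker reads the first four bytes with od, compares them against standard magic numbers, and flags any file whose extension disagrees; the sample files are constructed inline.

```shell
#!/bin/sh
# Added example, not code from the book: type a file by its leading bytes
# and compare with what its extension claims, the mismatch Chapter 25
# warns about. Magic numbers are the standard published ones; the sample
# files are constructed in main.

# magic_hex FILE: first four bytes as upper-case hex with no separators.
magic_hex() {
    od -An -N4 -tx1 "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# type_by_content FILE: a type name derived only from the file's bytes.
type_by_content() {
    case "$(magic_hex "$1")" in
        49492A00|4D4D002A) echo tiff ;;   # "II*\0" little-endian, "MM\0*" big-endian
        FFD8FF*)           echo jpeg ;;   # JPEG start-of-image marker
        89504E47)          echo png  ;;   # "\x89PNG"
        494433*)           echo mp3  ;;   # "ID3" tag at the start of an MP3
        FFFB*|FFF3*|FFF2*) echo mp3  ;;   # bare MPEG audio frame sync
        25504446)          echo pdf  ;;   # "%PDF"
        *)                 echo unknown ;;
    esac
}

# type_by_name FILE: the type the extension claims.
type_by_name() {
    case "$1" in
        *.tif|*.tiff) echo tiff ;;
        *.jpg|*.jpeg) echo jpeg ;;
        *.png)        echo png ;;
        *.mp3)        echo mp3 ;;
        *.pdf)        echo pdf ;;
        *)            echo unknown ;;
    esac
}

# check_file FILE: print "ok" or "MISMATCH"; return 1 on a mismatch so a
# directory sweep can flag every renamed file for closer review.
check_file() {
    n=$(type_by_name "$1")
    c=$(type_by_content "$1")
    if [ "$n" = "$c" ]; then
        echo "ok        $1 ($c)"
        return 0
    fi
    echo "MISMATCH  $1 name=$n content=$c"
    return 1
}

# sweep DIR: check every regular file in DIR; return the mismatch count.
sweep() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        check_file "$f" || bad=$((bad + 1))
    done
    return $bad
}

main() {
    d=$(mktemp -d)
    printf 'II*\000\010\000\000\000' > "$d/real.tiff"    # genuine TIFF header
    printf 'ID3\003\000\000\000\000' > "$d/image.tiff"   # MP3 renamed as a TIFF
    printf '%%PDF-1.4\n' > "$d/report.pdf"
    bad=0; sweep "$d" || bad=$?
    echo "mismatches: $bad"
    rm -rf "$d"
}
main "$@"
```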
Chapter 26: Reverse Engineering Binaries
OVERVIEW
Your computer seems to be running slower than normal. The router shows that your computer is transmitting data out to the Internet without your knowledge. Friends are complaining that you are sending them e-mails you never composed. Determined to see if you have a Trojan running on your computer, you take a look at your process list to see if there is anything out of the ordinary. Much to your dismay, you notice a program running that you have never seen before and didn't explicitly start. You have been backdoored by malware.

There are many questions you should be asking in these situations. What does the program do? Does it use network resources? Can outside hackers now access my computer? Am I being used as a zombie for DDoS attacks? This chapter will focus on methods and tools you can use to determine what these programs do and how they do it, without having the source code. In the past, reverse engineering was something of a black art. Typically it involved some type of decompilation using a tool such as IDA or GDB to extract the assembly from the binary, and the best you could hope for was to have that assembly converted into low-level C code that you could use to understand what was going on. These tools have evolved, however, and you no longer need a PhD in Computer Science to be able to reverse engineer binaries. That being said, a brief primer will go miles in helping you understand when to use certain tools and when to use others.