GeoEdge – IP Address Locator

Introduction

Log analysis is one of the most basic but crucial exercises of any forensics analyst. It has many aspects; some of the important ones are:

  • Determining the actions/requests performed by a user/host/IP address
  • The application’s or server’s responses to a user’s requests
  • Finding more information about a particular user/host/IP address who may be performing extraordinary transactions with the application/server
  • Application/server performance
  • Application/server traffic monitoring to measure business growth, etc.

However, from a forensics point of view, investigating “which user did what on the application/server that led to its compromise” is of the greatest importance. A similar scenario applies to email investigation: it is now quite simple to find out the IP address of the person sending fishy or threatening emails to the victim(s).

Here we discuss a post-investigation aspect of the above and similar scenarios, i.e. what happens once the source IP address (of the attacker) has been identified? In this article we discuss a simple tool/script which helps the forensic analyst get the exact location of the source IP address on this very beautiful earth.


Concurrent RDP connections hack – XP

by Toufiq Ali, NII Consulting
Before you read further, make sure you back up all the original registry settings or create a restore point for your system. I assume the reader knows what the Windows remote Terminal Service is. If not, please refer to http://en.wikipedia.org/wiki/Terminal_Services

In Windows XP, when a remote user connects using the Remote Desktop Connection (RDC) client, the local user is forcefully disconnected from his current session. RDC, unlike Terminal Server Services in Windows 2000, Server 2003 and Server 2008, is designed for only one session at a time. This article aims to bring the multiple-user login functionality of Terminal Services in Windows Server 2000, Windows Server 2003 etc. to Windows XP. This would be very useful in environments where the network admin often troubleshoots problems on the network using RDC.

Keep reading as the hack unfolds to enable concurrent Remote Desktop Connection session support in Windows XP using the following patched files.

USB Forensics

In this article we will learn how to do forensics of USB devices, how to correlate a USB device with its drive letter, and how to see at what time the USB device was plugged in and plugged out. This article may be very useful for military forces, as they can easily note the time when a particular USB device was plugged in.

Whenever a forensic investigator examines a USB device, he should look into two important keys of the registry. These are:

Indian IT Act 2000 – An Insight

from NII Consulting

The IT Act 2000 is a large repository of fine print fraught with judicial jargon and varying legal implications.

To quote from the preamble of the Act,

“An Act to provide legal recognition for the transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as “Electronic Commerce”, which involve the use of alternatives to paper based methods of communication and storage of information, to facilitate electronic filings of documents with the Government agencies and further to amend the Indian Penal Code, Indian Evidence Act, 1872, The Bankers’ Books Evidence Act, 1891, and the Reserve Bank of India Act, 1934 and for matters connected therewith or incidental thereto.”

The full Act is available online in a neatly organized HTML format at http://www.naavi.org/importantlaws/itbill2000/index.htm

To make it more comprehensible, our principal consultant, K. K. Mookhey, recently drew up a presentation to provide an overview and quick understanding of all the chapters of the IT Act.

This presentation is available for download at http://www.niiconsulting.com/services/IT_Act_2000_NIIConsulting.ppt

Dare to delete my files!

by Nikhil Wagholikar, NII Consulting
Introduction

One of the recommended file systems for Linux is ext3. The ext3 file system might not be as robust and powerful as the Microsoft NTFS file system, but it has some built-in features that make Linux a power performer.

Here we will explore one such feature of the ext3 file system. This feature is actually an attribute which, if set on a file/folder, will not allow even the “root” user to delete, modify or rename it.


Understanding NTFS file system

by Kush Wadhwa, NII Consulting

In this article I will cover the basic concepts of the NTFS file system. In NTFS (New Technology File System) all important data, including the basic file system administrative data, are stored in files, and these files can be stored anywhere in a particular volume. They do not have reserved space as other file systems (FAT) have. The only thing which is consistent in NTFS is that the first sector of the disk volume contains the boot sector and boot code.


Data Carving Issues

by Chetan Gupta, NII Consulting

Many a time, as an investigator, I have to deal with the issue of carving data from unallocated space in a partition. There are many commercial data carving tools such as EnCase, WinHex, AccessData FTK, DataLifter and ILook Investigator. Well, I have tried most of these and must say most of them have their share of pros and cons.

Bad Superblock, corrupt inode tables and loads of bad luck!

by Chetan Gupta, NII Consulting

Well, last week was abuzz with activity when we had to recover data from a corrupt Linux hard disk. I thought it would be pretty easy, but as soon as I loaded the hard disk, I knew something was amiss.

Hiding data with Host Protected Area (HPA) in Linux

By Kush Wadhwa, NII Consulting

Have you ever thought of hiding data in such a manner that it cannot be deleted even after the hard disk is formatted? Well, in this article we’ll look at just that; we will see how you can hide and unhide crucial data on your hard disk. The technique used to hide the data is known as HPA, which stands for Host Protected Area. Let us first discuss HPA…

HPA – The Hidden Protected Area (also known as the Host Protected Area and as the Predesktop Area) is a special area (usually a few gigabytes in size) located at the end of a hard disk.

Since we have to calculate the hard disk space which is to be put in the HPA, here is a little about hard disk sectors.

Sectors - A sector is the smallest unit that can be accessed on a hard disk. Each platter, or circular disk of a hard disk is divided into tracks, which run around the disk. These tracks get longer as they move from the middle towards the outside of the disk, so there are more sectors along the tracks near the outside of the disk than the ones towards the center of disk.

1 Sector=512 bytes

Let us first see how many sectors there are in my hard disk, which can easily be done using the hdparm command.

[Figure: hdparm command output]

From the above figure we can see that the total number of sectors present in the hard disk is 78165359. Converting the given number of sectors into gigabytes, we get 37.27214766 GB. To hide the data, make a separate partition (Note: this partition should be the last partition). An HPA cannot be made at the beginning or in the middle of the hard disk. Using sfdisk -luS, note the starting sector of the last partition. Let the starting sector of the last partition be 64776751. Now I want only 64776751 sectors to be accessible and the rest of the sectors to be in HPA mode. For putting the sectors in HPA mode I will use a small C program named setmax.c, which can be downloaded from the link below.

http://www.win.tue.nl/~aeb/linux/setmax.c

To compile this program I will use gcc:

[root@hack3rs root]# gcc -o setmax setmax.c

To compile it statically:
[root@hack3rs root]# gcc -static -o setmax setmax.c

Since 64776751 sectors have to be made accessible, we will do as follows (substitute your own device name for /dev/hdc):
[root@hack3rs root]# ./setmax --delta 64776751 /dev/hdc

The --delta option makes a temporary HPA. If you want to make a permanent HPA, use the --max option of setmax instead.
Congratulations! You have hidden your last 8388608 sectors, which is equivalent to 4GB. You can check whether your hard disk is in HPA mode or not by using disk_stat, which comes with The Sleuth Kit. The Sleuth Kit can be downloaded from its official site http://www.sleuthkit.org. The general syntax of disk_stat is disk_stat <device-name>, where the device name can be /dev/{hda,hdb,hdc,sda,sdb,sdc}. Be sure to give the whole disk, not a partition name.

Unhiding your host protected area (specially written for digital forensics teams)

When a digital forensics team inspects a machine, they should check whether the hard disk is in HPA mode or not. If the hard disk is in HPA mode, it is quite possible that data is stored in that area, and that data could help them solve the case. So let us first detect whether the hard disk has an HPA or not. As said earlier, this can easily be done using disk_stat, which shows the Maximum Disk Sector and the Maximum User Sector.

Maximum Disk Sector: This gives the total number of sectors present in hard disk.

Maximum User Sector: This gives the total number of sectors which user can access.

For the example above I got the following result:

Maximum Disk Sector: 78165359
Maximum User Sector: 64776751

** HPA Detected (Sectors 64776751 – 78165359) **

This means that sectors from 64776751 to 78165359 are in HPA mode. Now again use setmax to unhide HPA.

[root@hack3rs root]# ./setmax --delta 78165359 /dev/hdc

This will make all your hard disk accessible. I hope you all enjoyed reading the article.
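As an added illustration (not code from the article or from The Sleuth Kit), the script below carries out the sector-to-gigabyte arithmetic and the disk_stat check described above in Python. The disk_stat lines it parses are a constructed sample built from the article's figures, and the assumption that disk_stat prints "Maximum Disk Sector:" and "Maximum User Sector:" lines in that form is taken from the output shown above.

```python
"""Added example, not from the original article: the sector arithmetic and the
disk_stat check described above. The disk_stat text is a constructed sample
built from the article's figures, not captured tool output."""
import re

SECTOR_BYTES = 512  # 1 sector = 512 bytes, as the article states

def sectors_to_gib(sectors: int) -> float:
    """Sector count to gigabytes using 1024**3 bytes, the article's conversion."""
    return sectors * SECTOR_BYTES / (1024 ** 3)

def parse_disk_stat(output: str) -> dict:
    """Read the two maxima from disk_stat-style text; the '** HPA Detected **'
    banner is deliberately ignored and recomputed from the numbers instead."""
    values = {}
    for key in ("Maximum Disk Sector", "Maximum User Sector"):
        m = re.search(rf"{key}:\s*(\d+)", output)
        if m is None:
            raise ValueError(f"missing '{key}' line in disk_stat output")
        values[key] = int(m.group(1))
    return values

def detect_hpa(output: str) -> dict:
    """Report whether an HPA exists and what it hides. A disk without an HPA
    reports equal maxima; a user max above the disk max is malformed output."""
    v = parse_disk_stat(output)
    disk_max, user_max = v["Maximum Disk Sector"], v["Maximum User Sector"]
    if user_max > disk_max:
        raise ValueError("user max exceeds disk max; output is not trustworthy")
    hidden = disk_max - user_max
    return {
        "hpa_present": hidden > 0,
        "hidden_range": (user_max, disk_max) if hidden else None,
        "hidden_sectors": hidden,
        "hidden_gib": round(sectors_to_gib(hidden), 2),
    }

# Constructed sample in the shape of the disk_stat result shown in the article.
SAMPLE_WITH_HPA = """Maximum Disk Sector: 78165359
Maximum User Sector: 64776751

** HPA Detected (Sectors 64776751 - 78165359) **
"""
SAMPLE_NO_HPA = "Maximum Disk Sector: 78165359\nMaximum User Sector: 78165359\n"

if __name__ == "__main__":
    print(f"78165359 sectors = {sectors_to_gib(78165359):.8f} GB")
    print(detect_hpa(SAMPLE_WITH_HPA))
    print(detect_hpa(SAMPLE_NO_HPA))
```

The hidden sector count is derived from the two maxima rather than from the banner, so the check still works on output where the banner is absent.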

Happy Experimenting!

Computer Forensics Volunteer Project

by Bhushan Shah, NII Consulting

Mrs Carol L. Stimmel has taken it upon herself to start a Computer Forensics Volunteer Project to provide low-cost services to those who could not otherwise benefit from our skills.

Here is an excerpt from the press release:

“As expert members of the international computer forensics community which provides unique and highly desirable services to the legal system, we assume a responsibility to provide services to those in need yet unable to pay. As a result, the Computer Forensics Volunteer Project (CFVP) provides pro bono and low-cost forensic services to individuals and organizations who normally would not be able to take advantage of the distinct litigation advantage provided by these techniques.”

On behalf of NII Consulting I have volunteered to take part in the project and would like to help people who cannot afford such services.