<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Checkmate &#187; Fundamentals</title>
	<atom:link href="http://niiconsulting.com/checkmate/category/fundamentals/feed/" rel="self" type="application/rss+xml" />
	<link>http://niiconsulting.com/checkmate</link>
	<description>An Information Security Blog by NII Consulting</description>
	<lastBuildDate>Fri, 02 Dec 2011 08:26:35 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3</generator>
		<item>
		<title>GeoEdge &#8211; IP Address Locator</title>
		<link>http://niiconsulting.com/checkmate/2010/01/06/geoedge-ip-address-locator/</link>
		<comments>http://niiconsulting.com/checkmate/2010/01/06/geoedge-ip-address-locator/#comments</comments>
		<pubDate>Wed, 06 Jan 2010 12:02:28 +0000</pubDate>
		<dc:creator>Nikhil Wagholikar</dc:creator>
				<category><![CDATA[Fundamentals]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[geoedge]]></category>
		<category><![CDATA[geotools]]></category>
		<category><![CDATA[ip locator]]></category>
		<category><![CDATA[MAP-Quest]]></category>
		<category><![CDATA[maxmind]]></category>
		<category><![CDATA[wikimapia]]></category>

		<guid isPermaLink="false">http://niiconsulting.com/checkmate/?p=192</guid>
		<description><![CDATA[From a forensics point of view, establishing which user did what on the application or server that led to its compromise is of the greatest importance. The same applies to e-mail investigation: it is now quite simple to find the IP address from which suspicious or threatening e-mails were sent to the victim(s).]]></description>
			<content:encoded><![CDATA[<p><strong>Introduction</strong></p>
<p>Log analysis is one of the most basic but crucial exercises for any forensics analyst. It serves many purposes; some of the important ones are:</p>
<ul>
<li>Determining the actions/requests performed by a user, host or IP address</li>
<li>The application’s or server’s responses to those requests</li>
<li>Finding more information about a particular user, host or IP address that is performing unusual transactions with the application/server</li>
<li>Application/server performance</li>
<li>Application/server traffic monitoring, e.g. to measure business growth</li>
</ul>
<p>From a forensics point of view, however, establishing which user did what on the application or server that led to its compromise is of the greatest importance. The same applies to e-mail investigation: the IP address from which suspicious or threatening e-mails were sent to the victim(s) can be recovered from the message headers.</p>
<p>Here we discuss what comes after that step in these and similar scenarios: what do you do once the attacker’s source IP address is known? This article covers a small tool/script that helps a forensic analyst find the approximate geographic location of a source IP address.<br />
<span id="more-192"></span><br />
<strong>Geo-Edge</strong></p>
<p>“geoedge.py” is a small Python script by Laramies from “<a href="http://www.edge-security.com/soft/geoedge.py">edge-security.com</a>” that looks up the geographic location registered for a target host or IP address. This gives a starting point for establishing the physical location from which the attack was carried out.</p>
<p>Those who don’t have a Python interpreter need not worry: NII Consulting has put in some more effort and made the script available as a Windows EXE.</p>
<p>This tool can be downloaded as:</p>
<p>Original Python Version: Download <a href="http://www.edge-security.com/soft/geoedge.py">here</a></p>
<p>EXE Version: Download <a title="GeoEdge EXE version" href="http://www.niiconsulting.com/tools/geoedge.exe" target="_self">here</a></p>
<p>The strength of this tool is that it queries two sources, <a href="http://www.maxmind.com/">Maxmind</a> and <a href="http://www.geoiptool.com/">geoiptool</a>, for the given host or IP address, so information is more likely to be available and the two answers can be cross-checked against each other.</p>
<p><strong>Example</strong></p>
<p>Let’s first have a look at how to use this tool:<br />
<a href="http://niiconsulting.com/checkmate/wp-content/uploads/2010/02/Pic1-Usage.jpg" target="_blank"><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2010/02/Pic1-Usage.jpg" alt="" width="593" height="206" /></a></p>
<p>Now we’ll try to locate IP address 64.246.16.151.</p>
<p>For this, we issue:</p>
<p><a href="http://niiconsulting.com/checkmate/wp-content/uploads/2010/02/Pic2-Sample.jpg" target="_blank"><br />
<img src="http://niiconsulting.com/checkmate/wp-content/uploads/2010/02/Pic2-Sample.jpg" alt="" width="593" height="371" /></a></p>
<p>As we can see, both sources returned latitude and longitude values for the target IP address.</p>
<p>Now what? We have the latitude and longitude, but which country, which street, which area do they correspond to?</p>
<p>For this, we’ll use the online world map on the <a href="http://www.mapquest.com/maps/latlong.adp">MAP-Quest</a> website.</p>
<p>We enter the latitude and longitude we obtained into this website and see where the IP address is placed on the map.</p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2010/01/Pic3.jpg" alt="" width="586" height="612" /></p>
<p>The resolved location of the target host/IP address is shown as a red star on the map. Two map views are available for the coordinates.</p>
<p>The first is the “Street View”, which shows the streets around the target location.</p>
<p><a href="http://niiconsulting.com/checkmate/wp-content/uploads/2010/01/Pic4.jpg" target="_blank"><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2010/01/Pic4.jpg" alt="" width="461" height="277" /></a></p>
<p>Zooming in a little further gives more detail around the target location.</p>
<p><a href="http://niiconsulting.com/checkmate/wp-content/uploads/2010/01/Pic5.jpg" target="_blank"><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2010/01/Pic5.jpg" alt="" width="461" height="277" /></a></p>
<p>The second is the “Aerial view”, which shows the satellite imagery of the location.</p>
<p><a href="http://niiconsulting.com/checkmate/wp-content/uploads/2010/01/Pic6.jpg" target="_blank"><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2010/01/Pic6.jpg" alt="" width="461" height="277" /></a></p>
<p>Further zoom is available, subject to the imagery MapQuest has for that area.</p>
<p><strong>Conclusion</strong></p>
<p>So from this we learn that it is not difficult for a forensics analyst to get an approximate location for the attacker’s IP address. Be clear about what the lookup returns, though: GeoIP databases map an address to the location registered for its network block, which is typically accurate to the country or city and often points at the ISP’s premises rather than the subscriber, and the address in the logs may belong to a proxy, VPN exit, Tor node or another compromised host rather than the attacker’s own machine. Treat the coordinates as a lead, for example to identify which ISP to approach for subscriber records, not as a street address.</p>
<p>Besides this technique, “GeoTools” available at <a href="http://wikimapia.org/">WikiMapia</a> is also very handy and useful.</p>
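<p>To make the lookup concrete, here is an added example of what a GeoIP database query does, written for this page and not part of the original article or of geoedge.py. It works offline: the CSV table is constructed sample data over the RFC 5737 documentation networks, not real geolocation data, and the class and function names are mine. It also shows the two things the caveats above turn on: the answer is the whole network block, not the single host, and a non-routable address cannot be located at all.</p>

```python
"""Offline illustration of a GeoIP-style lookup: map an IP address to the
location record of the most specific network block that contains it.
Added example, not geoedge.py; the table below is constructed sample data
over RFC 5737 documentation networks, not real geolocation data."""
import bisect
import csv
import io
import ipaddress

SAMPLE_GEOIP_CSV = """network,country,city,latitude,longitude
192.0.2.0/24,US,Example City,37.7510,-97.8220
198.51.100.0/24,DE,Berlin,52.5200,13.4050
203.0.113.0/24,IN,Mumbai,19.0760,72.8777
203.0.113.64/26,IN,Pune,18.5204,73.8567
"""

# Addresses that never reach the Internet: seeing one of these in a log means
# the traffic came from behind your own NAT, and no GeoIP database can place it.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


class GeoTable:
    """Network blocks sorted by first address, for bisect-based range lookup."""

    def __init__(self, csv_text):
        rows = []
        for row in csv.DictReader(io.StringIO(csv_text)):
            net = ipaddress.ip_network(row["network"])
            rows.append((int(net.network_address), int(net.broadcast_address), dict(row)))
        # Sort by (first, last) so a nested block that starts together with its
        # parent sorts after it and is found first when walking backwards.
        rows.sort(key=lambda r: (r[0], r[1]))
        self._starts = [r[0] for r in rows]
        self._rows = rows

    def lookup(self, ip):
        """Return the record of the most specific block containing ip, or None."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in NON_ROUTABLE):
            return None
        value = int(addr)
        i = bisect.bisect_right(self._starts, value) - 1
        # Blocks that start at or before ip: the nearest one whose last address
        # is still >= ip is the most specific enclosing block.
        while i >= 0:
            start, end, rec = self._rows[i]
            if end >= value:
                return rec
            i -= 1
        return None


def locate(table, ip):
    """Lookup plus the precision the answer actually has: the database knows
    about the whole block, not about the single host."""
    rec = table.lookup(ip)
    if rec is None:
        return None
    net = ipaddress.ip_network(rec["network"])
    return {
        "ip": ip,
        "block": rec["network"],
        "addresses_in_block": net.num_addresses,
        "country": rec["country"],
        "city": rec["city"],
        "lat": float(rec["latitude"]),
        "lon": float(rec["longitude"]),
    }


if __name__ == "__main__":
    table = GeoTable(SAMPLE_GEOIP_CSV)
    for ip in ("203.0.113.70", "203.0.113.200", "198.51.100.200", "192.168.1.5", "100.64.0.1"):
        print(ip, locate(table, ip))
```

<p>The nested 203.0.113.64/26 block shows why the walk backwards matters: the /26 is returned for 203.0.113.70, while 203.0.113.200 falls through to the enclosing /24. The “addresses_in_block” field is the honest precision of the answer.</p>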
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2010/01/06/geoedge-ip-address-locator/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Concurrent RDP connections hack &#8211; XP</title>
		<link>http://niiconsulting.com/checkmate/2009/03/26/concurrent-rdp-connections-hack-xp/</link>
		<comments>http://niiconsulting.com/checkmate/2009/03/26/concurrent-rdp-connections-hack-xp/#comments</comments>
		<pubDate>Thu, 26 Mar 2009 16:56:57 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Fundamentals]]></category>
		<category><![CDATA[Hacks]]></category>
		<category><![CDATA[Network Forensics]]></category>

		<guid isPermaLink="false">http://www.niiconsulting.com/checkmate/2009/03/concurrent-rdp-connections-hack-xp/</guid>
		<description><![CDATA[by Toufiq Ali, NII Consulting Before you read further make sure you back up all the original registry settings or create a restore point of your system. I assume the reader knows what a Windows remote terminal service is. If not please refer to http://en.wikipedia.org/wiki/Terminal_Services In Windows XP when a remote user tries [...]]]></description>
			<content:encoded><![CDATA[<p><strong>by Toufiq Ali, <a href="http://www.niiconsulting.com//">NII Consulting</a></strong><br />
Before you read further, back up the registry settings you are about to change or create a system restore point. I assume the reader knows what Windows Terminal Services is; if not, please refer to http://en.wikipedia.org/wiki/Terminal_Services</p>
<p>In Windows XP, when a remote user connects with the Remote Desktop Connection (RDC) client, the local user is forcibly disconnected from the current session. Unlike Terminal Services on Windows 2000 Server, Server 2003 and Server 2008, Remote Desktop on XP is designed for only one session at a time. This article aims to bring the multi-user login functionality of Terminal Services on Windows Server 2000, 2003 etc. to Windows XP. This is very useful in environments where the network admin often troubleshoots problems over RDC.</p>
<p>Keep reading as the hack unfolds: concurrent Remote Desktop sessions are enabled on Windows XP using the following patched files.<span id="more-52"></span></p>
<ol>
<li>Download files.zip from the link below on the system where you want to enable concurrent RDC connections.</li>
</ol>
<p><a target="_blank" title="Click here to download" href="http://www.niiconsulting.com/checkmate/wp-content/uploads/2009/03/files.zip">Download files.zip</a></p>
<p>Inside, pick the zip matching your service pack level:</p>
<ul>
<li>Windows XP SP1 and SP2: Windows XP RTM, SP1 and SP2.zip</li>
<li>Windows XP SP2: Windows XP SP2.zip</li>
<li>Windows XP SP3: Windows XP SP3.zip</li>
</ul>
<p>Before you go ahead, boot into Safe Mode (press F8 during boot-up). If you don’t want to wait for a reboot to see this work, stop the Terminal Services service instead:</p>
<p>a. Go to &#8216;Start&#8217; > &#8216;Run&#8217; and type services.msc<br />
b. Right-click Terminal Services and go to Properties.<br />
c. From the Startup type drop-down choose Disabled, or simply stop the service.<br />
d. Click Apply or OK and close services.msc.</p>
<p>2. Go to %windir%\System32 and rename termsrv.dll to anything you will remember.<br />
3. Go to %windir%\System32\dllcache and rename termsrv.dll there as well.</p>
<p>4. Copy the downloaded termsrv.dll to the following two locations:<br />
a. %windir%\System32<br />
b. %windir%\System32\dllcache</p>
<p>Note: when you copy the files, Windows will pop up the Windows File Protection dialog box. Click Cancel and then Yes to keep this copy of the patched file.</p>
<p>5. Now download and run the concurrent_sessions.bat file and click Yes to add the values to the registry, or run Registry Editor and add the following registry values manually:</p>
<p>[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Licensing Core]<br />
"EnableConcurrentSessions"=dword:00000001</p>
<p>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]<br />
"EnableConcurrentSessions"=dword:00000001<br />
"AllowMultipleTSSessions"=dword:00000001</p>
<p>Note that the first key is written under ControlSet001. HKLM\SYSTEM\CurrentControlSet is a link to whichever ControlSetNNN is named in HKLM\SYSTEM\Select\Current, which is usually but not always 001, so if you add the value by hand, check which control set is current or use the CurrentControlSet path instead.</p>
<p>6. Click on Start Menu -> Run and type gpedit.msc.</p>
<p>7. Navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Terminal Services.</p>
<p>8. Enable “Limit number of connections” and set it to the number of concurrent sessions you want to allow.</p>
<p>9. Restart Terminal Services on that system. Also enable Remote Desktop from the Remote tab of System Properties by checking “Allow users to connect remotely to this computer”.</p>
<p>10. Turn on Fast User Switching in Control Panel -> User Accounts -> Change the way users log on or off.</p>
<p>11. Restart the computer normally.</p>
<p>If the Windows XP computer is joined to a domain, Windows resets the “AllowMultipleTSSessions” value to 0 every time the computer restarts. To keep multiple Remote Desktop sessions allowed in an AD domain environment, “AllowMultipleTSSessions” has to be set back to 1 at system startup. Rather than running concurrent_sessions.bat by hand after every boot, put it in the C:\Documents and Settings\All Users\Start Menu\Programs\Startup folder.</p>
<p>Service Pack 2 for Windows XP introduced a limit of 10 concurrent incomplete (half-open) outbound TCP connection attempts; Service Pack 1 and the RTM release have no such limit. So if you set “Limit number of connections” in step 8 to more than 10 and you are running SP2, you need to apply the patch that overrides that limit. You can download the file from the following link.</p>
<p>Just for your information, disassembling the original and patched files shows the following bytes changed (file offset: original → patched):</p>
<p>00022A17: 74 → 75 (a short JE becomes JNE)<br />
00022A69: 7F → 90<br />
00022A6A: 16 → 90 (the two-byte short JG is replaced by two NOPs)</p>
<p>These offsets apply only to the termsrv.dll build that was patched; a different version of the DLL will not have the same bytes at these locations.</p>
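<p>As an added example, written for this page and not part of the original post or its download, the three byte changes above are enough to tell whether a given copy of termsrv.dll is the original or the patched one, which is the check an investigator wants when this hack turns up on a machine. The sample buffers are constructed stand-ins, the offsets are only valid for the DLL build the post patched, and the function names are mine.</p>

```python
"""Check a termsrv.dll image against the byte patch documented above.
Added example, not the post's own tooling; the sample buffers are constructed
and the offsets only apply to the termsrv.dll build the post patched."""
import hashlib

# (file offset, original byte, patched byte) as listed in the post.
# 0x74/0x75 are the short JE/JNE opcodes, 0x7F 0x16 is a short JG, 0x90 is NOP.
TERMSRV_PATCH = (
    (0x00022A17, 0x74, 0x75),
    (0x00022A69, 0x7F, 0x90),
    (0x00022A6A, 0x16, 0x90),
)


def classify_termsrv(data):
    """Return 'original', 'patched' or 'unknown' for a termsrv.dll image.
    'unknown' covers a different build (bytes match neither variant) and files
    too short to contain the offsets; a partial match is reported as unknown
    too, so a hand-modified file is never silently called original."""
    if len(data) <= max(off for off, _, _ in TERMSRV_PATCH):
        return "unknown"
    if all(data[off] == orig for off, orig, _ in TERMSRV_PATCH):
        return "original"
    if all(data[off] == new for off, _, new in TERMSRV_PATCH):
        return "patched"
    return "unknown"


def describe(data):
    """Verdict plus SHA-256 and size, so the finding can be recorded and
    compared against a known-good copy from installation media or a clean peer."""
    return {"verdict": classify_termsrv(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data)}


def classify_file(path):
    """Run the check on a file pulled from %windir%\\System32 or dllcache."""
    with open(path, "rb") as fh:
        return describe(fh.read())


def make_sample(patched):
    """Constructed stand-in for the DLL: filler bytes with only the three
    documented locations set.  Real files go through classify_file()."""
    buf = bytearray(b"\x00" * 0x00022B00)
    for off, orig, new in TERMSRV_PATCH:
        buf[off] = new if patched else orig
    return bytes(buf)


if __name__ == "__main__":
    for label, buf in (("clean", make_sample(False)), ("patched", make_sample(True))):
        print(label, describe(buf))
```

<p>On a live system the byte check is a quick triage step; the authoritative test is the file’s Authenticode signature, which the patched DLL no longer passes, together with a hash comparison against a known-good copy.</p>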
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2009/03/26/concurrent-rdp-connections-hack-xp/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>USB Forensics</title>
		<link>http://niiconsulting.com/checkmate/2008/01/01/usb-forensics/</link>
		<comments>http://niiconsulting.com/checkmate/2008/01/01/usb-forensics/#comments</comments>
		<pubDate>Tue, 01 Jan 2008 07:16:26 +0000</pubDate>
		<dc:creator>Kush</dc:creator>
				<category><![CDATA[Compromise Detection]]></category>
		<category><![CDATA[Fundamentals]]></category>

		<guid isPermaLink="false">http://www.niiconsulting.com/checkmate/2008/01/usb-forensics/</guid>
		<description><![CDATA[In this article we will learn how to do forensics of USB devices, how to correlate a USB device with its drive letter and how to see at what time the USB device was plugged in and unplugged. This article may be very useful for military forces as they can easily [...]]]></description>
			<content:encoded><![CDATA[<p>In this article we will learn how to do forensics of USB devices, how to correlate a USB device with its drive letter and how to see at what time the USB device was plugged in and unplugged. This article may be very useful for military forces, as they can easily note the time when a particular USB device was plugged in.</p>
<p>Whenever a forensic investigator examines USB device activity, he should look into two important registry keys. These are:<span id="more-47"></span></p>
<p>1) HKLM\SYSTEM\MountedDevices</p>
<p>2) HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</p>
<p>The first key holds one value for every volume that has been mounted, fixed disks and removable devices alike; the values for drive letters are named in the form “\DosDevices\X:”. The figure below will make the picture clearer.</p>
<p><img align="left" src="http://www.niiconsulting.com/checkmate/wp-admin/images/0108/figure1.JPG" />Figure 1</p>
<p>Each value is of type REG_BINARY, so its data is shown in hex. To read it, the investigator has to open the value: the data is a UTF-16LE device path, and if it begins with “\??\STORAGE#RemovableMedia#” the drive letter was assigned to a removable/USB device. Let us understand this point with the help of the figure. The figure below shows the “\DosDevices\I:” value opened, and it is a removable/USB device.</p>
<p><img align="left" src="http://www.niiconsulting.com/checkmate/wp-admin/images/0108/figure2.JPG" />Figure 2</p>
<p>Couple of points to notice in this figure: -</p>
<p>1) The value accessed is “\DosDevices\I:”</p>
<p>2) The data of this value starts with “\??\STORAGE#RemovableMedia#”, so we can conclude that this drive letter was assigned to a removable/USB device.</p>
<p>3) The Parent ID prefix in this case is 7&#038;25bb518e&#038;0. This value is very important; we will use it to learn more about the USB device that was connected to the suspect machine.</p>
<p>Our work with “HKLM\SYSTEM\MountedDevices” is over. Now let us move to the other key and get more information out of it. The other key is</p>
<p>HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</p>
<p>When the USBSTOR key is expanded, it contains one sub key per device model, named in the form Disk&#038;Ven_&lt;vendor&gt;&#038;Prod_&lt;product&gt;&#038;Rev_&lt;revision&gt;. An example is shown in the figure.</p>
<p><img align="left" src="http://www.niiconsulting.com/checkmate/wp-admin/images/0108/figure3.JPG" /></p>
<p>Figure 3</p>
<p>Under each of these keys is a sub key named after the serial number of the device. If the device has no serial number, the Plug and Play manager assigns an instance ID instead, recognisable by an “&#038;” as its second character. We will now expand the sub key and look for the Parent ID prefix, which is stored in its ParentIdPrefix value. I expanded the sub key and found the Parent ID prefix; a screenshot is given below.</p>
<p><img align="left" src="http://www.niiconsulting.com/checkmate/wp-admin/images/0108/figure4.JPG" /></p>
<p><a title="figure 4" href="http://www.niiconsulting.com/checkmate/wp-admin/images/0108/figure%204.JPG">Figure 4</a></p>
<p>Since the ParentIdPrefix matches, we can be sure that this device was connected to the machine and that the drive letter assigned to it was I:\.</p>
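<p>The correlation just described can be scripted over a registry export. The following is an added example written for this page, not part of the original article: the registry values are constructed sample data (the ParentIdPrefix from the screenshot, a made-up vendor, serial number and disk signature), the Windows 7 note at the end is mine, and so are the function names.</p>

```python
r"""Decode HKLM\SYSTEM\MountedDevices values and correlate removable volumes
with the USBSTOR device that owned them.  Added example over constructed data;
the vendor, serial number and disk signature below are made up."""
import re
import struct

# Constructed sample of MountedDevices: value name -> REG_BINARY data.
# C: is a partition on an MBR disk: 4-byte disk signature + 8-byte partition
# offset.  I: is a device interface path stored as UTF-16LE.
MOUNTED_DEVICES = {
    r"\DosDevices\C:": struct.pack("<IQ", 0xA1B2C3D4, 32256),
    r"\DosDevices\I:": (
        r"\??\STORAGE#RemovableMedia#7&25bb518e&0&RM#"
        "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le"),
}

# Constructed sample of Enum\USBSTOR: device-class key -> instance key -> values.
USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00": {
        "0123456789ABC&0": {
            "ParentIdPrefix": "7&25bb518e&0",
            "FriendlyName": "SanDisk Cruzer USB Device",
        },
    },
    "Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP": {
        "7&1a2b3c4d&0": {   # '&' as 2nd character: PnP-generated, no real serial
            "ParentIdPrefix": "7&3fa1c9e2&0",
            "FriendlyName": "Kingston DataTraveler USB Device",
        },
    },
}

REMOVABLE_RE = re.compile(r"^\\\?\?\\STORAGE#RemovableMedia#(?P<pid>[^#]+)&RM#")


def decode_mounted_device(data):
    """Return a dict describing one MountedDevices value."""
    if len(data) == 12:
        sig, offset = struct.unpack("<IQ", data)
        return {"kind": "mbr_partition", "disk_signature": "%08x" % sig,
                "partition_offset": offset}
    path = data.decode("utf-16-le", errors="replace")
    m = REMOVABLE_RE.match(path)
    if m:
        return {"kind": "removable", "path": path, "parent_id_prefix": m.group("pid")}
    return {"kind": "other", "path": path}


def usbstor_by_parent_id(usbstor):
    """Index USBSTOR instances by ParentIdPrefix for the reverse lookup."""
    index = {}
    for device_key, instances in usbstor.items():
        for serial, values in instances.items():
            pid = values.get("ParentIdPrefix")
            if pid:
                index[pid] = {"device": device_key, "serial": serial,
                              "generated_serial": len(serial) > 1 and serial[1] == "&",
                              "friendly_name": values.get("FriendlyName")}
    return index


def correlate(mounted, usbstor):
    """Map each removable drive letter to the USBSTOR device it belonged to."""
    index = usbstor_by_parent_id(usbstor)
    out = []
    for name, data in mounted.items():
        info = decode_mounted_device(data)
        if info["kind"] != "removable":
            continue
        letter = name.rsplit("\\", 1)[-1]
        out.append({"letter": letter, **index.get(info["parent_id_prefix"], {}),
                    "parent_id_prefix": info["parent_id_prefix"]})
    return out


if __name__ == "__main__":
    for hit in correlate(MOUNTED_DEVICES, USBSTOR):
        print(hit)
```

<p>Two caveats when running this on real data: a drive letter is reused, so a \DosDevices\ value only records the last device that held it, and the ParentIdPrefix step is specific to Windows XP. From Vista onwards the MountedDevices data for a USB volume normally contains the USBSTOR path with the serial number in it directly.</p>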
<p>If we want to find out more about the connected device and the last plug/unplug time, we can use a tool like NirSoft’s “USBDeview”, which can be found here. The usual on-disk sources for those times are the last-write time of the device’s serial-number sub key under USBSTOR and the entries in %windir%\setupapi.log, which records when the device was first installed. A screenshot is given below.</p>
<p><img align="left" src="http://www.niiconsulting.com/checkmate/wp-admin/images/0108/figure5.JPG" /></p>
<p><a title="figure 5" href="http://www.niiconsulting.com/checkmate/wp-admin/images/0108/figure%205.JPG">Figure 5</a></p>
<p>I hope this article helps forensic investigators in their cases. Enjoy experimenting.</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2008/01/01/usb-forensics/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Indian IT Act 2000 &#8211; An Insight</title>
		<link>http://niiconsulting.com/checkmate/2007/08/21/it-act-2000-2/</link>
		<comments>http://niiconsulting.com/checkmate/2007/08/21/it-act-2000-2/#comments</comments>
		<pubDate>Tue, 21 Aug 2007 11:39:30 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Case Studies]]></category>
		<category><![CDATA[Fundamentals]]></category>

		<guid isPermaLink="false">http://www.niiconsulting.com/checkmate/2007/08/it-act-2000-2/</guid>
		<description><![CDATA[from NII Consulting The IT Act 2000 is a large repository of fine print fraught with judicial jargon and varying legal implications. To quote from the preamble of the Act, &#8220;An Act to provide legal recognition for the transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred [...]]]></description>
			<content:encoded><![CDATA[<p>from <a href="http://www.niiconsulting.com"><strong>NII Consulting</strong> </a></p>
<p>The IT Act 2000 is a large repository of fine print fraught with judicial jargon and varying legal implications.</p>
<p>To quote from the preamble of the Act,</p>
<p><em>&#8220;An Act to provide legal recognition for the transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as &#8220;Electronic Commerce&#8221;, which involve the use of alternatives to paper based methods of communication and storage of information, to facilitate electronic filings of documents with the Government agencies and further to amend the Indian Penal Code, Indian Evidence Act, 1872, The Bankers&#8217; Books Evidence Act, 1891, and the Reserve Bank of India Act, 1934 and for matters connected therewith or incidental thereto.&#8221; </em></p>
<p>The full Act is available online in a neatly organized HTML format at <a target="_blank" title="IT Act 2000" href="http://www.naavi.org/importantlaws/itbill2000/index.htm">http://www.naavi.org/importantlaws/itbill2000/index.htm </a></p>
<p>To make it more comprehensible, our principal consultant, K. K. Mookhey, recently drew up a presentation to provide an overview and quick understanding of all the chapters of the IT Act.</p>
<p>This presentation is available for download at <a target="_blank" title="IT_Act_2000_NIIConsulting.ppt" href="http://www.niiconsulting.com/services/IT_Act_2000_NIIConsulting.ppt">http://www.niiconsulting.com/services/IT_Act_2000_NIIConsulting.ppt </a></p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2007/08/21/it-act-2000-2/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Dare to delete my files!</title>
		<link>http://niiconsulting.com/checkmate/2007/05/16/dare-to-delete-my-files/</link>
		<comments>http://niiconsulting.com/checkmate/2007/05/16/dare-to-delete-my-files/#comments</comments>
		<pubDate>Wed, 16 May 2007 07:45:30 +0000</pubDate>
		<dc:creator>Nikhil Wagholikar</dc:creator>
				<category><![CDATA[Fundamentals]]></category>

		<guid isPermaLink="false">http://www.niiconsulting.com/checkmate/2007/05/dare-to-delete-my-files/</guid>
		<description><![CDATA[by Nikhil Wagholikar, NII Consulting Introduction One of the recommended file systems for Linux is ext3. The ext3 file system might not be as robust and powerful as Microsoft’s NTFS, but it has some built-in features that make Linux a strong performer. Here we will explore one such feature of the ext3 file system. This [...]]]></description>
			<content:encoded><![CDATA[<p><strong>by <a href="mailto:nikhil@niiconsulting.com">Nikhil Wagholikar</a>, <a href="http://www.niiconsulting.com//">NII Consulting</a></strong><br />
<strong>Introduction</strong></p>
<p>One of the recommended file systems for Linux is ext3. The ext3 file system might not be as robust and powerful as Microsoft’s NTFS, but it has some built-in features that make Linux a strong performer.</p>
<p>Here we will explore one such feature of the ext3 file system. It is actually a file attribute which, when set on a file or directory, prevents even the “root” user from deleting, modifying or renaming it.<span id="more-42"></span> This attribute is set using the “chattr” command.</p>
<p><strong><em>chattr</em></strong></p>
<p>According to the Linux man page, “chattr” is defined as:</p>
<p>“chattr” changes the file attributes on a Linux second extended file system.</p>
<p>The second extended file system is simply “ext2”. Since “ext3” is an upgraded version of “ext2”, everything said about ext2 applies equally to ext3.</p>
<p>Let’s quickly go through the important options and attributes of the “chattr” command. Options start with a dash; attributes are set with “+”, cleared with “-” or assigned exactly with “=”, for example “chattr +i file”.</p>
<p>-R: Recursively changes the attributes of a directory and its contents. Symbolic links are ignored.</p>
<p>-V: Verbose output, including the program version.</p>
<p>i: While this attribute is set, the file cannot be modified, deleted or renamed, no link can be created to it and no data can be written to it, not even by root.</p>
<p>s: When a file with this attribute is deleted, its blocks are zeroed and written back to the disk.</p>
<p>u: When a file with this attribute is deleted, its contents are saved so that the file can be undeleted later.</p>
<p>Note that the chattr man page itself warns that the “s” and “u” attributes are not honoured by the ext2 and ext3 file systems in mainline Linux kernels, so neither secure deletion nor recovery can be relied on through them.</p>
<p>So while doing a forensics investigation of a Linux machine, the analyst must look out for files with these attributes, since they may prove useful during the investigation of the disk.</p>
<p><strong><em>lsattr</em></strong></p>
<p>The attributes set by “chattr” cannot be seen with the normal “ls -l” or “dir -l” command.</p>
<p>“lsattr” is the command to display the attributes set by “chattr”. It lists the file attributes on a second extended or third extended file system.</p>
<p>Let’s quickly look at the available switches for “lsattr” command:</p>
<p>-R: Recursively lists attributes of a directory and its contents</p>
<p>-a: Lists the attributes of all files in the directory, including hidden ones (names starting with ‘.’)</p>
<p><strong><em>Example</em></strong></p>
<p>Let’s create 6 files named sequentially from Test1 to Test6.</p>
<p><img align="middle" alt="Files present in our directory" src="http://www.niiconsulting.com/checkmate/wp-admin/images/0507/image002.jpg" /></p>
<p>Let’s look at the normal directory permissions of these files.</p>
<p><img align="middle" alt="Normal permissions on files" src="http://www.niiconsulting.com/checkmate/wp-admin/images/0507/image004.jpg" /></p>
<p>Now let’s set the immutable (non-deletion) attribute on the file “Test4”.</p>
<p><img align="middle" src="http://www.niiconsulting.com/checkmate/wp-admin/images/0507/image006.jpg" /></p>
<p>Now let’s look at the normal permissions of these files again.</p>
<p><img align="middle" alt="Normal permissions on all files after setting non-deletion attribute" src="http://www.niiconsulting.com/checkmate/wp-admin/images/0507/image007.jpg" /></p>
<p>As we can see, nothing about the attribute set on “Test4” is visible through the normal “ls -l” command.</p>
<p>Now let’s look at the hidden attributes of “Test4” with the “lsattr” command.</p>
<p><img align="middle" alt="Listing attributes set on files" src="http://www.niiconsulting.com/checkmate/wp-admin/images/0507/image009.jpg" /></p>
<p>Now we can see the attribute set on the file “Test4”.</p>
<p>Now let’s try to delete this file using “rm -rf”.</p>
<p><img align="middle" src="http://www.niiconsulting.com/checkmate/wp-admin/images/0507/image011.jpg" /></p>
<p>As we can see, even with root privileges it is impossible for us to delete this file.</p>
<p>The only way to delete this file is to first remove the “i” attribute with the command “chattr -i Test4”.</p>
<p><img align="middle" src="http://www.niiconsulting.com/checkmate/wp-admin/images/0507/image013.jpg" /></p>
<p>Now, if we try to delete this file, it works.</p>
<p><strong>Conclusion</strong></p>
<p>It is very important for a forensics analyst not only to look for files with SUID or SGID set, but also for files with these kinds of attributes set.</p>
<p>A typical scenario is a (hidden) Trojan dropped with this attribute set. Even when an anti-virus program detects such a Trojan file, it may still be unable to delete it, simply because the “+i” attribute is set.</p>
<p>Note that setting or clearing the “i” attribute requires the CAP_LINUX_IMMUTABLE capability, which in practice means root: any root process can remove it, not only the one that set it, so the attribute protects against accidents and against malware that lacks that capability, not against a privileged attacker. For the same reason, Linux doesn’t allow a non-root user to set the “i” attribute on any file or directory.</p>
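<p>As an added example written for this page (not part of the original article), here is the sweep the conclusion asks for, scripted: it parses the output of “lsattr -R” and flags every file carrying an attribute an intruder could use to pin a file in place. It goes one step beyond the article by also flagging the append-only attribute “a”, which is set and cleared the same way. The sample output is constructed, not captured from a real system, and the function names are mine.</p>

```python
"""Flag files with chattr attributes that an intruder could use to keep a file
in place.  Added example; SAMPLE_LSATTR is constructed output, not captured
from a real system."""
import re
import subprocess

# Constructed sample of `lsattr -R` output, including the noise the real
# command produces: directory headers and errors on unsupported file systems.
SAMPLE_LSATTR = """\
./:
----i--------e-- ./Test4
-------------e-- ./Test1
-----a-------e-- ./.bash_history
-------------e-- ./notes.txt
./bin:
----i--------e-- ./bin/ls
-------------e-- ./bin/cat
lsattr: Operation not supported While reading flags on ./proc/1/status
"""

# Attributes worth flagging and why.  'e' (extents) is normal on ext4 and is
# deliberately not listed.
SUSPICIOUS = {
    "i": "immutable: cannot be deleted, renamed or modified even by root",
    "a": "append-only: existing content cannot be truncated or overwritten",
    "s": "secure deletion requested (not honoured by mainline ext2/3/4)",
    "u": "undeletable: contents kept after unlink (not honoured by mainline ext2/3/4)",
}

# An attribute field is a run of flag letters and dashes, a space, then the path.
LINE_RE = re.compile(r"^(?P<flags>[-A-Za-z]{8,})\s+(?P<path>\S.*)$")


def parse_lsattr(text):
    """Yield (path, set_of_flags) for each file line; skip headers and errors."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("path").endswith(":"):
            continue
        flags = set(m.group("flags")) - {"-"}
        yield m.group("path"), flags


def find_pinned_files(text):
    """Return [(path, [(flag, reason), ...])] for files carrying a SUSPICIOUS flag."""
    findings = []
    for path, flags in parse_lsattr(text):
        hits = [(f, SUSPICIOUS[f]) for f in sorted(flags) if f in SUSPICIOUS]
        if hits:
            findings.append((path, hits))
    return findings


def scan_directory(root):
    """Run lsattr -R on a live system and return the findings."""
    out = subprocess.run(["lsattr", "-R", root], capture_output=True, text=True)
    return find_pinned_files(out.stdout + out.stderr)


if __name__ == "__main__":
    for path, hits in find_pinned_files(SAMPLE_LSATTR):
        print(path, ", ".join(f"{flag} ({why})" for flag, why in hits))
```

<p>On a suspect disk, run scan_directory() against the mounted image rather than the live system, and treat an immutable or append-only file outside the places an administrator would deliberately protect (for example “/etc/resolv.conf” is a common legitimate use of “+i”) as something to explain.</p>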
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2007/05/16/dare-to-delete-my-files/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Understanding NTFS file system</title>
		<link>http://niiconsulting.com/checkmate/2007/01/29/ntfs/</link>
		<comments>http://niiconsulting.com/checkmate/2007/01/29/ntfs/#comments</comments>
		<pubDate>Mon, 29 Jan 2007 04:21:53 +0000</pubDate>
		<dc:creator>Kush</dc:creator>
				<category><![CDATA[Fundamentals]]></category>

		<guid isPermaLink="false">http://www.niiconsulting.com/checkmate/2007/01/ntfs/</guid>
		<description><![CDATA[by Kush Wadhwa, NII Consulting In this article I will cover the basic concepts of the NTFS file system. In NTFS (New Technology File System) all important data, including the file system’s administrative data, is stored in files, and these files can be located anywhere in a particular volume. These files don&#8217;t have reserved [...]]]></description>
			<content:encoded><![CDATA[<p>by <a href="mailto:kush.wadhwa@niiconsulting.com"><strong>Kush Wadhwa</strong></a>, <a href="http://www.niiconsulting.com"><strong>NII Consulting</strong></a></p>
<p>In this article I will cover the basic concepts of the NTFS file system. In NTFS (<strong>N</strong>ew <strong>T</strong>echnology <strong>F</strong>ile <strong>S</strong>ystem) all important data, including the file system’s own administrative data, is stored in files, and these files can be located anywhere in the volume. They don’t have reserved space as other file systems (FAT) have. The only fixed location in NTFS is the first sector of the volume, which contains the boot sector and boot code.<span id="more-39"></span></p>
<p>Another important concept for understanding NTFS is the MFT. The <strong>M</strong>aster <strong>F</strong>ile <strong>T</strong>able (MFT) is important because it contains information about every file and directory on the NTFS volume. Each file or directory takes a fixed-size entry, typically 1 KB, in the MFT. This entry contains the MFT entry header followed by attributes such as the file’s name and, for small files, the file’s content itself. The first 42 bytes are the entry header, which contains 12 fields; the remaining bytes are unstructured and are filled with attributes. Microsoft reserves the first 16 MFT entries for file system metadata files. These 16 entries are explained below.</p>
<ul>
<li>0 <strong>$MFT</strong>: the entry for the MFT itself</li>
<li>1 <strong>$MFTMirr</strong>: contains a backup of the first entries of $MFT</li>
<li>2 <strong>$LogFile</strong>: journal of metadata transactions</li>
<li>3 <strong>$Volume</strong>: volume information, such as the label and version</li>
<li>4 <strong>$AttrDef</strong>: attribute definitions, such as identifier, name and sizes</li>
<li>5 <strong>.</strong>: the root directory of the file system (its index links file names to their MFT entries)</li>
<li>6 <strong>$Bitmap</strong>: allocation status of each cluster in the file system</li>
<li>7 <strong>$Boot</strong>: the boot sector and boot code of the file system</li>
<li>8 <strong>$BadClus</strong>: tracks the bad clusters of the volume</li>
<li>9 <strong>$Secure</strong>: security and access control information for files</li>
<li>10 <strong>$UpCase</strong>: table converting lowercase characters to their Unicode uppercase equivalents</li>
<li>11 <strong>$Extend</strong>: directory for optional extensions such as quotas, reparse point data and object identifiers</li>
<li>12-15: reserved for future use</li>
</ul>
<p>To understand NTFS in more detail, open your NTFS volume in a hex editor. I use WinHex as it is a very flexible tool. With it we can jump directly to the MFT entries and step through all the entries mentioned above.</p>
<p>If the first entries of the MFT are corrupted, the mirror copy, $MFTMirr, is used. We can retrieve deleted files with a hex editor if we know where the file was located. We will discuss NTFS further in coming articles. Till then, happy experimenting.</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2007/01/29/ntfs/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Carving Issues</title>
		<link>http://niiconsulting.com/checkmate/2006/12/07/data-carving-issues/</link>
		<comments>http://niiconsulting.com/checkmate/2006/12/07/data-carving-issues/#comments</comments>
		<pubDate>Thu, 07 Dec 2006 16:15:46 +0000</pubDate>
		<dc:creator>Chetan Gupta</dc:creator>
				<category><![CDATA[Disk Forensics]]></category>
		<category><![CDATA[Fundamentals]]></category>
		<category><![CDATA[Tools]]></category>

		<guid isPermaLink="false">http://www.niiconsulting.com/checkmate/2006/12/data-carving-issues/</guid>
		<description><![CDATA[by Chetan Gupta, NII Consulting Many a times as an investigator, I have to deal with the issue of carving data from unallocated spaces in a partition. There are many commercial data carving tools such as Encase, Winhex, Accessdata FTK, DataLifter, ILookInvestigator. Well, I have tried most of these and must say most of them [...]]]></description>
			<content:encoded><![CDATA[<p>by <strong>Chetan Gupta, <a href="http://www.niiconsulting.com//">NII Consulting</a></strong></p>
<p>Many a time as an investigator, I have to deal with carving data out of the unallocated space of a partition. There are many commercial data carving tools, such as Encase, WinHex, AccessData FTK, DataLifter and ILookInvestigator. I have tried most of these and must say most of them have their share of pros and cons.<span id="more-38"></span> Encase has the widest range of supported file types and also lets you add more (you need to know the header and footer for sure). But if the file system is heavily fragmented, data carving becomes less effective, because a carver only sees a contiguous run of bytes between a header and a footer, while a fragmented file&#8217;s bytes are scattered across non-adjacent clusters.<br />
There are three main issues with data carving:</p>
<p>1. Most tools find the header, but the footer may not lie in the same or a consecutive cluster. The file is then carved up to the size limit the investigator configured for that type, so the carved file may contain gibberish at the end, or may be incomplete and therefore unviewable.</p>
<p>2. The names of carved files cannot be ascertained, because carving does not use file system metadata: the Master File Table on NTFS, or the inode table and directory entries on ext2/ext3 (the Linux superblock describes the file system as a whole, not individual files).<br />
3. As data carving is based on guesswork, results include many false hits, so carving may not be as reliable as required. Footer analysis (checking that the bytes between header and footer form a valid file) and discarding overlapping file signatures (a header that lands inside an already carved file of the same type, such as an embedded thumbnail) help reduce this problem.</p>
<p>Depending upon the situation, the investigator can choose his tool for carving. However, he must understand the capabilities of the tool and the file signatures it supports. In my experience, Encase V5 has the most extensive signature database for carving among all tools. Foremost, Scalpel and WinHex allow you to add custom signatures, which is extremely useful. Sadly, FTK v1.50 doesn&#8217;t support adding signatures. Not sure if they have added this capability in later versions.</p>
<p>Running foremost is pretty easy under Linux:</p>
<p># foremost -T -t all -o output_directory -i input_file<br />
-T: put a unique timestamp in the output directory name, so repeated runs do not collide<br />
-t: file types to carve (all types here). The supported types can be tweaked with the -c option and a configuration file<br />
-o: output directory<br />
-i: input image (a raw dd image, or a file of extracted unallocated space)</p>
<p>The syntax of Scalpel is very similar to that of Foremost, with minor changes. However, it makes two passes over the unallocated data: a first pass in which it identifies file headers and footers, and a second pass in which it actually carves out the files. My experience with Scalpel hasn&#8217;t been great, as with large files it would stop midway in the second pass, throwing up some error.</p>
<p>Two interesting tools of note are <em>filesig</em> and <em>headergrab</em>, both available <a target="_blank" href="http://www.filesig.co.uk">here</a>.<br />
From the horse&#8217;s mouth:<br />
Filesig Manager is a file signature and keyword management tool, acting as an examiner&#8217;s central repository of File Identification information.<br />
The information within can be readily exported to the majority of mainstream forensic examination tools. Some of the features to date include:</p>
<p>* Export to Datalifter (Standard and Adv Signatures).<br />
* Export to DiskCat.<br />
* Export to File Extractor Pro.<br />
* Export to Encase version 3 and 4.<br />
* Export to iLook.<br />
* Export to ProDiscover.<br />
* Export to Simple Carver.<br />
* Export to WinHex Forensic.</p>
<p>Header Grab:<br />
Header Grab is a research tool, which allows the user to quickly extract the first eight bytes and last four bytes from every file within the specified folder.<br />
This is interesting because, by collecting the first and last few bytes of many files of the same type, you can identify the actual header and footer for that type, which is very useful when building your own signature database.</p>
<p>They are available for free download at http://www.filesig.co.uk</p>
<p>For efficient data carving, a tool needs built-in intelligence to identify the boundaries of a file. If the file is fragmented, it needs a mechanism to find the remaining fragments, either by trial and error (checking every remaining cluster for the rest of the file, which can be extremely time consuming) or by making intelligent guesses (for example, checking the next 10 clusters first, and looking for the kind of data the file type is known to contain, such as the different segment headers of a Word document), and then validating the resulting file.</p>
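<p>To make the three issues above and the fragmentation problem concrete, here is a small header/footer carver. It is an added example written for this article, not code from the original post or from Foremost, Scalpel, Encase or any other tool named here. The signatures are the genuine JPEG, GIF and PNG headers and footers; the 2.5 KB buffer of &#8220;unallocated space&#8221; it scans is constructed inline and contains a complete GIF, a JPEG with an embedded thumbnail (a second JPEG header nested inside the first), a complete PNG and a JPEG whose footer was never written. It carves to the configured size limit when a footer is missing (issue 1), cannot name anything because it never looks at metadata (issue 2) and discards nested same-type signatures (issue 3); the align parameter restricts header matches to cluster boundaries, which is how real carvers cut down false hits.</p>

```python
"""Header/footer file carver over an unallocated-space image. Added example, not code
from the original article or from any of the tools it names. The sample buffer at the
bottom is constructed for the demonstration; the signatures are the real JPEG, GIF and
PNG headers and footers."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    ext: str
    header: bytes
    footer: Optional[bytes]   # None: the type has no usable footer, carve max_size bytes
    max_size: int             # the size limit an investigator configures per type


SIGNATURES = [
    Signature("jpg", b"\xff\xd8\xff", b"\xff\xd9", 2 * 1024 * 1024),
    Signature("gif", b"GIF8", b"\x00\x3b", 1024 * 1024),
    Signature("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 2 * 1024 * 1024),
]


@dataclass(frozen=True)
class Carved:
    ext: str
    offset: int
    size: int
    complete: bool            # False: footer not found within max_size (issue 1 in the text)


def carve(data: bytes, signatures=SIGNATURES, align: int = 1) -> list:
    """Find every header, look for the matching footer within max_size, and drop hits
    that start inside an already carved file of the same type (issue 3). `align` restricts
    header matches to cluster boundaries, which is how real carvers cut false positives."""
    hits = []
    for sig in signatures:
        pos = data.find(sig.header)
        while pos != -1:
            if pos % align == 0:
                limit = min(len(data), pos + sig.max_size)
                end = None
                if sig.footer is not None:
                    f = data.find(sig.footer, pos + len(sig.header), limit)
                    if f != -1:
                        end = f + len(sig.footer)
                complete = end is not None
                if end is None:
                    end = limit                # no footer: carve up to the configured limit
                hits.append(Carved(sig.ext, pos, end - pos, complete))
            pos = data.find(sig.header, pos + 1)
    hits.sort(key=lambda h: h.offset)
    kept, last_end = [], {}
    for h in hits:
        if h.offset < last_end.get(h.ext, -1):   # header nested in a carved file: overlap
            continue
        kept.append(h)
        if h.complete:
            last_end[h.ext] = h.offset + h.size
    return kept


def extract(data: bytes, hit: Carved) -> bytes:
    return data[hit.offset:hit.offset + hit.size]


def _block(content: bytes, size: int = 512) -> bytes:
    """Pad an artifact to one 512-byte cluster so every header sits on a cluster boundary."""
    return content + bytes(size - len(content))


# Constructed 2.5 KB of "unallocated space", one 512-byte cluster per artifact
GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x2c" + bytes(9) + b"\x00\x3b"
NESTED_JPEG = (b"\xff\xd8\xff\xe1\x00\x00" + b"\xff\xd8\xff\xe0" + b"\x22" * 10
               + b"\xff\xd9" + b"\x33" * 5 + b"\xff\xd9")       # thumbnail inside a JPEG
PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + bytes(17)
       + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")
TRUNCATED_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40   # footer never written
SAMPLE = _block(b"") + _block(GIF) + _block(NESTED_JPEG) + _block(PNG) + _block(TRUNCATED_JPEG)

if __name__ == "__main__":
    for h in carve(SAMPLE, align=512):
        print(h, extract(SAMPLE, h)[:8])
```

<p>Two things the run shows that the text only states: the JPEG with a thumbnail is carved up to the thumbnail&#8217;s footer, so the outer file comes out short, which is exactly the footer-analysis problem; and the footer-less JPEG is carved up to its limit with complete set to False, so an examiner can triage it separately instead of treating it as a valid file. Fragmented files would need the cluster-by-cluster search the paragraph above describes; this carver, like Foremost, only sees contiguous runs.</p>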
<p>A significant step towards solving these issues was taken by Digital Forensic Research Workshop (DFRWS) when they organized a data carving challenge available <a target="_blank" href="http://www.dfrws.org/2006/challenge/">here</a>. The challenge threw up some interesting results and some new tools by various researchers.</p>
<p>Happy data carving!</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2006/12/07/data-carving-issues/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Bad Superblock, corrupt inode tables and loads of bad luck!</title>
		<link>http://niiconsulting.com/checkmate/2006/12/07/bad-superblock-corrupt-inode-tables-and-loads-of-bad-luck/</link>
		<comments>http://niiconsulting.com/checkmate/2006/12/07/bad-superblock-corrupt-inode-tables-and-loads-of-bad-luck/#comments</comments>
		<pubDate>Thu, 07 Dec 2006 15:58:06 +0000</pubDate>
		<dc:creator>Chetan Gupta</dc:creator>
				<category><![CDATA[Case Studies]]></category>
		<category><![CDATA[Disk Forensics]]></category>
		<category><![CDATA[Fundamentals]]></category>

		<guid isPermaLink="false">http://www.niiconsulting.com/checkmate/2006/12/bad-superblock-corrupt-inode-tables-and-loads-of-bad-luck/</guid>
		<description><![CDATA[by Chetan Gupta, NII Consulting Well, last week was abuzz with activity when we had to recover data from a corrupt Linux hard disk. Thought it would be pretty easy but as soon as I loaded the hard disk, I knew something was amiss. I was in for a shock as the disk had severe [...]]]></description>
			<content:encoded><![CDATA[<p>by <strong>Chetan Gupta, <a href="http://www.niiconsulting.com//">NII Consulting</a></strong></p>
<p>Well, last week was abuzz with activity when we had to recover data from a corrupt Linux hard disk. Thought it would be pretty easy but as soon as I loaded the hard disk, I knew something was amiss.<span id="more-37"></span> I was in for a shock as the disk had severe damage in the beginning sectors. Still, Encase was able to load the disk but could not show the file structure! At least it was showing the three partitions!<br />
What do we do?<br />
Well, the first step was to image the hard disk so that if I did mess up the hard disk, I could restore it to what was there originally. So, I loaded FTK Imager and used it to image the hard disk into split raw files (since raw files are easier to use with Sleuthkit and other open source tools).<br />
I had it in my mind that Encase would allow me to load raw files and analyze them, so I thought I was on safe ground! Well, the raw files filled up most of my forensic disk since they amounted to about 120 GB of space! Anyway, the idea was to run disk repairing tools on the conked hard disk and side-by-side run data recovery tools on the image. Well, not all plans execute to perfection&#8230; this one sure didn&#8217;t! As soon as I loaded the split raw image into Encase, it crashed! Sure, it has problems with large split files. Then I said to myself, &#8220;No problem, there&#8217;s Sleuthkit for me&#8221;. What was not expected was that Sleuthkit did not recognise the file system on the three partitions.</p>
<p>A simple strings on the first split image showed up interesting results &#8211; most of the files were quite intact although their beginning and end hardly recognizable from the big junk of words&#8230;and I saw the last fsck log which clearly stated that both primary and secondary superblocks were corrupt! WoW!</p>
<p>Anyway, I tried rebuilding the superblock and inode table but to no avail. However, after the repair operation, I could run fsstat on the third partition but again it showed 99% of the inodes to be free! I tried using fsck with one of the secondary superblocks but it did not help. I guess the secondary superblock structures had got corrupted too!<br />
Then I said to myself, &#8220;Maybe data carving is the best option in this situation&#8221;. I concatenated the split files and created a huge raw file so as to feed my open source data carving monsters (read Foremost and Scalpel)! Foremost did carve out some data but largely false hits, and Scalpel never got going. It would stop midway during the all-important second pass! The next step was to use all available file carving tools (from WinHex to Encase to FTK) and collate the valid files obtained from them. It was tedious but nevertheless, I could recover a lot of files (read gif, bmp, jpeg, html and mail files).</p>
<p>Data carving could be quite frustrating if the filesystem is hugely fragmented. I would discuss data carving in some more detail in my forthcoming article.</p>
<p>Hope you enjoyed reading this one though!</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2006/12/07/bad-superblock-corrupt-inode-tables-and-loads-of-bad-luck/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hiding data with Host Protected Area (HPA) in Linux</title>
		<link>http://niiconsulting.com/checkmate/2006/09/15/hiding-data-with-hpahost-protected-area-in-linux/</link>
		<comments>http://niiconsulting.com/checkmate/2006/09/15/hiding-data-with-hpahost-protected-area-in-linux/#comments</comments>
		<pubDate>Fri, 15 Sep 2006 10:49:35 +0000</pubDate>
		<dc:creator>Kush</dc:creator>
				<category><![CDATA[Disk Forensics]]></category>
		<category><![CDATA[Fundamentals]]></category>

		<guid isPermaLink="false">http://www.niiconsulting.com/checkmate/2006/09/hiding-data-with-hpahost-protected-area-in-linux/</guid>
		<description><![CDATA[By Kush Wadhwa, NII Consulting Have you ever thought of hiding data in such a manner that it cannot be deleted even after the hard disk is formatted? Well, in this article, we&#8217;ll look at just that; we will see how you can hide and unhide crucial data on your hard disk. The [...]]]></description>
			<content:encoded><![CDATA[<p>By <strong>Kush Wadhwa</strong>, <a href="http://www.niiconsulting.com">NII Consulting</a></p>
<p>Have you ever thought of hiding data in such a manner that it cannot be deleted even after the hard disk is formatted? Well, in this article we&#8217;ll look at just that; we will see how you can hide and unhide crucial data on your hard disk. The technique used to hide the data is known as HPA, which stands for Host Protected Area. Let us first discuss HPA&#8230;</p>
<p><strong>HPA</strong> &#8211; The Host Protected Area (also called the Hidden Protected Area and, by some vendors, the Predesktop Area) is a region at the end of a hard disk that the drive firmware does not report to the operating system. The ATA SET MAX ADDRESS command lowers the sector count the drive advertises, and everything above that limit is invisible to partitioning tools, to formatting and to an ordinary image of the device. Its size is whatever the command was given; vendors typically use a few gigabytes of it for recovery software.</p>
<p>Since we have to calculate the hard disk space which is to be put in the HPA, here&#8217;s a little about hard disk sectors.</p>
<p><strong>Sectors -</strong> A sector is the smallest unit that can be accessed on a hard disk. Each platter, or circular disk of a hard disk is divided into tracks, which run around the disk. These tracks get longer as they move from the middle towards the outside of the disk, so there are more sectors along the tracks near the outside of the disk than the ones towards the center of disk.</p>
<p>1 Sector=512 bytes</p>
<p>Let us first see how many sectors there are in my hard disk, which can easily be done using the hdparm command (for example, hdparm -I /dev/hdc prints the LBA user addressable sector count).</p>
<p><img align="middle" alt="hpdarm command" src="http://www.niiconsulting.com/checkmate/wp-admin/images/0906/figure-1.jpg" /></p>
<p>From the above figure we can see that the hard disk has 78165359 sectors in total. Converting that to gigabytes (78165359 &#215; 512 bytes), we get 37.27 GB. To hide data, make a separate partition for it (<strong>Note: this partition must be the last partition on the disk</strong>). An HPA can only sit at the end of the disk, never at the beginning or in the middle. Using sfdisk -luS, note the starting sector of that last partition. Let the starting sector of the last partition be 64776751. Now I want only the first 64776751 sectors to be accessible and the rest of the sectors to be in the HPA. To set the limit I will use a small C program, <strong>setmax.c</strong>, which can be downloaded from the link below.</p>
<p>http://www.win.tue.nl/~aeb/linux/setmax.c</p>
<p>To compile this program I will use gcc</p>
<p>[root@hack3rs root]#gcc -o setmax setmax.c</p>
<p>To compile it statically,<br />
[root@hack3rs root]#gcc -static -o setmax setmax.c</p>
<p>Since the first 64776751 sectors are to remain accessible, run:<br />
[root@hack3rs root]#./setmax --delta 64776751 /dev/hdc (use your own device name).</p>
<p>The --delta option makes a temporary HPA, which does not survive a power cycle. If you want a permanent HPA, use the --max option of setmax instead. Either way, only the drive&#8217;s advertised size changes; no partition table or file system is touched, which is why a later format of the visible part of the disk leaves the hidden data intact.<br />
Congratulations! You have hidden the sectors from 64776751 up to the end of the disk: 78165359 - 64776751 = 13388608 sectors, roughly 6.4 GB. You can confirm that the disk now has an HPA with <strong>disk_stat</strong>, which comes with the Sleuth Kit. The Sleuth Kit can be downloaded from its official site http://www.sleuthkit.org. The general syntax is disk_stat device, where device is the whole disk, such as /dev/{hda,hdb,hdc,sda,sdb,sdc}. Be sure not to give a partition name.<br />
<strong>Unhiding your host protected area (especially written for digital forensics teams)</strong></p>
<p>When a digital forensics team inspects a machine, it should first check whether the hard disk has an HPA. If it does, data may well be stored there that could help solve the case, and an image taken without removing or accounting for the HPA will silently omit it. As said earlier, this check is easily done with disk_stat, which shows the <strong>Maximum Disk Sector</strong> and the <strong>Maximum User Sector</strong>.</p>
<p><strong>Maximum Disk Sector: </strong>This gives the total number of sectors present in hard disk.</p>
<p><strong>Maximum User Sector: </strong>This gives the total number of sectors which user can access.</p>
<p>As per the example above, I got the following result:</p>
<p><strong>Maximum Disk Sector</strong>:  78165359<br />
<strong>Maximum User Sector</strong>:<strong>  </strong>64776751</p>
<p>** HPA Detected (Sectors 64776751 &#8211; 78165359) **</p>
<p>This means that the sectors from 64776751 to 78165359 are in the HPA. Now use setmax again to unhide them (this changes the drive&#8217;s configuration, so record the values before and after in your notes):</p>
<p>[root@hack3rs root]#./setmax --delta 78165359 /dev/hdc</p>
<p>This will make all your hard disk accessible. I hope you all enjoyed reading the article.</p>
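<p>The procedure above turns on three numbers (the disk&#8217;s native sector count, the user-visible count and the start of the partition being hidden) and has two places to go wrong: the arithmetic and the partition boundary. The helper below is an added example written for this article, not code from the original post, the Sleuth Kit, hdparm or setmax. It parses the disk_stat output shown above (reproduced as a string), computes the hidden range and its size, and checks a partition table as read from sfdisk -luS to confirm that hiding everything from the last partition&#8217;s start sector would not cut through any other partition, which is what the note about the partition being the last one guards against. The partition table is constructed, and the hdparm -N line format it also accepts is an assumption about modern hdparm output.</p>

```python
"""HPA detection and sizing helper. Added example, not code from the original article
or from Sleuth Kit, hdparm or setmax. The disk_stat output below is the article's own
(reproduced as a constructed string); the partition table is constructed, and the
`hdparm -N` line format is an assumption about modern hdparm output."""
import re

SECTOR_BYTES = 512            # the article's 512-byte sectors; 4Kn disks report 4096


def sectors_to_gib(sectors: int) -> float:
    """78165359 sectors -> 37.27, the figure the article calls GB."""
    return sectors * SECTOR_BYTES / 2 ** 30


def _summarise(visible: int, native: int) -> dict:
    hidden = native - visible
    if hidden < 0:
        raise ValueError("user-visible size exceeds native size: output is garbled")
    return {"visible": visible, "native": native, "hidden": hidden, "hpa": hidden > 0,
            "hidden_gib": round(sectors_to_gib(hidden), 2),
            # first hidden sector .. native size, the way disk_stat prints the range
            "hidden_range": (visible, native) if hidden else None}


def parse_disk_stat(output: str) -> dict:
    """Parse the 'Maximum Disk Sector' / 'Maximum User Sector' lines of Sleuth Kit's disk_stat."""
    disk = re.search(r"Maximum Disk Sector:\s*(\d+)", output)
    user = re.search(r"Maximum User Sector:\s*(\d+)", output)
    if not (disk and user):
        raise ValueError("disk_stat output lacks the two sector lines")
    return _summarise(int(user.group(1)), int(disk.group(1)))


def parse_hdparm_n(output: str) -> dict:
    """Parse `hdparm -N`. ASSUMED format: ' max sectors   = 64776751/78165359, HPA is enabled'
    (visible/native); verify against your hdparm version before trusting the regex."""
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)", output)
    if not m:
        raise ValueError("no 'max sectors = visible/native' line in hdparm output")
    return _summarise(int(m.group(1)), int(m.group(2)))


def user_sectors_for_hiding(partitions: list, total_sectors: int) -> int:
    """Given (start, size) pairs as read from `sfdisk -luS`, return the count to hand to
    setmax so that exactly the last partition disappears into the HPA. The HPA can only
    cover the tail of the disk, so any other partition reaching past that point is refused."""
    last = max(partitions, key=lambda p: p[0])
    visible = last[0]
    if last[0] + last[1] > total_sectors:
        raise ValueError("last partition runs past the end of the disk")
    for start, size in partitions:
        if (start, size) != last and start + size > visible:
            raise ValueError(f"partition at sector {start} extends past {visible}; the HPA would cut it")
    return visible


# The article's disk_stat result, reproduced as a string; the partition table is constructed
DISK_STAT_OUTPUT = """Maximum Disk Sector: 78165359
Maximum User Sector: 64776751
** HPA Detected (Sectors 64776751 - 78165359) **"""
PARTITIONS = [(63, 20000000), (20000063, 44776688), (64776751, 13388608)]

if __name__ == "__main__":
    print(parse_disk_stat(DISK_STAT_OUTPUT))
    print("setmax --delta", user_sectors_for_hiding(PARTITIONS, 78165359), "/dev/hdc")
```

<p>The figures match the article: 78165359 sectors are 37.27 GB, and hiding from sector 64776751 puts 13388608 sectors (about 6.4 GB) into the HPA. Newer Sleuth Kit releases no longer ship disk_stat; hdparm -N /dev/sdX reports the same visible and native counts, and, as with setmax, changing them alters the drive, so an examiner records the values before and after.</p>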
<p>Happy Experimenting!</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2006/09/15/hiding-data-with-hpahost-protected-area-in-linux/feed/</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
		<item>
		<title>Computer Forensics Volunteer Project</title>
		<link>http://niiconsulting.com/checkmate/2006/08/28/computer-forensic-volunteer-project/</link>
		<comments>http://niiconsulting.com/checkmate/2006/08/28/computer-forensic-volunteer-project/#comments</comments>
		<pubDate>Mon, 28 Aug 2006 08:38:46 +0000</pubDate>
		<dc:creator>Bhushan Shah</dc:creator>
				<category><![CDATA[Compromise Detection]]></category>
		<category><![CDATA[Disk Forensics]]></category>
		<category><![CDATA[Fundamentals]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Network Forensics]]></category>

		<guid isPermaLink="false">http://www.niiconsulting.com/checkmate/2006/08/computer-forensic-volunteer-project/</guid>
		<description><![CDATA[by Bhushan Shah, NII Consulting Mrs Carol L. Stimmel has taken upon her to start a Computer Forensic Volunteer Project to provide low-cost services to those who cannot assert advantage from our skills. Here is a bit taken from the press release:- “As expert members of the international computer forensics community which provides unique and [...]]]></description>
			<content:encoded><![CDATA[<p>by <strong><a href="mailto:bhushan@niiconsulting.com">Bhushan Shah</a>, </strong><a href="http://www.niiconsulting.com">NII Consulting </a></p>
<p>Mrs Carol L. Stimmel has taken it upon herself to start a Computer Forensics Volunteer Project to provide low-cost services to those who cannot otherwise benefit from our skills.</p>
<p>Here is a bit taken from <a href="http://www.prweb.com/releases/2006/8/prweb426937.htm">the press release:-</a></p>
<p>“As expert members of the international computer forensics community which provides unique and highly desirable services to the legal system, we assume a responsibility to provide services to those in need yet unable to pay. As a result, the Computer Forensics Volunteer Project (CFVP) provides pro bono and low-cost forensic services to individuals and organizations who normally would not be able to take advantage of the distinct litigation advantage provided by these techniques.”</p>
<p>On behalf of <a href="http://www.niiconsulting.com/">NII Consulting</a> I have volunteered to take part in the project and would like to help people who cannot afford such services.</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2006/08/28/computer-forensic-volunteer-project/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

