
Forensic talk slides

Hello! I was able to do a fire talk @ Drexel CCI in the Rush building last night. It was fresh to get feedback from people, share my presentation, see everyone else present and chat with people.

If you would like some slides about the use of dd, sha256sum and exiftool, you are welcome to the slides. :)

For fun, you can run exiftool on this ppt, exported from LibreOffice.

For accessibility and ease of access, I added the text contents of the slides below in this post. Also of note, I used photos, because I finished the slides the day I presented them. :p

Text from slides below:

|+| Slide 01

Forensication

A data backup and verification chat.

Backing up and ripping data, making test beds and using equipment.

This fire talk will cover:

Write-blockers (hardware), dd, sha256sum, exiftool.

|+| Slide 02

Disclaimer (01 of 02)

Formal forensics is a wide field and circles around the notion of backing up information, with minimal to no changes of the source data.

Deeper forensic scope also involves analyzing the platform / Operating System, in order to determine OS level access (Example – thumbs.db folder indexers) versus manually viewed files.

|+| Slide 03

Disclaimer (02 of 02)

This talk is based on using your own test data to try out analytic tools and to understand how they work, without worrying about client liability. Use some test data you are familiar with, as this makes finding ‘the needle in the haystack’ and spotting patterns tremendously easier.

Testing with the tools will give you the comfort to provide services for others.

|+| Slide 04

Backstory

Howdy. I got into data imaging over the years from system building and also doing support for friends, family and businesses. Originally, plugging a hard drive into another machine, I would target C:\Users and grab profile data, application data and whatever else.

After a while I got into Linux for file ripping. Some files are protected in Windows, even when the disk is attached as a second drive.

|+| Slide 05

Tool usage

There are plenty of tools and applications with graphical forms you can use. However, they can be quite expensive.

Personally, I like having built-in command line tools available, especially for the sake of booting up a live CD at any location and being able to work, based on what I’m being asked to do or recover.

|+| Slide 06

Write Blocker Imaging

Using a hardware write-blocker is an assured way to not modify the contents of the source drive.

They are around $300 USD, so there are cheaper options using software write blocking… but if you forget to turn it on, you can contaminate your data source.

(Such as browsing a folder, having windows make new thumbs.db files)

|+| Slide 07

[Picture of write blocker source drive, and output drive]

|+| Slide 08

Imaging Drives

[console]

sudo dd if=/dev/sdf of=/dev/sdg bs=16384k

[/console]

For a 500 GB HDD, it took about 3 hours. (results below)

[output_example]

29808+1 records in

29808+1 records out

500107862016 bytes (500 GB, 466 GiB) copied, 10836.7 s, 46.1 MB/s

[/output_example]

So how do you come up with the device names?

[console]

ls /dev/sd*

[/console]

[output_example]

/dev/sda

/dev/sda1

/dev/sda2

/dev/sdb

/dev/sdb1

[/output_example]

|+| Slide 09

Verifying disk image

Now that your drive is imaged, let’s start verifying with the source drive, hooked up to the write-blocker.

This is for the source drive.

[console]

sudo sha256sum /dev/sda

[/console]

[output_example]

cc73a7aefba01ee7550dab0870b1ef52e1f7dc3d7f685357a5712fc5c2c4c7bf /dev/sda

[/output_example]

Unhook the source drive, plug in the target / copied drive and run the same command.

[console]

sudo sha256sum /dev/sda

[/console]

[output_example]

cc73a7aefba01ee7550dab0870b1ef52e1f7dc3d7f685357a5712fc5c2c4c7bf /dev/sda

[/output_example]

In the above, I hooked up the cloned drive, powered up the Write-blocker, confirmed the disc mounted, then calculated the cryptographic checksum.

Boom! It’s a match :)
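The image-then-verify workflow of Slides 08 and 09, as an added example that is not part of the original talk: it wraps the same dd and sha256sum commands in small shell functions, and adds a manifest step so the digest taken at acquisition time is recorded and can be re-checked later with `sha256sum -c`. SRC and DST are ordinary files standing in for the /dev/sdX devices, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original talk: image a source with dd and verify the
# copy with sha256sum, the way Slides 08-09 do by hand. SRC and DST are ordinary
# files here standing in for /dev/sdX devices; the function names are this example's own.

# image_drive SRC DST: byte-for-byte copy with the large block size used in the talk.
# No conv=sync here: padding the final partial record would change the copy's hash.
image_drive() {
    dd if="$1" of="$2" bs=16384k
}

# hash_of PATH: the hex digest only (sha256sum prints "<digest>  <path>")
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_image SRC DST: print both digests; return 0 on match, 1 on mismatch
verify_image() {
    src_hash=$(hash_of "$1")
    dst_hash=$(hash_of "$2")
    printf 'source %s\ntarget %s\n' "$src_hash" "$dst_hash"
    [ "$src_hash" = "$dst_hash" ]
}

# record_hash PATH MANIFEST: append the sha256sum line for PATH to MANIFEST so the
# digest taken at acquisition time is kept with the case notes
record_hash() {
    sha256sum "$1" >> "$2"
}

# check_manifest MANIFEST: re-hash every file listed and compare (sha256sum -c);
# returns non-zero if any listed file no longer matches its recorded digest
check_manifest() {
    sha256sum -c "$1"
}

# Stand-alone run on constructed data (not a real drive): an odd-sized source so
# that dd reports a partial last record, like the "29808+1" in the talk.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    head -c 1048577 /dev/urandom > "$tmp/source.img"
    image_drive "$tmp/source.img" "$tmp/target.img"
    verify_image "$tmp/source.img" "$tmp/target.img" && echo "match"
    record_hash "$tmp/source.img" "$tmp/manifest.sha256"
    check_manifest "$tmp/manifest.sha256"
    rm -rf "$tmp"
fi
```

Run it as `sh script.sh demo`. Two points worth keeping in mind when doing this on a real drive: hash the whole raw device (/dev/sda, not /dev/sda1) with the source still behind the write-blocker, and for a multi-hour run GNU dd accepts `status=progress` to report throughput while it copies.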

|+| Slide 10

Cryptographic Checksums

There are plenty of options for generating checksums. While SHA-1 and MD5 are commonly used, there are some theoretical attacks against their hash space.

Signature-based anti-virus seems to have had some clashes in the MD5 space.

Tools to get a checksum for a file are:

md5sum

sha1sum

sha256sum

|+| Slide 11

Checksum examples

Here I made a text file, saved it then calculated what the file’s crypto hash is (in sha256).

Making a new file called ‘sampleChecksum.txt’ with the contents of ‘Hello checksum’ and saving it.

[console]

nano sampleChecksum.txt

[/console]

Obtaining the checksum of said file:

[console]

sha256sum sampleChecksum.txt

[/console]

[output_example]

9f8135859f0d32a46093fdf272952fb1133a8995af32f0b3e0f39daacfb78ffs sampleChecksum.txt

[/output_example]

Making a second file with a single character change, I calculated that hash. New file called ‘sample02Checksum.txt’ with the contents of ‘Hello Checksum’ and saving it.

[console]

sha256sum sample02Checksum.txt

[/console]

[output_example]

65762af89d327b44f6b824689cbe7169869ebf054384bab9a699aae25e51fb7f sample02Checksum.txt

[/output_example]

The file contents are described above: they are the same, except that the second file has an upper-case C in ‘Checksum’ where the original is in lower case. Note how different the checksum output is for two files with similar names and a single character changed in the contents.

|+| Slide 12

Other checksum examples

ISO downloads and similar downloads tend to use MD5, so here are some extra output examples using the same two base files we made.

[console]

md5sum sampleChecksum.txt

[/console]

[output_example]

9938b398bc883db337fb41431545955b sampleChecksum.txt

[/output_example]

[console]

md5sum sample02Checksum.txt

[/console]

[output_example]

65019593d2acc1e5fb4138dc18facd87 sample02Checksum.txt

[/output_example]

sha1sum displays a similar but unique output for each file, with a slightly longer (8 more characters) return value than md5sum.
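The comparison in Slides 11 and 12, as an added example that is not from the original slides: it recreates the two one-letter-apart files, hashes each with md5sum, sha1sum and sha256sum, reports the digest length for each tool (32, 40 and 64 hex characters), and counts how many digest positions differ between the two files, which puts a number on the "how different the checksum output is" observation. The function names and the sample directory are this example's own.

```shell
#!/bin/sh
# Added example, not from the original slides: hash the same two files with
# md5sum, sha1sum and sha256sum, compare digest lengths, and count how many hex
# positions differ between the two files' digests.

# make_samples DIR: the two constructed files from Slides 11-12 (one letter apart)
make_samples() {
    printf 'Hello checksum\n' > "$1/sampleChecksum.txt"
    printf 'Hello Checksum\n' > "$1/sample02Checksum.txt"
}

# digest TOOL FILE: hex digest only, without the trailing file name
digest() {
    "$1" "$2" | cut -d' ' -f1
}

# diff_positions HEX1 HEX2: number of character positions where the digests differ
diff_positions() {
    n=0
    i=1
    len=${#1}
    while [ "$i" -le "$len" ]; do
        a=$(printf '%s' "$1" | cut -c"$i")
        b=$(printf '%s' "$2" | cut -c"$i")
        if [ "$a" != "$b" ]; then
            n=$((n + 1))
        fi
        i=$((i + 1))
    done
    echo "$n"
}

# compare_file_hashes FILE1 FILE2: one line per tool,
#   "<tool> <digest length in hex chars> <positions that differ>"
compare_file_hashes() {
    for tool in md5sum sha1sum sha256sum; do
        h1=$(digest "$tool" "$1")
        h2=$(digest "$tool" "$2")
        echo "$tool ${#h1} $(diff_positions "$h1" "$h2")"
    done
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_samples "$tmp"
    compare_file_hashes "$tmp/sampleChecksum.txt" "$tmp/sample02Checksum.txt"
    rm -rf "$tmp"
fi
```

Run it as `sh script.sh demo`. For a good hash, a one-bit change in the input should flip roughly half of the digest, so the third column lands near half the digest length for each tool; the length column is the 32 / 40 / 64 difference the slide mentions.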

|+| Slide 13

(Duplicate slide of slide 12)

Reminder that I did add a little more elaboration than was in the original slide show, since I made it pretty quickly after collecting my test results.

|+| Slide 14

BONUS ROUND – exiftool

Here I am grabbing the logo image from my site, then checking the image metadata for extra details.

[console]

wget https://funtimebliss.com/pathToASiteLogo/ftb-logo.png

[/console]

|+| Slide 15

Exiftool (continued)

Now that we have a local copy of ftb-logo.png, let’s see what details we get from the file.

[console]

exiftool ftb-logo.png

[/console]

[output_example]

ExifTool Version Number : 10.26

File Name : ftb-logo.png

Directory : .

File Size : 29 kB

File Modification Date/Time : 2013:05:29 11:45:14-04:00

File Access Date/Time : 2016:09:26 12:20:58-04:00

File Inode Change Date/Time : 2016:09:22 14:26:31-04:00

File Permissions : rw-r--r--

File Type : PNG

File Type Extension : png

MIME Type : image/png

Image Width : 465

Image Height : 100

Bit Depth : 8

Color Type : RGB with Alpha

Compression : Deflate/Inflate

Filter : Adaptive

Interlace : Noninterlaced

SRGB Rendering : Perceptual

Background Color : 255 255 255

Pixels Per Unit X : 2835

Pixels Per Unit Y : 2835

Pixel Units : meters

Modify Date : 2009:10:13 17:45:32

Comment : Created with GIMP

Image Size : 465x100

Megapixels : 0.046

[/output_example]

|+| Slide 16

Exiftool conclusion

Checking the Modify Date we see it was modified on 2009/10/13 around 5:45 PM. This matches up to the logo creation date.

Checking the Comment we see the image was edited in GIMP. I can confirm that as a fact, as I left the comment export option

Looking at the File Modification Date/Time that is consistent to when I uploaded that file into WordPress for my front page of the site.

There are TONS of supported file types for use with the EXIFTOOL and this is only one tool. Have fun and explore!
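The "Image Width", "Image Height" and "Comment" lines exiftool printed above come straight from the PNG's IHDR and tEXt chunks. This added example (mine, not from the talk and not exiftool's code) reads those two chunks with only dd and od, so you can see where that metadata lives inside the file. It builds a constructed PNG (header and comment only, no image data, placeholder CRCs) for a stand-alone run; the function names and sample file are this example's own.

```shell
#!/bin/sh
# Added example, not from the original talk or from exiftool itself: read the PNG
# chunks that exiftool's "Image Width", "Image Height" and "Comment" lines come from,
# using only dd and od. Function names and the sample PNG are this example's own.

# read_u32_be FILE OFFSET: big-endian 32-bit unsigned integer at OFFSET (PNG byte order)
read_u32_be() {
    set -- "$1" "$2" $(dd if="$1" bs=1 skip="$2" count=4 2>/dev/null | od -An -tu1)
    echo $(( ($3 << 24) | ($4 << 16) | ($5 << 8) | $6 ))
}

# png_dimensions FILE: "WIDTHxHEIGHT" from the IHDR chunk (8-byte signature, 4-byte
# length, 4-byte type, then width and height)
png_dimensions() {
    echo "$(read_u32_be "$1" 16)x$(read_u32_be "$1" 20)"
}

# png_text_chunks FILE: one "keyword=text" line per tEXt chunk; GIMP writes its
# "Created with GIMP" note as a tEXt chunk with keyword "Comment"
png_text_chunks() {
    f=$1
    size=$(wc -c < "$f" | tr -d ' ')
    off=8                                   # skip the 8-byte PNG signature
    while [ "$off" -lt "$size" ]; do
        len=$(read_u32_be "$f" "$off")
        ctype=$(dd if="$f" bs=1 skip=$((off + 4)) count=4 2>/dev/null)
        if [ "$ctype" = "tEXt" ]; then
            # chunk data is keyword, a NUL byte, then the text
            dd if="$f" bs=1 skip=$((off + 8)) count="$len" 2>/dev/null | tr '\0' '='
            echo
        fi
        if [ "$ctype" = "IEND" ]; then
            break
        fi
        off=$((off + 12 + len))             # length + type + data + CRC
    done
}

# make_sample_png OUT: constructed 465x100 RGBA PNG header with a GIMP-style comment.
# It carries no image data and placeholder CRCs, which this reader does not check;
# a real PNG has valid CRCs and IDAT chunks.
make_sample_png() {
    {
        printf '\211PNG\r\n\032\n'                                    # signature
        printf '\000\000\000\015IHDR'                                 # length 13, type
        printf '\000\000\001\321\000\000\000\144\010\006\000\000\000' # 465, 100, 8-bit, RGBA
        printf 'XXXX'                                                 # CRC placeholder
        printf '\000\000\000\031tEXt'                                 # length 25, type
        printf 'Comment\000%s' 'Created with GIMP'
        printf 'XXXX'
        printf '\000\000\000\000IENDXXXX'
    } > "$1"
}

if [ "${1:-}" = "demo" ]; then
    make_sample_png /tmp/sample-logo.png
    png_dimensions /tmp/sample-logo.png      # 465x100
    png_text_chunks /tmp/sample-logo.png     # Comment=Created with GIMP
fi
```

Run it as `sh script.sh demo`, or point `png_text_chunks` at a real PNG such as the ftb-logo.png from the slides. Note what this reader does not cover: CRCs are not checked, compressed zTXt and international iTXt chunks are skipped, and the File Modification Date/Time lines in the exiftool output come from the filesystem, not from any chunk, which is why a download or upload changes them while the Modify Date inside the file stays put.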