Hello! I was able to do a fire talk @ Drexel CCI in the Rush building last night. It was refreshing to get feedback from people, share my presentation, see everyone else present and chat with people.
If you would like the slides on using dd, sha256sum and exiftool, you are welcome to them. :)
For fun, you can run exiftool on this ppt, exported from LibreOffice.
For accessibility and ease of access, I have added the text contents of the slides below in this post. Also of note: I used photos rather than pasted text, because I finished the slides the day I presented them. :p
Text from slides below:
|+| Slide 01
A data backup and verification chat.
Backing up and ripping data, making test beds and using equipment.
This fire talk will cover:
Write-blockers (hardware), dd, sha256sum, exiftool.
|+| Slide 02
Disclaimer (01 of 02)
Formal forensics is a wide field, and it centers on the idea of preserving information with minimal to no changes to the source data.
A deeper forensic scope also involves analyzing the platform / operating system, in order to tell OS-level access (for example, the thumbs.db thumbnail caches that Windows Explorer writes when a folder is browsed) apart from files a person actually opened.
|+| Slide 03
Disclaimer (02 of 02)
This talk is based on using your own test data to try the analytic tools and understand how they work, without worrying about client liability. Use test data you are familiar with: knowing what is in the haystack makes finding the needle, and spotting patterns, tremendously easier.
Testing with the tools will give you the comfort to provide services for others.
|+| Slide 04
Howdy. I got into data imaging over the years through system building and doing support for friends, family and businesses. Originally I would plug a hard drive into another machine, target C:\Users and grab the profile data, along with application data and whatever else was needed.
After a while I got into Linux for file ripping, since some files are protected in Windows even when the disk is attached as a second drive.
|+| Slide 05
There are plenty of tools and applications with graphical front ends you can use; however, they can be quite expensive.
Personally, I like having built-in command line tools available, especially for the sake of booting a live CD at any location and being able to work, based on what I am being asked to do or recover.
|+| Slide 06
Write Blocker Imaging
Using a hardware write-blocker is an assured way not to modify the contents of the source drive.
They are around $300 USD, so there are cheaper options for software write blocking, but if you forget to turn it on you can contaminate your data source (for example by browsing a folder and having Windows write new thumbs.db files).
|+| Slide 07
[Picture of write blocker source drive, and output drive]
|+| Slide 08
sudo dd if=/dev/sdf of=/dev/sdg bs=16384k
For a 500 GB HDD, it took about 3 hours. (results below)
29808+1 records in
29808+1 records out
500107862016 bytes (500 GB, 466 GiB) copied, 10836.7 s, 46.1 MB/s
So how do you come up with the device names?
|+| Slide 09
Verifying disk image
Now that your drive is imaged, let’s start verifying with the source drive, hooked up to the write-blocker.
This is for the source drive.
sudo sha256sum /dev/sda
Unhook the source drive, plug in the target (copied) drive and run the same command.
sudo sha256sum /dev/sda
In the above, I hooked up the cloned drive, powered up the write-blocker, confirmed the disk was detected, then calculated the cryptographic checksum.
Boom! It’s a match :)
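The imaging and verification procedure from slides 08 and 09 as a script. This is an added example, not the slides' own output: an 8 MiB random file stands in for the source drive so it runs without a write-blocker or real disks, and the helper names and the "bigger target" scenario are mine. It also covers a caveat the slides leave out: sha256sum over a whole device only matches when the target is exactly the same size as the source. A larger target has unused space after the image, so hash only the source's byte count on both sides (blockdev --getsize64 from util-linux gives that for a real device).

```shell
#!/bin/sh
# Added example (not from the slides): image a "drive" with dd, then verify
# with sha256sum. For real hardware swap in /dev/sdX paths, run under sudo,
# and list candidate devices with lsblk before and after plugging in the
# write-blocker to pick the right names.
set -e

byte_size() {    # exact size in bytes of a regular file or a block device
  if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

image_drive() {  # same dd invocation shape as the slide: source -> target, 16 MiB blocks
  dd if="$1" of="$2" bs=16384k 2>/dev/null      # add status=progress on real drives
}

hash_first() {   # SHA-256 of the first $2 bytes of $1 (file or device)
  head -c "$2" "$1" | sha256sum | cut -d ' ' -f 1
}

verify_image() { # compare source and target over the source's byte count only
  n=$(byte_size "$1")
  [ "$(hash_first "$1" "$n")" = "$(hash_first "$2" "$n")" ]
}

whole_device_hashes_match() { # what 'sha256sum /dev/sdX' on both drives does
  [ "$(sha256sum < "$1" | cut -d ' ' -f 1)" = "$(sha256sum < "$2" | cut -d ' ' -f 1)" ]
}

# --- constructed test bed: random bytes stand in for the source drive ---
work=$(mktemp -d)
src="$work/source.img"; same="$work/target_same_size.img"; big="$work/target_bigger.img"
dd if=/dev/urandom of="$src" bs=1M count=8 2>/dev/null

image_drive "$src" "$same"                          # target exactly the source's size
image_drive "$src" "$big"
dd if=/dev/zero bs=1M count=1 2>/dev/null >> "$big"  # 1 MiB of unused space after the image

verify_image "$src" "$same" && echo "same-size target: verified"
verify_image "$src" "$big"  && echo "bigger target: verified over the source's length"
whole_device_hashes_match "$src" "$big" || echo "bigger target: whole-device hashes differ (expected)"
rm -rf "$work"
```

The third line of output is the trap: a clean image on a larger target still "fails" a naive whole-device comparison, which is why verify_image hashes exactly byte_size bytes of each side.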
|+| Slide 10
There are plenty of options for generating checksums. While SHA-1 and MD5 are commonly used, both have known collision attacks (practical for MD5, and getting cheaper for SHA-1), so prefer SHA-256 when the hash needs to stand as evidence.
Signature-based anti-virus that keys on MD5 hashes runs into the same collision problem.
Command-line tools to get a checksum for a file include md5sum, sha1sum and sha256sum, all used in the following slides.
|+| Slide 11
Here I made a text file, saved it and then calculated the file’s cryptographic hash (SHA-256).
Make a new file called ‘sampleChecksum.txt’ with the contents ‘Hello checksum’ and save it.
Obtaining the checksum of said file:
Then make a second file with a single character changed and calculate its hash: a new file called ‘sample02Checksum.txt’ with the contents ‘Hello Checksum’.
The two files are identical apart from the upper-case C in ‘Checksum’ in the second one, where the original is lower case. Note how different the checksum output is for two files with similar names and a single character of difference in their contents.
|+| Slide 12
Other checksum examples
ISO downloads and similar tend to publish MD5 sums, so here are some extra output examples using the same two base files we made.
sha1sum likewise displays a unique output for each file, with a slightly longer return value than md5sum (40 hex characters instead of 32, so 8 more).
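The two-file experiment from slides 11 and 12 as a script, serving both slides. It is an added example, not the slides' own output (the digests on the slides were in photos): it creates sampleChecksum.txt and sample02Checksum.txt with the stated contents, runs md5sum, sha1sum and sha256sum over both, and counts how many hex digits change after the single-character edit. It assumes each file ends with a newline, as a text editor would save it, and the helper names are mine.

```shell
#!/bin/sh
# Added example (not from the slides): one-character change, three hash tools.
set -e
work=$(mktemp -d)
printf 'Hello checksum\n' > "$work/sampleChecksum.txt"     # original file
printf 'Hello Checksum\n' > "$work/sample02Checksum.txt"   # same, with an upper-case C

digest() {   # $1 = md5sum|sha1sum|sha256sum, $2 = file; prints the hex digest only
  "$1" "$2" | cut -d ' ' -f 1
}

differing_hex_digits() {  # count positions where two equal-length hex strings differ
  a=$1; b=$2; n=0; i=1; len=${#a}
  while [ "$i" -le "$len" ]; do
    [ "$(printf '%s' "$a" | cut -c "$i")" = "$(printf '%s' "$b" | cut -c "$i")" ] || n=$((n + 1))
    i=$((i + 1))
  done
  echo "$n"
}

compare() {  # run one tool over both files and report digest length and spread of the change
  da=$(digest "$1" "$work/sampleChecksum.txt")
  db=$(digest "$1" "$work/sample02Checksum.txt")
  printf '%-9s %s\n%-9s %s\n' "$1" "$da" "" "$db"
  printf '%-9s %s hex digits, %s of them differ after a one-character edit\n\n' \
    "" "${#da}" "$(differing_hex_digits "$da" "$db")"
}

for tool in md5sum sha1sum sha256sum; do compare "$tool"; done
rm -rf "$work"
```

Expect 32, 40 and 64 hex digits for MD5, SHA-1 and SHA-256 respectively, with roughly fifteen sixteenths of the digits changing: a good hash spreads a one-bit difference across the whole digest, which is exactly what makes the "Boom, it's a match" comparison from slide 09 meaningful.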
|+| Slide 13
(Duplicate slide of slide 12)
Reminder that I did add a little more elaboration than was in the original slide show, since I made it pretty quickly after collecting my test results.
|+| Slide 14
BONUS ROUND – exiftool
Here I am grabbing the logo image from my site, then checking the image metadata for extra details.
|+| Slide 15
Now that we have a local copy of ftb-logo.png, let’s see what details we get from the file.
ExifTool Version Number : 10.26
File Name : ftb-logo.png
Directory : .
File Size : 29 kB
File Modification Date/Time : 2013:05:29 11:45:14-04:00
File Access Date/Time : 2016:09:26 12:20:58-04:00
File Inode Change Date/Time : 2016:09:22 14:26:31-04:00
File Permissions : rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 465
Image Height : 100
Bit Depth : 8
Color Type : RGB with Alpha
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
SRGB Rendering : Perceptual
Background Color : 255 255 255
Pixels Per Unit X : 2835
Pixels Per Unit Y : 2835
Pixel Units : meters
Modify Date : 2009:10:13 17:45:32
Comment : Created with GIMP
Image Size : 465x100
Megapixels : 0.046
|+| Slide 16
Checking the Modify Date, we see the image was last modified on 2009/10/13 at around 5:45 PM, which matches the logo’s creation date.
Checking the Comment, we see the image was edited in GIMP. I can confirm that as a fact, as I left the comment export option
The File Modification Date/Time is consistent with when I uploaded that file into WordPress for the front page of the site. Note the difference: the Modify Date and Comment are stored inside the PNG itself (its tIME and tEXt chunks) and travel with the file wherever it is copied, while the File Modification Date/Time comes from the filesystem and changes with every copy or upload.
ExifTool supports a huge number of file types, and it is only one tool. Have fun and explore!
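Where ExifTool's Modify Date and Comment actually come from: a PNG carries them inside the file as a tIME chunk and a tEXt chunk, after an IHDR chunk that holds the dimensions. The script below is an added example, not from the slides and not the logo itself: it constructs a tiny PNG with the same IHDR size, Comment and tIME values as the exiftool output above (CRC fields are left as zeros because this walker does not check them, so it is not a viewable image), then walks the chunk list with od and dd, no exiftool needed. Function names and the sample file are mine.

```shell
#!/bin/sh
# Added example (not from the slides): read PNG metadata chunks with coreutils.
# PNG layout: 8-byte signature, then chunks of length(4, big-endian) | type(4) | data | crc(4).
set -e

make_sample_png() {  # constructed sample: IHDR 465x100 RGBA, tEXt Comment, tIME, IEND; CRCs zeroed
  {
    printf '\211PNG\r\n\032\n'
    printf '\000\000\000\015IHDR\000\000\001\321\000\000\000\144\010\006\000\000\000\000\000\000\000'
    printf '\000\000\000\031tEXtComment\000Created with GIMP\000\000\000\000'
    printf '\000\000\000\007tIME\007\331\012\015\021\055\040\000\000\000\000'
    printf '\000\000\000\000IEND\000\000\000\000'
  } > "$1"
}

png_chunks() {  # print one line per chunk; decode IHDR, tEXt and tIME like exiftool does
  f=$1
  size=$(wc -c < "$f" | tr -d ' ')
  off=8                                   # skip the 8-byte signature
  while [ "$off" -lt "$size" ]; do
    set -- $(od -An -tu1 -j "$off" -N 4 "$f")
    len=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    type=$(dd if="$f" bs=1 skip=$((off + 4)) count=4 2>/dev/null)
    data=$((off + 8))
    case $type in
      IHDR) set -- $(od -An -tu1 -j "$data" -N 8 "$f")            # width, height as 32-bit BE
            printf 'IHDR %dx%d\n' $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) \
                                  $(( ($5 << 24) | ($6 << 16) | ($7 << 8) | $8 )) ;;
      tEXt) printf 'tEXt %s\n' "$(dd if="$f" bs=1 skip="$data" count="$len" 2>/dev/null | tr '\000' '=')" ;;
      tIME) set -- $(od -An -tu1 -j "$data" -N 7 "$f")            # year(2) month day hour min sec
            printf 'tIME %04d:%02d:%02d %02d:%02d:%02d\n' $(( ($1 << 8) | $2 )) "$3" "$4" "$5" "$6" "$7" ;;
      *)    printf '%s %d bytes\n' "$type" "$len" ;;
    esac
    off=$((off + 12 + len))               # length(4) + type(4) + data + crc(4)
  done
}

sample=$(mktemp)
make_sample_png "$sample"
png_chunks "$sample"                      # prints IHDR 465x100, the Comment, the tIME stamp, IEND
rm -f "$sample"
```

The tIME line is the "Modify Date" exiftool showed, and it stays 2009:10:13 17:45:32 no matter how many times the file is copied; the filesystem timestamps exiftool lists above it are whatever the last copy or upload left behind.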