Lab 06: Extracting Evidence Files from an Image

Resources:
floppy disk geometry
Advanced Guide to Netcat
recuva undelete utility - download the portable version (zip only) - no installation required
fatback - not used in this lab but great free tool
open source forensics - not used for lab but also useful
XVI32 Windows hex editor from Lab 01

The purpose of this lab is to learn how to extract data such as deleted files from a disk image. This lab will be performed under the Windows XP VMware image in Rm 315.

Preparations - Downloading Images and Tools

There are several image files and tools we will be using for this lab. Start downloading them now so they will be ready when you reach that part of the lab.

Start your Windows XP VMware workstation and log in. Download the following:

Disk Image Files
We will be using an image of a USB drive and of a floppy drive for this lab. Download the two images using either:
wget http://www.cs.csubak.edu/~melissa/cs340/usb1.dd
wget http://www.cs.csubak.edu/~melissa/cs340/lab06.dd
OR the following links: usb1.dd and lab06.dd

Additional Windows Tools

1. Download and install the open source GNU core utils for Windows onto your shared network drive. GNU core utils is a zip file with 40 or so Unix command-line utilities (grep, strings, less, vi, etc.) that have been ported to Windows.

Download the Complete package Setup, except sources. Then run it and select your shared drive as the destination.

After installing GNU Core Utils, you must either add the path Z:\CS340 Data Directory\gnuUtils\usr\local\wbin to your Windows path or copy the executables to another directory as follows:

     Z:
     cd "CS340 Data Directory\gnuUtils\usr\local\wbin"
     copy *.* "Z:\CS340 Data Directory"

2. Download and install The Sleuthkit, which is a collection of UNIX-based command line file and volume system forensic analysis tools. You will use the file recovery tools in Sleuth Kit in this lab. We will use other tools in later labs.

The current version is 4.0.2 which has not been tested with the WinXP virtual machine. If it does not work, download 3.0.1 from Sourceforge which does work with the WinXP virtual machine.

3. Download and install Chrysocome's dd for Windows (select dd-0.5.zip). GNU Utils contains dd.exe also, but Chrysocome's version of dd has a much richer syntax. You can copy dd.exe over the top of the GNU version if you want, or keep them separate. Up to you. Bottom line, if you run the Chrysocome version you can get information from raw devices with the following Windows command line:

     "Z:\CS340 Data Directory\dd" --list
     rawwrite dd for windows version 0.5.
     Written by John Newbigin <jn@it.swin.edu.au>
     This program is covered by the GPL.  See copying.txt for details
     Win32 Available Volume Information
     \\.\Volume{85cb2988-f45c-11dc-bd4e-806d6172696f}\
     link to \\?\Device\HarddiskVolume1
     fixed media
     Mounted on \\.\c:

     \\.\Volume{85cb2989-f45c-11dc-bd4e-806d6172696f}\
     link to \\?\Device\CdRom0
     CD-ROM
     Mounted on \\.\d:

4. Finally, download and install hexDump, a Windows command-line utility that reads a binary file and writes a text file with a hexadecimal dump of its contents. Windows hexdump is similar to the Linux version (see man hexdump on Sleipnir).

Preparation - Background Information

The goal of this lab is to extract evidence from a dd image. Knowing how that image was made will be useful in the investigation. The steps below outline the procedure that was used. These images were made from a WinXP forensic workstation. Read How This Image Was Made.

Part 1 - Restoring Deleted Files From a Raw Image under Windows

In this portion of the lab, you will extract deleted files from an image. File deletion does not remove the contents of the file from the disk; it simply "marks" the entry for the file as deleted in the table for that particular file system (e.g., the FAT for FAT-16 or FAT-32 and the MFT for NTFS). In fact, in Win2K and WinXP, the file is moved to the Recycle Bin and may not be overwritten for some time. If you can undelete a file before any information is written over the top of its area on the disk, recovery is as easy as "unmarking" the entry as deleted.

Your job is to recover a deleted file from a raw DD file WITHOUT first restoring the image. You will perform this using tools from the Sleuthkit. We will be using usb1.dd for this portion of the lab.

First verify your image file against this MD5 checksum:

     c770e07e7c7fa05b43b0d1d21a1a692c  usb1.dd
You will use a Sleuthkit tool to recover files from the dd image. Read the Sleuthkit Guide for detailed information on what you will be doing.

Open a Windows shell. Change directory to the install location of Sleuthkit. You will run the fls and icat utilities. The following commands are just an example of how to run fls and icat. You will need to run additional commands to finish this portion of the lab. These examples also assume the image file is in the same directory as the command. Example commands:

   fls -h                                  # help on command line switches
   fls -f list                             # list supported file systems
   fls -f fat -d usb1.dd                   # list deleted files with their inode numbers (used by icat)
   icat -h                                 # list command line switches
   icat -f fat -r -s usb1.dd 34 > outfile  # recover the file at inode 34 plus its slack space into outfile

Use fls and icat to find and recover all of the deleted files on usb1.dd. Open the recovered file(s).

Hints: There should be three files to recover. Only one of the files is immediately viewable by double-clicking it. A second file can be recovered using WinHex to repair the file signature. View the third file in WinHex as well.

What to Submit for Part 1
Explain what the files are in the Notes section of Moodle.

Part 2 - Recovering Deleted Files from a Restored DD Image

For this part of the lab, we are going to restore a DD image to a virtual floppy device. We will first need to prepare the Windows XP virtual machine, so save your work from Part 1 and shut down the virtual machine.

When you are back at the VMware Workstation screen, select Edit Virtual Machine Settings. Select the Floppy device out of the device list and then select "Create" on the right-hand side of the screen. Do NOT select "read-only" as we will need to be able to write to the device to restore the image. Save the changes and boot the virtual machine.

Once the virtual machine is back up, select VM->Removable Devices->Floppy->Connect from the VMware Workstation menu. You can now use DD to restore the lab06.dd image to the floppy drive. Open a command shell and cd to the directory where you downloaded Chrysocome's dd utility.

Verify that you have downloaded lab06.dd correctly by comparing the MD5 hash to the following hash:

     c720b7eb9e261d5a89fbb5dc9a5606e4  lab06.dd 
Then run the following command:
     dd if=lab06.dd of=\\.\a: bs=1440k
If you get a write-error message, check that the floppy device is connected under the VM->Removable Devices menu.

Refer to dd wiki and chrysocome dd page for help on the DD command.

You should now be able to view the floppy as a file system under Windows. Perform a simple logical analysis of the disk to start your investigation. Open up a command window and do a directory listing of the drive:

    a:
    dir
You should be told that the drive contains no files (File Not Found). If you get any other error message, make sure you have properly restored the dd image following the above steps.

Once you know the image has been properly restored as a Windows file system, you can use WinHex to recover deleted files. Start WinHex.

Open the floppy in WinHex from the Tools->Open Disk menu option. Select removable medium (A:) and select OK. You will then be in WinHex's drive information window where you should see indications of deleted files. Deleted files are marked with a '?' as the first character of the filename.

If you are not seeing file information, select View->Show and check the Directory Browser option.

To recover a deleted file, right-click on the file and select Recover/Copy. Select an empty folder or the Desktop to hold the recovered file. Select the option to use the File Allocation Table when possible. Recover the file(s) in the image.

You can also mark the file you want to undelete as a block and paste that block into a new file. Start the block at the file's beginning offset and end it at the file's ending offset.

Note: the above procedure does not work on files larger than 200MB.

Open the recovered file(s) by double-clicking.

What to Submit for Part 2
Describe the contents of the recovered file(s) in the Notes section of Moodle.

Part 3 - Additional File Recovery Tasks

For this part of the lab, do the tasks indicated in each question and then put your response in the Notes section of Moodle.

QUESTION #1.
Since we are discussing file systems, you can analyze the file system of a floppy. In a 3 1/2" FAT formatted floppy, the boot sector, directory entries and various other system information are stored in sectors 0 - 32. Files are stored in Sectors 33 and beyond.

Go back to WinHex and the floppy image. Hit CTRL-G to goto sector 33. Note where your cursor goes in the bottom of the screen (the hex view of the image).

Find the hex values on the floppy beginning at byte offset 00016880 through byte offset 00016896. (These are in decimal. To change from hexadecimal to decimal select Options->General and uncheck Hexadecimal offsets in the rightmost column.) This chunk of data is the end of sector 32 and the beginning of sector 33.

What values do you see in this portion of the image?

QUESTION #2.
You can also find the hex values in your image using hexdump (under Solaris and other versions of Unix this is called dump; under Linux this utility is called hexdump). Hexdump displays offsets in the file in hex.

For example, this command will display the hex values beginning with byte 512, which marks the beginning of sector 1 (512 in hex is 200):

    hexdump lab06.dd | grep 0000200        (hit CTRL-C to stop search)
If you do not have grep, you can use the skip switch.

What does this hexdump command display and what is the byte offset in decimal?

    hexdump lab06.dd /skip:00000130  | more

QUESTION #3.
WinHex also supports file carving. File carving recovers data from deleted files using file type specific knowledge, such as file signatures for the header and footer values or internal data structures.

From the Tools menu select Disk Tools->File Recovery by Type. Then select MS Office/OLE. Select an output folder on your Data drive and hit OK.

Open the recovered file(s). Describe the contents.

What to Submit for Part 3

Submit your answers to the above three questions in the Notes section of Moodle.

Additional Information - Acquiring a Logical View of an Image

Certain evidence is more easily extracted through the operating system. Part 2 of the lab outlined one way to access the image via the operating system (restoring the image to a virtual drive). There are two other methods that can also be used to get a logical view of the image.

Method #1. Mounting a DD Image in Windows with VMware
VMware will treat a raw dd image as a device if you link a virtual hardware device to a DD file. You can do this with the lab06.dd image (which is an image of a floppy disk) using the following steps.

Shutdown the Windows virtual machine. From Linux download lab06.dd onto the Desktop. Select Edit Virtual Machine Settings and then the Floppy device. Change it to link to the lab06.dd floppy image.

Before booting the Windows image, select VM->Power->PowerOn to Bios. Modify the boot sequence to boot from the CD-ROM first, then the hard drive. Push the option to boot from a floppy to the last position using the minus key. If you do not do this, VMware will try to boot from the floppy.

You should be able to open the floppy disk (the files have all been deleted). You could use WinHex in the same way we used it in Part 2 on this restored image.

Method #2. Mounting a DD Image as a Loopback Device under Linux
Read loop device on wiki for background material on mounting the DD image as a filesystem by using the loopback device. For technical details, read this loopback guide.

The advantage of this method is that you will have a logical view of the filesystem on the image without first restoring the image to a disk. The disadvantage of this method is that the logical view will be through Linux and not Windows.

You need to be root, so you can perform this step from 'Etch', the Debian VMware machine. Boot Etch under VMWare. You need to get lab06.dd to Etch using netcat or wget. The syntax for wget is

      wget www.cs.csubak.edu/~melissa/cs340/lab06.dd
Alternatively, you can use netcat to grab the image from the Linux desktop. The steps below use netcat and assume lab06.dd has already been downloaded onto the Linux machine. Get the IP address of your Etch machine using ifconfig. Start a netcat listener on a non-privileged port.
 
    $ sudo su
    # ifconfig
    # nc -l -p 2222 > lab06.dd  
From the Linux machine:
    $ nc -q 2 targetIP 2222  < lab06.dd    # after 2 seconds quit
Now mount lab06.dd read-only with the loopback device (use '-t ntfs' for an NTFS filesystem):
    # mkdir /image
    # mount -o loop -t vfat -r lab06.dd /image 
    # cd /image
Unmount when finished:
    # cd /
    # umount /image

Additional Information - Finding Evidence in Slack Space

The above procedures recover deleted files but not hidden evidence in unused or slack space. For slack space across an entire disk, you should use forensic analysis tools such as WinHex (or plan to spend the next two weeks in a manual examination).

In computer storage, file slack space is the area between the end of a file and the end of the last cluster or block used by that file. RAM slack is data that the OS grabs from RAM to fill in the last sector used by that file. Since on a floppy the block to sector ratio is 1:1, the only slack space on a floppy is RAM slack. You need another image besides lab06.dd to test file slack.

The file slack.dd contains file slack. This image was created from a 256MB flash drive. WinHex can read a DD image, but will not recover slack space until the image is restored back to a disk. Unfortunately, the Windows virtual machines under VMware in 315 will not allow you to use a USB flash drive.

If you had a functioning USB flash drive, you could recover slack.dd to a flash drive using dd, similar to how we recovered the floppy image in Part 2. You would run this dd command to find the device the flash drive is connected to and the block size:

   dd --list 
Once you know that information, you could run a command similar to the one below. Your device identifier will likely differ from the example given, so make sure to update \\.\e: to the correct device and 512k to the correct block size:
    dd if=c:\temp\slack.dd of=\\.\e: bs=512k --progress 
You could now use WinHex to analyze the slack space in the restored image. You would open your recovered image disk with Tools->Open Disk. To have WinHex gather all file slack space into a single file, select Specialist->Gather Slack Space. Select Yes to the next two options.

Extra Credit - RAM Slack

RAM slack is data in a file that is not accessible through the operating system but exists between the EOF marker of the file and the next sector mark. To view the contents of RAM slack space in the raw hex file, look at the files on the restored lab06.dd image (e.g. drive A: from Part 2) one file at a time. Calculate the starting and ending sector of the file from the number of bytes used by the file given in the directory listing. Jump to the ending sector for each file. Somewhere between the ending sector and the next cluster for one of the files there is some data in the slack space.

What is the data and what is the byte offset (in decimal) at which you found it?

Note: You can do this more easily through hexdump and the less command from a command shell by using one of the following commands:

    hexdump lab06.dd | less     // hit 'f' and 'b' and '/' to navigate and jump 
    hexdump lab06.dd | more     // if you don't have the less utility 
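A worked example, added here and not part of the lab handout, covering Question #1 and the RAM-slack extra credit: it parses the BPB of a constructed 1.44MB FAT12 image to derive where the root directory and the data area start (sector 33, byte 16896 on a standard floppy, instead of taking that number on faith), walks the root directory flagging the 0xE5 deleted marker that WinHex displays as '?', and computes each file's data offset and the slack bytes between its EOF and the end of its last cluster. The image, file names, clusters and sizes are constructed values, not data from lab06.dd.

```python
import struct

SECTOR = 512
ENTRY = "<8s3sB14xHI"   # 32-byte dir entry: name, ext, attr, first cluster @26, size @28

def build_floppy_image():
    """Constructed 1.44MB FAT12 image (not the lab's lab06.dd): standard floppy
    BPB, two 9-sector FATs, one live and one deleted file in the root directory."""
    img = bytearray(2880 * SECTOR)
    # BPB at offset 11: bytes/sector, sectors/cluster, reserved sectors, FAT count,
    # root entries, total sectors, media byte, sectors per FAT
    struct.pack_into("<HBHBHHBH", img, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    root = (1 + 2 * 9) * SECTOR                  # root directory follows the FATs
    struct.pack_into(ENTRY, img, root,      b"NOTES   ", b"TXT", 0x20, 2, 700)
    struct.pack_into(ENTRY, img, root + 32, b"\xe5ECRET  ", b"DOC", 0x20, 4, 1200)
    return bytes(img)

def parse_bpb(img):
    """Derive the on-disk layout from the BPB rather than assuming 'sector 33'."""
    bps, spc, reserved, nfats, root_entries, _total, _media, spf = \
        struct.unpack_from("<HBHBHHBH", img, 11)
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps
    first_root = reserved + nfats * spf
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "first_root_sector": first_root,
            "first_data_sector": first_root + root_dir_sectors}

def root_entries(img):
    """Walk the root directory. 0xE5 as the first name byte marks a deleted entry
    (WinHex shows it as '?'); 0x00 ends the directory. For each file report where
    its data starts and how many slack bytes lie between EOF and the cluster end."""
    bpb = parse_bpb(img)
    bps, spc = bpb["bytes_per_sector"], bpb["sectors_per_cluster"]
    off, files = bpb["first_root_sector"] * bps, []
    while img[off] != 0x00:
        name, ext, attr, first_cluster, size = struct.unpack_from(ENTRY, img, off)
        if attr != 0x0F:                          # skip long-file-name entries
            deleted = name[0] == 0xE5
            shown = ("?" + name[1:].decode("latin-1")) if deleted else name.decode("latin-1")
            # data clusters are numbered from 2, starting at the first data sector
            start = (bpb["first_data_sector"] + (first_cluster - 2) * spc) * bps
            files.append({"name": shown.strip() + "." + ext.decode("latin-1").strip(),
                          "deleted": deleted, "data_offset": start,
                          "slack_offset": start + size,
                          "slack_bytes": (-size) % (bps * spc)})
        off += 32
    return files
```

Call `root_entries(build_floppy_image())` to see both entries; on a real image, pass the bytes of the dd file instead and the same offsets can be jumped to in WinHex or hexdump.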

TERMINOLOGY

/dev/zero is a special file in Unix that provides as many null characters (ASCII NUL, 0x00; not ASCII character "digit zero", "0", 0x30) as are read from it. A typical use is to overwrite all the data on a disk partition (including the directory) with the same character. Wiping a disk with /dev/zero will fill the disk with F6 F6 F6 F6 F6 ..... Once you completely wipe a disk, it no longer has a file system and must be formatted again to use it. Example:

   # Completely wipe a partition with null characters 
   dd if=/dev/zero of=/dev/hda8  
   # Completely wipe a partition with random values
   dd if=/dev/random of=/dev/hda8
Garner's wipe utility for Windows (see http://www.gmgsystemsinc.com/fau/) will perform the same function:
   wipe -w 00 \\.\a: