Monday, 14 November 2011

M57.biz Practice Investigation

INTRODUCTION AND SETUP

The first image my study partner ( http://computerforensicgraduate.wordpress.com/ ) and I decided on is located here:
http://digitalcorpora.org/corpora/scenarios/m57-jean

It's an investigation into how a spreadsheet was exfiltrated from a laptop. The laptop image is contained in two EnCase evidence files (.E01 and .E02, 3 Gb total) which you can look at using a similar methodology to what's listed in "Digital Forensics with Open Source Tools" by Altheide & Carvey (the "Simon and Simon" of Computer Forensics, if I might be so bold / old).

Note: the case briefing pdf lists a different filename / filetype for the spreadsheet. I tried doing a "m57plan.xlsx" keyword search but didn't find it - using FTK Imager I found it as "m57plan.xls". Double-DOH! Live and learn ... take client briefings with a grain of salt?

We have both installed VMware Player 3, through which we use the SANS SIFT Ubuntu virtual workstation (1.8 Gb download).
The SIFT workstation already contains several of the tools mentioned in Altheide & Carvey plus more. There's unallocated file carving, email extraction from PST files, RegRipper, FTK Imager just to name a few and all for FREE!
Be sure to download the VM "Distro version" ZIP file and not the bootable ISO image. SANS have set it up so you can unzip that file and then use VMWare Player 3 to open the "SIFT Workstation 2.1.vmx" file (via File, Open a New VM and then select the .vmx file). Keep the ZIP file after extracting it so that after each case you can delete the SIFT VM in VMWare player and start again fresh. Anyhow, once you've told VMWare Player where to find the .vmx file you just "play it" by double clicking on it. Everything should be automatic from then on and hopefully you get the login window.

Ubuntu will probably run a bit slower via VMware than if installed separately but I found it OK using a circa 2003 single core Athlon64 with 2 Gb RAM running WinXP. And this way, I didn't need to spend time reformatting or dual booting the sucker and/or if I stuff up the SIFT, I can easily reset to a known good state. There's a pretty helpful forum at http://ubuntuforums.org/ if you have Ubuntu issues.

Tools Used:

VMWare Player 3.1.5 ( http://downloads.vmware.com/d/info/desktop_downloads/vmware_player/3_0 ) - you might have to sign up first (for free)
SANS SIFT Workstation ( http://computer-forensics.sans.org/community/downloads ) - requires a SANS login (free)
Forensic Corpora Jean Encase Image ( http://digitalcorpora.org/corpora/scenarios/m57-jean )

Aim: 

To find out:
- When did Jean create this spreadsheet?
- How did it get from her computer?
- Who else from the company is involved?

Setup Method:

A. Install SANS SIFT Virtual machine under VMWare Player 3 (as described earlier).

B. Download/Copy Jean's Encase files (.E01 & .E02) to the SANS SIFT VM "/cases" directory.
I used Windows File Explorer to copy the 2 EnCase files to the "cases" folder on the SIFTWorkstation in the SANS workgroup but you could also download it directly to the SIFT using the SIFT Firefox browser.

C. Mount the EnCase image read-only so that we can see it from the Ubuntu OS
This blog describes how to do it (more or less):
http://stephenventer.blogspot.com/2009/02/mount-ewf-e01-on-linux.html

The SIFT 2.1 VM has most of the software/tools mentioned in the blog already installed / configured.
And pp 20-22 of "Digital Forensics with Open Source Tools" (Altheide & Carvey) details a similar process.
But there is one complication - the SIFT VM doesn't seem to recognise the HPFS (High Performance File System) / NTFS filesystem of the given EnCase files (fdisk labels NTFS partitions as "HPFS/NTFS"). The blog example doesn't mention this as a problem but I couldn't follow the blog/book procedures without getting errors.
I ended up using the Ubuntu Synaptic Manager (from the System, Control Center, Synaptic Package Manager menu) to install the "ntfs-config" package/software and Ubuntu then recognised/mounted the image. Not 100% sure why, but it seems to work ...
The Synaptic Package Manager is a GUI for installing Ubuntu software packages. It's kind of like the App Store for iPhones. However, unlike iPhones you can also download source code separately and compile/build it on your Ubuntu system, e.g. if it's not available in a package.

So here's the full procedure I ended up performing:
  1. Boot up SIFT VM and login as sansforensics (password is "forensics" ... shhh! )
  2. At a terminal window, use the command "sudo su -" to login as root so we can issue commands with the appropriate privileges i.e. make data accessible/mount stuff.
  3. Use the command "mount_ewf.py /cases/nps-2008-jean.E* /mnt/ewf/" to combine the two evidence files into a single Unix style image file called "/mnt/ewf/nps-2008-jean" (note: we use the "nps-2008-jean.E*" argument so it picks up all EnCase parts). Afterwards, there will also be a text file containing the MD5 hash as originally calculated by EnCase. You can then use the command "md5sum /mnt/ewf/nps-2008-jean" to calculate a local MD5 hash for comparison with EnCase but it took a few minutes on my VM.
  4. Install the "ntfs-config" package using the Synaptic Manager.
  5. Use "losetup -o32256 -r /dev/loop0 /mnt/ewf/nps-2008-jean" to map the image file to a read-only loop device (ensuring you specify the offset 32256 so the loop device is mapped to the filesystem and not the beginning of the disk image. Blog/book has more info).
  6. Use "mkdir /mnt/m57jean" to create a mountpoint directory that we can use later.
  7. Use "mount /dev/loop0 /mnt/m57jean/ -o loop,ro" so we can map the loop device to a read only directory.
  8. As a test, use "ls -al /mnt/m57jean" to list the contents of the filesystem. You should see your typical Windows XP folder structure, e.g. Documents and Settings, Program Files etc.
So to summarise, we've combined the 2 EnCase image files into one large image file and then mapped it to a read only directory called "/mnt/m57jean".

This article also has more information on read-only mounts for SIFT:
http://computer-forensics.sans.org/blog/2009/02/19/digital-forensic-sifting-how-to-perform-a-read-only-mount-of-evidence/

Some other potentially useful information:
Between steps 4-7 above, you can also use "fdisk -lu /mnt/ewf/nps-2008-jean" to show the partition table and filesystem type info (i.e. HPFS / NTFS). The "-u" switch prints the partition's start in sectors; with 512-byte sectors, a start sector of 63 is where the 32256 byte offset in step 5 comes from (63 x 512 = 32256).
If you need to unmount a directory, use "umount /mnt/m57jean" for example.
If you need to reset the loopback device, you can use the "losetup -d /dev/loop0" command.
If you restart the SIFT, it will lose all the mounting stuff and you'll have to do it all over. Can be helpful if you make a mistake and can't figure out how to recover.
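As an added example (not from the original post or the SIFT project), here are steps 3-8 and the cleanup commands above wrapped in shell functions, with the checks I'd want before trusting the mount: MD5 verified against the hash EnCase recorded, the loop device mapped read-only, and the kernel's own view of the mount confirmed as "ro". Assumptions: the SIFT 2.1 paths used in the post, a partition starting at sector 63 (63 x 512 = 32256 bytes), and a known-good MD5 supplied by the caller (read it from the .txt file mount_ewf.py writes next to the raw image).

```bash
#!/bin/bash
# Added example (not from the original post): steps 3-8 plus the cleanup notes.
# Assumptions: SIFT 2.1 paths, NTFS partition at sector 63, caller supplies the MD5.
set -u

# Byte offset for losetup from a start sector as shown by "fdisk -lu".
partition_offset() {
    local start_sector="$1" sector_size="${2:-512}"
    echo $(( start_sector * sector_size ))
}

# Compare the local md5sum of the raw image with the hash EnCase stored.
# Returns 0 on match, 1 on mismatch (case-insensitive).
verify_md5() {
    local image="$1" expected="$2" actual
    actual=$(md5sum "$image" | awk '{print $1}' | tr 'A-F' 'a-f')
    [ "$actual" = "$(echo "$expected" | tr 'A-F' 'a-f')" ]
}

# Steps 3-8: combine the segments, verify, map read-only, mount read-only, list.
mount_evidence() {
    local segments="$1" raw="$2" expected_md5="$3" loopdev="$4" mountpoint="$5"
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo su -)" >&2; return 1; }
    mkdir -p "$(dirname "$raw")" "$mountpoint"
    # $segments is left unquoted so the .E* glob expands to every EnCase part.
    mount_ewf.py $segments "$(dirname "$raw")" || return 1
    verify_md5 "$raw" "$expected_md5" || { echo "MD5 mismatch, stop here" >&2; return 1; }
    # -r makes the loop device itself read-only, independent of the mount flags.
    losetup -o "$(partition_offset 63)" -r "$loopdev" "$raw" || return 1
    # losetup already mapped the device, so plain "-o ro" is enough (no "-o loop").
    mount -o ro,noexec "$loopdev" "$mountpoint" || return 1
    # Confirm from /proc/mounts that the kernel holds the mount read-only.
    awk -v m="$mountpoint" '$2 == m && $4 ~ /(^|,)ro(,|$)/ { ok = 1 } END { exit !ok }' \
        /proc/mounts || { echo "mount is not read-only" >&2; return 1; }
    ls -al "$mountpoint"
}

# Cleanup in reverse order: unmount, detach the loop device, unmount the ewf fuse dir.
cleanup_evidence() {
    local loopdev="$1" mountpoint="$2" ewfdir="$3"
    umount "$mountpoint"; losetup -d "$loopdev"; umount "$ewfdir"
}

# Usage on the SIFT as root (MD5 placeholder comes from the mount_ewf.py .txt file):
# mount_evidence "/cases/nps-2008-jean.E*" /mnt/ewf/nps-2008-jean <MD5_FROM_ENCASE> /dev/loop0 /mnt/m57jean
# cleanup_evidence /dev/loop0 /mnt/m57jean /mnt/ewf
```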

You can also load up FTK Imager to preview the .E01 file directly from "/cases" but while you can browse the files through FTK Imager, the other SIFT tools won't be able to read the EnCase format.
You can also browse the "/mnt/m57jean" folder using the Ubuntu file explorer - just double click on one of the folders on the left hand side of the desktop and navigate to "/mnt/m57jean" (after completing steps 1-7).

I'll stop here and post my method(s) of investigation in the next post - just in case you want to figure out the next part yourself...

9 comments:

  1. This comment has been removed by the author.

  2. Hey- I appreciate you doing this walk through! I have run into a frustrating issue at step #3 and I'm wondering if you have any advice. I have set up everything the same as you, but I'm getting the error "ewf segment filename(s) required."

    Any ideas?

    -Jared

  3. Think I have it now. I ran: "mount_ewf.py nps-2008-jean.E* /mnt/ewf/nps-2008-jean" directly from the evidence folder containing both the E01/E02 split files and it mounted.

  4. Getting a permission denied error on step #5. Any ideas?

  5. Hi Jared,

    Try "sudo losetup -o32256 -r /dev/loop0 /mnt/ewf/nps-2008-jean"

    i.e. run it as root; this should work. You might also come across the same permissions problem with step 7.

    Sorry about that - I'm pretty sure I ran it as described above but I may have misremembered. Good thing it's only practice right?

  6. "sudo losetup -o32256 -r /dev/loop0 /mnt/ewf/nps-2008-jean" gets me the error "LOOP_SET_FD: Invalid Argument"

    Any ideas?

  7. Hi Jared,

    Hmmm... maybe loop0 is already being used?
    You can check to see if loop0 is already being used by typing "sudo losetup -a"

    There are a couple of things you can try if you see an entry for loop0.

    - Try using loop2 instead by typing "sudo losetup -o32256 -r /dev/loop2 /mnt/ewf/nps-2008-jean". In step #7 you will then have to refer to /dev/loop2 instead.

    - Alternatively, remove whatever is using loop0 via "sudo losetup -d /dev/loop0" and then try step #5 again.

    Below is the output I see after successfully completing step #7 and then typing "sudo losetup -a"

    /dev/loop0: [0016]:3 (/mnt/ewf/nps-2008-jean), offset 32256
    /dev/loop1: [000e]:1435 (/dev/loop0)

    BTW Rob Lee just did a write up on mounting EnCase files in his blog at http://blogs.sans.org/computer-forensics/

    Hope this helps.

  8. Thanks, I'll try it out. I did see his post and tried his mount command (mount -o ro,loop,show_sys_files,streams_interface=windows,offset=32256 nps-2008-jean /mnt/windows_mount/). The command looks to have taken, but when I go to the /mnt/windows_mount directory nothing is visible. I was expecting to see the evidence at that point, which I could not.

    Regardless, I mounted the e01 file logically on my XP forensic VM and got to everything that way. I just have to manually bring back the evidence that I want to examine with SIFT tools to the SIFT VM.

    I like your writeup and it's helped me a lot. I think this is a good practice case and it's not as easy as it may initially seem.

  9. It's unfortunate/weird that you're getting so many problems.
    Just a thought re Rob's mounting method - have you checked the owner of "/mnt/windows_mount"? I assume you mounted it as root (using sudo mount) so if you subsequently run an "ls -al /mnt/windows_mount" (i.e. as the sansforensics user), you won't be able to get the full listing... Try using "sudo ls -al /mnt/windows_mount" instead. If you see everything then consider using the chown command to change the ownership/read permissions of "/mnt/windows_mount" to sansforensics so you don't have to access it as root/sudo.
    Thanks for your feedback - it's nice to know that someone is actually reading the blog/finding it useful.
