Booklet
1. Just 4 meeting - Tiago Henriques - Computer Forensics Workshop
In this booklet you will find the materials needed to participate in the computer
forensics workshop at the Just 4 Meeting event.
During this workshop you will learn the basic parts of a Computer Forensic
Investigation, and will then work on a set of exercises where you put into practice what
you learned.
In some parts you will have to try and think 'outside the box' to reach a solution;
this is a skill that cannot be taught: you either have it or you get it with years of
experience in the field.
The exercises start at a basic level and increase in complexity. Also, and
very importantly, when you solve one exercise you will get an indication of how to
reach the next one.
Following is some information that you need to know before starting.
With this booklet you will also receive:
-A DD image of a Windows XP installation, captured from what we will call in
this scenario the 'Suspect machine'. The acquisition was done by inserting a live CD of
DEFT Linux into the Suspect machine, mounting the Windows XP partition read-only
and running the command dd if=/dev/sda conv=noerror,sync bs=65000 | nc
192.168.1.45 1337. This makes dd create a bit-for-bit copy of the partition and
send it through netcat to our 'Acquisition machine', where we type nc -l 1337 | dd
of=/home/tiago/evidence/suspect.dd .
Depending on the size of the partition being imaged, this process can take from a few
minutes to a couple of hours, which is why we won't make you go through it and provide
you directly with the DD image.
So that we don't waste time copying the DD image into the Ubuntu image, I will
put the DD file inside the VirtualBox image straight away.
Another important point: this was an NTFS partition!
-A VirtualBox disk image. This is a simple Linux Ubuntu installation with some forensic
tools already installed. Everyone should have VirtualBox installed; in case
you don't, request it and I will provide you with the setup file for your operating system.
You should then import this image into VirtualBox and start the virtual machine. This
virtual machine has all the tools needed to finish the exercises given in this
workshop.
List of tools needed to solve the exercises (it is not mandatory to use these; feel free to
use others if you prefer):
Autopsy-sleuthkit
Bless Hex editor
Winrar - use command rar
Gedit
VLC
Totem music player
Wireshark
tcpdump
tcpxtract
chaosreader
2. In Exercise 1 we will simply start Autopsy, which is a web front end for Sleuthkit,
and have a go at some of its features. For those of you who don't know,
Sleuthkit is a set of tools that allows you to analyse volume and file system data.
As mentioned before, the .DD file will already be located inside the VirtualBox Ubuntu
image. So the first thing we have to do is open a command line and start autopsy.
root@thor:/home/balgan# autopsy
================================================================
Autopsy Forensic Browser
http://www.sleuthkit.org/autopsy/
ver 2.21
================================================================
Evidence Locker: /var/lib/autopsy
Start Time: Mon Jun 21 13:13:24 2010
Remote Host: localhost
Local Port: 9999
Open an HTML browser on the remote host and paste this URL in it:
http://localhost:9999/autopsy
Keep this process running and use <ctrl-c> to exit
We then follow the on-screen instructions and point our browser to
http://localhost:9999/autopsy
3. If we press 'New Case' we are presented with a page that asks us for some
information:
Case Name - Suspect 1
Description - Simple one-line description of what this case is about
Investigator Name - Tiago Henriques
Press 'New Case'.
We are then presented with:
4. Then we add a Host to this case by pressing the 'Add Host' button.
We are then asked for the host information.
Next we are asked to add the 'Image' related to this host, so we proceed to
point to the .DD file,
and in Type we choose DISK.
5. We press 'Next'.
We can ignore the file hash in this case,
and add the image.
We can then explore all the different tools provided to us.
In this exercise we will focus on 'Analyze' and file system analysis.
When we press 'File System Analysis', we are presented with a view of C:/
6. In File Browsing we can preview a file. After we find an interesting file we can
export it and use the tools installed on our machine to analyse that file.
7. You can find the Exercise 1 folder on C:/. Try getting the Word file located inside the
folder onto your computer (the folder name should be pretty obvious :) ), open it with
a hex editor and locate Exercise 2.
Hex Editors
Every time you need to analyse the content of a file you will most likely use a hex editor!
Installed on your Analysis machine is a hex editor called Bless!
8. A hex editor is relatively simple to use: you can search for different strings, which can
help you locate important bits of information faster!
Magic Numbers
To finish this workshop you will be provided with a list of magic numbers. I can
guarantee you that all the magic numbers you will need to finish this workshop are
in the following list:
• JPEG image files begin with FF D8 and end with FF D9. JPEG/JFIF files contain
the ASCII code for "JFIF" (4A 46 49 46) as a null terminated string. JPEG/Exif
files contain the ASCII code for "Exif" (45 78 69 66) also as a null terminated
string, followed by more metadata about the file.
• Microsoft Office document files start with D0 CF 11 E0, which is visually
suggestive of the word "DOCFILE0".
• WAV file magic number - Hex: 52 49 46 46 xx xx xx xx 57 41 56 45 66 6D 74 20, ASCII:
RIFF....WAVEfmt
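The magic numbers above are exactly what a signature scan and a file carve look for. The following is an added example, not code from the workshop: it scans a buffer for the three signatures in the list and carves any embedded JPEG from SOI (FF D8) to EOI (FF D9), which is the job in Exercise 2. build_sample() is a constructed stand-in for the real .DOC on the suspect image.

```python
# Added example (not part of the booklet): signature scan + JPEG carve over a byte
# buffer, using only the magic numbers listed in the workshop.
SIGNATURES = {
    # name: (magic bytes, check on the bytes that follow the magic)
    "JPEG": (b"\xFF\xD8", lambda d, p: d[p + 2:p + 3] == b"\xFF"),  # SOI then a marker
    "MS Office (OLE)": (b"\xD0\xCF\x11\xE0", lambda d, p: True),
    "WAV": (b"RIFF", lambda d, p: d[p + 8:p + 12] == b"WAVE"),  # xx xx xx xx = size
}

def find_signatures(data: bytes):
    """Return (offset, name) for every validated magic-number hit, sorted by offset."""
    hits = []
    for name, (magic, ok) in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            if ok(data, pos):
                hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def carve_jpegs(data: bytes):
    """Carve each JPEG from SOI (FF D8) to the next EOI (FF D9), inclusive.
    Caveat: an Exif thumbnail carries its own FF D9, so this simple rule can
    stop early on such files; check that the carved file opens before trusting it."""
    carved = []
    start = data.find(b"\xFF\xD8")
    while start != -1:
        if data[start + 2:start + 3] != b"\xFF":      # random FF D8, not a real SOI
            start = data.find(b"\xFF\xD8", start + 2)
            continue
        end = data.find(b"\xFF\xD9", start + 2)
        if end == -1:                                  # truncated JPEG: nothing to carve
            break
        carved.append(data[start:end + 2])
        start = data.find(b"\xFF\xD8", end + 2)
    return carved

def build_sample() -> bytes:
    """Constructed input: OLE header, filler text, a minimal JFIF JPEG, a RIFF/WAVE header."""
    ole = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24
    jpeg = (b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + b"\xFF\xDB\x00\x03\x01" + b"\xFF\xD9")
    wav = b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt " + b"\x00" * 20
    return ole + b"Some document text " + jpeg + b"\x00" * 8 + wav

if __name__ == "__main__":
    blob = build_sample()
    for off, name in find_signatures(blob):
        print(f"offset {off:#06x}: {name}")
    for i, pic in enumerate(carve_jpegs(blob)):
        print(f"carved JPEG {i}: {len(pic)} bytes")
```

To use it on the exported Word file, read the file with open(path, "rb").read() and write each carved buffer out with a .jpg extension.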
Winrar
To extract a file on the command line you can use the command 'unrar <filename>'
Wireshark, tcpdump, tcpxtract
9. These are all network forensics tools that should only be used when we are analysing
some sort of network capture file, such as a .PCAP file.
Wireshark is a network sniffer but can also work as a visualiser for .PCAP files;
tcpdump can extract different sessions from a .PCAP file;
tcpxtract can be used to extract commonly known file types such as .TXT, .JPG, .PNG etc. from
network captures (.PCAP files);
chaosreader can be used to analyse sessions within a .PCAP file.
Misc...
All the rest of the standard Linux tools are also provided, such as cat, strings, file, and
some others that can be used to finish these exercises faster and more reliably.
Exercise 2 -
Extract a JPEG out of the .DOC file using a hex editor. This JPEG will be text indicating the
location of the files for Exercise 3.
Exercise 3 -
This JPEG has a bit more to it than it first appears, and it will help you find Exercise 4!
Exercise 4 -
Oh oh, a TrueCrypt image! Maybe that other file can help me, but what is it?
Exercise 5 -
What a weird file; somehow the location of Exercise 6 is inside it.
Exercise 6 -
Somehow recover the file with the address where the meeting is going to happen.