Wednesday, December 15, 2010

Sleuthkit 3.2.0 on Ubuntu 10.10

Some time ago I wrote a short how-to on installing the Sleuthkit on Ubuntu. Recently I tried to install the latest Sleuthkit 3.2.0 on Ubuntu 10.10 (32-bit) and ran into a problem when compiling it. It took me some time to figure out how to get it working.

Step 1:

sudo apt-get install libewf1 libewf-dev zlib1g-dev build-essential libexpat1-dev libfuse2 libfuse-dev fuse-utils gvfs-fuse libncurses5-dev libreadline-dev uuid-dev libssl-dev

Step 2:

Download and extract afflib 3.6.4
In a terminal, go to the extracted directory and run the usual build steps, finishing with
sudo make install

Step 3:

Download Sleuthkit 3.2.0 and extract it. Next I had to apply a quick fix by adding an LDFLAGS link option to a file inside the extracted sleuthkit-3.2.0 directory. Adding the following line seems to fix the problem:

LDFLAGS="$LDFLAGS -lsqlite3 -lpthread -ldl"

I then navigated to the sleuthkit-3.2.0 directory in a terminal and ran

sudo make install


Tuesday, December 7, 2010

iSCSI initiator on Win 7

F-Response (and Helix3 Pro) can both be handy for imaging over iSCSI. The Win 7 iSCSI initiator looks slightly different from the Win XP one.

Typing iscsicpl and hitting Enter brings up the initiator.

In the Discovery tab press Discover Portal. This opens another window, Discover Target Portal. Enter the IP address and port (if not the default) and click the Advanced button.

In the Advanced Settings window tick Enable CHAP log on and enter the username and password as per the F-Response target configuration.

The target(s) should now appear in the Discovery tab.

In the Targets tab the drive should be listed with its status shown as Inactive.
Click the Connect button.

Another window opens with an option to add this disk to the favourite targets. It is up to you whether you'd like to do that or not. Click the Advanced button.

The same procedure applies here: enable CHAP log on and enter the username and password.

The drive should be connected now.

Tuesday, November 30, 2010

Imaging SAS drives the easy way.

Every time I came to image machines with Serial Attached SCSI (SAS) hard drives, I thought about a SAS write blocker. The problem was that no such thing was available. Live CDs, F-Response, live imaging, SAS to SATA adapters (I haven't tried this one) or SAS cards were the only options. I am glad that Tableau recently came up with one such device. It is called the Tableau T6es SAS and I am just about to get one.


Many nice things have already been said about FTK Imager 3, which is certainly my tool of the year. It even works from a USB flash drive, with all the nice new features for mounting image files. Just copy the folder from "C:\Program Files (x86)\AccessData\FTK Imager" onto your portable drive and you are pretty much set.

Tuesday, November 23, 2010

iOS 4.2 has arrived!

Apple iOS 4.2 has finally arrived, making my beloved iPhone and iPad even more functional and probably introducing new bugs/vulnerabilities. I must admit that I have lately jumped on the Apple wagon; right now I am typing this post on a MacBook Pro :-) .

I still do most of my forensic work on Windows machines and only occasionally use Linux.
Having a busy life lately, I have the Mac(s) mostly for personal use, and the main reason for choosing Apple devices was their functionality, relative security and low maintenance.

I recently attended a presentation where several current Windows vulnerabilities/hacks were demonstrated. These little beasts were able to disable all major antivirus solutions, even when executed with 'guest' privileges. Another logical attack vector against commercial antivirus software is an attack on its licence, for example by corrupting the licence or moving the clock into the future so that the AV licence expires. Several commercial products dropped their defences straight away in my tests.

The funniest thing was that the above-mentioned presentation was given right after a computer forensics presentation by a young and very enthusiastic person, who questioned the need to keep a forensic machine disconnected from the Internet while performing an examination. I simply have no time or energy to deal with the possible security compromises and other issues that may arise from having my forensic machine connected to the Internet. At the end of the day I bought these Apple gadgets to save my time for something better than constantly fixing my home Windows computer or checking the firewall and security logs on my forensic machine :-) after each examination.

Monday, November 15, 2010

BranchCache - Distributed Cache Mode

BranchCache is designed to solve problems with the availability of information in remote offices with slow WAN connections.

According to Microsoft, BranchCache is only supported on Windows Server 2008 R2, Windows 7 Enterprise and Windows 7 Ultimate. The technology supports two modes: Hosted Cache and Distributed Cache. It allows data to be cached on computers in the remote branch office and made available to other computers in the branch.

In Hosted Cache mode, the content is cached on a Windows Server 2008 R2 content server on the remote branch network. In Distributed Cache mode the content is distributed between Windows 7 client computers on the remote branch network and no additional server infrastructure is required. When distributed mode is enabled, a client computer first receives the information from the BranchCache content server at the head office. The next client computer that requests the same information from the head office only receives the (small) content information, and the actual content is obtained from another client computer in the remote branch.

File changes are tracked using hashes. If a client cannot find the necessary file in its own cache, it sends requests to the local subnet over UDP and then fetches the file from one of the local client computers over HTTP/HTTPS.

Not only the actual content but also the requests and the 'content information' could be a good source of valuable evidence.

Monday, September 27, 2010

Evidence movers

Using an evidence mover helps to transfer files around while preserving their integrity. It also saves a lot of time on image verification after the evidence has been transferred. I have been using MicroForensics Evidence Mover (the latest version is 1.1.17) for quite some time now. It is a nice free tool. There is one little problem with it: when the destination drive becomes unavailable, MicroForensics Evidence Mover happily reports that all files have been transferred successfully. Unless you check the logs and make sure that every (source) file is listed in the log, there is a good chance that the transfer is incomplete.

Nuix Evidence Mover 2.0.21 is also free and looks and feels like the one from MicroForensics, except for one little detail: the tool from Nuix actually reports whether all files have been transferred OK. If the destination drive becomes unavailable during the transfer, you will not see a line similar to this one:

09/27/10 12:09:58 - All files were moved successfully
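As an added example (not code from MicroForensics or Nuix), here is a minimal evidence mover that hashes each file, verifies the copy at the destination and then reconciles the log against the source tree, so an interrupted transfer can never be reported as complete; the SHA-256 choice and the function names are my own.

```python
# Added example, not code from MicroForensics or Nuix: copy evidence with
# per-file hashing, verify every copy, and reconcile the log against the
# source tree so an interrupted transfer is never reported as complete.
import hashlib
import os
import shutil


def sha256_of(path):
    """SHA-256 of a file, read in 1 MiB chunks (hash choice is assumed)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def list_files(root):
    """All regular files below root, as sorted paths relative to root."""
    found = []
    for d, _, names in os.walk(root):
        found.extend(os.path.relpath(os.path.join(d, n), root) for n in names)
    return sorted(found)


def move_evidence(src_root, dst_root):
    """Copy every source file and return a log of (relpath, sha256, status).
    A destination that vanishes mid-transfer raises OSError, which is
    recorded as FAILED instead of being silently dropped from the log."""
    log = []
    for rel in list_files(src_root):
        src, dst = os.path.join(src_root, rel), os.path.join(dst_root, rel)
        try:
            expected = sha256_of(src)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            status = "OK" if sha256_of(dst) == expected else "HASH MISMATCH"
        except OSError as err:
            expected, status = "", "FAILED: %s" % err
        log.append((rel, expected, status))
    return log


def reconcile(src_root, log):
    """Source files not logged as OK; an empty list means the transfer is
    complete. This is the check the post recommends doing by hand."""
    ok = {rel for rel, _, status in log if status == "OK"}
    return [rel for rel in list_files(src_root) if rel not in ok]
```

Only an empty result from reconcile() should be reported as "all files moved successfully".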

Friday, September 17, 2010

DRM protection

This pastebin page has probably been one of the most visited places lately. The hardware Blu-ray rippers HDfury2 and DVIMagic may soon have software competition, as the HDCP master key has got out into the wild.

Saturday, September 11, 2010


The FTK 3.x "PATTERN" search uses the Boost C++ RegEx library, which is the new name for Regex++.

Boost offers three main syntax options: Perl, POSIX extended and POSIX basic, with Perl as the default. It is good to know that FTK definitely uses the Perl implementation. The exact RegEx syntax is available here.

... and yes, I am back. Well, kind of... I'm just not sure how often I'll be able to post here.

Thursday, February 25, 2010

This blog will be updated soon!

This blog has not been updated for some time. I am planning to update it soon.

Saturday, January 30, 2010

Acronis Try&Decide

Acronis True Image Home 2010 is a backup utility that can perform full, differential and incremental backups. Being able to mount an Acronis backup image as a logical drive in read or read/write mode is also handy. Acronis True Image is more than just backup software, however. It includes Disk Cleanser, File Shredder and System Clean-up, which wipe data stored on a hard disk, individual partitions or individual files.

The software also has a nifty feature called "Try and Decide". As the name suggests, it is designed to give users a second chance while they make potentially dangerous changes to the system. It is easily activated by pressing the "Try&Decide" button.

When Try and Decide is activated, all changes made by the user are recorded in an automatically created folder named "Acronis Try&Decide" on an external hard drive instead of drive C. Virtualisation technology is used to "isolate your "real" operating system from changes", and there is no need to install VMware or other virtualisation software.

Try&Decide continues working after the system reboots. Upon completion, the user is presented with options to accept or discard the changes.

After the changes have been discarded and Try&Decide stopped, the "Acronis Try&Decide" folder is deleted automatically.

Inside the "Acronis Try&Decide" folder the program creates a sub-folder with a name similar to C59FD9A9-D675-48B8-80E2-38662B09C411. This sub-folder contains a single file in which Acronis stores all the temporary data. Searching for the hex value 4163726f746e6430 should locate this file unless it has been overwritten.
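An added example (not Acronis' code) of the search described above: a chunked scan of a raw image for the hex value 4163726f746e6430, reporting the byte offset and 512-byte sector of each hit. The sample image is constructed inline; the part worth noting is the overlap carried between chunks, which is what keeps a hit that straddles a read boundary from being missed.

```python
# Added example, not Acronis code: scan a raw image for the Try&Decide
# data-file signature quoted in the post, 41 63 72 6f 74 6e 64 30.
import io

SIGNATURE = bytes.fromhex("4163726f746e6430")  # the hex value from the post


def find_signature(stream, sig=SIGNATURE, chunk_size=1 << 20, sector=512):
    """Return [(byte_offset, sector_number), ...] for every hit in stream.
    The image is read chunk by chunk; the last len(sig)-1 bytes of each
    chunk are carried into the next so a hit on a chunk boundary is kept."""
    hits = []
    carry = b""
    base = 0  # absolute offset of buf[0] on the next iteration
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk
        pos = buf.find(sig)
        while pos != -1:
            off = base + pos
            hits.append((off, off // sector))
            pos = buf.find(sig, pos + 1)
        keep = len(sig) - 1          # too short to contain a full hit twice
        carry = buf[-keep:] if keep else b""
        base += len(buf) - len(carry)
    return hits


def scan_image(path, **kw):
    """Convenience wrapper for a real raw/dd image on disk."""
    with open(path, "rb") as f:
        return find_signature(f, **kw)


def build_sample_image(size=8192, offsets=(1000, 4093)):
    """Constructed test data: zero-filled image with the signature planted
    at the given offsets (4093 deliberately straddles a 4096-byte chunk)."""
    img = bytearray(size)
    for off in offsets:
        img[off:off + len(SIGNATURE)] = SIGNATURE
    return bytes(img)


if __name__ == "__main__":
    sample = io.BytesIO(build_sample_image())
    for off, sec in find_signature(sample, chunk_size=4096):
        print("signature at byte offset %d (sector %d)" % (off, sec))
```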

Wednesday, January 13, 2010

Knowledge - Management and Retention

Alongside digital forensics and information security, I have always been interested in knowledge management and knowledge retention. These areas are especially relevant to information security and digital forensics because these disciplines rely heavily on highly knowledgeable professionals. When such professionals leave an organisation, they leave a giant gap that has to be filled.

There are several publications on this topic, many of them packed with unnecessary statistical data and useless formulas, and usually as boring as dry toast.

I just finished reading Jay Liebowitz's book "Knowledge Retention Strategies and Solutions" and was pleasantly surprised by the quality of the material. The book is concise and full of insight and knowledge of the topic.

It is hard to disagree with the author who suggests that "younger workers are less likely to stay with one employer for more than a few years" and that a "learning organization" must develop "knowledge retention strategies so that critical knowledge does not walk out the door".

Unfortunately, I haven't seen many such organisations around, at least not in this industry. Instead, I have come across many good professionals who keep their expertise to themselves and only share their knowledge when it suits their own interests. In his book Liebowitz identifies the major challenges to knowledge sharing and states that 'about 80% of knowledge management is people, culture, and process, and only 20% is technology' such as document management systems, wikis etc. He suggests that experts should be motivated to share their knowledge "through being recognized and rewarded". Of course, this requires competent management capable of creating the right atmosphere and building a high level of trust throughout the organisation.

The author also mentions the knowledge-engineering paradox, which I found quite amusing but dead right. The paradox 'means that the more expert an individual, the more compiled his/her knowledge and the harder it is to extract that knowledge'. Recently I was surprised when someone told me that it is occasionally hard to get a quick technical explanation from me. I thought about it for a moment and realised that I have to decompile the information first and only then translate it into language understandable to a non-technical person.

This book is a good read and should be a valuable addition to every computer forensics manager's library.