Sunday, July 15, 2012

A quick note on Fraud <-- from the trenches

Just finished an interesting investigation, where millions of dollars had been stolen by a salesperson. It turned out that the company's KPIs (Key Performance Indicators) were based on sales volume, not on how much profit the sales team made for the company. This approach breeds all kinds of corruption.

In this particular case CCleaner and Eraser had been used 4 times before I got the computer. The guy simply didn't think of the automatic Apple backups that were made every time he connected his precious iPad to his work computer.

Lately, I have noticed that it has become more frustrating to navigate the web. Ads are pushed onto my screen from every imaginable place. What's more annoying is that many show up before the content of the page you were urgently looking for, with a little button in some obscure place allowing you to skip or fast-forward the ad. I wonder how many annoyed or naive customers actually click on this kind of ad, and whether these ads are doing more damage than good for the advertiser.

To me, this particular advertising model is not dissimilar to the above-mentioned case with all the consequences arising therefrom.

Wednesday, July 4, 2012

Miscellaneous things


Windows 7 is finally replacing Windows XP in both private and corporate environments. According to StatCounter, Windows 7 passed the 50% threshold in June this year. I have been using Windows 7 almost from day one and have used it as my main forensic platform since the release of SP1. I found that Windows 7 is more sensitive to hardware changes than Windows XP and occasionally simply refuses to boot after changing motherboard settings or adding new hardware.

I still use a Dell Optiplex 755 for research and development. 8GB of RAM and a quad-core CPU handle most tasks at acceptable speeds. Last week I reinstalled the Win 7 OS, and this week I decided to add two 2TB drives configured in RAID-0. I went into the BIOS, changed the drive operation mode from the default AHCI to RAID, and configured these two HDDs in the Intel Storage RAID controller as RAID-0.

The OS refused to boot. I remembered how sometimes Windows XP would go into a 'BSOD' and Advanced Host Controller Interface (AHCI) mode had to be switched off in the BIOS. Obviously the issue was related to AHCI/RAID. The Win 7 automatic repair option didn't help, and I went online looking for a solution. It only took me two minutes to find the fix. I disconnected the two RAID-0 drives, changed back to AHCI mode and booted Windows 7. I then edited two registry values, changed their value data to 0, switched back to RAID mode and, voila, everything works again.



Don't drop your Thunderbolt cable

I have been holding back on Thunderbolt technology due to its price and the lack of available storage devices. My focus this year was on USB3. Adding USB3 drivers to a WinPE Forensic Live CD, for example, is easy to do, and ExpressCards are cheap and extremely useful when imaging laptops that have no USB3 interface.

Thunderbolt is still an expensive technology; even cables are $50 plus. The technology is very promising though and is gaining popularity. Thunderbolt cables are expensive for a good reason.

They aren't just a bunch of interconnected copper conductors anymore. To be able to sustain a 10Gbps bidirectional data transfer rate, these 'wires' currently have four integrated circuits at both ends. Transceivers, microcontrollers, 3V power management and voltage regulation chips and a 15V power supply are built into the wire, making it a very sensitive and advanced piece of hardware.

Monday, May 28, 2012

A short X-War story.

Around two years ago I got a new job. Part of my responsibility was to build the firm's Computer Forensic practice almost from scratch. On my first day at work I was out imaging a dozen computers, and then brought the acquired images for processing into a room which later became our computer forensics lab. A Dell Optiplex 755 and EnCase were the only tools available at the time, and the current investigation urgently demanded computer forensic reports/results. Just as a side note: I have been in the industry for many years, have MCSE certifications and knew well how to install and properly configure a forensic workstation and tools.

Twenty-four hours later I was nowhere with these images, still dealing with constant EnCase crashes. Downgrading the EnCase version or calling tech support was of no help. Using open source tools was not an option due to the time constraints, and to make things worse I had access to only a very slow Internet connection.

I gave X-Ways a call and arranged an urgent delivery of an X-Ways Forensics dongle. It arrived in a couple of days. In just a few hours I had information flowing to the investigators. About six days (and nights) later I had all the reports done. X-Ways Forensics was rock solid, with not a single crash.

Currently X-Ways Forensics is in a very active development stage, with new features being added almost on a weekly basis. Mind you, X-Ways is already a very advanced tool with many unique features that are not yet available in EnCase or FTK. Volume Shadow Copy support is a good example. The tool also often interprets data more accurately than other mainstream forensic tools. I just read Mike's post regarding disks using 4k sectors. Mike in his recent post mentioned X-Ways as the only forensic tool able to correctly interpret info from such disks (EnCase 7 might work as well, so maybe some folks will actually start using it :-). This is consistent with my experience and very illustrative.

Looking at the latest features of X-Ways, I wonder if the team of developers at X-Ways ever sleeps. Just added: support for VMDK snapshot images, support for NK2 Outlook auto-complete files, IE travellog files, and metadata extraction from the manifest.mbdx and manifest.mbdb iPhone backup files. The most significant addition for me personally is a plug-in to run Python scripts as X-Tensions for X-Ways Forensics. Did I mention that you actually hear back from their technical support?

Monday, April 23, 2012

USB Flash drive Serial Numbers - "UNIQUE"?

Formatted USB flash drives (a.k.a. thumb drives etc.) have Volume Serial Numbers generated when the new filesystem is created. The algorithm depends on the file system and OS. The Volume Serial Number can easily be changed with a hex editor at the following locations:

FAT 12/16 - 4 bytes at offset 0x027
FAT 32    - 4 bytes at offset 0x043
NTFS      - 8 bytes at offset 0x048

or by using one of the myriad free tools that can be found on the Internet. Volume Serial Numbers are important from the forensic investigation standpoint, and there is plenty of good material written on this topic. The most prominent, in my view, is written by Craig Wilson, Rob Lee and Harlan Carvey.
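As an added example (not from the original post), here is a small Python parser that reads the volume serial from a boot sector using the offsets above and compares the primary sector with the backup copy the filesystem keeps; the boot sectors it runs on are constructed inline, and the offsets are assumed to count from the start of the volume's boot sector.

```python
import struct

# Volume serial number location per filesystem, as listed in the post:
# (offset from the start of the boot sector, length in bytes).
LAYOUT = {"FAT12/16": (0x27, 4), "FAT32": (0x43, 4), "NTFS": (0x48, 8)}

def detect_fs(sector: bytes) -> str:
    """Classify a 512-byte boot sector from its OEM ID / BS_FilSysType strings."""
    if sector[3:11] == b"NTFS    ":
        return "NTFS"
    if sector[0x52:0x57] == b"FAT32":                 # FAT32 BPB type string
        return "FAT32"
    if sector[0x36:0x3B] in (b"FAT12", b"FAT16"):     # FAT12/16 BPB type string
        return "FAT12/16"
    raise ValueError("unrecognised boot sector")

def volume_serial(sector: bytes) -> str:
    """Serial as Windows shows it (XXXX-XXXX); NTFS keeps a 64-bit value, shown as 16 hex digits."""
    fs = detect_fs(sector)
    off, size = LAYOUT[fs]
    if size == 4:
        value = struct.unpack_from("<I", sector, off)[0]
        return f"{value >> 16:04X}-{value & 0xFFFF:04X}"
    value = struct.unpack_from("<Q", sector, off)[0]
    return f"{value:016X}"

def serial_consistent(primary: bytes, backup: bytes) -> bool:
    """Compare the primary boot sector with the backup copy (FAT32: sector 6, NTFS: last
    sector of the volume). A hex-editor edit of the primary alone leaves the two disagreeing."""
    return volume_serial(primary) == volume_serial(backup)

def make_sector(fs: str, serial: bytes) -> bytes:
    """Constructed minimal boot sector for the example; real sectors carry a full BPB."""
    off, size = LAYOUT[fs]
    assert len(serial) == size, "serial must be exactly the field length"
    sector = bytearray(512)
    if fs == "NTFS":
        sector[3:11] = b"NTFS    "
    elif fs == "FAT32":
        sector[0x52:0x5A] = b"FAT32   "
    else:
        sector[0x36:0x3E] = b"FAT16   "
    sector[off:off + size] = serial
    sector[510:512] = b"\x55\xAA"                     # boot sector signature
    return bytes(sector)
```

For a real image, read 512 bytes at the volume's start and pass them to volume_serial(); pair that with the backup sector to run serial_consistent().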

Unlike Device Serial Numbers, Volume IDs get captured by all forensic imaging tools. Device Serial Numbers, however, have been considered by computer forensic practitioners as more reliable and "unique" artefacts. In Windows there are several places where Device Serial Numbers get recorded/logged; the USBStor registry key and the Windows setup log files (Setupapi.log on Windows XP, or its equivalent on Vista and above) are the most obvious ones. It is also a well-known fact that when a USB flash drive has no serial number, the system assigns the device its own number, with an ampersand symbol as the second character of this serial number.

The question is, how "UNIQUE" are these Device Serial Numbers?
Well, as it turns out, these numbers are not necessarily unique. There could be several reasons for this.

1. There is a tool that gamers use to spoof device serial numbers, called PB DownForce. It is capable of temporarily changing the device serial number. The serial number can be changed to a random or a predefined serial number.

This won't fool tools like USBDeview (see picture below), but software that relies on the operating system to obtain the serial number will fall for it.

2. USB drive serial numbers are meant to be at least 12 valid characters, represented as a UNICODE string. "The last 12 digits of the serial number shall be unique to each USB idVendor and idProduct pair" according to the Universal Serial Bus Mass Storage Class specification.

   Valid Serial Number Characters

   Numeric                  ASCII
   0030h through 0039h      "0" through "9"
   0041h through 0046h      "A" through "F"

These requirements have not been adopted as a mandatory standard, and a lot of manufacturers use shorter and in many cases identical numbers on their cheaper drives.

3. Big brands do use "unique" serial numbers, especially on their upper-class, higher-capacity USB devices. Still, some reuse serial numbers every 6 million units, as was the case with one popular USB storage manufacturer I had to deal with.

4. Devices can be FAKE. On eBay there are plenty of fake 'false capacity' USB flash drives, including brand-name counterfeits such as 16GB Kingston, 32GB SanDisk etc. Serial numbers on these devices can be either all identical or generated at random.

5. A user can change the device serial number accidentally or on purpose. There are many tools, mostly used to fix faulty USB flash drives, that are capable of changing the device serial number. The FixFakeFlash Inspectortech website is a good place to learn more about fake USB devices and about tools capable of changing many parameters on a USB device, including the serial number and the ability to create, encrypt, hide or write-protect certain areas on the device.

The above-mentioned tools are designed to work with specific USB flash drive controllers, and you of course must have the right one to be able to reprogram the device.

The name of the memory controller can be encoded in the original (factory-set) Serial Number. For example, some Kingston devices have the letter A, B, E, C or F in the 13th position of the serial number:

Kingston DataTraveler 200 USB Device SN: 001A92053B6ABB4131340023

A        - SkyMedi
B or E - Phison
C or F - SSS
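Pulling the points above together, here is an added Python triage helper (not the author's code) that applies the 12+ hex-character convention, the ampersand rule for Windows-generated ids, per-VID/PID duplicate detection and the Kingston 13th-character controller hint to a list of USBStor-style entries; the sample entries and their VID/PID values are constructed for the example.

```python
import re
from collections import Counter

# USB Mass Storage Class convention quoted in the post: at least 12 characters drawn from
# "0"-"9" (0030h-0039h) and "A"-"F" (0041h-0046h); only the last 12 are promised unique per VID/PID.
VALID_SERIAL = re.compile(r"^[0-9A-F]{12,}$")

# Controller family hinted by the 13th character of a factory Kingston serial (table in the post).
KINGSTON_CONTROLLER = {"A": "SkyMedi", "B": "Phison", "E": "Phison", "C": "SSS", "F": "SSS"}

def is_windows_generated(serial: str) -> bool:
    """Windows substitutes its own instance id, with '&' as the second character, when a device has no serial."""
    return len(serial) > 1 and serial[1] == "&"

def spec_compliant(serial: str) -> bool:
    return VALID_SERIAL.match(serial) is not None

def kingston_controller(serial: str) -> str:
    """Controller vendor suggested by position 13 of a Kingston serial, or 'unknown'."""
    return KINGSTON_CONTROLLER.get(serial[12], "unknown") if len(serial) >= 13 else "unknown"

def triage(entries):
    """entries: (vendor, VID, PID, serial) tuples as transcribed from USBStor.
    Returns {serial: {"flags": [...], "controller": str}}; an empty flags list means nothing weakens it."""
    seen = Counter((vid, pid, serial[-12:]) for _, vid, pid, serial in entries)
    report = {}
    for vendor, vid, pid, serial in entries:
        flags = []
        if is_windows_generated(serial):
            flags.append("no hardware serial: Windows-generated instance id")
        elif not spec_compliant(serial):
            flags.append("shorter than 12 characters or outside 0-9/A-F")
        if seen[(vid, pid, serial[-12:])] > 1:
            flags.append("last 12 characters repeated on another device with the same VID/PID")
        controller = kingston_controller(serial) if vendor.lower() == "kingston" else "n/a"
        report[serial] = {"flags": flags, "controller": controller}
    return report

# Constructed sample (VID/PID values are placeholders); the first serial is the DataTraveler example from the post.
SAMPLE = [
    ("Kingston", "1111", "0001", "001A92053B6ABB4131340023"),
    ("Generic", "2222", "0002", "AA04012700013"),
    ("Generic", "2222", "0002", "AA04012700013"),     # same serial on a second cheap drive
    ("NoName", "3333", "0003", "7&2A1B3C4D&0"),        # no serial: Windows made one up
    ("Cheap", "4444", "0004", "0123"),                 # too short to be unique
]
```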

To my knowledge similar tools are available for the memory controllers listed below:
  • Alcor
  • Ameco (MXTronics)
  • Chipsbank
  • iCreate
  • ITE tech
  • Netac
  • OTI
  • Phison
  • Prolific
  • Skymedi
  • SMI (Silicon Motion)
  • SSS (Solid State System)

In addition to USBDeview there is another excellent tool called ChipGenius (by Chinese developers) that provides a lot of useful information about a USB device. The tool can be used to check pretty much all types of USB devices, including external hard drives and MP3 players, detect fakes and view the device controller vendor.

It displays chip model, manufacturer, revision number, VID/PID, interface speed, protocol, serial number and media type information.

Finally, unlike Volume Serial Numbers, Device Serial Numbers are not captured by most forensic imaging tools. The only exception to this rule I know of is Tableau imagers. Both the hardware (TD1 & TD2 duplicators) and the software (TIM, a.k.a. Tableau's High Performance Software Imager) include the Device Serial Number in the acquisition log automatically (but not in the image itself).

Speaking of Tableau devices, the new generation TD duplicator, TD2, is looking really sexy. TD1 has been used by my team quite extensively. The new version "can optionally include USB, SCSI and SAS suspect drive" support, and what is even more exciting is the ability to image 1:2, or as Tableau calls it, "Twinning" support. According to the specifications it also supports the EnCase v7 .ex01 (AES encrypted) format. I am definitely going to order one of these very shortly.

Wednesday, April 11, 2012

HELLO - Almost missed it.

Computer forensic tools are rapidly improving and are making forensic examinations easier for the masses. Only a qualified forensic practitioner, however, can reliably produce consistently good results.
For example, at present no computer forensic tool can properly detect, search and index text stored as Unicode escape sequences. I have recently been working with an image containing some iPad sqlite3 backup files and found an extremely important piece of evidence almost by accident. Well, not exactly by accident; I had just been thorough, really.
\u0048 \u0045 \u004c \u004c \u004f means HELLO when you convert it from Unicode-escape, which Apple tends to use quite extensively for recording non-Latin characters. Python comes to the rescue (once again) with its built-in sqlite3 library to pull the data and .decode('unicode_escape') to convert it.

A quick script solved the problem, so I get some free time to finally watch "George Harrison: Living in the Material World" this weekend which has been on my to-do list for a couple of months now.
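As an added example, not the author's script, here is a Python routine that decodes runs of \uXXXX tokens (including escaped surrogate pairs for characters outside the BMP) and searches a constructed in-memory sqlite3 table the way a tool would have to in order to find the HELLO above; the table layout and rows are made up for the example.

```python
import re
import sqlite3

# One or more \uXXXX tokens, optionally separated by whitespace as in the post's "\u0048 \u0045 ..." sample.
ESCAPE_RUN = re.compile(r"\\u[0-9A-Fa-f]{4}(?:\s*\\u[0-9A-Fa-f]{4})*")

def decode_escapes(text: str) -> str:
    """Replace every run of \\uXXXX tokens with the characters they encode. Escaped surrogate pairs
    (e.g. \\ud83d\\ude00) come out of 'unicode_escape' as two lone surrogates, so re-join them via UTF-16."""
    def repl(match):
        run = re.sub(r"\s+", "", match.group(0))            # drop spacing between tokens
        decoded = run.encode("ascii").decode("unicode_escape")
        return decoded.encode("utf-16", "surrogatepass").decode("utf-16", "replace")
    return ESCAPE_RUN.sub(repl, text)

def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a backup table; the rows are made up for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, text TEXT)")
    conn.executemany("INSERT INTO message (text) VALUES (?)", [
        ("\\u0048 \\u0045 \\u004c \\u004c \\u004f",),              # the post's HELLO
        ("meet at \\u041c\\u043e\\u0441\\u043a\\u0432\\u0430",),    # Cyrillic 'Москва'
        ("plain text row",),
        ("\\ud83d\\ude00 ok",),                                    # surrogate pair, U+1F600
    ])
    return conn

def search(conn: sqlite3.Connection, needle: str):
    """Case-insensitive search over the decoded text; a plain SQL LIKE on the stored column
    would miss every escaped row. Returns (id, decoded text) pairs."""
    hits = []
    for row_id, text in conn.execute("SELECT id, text FROM message ORDER BY id"):
        decoded = decode_escapes(text)
        if needle.casefold() in decoded.casefold():
            hits.append((row_id, decoded))
    return hits
```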

And to make it clear, the important piece of evidence I found wasn't the word "HELLO".

Monday, February 27, 2012


Sharing information on the net has some risks associated with it. "..if you rear yourself against it, you shall fall, you shall be bruised, you shall be battered, you shall be flawed, you shall be smashed." Dickens, Bleak House (1853). Yet still, I would rather see more information and a healthy discussion or argument about an issue than see nothing. I am glad to see more computer forensic blogs popping up; some of them are really great and some are just excellent. Periodically I get a chance to speak to very knowledgeable people. There is a lot to learn from these people, but they become terrified at the very thought of putting snippets of their knowledge or ideas online.

Yes, there are risks if you haven't verified your information or your assumptions were wrong. You may very well end up in a situation like this snowman.

There might be some people out there showing off their "knowledge" without doing a thing themselves to contribute to the computer forensic community. These people usually look and behave like this snowman :-)

Remember the 'Star Thrower' story by Loren C. Eiseley, where a young girl was on a beach full of starfish washed up after a storm. She was picking them up and throwing them back into the ocean. When she was told that she couldn't possibly make any difference because there were thousands of them around, she picked up another one and said "Well, I made a difference to that one!".

Unfortunately I don't post often, simply because I am currently working in a country where the computer forensics discipline is in its infancy and only one university has recently launched a computer forensic course. There is a lot of work in educating, training and explaining besides working the cases, which leaves me with very little time for any research or blogging.

You can't say I am not trying though :-)

.. and yes, lots of snow around.

Friday, February 17, 2012

PFX – Personal inFormation eXchange

A password and a PFX file are needed to open encrypted e-mail messages whose content is enveloped and attached as smime.p7m. PRTK does a good job at cracking passwords, but some PFX files have different headers which PRTK would not recognise. Chilkat Python Modules come in pretty handy in this situation. The modules come with a fully-functional 30-day trial and need to be purchased for use beyond this period or for commercial purposes. I wrote a script, based on one of the Chilkat module examples, to allow a dictionary attack on a PFX file and a p7m encrypted message. The code is quick and dirty, but gets the job done.
You will need your .p7m encrypted message, your .pfx file and a good ASCII-formatted wordlist with a .txt, .dic or .lst file extension.

The sample code is provided for illustrative purposes only and "AS IS" without any warranties of any kind. :-) The code has not been thoroughly tested under all conditions, but should work fine if you know what you're doing. Here is the LINK to it. It should work fine on Windows and maybe on Lin/Mac machines as well (some modifications may be needed). The script relies on Chilkat modules, which must be installed prior to running the script. Instructions are on the pyPFX project home.