Hacking Exposed

by Aaron Philipp


  Step 2: Remove the Drive(s) from the Suspect System

  Look inside the system to determine what drive(s) exist and remove them, even if they are not currently attached to any cabling. Create a Chain of Custody form and fill in the fields described in Table 4-1. You will typically want to document one sheet per drive you have removed.

  Depending on your level of comfort in reliably describing and re-creating the technology present in the suspect system, you may want to take photographs of all of the drive connections, cable connections to the case, and general work area for future use. Photos, however, are not required for admittance into court. Whether or not you choose to take pictures is up to your discretion, as well as your company’s policies regarding investigations. (See the sidebar “Legal Brief: Admissibility of Images,” later in this chapter.)

  You can also leave the drives in the system and acquire them with some forensically safe boot disks/CD-ROMs/thumb drives. We do not recommend this, however, until you have experience with the tools and the time to test them.

  Table 4-1 Drive Information Fields for Chain of Custody Form

  Step 3: Check for Other Media

  At this point, the drives are removed and the system is powered off; you now need to look in the floppy drive, zip drive, and any other drive that does not require power to function and is located on the system to see whether any storage media is still located in the drive. This media should be considered evidence and handled as such. Remove all of the media found in the system (at least the media you can remove when the drives are powered down) and fill out the Chain of Custody form for each piece of media removed from the suspect system.

  Also, if you have the authority and right to search the suspect’s work area, you should check all drawers, folders, cabinets, and briefcases in the area for evidence.

  You should always check corporate policies before attempting to search a suspect’s work area, as this could be an area of potential liability for you and your employer.

  Step 4: Record BIOS Information

  At this point, the drives are removed and you have identified and removed the media in the system. You can now safely boot up the system to check the BIOS information.

  In the Chain of Custody form, enter information about the BIOS of the system; you can typically access this information by pressing ESC, DEL, F2, F9, F10, or F11 during the initial boot screen, but this varies radically depending on the system manufacturer, so always try to search the system manufacturer’s Web site ahead of time to determine how to access this information. Once you’ve accessed the BIOS information, you need to record the system time and date in the Chain of Custody form. The BIOS time is important because it can radically differ from the actual time and time zone set for the geographical area in which you are located. The importance of the BIOS time will vary by the file system (NTFS stores Greenwich Mean Time) and operating system, as some will update the time using network time servers. If the BIOS time is different, you need to note this and then adjust the times of any files you recover from the image to determine the actual time and date they were created, accessed, or modified.

  After the power has been restored to the system, eject all media contained in drives that cannot be operated without power (such as some CD-ROMs and DVD-ROMs) and remove them. Then fill out a separate Chain of Custody form for each of the items removed. If you forget to eject the CD-ROM before powering it down, do not worry, because most CD-ROMs can be opened by sticking the end of a paper clip in the tiny hole near the eject button.
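The correction described in Step 4 (note the BIOS clock against a known-good reference, then shift the timestamps of recovered files by that offset) is small enough to script. The Python below is an added example, not code from the book or from any forensic product; the readings and the recovered file record are constructed sample values, and it assumes the recovered timestamps were stamped from the BIOS clock (the page notes that NTFS stores GMT and that some operating systems sync to network time, in which case the offset does not apply unchanged).

```python
from datetime import datetime, timedelta

# Constructed sample readings: what the examiner saw on the BIOS setup screen
# and on a reference clock known to be correct, recorded at the same moment.
BIOS_READING = datetime(2009, 3, 14, 9, 48, 10)
REFERENCE_READING = datetime(2009, 3, 14, 10, 5, 40)


def clock_offset(bios_reading, reference_reading):
    """Amount to add to a BIOS-derived timestamp to obtain the true time."""
    return reference_reading - bios_reading


def custody_note(bios_reading, reference_reading):
    """One line for the Chain of Custody form: both readings and the offset."""
    off = clock_offset(bios_reading, reference_reading)
    sign = "+" if off >= timedelta(0) else "-"
    return (f"BIOS clock {bios_reading:%Y-%m-%d %H:%M:%S}; "
            f"reference clock {reference_reading:%Y-%m-%d %H:%M:%S}; "
            f"offset {sign}{abs(off)}")


def correct_recovered_times(records, offset):
    """Apply the offset to created/accessed/modified times taken from the image.

    The input records are not modified; corrected copies are returned, and the
    values as found in the image are kept under *_bios keys so the adjustment
    remains auditable later.
    """
    corrected = []
    for rec in records:
        out = dict(rec)
        for key in ("created", "accessed", "modified"):
            out[key + "_bios"] = rec[key]
            out[key] = rec[key] + offset
        corrected.append(out)
    return corrected


# Constructed sample of file times recovered from the image, as the BIOS clock stamped them.
RECOVERED = [
    {"path": "C:\\docs\\memo.txt",
     "created": datetime(2009, 3, 1, 12, 0, 0),
     "accessed": datetime(2009, 3, 13, 23, 59, 50),
     "modified": datetime(2009, 3, 2, 8, 30, 0)},
]

if __name__ == "__main__":
    offset = clock_offset(BIOS_READING, REFERENCE_READING)
    print(custody_note(BIOS_READING, REFERENCE_READING))
    for rec in correct_recovered_times(RECOVERED, offset):
        print(rec["path"], rec["modified_bios"], "->", rec["modified"])
```

Keeping the uncorrected values alongside the corrected ones matters when the report is challenged: the adjustment can be shown as a documented, reversible step rather than an unexplained change to the evidence.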

  Step 5: Forensically Image the Drive

  At this point, your steps stop being generic to any system. Here, we go into specifics about tools and technologies used in the imaging process; if you want to emulate this process with tools and technologies not discussed here, do so with caution and only after reading all of the procedures described here to identify similar feature sets you’ll need to enable.

  Modifying Original Evidence

  Be warned that the next steps lead you into the most risky part of your endeavor (other than carpal tunnel from filling out all of the documentation): actual access to the original evidence drive(s). Any time you access the original media, you must take precautions to avoid writing to it. How easy is it to write to the drive accidentally? Consider the following possibilities, which each add information to the drive:

  • Booting up the suspect system in Windows with the drive still in it

  • Using an unmodified DOS boot disk

  • Mounting the drive read/write in Linux

  • Booting up the forensic system in Windows with the original drive attached to it

  • Plugging in the original drive with a USB/FireWire hard drive enclosure in Windows

  • Choosing the wrong drive to write to when collecting evidence

  If any of these scenarios play out, you could be facing disaster. You may write to the original evidence and change a large amount of system times that you need to rely on in the analysis phase. This could lead to unverifiable evidence and your suspect walking away—unless you have a good attorney or established repeatable processes and you have created a well-documented investigation. (You did do that, right?)

  Legal Briefs: The Chain of Custody

  What does chain of custody mean? The chain of custody is a document that details who has had possession and access, thus custody, of the document. The chain of custody is not unique to computer forensics; in fact, it exists in any criminal investigation for which evidence of some type is collected. The chain of custody provides proof that the evidence you have collected during an investigation has not been accessed by anyone else since you collected it, and it provides proof, via documentation, that no one else could have changed the evidence without your knowledge. This is especially important in cases for which you have only an image of a suspect’s system and not the original drive to refer to.

  Countermeasure: Procedures and Tools for Preventing Modification

  If you use any of the following tools or procedures, you will have created a verifiable image of a suspect system—and kept yourself out of trouble.

  Step 5a: Wipe Image Drives Before Using Them

  Before you use a drive to store an image, you should always use some kind of wiping software to clean the drive of any previous evidence. The wiping process allows you to state to a court that any evidence found in your investigation came from the forensic image and is not a remnant of any other evidence collected and stored on the drive. This is accomplished by overwriting every sector on the drive; what data is used to overwrite the drive varies from vendor to vendor. The most basic tools allow you to overwrite a single character sequence, while the most advanced tools use US Department of Defense (DOD) guidelines for random sequences of multiple writes to the disk before finishing. (More information about DOD guidelines for disk sanitizing can be found at www.dss.mil/isec/chapter8.htm.)

  In most cases, a single wipe using a single-character sequence will suffice, and that is demonstrated next.

  Note that you do not have to wipe a drive in order to use any of the imaging tools we cover in this book. The reason you do not have to wipe the drive is that our tools create a file(s) that contains the image of the drive instead of duplicating sector by sector the contents of the drive. If, however, you previously stored extracted evidence, notes, or personal data on this drive, it is still good practice to wipe it as any opposing attorney may request access to it in the future.

  Wipe a Drive Using EnCase

  EnCase provides drive wiping as a standard feature of the software, but it can write only a static set of data out to the drive. This means that if you follow the examples in this chapter, the drive will contain 00 for every sector on the disk. Remember that if you choose to re-create this sector, the tools covered in this book cannot be used to recover the data you have wiped.

  1. Attach the image drive you want to wipe to your system. In this case, you don’t need to be concerned about modifying the contents of the disk, since you are about to overwrite all of it.

  2. Load EnCase in Windows. When wiping using EnCase, the licensed version is not needed; in this case, you can use EnCase in unlicensed or acquisition mode.

  3. In EnCase, choose Tools | Wipe Drive.

  4. In the Wipe Drive dialog box shown here, make sure that Local Devices is selected under Source. Leave the defaults under Include, and then click Next.

  5. You are presented with a list of available drives to overwrite. Notice that the drive from which you booted is not available; this prevents you from accidentally overwriting your system drive. (Older versions of EnCase did allow you to overwrite your system drive, so be careful and know your software.) Select the drive you want to wipe and click Next.

  EnCase will not allow you to overwrite a drive that has EnCase evidence files on it. The best way to get around this quickly is to SHIFT-DELETE the EnCase evidence files.

  6. The next window, shown in the next illustration, shows wiping options. The Wipe Char entry represents the character that will be written to all the sectors of the drive; you can leave this set at the default 00. The start and stop sectors are set automatically by EnCase and should be correct, so you can leave these at the default settings unless you want to overwrite just a partition and you know which sectors make up the partition. The Verify Wiped Sectors checkbox allows you to specify whether or not the EnCase program checks to determine that all sectors were successfully wiped at the end of the process; checking this box will result in a longer wipe time but verified results. Depending on your level of comfort with EnCase and the contentiousness of the investigation, you can decide whether or not to choose this option. For now, accept the defaults and click Finish.

  7. You are prompted to type YES in uppercase letters to verify that you want to wipe this drive. Type YES.

  8. The drive then wipes the disk; you can click the bottom-left progress bar to discover how much time remains in the wiping process. Upon completion of the wiping process, a summary message box, shown next, pops up to let you know that drive wiping has completed successfully.

  Note that while EnCase is capable of wiping the drive, it does not claim to be a full wiping utility. As such, it will not wipe the last cylinder on the drive. This is normally not an issue. If, however, this becomes an issue for your investigation, use one of the other wiping tools mentioned in this book; we recommend wiping with Linux, as described next.

  Wipe a Drive with Linux

  Windows and EnCase are not the only operating systems and tools you can use to wipe a drive. Using Linux, you can wipe a drive using the standard distribution tool dd using the following command:

  dd if=/dev/random of=/dev/<image drive>

  where <image drive> is the device to write to, such as hda1 or sda1.

  The command would read random values from the virtual device /dev/random and then write them to the drive specified, from the beginning of the drive until the end.
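To show what the wipe and EnCase's Verify Wiped Sectors option actually do, here is an added Python example (not code from the book, EnCase, or dd). It treats an ordinary file as the image drive, overwrites it sector by sector with a single byte value like the Wipe Char setting, then re-reads every sector and reports any that still hold old data. The skip_last_sectors parameter is a constructed knob that models a tool leaving the tail of the drive untouched, as the page says EnCase does with the last cylinder; the sample drive is a temporary file filled with random bytes.

```python
import os
import tempfile

SECTOR_SIZE = 512


def wipe_drive(path, fill_byte=0x00, skip_last_sectors=0):
    """Overwrite every sector of the file-backed drive at `path` with fill_byte.

    Returns the number of sectors written. skip_last_sectors is a constructed
    parameter that models a wiping tool which leaves the last sectors alone.
    """
    size = os.path.getsize(path)
    total = (size + SECTOR_SIZE - 1) // SECTOR_SIZE
    to_wipe = max(total - skip_last_sectors, 0)
    pattern = bytes([fill_byte]) * SECTOR_SIZE
    with open(path, "r+b") as drive:
        for sector in range(to_wipe):
            offset = sector * SECTOR_SIZE
            drive.seek(offset)
            # The final sector may be short if the size is not a multiple of 512.
            drive.write(pattern[: min(SECTOR_SIZE, size - offset)])
        drive.flush()
        os.fsync(drive.fileno())
    return to_wipe


def verify_wiped(path, fill_byte=0x00):
    """Re-read the whole drive; return the numbers of sectors not equal to fill_byte."""
    not_wiped = []
    with open(path, "rb") as drive:
        sector = 0
        while True:
            chunk = drive.read(SECTOR_SIZE)
            if not chunk:
                break
            if chunk != bytes([fill_byte]) * len(chunk):
                not_wiped.append(sector)
            sector += 1
    return not_wiped


def wipe_and_verify(path, fill_byte=0x00, skip_last_sectors=0):
    """Wipe, then verify (what the Verify Wiped Sectors option adds); returns leftover sectors."""
    wipe_drive(path, fill_byte, skip_last_sectors)
    return verify_wiped(path, fill_byte)


def make_sample_drive(sectors=64):
    """Constructed sample: a temp file full of random bytes standing in for old evidence."""
    fd, path = tempfile.mkstemp(prefix="imagedrive_")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(sectors * SECTOR_SIZE))
    return path


def discard_sample_drive(path):
    """Remove a sample drive created by make_sample_drive."""
    os.remove(path)


if __name__ == "__main__":
    drive = make_sample_drive()
    print("sectors holding data before wipe:", len(verify_wiped(drive)))
    print("leftover sectors after full wipe:", wipe_and_verify(drive))
    partial = make_sample_drive()
    print("leftover sectors after partial wipe:", wipe_and_verify(partial, skip_last_sectors=2))
    discard_sample_drive(drive)
    discard_sample_drive(partial)
```

The verification pass is the part worth keeping even when the wiping tool is trusted: it is the evidence you can produce that no sector of the image drive carried data from a previous case.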

  Step 5b: Forensically Image the Drive with an EnCase DOS Boot Disk

  Here you’ll create an EnCase DOS boot disk using the EnCase program. If you do not have an image for the EnCase DOS boot disk, you can download it. Guidance Software offers boot disks that you can download at www.guidancesoftware.com/support/downloads.shtm (under the Drivers section).

  1. Choose Tools | Create Boot Disk in EnCase and follow the prompts.

  2. Power down the system.

  3. Reattach the suspect drive to the system.

  When acquiring evidence in DOS, you may find that the types of connections that you can read from are very limited. Most DOS USB and FireWire drivers use too much memory for DOS acquires and tend to use only the local IDE or SCSI drive connections. You don’t need to worry about writing to the suspect drive at boot time, though, because the modified DOS boot disk prevents you from writing to the drive without unlocking the drive in the EnCase software. This means that using an EnCase DOS boot disk, instead of acquiring a drive in Windows, saves you the cost of acquiring a write-blocker for these types of acquisitions.

  4. Boot up the system using the EnCase DOS boot disk; depending on the version of EnCase you’re using, you will either go directly into EnCase for DOS or to the command prompt. At the command prompt, enter en and press RETURN.

  5. You should see the EnCase DOS Version interface.

  Unlock the disk to which you will be writing the image of the suspect drive by highlighting Lock, pressing ENTER, and choosing the disk drive to unlock (in this case, we’re unlocking Disk1), as shown here:

  6. Your screen should now look like the following illustration, with the suspect drive (Disk1) shown as locked and the drive to which you want to write the image (Disk0) unlocked.

  7. Select Acquire and choose the suspect drive (Drive1). You can move between options by pressing the TAB key. After you have selected the suspect drive, press ENTER.

  8. Provide the path to the directory on the image drive to which you want the image of the suspect drive to be written and the name of the image file, and then press ENTER. Before you choose OK, make sure that the drive you are writing to is FAT16 or FAT32, as DOS cannot read from or write to drives of other file systems. You must also make sure that enough free space is available on the destination drive to hold the image. The image will always be about 2K larger than the suspect drive for case-specific information EnCase stores in the file, so never try to image a suspect drive to another drive of the same or a smaller size without using compression.

  9. Type in a case number for your image. Use a unique number for each case you work on to help you keep track of your evidence. In this case, type he for hacking exposed, as shown here. Then click OK.

  10. Type in the examiner’s name. Click OK.

  11. Now enter the evidence number and click OK. Like the case number, this needs to be unique, except here it needs to be unique only for the case. Since this is our first image in the he case, assign it evidence number 0. The next image created in this case would be evidence number 1, then evidence number 2, and so on.

  If you are working with another person, make sure you divvy up your evidence numbers early on, because you cannot change them inside the image file after you have created the image. This approach works only with small cases. When you work on larger cases, you should look into implementing the case management techniques we talk about in Chapter 3.

  12. Enter a description of the case. Normally, you would type in the name of the suspect or any other identifying information about the system. This information will be displayed in place of a name within EnCase when you analyze the system later. Click OK.

  13. Enter the correct time according to the investigator, in case the system BIOS shows an incorrect time set; you must make sure your image creation time reflects the true time as the investigator knows it. If the BIOS time is correct, accept it and click OK, as shown next:

  14. Enter any other notes about the system. Enter the serial number of the hard drive and any other notes that might be handy to know later.

  15. Now you must decide whether or not to compress the image. If speed is your primary concern, you probably should not compress the image at this point, as this can take a bit longer. However, if you have the time, you should choose Yes to compress the drive so you can fit more images on a single image drive.

  16. Next, you’re asked whether you want to make an MD5 hash of the drive; you should always choose Yes. Creating the MD5 hash and storing it in the image file is what lets the EnCase evidence file authenticate and thus verify itself in future accesses. It also allows you to testify to the fact that the image of the suspect drive has not changed during the course of your investigation.

  17. Choose whether you want to set a password on the image. This is a good idea if for no other reason than to prevent other parties from getting bored and reviewing evidence files, or more seriously, if you are concerned about external parties or unauthorized individuals viewing the evidence. Click OK when you’re done, and you’ll be asked to reenter the password to confirm it.

  18. When you are asked for the number of sectors to acquire, you should normally accept the default value and click OK.

  19. Now choose the maximum size that a single segment of the image file should consume. The image will be divided among multiple files that will span the contents of the suspect drive. The size of those pieces will determine how you can move them around. The default of 640MB is good, as it supports the size of the smallest recordable CD. We recommend using the 640MB size. Click OK.

  20. A status bar on the bottom of the screen appears with an estimate of the time remaining, as shown next. Review all of the information you have entered, as it is summarized here for you. If you see any incorrect information, cancel the imaging now by restarting the system; then restart this process from the beginning. Once you have created the image, you cannot change the information you entered.

  21. After you have successfully completed the imaging, power off the system, remove the image drive, and place it and the suspect drives in static-proof bags.
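The acquisition steps above combine three mechanics: a sector-by-sector read of the suspect drive (step 18), an MD5 hash stored with the image so it can authenticate itself later (step 16), and output split into fixed-size segments (step 19) with the case number, evidence number, examiner and notes recorded alongside (steps 9 through 14). The Python below is an added example that models all of that on a file-backed "suspect drive"; it is not the book's or EnCase's code, and the segment naming, the JSON sidecar and the demo_run helper are this example's own conventions, not the EnCase evidence file format.

```python
import hashlib
import json
import os
import tempfile

SECTOR_SIZE = 512


def acquire_image(source_path, dest_dir, case_number, evidence_number,
                  examiner, segment_size, notes=""):
    """Copy the source sector by sector into numbered segment files of at most
    segment_size bytes, hashing the source stream with MD5 as it is read.
    Writes <case>_<evidence>.json beside the segments and returns that metadata."""
    os.makedirs(dest_dir, exist_ok=True)
    stem = os.path.join(dest_dir, f"{case_number}_{evidence_number}")
    md5 = hashlib.md5()
    segments, seg, seg_written, total = [], None, 0, 0
    # The original evidence is opened read-only; nothing here ever writes to it.
    with open(source_path, "rb") as src:
        while True:
            chunk = src.read(SECTOR_SIZE)
            if not chunk:
                break
            md5.update(chunk)
            total += len(chunk)
            if seg is None or seg_written + len(chunk) > segment_size:
                if seg is not None:
                    seg.close()
                name = f"{stem}.{len(segments) + 1:03d}"
                seg = open(name, "wb")
                segments.append(os.path.basename(name))
                seg_written = 0
            seg.write(chunk)
            seg_written += len(chunk)
    if seg is not None:
        seg.close()
    meta = {"case_number": case_number, "evidence_number": evidence_number,
            "examiner": examiner, "notes": notes, "bytes": total,
            "md5": md5.hexdigest(), "segments": segments}
    with open(stem + ".json", "w") as f:
        json.dump(meta, f, indent=2)
    return meta


def verify_image(meta_path):
    """Re-hash the segments in order and compare with the stored MD5 and size."""
    with open(meta_path) as f:
        meta = json.load(f)
    dest_dir = os.path.dirname(meta_path)
    md5, total = hashlib.md5(), 0
    for name in meta["segments"]:
        with open(os.path.join(dest_dir, name), "rb") as seg:
            for chunk in iter(lambda: seg.read(SECTOR_SIZE), b""):
                md5.update(chunk)
                total += len(chunk)
    return md5.hexdigest() == meta["md5"] and total == meta["bytes"]


def demo_run(source_bytes=5000, segment_size=2048):
    """Constructed end-to-end run on a fake suspect drive in a temp directory.
    Returns (segment count, verification result, result after altering one byte)."""
    workdir = tempfile.mkdtemp(prefix="acq_")
    suspect = os.path.join(workdir, "suspect.raw")
    with open(suspect, "wb") as f:
        f.write(os.urandom(source_bytes))
    image_dir = os.path.join(workdir, "image")
    meta = acquire_image(suspect, image_dir, "he", 0, "examiner name (placeholder)",
                         segment_size, notes="drive serial: PLACEHOLDER")
    meta_path = os.path.join(image_dir, "he_0.json")
    ok_before = verify_image(meta_path)
    if not meta["segments"]:          # empty source: nothing to alter
        return 0, ok_before, ok_before
    # Flip one byte in the first segment to model a damaged or altered image file.
    first = os.path.join(image_dir, meta["segments"][0])
    with open(first, "r+b") as f:
        b = f.read(1)
        f.seek(0)
        f.write(bytes([b[0] ^ 0xFF]))
    return len(meta["segments"]), ok_before, verify_image(meta_path)


if __name__ == "__main__":
    print("segments, verified, verified after tampering:", demo_run())
```

The self-check is the whole point of step 16: an image whose hash no longer matches is still a file, but it is no longer evidence you can testify to. MD5 is what the tools of the book's era stored; because MD5 collisions have since been demonstrated, current acquisition practice records a SHA-256 digest alongside it, which is a one-line change to the two hashlib calls above.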

  Alternative Methods for Imaging

  Image the Drive Using the FastBloc Hardware Write-Blocker and EnCase

  Imaging systems outside of DOS allow you to take advantage of memory ranges beyond 640K and offer the ability to write to NTFS drives. However, imaging systems in operating systems such as Windows require that you take extra precautions. Specifically, you need a hardware-level write-blocker. Upon attaching a new piece of media to a Windows system, Windows will automatically attempt to write some system-level data to the drive. Allowing this to happen would defeat all the work you’ve put into your forensics effort up to that point. Using a hardware write-blocker in line between the system and the suspect drive allows you to state to the court without a doubt that you prevented any modification of the original evidence during your imaging. Hardware write-blockers work by preventing a write command from ever reaching the drive itself; instead, they return a true value to the operating system and do not pass on the command. This physically prevents your system from modifying your evidence.

 
