Hacking Exposed

Page 21

by Aaron Philipp


  Distributed Network Attack

  If you happen to have a few workstations that are sitting idle, AccessData’s Distributed Network Attack (DNA) is ideal for password recovery. DNA works pretty much like PRTK, except it harnesses the processing power of multiple machines to decrypt passwords. A DNA server is installed on a network where machines running the DNA client can access it. A DNA Manager running on the DNA server assigns (aka distributes) small pieces of the searches to the DNA client machines on the network. Harnessing processing power this way makes decryption much faster. This setup is also ideal if you have a large amount of files to decrypt, but do not have the budget to send them out to a vendor for decryption.

  Another bonus of using PRTK/DNA is that once it decrypts a file, it stores the password in a file called the Golden Dictionary. It then attempts to use those passwords first to decrypt other files before utilizing other attacks. This method is especially useful if a user set the same password for multiple files. To help increase the decryption speed, you can use FTK to export a full word index of an evidentiary image, and then import that index into PRTK/DNA. People frequently use phrases they use every day as passwords since these are typically easier to remember. Using an index generated from a user’s system significantly increases the likelihood and speed of finding a password.

  The General Solution to Encryption

  If you encounter encryption during a forensics examination, a simple and general solution is at hand: ask the suspect to supply the encryption key and the method by which he or she encrypted the data. Although this sounds simplistic and too good to be true, it often works. If you already have someone’s data and he or she refuses to give up the encryption key, you can ask the court to order the person to produce the encryption key and the method used to encrypt the data. The person can, of course, refuse, but that will result in a contempt of court charge. The person will then be placed in a holding cell or have fines placed against him or her until the information is produced. This is how law enforcement normally deals with encryption.

  Steganography

  Steganography is the ability to hide data inside another file. Using the steganography tools available today, suspects can even hide data inside JPEGs and audio files. When a sophisticated suspect is being investigated and remnants of a steganography tool exist, it would be very prudent of you to look for the existence of hidden data.

  Detecting Steganography

  Currently, we have used only one open-source tool to detect steganography with reliable results. Stegdetect (www.outguess.org/detection.php) allows you to inspect JPEG files for hidden data. Although other products are emerging on the market to deal with this problem, we have not used them so we cannot recommend them. The main commercial application that exists, Stego Suite by Wetstone (www.wetstonetech.com), is part of that list. In addition to these techniques, you can also search the system to determine whether steganography programs have been installed. However, we have yet to encounter steganography in a case, and it’s hard to say when it will become a common forensics issue. Until then, though, keeping a steganography detection tool in your toolkit will allow you to perform a more thorough analysis when it is demanded.

  Wiping

  Wiping is a real problem when it’s done correctly. It can be accomplished in many different ways, as you will see, but it shares some common aspects. For example, any data that has been truly wiped from the disk has been overwritten at least one time. Using the software tools that exist today, you cannot access any data that has been overwritten. You can determine whether wiping tools have been installed by reviewing the programs that exist and have existed on the disk, but you cannot bring that wiped data back.

  Wiping a File

  File wiping, also called secure deletion, is the most popular method and involves the removal of a file’s data from the disk. File wiping will, in fact, overwrite the contents of the file as it existed on the disk, and upon completion of the wiping process that data is considered unrecoverable.

  Detecting Wiping Activity

  While it may be difficult or impossible to recover data that has been wiped, it is possible to determine whether wiping has occurred. One common trait of wiping is the existence of repeating characters over an entire file, the filename, slack space, and/or in unallocated space. The repeating character can be either the same character or a string of characters repeating over and over (such as 0123456789abcdefghijklmnopqrstuvwxyz). Some forensic software tools, such as EnCase, shown in Figure 9-11, come with a utility that identifies runs of consecutive characters, which helps in identifying consecutive sectors that have been wiped.

  If you do find evidence of repeating characters, be sure that you verify when the operating system was installed. It could be a new system build or a reinstalled operating system.
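As an added illustration of the repeating-character trait described above (my example, not code from the book or from EnCase), the following Python scans a byte buffer, such as a chunk read from an image, and reports every run where a single byte or a short string repeats back to back; the sample buffer, the pattern and the function names are constructed for the example.

```python
from typing import List, Tuple

Run = Tuple[int, int, int]  # (offset, length, period): period 1 is one repeated byte

def find_repeating_runs(data: bytes, min_run: int = 64, max_period: int = 64) -> List[Run]:
    """Return the maximal runs in data where every byte equals the byte `period`
    positions before it, for the smallest period <= max_period, with at least
    min_run such repeated bytes. Wipers leave exactly this: a byte or a short
    string written over and over. Runs do not overlap; the scan resumes after each."""
    runs: List[Run] = []
    n, i = len(data), 0
    while i < n:
        found = None
        for period in range(1, max_period + 1):
            j = i + period
            while j < n and data[j] == data[j - period]:
                j += 1
            if j - (i + period) >= min_run:
                found = (i, j - i, period)
                break  # the smallest period that explains the run wins
        if found is None:
            i += 1
        else:
            runs.append(found)
            i += found[1]
    return runs

def coverage(data: bytes, runs: List[Run]) -> float:
    """Fraction of the buffer (0.0 to 1.0) covered by repeating runs."""
    return sum(length for _, length, _ in runs) / len(data) if data else 0.0

def describe(data: bytes, run: Run) -> str:
    off, length, period = run
    return f"offset {off:#x}: {length} bytes, period {period}, pattern {data[off:off + period]!r}"

# Constructed sample standing in for a chunk read from an image: a document
# fragment, a zero-filled region, a non-repeating ramp (period 255, beyond
# max_period, so it is deliberately not reported) and a cyclic alphanumeric fill.
PATTERN = b"0123456789abcdefghijklmnopqrstuvwxyz"
SAMPLE = (b"Quarterly report draft v3, for finance team review only.\n"
          + b"\x00" * 4096
          + bytes(range(1, 256)) * 8
          + PATTERN * 50)

if __name__ == "__main__":
    found = find_repeating_runs(SAMPLE)
    for run in found:
        print(describe(SAMPLE, run))
    print(f"{coverage(SAMPLE, found):.1%} of the buffer is repeating fill")
```

Raising max_period catches longer fill strings at the cost of scan time; a high coverage figure over a whole file or over unallocated space is the trigger for the install-date check the text recommends, not a conclusion on its own.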

  If you suspect wiping has occurred, check the registry (especially the UserAssist log) for any unusual programs that are installed or were run (see Figure 9-12). Even if a user has uninstalled the wiping utility, you may find evidence of it in the UserAssist log. Look for programs with atypical program names. Some wiping utilities delete themselves but also generate files of their own, such as temp or text files. Other wiping utilities clear the Master File Table (MFT) and generate several small files that appear to be deleted. Check for unusual filenames and file extensions. Frequently, these temporary wiping files will have a consecutively ordered naming system such as BCW.001, where the number increases by 1 with each new file. These files also frequently have a uniform size, and there will be a lot of them, usually enough to fill the unallocated space completely. System restore points may also contain entries of wiping programs.
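To flag the consecutively numbered, uniform-size temporary files described above, here is an added Python example (mine, not from the book); the BCW.* listing, the IMG.* series and the function names are all constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Entry = Tuple[str, int]   # (filename, size in bytes), e.g. from a directory listing

# A stem plus a purely numeric extension, e.g. BCW.001 or wipe.17
NUMBERED = re.compile(r"^(?P<stem>.+)\.(?P<num>\d+)$")

def find_sequential_sets(listing: List[Entry], min_count: int = 5,
                         size_tolerance: float = 0.0) -> Dict[str, dict]:
    """Return {stem: summary} for each stem with >= min_count files whose numeric
    suffixes form one unbroken +1 sequence and whose sizes all lie within
    size_tolerance (a fraction; 0.0 means exactly equal) of the smallest size.
    A multi-volume archive shows the same shape, so treat a hit as a lead."""
    groups: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    for name, size in listing:
        m = NUMBERED.match(name)
        if m:
            groups[m["stem"]].append((int(m["num"]), size))
    suspicious: Dict[str, dict] = {}
    for stem, members in groups.items():
        if len(members) < min_count:
            continue
        members.sort()
        nums = [n for n, _ in members]
        if nums != list(range(nums[0], nums[0] + len(nums))):
            continue  # gaps or duplicates: not the "increase by 1" pattern
        sizes = [s for _, s in members]
        lo, hi = min(sizes), max(sizes)
        if hi - lo > lo * size_tolerance:
            continue  # sizes vary too much to be uniform filler
        suspicious[stem] = {"count": len(nums), "first": nums[0], "last": nums[-1],
                            "size": lo, "total_bytes": sum(sizes)}
    return suspicious

# Constructed listing: eight uniform BCW.* files, a genuine numbered series with
# varying sizes (camera images) and ordinary documents that must not be flagged.
LISTING: List[Entry] = (
    [(f"BCW.{i:03d}", 1_048_576) for i in range(1, 9)]
    + [("IMG.001", 2_310_441), ("IMG.002", 1_902_773), ("IMG.003", 2_555_120),
       ("IMG.004", 1_777_009), ("IMG.005", 2_048_311)]
    + [("budget.xlsx", 48_120), ("notes.txt", 913), ("report.doc", 312_320)]
)

if __name__ == "__main__":
    for stem, info in find_sequential_sets(LISTING).items():
        print(f"{stem}: {info['count']} files {info['first']}..{info['last']}, "
              f"{info['size']} bytes each, {info['total_bytes']} bytes total")
```

Comparing total_bytes of a hit with the volume's unallocated space tells you whether the set is large enough to have filled it, which is the trait the text describes.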

  Figure 9-11 EnCase consecutive sectors analyzer

  Figure 9-12 UserAssist log showing wiping tools

  Another characteristic of wiping activity is the total lack of deleted files. Many wiping utilities will wipe deleted files. Of course, just because a system has no deleted files doesn’t necessarily mean that wiping occurred, but when combined with other characteristics, it may point to wiping activity. If you find a program that you suspect is a wiping utility, you can test it by downloading it and installing it on an analysis machine. Run the program and then examine the machine for any forensic artifacts.

  It is important that you keep an open mind and consider other possibilities before concluding that a drive was wiped. A user may have purchased a refurbished hard drive that was not completely wiped before it was purchased. Also note that some hard drive vendors use repeating characters in the formatting of their hard drives. In addition, some antivirus and security programs wipe files if they are unable to quarantine/clean them. It is up to you as the forensic examiner to eliminate these other possibilities before concluding a wipe has occurred. As you gain experience, you will recognize patterns of activity and be able to put the pieces together.

  Recovering Remnants of Wiped Files

  As stated, no silver bullet brings back this data. To recover a file that has been wiped, you can look in several places to determine whether at least parts and backups of previous copies of the file still exist. As a file is accessed, portions of it will be stored in various areas of the disk. You can look in the following locations for files that have been wiped:

  • The pagefile or swap space if it was loaded into memory

  • The MFT or FAT table to determine whether the file existed

  • The NTFS journal if the data existed on an NTFS partition

  • The slack space and unallocated space if it existed previously on the disk

  • Any backups of the system

  None of these solutions are bulletproof, but they can work. If you know part of the contents of a file, searching the physical disk for those contents could locate the file in any of these locations.

  Wiping the Slack Space

  Slack space wiping occurs in some of the more popular wipers. As discussed earlier, the slack space contains data from a file that was previously partially overwritten. Remember that slack space is simply unused space at the end of a fixed sector size, so a disk can be wiped of its slack space without modifying any of the data that is in use on the disk. When the slack space is wiped, the existing data is overwritten and can no longer be recovered.

  Recovering Remnants of Files Stored in the Slack Space

  To recover any files that existed in a wiped slack space, you can look in several places to determine whether the copies or backups of the data exist. As a file is accessed, portions of it will remain in areas of the disk. You can look in the following locations for data that was in the slack space:

  • The pagefile or swap space if it was loaded into memory

  • The MFT or FAT table to determine whether the file existed

  • The NTFS journal if the data existed on an NTFS partition

  • Any backups of the system

  Again, none of these solutions are bulletproof. If you know part of the contents of a file, searching the physical disk for those contents could locate the data. Remember that data that existed in the slack space was already previously deleted, so the likelihood of recovery is low.

  Wiping the Unallocated Space

  Wiping the unallocated space takes a long time. Although unallocated space wipers are available, wiping the space can take an entire day. This is good news for us, because we rarely see a disk that has had its unallocated space wiped clean. However, if the unallocated space is wiped, the wiped data cannot be recovered.

  Recovering Remnants of Data in the Unallocated Space

  You can never fully recover the data that was stored in the unallocated space from the active portion of the disk because the unallocated space is too large. However, you can look in several places to determine whether some portion, copy, or backup of the data still exists:

  • The NTFS journal if the data existed on an NTFS partition

  • The MFT or FAT table to determine whether the file existed

  • Any backups of the system

  If you know part of the contents of a file, such as a specific phrase or name used in the file, searching the physical disk for those terms might locate the file in any of these locations. Remember that data that existed in the unallocated space was deleted previously, so the likelihood of recovery is low. Notice that we did not include the pagefile or swap space in our list of locations. This is because most wiping tools that wipe the unallocated space also overwrite the pagefile or swap space by filling the memory of the system. This will not always be the case, however, so make sure to check the pagefile and swap space as well.

  Wiping a Disk

  Of the available options for wiping, none is more detrimental to your investigation than a full disk wipe, which overwrites the entire physical disk. While it is obvious when the entire disk has been wiped, there is no way to recover the data.

  Recovering Remnants of Data from Wiped Disks

  Even though you cannot recover data that has been wiped from the disk, you can and should look for backups of the system itself. However, if you have received this disk in the course of a court investigation, you can have the judge either file sanctions against the person who has done this or order the person to produce any other data that may exist.

  The filing for sanctions is important because it applies only if someone knowingly destroys evidence from any system that has been identified with a protective order—a document that a judge signs that states any evidence that exists on a system may not be deleted and must be preserved. Whether or not a preservation order exists, a judge will likely order an opposing party to produce more evidence if you can prove that some of the data provided was wiped. Also, many company policies prohibit the use of wipers on their property. As such, you should work with the company to determine whether such policies apply to this employee.

  Reformatting the Drive/Reinstalling the Operating System

  One of the most common information hiding methods we have found is reformatting the drive and reinstalling the OS. It’s simple, it doesn’t require any additional tools, and most people think that it deletes all the data that existed on the computer. As forensic examiners, however, we know better. The good news about this method is that unless a full format or a disk wipe was performed prior to the reformat, the data that existed from the previous installation can generally be found in the unallocated space. The unfortunate exception to this is the audit logs that may exist within the operating system. Typically these are placed on the disk first, so they are the first files to be overwritten when a new OS is installed. The other bad news about the reinstall is that the file system that existed previously is no longer intact, which means that the pointers to the file system are no longer there and you can’t easily find the files. Think of it as a book with the pages ripped out and thrown in a pile. The examiner must search the pile, hoping to find the most important pages.

  Dealing with a Reformatted Drive

  The first step in dealing with a reformatted drive is detecting it. Most modern operating systems keep some record of the install date. For instance, in Windows XP, this is a registry key and is generally the first place we look to determine whether a reinstall has occurred. Be careful, however, because sometimes just upgrading or refreshing the OS install can modify this date. As with all things in forensics, never rely on a single data point to draw a conclusion. You can also look to the metadata on the MFT itself to find the created date. Also, look at the creation date of the user accounts and registry files. These are generally created when a user is first created, which is often when the operating system was installed in its current state.

  Once you have identified that the drive has been reformatted, finding the data that was once active on the drive is a less than straightforward process. As mentioned, the indexes used previously to access the data are no longer intact. This means that you must find alternative methods to locate the data, such as those that follow.

  Keyword Searching

  The most common and simplest way to find data in the unallocated space is to keyword search it with relevant terms. This is the analog of searching through each word on the pages to find sentences that are important. This is usually the first step that we use. The downside is that information recovered in this manner can be downright unwieldy. It is generally the raw code of the document in which it was stored and is not reader friendly. If you go this route, be prepared to allocate some serious time to formatting and cleaning up the results, and be prepared to have to explain to your nontechnical cohorts what exactly it is they are looking at and why it’s important.

  Recovering Folders

  On several file systems, such as NTFS and FAT, the folder/directory information is stored separately from the file inode data. This means that even though the file records themselves are gone, you can still reconstruct the data from the folder files scattered throughout the disk. For example, on NTFS these files are known as $I30 files and can be carved out of the unallocated space just like any other file. While the exact contents vary from file system to file system, the general gist is these files contain the directory name and pointers to the files that are contained within that directory, as well as the relevant metadata such as modified, accessed, and created (MAC) times, in some cases.

  Data Carving

  Data carving is the black art of creating order out of chaos. The theory is you take a blob of electronic data, search it for file signatures that may indicate user-created documents and e-mail, and then “carve” that data out of the blob into the software’s best guess of how the file used to look. A word of warning: When you go the data carving route, it will take a long time, and the results are going to be spotty at best. Nevertheless, we have had entire cases hinge upon documents that were located in the unallocated space and identified by data carving, so the returns can definitely be worth it.

  It is best to leave data carving to a utility as opposed to trying some kind of manual process. With the exploding size of hard drives these days, it will take you years if you try to do it yourself. Our personal favorite utility is the data-carving functionality provided by AccessData’s FTK. We understand that it is not always economically feasible to purchase a commercial tool, and some good open-source alternatives are out there. The grandfather of open-source carving is Lazarus, which was part of the original release of The Coroner’s Toolkit (TCT). However, tools such as foremost and scalpel have since supplanted Lazarus as the options of choice for those involved in open-source investigations.

  When deciding to go the data carving route, you should be aware of the specific type of file you are looking for and how it reacts to the carving process. For instance, we have had great luck with carving out images due to the extensive headers in the images, but much less luck with things such as Office documents and Personal Storage Table (PST) files due to the header structure and the sheer sizes of the files, which can end up scattered across the disk.
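As an added example of the header/footer carving this section describes (my code, not the book’s and not foremost or scalpel), the Python below carves JPEGs between their SOI and EOI markers and PNGs by walking their chunk structure to IEND, and shows why a header with no locatable end is skipped; the blob and the JPEG and PNG skeletons inside it are constructed.

```python
import re
import struct
import zlib
from typing import List, Optional, Tuple
Carved = Tuple[str, int, bytes]   # (kind, offset in blob, carved bytes)
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
SIGS = re.compile(re.escape(JPEG_SOI) + b"|" + re.escape(PNG_SIG))

def carve_png(blob: bytes, start: int) -> Optional[bytes]:
    """Follow PNG chunks (length, type, data, crc) from the signature to IEND;
    None means a chunk runs off the end of the blob, i.e. the file is truncated."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(blob):
            return None
        if ctype == b"IEND":
            return blob[start:end]
        pos = end
    return None

def carve(blob: bytes, max_jpeg: int = 8 * 1024 * 1024) -> List[Carved]:
    """Find signatures in blob and carve each file whose end can be located."""
    out: List[Carved] = []
    pos = 0
    while True:
        m = SIGS.search(blob, pos)
        if m is None:
            return out
        off = m.start()
        if blob.startswith(PNG_SIG, off):
            kind, data = "png", carve_png(blob, off)
        else:  # first EOI after the header; an embedded thumbnail's EOI can cut it short
            eoi = blob.find(JPEG_EOI, off + len(JPEG_SOI), off + max_jpeg)
            kind, data = "jpeg", (blob[off:eoi + 2] if eoi != -1 else None)
        if data is None:
            pos = off + 1            # header without a usable end: keep scanning
        else:
            out.append((kind, off, data))
            pos = off + len(data)    # do not rescan the body of a carved file

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)
# Constructed blob: zero filler, a JPEG skeleton, slack, a 1x1 PNG, then a JPEG
# header with no EOI anywhere after it, which must not be carved.
JPEG_SAMPLE = JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01" + bytes(40) + JPEG_EOI
PNG_SAMPLE = (PNG_SIG
              + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + png_chunk(b"IEND", b""))
BLOB = bytes(64) + JPEG_SAMPLE + b"<<slack>>" + PNG_SAMPLE + JPEG_SOI + b"\xe1 cut off"
```

The max_jpeg cap is the same compromise real carvers make for formats without a clean footer: too small and large files are truncated, too large and unrelated data is swept in, which is the behaviour behind the poor results with Office and PST files mentioned above.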

  In summary, while a reformatted hard drive can be somewhat difficult to deal with, all hope is not lost. In fact, of all the various anti-forensic techniques, the potential for recovering data is most promising with this option. It may not be in the prettiest of formats, but generally you can find at least a small snippet of data here and there, an e-mail fragment, or even a prior UserAssist log in the unallocated space. And those snippets, combined with the fact that an attempt was made to hide the fact, can be an extremely powerful fact pattern. Just realize that you need to know exactly what you are doing, what your tools are doing, and how the individual data points link together, as you will get hammered on anything you find and present as evidence from the unallocated space.
