Saturday, May 1, 2010

Scrub with BackTrack

I went through an exercise this weekend where I deleted data off of a hard drive. The goal was to erase all the data from the hard drive and attempt to see what information I could find afterwards.

The utility that I used to delete the data was scrub. Now this utility does not necessarily delete the data, but it overwrites the data on the drive. This utility can also be used to over write a file.

Scrub cab be downloaded to any Ubuntu distribution or *nix distribution. However, probably the best place to find this utility is on BackTrack. Scrub can be found under the BackTrack menu under Digital Forensics.

Below is a screen shot of the scrub help screen

There is some different syntax can be used with Scrub. If you would like to overwrite an entire hard drive you would use the command below. This will use the default NNSA NAP-14.x pattern for the overwrite.

The follow show the use of the DoD 5220.22-M pattern to overwrite the selected area.

Once you have selected the options that you want press enter and you will see the following outpt on the display.

scrub: using DoD 5220.22-M patterns
scrub: please verify the device size below is correct!
scrub: scrubbing /dev/sda1 79403950080 bytes (~73GB)
scrub: 0x00     |................................................|
scrub: 0xff    |................................................|
scrub: random  |................................................|
scrub: 0x00     |................................................|
scrub: verify  |................................................|

You can see that scrub will use the hex character set 0x00 through one pass then a second pass will be used with 0xff. The third pass will be a random character set and the final pass will be 0x00 again. Some of the different options can be used when scrubbing a file as opposed to scrubbing an entire disk.

In my next post I will show what I was able to find using FTK.

Wednesday, March 10, 2010


I had a friend of mine tell me about his new Blog. TecRoc is a fellow OSCP, and has an excellent write up about Windows Stack Based Buffer overflows. Check out his blog for some great information.

TecRoc Rocks!

Wednesday, March 3, 2010

Some more with Disk Duplicator

The objective of this exercise was to check the md5 sum of the files contained in the image after they have been altered. This is a simple example of how the slightest change in the file can alter the md5 hash. The real lesson is that when you are taking an image of a file or a drive the smallest change can affect the file. So you need to be sure that in your investigation you only work with a copy of the original. NOT the original.

I used md5deep.exe to verify the two files on my image thumb drive.

C:\MSDOS-Tools>md5deep.exe L:\cute.jpg
5fccb53e44d96cdaaa423a372f3f3d30 L:\cute.jpg

C:\MSDOS-Tools>md5deep.exe L:\white.gif
669e44cf64f3bccf8ab5f8853442c235 L:\white.gif

Next I opened the cute.jpg file and cropped the picture and saved the file upon closing it. I verified the md5 of the file and it is different than the original.

C:\MSDOS-Tools>md5deep.exe L:\cute.jpg
e5a6766cf16d7d9467b9dee0034f27d9 L:\cute.jpg

For the file white.gif I rotated the picture 180 degrees. This just turned the picture upside down. I next re-ran the md5.

C:\MSDOS-Tools>md5deep.exe L:\white.gif
fce003a37516a5675be3f4446ca67297 L:\white.gif

Something I found interesting is that I checked the original image file md5 and created a new image file and the md5 sums where the same

C:\MSDOS-Tools>md5deep.exe C:\Users\Spl0it_Root\assignment1.001
9c60f52259fe7f7dc8aef64e9b68ffec C:\assignment1.001

C:\MSDOS-Tools>md5deep.exe C:\Users\Spl0it_Root\assignment1.002
9c60f52259fe7f7dc8aef64e9b68ffec C:\assignment1.002

This is the outcome that I would have expected. However I deleted the file assignment1.002 simply because I wanted to name the file assignment2.001 and when I connected to the file with Windows Explorer and then copied the file over the md5 sums where different.

This is an important item to note. The OS will modify the files when you access them. So if you are gathering data you need to ensure that you use write blocker on the drive that you are investigating.

C:\MSDOS-Tools>dd if=\\.\L: of=\Assignment2.001
rawwrite dd for windows version 0.4beta4.
Written by John Newbigin
This program is covered by the GPL. See copying.txt for details
2880+0 records in
2880+0 records out

C:\MSDOS-Tools>md5deep.exe C:\assignment2.001
d199c910c882386531e97b097903b83d C:\assignment2.001

C:\MSDOS-Tools>md5deep.exe C:\assignment1.001
9c60f52259fe7f7dc8aef64e9b68ffec C:\assignment1.001

Finally I used dd to create a new image of the thumb drive with the altered pictures.

C:\MSDOS-Tools>md5deep.exe C:\Assignment1.001
9c60f52259fe7f7dc8aef64e9b68ffec C:\Assignment1.001

C:\MSDOS-Tools>md5deep.exe C:\Assignment2.001
0bf95d4f4247692074df148d40d56e88 C:\Assignment2.001

Wednesday, February 17, 2010

Creating an image using Disk Duplicator

# Disk Duplicator Commands #

~ Command used to copy the file from my local drive to the USB drive: ~

C:\MSDOS-Tools>dd if=\User_name\File_1 of=\\.\L:
rawwrite dd for windows version 0.4beta4.
Written by John Newbigin
This program is covered by the GPL. See copying.txt for details
2880+0 records in
2880+0 records out

# An interesting note here is that I had trouble initially with the windows explorer process using the USB drive. So I had to righ click on the device in explorer and select "eject" to get it to work.

C:\MSDOS-Tools>dir L:
Volume in drive L is WEASELSRUS
Volume Serial Number is 04F8-0DB4

Directory of L:\

04/04/2005 08:16 AM 115,911 cute.jpg
04/04/2005 08:27 AM 31,945 white.gif
2 File(s) 147,856 bytes
0 Dir(s) 1,309,184 bytes free

~ md5 sum for the files copied from the local system ~

C:\MSDOS-Tools>md5sum.exe L:\cute.jpg
\5fccb53e44d96cdaaa423a372f3f3d30 *L:\\cute.jpg

C:\MSDOS-Tools>md5sum.exe L:\white.gif
\669e44cf64f3bccf8ab5f8853442c235 *L:\\white.gif

~ Command used for creating an image of the files on the USB drive ~

C:\MSDOS-Tools>dd if=\\.\L: of=\User_Name\File_1_image
rawwrite dd for windows version 0.4beta4.
Written by John Newbigin
This program is covered by the GPL. See copying.txt for details
2880+0 records in
2880+0 records out

C:\MSDOS-Tools>dir C:\User_Name\
Volume in drive C has no label.
Volume Serial Number is 60EE-9B31

Directory of C:\User_Name

02/12/2010 12:48 PM 1,474,560 File_1_image
02/12/2010 10:25 AM 1,474,560 File_1.001

~ md5 sum for the files copied from the local system ~

C:\MSDOS-Tools>md5sum.exe C:\User_Name\File_1_image
\9c60f52259fe7f7dc8aef64e9b68ffec *C:\\User_Name\\File_1_image

# Originial File...

C:\MSDOS-Tools>md5sum.exe C:\User_Name\File_1.001
\9c60f52259fe7f7dc8aef64e9b68ffec *C:\\User_Name\\File_1.001

Forensics Resources

I put together some links and references for people to gather some information about forensics. Enjoy...

Title:Free Open Source On-The-Fly Encryption
Description: Micrsoft has whole disk encryption in Vista Ultimate and Enterprise. However, if you're not up to speed with Vista, TrueCrypt provides a very cool way to encrypt files with your own created mount points.

Title:Microsoft Vista BitLocker Drive Encryption
Description: BitLocker Drive Encryption is a data protection feature available in Windows Vista Enterprise and Ultimate. Windows BitLocker is for both business and personal users who need to help protect sensitive data on their PC.

Title:How to Undelete EXT3 Filesystem
Description: Very interesting,in depth, article on recovering the EXT3 filesystem. This is something that the EXT3 FAQ states is impossible.

Title:Anti Phishing web site
Description: Report phishing emails, pharming sites and crimeware to the Anti-Phishing Working Group and help stop this insidious threat to e-commerce. Click "Report Phishing" link below for instructions.

Title:IANA/ICANN Hacked
Description: One might expect the domains for the Internet Corporation for Assigned Names and Numbers (ICANN) or the Internet Assigned Numbers Authority (IANA) to be a little more resilient in the face of hackers attempting to hijack their domains.
One would be mistaken in that assumption.

Title:Open Source Forensics
Description: Great presentation on OSS forensics tools.

Title:Digital Forensic Analysis Methodology
Description: Found this on the DOJ site and found it very interesting outline.

Title:RFC 3227 - Guidelines for Evidence Collection and Archiving
Description: This document specifies an Internet Best Current Practices for the Internet Community.

Title:Phrack Issue 64 File 10
Description: Phrack's usually a good read, though perhaps not what you would like work to see you reading. This article is entitled "Knowing your Enemy: Facing the Cops".

Title:Digital Forensic Live CD
Description: Windows and Linux Live CD full of useful forensic and incident response tools.

Title:A game to teach one what to look for from the slick phishing sites
Description: This is an anti-phishing game from Carnegie Mellon CUPS to help one get a better understanding of what to look for, enjoy. This is very useful, check it out before you get fooled.

Description: Helix is a customized distribution of Ubuntu Linux. Helix is more than just a bootable live CD. You can still boot into a customized Linux environment that includes customized linux kernels, excellent hardware detection and many applications dedicated to Incident Response and Forensics.

Title:File Shredder
Description: In order to remove, or shred files permanently from your system you have to use a program that is capable of rewriting the files with random series of binary data multiple times. This process is often called shredding. That way, the actual content of the file has been overwritten and the possibilities to recover such a shredded file are mostly theoretical.

Title:Linux Training
Description: All,
Check it out if you get a chance, this is a pretty cool Linux training applet that runs in a java enabled browser. You might get a better understanding of Linux.

Title:NISTIR 7490
Description: Digital Forensics at the
National Institute of
Standards and

Title:CFReDS Project
Description: NIST is developing Computer Forensic Reference Data Sets (CFReDS) for digital evidence. These reference data sets (CFReDS) provide to an investigator documented sets of simulated digital evidence for examination.

Title:Affidavit from forensics investigator using FTK Imager
Description: Weird case but the website posted the full affidavit with it -- the investigator used FTK Imager.

Books on the Desk...

I thought I would post up some reference materials that I always have on my desk.

Snort IDS/IPS ToolKit: ISBN-10: 1-59749-099-7

This book is very well written and provide some basic and even more advanced understanding on the workings of Snort. Some of the highlights for me was learning about the pre-processors and how they handle traffic that thy receive. The author did an excellent job with the examples and his explanations of the subjects. Every thing from replaying a tcpdump-formatted Files, to suppressing events in the thresholds.conf file.

Guide to Computer Forensics and Investigations (4th Edition): ISBN-10: 1-4354-2819-6

This text covers nearly everything about forensics and the investigation process. While the author admits that it is not intended to be a manual, it is designed with all of the basics needed for a beginner to enter into this field. You will learn how to use various tools such as ProDiscover and FTK along with other tools such as linux LiveCD's. The exercises in the book are realistic and easy to follow. If you want something more challenging you can always take a USB drive and have your kids or your friends download some information and removed it, format the drive, and use the tools to practice.

Gray Hat Python: ISBN-13: 978-1-59327-192-3

This is a great book for learning how to get python to work for you while you are having some fun. Even experienced python coders will learn something from this book as the author covers the uses and inner workings of code fuzzers, debuggers, and exploit code. The text also covers some other topics that do warrant additional study, but the author covers enough of the topics to get you started within the scope of this books topics. Again, excellent read and recommended to any one who is looking into vulnerability identification and testing.

OSSEC HIDS Guide ISBN-13: 978-1-59749-240-9

This is a Host Intrusion Detection (HIDS) Guide for Open Source Security (OSSEC). The book covers all the aspects of installation and deploying the system in your environment. One of the big benefits and recommendations that come with this book, is getting exposure to an Open Source HIDS. There is greater flexibility with this product than with some of its competitors, such as Cisco, and provides compatibility with a wider range of platforms such as 64-bit Operating systems that are widely used today.