Showing posts with label computer forensic. Show all posts

Friday, June 27, 2014

Booting up evidence E01 image using free tools (FTK Imager & Virtualbox)



Being able to boot an acquired evidence image (hard drive) is always helpful in forensics and investigations. If you do a Google search, you will find that most methods or discussions refer to using VMware Workstation. As VMware Workstation is not free, that is not good news if you are on a low budget or do not have a licence at all.

Don't worry.... I will show you how you can boot an acquired E01 image using freely available tools.

What you will need:
1. FTK Imager
2. VirtualBox and the VirtualBox Extension Pack
3. Admin rights (do not have them? You're joking, right???)

I'm not going to detail how you should install FTK Imager and VirtualBox.... those are really easy.

Here are the steps:
1. Open FTK Imager. Go to File -> Image Mounting.

2. Select the E01 image you want to mount.
a) Mount Type: Physical Only
b) Mount Method: Block Device / Writeable (I know what you are thinking.... do not worry about tampering with the evidence file. FTK Imager will create a cache file that temporarily stores all the "changes" you make)
c) Write Cache Folder: Take the default or point it to any folder that would make you happy :)

3. Click "Mount". You will see which physical drive the image is mapped to.


4. Create a new folder (for storing the virtual disk file later), e.g. c:\temp\securityisfun.net
5. Open a command prompt as administrator. Go to c:\Program Files\Oracle\VirtualBox. Run the following command:
vboxmanage internalcommands createrawvmdk -filename c:\temp\securityisfun.net\securityisfun.vmdk -rawdisk \\.\physicaldrive5

NOTE: Replace the path, the file name to be created and the physical drive accordingly.



6. Run VirtualBox as administrator. Create a new virtual machine matching the OS of the image, e.g. Windows XP or Windows 7.
a) RAM - set it to any amount you like. For me, normally I set it to 2GB
b) Hard Drive - point it to the virtual disk file you just created in step 5 above


7. Well, start the virtual machine. It should run now.

8. In case you get a blue screen.. which is not uncommon. Try changing the HDD controller type, which is IDE by default, to SATA, SCSI or SAS. You can change this by editing the settings of the virtual machine:
a) Delete the existing HDD controller
b) Add a new controller, e.g. SATA
c) Add a new disk. Select "Choose an existing disk". Point it to the virtual disk file you created (e.g. securityisfun.vmdk)
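The createrawvmdk command, the VM creation and the controller swap above, done from PowerShell with VBoxManage as an added example (this script is mine, not from the post). It assumes FTK Imager has already mapped the image to \\.\PhysicalDrive5, VirtualBox is in its default folder, and the VM name and OS type are placeholders; rerunning with a different -Controller value is the blue-screen workaround.

```powershell
# Run from an elevated PowerShell prompt; raw-disk access needs admin rights.
param(
    [int]$DriveNumber = 5,                  # drive number shown by FTK Imager after "Mount"
    [string]$WorkDir  = 'C:\temp\securityisfun.net',
    [string]$VmName   = 'evidence-vm',      # placeholder
    [string]$OsType   = 'Windows7',         # placeholder; list with: VBoxManage list ostypes
    [ValidateSet('ide','sata','scsi','sas')][string]$Controller = 'sata',
    [int]$MemoryMB    = 2048
)
$vbm  = Join-Path $env:ProgramFiles 'Oracle\VirtualBox\VBoxManage.exe'
$vmdk = Join-Path $WorkDir 'securityisfun.vmdk'
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null

# Refuse to continue unless the physical drive FTK Imager reported actually exists.
$disk = Get-CimInstance Win32_DiskDrive | Where-Object Index -eq $DriveNumber
if (-not $disk) { throw "PhysicalDrive$DriveNumber not found; is the E01 still mounted in FTK Imager?" }
Write-Host ("Wrapping {0} ({1}, {2} GB)" -f $disk.DeviceID, $disk.Model, [math]::Round($disk.Size / 1GB))

# Raw-disk VMDK pointing at the FTK-mounted drive (the post's createrawvmdk command).
& $vbm internalcommands createrawvmdk -filename $vmdk -rawdisk "\\.\PhysicalDrive$DriveNumber"
if ($LASTEXITCODE -ne 0) { throw 'createrawvmdk failed' }

# Create and register the VM, set RAM, then attach the VMDK on the chosen controller.
& $vbm createvm --name $VmName --ostype $OsType --register
& $vbm modifyvm $VmName --memory $MemoryMB
& $vbm storagectl $VmName --name 'Evidence' --add $Controller
& $vbm storageattach $VmName --storagectl 'Evidence' --port 0 --device 0 --type hdd --medium $vmdk

# After a blue screen, swap the controller without touching the VMDK:
#   VBoxManage storagectl evidence-vm --name Evidence --remove
# then rerun the storagectl/storageattach lines with another -Controller value.
& $vbm startvm $VmName
```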





9. If you still get the blue screen... this might be because Windows could not see the drive. Try the following steps, which involve editing the registry to enable the SCSI and SAS drivers at boot:
a) Unmount the image you mounted with FTK Imager
b) Mount the same image with FTK Imager, but now with the options:
Mount Type: Physical & Logical
Drive Letter: Take the default
Mount Method: Block Device / Writable
c) You should see that the partitions of the image are now mounted and accessible


d) Run "regedit.exe" as administrator.
e) Expand "HKEY_Local_Machine".
f) Select "Load Hive". Point it to the SYSTEM hive of the Windows partition of your mounted image. For example, if the image's Windows partition is mounted by FTK Imager as K:, point it to K:\Windows\system32\config\SYSTEM


g) Enter any name when prompted, e.g. securityisfun.net (sorry, a bit of marketing here :) ). You should now see an additional registry key with the name you typed.


h) Navigate to securityisfun.net\ControlSet001\Services


i) Look for "LSI_SCSI". Click on it and set the "Start" value to "0" (zero). Setting it to "0" means Windows will start/load this driver at boot time. Repeat the same for "LSI_SAS" and "LSI_SAS2".


j) Select the "securityisfun.net" hive once you finish editing. Select "File, Unload Hive". Click "Yes". Close regedit.
k) Now try to boot your virtual machine again. Try different controllers, e.g. SAS, SATA, SCSI, if you are still getting the blue screen.
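The same offline hive edit from PowerShell with reg.exe, as an added example that is not from the post. It assumes the image is mounted Physical & Logical with the Windows partition as K: and loads the hive under the placeholder name securityisfun.net; it goes one step beyond the post by reading Select\Current to pick the control set that actually boots instead of assuming ControlSet001.

```powershell
# Run elevated. The edit lands in FTK Imager's write cache, not in the E01 itself.
$hivePath = 'K:\Windows\system32\config\SYSTEM'   # Windows partition as mounted by FTK Imager
$mount    = 'securityisfun.net'                     # temporary name for the loaded hive
$services = 'LSI_SCSI', 'LSI_SAS', 'LSI_SAS2'       # drivers the post enables

reg.exe load "HKLM\$mount" $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "could not load $hivePath; is the image mounted Physical & Logical and writable?" }
try {
    # The post edits ControlSet001; Select\Current says which control set really boots.
    $current = (Get-ItemProperty "HKLM:\$mount\Select").Current
    $csKey   = 'ControlSet{0:D3}' -f $current
    foreach ($svc in $services) {
        $key = "HKLM:\$mount\$csKey\Services\$svc"
        if (-not (Test-Path $key)) { Write-Warning "$svc is not present in this image"; continue }
        $old = (Get-ItemProperty $key).Start
        Set-ItemProperty -Path $key -Name Start -Value 0 -Type DWord   # 0 = load at boot
        Write-Host "$csKey\Services\$svc Start: $old -> 0"
    }
}
finally {
    [gc]::Collect()                          # drop provider handles so the unload succeeds
    reg.exe unload "HKLM\$mount" | Out-Null
}
```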

10. If you are still getting the blue screen despite doing all this........ two words for you - bad luck! At this moment, I don't have any other solutions or workarounds. I will update this blog post if I (ever) come across something new :)

Have fun!

Thursday, December 12, 2013

Live Forensic on Linux



Last month, I wrote a bit about doing live forensics on a Windows machine. Today, let's do Linux.

Let's do a bit of a recap before we proceed. Since I'm too lazy to repeat myself, here are excerpts of what I wrote previously in Live Forensic on Windows:

Before we touch that, why do we need to do live forensics in the first place? For a few reasons:
a) It is a production server and the Business Owner or System Admin would not let you shut down the system/server for offline forensics
b) The server/system is at a location that you cannot get to physically
c) We are afraid that we may lose crucial information, e.g. malware that runs in memory only, if we were to shut down the system immediately

Next, what info or data should we gather? What tools should we use? In IT forensics, we normally talk about using trusted binaries. Why is that important? Because on hacked or malware-infected machines, it is not uncommon for the attacker/malware to install rootkits or replace some common commands/binaries of the system/server in order to hide or cover their tracks. Running these binaries might not give you the real output or info that they should. Therefore, the first step is to prepare a forensic kit (e.g. a write-protected USB stick or CD) with your trusted binaries/tools.


Now, what tools can you use? Unlike Windows, Linux binaries are quite sensitive to the kernel version. Also, have you heard about dynamic library dependency hell? Basically, one library depends on another library, which depends on other libraries, and so on... Thus, most of the time you can't just copy out the binary/program and expect it to work on another system. You can always compile your own binaries statically, but that requires a lot of work as well. Luckily, I found a saviour - BusyBox! Yes, it is the same tool you use to run commands on your rooted Android devices :)

So, go grab yourself the Linux version of BusyBox now!

For memory dump acquisition:
1. Use LiME. However, it might not work if the system prevents loading of kernel modules. It is also very kernel specific, so you can't compile it on one system and expect it to work on any other system. It will only work on a system with the same kernel version.
2. dd if=/dev/mem of=host1/dd-dev-mem.img . However, this may not work with newer kernels or if the kernel is compiled with the STRICT_DEVMEM=y option (check /boot/config-<KERNELVERSION>).

Have fun!

What to acquire, and the tools/commands to use (output is saved to a file):

1. Hostname
   - ./busybox-i686 hostname > targethost/b-hostname.txt
   - hostname > targethost/hostname.txt
2. OS version
   - ./busybox-i686 uname -a > targethost/b-uname-a.txt
   - uname -a > targethost/uname-a.txt
   - cat /etc/os-release > targethost/os-release.txt
3. Current system date and time
   - ./busybox-i686 date > targethost/b-date.txt
   - date > targethost/date.txt
4. Current IP address
   - ./busybox-i686 ifconfig > targethost/b-ifconfig.txt
   - ifconfig -a > targethost/ifconfig-a.txt
5. Current running process list
   - ./busybox-i686 ps -eaf > targethost/b-ps-eaf.txt
   - ps -eaf > targethost/ps-eaf.txt
   - ./busybox-i686 lsof > targethost/b-lsof.txt
   - lsof > targethost/lsof.txt
6. Current network connection list
   - ./busybox-i686 netstat -anp > targethost/b-netstat-anp.txt
   - netstat -anp > targethost/netstat-anp.txt
   - ./busybox-i686 netstat -anr > targethost/b-netstat-anr.txt
   - netstat -anr > targethost/netstat-anr.txt
7. Current list of logon sessions
   - ./busybox-i686 who -a > targethost/b-who-a.txt
   - who -a > targethost/who-a.txt
   - w > targethost/w.txt
8. List of auto-start applications and services
   - chkconfig --list > targethost/chkconfig--list.txt
   - ./busybox-i686 ls -alR /etc/rc* > targethost/ls-al-etc-rc.txt
   - ./busybox-i686 ls -alR /etc/init.d > targethost/ls-al-rc-d.txt
   - more /etc/init.d/* > targethost/more-init-d.txt
   - cat /etc/inittab > targethost/inittab.txt
   - service --status-all > targethost/service--status-all.txt
   - ./busybox-i686 ls -alR /etc/systemd* > targethost/ls-al-etc-systemd.txt
   - ./busybox-i686 cat /etc/inetd.conf > targethost/b-inetd.conf
   - cat /etc/inetd.conf > targethost/inetd.conf
9. Environment variables
   - ./busybox-i686 env > targethost/b-env.txt
   - env > targethost/env.txt
10. List of cron jobs (scheduler)
   - ./busybox-i686 cat /etc/crontab > targethost/b-crontab.txt
   - cat /etc/crontab > targethost/crontab.txt
11. System event (dmesg) log records
   - ./busybox-i686 dmesg > targethost/b-dmesg.txt
   - dmesg > targethost/dmesg.txt
12. Last user activity records
   - ./busybox-i686 last > targethost/b-last.txt
   - last > targethost/last.txt
   - lastb > targethost/lastb.txt
   - lastlog > targethost/lastlog.txt
13. List of installed software
   - rpm -qa > targethost/rpm-qa.txt
   - dpkg --get-selections > targethost/dpkg--get-selections.txt
14. List of user accounts
   - ./busybox-i686 cat /etc/passwd > targethost/b-passwd.txt
   - cat /etc/passwd > targethost/passwd.txt
   - ./busybox-i686 cat /etc/group > targethost/b-group.txt
   - cat /etc/group > targethost/group.txt
15. Partition table and drive info
   - ./busybox-i686 df -h > targethost/b-df-h.txt
   - df -h > targethost/df-h.txt
   - ./busybox-i686 fdisk -l > targethost/b-fdisk-l.txt
   - fdisk -l > targethost/fdisk-l.txt
   - parted -l > targethost/parted-l.txt
   - ./busybox-i686 cat /etc/fstab > targethost/b-fstab.txt
   - cat /etc/fstab > targethost/fstab.txt
   - ./busybox-i686 mount > targethost/b-mount.txt
   - mount > targethost/mount.txt
16. List of loaded modules
   - ./busybox-i686 lsmod > targethost/b-lsmod.txt
   - lsmod > targethost/lsmod.txt
   - ./busybox-i686 cat /proc/modules > targethost/b-proc-modules.txt
   - cat /proc/modules > targethost/proc-modules.txt
17. Information about memory usage
   - ./busybox-i686 cat /proc/meminfo > targethost/b-proc-meminfo.txt
   - cat /proc/meminfo > targethost/proc-meminfo.txt
18. iptables rules (firewall)
   - iptables --list > targethost/iptables--list.txt
19. System logs, normally stored in /var/log
   - ./busybox-i686 tar -czvf targethost/b-var-log.tgz /var/log
20. Memory dump with LiME
   As the LiME module needs to be built specifically for the target system's Linux kernel, there are more steps to be done before the tool can be used:
   a. Extract the LiME source file you downloaded.
   b. Change directory into the "src" directory. Type: cd src
   c. Compile the module. Type: make
   - If successful, a new file starting with "lime" and ending with ".ko" will be created. Example: lime-3.2.6.ko
   - insmod lime*.ko "path=targethost/lime.mem format=lime"
   The module is then loaded into the kernel and the memory dump happens automatically. If you need to run it again, you must first remove the module from the kernel. Type: rmmod lime
21. /dev/mem and /dev/kmem via dd
   - dd if=/dev/mem of=targethost/dd-dev-mem.img
   - dd if=/dev/kmem of=targethost/dd-dev-kmem.img
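An added collection script (mine, not from the post) that runs the commands from the table through the trusted BusyBox and through the system binaries side by side, hashes every output into a manifest, and reports where the two disagree, which is the practical payoff of carrying trusted binaries. It assumes ./busybox-i686 is the trusted binary and targethost the output folder, both overridable via BB and OUT.

```shell
#!/bin/sh
# Added example, not from the original post. Runs each command once through the
# trusted static BusyBox and once through the system's own binary, saves both
# outputs under OUT/ with the same b-/native naming as the table, logs a SHA-256
# and UTC timestamp per file to OUT/manifest.txt, and flags pairs that disagree.
# Assumptions: BB is the trusted busybox binary, OUT the evidence folder.
BB="${BB:-./busybox-i686}"
OUT="${OUT:-targethost}"

sha256_of() {   # SHA-256 of a file: sha256sum on Linux, shasum as a fallback
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# acquire LABEL CMD [ARGS...]: save output as OUT/LABEL.txt and append
# "<utc time> <label> <sha256> rc=<exit status>" to the manifest.
acquire() {
    label=$1; shift
    mkdir -p "$OUT"
    if "$@" > "$OUT/$label.txt" 2>&1; then rc=0; else rc=$?; fi
    printf '%s %s %s rc=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$label" \
        "$(sha256_of "$OUT/$label.txt")" "$rc" >> "$OUT/manifest.txt"
}

# compare LABEL: 0 if OUT/b-LABEL.txt (trusted) and OUT/LABEL.txt (native) are
# identical, 1 otherwise. A line or two of difference in ps is just the collector
# itself; many missing processes or sockets point at a replaced binary.
compare() {
    if cmp -s "$OUT/b-$1.txt" "$OUT/$1.txt"; then echo "$1: match"; return 0; fi
    n=$(diff "$OUT/b-$1.txt" "$OUT/$1.txt" | grep -c '^[<>]' || true)
    echo "$1: $n line(s) differ between trusted and native output"; return 1
}

# "label command args...": the applet name is the same for BusyBox and the system.
collect_all() {
    for spec in "hostname hostname" "uname-a uname -a" "ps-eaf ps -eaf" \
                "netstat-anp netstat -anp" "who-a who -a" "lsmod lsmod" \
                "env env" "dmesg dmesg"; do
        set -- $spec; label=$1; shift
        acquire "b-$label" "$BB" "$@"
        acquire "$label" "$@"
        compare "$label" || true
    done
}

case "${1:-}" in run) collect_all ;; esac   # usage: ./collect.sh run
```

Run it as the trusted shell (./busybox-i686 sh collect.sh run) so even the interpreter comes from your kit; the manifest hashes are what you later cite in the chain of custody.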


Monday, September 9, 2013

Enterprise IT Forensic Process - Disposal


In my previous posts, I have covered the first 4 processes of the Enterprise IT Forensic Process:

1) Approval - Ensuring that we are allowed to do what we want to do
2) Acquisition - Ensuring that we collect and acquire the evidence in a forensically sound manner
3) Analysis - Performing the analysis and investigation, also in a forensically sound manner
4) Reporting - What should a report contain?

The Disposal process is the final piece of the puzzle.

Once we have done the analysis and completed the report, the next question is what to do with the evidence (both original and acquired) that we have gathered. We cannot keep the evidence forever, for various reasons, e.g. storage limitations, legal requirements, security, etc.

Basically, the options are:
1) Store - If there is a need to preserve the evidence e.g. legal case
2) Return - Return the evidence to the owner or data custodian
3) Forward - Forward the evidence to another party as agreed with the Requestor
4) Dispose - Securely delete or dispose of the evidence

However, it is important to note that the above decision does not lie entirely with the forensic examiner or investigator. The decision shall be made together with the Requestor.

There is also the possibility that the Requestor might want the original evidence to be returned and the acquired evidence to be deleted, or vice versa. Anyway, regardless of the option, the chain of custody must be maintained and updated to reflect the status.

To delete/wipe evidence, for example a hard drive, simply formatting the hard drive is not secure enough, as data can still be recovered. There are a few methods out there that you could use to securely wipe a drive:

1) Hardware based - It is the fastest way. The hardware is known as a degausser. It will render the drive useless digitally and physically - not a good idea if you still want to use the drive for other purposes.
2) Software based - This method, which is slower, rewrites the drive with zeros or random data multiple times. There are various free tools out there that can do the job. For example diskwipe and DBAN.