It has been a very busy few months, my apologies for letting my beloved blog suffer under the daily scuffling of my daily geek life. I have been doing a lot of investigations lately that have consisted of about 30 desktops and three servers.
I am happy to report that after long hours and hard work that case has ended in a success story. I had the pleasure of visiting Germany about three weeks ago and let me tell you, I have never seen such beauty; I swear my soul has stayed behind.
On the front of my geekness I have been attempting another paper; I am now attempting legalities relating to Cloud Computing storage. Brace yourself, this is going to be a wild ride.
If there are any geek legal geniuses out there, please email me if you feel you can contribute. In my next couple of blog posts I thought of including some discussion around cloud computing and the forensic challenges...
Please share your thoughts about the interest in this or any other possible ideas my peeps may have.
As always your geek girl will try her best to deliver.
x0x0x0x Geek Girl
Sunday, 27 January 2013
Monday, 30 July 2012
FrostWire Extras
After some scratching and looking I found some new artifacts to look at and pull apart. This to me is an exciting prospect, as I believe you can never say 100% that you have found everything.
[root]user/xxxx/.frostwire/azureus/active : A copy of all active .torrent files is saved here, containing all the info regarding each .torrent file.
[root]user/xxxx/.frostwire/azureus/tmp : Stores the last known communication. It seems that this changes with every reboot; only the last communication is kept, and it stores IP addresses.
[root]user/xxxx/appdata/roaming/frostwire/azureus/Active : A copy of all active .torrent files is also saved here, containing all the info regarding each .torrent file.
[root]user/xxxx/appdata/roaming/frostwire/azureus/torrent : Keeps the tracker needed to successfully download the file.
Monday, 23 July 2012
FrostWire Questions
Some feedback has been received relating to the FrostWire research. Before I answer it, call me cautious, but I will test it first. I can however say that to me the most important artefact would be the search db; however, my knowledge of SQL is not at all that hot, so I will have to try and try again.
I will keep you posted and keep the comments rolling and rolling....
Friday, 20 July 2012
FrostWire Forensic Examination Part 1
Introduction
As digital forensic practitioners, we are regularly faced with users utilizing the internet to swap and download copyrighted and contraband material. Peer to peer (P2P) applications are commonly used for this purpose, and like any software application, they are ever changing and ever evolving.
This paper will discuss how the P2P software application FrostWire v.5 functions and what artifacts can be found and examined for forensic purposes. The software application mentioned is one of the more popular P2P applications.
Problem Statement
P2P downloading of copyrighted media and contraband is a significant problem. The sheer proliferation of these applications in various forms requires digital forensic examiners to be aware of the potential evidential artifacts that can exist in them.
With developers constantly changing and evolving their software, the artifacts change, and they find new ways to make it more protected for their users. The problem discussed in this paper is what evidential artifacts are left by using FrostWire v.5, and what evidential value they contain.
Research Methodology
The research was conducted by way of practical experimentation, making use of the following experimental protocol.
Step 1: The hard drive on the laptop used in the experiment was forensically sanitized and validated.
Step 2: The Windows 7 Standard operating system was installed on the laptop used, with default settings selected.
Step 3: FrostWire v.5 was downloaded from www.FrostWire.com and installed on the laptop.
Step 4: FrostWire v.5 was installed using the standard method, keeping the default settings.
Step 5: The test laptop was connected to the internet, FrostWire v.5 was executed and a search was conducted for various Linux distributions.
Step 6: Based on the results of Step 5, various files were selected and downloaded using FrostWire v.5, and once completed it was shut down.
Step 7: The test laptop was shut down and the hard drive forensically imaged.
Step 8: The forensic image made of the test laptop was loaded into FTK 4.0 with default automatic data carving enabled. Once completed, the image was examined and all artifacts identified as being linked to FrostWire v.5 were documented.
Data Artifacts Found and Examined
[root]User/xxx/FrostWire
This folder contains five subfolders that contain the actual .torrent files and the actual media that has been downloaded. The subfolders contained within the abovementioned folder are:
- Incomplete: Within this folder, the temporary tracker of the media is saved while it is in the process of being downloaded; this is the metaphorical bookmark that enables the software to stop and start as the user wishes.
- Saved: This folder contains the artifacts of .torrent files that the user wishes to save, to be able to download at another time.
- Shared: This folder contains all the .torrent trackers that the user has uploaded or created. FrostWire v.5 enables the creation of .torrent trackers.
- Torrent Data: Possibly one of the most important folders, this is where the software saves the actual downloaded media. This is a system automated process, which remains standard.
- Torrent: This folder contains the actual .torrent tracker file, which is the tracker that is created to download the requested item. For each item downloaded, two entries are created. A .torrent file is created that contains the creation time, the SHA-1 value of the downloaded item, and where it was downloaded from. The second entry is created in unallocated space and contains the exact same information.
[root]user/xxx/AppData/Roaming/FrostWire
This folder essentially contains a few very important artifacts, which contain important evidentiary information on what was downloaded.
- Createtimes.cache: This cache file contains the SHA-1 value that is assigned to all uploaded media when a .torrent file is created and uploaded to the distribution websites. The SHA-1 value is that of the whole file when it was originally uploaded. This is verified once the item has been downloaded, to ensure that the right and complete item has been downloaded.
- Download.dat: This database file contains the names and identification SHA-1 values of all the files and media downloaded by the user using FrostWire v.5. This can be used to identify what was downloaded when the actual physical items are no longer on the machine.
- Fileurns.cache & Fileurns.bak: These two files essentially contain the same information. When a download is started, the software logs the SHA-1 value of the file to ensure that the completed file is downloaded. The SHA-1 value can be used to identify whether a certain item matches the online version of the said file.
- FrostWire.props: This property file contains the selections made by the user upon installation. Here you can determine what changes have been made to the default settings of FrostWire v.5.
- Hostiles.txt: This contains a log of all subnet masks currently running on the FrostWire v.5 network.
- Library.dat: This database is of all media that is saved by the user to the FrostWire v.5 library, even if it was not physically downloaded onto the machine.
Registry Artifacts:
The registry hives SOFTWARE, SECURITY and SYSTEM and the NTUSER.DAT were examined and the following artifacts or changes were identified:
- HKEY/LOCAL MACHINE/SOFTWARE/Current Version: (These changes can be seen in the NTUSER.DAT as well.) This contained the following relevant information on the software FrostWire v.5:
  i. Display Name
  ii. Publisher
  iii. Help Link
  iv. URL
  v. URL Info
  vi. Display Version
  vii. Uninstall Command
- HKEY/LOCAL MACHINE/SOFTWARE/Classes: This contained the following relevant information on the software FrostWire v.5:
  i. FrostWire Toolbar
  ii. FrostWire.exe file location
- HKEY/LOCAL MACHINE/SOFTWARE/FrostWire: This contained the following relevant information on the software FrostWire v.5:
  i. The executable command used to access and run FrostWire v.5.
- HKEY/LOCAL MACHINE/SOFTWARE/Tracing: This contained the following relevant information on the software FrostWire v.5:
  i. This contains two tracing mechanisms that Microsoft uses to manage and monitor software, which are the Rasapi 32 command and the RASMANCS command. The information is saved in [root]/ProgramData/Microsoft/Search/Data/Applications/Windows/GatherLogs/SystemIndex/SystemIndex.gthr.
- HKEY/LOCAL MACHINE/SYSTEM: For FrostWire v.5 to be able to function, a change has to be made to how the system operates:
  i. When installing FrostWire v.5, the software automatically changes the firewall policy to create an exception allowing communication between FrostWire v.5 and the downloading servers, thus bypassing the firewall completely.
- HKEY/LOCAL MACHINE/SECURITY: No changes could be identified within this registry key.
Identifying Searches Done Using FrostWire v.5:
When a user searches for a specific item to download, that search is stored in various places on the local machine:
- [root]/$Logfile: Contains the search term searched for and where it was found, along with the SHA-1 identification hash value.
- [root]/ProgramData/Microsoft/Search/Data/Applications/Windows/GatherLogs/SystemIndex/SystemIndex.gthr: The header information contained within this gather log is the search term and how the system and the software communicated. This information is gathered by the two tracing protocols mentioned earlier, Rasapi 32 and RASMANCS.
- [root]users/xxx/.FrostWire/search_db.h2.db: This is the database that FrostWire v.5 uses to record all searches done by the users. The information recorded is the following:
  i. URL details, where the .torrent file is residing.
  ii. The search term searched.
  iii. The magnet link and corresponding SHA-1 hash value.
  iv. The creation date, in Unix time, that the .torrent tracker was created.
- [root]users/xxx/.FrostWire/search_db/search_db/_28.tii: This is the actual entry in the database for each search term done by the user. This contained what the search term was and the corresponding file ID.
- [root]users/xxx/.FrostWire/search_db_searchdb__28.tis: This is a record of the search results for the particular search term, meaning that for every .tii file a corresponding .tis file can be found.
Examining a .torrent File and the Artifacts Found:
The file header for .torrent files in hex is:
64 38 3A 61 6E 6E 6F 75 6E 63 65 35 39 (as viewed in hex)
d8:announce59 (as viewed in text)
Contained in this .torrent file is the following information:

| Value | Meaning |
|---|---|
| http://tracker.torrentbox.com | The website that the .torrent file was uploaded to and stored on |
| 2710 | The initial port used to communicate with the website |
| 77.247.176.132:80 | The IP address communicated with, along with the port used for downloading |
| 1238229350 | Unix creation date of the torrent |
| Linux Books | The name of the item downloaded |
| 31C8D8C7748C9CC8090C4C2A | Identification SHA-1 hash value |
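As an added illustration (not code from the original post), here is a small Python script that checks for the d8:announce header and pulls the fields listed in the table above out of a .torrent file: the announce tracker, the creation date converted to a readable UTC time, the item name, and the identifying SHA-1 (the info hash, which is computed over the raw bencoded info dictionary). The sample torrent bytes are constructed for the example and are not a real file.

```python
import hashlib
from datetime import datetime, timezone

def bdecode(data: bytes, pos: int = 0):
    """Decode one bencoded value at data[pos]; return (value, position after it)."""
    c = data[pos:pos + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                                  # list: l<value>...e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                                  # dict: d<key><value>...e
        result, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            result[key], pos = bdecode(data, pos)
        return result, pos + 1
    if c.isdigit():                                # byte string: <len>:<bytes>
        colon = data.index(b":", pos)
        end = colon + 1 + int(data[pos:colon])
        return data[colon + 1:end], end
    raise ValueError(f"invalid bencode at offset {pos}")

def torrent_summary(data: bytes) -> dict:
    """Extract the fields the table above lists from a .torrent file."""
    if not data.startswith(b"d8:announce"):        # the header quoted above
        raise ValueError("not a .torrent file: missing d8:announce header")
    meta, _ = bdecode(data)
    # The identifying SHA-1 (info hash) is taken over the raw bencoded "info"
    # dictionary, so walk the top-level keys again to find its exact byte span.
    pos, info_hash = 1, None
    while data[pos:pos + 1] != b"e":
        key, pos = bdecode(data, pos)
        start = pos
        _, pos = bdecode(data, pos)
        if key == b"info":
            info_hash = hashlib.sha1(data[start:pos]).hexdigest()
    created = datetime.fromtimestamp(meta[b"creation date"], tz=timezone.utc)
    return {"announce": meta[b"announce"].decode(), "info_hash": info_hash,
            "name": meta[b"info"][b"name"].decode(),
            "created_utc": created.strftime("%Y-%m-%d %H:%M:%S UTC")}
# Constructed sample, not a real file; the values mirror the paper's table.
SAMPLE_TORRENT = (
    b"d8:announce29:http://tracker.torrentbox.com"
    b"13:creation datei1238229350e"
    b"4:infod6:lengthi1024e4:name11:Linux Books"
    b"12:piece lengthi1024e6:pieces20:" + bytes(range(20)) + b"ee"
)

if __name__ == "__main__":
    print(torrent_summary(SAMPLE_TORRENT))
```

Pointing torrent_summary at the bytes of a real .torrent from the Torrent folder gives the same four fields, and the info hash it returns is the value to compare against Download.dat and Fileurns.cache.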
Summary
FrostWire v.5 contains a number of potential evidential artifacts that can prove useful in an investigation in proving what has taken place on a computer using this P2P application.
DFIR Online July 2012
I had the opportunity to present my first attempt at a white paper to an amazing crowd of people. Yea, I was seriously nervous and might have used my super speed special power to rush through my presentation....
All in all the research received good and bad reactions. The important thing is some valid questions have been asked which I would want to look into, and to expand my current research concepts.
I want to thank Mike Wilkonson for giving us such a cool and fun platform in which we can mingle, laugh and learn.
Also a very good presentation by Alissa Torres and Nick; I wish we could bring their challenge to SA, it looks like a bundle of fun and a lot to be learnt from it.
Tuesday, 27 March 2012
Open Source Tools : Data Acquisition Automated Software
Armed with my book on Digital Forensics using Open Source Tools, I have prepared my machine by wiping it with Raptor and starting with a fresh Linux Mint installation, and I have identified a few tools to start with. These tools are the ones, for now, that I will be using and abusing...
Like everything, we start at acquisition: how we obtain electronic evidence and how to preserve the integrity thereof. We have a few options in those categories:
- FTK Imager : Yes, this is a commercial product; however, for the imager you do not need licensing, and I personally like using this programme. It has the ability to capture volatile data, along with giving you the option of which format you would like to save your image in. This programme also hashes the original media and calculates the MD5 checksum along with the SHA-1, and recalculates them afterwards; when the hashes match, you know the integrity of your evidence is proven.
- Raptor : The most important factor which makes it a worthwhile product for the rookie examiner is that it is incredibly easy to use, as the GUI interface eliminates the pesky use of the command line. The product is widely supported by all computers and hardware that can support Linux Ubuntu. One of the most contributing factors is that you do not need to disassemble the hardware; it allows you to preview the internal hard drives without ever having to open the machine. It also allows you to acquire without the use of hardware write-blockers, as it has been modified to write-block all media upon boot, thus preventing accidental writes. (Let's face it, hardware write-blockers are expensive no matter where you live.)
- Paladin : A modified live Linux distribution based on Ubuntu that simplifies the process of creating forensic images in a forensically sound manner. PALADIN was designed with the understanding that many of those tasked with creating forensic images are not comfortable with using the command line but still want to utilize the power of Linux. PALADIN was also designed with the understanding that many agencies or companies have limited budgets; the PALADIN CD version is always free! It is incredibly easy to use and eliminates the need to remember confusing commands and switches, it will work on any computer or hardware that is supported by Ubuntu Linux, it allows a user to safely image and preview internal hard drives without having to disassemble the computer or laptop, and it has been modified to write-protect all attached media upon boot, thereby preventing accidental writes or having to use expensive physical write-blockers.
You can download these products at:
www.accessdata.com
http://forwarddiscovery.com/Raptor
http://www.sumuri.com/index.php/joomla/weblinks
The beginning
There once was a girl, who dreamt of a world where 1 and zero coexist, where her geekness did not warrant her uncool or make her the target for bullying.
Cheesy I know, but I was this young girl, a low class hacker (script kiddie with a keen interest in everything electronic) who was found and brought to the dark side where, I might mention, they have the coolest toys and muffins. (I might just add this refers to my view of Digital Forensics.)
When I discovered Computer Forensics that little girl felt she came home. I spent most of my days at school trying to fit in and be "normal", which I have learnt is a matter of perspective, and the only opinion about my normalcy I am worried about is my other 47 personalities (only a joke).
Like most rookies I have jumped into the depths eager to learn more and be able to do cool parlour tricks like the more experienced guys. This is no longer the goal; the goal is to be totally non-dependent on tools.
This is my journey into OPEN SOURCE ...