Things are settling down and I am going to try and breathe some life into this blog again. I’ve been doing an internship as of late where I have been concentrating on the business development aspect of Digital Forensics: things such as private investigation licenses, looking at the DFIR market in general, litigation support as a whole, with a little bit of tech research sprinkled in. With the summer break, I haven’t been doing very much on my own. This is a big problem I intend to resolve. Watching David Cowen’s Forensic Lunch has gotten me back into the swing of things, and I am going to kick it off with building and testing a FIREBrick. The FIREBrick is a disk imager and duplicator. I’m thinking along the lines of Tableau’s TD product line. Let’s hope so! The things that excite me are:
- Everything is open source software and easily sourced hardware.
- Low cost compared to market brand forensic duplicators.
- Easy upgrade paths via expansion cards.
The parts are on the way. I did vary my order from their spec to include a FireWire 800 PCI-E card instead of FW400. Excluding the case and PSU, the total cost is about $179. I already have a PSU, and I wanted to wait on a case to see where this leads me. The LCD2USB unit is coming from Hong Kong, so it will be about 2 weeks to go through customs to get here. So I will update this in a few weeks. In the meantime, go over and check out the Hacking Exposed Computer Forensics Blog by David Cowen and crew. Lots of awesome forensics knowledge there and I have only scratched the surface.
Until next time,
Just a quick update: the LCD panel is unavailable due to the China supplier moving. So now I am looking at the newly released network version of the FireBrick.
I am currently working on a Discovery Event for ITDF-2425. This event involves creating NTFS orphaned files as specified in a technical paper from AccessData. I am working on the last steps to actually orphan the files. Before taking the image, I wanted to double check the size of the USB drive first. I did this because I really don’t like cluttering up my working folders with multiple image files, especially for small projects. So, I did what any IT person would do: right click on the drive in Windows Explorer and view the properties. What happened next was interesting, and I almost missed it. Windows automatically wrote a ReadyBoost cache file to the drive. It was created and deleted in a matter of seconds, but the damage was done. I took the image anyway, and I confirmed what damage was done. Viewing the hex where my orphaned file should have been, I found the remnants of the ReadyBoost cache file.
I was almost lulled into giving up and starting over, but the week before we had been working on EnCase 6.7 Enterprise. Really just the basics: acquisitions, backing up thumb drives, restoring them, etc. I didn’t have that at home, but I did just purchase a student license of EnCase 7. I then thought this would be a great way to learn the same procedures for EnCase 7. So, I got my previous image from the orphaned file procedure and got to work. I hadn’t used EnCase 7 really at all except to look around. The UI is very different; they have gone from a traditional Windows look to a “Web 2.0” style UI. Probably a good thing, but I can see where people can get a little intimidated. Once I got past the UI changes though, it really does do all the same stuff the same way (so far). Needless to say, I was able to take the image (a dd image taken by FTK Imager) and restore it to the thumb drive using EnCase 7. Whew! A little later, after I finish this DE and a few lab reports, I will detail the process in EnCase 7. I will also probably start duplicating the EnCase 6 labs in 7 in my free time. Free time... what’s that again?
Well, I decided to join the Department of Defense Cyber Crime Center forensics challenge. I am not sure quite what I am going to do with this, but I think it will be a unique challenge for me. As a forensics student, I do not know if I will pass the 200 level this year, but you never know. My expectation is that this will hone the digital forensics techniques I am learning this year, such as report writing, evidence handling, and tools such as EnCase, FTK, and hex editors. Since I have been dabbling in Python, I might try and throw some of that at it as well.
In the introduction we learned the basics of what is in the Master Boot Record (MBR). Now we will open up the boot sector and find the MBR. The best way to view the MBR is with a hexadecimal editor. Most forensics tools should have a hex editor included. FTK Imager contains a good editor, and it is free. My examples will use FTK Imager, EnCase, and Hex Workshop. Let’s open an image using FTK Imager.
Open FTK Imager with administrator rights.
Click on the + to add an evidence item (Figure 1).
Select the type of drive source; for this example we will use a Physical Drive (Figure 2).
Choose which drive to open (How to determine which drive to open).
The default view will show the drive or image structure on the upper left, the hexadecimal data on the lower right, and the hexadecimal data interpreter on the lower left.
You should open right up to sector 0. Scroll down to the end of the sector. You should see the hexadecimal bytes “55 aa” marking the end of the sector, and the end of the MBR. If you click in front of the 55 aa and sweep up 64 bytes (the four 16-byte partition records), you will have highlighted the entire MBR partition table.
Above you can see the MBR highlighted in blue and the “magic number” highlighted in red. Now that we have located the MBR, we will decode this into readable information.
So on the second to last day of my ITDF-1305 class my instructor surprised us with a pop quiz on the Master Boot Record. That was something I should have known backwards and forwards by then, but I didn’t. After staring at the piece of paper like a deer in the headlights, and many scratch-outs, I managed to get a grasp on what I needed to do, right as it was time to hand things in.
So, I figured that would be a great way to start off this digital forensics blog, with an in-depth, multi-part dissection of the Master Boot Record (MBR). So what is the MBR? The MBR tells your computer what partition to boot, how big the partition is, and other valuable information we will get into. The MBR is created when you partition a hard disk using tools such as fdisk, gparted, or when you install an operating system such as Windows or Linux. So let’s begin with an overview of the MBR.
The MBR is located in the first sector of a hard drive, also known as the “boot sector”. You will also find information about the physical drive itself in this sector, but more on that later. So, what type of information do we find in the MBR? The MBR will contain information on up to four primary partitions. Each partition record is 16 bytes in length. Each record will contain the following information:
- A boot indicator
- Starting head
- Starting sector and cylinder
- Partition type
- Ending head
- Ending sector and cylinder
- Starting sector (the relative, or LBA, sector number from the start of the disk)
- Number of sectors in a partition
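To make the record layout above concrete, here is a small decoder added to this post (it is my own example code, not from any tool mentioned on this page). It walks the 64-byte partition table that sits immediately before the “55 aa” signature, exactly the bytes you sweep up in the hex editor, and pulls out the eight fields listed above for each of the four 16-byte records. The 512-byte sector it parses is constructed inline: one bootable NTFS-type (0x07) partition starting at sector 2048, with the other three records empty. Whole-sector size, the table offset of 446 and the signature check are standard MBR facts; the sample values are made up for the demonstration.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte records sit just before the signature
SIGNATURE_OFFSET = 510         # "55 aa" closes sector 0


def decode_chs(raw: bytes) -> dict:
    """Decode a 3-byte CHS field: head, then sector (low 6 bits) packed with the
    two high bits of the cylinder, then the low 8 bits of the cylinder."""
    head, sector_cyl_hi, cyl_lo = raw
    sector = sector_cyl_hi & 0x3F
    cylinder = ((sector_cyl_hi & 0xC0) << 2) | cyl_lo
    return {"head": head, "sector": sector, "cylinder": cylinder}


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition record in the order the post lists the fields."""
    boot, start_chs, ptype, end_chs, lba_start, sector_count = struct.unpack(
        "<B3sB3sII", entry)          # little-endian, 1+3+1+3+4+4 = 16 bytes
    return {
        "boot_indicator": boot,      # 0x80 = active/bootable, 0x00 = inactive
        "bootable": boot == 0x80,
        "start": decode_chs(start_chs),
        "type": ptype,               # e.g. 0x07 for NTFS/exFAT-style partitions
        "end": decode_chs(end_chs),
        "lba_start": lba_start,      # relative starting sector
        "sector_count": sector_count,
    }


def parse_mbr(sector: bytes) -> dict:
    """Validate the 55 aa signature, then decode all four partition records."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need the full 512-byte sector 0")
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xaa":
        raise ValueError("missing 55 aa signature; this is not an MBR")
    table = sector[PARTITION_TABLE_OFFSET:SIGNATURE_OFFSET]
    entries = [parse_partition_entry(table[i * 16:(i + 1) * 16]) for i in range(4)]
    # A type of 0x00 marks an unused record.
    return {"partitions": entries, "used": [e for e in entries if e["type"] != 0]}


def partition_table_hex(sector: bytes) -> str:
    """The 64 bytes you would highlight in front of 55 aa, as space-separated hex."""
    return sector[PARTITION_TABLE_OFFSET:SIGNATURE_OFFSET].hex(" ")


def build_sample_sector() -> bytes:
    """Constructed sample sector 0 (not from a real disk): zeroed boot code, one
    active partition record, three empty records, then the 55 aa signature."""
    # 80 = bootable | CHS start 20 21 00 | type 07 | CHS end fe ff ff
    # | LBA start 0x800 = 2048 | sector count 0x32000 = 204800
    entry = bytes.fromhex("80 20 21 00 07 fe ff ff 00 08 00 00 00 20 03 00")
    return b"\x00" * 446 + entry + b"\x00" * 48 + b"\x55\xaa"


if __name__ == "__main__":
    sector = build_sample_sector()
    print(partition_table_hex(sector))
    for i, p in enumerate(parse_mbr(sector)["partitions"], start=1):
        print(f"record {i}: {p}")
```

Run it against a real sector 0 by replacing `build_sample_sector()` with the first 512 bytes read from your image file; the same decoder handles all four records, so a disk with several primary partitions decodes without changes. Note the ending CHS of fe ff ff in the sample decodes to head 254, sector 63, cylinder 1023, the saturated value large disks use when the real geometry no longer fits in three bytes.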
Now let’s move to part 1 and we will open up the boot sector to have a look at the MBR.