Wednesday, September 9, 2020
Beginning File System Forensics - Timeline analysis
Now that the drive has been mounted and the file metadata has been exported as seen in the previous post, let's poke at some files of "interest". The file of interest is related to my SANS SEC582 - Mastering TShark Packet Analysis class.
Let's assume we have an indicator of compromise, in this case a suspicious file name. We can then use the "grep" utility to search the previously created "linux_mint_files_export.txt" and see whether we get a hit. At the same time, let's pipe the results into "wc --lines" to see how many entries were returned.
kali@securitynik:~/forensics$ grep "SEC582" linux_mint_files_export.txt | wc --lines
22
Above it looks like 22 results were returned. Taking a look at those entries.
kali@securitynik:~/forensics$ grep "SEC582" linux_mint_files_export.txt
05/13/2020|08:31:58.8300000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:32:00.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs
05/13/2020|09:47:17.0200000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:18.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 1
05/13/2020|09:17:58.1200000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:18:00.0000000000|755|0|root|0|root|439479|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.2 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:26:59.1700000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:27:02.0000000000|755|0|root|0|root|817648|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.3 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:30:58.7100000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:31:02.0000000000|755|0|root|0|root|505620|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.4 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:33:56.1000000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:33:58.0000000000|755|0|root|0|root|158779|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.5 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:36:20.3600000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:36:22.0000000000|755|0|root|0|root|209775|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.6 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:43:38.9500000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:43:42.0000000000|755|0|root|0|root|290017|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.7 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:44:42.0100000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:44:44.0000000000|755|0|root|0|root|157451|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.8 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|08:34:08.4100000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:34:10.0000000000|755|0|root|0|root|396034|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:47:33.1500000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:34.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 2
05/13/2020|09:46:45.6500000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:46:48.0000000000|755|0|root|0|root|173404|SANS SEC582 - Labs and Challenges PDFs/Day 2/Exercise 2.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|10:44:37.9400000000|05/13/2020|20:00:00.0000000000|05/13/2020|10:44:40.0000000000|755|0|root|0|root|194576|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:04:45.2100000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:04:48.0000000000|755|0|root|0|root|604994|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.2 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:11:34.8000000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:11:40.0000000000|755|0|root|0|root|110284|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.3 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:18:01.4200000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:18:06.0000000000|755|0|root|0|root|221816|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.4 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:27:05.3600000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:27:08.0000000000|755|0|root|0|root|160748|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.5 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:37:28.2700000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:37:30.0000000000|755|0|root|0|root|246089|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.7 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:38:15.8100000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:38:18.0000000000|755|0|root|0|root|155128|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.8 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:39:09.4800000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:39:12.0000000000|755|0|root|0|root|168333|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.9 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:45:31.3500000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:45:34.0000000000|755|0|root|0|root|303851|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.10 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/14/2020|05:52:29.6100000000|05/13/2020|20:00:00.0000000000|05/14/2020|06:39:22.0000000000|755|0|root|0|root|1998024|SANS SEC582 - Labs and Challenges PDFs/Initial Setup - SANS SEC582_ Mastering TShark Packet Analysis.pdf
As you may remember from the previous post, the columns above are organized as follows: last status changed date (%Cx), last status changed time (%CT), last access date (%Ax), last access time (%AT), last modification date (%Tx), last modification time (%TT), file permissions (%m), numeric user id (%U), username (%u), group id (%G), group name (%g), size (%s), path (%P), and finally a newline (\n) to put every entry on its own line.
Considering the preceding, let's sort this by creation date and time, with the most recent entry at the top. To achieve this, we feed the previous output to "sort" with a "--field-separator" of pipe "|", use fields 1 and 2 (the date and time) as the key, and "--reverse" the output.
kali@securitynik:~/forensics$ cat linux_mint_files_export.txt | grep SEC582 | sort --field-separator "|" --key=1,2 --reverse
05/14/2020|05:52:29.6100000000|05/13/2020|20:00:00.0000000000|05/14/2020|06:39:22.0000000000|755|0|root|0|root|1998024|SANS SEC582 - Labs and Challenges PDFs/Initial Setup - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:45:31.3500000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:45:34.0000000000|755|0|root|0|root|303851|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.10 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:39:09.4800000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:39:12.0000000000|755|0|root|0|root|168333|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.9 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:38:15.8100000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:38:18.0000000000|755|0|root|0|root|155128|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.8 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:37:28.2700000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:37:30.0000000000|755|0|root|0|root|246089|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.7 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:27:05.3600000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:27:08.0000000000|755|0|root|0|root|160748|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.5 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:18:01.4200000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:18:06.0000000000|755|0|root|0|root|221816|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.4 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:11:34.8000000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:11:40.0000000000|755|0|root|0|root|110284|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.3 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:04:45.2100000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:04:48.0000000000|755|0|root|0|root|604994|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.2 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|10:44:37.9400000000|05/13/2020|20:00:00.0000000000|05/13/2020|10:44:40.0000000000|755|0|root|0|root|194576|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:47:33.1500000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:34.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 2
05/13/2020|09:47:17.0200000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:18.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 1
05/13/2020|09:46:45.6500000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:46:48.0000000000|755|0|root|0|root|173404|SANS SEC582 - Labs and Challenges PDFs/Day 2/Exercise 2.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:44:42.0100000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:44:44.0000000000|755|0|root|0|root|157451|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.8 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:43:38.9500000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:43:42.0000000000|755|0|root|0|root|290017|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.7 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:36:20.3600000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:36:22.0000000000|755|0|root|0|root|209775|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.6 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:33:56.1000000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:33:58.0000000000|755|0|root|0|root|158779|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.5 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:30:58.7100000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:31:02.0000000000|755|0|root|0|root|505620|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.4 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:26:59.1700000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:27:02.0000000000|755|0|root|0|root|817648|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.3 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:17:58.1200000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:18:00.0000000000|755|0|root|0|root|439479|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.2 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|08:34:08.4100000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:34:10.0000000000|755|0|root|0|root|396034|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|08:31:58.8300000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:32:00.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs
Now that we have the above, we can make some assumptions that allow us to come to some conclusions.
1. The activity surrounding the IoC string "SEC582" started on May 13, 2020 around 08:31:58.
2. On May 13, 2020 at 08:31:58 local time the user root created a file "SANS SEC582 - Labs and Challenges PDFs".
3. This file was then modified on the same date at 08:32:00.
4. However, as we look closer, we see what seem to be two subdirectories, "/Day 1" and "/Day 2". Filtering out the PDFs so we can focus on the directory times, we see:
kali@securitynik:~/forensics$ cat linux_mint_files_export.txt | grep SEC582 | sort --field-separator "|" --key=1,2 --reverse | grep --invert-match --perl-regexp "\.pdf$"
05/13/2020|09:47:33.1500000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:34.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 2
05/13/2020|09:47:17.0200000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:18.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 1
05/13/2020|08:31:58.8300000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:32:00.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs
Paying closer attention to the times, we see that both subdirectories have an access date and time of "05/12/2020|20:00:00.0000000000". How could this be? How can the subdirectories have an access time earlier than the creation time of the parent directory, which is "05/13/2020|08:31:58.8300000000"? Could it be that the parent folder was created and the subfolders were then copied into it?
5. Looking at the other 19 entries, from a creation date we can say the first file "SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf" was created on May 13, 2020 around 08:34 and the last file "SANS SEC582 - Labs and Challenges PDFs/Initial Setup - SANS SEC582_ Mastering TShark Packet Analysis.pdf" was created on May 14 around 05:52.
6. Looking at the other 19 entries, from a modification date and time we can say the first file "SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf" was modified on May 13, 2020 around 08:34 and the last file "SANS SEC582 - Labs and Challenges PDFs/Initial Setup - SANS SEC582_ Mastering TShark Packet Analysis.pdf" was modified on May 14 around 06:39.
7. Finally, I see the access times of all 19 files are May 13, 2020 at 20:00. Does the proximity of these timestamps help reaffirm the conclusion that these files might have been copied?
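To automate the reasoning in items 1 through 7, here is an added Python example (not code from the original post). It parses the same pipe-delimited layout the find command produces, sorts by the status-change column as real datetimes (note that sort --key=1,2 compares the MM/DD/YYYY strings, which only orders correctly within a single year), flags entries whose access time predates the creation of their parent directory, and groups entries that share one access timestamp. The sample lines are a constructed subset copied from the export above.

```python
"""Timeline checks over a find -printf export.

Added example, not code from the original post. Input layout:
%Cx|%CT|%Ax|%AT|%Tx|%TT|%m|%U|%u|%G|%g|%s|%P
"""
from collections import defaultdict
from datetime import datetime
from pathlib import PurePosixPath

# Constructed sample: seven entries copied from the post's export.
SAMPLE_EXPORT = """\
05/13/2020|08:31:58.8300000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:32:00.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs
05/13/2020|09:47:17.0200000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:18.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 1
05/13/2020|09:17:58.1200000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:18:00.0000000000|755|0|root|0|root|439479|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.2 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|08:34:08.4100000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:34:10.0000000000|755|0|root|0|root|396034|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:47:33.1500000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:34.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 2
05/13/2020|11:45:31.3500000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:45:34.0000000000|755|0|root|0|root|303851|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.10 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/14/2020|05:52:29.6100000000|05/13/2020|20:00:00.0000000000|05/14/2020|06:39:22.0000000000|755|0|root|0|root|1998024|SANS SEC582 - Labs and Challenges PDFs/Initial Setup - SANS SEC582_ Mastering TShark Packet Analysis.pdf
"""

FIELDS = ["cdate", "ctime", "adate", "atime", "mdate", "mtime",
          "perm", "uid", "user", "gid", "group", "size", "path"]


def parse_stamp(date_str, time_str):
    """find prints %Cx as MM/DD/YYYY and %CT with ten fractional digits;
    strptime's %f accepts at most six, so the fraction is truncated."""
    hms, _, frac = time_str.partition(".")
    frac = frac[:6] or "0"
    return datetime.strptime(f"{date_str} {hms}.{frac}", "%m/%d/%Y %H:%M:%S.%f")


def parse_export(text):
    """Return one dict per line, with c/a/m timestamps as datetimes."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # maxsplit keeps a path containing '|' intact in the last field
        rec = dict(zip(FIELDS, line.split("|", len(FIELDS) - 1)))
        rec["c"] = parse_stamp(rec["cdate"], rec["ctime"])
        rec["a"] = parse_stamp(rec["adate"], rec["atime"])
        rec["m"] = parse_stamp(rec["mdate"], rec["mtime"])
        rec["size"] = int(rec["size"])
        entries.append(rec)
    return entries


def newest_first(entries):
    """Same intent as sort --key=1,2 --reverse, but on real datetimes."""
    return sorted(entries, key=lambda r: r["c"], reverse=True)


def children_accessed_before_parent(entries):
    """Paths whose access time is earlier than the creation (status-change)
    time of their parent directory, as noted for Day 1 and Day 2."""
    by_path = {r["path"]: r for r in entries}
    flagged = []
    for r in entries:
        parent = str(PurePosixPath(r["path"]).parent)
        if parent in by_path and r["a"] < by_path[parent]["c"]:
            flagged.append(r["path"])
    return flagged


def shared_access_times(entries, min_count=2):
    """Group paths by identical access timestamp; many files sharing one
    atime is consistent with a bulk copy rather than individual use."""
    groups = defaultdict(list)
    for r in entries:
        groups[r["a"]].append(r["path"])
    return {ts: paths for ts, paths in groups.items() if len(paths) >= min_count}


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for r in newest_first(recs):
        print(r["c"], r["path"])
    print("accessed before parent was created:", children_accessed_before_parent(recs))
    for ts, paths in shared_access_times(recs).items():
        print(ts, len(paths), "entries share this access time")
```

Run it against the full linux_mint_files_export.txt by reading the file into parse_export instead of SAMPLE_EXPORT; the parent lookup works on the relative paths %P prints, so the export must have been produced from the mount point as in the previous post.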
Arite! I think that is enough for this post.
Ohh and by the way, hope to see you in one of my SANS SEC582 Mastering TShark Packet Analysis classes. :-) If you cannot make that one, come hang out with me in the SEC503 or SEC504 class. :-) :-)
Beginning File System Forensics - mounting and learning about the drive
In the previous post, we learned about the disk and the Master Boot Record (MBR), let's now mount that disk, so that we can analyze its contents.
Before mounting, let's once again take a look at the drive to see where the partition starts.
kali@securitynik:~/forensics$ sudo fdisk --list linux_mint_usb.raw
Disk linux_mint_usb.raw: 29.3 GiB, 31457280000 bytes, 61440000 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00051443

Device              Boot Start      End  Sectors  Size Id Type
linux_mint_usb.raw1       2048 61437951 61435904 29.3G  c W95 FAT32 (LBA)
Above, we see one partition, which has a "Start" sector of 2048. To get the actual byte position, multiply 2048 by 512, 512 once again being the size of a sector.
512*2048 = 1,048,576
Taking a look at this sector with xxd before mounting, we see:
kali@securitynik:~/forensics$ xxd --seek 1048576 --length 512 linux_mint_usb.raw | more
00100000: eb58 904d 5344 4f53 352e 3000 0220 e00a  .X.MSDOS5.0.. ..
00100010: 0200 0000 00f8 0000 3f00 ff00 0008 0000  ........?.......
00100020: 0070 a903 903a 0000 0000 0000 0200 0000  .p...:..........
00100030: 0100 0600 0000 0000 0000 0000 0000 0000  ................
00100040: 8000 2980 b481 fc4e 4f20 4e41 4d45 2020  ..)....NO NAME  
00100050: 2020 4641 5433 3220 2020 33c9 8ed1 bcf4    FAT32   3.....
00100060: 7b8e c18e d9bd 007c 8856 4088 4e02 8a56  {......|.V@.N..V
00100070: 40b4 41bb aa55 cd13 7210 81fb 55aa 750a  @.A..U..r...U.u.
00100080: f6c1 0174 05fe 4602 eb2d 8a56 40b4 08cd  ...t..F..-.V@...
00100090: 1373 05b9 ffff 8af1 660f b6c6 4066 0fb6  .s......f...@f..
001000a0: d180 e23f f7e2 86cd c0ed 0641 660f b7c9  ...?.......Af...
001000b0: 66f7 e166 8946 f883 7e16 0075 3983 7e2a  f..f.F..~..u9.~*
001000c0: 0077 3366 8b46 1c66 83c0 0cbb 0080 b901  .w3f.F.f........
001000d0: 00e8 2c00 e9a8 03a1 f87d 80c4 7c8b f0ac  ..,......}..|...
001000e0: 84c0 7417 3cff 7409 b40e bb07 00cd 10eb  ..t.<.t.........
001000f0: eea1 fa7d ebe4 a17d 80eb df98 cd16 cd19  ...}...}........
00100100: 6660 807e 0200 0f84 2000 666a 0066 5006  f`.~.... .fj.fP.
00100110: 5366 6810 0001 00b4 428a 5640 8bf4 cd13  Sfh.....B.V@....
00100120: 6658 6658 6658 6658 eb33 663b 46f8 7203  fXfXfXfX.3f;F.r.
00100130: f9eb 2a66 33d2 660f b74e 1866 f7f1 fec2  ..*f3.f..N.f....
00100140: 8aca 668b d066 c1ea 10f7 761a 86d6 8a56  ..f..f....v....V
00100150: 408a e8c0 e406 0acc b801 02cd 1366 610f  @............fa.
00100160: 8274 ff81 c300 0266 4049 7594 c342 4f4f  .t.....f@Iu..BOO
00100170: 544d 4752 2020 2020 0000 0000 0000 0000  TMGR    ........
00100180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00100190: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001001a0: 0000 0000 0000 0000 0000 0000 0d0a 4469  ..............Di
001001b0: 736b 2065 7272 6f72 ff0d 0a50 7265 7373  sk error...Press
001001c0: 2061 6e79 206b 6579 2074 6f20 7265 7374   any key to rest
001001d0: 6172 740d 0a00 0000 0000 0000 0000 0000  art.............
001001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001001f0: 0000 0000 0000 0000 ac01 b901 0000 55aa  ..............U.
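Here is an added Python example (not code from the original post) that does the offset arithmetic above programmatically: it decodes a 16-byte MBR partition entry and derives the byte offset used for the mount, then decodes the BIOS Parameter Block at the start of the boot sector. The partition entry is constructed from the values fdisk and file report for this image (type 0xc, start sector 2048, 61435904 sectors); the boot-sector bytes are the first 96 bytes of the xxd dump above, so the hidden-sector count and total sector count parsed from the BPB can be cross-checked against the partition table before trusting the mount offset.

```python
"""Partition offset and FAT32 boot sector decoding for a raw disk image.

Added example, not code from the original post. MBR_ENTRY_1 is constructed
from the values fdisk and file report for this image; FAT32_BOOT_SECTOR_HEAD
is bytes 0x00-0x5f of the xxd dump of sector 2048 shown in the post.
"""
import struct

SECTOR_SIZE = 512

# Constructed 16-byte MBR partition entry: status 0x00, CHS start (0,32,33),
# type 0x0c (W95 FAT32 LBA), CHS end (1023,254,63), LBA start 2048,
# 61435904 sectors. Matches the post's fdisk --list and file output.
MBR_ENTRY_1 = bytes.fromhex("00202100" "0cfeffff" "00080000" "0070a903")

# Boot sector head copied from the xxd dump (jump, OEM name, BPB, labels).
FAT32_BOOT_SECTOR_HEAD = bytes.fromhex(
    "eb58904d53444f53352e30000220e00a"
    "0200000000f800003f00ff0000080000"
    "0070a903903a00000000000002000000"
    "01000600000000000000000000000000"
    "80002980b481fc4e4f204e414d452020"
    "2020464154333220202033c98ed1bcf4"
)


def parse_mbr_entry(entry):
    """Decode one partition table entry; the LBA start gives the mount offset."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
        "byte_offset": lba_start * SECTOR_SIZE,   # 2048 * 512 = 1048576
    }


def parse_fat32_boot_sector(bs):
    """Decode the BPB fields a mount relies on from the boot sector bytes."""
    if len(bs) >= 512 and bs[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot sector signature")
    (bytes_per_sector, sectors_per_cluster, reserved_sectors, num_fats,
     _root_entries, total_sectors16, _media, _fat_size16, _sectors_per_track,
     _heads, hidden_sectors, total_sectors32, fat_size32, _ext_flags,
     _fs_version, root_cluster, _fsinfo_sector, _backup_boot_sector
     ) = struct.unpack_from("<HBHBHHBHHHIIIHHIHH", bs, 11)
    _drive, _reserved, _boot_sig, volume_id, label, fs_type = struct.unpack_from(
        "<BBBI11s8s", bs, 64)
    return {
        "oem": bs[3:11].decode("ascii").rstrip(),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "reserved_sectors": reserved_sectors,
        "num_fats": num_fats,
        "fat_size_sectors": fat_size32,
        "hidden_sectors": hidden_sectors,
        # FAT32 keeps the 16-bit count at zero and uses the 32-bit field
        "total_sectors": total_sectors32 if total_sectors16 == 0 else total_sectors16,
        "root_cluster": root_cluster,
        "volume_id": volume_id,
        "label": label.decode("ascii").rstrip(),
        "fs_type": fs_type.decode("ascii").rstrip(),
    }


def partition_consistent(part, bpb):
    """The BPB should agree with the partition table entry it lives in."""
    return (bpb["hidden_sectors"] == part["lba_start"]
            and bpb["total_sectors"] == part["sectors"]
            and bpb["bytes_per_sector"] == SECTOR_SIZE)


def root_dir_offset(part, bpb):
    """Byte offset within the image of the root directory's first cluster."""
    first_data_sector = bpb["reserved_sectors"] + bpb["num_fats"] * bpb["fat_size_sectors"]
    cluster_sectors = (bpb["root_cluster"] - 2) * bpb["sectors_per_cluster"]
    return (part["lba_start"] + first_data_sector + cluster_sectors) * bpb["bytes_per_sector"]


if __name__ == "__main__":
    part = parse_mbr_entry(MBR_ENTRY_1)
    bpb = parse_fat32_boot_sector(FAT32_BOOT_SECTOR_HEAD)
    print("mount offset:", part["byte_offset"])
    print("BPB:", bpb)
    print("consistent with partition table:", partition_consistent(part, bpb))
    print("root directory at byte offset", root_dir_offset(part, bpb))
```

On a real image, read the 16-byte entries at offsets 446, 462, 478 and 494 of sector 0 and pass the 512 bytes at the resulting byte_offset to parse_fat32_boot_sector; a hidden-sector count that disagrees with the partition table is worth noting before any conclusions are drawn from the mounted view.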
First, create a directory which will be used as the mount target:
kali@securitynik:~/forensics$ mkdir usb
Let's now mount the drive:
kali@securitynik:~/forensics$ sudo mount --read-only --verbose --options noatime,nodiratime,loop,offset=1048576 --source linux_mint_usb.raw --target usb/
mount: /dev/loop0 mounted on /home/kali/forensics/usb.
Here is what the above does:
mount - mount the drive
--read-only - mount the drive as read only
--verbose - print the informational message, for each successful mount
--options
noatime - Do not update the access timestamps when the file is read
nodiratime - Do not update the directory inode access times on this file system
loop - sets up a loop device corresponding to the image file "linux_mint_usb.raw", which is then mounted at "--target usb/"
We can confirm this loop device as follows:
kali@securitynik:~/forensics$ df --human-readable --type vfat --print-type
Filesystem     Type  Size  Used Avail Use% Mounted on
/dev/loop0     vfat   30G   12G   19G  38% /home/kali/forensics/usb
offset=1048576 - mount the drive at this offset
--source linux_mint_usb.raw - The source image which was created.
--target usb/ - The location to which this drive will be mounted.
Now that the drive has been mounted, we can verify we have access:
kali@securitynik:~/forensics$ ls usb/
Fido-Apr04_2020-1.pdf  LINUX  PortablApps  'System Volume Information'  Girls  Nakia  'SANS SEC582 - Labs and Challenges PDFs'  tshark
Let's now export all the files, printing out each file's last status changed date (%Cx), last status changed time (%CT), last access date (%Ax), last access time (%AT), last modification date (%Tx), last modification time (%TT), file permissions (%m), numeric user id (%U), username (%u), group id (%G), group name (%g), size (%s) and path (%P), and finally a newline (\n) to put every entry on its own line.
kali@securitynik:~/forensics$ find usb/ -printf "%Cx|%CT|%Ax|%AT|%Tx|%TT|%m|%U|%u|%G|%g|%s|%P\n" | more
Here is a snapshot of what the output looks like.
kali@securitynik:~/forensics$ find usb/ -printf "%Cx|%CT|%Ax|%AT|%Tx|%TT|%m|%U|%u|%G|%g|%s|%P\n" | more
12/31/1969|19:00:00.0000000000|12/31/1969|19:00:00.0000000000|12/31/1969|19:00:00.0000000000|755|0|root|0|root|16384|
04/06/2020|13:58:31.2200000000|04/05/2020|20:00:00.0000000000|04/06/2020|13:58:32.0000000000|755|0|root|0|root|16384|System Volume Information
04/06/2020|13:58:31.2500000000|05/13/2020|20:00:00.0000000000|04/06/2020|13:58:32.0000000000|755|0|root|0|root|12|System Volume Information/WPSettings.dat
04/06/2020|20:14:57.0700000000|04/06/2020|20:00:00.0000000000|04/06/2020|20:14:58.0000000000|755|0|root|0|root|16384|System Volume Information/ClientRecoveryPasswordRotation
04/06/2020|20:14:57.1400000000|04/06/2020|20:00:00.0000000000|04/06/2020|20:14:58.0000000000|755|0|root|0|root|16384|System Volume Information/AadRecoveryPasswordDelete
04/06/2020|20:14:57.4300000000|05/13/2020|20:00:00.0000000000|04/06/2020|20:14:58.0000000000|755|0|root|0|root|76|System Volume Information/IndexerVolumeGuid
04/07/2020|20:39:36.0000000000|04/07/2020|20:00:00.0000000000|04/07/2020|20:39:36.0000000000|755|0|root|0|root|16384|Nakia
04/07/2020|20:38:04.0000000000|05/12/2020|20:00:00.0000000000|04/07/2020|20:38:04.0000000000|755|0|root|0|root|1387601|Nakia/Nakia code dot org certificate.pdf
04/07/2020|20:38:04.0000000000|05/12/2020|20:00:00.0000000000|04/07/2020|20:38:04.0000000000|755|0|root|0|root|766251|Nakia/Nakia_code-org-blank_certificate.png
....
Let's now redirect this output to a file for later analysis.
kali@securitynik:~/forensics$ find usb/ -printf "%Cx|%CT|%Ax|%AT|%Tx|%TT|%m|%U|%u|%G|%g|%s|%P\n" > linux_mint_files_export.txt
Once the contents are all in the file, we can then check to see how many lines were written as follows:
kali@securitynik:~/forensics$ cat linux_mint_files_export.txt | wc --lines
106191
Looks like we have 106,191 entries.
You can now take this file and open it in a spreadsheet application, or even load it into a database, to perform analysis.
From our exported results, let's find a file of interest to learn about its activities in the next post.
An important takeaway from the above is that the data retrieved came from "allocated" space. That means files which may have been deleted are more than likely not going to be seen in this output. You may therefore wish to use another tool, such as Autopsy or The Sleuth Kit, to get a better handle on the information on the disk. Keep these things in mind as you perform your file system forensics.
P.S. Not sure if you noticed it but I changed disks from the previous posts. However, the concepts remain the same.
Beginning File System Forensics - Acquiring Disk Image
In this series, I am looking at file system forensics. For this post, I inserted a USB device which can be found at: "/dev/sdb"
Taking a quick look at the disk using "fdisk --list" before we make a copy of it, we see:
kali@securitynik:~$ sudo fdisk --list /dev/sdb
[sudo] password for kali:
Disk /dev/sdb: 29.3 GiB, 31457280000 bytes, 61440000 sectors
Disk model: USB DISK
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00051443

Device     Boot Start      End  Sectors  Size Id Type
/dev/sdb1        2048 61437951 61435904 29.3G  c W95 FAT32 (LBA)
We will revisit this as we compare our cloned disk with the output above.
Let's now go ahead and create an image of the disk, so that we can perform our "dead" forensics.
kali@securitynik:~$ sudo dcfldd if=/dev/sdb of=linux_mint_usb.raw bs=512 errlog=linux_mint_err.log hash=md5,sha1,sha256 hashlog=linux_mint_usb_.hash status=on verifylog=linux_mint.verify hashwindow=100M
if=/dev/sdb - Specify the input file, which we know is the USB device located at /dev/sdb.
of=linux_mint_usb.raw - Specify the output file.
bs=512 - Specify a block size of 512 bytes.
errlog=linux_mint_err.log - Send all errors to a log file rather than writing them to the screen.
hash=md5,sha1,sha256 - Specify the hash algorithms to use. This ensures we can validate the integrity of the image as it is analyzed during the forensic process.
hashlog=linux_mint_usb_.hash - Send the hash information to a log file.
status=on - Display the status message.
verifylog=linux_mint.verify - Send the verification results to a log.
hashwindow=100M - Compute a hash for every 100 megabytes.
Once completed, here is what the output looks like:
61440000 blocks (30000Mb) written.
61440000+0 records in
61440000+0 records out
Looks like the total records read in equals the total records written out.
And here are the created files:
kali@securitynik:~/forensics$ ls linux_mint_usb_.hash linux_mint_err.log linux_mint_usb.raw linux_mint.verify
Looking at the "linux_mint_err.log" file
kali@securitynik:~/forensics$ ls linux_mint_usb_.hash linux_mint_err.log linux_mint_usb.raw linux_mint.verify
Looking at the "linux_mint_usb.hash" file
kali@securitynik:~/forensics$ cat linux_mint_usb.hash | more
0 - 104857600: a833657ba6ffe7aecc9502474830d0e3
0 - 104857600: 9c1a801e95178826c4e49bb498fdae18389429fa
0 - 104857600: 74b7b3f871998cc0bd614dea1d345e5057f87f0ff3579e8f372226ec0ae9e1df
104857600 - 209715200: 8d6305573b4500f27dbcee6cd582e4a8
104857600 - 209715200: 25bb8f02271ede26bfad67d6350ae038ee88a9f5
104857600 - 209715200: 308e467ed64fc4efb36a3c7e520ea6406e360fa260c7d87f9810345ecd09abf4
209715200 - 314572800: ce08ffdb8612f95e4752539044daf1ee
209715200 - 314572800: 4ae41ba71b7c70c470eadc8fa351d78c863facae
209715200 - 314572800: 987da527a07d254d8448233673b81a3843a0aafd0607527df67f333ebec0b913
314572800 - 419430400: 36c76342755d6828990a480c0056d31a
...
31352422400 - 31457280000: 75a8749d0ad3734052147bfa16069060
31352422400 - 31457280000: 9675bdbe94ccb0cd25601e35687a235a2630768a
31352422400 - 31457280000: 90db0b4ccf1b539dfc5c28cca76fd1e3b43316622c9fe4fc1f274ac0cb94e380
Total (md5): e995c8773f355b895792fafdc24e80d4
Total (sha1): 1473fda5a96d0b286b6ffba2b9f2550c1b67ab93
Total (sha256): 998a16707ee4aec57987e2ef768764d652cc55d648fc0f30b295b56b417b4747
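The per-window hashes above make it possible to locate exactly where an image diverges from the original, rather than only knowing that the total hash differs. The added Python example below (not dcfldd's code, nor code from the original post) reproduces the hashwindow/hashlog scheme on a small constructed byte string: it writes a log in the same "start - end: digest" layout with the three totals, then re-verifies an image against that log and reports which windows and totals mismatch. The 1000-byte image and 256-byte window are constructed stand-ins for the 30 GB image and 100M window used in the post.

```python
"""Windowed image hashing and verification in the style of dcfldd's hashwindow.

Added example, not dcfldd's code nor code from the original post. The image
is a constructed 1000-byte string and the window is 256 bytes so it runs
instantly; the log layout mirrors the post's hashlog output.
"""
import hashlib

ALGOS = ("md5", "sha1", "sha256")
DIGEST_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}   # hex length -> algorithm

# Constructed stand-in for a disk image: 1000 bytes of deterministic content.
SAMPLE_IMAGE = bytes((i * 7 + 3) % 256 for i in range(1000))
WINDOW = 256


def build_hashlog(image, window=WINDOW, algos=ALGOS):
    """Hash each window and the whole image; return text in hashlog layout."""
    lines = []
    totals = {a: hashlib.new(a) for a in algos}
    for start in range(0, len(image), window):
        chunk = image[start:start + window]
        end = start + len(chunk)            # last window may be short
        for a in algos:
            lines.append(f"{start} - {end}: {hashlib.new(a, chunk).hexdigest()}")
            totals[a].update(chunk)
    for a in algos:
        lines.append(f"Total ({a}): {totals[a].hexdigest()}")
    return "\n".join(lines) + "\n"


def parse_hashlog(text):
    """Return ({(start, end): {algo: digest}}, {algo: total_digest})."""
    windows, totals = {}, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Total ("):
            algo = line[len("Total ("):line.index(")")]
            totals[algo] = line.split(":", 1)[1].strip()
            continue
        span, _, digest = line.partition(":")
        digest = digest.strip()
        start, end = (int(x) for x in span.split("-"))
        # the log does not name the algorithm per line; infer it from digest length
        windows.setdefault((start, end), {})[DIGEST_ALGO[len(digest)]] = digest
    return windows, totals


def verify_image(image, log_text):
    """Recompute every window and total; return a list of mismatches.

    Window mismatches are (start, end, algo); total mismatches are
    ("total", algo). An empty list means the image matches the log."""
    windows, totals = parse_hashlog(log_text)
    running = {a: hashlib.new(a) for a in totals}
    mismatches = []
    for (start, end), expected in sorted(windows.items()):
        chunk = image[start:end]
        for a in running:
            running[a].update(chunk)
        for algo, digest in expected.items():
            if hashlib.new(algo, chunk).hexdigest() != digest:
                mismatches.append((start, end, algo))
    for algo, digest in totals.items():
        if running[algo].hexdigest() != digest:
            mismatches.append(("total", algo))
    return mismatches


if __name__ == "__main__":
    log = build_hashlog(SAMPLE_IMAGE)
    print(log)
    print("clean image:", verify_image(SAMPLE_IMAGE, log))
    damaged = bytearray(SAMPLE_IMAGE)
    damaged[300] ^= 0xFF            # corrupt one byte inside the second window
    print("damaged image:", verify_image(bytes(damaged), log))
```

To check a real image against a real log, read linux_mint_usb.raw into memory (or adapt verify_image to seek and read each window) and pass the hashlog text; a single mismatching window narrows a problem to 100 MB, which is far more useful than a failed total.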
Looking at the file "linux_mint_usb.raw"
kali@securitynik:~/forensics$ file linux_mint_usb.raw
linux_mint_usb.raw: DOS/MBR boot sector; partition 1 : ID=0xc, start-CHS (0x0,32,33), end-CHS (0x3ff,254,63), startsector 2048, 61435904 sectors
Now that we have the image, let's mount and perform some basic analysis in the next post.
Post in this series:
Beginning File System Forensics - Acquiring Disk Image
Beginning File System Forensics - mounting and learning about the drive
Beginning File System Forensics - Timeline analysis