Wednesday, September 9, 2020

Just a few days left to register for my upcoming SANS SEC582 Mastering TShark Packet Analysis class and get a Free copy of "Hack and Detect" or "Mastering TShark Network Forensics"

 Get a Free copy of "Learning by Practicing - Mastering TShark Network Forensics: Moving From Zero to Hero" or "Learning By Practicing - Hack & Detect: Leveraging the Cyber Kill Chain for Practical Hacking and its Detection via Network Forensics" when you register for my upcoming SANS SEC582 Mastering TShark Packet Analysis class


To learn more see: 

SEC582: Mastering TShark Packet Analysis

Beginning File System Forensics - Timeline analysis

Now that the drive has been mounted and the file metadata has been exported as seen in the previous post, let's poke at some files of "interest". The file of interest is related to my SANS SEC582 - Mastering TShark Packet Analysis class. 

Let's assume we have an indicator of compromise (IoC), in this case a suspicious file name. We can use "grep" to search the previously created "linux_mint_files_export.txt" and see whether we get a hit, piping the result into "wc --lines" to count the matches. Note that grep matches anywhere on the line, path included, so a directory whose name contains the string will match along with everything beneath it.

kali@securitynik:~/forensics$ grep "SEC582" linux_mint_files_export.txt | wc --lines
22

Above we see 22 matching entries. Let's look at them:

kali@securitynik:~/forensics$ grep "SEC582" linux_mint_files_export.txt
05/13/2020|08:31:58.8300000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:32:00.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs
05/13/2020|09:47:17.0200000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:18.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 1
05/13/2020|09:17:58.1200000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:18:00.0000000000|755|0|root|0|root|439479|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.2 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:26:59.1700000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:27:02.0000000000|755|0|root|0|root|817648|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.3 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:30:58.7100000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:31:02.0000000000|755|0|root|0|root|505620|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.4 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:33:56.1000000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:33:58.0000000000|755|0|root|0|root|158779|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.5 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:36:20.3600000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:36:22.0000000000|755|0|root|0|root|209775|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.6 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:43:38.9500000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:43:42.0000000000|755|0|root|0|root|290017|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.7 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:44:42.0100000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:44:44.0000000000|755|0|root|0|root|157451|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.8 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|08:34:08.4100000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:34:10.0000000000|755|0|root|0|root|396034|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:47:33.1500000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:34.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 2
05/13/2020|09:46:45.6500000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:46:48.0000000000|755|0|root|0|root|173404|SANS SEC582 - Labs and Challenges PDFs/Day 2/Exercise 2.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|10:44:37.9400000000|05/13/2020|20:00:00.0000000000|05/13/2020|10:44:40.0000000000|755|0|root|0|root|194576|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:04:45.2100000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:04:48.0000000000|755|0|root|0|root|604994|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.2 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:11:34.8000000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:11:40.0000000000|755|0|root|0|root|110284|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.3 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:18:01.4200000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:18:06.0000000000|755|0|root|0|root|221816|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.4 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:27:05.3600000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:27:08.0000000000|755|0|root|0|root|160748|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.5 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:37:28.2700000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:37:30.0000000000|755|0|root|0|root|246089|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.7 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:38:15.8100000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:38:18.0000000000|755|0|root|0|root|155128|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.8 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:39:09.4800000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:39:12.0000000000|755|0|root|0|root|168333|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.9 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:45:31.3500000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:45:34.0000000000|755|0|root|0|root|303851|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.10 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/14/2020|05:52:29.6100000000|05/13/2020|20:00:00.0000000000|05/14/2020|06:39:22.0000000000|755|0|root|0|root|1998024|SANS SEC582 - Labs and Challenges PDFs/Initial Setup - SANS SEC582_ Mastering TShark Packet Analysis.pdf

As you may remember from the previous post, the columns are: status-change date (%Cx) and time (%CT), last access date (%Ax) and time (%AT), last modification date (%Tx) and time (%TT), permission bits (%m), numeric user id (%U), user name (%u), numeric group id (%G), group name (%g), size (%s) and path (%P), one entry per line (\n). On this vfat mount the status-change columns carry the FAT32 creation timestamp (10 ms resolution), which is why they are the ones to read as "created"; FAT modification times have 2-second resolution and the access field holds a date only.

Considering the preceding, let's sort on the creation date and time (fields 1 and 2), most recent at the top. We feed the previous output to "sort" with a "--field-separator" of pipe "|", "--key=1,2" and "--reverse". One caveat: this is a text sort on MM/DD/YYYY strings, which only orders correctly while every entry falls in the same year, as they do here; a proper timeline should parse the dates.

kali@securitynik:~/forensics$ cat linux_mint_files_export.txt | grep SEC582 | sort --field-separator "|" --key=1,2 --reverse
05/14/2020|05:52:29.6100000000|05/13/2020|20:00:00.0000000000|05/14/2020|06:39:22.0000000000|755|0|root|0|root|1998024|SANS SEC582 - Labs and Challenges PDFs/Initial Setup - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:45:31.3500000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:45:34.0000000000|755|0|root|0|root|303851|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.10 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:39:09.4800000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:39:12.0000000000|755|0|root|0|root|168333|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.9 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:38:15.8100000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:38:18.0000000000|755|0|root|0|root|155128|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.8 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:37:28.2700000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:37:30.0000000000|755|0|root|0|root|246089|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.7 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:27:05.3600000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:27:08.0000000000|755|0|root|0|root|160748|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.5 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:18:01.4200000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:18:06.0000000000|755|0|root|0|root|221816|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.4 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:11:34.8000000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:11:40.0000000000|755|0|root|0|root|110284|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.3 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|11:04:45.2100000000|05/13/2020|20:00:00.0000000000|05/13/2020|11:04:48.0000000000|755|0|root|0|root|604994|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.2 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|10:44:37.9400000000|05/13/2020|20:00:00.0000000000|05/13/2020|10:44:40.0000000000|755|0|root|0|root|194576|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:47:33.1500000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:34.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 2
05/13/2020|09:47:17.0200000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:18.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 1
05/13/2020|09:46:45.6500000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:46:48.0000000000|755|0|root|0|root|173404|SANS SEC582 - Labs and Challenges PDFs/Day 2/Exercise 2.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:44:42.0100000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:44:44.0000000000|755|0|root|0|root|157451|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.8 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:43:38.9500000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:43:42.0000000000|755|0|root|0|root|290017|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.7 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:36:20.3600000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:36:22.0000000000|755|0|root|0|root|209775|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.6 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:33:56.1000000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:33:58.0000000000|755|0|root|0|root|158779|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.5 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:30:58.7100000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:31:02.0000000000|755|0|root|0|root|505620|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.4 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:26:59.1700000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:27:02.0000000000|755|0|root|0|root|817648|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.3 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:17:58.1200000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:18:00.0000000000|755|0|root|0|root|439479|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.2 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|08:34:08.4100000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:34:10.0000000000|755|0|root|0|root|396034|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|08:31:58.8300000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:32:00.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs

Now that we have the above, we can make some observations and draw tentative conclusions. First, note what FAT32 does not record: it has no ownership or permission bits, so the "root" and "755" on every line come from the mount defaults and say nothing about who created the files; and its last-access field is a date only, so the time portion of that column is an artifact (more on this below).
1. The activity surrounding the IoC string "SEC582" starts on May 13, 2020 at 08:31:58 local display time.
2. At 08:31:58 the directory "SANS SEC582 - Labs and Challenges PDFs" was created (16384 bytes is one cluster on this volume, and the entries beneath it confirm it is a directory).
3. Its modification time reads 08:32:00. FAT stores modification times at 2-second resolution and creation times at 10 ms, so this is the same mkdir seen through a coarser clock, not a later change. Note also that this directory's modification time never advanced even though a PDF was added to it on May 14, so on this volume a directory's modification time cannot be used to date later additions.

4. Looking closer, two sub directories "/Day 1" and "/Day 2" were created. Filtering out the PDFs so we can focus on the directory times, we see:

kali@securitynik:~/forensics$ cat linux_mint_files_export.txt | grep SEC582 | sort --field-separator "|" --key=1,2 --reverse | grep --invert-match --perl-regexp "\.pdf$"
05/13/2020|09:47:33.1500000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:34.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 2
05/13/2020|09:47:17.0200000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:18.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 1
05/13/2020|08:31:58.8300000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:32:00.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs

Paying closer attention to the access column, the two sub directories show "05/12/2020|20:00:00.0000000000" while the parent shows "05/13/2020|20:00:00.0000000000". How can the sub directories have been accessed before the parent that contains them? Remember that FAT32 records only a last-access date: the driver exposes it as midnight, and the 20:00:00 is that midnight rendered four hours behind UTC (the same shift shows the epoch as 12/31/1969 19:00:00 in the previous post's output). So the comparison is between dates, not times: Day 1 and Day 2 were last accessed on the 13th, the day they were created, while the parent directory and every PDF were last accessed on the 14th. Nothing is out of order; the parent and the files were simply read again on the 14th and the sub directory entries themselves were not.

The creation column is more telling. The Day 1 PDFs were created between 08:34 and 09:44, and "Day 2/Exercise 2.1" at 09:46:45, all before the directories that now contain them (Day 1 at 09:47:17, Day 2 at 09:47:33). A file cannot be created inside a directory that does not exist yet, so those PDFs were created elsewhere, most plausibly straight under the parent directory, which did exist, and moved into the sub directories at around 09:47; a move within the same volume keeps the directory entry's creation timestamp. The Challenge PDFs, from 10:44 onward, were created after Day 2 existed.

5. Looking at the other 19 entries by creation date, the first file "SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf" was created on May 13, 2020 around 08:34 and the last, "SANS SEC582 - Labs and Challenges PDFs/Initial Setup - SANS SEC582_ Mastering TShark Packet Analysis.pdf", on May 14 around 05:52.

6. By modification date and time, the first file "SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf" was modified on May 13, 2020 around 08:34, within two seconds of its creation, and the last, "SANS SEC582 - Labs and Challenges PDFs/Initial Setup - SANS SEC582_ Mastering TShark Packet Analysis.pdf", on May 14 around 06:39, some 47 minutes after it was created, so that one was edited after it was written to the stick. Every other PDF has creation and modification within a few seconds of each other.

7. Finally, all 19 PDFs carry a last-access date of May 14 (displayed as May 13 at 20:00). That is consistent with the files having been read, or copied off, in one pass on the 14th, the same day "Initial Setup" was added; the access date alone cannot distinguish a read from a copy.
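To make these checks repeatable, here is an added example (not part of the original post) that parses the export format used above and performs the same comparisons in code: it converts the date and time fields to real timestamps (the 10-digit fraction has to be trimmed, since strptime accepts at most six digits), sorts chronologically rather than lexically, flags entries whose creation time precedes that of their containing directory, and recovers the real FAT last-access date from the 20:00:00 artifact. The seven records are copied from the export above; the assumption that the display zone sits four hours behind UTC is an inference from this page's timestamps, not something the export states.

```python
import os
from datetime import datetime, timedelta

# Seven records copied from the "SEC582" export above (find -printf format:
# ctime date|time, atime date|time, mtime date|time, mode, uid, user, gid,
# group, size, path). The 10-digit fraction is how find prints %CT/%AT/%TT.
SAMPLE_EXPORT = """\
05/13/2020|08:31:58.8300000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:32:00.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs
05/13/2020|09:47:17.0200000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:18.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 1
05/13/2020|08:34:08.4100000000|05/13/2020|20:00:00.0000000000|05/13/2020|08:34:10.0000000000|755|0|root|0|root|396034|SANS SEC582 - Labs and Challenges PDFs/Day 1/Exercise 1.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|09:47:33.1500000000|05/12/2020|20:00:00.0000000000|05/13/2020|09:47:34.0000000000|755|0|root|0|root|16384|SANS SEC582 - Labs and Challenges PDFs/Day 2
05/13/2020|09:46:45.6500000000|05/13/2020|20:00:00.0000000000|05/13/2020|09:46:48.0000000000|755|0|root|0|root|173404|SANS SEC582 - Labs and Challenges PDFs/Day 2/Exercise 2.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/13/2020|10:44:37.9400000000|05/13/2020|20:00:00.0000000000|05/13/2020|10:44:40.0000000000|755|0|root|0|root|194576|SANS SEC582 - Labs and Challenges PDFs/Day 2/Challenge 2.1 - SANS SEC582_ Mastering TShark Packet Analysis.pdf
05/14/2020|05:52:29.6100000000|05/13/2020|20:00:00.0000000000|05/14/2020|06:39:22.0000000000|755|0|root|0|root|1998024|SANS SEC582 - Labs and Challenges PDFs/Initial Setup - SANS SEC582_ Mastering TShark Packet Analysis.pdf
"""

TIME_FIELDS = ("ctime", "atime", "mtime")   # ctime = FAT creation time on vfat

# Assumption inferred from the page: access times print as 20:00:00 and the
# epoch as 19:00:00, i.e. the display zone is 4 h behind UTC in May.
DISPLAY_UTC_OFFSET_HOURS = -4


def parse_timestamp(date_field, time_field):
    """Combine 'MM/DD/YYYY' and 'HH:MM:SS.ffffffffff' into a datetime.
    strptime's %f accepts at most six digits, so the fraction is trimmed."""
    hms, _, frac = time_field.partition(".")
    return datetime.strptime(f"{date_field} {hms}.{frac[:6] or '0'}",
                             "%m/%d/%Y %H:%M:%S.%f")


def parse_record(line):
    """One pipe-delimited export line -> dict. The path is the 13th field;
    splitting with maxsplit=12 keeps any '|' inside a file name intact."""
    parts = line.rstrip("\n").split("|", 12)
    if len(parts) != 13:
        raise ValueError(f"expected 13 fields, got {len(parts)}: {line!r}")
    rec = {"mode": parts[6], "uid": int(parts[7]), "user": parts[8],
           "gid": int(parts[9]), "group": parts[10], "size": int(parts[11]),
           "path": parts[12]}
    for i, name in enumerate(TIME_FIELDS):
        rec[name] = parse_timestamp(parts[2 * i], parts[2 * i + 1])
    return rec


def load_export(text, needle=None):
    """Parse an export; optionally keep only paths containing `needle`
    (the equivalent of the grep "SEC582" step above)."""
    records = [parse_record(ln) for ln in text.splitlines() if ln.strip()]
    return [r for r in records if needle is None or needle in r["path"]]


def timeline(records, key="ctime", newest_first=False):
    """Order by a real timestamp; a text sort on MM/DD/YYYY only works
    while all entries fall within one year."""
    return sorted(records, key=lambda r: r[key], reverse=newest_first)


def created_before_parent(records):
    """Paths whose creation time precedes that of the directory holding them.
    A file cannot be created in a directory that does not exist yet, so these
    were created elsewhere and moved in; a move within a FAT volume keeps the
    directory entry's creation timestamp."""
    by_path = {r["path"]: r for r in records}
    flagged = []
    for r in records:
        parent = by_path.get(os.path.dirname(r["path"]))
        if parent is not None and r["ctime"] < parent["ctime"]:
            flagged.append(r["path"])
    return flagged


def fat_access_date(record, utc_offset_hours=DISPLAY_UTC_OFFSET_HOURS):
    """FAT32 stores only a date for last access. The driver reports it as
    midnight (UTC, judging by this page's output), which find then prints in
    the display zone as 20:00:00 the previous day. Undo that shift."""
    return (record["atime"] - timedelta(hours=utc_offset_hours)).date()


if __name__ == "__main__":
    recs = load_export(SAMPLE_EXPORT, "SEC582")
    for r in timeline(recs):
        print(r["ctime"], r["mtime"], fat_access_date(r), r["path"])
    print("created before their parent directory:")
    for p in created_before_parent(recs):
        print("  ", p)
```

Running it on the full "linux_mint_files_export.txt" (read the file instead of SAMPLE_EXPORT) gives the same two findings as the manual walk-through: Exercise 1.1 and Exercise 2.1 predate the Day 1 and Day 2 directories, and every PDF's recorded access date is May 14.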

Arite!, I think that is enough for this post. 

Ohh and by the way, hope to see you in one of my SANS SEC582 Mastering TShark Packet Analysis class. :-) If you cannot make that one, come hang out with me in the SEC503 or SEC504 class. :-) :-)



Beginning File System Forensics - mounting and learning about the drive

In the previous post, we learned about the disk and the Master Boot Record (MBR), let's now mount that disk, so that we can analyze its contents.

Before mounting, let's once again take a look at the drive to see where the partitions starts.

kali@securitynik:~/forensics$ sudo fdisk --list linux_mint_usb.raw
Disk linux_mint_usb.raw: 29.3 GiB, 31457280000 bytes, 61440000 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00051443

Device              Boot Start      End  Sectors  Size Id Type
linux_mint_usb.raw1       2048 61437951 61435904 29.3G  c W95 FAT32 (LBA)

Above we see a single partition whose "Start" sector is 2048. To get the byte offset of the partition, multiply the start sector by the sector size of 512:

512*2048 = 1,048,576

Taking a look at this sector with xxd before mounting, we see the FAT32 boot sector:

kali@securitynik:~/forensics$ xxd --seek 1048576 --length 512 linux_mint_usb.raw | more
00100000: eb58 904d 5344 4f53 352e 3000 0220 e00a  .X.MSDOS5.0.. ..
00100010: 0200 0000 00f8 0000 3f00 ff00 0008 0000  ........?.......
00100020: 0070 a903 903a 0000 0000 0000 0200 0000  .p...:..........
00100030: 0100 0600 0000 0000 0000 0000 0000 0000  ................
00100040: 8000 2980 b481 fc4e 4f20 4e41 4d45 2020  ..)....NO NAME  
00100050: 2020 4641 5433 3220 2020 33c9 8ed1 bcf4    FAT32   3.....
00100060: 7b8e c18e d9bd 007c 8856 4088 4e02 8a56  {......|.V@.N..V
00100070: 40b4 41bb aa55 cd13 7210 81fb 55aa 750a  @.A..U..r...U.u.
00100080: f6c1 0174 05fe 4602 eb2d 8a56 40b4 08cd  ...t..F..-.V@...
00100090: 1373 05b9 ffff 8af1 660f b6c6 4066 0fb6  .s......f...@f..
001000a0: d180 e23f f7e2 86cd c0ed 0641 660f b7c9  ...?.......Af...
001000b0: 66f7 e166 8946 f883 7e16 0075 3983 7e2a  f..f.F..~..u9.~*
001000c0: 0077 3366 8b46 1c66 83c0 0cbb 0080 b901  .w3f.F.f........
001000d0: 00e8 2c00 e9a8 03a1 f87d 80c4 7c8b f0ac  ..,......}..|...
001000e0: 84c0 7417 3cff 7409 b40e bb07 00cd 10eb  ..t.<.t.........
001000f0: eea1 fa7d ebe4 a17d 80eb df98 cd16 cd19  ...}...}........
00100100: 6660 807e 0200 0f84 2000 666a 0066 5006  f`.~.... .fj.fP.
00100110: 5366 6810 0001 00b4 428a 5640 8bf4 cd13  Sfh.....B.V@....
00100120: 6658 6658 6658 6658 eb33 663b 46f8 7203  fXfXfXfX.3f;F.r.
00100130: f9eb 2a66 33d2 660f b74e 1866 f7f1 fec2  ..*f3.f..N.f....
00100140: 8aca 668b d066 c1ea 10f7 761a 86d6 8a56  ..f..f....v....V
00100150: 408a e8c0 e406 0acc b801 02cd 1366 610f  @............fa.
00100160: 8274 ff81 c300 0266 4049 7594 c342 4f4f  .t.....f@Iu..BOO
00100170: 544d 4752 2020 2020 0000 0000 0000 0000  TMGR    ........
00100180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00100190: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001001a0: 0000 0000 0000 0000 0000 0000 0d0a 4469  ..............Di
001001b0: 736b 2065 7272 6f72 ff0d 0a50 7265 7373  sk error...Press
001001c0: 2061 6e79 206b 6579 2074 6f20 7265 7374   any key to rest
001001d0: 6172 740d 0a00 0000 0000 0000 0000 0000  art.............
001001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001001f0: 0000 0000 0000 0000 ac01 b901 0000 55aa  ..............U.
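Before trusting that offset for a mount, it is worth decoding the BIOS Parameter Block in this sector and checking it against the partition table. The following is an added example, not code from the original post: it parses the first 96 bytes copied from the xxd dump above (the rest of the sector holds boot code the parser does not read, so it is zero-filled here and the 0x55AA signature restored), derives the cluster size and the start of the data region, and cross-checks the hidden-sector and total-sector fields against the values fdisk printed.

```python
import struct

# Offsets 0x00-0x5F of the partition's boot sector, copied from the xxd dump
# above (image offset 0x100000). Bytes 0x60-0x1FD hold boot code and error
# strings the parser does not read; they are zero-filled here and the
# 0x55AA signature restored.
BOOT_SECTOR_HEAD = bytes.fromhex(
    "eb58904d53444f53352e30000220e00a"
    "0200000000f800003f00ff0000080000"
    "0070a903903a00000000000002000000"
    "01000600000000000000000000000000"
    "80002980b481fc4e4f204e414d452020"
    "2020464154333220202033c98ed1bcf4"
)
SECTOR = BOOT_SECTOR_HEAD + bytes(510 - len(BOOT_SECTOR_HEAD)) + b"\x55\xaa"

BPB_FMT = "<HBHBHHBHHHII"     # offsets 11-35: common BIOS Parameter Block
FAT32_FMT = "<IHHIHH"          # offsets 36-51: FAT32 extension
EBPB_FMT = "<BBBI11s8s"        # offsets 64-89: extended boot record


def parse_fat32_boot_sector(sector):
    """Decode the FAT32 BPB and derive the layout figures an analyst needs."""
    if len(sector) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    if sector[0] not in (0xEB, 0xE9):
        raise ValueError("no x86 jump instruction at offset 0")
    (bytes_per_sector, sectors_per_cluster, reserved, num_fats, root_entries,
     total16, _media, fat_size16, _spt, _heads, hidden,
     total32) = struct.unpack_from(BPB_FMT, sector, 11)
    (fat_size32, _ext_flags, _fs_version, root_cluster, fsinfo,
     backup_boot) = struct.unpack_from(FAT32_FMT, sector, 36)
    (_drive, _reserved1, ext_sig, volume_id, label,
     fs_type) = struct.unpack_from(EBPB_FMT, sector, 64)

    if bytes_per_sector not in (512, 1024, 2048, 4096):
        raise ValueError(f"implausible bytes per sector: {bytes_per_sector}")
    if sectors_per_cluster == 0 or sectors_per_cluster & (sectors_per_cluster - 1):
        raise ValueError(f"sectors per cluster not a power of two: {sectors_per_cluster}")
    if fat_size16 != 0 or root_entries != 0:
        raise ValueError("FAT12/16 layout fields set; not a FAT32 boot sector")

    total = total32 if total16 == 0 else total16
    data_start = reserved + num_fats * fat_size32
    cluster_count = (total - data_start) // sectors_per_cluster
    # The FAT variant is defined by the cluster count, not by the "FAT32" string.
    variant = ("FAT12" if cluster_count < 4085 else
               "FAT16" if cluster_count < 65525 else "FAT32")
    return {
        "oem_name": sector[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_bytes": bytes_per_sector * sectors_per_cluster,
        "reserved_sectors": reserved,
        "num_fats": num_fats,
        "fat_size_sectors": fat_size32,
        "hidden_sectors": hidden,
        "total_sectors": total,
        "data_start_sector": data_start,
        "cluster_count": cluster_count,
        "variant": variant,
        "root_cluster": root_cluster,
        "fsinfo_sector": fsinfo,
        "backup_boot_sector": backup_boot,
        "has_ext_signature": ext_sig == 0x29,
        "volume_id": volume_id,
        "volume_label": label.decode("ascii", "replace").rstrip(),
        "fs_type_label": fs_type.decode("ascii", "replace").rstrip(),
    }


def cross_check(bpb, partition_start_sector, partition_sectors):
    """Compare the BPB with the partition table (the fdisk --list output).
    Any mismatch means the boot sector and the MBR disagree about where this
    filesystem lives, which needs explaining before trusting either."""
    problems = []
    if bpb["hidden_sectors"] != partition_start_sector:
        problems.append(f"hidden sectors {bpb['hidden_sectors']} != "
                        f"partition start {partition_start_sector}")
    if bpb["total_sectors"] != partition_sectors:
        problems.append(f"total sectors {bpb['total_sectors']} != "
                        f"partition size {partition_sectors}")
    if bpb["variant"] != "FAT32":
        problems.append(f"cluster count implies {bpb['variant']}, not FAT32")
    return problems


def cluster_image_offset(bpb, cluster, partition_byte_offset):
    """Byte offset in the raw image of the first byte of a data cluster
    (data clusters are numbered from 2)."""
    sector = bpb["data_start_sector"] + (cluster - 2) * bpb["sectors_per_cluster"]
    return partition_byte_offset + sector * bpb["bytes_per_sector"]


if __name__ == "__main__":
    bpb = parse_fat32_boot_sector(SECTOR)
    for k, v in bpb.items():
        print(f"{k:22} {v:#x}" if k == "volume_id" else f"{k:22} {v}")
    print("cross-check:", cross_check(bpb, 2048, 61435904) or "OK")
    print("root directory at image offset",
          cluster_image_offset(bpb, bpb["root_cluster"], 2048 * 512))
```

What the decode shows for this image: hidden sectors 2048 and total sectors 61435904 agree with the partition table, 32 sectors per cluster gives 16384-byte clusters (which is why every directory in the later export is exactly 16384 bytes), the data region starts 32768 sectors into the partition, and the root directory (cluster 2) sits at byte 17825792 of the image. The BPB also says a backup copy of this sector lives at partition sector 6; reading that and comparing it byte for byte with sector 0 is a cheap check that the boot sector has not been tampered with.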

First create a directory which will be used as your mount target

kali@securitynik:~/forensics$ mkdir usb

Let's now mount the drive:
kali@securitynik:~/forensics$ sudo mount --read-only --verbose --options noatime,nodiratime,loop,offset=1048576 --source linux_mint_usb.raw --target usb/
mount: /dev/loop0 mounted on /home/kali/forensics/usb.

Here is what the above does:

mount - mount the filesystem

--read-only - mount it read-only. Together with noatime this keeps the analysis from altering the image, but the proof is re-hashing linux_mint_usb.raw after unmounting and comparing against the dcfldd hash log from the acquisition post.

--verbose - print an informational message for each successful mount

--options 
    noatime - do not update file access timestamps when a file is read
    nodiratime - do not update directory access timestamps on this filesystem
    loop - attach the image file "linux_mint_usb.raw" to a loop device and mount that device on "--target usb/"

    We can confirm the loop device as follows:

kali@securitynik:~/forensics$ df --human-readable --type vfat --print-type
Filesystem     Type  Size  Used Avail Use% Mounted on
/dev/loop0     vfat   30G   12G   19G  38% /home/kali/forensics/usb

    offset=1048576 - start the filesystem at this byte offset into the image (sector 2048 * 512, the partition start reported by fdisk) rather than at the MBR

--source linux_mint_usb.raw - the image created in the previous post

--target usb/ - the directory on which the filesystem is mounted

Now that the filesystem is mounted, let's verify we can read it:

kali@securitynik:~/forensics$ ls usb/
 Fido-Apr04_2020-1.pdf   LINUX   PortablApps                              'System Volume Information'
 Girls                   Nakia  'SANS SEC582 - Labs and Challenges PDFs'   tshark

Let's now export all the files, printing for each one: status-change date (%Cx) and time (%CT), last access date (%Ax) and time (%AT), last modification date (%Tx) and time (%TT), permission bits (%m), numeric user id (%U), user name (%u), numeric group id (%G), group name (%g), size in bytes (%s) and path relative to the mount point (%P), one entry per line (\n). Two FAT32 specifics to keep in mind: the filesystem stores no ownership or permissions, so %U/%u/%G/%g/%m only echo the mount defaults (root and 755 here); and the vfat driver fills the status-change fields from the FAT creation timestamp (10 ms resolution), while FAT modification times have 2-second resolution and access is recorded as a date only.

Here is a snapshot of what the output looks like.

kali@securitynik:~/forensics$ find usb/ -printf "%Cx|%CT|%Ax|%AT|%Tx|%TT|%m|%U|%u|%G|%g|%s|%P\n" | more
12/31/1969|19:00:00.0000000000|12/31/1969|19:00:00.0000000000|12/31/1969|19:00:00.0000000000|755|0|root|0|root|16384|
04/06/2020|13:58:31.2200000000|04/05/2020|20:00:00.0000000000|04/06/2020|13:58:32.0000000000|755|0|root|0|root|16384|System Volume Information
04/06/2020|13:58:31.2500000000|05/13/2020|20:00:00.0000000000|04/06/2020|13:58:32.0000000000|755|0|root|0|root|12|System Volume Information/WPSettings.dat
04/06/2020|20:14:57.0700000000|04/06/2020|20:00:00.0000000000|04/06/2020|20:14:58.0000000000|755|0|root|0|root|16384|System Volume Information/ClientRecoveryPasswordRotation
04/06/2020|20:14:57.1400000000|04/06/2020|20:00:00.0000000000|04/06/2020|20:14:58.0000000000|755|0|root|0|root|16384|System Volume Information/AadRecoveryPasswordDelete
04/06/2020|20:14:57.4300000000|05/13/2020|20:00:00.0000000000|04/06/2020|20:14:58.0000000000|755|0|root|0|root|76|System Volume Information/IndexerVolumeGuid
04/07/2020|20:39:36.0000000000|04/07/2020|20:00:00.0000000000|04/07/2020|20:39:36.0000000000|755|0|root|0|root|16384|Nakia
04/07/2020|20:38:04.0000000000|05/12/2020|20:00:00.0000000000|04/07/2020|20:38:04.0000000000|755|0|root|0|root|1387601|Nakia/Nakia code dot org certificate.pdf
04/07/2020|20:38:04.0000000000|05/12/2020|20:00:00.0000000000|04/07/2020|20:38:04.0000000000|755|0|root|0|root|766251|Nakia/Nakia_code-org-blank_certificate.png

....

The first line, with an empty path, is usb/ itself: the FAT32 root directory has no directory entry of its own and therefore no timestamps, which the driver reports as the Unix epoch (shown as 12/31/1969 19:00:00 in the local zone). The "System Volume Information" entries are written by Windows, so this stick has also been used on a Windows machine.

Let's now redirect this output to a file for later analysis.

kali@securitynik:~/forensics$ find usb/ -printf "%Cx|%CT|%Ax|%AT|%Tx|%TT|%m|%U|%u|%G|%g|%s|%P\n" > linux_mint_files_export.txt

Once the contents are all in the file, we can then check to see how many lines were written as follows:

kali@securitynik:~/forensics$ cat linux_mint_files_export.txt | wc --lines
106191

We have 106,191 lines, one per file or directory, including the mount point itself.

You can now open this file in a spreadsheet or load it into a database to perform analysis.

From our exported results, let's find a file of interest to learn about its activities in the next post.

An important takeaway from the above is that everything retrieved came from "allocated" space: files that have been deleted will, more than likely, not appear in this output. Autopsy or The Sleuth Kit read the filesystem structures directly and list deleted entries too; for example "fls -o 2048 -r -m / linux_mint_usb.raw" (same partition offset as the mount, in sectors) produces a body file that "mactime" turns into a timeline. Keep this in mind as you perform your file system forensics.

P.S. Not sure if you noticed it but I changed disks from the previous posts. However, the concepts remain the same.




Beginning File System Forensics - Acquiring Disk Image

In this series, I am looking at file system forensics. For this post, I inserted a USB device, which the kernel enumerated as "/dev/sdb". Before imaging, make sure the stick has not been auto-mounted (or, better, attach it through a write blocker) so that nothing on it changes while it is being copied.

Taking a quick look at the disk using "fdisk --list" before we make a copy of it, we see:

kali@securitynik:~$ sudo fdisk --list /dev/sdb
[sudo] password for kali: 
Disk /dev/sdb: 29.3 GiB, 31457280000 bytes, 61440000 sectors
Disk model: USB DISK        
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00051443

Device     Boot Start      End  Sectors  Size Id Type
/dev/sdb1        2048 61437951 61435904 29.3G  c W95 FAT32 (LBA)

We will revisit this as we compare our cloned disk with the output above.

Let's now go ahead and create an image of the disk, so that we can perform our "dead" forensics.

kali@securitynik:~$ sudo dcfldd if=/dev/sdb of=linux_mint_usb.raw bs=512 errlog=linux_mint_err.log hash=md5,sha1,sha256 hashlog=linux_mint_usb_.hash status=on verifylog=linux_mint.verify hashwindow=100M

Specify the input file, which we know is the USB located at /dev/sdb
if=/dev/sdb 


Specify an output File
of=linux_mint_usb.raw 

Specify a block size of 512 bytes, matching the sector size, so that a read error affects a single sector. If the device has unreadable sectors, also add conv=noerror,sync so the copy continues and pads the bad block with zeros instead of stopping.
bs=512 

Send all errors to a log file, rather than writing to the screen
errlog=linux_mint_err.log 


Specify the hash algorithms to use. This ensures we can validate the integrity of the image as it is analyzed during the forensic process.
hash=md5,sha1,sha256 


Send the hash information to a log file
hashlog=linux_mint_usb_.hash 

Displays the status message
status=on 

Send the verification results to a log. Note that dcfldd only performs a verification pass when vf=FILE is also given; on its own, verifylog= merely names where those results would go.
verifylog=linux_mint.verify 

Hash each 100 MiB window (104,857,600 bytes, as the ranges in the hash log show) separately, in addition to the totals, so that a later mismatch can be narrowed down to one window.
hashwindow=100M


Once completed, here is what the output looks like:

61440000 blocks (30000Mb) written.
61440000+0 records in
61440000+0 records out

The record counts match: 61,440,000 blocks read and 61,440,000 written, and the "+0" means no partial blocks, so nothing was truncated. That count also equals the 61440000 sectors fdisk reported for the device.

The files created:

kali@securitynik:~/forensics$ ls 
linux_mint_usb_.hash  linux_mint_err.log  linux_mint_usb.raw  linux_mint.verify


The "linux_mint_err.log" file would hold any read errors from the copy; its contents are not reproduced here.

Looking at the "linux_mint_usb_.hash" file 

kali@securitynik:~/forensics$ cat linux_mint_usb_.hash | more
0 - 104857600: a833657ba6ffe7aecc9502474830d0e3
0 - 104857600: 9c1a801e95178826c4e49bb498fdae18389429fa
0 - 104857600: 74b7b3f871998cc0bd614dea1d345e5057f87f0ff3579e8f372226ec0ae9e1df
104857600 - 209715200: 8d6305573b4500f27dbcee6cd582e4a8
104857600 - 209715200: 25bb8f02271ede26bfad67d6350ae038ee88a9f5
104857600 - 209715200: 308e467ed64fc4efb36a3c7e520ea6406e360fa260c7d87f9810345ecd09abf4
209715200 - 314572800: ce08ffdb8612f95e4752539044daf1ee
209715200 - 314572800: 4ae41ba71b7c70c470eadc8fa351d78c863facae
209715200 - 314572800: 987da527a07d254d8448233673b81a3843a0aafd0607527df67f333ebec0b913
314572800 - 419430400: 36c76342755d6828990a480c0056d31a
...
31352422400 - 31457280000: 75a8749d0ad3734052147bfa16069060
31352422400 - 31457280000: 9675bdbe94ccb0cd25601e35687a235a2630768a
31352422400 - 31457280000: 90db0b4ccf1b539dfc5c28cca76fd1e3b43316622c9fe4fc1f274ac0cb94e380

Total (md5): e995c8773f355b895792fafdc24e80d4

Total (sha1): 1473fda5a96d0b286b6ffba2b9f2550c1b67ab93

Total (sha256): 998a16707ee4aec57987e2ef768764d652cc55d648fc0f30b295b56b417b4747
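The hash log is only useful if something later checks the image against it. The following is an added example (not dcfldd's code, and not from the original post) that reproduces the windowed-hash scheme shown above in Python: it hashes an image in fixed windows plus a total, writes and reads a log in the same "start - end: digest" / "Total (algo): digest" layout the page shows, and reports which windows no longer match. The 1 KiB sample image and 400-byte window are constructed for the demonstration; on the real 30 GB image, pass an mmap of linux_mint_usb.raw and the 104857600-byte window rather than reading it into memory.

```python
import hashlib

ALGOS = ("md5", "sha1", "sha256")       # the hash= list given to dcfldd above

# Constructed stand-in for the image: 1 KiB of repeating byte values, hashed
# in 400-byte windows. The real run used linux_mint_usb.raw and 100 MiB.
SAMPLE_IMAGE = bytes(range(256)) * 4
SAMPLE_WINDOW = 400


def windowed_hashes(data, window, algos=ALGOS):
    """Hash each window separately and the whole image once, in one pass.
    Returns ([(start, end, algo, hexdigest), ...], {algo: total_hexdigest})."""
    totals = {a: hashlib.new(a) for a in algos}
    rows = []
    for start in range(0, len(data), window):
        chunk = data[start:start + window]
        for a in algos:
            totals[a].update(chunk)
            rows.append((start, start + len(chunk), a,
                         hashlib.new(a, chunk).hexdigest()))
    return rows, {a: h.hexdigest() for a, h in totals.items()}


def format_hashlog(rows, totals):
    """Render in the layout dcfldd's hashlog shows above."""
    lines = [f"{start} - {end}: {digest}" for start, end, _, digest in rows]
    lines += [f"Total ({algo}): {digest}" for algo, digest in totals.items()]
    return "\n".join(lines) + "\n"


def parse_hashlog(text):
    """Inverse of format_hashlog: ([(start, end, hexdigest)], {algo: hexdigest}).
    Window lines carry no algorithm name, so it is recovered from digest length."""
    windows, totals = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Total ("):
            algo = line[len("Total ("):line.index(")")]
            totals[algo] = line.split(":", 1)[1].strip()
        else:
            span, digest = line.split(":", 1)
            start, end = (int(x) for x in span.split("-"))
            windows.append((start, end, digest.strip()))
    return windows, totals


def algo_for_digest(hexdigest):
    """md5, sha1 and sha256 have distinct hex lengths (32, 40, 64)."""
    return {32: "md5", 40: "sha1", 64: "sha256"}[len(hexdigest)]


def verify_image(data, log_text):
    """Recompute every window and total from `data` and compare with the log.
    Returns [(label, algo)] for each mismatch, label being 'start-end' or
    'total'; an empty list means the image still matches its acquisition log."""
    windows, totals = parse_hashlog(log_text)
    bad = []
    for start, end, digest in windows:
        algo = algo_for_digest(digest)
        if hashlib.new(algo, data[start:end]).hexdigest() != digest:
            bad.append((f"{start}-{end}", algo))
    for algo, digest in totals.items():
        if hashlib.new(algo, data).hexdigest() != digest:
            bad.append(("total", algo))
    return bad


if __name__ == "__main__":
    rows, totals = windowed_hashes(SAMPLE_IMAGE, SAMPLE_WINDOW)
    log = format_hashlog(rows, totals)
    print(log)
    print("clean image:", verify_image(SAMPLE_IMAGE, log) or "all windows match")
    damaged = bytearray(SAMPLE_IMAGE)
    damaged[500] ^= 0xFF                 # corrupt one byte inside window 400-800
    print("damaged image:", verify_image(bytes(damaged), log))
```

The point of the per-window digests is localisation: a single flipped byte fails the totals, which only tells you the image is bad, but it also fails exactly one window, which tells you where to look (and, with the original device still available, which 100 MiB to re-read).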

Looking at the file "linux_mint_usb.raw"

kali@securitynik:~/forensics$ file linux_mint_usb.raw 
linux_mint_usb.raw: DOS/MBR boot sector; partition 1 : ID=0xc, start-CHS (0x0,32,33), end-CHS (0x3ff,254,63), startsector 2048, 61435904 sectors

Now that we have the image, let's mount and perform some basic analysis in the next post.

Post in this series: