Wednesday, September 9, 2020

Beginning File System Forensics - mounting and learning about the drive

In the previous post, we learned about the disk and the Master Boot Record (MBR), let's now mount that disk, so that we can analyze its contents.

Before mounting, let's once again take a look at the drive to see where the partitions starts.

kali@securitynik:~/forensics$ sudo fdisk --list linux_mint_usb.raw
Disk linux_mint_usb.raw: 29.3 GiB, 31457280000 bytes, 61440000 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00051443

Device              Boot Start      End  Sectors  Size Id Type
linux_mint_usb.raw1       2048 61437951 61435904 29.3G  c W95 FAT32 (LBA)

Above, we see one one partition, which has a "Start" sector 2048. To get the actual byte position, multiply 2048*512. 512 once again being the size of the sectors.

512*2048 = 1,048,576‬

Taking a look at this sector with XXD before mounting, we see:

kali@securitynik:~/forensics$ xxd --seek 1048576 --length 512 linux_mint_usb.raw | more
00100000: eb58 904d 5344 4f53 352e 3000 0220 e00a  .X.MSDOS5.0.. ..
00100010: 0200 0000 00f8 0000 3f00 ff00 0008 0000  ........?.......
00100020: 0070 a903 903a 0000 0000 0000 0200 0000  .p...:..........
00100030: 0100 0600 0000 0000 0000 0000 0000 0000  ................
00100040: 8000 2980 b481 fc4e 4f20 4e41 4d45 2020  ..)....NO NAME  
00100050: 2020 4641 5433 3220 2020 33c9 8ed1 bcf4    FAT32   3.....
00100060: 7b8e c18e d9bd 007c 8856 4088 4e02 8a56  {......|.V@.N..V
00100070: 40b4 41bb aa55 cd13 7210 81fb 55aa 750a  @.A..U..r...U.u.
00100080: f6c1 0174 05fe 4602 eb2d 8a56 40b4 08cd  ...t..F..-.V@...
00100090: 1373 05b9 ffff 8af1 660f b6c6 4066 0fb6  .s......f...@f..
001000a0: d180 e23f f7e2 86cd c0ed 0641 660f b7c9  ...?.......Af...
001000b0: 66f7 e166 8946 f883 7e16 0075 3983 7e2a  f..f.F..~..u9.~*
001000c0: 0077 3366 8b46 1c66 83c0 0cbb 0080 b901  .w3f.F.f........
001000d0: 00e8 2c00 e9a8 03a1 f87d 80c4 7c8b f0ac  ..,......}..|...
001000e0: 84c0 7417 3cff 7409 b40e bb07 00cd 10eb  ..t.<.t.........
001000f0: eea1 fa7d ebe4 a17d 80eb df98 cd16 cd19  ...}...}........
00100100: 6660 807e 0200 0f84 2000 666a 0066 5006  f`.~.... .fj.fP.
00100110: 5366 6810 0001 00b4 428a 5640 8bf4 cd13  Sfh.....B.V@....
00100120: 6658 6658 6658 6658 eb33 663b 46f8 7203  fXfXfXfX.3f;F.r.
00100130: f9eb 2a66 33d2 660f b74e 1866 f7f1 fec2  ..*f3.f..N.f....
00100140: 8aca 668b d066 c1ea 10f7 761a 86d6 8a56  ..f..f....v....V
00100150: 408a e8c0 e406 0acc b801 02cd 1366 610f  @............fa.
00100160: 8274 ff81 c300 0266 4049 7594 c342 4f4f  .t.....f@Iu..BOO
00100170: 544d 4752 2020 2020 0000 0000 0000 0000  TMGR    ........
00100180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00100190: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001001a0: 0000 0000 0000 0000 0000 0000 0d0a 4469  ..............Di
001001b0: 736b 2065 7272 6f72 ff0d 0a50 7265 7373  sk error...Press
001001c0: 2061 6e79 206b 6579 2074 6f20 7265 7374   any key to rest
001001d0: 6172 740d 0a00 0000 0000 0000 0000 0000  art.............
001001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
001001f0: 0000 0000 0000 0000 ac01 b901 0000 55aa  ..............U.

First create a directory which will be used as your mount target

kali@securitynik:~/forensics$ mkdir usb

Let's now mount the drive:
kali@securitynik:~/forensics$ sudo mount --read-only --verbose --options noatime,nodiratime,loop,offset=1048576 --source linux_mint_usb.raw --target usb/
mount: /dev/loop0 mounted on /home/kali/forensics/usb.

Here is what the above does
mount - mount the drive

--read-only - mount the drive as read only

--verbose - print the informational message, for each successful mount 

--options 
    noatime - Do not update the access timestamps when the file is read
    nodiratime -  Do not update the directory inode access times on this file system
    loop - sets up a loop device to correspond to the image file "linux_mint_usb.raw" and then mount that image to "--target usb/"

    We can confirm this loop device as follows:
  
 kali@securitynik:~/forensics$ df --human-readable --type vfat --print-type
    Filesystem     Type  Size  Used Avail Use% Mounted on
    /dev/loop0     vfat   30G   12G   19G  38% /home/kali/forensics/usb
 
    offset=1048576 - mount the drive at this offset 

--source linux_mint_usb.raw - The source image which was created.

--target usb/ - The location to which this drive will be mounted.

Now that we know the drive has been mounted, we can now verify we have access

kali@securitynik:~/forensics$ ls usb/
 Fido-Apr04_2020-1.pdf   LINUX   PortablApps                              'System Volume Information'
 Girls                   Nakia  'SANS SEC582 - Labs and Challenges PDFs'   tshark

Let's now export all the files, printing out information relating to the file's last status changed date (%Cx), last status changed time (%CT), last access date (%Ax), last access time (%AT), last modification time (%Tx), last modification time (%TT), file permissions (%m), file numeric user id (%U), username (%u), group id (%G), group name (%u), size (%s), path (%P) and finally put ever entry on a new line (\n)

kali@securitynik:~/forensics$ find usb/ -printf "%Cx|%CT|%Ax|%AT|%Tx|%TT|%m|%U|%u|%G|%g|%s|%P\n" | more

Here is a snapshot of what the output looks like.

kali@securitynik:~/forensics$ find usb/ -printf "%Cx|%CT|%Ax|%AT|%Tx|%TT|%m|%U|%u|%G|%g|%s|%P\n" | more
12/31/1969|19:00:00.0000000000|12/31/1969|19:00:00.0000000000|12/31/1969|19:00:00.0000000000|755|0|root|0|root|16384|
04/06/2020|13:58:31.2200000000|04/05/2020|20:00:00.0000000000|04/06/2020|13:58:32.0000000000|755|0|root|0|root|16384|System
 Volume Information
04/06/2020|13:58:31.2500000000|05/13/2020|20:00:00.0000000000|04/06/2020|13:58:32.0000000000|755|0|root|0|root|12|System Vo
lume Information/WPSettings.dat
04/06/2020|20:14:57.0700000000|04/06/2020|20:00:00.0000000000|04/06/2020|20:14:58.0000000000|755|0|root|0|root|16384|System
 Volume Information/ClientRecoveryPasswordRotation
04/06/2020|20:14:57.1400000000|04/06/2020|20:00:00.0000000000|04/06/2020|20:14:58.0000000000|755|0|root|0|root|16384|System
 Volume Information/AadRecoveryPasswordDelete
04/06/2020|20:14:57.4300000000|05/13/2020|20:00:00.0000000000|04/06/2020|20:14:58.0000000000|755|0|root|0|root|76|System Vo
lume Information/IndexerVolumeGuid
04/07/2020|20:39:36.0000000000|04/07/2020|20:00:00.0000000000|04/07/2020|20:39:36.0000000000|755|0|root|0|root|16384|Nakia
04/07/2020|20:38:04.0000000000|05/12/2020|20:00:00.0000000000|04/07/2020|20:38:04.0000000000|755|0|root|0|root|1387601|Naki
a/Nakia code dot org certificate.pdf
04/07/2020|20:38:04.0000000000|05/12/2020|20:00:00.0000000000|04/07/2020|20:38:04.0000000000|755|0|root|0|root|766251|Nakia
/Nakia_code-org-blank_certificate.png

....

Let's now redirect this output to a file for later analysis.

kali@securitynik:~/forensics$ find usb/ -printf "%Cx|%CT|%Ax|%AT|%Tx|%TT|%m|%U|%u|%G|%g|%s|%P\n" > linux_mint_files_export.txt

Once the contents are all in the file, we can then check to see how many lines were written as follows:

kali@securitynik:~/forensics$ cat linux_mint_files_export.txt | wc --lines
106191

Looks like we have about 106,191 entries. 

You can now take this file and open it with spreadsheet document or even a database to perform analysis.

From our exported results, let's find a file of interest to learn about its activities in the next post.

An important takeaway for above, is that the data which was retrieved was from "allocated" space. That means, files which might have been deleted, are more than likely not going to be seen within this output. Thus you may wish to use another tool such as Autopsy or the SleuthKit to get a better handle on the information on the disk. Keep these things in mind as you perform your file systems forensics.

P.S. Not sure if you noticed it but I changed disks from the previous posts. However, the concepts remain the same.




No comments:

Post a Comment