Hello All,

I still remember my days 7 years back, when I was very keen on learning and working on computer forensics; however, there were no good resources available for understanding the concepts and the practical side of it.

I am starting this short series for all those who are still struggling to start their career in digital / computer forensics.

However, I won't be covering the basic steps or phases involved in computer forensics and incident response, as there are numerous books available on the subject, and a Google search will help you a lot.

So, let's start with the NTFS filesystem:-

Currently it is NTFS v3.1 for XP/2000/2003/Vista

NTFS: New Technology File System

NTFS was formerly a registered trademark of Northern Telecom (Northern Telecom File System); you can still find this on older versions of the Windows NT 3.5 and 4.0 CDs.

Going a bit deeper,

NTFS consists of records and entries in the MFT,

$MFT = Master File Table

Each record within the $MFT is 1024 bytes long.

The standard sector size within NTFS is 512 bytes.

The standard cluster size within NTFS is 4096 bytes (8 sectors * 512 bytes).

The MFT is the primary file within the NTFS file system; this file points to the locations of all other files on the NTFS-formatted volume.

Within the MFT there are "entries", and each entry contains information about the file it points to. These entries provide a variety of information about that file, including the following:

File name, file size, and the dates associated with the file:-

Created = C

Entry Modified = M

Written = E

Accessed = A

(together known as MACE), plus the location of the file's data.

Typically an MFT entry is 1024 bytes in size, or two sectors, and starts with either FILE0 or FILE*, signifying whether the given partition was formatted using Windows XP or Windows 2000 respectively.

The first 16 MFT entries within the MFT are reserved.
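To make the entry layout above concrete, here is an added example (my own illustration, not code from the original post) that parses one MFT FILE record in Python: it verifies the FILE signature, undoes the update-sequence fixups that NTFS writes into the last two bytes of each 512-byte sector, and pulls the MACE timestamps and the file name out of the resident $STANDARD_INFORMATION and $FILE_NAME attributes. The record it parses is constructed inside the script (a hypothetical notes.txt in the root directory, with an XP-style header) rather than read from a real volume; the attribute offsets follow the documented on-disk format.

```python
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE = 1024          # one MFT entry = two 512-byte sectors
SECTOR_SIZE = 512
ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """NTFS timestamps are 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def signature_tag(record):
    # Byte 4 is the low byte of the update-sequence-array offset: 0x30 ('0') on
    # XP-formatted volumes, 0x2A ('*') on 2000, hence "FILE0" / "FILE*" in a hex editor.
    return record[:5].decode("latin-1")

def apply_fixups(record):
    """Undo the update sequence: NTFS overwrites the last two bytes of every sector
    with the update sequence number and keeps the real bytes in the header array.
    A mismatch means the record was torn mid-write or is corrupt."""
    buf = bytearray(record)
    usa_offset, usa_count = struct.unpack_from("<HH", buf, 4)
    usn = bytes(buf[usa_offset:usa_offset + 2])
    for i in range(1, usa_count):
        sector_end = i * SECTOR_SIZE - 2
        if bytes(buf[sector_end:sector_end + 2]) != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        saved = usa_offset + 2 * i
        buf[sector_end:sector_end + 2] = buf[saved:saved + 2]
    return bytes(buf)

def _times(raw, offset):
    c, w, e, a = struct.unpack_from("<QQQQ", raw, offset)
    return {"created": filetime_to_datetime(c), "written": filetime_to_datetime(w),
            "entry_modified": filetime_to_datetime(e), "accessed": filetime_to_datetime(a)}

def parse_mft_record(record):
    """Parse the header plus the resident $STANDARD_INFORMATION and $FILE_NAME attributes."""
    if len(record) != RECORD_SIZE or record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    data = apply_fixups(record)
    _, _, _lsn, seq, links, attr_off, flags, used, _alloc = struct.unpack_from("<HHQHHHHII", data, 4)
    info = {"signature": signature_tag(record), "sequence": seq, "link_count": links,
            "in_use": bool(flags & 0x01), "is_directory": bool(flags & 0x02),
            "record_number": struct.unpack_from("<I", data, 0x2C)[0], "used_size": used}
    off = attr_off
    while off + 8 <= RECORD_SIZE:
        atype, alen = struct.unpack_from("<II", data, off)
        if atype == ATTR_END or alen < 24:
            break
        if data[off + 8] == 0:                       # resident: content is inside the record
            clen, coff = struct.unpack_from("<IH", data, off + 16)
            content = data[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                info["si_times"] = _times(content, 0)   # the timestamps Explorer and most tools show
            elif atype == ATTR_FILE_NAME:
                info["parent_record"] = struct.unpack_from("<Q", content, 0)[0] & 0xFFFFFFFFFFFF
                info["fn_times"] = _times(content, 8)   # second copy, not touched by SetFileTime
                info["size"] = struct.unpack_from("<Q", content, 0x30)[0]
                name_len = content[0x40]
                info["name"] = content[0x42:0x42 + 2 * name_len].decode("utf-16-le")
        off += alen
    return info

def _resident_attribute(atype, content, attr_id):
    pad = b"\x00" * (-len(content) % 8)              # attributes are 8-byte aligned
    header = struct.pack("<IIBBHHHIHBB", atype, 24 + len(content) + len(pad), 0, 0, 24, 0,
                         attr_id, len(content), 24, 0, 0)
    return header + content + pad

def build_sample_record():
    """Constructed sample (not from any real volume): an in-use file 'notes.txt'
    in the root directory (parent = MFT record 5), with an XP-style header."""
    created = datetime(2009, 3, 30, 12, 0, tzinfo=timezone.utc)
    times = [datetime_to_filetime(created + d) for d in
             (timedelta(), timedelta(hours=1), timedelta(hours=2), timedelta(days=1))]
    si = struct.pack("<QQQQIIII", *times, 0x20, 0, 0, 0) + b"\x00" * 24   # 0x20 = ARCHIVE
    name = "notes.txt".encode("utf-16-le")
    fn = struct.pack("<QQQQQQQIIBB", 0x0005000000000005, *times, 4096, 1234, 0x20, 0,
                     len(name) // 2, 1) + name                             # 1 = Win32 namespace
    body = (_resident_attribute(ATTR_STANDARD_INFORMATION, si, 0)
            + _resident_attribute(ATTR_FILE_NAME, fn, 1) + struct.pack("<I", ATTR_END))
    header = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, 0x38, 0x01,
                                   0x38 + len(body), RECORD_SIZE, 0, 2, 0, 42)
    rec = bytearray(header + b"\x00" * 8 + body)
    rec += b"\x00" * (RECORD_SIZE - len(rec))
    usn = b"\x01\x00"                                # write the on-disk update sequence
    rec[0x30:0x32] = usn
    for i in (1, 2):
        sector_end = i * SECTOR_SIZE - 2
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[sector_end:sector_end + 2]
        rec[sector_end:sector_end + 2] = usn
    return bytes(rec)

if __name__ == "__main__":
    for key, value in parse_mft_record(build_sample_record()).items():
        print(f"{key:>14}: {value}")
```

On a real case you would feed 1024-byte slices of an exported $MFT to parse_mft_record instead of build_sample_record. The fixup check is what catches a torn or partially overwritten record, and comparing si_times against fn_times is the standard tamper check: the Windows API that timestamp-altering tools call only rewrites $STANDARD_INFORMATION, so a $FILE_NAME "created" that is later than the $STANDARD_INFORMATION "created" deserves a closer look.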

In the next part of this series we will go deeper into the NTFS structure with reference to the MFT and other records.

Need all your comments.

Thanks

Nitin Kushwaha

CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K

Hello All,

Just an update on Windows XP Restore Points and their use in forensic investigation:-

Within Windows XP, Windows creates "Restore Points". These restore points are contained in numbered folders at the following location:

\System Volume Information\-restore{GUID}\RP### (### are sequential numbers, assigned as the restore points are created)

These restore points are, or can be, created when the following conditions are met, or due to actions taken by the user or system:

1> These restore points are created by default every 24 hours within Windows XP and are named "System Checkpoint"

2> They are also created before and after the installation of Microsoft Windows Updates or any patch/hotfix installation.

3> They are often created whenever a user installs any software or application

4> and finally whenever any new hardware change occurs and a device driver installation is performed on the system.

There may be other reasons which I am not fully aware of, or haven't come across.

Now, how can the above help in an ongoing forensic investigation?

Well,

1> Check the system image in question for Event ID 110, which provides evidence that a System Restore was successful; this is very useful after a machine is confiscated and is under investigation.

2> Check for the following logs relevant to System Restore: a> RP.LOG, b> CHANGE.LOG, c> FIFO.LOG

The Change.log is important as it contains the names of files which were renamed, and thus it helps in tracking files from the restore point folder.

The FIFO.log file contains the deletion time and the number of the restore point being deleted, "RP###".

Restore points are valid for a 90-day period; it also depends on the amount of disk space available and how System Restore is configured.

System Restore can be disabled by a user or an Administrator.

An Administrator can create a System Restore point manually.

\System Volume Information\-restore{GUID}\RP### is accessible neither to an Administrator with the default NTFS permission set, nor to the user.

There are registry settings for System Restore at:-

HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore

If you have any other inputs to add, or anything I have missed, please feel free to comment.

Need all your comments.

Thanks

Nitin Kushwaha

CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K

Hello All,

After a long time, and Yes you read the Title right!!

With the new feature in Windows XP and Windows Vista called SteadyState, if it is configured properly, with Disk Protection = ON and deletion of the shared profile at restart or logoff configured properly, there is no way to retrieve any artefacts from a system configured to run with Windows SteadyState,

as there are no modifications within the $MFT, except for the $MFT entry for the C:\Boot\Bootstat.dat file itself.

And nothing else changes!!

I am still trying to figure out other possibilities for recovering the artefacts.

However, as of this time, I assume it is almost 50 % true to say that the day is not too far off when one can hide all traces and artefacts from a system, as advances in technologies like Windows SteadyState keep coming..

Note:-System needs to be configured to use Locked Profile and deletion of any user data, Please refer to User Handbook for Windows SteadyState:-)

Need all your comments.

Thanks

Nitin Kushwaha

CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K.

NMAP as a VA tool !!

March 30, 2009

NMAP, a great penetration-testing tool which was previously used only as a port-scanning and enumeration tool, now has additional and more powerful features than its previous versions,

with the newly added "NSE" (Nmap Scripting Engine), which uses "Lua".

The NSE ("The Nmap Scripting Engine") executes scripts in parallel with the ongoing scan. Scripts are written in the embedded Lua programming language.

The NSE scripts can be found under:-

/usr/share/nmap/scripts/

There are currently the following categories:

auth, default, discovery, external, intrusive, malware, safe, version, and vuln.

The above categories can be used together as well, separated by commas:

nmap -v --script=malware,vuln,discovery hostipaddress.com

Some common examples of using NMAP with NSE are as follows:-

To update the script database, use the following: nmap --script-updatedb

nmap -v -sC hostipaddress.com

nmap -v --script=all hostipaddress.com

nmap -v --script=default hostipaddress.com

nmap -v --script=malware hostipaddress.com

There can be many more options, depending upon what exactly you are trying to find out.
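As an added illustration (not from the original post), here is a Python script that reads the XML report nmap writes with -oX and lists every NSE script result by host and port, so the output of a --script=... run can be triaged programmatically instead of read by eye. The XML embedded below is a constructed sample in the shape of nmap's -oX format, not a real scan; the script ids it uses (ssh-hostkey, http-title, http-methods, smb-os-discovery) are real NSE scripts, but their outputs here are made up, and 192.0.2.10 is a documentation-range address.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of nmap's -oX report, trimmed to the elements
# this parser reads.  Not a real scan result; 192.0.2.10 is a documentation address.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -v --script=default,safe -oX scan.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh"/>
        <script id="ssh-hostkey" output="2048 aa:bb:cc:dd (RSA)"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http"/>
        <script id="http-title" output="Welcome"/>
        <script id="http-methods" output="Supported Methods: GET HEAD POST OPTIONS TRACE"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed"/>
      </port>
    </ports>
    <hostscript>
      <script id="smb-os-discovery" output="OS: Windows XP (Windows 2000 LAN Manager)"/>
    </hostscript>
  </host>
</nmaprun>
"""

def parse_script_results(xml_text):
    """One dict per NSE result: host address, "port/proto" (None for host scripts), script id, output."""
    results = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        for port in host.findall("./ports/port"):
            label = f'{port.get("portid")}/{port.get("protocol")}'
            for script in port.findall("script"):
                results.append({"host": addr, "port": label,
                                "script": script.get("id"), "output": script.get("output", "")})
        for script in host.findall("./hostscript/script"):   # scripts that run once per host
            results.append({"host": addr, "port": None,
                            "script": script.get("id"), "output": script.get("output", "")})
    return results

def count_by_script(results):
    """How many hosts/ports each script produced output for: a quick sanity check of a run."""
    return Counter(r["script"] for r in results)

def find_output(results, script_id, needle):
    """Triage helper: results of one script whose output mentions a keyword,
    e.g. http-methods results that list TRACE, which hardening guides say to disable."""
    return [r for r in results if r["script"] == script_id and needle in r["output"]]

if __name__ == "__main__":
    found = parse_script_results(SAMPLE_NMAP_XML)
    for r in found:
        print(f'{r["host"]} {r["port"] or "host"} {r["script"]}: {r["output"]}')
    print(dict(count_by_script(found)))
```

Run a real scan with -oX scan.xml and pass the file contents to parse_script_results; the per-port and per-host split matters because host scripts such as smb-os-discovery carry no port element, and a parser that only walks ports silently drops them.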

However, it will not be too long before we see NMAP as a full-blown vulnerability scanner, as powerful as or more powerful than Nessus.

Need all your comments.

Thanks

Nitin Kushwaha

CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL

Laser Printer dots raise privacy concerns

Now you're able to be tracked by your laser printer.

By Thomas Frank, USA TODAY

WASHINGTON — The affordability and growing popularity of color laser printers is raising concerns among civil liberties advocates that your privacy may not be worth the paper you’re printing on.

More manufacturers are outfitting greater numbers of laser printers with technology that leaves microscopic yellow dots on each printed page to identify the printer’s serial number — and ultimately, you, says the San Francisco-based Electronic Frontier Foundation, one of the leading watchdogs of electronic privacy.

The technology has been around for years, but the declining price of laser printers and the increasing number of models with this feature is causing renewed concerns.

The dots, invisible to the naked eye, can be seen using a blue LED light and are used by authorities such as the Secret Service to investigate counterfeit bills made with laser printers, says Lorelei Pagano, director of the Central Bank Counterfeit Deterrence Group.

Privacy advocates worry that the little-known technology could ensnare political dissidents, whistle-blowers or anyone who prints materials that authorities want to track.

“There’s nothing about this technology that limits its application to counterfeit investigations,” says Seth Schoen, a computer programmer with the Electronic Frontier Foundation. “Some people who aren’t doing anything wrong may have their privacy threatened.” Schoen’s tests have found the dots produced by 111 color laser printers made by 13 companies including Xerox, Canon, Hewlett-Packard, Epson and Brother.

The dots are produced only on laser devices and not ink-jet printers, which are most commonly used at home. But laser printers, which produce more durable images, are becoming increasingly popular as their price has dropped to as low as $300, says Angele Boyd, a vice president of IDC Research.

Although laser printers made up only 4% of the 33 million printers sold last year in the USA, their sales have been growing by double digits since 2004, Boyd says.

The technology began as laser printers were first produced in the mid-1980s and governments and banks feared an explosion of counterfeiting, Xerox spokesman Bill McKee says. “In many cases, it is a requirement to do business internationally that the printers are equipped with this technology,” McKee says.

The dots tell authorities the serial number of a printer that made a document. In some cases, it also tells the time and date it was printed, Pagano says. “The Secret Service is the only U.S. body that has the ability to decode the information,” she says.

Printer makers “cooperate with law enforcement” and will tell authorities where a printer was made and sold, McKee says.

The Secret Service uses the dots only to investigate counterfeiting, agency spokesman Ed Donovan says.

Need all your comments.

Thanks

Nitin Kushwaha

CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL

Hi all,

Here is something which is really The Good, the Bad and the Ugly for developers, IT guys and the forensics community!

Read on!

Application Isolation and DLL Hell

VMware ThinApp (Formerly Thinstall) allows applications to run without any modification to the host PC’s registry or file system. Other applications running on the same PC will not be aware of virtualized applications, so regression testing can be eliminated or drastically reduced.

Much of the cost for application deployment relates to testing new applications against other applications deployments. Some other Virtualization solutions make registry and file system changes virtual to the entire system temporarily or permanently, so regression testing continues to be needed and application roll-outs still have the possibility for breaking other applications on the desktop.

ThinApp enables conflict free installation of any program on any Windows platform. Applications that require DLL or ActiveX components can experience installation and runtime problems due to corrupt computers or locked down administrator rights. ThinApp enables any application to run conflict free regardless of the state of the host computer.

ThinApp benefits include:

  • Reduce desktop support costs. When installing commercial software on computers ‘in the wild’, installation conflicts are one of the top 3 issues requiring an expensive support call.
  • Eliminate all installation conflicts. With ThinApp, all registry keys, DLLs and third party libraries are packaged into a single, compressed EXE. Other applications, Windows upgrades, or registry key deletions, OS corruptions will not affect a ThinApp packaged application.
  • Eliminate the need for administrator rights. Because software is not installed, administrator rights are not required to run a ThinApp packaged application. This is key when running applications in a corporate locked down desktop environment or home computers that don’t know how to access administrator capability. Additionally, OCX and ActiveX components do not need to be registered.
  • Run directly from any media. ThinApp packages all code components into a single EXE so that the application can be run directly from a CDROM, USB key, or network, without requiring installation.
  • A positive out of the box experience. ThinApp insures a successful first time end user experience for your product.

Source:-http://www.thinstall.com/solutions/dll_hell.php

http://www.vmware.com/products/thinapp/using.html

Now, if you have read it all, it is time to find out what exactly

"The Good, the Bad and the Ugly" is??

Need all your comments.

Thanks

Nitin Kushwaha

All,

Many a time we need to make changes to documents, or even fill in online documents which are in MS Word and have read-only protection in place,

So here is how to bypass, or unlock, them.

If you are using Office XP or 2003, you can switch the view to the HTML code using Microsoft Script Editor by pressing the [Alt]+[Shift]+[F11] key combination.

Search for "Password", or scroll down until you find something like this:

DocumentProtection>Forms
UnprotectPassword>60B9DAE3

To remove the protection:
Just remove those two lines; after saving the document, the protection is gone.

To remove the password:
Replace the password, here "60B9DAE3", with "00000000", save the document and close the Script Editor.

Hope this helps.

Thanks

Nitin Kushwaha

All,

Here is a trick if you work on a shared PC which has the Netscape Navigator browser installed and it asks you for a password to log in: if you don't have that password, or you want to just hack in, or have forgotten the password, then you can get in by following the steps below:-

1>Browse to the location
C:\Documents and Settings\Administrator\Application Data\Netscape\NSB

2>open Profiles.ini

3>RequiresPasswordToLogin=xyzdfjggg

4>change it to either RequiresPasswordToLogin=0

Or leave it blank

RequiresPasswordToLogin=

And you're done.

In the same way you can remove the password from any password-protected profile in the Netscape browser.

Hope this helps.

Thanks

Nitin Kushwaha

RBF Files

June 1, 2008

All,

Many a time, we all face some issues with the Config.Msi folder and RBF files.

Well, the CONFIG.MSI folder is a hidden folder on the root of the Windows drive, usually drive C. This folder is used by the Windows Installer process during the installation of software.

It saves files with the extensions .RBS and .RBF.

These are rollback script files, used by the installer to undo recent changes if an install fails somewhere along the way (at a checkpoint).
The rollback script file (.rbs) is always stored in the Config.msi folder on the disk where the OS is installed.
The .rbf files are stored in the Config.msi folder located on the disk where the program being backed up currently resides.

It is commonly misunderstood that the above are created ONLY during MS Office installations; however, these files are created whenever any scripted installation is carried out with Windows Installer as the worker.

Hope this helps.

Thanks

Nitin Kushwaha

Vista Re-Armed!

June 1, 2008

The Vista activation period can be extended using the following trick, provided it has not been activated online:

Step 1: Browse through REGEDIT to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL

Step 2: Right-click the registry value named SkipRearm and click Edit.

The default is a DWORD (a double word, or 4 bytes) with a hex value of 00000000. Change this value to any positive integer, such as 00000001, save the change, and close the Registry Editor.

Step 3: Start a command prompt with administrative rights. The fastest way to do this is to click the Start button, enter cmd in the Search box, then press Ctrl+Shift+Enter. If you’re asked for a network username and password, provide the ones that log you into your domain. You may be asked to approve a User Account Control prompt and to provide an administrator password.

Step 4: Type any one of the following two commands and press Enter:

rundll32 slc.dll,SLReArmWindows
or
slmgr -rearm

Either command uses Vista’s built-in Software Licensing Manager (SLMGR) to push the activation deadline out to 30 days after the command is run.

Changing SkipRearm from 0 to 1 allows SLMGR to do this an indefinite number of times. Running either command initializes the value of SkipRearm back to 0.

Step 5: Reboot the PC.

After you log in, if you like, you can open a command prompt and run the command slmgr -xpr to see Vista's new expiration date and time.

Hope this helps.

Thanks

Nitin Kushwaha