Friday, April 23, 2010

Links...and whatnot

There seems to be a theme to this post...something along the lines of accessing data through alternate means or sources...and whatnot...

Blog Update
- Mounting EWF files on Windows
Over in the Win4n6 Yahoo group, a question was posted recently regarding mounting multiple (in this case, around 70) .E0x files, and most of the answers involved using the SANS SIFT v2.0 Workstation. This is a good solution; I had posted a bit ago regarding mounting EWF (Expert Witness Format, or EnCase) files on Windows, and Bradley Schatz provided an update, removing the use of the Visual Studio runtime files and using only freely available tools, all on Windows.

Speaking of freeware tools, if you're using ImDisk, be sure to get the updated version, available as of March of this year. There have been some updates to allow for better functionality on Windows 7, etc.

Also, FTK Imager (as well as the Lite version) is up to version 2.9.

...Taking Things A Step Further...
If you've got segmented image files, as with multiple .E0x or raw/dd format .00x files, and you want to get file system metadata for inclusion in a timeline, you have a number of options available to you using freely available tools on Windows.

For the raw/dd format files, one option is to use the 'type' command to reassemble the image segments into a full image file. Another option, whether you've got a VMware .vmdk file or an image composed of multiple EWF or raw/dd segments, is to open the image in FTK Imager. Once the image is open and you can see the file system, you can (a) re-acquire the image to a single, raw/dd format image file, or (b) export a directory listing.

You can also use FTK Imager to export file system metadata from live systems, but this can be a manual process, as you have to add the physical drive via the GUI, etc. This process may be a bit more than you need. To meet the needs of a live IR script, I created a CLI tool called mt.exe (short for MACTimes) that is a compiled Perl script. Mt.exe will get the MAC times of files in a directory, can recurse through subdirectories, will also get MD5 hashes (it gets the MAC times before computing a hash) for the files, and has the option to output everything in TSK v3.x bodyfile format. I plan to use this to get file listings for specific directories, in order to optimize response and augment follow-on analysis.
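As an added illustration of the same idea (this is not the author's mt.exe, just example code written for this post), here is a small Python script that walks a directory, reads each file's timestamps before hashing it, and emits TSK v3.x bodyfile lines; it assumes a directory path as its only argument and falls back to a constructed sample directory when run without one.

```python
import hashlib
import os
import stat
import sys
import tempfile

def md5_of_file(path, chunk=1 << 20):
    """Hash in chunks so large files are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def bodyfile_line(name, md5, st, crtime):
    """TSK 3.x bodyfile record: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime,
    with timestamps as integer Unix epoch seconds."""
    return "|".join([md5, name, str(st.st_ino), stat.filemode(st.st_mode),
                     str(st.st_uid), str(st.st_gid), str(st.st_size),
                     str(int(st.st_atime)), str(int(st.st_mtime)),
                     str(int(st.st_ctime)), str(int(crtime))])

def mac_times(root, recurse=True, hashes=True):
    """Walk root and return bodyfile lines. Each file is stat()'d BEFORE it is
    hashed, because reading it for the hash can update its last-access time."""
    lines = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            st = os.lstat(path)
            # Windows reports creation time in st_ctime; POSIX has no portable
            # birth time, so use 0 when st_birthtime is unavailable.
            crtime = getattr(st, "st_birthtime",
                             st.st_ctime if os.name == "nt" else 0)
            md5 = md5_of_file(path) if hashes and stat.S_ISREG(st.st_mode) else "0"
            lines.append(bodyfile_line(path, md5, st, crtime))
        if not recurse:
            break
    return lines

def demo():
    """Constructed sample: one small file in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "sample.txt"), "wb") as f:
            f.write(b"constructed sample content\n")
        return mac_times(d)

if __name__ == "__main__":
    print("\n".join(mac_times(sys.argv[1]) if len(sys.argv) > 1 else demo()))
```

The output can be fed straight into mactime from TSK 3.x to build the timeline; note that the ctime column means "metadata change" on POSIX but "creation" on Windows, so label the column accordingly when merging sources.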

Into The Shadows
Lee Whitfield posted his SANS EU Forensics Summit presentation, Into The Shadows, for your listening/viewing pleasure. In the presentation, Lee presents what he refers to as "the fourth way" to analyze Volume Shadow Copies. Watching the video, it appears that Lee is deciphering the actual files created by the Volume Shadow Service, and using that information to extract meaningful data.

You should also be able to work with Volume Shadow Copies as we discussed earlier, but like Lee says (and was mentioned by Troy Larson), if you're going to image the entire VSC, you're going to need to have additional space available. However, what if you were to mount the VSC in question and only extract selected files? Sure, this would require knowledge of what you were attempting to achieve and how you'd go about doing it, but you wouldn't require the additional space, and you would still have the VSC available to be mounted later, if need be.

EVTX Parsing
SANS has postponed the Forensics Summit in London due to the Krakatoa-like volcanic eruption that has been obscuring the airspace over Europe. As such, Andreas has posted his slides regarding Vista (and above) Event Log format. Very cool stuff, and very useful.

Finally, Christa pointed me to an interesting article at CSOOnline about how fraud is no longer considered by banks and financial institutions to be just a cost of doing business. Very interesting, and it demonstrates how incident preparation, detection, and response are becoming more visible as business processes.

From that article, I found a link to another article, this one discussing the basics of incident detection, response and forensics with Richard Bejtlich. Very much well worth the read...
