It's been a while since I posted a list of links and resources from across the Internet. I thought that since things have been quiet toward the end of 2010, I'd post some of the things I'd run across and found interesting...so, here goes...
GSD
Looks like Claus is back with an interesting update to his site. Claus hasn't been updating his site as much as he had done in the past, but it is always good to see is posts. A lot of what Claus posts that is oriented toward forensics is from an admin's perspective, which is great for a guy like me...I'm not an admin (nor do I play one on TV), so I often find that it's good to get a reminder of the admin's perspective. Besides, Claus always seems to be able to find the really good stuff...
One of the interesting things I found in Claus's post was the mention of a new mounting tool, OSFMount, for mounting images. I find it useful to be able to do this, and have been using FTK Imager 3.0. Claus also mentions in his post that ImDisk was updated recently...like OSFMount, it comes with a 64-bit version, in addition to the 32-bit version.
So, what does this tell us about image mounting tools? There are several other free and for-pay tools, some of varying quality, and others with vastly greater capabilities. So why does it seem that there's an increase in the number of tools that you can use to mount images? After all, you can use LiveView to convert a raw dd image to a vmdk and open it in VMPlayer, or you can use vhdtool to convert a raw dd image to a vhd and open it in MS's Virtual PC, which is freely available.
eEvidence
I watched for a long time and didn't see any updates for a while...while I wasn't watching, Christine updated the e-Evidence.info site with a lot of great reading material back in November. This site has always been a great source for information.
VSS
Based on a link from the e-Evidence site, I did some reading about mounting images, and accessing and recovering data from Volume Shadow Copies. The first resource I looked at was from QCCIS.com; the whitepaper provides an explanation of what the Volume Shadow Service does, and provides a simple example (albeit without a great deal of exacting detail) of mounting and extracting data from shadow copies. This is a good way to get started, and I've started looking at ways to implement this...so far, I've used Windows 7 Professional 64-bit as a base system, mounted an image (with FTK Imager 3.0) that includes a Vista 32-bit volume, and not been able to access the shadow copies. I'll be trying some different things to see if I can mount images/volumes in order to access the Volume Shadow Copies.
Malicious Streams
This site isn't strictly Windows-oriented...in fact, it's decidedly focused on MacOSX. However, Malicious-streams.com contains information about PDF malware, a bit of code geared toward Windows systems, and some good overall reading. Also, the author is working on a version of autoruns for MacOSX and I hope that this gets released as a full version early this year, as it would be a great way to start things off in 2011.
Resources
Derek Newton's list of Forensic Tools
Open Source Digital Forensics Site
LNK Parser written in Python
This hurts. For three years I have been talking to you about VSS and you don't look at it until you come across a recent link?
ReplyDeleteTroy
Troy,
ReplyDeleteI, like everyone else, am using what you've talked about...but when you talked about it, FTK Imager 3.0 wasn't available. Nor were some of the other tools that are available now. And, I don't have access to EnCase PDE.
Are the rumors true? Have you gone emo? Seriously?
Emotions are for sissies. I am all about the science.
ReplyDeleteFTK 3.0 Imager will not work to view images as the obfuscation produces a [root] directory. This is not normal but it helps in analysis as windows doesn't recognize it and therefore doesn't apply security properties to the files. Honestly, ImDisk would probably produce better results than Imager 3.0.
ReplyDeleteI slight modify the paper's methodology as it unnecessarily might change the evidence as it is in persistent mode which can leave changes to the drive. Ive been using a combination of raw disk imaging and IMlive.
1. Convert the image to a vmdk using ImLive
2. Load it into an existing Win7 machine (Add Hard Drive -> Existing VMDK)
3. Ensure the new drive is in non-persistent mode to ensure evidence integrity is maintained and md5sums match. (This last piece is key as you do not want to make unnecessary copies of your evidence unless forced to.)
Using VMs and adding the hard drive as a extra drive via converting the hard disk via IMlive and not booting seems to be very adhoc and not the best solution. But it works for now.
--Rob
Rob,
ReplyDeleteThanks for the comment.
You mentioned "ImLive" twice...do you have a link?
ACK!! Not enough coffee today. ImDisk + Liveview = accidental amalgam ImLive.
ReplyDeleteI slight modify the paper's methodology as it unnecessarily might change the evidence as it is in persistent mode which can leave changes to the drive. Ive been using a combination of raw disk imaging and LIVEVIEW
1. Convert the image to a vmdk using LIVEVIEW
2. Load it into an existing Win7 machine (Add Hard Drive -> Existing VMDK)
3. Ensure the new drive is in non-persistent mode to ensure evidence integrity is maintained and md5sums match. (This last piece is key as you do not want to make unnecessary copies of your evidence unless forced to.)