24.2 Processing

The data processing methodology discussed in Larson (2001) involves several steps to reduce the number of files that require further analysis and convert unreadable data into a readable form. We will focus on a basic set of procedures.

24.2.1 DOS/Windows Command Line - Maresware

The command line is not dead. In fact, it remains a powerful tool in the examiner's arsenal. Command line tools enable examiners to perform very specific, auditable tasks. Additionally, by scripting a series of commands together, examiners can create very powerful batch files to automate a substantial portion of evidentiary processing, thereby increasing productivity while reducing the chances of human error during routine tasks. Additionally, the output of command line tools, like Maresware, can be readily used as input to other tools without the need for reformatting the data. Far from being an anachronism, the command line provides the examiner a means to reduce overall processing time and to reduce the chance of human error.

24.2.1.1 Generate File Lists and Hash Values

Before filtering out irrelevant and unwanted data, capture the initial state of the source data to ensure that you have a baseline that can be used as a point of reference to check all subsequent processing for accuracy. To capture the initial state of the data with a command line tool, the examiner generates a comprehensive list of all the files in the source data, along with associated information such as: long and short file names, extensions, last written or modified dates and times, created dates and times, last accessed dates and times, logical sizes, file paths, and file hash values.

The following command line uses Maresware's hash program to produce a list of all files on a given volume:

    hash -p [source drive] -o [Work drive]:\Accounting\[case name or number].txt -i    -v -S -w 160 -A -1 acct-ing 

The examiner can easily turn this command into a simple, reusable batch file with three arguments: source drive containing evidence; case number; and working drive.[2]

    @echo off
    rem  Usage: [batch file name].bat source-drive case-number-or-name Working-drive
    rem  Example: hasher.bat D NewCase001 d
    echo.
    echo  Generating file list for %2. Source drive is %1:\. File list will be written to %3:\Accounting\%2.txt.
    hash -p %1:\ -o %3:\Accounting\%2.txt -i -v -S -w 160 -A -1 acct-ing
    echo   Done. File list %2.txt created at %3:\Accounting\
    echo.

These command line options instruct hash to process the specified volume (-p) immediately (-i) with no verbose headers (-v), placing the resulting list of hashes, all three file times (-A), and any Alternate Data Streams (-S) in an output file (-o), with file names limited to 160 characters (-w 160). Limiting file names to 160 characters facilitates later comparison by maintaining a constant field width, that is, 242 characters on each line. The acct-ing file contains a record of the command options and when the list was generated. Other commands will append to this accounting file throughout this procedure, and it should be moved to \Accounting when the entire process is complete.

Depending on the examiner's needs, it may also be necessary to recover deleted files into \Prepare\special\deleted and then to generate a file list as described above.

24.2.1.2 Recover File Slack and Unassigned Clusters

Recover unallocated space into \Prepare\pcluster directory and slack space into \Prepare\pslack directory (e.g. using NTFSGETS and NTFSGETF from NTI).

Examine unallocated space and extract relevant information into \Review\rcluster. For instance, you may want to carve out graphics, documents, e-mail, and other files/fragments of interest using a command line tool such as NTI's Graphics File Extractor. Similarly, extract relevant information such as readable text from slack space and place in \Review\rslack.

24.2.1.3 Remove Duplicate, Known, and Other Unnecessary Files

Before removing duplicates and files with certain extensions, heed the cautionary discussion in Chapter 2 of the Handbook. Also, before removing files with certain extensions, identify file extension/signature mismatches using diskcat +h sigs.fle and move them to the \Prepare\special\sigmismatch directory. For instance, the following list of files with a .GIF extension shows one executable and one unknown (UNK) file that require further inspection:

    D:\>diskcat -p d:\evidence -r -f *.gif +h reference.fle
    Program started Fri Oct 25 13:05:00 2002 GMT, 09:05 Eastern Standard Time (-5*)
    D:\evidence\diskcat.gif                      135368 A.....    exe
    D:\evidence\keykatch.gif                      19042 A.....    gif
    D:\evidence\rpsort.gif                        18597 A.....    UNK
    D:\evidence\unknown.gif                        2135 A.....    gif
    D:\evidence\xtacacs.gif                        6522 A.....    gif
    Processed 5 files, 181,664 bytes: Elapsed: 0 hrs. 0 mins. 0 secs.

The following sample batch file moves duplicate files to \duplicates and eliminates known and unnecessary files using upcopy. In this example, known files are identified using the Hashkeeper hash set:[3]

    @echo off
    set ACCT = ON
    echo Generating hash list for \%2 on drive %1:\
    hash -p %1:\ -o %3:\hashes\%2 -i -v -S -w 160 -1 acct-ing
    echo Removing duplicates
    hash_dup -i %3:\hashes\%2 -o %3:\hashes\%2.dup -m -1 acct-ing
    upcopy -S %3:\hashes\%2.dup -d %3:\duplicates -m -i -v -E -R -A > %3:\Accounting\dupcopy.log
    echo Sorting hash list
    rpsort %3:\hashes\%2.dup %3:\hashes\%2.srt /F242 /+ 171:32
    sortchek %3:\hashes\%2.srt -r 242 -p 170 -l 32
    echo Comparing hash list with hashkeeper database
    compare hk_pfix.srt %3:\hashes\%2.srt %3:\hashes\%2.out compare.par -u -A
    echo Extracting the names of known files from the hash list
    filbreak %3:\hashes\%2.out %3:\working\%2.fle match.brk -A
    echo Copying desired files listed in %3:\hashes\%2.fle to %3:\review\rfiles
    upcopy -S %3:\hashes\%2.fle -d %3:\review\rfiles -m -A -x *.exe *.dll *.com *.hlp *.pst *.ini *.inf *.mp3 *.drv *.fon *.ocx *.swp *.sys *.vxd

All of the commands in this batch file are from Maresware.com except rpsort, which is available from Simtel.net.[4] The hk_pfix.srt file is a text version of the Hashkeeper database created using the Maresware lbatch scripts. The compare.par and match.brk files are configuration files for compare and filbreak, respectively. The format of every Maresware configuration file is described in the help file for the associated tool.

As a final step, the above batch file moves remaining files to the review directory for further examination.
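As an added illustration (not from the book, Maresware, or any tool the chapter describes), the following Python script performs the same triage the batch files above automate: it builds a baseline file list with MD5 hashes, flags extension/signature mismatches using a small magic-byte table, and then buckets duplicates, hash-set matches and mismatches before handing the remainder to review. The signature table, the "known" hash set and the evidence files in demo() are all constructed for this example.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed magic-byte table (leading bytes -> type); real signature files are far larger
SIGNATURES = {b"GIF87a": "gif", b"GIF89a": "gif", b"MZ": "exe", b"%PDF": "pdf"}
KNOWN_LABELS = set(SIGNATURES.values())

def identify(head: bytes) -> str:
    # Type label for the leading bytes, or UNK as diskcat reports it
    return next((t for m, t in SIGNATURES.items() if head.startswith(m)), "UNK")

def md5_file(path: Path) -> str:
    h = hashlib.md5()  # MD5 so the list lines up with the EnCase/Maresware hash sets on this page
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def file_list(root: Path) -> list:
    # Baseline list: relative path, size, MD5, extension, signature and mismatch flag
    rows = []
    for p in sorted(q for q in root.rglob("*") if q.is_file()):
        with open(p, "rb") as f:
            sig = identify(f.read(8))
        ext = p.suffix.lstrip(".").lower()
        rows.append({"path": p.relative_to(root).as_posix(), "size": p.stat().st_size,
                     "md5": md5_file(p), "ext": ext, "sig": sig,
                     "mismatch": ext in KNOWN_LABELS and sig != ext})
    return rows

def triage(rows: list, known: set) -> dict:
    # Bucket in the batch file's order: duplicates, known (hash set), signature mismatches, review
    seen, out = set(), {"duplicates": [], "known": [], "sigmismatch": [], "review": []}
    for r in rows:
        bucket = ("duplicates" if r["md5"] in seen else "known" if r["md5"] in known
                  else "sigmismatch" if r["mismatch"] else "review")
        out[bucket].append(r["path"])
        seen.add(r["md5"])
    return out

def demo() -> dict:
    # Constructed evidence tree modelled on the diskcat listing above, written to a temp dir
    root = Path(tempfile.mkdtemp())
    files = {"keykatch.gif": b"GIF89a" + b"\x01" * 9, "keykatch2.gif": b"GIF89a" + b"\x01" * 9,
             "diskcat.gif": b"MZ\x90\x00", "rpsort.gif": b"\x00\x11", "notes.txt": b"hi", "tool.exe": b"MZ-known"}
    for name, data in files.items():
        (root / name).write_bytes(data)
    known = {hashlib.md5(files["tool.exe"]).hexdigest()}  # stands in for a Hashkeeper/NSRL set
    return triage(file_list(root), known)
```

The review bucket is what would be copied to \Review\rfiles; the other three buckets correspond to \duplicates, the known-file exclusions and \Prepare\special\sigmismatch.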

24.2.2 Windows GUI - EnCase

Prior to filtering data using EnCase, verify the integrity of the evidence files and update the known hash files using the Hash Sets option on the Tools menu. Also, to avoid cross contamination between cases, verify that no unwanted hash sets from previous examinations are selected. Then use the search routine to compute MD5 values of all files and identify file extension mismatches as shown in Figure 24.1 (a) and (b) (no keywords are required).

Figure 24.1: (a) Hash set organizer using the NIST NSRL hash set (http://www.nsrl.nist.gov/). (b) Calculate MD5 values and identify file extension mismatches.

24.2.2.1 Generate File Lists and Hash Values

To create a list of files with their properties, choose the Export option on the Edit menu to launch the Export dialog box and select the properties that you desire as shown in Figure 24.2.

Figure 24.2: Exporting a file list using EnCase.

Although EnCase automatically recovers some deleted files, forensic examiners may also need to recover deleted directories and associated files from unallocated space into \Prepare\special\deleted and then to generate a file list as described above.

24.2.2.2 Recover Slack and Unassigned Clusters

To export slack using EnCase, tag the entire drive, right click on the Table view, choose Copy/Unerase, and select options to save RAM and Disk Slack to a file as shown in Figure 24.3 (a) and (b).

Figure 24.3: Exporting slack space using EnCase.

To export the contents of unassigned clusters, select the Unallocated Clusters in the Table view and save to \Prepare\pcluster using Export/Copy. You can extract various types of data from unallocated space using EnCase Escripts available at the EnScript library.[5]

24.2.2.3 Remove Duplicates, Known, and Unnecessary Files

While hashing files as described at the beginning of this section, EnCase updates the Hash Value and Hash Set fields in the Table view. By sorting on Hash Set, you can identify all unknown files by an empty Hash Set field. Tag all unknown files with a check mark in the Table View, dual sort the file list with the primary sort on tagged and the secondary sort on File Signature, and untag unwanted file types by signature. Finally, dual sort with the primary sort on tagged and the secondary sort on extension as shown in Figure 24.4, and untag the unwanted files by extension (e.g. com, dll, drv, exe, sys, vxd), heeding the cautionary discussion in Larson (2001).

Figure 24.4: EnCase Table view sorted first by tagged files and then by file extension.

Untag file system artifacts that are unwanted or have already been exported. For instance, when dealing with FAT, deselect the boot sector, volume boot sector, unused disk area, and file allocation tables. An EnCase Escript available at the EnScript Library can be used to identify and bookmark duplicates. These duplicates can be untagged to exclude them from the list of files to be reviewed and can later be exported into \duplicates if needed.

Copy the remaining tagged files into the \Review\rfiles directory on the working drive and export a list of these files to the \Accounting directory to document your work. Consider saving the hash set of this data set for future reference (e.g. to identify duplicate files on other media). Additional hash sets for EnCase are available at http://www.encase.com/support/resources_hashsets.shtml.

24.2.3 Windows GUI - FTK

When adding evidence to a case in FTK, select the option to calculate file hashes and perform the Known File Filter (KFF) comparison as shown in Figure 24.5.

Figure 24.5: Calculate hash values of files and identify known files when adding evidence to FTK.

24.2.3.1 Generate File Lists and Hash Values

While viewing all files in FTK, you can create a file list using Copy Special on the Edit Menu and selecting the desired fields as shown in Figure 24.6. The list will be placed in the Clipboard and can be pasted into any application.

Figure 24.6: Export a list of files with associated properties.

24.2.3.2 Recover Slack and Unassigned Clusters

FTK provides a number of filtering options, including a Slack/Free Space button on the main screen that will provide a list of file slack, file system (volume) slack, and unallocated space as shown in Figure 24.7.

Figure 24.7: Exporting unallocated space using FTK.

To export the contents of any of these objects, right click and select Export File and save to \Prepare\pslack. You can extract various types of data from unallocated and slack space using tools such as DataLifter, as shown in Figure 10.6.

24.2.3.3 Remove Duplicates, Known, and Unnecessary Files

Filtering capabilities are built into FTK in the form of a File Filter Manager, enabling you to select which types of files to exclude. For instance, Figure 24.8 shows File Filter Manager configured to ignore duplicate files, files with signature/extension mismatches, and known files identified by KFF. Care must be taken when configuring the File Filter Manager since one option, such as Other Known Files, can exclude many files that you actually want (e.g. index.dat).

Figure 24.8: FTK File Filter Manager.

Click on the Filtered button on the main FTK screen and then uncheck file system artifacts that are unwanted or have already been exported. For instance, when dealing with FAT, deselect the boot sector, volume boot sector, unused disk area, and primary and secondary FAT. Copy the remaining checked files into the \Review\rfiles directory on the working drive and export a list of these files to the \Accounting directory to document your work.

[2]The How-To of batch files in general is well beyond the scope of this paper. A good, current reference for the Windows NT/2000/XP command line is Brian Knittel, Windows XP Under the Hood: Hardcore Windows Scripting and Command Line Power (Que 2003) and

[3]http://www.hashkeeper.org/

[4]http://www.simtel.net/pub/pd/51643.shtml

[5]http://www.encase.com/support/escript_library.shtml

Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279