Today in the news: two people in the UK were convicted for not providing law enforcement with the encryption key to their data.
Since October 2007, UK citizens have been required by law to hand over the encryption key to their scrambled data under section 49… The current investigations were related to “counter terrorism, child indecency and domestic extremism”. Of course, these are all unpleasant matters that one would rather not see happening at all.
However, what if you have TrueCrypt on your machine? As most of you know, TrueCrypt provides several encryption features, from a single container file to full disk encryption, even including the operating system partition. This is all handy and nice when you want to prevent access to your personal information in case your laptop or other device gets stolen. The problem is that within a TrueCrypt volume a hidden volume can be created.
Part two of the Tableau vs. EnCase issues log…
The previous article described issues with EnCase showing drives as write-locked while in fact they are not.
The next issue with the T335 Forensic Bay has little to do with EnCase.
When mounting an IDE (ATA) drive in the Tableau Forensic Bay T335, the bay has to cut and re-establish its connection to the host for the IDE drive to be recognized.
This all goes well when SATA drives and other USB-attached storage devices are mounted as well; no issues have come up.
When trying to image multiple IDE drives you need additional write blockers, as the T335 only has one IDE slot, and this is where the problem arises.
When hooking up the second (ATA) drive to a T14 Tableau write blocker, it again, as with the T335, has to cut the host connection in order to recognize the drive.
However, the T14, like the T335, cuts off all host connections on FireWire. The result is that if you are imaging a drive at that moment, the imaging is terminated.
I just stumbled upon something weird, and rather concerning, yesterday.
You all probably know the Tableau Forensic Bays, the nice docking stations that allow you to write-block a drive, etc.
The new version of EnCase has native support for detecting the Tableau write blockers.
This support is quite nice because you can immediately see whether a drive is write-blocked or not.
Yesterday I used the T335 Forensic Bay to make a quick image of a drive with EnCase.
My setup was: the SATA2 tray is write-locked and the SATA1 tray is NOT write-locked, as it contains the target drive for my EnCase image.
However, when adding the device in EnCase, it showed ALL drives in my T335 Forensic Bay as write-blocked, while only one of the two actually was…
I got quite concerned about this and I am wondering if other people have the same experience.
In response, Guidance Software has created an issue record for it and will adjust EnCase accordingly. The issue has to do with the DLL that EnCase uses to detect and interpret whether a write block is active. As you may notice, this does not work fully yet, so I'm wondering whether it would behave the same for other devices…
BackTrack 4 is the latest Linux distro from Remote-Exploit.org.
A nice piece of software, either for a standalone installation, a DVD, or as a virtual machine.
It has all the tools required for penetration testing. It provides a nice and relatively easy way to get into the subject if you are not too familiar with it yet.
A nice way to work with it is using VMware Workstation; it has three simple commands, shown at startup, to get going.
The current beta 4 is based on Ubuntu and has a somewhat improved user interface, making some things a lot easier with this GUI rather than just a command line… (Of course, you never use a GUI….)
Apart from their BackTrack Linux distros they also have some other nice tools available for free!
Of course, these tools are for test purposes only….
I recently had a problem collecting data from iPhone backup files (the sync history) from a machine, not from the iPhone itself.
In these sync history files you can find contacts, SMS history, browser history and some other information.
I came across a nice article; I think it is worth pointing this out since the iPhone is getting more and more popular…
The iPhone sync backup files are known as *.mdbackup; you can read them using Notepad or something similar. However, this is not preferable, as they read rather awkwardly.
Furthermore, analysis of the raw mdbackup files and, for example, comparing phone numbers to another database is annoying.
Fortunately I came across the following:
This conversion goes through the following phases:
1. Export the *.mdbackup files from the custodian's machine;
2. Install a copy of the Perl software, to run the scripts available;
3. Copy the Perl script bkupextract.pl to the folder where you exported the *.mdbackup files to;
4. Copy SQLite3.exe to the folder where you exported the *.mdbackup files to;
5. Rename the *.mdbackup files to 1.mdbackup, 2.mdbackup, etc., depending on the number of *.mdbackup files you have. Renaming them makes using the command line Perl script a lot easier, as "871297238746234.mdbackup", for example, is a possible file name;
6. Run the Perl script bkupextract.pl with the following command line:
perl -w bkupextract.pl *mdbackup
The script provides a dump of the information within the *.mdbackup file.
7. The Perl script has exported one or more *.db files. These DB files are SQLite3 database files, from which a "dump" can be made, allowing the information to be loaded into a multitude of database systems.
8. In order to create a database dump, use SQLite3.exe with the following command line (for each .db file in turn): echo ".dump" | sqlite3.exe *.db > *.txt
There is now a *.txt file, with the same name as the DB file, in the folder.
9. Now that the extraction is complete, the *.txt files can be loaded into a database system that supports SQLite3, or converted to, for example, MySQL, for further review and analysis.
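As an added illustration of steps 7 to 9 and of the phone-number comparison mentioned above (this is not code from the original post, nor from the bkupextract.pl script): Python's sqlite3 module can produce the same text dump as `echo ".dump" | sqlite3.exe`, and once numbers are normalized to one form, the contacts in an exported backup database can be cross-matched against a case database. The table names, columns and records below are constructed for the example and are not the real backup schema; the default country code 44 used for national numbers is an assumption.

```python
import os
import re
import sqlite3
import tempfile


def dump_sql(db_path):
    """Text dump of a SQLite database, the equivalent of `echo .dump | sqlite3 file.db`."""
    con = sqlite3.connect(db_path)
    try:
        return "\n".join(con.iterdump()) + "\n"
    finally:
        con.close()


def normalize_number(raw, default_country="44"):
    """Strip formatting and express a number as country code + subscriber digits,
    so '07700 900456', '+44 7700 900456' and '447700900456' compare equal.
    The default country code is an assumption made for the sample data."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return digits                        # already in international form
    if digits.startswith("00"):
        return digits[2:]                    # 00 = international dialling prefix
    if digits.startswith("0"):
        return default_country + digits[1:]  # national trunk prefix
    return digits


def matching_numbers(backup_db, reference_db):
    """Numbers present in both databases after normalization: (number, contact, label)."""
    con = sqlite3.connect(backup_db)
    try:
        backup = {normalize_number(num): name
                  for name, num in con.execute("SELECT name, number FROM contacts")}
    finally:
        con.close()
    con = sqlite3.connect(reference_db)
    try:
        reference = {normalize_number(phone): label
                     for label, phone in con.execute("SELECT label, phone FROM persons_of_interest")}
    finally:
        con.close()
    return sorted((n, backup[n], reference[n]) for n in backup.keys() & reference.keys())


def build_sample_dbs(directory):
    """Constructed stand-ins: these tables are NOT the real iPhone backup schema."""
    backup = os.path.join(directory, "1.db")
    reference = os.path.join(directory, "case_contacts.db")
    con = sqlite3.connect(backup)
    con.executescript("""
        CREATE TABLE contacts(name TEXT, number TEXT);
        INSERT INTO contacts VALUES ('Alice', '+44 7700 900123');
        INSERT INTO contacts VALUES ('Bob', '07700 900456');
        INSERT INTO contacts VALUES ('Carol', '0049 30 1234567');
    """)
    con.close()
    con = sqlite3.connect(reference)
    con.executescript("""
        CREATE TABLE persons_of_interest(label TEXT, phone TEXT);
        INSERT INTO persons_of_interest VALUES ('POI-1', '447700900456');
        INSERT INTO persons_of_interest VALUES ('POI-2', '+49 30 1234567');
        INSERT INTO persons_of_interest VALUES ('POI-3', '+1 555 0100');
    """)
    con.close()
    return backup, reference


def run_demo():
    """Build the sample databases, dump the backup one to 1.txt, and cross-match numbers."""
    workdir = tempfile.mkdtemp(prefix="mdbackup_")
    backup, reference = build_sample_dbs(workdir)
    dump_text = dump_sql(backup)
    with open(backup[:-3] + ".txt", "w") as fh:   # 1.db -> 1.txt, as in step 8
        fh.write(dump_text)
    return dump_text, matching_numbers(backup, reference)


if __name__ == "__main__":
    dump_text, matches = run_demo()
    print(dump_text)
    for number, contact, label in matches:
        print(f"{contact} ({number}) matches {label}")
```

The normalization step is what makes the comparison workable: without it, '07700 900456' in the backup and '447700900456' in the case database never compare equal, which is exactly the annoyance mentioned above.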
Many of you probably wonder how to perform a proper online investigation when you are not in law enforcement and/or do not have access to Internet taps…
Well, the answer is relatively simple; however, it is not quick…
Start by identifying which websites are of interest, using the following sources:
- Search the dedicated website(s) using the normal search capability of the website itself
- Search within the domain using Google: site:*website.ex*
- Use the Google cache to find additional information
- Search the Internet Archive at http://www.internetarchive.org
- Use any other search means at your disposal, including other search engines, of course, etc.
After you have identified one or more relevant websites, create an offline copy. I personally like http://www.httrack.com; it allows you to add a list of websites, in both .csv and db formats, and it has a lot of other nice and relevant features. Note that it is a good idea to create a logical image of your folder content, using for example FTK Imager.
When the website is completely downloaded, index it using, for example, Google Desktop Search… Or, if you have access to it, use Forensic Toolkit.
Once all that is done, you can search and investigate whatever content you have downloaded locally: make hashes of all files and compare them to those of other websites, identify usernames and profiles, take relevant items back into one or more search engines and social networks, and see if you can find more…
Of course there is more available out there… Try, for example, having a look at the EXIF information of images; this can sometimes be a valuable source of information.
Also note that Photoshop adds some telling details to a file; in case nothing shows up in the EXIF information, just open the file in Notepad and have a quick look.
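As an added example for the last two steps (this is not code from the original post, nor from HTTrack, FTK or Forensic Toolkit): hash every file in two offline website copies and list the byte-identical ones, and walk a JPEG's marker segments to report which metadata blocks it carries, which is the structured version of opening the file in Notepad: an EXIF APP1 segment, an XMP APP1 segment, or the "Photoshop 3.0" APP13 resource block that Photoshop writes. The two mirror directories and the minimal JPEG are constructed inline for the example; the paths are not from the post.

```python
import hashlib
import os
import struct
import tempfile


def hash_tree(root):
    """Map SHA-256 digest -> path (relative to root) for every file below root."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[h.hexdigest()] = os.path.relpath(path, root).replace(os.sep, "/")
    return digests


def shared_files(site_a, site_b):
    """Byte-identical files found in both offline copies, as (path in A, path in B) pairs."""
    a, b = hash_tree(site_a), hash_tree(site_b)
    return sorted((a[d], b[d]) for d in a.keys() & b.keys())


# Metadata-bearing JPEG application segments: (marker byte, payload signature) -> name.
JPEG_METADATA = {
    (0xE1, b"Exif\x00\x00"): "EXIF",
    (0xE1, b"http://ns.adobe.com/xap/1.0/\x00"): "XMP",
    (0xED, b"Photoshop 3.0\x00"): "Photoshop IRB",
}


def jpeg_metadata_segments(data):
    """Names of the metadata segments in a JPEG byte string, in file order."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    found, pos = [], 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:      # SOS: compressed image data follows, metadata is all before it
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])   # length includes its own 2 bytes
        payload = data[pos + 4:pos + 2 + length]
        for (m, signature), name in JPEG_METADATA.items():
            if marker == m and payload.startswith(signature):
                found.append(name)
        pos += 2 + length
    return found


def _segment(marker, payload):
    """Encode one JPEG marker segment (used only to build the constructed sample file)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed minimal JPEG: an EXIF APP1, a Photoshop APP13, then SOS and EOI. Not a real photo.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08")
    + _segment(0xED, b"Photoshop 3.0\x008BIM\x04\x04")
    + _segment(0xDA, b"\x01\x01\x00")
    + b"\xff\xd9"
)


def build_sample_sites():
    """Constructed stand-ins for two HTTrack mirrors; returns their two directories."""
    base = tempfile.mkdtemp(prefix="sites_")
    files = {
        "site_a/index.html": b"<html>site A</html>",
        "site_a/img/logo.png": b"\x89PNG shared-logo-bytes",
        "site_a/img/photo.jpg": SAMPLE_JPEG,
        "site_b/about.html": b"<html>site B</html>",
        "site_b/assets/brand.png": b"\x89PNG shared-logo-bytes",   # same bytes as A's logo
    }
    for rel, content in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return os.path.join(base, "site_a"), os.path.join(base, "site_b")


if __name__ == "__main__":
    site_a, site_b = build_sample_sites()
    print("byte-identical across both copies:", shared_files(site_a, site_b))
    print("metadata segments in the sample image:", jpeg_metadata_segments(SAMPLE_JPEG))
```

Matching on content hashes rather than file names is what links a logo or photo reused under a different name on a second site; the segment walk stops at the start-of-scan marker because everything of interest (EXIF, XMP, Photoshop's resource block) sits in the application segments before the compressed image data.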
Welcome to ForensicIT.eu. We hope to bring you all the latest on IT forensics, penetration testing and security.
There is no other source than this…