
Forensic Talk Free Slides dd imaging


Pic0o


Hello! I was able to do a fire talk @ Drexel CCI in the Rush building last night. It was fresh to get feedback from people, sharing my presentation and getting to see everyone else present and to chat with people.

 

If you would like some slides about the use of dd, sha256sum and exiftool, you are welcome to the slides. 🙂

For fun, you can run exiftool on this ppt, exported from LibreOffice.

 

I also turned this project into a project thread for the specific use of dd on a Raspberry Pi. Reminder: the write blocker is optional if you are not concerned with consistent hashes but wish to image a disk.


For accessibility and ease of access, I will add the text contents of the slides below in this post. Also of note, I used photos, because I finished the slides the day I presented them. 😛

Text from slides below:

 

|+| Slide 01

Forensication

A data backup and verification chat.

Backing up and ripping data, making test beds and using equipment.

This fire talk will cover:

Write-blockers (hardware), dd, sha256sum, exiftool.

 

|+| Slide 02

Disclaimer (01 of 02)

Formal forensics is a wide field and circles around the notion of backing up information, with minimal to no changes of the source data.

Deeper forensic scope also involves analyzing the platform / Operating System, in order to determine OS level access (Example - thumbs.db folder indexers) versus manually viewed files.

 

|+| Slide 03

Disclaimer (02 of 02)

This talk is based on using your own test data to use analytic tools and to understand how they work, without worrying about client liability. Use some test data you are familiar with, as this makes finding 'the needle in the haystack' and spotting patterns tremendously easier.

Testing with the tools will give you the comfort to provide services for others.

 

|+| Slide 04

Backstory

Howdy. I got into data imaging over the years from system building and also doing support for friends, family and businesses. Originally plugging a hard drive into another machine, I would target C:\Users and grab profile data. Also including application data and whatever else.

After a while I got into Linux for file ripping. Some files are protected in Windows, even as a 2nd drive.

 

|+| Slide 05

Tool usage

There are plenty of tools and applications with forms you can use. However they can be quite expensive.

Personally, I like having built-in command line tools available. Especially for the sake of booting up a live cd at any location and being able to work, based on what I'm being asked to do or recover.

 

|+| Slide 06

Write Blocker Imaging

Using a hardware write-blocker is an assured way to not modify the contents of the source drive.

They are around $300 USD, so you have some cheaper options to do software write blocking... but if you forget to turn it on, you can contaminate your data source.

(Such as browsing a folder and having Windows make new thumbs.db files)

 

|+| Slide 07

Picture of write blocker source drive, and output drive

 

|+| Slide 08

Imaging Drives

```console
sudo dd if=/dev/sdf of=/dev/sdg bs=16384k
```

For a 500 GB HDD, it took about 3 hours. (results below)

```text
29808+1 records in
29808+1 records out
500107862016 bytes (500 GB, 466 GiB) copied, 10836.7 s, 46.1 MB/s
```

So how do you come up with the device names?

```console
ls /dev/sd*
```

```text
/dev/sda
/dev/sda1
/dev/sda2
/dev/sdb
/dev/sdb1
```

 

|+| Slide 09

Verifying disk image

Now that your drive is imaged, let's start verifying with the source drive, hooked up to the write-blocker.

This is for the source drive.

```console
sudo sha256sum /dev/sda
```

```text
cc73a7aefba01ee7550dab0870b1ef52elf7dc3d7f685357a5712fc5c2c4c7bf /dev/sda
```

Unhook the source drive, plug in the target / copied drive and run the same command.

```console
sudo sha256sum /dev/sda
```

```text
cc73a7aefba01ee7550dab0870b1ef52elf7dc3d7f685357a5712fc5c2c4c7bf /dev/sda
```

In the above, I hooked up the cloned drive, powered up the Write-blocker, confirmed the disc mounted, then calculated the cryptographic checksum.

Boom! It's a match 🙂

 

|+| Slide 10

Cryptographic Checksums

There are plenty of options for generating checksums. While sha-1 and md5 are commonly used, there are some theoretical attacks against their memory space.

Signature based anti-virus seems to have some clashes in the MD5 space.

Tools to get a checksum for a file are:

md5sum

sha1sum

sha256sum

 

|+| Slide 11

Checksum examples

Here I made a text file, saved it then calculated what the file’s crypto hash is (in sha256).

Making a new file called 'sampleChecksum.txt' with the contents of 'Hello checksum' and saving it.

```console
nano sampleChecksum.txt
```

Obtaining the checksum of said file:

```console
sha256sum sampleChecksum.txt
```

```text
9f8135859f0d32a46093fdf272952fb1133a8995af32f0b3e0f39daacfb78ffs sampleChecksum.txt
```

Making a second file with a single character change, I calculated that hash. New file called 'sample02Checksum.txt' with the contents of 'Hello Checksum' and saving it.

```console
sha256sum sample02Checksum.txt
```

```text
65762af89d327b44f6b824689cbe7169869ebf054384bab9a699aae25e51fb7f sample02Checksum.txt
```

The file contents are covered above: they are the same, short of one having an upper-case C in 'Checksum' where the original file is in lower case. Note how different the checksum output is for 2 files with similar names and 1 character different in file contents.

 

|+| Slide 12

Other checksum examples

ISO downloads and similar downloads tend to use MD5, so here are some extra output examples using the same 2 base files we made.

```console
md5sum sampleChecksum.txt
```

```text
9938b398bc883db337fb41431545955b sampleChecksum.txt
```

```console
md5sum sample02Checksum.txt
```

```text
65019593d2acc1e5fb4138dc18facd87 sample02Checksum.txt
```

sha1sum displays a similar but unique output for each file. Slightly more (8) characters in the return value than md5sum.

 

|+| Slide 13

(Duplicate slide of slide 12)

Reminder that I did add a little more elaboration than was in the original slide show, since I made it pretty quickly after collecting my test results.

 

|+| Slide 14

BONUS ROUND - exiftool

Here I am grabbing the logo image from my site, then checking the image metadata for extra details.

```console
wget https://funtimebliss.com/pathToASiteLogo/ftb-logo.png
```

 

|+| Slide 15

Exiftool (continued)

Now that we have a local copy of ftb-logo.png, let’s see what details we get from the file.

```console
exiftool ftb-logo.png
```

```text
ExifTool Version Number : 10.26
File Name : ftb-logo.png
Directory : .
File Size : 29 kB
File Modification Date/Time : 2013:05:29 11:45:14-04:00
File Access Date/Time : 2016:09:26 12:20:58-04:00
File Inode Change Date/Time : 2016:09:22 14:26:31-04:00
File Permissions : rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 465
Image Height : 100
Bit Depth : 8
Color Type : RGB with Alpha
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
SRGB Rendering : Perceptual
Background Color : 255 255 255
Pixels Per Unit X : 2835
Pixels Per Unit Y : 2835
Pixel Units : meters
Modify Date : 2009:10:13 17:45:32
Comment : Created with GIMP
Image Size : 465x100
Megapixels : 0.046
```

 

|+| Slide 16

Exiftool conclusion

Checking the Modify Date we see it was modified on 2009/10/13 around 5:45 PM. This matches up to the logo creation date.

Checking the Comment we see the image was edited in GIMP. I can confirm that as a fact, as I left the comment export option

Looking at the File Modification Date/Time, that is consistent with when I uploaded that file into Wordpress for the front page of my site.

There are TONS of supported file types for use with the EXIFTOOL and this is only one tool. Have fun and explore!

 

|+| Slide 17

Thank you(s)

Picture of Pirate Delli

I am Ryan (Mitch-kow-ski)

I have the twitter @pic0o

https://funtimebliss.com is my web home.
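As an added example (not from the talk or its slides), here is a small POSIX shell helper that strings together the image-then-verify procedure from slides 08 and 09 and the one-character-change comparison from slide 11: hash the source, dd it to the target, hash the target, and record both digests so a mismatch is caught rather than eyeballed. The function names, the log file and the sample input are assumptions; SRC and DST are whatever you pass in (a block device behind a write-blocker, or a plain file for practice).

```shell
#!/bin/sh
# Hypothetical helpers (not from the talk). Works on block devices or files,
# since sha256sum and dd treat both as a stream of bytes.
set -u

# Print only the hex digest of sha256sum (drop the trailing filename).
hash_of() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# verify_image EXPECTED_HASH TARGET
# Returns 0 when TARGET hashes to EXPECTED_HASH, 1 otherwise.
verify_image() {
    expected=$1; target=$2
    actual=$(hash_of "$target") || return 1
    if [ "$actual" = "$expected" ]; then
        echo "MATCH  $actual  $target"
        return 0
    fi
    echo "MISMATCH  expected=$expected actual=$actual  $target" >&2
    return 1
}

# image_and_verify SRC DST [LOGFILE]
# Hash the source BEFORE imaging, so a later mismatch can be told apart
# from a source that changed between the two reads (no write-blocker,
# an auto-mount, etc.). Both digests and dd's stats go to LOGFILE.
image_and_verify() {
    src=$1; dst=$2; log=${3:-image_verify.log}

    src_hash=$(hash_of "$src") || return 1
    # Same invocation as the slide, with if= spelled out in full.
    dd if="$src" of="$dst" bs=16384k 2>>"$log" || return 1
    dst_hash=$(hash_of "$dst") || return 1

    printf '%s  %s (source)\n%s  %s (target)\n' \
        "$src_hash" "$src" "$dst_hash" "$dst" >>"$log"

    verify_image "$src_hash" "$dst"
}
```

Run it as `image_and_verify /dev/sdf /dev/sdg` (with root, as the slides do) and keep the log next to the image; re-running `verify_image <digest> <path>` later re-checks the copy against the recorded source hash.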
