Pic0o Posted September 23, 2016

Hello! I was able to do a fire talk @ Drexel CCI in the Rush building last night. It was fresh to get feedback from people, sharing my presentation and getting to see everyone else present and to chat with people. If you would like some slides about the use of dd, sha256sum and exiftool, you are welcome to the slides. 🙂 For fun, you can run exiftool on this ppt, exported from LibreOffice. I also turned this project into a project thread for specific use of dd on a Raspberry Pi. Reminder: the write blocker is optional if you are not concerned about consistent hashes but wish to image a disk.
Pic0o Posted November 1, 2016 (Author)

For accessibility and ease of access, I will add the text contents of the slides below in this post. Also of note, I used photos, because I finished the slides the day I presented them. 😛

Text from slides below:

|+| Slide 01: Forensication
A data backup and verification chat. Backing up and ripping data, making test beds and using equipment. This fire talk will cover: write-blockers (hardware), dd, sha256sum, exiftool.

|+| Slide 02: Disclaimer (01 of 02)
Formal forensics is a wide field and circles around the notion of backing up information, with minimal to no changes of the source data. Deeper forensic scope also involves analyzing the platform / operating system, in order to determine OS level access (example: thumbs.db folder indexers) versus manually viewed files.

|+| Slide 03: Disclaimer (02 of 02)
This talk is based on using your own test data to use analytic tools and to understand how they work, without worrying about client liability. Use some test data you are familiar with, as this makes finding 'the needle in the haystack' and spotting patterns tremendously easier. Testing with the tools will give you the comfort to provide services for others.

|+| Slide 04: Backstory
Howdy. I got into data imaging over the years from system building and also doing support for friends, family and businesses. Originally, plugging a hard drive into another machine, I would target C:\Users and grab profile data, also including application data and whatever else. After a while I got into Linux for file ripping. Some files are protected in Windows, even as a 2nd drive.

|+| Slide 05: Tool usage
There are plenty of tools and applications with forms you can use. However, they can be quite expensive. Personally, I like having built-in command line tools available, especially for the sake of booting up a live CD at any location and being able to work, based on what I'm being asked to do or recover.
|+| Slide 06: Write Blocker Imaging
Using a hardware write-blocker is an assured way to not modify the contents of the source drive. They are around $300 USD, so you have some cheaper options to do software write blocking... but if you forget to turn it on, you can contaminate your data source (such as browsing a folder and having Windows make new thumbs.db files).

|+| Slide 07
Picture of write blocker, source drive, and output drive.

|+| Slide 08: Imaging Drives
    sudo dd if=/dev/sdf of=/dev/sdg bs=16384k
For a 500 GB HDD, it took about 3 hours (results below):
    29808+1 records in
    29808+1 records out
    500107862016 bytes (500 GB, 466 GiB) copied, 10836.7 s, 46.1 MB/s
So how do you come up with the device names?
    ls /dev/sd*
    /dev/sda /dev/sda1 /dev/sda2 /dev/sdb /dev/sdb1

|+| Slide 09: Verifying disk image
Now that your drive is imaged, let's start verifying with the source drive hooked up to the write-blocker. This is for the source drive:
    sudo sha256sum /dev/sda
    cc73a7aefba01ee7550dab0870b1ef52e1f7dc3d7f685357a5712fc5c2c4c7bf /dev/sda
Unhooking the source drive, plug in the target / copied drive and run the same command:
    sudo sha256sum /dev/sda
    cc73a7aefba01ee7550dab0870b1ef52e1f7dc3d7f685357a5712fc5c2c4c7bf /dev/sda
In the above, I hooked up the cloned drive, powered up the write-blocker, confirmed the disk mounted, then calculated the cryptographic checksum. Boom! It's a match 🙂

|+| Slide 10: Cryptographic Checksums
There are plenty of options for generating checksums. While SHA-1 and MD5 are commonly used, there are some theoretical attacks against their memory space. Signature based anti-virus seems to have some clashes in the MD5 space.
Tools to get a checksum for a file are: md5sum, sha1sum, sha256sum.

|+| Slide 11: Checksum examples
Here I made a text file, saved it, then calculated what the file's crypto hash is (in SHA-256). Making a new file called 'sampleChecksum.txt' with the contents of 'Hello checksum' and saving it:
    nano sampleChecksum.txt
Obtaining the checksum of said file:
    sha256sum sampleChecksum.txt
    9f8135859f0d32a46093fdf272952fb1133a8995af32f0b3e0f39daacfb78ffs sampleChecksum.txt
Making a second file with a single character change, I calculated that hash. New file called 'sample02Checksum.txt' with the contents of 'Hello Checksum' and saving it:
    sha256sum sample02Checksum.txt
    65762af89d327b44f6b824689cbe7169869ebf054384bab9a699aae25e51fb7f sample02Checksum.txt
File contents are covered above: the same, short of one having an upper-case C in checksum, with the original file being in lower case. Note how different the checksum output is for 2 files with similar names and 1 character different in file contents.

|+| Slide 12: Other checksum examples
ISO downloads and similar downloads tend to use MD5, so here are some extra output examples using the same 2 base files we made.
    md5sum sampleChecksum.txt
    9938b398bc883db337fb41431545955b sampleChecksum.txt
    md5sum sample02Checksum.txt
    65019593d2acc1e5fb4138dc18facd87 sample02Checksum.txt
sha1sum displays a similar but unique output for each file, with slightly more (8) characters in the return value than md5sum.

|+| Slide 13
(Duplicate slide of slide 12.) Reminder that I did add a little more elaboration than was in the original slide show, since I made it pretty quickly after collecting my test results.

|+| Slide 14: BONUS ROUND - exiftool
Here I am grabbing the logo image from my site, then checking the image metadata for extra details.
    wget https://funtimebliss.com/pathToASiteLogo/ftb-logo.png

|+| Slide 15: Exiftool (continued)
Now that we have a local copy of ftb-logo.png, let's see what details we get from the file.
    exiftool ftb-logo.png
    ExifTool Version Number         : 10.26
    File Name                       : ftb-logo.png
    Directory                       : .
    File Size                       : 29 kB
    File Modification Date/Time     : 2013:05:29 11:45:14-04:00
    File Access Date/Time           : 2016:09:26 12:20:58-04:00
    File Inode Change Date/Time     : 2016:09:22 14:26:31-04:00
    File Permissions                : rw-r--r--
    File Type                       : PNG
    File Type Extension             : png
    MIME Type                       : image/png
    Image Width                     : 465
    Image Height                    : 100
    Bit Depth                       : 8
    Color Type                      : RGB with Alpha
    Compression                     : Deflate/Inflate
    Filter                          : Adaptive
    Interlace                       : Noninterlaced
    SRGB Rendering                  : Perceptual
    Background Color                : 255 255 255
    Pixels Per Unit X               : 2835
    Pixels Per Unit Y               : 2835
    Pixel Units                     : meters
    Modify Date                     : 2009:10:13 17:45:32
    Comment                         : Created with GIMP
    Image Size                      : 465x100
    Megapixels                      : 0.046

|+| Slide 16: Exiftool conclusion
Checking the Modify Date, we see it was modified on 2009/10/13 around 5:45 PM. This matches up to the logo creation date. Checking the Comment, we see the image was edited in GIMP. I can confirm that as a fact, as I left the comment export option
Looking at the File Modification Date/Time, that is consistent with when I uploaded that file into WordPress for my front page of the site. There are TONS of supported file types for use with exiftool and this is only one tool. Have fun and explore!

|+| Slide 17: Thank you(s)
Picture of Pirate Delli
I am Ryan (Mitch-kow-ski). I have the twitter @pic0o. https://funtimebliss.com is my web home.
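The dd-then-sha256sum flow from slides 08, 09 and 11, as an added example that is not part of the original post or the author's slides: a block copy in the style of dd, followed by independent hashing of source and copy, plus the one-character sensitivity check. The pseudo-drive is a constructed temp file of random bytes; no real device is touched, and the file names are assumptions.

```python
"""Added example, not part of the original post: a dd-style block copy
followed by independent SHA-256 hashing of source and copy, mirroring
slides 08, 09 and 11. File names and sizes below are constructed."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 16384 * 1024  # 16 MiB, the bs=16384k from slide 08


def sha256_of(path, block_size=BLOCK_SIZE):
    """Stream a file (or a block device opened read-only) through SHA-256,
    the way sha256sum does, without loading it all into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(src, dst, block_size=BLOCK_SIZE):
    """Copy src to dst in fixed-size blocks, as dd if=src of=dst bs=N does.
    Returns (full_records, partial_records, bytes_copied), the numbers
    behind dd's '29808+1 records in/out' summary."""
    full = partial = copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while True:
            chunk = fin.read(block_size)
            if not chunk:
                break
            fout.write(chunk)
            copied += len(chunk)
            if len(chunk) == block_size:
                full += 1
            else:
                partial += 1
        fout.flush()
        os.fsync(fout.fileno())  # the image must be on disk before we hash it
    return full, partial, copied


def image_and_verify(src, dst, block_size=BLOCK_SIZE):
    """Image src to dst, then hash each side separately (the two sha256sum
    runs on slide 09). Returns (match, src_digest, dst_digest)."""
    image_device(src, dst, block_size)
    s = sha256_of(src, block_size)
    d = sha256_of(dst, block_size)
    return s == d, s, d


def checksum_sensitivity():
    """Slide 11: the two sample files differ in one character ('c' vs 'C')
    and their digests share nothing recognisable."""
    a = hashlib.sha256(b"Hello checksum\n").hexdigest()
    b = hashlib.sha256(b"Hello Checksum\n").hexdigest()
    return a != b, a, b


def demo(size=10_000, block_size=4096):
    """Run the whole flow on a constructed pseudo-drive of `size` random
    bytes, then append one byte to the copy to show the verify step
    catching a modified image. Returns a dict of the observations."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "source.img")  # hypothetical file names
        dst = os.path.join(d, "target.img")
        with open(src, "wb") as f:
            f.write(os.urandom(size))
        full, partial, copied = image_device(src, dst, block_size)
        ok, s, t = image_and_verify(src, dst, block_size)
        with open(dst, "ab") as f:
            f.write(b"\x00")  # simulate one stray write to the copy
        tampered_ok = sha256_of(src) == sha256_of(dst)
    return {"records": (full, partial), "bytes": copied, "match": ok,
            "src": s, "dst": t, "match_after_tamper": tampered_ok}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of hashing the copy from its own file descriptor rather than while writing it is the same as on slide 09: the digest is taken from what actually landed on the target, so a write that never reached the disk, or a later stray write, shows up as a mismatch.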
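Where exiftool's output on slide 15 comes from, as an added example that is not part of the original post and not exiftool's code: a small walker over a PNG's chunks that reads the IHDR fields (image size, bit depth, colour type, interlace), the tEXt "Comment" and the tIME modify date, verifying each chunk's CRC on the way. It covers only that subset of what exiftool prints; the PNG it reads is constructed in code with the same Comment and Modify Date as the logo, not downloaded.

```python
"""Added example, not part of the original post: walk a PNG's chunks and
pull out the fields exiftool printed on slide 15 (image size, bit depth,
colour type, interlace, the 'Comment' text and the tIME modify date),
checking each chunk's CRC on the way. The PNG is constructed in code."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
COLOR_TYPES = {0: "Grayscale", 2: "RGB", 3: "Palette",
               4: "Grayscale with Alpha", 6: "RGB with Alpha"}


def make_chunk(ctype, data):
    """Length + type + data + CRC32(type + data): the PNG chunk layout."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png():
    """Constructed 1x1 RGBA image carrying a GIMP-style Comment and a tIME
    chunk with the same date as the logo on slide 15."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)  # 8-bit RGBA, no interlace
    text = b"Comment\x00Created with GIMP"  # tEXt layout: keyword NUL text
    mtime = struct.pack(">HBBBBB", 2009, 10, 13, 17, 45, 32)
    idat = zlib.compress(b"\x00" + b"\xff\xff\xff\xff")  # filter 0 + one white pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr) + make_chunk(b"tEXt", text)
            + make_chunk(b"tIME", mtime) + make_chunk(b"IDAT", idat)
            + make_chunk(b"IEND", b""))


def iter_chunks(data):
    """Yield (type, body) for each chunk, refusing truncated or CRC-bad ones."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):  # a chunk is at least 12 bytes
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        yield ctype, body
        pos = end
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk: file is truncated")


def png_metadata(data):
    """Collect the exiftool-style fields from the IHDR, tEXt and tIME chunks."""
    meta = {"text": {}}
    for ctype, body in iter_chunks(data):
        if ctype == b"IHDR":
            w, h, depth, color, _comp, _filt, interlace = struct.unpack(">IIBBBBB", body)
            meta.update(width=w, height=h, bit_depth=depth,
                        color_type=COLOR_TYPES.get(color, f"unknown ({color})"),
                        interlace="Adam7" if interlace else "Noninterlaced")
        elif ctype == b"tEXt":
            key, _, val = body.partition(b"\x00")
            meta["text"][key.decode("latin-1")] = val.decode("latin-1")
        elif ctype == b"tIME":
            y, mo, d, hh, mm, ss = struct.unpack(">HBBBBB", body)
            meta["modify_date"] = f"{y:04d}:{mo:02d}:{d:02d} {hh:02d}:{mm:02d}:{ss:02d}"
    return meta


if __name__ == "__main__":
    sample = build_sample_png()
    for k, v in png_metadata(sample).items():
        print(f"{k:12}: {v}")
```

The Comment and Modify Date on slide 15 are ordinary chunks inside the file, written by whatever tool saved it, whereas the File Modification and Inode Change times come from the filesystem; the two kinds of timestamp are independent evidence and are worth comparing rather than treating either as authoritative.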