Computer Forensics: An MSc Project
Author: Adrian Wragg (http://www.blogger.com/profile/09095732105997589037)

Results! (2010-11-18)

In my conclusion, I wrote the following:
VeRa, as a software application, meets all the original design and functionality requirements stated at the start of the project. It is capable of parsing complex data structures by following both original and reverse-engineered specifications, with code written from scratch.
To demonstrate the viability of VeRa as a platform, it builds on groundwork laid

Thesis submission (2010-09-28)

On Tuesday the 28th of September, 78 pages - 15,500 words - of thesis were submitted. I have spent an entire year's worth of evenings writing the document and associated software, and for obvious reasons have my fingers well and truly crossed.
The next step is now the viva: a formal presentation to my supervisors of the work that I have undertaken, and my conclusions resulting from it. After

FAT32 (2010-06-21)

As a sample filesystem plug-in, a processor for FAT32 was chosen. There were a number of reasons behind this decision:
Well-documented, long established format;
A very simple structure that allowed more time to be dedicated to the general VeRa ecosystem; and,
Volume of potential sample data, due to it being the normal format for devices such as digital cameras and USB memory sticks.
A FAT drive

Partition Tables (2010-06-21)

Parsing a partition record is surprisingly easy. The first step is to read the master boot record (MBR) for an image, and specifically the bytes from 0x01BE onwards: this is the partition table itself. These contain up to four-byte records that indicate the starting points of either the individual partition, or further ('extended') partition tables.
A typical partition table could be:
Address of

VeRa - Software Complete (almost) (2010-06-18)

The 17th of June marked a minor milestone, as that is the date on which full-time development on VeRa ceased. A few small features still need to be tweaked, and the software given a makeover, but in terms of functionality it is now complete.
VeRa works in a wizard-style interface, where the user is taken through the following steps:
Selection of the source of the data.
This can be one of a

Creating blank partitioned drives (2) (2009-12-10)

In my previous post, I described a method of creating test filesystems for VeRa such that:
The drive contained multiple partitions;
Each partition could be a different filesystem; and,
The drives existed in a raw image format (such as would be extracted by dd or equivalent software).
Last week, VeriSign very kindly sent me a 2Gb USB drive; although as a drive it is significantly smaller than

Creating blank partitioned drives (2009-11-27)

For a system such as VeRa, testing its filesystem and partition table detection routines on a range of partition combinations is a necessity; however, creating these can be time-consuming. A simple solution to this involves a Linux live ISO and a copy of VirtualBox, an open-source virtualisation tool from Sun Microsystems.
The process I am following is as follows:
Create a new Virtual Machine,

XML in Forensics: DEX (2009-11-17)

In their 2009 paper 'DEX: Digital evidence provenance supporting reproducibility and comparison', Levine and Liberatore refer to Alink, Garfinkel and Turner's past works (as also documented here, here and here) in attempting to develop a file format suitable for presenting as evidence in forensic cases.
They initially criticise the fact that the tools that provide the greatest amount of support

XML in Forensics: fiwalk and AFF (2009-11-12)

In 2006, Simson Garfinkel attempted to solve the issue of proprietary disk image formats (as used by most forensic analysis tools), and at the same time the problem with storage of massive retrieved datasets; his solution was AFF, the Advanced File Format.
One tool that he has developed, to work alongside AFF and its base SleuthKit, is fiwalk, which covers the following features:
Finds all

XML in Forensics: XIRAF (2009-11-11)

In 2005, Turner published his paper 'Unification of digital evidence from disparate sources (Digital Evidence Bags)'. He described an XML data format that could be used in a similar form to normal evidence bags, and concludes by stating:
"The digital forensic community is in need of a new approach to the way in which the information from digital devices is gathered and processed."
Turner, 2005
VeRa (2009-11-10)

The project plan has been submitted, with the software that will come out of it being given the name 'Virtualisation Environment for Resource Analysis', or VeRa; as an individual's name this can also have the meaning 'truth'.
The research areas of the project are:
XML data formats for import and export, covering DEB, XIRAF and DEX;
File system analysis:
Being able to analyse an image file and

Visual Elements (2009-11-05)

One of the key features of any software project is usability. And for a project where visualisation is key, being able to convey the information in the best manner possible is essential.
The initial build of my final project will have a visualisation component, but the aim is to modularise as much as possible. With that in mind, the following elements will be individual, and indeed

Digital Evidence Bags (2009-11-04)

There are currently fundamental differences in the treatment of digital and non-digital (physical) forensic evidence in our legal system. All examination of non-digital evidence is logged through the use of evidence bags, whilst for digital evidence the only requirements are generally to provide evidence that the data being worked upon and presented:
has been collected in a manner consistent with

Which Language? (2009-11-03)

Through their Dreamspark programme, Microsoft have made their Professional suite of development tools available to full- and part-time students for free. As my primary job rôle involves software development on the Microsoft .NET platform, it then seems natural for me to use a tool such as Visual Studio 2008 for the development of this project.
The one question that remains, however, is which

Outlook PST file format (2009-11-02)

One of the core aims of the project is to be able to take any bit of information, without having access to the application that created it, and present it on a timeline. Therefore, I'm happy to see that Microsoft are planning on opening up the format of Outlook .PST files. Being able to chart the sending of individual emails without resorting to third-party estimations of the file formats will

The Windows Registry (2009-11-02)

When analysing an image, one important element to be able to see is the registry; this stores settings for all manner of applications within Windows (as well as settings related to Windows itself), and combined with the dates that are stored alongside each registry entry can provide invaluable information for creating an accurate timeline.
The following extract is from an unpublished paper I

Detecting the Filesystem (2009-10-30)

Before any analysis of files can be performed, the drive image (or images) must be analysed so the system knows how the drive was formatted; for example, a Windows PC may use FAT32 or NTFS format, an Apple PC (yes, they are PCs) may be HFS or HFS+, whilst a Linux PC might use ext2, ext3, reiserfs or any other format that happened to interest that particular user when the computer was being set up

Drive Letters (2009-10-29)

A useful write-up on drive letter assignments can be found, unsurprisingly, in Wikipedia. Thus, if the user of the forensic application is able to let the application know the order of physical disks that the images relate to, it should be possible to logically work out the order in which drive letters are initially assigned.
Windows does, however, give users the option of altering drive letters

File Systems (2009-10-29)

In order to be able to visualise a timeline of a PC's usage, it first of all needs to be possible to get the information from the PC in the first place. The most common method of doing this is by capturing an 'image' of the hard disks (and other rewriteable media) within the physical hardware; these images then exist as files on the analyser's own systems, with each bit in the file representing an

Forensic timelines (2009-10-28)

Although retrieving data is the core aim of a forensic investigation, and existing tools have more power than the average investigator is likely to use, they are still lacking in some areas. As a simple example, if we wished to try and trace the actions on a PC during a certain time period, the majority of the tools that currently exist are simply not geared up to give this level of detail.
The

A Short(ish) Introduction (2009-10-28)

Welcome to my MSc Project Blog!
I'm currently a mature (by age if not attitude) MSc student in my final year at the University of Glamorgan, studying Computer Forensics (or, as it will say on my certificate, the slightly more wordy "Information Security and Computer Crime"). The final year is concerned with my thesis, which in my case will be a major project centered around the subject of