 |
|
|
Monday, Aug 30th, 2010
Posted By eoghan
This year Eoghan Casey collaborated with the Netherlands Forensic Institute to create the DFRWS Forensic Challenge in an effort to advance forensic analysis of Flash memory in mobile devices. The winner of the challenge was Solal Jacob who used the open source Digital Forensic Framework, and provides some new modules specifically for parsing memory dumps of Sony Ericsson K800i devices. Complete results are posted on the DFRWS Web site.
The scenario for the DFRWS2010 Forensic Challenge involves an arms dealer named Monsieur Victor (a.k.a. “The General”) who was apprehended in the Netherlands and threw Sony Ericsson K800i in a nearby canal. The Netherlands Forensic Institute acquired data from NAND and NOR chips in the water damaged mobile device using Memory toolkit. The goal of the challenge is to recover leads relating to front companies, bank accounts and cohorts.
The winning submission provides a technical analysis of data structures found in memory dump from a Sony Ericsson K800i mobile device and provides DFF plug-ins that recover wear-leveling tables, enabling a forensic analyst to reconstruct the flash abstraction layer as shown here.
Once the desired state of memory has been reconstructed, the DFF tool can be used to interpret the partition table and file systems on the mobile device as shown here.
The resulting logical view show metadata associated with files and folders, including deleted items.
In addition, digital photographs recovered from mobile device memory can be previewed using the DFF as shown here.
An interesting outcome of the challenge was that several contestants were able to extract substantial amounts of information from the physical memory dumps without understanding the logical arrangement of blocks or the file system. The implication is that, once full physical dumps of NAND and/or NOR memory are obtained from a mobile device, simple text extraction and file carving techniques can provide significant amounts of useful information, including deleted data.
A logical acquisition created using Microsystemation’s XRY mobile device forensic tool is now available to facilitate further development such as interpretation of foreign characters. As an example, the logical view of SMS messages on the device used in the DFRWS2010 Forensic Challenge is shown here.
(No Comments)
|
|
|
|
|
|
Sunday, Aug 29th, 2010
Posted By eoghan
Recent research into important file formats on Windows Mobile devices has led to a breakthrough in mobile device forensics. Our improved understanding of the proprietary Microsoft embedded database format enables us to recover all available data from files such as cemail.vol, including deleted items.
The papers and associated tools detailing these advances in Windows Mobile forensic analysis are published in the Journal of Digital Investigation. The most recent special issue on forensic analysis of embedded systems contains two papers: Introduction to Windows Mobile Forensics and Windows Mobile Advanced Forensics.
Introduction to Windows Mobile Forensics by Eoghan Casey, Michael Bann and John Doyle covers the fundamentals of Windows Mobile systems, embedded database formats and tools for acquiring and examining these systems in a forensic context. A table from this paper is provided here, listing potentially useful sources of evidence on Windows Mobile devices.
Windows Mobile Advanced Forensics by Coert Klaver from the Netherlands Forensic Institute provides in-depth technical details about embedded database formats and tools for acquiring and examining this information. The author developed tools for interpreting data in embedded databases acquired from Windows Mobile devices, including deleted items.
An upcoming issues of the Journal of Digital Investigation contains the paper Windows Mobile Advanced Forensics: An Alternative to Existing Tools by Cpt. Frédérick Rehault from the French National Gendarmerie. The author developed custom boot loaders and file parsing tools to extract the maximum amount of information available from Windows Mobile devices. A small sample of the very detailed output from one customized tool is provided below, showing interpreted fields extracted from a text message in cemail.vol along with the location of associated content in the file system.
The tool also extracts the raw database record as shown here with all of the internal database fields:
*************************************************************
[ DEBUG ]: Found RECORD HEADER at Offset 0x000b7e9c
[ DEBUG ]: hRecord = 0x00000a47
[ DEBUG ]: hDBHandle = 0x00000060
[ DEBUG ]: DataRecordSize = 0x00b8
[ DEBUG ]: CompDataRecordSize = 0x009e
[ DEBUG ]: Nb Props found = 12
[ DEBUG ]: Flag = 0x4000 : Data might be compressed
00000000 45 0a 00 3a a0 00 00 00 0f 00 00 31 28 00 00 00 |E..:.......1(...|
00000010 00 00 b0 25 58 00 4c 00 6f 00 76 00 65 00 20 00 |...%X.L.o.v.e. .|
00000020 79 00 6f 00 75 00 20 00 74 00 6f 00 6f 00 2e 00 |y.o.u. .t.o.o...|
00000030 20 00 43 00 61 00 6e 00 74 00 20 00 77 00 61 00 | .C.a.n.t. .w.a.|
00000040 69 00 74 00 20 00 74 00 6f 00 20 00 73 00 65 00 |i.t. .t.o. .s.e.|
00000050 65 00 20 00 79 00 6f 00 75 00 20 00 74 00 6f 00 |e. .y.o.u. .t.o.|
00000060 6d 00 6f 00 72 00 72 00 6f 00 77 00 21 00 34 00 |m.o.r.r.o.w.!.4.|
00000070 00 00 04 00 00 9d b0 25 19 d5 c9 01 16 00 31 00 |.......%......1.|
00000080 34 00 34 00 33 00 35 00 35 00 35 00 31 00 32 00 |4.4.3.5.5.5.1.2.|
00000090 31 00 32 00 16 00 31 00 34 00 34 00 33 00 35 00 |1.2…1.4.4.3.5.|
000000a0 35 00 35 00 31 00 32 00 31 00 32 00 80 33 49 26 |5.5.1.2.1.2..3I&|
000000b0 19 d5 c9 01 47 0a 00 3b |....G..;|
+ List of properties in record:
-- PropID[ 0 ] = 0x80050013 UI4 : 0x3a000a45
-- PropID[ 1 ] = 0x80110013 UI4 : 0x000000a0
-- PropID[ 2 ] = 0x001a0013 UI4 : 0x3100000f
-- PropID[ 3 ] = 0x0e070013 UI4 : 0x00000028
-- PropID[ 4 ] = 0x003d001f LPWSTR :
-- PropID[ 5 ] = 0x0037001f LPWSTR : Love you too. Cant wait to see you tomorrow!
-- PropID[ 6 ] = 0x0e170013 UI4 : 0x00040000
-- PropID[ 7 ] = 0x0e060040 FILETIME 0x1c9d51925b09d00
-- PropID[ 8 ] = 0x0c1f001f LPWSTR : 14435551212
-- PropID[ 9 ] = 0x0c1a001f LPWSTR : 14435551212
-- PropID[ 10 ] = 0x30080040 FILETIME 0x1c9d51926493380
-- PropID[ 11 ] = 0x80010013 UI4 : 0x3b000a47
cmdLabs covers forensic analysis of Windows Mobile and other mobile devices in the course we develop and teach for SANS (FOR563 – Mobile Device Forensics).
(No Comments)
|
|
|
|
|
|
Wednesday, Mar 17th, 2010
Posted By eoghan
File initialization is a normal Windows file system behavior that can create problems for forensic analysts. We have encountered file initialization behaviors in a number of cases and find that it creates significant confusion if the underlying cause is not understood. In several cases, incomplete file initialization was misinterpret as backdating, and in another matter it hampered data salvaging efforts.
File Initialization
File initialization is a process that Microsoft Windows uses when creating a new file system entry. Basically, when a new file is being created, an appropriate amount of unallocated space is reserved for the data that will be stored in the new file. Under certain circumstances, the storage space reserved for the new file may not be used in its entirety, or at all.
When only a portion of the disk space that was reserved for a new file is used to store data associated with that file, this leaves a discrepancy between the logical file size and the actual amount of data stored in the file. As a result, you can have a file that appears to have a logical size larger than the actual amount of data stored for that file. The space between the end of valid data and the end of file is called uninitialized space.
“In NTFS, there are two important concepts of file length: the End of File (EOF) marker and the Valid Data Length (VDL). The EOF indicates the actual length of the file. The VDL identifies the length of valid data on disk. Any reads between VDL and EOF automatically return 0 in order to preserve the C2 object reuse requirement.” (Microsoft fsutil documentation)
Uninitialized space is similar in concept to file slack except that it is contained within the logical file size. Unlike file slack which is no longer associated with a file, data in uninitialized space is in a kind of limbo, trapped at the end of an allocated file but not actually part of that file.
Figure: Diagram of file with a logical size that is larger than its valid data length, leaving uninitialized space
The effect of file initialization behaviors are most easily demonstrated on Windows XP with fsutil as shown here. First, we create a new file that can contain 1024 bytes:
C:\Test>fsutil file createnew cmdLabs-setvaliddata 1024
File C:\Test\cmdLabs-setvaliddata is created
Then we set the valid data length of the new file to 1000 bytes, which leaves 24 bytes unused at the end of the file.
C:\Test>fsutil file setvaliddata cmdLabs-setvaliddata 1000
Valid data length is changed
NTFS captures the difference between logical file size and valid data length in two MFT fields as shown here:
Figure:MFT entry with logical size and valid data length viewed using X-Ways Forensics
Salvaging Data from File System Limbo
The significance of this from a forensic analysis standpoint is that a file with a valid data length smaller than the logical file size can contain data associated with two files: data associated with the new file (VDL bytes), and data from the old file in uninitialized space (logical file size – VDL bytes).
From a forensic analysis perspective, this uninitialized space can be beneficial. While various disk cleaning utilities can be configured to wipe file slack, they generally do not touch data in uninitialized space. As a result, deleted data can remain in uninitialized space indefinitely, even despite data destruction efforts, and can be salvaged by forensic analysts.
However, this arrangement of data can create complications for forensic analysts, particularly when dealing with larger files that have substantial amounts of uninitialized space. For instance, when carving for certain file types, it is common to export unallocated space. However, any data in uninitialized space will not be included in unallocated space. Similarly, when performing keyword searches, a forensic analyst could incorrectly attribute a hit in the uninitialized space with the new file.
In one case, several approaches were employed in an effort to salvage video fragments:
- examined deleted video files still referenced by file system
- performed file carving on unallocated space only
- processed file slack only for fragments of video files
None of these approaches recovered videos from a time period of interest. It was not until we conducted a forensic analysis of uninitialized space that additional video fragment were found.
Misinterpreting Normal File System Behavior as Backdating
Another complication from a forensic analysis standpoint arises when the file creation process is interrupted before the contents of the file is written to disk, because the new file system entry will point to a cluster that still contains data associated with an older file. When this occurs and a date can be associated with the older file, forensic analysts might think that a newer file was overwritten by an older one. This phenomenon can be misinterpreted as evidence of backdating.
As an example, consider a newly created file that has not been initialized and has not had any associated data saved to disk as shown here using fsutil:
C:\Test>fsutil file createnew cmdLabs-creatnew 1024
File C:\Test\cmdLabs-creatnew is created
When a file is initialized but the associated contents was not written to disk, the initialized file system entry may point to a cluster that contains old data as shown below using EnCase. By default, EnCase shows uninitialized space in blue text. The cluster that was allocated to the new file “cmdLabs-createnew” contains older data (folder entries of files from earlier in January).
Figure: EnCase showing folder entries from early January in the cluster allocated to the new initialized file system entry
This situation can be misinterpreted as backdating if the forensic analyst assumes that the clock had to be set back to the old date when the file contents was saved to disk.
(No Comments)
|
|
|
|
|
|
Wednesday, Feb 3rd, 2010
Posted By eoghan
At long last and with the help of many talented experts, I have put together a new Handbook. This book provides an advanced reference for conducting digital investigations and performing forensic examinations. The first part of the book provides comprehensive methodologies and practical tips from experienced practitioners in the areas of forensic analysis, electronic discovery and intrusion investigation. The second part of the book delves into technical aspects of digital evidence on computers, networks, and embedded systems. The technologies covered include Windows, UNIX, and Macintosh computers, cellular telephones and other mobile devices, networks and mobile telecommunications technology.
The Network Investigations chapter written by cmdLabs personnel is available in PDF form upon request.
F-Response is giving a copy of the Handbook with purchase of their tool:
Buy F-Response, Get a copy of The Handbook of Digital Forensics and Investigation
My deepest thanks to the contributors: Cory Altheide (Mandiant) – Christopher Daywalt (cmdLabs) – Andrea de Donno (Lepta) – Dario Forte (DFLabs) – James Holley (Ernst & Young) – Andy Johnson (University of Maryland, Baltimore County) – Ronald van der Knijff (Netherlands Forensic Institute) – Anthony Kokocinski (CSC) – Paul Luehr (Stroz Friedberg) – Terrance Maguire (cmdLabs) – Ryan Pittman (US Army) – Curtis Rose (Curtis W. Rose & Associates) – Joseph Schwerha (TraceEvidence) – Dave Shaver (US Army) – Jessica Reust Smith (Stroz Friedberg).
(No Comments)
|
|
|
|
|
|
Thursday, Dec 10th, 2009
Posted By Christopher
Mobile device forensics tools have come a long way in the past year, giving us access to more data on a wider range of devices. Even when a full copy of physical memory is not possible, for many devices the complete logical file system can be acquired. Although this generally does not include deleted items, it can still provide access to substantial digital evidence including MMS messages, IM fragments, and Web browsing history.
However, even when a tool can acquire the entire file system from a mobile device, it may not be able to display items of interest like MMS messages. In such situations, the forensic examiner must locate the desired information within the file system and interpret it themselves.
This is one of the main reasons why it is important for practitioners to have an understanding of the underlying technology, and not be overly reliant on automated tools.
Locating MMS Data
A good example of when a tool can acquire but not display evidence of interest came up in a recent case involving MMS messages on a Verizon LG phone. Although the commonly used tool called Cellebrite could acquire data from the mobile device, including a copy of the file system, it did not present MMS messages in the output report. As a result, the investigating agency was only able to view the incriminating evidence through the device itself by performing a manual “scroll” examination.
Until cmdLabs came along to help…
By examining the file system acquire using Cellebrite, we found MMS messages in the “mms” folder on the LG device. For the sake of illustration, this file system location is shown using BitPim.
The MMSMsg.db file contains metadata associated with the messages, and the PDU files contain the original file name as well as the actual data of the pictures and videos in the message. The header of one PDU file is shown here, revealing some Synchronized Multimedia Integration Language (SMIL) tags and the original file name on the device (0920091201a.3g2).
Even after the original video file is deleted from the device, a copy remains in the MMS message.
Extracting MMS Data
The media portion of the PDU message file can be extracted using simple file carving techniques. Although you could remove the file header manually using a hex editor, it is more effective to use a file carving tool like Foremost. By automating the file carving process, your process is repeatable. In addition, Foremost generates an audit log that can be useful for forensic documentation purposes.
The file header (a.k.a. signature) of the 3gp videos from an LG VX series device is “ftyp3g2a” preceded by 4 bytes. The configuration entry for the Foremost file carving tool is shown here:
3gp y 4000000 ????\x66\x74\x79\x70\x33\x67\x32\x61
Using a configuration file that contains the above signature, the command ‘foremost -c foremost.conf MMS*‘ will extract the 3gp video content from PDU files acquired from an LG device. The resulting videos will be saved in the default Foremost output directory and can be played using Quicktime as shown here.
For those forensic practitioners who are interested in learning more about mobile device forensics and related data recovery techniques, cmdLabs is teaching the SANS Mobile Device Forensic course (SEC 563) in New Orleans from January 11–15, 2010 and again in San Antonio from January 25–29, 2010.
(No Comments)
|
|
|
|
|
|
Friday, Aug 21st, 2009
Posted By admin
An increasing number of programs are employing SQLite to store data that can be of relevance in an investigation. Forensic practitioners who become familiar with SQLite and learn how to interpret these files will be in a better position to obtain the most usable information from available digital evidence. We cover this and other useful forensic techniques in our Mobile Device Forensics course (SANS SEC563).
Backup files from an iPhone or iPod Touch provide an excellent example of SQLite databases that digital forensic examiners can exploit with relative ease, provided they are not encrypted. Data backed up from an iPhone using iTunes such as call logs, contacts, multimedia, and other files are, by default, stored in SQLite database files under “~/Library/Application/Support/MobileSync/Backup” Mac. On Windows XP these backup files are stored in the user’s profile under “C:\Documents and Settings\[userprofile]\Application Data\Apple Computer\MobileSync\Backup” and Windows Vista has a “Roaming” subfolder in this path.
SQLite databases can be examined using a command line tool like sqlite3.exe (http://www.sqlite.org/) or with a GUI tool like SQLite Database Browser (http://sqlitebrowser.sourceforge.net/) shown here with the call log backed up from an iPhone.
The dates are in Unix string format and can be converted using Perl as shown here:
$ perl -e "print scalar(gmtime(1247848584))"
Fri Jul 17 16:36:24 2009
The use of SQLite databases gives forensic practitioners the ability to query the available data directly using the SQL database language. Although a full treatment of SQL is beyond the scope of this discussion, simple examples are provided here to get you started.
C:\>sqlite3.exe E:\iPhoneBackup\call_history.db
SQLite version 3.6.16
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .tables
_SqliteDatabaseProperties call
sqlite> select * from call WHERE address like '%868%';
2|+186835xxxxx|1247848584|60|4|-1
3|+186835xxxxx|1247853361|0|5|-1
4|+186835xxxxx|1247854453|0|5|-1
9|+186831xxxxx|1247895923|60|4|-1
10|+186835xxxxx|1247936960|60|5|-1
11|+186835xxxxx|1247941792|0|4|-1
12|+186835xxxxx|1247941827|0|4|-1
13|+186835xxxxx|1247941920|0|4|-1
14|+186835xxxxx|1247942844|0|4|-1
16|+186835xxxxx|1248015352|60|4|-1
17|+186835xxxxx|1248015674|0|4|-1
18|+186835xxxxx|1248016092|0|5|-1
26|+186835xxxxx|1248177103|0|5|3
The Symbian operating system for mobile devices also makes use of SQLite databases, and other computer applications store investigatively useful information in SQLite databases, including Firefox 3 and Skype. For instance, the moz_places table in the places.sqlite file from Firefox 3 is shown below.
This file can also be queried using SQL, as shown here being queried for all URLs containing the cmdLabs web site.
C:\tools>sqlite3 E:\firefox\places.sqlite
SQLite version 3.6.16
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .tables
moz_anno_attributes moz_favicons moz_keywords
moz_annos moz_historyvisits moz_places
moz_bookmarks moz_inputhistory
moz_bookmarks_roots moz_items_annos
sqlite> select * from moz_places WHERE url like '%cmdlabs%';
621|http://www.cmdlabs.com/|Home|moc.sbaldmc.www.|1|0|1||2000
622|http://www.cmdlabs.com/page11/page11.html|Blog|moc.sbaldmc.www.|1|0|0||100
623|http://www.cmdlabs.com/services/services.html|Services|moc.sbaldmc.www.|1|0|0||100
624|http://www.cmdlabs.com/services/services/services-4.html|Training and Education|moc.sbaldmc.www.|1|0|0||100
Programs like Firefox that maintain usage records in these databases may leave remnants of deleted items that may be recoverable from unallocated disk space as detailed in Murilo Tito Pereira’s article “Forensic analysis of the Firefox 3 internet history and recovery of deleted SQLite records” (www.digitalinvestigation.net).
(No Comments)
|
|
|
|
|
|
Wednesday, Jul 15th, 2009
Posted By admin
Eoghan Casey delivered the presentation “Expert Briefing: Mobile Device Forensics Essentials” on behalf of cmdLabs at the SANS WhatWorks in Forensics and Incident Response Summit on July 8. SANS has made this presentation available via webcast at the following URL:
https://www.sans.org/webcasts/show.php?webcastid=92648
If you have any comments or suggestions regarding the presentation or anything else, please shoot us an e-mail at contact@cmdlabs.com.
(No Comments)
|
|
|
|
|
|
Wednesday, May 27th, 2009
Posted By admin
Here are some examples of lesser known application metadata in Microsoft Office documents that we have encountered in casework, and that we presented at the annual meeting of the American Academy of Forensic Sciences in February.
Files created using Microsoft Office applications have more metadata than many forensic practitioners realize. Word documents, Excel spreadsheets, Powerpoint presentations, and Outlook e-mail messages are essentially a file system within a file. They are structured storage files that use OLE to create the equivalent of folders (called storages) and files (called streams).
For example, consider metadata embedded within Word 2003 documents. The Summary Information metadata extracted from a Word document using Harlan Carvey’s wmd.pl Perl script is shown here:
--------------------
Summary Information
--------------------
Title : cmdLabs
Subject :
Authress : LastName FirstName
LastAuth : LastName FirstName
RevNum : 39
AppName : Microsoft Word 11.4.2
Created : 01.28.2009, 12:12:00
Last Saved : 02.05.2009, 00:36:00
Last Printed : 02.03.2009, 15:08:00
Beyond the Summary Information metadata that most forensic practitioners are familiar with and many tools can extract, Word documents also have a FILETIME value in the ROOT ENTRY header that records the last time a document was altered. This value can provide the last modified time of a document even if the timestamps in the file system or Summary Information metadata have been maliciously altered (utilities are available that make such tampering simple).
An example of this date-time stamp in the ROOT ENTRY header is provided here (2/5/2009 12:36:04 AM):
Forensic examiners should also be aware that Microsoft Office documents have embedded metadata associated with individual objects within the file, as shown here using SSView (http://www.mitec.cz/).
Excel also contains an abundance of metadata stored within its Binary Interchange File Format (BIFF5 – 8). For instance, the cells that were selected the last time a spreadsheet was saved, and the registered name that most recently opened the document with write access. Much of this metadata is accessible using BIFFView (http://b2xtranslator.sourceforge.net). A portion of the BIFFView output with the WRITEACCESS field is show here:
Reading the documented file formats of Microsoft Office files (http://msdn.microsoft.com/en-us/library/cc313118.aspx) can help forensic practitioners delve deeper into metadata, but can also be misleading and inaccurate. Therefore, it is crucial to perform controlled experiments to locate and understand the meaning of specific metadata.
(No Comments)
|
|
|
|
|
|
Sunday, May 17th, 2009
Posted By admin
In Mobile Device Forensics, it is often necessary to use multiple methods and tools to obtain the most useful information from the device. For example, let us look at acquisition challenges associated with Windows Mobile.
Security configuration is one of the first barriers to acquiring digital evidence from a device running Windows Mobile, even when there is no password protection. The reason is simple: Windows Mobile is often configured to prevent unsigned applications from running. Many forensic tools need to transfer and execute a customized application on the mobile device in order to acquire data. So, if the software agent for a particular forensic tools is not signed, it will not run and you will not get any data.
Even when this security protection is disabled, files that are routinely used by the operating system cannot be copied using certain tools, including some forensic acquisition tools. For instance, an attempt to copy the pim.vol file using Microsoft’s Remote File Viewer generates an error as shown here.
In the case of pim.vol, this file can be copied logically when a Windows Mobile device is mounted via ActiveSync. However, you will have no such luck copying files like cemail.vol and the registry (mxip_system.vol) in this way. Although some mobile device forensic tools can extract limited information from these locked files, it is important to also have a copy of the original file for forensic examination.
Warning: some forensic tools will appear to copy files that are locked by the Windows Mobile operating system, but do not actually acquire the contents, resulting in an empty file container in the case file. The tool may tag the file as locked, but there is not log/error generated so you would have to be looking closely at the specific file to see this. An unsuspecting forensic examiner might perform a keyword search of acquired data with no results, not realizing that relevant data had not been acquired.
To gain access to more digital evidence on Windows Mobile devices, including some deleted data, it is necessary to get physical. For example, using a forensic tool like XACT, which is designed to acquire and analyze physical memory of mobile devices, it is possible to extract significant amounts of data from Windows Mobile devices, including files like cemail.vol, pim.vol, and the registry. Data in an acquired cemail.vol file, which includes text message (SMS), are displayed here with some text readily viewable.
Acquiring these files is only the first challenge. It is then necessary to interpret the data they contain. Interpreting text message and other useful data structures found in files and raw memory on mobile devices can give additional interesting information, including associated metadata. One approach that can be effective in some cases is to view the acquired file in a Windows Mobile emulator using a utility like Pocket dbExplorer. Although it can be fruitful to examine acquired data in this way, it may not provide access to all of the information you might be interested in relating to an investigation. This is why it is important to also use forensic tools that can query the operating system for specific details about the data it contains (even if they cannot copy the entire container file). Acquiring the same Windows Mobile device using .XRY provides the following valuable metadata associated with the raw data displayed above, including the timestamp associated with the message and what folder it is stored in on the device.
Bottom line: to obtain the most information from an evidentiary device it is advisable to acquire data using multiple tools and, wheneve feasible, performing both a logical and physical acquisition. In the upcoming SANS Mobile Device Forensics course [http://www.sans.org/training/description.php?mid=1297] in Baltimore on July 27-31, we cover logical and physical acquisition and analysis of cell phones. We have plenty of hands-on exercises employing a variety of tools to help practitioners develop the ability to acquire and analyze data from various kinds of mobile devices.
(No Comments)
|
|
|
|
|
|
Friday, May 8th, 2009
Posted By admin
Despite the fact that FAT is one of the earliest file systems that forensic practitioners had to deal with, there are still gaps in knowledge that result in misinterpretation and misrepresentation. A prime example of this is the create time in FAT, which is not calculated correctly by some forensic tools. This issue came up in a recently discussion I had with Geoff Fellows (http://www.f3.org.uk/modules/smartclient/client.php?id=3). Although FAT last write timestamps only have a resolution of 2 seconds, whereas the create time has a resolution of 10 milliseconds that some forensic tools fail to take into account. A difference of milliseconds can be important in some cases, and any calculations based on an incorrect representation of creation timestamps will be incorrect.
The confusion arises from the fact that FAT file systems represent create and last write timestamps slightly differently. Last write timestamps are 32 bit little-endian values, interpreted as follows:
24 16 8 0
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
|Y|Y|Y|Y|Y|Y|Y|M| |M|M|M|D|D|D|D|D| |h|h|h|h|h|m|m|m| |m|m|m|s|s|s|s|s|
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
\____________/\________/\_________/ \________/\____________/\_________/
year month day hour minute second
Take as an example the following FAT folder entry with the last write date highlighted in bold:
$ icat /dev/sdb1 353884 | xxd
0000000: 2e20 2020 2020 2020 2020 2030 004f b079 . 0.O.y
0000010: 763a 763a 0000 b579 763a a502 0000 0000 v:v:…yv:……
0000020: 2e2e 2020 2020 2020 2020 2010 004f b079 .. ..O.y
0000030: 763a 763a 0000 b079 763a 6605 0000 0000 v:v:…yv:f…..
0000040: 4173 0061 006c 0076 0065 000f 009e 6e00 As.a.l.v.e….n.
0000050: 6500 7700 3400 2e00 6700 0000 6900 6600 e.w.4…g…i.f.
0000060: 5341 4c56 454e 7e31 4749 4620 0075 78b9 SALVEN~1GIF .ux.
0000070: 753a 763a 0000 78b9 753a 9212 c1d4 0000 u:v:..x.u:……
0000080: 4269 0066 0000 00ff ffff ff0f 0014 ffff Bi.f…………
0000090: ffff ffff ffff ffff ffff 0000 ffff ffff …………….
Converting to big-endian gives 3a 75 b9 78, which has the following binary representation:
00111010 01110101 10111001 01111000
This translates to a timestamp of 2009.03.21 23:11:48 as follows:
- 7 bits = 0011101 = 29 years since 1980
- 4 bits = 0011 = 3 months
- 5 bits = 10101 = 21 days
- 5 bits = 10111 = 23 hours
- 6 bits = 001011 = 11 minutes
- 5 bits = 11000 = 24 = 48 seconds
Note that 5 bits cannot store all 60 seconds, so last write timestamps must be incremented in 2 second intervals, and is always an even number of seconds.
Although the create time follows this same general calculation, it uses an additional 8 bits to represent one hundredths of a second. In the same directory listing above, the create timestamp is identical to the last modified timestamp except for an additional byte (75 78 b9 75 3a). The additional byte equates to 117 hundredths of a second, which brings the create time to 2009.03.21 23:11:49.17. Thus, the create time can have odd number of seconds, and has a resolution of 10 milliseconds.
Older versions of XWays Forensics had the option to display timestamps to tenths of a second, and newer versions can be configured with greater precision as shown here:
Note: Updated configuration screenshot showing increased precision in XWays 15.1 SR3 provided by Geoff Fellows.
The create timestamps for files copied onto a thumb drive are shown here in XWays Forensics with tenths of seconds displayed:
However, some other forensic tools like TSK only interpret the first four bytes of the create date-time stamp, limiting the resolution to 2 seconds. This is demonstrated in the following listing of the same files as those listed above using XWays (we have reported this bug and it will be fixed in the next release of TSK).
$ fls -l /dev/sdb1 353884 | awk {‘print $3 “\t“ $10 “\t“ $11 “ “ $12′} | sort –key 2
snake_oil.jpg 2009.03.21 23:03:32 (EDT)
orange-Clark_Stanley_Snake_Oil.png 2009.03.21 23:04:32 (EDT)
orange-OilKingLrg.jpg 2009.03.21 23:04:48 (EDT)
orange-Drs_Mixer.jpg 2009.03.21 23:05:24 (EDT)
orange-Hostetters_Bitters.jpg 2009.03.21 23:05:42 (EDT)
orange-wine_of_tar.jpg 2009.03.21 23:05:54 (EDT)
orange-medsh17.jpg 2009.03.21 23:06:04 (EDT)
orange-miraclecure.jpg 2009.03.21 23:06:14 (EDT)
snakeoil.jpg 2009.03.21 23:07:22 (EDT)
snake-oil2.jpg 2009.03.21 23:08:16 (EDT)
banjsalv.jpg 2009.03.21 23:11:30 (EDT)
salvenew4.gif 2009.03.21 23:11:48 (EDT)
yankdcornsalvelg.jpg 2009.03.21 23:12:36 (EDT)
liniment-for-man-and-beast.jpg 2009.03.21 23:12:50 (EDT)
Thumbs.db 2009.03.22 14:25:12 (EDT)
This issue was recently fixed in EnCase version 6.12, and is documented in the release note as “339: EnCase does not read FAT Create Date correctly (BUGID67).” EnCase version 6.12 now displays the create time to the correct second but not the hundredth of a second.
If a forensic examiner is not aware of this error, it can not only introduce inaccuracies into his/her findings, it can also reflect poorly on his/her expertise in this area.
The fact that this bug has existed in EnCase and other widely used forensic tools clearly demonstrates the need to validate important findings using more than one tool. Furthermore, this issue demonstrates that forensic practitioners cannot simply push buttons and unquestioningly rely on the results, but rather must understand the underlying technology sufficiently to double check what their tools are reporting.
Another area relating to FAT file systems where current literature is incorrect is in file allocation strategies but that discussion is for another time…
(No Comments)
|
|
|
|
|
|
|
|
|
|
|
443-451-7330
