
Forensics is the term used to describe the processes involved in acquiring and analyzing data from captured electronic media. This media can be hard drives, USB thumb drives, CD-ROMs or anything else that contains computer data. Forensics as part of a legal investigation can be tremendously complex due to the need to preserve ephemeral evidence and chain of custody. Luckily these are things you don't have to worry about, as your only goal is to recover data in the context of a penetration test.

There are a number of different ways you can go about analyzing captured electronic media. However, the following approach is easy to follow, produces results, and is repeatable. You will need the following:

• A copy of the Helix forensic toolkit, which can be downloaded for free at www.e-fense.com/helix/

• An external USB2.0 capable high capacity hard drive.

You want to create an image of your captured media and store it on the hard drive. This allows you greater freedom during the analysis process and, as you're not working on the original data, you don't have to worry about erasing or damaging data. Forensic investigators rely on this technique to ensure the legal forensic integrity of the data, though this is not a concern for penetration testers. Helix reads the data 'bitwise' from the media to ensure a perfect copy. This has an added advantage: any deleted data on the drive (that hasn't been overwritten) is preserved and can be analyzed just as easily as regular data can. Helix also lets you search for keywords or particular kinds of data and read operating system passwords, among other things. All in all, it's a flexible, easy-to-use package that has many powerful features for advanced users. It's also free.

Getting Started with Helix

It would be very easy to write a whole book on Helix and still not cover all of its features. However, my only intention with this section is to describe the basic features of acquisition and analysis but I encourage you to work with Helix and learn to use the more advanced features. It’s worth it.

Data Acquisition in Windows

All data acquisition here refers to media that have been taken from site (i.e. dumpsters). Acquisition of the media is a lot easier in Windows.

94 INFORMATION GATHERING

Unfortunately there are no (good) analysis tools for Windows, so I switch to Linux for that. Helix can either boot straight into Linux on startup or run as a program within Windows. Running it within Windows is the easiest way to get started. It's possible to use Helix as a forensically safe Linux boot disk, but this is absolutely not necessary here. You're not trying to preserve a chain of evidence, merely mine data.

Follow these steps:

1. Boot into Windows.

2. Plug in the media you wish to capture and an external hard drive to store the resulting images. Note: You can store these images on your internal hard drive if you wish, but if you're capturing a lot of media you're going to use up disk space fast. In Figure 6.1, I am capturing an 8G SD card and storing it on an external drive.

Figure 6.1 Helix lets you explore data you capture.

3. Insert the Helix CD-ROM. This will autoload the Helix Windows software. Figure 6.2 shows Helix booted.

4. You now need to configure the capture settings. Select live acquisition (the camera icon on the left) and set the following:

• Source: This is the target media. You can select it from the drop-down box.


Figure 6.2 Once you boot Helix, you see a menu of choices.

• Destination: This should be the external drive.

• Image Name: Follow some sort of naming convention if you’ve got a lot of media.

FAT filesystems can only hold files up to 4GB in size. Therefore it's a good idea to click Split Image. You then have the option of splitting the image into chunks that will fit on a CD-ROM, DVD or FAT32 filesystem.

Your screen should look like Figure 6.3:

5. Now click Acquire to see a screen similar to Figure 6.4.

The length of this process will depend on the size of the media you are acquiring.

Data Analysis

At this point, you will have one large .dd file or several smaller .dd.xx files. Unfortunately, for Windows, Helix doesn't have any application to analyze the images. To do so, you need to boot your system with Helix (i.e. Linux mode). To do this, insert the Helix disk and restart your computer. Helix will boot automatically. Then follow these steps:
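The Split Image option above and the .dd.xx files it leaves you with raise one practical question: how do you know the chunks you carried around on a FAT32 drive still add up to the exact bitwise copy that was taken? The following is an added example, not code from the book or part of Helix, that performs the same round trip on a constructed image: it splits a raw image into numbered chunks under a size limit, records a SHA-256 per chunk, and reassembles them while refusing any chunk whose hash no longer matches. The `.001`-style suffix, the chunk size and the sample data are assumptions for the demonstration.

```python
import hashlib
import os
import tempfile

# Assumption: FAT32 cannot hold a file of 4 GiB or more, so a real chunk
# limit would be 4 GiB - 1 byte. The demo below uses a tiny limit instead.
FAT32_MAX_FILE = 4 * 1024 * 1024 * 1024 - 1


def sha256_file(path, bufsize=1 << 20):
    """Stream a file through SHA-256 so large images are never read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(bufsize), b""):
            h.update(block)
    return h.hexdigest()


def split_image(image_path, out_dir, chunk_size, bufsize=1 << 20):
    """Split a raw image into numbered chunks (name.001, name.002, ...).

    Returns a list of (chunk_path, sha256) in the order the chunks must be
    rejoined. The numeric suffix is an assumed naming convention.
    """
    chunks = []
    index = 1
    base = os.path.basename(image_path)
    with open(image_path, "rb") as src:
        while True:
            chunk_path = os.path.join(out_dir, f"{base}.{index:03d}")
            h = hashlib.sha256()
            written = 0
            with open(chunk_path, "wb") as dst:
                while written < chunk_size:
                    data = src.read(min(bufsize, chunk_size - written))
                    if not data:
                        break
                    dst.write(data)
                    h.update(data)
                    written += len(data)
            if written == 0:  # source exhausted: drop the empty trailing file
                os.remove(chunk_path)
                break
            chunks.append((chunk_path, h.hexdigest()))
            index += 1
    return chunks


def reassemble(chunks, out_path):
    """Concatenate chunks in order, verifying each hash before appending.

    Raises ValueError on the first chunk that does not match its recorded
    hash, so a damaged or swapped chunk never silently enters the image.
    Returns the SHA-256 of the rebuilt image.
    """
    total = hashlib.sha256()
    with open(out_path, "wb") as dst:
        for chunk_path, expected in chunks:
            actual = sha256_file(chunk_path)
            if actual != expected:
                raise ValueError(f"hash mismatch for {chunk_path}")
            with open(chunk_path, "rb") as src:
                for block in iter(lambda: src.read(1 << 20), b""):
                    dst.write(block)
                    total.update(block)
    return total.hexdigest()


def demo(tamper=False):
    """Round-trip a constructed 10240-byte 'image' through split and rebuild.

    With tamper=True one byte of the second chunk is flipped first, which
    reassemble() must detect. Returns a small result dict for inspection.
    """
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "sdcard.dd")
        payload = bytes(range(256)) * 40  # constructed sample data, not a real image
        with open(image, "wb") as f:
            f.write(payload)
        original = sha256_file(image)
        chunks = split_image(image, tmp, chunk_size=4096)  # 4096, 4096, 2048 bytes
        if tamper:
            path, _ = chunks[1]
            with open(path, "r+b") as f:
                f.seek(10)
                f.write(b"\xff")
        rebuilt = os.path.join(tmp, "rebuilt.dd")
        try:
            rebuilt_hash = reassemble(chunks, rebuilt)
        except ValueError:
            return {"chunks": len(chunks), "match": False, "rejected": True}
        return {
            "chunks": len(chunks),
            "match": rebuilt_hash == original,
            "rejected": False,
            "size": os.path.getsize(rebuilt),
        }


if __name__ == "__main__":
    print(demo())
    print(demo(tamper=True))
```

The per-chunk hashes are what you would write to a manifest next to the .dd.xx files on the external drive; verifying the whole-image hash against the one computed at acquisition time is the check that tells you the analysis copy is still the copy you took.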

1. Once the system is booted, launch Autopsy from Helix's forensic menu in the main menu. This is a web browser interface, so wait for the browser to load, then create a New Case at the bottom of the screen. Then, you will be asked to add hosts.

Figure 6.3 Helix after you select live settings.

Figure 6.4 Helix shows you that it is processing your request.

2. Click on the Add Host button and a new page will appear. It will ask you to add an image to investigate. Here, give the location of the image you just acquired.

Below the image-location field, you will find three radio buttons that let you copy the image file into your locker directory, move it there, or create a link to the actual image file from the locker directory. The best option is to copy the entire image file to the locker directory.

3. Finally, click on the Add Image button.

Now, it's time to run tests on the case you just created.

4. From the Case Gallery, first select the case, host and the image on which you want to run the tests. For example, if you want to know all the deleted files in the image, click on the File Analysis button and then click the All Deleted Files button. This will show you the names and dates of all the deleted files, as shown in Figure 6.5.

Figure 6.5 Viewing deleted information.

You may be looking for a specific piece of data or a key word. Luckily for you, Autopsy supports searching on specific words as shown in Figure 6.6.


Figure 6.6 Want to search for specific words or phrases? No problem.

It’s also possible to extract all ASCII strings from an image as shown in Figure 6.7.

Figure 6.7 Extracting ASCII strings.
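The keyword search and the ASCII-string extraction Autopsy offers are both scans over the raw bytes of the image, so they work on deleted file content and slack space just as well as on live files. As an added example (not code from the book or from Helix/Autopsy), the block below implements both on a constructed image fragment, and goes a little beyond the figures by also handling UTF-16LE ("wide") text, which is how Windows stores many filenames, registry values and document strings and which a plain ASCII pass misses entirely. The sample bytes and the minimum string length of 4 are assumptions.

```python
import re

# Constructed sample "image" fragment: a boot-sector-like header, some
# ASCII text, a too-short run, an e-mail header, a UTF-16LE string as
# Windows would store it, and a final ASCII run at the very end of the data.
SAMPLE_IMAGE = (
    b"\xeb\x3c\x90MSDOS5.0\x00\x02\x08"
    + b"\xff\xfeProject Falcon - budget.xlsx\x00\x01"
    + b"ab\x07"                              # shorter than min_len: not reported
    + b"From: accounts@example.com\r\n"
    + "Q4 report".encode("utf-16-le")        # wide string, invisible to an ASCII scan
    + b"\xd2\x9aFALCON"
)


def extract_strings(data, min_len=4, wide=False):
    """Return (offset, text) for every run of at least min_len printable chars.

    'Printable' means ASCII 0x20-0x7E plus tab, the same rule strings(1) uses.
    With wide=True each character must be followed by a NUL byte (UTF-16LE),
    which is what strings -el does.
    """
    unit = rb"[\x20-\x7e\t]"
    if wide:
        unit += rb"\x00"
    pattern = re.compile(b"(?:" + unit + b"){" + str(min_len).encode() + b",}")
    found = []
    for m in pattern.finditer(data):
        raw = m.group(0)
        text = raw.decode("utf-16-le") if wide else raw.decode("ascii")
        found.append((m.start(), text))
    return found


def search_keyword(data, keyword, ignore_case=True):
    """Return sorted (offset, encoding) hits for keyword in ASCII and UTF-16LE.

    Searching both encodings matters: a filename that only exists as a wide
    string in an NTFS record never matches an ASCII-only search.
    """
    flags = re.IGNORECASE if ignore_case else 0
    hits = []
    for label, encoded in (
        ("ascii", keyword.encode("ascii")),
        ("utf-16le", keyword.encode("utf-16-le")),
    ):
        for m in re.finditer(re.escape(encoded), data, flags):
            hits.append((m.start(), label))
    return sorted(hits)


def triage(data, keywords, min_len=4):
    """Run both passes over an image and summarise per keyword."""
    return {
        "ascii_strings": extract_strings(data, min_len),
        "wide_strings": extract_strings(data, min_len, wide=True),
        "keywords": {k: search_keyword(data, k) for k in keywords},
    }


if __name__ == "__main__":
    report = triage(SAMPLE_IMAGE, ["falcon", "report"])
    for off, text in report["ascii_strings"]:
        print(f"ascii @{off:6d}: {text}")
    for off, text in report["wide_strings"]:
        print(f"wide  @{off:6d}: {text}")
    for k, hits in report["keywords"].items():
        print(f"{k!r}: {hits}")
```

On a real .dd image you would read the file in blocks rather than load it into memory, and a run of printable bytes straddling a block boundary needs carrying over to the next block; the offsets reported here are what you would feed back to Autopsy to see which file (or which unallocated sector) the hit lives in.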


There are a vast number of forensic tools available, many of them free to download, although expensive commercial solutions also exist. I wanted to introduce the world of forensics to you via Helix as these tools represent the baseline of what you need: the ability to acquire data and analyze it in a procedural manner. Tempting as it is to spend the rest of the chapter talking about forensics, and Helix in particular, it's only one aspect of the intelligence gathering process. In any case, you'll find a number of tools on the Helix disk for doing all kinds of specialist tasks, ranging from analyzing the Windows registry to password recovery, and I strongly recommend becoming familiar with them. They are a powerful weapon in your arsenal.