In these exercises, you will use a couple of file carving tools to carve different files from corrupted file systems or forensic images.
\nUsing the PhotoRec tool, try to carve files out of the given evidence [located at ~/Desktop/Module5/Lab13/FormattedDrive.001], and answer the following questions:
\nYou are required to analyze the same evidence we used in Task 1 but this time using the Foremost tool to check if we can carve files that were not found when we used PhotoRec. After running the tool:
\nWe will continue working with the same forensic image files as before, but this time with a new tool called Scalpel. Please make sure you use the custom \"scalpel.conf\" file provided.
\nIn this part of the lab, we want to prepare PhotoRec for a future task. PhotoRec by default is not able to extract Windows Prefetch files (don't ask what are they yet, that will come soon). In order to get PhotoRec equipped with such capabilities, we need to write our own signatures.
\nbulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results can be easily inspected, parsed, or processed with automated tools. More info: http://www.forensicswiki.org/wiki/Bulk_extractor and https://github.com/simsong/bulk_extractor/
",
"published_date": "2020-10-20T15:32:26Z",
"solutions": "# SOLUTIONS\n\n## Task 1: File Carving using PhotoRec\n\nLet's start by using PhotoRec in order to answer the required questions. We can do that easily by doing the following:\n\n```\n# cd Desktop/Module5/Lab13\n# photorec FormattedDrive.001\n```\n\nWith that we reach the welcome message or banner of PhotoRec with some basic information about the tool, as you can see in the figure below:\n\n\n\nWe can proceed, so just press **Enter** while the cursor has selected **[Proceed]**.\n\nAfter doing that, we reach the following:\n\n\n\nIn this window, we need to select the file system or disk that we want to start carving files from. Now, in our case here, we have an NTFS partition and an entry for the whole disk. Since there could be evidence in other places other than the file system, let's select **[Whole disk]** and then press the **[Search]** button to proceed.\n\nNow, PhotoRec requires that we select the file system type that is being used, so make sure that **[Other]** is selected and then press **Enter**.\n\n\n\nNow, PhotoRec is asking you where to store the files that it will be carving; for this lab, you can leave the first selection (the **.** dot, to store in the same directory) and then press **C** to continue.\n\nAfter PhotoRec is finished, it will give you a summary of the number of files that have been carved and the location that was used to store them, as seen below:\n\n\n\nAfter that, press the **[ QUIT ]** button, then go to the **[ QUIT ]** button again to exit this window, then finally another **[ QUIT ]** to exit PhotoRec. You can use the arrows to navigate through the menu.\n\nSo now we are ready to answer the questions:\n\n1. How many pictures can you manage to carve?\n\n **[Answer:]**\n\n PhotoRec found 10 files.\n\n We can check the report generated, that is named report.xml.\n\n2. Did you find any suspicious pictures or were they ordinary pictures?\n\n **[Answer:]** \n Pictures of Mr.Robot and hacking stuff were found.\n\n3. Did you find any other files? What are they?\n\n **[Answer:]**\n\n Yes, I found a PDF File about Hacking, a couple of EXE files (Putty, PSFTP, and PSCP), also a 7zip file.\n\n4. Did you manage to open the other files you extracted, and why?\n\n **[Answer:]**\n\n Yes, except the 7zip file, because it was password protected.\n\n5. How can you identify the 7zip file using its header to verify that it is truly a 7zip file?\n\n **[Answer:]**\n\n We can use the following (note: change file.7z to the name of the carved file on your system):\n\n ```\n # xxd file.7z | head -n20\n ```\n\n Using GaryKessler's file signature database online, we can prove that it truly is for a 7zip file. You can find the database at: https://www.garykessler.net/library/file_sigs.html\n\n6. Did you manage to open the 7zip file? How did you do it, and what was written in this report?\n\n **[Answer:]**\n\n Yes, while checking the photos available, we found a photo that had the following password written in it: Dylan_2791\n\n People tend to use such techniques to remember their passwords. So, after trying the password found, we managed to open the file and reach the content inside. We found the following text:\n\n ```\n Mr.Robot Plan:\n 1. Hack first machine\n 2. Hack second machine\n 3. Hack third machine\n 4. Send SMS to +0018455550\n 5. Solve the riddle :D\n 6. Keep hacking until there is no machines :D\n Plan is to invade computers and keep hacking...\n ```\n \n\n## Task 2: File Carving using Foremost\n\nIn this task, we need to use Foremost instead of PhotoRec to see what differences can be found if any. To run the tool against our evidence, we need to do the following:\n\n```\n# cd Desktop/Module5/Lab13\n# foremost -T FormattedDrive.001\n```\n\nNow let's answer the questions below:\n\n1. What did you find? Do you have an idea why? (Hint: Do an ls and explore)\n\n **[Answer:]**\n \n We found that foremost carved a couple of files and created a subdirectory for each type. Also, it created a text file named **audit.txt** with details of what was done, which was stored by default in a directory named **output_DATE_TIME**. By checking the audit.txt report in that folder, we found that foremost managed to find only 9 files.\n\n2. Update the foremost configuration file in order to carve specific files (PNG and PDF).\n\n **[Answer:]**\n \n What we need to do here is edit the **foremost.conf** configuration file and make sure we comment out the lines referring to PNG and PDF, which can be done like this:\n\n ```\n # vi /etc/foremost.conf\n ```\n Then search for the line below:\n ```\n # png y 200000 \\x50\\x4e\\x47? \\xff\\xfc\\xfd\\xfe\n ```\n \n And make sure you remove the **#** from the beginning of the line containing the file signature. Do the same for PDF, and after you finish press **Esc**, then **:x** (yes colon + x).\n\n Now if we run the command again like we did before, it will generate a directory with another directory with a new time stamp.\n\n This time four files were found: 3 PNG files and 1 PDF file.\n\n3. Could you tell what type of files foremost was searching for by default?\n\n **[Answer:]**\n\n From the man page of foremost, it says that it runs all pre-defined extraction methods. Most files are already built into foremost and can be carved out automatically. The configuration file is used to control or add other file formats that are not already defined by foremost.\n\n4. What must be done to locate JPG files for example?\n\n **[Answer:]** \n\n Foremost is supposed to be able to carve them out automatically, but if you have specific configurations or want to make sure all variations, for example, are checked, then make sure you add and comment out the lines below from the foremost.conf file: \n ```\n # jpg y 20000000 \\xff \\xd8 \\xff \\xe0 \\x00 \\x10 \\xff\\xd9 \n # jpg y 20000000 \\xff\\xd8\\\\xff\\xe1\\xff\\xd9 \n # jpg y 20000000 \\xff\\xd8 \\xff\\xd9\n ```\n\n5. After completing the tests on the forensic image. Which do you think was more successful than the other? Does such opinion lead you to a conclusion?\n\n **[Answer:]** \n \n I believe both are a good option and both could be used to make sure that we didn't miss anything. PhotoRec by default found 10 files, while foremost found 9 by default and 4 when we modified its configuration file.\n\n## Task 3: File Carving using Scalpel\n\nWe will continue working with the same forensic image files as before, but this time with a new tool called Scalpel. Please make sure you use the custom \"scalpel.conf\" [located at **/root/Desktop/Module5/Lab13/scalpel.conf**] file provided. To run Scalpel with our specific configuration file, we can do the following:\n\n```\n# cd Desktop/Module5/Lab13\n# scalpel -c scalpel.conf FormattedDrive.001\n```\n\nAfter completing the analysis of the evidence:\n\n1. Did scalpel manage to achieve carving the same number of files?\n\n **[Answer:]**\n\n No, because we didn't specify what type of files do we want to search for.\n\n2. What was missing, and what must be done to correct that?\n\n **[Answer:]**\n\n The signatures were missing. We need to comment out the signatures for all files that we need to carve out (this should be executed inside the provided scalpel.conf file). After selecting the main types, it seems that scalpel did even better. Scalpel managed to carve out 17 files. It created a scalpel-output directory (unless specified something different) and with subdirectories of the file types, it managed to extract.\n\n## Task 4: Defining New File Signatures for PhotoRec\n\nIn this part of the lab, we want to prepare PhotoRec for a future task. PhotoRec by default is not able to extract Windows Prefetch files (don't ask what are they yet, that will come soon). In order to get PhotoRec equipped with such capabilities, we need to write our own signatures.\n\nFirst, I need you to check the URL below for the file signature of a **Window 8**|**8.1** prefetch file\n\n\n\nSo, first let's create a file named \"photorec.sig\" either in your users home directory (e.g., /root/) or in the same current working directory and then add the signature we found. You are supposed to have a file like this:\n\next 0 0x474946383761\n\n\n\nThe first column represents the file extension of the file, in our case it is \"pf,\" then the offset, and finally the file signature which we found on Gary Kessler's file signature website. Make sure there is only a single space between them (Note: use spacebar, the line above has more just to provide a clearer explanation).\n\n1. Which files were known, and which wasn't?\n\n **[Answer:]**\n\n We need to run PhotoRec and then check the File options section.\n\n2. What must be done to identify all of them?\n\n **[Answer:]**\n\n All we need to do is select the file of interest using the space bar (toggle the selection).\n\n **Note:** PhotoRec by default when run will load any custom created signatures. To make sure of that, just check the File Options screen.\n\n \n\n## Task 5: Using Bulk_extractor to Extract Data\n\nbulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results can be easily inspected, parsed, or processed with automated tools. More info: http://www.forensicswiki.org/wiki/Bulk_extractor and https://github.com/simsong/bulk_extractor/\n\nTo start **bulk_extractor** with its default settings, all you need to do is the following:\n\n```\n# cd Desktop/Module5/Lab13\n# bulk_extractor -o BulkResults FormattedDrive.001\n```\n\nThis will run bulk_extractor and extract all information and store them in the BulkResults directory. Now, check the contents of the results directory. All the domains and emails came from the files that bulk_extractor managed to locate and extract, plus free unallocated space that was previously used for file.\n\nSometimes you will have to carve parts of a file manually and sew the file together manually too using a hex editor!",
"solutions_html": "SOLUTIONS
\nTask 1: File Carving using PhotoRec
\nLet's start by using PhotoRec in order to answer the required questions. We can do that easily by doing the following:
\n# cd Desktop/Module5/Lab13\n# photorec FormattedDrive.001
\n\nWith that we reach the welcome message or banner of PhotoRec with some basic information about the tool, as you can see in the figure below:
\n![\"1\"](\"https://assets.ine.com/content/ptp/lab_13_file_carving_and_creating_custom_signatures/1.png\")
\nWe can proceed, so just press Enter while the cursor has selected [Proceed].
\nAfter doing that, we reach the following:
\n![\"2\"](\"https://assets.ine.com/content/ptp/lab_13_file_carving_and_creating_custom_signatures/2.png\")
\nIn this window, we need to select the file system or disk that we want to start carving files from. Now, in our case here, we have an NTFS partition and an entry for the whole disk. Since there could be evidence in other places other than the file system, let's select [Whole disk] and then press the [Search] button to proceed.
\nNow, PhotoRec requires that we select the file system type that is being used, so make sure that [Other] is selected and then press Enter.
\n![\"3\"](\"https://assets.ine.com/content/ptp/lab_13_file_carving_and_creating_custom_signatures/3.png\")
\nNow, PhotoRec is asking you where to store the files that it will be carving; for this lab, you can leave the first selection (the . dot, to store in the same directory) and then press C to continue.
\nAfter PhotoRec is finished, it will give you a summary of the number of files that have been carved and the location that was used to store them, as seen below:
\n![\"4\"](\"https://assets.ine.com/content/ptp/lab_13_file_carving_and_creating_custom_signatures/4.png\")
\nAfter that, press the [ QUIT ] button, then go to the [ QUIT ] button again to exit this window, then finally another [ QUIT ] to exit PhotoRec. You can use the arrows to navigate through the menu.
\nSo now we are ready to answer the questions:
\n\n- \n
How many pictures can you manage to carve?
\n[Answer:]
\nPhotoRec found 10 files.
\nWe can check the report generated, that is named report.xml.
\n \n- \n
Did you find any suspicious pictures or were they ordinary pictures?
\n[Answer:] \nPictures of Mr.Robot and hacking stuff were found.
\n \n- \n
Did you find any other files? What are they?
\n[Answer:]
\nYes, I found a PDF File about Hacking, a couple of EXE files (Putty, PSFTP, and PSCP), also a 7zip file.
\n \n- \n
Did you manage to open the other files you extracted, and why?
\n[Answer:]
\nYes, except the 7zip file, because it was password protected.
\n \n- \n
How can you identify the 7zip file using its header to verify that it is truly a 7zip file?
\n[Answer:]
\nWe can use the following (note: change file.7z to the name of the carved file on your system):
\n# xxd file.7z | head -n20
\n\nUsing GaryKessler's file signature database online, we can prove that it truly is for a 7zip file. You can find the database at: https://www.garykessler.net/library/file_sigs.html
\n \n- \n
Did you manage to open the 7zip file? How did you do it, and what was written in this report?
\n[Answer:]
\nYes, while checking the photos available, we found a photo that had the following password written in it: Dylan_2791
\nPeople tend to use such techniques to remember their passwords. So, after trying the password found, we managed to open the file and reach the content inside. We found the following text:
\nMr.Robot Plan:\n1. Hack first machine\n2. Hack second machine\n3. Hack third machine\n4. Send SMS to +0018455550\n5. Solve the riddle :D\n6. Keep hacking until there is no machines :D\nPlan is to invade computers and keep hacking...
\n![\"5\"](\"https://assets.ine.com/content/ptp/lab_13_file_carving_and_creating_custom_signatures/5.png\")
\n \n
\nTask 2: File Carving using Foremost
\nIn this task, we need to use Foremost instead of PhotoRec to see what differences can be found if any. To run the tool against our evidence, we need to do the following:
\n# cd Desktop/Module5/Lab13\n# foremost -T FormattedDrive.001
\n\nNow let's answer the questions below:
\n\n- \n
What did you find? Do you have an idea why? (Hint: Do an ls and explore)
\n[Answer:]
\nWe found that foremost carved a couple of files and created a subdirectory for each type. Also, it created a text file named audit.txt with details of what was done, which was stored by default in a directory named output_DATE_TIME. By checking the audit.txt report in that folder, we found that foremost managed to find only 9 files.
\n \n- \n
Update the foremost configuration file in order to carve specific files (PNG and PDF).
\n[Answer:]
\nWhat we need to do here is edit the foremost.conf configuration file and make sure we comment out the lines referring to PNG and PDF, which can be done like this:
\n# vi /etc/foremost.conf
\nThen search for the line below:\n# png y 200000 \\x50\\x4e\\x47? \\xff\\xfc\\xfd\\xfe
\nAnd make sure you remove the # from the beginning of the line containing the file signature. Do the same for PDF, and after you finish press Esc, then :x (yes colon + x).
\nNow if we run the command again like we did before, it will generate a directory with another directory with a new time stamp.
\nThis time four files were found: 3 PNG files and 1 PDF file.
\n \n- \n
Could you tell what type of files foremost was searching for by default?
\n[Answer:]
\nFrom the man page of foremost, it says that it runs all pre-defined extraction methods. Most files are already built into foremost and can be carved out automatically. The configuration file is used to control or add other file formats that are not already defined by foremost.
\n \n- \n
What must be done to locate JPG files for example?
\n[Answer:]
\nForemost is supposed to be able to carve them out automatically, but if you have specific configurations or want to make sure all variations, for example, are checked, then make sure you add and comment out the lines below from the foremost.conf file: \n
# jpg y 20000000 \\xff \\xd8 \\xff \\xe0 \\x00 \\x10 \\xff\\xd9 \n# jpg y 20000000 \\xff\\xd8\\\\xff\\xe1\\xff\\xd9 \n# jpg y 20000000 \\xff\\xd8 \\xff\\xd9
\n \n- \n
After completing the tests on the forensic image. Which do you think was more successful than the other? Does such opinion lead you to a conclusion?
\n[Answer:]
\nI believe both are a good option and both could be used to make sure that we didn't miss anything. PhotoRec by default found 10 files, while foremost found 9 by default and 4 when we modified its configuration file.
\n \n
\nTask 3: File Carving using Scalpel
\nWe will continue working with the same forensic image files as before, but this time with a new tool called Scalpel. Please make sure you use the custom \"scalpel.conf\" [located at /root/Desktop/Module5/Lab13/scalpel.conf] file provided. To run Scalpel with our specific configuration file, we can do the following:
\n# cd Desktop/Module5/Lab13\n# scalpel -c scalpel.conf FormattedDrive.001
\n\nAfter completing the analysis of the evidence:
\n\n- \n
Did scalpel manage to achieve carving the same number of files?
\n[Answer:]
\nNo, because we didn't specify what type of files do we want to search for.
\n \n- \n
What was missing, and what must be done to correct that?
\n[Answer:]
\nThe signatures were missing. We need to comment out the signatures for all files that we need to carve out (this should be executed inside the provided scalpel.conf file). After selecting the main types, it seems that scalpel did even better. Scalpel managed to carve out 17 files. It created a scalpel-output directory (unless specified something different) and with subdirectories of the file types, it managed to extract.
\n \n
\nTask 4: Defining New File Signatures for PhotoRec
\nIn this part of the lab, we want to prepare PhotoRec for a future task. PhotoRec by default is not able to extract Windows Prefetch files (don't ask what are they yet, that will come soon). In order to get PhotoRec equipped with such capabilities, we need to write our own signatures.
\nFirst, I need you to check the URL below for the file signature of a Window 8|8.1 prefetch file
\nhttp://www.garykessler.net/library/file_sigs.html
\nSo, first let's create a file named \"photorec.sig\" either in your users home directory (e.g., /root/) or in the same current working directory and then add the signature we found. You are supposed to have a file like this:
\next 0 0x474946383761
\n![\"6\"](\"https://assets.ine.com/content/ptp/lab_13_file_carving_and_creating_custom_signatures/6.png\")
\nThe first column represents the file extension of the file, in our case it is \"pf,\" then the offset, and finally the file signature which we found on Gary Kessler's file signature website. Make sure there is only a single space between them (Note: use spacebar, the line above has more just to provide a clearer explanation).
\n\n- \n
Which files were known, and which wasn't?
\n[Answer:]
\nWe need to run PhotoRec and then check the File options section.
\n \n- \n
What must be done to identify all of them?
\n[Answer:]
\nAll we need to do is select the file of interest using the space bar (toggle the selection).
\nNote: PhotoRec by default when run will load any custom created signatures. To make sure of that, just check the File Options screen.
\n![\"7\"](\"https://assets.ine.com/content/ptp/lab_13_file_carving_and_creating_custom_signatures/7.png\")
\n \n
\nTask 5: Using Bulk_extractor to Extract Data
\nbulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results can be easily inspected, parsed, or processed with automated tools. More info: http://www.forensicswiki.org/wiki/Bulk_extractor and https://github.com/simsong/bulk_extractor/
\nTo start bulk_extractor with its default settings, all you need to do is the following:
\n# cd Desktop/Module5/Lab13\n# bulk_extractor -o BulkResults FormattedDrive.001
\n\nThis will run bulk_extractor and extract all information and store them in the BulkResults directory. Now, check the contents of the results directory. All the domains and emails came from the files that bulk_extractor managed to locate and extract, plus free unallocated space that was previously used for file.
\nSometimes you will have to carve parts of a file manually and sew the file together manually too using a hex editor!
",
"flags": [],
"min_points_to_pass": null,
"access_type": "default",
"user_status": "unstarted",
"user_lab_status": null,
"user_status_modified": null,
"user_flags": [],
"global_running_session": null
}