In these exercises, you will use a couple of file carving tools to carve different files from corrupted file systems or forensic images.
Evidence given: FormattedDrive.001 [located at ~/Desktop/Module5/Lab13].
Carve different files from corrupted systems
Practice file carving using different tools
How to perform file carving using popular file carving tools
Data can still be retrieved and carved out if it hasn't been overwritten
How to write custom signatures to carve a specific file of interest
PhotoRec
Foremost
Scalpel
Bulk_extractor
Let's start by using PhotoRec in order to answer the required questions. We can do that easily by doing the following:
# cd Desktop/Module5/Lab13
# photorec FormattedDrive.001
With that we reach the welcome message or banner of PhotoRec with some basic information about the tool, as you can see in the figure below:
We can proceed, so just press Enter while the cursor has selected [Proceed].
After doing that, we reach the following:
In this window, we need to select the file system or disk that we want to start carving files from. Now, in our case here, we have an NTFS partition and an entry for the whole disk. Since there could be evidence in other places other than the file system, let's select [Whole disk] and then press the [Search] button to proceed.
Now, PhotoRec requires that we select the file system type that is being used, so make sure that [Other] is selected and then press Enter.
Now, PhotoRec asks where to store the files it will carve; for this lab, keep the first selection (the . entry, i.e. the current directory) and then press C to continue.
After PhotoRec is finished, it will give you a summary of the number of files that have been carved and the location that was used to store them, as seen below:
After that, press the [ QUIT ] button, then go to the [ QUIT ] button again to exit this window, then finally another [ QUIT ] to exit PhotoRec. You can use the arrows to navigate through the menu.
So now we are ready to answer the questions:
How many pictures can you manage to carve?
[Answer:]
PhotoRec found 10 files.
We can confirm this in the generated report, which is named report.xml.
Did you find any suspicious pictures or were they ordinary pictures?
[Answer:] Pictures of Mr.Robot and hacking stuff were found.
Did you find any other files? What are they?
[Answer:]
Yes, I found a PDF file about hacking, a couple of EXE files (PuTTY, PSFTP, and PSCP), and also a 7zip file.
Did you manage to open the other files you extracted, and why?
[Answer:]
Yes, except the 7zip file, because it was password protected.
How can you identify the 7zip file using its header to verify that it is truly a 7zip file?
[Answer:]
We can use the following (note: change file.7z to the name of the carved file on your system):
# xxd file.7z | head -n20
Using GaryKessler's file signature database online, we can prove that it truly is for a 7zip file. You can find the database at: https://www.garykessler.net/library/file_sigs.html
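To make the header check above repeatable, here is an added example (not part of the lab or any of the tools it uses) that classifies a carved file from its leading bytes against a small table of well-known magic numbers and prints them xxd-style. The sample 7-Zip header is constructed, not taken from the evidence image.

```python
# Added example: verify a carved file by its magic bytes, the same check done
# by reading xxd output against a signature database such as Gary Kessler's.
# SIGNATURES is a hand-picked subset covering the file types found in this lab.
from __future__ import annotations

# ext -> (offset, magic bytes); all values are well-known magic numbers
SIGNATURES = {
    "7z":  (0, bytes.fromhex("377ABCAF271C")),    # "7z" 0xBC 0xAF 0x27 0x1C
    "png": (0, bytes.fromhex("89504E470D0A1A0A")),
    "jpg": (0, bytes.fromhex("FFD8FF")),
    "pdf": (0, b"%PDF"),
    "exe": (0, b"MZ"),                             # DOS/PE header (PuTTY etc.)
    "gif": (0, b"GIF8"),                           # GIF87a / GIF89a
}

def identify(data: bytes) -> str | None:
    """Return the extension whose magic matches `data`, or None if nothing does."""
    best = None
    for ext, (offset, magic) in SIGNATURES.items():
        if data[offset:offset + len(magic)] == magic:
            # keep the longest match so a short magic cannot shadow a longer one
            if best is None or len(magic) > len(SIGNATURES[best][1]):
                best = ext
    return best

def hexdump(data: bytes, lines: int = 2) -> str:
    """xxd-style dump of the first `lines` 16-byte rows, for eyeballing a header."""
    out = []
    for row in range(lines):
        chunk = data[row * 16:(row + 1) * 16]
        if not chunk:
            break
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        out.append(f"{row * 16:08x}: {hexpart:<39}  {asc}")
    return "\n".join(out)

def identify_file(path: str) -> str | None:
    """Read only the header of a carved file on disk and classify it."""
    with open(path, "rb") as fh:
        return identify(fh.read(32))

# Constructed sample: a 7-Zip signature followed by padding (not a real archive).
SAMPLE_7Z = bytes.fromhex("377ABCAF271C") + b"\x00\x04" + b"\x00" * 24

if __name__ == "__main__":
    print(hexdump(SAMPLE_7Z))
    print("identified as:", identify(SAMPLE_7Z))   # prints 7z
```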
Did you manage to open the 7zip file? How did you do it, and what was written in this report?
[Answer:]
Yes, while checking the photos available, we found a photo that had the following password written in it: Dylan_2791
People tend to use such techniques to remember their passwords. So, after trying the password found, we managed to open the file and reach the content inside. We found the following text:
Mr.Robot Plan:
1. Hack first machine
2. Hack second machine
3. Hack third machine
4. Send SMS to +0018455550
5. Solve the riddle :D
6. Keep hacking until there is no machines :D
Plan is to invade computers and keep hacking...
In this task, we need to use Foremost instead of PhotoRec to see what differences can be found if any. To run the tool against our evidence, we need to do the following:
# cd Desktop/Module5/Lab13
# foremost -T FormattedDrive.001
Now let's answer the questions below:
What did you find? Do you have an idea why? (Hint: Do an ls and explore)
[Answer:]
We found that foremost carved a couple of files and created a subdirectory for each type. Also, it created a text file named audit.txt with details of what was done, which was stored by default in a directory named output_DATE_TIME. By checking the audit.txt report in that folder, we found that foremost managed to find only 9 files.
Update the foremost configuration file in order to carve specific files (PNG and PDF).
[Answer:]
What we need to do here is edit the foremost.conf configuration file and uncomment the lines referring to PNG and PDF, which can be done like this:
# vi /etc/foremost.conf
Then search for the line below:
# png y 200000 \x50\x4e\x47? \xff\xfc\xfd\xfe
And make sure you remove the # from the beginning of the line containing the file signature. Do the same for PDF, and after you finish press Esc, then :x (yes colon + x).
Now, if we run the same command again, foremost will create another output directory with a new timestamp.
This time four files were found: 3 PNG files and 1 PDF file.
Could you tell what type of files foremost was searching for by default?
[Answer:]
From the man page of foremost, it says that it runs all pre-defined extraction methods. Most files are already built into foremost and can be carved out automatically. The configuration file is used to control or add other file formats that are not already defined by foremost.
What must be done to locate JPG files for example?
[Answer:]
Foremost is supposed to be able to carve them out automatically, but if you have a specific configuration or want to make sure all variations are checked, uncomment the lines below in the foremost.conf file:
# jpg y 20000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9
# jpg y 20000000 \xff\xd8\xff\xe1 \xff\xd9
# jpg y 20000000 \xff\xd8 \xff\xd9
After completing the tests on the forensic image, which tool do you think was more successful than the other? Does that opinion lead you to a conclusion?
[Answer:]
I believe both are a good option and both could be used to make sure that we didn't miss anything. PhotoRec by default found 10 files, while foremost found 9 by default and 4 when we modified its configuration file.
We will continue working with the same forensic image files as before, but this time with a new tool called Scalpel. Please make sure you use the custom "scalpel.conf" [located at /root/Desktop/Module5/Lab13/scalpel.conf] file provided. To run Scalpel with our specific configuration file, we can do the following:
# cd Desktop/Module5/Lab13
# scalpel -c scalpel.conf FormattedDrive.001
After completing the analysis of the evidence:
Did scalpel manage to achieve carving the same number of files?
[Answer:]
No, because we didn't specify what types of files we want to search for.
What was missing, and what must be done to correct that?
[Answer:]
The signatures were missing. We need to uncomment the signatures for all file types that we want to carve out (this is done inside the provided scalpel.conf file). After selecting the main types, it seems that scalpel did even better: it managed to carve out 17 files. It created a scalpel-output directory (unless a different one is specified) with a subdirectory for each file type it managed to extract.
In this part of the lab, we want to prepare PhotoRec for a future task. By default, PhotoRec is not able to extract Windows Prefetch files (don't ask what they are yet, that will come soon). In order to equip PhotoRec with such a capability, we need to write our own signatures.
First, I need you to check the URL below for the file signature of a Windows 8/8.1 prefetch file:
http://www.garykessler.net/library/file_sigs.html
So, first let's create a file named "photorec.sig" either in your user's home directory (e.g., /root/) or in the current working directory, and then add the signature we found. You are supposed to end up with a file like this:
ext 0 0x474946383761
The first column is the file extension (in our case "pf"), then the offset, and finally the file signature we found on Gary Kessler's file signature website. Make sure there is only a single space between the columns (note: use the spacebar; the line above is spaced out just to make the explanation clearer).
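As an added example (not PhotoRec's own code), the following parses lines in the photorec.sig format described above and scans a disk image for each signature at sector-aligned positions, which is how a carver locates candidate file headers. It assumes 512-byte sectors and treats "#" as a comment marker for convenience; the GIF87a line is the one shown in the lab, while the 7-Zip line and the sample image are constructed for the demonstration.

```python
# Added example: parse "ext offset 0xHEX" signature lines and locate matching
# headers in an image. Simplification: headers are only looked for at the start
# of each 512-byte sector (an assumption of this example, not PhotoRec's rule).
from __future__ import annotations
from dataclasses import dataclass

SECTOR = 512

@dataclass(frozen=True)
class Signature:
    ext: str
    offset: int     # position inside the sector where the magic must appear
    magic: bytes

def parse_photorec_sig(text: str) -> list[Signature]:
    """Parse 'ext offset 0xhex' lines; blank lines and '#' comments are skipped."""
    sigs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ext, offset, magic = line.split()          # any amount of whitespace
        if not magic.lower().startswith("0x"):
            raise ValueError(f"expected a 0x-prefixed hex signature: {raw!r}")
        sigs.append(Signature(ext, int(offset, 0), bytes.fromhex(magic[2:])))
    return sigs

def scan_image(image: bytes, sigs: list[Signature]) -> list[tuple[int, str]]:
    """Return (byte offset, ext) for every sector whose header matches a signature."""
    hits = []
    for pos in range(0, len(image), SECTOR):
        block = image[pos:pos + SECTOR]
        for s in sigs:
            if block[s.offset:s.offset + len(s.magic)] == s.magic:
                hits.append((pos, s.ext))
    return hits

# The GIF87a line from the lab plus a constructed 7-Zip entry (well-known magic).
SIG_TEXT = """
gif 0 0x474946383761
7z  0 0x377abcaf271c   # constructed second entry
"""

# Constructed image: 8 blank sectors with a GIF header in sector 2 and a 7z header in sector 5.
IMAGE = bytearray(8 * SECTOR)
IMAGE[2 * SECTOR:2 * SECTOR + 6] = b"GIF87a"
IMAGE[5 * SECTOR:5 * SECTOR + 6] = bytes.fromhex("377abcaf271c")

if __name__ == "__main__":
    for pos, ext in scan_image(bytes(IMAGE), parse_photorec_sig(SIG_TEXT)):
        print(f"sector {pos // SECTOR} (offset {pos}): {ext}")
```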
Which files were known, and which weren't?
[Answer:]
We need to run PhotoRec and then check the File options section.
What must be done to identify all of them?
[Answer:]
All we need to do is select the file of interest using the space bar (toggle the selection).
Note: By default, PhotoRec loads any custom signatures when it runs. To confirm this, just check the File Options screen.
bulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results can be easily inspected, parsed, or processed with automated tools. More info: http://www.forensicswiki.org/wiki/Bulk_extractor and https://github.com/simsong/bulk_extractor/
To start bulk_extractor with its default settings, all you need to do is the following:
# cd Desktop/Module5/Lab13
# bulk_extractor -o BulkResults FormattedDrive.001
This will run bulk_extractor, extract all the information it finds, and store it in the BulkResults directory. Now, check the contents of the results directory. All the domains and emails came from the files that bulk_extractor managed to locate and extract, plus free unallocated space that was previously used for files.
Sometimes you will have to carve parts of a file manually and sew the file together manually too using a hex editor!