ICTN4310 LAB 03 - DATA ACQUISITION

Background. Whether you are formatting an internal drive, external drive, USB flash drive, or SD card, Windows gives you the choice of using three different file systems: NTFS, FAT32, and exFAT. A file system provides a way of organizing a drive. It specifies how data is stored on the drive and what types of information can be attached to files: filenames, permissions, and other attributes. Windows supports three different file systems. NTFS is the most modern file system. Windows uses NTFS for its system drive and, by default, for most non-removable drives. FAT32 is an older file system that is not as efficient as NTFS and doesn't support as big a feature set, but it does offer greater compatibility with other operating systems. exFAT is a modern replacement for FAT32, and more devices and operating systems support it than NTFS, but it's not nearly as widespread as FAT32.

FAT32 is the oldest of the three file systems available to Windows; it was introduced all the way back in Windows 95 to replace the older FAT16 file system used in MS-DOS and Windows 3. The FAT32 file system's age has advantages and disadvantages. The big advantage is that because it's so old, FAT32 is the de-facto standard. Flash drives you purchase will often come formatted with FAT32 for maximum compatibility across not just modern computers, but other devices like game consoles and anything with a USB port. Limitations come with that age, however. Individual files on a FAT32 drive cannot be over 4 GB in size; that's the maximum. A FAT32 partition must also be less than 8 TB, which admittedly is less of a limitation unless you're using super-high-capacity drives. While FAT32 is okay for USB flash drives and other external media, especially if you know you'll be using them on anything other than Windows PCs, you won't want to use FAT32 for an internal drive. It lacks the permissions and other security features built into the more modern NTFS file system. Also, modern versions of Windows can no longer be installed to a drive formatted with FAT32; they must be installed to drives formatted with NTFS.

NOTE: Before beginning this Lab Activity, you should download the three data files LABActivity3-1.001 and LABActivity3-2.001 from this week's assignments page on Canvas to the working folder 'Documents/Labs/LAB03/'.

Lab 3.1 Examining a FAT32 Image with FTK Imager

After completing this lab activity, you will be able to examine a FAT32 dd image in FTK Imager and identify a FAT32 file signature. Make sure that you have completed the previous labs and installed FTK Imager in your Windows VM before beginning this series of lab activities.

Lab 3.1 Activity. In this lab, you will use FTK Imager to examine a FAT32 file structure on a USB device.

1. In your forensic VM, right-click the AccessData FTK Imager desktop icon and run as administrator to open the program.
2. In FTK Imager, click File, Add Evidence Item from the menu. In the Select Source dialog box, click the Image File option button, and then click Next.
3. In the Select File dialog box, click Browse, navigate to and click the \\Documents\Labs\LAB03\ folder, click the LABActivity3-1.001 file, and then click Open. Click Finish.
4. The lower-right pane identifies the file system as MSDOS5.0 FAT32. In the upper-left Evidence Tree pane, expand LABActivity3-1.001 and USBDEVICE [FAT32] and click LABActivity3-1.001 to select it. The Properties pane shows the image type as raw (dd) and the original disk geometry as 512 bytes per sector with a total of 249,341 sectors.
5. Click the [root] folder. The upper-right File List pane shows the files in the LABActivity3-1.001 image and their timestamps. The red X next to some files indicates that the user deleted them. Click each file (including the deleted files) to view it in the viewer pane below the File List.
6. Click the HEX toolbar button to display the hexadecimal values for each file. Now click the Bank Location.doc file, view its hex information, and review its details in the Properties pane in the lower left.
7. Click the interior safe.jpg file in the File List pane and notice the JFIF file signature for a JPEG file. Click the eyeglasses tool button to see the file in the image viewer.
8. Click to expand the USBDEVICE [FAT32] folder and examine the FAT32 file structure and all the files in it. Also review the File System Information available in the Properties pane.
9. Leave FTK Imager open with this data capture as you answer the following review questions. When you are finished answering the questions, exit FTK Imager, and leave your VM running for the next lab.

Lab 3.1 Review Questions

1. How many allocated (not deleted) files were discovered in this FAT32 image?
   a. 5
   b. 9
   c. 10
   d. 13
2. What is the cluster size for the FAT32 image?
   a. 120,229
   b. 2,048
   c. 1,024
   d. 120,000
3. Locate the deleted .jpg file in the data capture and determine the start cluster for that file.
   a. 8,940
   b. 376
   c. 214
   d. 174
4. How many .jpg image files were discovered in this FAT32 image?
   a. 3
   b. 5
   c. 10
   d. 13
5. There are several unallocated space files located on this image capture. What is the name of the smallest of these unallocated files?
   a. 000214
   b. 000376
   c. 000442
   d. 102842
6. What is the FAT32 drive's volume serial number for this image?
   a. 929E-685C
   b. 99E-0766
   c. 2048
   d. 249,341
7. Individual files on a FAT32 drive cannot be over ______ GB in size, and a FAT32 partition must also be less than _____ TB.
   a. 8 GB, 4 TB
   b. 4 GB, 4 TB
   c. 8 GB, 8 TB
   d. 4 GB, 8 TB
8. What is the file size of the lock type 2.jpg file that was discovered in this FAT32 image?
   a. 165
   b. 31,744
   c. 8,201
   d. 9,216

Lab 3.2 Examining an HFS+ Image with FTK Imager

Background.
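Lab 3.2 compares HFS+ with the FAT32 layout examined in Lab 3.1. As an added example (not the lab's or FTK Imager's code), the Python below parses the two on-disk structures behind both labs' review questions: the FAT32 boot sector (cluster size, cluster count, volume serial, and where a file's start cluster lands) and the HFS+ volume header (allocation block size and count, journal flag, last-modified time). Both inputs are constructed in the block: the 512-byte sector size and the FAT32 sector total come from the lab, while the serial number, FAT size, block counts and dates are made up.

```python
# Added example (not the lab's or FTK Imager's code): parse the FAT32 boot
# sector and the HFS+ volume header. All input bytes are constructed below.
import struct
from datetime import datetime, timedelta, timezone

# ---------- FAT32: BIOS Parameter Block in sector 0 (little-endian) ----------

def build_fat32_boot_sector(sectors_per_cluster=4, total_sectors=249_341,
                            serial=0xDEADBEEF):
    """Constructed boot sector: 512-byte sectors as in the lab image; serial
    number, FAT size and label are made up."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x58\x90"                 # jump instruction
    bs[3:11] = b"MSDOS5.0"                    # OEM name FTK Imager shows
    # bytes/sector, sectors/cluster, reserved sectors, FAT count, root entries,
    # 16-bit total sectors, media byte, 16-bit sectors/FAT (both 0 on FAT32),
    # sectors/track, heads, hidden sectors, 32-bit total sectors
    struct.pack_into("<HBHBHHBHHHII", bs, 0x0B, 512, sectors_per_cluster,
                     32, 2, 0, 0, 0xF8, 0, 63, 255, 0, total_sectors)
    # 32-bit sectors/FAT, ext flags, version, root cluster, FSInfo, backup boot
    struct.pack_into("<IHHIHH", bs, 0x24, 1920, 0, 0, 2, 1, 6)
    bs[0x40], bs[0x42] = 0x80, 0x29           # drive number, ext boot signature
    struct.pack_into("<I", bs, 0x43, serial)  # volume serial number
    bs[0x47:0x52] = b"USBDEVICE  "            # 11-byte volume label
    bs[0x52:0x5A] = b"FAT32   "               # file system type string
    bs[510:512] = b"\x55\xAA"                 # boot sector signature
    return bytes(bs)

def parse_fat32(bs):
    """Return the values FTK Imager reports in its FAT32 Properties pane."""
    if bs[510:512] != b"\x55\xAA":
        raise ValueError("not a boot sector: 0x55AA signature missing")
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", bs, 0x0B)
    total = struct.unpack_from("<I", bs, 0x20)[0]
    spf = struct.unpack_from("<I", bs, 0x24)[0]
    serial = struct.unpack_from("<I", bs, 0x43)[0]
    data_start = reserved + nfats * spf       # first sector of the data area
    return {
        "oem": bs[3:11].decode("ascii", "replace").rstrip(),
        "fs_type": bs[0x52:0x5A].decode("ascii", "replace").strip(),
        "sectors_per_cluster": spc,
        "cluster_size": bps * spc,            # bytes per allocation unit
        "total_sectors": total,
        "cluster_count": (total - data_start) // spc,
        "data_start_sector": data_start,
        # Windows and FTK Imager display the 32-bit serial as XXXX-XXXX
        "serial": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
    }

def fat32_cluster_to_sector(info, cluster):
    """Data clusters are numbered from 2; map a file's start cluster to a sector."""
    return info["data_start_sector"] + (cluster - 2) * info["sectors_per_cluster"]

# ---------- HFS+: volume header 1024 bytes into the volume (big-endian) ----------

HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)  # HFS+ dates count from here
JOURNALED_BIT = 13                                       # kHFSVolumeJournaledBit
# signature, version, attributes, lastMountedVersion, journalInfoBlock, createDate,
# modifyDate, backupDate, checkedDate, fileCount, folderCount, blockSize,
# totalBlocks, freeBlocks
HEADER_FMT = ">2sH12I"

def build_hfsplus_volume(block_size=4096, total_blocks=20_000, free_blocks=5_000,
                         modified=datetime(2010, 1, 2, 3, 4, 5, tzinfo=timezone.utc)):
    """Constructed volume: 1024 reserved bytes, then a header with made-up counts."""
    secs = int((modified - HFS_EPOCH).total_seconds())
    hdr = struct.pack(HEADER_FMT, b"H+", 4, 1 << JOURNALED_BIT, 0, 0, secs, secs,
                      0, secs, 7, 3, block_size, total_blocks, free_blocks)
    return bytes(1024) + hdr + bytes(512 - len(hdr))

def parse_hfsplus(volume):
    """Return block size/count, journal flag and modify time from the header."""
    f = struct.unpack_from(HEADER_FMT, volume, 1024)
    if f[0] not in (b"H+", b"HX"):            # HX marks case-sensitive HFSX
        raise ValueError("not an HFS+ volume header")
    return {
        "journaled": bool(f[2] & (1 << JOURNALED_BIT)),
        "modified": HFS_EPOCH + timedelta(seconds=f[6]),  # modifyDate is UTC
        "files": f[9], "folders": f[10],
        "cluster_size": f[11],                # allocation block size in bytes
        "cluster_count": f[12],               # total allocation blocks
        "free_blocks": f[13],
    }
```

parse_fat32(build_fat32_boot_sector()) and parse_hfsplus(build_hfsplus_volume()) return the dictionaries; for a real image, pass the first 512 bytes of the FAT32 partition or the first 1536 bytes of the HFS+ partition instead.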
HFS+, the file system for Mac OS X 10.4 and later, maintains a journal like NTFS to keep track of file changes attempted but not completed because of file errors or hard disk crashes. This journaling feature allows the file system to recover from sudden disk crashes or power losses during a write operation. HFS+ is less susceptible to file corruption caused by broken or missing pointers between blocks of data on a storage device. After completing this lab, you will be able to process an HFS+ image in FTK Imager and explain the difference between the HFS+, FAT32, and NTFS file systems.

Lab 3.2 Activity. In this lab, you examine the HFS+ file structure and compare it with the FAT32 and NTFS file structures on a USB storage device:

1. In your forensic VM, right-click the AccessData FTK Imager desktop icon and run as administrator to open the program.
2. In FTK Imager, click File, Add Evidence Item from the menu. In the Select Source dialog box, click the Image File option button, and then click Next.
3. In the Select File dialog box, click Browse, navigate to and click the \\Documents\Labs\LAB03\ folder, click the LABActivity3-2.001 file, and then click Open. Click Finish.
4. Expand LABActivity3-2.001 and USBDevice [HFS+] in the Evidence Tree pane and click LABActivity3-2.001 to select it. The file properties show the image type as raw (dd) and the original disk geometry as 512 bytes per sector with a total of 249,228 sectors.
5. Expand and highlight the USBDevice folder in the Evidence Tree pane. The File List pane shows the files in the LABActivity3-2.001 image and their timestamps. Notice that there's no [root] folder. Examine the hidden folders (.journal and .journal_info_block) used for journaling file transactions. The Properties pane also shows the UNIX permissions for the USBDevice folder: read, write, delete, and modify.
6. Expand the .Trashes folder and click the 501 folder. You should see the same deleted files you've seen in previous labs, but HFS+ doesn't add a red X to indicate they were deleted.
7. Click each file with an extension to view its properties and security attributes. The Properties pane lists a Date Accessed field in addition to the Date Created and Date Modified fields.
8. Click the HEX toolbar button to display the hexadecimal values for each file. Click the Bank Location.doc file, view its hex information, and review its details in the Properties pane. The file signature is the same as in FAT16, FAT32, and NTFS, but the start locations are different in HFS+.
9. In the USBDevice folder, click the interior safe.jpg file and click the HEX view button. Notice that the JFIF file signature is the same as in FAT16 and FAT32. HFS+ also displays Exif file data, as NTFS does.
10. Examine the complex file structure of the USBDevice folder.
11. Leave FTK Imager open as you answer the following review questions. When you're finished, exit FTK Imager.

Lab 3.2 Review Questions

9. What is the cluster count for this HFS+ image capture?
   a. 28,099
   b. 31,153
   c. 4,096
   d. 3,077
10. Locate the Bank Location.doc file in this image capture. What is the Start Cluster for this file?
   a. 32,768
   b. 5,428
   c. 5,387
   d. 24,576
11. Several deleted files were located in this data capture; in what HFS+ folder will the investigator find deleted files stored?
   a. .Spotlight
   b. .Trashes
   c. .fseventsd
   d. [unallocated space]
12. What is the date/time stamp for when this HFS+ partition was last modified?
   a. 7/22/2009 1:59:05 PM
   b. 7/12/2009 6:30:57 AM
   c. 7/22/2009 1:59:05 AM
   d. 7/12/2009 6:30:57 PM
13. What is the cluster size for this HFS+ image capture?
   a. 4,096
   b. 31,153
   c. 28,099
   d. 2,048
14. An HFS+ partition uses UNIX security attributes. Locate the First Union Large Deposits.xls file in this image capture. What are the UID and GID for this file?
   a. 89, 89
   b. 89, 99
   c. 99, 99
   d. 79, 79

Lab 3.3 Examining Hash Values Using FTK Imager

Background. The FTK Imager tool can identify both MD5 and SHA1 hash values; each is unique in its own way. MD5 and SHA1 are hashing algorithms; MD5 is better than SHA1 in terms of speed, while SHA1 is more secure than MD5. Hashing algorithms are used to generate a unique digital fingerprint of data or a message, which is known as a hash or digest. The essential features of hash algorithms are:
- These functions cannot be reversed.
- The size of the digest or hash is always fixed and does not depend on the size of the data.
- It is always unique; no two distinct data sets can produce the same hash.
A hash algorithm's primary purpose is the verification of files rather than the encryption of a file or message. It is not used for storing information or securing it.

MD5 Hash. MD5 is a hashing algorithm known as a message digest algorithm, introduced by Ron Rivest. Several versions of MD were created: the first was MD (message digest algorithm), followed by MD2, MD3, MD4 and finally MD5. Each version of MD improved on the previous one. MD5 was the fastest algorithm produced in that era and was able to protect itself from collisions. It creates 128-bit digests; the input text is processed in 512-bit blocks, which are further separated into 16 32-bit sub-blocks. The result of the MD5 algorithm is a set of four 32-bit blocks, which together form a 128-bit message digest.

SHA1 Hash. SHA is a hash algorithm developed and published by the collaboration of NIST and NSA in 1993 as a Federal Information Processing Standard (FIPS PUB 180). SHA1 was the revised version of SHA, published in 1995 as FIPS PUB 180-1; SHA1 is related to MD5 as it is based on MD5. SHA1 can take any arbitrary message of up to 2^64 bits in length as input and produce a 160-bit message digest.
SHA stands for Secure Hash Algorithm, where "secure" signifies the one-way property (pre-image resistance or collision resistance) and the inability to produce the same digest from two messages. Here, one-way means that one cannot obtain the original message with the help of the message digest of that message.

Key differences between MD5 and SHA1:
- MD5 creates a 128-bit message digest, while SHA1 generates a 160-bit message digest.
- To discern the original message, an attacker would need 2^128 operations with the MD5 algorithm. With SHA1, on the other hand, it will be 2^160, which makes it much more difficult to find.
- If the attacker wants to find two messages having the same message digest, it will require 2^64 operations for MD5, whereas it would require 2^80 operations for SHA1.
- When it comes to security, SHA1 holds more points relative to MD5.
- MD5 is faster than SHA1.
- SHA1 is more complex when compared to MD5.

Lab 3.3 Activity. In this project, you create a file and calculate its hash value in FTK Imager. Then you change the file and calculate the hash value again to compare the files. Before beginning this Lab Activity, create a subfolder \HashTest1 in your working folder \\Documents\Labs\LAB03\ on your Windows VM.

1. On your Windows VM, start Notepad and in a new text file, type 'This is a test of hash values. One definition of a forensic hash is that if the file changes, the hash value changes.'
2. Save the file as hash1.txt in the \HashTest1 folder and then exit Notepad.
3. In your forensic VM, right-click the AccessData FTK Imager desktop icon and run as administrator to open the program.
4. In FTK Imager, click File, Add Evidence Item... from the menu. In the Select Source dialog box, click the Contents of a Folder option button, and then click Next. In the Select File dialog box, click Browse, navigate to and click the \\Documents\Labs\LAB03\HashTest1 folder and click OK, then Finish.
5. In the upper-left pane, click to expand the \HashTest1 folder and continue expanding until you can see the Hash1.txt file in the File List pane.
6. Right-click the file and click Export File Hash List. Name the file HashTestExport1 (the original hash) and save it in the \HashTest1 folder. Note that FTK Imager saves it as a .csv file. Now exit FTK Imager.
7. Open hash1.txt in Notepad. Add one letter to the end of this file, then save it and exit Notepad.
8. Start FTK Imager again. Now repeat steps 4 to 6, but this time when you export the file hash list, save the file as HashTestExport2.
9. To view both .csv files, HashTestExport1.csv and HashTestExport2.csv, the investigator can use either MS Excel or a .csv-compatible reader like LibreOffice Calc. However, the contents of both .csv files can also be viewed in the lower-right pane by highlighting each file. (Note: after adding the HashTestExport2.csv file to the image folder you may need to refresh the File List by selecting HashTest in the Evidence Tree pane and then viewing the contents of the folder.)
10. Compare the MD5 and SHA1 hash values in both export files to see whether they are different, and then exit FTK Imager.
11. Leave FTK Imager open as you answer the following review questions. When you are finished, exit FTK Imager.

Lab 3.3 Review Questions

15. By repeating steps 7 and 8 a third time, the investigator went into the hash1.txt file and removed the letter that was added so that the text read just as it did when hash1.txt was first created; then a third file, HashTestExport3.csv, was created and the hash values were evaluated. What were the results?
   a. HashTestExport3.csv contained different MD5 and SHA1 hash values than were calculated in the HashTestExport1.csv export file.
   b. HashTestExport3.csv contained the same MD5 hash value but a different SHA1 hash value than the HashTestExport1.csv export file.
   c. HashTestExport3.csv contained a different MD5 hash value but the same SHA1 hash value as was calculated in the HashTestExport1.csv export file.
   d. HashTestExport3.csv contained the same MD5 and SHA1 hash values that were calculated in the HashTestExport1.csv export file.
16. When comparing MD5 and SHA1, all the following are valid points except:
   a. MD5 requires 2^64 operations compared to 2^80 operations for SHA1
   b. SHA1 is more secure than MD5
   c. SHA1 creates a 128-bit long message digest; MD5 generates a 160-bit long message digest
   d. MD5 is a faster algorithm than SHA1

Lab 3.4 Ensuring Data Integrity with Hash Codes

Background. So why are hashing functions so important to the field of digital forensics? During most digital forensics investigations, it is necessary to capture electronically stored information (ESI) for future discovery and analysis. Before any data examination occurs, sources of potential ESI need to be preserved in a manner that protects their integrity. That is the role of the "forensic copy." The question may arise: how do we know that a forensic copy is accurate? Furthermore, how do we assure that the forensic copy remains faithful to the original? For that, we have a mathematical algorithm called a "hash function" to thank.

From a digital forensics perspective, it is commonly understood that direct examination of original electronic media should never occur. Instead, investigation should occur only on copies of the data. When the average person makes a backup of a hard drive, he or she is most likely making a "logical copy": the duplication of known, visible files in the allocated space of a hard drive. Let's say you have 200GB of files and folders written to your 1TB hard drive. A logical copy would only include those 200GB of visible files and folders. "Forensic copies" differ in that they replicate every bit from every sector of the hard drive, whether that space is allocated or not.
A forensic copy would capture not only the 200GB of visible files and folders, but also the remaining 800GB of unallocated space. This is important to digital forensic investigators because unallocated space may contain deleted files or other residual data that can be invaluable during discovery. A forensic copy also preserves file metadata and timestamps, while a logical copy does not. While you or your IT department can handle making a "logical copy" of a hard drive, most of us are not equipped to make a forensic copy. Few people working outside the realm of digital forensics will have the specialized hardware, software, and training needed to produce a proper forensic image of a hard drive.

So, what is the role of a hash? Forensic copies are exact, bit-for-bit duplicates of the original. To verify this, we can use a hash function to produce a type of "checksum" of the source data. As each bit of the original media is read and copied, that bit is also entered into a hashing algorithm. When the copying is finished, the algorithm will produce a hash value which will act as a type of digital fingerprint that is unique to the dataset.

Hash functions have four defining properties that make them useful. Hash functions are:
- Deterministic - For any given input, a hash function must return the same value each and every time that input is processed.
- Pre-Image Resistant - All hash functions must be "pre-image resistant." By this, we mean that the hash function should not provide any clue about the size or the content of the input.
- Collision Resistant - A collision is where multiple inputs are found to produce a common output (or common hash value). Since our potential inputs are infinite and our output is a fixed length, collisions are bound to occur.
- Computationally Efficient - Finally, we expect that a hash function will be computationally efficient, or, in other words, speedy.
Along with MD5 and SHA-1 there are several other common hashing algorithms an investigator may encounter. As an example, software creators often take a file download, like a Linux .iso file or even a Windows .exe file, and run it through a hash function. They then offer an official list of the hashes on their websites for the recipient to use to verify that they are receiving an official version of the software. As an investigator, you should be aware that "collisions" have been found with the MD5 and SHA-1 functions. Collisions are multiple different files, for example a safe file and a malicious file, that result in the same MD5 or SHA-1 hash. That is why the preference today for most validation is to use SHA-256 when possible.

Investigators can use Windows PowerShell, which is available in Windows 10, to find several different hash values for a given file. Once you open Windows PowerShell you can type any one of the following commands to view the hash value for the file. Note: In the example commands below, the command is 'Get-FileHash', the full path including drive to locate the file is 'C:\path\to\', and the file name you want to analyze is 'file.iso'. There are currently seven different hash values that can be identified using this command: MD5, SHA1, SHA256, SHA384, SHA512, MACTripleDES, and RIPEMD160.

    Get-FileHash C:\path\to\file.iso -Algorithm MD5
    Get-FileHash C:\path\to\file.iso -Algorithm SHA1
    Get-FileHash C:\path\to\file.iso -Algorithm SHA256
    Get-FileHash C:\path\to\file.iso -Algorithm SHA384
    Get-FileHash C:\path\to\file.iso -Algorithm SHA512
    Get-FileHash C:\path\to\file.iso -Algorithm MACTripleDES
    Get-FileHash C:\path\to\file.iso -Algorithm RIPEMD160

Although PowerShell can support several hashing algorithms, these are not all that an investigator could run into. SHA, which has several variants, is probably best known as the hashing algorithm used in most SSL/TLS cipher suites.
SHA-1, as we mentioned earlier, is now generally considered dated. SHA-2 is the algorithm version that is still in use and regarded as safe. The SHA-2 family consists of six hash functions: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.

The RIPEMD family of cryptographic hashing algorithms has lengths of 128, 160, 256 and 320 bits. RIPEMD was developed under the framework of the EU's Project RIPE by Hans Dobbertin and a group of academics in 1996. The RIPEMD 256- and 320-bit variants don't actually add any additional security; they just diminish the potential for a collision. In 2004 a collision was reported for RIPEMD-128, meaning RIPEMD-160 is the only algorithm from this family currently considered usable.

Designed in 2000, WHIRLPOOL is another hashing algorithm, designed by Victor Rijmen (the co-creator of the AES algorithm) and Paulo Barreto. Since 2000, it has undergone two revisions. WHIRLPOOL produces 512-bit hashes that are typically represented as 128-digit hexadecimal numbers.

TIGER is another hashing algorithm; it was a fast hash with a large digest (192 bits) compared to MD5 (128 bits) and SHA1 (160 bits). However, interest in the algorithm was somewhat attenuated by RIPEMD-160, which was considered by some to have a better pedigree, and by the subsequent introduction of more secure hashes like Whirlpool and SHA-2 (both having digests up to 512 bits). Shortly after Whirlpool and SHA-2 were introduced, these two algorithms were assessed, and subsequently recommended, by the NESSIE (Europe) and CRYPTREC (Japan) efforts and standardized by ISO.

Microsoft's LANMAN is the Microsoft LAN Manager hashing algorithm. LANMAN was used by legacy Windows systems to store passwords. LANMAN used the DES algorithm to create the hash. The problem is that LANMAN's implementation of the DES algorithm is not very secure, and therefore LANMAN is susceptible to brute-force attacks. LANMAN password hashes can be cracked in just a few hours.
Microsoft no longer uses LANMAN as the default storage mechanism. LANMAN is available but is no longer turned on by default. NTLM is the NT LAN Manager algorithm; it is used for password hashing during authentication and is the successor of the LANMAN algorithm. NTLM was followed by NTLMv2, which uses an HMAC-MD5 algorithm for hashing.

Lab 3.4 Activity. In this Lab Activity, you will create a file on your working drive and calculate its hash values in FTK Imager. Then you will change the filename and extension and calculate the hash values again to compare them. Before beginning this Lab Activity, create a subfolder \HashTest2 in your working folder \\Documents\Labs\LAB03\ on your Windows VM.

1. On your Windows VM, start Notepad and in a new text file, type 'This project shows that the file, not the filename has to change for the hash value to change.'
2. Save the file as hash2.txt in the \HashTest2 folder and then exit Notepad.
3. In your forensic VM, right-click the AccessData FTK Imager desktop icon and run as administrator to open the program.
4. In FTK Imager, click File, Add Evidence Item... from the menu. In the Select Source dialog box, click the Contents of a Folder option button, and then click Next. In the Select File dialog box, click Browse, navigate to and click the \\Documents\Labs\LAB03\HashTest2 folder and click OK, then Finish.
5. In the upper-left pane, click to expand your working folder to see the Hash2.txt file you created.
6. Right-click the file in the File List pane and click Export File Hash List. Save the file as 'OriginalHash2.csv' in your \HashTest2 folder.
7. In FTK Imager, click File, Remove All Evidence Items and exit FTK Imager.
8. Open File Explorer. Right-click the hash2.txt file in the \HashTest2 folder and rename it 'Hash2.doc'. In the warning message about the change in extension, click Yes.
9. Start FTK Imager. In FTK Imager, click File, Add Evidence Item... from the menu. In the Select Source dialog box, click the Contents of a Folder option button, and then click Next. In the Select File dialog box, click Browse, navigate to and click the \\Documents\Labs\LAB03\HashTest2 folder and click OK, then Finish.
10. In the upper-left pane, click to expand your working folder to see the Hash2.doc file you just renamed.
11. Right-click the file in the File List pane and click Export File Hash List. Save the file as 'RenamedHash2.csv' in your \HashTest2 folder. Click HashTest2 in the Evidence pane to refresh the file list. Now review the hash values located in the 'RenamedHash2.csv' and 'OriginalHash2.csv' files in the preview pane below the File List. Compare the hash values in both files to see whether they are different.

Lab 3.4 Review Questions

17. Locate the 'LABActivity3-2.001' data capture file that you downloaded for Lab Activity 3.2. Using Windows PowerShell, identify the last five characters of the SHA256 hash value for that file.
   a. 73439
   b. 4165E
   c. BC1C6
   d. AF81F
18. The current version of Windows PowerShell supports viewing all the following hash values except:
   a. MD5, SHA1, SHA256 and MACTripleDES
   b. MD5, SHA128 and SHA256
   c. MACTripleDES, SHA512, and MD5
   d. RIPEMD160, SHA512, and MACTripleDES
19. What two hashing algorithms are recognized by the European Union (EU) and Japan?
   a. MD5 and SHA2
   b. NTLM and SHA256
   c. TIGER and RIPEMD
   d. WHIRLPOOL and SHA2
20. Hash functions have several defining properties that make them useful not only to investigators but to many other computing users. These defining properties include all the following except:
   a. The hash function must return the same value every time that input is processed
   b. The hash function must be computationally efficient
   c. The hash function must avoid collisions
   d. The hash function should not provide any clue about the size or the content of the input
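Labs 3.3 and 3.4 show, with FTK Imager, that editing a file's content changes its MD5 and SHA1 values while restoring the content or renaming the file does not. As an added example (not the lab's, FTK Imager's or Get-FileHash's code), the Python below repeats those experiments with hashlib on a constructed copy of the hash1.txt text, hashing in chunks the way an imager does; the scratch folder, the file names and the appended letter are assumptions, and SHA-256 is included because the lab text prefers it.

```python
# Added example (not the lab's or FTK Imager's code): repeat the Lab 3.3 and
# Lab 3.4 hash experiments with hashlib on a constructed copy of hash1.txt.
import hashlib
import os
import tempfile

# FTK Imager exports MD5 and SHA1; SHA-256 is added because the lab prefers it
ALGORITHMS = ("md5", "sha1", "sha256")

def hash_bytes(data, algorithms=ALGORITHMS):
    """Digest an in-memory byte string; returns {algorithm: hex digest}."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}

def hash_file(path, algorithms=ALGORITHMS, chunk=1 << 16):
    """Digest a file in chunks, as an imager does, so evidence of any size
    never has to fit in memory at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def digest_bits(hexdigest):
    """Digest length in bits: 128 for MD5, 160 for SHA1, 256 for SHA-256."""
    return len(hexdigest) * 4

def changed_algorithms(export_a, export_b):
    """Names of the algorithms whose digests differ between two hash lists."""
    return sorted(name for name in export_a if export_a[name] != export_b.get(name))

def run_lab_experiments(workdir=None):
    """Lab 3.3 steps 1-10 and question 15, then the Lab 3.4 rename.
    Returns which algorithms changed after each manipulation."""
    if workdir is None:                       # assumption: a throwaway folder
        workdir = tempfile.mkdtemp(prefix="HashTest")
    text = (b"This is a test of hash values. One definition of a forensic "
            b"hash is that if the file changes, the hash value changes.")
    path = os.path.join(workdir, "hash1.txt")
    with open(path, "wb") as fh:
        fh.write(text)
    export1 = hash_file(path)                 # HashTestExport1: original
    with open(path, "ab") as fh:
        fh.write(b"x")                        # step 7: one letter appended (assumed 'x')
    export2 = hash_file(path)                 # HashTestExport2: content changed
    with open(path, "wb") as fh:
        fh.write(text)                        # question 15: letter removed again
    export3 = hash_file(path)                 # HashTestExport3: content restored
    renamed = os.path.join(workdir, "hash1.doc")
    os.replace(path, renamed)                 # Lab 3.4: only name and extension change
    export4 = hash_file(renamed)
    return {
        "after_edit": changed_algorithms(export1, export2),
        "after_restore": changed_algorithms(export1, export3),
        "after_rename": changed_algorithms(export1, export4),
        "digest_bits": {name: digest_bits(d) for name, d in export1.items()},
    }

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, value in run_lab_experiments(tmp).items():
            print(f"{key}: {value}")
```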
