Scope creep in the context of digital forensics investigations refers to the gradual expansion of the original objectives or boundaries of an investigation.
This can occur when new evidence is uncovered that suggests additional lines of inquiry, or when stakeholders request more information or analysis beyond the initial scope.
sudo dd if=/dev/zero of=/dev/sdX bs=4M status=progress
This command uses dd, a command-line utility in Unix-like operating systems used for copying and converting files.
sudo: Runs the command with superuser (root) privileges, which is necessary for writing directly to disk devices.
dd: The command itself, used for converting and copying files.
if=/dev/zero: Specifies the input file (if) as /dev/zero, a special file in Unix-like systems that provides as many null (zero-value) bytes as are read from it. Essentially, this is a way to write zeros.
of=/dev/sdX: Specifies the output file (of) as /dev/sdX, where sdX represents a disk device. The X should be replaced with the actual identifier of the target disk (e.g., sda, sdb). Because dd overwrites the target without any confirmation prompt, confirm the device identifier (for example with lsblk) before running it.
bs=4M: Sets the block size (bs) to 4 megabytes. This means dd will read and write 4 MB of data at a time, which can improve performance.
status=progress: Provides a progress report while the command is running, showing how much data has been copied so far.
In summary, this command writes zeros (/dev/zero) to the specified disk (/dev/sdX) in chunks of 4 megabytes, displaying progress updates until completion. It is commonly used for tasks like initializing a disk or securely erasing its contents.
Block-wise hashing is a forensic technique used to identify complete or partial remnants of known files in digital storage media, even if the files have been fragmented or deleted.
This method involves computing hash values for individual blocks or sectors of a file, typically 512 bytes in size, rather than hashing the entire file at once.
The process works by creating a hash set of these block-level hashes for known files of interest.
During a forensic examination, the investigator can then scan the storage media sector by sector, comparing the hash value of each sector to the known block hash set.
This allows for the detection of file fragments or incomplete copies of known files that may still exist in free space or unallocated areas of the drive.
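Added example (not from the original notes): a minimal block-wise hashing pass in Python that builds a 512-byte block hash set from a known file, scans a constructed disk image sector by sector, and skips single-byte-pattern blocks (zero fill, erase patterns) that would otherwise produce false hits. The known file and image are constructed in build_demo().

```python
import hashlib
import random

SECTOR = 512  # hash granularity: one disk sector

def is_common_block(block: bytes) -> bool:
    """Blocks of one repeated byte (zero fill, 0xFF erase pattern) occur all over a
    disk and would produce false hits, so they are left out of the hash set."""
    return len(set(block)) == 1

def block_hash_set(known_file: bytes, size: int = SECTOR) -> dict:
    """Map the SHA-256 of each full sector-sized block of a known file to its index."""
    hashes = {}
    for idx in range(len(known_file) // size):
        block = known_file[idx * size:(idx + 1) * size]
        if not is_common_block(block):
            hashes[hashlib.sha256(block).hexdigest()] = idx
    return hashes

def scan_image(image: bytes, known: dict, size: int = SECTOR) -> list:
    """Walk an image sector by sector; return (sector, known_block_index) per hit.
    File data is cluster (hence sector) aligned on disk, so aligned reads suffice."""
    hits = []
    for sector in range(len(image) // size):
        digest = hashlib.sha256(image[sector * size:(sector + 1) * size]).hexdigest()
        if digest in known:
            hits.append((sector, known[digest]))
    return hits

def build_demo() -> tuple:
    """Constructed data: a 4-block known file whose block 0 is all zeros, and a
    16-sector image holding blocks 1-2 at sectors 5-6, block 3 at sector 12, plus
    an unrelated zero-filled sector at 9 that must not be reported."""
    rng = random.Random(1)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    known_file = bytes(SECTOR) + rand(3 * SECTOR)
    image = bytearray(rand(16 * SECTOR))
    image[5 * SECTOR:7 * SECTOR] = known_file[1 * SECTOR:3 * SECTOR]
    image[12 * SECTOR:13 * SECTOR] = known_file[3 * SECTOR:4 * SECTOR]
    image[9 * SECTOR:10 * SECTOR] = bytes(SECTOR)
    return known_file, bytes(image)

if __name__ == "__main__":
    known_file, image = build_demo()
    for sector, idx in scan_image(image, block_hash_set(known_file)):
        print(f"sector {sector}: block {idx} of the known file")
```

The two fragments are reported at sectors 5, 6 and 12 even though the file is not contiguous in the image, and the zero-filled sector produces no hit because block 0 of the known file was excluded from the set.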
Autopsy can import the National Software Reference Library (NSRL) database and perform hash comparisons.
The NSRL is a project of the National Institute of Standards and Technology (NIST) that maintains a repository of known software, file profiles, and file signatures. These tools utilize the NSRL to identify known good and bad files during forensic investigations.
Autopsy also has a feature called E01 Verifier for verifying an Expert Witness image file.
AccessData's FTK has its own hashing database, Known File Filter (KFF).
KFF allows forensic examiners to filter out known files and focus on potentially relevant or suspicious data.
• KFF filters known program files from view and contains values of known illegal files (e.g., images of child pornography).
• It compares known file hash values.
In FTK Imager, when you select the Expert Witness (.E01) or SMART (.S01) format, additional options are available for hashing all the data.
• FTK Imager then inserts a report into the .E01 or .S01 file that lists MD5 and SHA-1 hash values.
ProDiscover has .eve files that contain metadata that includes a hash value.
It has a preference you can enable for using the Auto Verify Image Checksum feature when image files are loaded.
Why Hide Files?
Benefits:
1. Security: Hiding sensitive files can add an extra layer of security. It can protect important files from being easily found and tampered with by unauthorized users.
2. Privacy: Personal or confidential files can be hidden to ensure privacy, especially on shared systems.
3. System Integrity: System and configuration files can be hidden to prevent accidental modification or deletion by users who do not have the technical expertise.
While hiding files can provide some security and organizational benefits, it should not be relied upon as the sole means of protection. Robust security measures, such as proper access controls and regular monitoring, are essential to complement the practice of hiding files.
Risks:
1. Security Through Obscurity: Relying solely on hidden attributes for security is not foolproof. Knowledgeable users or attackers can still find and access hidden files.
2. Malware: Malicious software can hide its files to avoid detection by users or security software, making it harder to identify and remove.
3. Inconvenience: Legitimate users might accidentally hide files and then forget how to access them, leading to confusion or loss of data.
4. Maintenance Issues: Hidden files might be overlooked during system maintenance or backups, potentially causing issues with data recovery or system functionality.
--Hiding Files by Using the OS
One of the most common techniques to hide data is to change file extensions (discussed previously).
• Example: changing an Excel file to .jpg, or an .exe file to .txt.
--Making the File Attributes Hidden / Hiding File Names
Making file attributes “hidden” involves changing the file system properties so that the file is not visible in standard directory listings.
--Hiding Partitions
• You can hide partitions by using the Windows disk partition utility, diskpart.
• diskpart has a "remove letter" command.
• It allows you to unassign the partition's drive letter, which hides it from view in File Explorer.
• To unhide, use the diskpart "assign letter" command.
--Marking Bad Clusters
• A data-hiding technique used in FAT file systems is placing sensitive or incriminating data in free or slack space on disk partition clusters.
• Not common anymore. Involves using old utilities such as Norton DiskEdit.
--Bit-Shifting
• Some users use a low-level encryption program that changes the order of binary data by rearranging the bits for each byte in a file.
• This makes the altered data unreadable. To secure a file, users run an assembler program (also called a macro) to scramble the bits.
• They run another program to restore the scrambled bits to their original order.
• Bit shifting changes data from readable code to data that looks like binary executable code.
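Added example (not from the original notes), written from the examiner's side: because a bit shift within a byte is a rotation, trying all eight rotations of a suspect file and checking each result against known file headers recovers the original order without needing the user's program. The signature table and the sample PNG header are constructed for the demo.

```python
# Common file signatures (magic bytes at offset 0); a short constructed table.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP / Office document",
    b"MZ": "Windows executable",
}

def rotate_left(data: bytes, n: int) -> bytes:
    """Rotate the bits of every byte left by n positions (n in 0..7).
    Rotating by 8 - n undoes a rotation by n, so this covers both directions."""
    n %= 8
    return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in data)

def recover(data: bytes):
    """Try all eight rotations of a suspect file and return
    (rotation, file_type, restored_bytes) for the first one that exposes a known
    header, or None if no rotation produces one (the data may be encrypted or
    unrelated to the signature table)."""
    for n in range(8):
        candidate = rotate_left(data, n)
        for magic, name in SIGNATURES.items():
            if candidate.startswith(magic):
                return n, name, candidate
    return None

def build_demo() -> tuple:
    """Constructed sample: a PNG header plus filler, bit-shifted left by 3."""
    original = b"\x89PNG\r\n\x1a\n" + b"constructed pixel data"
    return original, rotate_left(original, 3)

if __name__ == "__main__":
    original, scrambled = build_demo()
    result = recover(scrambled)
    if result:
        n, name, restored = result
        print(f"rotation {n} restores a {name}; intact: {restored == original}")
```

Rotating the scrambled bytes left by 5 (that is, 8 minus the original shift of 3) brings back the PNG header; a file that never matches any rotation is a hint that something other than bit shifting was used.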
Stego-only attack:
This method involves analyzing suspected data for signs of steganography without knowledge of the original cover media or the message being embedded.
Known-cover attack:
In this method, the steganalyst has access to both the original cover media and the suspected steganographic file.
Known-message attack:
Here, the steganalyst knows or has a good estimate of the message that has been embedded.
Chosen-stego attack:
In this approach, the steganalyst chooses or creates steganographic software or techniques and then analyzes the resulting stego files to understand their detectability.
Example: Developing steganographic algorithms and then applying steganalysis techniques to see if the hidden data can be reliably detected.
Chosen-message attack:
The steganalyst selects or creates a message to be embedded, then analyzes the resulting stego file to understand how detectable the message is.
Example: Embedding a known message into different types of media (e.g., images, audio) using various steganographic tools and then applying steganalysis to detect the presence of the hidden message.
Recovering Passwords
Many password-protected OSs and applications store passwords in the form of MD5 or SHA hash values.
• A brute-force attack requires converting a dictionary password from plaintext to a hash value.
• This requires additional CPU cycle time.
• Rainbow table: a file containing the hash values for every possible password that can be generated from a computer's keyboard.
• No conversion is necessary, so it is faster than a brute-force or dictionary attack.
• Salting passwords: adds extra bits to the password and then hashes it, which alters the hash values and makes cracking passwords more difficult.
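Added example, not part of the original notes: a miniature precomputed lookup table against unsalted MD5 next to the same check with a per-user salt, showing why the table stops working and why every guess again costs a hash computation. The wordlist and salts are constructed.

```python
import hashlib

# Constructed wordlist standing in for a dictionary or rainbow-table source.
WORDLIST = ["password", "letmein", "qwerty", "summer2024", "dragon"]

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_lookup_table(words) -> dict:
    """Hash every candidate once, up front: hash -> plaintext.
    This is the precomputation a rainbow table amortises over many lookups."""
    return {md5_hex(w.encode()): w for w in words}

def lookup(table: dict, digest: str):
    """Reversing an unsalted hash is a single dictionary lookup, no hashing needed."""
    return table.get(digest)

def salted_md5(password: str, salt: bytes) -> str:
    """Salt is combined with the password before hashing and stored next to
    the hash, so two users with the same password get different digests."""
    return md5_hex(salt + password.encode())

def crack_salted(words, digest: str, salt: bytes):
    """With a salt the precomputed table is useless: each candidate must be
    re-hashed with this user's salt (the extra CPU time per guess)."""
    for w in words:
        if salted_md5(w, salt) == digest:
            return w
    return None

if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted:", lookup(table, md5_hex(b"letmein")))          # found instantly
    salt = b"constructed-salt"                                       # constructed value
    digest = salted_md5("letmein", salt)
    print("salted via table:", lookup(table, digest))                # None
    print("salted via re-hashing:", crack_salted(WORDLIST, digest, salt))
```

Real systems go a step further than the plain hashes these notes describe and use slow, salted password-hashing functions (PBKDF2, bcrypt, scrypt, Argon2) so that even the per-guess re-hashing is expensive.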