
Carving and hash signatures


Signature analysis and hashes


Objectives

This lab covers searching for files with hashes and file carving. File hashes present an important method of rapidly searching for and identifying known good and bad files. A file hash database of files to be searched for can be used to rapidly identify them on a system, even when their names have been changed in an attempt to obfuscate their true type.

File carving is a file extraction method that recovers files from a partition or disk image by their content (header and footer signatures) rather than through file system metadata. It is used where the file system is corrupt, or to recover deleted files whose data blocks have not yet been overwritten.

You have been provided with 4 files. These can be found in /images/siglab/.

  1. search.dd
  2. carve.dd
  3. KnownGoodFiles.hdb
  4. KnownBadFiles.hdb

KnownGoodFiles is a hash database of files which should be excluded from further analysis. These could be things like system files. The files have been hashed using a file source which has been validated (e.g. the files were downloaded from the manufacturer).

KnownBadFiles is a hash database of files which a forensics colleague of yours has created. These are hashes of files you are specifically interested in finding and examining. These could be questionable jpegs which were discovered on another computer, or, for instance, rootkit executables which you think may have been used as part of a crime.

Question 1: Sorter

Before you begin, prepare your environment for this investigation. First verify the md5 hashes of carve.dd and search.dd; record them so that you can show later that the images were not altered during the analysis. Calculate the md5 sum of:
carve.dd:
search.dd:


Create a directory "/home/caine/sorter", and for the remainder of this tutorial all files created should be stored in this new directory.


The sorter command analyses a partition image and organises the allocated and unallocated files by file type. The type is determined from each file's content, not its name, so sorter also records files whose extension does not agree with their content. The resulting analysis is a collection of files created in the directory specified using "-d".

Use the sorter command line tool to analyse the search.dd image. Make sure that you use the -m switch to provide the correct mount point (C:), which sorter uses as the path prefix in its reports. Make the output directory of this command /home/caine/sorter/.

How many files were found? (The counts asked for here and below are summarised in the sorter.sum file that sorter writes to its output directory.)

How many images (e.g. jpegs and gifs) were found?

How many extension mismatches were found? (An extension mismatch is a file whose content type, determined from its header, does not agree with its file name extension.)

Question 2: Generate a hash database

If you had to build your own hash database, you would locate each file of interest and record its md5sum output, since the md5sum format (hash, two spaces, file name) is what hfind and sorter read as an "md5sum" database. This question demonstrates building a simple hash database of files of interest.

Firstly make a directory /mnt/search and mount search.dd at that location. Use the "-r" option to mount it read-only, so that the image cannot be modified and the md5 you recorded in Question 1 still holds afterwards. To make this directory and to do the mount you must execute the appropriate commands as root (e.g. using sudo).


Create a file /home/caine/myhash.hdb which contains the md5sum output for

 /mnt/search/Documents and Settings/Clyde/My Documents/Frankie.xml

(The path contains spaces, so quote it on the command line.)

Now ADD the following file to the database, appending to myhash.hdb rather than overwriting it, so that the Frankie.xml entry is kept.

 /mnt/search/Documents and Settings/Clyde/My Documents/Ford.xml

Question 3: hfind

In order to efficiently use the hash database files, you need to create an index of the file entries.

Firstly, copy the KnownBadFiles.hdb and KnownGoodFiles.hdb to /home/caine.

Now use the hfind command, using the db type of md5sum, to build a .idx file for both KnownGoodFiles and KnownBadFiles.


Now look up the md5 hash of Frankie.xml which you saved into myhash.hdb in the last question. Using the hexadecimal hash value for Frankie.xml, search for that hash using hfind in both KnownGoodFiles.hdb and KnownBadFiles.hdb (hfind takes the .hdb name and uses the index it built beside it).
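The two steps above, building the database in Question 2 and looking a hash up in Question 3, are shown together below as an added example that is not part of the lab page. It builds an md5sum-format database from files whose paths contain spaces, appends to it without creating duplicates, and looks a file's hash up in both a known-good and a known-bad database to form the opinion asked for above. hfind's index and lookup are replaced by grep so that the script runs without Sleuth Kit; the equivalent hfind commands are in the trailing comments. The files it hashes are constructed in a temporary directory; the /mnt/search and /home/caine paths in the comments are the lab's.

```shell
#!/bin/sh
# Added example (not from the lab page): build an md5sum-format hash
# database, append to it safely, and classify a file against a
# known-good and a known-bad database. Lookups use grep instead of
# hfind so the script runs anywhere; sample files are constructed.

# Append "md5  path" lines for each file, skipping hashes already present.
# Quoting "$f" keeps paths with spaces (e.g. "My Documents") intact.
hashdb_add() {               # hashdb_add DB FILE...
    db=$1; shift
    touch "$db"
    for f in "$@"; do
        line=$(md5sum "$f") || return 1
        h=${line%% *}
        if grep -qi "^$h" "$db"; then
            echo "skip (already in db): $f" >&2
        else
            printf '%s\n' "$line" >> "$db"   # >> appends; > would overwrite
        fi
    done
}

# Print the stored name for HASH if it is in DB, else fail (like hfind DB HASH).
# hfind first needs "hfind -i md5sum DB" to build a sorted .idx beside DB;
# grep over the hash column does the same job for a small database.
hashdb_lookup() {            # hashdb_lookup DB HASH
    grep -i "^$2" "$1" | sed 's/^[0-9a-f]\{32\}[ *]*//' | grep .
}

# Form an opinion on FILE from the two databases.
classify() {                 # classify FILE GOOD.hdb BAD.hdb
    h=$(md5sum "$1" | cut -c1-32)
    if hashdb_lookup "$2" "$h" >/dev/null; then g=1; else g=0; fi
    if hashdb_lookup "$3" "$h" >/dev/null; then b=1; else b=0; fi
    case "$g$b" in
        10) echo known-good ;;   # exclude from further analysis
        01) echo known-bad ;;    # alert: examine this file
        11) echo conflict ;;     # same hash in both lists: review the databases
        *)  echo unknown ;;      # in neither list: normal manual triage
    esac
}

demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/My Documents"                       # constructed stand-ins
    printf '<frankie/>\n' > "$tmp/My Documents/Frankie.xml"
    printf '<ford/>\n'    > "$tmp/My Documents/Ford.xml"
    hashdb_add "$tmp/myhash.hdb" "$tmp/My Documents/Frankie.xml"
    hashdb_add "$tmp/myhash.hdb" "$tmp/My Documents/Ford.xml"   # appended, Frankie kept
    hashdb_add "$tmp/myhash.hdb" "$tmp/My Documents/Ford.xml"   # duplicate, skipped
    cp "$tmp/myhash.hdb" "$tmp/KnownBadFiles.hdb"               # constructed "bad" list
    : > "$tmp/KnownGoodFiles.hdb"                               # constructed empty "good" list
    h=$(md5sum "$tmp/My Documents/Frankie.xml" | cut -c1-32)
    echo "Good: $(hashdb_lookup "$tmp/KnownGoodFiles.hdb" "$h" || echo 'Hash Not Found')"
    echo "Bad:  $(hashdb_lookup "$tmp/KnownBadFiles.hdb" "$h" || echo 'Hash Not Found')"
    echo "Opinion: $(classify "$tmp/My Documents/Frankie.xml" "$tmp/KnownGoodFiles.hdb" "$tmp/KnownBadFiles.hdb")"
    rm -rf "$tmp"
}
demo
# Lab equivalents with the real paths and Sleuth Kit:
#   md5sum "/mnt/search/Documents and Settings/Clyde/My Documents/Frankie.xml" >  /home/caine/myhash.hdb
#   md5sum "/mnt/search/Documents and Settings/Clyde/My Documents/Ford.xml"    >> /home/caine/myhash.hdb
#   hfind -i md5sum /home/caine/KnownGoodFiles.hdb
#   hfind -i md5sum /home/caine/KnownBadFiles.hdb
#   hfind /home/caine/KnownBadFiles.hdb <md5 of Frankie.xml from myhash.hdb>
```

The "conflict" case is worth keeping: a hash present in both lists usually means a colleague's bad list or the vendor-sourced good list was built from the wrong file, and neither list should be trusted for that hash until that is resolved.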

Search of KnownGoodFiles produced:
Search of KnownBadFiles produced:
Expert opinion of Frankie.xml:


Question 4: Sorter and filtering

It is possible to filter out known good and bad files while using sorter, which cuts down the number of files in the sorter output. Use the appropriate sorter options to supply the KnownBadFiles database as the alert list (-a: matching files are reported as alerts) and the KnownGoodFiles database as the exclusion list (-x: matching files are dropped from further processing), using the indexes you built in the previous question.

Hint: Make sure that you created a new directory for the output of sorter. Make this directory /home/caine/sorter2.

HINT: just like hfind, you need to use the .hdb name of the database file and not the .idx name.
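The preparation in Question 1 and the filtered run in this question fit together as one short script. The following is an added example and not part of the lab page: it records the md5 of each image in a manifest, runs sorter into a fresh directory with KnownBadFiles.hdb as the alert database (-a) and KnownGoodFiles.hdb as the exclusion database (-x), and re-checks the manifest afterwards to show that analysis did not alter the evidence. The lab's paths are assumed; sorter itself is only executed when it is installed (with DRY_RUN=1 the function just prints the command line), so the hash checks run anywhere that has coreutils.

```shell
#!/bin/sh
# Added example for Questions 1 and 4 (not part of the lab page).
# Verify image hashes before and after running sorter with alert and
# exclusion databases. Paths in the comments are the lab's.

# Write "md5  path" lines for each file, the format md5sum -c reads back.
make_manifest() {            # make_manifest MANIFEST FILE...
    manifest=$1; shift
    md5sum "$@" > "$manifest"
}

# Succeed only if every file still has the hash recorded in the manifest.
verify_manifest() {          # verify_manifest MANIFEST
    md5sum --status -c "$1"
}

# Run sorter: -d output dir, -m mount point used as path prefix in the
# reports, -a alert database (known bad), -x exclusion database (known
# good). Both databases are given by their .hdb name; hfind's .idx sits
# beside it. The output directory must be new, as the lab requires.
run_sorter() {               # run_sorter IMAGE OUTDIR MOUNT [ALERT.hdb] [EXCLUDE.hdb]
    image=$1; outdir=$2; mnt=$3; alert=$4; exclude=$5
    mkdir -p "$outdir"
    if [ -n "$(ls -A "$outdir")" ]; then
        echo "refusing to reuse non-empty output directory $outdir" >&2
        return 1
    fi
    set -- -d "$outdir" -m "$mnt"
    [ -n "$alert" ]   && set -- "$@" -a "$alert"
    [ -n "$exclude" ] && set -- "$@" -x "$exclude"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "sorter $* $image"          # show what would be run
    else
        sorter "$@" "$image"
    fi
}

demo() {
    tmp=$(mktemp -d)
    printf 'constructed image contents\n' > "$tmp/search.dd"   # stand-in for search.dd
    make_manifest "$tmp/images.md5" "$tmp/search.dd"
    verify_manifest "$tmp/images.md5" && echo "images match manifest"
    DRY_RUN=1
    run_sorter "$tmp/search.dd" "$tmp/sorter2" C: \
        "$tmp/KnownBadFiles.hdb" "$tmp/KnownGoodFiles.hdb"
    DRY_RUN=0
    printf 'x' >> "$tmp/search.dd"                              # simulate an accidental write
    verify_manifest "$tmp/images.md5" || echo "WARNING: image hash changed since manifest"
    rm -rf "$tmp"
}
demo
# Lab run (sorter installed, lab paths):
#   make_manifest /home/caine/images.md5 /images/siglab/search.dd /images/siglab/carve.dd
#   run_sorter /images/siglab/search.dd /home/caine/sorter2 C: \
#       /home/caine/KnownBadFiles.hdb /home/caine/KnownGoodFiles.hdb
#   verify_manifest /home/caine/images.md5 && echo "images unchanged"
```

Re-running verify_manifest after every tool that touches an image is cheap, and it is the evidence you need if someone later asks whether the analysis modified the original.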


How many alerts were found?


How many exclusions were found?


Question 5: Linking the Techniques

In this question you will put together all you have learned so far to search the image for known bad files that have been obfuscated.

The search.dd image has a number of files on it that are listed in KnownBadFiles.hdb. However, some of these files may have been tampered with and obfuscated by a user, and some have been placed there to create false positive results. Fill in the following table with the details of the files found on the image: the original file name as found in KnownBadFiles.hdb, the name of the file as found on the file system, and the md5 hash that links the two. Finally, state the method of obfuscation the user employed to hide the true nature of the file.

You can fill in this table using any method you deem appropriate. Use the output of sorter from the previous question, and start a new case in Autopsy to analyse the files quickly in a GUI environment. Remember that a file's true type is established by inspecting its header, not its name or extension.

In the analysis, drill down through any obfuscation. For instance, if you document a file which is compressed, also test the uncompressed version of that file against KnownBadFiles and list that file in the table using its uncompressed name as reported by sorter. So, for example, if "gordon.xml" is really a gzipped jpeg called "gordon.jpg", and this jpeg is also listed in KnownBadFiles, then add a row for it too, using "gordon.jpg" as the "Name in disk image" and the observation "obfuscated file extracted". Only the hash links a file on the image to a database entry: a file that merely looks like a known bad file by name or extension but hashes differently is a false positive and should be recorded as such.
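The drill-down described above is automated below as an added example that is not part of the lab page. It types a file by its leading bytes rather than its extension, looks the hash up in the bad database, unwraps a gzip layer and repeats the check on the contents, and prints one table row per layer in the column order of the table below. The magic-byte list is a small constructed subset of what sorter and file know; the KnownBadFiles.hdb name is the lab's, the sample files are constructed, and the decompressed file is named the way the lab describes (the original name with the extension of the real content).

```shell
#!/bin/sh
# Added example (not part of the lab page): identify a file from its
# header bytes, unwrap gzip layers, and check every layer against a
# known-bad md5sum database. Sample files are constructed.

# Type from the first four bytes (a small hand-written magic table).
magic_type() {               # magic_type FILE
    sig=$(od -An -N4 -tx1 "$1" | tr -d ' \n')
    case "$sig" in
        ffd8ff*)   echo jpg ;;
        47494638*) echo gif ;;
        1f8b*)     echo gzip ;;
        25504446*) echo pdf ;;
        504b0304*) echo zip ;;
        d0cf11e0*) echo doc ;;
        *)         echo unknown ;;
    esac
}

# Print the database name for HASH, or fail if it is not listed.
bad_name() {                 # bad_name DB HASH
    grep -i "^$2" "$1" | sed 's/^[0-9a-f]\{32\}[ *]*//' | grep .
}

# Emit "name-in-db|md5|name-on-disk|observation" for FILE and, if it is
# a gzip wrapper, for the extracted contents as well (recursively).
drill() {                    # drill FILE DB DISPLAY_NAME [PREFIX]
    local f db name prefix h t ext dbn obs inner
    f=$1; db=$2; name=$3; prefix=${4:-}
    h=$(md5sum "$f" | cut -c1-32)
    t=$(magic_type "$f")
    ext=$(printf '%s' "$name" | sed 's/.*\.//' | tr 'A-Z' 'a-z')
    dbn=$(bad_name "$db" "$h") || dbn="-"
    if [ "$t" = gzip ]; then
        obs="gzip wrapper, contents extracted below"
    elif [ "$dbn" = "-" ]; then
        obs="not in KnownBadFiles (possible false positive)"
    elif [ "$t" != unknown ] && [ "$t" != "$ext" ]; then
        obs="extension mismatch (.$ext is really $t)"
    elif [ "$(basename "$dbn")" != "$name" ]; then
        obs="renamed"
    else
        obs="match"
    fi
    [ -n "$prefix" ] && obs="$prefix; $obs"
    printf '%s|%s|%s|%s\n' "$dbn" "$h" "$name" "$obs"
    if [ "$t" = gzip ]; then
        inner=$(mktemp)
        if gzip -dc "$f" > "$inner" 2>/dev/null; then
            # name the contents as the lab does: gordon.xml -> gordon.jpg
            drill "$inner" "$db" "${name%.*}.$(magic_type "$inner")" "obfuscated file extracted"
        fi
        rm -f "$inner"
    fi
}

demo() {
    tmp=$(mktemp -d)
    # constructed "known bad" file: a minimal JPEG/JFIF header as the image
    printf '\377\330\377\340\000\020JFIF\000' > "$tmp/gordon.jpg"
    printf '%s  gordon.jpg\n' "$(md5sum < "$tmp/gordon.jpg" | cut -c1-32)" > "$tmp/KnownBadFiles.hdb"
    cp "$tmp/gordon.jpg" "$tmp/notes.txt"           # disguise 1: renamed extension
    gzip -c "$tmp/gordon.jpg" > "$tmp/gordon.xml"   # disguise 2: gzipped and renamed
    printf 'just text\n' > "$tmp/gordon2.jpg"       # decoy: suspicious name, different content
    echo "Name in HashDatabase|md5 hash|Name in disk image|Observation"
    for f in notes.txt gordon.xml gordon2.jpg; do
        drill "$tmp/$f" "$tmp/KnownBadFiles.hdb" "$f"
    done
    rm -rf "$tmp"
}
demo
```

Run drill over the files sorter or Autopsy flagged (sorter's extension-mismatch list is the natural starting point) with the real KnownBadFiles.hdb; each row it prints is one line of the table.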

Name in HashDatabase | md5 hash | Name in disk image | Observation

(Eleven rows are expected.)

Question 6: Scalpel

In this question we will use "scalpel" to perform file carving, and then identify the carved files by comparing their hashes with the known hash databases.

Firstly create a directory /home/caine/scalpelOutput to contain the output when running scalpel.


Edit the /etc/scalpel/scalpel.conf file. Configure the scalpel config file to search for jpgs, pdfs and word documents. To do this delete the comment character (the '#') from the beginning of the lines responsible for jpg, pdf and doc; where a type has more than one line (different footers), uncomment all of them. Remember to use sudo, as you need to be root to edit this file, and keep a copy of the original file so the change can be reverted.


Use the scalpel tool to carve the carve.dd file in /images/siglab into the /home/caine/scalpelOutput directory. Scalpel refuses to run if the output directory is not empty, so use the freshly created directory.


List the names of the files found and extracted from carve.dd by scalpel by comparing the hashes of the files in the scalpel output directory with KnownBadFiles.hdb.

Hint: use the md5deep tool with -r to recurse through all the files in the scalpel output directory. Ensure you use the -b flag, so that only the bare file names, without directory paths, are printed beside the hashes.

Hint 2: you will need to clean up the md5deep output file so that hfind will work with it, leaving one hash per line. The following expression strips the file name from each line (txt is included because md5deep also hashes scalpel's audit.txt, and pdf because pdfs were configured above):

sed 's/\s*[0-9a-z]*\.\(doc\|jpg\|pdf\|txt\)$//' FILE_CREATED_BY_MD5DEEP.hdb > HASHES_ONLY_FILE

Hint 3: The hfind command can take, with the -f option, a file which contains a list of md5 hashes and look up each line of that file in its hash database. Keep the original md5deep output so that each matching hash can be mapped back to its carved file name.

Filenames carved from the image which match a hash in KnownBadFiles (five are expected):



Copyright @ 2004-2012 Gordon Russell. All rights reserved.