User Manual - Forensic Explorer

Copyright GetData Forensics Pty Ltd 2010-2014. All rights reserved.

Chapter 10: Evidence Module

10.1 PREVIEW

IMPORTANT: When working with physical devices, accepted forensic procedure dictates the use of a write block. Refer to Appendix 2, Write Blocking, for more information.

Forensic Explorer allows the investigator to preview a device, image or registry file without first creating a case.

To preview a device, image or registry file:
• Click the Preview button in the Evidence module.

NOTE (v2.3.6.3518): From versio
SQLite or DB: Display view
Binary PList: File Metadata view
MBDB: HEX or Text view
DAT: HEX or Text view

An example of the detail contained within the com.apple.wifi.plist file, as shown in the Forensic Explorer File Metadata view, is given in Figure 249 below, detailing wireless network information for the Virgin Airlines Coolangatta airport lounge.

Figure 249: com.apple.wifi.plist in the File Metadata viewer (fields include SSID, CHANNEL, CHANNEL_FLAGS, BSSID, authMode, lastJoined, lastAutoJoined, RSSI, NOISE, AGE and SSID_STR, here "Coolangatta Virgin Lounge", each with its data type).

Scripts provided with F
Switch to the Report Editor Preview tab to see the field names in the report.

Figure 168: Report Editor showing the report.

To insert the picture, go back to the Editor window and click on the file name Orange Cat 4.JPG in the Reportable Items Filename section shown in Figure 166 above. The selected picture will display at the bottom of the field list. Drag and drop the picture onto the report.

Format the report as desired by inserting labels, font options, etc. Layout can be achieved by using a standard table with hidden borders. The formatted output is shown in Figure 164 above.

OBJECTIVE

The object of this exercise is to show the contents of a bookmark folder as a list in a table, as follows:

Figure 169: Exercise 1 objective (Filename, Created and Modified columns for the files in the Cats bookmark folder).
Type the search term into the Search For window. As the search term is typed, a list of index words is dynamically displayed showing:
1. the words in the index which match the typed criteria;
2. the number of times the word appears in the index (Word Count); and
3. the number of documents in the index in which the word appears.

An alternate word can be selected from the displayed list by double clicking the required word.

The following options can be included in the search by selecting the relevant check box:

Stemming: Searches other grammatical forms of the words in your search request. For example, with stemming enabled a search for "apply" would also find "applies".

Phonic searching: Finds words that sound similar to words in your request, like Smith and Smythe.

Fuzzy: Fuzzy searching sifts through scanning and typographical errors.

13.4.2 BOOLEAN SEARCH

A Boolean search is a group of words or phrases linked by connectors such as AND and OR that indicate a relationship between them. For example:

Search Request | Meaning
apple and pear | both words must be present
apple or pear | either word can be present
apple w/5 pear | apple must occur within 5 words of pear
apple not w/12 pear | apple must occur but not within 12 words of pear
apple and not pear | only apple must be present
apple w/5 xfirstword | apple m
Follow STEPS 1 and 2 in 17.5.1 above to prepare a case with bookmarks.

STEP 3: RENAME THE BLANK REPORT

a. In the Reports module, click, then hover over the report name to rename the section to Single Item Report.
b. Repeat this step to rename the section.

The Reports folder tree should now look like this:

Figure 165: Rename the Report and Section.

STEP 4: EDIT THE REPORT

c. Double click on the report section Single Item Report to open the report Editor tab.
d. In the Reportable Items column shown in Figure 166 below, click on the folder containing the desired bookmark. Then locate and click on the required file, in this example Orange Cat 4.JPG, in the Filename section.
e. The fields available for the selected file are now shown in the Available Fields column to the left, as shown in Figure 166 below.

Figure 166: Selecting a bookmarked file and its fields (Available Fields, Reportable Items, Module Fields and Report Section columns).
Figure 189: Time settings. Selection: Timezone (UTC-06:00) Central Time (US & Canada); TimeZone Name: Central Standard Time, 360 mins; Daylight Savings: Central Daylight Time, 300 mins; DLS Bias: 300; Additional bias: 120.

2. Select the TimeZone relevant to the evidence. The Additional Bias field is used to make minor adjustments (in seconds), for example when the system BIOS clock is not correctly synced with a known time source.
3. Click OK to save these settings. New time zone information will be displayed next to the device, as shown in Figure 190 below.

Figure 190: Adjusted time zone information (Dell Latitude CPi.E01: (UTC-06:00) Central Time (US & Canada), 120).

4. Date and time information in the File System > File List will now be adjusted. Note: It may be necessary to refresh the File List display to show this adjustment.

In a case involving multiple computers from different geographic locations, it may be advantageous for the investigator to synchronize time zones.

To synchronize time zones:
1. In the File System module, right click on the case icon.
2. Select Modify Time Setting from the drop down menu and apply the time to the case.

A case time setting has precedence over e
the MFT record for the parent folder has been re-used by another file and the original information for the parent is no longer available.
5. CHILD FOLDER 1 and its content are available, but Forensic Explorer cannot determine where in the tree structure it belongs. The Orphans folder is created by Forensic Explorer to hold CHILD FOLDER 1 and its content.

Recover Folders is a method of searching unallocated clusters to find deleted or missing folders and their content. Recover Folders will often locate multilevel folder and sub-folder structures and make them visible to the investigator within the Forensic Explorer module. For this reason it is recommended that a Recover Folders search be one of the first tasks undertaken by an investigator in a new case.

To run a Recover Folders search, click the Recover Folders toolbar icon in the File System module.

Figure 216: Recover Folders, File System module toolbar icon.

This opens the Folder Carve options window.

Figure 217: Recover Folders options (Folder Carve 2: Name: Folder Carve 2; Source: Partition 95; file systems: FAT, exFAT, NTFS, HFS).

When the Recover Folders command is executed on an NTFS partition in Forensic Explorer, the program searches unallocated clusters for MFT records.

The proc
To select a file:
• Double click a sector. All sectors used by the file will be identified.

The name of the selected file is displayed in the status bar at the bottom of the Disk view window, as shown in Figure 57 below.

Figure 57: A selected file in Disk view (status bar showing the image name and Sector 992,703).

8.5 GALLERY VIEW

The default location for Gallery view is the top data view window of the File System module, accessed via the Gallery View tab.

Gallery view is a fast way to thumbnail graphics located in the case.

Figure 58: Gallery view thumbnails.
A Tree view is a hierarchical display of items, e.g. devices, partitions, folders, registry key folders, keywords, etc. Like Microsoft's Windows Explorer, the Tree view is most commonly used to select a folder, causing the contents of the folder to be displayed in the adjacent List view. The default position for a Tree view is in the top left window. The actual name of the Tree view changes according to the module, i.e.:

Module | Tree view Name | More Information
File System | Folders | Chapter 11
Keyword Search | Keyword Tree | Chapter 12
Bookmarks | Bookmark Tree | Chapter 16
Registry | Registry Tree | Chapter 15

To navigate Tree view:
• Use the keyboard arrow keys to traverse, expand and contract the tree;
• Double click a folder to drill down into its sub-folders; or
• Click the + and - symbols to expand and contract the tree hierarchy; or
• Right click and use Expand to expand the currently highlighted folder or Expand All to expand all folders; use Contract to contract the currently highlighted folder or Contract All to contract all folders.

Some Tree views contain a filter drop down menu, as shown in Figure 49.

Figure 49: Tree view filter (Folders, Categories and File List tabs; filter set to Graphics Files).
Acquire: The acquire option is used to take a forensic image (an exact copy of the target media) into an image file on the investigator's workstation.

Convert: The convert option is used to copy an existing image file from one image format to another, e.g. DD to E01.

Hash or Verify: The hash or verify option is used to calculate a hash value for a device or an existing image file.

These options are shown in Figure 28, Forensic Imager, below.

Figure 28: Forensic Imager (GetData Forensic Imager BETA VERSION v4.0.0.119). Select the required option: Acquire (acquire an image of a physical drive, a logical drive or a range of sectors in EnCase, RAW (DD) or AFF format); Convert (make a copy of an existing image file in a different format, e.g. DD to EnCase); Hash or Verify (hash a physical drive, logical drive or image file).

When Acquire or Convert is selected, the subsequent work flow is:
1. Select source
2. Select destination options
3. Create the image
4. Display and save event log

When Hash or Verify is selected, the subsequent work flow is:
1. Select source
2. Verify
3. Display and save event log

The workflow is discussed in more detail below.

When the Acquire, Convert or Hash or Verify button is selected, the source selection sc
17.1 REPORTING & BOOKMARKS

The purpose of the Reports module is to assist in the generation of a report that documents the forensic analysis. The Reports module is based on the use of templates that can be re-used across multiple investigations. A report template can be automatically populated with bookmarked items.

Figure 158: Modules > Bookmarks > Reports.

Bookmarks are added manually, as the result of an automated triage, or as the output of a script. For more information about adding bookmarks see Chapter 16 above. Care should be taken to arrange the bookmark structure effectively to fully maximize the use of the report templates discussed in this chapter.

17.2 THE REPORTS MODULE

The Reports module is accessed via the Reports tab.

Figure 159: Reports module tab.

The Reports module is divided into three main sections, as shown in Figure 160 below:
1. Reports tree
2. Preview window
3. Report Editor window

Figure 160: Reports module showing the Triage Report.
(Export options: Examiner Notes; Image type: Encase L01 File; Segment Size (MB): 2000; Hash Options: Calculate image MD5; Encase Compression: None, Good (smaller but slower), Best (smallest and slowest); Destination File.)

Include folder data: If selected, the folder is treated as a file and its content included in the image. This may not be desirable, as the folder data can contain information about other files that have not been selected to be part of the L01 content. If this option is disabled, the image will contain only the folder name.

Calculate image MD5: If selected, an MD5 hash for the entire L01 file is calculated and stored within the file. Note: Individual files within the LEF are automatically MD5 hashed and each value is stored.

To validate an L01 file in Forensic Explorer:
1. Add the L01 file to a case or a preview.
2. Add the L01 Hash column to the list view of the File System module (refer to paragraph 9.8 for information on adding a column). This column shows the MD5 hashes created at the time of acquisition and stored within the L01 file.
3. Use the Hash Files button to calculate the current MD5 hash for each file.

Figure 85: Hash Files button in the File System module toolbar.

4. Add the MD5 hash column to the Fil
hierarchical structure. The root, also referred to as the root folder or root directory, is the first level folder of the hierarchy. It is analogous to the root of a tree from which the trunk and branches arise. A directory that is below the root is called a subdirectory. A directory above a subdirectory is called its parent directory. The root is the parent of all directories. Directory was a more common term when DOS use was prolific; the DIR command is used in DOS to list the contents of a directory. Directories are now more commonly referred to as folders.

A script is a computer program written to perform a specific task. Forensic Explorer has a Scripts module which allows the investigator to write Pascal language scripts.

A sector is a specifically sized unit of storage on a hard disk. A sector on a hard disk usually contains 512 bytes. A group of sectors forms a cluster, which is the lowest level of storage space which can be addressed by an operating system, e.g. Windows.

Short File Name refers to a file or a folder on a FAT file system that has a file name that can be stored in the 8.3 file name format (8 name characters with 3 characters for the extension). The name and metadata for an SFN file can be stored within a standard FAT directory entry.

Signature analysis compares a file's header with its extension. A mismatch may justify closer examination. Identifying a file by its signature is a more accurate m
Appendix 3: File Carving

APPENDIX 3 FILE CARVING

The following file types are supported by Forensic Explorer's inbuilt file carving component. Refer to Chapter 23, Data Recovery, for more information.

Microsoft Office
• Access Database (mdb)
• Microsoft Excel Worksheet (xls, xla, dt)
• Microsoft Excel Worksheet XLSX (xlsx)
• Microsoft PowerPoint Presentation (ppt)
• Microsoft Word Document (doc, dot, asd)
• Microsoft Word Document DocX (docx)
• Open Office Document (odt)
• Open Office Spreadsheet (ods)
• Outlook Email file (pst, pab)

Camera
• Canon Raw graphics file (crw)
• JPEG Digital Camera file (jpg, jpeg)
• Olympus RAW file (orf)
• TIFF Graphics file (tif, tiff, epx, nef, arw)

Music
• iTunes audio file (m4a, m4b, m4p)
• MP3 Music file (mp3, mp, mp1, mp2)
• Musical Instrument Digital Interface file (mid, midi)
• WAVE Multimedia file (wav)

Video
• ASF/WMA/WMV Multimedia file (wmv, asf, wma, asx)
• AVCHD Multimedia file (mts, m2ts, hdtv)
• AVI Multimedia file (avi)
• MOV Multimedia file (Quicktime) (mov, mp4)
• MPEG Multimedia file (mpg, mpeg, miv)
To preview a group or a section:
• In the Report tree, click on a group or a section.

Figure 163: Report Editor Preview.

The Report Editor Edit window gives access to edit an existing report or to design a new report.

To open the report Edit window:
• In the Report tree, double click on a section.
• The Edit tab then appears in the Report Editor next to the Preview tab.

17.5 CREATING REPORTS

Whilst the Forensic Explorer Reports module can be effectively used to create one-off reports on a case by case basis, the power of the module comes from the ability to design, use and then re-use automated report templates in future cases.

As described in the sections above, Forensic Explorer reports are created from bookmarked items. A methodical approach to bookmark structure will ensure that report templates can be used again and again.

Forensic Explorer can report on a single bookmarked item and its attributes, or iterate through a list of bookmarked files and their attributes. The fol
hash (EnCase 6 format): no conversion is necessary.

Flat Hash Set: A list of hash values in a text file. A Flat Hash Set must have a file extension of .txt, .md5, .sha1 or .sha256. See 21.8.2 below.

The default hash set location is the Documents\Forensic Explorer\HashSets folder of the user profile.

21.7 DOWNLOAD HASH SETS

Hash Sets for use with Forensic Explorer are available for download from http://www.forensicexplorer.com/hashsets.php. Hash sets from other trusted locations can also be used.

21.8 CREATING HASH SETS

Before creating a custom hash set, files in a case must be hashed. Follow the instructions in 21.5 above.

To create a new Forensic Explorer Hash Set:
1. Click the Create Hash Set button in the File System module toolbar and select FEX Hash Set.

Figure 197: Create Hash Set (FEX Hash Set, MD5 Flat Hash Set, SHA1 Flat Hash Set, SHA256 Flat Hash Set, Manual Flat Hash Set).

The following window will display (Source: Hashable Items, 845 items, 1.24 GB (1,327,384,464 bytes); Checked items: 0 items, 0 bytes; HashSets; Identified As).

2. Click the New Set button. Check the type of hash(es) to be used in the set (MD5, SHA1 and SHA256). A new hash set will be added to the
which gives the content of 8 bits, i.e. 1 byte.

Image: See Forensic Image.

Index Search: An Index Search is the process of creating a database of search words in the case so that, after the index is created, an instant search is possible. Forensic Explorer uses the third party application dtSearch (www.dtsearch.com) for this process.

INFO2: Windows automatically keeps an index of what files were deleted, including the date and time of the deletion. The index is held in a hidden file in the Recycle Bin called INFO2. When the Recycle Bin is emptied, the INFO2 file is deleted. Recovery and analysis of deleted INFO2 files can provide important information about files that were once located on the computer.

Investigator: In this user guide, Investigator is used to describe the computer forensics examiner, i.e. the user of Forensic Explorer. The investigator is responsible for creating and developing the case file.

Item: In Forensic Explorer the term item is a generic term used to describe a piece of data. The data could be a file, folder, partition, metadata entry (FAT, MFT), unallocated clusters, or other such data that can be isolated and examined.

iTunes Backup: iTunes Backups are created by iTunes. When an Apple device (iPhone, iPad, iPod) is con
2. The Select Investigator window opens so that the person who is about to work on the case can be identified. Select your name from the drop down list. Click Edit to preview and change your details if required. If your name does not appear in the drop down list, click New to create a new investigator. Click OK to continue.

Figure 108: Select Investigator window.

The evidence in the case will then populate and display in the Evidence window of the Evidence module.

Recent cases can quickly be opened by selecting the case name from the Recent Cases list on the Evidence module. When a recent case is highlighted in the Recent Cases list, the case description entered when the case was created will be displayed in the description field, as shown in Figure 109 below.

Figure 109: Evidence module, Cases tab, open recent cases (Recent Cases: Test Case 2, Graham Henley, 06 Jun 12 12:25:47 PM; Test Case 1, Graham Henley, 06 Jun 12 12:25:00 PM; description: This is test case 3).

10.4 ADDING EVIDENCE

Evidence in Forensic Explorer can be:
• A device
• A forensic image
• A registry file
• A file

IMPORTANT: When working with physical devi
• Adaptive MultiRate Audio (amr)
• ASF/WMA/WMV Multimedia file (wmv, asf, wma, asx)
• Audio Interchange file format (aif, aiff)
• CakeWalk Pro (cwp)
• Digital Speech File (dss)
• Digital Voice File (dvf)
• Finale Music file (mus, fan)
• Flash (fla)
• Fruity Loops file (flp)
• Jet Voice File (sc4)
• Kaydara FBX Binary (fbx)
• Logic Audio (lso)
• Ogg Vorbis Media (oga, ogm, ogv, ogx)
• RealAudio file (ra, ram, rm)
• Reason (rns)
• RIFF Multimedia file (rif, riff, avi, cdr, npr, wav, rmid)
• Sibelius Music file (sib, lib)
• WAVE Multimedia file (wav)

Email
• Exchange Server Database (edb)
• Lotus Notes (nsf)
• Outlook Address file (wab)
• Outlook Email file (pst, pab)
• Outlook Express Email file (dbx)
• Outlook MSG (msg)
• Yahoo Messenger (dat)

Databases and Financials
• Access Database (mdb)
• Access Project (adp)
• Ancestry Family Tree (aft)
• CanTax T1 Personal (p00, p96, p97, p98, p99, p01, p02)
• CanTax T2 Corporate (c00, c96, c97, c98, c99, c01, c02)
• DBase/FoxPro Database file (dbf, scx, dbc)
• EndNote (enl)
• FileMaker (fp7, fp3, fp5, fp8)
• FoxPr
Adding evidence on page 129.

A preview can be saved as a case at any time by selecting the Save button in the Evidence module, or by using the Forensic Explorer > Save Case drop down menu item. When a preview is saved, information in the preview GUID folder is transferred to a case folder (see the New Case section below) and the GUID folder is deleted.

10.2 NEW CASE

To create a new Case:
1. Click the New button in the Evidence module.

Figure 102: Evidence module, New Case button.

The New Case window will open, as shown in Figure 103 below.

Figure 103: New Case window (Case Name: Case 123; Investigator: Graham Henley; Working Folder: D:\Graham\Documents\Forensic Explorer\Cases\Case 123; Case Summary: This is a test case; Case Created: 21 Oct 12 7:34:28 AM).

Enter the relevant case details:

Case Name: requires a unique name, which is automatically used to create the case folder in the working path.

Investigator: can be selected from the drop down list, or click the New button to create a new investigator. Forensic Explorer records activity in a case by assigning each investigator a unique investigator ID (GUID). Investigator details are stored in the case file and will be transferred with the case file if it is moved from one analysis computer to another. In
• The name of the item (system file, partition, etc.) or the name of the file.
• The suffix to the file name, for example .jpg, which indicates the file format. This column reports the given file extension only and does not validate it as correct.
• A colored flag added by the investigator to mark a file.
• Displays the location of the file. The case name and examined device name are included in the path.

Attributes: File attribute settings: R (Read only), A (Archive), S (System file), H (Hidden file).

File Signature: This column receives data after a file signature analysis (see Chapter 22, File Signature Analysis). If the column contains an extension, it means that the file signature has been identified.

Logical Size: The size of the file in bytes.

Physical Size: The total size of the clusters occupied by the file.

Modified: The date and time that a file was opened, edited and saved.

Created: The date and time a file was created in its current storage location, not necessarily the original creation date of the file itself.

Accessed: The date and time a file was last accessed. Note that automated activities such as a virus scanner may cause the last accessed date of a file to be updated.

Bookmark Folder: A folder into which a bookmarked file is placed in the Bookmarks module.

Is Deleted: True or false to indicate whether a file is deleted.

It is possible to add columns usin
However, importantly:
• the file attributes within the unallocated MFT record remain intact;
• the data for the file remains untouched.

When new data is written to the MFT record or the clusters holding the data, the possibility for successful recovery of the deleted file is diminished.

In Folders view, a folder is created by Forensic Explorer called Orphans. Orphans are deleted folders and files for which the original parent folder is unknown. From the investigator's perspective, an orphaned file can be treated in an investigation the same way as any other deleted file. The only difference is that it is no longer possible to determine the location of the file or folder within the directory structure prior to deletion.

An example of how NTFS folders and files can become orphaned is as follows:
1. A folder on an NTFS drive, PARENT 1, is deleted by the user. At this point PARENT 1 and its content, CHILD FOLDER 1, are deleted files.
2. The user then saves a new file. The MFT record for PARENT 1 is re-used to store information for the new file. The MFT information for PARENT 1 is now overwritten and destroyed.
3. The computer is then forensically imaged and examined.
4. Forensic Explorer reads the file system and CHILD FOLDER 1 is located. Forensic Explorer then tries to trace the parent folder but determines that
Keyword Name: Keyword Name is used to describe the search term; the Keyword Name is NOT the search term. For example, when searching for a credit card number with a RegEx expression 456431HHHHHHHHHHI, the Keyword Name can be Visa Cards.

Search Expression: The Search Expression field is where the keyword is entered.

Case Sensitive: If Case Sensitive is checked, the keyword search will match the exact case used in the Search Expression field.

Status: The Status field provides real time feedback on the validity of the search expression entered.

Once the keyword is entered, press the OK button to add the keyword to the Keyword Management list.

To edit a keyword:
1. Highlight the keyword with the mouse, then:
   a. double click on the keyword; or
   b. select the Edit button from the toolbar; or
   c. right click and select Edit Keyword from the drop down menu.
2. In the Edit Keyword window, make the appropriate edit and click OK to save the changes. The adjusted keyword should now appear in the Keyword Management list.

To delete a keyword:
1. Highlight the keyword with the mouse, then:
   a. click the keyword delete icon; or
   b. right click on the highlighted keyword and select Delete Keyword from the drop down menu.
2. Click OK to confirm the deletion.

See also deleting a keyword group below.
26. Name, Date/Time stamp.
Does the image mount independently in Mount Image Pro v6?
• Run Mount Image Pro v6 as a stand-alone program.
  o Ensure that Mount Image Pro is activated.
  o Ensure that the Mount Image Pro drivers are correctly installed, as shown in Figure 240 below.
Figure 240: Mount Image Pro drivers (Disk x64 v6.3.0.32, Service Started; FileSystem x64 v6.1.0.22, Service Started).
• Manually mount the required image in Mount Image Pro using Mount Disk, PNP, Write to Cache. Confirm that the image mounts successfully.
Does the image that you are trying to boot contain a valid Windows file system?
• In the Forensic Explorer File System module, examine the file and folder structure to confirm that the image has a valid bootable Windows file system. Check that this folder is also accessible in the mounted image.
NOTE: Live Boot does not currently support Windows 8 GPT.
Contact technical support (see Appendix 1 Technical Support) with the supporting information from the above checks.
[Chapter 27 Live Boot]
Chapter 28 Working with
In This Chapter: 28.1.1 Locating Apple UUID Backup Folders
27. A Thumbs.db file is created to store picture thumbnails that are used for display in Windows Explorer. The Thumbs.db is located in the same folder in which the pictures represented by the thumbnails reside. From Windows Vista onward, Thumbs.db was largely replaced by Thumbcache, described below. However, it is still possible to locate Thumbs.db files in more recent Microsoft operating systems; they are created when viewing remote or mapped drives in Windows Explorer.

Beginning with Windows Vista, a Thumbcache database is created and stored under a user's profile in the path C:\Users\UserName\AppData\Local\Microsoft\Windows\Explorer. The files containing the thumbnails are named according to their maximum pixel size, that is thumbcache_32.db, thumbcache_96.db, thumbcache_256.db and thumbcache_1024.db.

As Parsonage (2012) observes: "A large proportion of computer users have no knowledge of the presence of Windows thumbnail databases, so that whilst they might delete incriminating pictures, the evidence of their illicit activity often remains in the thumbnail databases." [21]

Further suggested references include:
• Larson, Troy. Windows 7 Thumbnail Cache. Slideshare [Online], October 2010. http www slideshare net ctin windows 7 forensics thumbnaildtlr4
• Hurlbut, Dustin. Thumbs DB Files Forensic Issues [Online], September 2014. https ad pdf s3 amazonaws com wp Thumbs DB Files en us pdf
28. • Mount as read-only or simulate disk writes.
• Mount the physical drives into Windows Disk Management.
• Mount from the command line.
• Mount logical image files created by EnCase and FTK.
These features are more fully described at www.mountimage.com and in the support documentation for the product.
[Chapter 27 Live Boot]
In This Chapter: 27.1 Live Boot 302; 27.2 Requirements 302; 27.4 Live Boot Working Folder 304; 27.5 How to Live Boot a Forensic Image 305; 27.5.1 Installing VMWare Tools 308; 27.6 Live Boot and Windows User Passwords 310; 27.6.1 Windows User Password Recovery 310.

27.1 LIVE BOOT
Forensic Explorer Live Boot enables an investigator to boot a forensic image, or a write-protected physical hard drive, containing a Windows operating system. The investigator can then operate the computer in a forensically sound virtual environment. Utilizing Live Boot as part of a forensic examination can give insight into computer use that may not be as readily evident when examining file system records alone. For example, viewing the desktop icon layout, menus and ru
29. file hashing, file carving, running scripts, creating indexes, etc. Processes are tracked in the processes list, accessed from any Forensic Explorer module in the bottom right-hand corner of the main program screen.
Figure 39: Forensic Explorer processes window (for the NIST Windows 7 Test Image: New Case Completed, Time Taken 00:00:01, 3:55:44 PM; Search for Known MBRs, Time Taken 00:00:00; Search for Filesystems, Time Taken 00:00:01, 3:56:23 PM; Verify Device Hashes, Verifying device hashes).
The purpose of the list is to:
• visually show the progress of running processes;
• identify processes which have completed, their duration and the time completed;
• cancel a running process (the Cancel button terminates a thread gracefully);
• terminate a thread that is not responding to the cancel process;
• allow access to process logging (see 7.5 below).
Figure 40: Accessing Process Cancel and Terminate options via the Processes window drop-down menu (Cancel, Terminate, Log).
[Chapter 7 Forensic Explorer Interface]

7.5 PROCESS LOGGING AND PRIORITY
When a task is run in Forensic Explorer, the investigator can set Logging and Priority options, as shown in Figure 41 below.
Figure 41: Setting Logging and Priority options.
The Logging setting determines the detail of case proce
30. from column 3.
[Chapter 28 Working with]
This window is itself a script, located in the Scripts module > File System > ITunes Backups folder. It is used to execute additional scripts also located in that folder. Existing scripts are summarized as follows:

ADDRESS BOOK
Source: ITunes Backup File 31bb7ba8914766d4ba40d6dfb6113c8b614be442 (Library/AddressBook/AddressBook.sqlitedb).
Description: list of contacts in a SQLite database.
Output: the script bookmarks the Address Book SQLite database file. View the contents of the database in Display view.

Source: ITunes Backup File. JPG and MOV files in the CameraRoll domain are identified by a file signature analysis.
Output: files are bookmarked under the CameraRoll folder of the relevant ITunes Backup UUID folder.

Source: ITunes Backup File. All JPG files are identified by a file signature analysis.
Output: files are bookmarked according to the Apple Domain in which they reside. This is very useful for identifying applications that use image files, such as kik messenger (kik.com).

Source: ITunes Backup File Library/Keyboard/dynamic-text.dat. Note that the path and the subsequent UUID will change with language settings. For example, Library/Keyboard/en_AU-dynamic-text.dat is the
31. pbm
• PrintMaster: hor, biz
• QuarkXPress file: qxp, qxd, qxb, qu
• QuickCAD: cad
• ShockWave Flash: swf
• Sigma X3F Raw: x3f
• SmartDraw file: sdr, sdt
• SwishMax: swi
• Thumbnail file: db
• TurboCAD for Windows: tcw
• Windows Metafile: wmf
• XARA Graphic file: xar
Documents:
• Adobe PageMaker: pmd, p65
• Adobe Premier Project: ppj
• Avery DesignPro: zdp
• Casio Disk Title: ctw
• CoolPage: cpg
• Corel Presentation File: shw
• Crystal Reports: rpt
• Diablo Save: d2s
• Electronic Publication: epub
• Etax file: efx
• Family TreeMaker: ftw
• FamilySearch file: paf
• Final Draft: fdr, fdt
• Final Fantasy 7: ff7
[Appendix 3 File Carving]
• Fudemame: fwa
• Fudeou: fzd
• Generic Email: mht
• Hangul Document: hwp
• Ichitaro Document: jtd
• InteractWeb Reports: rpt
• Label Mighty: jlb
• Lotus 123: wk3, wk1, wk2, wk4, wks, fm3, wbd, 123
• Lotus WordPro file: lwp
• Mapsource 2 file: mps
• Microsoft Excel Worksheet: uds ada odt
• Microsoft Excel Worksheet (XLSX): xlsx
• Microsoft
32. that the actual size of the drive is usually smaller than what the drive is labeled. Drive manufacturers usually round up the drive capacity, so a 453.99 GB drive in this screen may be sold as 500 GB.
FS: the file system on the drive, e.g. FAT, NTFS or HFS.
Type: describes the way in which the drive is connected to the computer.
To add a physical or logical device:
1. Highlight the required physical or logical device and click OK; or
2. To add a RAID, click the Add Raid button to access the RAID selection window. Refer to Chapter 24 RAID for more information about examining RAID devices.
   Troubleshooting: if the drive is not listed, check for basic connection issues (cables, power, etc.). Check Windows Disk Management to ensure the device is being correctly recognized. Press the refresh button to refresh the Device Selection window.
3. Click OK to add the device. The Evidence Processing Options window will open. See 10.5 Evidence Processor below.

10.4.2 ADDING A NETWORK DEVICE
Forensic Explorer has the capability to examine remote devices across a network using the UDP protocol. User Datagram Protocol is one of the core members of the Internet Protocol Suite.
DEPLOY THE GETDATA UDP NETWORK SERVER
To examine a network device it is necessary to deploy and run the GetData UDP Network Server (GetDataNetworkServer.exe) on the remote computer. This file can be found in the Forensic Explorer installation folder. When the GetD
33. unallocated clusters, directory entry or other such data. In order to perform an action on an item it is usually either first highlighted or checked, or both. An action on a highlighted file is independent of an action on a checked file.
A highlighted item is one that has been selected with the mouse, and the item has changed color. It is possible to highlight one or more items.
To highlight multiple consecutive items:
1. Highlight the first file with the mouse and then press and hold the Shift key.
2. While holding the Shift key down, click the last file. This will highlight all the files in between the first and last file.
[Chapter 9 Working with data]
To highlight multiple non-consecutive items:
1. Highlight the first required file with the mouse and then hold the Ctrl key.
2. While holding down the Ctrl key, highlight each of the other required files.
Figure 81: Highlighted items (Full Path column listing files under Preview\FAT32 Photos.E01\Partition 63, including PIGS.JPG, REDPANDA.JPG and _UNNY.JPG).
34. 1. In the Evidence module start a new case or preview.
2. In the Evidence module click the Add File button.
3. Select the PST file to add. Click Open.
The PST file will then be added to the case. Forensic Explorer will detect that it is a PST file and add the content to the Email module.
To add a PST file from within an existing case to the Email module:
1. Locate the relevant PST file in a module.
2. Right-click on the PST file and select Send to Email Module in the drop-down menu.
The content of the PST file will then be populated in the Email module.

14.4 INDEX SEARCH THE EMAIL MODULE
Data that has been added to the Email module can be independently indexed or keyword searched.
To index the content of the Email module:
1. In the Index Search module create a new index.
2. In the New Index window select Email as the target module.
Figure 142: Index Search module, New Index window (Name: Index of email in the Email Module; Items to index: Searchable items, 2 items).
Important: creating an index of the content of the Email module is NOT the same as indexing a PST file that is located in the file system. DTSearch will already index a PST file that is located in the file system.
[Chapter 14 Email Module]

14.5 KEYWORD SEARCH THE EMAIL MODULE
To keyword search the conte
35. 19 Custom Modules
19.1 ABOUT CUSTOM MODULES
The flexibility of Forensic Explorer means that a custom module can be created and populated with data entirely from scripts.
19.2 BROWSER HISTORY MODULE
The Browser History module is a custom module created from script. Browser History scripts are located in the Scripts module at the path Scripts\Internet\Browser History. Browser history scripts include:
• Module Browser History Create.pas, which creates the module;
• individual scripts, such as History Process Chrome.pas, that extract browser history from the relevant files and populate the module with data.
A number of browsers store data in an SQLite database format. For example, the Chrome browser stores history data in the SQLite History file. This data is extracted and populated into the module using an SQL statement.
19.3 PHONE MODULE
The Phone module is a custom module created from script. The Phone module is created by the script Scripts\Phone\Phone Module Create.pas. The scripts folder Scripts\Phone\iPhone contains scripts specific to the extraction of data from iPhone devices and iTunes backups. iPhones commonly store data in one of the following formats:
• as standard media files (e.g. JPG, PNG);
• Plist;
• XML;
• SQLite.
Each script is designed to extract the intended data and populate the Phone module. There are, however, a great many files within an iPhone that may be relevant to an investigation. If the r
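The SQL-based extraction described in 19.2 above, shown as an added Python example rather than one of Forensic Explorer's .pas scripts (this is not the project's code). It assumes a Chrome History database with the urls and visits tables, which is built here in memory as a constructed stand-in; Chrome timestamps are microseconds since 1601-01-01 UTC, so the query result is converted before it is reported.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Added example, not a Forensic Explorer script. Chrome's History file is
# SQLite; its timestamps count microseconds from 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(microseconds):
    """Convert a Chrome/WebKit timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def make_sample_history():
    """Constructed in-memory stand-in for a Chrome History file.

    Only the columns the query below needs are modelled; a real file holds
    many more and lives under the user's browser profile folder.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, from_visit INTEGER);
        INSERT INTO urls VALUES
            (1, 'http://example.com/',      'Example', 2, 13200019200000000),
            (2, 'http://example.org/login', 'Login',   1, 13200022800000000);
        INSERT INTO visits VALUES
            (1, 1, 13200015600000000, 0),
            (2, 1, 13200019200000000, 0),
            (3, 2, 13200022800000000, 2);   -- visit 3 was reached from visit 2
    """)
    return conn

# One statement resolves each visit to its URL, title and the referring URL.
HISTORY_SQL = """
    SELECT v.id, u.url, u.title, v.visit_time, f.url AS referrer
    FROM visits v
    JOIN urls u ON u.id = v.url
    LEFT JOIN visits fv ON fv.id = v.from_visit
    LEFT JOIN urls f ON f.id = fv.url
    ORDER BY v.visit_time
"""

def extract_history(conn):
    """Run HISTORY_SQL and return rows with human-readable UTC times."""
    rows = []
    for vid, url, title, visit_time, referrer in conn.execute(HISTORY_SQL):
        rows.append({
            "visit_id": vid,
            "url": url,
            "title": title,
            "visited_utc": webkit_to_utc(visit_time).strftime("%Y-%m-%d %H:%M:%S"),
            "referrer": referrer,
        })
    return rows

if __name__ == "__main__":
    for row in extract_history(make_sample_history()):
        print(row)
```

The conversion matters because the raw visit_time values are not Unix time; reporting them without the 1601 epoch adjustment shifts every visit by 369 years.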
36. 298
Chapter 27 Live Boot 301
27.1 Live Boot 302
27.2 Requirements 302
27.4 Live Boot Working Folder 304
27.5 How to Live Boot a Forensic Image 305
27.6 Live Boot and Windows User Passwords 310
27.7 Troubleshooting Live Boot 313
Chapter 28 Working with 315
28.3 Thumbnails in Forensic Explorer 327
Chapter 29 331
29.2 Copyright 332
29.3 License 332
Appendix 1 Technical Support 335
Appendix 2 Write Blocking 337
Appendix 3 File Carving 339
Appendix 4 Summary of Date and Time 345
Appendix 5 References 347
Appendix 6 Definitions
37. 4 GHz or faster processor
• 1 GB RAM
• 32-bit and 64-bit compatible
When processing large volumes of electronic evidence, a high-specification forensic workstation is recommended.

4.2 DOWNLOAD
Full purchased version: your email received at the time of purchase will contain download instructions for the software.
30-day evaluation version: see Chapter 2 30 Day Evaluation Version for further information on the evaluation version.

4.3 INSTALLATION
IMPORTANT: ensure that you have a separate and secure backup of case files before you make installation modifications.
To install Forensic Explorer:
• Run the installation file ForensicExplorer Setup.exe (or ForensicExplorer Evaluation Setup.exe if you are installing the 30-day evaluation version).
• Follow the setup instructions.
The following windows will appear during the installation process:
1. Forensic Explorer License agreement. Answer the question and click Next.
2. Select the installation language. Click Next.
3. Enter the correct installation path or accept the default path, e.g. C:\Program Files\GetData\Forensic Explorer vX, and click Next.
[Chapter 5 Dongle Activation Maintenance]
Figure 10: Selecting the installation folder (Setup: Forensic Explorer, Select Destination Location: "Where should Forensic Explorer be installed?" Setup will install Forensic Explorer into
38. 5.3 APPLYING MAINTENANCE UPDATES TO YOUR WIBU DONGLE
Once a maintenance update has been purchased, to update maintenance on your Wibu dongle:
1. On a computer which has internet access, insert your Wibu dongle into a USB port. Remove any other Wibu dongles that you may have for other products.
2. Run the GetData License Manager located in the installation folder of Forensic Explorer. The default location is C:\Program Files\GetData\Forensic Explorer vx\License Manager.exe.
3. The GetData License Manager will detect your Wibu dongle, as shown in Figure 26 below. The existing maintenance expiration date is displayed in the Maintenance column.
Figure 26: GetData License Manager (v1.1.0.58; Dongles and Debug Log tabs; detected Wibu Dongle 2-2298792).
4. Select Forensic Explorer from the product list and press the ADD button.
5. In the Add Licenses window enter the License key that you received with your renewal order. Press the Search key.
6. Select the renewal from the available product list. Then click the Apply button.
7. Return to the main screen of the License Manager. Click the refresh button to display the new maintenance date.
For further assistance in applying maintenance updates to your Forensic Explorer dongle please contact support@getdata.com (see Appendix 1 Technical Support for full contact details).
39. 9.6.2 Export Logical Evidence File (L01) 107
9.6.3 Export Delimited Rows (csv or tab) 109
9.7 Send to Module 110
9.12 Copy Rows to Clipboard 119
[Chapter 9 Working with data]

9.1 WORKING WITH DATA
Forensic Explorer modules and data views share common functions used to view, analyze and manage case content. These functions are either performed directly within the view or are accessed by a right-click menu, as shown in Figure 80 below.
Figure 80: Right-click menu in the File System list view (Add Bookmark; Edit bookmark comment; Open; Open with; Expand compound file; Export; Send to Module; Columns; Sorting; Flags; Date Filter Tool; Text Filter Tool; Copy row(s) to Clipboard; Copy cell).

9.2 HIGHLIGHTED AND CHECKED ITEMS
In Forensic Explorer actions are performed on items. An item is an addressable piece of data. An item can be a device (e.g. physical drive, logical drive or image file), a file, folder, partition, metadata entry (FAT, MFT, VBR, MBR
40. [Chapter 23 Data Recovery]
23.2 FAT DATA RECOVERY
When a file is deleted from a FAT file system, the content of the file remains available for recovery from the newly unallocated clusters. The original data will remain in each cluster up until such time as it is used to store new data and the previous content is overwritten. If only a percentage of the clusters are reused, then partial recovery, or the recovery of a data fragment, may still be possible. If all clusters are re-used, all original content is overwritten and destroyed.
Forensic Explorer automatically displays deleted files and folders in Folders view and File List view. They are marked with the following icons:
• Deleted file
• Deleted folder
An example is shown in Figure 207 below.
Figure 207: Deleted folders and files in the File System module Folders view and File List view (FAT32 Photos.E01, Partition 63 NO NAME, Root, with an Orphaned folder and the folders Aquatic, Birds, Cranes, Flamingos, Flowers and Landscape; the file list includes African Elephant.jpg, Buffalo.jpg, koala.JPG, PIGS.JPG, REDPANDA.JPG and the deleted _UNNY.JPG).
FAT IDENTIFYING DELETED FILES
In a FA
41. ControlSet001\Control\TimeZoneInformation\StandardName: Central Standard Time

20.5 DAYLIGHT SAVING TIME (DST)
Daylight saving time (DST) involves the advancing of clocks, usually by 1 hour, to add more daylight in the evenings at the expense of less daylight in the mornings. Depending on where you are in the world, it can be implemented on a country, region or state-by-state basis. Generally DST is a practice that is undertaken in summer months, when more daylight is available, meaning that it is implemented at different times in the Northern and Southern hemispheres.
Forensic Explorer automatically adjusts the times for DST based upon when the date occurred. The investigator does not need to make additional changes.
DST UNITED STATES OF AMERICA
In the United States the days of the year when DST time changes were made (i.e. clocks put forward and then put back) were first regulated in 1986. In 2007 the Energy Policy Act extended these dates by an additional four weeks.
United States DST:
Years | Clocks forward 1 hour | Clocks back 1 hour
1986-2006 | First Sunday of April | Last Sunday of October
2007 onward | Second Sunday of March | First Sunday of November
Microsoft released a patch for the NTFS file system to compensate for the 2007 change. See http://support.microsoft.com/kb/931836 for further information. If the examiner's forensic workstation is patched, Forensic Explorer will convert the dates in the additional four wee
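The United States DST table above, implemented as an added Python example (not Forensic Explorer code and not from the manual). It assumes the day-of-week rules are applied with the usual 02:00 local transition hour, and it uses the Central time zone named in the registry key above (UTC-6 standard, UTC-5 daylight) for the UTC conversion. The in_extended_window function identifies the "additional four weeks" dates, which are the ones an unpatched workstation would convert with the old rule and therefore report one hour out.

```python
from datetime import date, datetime, time, timedelta

# Added example encoding the manual's "United States DST" table.
# Not Forensic Explorer code. Assumptions: 02:00 local transition hour,
# Central time (UTC-6 / UTC-5) for the UTC conversion.

def _nth_sunday(year, month, n):
    """Date of the n-th Sunday of a month (weekday(): Monday=0 ... Sunday=6)."""
    first = date(year, month, 1)
    return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))

def _last_sunday(year, month):
    """Date of the last Sunday of a month."""
    nxt = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last = nxt - timedelta(days=1)
    return last - timedelta(days=(last.weekday() + 1) % 7)

def us_dst_bounds(year, legacy_rules=None):
    """(clocks-forward date, clocks-back date) for a year.

    1986-2006: first Sunday of April / last Sunday of October.
    2007 onward: second Sunday of March / first Sunday of November.
    legacy_rules=True forces the pre-2007 rule for any year.
    """
    if year < 1986:
        raise ValueError("the table covers 1986 onward")
    if legacy_rules is None:
        legacy_rules = year < 2007
    if legacy_rules:
        return _nth_sunday(year, 4, 1), _last_sunday(year, 10)
    return _nth_sunday(year, 3, 2), _nth_sunday(year, 11, 1)

def in_extended_window(d):
    """True when d is DST under the 2007 rules but not under the old rules.

    Accepts a date or an ISO date string. Dates in this window are the
    'additional four weeks' where an unpatched workstation converts with
    the wrong offset.
    """
    if isinstance(d, str):
        d = date.fromisoformat(d)
    if d.year < 2007:
        return False
    new_start, new_end = us_dst_bounds(d.year)
    old_start, old_end = us_dst_bounds(d.year, legacy_rules=True)
    return (new_start <= d < new_end) and not (old_start <= d < old_end)

def utc_to_central(utc_dt):
    """Convert a naive UTC datetime (or ISO string) to Central local time.

    Returns (local_datetime, 'CST' or 'CDT'). DST begins at 02:00 standard
    time (08:00 UTC) and ends at 02:00 daylight time (07:00 UTC).
    """
    if isinstance(utc_dt, str):
        utc_dt = datetime.fromisoformat(utc_dt)
    start, end = us_dst_bounds(utc_dt.year)
    start_utc = datetime.combine(start, time(2)) + timedelta(hours=6)
    end_utc = datetime.combine(end, time(2)) + timedelta(hours=5)
    if start_utc <= utc_dt < end_utc:
        return utc_dt - timedelta(hours=5), "CDT"
    return utc_dt - timedelta(hours=6), "CST"

if __name__ == "__main__":
    for year in (2006, 2007, 2008):
        print(year, us_dst_bounds(year))
    print(utc_to_central("2007-03-11T08:00:00"))
    print(in_extended_window("2008-03-20"))
```

Running it shows why the 2007 change matters to an examiner: a file-system timestamp recorded on 20 March 2008 is daylight time under the current rule but standard time under the old one, so the two conversions disagree by exactly an hour.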
42. Property | Value | Raw Value | Type
Date | 14 Jul 09 | 15086 | Word
Start Cluster FAT12 | 2,017 | 2017 | Word
Start Cluster FAT32 | 2,017 | 2017 | LongWord
Filesize | 777,835 | 777835 | LongWord
Long file Record 1 | | |
LFN String | Penguins.JPG | Penguins.JPG | UString
LFN Sig byte | 65 | 65 | Byte
LFN Attribute | 15 | 15 | Byte
Preview\FAT32 Photos.E01\Partition 63 NO NAME\Root\Animals\Aquatic\Pens
[Chapter 8 Data Views]
(Raw byte window of the directory entry, partially garbled in the source: 50 45 4E 47 55 49 4E 53 4A 50 47 20 00 ... EE E1 07 6B DE 0B 00, i.e. the name PENGUINS JPG, the start cluster and the file size.)
The Filesystem Record view shows:
Value: the value of the property entry as interpreted by Forensic Explorer.
Raw Value: the raw data as read from the file system record or registry entry.
Type: the type of data read from the file system record or registry entry.
The adjacent window displays the raw data from which the individual records have been decoded. Figure 75 above shows the records for the file Penguins.JPG. Clicking on the Attributes property on the left highlights in blue the raw bytes on the right from which the attribute data is decoded. The yellow highlighting differentiates the section of the FAT directory entry which is dedicated to the long file name dat
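The decoding shown in the Filesystem Record view above, together with the deleted-entry marking described in 23.2 FAT Data Recovery, as an added Python example (not Forensic Explorer code and not from the manual). The sample directory bytes are constructed here from the values the view displays for Penguins.JPG (start cluster 2017, file size 777,835, raw date word 15086, LFN sequence byte 65, LFN attribute 15); the deleted BUNNY.JPG entry and its cluster and size are invented sample values, included to show how a deleted 8.3 name loses its first character and is displayed with an underscore.

```python
import struct
from datetime import date

# Added example, not Forensic Explorer code. Decodes 32-byte FAT directory
# entries (short 8.3 entries and the long-file-name entries preceding them)
# and flags entries whose first byte was overwritten with 0xE5 on deletion.

DELETED_MARK = 0xE5       # first name byte of a deleted entry
ATTR_LONG_NAME = 0x0F     # attribute value that identifies an LFN entry

def decode_fat_date(word):
    """FAT packed date: bits 15-9 = year-1980, bits 8-5 = month, bits 4-0 = day."""
    return date(1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F)

def lfn_checksum(short_name11):
    """Checksum of the 11-byte short name carried in every LFN entry (byte 13)."""
    s = 0
    for b in short_name11:
        s = (((s & 1) << 7) + (s >> 1) + b) & 0xFF
    return s

def parse_directory(raw):
    """Return one dict per short entry, with any long name attached."""
    records, pending = [], []
    for off in range(0, len(raw) - len(raw) % 32, 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:
            break                                  # no further entries
        if e[11] == ATTR_LONG_NAME:
            # LFN text is split over three UTF-16LE fields; bits 0-4 of byte 0
            # give the chunk order and byte 13 the short-name checksum.
            pending.append((e[0] & 0x1F, bytes(e[1:11] + e[14:26] + e[28:32]), e[13]))
            continue
        short = bytes(e[0:11])
        deleted = short[0] == DELETED_MARK
        base = short[:8].decode("latin-1").rstrip()
        ext = short[8:].decode("latin-1").rstrip()
        if deleted:
            base = "_" + base[1:]                  # original first character is lost
        cluster_hi, wdate, cluster_lo, size = struct.unpack_from("<HxxHHI", e, 20)
        long_name = checksum_ok = None
        if pending:
            frags = sorted(pending, key=lambda f: f[0])
            text = b"".join(f[1] for f in frags).decode("utf-16-le", "replace")
            long_name = text.split("\x00", 1)[0].rstrip("\uffff")
            checksum_ok = all(f[2] == lfn_checksum(short) for f in frags)
            pending = []
        records.append({
            "name": f"{base}.{ext}" if ext else base,
            "long_name": long_name,
            "lfn_checksum_ok": checksum_ok,
            "deleted": deleted,
            "start_cluster": (cluster_hi << 16) | cluster_lo,
            "size": size,
            "modified": decode_fat_date(wdate),
        })
    return records

def build_short_entry(name11, attr, write_date_word, start_cluster, size):
    """Constructed 32-byte short entry; fields not needed here are left zero."""
    e = bytearray(32)
    e[0:11] = name11
    e[11] = attr
    struct.pack_into("<HxxHHI", e, 20, start_cluster >> 16, write_date_word,
                     start_cluster & 0xFFFF, size)
    return bytes(e)

def build_lfn_entries(long_name, short_name11):
    """Constructed LFN entries for long_name, in on-disk (reverse) order."""
    text = long_name + "\x00"
    text += "\uffff" * (-len(text) % 13)           # pad the final 13-char chunk
    chunks = [text[i:i + 13] for i in range(0, len(text), 13)]
    chk = lfn_checksum(short_name11)
    out = []
    for idx in range(len(chunks), 0, -1):
        u = chunks[idx - 1].encode("utf-16-le")
        e = bytearray(32)
        e[0] = idx | (0x40 if idx == len(chunks) else 0)   # 0x40 marks the last chunk
        e[1:11], e[11], e[13] = u[0:10], ATTR_LONG_NAME, chk
        e[14:26], e[28:32] = u[10:22], u[22:26]
        out.append(bytes(e))
    return b"".join(out)

# Constructed sample directory: Penguins.JPG values match the record view;
# the deleted BUNNY.JPG entry's cluster and size are invented.
SAMPLE_DIRECTORY = (
    build_lfn_entries("Penguins.JPG", b"PENGUINSJPG")
    + build_short_entry(b"PENGUINSJPG", 0x20, 15086, 2017, 777835)
    + build_short_entry(bytes([DELETED_MARK]) + b"UNNY   JPG", 0x20, 15086, 2100, 12345)
    + bytes(32)
)

if __name__ == "__main__":
    for rec in parse_directory(SAMPLE_DIRECTORY):
        print(rec)
```

The deleted entry still carries its start cluster and size, which is exactly what makes the content recoverable while those clusters remain unallocated; only the first character of the name is gone, hence the "_UNNY.JPG" display in the figures above.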
43. Dynamic Storage in Windows XP. Microsoft Support [Online], December 1, 2007 [Cited March 23, 2011]. http://support.microsoft.com/kb/314343
36. National Institute of Standards and Technology. CFTT Project Overview, Computer Forensics Tool Testing Program [Online] [Cited March 28, 2011]. http://www.cftt.nist.gov/disk_imaging.htm
37. Wikipedia. Host Protected Area [Online] [Cited March 29, 2011]. http://en.wikipedia.org/wiki/Host_protected_area
38. Apple Computer Inc. Technical Note TN2166: Secrets of the GPT. developer.apple.com [Online], 11/6/2006 [Cited April 5, 2011]. http://developer.apple.com/library/mac/technotes/tn2166/_index.html
39. Apple Inc. Inside Macintosh: Files. Reading, Massachusetts: Addison-Wesley, August 1992.
40. Apple Inc. HFS Plus Volume Format, Technical Note TN1150. developer.apple.com [Online], March 5, 2004 [Cited April 6, 2011]. http://developer.apple.com/library/mac/technotes/tn/tn1150.html
41. Wikipedia. Extent (file systems) [Online] [Cited 4/6/2011]. http://en.wikipedia.org/wiki/Extent_(file_systems)
42. Aomei Technology Co. Ltd. What is a Dynamic Disk. Dynamic Disk [Online], 2009 [Cited April 13, 2011]. http www dynamic disk com what is dynamic disk html
43. Lewis, Don L. The Hash Algorithm Dilemma: Hash Value Collisions. Forensic Magazine [Online], 2009 [Cited May 2011]. 4
44. (Reports module toolbar: Bookmarks, Scripts, Registry, Email; New, Print, Export As; Section Name.) The sections are described in more detail below.
[Chapter 17 Reports Module]
17.3 REPORTS TREE
The Reports tree is the location where reports are managed. This includes:
• loading a new report from a template;
• printing or exporting a report as PDF, DOC or RTF;
• deleting a report;
• renaming reports;
• rearranging sections of a report;
• exporting an edited report, or a section of a report, as a new template.
When Forensic Explorer is run for the first time and a new case or preview is commenced and evidence added, the Reports module displays the Triage Report by default, as shown in Figure 160 above. The dynamic content of the Triage report is obtained from the bookmarked files in the Bookmarks module under the My Bookmarks\Triage folder.
Figure 161: Reports tree showing the Triage Report (Triage: Title Page; Data Examined: Section Heading Data Examined, Data Examined; Registry: Section Heading Registry, Registry Triage).
45. (Folders view: FAT32 Photos.E01, Local Time, Partition 63, Root, with the folders 50th Birthday Cake (7), Architecture (209), Evw TEST SEQUENCE (60), Fish (5), Holden Photos (108), Flowers (15) and FOOD (72).)
A tree view filter is used to display only the folders which match set criteria. For example, applying the Graphics Files.pas filter will show only folders containing graphics files. The File List view in the right-hand window will also only show the applied filter criteria. Tree view filters are created using scripts. For more information on creating a Tree view filter see Filters.
One of the most powerful features of Tree view is the branch plate. When a branch plate is selected, all items beneath that plate are displayed as a single list in List view. For example, this action can be used to display the contents of a folder and all of its sub-folders and files.
To branch plate, click the required plate with the mouse. When the plate turns orange it is active.
To plate multiple branches:
1. Click the first required plate with the mouse.
2. Hold down the CTRL key and click the other required plates.
[Chapter 8 Data Views]
Figure 50: File System module Folders view, branch plate with the Aquatic and Landscape folders plated.
46. Eight colored flags are available for use. Flags are applied by highlighting an item and double-clicking the opaque flag color in the flag column, or by using the right-click Add Flag menu. Flags can also be applied by running Forensic Explorer scripts.
See Root Directory.
A forensic image is a file, or set of files, used to preserve an exact bit-for-bit copy of data residing on electronic media. Using non-invasive procedures, forensic software is used to create the image file. The image contains all data, including deleted and system files, and is an exact copy of the original. Most forensic imaging software integrates additional information into the image file at the time of acquisition. This can include descriptive details entered by the examiner, as well as the output of mathematical calculations (an acquisition hash) which can later be used to validate the integrity of the image. The forensic image file acts as a digital evidence container that can be verified and accepted by courts.
In computer forensics the term forensic integrity commonly refers to the ability to preserve the evidence being examined so that it is not altered by the investigator or the investigative process. This enables a third party to conduct an independent examination of the evidence on an identical data set. Forensic integrity is usually achieved through the use of write-blocking devices to protect original media from being changed, and the forensi
47. FAT32 Aircraft.E01\Partition 95 NO NAME\Root\WORD DOC\Golf.doc
JPG Photograph: Figure 71 shows a Byte Plot and Character Distribution for a JPG digital photograph. The visualization is consistent with a JPG file, where:
• non-printable ASCII characters (blue) are prominent in the header of the file;
• JPG metadata text (yellow) follows the header;
• the body of the JPG shows regular compressed data.
[Chapter 8 Data Views]
Figure 71: Byte Plot and Character Distribution of a .jpg file (Character Distribution, characters 0 to 250; Preview\FAT32 Photos.E01\Partition 63 NO NAME\Root\Animals\Buffalo.jpg).
RTF document: Figure 72 shows a Byte Plot and Character Distribution for an RTF document. The visualization is consistent with an RTF file, where there is no defined file header and the majority of the file appears as text.
Figure 72: Byte Plot and Character Distribution of an .rtf file (Byte Plot; Character Distribution, characters 0 to 250; Preview\File Type Test 01\Root\Text Documents\Aircraft Text\Harrier Jump Jet.rtf).
ZIP file: Figure 73 shows a Byte Plot and Character Distribution for a ZIP document. The visualization is consistent with a ZIP file, where:
• there is an even distribution of the ASCII character set, typical of compressed data.
48. Keywords can be grouped in the Keyword Management window.
To create a keyword group:
1. Click on the add group icon to open the Add Keyword Group window, or right-click in Keyword Management and in the drop-down menu select Add Group.
2. Type the keyword group name and click OK.
Figure 128: Add Keyword Group window (Keyword Group).
To rename a group:
1. Double-click on the group name to open the edit window. Edit the group name and click OK to save changes.
[Chapter 12 Keyword Search Module]
To delete a group:
1. Right-click on the group folder icon and from the drop-down menu select Delete Keyword.

12.2.4 IMPORTING KEYWORDS
A list of keywords can be imported from a text file. To prepare a keyword text file, use the following formatting:
• Indicates a comment and is ignored in the import.
• Folder: creates a folder to group subsequent keywords.
• Keyword: to add a simple list of words, one keyword is placed on each line of the text file. Blank lines are ignored.
To add additional parameters to the word, use the following format: Keyword Name, Search Expression, CaseSensitive, Regex.
In the example below two folders, Camera Types and PDF Header, are created. The Camera Types group contains a case-sensitive keyword. The PDF Header group contains a case-sensitive RegEx.
Sample Keywords.txt file: Thi
49. • Microsoft OneNote file: one
• Microsoft PowerPoint Presentation: ppt
• Microsoft Project: mpp
• Microsoft Publisher Document: pub, puz
• Microsoft Visio Drawing: vsd, vss, vst
• Microsoft Word Document: doc, dot, asd
• Microsoft Word Document (DocX): docx
• Microsoft Write / WordPad: wri
• Mime File: mht
• Mime File: mht
• MS Works 4 Document: wps
• MS Works Spreadsheet: wks
• NASCAR Racing 2003: sim
• OLE Document (e.g. MS Office)
• Open Office Document: odt
• Open Office Spreadsheet: ods
• PDF document: pdf
• QuattroPro 7 File: qpw
• Rich Text Document: rtf
• SureThing CD Labeler: dsn, std
• VI data: vi
• WordPerfect 6 to 10: wpd, wcm, wpt
• WordPerfect Documents and Graphics v8: wpa
• XML Documents: xsl, svg, xms, nib, opf, ncx
Archives:
• 7ZIP: 7z, 7zip
• Cabinet compression file: cab
• GZIP compression file: gz, gzip
• ISO 9660 CD-ROM File System: iso, iso9660
• LZH compression file: lzh
• Miliki Super Compression: qcf
• MS Backup File: bkf
• RAR compression file: rar
• Retrospect File: rfb, rdb
• TAR archive file: tar
• Zip compression file: zip, jar, afz
Multimedia:
• 3GPP Multimedia file (Quicktime): 3gp, 3g2, 3gpp, 3gp2
Search and Bookmarks.

There are two methods to manage startup modules, provided in the default startup.pas script:

1. The first method is to use startup.pas to run another script, Scripts\Common\Startup Modules.pas. This script launches a form during startup that enables the user to select the modules to be displayed.

Figure 182: Startup Modules.pas, "Manage Displayed Modules at Startup" form (Select the Modules to Display at Startup: File System, Keyword Search, Index Search, Bookmarks, Reports, Scripts, Registry, Email)

2. The second method is to hard-code the modules to be hidden into the startup.pas script. Example code to hide the Registry module is shown below:

    tempModule := ModuleManager.ModuleByName('Registry');
    if Assigned(tempModule) then
      tempModule.WillShow := False;

Note: If the Scripts module is hidden with this technique it will be necessary to edit the script using Windows Notepad, or another such program, in order to re-enable the Scripts module.

See Chapter 19. The contents of the toolbar is your own space; you can customize it as you see fit.

Startup.pas: The toolbar buttons are created on startup by the startup.pas script. If startup.pas is blank there will be no toolbars at all. It is possible to add buttons by placing code directly into startup.pas. However, in order to keep sta
Windows print dialogue will open.

To export a report as .doc, .rtf or .pdf:
• Click on the Export As button and select the desired format.
• Save the file to the desired location.

Note: .docx and .rtf do not currently support the saving of page headers and footers.

If a report has been changed, or a new report has been created, it may be beneficial to save it as a template so that it can be re-used in future investigations.

To save a report as a template:
1. In the Report tree, click on the name of the report.
2. Right-click and in the drop-down menu select Save As Report Template.
3. Browse to the required folder, or use the Make New Folder button to create a new destination.

Figure 162: Save a Report Template (Browse For Folder: Keywords; Reports > Templates > Blank Report, Full Report Sample, Gallery Illicit Images, Gallery Pictures Triage; Scripts; Startup)

4. Click OK to save the components of the report into the folder.

17.4 REPORT EDITOR

The Report Editor Preview, shown in Figure 163 below, displays the content of the currently selected report in the Report tree.

To preview the entire report:
• In the Report tree, click on the report name
a reference guide only. Not all commands and features in the documentation are available in Forensic Explorer.

Device: A device refers to the electronic media being examined. It usually refers to a physical device such as a hard drive, camera card, etc., but can also mean the forensic image of a device in DD, E01 or other formats.

Directory Entry: See Root Directory. A component of the FAT file system. Each file or folder on a FAT partition has a 32-byte directory entry which contains its name, starting cluster, length, and other metadata and attributes.

The area between the end of a partition and the end of the disk. It is usually considered to be blank, but can hold remnants of previous disk configurations or could be used to purposely hide data.

Disk View: A graphical representation in Forensic Explorer of sectors on the examined device. Disk view can be used to:
• Examine the content of the data in a specific sector(s);
• Quickly navigate to a desired sector position on the device;
• Obtain a graphical overview of the file types which make up the drive and where they are positioned on the examined media;
• Identify the location and fragmentation of individual files.

DST: Daylight Savings Time.

dtSearch: dtSearch (www.dtsearch.com) is third-party index search software built into Forensic Explorer and accessed via the Index Search module tab. See Chapter 13, Index Search Module, for more information.

Entropy: Entropy is an expression of disorder or randomness. It is used in computer forensics to me
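The following is an added example, not Forensic Explorer code: it computes the Shannon entropy and byte distribution that underlie the Entropy glossary entry and the Byte Plot / Character Distribution view, and sorts constructed sample buffers into coarse triage bands. The sample buffers and the band thresholds are this example's own assumptions.

```python
# Added example, not Forensic Explorer code: Shannon entropy and byte
# distribution of a buffer, the measures behind the glossary's Entropy entry
# and the Byte Plot / Character Distribution view. Sample buffers are constructed.
from __future__ import annotations

import math
import os
import zlib


def byte_distribution(data: bytes) -> list[int]:
    """Occurrences of each byte value 0..255 (a character distribution histogram)."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return counts


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte: 0.0 for a constant buffer, 8.0 for uniform noise."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in byte_distribution(data) if c)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII, tab, LF or CR."""
    if not data:
        return 0.0
    return sum(1 for b in data if 0x20 <= b < 0x7F or b in (9, 10, 13)) / len(data)


def classify(data: bytes) -> str:
    """Coarse triage band. The thresholds are this example's own choice, not the manual's."""
    h = shannon_entropy(data)
    if h < 1.0:
        return "constant or sparse"
    if h < 5.5 and printable_ratio(data) > 0.9:
        return "text"
    if h < 7.5:
        return "structured binary"
    return "compressed or encrypted"


TEXT = (b"The quick brown fox jumps over the lazy dog. Forensic Explorer displays "
        b"a byte plot and character distribution for the highlighted file.\n") * 40
SAMPLES = {                               # constructed inputs
    "text.txt": TEXT,
    "zeros.bin": bytes(4096),
    "text.gz": zlib.compress(TEXT, 9),
    "random.bin": os.urandom(4096),       # stands in for ciphertext
}


def triage(samples: dict[str, bytes] = SAMPLES) -> dict[str, tuple[float, str]]:
    """Entropy (rounded) and band for every sample."""
    return {name: (round(shannon_entropy(d), 2), classify(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (h, band) in triage().items():
        print(f"{name:12s} entropy={h:4.2f}  {band}")
```

Entropy alone cannot separate compressed from encrypted data, which is why the view pairs it with the character distribution: a compressed stream still carries format headers and structure, a ciphertext does not.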
and exported. For more information see Chapter 9, Working with data.

8.4 DISK VIEW

The default location for Disk view is the top right-hand window of the File System module, accessed via the Disk View tab.

Figure 51: Disk View tab

Disk view is a graphical display of the sectors which make up the examined device. Disk view can be used to:
• Obtain a graphical overview of the items which make up the device, e.g. MBR, VBR, FAT, MFT, files, deleted files, unallocated clusters, etc.
• Quickly navigate to a desired sector on the device (see Navigating Disk view below).
• Select sectors for examination in other Forensic Explorer views, e.g. Hex view, Text view, etc. The selection can include a single sector, a range of sectors or an entire item.

To open Disk view:
• Open a case or preview evidence.
• Go to the File System module.
• In the left pane, select the device, or an item in the file system of the device, to view.
• In the right pane, select the Disk View tab.

Figure 52: Disk view (graphical sector map)
at a file, text or hex level. View and analyze system files, file and disk slack, swap files, print files, boot records, partitions, file allocation tables, unallocated clusters, etc.

Powerful Pascal Scripting language: Automate analysis using the provided script library, or write your own analysis scripts.

Fully Threaded: Run different analysis functions in separate threads.

Data Views: Powerful data views including:
• File List: Sort and multi-sort files by attribute, including extension, signature, hash, path, and created, accessed and modified dates.
• Category Views: Show files by extension, date, etc.
• Disk: Navigate a disk and its structure via a graphical view. Zoom in and out to graphically map disk usage.
• Gallery: Thumbnail photos and image files.
• Display: Display more than 300 file types. Zoom, rotate, copy, search.
• Filesystem Record: Easily access and interpret FAT and NTFS records.
• Text and Hexadecimal: Access and analyse data at a text or hexadecimal level. Automatically decode values with the data inspector.
• File Extent: Quickly locate files on disk with start and end sector runs.
• Byte Plot and Character Distribution: Examine individual files using Byte Plot graphs and ASCII Character Distribution.
• File Metadata: Examine metadata properties within files.

RAID Support: Work with physical or forensica
be considered equivalent to Greenwich Mean Time (GMT). In order to display date and time information in a format relevant to the end user's location, the UTC time is translated into local time using the computer's time zone setting.

20.4 DATE AND TIME INFORMATION IN THE WINDOWS REGISTRY

Windows time zone settings are held in the Windows registry. They are set during install and can be modified at any time via the Time Zone Settings options of the Control Panel, shown below.

Figure 184: Windows 7 time zone settings (Time Zone Settings dialog: Set the time zone; Time zone: (UTC-07:00) Mountain Time (US & Canada); Automatically adjust clock for Daylight Saving Time; Current date and time: Wednesday, 26 January 2011, 3:42 PM)

As the time zone may be incorrectly configured or deliberately altered, it is necessary for the investigator to determine these settings so that the correct time zone offset for the case can be applied.

Registry files are located in the following path:
• Windows NT/2000: C:\Winnt\System32\config
• Windows XP, Vista and 7: C:\Windows\System32\config

This path contains the five hive files:
• SAM: Security Accounts Manager
• SECURITY: Security information
• SOFTWARE: Software information
• SYSTEM: Hardware information; and
• DEFAULT: Default user settings

Note that each file has a
been checked in the selected module.

Include Unallocated Space: Determines whether unallocated space will be included in the index.

File slack: Determines whether the file slack of each file will be indexed.

Click OK to start the index process. An index in progress will show "Running" in the Indexes window, as shown in Figure 136 below.

Figure 136: Index creation in progress (Indexes window: NIST Test Case > Index 1 Filesystem: Running; Delete Index button)

The progress is also tracked in the program process list, as shown in Figure 137 below.

Figure 137: Forensic Explorer process window showing a completed index (Creating Index: Index 2 FileSystem; PPT GetData Presentation.ppt)

13.4 SEARCHING AN INDEX

When the indexing process is complete the index will appear in the Available Indexes window, as shown in Figure 138 below.

Figure 138: Index search (New Index, Delete Index; Indexes: NIST Test Case > Index 1 FileSystem, Index 2 Filesystem; indexed word list with Word Count and Doc Count columns: evil 1061, evilc, evildoer, eviler, evilervr, evilest, evilf ...)

Select the required index by placing a tick in the box next to the index name
below.

Figure 253: Thumbs.db filter applied in the File System module (Folders, File List, Gallery View and Disk tabs; File List columns Filename, File Signature, Local Time; case New Case 1 with a Basic data partition (EFI) and a Dell Portable; Documents and Settings > All Users; multiple Thumbs.db entries listed)

The filter code is accessible in the Scripts module in the paths:
• Filters\FileSystem\Thumbs.pas
• Filters\FileSystem\Thumbcache.pas

Thumbnail files are considered to be compound files, because they act as containers for content. In order to work with compound files it is first necessary to identify them as such by running a Signature Analysis. A Signature Analysis can be run at any time in the File System module by clicking the Signature Analysis toolbar button. A correctly identified thumbnail file will show "Thumbnail" or "ThumbCache" in the File Signature column when the signature analysis is complete.

EXPAND A SI
current time zone when daylight saving is in effect.
DaylightName: The name of the time zone (daylight saving).
DaylightStart: The date and time daylight saving starts.
StandardBias: The number of minutes offset from GMT when standard time is in effect.
StandardName: The name of the time zone (standard time).
StandardStart: The date and time when standard time starts.

Registry information, including Windows date and time settings, is also available in Forensic Explorer by running the Registry Analyzer script. This script is provided with a default install of Forensic Explorer in the folder:

User\My Documents\Forensic Explorer\Scripts\Registry\Registry Analyzer.pas

The Registry Analyzer script can be run directly from the Scripts module, or using the toolbar shortcut Quick Scripts > Registry Analyzer located in the File System module.

The Registry Analyzer script decodes the registry keys and provides output in the following format:

Figure 186: NIST Hacking Case (14), Registry Analyzer script output

ControlSet001\Control\TimeZoneInformation\ActiveTimeBias: 300
ControlSet001\Control\TimeZoneInformation\Bias: 360
ControlSet001\Control\TimeZoneInformation\DaylightBias: -60
ControlSet001\Control\TimeZoneInformation\DaylightName: Central Daylight Time
ControlSet001\Control\TimeZoneInformation\StandardBias: 0

(ActiveTimeBias is the sum of Bias and the bias currently in force: 360 + (-60) = 300 minutes, i.e. daylight time was active when the key was last written.)
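The following is an added example, not the Registry Analyzer script: it decodes the TimeZoneInformation values listed in 20.4 and above as they are stored on disk (signed REG_DWORD biases, UTF-16 names, SYSTEMTIME transition dates) and applies them to UTC timestamps. The Bias, ActiveTimeBias, DaylightBias and name values are the NIST Hacking Case values quoted above; the DaylightStart and StandardStart bytes are constructed for Central Time (second Sunday in March, first Sunday in November).

```python
# Added example, not the Registry Analyzer script: decodes the
# TimeZoneInformation values shown above and applies them to UTC timestamps.
# Bias/ActiveTimeBias/DaylightBias and the names are the NIST Hacking Case
# values; the DaylightStart/StandardStart bytes are constructed.
from __future__ import annotations

import struct
from datetime import date, datetime, timedelta
from typing import Optional


def reg_dword_signed(raw: bytes) -> int:
    """REG_DWORD is little-endian; the bias values are signed, so DaylightBias
    -60 is stored as 0xFFFFFFC4 and shows as 4294967236 if read unsigned."""
    return struct.unpack("<i", raw)[0]


def reg_sz(raw: bytes) -> str:
    return raw.decode("utf-16-le").rstrip("\x00")


def transition(systemtime: bytes, year: int) -> Optional[datetime]:
    """DaylightStart/StandardStart are SYSTEMTIME structures in 'relative' form:
    wYear=0, wMonth, wDayOfWeek (0=Sunday), wDay=week of month (5=last),
    wHour, wMinute, wSecond, wMilliseconds, expressed in local time."""
    wyear, month, dow, week, hour, minute, second, ms = struct.unpack("<8H", systemtime)
    if month == 0:
        return None                                  # zone without DST
    if wyear:                                        # absolute form
        return datetime(wyear, month, week, hour, minute, second, ms * 1000)
    first_dow = (date(year, month, 1).weekday() + 1) % 7   # Monday=0 -> Sunday=0 convention
    day = 1 + (dow - first_dow) % 7 + 7 * (week - 1)
    while day > 28:                                  # 'last' week may overshoot the month
        try:
            date(year, month, day)
            break
        except ValueError:
            day -= 7
    return datetime(year, month, day, hour, minute, second, ms * 1000)


RAW = {  # ControlSet001\Control\TimeZoneInformation, as stored on disk
    "ActiveTimeBias": b"\x2c\x01\x00\x00",          # 300
    "Bias": b"\x68\x01\x00\x00",                    # 360
    "DaylightBias": b"\xc4\xff\xff\xff",            # -60
    "DaylightName": "Central Daylight Time\x00".encode("utf-16-le"),
    "DaylightStart": struct.pack("<8H", 0, 3, 0, 2, 2, 0, 0, 0),     # constructed: 2nd Sunday March 02:00
    "StandardBias": b"\x00\x00\x00\x00",
    "StandardName": "Central Standard Time\x00".encode("utf-16-le"),
    "StandardStart": struct.pack("<8H", 0, 11, 0, 1, 2, 0, 0, 0),    # constructed: 1st Sunday November 02:00
}


def decode_tzi(raw: dict[str, bytes]) -> dict:
    out = {k: reg_dword_signed(raw[k]) for k in ("ActiveTimeBias", "Bias", "DaylightBias", "StandardBias")}
    out.update({k: reg_sz(raw[k]) for k in ("DaylightName", "StandardName")})
    out.update({k: raw[k] for k in ("DaylightStart", "StandardStart")})
    return out


def effective_bias(utc: datetime, tzi: dict) -> int:
    """Minutes to subtract from UTC (Windows stores UTC = local + bias).
    ActiveTimeBias is only the bias in force when the key was last written, so
    a timestamp elsewhere in the year is checked against the transition dates."""
    standard = tzi["Bias"] + tzi["StandardBias"]
    start = transition(tzi["DaylightStart"], utc.year)
    end = transition(tzi["StandardStart"], utc.year)
    if start is None or end is None:
        return standard
    local_standard = utc - timedelta(minutes=standard)
    end = end + timedelta(minutes=tzi["DaylightBias"])   # StandardStart is given on the daylight clock
    in_dst = (start <= local_standard < end) if start < end else not (end <= local_standard < start)
    return tzi["Bias"] + (tzi["DaylightBias"] if in_dst else tzi["StandardBias"])


def local_time(iso_utc: str, tzi: dict) -> tuple[str, int]:
    """(local time as ISO string, bias applied) for a UTC timestamp given as ISO text."""
    utc = datetime.fromisoformat(iso_utc)
    bias = effective_bias(utc, tzi)
    return (utc - timedelta(minutes=bias)).isoformat(), bias


if __name__ == "__main__":
    tzi = decode_tzi(RAW)
    for stamp in ("2011-01-15T12:00:00", "2011-07-01T12:00:00"):
        print(stamp, "UTC ->", *local_time(stamp, tzi))
```

The unsigned reading of DaylightBias is the usual trap: a tool that prints 4294967236 (or plain 60) where -60 belongs will shift every summer timestamp by two hours if the value is applied literally.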
each column in the table.

Figure 171: Adding Fields to the Table (Insert as Table dialog: Available Fields: General > Filename, Created, Modified, Accessed, Attributes, Bates, File Signature, File Category, Extension; Selected Fields: Filename, Modified)

Switch to the Preview window to view the result. The table list should look like Figure 169 above.

OBJECTIVE

The objective of this exercise is to produce a gallery view of bookmarked items in the My Bookmarks\Pictures folder, as shown in Figure 172 below. The report will then be saved as a template for future use.

Figure 172: Creating a Gallery View Report (finished report shown: Bookmarked Pictures, e.g. Gadget.JPG, 17 May 12)

Follow STEPS 1 and 2 in 17.5.1 above to prepare a case with bookmarks.

STEP 3: RENAME THE BLANK REPORT
c. Click and hover on the report name to rename the section to My Gallery Report Pictures.
d. Repeat this step to rename the report section.

STEP 4: EDIT THE REPORT
g. Double-click on the report section My Gallery Report Pictures to open the Report editor.
h. In the Bookmark Name column, select the Pictures bookmark folder and drag and drop it onto the blank page.
i. Select Insert Item as Table in order for the
(Hex view of the raw directory entries)

The directory entries show:
• that file _OALA.JPG starts with the 0xE5 deleted-file marker; and
• that it has both a short file name and a long file name directory entry.

Koala.JPG is then highlighted and its directory entries are decoded in Filesystem Record view, as shown below in Figure 210.

Figure 210: Decoded directory entry of Koala.JPG (Filesystem Record view)

Property                    Value                  Raw Value    Type
Type                        FAT Record             4,111,136
Short Filename              _OALA.JPG              _OALA.JPG    AString
Deleted                     True                   True         Boolean
Attributes                  A                      32           Byte
Reserved                    0                      0            Byte
Created 10ms                156                    156          Byte
Created Time                1:09:20 PM
Created Date                19 Mar 11
Accessed Date               19 Mar 11
EAIndex (FAT12/16)          0
Written Time                1:52:26 AM
Written Date                15 Jul 09
Start Cluster (FAT12/16)    492
Start Cluster (FAT32)       492
Filesize                    780,831
Longfile Record 1
  LFN String                Koala.JPG
  LFN Sig byte              229
  LFN Attribute             15
  LFN Flag                  0
  LFN Checksum              215
  LFN FirstCluster          0
Long filename               Koala.JPG

The following information is observed:
1. The short filename is _OALA.JPG.
2. The starting cluster is 492.
3. The file size is 780,831 bytes.
4. The long file name is Koala.JPG.

To manually calculate the number of clusters used by Koa
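The following is an added example, not Forensic Explorer code: it decodes a FAT 32-byte short directory entry and its long-file-name (LFN) entry the way Filesystem Record view does, counts the clusters the file occupies, and uses the LFN checksum to recover the character that the 0xE5 marker overwrote. Both entries are constructed here to carry the Koala.JPG values of Figure 210; the 4096-byte cluster size is an assumption, as the page does not state it.

```python
# Added example, not Forensic Explorer code: decodes a FAT short directory
# entry and its LFN entry, counts clusters, and recovers the byte overwritten
# by the 0xE5 marker. Entries are constructed to match Figure 210; the
# 4096-byte cluster size is an assumption.
from __future__ import annotations

import struct
from datetime import datetime, timedelta

SHORT_FMT = "<11sBBBHHHHHHHI"   # name, attr, NTres, ctime 10ms, ctime, cdate, adate, clus hi, wtime, wdate, clus lo, size

SHORT_ENTRY = struct.pack(
    SHORT_FMT,
    b"\xe5OALA   JPG",   # first byte replaced by 0xE5 on deletion
    0x20, 0, 156,        # attributes (archive), NT reserved, create-time 10 ms units
    0x692A, 0x3E73,      # create 13:09:20, 2011-03-19
    0x3E73,              # last access 2011-03-19
    0,                   # start cluster high word (EAIndex on FAT12/16)
    0x0E8D, 0x3AEF,      # write 01:52:26, 2009-07-15
    492,                 # start cluster low word
    780831,              # file size
)

LFN_ENTRY = (
    b"\xe5"                                   # sequence byte, also 0xE5 once deleted
    + "Koala".encode("utf-16-le")             # characters 1-5
    + b"\x0f" + b"\x00" + bytes([215])        # attribute 0x0F, type, checksum of the short name
    + ".JPG\x00\uffff".encode("utf-16-le")    # characters 6-11: name end, NUL, 0xFFFF padding
    + b"\x00\x00"                             # first cluster, always 0 for an LFN entry
    + "\uffff\uffff".encode("utf-16-le")      # characters 12-13
)


def fat_datetime(d: int, t: int = 0, tenths: int = 0) -> datetime:
    """FAT date: bits 15-9 year-1980, 8-5 month, 4-0 day. FAT time: 15-11 hour,
    10-5 minute, 4-0 seconds/2. 'tenths' adds 0-199 units of 10 ms."""
    base = datetime(1980 + (d >> 9), (d >> 5) & 0xF, d & 0x1F,
                    t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)
    return base + timedelta(milliseconds=tenths * 10)


def decode_short(entry: bytes) -> dict:
    name, attr, _nt, tenths, ctime, cdate, adate, hi, wtime, wdate, lo, size = struct.unpack(SHORT_FMT, entry)
    deleted = name[0] == 0xE5
    base = ("_" if deleted else chr(name[0])) + name[1:8].decode("latin-1").rstrip()
    ext = name[8:11].decode("latin-1").rstrip()
    return {
        "deleted": deleted,
        "short_name": base + ("." + ext if ext else ""),
        "attributes": attr,
        "created": fat_datetime(cdate, ctime, tenths),
        "accessed": fat_datetime(adate).date(),
        "written": fat_datetime(wdate, wtime),
        "start_cluster": (hi << 16) | lo,    # FAT12/16 use only the low word
        "size": size,
    }


def decode_lfn(entry: bytes) -> dict:
    seq = entry[0]
    chars = entry[1:11] + entry[14:26] + entry[28:32]
    text = chars.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"deleted": seq == 0xE5, "attribute": entry[11], "checksum": entry[13], "text": text}


def lfn_checksum(short_name: bytes) -> int:
    """Checksum stored in every LFN entry, computed over the 11-byte short name."""
    s = 0
    for b in short_name[:11]:
        s = (((s & 1) << 7) + (s >> 1) + b) & 0xFF
    return s


def recover_first_char(lfn: dict, short_entry: bytes) -> list[str]:
    """Each checksum step is a bijection on the running byte, so exactly one
    first character reproduces the stored checksum once 0xE5 overwrote it."""
    return [chr(c) for c in range(0x20, 0x7F)
            if lfn_checksum(bytes([c]) + short_entry[1:11]) == lfn["checksum"]]


def clusters_used(size: int, cluster_bytes: int = 4096) -> tuple[int, int]:
    """(clusters needed, file slack bytes in the last cluster); cluster size assumed."""
    n = -(-size // cluster_bytes)
    return n, n * cluster_bytes - size


if __name__ == "__main__":
    s, l = decode_short(SHORT_ENTRY), decode_lfn(LFN_ENTRY)
    print(s["short_name"], l["text"], s["start_cluster"], s["size"], s["created"], s["written"])
    print("clusters, slack:", clusters_used(s["size"]), "first char:", recover_first_char(l, SHORT_ENTRY))
```

The checksum 215 shown in Figure 210 is reproduced by the original short name KOALA.JPG, not by the deleted _OALA.JPG, which is why the LFN checksum is worth checking when the long name entry itself has been reused. The created time decodes to 1:09:21.56 PM once the 10 ms field (156) is added to the 2-second resolution value the view shows as 1:09:20 PM.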
hashing algorithm. EE Times Online, 2/16/2005. [Cited May 4, 2100.] http://www.eetimes.com/electronics-news/4051745/Chinese-researchers-compromise-SHA-1-hashing-algorithm
8. Conti, Gregory, et al. Automated mapping of large binary objects using primitive fragment type classification. Digital Investigation, Vol. 7S, 2010, pp. S3-S12.
9. Li, W., Wang, K., Stolfo, S. and Herzog, B. Fileprints: Identifying file types by n-gram analysis. 6th IEEE Information Assurance Workshop, West Point, NY, June 2005.
10. Injosoft AB. ASCII Code - The extended ASCII table. [Online] http://www.injosoft.se; http://www.ascii-code.com
11. Wikipedia. Regular Expression. [Online] en.wikipedia.org/wiki/Regular_expression
12. Microsoft. Windows registry information for advanced users. Article ID 256986, Revision 12.3. [Online] February 4, 2008. [Cited August 19, 2011.] http://support.microsoft.com/kb/256986
13. Wikipedia. Windows Registry: List of standard registry value types. [Online] [Cited December 27, 2011.] http://en.wikipedia.org/wiki/Windows_Registry
14. NIST. Hacking Case. [Online] [Cited Dec 03, 2012.] http://www.cfreds.nist.gov/Hacking_Case.html
15. Guidance Software Inc. EnCase Forensic Version 6.10 User Manual. Guidance Software, 2008.
16. Wikipedia. Magic number (programming). [Online] http://en.wikipedia.org/wiki/Magic_number_(programming)
multiple computers.

You are not permitted to share the product activation information provided to you for this Software with other users. GetData shall have the right to check license details at any time in any reasonable manner.

GetData may from time to time revise or update the Software and may make such revisions or updates available subject to payment of the applicable license fee.

You may not publicly display the Software or provide instruction or training for compensation in any form without the express written permission of GetData.

The Software is protected under United States law and international law and international conventions and treaties. You may not rent, lease, sublicense, assign or otherwise transfer use of the Software to others without the express written permission of GetData. Doing so will entitle GetData to immediately terminate this Agreement.

Except to the extent applicable law specifically prohibits such restrictions, you may not reverse engineer, reverse compile, disassemble or otherwise modify the Software in any way.

You are solely responsible for protecting yourself, your data, your systems and your hardware used in connection with the Software. GetData will not be liable for any damages suffered from the use of the Software.

BY USING THE SOFTWARE YOU EXPRESSLY AGREE THAT ALL RISKS ASSOCIATED WITH THE PER
no trace of the file in unallocated clusters, that a version of the file prior to its deletion could be contained within a VSC on the system.

The frequency of VSC creation will depend on the operating system installed. Typically they are automatically created daily in Vista and weekly in Windows 7. VSCs can also be automatically created prior to significant Windows operating system events, such as the installation of new software, including Windows updates. In addition to this, many commercial applications, such as registry optimization software, offer the ability to create a system restore point for backup purposes prior to making disk changes. An end user can also manually create a VSC from the Windows System Properties > System Protection > Create button, shown in Figure 222 below.

Shadow copies are stored in the hidden folder Partition Root\System Volume Information on the volume on which the Protection Settings are enabled. The System Volume Information folder contains:
• a VSS catalog file called {3808876b-c176-4e48-b7ae-04046e6cc752}, a unique identifier specific to VSS; and
• VSS store files, the files which contain the actual shadow copy data, which have names like {c678aea6-f000-11e2-93bf-005056c00008}{3808876b-c176-4e48-b7ae-04046e6cc752}. Note that the VSS identifier is attached to the store
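The following is an added example, not Forensic Explorer code: it sorts a System Volume Information listing into catalog and store files using the naming convention described above, and pulls the creation timestamp and host MAC address out of a store file's first GUID, which is a version-1 (time-based) UUID, whereas the catalog GUID is a random version-4 UUID and carries nothing. The two GUIDs are the ones quoted above; the directory listing itself is constructed.

```python
# Added example, not Forensic Explorer code: classifies System Volume
# Information file names and decodes the timestamp in a store file's GUID.
# The GUIDs are the ones quoted in the text; the listing is constructed.
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone
from uuid import UUID

GUID = r"\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?"   # braces optional
STORE_RE = re.compile(rf"^{GUID}{GUID}$", re.I)     # <store id><catalog id>
CATALOG_RE = re.compile(rf"^{GUID}$", re.I)

UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)   # start of the UUID time scale


def uuid_timestamp(u: UUID) -> datetime | None:
    """A version-1 UUID carries a 100 ns count since 1582-10-15 plus the MAC
    address of the generating host; any other version carries no time."""
    if u.version != 1:
        return None
    return UUID_EPOCH + timedelta(microseconds=u.time // 10)


def mac_of(u: UUID) -> str:
    node = f"{u.node:012x}"
    return ":".join(node[i:i + 2] for i in range(0, 12, 2))


def classify_svi(names: list[str]) -> list[dict]:
    out = []
    for n in names:
        m = STORE_RE.match(n)
        if m:
            store = UUID(m.group(1))
            out.append({"name": n, "kind": "store", "catalog": m.group(2).lower(),
                        "created_utc": uuid_timestamp(store), "host_mac": mac_of(store),
                        # 00:50:56 is VMware's OUI: the snapshot was taken inside a VM
                        "vmware_host": (store.node >> 24) == 0x005056})
            continue
        m = CATALOG_RE.match(n)
        if m:
            out.append({"name": n, "kind": "catalog", "catalog": m.group(1).lower(),
                        "created_utc": uuid_timestamp(UUID(m.group(1)))})
        else:
            out.append({"name": n, "kind": "other"})
    return out


LISTING = [                                   # constructed listing
    "{3808876b-c176-4e48-b7ae-04046e6cc752}",
    "{c678aea6-f000-11e2-93bf-005056c00008}{3808876b-c176-4e48-b7ae-04046e6cc752}",
    "tracking.log",
]


def demo() -> list[dict]:
    return classify_svi(LISTING)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The store GUID above decodes to 18 July 2013, 23:21:29 UTC on a host with a VMware MAC prefix, a useful cross-check against the snapshot date Forensic Explorer shows in the Volume Snapshot Mount window and against the time zone settings of the examined system.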
note items of interest. Bookmarked items in a list view can be identified by a "yes" entry in the Bookmarked column.

To add a bookmark:
• Right-click in the data view and select Add Bookmark from the drop-down menu. This will open the Add Bookmark window.

See Chapter 16, Bookmarks Module, for more information on adding and editing bookmarks.

9.4 OPEN WITH

The Open With command uses the standard Windows Open With function to open a file from a list view using an external application, such as Windows Paint or Microsoft Word.

To use Open With:
1. Highlight the required file.
2. Right-click and select Open With from the context menu. If the highlighted file is not already associated with a program, the Windows Open With window will display and allow the file type to be associated.

The file to be opened is copied to the case Temp folder (My Documents\Forensic Explorer\Cases\Case Name\Temp) and then opened by the external application. Because that application runs on the examination workstation with the copied evidence file as its input, treat content opened this way as untrusted.

9.5 EXPAND COMPOUND FILE

A compound file is a file that is a container for other files or data. A simple example is a ZIP compressed file. Typically compound files should be expanded early in a case to enable Forensic Explorer full access to the content. This should be performed prior to a keyword or index search so that they may include the expand
other parties with a simple-to-use tool to easily review evidence.

1.2 SUPPORTED FILE FORMATS

Forensic Explorer supports the acquisition of the following file formats:
• DD or RAW
• EnCase E01
• Forensic File Format AFF

Forensic Explorer supports the analysis of the following file formats:

Type                    Extension
Apple DMG               DMG
DD or RAW               DD, BIN, RAW
EnCase                  E01, Ex01, L01, Lx01
Forensic File Format    AFF
FTK                     E01, AD1
ISO                     ISO
Microsoft VHD           VHD
NUIX                    MFS
ProDiscover             EVE
Safeback v2             001
SMART                   S01
VMWare                  VMDK
Xways Container         CTR

1.3 SUPPORTED FILE SYSTEMS

Forensic Explorer supports analysis of:
• Windows FAT12/16/32, exFAT, NTFS
• Macintosh HFS, HFS+ (no journal processing)
• EXT 2/3/4 (no journal processing)
• CD/DVD ISO, UDF
• Hardware and Software RAID: JBOD, RAID 0, RAID 5

1.4 KEY PROGRAM FEATURES

Key Forensic Explorer features include:

Fully Customizable Interface: The Forensic Explorer interface has been designed for flexibility. Drag, drop and detach windows for a customized module. Save and load module configurations to suit investigative needs.

International Language Support: Forensic Explorer supports Unicode. Investigators can search and view data in native language format.

Complete Data Access: Access all areas of physical or imaged media
Bill's iPhone 5
Display Name: Bill's iPhone 5
GUID: C33F23C955555099AD4921C8DC6D500E
ICCID: 89610294555559007627
IMEI: 013409005555590
Last Backup Date: 2014-05-01T06:43:21Z
Product Name: iPhone 5
Product Type: iPhone5,2
Product Version: 7.1.1
Serial Number: F55555PQDTWD
Target Identifier: 48be275db912555551f1a074c6ce0f2c6a2e8920
Target Type: Device
Unique Identifier: 48BE275DB915555561F1A074C6CE0F2C6A2E8920

28.1.3 MANUALLY EXAMINING ITUNES BACKUP FILES

The forensic value of individual iTunes backup files is well documented (see iOS Forensic Analysis for iPhone, iPad and iPod Touch, Sean Morrissey, 2010, Apress). Key files are summarized in the following table.

Figure 247: Key iTunes backup files for the forensic investigator

Application   Path                                        Content
Maps          Library/Maps/History.plist                  Map bookmarks, map directions, map route history
Safari        Library/Safari/History.plist                Bookmarks, internet history, web pages
Wireless      SystemConfiguration/com.apple.wifi.plist    SSID networks, BSSID, joined dates

Due to the varied content of an iTunes backup UUID folder, different Forensic Explorer data views are needed to best view each file type. The following table summarizes the recommended data views.

Figure 248: Recommended Forensic Explorer data views for iTunes backup file types

File Type                        Forensic Explorer data view
Media files (JPG, PNG, MOV)      Display view or Gallery view
Appendix 7 Sample Script .... 363
Appendix 8 Icon Key .... 365
Appendix 9 Index .... 367

Chapter 1: Introduction

In This Chapter
1.1 Introducing Forensic Explorer .... 12
1.2 Supported file formats .... 12
1.3 Supported file systems .... 12
1.4 Key program features .... 13

1.1 INTRODUCING FORENSIC EXPLORER

Forensic Explorer is a computer forensics software program written by GetData Forensics Pty Ltd (www.forensicexplorer.com). Forensic Explorer is a tool for the analysis and presentation of electronic evidence. Primary users of this software are those involved in civil or criminal investigations.

Forensic Explorer combines a flexible graphic user interface (GUI) with advanced sorting, filtering, searching, previewing and scripting technology. It enables investigators to:
• Access and examine all available data, including hidden and system files, deleted files, file and disk slack, and unallocated clusters;
• Automate complex investigational tasks;
• Document a case and produce detailed reports; and
• Provide
that overlays the file icon, as shown in Figure 154, Bookmark list, below.

Figure 154: Bookmark list

Filename        Logical Size   Path
winword.doc     4,608          NIST Hacking Case
winword2.doc    1,769          NIST Hacking Case
winword2.doc    1,769          NIST Hacking Case
winword.doc     4,608          NIST Hacking Case
LICENSE.DOC     3,707          NIST Hacking Case
ORDER.DOC       3,304          NIST Hacking Case
MANUAL.DOC      202,252        NIST Hacking Case
SHAREWAR.DOC    573            NIST Hacking Case

MANAGE BOOKMARK LIST

To add a bookmark: See 16.1, Adding Bookmarks, above.

To delete a bookmark:
1. In the Bookmarked Items list, highlight the required file(s), right-click and select Delete Bookmark(s) from the drop-down menu. The following confirmation window will appear.

Figure 155: Delete bookmark(s) confirmation

2. Click OK to proceed. The file(s) is deleted from the Bookmarks module.

To edit a bookmark comment:
1. Right-click on the bookmark, or on a file in the Bookmarks list, and from the drop-down menu select Edit Bookmark Comment.
2. The Edit Bookmark window will open, where the comment text can be updated.

To edit multiple bookmark comments:
1. Highlight multiple bookmarked files using the mouse and the SHIFT or CTRL key.
2. Right-click and select Edit Bookmark Comment from the dr
the same way as would a paper-based file in a traditional matter.

Cluster: A cluster is the smallest logical unit of disk storage space on a hard drive that can be addressed by the computer's operating system. A single computer file can be stored in one or more clusters, depending on its size.

Cluster boundary: A cluster boundary refers to the start or the end position of a cluster (a group of sectors). If a file is fragmented (stored in non-contiguous clusters), the fragmentation happens at the cluster boundary, as there is no smaller unit of storage space that can be addressed by a computer. Examining data at cluster boundaries can be an important technique to improve the speed of some search routines. For example, when file carving for file headers it is faster to search the cluster boundary (i.e. the beginning of a cluster) rather than to search the drive sector by sector.

Codepage: Codepage is another term for character encoding. It consists of a table of values that describes the character set for a particular language. When a keyword search is conducted in Forensic Explorer, the correct codepage should be selected.

Computer forensics: Computer forensics is the use of specialized techniques for recovery, authentication and analysis of electronic data with a view to presenting evidence in a court of law.

Compound file: A compound file is a file that is a container for other files or data, such as a Zip or Pst (Microsoft Outlook mail) file. See 9.5, Expand compound file.

See file carve.

A d
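The following is an added example, not Forensic Explorer code, serving both the file type list and the signature analysis step described for Thumbs.db earlier in this document and the cluster boundary entry above. A small file-signature (magic number) table is used two ways: to compare a file's content with its extension, which is what flags a Thumbs.db as an OLE container or a renamed picture, and to carve for file headers at cluster boundaries versus at every sector. The signature table, the 4096-byte cluster size and the 64 KiB "disk image" are constructed for the example; Forensic Explorer's own signature database is far larger and names thumbnail files specifically.

```python
# Added example, not Forensic Explorer code: a small signature table used for
# (1) extension-versus-content signature analysis and (2) header carving at
# cluster boundaries versus at every sector. Table, cluster size and the
# 64 KiB image are constructed for this example.
from __future__ import annotations

SECTOR = 512
CLUSTER = 4096          # assumed cluster size for the constructed image

SIGNATURES = [  # (type, magic bytes, offset within file, extensions that should carry it)
    ("PDF document", b"%PDF-", 0, {"pdf"}),
    ("Zip compression file", b"PK\x03\x04", 0, {"zip", "jar", "docx", "odt", "ods"}),
    ("GZIP compression file", b"\x1f\x8b\x08", 0, {"gz", "gzip"}),
    ("RAR compression file", b"Rar!\x1a\x07", 0, {"rar"}),
    ("7ZIP", b"7z\xbc\xaf\x27\x1c", 0, {"7z", "7zip"}),
    ("OLE Document (MS Office, Thumbs.db)", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0, {"doc", "xls", "ppt", "db"}),
    ("Rich Text Document", b"{\\rtf1", 0, {"rtf"}),
    ("JPEG image", b"\xff\xd8\xff", 0, {"jpg", "jpeg"}),
]


def identify(data: bytes) -> str | None:
    """Type name of the first signature found at its expected offset, else None."""
    for name, magic, offset, _ in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return None


def signature_analysis(filename: str, data: bytes) -> dict:
    """'match' when extension and content agree, 'mismatch' when the content is a
    known type the extension does not belong to, 'unknown' when no signature hits."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    found = identify(data)
    expected = {name for name, _, _, exts in SIGNATURES if ext in exts}
    if found is None:
        status = "unknown"
    elif found in expected:
        status = "match"
    else:
        status = "mismatch"
    return {"file": filename, "signature": found, "status": status}


def carve_headers(image: bytes, step: int) -> list[tuple[int, str]]:
    """Look for a header at every 'step' bytes; returns (offset, type) hits."""
    hits = []
    for off in range(0, len(image), step):
        found = identify(image[off:off + 16])
        if found:
            hits.append((off, found))
    return hits


def build_image() -> bytes:
    """Constructed 64 KiB image: a PDF starting at cluster 3, a JPEG at cluster 5,
    and the text '%PDF-' inside the JPEG's data. The last one is a false positive
    for a sector-by-sector scan: no file can start in the middle of a cluster."""
    img = bytearray(16 * CLUSTER)
    img[3 * CLUSTER:3 * CLUSTER + 8] = b"%PDF-1.4"
    img[5 * CLUSTER:5 * CLUSTER + 4] = b"\xff\xd8\xff\xe0"
    img[5 * CLUSTER + 2 * SECTOR:5 * CLUSTER + 2 * SECTOR + 8] = b"%PDF-1.4"
    return bytes(img)


IMAGE = build_image()

if __name__ == "__main__":
    print(signature_analysis("Thumbs.db", SIGNATURES[5][1] + bytes(24)))
    print(signature_analysis("notes.txt", b"\xff\xd8\xff\xe0" + bytes(12)))
    print("cluster scan:", carve_headers(IMAGE, CLUSTER), "positions:", len(IMAGE) // CLUSTER)
    print("sector scan: ", carve_headers(IMAGE, SECTOR), "positions:", len(IMAGE) // SECTOR)
```

On the constructed image the cluster scan examines 16 positions and returns the two real file starts; the sector scan examines 128 positions and adds the embedded string inside the JPEG as a third, spurious, header. The cluster scan is only valid for allocated-file starts: a header that belongs to a file whose first cluster has since been overwritten, or data inside a compound file, will only be found by the finer scan.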
to the File System module.

10.5 EVIDENCE PROCESSOR

The Evidence Processor window opens when evidence (a device, image or file) is added in the Evidence module. The Evidence Processor window has two functions:

1. To configure the processing options that will automatically take place when the evidence is added. Note: Evidence processing tasks such as file carving do not have to be automatically run; they can be individually run later in the case; and

2. To enable the forensic investigator to modify dates and times in the evidence relative to the time zone in which the evidence is situated or was acquired. Note: Time zone settings can be configured or adjusted later in the case from the File System module. See Chapter 20, Date and Time, for more information.

Forensic Explorer determines the type of evidence added (e.g. device, forensic image, registry file or other file) and displays a default task list according to the file type.

Figure 114: Evidence Processing Options, showing options for a forensic image or device

Evidence Processor, Image: DEMO.E01
Tasks:
• FileSystem
  • Process in Parallel
    • Verify Device Hashes
    • Search for Known MBRs
    • Search for FileSystems
  • Process in Parallel
    • Triage
    • Hash Files
    • Signature Analysis
    • Extract Metadata
    • Fil
uses a RegEx search to locate the relevant key. The script then processes and displays the result according to its type and any unique processing that the specific key requires.

IMPORTANT: It is important to note that automated registry key analysis is a developing field, based largely on individual forensic practitioner research. Limited registry documentation relevant to pertinent keys is made available by Microsoft. Also note that registry content is largely the result of user behaviour, and that registry structure will change between Windows versions. The Registry Key Processor.pas script has been developed on sample registry hives and there is no guarantee that other hives will be parsed accurately. As with the analysis of any Windows artefact, results from Registry Key Processor.pas should be validated before being relied upon.

Chapter 16: Bookmarks Module

In This Chapter
16.1 Adding Bookmarks .... 188
16.1.1 Manually add a bookmark .... 188
16.1.2 Automated Triage bookmarks
using the Priority options, where Low is single-core and Normal, High and Critical are multi-core.

NTFS: The Windows New Technology File System (NTFS) superseded FAT. It was released with Windows NT and subsequently Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008, Windows Vista and Windows 7. It uses a Master File Table (MFT) to store the information required to retrieve files from the NTFS partition.

Ophcrack: Ophcrack is a free, open source program that recovers Windows passwords by processing LM hashes through rainbow tables. Ophcrack ISO images can be used with Forensic Explorer Live Boot.

Pane: An area of a Forensic Explorer module. A Forensic Explorer module is broken down into three panes: Folders view, File List view and File Display. A pane can contain multiple different windows, such as Hex view, Text view, Disk view, Console, etc.

Pascal: A programming language used to create scripts in Forensic Explorer. See Chapter 18, Scripts Module.

Partition: A part of a hard disk that can have an independent file system.

PCRE: Perl Compatible Regular Expressions (PCRE) is a regular expression (RegEx) library. The PCRE library is incorporated into a number of prominent open source programs, such as the Apache HTTP Server and the PHP language. RegEx expressions can be used to keyword search evidence in Forensic Explorer.

Pre-processing: Pre-processing describes the setup of a case so that core analysis functions are automatically run prior to investigator review. C
005056C00008}

(Volume Snapshot Mount window: list of available snapshots with their creation dates; Options: Mount method, Only files that are different, Color; Available Volumes)

Available Volumes: Enables another volume and its shadow copies to be accessed.

Mount Method:
• Only files that are different: displays only those files in the VSC which are different from those listed in the current file system. This saves the investigator from cluttering the File System module with duplicate, identical files from the VSC.
• All Files: mounts the entire shadow copy.

Color: Assigns a color to the mounted VSS. If a color is selected, a new column called VSS is created in the File System module. The column contains the selected color, to identify the origin of the file.

5. In the Volume Snapshot Mount window, click on the required snapshot (identified by the date created) and click OK. The shadow copy is then processed (the process status is shown in the process window in the bottom right-hand corner of Forensic Explorer) and the VSC files are added to the File System module.

Added VSC volumes are identified by the shadow mount icon in the Folders window of the File System module. The VSC volume name includes the date and time of the snapshot, as shown in Figure 227 below.

Figure 227: File System module sho
(Screenshot of the File List showing bookmarked files, e.g. desktop.ini, Sample Pictures and Favorites)

2. The bookmark folder name is shown in the Bookmark Folder column. If a file has been bookmarked in multiple folders, the column contains each folder name separated by a comma.

Chapter 17 Reports Module

In This Chapter

17.1 Reporting & Bookmarks
17.3 …
17.3.1 The Default Report
17.3.2 Report name, Groups and Sections
17.3.3 Rename or Move a Group or Section
17.3.4 …
17.3.5 Export a report as DOC, RTF or PDF
17.3.6 Export a report as a template
17.4.1 Report Editor PREVIEW
17.4.2 Report Editor EDIT
17.5.1 …
Exercise 1: Report on a single …
Exercise 2: Listing bookmarked files in a table
Exercise 3: Creating a Gallery view report
…20DBFA

For EnCase E01 files, the MD5 acquisition hash is embedded within the header of the image file.

When the "Verify image hash after creation" box is selected, at the completion of writing the image file Forensic Imager reads the file from the forensic workstation and recalculates the hash. The verification hash is reported in the event log in the format:

Verify MD5Hash: 94ED73DA0856F2BAD16C1D6CC320DBFA

At the conclusion of the verification process a comparison is made between the source and verification hash. An exact image of the source disk to the image file should result in a match:

MD5 acquisition and verification hash: Match

Should the acquisition and verification hash not match, it is an indication that a problem has occurred and the device should be re-acquired.

8. DETAILS

For EnCase E01 files, information entered into the Details field is written into the image file header and stored with the image. DD (RAW) and AFF files do not store this information as part of the image; however, it is still required to be entered, as for all formats the information is included in the Forensic Imager event log.

The progress screen displays source information (the drive being acquired) and destination information (the location where the forensic image files are being written). Progress information including elaps
Figure …3: Export files window (dialog: Source: Highlighted files (1 files, 0 folders, 63.9 KB (65,432 bytes)) / Checked files (0 files, 0 folders, 0 bytes); Data size to use: Logical size; Destination: Separate files / Single merged file, Keep folder structure, Keep date times, Split large files into 1000 kB files; Destination Folder: D:\Graham\Documents\Forensic Explorer\Cases\abc\Exported)

Source:

• Files can be exported with their logical or physical size.

Destination:

• Separate files: The exported files may be saved individually or as a single merged file.
• Keep folder structure: Determines whether the exported files are saved with the complete path information from the case, or whether they are saved into the root level of the selected location.
• Keep date times: Specifies whether the dates and times of the exported files will retain their metadata as displayed by Forensic Explorer, or whether dates and times will reflect the creation of the exported files.
• Split large files: Large files can be split into designated sizes.
• Destination folder: The destination folder specifies the location where the files will be saved. The default location is the Exported folder in the case path.

EXPORT FOLDERS AND FILES USING A SCRIPT

One of the default scripts provided with Forensic Explo
…3 Where are Shadow Copies Stored 292
25.2 Examining Shadow Copies With Forensic Explorer 293

25.1 SHADOW COPY INTRODUCTION

The ability of Forensic Explorer to easily access and explore Volume Shadow Copies (VSCs) offers the forensic investigator the ability to examine data at different time snapshots in a forensic examination.

A Shadow Copy is essentially a differential backup of the contents of a drive. By examining a Shadow Copy it can be possible to view previous versions of a file, a directory or a volume.

Prior to Windows Vista, Restore Points were a relatively simple snapshot of critical Windows system files. In Windows Vista and beyond, the Volume Shadow Copy Service (VSS) takes a snapshot of all files on the volume that have changed, including user files. VSS is present on:

• Windows Server 2003
• Windows Vista (all versions)
• Windows Server 2008
• Windows 7 (all versions)

Windows VSC controls are accessed via Control Panel > All Control Panel Items > System > System Protection. VSC is activated on an NTFS drive by turning on the Protection Settings in the System Properties window. Shadow Copies can be created on local or removable media.

The System Properti
…3a AppDomain-com.apple.mobilesafari Library/Safari/History.plist

Description: Safari history contains browsing information. This includes the URL, page title, last visited date (converted from MAC absolute date, UTC) and visit count.

Output: Page titles are bookmarked under the Safari History folder of the relevant iTunes Backup UUID folder. Manually review the file in File Metadata view for more detailed information.

Source: iTunes Backup File ade0340f576ee14793c607073bd7e8e409af07a8 SystemPreferencesDomain SystemConfiguration/com.apple.wifi.plist

Description: List of Wi-Fi networks that the device joined or auto-joined. Information includes:

• SSID (Service Set Identifier), used to uniquely identify any given wireless network; and
• BSSID (Basic Service Set Identifier), a unique address that identifies the access point (router) that creates the wireless network.
• Date/Time of last connection (UTC).

Output: The script bookmarks individual Wi-Fi network information under the Wifi bookmarks folder of the iTunes Backup UUID folder. Key data is summarized in the bookmark comment. Note that dates and times are converted from UTC.

28.2 THUMBNAILS

In Windows operating systems up to and including Windows XP
ToolBar AddButton UltraEdit C:\Program Files (x86)\IDM Computer Solutions\UltraEdit\Uedit32.exe 1 64 64 BINS SHOWCAPTION

adds and names the button. You can see that the first line creates the button group and the next three lines point to different types of HEX editors that may be installed on your system. Remember that if the file does not exist, the code will be ignored and the button not added. Note that because we run this as a default menu button, we need to include two options for UltraEdit, to cover both the 32 and 64 bit version installation paths.

To add a link to your own program, make a copy of one of these lines and then edit it. Change the name of the button and put in the correct path on your machine. Once you have edited the script, press the save button in the Script Editor window to save your changes.

Running Your Script

A script is run in single thread mode by pressing the green play button, or in multi thread mode by pressing the green fast forward button, in the Script Editor toolbar. However, running a button group script here is not going to work, because it needs to know the parameter for the module where you want the button to appear (remember this information is passed to the script at startup by the line in startup.pas). You could close and restart Forensic Explorer to show the button. Or, in order to test the script, we c
Appendix 8 Icon Key

• Inactive branch plate
• Unallocated: Unallocated clusters

Disk View

• The start sector of a file
• Currently selected sector
• One type overlays another
• System files: WebTomato
• $MFT resident file (the file overlays the $MFT)
• Folder: DeepSkyBlue
• Allocated File: CornFlowerBlue
• Unallocated space: LtGray
• Deleted file: A deleted file overlays unallocated space
• Carved file: DarkOrange
• Carved file overlays unallocated space

Icons in Forensic Explorer include those supplied by:

• Silk Icons, http://www.famfamfam.com/lab/icons/silk/, and
• http://www.softicons.com

APPENDIX 9 INDEX

Accessed Date, 148
Activation
  Dongle, 35
  Evaluation version offline, 18
  Evaluation version online, 16
Apple Backups, 316
Artifact
  Count, 103
  Selected, 103
ASCII Character distribution, 91
Attributes, 148
Bookmarks Module, 190
Bookmarks Module, 187
Boolean Index search, 171
BpB (Bytes per block), 100
BpS (Bytes per sector), 100
Branch plate, 75
Byte Plot, 91
  Examples, 92
Carve
  About file carving, 276
  Cluster Sector Byte, 279
  Disk view icon, 79, 366
  Evidence Processor, 137
  Hex Selection, 86
Case
  Close, 141
  New, 124
  Open, 127
  Recent, 128
  Save, 140
Categories, 146
Cell phone, See Phone
Close
(Screenshot of the Pictures bookmark folder listing cat and dog JPG files with their modified and created dates)

STEP 1 & 2

Follow STEPS 1 and 2 in 17.5.1 above to prepare a case with bookmarks.

STEP 3: RENAME THE BLANK REPORT

a. Click and hover on the report name to rename the section to "My Gallery Report Pictures".
b. Repeat this step to rename the report section.

STEP 4: EDIT THE REPORT

a. Double click on the report section "My Gallery Report Pictures" to open the Report editor.
b. In the Bookmark Name column, select the Pictures bookmark folder and drag and drop it onto the blank page.
c. Select "Insert Items as Table" in order for the table to iterate through each bookmarked file.

(Menu showing the options "Insert As Field" and "Insert Items As Table")

d. Select the "Multiple columns per item" table, which lists records vertically.

Figure 170: Selecting a List View Table Style

e. Double click to select the fields for
…40
Scripting
  Data recovery, 280
Scripts
  Introduction to scripting, 223
  Open, Copy, Rename, Delete, 222
Send to Module, 110
SHA, See Hash
Shadow Copy
  Background, 288
  Mount in Forensic Explorer, 293
Signature Analysis
  Evidence processor, 137
Sort
  Multi column, 111
  Persistent, 112
  Remove, 112
  Single column, 111
Startup.pas
  Installation folder, 32
  Script, 219
Stemming, See Index Search
Technical support, 335
Text view, 88
Thumbcache, 326
Thumbs.db, 326
Time Zone, See Date and Time
Tree view, 74, 144
Uninstall, 34
User Datagram Protocol (UDP), 130
UUID
  Apple Backup, 316, 357
Video
  Thumbnail viewing, 90
Volume Shadow Copy, See Shadow Copy
VSC or VSC, See Shadow Copy
Wildcards
  Index search, 172
Word List, 173
(Screenshot of the Folders view tree showing folders such as Aquatic (13), Cranes (3), Flamingos (3) and Landscape (5))

Plated folders are displayed in normal font. The non-plated folders are in grey italic. The blue number in brackets, e.g. (2), counts the number of items inside the folder but does not count the contents of sub-folders.

To turn off the branch plate:

• Right click in the File System module Folders View (or in the like tree view of other modules; plating operates independently in each module) and select Branch Plating > Branch Plate Off.

When branch plating is turned off, the tree works in a similar fashion to Windows Explorer.

8.3 LIST VIEW

A List view displays individual items (e.g. files) and their metadata (e.g. file name, size, modified date, created date, etc.) in a table format. The default position for a List view is in the top right window. The actual name of the List view changes according to the module, i.e.:

Module           List View Name        More Information
File System      File List             Chapter 11
Keyword Search   Keyword Result List   Chapter 12
Bookmarks        Bookmarks List        Chapter 16
Registry         Registry List         Chapter 15

List view allows items such as files, notes, keyword search results and registry entries to be sorted, highlighted, checked, flagged, opened
…7 Pro features, or to allow commercial use. Learn more about VMware Player 7 Pro:

• VMware Player Plus: http://www.vmware.com/products/player

Mount Image Pro v6

GetData's Mount Image Pro is used to mount a forensic image to make it accessible to Live Boot and VMware. A purchase of Forensic Explorer includes a license for Mount Image Pro. The latest version of Mount Image Pro is available at:

• www.mountimage.com, or
• http://download.getdata.com/MountImagePro Setup.exe

NOTE: When installing Mount Image Pro v6 for the first time, a reboot is required. Ensure that when Mount Image Pro starts, both the Disk and FileSystem drivers show a "Service Started" status, as shown in Figure 231 below.

Figure 231: Mount Image Pro v6 driver status (screenshot of the Mount Image Pro v6.09.1435 window, "Activated", with the Mount, Unmount, View, Options and Update toolbar and the columns Filename, Capacity, Mounted As, Partition and Mount Point)

27.3 COMPATIBILITY

Forensic Image Files

Live Boot requires a forensic image of a physical device that contains a bootable file system. Live Boot does not support the booting of logically acquired partitions.

Supported Target Operating Systems

Live Boot will boot the following Operating Systems:

• Windows 95
• Windows 98
• Windows XP
• Windows Vista
• Windows 7
• Windo
(Screenshot of the File List showing iTunes backup files by hashed file name, with their CameraRollDomain paths, e.g. CameraRollDomain-Media/DCIM/100APPLE/IMG_0150.PNG, IMG_0150.XMP and IMG_0151.PNG)

File Signature Analysis

When launched, an automatic and important part of the identification process is a file signature analysis of the Apple UUID backup folder content. This accurately identifies pictures, movies, sqlite files, plists and other important files.

BOOKMARKED DATA

iTunes Backups Identify and Bookmark bookmarks iTunes Backup UUID folders. For ease of identification, each UUID folder is placed in a parent folder constructed using the Device Name, Device Type and Device serial number from its Info.plist file. An example is shown in Figure 245 below.

Figure 245: Bookmarks module, iTunes Backup UUID folders (screenshot of the iTunes Backups bookmark folder containing a parent folder per device, named from the device name, type and serial number, each holding a UUID folder)

Additional summary information is provided in the bookmark comment of the file, for example:

Figure 246: Info.plist bookmark comment

The following iTunes Backup Info was found:
Build Version: 11D201
Device Name: Bill
…AVAILABLE BY GETDATA "AS IS" AND WITH ALL FAULTS. GETDATA DOES NOT MAKE ANY REPRESENTATIONS OR WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, CONCERNING THE QUALITY, SAFETY OR SUITABILITY OF THE SOFTWARE, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. FURTHER, GETDATA MAKES NO REPRESENTATIONS OR WARRANTIES AS TO THE TRUTH, ACCURACY OR COMPLETENESS OF ANY INFORMATION, STATEMENTS OR MATERIALS CONCERNING THE SOFTWARE THAT IS CONTAINED IN GETDATA'S SOFTWARE DOWNLOAD SITE. IN NO EVENT WILL GETDATA BE LIABLE FOR ANY INDIRECT, PUNITIVE, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, HOWEVER THEY MAY ARISE, AND EVEN IF GETDATA HAS BEEN PREVIOUSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

APPENDIX 1 TECHNICAL SUPPORT

GetData Forensics Pty Ltd has its headquarters in Sydney, New South Wales, Australia.

Documentation: http://www.forensicexplorer.com/support
Video Tutorials: http://www.forensicexplorer.com/video
Email Support: support@getdata.com
Phone Support: USA 866 723 7329 (callback service), or Sydney, Australia +61 (0)2 8208 6053
Hours: Australian Eastern Standard Time, 9am to 5:30pm, Mon to Fri

GetData Forensics Pty Ltd
P.O. Box 71
Engadine, New South Wales, 2233
Australia

GetData Forensics Pty L
2. Insert your Wibu dongle into a USB port on your forensic workstation. Wait up to 30 seconds to ensure your forensic workstation has the time to detect that the dongle has been inserted.
3. Run Forensic Explorer from the desktop icon.

5.1.1 SUCCESSFUL DONGLE ACTIVATION

When the dongle is successfully installed, the following screen will display on startup of the application:

(Splash screen: FORENSIC EXPLORER, Registered To: Graham Henley, GetData)

The splash screen identifies:

1. The name (or company name) of the registered owner.
2. The date upon which the current maintenance license expires for that dongle (see page 25 for information on purchasing).

5.1.2 TROUBLESHOOTING DONGLE ACTIVATION

If the Wibu dongle is not detected on application startup, the splash screen will display DONGLE NOT FOUND, as shown in Figure 20 below.

Figure 20: Dongle not found error message (splash screen: FORENSIC EXPLORER, GetData)

To troubleshoot dongle activation:

1. Press the x button to close the splash window.
2. Remove and re-insert the Wibu dongle.
3. Ensure that your forensic workstation has sufficient time to detect that new hardware has been inserted. Wait for the Windows USB device message to show that new hardware has been recognized.
4. Re-run the software from the desktop icon.

WIBU CODEMETER RUNTIME FOR WIND
Bookmark: Adds the carved file to the Bookmarks module.

8.7 TEXT VIEW

The default location for the Text view window is the bottom data view window, accessed via the Text tab.

Figure 62: Text view tab

The Text tab shows the highlighted item as ASCII text.

Figure 63: Text view

8.8 DISPLAY VIEW

The default location of the Display view window is the bottom data view window, accessed via the Display tab.

Figure 64: Display view tab

The File Display tab uses GetData's Explorer View technology to display the content of hundreds of different file types.

Figure 65: Display view (showing the path new case\Lexar 7GB USB 01.E01\Partition 63\Root\Animals\Aquatic\SNAIL.JPG)

Note that the File Display tab is NOT intended as an exact render of how the file would have appeared to the end user. If this is the objective, it is best achieved by exporting the file and opening it with the same application available to the end user.

If a file type is selected where a display is not available, or the file is corrupt, an error message will display in this window. The Display view will default to Hex or Text view.

Right click on the image to display the options menu.
  Case, 141
Columns
  Add, 110
Compound file
  Expand, 105
Copy
  Rows to clipboard, 119
Copyright, 332
Created, 148
Data fragment, 265, 272
Data Views
  Summary, 71
Data store, 168
Date and Time
  Adjust for Case, 243
  Adjust for evidence, 241
  Adjust in Evidence Processor, 138
  Daylight Saving (DST), 240
  Overview, 236
  Registry Time Zone setting, 236
Date range filter
  Filter Date Range, 114
Deleted Files
  FAT, 265
  NTFS, 272
Delphi Basics, 223
Disclaimer, 334
Disk view, 78
  Custom color script, 219
  Custom colors, 79
Display view, 89
Dongle, See Activation
Duplicates
  De-duplicate, 250
Email Module, 176
Email Module, 175
Evidence
  Add, 129
Explorer Tool, 118
Export
  Delimited rows, 109
  Files, 105
  to L01, 107
  Using a script, 107
Export Word List, 173
Extension, 148
Extract Metadata
  Evidence Processor, 138
File List view, 147
File Name, 148
File signature analysis, 260
File slack
  Definition, 354
  Index search, 168
File System module, 144
File tree
  File System workspace, 144
Filter
  File System module, 74
  Scripts, 75, 119, 218
  Text filter tool, 115
Filtering, 114
Flags
  Apply, 113
  Clear, 114
Flat File Hash set, 253
Fragmentation
  File, FAT, 266
Full Path, 148
Fuzzy, See Index Search
Gallery View, 84
GUID
  Preview, 122, 140
Hash
  Acquisition hash display, 137
  Flat File Hash Set, 253
  Forensic Imager Acquisition, 50
  Verify, Evidence Proce
Column Headers window will open:

Figure 87: Column Headers (dialog listing Available columns, e.g. Bates, BIAS Time, Directory Level, File Category, File Signature, In Report, Intact Size, Is Deleted, IsCompressed, IsEncrypted, and Current Columns in order, e.g. Filename, Extension, Flags, Attributes, Logical Size, Physical Size, Modified, Created, Accessed, Bookmarked, Full Path, with Add, Remove, Move Up and Move Down buttons)

Add available columns to the current columns, and use Move Up or Move Down for the required position (position can also be controlled by dragging and dropping column titles once they are added). Remove unwanted columns with the Remove button.

It is possible to add columns using a script. An example of this is where the metadata properties from a Microsoft Word document (e.g. Author, Title, etc.) are extracted and placed into columns. See 8.11.1 for more information.

9.9 SORTING

Sorting is conducted in a List view, where the attributes of a file, email, Bookmark, keyword search, etc. are displayed in the relevant columns.

To sort by a single column:

1. Double click on the column heading (e.g. Filename). An arrow will appear showing the direction of the sort.
2. Double click again on the column heading to reverse the sort.

Figure 88: Single column sort (Table View)

The same single column
(Screenshot of the Scripts module showing the scripts tree, including Open Application.pas, Open Web Page.pas, Console Log.pas and Progress Log.pas, with a script open in the Script Editor)

The Scripts window lists available .pas (Pascal) scripts and their attributes.

Figure 178: Scripts window showing .pas file attributes (tree: Filters; Scripts, containing Common, Toolbar, File System, Disk View)

Name                           Modified               Description
Backup Settings.pas            16 Feb 13 1:18:40 PM   Backup …
Chart File Types Excel.pas     04 Mar 13 2:52:46 PM   Counts file type…
Chart Fragmentation Excel.pas  22 Feb 13 3:25:34 PM   Analyzes file frag…
Clear All Flags.pas            16 Feb 13 1:18:40 PM   Clears all flags fr…
Entropy Analysis.pas           04 Mar 13 7:47:22 AM   Calculates byte p…
Export File Types.pas          16 Feb 13 1:18:40 PM   Export file types…
File List Word.pas             22 Feb 13 3:25:34 PM   Export FileSyste…

Script Attributes

The Scripts window lists the a
…FORMANCE AND QUALITY OF THE SOFTWARE IS ASSUMED SOLELY BY YOU. YOU ACKNOWLEDGE AND AGREE THAT YOU HAVE EXERCISED YOUR INDEPENDENT JUDGEMENT IN ACQUIRING THE SOFTWARE. TO THE EXTENT PERMITTED BY LAW, GETDATA SHALL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF OR INABILITY TO USE THE SOFTWARE, EVEN IF GETDATA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE SOFTWARE IS MADE AVAILABLE BY GETDATA "AS IS" AND WITH ALL FAULTS. TO THE EXTENT PERMITTED BY LAW, GETDATA DOES NOT MAKE ANY REPRESENTATIONS OR WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, CONCERNING THE QUALITY, SAFETY OR SUITABILITY OF THE SOFTWARE, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR THAT THE SOFTWARE IS ERROR FREE. IF ANY CONDITION OR WARRANTY IS IMPLIED INTO THIS AGREEMENT UNDER ANY APPLICABLE LEGISLATION, CANNOT BE EXCLUDED, OR IF, NOTWITHSTANDING THE EXCLUSION OF LIABILITY ABOVE, GETDATA IS OTHERWISE LIABLE TO YOU, THEN TO THE EXTENT PERMITTED BY LAW THE LIABILITY OF GETDATA FOR BREACH OF THE CONDITION OR WARRANTY WILL BE LIMITED TO ONE OR MORE OF THE FOLLOWING, AS DETERMINED BY GETDATA IN ITS ABSOLUTE DISCRETION: (i) IN THE CASE OF GOODS, (A) THE REPLACEMENT OR SUPPLY OF EQUIVALENT GOODS OR THE REPAIR OF THE GOODS, OR (B) THE PAYMENT OF THE COST OF REPLACING
Figure 200: Create Flat File Hash Set from Case (dialog: Source: All File System items (818 items) / Checked File System items (0 items); Destination: File Hash Set Folder C:\Users\Owner\Documents\Forensic Explorer\HashSets, File Name "MD5 Hash Set"; Include Comment in Header: File Comment "Flat file hash set created by Forensic Explorer 29 Dec 14 2:27:44 PM", Case Name "New Case"; Specify Column Text in Header: HashSet "MD5 Hash Set", Identified As "Known")

The Flat File Hash Set is then created with the specified options and written to the profile Documents\Forensic Explorer\HashSets folder. The hash set appears and is available for use in the Hash Set window shown in Figure 199 above.

21.9 APPLY A HASH SET IN A CASE

To apply a hash set in a case:

1. Hash individual files in your case as described in 21.5 above.
2. In the File System module, click the Hash Match icon.

Figure 201: File System module, Hash Match icon

3. The Match Hash window will open.

Figure 202: Match Hash window (dialog with Files and Options tabs; Compare HashSets to: Hashable Items (0 items, 0 bytes), Checked items (0 it
18.4 STARTUP.PAS

The startup.pas script ([User Profile]\Documents\Forensic Explorer\Startup\startup.pas) runs when Forensic Explorer is launched.

To view the startup.pas script:

1. Go to the Scripts module.
2. At the bottom of the Scripts window (top left hand window), click on the Startup folder to show startup.pas.

(Screenshot of the Scripts window tree: Filters; Scripts, containing Common, File System, Phone, Quick Reference, Registry, scripts and Startup, with startup.pas under Startup)

3. Double click on startup.pas to open and display its content in the Script Editor (right hand window).

Startup.pas can be used to:

• Manage displayed modules: turn modules on or off at startup using the Startup Modules.pas script.
• Start up with custom modules (see Phone Module).
• Add button groups and buttons to module toolbars.

These features in the startup.pas file can be activated by removing the slash marks that are used to comment out the code.

In certain situations a computer forensics investigator may choose not to start Forensic Explorer with all modules visible. For example, when a case is to be reviewed by a third party, the forensic investigator may choose only to display relevant modules such as Keyword
(Screenshot of Disk view for Lexar 7GB USB E01.E01 at Sector 87, in Preview mode)

The number of sectors shown in Disk view can be dynamically adjusted using the slider bar:

Figure 53: Disk view scale bar (Small to Large)

Large scale can be used for examining small groups of individual sectors. Small scale can provide a graphical representation of the data structure on the disk, and can also be used to quickly identify content (see 8.4.2 Color Coded Content below).

Disk view opens with the following default color coding representing the content of sectors (color coding sourced from http://en.wikipedia.org/wiki/Web_colors):

• The start sector of a file
• Currently selected sector
• One type overlays another
• MBR / VBR: Red
• FAT 1: DarkViolet
• FAT 2: WebViolet
• $MFT: DarkViolet
• System files: WebTomato
• Folder: DeepSkyBlue
• Allocated File: CornFlowerBlue
• Unallocated space: LtGray
• Deleted file: A deleted file overlays unallocated space
• $MFT resident file: the file overlays the $MFT
• Carved file: DarkOrange
• Carved file overlays unallocated space

Disk view colors can be customized. For example, it is possible to:

• show a file type (e.g. JPGs) as a specific color; or
• ch
… 252
… 252
21.9 Apply a Hash Set in a Case 256
Chapter 22 File Signature Analysis 259
22.1 … signature analysis 260
22.2 … signature analysis 260
22.3 Running a file signature analysis 260
22.4 Examine the results of a file signature analysis 262
Chapter 23 Data Recovery 263
23.1 Data Recovery Overview 264
23.2 FAT data recovery 265
23.3 NTFS data recovery 272
23.4 … 276
Chapter 24 RAID 281
24.1 … 282
24.2 … 282
24.3 Add a RAID to a Case 283
Chapter 25 Shadow Copy 287
25.1 Shadow Copy Introduction 288
25.2 Examining Shadow Copies With Forensic Explorer 293
Chapter 26 Mount Image Pro 297
26.1 Mount Image Pro …
…Meter Control Center.
3. A screenshot of the Wibu WebAdmin page.

We will then contact you with further instructions.

5.2 ACTIVATE A REMOTE COMPUTER

The Wibu CodeMeter activation system enables you to use your local dongle to activate a remote, internet connected computer.

On the local computer (where the Forensic Explorer CodeMeter dongle is inserted), run the Network Server:

1. Download the latest CodeMeter Runtime for Windows User from http://www.wibu.com/downloads/user-software.html
2. Run CodeMeter WebAdmin by browsing to http://localhost:22350/ConfigServer.html
3. Select Configuration > Server from the menu, as shown in Figure 24 below.

Figure 24: CodeMeter WebAdmin (Configuration > Server page: Bind Address: All (Default); Run Network Server; Network Port: 22350; Run CmWAN Server; CmWAN Port: 22351; "Changes only take effect after restarting CodeMeter")

4. In the Server window, check Run Network Server and press the Apply button.
5. Ensure that the selected Network Port (22350) is not blocked by your firewall.
6. Restart the CodeMeter Service:
   a. Run the CodeMeter Control Center by cli
99. Timestamp storage by file system (table, continued):
FAT: stored in the record of the file in the directory data (32 bytes). Modified: Written Time (2 bytes) and Written Date (2 bytes), total 4 bytes. Accessed: Accessed Date only, total 2 bytes. Created: Created Time (2 bytes).
NTFS: stored in the $10 Standard attribute of the file's MFT record; units of 100 ns since 1 Jan 1601. Modified: Written Time and Written Date, total 8 bytes. Accessed: Accessed Time and Accessed Date, total 8 bytes. Created: Created Time.
exFAT: stored in the record of the file in the directory (32 bytes). Modified: Created Time (2 bytes), Created Date (2 bytes), Created msecs (1 byte), total 5 bytes. Accessed: Accessed Time (2 bytes) and Accessed Date (2 bytes), total 4 bytes. Created: Created Time (2 bytes).
HFS: stored in the file's record in the Catalog file (70 bytes); seconds since midnight 1 Jan 1904. Modified: Content Modified Date & Time, the date and time the file's contents were last changed by extending, truncating or writing either of the forks, total 4 bytes. Accessed: no field listed. Created: Created Date & Time.
HFS+: stored in the file's record in the Catalog file (88 bytes); seconds since midnight 1 Jan 1904. Modified: Content Modified Date & Time, the date and time the file's contents were last changed by extending, truncating or writing either of the forks, total 4 bytes. Accessed: Last accessed Date & Time, the date and time the file's content was last read, total 4 bytes. Created: Created Date & Time.
ext (inode): stored in the inode record; seconds since 1 Jan 1970. Modified: last date and time that the content was modified, total 4 bytes. Accessed: Access Date & Time, total 4 bytes. Created: Created D
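The table above lists four different ways the same instant is written to disk. The following Python is an added example (not code from the Forensic Explorer manual or from GetData) that decodes each field type from its raw bytes using the epochs and field sizes the table gives: the packed DOS date and time words of FAT and exFAT, the 8-byte 100 ns count of NTFS, the 4-byte 1904-based seconds of HFS and HFS+, and the 4-byte Unix seconds of an ext inode. The sample byte strings are constructed for the example; the function and constant names are the example's own.

```python
"""Decode the on-disk timestamp fields compared in the table above.

Added example (not code from the Forensic Explorer manual). It implements the
four storage formats the table lists:
  FAT / exFAT : 2-byte DOS date + 2-byte DOS time (local time, 2 s resolution)
  NTFS        : 8-byte count of 100 ns intervals since 1 Jan 1601 (UTC)
  HFS / HFS+  : 4-byte seconds since midnight 1 Jan 1904
  ext (inode) : 4-byte seconds since 1 Jan 1970
The byte strings in the demo are constructed for the example.
"""
import struct
from datetime import datetime, timedelta, timezone

NTFS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def decode_fat(date_word: int, time_word: int) -> datetime:
    """DOS packed date/time. Date: bits 15-9 year-1980, 8-5 month, 4-0 day.
    Time: bits 15-11 hour, 10-5 minute, 4-0 seconds/2. No time zone is stored,
    so the result is naive: the examiner must know the machine's zone."""
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def decode_ntfs(filetime: int) -> datetime:
    """NTFS FILETIME: 100 ns ticks since 1601-01-01 UTC (8 bytes)."""
    return NTFS_EPOCH + timedelta(microseconds=filetime // 10)


def decode_hfs(seconds: int) -> datetime:
    """HFS / HFS+ catalog dates: seconds since 1904-01-01 (4 bytes)."""
    return HFS_EPOCH + timedelta(seconds=seconds)


def decode_unix(seconds: int) -> datetime:
    """ext inode times: seconds since 1970-01-01 UTC (4 bytes)."""
    return UNIX_EPOCH + timedelta(seconds=seconds)


# Raw field layout per file system: (struct format, decoder). FAT writes the
# time word before the date word (directory entry offsets 22 and 24); HFS
# fields are big-endian, NTFS and ext little-endian.
FIELD_FORMATS = {
    "FAT":   ("<HH", lambda t, d: decode_fat(d, t)),
    "exFAT": ("<HH", lambda t, d: decode_fat(d, t)),
    "NTFS":  ("<Q", decode_ntfs),
    "HFS":   (">I", decode_hfs),
    "HFS+":  (">I", decode_hfs),
    "ext":   ("<I", decode_unix),
}


def decode_field(fs: str, raw: bytes) -> datetime:
    """Decode one timestamp field exactly as the named file system stores it."""
    fmt, decoder = FIELD_FORMATS[fs]
    if len(raw) != struct.calcsize(fmt):
        raise ValueError(f"{fs} timestamp is {struct.calcsize(fmt)} bytes, got {len(raw)}")
    return decoder(*struct.unpack(fmt, raw))


if __name__ == "__main__":
    # Constructed sample: the instant 2014-12-18 11:54:22 UTC as each
    # file system would write it.
    samples = {
        "FAT":  bytes.fromhex("cb5e9245"),                  # time 0x5ECB, date 0x4592
        "NTFS": (130633772620000000).to_bytes(8, "little"),
        "HFS+": (3501748462).to_bytes(4, "big"),
        "ext":  (1418903662).to_bytes(4, "little"),
    }
    for fs, raw in samples.items():
        print(f"{fs:5} {raw.hex():>16}  {decode_field(fs, raw)}")
```

The FAT result is deliberately returned without a time zone: the directory entry carries none, which is why the Adjust Time Zone setting described elsewhere in this manual matters when FAT and NTFS timestamps are compared side by side.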
100. SINGLE THUMBNAIL FILE
To expand a single compound Thumbnail File:
1. Run a Signature Analysis, if not already done.
2. Right-click on the Thumbnail File and select Expand Compound File from the drop-down menu (if this menu option is not active, run a Signature Analysis).
3. Once expanded, the icon of the Thumbnail File will change to the compound file icon. Click on the Thumbnail File to show the files it contains, as shown in Figure 254 below.
Figure 254: Expanded Thumbs.db file (File List view of an expanded Thumbs.db in Sample Pictures, listing Root Entry, OLE Header, OLE FAT and the contained thumbnail entries).
EXPAND MULTIPLE THUMBNAIL FILES
It can be advantageous to expand multiple compound Thumbnail Files. To expand multiple Thumbnail Files:
1. In the File System module, select the Analysis Scripts button and run the Expand Compound Files script. IMPORTANT: for speed purposes, before running the script turn off any running Folders filter.
2. Select the Thumbs/ThumbCache checkbox and run the script.
3. All Thumbnail Files in the ca
101. WINDOWS USER
If you are still unable to activate Forensic Explorer, download the Wibu CodeMeter Runtime for Windows from http://www.wibu.com/downloads/user-software.html. When the Wibu CodeMeter software is successfully installed, insert your Forensic Explorer Wibu dongle. Double-click on the Wibu icon in the Windows task bar (Figure 21: Wibu CodeMeter Windows task bar icon). The CodeMeter Control Center will open, shown in Figure 22 below.
Figure 22: Wibu CodeMeter Control Center (File, Process, View and Help menus; the CmStick is listed with its serial number, free memory and a status of Enabled; Eject and Change Password buttons).
Confirm that your CmStick is identified by the CodeMeter Control Center and that it has an Enabled status. Click on the Web Admin button, which will open your web browser. In the Web Admin page select Content > Licenses. Confirm that your Wibu dongle contains the Forensic Explorer activation, as shown in Figure 23 below.
Figure 23: Wibu WebAdmin, Content > Licenses (GetData Pty Ltd, 101712: Product Code 51, Name Forensic Explorer, Unit Counter n/a, Expiration Time n/a).
Contact us via support@getdata.com (see Appendix 1 Technical Support for full contact details) and provide:
1. Your dongle ID number.
2. A screenshot of the Code
102. 0x2E and 0x2E2E, as well as LFN and SFN directory entry structures. The Double Dot is used to locate the parent folder and traverse up the directory tree. Eventually, because located folders are not part of the existing file system, a parent folder will not be found. Forensic Explorer appends the results in a folder in the File System module Folders view using the generic name Folder Carve X, as shown below.
Figure 214: Recover Folders results (Folders view tree: Preview 1 > Lexar 7GB USB E01.E01 (Local Time) > Partition @ 63, containing Folder Carve 1, Orphaned (12) and Root (28) with $Extend (4), 50th Birthday Cake (7), Aircraft Photos (6) and Animals (8)).
23.3 NTFS DATA RECOVERY
When a file is deleted in an NTFS file system, the data content of the file remains available for recovery from the newly unallocated clusters. The original data will remain in each cluster until it is used to store new data and the previous content is overwritten. If only a percentage of the clusters are reused, then partial recovery, or the recovery of a data fragment, may still be possible. If all clusters
103. FORENSIC EXPLORER User Manual. Published 12 Mar 15 at 09:36:51. GetData.
Chapter Contents (published 12 Mar 15 at 09:36:48)
Chapter 1 Introduction ..... 11
1.1 Introducing Forensic Explorer ..... 12
1.2 Supported file formats ..... 12
1.3 Supported file systems ..... 12
1.4 ..... 13
Chapter 2 30 Day Evaluation Version ..... 15
2.1 ..... 16
2.2 Activating the 30 day evaluation version ..... 16
Chapter 3 Purchase ..... 23
3.1 Purchase ..... 24
3.2 License maintenance ..... 25
Chapter 4 Installation ..... 27
4.1 System requirements ..... 29
4.2 ..... 29
4.3 Install ..... 29
4.4 Uninstall Forensic Explorer ..... 34
Chapter 5 Dongle Activation ..... 35
5.1 Dongle activation of the purchased version ..... 36
5.2 Activate a Remote Computer ..... 40
5.3 Applying maintenance updates to your Wibu dongle ..... 42
Chapter 6 Forensic Acquisition ..... 43
6.1 ..... 44
6.2 ..... 45
Chapter 7 Forensic Explorer Interface
104. 7.1.1 Undocking and docking Modules ..... 57
7.2 Module data views ..... 59
7.2.1 Undocking and docking data views ..... 59
7.3 Customizing layout ..... 61
7.3.1 ..... 61
7.3.2 Load custom layout ..... 61
7.3.3 ..... 61
Chapter 7 Forensic Explorer Interface
7.1 MODULES
The Forensic Explorer interface is broken down into a number of modules which separate the program's primary functions. Each module is accessed by a tab at the top of the main program screen: Home, File System, Keyword Search, Index Search, Email, Bookmarks, Reports, Scripts and Registry. The functions of the modules are summarized in the following table. More information about each tab can be found by referring to the module-specific chapter.
Tab: Function
Home: Case management.
File System: Detailed analysis of file systems added to the case.
Keyword Search: Keyword search raw case data using simple or RegEx keywords.
Index Search: Create and search indexed data using dtSearch technology.
Email: Examine PST files.
Bookmarks: Add investigator bookmarks to document the analysis.
Reports: Create reports.
Scripts: Program, manage and run scripts against cas
105. FAT file system. Forensic Explorer identifies deleted files by locating the 0xE5 marker in the first byte of a file's directory entry. When a file is deleted on a FAT system, its entries in the FAT table are reset. At this point, as far as the FAT is concerned, a deleted file no longer occupies physical space on the disk.
Importantly, the directory entry for a deleted FAT file retains the attributes for the starting cluster and the logical file size. Forensic Explorer uses the logical file size to calculate the total clusters used by the file.
FAT FILENAMES OF DELETED FILES
Some deleted files will display in the File List view of Forensic Explorer with an underscore as the first character, whilst other deleted files retain their original name. An example is shown in Figure 207 above, where the deleted file _UNNY.JPG (originally called BUNNY.JPG) has its first character replaced, but Koala.JPG in the same folder retains its original file name. The starting character of a Short File Name (SFN) is overwritten by the 0xE5 marker when a file is deleted. For display purposes, Forensic Explorer replaces the first character with an underscore. Where a file has both a SFN and a Long File Name (LFN) directory entry, the missing first character of the file name is located in the LFN and is used by Forensic Explorer to display the full original file na
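The behaviour described above (the 0xE5 marker, the underscore shown in place of the lost first character, the original name recovered from the LFN entry, and the cluster count derived from the retained starting cluster and logical size) can be demonstrated on a run of raw 32-byte directory entries. The following Python is an added example, not code from the manual or from GetData; the directory bytes are constructed for it (a deleted BUNNY.JPG with an LFN entry and a live KOALA.JPG), and all function names are the example's own.

```python
"""Parse FAT directory entries and recover deleted files' names and extents.

Added example, not the manual's or GetData's code. It walks a run of 32-byte
directory entries, treats a first byte of 0xE5 as the deletion marker, shows
the short name with an underscore the way the text describes, restores the
original first character from the preceding Long File Name (LFN) entries when
present, and derives the cluster count from the retained logical size and
starting cluster. The directory bytes in the demo are constructed.
"""
import struct

DELETED = 0xE5
ATTR_LFN = 0x0F
ATTR_DIRECTORY = 0x10


def _lfn_chunk(entry: bytes) -> str:
    """13 UTF-16 characters of an LFN entry: bytes 1-10, 14-25 and 28-31."""
    raw = entry[1:11] + entry[14:26] + entry[28:32]
    text = raw.decode("utf-16-le", errors="replace")
    return text.split("\x00")[0].rstrip("\uffff")   # 0x0000 terminator, 0xFFFF padding


def parse_fat_directory(raw: bytes, bytes_per_cluster: int) -> list:
    entries = []
    lfn_parts = []            # LFN fragments are stored highest-sequence first
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:      # never-used entry: end of the directory listing
            break
        attr = e[11]
        if attr == ATTR_LFN:  # a deleted LFN entry also starts with 0xE5 but keeps its text
            lfn_parts.append(_lfn_chunk(e))
            continue
        deleted = e[0] == DELETED
        base = e[0:8].decode("latin-1").rstrip()
        ext = e[8:11].decode("latin-1").rstrip()
        short = base + ("." + ext if ext else "")
        if deleted:           # 0xE5 overwrote the first character; display it as '_'
            short = "_" + short[1:]
        long_name = "".join(reversed(lfn_parts))
        lfn_parts = []
        cluster_hi, = struct.unpack_from("<H", e, 20)
        cluster_lo, = struct.unpack_from("<H", e, 26)
        size, = struct.unpack_from("<I", e, 28)
        entries.append({
            "display": short,
            "name": long_name or short,          # LFN supplies the lost first character
            "deleted": deleted,
            "directory": bool(attr & ATTR_DIRECTORY),
            "first_cluster": (cluster_hi << 16) | cluster_lo,
            "size": size,
            "clusters": -(-size // bytes_per_cluster),  # ceiling of size / cluster size
        })
    return entries


# Helpers that build the constructed sample directory.
def _sfn_checksum(name11: bytes) -> int:
    s = 0
    for b in name11:
        s = (((s & 1) << 7) + (s >> 1) + b) & 0xFF
    return s


def _sfn_entry(base: str, ext: str, first_cluster: int, size: int, deleted: bool = False) -> bytes:
    name11 = base.ljust(8).encode() + ext.ljust(3).encode()
    if deleted:
        name11 = bytes([DELETED]) + name11[1:]
    return (name11 + bytes([0x20, 0, 0]) + bytes(6)             # ARCHIVE attr, times zeroed
            + struct.pack("<H", first_cluster >> 16) + bytes(4)
            + struct.pack("<H", first_cluster & 0xFFFF) + struct.pack("<I", size))


def _lfn_entry(text: str, seq: int, chksum: int) -> bytes:
    u = (text.encode("utf-16-le") + b"\x00\x00").ljust(26, b"\xff")
    return bytes([seq]) + u[0:10] + bytes([ATTR_LFN, 0, chksum]) + u[10:22] + b"\x00\x00" + u[22:26]


def sample_directory() -> bytes:
    """Constructed directory: deleted BUNNY.JPG (with LFN) and live KOALA.JPG."""
    bunny_lfn = _lfn_entry("BUNNY.JPG", 0x41, _sfn_checksum(b"BUNNY   JPG"))
    bunny_lfn = bytes([DELETED]) + bunny_lfn[1:]     # deletion marks the LFN entry too
    return (bunny_lfn
            + _sfn_entry("BUNNY", "JPG", 1200, 70000, deleted=True)
            + _sfn_entry("KOALA", "JPG", 1218, 65536)
            + bytes(32))                             # unused entry ends the listing


if __name__ == "__main__":
    for item in parse_fat_directory(sample_directory(), 4096):
        print(item)
```

The LFN checksum is built into the sample for realism but is deliberately not used to link LFN and SFN entries here: it was computed over the original short name, so once 0xE5 has replaced the first byte the check no longer passes, and a tool that insisted on it would discard exactly the names it is trying to recover.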
106. The Filename will be repeated in the table across the page, as shown below. In the Reportable Items > Filename window, select a file and drag and drop it into the first cell of the table. Select to insert the field as Graphic. The picture will now display in the first cell of the table. Use the formatting tools (alignment, font etc.) to adjust as necessary. Add a title if required.
17.5.2 NESTED TABLES
More complex reports, where records are grouped by folders, require nested tables. For example, to group the following bookmark structure by first level folders (Cats and Dogs):
Cats (10)
Dogs (10)
a nested table is required. Figure 175 below describes the layout.
Figure 175: Layout of a Nested Table (PICTURES: root folder; CATS: group by bookmark folder 1 at level 1; DOGS: group by bookmark folder 2 at level 1; each group row carries the item fields, such as filename and created date).
Chapter 18 Scripts Module
In This Chapter
18.1 ..... 216
18.1.1 Scripts window ..... 217
18.1.2 Script Editor window ..... 220
18.1.3 Messages Window (Console) ..... 221
18.2 Managing scripts in the scripts window
107. Windows disk to the preview or case.
Chapter 27 Live Boot
3. Run Live Boot
a. To run Live Boot: in the Forensic Explorer File System module, click on the Live Boot button in the toolbar. The Live Boot Options window will display.
Figure 233: Live Boot Options, Boot Options tab (Name: Live Boot; Device to Boot: Jesper Laptop PST.E01; Operating System: Windows 7 Home Premium (Detected); Options: Boot to ISO, Boot Delay (secs) 1, Date/Time (UTC) 18 Dec 2014 11:54:23 AM, Start VMware, Bypass Logon; Logging: Normal; Priority: Normal).
b. Ensure that Device to Boot contains the required image.
c. Switch from the Boot Options tab to the Settings tab.
Figure 234: Live Boot Options, Settings tab (VMware Path: C:\Program Files (x86)\VMware\VMware Player; Mount Image Pro: C:\Program Files (x86)\GetData\Mount Image Pro v6; Logging: Normal; Priority: Normal).
d. Ensure that the paths to VMware and Mount Image Pro v6 are correct.
e. Click OK to proceed with the boot.
f. Information about the boot process is displayed in the process window. The VMware GUI will then launch and the forensic ima
108. Chapter 8 Data Views
8.11 FILE METADATA
Metadata is loosely defined as data about data. Essentially it is information within a file which further describes the content or the layout of the file. An example of metadata is found in Microsoft Word documents, where additional information is stored by Word, including:
- Author
- Subject
- Title
- etc.
The File Metadata view breaks down and displays the metadata values for specific file types. Currently supported are OLE (doc, xls, ppt), ZIP and JPEG. Figure 76 below shows the metadata of a Microsoft Word document.
Figure 76: Metadata view of a Microsoft Word document (File Metadata pane listing OLE Data, OLE Header and OLE Summary properties: Author, Subject, Title, Created (UTC), Modified (UTC), PageCode, Keywords, Comments, Edit Time, Last Saved, Pages and Words, each with its value and type, e.g. LT Accounting Data, 13 Jul 06 4:39:00 AM, 13 Jul 06 4:43:00 AM, 2 mins, 1252; types UString, Binary, Date, Integer, LongWord).
It is possible to extract metadata and make it available in a column in a list view. This is done from the File System module Analysis Scripts button, shown below.
109. Chapter 15 Registry Module
15.1 REGISTRY MODULE
The Registry module is accessed via the Registry tab (Figure 144: Registry module tab).
The Registry module is used to expand and examine Windows registry files. A Windows registry contains a great deal of information that can be of value to the forensic investigator: "The Registry contains information that Windows continually references during operation, such as profiles for each user, the applications installed on the computer and the types of documents that each can create, property sheet settings for folders and application icons, what hardware exists on the system, and the ports that are being used" (Windows registry information for advanced users [12]).
Unlike the Microsoft Windows registry editor, which is restricted to the current system's registry, Forensic Explorer allows the forensic investigator to examine registry files from any computer.
The Windows Registry is physically stored in several files. The number of files, their names and their locations vary depending on the version of Windows in use. See http://support.microsoft.com/kb/256986, Windows registry information for advanced users [12], for detailed information. In most cases the forensic investigator will target the following Windows registry files. Windows 95, 98 and ME operating systems have two registry files lo
110. a physical or logical device. It represents the digital fingerprint at the time the image was taken. It is recommended, in line with accepted best forensic practice, that an acquisition hash is always included when acquiring data of potential evidentiary value.
In EnCase E01 and Ex01 image file formats the acquisition hash is written into the image header. In other formats, such as a DD image, a hash value is usually written into an associated text file.
To display an acquisition hash in Forensic Explorer:
1. In the Evidence module, create or open a case.
2. In the Evidence module, in the Evidence tab, click on the image file to display the file properties, including the Acquisition hash value, as shown in Figure 193 (Acquisition and Verification hashes).
21.4 VERIFICATION HASH
A verification hash is a recalculation of the hash for a forensic image file. It enables the investigator to compare the acquisition hash with the verification hash to confirm the validity of the image file: if the hashes are identical, the image has not changed since acquisition.
There are two methods to calculate a verification hash in Forensic Explorer:
1. Calculate the verification hash when adding evidence to the case:
a. In the Evidence module, start a case or preview, or open an existing case.
b. Click the Add Device, Add Image or Add File
111. Figure: an undocked module (module tabs Bookmarks, Registry, Timestamp and Scripts shown; the undocked Scripts module lists My Scripts; caption: re-dock by dragging the module back into the top bar).
7.2 MODULE DATA VIEWS
Within each module are one or more data views which display the data in the case. Data views occupy the three lower panes of the Forensic Explorer module. They operate in a similar fashion to the layout of Microsoft's Windows Explorer, with a tree (top left), list (top right) and display (bottom) window, as shown in Figure 35 below.
Figure 35: Forensic Explorer module layout (screenshot of Forensic Explorer v4.0.1 with the MODULES tab bar, RIBBON, tree view, LIST VIEW and display view labelled).
Data views are conduits to the examined data. Each data view is designed to expose the investigator to specific information, whether it is lists of file attributes, displaying photos or graphics, detailing file metadata, or dealing with data at a sector or hex level. Data views also contain the tools that are used to display, sort, decode, search, filter, export and report. More information about each data view is provided in Chapter 8 Data Views.
Any data view window showing this icon
112. accessed via the Hex tab.
Hex view shows a hexadecimal/ASCII view of the currently highlighted item. The slide bar to the right of the hex/ASCII windows separates the data inspector. Data highlighted in Hex view is automatically analyzed in the data inspector to determine its type.
Figure 60: Hex view and data inspector (hex offsets down the left; data inspector rows for each type, including float and double; status bar: Sector 9309, Offset 0, Selection 0, Preview\FAT32).
The right-click menu in the Hex view provides options to select and copy Hex. It also allows investigators to:
- Add bookmark: highlight a selection of Hex and bookmark it. See Chapter 16 Bookmarks Module for more information.
- Carve Selection: highlight a selection of Hex, carve this data and add it to the File System module as a file. When this option is selected the following window appears.
Figure 61: Carving files from Hex view (Name: Hex 94 161; Available Folders: File Carve 1).
Bookmark Name: the default name is the Hex offset and the length of the selection in bytes. The default name can be edited.
Available Folders: this is the folder name in the File System Folders view which will hold the carved file. A new folder can be added as required.
113. also be independently run in the File System module. Learn more about signature analysis in Chapter 22.
File Carve
File carving is the identification and extraction of file types from unallocated clusters using file signatures. File carving can only take place subsequent to the identification of a file system. For this reason it is a sub-task of Search for FileSystems, as shown in Figure 114 above. File carving can also be independently run in the File System module. Learn more about file carving in section 23.4.
Extract Metadata
Extract Metadata is used to collect internal file data and make the information available in columns. For example, for a digital photo, metadata can include the camera Make and Model and the GPS coordinates of the photo. The Extract Metadata option runs a script located in the Scripts module in the path File System\Metadata to columns\Extract Metadata.pas. Once the data has been extracted, the metadata columns can be added to a list view.
PROCESSES LIST
When a task is run in Forensic Explorer, its progress is detailed in the Processes list. This list is accessed globally from any Forensic Explorer module by clicking on the Processes tab in the bottom right-hand corner of the main program screen.
10.5.2 ADJUST TIME ZONE
File dates and times can be adjusted for each piece of evidence as it
114. value in the script, for example X := 27.
A procedure is a set of instructions to be executed with no return value. A function is a procedure with a return value.
A commonly used procedure, ConsoleLog, is used in Appendix 7 Sample Script. The procedure wraps the Progress.Log command (which writes a message to the Messages window) so that the message includes the date and time.
Figure 181: Procedure ConsoleLog
procedure ConsoleLog(AString: string);
begin
  Progress.Log(DateTimeToStr(Now) + ' ' + AString);
end;
The procedure is called with the line:
ConsoleLog('Here is the message');
and the resulting output is:
17 Jan 13 1:47:22 PM Here is the message
The main part of the script appears between the two reserved words begin (marking the start of the code) and end followed by a period (end.) marking the end. A script is broken down into a series of commands. A general rule is that a command must end with a semicolon. If a command extends over several lines, for example an If Then Else statement, generally the semicolon won't appear until the end of the entire statement.
Errors in a script are reported in the Messages (console) window. Usually the message will provide the line number of the code where the error appears. Double-click on the line number to go directly to the problem line.
115. Alternate Data Stream (ADS): An Alternate Data Stream is a feature of the NTFS file system. ADS were originally included in Windows NT for compatibility with Macintosh HFS file systems (resource fork and data fork). The ADS provides a means to allow programmers to add additional metadata to be stored for a file without adding this data directly to the file. The additional data is attached as a stream which is not normally visible to the user.
ANSI character set: The ANSI character set was the standard character encoding for English versions of Microsoft Windows, including Windows 95 and NT. The ANSI format stores only the 128 ASCII characters and 128 extended characters, using 1 byte per character. Not all of the Unicode characters are supported.
ASCII: The American Standard Code for Information Interchange (ASCII) is a 7-bit character encoding scheme that allows text to be transmitted between electronic devices in a consistent way. The ASCII character set comprises codes 0-127, within which codes 0-31 and 127 are non-printing control characters. The addition of codes 128-255 makes up the Extended ASCII character set (see http://www.ascii-code.com for more information [10]).
Bookmarks: Forensic Explorer enables any item (file, folder, keyword search hit etc.) or sections of items to be marked and listed in the Bookmarks module. Bookmarks are used to note items of interest.
BpB: Bytes
(Further terms in this part of the glossary: BpS, Byte Plot view, Forensic Explorer, Carved file.)
116. can do this in the Scripts module by using the Parameter box in the toolbar. If you type in "File System" (use the quotes when a space is located in the module name) in the Parameters box and then run the script, the button will appear in the File System module. If you type in Scripts, the button will appear in the Scripts module.
If there is an error in the script, the messages will be displayed in the Messages window at the bottom of the Scripts module.
If you want to remove a button group without restarting, run Toolbar\Delete Button Group Form.pas in the Quick Reference folder.
You can then, of course, start experimenting. You can create your own script in Scripts\Toolbar\My Custom Button Group.pas, fill it with your own buttons and call it from the startup.pas script so it is there each time you start the program. If you are feeling brave, you can edit Toolbar Manager.pas so that you can open and close it on the fly.
Chapter 19 Custom Modules
In This Chapter
19.1 About custom modules ..... 232
19.2 Browser History Module ..... 232
19.3 ..... 232
19.3.1 ..... 232
19.3.2 Nokia PM ..... 233
117. change the color of a file type over a certain size to a specific color; or
- show a specific file (e.g. sample.txt) as a specific color.
Custom Disk view colors are defined using Forensic Explorer scripts located in the Scripts\Disk View folder. Learn more about scripting in Chapter 18 Scripts Module.
To change Disk view colors using a script:
1. Right-click in the Disk view window.
2. Select Disk Colors from the drop-down menu.
3. Select the required Disk view colors script.
Figure 54: Right-click Disk View menu links to scripts (menu: Goto, Export Selection, Carve Selection, Disk Colors; Disk Colors submenu: Default Colours, Bookmarked Green.pas, Checked files Red.pas, Deleted Orange.pas, Folders SkyBlue.pas, Free space Black.pas, JPG Yellow.pas, Multi color change.pas).
To reset Disk view colors to default:
1. Right-click in the Disk view window.
2. Select Disk Colors > Default Colors.
DISK VIEW MAP
The vertical bar on the right-hand side of the Disk view window, shown in Figure 56 below, is a map of allocated space on the examined device. Use the vertical scroll bar to quickly navigate to the colored section, which identifies allocated disk space.
KEYBOARD NAVIGATION
The following commands are available for navigation in Disk view:
Mouse Scroll. Navigate sectors using the arrow keys. First and last sec
118. Search Hits preview window. Use the marker arrows to jump between highlighted hits (Figure 139: Navigate index search hits, showing Hit 1 of 22).
Use the Auto Scroll to First Hit check box to automatically scroll to the first keyword hit in the Search Hits window. Search hits are highlighted in yellow, as shown below.
Figure 140: Index search results (Forensic Explorer v1.0.1.1851, Index Search module: Indexes pane with Index 1 (Filesystem); Index Result List showing Display Name and Hits for HLA_Opera_Int_15.jpg to HLA_Opera_Int_11.jpg; the preview text "designed by Henning Larsen Architects, Photo by Adam Mark" with the hit highlighted; Word / Word Count list showing copenhagen 408).
13.6 INDEX SEARCH COMPOUND FILES
dtSearch will index compound files, including PST and ZIP, and display individual keyword hits within the messages and files. It is also possible to add a compound file directly as evidence (use the Add File button in the Evidence module) and index its content.
13.7 EXPORT WORD LIST
The Export Words button (implemented in v2.3.6.3531 and above) is used to export the list of indexed words to a csv f
119. are reused, all original content is overwritten and destroyed.
Each file and folder on an NTFS drive has an allocation status, set by a flag in the Master File Table (MFT) record header. The flag identifies whether it is an allocated (active) file or unallocated (deleted). To display deleted files, Forensic Explorer reads the MFT to find unallocated entries. Allocation status flag values are shown in Table 1 and Table 2 below.
Table 1: Allocation status for a file
Flag value for a file: 00000000 = Unallocated; 00000001 = Allocated.
Table 2: Allocation status for a folder
Flag value for a folder: 00000010 = Unallocated; 00000011 = Allocated.
In Forensic Explorer the allocation status of a file is shown in Filesystem Record view when the file is highlighted.
Figure 215: Forensic Explorer Record view showing decoded MFT allocation status for an allocated file (Filesystem Record: MFT Record Header; Flags: Deleted False, Directory False; Offset to fixup 48; Size of fixup 3; Logfile sequence 33747168; Sequence 1; HardLinks 1; Attributes).
When the MFT record is marked as unallocated, both the MFT record and the clusters used to store the data (for non-resident files) become available to store new data.
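Table 1, Table 2 and the header fields in Figure 215 can be decoded directly from a raw 1024-byte MFT FILE record. The following Python is an added example, not the manual's or GetData's code: it reads the record header, interprets the flags word (bit 0 set means allocated, bit 1 set means directory, which gives the table's values 0 and 1 for files and 2 and 3 for folders), and also applies the update-sequence fixups that "Offset to fixup 48" and "Size of fixup 3" describe, since the last two bytes of each 512-byte sector hold the sequence number rather than record data until they are restored. The sample records are constructed, and the function names are the example's own.

```python
"""Decode NTFS MFT record header flags (allocation status) and apply fixups.

Added example, not GetData's code. The flags word at offset 22 of a FILE
record gives the status listed in Table 1 and Table 2: bit 0 = in use
(allocated), bit 1 = directory. The update sequence array (offset and count
at header offsets 4 and 6) must be applied before the record's attributes
are trusted. Sample records are constructed below.
"""
import struct

HEADER = "<4sHHQHHHHII"     # signature, fixup offset, fixup count, $LogFile LSN,
                             # sequence, hard links, first attribute offset, flags,
                             # bytes used, bytes allocated
FLAG_IN_USE = 0x0001
FLAG_DIRECTORY = 0x0002


def apply_fixups(record: bytes, sector_size: int = 512) -> bytes:
    """Restore the real last two bytes of every sector from the fixup array.
    A mismatch means the record was torn during a write or is corrupt."""
    fixup_off, fixup_count = struct.unpack_from("<HH", record, 4)
    usn = record[fixup_off:fixup_off + 2]
    out = bytearray(record)
    for i in range(1, fixup_count):
        end = i * sector_size
        if out[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch at sector {i - 1}")
        out[end - 2:end] = record[fixup_off + 2 * i:fixup_off + 2 * i + 2]
    return bytes(out)


def fixups_consistent(record: bytes) -> bool:
    """True when every sector ends with the expected update sequence number."""
    try:
        apply_fixups(record)
        return True
    except ValueError:
        return False


def parse_mft_header(record: bytes) -> dict:
    (sig, fixup_off, fixup_count, lsn, seq, links,
     attr_off, flags, used, allocated) = struct.unpack_from(HEADER, record, 0)
    if sig != b"FILE":      # "BAAD" marks a record the driver itself found damaged
        raise ValueError(f"not an MFT FILE record: {sig!r}")
    in_use = bool(flags & FLAG_IN_USE)
    is_dir = bool(flags & FLAG_DIRECTORY)
    return {
        "offset_to_fixup": fixup_off,
        "size_of_fixup": fixup_count,
        "logfile_sequence": lsn,
        "sequence": seq,
        "hard_links": links,
        "first_attribute": attr_off,
        "flags": flags,
        "deleted": not in_use,
        "directory": is_dir,
        "status": ("Allocated" if in_use else "Unallocated") + (" folder" if is_dir else " file"),
    }


def build_record(flags: int, lsn: int = 33747168, seq: int = 1, links: int = 1) -> bytes:
    """Constructed 1024-byte record with a two-sector fixup array at offset 48."""
    rec = bytearray(1024)
    struct.pack_into(HEADER, rec, 0, b"FILE", 48, 3, lsn, seq, links, 56, flags, 0x60, 1024)
    rec[48:50] = b"\x07\x00"          # update sequence number (USN)
    rec[50:52] = b"\xaa\xbb"          # real bytes 510-511 of sector 0
    rec[52:54] = b"\xcc\xdd"          # real bytes 1022-1023 of sector 1
    rec[56:60] = b"\xff\xff\xff\xff"  # end-of-attributes marker
    rec[510:512] = b"\x07\x00"        # on disk, each sector ends with the USN
    rec[1022:1024] = b"\x07\x00"
    return bytes(rec)


if __name__ == "__main__":
    for flags in (0x0000, 0x0001, 0x0002, 0x0003):
        header = parse_mft_header(apply_fixups(build_record(flags)))
        print(f"flags {flags:08b}: {header['status']}")
```

Reading the flags without applying the fixups happens to work here because the header sits in the first 48 bytes of sector 0, but any attribute that straddles a sector boundary (a $FILE_NAME or a resident $DATA near offset 512) would contain two bytes of sequence number instead of content, which is why a carver for unallocated MFT entries should run the fixup step first and treat a mismatch as a sign of a torn or partially overwritten record.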
120. Figure (continued): Folders view showing Partition @ 63 (7); status bar 3 of 10 items; path Preview\FAT32 Photos.E01\Partition @ 63\NO NAME\Root\Ani
A checked item is one which has a tick in its selection box.
User checked item: an item whose selection box has been ticked.
Partially checked folder: a folder in which not all items inside that folder or its sub-folders have been checked.
To check an individual item, use the mouse to place a tick in the selection box. To check multiple items:
1. Follow the instructions above to highlight multiple files.
2. Then press the Space Bar to turn the check ticks on or off.
COUNTING CHECKED ITEMS
It is useful in many situations to quickly identify how many items are currently checked. This information is provided in the status bar of a Folders view, as shown in Figure 82 below.
Figure 82: Checked item count in Folders view (tree: Preview 1 > Lexar 7GB USB E01.E01 (Local Time) > Partition @ 63 (7), containing Orphaned (12) and Root (28) with $Extend (4) > $RmMetadata (4) > $Txf (0), $TxfLog (5), 50th Birthday Cake (7), Aircraft Photos (6) and Bomber (51); status bar: Checked 43 of 887).
9.3 ADD AND EDIT BOOKMARKS
Forensic Explorer enables any item (file, folder, keyword search hit etc.) or sections of items to be marked and listed in the Bookmarks module. Bookmarks are used to
121. hashes of files will take place in the module in which the hash is run. For example, if the button is pressed in the Email module, a hash is calculated for the messages and attachments in that module.
The hash can be calculated for all searchable items or for checked items. Include raw Devices and Partitions will additionally hash those items as stand-alone files. Warning: this will increase the time required.
Hash Methods: select the type(s) of hash to be used.
Force Recalculation: when checked, all hashes will be recalculated. When unchecked, a hash will be calculated only for those items that do not yet have a hash.
Duplicates: see below.
File Size Range: ignore files that do not fall within the range (0 to 0 hashes all files).
Logging & Priority: see 7.5 Logging and Priority.
The results of a file hash are written to the Hash column of the File System module. If the Hash column is not visible, learn how to add columns to the File System module in chapter 9.8 Columns.
21.5.1 DUPLICATES
The Find duplicate files checkbox, shown in Figure 195 above, is used to identify files that have identical hash values. In addition to this benefit, a principal reason for identifying duplicates is that it gives the investigator the opportunity to de-duplicate a case. This potentially improves case processing time in that
122. measure the randomness of data. For example, a compressed file will have a high entropy score; a text file will not. An entropy score is included in Forensic Explorer in the Byte Plot data view of the File System module.
Appendix 6 Definitions
E01: A forensic file format used to create disk image files. Developed by Guidance Software, http://www.guidancesoftware.com.
Evidence Items: Items of evidence that have been added to the case, such as forensic image files, email files, registry files etc.
Explorer View: File display technology written by GetData and used in the Forensic Explorer File Display tab to show the contents of more than 300 different file types.
FAT: FAT (File Allocation Table) is the file system that pre-dates NTFS. Once popular on Windows 95, 98 and XP, it is now primarily used on memory cards, USB drives, flash memory etc. due to its simplicity and compatibility between operating systems (e.g. Windows and Mac). For more information see http://www.forensicswiki.org/wiki/FAT.
FAT Slack: The unused space in the last cluster of the FAT where the logical size of the FAT does not fill the complete cluster.
File carve: File carving is the process of searching for files based on known content rather than relying on file system metadata. This usually involves sear
(Further terms in this part of the glossary: File Signature, File Slack, File system, Fileprint, Flag.)
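The entropy definition that opens this fragment (high for compressed data, low for text) is the Shannon entropy of the byte distribution, scored from 0 to 8 bits per byte. The following Python is an added example, not code from the manual or from GetData, that computes that score for a whole buffer and per block, the per-block form being what a byte-plot style view would colour. The text, compressed and pseudo-random inputs are constructed for the example; all names are the example's own.

```python
"""Shannon entropy of a byte sequence, as a score from 0 to 8 bits per byte.

Added example, not GetData's code, illustrating the definition above: text
scores low, compressed or random data scores close to 8. The sample inputs
are constructed.
"""
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """H = -sum(p_i * log2(p_i)) over the byte values present. 0.0 for a
    single repeated value, 8.0 when all 256 values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropy(data: bytes, block: int = 256) -> list:
    """Per-block scores; a run of blocks near 8.0 inside an otherwise low
    scoring file is the pattern that flags embedded compressed or encrypted
    content."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]


# Constructed samples.
SAMPLE_TEXT = (b"The quick brown fox jumps over the lazy dog while the forensic examiner "
               b"reviews each partition, folder and file for items of interest. ") * 8
SAMPLE_COMPRESSED = zlib.compress(SAMPLE_TEXT, 9)      # same information, fewer bytes
SAMPLE_RANDOM = random.Random(1).randbytes(4096)       # stand-in for encrypted data


if __name__ == "__main__":
    for label, blob in [("text", SAMPLE_TEXT),
                        ("zlib(text)", SAMPLE_COMPRESSED),
                        ("random", SAMPLE_RANDOM),
                        ("zeros", bytes(4096))]:
        print(f"{label:11} {len(blob):5d} bytes  entropy {shannon_entropy(blob):.2f}")
```

Two caveats worth keeping in mind when reading the score: a very short buffer cannot reach 8.0 whatever its content (the maximum is log2 of its length), and an entropy close to 8.0 says only that the bytes are uniformly distributed, so it does not by itself distinguish compressed from encrypted data.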
at RAID 5 (Striping with Redundancy) area. Uses Asynchronous checksum rotation. Stripe size 64.

If you do NOT know the parameters of your hardware RAID drive, Forensic Explorer will attempt to identify the way in which the RAID was configured. To do this:

1. Set the RAID type to hardware.
2. Add the drives or image files in the correct sequence or, if the correct sequence is unknown, add them in the order that is believed to be most correct.
3. Click on the Find Layout button to find a suggested configuration. A suggested configuration is indicated by a green tick next to each added drive.

Important: A suggested configuration is based on the information available from the drives. However, due to the complexity of a RAID structure, there may be more than one configuration that returns this result. A suggested configuration should be tested by adding the image to the case to determine if individual files can be accessed and previewed.

If Find Layout did not return a suggested configuration, or the suggested configuration did not result in a successful recovery:

If the Find Layout button did not return green ticks for each added drive, or the continued recovery from a suggested configuration did not work, try the following: click on the Probable Solutions tab to view suggested configurations for the RAID, then change the stripe size, RAID Options and drive sequence as suggested. Click the Test Layout button to test t
A .pas file selected in the Scripts window will display its content in the Script Editor. A script can be opened directly from the editor, or a new script created in the editor. The functions of the editor are primarily controlled by the toolbar at the top of the Script Editor window. The button functions are as follows:

- Save an existing script (a script is also saved when it is run). This button is only active when a script has been modified but not saved.
- Undo last
- Redo last
- Cut text
- Copy text
- Paste from clipboard
- Change font
- Search for text
- Replace text
- Save and Run script as a single thread
- Run a threaded script
- Break point a script
- Compile current script
- Cancel the execution of the script
- Enter script parameters, e.g. Parameter One Two Three Four

The Messages window (also referred to as the console) is used to display compiler error messages or script output. A console message is written with the Process log Text command. In the default scripts provided with Forensic Explorer, the log output is often formatted with a procedure (see below) to include a date and time reference, using the comman
Figure 66: Display view right-click menu (Add bookmark, Edit bookmark, Counter Clockwise Rotate, Clockwise Rotate, Zoom In, Zoom Out)

The following buttons are displayed for audio and video files.

8.8.1 VIDEO THUMBNAILS

When viewing a video it is possible to thumbnail the video by clicking on the thumbnail icon in the bottom right-hand corner of the display window, as shown in Figure 67 below.

Figure 67: Video Thumbnails

To jog image thumbnails, click on the jog button. To play all thumbnails, click on the play button. To play in full screen from a specific thumbnail, double-click the thumbnail.

8.9 BYTE PLOT AND CHARACTER DISTRIBUTION

The default location for the Byte Plot window is the bottom data view window, accessed via the Byte Plot tab.

Figure 68: Byte Plot tab

Byte Plot is a graphical representation o
ata UDP Network Server is deployed and run, the following screen appears:

Figure 111: GetData UDP Network Server (Server IP 192.168.1.158, Server port 9999, Server Status: Waiting, Version v1.8.42346, Ready)

The server enters waiting mode for the connection from Forensic Explorer. Note: It may be necessary to configure firewall settings on the remote computer to enable remote access to the GetData UDP Network Server.

CONNECTING TO THE GETDATA UDP NETWORK SERVER

To connect to the GetData UDP Network Server, follow Adding a Device in paragraph 10.4.1 above. In the Device Selection window, click on the Network button. The following screen appears:

Figure 112: Forensic Explorer Remote Server Connect Settings (Server IP Address 192.168.100.102, No. of 8k Pages 7, Use Compression (only for slow connections), Use Checksums, Use Encryption; the remote physical drives are listed with their Server IP Address and Port)

Enter the IP address of the remote computer as displayed in the Ser
ata view describes the different methods available in Forensic Explorer to examine evidence. For example, a single file may be examined in the Hex, Text or Display data views, with each view giving a different perspective on its content.

A deleted file is one which has been marked as deleted by the file system, usually as a result of being sent to and emptied from the Recycle Bin. A deleted file can be recovered by reading the file system record for the file, then reading and restoring the file data. As long as the data for the file is intact, i.e. the space once occupied by the file has not been used to store new data, the recovered file will be valid. In some cases the file system record itself can be overwritten and destroyed. If this is the case, the file can only be recovered by file carving (see 22.4 File carving). Because file and folder information is only stored with the file system record, a carved file does not retain its original file or folder name.

Delphi Basics: Delphi Basics is a documentation package for the Delphi programming language (see http://www.delphibasics.co.uk). Delphi Basics is installed with and licensed for use only with Forensic Explorer. Delphi Basics is provided as
ate 2 bytes Accessed Date Created Date 2 bytes Total 4 bytes Total 4 bytes Created msecs 1 byte Total 8 bytes Created msecs 1 byte Total 5 bytes Total 5 bytes Modified Record Modified Time The last date and time Modification Date & Modified Date that any field in the Time of the file record Total 8 bytes file's catalog record was the Change time changed Total 4 bytes Total 4 bytes

Appendix 5 References

[1] Gupta, Mayank R., Hoeschele, Michael D. and Rogers, Marcus K. Hidden Disk Areas: HPA and DCO. International Journal of Digital Evidence, Fall 2006, Volume 5, Issue 1.
[2] Carrier, Brian. File System Forensic Analysis. s.l.: Addison Wesley Professional, 2005.
[3] Forensics Wiki. AFF. Online. Cited Mar 29, 2011. http://www.forensicswiki.org/wiki/AFF
[4] Bunting, Steve and Wei, William. The Official EnCE: EnCase Certified Examiner Study Guide. Indianapolis, IN: Wiley Publishing Inc., 2006.
[5] United States Computer Emergency Readiness Team (US-CERT). Vulnerability Note VU#836068. Online. Cited March 5, 2011. http://www.kb.cert.org/vuls/id/836068
[6] Xiaoyun Wang, Yiqun Lisa Yin and Hongbo Yu. Collision Search Attacks on SHA1. 2005.
[7] Merritt, Rick. Chinese researchers compromise SHA-1
be managed by using the bookmark folder translations.txt file located in the install folder. Currently the translations operate on the first-level bookmark folder only.

4.4 UNINSTALL FORENSIC EXPLORER

IMPORTANT: Ensure that you have a separate and secure backup of all evidence and case files before you make installation modifications.

There are two methods to start the uninstall process:

1. Select Uninstall Forensic Explorer in the Windows Start menu (Figure 15: Uninstall from the Windows Start menu).
2. Or open the Windows Control Panel and, in the Programs section, use the Uninstall option.

Either of the above options will start the uninstall process (Figure 16: Uninstall process). A successful removal will show the following message (Figure 17: Successful uninstall).

Chapter 5 Dongle Activation

In This Chapter

5.1 Dongle activation of the purchased version ... 36
5.1.1 Successful dongle activation ... 37
5.1.2 Troubleshooting Dongle Activation
ble data from the case and expose the data as files to the index process. For this reason the forensic investigator should consider first running:

- A Recover Folders search
- A file carve for specific file types (see 23.4 File carving)
- Decompress or decrypt any compound files not supported by dtSearch

13.3 CREATING AN INDEX

To create an index:

Open a case or preview, or start a new case and add evidence.

To index checked files: Switch to the required module tab (File System, Email or Registry) and select the required files, then switch to the Index Search module. Or, to index the entire case: Go directly to the Index Search module.

In the Index Search module, click on the New Index button. The New Index window will display, as shown in Figure 135 below.

Figure 135: New Index (Searchable items: 1 items; Checked items: 0 items; Include: Unallocated space 70.3 MB, File slack 0 bytes; Total items to be indexed: 1 items, 0 bytes)

Name: The name given to the index. Each index must be given a unique name.

Items to Index: The module (e.g. File System, Email or Registry) from which the index will be generated. Each module must be indexed separately.

Searchable items (x items): This selection will index all items in the selected module.

Checked items: The items which have
ble to allocate without a check disk or equivalent. For normal, uncorrupted NTFS this would be non-existent or small. For FAT this is typically non-existent, as the FAT table is used both in cluster allocation of files and in working out the Unallocated clusters on X volume.

The very first sector on a hard drive. It contains the startup information for the computer and the partition table detailing how the computer is organized.

On an NTFS volume the MFT is a relational database that consists of rows of file records and columns of file attributes. It contains at least one entry for every file on an NTFS volume, including the MFT itself. The MFT stores the information required to retrieve files from the NTFS partition [24].

Metadata is often referred to as data about data. Windows metadata can include a file's created, last accessed and modified dates, as shown in the File List view of Forensic Explorer. File metadata includes information such as camera make and model in a JPEG, or author name in Microsoft Word. The File Metadata view in Forensic Explorer is used to show the metadata in a file. Metadata can also be extracted by a script and added to a column. See 8.11.1 for more information.

Refers to the horizontal tabs (Evidence, File System, Keyword Search, Index Search, Bookmarks, Reports, Scripts, Email and Registry) at the top of the Forensic Explorer main program window. Each module tab is used to access a particular function of
button to add evidence to the case.

c. In the Evidence Processor window, place a check in the Verify Device Hashes box. Click Start to proceed with the evidence processing.

Figure 191: Evidence Processor (Device: Lexar 7GB USB E01; Tasks: Search for FileSystems, Process in Parallel, Hash Files (MD5, SHA-1, SHA2 etc.), Signature Analysis, File Carve; Adjust Time Zone Settings: Timezone Local Time, TimeZone Name AUS Eastern Standard Time (600 mins), Daylight Savings AUS Eastern Daylight Time (660 mins), STD/DLS Bias 600/660 minutes)

2. Calculate the verification hash during a case:

a. In the File System module, run the Verify Device Hash script, accessed from the Analysis Scripts drop-down menu.

Figure 192: Running the Verify Device Hash from the File System module toolbar (menu items: Entropy Analysis, Export File Types, File Types Excel Chart, File Fragmentation Excel Chart, GPS Properties, Skin Tone Analysis, Backup Settings, Clear ALL flags, Verify Device Hash)

Or, alternately, run this script from the Scripts module. The verification hash is written to the Evidence module alongside the acquisition hash, as shown below.

Figure 193: Acquisition and Verification hashe
c image process: the acquisition of an identical copy which can be re-verified at a later date.

Fragmented File: The distribution of a file on a disk so that it is written in non-contiguous clusters.

Free Space: Free space is often used to describe unallocated clusters, the available disk storage space that is not allocated to file storage by a volume. Free space can however also refer to the unused area of a disk. Free space in Partition: Space inside the partition that is not used by a volume; this is usually a small section of space at the end of a partition. If there is no volume then this is the entire partition. Free space on Disk: Space on the disk that does not form part of any partition but is available for future allocation. Usually consists of some sectors between the MBR and the first partition, and space at the end of the disk that was not used in any partition.

Geotagging: Geotagging is the process of adding geographical identification metadata to files, usually photographs or videos. This data is usually latitude and longitude co-ordinates.

GREP: Stands for Generalized Regular Expression Parser. Originally a command-line text search utility in UNIX, it is now an acronym to describe the format of a search. It uses a concise but flexible structure to match strings of text inclu
camera photo cache and other types of personal data. Apple device analysis is well documented. Suggested reference material includes:

- iOS Forensic Analysis for iPhone, iPad and iPod Touch, Sean Morrissey, 2010, Apress
- iPhone Forensics, 1st Edition, Jonathan Zdziarski, 2008, O'Reilly Media Inc.

This section is provided only as a guide to processing iTunes Backup files with Forensic Explorer and is not a complete iOS analysis resource.

iTunes Backup UUID folders can be located in the Forensic Explorer File System module by using the Apple Backups folders filter, as shown in Figure 242 below.

Figure 242: iTunes Backups filter applied in the File System module (two backup devices shown under Users\...\AppData\Roaming\Apple Computer\MobileSync\Backup)

The first step to analyze iTunes Backups in Forensic Explorer is to identify and bookmark the UUID folders. To identify and bookmark iTunes Backup UUID fold
can be undocked and used as a standalone window. To undock a data view:

1. Click on the title bar or the data view tab.
2. Hold down the mouse and drag it away from its position, as shown in Figure 36 below.

Figure 36: Undocking a view using drag and drop (undock by dragging the title bar or the tab)

To dock a data view: A data view can only be re-docked to its parent module. For example, the File List data view can only be re-docked inside the File System module. It can however be docked to any position inside its parent module, including inside another data view.

To dock a data view:

- Click on the data view header and drag and drop the header next to the other data view tabs in the required position, or
- Drag and drop the data view over the required position arrow, as detailed in Figure 37 below.

Figure 37: Dock positioning arrows (Dock to left border, Dock to right border, Tab with parent, Dock to bottom border; use the outside position arrows to dock to the larger pane)

7.3 CUSTOMIZING LAYOUTS

The position of modules an
cated in the C:\Windows folder and/or the Windows\profiles\ user profile folder:

- system.dat and
- user.dat

Windows NT based operating systems separate system registry data into four files located in the C:\Windows\system32\config folder:

- security
- software
- SAM and
- System

User settings are stored in a separate file called ntuser.dat inside the user path.

15.2 ADDING A REGISTRY FILE TO THE REGISTRY MODULE

There are two methods to add a Windows registry file to the Forensic Explorer Registry module.

To add a stand-alone registry file to a case:

4. In the Evidence module, start a new case or preview.
5. In the Evidence module, click the Add File button.
6. Select the registry file to add. Click Open. The registry file will then be added to the case. Forensic Explorer will detect that it is a registry file and add the content to the Registry module.

To add a registry file from within an existing case to the Registry module:

3. Locate the relevant registry file in the File System module (use the locations described in 15.1.1 Windows location of registry files above).
4. Right-click on the registry file and select Send to Registry Module in the drop-down menu. The content of the registry file will then be populated in the Registry module. Registry files will be grouped by the ori
ces or active files, accepted forensic procedure dictates the use of a write block. Refer to Appendix 2 Write Blocking for more information.

To add a device:

1. Create a preview (see 10.1), a new case (see 10.2) or open an existing case (see 10.3).
2. In the Evidence module click the Add Device button. If Add Device is inactive, click on the case name in the evidence window to activate the buttons. This will open the Device Selection window shown in Figure 110 below.

Figure 110: Device Selection window (columns: Label, Size, FS, Type; the example lists physical SATA drives with their NTFS volumes, a network device and a WIBU CodeMeter USB stick with its FAT32 volume)

The Device Selection window includes the following information:

Label: Physical drives are listed with their Windows device number. Logical drives display the drive label; if no label is present then no label is used.

Size: The size column contains the size of the physical or logical device. Note
ch plating (see page 74). When a folder is highlighted in the Registry Tree, the contents of that folder are displayed in the Registry List, as shown in Figure 147 below.

Figure 147: Registry List view (columns: Filename, Type, Data, Timestamp; example entries from NTUSER.DAT\Software\TechSmith, including REG_DWORD, REG_NONE and REG_BINARY values)

The following default columns are displayed in Registry List view:

Filename: Gives the name of the registry item.

Type: Describes the type of data held. See List of standard registry value types [13] for more information.

Data: The value stored.

Timestamp: The date attributed to the registry folder.

Physical Size: The physical storage size of the entry.

The Registry List view makes the standard analysis tools available from the right-click menu. This includes Bookmarks (see Chapter 14 Bookmarks) and sort and filter (see Chapter 9 Working with data).

Hex and Text data views are provided in the Registry module to give access to the raw data of the registry entry. The Filesystem Records view decodes the entry and maps the decoded pa
ching for a known header and footer of a specific file type. Forensic Explorer has built-in code to data carve for more than 300 file types.

File Signature: The header component of a file which has unique identifiers that assign it to a type, e.g. a JPEG. Most common file types have a signature set by the International Organization for Standardization (ISO). Identifying a file by its signature is a more accurate method of assessment than using the file extension, which can easily be altered.

File Slack: The unused space in the last cluster of a file where the logical size of the file does not fill the complete cluster. The file slack can contain fragments of old data previously stored in that cluster.

File system: The organization of files into a structure accessible by the operating system. The most common types of file systems used by Windows are FAT and NTFS. Others include EXT (Linux) and HFS (Mac).

Fileprint: A byte-level graphical representation of a file's content that may serve as a distinct representation of all members of a single type of file [9]. See Byte Plot and Character Distribution, page 91.

Flag: In Forensic Explorer a flag is used to mark a file as relevant. It is a colored box flag that is applied to a List view when the Flag column is displayed.
cking the CodeMeter icon in the Windows task tray.

b. Select Processes > Stop CodeMeter Service.
c. Then Start CodeMeter Service.

The Wibu CodeMeter Network Server can also be configured using the following registry setting:

HKEY_LOCAL_MACHINE\SOFTWARE\WIBU-SYSTEMS\CodeMeter\Server\CurrentVersion, IsNetworkServer = 1

On the client computer:

7. Install Forensic Explorer (full dongle version). Close Forensic Explorer.
8. Browse to http://localhost:22350/Configuration.html

Figure 25: Wibu CodeMeter Local Host Configuration (CodeMeter WebAdmin, Configuration > Network: Server Search List 192.168.100.10, UDP Waiting Time 1000 ms; changes only take effect after restarting CodeMeter)

9. Click the add button, add the IP address of the Network Server and press Apply.
10. Start Forensic Explorer. It should detect the remote dongle license and activate.

The client computer can also be configured using the following registry key setting:

HKEY_LOCAL_MACHINE\SOFTWARE\WIBU-SYSTEMS\CodeMeter\Server\CurrentVersion\ServerSearchList\Server1, Address = 192.168.100.10
contents of the report in the preview window (see O below). Note that it is possible to have more than one report open and visible in the Report tree.

B. Report Section: A report section is used to compartmentalize the content of the report. Click on a section to display its contents in the preview window (see O below). By using multiple sections, additional control can be gained over how the final report is displayed (see Enabled checkbox below).

A group of sections: A group is used to arrange like sections. Grouping also gives additional control over how the final report will be displayed. Click on the group to display the entire group content in the preview window (see O below).

Enabled checkbox: The enabled checkbox determines if the section or group will appear in a preview, print or export. The Reports tree for the Triage report is shown in Figure 161 below.

To rename a report, group or section: Using the mouse, click then hover on the name. Then type the new name in the edit window.

To move a group or section: Click on the group or section with the mouse and drag and drop it to the desired location. All rename or move options are automatically saved to the case.

To print a report: Click on the report name or a section in the report and click the print button. The
corresponding repair file in case of corruption. Be sure to examine the active registry files. To examine a registry file in Forensic Explorer, the file must first be added to the Registry module.

To add a stand-alone registry file:

1. In the Evidence module, commence a case or a preview.
2. Click on the Add File button and select the file. Forensic Explorer identifies a registry file by its file signature. The Evidence Options window displays with the option to add the hive to the Registry module. Click OK to proceed.

To add a registry file from within an existing case or preview:

1. Locate the registry file in the file list view of the File System module.
2. Right-click on the registry file and select the Send to Module > Registry option from the drop-down menu.

REGISTRY CURRENT CONTROL SET

In order to locate relevant date and time information in the registry, it is first necessary to determine the current control set. This identifies the last system configuration booted by the computer. CurrentControlSet is identified using the registry file:

- C:\Windows\System32\config\SYSTEM

and the registry key:

- Select\Current

The key Current is a pointer to the current control set. A DWORD hex value of 01 00 00 00 identifies the current control set to be:

- ControlSet001

Note: A typical Windows insta
covery are:

1. A known password may be of evidentiary value to a case. For example, a unique password may tie an individual to a computer.
2. A known password may assist in other avenues of investigation. For example, the password may be used in the decryption of user files.

The disadvantages of password recovery are:

1. Password recovery requires the use of third-party software.
2. Password recovery can be resource and time intensive.
3. Strong passwords may not be recovered.

OPHCRACK

Ophcrack is a free, open-source program that recovers Windows passwords by processing LM hashes through rainbow tables (see http://en.wikipedia.org/wiki/Ophcrack). Ophcrack can be used to recover passwords from Win XP, Vista, Win7 and Win8 operating systems. Ophcrack ISO image files are available for download from http://ophcrack.sourceforge.net/download.php. These include:

- ophcrack-xp-livecd-3.6.0.iso for LM hashes of Windows XP and earlier
- ophcrack-vista-livecd-3.6.0.iso for NT hashes of Windows Vista and 7

To recover a password with Ophcrack:

a. Follow the instructions provided in O above to mount the image file and run Live Boot.
b. In the Boot Options tab, check Boot to ISO and select the relevant Ophcrack ISO image, as shown in Figure 238 below.

Figure 238: Live Boot ISO (Live Boot Options: Name Live Boot; Boot Options: Set
ctor-level keyword searches, indexing etc., it is recommended that image files be located on a high-speed device such as a local hard drive (minimum USB2 speed).

3. Click OK to add the forensic image. The Evidence Processing Options window will open. See section 10.5 below.

To add a registry file to a new case:

1. Create a preview (see 10.1), a new case (see 10.2) or open an existing case (see 10.3).
2. In the Evidence module, click the Add File button. If the Add File button is inactive, click on the case name in the evidence window to activate the buttons. This will open the add file window.
3. Select the registry file and click OK. The Evidence Processing Options window will open. See section 10.5 below.

Note: A registry file can also be added from the File System module. Locate the registry file, right-click and select Send to > Registry from the drop-down menu. See 15.2 for more information.

To add a file to a case:

1. Create a preview (see 10.1), a new case (see 10.2) or open an existing case (see 10.3).
2. In the Evidence module, click the Add File button. If the Add File button is inactive, click on the case name in the evidence window to activate the buttons.
3. Click OK to add the file. The Evidence Processing Options window will open. See section 10.5 below. The file will be added
cure getdata com key key activation wibu offline php and enter the required details.

Figure 6: Offline activation (evaluation version), upload of license file and activation details (GetData Product Manual Activation form: purchase email address, License Key from the purchase confirmation email, and the Activation Request File GetData GDAct Request to upload)

Click the Upload button to send the details to the activation server. The details are validated by the activation server and the file GetData GDActResponse is returned to you.

Figure 7: Offline activation (evaluation version), download of license file (GetData Product Manual Activation: "Your activation response file will begin to automatically download shortly. Click here to begin the download manually.")

Save GetData GDActRespons
d, Chris and Foster, Pete. 1 February 2004. Digital Investigation, Vol. 1, pp. 18-23.
[27] Jones, Keith J., Bejtlich, Richard and Rose, Curtis W. Real Digital Forensics: Computer Security and Incident Response. s.l.: Addison Wesley, 2006.
[28] Mederios, Jason. NTFS Forensics: A Programmer's View of Raw Filesystem Data Extraction. s.l.: Grayscale Research, 2008.
[29] Russon, Richard. Linux NTFS Project: NTFS Documentation. Sourceforge.net. Online, 1996-2004. Cited March 16, 2011. http://sourceforge.net/projects/linux-ntfs/files/NTFS%20Documentation
[30] MBR is damaged. www.NTFS.com. Online. http://www.ntfs.com/mbr-damaged.htm
[31] Microsoft. Microsoft Extensible Firmware Initiative FAT32 File System Specification: FAT: General Overview of On-Disk Format. s.l.: Microsoft, 2000.
[32] Stoffregen, Paul. Understanding FAT32 Filesystems. PJRC. Online, Feb 24, 2005. Cited March 18, 2011. http://www.pjrc.com/tech/8051/ide/fat32.html
[33] Microsoft. Detailed Explanation of FAT Boot Sector. support.microsoft.com. Online. Article ID 140418, Last Review December 6, 2003, Revision 3.0. http://support.microsoft.com/kb/140418
[34] Windows and GPT FAQ. Microsoft Developer Network (MSDN). Online, July 2008. http://msdn.microsoft.com/en-us/windows/hardware/gg463525.aspx
[35] Basic Storage Versus
...d ConsoleLog Text (see Appendix 7, Sample Script, for an example). If a script is run in the Scripts module, the output will appear in the Messages window. However, if a script is executed in another module (run from a toolbar button or a link), the output is written to the log file for that module. Access the log for a module via the Processes log (see 7.4 Task Processes List for more information).

Chapter 18: Scripts Module

18.2 MANAGING SCRIPTS IN THE SCRIPTS WINDOW

To open a script: double click on the script name in the Scripts window. This will display the script in its own tab in the Script Editor window.

To create a script:
1. Right click in the Scripts window and select File > New Script.
2. Enter the name of the new script in the popup New Script window.
3. The script will then appear in alphabetical order in the Scripts window. Double click to display the content of the new script in a tab in the Script Editor.

To copy a script:
1. Right click on the script in the Scripts window.
2. Select File > Copy from the drop down menu. The highlighted script will be copied. A new script of the same name will appear in the Scripts window with the added file name text "0001.pas". Then use the rename function to rename this file.

To rename a script:
1. Highlight the script in the Scripts window.
2. Right click and select File > R
...d data views can be saved to a file at any time. This allows the investigator to customize a module for different types of investigations. For example, the module layout for an investigation involving graphics may be different to a fraud investigation involving documents.

To save a custom layout:
1. In the top right hand corner of any data view, click on the options drop down arrow and select Save Layout.
Figure 38: Layout menu (Rename, Active connection, Lock Layout, Default Layout, Load Layout, Save Layout).
2. Enter the name of the .xml layout file and click the Save button.

To load a custom layout:
1. In the top right hand corner of any data view, click on the options drop down arrow and select Load Layout, as shown in Figure 38 above.
2. Select the desired .xml layout file and click the Open button.

To return to the default layout:
1. In the top right hand corner of any data view, click on the options drop down and select Default Layout, as shown in Figure 38 above.

Chapter 7: Forensic Explorer Interface

7.4 TASK PROCESSES LIST

In a Forensic Explorer case, numerous processing tasks will be performed on the evidence. These include:
- administrative tasks, such as creating and saving case files;
- processing tasks, such as reading and displaying a file system; and
- investigation tasks, such as signature analysis
...d to the content of the file. In more recent operating systems RAM slack is filled with zeroes.

Record View: displays information directly from the FAT or MFT record. It provides more complete details for a file than the limited information displayed in File List view.

Recover My Files: data recovery software authored and sold by GetData at www.recovermyfiles.com.

Regular Expression (RegEx): a regular expression provides a concise and flexible means to match (specify and recognize) strings of text, such as particular characters, words, or patterns of characters. The concept of regular expressions was first popularized by utilities provided by Unix distributions, in particular the editor ed and the filter grep (http://en.wikipedia.org/wiki/Regex).

Registry: the Windows Registry is a hierarchical database that stores configuration settings and options for the Microsoft Windows operating systems. For the computer forensics examiner it can be a wealth of information on all aspects of the computer and its use, including hardware, applications and user configuration.

Ribbon: the ribbon refers to the Forensic Explorer toolbar at the top of each module. The contents of the toolbar are controlled by scripts.

A directory is a container used to organize folders and files into a

(Appendix 6, Definitions, continues with the terms Script, Sector, SFN (see also LFN), Signature Analysis, Shadow Copy, Skin Tone Analysis, Slack and Steganography; their definitions are not on this page.)
...d together. The Bookmarks module is divided into three areas:
1. Bookmarks tree
2. Bookmark List
3. Bookmark data views
which are described in more detail below.

The Bookmark tree displays bookmark folders used by the investigator to group together bookmarked files of a similar nature. An example is shown in Figure 152 below.

Figure 152: Bookmark folder tree (columns: Bookmark Name, Investigator Name; example folders under Test Case 3: My Bookmarks, Evidence, Files, Documents, Pictures (containing "Important Pictures"), Email, Internet and Registry, each attributed to investigator Graham Henley).

MANAGE BOOKMARK FOLDERS

To add a bookmark folder: right click and select Add Folder from the drop down menu.

Chapter 16: Bookmarks Module

To delete a bookmark folder and its contents: right click and select Delete folder from the drop down menu.

Figure 153: Manage Bookmark folders menu (Add Folder, Edit folder comment, Delete folder, Refresh, Contract all, Expand all).

To move a bookmark folder: drag and drop an existing folder to its required location.

The Bookmarks List is a list view of the bookmarked items (files or data). Bookmarked files are identified by a bookmark icon
...dence (Evidence module tree with Add Device, Add Image, Add File and Remove buttons; the example case "Test Case 3" contains Device HD4, File SYSTEM from GDH Desktop, and Library).

To add an additional device, image or file:
1. Click on the case name (e.g. "Case: Test Case 3" above) to activate the add buttons.
2. Repeat the process described above.

Chapter 10: Evidence Module

10.7 SAVING A CASE

To save a preview, or save changes to an open case, click the Save button in the Evidence module.

Figure 118: Evidence module Save button.

Or, in the Forensic Explorer drop down menu, select Save Case.

Figure 119: Save Case (Forensic Explorer drop down menu: Save Case, Investigators, Options, Icon Editors, About, Help).

A case should be saved frequently to ensure that any changes since the last save are not lost.

Each preview is assigned a unique working folder named with a Globally Unique Identifier (GUID) in the following path: C:\Users\Graham\Documents\Forensic Explorer\Previews\{GUID}, e.g. 8709A41C-38B6-4F9E-BA18-633B394721C5.

When the investigator has finished the preview, analysis conducted during the preview may be:
1. Saved as a new case (see saving a case below). When a preview is saved, the contents of the GUID working folder are transferred into the new case folder and the GUID folder is destroyed.
2. Closed and not saved (see closing a cas
...dified and Accessed (MAC) date/time stamps in UNIX time format (UTC) [17][18][19]. Selecting this option makes this MAC data available in columns. Note: independent date/time testing is recommended to determine how MAC dates are affected on the examined device.

To add column data to list views:
1. Right click in a Forensic Explorer List view.
2. Select Columns > Edit Columns.
3. Add the following columns to the view:
- iTunes Backup Domain
- iTunes Backup Name
- iTunes Backup Accessed (UTC)
- iTunes Backup Created (UTC)
- iTunes Backup Modified (UTC)

Chapter 28: Working with ...

An example of Domain and Name columns is shown in Figure 244 below.

Figure 244: File list of an iTunes backup with Backup Domain and Backup Name columns added (File List view; example rows have Apple Backup Domain "CameraRollDomain" and Apple Backup Names such as Media/DCIM/100APPLE/IMG_0146.JPG, IMG_0147.MOV, IMG_0148.MOV and IMG_0149.PNG, while the Filename column holds the hashed backup file names).
...ding characters, words, or patterns of characters. Forensic Explorer utilizes PCRE (Perl Compatible Regular Expressions) for keyword searching, of which GREP is a subset.

Hard link: a hard link is the file system representation of a file by which more than one path references a single file in the same volume (Microsoft) [22].

Hash: a hash is a mathematical calculation that generates a fixed-length value for specific data. The chance of two files that contain different data having the same hash value by accident is exceedingly small (MD5, however, is now considered cryptographically broken; see Chapter 6, Forensic Acquisition). The most common hash algorithms in use are MD5, SHA1 and SHA256.

Hash Set: a hash set is a store of hash values, usually created by the MD5 algorithm, for a specific group of files. The hash values are a digital fingerprint which can then be used to identify a file and either include or exclude the file from a data set. Hash sets are often grouped in the forensic community into two groups: Good hash sets (operating system files, program installation files, etc.) and Bad hash sets (virus files, malware, Trojans, child pornography, steganography tools, hacking tools, etc.). Hash sets can be created in Forensic Explorer or downloaded from a trusted source.

Hexadecimal: hexadecimal is a base 16 numbering system. It uses the sixteen digits 0-9 followed by the letters A-F. In computing a single hexadecimal digit represents the content of 4 bits, so a byte is usually expressed as a pair of hexadecimal digits, such as 4B.
...e below). When the case is closed and not saved, or when Forensic Explorer is opened or closed, the preview GUID folder is destroyed.

10.8 CLOSING A CASE

To close a preview or a case, use the Close button in the Evidence module.

Figure 120: Evidence module Close button.

Case changes are NOT saved on close. If there are unsaved changes, the following confirmation message box will appear:

Figure 121: Close confirmation message (OK / Cancel).

Click OK to close without saving. To save changes, click the Cancel button, return to the Evidence module and use the Save button.

Chapter 11: File System Module

In This Chapter: 11.1 File System module; 11.3 Folders view; 11.3.1 Folders icons; 11.3.2 Orphans; 11.4 Categories view; 11.5.2 File List Metadata Columns.

11.1 FILE SYSTEM MODULE

The File System mod
...e and take it back to the offline computer on which you will be activating the software. Once the GetData.GDActResponse file is back on the offline computer, click the Import button to import the file into the software. The software is now activated.

Figure 8: Successful software key activation of the 30 day evaluation version (dialog titled "ZipRepair Pro Product Activation: Activation Succeeded. Thank you for activating your software.").

Chapter 3: Purchase

In This Chapter: 3.1 Purchase; 3.2.1 Purchase License Maintenance.

3.1 PURCHASE

Forensic Explorer is dongle activated only. A dongle is provided for each license purchased. Forensic Explorer is available for purchase online, via purchase order, or via forensic software resellers. Forensic Explorer can be purchased online at http://www.forensicexplorer.com by following the purchase links. Please see t
(Evidence Processing task tree, which includes the Carve and Cache Thumbnails tasks.)

The Tasks window enables the investigator to configure specific tasks, such as hashing, signature analysis and file carving, that will automatically take place when evidence is added. Whilst it is possible to perform these functions independently at a later time, the processing window enables the investigator to batch these tasks at the start of the case.

Chapter 10: Evidence Module

The task window uses the following icons:
- Parent/Child: indicates a parent/child relationship between tasks. A parent task must be completed before a child task can commence.
- Process in Parallel: identifies that the tasks listed in the immediate sub folder will process concurrently in separate threads.
- A task: indicates a task that can be enabled or disabled.
- Task options: identifies that settings for the task must be configured if it is enabled.

DEFAULT TASKS

The default setting in the Evidence Processing window when adding a device or an image file is to read and display existing file systems:

Search for Known MBRs: a Master Boot Record (MBR) is the very first sector on a hard drive. It contains the startup code for the computer and the partition table detailing how the drive is partitioned.

Search for File Systems: once an MBR is id
...e System module List view.
5. Compare the L01 Hash and MD5 Hash results. The acquisition hash and the recalculated hash should be identical.

The export delimited rows function is used to copy list view data into a format suitable for import into a spreadsheet or similar program.

To export delimited rows:
1. Highlight or check the required files.
2. Right click and select Export > Delimited rows (.csv or .tab) from the drop down menu. The following window will appear:

Figure 86: Export delimited rows (Export Column Data window: Source is Highlighted Items (3 rows) or Checked Items (0 rows); Destination is Tab delimited or Comma delimited; Destination File).

Select the source and whether the file is to be TAB or comma delimited. Enter the name of the destination file and click OK to proceed with the export. Only currently visible columns will be exported.

Chapter 9: Working with data

9.7 SEND TO MODULE

Send to Module is a method of passing specific files from one module to another. For example, a Windows registry file can be highlighted in the list view of the File System module and passed to the Registry module for processing (see 15.2 for more information).

9.8 COLUMNS

To add columns to, or remove columns from, a list view:
1. Right click on the List view and select Columns > Edit Columns from the drop down menu. The
...e data: view and analyze registry files.

Chapter 7: Forensic Explorer Interface

Custom Modules: it is possible to create a custom module. See 18.6 Custom Modules for more information.

Hide Modules at Startup: it is possible to hide specific modules at program startup. This can be useful when you are providing Forensic Explorer to a non technical investigator and wish only to show certain modules, such as Index Search and Bookmarks. See 18.4 for more information.

Forensic Explorer has been designed for use on forensic workstations with multiple monitors. Module tabs can be undocked from the main program window and moved across multiple screens.

To undock a module:
1. Select the module tab with the mouse.
2. Hold down the mouse and drag the module tab free of the bar, as shown in Figure 33 below.

Figure 33: Un-docking a module (click and drag the tab, e.g. Case Notes, to undock the module).

To dock a module:
1. Select the top bar of the module window.
2. Drag and drop the module back into the module tab menu bar, as shown in Figure 34 below.

Figure 34: Re-dock a module t
...e hash value.

Chapter 6: Forensic Acquisition

Calculation of hash values during the acquisition process requires CPU time and will increase the duration of an acquisition. However, in line with accepted best forensic practice, it is recommended that an acquisition hash is always included when acquiring data of potential evidentiary value. It is also recommended that the investigator regularly recalculate the verification hash during the investigation to confirm the authenticity of the image.

Forensic Imager has three independent hash calculation options: MD5, SHA1 and SHA256. The investigator should select the hash option(s) which best suit the investigation.

MD5: Message Digest algorithm 5 (MD5) is a widely used cryptographic hash function designed in 1991 by Ron Rivest (the R of RSA, with Adi Shamir and Leonard Adleman). It produces a 128 bit hash value that identifies a file or stream of data. It has been extensively used in computer forensics since the late 1990s. In 1996 cryptanalytic research identified a weakness in the MD5 algorithm. In 2008 the United States Computer Emergency Readiness Team (US-CERT) released Vulnerability Note VU#836068 stating that the MD5 hash "should be considered cryptographically broken and unsuitable for further use" [5].

SHA1: in 1995 the Federal Information Processing Standards published the SHA1 hash specification, which was adopted in favor of MD5 b
...e window.
2. In the VMware window, select the required VMware session, right click and select Settings. The Virtual Machine Settings window will open.
3. Click Add to add a virtual device and select CD/DVD Drive from the Hardware Type menu.

Figure 237: Virtual Machine Settings (Add Hardware Wizard; hardware types include Hard Disk, CD/DVD Drive, Floppy Drive, Network Adapter, USB Controller, Sound Card, Parallel Port, Serial Port, Printer and Generic SCSI Device; the example VM shows 1 processor, a 74.5 GB SCSI hard disk, a USB controller, and sound card and display set to auto detect).

4. Restart the virtual machine and click on the Install button to install VMware Tools.

Chapter 27: Live Boot

27.6 LIVE BOOT AND WINDOWS USER PASSWORDS

In many cases, when Windows starts in Live Boot, access to the virtual computer will be blocked by the Windows user account login screen. If passwords for the user accounts are unknown there are two options:
1. Password recovery; or
2. Password bypass.
Both are described in more detail below. The advantages of password re
Chapter 13: Index Search Module

In This Chapter: 13.1 Index Search; 13.1.2 Index database; 13.1.3 Noise words; 13.2 Considerations prior to creating an index; 13.4.1 Select the search features to use in your search; 13.4.2 Boolean search; 13.4.4 Wildcards; 13.6 Index Search Compound Files.

13.1 INDEX SEARCH

The Index Search module is accessed via the Index Search tab.

Figure 134: Index Search module tab.

An Index Search creates, then uses, a database that stores the location of words in the evidence. Forensic Explorer uses inbuilt dtSearch technology for this purpose (for more information see http://dtsearch.com). Once an index is built for a group of files, very fast keyword searches can be performed on those files. For a list of the file formats supported by dtSearch, see "What file formats d
...ed.

Chapter 29: Legal

THE GOODS, ACQUIRING EQUIVALENT GOODS OR HAVING THE GOODS REPAIRED; AND (ii) IN THE CASE OF SERVICES, THE SUPPLYING OF THE SERVICES AGAIN OR THE PAYMENT OF THE COST OF HAVING THE SERVICES SUPPLIED AGAIN.

This agreement cannot be changed or altered except by a written document signed by you and GetData. This agreement is governed by the laws in force in New South Wales, Australia. Each party irrevocably and unconditionally submits to the non-exclusive jurisdiction of the courts of New South Wales, Australia.

29.4 DISCLAIMER

The software available for downloading through Internet sites and published by GetData Forensics Pty Ltd ("GetData") is provided pursuant to this license agreement. GetData encourages you to know the possible risks involved in the download and use of the Software from the Internet. You are solely responsible for protecting yourself, your data, your systems and your hardware used in connection with this software. GetData will not be liable for any damages suffered from the use of the Software.

BY USING THIS SOFTWARE YOU EXPRESSLY AGREE THAT ALL RISKS ASSOCIATED WITH THE PERFORMANCE AND QUALITY OF THE SOFTWARE IS ASSUMED SOLELY BY YOU. GETDATA SHALL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF OR INABILITY TO USE THE SOFTWARE, EVEN IF GETDATA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE SOFTWARE IS MADE
...ed data. Forensic Explorer currently supports the expansion of the following compound files:
- ZIP. Note: decompressed ZIP files are read into RAM; a size limit of 100 MB is set, and files over 100 MB will not be decompressed.
- OLE (DOC, XLS, PPT, ODT).

To expand a compound file:
1. Highlight the file in the list view.
2. Right click and select Expand Compound File from the drop down menu. The file changes to a container which holds the expanded content, similar to a folder. For example, HLA IT University\HI RES Photos\EXTERIORS.ZIP is the original file, and the same entry, now shown with a container icon, is the container for the expanded content.

To expand all compound files in a case:
1. In the File System module, click on the Analysis Scripts drop down button in the toolbar and run the Expand Compound Files script.

To display only expanded files in the File System module:
1. In the File System module Folders Filter, select Expand Compound Files to show only these files.

9.6 EXPORT

The export Folders and Files function is used to copy files from the case to the local disk.

Chapter 9: Working with data

To export folders and files:
1. Highlight or check the required items.
2. Right click and select Export > Folders and files from the drop down menu.
3. The following Export Files window will then open:

Figure 8
...ed time, time remaining and transfer speed are displayed. The progress window is shown in Figure 32 below.

Figure 32: Forensic Imager progress screen. (Details: Source \\.\PHYSICALDRIVE2; Destination C:\Users\Graham\Desktop\Case 4285\Case 4285 HD1.E01. Progress: Elapsed Time 00:00:21; Time Remaining 00:03:49; Transfer Speed 8.324 MB/sec. The Event Log pane reads:
Created with GetData Forensic Imager BETA VERSION v4.0.0.113
Processing drive \\.\PHYSICALDRIVE2
Image File Name: C:\Users\Graham\Desktop\Case 4285\Case 4285 HD1.E01
Image File Type: Encase v6 10 Compression Image Type Good
Case Name: Case 4285 HD1
Evidence Number: 4285 HD1
Unique Description: 4285 HD1
Examiner: Graham Henley
Notes: Image of a 2GB USB stick, Serial Number 8380987 7u390wd
Image started at: 2/05/2011 10:01:46 PM)

The event log provides feedback to the investigator during the imaging process. The event log for each acquisition is automatically saved to the same folder as the image file(s). A typical event log contains the following type of information:
Created with GetData Forensic Imager v4.0.0.124
Processing drive \\.\PHYSICALDRIVE1
Image File Name: C:\Users\Graham\Desktop\My Acquisition Folder\Case 4285 USB1.E01

Chapter 6: Forensic Acquisit
...eference Library\References.txt. Access this folder and file using the Open Reference Library Folder menu option.

References.txt is in BibTeX format. BibTeX is a common citation format used by many popular citation programs and websites, including sites such as Google Books. A BibTeX record has the following format, where "@" indicates the start of the reference and the closing "}" indicates the end of the reference:

@book{carrier2005file,
  title = {File System Forensic Analysis},
  author = {Carrier, B.},
  isbn = {9780321268174},
  url = {https://books.google.com.au/books?id=I4gpgAQAAMAAJ},
  year = {2005},
  publisher = {Addison Wesley},
  pages = {121}
}

Additional information about the BibTeX structure can be found at:
- http://en.wikipedia.org/wiki/BibTeX or
- https://www.cs.arizona.edu/~collberg/Teaching/07.231/BibTeX/bibtex.html

There are a number of ways to manage the items listed in the Reference Library menu.

Chapter 7: Forensic Explorer Interface

1. ADD REFERENCE VIA THE DROP DOWN MENU OPTION

The Reference Library > Add Reference menu option (shown in Figure 45 above) opens the Add a Reference window. The window is completed with the information known about the reference source, Title being the only required field.

Figure 46: Adding a Reference item (Add a Reference window with fields including Author, URL, File, Pages, Publisher ...).
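The record format above is simple enough to parse without a BibTeX library, which is useful when checking a References.txt that has been edited by hand. The following Python is an added example, not part of the manual or of Forensic Explorer; the sample text is constructed from the record shown above plus a deliberately incomplete second record, and the "Title is required" rule it enforces is the one stated for the Add a Reference window.

```python
import re

# Constructed sample References.txt content: the manual's carrier2005file
# record plus a second record that is missing the required Title field.
SAMPLE_REFERENCES_TXT = """
@book{carrier2005file,
  title     = {File System Forensic Analysis},
  author    = {Carrier, B.},
  isbn      = {9780321268174},
  url       = {https://books.google.com.au/books?id=I4gpgAQAAMAAJ},
  year      = 2005,
  publisher = {Addison Wesley},
  pages     = {121}
}

@article{missingtitle,
  author = "Anon",
  year = "2004"
}
"""

_HEADER = re.compile(r"@(\w+)\s*\{\s*([^,\s]+)\s*,")   # @type{key,
_BARE = re.compile(r"[^,}]*")                           # unquoted value, e.g. year = 2005


def _read_braced(text, pos):
    """Return (value, new_pos) for a {...} value; braces may nest."""
    depth = 0
    for i in range(pos, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[pos + 1:i], i + 1
    raise ValueError("unbalanced braces in BibTeX value")


def parse_bibtex(text):
    """Parse BibTeX records into dicts of {'type', 'key', field: value, ...}."""
    records, pos = [], 0
    while (m := _HEADER.search(text, pos)):
        entry = {"type": m.group(1).lower(), "key": m.group(2)}
        pos = m.end()
        while True:
            while pos < len(text) and text[pos] in " \t\r\n,":
                pos += 1
            if pos >= len(text):
                raise ValueError(f"unterminated record {entry['key']}")
            if text[pos] == "}":          # closing brace ends the record
                pos += 1
                break
            eq = text.find("=", pos)
            if eq < 0:
                raise ValueError(f"field without '=' in record {entry['key']}")
            name = text[pos:eq].strip().lower()
            pos = eq + 1
            while pos < len(text) and text[pos] in " \t\r\n":
                pos += 1
            if pos >= len(text):
                raise ValueError(f"missing value for {name} in {entry['key']}")
            if text[pos] == "{":
                value, pos = _read_braced(text, pos)
            elif text[pos] == '"':
                end = text.index('"', pos + 1)
                value, pos = text[pos + 1:end], end + 1
            else:
                bm = _BARE.match(text, pos)
                value, pos = bm.group(0), bm.end()
            entry[name] = " ".join(value.split())   # collapse wrapped lines
        records.append(entry)
    return records


def validate_reference(entry):
    """Title is the only required field (as in the Add a Reference window)."""
    return [f"missing required field: {f}" for f in ("title",) if not entry.get(f)]


def format_citation(entry):
    """Render a record as 'Author (year). Title. Publisher.'"""
    head = entry.get("author", "Unknown author")
    if "year" in entry:
        head += f" ({entry['year']})"
    parts = [head, entry["title"]]
    if "publisher" in entry:
        parts.append(entry["publisher"])
    return ". ".join(parts) + "."
```

Running parse_bibtex over SAMPLE_REFERENCES_TXT yields two records; validate_reference flags the second one so a bad record can be fixed before it reaches the Reference Library menu.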
...elow.

Figure 92: Right click Flags menu option (Columns, Sorting, Flags: Red Flag, Blue Flag, Gold Flag, Orange Flag, Green Flag, Pink Flag, Aqua Flag, Brown Flag, Clear All Flags).

Chapter 9: Working with data

To apply flags simultaneously to multiple items:
1. In the list view, highlight multiple items by holding down the SHIFT or CTRL key and selecting the required items with the mouse.
2. Right click and use the Flags menu option.
3. Select the required flags.

To clear flags:
1. Double click on the flag; or
2. Highlight the required items, right click and use the Flags > Clear Flags menu option; or
3. Run one of the default scripts provided with Forensic Explorer, Scripts\File System\Clear All Flags.pas, which will programmatically remove all flags.

Scripting Flags: flags can also be applied by running Forensic Explorer scripts. See Chapter 18, Scripts Module, for more information.

9.11 FILTERING DATA

The Date Range filter tool is applied to the items displayed in a list view and allows filtering by Created, Modified and Accessed dates.

To access the Date Range filter tool:
1. Right click on the File list view column headings.
2. From the drop down menu select Date Filter Tool. The Date Range filter tool then appears above the List view column headings, as shown in Figure 93 below.
...ems (0 bytes). Compare Using: MD5 Hash, SHA1 Hash or SHA256 Hash. Select Hash Sets Location: D:\Graham\Documents\Forensic Explorer\HashSets (Refresh). Hash set list columns: Filename, Hash Set Name, Identified As, MD5, SHA1, SHA2 (example row: Kategorie Pornografie_5.Hash, Kategorie Pornografie_5.Hash, Known, MD5 = Y). Further options: Clear any existing hash matches; Download hash sets (forensicexplorer.com/hashsets).

4. Select the hash set to use by placing a tick in its box.
- File Name: the name of the hash file.
- Hash Set Name: the name given to the hash set, read from the header of the file. If the Hash Set Name is blank, the File Name is used.
- Identified As: describes the classification given to the hash set when it was created.
- Hash Type: the types of hashes contained in the file are marked in the remaining columns using "Y".

5. Clear any existing hash matches:
a. When "Clear any existing hash matches" is checked, existing hash values in the Hash Set and Hash Set Identified As columns will be cleared before the new values are written into the columns.
b. When "Clear any existing hash matches" is not checked, the new values of the hash comparison will populate the Hash Set

Chapter 21: Hash Sets

and Hash Set Identified As columns. They will overwrite any existing values. However, existing values in those columns which are not
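The difference between the two "Clear any existing hash matches" settings is easy to get wrong on a case that has already been matched against an older set, so here is the comparison step in Python as an added example. It is not GetData's code; the hash set file format is not described on this page, so the sets, their names, the file names and the list-view row fields are all constructed for the demonstration (the MD5 values are simply the digests of short strings, not of real files).

```python
# Constructed hash sets. In Forensic Explorer the name and "Identified As"
# classification come from the header of the .Hash file; here they are literals.
KNOWN_GOOD = {
    "name": "Windows System Files",            # assumed set name
    "identified_as": "Known",
    "hashes": {"md5": {"5d41402abc4b2a76b9719d911017c592"}},   # md5("hello")
}
NOTABLE = {
    "name": "Hacking Tools",                   # assumed set name
    "identified_as": "Notable",
    "hashes": {"md5": {"098f6bcd4621d373cade4e832627b4f6"}},   # md5("test")
}


def sample_rows():
    """Constructed list-view rows: Filename, MD5 column, Hash Set columns."""
    return [
        {"filename": "kernel32.dll", "md5": "5d41402abc4b2a76b9719d911017c592",
         "hash_set": "", "identified_as": ""},
        {"filename": "nc.exe", "md5": "098F6BCD4621D373CADE4E832627B4F6",  # upper case on purpose
         "hash_set": "", "identified_as": ""},
        {"filename": "notes.txt", "md5": "d41d8cd98f00b204e9800998ecf8427e",
         "hash_set": "Old Set", "identified_as": "Known"},   # stale match from an earlier run
        {"filename": "unhashed.bin", "md5": "",                # hash task not yet run
         "hash_set": "", "identified_as": ""},
    ]


def apply_hash_sets(rows, hash_sets, compare_using="md5", clear_existing=False):
    """Fill the Hash Set / Hash Set Identified As columns of each row.

    clear_existing=True  -> the checked option: old values are wiped first, so a
                            row that no longer matches anything ends up blank.
    clear_existing=False -> the unchecked option: a new match overwrites the old
                            value, but a row with no new match keeps what it had.
    """
    for row in rows:
        if clear_existing:
            row["hash_set"], row["identified_as"] = "", ""
        digest = (row.get(compare_using) or "").lower()   # hex digests compare case-insensitively
        if not digest:
            continue   # nothing to compare until the hash column is populated
        for hs in hash_sets:
            if digest in hs["hashes"].get(compare_using, ()):
                row["hash_set"] = hs["name"]
                row["identified_as"] = hs["identified_as"]
                break   # first matching set wins
    return rows


def split_by_identification(rows):
    """Known files can be excluded from the working set; Notable ones are surfaced."""
    exclude = [r["filename"] for r in rows if r["identified_as"] == "Known"]
    notable = [r["filename"] for r in rows if r["identified_as"] == "Notable"]
    return exclude, notable
```

With the option unchecked, notes.txt keeps its stale "Old Set / Known" value even though no current set contains its hash; with the option checked it is blanked. That stale value would silently exclude the file from review, which is the reason to clear matches when the hash sets in use have changed.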
...ename from the drop down menu. Edit the file name in the Rename File window (New filename).

Note: if the renamed file does not appear, right click in the Scripts window and use the Refresh option to refresh the display. If the renamed file still does not appear, check that it has been renamed with the .pas extension.

To delete a script:
1. Highlight the script in the Scripts window.
2. Right click and select File > Delete from the drop down menu. A confirmation window will appear to confirm that the delete is required.

Chapter 18: Scripts Module

18.3 INTRODUCTION TO SCRIPTING

This section is an introduction to Forensic Explorer scripting only. More technical scripting documentation is available at http://www.forensicexplorer.com.

Forensic Explorer is installed with Delphi Basics reference documentation. It is installed in the path C:\Program Files\GetData\Forensic Explorer v1\Delphi Basics and is accessible by the Delphi Basics help button in the Scripts module toolbar, shown below.

Figure 180: Scripts module toolbar (Delphi Basics scripting documentation button).

The Delphi language is a set of object oriented extensions to standard Pascal and has become the most popular commercial Pascal implementation (see http://en.wikipedia.org/wiki/Comparison_of_Pascal_and_Delphi for more information). Delphi Ba
...entified, Forensic Explorer then locates and identifies known file systems, i.e. FAT, NTFS and HFS. The file and folder structure can then be read and populated in the File System module. If these default tasks are not enabled, the device or forensic image file will be loaded as raw data with no file or folder structure.

OTHER TASKS

Triage Registry: Triage Registry is an inbuilt function of Forensic Explorer to automatically detect and process Windows registry files. The process is divided into two parts:
1. Detect registry files in a Windows file system and automatically send those files to the Registry module; then
2. Process the registry files in the Registry module to identify and bookmark common items of interest. This includes registry keys such as registered owner, default Windows user name, Windows product ID and name, OS installation date, etc. Items identified are bookmarked and can be seen in the Bookmarks module under the path My Bookmarks\Triage Registry. These bookmarks are used to automatically generate reports.

Chapter 10: Evidence Module

Verify Device Hashes: the verify device hashes task calculates a hash (MD5, SHA1 or SHA256) for the added device or forensic image. If the forensic image was created with EnCase, the calculated hash(es) can be compared with the acquisition hash stored within the forensic image to show that it has no
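To make concrete what the two default tasks do, here is the MBR/partition-table walk and the boot-sector check that "Search for Known MBRs" and "Search for File Systems" describe, written in Python as an added example. It is not Forensic Explorer's code and does not cover HFS, GPT or extended partitions; it parses the classic 512-byte MBR layout (0x55AA signature at offset 510, four 16-byte entries from offset 446) and recognises NTFS and FAT boot sectors by their OEM/type strings. The 16-sector disk it scans is constructed in memory, with partitions starting at LBA 2 and 8 purely to keep the sample small.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"

# Subset of the standard MBR partition-type bytes (assumed table for the demo).
PARTITION_TYPES = {
    0x07: "NTFS/exFAT/HPFS",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0E: "FAT16 (LBA)",
    0x83: "Linux",
    0xEE: "GPT protective",   # real layout is GPT; a GPT parser would take over here
}


def parse_mbr(sector):
    """Return the non-empty primary partition entries of a 512-byte MBR.

    Raises ValueError when the 0x55AA boot signature is absent, i.e. this is
    not a known MBR and the device has to be treated as raw data.
    """
    if len(sector) < SECTOR or sector[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA boot signature at offset 510")
    entries = []
    for i in range(4):
        # Entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, 446 + 16 * i)
        if ptype == 0x00:
            continue   # unused slot
        entries.append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start, "sectors": count,
        })
    return entries


def identify_filesystem(boot_sector):
    """Recognise NTFS/FAT from the strings a volume boot sector carries."""
    if boot_sector[3:11] == b"NTFS    ":          # NTFS OEM ID
        return "NTFS"
    if boot_sector[0x52:0x5A] == b"FAT32   ":     # FAT32 BPB file-system type field
        return "FAT32"
    if boot_sector[0x36:0x3E] in (b"FAT12   ", b"FAT16   ", b"FAT     "):
        return boot_sector[0x36:0x3E].strip().decode()
    return "unknown"


def scan_device(image):
    """'Search for Known MBRs' then 'Search for File Systems' over a raw image."""
    def sector(lba):
        return image[lba * SECTOR:(lba + 1) * SECTOR]

    try:
        partitions = parse_mbr(sector(0))
    except ValueError:
        partitions = []
    if not partitions:
        # No usable MBR: the image may be a bare volume, so test sector 0 itself.
        fs = identify_filesystem(sector(0))
        return [{"lba_start": 0, "fs": fs}] if fs != "unknown" else []
    for p in partitions:
        p["fs"] = identify_filesystem(sector(p["lba_start"]))
    return partitions


def _boot_sector(kind):
    """Constructed minimal NTFS or FAT32 volume boot sector."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"                      # jump instruction
    if kind == "NTFS":
        bs[3:11] = b"NTFS    "
    elif kind == "FAT32":
        bs[3:11] = b"MSDOS5.0"
        bs[0x52:0x5A] = b"FAT32   "
    bs[510:512] = MBR_SIGNATURE
    return bytes(bs)


def build_sample_disk():
    """Constructed 16-sector disk: MBR, bootable NTFS at LBA 2, FAT32 (LBA) at LBA 8."""
    img = bytearray(SECTOR * 16)
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80, 0x07, 2, 4)
    struct.pack_into("<B3xB3xII", mbr, 462, 0x00, 0x0C, 8, 4)
    mbr[510:512] = MBR_SIGNATURE
    img[0:SECTOR] = mbr
    img[2 * SECTOR:3 * SECTOR] = _boot_sector("NTFS")
    img[8 * SECTOR:9 * SECTOR] = _boot_sector("FAT32")
    return bytes(img)
```

scan_device(build_sample_disk()) reports an NTFS partition at LBA 2 and a FAT32 partition at LBA 8; a bare FAT32 volume image is still recognised at LBA 0, and an all-zero sector yields no file systems, which is the raw-data fallback the manual describes.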
...ependently index and keyword search email in the Index Search module. Refer to Chapter 13, Index Search Module, for more information.

14.2 EMAIL MODULE

The Email module is accessed via the Email tab.

Figure 141: Email module tab.

The Email module is broken down into three panes:
1. Email Tree: holds the folder structure of the email file.
2. Email List: lists individual messages and their metadata. Available columns include Importance, Subject, Sent From, etc.
3. Data Views: displays message content and additional properties. The Property Viewer contains Outlook MAPI (Messaging Application Programming Interface) properties associated with each message.

14.3 MICROSOFT OUTLOOK PST EMAIL

The Microsoft Outlook email client is available as part of the Microsoft Office suite. Microsoft refers to it as a personal information manager, as it has functions additional to email, including calendar, contacts and notes. When running on a typical home computer, Outlook stores mail on the local hard disk in an Outlook Data File (PST file). In a business environment Outlook can be configured to interact with a mail server, usually Microsoft Exchange; in this case a local copy of the data may be held in an Offline Data File (OST).

Chapter 14: Email Module

To add a stand alone Microsoft Outlook PST file to the Email module:
required script does not exist by default, the following scripts can be used as templates for the different types of extraction:

• SQLite: iPhone Facebook.pas. This script extracts Facebook data from the SQLite file fbsyncstore.db.
• Images: iPhone Images.pas. This script adds iPhone graphics files (e.g. JPG, PNG) from the File System to the Phone module.
• Plist: iPhone Wifi Networks.pas. This script adds a list of Wi-Fi networks and SSID information to the Phone module.
• XML: iPhone iTunes Info.pas. This script collects iPhone user information and adds it to the Phone module.

The Scripts\Phone\Phone PM.pas script opens, reads and adds a selected Nokia PM phone image file to the module. It then parses the file to extract information from the image, as shown in Figure 183 below.

Figure 183: Custom Phone module parsing a Nokia PM file (Phone Tree showing Nokia 1110i.pm with numbered sections such as 1 RF Tuning and 4 System Info)
...er CRC, Header, Case, Source.

SEGMENT SIZE

Sets the segment size of the created forensic image file. This setting enables the forensic image file to be broken into segments of a specific size. Setting an image segment size is primarily used when the forensic image files will later be stored on fixed-capacity media such as CD or DVD. For the EnCase E01 image format, Forensic Imager uses the EnCase v6 standard and is not limited to a 2 GB segment size. However, if an investigator plans to use larger file segments they should give consideration to the limitations (RAM etc.) of the systems on which the image files will be processed.

4. OUTPUT FILENAME

Sets the destination path and file name for the image file. The output file name is the name of the forensic image file that will be written to the investigator's forensic workstation. Click on the folder icon to browse for the destination folder.

5. HASH OPTIONS

Calculates an MD5 and/or SHA256 acquisition hash of the imaged data. A hash value is a mathematical calculation that is used for identification, verification and authentication of file data. A hash calculated by Forensic Imager during the acquisition of a device (the acquisition hash) enables the investigator, by recalculating the hash at a later time (the verification hash), to confirm the authenticity of the image file, i.e. that the file has not changed. Any change to the acquired image will result in a change to th
where the file signature is aligned with neither a cluster nor a sector boundary. Sector carving is used to recover files from mobile (cell) phone image files. NOTE: Carving in byte mode will greatly increase the length of the search.

SELECTING FILE TYPES TO CARVE

Select the required file signatures by placing a tick in the selection box and click OK to begin the search. NOTE: It is recommended that, in order to maintain search speed, no more than 10 file signatures be selected at one time.

CARVE PROGRESS

The progress of the data carve is shown in the Processes window. To stop a data carve, click the Stop button in this window.

DEFAULT SIZE ALLOCATION

When the file signature of a selected file type is located, Forensic Explorer will analyze the file structure in an attempt to locate the end of the file. If the file end is not found, but sufficient information is found within the file to suggest that it will at minimum be partially recovered, it is assigned a pre-determined default file size according to that file type.

LOGGING AND PRIORITY

See 7.5 Process Logging and Priority.

The second file carving method available in Forensic Explorer is to use a custom file carving script. An investigator may use, modify or write a script to suit their data recovery needs. For more information on scripts please refer to Chapter 18, Scri
...ers. In the File System module, under the Analysis Scripts button, select iTunes Backups: Identify and Bookmark, as shown in Figure 243 below.

Figure 243: iTunes Backups: Identify and Bookmark (Analysis Scripts menu listing "iTunes Backup Identify and Bookmark" and "iTunes Backup Analyze")

The following window is displayed:

iTunes Backup Identify and Bookmark Options
• Name: iTunes Backup Identify and Bookmark
• Options: Extract domain and backup filename to columns; Extract Manifest MAC date times to columns
• Logging: None
• Priority: Normal

Options

Extract domain and backup filename to columns: Like the parent folder, file names within each Apple device UUID backup folder can also be 40-character hexadecimal strings. The file names are SHA1 hash values of the original domain and file path on the device. Selecting this option makes the decoded information available as separate columns in Forensic Explorer List views. Adding these names to Forensic Explorer can greatly assist the investigator to navigate through backup folders and identify relevant files.

Extract Manifest MAC date times to columns: The Manifest.mbdb file contained within an Apple UUID backup folder contains information about all other files in the backup. This includes Created, Mo
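The name decoding described under "Extract domain and backup filename to columns" can be reproduced outside Forensic Explorer. The following is an added example (not code from the manual or from GetData): it hashes "<domain>-<path on device>" with SHA1, which is the iTunes backup naming convention, builds a lookup of known device paths, and maps a constructed backup folder listing back to domain and path. The list of known paths is an assumption for the example; the sms.db value is a widely published one.

```python
import hashlib

def backup_filename(domain, relative_path):
    """iTunes backup file name: SHA1 over '<domain>-<path relative to the domain root>', as 40 hex chars."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()

# Constructed table of device paths worth recognising in a backup folder (assumption for the example).
KNOWN_FILES = [
    ("HomeDomain", "Library/SMS/sms.db"),
    ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    ("WirelessDomain", "Library/CallHistory/call_history.db"),
    ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG"),
]

def build_lookup(entries=KNOWN_FILES):
    """Map each hashed file name back to (domain, path)."""
    return {backup_filename(domain, path): (domain, path) for domain, path in entries}

def is_hashed_name(name):
    """Backup file names are exactly 40 hexadecimal characters; Manifest.mbdb, Info.plist etc. are not."""
    return len(name) == 40 and all(c in "0123456789abcdef" for c in name.lower())

def decode_backup_folder(filenames, lookup=None):
    """Return [(file name, (domain, path) or None)] for a backup folder listing.
    Unknown hashes stay None: the lookup only resolves paths it was told about, so an
    unresolved name means 'not in the table', not 'not an Apple file'."""
    lookup = lookup if lookup is not None else build_lookup()
    return [(name, lookup.get(name.lower()) if is_hashed_name(name) else None) for name in filenames]

# Constructed listing of a backup folder: one known hash, one unknown hash, two plain files.
SAMPLE_LISTING = [
    "3d0d7e5fb2ce288813306e4d4636395e047a3d28",
    "0000000000000000000000000000000000000000",
    "Manifest.mbdb",
    "Info.plist",
]

if __name__ == "__main__":
    for name, resolved in decode_backup_folder(SAMPLE_LISTING):
        print(name, "->", resolved)
```

The 40-character names are a SHA1 digest, so the mapping is one-way: you cannot recover a path from a name you have not pre-computed, which is why the Manifest file (which records the original domain and path for every entry) matters when a file is not in your table.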
...es 195
17.2 The Reports Module 196
17.3 Reports ... 197
17.4 Report Editor 201
17.5 Creating Reports 203

Chapter 18 Scripts Module 215
18.1 ... 216
18.2 Managing scripts in the Scripts window 222
18.3 Introduction to Scripting 223
18.4 ... 227

Chapter 19 Custom Modules 231
19.1 About Custom Modules 232
19.2 Browser History Module 232
19.3 Phone Module 232

Chapter 20 Date and Time 235
20.1 Date and time in computer forensics 236
20.2 FAT file system date and time 236
20.3 NTFS file system date and time 236
20.4 Date and time information in the Windows registry 236
20.5 Daylight saving time (DST) 240
20.6 Adjusting Date in Forensic Explorer 241

Chapter 21 Hashing 245
21.1 ... 246
21.2 Hash Algorithms 246
21.3 Acquisition Hash 246
21.4 Verification Hash 247
21.5 Hashing ... 248
21.6 ... 251
21.7 ...
...es window (Win 7) is shown in Figure 222 below.

Figure 222: System Properties, Protection Settings (System Protection tab: "Use system protection to undo unwanted system changes and restore previous versions of files"; System Restore button; Available Drives list showing DATA 2, TOSHIBA EXT and Win 7x64 (C:) (System); Configure and Create buttons)

The Configure button gives access to further settings. The lowest setting is "Only restore previous versions of files", with the option of "Restore system settings and previous versions of files". This is shown in Figure 223 below.

Figure 223: System Protection Settings (Restore Settings for DATA 1 (D:): Restore system settings and previous versions of files / Only restore previous versions of files / Turn off system protection; Disk Space Usage: You can adjust the maxim
Figure 73: Byte Plot and Character Distribution of a zip file (Test 01\Root\Text Documents\Flowers.zip)

8.10 FILESYSTEM RECORD VIEW

The default location for the Filesystem Record view is the bottom data view window of the File System module.

Figure 74: Filesystem Record tab

Filesystem Record view decodes and displays the full attributes of the highlighted item, including FAT, MFT and HFS file system records and Windows registry entries. To display the Filesystem Record view for a file:

1. Highlight a file in File List view.
2. Select the Filesystem Record view tab in the bottom window.

The details of the highlighted file are then displayed. A Filesystem Record view of a highlighted file on a FAT file system is shown in Figure 75 below.

Figure 75: Filesystem Record view

Property | Value | Raw Value | Type
FAT Record | | |
Short Filename | PENGUINS.J | PENGUINS | String
Deleted | False | False | Boolean
Attributes | 32 | 32 | Byte
Reserved | 0 | 0 | Byte
Created 10ms | 185 | 185 | Byte
Created Time | 1:09:24 PM | 26924 | Word
Created Date | 19 Mar 11 | 15987 | Word
Accessed Date | 19 Mar 11 | 15987 | Word
EA Index (FAT12/16) | 0 | 0 | Word
Written Time | 3:52:26 PM | 32397 | Word
Written
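The Raw Value column in Figure 75 shows the 16-bit words that the Filesystem Record view decodes into dates and times. The following added example (not code from the manual or from Forensic Explorer) decodes those words with the FAT bit layout and parses a whole 32-byte short directory entry built from the values visible in the figure; the written date, first cluster and file size are not on the page and are assumed.

```python
import struct
from datetime import datetime, timedelta

def decode_fat_time(word):
    """16-bit FAT time: bits 15-11 hours, bits 10-5 minutes, bits 4-0 seconds divided by 2."""
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2

def decode_fat_date(word):
    """16-bit FAT date: bits 15-9 years since 1980, bits 8-5 month, bits 4-0 day."""
    return 1980 + ((word >> 9) & 0x7F), (word >> 5) & 0x0F, word & 0x1F

def fat_datetime(date_word, time_word, tenths=0):
    """Combine date and time words plus the optional 10 ms field (0-199) kept for creation times.
    FAT records local time with no time zone, so the result is a naive datetime."""
    y, m, d = decode_fat_date(date_word)
    hh, mm, ss = decode_fat_time(time_word)
    if not (1 <= m <= 12 and 1 <= d <= 31 and hh < 24 and mm < 60 and ss < 60 and tenths < 200):
        raise ValueError(f"invalid FAT timestamp: date=0x{date_word:04x} time=0x{time_word:04x}")
    return datetime(y, m, d, hh, mm, ss) + timedelta(milliseconds=tenths * 10)

def fat_time_text(time_word):
    """Render a time word the way the Filesystem Record view shows it, e.g. '1:09:24 PM'."""
    hh, mm, ss = decode_fat_time(time_word)
    return f"{(hh % 12) or 12}:{mm:02d}:{ss:02d} {'PM' if hh >= 12 else 'AM'}"

# 32-byte FAT short directory entry: name+ext (11), attributes (1), reserved (1), created 10ms (1),
# created time (2), created date (2), accessed date (2), EA index / high cluster word (2),
# written time (2), written date (2), first cluster (2), file size (4); all little-endian.
DIR_ENTRY = struct.Struct("<11sBBBHHHHHHHI")

def parse_fat_dir_entry(raw):
    (name, attr, reserved, ctenths, ctime, cdate, adate, ea_index,
     wtime, wdate, cluster, size) = DIR_ENTRY.unpack(raw)
    base = name[:8].rstrip(b" ").decode("ascii", "replace")
    ext = name[8:].rstrip(b" ").decode("ascii", "replace")
    return {
        "Short Filename": f"{base}.{ext}" if ext else base,
        "Deleted": raw[0] == 0xE5,      # first name byte is overwritten with E5 on deletion
        "Attributes": attr,
        "Reserved": reserved,
        "Created 10ms": ctenths,
        "Created Time": fat_time_text(ctime),
        "Created Date": decode_fat_date(cdate),
        "Accessed Date": decode_fat_date(adate),
        "EA Index": ea_index,
        "Written Time": fat_time_text(wtime),
        "Written Date": decode_fat_date(wdate),
        "Created": fat_datetime(cdate, ctime, ctenths),
        "Written": fat_datetime(wdate, wtime),
        "First Cluster": cluster,
        "Size": size,
    }

# Constructed entry using the raw values from Figure 75 (written date, cluster and size assumed).
SAMPLE_ENTRY = DIR_ENTRY.pack(b"PENGUINSJPG", 0x20, 0, 185, 26924, 15987, 15987, 0,
                              32397, 15987, 5, 1024)

if __name__ == "__main__":
    for key, value in parse_fat_dir_entry(SAMPLE_ENTRY).items():
        print(f"{key:16} {value}")
```

Note that the displayed Created Time (1:09:24 PM) ignores the 10 ms field; adding the 185 from the figure gives 1:09:25.85 PM, which is the resolution the file system actually recorded. The accessed date has no time word at all, so it can never be compared with the others at better than one-day granularity.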
process is identical to that described in NTFS Orphans above. The only difference is that, instead of working with files in existing MFT records, the MFT records themselves are recovered from unallocated space.

23.4 FILE CARVING

File carving is a well-known computer forensics term used to describe the identification and extraction of file types from unallocated clusters using file signatures. A file signature, also commonly referred to as a magic number, is a constant numerical or text value used to identify a file format or protocol [16]. An example of a file signature is shown in Figure 218, which is the beginning of a JPG file in Hex view.

Figure 218: View of JPG file header

The object of the carving exercise is to identify and extract (carve) the file based on this signature information alone. Carrier (2005) describes file carving as a "process where a chunk of data is searched for signatures that correspond to the start and end of known file types. The result of this analysis process is a collection of files that contain one of the signatures. This is commonly performed on the unallocated space of a file system and allows the investigator to recover files that have no metadata structures pointing to them" [2].

File carving has both advantages and limitations. These include:

File system independent: Fi
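The cluster, sector and byte carving modes, the header/footer search and the default size allocation described in this chapter can be seen together in the following added example (not code from the manual or from Forensic Explorer). It carves JPG and PNG files out of a constructed block of "unallocated" data; the cluster size, default sizes and the sample data are assumptions.

```python
# Public magic numbers for the two types; the default sizes are assumed values for this example.
SIGNATURES = {
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "default_size": 1024},
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xaeB`\x82", "default_size": 2048},
}
# Carving mode -> alignment the header must sit on. 4096-byte clusters are an assumption.
ALIGNMENT = {"cluster": 4096, "sector": 512, "byte": 1}

def _candidates(data, header, step):
    """Offsets where the header occurs. Aligned modes only test every step-th offset, which is
    what makes them fast; byte mode must test every position, hence the speed warning in the text."""
    if step == 1:
        pos = data.find(header)
        while pos != -1:
            yield pos
            pos = data.find(header, pos + 1)
    else:
        for pos in range(0, len(data), step):
            if data.startswith(header, pos):
                yield pos

def carve(data, mode="sector", types=("jpg", "png"), max_scan=1 << 20):
    """Return carved files as dicts. If the footer is not found within max_scan bytes the file is
    still reported, truncated to the type's default size, with complete=False."""
    step = ALIGNMENT[mode]
    found = []
    for name in types:
        sig = SIGNATURES[name]
        for pos in _candidates(data, sig["header"], step):
            end = data.find(sig["footer"], pos + len(sig["header"]), pos + max_scan)
            if end != -1:
                size, complete = end + len(sig["footer"]) - pos, True
            else:
                size, complete = min(sig["default_size"], len(data) - pos), False
            found.append({"type": name, "offset": pos, "size": size,
                          "complete": complete, "data": data[pos:pos + size]})
    return sorted(found, key=lambda f: f["offset"])

def build_sample():
    """Constructed 8 KiB of unallocated space: a cluster-aligned JPG, a PNG that is sector-aligned
    but not cluster-aligned, and a JPG header at an unaligned offset with no footer after it."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-body-" * 20 + b"\xff\xd9"            # 206 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"PNG-chunks-" * 30 + b"IEND\xaeB`\x82"    # 346 bytes
    headless = b"\xff\xd8\xff\xe1" + b"no-footer-" * 10                     # 104 bytes, no FF D9
    blob = bytearray(8192)
    blob[0:len(jpg)] = jpg
    blob[1536:1536 + len(png)] = png          # 1536 = 3 * 512
    blob[5000:5000 + len(headless)] = headless
    return bytes(blob)

SAMPLE = build_sample()

if __name__ == "__main__":
    for mode in ("cluster", "sector", "byte"):
        hits = [(f["type"], f["offset"], f["size"], f["complete"]) for f in carve(SAMPLE, mode)]
        print(f"{mode:8} {hits}")
```

Run against the sample, cluster mode finds only the JPG at offset 0, sector mode adds the PNG at 1536, and byte mode also reports the footer-less JPG at 5000 with the default size and complete=False. The footer search window (max_scan) is what keeps a missing footer from swallowing the rest of the device; the truncated result is the same partial recovery the "Default size allocation" paragraph describes.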
method of classification than using the file extension (e.g. .jpg), as the extension can easily be altered.

Shadow Copy: "Shadow Copy (also known as Volume Snapshot Service, Volume Shadow Copy Service, VSC or VSS) is a technology included in Microsoft Windows that allows taking manual or automatic backup copies or snapshots of data, even if it has a lock, on a specific volume at a specific point in time over regular intervals." (https://en.wikipedia.org/wiki/Shadow_Copy). Forensic Explorer enables investigators to add and examine the content of Shadow Copies. See Chapter 25.

Skin tone analysis: Skin tone analysis is the automated detection of skin tone colors in graphics files. It is often used to identify pornographic pictures on a suspect's computer. In Forensic Explorer skin tone analysis is run using a script.

Slack: See File Slack, Disk Slack, FAT Slack.

Steganography: "Steganography is the art and science of writing hidden messages in such a way that no one apart from the sender and intended recipient suspects the existence of the message, a form of security through obscurity." (http://en.wikipedia.org/wiki/Steganography)

UDP (User Datagram Protocol): UDP is one of the core members of the Internet Protocol Suite, the protocols used for the Internet. Forensic Expl
(Screenshot: Keyword Search module showing keyword results for a Lexar USB E01 evidence file)

12.2 KEYWORD MANAGEMENT

To create a keyword:

1. Preview, create or open an existing case and click on the Keyword Search module tab.
2. To open the Add Keyword window shown in Figure 127 below, either:
   • click on the Add Keyword icon in the Keyword Management window (if the Keyword icon is inactive, highlight the Keywords folder in the Keyword Name window); or
   • right-click in the Keyword Management window and select Add Keyword; or
   • press CTRL+N on the keyboard.

Figure 127: Add keyword (Keyword Name: cash; Search Expression: cash; Case Sensitive; Status; Text Codepages: Common (UTF-16, ANSI Latin I, UTF-7, UTF-8), Other)

The Search Type drop-down menu is used to identify the type of search:

Text: A text search translates the entered keyword into the character encoding of the selected code page formats. The default selection (UTF-7, UTF-8, UTF-16 and ANSI) will locate English and other non-complex languages in standard and Unicode format. When searching c
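What "translates the entered keyword into the character encoding of the selected code pages" means in bytes is easiest to see by doing it. The following added example (not code from the manual or from Forensic Explorer) encodes the keyword from Figure 127 in the default code pages, searches a constructed buffer that holds the word in ANSI, UTF-16LE and UTF-16BE, and shows the case-sensitive and case-insensitive results. The code page list is the figure's; the buffer is constructed.

```python
import re

# The "Common" code pages from the Add Keyword window, mapped to Python codec names.
CODEPAGES = {
    "UTF-8": "utf-8",
    "UTF-16LE": "utf-16-le",
    "UTF-16BE": "utf-16-be",
    "UTF-7": "utf-7",
    "ANSI (Latin I)": "cp1252",
}

def keyword_patterns(keyword, codepages=CODEPAGES):
    """Encode the keyword under each code page. Code pages that yield identical bytes (for an
    ASCII keyword UTF-8, UTF-7 and ANSI all do) are grouped so the buffer is scanned once."""
    patterns = {}
    for name, codec in codepages.items():
        patterns.setdefault(keyword.encode(codec), []).append(name)
    return patterns

def keyword_search(data, keyword, case_sensitive=True, codepages=CODEPAGES):
    """Return [(offset, [code pages whose encoding matched there])], sorted by offset.
    Case-insensitivity is applied on the encoded bytes, which is only safe for ASCII letters;
    non-ASCII characters in UTF-7 are base64-encoded and do not fold this way."""
    flags = 0 if case_sensitive else re.IGNORECASE
    hits = []
    for pattern, names in keyword_patterns(keyword, codepages).items():
        for m in re.finditer(re.escape(pattern), data, flags):
            hits.append((m.start(), names))
    return sorted(hits, key=lambda h: h[0])

# Constructed buffer: the word in single-byte text at 25, "CASH" in UTF-16LE at 59 and
# "cash" in UTF-16BE at 75, separated by NUL padding as slack often is.
SAMPLE = (b"\x00" * 16
          + b"withdraw cash now" + b"\x00" * 8
          + "Transfer CASH".encode("utf-16-le") + b"\x00" * 8
          + "cash".encode("utf-16-be") + b"\x00" * 8)

if __name__ == "__main__":
    for pattern, names in keyword_patterns("cash").items():
        print(pattern, names)
    print("case-sensitive  ", keyword_search(SAMPLE, "cash"))
    print("case-insensitive", keyword_search(SAMPLE, "cash", case_sensitive=False))
```

Two things the output makes visible. First, an ASCII keyword produces the same bytes for UTF-8, UTF-7 and ANSI, so those three code pages cost one scan. Second, the UTF-16 patterns differ only by where the NUL byte sits, so a UTF-16LE string padded with NULs also matches the UTF-16BE pattern one byte earlier (offset 58 next to 59, and 76 next to 75 in the sample): when both byte orders are selected, expect paired hits and confirm the endianness from the surrounding bytes before treating them as two separate occurrences.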
text filtering on column data. To access the text filter tool:

1. Right-click on a List view window.
2. From the drop-down menu select Text Filter Tool.
3. The text filter then appears above the List view column headings, as shown in Figure 95 below.

To apply a text filter:

1. Type into the filter field above the column heading:
   i. (A-Z) requires A-Z characters;
   ii. (123) requires numbers 0-9. Use the > or < symbols to list data greater than, equal to or less than the typed number;
   iii. (calendar) requires a date format; click for the auto-selection calendar.
2. As text is typed into the field, the displayed content updates based upon the typed criteria. When the filter is applied, the outline of the filter box turns red, as shown in Figure 95 below.

Figure 95: Text filter tool (File List filtered on "australia": Diving the Cod Hole on Australia's Great Barrier Reef; AustralianKiwidollars 180x120.jpg; Great Barrier Reef Diving Lady Elliot Island Queensland Australia)

To apply multiple column text filters: enter the filter criteria into the field above each column heading. Multiple text filters are joined with the AND operator.

To clear a text filter: remove the text from the
of byte-level data within the currently highlighted file. It is a visual means to gauge the consistency or regularity of a file. In a Byte Plot each byte in the binary object is sequentially mapped to a pixel. The plotting of byte values in the object starts at the top left of the image; subsequent byte values in the object are plotted from left to right, wrapping at the end of each horizontal row [8, pp. S3-S12]. Byte Plot is emerging as a future means of file type analysis by binary content, or "fileprint" [9].

In the status bar of the Byte Plot data view is an entropy score for the displayed data. The entropy score is an expression of randomness, where the more random the data the higher the score. For example, a compressed zip file will have a higher entropy score than a text document.

Character Distribution

A character distribution bar graph is used in conjunction with Byte Plot and displays the distribution of ASCII characters according to the currently displayed segment of the file. ASCII is a 7-bit character encoding scheme that allows text to be transmitted between electronic devices in a consistent way (see http://www.ascii-code.com) [10]. The extended ASCII character set comprises codes 0-255, where:

• 0-31 (and 127, DEL) are non-printing control characters;
• 32-126 are printable characters, of which 48-57 are the numbers 0-9, 65-90 are A-Z and 97-122 are a-z;
• 128-255 are extended characters.

The Character Distribution X axis represent
filter.

To clear all filters, press the (clear) icon. To close the text filter, click the (close) icon. To change search options, click the (Y) icon.

Figure 96: Text filter search options (File List filter menu: Simple Filter, NOT, RegEx)

Simple: filters for the text entered.

NOT: displays any value which does NOT match the text entered. When the NOT column filter is active, the A-Z icon turns black, as shown in Figure 97 below.

Figure 97: NOT column filter active

RegEx: regular expression search. When the RegEx column filter is active, the icon changes to a formula, as shown in Figure 98 below.

Figure 98: RegEx column filter

RegEx quick start guide:

abc      Letters
123      Digits
\d       Any digit
.        Any character
\.       Period
[abc]    Only a, b or c
[^abc]   Not a, b nor c
[a-z]    Characters a to z
[0-9]    Numbers 0 to 9
{m}      m repetitions
{m,n}    m to n repetitions
*        Zero or more repetitions
+        One or more repetitions
?        Optional
\s       Any whitespace
^ $      Starts and ends
(...)    Capture group
(a(bc))  Capture sub-group
Variab
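The filter semantics spread over the last two pages (text, NOT and RegEx modes on text columns, > and < on numeric columns, a date on date columns, and multiple column filters joined with AND) can be put in one place. The following added example (not code from the manual or from Forensic Explorer) applies such filters to a constructed file list whose names come from Figure 95; the column types, sizes and dates are assumptions.

```python
import re
from datetime import date

def match_text(value, expr, mode="simple"):
    """Text column: simple (substring, case-insensitive), not (inverse of simple) or regex."""
    if expr == "":
        return True
    if mode == "simple":
        return expr.lower() in value.lower()
    if mode == "not":
        return expr.lower() not in value.lower()
    if mode == "regex":
        return re.search(expr, value, re.IGNORECASE) is not None
    raise ValueError(f"unknown filter mode: {mode}")

NUMERIC = re.compile(r"(>=|<=|>|<|=)?\s*(-?\d+(?:\.\d+)?)")

def match_number(value, expr):
    """Numeric column: a bare number means equal; > < >= <= compare against the typed number."""
    expr = expr.strip()
    if expr == "":
        return True
    m = NUMERIC.fullmatch(expr)
    if m is None:
        raise ValueError(f"bad numeric filter: {expr!r}")
    op, num = m.group(1) or "=", float(m.group(2))
    return {">": value > num, "<": value < num, ">=": value >= num,
            "<=": value <= num, "=": value == num}[op]

def match_date(value, expr):
    """Date column: exact day match on an ISO date (what the calendar picker would fill in)."""
    return expr == "" or value == date.fromisoformat(expr)

COLUMN_TYPES = {"Filename": "text", "Size": "number", "Modified": "date"}

def apply_filters(rows, filters, column_types=COLUMN_TYPES):
    """filters: {column: (expression, mode)}. Every active filter must match (AND), as in the List view."""
    def keep(row):
        for col, (expr, mode) in filters.items():
            kind = column_types[col]
            ok = (match_text(row[col], expr, mode) if kind == "text" else
                  match_number(row[col], expr) if kind == "number" else
                  match_date(row[col], expr))
            if not ok:
                return False
        return True
    return [r for r in rows if keep(r)]

# Constructed rows; the file names are those visible in Figures 95 and 96.
ROWS = [
    {"Filename": "Diving the Cod Hole on Australia's Great Barrier Reef.jpg", "Size": 2048, "Modified": date(2011, 3, 19)},
    {"Filename": "AustralianKiwidollars 180x120.jpg", "Size": 512, "Modified": date(2011, 3, 19)},
    {"Filename": "Great Barrier Reef Diving Lady Elliot Island Queensland Australia.jpg", "Size": 4096, "Modified": date(2012, 1, 24)},
    {"Filename": "Underarm incident cricket australia vs NZ.avi", "Size": 1048576, "Modified": date(2012, 1, 24)},
    {"Filename": "Flowers.zip", "Size": 300, "Modified": date(2010, 5, 5)},
]

def names(rows):
    return [r["Filename"] for r in rows]

if __name__ == "__main__":
    print(names(apply_filters(ROWS, {"Filename": ("australia", "simple"), "Size": (">1000", None)})))
```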
often referred to as a digital fingerprint, as a strong hash algorithm essentially rules out different data having the same hash value.

21.2 HASH ALGORITHMS

MD5 (Message Digest algorithm 5) is a publicly available and widely used cryptographic hash algorithm designed in 1991 by Ron Rivest (of RSA, the company founded by Rivest, Shamir and Adleman). MD5 is the most well known hash algorithm in computer forensics, largely through its implementation by Guidance Software in its EnCase E01 forensic acquisition file format. The MD5 algorithm produces a 128-bit value, so the chance of two arbitrary files sharing the same value is about one in 3.40282 × 10^38 (EnCase Forensic Version 6.10 User Manual, Guidance Software, 2008 [15], p. 12). That figure describes accidental collisions only; it does not cover collisions that an adversary constructs deliberately. In 1996 cryptanalytic research identified a weakness in the MD5 algorithm, and in 2008 the United States Computer Emergency Readiness Team (US-CERT) released Vulnerability Note VU#836068, stating that the MD5 hash "should be considered cryptographically broken and unsuitable for further use" [5].

SHA-2 is expected to become the new hash verification standard in computer forensics. SHA-2 is a set of cryptographic hash functions (SHA-224, SHA-256, SHA-384 and SHA-512) designed by the National Security Agency (NSA) and published by the USA National Institute of Standards and Technology (NIST).

21.3 ACQUISITION HASH

In computer forensics an acquisition hash is calculated by forensic imaging software during the acquisition of
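The acquisition hash, the later verification hash that the Verify Device Hashes task recomputes, and the segment size option of Forensic Imager all act on the same byte stream. The following added example (not code from the manual, Forensic Imager or Forensic Explorer) images a constructed "device" into fixed-size segments while hashing every byte once, then verifies the segments and shows that a single flipped bit in one segment fails verification under every algorithm. The segment size and device contents are assumptions.

```python
import hashlib
import io

def acquire(source, segment_size, algorithms=("md5", "sha256")):
    """Read the source stream once. Every byte is fed to each hash as it passes (the acquisition
    hash) and the output is split into fixed-size segments, the last of which may be short,
    in the manner of a segmented DD or E01 image."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    segments, pending = [], bytearray()
    while chunk := source.read(65536):
        for h in hashers.values():
            h.update(chunk)
        pending += chunk
        while len(pending) >= segment_size:
            segments.append(bytes(pending[:segment_size]))
            del pending[:segment_size]
    if pending:
        segments.append(bytes(pending))
    return segments, {name: h.hexdigest() for name, h in hashers.items()}

def verify(segments, acquisition_hashes):
    """Recompute each hash over the segments in order (the verification hash) and compare.
    Hashes are over the concatenated data, so segment boundaries do not affect the result."""
    hashers = {name: hashlib.new(name) for name in acquisition_hashes}
    for seg in segments:
        for h in hashers.values():
            h.update(seg)
    return {name: h.hexdigest() == acquisition_hashes[name] for name, h in hashers.items()}

def flip_bit(segments, index, offset, bit=0):
    """Return a copy of the segment list with one bit changed in one segment."""
    changed = list(segments)
    seg = bytearray(changed[index])
    seg[offset] ^= 1 << bit
    changed[index] = bytes(seg)
    return changed

# Constructed device: 200 KiB + 1234 bytes of deterministic content, imaged in 64 KiB segments.
DEVICE = bytes((i * 31 + 7) & 0xFF for i in range(200 * 1024 + 1234))
SEGMENT_SIZE = 64 * 1024

if __name__ == "__main__":
    segments, acq = acquire(io.BytesIO(DEVICE), SEGMENT_SIZE, ("md5", "sha1", "sha256"))
    print(len(segments), "segments; acquisition hashes:", acq)
    print("intact  ->", verify(segments, acq))
    print("tampered->", verify(flip_bit(segments, 1, 10), acq))
```

Record the acquisition hash outside the image (notes, the E01 header, a signed log) at the time of imaging; a verification hash recomputed from the image file alone only proves the file matches itself. Hashing with two algorithms at acquisition time costs one extra pass over the data and means a later MD5 question can be answered with the SHA-256 already on record.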
...ing a script. An example of this is where the metadata values from a Microsoft Word document (e.g. Author, Title, etc.) are extracted and placed into columns. See 8.11.1 for more information.

11.6 OTHER DATA VIEWS

Other data views used in the File System module include those summarized in the table below. For more detailed information on each view, see Chapter 8, Data Views.

Data View | Summary of Function
Disk View | A graphical display of the sectors which make up the examined device.
Gallery View | A thumbnail presentation of the graphics files.
Hex | A hexadecimal view of the currently highlighted data. Hex view includes a Data Inspector window where a highlighted block of hex is dynamically decoded.
Text | A text view of the currently highlighted file.
Display | A preview of the currently highlighted file.
Filesystem Record | Displays information contained in the MFT record or FAT entry for the currently highlighted file.
File Extent | Identifies the location of the highlighted file on the disk. It details the start, end and length of each data run on the disk.
Byte Plot | A graphical representation of byte-level data within the currently highlighted file.
Bookmarks | View bookmark information for the item.
...g to an examined device. A write block is designed to maintain the forensic integrity of an examined device by demonstrating that changes to the content of the device were not possible.

VSC or VSS: Volume Shadow Copy or Volume Shadow Service. See Shadow Copy.

APPENDIX 7 SAMPLE SCRIPT

Sample script showing some of the common features of Delphi Pascal scripting. A fully commented version is provided in the Quick Reference folder in the Scripts module.

    {NAME: Help File Sample Script 1.pas}
    {DESC: Counts years to 21}
    {INFO: Shows basic Pascal programming elements}
    {AUTHOR: GetData}
    {VERSION: v1.00}

    program Help_File_Sample_Script_1;

    uses
      GUI, SysUtils;

    const
      starting_age = 10;

    var
      my_age: integer;

    { Writes a time-stamped line to the process log }
    procedure ConsoleLog(AString: string);
    begin
      Progress.Log(DateTimeToStr(now) + ' ' + AString);
    end;

    begin
      my_age := starting_age;
      ShowMessage('Your current age is ' + inttostr(starting_age));
      ConsoleLog('Your current age is ' + inttostr(starting_age));
      if my_age > 21 then
        ShowMessage('You are already older than 21' + #13#10 + 'The program will now end');
      { Count up one year at a time until 21 is reached }
      while my_age < 21 do
      begin
        my_age := my_age + 1;
        if my_age = 21 then
        begin
          ShowMessage('WOW, happy 21st!');
          ConsoleLog('Congratulations! You made it from ' + inttostr(starting_age) + ' to ' + inttostr(my_age));
        end
        else
          { the else branch is cut off in the source page }
          ;
      end;
    end.
image will boot, as shown in Figure 235 below.

Figure 235: Live Boot VMware screen (FEX LiveBoot, NIST 4Dell Latitude CPi, booted in VMware Player; VMware Tools prompt with Install Tools / Remind Me Later / Never Remind Me)

To switch the mouse between the virtual machine and the desktop, use the CTRL+ALT keys. A quick start guide for virtual machines is available at http://www.vmware.com/pdf/desktop/ws10_getting_started.pdf

27.5.1 INSTALLING VMWARE TOOLS

VMware Tools is a suite of utilities that enhances the performance of the virtual machine's guest operating system. It also improves management of the virtual machine by allowing such options as the transfer of data into or out of the virtual machine. To install VMware Tools, click on the Install Tools button shown in Figure 235 above. If you receive the following VMware error message:

Figure 236: VMware Tools virtual CD/DVD error (VMware Player: "The virtual machine needs to have a virtual CD/DVD device to install VMware Tools.")

To enable the virtual CD/DVD:

1. Shut down the Windows virtual machine inside the VMwar
Chapter 6 Forensic Acquisition

In This Chapter

CHAPTER 6 FORENSIC ACQUISITION
6.1 Write Block 44
6.2 GetData's Forensic Imager 45
6.2.1 Installation 45
6.2.2 System Requirements 45
6.2.3 Protected Disk Areas (HPA and DCO) 45
6.2.4 Running Forensic Imager 46
6.2.5 Selecting the source 47
6.2.6 Selecting the destination 48
6.2.7 ... 53
6.2.8 ... 53
6.2.9 Bad Sectors and error reporting 54

6.1 WRITE BLOCK

IMPORTANT: An accepted principle of computer forensics is that, wherever possible, source data to be analyzed in an investigation should not be altered by the investigator. If physical media such as a hard drive, USB drive, camera card etc. is a potential source of evidence, it is recommended that when the storage media is connected to a forensic workstation it is done so using a forensic write block device. A forensic write blocker is usually a physical hardware device (a write blocker) which sits between t
originating device. Groups are identified by the "Sent from <device name>" folder, as shown in Figure 145 below.

Figure 145: Registry module showing "Sent from" (NIST Hacking Case 1: Sent from NIST 4Dell Latitude CPi.E01, containing several NTUSER.DAT hives and SAM, each shown with a Local Time offset)

15.3 REGISTRY DATA VIEWS

The Registry Tree in the top left window of the Registry module lists the folders that contain registry keys, as shown in Figure 146 below.

Figure 146: Registry Tree showing folders in NTUSER.DAT (AppEvents, Console, Control Panel, Environment, Identities, Keyboard Layout, Network, Printers, Software, ...; 0 of 75997 selected)

The blue number in brackets (e.g. (2)) shows the number of items inside the folder but does not count the contents of sub-folders. For information on navigating Tree views, including branch
...the tab in the top left-hand window of the File System module, next to the Folders view tab. The Category view displays items grouped by criteria. The following category views are available:

Figure 124: Categories view (Deleted Items (138), Carved Files (0), System Items (31), Case Notes (0), Files by Extension (37): ASF/WMV/WMA (2), AutoCAD DWG (2), AutoCad DXF (1), BMP (1), Canon Raw (1), DOCX (2), Excel (1), ...)

Note:

3. A single file may appear in multiple categories. For example, a deleted JPEG will appear under the categories Files by Extension\JPEG, Deleted, Modified Date and any other category folder for which it meets the criteria.
4. Categorization of items takes place when a case is opened. If case metadata is created by the investigator (e.g. files are hashed, skin tone analysis is run, flags are added etc.), it is necessary to rebuild categories before these items will appear in their respective categories.

To re-categorize:

1. Right-click inside the Category view window.
2. Select Rebuild Categories from the drop-down menu.

The new case metadata should now appear in the respective categories.

Files with
...the modified configuration, add the RAID drive to the case.

If it is a software RAID:

1. Set the Type of RAID to Software.
2. Press the validate button to confirm a valid software RAID. A valid software RAID will show with green ticks on the added drives or image files.

(RAID Segments list: Name and Size columns listing two software RAID image files of 4.53 GB each under C:\Users\Graham\Desktop\Aalo; Probable Solutions pane)

Once the correct RAID layout has been identified, click OK to add the configured RAID drive to the Device Selection window (User RAID). Select the RAID drive and click OK to add the drive to the case. Once the RAID drive is added, select and preview individual files to ensure that the RAID drive is correctly configured and that access to all files in the RAID has been achieved.

Chapter 25 Shadow Copy

In This Chapter

25.1 Shadow Copy Introduction 288
25.1.1 Shadow Copy Configuration by Windows Users 288
25.1.2 When are Shadow Copies Created 291
25.1
...the purchase page for pricing, volume discounts and software bundle options. Purchase orders can be placed by Government and Corporate entities by contacting GetData head office:

GetData Pty Ltd, Suite 204, 13A Montgomery Street, Kogarah, New South Wales 2217, Australia. Ph: +61 2 8208 6053. Fax: +61 2 9588 1195. Email: sales@getdata.com

Or by secure post: GetData Forensics Pty Ltd, P.O. Box 71, Engadine, New South Wales 2233, Australia.

Or via your forensic reseller. For a list of approved resellers please contact GetData via sales@getdata.com or via the contact details above.

3.2 LICENSE MAINTENANCE

A Forensic Explorer license purchase includes 12 months' maintenance, giving access to updates and support. When the maintenance for a dongle has expired, Forensic Explorer will continue to work; however, you may only use the latest version available prior to the expiration of your maintenance period. The expiration date for the maintenance of a dongle is displayed in the program splash screen, shown in Figure 9 below.

Figure 9: Forensic Explorer splash screen showing maintenance date (Registered To: Graham Henley, GetData)

When the maintenance is nearing the expiration date, an email is sent to the purchaser with the option to renew.

3.2.1 PURCHASE LICENSE MAINTENANCE

To purchase additio
the target media and the investigator's workstation. It ensures that it is not possible for the investigator to inadvertently change the content of the examined device. There are a wide variety of forensic write blocking devices commercially available. Investigators are encouraged to become familiar with their selected device, its capabilities and its limitations. Shown in Figure 27 below is a Tableau USB hardware write block. The source media, an 8 GB Kingston USB drive, is attached and ready for acquisition.

Figure 27: Tableau USB write block (Forensic USB Bridge) with a USB drive as the source

6.2 GETDATA'S FORENSIC IMAGER

Installed with Forensic Explorer is the standalone forensic imaging tool Forensic Imager. Forensic Imager is a Windows-based program that will acquire a forensic image into one of the following common forensic file formats (described in more detail later in this chapter):

• DD / RAW (Linux Disk Dump)
• AFF (Advanced Forensic Format)
• E01 (EnCase Version 6 format)

Forensic Imager is installed with Forensic Explorer into its installation folder: C:\Program Files\GetData\Forensic Explorer v1\ForensicImager.exe. Forensic Imager should be run as local Administrator to ensure that sufficient access rights are available for access to devices. Forensic Imager
http://www.forensicmag.com/article/hash-algorithm-dilemma%E2%80%93hash-value-collisions?page=0,0

44. Dandass, Yoginder Singh; Necaise, Nathan Joseph; Thomas, Sherry Reede. An Empirical Analysis of Disk Sector Hashes for Data Carving. Journal of Digital Forensic Practice, Vol. 2, 2008, pp. 95-104.

45. Farmer, Derrick J. (Burlington, Vermont). A Windows Registry Quick Reference: For the Everyday Examiner. [Online] [Cited: Oct 12, 2012.] http://www.forensicfocus.com/downloads/windows-registry-quick-reference.pdf

46. Wong, Lih Wern. Forensic Analysis of the Windows Registry. School of Computer and Information Science, Edith Cowan University. ForensicFocus.com [Online] [Cited: Oct 12, 2012.] http://www.forensicfocus.com/Content/pid=73/page=1/

47. Harrington, Michael. Seek and You Shall Find: Using Regular Expressions for Fast, Accurate Mobile Device Data Searches. dfinews.com [Online] [Cited: Oct 29, 2012.] http://www.dfinews.com/article/seek-and-you-shall-find-using-regular-expressions-fast-accurate-mobile-device-data-searches?page=0,0

48. AccessData Inc. Registry Quick Find Chart. AccessData [Online] 2005. [Cited: August 19, 2011.] https://ad-pdf.s3.amazonaws.com/Registry%20Quick%20Find%20Chart%20(7-22-08).pdf

APPENDIX 6 DEFINITIONS

Alternate Data Stre
Figure 205 (extract): file signature list used for File Signature Analysis, grouped by category. Microsoft Office: Access Database (.mdb), Excel Worksheet (.xls, .xla, .xlt), Excel Worksheet XLSX (.xlsx), PowerPoint Presentation (.ppt), Word Document (.doc, .dot, .asd), Word Document DocX (.docx), Open Office Document (.odt), Open Office Spreadsheet (.ods), Outlook Email file (.pst, .ost, .pab). Camera: Canon Raw graphics file (.crw), JPEG Digital Camera file (.jpg, .jpeg), Olympus RAW file (.orf), Panasonic Graphics file (.rw2). The window also provides a Find File Extension search box.

Logging & Priority: see 7.5 Logging and Priority.

22.4 EXAMINE THE RESULTS OF A FILE SIGNATURE ANALYSIS

There are three columns which relate to file signatures:

1. Extension: The Extension column lists the file's given extension, i.e. the extension given with the file name.

2. File Signature: The File Signature column is the result of the analysis of the file header. After a File Signature Analysis has been conducted for a file, the column either:
   a. shows an extension. This means that the file has been successfully identified as a file type contained within the Forensic Explorer signature list (shown in Figure 205 above); or
   b. is blank. This means that the file signature could not be matched against the f
Figure 105: New Investigator window (List of Investigators; fields: Investigator ID, Full Name, Title/Position, Organization, Department, Phone, Fax, Cell/Mobile, Email, URL; the example entry is Graham Henley, Director, GetData Support, support@getdata.com, www.getdata.com)

10.3 OPEN AN EXISTING CASE

To open an existing case:

1. Click the Open button in the Evidence module.

Figure 106: Evidence module new case button

This will open the Open Case File window. When a case file is highlighted, the metadata for that case is displayed on the right-hand side of the Open Case File window, shown in Figure 107 below. Click Open to open the case file.

Figure 107: Open Case File window (the case folder "Mixed Photos 02" contains the sub-folders AttachedEvidence, DTSearchIndexes, Exported and Logs and the "Mixed Photos Case" .CASE file; the metadata pane shows Investigator ID, Saved On
...file on the investigator's computer. The list can then be used for password breaking or other purposes.

To export the indexed word list:

1. In the Index Search module Indexes window, check the required index.
2. Click on the Export Words button.
3. Select the name and location of the exported .csv file.

Chapter 14 Email Module

In This Chapter
14.1 Email
14.3 Microsoft Outlook PST email
14.3.1 Add a standalone Outlook PST file
14.3.2 Add a PST file from a Forensic Explorer module
14.4 Index Search the Email module

14.1 EMAIL

Email analysis is an important component of computer forensics. The Forensic Explorer Email module currently supports examination of the following email formats:
• Microsoft Outlook PST and OST (all versions)

Note: It is possible to ind
...files.

Mount File System

The Mount Filesystem button mounts the selected image or disk and uses the Mount Image Pro Version 5 Filesystem Driver (not Microsoft Windows) to display the file system. This allows additional information to be displayed within the mounted image, including deleted files and Windows system files. The Mount Image Pro GUI displays the image details and the assigned drive letter, as shown in Figure 229 below.

Figure 229: Mount Image Pro v5 GUI (menu: File, Options, Help; toolbar: Mount, Unmount, View, Options, Update, Help; Mounted Images list with columns Filename, Files, Partition, As, Label, File System, Date Acquired. Image Details for GH Camera Compressed.E01: one FAT partition, Capacity 31.2 MB, Total Sectors 63,965, Cylinders 4, TracksPerCylinder 255, SectorsPerTrack 63, BytesPerSector 512, Acquiring Date 21/10/2004 11:49:33 AM, System Date 21/10/2004 11:49:02 AM, Examiner GH Camera. Status bar: Mounted Drives 1; MIP64 Driver ver 5.0.7.10 installed, service is running; MIP64 FileSys Driver ver 5.0.2.21 installed.)

Mount Image Pro v5 has numerous other features including
...file types contained in the Forensic Explorer signature list.

3. Extension Mismatch: The Extension Mismatch column alerts the forensic investigator to any files where the identified signature does not match the current extension. These files are worthy of closer examination to determine the underlying reason.

Results of a file signature analysis are shown in Figure 206 below.

Figure 206: File System module columns relating to file extension (File List with columns Filename, Extension and File Signature; sample entries: apple pie.XLS, apple and rhubarb crumble.DOC, Baileys cheesecakes.PPT, Bolognese sauce.PDF, Orange Cats.JPG, CatsB3 CharlieTuna.JPG, CatsB1 Corduroy.JPG)

Chapter 23 Data Recovery

In This Chapter
23.1 Data Recovery Overview
23.3.1 NTFS deleted files
23.3.3 NTFS Recover Folders
23.4.1 Carving advantages and limitations
23.4.2 Foren
...carving engine capable of carving more than 300 file types.

To run a file carve using the Forensic Explorer file carving engine:

1. Switch to the File System module.
2. Click the File Carve button on the ribbon.

Figure 219: File System module File Carve button

The File Carving selection window, shown in Figure 220, will open.

Figure 220: File carving file signature selection window (Name: Carve 1; Source: Unallocated space, 4 items, 6.30 GB (6,764,023,296 bytes); Checked items: 0 items, 0 bytes; Search Mode; File types to carve, grouped as Microsoft Office, Camera, Music, Internet, Graphics, Documents, Archives, Multimedia, Databases and Financials, Text, Windows)

CARVE NAME

The carve name is the name of the folder which holds the carve results. This folder is displayed in the Folders view of the File System module. The default name, Carve 1, can be edited during setup of the search.

Figure 221: File Carve results (Folders view of the File System module, showing the carve folder under the Lexar 7GB USB MKII.E01 evidence item, Local Time)
...ion
Image File Type: EnCase v6.10 Compression; Image Type: Best
Case Name: 4285
Evidence Number: USB1
Unique Description: 2 GB USB drive located on office desk
Examiner: Graham Henley
Notes: Case 4285 2 GB USB drive
Image started at: 4/05/2011 11:45:50 PM
Image finished at: 4/05/2011 11:50:25 PM
Elapsed time: 00:04:34
GUID: D6BF98CA-F3EA-4BBD-88A9-C5E5B07D8600
Actual Source MD5Hash: 94ED73DA0856F2BAD16C1D6CC320DBFA
Source SHA1Hash: d11d009c71c089dfcdb3dabad4c4014078c15183
Source SHA256Hash: 3370edc5662703534d3ad539d49bcc7f0ca86f559b7faa3c4dc7f7290056d039
Verify MD5Hash: 94ED73DA0856F2BAD16C1D6CC320DBFA
Verify SHA1Hash: d11d009c71c089dfcdb3dabad4c4014078c15183
Verify SHA256Hash: 3370edc5662703534d3ad539d49bcc7f0ca86f559b7faa3c4dc7f7290056d039
Acquisition completed
MD5 acquisition and verification hash: Match
SHA1 acquisition and verification hash: Match
SHA256 acquisition and verification hash: Match

6.2.9 BAD SECTORS AND ERROR REPORTING

Disk errors can occur during the image process due to a problem with the entire drive or a problem isolated to specific sectors. If a bad sector is identified, Forensic Imager writes 0s for the data that cannot be read and logs the location of bad sectors in the event log as they are found.

Chapter 7 Forensic Explorer Interface

In This Chapter
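The bad-sector handling and the acquisition/verification hash comparison described above, as an added Python example that is not Forensic Imager's code. The device, its sector contents and the two failing sectors are constructed for the demonstration.

```python
"""Added example (not Forensic Imager's code): zero-fill unreadable sectors,
log their locations, then verify the image hash against the acquisition hash."""
import hashlib
from typing import Dict, List, Sequence, Tuple

SECTOR_SIZE = 512
HASH_ALGORITHMS = ("md5", "sha1", "sha256")


class UnreadableSector(IOError):
    """Raised by the device when a sector cannot be read."""


class FakeDevice:
    """Constructed stand-in for a drive behind a write blocker.

    `bad` lists sector numbers whose reads fail, simulating disk errors.
    """

    def __init__(self, sectors: Sequence[bytes], bad: Sequence[int] = ()):
        if any(len(s) != SECTOR_SIZE for s in sectors):
            raise ValueError("every sector must be exactly SECTOR_SIZE bytes")
        self._sectors = list(sectors)
        self._bad = set(bad)

    @property
    def sector_count(self) -> int:
        return len(self._sectors)

    def read_sector(self, number: int) -> bytes:
        if number in self._bad:
            raise UnreadableSector(f"I/O error reading sector {number}")
        return self._sectors[number]


def acquire(device: FakeDevice) -> Tuple[bytes, Dict[str, str], List[int]]:
    """Image every sector of `device`.

    A sector that cannot be read is replaced by zeros in the image and its
    number is appended to the bad-sector log, as 6.2.9 describes.
    Returns (image bytes, acquisition hashes, bad-sector log).
    """
    hashers = {name: hashlib.new(name) for name in HASH_ALGORITHMS}
    image = bytearray()
    bad_sectors: List[int] = []
    for number in range(device.sector_count):
        try:
            data = device.read_sector(number)
        except UnreadableSector:
            data = bytes(SECTOR_SIZE)      # write 0s for the unreadable sector
            bad_sectors.append(number)     # log its location
        image += data
        for h in hashers.values():
            h.update(data)
    return bytes(image), {n: h.hexdigest() for n, h in hashers.items()}, bad_sectors


def verify(image: bytes, acquisition_hashes: Dict[str, str]) -> Dict[str, bool]:
    """Re-hash the stored image and compare with the acquisition hashes.

    True means "Match" for that algorithm. Note what a Match proves: the image
    equals the data the imager wrote. Zero-filled sectors went into both hashes,
    so a Match says nothing about those sectors' original content; the
    bad-sector log is the record of where the image differs from the media.
    """
    return {name: hashlib.new(name, image).hexdigest() == digest
            for name, digest in acquisition_hashes.items()}


def constructed_device() -> FakeDevice:
    """Eight sectors of recognisable content; sectors 3 and 5 fail to read."""
    sectors = [bytes([i]) * SECTOR_SIZE for i in range(1, 9)]
    return FakeDevice(sectors, bad=(3, 5))


if __name__ == "__main__":
    image, hashes, bad = acquire(constructed_device())
    print("bad sectors logged:", bad)
    for name, digest in hashes.items():
        print(f"{name} acquisition hash: {digest}")
    for name, ok in verify(image, hashes).items():
        print(f"{name} acquisition and verification hash: {'Match' if ok else 'MISMATCH'}")
```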
...is added to a case. File dates and times are adjusted according to the time zone from which the device or forensic image originates. The default setting is to process the image according to Local Time, that is, the time zone setting on the forensic analysis computer. If the device or forensic image originates from the same time zone as the forensic analysis computer then usually no adjustment is required. If the device or forensic image is collected from a different time zone, change the Time Zone setting to the source location in order to display file dates and times according to that location.

Note: Dealing with date and time issues in computer forensics is complex. Additional date and time adjustments can be made from the File System module once the evidence has been added. Refer to Chapter 20 for further information.

Figure 116: Adjust Time Zone Settings when adding evidence (TimeZone Name: AUS Eastern Standard Time, 600 mins; Daylight Savings: AUS Eastern Daylight Time, 660 mins; STD / DLS Bias: 600 / 660 minutes)

10.6 ADDING ADDITIONAL EVIDENCE TO A CASE

Once added, a device, image or registry file will appear in the Evidence field of the Evidence module, as shown in Figure 117 below.

Figure 117: Evidence module Evidence list
...it allows the forensic investigator to work with unique files only. When the Find duplicate files option is checked, a new column titled Duplicate is created in the File System > File List view (to learn how to add this column to the File System > File List, see 9.8). If the column contains the text Yes, it means that during the hash process a file with an identical hash value has already been located; the entry in the Duplicate column for the first file found with a unique hash remains blank.

Figure 196: Identifying duplicate files (File List columns Filename, Duplicate and Hash (MD5); four copies of the same .JPE file share one MD5 value, the first has a blank Duplicate entry and the other three show Yes)

A Hash Method must be selected before Find duplicate files can be used. If multiple hash methods are selected during the hash process, for example MD5, SHA1 and SHA256, the duplicate hash comparison is made using the strongest hash, in this example SHA256.

To locate only unique files in a case, or inversely to locate only files that are duplicates, it is necessary to apply a filter. For example, a Text Typing filter (see 9.11.2) or a Folders Filter (see 9.11.4) can be used. Once the de-duplicated list is shown, the unique items can be chec
...week period to have the new daylight savings time applied.

Caution: This will apply to all dates and times in this four-week period, even those in 2006 and prior.

20.6 ADJUSTING DATE IN FORENSIC EXPLORER

The default date and time settings applied by Forensic Explorer are those of the examiner's computer. When examining an NTFS or HFS file system, in order to view dates and times according to the time zone of the location of the subject computer, it is necessary to set the date and time settings to that location (given that time settings were confirmed to be accurate at the time of acquisition). For example, your forensics lab and computer are located in Texas, USA:
• Evidence1.E01 is from New York. Adjust the Time Zone to USA EST to show New York time.
• Evidence2.E01 comes from Los Angeles. Adjust the Time Zone to USA PST to show Los Angeles time.

File dates and times can be adjusted for each piece of evidence as it is added to a case. For information on adding evidence to a case see section 10.4 Adding evidence. The default Forensic Explorer setting is to process the image according to local time, that is, the time zone setting on the forensic analysis computer. If the device or forensic image originates from the same time zone as the forensic analysis computer then usually no adjustment is required. If the device or forensic image is col
...checked, and then subsequent operations performed on checked files only.

21.6 HASH SETS

A Hash Set is a store of hash values for a specific group of files. The hash values are a digital fingerprint which can then be used to identify a file and either include or exclude the file from future analysis. Hash Sets are often grouped in the forensic community into Good Hash Sets (operating system files, program installation files, etc.; these are also often referred to as Known files) and Bad Hash Sets (virus files, malware, Trojans, child pornography, steganography tools, hacking tools, etc.; these are often referred to as Notable files).

Hash Sets have two essential uses:

1. To reduce the size of a data set and speed up an investigation. A Hash Set that eliminates known operating system and program installation files allows the examiner to quickly focus on electronic files created by the user, which are likely to be the subject of the investigation.

2. To quickly identify specific files relevant to a case. If the investigator is attempting to locate the presence of a group of known files, applying their hash values to the case will quickly and positively identify them in the data set.

Forensic Explorer supports the following types of Hash Sets:

.db3 or .edb3: The Forensic Explorer Hash Set SQLite database format. The .edb3 extension is for an encrypted file from a third party supplier, e.g. www.hashsets.com
Triage bookmarks were created when the evidence was added to the case and the Triage option was run from the evidence processing window (see Evidence Processor on page 123 for more information). If the triage option was not selected, or there were no bookmarks found, the Triage report will contain blank fields.

To use a different report as default:

1. In the Reports tree, click the New button and select Set Default from the drop-down menu.
2. Choose the desired report from the list.

Any new case will now show the selected report as the default.

OPEN A NEW REPORT

All new reports are created from a template. Templates are located in the profile My Documents\Forensic Explorer\Reports\Templates folder. These templates are accessible for any case.

To open a new report:

1. Click on the New button in the toolbar.
2. Select the desired report from the drop-down menu.

The report is loaded from a template and added to the Report tree; click on the report name to preview its content. Once a report has been added to a case it becomes part of that case. It will remain with the case until such time as the report is deleted.

17.3.2 REPORT NAME, GROUPS AND SECTIONS

A report consists of the following components:

Report Name: Click on the report name to preview the entire
Chapter 20 Date and Time

In This Chapter
20.1 Date and time in computer forensics
20.2 FAT, HFS, CDFS file system date and time
20.3 NTFS, HFS file system date and time
20.4 Date and time information in the Windows registry
20.4.1 Manually examine registry for time zone information
20.4.2 Extract time zone information using a script
20.6 Adjusting Date in Forensic Explorer
20.6.1 Adjusting the date and time when adding evidence
20.6.2 Adjusting evidence date and time during a case
20.6.3 Synchronizing time zones

20.1 DATE AND TIME IN COMPUTER FORENSICS

Timestamps are often impo
...all search results within that keyword search folder will be deleted.

To delete a keyword:

1. Right-click on the keyword.
2. Select Delete Keyword(s) from the drop-down menu.

The same procedure is used to delete a keyword group (a folder containing multiple keywords).

A difference in the number of keyword hits can occur between Forensic Explorer and EnCase v7. This is due to the way each program deals with deleted files. For example:

On a FAT32 system, EnCase treats a deleted file as having 1 allocated cluster (the starting cluster is located in the directory entry of the file). If a keyword is located in this first cluster, the hit is attributed to that file. Subsequent hits in the remaining clusters are identified as belonging to unallocated space.

On the same FAT32 system, Forensic Explorer identifies any search hit within the group of clusters attributed to a deleted file as belonging to that file, and the file name appears in the Keyword Result List. In addition to this, as the space occupied by a deleted file is treated by the Windows operating system as unallocated clusters, Forensic Explorer also attributes the same search hits to unallocated clusters.

12.4 KEYWORD RESULT LIST

When a keyword is highlighted, or a group of keywords is branch plated in the Keyword Tree, any files which contain the keyword
...Koala.JPG, the following additional disk information is needed:

1. Bytes per sector; and
2. Sectors per cluster.

This information is available by decoding the Volume Boot Record (VBR) with the Filesystem Record view.

Filesystem Record view of the FAT32 VBR (columns Property, Value, Raw Value; fields shown: Type FAT32 VBR, Record 32/256, JMP Instructions EB 58 90, OEM name MSDOS5.0, Bytes per sector, Sectors per cluster, Reserved sectors, Number of FATs, Number of root entries, Number of sectors (16-bit), Media, Sectors per FAT, Sectors per track, Heads 255, Hidden sectors 63, Number of sectors (32-bit) 4,064,382)

To determine the number of clusters used by Koala.JPG the calculation is:
• File size 780,832 bytes / 512 bytes per sector = 1525.06 sectors
• 1525 sectors / 8 sectors per cluster = 190.63 clusters

The number of clusters that can be attributed to Koala.JPG is 191. The file therefore starts at cluster 492 and finishes at the end of cluster 682.

To see this information in Forensic Explorer, switch to the File Extent view, which details the byte, sector and cluster positions of the file:

Cluster Start: 492
Cluster End: 682
Cluster Length: 191
Sector Start: 11941
Sector End: 13468
Sector Length: 1528

Highlighting the sectors in Disk view reveals the following picture:

Figure 211: Disk view of Koala.JPG

Recover Folder
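The Koala.JPG arithmetic above, as an added Python example that is not GetData's code. It generalises the walkthrough to any file size and start cluster (whole clusters needed, cluster and sector extent of an unfragmented file, and the slack bytes left in the last cluster). The data-area start sector (8021) is an assumption back-calculated from the Sector Start of 11941 quoted above for cluster 492; the VBR extract does not state it directly.

```python
"""Added example (not Forensic Explorer's code): FAT cluster arithmetic for a file."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class FatGeometry:
    bytes_per_sector: int
    sectors_per_cluster: int
    # LBA of the first data cluster (cluster 2). Assumed value for the Koala.JPG
    # volume, back-calculated from Sector Start 11941 for cluster 492.
    data_area_first_sector: int

    @property
    def cluster_size(self) -> int:
        return self.bytes_per_sector * self.sectors_per_cluster

    def cluster_to_sector(self, cluster: int) -> int:
        """First sector of a data cluster. FAT numbers data clusters from 2."""
        if cluster < 2:
            raise ValueError("FAT data clusters are numbered from 2")
        return self.data_area_first_sector + (cluster - 2) * self.sectors_per_cluster


@dataclass(frozen=True)
class FileExtent:
    cluster_start: int
    cluster_end: int
    cluster_length: int
    sector_start: int
    sector_end: int
    sector_length: int
    slack_bytes: int   # unused bytes in the final cluster (file slack)


def clusters_for_size(size_bytes: int, geom: FatGeometry) -> int:
    """Whole clusters needed to hold size_bytes; a partly used last cluster still counts."""
    if size_bytes < 0:
        raise ValueError("negative size")
    if size_bytes == 0:
        return 0          # FAT allocates no cluster to an empty file
    return math.ceil(size_bytes / geom.cluster_size)


def file_extent(size_bytes: int, start_cluster: int, geom: FatGeometry) -> FileExtent:
    """Extent of a contiguous file, as File Extent view reports it.

    Assumes the file is unfragmented (a single run of clusters); a fragmented
    file would need its FAT chain walked run by run.
    """
    n = clusters_for_size(size_bytes, geom)
    if n == 0:
        raise ValueError("an empty file has no extent")
    sector_start = geom.cluster_to_sector(start_cluster)
    sector_length = n * geom.sectors_per_cluster
    return FileExtent(
        cluster_start=start_cluster,
        cluster_end=start_cluster + n - 1,
        cluster_length=n,
        sector_start=sector_start,
        sector_end=sector_start + sector_length - 1,
        sector_length=sector_length,
        slack_bytes=n * geom.cluster_size - size_bytes,
    )


# Values from the Koala.JPG walkthrough: 512 bytes/sector, 8 sectors/cluster,
# file size 780,832 bytes, first cluster 492.
KOALA_GEOMETRY = FatGeometry(bytes_per_sector=512, sectors_per_cluster=8,
                             data_area_first_sector=8021)


def koala_extent() -> FileExtent:
    return file_extent(780_832, 492, KOALA_GEOMETRY)


if __name__ == "__main__":
    ext = koala_extent()
    print(f"Clusters {ext.cluster_start}-{ext.cluster_end} ({ext.cluster_length}), "
          f"sectors {ext.sector_start}-{ext.sector_end} ({ext.sector_length}), "
          f"slack {ext.slack_bytes} bytes")
```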
...file carving is essentially file system independent. A file type will exhibit the same file signature and structure under FAT, NTFS, HFS, EXT2 or other file systems and can be data carved accordingly. File carving is also an effective method of recovery when the file system is corrupt or destroyed.

Time Required: A drawback of file carving is that it can take a considerable amount of time to process a large drive. The lower the level of search (i.e. cluster vs. sector vs. byte) and the greater the number of file signatures searched for simultaneously, the longer the search.

False Positives: File carving always brings with it the risk of false positives, where identified file signatures are not true identifiers for the start of a file. Searching at the lower levels of sector and byte may increase the number of false positives because it removes the validation requirement that the signatures must start near cluster boundaries.

Data Fragmentation: Without file system records it is difficult to track a fragmented file. File carving relies on the information contained in the file structure and, to a lesser extent, its on-disk layout.

No Original File Names: As file names are stored only as part of the file system, data carved files cannot be recovered with their original name.

Forensic Explorer has an inbuilt file carv
...file content.

\b  Match a word boundary (start or end of a word)
\w  any alphanumeric character
\W  any non-alphanumeric character
\d  any digit
\D  any non-digit character
\s  any whitespace
\S  any non-whitespace character

Note: The Flag column filter is currently a binary search; it will be upgraded in a future version.

Flags Text Filter
Value  Flags shown
1      Shows column 1 (red) onward
2      Shows column 2 (blue) onward
4      Shows column 3 (yellow) onward
8      Shows column 4 (orange) onward
16     Shows column 5 (green) onward
32     Shows column 6 (pink) onward
64     Shows column 7 (aqua) onward
128    Shows column 8 (brown) onward

The Explorer Tool is applied in a list view and allows navigation of the file system in a similar fashion to Windows Explorer.

To access the Explorer Tool:

1. Right-click on a List view window.
2. From the drop-down menu select Explorer Tool.
3. The Explorer Tool then appears above the List view column headings, as shown in Figure 99 (Explorer Tool) below.

Figure 99: Explorer Tool (File List view with the Explorer Tool path bar showing NIST 4Dell Latitude CPi.E01 > Partition @ 63 > Root > Documents and Settings > All
...collected from a different time zone, change the time zone setting to the source location in order to display file dates and times according to that location, using the TimeZone drop-down menu shown in Figure 187 below.

Figure 187: Adjust Time Zone Settings when adding evidence (TimeZone Name: AUS Eastern Standard Time, 600 mins; Daylight Savings: AUS Eastern Daylight Time, 660 mins; STD / DLS Bias: 600 / 660 minutes)

Time zone settings in a case are displayed in the File System module Folders view next to the device or image. In Figure 188 below the NIST 4Dell Latitude CPi.E01 is currently set at Local Time. Date and time settings can be adjusted whilst a case is in progress. Settings can be applied to a device as well as volumes on a device; for example, if a drive has an NTFS and a FAT partition, date and time adjustments can be made for each.

To adjust date and time settings on a device:

1. In File System Folders view, right-click on the device or a partition and select Modify Time Setting from the drop-down menu, which opens the Time Settings window as shown below.

Figure 188: Adjust time zone settings (Folders view; right-click menu on the Partition @ 63 entry, with Add bookmark, Edit bookmark
...list.

3. Rename the new hash set, and right-click to rename the Identified As text. Click Save to save the Hash Set. The new hash set is created and saved to disk in the current hash set location (the default location is User\Documents\Forensic Explorer\HashSets). Files with the extension .db3 are hash sets created by Forensic Explorer. Files with the extension .edb3 are encrypted files that have been acquired from a third party source and provided for use with Forensic Explorer.

4. The new hash set is now available when the Hash Match button is pressed (refer to 21.9 Apply a Hash Set in a Case, below).

A Flat File Hash Set must:
• Be a plain text file in ANSI format.
• Have an extension of .txt, .md5, .sha1 or .sha256. If the .txt extension is used, Forensic Explorer will determine the type.
• Contain NO blank lines. A blank line identifies the end of the list.

The following file format can be used in order to give meaning to Forensic Explorer column data:

Figure 198: Flat Hash Set format
This is a Flat MD5 Hash Set file        (This is a comment)
Hash Set Name  My MD5 List 1            (HashSet column text)
Identified As  Significant              (HashSet Identified As column text)
83e05311eab2c2d50c2bc6fa219e6905        (The list of hash values)
a526a95fc34e049360755d9f0450d662
b8bca7ac76f0ade815c5c743866293e0
                                        (A blank line ends the list)
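The flat hash set layout of Figure 198, applied together with the duplicate-file rule from 21.5 above (the comparison uses the strongest hash that was computed), as an added Python example that is not Forensic Explorer's code. Its parser makes assumptions the figure does not settle: header lines precede the hashes, a "Hash Set Name" or "Identified As" line is recognised by its leading words whatever separator follows, the hash type is inferred from the hex length, and the first blank line ends the list. The sample files and the sample set are constructed.

```python
"""Added example (not Forensic Explorer's code): parse a flat hash set, match
files against it, and flag duplicates using the strongest hash computed."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence

HASH_STRENGTH = ("sha256", "sha1", "md5")          # strongest first
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX_LINE = re.compile(r"^[0-9a-fA-F]+$")


@dataclass
class FlatHashSet:
    name: str = ""
    identified_as: str = ""
    algorithm: Optional[str] = None
    hashes: set = field(default_factory=set)


def parse_flat_hash_set(text: str) -> FlatHashSet:
    """Parse the layout of Figure 198 (assumptions: see the lead-in)."""
    hs = FlatHashSet()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if hs.hashes:
                break                  # a blank line ends the list
            continue
        if _HEX_LINE.match(line) and len(line) in HEX_LEN_TO_ALGO:
            algo = HEX_LEN_TO_ALGO[len(line)]
            if hs.algorithm is None:
                hs.algorithm = algo    # type determined from the hash length
            elif algo != hs.algorithm:
                raise ValueError(f"{algo} value in a {hs.algorithm} set: {line}")
            hs.hashes.add(line.lower())
            continue
        if hs.hashes:
            raise ValueError(f"non-hash line inside the hash list: {line!r}")
        for label, attr in (("Hash Set Name", "name"), ("Identified As", "identified_as")):
            if line.lower().startswith(label.lower()):
                setattr(hs, attr, line[len(label):].lstrip(" :=\t"))
    if not hs.hashes:
        raise ValueError("no hash values found")
    return hs


def hash_bytes(data: bytes, algorithms: Sequence[str]) -> Dict[str, str]:
    return {a: hashlib.new(a, data).hexdigest() for a in algorithms}


@dataclass
class FileRow:
    filename: str
    hashes: Dict[str, str]
    duplicate: str = ""        # blank for the first file with a hash, "Yes" afterwards
    hash_set: str = ""         # HashSet column text
    identified_as: str = ""    # HashSet Identified As column text


def process_files(files: Dict[str, bytes], algorithms: Sequence[str],
                  hash_set: Optional[FlatHashSet] = None) -> List[FileRow]:
    """Hash each file; duplicates are judged on the strongest selected hash."""
    strongest = next(a for a in HASH_STRENGTH if a in algorithms)
    seen, rows = set(), []
    for name, data in files.items():
        row = FileRow(name, hash_bytes(data, algorithms))
        digest = row.hashes[strongest]
        if digest in seen:
            row.duplicate = "Yes"
        seen.add(digest)
        if hash_set and row.hashes.get(hash_set.algorithm) in hash_set.hashes:
            row.hash_set, row.identified_as = hash_set.name, hash_set.identified_as
        rows.append(row)
    return rows


# Constructed sample files: three identical copies, as in Figure 196, plus one other.
_JPEG_LIKE = b"\xff\xd8\xff\xe0" + b"koala" * 40
SAMPLE_FILES = {"FJ3.JPE": _JPEG_LIKE, "FJ3 (copy).JPE": _JPEG_LIKE,
                "FJ3 (2).JPE": _JPEG_LIKE, "notes.txt": b"unrelated content"}

# Constructed flat set in the Figure 198 layout: the MD5 of notes.txt plus two of
# the values shown in the figure; the line after the blank line must be ignored.
SAMPLE_HASH_SET = "\n".join([
    "This is a Flat MD5 Hash Set file",
    "Hash Set Name  My MD5 List 1",
    "Identified As  Significant",
    hashlib.md5(SAMPLE_FILES["notes.txt"]).hexdigest(),
    "83e05311eab2c2d50c2bc6fa219e6905",
    "a526a95fc34e049360755d9f0450d662",
    "",
    "ignored: after the terminating blank line",
])


def demo() -> List[FileRow]:
    return process_files(SAMPLE_FILES, ("md5", "sha1", "sha256"),
                         parse_flat_hash_set(SAMPLE_HASH_SET))
```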
...small number of large virtual disks out of a large number of small physical ones. A RAID 0 can be created with disks of differing sizes, but the storage space added to the array by each disk is limited to the size of the smallest disk. For example, if a 120 GB disk is striped together with a 100 GB disk, the size of the array will be 200 GB.

RAID 1: RAID 1 is a mirrored set with parity. Typically it consists of two physical drives, one being an exact copy of the other. The RAID array continues to operate so long as at least one drive is functioning. Using RAID 1 with a separate controller for each disk is sometimes called duplexing.

RAID 5: A RAID 5 uses block-level striping with parity data distributed across all member disks. Distributed parity means that if a single drive fails the array is not destroyed. Upon a drive failure, any subsequent drive reads can be calculated from the distributed parity of the functioning drives. A single drive failure in the set will result in reduced performance of the entire set until the failed drive has been replaced and rebuilt.

24.2 PREPARATION

When dealing with RAID drives, care should be taken in the forensic acquisition phase to document as much information as possible as to the RAID configuration. Successful RAID setup in Forensic Explorer will be assisted by knowledge of the following:

• Is i
...installation contains at least two control sets.

REGISTRY TIME ZONE INFORMATION

Once the current control set is identified, time zone information can then be identified in the SYSTEM registry file under the key:
• CurrentControlSet\Control\TimeZoneInformation

as shown in the Forensic Explorer Registry module in Figure 185 below.

Figure 185: Windows registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation (image file NIST Hacking Case; 9 items)
ActiveTimeBias   REG_DWORD    0x0000012C (300)
Bias             REG_DWORD    0x00000168 (360)
DaylightBias     REG_DWORD    0xFFFFFFC4 (4294967236)
DaylightName     REG_SZ       Central Daylight Time
DaylightStart    REG_BINARY   00 00 04 00 01 00 02 00 00 00 00 0
StandardBias     REG_DWORD    0x00000000 (0)
StandardName     REG_SZ       Central Standard Time
StandardStart    REG_BINARY   00 00 0A 00 05 00 02 00 00 00 00 0
(one further REG_BINARY value, its name garbled in the source)

The information in the registry includes:

ActiveTimeBias: The number of minutes offset from UTC for the current system time.
Bias: The number of minutes offset from UTC for the current time zone setting.
DaylightBias: The number of minutes offset from UTC for the
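Decoding these values, as an added Python example that is not GetData's or Microsoft's code. It shows why the DaylightBias of 4294967236 is really -60 (a signed DWORD), turns each bias into the UTC offset the examiner expects, decides from ActiveTimeBias whether daylight time was in effect, and decodes the DaylightStart/StandardStart SYSTEMTIME rule. The DWORD and string values are those of Figure 185; the two REG_BINARY values are rebuilt from the documented SYSTEMTIME layout (first Sunday in April and last Sunday in October, 02:00, the US rule in force before 2007) because the figure's byte dump is truncated.

```python
"""Added example (not GetData's code): interpret TimeZoneInformation registry values."""
import struct
from typing import Any, Dict

WEEKDAYS = ("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")


def reg_dword_to_signed(value: int) -> int:
    """REG_DWORD displays as unsigned, but the bias values are signed 32-bit (LONG):
    0xFFFFFFC4 (4294967236) is really -60."""
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


def bias_to_utc_offset(bias_minutes: int) -> str:
    """Windows defines UTC = local time + bias, so the familiar UTC+/-hh:mm offset is -bias."""
    offset = -bias_minutes
    sign = "+" if offset >= 0 else "-"
    hours, minutes = divmod(abs(offset), 60)
    return f"UTC{sign}{hours:02d}:{minutes:02d}"


def decode_systemtime(raw: bytes) -> Dict[str, Any]:
    """Decode the 16-byte SYSTEMTIME held in DaylightStart / StandardStart.

    Eight little-endian WORDs: year, month, day-of-week (0 = Sunday), day,
    hour, minute, second, milliseconds. With year == 0 the value is a recurring
    rule and 'day' is the occurrence of that weekday in the month (5 = last).
    """
    if len(raw) < 16:
        raise ValueError("SYSTEMTIME needs 16 bytes")
    year, month, dow, day, hour, minute, _second, _ms = struct.unpack("<8H", raw[:16])
    if year == 0 and month == 0:
        return {"rule": "none"}        # zone has no daylight transition
    rule: Dict[str, Any] = {"month": month, "weekday": WEEKDAYS[dow],
                            "time": f"{hour:02d}:{minute:02d}"}
    if year == 0:
        rule["occurrence"] = "last" if day == 5 else str(day)
    else:
        rule["year"], rule["day"] = year, day   # absolute date, not a recurring rule
    return rule


def describe_time_zone(values: Dict[str, Any]) -> Dict[str, Any]:
    """Turn the raw key values into what the examiner wants to know."""
    bias = reg_dword_to_signed(values["Bias"])
    std = reg_dword_to_signed(values["StandardBias"])
    dst = reg_dword_to_signed(values["DaylightBias"])
    active = reg_dword_to_signed(values["ActiveTimeBias"])
    # ActiveTimeBias is the bias in force when the hive was last written; if it
    # equals Bias + DaylightBias the machine was on daylight time at that moment.
    daylight_in_effect = dst != std and active == bias + dst
    return {
        "standard": (values["StandardName"], bias_to_utc_offset(bias + std)),
        "daylight": (values["DaylightName"], bias_to_utc_offset(bias + dst)),
        "current_offset": bias_to_utc_offset(active),
        "daylight_in_effect": daylight_in_effect,
        "daylight_starts": decode_systemtime(values["DaylightStart"]),
        "standard_starts": decode_systemtime(values["StandardStart"]),
    }


# Constructed from Figure 185 (NIST Hacking Case). DWORDs and strings as displayed;
# the REG_BINARY values are rebuilt (assumption) as first Sunday in April 02:00
# and last Sunday in October 02:00, since the figure's byte dump is truncated.
NIST_HACKING_CASE_TZ = {
    "ActiveTimeBias": 0x0000012C,
    "Bias": 0x00000168,
    "DaylightBias": 0xFFFFFFC4,
    "StandardBias": 0x00000000,
    "DaylightName": "Central Daylight Time",
    "StandardName": "Central Standard Time",
    "DaylightStart": struct.pack("<8H", 0, 4, 0, 1, 2, 0, 0, 0),
    "StandardStart": struct.pack("<8H", 0, 10, 0, 5, 2, 0, 0, 0),
}

if __name__ == "__main__":
    for key, value in describe_time_zone(NIST_HACKING_CASE_TZ).items():
        print(f"{key}: {value}")
```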
...lly imaged RAID media, including software and hardware RAID: JBOD, RAID 0 and RAID 5.

Hashing: Apply hash sets to a case to identify or exclude known files. Hash individual files for analysis.

Keyword search: Sector-level keyword search of entire media using RegEx expressions.

Keyword index: Built-in DTSearch index and keyword search technology.

Bookmarks and Reporting: Add bookmarks to identify evidence and include bookmarks in a custom report builder.

Data Recovery and Carving: Recover folders and files. Use an inbuilt file carving tool to carve more than 300 known file types, or script your own.

File Signature Analysis: Validate the signature against the file extension.

Export to LEF: Export a subset of files in a case to a LEF (Logical Evidence File).

Chapter 2 30 Day Evaluation Version

In This Chapter
2.1 30 day evaluation version
2.2 Activating the 30 day evaluation version
2.2.1 Online Activation (30 day evaluation)
2.2.2 Offline Activation (30 day evaluation)
...lorer.com (buttons: Continue Evaluation, Buy Online)

2.2.2 OFFLINE ACTIVATION (30 DAY EVALUATION)

Where the computer on which the software is being installed is not connected to the internet, a separate internet-connected computer can be used to activate. The activation process involves:
• Exporting a license file from the software;
• Uploading the license file, together with your purchase email address and license key, at a web site using any internet-connected computer;
• Downloading the validated license file and importing it back into the software.

To activate an offline computer:

1. Click the Offline Activation button and click Next.

Figure 4: Activation wizard (Online Activation: an automated process that requires an internet connection; no personal information is sent. Offline Activation: a manual process which can be used if internet access is limited.)

2. Click on the Export button to export and save the license file (GetData.GDActRequest).

Figure 5: Offline activation (evaluation version), export of license file (Upload your license file, license key and email address at the following website: getdata.com/offline)

3. Using a web browser on any internet-connected computer, go to http://getdata.com/offline or https://se
...following exercises provide examples of how to design basic report templates. In order to work through the exercises below it is necessary to have a basic understanding of how to create a case, add evidence and bookmark files.

To prepare for the exercises:

STEP 1: START A CASE AND BOOKMARK FILES
a. In the Evidence module, create a new case, adding a forensic image that contains JPG files.
b. In the File System module, select a group of JPG files, right-click and Add Bookmark.
c. In the Add Bookmark window, add the files to the Pictures bookmark folder.
d. Switch to the Bookmarks module.
e. Review the Pictures bookmark folder to ensure that it contains the bookmarked files.

STEP 2: CREATE A NEW BLANK REPORT
a. Switch to the Reports module.
b. In the Reports tree, select New > Blank Report.

Exercise 1: Reporting on a single bookmarked item

OBJECTIVE

In this exercise, create a report on a single file bookmarked in the My Bookmarks\Pictures folder. The example here is Orange Cat 4.JPG.

Figure 164: Reporting on a single bookmarked file, finished report output (Filename: Orange Cat 4.JPG; Accessed: 14 Mar 12 9:37:12 PM; Created: 17 May 12 2:01:22 PM; Modified: 14 Mar 12 9:37:12 PM; Path: Exercise Creating Report Templates\Lexar ...)

STEP 1 & 2
...m files. A keyword search can locate byte-level fragments of data. Text translations allow the investigator to search for keywords in different languages.

Disadvantages of a Keyword Search

A keyword search can be time intensive. The volume of data being searched, the number of keywords and the speed of the computer hardware on which the search is run will influence the duration of the search. Each new keyword or set of keywords requires a new search. Because a search can be time intensive, keyword lists need to be carefully constructed so that they locate relevant data and limit false hits. When data is not in raw text format (for example, a compressed file), keywords will not be located; the same applies to text stored in an encoding that the keyword's code page selection does not cover.

The keyword search module is broken down into the following four sections:
1. Keyword Management: used to create and manage keywords and keyword groups.
2. Keyword Tree: lists the search results for each keyword, including the number of keyword hits.
3. Keyword Result List: lists the files containing the keyword hits and previews the text around the keyword.
4. Data Views: displays the file in which the keyword hit(s) was found.

These are shown in Figure 126 below.

Figure 126: Keyword Search module
[Figure: File System tree showing 12 Days of Christmas.docx under the mounted shadow copies of Partition @ 2048]

Once a VSC is mounted in the File System module it is possible to operate on it as you would a normal volume, including keyword search, indexing etc.

Chapter 26 Mount Image Pro

In This Chapter

CHAPTER 26 MOUNT IMAGE PRO
26.1 Mount Image Pro ... 298
26.1.1 Install and run Mount Image Pro ... 298

26.1 MOUNT IMAGE PRO

Your Wibu dongle purchased with Forensic Explorer also contains a license key for Mount Image Pro v5. Mount Image Pro is software used to mount forensic image files as a drive letter or physical drive on your forensic workstation. This allows users to:
- Browse the contents of an image file in programs such as Windows Explorer
- Run third-party applications such as virus scanners, spyware scanners, cache analyzers etc. over the mounted evide...
...me FAT

LOCATING DATA FOR A DELETED FILE ON DISK

The following example details the methodology used by Forensic Explorer to identify and locate deleted files on a FAT formatted disk. In Figure 208 below the parent folder of the file Koala.JPG is highlighted in Folders view.

Figure 208: Animals folder selected in Folders view. (Tree: FAT32 Photos.E01 > Partition @ 63 NO NAME > Orphaned, Root > Aquatic, Birds > Cranes, Flamingos; Flowers; Landscape. Files in the Animals folder: African Elephant, Buffalo, Koala.JPG, PIGS.JPG, REDPANDA.JPG and the deleted entry _UNNY.JPG.)

The directory entries for the parent are displayed in Hex view.

Figure 209: Animals directory showing 32-byte directory entries. (Hex dump residue removed. The text column shows the long-name fragments "ant.jpg" and "African Eleph" followed by their 8.3 entry AFRICA~1.JPG, then the long-name fragment "Buffalo.jpg" with BUFFALO.JPG, then åUNNY.JPG, KOALA.JPG, PIGS.JPG, REDPANDA.JPG and the AQUATIC subdirectory. The deleted entry reads åUNNY.JPG because the first byte of its name has been overwritten with 0xE5, which displays as å in the text column and as _ in the file list; the rest of the entry, including the start cluster and file size, is intact.)
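The directory walk described above, as an added worked example that is not Forensic Explorer's own code: it parses 32-byte FAT directory entries, stitches long-file-name fragments such as the "ant.jpg" / "African Eleph" pair visible in Figure 209 back onto their 8.3 entry, recognises the 0xE5 deletion marker, and turns the entry's start cluster into a sector address on disk. The directory bytes and the volume geometry (512-byte sectors, 8 sectors per cluster, data area beginning at sector 16384) are constructed for the example and are assumptions, not values from the manual's image.

```python
"""Locate the on-disk data of a deleted file from FAT 32-byte directory entries.

Added example, not Forensic Explorer code. The directory bytes and the
volume geometry below are constructed for illustration.
"""
import math
import struct

BYTES_PER_SECTOR = 512
SECTORS_PER_CLUSTER = 8        # assumed: 4 KiB clusters
FIRST_DATA_SECTOR = 16384      # assumed: sector at which cluster 2 begins
DELETED_MARK = 0xE5            # first name byte of a deleted entry ('å' in Latin-1)
ATTR_LFN = 0x0F                # attribute value of a long-file-name fragment


def sfn_entry(name, ext, first_cluster, size, attr=0x20, deleted=False):
    """Build an 8.3 entry: name[8] ext[3] attr, 8 bytes of timestamps,
    cluster-high word, 4 bytes of timestamps, cluster-low word, file size."""
    raw = bytearray(struct.pack("<8s3sB8xH4xHI",
                                name.ljust(8).encode("ascii"),
                                ext.ljust(3).encode("ascii"), attr,
                                first_cluster >> 16, first_cluster & 0xFFFF, size))
    if deleted:
        raw[0] = DELETED_MARK  # deletion only overwrites the first name byte
    return bytes(raw)


def lfn_entry(seq, text, last=False):
    """Build one LFN fragment: 13 UTF-16LE chars split across offsets 1, 14 and 28
    (checksum byte left as 0; a real volume ties it to the 8.3 name)."""
    chars = (text + "\x00").ljust(13, "\uffff").encode("utf-16-le")
    return (bytes([seq | (0x40 if last else 0)]) + chars[0:10]
            + bytes([ATTR_LFN, 0, 0]) + chars[10:22] + b"\x00\x00" + chars[22:26])


def parse_directory(data):
    """Walk 32-byte entries and return one dict per 8.3 entry with its data location."""
    files, pending_lfn = [], {}
    cluster_bytes = BYTES_PER_SECTOR * SECTORS_PER_CLUSTER
    for off in range(0, len(data) - len(data) % 32, 32):
        raw = data[off:off + 32]
        if raw[0] == 0x00:
            break                                   # never-used slot: end of directory
        if raw[11] == ATTR_LFN:
            # A deleted fragment has lost its sequence byte; fall back to the order
            # on disk (fragments are stored last-first), otherwise key on the sequence.
            seq = raw[0] & 0x1F if raw[0] != DELETED_MARK else 0x1F - len(pending_lfn)
            frag = (raw[1:11] + raw[14:26] + raw[28:32]).decode("utf-16-le")
            pending_lfn[seq] = frag.split("\x00")[0]
            continue
        deleted = raw[0] == DELETED_MARK
        base = raw[0:8].decode("latin-1").rstrip()
        ext = raw[8:11].decode("latin-1").rstrip()
        short = ("?" + base[1:] if deleted else base) + ("." + ext if ext else "")
        long_name = "".join(pending_lfn[k] for k in sorted(pending_lfn)) or None
        pending_lfn = {}
        clus_hi, = struct.unpack_from("<H", raw, 20)
        clus_lo, = struct.unpack_from("<H", raw, 26)
        size, = struct.unpack_from("<I", raw, 28)
        first_cluster = (clus_hi << 16) | clus_lo
        files.append({
            "name": long_name or short,
            "short_name": short,
            "directory": bool(raw[11] & 0x10),
            "deleted": deleted,
            "first_cluster": first_cluster,
            "first_sector": FIRST_DATA_SECTOR + (first_cluster - 2) * SECTORS_PER_CLUSTER,
            "clusters": math.ceil(size / cluster_bytes),   # assumes a contiguous file
            "size": size,
        })
    return files


def find_deleted(data):
    """Deleted entries only: the FAT chain is gone, so the start cluster and size are
    all that remain; on FAT32 the high cluster word may also have been zeroed."""
    return [f for f in parse_directory(data) if f["deleted"]]


# Constructed "Animals" directory, modelled on the entries visible in Figure 209.
SAMPLE_DIR = b"".join([
    sfn_entry("AQUATIC", "", 90, 0, attr=0x10),
    lfn_entry(2, "ant.jpg", last=True),
    lfn_entry(1, "African Eleph"),
    sfn_entry("AFRICA~1", "JPG", 95, 150000),
    sfn_entry("BUFFALO", "JPG", 100, 20000),
    sfn_entry("BUNNY", "JPG", 110, 9000, deleted=True),
    sfn_entry("KOALA", "JPG", 120, 5000),
    b"\x00" * 32,
])

if __name__ == "__main__":
    for entry in find_deleted(SAMPLE_DIR):
        print(f"{entry['short_name']}: start cluster {entry['first_cluster']}, "
              f"sector {entry['first_sector']}, {entry['clusters']} cluster(s) assumed")
```

The cluster count is the only part that is a guess: once an entry is deleted its FAT chain is released, so the recovery reads `size` bytes from `first_sector` on the assumption the file was contiguous, and a fragmented file will come back partly wrong. Check the recovered data against its signature before relying on it.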
...n the field of computer forensics software, and whose products and terminology have become synonymous with forensics, include:
- Guidance Software (www.guidancesoftware.com): EnCase
- AccessData (www.accessdata.com): Forensic Tool Kit (FTK)
- X-Ways Forensics (http://www.winhex.com): X-Ways Forensics

29.3 LICENSE AGREEMENT

GetData Forensics Pty Ltd (ACN 143458039) ("GetData") is the developer of the software program Forensic Explorer. Permission to use Forensic Explorer and/or its documentation (the "Software") is conditional upon you agreeing to the terms set out below. By installing or otherwise using the Software you agree to be bound by the terms of this agreement. If you do not wish to accept the terms, do not install or use the Software.

GetData is and remains the exclusive owner of the Software. You acknowledge that copyright in the Software remains at all times with GetData. Unauthorized copying or modification of the Software will entitle GetData to immediately terminate this Agreement.

A single license of the software permits you to use the Software on a single computer. In the event that you have purchased multiple licenses, you may install and use the Software concurrently on multiple computers equivalent to the number of licenses that you have purchased. Unless you have purchased multiple licenses, this license does not permit you to load or use the Software on a network server or similar device which permits access by...
...n v2.3.6.3518 the Evidence module Preview button is no longer displayed by default. To display the preview button, in the Forensic Explorer drop-down menu select Options > and check Show Preview button. The option is stored in a registry key and need only be set once.

Figure 100: Preview button in the Evidence module

When the preview button is clicked:
- A unique preview working folder is created using a Global Unique Identifier (GUID) in the following path: C:\Users\Graham\Documents\Forensic Explorer\Previews\<GUID>, e.g. 8709A41C-38B6-4F9E-BA18-633B394721C5
- The evidence window in the Evidence module identifies that a preview is in progress with the words Case Preview. The Add Group, Device, Image, File and Remove buttons become active in preparation for adding evidence to the preview, as shown in Figure 101 below.

Figure 101: Evidence Tree in the Evidence module identifying a Preview. (Tree: Case Preview > Image: Lexar 7GB USB ED1.E01, with Add device, Add image, Add file and Add group buttons. Properties shown: Device Type Disk Image; Device Size 7.47 GB; Original Filename E:\GH Forensic Images\EXA...; Image Type Encase; IsLogical No; Encase Examiner Graham Henley; Encase Case Number LEXAR USB 1.)

For information on adding evidence to a preview see...
...nal Forensic Explorer maintenance online:
1. Visit the following web page: http://www.forensicexplorer.com/buy-forensic-explorer.php
2. Select the option to purchase maintenance renewal for existing Forensic Explorer dongles.
3. Complete the checkout process.

Forensic Explorer maintenance is sold in increments of 1 year. A purchase of two years maintenance can be used to extend a single dongle's maintenance by two years. To apply the maintenance update to your dongle, follow the instructions in 5.3 Applying maintenance updates to your Wibu dongle.

Chapter 4 Installation

In This Chapter

CHAPTER 4 INSTALLATION
4.1 System Requirements ... 29
4.2 [title unreadable] ... 29
4.3 [title unreadable] ... 29
4.3.1 Install ... 31
4.3.2 Non-English installation ... 33
4.4 Uninstall Forensic Explorer ... 34

4.1 SYSTEM REQUIREMENTS

Forensic Explorer requires:
- Windows XP, 2003, Vista, Win 7, 2008
- Pentium IV 1...
...name in the second set of braces.

25.2 EXAMINING SHADOW COPIES WITH FORENSIC EXPLORER

To mount a Volume Shadow Copy (VSC) in Forensic Explorer:
1. In the Forensic Explorer Evidence module, start a preview, a new case, or load an existing case.
2. Switch to the File System module to view the files in the case.
3. Click on the Shadow Mount button in the File System module toolbar.

Figure 225: Shadow Mount button in the File System Toolbar

4. The Forensic Explorer Volume Snapshot Mount window will open and list the available VSCs for the selected volume, as shown in Figure 226 below.

Figure 226: Volume Snapshot Mount Window
Available Volumes: Partition @ 2048
List of Snapshots (Date, Name; the names are shadow copy GUIDs, reproduced as printed):
- 19 Jul 13 7:57:51 AM   IC678AEFD F000 11 2 938F 005056C00008
- 19 Jul 13 7:51:19 AM   C678AEFEF000 11E2 93BF 005056C00008
- 19 Jul 13 7:46:12 AM   C678AEDE F000 11E2 93BF 005056C00008
- 19 Jul 13 7:42:27 AM   C6784ED0 F000 11E2 93BF 005056C00008
- 19 Jul 13 7:40:13 AM   C678AEC2F000 11E2 93BF 005056C00008
- 19 Jul 13 7:37:52 AM   C6784EB4 F000 11E2 93BF 005056C00008
- 19 Jul 13 7:34:04 AM   C678AEA6 F000 11E2 93BF 005056C00008
- 19 Jul 13 7:29:47 AM   C678AF98 F000 11F2 93BF 005056C00008
- 19 Jul 13 7:26:59 AM   C678AF8A F000 11F2 93BF 005056C00008
- 19 Jul 13 7:24:38 AM   C678AE7C FO00 11F2 93BF...
...nature Analysis ... 260
22.2 Why run file signature analysis ... 260
22.3 Running a file signature analysis ... 260
22.4 Examine the results of a file signature analysis ... 262

Chapter 22 File Signature Analysis

22.1 FILE SIGNATURE ANALYSIS

Signature analysis is the process of identifying a file by its header rather than by other means such as the file extension. The International Organization for Standardization (ISO) has published standards for the structure of many file types. The standards include a file signature, a recognizable header which usually precedes the file data and assigns a file to a specific type (e.g. a JPEG).

For example, shown in Figure 204 below is the beginning of a photo taken with a digital camera. It is identified as a JPEG by the file header ÿØÿà, or in hex FF D8 FF E0 00. Only the first three bytes (FF D8 FF) are fixed for every JPEG; the fourth byte is the first marker segment, E0 for a JFIF header and E1 for an Exif header, so a check that insists on FF D8 FF E0 will miss many camera files.

Figure 204: JPEG file signature

Identifying a file by its signature is a more accurate method of classification than using the file extension (e.g. .jpg), as the extension can easily be altered.

22.2 WHY RUN FILE SIGNATURE ANALYSIS

File signatures are an important part of the examination process because they give the investigat...
...nce files
- Run third-party programs on the physical drive, such as Virtual Forensic Computing (www.virtualforensiccomputing.com), used to boot an image of a Windows file system in a virtual environment.

Once an image is mounted these actions are read-only and forensically secure, as the contents of the image file will not be changed.

Mount Image Pro v5 is a stand-alone application available for download from www.mountimage.com or http://download.getdata.com/MIP-Setup.exe

Note: Your Forensic Explorer dongle will NOT activate Mount Image Pro versions prior to version 5.

Download and run the setup file and follow the on-screen installation instructions. Run Mount Image Pro v5 from the desktop icon. Ensure that the dongle is inserted to activate the product (when activated, the red Buy Online button will not show in the program toolbar).

To mount an image file:
1. Click the Mount button in the program toolbar.
2. In the Drive Selection window, select the image file or physical device to mount. If the image file is not listed, click the Add Image button and select and add the image to the available devices list. Then click the Mount Disk or Mount File System button.

Mount Disk: The Mount Disk option is used to mount an image file and display the physical disk and/or partitions as if the physical drive were connected to the local computer. Windows is responsible for reading the file system and displaying the f...
...nected to a computer for the first time and synced with iTunes, a folder is created using the unique device ID (UUID). These iTunes Backup folders are very distinctive in that they are 40 hexadecimal characters long. iTunes Backups can be processed with Forensic Explorer.

Keyword: A keyword is a string of data created by the forensic examiner so that the case can be searched for instances of that data (a keyword search). A keyword can be an actual word, but can also be raw data. Complex keywords are usually created using RegEx expressions.

LEF: See Logical Evidence File.

LFN: Long File Name refers to a file or folder on a FAT file system which has a name greater than 8 characters (and 3 for the file extension), or one which contains special characters. The storage of the additional file name information makes it necessary for Windows to create an additional LFN directory entry (or entries) to hold the extra information.

Link files: Link files (.lnk) are Microsoft Windows shortcut files. Link files have their own metadata and can provide valuable information about files stored on the computer.

Live Boot: Live Boot is a component of Forensic Explorer that enables an investigator to boot a forensic image or write-protected physical hard drive. The investigator can then operate the computer in a real-time, forensically sound virtual environment. The boot process is achieved through an integration of Mount Image Pro and VMware.

Logical Evidence File: A Logical Evidence File is a forensic image con...
...nning installed software is a fast and effective way to quickly profile computer use. Live Boot also offers a compelling means of presenting digital evidence to a client, prosecutor or court. Demonstrating a live running computer can be an effective means of conveying complex evidence in a way that is easily understood.

27.2 REQUIREMENTS

Live Boot has the following requirements:

Forensic Explorer Full Version (Dongle Activated): Live Boot requires a full dongle version of Forensic Explorer. Live Boot will not run in the Forensic Explorer evaluation edition.

VMware Workstation or VMware Player: One of the following VMware products must be installed:
- VMware Workstation: http://www.vmware.com/products/workstation, or
- VMware Player (free for non-commercial use): https://my.vmware.com/web/vmware/free (desktop end user computing, VMware Player 6.0)

NOTE: If you are installing VMware Player for non-commercial use you must run VMware Player and agree to the terms and conditions shown below before running Live Boot.

Figure 230: VMware Player Terms. (Dialog text: Welcome to VMware Player 7. Use VMware Player 7 for free for non-commercial use. Enter a valid email address. You agree to receive promotional emails from VMware related to VMware Player. View our privacy policy. Enter a license key to enable VMware Player...)
230. nnnnnnconnnononononnnonanonononos 316 28 1 2 ITunes Backups Identify and Bookmark ccccooocccncccconcnnncnnnncnnnnnnanonnnnnnancnnnnnnnncnnnnnnos 317 28 1 3 Manually Examining ITunes Backup Files oocccccoooncnnnncnnncnnnnnonnnonnnonancnnnnnonanononnnos 320 28 1 4 ITunes Backups Analyze SCIripts cccccccsscsssseescccssccssseeescccssccesseeseccsssceassesssccsseeeass 321 282 WAIN AN ToO 326 28 2 1 TAMOS arnes 326 28 2 2 TOUMDES Cuates 326 28 2 3 Forensic Value of Thumbnails ooooooocoroocononnononnononconononcornaroronrnrnnrononrncnnnanonenos 326 316 Page Chapter 28 Working with 28 1 ITUNES BACKUPS When an Apple device iPhone iPad iPod is connected to a computer for the first time and synced with iTunes a folder is created using the unique device ID UUID These ITunes Backup folders are very distinctive in that they are 40 hexadecimal characters long The default folder locations are Figure 241 ITunes Backup paths Computer MobileSync Backup Files MobileSync Backup deviceid MAC OS X User HomeDirectory Library Application Support MobileSync Backup ITunes Backup UUID folders can contain high value information for the forensic investigator particularly if the original device itself cannot be located Each time an Apple device is synced with a computer the UUID backup folder will store configuration information address book data SMS database call records the
... 37
5.2 Activate a Remote Computer ... 40
5.3 Applying maintenance updates to your Wibu dongle ... 42

Chapter 5 Dongle Activation

5.1 DONGLE ACTIVATION OF THE PURCHASED VERSION

Forensic Explorer is activated using a Wibu (www.wibu.com) USB hardware dongle which is delivered to you by courier following your purchase (see Chapter 3 Purchase for more information on purchasing Forensic Explorer).

Figure 18: Wibu USB hardware activation dongle

Your Wibu dongle has a unique identification number inscribed on the part of the dongle that is inserted into the USB port, as shown in Figure 19 below. Include this number in correspondence with GetData.

Figure 19: Unique Wibu dongle identification number

The Wibu dongle is driverless and requires no special installation.

To run Forensic Explorer:
1. Ensure you have installed the full version of Forensic Explorer using the link provided in your purchase confirmation email (the dongle will not activate the evaluation version). See Chapter 2 30 Day Evaluation Version for more information on the evaluation version.
232. nonnnnnnnnrnnnnnnnnnnnnnnnnnnnnnnnnnnoos 222 18 3 Introduction to Scripting Rm 223 18 3 1 Programming Comments aarencacccaeapiceonaneadcaueansearnmanadecanmanssancusteseananaeaneniiaamaeenamamnasians 223 18 3 2 RESET nn UA 223 18 3 3 A e o OE PO 224 18 3 4 80 224 18 3 5 Dg m M 225 18 3 6 Procedures and Functions cccccccenssesseececccceeeeseeeeecceeaeuseeeeeceeseuuaseeeeeceesuaaeeeeeeeeesaaenes 225 18 3 7 Begin and ENG T 225 18 3 8 ziggo PP 226 Copyright GetData Forensics Pty Ltd 2010 2014 All rights reserved 216 Page Chapter 18 Scripts Module 18 1 SCRIPTS MODULE Forensic Explorer utilizes Pascal as its scripting language Scripts are written and run in the scripts module or launched in other modules via toolbar buttons or by other scripts The Scripts module is accessed via the scripts tab Figure 176 Scripts module tab Ss scripts The scripts module is arranged into three windows Scripts Script Editor and Messages as shown in Figure 177 below Figure 177 Scripts module Forensic Explorer Forenssc Explorer 41 01 1564 eya fee EE Repo SS Sov EB Regis E Fron m 11 x it T ETICA l i I NAHEr Progress Log i i IDESCT Progress log to the Messages window E Pie System CII
...ns
4. Click the Sort button to apply the sort.

Persistent Sort
- A persistent sort (right-click > Sorting > Persistent Sort) maintains the current sort when switching between data views.

To remove a multi-column sort:
- Release the SHIFT key and double-click on a column heading to return to a single-column sort.

To remove all sorting:
- Right-click and from the drop-down menu select Sorting > Remove Sorts.

9.10 FLAGS

In Forensic Explorer a flag is a colored box applied in a List view, in the Flag column, to mark a file. Eight colored flags are available for use. A single item can be flagged one or more times. Flagged files are shown in Figure 91 below.

Figure 91: Flagged items. (List residue removed; the flagged files are Canyon.JPG, Desert.JPG and Waterfall.JPG under Preview\FAT32 Photos.E01\Partition @ 63 NO NAME, 5 of 5 items.)

To apply a flag:
1. Highlight an item in a List view.
2. Double-click the opaque flag color in the Flag column (if the Flag column is not visible, add the column; see paragraph 9.8 Columns), or right-click and use the Add Flag menu to place a selection tick next to the required flags, as shown in Figure 92 b...
...ns button provides the option to rename a view with a custom name.

Data Area: The data area of the view is where the content of the highlighted item is displayed to the investigator.

View information bar: The information bar at the bottom of a view. It provides details on the data currently displayed in that view and is an important navigational reference. The information bar can contain information such as:
- The full path to the currently highlighted item
- The currently selected physical sector

Forensic Explorer data views within a module co-exist in linked relationships. In simplest terms, when a file is highlighted in one view the other views also change to show that data.

Note: Data views between different modules are NOT linked. For example, the Hex data view in the File System module acts independently from the Hex data view in the Keyword Search module.

Figure 48: Relationships between data views
List View > Disk View > Gallery View > Text, Byte Plot, Display, Filesystem Record, File Metadata, File Extent
- Multi relationship: a selection in one view changes the selection in all other connected views.
- Single relationship: a change in the parent view changes the view in the child view.

8.2 TREE VIEW
...nt of the Email module:
1. In the Keyword Search module, start a keyword search.
2. In the Run Keyword Search window, select Email as the target module.

Figure 143: Keyword Search module, Run Keyword Search window. (Dialog residue removed; fields shown: Name "Keyword search of the content of the email module"; Items to search: Email; Searchable items: 1 item.)

Chapter 15 Registry Module

In This Chapter

CHAPTER 15 REGISTRY MODULE
15.1 Registry [rest of title unreadable] ... 180
15.1.1 Windows location of registry files ... 180
15.2 Adding a REGISTRY FILE to the registry module ... 181
15.2.1 Add a standalone registry file ... 181
15.2.2 Add a registry file from a Forensic Explorer module ... 181
15.3 Registry Data Views ... 182
15.3.1 [title unreadable] ... 182
15.3.2 [title unreadable] ... 182
15.3.3 Hex, Text and Filesystem Record views ... 183
15.4 Deleted registry keys ... 183
15.5 Examining registry files using scripts ... 184
...nto categories including files by extension, files by modified date and flagged files.
- List View: Lists individual items and displays their metadata in columns.
- Disk View: A graphical display of the sectors which make up the examined device.
- Gallery View: A thumbnail presentation of the graphics files.
- Hex: Hexadecimal view of the currently highlighted item.
- [view name unreadable]: Automatic interpretation of user-selected data.
- Text: Text view of the currently highlighted file.
- Display: Content display of the currently highlighted file. Displays 300 different file types, including video and audio.
- Byte Plot: A graphical representation of byte-level data within the currently highlighted file.
- Filesystem Record: Displays information contained in the MFT record or FAT entry for the currently highlighted file.
- File Metadata: A breakdown of a file's metadata components.
- File Extent: Details the start, end and length of each data run on the disk.
- Bookmark: Shows the bookmark details associated with the item.

These views are described in more detail below.

Figure 47: Data view layout (View name, Data Area, View information bar)

View Name: The view name describes the function of the view, e.g. Hex displays a hexadecimal view of the currently highlighted item. The optio...
...o Executable (.fxp)
- Interbase Backup (.gbk)
- Interbase Database (.gdb)
- Lacerte Tax (.mdx)
- Lacerte Tax Individual (.id9, .id0, .sd0 to .sd9, .pd0 to .pd9, .fd0 ...)
- MicroSim PCBoard Log Of Forward Engineering Change Orde...
- Microsoft Money (.mny)
- MS Works 4 Database (.wdb)
- MS SQL Server Database (.mdf)
- MS SQL Server Log (.ldf)
- MOE Data (.dat, .prm, .pls)
- Omnis Database file (.df1, .lbr, .ohf, .lbs)
- Quickbooks Backup file (.qbb)
- Quickbooks QBW file (.qbw)
- Quicken QDF file (.qdf)
- QuickTax file (.q04, .q99, .q00, .q01, .q02, .q03)
- SAS ASCII Data File (.sas)
- SAS Binary Data file (.sas7bdat, .sd2)
- SPSS (.sav)
- TaxAct (.ta5)
- TaxCut file 2000-3 (.t00, .t01, .t02, .t03)
- TurboTax file (.tax)

Text (NB: slows search)
- Text Shift-JIS Documents (.jis)
- Text UTF-16 Documents (.txt)
- Text UTF-8 Documents (.txt)
- Text Documents (.txt)

Other
- EXE/DLL file (.exe, .sys, .dll)
- Help file [extension unreadable]
- TrueType Font file (.ttf)
- Windows Link (.lnk)

APPENDIX 4 SUMMARY OF DATE AND TIME

File System Type ...
...o manually add the Flat Hash Set file to Forensic Explorer:
1. Place the correctly formatted Flat Hash Set in the Forensic Explorer hash set folder: <profile>\Documents\Forensic Explorer\HashSets
2. Click on the Hash Match button in the File System module toolbar to open the Match Hash Files Options window.
3. The Flat Hash Set should appear in the list of available sets, as shown in Figure 199 below.

Figure 199: Flat Hash Set. (Match Hash Files Options window: Compare HashSets to Hashable Items (762 items, 935 MB, 980,349,857 bytes) or Checked items (1 item, 760 KB, 778,240 bytes); Compare Using MD5 Hash, SHA1 Hash or SHA256 Hash; Select HashSets, Location C:\Users\Owner\Documents\Forensic Explorer\HashSets; listed sets Malware Known 248528.hash (Identified As: Notable) and My Flat MD5 Hash Set 1.txt; Clear any existing hash matches; Logging Normal; Priority Normal; Download hash sets: forensicexplorer.com/hashsets.)

TO CREATE AND USE A FLAT HASH SET FROM A CASE

To create a Flat Hash Set, select the required format (MD5, SHA1 or SHA256) from the Create Hash Set button drop-down menu, as shown in Figure 197 above. This executes a script which can be viewed and edited in the Scripts module. The following window appears:
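As an added example, not the Create Hash Set script that Forensic Explorer runs, the following Python builds a flat hash set from a folder of notable files and then matches a case folder against it with MD5, SHA1 or SHA256. It assumes a flat hash set is a plain text file with one hex digest per line and `#` comment lines (an assumption; the manual only says "correctly formatted"), and it validates every line against the chosen algorithm's digest length, because a set in the wrong format silently matches nothing. The sample files are constructed in a temporary directory.

```python
"""Create a flat hash set and match case files against it (MD5, SHA1 or SHA256).

Added example, not Forensic Explorer's own script. Assumed flat format:
one hex digest per line, '#' lines ignored. Sample data is constructed.
"""
import hashlib
import tempfile
from pathlib import Path

ALGORITHMS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}


def hash_bytes(data, algorithm="MD5"):
    """Digest of an in-memory buffer, upper-case hex."""
    return hashlib.new(ALGORITHMS[algorithm], data).hexdigest().upper()


def hash_file(path, algorithm="MD5", chunk=1 << 20):
    """Stream the file so multi-gigabyte evidence does not have to fit in memory."""
    h = hashlib.new(ALGORITHMS[algorithm])
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def create_flat_hash_set(source_dir, out_path, algorithm="MD5"):
    """Hash every file under source_dir and write the distinct digests, one per line."""
    digests = sorted({hash_file(p, algorithm)
                      for p in Path(source_dir).rglob("*") if p.is_file()})
    with open(out_path, "w", encoding="ascii") as f:
        f.write(f"# {algorithm} flat hash set, {len(digests)} entries\n")
        f.writelines(d + "\n" for d in digests)
    return digests


def load_flat_hash_set(path, algorithm="MD5"):
    """Read the set, rejecting any line that is not a digest of the expected length."""
    hashes, expected = set(), DIGEST_LEN[algorithm]
    with open(path, encoding="ascii") as f:
        for lineno, line in enumerate(f, 1):
            value = line.strip().upper()
            if not value or value.startswith("#"):
                continue
            if len(value) != expected or any(c not in "0123456789ABCDEF" for c in value):
                raise ValueError(f"{path}:{lineno}: not a {algorithm} digest: {value!r}")
            hashes.add(value)
    return hashes


def match_hash_set(case_dir, hash_set_path, algorithm="MD5"):
    """Return (relative path, digest) for every case file whose digest is in the set.
    The match is on content only, so renamed or re-extensioned files are still found."""
    known = load_flat_hash_set(hash_set_path, algorithm)
    case_dir = Path(case_dir)
    hits = []
    for p in sorted(case_dir.rglob("*")):
        if p.is_file():
            digest = hash_file(p, algorithm)
            if digest in known:
                hits.append((p.relative_to(case_dir).as_posix(), digest))
    return hits


NOTABLE = b"MZ" + b"\x90" * 64          # constructed stand-in for a known tool binary


def demo(algorithm="MD5"):
    """Build a notable-files folder and a case folder, create the set, run the match."""
    with tempfile.TemporaryDirectory() as tmp:
        notable, case = Path(tmp, "notable"), Path(tmp, "case")
        (case / "sub").mkdir(parents=True)
        notable.mkdir()
        (notable / "tool.exe").write_bytes(NOTABLE)
        (notable / "note.txt").write_bytes(b"meet at 9\n")
        (case / "sub" / "holiday.jpg").write_bytes(NOTABLE)      # same content, new name
        (case / "other.txt").write_bytes(b"unrelated\n")
        hash_set = Path(tmp, f"My Flat {algorithm} Hash Set 1.txt")
        create_flat_hash_set(notable, hash_set, algorithm)
        return match_hash_set(case, hash_set, algorithm)


if __name__ == "__main__":
    for path, digest in demo("MD5"):
        print(f"{path}  {digest}")
```

Use the same algorithm for the set and for the match: a set of SHA1 digests compared against MD5 values will never hit, which is why the loader refuses lines of the wrong length rather than ignoring them.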
...oes; dtSearch support at http://support.dtsearch.com/dts0103.htm

Formats

A keyword index is stored as part of a Forensic Explorer case. The default path is: C:\Program Files\Forensic Explorer vX\Cases\<case name>\DTSearchIndexes\<index name>

A keyword index is usually about one fourth the size of the original documents, although this may vary considerably depending on the number and kinds of documents in the index. The forensic investigator should make sure there is ample disk space available when creating an index.

A noise word is a word such as "the" or "if" that is so common that it is not useful in searches. To save time, noise words are not indexed and are ignored in index searches; a term that is itself a noise word therefore never produces a hit in an index search, and must be looked for with a keyword search instead. To modify the list of words defined as noise words, edit the file: C:\Program Files\GetData\Forensic Explorer v1\noise.dat

The noise word list does not have a particular order and can include wildcard characters such as * and ?. However, noise words may not begin with wildcard characters. When an index is created, the index will store its own copy of the noise word list. Changes made to the noise word list will be reflected in future indexes but will not affect existing indexes.

13.2 CONSIDERATIONS PRIOR TO CREATING AN INDEX

Prior to creating an index it may be advantageous to recover any availa...
...omplex languages such as Arabic, select the additional code pages as required.

Regular Expression (PCRE)

A Regular Expression (RegEx), or Perl Compatible Regular Expression, is a concise and flexible means for matching (specifying and recognizing) strings of text, such as particular characters, words or patterns of characters. GREP is often misinterpreted as RegEx; GREP is a Linux/Unix program that is a RegEx search utility.

Basic RegEx functions include:
\wFFFF   Unicode character
\xFF     Hex character
.        Any character
[0-9]    Any number
?        Repeat zero or one time
+        Repeat at least once
[A-Z]    A through Z
*        Repeat zero or more times
[XYZ]    Either X, Y or Z
[^XYZ]   Neither X nor Y nor Z
\        Literal character
(ab)     Group ab together
{m,n}    Repeat m to n times
a|b      Either a or b

Sample RegEx expressions can be loaded from the Forensic Explorer Keywords folder under the user profile. For more RegEx examples see:
- http://en.wikipedia.org/wiki/Regular_expression
- http://regexlib.com
- http://www.regular-expressions.info/reference.html

Hexadecimal

The hexadecimal option allows hexadecimal values to be typed directly into the search window without formatting. Valid hex characters are 0-9, A-F and space. For example, the keyword "cow" can be typed directly into this field as 636F77.
... 189
16.1.3 Adding Bookmarks from a script ... 189
16.2 Bookmarks Module ... 190
16.2.1 [title unreadable] ... 190
16.2.2 [title unreadable] ... 191
16.2.3 Bookmark Data Views ... 192
16.3 Identifying Bookmarked files (other modules) ... 193

Chapter 16 Bookmarks Module

16.1 ADDING BOOKMARKS

Bookmarks are used to annotate items of interest. Forensic Explorer enables almost any item (e.g. file, folder, keyword search hit etc.) or a selection from an item (e.g. a fragment of text from a file or unallocated clusters) to be bookmarked and listed in the Bookmarks module.

IMPORTANT: Forensic Explorer Reports are generated from Bookmarked items.

To manually add a bookmark:
- In a Tree, List or Gallery view, right-click on the required file(s) and select Add Bookmark from the drop-down menu, or
- In a Hex or Text view, highlight the required data with the mouse, right-click and select Add Bookmark from the drop-down menu.

This will open the Add Bookmarks window shown below.

Figure 150: Add Bookmarks window. (Dialog residue removed; fields shown: Source Files (Checked files: 0 files, 0 folders; Highlighted files: 1 file, 0 folders), Select Folder, File(s) Comment, Preview; bookmark tree: My Bookmarks, Regist...)
...op-down menu.
3. The Edit Bookmark window will open. Edit the first bookmark and click OK. The comment will be updated for each of the bookmarks.

Data views enable the investigator to examine the item (device, folder, file, email message or registry key) that has been bookmarked. The data views available in the Bookmarks module are: Bookmark, Gallery, Hex, Text, Display, Filesystem Record and File Extent.

The Bookmark data view, shown in Figure 156 below, is visible in all modules. It enables the investigator to determine the Bookmark folder(s) into which a file has been placed. Right-click on the view and select Edit bookmark comment from the drop-down menu to edit a comment.

Figure 156: Bookmark data view. (Full Path: Test Case\My Bookmarks\Pictures; Comment: Investigator Graham Henley, "These photos appear to be of the ...")

16.3 IDENTIFYING BOOKMARKED FILES (OTHER MODULES)

Bookmarked files can be identified in the File System module by:
1. A purple bookmark that overlays the file icon, as shown in Figure 157 below.

Figure 157: Bookmarked files in the File System module. (Tree residue removed; folders shown include My Music, My Pictures and Sample Music.)
…or a confidence that they are seeing files for what they actually are. It is recommended that a File Signature analysis is one of the first steps performed by the investigator in each new case. A file signature analysis with Forensic Explorer will:
• Flag files for which the file extension does not match the file signature. These files may have been deliberately manipulated to hide data.
• Empower other components of Forensic Explorer, such as the Categories view, to see files based on file signature rather than extension.
22.3 RUNNING A FILE SIGNATURE ANALYSIS
To run a file signature analysis in Forensic Explorer:
1. Click on the Signature Analysis button in the File System toolbar, shown below.
Select the file types for which a signature analysis is to be conducted. Note that the speed of the analysis is affected by the number of file types selected. File signatures are inbuilt into Forensic Explorer and cannot be added. A custom file signature can be created using a script. See Chapter 18 Scripts Module for more information on writing scripts.
Figure 205: Selecting file types for signature analysis (Signature Analysis Options window: Name, Source (All items / Checked items), Filetypes to determine)
…more analysis functions can include hashing, carving and signature analysis. Pre-processing options are set in Forensic Explorer when a device or forensic image file is added. See 10.5 for more information.
Appendix 6 Definitions
Priority: In Forensic Explorer, priority refers to the use of threaded multi-core processing. See Multi Core Processing.
Preview (Evidence Module): The Preview button in the Evidence module enables an investigator to quickly add a device or forensic image to Forensic Explorer without first having to go through the steps to create a new case. The investigator can choose to save a preview to a case; if not, when the preview is closed no data is saved.
RAID: Redundant Array of Independent Disks.
RAM: Random Access Memory, where programs are loaded and computer code is executed. The content of RAM is lost when the computer is turned off.
RAM Slack: RAM slack is the data between the end of the logical file and the rest of that sector. For example, a sector is written as a block of 512 bytes, so if the last sector contains only 100 bytes, the remaining 412 bytes is padded with RAM slack. In older Operating Systems (e.g. Windows 95) RAM slack could contain data from RAM unrelated…
…Forensic Explorer can be used to extract and bookmark specific data from iTunes Backup files. Bookmarked data is available to the Reports module.
Chapter 28 Working with …
Provided iTunes Backup scripts are executed via the File System module > Analysis Scripts > iTunes Backups > Analyze button, shown in Figure 250 below.
Figure 250: iTunes Backups, Identify and Bookmark (File System toolbar: Hash Files, Match Hash Set, iTunes Backup Identify and Bookmark, iTunes Backup Analyze)
This script opens the following window:
Figure 251: iTunes Backups Analyze window ("Analyze iTunes Backups: Bookmark data from iTunes backups"; options: Address Book, Call History, CameraRoll, Encryption Check (identify encrypted backups), JPG by Domain (bookmark JPGs by iTunes Domain), Keyboard, Maps History, MOV by Domain (bookmark MOVs by iTunes Domain), Photo Streams Data, Recordings, Safari History, SMS Attachments, Wireless Networks; Select/DeSelect All; Add Domain Name columns)
Figure 1: Online activation, 30 day trial version (Forensic Explorer Evaluation window: "Enter the 14 Day Evaluation Key that you received via email when you registered at http://www.forensicexplorer.com", or click here to import your license file; Back / Next)
A successful activation message will display the following screen, as shown in Figure 2 below.
Figure 2: 30 day evaluation version successful activation message (Product Activation: "Activation Succeeded. Thank you for activating your software.")
Once the 30 day evaluation version is activated, the number of evaluation days remaining is shown on the program splash screen (see Figure 3 below). Click on the Continue Evaluation button to use the software, or the Buy Online button to visit the purchase page at www.forensicexplorer.com.
Figure 3: 30 day evaluation version splash screen
…Forensic Explorer can use UDP to access remote drives.
Unallocated clusters: Also referred to as unallocated space or free space, these are the available disk storage space that is not allocated to file storage by a volume. Unallocated clusters can be a valuable source of evidence in a computer forensics examination because they can contain deleted files, or remnants of deleted files, created by the Operating System and/or computer users.
Unallocated clusters on X volume: Space inside the X volume that is available to the File System for future file storage. For NTFS this is calculated from the $BITMAP record; for FAT this is calculated from the FAT Table.
Unicode: Unicode is an international standard for processing and displaying all types of text. Unicode provides a unique number for every character, for all languages, on all platforms.
UDID: An Apple device (iPhone, iPad or iPod Touch) has a Unique Device Identifier (UDID). It is a sequence of 40 letters and numbers. When a backup of the device is made to a PC, the backup files for the device are stored in the UUID folder. See chapter 28.1 for more information.
Volume: A collection of addressable sectors that are used to store data. The sectors give the appearance of being consecutive, but a volume may span more than one partition or drive.
Word list: A list of words exported from an index in the Index Search module. The word list can be used for password breaking or other purposes.
Write blocker: A hardware device or software program that prevents writin…
…without extension. Files without extensions will not appear in the Files By Extension category unless a File Signature Analysis has been run and the categories rebuilt. Once a Signature Analysis has been run, files without an extension that have a recognized signature will be placed in their relevant category after a category rebuild, based on the file type identified in the file header.
11.5 FILE LIST VIEW
File List is located in the top right hand window of the File System module. File List displays content according to the selections made in Folders view, described above.
File List view presents the metadata for each item (including file name, extension, full path, etc.) in a table format. It allows items such as devices, partitions and files, and their metadata, to be sorted, highlighted, checked, flagged, opened and exported. For more information on these functions see Chapter 9 Working with data.
The following icons are used in File List view to describe items:
• Free space on disk
• Free space in partition
• Unallocated clusters on NTFS volume
• An active file
• An active folder
• A deleted file
• A deleted folder
• A system file
• A FAT dot directory entry
• A FAT double dot directory entry
File metadata is displayed in columns. These columns include: File Name, Extension, Flags, Full Path, …
…overwritten will remain.
6. Click OK to proceed with the hash match.
Once a Hash Match has been run, two columns will be created in the Forensic Explorer File System module: Hash Set and Hash Set Identified As.
Figure 203: Running a Hash Match in a case (File List columns: Hash (MD5), Hash Set (e.g. GetData Windows), Hash Set Identified As (e.g. good))
An entry in the Hash Set column identifies that the file hash matches a hash in the set.
Chapter 22 File Signature Analysis
In This Chapter
CHAPTER 22 FILE SIGNATURE ANALYSIS
22.1 File sig…
…known files/data in a case. For example, an investigator may search for a fragment of a known document or image file and positively identify the existence or partial existence of that file on a disk, even if only one sector of that file remains on the disk. For more information on sector hashing refer to: Yoginder Singh Dandass, Nathan Joseph Necaise and Sherry Reede Thomas, "An Empirical Analysis of Disk Sector Hashes for File Carving", Journal of Digital Forensic Practice, Volume 2, Number 2, 2008, pp. 95-104.
6. ENCASE COMPRESSION
Sets the compression level for the EnCase forensic image file. The EnCase E01 file format supports compression of the image file during the acquisition process. Compressing a forensic image file during the acquisition process takes longer, but the file size of the forensic image on the investigator's workstation will be smaller. The amount of compression achieved will depend upon the data being imaged. For example, with already compressed data such as music or video, little additional compression will be achieved. AFF and DD/RAW image formats do not support compression.
7. VERIFY IMAGE HASH AFTER CREATION
During the acquisition of a device, the source hash (MD5 and/or SHA1 and/or SHA256, as per the investigator's selection) is calculated as the data is read from the source disk. Once the acquisition is complete, the source hash is reported in the event log in the format: Source MD5Hash: 94ED73DA0856F2BAD16C1D6CC3…
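The sector hashing idea described above, as an added example that is not part of the manual or of Forensic Explorer: every full 512 byte sector of a known file is MD5 hashed, and a disk image is then scanned sector by sector so that even a single surviving sector is matched. Uniform sectors (e.g. all zeros) are skipped because they match countless unrelated sectors; the sample file and image are constructed inline.

```python
import hashlib
from typing import Dict, List, Tuple

SECTOR_SIZE = 512


def sector_hashes(data: bytes, sector_size: int = SECTOR_SIZE) -> Dict[str, int]:
    """Map the MD5 of each complete sector of a known file to its sector index.

    Only full sectors are hashed: the trailing partial sector shares its disk
    sector with slack, so its hash cannot be reproduced from an image.
    Sectors whose bytes are all identical (e.g. all zeros) are skipped; they
    would match any unrelated padding sector and flood the result with false
    positives.
    """
    table: Dict[str, int] = {}
    for idx in range(len(data) // sector_size):
        sector = data[idx * sector_size:(idx + 1) * sector_size]
        if len(set(sector)) == 1:
            continue
        # If the file repeats a sector, remember the first occurrence only.
        table.setdefault(hashlib.md5(sector).hexdigest(), idx)
    return table


def find_known_sectors(image: bytes, table: Dict[str, int],
                       sector_size: int = SECTOR_SIZE) -> List[Tuple[int, int]]:
    """Scan an image on sector boundaries.

    Returns (byte offset in image, sector index in the known file) for every
    image sector whose hash is in the table, in ascending offset order.
    """
    hits: List[Tuple[int, int]] = []
    for offset in range(0, len(image) - sector_size + 1, sector_size):
        digest = hashlib.md5(image[offset:offset + sector_size]).hexdigest()
        if digest in table:
            hits.append((offset, table[digest]))
    return hits


def coverage(table: Dict[str, int], hits: List[Tuple[int, int]]) -> float:
    """Fraction of the known file's distinctive sectors found in the image."""
    if not table:
        return 0.0
    found = {idx for _, idx in hits}
    return len(found) / len(table)


# --- constructed sample data (not taken from any real case) -----------------
def _fill(seed: int) -> bytes:
    """Deterministic 512 byte high-entropy sector for seed."""
    return hashlib.sha256(bytes([seed])).digest() * 16


# Known file: an all-zero first sector (skipped), three distinctive sectors,
# and a 4 byte tail that does not fill a sector (not hashed).
KNOWN_FILE = bytes(SECTOR_SIZE) + _fill(1) + _fill(2) + _fill(3) + b"tail"

# Disk image: 12 zero sectors; only sectors 7 and 8 still hold fragments
# (known sectors 1 and 2) of the file. Sector 3 has been overwritten.
_image = bytearray(12 * SECTOR_SIZE)
_image[7 * SECTOR_SIZE:8 * SECTOR_SIZE] = _fill(1)
_image[8 * SECTOR_SIZE:9 * SECTOR_SIZE] = _fill(2)
DISK_IMAGE = bytes(_image)


if __name__ == "__main__":
    table = sector_hashes(KNOWN_FILE)
    hits = find_known_sectors(DISK_IMAGE, table)
    for offset, idx in hits:
        print(f"image offset {offset}: matches known sector {idx}")
    print(f"coverage: {coverage(table, hits):.0%}")
```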
Bytes per Block: Used in the Forensic Explorer File Extent tab to display the number of Bytes per Block (cluster) for the highlighted file.
Bytes per Sector: Used in the Forensic Explorer File Extent tab to display the number of Bytes per Sector for the highlighted file.
Byte Plot and Character Distribution: A view in Forensic Explorer which includes, for a selected file: a graphical representation of a binary file; and a Character Distribution graph representing the frequency that each ASCII character is displayed in the file. See Byte Plot and Character Distribution, page 91.
Carved file: Files located by file carving with Forensic Explorer are displayed as "Carved filetype.ext". This is because a file system record for these files no longer exists, so they are in effect lost to the file system. Because file and folder information is only stored with the file system record, a carved file does not retain its original file or folder name.
Appendix 6 Definitions
Case File: A case file is the store of investigational activities for an individual case in Forensic Explorer. The case file records the location of the examined devices and holds the results of searching, sorting, bookmarks, reports, etc. A case file is designed to build over time as a record of an investigation in…
…Forensic Explorer using the procedure described above.
A BibTeX entry can include a url statement, which is used to link to a web page or a local file:
• A link to a web site will include a BibTeX url in the format: url = {http://en.wikipedia.org/wiki/Computer_forensics}
• A link to a local file will include a BibTeX url in the format: url = {C:\Program Files (x86)\GetData\Forensic Explorer v3\Forensic Explorer User Guide.en.pdf}
• If the file is located in the User Forensic Explorer Reference Library folder, only the file name is required, e.g. url = {About Reference Library.rtf}
Chapter 8 Data Views
In This Chapter
CHAPTER 8 DATA VIEWS
8.1 Data Views Summary ... 71
8.1.1 Components of a data view ... 72
8.1.2 Data views relationships in the File System module ... 72
8.2 Tree view ... 74
8.2.1 Navigate Tree view ... 74
8.2.2 ... 74
8.2.3 ... 75
8.3 ... 77
8.4 Disk view ... 78
8.4.1 Resizing the Disk view display ...
…Scripts Module
Chapter 24 RAID
In This Chapter
24.1 RAID Introduction ... 282
24.2 ... 282
24.3 Adding a RAID to a Case ... 283
24.3.1 Hardware RAID (known configuration) ... 284
24.3.2 Software RAID ... 285
24.3.3 Once the correct RAID layout is identified ... 285
24.1 RAID INTRODUCTION
Forensic Explorer supports the analysis of the following types of RAID:
JBOD: JBOD (Just a Bunch of Disks) is a term to describe the grouping of odd sized drives into one larger useful drive. For example, a JBOD could combine 3 GB, 15 GB, 5.5 GB and 12 GB drives into a logical drive of 35.5 GB, which is often more useful than the individual drives separately.
RAID 0: A RAID 0 (also known as a stripe set or striped volume) splits data evenly across two or more disks (striped) with no parity information for redundancy. It is important to note that RAID 0 was not one of the original RAID levels and provides no data redundancy. RAID 0 is normally used to increase performance, although it can also be used as a way to create a sma…
Chapter 2 30 Day Evaluation Version
2.1 30 DAY EVALUATION VERSION
To request a 30 day evaluation version of Forensic Explorer, visit http://www.forensicexplorer.com/request-evaluation-key.php and complete the online registration form. Download instructions and an evaluation version software activation key will be sent to your email address.
Note: It is not possible to activate the evaluation version in a Virtual Machine.
The Forensic Explorer 30 day evaluation version is a standalone program. It has:
• A separate installation file, ForensicExplorer Evaluation Setup.exe; and
• Is installed in its own path: C:\Program Files\GetData\Forensic Explorer Evaluation vX\
The evaluation version is marked as "Evaluation" in the status bar at the bottom of the Evidence Module and in the program About tab.
The 30 day evaluation version has the following limitations:
• Does not allow the saving of case files;
• Does not allow the exporting of files from a case; and
• Will expire after 30 days.
2.2 ACTIVATING THE 30 DAY EVALUATION VERSION
The 30 day evaluation version is activated by a software key only (a purchased version is activated by dongle only). If your computer is connected to the internet, enter the 30 day evaluation version key into the field provided and click Next, as shown in Figure 1 below.
(Add Reference window fields continued: …, Place, ISBN, Keywords, Note; Create / Cancel)
When the Create button is pressed, the information in the window is written into the References.txt file in the BibTeX format. Click the Refresh References button in the drop down menu to show the new reference in the drop down menu.
2. MANUALLY EDIT THE REFERENCES.TXT FILE
The References.txt file can be manually edited. It is usually most effective to copy and paste a previous entry as a template and then update it with the new reference information. Be sure to use the BibTeX schema.
3. COPY AND PASTE FROM A 3RD PARTY SITE
Visit a site like Google Books, for example https://books.google.com.au/books?id=I4gpAQAAMAAJ
1. Select a reference item and look for the option to Export Citation (usually at the bottom of the reference description page), where BibTeX is one of the citation formats offered.
2. Download and open the BibTeX file in Notepad.
3. Copy and paste the BibTeX citation into the References.txt file and save the change.
4. Click the Refresh References button in the Reference Library toolbar.
5. The reference will now be listed in the Reference Library drop down menu.
Other third party sites, such as https://www.citethisforme.com, enable the management of a complete citation list. The entire list can be exported in BibTeX format and added to Forensic Ex…
Chapter 12 Keyword Search Module
12.3 SEARCH RESULTS
The Keyword Tree window contains the search results, as shown in Figure 131 below.
Figure 131: Keyword Tree search results (columns: Keyword, Status, Search Term; Keyword Results folder containing Keyword Search 1, 2 and 3, each listing keywords such as adobe, canon, JFIF, olympus and panasonic with hit counts)
The Keyword Results folder at the root of the tree holds a folder for each search. The default search names are Keyword Search 1, 2, etc.
• Inside the search folder are the keywords for each search.
• Blue brackets, e.g. (10), next to a keyword identify the number of files in the case in which the keyword has been found.
• The Status column indicates if the search for a keyword is running or if it is completed.
• The Search Term column shows the formatting of the keyword string. It also identifies any search parameters, such as case sensitivity or Unicode.
To delete a keyword search folder, right click on the keyword folder and select Delete from the drop down menu. A confirmation message will appear.
Figure 132: Delete a keyword search folder
Upon confirmation al…
…r to creating an Index ... 167
13.3 ... 167
13.4 Searching an Index ... 169
13.5 ... 172
13.6 Index Search Compound Files ... 173
13.7 Export Word List ... 173
Chapter 14 Email Module ... 175
14.1 ... 176
14.2 Email module ... 176
14.3 Microsoft Outlook PST & ... 176
14.4 Index Search the Email Module ... 177
14.5 Keyword Search the Email module ... 178
Chapter 15 Registry Module ... 179
15.1 Registry Module ... 180
15.2 Adding a Registry file to the Registry module ... 181
15.3 Registry Data View ... 182
15.4 Deleted registry keys ... 183
15.5 Examine registry files using scripts ... 184
Chapter 16 Bookmarks Module ... 187
16.1 Adding Bookmarks ... 188
16.2 Bookmarks Module ... 190
16.3 Identifying Bookmarked files (other modules) ... 193
Chapter 17 Reports Module ... 194
17.1 Reporting Bookmarks ...
…there is an opportunity in the Evidence Processor window (see 10.5) to Cache Thumbnails.
2. During a case:
a. Select or branch plate the required folders in the File System module.
b. Right click in the Gallery view window and select Cache All Images. The cache progress will show in the Processes window.
The size and number of graphics displayed is controlled by moving the slide bar in the footer of this window from small to large.
Figure 59: Gallery view scale bar (Small to Large)
The Gallery view tab can also be detached from the File List view pane and re-sized or displayed as a standalone window (see 7.3.1 Save a custom layout for more information).
Graphics in Gallery view can be highlighted, checked, flagged, exported, bookmarked and opened with an external application. These commands are accessed via the right click menu. For more information on these actions see Chapter 9 Working with data.
To highlight a continuous group of multiple files in Gallery view, hold down the SHIFT key whilst selecting files with the mouse. To highlight a non-contiguous group of multiple files in Gallery view, use the CTRL key when selecting files with the mouse. To check highlighted files, press the space bar.
8.6 HEX VIEW
The default location of the Hex view window is the bottom data view window…
…screen is displayed, enabling selection of the source media.
• When Acquire is selected, the source window shows the available physical devices (hard drives, USB drives, camera cards, etc.) and logical devices (partitions or volumes on the physical devices, e.g. C: drive) attached to the forensic workstation.
• When Convert is selected, the source window allows the selection of the source image file. Click the Add Image button to add the required image file to the selection list.
• When the Hash or Verify button is selected, the source window allows the selection of either a physical or logical drive, or an image file.
Figure 29: Forensic Imager, selecting the source device (Hash or Verify option shown: "Select the device or the image file to verify or hash"; Device / Label columns; Image Files and Hard Disk entries; Add Image, Add RAID; Sector Range: Entire Drive)
The device selection window includes the following information:
Label: Physical drives are li…
…requires the following minimum specification:
• Windows 7 or above
• 32 and 64 bit compatible
• Pentium IV 1.4 GHz or faster processor
• 1 GB RAM
Forensic Imager does NOT support DOS acquisition. If acquisition from a DOS boot disk is required, alternative forensic acquisition software should be used.
Host Protected Area (HPA) and Device Configuration Overlay (DCO)
The HPA and DCO are two areas of a hard drive that are not normally visible to an operating system or an end user. The HPA is most commonly used by booting and diagnostic utilities. For example, some computer manufacturers use the area to contain a preloaded OS for install and recovery purposes. The DCO allows system vendors to purchase HDDs from different manufacturers with potentially different sizes, and then configure all HDDs to have the same number of sectors. An example of this would be using DCO to make an 80 Gigabyte HDD appear as a 60 Gigabyte HDD to both the OS and the BIOS. [1]
Whilst the HPA and DCO are hidden, it is technically possible for a user to access these areas and store (hide) data. Forensic Imager does not currently support the acquisition of HPA or DCO areas.
Forensic Imager is located in the Forensic Explorer installation folder as a stand alone executable. When Forensic Imager is run, the investigator is presented with 3 options:
…Forensic Explorer is Scripts\File System\Export File Types.pas. This script will export files by type (extension) and can be edited as required. For more information about scripts see Chapter 18 Scripts Module.
A Logical Evidence File (LEF) is a forensic image containing selected individual files, rather than the image of an entire partition or physical device. LEFs are usually created when:
1. A device is previewed and evidence worthy of preservation is identified, but an image of the entire partition or device is not warranted; or
2. A subset of files from an existing forensic image is to be provided to a third party.
Common LEF formats are L01 (Guidance Software, www.guidancesoftware.com) and AD1 (Access Data, www.accessdata.com). Forensic Explorer will read both L01 and AD1 formats and can export files to L01 format.
To export files to an L01 file:
1. Select or highlight the required file(s).
2. Right click and select Export > Logical evidence file (L01) from the drop down menu. The following window will appear:
Figure 84: Export to Logical Evidence File (L01) (Source: Highlighted files / Checked files, Include folder data; Destination: Case Name, Evidence Number, Unique Description, …)
Chapter 12 Keyword Search Module
In This Chapter
CHAPTER 12 KEYWORD SEARCH MODULE
12.1 Keyword Search ... 152
12.2 Keyword Management ... 153
12.2.1 Creating ... 153
12.2.2 Edit or delete keywords ... 155
12.2.3 ... 156
12.2.4 Import keywords ... 157
12.2.5 Running a Keyword Search ... 158
12.3 Search Results ... 160
12.3.1 Delete a keyword search folder and keywords ... 160
12.3.2 To delete a keyword ... 161
12.3.3 Note: Why keyword hits differ when compared to EnCase ... 161
12.4 ... 162
12.4.1 ... 162
12.4.2 ... 162
Chapter 12 Keyword Search Module
12.1 KEYWORD SEARCH
The keyword search module is accessed via the Keyword Search tab.
Figure 125: Keyword Search tab
A keyword is a user created search expression. A keyword can be simple text, a more complex Regular Expression (RegEx), or hexadecimal. A keyword search is a search for that data.
Advantages of a Keyword Search: A keyword search can be performed on all data in a case, including unused disk space (unallocated clusters) and syste…
…important in a computer forensics examination. The investigator should have a clear understanding of the subject before making critical conclusions. When date and time is in issue, the following verified information should be at hand:
• The time zone where the computer or device was operating when it was acquired.
• The time of the computer BIOS clock compared with a verified time source (e.g. a recorded time service for that location).
It is the file system in use which determines whether Modified, Accessed and Created (MAC) times are stored in local time or Coordinated Universal Time (UTC). Appendix 4 Summary of Date and Time is a summary table of file system date and time, including the location of the source data interpreted by Forensic Explorer.
Date and time attributes of individual files can be examined using the Filesystem Record view of the File System module (see 8.10 Filesystem Record view for more information).
20.2 FAT, HFS, CDFS FILE SYSTEM DATE AND TIME
FAT, HFS and CDFS store local date and time as per the BIOS clock. There is no time zone adjustment. For example:
• A file stored at 11am is stored in the file system as 11am. When Forensic Explorer opens this file the default file time will display as 11am.
20.3 NTFS, HFS FILE SYSTEM DATE AND TIME
NTFS and HFS file systems store date and time in Coordinated Universal Time (UTC), which in practical terms (when fractions of a second are not important) can…
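An added example, not from the manual or from Forensic Explorer, of why the two sections above treat time differently: a FAT directory entry packs the BIOS clock's local time into two 16 bit words with no zone, while an NTFS timestamp is a count of 100 ns intervals since 1601-01-01 UTC. The decoders and the sample values below are constructed for illustration; the acquisition zone of +10:00 is an assumption.

```python
from datetime import datetime, timedelta, timezone
from typing import Tuple

# NTFS FILETIME epoch: 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# 100 ns intervals between the FILETIME epoch and the Unix epoch.
UNIX_EPOCH_AS_FILETIME = 116444736000000000


def decode_fat_datetime(date_word: int, time_word: int) -> datetime:
    """Decode a FAT date/time pair.

    date_word: (year - 1980) << 9 | month << 5 | day
    time_word: hour << 11 | minute << 5 | (second // 2)
    FAT stores whatever the BIOS clock read (local time, 2 second resolution),
    so the result is a naive datetime: no zone can be inferred from the data.
    """
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def encode_fat_datetime(local: datetime) -> Tuple[int, int]:
    """Inverse of decode_fat_datetime; odd seconds are truncated by FAT."""
    date_word = ((local.year - 1980) << 9) | (local.month << 5) | local.day
    time_word = (local.hour << 11) | (local.minute << 5) | (local.second // 2)
    return date_word, time_word


def decode_filetime(filetime: int) -> datetime:
    """NTFS timestamp (100 ns intervals since 1601-01-01) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def encode_filetime(utc: datetime) -> int:
    """Aware datetime to an NTFS timestamp (sub-microsecond digits are zero)."""
    delta = utc.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def display_ntfs_time(filetime: int, acquisition_zone: timezone) -> datetime:
    """What an examiner sees after applying the zone the machine was running in.

    Only NTFS (and HFS per the manual) times need this step; a FAT time is
    already the wall-clock value and must not be shifted again.
    """
    return decode_filetime(filetime).astimezone(acquisition_zone)


if __name__ == "__main__":
    # Constructed: a file saved at 11:00 local on 17 May 2012 on a machine
    # operating in UTC+10 (assumed acquisition zone).
    wall_clock = datetime(2012, 5, 17, 11, 0, 0)
    zone = timezone(timedelta(hours=10))

    fat_date, fat_time = encode_fat_datetime(wall_clock)
    print("FAT words:", hex(fat_date), hex(fat_time),
          "->", decode_fat_datetime(fat_date, fat_time))   # 11:00, naive

    ft = encode_filetime(wall_clock.replace(tzinfo=zone))
    print("NTFS FILETIME:", ft, "stored as", decode_filetime(ft))  # 01:00 UTC
    print("displayed in acquisition zone:", display_ntfs_time(ft, zone))
```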
…reverts to the raw entry data.
15.4 DELETED REGISTRY KEYS
When a registry file is read by Forensic Explorer, the unallocated space within the registry file is parsed for deleted registry keys. These keys are placed into the Deleted Keys folder, marked with the following icons:
• Deleted key
• Deleted folder
15.5 EXAMINING REGISTRY FILES USING SCRIPTS
A default installation of Forensic Explorer includes a Parse Registry Keys button group in the Registry Module toolbar.
Figure 148: Registry Module, Parse Registry Keys button group (User Hive, SYSTEM Hive, SOFTWARE Hive, Parse Multi Keys)
Each of the drop down links in the button group passes a variable to the Scripts\Registry\Registry Key Processor.pas script, to scan and in some cases interpret data of interest from specific keys. For example, selecting the SOFTWARE > Registered Owner/Organization button returns:
Figure 149: Registry Key Processor (Search for: SOFTWARE\Microsoft\Windows NT\CurrentVersion; Description: owner and organization details entered at install; Key Found: NIST Hacking Case; RegisteredOrganization: N/A; RegisteredOwner: Greg Schardt)
The Registry Key Processor.pas…
…startup.pas uncluttered, it is used to create toolbars by calling other scripts. If you look at startup.pas you will see the use of the RunScript command in lines like:
RunScript(gScriptsDir + 'Common\Toolbar\Button Group Hex.pas', 'File System', false);
The RunScript command has 3 parameters:
1. The path of the script that you wish to run; in this example the script to run is gScriptsDir + 'Common\Toolbar\Button Group Hex.pas'.
2. The module where you want the script to be run; in this example it is the File System module.
3. Whether or not you want logging; in this example logging is false.
Button Group Hex.pas
Now let's take a look at the Button Group Hex.pas script. In the Scripts module, navigate to the Scripts\Common\Toolbar folder and double click on Button Group Hex.pas to open it in the Script Editor. Once you have it open in the editor, you will see the following 4 lines midway through the script:
ToolBar := Module.AddToolbar('Hex'); // creates the button group and puts the name of the button group at the bottom
ToolBar.AddButton('Hex v6', 'C:\Program Files\BreakPoint Software\Hex Workshop v6\HWorks32.exe', 1, 64, 64, BINS + SHOWCAPTION); // adds and names the button
ToolBar.AddButton('UltraEdit', 'C:\Program Files\IDM Computer Solutions\UltraEdit\Uedit32.exe', 1, 64, 64, BINS + SHOWCAPTION); // adds and names the button
(Add Bookmarks window continued: Registry 0; Folder Comment)
Source Files: A bookmark action can be performed on highlighted file(s) or checked files.
Select Folder: Folders are used by the investigator to group together bookmarked files of like interest. Folders can be moved using the mouse (drag and drop). The right click drop down menu, or the New Folder button, enables the investigator to add or delete a folder.
Folder Comment: A comment about the folder holding the bookmarked files.
File(s) Comment: A comment about the file(s) being bookmarked.
When evidence is added to a case, the option exists in the Evidence Processor (see 10.5) to Triage data.
Many of the scripts supplied with Forensic Explorer have the option to bookmark search results, for example "Discover PDF Files by Author", located under the Analysis Scripts button in the File System module. The default folder for script bookmarks is My Bookmarks\Script Output. A user who writes or modifies a script can select or create a bookmark folder of their choice.
16.2 BOOKMARKS MODULE
The Bookmarks module is accessed via the Bookmarks tab.
Figure 151: Bookmarks module tab
The Bookmarks module provides a single location where items of interest are gathere…
…s Evidence

[Figure: Evidence module, Evidence tab, showing the properties of an EnCase E01 image: Device Size 7.47 GB (8,019,509,248 bytes); Filename; Image Type EnCase; Logical No; EnCase Examiner; EnCase Case Number LEXAR USB 1; EnCase Evidence Number LEXAR USB 1; Description LEXAR USB; Notes "This is an EnCase 7 E01 image of a 7gb lexar us…"; Acquiring Program 7.3.1.203; OS Version Windows 7; Acquired Date 17-May-12 2:25:55 PM; System Date 17-May-12 2:25:51 PM; Compression Unknown.]

21.5 HASHING FILES IN A CASE

To calculate hash values for individual files in a case:

1. In the File System module, click the required Hash button (Figure 194: File System module Hash Files button).
2. This opens the Hash Files Options window (Figure 195: Hash Files Options window), which has the following settings:

Source: Searchable items (item count and bytes shown), Unallocated space, or Checked items. Tick "Include Raw Devices, Partitions and Files" to hash those objects as well as files.
Hash Methods: MD5 Hash, SHA1 Hash, SHA256 Hash, CRC32 Hash.
Options: Force recalculation of hash; Find duplicate files.
File Size Range: Minimum 0 MB, Maximum 100 MB (0 = no limit).
Logging: Normal. Priority: Normal.

Click OK to run, or Cancel to close the window without hashing.
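The following is an added example in Python (not Forensic Explorer's own script language or code) that does what the Hash Files Options window describes over a small constructed set of files: computes the same four digests, applies the file size range, and groups byte-identical files as the Find duplicate files option does. The file names and contents are constructed for the example.

```python
import hashlib
import zlib
from collections import defaultdict

# Constructed sample "files" (name -> content). Two are byte-identical copies and one
# is empty; none of these come from the manual's evidence sets.
SAMPLE_FILES = {
    "Photos/Koala.jpg": b"\xff\xd8\xff\xe0" + b"\x41" * 300,
    "Backup/Koala (copy).jpg": b"\xff\xd8\xff\xe0" + b"\x41" * 300,
    "Docs/notes.txt": b"meeting notes\n",
    "empty.dat": b"",
}

HASH_METHODS = ("MD5", "SHA1", "SHA256", "CRC32")

def hash_bytes(data, methods=HASH_METHODS):
    """Digests for one item, keyed by the method names used in the Hash Files Options window."""
    digests = {}
    for method in methods:
        if method == "CRC32":
            # zlib.crc32 is a checksum, not a cryptographic hash; the mask keeps it unsigned
            digests[method] = "%08x" % (zlib.crc32(data) & 0xFFFFFFFF)
        else:
            digests[method] = hashlib.new(method.lower(), data).hexdigest()
    return digests

def hash_files(files, methods=HASH_METHODS, min_size=0, max_size=0):
    """Hash every file whose size lies in [min_size, max_size] bytes; max_size 0 means no limit."""
    results = {}
    for name, data in files.items():
        size = len(data)
        if size < min_size or (max_size and size > max_size):
            continue
        results[name] = hash_bytes(data, methods)
    return results

def find_duplicates(results, method="SHA256"):
    """Group names whose digest under `method` is identical (the Find duplicate files option)."""
    groups = defaultdict(list)
    for name, digests in results.items():
        groups[digests[method]].append(name)
    return {digest: sorted(names) for digest, names in groups.items() if len(names) > 1}

if __name__ == "__main__":
    hashed = hash_files(SAMPLE_FILES, min_size=1)   # skip zero-length items, like a Minimum of 1
    for name, digests in hashed.items():
        print(name, digests["MD5"], digests["CRC32"])
    for digest, names in find_duplicates(hashed).items():
        print("identical content", digest[:12], names)
```

Duplicate detection is done on SHA256 rather than CRC32 on purpose: CRC32 collisions are trivial to produce, so it is a checksum for transport errors, not an identity for evidence.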
…s is a method of searching unallocated clusters to find deleted or missing folders and their content. Recover Folders will often locate multi-level folder and sub-folder structures and make them visible to the investigator within the File System module. For this reason it is recommended that a Recover Folders search be one of the first tasks undertaken by an investigator in a new case.

To run a Recover Folders search, click the Recover Folders toolbar icon in the File System module (Figure 212: Recover Folders, File System module toolbar icon). This opens the Folder Carve options window (Figure 213: Recover Folders options), which has the following fields:

Name: enter the folder name which will hold the recovered folders in the Folders view of the File System module (Folder Carve 1 in the figure).
Source: a Recover Folders search must be run on an existing partition. Select the partition from the drop-down menu (Partition @ 63 in the figure).
File Systems: select the type of File System records for which to search: FAT, exFAT, NTFS, HFS.
Logging / Priority: see 7.5 Logging and Priority.

When the Recover Folders command is executed on a FAT partition, Forensic Explorer searches unallocated clusters for the dot / double-dot directory entry signature…
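The dot / double-dot signature search described above, as an added Python example (not the tool's own Recover Folders code): it builds a constructed "unallocated" buffer that contains one orphaned directory cluster, then checks every cluster boundary for a "." entry followed by a ".." entry, both with the directory attribute, and parses the entries that follow. The 512-byte cluster size, the sample directory and the fields filled in each 32-byte entry are assumptions for the example; the entry layout (11-byte name, attribute byte, first-cluster high/low words, size) follows the FAT specification.

```python
import struct

CLUSTER_SIZE = 512        # constructed; real FAT volumes commonly use 4 KiB or larger clusters
ATTR_DIRECTORY = 0x10
ATTR_LONG_NAME = 0x0F     # VFAT long-name entries carry no cluster/size and are skipped
DOT = b".          "      # "." padded to the 11-byte 8.3 name field
DOTDOT = b"..         "
ENTRY_FMT = "<11sB8xH4xHI"  # name, attributes, first-cluster high word, low word, file size

def make_entry(name, attr, first_cluster, size=0):
    """Build a 32-byte FAT directory entry; time and date fields are left zero."""
    return struct.pack(ENTRY_FMT, name, attr, first_cluster >> 16, first_cluster & 0xFFFF, size)

def parse_entry(raw):
    name, attr, hi, lo, size = struct.unpack(ENTRY_FMT, raw)
    deleted = name[0] == 0xE5                     # FAT marks a deleted entry by overwriting byte 0
    shown = (b"?" + name[1:]) if deleted else name
    base = shown[:8].decode("latin-1").rstrip()
    ext = shown[8:].decode("latin-1").rstrip()
    return {
        "name": f"{base}.{ext}" if ext else base,
        "deleted": deleted,
        "is_dir": bool(attr & ATTR_DIRECTORY),
        "long_name": attr == ATTR_LONG_NAME,
        "cluster": (hi << 16) | lo,
        "size": size,
    }

def carve_directories(unallocated, cluster_size=CLUSTER_SIZE):
    """Find clusters that start with '.' then '..' directory entries and list their contents."""
    found = []
    for off in range(0, len(unallocated) - 64 + 1, cluster_size):
        dot = parse_entry(unallocated[off:off + 32])
        dotdot = parse_entry(unallocated[off + 32:off + 64])
        if not (dot["name"] == "." and dotdot["name"] == ".." and dot["is_dir"] and dotdot["is_dir"]):
            continue
        entries, pos = [], off + 64
        while pos + 32 <= len(unallocated) and unallocated[pos] != 0x00:   # 0x00 = end of directory
            entry = parse_entry(unallocated[pos:pos + 32])
            if not entry["long_name"]:
                entries.append(entry)
            pos += 32
        # '.' points at the directory's own cluster, '..' at its parent (0 = root), which is
        # what lets a recovered folder be placed back into a tree.
        found.append({"offset": off, "cluster": dot["cluster"],
                      "parent_cluster": dotdot["cluster"], "entries": entries})
    return found

def build_sample():
    """Three clusters: junk, one orphaned directory (own cluster 40, parent root), filler."""
    junk = bytes(range(256)) * 2
    folder = (make_entry(DOT, ATTR_DIRECTORY, 40)
              + make_entry(DOTDOT, ATTR_DIRECTORY, 0)
              + make_entry(b"PHOTOS     ", ATTR_DIRECTORY, 41)
              + make_entry(b"IMG_0001JPG", 0x20, 52, 12345)
              + make_entry(b"\xe5OTES   TXT", 0x20, 60, 100))   # deleted NOTES.TXT
    folder += b"\x00" * (CLUSTER_SIZE - len(folder))
    return junk + folder + b"\xff" * CLUSTER_SIZE

if __name__ == "__main__":
    for d in carve_directories(build_sample()):
        print("directory at offset", d["offset"], "cluster", d["cluster"], "parent", d["parent_cluster"])
        for e in d["entries"]:
            print("  ", e["name"], "deleted" if e["deleted"] else "active", e["cluster"], e["size"])
```

On a real volume the first cluster number recovered from the "." entry, together with the partition's cluster size and data-area start, gives the byte offset the directory originally occupied; that is the value to check by hand when validating a Recover Folders result.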
…s ASCII character codes 0-255. The Y axis represents the number of times each character code appears in the current view. Like Byte Plot, Character Distribution gives a visual interpretation of file content.

Color Coding

In the Byte Plot data view, ASCII characters are color coded as follows:
• Blue: non-printable and extended characters
• Red: numbers 0-9
• Yellow: text, a to z and A to Z

Display Options

To change display options, right-click on the Character Distribution graph to display the drop-down options menu (Figure 69: Byte Plot right-click display options menu), which contains:
• Highlight Numerals and ASCII characters
• Log scale

To change Byte Plot to grayscale, de-select Highlight Numerals and ASCII characters. To change the scale of Character Distribution, select Log scale.

Microsoft Word document

Figure 70 shows a Byte Plot and Character Distribution for the Microsoft Word file Golf.doc. The visualization is consistent with a Word document, where:
• non-printable characters (blue) are prominent in the header of the file;
• text characters (predominantly yellow) follow the header.

[Figure 70: Byte Plot and Character Distribution of a .doc file]
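An added Python example (not the tool's Byte Plot or Character Distribution code) that computes the histogram and the three colour classes described above over a constructed buffer shaped like the Golf.doc description, and the bar length that the Log scale option changes. The fourth class for punctuation and space bytes is my own addition; the manual does not say how those bytes are coloured.

```python
import math

def character_distribution(data):
    """Histogram of byte values 0-255: the Y value at each X position of the Character Distribution graph."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return counts

def byte_class(b):
    """Colour class of one byte. Punctuation/space is an added class: the manual colours only
    numbers (red), letters (yellow) and non-printable/extended bytes (blue)."""
    if 0x30 <= b <= 0x39:
        return "number"
    if 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A:
        return "text"
    if 0x20 <= b <= 0x7E:
        return "punctuation"
    return "nonprintable"   # control bytes 0x00-0x1F, 0x7F and extended bytes 0x80-0xFF

def class_profile(data):
    """Fraction of bytes in each class (all zero for an empty buffer)."""
    total = len(data)
    counts = {"nonprintable": 0, "number": 0, "text": 0, "punctuation": 0}
    for b in data:
        counts[byte_class(b)] += 1
    return {k: (v / total if total else 0.0) for k, v in counts.items()}

def dominant_class_by_window(data, window):
    """Walk the buffer from offset 0 (the X axis of Byte Plot) and name the dominant class per window."""
    return [max(class_profile(data[i:i + window]).items(), key=lambda kv: kv[1])[0]
            for i in range(0, len(data), window)]

def scale_bar(count, max_count, width=40, log_scale=False):
    """Bar length for one histogram column, linear or with the Log scale option."""
    if max_count == 0 or count == 0:
        return 0
    if log_scale:
        return round(width * math.log10(count + 1) / math.log10(max_count + 1))
    return round(width * count / max_count)

# Constructed buffer: an OLE2 compound-file header (D0 CF 11 E0 A1 B1 1A E1) followed by
# zero padding, then plain text, mirroring the "header then text" shape of a .doc file.
SAMPLE_DOC = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504
              + b"The quick brown fox jumped over 12 lazy dogs. " * 20)

if __name__ == "__main__":
    print(dominant_class_by_window(SAMPLE_DOC, 512))      # first window blue, later windows yellow
    hist = character_distribution(SAMPLE_DOC)
    for code in (0x00, 0x20, 0x31, 0x65):
        print("%02X" % code, "#" * scale_bar(hist[code], max(hist), log_scale=True))
```

The log scale matters for exactly the case shown: 504 null bytes dominate a linear plot and flatten every letter column to nothing, while on a log scale the letter and digit columns remain visible beside the null spike.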
Chapter 28 Working with …

28.3 THUMBNAILS IN FORENSIC EXPLORER

For the purpose of this section, the term Thumbnail Files is used to describe both Thumbs.db and Thumbcache_xxx.db files.

Like any other file type, Thumbnail Files can be sorted, filtered, bookmarked etc. in the modules of Forensic Explorer. A Thumbs.db file can be previewed directly in the Forensic Explorer Display view. The content of each image can be displayed by clicking the image name in the left of the Display view, as shown in Figure 252 below.

[Figure 252: Thumbs.db in the Display view. The File List shows the 10 items held in SD Card.E01\Root\Pictures\Snake\Thumbs.db (51370820_Medium.JPG to 51370827_Medium …); clicking a filename previews that thumbnail. The Hex and Text views remain available below.]

A fast way to view all Thumbnail Files in a case is to branch plate all files in the case and then apply a folders filter. A separate folders filter is available for Thumbs.db and for Thumbcache_xxx.db. A Thumbs.db Folders filter is shown in Figure 253…
…s a script to call on a library of additional code. For example, the GUI library in the example above enables the scripter to use MessageBox, which constructs a displayed window without the need to write extensive code. Forensic Explorer has the following code libraries: ByteStream, Classes, Common, DataEntry, DataStorage, DataStreams, Graphics, GUI, Math, MetaData, RawRegistry, System, SysUtils. Further information about user libraries is provided at http://www.forensicexplorer.com/scipts.ph…

A constant declares a value that cannot be changed during script execution. It is often used so that the value can be edited in one place outside of program execution and thus updated at every point in the script that references it. An example is provided in Appendix 7 Sample Script, where starting_age is declared as a constant and referenced multiple times.

The variable block starts after the var reserved word and continues until the next reserved word is reached. A variable stores a value that can be changed during the execution of a script. Each variable must be a unique, non-reserved name followed by a declaration of its type, for example:
• Integer: a whole number, positive or negative
• Real: a decimal number, e.g. 12.987
• Boolean: true / false
• String: characters

Once a variable is declared it can be assigned a v…
…s are displayed in the Keyword Result List window.

[Figure 133: Keyword Result List for FAT32 Photos.E01\Partition @ 63, listing files such as African Elephant.jpg, Buffalo.jpg, Koala.JPG, REDPANDA.JPG, Chrysanthemum.JPG, Hydrangeas.JPG, Tulips.JPG, Canyon.JPG and Desert.JPG, with Desert.JPG expanded to show its hit text (an adobe.com XMP reference); the status bar reads "88 of 73 items".]

The Keyword Result List includes the Hits column, which identifies the number of times the keyword(s) has been found within a file. Each file listed in the Keyword Result List has an expansion cross. Click on the expansion cross to preview the Hit Text of each keyword in the file. The Hit Text consists of the 20 characters before and after the keyword hit. It is designed as a quick reference guide to identify hits that require further investigation.

12.5 KEYWORD SEARCH DATA VIEWS

When a file is highlighted in the Keyword Results list, the content of the file is displayed in data views at the bottom of the screen. The data views available to the Keyword Search module are Hex, Text and Display. Learn more in Chapter 8 Data Views.

Chapter 13 Index Search Module

Chapter 13 Index S…
…s is a list of digital camera related keywords. Each keyword line carries a name, a search expression, optional settings (CaseSensitive, RegEx) and the code pages to search; 1200 is UTF-16 little-endian, 1201 UTF-16 big-endian, 1252 Windows Western, 65000 UTF-7 and 65001 UTF-8:

Camera Types
  adobe | adobe | | 1200 1201 1252 65000 65001
  canon | canon | | 1200 1201 1252 65000 65001
  Olympus | Olympus | CaseSensitive | 1200 1201 1252 65000 65001
PDF Header
  PDF header | PDF 1 0 9 | CaseSensitive RegEx |

A fast way to learn the correct formatting is to add several groups and keywords by hand, then use the export button to export the list. Then edit the list with additional requirements and import the file using the instructions below.

To import a keyword text file:
1. In the Keyword Management window, click on the Import Keyword List icon.
2. Browse to the required keyword text file, select the file and click Open.

The keywords in the file will then populate the Keyword Management window. The result of importing the above Sample keyword.txt file is shown in Figure 129 (Keyword Management after the import of the above keyword .txt file; the columns are name, Search expression, settings and CodePages).

To run a keyword search:
1. In the Keyword Management window, select the keyword(s) to search by placing a tick in the box next to the required keyword(s).
2. Click the green start button, or right-click in the Keyword Management windo…
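The two mechanisms described in this section and the previous one, a keyword list searched under several code pages and the Hit Text of 20 characters either side of each hit, as an added Python example (not Forensic Explorer's keyword engine). The tab-separated list layout, the PDF regular expression, the code-page-to-codec mapping and the sample file content are assumptions constructed for the example; the code-page numbers are the ones the manual's list uses.

```python
import re
from collections import Counter

# Windows code page number -> Python codec. Assumption: these are the encodings the
# manual's code page numbers (1200, 1201, 1252, 65000, 65001) denote.
CODE_PAGES = {1200: "utf-16-le", 1201: "utf-16-be", 1252: "cp1252", 65000: "utf-7", 65001: "utf-8"}

# Constructed keyword list. The tab-separated layout (group, name, expression, settings,
# code pages) and the PDF regular expression are assumptions, not the manual's file format.
SAMPLE_KEYWORD_LIST = (
    "Camera Types\tadobe\tadobe\t\t1200 1201 1252 65000 65001\n"
    "Camera Types\tcanon\tcanon\t\t1200 1201 1252 65000 65001\n"
    "Camera Types\tOlympus\tOlympus\tCaseSensitive\t1200 1201 1252 65000 65001\n"
    "PDF Header\tPDF header\t%PDF-1\\.[0-9]\tCaseSensitive RegEx\t1252\n"
)

def parse_keyword_list(text):
    keywords = []
    for line in text.splitlines():
        if not line.strip():
            continue
        group, name, expression, settings, pages = line.split("\t")
        flags = set(settings.split())
        keywords.append({"group": group, "name": name, "expression": expression,
                         "case_sensitive": "CaseSensitive" in flags, "regex": "RegEx" in flags,
                         "code_pages": [int(p) for p in pages.split()]})
    return keywords

def keyword_search(data, keywords, context=20):
    """Search a byte buffer under every selected code page and return hits with `context`
    characters before and after each hit (the Hit Text shown in the Keyword Result List)."""
    hits = {}
    for kw in keywords:
        re_flags = 0 if kw["case_sensitive"] else re.IGNORECASE
        for cp in kw["code_pages"]:
            codec = CODE_PAGES[cp]
            width = 2 if cp in (1200, 1201) else 1          # bytes per character for fixed-width pages
            if kw["regex"]:
                # Regular expressions run over the buffer decoded in this code page. Offsets map
                # back to bytes exactly for 1200/1201/1252; for 65000/65001 they are approximate.
                text = data.decode(codec, errors="replace")
                matches = [(m.start() * width, m.end() * width, m.group())
                           for m in re.finditer(kw["expression"], text, re_flags)]
            else:
                # Literal keywords are encoded into the code page and searched as raw bytes, so
                # "canon" stored as UTF-16 is found even though the ASCII bytes "canon" are absent.
                pattern = re.escape(kw["expression"].encode(codec))
                matches = [(m.start(), m.end(), m.group().decode(codec, errors="replace"))
                           for m in re.finditer(pattern, data, re_flags)]
            for start, end, found in matches:
                key = (kw["name"], start)
                if key in hits:
                    continue   # same bytes already hit under another ASCII-compatible code page
                before = data[max(0, start - context * width):start].decode(codec, errors="replace")
                after = data[end:end + context * width].decode(codec, errors="replace")
                hits[key] = {"keyword": kw["name"], "code_page": cp, "offset": start,
                             "hit_text": before + found + after}
    return list(hits.values())

def hits_per_keyword(hits):
    """The Hits column: number of times each keyword was found in the buffer."""
    return dict(Counter(h["keyword"] for h in hits))

# Constructed file content: ASCII EXIF-style text, "canon EOS" stored as UTF-16LE, a
# lower-case "olympus" (must not match the case-sensitive keyword) and a PDF header.
SAMPLE_DATA = (b"Exif software: Adobe Photoshop CS5 Windows\n"
               + "canon EOS".encode("utf-16-le")
               + b"\n olympus camera\n%PDF-1.4 trailer\n")

if __name__ == "__main__":
    found = keyword_search(SAMPLE_DATA, parse_keyword_list(SAMPLE_KEYWORD_LIST))
    print(hits_per_keyword(found))
    for h in found:
        print(h["keyword"], h["code_page"], h["offset"], repr(h["hit_text"]))
```

Two points the example makes concrete: a keyword selected for both 1252 and 65001 would otherwise be reported twice at the same offset (hence the de-duplication on name and offset), and a UTF-16 keyword search can false-match one byte early when a null byte happens to precede the text, which is why the Hit Text context is worth reading before trusting a count.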
…sA / CatsB (Gallery view of LEXAR with gallery, Lexar 7GB USB.E01, Partit…)

Graphics displayed in Gallery view are determined by the selection made in the Tree view. If a single folder is highlighted, the graphics inside that folder will be displayed. When the branch plate option is used (see paragraph 8.2.3 Branch plate), all graphics in the plated path will be displayed.

The default setting for Gallery view is to display JPEG, BMP and PNG file types.

The file icon at the bottom of the thumbnail is a visual identifier of the status of the file, e.g. bookmarked, deleted, carved etc.

When a thumbnail is displayed it is written to the disk cache file User\Documents\Forensic Explorer\Cases\Case Name\thumb cache. When changing between Gallery view folders, Forensic Explorer first checks the cache file to determine if the graphic has previously been displayed; if so, the cached graphic is used.

In some situations it may be advantageous to cache all available images. For example, when running the Skin Tone Analysis script (File System module > Analysis Scripts button > Skin Tone Analysis), the script will run 50% faster when reading images from the cache.

To cache all thumbnails to disk:
1. When adding evidence:
   a. When an evidence item is added to a preview or a case, the…
[Table of contents, Chapter 8 Data Views, continued]
8.4.2 Color Coded Content 79
8.4.3 Navigating Disk View 80
8.4.4 Selecting data in Disk view 82
8.5 Gallery view 84
8.5.1 Caching thumbnails to disk 84
8.5.2 Increase the number of graphics displayed 85
8.5.3 Working with data in Gallery view 85
8.6 Hex view 86
8.7 Text view 88
8.8 Display view 89
8.8.1 … 90
8.9 Byte Plot and Character Distribution 91
8.9.1 Byte Plot examples 92
8.10 File System Record view 96
8.11 File Metadata view 98
8.11.1 Extract Metadata to File List Columns 98
8.12 … 100

8.1 DATA VIEWS SUMMARY

Each of the Forensic Explorer module tabs contains one or more of the following data views:

Data View Tabs
Folders: shows the folder structure of the examined device.
…: separates artifacts i…
…se
  begin
    ShowMessage('Next year you will be ' + inttostr(my_age));
    ConsoleLog('Next year you will be ' + inttostr(my_age));
  end;
end;
end.

Appendix 8 Icon Key

APPENDIX 8

Forensic Explorer icons, sorted by category (Category: Description):

Case: A Forensic Explorer case
Shadow Copy: A mounted shadow copy volume
Compound file: A folder holding the contents of an expanded compound file
Categorize dates: File System > Folders view > Category view
Device: A physical device, e.g. a hard drive
Device: A logical device, e.g. C: drive
File: A deleted file
File: A FAT dot directory entry
File: A FAT double-dot directory entry
File: A system file
File: An active file
File: An alternate data stream
File: Windows hard link (http://en.wikipedia.org/wiki/Hard_link)
Folder: A folder holding the results of a Forensic Explorer file carve
Folder: A deleted folder
Deleted items: Categorize deleted items, File System > Folders view > Category view
Folder: An active folder
Free space: Free space in partition
Image: A forensic image file
Image folder: Select an image from a folder
Navigation: An expandable branch folder structure
Navigation: Active branch plate
…se will then be expanded.
4. Use the branch plate and then filter with the File Signature column to display only Thumbnail Files in the list view.

Chapter 29 Legal

In This Chapter
29.1 This User Guide 332
29.2 Copyright 332
29.3 License agreement 332
29.4 Disclaimer 334

29.1 THIS USER GUIDE

This user guide is provided for information purposes only. All information provided in this user guide is subject to change without notice. Please check the website www.forensicexplorer.com for the latest version of the software and documentation.

29.2 COPYRIGHT

This user guide and its content is copyright of GetData Forensics Pty Ltd. All rights reserved. Any redistribution or reproduction of part or all of the contents in any form is prohibited without the express written permission of GetData Forensics Pty Ltd. Products and corporate names appearing in this user guide may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation and to the owners' benefit, without intent to infringe. Specific trademark owners who are well established i…
…selection window.

To select the source:
1. Highlight the required device or image file using the mouse.
2. Click the Next button to proceed to the destination window.

6.2.2 SELECTING THE DESTINATION

The image destination screen, shown in Figure 30 below, is where the parameters for the image file are set, including type, compression, name, location etc.

[Figure 30: Setting destination options. GetData Forensic Imager (BETA VERSION v4.0.0.124). Source: \\.\PHYSICALDRIVE1. Destination: Image type EnCase .e01; File Segment Size (MB) 2000; Output filename C:\Users\Graham\Desktop\My Aquisition Folder\Case 4285 USB1.E01. Hash Options: Calculate image MD5; Calculate image SHA1; Calculate image SHA256; Calculate SHA256 for each sector; Verify image hash after creation. EnCase Compression: None / Good (smaller but slower) / Best (smallest and slowest). Details: Case Name 4285; Evidence Number USB1; Unique Description "2gb USB drive located on office desk"; Examiner Graham Henley; Notes "Case 4285 2gb USB drive located on office desk said to be the property of Mr Smith". Back and Start buttons.]

1. SOURCE: The source field shows the device or image file selected in the pre…
…ses\Case Name\ contains:
Attached Evidence: external files (photos, documents etc.) attached to the case
DTSearchIndexes: DT Search keyword indexes
Exported: file export folder
Logs: program audit logs
CaseName.FEX: case file

REGISTRY KEYS

At the time of installation, Forensic Explorer registry keys are written to HKEY_CURRENT_USER as shown in Figure 14 below.

[Figure 14: Forensic Explorer registry keys. Computer > HKEY_CURRENT_USER > Software > GetData > ForensicExplorer > v1, with the subkeys Configuration, CurrentCase, Database, Folders and Forms.]

The Forensic Explorer GUI has been translated into the following languages:
• Chinese (Simplified)
• German
• Indonesian (Bahasa)
• Spanish
• Turkish

During the installation process, select the desired language.

IMPORTANT: It is recommended that a case be conducted in a single GUI language. Changing language mid-case may affect modules which rely on path and field names, such as Scripts and Reports.

STARTUP LANGUAGE

The startup language is controlled by the registry setting HKCU\Software\GetData\ForensicExplorer\v2\Configuration\DefaultLanguage, where the value is set to EN (default), DE, ID, ES, ZH or TR for the required language.

BOOKMARK FOLDER TRANSLATION

Bookmark folder translations can…
…sic Explorer.

[Figure 43: Display of a Reference in Forensic Explorer. Reference Library entry: Title "File System Forensic Analysis"; Author Carrier; ISBN 9780321268174; URL https://books.google.com.au/books?id=14gpAfABMAAJ; Pages; Publisher Addison-Wesley; Year 2005.]

To add the Reference Library toolbar button:
• Select File System module > Tools > Add Reference Library, as shown in Figure 44 below.

[Figure 44: Adding a Reference Library button to the toolbar. The Tools menu lists Backup Current Case, Backup Settings, Clear ALL File System Module Flags, Hide All Metadata Columns and Add Reference Library.]

A Reference Library button is then added to the File System module toolbar. By default the drop-down menu is populated with a sample reference item: this guide.

[Figure 45: Reference Library default listing: About Reference Library; GetData Forensics (2015) Manual, Link; Add Reference; Refresh References; Open Reference Library Folder.]

The reference is listed in the format Title, Author, Year, Type; if the reference has a link, a Link entry is added. Reference items displayed in the drop-down menu are dynamically generated from the content of the file User\Forensic Explorer\R…
…sic Explorer file carving engine 277
23.4.3 Carving using scripts 280

23.1 DATA RECOVERY OVERVIEW

An essential part of computer forensics is the ability to recover evidence from deleted data. Forensic Explorer automates the following data recovery procedures:
1. Recovery of deleted files within the existing file system
2. Recovery of orphaned folders in the existing file system
3. Recovery of folders from unallocated clusters
4. File carving from unallocated clusters

It is important for the forensic investigator to understand the methodology behind the recovery automation and to be able to validate recovery results manually. This chapter sets out to provide a description of the tools for automation and the methodology to validate search results.

It should be noted that the success of data recovery will depend on many factors, including:
• subsequent disk activity, which may have overwritten and corrupted data;
• the level of file fragmentation and the extent to which it can be tracked.

An investigator should always critically examine data recovery results before drawing conclusions.
Chapter 9 Working with data

[Figure 93: Date filter tool. The File List for Lexar 7GB USB.E01\Partition @ 63 (1429 items) shows the Filename, Created and Accessed columns, with a date range bar for the Accessed column spanning 2010 to 2012.]

The applied filter column is displayed in red, e.g. Accessed. To change filter criteria, click on the date icon in the Modified, Created or Accessed column and select the Show Date Range Tool for that column.

To apply a date filter, select and drag the slide bar pointers at either end of the date range to the required position on the date range bar. As the date range is narrowed, the filter is applied to the list view. In the example below the filter is set to show only files with a date between 2011 and 2012 (Figure 94: Application of date range sliders).

To modify the time scale, double-click at either end of the date range. To clear the date range filter, click on the clear icon. To close the date range filter, click the close icon.

The text filter tool is applied in a list view and allows instant t…
…sics is provided as a reference guide only. Not all commands and features in that documentation are available in Forensic Explorer. Delphi Basics is licensed for use from http://www.delphibasics.co.uk and may only be used with Forensic Explorer.

A typical Forensic Explorer script contains the elements described in the paragraphs below.

It is good programming practice to include comments within a script. Comments help anyone reading the script understand the author's intention. Comments are shown in the Script Editor window in red. To insert a comment:
• two forward slashes (//) mark a single-line comment;
• curly brackets { } enclose a comment that can be written over multiple lines.

A Forensic Explorer script starts with the word Program (although it is not explicitly required) and ends with End. A period after an End identifies the end of the program. These are examples of Reserved Words, set aside for special use and which cannot be used for any other purpose. Reserved words are shown in blue in the Script Editor window. Following is a list of reserved words in Forensic Explorer:

and, array, begin, case, const, div, do, downto, else, end, file, for, function, goto, if, in, label, mod, nil, not, of, or, packed, procedure, program, record, repeat, set, then, to, type, until, var, while, with, uses

Uses enable…
…sort result can be achieved by right-clicking on the column and, in the drop-down menu, selecting Sorting > Sort Ascending [column name] or Sort Descending [column name].

To sort by multiple columns using the keyboard:
1. Double-click on the first column heading, e.g. Filename. An arrow will appear showing the direction of the sort. Double-click again on the column heading to reverse the sort.
2. Hold down the SHIFT key on the keyboard.
3. Double-click on the second column heading, e.g. Full Path. A double arrow will appear to indicate that it is the second column in the sort.
4. Continue to add columns to the sort by following steps 1 to 3 above.

Figure 89: Sort by Filename, then Full Path, then Logical Size (Table View columns Filename, Full Path, Logical Size, each marked with its sort arrow).

A multi-column sort can also be achieved by right-clicking on the column heading:
1. Select the Sorting > Sort Multi Column menu item, shown below.

[Figure 90: Multi-column selection window "Sort Column Selection": Sort Columns (max 5, in order); Move Up; Move Down; Sort Order: Ascending.]

Visible columns are shown in the left-hand window.
1. Select the required sort columns.
2. Add the required sort columns to the right-hand window.
3. Use the Move Up and Move Down buttons to set the order in which to sort the colum…
…ss logging. Case log files are accessed by clicking the drop-down arrow for the process in the process list. Note: if logging is set to None, the link to the log file will be greyed out.

[Figure 42: Access Process Log Files, showing a finished process (Time Taken 00:00:22, 4:36:03 PM) with its log link.]

Case log files are stored in the path User\Documents\Forensic Explorer\Case Name\Logs. Application log files are stored in the path User\Documents\Forensic Explorer\AppLogs.

The priority setting is used to determine the number of computer processors allocated to the task. Low priority is allocated a single processing core. Normal and above are allocated multiple processing cores, if available.

Important: The speed of a multi-core process is influenced by computer hardware. With insufficient hardware resources, multi-core processing can lead to data bottlenecking and be slower than a single-core process. It is recommended that users test the speed of their hardware to ensure maximum processing speed.

7.6 REFERENCE LIBRARY

The purpose of the Reference Library is to put personal reference resources within easy reach of the investigator from within the Forensic Explorer interface. Reference information can be citation information only, or a link to an online resource or a local file.

Figure 43: Display of a Reference in Foren…
…ssor 137; Verify L01 108
Hash set 251
Hex view 86
Hits (Keyword Result List) 162
HPA 45
Index Search: Creating an index 167; Module 166; Searching an index 169
Information test 176
Installation 29
Investigators: Add, Edit, Delete 125
Is Deleted 148
JBOD 282
Keyword: Add 153; Edit or Delete 155; Group 156; Import 157; Regular expression (RegEx) 154
Keyword Search 152: Results 160; Run 158
L01: Export 107; Verify 108
License agreement 332
List view 77
Live Boot 302
Logical Size 148
MBR: Search for known 136
MD5 246 (see Hash)
Metadata: Extract to columns 98; View 98
Mobile Phone: see Phone
Modified 148
Module: Bookmarks 187; Email 175; Evidence 121; File System 143; Index Search 165; Keyword Search 151; Registry 179; Reporting 194; Scripts 215
Open Case 127
Orphans (NTFS) 273
Path: Case folders 32; Program 31; Registry keys 32; Working 31
Phone: Carve 279
Phone Module: Create custom module 229
Phonic: see Index Search
Physical size (column) 148
Preview (Evidence) 122
Purchase orders 24
RAID 282: Hardware 284; Software 285
Recover Folders: FAT 269, 274; NTFS 274
RegEx: Column filter 117; Keyword Search 154
Quick start guide 117
Registry: Location of registry files 180; Module 180
Registry file: Add from File System module 181; Add standalone 181
Save Case 1…
…sted with their Windows device number. Logical drives display the drive label; if no label is present, "no label" is used. Image files show the path to the image.

Size: The size column contains the size of the physical or logical device, or the size of the image file. Note that the reported size of a drive is usually smaller than the size printed on the drive label. This is because manufacturers report the size in decimal bytes (1 GB = 1,000,000,000 bytes), while the operating system reports the size in chunks of 1,024 bytes per KB (1,024 x 1,024 x 1,024 bytes per GB).

FS: The file system on the drive, e.g. FAT, NTFS or HFS.

Type: Describes the way in which the drive is connected to the computer. An image file will show the type of image, e.g. EnCase or RAW.

Acquisition of physical vs. logical device

In most situations, pending compliance with any overriding case-specific legal requirements, an investigator is most likely to select and image a physical device. Imaging the physical device gives access to the content of the entire media, for example the space between partitions. Carrier (2005) observes: "The rule of thumb is to acquire data at the lowest layer that we think there will be evidence. For most cases, an investigator will acquire every sector of a disk" (2, p. 48).

In specific circumstances an investigator may need to acquire a range of sectors from the device. In this case, start and end sector information is entered in the sector range fields at the bottom of the source…
…stralian language file.

This script identifies and bookmarks files by using the unique text dynamic-text.dat.
Description: "This file is sometimes referred to as a key logger for the iPhone, which is mostly true. Words get populated in this database by the user from keyboard inputs from numerous applications on the iPhone. Since this is a dynamic file, the data continues to grow." (iOS Forensic Analysis for iPhone, iPad and iPod touch, Sean Morrissey, 2010, Apress, p. 150) (20)
Output: Search query strings are bookmarked under the Address Book folder of the relevant iTunes Backup UUID folder. View the content of this file in the Hex or Text data views.

Source: iTunes Backup File b60c382887dfa562166f099f24797e55c12a94e4, Library\Maps\History.plist
Description: "The History.plist file located in the Maps directory will give you a list of previous searches using the Maps app as well as routes that were generated." (iOS Forensic Analysis for iPhone, iPad and iPod touch, Sean Morrissey, 2010, Apress, p. 155) (20) This can include GPS coordinates and names of locations.
Output: Search query strings are bookmarked under the Maps History folder of the relevant iTunes Backup UUID folder. Manually review the File Metadata view of the file for more detailed content.

SAFARI HISTORY

Source: iTunes Backup Files 1d6740792a2b845f4c1e6220c43906d7f0afe8ab (HomeDomain\Library\Safari\History.plist) and ed50eadf14505ef0b433e0c4a380526ad6656d…
…t Preview. [Figure: path bar for NIST 4Dell Latitude CPi.E01\Partition @ 63\Root, with a drop-down list of recent paths under Root\Documents and Settings\All … and the folders Favorites, Documents, Start Menu and Templates.]

• Click on a folder in the path to jump to that folder in the List view.
• Use the drop-down menu to jump to a recent path.

Folders filters are applied using scripts. See Filters, page 218, for more information.

9.12 COPY ROWS TO CLIPBOARD

Copy Row(s) to Clipboard is a function specific to a List view. It allows the text in the List view table to be copied and pasted directly into an external program like Microsoft Excel.

To copy rows to clipboard:
1. Highlight the required rows in the List view.
2. Right-click and select Copy Row(s) to Clipboard from the drop-down menu.

Chapter 10 Evidence Module

In This Chapter
10.1 Preview 122
10.2 … 124
10.2.1 … 125
10.3 … 127
10.3.1 …
…t been altered. The result of the hash is written into the Evidence tab of the Evidence module, as shown in Figure 115 below.

[Figure 115: Evidence module, Evidence tab, device hash. Beside the image properties (Description LEXAR USB; Notes "This is an EnCase 7 E01 image of a 7gb lexar usb test disk"; Acquiring Program 7.3.1.203; OS Version Windows 7; Acquired Date 17-May-12 2:25:55 PM; System Date 17-May-12 2:25:51 PM; Compression Unknown) the tab lists the Acquisition Hash (EnCase Hash MD5, stored in the image) and the Verification Hash (Hash MD5, Hash SHA1, Hash SHA256, calculated by Forensic Explorer), so the two MD5 values can be compared directly.]

A device hash can also be calculated at any time using the Verify Devices script. This script can be run either from the Analysis Scripts button in the File System module or directly from the Scripts module. See 21.4 for more information.

Signature Analysis

Signature analysis is the process of identifying a file by its header rather than by other means. For example, identifying a file by its signature is a more accurate method of classification than using the file extension (e.g. .jpg), as the extension can easily be altered. The signature analysis task can only take place subsequent to the identification of a file system; for this reason it is a sub-task of Search for File Systems, as shown in Figure 114 above. Signature analysis can…
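The two checks described above, as an added Python example (not Forensic Explorer's Verify Devices script or its signature engine): a header-based type lookup that flags files whose extension disagrees with their signature, and a recomputation of the acquisition MD5 for comparison with the stored value. The signature table, the sample files and their names are constructed for the example; an E01 image's acquisition hash covers the acquired device data, not the bytes of the E01 container, which is what the verify function expects to be given.

```python
import hashlib

# Constructed signature table: (magic bytes, offset, type name, extensions that legitimately carry it).
SIGNATURES = [
    (b"\xff\xd8\xff", 0, "JPEG", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", 0, "PNG", {"png"}),
    (b"GIF87a", 0, "GIF", {"gif"}),
    (b"GIF89a", 0, "GIF", {"gif"}),
    (b"%PDF-", 0, "PDF", {"pdf"}),
    (b"PK\x03\x04", 0, "ZIP container", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0, "OLE2 compound file", {"doc", "xls", "ppt", "msg"}),
    (b"MZ", 0, "Windows executable", {"exe", "dll", "sys", "scr"}),
]

def identify(data):
    """Type name and accepted extensions for the first signature found at its offset, else None."""
    for magic, offset, name, extensions in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name, extensions
    return None

def signature_analysis(filename, data):
    """Compare the header-derived type with the file extension: match, mismatch or unknown."""
    extension = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    found = identify(data)
    if found is None:
        return {"file": filename, "type": None, "status": "unknown"}
    name, extensions = found
    return {"file": filename, "type": name, "status": "match" if extension in extensions else "mismatch"}

def verify_acquisition_hash(device_stream, acquisition_md5):
    """Recompute MD5 over the acquired device data (not the E01 container bytes) and compare it
    with the MD5 recorded at acquisition time; case of the stored hex string is ignored."""
    return hashlib.md5(device_stream).hexdigest() == acquisition_md5.lower()

# Constructed files: a real JPEG name, a JPEG renamed .txt, a DOCX (ZIP container),
# an executable renamed .jpg, and data with no known signature.
SAMPLE_ITEMS = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64,
    "invoice.txt": b"\xff\xd8\xff\xe1\x00\x18Exif\x00\x00" + b"\x00" * 64,
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 64,
    "setup.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 64,
    "notes.dat": b"\x01\x02\x03\x04" + b"\x00" * 64,
}

def run_signature_analysis(items):
    """Status per file name, the column a signature analysis task adds to the file list."""
    return {name: signature_analysis(name, data)["status"] for name, data in items.items()}

if __name__ == "__main__":
    for name, status in run_signature_analysis(SAMPLE_ITEMS).items():
        print(name, status)
```

The mismatch rows are the ones worth a look: an executable carrying a .jpg extension is a classic way of hiding a tool on a drive, and a JPEG named .txt hides a picture from a search keyed on extension. "unknown" only means the signature table has no entry, not that the file is benign.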
291. table to iterate through each bookmarked file.

Chapter 17 Reports Module

(Screenshot residue: Insert As Field / Insert Items As Table.)

j. In the table selection window, use the Grid Table so that files in the bookmark folder (i.e. pictures) are entered horizontally across the screen in the gallery view format.

Figure 173: Selecting a Gallery View Table. (Screenshot residue: Style: Grid Table, one grid cell per item. The direction of the repeating records is indicated by the color shading.)

k. Double-click to select the Filename field to add to the report.

Figure 174: Select table fields. (Screenshot residue: Insert as Table, Selected Fields; available General fields include Bates, Filename, File Signature, File Category, Extension and Attributes.)

Click OK to proceed and the table will be inserted into the report.

Right-click on the pictures folder to confirm the levels on which the table will operate. Fully Recursive and Include Items Only will operate on all files in all subfolders.

(Screenshot residue: context menu with Fully Recursive (checked), Direct Children Only, Single Bookmark Only; Include Items Only (checked), Include Folders Only, Include Items & Folders; Copy (Ctrl+C).)

m. Click on the Preview tab of the Report editor to preview the report.
292. ta hardware or software RAID? A hardware RAID usually has a separate RAID controller card.
• What is the RAID format (JBOD, RAID 0, 1, 5, other)? Are the drives in the RAID identical in size and capacity? This information may be obtained from the system administrator or setup documentation.
• What is the RAID stripe size? This information may be determined from the RAID controller.
• How many physical disks make up the RAID?
• What is the sequence of the physical disks in the RAID? Noting or photographing the RAID controller port numbers may assist in determining drive sequence.
• Is the RAID complete and functioning? Are there missing drives?

24.3 ADDING A RAID TO A CASE

A RAID can be constructed and added to Forensic Explorer using:
1. Physical disks. Note: when using physical disks, a hardware write-blocking device is recommended to preserve forensic integrity.
2. Forensic image files, or
3. A combination of both physical disks and forensic image files.

To add a RAID drive to a case:
1. Click the button to add a device to the current case.
2. In the Device Selection window, click on the button. This opens the RAID configuration window.

Chapter 24 RAID

Enter the RAID configuration information.

(Screenshot residue: RAID Configuration window showing RAID 5 options: RAID Name (User RAID), First Checksum Device, Checksum rotation direction, Form
293. taining specific files rather than the traditional image of an entire volume or physical disk. They are usually created during a preview, where an investigator identifies file-based evidence worthy of preservation when an image of the entire volume or device is not warranted. Common Logical Evidence File formats are L01, created by EnCase forensic software (www.guidancesoftware.com), or AD1, by AccessData's Forensic Tool Kit (www.accessdata.com). Forensic Explorer enables files in a case to be exported to a logical evidence file (LEF) in L01 format; see 9.6.2 for more information.

Appendix 6 Definitions

Logical file space: The actual amount of space occupied by a file on a hard drive. It may differ from the physical file size because the file may not completely fill the total number of clusters allocated for its storage. The part of the last cluster which is not completely filled is called the file slack.

Lost OS Clusters: Clusters in a volume that have no file data. For NTFS this is calculated by accumulating all clusters associated with all the files in the MFT, including the unallocated clusters as derived from the $BITMAP record, then working out the space left over. For NTFS this is space that the OS might not be a

Further glossary terms in this part of Appendix 6: Master boot record (MBR) / Boot Sector, Master File Table (MFT), Metadata, Module, Mount Image Pro (MIP).
294. td, Suite 204, 13A Montgomery Street, Kogarah, New South Wales 2217, Australia. Phone: +61 (0)2 8208 6053. Fax: +61 (0)2 9588 1195. Hours: Australian Eastern Standard Time, 9am to 5.30pm, Mon to Fri.

Appendix 2 Write Blocking

APPENDIX 2 WRITE BLOCKING

IMPORTANT: An accepted principle of computer forensics is that, wherever possible, source data to be analyzed in an investigation should not be altered by the investigator.

If physical media such as a hard drive, USB drive, camera card etc. is a potential source of evidence, it is recommended that when the media is connected to a forensics workstation it is done so using a write block device.

A write block is usually a physical hardware device (a "write blocker") which sits between the target media and the investigator's workstation. It ensures that it is not possible for the investigator to inadvertently change the content of the examined device, and so maintains forensic integrity.

There are a wide variety of forensic write blocking devices commercially available. Investigators are encouraged to become familiar with their selected device, its capabilities and its limitations.

Shown below is a Tableau USB hardware write block. The source media, an 8 GB Kingston USB drive, is attached and ready for acquisition or analysis.

(Figure: Tableau USB write block with USB as the source drive.)
295. ter 8 Data Views

Figure 77: Metadata extraction scripts, File System module, Analysis Scripts button. (Screenshot residue: Metadata to columns: Exif, GPS, OLE, PDF, NTFS, LNK, Prefetch, ZIP. Bookmark: Digital Cameras Make/Model, GPS Photos, DOC/XLS/PPT by Author, DOC/XLS/PPT by Date Printed, PDF by Author, LNK by Device.)

The script used to extract metadata is located in the Scripts module in the path Scripts\File System\Metadata to Columns\Extract Metadata.pas. When run, columns are available to be added in the File System module. Learn how to add a column in section 9.8 Columns.

EXTRACTING METADATA IN THE EVIDENCE PROCESSOR

It is also possible to launch metadata extraction and bookmarking from the Evidence Processor when adding evidence to a case, as shown below.

Figure 78: Extract Metadata to Columns when adding evidence to a case. (Screenshot residue: Tasks tree: Filesystem (Process in Parallel): Verify Device Hashes, Search for Known MBRs, Search for Filesystems; Triage (Process in Parallel): Hash Files, Signature Analysis, ..., File Carve, Cache Thumbnails.)

8.12 FILE EXTENT

The default location for File Extent view is the bottom data view window, accessed via the File Extent tab. The File Extent
296. the following folder. To continue, click Next. If you would like to select a different folder, click Browse. (Destination: C:\Program Files\GetData\Forensic Explorer v1. At least 5.3 MB of free disk space is required.)

1. Follow the setup instructions and confirm the setup summary by clicking the Install button.

Figure 11: Finalize installation. (Screenshot residue: Ready to Install. Setup is now ready to begin installing Forensic Explorer on your computer. Click Install to continue with the installation, or click Back if you want to review or change any settings. Destination location: C:\Program Files\GetData\Forensic Explorer v1. Start Menu folder: GetData\Forensic Explorer v1. Additional tasks: Additional icons: Create a desktop icon; Create a Quick Launch icon.)

2. A successful install will display the following screen. Click Finish to confirm.

Chapter 5 Dongle Activation

Figure 12: Finish installation. (Screenshot residue: Completing the Forensic Explorer Setup Wizard. Setup has finished installing Forensic Explorer on your computer. The application may be launched by selecting the installed icons. Click Finish to exit Setup.)

3. Run Forensic Explorer from the installed desktop icon.

Figure 13: Desktop icon.

PROGRAM PATH

The default Forensic Explorer installation folder is C:\Program Files\GetData\Forensic E
297. the program; for example, the Registry module enables the investigator to add and browse registry files.

Mount Image Pro (MIP): A computer forensics software tool written and sold by GetData (www.mountimage.com) which enables the mounting of forensic image files as a drive letter on a Windows computer system. MIP is sold with Forensic Explorer. It is installed as a separate program but can be run from a shortcut in the Forensic Explorer toolbar.

Appendix 6 Definitions

Glossary terms (continued): MRU, Multi-core processing, NTFS, Ophcrack, Pane, Pascal, Partition, PCRE (Perl Compatible Regular Expression), Pre-processing a case.

MRU: Most Recently Used (MRU) is a term used to describe a list of the most recently opened files by an application. Many Windows applications store MRU lists as a way of allowing fast and consistent access to most recently used files. Most MRU lists are stored in the Windows registry.

Multi-core processing: A multi-core processor is a single computing component with two or more processors (cores). Each core is responsible for reading and processing program instructions. A multi-core process should be faster than the same process run on a single core. However, users are encouraged to test their workstations, as different hardware configurations can affect multi-core speed. Forensic Explorer provides the option to use multi-core processing in File Carving, Hashing and Keyword Search. The option is set
298. tings: Device to Boot: NIST 4Dell Latitude CPi.E01; Operating System: Windows XP Professional (Detected); Options: Boot to ISO (ISO image file), Boot Delay (secs): 1, Date/Time (UTC): 18 Dec 2014 11:57:37 AM, Start VMware, Bypass Logon; Logging: Normal; Priority: Normal.)

c. Click OK to launch Ophcrack in VMware.
d. Follow the on-screen Ophcrack prompts to commence the password breaking process, as shown in Figure 239 below.

Chapter 27 Live Boot

Figure 239: Ophcrack Password Breaking. (Screenshot residue: Ophcrack window with Load, Delete, Save, Tables, Stop and Help buttons and Progress, Statistics and Preferences tabs; a table of User, LM Hash, NT Hash, LM Pwd 1, LM Pwd 2 and NT Pwd rows for the Administrator, Guest, HelpAssistant and Mr Evil accounts; status: XP free media loaded 100% in RAM, Preload done, Brute force 89%, Pwd found 3/5, Time elapsed 0h 1m 5s.)

Once the required password is recovered, close the virtual machine and re-launch Live Boot without the ISO boot option checked. When presented with the Windows login screen, enter the recovered password to proceed.

Password bypass patches the forensic image in VMware to blank user passwords. Select the Bypass Logon checkbox in the Live Boot Op
299. tions window. At the Windows login screen, login with a blank password.

Chapter 27 Live Boot

27.7 TROUBLESHOOTING LIVE BOOT

Follow the checks below to troubleshoot Live Boot.

Can you Live Boot a NIST control image successfully?
• Download and boot the NIST Hacking Case EnCase image, available at http://www.cfreds.nist.gov/Hacking_Case.html. This image boots to Windows XP. A successful boot will assist you to determine if the error relates to the configuration of Live Boot or to the image that you are attempting to boot.

Is VMware Player or VMware Workstation installed?
• Check Live Boot Options (shown in Figure 234, Live Boot Options, above) to confirm the correct path to the VMware executable file. 64-bit paths are shown below:
  o VMPlayer: C:\Program Files (x86)\VMware\VMware Player\vmplayer.exe, OR
  o VMWorkstation: C:\Program Files (x86)\

Is Mount Image Pro v6 installed? Live Boot is not compatible with earlier versions.
• Check Live Boot Options (shown in Figure 234 above) to confirm the correct path to MIP v6:
  o C:\Program Files (x86)\GetData\Mount Image Pro v6\MIP.exe (64-bit path shown)

Mount Image Pro Cache and VMware Files
• Locate and delete the Live Boot working folder and then try again. The Live Boot working folder is in the following path: \[user]\Documents\Forensic Explorer\Cases\[Case Name]\Boot Image
300. to show only files specified in the filter criteria. The filter scripts are listed in the drop-down bar of a Folders view, as shown in Figure 179 below for the File System module (filters can be applied in the Folders view of other modules, including Email and Registry).

Figure 179: Tree view filter, File System Folders view. (Screenshot residue: Folders / Categories tabs; tree: Test case 1 > Lexar 7GB USB MKII.E01 (Local Time) > Partition @ 63 > Root, with folders 50th Birthday Cake (7), Architecture (209), EVW TEST SEQUENCE (60), Fish (5), Holden Photos (108), ..., LostFile_JPG.)

The JPEG Files by EXT.pas filter is shown below. A result of 1 is used to display content; a result of -1 is used to hide content.

    begin
      filename := UpperCase(anEntry.EntryName);
      fileext := ExtractFileExt(filename);
      // tests for specific extension
      if fileext = '.JPG' then
        Result := 1      // 1 = display, -1 = hide
      else
        Result := -1;
    end;

The filter can easily be modified to add additional file types.

SCRIPTS

Default scripts are separated into subfolders depending on the module in which they are used or their function.

SCRIPTS\COMMON

The Scripts\Common folder is used to hold scripts that are frequently called by other scripts. The Scripts\Common\Toolbar folder contains the scripts used to manage the default toolbar button navigation system provided
301. tors are reached using the Home and End keys. Pages of sectors can be scrolled using the Page Up or Page Down keys. Scroll by row using the mouse; hold down the SHIFT key to scroll by page. Or use the following keyboard shortcuts (D, E, F, N, Ctrl+N, Ctrl+P) to go to: Next deleted file, Entry, Free Space, Next File, Next different type, Previous file, Previous different type, System, Unallocated.

DISK VIEW GOTO

Disk view has a Goto command that allows the investigator to quickly jump to the desired sector. To open and use the Goto window:
• Right mouse click in the Disk view.
• The following window will appear:

Chapter 8 Data Views

Figure 55: Disk view Goto window. (Screenshot residue: From Where: Beginning of Data, Current position, End of data (back from).)

• In the Offset field, enter the required sector, then press the Go button.

To select a sector:
• Click on a sector with the mouse. The selected sector will be marked with a red border.

To select a range of sectors:
• Click on a sector with the mouse.
• Hold down the mouse key and drag the mouse over the required range of sectors. The range of sectors will show as selected, as seen in Figure 56 below. This enables other views, such as HEX view, to see the selected range.

Figure 56: Selecting a range of sectors in Disk view. (Screenshot residue.)
302. ttributes of each script:

Name: The script name is auto-generated from the script .pas file name.

Description and Author: These attributes are auto-generated from the comments at the start of the script.

Modified and Created: Script dates are auto-generated from the Windows date and time stamps of the .pas file.

Hash (SHA256): A SHA256 hash is calculated for each script. The hash is updated each time the Scripts window is refreshed. To manually refresh the Scripts window, right-click in the Scripts window and select the Refresh option from the drop-down menu. The purpose of the SHA256 hash is so that the investigator can validate the authenticity of a GetData script or a script from a trusted third party. GetData script hashes are published at http://www.forensicexplorer.com/scripts.php. If an installed script differs from the hash published on the web page, it means that the content of the script has changed.

Forensic Explorer is installed with a number of default scripts in the \Users\[user folder]\Documents\Forensic Explorer\ path. Scripts are separated into folders depending on their function. These include Filters, Scripts and Startup, as described below. The Scripts window is where scripts are created, copied, renamed and deleted.

Chapter 18 Scripts Module

FILTERS

Filters are scripts which perform the specific task of filtering displayed results
303. ule is accessed via the File System tab.

Figure 122: File System module tab (File System).

The File System module is the primary Forensic Explorer window, where actions such as highlighting, selecting, sorting, filtering, flagging, exporting and opening occur. For more information on these actions see Chapter 9, Working with data.

11.2 TOOLBAR

At the top of the File System module is the ribbon. The ribbon is a toolbar that holds buttons that perform functions of the program, such as hashing, data recovery or running scripts. It can also be used to create shortcuts to external programs.

The content of the ribbon in File System view is populated at startup by the startup.pas script. Subsequent to this, individual buttons or button groups can be added and removed by running scripts. See Chapter 18, Scripts Module, for more information on toolbar scripts.

11.3 FOLDERS VIEW

Folders view is located in the top left-hand window of the File System module. The Folders view is a hierarchical display of items, e.g. devices, partitions, folders etc. Like Microsoft's Windows Explorer, the Folders view is most commonly used to select a folder, causing the contents of the folder to be displayed in the adjacent List view (described further below).

At the top of Folders view is the case name, which acts as the root container for all other data. The case is the root of the tree from which all other data in the tree may be explored. Cop
304. um disk space used for system protection. As space fills up, older restore points will be deleted to make room for new ones. Current Usage: 0 bytes. Max Usage: ... Delete all restore points (this includes system settings and previous versions of files).)

When VSC is active on a volume, a Windows user can right-click on any file in Windows, select the Properties option for that file and then access the Previous Versions tab, shown in Figure 224 below.

Chapter 25 Shadow Copy

Figure 224: Windows file properties, Previous Versions. (Screenshot residue: "12 Days of Christmas.docx Properties". Previous versions come from restore points or from Windows Backup. Name / Date modified / Location columns listing nine versions of 12 Days... dated 19 Jul 13 between 5:26 PM and 5:57 PM, each from a restore point; Copy and Restore buttons.)

It is the ability to extract previous file versions which is of clear value to the investigator. It is possible, for example, that even though a file has been deleted and erased from the current file system, with
305. ust occur in the first five words; apple w/5 xlastword: apple must occur in the last five words.

If you use more than one connector (and, or, contains etc.), you should use parentheses to indicate precisely what you want to search for. For example: apple and pear or name contains smith.

Chapter 13 Index Search Module

For a more complex search which uses a phrase, use quotation marks around it, like this: apple w/5 "my fruit salad".

If a phrase contains a noise word, dtSearch will skip over the noise word when searching for it. For example, a search for "statue of liberty" would retrieve any document containing the word statue, any intervening word, and the word liberty.

A search word can contain the wildcard characters:
? Matches any character
= Matches any single digit
* Matches any number of characters

The wildcard characters can be in any position in a word. For example:
appl* would match apple, application etc.
*cipl* would match principle, participle etc.
appl? would match apply and apple, but not apples.
ap*ed would match applied, approved etc.

Note: Use of the wildcard character near the beginning of a word will slow searching.

13.5 SEARCH RESULTS

Search results display in the Index Results List view window, as shown in Figure 140 below. Select the relevant file in the Index Result List and the indexed content will display the Se
306. ver IP field of the GetData UDP Network Server. Ensure the Port number uses the same port as the GetData UDP Network Server. Click the Connect button to view the available physical and logical devices on the remote computer. Select the required device and click OK. The selected device should now appear under the Networked section of the Device Selection window, as shown in Figure 113 below.

Chapter 10 Evidence Module

Figure 113: Device Selection window showing a UDP-connected network device. (Screenshot residue: "Select the Device you want to analyse", with Label, Size, FS and Type columns listing SATA and USB physical drives and their NTFS/FAT32 volumes, including a WIBU CodeMeter Stick (CODEMETER, 38.6 MB, FAT32, USB).)

Click OK to begin processing of the drive.

To add an image file to a case:
1. Create a preview (see 10.1), a new case (see 10.2), or open an existing case (see 10.3).
2. In the Evidence module, click the Add Image button. If the Add Image button is inactive, click on the case name in the evidence window to activate the buttons.

Note: Due to the low-level processing requirements of most forensic investigations (e.g. se
307. vestigator's details are also saved into a local database to ensure that they are automatically available in the drop-down list for future cases. The default location for this database is C:\Users\[profile]\Documents\Forensic Explorer\DataBases\LocalInvestigator.rsv. To add, edit or delete an investigator, see 10.2.1 Managing Investigators below.

Chapter 10 Evidence Module

Working Folder is the location of the files for the case. Edit this location if required.

Case Description is used to briefly summarize the case. This information is used in other parts of the program, such as in the Recent Case section of the Evidence module.

Case Created identifies the date and time that the case is created, according to the local system clock.

Click OK in the New Case window to create the case. Working folders for the case are written (see Working Path, page 31) and the new case is saved for the first time. The Processes window will confirm when this process is complete. Evidence can now be added to the case; see Add evidence to a case on page 129.

To add, edit or delete an investigator, select Investigators from the Forensic Explorer drop-down menu.

Figure 104: Forensic Explorer drop-down menu. (Screenshot residue: Forensic Explorer menu with Save Case, Investigators, Options, Icon Editors.)

Select and edit the investigator as needed. Copyr
308. vidence time settings.

EXAMPLE: A new case is created with two evidence files.

Chapter 20 Date and Time

• Evidence1.E01 is from New York. The evidence time zone setting has been adjusted to USA EST to show New York time.
• Evidence2.E01 is from Los Angeles. The evidence time zone setting has been adjusted to USA PST to show Los Angeles time.

The suspect in New York created a file at 11 AM and immediately sent it to the suspect in Los Angeles. With evidence time adjusted:
• The New York computer has a file creation time of 11 AM.
• The Los Angeles computer has a file creation time of 8 AM (three hours earlier).

A case time setting of New York is then applied to the entire case:
• The New York computer has a file creation time of 11 AM.
• The Los Angeles computer has a file creation time of 11 AM.

Chapter 21 Hash Sets

In This Chapter

CHAPTER 21 HASHING
21.1 Hash values ... 246
21.2 (title unreadable) ... 246
21.3 (title unreadable) ... 246
21.4 Verification hash ... 247
21.5 (title unreadable) ... 248

21.1 HASH VALUES

A hash value is the numeric result of a mathematical calculation to uniquely identify a file or stream of data. A hash is o
309. view identifies the location of the highlighted item on the disk. It details the start, end and length of each data run for the item, giving the relevant sector, byte and cluster location. The file shown in Figure 79 below is a fragmented file with three data runs.

Figure 79: File Extent data view. (Screenshot residue; values as read from the page:)

Start Sector | End Sector | Length | Start Byte
11,205 | 13,468 | 2,204 | 5,736,960
34,813 | 51,324 | 16,512 | 17,824,256
58,337 | 4,064,444 | 4,006,088 | 29,878,704

Preview\FAT32 Photos.E01\Partition @ 63. BpS = Bytes per Sector; BpB = Bytes per Block (cluster).

Using the information displayed in the File Extent view it is possible to switch to Disk view and quickly locate the start or end sector of each data run.

Chapter 9 Working with data

In This Chapter

CHAPTER 9 WORKING WITH DATA
9.1 (title unreadable) ... 102
9.2 Highlighted and checked items ... 102
9.2.1 (title unreadable) ... 102
9.2.2 (title unreadable) ... 103
9.3 Add and edit bookmarks ... 104
9.4 (title unreadable) ... 104
9.5 Expand compound file ... 105
9.6 Export ... 105
9.6.1 Export Folders and (title unreadable) ... 105
9
310. vious window. This source field cannot be edited here. Select the Back button if a change to the source is required.

2. IMAGE TYPE

The investigator has the choice of creating the forensic image in one of the following forensic file formats:

DD / RAW: The DD/RAW format originates from the UNIX command line environment. A DD/RAW image is created from blocks of data read from the input source and written directly into the image file. The simplicity of a DD image makes it possible to compare the imaged data to the source, but the format lacks some of the features found in more modern formats, including error correction and compression.

Advanced Forensic Format (AFF): AFF is an extensible open format for the storage of disk images and related forensic metadata. It was developed by Simson Garfinkel and Basis Technology. Refer to http://afflib.org for further information.

EnCase E01: The EnCase E01 evidence file format was created by Guidance Software Inc. It is widely accepted in the forensic community as the image file standard. Further information is available at www.guidancesoftware.com. The structure of the EnCase E01 format allows for case and validation information (CRC and MD5) to be stored within the image file. The structure of the EnCase file format is shown below.

Chapter 6 Forensic Acquisition

Figure 31: EnCase header. Head
311. vro & Internet: HTML Documents (htm, html, shtml, phtml, php, php5, asp); Internet Explorer URL Cache Index.dat (dat); Internet Favorites (url); ShockWave Flash (swf).

Graphics: 3d Studio Max (max); Adobe InDesign file (indd); Adobe Photoshop (psd); AutoCAD Drawing file (dwg); AutoCAD DXF File (dxf); AutoCAD DX File (hpgl, hp, hpa, plt); AutoSketch (skf); Bentley MicroStation v7 Drawing (dgn); Bentley MicroStation v8 Drawing (dgn);

Appendix 3 File Carving

Bitmap (bmp); COREL Draw file (cdr); Postscript (eps); Form Document (fmz, fzb); Freehand 10 (fh10, fh11); Freehand 7 to 9 (fh9, fh7, fh8); Fuji Camera Raw (extension unreadable); GIS ShapeFiles (shp); GUE Map file (gue); ICO File (ico); JPEG 2000 (jp2); JPEG Digital Camera file (jpg, jpeg); Lightwave object (lwo); Lightwave scene (lws); MapSource file (gdb); Maya 3D file (mb); Microsoft Photodraw (mix); Microsoft Visio Drawing (vsd, vss, vst); Paintbrush file (pcx, scr); PaintShop Pro (psp); PaperPort (max); PNG Graphics file (png); Portable Graphics Map (ppm, pgm)
312. w and in the drop-down menu select Start Keyword Search. This will open the New Keyword Search window, shown in Figure 130 below.

Chapter 12 Keyword Search Module

Figure 130: New Keyword Search window. (Screenshot residue: Name: Keyword Search 1. Items to search: All items (1424 items); Selected items (0 items). Include: Unallocated space (5.95 GB); File slack (2.6 MB). Total items to be searched: 1424 items, 1.52 GB. Limits: Maximum hits per keyword per file (blank = unrestricted); Stop when total search hits reach (blank = unrestricted).)

Keyword search name: This is the name of the search that will be shown in the Keyword Tree window. The keywords selected for this search and the number of hits per keyword will be displayed under the keyword search name.

Data: Select the data upon which the search is to be carried out, e.g. data from the File System or the Registry modules.

Include: Search either all items or only those which have been checked.

Limits: Limitations can be set for the maximum number of hits per keyword per file and the total number of hits.

3. Click OK to commence the search. Each search runs in its own thread, so multiple keyword searches can be executed at any one time. The Processes window tracks the status of the search.
313. wing a mounted shadow copy. (Screenshot residue: Folders / Categories tabs; tree: Preview > 12 Days of Christmas Shadow Copy Test.E01 (Local Time) > Partition @ 2048 > Orphaned, Root (21); and a second Partition @ 2048 (19 Jul 13 7:37:52 AM) > Root (12).)

When a VSS has been added to the File System module, four new columns become available:
• VSS: Contains the color assigned to the shadow copy volume during the mount process. If a color has been assigned, this column is automatically added to the File System module at position 2.

The following columns can be manually added (Right-click > Columns > Edit Columns):
• VSS Date: The date of creation of the VSS.
• VSS GUID: The Windows GUID assigned to the VSS, e.g. C678AE98-F000-11E2-93BF-005056C00008.

Chapter 25 Shadow Copy

• VSS ID: The VSS snapshot ID.

To best examine different versions of a single file, a combination of the Folders Filter (see 9.11.4), the Branch Plate (see 8.2.3) and the text filter tool (see 9.11.2) can be used, as shown below.

Figure 228: Filtering different versions of the same file, showing the original and two VSS versions (green and red). (Screenshot residue: File List / Gallery View / Disk View tabs; text filter "12 days"; Preview 1; Filename and VSS columns listing 12 Days of Christmas Sha... / 12 Days of Christ
314. with Forensic Explorer.

Chapter 18 Scripts Module

• The default Startup.pas file described above initiates the creation of toolbars and buttons by calling scripts in the Common\Toolbar folder.
• Toolbar buttons are then managed by Scripts\Common\Toolbar\Manager.pas.

SCRIPTS\FILE SYSTEM

The Scripts\File System folder contains default scripts which are used in the File System module. This includes Hashing, Exporting and Skin Tone Analysis. Sub-folders include:

Scripts\File System\Disk view: The FileSystem\Disk View sub-folder contains scripts used to change block color in the Disk View window of the File System module. Colours are assigned using the color reference chart at http://en.wikipedia.org/wiki/Web_colors.

SCRIPTS\REGISTRY

The Scripts\Registry folder contains default scripts used to extract information from registry keys. The processing script is Registry Key Processor.pas.

SCRIPTS\SCRIPTS

Scripts\Scripts contains default scripts used in the Scripts module.

STARTUP

The Startup folder contains the script startup.pas: \[User Profile]\Documents\Forensic Explorer\Startup\startup.pas. The purpose of the startup.pas script is to run automatically when Forensic Explorer is launched and configure the interface. It can be individually configured by the investigator. For more information see 18.4 below.
315. ...ws 8 (including GPT partitioned drives).

    NOT currently supported:

    - Macintosh HFS

    27.4 LIVE BOOT WORKING FOLDER

    IMPORTANT: Live Boot requires a working folder to store the Mount Image Pro disk cache and VMWare working files. Each time a Live Boot VMWare session is started, a working folder is created in the root of the current case path, in the format: [user]\Documents\Forensic Explorer\Cases\[Case Name]\Boot\[Image Name] [Date Time stamp]

    As shown below:

    Figure 232: Current Case folder showing Live Boot working folder. [Figure residue: Forensic Explorer\Cases\NIST Hacking Case, containing AttachedEvidence, DTSearchIndexes, columns.xml and NIST Hacking Case.FEX.]

    The data for each Live Boot session is retained so that a Live Boot session can be re-opened in VMWare at a specific point in time. If individual sessions are no longer required, they can be deleted.

    27.5 HOW TO LIVE BOOT A FORENSIC IMAGE

    The following steps describe how to use Live Boot to boot a forensic image. In this example an E01 file from the NIST Hacking Case is used (http://www.cfreds.nist.gov/Hacking_Case.html).

    1. Check installed software: Ensure that all required software is installed, as detailed in section 27.2 above.
    2. Start a Forensic Explorer case:
       a. Run Forensic Explorer and start a Preview or Case. Add a forensic image file of a...
316. ...xplorer vX

    WORKING PATH

    The working path for a case is in the user profile documents folder: C:\Users\[user folder]\Documents\Forensic Explorer\

    - AppLogs: Forensic Explorer usage logs.
    - Cases: Contains the investigator-created case folders.
    - Databases: Holds case database files used to store case data, investigator names etc.
    - Filters: Filters are created in the Scripts module and used in the Folder view of the File System module. See 8.2.2 Tree view filter for more information.
    - Hash Sets: Holds the database files used to store hash set information.
    - Keywords: This folder is used to store sample keyword search import lists. They can be imported in the Keyword Search module.
    - Previews: A device or image can be previewed without first creating a case. A unique preview working folder is created within this folder using a Global Unique Identifier (GUID), e.g. 8709A41C-38B6-4F9E-BA18-633B394721C5.
    - Scripts: Holds Forensic Explorer scripts created and/or used in the Scripts module (.pas files are un-compiled, .bin files are compiled).
    - Startup: Holds the startup.pas script, used to store button positions etc. See the chapter on Scripts for further information.

    The following folders are created within each case folder (C:\Users\[user folder]\Documents\Forensic Explorer\Ca...
317. ...y

    [Figure residue: Folders view showing "File carve 1 (301)", Partition @ 63, Orphaned (12), Root (33), $Extend (4), 50th Birthday Cake (7), Aircraft Photos (5), Animals (6) and several "Carved JPG" folders.]

    SOURCE

    A File Carve is usually run on unallocated space. However, it is possible to carve on a specific file, such as the Windows page file or a backup file, by first checking the file in the File System module and then selecting to carve the checked items.

    CARVE SEARCH MODE

    Cluster based file carving: In a cluster based file system like FAT or NTFS, a new file must start in a new cluster. It follows that the file signature appears near a cluster boundary. Carving speed is therefore achieved by searching for file signatures only near cluster boundaries.

    Sector based file carving (recommended): It is recommended to perform a lower level search for sector aligned file signatures. This search may recover additional files, for example files from a previous volume which had a different cluster layout and are no longer aligned to current cluster boundaries. NOTE: Carving in sector mode will increase the length of the search.

    Byte based file carving: In certain situations it is necessary to data carve at a byte by byte level. This will locate additional files wh...
318. ...y some forensic tools. However, in February of 2005 it was announced that a theoretical weakness had been identified in SHA1, which suggests its use in this field may be short lived.

    6.7 SHA-256

    From 2011, SHA-256 is expected to become the new hash verification standard in computer forensics. SHA-2 is a set of cryptographic hash functions (SHA-224, SHA-256, SHA-384 and SHA-512) designed by the National Security Agency (NSA) and published by the USA National Institute of Standards and Technology.

    For more detailed information on hashing and how the strength of a hash value applies to the forensic investigator, suggested reading includes: The Hash Algorithm Dilemma - Hash Value Collisions, Lewis 2009, Forensic Magazine, www.forensicmag.com.

    Sector Hashing

    The fourth option in the hash section is "Calculate SHA-256 for each sector". When this option is selected, a separate SHA-256 hash for each individual sector of the target device is created and stored in the same folder as the image file.

    Like the more commonly used file hash, a sector hash can be used to:

    - Reduce the volume of a data set by excluding known and trusted sectors from the case. For example, the hash of a blank sector can be used as the identifier to eliminate the need to search all blank sectors in the case; or
    - Locate fragments of kn...
319. Figure 123: Folders View

    [Figure residue: Folders view for "Test Case 1" showing Lexar 7GB USB E01.E01, Partition @ 63, Orphaned (12), Root (28), $Extend (4), $RmMetadata (4), $Txf (0), $TxfLog (5), 50th Birthday Cake (7), Aircraft Photos (6), B24 (34), Bomber (51), Planes.]

    Note: The blue number in brackets, e.g. (2), counts the number of items inside the folder but does not count the contents of sub-folders.

    The following icons are used in Folders view:

    - Preview (indicating a case has not yet been saved) or Case name
    - A device, e.g. a hard drive or camera card
    - Boot partition
    - Partition
    - An expandable branch (folder structure)
    - An active folder
    - A deleted folder
    - Folders containing the results of a file carve. For more information about file carving see chapter 23.4 File carving.

    One of the folders displayed in Folders view is "Orphaned". Orphans are deleted folders and files for which the original parent folder is unknown. For more information on orphaned files see 23.3.2 NTFS orphans.

    11.4 CATEGORIES VIEW

    Categories view is located in t...
320. [Figure residue: Report Editor field list beside the bookmark tree (My Bookmarks > Evidence, Files, Documents, Pictures > Cats, Dogs, Email, Internet, Registry, Keyword Search, Index Search, Illicit Images, Triage, Hashset). Fields shown include Bookmark Comment, Bookmark Created, Bookmark Folder, Bookmark Modified, Bookmarked, Created, Data Size, Directory Level, File Category, File Signature, Hashset Category, HashSet Identified As, Hit Text and Filename, with a list of Cats*.JPG files.]

    Select the required fields with the mouse (use the CTRL key to select a group) and drag and drop the fields for the file onto the Report Editor window. In this example we are using the fields Filename, Created, Modified, Accessed and Path. Organize the fields into a vertical list, as shown in Figure 167 below.

    Figure 167: Report Editor Showing Fields. [Figure residue: Report Editor menu bar with File, Edit, Font, Paragraph, Format, Insert, Table.]
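The three carve search modes described in item 317 (cluster, sector and byte based) as an added Python example; this is illustration code written for this page, not Forensic Explorer's carving engine. The 512-byte sector, 4096-byte cluster, the JPEG header/footer signatures and the constructed "unallocated space" image are all assumptions.

```python
# Constructed layout assumptions: 512-byte sectors, 4096-byte (8-sector) clusters.
SECTOR = 512
CLUSTER = 4096
JPEG_HEADER = b"\xff\xd8\xff"   # JPEG SOI marker plus next marker prefix
JPEG_FOOTER = b"\xff\xd9"       # JPEG EOI marker
# A minimal JPEG-like fragment (constructed; not a valid picture).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 40 + JPEG_FOOTER


def build_sample_image() -> bytes:
    """Constructed 32 KiB of 'unallocated space' holding three copies of
    SAMPLE_JPEG: one on a cluster boundary, one on a sector boundary only,
    and one at an odd byte offset (e.g. left over from an older volume whose
    cluster grid differed from the current one)."""
    img = bytearray(8 * CLUSTER)
    for off in (CLUSTER, 3 * CLUSTER + SECTOR, 5 * CLUSTER + 77):
        img[off:off + len(SAMPLE_JPEG)] = SAMPLE_JPEG
    return bytes(img)


def carve(image: bytes, mode: str) -> list:
    """Return [(offset, data)] for every JPEG header found, scanning with the
    step size of the chosen search mode: 'cluster' (fastest, cluster-aligned
    files only), 'sector' (the manual's recommendation) or 'byte' (slowest)."""
    step = {"cluster": CLUSTER, "sector": SECTOR, "byte": 1}[mode]
    found = []
    for off in range(0, len(image) - len(JPEG_HEADER) + 1, step):
        if image[off:off + len(JPEG_HEADER)] == JPEG_HEADER:
            end = image.find(JPEG_FOOTER, off)
            end = len(image) if end == -1 else end + len(JPEG_FOOTER)
            found.append((off, image[off:end]))
    return found


def compare_modes(image: bytes) -> dict:
    """Number of files recovered per mode: the speed/coverage trade-off."""
    return {m: len(carve(image, m)) for m in ("cluster", "sector", "byte")}


if __name__ == "__main__":
    img = build_sample_image()
    for mode, count in compare_modes(img).items():
        print(f"{mode:8s} mode: {count} JPEG(s) found at",
              [off for off, _ in carve(img, mode)])
```

Cluster mode misses the sector-aligned copy, sector mode misses the byte-offset copy, and byte mode finds all three at the cost of scanning every position.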
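The two uses of per-sector SHA-256 hashes listed in item 318 (excluding blank or trusted sectors, and locating fragments of a known file) as an added Python example, not GetData's code. The 512-byte sector size, the constructed 16-sector image and the constructed "known file" are assumptions.

```python
import hashlib

SECTOR = 512  # assumed sector size; the manual hashes each device sector

# Constructed 'known file': three distinct sector-sized pieces (1536 bytes).
KNOWN_FILE = b"".join(hashlib.sha256(b"known-file-%d" % i).digest() * 16
                      for i in range(3))
BLANK_SECTOR_HASH = hashlib.sha256(b"\x00" * SECTOR).hexdigest()


def sector_hashes(data: bytes, sector: int = SECTOR) -> list:
    """SHA-256 of each sector in order; a short final sector is hashed as-is."""
    return [hashlib.sha256(data[i:i + sector]).hexdigest()
            for i in range(0, len(data), sector)]


def build_sample_image() -> bytes:
    """Constructed 16-sector image: mostly blank, one unrelated sector, and the
    known file stored fragmented (sectors 0-1 at LBA 3, sector 2 at LBA 11)."""
    img = bytearray(16 * SECTOR)
    img[3 * SECTOR:5 * SECTOR] = KNOWN_FILE[:2 * SECTOR]
    img[11 * SECTOR:12 * SECTOR] = KNOWN_FILE[2 * SECTOR:]
    img[7 * SECTOR:8 * SECTOR] = b"unrelated data".ljust(SECTOR, b".")
    return bytes(img)


def triage(image: bytes, known_file: bytes) -> dict:
    """Apply both uses of sector hashes: drop blank/trusted sectors, and find
    sectors matching a known file. Matches only occur where the image's sector
    grid lines up with the file's original on-disk layout; a copy stored at a
    non-sector-aligned offset would not be found this way."""
    img_hashes = sector_hashes(image)
    known = {h: i for i, h in enumerate(sector_hashes(known_file))}
    blank, fragments, to_examine = [], [], []
    for lba, h in enumerate(img_hashes):
        if h == BLANK_SECTOR_HASH:
            blank.append(lba)
        elif h in known:
            fragments.append((lba, known[h]))   # (image sector, file sector)
        else:
            to_examine.append(lba)
    return {"blank": blank, "known_fragments": fragments,
            "to_examine": to_examine}


if __name__ == "__main__":
    result = triage(build_sample_image(), KNOWN_FILE)
    print("blank sectors excluded:", len(result["blank"]))
    print("known-file fragments (image LBA, file sector):",
          result["known_fragments"])
    print("sectors still to examine:", result["to_examine"])
```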
