Saturday, 17 November 2018

Convert VDI image

Some quick notes on virtual machine formats.

There was a VirtualBox VDI file which EnCase and FTK Imager couldn't mount - EnCase v8.05 was unable to even read the partitions while FTK Imager v4.1.1.1 could read the partitions but not the filesystem in the partitions.

Initially I tried to convert to VMDK format using VirtualBox's vboxmanage internalcommands:
vboxmanage internalcommands converthd -srcformat VDI -dstformat VMDK <inputfile> <outputfile>

but it produced the following error:
VBoxManage.exe: error: Cannot copy the image: VERR_VD_INVALID_TYPE


Subsequently, thanks to the post by Namareba食べたい, I successfully converted the image file with the following command:
vboxmanage clonemedium disk <inputfile> <outputfile> --format VMDK

and the resultant VMDK file was read and mounted successfully by EnCase.
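The post does not say what made converthd reject the image, and the two commands above need a running VirtualBox. When an image will not convert or mount, it helps to read the VDI header directly first. The following is an added example of mine, not code from the post or from VirtualBox: it decodes the format-1.1 header using the offsets from VirtualBox's VDICore.h (signature 0xBEDA107F at 0x40, image type at 0x4C, size fields from 0x170, UUIDs from 0x188) and flags the things an examiner would want to know before converting, such as an image that references a parent (a differencing disk) or a block map or data region that runs past the end of the file (a truncated copy). The sample header and the check function are my construction.

```python
"""Inspect a VirtualBox VDI (format 1.1) header and sanity-check it before conversion."""
import struct
import uuid

VDI_SIGNATURE = 0xBEDA107F
# Image types as numbered in VirtualBox's VDICore.h (VDI_IMAGE_TYPE_*).
VDI_TYPES = {1: "dynamic", 2: "fixed", 3: "undo", 4: "differencing"}
PREHEADER_LEN = 0x48     # 64-byte text banner + 4-byte signature + 4-byte version
HEADER_V11_LEN = 0x190   # fixed 400-byte header that follows the pre-header in format 1.1


def parse_vdi_header(data):
    """Return the fields of a VDI 1.1 header as a dict; ValueError if it is not one."""
    if len(data) < PREHEADER_LEN + HEADER_V11_LEN:
        raise ValueError("too small to hold a VDI 1.1 header")
    # The banner text changed across VirtualBox releases; the signature at 0x40 identifies the format.
    signature, version = struct.unpack_from("<II", data, 0x40)
    if signature != VDI_SIGNATURE:
        raise ValueError(f"bad VDI signature 0x{signature:08X}")
    major, minor = version >> 16, version & 0xFFFF
    if (major, minor) != (1, 1):
        raise ValueError(f"unsupported VDI format version {major}.{minor}")
    hdr_size, img_type, flags = struct.unpack_from("<III", data, 0x48)
    off_blocks, off_data = struct.unpack_from("<II", data, 0x154)
    disk_size, block_size, block_extra, n_blocks, n_alloc = struct.unpack_from("<QIIII", data, 0x170)
    return {
        "banner": data[:64].split(b"\x00", 1)[0].decode("ascii", "replace").rstrip(),
        "version": f"{major}.{minor}",
        "header_size": hdr_size,
        "type": VDI_TYPES.get(img_type, f"unknown({img_type})"),
        "flags": flags,
        "off_blocks": off_blocks,          # start of the block map (one uint32 per block)
        "off_data": off_data,              # start of the block data
        "disk_size": disk_size,
        "block_size": block_size,
        "block_extra": block_extra,
        "blocks": n_blocks,
        "blocks_allocated": n_alloc,
        "uuid_create": uuid.UUID(bytes_le=data[0x188:0x198]),
        "uuid_linkage": uuid.UUID(bytes_le=data[0x1A8:0x1B8]),   # parent image UUID for a differencing disk
    }


def check_vdi(hdr, file_size):
    """Findings worth knowing before converting: an unknown type, a dependency on a
    parent image, or geometry that does not fit in the file (truncated or damaged copy)."""
    findings = []
    if hdr["type"].startswith("unknown"):
        findings.append("unknown image type")
    if hdr["uuid_linkage"].int != 0:
        findings.append(f"references parent image {hdr['uuid_linkage']}; not self-contained")
    if hdr["blocks_allocated"] > hdr["blocks"]:
        findings.append("more blocks allocated than the disk has")
    map_end = hdr["off_blocks"] + hdr["blocks"] * 4
    data_end = hdr["off_data"] + hdr["blocks_allocated"] * (hdr["block_size"] + hdr["block_extra"])
    if max(map_end, data_end) > file_size:
        findings.append(f"image truncated: needs at least {max(map_end, data_end)} bytes, file has {file_size}")
    if hdr["blocks"] * hdr["block_size"] < hdr["disk_size"]:
        findings.append("block count too small for the stated disk size")
    return findings


def build_sample_header(img_type=1, disk_size=1 << 30, block_size=1 << 20, n_alloc=0, parent_hex=None):
    """Constructed VDI 1.1 header for demonstration only; not taken from a real image."""
    hdr = bytearray(PREHEADER_LEN + HEADER_V11_LEN)
    hdr[0:40] = b"<<< Oracle VM VirtualBox Disk Image >>>\n"
    struct.pack_into("<II", hdr, 0x40, VDI_SIGNATURE, 0x00010001)
    n_blocks = -(-disk_size // block_size)               # ceiling division
    off_blocks = 0x200
    off_data = -(-(off_blocks + n_blocks * 4) // 0x200) * 0x200   # block map, then sector-aligned data
    struct.pack_into("<III", hdr, 0x48, HEADER_V11_LEN, img_type, 0)
    struct.pack_into("<II", hdr, 0x154, off_blocks, off_data)
    struct.pack_into("<IIII", hdr, 0x15C, 0, 0, 0, 512)  # legacy geometry: unused, sector size 512
    struct.pack_into("<QIIII", hdr, 0x170, disk_size, block_size, 0, n_blocks, n_alloc)
    hdr[0x188:0x198] = uuid.uuid4().bytes_le
    if parent_hex:
        hdr[0x1A8:0x1B8] = uuid.UUID(parent_hex).bytes_le
    return bytes(hdr)


if __name__ == "__main__":
    sample = build_sample_header()
    hdr = parse_vdi_header(sample)
    print(hdr["type"], hdr["disk_size"], hdr["blocks"], check_vdi(hdr, len(sample)))
```

To run it against a real file, read the first 472 bytes of the .vdi into `parse_vdi_header` and pass the file's size to `check_vdi`; a "references parent image" finding tells you the image cannot be converted on its own, and a "truncated" finding means the copy you were handed is incomplete regardless of what any converter reports.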

Tuesday, 18 September 2018

Weekly roundup - 16 Sep 2018

Quick roundup of two articles read last week:

  1. https://www.magnetforensics.com/blog/android-messaging-forensics-sms-mms-and-beyond/
    Jamie McQuaid at Magnet Forensics blogged about the various databases on Android from which SMS/MMS data can be found, with a brief mention of Samsung logs and the newer "Android Messages" application. I do wish there was more information about the icing_mmssms.db database though, such as how and when messages will differ between icing_mmssms.db and the normal mmssms.db.


  2. https://www.magnetforensics.com/blog/qualcomm-phone-edl-mode/
    Magnet Forensics put up a post on getting Qualcomm phones into Emergency Download (EDL) mode via three options, with a link to Aleph Security's detailed post on exploiting EDL programmers.


In other news, Apple launched the new iPhone XS, XS Max, and XR at the iPhone event 2018, which go up to 512GB of storage. This is going to be a headache for acquisitions and e-discovery...

Saturday, 4 August 2018

Windows folder deletion

It is pretty well known that when files are deleted in Windows Vista or later, two files are created in the Recycle Bin - the $I file and $R file. Most forensic tools are smart enough to piece the two files together to present the examiner with the original filename, original path, and deletion date. What happens when it is not a file but a folder that is deleted?

To test, I created a folder with 3 text files in it, then deleted the entire folder. The following shows the artefacts found in my Recycle Bin:

Ignore the .ORF and .JPG files for now. Note the matching $I and $R 'files' highlighted in red (the $R 'file' is actually a directory).
paladin@paladin:<redacted>$ ls -l
total 9
-rwxrwxrwx 1 root root  129 Nov 20  2017 desktop.ini
-rwxrwxrwx 1 root root  108 Jul  4 13:35 $I5SL57R.ORF
-rwxrwxrwx 1 root root  108 Jul  5 06:44 $I6O696O.ORF
-rwxrwxrwx 1 root root   66 Jul 27 06:09 $IBN1JFG
-rwxrwxrwx 1 root root  108 Jul  4 13:35 $IFXKF3C.JPG
-rwxrwxrwx 1 root root  108 Jul  4 13:35 $IJP866D.JPG
-rwxrwxrwx 1 root root  108 Jul  4 13:35 $IK0XWGY.ORF
-rwxrwxrwx 1 root root  108 Jul  4 13:34 $IRBWPPL.JPG
-rwxrwxrwx 1 root root  108 Jul  4 13:34 $IWMRGZO.ORF
drwxrwxrwx 1 root root 4096 Jul 27 06:03 $RBN1JFG

As expected, the $R 'file' contained the contents of the deleted folder, without the accompanying $I files.
paladin@paladin:<redacted>$ ls -l \$RBN1JFG
total 2
-rwxrwxrwx 2 root root 76 Jul 27 06:02 file_copy.txt
-rwxrwxrwx 2 root root 75 Jul 27 06:02 file_move.txt
-rwxrwxrwx 2 root root 70 Jul 27 06:01 file_orig.txt

Looking at the $I file, we can see the original path of the folder, as well as the deleted date of "D0 8D 9F 64 70 25 D4 01" which corresponds to 27 July 2018 06:09:35 UTC+0.
paladin@paladin:<redacted>$ hexdump -e '8/1 "%02X ""\t"" "' -e '8/1 "%c""\n"' \$IBN1JFG
02 00 00 00 00 00 00 00   
DD 00 00 00 00 00 00 00  �
D0 8D 9F 64 70 25 D4 01  Ѝ�dp%�
13 00 00 00 43 00 3A 00  C:
5C 00 54 00 65 00 6D 00  \Tem
70 00 5C 00 66 00 6F 00  p\fo
6C 00 64 00 65 00 72 00  lder
5F 00 64 00 65 00 6C 00  _del

The above short experiment explains why certain files in the Recycle Bin are not displayed with their corresponding deletion times in a certain tool, as the tool was not able to match the parent folder's deletion time to the files contained within.

Separately, the .ORF and .JPG $I files were files that I had previously deleted and restored. It would appear that Windows leaves the $I files in the Recycle Bin for restored files and only deletes them if the file in the Recycle Bin was deleted. However, that bears more testing/research for another day.
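The $I layout read off the hexdump above (8-byte version, 8-byte original size, 8-byte FILETIME, 4-byte path length, UTF-16LE path) is small enough to parse by hand, which is what a tool has to do to attach the folder's deletion time to the files inside its $R directory. The following is an added example of mine, not code from the post or from any of the tools it names. The sample $I bytes are reconstructed from the values shown in the hexdump; the listing is the ls output above. The version-1 layout (a fixed 520-byte path buffer, used from Vista to 8.1) is included so the parser handles both formats. Note that the size field, 0xDD = 221, matches 76 + 75 + 70, the sizes of the three files in $RBN1JFG.

```python
"""Parse Windows Recycle Bin $I metadata files and pair them with their $R entries."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 260 * 2   # version 1 (Vista to 8.1) stores a fixed MAX_PATH UTF-16LE buffer


def filetime_to_datetime(ft):
    """FILETIME is 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_dollar_i(data):
    """Decode one $I file: version, original size, FILETIME deletion time, original path."""
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_BYTES]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)   # character count, NUL terminator included
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("path field truncated")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size, "deleted": filetime_to_datetime(ft), "path": path}


def pair_recycle_entries(names):
    """Group $I and $R names by the shared id and extension ('BN1JFG' in the listing above)."""
    groups = {}
    for name in names:
        if name[:2] in ("$I", "$R"):
            groups.setdefault(name[2:], {})[name[:2]] = name
    return groups


def orphan_dollar_i(names):
    """$I files with no $R counterpart, as seen above for the restored .ORF/.JPG files."""
    return sorted(k for k, g in pair_recycle_entries(names).items() if "$R" not in g)


def children_deletion_times(folder_meta, child_names):
    """Files inside a deleted folder's $R directory have no $I of their own;
    their deletion time is the folder's, so propagate it to each child."""
    return {child: folder_meta["deleted"] for child in child_names}


# Constructed sample: $IBN1JFG rebuilt from the hexdump values (version 2, size 0xDD,
# FILETIME D0 8D 9F 64 70 25 D4 01, 19 UTF-16 characters including the NUL), 66 bytes as in ls -l.
SAMPLE_I_V2 = (struct.pack("<QQQI", 2, 0xDD, 0x01D42570649F8DD0, 19)
               + "C:\\Temp\\folder_del\x00".encode("utf-16-le"))
# Constructed version-1 equivalent (fixed 520-byte path buffer) for the older layout.
SAMPLE_I_V1 = (struct.pack("<QQQ", 1, 0xDD, 0x01D42570649F8DD0)
               + "C:\\Temp\\folder_del".encode("utf-16-le").ljust(V1_PATH_BYTES, b"\x00"))
# The Recycle Bin listing from the ls -l output above.
SAMPLE_LISTING = ["desktop.ini", "$I5SL57R.ORF", "$I6O696O.ORF", "$IBN1JFG", "$IFXKF3C.JPG",
                  "$IJP866D.JPG", "$IK0XWGY.ORF", "$IRBWPPL.JPG", "$IWMRGZO.ORF", "$RBN1JFG"]
SAMPLE_CHILDREN = ["file_copy.txt", "file_move.txt", "file_orig.txt"]

if __name__ == "__main__":
    meta = parse_dollar_i(SAMPLE_I_V2)
    print(meta["path"], meta["size"], meta["deleted"].isoformat())
    print("orphan $I files:", orphan_dollar_i(SAMPLE_LISTING))
    print(children_deletion_times(meta, SAMPLE_CHILDREN))
```

On a real Recycle Bin, read each $I with `open(path, "rb").read()` and feed it to `parse_dollar_i`; for an id whose $R is a directory, walk that directory and apply `children_deletion_times` so the contained files are reported with the folder's deletion time rather than none at all.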

*Update*
Read more on the testing of residual $I files by Phill Moore at ThinkDFIR and Yogesh Khatri.

Sunday, 18 February 2018

Installing SIFT

SANS Investigative Forensics Toolkit (SIFT): https://github.com/sans-dfir

The current recommended way is to install via the SIFT command-line tool (sift-cli) as opposed to using the older bootstrap method or SaltStack.

The following steps are what I did on my installation of Ubuntu 16.04 (Xenial Xerus):

1) Download the latest release files
Note: grab the latest release files from https://github.com/sans-dfir/sift-cli/releases/latest (version 1.5.1 at the time of writing).
$ wget https://github.com/sans-dfir/sift-cli/releases/download/v1.5.1/sift-cli-linux
$ wget https://github.com/sans-dfir/sift-cli/releases/download/v1.5.1/sift-cli-linux.sha256.asc


2) (Optional) Verify downloaded files
Grab the PGP key and verify the signed SHA256 signature.
$ gpg --keyserver pgp.mit.edu --recv-keys 22598A94
$ gpg --verify sift-cli-linux.sha256.asc
$ shasum -a 256 -c sift-cli-linux.sha256.asc
(or, equivalently: $ sha256sum -c sift-cli-linux.sha256.asc)


3) 'Install' sift-cli
$ sudo mv sift-cli-linux /usr/local/bin/sift
$ chmod 755 /usr/local/bin/sift


4) Use sift-cli to install latest SIFT
$ sudo sift install


Wait for it to finish (took pretty long on my installation) and you're done!
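Step 2 runs the checksum tool straight on the clearsigned .asc file, which works because sha256sum and shasum skip lines they cannot parse and only act on the "hash  filename" line inside the signed message. The following is an added example of mine, not sift-cli's code: it extracts that line from a clearsigned listing and checks a downloaded file against it, using a constructed fixture so it runs offline. It does not check the PGP signature; that is what `gpg --verify` in step 2 does, and without it a matching hash only shows the file agrees with the listing, not that the listing came from the SIFT maintainers.

```python
"""Check a downloaded file against a PGP-clearsigned SHA-256 listing (sift-cli style)."""
import hashlib
import os
import tempfile

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"


def extract_clearsigned_body(text):
    """Return the lines of the signed message body: after the armor headers and the
    blank line that ends them, up to the signature block, with dash-escaping undone.
    This does not verify the signature; gpg --verify does that."""
    lines = text.splitlines()
    if BEGIN_SIGNED not in lines:
        return lines                      # a plain .sha256 file, nothing to strip
    start = lines.index(BEGIN_SIGNED) + 1
    while start < len(lines) and lines[start].strip():   # skip "Hash: SHA256" and friends
        start += 1
    start += 1                                           # skip the blank separator line
    try:
        end = lines.index(BEGIN_SIG, start)
    except ValueError:
        raise ValueError("clearsigned message has no signature block")
    return [ln[2:] if ln.startswith("- ") else ln for ln in lines[start:end]]


def parse_checksum_lines(lines):
    """Parse 'HEX  filename' lines as written by sha256sum / shasum -a 256."""
    entries = []
    for ln in lines:
        parts = ln.strip().split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue                      # like sha256sum -c, ignore lines that are not checksums
        digest, name = parts
        entries.append((digest.lower(), name.lstrip("*")))   # a leading '*' means binary mode
    return entries


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_listing(listing_text, directory):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'} for every entry in the listing."""
    results = {}
    for digest, name in parse_checksum_lines(extract_clearsigned_body(listing_text)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if sha256_of_file(path) == digest else "FAILED"
    return results


def demo():
    """Constructed fixture: a placeholder 'binary' and a clearsigned listing for it,
    checked once as-is and once with the digest tampered. Returns both result dicts."""
    with tempfile.TemporaryDirectory() as d:
        blob = b"constructed placeholder, not the real sift-cli binary\n"
        with open(os.path.join(d, "sift-cli-linux"), "wb") as f:
            f.write(blob)
        good = hashlib.sha256(blob).hexdigest()
        listing = "\n".join([
            BEGIN_SIGNED, "Hash: SHA256", "",
            f"{good}  sift-cli-linux",
            BEGIN_SIG, "", "iQEz...constructed, not a real signature...",
            "-----END PGP SIGNATURE-----", "",
        ])
        ok = check_listing(listing, d)
        bad = check_listing(listing.replace(good, "0" * 64), d)
        return ok, bad


if __name__ == "__main__":
    print(demo())
```

Against the real download, pass the text of sift-cli-linux.sha256.asc and the directory holding sift-cli-linux to `check_listing`, after `gpg --verify` has accepted the signature.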

Some other useful commands for keeping your SIFT installation up to date:

Update existing VM:
$ sift update

Upgrade to new release:
$ sift upgrade

Magnet Summit 2022 Virtual CTF - Windows

Magnet Forensics recently concluded their Virtual CTF for the Magnet Summit 2022.  Participants were provided with the following three image...