
Friday, June 4, 2010

Forensic Practical Exercise #4

I have previously posted a couple of different practical exercises here for people to work through and practice. You can see the previous ones here: Practical #1, Practical #2, Practical #3.

This exercise is going to be a little more theoretical because I cannot share the data that I have and I have no ability to make additional data for sharing.

So here is the scenario (BTW, it's a real scenario). Local police detectives have responded to the scene of a homicide. During their investigation they have discovered that there is a CCTV system that may have caught the entire event on video. Being conscious of preserving the data, they called the security company responsible for installing the CCTV system, who promptly responded and shut down the CCTV system. The technician pulled the hard drive out and gave it to the detectives, who have now given it to you with one simple request: "find the evidence". They want you to extract the videos so they can review them to see if it is useful in helping solve the case. Sounds simple eh?

Being the energetic examiner that you are, you quickly image the hard drive and begin an initial analysis. Once imaged, you load the image into EnCase and see a single 100GB FAT32 volume containing hundreds of files in the root directory of the volume. There are no subdirectories (other than some file system generated directories that contain no data). Information about the volume looks like this:


The files in the root directory look like this:


The video data from each day is recorded and stored in one or multiple files depending on the amount of data recorded. Each file has the extension of "XBA". The file header looks like this:


You then export several files out to your local working drive and attempt to view them using a freely available video viewer. Each attempt to view fails and the viewer reports the file is corrupted. A quick look at the exported files shows they are each 32,768 bytes in length, even though EnCase reports a different size for each file you exported.

Ideas?..........Let the questions begin... please use the comment function below so everyone can benefit from questions and answers already given.
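As an added example (not code from the original post), the script below parses a FAT32 volume the way an export tool does and compares each root-directory file's recorded size with the length of its FAT cluster chain. It is built around one hypothesis the page itself does not confirm: 32,768 bytes is the default cluster size for a FAT32 volume of 100 GB, so exports that are all exactly one cluster long are consistent with directory entries that carry the full file size while the FAT chain ends after the first cluster. The image is constructed in memory; the recorder's real on-disk layout, the XBA format and the contiguous-write assumption behind carve_sequential are all assumptions.

```python
import struct

# Constructed toy geometry (not the DVR's real volume): 512-byte sectors and
# 64 sectors per cluster = 32,768-byte clusters, the Windows default for
# FAT32 volumes larger than 32 GB.
BYTES_PER_SECTOR = 512
SECTORS_PER_CLUSTER = 64
RESERVED_SECTORS = 1
SECTORS_PER_FAT = 1            # 128 FAT32 entries, plenty for this image
FAT_EOC = 0x0FFFFFF8           # end-of-chain marker (anything >= this)
FAT_BAD = 0x0FFFFFF7


def sample_payload(n):
    """Deterministic constructed file content (stands in for real XBA data)."""
    return bytes(i % 256 for i in range(n))


def build_image(file_size, chain_clusters):
    """Constructed FAT32 image with one root file VIDEO001.XBA of file_size
    bytes written contiguously from cluster 3, but whose FAT chain records only
    chain_clusters clusters.  chain_clusters=1 reproduces the symptom that
    every export is exactly 32,768 bytes long."""
    cb = BYTES_PER_SECTOR * SECTORS_PER_CLUSTER
    data_sector = RESERVED_SECTORS + SECTORS_PER_FAT
    start, needed = 3, -(-file_size // cb)           # cluster 2 is the root dir
    img = bytearray((data_sector + (needed + 2) * SECTORS_PER_CLUSTER) * BYTES_PER_SECTOR)
    # BIOS parameter block fields a FAT32 parser needs
    struct.pack_into("<HBHB", img, 11, BYTES_PER_SECTOR, SECTORS_PER_CLUSTER, RESERVED_SECTORS, 1)
    struct.pack_into("<I", img, 36, SECTORS_PER_FAT)
    struct.pack_into("<I", img, 44, 2)                # root directory cluster
    img[510:512] = b"\x55\xAA"
    # FAT: media/reserved entries, root dir = one cluster, then the file chain
    fat = RESERVED_SECTORS * BYTES_PER_SECTOR
    struct.pack_into("<III", img, fat, 0x0FFFFFF8, 0x0FFFFFFF, FAT_EOC)
    for i in range(chain_clusters):
        nxt = start + i + 1 if i < chain_clusters - 1 else FAT_EOC
        struct.pack_into("<I", img, fat + 4 * (start + i), nxt)
    # Root directory entry: 8.3 name, archive attribute, start cluster, size
    root = data_sector * BYTES_PER_SECTOR
    img[root:root + 11] = b"VIDEO001XBA"
    img[root + 11] = 0x20
    struct.pack_into("<H", img, root + 20, start >> 16)
    struct.pack_into("<H", img, root + 26, start & 0xFFFF)
    struct.pack_into("<I", img, root + 28, file_size)
    # File data laid down contiguously, regardless of what the FAT says
    first = root + (start - 2) * cb
    img[first:first + file_size] = sample_payload(file_size)
    return bytes(img)


def parse_boot(img):
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", img, 11)
    spf, = struct.unpack_from("<I", img, 36)
    root, = struct.unpack_from("<I", img, 44)
    return {"cluster_bytes": bps * spc, "fat_off": reserved * bps,
            "fat_entries": spf * bps // 4, "root": root,
            "data_off": (reserved + nfats * spf) * bps}


def walk_chain(img, geo, start):
    """Follow a FAT32 chain; stops at EOC, free/bad entries, out-of-range
    values and loops, so a damaged FAT cannot hang the walker."""
    chain, c = [], start
    while 2 <= c < min(geo["fat_entries"], FAT_BAD) and c not in chain:
        chain.append(c)
        c, = struct.unpack_from("<I", img, geo["fat_off"] + 4 * c)
        c &= 0x0FFFFFFF                              # top 4 bits are reserved
    return chain


def cluster_offset(geo, n):
    return geo["data_off"] + (n - 2) * geo["cluster_bytes"]


def root_entries(img, geo):
    """Yield (name, start_cluster, size) for live 8.3 entries in the root dir."""
    for c in walk_chain(img, geo, geo["root"]):
        off = cluster_offset(geo, c)
        for i in range(0, geo["cluster_bytes"], 32):
            e = img[off + i:off + i + 32]
            if e[0] == 0x00:
                return                               # end of directory
            if e[0] == 0xE5 or e[11] == 0x0F or e[11] & 0x08:
                continue                             # deleted, LFN piece, volume label
            base, ext = e[:8].decode("ascii").rstrip(), e[8:11].decode("ascii").rstrip()
            hi, = struct.unpack_from("<H", e, 20)
            lo, = struct.unpack_from("<H", e, 26)
            size, = struct.unpack_from("<I", e, 28)
            yield (base + "." + ext if ext else base), (hi << 16) | lo, size


def audit(img):
    """Compare each file's recorded size with its FAT chain length;
    exportable_bytes is all a FAT-following export can hand you."""
    geo, rows = parse_boot(img), []
    for name, start, size in root_entries(img, geo):
        chain = walk_chain(img, geo, start)
        rows.append({"name": name, "size": size,
                     "expected_clusters": -(-size // geo["cluster_bytes"]),
                     "chain_clusters": len(chain),
                     "exportable_bytes": min(size, len(chain) * geo["cluster_bytes"])})
    return rows


def carve_sequential(img, wanted):
    """Recover a file by reading `size` bytes straight on from its first
    cluster, ignoring the FAT.  Assumption: the recorder wrote contiguously."""
    geo = parse_boot(img)
    for name, start, size in root_entries(img, geo):
        if name == wanted:
            off = cluster_offset(geo, start)
            return bytes(img[off:off + size])
    return None


if __name__ == "__main__":
    img = build_image(100_000, chain_clusters=1)
    for row in audit(img):
        print(row)
    print(len(carve_sequential(img, "VIDEO001.XBA")), "bytes carved")
```

Against a real 100 GB image, memory-map the file (an mmap object supports the slicing and struct.unpack_from calls used here) rather than reading it into memory. Whatever carve_sequential returns is only a candidate: check that the recovered data carries the expected XBA header at the start and that a viewer accepts it before treating the contiguous-write assumption as established.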

Thursday, January 31, 2008

Forensic Practical #2

I have posted some answers to the first forensic practical here. Based on the lack of answers/feedback on the first one, it was either too difficult or nobody was really interested, so I will post an easier second problem and see how this one goes.

Scenario:
An employee named Castor Troy has just abruptly left a software company that he has worked at for the past 5 years. His departure was sudden and somewhat suspicious. Co-workers said he came in very early the day he quit and seemed "panicked".

Due to his tenure, he had access to some critical intellectual property. When he left, the IT department assumed control of his computer and briefly examined it pursuant to an HR request. They found several zip files in the user's home folder containing some critical information. HR has referred this to legal counsel and you have been retained to provide whatever information you can about what happened and what, if anything, may have left the company when the employee quit. The information found in the user's folder is critical IP, but the employee had access to even more sensitive information deemed very secret.

Inside Counsel would like to know if any of that information was accessed or copied. Your mission, if you choose to accept it, is to conduct a forensic examination and provide whatever factual information you can to counsel so they can decide if further legal action is necessary.

Good luck, have fun, and as always, if you are caught I will deny any knowledge of your existence.

Download Here

Forensic Practical #1 - Answers

A few weeks ago I posted a forensic practical along with a basic scenario. You can review it here. A few readers posted some comments, some of them on target, but not nearly in-depth enough. Here is a summary of key points that should have been observed.

1. WINDOWS/system32/inetsrv/rpcall.exe is malware and would be identified by an AV scan. The behavior of this malware is to scan for additional vulnerable machines, which is what caused the network traffic. This executable is set to run at boot through the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key.

2. Looking at the creation date of rpcall.exe should reveal some interesting things, most notably that every file in the parent folder (\windows\system32) has the same created date/time. This is not normal and is indicative of some sort of timestamp manipulation tool. Such tools normally rewrite only the $STANDARD_INFORMATION timestamps that Explorer and most tools display; the $FILE_NAME timestamps in the same MFT record are not settable through the normal file API and are worth comparing.

3. Sorting by filename would have revealed a prefetch file created 06/18/04. Sorting on creation time from that file would show that prefetch files for several other executables of interest were created near that same time:

ping.exe
cacls.exe
cmd.exe
sms.exe

4. Looking for sms.exe would result in finding no executable named that, but there must have been one at some point if there was a prefetch file, right?

5. An exam of the UserAssist keys (whose value names are stored ROT13-encoded) shows several programs run by the user account of "vmware". One of which is "UEME_RUNPATH:C:\System Volume Information\_restore{00D8A395-89D5-46B8-A850-E02B0F637CE5}\RP2\snapshot\Repository\FS\sms.exe". What the heck is a user doing executing something out of a system restore point folder?

6. Searching unallocated space for "sms.exe" in Unicode (UTF-16LE, the encoding NTFS and the registry use for names) would reveal some interesting results.

7. Searching the $LogFile would also reveal some interesting results for the keyword sms.exe, including a complete MFT record for that file and its MAC timestamps. In addition there is an interesting fragment of text from what appears to be a batch file named del10.bat.

8. A search for del10.bat would reveal several hits, including a complete MFT record in the $LogFile with timestamps and its appearance in two prefetch files, those of sms.exe and cmd.exe.

9. reset5setup.exe is a crack used to bypass Windows activation.

There are more artifacts, but the above listed ones are a good start.
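Points 3, 5 and 8 lean on two artifacts worth being able to read without a GUI. The following is an added example, not code from the post or from EnCase: it parses the Windows XP (format version 17) prefetch header for the executable name, run count, last-run time and the list of files the process touched, and decodes the ROT13 value names that UserAssist stores. The prefetch files, timestamps and UserAssist string are constructed samples modelled on the artifacts the answers describe, not the practical's evidence; the path check in suspicious_runpath is a hypothetical heuristic.

```python
import codecs
import struct
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)


def to_filetime(dt):
    """datetime -> Windows FILETIME (100 ns ticks since 1601), integer math only."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def build_prefetch(exe, last_run, run_count, loaded):
    """Constructed Windows XP (version 17) prefetch file: the fixed header,
    followed by the UTF-16LE list of files the process touched.  Only the
    fields parsed below are populated; the trace sections are left empty."""
    names = ("\x00".join(loaded) + "\x00").encode("utf-16-le")
    hdr = bytearray(0x98)
    struct.pack_into("<I4s", hdr, 0x00, 17, b"SCCA")              # version, signature
    struct.pack_into("<I", hdr, 0x0C, len(hdr) + len(names))       # file size
    hdr[0x10:0x10 + 2 * len(exe)] = exe.encode("utf-16-le")        # exe name, max 29 chars
    struct.pack_into("<II", hdr, 0x64, len(hdr), len(names))       # filename strings off/len
    struct.pack_into("<Q", hdr, 0x78, to_filetime(last_run))       # last run (FILETIME)
    struct.pack_into("<I", hdr, 0x90, run_count)                   # run count
    return bytes(hdr) + names


def parse_prefetch(data):
    version, sig = struct.unpack_from("<I4s", data, 0x00)
    if sig != b"SCCA" or version != 17:
        raise ValueError("not a Windows XP (version 17) prefetch file")
    exe = data[0x10:0x4C].decode("utf-16-le").split("\x00")[0]
    names_off, names_len = struct.unpack_from("<II", data, 0x64)
    last_run, = struct.unpack_from("<Q", data, 0x78)
    run_count, = struct.unpack_from("<I", data, 0x90)
    loaded = [s for s in data[names_off:names_off + names_len]
              .decode("utf-16-le").split("\x00") if s]
    return {"exe": exe, "run_count": run_count,
            "last_run": from_filetime(last_run), "loaded": loaded}


def prefetches_referencing(prefetch_files, needle):
    """Executables whose prefetch file lists `needle` among the files touched,
    which is how del10.bat surfaced in the sms.exe and cmd.exe prefetch files."""
    hits = []
    for data in prefetch_files:
        pf = parse_prefetch(data)
        if any(p.upper().endswith("\\" + needle.upper()) for p in pf["loaded"]):
            hits.append(pf["exe"])
    return hits


def decode_userassist(value_name):
    """UserAssist value names are ROT13-encoded; recover the UEME_* form."""
    return codecs.decode(value_name, "rot_13")


def suspicious_runpath(decoded):
    """Hypothetical heuristic: flag execution from a System Restore point."""
    p = decoded.split(":", 1)[1] if decoded.startswith("UEME_RUNPATH:") else decoded
    return "\\system volume information\\_restore" in p.lower()


# Constructed samples, not the practical's evidence
SAMPLE_RUN = datetime(2004, 6, 18, 14, 30, 5)
SAMPLES = [
    build_prefetch("SMS.EXE", SAMPLE_RUN, 1,
                   [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
                    r"\DEVICE\HARDDISKVOLUME1\DEL10.BAT"]),
    build_prefetch("CMD.EXE", SAMPLE_RUN + timedelta(seconds=2), 3,
                   [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CMD.EXE",
                    r"\DEVICE\HARDDISKVOLUME1\DEL10.BAT"]),
    build_prefetch("PING.EXE", SAMPLE_RUN + timedelta(seconds=40), 12,
                   [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\PING.EXE"]),
]
SAMPLE_USERASSIST = (r"HRZR_EHACNGU:P:\Flfgrz Ibyhzr Vasbezngvba\_erfgber"
                     r"{00Q8N395-89Q5-46O8-N850-R02O0S637PR5}\EC2\fancfubg\Ercbfvgbel\SF\fzf.rkr")

if __name__ == "__main__":
    for data in SAMPLES:
        pf = parse_prefetch(data)
        print(pf["exe"], pf["run_count"], pf["last_run"], len(pf["loaded"]), "files")
    print("references DEL10.BAT:", prefetches_referencing(SAMPLES, "del10.bat"))
    decoded = decode_userassist(SAMPLE_USERASSIST)
    print(decoded, "<- restore point" if suspicious_runpath(decoded) else "")
```

The version check matters: Vista and later prefetch files use versions 23, 26 and 30 with different offsets, and Windows 10 files are additionally MAM-compressed, so this parser deliberately refuses anything but the XP layout the practical uses.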

Friday, January 18, 2008

Forensic Practical

I run several honeypots and I decided to take some of the malware found on the honeypots and install it on clean computer systems and watch its behavior. To take it a step further for those of you who like to hone your forensic skills, I have decided to post an evidence file of the machine with the malware, and describe a simple scenario that a first responder or examiner would likely face in examining this evidence.

SCENARIO:

A user in a company is using WinXP Home (just go with me on this ;) and he notices his computer is acting funny. He calls the IT staff over and after some digging around they determine something is definitely wrong. When they do a netstat they see hundreds of connection attempts. They pull the machine offline and image it. They did happen to speak to their netsec people before they pulled it offline, who captured a small amount of network traffic to and from the WinXP system.

The image is provided here in the EnCase evidence format (400mb).

A network capture in tcpdump format is provided here (230kb).


This is not rocket science people, it is a fairly simple exam, but it is a good training example and a very common scenario. Please feel free to download and examine the evidence file and network capture, and then post any comments on what you find.

Computer Forensics, Malware Analysis & Digital Investigations
