Cyber Forensics

Digital Forensics Investigation through OS Forensics (Part 3)

In Part 2 of this article, we have covered Recent Activity, Deleted File Search, Mismatch File Search, Memory Viewer, and Prefetch Viewer. This article will cover some more features/ functionalities of OS Forensics.

To Read Part 2 of this article click here.

Raw Disk Viewer

On a drive, file system files and directories generally store data, but when forensics examines drives, we need a deeper inspection to find evidence within the raw sectors of the drive image. These sectors are not accessible through the Operating system but we can access the raw sectors through OS Forensic’s Raw Disk Viewer.

Raw Disk Viewer includes text/hex searching, highlighting of relevant disk offsets, and decoding of known disk structures (such as MBR, GPT)

Source: https://www.osforensics.com

Using Raw Disk Viewer

To start with open OSF and click on Raw Disk Viewer

OS forensics digital investigation

From the disk drop down to select the Evidence we want to investigate.

Click on the config button and make the required changes. We can specify the sector range limit, highlight the file types by different colors, include/exclude file system objects.

OS forensics digital investigation

To look for a particular file/sector/offset click on Jump To button, we can see a screen to select any particular file or offset.

To get the details of any particular file select file and browse the file.

Click on open and then OK, the file will open in HEX for investigation.

OS forensics digital investigation

Click on the decode button to get the details of the file. This will provide the cluster number and sector of the file.

Right click on the file to get all the available options of the file/offset/cluster.

OS forensics digital investigation

Searching and Bookmarking in Raw Disk Viewer

Click on Search button, a screen will appear where we can search for Hex or Text and continue. This will search the particular text or Hex within the raw sectors and will display the result.

Click on bookmark button on the main screen of Raw Disk Viewer. we can create the bookmarks for the relevant evidence.

Create a new bookmark by specifying its start offset and end offset. We can differentiate the bookmark through its color.

OS forensics digital investigation

The bookmark saved will get listed.

If we click on the bookmark the offset range will get highlighted on the main screen and will mark the starting of the offset with a flag and color of the flag is that of the bookmark.

This concludes the Raw Disk Viewer.

Registry Viewer

Registry viewer enables to investigate the registries of evidence.

To start with open the registry viewer, we can select the drive/evidence we want to work on. All the registry files in that particular drive/evidence will get listed on the right side.

OS forensics digital investigation

Double Click on any file and we can navigate to the registries and can get all the details.

This concludes Registry Viewer

File System Browser

File system browser enables us to navigate to the Drive/Evidence.

OS forensics digital investigation

We can navigate through all the files/directories and perform multiple activities. In file system browser we have the other options of OSF as well like File search, Mismatch search, Create Index, Create signature. Some of these features we have already talked about and some of them we will discuss in coming articles.

We can check the “Show Deleted File” option by clicking on Tools > Option > Show Deleted File.

 The deleted files/directories (if any) will also get listed and will be marked with a red cross.

This concludes the File System Browser.

Passwords

Passwords feature enable us to retrieve the password-related information of the evidence. We can store passwords within the browser, use Windows Login Passwords, create a rainbow table by making multiple combinations of the passwords, and retrieve the passwords from the rainbow table. Under OSF passwords also have an option to decrypt an encrypted file.

To start with open OSF and select passwords

OS forensics digital investigation

The first tab is Find Passwords & Keys. This tab allows us to recover stored passwords from the browser, Outlook, Windows auto logon, etc. We can either perform a live acquisition of the current machine. Alternatively, we can choose Scan Drive and select any specific drive or piece of evidence.

Next, click on the Config button. Check the types of passwords you want to recover. Then, select the decryption settings based on your requirements. We can include our own dictionary file, or we can use an automatic dictionary. If the credentials are known, we can also provide Windows login credentials. Finally, click OK.

Then, Click on Acquire passwords button to start the process.

All the passwords/product keys will get listed.

OS forensics digital investigation

The below image is the passwords acquisition of the Current Machine for better understanding as the evidence we were working on doesn’t any stored wireless network.

Then, Select Windows Login Password , select the Drive/evidence and click Acquire passwords

We will list all the information. If there is any saved password, we will list it, and we can also get info about it; we can obtain the NT hash and LM hash of the password from which we can recover the password.

Generating and Using Rainbow Tables

We have an option to generate a rainbow table. This is used to create a list of passwords with different combinations and permutations. We can choose from the different options/combinations from the drop down. More huge and complex the inputs are the longer the time it will take.

OS forensics digital investigation

Browse the file path where we want to save the table and if required modify the parameters. Click on create a rainbow table button to start with the process.

Depending on the complexity the process will start.

Password through a rainbow table. If the password is within the rainbow table we have created and we have the NT hash and LM Hash we can recover the passwords  (however this ). TO achieve this we need to add the folder of the Rainbow table under “Select Rainbow Table” and can either enter the raw hash or can browse the file which may contain the hash, if the password is present within the rainbow table, we will get the password.

In the image we are browsing the file “hash.txt”, we have saved in windows login password (shown above)and the rainbow table we have created.

OS forensics digital investigation

Click on the recover Password/s button to start the process; if the rainbow table finds the password present in Hash.txt, we will get the result.

In the above, we haven’t found the password as it must be not present inside the table. Also, these tables have certain limitations and have a success rate of 95 % (approx). There are other methods as well for the recovery of passwords we will be discussing on other articles.

This concludes Passwords.

To learn more about Cyber Forensics. Follow this Link

Author: Ankit Gupta, the author, and co-founder of this website, an ethical hacker, forensics investigator, penetration testing researcher and telecom expert. He has found his deepest passion to be around the world of telecom, cyber security and digital forensics. Contact Here