Digital Forensics Investigation through OS Forensics (Part 3)

In Part 2 of this article we have covered Recent Activity, Deleted File Search, Mismatch File Search, Memory Viewer and Prefetch Viewer. This article will cover some more features/ functionalities of OSForensics.

To Read Part 2 of this article click here.

Raw Disk Viewer

On a drive data is generally stored in file system files and directories but when it comes to forensics we need a more deeper inspection of drives we can have a evidence within the raw sectors of the drive , image . These sectors are not accessible through Operating system but we can access the raw sectors through OS Forensic’s Raw Disk Viewer.

Raw Disk Viewer includes text/hex searching, highlighting of relevant disk offsets, and decoding of known disk structures (such as MBR, GPT)

Source : https://www.osforensics.com

To start with open OSF and click on Raw Disk Viewer

From the disk dropdown select the Evidence we want to investigate.

Click on the config button and make the required changes. We can specify the sector range limit, highlight the file types by different colors, include/exclude file system objects.

To look for a particular file/sector/offset click on Jump To button, we can see a screen to select any particular file or offset.

To get the details of any particular file select file and browse the file .

Click on open and then OK, the file will open in HEX for investigation.

Click on the decode button to get the details of the file. This will provide the cluster number and sector of the file.

Right click on the file to get all the available options of the file/offset/cluster.

Click on Search button, a screen will appear where we can search for Hex or Text and continue . This will search the particular text or Hex within the raw sectors and will display the result.

Click on bookmark button on the main screen of Raw Disk Viewer . we can create the bookmarks for the relevant evidences.

Create a new bookmark by specifying its start offset and end offset. We can differentiate the bookmark through its color.

The bookmark saved will get listed .

If we click on the bookmark the offset range will get highlighted on the main screen and will mark the starting of the offset with a flag and color of the the flag is that of the bookmark.

This concludes Raw Disk Viewer.

Registry Viewer

Registry viewer enables to investigate the registries of an evidence.

To start with open the registry viewer, we can select the drive/evidence we want to work on. All the registry files in that particular drive/evidence will get listed on the right side.

Double Click on any file and we can navigate to the registries and can get all the details.

This concludes Registry Viewer

File System Browser

File system browser enables us to navigate to the Drive/Evidence.

We can navigate through all the files/directories and perform multiple activies . In file system browser we have the other options of OSF as well like File search, Mismatch search, Create Index, Create signature. Some of these features we have already talked about and some of them we will discuss in coming articles.

WE can check the “Show Deleted File” option by clicking on Tools > Option > Show Deleted File.

The deleted files/directories (if any) will also get listed and will marked with a red cross .

This concludes File System Browser.

Passwords

Passwords feature enable us to retrieve the password related information of the evidence. These passwords could be passwords stored within the browser, Windows Login Passwords, WE can also create a rainbow table by making the multiple combination of the passwords and retrieve the passwords from the rainbow table. Under OSF passwords also have an option to decrypt an encrypted file.

To start with open OSF and select passwords

The first tab is to Find Passwords & Keys , this will allow to the recover the stored password from the browser , outlook , windows auto logon passwords , etc. We can either do the live acquisition of current machine or Scan Drive and select any drive or evidence.

Click on Config button, check the passwords you want to recover. Select the decrepton settings based on requirements, we can include our dictionary file or can use an automatic dictionary. If credentials are known we can provide windows login credentials and click OK.

Click on Acquire passwords button to start the process.

All the passwords / product keys will get listed.

The below image is the passwords acquisition of the Current Machine for better understanding as the evidence we re working on doesn’t any stored wireless network.

Select Windows Login Password , select the Drive/evidence and click Acquire passwords

All the information will get listed. If there is any saved password it will get listed also we can get info about it also we can get NT hash and LM Hash of the password from which we can recover the password.

We have an option to generate rainbow table. This is used to create a list of passwords with different combinations and permutations. We can choose from the different options / combinations from the drop down . More huge and complex the inputs are the longer the time it will take.

Browse the file path where we want to save the table and if required modify the parameters. Click on create rainbow table button to start with the process.

Depending on the complexity the process will start.

Password through rainbow table. If the password is within the rainbow table we have created and we have the NT hash and LM Hash we can recover the passwords (however this ). TO achieve this we need to add the folder of the Rainbow table under “Select Rainbow Table” and can either enterthe raw hash or can browse the file which may contain the hash , if the password is present within the rainbow table , we will get the password .

In the image we are browsing the file “hash.txt” , we have saved in windows login password (shown above)and the rainbow table we have created .

Click on recover Password/s button to start the process , if the password present in Hash.txt is found in rainbow table we will get the result .

In the above we haven’t found the password as it must be not present inside the table. Also these tables have certain limitations and have the success rate of 95 % (approx). Their are other methods as well for recovery of passwords we will be discussing on other articles.

This concludes Passwords.

For more on OSForensics wait for the next article.

Author: Ankit Gupta, the author and co-founder of this website, an ethical hacker, forensics investigator , penetration testing researcher and telecom expert. He has found his deepest passion to be around the world of telecom, cyber security and digital forensics. Contact Here

Convert Virtual Machine to Raw Images for Forensics (Qemu-Img)

This is a very handy little application. It’s been developed by the QEMU team. The software is very useful when dealing with virtualization, Qemu-img is available for both windows and Linux. Its function is to give you the ability to change the format of a given virtual disk file to the majority of the popular virtual disk formats that are used across platforms. Let’s say you are using virtual box in Windows and want to migrate the virtual disk to be used on a mac, in parallels, you can use this simple program to achieve this with minimum effort.

Our purpose of writing about this today is slightly different from Qemu-img’s mainstream usage, we want to focus on how we can use this application to convert a virtual disk image, whole or split into a .raw file that can be used with most of the popular forensic frameworks that are available.

Let’s start up Qemu-img on our Linux machine

At the terminal prompt type “qemu-img –h”

This will show you all the options that can be used with qemu-img

Right at the end of the information that is presented after the command given above is used, we can see all the formats supported by this application.

Here is a list of all the formats that are compatible with Qemu-img

Now let’s see how this application comes in handy for use in forensics.

In a situation where a virtual disk is part of the acquisition and further dedicated analysis is required, the virtual disc can be converted into .raw format.

Let’s begin.

Since our goal is to analyze the virtual disk, we are using the image file from Windows 7 installed on VMWare. The file in question is in .vmdk format.

Just a heads up, when you convert a virtual disk file to a .raw file, the size of the converted file can be quite big, so make sure you have enough space.

Here is our .vmdk file

For ease of use, we have placed the .vmdk file in a folder named Qmeu on the desktop. The terminal is opened from within the folder.

At the terminal prompt type “qemu-img convert -f vmdk -O raw Windows\ 7.vmdk win7.raw”

A breakdown of the command that we just gave:

qemu-img convert is invoking the convert function of qemu-img.

-f is the format of the input file, which in this case is .vmdk

-O is the format of the output file that we want, a .raw file.

Windows\ 7.vmdk is the name of the input file that we have in our folder.

win7.raw is the name we have given the output file with its file extension.

Give it a few minutes and check the folder, you will find the converted file.

As you can see, the size of the .raw file is 10.7 GB and the size of the .vmdk file was 6.0 GB, that’s quite a jump in size!

We can now use Foremost to carve the .raw file to see what’s inside.

At the terminal type “foremost -t jpeg,png -i win7 -o output”

With this command we are carving the .raw file for .jpeg and .png files which will be collected in a folder named output. If you have any doubts about foremost you can refer this article.

As you can see, our .raw file has been successfully carved, the results are visible below

We have successfully carved a .raw file made from a virtual disk, now let’s mount the .raw file to view its contents. We will be using a Windows for this operation.

Now we will mount this .raw file using FTK Imager to see its contents. The image mounting option can be found under the File menu. Navigate to the .raw file from within the mounting menu.

Select Mount, leave the other options as they are and the file will appear on the Mapped Image List.

Next we navigate to My Computer and we can see that the .raw has been mounted as a partition.

The windows file system can be seen within and explored for content.

Qemu-img is a very simple application with a high potential. It can be a very valuable tool in your forensic toolkit due to its large list of compatible formats. It will make sure that the format of the acquired image does not keep you from using your forensic tool of choice to run your investigation or carve out data.

We hope you enjoy using this tool.

Have fun and stay ethical.

About The Author

Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here

Digital Forensics Investigation through OS Forensics (Part 2)

In Part 1 of this article we have covered Creating case, File Search and Indexing. This article will cover some more features/ functionalities of OSForensics.

For Part 1 if this article click here.

Recent Activity

Recent Activity feature allows an investigator to scan the evidence for recent activity, such as accessed websites, USB drives, wireless networks, recent downloads and many more.

To start with open OSForensics and select Recent Activity.

We have an option to capture the Recent Activities either through live acquisition of current machines or by scanning drives/evidences.

To capture the live acquisition of the current machine select the first option and click on scan. If we have opted to investigate the case of another machine at the time of creating the case (shown in part 1 of this article), we may get a warning message as shown below, Click on yes to continue.

But we will be acquiring our evidence (.E01 image file).

Scanning will start and may take some time for this operation to complete.

Once the scanning is complete we will get a popup with the summary of the scanned evidences.

Click on the OK button and on the recent activity window we can find all the recent activity details with the heading on the left pane and details of related files on the right.

Below is the list view of the files

We can also view the file details by clicking on File Details tab

To further analyse any file, simply right click on file for further file options.

Similarly we can investigate for the recent activity of any particular drive.

We can also change the configurations or apply/remove any filters as per the requirement but these changes are to be done before starting the scan.

To edit the configurations click on “Config” button located at the top right corner on recent activity window.

Check/Uncheck the options as required or if required change the date/date range for a particular time based activity and click OK.

For managing the filters click on the “Filters” button located below the “Config” button

We can add a filter as required by selecting a value from the dropdown or fill the details as required.

In the below image we have applied a filter and set its parameters as per requirement.

Click on Add Filter button and then OK, the filter will get added.

This ends the Recent Activity feature.

Deleted File Search

Deleted files recovery is one of the prime requirements for digital forensics. OSF offers a very simple and efficient deleted file recovery/search.

To search the deleted files click on “Deleted files Search” and select the drive we want to search on from the dropdown. We can select the complete Physical drive/Hard Disk (PhysicalDrive0), Acquired Evidence or any Logical drive(C/D/E), for which we want to recover the data.

Click on the “Config” button and check/uncheck the options as required. Select the Quality from the drop down (Please note better the quality more time it will take to process), for better result check the file carving option. WE can also limit the file size we want to search for (this will omit the files that are not in the range to refine the search), Click Ok.

On preset drop-down select the file type we want to recover/search. Select all files if we need to have multiple file types as output.

Once all the settings are done, click on Search. Depending on the volume of data and configurations we opted for it may take some time for the process to complete.

We can also see the thumbnail view of the files for faster analysis.

To save /recover the file select the files we want to recover and right click for options and save the files.

This concludes the Deleted file search.

Mismatch File Search

This feature enables us to identify the files whose extensions doesn’t match their data. Through this we can capture some relevant evidences that could be in form of an image, document or pdf but pretending to be of some other extension. For example a word file can be mismatched with a jpeg file (such a data could is also called as “Dark Data”).

To start with click on Mismatch File Search, select the drive/directory along with the filter from dropdown or create a filter as required, if we are not sure about the filter settings, we can go with “All (Built In)” filter and click search.

This will show the result in file list. We can also see the thumbnail view of the files.

Memory Viewer

Memory Viewer feature shows active memory of the system on which OSF is working on. It cant be used to show the memory of acquired image or drive of another computer (we will illustrate this feature on our running machine and not on our evidence file). We can dump the live memory /RAM for further investigation.

To start with open OSF and click on Memory Viewer. We can see the list of all the processes currently running along with their Process ID (PID). Click on any process and we can see its details under process Info. Click on refresh to refresh the process list.

Click on select window the cursor icon will change from pointer to a circle, click anywhere on screen or on any other running application and we can see the process details of the process we have clicked on. For instance in the below image we have clicked on an open word file and the process corresponding to that word file will get displayed.

Click on dump Physical Memory, this will dump the physical memory/ RAM in a .bin file and can save it anywhere. In below image we are saving the file with name Memory Dump.bin in a folder named Physical Memory Dump on Desktop

As we click on save a popup will appear till the Memory is being dumped.

Once completed, we will get a success Message.

We can also save a crash dump, just browse to a directory and save the file. The extension of the crash dump file is .dmp. In below image we are saving a crash dump file with a name CrashDump.dmp. We will get the following message when the dump is in progress

Once the dump is completed we will get a success message.

This concludes the Memory Viewer

Prefetch Viewer

The prefetch viewer displays the .exe files that we have last executed on the system. To start with open OS Forensic and click on prefetch viewer.

WE can browse the drive from the dropdown to check the .exe file that have executed on a particular drive. We can click on any particular drive and can see the details of the exe along with mapped files under mapped file tab.

Also we can view the directories, mapped with the .exe file under Mapped Directory Tab.

This concludes Prefetch Viewer.

For more on OSForensics wait for the next article.

Digital Forensics Investigation using OS Forensics (Part1)

About OSForensics

OSForensics from PassMark Software is a digital computer forensic application which lets you extract and analyse digital data evidence efficiently and with ease. It discovers, identifies and manages ie uncovers everything hidden inside your computer systems and digital storage devices.

OSForensics ia a self capable and standalone toolkit which has almost all the digital forensics capabilities including Data acquisition , extraction, analysis, email analysis, data imaging, image restoration and much more.

In this article we will cover all the major capabilities of OSForensics for digital forensics investigations.

Undiscovering OSForensics

To start with open OSForensics, we can see the OSForensics window open .

On the left hand side are the main options/ capabilities of OSforensic we will be talking about in details.

Please note that the start option highlights the main tools. Features of OFS which are widely used the same options can also be accessed through the tabs on the left pane.

The first option is Manage Case:

Whatever task/operation we want to perform in OSF, it is always advisable to create a case for that. Creating a case is also helpful to distinguish multiple processes / operations from one another and also act as a container of the work done which is also helpful in future reference.

To create a new case click on Create Case icon in start option or new case button in Manage case option and provide all the relevant details related to the case. Also note the location where we want to save the case.

Enter all the details and click on OK, we can see the case getting listed. If are working on more than one case at a time or we have multiple cases listed on OSF we need to select which case we need to work on. To do this select the case and click on load case, we will see a green check mark against the case which is presently loaded.

We can delete any case or import a case from already created case.

For this article we will be working on NPFJeane case, it is a demo case (E01) of which we will be doing forensics investigation. (This will be our evidence, we can do the same with any other data or computer disk).To add the evidence to our case click on add device.

Select the image file and browse for the Evidence file and click open.

All the partitions in the acquired image will get listed. Select the partition and click OK.

The evidence will get added and evidence name will get displayed. If required we can change the display name.

Once successfully added the evidence will get listed as shown below.

File Search

This option is used to search any particular file name, to search any particular file we can simply give the file name and browse for the drive, directory or any other location we need to search.

There is a preset option we can use this to select any particular file category

Also we can filter/refine the file search by changing the configuration settings, to do so click on the config button and change the settings as required.

Click on OK and in file search window enter the filename and click on search, Depending on the data volume The search will take a little time and will display the results . In our search we have searched the term “Sale” and this will show all the files who have the term “resume” in their name.

WE can also view the searched files in thumbnails

And timeline view. Timeline view will show a bar graph representation of that keyword on the basis of time and keyword count.

This ends the file search.

Create Index / Indexing

Index search is a more deep and refined search and also very vital for forensic investigations.

The most intuitive method for keyword searching is to provide a single keyword, and search for occurrence of that keyword within our data/evidence. To achieve this objective the best way is to create an index of the drive/directory within which we need to perform a search. An index is simply a list of offsets for occurrences of required keywords. Indexing allows to search within the contents of many files /drive/directory /image file at once.

In OSF we can either indexed on the predefined files types

Or can create a customised template

We can select the extensions we need to search on, skip any file or folder by specifying its name or by limiting the file size. Customise the template and click OK

Customise the template and click OK. Click on next and proceed to Step 2. Here we need to select the drive or directory we want to index and select the indexing option from the drop down as shown below and click on OK.

The image, drive or folder selected will get listed, (we can add multiple drives/directories) for indexing.

Click on next and proceed to step 3

Now we will get a view of the drives we are indexing along with the extensions that will be indexed. If everything is as per requirement click “Start Indexing” else click the “Back” button to make any changes.

Indexing will start and depending on the data it will take some time for the indexing to complete.

Initially Pre scan is performed and immediately after Pre-Scan indexing will start automatically

Once indexing is complete, we will get a popup with indexing finished message.

WE can also check index log to check the status /result of indexing and any error that the system may have occur during indexing.

Search Index

Above we have indexed the drive for keyword searching, now we will actually search for the keywords in the indexed drive/directory.

To start with click on search index.

We can see all the drive we have indexed in a drop down

We can either enter the keywords we want to search one by one in “Enter Search Word” tab click on search and will get the result on the screen. WE have searched for the keyword “Sales”, inside our evidence and can see all the files containing the word Ethical.

Also we can upload the keywords we want to search in a text file and upload it, this option is suitable if we want to search multiple keywords at same time.

We have created a text file named key.txt with three keywords and saved it on desktop.

To upload this file click on “Use Word List File” and upload the above referred file

We can see the result of the keywords in the screen along with the total number of hits of each keyword in the indexed directory, under history Tab.

Double click on the keyword in the list and all the files containing that particular keyword will get listed under file tab.

This ends the Indexing and search under indexing.

For more on OSForensics wait for the next article.

Hacking Articles

Raj Chandel's Blog

POST CATEGORY : Cyber Forensics