Forensic Investigation: Examining Corrupted File Extension

In this article, we will learn how to examine files with corrupted or missing extensions by identifying their file headers during a forensic investigation.

Let’s understand this with the following scenario.

In this scenario, a forensic investigator is examining a system and finds a suspicious folder in which none of the files has an extension. What should he do to proceed with his investigation?

Objective: Learn to use various techniques in a forensic investigation to analyse and examine file headers:

  • Examining Corrupted File Extension using Windows Platform.
  • Examining Corrupted File Extension using Linux Platform.

Table of Content

Cheatsheet for Hex File Header

Examining Corrupted File Extension using Windows Platform

  • File #1: app
  • File #2: apple
  • File #3: data
  • File #4: Final
  • File #5: lecture
  • File #6: Manual
  • File #7: Notes
  • Recovered all files successfully

Examining Corrupted File Extension using Linux Platform

  • Analyze in Linux with the file command
  • Analyze in Linux

Cheatsheet for Hex File Header

A file’s header (its magic number) identifies the file type: examining the first 4 or 5 bytes of a file in hexadecimal is usually enough to tell what kind of file it is, whatever its name says.

We have created our own cheat sheet to look these values up more conveniently. It lists the common file extensions together with the first 4 to 5 bytes of each file type in hexadecimal, along with their ASCII translation.

Examining Corrupted File Extension using Windows Platform

As per the given scenario, the first thing that comes to mind is to check these files in the command prompt [cmd]. Nevertheless, nothing useful is visible to the investigator there.

Now let’s examine each file we found in this folder and try to restore it to its original format.

File #1: app

The first file we got is app. The first thing that comes to mind is to open this file in Notepad. We are doing it to show you that the file is in an unreadable format.

Now we examine the hexadecimal values of these files with a hex editor. We can use any hex editor that shows us the hexadecimal content of a file. After opening the file, we need to examine its starting hexadecimal values to learn the file type.

So, I have used Hex Workshop, which you can download from here.

After analysing its starting bytes against our cheat sheet, we come to know that it is a .exe file, with the ASCII translation MZ. MZ are the initials of Mark Zbikowski, the designer of the DOS executable file format. We have successfully identified the first file as a .exe file.

Now, we have two methods to restore the file extension.

Method 1: With the help of the command line.

Follow this command to rename the file with its extension.

This command selects only the app file, so only this file’s extension is renamed, because the others are yet to be examined.

Method 2: We can simply rename the file directly in Explorer and give it the extension we identified above.

File #2: apple

Now it’s time to examine the second file; all we know about it is its name, apple. Straight away we open the file in the hex editor and start analysing its hexadecimal values.

Matching its first 4 bytes against our cheat sheet, we quickly find that it is a .jpg file, with the ASCII translation ÿØÿà.

Now, just rename this file with the help of this command.

This command changes only the apple file to a .jpg file, because the others are yet to be examined.

File #3: data

Time to examine the third file, named data. We open it in the hex editor to examine its hexadecimal values.

Now we match its first 4 bytes against the cheat sheet provided above. Within moments we find that it is a .zip file, with the ASCII translation PK.

Change the file name and give it the extension with the help of the rename command.

As we know, it will only change data into a .zip file.

File #4: Final

Here comes the fourth file, named Final. Open it in the hex editor to analyse its hexadecimal values.

After opening the file, match its first seven bytes against our cheat sheet. Within moments we find that its values match a .docx file, so it is a .docx file with the ASCII translation PK (a .docx is a ZIP container, which is why it shares the PK header with the .zip file above and why more than the first two bytes are needed to tell them apart).

Just change its name and give it a .docx extension with the help of the [rename] command.

File #5: lecture

The fifth file is named lecture; we open it in the hex editor to analyse its hexadecimal values, which helps us identify its file type.

Now, match its first four bytes. In a moment we find that it is a .mp3 file, with the ASCII translation ID3. Just give that file a .mp3 extension with the help of the [rename] command.

File #6: Manual

The second-last file in that folder is named Manual. Open it in the hex editor to examine its hexadecimal values.

Now, match its first four bytes against our cheat sheet. We come to know that it is a .pdf file, with the ASCII translation %PDF. Change its name and give it a .pdf extension with the help of the rename command.

File #7: Notes

Finally, we have reached the last file in the folder, named Notes. Straight away we open it in the hex editor to examine its hexadecimal values.

After opening it, the content shows that it is a simple text file, so we gave it a .txt extension with the help of the [rename] command.

Recovered all files successfully

Now look at the folder, which shows that we have recovered all the files successfully.

We can also see these files with their original extensions in the command prompt, with the help of the [dir] command.

Examining Corrupted File Extension using Linux Platform

Now suppose that in your investigation you are in the same scenario, where the file extensions are missing, but this time the victim machine runs Linux and you are not allowed to copy the folder to another machine. How would you handle this situation?

Analysis using the file command

The file command is a Linux utility that analyses each argument in an attempt to classify it. Hence, we can carry out the same examination in a Linux environment with the help of the file command.

We are using the [ls] command to show you that these are the same files and the same scenario that we explained above.

We just need to run [file] with the file name to learn the true type of that file. Pick the first file and run this command: it reports that it is an MS Windows executable.

Let us try the same technique with the second file, named apple. Run the [file] command with its file name: it reports that it is a JPEG image, along with details of its internal structure.
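To automate the cheat-sheet lookup from both sections above (the Windows hex-editor walk-through and the Linux file command), here is an added Python example that is not part of the original article. It checks the same signatures the article names (MZ, ÿØÿà, PK, ID3, %PDF and plain text) and, going one step beyond the article, tells .docx from .zip by reading the entry names inside the ZIP container; the seven sample files are constructed in memory, and nothing on disk is renamed or modified.

```python
# Added example (not from the original article): automate the cheat-sheet lookup.
import io
import struct
import zipfile

# (magic bytes, extension, ASCII rendering as a hex editor shows it), per the cheat sheet
SIGNATURES = [
    (b"MZ",               "exe", "MZ"),
    (b"\xff\xd8\xff\xe0", "jpg", "ÿØÿà"),   # JFIF JPEG, the apple file
    (b"\xff\xd8\xff\xe1", "jpg", "ÿØÿá"),   # Exif JPEG (same family, added here)
    (b"ID3",              "mp3", "ID3"),
    (b"%PDF",             "pdf", "%PDF"),
    (b"PK\x03\x04",       "zip", "PK"),     # ZIP local file header; .docx is also a ZIP
]


def zip_entry_names(data, limit=32):
    """Walk the ZIP local file headers at the start of the data and return
    the entry names.  Stops at the first entry that uses a data descriptor
    (sizes unknown up front) or that runs past the bytes we were given."""
    names, off = [], 0
    while off + 30 <= len(data) and data[off:off + 4] == b"PK\x03\x04" and len(names) < limit:
        flags = struct.unpack_from("<H", data, off + 6)[0]
        comp_size = struct.unpack_from("<I", data, off + 18)[0]
        name_len, extra_len = struct.unpack_from("<HH", data, off + 26)
        names.append(data[off + 30:off + 30 + name_len].decode("utf-8", "replace"))
        if flags & 0x08:          # data descriptor: comp_size is 0, cannot skip ahead
            break
        off += 30 + name_len + extra_len + comp_size
    return names


def refine_zip(data):
    """A .docx/.xlsx/.pptx is a ZIP whose entries live under word/, xl/ or ppt/;
    that is why the header alone could not settle the Final file."""
    names = zip_entry_names(data)
    for prefix, ext in (("word/", "docx"), ("xl/", "xlsx"), ("ppt/", "pptx")):
        if any(name.startswith(prefix) for name in names):
            return ext
    return "zip"


def is_plain_text(sample):
    """The Notes check: decodes as UTF-8 and is all printable text or whitespace."""
    if not sample:
        return False
    try:
        text = sample.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def identify(data):
    """Return (extension, ascii_translation) for the leading bytes, or ("unknown", "")."""
    for magic, ext, ascii_form in SIGNATURES:
        if data.startswith(magic):
            return (refine_zip(data) if ext == "zip" else ext), ascii_form
    if is_plain_text(data[:512]):
        return "txt", data[:4].decode("ascii", "replace")
    return "unknown", ""


def identify_file(path):
    """Read only the head of the file (never modify it) and classify it."""
    with open(path, "rb") as fh:
        return identify(fh.read(65536))   # enough ZIP entries to spot word/ etc.


def _make_zip(entries):
    """Build an in-memory ZIP (stored, no data descriptors) for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in entries:
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed stand-ins for the seven extension-less files from the article.
SAMPLES = {
    "app":     b"MZ\x90\x00" + b"\x00" * 60,
    "apple":   b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "data":    _make_zip([("readme.txt", b"hello")]),
    "Final":   _make_zip([("[Content_Types].xml", b"<Types/>"),
                          ("word/document.xml", b"<w:document/>")]),
    "lecture": b"ID3\x03\x00" + b"\x00" * 6,
    "Manual":  b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "Notes":   b"Meeting notes\nbuy milk\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        ext, ascii_form = identify(data)
        print(f"{name:<8} -> {name}.{ext:<5} (header {ascii_form!r})")
```

Point identify_file at a real extension-less file to get the suggested extension without touching the evidence.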

This article helps us establish the true identity of a file during a forensic investigation in both Windows and Linux environments.

Author: Shubham Sharma is a Pentester and Cybersecurity Researcher. Contact LinkedIn and Twitter.

Forensic Investigation: Extract Volatile Data (Manually)

In this article, we will run a number of CLI commands that help a forensic investigator gather as much volatile data from the system as possible. The commands used in this post are not the complete list, but they are the most commonly used ones.

As a forensic investigator, create a folder on the desktop named “case”, inside it create a subfolder named “case01”, and then use an empty document “volatile.txt” to save the output you extract.

Here I have saved all the output inside /SKS19/prac/notes.txt, which helps us create an investigation report.

Table of Content

  • What is Volatile Data?
  • System Information
  • Currently available network connections
  • Routing Configuration
  • Date and Time
  • System Variables
  • Task List
  • Task List with Modules
  • Task List with Services
  • Workstation Information
  • MAC Addresses saved in the System ARP Cache
  • System User Details
  • DNS configuration
  • System network shares
  • Network configuration

What is Volatile Data?

There are two types of data collected in computer forensics: persistent data and volatile data. Persistent data is data stored on a local hard drive, which is preserved when the computer is powered off. Volatile data is any data stored in memory, which is lost when the computer is powered off.

Volatile data resides in the registry’s cache and in random access memory (RAM). The investigation of volatile data is called “live forensics”.

System Information

System Information is a system profiler included with Microsoft Windows that displays diagnostic and troubleshooting information about the operating system, hardware and software.

We can collect this volatile data with the help of commands. All we need is to type this command.

It will save all the data in the text file. We check whether the file was created with the [dir] command, and we compare the size of the file after executing each subsequent command.

Now go to this location to see the results of the command, which shows all the information about our system’s software and hardware.

Currently Available Network Connections

Network connectivity describes the process of connecting the various parts of a network with the help of routers, switches and gateways.

We can check all the currently active network connections through the command line.

We can check whether the file was updated with the help of the [dir] command; as you can see, its size has increased.

Now, open the text file to see all the connections currently active on the system. It also provides extra details such as state, PID, address and protocol.

Routing Configuration

Routing configuration specifies the correct IP addresses and router settings. Host configuration sets up a network connection on a host computer or laptop by recording the default network settings, such as IP address, proxy, network name and ID/password.

To see the routing configuration of our network, follow this command.

We can check the file with the [dir] command.

Open the txt file to evaluate the results of the command, such as the routing table and its settings.

Date and Time

To find out the date and time of the system, follow this command. We can also check whether the file was updated with the help of the [dir] command.

Open that file to see the data gathered with the command.

System Variables

A system variable is a dynamic named value that can affect the way running processes behave on the computer. They are part of the environment in which processes run. For example, a running process can query the value of the TEMP environment variable to discover a suitable location to store temporary files.

We can list all the system variables set on a system with a single command.

We can check whether the file was updated with the [dir] command.

Now, open the text file to see the system variables set on the system.

Task List

The task list provides a list of the applications running on a Microsoft Windows system. To get the task list of the system along with each process’s ID and memory usage, follow this command.

We can also check whether the text file was updated with the [dir] command.

Open the text file to evaluate the details.

Task List with Modules

With the help of the task list modules view, we can see which modules (DLLs) each task has loaded. We can see those results in our investigation with the help of the following command.

We can check whether our result file was updated with the help of the [dir] command.

Open the text file to evaluate the command results.

Task List with Services

It shows all the services hosted by each task. We add these results to our forensic report by using this command.

We check whether the text file was updated with the help of the [dir] command.

Open the text file to evaluate the results. It shows the services used by each task.

Workstation Information

A workstation is a computer designed for technical or scientific applications, intended primarily to be used by one person at a time. They are commonly connected to a LAN and run multi-user operating systems. Follow these commands to get our workstation details.

To check whether the file was updated, use the [dir] command.

Now, open the text file to see the investigation results.

MAC Address saved in System ARP Cache

There are two types of ARP entries: static and dynamic. Most of the time we will see dynamic ARP entries. This means that an ARP entry is kept on a device for some period of time, as long as it is being used.

The opposite of a dynamic entry is a static entry, for which we need to enter a manual link between an Ethernet MAC address and an IP address. Because of the management overhead of static entries and the lack of significant drawbacks, dynamic entries are used most of the time. To get these details in the investigation, follow this command.

We can check whether the text file was updated with the [dir] command.

Now, open the text file to see the investigation report.

System User Details

A user is a person who is utilising a computer or network service. Users of computer systems and software products generally lack the technical expertise required to fully understand how they work. To get the user details, follow this command.

We can use the [dir] command to check whether the file was updated.

Now, open the text file to see the investigation report.

DNS Configuration

DNS is the internet system for converting alphabetic names into numeric IP addresses. When a web address is typed into the browser, DNS servers return the IP address of the web server associated with that name. To see the system’s DNS configuration, follow this command.

We can see whether the text report was updated with the [dir] command.

Now open the text file to see the report.

System network shares

A shared network would mean a common Wi-Fi or LAN connection. The same is possible for a folder on the system: by turning on network sharing and allowing certain or restricted rights, these folders can be viewed by other users/computers on the same network. We can see these details by following this command.

We can also check whether the file was updated with the [dir] command.

Now, open that text file to see the investigation report.

Network Configuration

Network configuration is the process of setting a network’s controls, flow and operation to support the network communication of an organisation and/or network owner. The term covers the multiple configuration and setup processes on network hardware, software and other supporting devices and components. To get the network details, follow these commands.

As usual, we can check whether the file was updated with the [dir] command.

Now, open the text file to see the investigation report.
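The sections above repeat one routine for every command: append the output to the notes file, then run [dir] to confirm the file grew. The following added Python example (not from the original article) scripts that routine, keeps the per-command size deltas for the report and hashes the finished file; the command list is my assumption of what the article’s screenshots run, since the article itself does not print the commands, and the runner can be swapped out so the flow can be checked off a Windows box.

```python
# Added example (not from the original article): scripted volatile-data collection.
import hashlib
import os
import subprocess
import tempfile
from datetime import datetime, timezone

# Assumed Windows commands for each section of the article (the article shows
# them only in screenshots); they are standard cmd.exe utilities.
COMMANDS = [
    ("System Information",      "systeminfo"),
    ("Network connections",     "netstat -ano"),
    ("Routing configuration",   "route print"),
    ("Date and time",           "date /t & time /t"),
    ("System variables",        "set"),
    ("Task list",               "tasklist"),
    ("Task list with modules",  "tasklist /m"),
    ("Task list with services", "tasklist /svc"),
    ("Workstation information", "net config workstation"),
    ("ARP cache",               "arp -a"),
    ("System users",            "net user"),
    ("DNS cache",               "ipconfig /displaydns"),
    ("Network shares",          "net share"),
    ("Network configuration",   "ipconfig /all"),
]


def run_cmd(command):
    """Run one shell command and return its combined stdout/stderr text."""
    proc = subprocess.run(command, shell=True, capture_output=True,
                          text=True, errors="replace")
    return proc.stdout + proc.stderr


def collect_volatile(out_path, commands=COMMANDS, run=run_cmd):
    """Append each command's output under a labelled header, the way the
    article appends to notes.txt.  Returns (section, size_before, size_after)
    per command: the same growth check the article does by hand with dir."""
    log = []
    for section, command in commands:
        before = os.path.getsize(out_path) if os.path.exists(out_path) else 0
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        with open(out_path, "a", encoding="utf-8") as fh:
            fh.write(f"===== {section} | {command} | {stamp} =====\n")
            fh.write(run(command))
            fh.write("\n")
        after = os.path.getsize(out_path)
        log.append((section, before, after))
    return log


def sha256_file(path):
    """Hash the finished notes file so the report can vouch for it later."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def demo(run=run_cmd, commands=COMMANDS):
    """Collect into a throwaway notes.txt and return (log, digest, contents)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "notes.txt")
        log = collect_volatile(path, commands, run)
        digest = sha256_file(path)
        with open(path, encoding="utf-8") as fh:
            contents = fh.read()
    return log, digest, contents


if __name__ == "__main__":
    # On the live system, point collect_volatile at the case folder instead.
    log, digest, _ = demo()
    for section, before, after in log:
        print(f"{section:<26} {before:>9} -> {after:>9} bytes")
    print("sha256:", digest)
```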

As we said earlier, these are only a few of the commonly used commands. There are plenty more in the forensic investigator’s arsenal.

Author: Shubham Sharma is a Pentester and Cybersecurity Researcher. Contact LinkedIn and Twitter.

Multiple Ways to Mount Raw Images (Windows)

In this article, we are going to learn how to mount a forensic image on a Windows machine. There are multiple ways to accomplish this, and tools like OSFMount, Arsenal Image Mounter etc. will help us in this process. So, let’s start.

Table of Content

  • Introduction
  • Why Mount an Image?
  • Mounting Tools
    • Mount Image Pro
    • OSFMount
    • Arsenal Image Mounter
    • AccessData FTK Imager

Introduction

In the cyber forensics world, a forensic image is a complete sector-by-sector copy of a hard drive or external drive. Generally, a forensic image is used as evidence in a forensic investigation. These images include unallocated space, slack space and boot records. Different computer forensic tools use different formats to generate a forensic image.

Some common forensic image formats are RAW, E01, AFF, etc. We can use a variety of tools to mount and analyse such an image to get better investigative results.

Why Mount an Image?

Mounting is the process that presents a RAW logical image as a mounted directory or drive. To examine a forensic image in detail, mounting is preferred. There are various tools that can be used to mount a RAW image; let’s learn the mounting process using a variety of them. Although the basic procedure is the same, there are times when an investigator finds himself in a situation where he/she cannot use their preferred tool. Also, each investigative company uses different tools, so a good investigator should know the different types of tools to widen their ability and robustness.

Tool #1: Mount Image Pro

Mount Image Pro is a tool that is quite useful in forensic investigations. It enables mounting of images across all the common forensic image formats. Some of them are:

  • .RAW
  • .E01 (Encase Image)
  • .A01
  • .dd

This tool is developed by GetData, a renowned provider of end-user software for data recovery, file recovery, computer forensics and file previewing. Their products are designed for getting data back from systems and their hard drives.

We can download Mount Image Pro from here.

Once Mount Image Pro is downloaded, launch the tool using the icon created on the desktop. After launching the app, we need to press the Mount icon to get started.

We can also click on File in the drop-down menu and choose the “Mount Image File” option to move ahead.

After this, we need to select our digital image file on our hard drive. After selecting the image file, we need to click on the “Open” button to open it.

Now we need to select a number of options to get started. The first is how we want to mount our image. We want the image to be mounted and shown as a partition in Explorer, hence we choose the Disk option; if you want to investigate the image as a directory, choose File System. Next is the location where we want to mount. If we chose the File System option, we need to specify the destination directory; otherwise we choose a letter that will act as the drive letter (such as Local Disk D: or E:). Next we get to the Disk options panel; here we checked Plug and Play so that dismounting is easier. Now we select the kind of access that we want: we choose Read-Only access. We can also customise the sector size of the partition. After giving all the required details, press the OK button.

After this, mounting starts and we get a live progression of the process through the status bar, as depicted below.

After completion, we get our mounted image and can start our investigation.

As the screenshot suggests, it mounted our forensic image as the F: drive. Now we can analyse it and get the same view of the files as its user had on their system.

Tool #2: OSFMount

OSFMount is software that allows us to mount local disk image files (sector-by-sector copies of an entire disk or disk partition) on a Windows system. We can then analyse the disk with its companion tool, OSForensics. By default, the image files are mounted as read-only so that our original image files do not get altered.

This software supports mounting disk image files in any mode, whether we want them in read-only mode, write mode or write-cache mode.

We can download OSFMount from here.

Let’s begin by opening OSFMount after completing its installation. The developers at PassMark gave us a neat, very minimalistic interface to work with. To begin, we hit the “Mount new” button.

After that, we follow a series of steps where we fill in the required details.

Step #1: We need to provide the source of the image file to mount for our investigation.

After filling in the details, we hit the Next button.

Step #2: We need to select whether we want a specific partition or the entire image mounted for investigation.

After that step, we need to finalise things. In the last step, we need to select a few details regarding our image; these are additional options that we may or may not want to include, such as whether to mount the image as removable media, the drive type, the drive letter, drive emulation, etc.

After filling in all the details and completing all the steps, click on the Mount button to start mounting the image file.

Now, as shown in the image below, we have the image successfully mounted and ready for analysis.

We can also check the mounted image by opening it in File Explorer, as shown in the image below:

Tool #3: Arsenal Image Mounter

Arsenal Image Mounter (AIM) handles disk images as whole drives. As far as Windows is concerned, the contents of disk images mounted by AIM are real SCSI disks, which allows its users to take advantage of disk-specific features like integration with Disk Management, access to volume shadow copies and much more.

Many of the image mounting solutions on the market present the contents of disk images as shares and partitions rather than complete disks, which sometimes limits their usefulness to digital forensics practitioners. If AIM is running without a licence, it runs in free mode and provides the core functionality. If it is licensed, it runs in professional mode with full functionality enabled.

We can download Arsenal Image Mounter from here.

After downloading and completing the installation, we can open the software and start mounting an image file. After opening it, click on the “Mount disk image” button.

Now we have some details to fill in. We are asked about the mode in which we want to see our mounted image, or what type of device it has to be; we can choose Read Only or Writable, among other options. We are also required to fill in the sector size, and we click on Create “removable” disk device for a smoother mounting process. After filling in all the details, click on the OK button to move further.

After this our disk is mounted successfully, and we get all the details in the mounted message.

Now we check that our image is successfully mounted as a removable device on our system. After checking that, we can finally start our investigation.

Tool #4: AccessData FTK Imager

AccessData’s claim for FTK is that it lets investigators zero in on the relevant evidence quickly, conduct faster searches and dramatically increase analysis speed. FTK uses distributed processing and is built to fully leverage multi-core and multi-threaded computers; while other tools leave modern hardware idle, FTK tries to use 100 per cent of the available hardware resources to help the investigation process.

FTK provides faster searching in comparison to other solutions. FTK is truly database-driven: all data is stored securely and centrally, which allows our teams to use the same database and reduces the cost of creating multiple data sets.

We can download AccessData FTK Imager from here.

After finishing the installation, open the software to move further.

Now click on the File option in the menu and select the “Image Mounting” option to start the image mounting process.

Now we explore the Add Image File option. We browse to the image file on the system, then fill in details like the image file mount type, its drive letter and its mount method.

After filling in all the mandatory details, click on the Mount button to start the mounting process.

It takes some time to mount an image, but after the process finishes we get the details of our mounted image in the Mapped Images section. It provides some basic information regarding Drive, Method, Partition, Image locations, etc.

If we want to check the integrity information, we can do so by browsing to the mounted drive, validating the data there and then starting our investigation.

These are different ways in which we can mount a forensic image on Windows to help investigators. Better analysis of the evidence will help them in their investigation process.

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher and Enthusiast, contact here.

Forensic Investigation of Social Networking Evidence using IEF

In this article, we will learn about an amazing forensic tool called Magnet Internet Evidence Finder (Magnet IEF), which is used to recover or extract evidence from the various data sources of a system and then integrate them into a single case file for analysis and reporting.

Table of Content

  • Introduction
  • Features of Magnet IEF
  • From Drives
  • From Files & Folders
  • From Images
  • From Volume Shadow Copies

Introduction

Magnet Internet Evidence Finder was developed by former police officers and forensic experts who recognised the need for user-friendly, easy-to-use software. It is a comprehensive tool for performing the tasks of a digital forensic investigation.

We can say that digital forensic professionals around the world have relied heavily on Magnet IEF to help them in their digital investigation process.

We can download Magnet IEF from here.

Features of Magnet IEF

There are three basic features in this tool:

  • Find
  • Analyze
  • Report

Find: There are many artifacts in the system; IEF can parse these artifacts from the system and enable us to quickly dive into the evidence. It can carve data from fragmented files and recover evidence from unallocated space that is not sequential. It has a feature to identify unknown apps, which might have a potential chat database, and it gets monthly updates so that it continues to collect evidence from new applications as well.

Analyze: IEF can quickly drill down into the system to find evidence with filters, keyword searches, timelines, etc., and presents the evidence in a user-friendly format so that we can easily analyse it. It also provides a feature to view all evidence in one view, and it can find relevant photographs by matching their hash values.

Report: IEF creates an easy-to-understand and navigable HTML report from any file selected within the viewer, along with a listing of all the evidence found. It also has a portable case feature with which we can create a lightweight evidence copy for our convenience. Its timeline helps us stay organised in chronological sequence, and we can export our evidence report in a variety of formats, including PDF, Excel, CSV, XML and tab-delimited.

These features sum up the operations we need to perform in order to find evidence in our digital investigations. These operations include the different approaches to finding evidence: scanning drives, files and folders, a forensic image, volume shadow copies and mobile devices.

From Drives

Firstly, we follow the approach of searching for evidence in drives. In the search-from-drive approach, Magnet IEF searches the particular drives that we select for evidence. We can select a whole drive or a particular partition.

So, once we click on the DRIVE button, we need to select the partition or drive we want to scan for evidence.

In the next step, it shows the partition we selected and the unpartitioned space of the drive. We need to select those areas, along with the search type we want for this evidence search, and then press the Next button to move further.

Next, we can see that Magnet IEF confirms what we selected earlier by showing us all the locations of the drives and files that we wish to search. After confirming the details, click on the Next button to move ahead.

After that, it asks which services we are searching for in the investigation. We can check all the services, like web browsers, social networking sites and applications, file formats, connections, services, etc. We can check them all at once or select them one by one as per our preference for the scan. After selecting the services, press the Next button.

Then, we need to specify the destination path of our report, and for that provide the folder name in which our reports will be saved. Along with that, some specific case information, like the case number, examiner name and evidence info, must also be entered. We can also add our agency logo to the report and some notes regarding our forensic investigation. We can also provide keywords that might give us an edge in the investigation, as this tool also searches for keywords to make it more convenient for the user. After specifying the required details, press the Find Evidence button.

After this, you will see two pop-ups. The first pop-up shows the progress of your scan: which part is being scanned right now, how many files it needs to process, the time elapsed for the current search and the total search, and the progress of the current search and the total search. You can also see a detailed view of the data processors at work by clicking on the Show Details button; wait patiently for the process to complete.

The second pop-up is the report viewer, which tells you every detail captured during the scan. For instance, in the image below, it shows all the details of our services. Like every other report viewer on the market, it provides basic features such as alerts, bookmarks, chats, filters, search, etc.

Once all files are processed and the data processor completes its work, the search status turns green, indicating that the work is complete. After this, you can click on the Show Summary button if you want to see the summary of the search.

The case summary then pops up. It is just a regular Notepad file with all the required information regarding our search in a compact and impactful manner.

If we check the Report Viewer and view its timeline feature, it displays all the details of the services; as we can see in the image below, our Firefox cookies will expire in 2029, and similarly the details of all the other services.

From Files & Folders

This approach to searching for evidence is quite similar to searching for evidence from drives. In the drive approach, it takes a storage partition or whole drive and runs the search to find evidence during the investigation process.

But in Files & Folders, we need to select the exact folder or files in which we want to scan for evidence.

Both are quite the same in the selection and searching process. We can use the same tactics as in the drive scan, but instead of selecting a partition, we select files on the system; the scanning approach remains the same. It tries to find evidence file by file until the process completes.

The resulting pattern is the same as above, and the Report Viewer repeats every step, like the timeline, evidence report, etc.

From Images

In this scenario, we have a fully captured forensic image. To find evidence in this image, we need to click on Image in Magnet IEF. Through this approach, we can find evidence in the forensic image.

After this, we need to browse to the image on the system and then press the Open button to open the image in the software.

Then we need to select the search type of the scan: whether we want to scan the full forensic image or just a part of it. After selecting all the details of the scan, press the OK button to move further.

Magnet IEF then asks us to confirm all the details we provided earlier; if we find no issue in the details, press Next to move further in the scan.

After selecting all the details, it follows the same tactics as “Drive”. We need to specify every service we want to include in our investigation. After this it asks for the case details and the destination path for our evidence report.

The evidence report lists all the evidence found in the forensic investigation. We can filter the alerts and bookmark the alerts we found in the evidence report. We can also see the timeline of the alerts and evidence.

An image scan helps us find evidence from a system without having access to the system itself, which is very handy in a digital forensic investigation.

From Volume Shadow Copies

Volume Shadow Copy, formerly known as Shadow Copy, is a service introduced by Microsoft in the Windows OS. It creates backup copies or snapshots of computer files and volumes, even when they are in use.

It requires NTFS or ReFS volumes to create and store shadow copies. It can create local and external volume snapshots on any Windows system that uses these services, for example when creating a scheduled Windows backup or an automatic system restore point.

With the help of Magnet IEF, we can also find potential evidence in volume shadow copies. To start this process, we need to select the Volume Shadow Copies button to move ahead in the investigation.

After this, it asks whether to search the shadow copies from drives or from images. All processes remain the same except the scan scenario: one follows the drive scan and the other follows the image scan.

Both try to find evidence through the same technique. If we understand the first, we can find our way through the second.

After selecting a scan scenario, choose the drive and then the partition you want to scan, and then press the OK button to move ahead.

Now it requires some basic details, which we need to specify, like the case details, destination path and services. We use these for searching for evidence, quite similar to all the other scans we performed earlier.

The Report Viewer generates the report for us, so that one can understand the results of the investigation in a much more convenient way. The process remains the same for the image scan.

Magnet IEF also provides a HELP function, which gives us the edge in understanding every service and operation. By using it, we understand every function in a much more comfortable way.

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher and Enthusiast, contact here.