USB Forensics: Detection & Investigation

Universal Serial Bus (USB) flash drives are among the most common storage devices encountered as evidence in a digital forensic investigation. Such an investigation follows a defined procedure, which must be carried out so that the evidence is neither altered nor destroyed. So, let us get started with the forensic investigation of USB devices.

Table of Contents

  • Detecting last attached USB flash drives in the Windows system
  • Using Registry Editor
  • Using PowerShell
  • Using USBDeview
  • Detecting last attached USB flash drives using Metasploit
  • Investigating USB flash drives for deleted files
  • Creating Disk Image
  • Analysing Disk Image

Detecting last attached USB flash drives in the Windows system

The use of USB drives in the workplace may let malicious employees remove sensitive or confidential information from a system without authorization. Forensic examination of the systems involved is how such incidents are investigated. So, let's start investigating.

To detect USB artifacts on a Windows machine, we can use manual as well as automated methods.

Using Registry Editor

This is a manual method that easily lists the USB storage devices that have been plugged in. Press 'Windows+R', type regedit and press Enter.

This information can be found in the Windows registry at:

Details of the USB storage devices that have been plugged in, such as the vendor, product name, revision (version) and serial number, can be seen here.

Using PowerShell

This is also a manual method. The same registry path can be queried from PowerShell to get information on the USB devices last plugged in, with the following command:
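The registry and PowerShell steps above both read the same USBSTOR key. The following Python script is an added example, not part of the original article, showing what an investigator does with what that key returns: it parses device keys of the form Disk&Ven_<vendor>&Prod_<product>&Rev_<revision> as found under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR, together with the instance-id subkey beneath each, and flags instance ids that Windows generated itself (second character '&'), which cannot be tied to one specific physical stick. The sample tree is constructed; the live-read helper runs only on Windows and is skipped elsewhere.

```python
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# The USB mass-storage enumeration key, relative to HKEY_LOCAL_MACHINE.
USBSTOR_PATH = r"SYSTEM\CurrentControlSet\Enum\USBSTOR"

# Subkey names look like Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00; the vendor, product
# and revision fields come from the device's SCSI INQUIRY response, spaces replaced by '_'.
_DEVICE_KEY_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>.*)$")


@dataclass
class UsbStorDevice:
    device_type: str
    vendor: str
    product: str
    revision: str
    instance_id: str               # the device serial number, or a Windows-generated id
    friendly_name: Optional[str] = None

    @property
    def serial_is_windows_generated(self) -> bool:
        # When a device reports no unique serial, Windows synthesises an instance id whose
        # second character is '&'. Such an id identifies make/model and port, not one
        # specific physical stick, so by itself it cannot prove which device was used.
        return len(self.instance_id) > 1 and self.instance_id[1] == "&"


def parse_usbstor_key(device_key: str, instance_id: str,
                      friendly_name: Optional[str] = None) -> UsbStorDevice:
    """Split one USBSTOR device key plus its instance subkey into its forensic fields."""
    m = _DEVICE_KEY_RE.match(device_key)
    if not m:
        raise ValueError(f"not a USBSTOR device key: {device_key!r}")
    return UsbStorDevice(m["type"], m["ven"], m["prod"], m["rev"], instance_id, friendly_name)


def parse_usbstor_tree(tree: Dict[str, Dict[str, Optional[str]]]) -> List[UsbStorDevice]:
    """Parse a {device_key: {instance_id: FriendlyName}} mapping, e.g. from an exported hive."""
    return [parse_usbstor_key(key, inst, name)
            for key, instances in tree.items() for inst, name in instances.items()]


def read_live_usbstor() -> List[UsbStorDevice]:
    """Walk the real key on a Windows host (uses the winreg module); returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    tree: Dict[str, Dict[str, Optional[str]]] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USBSTOR_PATH) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            device_key = winreg.EnumKey(root, i)
            tree[device_key] = {}
            with winreg.OpenKey(root, device_key) as dk:
                for j in range(winreg.QueryInfoKey(dk)[0]):
                    inst = winreg.EnumKey(dk, j)
                    try:
                        with winreg.OpenKey(dk, inst) as ik:
                            tree[device_key][inst] = winreg.QueryValueEx(ik, "FriendlyName")[0]
                    except OSError:                # FriendlyName value (or key) missing
                        tree[device_key][inst] = None
    return parse_usbstor_tree(tree)


# Constructed sample of what the key typically contains; not taken from a real machine.
SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00": {
        "4C530001230312345678&0": "SanDisk Cruzer Blade USB Device"},
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": {
        "7&2a3b4c5d&0&_&0": "Generic Flash Disk USB Device"},
}

if __name__ == "__main__":
    for dev in read_live_usbstor() or parse_usbstor_tree(SAMPLE_USBSTOR):
        origin = "Windows-generated" if dev.serial_is_windows_generated else "device serial"
        print(f"{dev.vendor} {dev.product} rev {dev.revision}  id={dev.instance_id} ({origin})")
```

The instance-id check matters in an insider case: a vendor/product match plus a device-reported serial ties a specific stick to the machine, whereas a Windows-generated id only shows that a device of that model was connected.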

Using USBDeview

For an automated method, you can download USBDeview. This tool gives you an automated, graphical view of which USB devices have been connected to the system.

Detecting last attached USB flash drives using Metasploit

When USB flash drive history needs to be investigated remotely, we can use a post-exploitation module in Metasploit on Kali Linux that enumerates the USB drive history on a target host. To use this module, start msfconsole on your Kali machine and type the command:

Set the session number and run the module. It lists the USB devices previously connected to the target.

Since you already have a Meterpreter session, you can also load PowerShell into it and run the same registry query remotely with the following command:

Once PowerShell is loaded, you can type:

This gives you the list of USB flash drives connected to the system, obtained remotely.

Investigating USB flash drives for deleted files

Once all USB connections to the system have been identified, and if the USB flash drive itself is available at the scene, it can be carefully collected in a Faraday bag, after which the forensic investigator can examine the evidence.

First, it is important to create an image of the USB flash drive retrieved from the crime scene. To create and analyse the image, we can use FTK® Imager, which can be downloaded free of charge from AccessData's website.

Creating Disk Image

Step 1: Install and run AccessData FTK Imager.

Step 2: Create a disk image of the USB drive (File > Create Disk Image).

A disk image is a bit-for-bit (sector-by-sector) copy of a physical storage device such as a USB flash drive. It captures all files and folders as well as unallocated and slack space, which is where deleted data survives.

Step 3: Since the evidence is a USB flash drive, select Physical Drive as the source type, choose the drive and click on Finish.

Step 4: Add the destination for the image file and check the box that says verify images after they are created.

Step 5: Choose the destination folder, type the name you want to give the image file and click on Finish.

Step 6: The image destination is now listed; click on Start to begin imaging.

Step 7: The image of the USB flash drive is now being created.

Step 8: After imaging completes, the verification results are shown: the MD5 (and SHA1) hash computed from the source drive is compared with the hash computed from the image file. The two must match; a match proves the image is a faithful copy, and the hashes are recorded for later re-verification.

Imaging is now complete, so we can move on to analysis of the USB flash drive image.
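Step 8 above is the heart of the acquisition: the hash of the source drive is compared with the hash of the image. The script below is an added Python example (not FTK Imager's code) that performs the same verification on a raw image file and shows why it matters: re-hashing an image against the digests recorded at acquisition time proves it is unchanged, and a single flipped bit in a tampered copy is detected. The "drive" it images is constructed in a temporary directory; SHA-256 is computed alongside MD5 and SHA1 because MD5 alone offers no protection against a deliberately crafted collision.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable

CHUNK_SIZE = 1024 * 1024          # hash in 1 MiB pieces so a multi-GB image never sits in RAM


def hash_image(path: str, algorithms: Iterable[str] = ("md5", "sha1", "sha256")) -> Dict[str, str]:
    """Compute the requested digests of an image file in a single pass over its bytes."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK_SIZE):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path: str, recorded: Dict[str, str]) -> bool:
    """True only if every digest recorded at acquisition time matches the image on disk."""
    computed = hash_image(path, list(recorded))
    return all(computed[alg].lower() == digest.lower() for alg, digest in recorded.items())


def demo() -> dict:
    """Constructed end-to-end run in a temp directory: image a fake drive, verify it,
    then show that a copy with one flipped bit fails verification."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_drive = bytes(range(256)) * 64            # 16 KiB stand-in for a USB stick
        image = os.path.join(tmp, "usb.001")
        with open(image, "wb") as fh:
            fh.write(fake_drive)
        recorded = hash_image(image)                   # what the imaging tool logs at acquisition

        tampered = bytearray(fake_drive)
        tampered[512] ^= 0x01                          # flip one bit in the second sector
        tampered_path = os.path.join(tmp, "usb_tampered.001")
        with open(tampered_path, "wb") as fh:
            fh.write(bytes(tampered))

        empty_path = os.path.join(tmp, "empty.001")    # zero-length file: well-known digest
        open(empty_path, "wb").close()

        return {
            "original_ok": verify_image(image, recorded),
            "tampered_ok": verify_image(tampered_path, recorded),
            "empty_md5": hash_image(empty_path, ["md5"])["md5"],
        }


if __name__ == "__main__":
    print(demo())
```

In practice the recorded digests come from the verification log the imaging tool writes next to the image; store that log with the case notes, and re-run the verification before analysis and again before reporting so the chain of custody is demonstrable.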

Analysing Disk Image

Note: Analysis is performed only on the disk image, never on the original evidence.

Step 9: Click on 'Add Evidence Item', select Image File as the source type and add the image file just created.

Step 10: An evidence tree is created, and deleted folders are visible under the root (FTK Imager marks them with a red X). We will try to recover them by right-clicking and choosing 'Export Files'.

Step 11: The deleted folder and its contents have been recovered. Note that recovery succeeds only where the clusters have not yet been overwritten by newer data.

Author: Jeenali Kothari is a Digital Forensics enthusiast and enjoys technical content writing.

Anti-Forensic: Swipe Footprint with Timestomp

In this article, we will learn how an attacker can wipe their footprints after compromising the victim's system, using the Timestomp feature provided by the Metasploit Framework.

Let’s understand the scenario

In this scenario, a hacker wants to remove traces of his activity from the victim's system after the hack, so that he is not caught during a forensic investigation.

Objective: Learn to use the functionality of the Timestomp feature provided by the Metasploit Framework.

Example: changing the Modified, Accessed and Created dates and times of a particular file.

Table of Contents

  • Introduction to Timestomp
  • Display MACE values
  • Set the Modified date and time
  • Set the Accessed date and time
  • Set the Created date and time
  • Set the Entry Modified date and time
  • Set All four attributes at once
  • Set the MACE attributes equal to supplied file

Introduction to Timestomp

As we all know, interacting with a file system is like walking in the snow: we leave footprints. How detailed those footprints are, how much can be learned from them, and how long they last all depend on the circumstances.

The art of analyzing these artifacts is known as digital forensics. For various reasons, when conducting a penetration test, we may want to make it hard for a forensic analyst to determine the actions we took.

The simplest way to avoid leaving file system evidence is: don't touch the file system! This is the beauty of Meterpreter: it loads into memory without writing anything to disk, greatly reducing the traces it leaves on a system.

But in some cases we have to interact with the file system. In those cases, Timestomp is a useful tool.

To explore the full functionality of Timestomp, we need a Meterpreter session on the target; the commands below are run from that session.

Display MACE value

This option displays the MACE values of a file, where MACE stands for Modified, Accessed, Created and Entry Modified. It lets us see the current values and check whether they were changed during the hack.

To view these details, use the following command:

Change Modified date and time

The Modified timestamp is the date and time at which the file's content was last written. (Changes to the file's metadata rather than its content are tracked by the Entry Modified timestamp, covered below.)

We can set the Modified date and time to any value we need with the [-m] parameter, using this command:

We can confirm the change with the [-v] parameter. As the screenshot below shows, the Modified date and time have been changed successfully.

Change Accessed date and time

The Accessed timestamp is the date and time at which the file was last accessed (read). Note that on modern Windows versions last-access updates are often disabled or deferred by default, so this value may be stale even before any tampering.

We can set the Accessed date and time to any value we need with the [-a] parameter, using this command:

We can confirm the change with the [-v] parameter. As the screenshot below shows, the Accessed date and time have been changed successfully.

Change Created date and time

The Created timestamp records when the file was created. We can set it to any value we need with the [-c] parameter, using this command:

We can confirm the change with the [-v] parameter. As the screenshot below shows, the Created date and time have been changed successfully.

Change Entry Modified date and time

The Entry Modified timestamp records when the file's MFT entry (its metadata) was last changed. We can set it to any value we need with the [-e] parameter, using this command:

We can confirm the change with the [-v] parameter. As the screenshot below shows, the Entry Modified date and time have been changed successfully.

Set All four attributes at once

We can also set all four MACE attributes [Modified, Accessed, Created and Entry Modified] at once. This changes the whole timeline an investigator would see for the file, making it easy to wipe the footprints of the hack.

All four MACE dates and times can be set to the value we need with the [-z] parameter, using this command:

We can confirm the change with the [-v] parameter. As the screenshot below shows, all four dates and times have been changed successfully.

Set the MACE attributes equal to supplied file

This feature sets the MACE attributes of a file equal to those of another, supplied file. The first file used in this exercise is file.txt; we use the [-v] parameter to display its MACE values.

Next, we display the MACE values of note.txt, again with the [-v] parameter.

Then we use the [-f] parameter to copy the MACE values of note.txt onto file.txt, giving the full path of note.txt, like this:

Once more we confirm the change with the [-v] parameter. As the screenshot below shows, file.txt now carries the same dates and times as note.txt. Through this feature, we can sweep our footprints during the hack.

Conclusion: We have learned how a hacker can alter file timestamps on the victim's system after the hack so as to mislead a forensic investigation.

Note, however, that a Windows system holds many other sources of timeline information besides the $STANDARD_INFORMATION MACE times that Timestomp alters: the $FILE_NAME attribute timestamps in the same MFT record, the USN change journal, prefetch files, event logs and so on. If a forensic investigator comes across a system that has been tampered with in this manner, they will turn to these alternative sources.
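The closing paragraph is the key caveat for anyone on the defensive side: Timestomp rewrites the $STANDARD_INFORMATION timestamps but not the $FILE_NAME timestamps NTFS keeps in the same MFT record, and its whole-second input leaves the sub-second part of every value it writes at zero. The Python below is an added example, from neither the article nor Metasploit, of how an analyst checks those two indicators over timestamps pulled from the MFT (here constructed, modelled as Windows FILETIME integers): a normal file passes, while a file treated with timestomp -z fails both checks.

```python
from dataclasses import dataclass, astuple
from datetime import datetime, timezone
from typing import Dict, List

TICKS_PER_SECOND = 10_000_000                       # FILETIME counts 100-nanosecond intervals
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt: datetime, sub_second_ticks: int = 0) -> int:
    """Convert a UTC datetime to a FILETIME integer, optionally adding 100-ns ticks below one second."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + sub_second_ticks


@dataclass(frozen=True)
class Mace:
    """The four NTFS timestamps of one attribute, as FILETIME integers."""
    modified: int
    accessed: int
    created: int
    entry_modified: int


def analyse(si: Mace, fn: Mace) -> List[str]:
    """Return the timestomping indicators found when comparing $STANDARD_INFORMATION with $FILE_NAME."""
    findings = []
    # Indicator 1: timestomp accepts whole seconds only, so every value it writes has a
    # zero 100-ns fraction. Genuine NTFS timestamps almost never have all four at zero.
    if all(t % TICKS_PER_SECOND == 0 for t in astuple(si)):
        findings.append("all $STANDARD_INFORMATION timestamps have a zero sub-second fraction")
    # Indicator 2: $FILE_NAME created is written by the kernel when the name is created and
    # user-mode APIs cannot change it, so $SI created cannot legitimately be earlier.
    # ($SI modified < $FN modified is deliberately not checked: a plain file copy keeps the
    # source's modified time while $FN gets the copy time, which is perfectly normal.)
    if si.created < fn.created:
        findings.append("$SI created predates $FN created")
    return findings


def sample_cases() -> Dict[str, List[str]]:
    """Constructed MFT data (not from a real system): a normal file, and the same file after
    `timestomp -z "01/01/2010 10:00:00"`, which sets all four $SI values to that second."""
    utc = timezone.utc
    created = to_filetime(datetime(2021, 3, 15, 9, 12, 33, tzinfo=utc), 4_821_733)
    written = to_filetime(datetime(2021, 3, 15, 9, 40, 2, tzinfo=utc), 1_105_982)
    # $FN timestamps are all set to the moment the file name was created.
    fn = Mace(modified=created, accessed=created, created=created, entry_modified=created)
    normal_si = Mace(modified=written, accessed=written, created=created, entry_modified=written)
    stomped = to_filetime(datetime(2010, 1, 1, 10, 0, 0, tzinfo=utc))
    stomped_si = Mace(stomped, stomped, stomped, stomped)
    return {"normal": analyse(normal_si, fn), "stomped": analyse(stomped_si, fn)}


if __name__ == "__main__":
    for name, findings in sample_cases().items():
        print(f"{name}: {findings or 'no indicators'}")
```

Two limits to keep in mind when applying this: a rename or move refreshes $FILE_NAME from the current $STANDARD_INFORMATION values, so the second check only catches stomping done after the last rename; and files copied from a FAT volume carry a 2-second-granularity modified time, which is why the first check requires all four fractions to be zero rather than just one.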

Author: Shubham Sharma is a Pentester and Cybersecurity Researcher. Contact him on LinkedIn and Twitter.

Forensic Investigation: Autopsy Forensic Browser in Linux

Introduction

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It is open source, developed by Basis Technology, free to use and well suited to investigating hard drives. The current Autopsy 4 release adds features such as multi-user cases, timeline analysis, keyword search, email analysis, registry analysis, EXIF analysis and detection of malicious files. The Autopsy Forensic Browser covered in this article is the older, web-based version 2 that ships with Kali Linux; it provides the core file analysis, file type sorting, image details and keyword search functions shown below.

  • Investigators can analyse Windows and UNIX disks and file systems such as NTFS, FAT, UFS1/2 and Ext2/3 using Autopsy.
  • Autopsy is used by law enforcement, military and corporate examiners to investigate a victim's or a suspect's computer.
  • It can also be used to recover photos from a camera's memory card.

The Autopsy Forensic Browser comes preinstalled in Kali Linux, so let's power on Kali in a virtual machine.

Table of Contents:

  • Introduction
  • Creating a New Case
  • Adding Image File
  • File Analysis- File Browser mode and Metadata Analysis
  • File Type
  • Image Details
  • Keyword Search
  • Conclusion

Creating A New Case

Open a terminal and run autopsy (with sudo, since the evidence locker under /var/lib/autopsy is root-owned), then open http://localhost:9999/autopsy in your browser to reach the home page of the Autopsy Forensic Browser. Autopsy serves its interface from a local web server on port 9999.

Now you will see three options on the home page.

  • Open Case
  • New Case
  • Help

For the investigation, create a new case by clicking on 'New Case'. This adds a new case folder to the evidence locker and allows you to begin adding evidence to the case.

You will be taken to a page asking for the case details: the case name, a description, and optionally the names of the investigators working on it. After filling in these details, click on 'New Case'.

The new case is stored under the evidence locker, e.g. /var/lib/autopsy/case1/, with its configuration file case.aut inside that case directory. Now create the host to be investigated by clicking on 'Add Host'.

On the Add Host page, enter the name of the computer being investigated and a description of the investigation. You can also set its time zone (leaving it blank uses the default) and a time skew adjustment if the system clock is known to have been off, then click on 'Add Host'.

The path to the evidence directory will be displayed and now you can proceed to add an image for investigation.

Adding Image File

It is a golden rule of digital forensics that one should never work on the original evidence, so an image of the original evidence must be created first. An image can be created with various tools and methods, and in various formats.

Once the image is acquired, the 'Add Image File' option lets you import the image file for analysis.

Enter the path to the image file and select its type (a whole disk or a single partition). Then choose the import method (symlink, copy or move) and click on 'Next'.

You can now confirm the Image file being added to the evidence locker and click on ‘Next’.

The image file details will appear, including the file systems found, the number of partitions and their mount points; click on 'Add' to proceed.

Autopsy now tests the partitions and links them into the evidence locker; click on 'OK' to proceed.

Now select the volume to be analyzed and click on ‘Analyze’.

File Analysis-File Browser Mode and Metadata Analysis

You are asked to choose the analysis mode. Here we are analysing files, so click on 'File Analysis'.

The file list appears, showing every file and directory in this volume. From here you can examine the contents of the image and conduct whichever kind of analysis the case requires. A good first step is to generate an MD5 hash list of all the files in the volume, which documents their state at this point and lets you later prove they were not altered (or compare them against known-file hash sets); click on 'Generate MD5 List of Files'.

The MD5 values of the files in the C: volume of the image are now listed.

File browsing mode lists each file and directory with the date and time it was last Written, Accessed and Changed, the time it was Created, its size, and a link to its metadata. To view the metadata of an entry (here, a log file), click on its 'Meta' link.

Here you can see the metadata of the entry, including the list of clusters it occupies. Click on the first cluster (44067 in this example) to view the raw contents of that cluster, where the file header sits, and look for anything relevant to the case.

Here you can see the contents of the cluster, beginning with the file header.

Next, to look at the files by type, click on 'File Type'.

File Type

Here the files in the volume can be sorted by type. The sorter identifies each file's type from its content signature rather than its extension, so it can also flag files whose extension does not match their content, and it works over allocated, unallocated and hidden files alike. To sort the files, click on 'Sort Files by Type'.

Leave 'Sort files into categories by type' selected (the default) and click 'OK' to start sorting the files.

The categories of file types are displayed. To view the sorted files, click on 'View sorted files' and the list of sorted files is shown.

The output folder location depends on the case and host names specified when the case was created, but it can usually be found at /var/lib/autopsy/Case1/Client/output/sorter-vol2/index.html. Open index.html and click on the images category to view its contents.

The images category is now shown, and you can investigate its files further depending on the case requirements.

Image Details

Now click on the 'Image Details' option to view the important details of this image file.

Here you can see the file system information: the file system type, the first cluster of the MFT, the cluster size, and so on. The cluster size in particular is what you need to translate an offset found elsewhere in the image back to a cluster.

Keyword Search

To speed up locating a file or document, use the keyword search option. Click on 'Keyword Search' to proceed.

Enter the keyword or any relevant string and click on 'Search'. Autopsy scans the raw image for the string and lists the data units in which it occurs, including those in unallocated space.
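Autopsy's keyword search ultimately scans the raw bytes of the image, unallocated space included, and reports where each hit lives so it can be tied back to a cluster or file. The Python below is an added example, not Autopsy's own code, that does the same over a constructed image: it searches for a keyword both as ASCII and as UTF-16LE (the encoding in which Windows stores many strings, and which a plain ASCII search misses) and maps each hit to its sector and cluster. The cluster size and sample contents are constructed; on a real image you would use the cluster size shown on the Image Details page.

```python
from typing import Dict, List

SECTOR_SIZE = 512


def keyword_patterns(keyword: str) -> Dict[str, bytes]:
    """Byte patterns to look for: the keyword as UTF-8/ASCII and as UTF-16LE, the encoding
    Windows uses for many strings in documents, registry hives and file names."""
    return {"utf-8": keyword.encode("utf-8"), "utf-16le": keyword.encode("utf-16-le")}


def keyword_search(image: bytes, keyword: str, cluster_size: int = 4096,
                   case_insensitive: bool = True, partition_offset: int = 0) -> List[dict]:
    """Scan raw image bytes (allocated and unallocated alike) and map every hit to its
    sector and cluster within the file system that starts at partition_offset.
    Case folding is ASCII-only, which is all bytes.lower() provides."""
    haystack = image.lower() if case_insensitive else image
    needle = keyword.lower() if case_insensitive else keyword
    hits = []
    for encoding, pattern in keyword_patterns(needle).items():
        start = 0
        while (pos := haystack.find(pattern, start)) != -1:
            rel = pos - partition_offset          # negative would mean before the partition
            hits.append({
                "offset": pos,
                "encoding": encoding,
                "sector": rel // SECTOR_SIZE,
                "cluster": rel // cluster_size,
                "context": image[max(0, pos - 16): pos + len(pattern) + 16],
            })
            start = pos + 1
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_image(cluster_size: int = 4096) -> bytes:
    """Constructed four-cluster image, not real evidence: cluster 1 holds an ASCII note and
    cluster 3 (think of it as unallocated) holds a UTF-16LE remnant of a deleted file name."""
    img = bytearray(cluster_size * 4)
    note = b"meeting notes: transfer the PROJECT files to the usb stick tonight"
    img[cluster_size:cluster_size + len(note)] = note
    remnant = "Deleted draft - project budget.xlsx".encode("utf-16-le")
    pos = 3 * cluster_size + 100
    img[pos:pos + len(remnant)] = remnant
    return bytes(img)


if __name__ == "__main__":
    for hit in keyword_search(build_sample_image(), "project"):
        print(f"offset {hit['offset']:>6}  sector {hit['sector']:>3}  cluster {hit['cluster']}  "
              f"{hit['encoding']:<8} {hit['context']!r}")
```

The UTF-16LE hit in cluster 3 is exactly the kind of evidence an ASCII-only search never surfaces; once a hit's cluster is known, the cluster-to-file mapping on the Meta page identifies which file (if any) owns it.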

Conclusion

Hence, as a digital forensics investigator, you can make use of these different tools within Autopsy on Kali Linux. Together they form quite a powerful forensic analysis platform.

Author: Jeenali Kothari is a Digital Forensics enthusiast and enjoys technical content writing.