Forensics Image Analysis with OpenSource tools

This is about EWF (Expert Witness Format) image analysis. The formalities of case forensics depend on your type of assessment, your jurisdiction and your clients.

Free open-source tools can fulfil the requirements just like commercial tools, but you may have to double-check whether the relevant standard procedures allow this and how much time you can spend.


Prepare the Linux VM (Mint)

Linux Mint is well-suited for the following tasks because it ships with a low-overhead desktop environment (MATE). This helps the performance of the tasks below and can speed up the process.

Furthermore, MATE doesn't set up loop devices on its own (GNOME, KDE etc. do). This keeps the documentation more consistent, and you get more robust and simpler automation options.


Shared Folders with FUSE

[Screenshot 2024-01-06 at 17.54.52: VMware Fusion shared folder set to read-only]
VMware Fusion read-only mount as a "soft" write blocker for the lab only. This isn't a certified system for case forensics.

You can assign "Read Only" permissions to the shared folder (in addition to the certified write blocker, which is general hardware).

FUSE options like allow_other and allow_root come in very handy, because tools that run as root (losetup, dislocker) must be able to read the images in the shared folder:

#!/bin/bash
# Mount the VMware shared folder with the case images into ~/image/.
# allow_other/allow_root: other users and root may read the FUSE mount.
/usr/bin/vmhgfs-fuse .host:/images_case_123abc ~/image/ -o subtype=vmhgfs-fuse,allow_other,allow_root


Install software packages (Apt)

Keep in mind that you can use Kali Linux repositories with Linux Mint. This isn’t needed for the following steps, but it may be helpful.


https://because-security.atlassian.net/wiki/spaces/DF/pages/5374695

#!/bin/bash
apt update
apt upgrade
apt -y install aptitude mc
apt -y install git build-essential autoconf cmake checkinstall python3-pip flex
apt -y install ewf-tools libewf-dev
apt -y install libafflib-dev afflib-tools
apt -y install libvmdk-dev
apt -y install libvhdi-dev libvhdi-utils
apt -y install libvshadow-utils
apt -y install dc3dd
apt -y install libscca-utils
apt -y install libbde-utils
apt -y install libvmdk-utils
apt -y install python3-dfvfs
apt -y install libqcow-utils
apt -y install libfsntfs-utils
apt -y install libluksde-utils
apt -y install libsmraw-utils
apt -y install libfvde-utils
apt -y install net-tools ssh sshfs grsync gparted
apt -y install xmount btrfs-progs xfsprogs partclone hfsplus hfsprogs apfsprogs jfsutils f2fs-tools adb fastboot sqlite3
apt -y install exiv2 exiftool feh dislocker regripper xxdiff libssl-dev libplist-dev libavahi-compat-libdnssd-dev
apt -y install libgstreamer1.0-dev libgstreamer-plugins-base1.0-dev gstreamer1.0-plugins-bad vlc foremost scalpel
# or, better, the newer Sleuth Kit 4.12 instead of 4.11 from the repository, installed with dpkg from my e-learning platform
apt -y install sleuthkit
# Recommended for a physical installation, and required for Unix server forensics, are the following programs:
apt install -y zfs-dkms apfs-dkms lvm2 qemu-system-x86-64 mdadm
apt install -y libhivex-bin


Preview: Microsoft Co-Pilot can help with tabular integration during forensic data assessments with open-source tools

[Screenshot 2024-02-25 at 11.13.09: Co-Pilot tabulating USB registry evidence]
Going through USB evidence data from the Windows 10 registry, acquired with The Sleuth Kit (TSK). Co-Pilot can help to adjust the data set for the reporting.


Preparation

Forensic Systems

ID | Hardware-System        | Specification
1  | Apple MacBook Pro 2019 | CPU: 2,4 GHz Intel i9; 64 GB RAM; Hostname: chandali; OS: macOS 14.2 (Sonoma); Time zone: Berlin / Winter-time

(Table 1, HW systems)

ID | Virtual System  | Specification
2  | Linux Mint 21.2 | vCPU: 8x 64bit; 8 GB RAM; Hostname: 4n6; OS: Linux 5.15; Time zone: synchronized via ID 1; Desktop: Mate

(Table 2, virtual systems)


Image verification

MD5 is used because it’s in many artifact databases.

marius@4n6:~$ md5sum -c case_image_d.md5
case_image_d.E01: OK
case_image_d.E02: OK
...
case_image_d.E12: OK
case_image_d_web.E01: OK
Session 0.sal: OK

  • case_image_d - Windows asset

  • case_image_d_web - Linux asset

Forensic Tools

The following forensic tools are used below:

pID* | Program         | Version              | Source / Note
1    | VMware Fusion   | 13 Pro               | Analysis-System ID 1
2    | Saleae Logic2   | 2.4.10 macOS x86-64  | Analysis-System ID 1
3    | The Sleuth Kit  | 4.11.1               |
4    | xmount          | 0.7.6                |
5    | xxd             | 2021-10-22           |
6    | Dislocker       | 0.7.2                |
7    | Hivex           | 1.3.21               |
8    | Hayabusa        | 2.12.0 GNU           | Binary Release
9    | Python3-libscca | 20200717-1build1     | Apt
10   | vshadowinfo     | 20190323             |
11   | RegRipper       | V3.0                 |
12   | ent             | January 28th, 2008   | Apt
13   | Exiftool        | 12.40+dfsg-1         | Apt
14   | Keepass2        | 2.4.7                |
15   | ntfsinfo        | v2021.8.22           | libntfs-3g

Where do all these sensational BitLocker decryption "news" stories come from?

They come from TPM sniffing.

All of these BitLocker decryption approaches have in common:

  1. an external (discrete) TPM is being used, and there is direct hardware access to the system

  2. a logic analyzer is used to sniff the bus. You need to capture 7 channels in the case of LPC. The Nyquist-Shannon sampling theorem applies.

  3. then you need to find the typical patterns within the TPM frames to get the BitLocker key (VMK)


The Sleuth Kit (TSK) - EWF image analysis


Partition analysis (Windows asset)

  • EFI

  • GPT

  • Windows

  • 512 Sectors

Usually, the largest partition is the most relevant one on Windows systems, because users put their data on it.

The sector size can be determined with ewfinfo as well:


xmount, losetup and dislocker with an extracted BitLocker key (Windows asset)


  • xmount creates a FUSE mount from the EWF image files, for raw data access

  • losetup creates a loopback device, to mimic a block device

  • dislocker creates a decrypted logical mount based on the loopback device and the extracted BitLocker key


The signature bytes (EB 58 90 2D 46 56 45 2D) at the beginning of the virtual drive indicate a BitLocker partition. This is located at /dev/loop0p3, as can be seen via fdisk.
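The same check, done programmatically over the raw image instead of by eye with fdisk and xxd: walk the GPT, read the first sector of each partition and classify it by its signature. This is an added example, not code from the original page; it assumes a GPT-partitioned image with 512-byte sectors as exposed by xmount, and the image it scans is constructed inline with placeholder GUIDs (not Microsoft's real partition type GUIDs).

```python
"""Classify each GPT partition of a raw disk image by its first sector."""
import struct

SECTOR = 512
# First 8 bytes of a BitLocker volume header: EB 58 90 "-FVE-" (the full text is "-FVE-FS-")
BITLOCKER_SIG = bytes.fromhex("EB58902D4656452D")


def gpt_partitions(img: bytes) -> list:
    """Parse the primary GPT header at LBA 1 and return the used entries.
    Header/entry CRC32 checks are omitted here; a real tool should verify them."""
    hdr = img[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    (entries_lba,) = struct.unpack_from("<Q", hdr, 72)
    n_entries, entry_size = struct.unpack_from("<II", hdr, 80)
    parts = []
    for i in range(n_entries):
        off = entries_lba * SECTOR + i * entry_size
        entry = img[off:off + entry_size]
        if entry[:16] == b"\x00" * 16:          # all-zero type GUID: unused slot
            continue
        first_lba, last_lba = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le").rstrip("\x00")
        parts.append({"index": i + 1, "name": name,
                      "first_lba": first_lba, "last_lba": last_lba})
    return parts


def classify_boot_sector(sector: bytes) -> str:
    """Identify the file system or container from the partition's first sector."""
    if sector[:8] == BITLOCKER_SIG:
        return "bitlocker"
    if sector[3:11] == b"NTFS    ":
        return "ntfs"
    if sector[82:90] == b"FAT32   ":
        return "fat32"
    return "unknown"


def scan_image(img: bytes) -> list:
    """Every partition with its detected kind: fdisk's table plus xxd's signature check."""
    result = []
    for part in gpt_partitions(img):
        start = part["first_lba"] * SECTOR
        part["kind"] = classify_boot_sector(img[start:start + SECTOR])
        result.append(part)
    return result


def build_sample_image() -> bytes:
    """Constructed 2 MiB image: EFI (FAT32), reserved (empty), BitLocker data partition."""
    img = bytearray(SECTOR * 4096)
    hdr = bytearray(SECTOR)
    hdr[:8] = b"EFI PART"
    struct.pack_into("<Q", hdr, 72, 2)          # partition entry array at LBA 2
    struct.pack_into("<II", hdr, 80, 128, 128)  # 128 entries of 128 bytes each
    img[SECTOR:2 * SECTOR] = hdr

    def add_entry(i, first, last, name):
        entry = bytearray(128)
        entry[:16] = bytes([i + 1]) * 16        # placeholder type GUID (constructed)
        entry[16:32] = bytes([0xAA]) * 16       # placeholder unique GUID (constructed)
        struct.pack_into("<QQ", entry, 32, first, last)
        raw_name = name.encode("utf-16-le")
        entry[56:56 + len(raw_name)] = raw_name
        img[2 * SECTOR + i * 128:2 * SECTOR + (i + 1) * 128] = entry

    add_entry(0, 34, 1033, "EFI system partition")
    add_entry(1, 1034, 2033, "Microsoft reserved partition")
    add_entry(2, 2034, 4095, "Basic data partition")
    efi = 34 * SECTOR
    img[efi + 82:efi + 90] = b"FAT32   "
    data = 2034 * SECTOR
    img[data:data + 11] = b"\xEB\x58\x90-FVE-FS-"
    return bytes(img)


if __name__ == "__main__":
    for p in scan_image(build_sample_image()):
        print(f"partition {p['index']}: LBA {p['first_lba']}-{p['last_lba']} "
              f"{p['name']!r} -> {p['kind']}")
```

On a real xmount export you would pass the bytes of the .dd file (or an mmap of it) instead of the constructed image; the third partition then reports as "bitlocker", which is the one to hand to losetup and dislocker.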


  • Windows XP is not the operating system


Access the BitLocker block device (Windows asset)

Simple listing with TSK:


Determine the Operating System (Windows) with TSK and The Hive

TSK listing, filtered with grep (Windows asset)


Registry Hive extraction with TSK (Windows asset)


Hive analysis with The Hive (Windows asset)


Summary - Windows asset

From this, we can conclude for the Windows asset:

  • CurrentBuild 22621 -- a Windows 11 build[2]

  • fre -- a freely available version

  • amd64 -- the target architecture is AMD64

  • 220506 -- the Microsoft Windows build is from May 6, 2022

  • Professional -- it is a Professional Edition

  • Registered User -- "yellow"

  • No organization was provided

  • InstallTime -- with a script, the installation time can be converted into a human-readable format. The value decodes to 2023-10-26 05:42:06 (UTC), which is 2023-10-26 07:42:06 CEST.
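One way to write that conversion script, as an added example that is not the script from the original page: it decodes the raw registry values the way a hive reader such as hivex hands them over and prints them in UTC and local time. It assumes InstallTime is a REG_QWORD FILETIME (100 ns intervals since 1601-01-01 UTC, little-endian) and InstallDate a REG_DWORD Unix epoch value; the raw bytes below are constructed so that they decode to the page's result, 2023-10-26 05:42:06 UTC.

```python
"""Decode CurrentVersion\\InstallTime (FILETIME) and InstallDate (Unix epoch)."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
CEST = timezone(timedelta(hours=2), "CEST")   # fixed offset matching the page's values

# Constructed raw values, as returned by a hive reader for REG_QWORD / REG_DWORD
INSTALL_TIME_RAW = (133427725260000000).to_bytes(8, "little")
INSTALL_DATE_RAW = (1698298926).to_bytes(4, "little")


def reg_int(raw: bytes) -> int:
    """REG_DWORD and REG_QWORD are little-endian unsigned integers."""
    if len(raw) not in (4, 8):
        raise ValueError(f"unexpected registry value length {len(raw)}")
    return int.from_bytes(raw, "little")


def filetime_to_utc(filetime: int) -> datetime:
    """FILETIME ticks are 100 ns; timedelta wants microseconds, hence // 10."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def unix_to_utc(seconds: int) -> datetime:
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def describe(dt_utc: datetime, local_tz: timezone) -> str:
    local = dt_utc.astimezone(local_tz)
    return f"{dt_utc:%Y-%m-%d %H:%M:%S} (UTC) = {local:%Y-%m-%d %H:%M:%S %Z}"


def install_time_report(install_time_raw: bytes, install_date_raw: bytes,
                        local_tz: timezone = CEST) -> dict:
    """Decode both values and flag a disagreement of more than a second,
    which would hint at a clock change or an edited hive."""
    ft = filetime_to_utc(reg_int(install_time_raw))
    ux = unix_to_utc(reg_int(install_date_raw))
    return {
        "InstallTime": describe(ft, local_tz),
        "InstallDate": describe(ux, local_tz),
        "consistent": abs((ft - ux).total_seconds()) <= 1,
    }


if __name__ == "__main__":
    for key, value in install_time_report(INSTALL_TIME_RAW, INSTALL_DATE_RAW).items():
        print(f"{key}: {value}")
```

For real cases replace the fixed CEST offset with the zoneinfo time zone of the evidence (for example ZoneInfo("Europe/Berlin")), so that summer and winter time are resolved per timestamp rather than assumed.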


Determine the Operating System (Linux) - everything is a file

Partition analysis (Linux asset)


File-system analysis (Linux asset)

A recursive listing of all files can be created:

Let's get the i-node:

It's written as an i-node because of this reference from 1978: Document (berkeley.edu) PDF


Operating system analysis via os-release file (Linux asset)


This is always specific to the distribution.


Determine the date of the installation via the file-system (extFS) (Linux asset)

lost+found has i-node 11.

  • There we have the MAC timestamps via a file-system metadata analysis

The respective file system is extFS version 4 / ext4.
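Besides the crtime of lost+found, the ext4 superblock itself records when the file system was created, together with the volume name and last mount point that fsstat shows. The parser below is an added example, not code from the original page; offsets follow the ext4 on-disk layout (superblock 1024 bytes into the partition; s_magic at 0x38, s_mtime and s_wtime at 0x2C and 0x30, s_feature_incompat at 0x60, s_volume_name at 0x78, s_last_mounted at 0x88, s_mkfs_time at 0x108), and the partition it reads is constructed so that s_mkfs_time equals the page's installation time.

```python
"""Read creation time, volume name and last mount point from an ext4 superblock."""
import struct
from datetime import datetime, timezone

SB_OFFSET = 1024
EXT_MAGIC = 0xEF53
INCOMPAT_EXTENTS = 0x40       # set by mke2fs for ext4, not for ext2/ext3


def _utc(seconds: int):
    return datetime.fromtimestamp(seconds, tz=timezone.utc) if seconds else None


def parse_ext_superblock(partition: bytes) -> dict:
    sb = partition[SB_OFFSET:SB_OFFSET + 1024]
    if len(sb) < 1024:
        raise ValueError("partition too small for a superblock")
    (magic,) = struct.unpack_from("<H", sb, 0x38)
    if magic != EXT_MAGIC:
        raise ValueError(f"not an ext2/3/4 superblock (magic {magic:#06x})")
    inodes_count, blocks_count_lo = struct.unpack_from("<II", sb, 0x00)
    mtime, wtime = struct.unpack_from("<II", sb, 0x2C)
    (incompat,) = struct.unpack_from("<I", sb, 0x60)
    (mkfs_time,) = struct.unpack_from("<I", sb, 0x108)
    return {
        "variant": "ext4" if incompat & INCOMPAT_EXTENTS else "ext2/ext3",
        "inodes_count": inodes_count,
        "blocks_count_lo": blocks_count_lo,
        "volume_name": sb[0x78:0x88].split(b"\0")[0].decode(errors="replace"),
        "last_mounted": sb[0x88:0xC8].split(b"\0")[0].decode(errors="replace"),
        "last_mount_time": _utc(mtime),
        "last_write_time": _utc(wtime),
        # None on file systems made by an old mke2fs: fall back to the crtime
        # of lost+found (i-node 11), as the page does.
        "mkfs_time": _utc(mkfs_time),
    }


def build_sample_partition() -> bytes:
    """Constructed 8 KiB partition that holds only a superblock."""
    part = bytearray(8192)
    sb = bytearray(1024)
    struct.pack_into("<II", sb, 0x00, 1_000_000, 3_900_000)
    struct.pack_into("<II", sb, 0x2C, 1698270000, 1698270060)
    struct.pack_into("<H", sb, 0x38, EXT_MAGIC)
    struct.pack_into("<I", sb, 0x60, 0x2C2)        # FILETYPE|EXTENTS|64BIT|FLEX_BG
    sb[0x78:0x78 + 6] = b"rootfs"
    sb[0x88:0x89] = b"/"
    struct.pack_into("<I", sb, 0x108, 1665822149)  # 2022-10-15 08:22:29 UTC
    part[SB_OFFSET:SB_OFFSET + 1024] = sb
    return bytes(part)


if __name__ == "__main__":
    for key, value in parse_ext_superblock(build_sample_partition()).items():
        print(f"{key}: {value}")
```

Point it at the raw partition (the xmount .dd at the partition's byte offset, or a loop device) and compare mkfs_time with the lost+found crtime: the two agree on a freshly installed system, and a mismatch is worth explaining in the report.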


Offline Linux asset log-analysis with TSK to further describe the Linux specifics (Linux asset)

Let’s investigate the rotating Linux kernel logs:


Summary - Linux asset

From this, we can conclude for the Linux asset:

  • Debian Linux 11.5, Raspbian variant

  • Kernel Version: 5.15

  • Architecture: ARMv7

  • Model: Pi 3 Model B Plus Rev 1.3

  • Installation time: October 15, 2022, 10:22:29 CEST

  • Root file system (/) is Ext4

  • Hostname: ircPI

  • Active users: pi, root


Offline Windows EventLog Timeline-Analysis with Hayabusa and


Logical read-only mount of a Windows partition on a Linux analysis system


Timeline generation with Hayabusa instead of Plaso

For the rapid generation of an EventLog timeline, the tool Hayabusa (pID 9) is used. As the name of this forensics program suggests, the forensic analyst does not have to wait long for the results. Hayabusa is an EventLog parser that can apply detection rules to flag suspicious behavior. It is used instead of Plaso Log2Timeline because the goal here is merely to identify the interesting points for the ongoing analysis.

Hayabusa can generate a CLI timeline as a bar chart and write the parsed EventLog information into a CSV file, which can be read with common Linux tools such as Vim, grep or LibreOffice. It is a portable Linux tool that can be run directly from the shared folder.


The days with the highest number of detections are relevant, based on the following event classes. The classifications are based on rules from the Sigma project:

  • Medium: October 27, 2023 (5), October 26, 2023 (39)

  • Informational: October 26, 2023 (232)

This can provide clues to possible periods of the act.

These events include, among others:

  • USB events, which document the connection of peripherals (this can also be analyzed via the Windows Registry)

  • User behavior, such as logon and logoff or permission assignments. However, Windows does not log failed logins on desktop systems by default

  • System starts and shutdowns

  • Installations and executions of additional software (this can also be analyzed with SuperFetch artifacts)
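The per-day, per-level counting behind the "Medium: ... (5), ... (39)" summary can be done on the Hayabusa CSV with a few lines of Python, which is handy when the CLI bar chart is too coarse. This is an added example, not code from the original page or from the Hayabusa project: the column names (Timestamp, Computer, Channel, EventID, Level, RuleTitle, Details) and the level labels are assumptions modelled on Hayabusa's CSV output, and the rows below are constructed.

```python
"""Count Hayabusa detections per day and level to pick the days worth reading in full."""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the assumed Hayabusa CSV layout
SAMPLE_CSV = """\
Timestamp,Computer,Channel,EventID,Level,RuleTitle,Details
2023-10-25 21:10:00.000 +02:00,DESKTOP-1,System,6006,info,Event Log Service Stopped,-
2023-10-26 07:41:10.000 +02:00,DESKTOP-1,System,6005,info,Event Log Service Started,-
2023-10-26 07:42:30.000 +02:00,DESKTOP-1,Security,4624,info,Interactive Logon,"User: yellow, LogonType: 2"
2023-10-26 09:15:01.000 +02:00,DESKTOP-1,Security,4672,med,Special Privileges Assigned,"User: yellow"
2023-10-26 09:20:44.000 +02:00,DESKTOP-1,Microsoft-Windows-DriverFrameworks-UserMode/Operational,2003,med,USB Device Plugged,"DeviceInstance: USB\\VID_0951&PID_1666\\PLACEHOLDERSERIAL"
2023-10-26 18:05:12.000 +02:00,DESKTOP-1,Security,4634,info,Logoff,"User: yellow"
2023-10-26 18:06:00.000 +02:00,DESKTOP-1,System,1074,med,System Shutdown Initiated,"User: yellow"
2023-10-27 08:30:00.000 +02:00,DESKTOP-1,Security,4672,med,Special Privileges Assigned,"User: yellow"
"""


def detections_per_day(csv_text: str) -> dict:
    """{level: Counter({day: n})}, keyed by the date part of the timestamp."""
    per_level = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        day = row["Timestamp"].split(" ")[0]          # "YYYY-MM-DD HH:MM:SS.mmm +02:00"
        per_level[row["Level"].strip().lower()][day] += 1
    return per_level


def peak_days(csv_text: str, top_n: int = 2) -> dict:
    """Top days per level, most detections first."""
    return {level: counter.most_common(top_n)
            for level, counter in detections_per_day(csv_text).items()}


def events_on(csv_text: str, day: str, level: str = None) -> list:
    """All rows of one candidate day (optionally one level) for a closer read."""
    return [row for row in csv.DictReader(io.StringIO(csv_text))
            if row["Timestamp"].startswith(day)
            and (level is None or row["Level"].strip().lower() == level)]


if __name__ == "__main__":
    for level, days in peak_days(SAMPLE_CSV).items():
        print(level + ": " + ", ".join(f"{day} ({n})" for day, n in days))
    for row in events_on(SAMPLE_CSV, "2023-10-26", "med"):
        print(row["Timestamp"], row["EventID"], row["RuleTitle"])
```

Note that the date is taken from the timestamp as Hayabusa wrote it, so run Hayabusa with the time zone of the evidence (or UTC) consistently; otherwise late-evening events fall on the wrong day.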


Logon Timeline-Analysis with Hayabusa

Keep in mind that by default, Windows 10 / 11 etc. do not log failed logon events.


Offline Timeline-Analysis with SuperFetch artifacts


SuperFetch is a Microsoft Windows technology that, among other things, can provide clues during forensic analysis about which applications were executed at what times and how often. Files with the .pf suffix are typically located in Windows\Prefetch and are part of the Windows-specific artifacts. SuperFetch itself is part of the memory management architecture and uses the hard disk, i.e., persistent storage, for latency optimizations.


„Because this component of SuperFetch is reactive and not predictive, it does take some time for the robustion to kick in. SuperFetch will therefore keep track of this process for the next time it runs. Once SuperFetch has determined that it appears that this process always performs this kind of sequential access, it remembers this and robusts the file pages as soon as they’re mapped instead of waiting for the reactive behavior. At this point, the entire process is now considered robusted for future file access.“

[P. Yosifovich, M. E. Russinovich, D. A. Solomon, and A. Ionescu, Windows Internals, Part 1: System Architecture, Processes, Threads, Memory Management, and More (7th Edition), 7th ed. USA: Microsoft Press, 2017, p. 496]


sccainfo for Prefetch investigation

sccainfo uses the libscca library (pID 10), for which Python bindings are available.


Automated offline analysis of Windows Prefetch files with Python

Based on Prefetch files, a complete analysis can be automated with a Python program. An existing Python program was ported to Python 3 for this purpose; the source code is provided. Since the results of the EventLog analysis are also available as a CSV file, this implementation allows the two data sets to be correlated (with tabular integration tools etc.).


Volume Shadow Copies (basics)

„The Volume Shadow Copy Service (VSS) is a built-in Windows mechanism that enables the creation of consistent, point-in-time copies of data, known as shadow copies or snapshots. VSS coordinates with applications, file-system services, backup applications, fast-recovery solutions, and storage hardware to produce consistent shadow copies.“

[M. Russinovich and D. A. Solomon, Windows Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition, 5th ed. USA: Microsoft Press, 2009, p. 688]

The Volume Shadow Copy Service (VSS) can create file-system snapshots for backup and recovery purposes. These may contain references to, or even the contents of, deleted files, among other things.


Windows Registry Analysis (advanced)

„The registry plays a key role in the configuration and control of Windows systems. It is the repository for both systemwide and per-user settings. Although most people think of the registry as static data stored on the hard disk, as you’ll see in this section, the registry is also a window into various in-memory structures maintained by the Windows executive and kernel.“
[M. Russinovich, D. Solomon, and A. Ionescu, Windows Internals, 6th ed., vol. Part 2. Pearson, 2012]


The Windows Registry is a hierarchical database that serves Windows forensics as a repository of much relevant status information.

USB peripherals - keyword correlation with basic Bash (Windows Registry and Windows EventLog)

The Windows Registry can contain references to USB peripherals when devices have been connected to the evidence item. However, the exact location of this information in the Registry varies between different Windows releases, and Microsoft does not necessarily document this. Forensic software manufacturers may provide up-to-date artifact references that can also be used for Linux forensic programs.

Based on the documented results in Task 2 (Section 1.5.1), RegRipper (pID 12) is used along with the logical mount point of the decrypted BitLocker partition (Section 1.6.1). First, a backup of the SYSTEM hive is created, and then various standard Registry keys are read.


The names of these txt files are chosen according to the RegRipper plugins.


We can also run a full-text search through the Windows EventLog EVTX files with hayabusa:


Within the EventLog artifacts, you can look for USB device serial numbers.

You can correlate Windows Registry and Windows EventLog artifacts with nothing more than Bash.
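The same keyword correlation, written out so that the serial numbers are extracted from the RegRipper output and then looked up in the Hayabusa CSV, with the serials seen only in the Registry reported separately. This is an added example, not code from the original page; both inputs are constructed: the Registry text imitates the USBSTOR and USB\VID_... key paths as RegRipper's USB plugins print them (the exact plugin layout is not reproduced), the CSV imitates a Hayabusa timeline whose Details column carries the device instance path, and the serial numbers are placeholders.

```python
"""Correlate USB serial numbers between Registry plugin output and an EventLog CSV."""
import csv
import io
import re

# Constructed Registry extract in the style of RegRipper's USB plugins
REGISTRY_TXT = """\
USBSTOR
  Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP
    SERIAL0001AAAA&0  [2023-10-26 07:20:44 UTC]
  Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00
    SERIAL0002BBBB&0  [2023-09-02 11:03:10 UTC]
USB
  VID_0951&PID_1666
    SERIAL0001AAAA  [2023-10-26 07:20:44 UTC]
"""

# Constructed Hayabusa-style CSV (assumed column layout)
EVENTLOG_CSV = """\
Timestamp,Computer,Channel,EventID,Level,RuleTitle,Details
2023-10-26 09:20:44.000 +02:00,DESKTOP-1,Microsoft-Windows-DriverFrameworks-UserMode/Operational,2003,med,USB Device Plugged,"DeviceInstance: USB\\VID_0951&PID_1666\\SERIAL0001AAAA"
2023-10-26 09:21:02.000 +02:00,DESKTOP-1,Microsoft-Windows-DriverFrameworks-UserMode/Operational,2100,info,USB Storage Query,"DeviceInstance: USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\SERIAL0001AAAA&0"
2023-10-26 17:55:00.000 +02:00,DESKTOP-1,Security,4624,info,Logon,"User: yellow"
"""

# A serial line: four-space indent, the serial, an optional "&<n>" instance suffix, a timestamp
SERIAL_LINE = re.compile(r"^ {4}([0-9A-Za-z_.-]+)(?:&\d+)?\s+\[", re.MULTILINE)


def registry_serials(text: str) -> set:
    """Distinct serial numbers found in the Registry extract."""
    return set(SERIAL_LINE.findall(text))


def eventlog_hits(csv_text: str, serials: set) -> dict:
    """serial -> EventLog rows whose Details mention it (the grep step)."""
    hits = {serial: [] for serial in serials}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for serial in serials:
            if serial in row["Details"]:
                hits[serial].append({"Timestamp": row["Timestamp"],
                                     "EventID": row["EventID"],
                                     "Channel": row["Channel"]})
    return hits


def correlate(registry_txt: str, csv_text: str) -> dict:
    serials = registry_serials(registry_txt)
    hits = eventlog_hits(csv_text, serials)
    return {
        "hits": hits,
        "matched": sorted(s for s in serials if hits[s]),
        # Present in the Registry but absent from the logs that survived
        # rotation or were collected: still evidence of a past connection.
        "registry_only": sorted(s for s in serials if not hits[s]),
    }


if __name__ == "__main__":
    result = correlate(REGISTRY_TXT, EVENTLOG_CSV)
    for serial in result["matched"]:
        for hit in result["hits"][serial]:
            print(serial, hit["Timestamp"], hit["EventID"], hit["Channel"])
    print("registry only:", result["registry_only"])
```

The Registry timestamps in the sample are UTC while the EventLog rows carry +02:00, so a match on the serial must be read together with the offset before the two sources are placed on one timeline.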

Suspicious evidence - timestamps, indications and keywords

You can use certain indicators to build a keyword catalog:

  • Acronyms of encrypted files, links or relevant artifacts

  • Names, locations etc. from protocols

It’s important to make a list, so that you can conduct an Intelligence Analysis later.

Here, we actually mean "Entropy":

  • expressed in bits per byte, representing the average information content per byte of data. An entropy value close to 8 bits per byte suggests a very high level of randomness, which is typical for encrypted or compressed data. In contrast, lower entropy values suggest more predictable or structured data, such as plain text or certain types of images.

  • Not the Chi-square distribution or Shannon Entropy.
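To reproduce the bits-per-byte figure that ent prints first, and to flag files near the 8-bit ceiling, the following can be run over a buffer or a file. This is an added example, not code from the original page or from ent; the sample buffers are constructed, and the 7.9 threshold is a working assumption rather than a rule (small files and already-compressed image formats also sit high).

```python
"""Entropy in bits per byte, with a threshold for likely encrypted or compressed data."""
import math
from collections import Counter

HIGH_ENTROPY = 7.9   # bits per byte; assumed threshold, tune per case


def _entropy_from_counts(counts: Counter, total: int) -> float:
    if total == 0:
        return 0.0
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def entropy_bits_per_byte(data: bytes) -> float:
    """Average information content per byte: 0.0 for one repeated value, 8.0 for uniform bytes."""
    return _entropy_from_counts(Counter(data), len(data))


def entropy_of_file(path: str, chunk_size: int = 1 << 20) -> float:
    """Same figure for a file on disk, read in chunks so large evidence fits in memory."""
    counts = Counter()
    total = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            counts.update(chunk)
            total += len(chunk)
    return _entropy_from_counts(counts, total)


def classify(data: bytes, threshold: float = HIGH_ENTROPY) -> dict:
    h = entropy_bits_per_byte(data)
    return {"entropy": round(h, 4), "likely_encrypted_or_compressed": h >= threshold}


# Constructed samples: a repeated value, English text, and a perfectly uniform byte distribution
SAMPLES = {
    "zeros": bytes(1024),
    "text": b"The quick brown fox jumps over the lazy dog. " * 40,
    "uniform": bytes(range(256)) * 4,
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:8s} {classify(data)}")
```

A single high value is a hint, not proof: check the file's magic bytes and size next, since a ZIP, a JPEG and an encrypted container all score near 8.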


The entropy was calculated and output with the forensic program ent (pID 13). The metadata (Modification, Access) of the file was analyzed with the forensic program exiftool (pID 14). The creation timestamp was determined with the forensic tool ntfsinfo (pID 16), pointed at the loop device that carries the BitLocker partition decrypted by Dislocker (see above). Additional timestamps could be analyzed if necessary.

NTFS Creation-Timestamp via ntfsinfo

The File Creation Time can also be assessed with TSK.


Search for suspicious images based on File Creation Timestamps with TSK

Somebody was hiding something, but the timestamp anomalies revealed the evidence. You can narrow the results by filtering out the timestamps outside the timeframe (with awk). Then reduce the listing further to the relevant suffixes and paths.
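The awk filtering described above, carried out on a TSK body file (the output of fls -m / -r) so that the timeframe, the suffix filter and one common anomaly, a creation time later than the last modification, are applied in one pass. This is an added example, not code from the original page; it assumes TSK's body file layout (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds), and the lines below are constructed.

```python
"""Filter a TSK body file by creation-time window and suffix, flagging crtime > mtime."""
from datetime import datetime, timezone

# Constructed body-file lines (TSK fls -m style)
SAMPLE_BODY = """\
0|/Users/yellow/Pictures/holiday.jpg|1234-128-1|r/rrwxrwxrwx|0|0|204800|1698300000|1666000000|1698300000|1698300000
0|/Users/yellow/Pictures/notes.txt|1235-128-1|r/rrwxrwxrwx|0|0|512|1698300100|1698300100|1698300100|1698300100
0|/Users/yellow/AppData/Local/Temp/img_0421.png|1236-128-1|r/rrwxrwxrwx|0|0|80000|1698310000|1650000000|1698310000|1698310000
0|/Windows/System32/notepad.exe|2001-128-1|r/rrwxrwxrwx|0|0|200000|1652000000|1652000000|1652000000|1652000000
0|/Users/yellow/Documents/old.jpg|1237-128-1|r/rrwxrwxrwx|0|0|50000|1600000000|1600000000|1600000000|1600000000
"""

IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif", ".heic")


def parse_body(text: str) -> list:
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"not a TSK body line: {line!r}")
        _md5, name, inode, _mode, _uid, _gid, size, atime, mtime, ctime, crtime = fields
        entries.append({"name": name, "inode": inode, "size": int(size),
                        "atime": int(atime), "mtime": int(mtime),
                        "ctime": int(ctime), "crtime": int(crtime)})
    return entries


def iso(epoch: int) -> str:
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def suspicious_images(text: str, start: int, end: int, suffixes=IMAGE_SUFFIXES) -> list:
    """Entries created within [start, end] (epoch seconds) with a matching suffix."""
    out = []
    for entry in parse_body(text):
        if not (start <= entry["crtime"] <= end):
            continue                                   # outside the timeframe
        if not entry["name"].lower().endswith(suffixes):
            continue                                   # not a relevant suffix
        entry["crtime_utc"] = iso(entry["crtime"])
        # Created after its last modification: the file was most likely copied
        # or moved in from elsewhere with its content unchanged.
        entry["anomaly"] = entry["crtime"] > entry["mtime"]
        out.append(entry)
    return out


if __name__ == "__main__":
    # Window: 2023-10-26 00:00:00 UTC to 2023-10-27 23:59:59 UTC
    for e in suspicious_images(SAMPLE_BODY, 1698278400, 1698451199):
        flag = "ANOMALY" if e["anomaly"] else ""
        print(f"{e['crtime_utc']}  mtime={iso(e['mtime'])}  {e['name']}  {flag}")
```

Feed it the body file that fls produced from the dislocker-backed loop device; the hits are the ones to carry into exiftool and ntfsinfo for the full set of timestamps.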

If you conduct a reverse image search (OpenSource Intelligence), you’ll find that they are true professionals.