Thursday, November 26, 2009

Linux, Mount them segmented DD file Images!!


To mount split/segmented DD files in Linux you can use the "mdadm" command along with the "losetup" command.  For example, if I have six split image files in a directory called Images:

losetup /dev/loop0 /mnt/Images/image.000
losetup /dev/loop1 /mnt/Images/image.001
losetup /dev/loop2 /mnt/Images/image.002
losetup /dev/loop3 /mnt/Images/image.003
losetup /dev/loop4 /mnt/Images/image.004
losetup /dev/loop5 /mnt/Images/image.005

The command to mount it would look like this:

mdadm --build --auto=part -verbose /dev/md1 --level=linear -n6 /dev/loop[0-5]

If you are mounting a hard drive with two partitions, partition1 is on "/dev/md1p1" and partition2 is on "/dev/md2p2".

-Dav Nads

Sunday, November 22, 2009

Call the Paparazzi... COFEE was LeAkEd!!

OMG is right..!! Microsoft's super-secret Computer Online Forensic Evidence Extractor ("COFEE")  available to Law Enforcement only, was leaked into the torrents last week... LOL! ABOUT TIME IS ALL THAT I HAVE TO SAY!

It was about a year ago when I first heard about this tool. The press releases poured COFEE out like this..

"With COFEE, law enforcement agencies without on-the-scene computer forensics capabilities can now more easily, reliably, and cost-effectively collect volatile live evidence. An officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device. This enables the officer to take advantage of the same common digital forensics tools used by experts to gather important volatile evidence, while doing little more than simply inserting a USB device into the computer.

The fully customizable tool allows your on-the-scene agents to run more than 150 commands on a live computer system. It also provides reports in a simple format for later interpretation by experts or as supportive evidence for subsequent investigation and prosecution. And the COFEE framework can be tailored to effectively meet the needs of your particular investigation."

To say the least, the tool was intellectually intriguing. I WANTED A COPY for Chanukah!! Unfortunately, I couldn't have one because I was not in Law Enforcement and was living in China at the time (without a whole lot to do). So, I decided to do some research and start programming a COFEE of my own :-) Well, that turned into a long drawn out project called BOOP. I'm saving BOOP for a later date and blog entry of its own.



As for COFEE, let's say I saw it!!! My thoughts, It's nothing but a simple GUI wrapper for a # of Microsoft SysInternal, Windows XP, and other misc. freeware command-line tools. It facilitates batch execution of these utilities and customized payloads. It does not even include a tool to dump physical memory. Honestly, looks like a amateur high school programming project. I had dreams of it being stealthy, sexy, ninja like, super secret, high tech, and a ultimate computer forensic swiss army knife. As I'm sure you can tell, I feel really disappointed and let down here. I think the last time I felt this way was when my girlfriend cheated on me. LOL. 15 MB of trash pretty much sums that tool up.  Thanks Microsoft, for ruining my life. Now, back to whole-disk imaging computers.
 
-This one is for my high school programming class .

Dav Nads

Tuesday, November 17, 2009

OSX Mail and E-Discovery ..

Whats up NERDZ! Did ya miss me?? Since I wrote about OSX last week, I thought I would keep things in the ROM... LOL! I'm starting to see more and more Macs in the field and less and less "know how" out in the field to deliver! By no means do I claim to be a expert BUT my first computer was a Apple 2E, second was a Performa 410 and third was a power Macintosh 6400. So I'm just saying... Ms. Apple and I have a little history together :-p

I want to talk about OS X mail here. This is a subject that I feel is not well documented in the community as it pertains to e-Discovery. The fact is I don't know ANY end-to-end e-Discovery appliances/and or solutions that properly handles and processes OSX mail in all variations and native formats. This means I find myself MANUALLY migrating OSX mail to our dear all mighty PST quite frequently. In this blog, I will explore the various common formats of OSX mail and options available to migrate your data to PST format. Ultimately, meeting the requirements and working within the limitations of our e-Discovery software.

In OS X 10.3 (Panther), all messages for each inbox, are stored in .MBOX format. All you need to do is identify these and convert to PST with your favorite MBOX to PST migration utility. It's that simple! I suggest using Aid4Mail and exercising the option to "recover deleted items". Remember it's important to preserve file structure during export and migration.

One of the most compelling reasons to upgrade to OS X 10.4 (Tiger) is because of it's amazing indexing and search features. Apple's Mail.app leveraged this powerful searching ability with Mail 2.0. However, to allow for speedy indexing and searching of e-mails via Spotlight, Apple had to split those large .MBOX files into individual .EMLX files. So you will find ONE .EMLX file for EVERY e-mail. These EMLX files are stored, by default, in the following location. Note that multiple users may have mail accounts.

/Library/Mail/

Now there are a few options to migrate .EMLX files over to the "other side". The first approach, use a e-mail migration utility of your choice to migrate the data.  Again, Aid4Mail does a good job at this. This approach assumes you have already exported your data (maintaining file structure) or mounted the image.

The second approach takes into account that some e-Discovery software WILL accept .EML as a valid message type input format. Also, let's be honest, who wants manually convert each extention for every email. Not me!! So lets do this this...

If your on a Mac: Launch the Terminal, change into the directory the .EMLX files are located (ie. cd ~/Library/Mail/) and execute this command to batch rename all the files:

for file in *.emlx ; do mv $file `echo $file | sed 's/\(.*\.\)emlx/\1eml/'` ; done

If your on a PC: Launch DOS, change into the directory the EMLX file are located, and execute this command to batch rename all the files:

ren *.emlx *.eml

.EMLX and .EML are transparent in format because the messages are stored in pure plaintext. Therefore, renaming the file extension, as demonstrated in the above approach, works great if your software supports the .EML format.

NOW off to the races, what happens if the custodian uses IMAP? In addition to seeing .EMLX files you will see .EMLXPART and  PARTIAL.EMLX files. That's a total of three file formats that are used to manage IMAP accounts. That means there are now four file formats you need to take account to during your identification phase. Let's examine these two new formats, .EMLXPART and PARTIAL.EMLX.

An emlxpart file is an attachment, either an image, a document or an HTML version of a message. It doesn’t contain the metadata which is included in an emlx file. This means attachments are stripped from .EMLX files and stored separately as these emlxpart files. It's file name is same number as the corresponding emlx file. For example, Cybergirl223 sends me a picture of her today. Her message is locally cached in my Mail folder as 473.emlx and the attachment as 473.2.emlxpart. Make sense?

In IMAP accounts, a third file type, partial.emlx,  also sometimes appears. This is for partially locally-cached copies messages on the IMAP server, saved for indexing or something.

Migrating these 3 files is a little more time and resource consuming as some of the other approaches. This consists of two steps; Migrate everything to MBOX and the secondly migrate the MBOX to PST.

To start, there is only one tool that I'm aware of that entirely migrates .EMLX, EMLXPART, and PARTIAL.EMLX files while persevering folder structure and attachments. This tool is called "Emailchemy" and can be purchased here: http://www.weirdkid.com/products/emailchemy/index.html

After you have converted to your loose e-mail files to MBOX, then again use your tool of choice (I think you know what mine is by now) to migrate to PST.

Well that's all I have on this topic. Make sure you account for all four file types discussed; .MBOX, .EMLX, .EMLXPART, and PARTIAL.EMLX  during your identification and/or pre-processing phases - then migrate over accordingly :-) Also, remember the importance of verifying your results when migrating data. I like to tell people if you migrate A to Z you should be able to migrate from Z to A. This is one of simplest  forms of logic and basic validation.

hope u enjoyed, all the best, dnasty

Wednesday, November 11, 2009

Reminder


24" inch rims and 240-pin DIMMs. spinning platters and pullin magnetic chatter. flying down the system bus i hit the i7 with thrust. some say i overclock but i know its cause i aint stock. my case flowin liquid and your girl blowin somethin, dav nads be energy efficient while your girl being coefficient. from the circuit boards to the cords, u get outscored. nibble on nads just dropped banner ads!

Mac Parallels


When i aint speaking dictionary attacks or prefetching unicode on the snatch. I'm actually working on the blog. my bouyie, Christian Lander, got a job too. he's droppin text like "Stuff White People Like" where # 40 is a shout out just for Apple Macs. So, heres one for ya -

E-discovery - HOW tO get my f#$%ing data out of Mac Parallels!!!

The most "popular" format of virtual storage is VMware's .VMDK format. Encase does a great job at supporting these in native format by automatically mounting em. However, what about the not so cool formats like Parallels? Well Guidance has it on their far future "feature request" list at number 4,332,545 (guessestimate) to support it sometime in the near future.

Now the big question is how do you get that data out?? Here are my notes on a couple of approaches:

1.) Manually identify the .HDD and .PVS file extensions associated with the Parallels application in your case. Create a file-ext condition in Encase to accomplish fast and efficiently.

HDD ext - During the creation, the virtual machine acquires a virtual hard disk file with the .hdd extension.

PVS ext - A virtual machine configuration file that contains information about the virtual machine resources, devices and other settings.

Don't see those, but you are seeing .HDS files? you can rename these to HDD. Check out this good tutorial. 

2.) Extract relevant Parallels data to your work space while preserving folder structure to avoid file name collisions.

3.) Install Parallels on your examiner machine.

A free 30 day demo is available at http://download.parallels.com. Don't ask me this voids some EULA bs cause whatever - just saying yo. If all possible, install a version consistent with the custodian's machine. You can check version by analyzing the .PLIST and/or .PDF user manual artifacts found in the Parallels application folder.

4.) Parallels has developed a special utility for increasing the virtual hard disk capacity and managing its properties - this tool is called Parallels Image Tool.exe and is included with a standard install.

5.) You will need to use this tool to change the properties of your .HDD file. Execute, select "manage..", point to your .HDD file, and convert to plain format.

...This will change the file from a expandable image format to raw disk type.

6.) Rename the extension of the .HDD file to a .VMDK and bring into encase as a loose file. Whalaaa you should see data!!? Otherwise you can use a free program like ImDisk to mount the converted hard disk image. This even has support for "read-only" mode.

FYI - this is just one approach and just like FTK, it does not always work.. Lol! For obvious reasons, there are technical limitations and variables in the above example that will cause issues. Another tool you can use, with newer versions of Parallels disk formats, is the VMware Converter. Similarly, this tool allows to migrate virtual hard drives from one format to another.

So you have FAILED.. and never want to use a Mac again at this point. Here's another approach soldiers:

1.) Blow out your image to a physical hard drive using the tool of your choice. I like DC3DD whooohoo

2.) Now attach this external hard drive to your Mac examiner machine as a slave. Boot to this hard drive instead of the primary hard drive. Boot options are made available by holding down the options key at start up.

3.) So now you just booted into your custodians machine. Sweeeet! The cool thang about Mac's is they don't nearly require the degree of driver support that PC's do upon start up. Mac's have a very transparent set of drivers between all of their products. So you can practically use any Mac machine (at least consistent with chip sets) to boot native.

4.) Now you may get stuck at the login password because you don't know the custodians password. If this is the case, it doesn't hurt to just ask for it DERRRR! If you need to reset it, then use the OS X restoration DVD. You can figure it out.. just GOOGLE IT! Just beware you will need the OS X recovery disk paired with the installation version.

5.) Once you get in, boot the virtual machine(s) normally and acquire using a live-image tool. I like throwing FTK imager lite on a thumb drive, adding it as a read-only device into the virtual machine, and porting the image over to a saved network share location or external data source. As always, just document your shiat.

Update (12/6/2009): Just in, thanks to Beatle over at forensicfocus.com, another approach, try UFS Explorer . I have not tested, but it is documented that this software will to read into the Parallels image file and allow you to mount the file system locally with read-only access. If you have experience using this software, I would be interested to hear your feedback.


As always, these are just some of my notes. Test, validate, document, your work!


Tuesday, November 10, 2009

its good


we aint be airing for 24 n i aready gotz stalkers. girlz be bookmarking n crackers be marking. cut paste copy erase. dnads is a polymorphic strand that aint loosing system command. i'm shootin tripple DES while y'all still bootin 95. nibble, nobble, nads gets in with a snort and out with a port. ya better run update cause dav nads don't procasanate. stay tuned for more stringing accsi

Monday, November 9, 2009

ctrl alt del.. P'0wned!! DAV NADS iz ONLINE!


Wazzzzzzap! I'm werking on layin down some HUGE tricks fo' my blog project includin: hardddcore digi FORENSICS, e-discovery "where the MONEY is @", reverse engineering for snitching, , reality TV and some NEWS.

BUT Rigt' now.. put yo PC on deep freeeeze and MACs 2 sleepz! cause I'm working! spread the word that DAV NADS is ONLINE aND be bloggin' ritee HERE. www.http://davnads.blogspot.com. this the REAL thing y'all!