Previous Section  < Day Day Up >  Next Section

Making Copies of Forensic Evidence

If you have verified that your system has been attacked or exploited, the first thing to do is take immediate action to stop the attack or limit that machine's exposure. Ideally, this would mean disconnecting the machine from the network to conduct further analysis. If this is not possible, you will still want to disable any suspect accounts, kill any rogue processes, and possibly block offending IP addresses at the firewall while you figure out what is going on.

Once you have eliminated the immediate danger, you should make a copy of any important data to look at offline per the tenet of good forensic analysis described earlier. You don't want to use your tools on live data. To do this, make a perfect copy of the data. This requires creating an image of the data rather than just copying it. You don't want to use the operating system's built-in copy functions because this might change file dates and insert other unwanted information. There are special tools for making these mirror-image copies. Unfortunately, there are not any good open source alternatives for the Windows platform right now (anyone want to sign up for a good Windows open source project?). The most popular program for Windows is Norton Ghost by Symantec, which retails for about $50.00. Under UNIX, there is an excellent open source program for doing this: dd, which stands for data dump.

dd: A Disk and File Replication Tool

You can use the dd tool to literally read blocks of data right off the hard disk and make exact copies of it. It goes directly to the media rather than using the file system, so it can capture deleted data and other things that a file system can't see. It can be used to make bit-wise copies of your data on a UNIX file system. Because UNIX treats devices as files, you can take a whole hard drive and replicate it this way by simply copying the device file with a tool like dd.

Installing dd


You shouldn't have to install dd on most UNIX operating systems because it is a part of any UNIX file system. Type man dd to verify that you have it. If for some reason you don't have it, you can get it from the book's CD-ROM or as part of the GNU file utilities at the site above.

Using dd

There are two ways to use dd. One way is to make a bit-wise copy, that is, copy the data bit by bit. This creates a mirror image of the data on another hard disk or partition. The other way is to create a single large file. This is sometimes convenient for analysis and portability purposes. You can easily make a hash of the file for verification purposes. This file is often referred to as an evidence file, and many forensic programs are designed to use these files as input.

The basic format of the dd command is as follows:

dd –if=input_file –of=output_file options

where you replace input_file with the device file you want to copy, output_file with the filename you want to copy it to, and options with any dd options you want to use. The dd tool has many options, and Table 11.4 lists the basic ones.

Table 11.4. Basic dd Options




Block size. The size of the blocks, in bytes, to copy at a time.


Block count. How many blocks to copy. This is useful if you don't want to copy the whole file system if you have a very large hard drive or partition or limited space on your target media.


Skip x number of blocks before starting the copy. Again, this is useful for copying only a part of a file system.


Specifies any of several suboptions:

notrunc—Won't truncate the output if an error occurs. This is recommended in most cases.

noerror—Won't stop reading the input file in case of an error such as problems with the physical media. Also recommended.

sync—Requires the noerror command before it. If an error occurs, this will place zeros in its place, maintaining the sequential continuity of the data.

So, if you want to copy the hard drive device /dev/hdc onto another hard drive, device hdd using dd, you could use the following command:

dd –if=dev/hdc of=/dev/hdd bs=1024


This copies the contents of the device at /dev/hdc (probably your primary hard drive) to the device at /dev/hdd (probably your secondary hard drive). Make sure you understand which drives relate to which devices. As the sidebar on dd explains, a mistake here can be very costly!


Flamey the Tech Tip:

Be Very Careful with dd!

Do not use a low-level disk tool like dd lightly. One wrong command could easily erase your whole hard drive. Be particularly careful about the input and the output sources. Getting them mixed up can mean overwriting your evidenceor worse. Don't play with dd unless you have at least a basic understanding of hard-disk terms like blocks and sectors. Unlike user-friendly Windows, dd won't prompt you twice if you are about to do something stupid. So, like a good carpenter, read the manual twice . . . execute once. . . .

If you want to create a single big evidence file instead, you can use the following command to copy the file onto a new device.

dd if=/dev/hdc of=/mnt/storage/evidence.bin

You will probably want to mount a new device to capture this file. It should preferably be brand new media so as not to taint the evidence with old data. Remember, even deleted data will show up with these tools. If you can't use fresh media, make sure it is truly wiped clean with a disk utility. The dd tool has this capability. Read the man pages for more information on this option.

When you have all your evidence gathered, you are ready to analyze it further with a forensic toolkit. There are many excellent, professional-grade commercial toolkits. There are also some very good free toolkits available both for Windows and UNIX.

The Sleuth Kit/Autopsy Forensic Browser: A Collection ofForensic Tools for UNIX

The Sleuth Kit by Brian Carrier is a compilation of various forensic tools that run under UNIX. It includes parts of the popular Coroner's Toolkit by Dan Farmer as well as other contributions, and works with the Autopsy Forensic Browser, which is a nifty Web interface for Sleuth Kit. It is designed to work with data files such as those output by disk utilities like dd. It is quite feature rich; in fact, it has more depth than some of the commercial programs available. Some of the key functions are:

  • Tracking of separate cases and multiple investigators

  • Viewing allocated and deleted files and directories

  • Accessing low-level file system structures

  • Generating a timeline of file activity

  • Sorting by file categories and checking extensions

  • Searching image data by keywords

  • Identifying graphic images and creating thumbnails

  • Looking up hash databases, including the forensic standards NIST NSRL and Hash Keeper

  • Creating investigator notes

  • Generating reports

Installing Sleuth Kit

  1. graphics/cd_icon_icon.gif Download and unzip the file from the book's CD-ROM or the Web site.

  2. In the directory, type:



    The program automatically configures and compiles itself. It may prompt you with a few questions during the installation process.

Installing Autopsy Forensic Browser

This program is the graphical interface counterpart to Sleuth Kit. Using it with Sleuth Kit will make your life a whole lot easier and allow you to produce some nice graphical output. You can still use the Sleuth Kit command line tools separately if you want to.

  1. Make sure you have Sleuth Kit installed before you start to install Autopsy.

  2. graphics/cd_icon_icon.gif Get the Autopsy file from the Web site or from the book's CD-ROM in the /autopsy directory.

  3. Untar and unzip it with the usual tar –zxvf command.

  4. Have the path to the Sleuth Kit program directory handy and think about where you want to put your "evidence locker"—the special directory where all your Sleuth Kit case data will reside.

  5. Type the make command. This installs the program, and prompts you for your evidence locker directory and the directory that Sleuth Kit is installed in.

Using Sleuth Kit and Autopsy Forensic Browser

  1. To start the server program, type ./autopsy & from the /autopsy directory. This runs the server in the background on port 9999.

  2. Make a note of the URL that is displayed when it starts up. You will need this to log into the server.

  3. To connect to the server, open a browser and enter the URL you copied from the location window in Step 2. It will look something like this:



    The number between the slashes changes each time you run Sleuth Kit. Once you enter the URL, the main screen displays (see Figure 11.1).

    Figure 11.1. Autopsy Forensic Browser Main Screen


Creating and Logging Into a Case

The Sleuth Kit with Autopsy Forensic Browser lets you monitor separate cases so you can track different incidents and customers. You will need to create a case for evidence files before you can work on them.

  1. From the main screen, click on Create Case.

    The Create a New Case screen displays (see Figure 11.2).

    Figure 11.2. Create a New Case Screen


  2. Enter a case name. This will be the same directory that your evidence data is stored in. This directory is created under your main evidence locker directory specified at installation.

  3. If you want, you can give the case a full name to better describe it.

  4. You must create at least one investigator ID to have access to that case.

    You can see the power of this program here. This feature allows you to have multiple people working on the case and track each one's access and actions. Click on New Case to finalize your input.

  5. Once your case is created, the Case Gallery displays. This shows all the cases you have created. You can see the details on each case, including which investigators are working on them. Select your new case, click on OK, and log into your newly created case.

    You have now created a case and are logged in and ready to start working on it.

Adding a Host

Once you have logged into your case, you need to define at least one host that you are going to examine. This host represents the specific machine you are investigating.

  1. From the Case Gallery, click on Add Host. The Add a New Host Screen displays (see Figure 11.3).

    Figure 11.3. Add a New Host Screen


  2. Enter a host name.

  3. If you want, enter a short description of the host.

  4. Enter a time zone and clock skew, which is any variance from the time stamp on the main case file so Sleuth Kit tracks it separately in terms of any timestamps. This can be very important when reviewing multiple servers with different clock times.

  5. If you want, add the optional information requested.

  6. Click on Add Host to add the host and go back to the Case Gallery.

  7. Follow this procedure for each host you have data on.

Adding an Image

You now need to add any data images for the hosts you have created. Use the copy of data you created using dd, Norton Ghost, or some other data replication utility.

  1. Select the host from the Host Gallery screen and click OK.

  2. Click on Add Image. The Add a New Image screen displays (see Figure 11.4).

    Figure 11.4. Add a New Image Screen


  3. Enter the location and details of your image file. You have the option of copying the file into that host directory in your evidence locker or just creating a symbolic link to it. Be careful when moving your image files around too much, especially larger files, as this can cause data loss if a problem occurs during transfer.

  4. Choose the file system type. This determines how Sleuth Kit looks at the data in the image.

  5. Sleuth Kit automatically creates a hash file for you. You can check the validity of the hash against the data in the file at any time. This vastly increases the legitimacy of your efforts in a court of law.

  6. You can add multiple images to each host. For example, you might have had to break a large drive up into several image files. Click on Add Image to add the image and return to the Main Case Gallery.

Analyzing Your Data

Now you are finally ready to begin your analysis. This may seem like a lot of setup work, but you will appreciate Sleuth Kit when you have a large number of images to manipulate or when you have to be able to produce a certain piece of data quickly. Go to the Image Gallery and click on the image you want to analyze. Table 11.5 lists the types of analysis you can perform on data images.

Table 11.5. Sleuth Kit Analysis Types

Analysis Types


File Analysis

Shows the image as files and directories that the file system would see. Using this, you can also see files and folders that might normally be hidden by the operating system.

Keyword Search

Lets you search the entire image for certain keywords. This is useful if you are after a certain program file or even the mention of particular thing. Lawyers often use this type of feature when searching for incriminating evidence of wrongdoing on a person's hard drive. It can help find a needle in a haystack quite quickly (see Figure 11.5).

File Type

Sorts all the files by type or searches for a specific file type. This comes in handy if you are looking for all instances of a particular type of file, such all JPEGs or all MP3 files.

Image Details

Displays all the details on the image you are examining. This can be useful in data recovery jobs when you need to know where the data is physically laid out.


Shows you the underlying directory and file structures in your image. This can be used to find deleted content and see other items the file system doesn't normally show you.

Data Unit

Lets you delve deeper into any file you have found and look at the actual file content, either in ASCII or hex.

Figure 11.5. Results of Keyword Search


Sleuth Kit with Autopsy Forensic Browser gives you a powerful tool for organizing and analyzing forensic data that is on par with any professional lab in the country. This section has covered some of the basic functions, but whole books could be written about this great tool. Many commands and functions are not covered here. Read the online manual and other resources on the Web site for more details. The site also offers a monthly newsletter with interesting articles and tips for those in the forensic field.

The Forensic Toolkit: A Collection of Forensic Tools for Windows

The Forensic Toolkit

Author/primary contact:

Foundstone, Inc.

Web site:


Windows NT, 2000, XP


Version 1.4 GPL, Version 2.0 Freeware

Versions reviewed:

1.4 GPL, 2.0 Freeware

The Forensic Toolkit is another great free program from the folks at Foundstone. This collection of tools can help you examine Window-based file systems and gather information for your forensic investigation. Version 1.4 of the program is fully open source licensed under the GPL. Version 2.0 is freeware and is usable for commercial purposes, but it has limitations on adding or changing the program and is not currently available in source form.

Note that these tools work only on NTFS file systems. If you want to examine any FAT32 partitions, you will have to use different tools.

Installing Forensic Toolkit

  1. Download the appropriate file from the Web site (either version 1.4 or 2.0, depending on whether you want the full open source version or not).

  2. Unzip the file into its own directory. This completes the installation.

Using Forensic Toolkit

The tools consist of various command line utilities that generate various statistics and information on the file system in question. To execute a command, open up a command line window and type it (you must be in the appropriate directory). The following sections describe the individual tools.


This utility searches for files by their access time. It does this without modifying any file access information, as the normal Windows utilities do. The basic format is:

afind search_directory options

where you replace search_directory with the directory to search and replace options with the appropriate search options. Table 11.6 lists the basic options.

Table 11.6. Basic Afind Search Options



-f filename

Gives the access time information for filename.

-s X

Finds files that were accessed within X seconds.

-m X

Finds files that were accessed within X minutes.

-d X

Finds files that were accessed within X days.

-a d/m/y-h:m:s

Finds files that were accessed after the date and time indicated.


This tool finds hidden files in the Windows operating system. It shows files that have the hidden attribute bit turned on and those hidden using the Windows NT special directory/system attribute method. The format is:

hfind path

where path is replaced with the path you want to search. It lists the hidden files and their last date and time of access. Be careful of searching the whole hard drive as this could take a while.


This tool finds hidden datastreams on the hard disk. These are different from hidden files in that they won't be seen on the hard disk when you click on the option to view hidden files. Hidden datastreams are an NTFS feature that allows certain programs to access alternate datastreams. The files are linked to a parent file, which is visible, but may not be deleted when the file system deletes the parent file. They may be used to hide data or malware. The format of the sfind command is:

sfind path

where path is the path you want to search. Again, this may take quite some time if you are searching the root directory of a large drive.


This command creates a full listing of file attributes, including security information. It only works on one file at a time. You can pipe the output into a text file for further processing. This command generates quite a lot of information, including a lot of file descriptor information you don't normally see. Listing 11.5 shows a sample of this information for a file called test.txt.

Listing 11.5. FileStat Output

Creation Time - 01/10/2004  03:18:40

Last Mod Time - 01/10/2004  03:18:40

Last Access Time - 01/10/2004  03:18:40

Main File Size - 11

File Attrib Mask - Arch

Dump complete...Dumping C:\temp\test.txt...

SD is valid.

SD is 188 bytes long.


SD's Owner is Not NULL

SD's Owner-Defaulted flag is FALSE

  SID = TONYVPRDESKTOP/Tony Howlett   S-1-5-21--181663460ó

SD's Group-Defaulted flag is FALSE

  SID = TONYVPRDESKTOP/None   S-1-5-21--181663460--953405037-

SD's DACL is Present

SD's DACL-Defaulted flag is FALSE

    ACL has 4 ACE(s), 112 bytes used, 0 bytes free

    ACL revision is 2 == ACL_REVISION2

  SID = BUILTIN/Administrators   S-1-5-32-544


    ACE 0 size = 24

    ACE 0 flags = 0x00

    ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD




    ACE 1 size = 20

    ACE 1 flags = 0x00

    ACE 1 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

  SID = TONYVPRDESKTOP/Tony Howlett   S-1-5-21--181663460-


    ACE 2 size = 36

    ACE 2 flags = 0x00

    ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN

  SID = BUILTIN/Users   S-1-5-32-545


    ACE 3 size = 24

    ACE 3 flags = 0x00

    ACE 3 mask = 0x001200a9 -R -X

SD's SACL is Not Present

Stream 1:

  Type: Security

  Stream name = ??? ?  Size: 188

Stream 2:

  Type: Data

  Stream name = ??? ?  Size: 11

Stream 3:

  Type: Unknown

  Stream name = ??? ?  Size: 64


This tool can be used to generate a lot of information on a system using the Windows NULL session capabilities. Depending on the permissiveness of your system, it could generate significant information such as users lists, shares, and services running. The command takes the following format:

hunt system_name

where system_name represents the proper Windows host name of the system you want to run hunt on. Listing 11.6 represents an example of this output.

Listing 11.6. Hunt Output

share = IPC$ - Remote IPC

share = print$ - Printer Drivers

share = SharedDocs -

share = Printer3 - Acrobat Distiller

share = Printer2 - Acrobat PDFWriter

User = Administrator, , , Built-in account for administering the


Admin is TONYVPRDESKTOP\Administrator

User = Howlett, , ,

User = Guest, , , Built-in account for guest access to the


User = HelpAssistant, Remote Desktop Help Assistant Account,

  Account for Providing Remote Assistance

User = SUPPORT_388945a0, CN=Microsoft

  Corporation,L=Redmond,S=Washington,C=US, , This is a vendor's

  account for the Help and Support Service

User = Tony Howlett,

In this listing you can see two users you don't normally see in the User Accounts section on your Windows system: the HelpAssistant and SUPPORT users. These are system-level users for internal programs (the Remote assistance features and the annoying Notify Support feature that pops up every time a program bombs out). Other hidden users concealed by a skilled intruder could be revealed using this tool.

This chapter is not meant to be a comprehensive listing of all possible forensic tools, but these tools should give you enough to get started with basic forensic activity on just about any system. If you are doing this as a career or have an involved investigation, there are many other tools available. For a good listing of open source forensic tools, visit

    Previous Section  < Day Day Up >  Next Section