Monday, June 18, 2018

How to Explain Deleted Data: For Attorneys, Clients, Juries and More



I was recently asked by a colleague for an analogy to help them explain how it was possible to recover data that a user had deleted and then emptied from the Recycle Bin. The question reminded me that it’s easy to slip into the belief that everyone inherently knows how stuff works. Attending forensic training and conferences, we sometimes forget that what appears to us to be basic and simple can sound like Star Trek: The Next Generation’s well-known technobabble, e.g. “Increase the neutrino stream to the warp engine transducers”.

Completing reviews of digital data and finding new artifacts can be exhilarating for a forensic investigator. The feeling of accomplishment at finding the truth from the data is euphoric. That is the fun part. The truly difficult part comes when we have to explain the information verbally and in written form so that it is useful to those that need it most. The recipients can include management, clients, attorneys, judges, juries and more. These individuals may make life altering decisions based on their understanding of our work product.

A few of my own ideas came to mind, but it occurred to me that they were getting old and not very relatable. Many adults today have never used a library with a card catalog, let alone a cassette tape or a phone book. It was time to go to the #DFIR community for some fresh ideas. The community responded! 

(If you don’t follow #DFIR on Twitter, you are missing out on outstanding information sharing from some amazingly talented people in the industry)

There were some great ideas. For reference, I’ve listed all the suggestions and sources at the end of the blog. Among the comments was a critique that “The analogies are just as complicated as the technical explanation.” That is partly my concern as well. However, when people have an innate fear or resistance to technology, many times they can relate equally complex ideas from a world/experience they do understand.

@DFIRTraining had a very logical suggestion: “Choose the analogy that fits the audience. Someone who cooks can relate to a stovetop being RAM. The more burners (RAM) you have, the more you can cook (run) at the same time.” This is the idea that should drive your choice of how to explain a highly technical artifact to your audience. With this concept in mind, I chose a book and its table of contents. My intended recipient is an attorney. Attorneys are very familiar with books, tables of contents and indexes.

The Table of Contents (TOC) idea can be used in a simple or a more in-depth explanation. In simple terms, a book’s TOC can have an entry removed while the pages it references, text included, remain. A reader could scour the book for the undocumented chapter and read its contents.
Sometimes the case is more intricate. It may involve digital artifacts in slack space, or the original file’s metadata may be intact while the data has been partially or completely overwritten. I can still rely on this analogy. The same holds for most any analogy you choose. Just take some time to use your imagination and tailor it to your audience.

I made a sample TOC and a slide containing data “pages”. I can show the TOC entry marked for deletion and explain that at print time it’s hidden from the viewer, while the actual chapter and pages remain in the book. This demonstrates how the file’s metadata can be recovered. The next step would be to show that the TOC entry is needed for a new chapter in the book and is overwritten.
In another scenario, I could show how a replacement chapter overwrites part or all of a chapter that is no longer needed. This keeps the book at the same number of pages, just like a drive volume’s size, but demonstrates how the partial data could be found and that the original “deleted” TOC entry’s metadata could be found.

This starts to sound pretty complex, but when shown as a slide or multiple slides, a picture makes it much easier.
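The following Python model is an added example, not code from the original post: it implements the TOC-and-pages analogy as a tiny "book" file system. Deleting a chapter only flags its TOC entry; the pages keep their bytes until a new chapter is written over them, a short final chunk leaves the tail of a reused page behind (slack), and once the TOC slot itself is reused the name is gone and only carving for a known pattern in the unreferenced pages remains. The page size, chapter text and TOC slot count are constructed values.

```python
"""Toy 'book' model of deletion: a table of contents (file metadata) points at fixed-size
pages (data blocks). Deleting removes the TOC entry, not the pages. Added example."""
from dataclasses import dataclass

PAGE_SIZE = 16  # constructed: bytes per page (think cluster or sector)


@dataclass
class TocEntry:
    name: str
    pages: list            # page numbers the chapter occupies
    deleted: bool = False  # "marked for deletion": hidden from readers, still physically present


class Book:
    def __init__(self, n_pages: int, n_toc_slots: int):
        self.pages = [bytes(PAGE_SIZE) for _ in range(n_pages)]  # blank pages
        self.toc = [None] * n_toc_slots                           # fixed number of TOC slots

    def _live_pages(self) -> set:
        return {p for e in self.toc if e and not e.deleted for p in e.pages}

    def write(self, name: str, data: bytes) -> None:
        """Allocate pages not owned by a live chapter and copy data in one page at a time.
        A short final chunk leaves the old tail of that page untouched: that is slack space."""
        free = [p for p in range(len(self.pages)) if p not in self._live_pages()]
        needed = -(-len(data) // PAGE_SIZE)  # ceiling division
        if needed > len(free):
            raise ValueError("book is full")
        chosen = free[:needed]
        for i, p in enumerate(chosen):
            chunk = data[i * PAGE_SIZE:(i + 1) * PAGE_SIZE]
            self.pages[p] = chunk + self.pages[p][len(chunk):]
        # TOC slot: an empty one if available, otherwise a deleted entry's slot is reused,
        # at which point that chapter's metadata is gone for good.
        slot = next((i for i, e in enumerate(self.toc) if e is None), None)
        if slot is None:
            slot = next((i for i, e in enumerate(self.toc) if e.deleted), None)
        if slot is None:
            raise ValueError("table of contents is full")
        self.toc[slot] = TocEntry(name, chosen)

    def delete(self, name: str) -> None:
        for e in self.toc:
            if e and e.name == name and not e.deleted:
                e.deleted = True
                return
        raise KeyError(name)

    def visible(self) -> list:
        """What a normal reader (or the operating system) shows: live entries only."""
        return [e.name for e in self.toc if e and not e.deleted]

    def recover_by_metadata(self) -> dict:
        """Deleted entries whose metadata survives: the name plus whatever the pages hold now
        (intact, partially overwritten, or fully overwritten)."""
        return {e.name: b"".join(self.pages[p] for p in e.pages)
                for e in self.toc if e and e.deleted}

    def carve(self, marker: bytes) -> list:
        """No metadata at all: scan pages not owned by a live chapter for a known byte pattern,
        the way a file carver looks for file headers in unallocated space."""
        live = self._live_pages()
        return [p for p in range(len(self.pages)) if p not in live and marker in self.pages[p]]


def walkthrough() -> dict:
    """The three slides described in the post, as data: delete, partial overwrite, metadata overwrite."""
    book = Book(n_pages=4, n_toc_slots=2)
    original = b"THE QUICK BROWN FOX JUMPS OVER A LAZY DOG"  # constructed chapter text (41 bytes, 3 pages)
    book.write("chapter1", original)
    book.delete("chapter1")
    after_delete = {
        "visible": book.visible(),
        "recovered": book.recover_by_metadata()["chapter1"].rstrip(b"\x00"),
    }
    book.write("chapter2", b"NEW TEXT")  # reuses page 0; the rest of page 0 is slack from chapter1
    after_partial_overwrite = {
        "page0": book.pages[0],
        "recovered": book.recover_by_metadata()["chapter1"].rstrip(b"\x00"),
    }
    book.write("chapter3", b"MORE")  # no empty TOC slot left: chapter1's entry is overwritten
    after_metadata_overwrite = {
        "recoverable_by_metadata": sorted(book.recover_by_metadata()),
        "carved_pages": book.carve(b"LAZY DOG"),
    }
    return {"after_delete": after_delete,
            "after_partial_overwrite": after_partial_overwrite,
            "after_metadata_overwrite": after_metadata_overwrite}


if __name__ == "__main__":
    for stage, result in walkthrough().items():
        print(stage, result)
```

Run it and the three stages line up with the three slides: after the delete the reader sees nothing but the full chapter is recoverable from the flagged entry; after chapter2 lands on page 0 the entry still points at the pages but the text now starts with the new chapter and carries its slack; after chapter3 takes the TOC slot there is no entry left, and only carving for a known pattern finds the surviving page.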





The Point

The overall takeaway is that, like most things in digital forensics, the answer is “it depends”. Know your audience, understand their perceptions and tailor your explanation and reports to them.


Sources:


Stacey (@4n6woman)
Throwing things into the trash can. As the bag fills up, it’s harder to pull the item out. Recovery can vary based on if the bag is empty, full, in your kitchen, in the dumpster by the road, taken by the garbage collector, or sitting at the landfill.
Also varies based on what goes on top of the item in the bag. If it’s all paper, relatively simple recovery. If it’s paper and then you cover it with spaghetti sauce, little more difficult. If burned trash, not recoverable.
Scott (@scottforensics)
My go-to is using the comparison of a hard drive and a book with a table of contents.  I can expand on that if needed...

So... when a file is created, it tells the table of contents, I need ten pages for this file. The TOC gives the system ten pages. When the file is deleted, the TOC deletes the file name but the ten pages containing that file remain intact and can still be read if you flip to those pages, even though there is no record in the TOC. Once the TOC needs those ten pages for a new file, the TOC grants some or all of the pages to the new file.
I think I heard it on @ovie ‘s CyberSpeak forensic podcast. It resonated with me & I’ve used it ever since. If it wasn’t him, it was definitely someone else on a podcast ~7 or 8 years ago.
Santiago Ayala (@darthsaac)
For a Windows environment I have used a diary and an index. The index is the MFT, the files are pages. If you write page 2, you add an index. The deletion process only removes the index entry and allows the page to be overwritten. The new paragraph may not completely overwrite the old one. In that case, you can explain slack space also.

@DFIRTraining
Choose the analogy that fits the audience. Someone who cooks can relate to a stovetop being RAM. The more burners (RAM) you have, the more you can cook (run) at the same time.
Vern (@malanalysis)
Neighborhoods: If you just take the address numbers off all the houses, the houses are still there and can be found and readdressed. If you destroy the houses they cannot be recovered.
Richard Harman (@xabean)
Hard drives are dry-erase boards, with stuck-on dry-erase marker that doesn't completely come off when you erase it. You can write over top of it though!
It's a bit oversimplified, but I think it *begins* the discussion to get into the technical details.
Alternatively to describe the importance of a MFT/FAT/TOC/whatever: mentally visualize a jigsaw puzzle. The box it comes in shows what order the pieces are in, right? Now viz the same puzzle, no box showing what it's SUPPOSED to be, and all the pieces are perfect squares.
Puzzle can be reassembled in any order to show anything.  Or you can mix in a *completely different* puzzle's pieces (showing interleaving of data).
Andrew Hay (@andrewsmhay)
Paper shredders. Strip-Cut vs. Cross-Cut vs. Micro-Cut
Madeye Moddy (@madeye_c3t)
You can checkout of a hotel room but still be in the room until the next guest arrives.
Troy Schnack (@troyschnack)
The computer stores data similar to a grid of PO Boxes like at Mail Boxes Etc. What happens if you cancel your box rental while there is mail still in the box? The box has no name or association with an address or person, but the boxes can be manually inventoried and the mail found. Or, to more closely compare to a computer, the mail isn't removed until the PO Box number is used for a new rental customer or "filename".


Tuesday, June 5, 2018




Quick Tip on Reviewing Report/Discovery PDFs


Acrobat Document Scrolling Settings:
Changing Acrobat so that documents are automatically set to Single Page Scrolling view as default


This isn't my typical forensics blog, but I'm sure I'm not the only one that reviews numerous pages of reports/discovery before performing a forensic examination. If you are not reviewing reports prior to an exam, how do you know what you are looking for?

I've always been annoyed by the default view in Acrobat: trying to scroll through a PDF and having it jump to the next page while I'm still reading the bottom of the previous one. I seemed to waste time changing the Page Display setting under View to continuous scrolling every time. Not only does this make it easier to read, it also makes scrolling through an OCR'd PDF faster. This is especially true when scrolling with a wheel mouse, touchpad or touchscreen computer.



1. Open Adobe Acrobat

2. Go to Edit | Preferences

3. Select Page Display in the left column and change Page Layout to Automatic

4. Select Accessibility in the left column and change Always use Page Layout Style to Single Page Continuous



Thursday, April 12, 2018

FB Messenger App (Android) Media Files Share Tracking


In past blog posts, I've stressed the importance of testing and validating information. This post is no different. It's imperative that, as digital forensic investigators, we test apps from the user's perspective and then analyze what happens to the data behind the scenes.

I recently had a case which featured a specific media file artifact located in the "fb_temp" folder of the Facebook Messenger app. At first glance, the assumption would be that the user must have sent this media to someone using the app. But we all know what happens when we assume.

Below is the testing I conducted and the information I found that can help you track whether files or media were actually shared in the app and when.

FACEBOOK MESSENGER TESTING METHODOLOGY

A video was located in the Facebook Messenger app’s fb_temp folder on an Android phone. Since “temp” denotes a temporary folder, it was necessary to test Facebook Messenger (FBM) on an Android device to ascertain what user actions create these files.

STEP 1
This first step tested whether a file was created and remained in the fb_temp folder if a video was recorded but not sent.

FBM was opened on an Android phone and signed into the Federal Public Defender Facebook account. A video recording was started on the device of a Star Wars poster. Once finished, the video was saved to the phone’s movies folder. The FBM video recording screen was then exited and never sent as a message.

This video test from FBM was completed on 3/19/2018 @ 1:35 pm (13:35).

STEP 2
The second step tested creating a video in FBM and sending it as a message.

FBM was opened on the same Android phone and signed into the same account as Step 1. A video recording was started on the device of a red Star Wars calendar. The video was then sent to a staff member’s Facebook account through FBM.  This was completed on 3/19/2017 @ 2:55 pm (14:55).

The video was not saved to the phone’s movies folder.

TESTING NOTE
During Step 2 testing, an attempt was made to send the previously made video in Step 1. FBM did not show that the previously unsent video existed. This indicates that if a user were to create a video or photo and not share it, all subsequent messages would not have access to send or share the video or photo. When a user creates a video and doesn’t share it, they will not be able to share or access that video any time in the future.

TESTING / VALIDATION FORENSIC ANALYSIS

The Android phone was then placed in Airplane Mode to disable all communications. Cellebrite’s UFED was used to perform a physical forensic image of the device. The forensic image was then analyzed using two separate tools to validate the data: Cellebrite’s Physical Analyzer and Magnet Forensics AXIOM.

VIDEO CREATION ANALYSIS
Both the video created but not shared and the video that was shared were found in FBM’s fb_temp folder. Each video file carried the date/time it was created. There was no difference in filename syntax or file location between the video that was shared and the video that was not.
Additionally, a second copy of Step 1’s video was found in the phone’s movies folder. This was expected since Step 1 included saving the video to the phone.


This testing demonstrates that the mere presence of a video or photo digital artifact found in FBM’s fb_temp folder is not an indication that the file was sent or shared.

FACEBOOK MESSENGER CONVERSATION DATABASE ANALYSIS
FBM also keeps a log of messages or conversations in a database. This digital artifact can be used to view past conversations including sending or receiving attachments. It also includes the date/time of each message.

The conversation on the test phone used to send the video from Step 2 was extracted and reviewed. It does indeed show that a video was sent during the FBM chat. It does not show the creation or other evidence of the video created in Step 1 since that video was never shared.



CONCLUSION

This testing demonstrates that to verify if a video or photo was shared using FBM, the conversation data must be extracted and analyzed.

Sunday, March 11, 2018

Timelines in P2P Forensic Cases



2018-03-11
Troy Schnack

Creating a timeline of activity in a digital forensic (4n6) case can be vitally important to the ultimate goal of placing a person at the scene. In criminal 4n6 cases, the investigator, whether law enforcement or defense, is tasked with putting a “butt in the seat”. This blog is intended to help avoid the many misconceptions regarding dates / times (DT) seen on reports from both sides. We’ve all spent countless hours gathering various artifacts and combining the data into a timeline. I’ve used my past mistakes and testing to help you avoid the same errors.

The sole intent of this blog is to help find the truth. Information and technology are continually changing. Please feel free to identify any incorrect conclusions or other errors on my part, as I’m always excited to learn. Brett Shavers (Blog) and others have written about our innate need to solve problems and the processes we can employ. 4n6 investigators use information gathered not only from the digital device’s data, but from interviews, cell location, field investigator reports and other sources to achieve this goal.

The reason for identification of the “butt in the seat” for law enforcement is clear. The same need also applies to the defense. If the evidence shows that the defendant was at the keyboard, it is important that the client is made aware of the evidence against them. Taking a plea rather than risking an enhanced sentence by going to trial could be the best result for the defendant. There is also always the possibility that the defendant was not responsible.

Peer-to-Peer (P2P) programs are not as prevalent as they once were. Ares, eMule, Gigatribe, BitTorrent and others still show up in cases from time to time. There has been a vast resource of white papers, blogs and presentations on many of these programs and how to find and decode their respective artifacts. These resources are too plentiful to list here, but can be found easily with a Google search.

The examples, concepts and information in this blog will focus mainly on Ares P2P artifacts since it is fresh in my mind from a recent case. However, the concepts are applicable to most other P2P investigations and downloads.

The number one confusion I have seen in reports and that I myself have fallen into is the DT the P2P download was initiated. This specific artifact is critical when building a timeline of activity to compare with other activity found on the device. The Holy Grail is seeing a contraband download started near a person checking their personal webmail or using an identifiable login name into social media, shopping or other web site.

The problem, in my opinion, is the labeling used by most forensic tools when listing information carved from the P2P program’s database (DB). For example, when viewing Ares download artifacts, there will be a column labeled “Downloaded Date/Time”. It is similarly named in multiple tools, from IEF/AXIOM and the EnCase Ares EnScript to other Ares DAT file descriptors. The label can be misleading to investigators who have not tested Ares or other P2P programs.

NOTE: This reinforces the mantra heard at every forensic training class I’ve ever attended. TEST YOUR RESULTS. You don’t have to be the world’s leading expert on NTFS or other file systems to perform simple DT testing.

The download DT in these DBs is actually when the download completed. The P2P programs record this information once the download has finished. Completed DTs are not useful for building timelines of activity for multiple reasons. P2P networks are notorious for being slow based on the availability of the file from multiple sources, the source’s bandwidth availability and most importantly if the source remains online. All these factors can cause a small MP3 file to take hours or days to complete. As seen in many cases, some files remain “incomplete” because the download source never reappeared.

The only reliable way to determine when the file download was initiated is the file’s Creation DT. To easily test this, go to the Internet and download a file. Once it’s finished, compare its Creation and Modified dates in the file system. You will immediately note that the difference between the two is the time it took your system to complete the download. The same file system DT recording applies to P2P downloads as well.

Example Download using Chrome

The downloaded file’s created and modified DT, showing it took 11 minutes to complete


Once you understand this relationship, the next thing that will become apparent is that the modified DT from the file system will match the “Downloaded Date / Time” from Ares DB.

This then means that the actual file downloaded will need to be located on the file system to obtain the creation DT to record the specific DT the file download was started. Don’t just look in the shared folder. The Recycle Bin is a great place to find these files as well. The Recycle Bin file artifacts will keep the original creation DT from the file when it was “deleted” by the user.

Example File from Recycle Bin Creation DT

| Filename | File Created |
|----------|--------------|
| 21 jump street 2012 dvdrip latino xvid.avi | 11/23/2012 11:43:10 AM |


Sample Ares DB Record


As you can see, the video download took Ares over 10 hours to complete. That’s a big difference in time and can have a dramatic effect when building an activity timeline and comparing it to other user activity on the system.

What if the downloaded file no longer exists? There are still some possibilities to at least narrow down the time the download was initiated. I had a case recently where a download was completed 30 minutes after Ares was installed. This would indicate that the download was started sometime between the Ares install and the downloaded file’s completion. If there is no other information, all that can be determined is that the download process was started sometime between the install of the P2P program and the file’s “Downloaded Date / Time”.

Another option is the incomplete download mentioned earlier. Ares and other P2P programs also track these files. The difference is that they track download started DT unlike completed files.
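Here is the reasoning above written out as code. It is an added example, not part of the original post or any tool's output: a download's start is the file's Creation DT when the file can still be found (shared folder or Recycle Bin), and only a window between the P2P program's install DT and the "Downloaded Date/Time" when it cannot, and a timeline should carry the start rather than the completion. The filename and Creation DT come from the Recycle Bin example above; the Downloaded DT, the second (missing) file, the install DT and the webmail event are constructed.

```python
"""Download start vs. completion in a P2P timeline. Added example with constructed sample values."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

DT_FMT = "%m/%d/%Y %I:%M:%S %p"  # the date/time style the tools above display


def parse_dt(text: str) -> datetime:
    return datetime.strptime(text, DT_FMT)


@dataclass
class P2PDownload:
    filename: str
    completed: datetime                           # "Downloaded Date/Time" from the P2P DB: when it finished
    fs_created: Optional[datetime] = None         # Creation DT of the file (shared folder or Recycle Bin), if found
    program_installed: Optional[datetime] = None  # install DT of the P2P program, for the fallback case


@dataclass
class StartWindow:
    earliest: Optional[datetime]  # None when nothing bounds the start from below
    latest: datetime
    basis: str                    # which artifact the window rests on, for the report


def download_start_window(d: P2PDownload) -> StartWindow:
    """When was the download started? The file's Creation DT gives it exactly; if the file is gone,
    the best that can be said is 'between the program's install and the Downloaded DT'."""
    if d.fs_created is not None:
        if d.fs_created > d.completed:
            raise ValueError(f"{d.filename}: Creation DT is after the Downloaded DT; check time zones")
        return StartWindow(d.fs_created, d.fs_created, "file system Creation DT")
    if d.program_installed is not None:
        return StartWindow(d.program_installed, d.completed, "between P2P install DT and Downloaded DT")
    return StartWindow(None, d.completed, "start unknown; Downloaded DT is only an upper bound")


def download_duration(d: P2PDownload) -> Optional[timedelta]:
    """Completed minus created: how long the P2P transfer actually took."""
    return None if d.fs_created is None else d.completed - d.fs_created


@dataclass
class Event:
    when: datetime
    source: str
    description: str


def build_timeline(downloads: List[P2PDownload], other_activity: List[Event]) -> List[Event]:
    """Merge download start (never just completion) with other user activity and sort by time.
    A download whose start is only bounded contributes the two bracketing events instead of one."""
    events = list(other_activity)
    for d in downloads:
        w = download_start_window(d)
        if w.earliest == w.latest:
            events.append(Event(w.earliest, "P2P", f"download started: {d.filename} ({w.basis})"))
        else:
            if w.earliest is not None:
                events.append(Event(w.earliest, "P2P",
                                    f"download of {d.filename} started after this point ({w.basis})"))
            events.append(Event(w.latest, "P2P",
                                f"download of {d.filename} started before this point ({w.basis})"))
        events.append(Event(d.completed, "P2P", f"download completed: {d.filename}"))
    return sorted(events, key=lambda e: e.when)  # stable sort keeps insertion order for equal times


def sample_case() -> List[Event]:
    """Constructed sample: the Recycle Bin file from the post with a made-up Downloaded DT a little over
    ten hours later, a second file that no longer exists, and a webmail login for comparison."""
    downloads = [
        P2PDownload("21 jump street 2012 dvdrip latino xvid.avi",
                    completed=parse_dt("11/23/2012 10:05:33 PM"),      # constructed
                    fs_created=parse_dt("11/23/2012 11:43:10 AM")),    # Recycle Bin example above
        P2PDownload("missing_file.avi",                                # constructed: file not on the system
                    completed=parse_dt("11/23/2012 09:45:00 AM"),
                    program_installed=parse_dt("11/23/2012 09:15:00 AM")),
    ]
    other = [Event(parse_dt("11/23/2012 11:40:02 AM"), "web history", "webmail login (constructed)")]
    return build_timeline(downloads, other)


if __name__ == "__main__":
    for e in sample_case():
        print(e.when.strftime(DT_FMT), e.source.ljust(12), e.description)
```

In the sample, the webmail login at 11:40 sits three minutes before the download started at 11:43, but more than ten hours before the "Downloaded Date/Time"; a timeline built on the completion alone would not show those two events together at all.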

The important thing to remember is to interpret the data correctly when reporting on the evidence. No one enjoys having their findings called into question. However, I’ve found learning from mistakes is sometimes how I learn best.


Friday, November 10, 2017

One is Silver and the other Gold

Working cases this last week, an old song we sang as kids at summer camp has been on my mind.
The lyrics were something like this:

              Make new friends, but keep the old
              One is silver and the other gold

This same sentiment should be applied to the forensic world as well. Rephrasing to:

              Find new artifacts, but keep the old
              One is silver and the other gold

The recent cases I’ve worked have included new mobile tech we all need to know and learn. The thing is, it almost always includes PCs as well. Many times it also includes some kind of P2P program, from Ares and eMule to BitTorrent. Without fail, I continue to lean on the basic forensic knowledge I learned all those years ago in my first forensic training course in 2002.

Basic metadata like OS file dates/times cannot be properly interpreted without knowing the version of Windows running on the system (e.g. Last Accessed after Windows XP). Foundational information like this, gathered from the Windows Registry, is paramount. Just about every forensic tool on the market can parse and produce this information. The important thing to remember is that, as forensic analysts, we use this type of Gold artifact to make sure our conclusions are correct and have the proper foundation.

We’ve all learned a lot about Shell Bags and Jump Lists. These are fantastic new resources to use during investigations. I would consider these the Silver artifacts that are so important in our industry to continue to learn about as systems change and evolve. What we don’t want to forget are the Gold artifacts that can be used to verify our findings. A great example that’s been around for years is the Internet Explorer (IE) history. Remember that IE tracks file and folder browsing as part of its history database. Even in Windows 10, filtering for “file:///” can give you not only files and folders opened, but also last accessed dates/times and number of times viewed. All while giving this information per user on the system. Just another Gold artifact I learned many years ago that continues to provide me great information.

It's important to keep in mind that Silver is also rare and desired. The sharing of new information and artifacts MUST continue and is VERY valuable to the community. Please keep that information coming! For all of us, new and veteran, it’s important not to forget the Gold artifacts that can be the foundation that you build your case on. When writing reports and explaining your findings, it’s important to educate your audience on these foundational artifacts and how they verify the more ancillary data that all the new scripts and tools provide.

Keep learning, keep sharing and go get that data!

Wednesday, October 18, 2017

Hide It Pro App Forensics - Android


Welcome to my first blog post. Following #DFIR on Twitter has convinced me it's about time I started sharing some information with the community. Luckily, I ran across some good info during a recent investigation. I hope the data below saves someone else a lot of time if you run across this app during your own investigations.

I came across some questionable images on an Android phone. The problem was, they were located in a folder that I wasn't familiar with. 

ProgramData\Android\Language\.fr\Pictures

Like many forensicators, not knowing is maddening. Using the all-powerful Google, I found a clue as to the app the images came from. Thanks to  and his post , I found out the odd folder was created by the Google Play app Hide It Pro.



It is very important to understand how an app works and is viewed by a user before digging into the bits behind the curtain. If you don't understand how an app functions for a user, the underlying data can be misinterpreted. 

The path to Language\.fr has NO bearing on the phone's language choice. This folder is used for obfuscation. In all testing, the installation used this specific folder to store the data.


The Hide It Pro app camouflages itself when installed as Audio Manager.



NOTE: The underlying folder structure shown later including SQLite DB files, sub-folders for Pictures, Videos and etc DO NOT get created upon the app's installation. Only after the app is first opened and configured do these folders get created.

When the user opens the app initially, it displays a prompt on how to access the hidden data. It then requests a PIN or password to be entered, followed by a recovery e-mail address. I've included screenshots of this process including the PIN and e-mail address I used for reference later when analyzing the data stored on the device.
Once set up, the user holds down the "Audio Manager" logo, enters their PIN/password and the true app is revealed.
The app allows the user to add photos, video, audio into the folders from the phone's gallery. SMS texting is also available with an add-on app which allows the user to create a hidden contact list and communicate via SMS without having the data be seen by the device's default texting app. Notes can also be made here away from prying eyes.

Let's now look at how to view all this data from a forensic examination. All the data reviewed below can be accessed via a logical image of the phone. A physical image isn't necessary to investigate this app. I tested this using Magnet ACQUIRE to obtain a logical ADB backup of the test device.

The first artifact to look for is the file com.hideitpro_preferences.xml located in apps/com.hideitpro/sp/ folder. The XML contains either the PIN or password set by the user in plain text. It also includes the recovery e-mail address. The XML from my test device is shown below.

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="lockType">pin</string>
    <string name="pin">1234</string>
    <boolean name="setupCompleted" value="true" />
    <boolean name="fingerprint" value="false" />
    <int name="locktype" value="5" />
    <boolean name="lsup" value="false" />
    <string name="ve">0!true:1!true:2!true:3!true:4!true:5!true:6!true:7!true:8!true:9!true:10!true:11!true:</string>
    <string name="recoveryEmail">troyschnack@gmail.com</string>
    <int name="launchCount" value="1" />
</map>

The remaining artifacts are located in the ProgramData\Android\Language\.fr\ folder. 
Exploring the Audio, Pictures and Videos folders will reveal their contents. However, we want to know when and where the data came from. For that information, the SQLite DB files are the key. I used Sanderson Forensics SQLite Browser for the analysis. Photos added to the app are simply copied from their current location. If the user does not delete the original photo, it will remain. Photos with no path indicate that the photo was copied from the phone's default photo storage rather than a subfolder.

The first DB file to review is sys. The sys DB contains the following fields and, from my test device, these rows (cells left blank here were empty in the extraction):

| id | album | title | filename | originalPath | added | dateTaken | size | type | duration | rot | ord | latitude | longitude |
|----|-------|-------|----------|--------------|-------|-----------|------|------|----------|-----|-----|----------|-----------|
| 1 | New Album | Screenshot_2017-10-17-06-15-22.png | Screenshot_2017-10-17-06-15-22.png | | 10/17/2017 11:15:25 AM | | 1173568 | 1 | | | | | |
| 2 | New Album | stanza-art-fortuna.jpg | stanza-art-fortuna.jpg | | 10/17/2017 11:14:44 AM | | 139139 | 1 | | | | | |
| 3 | New Album | Screenshot_2017-10-17-06-15-05.png | Screenshot_2017-10-17-06-15-05.png | | 10/17/2017 11:15:08 AM | | 2350615 | 1 | | | | | |
| 4 | Messages | Screenshot_2017-02-16-14-46-28.png | Screenshot_2017-02-16-14-46-28.png | | 10/17/2017 11:07:40 AM | | 77911 | 1 | | | | | |
| 5 | New Album | Screenshot_2017-10-17-06-15-22 | U2NyZWVuc2hvdF8yMDE3LTEwLTE3LTA2LTE1LTIyLnBuZw==~ | Pictures/Screenshots | 10/17/2017 11:16:30 AM | 10/17/2017 11:15:25 AM | 1173568 | 1 | 0 | 0 | 0 | 0 | |
| 6 | New Album | stanza-art-fortuna | c3RhbnphLWFydC1mb3J0dW5hLmpwZw==~ | Download | 10/17/2017 11:16:30 AM | 10/17/2017 11:14:45 AM | 139139 | 1 | 0 | 0 | 0 | 0 | |
| 7 | New Album | Screenshot_2017-10-17-06-15-05 | U2NyZWVuc2hvdF8yMDE3LTEwLTE3LTA2LTE1LTA1LnBuZw==~ | Pictures/Screenshots | 10/17/2017 11:16:30 AM | 10/17/2017 11:15:08 AM | 2350615 | 1 | 0 | 0 | 0 | 0 | |
| 8 | New Album | 20171017_062143 | 20171017_062143.mp4 | DCIM/Camera | 10/17/2017 11:22:28 AM | 10/17/2017 11:21:53 AM | 18006499 | 2 | 8640 | 0 | 0 | | |


The "added" column uses Unix milliseconds while "dateTaken" uses Unix seconds. If the file was copied from a sub-folder on the phone (e.g. Pictures, Download), the originalPath column is populated in this table.
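As an added example (not code from the original post or from the app), here is a short Python routine that opens a sys table like the one above, decodes the filename column and converts the two timestamp formats to UTC. The decoding is an observation from the table values rather than something the post states: in rows 5 through 7 the filename cell is the original file name in base64 with a trailing "~" (U2NyZWVuc2hvdF8yMDE3LTEwLTE3LTA2LTE1LTIyLnBuZw==~ decodes to Screenshot_2017-10-17-06-15-22.png), while other rows hold the plain name. The sample rows and their epoch values are constructed, since the tool above displayed local times rather than raw epochs; the photo/video meaning of type 1/2 is inferred from the sample rows. The same millisecond conversion applies to the added column of the aqua tables and the created/updated columns of notes.db.

```python
"""Read a Hide It Pro 'sys' table: decode stored filenames, convert epochs to UTC. Added example."""
import base64
import sqlite3
from datetime import datetime, timezone
from typing import List, Optional


def decode_hidden_filename(stored: str) -> str:
    """Rows with a trailing '~' hold base64 of the original name (observed in the sample rows);
    rows without it hold the plain name and are returned unchanged."""
    if not stored.endswith("~"):
        return stored
    return base64.b64decode(stored[:-1]).decode("utf-8")


def to_utc(value: Optional[int], unit: str) -> Optional[datetime]:
    """Unix epoch -> aware UTC datetime. 'ms' for sys.added (and aqua/notes), 's' for sys.dateTaken."""
    if value is None or value == 0:
        return None
    secs = value / 1000 if unit == "ms" else value
    return datetime.fromtimestamp(secs, tz=timezone.utc)


SYS_SCHEMA = """CREATE TABLE sys (id INTEGER, album TEXT, title TEXT, filename TEXT, originalPath TEXT,
  added INTEGER, dateTaken INTEGER, size INTEGER, type INTEGER, duration INTEGER, rot INTEGER,
  ord INTEGER, latitude REAL, longitude REAL)"""

# Constructed sample rows: column names from the post; epoch values are made up (UTC), not the device's.
SAMPLE_ROWS = [
    (1, "New Album", "Screenshot_2017-10-17-06-15-22.png", "Screenshot_2017-10-17-06-15-22.png",
     None, 1508238925000, None, 1173568, 1, None, None, None, None, None),
    (5, "New Album", "Screenshot_2017-10-17-06-15-22", "U2NyZWVuc2hvdF8yMDE3LTEwLTE3LTA2LTE1LTIyLnBuZw==~",
     "Pictures/Screenshots", 1508238990000, 1508238925, 1173568, 1, 0, 0, 0, 0.0, 0.0),
    (6, "New Album", "stanza-art-fortuna", "c3RhbnphLWFydC1mb3J0dW5hLmpwZw==~",
     "Download", 1508238990000, 1508238885, 139139, 1, 0, 0, 0, 0.0, 0.0),
    (8, "New Album", "20171017_062143", "20171017_062143.mp4",
     "DCIM/Camera", 1508239348000, 1508239313, 18006499, 2, 8640, 0, 0, None, None),
]


def load_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the sys DB pulled from the Language\\.fr folder."""
    con = sqlite3.connect(":memory:")
    con.execute(SYS_SCHEMA)
    con.executemany("INSERT INTO sys VALUES (" + ",".join("?" * 14) + ")", SAMPLE_ROWS)
    return con


def list_hidden_media(con: sqlite3.Connection) -> List[dict]:
    """One record per hidden file: decoded name, where it was copied from, and UTC times."""
    out = []
    query = ("SELECT id, album, filename, originalPath, added, dateTaken, size, type, duration "
             "FROM sys ORDER BY id")
    for id_, album, fname, path, added, taken, size, type_, duration in con.execute(query):
        added_dt = to_utc(added, "ms")
        taken_dt = to_utc(taken, "s")
        out.append({
            "id": id_,
            "album": album,
            "filename": decode_hidden_filename(fname),
            # empty originalPath = copied from the phone's default photo storage (per the post)
            "source": path or "<default photo storage>",
            "added_utc": added_dt.isoformat() if added_dt else None,
            "taken_utc": taken_dt.isoformat() if taken_dt else None,
            "kind": {1: "photo", 2: "video"}.get(type_, f"type {type_}"),  # inferred from sample rows
            "size": size,
            "duration_ms": duration,
        })
    return out


if __name__ == "__main__":
    for rec in list_hidden_media(load_sample_db()):
        print(rec)
```

Point the same two helpers at the real sys, aqua and notes DBs by replacing load_sample_db with sqlite3.connect on the extracted file; the epochs are stored as integers, so converting them yourself is a quick way to validate the local times a forensic tool displays.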

The aqua DB will only be present if the user sent SMS texts, made a call or created a contact. All three tables exist inside the aqua DB. The same goes for the notes.db which will only exist if the user created notes.

aqua SMS table structure - added Unix mSecs

| id | uid | sms_subject | sms_body | type | seen | added |
|----|-----|-------------|----------|------|------|-------|
| 1 | 1 | | test sms 1 | 8 | 1 | 10/17/2017 11:06:53 AM |
| 2 | 1 | | test sms 2 | 8 | 1 | 10/17/2017 11:07:03 AM |

aqua Blacklist (contacts) table structure - added Unix mSecs

| phoneFormatted | id | phone | name | hide_sms | hide_call_log | block_incoming_calls | block_outgoing_calls | showSMSNotification | showCallNotification | last_sms_received | added |
|----------------|----|-------|------|----------|---------------|----------------------|----------------------|---------------------|----------------------|-------------------|-------|
| 816-200-xxxx | 1 | 816200xxxx | Test Person | 1 | 0 | 0 | 0 | 1 | 0 | 0 | 10/17/2017 11:06:39 AM |

Sorry, I'm not sharing my cell number :-)

notes.db table structure - created and updated Unix mSecs

| id | title | text | meta | type | created | updated |
|----|-------|------|------|------|---------|---------|
| 1 | Test note 1 | Test note 1 | | 0 | 10/17/2017 11:02:30 AM | 10/17/2017 11:02:30 AM |
| 2 | Test note 2 | Test note 2 [line break] This is a test | | 0 | 10/17/2017 11:02:49 AM | 10/17/2017 11:02:49 AM |

The encrypted folder does indeed encrypt files. I will let someone else with more time and capabilities figure out the encryption method used. The majority of users will not use this folder. Most store their photos in Pictures, assuming that the hidden app is secure enough. Only files in the encrypted folder are encrypted; the rest are easily viewed in your forensic tool of choice.

One other important note
If the user deleted the Hide It Pro app from their device, the app and the XML will not be available. However, the Language\.fr folder remains with all the files, folders and DBs.

I hope this information is helpful in one of your cases. I will be creating a custom artifact for Magnet's Axiom in the near future.

If you have any suggestions, comments or questions, feel free to post them. As this is my first blog post, be kind.

Thanks!!