Archive for the ‘Computer Forensics’ Category

My favorite scene in Guardians of the Galaxy, plus some thoughts on the EnCe (forensics) and the art of clumsiness

August 24, 2014 2 comments

Hey y’all… been out for the EnCe Prep Course. Pleased to say that I passed the written part, and now I have to work on the practical. My recommendation is that if you’re going to take the written exam and don’t feel that you’re prepared enough from going through the study guide, sign up for the prep course. Yes, it’s expensive (unless you have the training pass or are lucky enough to get it paid for by your organization), but it’s worth it. Make sure you have taken Forensics I and II because they will ask you to send proof. If you haven’t taken those two classes, the Bootcamp package will include them in “onDemand” format. I prefer to go to training myself because in my work environment it’s hard to get enough time away to do computer-based training, and I work better under a live instructor, but that’s just me.

The test is hard, not going to lie. 2 hours, 150 questions, and you absolutely have to keep track of time throughout. If you have any additional questions about the written test, send a comment. I may or may not be able to answer depending on what it is, but I’ll try to help as much as possible 🙂

The day before I actually flew out for the prep course, I managed to fracture my toe by tripping over my suitcase. That’s how clumsy I can actually be, folks. Talk about pain. One of the hardest things I ever had to do was make the choice to fly out the next day, but I couldn’t exactly cancel on the prep course and flight, could I? No refunds at that late date. So, I turned off the fear in my head and went. Still hobbling a week later (and my toes are still a nice shade of blue), but I’m confident it’ll heal. Note: If you go in for a toe fracture, 9 times out of 10 the doctor will not give you warning he or she is going to set it. I screamed, and I didn’t care who heard me at that point. But do see a doctor right away. You don’t want it to heal wrong.

Anyway, now that I’m back home and getting back into work mode, I thought I’d share a video that kept my spirits up during trainings. Actually, any time I need a smile, I click on it. It’s the scene in Guardians of the Galaxy where baby Groot is dancing. I debated posting it for some time because some could see it as a spoiler, but then Marvel released it due to popular demand. So, why not.

Fun fact: James Gunn (director of the movie) did the dancing for baby Groot. Apparently he threw everyone off set, turned on a video camera and got jiggy. Then, he sent it off to the animators for the scene and made them promise to never show the video to anyone. Homie’s got some moves 🙂 Remember: dance like no one’s watching whenever you feel the need. It’ll get you in a good mood quick.


Image compression in EnCase and what it really means

May 30, 2012 Leave a comment

It’s often said in the digital forensics world that a RAW image can be seen as more “reliable” than other image types, such as the EnCase .E01 format. The reasons usually given include:

  • The RAW Image Format is basically a bit-for-bit copy of the RAW data of either the disk or the volume, without any additions or deletions.
  • The RAW Image Format was originally used by dd, but is supported by most of the computer forensics applications.
  • The RAW image is uncompressed.

It is true that an EnCase image can be smaller than the actual drive size, or, by comparison, than an image taken of the same drive in RAW format. There is no data loss, however; the reason EnCase can give a smaller image is that by default it compresses the image to save space. Every bit of the original drive still exists in the image. And EnCase also stores metadata, which isn’t something a RAW image includes by default (although there are cases where metadata can be stored in secondary files).

I performed an experiment on a 150 GB drive, where I first created a RAW image in HELIX (same resulting file size of 150 GB), then an EnCase image which was compressed down to about 60 GB by default. Then, I acquired the image again in EnCase, unchecking all compression options. The second EnCase image was 150 GB. Bit for bit, it was a mirror copy of the HELIX RAW image, only with inclusion of the metadata.
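As an added illustration of the experiment above (this is example code written for this page, not anything from the post, HELIX, or EnCase), the script below models a drive image as fixed-size chunks, acquires it once with per-chunk zlib compression and once without, and then hashes what each acquisition restores. The chunk size (64 sectors of 512 bytes) and the chunk-record layout are simplifying assumptions standing in for the real .E01 container, which is not reproduced here; the sample “drive” is constructed in the script.

```python
"""Added example, not from the original post: a small model of why a
compressed EnCase-style image is smaller than a RAW image of the same
drive while still holding every bit of it.

Assumption: the chunk-by-chunk zlib scheme below is a stand-in for the
real .E01 container, whose on-disk layout is not reproduced here."""
import hashlib
import os
import zlib

CHUNK_SIZE = 64 * 512  # 64 sectors of 512 bytes per chunk (assumed)


def make_sample_image(chunks=32, used_every=4):
    """Constructed 'drive': mostly zero-filled free space with a random,
    incompressible block every `used_every` chunks, like real file data."""
    parts = []
    for i in range(chunks):
        if i % used_every == 0:
            parts.append(os.urandom(CHUNK_SIZE))
        else:
            parts.append(bytes(CHUNK_SIZE))
    return b"".join(parts)


def acquire(raw, compress):
    """Acquire `raw` into a list of (original_len, compressed?, payload)
    chunk records. compress=False mirrors EnCase with every compression
    option unchecked."""
    records = []
    for off in range(0, len(raw), CHUNK_SIZE):
        chunk = raw[off:off + CHUNK_SIZE]
        payload = zlib.compress(chunk, 9) if compress else chunk
        records.append((len(chunk), compress, payload))
    return records


def restore(records):
    """Rebuild the original bytes from the chunk records, checking that
    every chunk inflates to the length recorded at acquisition time."""
    out = bytearray()
    for orig_len, compressed, payload in records:
        data = zlib.decompress(payload) if compressed else payload
        if len(data) != orig_len:
            raise ValueError("chunk length mismatch: image is corrupt")
        out += data
    return bytes(out)


def stored_size(records):
    """Bytes actually written to the destination for this acquisition."""
    return sum(len(payload) for _, _, payload in records)


def md5(data):
    return hashlib.md5(data).hexdigest()


def experiment(raw):
    """Replay the post's three acquisitions (RAW, compressed, uncompressed)
    and compare the resulting sizes and hashes."""
    compressed = acquire(raw, compress=True)
    plain = acquire(raw, compress=False)
    return {
        "raw_size": len(raw),
        "compressed_size": stored_size(compressed),
        "uncompressed_size": stored_size(plain),
        "raw_md5": md5(raw),
        "compressed_md5": md5(restore(compressed)),
        "uncompressed_md5": md5(restore(plain)),
    }


if __name__ == "__main__":
    for key, value in experiment(make_sample_image()).items():
        print(f"{key:>18}: {value}")
```

The three MD5 values come out identical while only the compressed acquisition shrinks, which is the point of the post: compression changes how the bits are stored on the destination, not which bits are there. In practice the same check is done by comparing the acquisition hash against a hash of the restored or mounted image.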

I’m sure this is old hat to a lot of forensics folks out there, but for the newbies starting out, it’s a pretty handy concept to know 🙂

How to create .E01 images in HELIX

January 10, 2012 2 comments

EnCase Forensic Edition

One of the issues I’ve come across in computer forensics is the lack of documentation for certain tasks I want to accomplish. For example, HELIX 3 Pro has the ability to create images in both RAW and EnCase 4, 5, and 6 format. However, if you try to select one of the EnCase formats, the acquisition may not complete in that format, only in RAW. It’s almost as if EnCase needs to know that you have a working copy of EnCase in some way, shape, or form.

I have versions 6 and 7 (Forensic edition) loaded on my laptop. So again, how to associate one with the other? The easiest way I’ve seen it done is to go through the motions of creating a boot disk for LinEn in EnCase and appending it to an ISO of HELIX 3 Pro:

  1. Launch EnCase (only 4, 5, and 6 will work for this until HELIX updates to allow for 7). Choose Tools > Create Boot Disk.
  2. Choose ISO as the destination and click Next.
  3. In the Formatting Options dialog box, ensure that Alter Boot Table is selected, the Image Path points to the directory where you have your original HELIX ISO, and the Destination Path points to a directory that houses a new altered ISO of HELIX that you will name. Click Next.
  4. The LinEn executable is usually found in the root directory of EnCase. Therefore, in the Copy Files dialog box, right click under Name (right hand pane) and click New. Browse to the location of LinEn (example C:\Program Files\EnCase6\linen). Click Finish, and EnCase will start to create your new and improved ISO.
  5. Once you get into HELIX, you should be able to select EnCase 4, 5, or 6 as the output format. I only have 6 so that limits my options personally.

Hope this helps 🙂 If you have any questions, feel free to shoot me a message.

How to open a RAW image created by HELIX in EnCase

November 30, 2011 Leave a comment

RAW images can be created by different forensic products with various file extensions like .DD or .001. I use HELIX sometimes for evidence acquisition, and it defaults to .001 and up for every 2 GB image file it creates. Viewing these HELIX-created files in EnCase wasn’t a successful venture for me for quite a while. Now I’ve figured out why, and hopefully this will help other digital forensic analysts out there who are having the same issues.

If you try to open a RAW image file in EnCase, you have a few choices of how you want to open it (Disk, Volume, CD-Rom, etc.). Easy enough. In my example, I had two NTFS partition images (created in HELIX) from the same drive that I wanted to add to my case as separate Volumes. However, if you’ve ever tried adding the component files starting from the .001 beginning point (sequential order), you’ve probably run into the issue I did, which is EnCase not recognizing the files and adding them as a single file only.

Here’s my protip: Add the files in reverse order. Let’s say my last file has the extension .027. Click on that file, hold down the Shift key, and then click on the .001 file. This will highlight all the files in between and will successfully add in the files into an EnCase-approved file structure into your case. Now you’re ready to begin your forensic examination.
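Whatever order a GUI tool wants the segments selected in, the segments still have to be joined in numeric order for the hash to match the original drive. As an added example (written for this page; not code from the post, HELIX, or EnCase), the script below gathers `<base>.001`, `<base>.002`, … segment files, sorts them numerically rather than alphabetically, refuses to proceed if a segment number is missing, checks that every segment except the last shares one size (HELIX’s 2 GB default is inferred from the first segment, not hard-coded), and streams them all through one MD5 as if they were a single RAW image. The naming scheme is an assumption, and the segments it hashes are constructed in a temporary directory.

```python
"""Added example, not from the original post: reassemble a HELIX-style
split RAW image (evidence.001, evidence.002, ...) in numeric order and
hash it as one stream, so the segments can be verified independently of
how a GUI tool happens to order them.

Assumptions: the `<base>.NNN` naming scheme, and that every segment but
the last has the same size (HELIX's 2 GB default; inferred, not fixed)."""
import hashlib
import os
import re
import tempfile

SEGMENT_RE = re.compile(r"^(?P<base>.+)\.(?P<num>\d{3,})$")


def find_segments(directory, base):
    """Segment paths sorted by numeric suffix. Sorting as numbers, not
    strings, keeps the order right past .999; a missing number is an error
    because silently skipping it would shift every later byte."""
    found = {}
    for name in os.listdir(directory):
        m = SEGMENT_RE.match(name)
        if m and m.group("base") == base:
            found[int(m.group("num"))] = os.path.join(directory, name)
    if not found:
        raise FileNotFoundError(f"no segments named {base}.NNN in {directory}")
    nums = sorted(found)
    missing = [n for n in range(nums[0], nums[-1] + 1) if n not in found]
    if missing:
        raise ValueError(f"missing segment numbers: {missing}")
    return [found[n] for n in nums]


def hash_segments(paths, algorithm="md5", bufsize=1 << 20):
    """Stream every segment through one hash, as if they were a single
    RAW image, after checking that all but the last share one size."""
    sizes = [os.path.getsize(p) for p in paths]
    for path, size in zip(paths[:-1], sizes[:-1]):
        if size != sizes[0]:
            raise ValueError(f"{path} is {size} bytes, expected {sizes[0]}: truncated?")
    h = hashlib.new(algorithm)
    total = 0
    for path in paths:
        with open(path, "rb") as f:
            for buf in iter(lambda: f.read(bufsize), b""):
                h.update(buf)
                total += len(buf)
    return h.hexdigest(), total


def build_demo_segments(directory, base="evidence", seg_size=4096, nsegs=3):
    """Constructed data: split a random 'image' into segments the way an
    acquisition tool would (last one short), returning the unsplit hash."""
    image = os.urandom(seg_size * (nsegs - 1) + 1000)
    for i in range(nsegs):
        with open(os.path.join(directory, f"{base}.{i + 1:03d}"), "wb") as f:
            f.write(image[i * seg_size:(i + 1) * seg_size])
    return hashlib.md5(image).hexdigest(), len(image)


def demo():
    """Reassemble constructed segments, then show the gap check firing
    once a middle segment has gone missing."""
    with tempfile.TemporaryDirectory() as d:
        expected_md5, expected_len = build_demo_segments(d)
        paths = find_segments(d, "evidence")
        digest, total = hash_segments(paths)
        os.remove(paths[1])  # simulate a lost evidence.002
        try:
            find_segments(d, "evidence")
            gap_detected = False
        except ValueError:
            gap_detected = True
    return {
        "order": [os.path.basename(p) for p in paths],
        "hash_matches": digest == expected_md5,
        "length_matches": total == expected_len,
        "gap_detected": gap_detected,
    }


if __name__ == "__main__":
    print(demo())
```

Run against a real set of segments, `hash_segments(find_segments(dir, "evidence"))` gives the digest to compare with the acquisition log; a mismatch with the gap and size checks passing points at a corrupted segment rather than a missing one.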

Sidenote: It would have been nice to have seen these instructions in the EnCase documentation, but I did not see them anywhere.

And if you already knew how to do this, then I bow to you, digital forensics guru 🙂

The easiest Ranch Dressing recipe and words about words

August 28, 2011 Leave a comment

If you’re like me bottled ranch dressing leaves a lot to be desired. I like it thinner, with a more oniony flavor. Think Jason’s Deli or Wing Stop. Hell, if you got a Double Dave’s or Gumby’s you know what I’m talking about. It’s what they give you with pizza rolls (don’t get me started on them boy howdy).

Check it…

Ingredients:

  • 1 cup mayonnaise
  • 1/2 cup buttermilk
  • 1/2 tsp ground black pepper
  • 1 tsp Hidden Valley Ranch mix (get the Buttermilk packet, works the best here)
  • 1/8 tsp garlic powder
  • 1/8 tsp paprika

Whisk it up and put in the fridge to set for at least an hour. If you want it thinner, add more buttermilk. Erik made his special chicken wings last night for his parents and nephew, and I made the above recipe as a dip. Very tasty combination.

So, about those words…

Grad school starts again for me this week. Sometimes it’s hard to get right back into the thick of things after three months off, but it should prove fruitful. I think I’ve finally started to figure out what could be the beginnings of my Master’s project. I don’t want to say until I get final approval from my advisor, but it’s shaping up. Hopefully he gives me the go-ahead.

A couple of weeks ago I took the second part of the EnCase Computer Forensics course at the Woodlands. Erik went along as a little vacation. He proved to be a great flying companion, even giving me the window seat. What a guy, right? We had some issues with his navigation skills early on, but otherwise it was successful. As for the training, I learned more about the stuff I’m starting to tackle now like recovering files, finding files that may be intentionally renamed, and setting up custom hash sets. Things are much clearer now than ever before.

As for Erik, I took him to some great eateries, we strolled around Market Square, very Melrose Avenue. A highlight was finding Borders bookstore having a huge going out of business sale. Bad for Borders, great for my bookshelf. Another was partaking in a pomegranate berry smoothie from the heavens above (sorry, I meant to say Jamba Juice). The taste buds were doing cartwheels and were sad when I was done. “More, Jen, more!” Sorry kids, no Jamba Juice around here. If there was I’d be there every other day.

I like the Woodlands. It’s not as fast paced as Metro Houston. Actually reminds me a lot of College Station, albeit with more traffic jams. However, it’s very conservative. As liberal as this gal is, it’s hard to walk into sandwich shops blaring Fox News 24/7. But hey, whatever floats your boat.

I predict that the weekdays will get busier with school, work, and martial arts classes. I find that the more I have to do, the more accomplished I feel. That’s not to say that I don’t still enjoy a few hours of reading a book or watching Arrested Development with my beloved husband. That’s cool too 🙂

Product recommendation for drive imaging (Tableau TD1 Forensic Duplicator)

August 9, 2011 Leave a comment

Tableau TD1 Forensic Duplicator

I’ve been road testing (if you will) different forensic products. In our organization, we have many different types of OSs, drives, and the like. Sometimes I’ve noticed that one software product will work fine on Windows, but it will be problematic on Mac.

So the question becomes… what if you don’t want to deal with the OSs and just want a straight drive to drive acquisition?

Tableau makes a great forensic duplicator. Out of the box, the TD1 is able to handle IDE and SCSI drives for source and destination. Some other features:

  • Write blocking capabilities are built in
  • Can format and wipe disks on the fly (single pass or multi)
  • Images can be done in either RAW or .E01 (EnCase) format
  • Fast imaging, formatting, and wiping
  • Can create an MD5 hash for image authenticity
  • USB port to plug in a thumb drive for the log file (including the MD5 hash)

If you want to image a USB drive, they offer an add on USB protocol module for the Duplicator. Source only though, not destination (IDE or SCSI).

Because it’s not dependent on being attached to a computer with an OS, the duplicator is fast as heck and manages to compress the image the way other forensic tools do also, saving space on the destination drive.

Two thumbs up from me 🙂
