
This lab emphasizes the aspects of computer forensics that are encountered most frequently. The work is broken into small activities, each with a specific focus. Alert your instructor when you have successfully completed each section.

A. Lab Setup

  1. Create a directory named class31 on your desktop. All of the files created in this lab will be stored there.
  2. Download and Install FoxAnalysis:
    Download FoxAnalysis_v1.4.1.zip, double click to extract, double click on Setup.msi to begin install.
  3. Download and Install ChromeAnalysis:
    Download ChromeAnalysis_v1.0.1.zip, double click to extract, double click on Setup.msi to begin install.

B. File carving

This section of the Forensics Lab introduces you to file carving. File carving is an incredibly useful skill to have in the world of computer forensics. It basically means recovering files from a physical storage device after the files have been deleted, the device has been erased, or the device has been partially destroyed. At this point, the data on the device just looks like a sequence of "raw bytes" — meaning a sequence of bytes without any information as to where any file(s) begins or ends in this sequence.
  • How a storage device ("drive") is formatted
    A storage device (hard drive, thumb drive, etc.) is nothing more than a huge sequence of bytes. We can refer to a specific byte by its offset, i.e. its distance from the initial byte. So the initial byte has offset 0, the next offset 1, and so forth. A formatted drive has
    • a filesystem — which means a record for each file of its name, the byte offset at which it begins, and the byte offset at which it ends; as well as records that indicate what directories (folders) there are, and which directory each file belongs in. Some of the bytes on the drive are used to represent the filesystem.
    • files — the filesystem only contains information about the files, the actual files themselves are (usually) nothing more than a chunk of consecutive bytes on the drive.
    • free or unallocated space — these are the bytes on the drive that are not currently being used to store information either as part of the filesystem or as part of a file. When new files are created, bytes from the unallocated space are commandeered to store the new file.
  • The Windows "Recycle Bin"
    When a user "deletes" a file in Windows, the file is simply moved to a new directory, called the "Recycle Bin". When the user "empties" the Recycle Bin, the files in that directory are deleted as described under "What does 'delete' a file really mean?" below.

  • What does "delete" a file really mean?
    When you tell the operating system to delete a file, all it really means is that
    • the filesystem structure's record of that file (its name, the byte offset it starts at and the byte offset it ends at) is destroyed, and
    • the bytes that constitute the file itself are simply reclassified as "unallocated space".
  • How to truly delete a file
    So what if you want to delete a file so that it truly cannot be recovered? To do that you have to not only "delete" the file in the sense of removing its record from the filesystem, you must also overwrite the bytes of that file with zeros or with random values. There are utilities that will do that for you.
    It is possible that a sophisticated forensics analysis could analyze the magnetic patterns on a drive and determine not only the current bit pattern of a byte, but also previously stored bit patterns. Fear of this has led many people to consider a file to only truly be deleted if its bytes have been overwritten many times.

  • Recovering a file that has been "deleted"
    Notice that after a file is "deleted", all of its bytes are still sitting there on the drive ... they are simply categorized as "unallocated", which means they are available for use in representing new files. So, a file that has been deleted is recoverable up until the time that its bytes are commandeered for other purposes. However, the file's name and the offsets at which it begins and ends are no longer available. So the trick is finding where the file begins and ends, and that is what "file carving" is all about.

With computers, "deleting" a file doesn't necessarily mean the data stored in the file (the bytes that comprise the file) is gone. It means that the filesystem's record of the file's name, and its connection to that area of the hard drive, is gone. Those bytes become "unallocated space".

To carve a file from a block of bytes, you'll need to look for the header (and, depending on the file type, the footer) of the file. For example, the header (in hex) for a PNG file is 89 50 4e 47 and the footer is 49 45 4e 44 ae 42 60 82. Below we have an example of a chunk of unallocated space from a drive. Looking carefully, we spot a PNG header (starting at offset 10) and, following it, a PNG footer (ending at offset 42), and thus we can deduce that the bytes from offset 10 through 42 make up a PNG file.

Block of unallocated space from a drive (PNG header at offsets 10-13, body at 14-34, PNG footer at 35-42):

  byte:    7e 93 57 6d 51 e9 05 6d ff 67 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 54 78 9c 62 60 01 00 00 00 49 45 4e 44 ae 42 60 82 3d 69 c4 82 81 f0 6f 61 e4 40 4b b4 34 2f 2e bb
  offset:  00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58

File Carving Activity Starts ...
Suppose you recover a hard drive from a bad guy's computer. Your job is to find incriminating data, or data that will help in an investigation. Now you have before you a sequence of tasks:

  1. To start with, let's review a basic file format. The Portable Network Graphics format gives us files with a .png extension. This file type has a very distinctive header and footer.
    • Header in hex: 89 50 4e 47 (.PNG)
    • Footer in hex: 49 45 4e 44 ae 42 60 82 (IEND...)

    Save the following file into your class31 directory: oneFile. Using frhed, open the saved file. Can you see the PNG header in the file anywhere? You can always press Ctrl+F and enter a search for 'PNG', or alternatively type the hex values into the search prompt. You can follow the same approach for the footer. (Note: Search only looks forward in the file from the current location.) Write down the offset (the location relative to the start of the file, which is shown at the bottom left of the frhed window) of the first byte of the header and of the last byte of the footer. You can use the decimal or the hex offset; just be consistent and stick with one of them. Once you have the header and footer located, i.e. you know their offsets, then:

    1. Select Edit ⇒ Copy, and enter the start and ending offsets.
    2. Select File ⇒ New to create a new document.
    3. Select Edit ⇒ Paste, choosing the option to Insert (NOT OVERWRITE). Press ok.
    4. Choose File ⇒ Save and save as a .png file.
    5. Open the file from the file browser to see the image.
  2. Your next task is to carve two files from a chunk of data called twoFiles, which you first need to save into your class31 directory, and open with frhed like you did with oneFile. You will use the same file carving technique with your hex editor. In this case, one file is a jpg image and the other file is an audio file of the wav format. The information below should help you on your task.

    Remember, if you need to search for the hex values, use this format:

    File format   Header in hex          Footer in hex
    jpg           ff d8 ff e0            ff d9
    wav           52 49 46 46 (RIFF)     NO FOOTER!

    Some file formats do not have footers. This can be problematic, but humans are often better than computers at solving this problem. In the case of the audio file, you will see a change in the information in the file. You can also try cutting differing amounts of data into the file, and see if it works. Experiment and answer the questions on the lab worksheet.

  3. You are now skilled at file carving by hand! But what if the data in question is megabytes large and the number of files is either very large or unknown? Because we know how to do this task on a small scale, it can be automated for larger sets of data, which is great. We'll be using a file carving program called scalpel, which is free software. If you did it correctly, scalpel was installed to your C:\SI110Programs directory during the first homework assignment. Scalpel automates file carving: a user sets up a configuration file that lists the different types of files it can search for, based on their headers and footers. We've prepared one for you to use.

    Next, follow these steps:

    1. First download unknownChunk.raw and scalpel.conf and save them in the class31 directory.
      unknownChunk.raw - This is raw bytes recovered off the hard drive of a confiscated computer.
      scalpel.conf - This describes file headers and footers in a form scalpel.exe can use.
    2. Open a Command Prompt and navigate to your class31 directory.
    3. Execute this command: scalpel.exe -c scalpel.conf unknownChunk.raw
    4. A summary of how many files, and of what types, scalpel found is printed in the shell (if everything was done correctly). Read through the output and determine how many files, and of what types, scalpel found; in other words, what data was hidden on this hard drive? A directory called scalpel-output will be created in the class31 directory. Using the file browser, explore the scalpel-output directory and confirm what the shell reported about what the file carver "scalpel" was able to retrieve. Then answer the questions on your worksheet. If you got an error instead of scalpel results in the shell (the scalpel command never ends and you are stuck in the shell), you will need to start over; a scalpel-output directory will still have been created. NOTE: Scalpel will not run if it detects a folder called scalpel-output that already exists. If you need to run scalpel again, first delete that folder.
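As an added example (not the lab's own code and not scalpel), the following Python script does by program what the worked PNG dump, the jpg/wav header table and scalpel.conf all describe: find a header, then take everything up to the matching footer. It embeds the lab's 59-byte dump as constructed input. For wav, which has no footer, it goes beyond the lab text and reads the size field that every RIFF/WAV file carries at bytes 4..7 of its header; the blob used in the usage check is constructed as well.

```python
import re
import struct

# Constructed sample: the 59-byte block of unallocated space shown in the lab text,
# with a PNG whose header starts at offset 10 and whose footer ends at offset 42.
SAMPLE = bytes.fromhex(
    "7e 93 57 6d 51 e9 05 6d ff 67 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52"
    " 54 78 9c 62 60 01 00 00 00 49 45 4e 44 ae 42 60 82 3d 69 c4 82 81 f0 6f 61 e4"
    " 40 4b b4 34 2f 2e bb"
)

# The lab's header/footer table, in the same spirit as a scalpel.conf entry.
# wav has no footer, so the RIFF size field (bytes 4..7, little-endian) is used
# instead; that field is part of the RIFF format, not something the lab text covers.
SIGNATURES = {
    "png": (b"\x89PNG", b"IEND\xae\x42\x60\x82"),
    "jpg": (b"\xff\xd8\xff\xe0", b"\xff\xd9"),
    "wav": (b"RIFF", None),
}

def carve(data, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Return [(type, start, end)], end inclusive, matching the lab's offset convention."""
    found = []
    for ftype, (header, footer) in signatures.items():
        for m in re.finditer(re.escape(header), data):
            start = m.start()
            if footer is not None:
                f = data.find(footer, start + len(header), start + max_size)
                if f == -1:
                    continue            # header with no footer in range: nothing to carve
                end = f + len(footer) - 1
            else:
                if start + 8 > len(data):
                    continue
                size = struct.unpack_from("<I", data, start + 4)[0]
                end = min(start + 8 + size, len(data)) - 1   # clamp at end of block
            found.append((ftype, start, end))
    return sorted(found, key=lambda hit: hit[1])

def extract(data, start, end):
    """The bytes you would copy and paste in frhed: start through end inclusive."""
    return data[start:end + 1]

if __name__ == "__main__":
    for ftype, start, end in carve(SAMPLE):
        print(f"{ftype}: offsets {start}..{end} ({end - start + 1} bytes)")
```

Writing the result of extract() to a file named with the right extension is the programmatic equivalent of steps 1-4 of the frhed procedure.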

C. Web Browser Forensics

Now we turn our attention to the world of internet browsers. Among the more popular browsers are Firefox, Chrome, Safari, Opera, and Internet Explorer. Did you know that these all retain information about what you do online? Now, with our newfound computer forensics expertise, we can see what they save. In general, they each maintain a lengthy history of web sites you visit, cookies web sites give you, stored passwords and form data, and often search terms. Today we'll explore Firefox and Chrome.

Both Firefox and Chrome build a profile for a user. This allows the browser to store all of this information for multiple users on a computer. It's very convenient, but do you want all of this information stored on the computer? We have taken some time to put together a couple of profiles for you to use. Just download and then unzip the files to a location you will remember (see below). The actual profile folder for Chrome is called Default and the Firefox profile is called ebkkqy8u.default.
Save the below files to the directory you created.

  • Firefox Profile: Firefox Profile
  • Chrome Profile: Chrome Profile

For each of the two downloaded browser profile files, right-click on the file and extract all files.

The tools we'll use for this activity come from the same author. FoxAnalysis and ChromeAnalysis are sister tools that accomplish the same thing for different browsers. They each attempt to load the profile of the user, and then parse the information.

We need a tool to help us, because the data is stored in sqlite3 database format, which is not readable to the average human. Because the task is well understood on a small scale, we can build a tool that helps automate the task for larger data sets. First we will analyze the Firefox profile.

  1. Run the FoxAnalysis program. Select File ⇒ New Case.
  2. In the window that opens, click on the ellipsis to navigate to the Firefox profile you downloaded from above. Select the ebkkqy8u.default folder within the Firefox Profile folder.
  3. Click on the Check Files button just below. This will verify that you have the required sqlite files in the profile directory. Close the window when all files have been found.
  4. Click Next three times.
  5. Click Extract.
  6. Click Finish.
  7. Analyze the history, bookmarks, cookies, downloads, form history, and logins for any suspicious activity.
  8. Example FoxAnalysis Results: [screenshot not reproduced]
  9. Repeat the above process for ChromeAnalysis, except that when you navigate to the Chrome profile, select the Default folder within the Chrome Profile folder.
  10. Example ChromeAnalysis Results: [screenshot not reproduced]
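FoxAnalysis and ChromeAnalysis are parsing sqlite3 files in the profile folders. As an added example (not the lab's code and not either tool), the script below shows the core of that work in Python: query the history table and convert the browser's timestamp to a readable UTC time. The table and column names and the two epochs are those of the real places.sqlite (Firefox) and History (Chrome) files; the rows are constructed, and the in-memory database only stands in for the profile's file.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample rows, not taken from the lab's profiles. Column names and epochs
# follow the real files: Firefox places.sqlite keeps last_visit_date as microseconds
# since 1970-01-01 UTC; Chrome's History keeps last_visit_time as microseconds since
# 1601-01-01 UTC. Both must be converted before a timeline makes sense.
FIREFOX_ROWS = [("https://example.org/", "Example Domain", 3, 1364825112000000)]
CHROME_ROWS = [("https://example.com/login", "Sign in", 1, 13009298760000000)]
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def firefox_time(us):
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc)

def chrome_time(us):
    return EPOCH_1601 + timedelta(microseconds=us)

def build_sample_db(kind):
    """In-memory stand-in for places.sqlite ('firefox') or History ('chrome')."""
    db = sqlite3.connect(":memory:")
    if kind == "firefox":
        db.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, "
                   "title TEXT, visit_count INTEGER, last_visit_date INTEGER)")
        db.executemany("INSERT INTO moz_places (url, title, visit_count, last_visit_date) "
                       "VALUES (?, ?, ?, ?)", FIREFOX_ROWS)
    else:
        db.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, "
                   "title TEXT, visit_count INTEGER, last_visit_time INTEGER)")
        db.executemany("INSERT INTO urls (url, title, visit_count, last_visit_time) "
                       "VALUES (?, ?, ?, ?)", CHROME_ROWS)
    return db

def history(db, kind):
    """[(url, title, visit_count, iso_utc)] newest first, as the analysis tools show it."""
    if kind == "firefox":
        sql = ("SELECT url, title, visit_count, last_visit_date FROM moz_places "
               "WHERE last_visit_date IS NOT NULL")
        conv = firefox_time
    else:
        sql = ("SELECT url, title, visit_count, last_visit_time FROM urls "
               "WHERE last_visit_time > 0")
        conv = chrome_time
    rows = [(url, title, n, conv(ts).isoformat()) for url, title, n, ts in db.execute(sql)]
    return sorted(rows, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    for kind in ("firefox", "chrome"):
        for row in history(build_sample_db(kind), kind):
            print(kind, *row)
```

Against a real profile, replace the in-memory connection with sqlite3.connect() on a copy of the file, since the browser holds a lock on the live one.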

D. Trace an Email

Email is one of the most common forms of communication today. While older forms of communication required the presence and participation of two parties, email is more asymmetric in nature. Email makes use of the SMTP protocol, meaning that it follows a prescribed set of rules, which makes it predictable and simple to understand. Today we're going to look at a couple of emails and determine whether they are legitimate or spam. The basis for this analysis will come from the header of the email. An email header contains information from every Mail Transfer Agent it comes in contact with on its route to the destination. This can be very helpful when putting together the path it traveled.

First examine this email: Email 1. If we start from the bottom of the email, you'll see several large chunks of data that look like some sort of encoding. These are images being sent through email. All attachments are encoded in base64 for transfer. Before each chunk you can actually see the file name, for when it gets reconstituted on the receiving end. If you scroll up past the images, you'll eventually arrive at the actual text of the message. Interesting, but this rarely helps with attribution.

As you move up the email, you can see the following fields and their meaning:

Field         Meaning
Message-ID    A unique message ID as it transits SMTP servers. This is used to avoid duplication of messages.
From          The address the sender filled in here. This could be made up!
To            This is the destination address.
X-Mailer      The mail client (program) from which the email was sent.
Subject       The subject of the email.
Reply-To      This is the address the "reply" button usually uses. The sender can fill this in with whatever he wants!
Received      These fields indicate the location and time of receipt of this email by a mail server. The top Received is closest to you, while the lowest Received is closest to the sender.
Return-Path   This is the address delivery error (bounce) messages should be sent to.

Typically, we want to follow the path of Received headers. This represents a very real path that the email took, and it is nearly impossible to forge this. Examine the fields described above in email #1.

Now, investigate Email 2 and see if you can determine where it originated from.
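As an added example (not part of the lab and not the content of Email 1 or Email 2), this Python script does what the table above asks you to do by eye: it reads the Received headers bottom-up to rebuild the route, reports the originating host, and pulls out the From, Reply-To and Return-Path fields so a mismatch is easy to spot. The message is constructed, and every host, address and id in it is a placeholder.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (not the lab's Email 1 or Email 2); every host,
# address and id is a placeholder. Lines are in the order they appear in the header.
RAW = """\
Return-Path: <bounce@example.net>
Received: from mx.relay.example.org (mx.relay.example.org [203.0.113.7])
    by mail.receiver.example (Postfix) with ESMTP id AAA111
    for <analyst@receiver.example>; Mon, 1 Apr 2013 10:05:12 -0400
Received: from sender-pc.example.net (198.51.100.23)
    by mx.relay.example.org with SMTP id BBB222;
    Mon, 1 Apr 2013 10:04:58 -0400
Message-ID: <20130401140458.ABC@example.net>
From: "Alice" <alice@example.net>
Reply-To: <someone-else@example.com>
To: <analyst@receiver.example>

body text
"""

HOP_RE = re.compile(r"from\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)")

def received_hops(raw):
    """Hops in travel order, sender first: [(from_host, by_host, timestamp)]. Each
    server prepends its own Received line, so reversing the list restores the path."""
    msg = email.message_from_string(raw)
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        line = " ".join(line.split())            # unfold the header onto one line
        m = HOP_RE.search(line)
        stamp = line.rsplit(";", 1)[1].strip() if ";" in line else ""
        hops.append((m.group("frm") if m else "?", m.group("by") if m else "?", stamp))
    return hops

def chain_breaks(hops):
    """Each hop's 'by' host should be the next hop's 'from' host; list the mismatches."""
    return [(i, a[1], b[0]) for i, (a, b) in enumerate(zip(hops, hops[1:])) if a[1] != b[0]]

def summarize(raw):
    """The fields from the lab's table plus the origin read off the Received chain."""
    msg = email.message_from_string(raw)
    hops = received_hops(raw)
    from_addr = parseaddr(msg["From"] or "")[1]
    reply_addr = parseaddr(msg["Reply-To"] or "")[1]
    return {"from": from_addr, "reply_to": reply_addr, "return_path": msg["Return-Path"],
            "origin": hops[0][0] if hops else None, "hops": len(hops),
            "reply_to_differs": bool(reply_addr) and reply_addr != from_addr}
```

A non-empty result from chain_breaks() means the Received lines do not link up, so the route should not be trusted as written; the same parsing applies to a saved copy of Email 2.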
