1.0 Introduction
Breaking a law is generally regarded as a crime. That is a broad definition, and it is in fact very difficult to define precisely what a crime is. Many attempts have been made to formulate an accurate definition: an antisocial act; a failure or refusal to live up to the standard of conduct deemed binding by the rest of the community; or some act or omission in respect of which legal punishment may be inflicted on the person who is in default, whether by acting or by omitting to act. Murder, burglary, theft, rape and forgery are familiar examples, and such crimes may be committed for many different reasons. Whatever the reasons, it is the duty and responsibility of the law enforcement agencies to book the criminal and protect society from such acts. They rely on established methods of investigation and evidence collection to prove that a crime was committed. In the case of a conventional crime such as murder or robbery, the investigating team inspects the scene of the crime for evidence: a weapon, fingerprints, bloodstains, hairs and so on, which serve as clues to the identity of the culprit. These items are then analysed with forensic methods to turn them into evidence. Cyber forensics deals with the acquisition, authentication, analysis, preservation and documentation of evidence extracted from and/or contained in a computer system, computer network, computer media or computer peripheral. Just as conventional crimes are investigated with conventional forensic analysis, crimes in the cyber world, and their investigation and analysis, are the subject of cyber forensics. Cyber crimes may be defined as crimes in which computers are either the tools used to commit the crime or the targets of the crime.
Document forgery, making counterfeit currency and sending threatening e-mails are examples of the computer as a tool for committing a cyber crime, whereas unauthorized access to a computer system and deleting, modifying or stealing the information stored on it is an example of the computer as the target of the crime. As with a conventional crime, the investigating team has to collect evidence, in this case mainly from the computer system involved in the crime. One difficulty the team may face is the absence of a definite scene of crime, because a computer system is easily removed from the place where the crime was actually committed. Another is the absence of physical evidence apart from the computer system and its peripheral devices: whatever evidence exists of a cyber crime will be stored on the storage devices of the system. Investigating officers must therefore take the utmost care when handling these devices and follow specially formulated procedures when seizing a computer system, so that the contents of the storage devices cannot be tampered with in any way. This is a basic requirement that every investigating officer has to adhere to. Since the probable evidence on the storage media is intangible, it can be analysed only with software. Ordinary programs, which show only the contents of ordinary files, are of little use for cyber forensic analysis, because evidence that may reside in deleted files and in special areas of the storage media is not reachable by them. Special programs are required to look into these areas and extract evidence from them. Such programs, which acquire, authenticate and analyse storage media as a whole, are termed Cyber Forensic Tools.
CyberCheck
CyberCheck is a forensic analysis tool developed by C-DAC, Thiruvananthapuram, for analysing the evidence file acquired by the imaging tool TrueBack (a forensic imaging tool also developed by C-DAC, Thiruvananthapuram). It is also capable of analysing raw images generated by other cyber forensic tools. CyberCheck uses the MD5 hash algorithm to verify data integrity. When the software is loaded it performs a self-integrity check on its own executable. If the CyberCheck executable is corrupted, it displays the message "CyberCheck Executable is corrupted, cannot continue with analysis" and loading is terminated. Note that the self-integrity check runs while the software is loading; if the executable is corrupted to the point that it cannot be loaded at all, the software should be considered totally corrupted.

The main features of CyberCheck are:

- Standard Windows application.
- Self-integrity check.
- Minimum system configuration check.
- Analyses FAT12, FAT16, FAT32, NTFS and Linux Ext2fs file system evidence files.
- User login facilities.
- Creates a log of each analysis session and of the analysing officer's details.
- Block-by-block data integrity verification while loading an evidence file.
- Explorer-type view of the contents of the whole evidence file.
- Display of folders and files with all attributes.
- Show/hide system files.
- Text/hex view of the content of a file.
- Picture view of an image file.
- Gallery view of images.
- Graphical representation of the following views of an evidence file: Disk View, Cluster View, Block View, and Timeline View of all files, deleted files, time anomaly files, signature mismatched files and files created within a time frame.
- Single and multiple keyword search.
- Search with GREP expressions.
- Extraction of disk, partition, file and MBR slack.
- Exclusive search in slack space.
- Data recovery from deleted files and slack space.
- Exporting files, folders and slack content.
- Exporting the folder structure, including file names, into a file.
- Exporting files to an external viewer.
- Extraction of unused unallocated clusters and their exclusion from the search space.
- Extraction of lost clusters.
- Exclusive search in data extracted from lost clusters.
- Exporting swap files.
- Exclusive search in data extracted from swap files.
- File search based on extension.
- Exclusion of system files from the search space.
- Local and network preview of storage media.
- Bookmarking facility for data, files and folders.
- Mailbox viewer.
- Registry viewer.
- Expansion trigger at different levels of the folder structure.
- Recovery of deleted partitions.
- Recovery of formatted media.
- Facility for analysing raw images.
- Identification of encrypted and password-protected files.
- Identification of overwritten files.
- Unicode support.
- Indian language support.
- Support for dynamic disk analysis.
- Customised hash set library creation.
- Support for scripting.
- Customisation of the file signature library.
- Facility for extracting ZIP files.
- Internet history viewer.
- Facility to view metadata of Microsoft Office files.
- Generation of an analysis report with the following features: complete information on the evidence file system; complete information on partition and drive geometry; hash verification details; user login and logout information; exported content of text files and slack information; picture files included as images; customisation of the report; save report; print report.
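As an added illustration of the block-by-block integrity verification listed above (example code written for this page, not CyberCheck's or TrueBack's own code; the block size, the format of the stored hash list and the sample image are assumptions), the following Python computes a per-block MD5 list for an evidence image and later checks an image against it, reporting exactly which blocks differ rather than only that something changed. A whole-image SHA-256 is recorded alongside the MD5 because MD5 collisions are practical today, so a single MD5 is not by itself sufficient proof that an image is unaltered.

```python
import hashlib

BLOCK_SIZE = 4096   # assumed block size; the manual does not state the size CyberCheck uses


def block_hashes(image: bytes, block_size: int = BLOCK_SIZE) -> list[str]:
    """MD5 hex digest of every block of `image`, in order.
    The final block may be shorter than block_size; it is hashed as-is."""
    return [hashlib.md5(image[off:off + block_size]).hexdigest()
            for off in range(0, len(image), block_size)]


def whole_image_digests(image: bytes) -> dict[str, str]:
    """MD5 plus SHA-256 of the whole image, to be recorded at acquisition time."""
    return {"md5": hashlib.md5(image).hexdigest(),
            "sha256": hashlib.sha256(image).hexdigest()}


def verify_blocks(image: bytes, stored: list[str], block_size: int = BLOCK_SIZE) -> list[int]:
    """Re-hash `image` block by block and return the indices of blocks whose
    MD5 differs from the stored list. An empty list means every block verified.
    A different number of blocks is a hard failure rather than a partial match,
    because it means the image is not the one that was hashed at acquisition."""
    actual = block_hashes(image, block_size)
    if len(actual) != len(stored):
        raise ValueError(f"block count mismatch: image has {len(actual)} blocks, "
                         f"stored hash list has {len(stored)}")
    return [i for i, (a, s) in enumerate(zip(actual, stored)) if a != s]


def tamper(image: bytes, offset: int) -> bytes:
    """Flip one bit at `offset` (simulates a damaged or altered sector)."""
    buf = bytearray(image)
    buf[offset] ^= 0x01
    return bytes(buf)


# Constructed sample evidence image: three full 4 KiB blocks plus a 1 KiB tail.
SAMPLE_IMAGE = bytes(range(256)) * 52        # 13,312 bytes


if __name__ == "__main__":
    stored = block_hashes(SAMPLE_IMAGE)       # what the imaging tool would have recorded
    print("blocks:", len(stored), "sha256:", whole_image_digests(SAMPLE_IMAGE)["sha256"][:16], "...")
    print("clean image, mismatching blocks:", verify_blocks(SAMPLE_IMAGE, stored))
    print("bit flipped at byte 5000, mismatching blocks:",
          verify_blocks(tamper(SAMPLE_IMAGE, 5000), stored))
```

Because each block is hashed separately, a single damaged sector is localised to one block index, and the rest of the image can still be relied on; a whole-image hash alone would only say that the image no longer matches.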
Fundamentals
2.1.1 Sector
The sector is the smallest unit of storage on a computer storage device. A sector is just a run of bits stored as data on the disk (4,096 bits, i.e. 512 bytes, on a conventional disk). Sector sizes are generally a power of 2 bytes: a regular disk sector is 512 bytes and a CD-ROM sector is 2,048 bytes. Read/write optical drives commonly use sector lengths of 512, 1,024 or 2,048 bytes.
2.1.2 Clusters
All Microsoft operating systems rely upon the storage of data in fixed length blocks of bytes called clusters. Clusters are essentially groupings of sectors, which are used to allocate the data storage area in all Microsoft operating systems, i.e., DOS, Windows, Windows 95, Windows 98, Windows NT, Windows 2000 and Windows XP. Cluster size may vary from 1-128 sectors. The size varies depending on the size of the logical storage volume and the operating system involved.
Consider a disk volume that uses 4,096-byte clusters, and a file in the C:\DATA directory called PCGUIDE.HTM that is 20,000 bytes in size. This file requires 5 clusters of storage (20,000 divided by 4,096 is about 4.88, and a file always occupies a whole number of clusters). Now suppose we want to open the file to edit it. We launch our editor and ask for the file to be opened. To find the cluster containing the first part of the file, the system looks at the file's directory entry for the starting cluster number; let us suppose it finds 12,720. The system then goes to cluster 12,720 on the disk to load the first part of the file. To find the second cluster used by the file, the system looks at the FAT entry for cluster 12,720, where it finds another number: the next cluster used by the file. Say this is 12,721. The next part of the file is loaded from cluster 12,721, and the FAT entry for 12,721 is examined to find the next cluster, and so on until the last cluster of the file is found. When the system checks that cluster's FAT entry, instead of a valid cluster number it finds a special value such as 65,535 (FFFFh, the largest number that fits in 16 bits). This is the signal that there are no more clusters in the file, so the whole file has been retrieved. Since every cluster is chained to the next by a number, the file need not be stored in one continuous block on the disk. In fact, pieces of the file can be located anywhere on the disk, and can even be moved after the file has been created. The operating system follows these cluster chains invisibly, so that to the user each file appears to occupy one continuous chunk of disk space.
One of the advantages of the FAT file system is the ease with which files can be undeleted, because of the way it deletes them. Contrary to what many people believe, deleting a file does not remove its contents from the disk. Instead, the system writes the byte E5h into the first character of the file name in the directory entry. This special tag tells the system that the file has been deleted. The space formerly used by the file becomes available to other files, but it is not cleared; it is simply left there. Over time, these freed clusters will be reused by other files as they request more space. However, if you accidentally delete a file you can very often recover it if you act quickly. In DOS you can use the UNDELETE command, and third-party tools such as Norton Utilities' UNERASE also undelete files. If you run one of these tools immediately, it can identify and recover the deleted files in a directory. You will have to supply the missing first character of the file name (which was overwritten by the E5h code in the file's directory entry when the file was deleted). The less work you do between deleting the file and attempting to undelete it, the more likely the recovery is to succeed. If you delete a file on a system that is fairly full and then create many new files, some of the clusters formerly used by the deleted file may be reused and their former contents lost. If you defragment your disk or do some other large-scale disk work, you will almost certainly lose the contents of deleted files forever. Many operating systems have made deletion and undeletion less of an issue by integrating protection for erased files into the operating system itself: newer Windows versions initially send all deleted files to a Recycle Bin, from which they can be restored if needed. These deleted files stay around for a while in case you want to undelete them, and while they are in the Recycle Bin they can be restored to their former locations with no data loss. However, the size of the Recycle Bin is limited and eventually files are permanently removed from it.
chances are pretty good that the second copy will be affected as well. Another problem is that disk utilities frequently duplicate the primary FAT to the backup FAT location. This means that any corruption that arises in the primary FAT may be duplicated to the backup copy before it is noticed. Under FAT32, some improvements were made to the FAT backup scheme. First, either copy of the FAT can be designated the primary and either the backup. Second, the mechanism by which the FAT is copied from the primary to the backup location can be disabled. The combination of these features allows the second FAT to be protected and used in the event of problems with the first.
FAT16: The FAT used for older systems, and for small partitions on modern systems, uses a 16-bit binary number to hold cluster numbers. When someone refers to a FAT volume generically they usually mean FAT16, because it has long been the de facto standard for hard disks, even though FAT32 is now more popular. A FAT16 volume can hold a maximum of 65,526 clusters, which is 2^16 less a few values reserved for special FAT entries. FAT16 is used for hard disk volumes ranging in size from 16 MB to 2,048 MB. VFAT (the long file name extension) is a variant of FAT16. FAT32: The newest FAT type, FAT32 is supported by newer versions of Windows, including the Windows 95 OEM SR2 release, Windows 98, Windows ME and Windows 2000. FAT32 uses a 28-bit binary cluster number, not 32, because 4 of the 32 bits are reserved. 28 bits is still enough to permit very large volumes: FAT32 can theoretically handle volumes with over 268 million clusters and (theoretically) supports drives up to 2 TB in size. Here is a summary table showing how the three types of FAT compare:
3. When finished, every cluster that is marked in the FAT as in use should be accounted for. Any that are in use but not accounted for are orphans that don't belong to any file: lost clusters. Lost clusters are usually the result of interrupted file activity of some sort; a program allocates some clusters to a file it is building, and if the file is not properly finished and closed, the clusters never get correctly linked to a file name. The program that detects lost clusters will usually give you the choice of clearing them (marking them as available and returning them to the pool of free clusters) or saving them as a file. In the latter case, the program generates an artificial file name and links the lost clusters to that name, so that a real file is formed. Usually this file will be damaged in some way, but you can often at least see what the orphaned data was and in some cases recover at least part of it.

Cross-Linked Files: On rare occasions, two files can end up pointing to the same data on the disk. Either both files' directory entries carry the same starting cluster number, or one of the clusters in the middle of two or more cluster chains points to the same place. Each time either of the cross-linked files is used, all or part of the other one is overwritten. The only solution is to make new copies of each of the affected files. You will generally lose the contents of one or the other (in fact, by the time you discover the problem, you have already lost the contents of at least one of them), and often both will be lost and have to be restored from a backup.

Invalid Files or Directories: Very rarely, the internal structures of files or directories become damaged so that some entries no longer follow the rules for how a file or directory is supposed to be laid out. An example would be a directory without a pointer to its parent directory, or a file with an invalid start cluster. Sometimes files are assigned an invalid date or time by a buggy piece of software. These problems can usually be fixed by disk scanning software.

Allocation or FAT Errors: Occasionally the entries in the FAT become corrupted or are set to invalid values. Again, most disk-checking utilities detect and correct these problems on the fly.
Files saved in the data area are not necessarily stored in consecutive clusters, so the operating system has to know where the whole of a file is located in the data area. That is the task of the FAT. For any cluster that is used by a file but is not the file's last cluster, the FAT entry contains the number of the next cluster used by the file. When a program asks the operating system (OS) for the contents of a file, the OS first reads the file's first cluster. It then looks at the FAT entry for that cluster, which gives the number of the cluster where the file continues, and reads that cluster from the data area. The OS repeats this until the whole file has been read. This way of organizing a file is called the FAT chain. FAT entries may also contain a few special values: the cluster is free, that is, not in use by any file (0000H for FAT16); the cluster contains one or more physically damaged sectors and must not be used (FFF7H for FAT16); or the cluster is the final cluster of a file (FFF8H-FFFFH for FAT16), also called End Of File (EOF).
But how does the OS know what files are on the disk and where to find the first cluster of each file? That is the purpose of the directory entries, which are also stored in the data area. Each directory entry is 32 bytes long and holds the file or directory name, size, first cluster number and attributes.
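The FAT chain walk described in the PCGUIDE.HTM example and again in the paragraph on the FAT chain, the E5h deletion marker, and the 32-byte directory entry just described, brought together in an added worked example (written for this page; not CyberCheck's own code). It builds a small FAT16 volume in memory (constructed data: 512-byte clusters, a 16-entry FAT, one live file and one deleted file), follows a cluster chain while checking for the free, bad and EOF markers, decodes directory entries, and recovers the deleted file the way UNDELETE does, by assuming its clusters were contiguous. Clusters 0 and 1 are reserved, so data cluster n starts at offset (n - 2) * cluster size in the data area.

```python
import struct
from math import ceil

# FAT16 entry values from the text; FAT12/FAT32 use 12-bit and 28-bit equivalents.
FAT16_FREE = 0x0000
FAT16_BAD = 0xFFF7
FAT16_EOF_MIN = 0xFFF8      # 0xFFF8..0xFFFF all mean "last cluster of this file"
DELETED_MARK = 0xE5         # first byte of the directory entry of a deleted file


def follow_chain(fat: list[int], start: int) -> list[int]:
    """Return the clusters of a file in order by following FAT entries from `start`.
    Stops at an EOF marker; raises if the chain runs into a free or bad entry,
    leaves the table, or revisits a cluster (a cross-linked or looping chain)."""
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur >= len(fat):
            raise ValueError(f"cluster {cur} out of range")
        if cur in seen:
            raise ValueError(f"loop detected at cluster {cur}")
        seen.add(cur)
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= FAT16_EOF_MIN:
            return chain
        if nxt in (FAT16_FREE, FAT16_BAD):
            raise ValueError(f"chain broken at cluster {cur}: entry {nxt:#06x}")
        cur = nxt


def parse_dir_entry(raw: bytes) -> dict:
    """Decode a 32-byte FAT directory entry: 8.3 name, attribute byte (offset 11),
    first cluster (offset 26) and file size (offset 28)."""
    if len(raw) != 32:
        raise ValueError("directory entry must be 32 bytes")
    deleted = raw[0] == DELETED_MARK
    base = raw[0:8].decode("latin-1").rstrip()
    ext = raw[8:11].decode("latin-1").rstrip()
    if deleted:                       # first character was overwritten by E5h
        base = "?" + base[1:]
    first_cluster, size = struct.unpack_from("<HI", raw, 26)
    return {"name": base + ("." + ext if ext else ""), "attr": raw[11],
            "first_cluster": first_cluster, "size": size, "deleted": deleted}


def read_clusters(data_area: bytes, cluster_size: int, clusters: list[int]) -> bytes:
    return b"".join(data_area[(c - 2) * cluster_size:(c - 1) * cluster_size] for c in clusters)


def read_file(fat, data_area, cluster_size, entry) -> bytes:
    """Normal read: follow the chain, then cut to the size in the directory entry."""
    chain = follow_chain(fat, entry["first_cluster"])
    return read_clusters(data_area, cluster_size, chain)[:entry["size"]]


def undelete_contiguous(data_area, cluster_size, entry) -> bytes:
    """Recovery of a deleted file: its FAT entries were zeroed on deletion, so the
    chain is gone; assume the file was contiguous from its first cluster (what the
    DOS UNDELETE command assumes). Wrong if the file was fragmented or overwritten."""
    n = ceil(entry["size"] / cluster_size)
    first = entry["first_cluster"]
    return read_clusters(data_area, cluster_size, list(range(first, first + n)))[:entry["size"]]


def _make_entry(name: str, ext: str, first: int, size: int, deleted: bool = False) -> bytes:
    raw = bytearray(32)
    raw[0:8], raw[8:11], raw[11] = name.ljust(8).encode(), ext.ljust(3).encode(), 0x20
    struct.pack_into("<HI", raw, 26, first, size)
    if deleted:
        raw[0] = DELETED_MARK
    return bytes(raw)


# ---- constructed sample volume: 16 clusters of 512 bytes, data area = clusters 2..15 ----
CLUSTER_SIZE = 512
FAT = [0xFFF8, 0xFFFF] + [FAT16_FREE] * 14     # entries 0 and 1 are reserved
FAT[3], FAT[4], FAT[7] = 4, 7, 0xFFFF          # live file: chain 3 -> 4 -> 7 -> EOF
DATA_AREA = bytearray(14 * CLUSTER_SIZE)
FILE_A = bytes(i % 251 for i in range(1200))   # 1200 bytes => 3 clusters
for cluster, off in zip((3, 4, 7), range(0, 1200, CLUSTER_SIZE)):
    start = (cluster - 2) * CLUSTER_SIZE
    DATA_AREA[start:start + CLUSTER_SIZE] = FILE_A[off:off + CLUSTER_SIZE].ljust(CLUSTER_SIZE, b"\0")
FILE_B = (b"deleted note " * 60)[:700]          # deleted file, formerly clusters 9 and 10
DATA_AREA[7 * CLUSTER_SIZE:7 * CLUSTER_SIZE + 700] = FILE_B   # cluster 9 starts at (9-2)*512
DATA_AREA = bytes(DATA_AREA)
ENTRY_A = _make_entry("PCGUIDE", "HTM", 3, 1200)
ENTRY_B = _make_entry("NOTES", "TXT", 9, 700, deleted=True)

if __name__ == "__main__":
    live = parse_dir_entry(ENTRY_A)
    print(live["name"], follow_chain(FAT, live["first_cluster"]),
          read_file(FAT, DATA_AREA, CLUSTER_SIZE, live) == FILE_A)
    gone = parse_dir_entry(ENTRY_B)
    print(gone["name"], "deleted:", gone["deleted"],
          undelete_contiguous(DATA_AREA, CLUSTER_SIZE, gone) == FILE_B)
```

Note the difference between the two recovery paths: a live file is reconstructed from the FAT chain and is exact, whereas the deleted file is reconstructed from its directory entry alone, so the first character of its name is unknown and the content is only correct if no later file has reused those clusters.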
the hard disks' sizes. NTFS provides a combination of performance, reliability and compatibility not found in the FAT file system. Formatting a volume with NTFS creates several system files and the Master File Table (MFT), which contains information about every file and folder in the NTFS volume. The first information on an NTFS volume is the Partition Boot Sector, which starts at sector 0 and can be up to 16 sectors long. The first file on an NTFS volume is the Master File Table (MFT). Basically, everything in the volume is a file and everything in a file is an attribute, from the data attribute to the security attribute to the file name attribute. Every allocated sector on an NTFS volume belongs to some file; even the file system metadata (the information that describes the file system itself) is part of a file.
Ext2fs is a file system that implements Unix file semantics and offers advanced features. It was designed by Remy Card and Wayne Davison and implemented by Remy Card. It is an extensible and powerful file system for Linux and has been the most successful file system in the Linux community. It includes provision for extensions, so that users can benefit from new features without reformatting their file system. To ease management, Ext2fs logically divides the disk into small units called blocks. A block is the smallest unit that can be allocated. The system administrator can choose a block size of 1,024, 2,048 or 4,096 bytes when creating the file system, depending on the expected average file length. Every file size is rounded up to an integral number of blocks. Ext2fs groups a fixed number of sequential blocks into a block group, and the file system is managed as a series of block groups, as shown in figure 2.3.1 below. This keeps related information physically close on the disk and eases management.

Figure 2.3.1 Block Structure of the Ext2fs file system

Ext2fs can access file systems as large as 4 TB; the maximum file size is 2 GB. It uses variable-length directory entries and allows file names up to 255 characters long. Another advantage is reliability: because the block groups contain copies of the primary control structures, these copies can be used to repair the file system if the superblock at the start of the disk is corrupted. Linux accepts relatively inefficient disk usage in exchange for a lower CPU workload. Every file and directory in the file system is described by one and only one inode. The inodes of each block group are kept in that group's inode table. The system administrator may choose how many inodes to allow for a partition of a given size, depending on the expected number of files to be stored on it; this maximizes the effectively usable disk space.
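To make the block-group layout concrete, here is an added example (written for this page; not part of the manual or of the ext2 tools, and the sample image is constructed in memory) that reads the ext2 superblock, which always begins 1,024 bytes into the volume, derives the block size and the number of block groups from it, reads the group descriptor table in the block that follows the superblock, and uses the two to locate any inode on disk. Inode numbers start at 1, so inode i sits at index (i - 1) mod inodes_per_group in the inode table of group (i - 1) div inodes_per_group. It also lists where the backup superblock copies begin, which is what a repair falls back on when the primary superblock is corrupted.

```python
import struct

EXT2_SUPER_MAGIC = 0xEF53
SUPERBLOCK_OFFSET = 1024       # fixed, whatever the block size
GROUP_DESC_SIZE = 32


def parse_superblock(img: bytes) -> dict:
    """Read the fields of the primary superblock needed to navigate the volume."""
    sb = img[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    if struct.unpack_from("<H", sb, 56)[0] != EXT2_SUPER_MAGIC:
        raise ValueError("not an ext2 superblock (bad magic)")
    inodes_count, blocks_count = struct.unpack_from("<II", sb, 0)
    first_data_block, log_block_size = struct.unpack_from("<II", sb, 20)
    blocks_per_group = struct.unpack_from("<I", sb, 32)[0]
    inodes_per_group = struct.unpack_from("<I", sb, 40)[0]
    rev_level = struct.unpack_from("<I", sb, 76)[0]
    # revision 0 has a fixed 128-byte inode; revision 1 stores the size at offset 88
    inode_size = struct.unpack_from("<H", sb, 88)[0] if rev_level >= 1 else 128
    block_size = 1024 << log_block_size
    group_count = (blocks_count - first_data_block + blocks_per_group - 1) // blocks_per_group
    return {"inodes_count": inodes_count, "blocks_count": blocks_count,
            "first_data_block": first_data_block, "block_size": block_size,
            "blocks_per_group": blocks_per_group, "inodes_per_group": inodes_per_group,
            "inode_size": inode_size, "group_count": group_count}


def parse_group_descriptors(img: bytes, sb: dict) -> list[dict]:
    """The group descriptor table occupies the block after the superblock."""
    base = (sb["first_data_block"] + 1) * sb["block_size"]
    out = []
    for g in range(sb["group_count"]):
        block_bitmap, inode_bitmap, inode_table = struct.unpack_from(
            "<III", img, base + g * GROUP_DESC_SIZE)
        out.append({"block_bitmap": block_bitmap, "inode_bitmap": inode_bitmap,
                    "inode_table": inode_table})
    return out


def locate_inode(sb: dict, gdt: list[dict], ino: int) -> tuple[int, int, int]:
    """Return (block group, index within its inode table, absolute byte offset) of inode `ino`."""
    if not 1 <= ino <= sb["inodes_count"]:
        raise ValueError(f"inode {ino} out of range")
    group, index = divmod(ino - 1, sb["inodes_per_group"])
    offset = gdt[group]["inode_table"] * sb["block_size"] + index * sb["inode_size"]
    return group, index, offset


def backup_superblock_offsets(sb: dict) -> list[int]:
    """Byte offsets of the superblock copies at the start of each later block group
    (with the sparse_super feature only groups 0, 1 and powers of 3, 5 and 7 carry one)."""
    return [(sb["first_data_block"] + g * sb["blocks_per_group"]) * sb["block_size"]
            for g in range(1, sb["group_count"])]


def build_sample_image() -> bytes:
    """Constructed 1 KiB-block volume: 16,384 blocks in two groups of 8,192, 2,048 inodes per group."""
    img = bytearray(4096)
    sb = bytearray(1024)
    struct.pack_into("<II", sb, 0, 4096, 16384)       # s_inodes_count, s_blocks_count
    struct.pack_into("<II", sb, 20, 1, 0)             # s_first_data_block, s_log_block_size
    struct.pack_into("<I", sb, 32, 8192)              # s_blocks_per_group
    struct.pack_into("<I", sb, 40, 2048)              # s_inodes_per_group
    struct.pack_into("<H", sb, 56, EXT2_SUPER_MAGIC)  # s_magic
    struct.pack_into("<I", sb, 76, 1)                 # s_rev_level
    struct.pack_into("<H", sb, 88, 128)               # s_inode_size
    img[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024] = sb
    # group descriptors at block 2: group 0 bitmaps/table at blocks 3,4,5; group 1 at 8195,8196,8197
    struct.pack_into("<III", img, 2048, 3, 4, 5)
    struct.pack_into("<III", img, 2048 + GROUP_DESC_SIZE, 8195, 8196, 8197)
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    sb = parse_superblock(image)
    gdt = parse_group_descriptors(image, sb)
    print(sb["block_size"], "byte blocks,", sb["group_count"], "groups")
    print("inode 2 (root directory) at", locate_inode(sb, gdt, 2))
    print("inode 2049 at", locate_inode(sb, gdt, 2049))
    print("backup superblocks at byte offsets", backup_superblock_offsets(sb))
```

On a real image the group descriptor values come from the disk rather than from the constructed table above, but the arithmetic is the same, and comparing the primary superblock with a backup copy is a quick way to tell whether the primary has been altered.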
Ext3 file system has been designed with two simple concepts in mind: to be a journaling file system, and to be, as much as possible, compatible with the old Ext2 file system. Ext3 is the descendant of Ext2, as its name implies; it is essentially Ext2 with added support for journaling. Ext3 has a significant advantage over the other options described below: it is backwards compatible. Ext2 partitions can be converted to Ext3 and vice versa without reformatting the partition, and an older kernel with no Ext3 support can mount an Ext3 partition, which it simply sees as a normal Ext2 partition. Because Ext3 is largely based on Ext2, its on-disk data structures are essentially identical to those of an Ext2 file system.

A Linux swap partition is something you generally create once and then forget about. It is an amount of disk space to which Linux temporarily writes data from RAM in order to free memory for other processes. The swap partition differs from all others in that it is not used to store files.

ReiserFS, developed by Hans Reiser and other developers, is quite stable and very fast; it is based on a balanced tree structure instead of traditional blocks. It was the first journaling file system available for Linux.

Xiafs was designed as a stable, safe file system by extending Minix, but it is no longer actively supported and is rarely used.

Journaled file systems: Whenever a computer is switched off without a proper shutdown there is a possibility that data on the disk becomes corrupted; that is, some data will have been written while other data has not, leaving files, or even internal file system data, in a half-finished state. Whenever that happens the system runs a routine to check the disk for errors: "fsck" in Linux and "scandisk" in Windows. This is time consuming, especially on today's very large disks, and the check is also forced once every so many boot-ups to make sure everything is working properly. Journaling file systems get rid of these problems. Instead of writing modified files directly to their area on the disk, the system maintains a "journal" on the disk that describes all the changes that must be made. A background process then takes each journal entry, makes the change and marks it as completed. If the system is halted without a shutdown, any pending changes are performed when it is restarted and the system is ready to continue running in seconds; incomplete entries in the journal are discarded. This guarantees consistency and removes the need for a long and complex file system check at boot.
The Joliet specification was designed to resolve a number of deficiencies in the original ISO 9660 file system (Level 1), particularly when used with Windows 95 and later. These include:
- character set limited to upper-case letters, digits and underscore;
- file name length limited to 8 characters plus a three-character extension;
- directory tree depth limitations;
- directory name format limitations.
The Joliet specification uses the supplementary volume descriptor (SVD) feature of ISO 9660 to solve these problems. To maintain compatibility with MS-DOS, the primary volume descriptor and its associated path table meet the ISO 9660 Level 1 specification, while the SVD uses a second path table with long file names for full Windows 9x/2000 compatibility.
The Primary Volume Descriptor is the starting point in identifying a CD-ROM. It contains the Standard Identifier, the Volume Identifier, the Volume Set Identifier, the System Identifier, the size of the Volume, the number of Volumes in the Volume Set it belongs to, the sequence number of this Volume within the Volume Set, the Logical Block size of the blocks in this volume, the size of the Path Table, the location of the Path Table, the Directory record for the Root Directory, other identifiers and important times relating to the Volume. The Standard Identifier is a set of characters, defined by ISO 9660 to be CD001, that tells the operating system that this is an ISO 9660 disc. It distinguishes the volume from other file systems that use a similar layout, such as High Sierra, whose Standard Identifier is CDROM, and Compact Disc Interactive, whose Standard Identifier is CD-I. The Volume Identifier is simply the name given to the ISO 9660 volume. The characters that can be used in it are restricted to what ISO 9660 calls d-characters, and its length is restricted to 31 characters.

Primary Volume Descriptor fields:
- Primary Volume Descriptor Id
- Standard Identifier
- Volume Descriptor Version No
- Volume Identification
- Volume Size
- Logical Block Size
- Path Table Size
- Location of Type L Path Table
- Location of Type M Path Table
- Directory record for Root Directory
- Volume Creation Date & Time
- Volume Modification Date & Time

The Volume Size is a number that tells the operating system how many Logical Blocks are in this Volume. A Logical Block is the basic way of locating things in the Volume; all locations are given as Logical Block Numbers. If the Volume is pictured as an interstate highway, the Logical Block Numbers are the mile markers. The Logical Block Size is the number of bytes that make up the smallest amount of space allocated in this volume; it can be 512, 1,024 or 2,048 bytes. Most ISO 9660 discs use a Logical Block Size of 2,048, the same as the sector size. The Path Table Size tells the operating system how many bytes are in the Path Table. Most operating systems that use the Path Table keep it in fast local memory (RAM), and this number is a quick way for the operating system to know how much memory to allocate before it reads the Path Table, so that it needs to read the Path Table only once. The location of the Path Table must be in the Primary Volume Descriptor, since the Path Table itself may be anywhere in the Volume. The Root Directory record contains the information the operating system needs to locate and read the top-level directory; it is formatted exactly like any other directory record. The time stamps are fields in the Primary Volume Descriptor that record when the Volume was created, when it may have been modified, when the data becomes effective and when the data becomes obsolete.
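The Primary Volume Descriptor fields just described, read from a constructed disc image as an added example (example code written for this page, not from the manual or from any CD-ROM tool; the identifiers, sizes and dates in the sample are invented). Volume descriptors begin at logical sector 16, after the 32 KiB system area. ISO 9660 stores most numeric fields in both little-endian and big-endian form side by side, so the parser checks that the two copies agree; a disagreement is a sign of corruption or of an image that has been edited by hand, and is worth flagging in forensic work.

```python
import struct

SECTOR = 2048
PVD_SECTOR = 16                     # volume descriptors start after the 32 KiB system area
ISO_STANDARD_ID = b"CD001"          # High Sierra uses "CDROM", CD-I uses "CD-I"
_FMT = {2: "H", 4: "I"}


def both_endian(buf: bytes, off: int, size: int) -> int:
    """Read a both-endian field: little-endian copy first, big-endian copy second."""
    le = struct.unpack_from("<" + _FMT[size], buf, off)[0]
    be = struct.unpack_from(">" + _FMT[size], buf, off + size)[0]
    if le != be:
        raise ValueError(f"both-endian field at offset {off} disagrees: LE={le} BE={be}")
    return le


def pack_both(buf: bytearray, off: int, size: int, value: int) -> None:
    struct.pack_into("<" + _FMT[size], buf, off, value)
    struct.pack_into(">" + _FMT[size], buf, off + size, value)


def parse_dir_record(buf: bytes, off: int) -> dict:
    """Directory record: extent (LBN of the data), data length, flags, identifier."""
    return {"length": buf[off],
            "extent": both_endian(buf, off + 2, 4),
            "data_length": both_endian(buf, off + 10, 4),
            "flags": buf[off + 25],                     # bit 1 set => directory
            "identifier": bytes(buf[off + 33:off + 33 + buf[off + 32]])}


def parse_pvd(img: bytes) -> dict:
    pvd = img[PVD_SECTOR * SECTOR:(PVD_SECTOR + 1) * SECTOR]
    if pvd[0] != 1:
        raise ValueError(f"descriptor at sector 16 has type {pvd[0]}, expected 1 (primary)")
    if pvd[1:6] != ISO_STANDARD_ID:
        raise ValueError(f"not ISO 9660: standard identifier {pvd[1:6]!r}")
    return {"version": pvd[6],
            "system_id": pvd[8:40].decode("ascii").rstrip(),
            "volume_id": pvd[40:72].decode("ascii").rstrip(),
            "volume_space_size": both_endian(pvd, 80, 4),       # in logical blocks
            "volume_set_size": both_endian(pvd, 120, 2),
            "volume_sequence_number": both_endian(pvd, 124, 2),
            "logical_block_size": both_endian(pvd, 128, 2),
            "path_table_size": both_endian(pvd, 132, 4),
            "path_table_l": struct.unpack_from("<I", pvd, 140)[0],   # type L (LE) path table LBN
            "path_table_m": struct.unpack_from(">I", pvd, 148)[0],   # type M (BE) path table LBN
            "root": parse_dir_record(pvd, 156),
            "created": pvd[813:829].decode("ascii"),     # YYYYMMDDHHMMSScc, then a UTC-offset byte
            "modified": pvd[830:846].decode("ascii")}


def build_sample_image() -> bytes:
    """Constructed image: empty system area, a PVD at sector 16, a terminator at sector 17."""
    img = bytearray(SECTOR * 18)
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, ISO_STANDARD_ID, 1
    pvd[8:40] = b"LINUX".ljust(32)
    pvd[40:72] = b"EVIDENCE_01".ljust(32)
    pack_both(pvd, 80, 4, 330000)                 # volume space size
    pack_both(pvd, 120, 2, 1)                     # volume set size
    pack_both(pvd, 124, 2, 1)                     # volume sequence number
    pack_both(pvd, 128, 2, 2048)                  # logical block size
    pack_both(pvd, 132, 4, 10)                    # path table size
    struct.pack_into("<I", pvd, 140, 18)          # type L path table at LBN 18
    struct.pack_into(">I", pvd, 148, 19)          # type M path table at LBN 19
    root = bytearray(34)                          # root directory record
    root[0] = 34
    pack_both(root, 2, 4, 20)                     # root directory extent at LBN 20
    pack_both(root, 10, 4, 2048)                  # one block long
    root[25] = 0x02                               # directory flag
    pack_both(root, 28, 2, 1)                     # volume sequence number
    root[32], root[33] = 1, 0                     # identifier: single NUL = this directory
    pvd[156:190] = root
    pvd[813:830] = b"2024010112000000\x00"
    pvd[830:847] = b"2024010112000000\x00"
    img[PVD_SECTOR * SECTOR:(PVD_SECTOR + 1) * SECTOR] = pvd
    term = (PVD_SECTOR + 1) * SECTOR              # volume descriptor set terminator
    img[term], img[term + 1:term + 6], img[term + 6] = 255, ISO_STANDARD_ID, 1
    return bytes(img)


if __name__ == "__main__":
    info = parse_pvd(build_sample_image())
    print(info["volume_id"], info["volume_space_size"], "blocks of", info["logical_block_size"])
    print("root directory at LBN", info["root"]["extent"],
          "path tables at", info["path_table_l"], info["path_table_m"])
```

A Joliet disc carries a second, supplementary volume descriptor after the primary one; the same field layout applies to it, so the parser above can be pointed at sector 17 onwards to read that descriptor once the type byte (2 for supplementary) is accepted.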
Figure 2.4.3.1 Directory Structure

As shown in figure 2.4.3.1, there are distinct levels in this hierarchy. The Root Directory is the only directory at level 1. In the example illustrated by the figure, subdirectories ALPS and ROCKIES are at level 2, subdirectories AUSTRIAN and FRENCH at level 3, subdirectory SKIING at level 4, and the file MATTERHORN.MOUNT;1 at level 5. To ensure compatibility, ISO 9660 imposes a limit of eight levels on the depth of the directory structure. It also limits the length of the path to each file: the length of the path is the sum of the lengths of all relevant directory identifiers, the length of the File Identifier, and the number of relevant directories, and it cannot exceed 255. A directory in an ISO 9660 volume is recorded as a file containing a set of directory records, each of which describes a file or another directory. Every directory has a parent directory, which contains the directory record identifying it; the Root directory's parent is the Root directory itself. Each directory also contains a record for its parent directory. A given directory may contain entries for several files as well as for several directories, all of which have that directory as their parent.
The Path Table gives the operating system a shortcut to each directory on the disc, so that it need not read through each directory in turn to reach the file it needs. This is done primarily to enhance performance. For each directory other than the Root directory, the Path Table contains a record that identifies the directory, its parent directory and its location. Most operating systems read the Path Table once and keep it in memory rather than reading it over and over again. In the example shown in the directory hierarchy, a system that does not use the Path Table would have to read the Root directory to find the location of the ALPS directory, read the ALPS directory to find the location of the AUSTRIAN directory, read the AUSTRIAN directory to find the location of the SKIING directory, and finally read the SKIING directory to find the location of the file MATTERHORN.MOUNT;1. Using the Path Table, the operating system can look up the location of the SKIING directory directly, read that directory and find the location of the file. This requires only one seek on the CD-ROM rather than four. For a typical drive with a seek time of 250 ms, the three seeks saved amount to 3/4 of a second, and when many files are accessed this difference significantly affects performance.
MAIN VOLUME DESCRIPTOR SEQUENCE
The Main Volume Descriptor Sequence contains the following descriptors:
- Primary Volume Descriptor
- Implementation Use Volume Descriptor
- Partition Descriptor
- Logical Volume Descriptor
A Volume Descriptor Sequence shall contain Primary Volume Descriptors. A Primary Volume Descriptor shall identify the volume and the volume set to which it belongs, the sequence number of the volume within the volume set, attributes of the volume, and the character sets used in recording the contents of certain fields within the Primary Volume Descriptor. Each Primary Volume Descriptor shall have an assigned Primary Volume Descriptor Number. A Volume Descriptor Sequence shall contain Implementation Use Volume Descriptors. An Implementation Use Volume Descriptor shall identify an implementation and contain information for that implementation's use. A Volume Descriptor Sequence shall contain Partition Descriptors. A Partition Descriptor shall specify a partition, attributes of the partition and an identification of the partition, referred to as the partition number. A Volume Descriptor Sequence shall contain Logical Volume Descriptors. A Logical Volume Descriptor shall specify an identification of the logical volume, the logical block size of the logical volume, identification of the partitions comprising the logical volume and attributes of the logical volume. If a Reserve Volume Descriptor Sequence is identified, it shall specify a Volume Descriptor Sequence equivalent to the Main Volume Descriptor Sequence.
PARTITION DESCRIPTOR
A partition is an extent of a volume and shall be identified by a Partition Number in the range 0 to 65,535 inclusive. The information about a partition shall be recorded in a Partition Descriptor. The prevailing instance of the Partition Descriptor with a specific Partition Number shall specify whether volume space has been allocated to the partition and may specify an identification of the partition's contents. The following details are obtained from the partition descriptor.
Field Name
Logical Volume Identifier
Logical Block Size
Logical Volume Content Use
a component subdirectory, or identify the parent directory of the directory. The length, in bytes, of the name of a component file or subdirectory shall be greater than 0. Each directory descriptor shall contain an indication of whether the identified component is a directory.
Field Name
File Characteristics
Length of the File Identifier
Location of the File Entry
File Identifier
The following bits are set in the File Characteristics field:
Bit 0 Existence: ZERO - existence of the file
Bit 1 Directory: ZERO - file; ONE - directory
Bit 3 Parent: ONE - subdirectory
Bit 1 is used to identify whether it is a file or a directory.
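To show how the File Identifier Descriptor fields and File Characteristics bits listed above are read from raw bytes, here is an added example (not code from CyberCheck or from the ECMA-167/UDF specification). It parses a constructed directory area of File Identifier Descriptors, validates each descriptor tag checksum, and decodes the characteristics byte; bit 2 (Deleted) is taken from ECMA-167 and is not mentioned in the text above, and the sample descriptors are constructed.

```python
import struct

# File Characteristics bits of a UDF File Identifier Descriptor (ECMA-167 4/14.4.3).
# Bits 0, 1 and 3 are the ones the text lists; bit 2 (Deleted) is also defined there.
FC_EXISTENCE = 1 << 0   # ONE: the entry is hidden from the user
FC_DIRECTORY = 1 << 1   # ONE: the entry identifies a directory
FC_DELETED = 1 << 2     # ONE: the entry was deleted (its space may be reused)
FC_PARENT = 1 << 3      # ONE: the entry identifies the parent directory
TAG_FILE_IDENTIFIER_DESCRIPTOR = 257

def tag_checksum(tag: bytes) -> int:
    """Descriptor tag checksum: sum of tag bytes 0-3 and 5-15, modulo 256."""
    return (sum(tag[0:4]) + sum(tag[5:16])) & 0xFF

def decode_characteristics(fc: int) -> dict:
    """Turn the File Characteristics byte into named flags."""
    return {
        "hidden": bool(fc & FC_EXISTENCE),
        "directory": bool(fc & FC_DIRECTORY),
        "deleted": bool(fc & FC_DELETED),
        "parent": bool(fc & FC_PARENT),
    }

def decode_identifier(raw: bytes) -> str:
    """File identifiers are OSTA CS0 strings: the first byte is a compression id."""
    if not raw:
        return ""          # the parent entry carries an empty identifier
    comp, body = raw[0], raw[1:]
    if comp == 8:
        return body.decode("latin-1")
    if comp == 16:
        return body.decode("utf-16-be")
    return body.hex()      # unknown encoding: keep the raw bytes visible

def parse_fid(buf: bytes, offset: int = 0) -> dict:
    """Parse one FID at buf[offset]: tag (16), version (2), characteristics (1),
    L_FI (1), ICB long_ad (16), L_IU (2), impl. use, identifier, 4-byte padding."""
    tag = buf[offset:offset + 16]
    if len(tag) < 16:
        raise ValueError("truncated descriptor tag")
    tag_id, _ver, tag_cksum = struct.unpack_from("<HHB", tag, 0)
    if tag_id != TAG_FILE_IDENTIFIER_DESCRIPTOR:
        raise ValueError(f"not a File Identifier Descriptor (tag id {tag_id})")
    if tag_cksum != tag_checksum(tag):
        raise ValueError("descriptor tag checksum mismatch")
    fc, l_fi = struct.unpack_from("<BB", buf, offset + 18)
    # long_ad: extent length (4), logical block number (4), partition reference (2), impl. use (6)
    ext_len, lbn, part_ref = struct.unpack_from("<IIH", buf, offset + 20)
    (l_iu,) = struct.unpack_from("<H", buf, offset + 36)
    fi_start = offset + 38 + l_iu
    fi_end = fi_start + l_fi
    if fi_end > len(buf):
        raise ValueError("file identifier runs past the end of the buffer")
    return {
        "characteristics": decode_characteristics(fc),
        "icb": {"length": ext_len, "block": lbn, "partition": part_ref},
        "name": decode_identifier(buf[fi_start:fi_end]),
        "size": (38 + l_iu + l_fi + 3) & ~3,   # padded descriptor length
    }

def build_fid(name: str, fc: int, block: int, part: int = 0, ext_len: int = 2048) -> bytes:
    """Construct a sample FID (test data only) with a valid tag checksum."""
    ident = b"\x08" + name.encode("latin-1") if name else b""
    body = struct.pack("<HBB", 1, fc, len(ident))
    body += struct.pack("<IIH6s", ext_len, block, part, b"\0" * 6)   # ICB
    body += struct.pack("<H", 0) + ident                              # L_IU = 0
    tag = bytearray(struct.pack("<HHBBHHHI", 257, 2, 0, 0, 0, 0, len(body), block))
    tag[4] = tag_checksum(tag)
    raw = bytes(tag) + body
    return raw + b"\0" * (((len(raw) + 3) & ~3) - len(raw))

def walk_directory(buf: bytes) -> list:
    """Parse the consecutive FIDs that make up a directory's data area."""
    entries, off = [], 0
    while off + 38 <= len(buf):
        fid = parse_fid(buf, off)
        entries.append(fid)
        off += fid["size"]
    return entries

# Constructed sample directory: parent entry, a subdirectory, a live file, a deleted file.
SAMPLE_DIR = (
    build_fid("", FC_DIRECTORY | FC_PARENT, 260)
    + build_fid("docs", FC_DIRECTORY, 261)
    + build_fid("notes.txt", 0, 300, ext_len=512)
    + build_fid("secret.doc", FC_DELETED, 301, ext_len=4096)
)

if __name__ == "__main__":
    for entry in walk_directory(SAMPLE_DIR):
        print(entry["name"] or "<parent>", entry["characteristics"], entry["icb"])
```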
FILE ENTRY
A file shall be described by a File Entry , which shall specify the attributes of the file and the location of the file's recorded data.
Field Name
Information Length
Logical Blocks Recorded
Access Date and Time
Modification Date and Time
Creation Date and Time
Location of the File/Dir
Software:
The minimum system requirements are sufficient to run CyberCheck for a normal image analysis. However, depending upon the size and content of the image to be analysed, more memory might be required. In such a case, it may so happen that messages like Memory Allocation Error might be displayed by the system and the analysis session might be terminated. You may continue analysis with a new session with or without enhancing system memory.
Deliverables of CyberCheck software are:
1. A CD containing CyberCheck Software in a folder \CyberCheck.
2. A Hardware Lock.
3. User Manual.
4. A 10/100 Base-T Cable (Cross over cable).
A window as shown in figure 3.2.1 given below will be displayed. This is the main window of the InstallShield Wizard for setting up the CyberCheck software.
4. Click the Next button on the Wizard window. The window shown in figure 3.2.2 will be displayed.
Figure 3.2.2 Specifying a folder path for installation
5. User may specify an appropriate Destination Folder path in the field provided for that and continue with the installation as per the guidelines of the Wizard.
6. When CyberCheck is installed successfully, you may have to restart the system for the setup to be completed.
evidence file. The data recovery part assumes that the user is well conversant with the concepts of deleted files, folders, partitions, formatted partitions, different types of slacks, unallocated clusters, lost clusters and swap files. The analysis part assumes that the user knows about different analysis methods and areas where digital evidence might be available. The user is expected to have good knowledge about the different types of file systems used in different operating systems.
Getting Started
Figure 4.0.1 Main user interface of CyberCheck
The main user interface consists of different menu items like File, Preview, Tools, Language and Help and some icons in the tool bar. The File menu item consists of sub-menu items, viz., New, Open and Exit. The New sub-menu item is used for opening a new analysis session and the Open sub-menu item is used for opening a previous analysis session saved into a file. The Exit sub-menu item is used for exiting from the application.
The Preview menu item is for previewing a storage media. This option would be very useful for doing a preliminary analysis of a storage media at the scene of crime before seizing or acquiring a storage media. Previewing can be done either locally or through the network. When previewing is done locally, the user should take care not to write anything on the storage media being previewed. Local preview means analysing a storage media connected to the analysis machine. This can be done only after write protecting the storage media to be analyzed using some kind of drive lock. It is the responsibility of the user to make sure that the storage media to be analyzed is properly write protected. Refer to the Preview Section for more details.
The Tools menu item consists of two sub-menu items, viz., Seize & Acquire, Hasher and Create Boot Disk. Seize & Acquire is a link to the Windows version of TrueBack, the disk imaging tool. This version of TrueBack does not support write protection of the storage media whose image has to be taken using the tool. Please note that it is the responsibility of the user to make sure that the storage media to be imaged is properly write protected using some kind of drive lock. Refer to the Windows version of TrueBack section for more details. Hasher is a utility for data integrity checking of a file. Refer to the Hasher manual for more details. Create Boot Disk is a utility for creating a TrueBack boot disk from CyberCheck. Refer to the Creating Boot Disk section for more details.
The Language menu item is for selecting a language. This version of CyberCheck supports English, Hindi and Tamil languages. The default language is English. When another language is selected, descriptions of all buttons, menu items and labels and other instructions in various controls of the application will be displayed in the language selected. Refer to the Indian Language section for more details.
The Help menu item provides the help facility for the CyberCheck software. This is just like any other Windows application and consists of sub-menu items, viz., About CyberCheck, Contents and Using Help. The following sections explain the working of the CyberCheck tool in detail.
Figure 4.1.1 - Selecting New option from File menu for starting an Analysis Session
When the user selects New menu item, the following window as given in figure 4.1.2 will be displayed for collecting Login details. An authorized user should give his/her User Name and Password. S/he should also give a Lab Reference Number. Once the Login details have been given, the user will have to specify the image file to be analyzed. This can be either the Raw image of the storage media to be analyzed or the image of the storage media taken using either TrueBack or the third party tool Encase.
Figure 4.1.2 - Window for collecting Login details
The above window shows the details to be entered by the user for logging into the system. Assuming the user is a registered user, s/he has to enter the registered name (as Investigator Name), Password, Lab Reference No. and Evidence File Name. The Lab Reference No. can be a number associated with a case. The Evidence File Name is the name of the file in which the storage media to be analyzed is acquired. The user may select the evidence file using the Open button, which opens a file open window as given in figure 4.3.2 below. After filling the different fields appropriately, the user may press the OK button to continue with analysis, or s/he may press the Cancel button for going back to the main user interface. If any of the fields is not filled, an appropriate warning message will be displayed, and the user will be allowed to fill it again.
Figure 4.2.1 - Window for entering Administrative password.
After entering the Administrative password, the user may press the OK button to continue with the creation of a new user, or press the Cancel button to cancel the creation of a new user. When the OK button is pressed, a window as shown in figure 4.2.2 given below will be displayed. Then create a new account by giving the user name and a password. The user will be asked to reconfirm the password.
Figure 4.2.2 - Window for creating a new User Account
When all the fields shown above are filled appropriately, click the OK button. Then a message box indicating that a new user has been successfully created will appear. Now the user can log in using the account that s/he has created. If the user wants to continue with an earlier analysis process, which was saved into a probe file earlier (refer to the section Saving a Probe), then select the File|Open menu item as shown in figure 4.2.3 given below.
Again user has to login as a registered user by specifying the Investigator Name and Password. Click the Browse button and specify the location of probe file as shown in the figure 4.2.4 given below.
After specifying the location of the probe file (.prb), click the OK button to continue. When an existing probe file is selected, CyberCheck will automatically load the corresponding evidence file(s) previously used in the analysis session. If it cannot locate any of the evidence file(s) in the path previously used, CyberCheck will display an appropriate warning message and allow the user to browse and select the appropriate evidence file(s) from the analysis system. If there is any mismatch between the probe file and the evidence file(s), appropriate messages will be displayed and appropriate action will be taken (in some cases CyberCheck allows the user to browse and select the proper evidence file(s), and in other cases CyberCheck will be terminated).
media related to a case) at a time. After loading the initial evidence file, other evidence files can be loaded separately from the CyberCheck environment. Refer Add Evidence Section for details. For loading the initial evidence file, location of the image file is specified in Login window itself as shown in figure 4.3.1 given below.
Figure 4.3.1 Window for specifying location of Evidence File
Click the Browse button for specifying the Evidence File Name. Then a File Open dialog box will be displayed for browsing and selecting the desired image file as given in figure 4.3.2 below.
The above figure shows the dialog box for specifying the location of the image (.P01) file or the location of a raw image file created using other cyber forensic tools. The evidence file created by the TrueBack disk imaging tool will have extensions .P01, .P02, and so on depending upon the number of files in the evidence (e.g. if the storage media of the suspect is 20GB in size, then 10 files of approximately 2GB each with file extensions .P01, .P02, .P03 and so on will constitute an evidence). The user needs to specify only the first file, with extension .P01. CyberCheck will automatically load all the other files, if any, which are part of the evidence. If the evidence consists of more than one file, it is better to have all files available in the same folder, which will enable fast loading of the evidence. If any one of the files is not available in the specified path, CyberCheck will display an appropriate warning message and allow the user to browse and select the missing file from another path. It is the user's responsibility to select the appropriate files of the evidence being loaded. The user is not supposed to change the names of evidence files. If the name of any of the files is changed, CyberCheck will not properly load the image and the working of CyberCheck will be unpredictable. After selecting the first evidence file (.P01) to be analyzed from the desired path, press the Open button to complete the selection. When the Open button is pressed, a window as shown in figure 4.3.3 given below will be displayed.
On clicking the OK button, the user will be asked to specify the location of the Export Folder. This is the location where all swap files, Lost Clusters, Used Free Clusters, files of raw images if created from CyberCheck, etc. will be saved. If you want to load a raw image file or an evidence file created by Encase, select All Files (*.*) from the File Open dialog box as given in figure 4.3.2 above. A raw image file will have extensions .000, .001, .002 and so on. An Encase image file will have extensions .E01, .E02, .E03, and so on. Choose the desired evidence file based on these extensions. Similar to a TrueBack evidence file, you have to select only the first split file (.000 or .E01) and the other split files will be loaded by CyberCheck automatically. For example, for loading an Encase image file with two split files as shown in figure 4.3.4 given below, you may select the .E01 file from the path as shown.
Figure 4.3.4 File open window for loading an Encase evidence file
After selecting the desired evidence file, press the Open button. A window with different media types will be displayed as shown in figure 4.3.5 given below. The user is supposed to know the type of the media of which the image has been taken.
Figure 4.3.5 Window for specifying the type of media
After selecting an appropriate media type, press the OK button to continue with the analysis session.
The user is supposed to select a fixed drive path for specifying the export folder path. If s/he selects a path other than a fixed drive path, an appropriate warning message will be displayed and the user will be allowed to select a fixed drive path again. The export folder path should be in a drive with enough free disk space for exporting different items while the analysis is in progress. 10 GB of free disk space is desirable in the drive selected. It is the user's responsibility to make sure that enough free disk space is available in the drive selected. If enough free space is not available in the selected disk, a warning message as given in figure 4.4.1.2 below will be displayed.
Figure 4.4.1.2 Message displaying inadequate disk space in the selected export folder path
CyberCheck allows the user to specify an alternate destination if s/he desires, or allows her/him to continue with the analysis if the selected destination has more than 2GB free space. If the free space available is less than 2GB, CyberCheck displays a warning message as shown in figure 4.4.1.3, forcing the user to select a different destination path.
The user may press the OK button when the appropriate export folder path is selected, or the Cancel button to go to the main user interface. When the user presses the OK button, a window as given in figure 4.4.2.1 below will be displayed.
Figure 4.4.2.1 - Window for setting other options.
The window shown above consists of Auto Save Settings, options for setting Enable Hash Verification and Extract Used Free Clusters, and a facility for setting the Default Export Folder and Temporary Export Folder. The default time period for saving the probe file automatically is set as 10 minutes. This can be changed using the combo box given in the above dialog box. If the time has been set as 0, the auto saving functionality will be disabled. Auto Save functionality can also be enabled/disabled using the menu item Options|AutoSave.
The user can specify the two options Enable Hash Verification and Extract Used Free Clusters. If the Enable Hash Verification option is set, CyberCheck computes the hash value of each block of the image while loading the image for analysis. It also computes the whole image hash and compares it with the acquire-time hash value of the image. It displays the result in a message box stating whether the comparison is successful or not, as well as whether there is any mismatch in the block hash computation. Similarly, if the Extract Used Free Clusters option is set, CyberCheck will extract used free clusters while loading the image.
The Default Export Folder path will contain the path selected by the user from the window displayed in figure 4.4.1.1 above. This is the path where exported items like Lost Clusters, Used Free Clusters, Swap Files, Slack Data and Folder Structure will reside, if any of these items is exported during an analysis session. The Temporary Export Folder path is meant for writing temporary files that may be created by CyberCheck while analysis is in progress. CyberCheck will delete these temporary files while exiting. The user may change these paths by clicking on the Browse button provided in the above figure.
When all the options are set, the user may continue with the analysis by pressing the OK button. If s/he wants to terminate the analysis session, press the Cancel button. In this case, the control goes back to the main user interface. When the OK button is pressed, the selected evidence file will be loaded. The window shown in figure 4.4.2.2 given below will be displayed with a progress bar indicating the status of verifying the evidence file, as the user has already selected Enable Hash Verification; otherwise it would have shown the status of loading the evidence file.
While loading the evidence file, CyberCheck analyses the evidence for the different file systems and partitions available in the evidence file. If the user has set the hash verification option as shown in figure 4.4.2.1 above, CyberCheck computes, while loading the evidence, the hash value of each block of the evidence taken during acquisition. When the verification is over, a message box will be displayed as shown in figure 4.4.2.3 below containing the details of the hash verification. In case of any mismatch in a block hash, it will be highlighted in the report. The message Hash Success indicates that the acquire hash value and the verification hash value of the evidence file are the same and hence the hash verification is successful.
Figure 4.4.2.3 Message box displaying result of hash verification
When the verification is over, the specified image file will be analyzed for creating folder structures as shown in figure 4.4.2.4 given below.
Figure 4.4.2.4 Progress bar displaying loading of image file
When the folder structure creation is over, CyberCheck displays this information in the left pane of the main user interface in an explorer-like view, as given in figure 4.4.2.5 below. One thing to remember here is that even though the images of all storage media have a .P01 extension, the analysis procedures may vary slightly depending upon the file system (for file system information, please refer to chapter 2, which explains the different file systems in detail). For example, the NTFS file system has a different storage methodology. If the image that we are analyzing has an NTFS file system and the file that we are analyzing is a deleted file (not overwritten), then in the Text view the entire file content will be displayed in black colour, unlike in other file systems. In other file systems, the Text view of deleted files will be in red colour. There is a slight difference in the Disk view of the NTFS file system as well. We will be discussing the significant differences in the respective topics.
Figure 4.4.2.5 Window displaying the explorer like view of evidence file
If the user has set the Extract Used Free Clusters option, CyberCheck extracts the content of used free clusters available in different partitions of the evidence file.
Figure 4.5.1 - Analysis Window
The different menu items available in the modified menu bar are: File, Edit, View, Filters, Evidence, Options, Keyword, Bookmark, Search, Export, Extract, Report, Timeline, Recovery, Tools, Language and Help.
Sub-menu items of File menu are: Save, Save As, Print Report and Exit.
Sub-menu items of Edit menu are: Copy and Copy Hash Value. The Copy and Copy Hash Value sub-menu items will be disabled initially and will be enabled whenever some item is available for copying into the clipboard.
Sub-menu items of View menu are: Toolbar, Status Bar, Cluster Chain, Block View, Mailbox Viewer, Registry Viewer, Internet History Viewer, Export Path and Storage Media Details. The Cluster Chain menu item will be disabled initially.
Sub-menu items of Filters menu are: Temporary Files, Deleted Files, Deleted and not Overwritten Files, Normal Files and Temporary Internet Files & Cookies.
Sub-menu item of Evidence menu is: Add Evidence.
Sub-menu items of Options menu are: Change Password, Hash Files, Check Encrypted Files, Check File Signature, Auto Save, Create Raw Image, Restore Disk from Image, Verify Image Hash, Show/Hide System Files, File Signature Customization and Settings. The Show/Hide System Files sub-menu item will be disabled initially.
Sub-menu items of Keyword menu are: Add Keyword, Send to Recycle Bin, Delete Keyword, Restore Keyword and Empty Recycle Bin. All the sub-menu items are disabled initially.
Sub-menu items of Bookmark menu are: Bookmark File, Bookmark Folder, Bookmark Selected Data, Send to Recycle Bin, Restore Item, Delete Item and Empty Recycle Bin. All the sub-menu items are disabled initially.
Sub-menu items of Search menu are: Keyword Search, File Search, Send to Recycle Bin, Restore Session, Delete Session and Empty Recycle Bin.
Sub-menu items of Export menu are: File/Folder, Lost Clusters, Used Free Clusters, Swap Files, Slack Data and Folder Structure.
Sub-menu item of Extract menu is: Used Free Clusters.
Sub-menu items of Report menu are: Append Folder/File, Append Selected Data, Append Folder Structure and Delete from Report. All the sub-menu items are disabled initially.
Sub-menu items of Timeline menu are: Zoom Out, Show Grid, Hide Grid, Options and Show Files. These sub-menu items will be disabled initially.
Sub-menu items of Recovery menu are: Partition Recovery and Format Recovery.
Sub-menu items of Tools menu are: Seize & Acquire, Hasher and Create Boot Disk.
Sub-menu items of Language menu are: English, Hindi and Tamil.
Sub-menu items of Help menu are: About CyberCheck, Contents and Using Help.
The analysis window has 3 different views. They are the Left Pane, Right Pane and Bottom Pane. The Left Pane is the view that appears at the left side of the CyberCheck Analysis window, the Right Pane is the view that appears at the right side and the Bottom Pane is the one that appears at the bottom. The user can re-size each pane by dragging the frame of each pane to the desired location. This is illustrated for the bottom pane by increasing its size as shown in figure 4.5.2 given below. The user can also expand each pane to its full size, either vertically or horizontally as the case may be, by clicking on the small buttons provided in each pane for this purpose, as shown in the figure below.
Figure 4.5.2 - Analysis Window with different Panes, resizing the Bottom Pane
The Left Pane contains four tab views, viz., Probe View, Keywords View, Bookmarks View and Search View. These tabs can be properly viewed either by resizing the left pane by dragging the pane frame or by clicking the small buttons given adjacent to the tab items. The Right Pane contains 5 tab views, viz., Table View, Gallery View, Timeline View, Summary View and Report View. The Bottom Pane contains 7 tab views, viz., Text view, Picture view, Hex view, Disk view, Cluster view, Summary View and Cyber Script View. Using these views, an analyzing officer can view each and every byte of an evidence file and look for any evidence related to a case. The Bottom Pane also contains a Lock check box to retain the selected view during the analysis. The left pane contains more details of the evidence file loaded. The right pane contains more details of the item selected from the left pane. The bottom pane shows further details of an item selected from the right pane.
4.5.1 Menu Bar
This section explains more about the different items available in the menu bar.
4.5.1.1 File
In the File menu item, there are 5 sub-menu items.
4.5.1.1.1 Save
During an analysis session, the analyzing officer may collect different digital evidences from the evidence file(s) which he will be analyzing. There are different facilities in CyberCheck to search for various keywords, bookmark a relevant item available in the evidence file(s), generate a report containing details of the different partitions available in the evidence file(s), login information of the analysis session, etc. CyberCheck provides a facility for saving the content of the report, bookmarked items and search hits in a file for later use. This facility can be invoked by selecting the File|Save or File|Save As menu item from the main user interface as shown in figure 4.5.1.1.1.1 given below. If the user tries to save the items for the first time, both Save and Save As options will behave similarly. In this case, the Save As window as shown in figure 4.5.1.1.1.2 given below will be displayed for specifying a filename to save the data.
Figure 4.5.1.1.1.2 - Display of Save As window for specifying a file name
CyberCheck will supply a default file name Untitled.prb as shown in the above figure. The user can change the base file name as s/he wishes, but the extension of the file should be .prb. The user may also select a path in which this file has to be created. After entering an appropriate file name, the user may click the Save button to continue with the saving process. If the given file name already exists in the specified path, a warning message will be displayed asking whether you want to overwrite the existing file or not. You may either change the file name, overwrite the file or select another path. The functionalities of the Save and Save As options are the same as those of standard Windows applications. The Save As option will always ask for a file name to save the data, but Save will ask for the file name only the first time. CyberCheck provides a facility for saving the details automatically into the filename specified by the user. The time interval for automatically saving the details can be set with the Auto Save option in the Settings dialog box, before loading the evidence file. This will save the data at regular intervals as specified by the user.
Refer to the Save section given above.
4.5.1.1.3 Print Report
CyberCheck provides a facility for printing the analysis report. The user should take care to connect a printer to the analysis machine, and the appropriate driver for the printer should be installed in the system. The Print facility can be invoked by selecting the File|Print Report menu item from the main user interface as shown in figure 4.5.1.1.3.1 given below.
Figure 4.5.1.1.3.1 - Selecting Print Report option
When this menu item is selected, if the printer is connected to the system properly, the appropriate Print dialog box of the printer will be displayed. As an example, figure 4.5.1.1.3.2 given below shows the dialog box presented by the Canon S6300 printer.
The user may change the settings appropriately and click the OK button to continue with printing. If the printer is not switched on, or there is any other problem with the printer, an appropriate error message will be displayed. If no error is displayed, printing will be completed. The third item in the toolbar also has the same functionality.
4.5.1.1.4 Exit
Selecting Exit from the File menu as shown in figure 4.5.1.1.4.1 below enables the user to exit from CyberCheck. The user may also exit from CyberCheck by clicking the close button given in the top right corner of the main window.
4.5.1.2 Edit
Different sub-menu items available in the Edit menu are explained below.
4.5.1.2.1 Copy
CyberCheck provides a facility for copying files, selected data, etc. Copying can be invoked by selecting Edit|Copy as shown in figure 4.5.1.2.1.1 given below.
Figure 4.5.1.2.1.1 - Selecting Copy item from Edit Menu.
From the Text view, block the data to be copied and either select Edit|Copy or right click the mouse button and select Copy from the context menu to copy the blocked item into the clipboard. The copied item can be pasted wherever the user desires. The second item in the toolbar also has the same functionality.
4.5.1.2.2 Copy Hash Value
The Hashing Files facility can be invoked by selecting the Options|Hash Files menu item from the main user interface as given in figure 4.5.1.2.2.1 given below.
When this menu item is clicked, the following window as shown in figure 4.5.1.2.2.2 given below will be displayed for selecting the extent of hashing to be done.
Figure 4.5.1.2.2.2 - Specifying the extent of Hashing.
Hashing of files can be done either on the entire set of files available in the evidence file or on selected files only. This can be specified using the radio buttons provided in the dialog box above. If you want to limit the extent to selected files, you have to select the desired files or folders before invoking this facility. After specifying the extent, you may press the OK button to continue with file hashing. A progress bar will be displayed in the status bar to indicate the status of the process. The user may cancel the process in between by right clicking on the status bar and subsequently clicking on the Cancel button displayed. When the hashing process is completed, the hash value of each file will be added as an attribute of the file. This can be viewed in the Table view at the end of the attribute bar as shown in figure 4.5.1.2.2.3 given below.
Figure 4.5.1.2.2.3 - Display of the hash values of selected files.
When the hash values of all the files are available, the user may search for files having the same hash value using the file search facility. Before starting the file search facility, the user may copy the hash value of the file to be searched from the Table view. The user may click the right mouse button on the file which has the desired hash value. A context menu as given in figure 4.5.1.2.2.4 will be displayed.
Figure 4.5.1.2.2.4 - Context menu for copying hash value.
The user may select the Copy Hash Value menu item from the context menu or use the Edit|Copy Hash Value menu item from the menu bar as shown in figure 4.5.1.2.2.5. The hash value will be copied into the clipboard. This value can then be pasted into the File search facility.
Figure 4.5.1.2.2.5 - Selecting Copy Hash Value item from Edit Menu.
4.5.1.3 View
The View menu item consists of a number of sub-menu items. The operations of these sub-menu items are explained in more detail below.
The Toolbar can be enabled by checking the View|Toolbar menu item as shown in figure 4.5.1.3.1.2 given below.
When the toolbar is checked it will be shown as given in figure 4.5.1.3.1.3 given below.
4.5.1.3.2 Status Bar
The Status Bar is where we can see a description when we select some item like File|Save. In this case, the status bar at the bottom of the window will display the message Save the active document as shown in figure 4.5.1.3.2.1 given below.
Figure 4.5.1.3.2.1 - Display of Status of the item selected in status bar
Figures 4.5.1.3.2.2 and 4.5.1.3.2.3 given below show how to disable/enable the status bar in the main user interface.
4.5.1.3.3 Cluster Chain
CyberCheck provides a facility for viewing the cluster chain of a file selected from the Table view. This facility can be invoked by selecting the View|Cluster Chain menu item from the main user interface as shown in figure 4.5.1.3.3.1 given below. This option will be enabled when a file has been selected from the Table View. This option can also be invoked from the Table view by clicking the right mouse button on the selected file. From the context menu displayed, the user may select the View Cluster Chain menu item.
Figure 4.5.1.3.3.1 - Selecting Cluster Chain view option at main menu
When this item is selected, a list box as shown in figure 4.5.1.3.3.2 given below will be displayed.
Figure 4.5.1.3.3.2 - Display of Cluster Chain of selected file
The list displays the complete cluster numbers allocated to the selected file. It can be seen from the example that the clusters are contiguous, representing a file that is not fragmented. If the file were in different clusters, scattered cluster numbers would have been displayed in the list. Press the OK button to remove the display of the cluster chain.
4.5.1.3.4 Block View
Block view is a block-by-block representation of the entire evidence file as shown in figure 4.5.1.3.4.1 given below. This view can be invoked by selecting the View|Block View menu item from the main user interface. The blocks are displayed in three different colours representing:
Blue - Used blocks
White - Unused blocks
Red - Mismatch blocks
In the block view the information like total blocks, sectors per block, last block sector, used blocks, unused blocks and the number of blocks with hash mismatch are given. When a block is selected in the block view the corresponding block number, sectors in that block, seize hash, source hash, image hash and analysis hash are displayed. As an example, the figure below shows all the above mentioned details of the first block. Note: CyberCheck displays block view of an evidence taken using
TrueBack disk imaging tool only. The TrueBack tool divides the entire content of a storage media into convenient groups of sectors and treats each group as a block of data. Each block is hashed and the hash values are stored at the end of the last image file. Only when this information is available can CyberCheck display the block view.
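The Note above describes how TrueBack hashes each block of the media, and the next paragraph describes the analyst's check: find the sectors a bookmarked file occupies, map them to a block, and look for a hash mismatch in that block. The following is an added example of that check, not TrueBack's or CyberCheck's code; the sector size, the number of sectors per block, the image bytes and the "stored" hash table are constructed here, and MD5 is assumed as the block digest.

```python
"""Block-wise hash verification of a disk image, modelled on the TrueBack block hashes that
CyberCheck's Block View compares. Added example, not TrueBack's or CyberCheck's code: the
sector size, the number of sectors per block, the image bytes and the 'stored' hash table
are all constructed here, and MD5 is assumed as the block digest."""
import hashlib

SECTOR_SIZE = 512         # bytes per sector (assumed)
SECTORS_PER_BLOCK = 4     # assumed block size; TrueBack's actual grouping is not given on this page


def block_hashes(image: bytes, sectors_per_block: int = SECTORS_PER_BLOCK) -> list:
    """Digest of every block, in block order. The last block may be short."""
    block_size = sectors_per_block * SECTOR_SIZE
    return [hashlib.md5(image[i:i + block_size]).hexdigest()
            for i in range(0, len(image), block_size)]


def sector_to_block(sector: int, sectors_per_block: int = SECTORS_PER_BLOCK) -> int:
    """Which block a given sector number falls in (the Disk View -> Block View step)."""
    return sector // sectors_per_block


def find_mismatches(image: bytes, stored: list) -> list:
    """Block numbers whose recomputed digest differs from the digest recorded at acquisition."""
    current = block_hashes(image)
    if len(current) != len(stored):
        raise ValueError("block count differs from the stored hash table")
    return [i for i, (now, then) in enumerate(zip(current, stored)) if now != then]


def evidence_is_intact(image: bytes, stored: list, sectors: list) -> bool:
    """A bookmarked file occupying `sectors` can be relied on only if none of its blocks mismatch."""
    bad = set(find_mismatches(image, stored))
    return not any(sector_to_block(s) in bad for s in sectors)


# Constructed sample: 16 sectors = 4 blocks. STORED_HASHES stands for the per-block hashes
# TrueBack writes at the end of the last image file; TAMPERED has one byte changed in sector 9.
ORIGINAL = bytes(range(256)) * 32                  # 8192 bytes
STORED_HASHES = block_hashes(ORIGINAL)
_t = bytearray(ORIGINAL)
_t[9 * SECTOR_SIZE + 5] ^= 0xFF
TAMPERED = bytes(_t)

if __name__ == "__main__":
    print("mismatched blocks:", find_mismatches(TAMPERED, STORED_HASHES))                    # [2]
    print("file in sectors 0-1 intact:", evidence_is_intact(TAMPERED, STORED_HASHES, [0, 1]))  # True
    print("file in sectors 8-9 intact:", evidence_is_intact(TAMPERED, STORED_HASHES, [8, 9]))  # False
```

A single flipped byte in sector 9 changes only the digest of block 2, so a file living in sectors 0 and 1 is still substantiated while one living in sectors 8 and 9 is not; this is exactly the per-block granularity the Block View gives the analyst.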
Figure 4.5.1.3.4.1 - Block View of an Evidence file.
Now let us see how Block View is helpful in the analysis process. We have seen earlier that TrueBack computes the hash value of each block of the source media, and the hash value of each block can be seen using the Block Viewer as explained above. Suppose we have searched, found some evidence and bookmarked it. How can we be sure that this evidence has not been tampered with? This is where the Block Viewer is needed. Go to the Bookmark view and, in the bottom pane, select Disk View; from there we can find out the sectors occupied by that file. From the Block Viewer, we can find the block corresponding to those sectors and see whether that block has a hash mismatch. If there is a hash mismatch, the evidence file is not valid and cannot be substantiated before a court of law. If there is no hash mismatch, the evidence is valid and can be added to the report.
4.5.1.3.5 Mailbox Viewer
CyberCheck has the capability to analyze the different mailbox files available in an evidence file. The supported mailbox files are identified by extension: dbx (Outlook Express), pst (Microsoft Outlook), mbx (Eudora) and mbox (Mozilla). The mailbox viewer can be invoked by selecting the View|Mailbox Viewer menu item from the main user interface. Figure 4.5.1.3.5.1 given below shows the selection of Mailbox Viewer from the main user interface.
Figure 4.5.1.3.5.1 - Selecting Mailbox Viewer.
When the Mailbox viewer is invoked, a progress bar as shown in figure 4.5.1.3.5.2 will be displayed, indicating the progress of exporting any mailbox files found in the evidence file.
Figure 4.5.1.3.5.2 - Status of exporting Mailbox files
If there is no mailbox file in the evidence file, a message as shown in figure 4.5.1.3.5.3 given below will be displayed, indicating that no mailbox file is available in the evidence file.
Figure 4.5.1.3.5.3 - Display of message for non-availability of mailbox files.
When the exporting of the mailbox files is over, the main user interface of the mailbox viewer will be displayed as shown in figure 4.5.1.3.5.4 given below.
Figure 4.5.1.3.5.4 - Main user interface of Mailbox Viewer.
In the mailbox viewer, the mailbox files available and their full paths in the image file are listed in the top pane. When the user selects a mailbox file from the top pane, it is loaded and its folders, if any, are displayed in the top portion of the left pane. This is illustrated in figure 4.5.1.3.5.5 given below.
Figure 4.5.1.3.5.5 - Available folders of the selected mailbox file.
When a particular folder is selected from the left pane, all the mails in it, if any, are displayed in the middle pane and the content of the first mail is displayed (by default) in the bottom pane, as shown in figure 4.5.1.3.5.6 given below.
Figure 4.5.1.3.5.6 - Available mails in the selected folder.
The mailbox viewer has an Outlook Express-like view. The folders are displayed in the left pane and the sender and subject headers in the middle pane. Click on an individual mail to view its contents in the bottom pane. The mailbox viewer has an additional feature for keyword search across all the mailbox files. Type the keyword to be searched for in the search field and click the Go button. All the messages containing search hits are listed in the bottom left pane. On traversing through the search hits, the corresponding mail is displayed in the right pane with the search hit keywords
highlighted. Searching through the contents of mails is a time-consuming process and the user may have to wait for some time before the result is displayed. However, this is a valuable feature as far as cyber forensics analysis is concerned. Figure 4.5.1.3.5.7 given below shows the result of a keyword search in mailbox files.
Figure 4.5.1.3.5.7 - Result of a keyword search in mailbox files.
The keywords are highlighted in the display in blue color.
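The keyword search described above walks every message of every exported mailbox and reports the ones whose subject or body contains the term. As an added example, not CyberCheck's code, the following does the same over one mailbox in the mbox format (the only one of the four formats the Python standard library parses); the mailbox content, the addresses and the keyword are constructed for the demo.

```python
"""Keyword search across a mailbox, as the Mailbox Viewer's Go button does over exported
mailbox files. Added example, not CyberCheck's code; the mbox content is constructed here
and only the mbox format (Python's stdlib `mailbox` module) is handled."""
import mailbox
import os
import tempfile

# Constructed three-message mailbox; addresses use the reserved .invalid domain.
SAMPLE_MBOX = """From alice@example.invalid Mon Jan  6 10:00:00 2003
From: alice@example.invalid
To: bob@example.invalid
Subject: Invoice copy
Date: Mon, 6 Jan 2003 10:00:00 +0000

Please find the invoice attached. Transfer is due Friday.

From carol@example.invalid Tue Jan  7 09:30:00 2003
From: carol@example.invalid
To: bob@example.invalid
Subject: Lunch

Are we still on for lunch?

From dave@example.invalid Wed Jan  8 14:15:00 2003
From: dave@example.invalid
To: bob@example.invalid
Subject: Re: transfer

The TRANSFER went through this morning.
"""


def message_text(msg) -> str:
    """Subject plus every decoded text/plain part; attachments and HTML parts are skipped."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def search_mbox(path: str, keyword: str) -> list:
    """[{index, from, subject}] for every message whose subject or body contains keyword (case-insensitive)."""
    needle = keyword.lower()
    hits = []
    box = mailbox.mbox(path)
    try:
        for idx, msg in enumerate(box):
            if needle in message_text(msg).lower():
                hits.append({"index": idx, "from": msg.get("From", ""), "subject": msg.get("Subject", "")})
    finally:
        box.close()
    return hits


def search_sample(keyword: str) -> list:
    """Write the constructed mailbox to a temporary file and search it."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    try:
        with os.fdopen(fd, "w", newline="\n") as fh:
            fh.write(SAMPLE_MBOX)
        return search_mbox(path, keyword)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for hit in search_sample("transfer"):
        print(hit)
```

The match is case-insensitive and covers the subject line as well as the body, so the third message is found through its subject even though the body spells the word in capitals; binary attachments are never searched as text, which is one reason a viewer-level search can miss content that a file-level keyword search over the exported attachments would find.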
Figure 4.5.1.3.6.1 Invoking Registry Viewer from the main menu
When the Registry viewer is invoked, the window given in figure 4.5.1.3.6.2 below will be displayed to show the progress of exporting the registry files to the export folder path.
If any registry file is available in the evidence file, the window given in figure 4.5.1.3.6.3 below will be displayed, showing the main user interface of the registry viewer. If no file is available, an appropriate message will be displayed and the registry viewer user interface will not be shown.
Figure 4.5.1.3.6.3 Main user interface of Registry Viewer.
The registry files available in the evidence file are listed in the top pane of the viewer, as shown in the above figure. The user may click on any one of the files to view the keys available in it in the left pane. This is illustrated in figure 4.5.1.3.6.4 given below.
Figure 4.5.1.3.6.4 Display of settings in a registry file.
The user may select a key from the left pane to see more details. The view in the left pane is more or less like an Explorer view. Each key in the left pane can be clicked to expand it further, as shown in figure 4.5.1.3.6.5 given below.
Figure 4.5.1.3.6.5 An expanded view of a left pane item.
If any of the items has attributes like Value, Type and Data, these are displayed in the middle pane as shown in figure 4.5.1.3.6.6 given below.
Figure 4.5.1.3.6.6 Display of attributes in the middle pane.
The value-type pairs of the selected key are displayed in the middle pane as shown in the above figure. The Registry viewer provides a find facility for searching for a key in a selected registry file. This facility can be invoked from the main menu by selecting the Tools|Find menu item, as shown in figure 4.5.1.3.6.7 given below.
Figure 4.5.1.3.6.7 Selecting the Find facility.
When this facility is selected, a dialog box as shown in figure 4.5.1.3.6.8 given below will be displayed for specifying the key to search for.
Figure 4.5.1.3.6.8 Dialog box for entering Key for searching.
The find facility can be used to search for a key shown in the left pane of the selected registry file. The registry file to be searched is selected from the top pane. The key to be searched for is entered in the edit box against the label Find What, as shown in the above figure. The entered text may occur in the file as a Key, as a Value or as Data; to search all of these, tick the corresponding check boxes in the Look For group as shown in the figure. When all the details are specified, click the Find button in the dialog box to start the search. A progress bar indicates the progress of the search. At the end of the search, the results, if any, are displayed in the bottom pane as shown in figure 4.5.1.3.6.9 given below.
Figure 4.5.1.3.6.9 Search results of a Key in a registry file.
The bottom pane shows the search results for the key in the specified file. It lists the different occurrences of the key under the respective columns. The Type column gives the type of each search result; the types displayed are value, key and data. The search facility in the registry viewer can be used to find out whether a particular piece of software was installed on the system at the time it was seized: enter the software name as the key to search for.
Lost Keys
Lost Keys enables the user to view deleted keys in the selected registry file. Figure 4.5.1.3.6.10 given below shows the lost keys available in a sample image. This is applicable only to Windows 95 and 98 registry files.
Figure 4.5.1.3.6.10 - Selecting Lost Key menu item to view the deleted keys.
another site. It also determines the type of each activity record in the index.dat file and displays the information contained in that record according to the filtering options. The Internet History Viewer can be invoked by clicking the View option on the menu bar and selecting Internet History Viewer, as shown in figure 4.5.1.3.7.1.
Figure 4.5.1.3.7.1 Invoking Internet History Viewer from the main menu
A progress bar will be displayed indicating the export of history files to the export folder path, as shown in figure 4.5.1.3.7.2 given below.
Figure 4.5.1.3.7.2 Displaying Progress Bar indicating the exporting of History files
If any index.dat file is available in the evidence file, the main user interface of the Internet History Viewer will be displayed as in figure 4.5.1.3.7.3 given below. Otherwise, an appropriate message box will be displayed.
The index.dat files available are listed in the top pane of the viewer. You can click any of the history files to view its contents in the right pane. Initially, the All Records option is selected, so when a file is selected all the records in the file are displayed in the list box by default, as shown in figure 4.5.1.3.7.4 given below. If there is no record in the selected file, an appropriate message will be displayed.
Figure 4.5.1.3.7.4 Display of all records by clicking the file path.
If you want to view only the records of a particular type, select the appropriate option (URL Activity Record, REDR Activity Record or LEAK Activity Record) and click the Display button, as shown in figure 4.5.1.3.7.5 below. If there is no record of the chosen type, an appropriate message will be displayed.
Figure 4.5.1.3.7.5 Display of records belonging to a particular type
To view the Advanced Search options, tick the Advanced.. check box. This shows the search options as in figure 4.5.1.3.7.6 given below.
Figure 4.5.1.3.7.6 Display of the search options in the left pane when the Advanced.. option is checked.
Select any one of the search options (Date or Address) and click the Search button. The filtered records will be displayed in the list box. The search for a particular record depends on the type of the activity record. When the Date option is selected, you can search the records based on the Modified Date or the Last Accessed Date. Choose the appropriate option, select the From date and To date and click the Search button. Those records whose chosen date lies between the From date and To date are then displayed in the list box, as shown in figure 4.5.1.3.7.7. If there is no record between the given dates, an appropriate message is displayed.
Figure 4.5.1.3.7.7 Search result based on a chosen date.
When the Address option is selected, a text box for entering the URL or part of the URL (address/keyword) appears. Enter the address to be searched for in the text box and click the Search button. The record(s) containing the entered address will be displayed in the list box as shown in
figure 4.5.1.3.7.8. If there is no record with that address/keyword, an appropriate message will be displayed.
Figure 4.5.1.3.7.8 Search result after entering a keyword/address.
When the Ok button is clicked, the Internet History Viewer interface is closed.
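The Internet History Viewer section above describes three filters over index.dat activity records: by record type (URL, REDR, LEAK), by a date range on the Modified or Last Accessed timestamp, and by an address substring. The following added example, not CyberCheck's code, parses a buffer of such records and applies the same filters. The record layout it uses (a 4-byte type signature, a 4-byte length in 128-byte blocks, two Windows FILETIME timestamps and a NUL-terminated URL at a fixed offset) is a simplified model of the index.dat URL record; the offsets, the sample records and the timestamps are assumptions constructed for the demo, not a specification of the real file format.

```python
"""Filtering of index.dat-style activity records by type, date range and address, as the
Internet History Viewer does. Added example, not CyberCheck's code. The record layout is a
simplified model of the index.dat URL record: offsets and sample records are assumptions."""
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 128                                   # index.dat records are sized in 128-byte blocks
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
OFF_MODIFIED, OFF_ACCESSED, OFF_URL = 0x08, 0x10, 0x34   # assumed offsets for this model


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - EPOCH_1601                    # integer arithmetic: a float would lose precision
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def build_record(kind: bytes, modified: datetime, accessed: datetime, url: str) -> bytes:
    """Construct one record padded to a whole number of 128-byte blocks."""
    body = url.encode("ascii") + b"\x00"
    nblocks = -(-(OFF_URL + len(body)) // BLOCK)
    rec = bytearray(nblocks * BLOCK)
    rec[0:4] = kind
    struct.pack_into("<I", rec, 4, nblocks)
    struct.pack_into("<Q", rec, OFF_MODIFIED, datetime_to_filetime(modified))
    struct.pack_into("<Q", rec, OFF_ACCESSED, datetime_to_filetime(accessed))
    rec[OFF_URL:OFF_URL + len(body)] = body
    return bytes(rec)


def parse_records(buf: bytes) -> list:
    """Walk the buffer record by record, using each record's block count to find the next one.
    A truncated or corrupt record ends the walk instead of being misparsed."""
    out, pos = [], 0
    while pos + 8 <= len(buf):
        kind = buf[pos:pos + 4]
        if kind not in (b"URL ", b"REDR", b"LEAK"):
            break
        nblocks = struct.unpack_from("<I", buf, pos + 4)[0]
        if nblocks == 0 or pos + nblocks * BLOCK > len(buf):
            break
        rec = buf[pos:pos + nblocks * BLOCK]
        end = rec.find(b"\x00", OFF_URL)
        end = len(rec) if end < 0 else end
        out.append({
            "type": kind.decode().strip(),
            "modified": filetime_to_datetime(struct.unpack_from("<Q", rec, OFF_MODIFIED)[0]),
            "accessed": filetime_to_datetime(struct.unpack_from("<Q", rec, OFF_ACCESSED)[0]),
            "url": rec[OFF_URL:end].decode("ascii", "replace"),
        })
        pos += nblocks * BLOCK
    return out


def filter_records(records, kind=None, field="accessed", since=None, until=None, address=None) -> list:
    """The viewer's filters: record type, a From/To range on `modified` or `accessed`, address substring."""
    res = []
    for r in records:
        if kind and r["type"] != kind:
            continue
        if since and r[field] < since:
            continue
        if until and r[field] > until:
            continue
        if address and address.lower() not in r["url"].lower():
            continue
        res.append(r)
    return res


def sample_time(day: int, hour: int) -> datetime:
    """Constructed timestamps in March 2004, UTC."""
    return datetime(2004, 3, day, hour, tzinfo=timezone.utc)


# Constructed history: four records with .invalid hostnames.
SAMPLE = b"".join([
    build_record(b"URL ", sample_time(1, 9), sample_time(2, 10), "http://news.example.invalid/front"),
    build_record(b"REDR", sample_time(3, 11), sample_time(3, 11), "http://shop.example.invalid/cart"),
    build_record(b"URL ", sample_time(5, 8), sample_time(6, 20), "http://mail.example.invalid/inbox"),
    build_record(b"LEAK", sample_time(7, 7), sample_time(7, 7), "http://news.example.invalid/archive"),
])

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in filter_records(recs, field="accessed", since=sample_time(3, 0), until=sample_time(6, 23)):
        print(r["type"], r["accessed"].isoformat(), r["url"])
```

Two details matter for a viewer of this kind: FILETIME conversion is done in integer microseconds because a 2004 timestamp expressed in microseconds already exceeds the exact range of a double, and the parser stops at the first record whose declared length runs past the end of the buffer rather than guessing, which is the behaviour you want on a partially overwritten or carved history file.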
contents, folder structure details, etc., are saved. This information is very useful if the user wants to search for a particular item in these contents externally. This facility can be invoked by selecting the View|Export Path menu item from the main user interface, as shown in figure 4.5.1.3.8.1 given below.
Figure 4.5.1.3.8.1 Selecting Export Path view option from main user interface.
When this menu item is selected, a message box as given in figure 4.5.1.3.8.2 will be displayed showing the export folder path.
When Storage Media Details icon is clicked from the tool bar, a list box as shown in figure 4.5.1.3.9.2 given below will be displayed, listing the details of the fixed storage media available in the analysis machine.
Figure 4.5.1.3.9.1 Selecting Storage Media Details icon from tool bar
The seventh item in the toolbar also has the same functionality.
4.5.1.4 Filters
This section explains how to separate normal, deleted, overwritten or temporary Internet and cookie files from the set of files in the loaded evidence.
Figure 4.5.1.4.1.1 Selecting Temporary Files from Filters option from main menu
When this item is selected from the main user interface, the Temporary Files item, if available, is highlighted as shown in figure 4.5.1.4.1.2 given below.
Figure 4.5.1.4.1.2 Display of Temporary Files in Table view.
If there are any files in this folder, they are displayed in the Table view as shown in the figure above.
Figure 4.5.1.4.2.1 Selecting Deleted Files Filters option from main menu
Figure 4.5.1.4.2.2 Display of Deleted Files in Table view.
If there are any files in this folder, they are displayed in the Table view as shown in the figure above.
Figure 4.5.1.4.3.1 Selecting Deleted but not Overwritten Files Filters option from main menu
Figure 4.5.1.4.3.2 Display of Deleted but not Overwritten Files in Table view.
If there are any files in this folder, they are displayed in the Table view as shown in the figure above.
CyberCheck provides a facility for viewing the normal files (files which are not deleted, overwritten or temporary) of the operating system in the evidence file. This facility can be invoked by selecting the View|Normal Files menu item from the main user interface, as shown in figure 4.5.1.4.4.1 given below. Temporary files can be viewed from the Normal Files item given in the Probe View in the left pane, provided it has been invoked as explained above.
Figure 4.5.1.4.4.1 Selecting Normal Files view option from main menu
If there are any files in this folder, they are displayed in the Table view as shown in the figure above.
Figure 4.5.1.4.5.1 Selecting Temporary Internet Files and Cookies Filters option from main menu
Figure 4.5.1.4.5.2 Display of Temporary Internet Files and Cookies in Table view.
If there are any files in this folder, they are displayed in the Table view as shown in the figure above.
4.5.1.5 Evidence
This section explains how to add more than one evidence file into the CyberCheck environment.
4.5.1.5.1 Add Evidence
If a case has more than one evidence file, from different storage media, all the evidence files can be analyzed in a single session by adding them into the CyberCheck environment one after the other. The Add Evidence facility provides an interface for adding additional evidence files into the CyberCheck environment. It can be invoked from the main menu as shown in figure 4.5.1.5.1.1 given below.
Figure 4.5.1.5.1.1 - Selecting Add Evidence from Evidence
When the Add Evidence menu item is selected, a File Open dialog box as shown in figure 4.5.1.5.1.2 given below will be displayed to browse for and select the desired evidence file.
Figure 4.5.1.5.1.2 File Open dialog for adding evidence file.
Select the desired file and press the Open button to add the selected evidence file into the CyberCheck environment. When the new evidence file is loaded into the environment, the probe view is updated with the details of the new evidence, as shown in figure 4.5.1.5.1.3 given below.
Figure 4.5.1.5.1.3 Modified Probe View with newly added evidence file.
If an already added evidence file is selected for adding again, an appropriate warning message will be displayed and CyberCheck will not allow the selected evidence file to be added into the CyberCheck environment.
4.5.1.6 Options
The Options menu contains a number of sub-menus, which are explained in more detail below.
Figure 4.5.1.6.1.1 Selecting Change Password option from main menu
When this menu item is selected, a dialog box as given in figure 4.5.1.6.1.2 below will be displayed.
Figure 4.5.1.6.1.2 Dialog box for changing the old Password
The Administrator may enter the old password and the new password in the respective fields of the above dialog box. When the OK button is pressed, the new password will be set, provided all the information entered is correct.
very important from the cyber forensic point of view. To confuse the investigator, a culprit might save a document in different forms or under different names. Given a facility to take the hash values of all the files in an evidence file, and a facility to search for files by a particular hash value, it is possible to find all the files in the evidence file that have the same hash value under different names and extensions. The same hash value for different files means that the contents of those files are exactly the same; this follows from the property of the hash algorithm. The MD5 hashing algorithm is used for computing the hash value of each file. This algorithm takes a stream of data as input and returns a 128-bit value as the message digest (hash value). It has the remarkable property of returning a totally different message digest even for a single-bit change in the content of a file. CyberCheck provides facilities for hashing files and for searching files based on hash values. The Hash Files facility can be invoked by selecting the Options|Hash Files menu item from the main user interface, as shown in figure 4.5.1.6.2.1 given below.
Figure 4.5.1.6.2.1 Selecting Hash Files facility.
When this menu item is clicked, the window shown in figure 4.5.1.6.2.2 given below will be displayed for selecting the extent of hashing to be done.
Figure 4.5.1.6.2.2 Specifying the extent of Hashing.
Hashing can be done either on all the files in the evidence file or on selected files only. This is specified using the radio buttons in the dialog box above. If you want to limit the extent to selected files, you have to select the desired files or folders before invoking this facility. After specifying the extent, press the OK button to continue with file hashing. A progress bar in the status bar indicates the status of the process. The user may cancel the process by right-clicking on the progress bar and then selecting the Cancel button displayed. When the hashing process is completed, the hash value of each file is added as an attribute of the file. It can be viewed in the Table view at the end of the attribute bar, as shown in figure 4.5.1.6.2.3 given below.
This hash value can be used for File Search based on hash values as explained in Search section.
Figure 4.5.1.6.3.1 - Selecting Create Hash Set from context menu
2. From the Options menu, select Create Custom Hash Library as shown in figure 4.5.1.6.3.2 given below. This item can be used to create either a standard hash set or a custom hash set.
Figure 4.5.1.6.3.2 - Selecting Create Custom Hash Library from Options menu
When this item is selected, a dialog box as shown in figure 4.5.1.6.3.3 given below will be displayed for selecting the type of hash sets to be created.
Figure 4.5.1.6.3.3 Dialog box for selecting the type of hash sets
The user can create two types of hash sets, viz., Standard and Custom. A standard hash set consists of the hash values of known standard files (operating system files, application files, etc.); these files will mostly be available on external storage media. A custom hash set consists of the hash values of files in which the user has a specific interest; these files may be available in the evidence files being analyzed by the user.
Figure 4.5.1.6.3.4 Dialog box for adding desired files for creating Standard Hash Set
When all the desired files have been added to the list, press the Next button. A dialog box as shown in figure 4.5.1.6.3.5 given below will be displayed, containing any existing hash sets and an edit box for specifying a name for the hash set being created.
Figure 4.5.1.6.3.5 Dialog box for specifying Hash Set name
This dialog box contains an edit box for entering a name for the hash set being created. It also displays the names of existing hash sets, if any are available in the folder where CyberCheck is installed. Press the Create HashSet button after entering a name for the new hash set. The new hash set will be created and its name added to the list of existing hash sets. To add the hash values of any of the hash sets into a hash library, check the desired hash set names and then press the (Re)Build HashLibrary button. The hash library is stored in a file named CustomHashLib.hash in the folder where CyberCheck is installed. When the hash library is re-built, this file is overwritten with the contents of the selected hash sets. The hash library is used in keyword search to exclude those files whose hash values are in the hash library. Hash sets that are already included in the existing Custom Hash Library are identified by a grey check box at the left of the hash set name.
Figure 4.5.1.6.3.6 Dialog box for specifying Hash Set name
This dialog box contains an edit box for entering a name for the hash set being created. It also displays the names of existing hash sets, if any are available in the folder where CyberCheck is installed. Press the Create HashSet button after entering a name for the new hash set. The new hash set will be created and its name added to the list of existing hash sets. To add the hash values of any of the hash sets into a hash library, check the desired hash set names and then press the (Re)Build HashLibrary button. The hash library is stored in a file named CustomHashLib.hash in the folder where CyberCheck is installed.
When the hash library is re-built, this file is overwritten with the contents of the selected hash sets. The hash library is used in keyword search to exclude those files whose hash values are in the hash library. Hash sets that are already included in the existing Custom Hash Library are identified by a grey check box at the left of the hash set name. Note that these hash sets and the library are specific to a case analysis session: when the user exits the CyberCheck environment, the hash set files and the CustomHashLib.hash file are deleted from the CyberCheck installation folder. Therefore, if the user wants to keep these files, they should be saved into a probe file.
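The Hash Files section (4.5.1.6.2) explains that files with the same hash value have identical content whatever their names, and the hash library described just above is used to exclude known files from a search. The following added example, not CyberCheck's code, shows both steps over a constructed directory tree: every file is hashed, files with identical digests are grouped, and files whose digest is in a "standard" hash set are excluded. The hash library here is an in-memory set of hex digests; the format of CyberCheck's CustomHashLib.hash file is not described on this page and is not modelled.

```python
"""File hashing, duplicate detection and hash-library exclusion, as in the Hash Files and
Custom Hash Library facilities. Added example, not CyberCheck's code; the files are constructed
in a temporary directory and the hash library is an in-memory set of digests (assumption)."""
import hashlib
import os
import tempfile
from collections import defaultdict


def file_digest(path: str, algo: str = "md5", chunk: int = 1 << 16) -> str:
    """Digest of a file, streamed so that large evidence files are not loaded into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root: str, algo: str = "md5") -> dict:
    """Map every file under root (path relative to root, '/' separated) to its digest."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = file_digest(full, algo)
    return out


def duplicate_groups(hashes: dict) -> list:
    """Groups of files with identical content, regardless of name or extension."""
    by_digest = defaultdict(list)
    for path, digest in hashes.items():
        by_digest[digest].append(path)
    return sorted(sorted(group) for group in by_digest.values() if len(group) > 1)


def exclude_known(hashes: dict, library: set) -> list:
    """Files whose digest is NOT in the hash library, i.e. the ones still worth searching."""
    return sorted(path for path, digest in hashes.items() if digest not in library)


def demo(algo: str = "md5") -> dict:
    """Build a constructed evidence tree, then run hashing, grouping and exclusion."""
    files = {
        "docs/contract.doc": b"confidential agreement text",
        "tmp/x.tmp": b"confidential agreement text",          # same content, different name
        "pics/holiday.jpg": b"\xff\xd8\xff\xe0 jpeg bytes",
        "windows/system32/kernel.dll": b"known OS binary",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        hashes = hash_tree(root, algo)
        # A one-entry 'standard hash set': the digest of the known OS file.
        library = {hashlib.new(algo, b"known OS binary").hexdigest()}
        return {"duplicates": duplicate_groups(hashes), "to_search": exclude_known(hashes, library)}


if __name__ == "__main__":
    print(demo())
```

The digest algorithm is a parameter. The page states that CyberCheck uses MD5, and for accidental duplicates (a renamed copy, a different extension) MD5 grouping is fine; MD5 is, however, no longer collision-resistant against deliberately crafted inputs, so where two files must be proven identical a practitioner today records a SHA-256 digest alongside it, which here is a matter of calling `demo("sha256")`.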
Figure 4.5.1.6.4.1 Selecting Check Encrypted Files option from main menu.
When this option is selected, a dialog box as shown in the figure 4.5.1.6.4.2 given below will be displayed for specifying the type of file to be checked for encryption.
Figure 4.5.1.6.4.2 Dialog box for selecting the type of file.
The user may select an appropriate option from the above dialog box and press the OK button to continue. If there are a large number of files in the evidence file, checking the entire evidence file for encrypted files may take some time. A progress bar in the status bar indicates the progress of the process. When the process is over, if there are any encrypted files, the Description attribute of those files in the Table view is updated to mark them as encrypted files, as shown in figure 4.5.1.6.4.3 given below.
Figure 4.5.1.6.5.1 Selecting Check File Signature option.
When this option is selected, a dialog box will be displayed to specify the extent of checking required. You can specify either the entire evidence file or selected files. If you specify selected files, you should have selected the desired files beforehand. When the extent is specified, press the OK button to continue with the identification of signature-mismatched files. A progress bar indicates the status of the process. When the process is
completed, the Table view will be updated with the SM (Signature Mismatch) column. If there is a signature-mismatched file in the view, a Y will be marked in the column against that file as shown in the figure 4.5.1.6.5.2 given below.
If the user wants signature-mismatched files (with their proper extensions) to be considered in Gallery View, Picture View, Check Encrypted Files, File Search by file extension, Mailbox Viewer, ZipFile Extractor and MetaData Viewer, the file signature check must be completed before starting any of these processes. To see all signature-mismatched files, select the Timeline tab. The dialog box shown in figure 4.5.1.6.5.3 given below will be displayed for selecting the different options.
Figure 4.5.1.6.5.3 Dialog box for setting signature mismatch option.
From the Advanced Option, select Options and then enable Signature Mismatch only. Select the All Files option to view all the signature-mismatched files in the evidence file. Select the Created option from the Display by Time group, and Both from the Files group. Click the Show Chart button to show the signature-mismatched files. If the signature-mismatched files have already been extracted from the evidence file using the method explained above, the timeline chart is displayed immediately. Otherwise, a message box as shown in figure 4.5.1.6.5.4 given below will be displayed.
Figure 4.5.1.6.5.4 Message box for starting signature mismatch check.
When you click the Yes button, the signature-mismatched files are checked first and then the timeline chart is displayed. The check may take some time depending on the number of files to be checked. When it is completed, the timeline chart is displayed as shown in figure 4.5.1.6.5.5 given below, with the signature-mismatched files in violet color.
Figure 4.5.1.6.5.5 Display of signature mismatched files in timeline chart.
Once you have the signature-mismatched files in the Timeline view, right-click in the Timeline chart view. A context menu will be displayed as shown in the figure above. When you select
the Show Files option, a list of signature-mismatched files is displayed in the Table View as shown in figure 4.5.1.6.5.6 given below.
Figure 4.5.1.6.6.1 Window for setting Auto Save time
The time interval can be an integer value between 0 and 100. A time interval of 0 means AutoSave is disabled. If the user has not supplied a filename for the probe file, AutoSave prompts the user for one. Once it is given, the save process runs in the background at the specified interval, without the need for user intervention. The user can also change the time interval and enable/disable AutoSave by selecting Options|AutoSave from the main user interface, as given in figure 4.5.1.6.6.2 below.
Figure 4.5.1.6.6.2 Setting Auto Save option from main user interface
In the dialog box, there is a check box for the Enable Auto Save option. If the user checks this box, auto save is enabled; otherwise it is disabled. By default, this option is enabled with an auto save time of 10 minutes. The user may change this time using the combo box provided in the dialog box.
Figure 4.5.1.6.7.1 Selecting Create Raw Image option.
When this menu item is selected, a dialog box as shown in figure 4.5.1.6.7.2 given below will be displayed for selecting the evidence file from which the raw image will be created.
Figure 4.5.1.6.7.2 Selecting evidence file for creating Raw Image
When the desired evidence file is selected in the dialog box, press the OK button to continue with the creation of the raw image. A progress bar is displayed in the status bar as shown in figure 4.5.1.6.7.3 given below. The raw image is created in the export folder path, in a folder having the same name as the selected evidence file. The raw image has the same file name as the evidence file, with the extension .000. The user may select all the evidence files displayed in the dialog box by checking the Select All check box given in the dialog box above; in this case, raw images of all the evidence files are created in the export folder path under their respective names.
Figure 4.5.1.6.7.3 Progress of creating Raw Image
If the user wants to cancel the creation of the raw image, s/he may right-click on the progress bar and then select the Cancel button to cancel the process.
Figure 4.5.1.6.8.1 Selecting Restore Disk from Image option.
When this option is selected, a dialog box as shown in figure 4.5.1.6.8.2 given below will be displayed for selecting the desired evidence file and the storage media onto which the image is to be restored.
Figure 4.5.1.6.8.2 Dialog box for selecting desired evidence file and storage media
The dialog box above lists the evidence file(s) available in the CyberCheck environment as the Source, and the disks available in the analysis system as the destination disk. The list of destination disks does not include the system boot disk. The user may select the appropriate evidence file and destination disk to restore the image onto the selected destination disk. Before restoring the image, the user may wipe the destination disk using the wipe facility provided, and may specify whether the whole media is to be wiped or only the sectors remaining after the image has been restored. After restoring the image onto the disk, the user may use this disk to boot a system, if boot information is available in the disk.
This facility can be invoked by selecting the File|Verify Image Hash menu item from the main user interface as shown in the figure 4.5.1.6.9.1 given below.
Figure 4.5.1.6.9.1 Selecting Verify Image Hash option from main menu
When this menu item is selected, a progress bar as given in figure 4.5.1.6.9.2 below will be displayed showing the progress of evidence file verification.
Figure 4.5.1.6.9.2 Image hash verification in progress
When the hash verification is completed, a message box will be displayed as shown in figure 4.5.1.6.9.3 given below.
The message box shows the result of the hash verification. It shows whether the hash verification is a success or not, time taken for verification, total number of blocks verified etc. The status of the hash verification will be appended to the report.
Figure 4.5.1.6.10.1 Selecting Show/Hide System Files from Options menu item.
CyberCheck considers files with the extensions .SYS, .DRV, .DLL, .VXD, .VBX and .OCX as system files. The NTFS file system also contains system files such as $MFT and $MFTMirr, which are created at the time the partition is created. When this icon is clicked, if the system files are currently displayed in the Table view, they are removed and the display is refreshed without them; if they are not displayed, they are shown. CyberCheck keeps a set of hash values of Microsoft Windows and application files. If the user invokes the Hash Files menu item from the Options menu, the hash values of the different files are computed and compared with these hash sets. If any of the hash values matches
123
Getting Started
with the hash set values, corresponding files also will be treated as system files. When S/H icon is pressed, these files also will be either displayed or not displayed. In the case of NTFS and EXT2FS, those files whose attributes are set as system, will also be treated as system files. The sixth item in the toolbar shown in figure 4.5.1.6.10.2 also has the same functionality.
Figure 4.5.1.6.10.2 Selecting Show/Hide System Files icon from tool bar
Figure 4.5.1.6.11.1 Selecting File Signature Customization item from main menu
When this item is selected, a dialog box as shown in figure 4.5.1.6.11.2 given below will be displayed for further processing.
Figure 4.5.1.6.11.2 Display of File Signature Customization interface.
The module consists of three basic functions: Add, Modify and Delete. For these, three buttons are provided, Add, Modify and Delete, along with three radio option buttons. When the user selects the Add option button, the Extension, Header, Length and Type edit boxes are enabled so that the user can enter values in the respective fields. The user can add these values to the database by clicking the Add button.
When the user selects the Modify option button, all the field values will be taken from the database. That is, if an Extension is selected by the user, all the headers related to that particular Extension are attached to the combo box, and the user is able to select the required header. Based upon the Header and Extension, the corresponding Length and Type values are attached to the edit fields, and the user can modify all these fields. When the Modify button is clicked, the database will be updated with the new values. In the case of deletion, the user should select the Delete radio button so that the Extension field is populated from the Extension field of the database. This enables the user to select a particular Header based upon the selected Extension. After selecting both Extension and Header, the user can delete the values from the database by clicking on the Delete button. Selecting the Add radio button enables all four fields, and when the Add button is pressed the data in all four fields is inserted into the database. Figure 4.5.1.6.11.3 given below shows the successful insertion of data into the signature database.
Figure 4.5.1.6.11.3 - File Signature Inserting into the table
The Header (In ASCII) option enables the user to enter the header (signature) in ASCII format as shown in figure 4.5.1.6.11.4 given below.
Figure 4.5.1.6.11.4 - Inserting Header in ASCII format
The Modify option enables the user to modify the extension, header, length and alias as shown in figure 4.5.1.6.11.5 given below.
Figure 4.5.1.6.11.5 - Modifying File Signature fields
The Delete option enables the user to delete a file signature from the database as shown in figure 4.5.1.6.11.6 given below.
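An added example, not CyberCheck code, of what the Add/Modify/Delete signature database above amounts to, and of the check that makes it useful during analysis: comparing the header actually present in a file with the header expected for its extension, so that a renamed file stands out. The dict-based storage, the parse_header helper (hex or ASCII entry, as in the Header (In ASCII) option) and the four default signatures are assumptions; the signature bytes themselves are the public, well-known values for those formats.

```python
"""A small file-signature (magic number) database with Add, Modify and
Delete, plus a header-versus-extension check.

Added example, not CyberCheck code. The dict layout, parse_header and the
default signatures are assumptions; the signature bytes are public values.
"""

# extension -> list of {"header": bytes, "length": int, "type": str}
signature_db = {}


def parse_header(text: str, ascii_mode: bool = False) -> bytes:
    """Turn user input into header bytes: hex digits by default, raw
    characters when entered with the Header (In ASCII) option."""
    if ascii_mode:
        return text.encode("latin-1")
    return bytes.fromhex(text.replace(" ", ""))


def add_signature(ext: str, header: bytes, file_type: str) -> None:
    """Add a header for an extension; the Length field is derived."""
    signature_db.setdefault(ext.lower(), []).append(
        {"header": header, "length": len(header), "type": file_type})


def modify_signature(ext: str, old_header: bytes, new_header: bytes,
                     file_type: str) -> bool:
    """Replace the selected Extension/Header pair; False if it is unknown."""
    for entry in signature_db.get(ext.lower(), []):
        if entry["header"] == old_header:
            entry.update(header=new_header, length=len(new_header), type=file_type)
            return True
    return False


def delete_signature(ext: str, header: bytes) -> bool:
    """Remove the selected Extension/Header pair; False if it is unknown."""
    entries = signature_db.get(ext.lower(), [])
    remaining = [e for e in entries if e["header"] != header]
    if len(remaining) == len(entries):
        return False
    if remaining:
        signature_db[ext.lower()] = remaining
    else:
        del signature_db[ext.lower()]
    return True


def identify(data: bytes) -> list:
    """Extensions whose signature matches the start of data."""
    return sorted({ext for ext, entries in signature_db.items()
                   for e in entries if data[:e["length"]] == e["header"]})


def check_file(name: str, data: bytes) -> str:
    """'match' if the header agrees with the extension, 'mismatch' if it
    belongs to another known type (a renamed file), 'unknown' otherwise."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    found = identify(data)
    if ext in found:
        return "match"
    return "mismatch" if found else "unknown"


def load_defaults() -> None:
    """Start from a clean database holding a few public signatures."""
    signature_db.clear()
    add_signature("jpg", parse_header("FF D8 FF"), "image")
    add_signature("png", parse_header("89504E470D0A1A0A"), "image")
    add_signature("pdf", parse_header("%PDF-", ascii_mode=True), "document")
    add_signature("exe", parse_header("MZ", ascii_mode=True), "executable")


if __name__ == "__main__":
    load_defaults()
    print(check_file("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))  # match
    print(check_file("notes.txt", b"MZ\x90\x00"))                          # mismatch
```

The "mismatch" result is the case worth acting on in an examination: the file's extension says one thing and its first bytes say another.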
4.5.1.6.12 Settings
CyberCheck allows the user to customize some of the parameters of the analysis environment like Unicode settings, colours of the foreground and background display and for setting the font used in the environment. This facility can be invoked from the main menu by selecting the Options|Settings sub menu item as shown in figure 4.5.1.6.12.1 given below.
Figure 4.5.1.6.12.1- Selecting Settings menu item from main menu
When this item is selected, a dialog box as shown in figure 4.5.1.6.12.2 given below will be displayed for further processing.
Figure 4.5.1.6.12.2- Various items available in Settings dialog box
There are three tabs in this dialog box, viz., Global, Colours and Fonts. In the Global tab, there is a file viewer group containing two items, Ascii view and Unicode view. The Ascii view is simply the display of the contents of a file in Ascii format in the Text viewer. The Unicode view enables the user to view the contents of a Unicode file in Unicode format in the Text viewer. If files in different languages are available in an evidence file, they can be seen in the respective languages when the Unicode setting is used. How to set the Unicode setting is explained in more detail below.
4.5.1.6.12.1 UNICODE
Unicode is an encoding standard in which all characters are two bytes long. Unicode characters are sometimes called wide characters because they are wider (use more storage) than single-byte characters. A Unicode string is terminated by two zero bytes (the encoding of the value 0 in a wide character). Double-byte characters are used in East Asian and Middle Eastern languages.
How characters are stored in memory
Single-byte strings are stored one character after the next, with a single zero byte marking the end of the string. So for example, "Bob" is stored as:

    42   B
    6F   o
    62   b
    00   EOS

Unicode strings are stored in the same way, two bytes per character, with the character 0x0000 (the Unicode encoding of zero) marking the end.
Figure 4.5.1.6.12.3 - Choosing Unicode View From Settings
Choose Options|Settings and then the Global tab. There are two options available, ASCII View and Unicode View, as shown in figure 4.5.1.6.12.3 given above. The Ascii View is what we normally see in CyberCheck. To display the language content, Unicode View should be chosen. After selecting it and pressing the OK button, the contents in the Text view are changed to Unicode format as shown in figure 4.5.1.6.12.4 given below.
Figure 4.5.1.6.12.4 -Viewing Unicode Characters in Text View
The above figure shows language characters in Hindi, Tamil and English. You can see that, when selecting an individual character, the offset position is incremented by two, which represents each character taking two bytes, as shown in figure 4.5.1.6.12.5 given below.
Figure 4.5.1.6.12.5 - Selection of Single Unicode Character
The Table view in the right pane also displays the Unicode file names in the original language characters. In the Hex viewer, the hexadecimal equivalent of each individual Unicode character is displayed, as shown in figure 4.5.1.6.12.6 given below.
Figure 4.5.1.6.12.6 - Hexadecimal Display for Unicode Character
The above figure shows the hexadecimal equivalents of the characters. The hexadecimal equivalent of the character selected in the figure is 0B95; likewise we can get the hexadecimal values of the complete Unicode character set. In Disk view, we can find the same Text-Hex viewer, which displays the Unicode characters and the equivalent hexadecimal values.
Figure 4.5.1.6.12.7 - Unicode Text-Hex Viewer in Disk View in Bottom Pane
We can do the same processing in Unicode as we do in the ASCII view from the Text-Hex viewer as shown in figure 4.5.1.6.12.7 above. We can also append Unicode data into the report as shown in figure 4.5.1.6.12.8 given below.
Select the Unicode data, then right-click to display the context menu. In the context menu select Append Selected Data to Report; it then asks for a comment, and finally the selected data is appended to the report. In the Report, too, you can see the Unicode or language characters displayed as shown in figure 4.5.1.6.12.9 given below.
Figure 4.5.1.6.12.9 - Appended Unicode Data in Report
The above figure shows the Unicode characters appended to the Report from the Text viewer.
Figure 4.5.1.6.12.10 - Copying the Unicode Data
You can also copy the Unicode characters into the clipboard and paste the characters wherever you want. Copying is shown in figure 4.5.1.6.12.10 above. The copied data can be pasted into the Add Keyword dialog as Unicode characters as shown in figure 4.5.1.6.12.11 given below.
Figure 4.5.1.6.12.11 - Pasting the Unicode Character in Keyword edit box
Like ASCII data, you can bookmark the data and view it from the BookMark Data in the Left pane.
In the File Summary and the Folder Summary you can get the Details of the File and Folders with the names displayed in Unicode characters. This is illustrated in figure 4.5.1.6.12.12 given below. Note that the Full Path is also displayed in Unicode format.
Figure 4.5.1.6.12.13 - Adding the Unicode Keyword for Search
In the Table view of the Keyword section, the Ascii/Unicode attribute of the keyword is shown as Unicode. This is shown in figure 4.5.1.6.12.14 given below.
In the Search Tab of the Left Pane, we can get the Search hits based on the Unicode search and the Corresponding selections are marked in the Text-Hex Viewer. This is shown in figure 4.5.1.6.12.15 given below.
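The byte layout described in the Unicode settings section above (two bytes per character, an offset that advances by two, the value 0B95 in the Hex viewer) and the Unicode keyword search described here can be reproduced with the added Python example below, which is not CyberCheck code. It assumes that "Unicode" here means UTF-16 little-endian, the form Windows uses for wide strings; the Tamil sample word is a constructed input built from the code point 0B95 the manual quotes (Tamil letter KA). The last function also shows why an ASCII-mode search misses text that is stored as Unicode.

```python
"""Two-byte (UTF-16LE) text as stored on disk, and a Unicode keyword search
over raw bytes reporting byte offsets.

Added example, not CyberCheck code. 'Unicode' is assumed to be UTF-16
little-endian; the sample buffer is constructed.
"""


def wide(text: str) -> bytes:
    """Encode text two bytes per character, terminated by two zero bytes."""
    return text.encode("utf-16-le") + b"\x00\x00"


def hex_dump(data: bytes) -> str:
    """'42 00 6F 00 ...', as the Hex viewer shows the bytes."""
    return " ".join(f"{b:02X}" for b in data)


def code_units(data: bytes) -> list:
    """The 16-bit values of a UTF-16LE buffer as 4-digit hex strings
    (e.g. '0B95'), one per two-byte character."""
    return [f"{int.from_bytes(data[i:i + 2], 'little'):04X}"
            for i in range(0, len(data) - 1, 2)]


def find_keyword(buffer: bytes, keyword: str, unicode: bool = True,
                 case_sensitive: bool = True) -> list:
    """Byte offsets of every hit of keyword in buffer.

    unicode=True searches for the UTF-16LE form and only at even offsets,
    so a hit's offset always advances in steps of two, as in the Text
    viewer. unicode=False searches for the single-byte (Latin-1) form.
    Case-insensitive comparison is done on the decoded window, so it also
    works for non-ASCII letters in Unicode mode.
    """
    codec = "utf-16-le" if unicode else "latin-1"
    needle = keyword.encode(codec)  # non-Latin-1 keywords need Unicode mode
    width, step = len(needle), (2 if unicode else 1)
    target = keyword.casefold()
    hits = []
    for off in range(0, len(buffer) - width + 1, step):
        window = buffer[off:off + width]
        if case_sensitive:
            if window == needle:
                hits.append(off)
        elif window.decode(codec, errors="replace").casefold() == target:
            hits.append(off)
    return hits


# Constructed sample buffer: "Bob", a Tamil word, then English text, each
# stored as a wide string with its two-zero-byte terminator.
TAMIL_WORD = "\u0b95\u0bb2\u0bcd\u0bb5\u0bbf"   # first letter is U+0B95
SAMPLE = wide("Bob") + wide(TAMIL_WORD) + wide("Hello hello")


def demo() -> dict:
    """The values the manual's figures show, computed from the sample."""
    return {
        "bob_bytes": hex_dump(wide("Bob")),
        "ka_code_unit": code_units(wide(TAMIL_WORD))[0],
        "tamil_word_offset": find_keyword(SAMPLE, TAMIL_WORD),
        "hello_unicode_nocase": find_keyword(SAMPLE, "hello", case_sensitive=False),
        "hello_ascii_mode": find_keyword(SAMPLE, "hello", unicode=False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The empty result of the ASCII-mode search is the practical point: a keyword entered without the Unicode option never matches text stored two bytes per character, because the zero bytes sit between the letters.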
4.5.1.6.12.1.3 How to Change the Default Color For Selection, Bookmark And Hits
Choose Settings|Colors Tab. The following dialog box as given in figure 4.5.1.6.12.16 given below will be displayed with three colours. These colours indicate the foreground and background colours of the Book Mark Selection, Search Hit, and Text Selection respectively.
If you click on the corresponding foreground or background column, you will get a colour dialog box. There you can choose the colour you wish for the foreground or background, as shown in figure 4.5.1.6.12.17 given below.
Figure 4.5.1.6.12.17 - Selecting desired Colour from the Color Dialog Box
Select the desired colour and then press the OK button. The selected colour will be displayed in the Foreground colour column. You can see a preview of the colours in the first column, where the Text Selection is displayed, as shown in figure 4.5.1.6.12.18 given below.
Similarly, you can change the background colour also, and the corresponding colour change is reflected in the item column. After choosing everything, press OK; this changes the text selection colour of the CyberCheck Text view as shown in figure 4.5.1.6.12.19 given below.
Figure 4.5.1.6.12.19 - Change of Text Selection Colors
Similarly, you can change the Bookmark selection and search hit colours using the Settings|Colors option.
After changing the colours, if you want to get back the default colours, you can check the default colour check box. This will restore the default colour settings of CyberCheck as shown in figure 4.5.1.6.12.20 given above.
4.5.1.6.12.1.4 How to Change the Font for the Viewers and Tab Items
Choose Settings|Font; the default fonts are displayed for the Table and Tabs and for the File Viewer as shown in figure 4.5.1.6.12.21 given below.
Figure 4.5.1.6.12.21 - Choosing the Settings Font Tab, displays default font
If you want to change the font of the Table View, click on the font name; it will immediately display the Windows default Font dialog box as shown in figure 4.5.1.6.12.22 given below.
Figure 4.5.1.6.12.22 - Choosing the desired Font from the Font Dialog Box
Choose Comic Sans MS for the Table Font, Font Style as Bold and Size 11, for example, and click the OK button.
Figure 4.5.1.6.12.23 - Font Change Reflected in Table View
As shown in figure 4.5.1.6.12.23 given above, the Table View is updated with the chosen font, Comic Sans MS.
Figure 4.5.1.6.12.24 - Font Change Reflected in File Viewer
If you repeat the same steps for the File Viewer, you can view it with the changed font. The above figure 4.5.1.6.12.24 shows the File Viewer with the Comic Sans MS font.
4.5.1.7 Keyword
Keyword search is one of the most common methods of analysis. Keyword Search finds out whether different keywords are present in different files. The search results will be displayed in a table format with the details of the location in the file in which the keyword is found. Before starting a Keyword Search, the analyzing officer should enter the keyword(s) to be searched and select the required keywords to be included in a search session. The analyzing officer can set the search space depending upon the nature of the problem in hand. If s/he wants to search all the files and folders, s/he can do so. A limited search in selected files, slack space, unallocated free clusters, lost clusters or swap files is also possible. Case sensitive search and GREP search are also possible with CyberCheck.
When this item is selected, a dialog box will be displayed as shown in figure 4.5.1.7.1.2 given below.
You may enter the keyword to be searched in the edit box given in the above dialog box. You may also specify whether the entered keyword is Case Sensitive, Unicode or GREP type by checking the appropriate checkboxes given in the above dialog box. After entering the keyword, when you press the Add Keyword button, it will be added to the list of keywords in the Table view of keywords as shown in figure 4.5.1.7.1.3 given below. You can add any number of keywords by pressing the Add Keyword button after entering each keyword in the edit box. This user-friendly feature enables the Investigating Officers to add the needed keywords in a very short time.
Figure 4.5.1.7.1.3 List of added keywords
You may specify the keywords to be included in a search session by checking the boxes given on the left side of the keywords as shown in the above figure. Keywords can also be added by right clicking on the keyword item in the Keyword tab pane as shown in figure 4.5.1.7.1.4 given below. When this item is selected, the dialog box given in figure 4.5.1.7.1.2 will be displayed for entering the keyword.
Figure 4.5.1.7.1.4 Selecting Add Keyword menu from Left Pane
After selecting the keywords, click the Binocular icon in the tool bar or select the Search option from the main user interface. The fourth item in the toolbar (the item with the key symbol) also has the same functionality.
Figure 4.5.1.7.2.1 Entering GREP expression to be searched
The following is a list of valid GREP tokens:
. - Matches any single character except newline.
* - An asterisk after a character matches any number of occurrences of that character, including zero. For example, "john,*smith" would match "john,smith", "john,,smith" and "johnsmith".
\ - A backslash before a character indicates that that character is to be treated literally and not as a GREP character. For example, \* indicates that the special meaning of the asterisk should be turned off and it has to be treated literally.
a[a*] - Any number of occurrences of a except zero. For example, "john,[,]*smith" would match "john,smith" or "john,,smith" but would NOT match "johnsmith".
[ ] - Characters in brackets match any one character that appears in the brackets. For example, "smit[hy]" would match "smith" and "smity".
[-] - A dash within the brackets signifies a range of characters. For example, [a-e] matches any character from a through e; [2-8] matches any digit from 2 to 8.
(a|b) - An OR symbol represents the occurrence of either a or b.
Grep Examples:
The following examples show some of the power that GREP expressions give you when looking for text.

john.smith
The '.' period matches any character. This expression finds "john" followed by any character followed by "smith".
    john smith
    john,smith
    johnQsmith

john[ ,;]smith
The characters inside the brackets are called a set. They are treated as a single character. This expression finds "john" followed by a space OR a comma OR a semi-colon followed by "smith".
    john smith
    john,smith
    john;smith

john[0-9a-z]smith
The dash indicates a range of characters when inside a set. This expression finds "john" followed by any character between ('0' and '9' or 'a' and 'z') followed by "smith".
    john0smith
    john1smith
    johnzsmith

john [ ]*smith
This indicates that the preceding character (or set) is repeated any number of times, but at least once. This expression finds "john" followed by any number of spaces followed by "smith".
    john smith
    john  smith
    john   smith

john-*smith
The '*' star says repeat the preceding character (or set) any number of times, including zero. This expression finds "john" followed by any number of dashes followed by "smith".
    johnsmith
    john-smith
    john---smith

[a-z][a-z0-9_]*@[a-z][a-z]*\.[a-z][a-z]*
This expression matches all email addresses. If you want to search for email addresses with a specific TLD (Top Level Domain), use the following expression.
[a-z][a-z0-9_]*@[a-z][a-z]*\.(com|org|co.in|in|uk|edu)

http://www\.[a-z]*\.com
This expression matches "http://www." followed by any alphabetic characters followed by ".com". This is a good way to look for web site references.
    http://www.bozo.com
    NOT http://www.to-wong-foo.com
    NOT http://www.bozo.org

You can use the following expression to list all the website references regardless of the domain.
(http|https|ftp)://[a-z]*\.[a-z][a-z0-9\- ]*[\.a-z0-9/_\-#:]*
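The GREP examples above, rewritten as Python re expressions in an added example that is not CyberCheck code. CyberCheck's own GREP dialect differs in detail: its "a[a*]" form is "+" in Python, and the literal dot in the TLD list "co.in" has to be escaped as "\." for the reason the token list gives; the stray space in the last bracket set of the web-site expression is dropped here on the assumption that it is not intended. The sample lines are constructed and reproduce the matches, and the two NOT cases, listed above.

```python
"""The manual's GREP examples as Python regular expressions, with a small
search-hit function. Added example, not CyberCheck code; the sample lines
are constructed."""
import re

# Manual expression -> Python equivalent. Differences are noted per entry.
PATTERNS = {
    "any_char":   r"john.smith",
    "char_set":   r"john[ ,;]smith",
    "char_range": r"john[0-9a-z]smith",
    "one_plus":   r"john +smith",       # manual: john [ ]*smith (at least one space)
    "zero_plus":  r"john-*smith",
    "email":      r"[a-z][a-z0-9_]*@[a-z][a-z]*\.[a-z][a-z]*",
    # literal dot in co.in escaped, as the token list requires for '.'
    "email_tld":  r"[a-z][a-z0-9_]*@[a-z][a-z]*\.(com|org|co\.in|in|uk|edu)",
    "www_com":    r"http://www\.[a-z]*\.com",
    # space inside the second bracket set dropped (assumed unintended)
    "any_url":    r"(http|https|ftp)://[a-z]*\.[a-z][a-z0-9\-]*[\.a-z0-9/_\-#:]*",
}

# Constructed sample text, one "file" per line.
SAMPLE_LINES = [
    "john smith, john,smith, johnQsmith and johnsmith",
    "john;smith john0smith johnzsmith john---smith",
    "mail alice_01@example.com or bob@mail.co.in",
    "http://www.bozo.com NOT http://www.to-wong-foo.com NOT http://www.bozo.org",
    "see https://www.example-site.org/path#top or ftp://files.example.net/pub",
]


def grep(pattern: str, lines: list, case_sensitive: bool = True) -> list:
    """Every hit of pattern as (line_index, offset, matched_text).

    All occurrences on a line are reported, as a search-hit table needs;
    offsets are character positions within the line. With
    case_sensitive=False the manual's all-lowercase patterns also catch
    capitalised names.
    """
    rx = re.compile(pattern, 0 if case_sensitive else re.IGNORECASE)
    return [(i, m.start(), m.group(0))
            for i, line in enumerate(lines)
            for m in rx.finditer(line)]


def run_all(case_sensitive: bool = True) -> dict:
    """Matched text for every pattern over the sample lines."""
    return {name: [hit[2] for hit in grep(rx, SAMPLE_LINES, case_sensitive)]
            for name, rx in PATTERNS.items()}


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name:11} {hits}")
```

Note that the plain email expression stops at "bob@mail.co" for a ".co.in" address, while the TLD form with the escaped dot returns the whole address; that is the difference the backslash token in the list above is there to make.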
Figure 4.5.1.7.4.1 Selecting Send to Recycle Bin menu item from Keywords window
When an item is selected and the Send to Recycle Bin menu is selected, a warning message will be displayed to confirm the process, after which the item is moved to the recycle bin. If you want to see the items available in the Recycle Bin, you may select the Recycle Bin menu item from the Keywords pane as given in figure 4.5.1.7.4.2 given below.
Figure 4.5.1.7.5.1 - Deleting a Keyword
Choose the Recycle Bin menu item from the Keywords pane and right click on the item to be deleted from the list of items displayed in the right window. Select the Delete Keyword menu item from the context menu and press Yes when the warning message is displayed for confirming the deletion. The delete operation can also be invoked by selecting the menu item Keywords|Delete Keyword from the main user interface. The Delete Keyword menu will be highlighted only when a keyword is selected from the list of keywords.
4.5.1.8 Bookmark
When the analysis is in progress, the investigator may find a file, folder or part of a file worth detailed analysis. CyberCheck provides a facility for bookmarking these items into separate folders so that they can later be examined in detail. If the investigator can identify valuable evidence among these items, it can be appended to the report from the bookmarked items. The user can start this view by clicking the Bookmarks tab in the Left pane. Figure 4.5.1.8.1 given below shows the Bookmark view.
Figure 4.5.1.8.1 - Bookmarks TabView
The Bookmarks tab view provides three options, namely:
Folders - This contains information regarding all bookmarked folders.
Files - This contains information regarding all bookmarked files.
Selected Data - This contains information regarding the data selected for bookmarking during the analysis.
Folder bookmarking and File bookmarking can be done only from the Table view in the right pane. Selected data bookmarking can be done only from the Text view in the bottom pane, by selecting the data to be bookmarked, right clicking the mouse and then bookmarking that data. A sample bookmarked data item is shown in figure 4.5.1.8.2 given below.
Figure 4.5.1.8.2 Selected data that is bookmarked
The right pane shows a number of different attributes of the bookmarked data, which include the name of the file in which the data is available, whether the file is deleted, the file type, the comment about the bookmarked item, etc. The comment is available as the last item of the attributes.
When this item is selected, a message for confirming the process will be displayed. When Yes button is pressed, a dialog box will be displayed for entering comments, if any, to be attached with this file. Enter appropriate comment and press OK button for bookmarking the selected file.
below. This can be done by selecting Bookmark|Bookmark Folder as shown in figure 4.5.1.8.6 also.
When this item is selected, a message for confirming the process will be displayed. When Yes button is pressed, a dialog box will be displayed for entering comments, if any, to be attached with this folder. Enter appropriate comment and press OK button for bookmarking the selected folder.
4.5.1.8.7 given below. This can be done by selecting Bookmark|Bookmark Selected Data as shown in figure 4.5.1.8.8 also.
When this item is selected, a message for confirming the process will be displayed. When the Yes button is pressed, a dialog box will be displayed for entering comments, if any, to be attached with the selected data. Enter an appropriate comment and press the OK button for bookmarking the selected data.
Figure 4.5.1.8.9 Sending a book marked item to Recycle Bin using context menu.
Figure 4.5.1.8.10 Sending a book marked item to Recycle Bin using main menu.
Figure 4.5.1.8.11 Restoring an item from Recycle Bin using context menu.
Figure 4.5.1.8.12 Restoring an item from Recycle Bin using main menu.
Figure 4.5.1.8.13 Deleting an item from Recycle Bin using context menu.
Figure 4.5.1.8.14 Deleting an item from Recycle Bin using main menu.
4.5.1.9 Search
Searching is one of the main ways to find digital evidence in an evidence file using CyberCheck. Searching can be File Searching or Keyword Searching. In File searching, you can search for files with specific extensions. In Keyword searching, you can search for a single keyword or multiple keywords that might be present in the evidence file. You can search for as many keywords as there are in your keyword list; the more keywords you have, the longer the search takes. If needed, you can do the searching in different sessions. When you go to the search results, you can see the different search sessions independently. You can limit the scope of the search space by opting for only selected files or by checking only the required items you want to search in the Search dialog box. CyberCheck has the facility to search for keywords in the whole evidence file, selected files/folders, swap files, slack area, lost clusters and used unallocated clusters. Slack searching includes MBR slack, EMBR slack, Partition slack, Disk slack, RAM slack and File slack. Each of the slack areas will be searched separately. CyberCheck has the facility for case-sensitive searching also. This can be done by selecting the Case Sensitive option while you are adding keywords in the Keywords tab in the left pane.
Keyword Search finds out whether different keywords are present in different files. The search results will be displayed in a table format with the details of the location in the file in which the keyword is found. Before starting a Keyword Search, the analyzing officer should enter the keyword(s) to be searched and select the required keywords to be included in a search session. Refer to the section Keyword for more details. The analyzing officer can set the search space depending upon the nature of the problem in hand. If s/he wants to search all the files and folders, s/he can do so. A limited search in selected files, slack space, unallocated free clusters, lost clusters or swap files is also possible. Case sensitive searching is also possible in CyberCheck. After adding and choosing the keywords to be included in the search session, select the Search|Keyword Search menu item from the main interface as shown in figure 4.5.1.9.1 given below, or click on the binocular icon given in the tool bar.
Figure 4.5.1.9.1 Selecting Keyword Search menu item
When this item is selected, a dialog box as shown in figure 4.5.1.9.2 given below will be displayed for setting different options for the search space.
Figure 4.5.1.9.2 Dialog box for setting search options
There are a number of options to limit the search space, as shown in the above figure. To search through all the folders and files of the evidence file, click on the Entire Case radio button. If you want to limit the search to selected files and folders of the evidence file, click on the Selected Only radio button. Keep in mind to select the desired files and folders before selecting the Search|Keyword Search menu item. The above dialog box also shows the evidence files and keywords selected for searching. There are other options like Files and Folders, Swap Files, Used unallocated clusters, Lost clusters and Slack for limiting the search space.
When Files and Folders are selected for searching, the search can be further limited by choosing options like Ignore Files in Custom Hash Library, Search by Extension and Ignore System files. The Custom Hash Library is a library of hash values of known files like operating system files, application files and user-specified files. The Search by Extension option enables you to limit the search to files with a specific extension; you can enter the desired extension in the edit box given under the Search by Extension option. The Ignore System files option enables you to exclude the system files from the search space. You can also limit the search to Swap Files, Used unallocated clusters, Lost clusters and Slack space by selecting the respective items in the above dialog box. When the appropriate options are specified, press the Start Search button to initiate the search process. A progress bar will be displayed to indicate the status of the process. If you want to cancel the process, right click on the progress bar and then select the Cancel button displayed; after confirmation, the process will be terminated. If you want to know the number of hits before the search process completes, place the mouse pointer on the progress bar for some time. A tool tip as shown in figure 4.5.1.9.3 given below will be displayed indicating the number of hits that have occurred so far.
Figure 4.5.1.9.3 Tool tip indicating search hits during the search process
When the search process is completed, a message box showing the total hits and elapsed time is displayed as shown in figure 4.5.1.9.4. If the user selects yes, then the control will go to the currently added session in the search pane as shown in figure 4.5.1.9.5.
Figure 4.5.1.9.5 Search results displayed in Search Tab
Searches can be conducted in different sessions with different sets of keywords. The result of each session will be added to the Search tab as shown in the above figure, displaying the keywords and the number of hits that occurred. In the right pane, details of the search hits are provided: the file name in which the keyword is found, a preview of the keyword, the location of the keyword in the file and the complete path of the file. When a particular hit is selected from the right pane, the content of the file, with the keyword highlighted, is displayed in the Text viewer as shown in the above figure. You may browse through the search hits one by one and the corresponding hits will be highlighted in the Text viewer. If you find some portion of the text relevant to the case being analyzed, that portion may be bookmarked and later appended to the report. The fifth item in the toolbar also has the same functionality.
Figure 4.5.1.9.6 - Selecting File Search option
Select the Files option from that window. File search is provided to find out the existence of files with a particular extension in the evidence file. Once you choose the File Search option, a small window as given in figure 4.5.1.9.7 given below will be displayed to choose the type of files to be searched.
Figure 4.5.1.9.7 Dialog box for specifying the type of file to be searched
CyberCheck provides different options for selecting the type of files. They are:
Search Document files
Search Image Files
Search Audio Files
Search Video Files
When any of these options is selected, the corresponding extensions will be added to the edit box shown in the dialog box. If the user wants to add any other extension, it should be typed into the edit box. Only the extension is needed, without the period (.). Any number of extensions may be specified, each separated by a semicolon. By default, searching will be done on the entire case file. You can limit the file search to the selected folder also, by selecting the Selected Files option from the dialog box shown above. After specifying the file types to be searched, click the OK button. On clicking the OK button, a progress bar will be displayed to indicate the progress of the search process as given in figure 4.5.1.9.8 below.
Figure 4.5.1.9.8 - Progress bar displaying the search status
The files which match the specified extensions will be added to the Search Files item given in the Search tab view in the left pane and displayed in the Table view. You can also see the various file attributes in the Table view. If you click on a file, the file content will be displayed in the Text viewer. This set of files will be available in the File extension folder in the Search tab view until it is replaced by the result of another File Search. The search result is shown in figure 4.5.1.9.9 given below.
Figure 4.5.1.9.9 - Displaying the File Search result
To search for files with a particular hash value, click the File Hash option in the Search by group in the File Search window. The File Types options are then disabled and you have to enter the hash value of the file in the text box. The hash value is a 32 character hexadecimal number. CyberCheck offers a facility to get the hash value of a particular file by right clicking on the file entry in the Table view. Again, this will be possible only if the particular file is hashed and the hash value is displayed in the last column of the Table view. If the hash value is not displayed, you can hash the file with Options|Hash Files from the Analysis window menu bar. After copying the hash value, paste it into the text box and click the OK button. This is shown in figure 4.5.1.9.10 given below. A progress bar will be displayed on the status bar to indicate the progress of the file search process.
Figure 4.5.1.9.10 Selecting file search based on hash value
On the successful completion of the search process, CyberCheck will add the matching files to the Search tab in a folder titled File Hash. The attributes of the file will be displayed in the Table view as shown in figure 4.5.1.9.11 given below.
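An added Python example, not CyberCheck code, of a File Search by extension list (semicolon separated, without the period) and by hash value, combined with the Ignore System files and Ignore Files in Custom Hash Library filters from the keyword-search dialog and the system-file rules from the Show/Hide System Files section earlier (extension list, the NTFS $MFT and $MFTMirr files, and hash-set matches). It runs over an in-memory dict of constructed path/content pairs instead of an evidence file, and uses MD5 because the manual describes the hash as a 32-character hexadecimal number; the hash-library contents are constructed, and CyberCheck's own hash-set format is not given on this page.

```python
"""File Search by extension list or by hash value, with the Ignore System
files and Ignore Files in Custom Hash Library filters.

Added example, not CyberCheck code. Works over an in-memory dict of
constructed files; MD5 is assumed from the 32-character hash the manual
describes. The hash library below is constructed.
"""
import hashlib
import string

SYSTEM_EXTENSIONS = {"sys", "drv", "dll", "vxd", "vbx", "ocx"}
NTFS_METAFILES = {"$MFT", "$MFTMirr"}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_extensions(text: str) -> set:
    """'doc;jpg' -> {'doc', 'jpg'}: semicolon separated, no period."""
    return {e.strip().lstrip(".").lower() for e in text.split(";") if e.strip()}


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def extension_of(path: str) -> str:
    name = basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_system_file(path: str, digest: str, hash_library: frozenset) -> bool:
    """System file by extension, NTFS metafile name, or known-file hash."""
    return (extension_of(path) in SYSTEM_EXTENSIONS
            or basename(path) in NTFS_METAFILES
            or digest in hash_library)


def search_files(files: dict, extensions: str = "", file_hash: str = "",
                 ignore_system: bool = False, ignore_hash_library: bool = False,
                 hash_library: frozenset = frozenset()) -> list:
    """Sorted paths matching either the extension list or the hash value.

    Giving file_hash switches to hash search (the File Types choice is
    ignored, as in the dialog); the hash must be 32 hex characters.
    """
    if file_hash and (len(file_hash) != 32
                      or any(c not in string.hexdigits for c in file_hash)):
        raise ValueError("hash value must be a 32 character hexadecimal number")
    wanted = parse_extensions(extensions)
    hits = []
    for path, data in files.items():
        digest = md5_hex(data)
        if ignore_hash_library and digest in hash_library:
            continue
        if ignore_system and is_system_file(path, digest, hash_library):
            continue
        if file_hash:
            if digest == file_hash.lower():
                hits.append(path)
        elif extension_of(path) in wanted:
            hits.append(path)
    return sorted(hits)


# Constructed sample "evidence": path -> content. The DLL content is also
# present under a harmless-looking name, which a hash search picks up.
KNOWN_DLL = b"MZ" + b"\x00" * 30
SAMPLE_FILES = {
    "C/Windows/System32/kernel32.dll": KNOWN_DLL,
    "C/Windows/System32/ntoskrnl.exe": b"MZ" + b"\x90" * 30,
    "C/Users/a/report.doc": b"constructed report",
    "C/Users/a/photo.jpg": b"\xff\xd8\xff\xe0 constructed",
    "C/Users/a/copy_of_photo.JPG": b"\xff\xd8\xff\xe0 constructed",
    "C/Users/a/notes.txt": KNOWN_DLL,
    "C/$MFT": b"FILE0",
}
HASH_LIBRARY = frozenset({md5_hex(KNOWN_DLL)})  # constructed custom hash library


if __name__ == "__main__":
    print(search_files(SAMPLE_FILES, "jpg;doc"))
    print(search_files(SAMPLE_FILES, file_hash=md5_hex(KNOWN_DLL)))
    print(search_files(SAMPLE_FILES, "dll;txt;exe", ignore_system=True,
                       hash_library=HASH_LIBRARY))
```

One consequence of the rules above is worth knowing: because a hash-set match makes a file a "system file", switching on Ignore System files also hides a known file that has been copied under a different name (notes.txt here); a hash search without that filter still finds it.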
4.5.1.10 Export
CyberCheck provides a facility to export folders/files, lost clusters, used free clusters, swap files, slack data and the folder structure into a user-specified path. Exporting deleted files and folders becomes part of data recovery. The following sections explain this facility in more detail.
4.5.1.10.1 File/Folder
If you want to export a file or folder, select the desired item from the Table view and either select the menu item Export|File/Folder from main user interface or right click on the selected item and select Export item from the context menu. A dialog box as shown in figure 4.5.1.10.1 given below will be displayed to specify a path into which the selected item will be exported.
Figure 4.5.1.10.1 Dialog box for specifying a folder path to export an item
After exporting the item into the specified path, a message will be displayed showing the status of the export process.
Figure 4.5.1.10.2 Selecting Export | Lost Clusters option from main menu
When this option is selected, the export of lost clusters into a file in the export folder path will be started and a progress bar will be displayed indicating the status of the process. When the export is completed, a message box will be displayed notifying the completion of the process and the path in which the lost clusters contents are saved. CyberCheck adds a Lost Clusters entry in the Table view for each partition available in the evidence file, to view the content of the lost clusters as shown in figure 4.5.1.10.3 given below.
Figure 4.5.1.10.3 Display of Lost Clusters entry in the Table view.
When the lost clusters have been exported, clicking on the Lost Clusters entry in the Table view will display its contents in the Text viewer as shown in the above figure. The user may search the contents of the lost clusters for particular keywords as explained in the Search section. The result of an example search is displayed in figure 4.5.1.10.4 given below.
Figure 4.5.1.10.5 Selecting Export|Used Free Clusters option from main menu
When this option is selected, the export of used free clusters into a file in the export folder path is started and a progress bar is displayed to indicate the status of the process. When the export is completed, a message box notifies the completion of the process and the path in which the used free cluster contents are saved. CyberCheck adds a Used Free Clusters entry in the Table view for each partition available in the evidence file to view the content of the used free clusters as shown in figure 4.5.1.10.6 given below.
Figure 4.5.1.10.6 Display of Used Unallocated Clusters entry in the Table view.
When the used free clusters are exported, clicking on the Used Unallocated Clusters entry in the Table view will display its contents in the Text viewer as shown in the above figure. User may search the contents of the used free clusters for particular key words as explained in the search section. The result of an example search is displayed in figure 4.5.1.10.7 given below.
Figure 4.5.1.10.8 Selecting Exporting|Swap Files option from main menu
When this option is selected, the export of swap files into a file in the export folder path will be started and a progress bar will be displayed to indicate the status of the process. When the export is completed, a message box will be displayed notifying the completion of the process and the path in which the swap file contents are saved. User may search the contents of the swap files for particular key words. After selecting the desired key words from the key words list as explained in the search section, start the key word search. A window as given in figure 4.5.1.10.9 will be displayed for setting the swap file search option.
Figure 4.5.1.10.9 Selecting Swap Files for search.
After selecting swap files from the above dialog box, click the Start Search button to start the swap file search. A progress bar will be displayed to indicate the status of the process. When the search process is completed, the result of the search hits will be displayed as shown in figure 4.5.1.10.10 given below.
Figure 4.5.1.10.11 Selecting Export|Slack Data option from main menu
When this option is selected, the export of the contents of the different slack areas into the export folder path will be started. An appropriate progress bar will be displayed to indicate the status of the process as the different contents are exported. After completing the process, a message box will be displayed to notify the end of the process. User may search the slack areas for particular key words. After selecting the desired key words from the key words list as explained in the search section, start the key word search. A window as given in figure 4.5.1.10.12 will be displayed for setting the slack area search option.
Figure 4.5.1.10.12 Selecting different slacks for search.
After selecting the different slacks from the above dialog box, click the Start Search button to start the search. A progress bar will be displayed to indicate the status of the process. When the search process is completed, the result of the search hits will be displayed as shown in figure 4.5.1.10.13 given below.
Figure 4.5.1.11.1 Selecting Extract | Used Free Clusters option from main menu
When this option is selected, a dialog box as shown in figure 4.5.1.11.2 given below will be displayed to select the partitions from which used free clusters are to be extracted.
When the desired partitions are marked in the dialog box and the OK button is pressed, extraction of used free clusters will be started and a progress bar will be displayed indicating the status of the process. This process will be started only if the details of the used free clusters are not already available. Extraction of used free clusters can also be initiated while loading the evidence file, if the Extract Used Free Clusters option is set in the Settings dialog box.
4.5.1.12 Report
CyberCheck provides a facility to generate a report of the findings of an analysis session. During the analysis, document files having keywords related to a case may be found. In this case, either the complete file or part of the file has to be added to the report to indicate the presence of digital evidence in the evidence file. Similarly, case-related pictures also have to be added to the report. CyberCheck provides facilities for these operations, which are explained in more detail in the following sections.
Figure 4.5.1.12.2 Adding a file to report from main menu
In both these cases, the file should be selected from the Table view. Once you select the Append Folder/File option, a new window as shown in figure 4.5.1.12.3 given below will be displayed asking whether you want to append File Content or File Slack, provided you have selected a File for appending.
Figure 4.5.1.12.3 Dialog box for choosing Append Options.
If you have selected File Content, then the entire file content will be appended to the report. But there is a limitation to the size of the file that can be appended to the report. The size of the file that can be appended to the report is limited to 1MB. If the size is more than this, an appropriate error message will be displayed. If you have selected Append File Slack, then the File Slack of the selected file will be appended to the report. If the file slack is empty, then that is indicated in the report. If you have selected Both as the option, then both the content as well as the slack will be appended to the Report. Once you click the OK button, the content will be added to the Report file. The report can be viewed in the report view. Clicking the Report tab from the right pane will show the Report as given in figure 4.5.1.12.4 given below.
The selected data will be appended to the report as shown in figure 4.5.1.12.6 given below. Here too, there is a limitation to the size of the data that can be appended to the report. The maximum size of the data that can be appended at a time is limited to 1MB.
Fig 4.5.1.12.1 Main Interface for Delete From Report
Select the ReportDataCode of the item to be deleted from the report and click the Delete button. A confirmation message box will be displayed as shown in figure 4.5.1.12.2.
Fig 4.5.1.12.2 Confirmation before Deleting an item From Report
If Yes is clicked, the item with the selected ReportDataCode gets deleted from the report.
4.5.1.13 Timeline
The Timeline view gives a graphical representation of the patterns of file creation, access and last written attributes. The Timeline view can be invoked by clicking on the Timeline tab from the Right Pane. In the Timeline view, as shown in figure 4.5.1.13.1 given below, a graphical representation of the patterns of file creation, file access, last written attributes, time anomaly files, signature mismatched files, etc., is displayed.
Select Probe View Tab in the left pane. Click the Timeline tab on the right pane. A window as shown in figure 4.5.1.13.2 given below will be displayed with different options that can be set for getting a particular pattern of timeline view.
Figure 4.5.1.13.2 Different Options for Timeline View
The different options available are:
o Search Options
o Files
o Display by Time
o Advanced Options
Search Options
The user has the option to narrow down the number of files displayed in the timeline chart by selecting these options.
All Files: If the User selects the All Files option, the Timeline of all the files in the evidence file will be displayed in the Timeline view.
Selected Files: If the User selects Selected Files, the Timeline of the selected files will be displayed in the Timeline view. The desired files can be selected from the Probe view and Table view before going to the Timeline view.
Date From To: If the User selects this option, s/he can view the Timeline of files with different attributes limited to a specific period defined by From and To limits. These limits can be specified as shown in figure 4.5.1.13.3 given below.
Figure 4.5.1.13.3 Calendar for specifying From To period
User may drop down the calendar for setting the period by clicking on the combo box arrow button given for the From and To date fields. From the calendar window, user may change the month of the year by clicking on the left and right arrows given. If the user wants to change the year, click on the year displayed in the calendar. A combo box will be displayed as shown in figure 4.5.1.13.4 given below.
Figure 4.5.1.13.4 Combo box in the Calendar for changing year
If the User wants to change the month, click on the month displayed in the calendar window. A list box with the names of the different months will be dropped down to enable the user to select the desired month as shown in figure 4.5.1.13.5 given below.
Figure 4.5.1.13.5 List box in the Calendar for changing month
With these facilities, user may set an appropriate From and To period for displaying the Timeline of the files that fall in this range.
Files
The Files option in the Timeline view allows the user to include Normal files or Deleted files or Both in the Timeline View.
Display by Time
There are three dates associated with all the files: created date and time, last accessed date, and modified date and time. User can create the timeline chart based on any of the above three categories. Depending on the selection of the user from the choices Created, Last Accessed and Modified, the timeline chart is drawn accordingly. If, for e.g., Created is selected, then the timeline chart for the selected file or files will be drawn based on the files' date and time of creation. The date and time information of the other two dates (Last Accessed and Modified in this case) can be viewed through the tool tip facility. When the mouse pointer is placed on a file representation in the chart, which is displayed as a circle, the details including the full path get displayed as a tool tip.
Advanced Options
To avail of this feature, User has to select the check box named Options. The number of files that have to be displayed in the Timeline view chart can be limited by selecting these options. Once this has been checked, three other options get enabled. They are:
Time Anomaly Only
When this option is selected, only those files in the evidence file that have time mismatches are displayed in the chart. A file is considered as time mismatched in the following cases:
o Modified date and time is before the created date and time.
o Accessed date is before the file's created date.
If there is a time mismatch associated with a file that is being displayed in the timeline chart, then the file will be displayed with an adjacent yellow circle to the left of the green or red circle representing the file, based on whether the file is normal or deleted.
Signature Mismatch Only
When this option is selected, only those files in the evidence file that have a signature mismatch are displayed in the chart. A file is considered as signature mismatched if its extension does not match the file signature. Here the file signature is the initial bytes of the file that uniquely identify the file type. If there is a signature mismatch for a file, a violet circle will get displayed adjacent to the circle representing the file.
Time Anomaly & Signature Mismatch Only
Displays the files that have either a time anomaly or a signature mismatch. User can also select several options like Created, Last Accessed, Last Written etc. from the same window. After selecting the needed options, User has to click the Show Chart button. Then a window as shown in figure 4.5.1.13.6 given below will be displayed.
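The time-mismatch and signature-mismatch rules above, applied to a constructed set of file entries in Python (an added example, not CyberCheck's own code; the signature table, the FileEntry fields and the third time-mismatch case taken from the figure 4.5.1.13.9 discussion are assumptions made for the illustration):

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed table of well-known file signatures (magic bytes) and the
# extensions each is expected to carry. Real signatures, small subset only.
SIGNATURES = {
    b"\xFF\xD8\xFF": {"jpg", "jpeg"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"%PDF": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx"},
    b"GIF8": {"gif"},
}


@dataclass
class FileEntry:
    path: str
    created: datetime
    accessed: datetime
    modified: datetime
    header: bytes           # first few bytes of the file content
    deleted: bool = False   # red circle in the chart when True, green otherwise


def time_anomalies(f):
    """Return the reasons a file counts as time mismatched (empty if none).

    The first two cases are the ones Time Anomaly Only is defined by; the
    third is the extra case mentioned in the figure 4.5.1.13.9 discussion.
    Dates are compared by date only where the manual says "date" and by
    date and time where it says "date and time".
    """
    reasons = []
    if f.modified < f.created:
        reasons.append("modified date and time before created date and time")
    if f.accessed.date() < f.created.date():
        reasons.append("accessed date before created date")
    if f.modified.date() > f.accessed.date():
        reasons.append("modified date later than last accessed date")
    return reasons


def signature_mismatch(f):
    """True if the header matches a known signature whose extension set does
    not contain the file's extension. Unknown headers are never flagged."""
    ext = f.path.rsplit(".", 1)[-1].lower() if "." in f.path else ""
    for magic, exts in SIGNATURES.items():
        if f.header.startswith(magic):
            return ext not in exts
    return False


def timeline_filter(files, option):
    """Apply the Advanced Options radio button to a list of FileEntry.

    option is "time", "signature" or "either", mirroring Time Anomaly Only,
    Signature Mismatch Only and Time Anomaly & Signature Mismatch Only.
    Returns (path, marks) pairs; marks lists the extra circles drawn beside
    the file's own circle: "yellow" for time anomaly, "violet" for mismatch.
    """
    result = []
    for f in files:
        marks = []
        if time_anomalies(f):
            marks.append("yellow")
        if signature_mismatch(f):
            marks.append("violet")
        keep = {"time": "yellow" in marks,
                "signature": "violet" in marks,
                "either": bool(marks)}[option]
        if keep:
            result.append((f.path, marks))
    return result


def sample_files():
    """Constructed sample entries, not taken from any real evidence file."""
    t = datetime
    return [
        # ordinary JPEG: created, then modified, then accessed
        FileEntry("pictures/holiday.jpg", t(2003, 3, 1, 9, 0),
                  t(2003, 3, 5, 12, 0), t(2003, 3, 2, 10, 0), b"\xFF\xD8\xFF\xE0"),
        # backdated document: modified timestamp earlier than created
        FileEntry("docs/contract.pdf", t(2003, 6, 10, 8, 0),
                  t(2003, 6, 11, 8, 0), t(2002, 1, 1, 0, 0), b"%PDF-1.4"),
        # PNG content renamed to look like a text file (and deleted)
        FileEntry("notes/readme.txt", t(2003, 4, 1, 7, 0),
                  t(2003, 4, 2, 7, 0), t(2003, 4, 1, 7, 30),
                  b"\x89PNG\r\n\x1a\n", deleted=True),
        # header not in the table: cannot be judged, so never flagged
        FileEntry("misc/data.bin", t(2003, 5, 1, 7, 0),
                  t(2003, 5, 2, 7, 0), t(2003, 5, 1, 7, 30), b"\x00\x01\x02\x03"),
    ]
```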
Figure 4.5.1.13.6 Display of Timeline chart
The Timeline chart is a very important facility for the analyzing officer. A lot of information related to the case can be gathered from the timeline chart. The above chart shows details of a set of files which are selected based on modified time, having time anomaly or signature mismatch or both, either deleted or normal, within a time frame of 12/2002 to 11/2003. The Timeline view can be used for searching normal files only, deleted files only, signature mismatched files only, time anomaly files only, and so on. These are very good features from the cyber forensics analysis point of view. The set of files shown in the above chart is ordered by modified time. User can view the created time and last accessed time of a particular file by selecting the desired file from the chart as shown in figure 4.5.1.13.7 given below.
Figure 4.5.1.13.7 Display of Created, Modified and Last Accessed information in a Tool tip
If there is a large number of files in a timeline chart, the view of the chart will be cluttered as shown in figure 4.5.1.13.8 given below.
In this case, the timeline chart can be exploded to view more details of a particular area by zooming in on that area. User may select a desired area from the timeline chart by clicking the left mouse button and dragging over the desired area. On releasing the mouse button, the files included in the area will be displayed as the next timeline chart. This can be repeated till a reasonably good view of the chart is reached. User may go back to any previous level by selecting the Zoom Out menu item from the Timeline menu bar item. The Timeline view provides a number of other features also. If the User has opted to display signature mismatched files and the checking of the file signatures is not completed, a message will appear asking whether to complete the process of checking file signatures before displaying the timeline chart. If s/he chooses Yes, the timeline will get displayed after checking the remaining files. Otherwise, there may be some more signature mismatched files which fail to get displayed in the chart in the category of mismatched files, and there won't be a violet circle beside those files either. User can see a two-dimensional graph in which the X-axis indicates the year and the Y-axis indicates the Files. There are differently coloured marks on the graph. Green colour indicates that the particular file is a Normal file and red colour indicates that the file is a deleted file. Yellow colour indicates that there is a time anomaly associated with that particular file. This can occur if the created date of the file is later than either the modified date or the last accessed date of that file. It can also occur if the modified date is later than the last accessed date of that file. Consider figure 4.5.1.13.9 given below. The different options set for this view are: Search option - Selected Files, Files - Both, and Display by Time - Modified.
Figure 4.5.1.13.9 - TimeLine view of the Windows folder of the Evidence file
User may click the right mouse button on the Timeline chart for more options. If s/he right-clicks on the TimeLine view, s/he can see options like Zoom Out, Show Grid, Hide Grid, Options and Show Files. Initially, the Zoom Out option will be disabled. S/he can select a portion of the TimeLine view with the mouse: press the left mouse button at some point in the TimeLine view and drag the mouse so as to select a portion of the TimeLine view. Now s/he can see the TimeLine view of this selected portion. S/he can continue this until s/he gets the TimeLine of a single file. Now, if s/he clicks the right button of the mouse again, the Zoom Out option will be enabled. By selecting Zoom Out, s/he can go back to the previous view, i.e. to the view before selecting a portion of the TimeLine files. Inside the timeline view, left click and drag the mouse on the region where you wish to zoom in. A dotted rectangular path is drawn along the selection path indicating the selected region. User can continue this until s/he gets the TimeLine chart of a single file.
User can also get the Table View of these files. From the Timeline View, right-click the mouse button and then select Show Files. User can see the files in the Table view. By selecting the Options option, s/he can reset the various options for the TimeLine analysis. By selecting the Show Grid option, the Timeline view can be seen in grid form.
Timeline Display
The Timeline chart is displayed in the right pane when the Show Chart button is clicked after selecting the required options in the Timeline dialog box. The window given in figure 4.5.1.13.10 depicts a sample timeline display. The heading of the chart conveys the options selected by the user in the Timeline dialog box. The first part indicates whether the user has selected ALL FILES, SELECTED FILES or DATE in the search options. The second part shows the option chosen from Display by Time, so the display will be either ORDERED BY CREATED TIME, ORDERED BY LAST ACCESSED TIME or ORDERED BY MODIFIED TIME. The third part shows which advanced option is selected, and the corresponding display will be TIME ANOMALY, SIGNATURE MISMATCHED or TIME ANOMALY & SIGNATURE MISMATCHED. In the display area below the heading, User can see the number of time mismatched and signature mismatched files. In addition to the yellow and violet circles displayed beside the circles representing files that have mismatches, User can see the number of mismatched files on each vertical line of the graph here. The number of signature-mismatched files will be shown only if User has checked the Signature Mismatch Only option.
Timeline Chart
The chart will be represented as a cluttered graph if there is a large number of files. Along the horizontal line, the date and time is displayed. The horizontal line in the chart, or the x-axis, is divided depending upon the dates and times that are to be displayed. Along the Y-axis, the names of files are plotted.
The files can be plotted on the basis of created, last accessed or modified date. Let us take for example that we are going to plot on the basis of created date. Then the x-axis will be divided in one of the following ways.
a) Suppose the evidence file has several files and the files are created over a large period of time; then all the years of the requested files cannot be plotted on the x-axis with distinction. For example, if one file is created in 1980, another file is created in 2000 and some other files are created in 2050, then if we plot the graph with every year between 1980 & 2050, the graph will be cluttered. CyberCheck handles this by displaying files created in more than one consecutive year over each vertical line. The range depends on the variation between the minimum and maximum of the file-created dates. For example, the range can be something like 2000-2005, 2006-2010 and so on, or 2000-2009, 2010-2019, 2020-2029, 2030-2039 and so on.
b) If all the files to be displayed in the chart are of a single year, then the files are plotted based on the months in which they were created.
c) If the files are scattered within a single month, then they will be plotted based on the created date.
d) If the files are created on the same day, then they are plotted on the basis of the created hour.
e) If the hour is also the same, then depending on the minute.
f) And if the minute is also the same, depending on the second.
Along the y-axis (left-most vertical line) we can see the filenames of the files plotted in the graph (only if the number of files is limited). The legend (Timeline Legend), which is displayed in the bottom left corner, gives information as to what each circle in the timeline view represents. The green circle represents a normal file, the red circle a deleted file, the yellow circle a time anomaly file and the violet circle a signature mismatched file.
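The x-axis division of cases a) to f), carried through as an added Python example that is not CyberCheck's code; the candidate year widths and the limit of ten vertical lines are assumptions, since the manual gives only sample ranges:

```python
import math
from collections import Counter
from datetime import datetime

# Candidate widths (in years) of one vertical line when the files span
# several years, giving ranges like 2000-2004 or 2000-2009 as in the manual.
YEAR_STEPS = (1, 5, 10, 20, 50, 100)


def year_step(span_years, max_buckets):
    """Smallest width that keeps the number of year ranges within max_buckets."""
    for step in YEAR_STEPS:
        if math.ceil(span_years / step) <= max_buckets:
            return step
    return YEAR_STEPS[-1]


def axis_buckets(stamps, max_buckets=10):
    """Divide the x-axis the way cases a) to f) describe.

    stamps: the datetimes selected by Display by Time (created, last accessed
    or modified) for every file to be plotted.
    Returns (level, [(label, count), ...]) with one entry per vertical line,
    including empty lines between the first and the last file.
    """
    if not stamps:
        return "none", []
    lo, hi = min(stamps), max(stamps)

    if lo.year != hi.year:                                    # case a)
        step = year_step(hi.year - lo.year + 1, max_buckets)
        base = lo.year - lo.year % step                       # align to 2000, 2010, ...
        key = lambda d: (d.year - base) // step
        label = (lambda k: f"{base + k * step}" if step == 1
                 else f"{base + k * step}-{base + (k + 1) * step - 1}")
        level, first, last = "year", 0, (hi.year - base) // step
    elif lo.month != hi.month:                                # case b)
        key, label = (lambda d: d.month), (lambda k: f"{lo.year}-{k:02d}")
        level, first, last = "month", lo.month, hi.month
    elif lo.day != hi.day:                                    # case c)
        key, label = (lambda d: d.day), (lambda k: f"{lo:%Y-%m}-{k:02d}")
        level, first, last = "day", lo.day, hi.day
    elif lo.hour != hi.hour:                                  # case d)
        key, label = (lambda d: d.hour), (lambda k: f"{lo:%Y-%m-%d} {k:02d}h")
        level, first, last = "hour", lo.hour, hi.hour
    elif lo.minute != hi.minute:                              # case e)
        key, label = (lambda d: d.minute), (lambda k: f"{lo:%Y-%m-%d %H}:{k:02d}")
        level, first, last = "minute", lo.minute, hi.minute
    else:                                                     # case f)
        key, label = (lambda d: d.second), (lambda k: f"{lo:%Y-%m-%d %H:%M}:{k:02d}")
        level, first, last = "second", lo.second, hi.second

    counts = Counter(key(d) for d in stamps)
    return level, [(label(k), counts.get(k, 0)) for k in range(first, last + 1)]


def stamps(*iso):
    """Constructed timestamps from ISO 8601 strings, e.g. '2003-05-20T09:05'."""
    return [datetime.fromisoformat(s) for s in iso]
```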
lower resolutions to be displayed or when the chart reaches its initial state.
4.5.1.13.4 Options
On selecting this menu item, the Timeline Option window is displayed. It can then be used to redefine the view options of the timeline chart, like viewing only time-mismatched files etc. Thus User can reset the various options for the TimeLine analysis. User should make use of this facility for having different combinations of timeline features. That means, suppose you want to see the time anomaly files only. From the options, you can select the Time Anomaly Only radio button and press Show Chart button for displaying time anomaly files only in the timeline chart. Now, if you want to see the signature mismatched files, you have to select the Signature Mismatch Only radio button and press Show Chart button to display the signature mismatched files in the timeline chart.
Figure 4.5.1.13.11 - List of files available in the current timeline chart
The list of files available in the current timeline chart can also be viewed from the left pane by selecting the Timeline Files item. When this item is selected, if a previous timeline analysis has been made, then the files of the last timeline chart will be displayed in the Table view as shown in the above figure.
Figure 4.5.1.14.1.1 Selecting Partition Recovery option from main menu
A dialog box as shown in figure 4.5.1.14.1.2 will be displayed for selecting the option for Partition Recovery. In the Best option, each and every sector in the evidence file will be scanned; in the Fast option, only sectors whose sector number is a multiple of 63 will be scanned.
The partition recovery process starts when the OK button is clicked, and its progress is represented by a progress bar as shown in figure 4.5.1.14.1.4 given below.
Figure 4.5.1.14.1.4 Progress of the Partition Recovery.
You have to wait till the progress bar reaches 100%. The number of partition(s) recovered is displayed in a message box as shown in figure 4.5.1.14.1.5 given below.
Click the OK button. It will take some time to load the recovered partition(s). The recovered partition(s) will be displayed below the existing partitions in the Probe view. Their names will start with Rec-. For example, if two partitions have been recovered, then the first partition will be shown with the name Rec-1 and the second one with the name Rec-2. To see the files & folders of the recovered partition(s), click on the + symbol near the partition name (as for an existing partition). This is illustrated in figure 4.5.1.14.1.6 given below.
Figure 4.5.1.14.1.6 Display of Recovered Partitions
Note: You may cancel the partition recovery process by clicking the Cancel button that appears on right-clicking the progress bar. After cancelling, if you try to recover partitions by clicking the menu option again, the recovery process will start from the first sector (i.e. it won't be a continuation of the previous process).
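The Best and Fast scans on a constructed disk image, as an added Python example (not CyberCheck's code; the boot-sector test is a simplified assumption). The multiple of 63 comes from legacy CHS geometry with 63 sectors per track, so the image also carries a boot record at LBA 2048, the 1 MiB alignment newer Windows versions use, which the Fast scan never visits.

```python
SECTOR_SIZE = 512


def looks_like_boot_sector(sector):
    """Cheap test used by the scan below (an assumption, not CyberCheck's
    actual heuristic): a volume boot record ends with the 0x55 0xAA
    signature and, for FAT/NTFS volumes, starts with a short or near
    jump opcode (0xEB or 0xE9)."""
    return (len(sector) == SECTOR_SIZE
            and sector[510:512] == b"\x55\xAA"
            and sector[0] in (0xEB, 0xE9))


def scan_for_boot_sectors(image, fast):
    """Return the LBA numbers whose sector looks like a boot sector.

    fast=False is the Best option (every sector is examined);
    fast=True is the Fast option (only sector numbers that are multiples
    of 63, including sector 0).
    """
    total = len(image) // SECTOR_SIZE
    step = 63 if fast else 1
    hits = []
    for lba in range(0, total, step):
        sector = image[lba * SECTOR_SIZE:(lba + 1) * SECTOR_SIZE]
        if looks_like_boot_sector(sector):
            hits.append(lba)
    return hits


def make_boot_sector(oem_name):
    """Minimal constructed boot sector: jump, 8-byte OEM name, 55 AA trailer."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\x3C\x90"
    sec[3:11] = oem_name.ljust(8)[:8]
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def build_sample_image():
    """Constructed 2 MiB image (all zeros) with two volume boot records:
    one at LBA 63, the legacy CHS alignment the Fast option is built
    around, and one at LBA 2048 (1 MiB alignment), which is not a
    multiple of 63 and therefore only the Best scan can find."""
    img = bytearray(4096 * SECTOR_SIZE)
    img[63 * SECTOR_SIZE:64 * SECTOR_SIZE] = make_boot_sector(b"MSDOS5.0")
    img[2048 * SECTOR_SIZE:2049 * SECTOR_SIZE] = make_boot_sector(b"NTFS    ")
    return bytes(img)
```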
CyberCheck will display all the available partitions, and a dialog is displayed for selecting the partition(s) you want to recover. Figure 4.5.1.14.2.2 given below illustrates this feature. The partition recovered using Format Recovery is added to the Probe view as another partition, similar to the actual partitions available in the evidence file. The recovered partitions may not be complete, and it may not be possible to recover the contents of the recovered partitions completely.
Figure 4.5.1.14.2.2 Display of partitions available in an evidence file
You may tick the Select All option if you want to recover all partitions. Otherwise, select the needed partition(s) by ticking the box beside each. This is shown in figure 4.5.1.14.2.3 below.
Figure 4.5.1.14.2.3 Selecting partitions for Format Recovery
After your selection, click the OK button. The Format Recovery process starts and its progress is shown by a progress bar as shown in figure 4.5.1.14.2.4 given below.
Figure 4.5.1.14.2.4 Progress of the Format Recovery
The progress bar displays the drive letter of the partition whose format recovery is currently in progress. You have to wait till the progress bar reaches 100%. When it reaches 100%, the format recovery for all selected partitions will be completed. Then a message box is displayed as shown in figure 4.5.1.14.2.5 given below to show the process completion.
Figure 4.5.1.14.2.5 Display of the end of Format Recovery process
Click the OK button. The recovered files and folders, if any, can be viewed by moving to the respective partition and looking for a folder named Format Recover. This folder will contain other folders (names starting with CNo_) and they will contain the files recovered. This is illustrated in figure 4.5.1.14.2.6 given below.
Figure 4.5.1.14.2.6 Display of recovered files and folders
If you have selected all the partitions listed, then the menu option Format Recovery will be disabled after the format recovery completes. If the Format Recovery process is cancelled or not all partitions are selected, then the menu option is not disabled.
Note: You may cancel the format recovery process by clicking the Cancel button that appears on right-clicking the progress bar. After cancelling, if you try to recover partitions by clicking the menu option again, the selection screen will display only those partitions whose format recovery was not completed before the cancellation (i.e. if the format recovery of some of the selected partitions had already been completed before the cancellation, those partitions are not displayed next time; it is like a continuation of the previous recovery).
4.5.1.15.2 Hasher
The Hasher utility provides a way to check the data integrity of a file or a sequence of data bits. User can select a file to be hashed. This can be a flat file or a TrueBack image. Similarly the user can select any one of the hashing algorithms MD5, SHA-1 or HMAC. For MD5 and HMAC you will get a 16-byte digest and for SHA-1 you will get a 20-byte digest. Hasher Utility can be invoked by selecting the Tools|Hasher menu item from the main menu. When this menu item is clicked, main menu of the Hasher will be displayed.
User may use this utility for checking the data integrity of any file (flat image) or that of a TrueBack image. Refer to the User Manual of Hasher for more details of the working of the Hasher Utility.
Insert a new floppy into the floppy drive and specify the type of boot floppy to be created in the above dialog box. Click the OK button to continue with boot floppy creation. The message box shown in figure 4.5.1.15.3.3 given below will be displayed to warn that the content of the floppy will be lost.
Figure 4.5.1.15.3.3 Message box displaying warning
If you want to continue with the boot floppy creation, click on the Yes button. A progress bar as given in figure 4.5.1.15.3.4 below will be displayed to indicate the status of the process.
Figure 4.5.1.15.3.4 Progress bar to indicate the status of Boot floppy creation
When the boot floppy creation is completed, a message box as shown in figure 4.5.1.15.3.5 will be displayed, prompting the user to label the floppy as the selected type.
Figure 4.5.1.15.3.5 Message Box showing the completion of boot disk creation.
4.5.1.16 Language
When the Language menu is changed to Hindi, the characters are shown as small squares, as in figures 4.5.1.16.1 and 4.5.1.16.2 below. This is because the operating system doesn't support Hindi or Tamil by default.
Figure 4.5.1.16.1 - Display of Language support when Hindi language is not supported by the Operating System.
Figure 4.5.1.16.2 - Display of Language support when Tamil language is not supported by the Operating System.
In order to show the characters correctly, refer to the section How do I display Unicode on my computer? given below.
After enabling Hindi in the operating system, the CyberCheck application is able to display the Hindi interface as shown in figures 4.5.1.16.3 and 4.5.1.16.4 given below.
Figure 4.5.1.16.3 - Display of Language support when Hindi language is supported by the Operating System.
1. Support for Hindi IMEs (Input Method Editors) must be enabled on the PC before the IME can be used. If Windows 2000 is installed on the PC and support is to be enabled for Hindi, the user must go to Control Panel, then on to Regional Options. In the option titled Language Settings for the System, check the Indic box as shown in figure 4.5.1.16.5 given below. Then insert the Windows 2000 CD into the CD-ROM drive to complete the configuration for the installation as shown in figure 4.5.1.16.6 given below.
Figure 4.5.1.16.5 Enabling Indic option in Regional Options settings
Figure 4.5.1.16.6 Installing language support in Windows 2000.
If Windows XP is installed on the PC, the user must go to Control Panel and then on to the button titled Regional and Language Options. Three options will appear as tabs: Regional Options, Languages and Advanced. Select the Languages tab. Check the box titled Install files for complex scripts and left-to-right languages (including Thai) and click Apply. Then insert the Windows XP CD to finish the configuration as shown in figure 4.5.1.16.7 given below.
Figure 4.5.1.16.7 Installing language support in Windows XP
2. Restart the computer.
3. The next step is to enable the recognition of the keyboard layout that a change in language would necessitate.
If Windows 2000 is installed on the PC, the user must go to Control Panel and then on to the Text Services section. In the Installed Services section, select the keyboard under an option titled HI and click Add. Then, select the Hindi option in the Input Language section and check the Keyboard Layout /IME box. Now, select the Indic IME 1 option from the choices available. These are illustrated in figure 4.5.1.16.8, figure 4.5.1.16.9 and figure 4.5.1.16.10 given below.
Figure 4.5.1.16.8
Figure 4.5.1.16.9
Figure 4.5.1.16.10
o If Windows XP is installed on the PC, the user must go to the Control Panel and then on to the Regional and Language Options button. Of the three tabs available, select the Languages tab. Then click on the Details... button in the Text services and input languages section. In the window that opens, select Hindi as the input language and add Hindi Traditional as the keyboard. Follow all relevant steps similar to the installation on Windows 2000 and select Indic IME 1 as the option.
Figure 4.5.1.16.11
4. After the installation is complete, start any Office application, including WordPad or Notepad. Click the Language Indicator located in the System Tray on the right side of the Windows taskbar, and click to select Indic IME 1 from the shortcut menu that appears.
4.5.1.16.1.1 English
By default, the language selected when starting CyberCheck is English.
4.5.1.16.1.2 Hindi
From the main menu, select Language | Hindi menu item as given in figure 4.5.1.16.2.1 given below.
While Loading and Analyzing an Evidence File, its progress is represented by a progress-bar as shown in figure 4.5.1.16.2.3 given below.
Figure 4.5.1.16.2.3 Progress Bar While Loading and Analyzing Evidence File
The Interface after Loading an Evidence File is as shown in the figure 4.5.1.16.2.4 given below.
Figure 4.5.1.16.2.4 Analysis Window Interface in Hindi
Menu items are changed into Hindi as shown in figure 4.5.1.16.2.5.
Figure 4.5.1.16.2.5 Display All Menu items are changed into Hindi
A dialog box in Hindi is as shown in figure 4.5.1.16.2.6.
Figure 4.5.1.16.2.6 Display of a dialog box in Hindi
Pop-up menu items in Hindi are as shown in figure 4.5.1.16.2.7.
Figure 4.5.1.16.2.7 A pop-up menu in Hindi
The interface can be changed back into English by selecting English from the Language menu as shown in figure 4.5.1.16.2.8.
Figure 4.5.1.16.2.8 Select English from the Language menu
The interface changed back to English is shown in figure 4.5.1.16.2.9.
4.5.1.16.1.3 Tamil
All the interfaces and messages will be displayed in Tamil on selecting Tamil from the Language main menu item. Other details are similar to the explanation given for Hindi.
4.5.1.17 Help
CyberCheck provides an on-line help facility similar to the Help provided in any other Windows application. The help facility can be invoked by selecting the Help menu item from the main menu as shown in Figure 4.5.1.17.1 given below.
Figure 4.5.1.17.1 Selecting Help option from main menu
The user may select the Contents sub-menu item for details regarding the working of CyberCheck.
The eighth item in the toolbar also has the same functionality.
4.5.1.17.2 Contents
From the main menu, select Help | Contents menu item as given in Figure 4.5.1.17.1. The Help window appears as shown in figure 4.5.1.17.2.1. To scroll through a table of contents for Help, click the Contents tab. To search a topic by typing the first few letters of the word you're looking for, click the Index tab. When you want to search for specific words or phrases, click the Find tab.
4.5.2.2 Copy
Refer Section 4.5.1.2.1
4.5.2.8 About
Refer Section 4.5.1.17.1
pane, its folders and files are displayed in the Table View (See Table View below) of right pane. If a file is selected from the Tab View, contents of the file will be displayed in the Text View (See Text View below) of the bottom pane. The probe view contains details of different partitions available in an evidence file. These details can be viewed by clicking on the plus (+) sign on the left. Figure 4.5.3.1.1 given below shows the expanded view of the probe view.
Figure 4.5.3.1.1 Probe view with expanded evidence file content
A number of facilities have been provided in the Probe view. When the user clicks on a particular item in the Probe view, depending upon the nature of the item and the particular tab selected in the right pane, more details will be displayed in the right pane. The default tab selected in the right pane is the Table view. If the item clicked in the Probe view is the Probe, details of the image file loaded will be displayed in the right pane. If the item clicked is the evidence file, details of the number of partitions available in the evidence file will be displayed in the right pane. If the item clicked is the root folder, details of the sub-folders and files available in the root folder will be displayed in the right pane. If the item clicked is a sub-folder, details of the sub-sub-folders and files available in the sub-folder will be
displayed in the right pane. The user can select a particular item displayed in the Probe view by clicking on the small square provided adjacent to that item. If the item selected is the root folder, all the subfolders and files available in the root folder will be selected and a black dot will be placed inside the small square to indicate that that particular item has been selected. The small squares of the partition, evidence file and Probe will also be marked. All the items in the Table view will also be marked. This is shown in Figure 4.5.3.1.2 given below.
Figure 4.5.3.1.2 Display of selected items from the Probe view
If the user wants to select a particular item from the Table view, the user may click on the small square provided in the Table view adjacent to the different items. When it is marked in the Table view, the sub-folder containing the item in the Probe view, all the parent folders, partition, evidence file and Probe will also be marked as shown in Figure 4.5.3.1.3 given below. If the partition being analysed is an NTFS one, then CyberCheck will add an extra folder named Lost & Found to each NTFS partition to hold the deleted files found in that partition (if any) for which the correct path cannot be recovered.
Figure 4.5.3.1.3 Display of a particular item selected
If the user wants to see the complete folders and files available at a particular level of the evidence file, the user may click on the D-shaped item provided in the Probe view. This is the Expansion Trigger or One Shot facility provided in CyberCheck. Depending upon the level of selection, all the files available at that level as well as all the sub-folders and their structures will be displayed in the Table view as shown in Figure 4.5.3.1.4 given below.
Figure 4.5.3.1.4 Display of Expansion Trigger facility
The Probe view also supports a facility for appending an item from the Probe view into the report as well as a facility to export the folder structure into a file. The commands for these facilities are Append Folder structure to report and Export Folder structure. By clicking the right mouse button on the item of interest in the Probe view, the user can select these commands. When the first command is selected, the folder structure will be appended to the Analysis report. When the second command is selected, the folder structure will be exported to a default file in the export folder path after creating a sub-folder having the evidence file name as the name of the sub-folder. The name of the default file is FolderFileStructure.doc.
CyberCheck also supports a facility for loading and analysing evidence files containing dynamic disks. A dynamic disk is a type of disk structure supported by the Windows XP Professional edition. Dynamic disks first appeared in Windows 2000 and are only compatible with the Windows 2000 and Windows XP Professional operating systems; Windows XP Home Edition does not support dynamic disks. A dynamic disk contains dynamic volumes rather than partitions, making it possible to have an unlimited number of logical drives. Another big difference between basic and dynamic disks is that there is no Master Boot Record (MBR) on a dynamic disk. Instead, the layout of the disk volumes is stored in a database kept in the last 1 MB of the disk. Dynamic disks allow a number of different disk structures that aren't available on basic disks. This facility enables the analysis of dynamic disk volumes like Simple Volume, Striped Volume and Mirrored Volume. When an evidence file is loaded, the evidence file name will be added in the Probe view as shown in Figure 4.5.3.1.5 given below. If an evidence file does not contain any dynamic disk structure, drive letter(s) will be assigned to the evidence file depending upon the number of partitions available in the evidence file for further processing. In the case of an evidence file having a dynamic disk structure, no drive letter will be assigned to it. This is one indication for identifying evidence files having dynamic disk structures. These evidence files can also be easily identified with the help of the special icon used in the Probe view to indicate them, as shown in figure 4.5.3.1.5 given below.
Figure 4.5.3.1.5 - Probe view with evidence file having dynamic disk structure
When a dynamic disk image is loaded, it won't show any drives or data in the evidence. To view the folder structures and files contained in a dynamic disk structure, a dynamic disk has to be created from the image. CyberCheck provides a facility to make dynamic disk evidence from the image. Select the dynamic disk image from the Probe view and click the right mouse button. A context menu as shown in figure 4.5.3.1.6 given below will be displayed.
Figure 4.5.3.1.6 - Context menu for selecting Make Dynamic Disk Evidence option
From the context menu, click on the Make Dynamic Disk Evidence option. It may be noted that a dynamic disk may consist of more than one physical disk. In this case, there will be more than one image file as well. Before clicking on the Make Dynamic Disk Evidence option, all image files must be loaded into the CyberCheck environment using the Evidence|Add Evidence facility. For example, the evidence file DynamicDisk140MB consists of two physical disks and correspondingly two evidence files, DynamicDisk140MB_1 and DynamicDisk140MB_2. Before making the dynamic disk evidence, the second image file also has to be added into the CyberCheck environment. If you try to make the dynamic disk evidence without adding all the constituent images, the system will warn you to add the missing image file as shown in figure 4.5.3.1.7 given below.
Figure 4.5.3.1.7 - Message window indicating the missed dynamic disk image
If all image files are available in the CyberCheck environment, selecting the Make Dynamic Disk Evidence option will create a dynamic disk group under which all the partitions of the corresponding dynamic disk are listed as shown in figure 4.5.3.1.8 given below.
Figure 4.5.3.1.8 - Probe view displaying the dynamic disk and available volumes in the disk.
Above figure shows a dynamic disk SanjeevDg0 with three volumes Span1, Simple1 and Stripe1. These volumes can be expanded and the contents can be viewed in the Probe view as shown in the figure 4.5.3.1.8.
We can start viewing the contents of the evidence file by expanding the plus sign on the left of the evidence file name. Under each evidence file entry, there is one Slack entry and one or more partition entries. The Slack entry contains the Disk slack details as shown in the following figure 4.5.3.1.9 given below.
Figure 4.5.3.1.9 Selecting Disk Slack from Table View
This window shows part of the different slacks available in an evidence file. It consists of Disk Slack, MBR Slack and EMBR Slack. Slack is an ambient data area that cannot be easily accessed and is very important in cyber forensics analysis. CyberCheck extracts the data available in these areas and makes it available to the analysing officer for gathering evidence. Disk slack is those sectors which are not allocated to any of the partitions in a disk. MBR slack is the Master Boot Record slack, which is the unused sectors of the 0th cylinder in a disk. Only the first sector in the 0th cylinder is used for writing the MBR; the rest of the sectors are left unused for future use.
Within a disk, it is possible to have extended partitions. Extended partitions are also treated as separate disks and can have Extended Master Boot Records (EMBRs). EMBRs can have EMBR slack. Since a disk can have more than one extended partition, EMBR slacks are numbered EMBR1, EMBR2, and so on, depending upon the number of extended partitions available in the disk. The user can view the content of any of the slacks, if available, by clicking on the item. The content will be displayed in the bottom pane.
Other items available in the Probe view are Timeline Files and Temporary Files. Nothing is shown under these items when the evidence file is loaded or at the start of the analysis process. Unless we select the Temporary Files option from the View menu and run it, we can't see any contents under Temporary Files. If the evidence file contains items in the temporary folder, these will be displayed in the Table view when the Temporary Files item is clicked. The same is the case with the Timeline Files item: we can see entries under it only after some Timeline analysis or search process has been done. If the file system being analyzed is a Linux (Ext2) file system, the Temporary Files option will not display any file. Moreover, in Ext2, deleted files are all stored in a folder Lost & Found at the end of each partition (even if there are no deleted files, this folder will be displayed). There can be Swap partitions in Ext2, which do not store any files/folders.
The number of partition entries in the Probe view depends on the number of partitions available in the evidence file. Under each partition entry, there will be one Slack entry and zero or more folder entries. The number of folder entries depends on the number of folders available in the current partition. If there are subfolders for a particular folder, a plus sign will appear on the left side of the folder.
When the Slack item at the partition level is selected, a window as given in Figure 4.5.3.1.10 below will be displayed containing details of the other part of the different slacks available in an evidence file. The right pane shows three entries, viz., Partition Slack, File Slack and RAM Slack. CyberCheck extracts the data available in these areas and makes it available to the analysing officer for gathering evidence.
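The slack areas listed at the disk level (Disk Slack and MBR Slack) and at the partition level (Partition Slack, File Slack and RAM Slack) are all derived from the disk geometry. The following Python program is an added example written for this manual page, not CyberCheck's own code: it parses a constructed MBR partition table, works out each slack region for a constructed 128-sector image, and carves the bytes left behind in a file's slack. The geometry (512-byte sectors, 4 sectors per cluster, a data area starting two sectors into the partition) and the rule that MBR slack is the gap between sector 0 and the first partition are assumptions made for the example.

```python
# Added example for this manual page, not CyberCheck's own implementation.
# Shows how the slack areas listed in the Probe view (disk, MBR, partition,
# file and RAM slack) follow from the disk geometry.  The image, its
# partition table and the file inside it are constructed inline; 512-byte
# sectors and 4 sectors per cluster are assumptions.
import struct

SECTOR = 512


def parse_mbr(mbr: bytes):
    """Return [(lba_start, sector_count), ...] for the used entries of an MBR
    partition table (four 16-byte entries at byte 446, 0x55AA signature)."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        # entry layout: status(1) chs(3) type(1) chs(3) lba_start(4) count(4)
        ptype, lba_start, count = struct.unpack_from("<B3xII", mbr, off + 4)
        if ptype != 0 and count:
            parts.append((lba_start, count))
    return parts


def mbr_slack_sectors(parts):
    """MBR slack: only sector 0 holds the MBR; the sectors before the first
    partition are left unused (assumes partitions start after the MBR track)."""
    first = min(start for start, _ in parts)
    return list(range(1, first))


def disk_slack_sectors(total_sectors, parts):
    """Disk slack: sectors from the first partition onward that belong to no
    partition (gaps between partitions and the tail of the disk)."""
    allocated = set()
    for start, count in parts:
        allocated.update(range(start, start + count))
    first = min(start for start, _ in parts)
    return [s for s in range(first, total_sectors) if s not in allocated]


def partition_slack_sectors(part_sectors, data_start, spc):
    """Partition slack: sectors after the last whole cluster up to the end of
    the partition. data_start is the first data-area sector in the partition."""
    return (part_sectors - data_start) % spc


def file_slack(size, spc):
    """(ram_slack, file_slack) in bytes. RAM slack runs from the end of the file
    to the end of its last sector; file slack runs from the end of the file to
    the end of the file's last cluster (so it contains the RAM slack)."""
    ram = (-size) % SECTOR
    whole = (-size) % (spc * SECTOR)
    return ram, whole


def carve_file_slack(image, part_start, data_start, spc, first_cluster, size):
    """Return the bytes sitting in a file's slack, the region CyberCheck lists
    under File Slack for that file."""
    cluster = spc * SECTOR
    file_off = (part_start + data_start) * SECTOR + first_cluster * cluster
    _, whole = file_slack(size, spc)
    return bytes(image[file_off + size:file_off + size + whole])


def build_demo_image():
    """Constructed 128-sector image: one FAT16-type partition at LBA 8 spanning
    100 sectors, whose data area starts 2 sectors in; cluster 0 holds a
    1000-byte file followed by leftover bytes 'OLD!' in its slack."""
    image = bytearray(SECTOR * 128)
    image[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x06, b"\0\0\0", 8, 100)
    image[510:512] = b"\x55\xaa"
    file_off = (8 + 2) * SECTOR          # partition start + data_start, cluster 0
    image[file_off:file_off + 1000] = b"A" * 1000
    image[file_off + 1000:file_off + 1004] = b"OLD!"   # residue of an earlier file
    return bytes(image)


if __name__ == "__main__":
    img = build_demo_image()
    parts = parse_mbr(img[:SECTOR])
    print("partitions:", parts)
    print("MBR slack sectors:", mbr_slack_sectors(parts))
    print("disk slack sectors:", disk_slack_sectors(128, parts))
    print("partition slack (sectors):", partition_slack_sectors(100, 2, 4))
    print("RAM/file slack of 1000-byte file:", file_slack(1000, 4))
    print("carved slack starts with:", carve_file_slack(img, 8, 2, 4, 0, 1000)[:4])
```

The 1000-byte file ends 24 bytes short of its second sector and 1048 bytes short of its 2048-byte cluster, so the RAM slack is 24 bytes and the file slack 1048 bytes; the carved slack begins with the residue the earlier file left there, which is exactly what the File Slack search facility is meant to surface.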
Figure 4.5.3.1.10 Selecting File Slack from Table View
The Partition slack is those sectors between the last cluster of a partition and the end of the partition. File slack is the number of bytes that may be available between the end of a file and the end of the last cluster of that file. The File Slack item given in this view contains all the slacks of individual files available in an evidence file. This is an important facility provided in CyberCheck for easy searching of file slack. RAM slack is the number of bytes that may be available between the end of a file and the end of the sector containing the end of that file. The user can view the content of any of the slacks, if available, by clicking on the item. The content will be displayed in the bottom pane.
4.5.3.2 Keywords View
The user can start this view by clicking the Keywords tab in the left pane. This is the view where the user can make a list of all the search terms. All the keyword search results will be listed here. Figure 4.5.3.2.1 given below shows the Keywords TabView.
Figure 4.5.3.2.1 - Keywords TabView
The view contains two items initially, viz., KeyWords and Recycle Bin. Keywords are required to start a search process. The desired keywords can be added to the list of keywords either by right clicking on the KeyWords item or by selecting the Keywords|Add Keyword menu item from the menu bar. It can also be done by pressing Ins on the keyboard when the Keywords tab is active. When right clicking on the KeyWords item in the left pane, the Add Keyword submenu item will be displayed. When this item is selected, the dialog box shown in Figure 4.5.3.2.2 below will be displayed for entering the desired keyword, say, cyber. Any number of keywords can be entered by just clicking the Add Keyword button in the dialog box. This facility helps the Investigating Officer add a large number of keywords without calling the dialog every time.
After entering the keyword, when the user presses the OK or Add Keyword button, the keyword will be added to the list of keywords as shown in Figure 4.5.3.2.3 given below. To add more keywords, press Add Keyword after entering each keyword; any number of keywords can be added this way. If OK is pressed, the dialog box will disappear.
Figure 4.5.3.2.3 List of keywords added
In the same manner, the user may add any number of keywords. At the end of the search process, a message box showing the total number of hits and the elapsed time is displayed as shown in figure 4.5.3.2.5. For each search operation, a new session will be created in the Search view under the keyword folder, named session followed by a number.
Figure 4.5.3.2.5 - Window showing search session completed
For more detailed help, refer to section 4.5.1.7.
Figure 4.5.3.3.1 - Bookmarks TabView
The Bookmarks tab view provides three options namely:
BookMarks - This contains information regarding the bookmarked folders, files and selected data in separate folders.
Recycle Bin - The entries deleted from the BookMarks item move to the respective folder in the Recycle Bin.
The BookMarks and Recycle Bin items contain three items namely:
Folders - This contains information regarding all the bookmarked folders.
Files - This contains information regarding all the bookmarked files.
Selected Data - This contains the information regarding the data selected for bookmarking during the analysis.
Folder bookmarking and file bookmarking can be done only from the Table view in the right pane. Selected data bookmarking can be done only from the Text view in the bottom pane. This is done by selecting the data to be bookmarked, right clicking the mouse and then bookmarking that data. A sample bookmarked data item is shown in Figure 4.5.3.3.2 given below.
Figure 4.5.3.3.2 Selected data that is bookmarked
The right pane shows a number of different attributes of the bookmarked data, which include the name of the file in which the data is available, whether the file is deleted, the file type, a comment about the bookmarked item, etc. The comment is available as the last item of the attributes.
4.5.3.4 Search View
Search results for keyword search and file search are listed in the Search view. Figure 4.5.3.4.1 given below shows the Search view.
The Search tab view provides three options namely:
Search Result - This contains the results of File Search and Keyword Search.
Recycle Bin - The sessions deleted from the Keyword Search move to the Recycle Bin.
The Search Result contains three items namely:
Keyword Search - This contains keyword search results in different sessions.
File Hash - This contains the results of file search by file hash value.
File Extension - This contains the results of file search by extension.
A sample search with the File Extension folder active is shown in Figure 4.5.3.4.2 given below.
Figure 4.5.3.4.2 Search view with file extension active
The right pane shows the files obtained when performing a file search with the .doc extension.
Table View
Figure 4.5.4.1.1 Table view tab in the Right Pane
The various file attributes are as follows. Four fields indicate whether the file is:
Deleted (DL)
Date mismatch (DM)
Signature mismatch (SM)
Overwritten (OW)
Following the above four, the other file attributes available are: File Name, Short Name, File Extension, Logical Size, Starting Cluster, File Type, Signature Description, Last Accessed, Last Written, Created, Is Bookmarked, Full Path, Hash Value and Hash Set. A detailed description of each of the fields in the Table view is given in the table below.
Field - Value
No. - Serial number. There may be icons in this field depending on the item. Clicking on the square box selects the file or folder / item. If the selected item contains sub-items they will also be selected. If the item is deleted, a red cross symbol will appear in this field.
DL - Whether deleted or not
DM - Whether there is a date mismatch or not
SM - Whether there is a signature mismatch or not. Valid only after a check for file signature is made.
OW - Whether overwritten or not
File Name - Actual file / folder / partition / item name
Short Name - The DOS name. For some file systems, this value may be absent.
File Ext. - File extension
Logical Size - File size
Starting Cluster - The cluster number at which the item begins in the media
File Type - The content type of the file. This may change after a signature check is made.
Description - Gives a brief description of the file / folder
Last Accessed - The date of last access of the file / folder
Last Written - The date of last writing to the file / folder
Created - The date of creation of the file / folder
Is Bookmarked - Whether bookmarked or not
Full Path - The complete hierarchical path of the file / folder
Hash Value - Valid only after file hashing is made. Contains the hash value of the file.
Hash Set - The name of the hash set the file belongs to.
The entries for deleted items are shown in red colour. The user may see some differences if the file system being analyzed is a Linux (Ext2) file system. Some of the major differences you may notice in the Table view are:
1. It is not possible to get the names of deleted files in Ext2, so inode numbers are displayed as names.
2. There are no short names for Ext2 files/folders.
3. There can be files with no extensions.
4. Extensions longer than 4 characters are possible; in that case only the first 4 characters are displayed.
5. There can be files with more than one extension; the last extension is then taken as the extension in CyberCheck.
6. There can be files with file names starting with "." and the extensions can be numbers.
7. The logical size of a folder in FAT is always displayed as 0, but Ext2 displays the correct logical size.
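The SM (signature mismatch) and File Type columns described above depend on comparing what a file's extension claims with what its leading bytes (its signature) actually are. The following Python is an added example written for this page and is not CyberCheck's code: it applies the extension rules just listed (last extension wins, display truncated to 4 characters, a leading dot alone is not an extension), detects the content type from a few published magic numbers, and builds a subset of a Table view row for three constructed sample files, one of which is a ZIP archive renamed to .pdf. The extension-to-type table and the decision not to flag unknown extensions are assumptions.

```python
# Added example for this manual page (illustrative, not CyberCheck's code): how
# the Table view's File Ext., File Type and Signature mismatch (SM) columns can
# be derived.  The magic numbers are the published ones for each format; the
# extension rules follow the manual text; the sample files are constructed.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"GIF87a", "GIF image"),
    (b"GIF89a", "GIF image"),
]
# What each extension claims the content is (assumed table; Office OOXML is ZIP).
EXT_TYPE = {
    "png": "PNG image", "jpg": "JPEG image", "jpeg": "JPEG image",
    "gif": "GIF image", "pdf": "PDF document", "zip": "ZIP archive",
    "docx": "ZIP archive",
}


def extension(name: str) -> str:
    """Last extension, lower-cased, truncated to 4 characters; a leading dot
    alone ('.profile') is not an extension."""
    base = name.rsplit("/", 1)[-1]
    if "." not in base[1:]:
        return ""
    return base.rsplit(".", 1)[1][:4].lower()


def detect_type(data: bytes) -> str:
    """Content type from the leading bytes (the file signature)."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "Unknown"


def signature_mismatch(name: str, data: bytes) -> bool:
    """SM flag: the extension claims a type that the signature contradicts.
    Extensions with no known type cannot be judged and are not flagged
    (assumption made for this example)."""
    expected = EXT_TYPE.get(extension(name))
    if expected is None:
        return False
    return detect_type(data) != expected


def table_row(name: str, data: bytes, deleted: bool = False) -> dict:
    """One Table view row after a signature check (subset of the columns)."""
    return {
        "DL": deleted,
        "SM": signature_mismatch(name, data),
        "File Name": name,
        "File Ext.": extension(name),
        "Logical Size": len(data),
        "File Type": detect_type(data),
    }


# Constructed sample files: a JPEG header, a ZIP renamed to .pdf, a text note.
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00", False),
    ("report.pdf", b"PK\x03\x04\x14\x00\x00\x00", True),   # deleted, mislabelled
    ("notes.txt", b"meeting at 10", False),
]


def analyse(samples=SAMPLES):
    """Rows for every sample, in order."""
    return [table_row(n, d, deleted) for n, d, deleted in samples]


if __name__ == "__main__":
    for row in analyse():
        print(row)
```

Only report.pdf is flagged: its extension promises a PDF but the signature is a ZIP archive's, so File Type becomes "ZIP archive" and SM is set, which is precisely the change the table above says can happen "after a signature check is made".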
CyberCheck supports the following Mouse / Keyboard operations in the left side under the Table View
4.5.4.1.1 Keyboard Operations
The up and down arrow keys can be used to traverse the table. The Page Up / Page Down keys can be used to view the table contents one page up / down. The Home / End keys can be used to move to the first / last item.
4.5.4.1.2 Mouse Operations
Clicking on any field header except the Description field sorts the table based on that field. Double clicking on a file in the Table View opens the file in an external viewer if an external viewer capable of opening the file is installed on the analysis system; otherwise, CyberCheck displays an Open With dialog box for the user to select an appropriate program to open the selected file. If the user double clicks on a folder name, the contents of the folder, if any, will be listed. Right clicking produces a popup menu whose options depend upon the item selected.
4.5.4.1.3 Popup Menu
On right clicking the mouse button in the Table view, the following commands can be executed:
Export - This feature helps to export the selected file to a specified location. This is useful if the analysing officer finds some evidence in that file.
Export Summary - This feature helps to export the summary of the selected file to an .html file.
View Cluster Chain - View the clusters allocated for the selected file.
Copy Hash Value - Copy the hash value, if file hashing is done.
Append to Report - Append either the file data or the slack content of the selected file to the report. There is an option to append both the file content and the file slack to the report.
Registry Viewer - On selecting this option we can go to the Registry Viewer. This option is enabled in the context menu only if the selected file is a registry file. Example registry files are System.dat and User.dat. The user may run a search to check the availability of these files in the evidence file using the file extension search facility. If the files are available, they will be displayed under the Search Files item in the Probe view. The user may select a file from the Table view and right click the mouse button. Now the Registry Viewer menu item will be enabled and the user may click on it. The registry viewer will be displayed in the subsequent window. The Registry Viewer option will not make any change in an Ext2 file system. The user may also invoke the registry viewer using the View|Registry Viewer menu item from the menu bar.
Bookmark File - On selecting this option, the selected file will be added to the Files list in the Bookmark tab.
Bookmark Folder - This option will be enabled only if a folder is selected in the Table View. Selecting this option will add the selected folder to the Folders list in the Bookmark tab.
Extract Zip File - If you want to see the list of files available in a ZIP file, select the desired ZIP file from the Table view and right click on it as shown in figure 4.5.4.1.2 given below.
Figure 4.5.4.1.2 Selecting Extract ZIP File option
Choose the Extract ZIP file menu item from the context menu. A dialog box with a tree view of the ZIP file will be displayed as shown in figure 4.5.4.1.3 given below.
Figure 4.5.4.1.3 Display of nested ZIP File listing
If the ZIP file contains another ZIP file, there will be a + sign in the left pane of the tree view and you may expand it to view the list of files available in the inner ZIP file. This can be extended to further depths. At any time, if you want to view the content of a file in the right pane of the ZipFileViewer, you may double click on the desired item. If the item selected is a ZIP file, the ZIP extractor installed in your system will be invoked to extract the contents of the selected ZIP file. If a ZIP extractor is not available, CyberCheck displays an Open With dialog box for the user to select an appropriate program to open the selected file. Similarly, if the selected item is any other file type, the appropriate native viewer will be invoked for viewing the selected item if it is installed on the analysis machine; otherwise, CyberCheck displays an Open With dialog box for the user to select an appropriate program to open the selected file.
Meta Data - If you want to see the metadata of Microsoft Office files, select the desired document file from the Table view and right click on it as shown in figure 4.5.4.1.4 given below.
Figure 4.5.4.1.4 Selecting Meta Data option
Choose the Meta Data menu item from the context menu. A metadata viewer will be displayed as shown in figure 4.5.4.1.5 given below, listing the metadata available in the selected document.
Append to HashSet... - If you want to add the hash value of a particular file into an existing hash set, select the desired file from the Table view and select this option from the context menu of the Table view as shown in figure 4.5.4.1.6 given below.
Figure 4.5.4.1.6 Selecting Append to HashSet... option
When this menu item is selected, a dialog box as shown in figure 4.5.4.1.7 given below will be displayed.
From the list of hash sets displayed, you may select the desired hash set into which the hash value of the selected file is to be appended. After selecting the desired hash set, press the Append button to append the hash value. If the hash value is already available in the hash set, a warning message will be displayed; otherwise the hash value will be appended to the hash set.
Create HashSet - If you want to create a customized hash set from the files available in the evidence file being analysed, you may select this option from the context menu of the Table view as shown in figure 4.5.4.1.8 given below. Before selecting this menu item, select the desired files whose hash values are to be added into the hash set to be created.
Figure 4.5.4.1.8 Selecting Create HashSet option
When this menu item is selected, a dialog box as shown in figure 4.5.4.1.9 given below will be displayed.
Figure 4.5.4.1.9 Dialog box for specifying hash set name
You may enter the desired hash set name in the edit box shown in the above dialog box. The dialog box also shows the list of existing hash sets in a list box. After entering the hash set name, press the Create HashSet button. If the hash values of the selected files are not available in any of the existing hash sets, a new hash set with the specified name will be created and added to the list of hash sets; otherwise, a warning message will be displayed and the new hash set will not be created. It should be noted that if the selected item is a folder which does not have any data, no hash value will be created for the item.
Remove from HashSet... - If you want to remove a hash value from an existing hash set, you may select this option from the context menu of the Table view as shown in figure 4.5.4.1.10 given below.
Figure 4.5.4.1.10 Selecting Remove from HashSet... option
If the selected hash value is available in any of the existing hash sets, it will be removed from it; otherwise a warning message will be displayed to indicate that the hash value does not exist in any of the hash sets.
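The three hash set commands above (Append to HashSet..., Create HashSet and Remove from HashSet...) share one rule set: a value is never stored twice, a new set is only created when none of its values already exists elsewhere, and removing or appending something that is not where it should be produces a warning. The following Python class is an added example written for this manual page, not CyberCheck's code, modelling those rules in memory. SHA-256 is assumed as the file hash (the page does not name the algorithm), the in-memory store stands in for CyberCheck's hash set files, whose format is not described, and refusing to create a set whose name is already taken is an assumption.

```python
# Added example for this manual page, not CyberCheck's code: an in-memory model
# of the Append to HashSet, Create HashSet and Remove from HashSet operations
# with the duplicate and non-existence warnings the manual describes.
# SHA-256 is assumed as the file hash; the hash set storage format is assumed.
import hashlib


class HashSetStore:
    def __init__(self):
        self.sets = {}  # hash set name -> set of hex digests

    @staticmethod
    def file_hash(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def sets_containing(self, digest: str):
        """Names of every hash set that already holds this digest."""
        return [name for name, digests in self.sets.items() if digest in digests]

    def append(self, set_name: str, data: bytes) -> str:
        """Append to HashSet...: add one file's hash to an existing set, or warn
        if that set already holds the value."""
        if set_name not in self.sets:
            raise KeyError(f"no hash set named {set_name!r}")
        digest = self.file_hash(data)
        if digest in self.sets[set_name]:
            return "warning: hash value already present in hash set"
        self.sets[set_name].add(digest)
        return "appended"

    def create(self, set_name: str, items) -> str:
        """Create HashSet: items are (name, data, is_folder) tuples.  Folders
        without data get no hash; the set is only created when none of the
        hashes exists in any existing set, otherwise a warning is returned."""
        if set_name in self.sets:
            return "warning: a hash set with this name already exists"  # assumption
        digests = set()
        for _name, data, is_folder in items:
            if is_folder and not data:
                continue  # a folder with no data gets no hash value
            digests.add(self.file_hash(data))
        if any(self.sets_containing(d) for d in digests):
            return "warning: hash value(s) already present in an existing hash set"
        self.sets[set_name] = digests
        return "created"

    def remove(self, data: bytes) -> str:
        """Remove from HashSet...: drop the file's hash from every set holding
        it, or warn that no hash set contains it."""
        digest = self.file_hash(data)
        holders = self.sets_containing(digest)
        if not holders:
            return "warning: hash value not found in any hash set"
        for name in holders:
            self.sets[name].discard(digest)
        return "removed"


if __name__ == "__main__":
    # Constructed walk-through of the three commands.
    store = HashSetStore()
    print(store.create("known_good", [("a.txt", b"alpha", False), ("empty_dir", b"", True)]))
    print(store.append("known_good", b"alpha"))   # already there: warning
    print(store.append("known_good", b"beta"))    # appended
    print(store.create("dup", [("x", b"beta", False)]))  # beta exists: warning
    print(store.remove(b"gamma"))                  # nowhere: warning
    print(store.remove(b"beta"))                   # removed
```

Keeping every hash set's values checked against all the others is what makes the create warning possible: a set cannot be created from files that are already known to some other set, which is the behaviour the dialog description above specifies.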
Figure 4.5.4.1.12 Display of Alternate Data Streams in Table view
When the alternate data stream named ads.txt`Str4 is selected, its contents are displayed as shown in figure 4.5.4.1.13 given below.
Gallery View
Figure 4.5.4.2.1 Gallery View
Gallery view, as shown in figure 4.5.4.2.1 above, is a quick way to see all the picture files available in a particular folder. CyberCheck can display almost all types of picture files. Deleted picture files whose contents can be recovered are also shown in this view. If the user wants to see the Gallery View, just select a folder and then select the Gallery View tab. All picture files, if any, available in that folder will be displayed in the Gallery Viewer. To see an image in enlarged form, just select the needed picture, which will be displayed in the Picture Viewer in the bottom pane. If the user wants to see all the pictures available in an evidence file, first click on the expansion trigger (trapezoidal box) adjacent to the evidence file name in the Probe View and then click on the Gallery View tab in the right pane. If the number of picture files available is quite large, it may take some time to display all the pictures. Figure 4.5.4.2.2 given below shows the gallery view after clicking the expansion trigger of the evidence file.
Figure 4.5.4.2.2 - Gallery View after the expansion trigger option has been selected
When the user is in the Gallery View, the normal arrow mouse cursor changes to a palm-like cursor. If many pictures are available, the user may scroll through the Gallery View using the adjacent scroll bar. If any picture is totally corrupted and could not be loaded properly, a message Invalid Format will be displayed in the thumbnail view of that particular picture. Gallery view is an important feature from the cyber forensic point of view, since it enables the user to view all the pictures available in an evidence file in a single view. It is possible to identify a case-related image from the Gallery view easily.
Timeline view is already explained in section 4.5.1.12. Please see that section for details of the Timeline view.
4.5.4.4 Summary View
The Summary view can be invoked by clicking on the Summary tab in the right pane. In the Summary view, as shown in figure 4.5.4.4.1 given below, a summary of the item selected in the left pane, if any is available, will be displayed. The deletion date of a file/folder (if deleted) is displayed in the Summary tab if the file system being analyzed is a Linux (Ext2) file system. Moreover, the logical size of a folder in FAT is always displayed as 0, but Ext2 displays the correct logical size.
Figure 4.5.4.4.1 Display of Summary view of an item in the Left Pane
In the above figure, all the details of the folder WINDOWS selected from the Probe View are displayed. Similarly, a summary of keywords is displayed if the selection is on Keywords in the Keyword View, as shown in figure 4.5.4.4.2.
Figure 4.5.4.4.2 Display of Summary view of Keywords
A summary of bookmarked data will be displayed in the Summary view as shown in figure 4.5.4.4.3 if the selection in the left pane is the Bookmark tab.
Figure 4.5.4.4.3 Display of Summary view of Bookmarks
On selecting the Search tab in the left pane, the Search Results details will be shown in the Summary view as in figure 4.5.4.4.4.
4.5.4.5 Report View
The Report view can be invoked by clicking on the Report tab in the right pane. The Report view, as shown in figure 4.5.4.5.1 given below, provides all the information about the evidence file added to the probe, such as when the analysis process was done and how long it lasted, other details related to the case like Crime Number, Lab Reference Number, Police Station, Media Type, etc., and also information about the files and folders appended to the report.
When the analysis is over, the report will contain all the evidence gathered from the evidence file. The User can take a printout of the report by selecting the File|Print Report menu item from the menu bar. If the file system being analyzed is a Linux (Ext2) file system, then, unlike FAT, where the logical size of a folder is always displayed as 0, Ext2 displays the correct logical size. Other major differences for Ext2, as far as the report is concerned, are:
1. Ext2 does not have a FAT, so instead of Sectors per FAT, the Total Inodes value is displayed in the Report tab.
2. Values like No. of FATs, Root Sector and Heads are not displayed for Ext2.
3. Linux swap partitions do not display values like Volume Name, Volume Serial and Number of Folders.
and subsequent cluster data will be displayed in red colour. In the figure given below, the deleted file Copy of Ethernet.pdf has been selected and the User can see the corresponding Text view in the Bottom Pane. If the file is a deleted file that has been overwritten, the entire content is displayed in red colour in the Text view.
Figure 4.5.5.1.1 - Displaying the Text View of the deleted file Copy of Ethernet.pdf
In the case of the NTFS file system there is a slight difference in the Text view. If the file is a deleted file and it has not been overwritten, that file is displayed in black colour in the Text view. In other words, had Copy of Ethernet.pdf been part of an NTFS file system, it would have been displayed in black colour in the Text view. In figure 4.5.5.1.2 given below, the file 1000.txt is a deleted file within an NTFS file system and it is displayed in black colour in the Text view.
Figure 4.5.5.1.2 - Text View of a deleted file of an NTFS file system
In the Text view, file offset information is also provided at the left side of the view. The offset runs from 00000 to the length of the file. The offset of the current cursor position is also shown near the Lock check box as SO (Sector Offset), FO (File Offset) and LE (Length). Sector Offset is the offset of the current cursor position from the start of the current sector. File Offset is the offset of the current cursor position from the start of the file, i.e., from the start of its first sector. Length is the number of characters in the block marked in the Text viewer. The popup menu associated with the Text view is shown in figure 4.5.5.1.3. Selecting Copy copies the selected data to the clipboard, like the Edit|Copy functionality. Selecting Bookmark Selected Data is the same as selecting Bookmark|Selected Data from the main menu. Selecting Append Selected Data to Report appends the selected data to the report.
The last item in the popup menu is Export. This is for exporting the selected data. Selecting it after selecting the data to export displays a dialog box as shown in figure 4.5.5.1.4.
If the user clicks OK, the selected data is written to the file specified in the dialog box. The user can change the file name and location by pressing the Browse button. The user can specify a different range of data by selecting the Custom View option; in that case the user gives the start and end index within the file to specify where the data starts and ends. CyberCheck also displays the complete path of the item selected from the Table view at the left side of the status bar, as shown in the above figure.
4.5.5.2 Picture View
The Picture view, as shown in figure 4.5.5.2.1 given below, is for viewing the different picture files present in the evidence file. This view can be invoked from the Bottom Pane by clicking on the Picture tab. If the file selected is not a picture file, the Picture tab is disabled. If the selected file is a picture file, then by default the file is opened in the Picture viewer. The Gallery View gives a thumbnail view of all the picture files present in a folder; to see an enlarged view of a particular picture, select that picture and it is displayed in the Picture view.
4.5.5.3 Hex View
The Hex view, as shown in figure 4.5.5.3.1 below, displays the file contents in hexadecimal format. This view can be invoked from the Bottom Pane by clicking on the Hex tab. The content of the file highlighted in the Table view is displayed in this view together with its hex values. In the figure given below, the content of the file milkmaid.BMP is displayed in hex format as well as in text format. When the Hex tab is selected, the Hex view and the Text view coexist in the Bottom Pane. If the user selects a set of characters in the Hex view by clicking the left mouse button and dragging over the characters, the characters are highlighted and the corresponding characters in the Text view are highlighted as well. Likewise, characters selected in the Text view are highlighted in both views.
Figure 4.5.5.3.1 - Displaying the Hex & Text Views of a file
4.5.5.4 Disk View
The Disk View, as shown in figure 4.5.5.4.1 given below, is a graphical representation of the evidence file. This view can be invoked from the Bottom Pane by clicking on the Disk tab. The Disk View allows the User to see the file highlighted in the Table View as it exists on the physical surface of the disk. Through the Disk view, you can see where exactly on the hard disk a particular file is located.
Figure 4.5.5.4.1 - Disk view displaying the distribution of allocated sectors of a file
Each block inside the Disk view represents a single sector. On selecting a block, the sector number is displayed in a text box above and the contents are displayed on the right-hand side in both the Text view and the Hex view. On clicking the ShowLegend tab, you get the description of what the different colours of blocks in the Disk view represent. From the figure, it is clear that the file milkmaid.BMP starts at sector number 833108. You can also get the sector number by placing the mouse over a particular sector. In the figure above, the mouse was placed over sector 834356, which is also highlighted in the Disk view.
Figure 4.5.5.4.2 - Disk View with ShowLegend option enabled
In figure 4.5.5.4.2 given above, the ShowLegend button has been enabled and you can see that red colour in the Disk view indicates the Boot Sector, blue colour indicates an allocated sector, and so on. The Disk view is very helpful in finding out where exactly on the storage media the data resides. You can also see the sector-by-sector storage of data on the storage media using the Disk view. There are some differences in the Disk View if the file system being analyzed is a Linux (Ext2) file system:
1. While displaying the Disk view after selecting the partition name, FAT highlights the boot sector, whereas Ext2 highlights the Super Block.
2. The FAT and Root Directory are not highlighted in any specific colour for Ext2, since Ext2 has neither.
In the case of NTFS, if a file or folder is small its content is stored inside its MFT record itself (a resident file). In that case the space allocated to the file or folder is only a few sectors of the MFT, and the content can start at any byte position within a sector. When such a file is selected, the Disk view shows the allocated sectors and, within the sector, the text and hex content belonging to the file is highlighted in blue colour. This is shown in figure 4.5.5.4.3 given below.
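What "the content is inside the MFT record itself" means, and why the highlighted region can start at an arbitrary byte within a sector, is shown by the added Python example below; it is not CyberCheck code. It builds a constructed 1 KB FILE record with one resident $DATA attribute, applies the update sequence (fixups) that NTFS writes into the last two bytes of every sector of a record, and then reads the content back, returning the byte offset and sector offset inside the record. The fixup check is the caveat a practitioner wants: a record whose fixup values do not match is torn or corrupt and must not be trusted silently.

```python
"""Pull a small file's content out of its MFT record (a resident $DATA attribute)."""
import struct

BPS = 512
MFT_RECORD = 1024
ATTR_DATA, ATTR_END = 0x80, 0xFFFFFFFF


def build_resident_record(content, in_use=True):
    """Constructed FILE record (not a dump from a real volume): header, update sequence
    array at 0x30, one resident unnamed $DATA attribute at 0x38, then the end marker."""
    rec = bytearray(MFT_RECORD)
    usa_ofs, usa_count, first_attr = 0x30, 3, 0x38
    attr_len = (0x18 + len(content) + 7) & ~7            # attribute lengths are 8-byte aligned
    # attribute header: type, length, non-resident=0, name length, name offset, flags, id
    struct.pack_into("<IIBBHHH", rec, first_attr, ATTR_DATA, attr_len, 0, 0, 0x18, 0, 1)
    # resident part: value length, value offset, indexed flag
    struct.pack_into("<IHBx", rec, first_attr + 0x10, len(content), 0x18, 0)
    rec[first_attr + 0x18:first_attr + 0x18 + len(content)] = content
    struct.pack_into("<I", rec, first_attr + attr_len, ATTR_END)
    used = first_attr + attr_len + 8
    # record header: "FILE", USA offset/count, LSN, sequence, links, first attr,
    # flags (bit 0 = in use), used size, allocated size, base record, next attr id
    struct.pack_into("<4sHHQHHHHIIQH", rec, 0, b"FILE", usa_ofs, usa_count, 0, 1, 1,
                     first_attr, 0x01 if in_use else 0x00, used, MFT_RECORD, 0, 2)
    # Apply the update sequence: stash the last two bytes of every sector in the USA
    # and overwrite them with the update sequence number, exactly as NTFS does on write.
    usn = b"\x01\x00"
    rec[usa_ofs:usa_ofs + 2] = usn
    for i in range(usa_count - 1):
        tail = (i + 1) * BPS - 2
        rec[usa_ofs + 2 + 2 * i:usa_ofs + 4 + 2 * i] = rec[tail:tail + 2]
        rec[tail:tail + 2] = usn
    return bytes(rec)


def apply_fixups(record):
    """Undo the update sequence; a mismatch means a torn or corrupt record, so refuse it."""
    rec = bytearray(record)
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_ofs, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_ofs:usa_ofs + 2])
    for i in range(usa_count - 1):
        tail = (i + 1) * BPS - 2
        if rec[tail:tail + 2] != usn:
            raise ValueError(f"update sequence mismatch in sector {i}: record is torn or corrupt")
        rec[tail:tail + 2] = rec[usa_ofs + 2 + 2 * i:usa_ofs + 4 + 2 * i]
    return bytes(rec)


def resident_data(record):
    """Locate the unnamed $DATA attribute; return its content if it is resident."""
    rec = apply_fixups(record)
    attr_ofs, flags = struct.unpack_from("<HH", rec, 20)
    info = {"in_use": bool(flags & 0x01)}   # clear => deleted file whose record still survives
    ofs = attr_ofs
    while ofs + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, ofs)
        if atype == ATTR_END or alen < 16:
            break
        non_resident, name_len = rec[ofs + 8], rec[ofs + 9]
        if atype == ATTR_DATA and name_len == 0:
            if non_resident:
                info.update(resident=False, content=None)
                return info
            vlen, vofs = struct.unpack_from("<IH", rec, ofs + 16)
            start = ofs + vofs
            info.update(resident=True, content=rec[start:start + vlen],
                        record_offset=start,                  # byte offset inside the MFT record
                        sector_in_record=start // BPS, sector_offset=start % BPS)
            return info
        ofs += alen
    raise ValueError("record has no unnamed $DATA attribute")


if __name__ == "__main__":
    rec = build_resident_record(b"Meeting moved to Friday; bring the USB stick.")
    print(resident_data(rec))
```

With the constructed record the content sits at byte 0x50 of the record, i.e. sector 0 of the record at sector offset 80, which is the kind of mid-sector start the Disk view highlights in blue for a resident file. The `in_use` flag is what separates a live resident file from a deleted one whose record has not yet been reused.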
Figure 4.5.5.4.3 Disk view of a small file in NTFS with file content highlighted in blue colour
Sector Viewer
The Sector Viewer enables the user to view the data of a particular sector interpreted in FAT12/16, FAT32, NTFS, MBR or Integer format. The Sector Viewer can be invoked from the Disk view by selecting the desired sector and right-clicking the mouse button. A context menu as shown in figure 4.5.5.4.4 given below is displayed for selecting the format.
Figure 4.5.5.4.4 - Selecting a sector to view the Sector data in FAT12/16, FAT32, NTFS, MBR or Integer format
When the desired format is selected, the sector data is displayed in that format as shown in figures 4.5.5.4.5, 4.5.5.4.6, 4.5.5.4.7, 4.5.5.4.8 and 4.5.5.4.9 given below. The format is chosen by the user, so the field values shown are only meaningful if the selected sector really is a boot sector or an MBR; before relying on them, check that the sector ends with the 0x55AA signature and carries the expected OEM or file system type string.
Figure 4.5.5.4.5 - Viewing as FAT12/16
The above figure shows the selected sector data in FAT12/16 boot sector format.
Figure 4.5.5.4.6 - Viewing as FAT32
The above figure shows the selected sector data in FAT32 boot sector format.
Figure 4.5.5.4.7 - Viewing as NTFS
The above figure shows the selected sector data in NTFS boot sector format.
Figure 4.5.5.4.8 - Viewing as MBR
The above figure shows the selected sector data in Master Boot Record format.
Figure 4.5.5.4.9 - Viewing as Integer
The above figure shows the selected sector data in integer format.
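The five interpretations the Sector Viewer offers are fixed-layout structures, so they can be decoded with a handful of struct calls. The Python below is an added example written for this page, not CyberCheck code; the three sample sectors are constructed inline (a one-partition MBR, a 20 MB FAT16 boot sector and an NTFS boot sector) and the field offsets are those of the published MBR, FAT BIOS Parameter Block and NTFS boot sector layouts. It also shows why the choice of format matters: parse_fat_boot decides FAT12/16/32 from the cluster count, as the FAT specification does, rather than from the label string, and parse_ntfs_boot decodes the signed "clusters per MFT record" field, which a viewer has to get right before the MFT offsets it reports can be trusted.

```python
"""Interpret one 512-byte sector as MBR, FAT12/16/32 boot sector, NTFS boot sector or integers."""
import struct

SECTOR = 512


def parse_mbr(sec):
    """Return the non-empty partition table entries of a Master Boot Record."""
    if len(sec) != SECTOR or sec[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR / boot sector")
    parts = []
    for i in range(4):
        boot, ptype, lba, count = struct.unpack_from("<B3xB3xII", sec, 446 + 16 * i)
        if ptype:  # partition type 0 marks an unused slot
            parts.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return parts


def parse_fat_boot(sec):
    """Decode the BPB and classify FAT12/16/32 by data-cluster count, as the spec does."""
    (bps, spc, reserved, nfats, root_entries, total16, _media,
     spf16, _spt, _heads, _hidden, total32) = struct.unpack_from("<HBHBHHBHHHII", sec, 11)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or nfats == 0 or sec[510:512] != b"\x55\xaa":
        raise ValueError("BPB fields out of range: this sector is not a FAT boot sector")
    total = total16 or total32
    if root_entries == 0 and spf16 == 0:           # FAT32 form of the extended BPB
        spf = struct.unpack_from("<I", sec, 36)[0]
        root_cluster = struct.unpack_from("<I", sec, 44)[0]
        label, root_dir_sectors = sec[71:82], 0
    else:
        spf, root_cluster, label = spf16, None, sec[43:54]
        root_dir_sectors = (root_entries * 32 + bps - 1) // bps
    first_data_sector = reserved + nfats * spf + root_dir_sectors
    clusters = (total - first_data_sector) // spc
    kind = "FAT32" if root_cluster is not None else ("FAT12" if clusters < 4085 else "FAT16")
    return {"fs_type": kind, "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "num_fats": nfats, "sectors_per_fat": spf, "total_sectors": total,
            "cluster_count": clusters, "first_data_sector": first_data_sector,
            "root_cluster": root_cluster, "label": label.decode("ascii", "replace").rstrip()}


def parse_ntfs_boot(sec):
    """Decode the NTFS boot sector, including the signed 'clusters per MFT record' field."""
    if sec[3:11] != b"NTFS    " or sec[510:512] != b"\x55\xaa":
        raise ValueError("OEM ID is not 'NTFS    ': not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", sec, 11)
    total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sec, 40)
    per_rec, per_idx = struct.unpack_from("<bxxxb", sec, 64)
    serial = struct.unpack_from("<Q", sec, 72)[0]
    # A negative value encodes the record size as 2**(-value) bytes instead of a cluster count
    record_size = 2 ** (-per_rec) if per_rec < 0 else per_rec * spc * bps
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "total_sectors": total,
            "mft_lcn": mft_lcn, "mft_byte_offset": mft_lcn * spc * bps,
            "mft_mirror_lcn": mirr_lcn, "mft_record_size": record_size,
            "index_record_clusters": per_idx, "volume_serial": serial}


def as_integers(sec, width=4):
    """The Integer format: the sector as consecutive little-endian unsigned values."""
    fmt = {1: "B", 2: "H", 4: "I", 8: "Q"}[width]
    n = len(sec) // width
    return list(struct.unpack("<%d%s" % (n, fmt), sec[:n * width]))


def identify(sec):
    """Best-effort guess of the fitting format; a user can still force any other one."""
    if sec[510:512] != b"\x55\xaa":
        return "data"
    if sec[3:11] == b"NTFS    ":
        return "NTFS"
    if sec[54:62].startswith(b"FAT") or sec[82:90].startswith(b"FAT"):
        return parse_fat_boot(sec)["fs_type"]
    return "MBR" if parse_mbr(sec) else "unknown"


def build_mbr():
    """Constructed MBR: one bootable type-0x07 partition starting at LBA 63."""
    sec = bytearray(SECTOR)
    struct.pack_into("<B3sB3sII", sec, 446, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 204800)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


def build_fat16_boot():
    """Constructed FAT16 boot sector: 40960 sectors, 4 sectors/cluster, two FATs of 40 sectors."""
    sec = bytearray(SECTOR)
    sec[0:11] = b"\xeb\x3c\x90MSDOS5.0"
    struct.pack_into("<HBHBHHBHHHII", sec, 11, 512, 4, 1, 2, 512, 40960, 0xF8, 40, 63, 16, 63, 0)
    struct.pack_into("<BBBI11s8s", sec, 36, 0x80, 0, 0x29, 0x1234ABCD, b"EVIDENCE   ", b"FAT16   ")
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


def build_ntfs_boot():
    """Constructed NTFS boot sector: 8 sectors/cluster, MFT at LCN 786432, 1 KB MFT records."""
    sec = bytearray(SECTOR)
    sec[0:11] = b"\xeb\x52\x90NTFS    "
    struct.pack_into("<HBH", sec, 11, 512, 8, 0)
    sec[21] = 0xF8
    struct.pack_into("<HHIII", sec, 24, 63, 255, 2048, 0, 0x80008000)
    struct.pack_into("<QQQ", sec, 40, 204799, 786432, 2)
    struct.pack_into("<bxxxbxxxQ", sec, 64, -10, 1, 0x1C2E3F4A5B6C7D8E)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


if __name__ == "__main__":
    for sec in (build_mbr(), build_fat16_boot(), build_ntfs_boot()):
        print(identify(sec))
    print(parse_mbr(build_mbr()))
    print(parse_fat_boot(build_fat16_boot()))
    print(parse_ntfs_boot(build_ntfs_boot()))
    print(as_integers(build_mbr())[-4:])
```

The first_data_sector and sectors_per_fat values returned by parse_fat_boot are the same quantities the Report tab lists for a FAT volume, and mft_byte_offset is where a Disk view has to look for the MFT records of an NTFS volume.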
4.5.5.5 Cluster View
The Cluster view, as shown in figure 4.5.5.5.1 given below, is similar to the Disk view, with the difference that in the Cluster view you get the cluster-wise split-up of the whole evidence file. This view can be invoked from the Bottom Pane by clicking on the Cluster tab. The Cluster View allows you to see the cluster-wise split-up of the file highlighted in the Table View. In this example, the file Sparse.doc has been highlighted in the Table View. You can see the cluster-wise view of the same file by selecting the Cluster tab. Here, the clusters in the highlighted colour (white) are the clusters allocated to the selected file.
Figure 4.5.5.5.1 - Cluster view displaying the distribution of allocated clusters of a file
Each block inside the Cluster view represents a single cluster. On selecting a block, the cluster number is displayed as in the case of the Disk view and the contents are displayed on the right-hand side.
4.5.5.6 Summary View
In the Summary view of the Bottom Pane, details of the file selected in the Table View, such as File Name, DOS Name, File Extension, File Type, File Attribute, Logical Size, Physical Size, Starting Cluster, Total File Clusters, Full Path and Cluster Chain, are displayed as a summary of the selected item. This view can be invoked from the Bottom Pane by clicking on the Summary tab. In figure 4.5.5.6.1 given below, the file Sparse.doc has been selected and the details of that file are shown in the Summary viewer.
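How the Summary view's Starting Cluster, Total File Clusters, Logical Size, Physical Size and Cluster Chain, the Disk view's sector list and the Text view's FO/SO offsets relate to one another is easiest to see by walking a FAT chain by hand. The Python below is an added example, not CyberCheck's implementation; the FAT16 table, the directory entries (Sparse.doc with a logical size of 5000 bytes, standing in for the file in the figure), and the geometry constants are all constructed for the example. It also flags a lost cluster, the case that the Lost Clusters option of the Search dialog targets, and refuses looping or free-cluster chains instead of following them.

```python
"""Walk a FAT16 cluster chain: the numbers the Summary, Disk and Cluster views derive from it."""

BPS = 512                  # bytes per sector
SPC = 4                    # sectors per cluster
FIRST_DATA_SECTOR = 113    # reserved + FAT sectors + root directory, as the Report tab lists them
FAT16_EOC = 0xFFF8         # entries 0xFFF8..0xFFFF mark the end of a chain
FAT16_BAD = 0xFFF7

# Constructed FAT16 table (index = cluster number, value = next cluster).
# Clusters 2->3->5 belong to Sparse.doc and 7->8 to notes.txt; cluster 4 is marked in use
# but no directory entry leads to it (a lost cluster); clusters 6 and 9 are free.
FAT = [0xFFF8, 0xFFFF, 3, 5, 0xFFFF, 0xFFFF, 0, 8, 0xFFFF, 0]

# Constructed directory entries: name -> (starting cluster, logical size in bytes)
DIRECTORY = {"Sparse.doc": (2, 5000), "notes.txt": (7, 2100)}


def cluster_chain(fat, start):
    """Follow FAT entries from `start`; refuse loops, bad clusters and free clusters."""
    chain, cur = [], start
    while 2 <= cur < len(fat):
        if cur in chain:
            raise ValueError(f"cluster chain from {start} loops at {cur}")
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= FAT16_EOC:
            return chain
        if nxt in (0, FAT16_BAD):
            raise ValueError(f"chain from {start} runs into free/bad cluster {nxt}")
        cur = nxt
    raise ValueError(f"chain from {start} leaves the FAT at cluster {cur}")


def cluster_sectors(cluster):
    """Sectors backing one cluster; the data area starts with cluster number 2."""
    first = FIRST_DATA_SECTOR + (cluster - 2) * SPC
    return list(range(first, first + SPC))


def file_layout(name):
    """Logical/physical size, cluster chain, sector list, RAM slack and file slack."""
    start, logical = DIRECTORY[name]
    chain = cluster_chain(FAT, start)
    sectors = [s for c in chain for s in cluster_sectors(c)]
    physical = len(chain) * SPC * BPS
    used_sectors = -(-logical // BPS)                 # ceiling division
    return {"start_cluster": start, "chain": chain, "total_clusters": len(chain),
            "sectors": sectors, "logical_size": logical, "physical_size": physical,
            "ram_slack": used_sectors * BPS - logical,   # tail of the last sector holding data
            "file_slack": physical - used_sectors * BPS}  # unused whole sectors of the last cluster


def locate(name, file_offset):
    """Map a File Offset (FO) to the (sector number, Sector Offset SO) the Text view reports."""
    lay = file_layout(name)
    if not 0 <= file_offset < lay["logical_size"]:
        raise ValueError("offset beyond the logical size of the file")
    return lay["sectors"][file_offset // BPS], file_offset % BPS


def lost_clusters(fat, directory):
    """Clusters allocated in the FAT that no directory entry's chain reaches."""
    referenced = set()
    for start, _ in directory.values():
        referenced.update(cluster_chain(fat, start))
    allocated = {c for c in range(2, len(fat)) if fat[c] not in (0, FAT16_BAD)}
    return sorted(allocated - referenced)


if __name__ == "__main__":
    for name in DIRECTORY:
        print(name, file_layout(name))
    print("FO 4600 of Sparse.doc lies at (sector, SO) =", locate("Sparse.doc", 4600))
    print("lost clusters:", lost_clusters(FAT, DIRECTORY))
```

For Sparse.doc the chain is 2, 3, 5, the physical size is 6144 bytes against a logical size of 5000, and the difference splits into 120 bytes of RAM slack and 1024 bytes of file slack; these are exactly the regions the slack search options in the Searches chapter look at.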
Figure 4.5.5.6.1 - Summary View of a file in the Bottom Pane
4.5.5.7 CyberScript
CyberScript is useful for running a batch of searches against an evidence file. It supports script commands such as keyword search, file search and grep search. It can be started by selecting the CyberScript tab from the Bottom Pane as shown in figure 4.5.5.7.1 given below.
The Help facility provided in the CyberScript context menu enables the user to learn more about it. The help can be invoked by right-clicking the mouse button in the CyberScript area. The Bottom Pane, divided into two blank panes as shown in the above figure, is the CyberScript area. The top half of the area is an edit box, where you enter the script commands one per line; any number of commands may be entered in the edit box. While executing the commands, CyberCheck compiles and validates each command one by one. If there is an error in the syntax of a command, it is reported in the second half of the CyberScript area and the user is allowed to correct it before execution. When you right-click the mouse button in this area, a context menu as shown in figure 4.5.5.7.2 given below is displayed.
Figure 4.5.5.7.2 Display of context menu in the CyberScript area
When you select the Help menu item from this context menu, a CyberScript help window as shown in figure 4.5.5.7.3 given below is displayed.
Figure 4.5.5.7.3 Display of CyberScript Help
This window shows the different commands supported in CyberScript, the syntax for calling each command and their arguments. The scroll bar can be used to view the complete help information. The remaining portion of the help information is shown in figure 4.5.5.7.4 given below.
Figure 4.5.5.7.4 Remaining portion of CyberScript Help
The context menu also contains a menu item Samples, which provides a set of commands with the arguments frequently used in case analysis. The User may select the desired sample commands from this list and use them as they are, or modify them to build his/her own script based on the options explained in the help facility. When you select the Samples menu item from the context menu, a CyberScript Samples dialog box as shown in figure 4.5.5.7.5 given below is displayed.
Figure 4.5.5.7.5 Display of CyberScript Samples
From the above dialog box, you may select the desired sample and press the Append to Script button to add the selected script to the CyberScript edit box. You may make appropriate changes, if necessary, or use it as it is. If you select the first command from the above dialog box and press the Append to Script button, it is added to the edit box as shown in figure 4.5.5.7.6 given below.
Figure 4.5.5.7.6 Display of a command in the edit box
This command performs a file search over the entire evidence file for files having the extension doc. It should be noted that if a particular command operates on selected files of the evidence file, the user should select those files before starting the execution of the script commands; otherwise, that command may fail during execution. When a sufficient number of commands has been added to the edit box, you may compile the commands for error checking and validation by selecting the Compile menu item from the context menu, as shown in figure 4.5.5.7.7 given below.
Figure 4.5.5.7.7 Selecting Compile command
When you select the Compile command from the context menu, error checking and validation are initiated. If there is an error, it is reported in the bottom half; otherwise, a notification of successful compilation is shown there. Since the above command is a well-formed script, only the success notification is displayed, as shown in figure 4.5.5.7.8 given below.
Figure 4.5.5.7.8 Display of a successful compilation
After compiling the commands, you may execute the script by selecting the Run menu item from the context menu as shown in figure 4.5.5.7.9 given below.
Figure 4.5.5.7.9 Selecting Run command
When the Run menu item is selected, the commands are executed one by one and the results are added to the appropriate area of the CyberCheck views. For example, the result of the above file search is added to the File Extension folder of the Search tab in the Left Pane as shown in figure 4.5.5.7.10 given below.
4.5.5.8 Lock Facility
This feature locks a particular view. If you are in a particular view in the Bottom Pane and the Lock facility is enabled, then whatever file you select from the Table View is displayed in the locked view in the Bottom Pane. As an example, in figure 4.5.5.8.1 given below, you are in the Disk view and the Lock facility is enabled. The selected file is HowItWorks.doc. Now, if you select any other file, the view remains the Disk view. If Lock is not enabled, the file is opened in its default viewer, i.e., an image file is opened in the Picture viewer and a .txt file is opened in the Text viewer. To lock a particular view, the User has to select the corresponding tab and immediately afterwards check the Lock facility. If the Lock facility has been checked for another view previously, it has to be unchecked and checked again to lock the new view.
Figure 4.5.5.8.1 - Disk view of the selected file with Lock facility enabled
Preview is a useful facility that CyberCheck provides to help Investigating Officers and Analyzing Officers during a cyber crime investigation. At the scene of crime, it helps the investigating officers decide whether a particular storage medium has to be seized or not. Since the seizure process is time consuming, a preliminary analysis of the medium using the Preview facility helps the officer decide whether any evidence is present on that storage medium. This avoids seizing unwanted storage media and hence saves the investigator precious time. Preview of a storage medium can be done in two ways: locally, or over a network interface card. If the preview is done locally, the storage medium to be previewed is connected to the analysis system. In this case, the User must take care not to write anything to the storage medium being previewed; the User is advised to use drive-locking hardware (a write blocker) to write-protect it, because CyberCheck itself does not write-protect a locally previewed medium and the analysis system's operating system may otherwise update the medium (for example by mounting it) as soon as it is attached. It is safer to preview a storage medium over the network. In this case, the medium to be previewed stays connected to a separate machine and is write-protected by software; only data is read, and the read data is sent to the analysis system through the network interface card. Both methods are explained in detail in the subsequent sections.
4.6.1.1 Local Preview
Previewing is done before logging into CyberCheck. From the main user interface of CyberCheck, select the Preview|Local Devices menu item. A dialog box as shown in figure 4.6.1.1.1 given below is displayed for selecting the mode of previewing.
When this menu item is selected, a dialog box as shown in figure 4.6.1.1.2 given below will be displayed.
Figure 4.6.1.1.2 Dialog box for selecting media.
The User has to choose the type of storage medium to be previewed. There are two types, viz., Removable media and Physical media. Under Removable media, the user may preview a floppy disk or CD. Under Physical media, the user may preview hard disks and USB devices. When a particular type of media is selected using the radio buttons in the above dialog box, the storage media of that type available in the system are listed in the list box for selection. The User may select the desired storage medium from the list.
Once a storage medium is selected, the rest of the process is similar to the analysis of an evidence file. Note that while previewing, the storage medium is not write-protected by CyberCheck, so a hardware write blocker should be in place. In preview mode, the user is not allowed to export any of the items or to save the preview findings into a probe file.
4.6.1.2 Network Preview
This is a very useful mode of operation, especially at the scene of crime. The storage medium to be previewed might be part of the suspect's machine. In this case, that machine can be connected to the analysis machine through the network interface cards using a cross-over cable (10/100 Base-T cable). Before starting the preview process, both systems have to be connected using this cable. The storage medium to be previewed may be connected to a separate system, say the suspect's machine, and this machine has to be booted from the TrueBack (Network) boot floppy. How to create the boot disks is described in section 4.5.1.14.3. Create the TrueBack [Network] and TrueBack [Utility] floppies as per the method described in that section. To make the suspect's machine ready for sending data to the analysis machine, first boot the suspect's system from the TrueBack (Network) floppy and then take the data over the network interface card.
4.6.1.2.1 Preparing the Suspect's System to Boot from the TrueBack (Network) Boot Floppy
When data is taken from a suspect's machine at the scene of crime, care should be taken not to boot the system from the suspect machine's own storage media. Booting from the suspect machine's storage media can change the content of the media and may destroy valuable evidence. The User may follow the steps given below to make sure that the system boots from a bootable floppy.
1. Remove the main power supply cord of the computer system.
2. Remove the cover of the system.
3. Identify the hard disks, CD drive and floppy drive available in the system.
4. Remove the power supply cable (next to the data cable) of all drives except the floppy drive.
5. Connect the main power supply cord of the computer system.
6. Insert the TrueBack [Utility] floppy containing the boot wizard utility into the floppy drive.
7. Boot the system from the floppy.
8. At the command prompt, type BootWiz and press the Enter key. If the suspect system's BIOS responds properly to the BootWiz utility, the user can change the boot order of the system using this utility. Otherwise, the utility displays a set of key combinations for various systems for entering the BIOS setup program. Appendix B shows the key combinations for different computer models. The User can manually enter the BIOS setup program using the appropriate key combination for the make and model of the system while it boots; in this case, the boot order has to be changed by the user using the facilities provided by that BIOS setup program. Either way, change the boot order so that the system boots from the floppy disk when it is made operational.
9. If the BIOS setup program supports an Onboard LAN Boot ROM facility in the Advanced/PCI Configuration menu, disable it.
10. Save the BIOS setup changes, if any, into the ROM and exit.
11. Re-connect the power supply cables of all drives.
12. Insert the TrueBack [Network] boot floppy into the floppy drive and start the system.
13. The system boots into DOS mode from the TrueBack boot floppy.
4.6.1.2.2 Preparing the Suspect's Machine to Send Data through the Network Interface Card
For sending data through the network, the basic requirement is that both the suspect's machine and the forensic workstation have a Network Interface Card (NIC) installed. If NICs are not available, the network preview process cannot continue. Another requirement is that the DOS packet driver for the NIC in the suspect's machine is available to the User. The TrueBack (Network) boot floppy contains a sample DOS network packet driver (RTSPKT.COM). The User may try to install this packet driver, as explained below, for the NIC available in the suspect's machine. If the User is not able to install this packet driver, the appropriate driver for the card must be obtained to continue with the acquisition; sometimes the driver is available with the suspect, or in the public domain. The TrueBack (Network) boot floppy created from the CyberCheck environment contains the functionality for sending data through the network. Before starting to send data through the network, connect both machines using the 10/100 Base-T cross-over cable supplied along with the software. After connecting the systems with the cable, boot the suspect's system using the TrueBack (Network) boot floppy. Now the User has to install the DOS packet driver for the NIC available in the suspect's machine. The following steps are an example of how to install the DOS network packet driver for the NIC available in the system; they assume RTSPKT.COM as the sample packet driver.
1. Type A: \rtspkt 0x62 followed by the Enter key. 0x62 is the default software interrupt vector (in the 0x60-0x80 range used by DOS packet drivers) through which this packet driver is called. If the packet driver is installed successfully, details like line speed, full or half duplex, interrupt number, etc., are displayed; otherwise, the error message Fail to find PCI device! is displayed. In case of error, the User has to get the appropriate driver and install it properly.
The seize & acquisition process should be continued only after the DOS packet driver for the NIC available in the system has been installed properly.
4.6.1.2.2.1 Sending Data through the Network Interface Card
Execute TrueBack from the command prompt in the suspect's machine and select the menu option shown below. Since the TrueBack software is used for sending data to the Forensic Workstation (analysis machine) for previewing the storage media of the suspect's machine, the Network Seize & Acquire mode is used for this purpose. Figure 4.6.1.2.2.1.1 given below shows the selection of the network seize & acquisition mode.
Figure 4.6.1.2.2.1.1 - Window for Selecting Network Seizure & Acquisition Mode
After selecting the above menu option, the window given in figure 4.6.1.2.2.1.2 is displayed for machine selection.
Figure 4.6.1.2.2.1.2 - Window for Selecting Suspect's Machine
From the display on the suspect's machine, first select that machine as the suspect's machine. A message is displayed as shown in figure 4.6.1.2.2.1.3 given below. The User is advised not to remove the floppy from the floppy drive while this process is taking place.
The analysis machine also has to be set up for receiving data from the suspect's machine. The following steps may be followed to make the analysis machine ready for network previewing.
Step 1: Boot the machine in any Windows platform.
Step 2: Check the configuration of the TCP/IP protocol.
Windows 2000
Step a: Right-click the "My Network Places" icon on the desktop. If that icon is not available on the desktop, select the Start button of Windows, select Settings and from there select Control Panel. Open the Network and Dial-up Connections icon from the Control Panel and continue with step e shown below.
Step b: Click the Properties option.
Step c: Right-click the "Local Area Connection" icon.
Step d: Click the Properties option.
Step e: Select TCP/IP from the list (if it is not available, add the TCP/IP protocol).
Step f: Click Properties.
Step g: Click "Use the following IP address".
Step h: Specify an IP address within the range 172.16.0.1 to 172.16.255.254 (172.16.255.255 is the broadcast address of this network and cannot be assigned to a host) and set the Subnet Mask to 255.255.0.0.
Step i: Click the OK button.
After specifying an IP address, the User may follow the steps given below to start the network preview from the analysis machine.
1. Connect both machines with the cross-over cable.
2. Boot the suspect's machine using the TrueBack (Network) boot floppy.
3. Run TrueBack on the suspect's machine and follow the steps until the window displaying the message Waiting for Forensic Workstation to Connect. Here, the Forensic Workstation is the analysis machine.
4. Boot the analysis machine with a Windows operating system.
5. Run CyberCheck on this machine.
6. Select Preview | Network from the menu bar.
7. Choose a device from the physical media listed in the dialog box and press OK.
8. The rest of the previewing process is the same as that of the local preview, except that the data to be previewed is sent by the suspect's machine. In this case, the user need not worry about protecting the storage medium being previewed, since it is connected to the suspect's machine, which has been booted from the TrueBack floppy and only reads from it.
After setting up the analysis machine and the suspect's machine as explained above, select Preview|Network from the main user interface as shown in figure 4.6.1.2.2.1.4 given below.
Figure 4.6.1.2.2.1.4 Selection of Network Devices preview.
If there is no connection error between the analysis machine and the suspect's machine, communication between the two machines is established and the dialog box shown in figure 4.6.1.2.2.1.5 given below is displayed for selection of the physical media of the suspect's machine listed in the list box. In network preview, only physical devices can be previewed.
Figure 4.6.1.2.2.1.5 Selection of physical media of the suspect's machine.
It may be noted that the details of the physical devices displayed in the above dialog box are those of the suspect's machine. When you select a device and press the OK button, CyberCheck displays further dialog boxes for specifying the Export folder path and setting options, and finally a progress bar while creating the folder structure of the selected physical device. When the folder structure has been created, CyberCheck presents the structure in the Probe view as shown in figure 4.6.1.2.2.1.6 given below. Network preview of dynamic disks is not supported at present. If the disk selected for network preview is a dynamic disk, a message box is displayed as shown in figure 4.6.1.2.2.1.7.
Figure 4.6.1.2.2.1.6 Probe view displaying the folder structure of the suspect machine's physical media.
Figure 4.6.1.2.2.1.7 Message box for a dynamic disk.
Further data from the suspect's machine is sent as and when required, when the user selects a file from the Table view. The User may preview the content of the suspect machine's physical media as in the case of local preview. In network preview, data is taken from the suspect machine's physical media only as and when required. The display on the suspect's machine is as in figure 4.6.1.2.2.1.8 given below.
Figure 4.6.1.2.2.1.8 Window displaying the details of the data sent from the suspect's machine.
When the preview of the media is over, sending of data from the suspect's machine stops and control is transferred to the main user interface of TrueBack.
297
Starting an analysis
5.1 Searches
Searching is one of the main ways to find digital evidence in an evidence file using CyberCheck. A search can be a File Search or a Keyword Search. In a File Search, you search for files with specific extensions. In a Keyword Search, you search for a single keyword or for multiple keywords that may be present in the evidence file. You can search for as many keywords as there are in your keyword list; the more keywords you have, the longer the search takes. You can limit the scope of the search by opting for only selected files or by checking only the required items in the Search dialog box. CyberCheck can search for keywords in the whole evidence file, in selected files/folders, in swap files, in slack areas, in lost clusters and in used unallocated clusters. Slack searching covers MBR slack, EMBR slack, Partition slack, Disk slack, RAM slack and File slack, and each kind of slack can be searched separately. CyberCheck also supports case-sensitive and GREP (regular expression) searching.
uncheck the Slack option. Similarly, you can set the other options like Swap Files, Used Unallocated Clusters, Lost Clusters, Hide System Files, etc., based on the extent of the search you need. CyberCheck can search for keywords only in the selected files/folders: if you select the Selected Files option, only the selected files are searched. For searching files/folders, just select the Files and Folders options. These options are set in the Search dialog box shown in figure 5.1.1.1 given below.
Search Slack Space
Data residing in slack areas, i.e., MBR slack, EMBR slack, Partition slack, Disk slack, RAM slack and File slack, can be searched. Each of the above slacks is searched separately, and if a hit is found you can see which slack the hit belongs to; for File slack, you can also see the name and path of the file to which that hit belongs. For slack searching, select the Slack option and then select the slack types you want to search within.
Search Used Unallocated Clusters
CyberCheck can search for keywords in the used unallocated clusters within the evidence file. For this search, select the Used Unallocated Clusters option.
Search Lost Clusters
CyberCheck can search for keywords within the lost clusters in the evidence file. Lost clusters are clusters that are marked in the FAT as being in use but that the file system cannot link to any file. For this search, select the Lost Clusters option.
Search Swap Files
CyberCheck can search for keywords within the swap files if the Swap Files option is selected.
Search by Extension
CyberCheck can search for keywords within files having the specified extension. Select the Search by Extension option; the Extension field is then enabled and you can specify the extension to be searched. E.g., if you want to search only document files, enter the extension (doc in this case) in the Extension field. Note that only the extension itself needs to be entered, without the leading . (dot). The keywords are then searched only within the document files.
Hide System Files
If you do not want to search within system files, select the Hide System Files option. In this case the system files are excluded from the search.
Search Results
After specifying the search criteria, click the Start Search button. In the upper right-hand corner, a progress bar appears showing the status of the search. The search results can be viewed in the Search view. For every hit, you can see the file name, preview text, hit location within the file and the file path for that particular hit. In the preview text, the searched keyword is highlighted in green colour. If you click on a hit, all the keyword hits in that file are highlighted in the viewer in blue colour and the selected hit in yellow colour.
Search Sessions
For each search operation, a new session is created under the search results in the Search view. Corresponding to the selection made in a session, the search hits for each keyword are listed on the right-hand side, and the file contents are displayed below in the Text view. Different sessions for different sets of keywords are added to the Search Result under the Keyword Search folder. This applies only to keyword searches: the results of a search based on File Hash or File Extension overwrite the hits of the previous search of that kind.
Exporting of Slack
The investigator can export the slack by selecting the Export | Slack Data menu item from the menu bar. The slack will be extracted to the Export Folder path specified by the user. If the investigator wants to open this file using some other external software such as WORD, s/he can open it provided the size of the slack file is not very large. If the size of the slack file is very large, then WORD may not be able to handle it properly.

View Slack in the Text Viewer
The investigator can select each of the slacks from the table view and view its contents in the Text Viewer.

Slack Searching
CyberCheck provides an option for keyword searching in each of the slacks separately.

Viewing Slack in the Disk View
The user can view each of the slacks in the Disk View.
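The file slack that the slack search and slack export work on is the run of bytes between a file's logical end and the end of its last allocated cluster. The script below is an added illustration, not CyberCheck code: it carves that region out of a constructed two-cluster allocation and searches it for keywords, reporting hit offsets relative to the start of the file. The cluster size, file size and image contents are all constructed.

```python
# Added example (not CyberCheck code): locate a file's slack and search it for keywords.
# A file occupies whole clusters; the bytes between its logical end of file and the
# end of its last cluster are file slack and may still hold data from an earlier file
# that used the same clusters. Cluster size, file size and image bytes are constructed.

CLUSTER_SIZE = 512  # assumed cluster size of the constructed volume


def file_slack(cluster_bytes: bytes, file_size: int, cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Return the slack bytes of a file whose allocated clusters are `cluster_bytes`."""
    if file_size > len(cluster_bytes):
        raise ValueError("file_size exceeds the allocated clusters")
    allocated = -(-file_size // cluster_size) * cluster_size  # round up to a cluster boundary
    return cluster_bytes[file_size:allocated]


def search_slack(cluster_bytes: bytes, file_size: int, keywords, cluster_size: int = CLUSTER_SIZE):
    """Return {keyword: [offsets]} for hits inside the slack; offsets are relative to file start."""
    slack = file_slack(cluster_bytes, file_size, cluster_size)
    hits = {}
    for kw in keywords:
        needle = kw.encode()
        pos = slack.find(needle)
        while pos != -1:
            hits.setdefault(kw, []).append(file_size + pos)
            pos = slack.find(needle, pos + 1)
    return hits


# Constructed two-cluster allocation: a 700-byte file, followed by leftover bytes of a
# previously deleted file that still mention an account number (values made up).
OLD_DATA = b"old invoice: account 4471-2298 wire transfer\x00"
SAMPLE_CLUSTERS = (b"A" * 700 + OLD_DATA).ljust(2 * CLUSTER_SIZE, b"\x00")
SAMPLE_FILE_SIZE = 700

if __name__ == "__main__":
    for kw, offsets in search_slack(SAMPLE_CLUSTERS, SAMPLE_FILE_SIZE, ["account", "wire"]).items():
        print(f"{kw!r} found in file slack at offset(s) {offsets}")
```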
Exporting of Lost Clusters
The investigator can export the lost clusters to the Export Folder path specified by the user.

View Lost Clusters in the Text Viewer
The investigator can select Lost Clusters from the table view and view their contents in the Text Viewer.

Searching Keywords in Lost Clusters
CyberCheck provides keyword searching in lost clusters.

Viewing Lost Clusters in the Cluster View
The user can view lost clusters in the Cluster View.
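How a tool decides which clusters are "lost" (marked in use in the FAT but reachable from no file) is shown by the added example below; it is not CyberCheck's implementation. It walks the cluster chain of every directory entry over a constructed FAT12-style table for a 12-cluster volume and reports the allocated clusters no chain reaches.

```python
# Added example (not CyberCheck code): find lost clusters in a FAT allocation table.
# A cluster is lost when the FAT marks it as in use but no directory entry's cluster
# chain reaches it. The FAT contents and directory start clusters below are constructed
# for a small FAT12-style volume; a real volume needs its FAT parsed from the image first.

FREE = 0x000
BAD = 0xFF7
EOC = 0xFFF  # end-of-chain marker


def follow_chain(fat, start):
    """Return the cluster chain beginning at `start`; stops at EOC, free, out-of-range or a loop."""
    chain, seen, cur = [], set(), start
    while 2 <= cur < len(fat) and cur not in seen:
        seen.add(cur)
        chain.append(cur)
        cur = fat[cur]
    return chain


def lost_clusters(fat, dir_start_clusters):
    """Return the sorted clusters allocated in `fat` that no directory entry chain reaches."""
    reachable = set()
    for start in dir_start_clusters:
        reachable.update(follow_chain(fat, start))
    allocated = {c for c in range(2, len(fat)) if fat[c] not in (FREE, BAD)}
    return sorted(allocated - reachable)


# Constructed FAT for a 12-cluster volume: index = cluster number, value = next cluster.
SAMPLE_FAT = [
    0xFF8, EOC,   # entries 0 and 1 are reserved
    3, EOC,       # file A: 2 -> 3
    FREE,         # 4 free
    6, 7, EOC,    # file B: 5 -> 6 -> 7
    9, EOC,       # chain 8 -> 9 with no directory entry: lost
    EOC,          # 10 allocated but unreferenced: lost
    FREE,         # 11 free
]
SAMPLE_DIR_STARTS = [2, 5]  # start clusters taken from the directory entries

if __name__ == "__main__":
    print("lost clusters:", lost_clusters(SAMPLE_FAT, SAMPLE_DIR_STARTS))
```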
chart. These files can be seen in the Table view by clicking Timeline Files in the Probe view.

Significance of Signatures
Most graphic and text files contain a few bytes at the beginning of the file that constitute a unique signature of that file type. The software verifies the signature of every file it searches against a list of known file signatures and their associated extensions. If there is a mismatch, such as when a suspect has hidden a file by renaming its extension in an attempt to conceal its identity, CyberCheck automatically identifies those files and records the result in the Signature attribute of the file in the Table view. If you double click a file, it is opened in the external viewer chosen according to the file's signature, not its extension.
A Select Folder dialog box appears on the screen, as shown in figure 5.7.2 given below. Select the folder into which you wish to save the selected file and click the OK button. (While selecting the destination path, the full file path is displayed in the text field at the bottom.)

Figure 5.7.2 - Interface for selecting the Export Folder

The export facility can be used if we wish to view any of the files in its native viewer: export the file to any location and double click it to view it, provided a viewer associated with that file type is installed on the system.
Timeline View Features

View All Files or Selected Files
CyberCheck has the facility to show a Timeline view of either all the files in an evidence file or selected files / folders. To get a timeline view of all the files in an evidence file, select the All Files option and click the Show Chart button. If the Selected Files option is used, only those files for which a selection is made in the Probe view are displayed.

View Deleted / Normal Files
Based on the selection, we can display either the deleted files or the normal files in the Timeline view. There is also an option to display both the deleted and the normal files.
View Based on File Attribute
The files can be displayed based on the file creation, last accessed or last written date and time stamp. Based on these file attributes, various permutations can be used to get a timeline view.

View Files Between a Period of Time
CyberCheck also has the facility to display all the files between a specified period of time. To view files between a period of time, select the search option, select the From and To dates from the calendar control below, and click the Show Chart button. The list of files matching the specified search criteria is added to the Timeline Files item in the Probe view and displayed in the Table view.

Time Anomaly
This option gives a list of those files which have a mismatch in their date and time stamps. For example, if the last accessed date and time is before the file creation date and time stamp, a time mismatch is notified.

Signature Mismatch
For any file, the first few bytes (the header) uniquely identify its file type, i.e., the file extension it should carry. If the file extension and the header do not match, a signature mismatch is notified. CyberCheck has the facility to view time-mismatched files, signature-mismatched files, or both together.

Features in Timeline View
On right-clicking inside the Timeline view you get the following options.

Zoom In / Zoom Out
We can zoom in and zoom out to get a detailed view of the files. To zoom in, left click inside the Timeline view and drag the mouse over the region you wish to zoom in on. A dotted rectangle is drawn along the selection path, indicating the selected region. Continue this process to zoom in to a higher resolution. Similarly, right click inside the view and select the Zoom Out option to get a lower-resolution view of the files.

Show / Hide Grid
The Show Grid option gives a grid line view of the files. The Timeline view is divided into grids based on the number of files available in the view. To hide the grid, click the Hide Grid option.

Options
This brings up the Options window, where we can redefine our view options, such as viewing only modified files.

Show Files
The Show Files option brings up the Probe view with all the timeline files displayed in the right pane. On clicking the Timeline tab, the view returns to the previous Timeline file list view.
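The two timeline anomalies described here, and the signature check described under Significance of Signatures above, come down to two simple tests per file. The added example below is illustrative code, not CyberCheck's own: it checks a file's leading bytes against a small table of known signatures (a handful of common formats only) and flags a file whose last-accessed or last-written stamp precedes its creation stamp. The file records it runs over are constructed.

```python
# Added example (not CyberCheck code): flag signature mismatches and time anomalies over
# a list of file records. The signature table covers a handful of common formats only,
# and the file records below are constructed.
from datetime import datetime

# Magic bytes at the start of a file -> extensions that legitimately carry them.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"GIF89a": {"gif"},
    b"%PDF-": {"pdf"},
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": {"doc", "xls", "ppt"},  # OLE2 compound file
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx"},
}

def detect_type(header: bytes):
    """Return the extension set matching the header, or None if no known signature."""
    for magic, exts in SIGNATURES.items():
        if header.startswith(magic):
            return exts
    return None

def signature_mismatch(name: str, header: bytes) -> bool:
    """True when the header is a known signature but the extension is not one it belongs to."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    exts = detect_type(header)
    return exts is not None and ext not in exts

def time_anomaly(created: datetime, accessed: datetime, written: datetime) -> bool:
    """True when the last-accessed or last-written stamp precedes the creation stamp."""
    return accessed < created or written < created

def analyze(records):
    """Return {name: [labels]} for every record with at least one anomaly."""
    out = {}
    for r in records:
        labels = []
        if signature_mismatch(r["name"], r["header"]):
            labels.append("signature mismatch")
        if time_anomaly(r["created"], r["accessed"], r["written"]):
            labels.append("time anomaly")
        if labels:
            out[r["name"]] = labels
    return out

# Constructed records: a JPEG renamed to .txt, a photo whose access stamp predates its
# creation (copying a file can do this legitimately, so it is a lead, not proof), a clean PDF.
SAMPLE_RECORDS = [
    {"name": "notes.txt", "header": b"\xff\xd8\xff\xe0\x00\x10JFIF",
     "created": datetime(2023, 1, 10), "accessed": datetime(2023, 2, 1), "written": datetime(2023, 1, 15)},
    {"name": "photo.jpg", "header": b"\xff\xd8\xff\xe1",
     "created": datetime(2023, 1, 10), "accessed": datetime(2022, 12, 31), "written": datetime(2023, 1, 10)},
    {"name": "report.pdf", "header": b"%PDF-1.7",
     "created": datetime(2023, 3, 1), "accessed": datetime(2023, 3, 2), "written": datetime(2023, 3, 1)},
]
```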
5.10 Report
To generate a report with the acquisition information, drive geometry information and partition table information, click on the Report tab of the right pane. The Report view will be displayed as given in figure 5.10.1 below.
Figure 5.10.1 - Report

The report contains the following information:
- Complete information of the evidence file system
- Complete information of the partitions and drive geometry
- Hash verification details
- Details of mismatched blocks in case of a hash mismatch (for TrueBack images only)
- User login and logout information
- Appended content of text files and slack information
- Picture files included as images
- Folder structure
Once a user has logged in by creating a new probe, CyberCheck keeps track of all the user's activities in its report. A probe under analysis can be saved in a report file. To save a report, select the Save option in the File menu. While saving a probe, the logout date and time are recorded along with the login date and time and all the traced analysis data that has been saved manually. When a probe is saved under a file name, a password confirmation window pops up. This additional security feature is provided so that the report file cannot be tampered with by a third person.

Opening a Probe
To open a saved probe, open the report file as shown in figure 5.10.1.1 given below and click the OK button.

Figure 5.10.1.1 - Opening an existing Probe file

A password confirmation window appears on the screen if the probe was saved with a password. If the password typed doesn't match, access to the saved probe is denied. Similarly, if the correct evidence file is not given, the error message "evidence and report file mismatch" is displayed.
Normally the digital evidence will be part of a file. During an analysis session, if the analyzing officer finds likely digital evidence in some part of a file or in the slack area of a file, s/he can add the content or slack of that file to the report by selecting the file in the table view and right clicking on it. A context menu with several sub-menus then pops up, from which the analyzing officer chooses the Append to Report item. The analyzing officer may choose to append the File Content, the File Slack, or both to the report. If the File Content item is chosen, the data part of the selected file is appended to the report along with the attributes of the file. If the File Slack item is chosen, the data available in the file slack, if any, is appended to the report along with the attributes of the file. If both need to be added to the report, the analyzing officer may choose both. If the selected file is a picture file, the content of the file is added to the report as a picture rather than as raw data. An example report is shown in figures 5.10.1.2, 5.10.1.3 and 5.10.1.4 given below.
Figure 5.10.1.4 - Report after Appending the Picture of the Selected File