New blog!

Hi everyone! Just thought I’d write a quick post and let everyone know of a new blog by my email buddy from Australia. He is trying to get his foot in the door of computer forensics and has started a very funny blog about it. Hopefully everyone who reads it will have a sense of humor. I enjoyed it immensely.

The link is:

http://cheeky4n6monkey.blogspot.com/

Enjoy!

Being Educated……

Hi all! Well I’m slowly learning the SANS SIFT VM and a little more about the linux/unix command line thanks to my email buddy Adrian from Australia! We decided to work through the SIFT together and try examining some of the images from the image collection I have on my blog. We are also using the book Digital Forensics with Open Source Tools by Harlan Carvey and Cory Altheide. Actually I’m thinking it’s more me doing the learning and Adrian doing the teaching, for which I am very thankful. I knew a few Linux commands before starting this little adventure but realize I still have quite a bit more to learn. I am having fun doing this though even when I get frustrated and just want to toss the laptop out the window. I just shut it down, take a breather and come back to it later that day or the next day.

So far this is what has happened:

Adrian decided on an image to examine from the websites listed on this blog and he then downloaded and copied it to the SIFT VM. He chose the M57-jean scenario from Digital Corpora.

Adrian sent me an email detailing what he had done and giving instructions on what to do (I told you this was one sided…him teaching and me learning) and this is what he wrote me:

I’ve just spent the past few hours trying to get the SIFT 2.1 VM to see the 2 M57 Jean EnCase files. Thought I’d give you a bit of a heads up.
It’s a bit of a process – I found this blog which described how to do it (more or less):
The SIFT 2.1 VM has all the software/tools mentioned in the blog already installed / configured.
And pp 20-22 of “Digital Forensics with Open Source Tools” (Altheide & Carvey) also details a similar process.
But there is one complication – the SIFT VM doesn’t seem to recognise the HPFS (High Performance File System) / NTFS filesystem of the EnCase files. The blog example doesn’t mention this as a problem. But I couldn’t follow the blog/book without getting errors.
I ended up using the Ubuntu Synaptic Manager (System, Control Center, Synaptic Package Manager) to install the “ntfs-config” package/software and Ubuntu then recognised/mounted the image. Not sure why it wasn’t mentioned in the blog / book but it seems to work now …
Here’s roughly what I did:
1. Copy the 2 EnCase evidence files across to the SIFT VM (eg copy to /cases/ ).
2. At the terminal, use the command “sudo su -” to login as root so we can issue commands with the appropriate privileges ie make data accessible/mount stuff.
3. Use the command “mount_ewf.py /cases/nps-2008-jean.E* /mnt/ewf/” to combine the two evidence files into a single Unix style image file called /mnt/ewf/nps-2008-jean (note: we use the “nps-2008-jean.E*” arg so it picks up all encase parts). There will also be a txt file containing the MD5 hash as calculated by EnCase. You can then use the command “md5sum /mnt/ewf/nps-2008-jean” to calculate a local MD5 hash for comparison but it will take a few minutes.
4. Install the “ntfs-config” package using the synaptic manager.
5. Use “losetup -o32256 -r /dev/loop0 /mnt/ewf/nps-2008-jean” to map the image file to a loop device (ensuring you specify the offset 32256 so the loop device is mapped to the Filesystem and not the beginning of the disk image. Blog/book has more info).
6. Use “mkdir /mnt/m57jean” to create a mountpoint directory that we can use later.
7. Use “mount /dev/loop0 /mnt/m57jean/ -o loop,ro” so we can map the loop device to a read only directory.
8. Use “ls -al /mnt/m57jean” to list the contents of the filesystem.
Let me know if I can clarify any of this. If you find it helpful, feel free to post it on your blog 😉
Couple other things –
“fdisk -lu /mnt/ewf/nps-2008-jean” can be used to show the filesystem type info (ie HPFS / NTFS)
If you need to unmount a directory use “umount /mnt/m57jean” for example.
If you need to reset the loopback device, you can use the “losetup -d /dev/loop0” command.
If you restart the SIFT, it will lose all the mounting stuff and you’ll have to do it all over. Can be helpful if you make a mistake and can’t figure out how to recover.
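As an added example (not from the original post, and not SIFT’s or mount_ewf.py’s own code), here are the email’s steps as a small bash script that checks the EnCase MD5 before going further and derives the losetup offset from the fdisk listing instead of hard-coding 32256. The image and mount paths, /dev/loop0 and the name of the hash .txt file are assumptions.

```bash
#!/bin/bash
# Added helper for the SIFT mounting steps in Adrian's email; not part of the
# original post or of SIFT/mount_ewf.py. Paths, /dev/loop0 and the name of the
# hash .txt file are assumptions.
set -eu

# Constructed "fdisk -lu" listing (first partition at sector 63, 512-byte
# sectors), used to exercise part_offset_from_text offline.
SAMPLE_FDISK='Disk /mnt/ewf/nps-2008-jean: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders, total 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes

                   Device Boot      Start         End      Blocks   Id  System
/mnt/ewf/nps-2008-jean1   *          63    20964824    10482381    7  HPFS/NTFS'

# Print the first partition's byte offset (start sector * sector size) for
# "losetup -o", instead of hard-coding 32256.
part_offset_from_text() {
    printf '%s\n' "$1" | awk '
        /^Units/ { for (i = 1; i <= NF; i++) if ($i == "bytes") ss = $(i - 1) }
        ss && /^\// && !done {              # first partition row
            start = ($2 == "*") ? $3 : $2   # skip the Boot flag column
            print start * ss; done = 1
        }'
}

# Compare the MD5 EnCase recorded (mount_ewf.py leaves it in a .txt beside the
# raw image) with a fresh md5sum of the raw image. Assumes the .txt contains
# the hash as a 32-character hex string; non-zero on mismatch or missing hash.
verify_ewf_hash() {
    recorded=$(grep -oiE '[0-9a-f]{32}' "$2" | head -n 1 | tr 'A-F' 'a-f')
    computed=$(md5sum "$1" | awk '{ print $1 }')
    [ -n "$recorded" ] && [ "$recorded" = "$computed" ]
}

# The email's steps 3 and 5-8, run as root on the SIFT VM (pass --run).
mount_m57() {
    mkdir -p /mnt/ewf /mnt/m57jean
    mount_ewf.py /cases/nps-2008-jean.E* /mnt/ewf/
    verify_ewf_hash /mnt/ewf/nps-2008-jean /mnt/ewf/nps-2008-jean.txt \
        || { echo "MD5 mismatch: image does not verify" >&2; return 1; }
    offset=$(part_offset_from_text "$(fdisk -lu /mnt/ewf/nps-2008-jean)")
    losetup -o "$offset" -r /dev/loop0 /mnt/ewf/nps-2008-jean   # -r: read-only
    mount -o ro /dev/loop0 /mnt/m57jean
    ls -al /mnt/m57jean
}

if [ "${1:-}" = "--run" ]; then mount_m57; fi
```

Both losetup -r and mount -o ro are kept so that nothing can be written back to the evidence image even if a tool misbehaves.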


New toys!

I just received the Tableau write blocker w/ kit I ordered earlier this week. Since I’m not employed in the digital forensics field yet, I realize that I’m not getting the practice I need with this particular area of forensics and decided to buy a write blocker that I could practice with. I also just won a couple used hard drives off of ebay that I intend to practice my imaging skills with using the write blocker. Now I just have to wait for drives to be delivered…..

Why?

I’ve always been told that after receiving rejection letters, phone calls, etc., that I should contact the company via email or a phone call and ask in a polite manner what I can do to improve my interview performance or what would make me more employable…..so I do this after every rejection. I have only received a reply once offering constructive criticism and advice. Why is this? Why only one reply?

Rejection…..again

So I didn’t get the job I was waiting to hear back from.  I was informed through an email that I received last Saturday.  I always thought rejection letters came in the form of snail mail instead of email so I was quite surprised when I saw that in my inbox. Receiving it by email actually kind of made me somewhat angry because of the fact that I paid for my plane ticket out to the interview and I paid for my hotel and then to receive an email rejection letter? Oh well, I have moved on and have been playing phone tag with a man regarding setting up a phone interview with the company he works at. Hopefully it will be this weekend or early next week. I just keep plugging away with these applications, informational interviews, phone interviews, face to face interviews…..hopefully someone will be willing to take a chance with me so I can show them one hard working individual!

I have decided to attend the SANS 504 class because I have been told it would probably be beneficial to have some infosec training and possibly a cert to go along with the forensics training I have already had. So, I will sign up for one this Fall I believe. Actually the subject matter being taught in this class has always interested me so I am quite excited about it. If anyone had any opinions on this class, please let me know!

Still waiting…..

Still waiting to hear back from the interview I had two weeks ago. I was told that I would either receive the “rejection” letter or a phone call in two weeks. The interview was two weeks ago yesterday. This is about the time I start getting antsy and my thinking leans towards the negative side as opposed to the positive side.

Today I have an appointment to talk with the Chief Security Officer at the hospital that I work at. It is an information meeting that was set up last week. I wrote emails to the legal and security departments at the hospital explaining my situation and asking for any help they could give me to try and get me the experience in this field that I am lacking and this meeting was set up. I’m not sure how much this will help me but I’m sure I will learn some new information. I explained that I would work for free, part time, full time, any placements, volunteer, internship, etc..etc..etc..

Since I don’t have regular access to images, I have been downloading practice images from the Internet and analyzing them…so far I have been through about three of them. I use my FTK demo and the X-Ways Forensics package that I bought earlier this year to analyze them along with the other forensic software I have. I have also been studying for the EnCe exam using the Steve Bunting book. I have used EnCase but certainly not as much as FTK. I’m considering taking the EnCase Forensics II class in the near future as I believe I would get much out of this before attempting to take the exam. After this, I will be taking a Mac forensics class…hopefully by the end of the year. I use a Mac for my personal use and absolutely love it…decided to buy the Mac OS X, IPOD and iPhone Forensic Analysis book by Kubasiak and Morrissey and a used Macbook from eBay so I could practice a little bit before taking the Mac forensics class.


Upcoming Interview!

I have an interview coming up within the next two weeks! I will fly out and spend some time in the area beforehand, which is something I always do. I have been going over potential interview questions during my free moments. I have also been fine tuning my answers to any behavioral based questions although I feel everything changes once you are in that interview room with 1-4 people asking you questions. It’s pretty intimidating. I remember when I was on the interview panel for manager of our department and I felt so sorry for the applicants……being surrounded by 7 of us and trying to answer these behavioral based and job based questions. I never wanted to go through it myself but have….twice. I’m hoping this will not be group based but feel that since I’ve been through it before, I kind of know what the format is. I also feel that these interviews are great experiences even if I do not get the position.


I’ve been sending out quite a few applications for other positions and have had some phone interviews. Also, I did contact the legal, IT and IS Security heads of departments for the hospital I work at. They have been very helpful and I have a couple of appointments with them for information purposes and to see what they can do to help me get the experience I need. I’m curious to see what they have to say!

Interview Question List

Here is the interview list I have said I would post. These are questions that I have seen posted on other websites, questions I have been asked in interviews and questions others have been asked in interviews. If anyone wants to add other interview questions that they have been asked just post a comment!

Describe the different file systems? FAT 12, FAT 16, FAT 32, NTFS

Describe the Windows operating systems?

What imaging tools and techniques are you familiar with?

What is the basic command line syntax for dd or dcfldd? What are the differences between the two?

Describe the steps to image a laptop with a bootable forensic cd?

What are some options to write block a drive before imaging or previewing?

What are two ways to do a network acquisition using Helix? List hardware and software required for each method.

What is the bare minimum equipment needed to image a desktop?

What is an MD5 checksum and how is it used in forensics?

What are some other hashing algorithms besides MD5?

What is a .ISO?

What is a bit level image and how is that different from an ISO?

What is the SAM file? Which operating system has it?

What is data carving?

What is live previewing of a system?

How would you image a hard drive on a system that cannot be shut down?

If a file is labeled .tar.gz what is it and why is it in .tar.gz format?

Describe the chain of custody in detail?

How would you be able to tell at the hex level that a file has been deleted in FAT 12?

How would you go about imaging a network without taking it down?

What is metadata? What is affected by it? What attributes does it represent?

Why is it important to sanitize your analysis media?

You have an IDE drive and it is not reading. Why is this?

Describe the difference between wiping and formatting drives?

How many timestamps are there in NTFS and what are they?

Does the registry have any timestamps?

What is the ntuser.dat file?

What do the MRU keys tell you in the registry?

What is a three way handshake in TCP/IP?

How does TCP differ from UDP?

What would I bring to the position?

What are the steps when taking a computer from the home?

What is the step by step procedure after receiving a hard drive which contains child pornography?

Someone willingly brings their computer in for some minor offense. After imaging, it is returned to the person. During the examination child pornography is found, what do you do?
What is slack space?

What is unallocated space?

What are bits, bytes, nibbles and clusters?

What is the hex value for a deleted file or directory in FAT systems?

What is the hex value for a directory?

How to calculate disk capacity?

What is volatile data?

What happens when a disk is formatted?

What is the numeric base system for hexadecimal, decimal, octal and binary?

What motivates you?

What are some challenges to computer forensics in the future?


Getting my practice forensic machine up and running

So I’m wiping the hard drive on one of my computers as I am typing this. I will be using it as my practice forensic machine. I’m wondering if anyone has any ideas on what software I should install to it and practice with? I will be installing all the software I already have but am wondering if anyone has suggestions as to what will be beneficial to learn. I will be using this machine to continue my studies for the EnCe examination so the EnCase demo will definitely be on the machine. I also have X-Ways Forensics w/dongle and I’m thinking of reinstalling my FTK demo. This is an old demo and I’m not sure if they have an updated demo….does anyone know? I will also be practicing using Helix, Caine and Backtrack. Any other software I should install?

A New Week!

Well, I certainly hope this week goes better than last week. For some reason I was feeling pretty down last week about still not being able to secure a position after having graduated a year ago. Plus, I have had some lame interviews recently where I just want to press a button that’s labeled “do over”. It does depress a person now and then, which I’m sure is normal. But, I tend to bounce back after going through a few days of negative thoughts and I am grateful I have a job in this economy, even if it is not in the digital forensics field. I did have one phone interview last week and I believe it was so-so but always seem to encounter a question or two that I’m not prepared for. So, after the interview is over, I add it to my interview question list and then write down what my answer would be if it pops up again in a future interview. Speaking of that interview question list, I have decided I’m going to post it here, only the questions, not my answers. Maybe this will help other job seekers in the future.


Have a great week everyone!