Brett's Blog

Just some ramblings.

Workarounds to Workarounds (and some hints & reminders)

Every now and then, I get email from readers who have difficulties, and some areas come up more often.  I also learn a few things as time goes by, and I gain some valuable pointers from colleagues who share my interests.  Therefore, I want to update or amend a few procedures as well as review some of the more basic steps that folks may overlook.

1. Building and booting UEFI/GPT systems and remembering the registry edit

A little while back, I posted on building VMs from UEFI/GPT systems, found most often in Windows 8.  Since then, I’ve seen more of these outfits arrive in my shop, as the use of Windows 8 and large disks grows.  If you document your target system before an exam, which requires accessing the setup in most cases, you’re sure to recognize that the setup doesn’t resemble the BIOS of old.  There’s a sample screenshot in the above post.  Even if you dive straight away into your exam, you’ll find a clue when you study the partitioning of your target image file:

[Screenshot: GPT Disk]

X-Ways Forensics users will receive the answer to the clue without having to guess.  The GPT partitioning style with the four partitions, including the MS reserved partition, means that you have a UEFI system.  The FAT32 partition likely holds your EFI boot data:

[Screenshot: EFI]


A Quicker Way to the Shadow Volumes and Dealing with Win 8 VHDXs

Arsenal Image Mounter (AIM) is a new image-mounting tool from Arsenal Recon.  Not only is it free, but the folks at Arsenal have been gracious in lending support.  AIM employs a special SCSI driver that lets us mount image files of various types so that Windows Disk Manager can see our mounted image (a pseudo disk, as I like to call it) as an actual disk. This innovation allows us to access shadow volumes in a completely new way and avoid converting images to, for example, VHD files.  AIM also can mount our image as write protected or as writable.  I won’t go into more depth on AIM’s features, as you can visit the web site to learn more and acquire a copy.

Heretofore, Windows would not enumerate shadow volumes on images mounted with the most popular tools, e.g., FTK Imager, Mount Image Pro, etc.  A notable exception is a Windows virtual disk file (VHD), which is not used to an appreciable extent, if at all, as the target of a disk image file in computer forensics.  I’ve explained before how to work with these virtual disks with respect to the Windows 7 variety (VHD).  Windows 8 brings a new format, the VHDX file, which I’ll mention again later.  For now, suffice it to say that there no longer is a need to convert a dd image to a VHD if your goal is to access shadow volumes on your host system.  As I’ve demonstrated in my VHD post, the conversion required the addition of data to the end of your dd image.  While that made an easily reversible change to an original image file, some folks were not comfortable doing so and chose to create a spare dd file.

Let’s take a closer look at AIM and how it can help us get to shadow volumes very handily.  I’m going to work with a dd image of a Windows 7 system, though there is no difference with an E01.  In the following screenshot, I’ve opened AIM and navigated to my image file (001).

[Screenshot: AIM1]

Next, we’ll see the window that AIM presents after I select the image.  I’m going to maintain the default options, which the screenshot depicts.  Typically, we don’t have to ask AIM to fake (cache) a disk signature; AIM offers this because Windows won’t mount a disk that does not have a signature.  I’ve seen only one case in which a disk signature was absent, and it concerned a VHD file created by Windows 7’s system image feature.  Note that AIM handles 4KB (and other) sectors.


RAIDs & Virtual Machines

After a colleague posed a question about building VMs from RAIDs, I thought it might be a good topic for a post.  I won’t go into RAID basics, as you probably have a good grasp of that topic already if you’re visiting my site.  The RAID systems that I see most often are RAID 0s, insofar as the system disk is concerned.  We’re not concerned about a box that contains a system disk plus any variety of RAID.

In addition to being RAID 0s, the systems that are most common in my shop contain two disks.  Frankly, I’d be a little hesitant about building a system on a RAID 0 with more disks because of the lack of fault tolerance.  For our purpose, it really doesn’t matter.  In fact, we can build our VM from a RAID 5 or even some versions of RAID 6, if we use the world’s leading forensics tool, X-Ways Forensics (XWF).  For this demo, I’m going to use a two-disk RAID 0.  The first step is to create an image of each disk.  For the original images, the format is irrelevant.  I say “original” because we’re going to create another image later.

As in most cases with XWF, there are a few (X) ways to approach a task.  Let’s say that you don’t know whether you have a RAID, so you simply add your images to your case, as in the following video.

[Video]

We now have two raw disks in our case.  XWF also advised us that the disk structure implies that a RAID may be present (the MFT message indicates the possibility of an implausible file record and likely is of no consequence).  A little exploration will confirm that a RAID is present, so we can proceed to reconstruct the RAID.

[Video]

When we add disk images to our case, XWF intuitively offers them as physical and/or logical disks in further tasks, as in the Select Disk box that we saw in the video.  We see that our original disk images remain in our case, but it’s really not necessary to keep them.  In fact, we didn’t have to add them when we created our case.  For example, during the original imaging process, we could take a look at the original disks through our write blocker and determine that we have a RAID 0.  After imaging, we can mount each image as a physical disk with FTK Imager or the tool of our choice.


Getting a Quick Look at Shadow Volumes

We’ve come to the point where we can conduct a rather complete exam of shadow volumes using dd and E01 image files.  Let’s say that we don’t need to do such a complete exam.  For example, we’re confident that one particular folder may contain previous, unrecovered copies of a small number of relevant files.  Maybe we’re looking for one file in particular.  In those instances, we may not need to mount the shadow volumes.

We can accomplish this task in either our SEAT workstation, in which we added a virtual disk of the target system, or in a running VM of the target.  The latter approach is required for E01 images and optional for dd image files.  You also can accomplish this with the VHD method that I presented earlier.  The approach is the same regardless of which method you choose.  Remember, however, that using a “live” VM of a system runs the risk that the system will delete old shadow volumes.  The risk can be overcome, but keep it in mind.

To demonstrate the procedure, I’m going to use my SEAT workstation, in which I added a virtual disk.

[Video]

It’s that easy!  Note, too, that you can invoke Windows Previous Versions on almost any file or folder.


Mounting Shadow Volumes

We’ve built our SEAT VM and added our target image to it as a virtual disk.  The first thing that I do is verify that all of the shadow volumes are present.  My first post presented a screen shot from the image file (MyImage) and depicted the shadow volumes.  We can compare the shadow volumes from the image file with those in our VM.  The following video presents the steps we use to enumerate the shadow volumes with the native vssadmin command run from our administrative command prompt.

[Video]

The screen populates quite quickly, but the point is that we can identify the number of shadow volumes and their respective creation dates.  To make it easy to copy, here’s the syntax: vssadmin list shadows /for=[your target volume letter followed by a colon].  Note, too, that your beginning shadow volume number will be different from mine and does not necessarily start with the number one.  Another trick is to re-run the command and redirect the output to a text file by appending a space, the > character, and the path and name of your text file.  Creating a text file is handy for documenting your findings and for copying the shadow volume names, which we’ll do later.
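To turn that exported text file into something you can document and copy from, here is an added Python example (mine, not code from the post or from any tool it mentions) that parses vssadmin list shadows output and groups the shadow copy numbers into consecutive runs.  The sample output is constructed, with placeholder GUIDs, and its numbers deliberately start at 7 rather than 1.

```python
import re

# Constructed sample of "vssadmin list shadows /for=E:" output; the GUIDs are
# placeholders and the copy numbers deliberately do not start at 1.
SAMPLE_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Contents of shadow copy set ID: {aaaaaaaa-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 3/2/2013 10:15:32 AM
      Shadow Copy ID: {bbbbbbbb-0000-0000-0000-000000000007}
         Original Volume: (E:)\\?\Volume{cccccccc-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7

Contents of shadow copy set ID: {aaaaaaaa-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 3/9/2013 9:02:11 AM
      Shadow Copy ID: {bbbbbbbb-0000-0000-0000-000000000008}
         Original Volume: (E:)\\?\Volume{cccccccc-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8

Contents of shadow copy set ID: {aaaaaaaa-0000-0000-0000-000000000003}
   Contained 1 shadow copies at creation time: 3/20/2013 6:47:05 PM
      Shadow Copy ID: {bbbbbbbb-0000-0000-0000-000000000012}
         Original Volume: (E:)\\?\Volume{cccccccc-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy12
"""


def parse_shadows(text):
    """Parse 'vssadmin list shadows' output into one dict per shadow copy.
    The creation time is kept as the locale-formatted string vssadmin prints."""
    shadows, created = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Contained "):          # set header carries the timestamp
            created = line.split("creation time:", 1)[1].strip()
        elif line.startswith("Shadow Copy ID:"):
            shadows.append({"id": line.split(":", 1)[1].strip(), "created": created})
        elif line.startswith("Original Volume:") and shadows:
            shadows[-1]["volume"] = line.split("(", 1)[1].split(")", 1)[0]
        elif line.startswith("Shadow Copy Volume:") and shadows:
            path = line.split(":", 1)[1].strip()   # the GLOBALROOT device name
            shadows[-1]["path"] = path
            shadows[-1]["number"] = int(re.search(r"ShadowCopy(\d+)$", path).group(1))
    return shadows


def consecutive_ranges(numbers):
    """Group copy numbers into (first, last) runs, e.g. 7, 8, 12 -> (7, 8), (12, 12)."""
    runs = []
    for n in sorted(numbers):
        if runs and n == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], n)
        else:
            runs.append((n, n))
    return runs
```

The consecutive runs matter because the mounting step that follows treats consecutively numbered shadow volumes differently from non-consecutive ones.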

Now we can mount any or all of our shadow volumes for examination.  We’re going to use VSS, a free command-line tool written by Dan Mares, who is a creative, long-time forensic software developer and examiner.  Dan also has developed free tools that are adjuncts to X-Ways Forensics and help users customize certain reports.  You can pick up a copy of VSS at http://www.dmares.com/pub/nt_32/vss.exe.  Be sure to check for updates, as Dan is great about implementing suggestions.  You’ll also want to check out his other tools at http://www.maresware.com/.  Thanks, Dan!

There are a few ways in which we can use VSS.  We can mount one shadow volume; multiple shadow volumes that are numbered consecutively; or multiple, non-consecutive shadow volumes.  The following screenshot displays the syntax.


Adding Our Target System to Our SEAT Workstation

In this step we’ll add our target system virtual disk to our SEAT VM.  We already have the target (MyImage) virtual disk that we created, and we’ll add it to our system as in the next video.

[Video: Add Virtual Disk]

As you saw, we chose to add the disk as an independent disk in non-persistent mode.  Any changes to the disk are discarded when we power off our SEAT VM.  Actually, as we’re going to examine shadow volumes, we’re not too concerned about routine changes that our operating system may make to volumes attached to our SEAT VM.  Nothing within the shadow volumes will be changed.  Remember, we’re not out to do a general exam; for that we can use our favorite tools on our image file.

When you add the disk, VMware may present a box that warns of a hardware compatibility issue.  If my SEAT VM was created in an earlier version, I’ll get the following warning.


Getting Ready for a Shadow Volume Exam

We now have built a virtual machine from an image of the target system.  Next, we’ll build a Windows 7 VM and configure it as our examination platform: the Shadow Examination and Analysis Technique (SEAT) workstation.  Building the VM basically is the same as installing an operating system from scratch, and I’ll go over the basic steps in the following video.

[Video: Build Base VM]

I installed Windows 7 Ultimate 64 from a DVD, but you can use an ISO instead of a disc.  I have a library of operating systems on ISOs, as they come in handy.  Please be mindful of licensing requirements.  I didn’t install a network adapter, but will do so later.  I use as much RAM as I can afford, and you can experiment.  RAM can be adjusted from a powered-off state.  I like using a single, growable disk for my VM.  For the most part, I set up the system as I like.  I turn off User Account Control, but we must leave System Protection enabled.  I also set my folder view options to allow access to hidden and system files.  Remember that you can use snapshots to protect the state of your VM.  Below is a screenshot of my VM.  I keep my frequently used tools on the desktop.  Be sure to include a shortcut to the command prompt, and set it to run in administrator mode.

For you X-Ways users, you can configure your options as you do normally.  Be sure, however, to set the option to run XWF as administrator by default, and allowing multiple instances is suggested.  Remember that XWF, as most forensic suites, is USB dongle based.  When you want to work with XWF in your VM, you must connect the dongle to the VM as in the image below.


Creating a VMware Virtual Machine from a Raw Image File

Welcome to my blog and first post!  My aim is to provide tutorials that describe some of the things about which my colleagues have questions.  I’m neither a seasoned blogger nor videographer, so please bear with me as I progress.  I don’t plan to produce a regularly updated journal on digital forensics, as many of the good folks in my blog list now publish.  Instead, I’ll try to provide some guidance on practices that may help others who haven’t had a chance to explore an area of computer forensics that I may have delved into repeatedly.  As you’ll see, I have a plan for a few topics and will consider suggestions thereafter.  I do, however, have a full time job that already extends beyond a “reasonable” workday, so pardon my delays in posting.  The videos herein should be viewed in high-def, and you’re welcome to download them.

This will be a multi-part presentation that goes into creating VMware virtual machines and using them to examine shadow volumes.  First, we’ll create a virtual machine from a single dd image file.  In the next presentation, we’ll examine the target system’s shadow volumes using VMware and X-Ways Forensics (XWF) http://www.x-ways.net/forensics/index-m.html.  We can create a target-system VM from a segmented image, but it takes more work to create our configuration file.  We also can build a VM from other image formats, like E01, as long as we can mount the image as a physical disk.  First, I always take care to see that my image file is read only.  Our image file is MyImage.001.  There are a variety of ways to approach an exam of shadow volumes, and this is mine at the moment.  I’m using VMware 8.x, but the steps are the same in 7.x.

I’m going to assume that readers have a modest grasp of VMware and Windows shadow volumes.  The next presentation features XWF more prominently, and I encourage readers to pick up a copy, as its benefits go far beyond the points that I’ll present.

Step One is to create a disk descriptor (vmdk) file, which is a text file that contains the disk geometry and image name.  Below is a screen shot of the contents of a Vista/Win7 vmdk file.  The yellow-highlighted fields are the ones that you will edit.  The first is the number of sectors on the physical disk.  Next is the name of your image file.  Then skip the next field (cylinders) for the moment and be sure that heads=255 and sectors=63.  Then enter the number of cylinders by dividing the number of sectors by 255 and then by 63.  It’s 19458 in our example; always round up to the next whole number and do not use commas.  I usually place this file in the same folder as my image, where we’ll name this file MyImage.vmdk.

Here’s an editable copy of our vmdk file: MyImage.txt.  Save the file as a text file and then change the extension to vmdk for actual use.  It’s configured for VMware 8.x.  If you’re wondering where to get the number of sectors, an easy approach is to highlight the image in XWF and select the Technical Details Report from the Specialist menu:
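For those who would rather compute the descriptor than edit the template by hand, here is an added Python example (mine, not the post’s MyImage.txt) that sizes the image file read-only, applies the heads=255/sectors=63 geometry and the round-up rule from Step One, and emits the descriptor text.  It goes beyond the single-file case by writing one RW extent per segment of a split image, which assumes VMware’s twoGbMaxExtentFlat type accepts segments of any size; 512-byte sectors are also assumed.

```python
import math
import os

SECTOR = 512          # bytes per sector assumed for the raw image
HEADS, SPT = 255, 63  # geometry the post prescribes for a Vista/Win7 disk


def cylinders_for(total_sectors):
    """Cylinders = sectors / 255 / 63, rounded up to the next whole number."""
    return math.ceil(total_sectors / (HEADS * SPT))


def build_descriptor(segments, hw_version="8"):
    """Return VMDK descriptor text for a raw image held in `segments`,
    a list of (filename, size_in_bytes): one entry for a single dd file,
    several for a split image (.001, .002, ...).  Each segment becomes its
    own RW extent; the trailing 0 is the offset within that file.
    The image files themselves are never opened for writing."""
    extents, total = [], 0
    for name, size in segments:
        if size % SECTOR:
            raise ValueError(f"{name}: {size} bytes is not a whole number of sectors")
        sectors = size // SECTOR
        extents.append(f'RW {sectors} FLAT "{name}" 0')
        total += sectors
    # One flat extent is monolithicFlat; several use twoGbMaxExtentFlat
    # (assumption for the split case, which the post says needs extra work).
    create_type = "monolithicFlat" if len(extents) == 1 else "twoGbMaxExtentFlat"
    lines = [
        "# Disk DescriptorFile", "version=1", "CID=fffffffe", "parentCID=ffffffff",
        f'createType="{create_type}"', "",
        "# Extent description", *extents, "",
        "# The Disk Data Base", "#DDB", "",
        f'ddb.virtualHWVersion = "{hw_version}"',   # 8 = VMware 8.x, as in the post
        f'ddb.geometry.cylinders = "{cylinders_for(total)}"',
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SPT}"',
        'ddb.adapterType = "ide"',
    ]
    return "\n".join(lines) + "\n"


def write_descriptor(image_paths, vmdk_path):
    """Size each segment on disk (read-only) and save the .vmdk beside the image."""
    segments = [(os.path.basename(p), os.path.getsize(p)) for p in image_paths]
    text = build_descriptor(segments)
    with open(vmdk_path, "w", newline="\n") as fh:
        fh.write(text)
    return text
```

Feeding build_descriptor a constructed 312,581,808-sector (160 GB) image reproduces the post’s 19458 cylinders, and a segment whose size is not a multiple of 512 is rejected rather than silently truncated.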
