This document summarizes a digital forensics case discussion between two security experts, Anton and George. They describe recovering data from a damaged hard-drive image to help an employee named Anna avoid legal trouble. Techniques discussed include recovering the partition table, recovering system files (the registry hives) to obtain machine details, searching for malware, and analyzing a keylogger log file. Ultimately they were able to obtain the secret key files that were potentially used in a crime, helping resolve Anna's case.
4. Digital forensics
[quote]
Digital forensics (sometimes known as
digital forensic science) is a branch of forensic
science encompassing the recovery and
investigation of material found in digital devices,
often in relation to computer crime.
[/quote]
6. What we are going to talk about
• Data recovery
• Evidence detection
• Group-IB Olympic case discussion
• Some tools discussion
Basically we are just going to run through one more
or less real, interesting case and discuss the
techniques and tools we used…
8. Why we also need data recovery
• Damaged disks
• Damaged images
• Deleted files
• Something encrypted
• Something partially missing
• Something damaged by malware
[…]
Any of these can mean that the evidence of a crime is missing
9. What can be restored
• MBR
• Partition table
• Encrypted volume
• Private PGP keys, certificates, etc.
• Files/audio/video…
Why? Because it is still data with recognisable headers,
structure, etc…
How? TOOLS. Coming up later…
10. Can I haz cheezburger now?
Group-IB image
E01 format (the EnCase evidence file format from Guidance
Software, whose forensics software is expensive but not very fast.)
Image damaged
40 GB of unallocated space
No partition table
One employee who does not want to go to jail.
Can we help Anna?
14. Tasks for helping Anna
• Find all partitions, their filesystems and sizes
• Find system info: OS version, system time, machine name,
last power-off time
• All user accounts
• Autorun programs
• All email addresses
• Where the secret key for the digital signature is stored, and whether
anything indicates that this key was compromised
• Antivirus software, malware detections, RDP connections,
other people involved, their emails, malware on the disk,
and any additional information about the incident on the disk…
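Slide 9 says recovery works because even a damaged image still contains structures with recognisable headers, and the first task on slide 14 is to find all partitions with their filesystem and size. The following Python is an added example, not the speakers' code or Group-IB tooling, and it was not run against the case image: it scans an image sector by sector for the 0x55AA boot signature, parses any MBR partition table it finds, parses any NTFS boot sector (OEM ID "NTFS    ") it finds, and cross-checks the two. The image it scans is constructed inline: its MBR sector has been zeroed, a stale copy of the MBR survives in unallocated space, and the NTFS boot sector at LBA 2048 is intact. The 512-byte sector size, the layout and every value in it are assumptions for the demo.

```python
import struct
from typing import Dict, List, Optional

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xAA"
# Partition type bytes most often met on Windows disks; anything else is shown raw.
PARTITION_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
                   0x0F: "Extended (LBA)", 0x27: "Windows RE", 0x83: "Linux"}


def parse_mbr(sector: bytes) -> List[Dict]:
    """Parse the four 16-byte partition entries at offset 446 of an MBR sector.
    Entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count.
    Returns [] if the sector is not a plausible MBR."""
    if len(sector) < SECTOR or sector[510:512] != BOOT_SIGNATURE:
        return []
    parts = []
    for i in range(4):
        status, _, _, _, ptype, _, _, _, lba_start, sectors = struct.unpack(
            "<BBBBBBBBII", sector[446 + 16 * i:446 + 16 * (i + 1)])
        if status not in (0x00, 0x80):      # boot flag must be 0x00 or 0x80,
            return []                        # otherwise this is not an MBR at all
        if ptype == 0 or sectors == 0:       # empty slot
            continue
        parts.append({"entry": i, "bootable": status == 0x80,
                      "type": PARTITION_TYPES.get(ptype, f"0x{ptype:02X}"),
                      "lba_start": lba_start, "sectors": sectors,
                      "size_mib": sectors * SECTOR // 2**20})
    return parts


def parse_ntfs_vbr(sector: bytes) -> Optional[Dict]:
    """Parse an NTFS volume boot record. Field offsets: OEM ID 3, bytes/sector 0x0B,
    sectors/cluster 0x0D, hidden sectors 0x1C, total sectors 0x28, $MFT cluster 0x30."""
    if len(sector) < SECTOR or sector[3:11] != b"NTFS    " or sector[510:512] != BOOT_SIGNATURE:
        return None
    bytes_per_sector, sectors_per_cluster = struct.unpack("<HB", sector[0x0B:0x0E])
    hidden = struct.unpack("<I", sector[0x1C:0x20])[0]
    total_sectors, mft_cluster = struct.unpack("<QQ", sector[0x28:0x38])
    return {"fs": "NTFS", "bytes_per_sector": bytes_per_sector,
            "cluster_size": bytes_per_sector * sectors_per_cluster,
            "hidden_sectors": hidden, "total_sectors": total_sectors,
            "mft_cluster": mft_cluster}


def carve(image: bytes) -> Dict:
    """Scan every sector for boot signatures; keep the first plausible MBR and every NTFS VBR."""
    found = {"mbr": None, "mbr_lba": None, "volumes": []}
    for lba in range(len(image) // SECTOR):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sec[510:512] != BOOT_SIGNATURE:
            continue
        vbr = parse_ntfs_vbr(sec)
        if vbr:
            vbr["lba"] = lba                 # where the volume actually starts
            found["volumes"].append(vbr)
        elif found["mbr"] is None:
            parts = parse_mbr(sec)
            if parts:
                found["mbr"], found["mbr_lba"] = parts, lba
    return found


def partitions(found: Dict) -> List[Dict]:
    """Answer 'all partitions, their fs, size' from the carved VBRs, marking which ones
    agree with the carved MBR entries (same start) and with their own hidden-sectors field."""
    mbr = found["mbr"] or []
    out = []
    for vbr in found["volumes"]:
        size_sectors = vbr["total_sectors"] + 1   # NTFS stores the size minus the backup boot sector
        out.append({"lba_start": vbr["lba"], "fs": vbr["fs"],
                    "size_mib": size_sectors * vbr["bytes_per_sector"] // 2**20,
                    "hidden_matches": vbr["hidden_sectors"] == vbr["lba"],
                    "in_mbr": any(p["lba_start"] == vbr["lba"] for p in mbr)})
    return out


def build_sample_image() -> bytes:
    """Constructed 3 MiB image (not the case image): MBR sector zeroed, a stale MBR copy
    left at LBA 100 in unallocated space, one NTFS volume of 2048 sectors at LBA 2048."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<BBBBBBBBII", mbr, 446, 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 2048)
    mbr[510:512] = BOOT_SIGNATURE
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"                         # jump instruction
    vbr[3:11] = b"NTFS    "
    struct.pack_into("<HB", vbr, 0x0B, 512, 8)         # 512 bytes/sector, 8 sectors/cluster
    struct.pack_into("<I", vbr, 0x1C, 2048)            # hidden sectors = partition start
    struct.pack_into("<QQQ", vbr, 0x28, 2047, 4, 1023)  # total sectors, $MFT, $MFTMirr clusters
    vbr[510:512] = BOOT_SIGNATURE
    image = bytearray(6144 * SECTOR)
    image[100 * SECTOR:101 * SECTOR] = mbr
    image[2048 * SECTOR:2049 * SECTOR] = vbr
    return bytes(image)


if __name__ == "__main__":
    found = carve(build_sample_image())
    print("MBR copy at LBA", found["mbr_lba"], found["mbr"])
    for p in partitions(found):
        print(p)
```

On a real E01 you would read the decompressed image through a library or a mounted device instead of a bytes blob, and you would expect false positives: any sector ending in 55AA is tested, so the MBR sanity checks (boot flags, non-empty entries, known types) and the agreement between the VBR position, its hidden-sectors field and the MBR entry are what turn a hit into a partition you trust.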
16. Gathering system info
• Recovering the registry hives from
Windows\System32\config
– SYSTEM, SOFTWARE, SECURITY, SAM
• Recovering NTUSER.DAT from
Users\[username]
• Downloading MiTec Windows Registry
Recovery (www.mitec.cz/wrr.html)
• Obtaining the system info from the hives: OS version, install date,
machine name, last shutdown time, user accounts, autoruns
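Slide 16 recovers the SYSTEM, SOFTWARE, SECURITY and SAM hives plus NTUSER.DAT and reads them with MiTec Windows Registry Recovery. Whatever tool parses the hives, the values it hands back are raw registry data, and the timestamps are where cases go wrong. The following Python is an added example, not the speakers' code and not MiTec's, decoding the value types behind the system-info task: ProductName, ProductId and ComputerName (REG_SZ, UTF-16LE), InstallDate (REG_DWORD, Unix epoch seconds, UTC), ShutdownTime (8-byte FILETIME, 100 ns ticks since 1601, UTC) and ActiveTimeBias (REG_DWORD minutes, defined so that UTC = local + bias), which is what you need to turn the UTC values into the wall-clock time the user and a keylogger log would have seen. The value bytes are constructed for the demo and are not the case's values; the sample InstallDate is chosen to decode to the install date shown on slide 21 so the two can be compared, and whether the slide shows UTC or local time is not stated there. The key paths in the comments are the standard Windows 7 locations; ControlSet001 is assumed to be the live control set.

```python
import struct
from datetime import datetime, timedelta, timezone

# Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
EPOCH_DIFF_SECONDS = 11644473600


def reg_sz(raw: bytes) -> str:
    """REG_SZ is UTF-16LE with a trailing NUL; return the text before the first NUL."""
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def reg_dword(raw: bytes, signed: bool = False) -> int:
    """REG_DWORD is a little-endian 32-bit integer; ActiveTimeBias must be read signed."""
    return struct.unpack("<i" if signed else "<I", raw[:4])[0]


def unix_to_utc(seconds: int) -> datetime:
    """InstallDate: seconds since 1970-01-01 00:00:00 UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def filetime_to_utc(raw: bytes) -> datetime:
    """FILETIME (ShutdownTime, key last-write times): 64-bit LE count of
    100 ns ticks since 1601-01-01 UTC."""
    ticks = struct.unpack("<Q", raw[:8])[0]
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def utc_to_local(utc: datetime, active_time_bias_minutes: int) -> datetime:
    """ActiveTimeBias is defined so that UTC = local + bias, hence local = UTC - bias.
    A machine on UTC+4 stores -240."""
    return utc.astimezone(timezone(timedelta(minutes=-active_time_bias_minutes)))


def system_info(values: dict) -> dict:
    """Turn raw hive values into the facts the task list asks for, in UTC and local time."""
    bias = reg_dword(values["ActiveTimeBias"], signed=True)
    installed = unix_to_utc(reg_dword(values["InstallDate"]))
    shutdown = filetime_to_utc(values["ShutdownTime"])
    return {
        "product": reg_sz(values["ProductName"]),
        "product_id": reg_sz(values["ProductId"]),
        "computer_name": reg_sz(values["ComputerName"]),
        "active_time_bias_min": bias,
        "install_date_utc": installed,
        "install_date_local": utc_to_local(installed, bias),
        "last_shutdown_utc": shutdown,
        "last_shutdown_local": utc_to_local(shutdown, bias),
    }


def sz(text: str) -> bytes:
    """Encode a string the way it sits in a hive (UTF-16LE plus NUL terminator)."""
    return text.encode("utf-16-le") + b"\x00\x00"


# Constructed sample values for the demo. These are NOT Anna's hive values; they only
# use the on-disk encodings. Resolve the live control set from SYSTEM\Select\Current
# on a real hive; ControlSet001 is assumed here.
SAMPLE_VALUES = {
    # SOFTWARE\Microsoft\Windows NT\CurrentVersion
    "ProductName": sz("Windows 7 Ultimate"),
    "ProductId": sz("00000-OEM-0000000-00000"),                 # placeholder, not the case's ID
    "InstallDate": struct.pack("<I", 1365786555),               # 2013-04-12 17:09:15 UTC
    # SYSTEM\ControlSet001\Control\Windows
    "ShutdownTime": struct.pack("<Q", 130183506000000000),     # 2013-07-15 08:30:00 UTC
    # SYSTEM\ControlSet001\Control\ComputerName\ComputerName
    "ComputerName": sz("WORKSTATION01"),
    # SYSTEM\ControlSet001\Control\TimeZoneInformation
    "ActiveTimeBias": struct.pack("<i", -240),                  # UTC+4
}

if __name__ == "__main__":
    for key, value in system_info(SAMPLE_VALUES).items():
        print(f"{key:22} {value}")
```

The same FILETIME decoder applies to the last-write time of every key, so it also gives you when a Run key or a user account was last touched; the bias lets you line those UTC values up with timestamps that were written in local time on the box.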
17. Searching for malware
• autoruns
• %temp%
• %windir% or %systemdir%
• Java cache
• Downloads :)
and so on
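Slide 17 lists where to look first. The following Python is an added example, not the speakers' script: it walks those locations in a mounted or extracted Windows 7 image, identifies executables by their MZ header rather than by extension, hashes them for a later AV or reputation lookup, and flags document-looking names that end in an executable extension. The directory tree it runs against is constructed inline and is not Anna's disk; the profile name, file names and per-user paths are assumptions. Caveat built into the code: modification times from stat() are the original NTFS times only if the image is mounted read-only; on files copied out of the image they are the copy time, and the $MFT timestamps must come from the forensic tool instead.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Union

# Triage locations relative to the image root (Windows 7 layout, assumed); per-user
# ones are checked under every profile in Users\. rglob over the whole Windows tree is
# slow on a real image; narrow it to the directories you care about when it hurts.
SYSTEM_LOCATIONS = ["Windows", "Windows/System32"]
PER_USER_LOCATIONS = ["AppData/Local/Temp",                            # %temp%
                      "AppData/LocalLow/Sun/Java/Deployment/cache",    # Java cache
                      "Downloads"]
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl"}
DOCUMENT_SUFFIXES = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".ppt", ".jpg", ".txt"}
DOCUMENT_WORDS = {s[1:] for s in DOCUMENT_SUFFIXES}      # "xls", "doc", ...


def is_pe(path: Path) -> bool:
    """Executable by content, not by name: a PE/DOS image starts with 'MZ'."""
    try:
        with path.open("rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def disguised_name(path: Union[str, Path]) -> bool:
    """'xls.exe' or 'invoice.xls.exe': a document-looking name with an executable suffix."""
    path = Path(path)
    stem = path.stem.lower()
    return (path.suffix.lower() in EXECUTABLE_SUFFIXES
            and (stem in DOCUMENT_WORDS or any(stem.endswith(d) for d in DOCUMENT_SUFFIXES)))


def candidate_dirs(root: Path):
    for rel in SYSTEM_LOCATIONS:
        yield root / rel
    users = root / "Users"
    if users.is_dir():
        for profile in users.iterdir():
            for rel in PER_USER_LOCATIONS:
                yield profile / rel


def triage(root: Path) -> List[Dict]:
    """Return every PE file under the triage locations with hash, mtime and name verdict."""
    findings, seen = [], set()
    for d in candidate_dirs(root):
        if not d.is_dir():
            continue
        for p in d.rglob("*"):
            if p in seen or not p.is_file() or not is_pe(p):
                continue
            seen.add(p)
            findings.append({
                "path": p.relative_to(root).as_posix(),
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                # Only the NTFS time if the image is mounted read-only; on copied-out
                # files this is the copy time, so take timestamps from the $MFT instead.
                "mtime_utc": datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc),
                "disguised": disguised_name(p),
            })
    return findings


def build_sample_tree() -> Path:
    """Constructed demo tree (not the case image): a fake PE named like a spreadsheet
    in a user's Temp, a real-looking system binary, and a genuine spreadsheet in
    Downloads that must not be reported."""
    root = Path(tempfile.mkdtemp(prefix="image_"))
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 64
    files = {
        "Users/anna/AppData/Local/Temp/xls.exe": fake_pe,
        "Users/anna/Downloads/report.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
        "Windows/System32/svchost.exe": fake_pe,
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    for f in triage(build_sample_tree()):
        flag = "  <-- disguised name" if f["disguised"] else ""
        print(f'{f["sha256"][:16]}  {f["mtime_utc"]:%Y-%m-%d %H:%M:%S}  {f["path"]}{flag}')
```

Autoruns are not on the filesystem walk because they live in the registry (Run keys, services) and need the hive parsing from the previous slide; the hashes this produces are what you check against the AV vendor's database before spending time in a disassembler.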
18. Malware Analysis
• fast way - monitors:
- Procmon
- Wireshark
- Total Uninstall
• my way:
- Hiew + IDA
19. Anna's case. Found malware:
• Mipko keylogger (already in AV signature databases)
• A file quarantined by KIS (Kaspersky Internet Security)
• xls.exe (drops an XLS file, an RDP tool and an installer)
That is enough to do bad stuff.
21. So now we have
Windows 7 Ultimate
Product ID: 00426-OEM-8992662-00400
Key: 342DG-6YJR8-X92GV-V7DCV-P4K27
Version: Multiprocessor Free 6.1.7601.win7sp1_gdr.120330-1504
Install date: 12.04.2013 17:09:15
With users: