FORENSIC TOOL TESTING SESSION at KSU
The truth is out there
So make sure your software can find it.
Date: Saturday Oct 21, 2023
Time: 08:00 - 12:30
Location: KSU "annex" behind the Cracker Barrel restaurant off IH75 and Chastain Rd., Atlanta
Room: 462
NOTE NOTE NOTE
Please see below the links to the executable files you should download and have on your computer/thumb drive for the session.
The tests you will perform are easier to run if the files from the links below are extracted to an NTFS thumb drive of 8 GB or
larger. You can extract the test data to your hard drive, but it will be easier for you if you work off a thumb drive.
Kennesaw University has allowed me to present another 4-hour session, which involves a lecture and a practical hands-on session
on testing some of the more common forensic tools you may use for file cataloging/listing, hashing, copying, and
zip/unzip of your digital forensic evidence.
The official signup page is usually found
here. If it is not current or
active, keep checking, or contact me (dm@dmares.com) directly for more information.
WHY THE CLASS
Over the years I have seen responses on listservs to questions like: I need to perform a hash of a system, which program is
best? So about three years ago, knowing that the persons giving responses never really tested the software they were
recommending, I decided to put some of the more commonly recommended software to what I would call simple forensic tests and write
some articles reporting what I found. The results of my testing of
the various software led me to develop this class, which covers what I hope is a sample of some actual day-to-day processes.
This class will go over the following subjects and processes, and attendees will have a chance to develop tests for, and run, the
software they might be using on a regular basis against my test data and evidentiary requirements.
SIMPLE TOP LEVEL SCENARIO FOR THE TESTING
1. You are investigating the actions of a single person. This suspect may have done at least two things which necessitate your
analysis. (one civil, one criminal)
2. The data is located in the single tree/directory of the suspect which is located on a much larger corporate server, shared by
many, and only this one person is the suspect.
3. The company, or the search warrant, only allows you to examine that single tree belonging to the suspect. Because of other privacy and
corporate rules, you are not allowed to do a bit-image of the entire server. The best you can do is "image" copy, mirror, (call
it what you will) only that tree of the suspect. You only have access to that single tree.
4. The company will NOT let you place any software on their server, meaning you have to work from your externally connected
drive, or thumb drive which contains your software.
5. Once you identify the appropriate tree/directory, you can copy that data to your work drive which you will then bring back to
the office for final examination and evidence identification. However, your "copy" process cannot alter any of the source
evidence in case another investigator comes after you to perform similar analysis. This next investigator MUST see what you see.
6. The corporate administrator has advised that all computers use NTFS file systems and that all of them have last-access
update turned on.
WHAT YOU MUST ACCOMPLISH WITH YOUR SOFTWARE AND ANALYSIS
For the entire procedure and testing scenario, your processes and software must accomplish the following in a forensically
defensible manner.
Test requirement 1: (CATALOG):
Create an inventory or catalog of all the files in the suspect tree.
For other types of investigations, isn't one of the first things you do to create a catalog or inventory of all the items found
or seized? So let's create a complete inventory of all the files within the tree. These tests will determine if your software can
provide a usable catalog of ALL the files within the suspect tree.
(the CATALOG and Warehouse12 evidence trees are provided for this test)
_WAREHOUSE12.EXE
Sample small case (and exam) in WAREHOUSE12 directory to work on to see if you are up to the challenge. Call for password.
_CATALOG_EVIDENCE.exe
340K bytes,
Sample evidence and file/directory of evidence for the cataloging software to test. (includes online test) Call for password.
Test requirement 2: (HASH):
This software test will be to see if your software can find and hash all the files within the tree. This hash calculation not
only creates an auxiliary inventory of files, but also provides a security checkpoint of the status of each file within the
tree. (HASHING evidence files) (The main evidence is the SOURCEx trees from the _DEMO_FILES.exe)
_DEMO_FILES.exe
12K downloadable "Evidence" files for the hash, copy and zip testing. Call for password.
Test requirement 3: (Forensic Copy):
Copy the files from the suspect tree to your transport device, (no not an electric vehicle, your batteries are
drained) which is some sort of external storage so you can take the seized files back to your office for analysis. Again, your
process can in no way alter the original server source files, so that the next investigator sees what you see.
Test requirement 4: (reHASH at the lab):
Once back at the office, do a hash match to make sure that you not only restored all the files but also did not alter any part of the
evidence (which includes folders, MAC dates, etc.). (HASH compare the stored evidence)
Test requirement 5: (ZIP/UNZIP for retention) Once the analysis is over and complete, store the final data, including reports, for long-term
storage and delivery to the reviewer. This might necessitate the use of a reliable and long-lived zipping program, which is
nothing but a fancy copy/restore process.
(ZIP, UNZIP the evidence)
Maybe I'm wrong, which won't be the first time, but I think these steps are basic steps that can and should be accomplished and
available for most investigations. So here we go (again).
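To make the catalog, hash, copy and rehash requirements above concrete, here is an added Python example; it is not part of the session materials or of any tool tested there. It catalogs a tree (relative path, size, MAC times, SHA-256), compares two catalogs the way the lab rehash does, and runs the full cycle on a constructed sample tree (the SOURCE1/TRANSPORT names and file contents are made up for the demo).

```python
import hashlib, os, shutil, tempfile
from pathlib import Path

def catalog_tree(root, hash_files=True):
    """Requirements 1 and 2: inventory every regular file under root with its
    size, MAC times and (optionally) a SHA-256. With hash_files=False no file is
    ever opened, so the pass cannot bump last-access times on the source."""
    root, entries = Path(root), {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic catalog order
        for name in sorted(filenames):
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue                     # links/devices are out of scope here
            st = path.stat()                 # record times before any read
            rec = {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
                   "atime_ns": st.st_atime_ns, "ctime_ns": st.st_ctime_ns}
            if hash_files:
                h = hashlib.sha256()
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        h.update(chunk)
                rec["sha256"] = h.hexdigest()
            entries[path.relative_to(root).as_posix()] = rec
    return entries

def compare_catalogs(before, after, fields=("sha256", "mtime_ns")):
    """Requirement 4: files missing from, added to, or changed (in any of the
    given fields) between two catalogs of what should be the same tree."""
    report = {"missing": sorted(set(before) - set(after)),
              "extra": sorted(set(after) - set(before)), "changed": []}
    for rel in sorted(set(before) & set(after)):
        if any(before[rel][f] != after[rel][f] for f in fields):
            report["changed"].append(rel)
    return report

def run_demo():
    """Constructed sample tree, copied with copy2 (keeps mtime), then one
    copied file is tampered with. Returns the clean and tampered reports."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "SOURCE1"), Path(tmp, "TRANSPORT")
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "memo.txt").write_bytes(b"quarterly numbers\n")
        (src / "notes.txt").write_bytes(b"call the broker\n")
        source_cat = catalog_tree(src)       # catalog + hash at the scene
        shutil.copytree(src, dst, copy_function=shutil.copy2)
        clean = compare_catalogs(source_cat, catalog_tree(dst))
        (dst / "notes.txt").write_bytes(b"call the broker!\n")
        tampered = compare_catalogs(source_cat, catalog_tree(dst))
        return clean, tampered
```

A stat-only snapshot of the source (hash_files=False) taken before and after the copy, compared with fields=("size", "mtime_ns", "atime_ns", "ctime_ns"), is the check that the copy process left the originals untouched; note that hashing itself reads every file, which is exactly what bumps last-access times on a volume that updates them.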
SESSION PROCESSES
1. During the first hour of the session, we will discuss how you might decide on and develop a testing scenario and
data that will stress your software. Test data and scenario will obviously be different for each type of process and
program operation. But I feel the basic forensic operations described here are applicable to almost any forensic investigation.
For this session, you will be supplied the suspect/evidence in encrypted exe files to test your software against.
2. The provided exe files (described above) contain the evidence on which you will test the software and see how it
performs.
3. Participants will discuss possible testing processes for the software to perform: cataloging/listing, hashing,
copying and zipping evidence. We will discuss the forensic reliability of the software tested and how you would defend its action or inaction.
Your knowledge of how your forensic software performs and processes the evidence will help you in testifying as to the integrity
of the data you have processed.
4. You will be given a number of test requirements for the software processes (catalog, hash, copy, zip), and you will determine whether your
software passes or fails each test.
5. Below are links to sample software you may wish to download and have available to also test.
NOTE
You are encouraged to bring your cataloging, hashing, copying, zipping software to test against the provided evidence. If you do
not bring your software, samples of other software will be provided for you to test.
If you wish, download the sample software from these three links. They contain software you may wish to also test along with your
own software.
_SOFTWARE_CATALOG.exe
Programs to test the file catalog/listing process.
_SOFTWARE_HASH.exe
Programs to test in the hash tool tests.
_SOFTWARE_COPY.exe
Programs to test in the copy tool tests.
A large part of the session will involve significant hands-on work for you to set up and test various software, both yours and that provided, to see
if it passes the evidentiary and evidence preservation tests.
If you think about it (I know that's hard to do), regardless of what type of investigation you are performing and what type
of digital evidence is involved, the ultimate integrity of the evidence, and the ability to show, maintain and prove that integrity, is
important. And I think (there I go again, thinking) that the items or processes described here could be an important part of
almost any evidentiary preservation, integrity and evidentiary defense issue. So no matter what your investigation, the ability
to properly and completely catalog the files within the evidence tree,
the validation (hashing) of the evidence files, the forensic copy of the evidence for analysis, and the saving (zip/retention) of the digital evidence
are of concern. So get to it.
HAVE FUN. Feedback would be appreciated. dm at dmares dot com
Hope to see you on Oct 21 at the session.
A very wise person once said: Th-Th-That's all, folks.
THE END