FORENSIC TOOL TESTING SESSION at KSU

The truth is out there
So make sure your software can find it.


     Date: Saturday Oct 21, 2023
     Time: 08:00 - 12:30
     Location: KSU "annex" behind the Cracker Barrel restaurant off IH75 and Chastain Rd., Atlanta
     Room: 462

NOTE NOTE NOTE
Please see below the links to the executable files you should download and have on your computer/thumb drive for the session. The tests you will perform are better executed if the files on the links below are extracted to an NTFS thumb drive of 8 GB or larger. You can extract the test data to your hard drive, but it will be easier for you if you work off a thumb drive.

Kennesaw University has allowed me to present another 4-hour session consisting of a lecture and a practical hands-on session on testing some of the more common forensic tools you may use for file cataloging/listing, hashing, copying, and zip/unzip of your digital forensic evidence.

The official signup page is usually found here. If it is not current or active, keep checking, or contact me (dm@dmares.com) directly for more information.


WHY THE CLASS

Over the years I have seen responses on listservs to questions like: "I need to perform a hash of a system, which program is best?" So about three years ago, knowing that the persons giving responses never really tested the software they were recommending, I decided to put some of the more commonly recommended software to what I would call simple forensic tests and write some articles reporting what I found. The results of my testing of the various software led me to develop this class, which covers what I hope is a sample of some actual day-to-day processes.

This class will go over the following subjects and processes, and attendees will have a chance to develop tests for, and run, the software they might be using on a regular basis against my test data and evidentiary requirements.


SIMPLE TOP LEVEL SCENARIO FOR THE TESTING

1. You are investigating the actions of a single person. This suspect may have done at least two things which necessitate your analysis. (one civil, one criminal)

2. The data is located in the suspect's single tree/directory on a much larger corporate server shared by many; only this one person is the suspect.

3. The company, or the search warrant, only allows you to examine that single tree belonging to the suspect. Because of other privacy and corporate rules, you are not allowed to take a bit-image of the entire server. The best you can do is "image" copy, mirror (call it what you will) only that tree of the suspect. You only have access to that single tree.

4. The company will NOT let you place any software on their server, meaning you have to work from your externally connected drive, or thumb drive which contains your software.

5. Once you identify the appropriate tree/directory, you can copy that data to your work drive which you will then bring back to the office for final examination and evidence identification. However, your "copy" process cannot alter any of the source evidence in case another investigator comes after you to perform similar analysis. This next investigator MUST see what you see.

6. The corporate administrator has advised that all computers use NTFS file systems and that all of them have last-access update turned on.


WHAT YOU MUST ACCOMPLISH WITH YOUR SOFTWARE AND ANALYSIS

For the entire procedure and testing scenario, your processes and software must accomplish the following in a forensically defensible manner.

Test requirement 1: (CATALOG): Create an inventory or catalog of all the files in the suspect tree. For other types of investigations, isn't one of the first things you do to create a catalog or inventory of all the items found or seized? So let's create a complete inventory of all the files within the tree. These tests will determine if your software can provide a usable catalog of ALL the files within the suspect tree.
   (the CATALOG and Warehouse12 evidence trees are provided for this test)
   _WAREHOUSE12.EXE             Sample small case (and exam) in WAREHOUSE12 directory to work on to see if you are up to the challenge. Call for password.
   _CATALOG_EVIDENCE.exe    340K bytes,     Sample evidence and file/directory of evidence for the cataloging software to test. (includes online test) Call for password.

Test requirement 2: (HASH): This software test will see if your software can find and hash all the files within the tree. This hash calculation not only creates an auxiliary inventory of files, but also provides a security checkpoint of the status of each file within the tree. (HASHING evidence files) (The main evidence is the SOURCEx trees from _DEMO_FILES.exe.)
   _DEMO_FILES.exe              12K downloadable "Evidence" files for the hash, copy and zip testing. Call for password.

Test requirement 3: (Forensic Copy): Copy the files from the suspect tree to your transport device (no, not an electric vehicle, your batteries are drained), which is some sort of external storage so you can take the seized files back to your office for analysis. Again, your process can in no way alter the original server source files, so that the next investigator sees what you see.

Test requirement 4: (reHASH at the lab): Once back at the office, do a hash match to make sure you not only restored all the files, but also did not alter any part of the evidence (which includes folders, MAC dates, etc.). (HASH compare the stored evidence)

Test requirement 5: (ZIP/UNZIP for retention): Once the analysis is over and complete, store the final data, including reports, for long-term storage and delivery to the reviewer. This might necessitate the use of a reliable and long-lived zipping program, which is nothing but a fancy copy/restore process. (ZIP, UNZIP the evidence)
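As an added worked example (it is not part of the session materials and is not any of the software listed on this page), the following Python script runs test requirements 1 through 4 end to end on a constructed stand-in evidence tree: it catalogs every file and directory with size and MAC times via lstat, hashes every regular file (zero-length ones included), copies the tree with timestamps carried over, re-hashes the copy against the source, and then alters one byte of the copy to show the rehash catching it. It also re-catalogs the source after the hash and copy steps to report whether merely reading the files changed their last-access times, which is the alteration the scenario warns about on a server with last-access update turned on. The tree, file names and contents are constructed for the example; the session's SOURCEx trees are not used, and test requirement 5 (zip/unzip) is not covered.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def _rel(p, root):
    """Relative path with forward slashes so catalogs compare across platforms."""
    return str(Path(p).relative_to(root)).replace(os.sep, "/")


def catalog_tree(root):
    """Test 1 (CATALOG): every file AND directory under root with size and
    MAC times, read via lstat, which does not itself update last-access."""
    root = Path(root)
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            st = p.lstat()
            entries[_rel(p, root)] = {
                "kind": "dir" if p.is_dir() and not p.is_symlink() else "file",
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "atime_ns": st.st_atime_ns,
                "ctime_ns": st.st_ctime_ns,
            }
    return entries


def hash_tree(root, algo="sha256"):
    """Test 2 (HASH): digest of every regular file, zero-length files included."""
    root = Path(root)
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # listed in the catalog, but never followed
            h = hashlib.new(algo)
            with open(p, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[_rel(p, root)] = h.hexdigest()
    return digests


def forensic_copy(src, dst):
    """Test 3 (COPY): copy2 carries mtime/atime and mode to the copy and only
    reads the source. ctime cannot be set by a user-mode copier at all."""
    shutil.copytree(src, dst, symlinks=True, copy_function=shutil.copy2)


def compare_digests(before, after):
    """Test 4 (reHASH): what was not restored, what appeared, what changed."""
    return {
        "missing": sorted(set(before) - set(after)),
        "extra": sorted(set(after) - set(before)),
        "changed": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def compare_catalogs(before, after, fields):
    """Paths present in both catalogs whose chosen metadata fields differ."""
    return sorted(p for p in before
                  if p in after and any(before[p][f] != after[p][f] for f in fields))


def build_evidence(root):
    """Constructed stand-in for the suspect tree (not the session's data):
    a nested file, a zero-length file, an empty directory and a dot-file."""
    root = Path(root)
    (root / "projects" / "bid").mkdir(parents=True)
    (root / "projects" / "bid" / "numbers.xls").write_bytes(b"\x00" * 4096 + b"Q3 bids")
    (root / "projects" / "empty.txt").write_bytes(b"")
    (root / "projects" / "unused").mkdir()
    (root / ".hidden_notes").write_text("meeting at 9\n")


def run_scenario():
    """catalog -> hash -> copy -> rehash, then alter one copied byte."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "server_tree", Path(tmp) / "transport"
        build_evidence(src)
        cat_before = catalog_tree(src)  # taken before anything is read
        h_src = hash_tree(src)
        forensic_copy(src, dst)
        cat_after = catalog_tree(src)   # did our reads touch the source?
        verify = compare_digests(h_src, hash_tree(dst))
        mtime_diffs = compare_catalogs(cat_before, catalog_tree(dst), ("mtime_ns",))
        victim = dst / "projects" / "bid" / "numbers.xls"
        victim.write_bytes(victim.read_bytes()[:-1] + b"?")
        return {
            "catalog_entries": len(cat_before),
            "hashed_files": len(h_src),
            "copy_verified": verify == {"missing": [], "extra": [], "changed": []},
            "dest_mtime_preserved": mtime_diffs == [],
            "source_atime_touched": compare_catalogs(cat_before, cat_after, ("atime_ns",)),
            "tamper_detected": compare_digests(h_src, hash_tree(dst))["changed"],
        }

if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Run it as a script to print the report. On a Linux host mounted with the default relatime, the source_atime_touched list will usually be non-empty: reading the files for hashing and copying updated their last-access times, which is exactly why the catalog is taken before any read and why a write-blocked or read-only mount belongs in the procedure. Note also that catalog_entries (6) is larger than hashed_files (3) because directories, including the empty one, are inventoried but have no content to hash; a tool that reports only three items for this tree has skipped something.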

Maybe I'm wrong, which won't be the first time, but I think these steps are basic steps that can and should be accomplished and available for most investigations. So here we go (again).


SESSION PROCESSES

1. During the first hour of the session, we will discuss how you might decide on and develop a testing scenario and test data that will stress your software. Test data and scenario will obviously be different for each type of process and program operation, but I feel the basic forensic operations described here are applicable to almost any forensic investigation. For this session, you will be supplied the suspect/evidence data in encrypted exe files to test your software against.

2. The provided exe files (described above) contain the evidence on which you will test the software and see how it performs.

3. Participants will discuss possible testing processes for the software to perform: cataloging/listing, hashing, copying and zipping evidence. We will discuss the forensic reliability of the software tested and how you would defend its action or inaction. Your knowledge of how your forensic software performs and processes the evidence will help you in testifying as to the integrity of the data you have processed.

4. You will be given a number of test requirements for the software processes (catalog, hash, copy, zip) and will determine whether your software passes or fails each test.

5. Below are links to sample software you may wish to download and have available to test as well.
NOTE: You are encouraged to bring your own cataloging, hashing, copying and zipping software to test against the provided evidence. If you do not bring your software, samples of other software will be provided for you to test.

If you wish, download the sample software from these three links. They contain software you may wish to also test along with your own software.

   _SOFTWARE_CATALOG.exe     Programs to test the file catalog/listing process.
   _SOFTWARE_HASH.exe     Programs to test in the hash tool tests
   _SOFTWARE_COPY.exe     Programs to test in the copy tool tests.


A large part of the session will involve significant hands-on work for you to set up and test various software, both yours and that provided, to see if it passes the evidentiary and evidence preservation tests.

If you think about it (I know that's hard to do), regardless of what type of investigation you are performing, and what type of digital evidence is involved, the ultimate evidence integrity, and the ability to show, maintain and prove its integrity, is important. And I think (there I go again, thinking) that the items or processes described here could be an important part of almost any evidentiary preservation, integrity and evidentiary defense issue. So no matter what your investigation, the ability to properly and completely catalog the files within the evidence tree, the validation (hashing) of the evidence files, the forensic copy of the evidence for analysis, and the saving (zip/retention) of the digital evidence is of concern. So get to it.

HAVE FUN. Feedback would be appreciated. dm at dmares dot com

Hope to see you on Oct 21 at the session.

A very wise person once said: Th-Th-That's all folks.

THE END