Mounting EWF’s on windows with freely available tools

December 18th, 2009

Harlan recently posted a small reference to mounting EWF’s on windows machines using freely available utilities. David Loveall has produced a script called proxy_ewf.py which will do the heavy lifting of mounting EWF’s via imdisk.

It is not straightforward to get working so I have copied the instructions originally provided by David Loveall and further expanded on them below.

1. Extract the Windows mount_ewf files into a directory.  I used the current mount_ewf_windows-20091123.zip file found in the downloads area of libewf. Download from the same place the proxy_ewf.py file and place it in the same directory (I used c:\opt\proxy_ewf\).

2. Download and install the Visual Studio runtime files, if you don’t already have them. Don’t bother as they are now included in the mount_ewf windows distribution.

3. Download and install ImDisk. Be careful about driver loading if you are on Vista and above.

4: Install python for windows. I used python 2.5 (x86) but 2.6 should work as well.

5. If you are on an x64 system, move imdisk.exe from the c:\Windows\system32 directory into the same directory as the mount_ewf and proxy_ewf.py files. The proxy_ewf script wont be able to run imdisk.exe due to the WOW64 file virtualisation features otherwise.

6. Run proxy_ewf:

c:\python25\python c:\opt\proxy_ewf\proxy_ewf-20091123.py c:\evidence\foo.e01

If you get a "Version number mismatch" error, it is likely that the _ctypes.pyd file in the mount_ewf distribution is incompatible with the one in your just installed python distribution. I deleted the one in the mount_ewf directory and things worked fine.

At this point, you should see a new drive letter (or letters) appear in windows explorer.

Posted in Uncategorized | No Comments »

Boardroom radio interview on the fallibility of digital evidence posted

October 29th, 2009

Last week I had the pleasure of being interviewed alongside Lionel Rattenbury and Julia Jasper, both defence lawyers and members of the Australian Defence Lawyers Alliance (ADLA).

The subject of the interview is fallibility of digital evidence.

Posted in Uncategorized | No Comments »

The e-discovery problem by Jason R. Baron

October 27th, 2009

This video contains Jason R. Baron, the Director of Litigation of the National Archives and Records Administration (USA) discussing the general problem of electronic discovery, and in particular, the problems of information retrieval in the context of search over billions of documents.

If you are in any way involved in searching for information in a legal context, it is fascinating stuff. 

[via Ralph Losey's e-Discovery Team blog]

Posted in Uncategorized | No Comments »

Follow up paper on the AFF4 evidence container to be presented at 6th IFIP WG 11.9 International Conference on Digital Forensics

October 26th, 2009

I posted earlier about a new forensic container format being created by myself, Michael Cohen, and Simson Garfinkel. A paper describing the work was presented at DFRWS 2009 by Michael.

Michael and I have recently extended and refined the container format to support describing the provenance of information and data, and more accurate description of evidence characteristics. A paper describing this work, titled “Refining the AFF4 evidence container for provenance and accurate data representation”, has been accepted for presentation at the 6th Annual IFIP WG 11.9 conference on Digital Forensics.

The abstract follows:

It is well acknowledged that there is a pressing need for a general solution to the problem of storage of digital evidence, both in terms of copied bit-stream images and general information which describes the images  and  surrounding  context  of  the  case.  In  a  prior  paper,  the  authors  introduced  the  AFF4 evidence container format, focusing in particular on the description of the efficient and layered bitstream storage  architecture,  a  general  approach  to  representing  arbitrary  information,  and  a  compositional approach  to  managing  and  sharing  evidence.  In  this  paper  we  describe  our  work  refining  the representation  schemes  embodied  in  the  new  format,  addressing  the  accurate  representation  of discontiguous data and description of the provenance of both data and information. 

Posted in Uncategorized | No Comments »

Guidance for visualisation of volatile memory

August 13th, 2009

The following video shows an experimental interactive memory debugger and visualiser called ICU64, running against the  Frodo C64 emulator

The video below shows an interactive exploration of the memory space of the emulated C64 while it runs the game “Cataball”, pointing out correspondences between the raw memory and the on-screen action.

Hex editor authors and forensic tool manufacturers should take note of the zoomable memory map.

[via Root Labs Rdist]

Posted in Uncategorized | 1 Comment »

OzCar email faked by producer

August 4th, 2009

In late June I wrote about the forged email that had been at the heart of a political scandal. Mr Godwin Grech at the time claimed he had received an email from the office of the Prime Minister of Australia pushing for preferential treatment of a friend of the PM. The Australian Federal Police raided Mr. Grech’s home and found the email in question, deleted, on his home computer. They pronounced it a fake.

Today, The Australian is reporting that Mr. Grech last night admitted to having faked the email.  Mr. Grech claims that he recollected receiving an original email similar to the one in question. Unable to find the original, he concocted the fake one in order to substantiate verbal claims he had made about the matter.

Posted in Uncategorized | No Comments »

Presentation: Digital Evidence and the Information Security Manager

July 23rd, 2009

I had the pleasure of addressing a seminar related to forensic readiness yesterday to a co-located meeting of three Brisbane professional groups:

Thanks to the attendees for their high degree of participation – it always makes for a lively and engaging time when the audience share their experiences and questions.

Digital evidence and the information security managerUpdate: Typo fixed in slideshare link

View more presentations from blschatz.

Posted in Computer Forensics | No Comments »

Visual Hardware Connector Identification Guide

July 20th, 2009

An excellent visual summary of computer hardware connectors. The original is sonic840’s Computer Hardware Poster.

[via Hack a Day]

Posted in Uncategorized | No Comments »

Fraudulent email: lessons learned from the OzCar scandal

June 29th, 2009

By now, all but the most naïve of us are immune to the promises of Nigerian riches and the disquieting urges to action from banks which find their way into our email inboxes. Fraudulent emails barely rate any action or consideration beyond that needed to delete them from our inbox. Why is it then that the leader of the Australian opposition, and one of Australia’s most senior lawyers besides, has been tripped up by a fake email?

Background

Australian media reporting has been dominated over the last week by the OzCar scandal. The scandal centres around claims that the Prime Minister (Kevin Rudd) has given preferential treatment to a friend and political donor, car dealer John Grant. Mr. Grant had previously given the Prime Minister a car for use in his campaign and contributed financially to his legal and political endeavours.

An apparent smoking gun in the form of an email was referred to in the senate testimony of Treasury official, Godwin Grech. Mr Grech recalled an email from the PM’s office in relation Mr. Grant and the OzCar financial bailout scheme, which Mr. Grech administered. The email was supposed to have been written by the PM’s economic adviser, Dr Andrew Charlton. The opposition leader seized on the email, calling for the PM to resign.

The PM responded by bringing in the Australian Federal Police (AFP) to investigate the email. On the Monday following Mr. Grech’s testimony, they executed a search warrant on Mr. Grech’s home, and very quickly released their preliminary investigation results. They had found the email in question sitting deleted on his computer. They concluded it was a hoax. Further reports have indicated that the email originated within Treasury.

Mr. Turnbull spent the rest of the week defending both his reliance on the fake email, and  claims that the scandal had been orchestrated. He has since suffered a large fall in public satisfaction, as revealed by today’s poll results.

On email authenticity

This matter highlights the need for a greater degree of scepticism when it comes to reliance on email evidence, as compared with its paper counterpart. Modification of text on paper leaves a trace, whereas the substance of email is modifiable without an obvious trace. Hand written signatures go a long way towards authenticating the author of mail; the email equivalent of a signature is technically possible, however its use remains a niche practice.

Email authentication requires additional corroborating evidence and technical expertise. Metadata hidden within an email can indicate, among other things, the path that the email has taken from the sender to the recipient. This data is typically stored with the email, and can be used to detect tampering or outright forgery of emails.

Each server that an email passes through usually makes a note of the receipt and handoff of the email to the next carrier along the way. Multiple copies of the email may additionally be stored in the senders “Sent Items” folder and in archival or disaster recovery backups. Such information can be used to identify which computer an email originally came from.

Gaining access to these evidence sources is time consuming and often involves the cooperation of multiple parties. Determining authenticity based on such evidence then requires a high degree of expertise.

Commentary

It is unlikely that either Mr. Grech or Mr. Turnbull would have had access to the corroborating evidence or possess the expertise required to judge the authenticity of the email. Nor for that matter would the average email user.

Day to day though, email authenticity isn’t a problem. Our society largely manages to muddle along with email as one of our primary communications mediums. The reason it works is that each of us make decisions of trust around every email we receive.

Assuming neither Mr. Grech nor Mr. Turnbull fabricated the email, whoever inside Treasury created and sent the email to Mr. Grech relied on exploiting his trust of emails appearing to come from that source. It appears that Mr. Turnbull trusted Mr. Grech in turn.

This affair may mark the end of this kind of trust in emails as concrete evidence and the general acceptance of their authenticity. Certainly you would think so in the case of politicians attempting to score points against their opponents.

More generally though, the wider implications of the increased awareness of the vulnerability of email to fraud will be felt in our courts, where emails are often cited as evidence in both criminal and civil matters.

As for the fake email which has brought all of this to the public’s attention, presumably the AFP are still investigating who the original concocter of the email was. This investigation should lead to an examination of the computer systems of Treasury, where traces of the email, and hence clues to the original concoctor of the email may well remain. In which case, we wait with bated breath to see the next twist in this political drama.

Posted in Computer Forensics | 1 Comment »

Macintosh Forensic Acquisition

June 23rd, 2009

Recently the Mac OS X Forensics site has been amassing a wealth of information on acquiring and analysing Macintosh OS X computers. Additionally, the “Inside the Core” podcast has made a strong start at presenting similar and related content as a podcast. Both teams deserve congratulations and encouragement for their contributions.

One problem that I have observed with acquiring Macs is a particular problem with some Apple keyboards that have a brushed aluminium appearance. They will not reliably allow one to boot to CD or target mode using option keys, due to (purportedly) a firmware bug. The result of this can be an unplanned booting of the hard disk in the computer, and resulting modification of the state of the disk.

I haven’t observed this problem with any other Apple keyboards. Forensic practitioners may want to consider making it a part of your practice to ensure that you are booting with a non aluminium keyboard.

Posted in Storage Forensics | No Comments »

« Older Entries