Reviewing Wireshark's Capture Pane (by Tony Fortunato)
Survey Says: Need More Network Forensics and Real-Time Visibility at 10G! (by Jay Botelho)

Do you think outside the box? (by Casey Mullis)

If we all never endeavored to think differently or challenge the norm, where would we be today? If Einstein never challenged Sir Isaac Newton’s theory, what would we be teaching today? If we took what was written on the bathroom wall as gospel, where would we be? Remember, the world use to be flat and the sun revolved around the earth. Are you willing to think outside the box?

Thinking-outside-the-box

Unallocated space on a hard drive hides a lot of useful information if used correctly. A person must know what they are looking at and equate it to what is on the allocated side of the hard drive. Not only what is there, but also what is not there.

We have to quit going by the norm and think outside the box. We cannot allow our surroundings to bind us up and hold us down. You could say the norm is to not think about a solution until you have a problem. The norm says “Why waist the time or money, until you have to?”

We should be saying “What is good here and how can we make it better? What is bad here and how can we make it better?”

Why should companies and or corporations care about the unallocated space of a hard drive?

PPL_Illustrations_Unallocated_Space

You should care about unallocated space because it can help or hurt you. The theory is, you have a network intrusion or a Trojan infects your network. You find and remove the virus or the attacker has deleted his tracks but did not have time to completely erase everything.

You have your IT do a standard wipe and reload the system. Here is where your issue will lay. By doing this you have left evidence on a hard drive (Unallocated) that later when you have something go wrong and you think it is an employee. You conduct your investigation and have a computer forensic person go through the hard drive. He finds evidence of file transfers or programs that were deleted. Can you say beyond a reasonable doubt that the employee did or did not do this? You ask “Does this ever happen?” I tell you yes and dealt with one myself. What was found in unallocated space was the fact that all accounts at some point had been compromised from an outside source.

In another issue I had a friend ask me after getting a call from his wife, what they should do. His wife called to say she was surfing the web and clicked on a link at which time the computer started going crazy. I told him to pull the plug ASAP and disconnect the network cable. He pulled the hard drive and connected it to a clean system. He then scanned the system with antivirus software and found the drive to be infected. The drive was cleaned and put back in the computer.

The issues that followed were not a virus issue but an external issue. He called and described to me what his computer was now doing. I had him run some commands in the command prompt. What was found was an IP from China bombarding his system. Even though he had cleaned the hard drive; either a person or program still had his IP in their sites because of the prior infection. The only way this issue was fixed was by contacting his internet provider and getting his IP changed.

So as we can see by fixing one problem, does not mean all issues are fixed at the same time. The same can be said for conducting a standard wipe and reload of a computer system.

With all this being said, how do we fix the issue at hand? How do we ensure that one does not get mixed up data or evidence? When a system becomes infected or compromised and you complete your investigation. First I would suggest collecting a complete copy of RAM and a forensically sound copy of the hard drive. Never work from the actual machine or suspect drive.

After all this is done, we must complete what is known as a government wipe or DOD Wipe. What about the MBR? Can evidence be found or left behind in this area of a hard drive? Yes, so how do we wipe it? The simple answer to this question is found in a commercial grade tool called a HAMMER or PSIClone by CPR Tools. These tools are great in design and methodology. They are also backed by the company. If you have data that you must and I mean must make sure does not leave your office, then these tools are for you. They are also stand alone, so you do not have to tie up a computer to complete the job. They are also faster than most open source tools out there.

There are some good tools put out by Forward Discovery and Sumuri Forensics that does not require purchase. They both offer a bootable USB drive with their software at a very reasonable cost. The other option is you download and burn your own disk and or create your own USB drive. Their software will complete a secure wipe or DOD wipe of the selected drive. It will require a computer to connect to and or boot from to work. It is also time consuming but worth it to protect your data.

You would want to complete your wipe by validating the hard drive was completely wiped. This ensures later when something goes wrong, you do not have a possible mix-up of artifacts from the last intrusion or data theft. So long as there are computers and they are connected to the internet, you will have breaches of security. The same goes for homes with alarm systems. The fact that they have alarm systems, does not guarantee they will not be broke in to.

Thank you for stopping by today and reading the article, we looking forward to hearing back from you.  

 

Casey

Author - Emory Mullis has been in Law Enforcement for roughly 19 years including military and civilian law enforcement. He started learning about computers back when Gateway 266 MHz was the top of the line and cost about $2000.00.Right out the box, I was compelled to take my new found 266 apart. Why I have no idea other than pure curiosity. Once I had the computer out the box and on the floor in pieces, my wife walked in. Trust me people; this was not a good thing! Either way I got a good understanding at this point on how a computer is put together and / or the components inside. This was my starting point with computers and I still hear my wife in the back ground “It better work when you put it back together!” That was my humble beginnings as a Cyber Investigator. Now with many Cyber cases under my belt, I have learned that you must question, challenge and test almost daily to keep up with all the new tools, software, computers and cell phone formats to be able to forensically acquire evidence and it is a real challenge. I enjoy the challenge and look forward to learning more every day!



Comments