Analysis of WinHex
This paper is from the SANS Computer Forensics and e-Discovery site. Reposting is not permitted without express written permission.
Copyright SANS Institute
Analysis of WinHex
GIAC Certified Forensic
Analyst (GCFA)
Practical Assignment
Version 1.5
Option Two
Jessica Dillinger
SansFire ‘04 Monterey, CA
© SANS Institute 2005
Author retains full rights.
Table of Contents

Table of Contents ..... i
List of Figures and Tables ..... i
Abstract ..... 1
Introduction ..... 2
Preparation Steps for Analysis ..... 2
Autopsy Setup Process ..... 4
Image Details ..... 6
Examination Details ..... 6
Analysis of Files ..... 9
Examining Camouflage ..... 12
Deciphering Camouflage ..... 15
Recovering Camouflaged Files ..... 20
Conclusion ..... 22
Legal Implications ..... 22
Additional Information ..... 25
Part Two: Forensic Tool Validation: WinHex ..... 26
Scope ..... 26
Tool Description ..... 26
Test Apparatus ..... 29
Environmental Conditions ..... 30
Description of the Procedures ..... 30
Criteria for Approval ..... 31
Data and Results ..... 31
Analysis ..... 36
Presentation ..... 36
Conclusion ..... 37
List of Figures and Tables

Figure 1 - Evidence Custody Form and Chain of Custody Form ..... 5
Figure 2 - MD5sum verification of floppy ..... 5
Figure 4 - File details viewed in Autopsy ..... 7
Figure 5 - Image details of confiscated floppy disk viewed in Autopsy ..... 8
Figure 6 - File owners ..... 8
Figure 7 - Password_Policy.doc viewed in hex editor ..... 9
Figure 9 - Camshell.dll file viewed in hex ..... 11
Figure 10 - Comparison of Camshell.dll MD5 hashes ..... 12
Figure 11 - Comparison of images ..... 13
Figure 12 - Beginning of encrypted data in the test Word document ..... 15
Figure 13 - Location of encrypted password in Password_Policy.doc ..... 17
Figure 14 - Location of encrypted password in Remote_Access_Policy.doc ..... 17
Figure 15 - Zipped file viewed in WinHex ..... 31
Figure 16 - MAC times of file prior to WinHex ..... 33
Figure 17 - MAC times of file after WinHex ..... 34
Table 1 - Conversion table from hexadecimal to binary ..... 3
Table 2 - Files and their corresponding sectors ..... 11
Table 3 - Finding the key to Camouflage ..... 16
Table 4 - Recovered Camouflage passwords ..... 20
Table 5 - Cat.mdb, Access database storing customer information ..... 21
Abstract
This practical assignment was created to meet the criteria for the GIAC Certified Forensic Analyst certification, which consists of two parts. The first part of the certification requirement is to analyze a floppy disk that contains several files. This will be done using several forensic utilities, including Autopsy, shred and WinHex. This portion of the paper describes how the computer used for the investigation was prepared. It also explains the steps taken to examine the media and what was found at each step of the investigation. The tool used in this case will be studied in order to give an accurate description of how it works and what it was used for. A brief conclusion will give an overview of the evidence found and state what the suspect was trying to accomplish. Finally, the legal implications will be discussed, along with the punishments the suspect could face, based first on business policies and then on state and federal laws.
For the second portion of the paper, the second option was chosen: a tool that could be used for forensics will be investigated to determine how well it works and what types of forensic capabilities it has. The tool that will be reviewed is WinHex. WinHex is best known for its disk editing capability. However, it has many other capabilities, including a RAM editor, erasing entire hard drives, drive cloning and a random number generator.