Wednesday, 16 September 2009

Forensic Cop Journal 1(1) 2009: Symmetric and Asymmetric Cryptography in Brief Practice

Since cryptography offers tight security for people who want to encode their messages so that they are unreadable by a third party, many people are interested in using it to protect their privacy. Unauthorised people are expected to be unable to read an encrypted message even if they gain access to it: as long as they do not have the encryption key, they cannot open it unless they use decryption tools. However, such tools have limited ability, depending on the type of cryptography and the key size; they cannot decode every encrypted message because they only work for certain encryption types.

Based on this fact, criminals use cryptography to conceal essential information related to their crimes so that police or forensic investigators cannot open and read it. Perpetrators can use various types of cryptography and/or large key sizes to encode their messages more securely; therefore cryptography is one of the important concerns for forensic investigators, who need to know how to deal with it appropriately in order to solve the crime. It is a common fact that an encrypted message usually contains valuable information, so forensic investigators are required to extract it. For this task they have two duties: the first is to find the files, partitions and emails that are encrypted, and the second is to try to decrypt them into readable form. The decrypted information might be useful for the police in investigating the crime.

Types of Cryptography
Simply put, cryptography converts a message from plain text into cipher text by using a cryptographic algorithm such as DES (Data Encryption Standard), IDEA (International Data Encryption Algorithm), Blowfish, AES (Advanced Encryption Standard) and so on. Generally there are two types of cryptographic algorithm, namely symmetric and asymmetric. The clear and significant difference between them is the encryption key: symmetric cryptography uses only one key (a single secret key), whereas asymmetric cryptography uses two keys (a public key and a private key). Both are described below.

Symmetric Cryptography

Initially people used cryptography with one key, meaning that the key used for encryption is the same as the key used for decryption. It can be compared to a door key in the real world, because people use the same key for locking and unlocking the door. The cipher is a mathematical function designed to convert plain text data into cipher text data under that key; with the same algorithm and the same key, the cipher text can be converted back into the original data.

To control who can use such an algorithm to decrypt the ciphered data, a passphrase key is used to control the operation of the cipher, so that only the authorised users who know the passphrase key can perform decryption. This means that even if the type of cryptographic algorithm has been identified, the ciphered data cannot be decrypted while the passphrase key is still missing. This key, created during the encryption process, comes in various key sizes depending on the type of cryptography applied.

One of the well-known pioneering symmetric cryptographic algorithms is DES, which uses a 56-bit key. It is considered weak today because it can be broken by certain attacks such as brute force and cryptanalysis; therefore in 2002 it was superseded as the US standard by AES, a 128-bit block cipher with key sizes of 128, 192 and 256 bits. Other frequently used symmetric algorithms are Twofish, with a 128-bit block and a key size of up to 256 bits; Blowfish, with a 64-bit block and a variable key size between 32 and 448 bits; Serpent, with a 128-bit block size and 128, 192 or 256-bit keys; CAST5, with a 64-bit block size and key sizes from 40 to 128 bits; and Triple DES, which applies DES with its 56-bit key three times. These algorithms can also be applied in cascades of two or three algorithms in order to increase security, such as AES-Twofish, Serpent-AES and AES-Twofish-Serpent. Such combinations have been implemented by certain applications such as TrueCrypt.

Nowadays symmetric cryptography is used in varied and more appealing forms with a nice Graphical User Interface (GUI), such as Remora USB Disk Guard in figure 1 and PixelCryptor, which uses a picture as a bridge for encryption and decryption, so that people are attracted to use it for their current information security needs.

Figure 1
Remora USB Disk Guard, protected by two types of passwords (one for logon and one for encryption/decryption), is designed for mobile encryption on USB storage devices.

These applications are easy to use and put additional hurdles in the way of anyone trying to decrypt the data; PixelCryptor, for example, cannot decrypt an encrypted package if the linked picture used as the image key is missing or modified. To decrypt an encrypted package in PixelCryptor, the image key as well as the passphrase key is required, as shown in figure 2. Besides those above, there are also symmetric cryptography applications with an ordinary GUI, such as Kruptos, using Blowfish with a 128/256-bit key, and Blowfish Advanced CS, which offers various types of algorithm.

Figure 2
PixelCryptor uses an image file as a link to the encrypted package, in addition to the passphrase.

Another feature is the encrypted volume, which is used to store any files or folders to be encrypted by placing them within the volume. The volume is actually a file which can be mounted as a virtual drive. Files and folders moved into the volume are encrypted automatically, which makes it easy for users to modify the encrypted objects instantly as they wish. Once the volume is unmounted, all files and folders within it are encrypted and the virtual drive disappears; when it is mounted, all files and folders within the volume are decrypted. This feature is delivered by TrueCrypt and LockDisk.

Asymmetric Cryptography

Since symmetric cryptography is considered inflexible and insecure for sharing the encryption key among users, asymmetric cryptography was developed. Asymmetric cryptography provides two different types of key, namely the public key and the private key. The public key is designed to be shared with other people for encrypting plain text data into cipher text data, whereas the private key, which must be kept securely by its owner, is used to decrypt cipher text data back into plain text.

This technique is considered secure because a user can distribute his public key to anybody he wants without worrying about it being intercepted by a third party. Although the encrypted data can be tapped by other people, they cannot decrypt it without having the private key. The key can even be revoked if the owner believes the private key has been stolen.

One common use of asymmetric cryptography is email. Since people need to secure their email communication from interception by third parties, the use of asymmetric cryptography has become frequent, because distributing a public key to be shared with other people is more flexible and secure than sharing a symmetric key.

The asymmetric cryptography system most often used for encrypted email is PGP (Pretty Good Privacy), which provides privacy, authentication and integrity checking through the generation of public and private keys and digital signatures. For email encryption, the Enigmail plug-in, which provides OpenPGP, can be used as a security extension with mail clients such as Mozilla Thunderbird and SeaMonkey.

Figure 3
OpenPGP Enigmail within Mozilla Thunderbird generates a key pair (public key and private key) with the RSA algorithm and a 4096-bit key size.

OpenPGP Enigmail offers key pair generation, as shown in figure 3, with the 4096-bit RSA algorithm, which is widely used in e-commerce protocols because it is accepted as one of the means of providing strong security. It also provides key expiry, from only 1 day to no expiry at all, and revocation to terminate the key pair in case the private key is stolen or missing. Besides RSA, there are other algorithms such as DSA (Digital Signature Algorithm) and ElGamal. DSA is used for digital signatures, while ElGamal is an asymmetric cryptosystem with three components, namely the key generator, the encryption algorithm and the decryption algorithm.

Figure 4
The encrypted message created by OpenPGP Enigmail within Mozilla Thunderbird uses the RSA algorithm with a 4096-bit key size.

A short experiment shows that encryption and decryption using OpenPGP Enigmail within Mozilla Thunderbird is quite easy to carry out and reliable for strong security. In this experiment, a sender sends his public key to a recipient. After obtaining the public key, the recipient sends an encrypted message using the sender's public key. The encrypted email is then decrypted by the sender using his private key. If it is intercepted in transit over the network, the interceptor obtains only an encrypted message, as shown in figure 4. To decrypt the message he needs the sender's private key as well as the passphrase key; both are required.
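The exchange described in this experiment, as an added example that is not part of the original post or of Enigmail: the Go program below generates two RSA key pairs (the key owner's and a bystander's), encrypts a constructed message with RSA-OAEP under the owner's public key and shows that only the owner's private key opens it; it also signs the message with RSA-PSS to illustrate the authentication and integrity part of what PGP provides. It uses 2048-bit keys so that it runs quickly (the post's keys are 4096-bit); GenerateKeyPair, Encrypt, Decrypt, Sign, Verify and Exchange are this example's own names.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateKeyPair creates an RSA key pair; the public half is what the post's
// sender hands out, the private half is what stays with him.
func GenerateKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// Encrypt seals msg for the holder of pub with RSA-OAEP (SHA-256). Anyone may
// hold the public key; only the matching private key can open the result.
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt opens an OAEP ciphertext with the private key. With any other private
// key the OAEP padding check fails and an error is returned instead of plaintext.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
}

// Sign produces an RSA-PSS signature over msg: the authentication and integrity
// part of what PGP offers, alongside encryption.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify checks a PSS signature against the signer's public key; any change to
// msg, or a signature made with a different private key, fails.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Exchange models the post's experiment: the message is encrypted under the
// owner's public key, the owner decrypts it, and a bystander who captured the
// ciphertext tries his own private key. It returns the owner's plaintext and
// whether the bystander succeeded.
func Exchange(owner, bystander *rsa.PrivateKey, msg []byte) ([]byte, bool, error) {
	ct, err := Encrypt(&owner.PublicKey, msg)
	if err != nil {
		return nil, false, err
	}
	pt, err := Decrypt(owner, ct)
	if err != nil {
		return nil, false, err
	}
	_, err = Decrypt(bystander, ct)
	return pt, err == nil, nil
}

func main() {
	owner, _ := GenerateKeyPair(2048)
	bystander, _ := GenerateKeyPair(2048)
	msg := []byte("constructed sample e-mail body")
	pt, opened, err := Exchange(owner, bystander, msg)
	fmt.Printf("owner reads %q; bystander decrypted: %v; err=%v\n", pt, opened, err)
	sig, _ := Sign(owner, msg)
	fmt.Println("signature verifies:", Verify(&owner.PublicKey, msg, sig),
		"after tampering:", Verify(&owner.PublicKey, append([]byte("x"), msg...), sig))
}
```

Real OpenPGP encrypts the message body with a random symmetric session key and uses RSA only to wrap that session key; RSA-OAEP is applied to the message directly here because a short constructed message fits in one RSA block. The passphrase the post mentions protects the stored private key on disk and is not part of the protocol shown.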


Both symmetric and asymmetric cryptography algorithms are frequently used nowadays, even by criminals; therefore forensic investigators should know about them and how to deal with them properly. Although it is almost impossible to break an encrypted message protected by a large key or block size, there is still a possibility of obtaining its content, for instance when the suspect's computer is found still running. It should not be turned off straight away, because there may still be an encrypted message or volume which is currently decrypted. Indeed, the only time an encrypted drive can be accessed is while it is running, which means it is in its decrypted state.


Sunday, 13 September 2009

Brief Description of Similarities and Differences in Forensic Applications between Ubuntu and Windows

Investigators can perform forensic analysis either under Ubuntu 8.10 or under Windows XP when dealing with a computer crime case. To a certain extent, both operating systems have many similarities, so forensic investigators need not be confused in deciding which operating system is suitable for carrying out a particular analysis.

Based on the explanations, supported by experience and some experiments performed, there are at least 5 points of similarity between Ubuntu 8.10 and Windows XP regarding forensic analysis. They are:
 1.    Forensic Imaging, explained in the post on Experiment 11
 2.    Registry Analysis, described in Experiment 12
 3.    File Metadata Analysis, consisting of
        a)    Magic Number Analysis and
        b)    EXIF Information Analysis, discussed in Experiment 10
 4.    Internet Explorer Analysis, explained in Experiment 13
 5.    Unallocated Clusters Recovery, discussed in Experiment 14
Besides similarities, there are also differences between Ubuntu 8.10 and Windows XP related to forensic analysis. To a certain extent these differences make Ubuntu 8.10 more flexible, while on the other hand Windows XP is more familiar and much easier to operate.

Based on the descriptions, experiments and experience, there are at least 3 differences between Ubuntu 8.10 and Windows XP in forensic analysis, namely:
 1.    Commercial versus Freeware
         a)    Cost of Applications

The big difference between Ubuntu 8.10 and Windows XP in forensic analysis is the cost of applications: they are mostly commercial under Windows XP but mostly free under Ubuntu 8.10. Carrying out forensic analysis under Windows XP therefore needs a great amount of money to buy forensic tools, whereas investigators performing forensic analysis under Ubuntu 8.10 do not need to purchase forensic tools, because they are open source with community support.

For instance, according to and as of 17 December 2008, the prices of some well-known forensic tools under Microsoft Windows were as follows:
•    The price of EnCase Forensic Version 6 from Guidance Software is US$ 3,600 for the corporate standard edition and US$ 2,850 for government / law enforcement
•    The price of Forensic Toolkit (FTK) 2.0 from AccessData is US$ 3,835
•    The price of X-Ways Forensics from X-Ways Software Technology AG is EUR 685.90 for 1 licence with 1 year of update maintenance
On the other hand, most forensic tools under Ubuntu 8.10 or Linux, such as Autopsy with The Sleuth Kit, dcfldd, exiftool, pasco, regviewer, GHex, foremost, PyFlag, AIR, md5deep, ntfsprogs and so on, cost nothing at all.

         b)    User Interface

All forensic tools under MS Windows XP use a Graphical User Interface (GUI), which makes it much easier for forensic investigators, as users, to operate the applications and obtain the best examination results. The high price buys the ease of use that the GUI provides.
On the other hand, most forensic tools under Ubuntu 8.10 or Linux are console based, so forensic investigators have to understand the use of the command line to run tools such as dcfldd, exiftool, foremost, md5sum and so on. There are also GUI-based forensic tools such as Autopsy, regviewer, PyFlag, AIR and so on, but these GUI tools are themselves built on command line tools: AIR is built on dcfldd for forensic imaging, Autopsy on The Sleuth Kit commands, and so on.

 2.    Blocks Imaging, explained in Experiment 9
 3.    The Bridge of Wine, discussed in Experiment 15

Experiment 15 on Wine as Ubuntu Super Bridge

I like the Wine application on Ubuntu a lot. It makes a significant difference between Ubuntu and MS Windows, although not all Windows applications can be installed into Ubuntu. In some cases it is very helpful. I suggest that anybody install and use it so that the machine becomes more flexible.

One of the amazing tools under Ubuntu 8.10 is Wine. Through this application forensic investigators can run some Windows XP applications properly on an Ubuntu 8.10 machine, whereas there is no equivalent application under Windows XP.
Through Wine, MS Office Password Recovery from Elcomsoft can be installed on an Ubuntu 8.10 machine. This application is often used by forensic investigators to recover passwords from MS Office files. Normally this password recovery application can only run under Windows XP and cannot run on an Ubuntu machine, but through Wine it becomes possible.
Figure 1
The MS Office Password Recovery application for Windows XP can run under Ubuntu 8.10 through Wine.
For this experiment, an MS Word file was set up with password protection for opening the file. Through Wine, the password recovery tool was run under Ubuntu 8.10 to recover the password. The result was excellent: the password was recovered successfully.

Figure 2
The MS Office password recovery application shows the recovered password after running under Ubuntu.
To a certain extent, the Wine application shows the advantage of Ubuntu 8.10 for forensic analysis by running some Windows XP forensic tools on an Ubuntu 8.10 machine.

Experiment 14 on Deleted Files Recovery under Ubuntu

This experiment was performed in December 2008 in order to support my statement on the similarities of forensic applications running under Ubuntu and Windows. From all the experiments I carried out under Ubuntu, I can say that Ubuntu is an excellent operating system, particularly when it is used for forensic purposes.

One of the requests often made to forensic investigators is deleted file recovery, in order to obtain more evidence related to the case. When a file is deleted, the clusters occupied by the file are marked by the OS as 'unallocated' in the file allocation table. This means the clusters can be used by the OS to store a new file, which will then overwrite the deleted file. As long as the unallocated clusters are not yet occupied by other files, the deleted file can be recovered perfectly; otherwise the deleted file cannot be recovered, but there is still a possibility of obtaining partial data of the deleted file from 'slack', the space from the end of the new file to the end of the cluster.
For this reason, an experiment using Autopsy running under Ubuntu was performed in order to carry out unallocated sector recovery. The object of this experiment is the deleted files in the image file partition1.dd from a previous experiment I performed on forensic imaging.
After running the 'sudo autopsy' command, typing 'http://localhost:9999/autopsy' in the Firefox browser and entering the input data such as case name, host name, image location and so on, the Autopsy window is displayed, containing the choices of analysis for forensic investigators: file analysis, keyword search, file type, image details, metadata and data unit. In my point of view, Autopsy is one of the most powerful forensic tools I know.
Through file analysis, in the 'c:\ExperimentMaterials\Documents' directory, some deleted files were found together with their written, accessed and created dates, size and metadata. The deleted files include 'Additional Papers for Strathclyde.doc', 'Alien Song.mpg', 'Analisa EnCase Cloned 1.ppt', 'CHFA v3 Module 01 Computer Forensics in Todays World.pdf' and so on. Deleted picture files were also found in the directory 'c:\ExperimentMaterials\Pictures'. These deleted files, which can be displayed as ASCII, Hex and ASCII strings, can be extracted and saved elsewhere for further analysis.

Figure 1
Through Autopsy, the deleted files can be recovered, including time stamps and metadata.

The experiment results above are the same as the results I obtain when I run Forensic Toolkit (FTK), which is one of my favourite forensic tools for the purpose of deleted file recovery. Although the results are the same, there is a big difference between them, namely that Autopsy, which is based on The Sleuth Kit (TSK), is free, while FTK is commercial.
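The cluster, unallocated-space and slack mechanics described at the start of this experiment, as an added example that is not part of the original post or of Autopsy: the Go program below models a tiny FAT-like volume with 512-byte clusters, writes a constructed 720-byte document, deletes it, then writes a 100-byte file into the freed space. It then shows that the document's second cluster is still recoverable whole from unallocated space, while its first cluster survives only partially, as the new file's slack. Volume, Write, Delete, Unallocated, Slack and Scenario are this example's own names; the volume layout is constructed and simplified, not a real FAT implementation.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

const clusterSize = 512

// Volume is a constructed, much simplified FAT-like store: a flat array of clusters,
// an allocation bitmap and a directory mapping a name to its cluster chain and size.
type Volume struct {
	data      []byte
	allocated []bool
	dir       map[string]entry
}

type entry struct {
	clusters []int
	size     int
}

func NewVolume(clusters int) *Volume {
	return &Volume{make([]byte, clusters*clusterSize), make([]bool, clusters), map[string]entry{}}
}

// Write stores content in the first free clusters and returns the chain used. Only the
// file's own bytes are written; the rest of the last cluster is left untouched, which is
// exactly how slack space comes to exist.
func (v *Volume) Write(name string, content []byte) ([]int, error) {
	need := (len(content) + clusterSize - 1) / clusterSize
	var chain []int
	for i := 0; i < len(v.allocated) && len(chain) < need; i++ {
		if !v.allocated[i] {
			chain = append(chain, i)
		}
	}
	if len(chain) < need {
		return nil, errors.New("volume full")
	}
	for i, c := range chain {
		v.allocated[c] = true
		end := (i + 1) * clusterSize
		if end > len(content) {
			end = len(content)
		}
		copy(v.data[c*clusterSize:], content[i*clusterSize:end])
	}
	v.dir[name] = entry{chain, len(content)}
	return chain, nil
}

// Delete marks the file's clusters unallocated; the bytes stay on disk until reused.
func (v *Volume) Delete(name string) {
	for _, c := range v.dir[name].clusters { // absent name: zero entry, nothing to free
		v.allocated[c] = false
	}
	delete(v.dir, name)
}

// Unallocated returns the raw content of every cluster no live file owns: this is
// where a deleted file can still be recovered whole.
func (v *Volume) Unallocated() []byte {
	var out []byte
	for i, used := range v.allocated {
		if !used {
			out = append(out, v.data[i*clusterSize:(i+1)*clusterSize]...)
		}
	}
	return out
}

// Slack returns the bytes between a live file's end and the end of its last cluster:
// partial remnants of whatever occupied that cluster before.
func (v *Volume) Slack(name string) ([]byte, error) {
	e, ok := v.dir[name]
	if !ok || len(e.clusters) == 0 {
		return nil, errors.New("no such file or empty file")
	}
	last := e.clusters[len(e.clusters)-1]
	used := e.size - (len(e.clusters)-1)*clusterSize
	return v.data[last*clusterSize+used : (last+1)*clusterSize], nil
}

// Scenario reproduces the post's reasoning: write, delete, partially overwrite, then
// look at what survives in unallocated space and in the new file's slack.
func Scenario() (tailRecoverable bool, slack []byte) {
	v := NewVolume(8)
	doc := bytes.Repeat([]byte("DELETED-DOC|"), 60) // constructed 720-byte file: two clusters
	v.Write("deleted.doc", doc)
	v.Delete("deleted.doc")
	v.Write("new.txt", bytes.Repeat([]byte("n"), 100)) // reuses cluster 0, fills 100 bytes
	tailRecoverable = bytes.Contains(v.Unallocated(), doc[clusterSize:])
	slack, _ = v.Slack("new.txt")
	return tailRecoverable, slack
}

func main() {
	tail, slack := Scenario()
	fmt.Println("second cluster of deleted.doc intact in unallocated space:", tail)
	fmt.Printf("new.txt slack: %d bytes, begins %q\n", len(slack), slack[:16])
}
```

Autopsy's data-unit view is the real-world counterpart of Unallocated here, and the 412 bytes of slack behind new.txt are what a keyword search can still hit after the file system itself has forgotten the deleted document.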

Experiment 13 on Internet Explorer Analysis under Ubuntu

This experiment was part of the class assignments performed in the computer laboratory of CIS Strathclyde. Surprisingly, in this laboratory all machines run Ubuntu as the operating system, so all forensic activities were carried out under Ubuntu. All applications used during the activities are free and flexible, and some of them are even more powerful than commercial applications running under MS Windows.

Most computer users in the world use Microsoft Windows as their operating system, especially Windows XP, because most applications, whether commercial or freeware, are compatible with it. Forensic investigators have to take this into account, because most evidence comes from Windows XP machines, including evidence from Internet Explorer, which Microsoft installs by default. Internet Explorer is often used for browsing the internet, accessing email and so on.
In this experiment, an analysis of Internet Explorer traces was carried out under Ubuntu 8.10 in order to get the activity history of Internet Explorer. The tool used was the pasco command under Ubuntu 8.10.
For this experiment, the 'Local Settings' directory containing the temporary internet files, including index.dat, was copied from the experimental machine as the object of examination. After that the command 'pasco index.dat > IEAnalysis.txt' was run, and the result of this command is the IEAnalysis.txt file. If investigators open this file with the vi command, the content is displayed irregularly; they should therefore use a spreadsheet application such as OpenOffice Spreadsheet, Gnumeric and so on, so that they can analyse the use of Internet Explorer easily and in more detail.

 Figure 1
The result of the pasco command displayed in order using a spreadsheet application

From the pasco command, the list of Internet Explorer activities was found, with time stamps (modified and accessed), file name and HTTP headers of the websites which had been visited by the user. Some of the websites are: ,,,,, and so on, which were clicked by the user on 17 December 2008 from 7.35am till 8am.

Experiment 12 on Windows Registry Analysis under Ubuntu

This experiment, like experiments 9, 10 and 11, is part of a set of experiments related to the class assignments performed in December 2008. In my point of view, an assignment report is more reliable if it is supported by a number of experiments as well as literature study; therefore for most of my assignments during my course at Strathclyde, I usually performed some experiments to prove my statements.

The registry under the MS Windows OS stores much important information such as users, applications installed on a machine, USB drives which have ever been attached to the machine and so on; therefore it is one of the targets for forensic investigators to search.

In this experiment, registry viewer applications running under Ubuntu 8.10 were used, with the registry from my experimental dual-boot machine as the object.

Under Ubuntu 8.10, the cp command was run to copy 5 registry files from an experimental forensic image which was taken from a Windows machine:


After that the regviewer application was used to analyse these files.

From /HKEY_LOCAL_MACHINE/SAM/Domains/Account/Users/Names, the list of users was obtained, namely Administrator, Guest, HelpAssistant, SUPPORT_388945a0 and UserXP.

Figure 1
/HKEY_LOCAL_MACHINE/SAM/Domains/Account/Users/Names shows the list of user accounts.

From /HKEY_LOCAL_MACHINE/ntuser.dat/Software and /HKEY_LOCAL_MACHINE/SOFTWARE, the list of companies along with their software installed on the target machine was obtained, such as AccessData with FTK and FTK Imager, Adobe with Acrobat Reader, America Online, BitComet and so on.

Figure 2
/HKEY_LOCAL_MACHINE/ntuser.dat/Software shows the list of software installed on the machine.

From /HKEY_LOCAL_MACHINE/SYSTEM/ControlSet002/Enum/USBSTOR, the list of storage devices which have ever been attached to the USB port of the experimental machine was found, each with its unique entry, such as SanDisk-Cruzer, Fujitsu, Generic and so on.

Figure 3
/HKEY_LOCAL_MACHINE/ControlSet002/Enum/USBSTOR shows the list of storage media which was ever attached to the machine

Experiment 11 on Similarity in Forensic Imaging between Ubuntu and Windows

This experiment was performed in order to seek similarities in forensic imaging between applications running under Ubuntu and Windows XP. It was part of a large set of experiments related to the class assignments at Strathclyde in December 2008.

Imaging is the first thing to do when performing forensic analysis on hard drive evidence. If it is not handled appropriately, the subsequent phases of the forensic examination will be weak and may even be rejected by a court; therefore paying close attention to this phase is compulsory for forensic investigators. Because it is so crucial, there is a strict rule on forensic imaging, namely 'make an image with a bit stream copy'. It can be a physical image from hard drive to hard drive or from hard drive to an image file.

During the imaging process, forensic investigators have to be able to ensure that nothing has changed in either the hard drive or the image file. To do this, investigators can use hash value checking such as MD5, comparing the MD5 value of the hard drive evidence with that of the image file or cloned hard drive. If they match, the forensic imaging has worked well; otherwise it has failed and cannot be accepted for the next examination phases.

Windows XP and Ubuntu 8.10 have similarities on this point. Under Ubuntu 8.10, forensic investigators can select which device or partition they would like to image by using the 'fdisk -l' command, then image the selected device or partition by using the 'dcfldd' command. After the imaging process finishes, they have to verify the MD5 hash value of the source against that of the target to ensure that nothing changed during imaging.

Figure 1
The use of the 'fdisk -l' command to identify the devices and partitions attached to the machine

Figure 2
The use of the 'dcfldd' command to perform imaging and the use of 'md5sum' to obtain the MD5 hash value

From the experiment described by the figures above, the MD5 hash value of partition 1 was 0171fbb2536ccd6c5fe6607743c9de17. This value is the same as the MD5 value of partition1.dd, which means the imaging process can be accepted for forensic purposes.

Under Windows XP, FTK Imager from AccessData was run in order to image the same partition1. FTK Imager offers forensic investigators three image formats, namely Raw (dd), SMART and E01. In this case, Raw (dd) is more appropriate for imaging partition1. FTK Imager also provides a window for filling in miscellaneous case details such as case number, evidence number, investigator name and so on. These data do not interfere with the imaging process or the MD5 hash value.

Figure 3
FTK Imager showing the partitions of the experimental flash disk

After the imaging process finishes, FTK Imager runs a verification process to obtain the MD5 hash value of the image and compare it with the MD5 hash value of the source. In the experiment using FTK Imager above, the MD5 hash value of the source (drive) of partition1, 0171fbb2536ccd6c5fe6607743c9de17, is the same as the MD5 hash value of the image.

Figure 4
FTK Imager verifies the hash values of drive and image using MD5 and SHA1

The MD5 hash values obtained from dcfldd under Ubuntu 8.10 and from FTK Imager under Windows XP are the same. This means there is similarity in the forensic imaging process between Ubuntu 8.10 and Windows XP; which way to perform it therefore depends on the forensic investigator's preference.

Friday, 11 September 2009

Experiment 10 on Analysing a Fake Image under Ubuntu

This experiment, performed in December 2008, was part of a set of experiments related to the class assignments seeking the similarities of forensic analysis between Ubuntu and Windows XP.

EXIF, which stands for Exchangeable Image File Format, is an image file format specification that adds metadata tags to the JPEG, TIFF Rev. 6.0 and RIFF WAV file formats. The metadata tags cover date and time information, camera settings, a picture thumbnail, and description and copyright information.

This EXIF metadata is important and is often used to identify the originality of an image. JPEG files can be manipulated with picture editor applications such as Adobe Photoshop, but this also affects the EXIF metadata, which changes along with the picture (for example X and Y resolution, time stamps, the picture editor software and so on); therefore the technique of recovering the EXIF information from a JPEG file is often used by forensic investigators when dealing with a fake picture case.

For this experiment there are 2 JPEG files to be analysed in order to obtain their EXIF metadata using the exiftool command under Ubuntu 8.10. These are an original JPEG file and a fake JPEG file; the fake file was manipulated from the original.

Under Ubuntu 8.10, exiftool was run from the command console on the first JPEG file and gave the EXIF information below (as shown in figure 1).

File Modification Date/Time: 2008:02:16 08:46:38
X Resolution: 72
Y Resolution: 72
Resolution Unit: inches
Exif Version: 0210
Thumbnail Offset: 274
Thumbnail Length: 2185
Encoding Process: Baseline DCT, Huffman coding
Image Size: 640 x 480

Figure 1
exiftool gives EXIF information such as File Modification Date/Time, X Resolution, Y Resolution, Exif Version and so on.

This EXIF information is then analysed and compared with the EXIF information of the second JPEG file in order to decide the originality of the picture. For the second JPEG file, exiftool displays the following EXIF information (see figure 2):

File Modification Date/Time: 2008:02:16 09:36:46
X Resolution: 524
Y Resolution: 524
Resolution Unit: inches
Software: Adobe Photoshop 7.0
Exif Version: 0210
Thumbnail Offset: 372
Thumbnail Length: 3825
Encoding Process: Baseline DCT, Huffman coding
Image Size: 320 x 238


Figure 2
exiftool displays the EXIF information of the fake JPEG file, containing Software, RGB Tone Reproduction Curve and so on

By analysing the EXIF information of both files above, forensic investigators can conclude that the second JPEG picture is fake, because its EXIF information reveals the software (Adobe Photoshop) used to manipulate the picture, together with RGB Tone Reproduction Curve information and so on. There are also differences in File Modification Time, X Resolution, Y Resolution, Thumbnail Offset, Thumbnail Length and Image Size between the original and the fake.
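The metadata comparison in this experiment, as an added example that is not part of the original post or of exiftool: the Go program below contains a minimal parser that walks a JPEG's segment chain to the APP1 Exif block, reads the TIFF header and IFD0, and decodes the X/Y Resolution (RATIONAL) and Software (ASCII) tags the post compares; sampleJPEG builds two constructed, metadata-only JPEG files (72 dpi with no Software tag, and 524 dpi tagged "Adobe Photoshop 7.0") standing in for the original and the fake picture. ParseExif, parseIFD0, tagNames and sampleJPEG are this example's own names, and the sample bytes are constructed, not the post's pictures.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// IFD0 tags the post compares between the original and the edited picture.
var tagNames = map[uint16]string{0x011A: "X Resolution", 0x011B: "Y Resolution", 0x0131: "Software"}

// ParseExif walks the JPEG segment chain to the APP1 "Exif" segment and returns the
// IFD0 entries listed in tagNames, decoded to strings roughly as exiftool prints them.
func ParseExif(jpg []byte) (map[string]string, error) {
	if len(jpg) < 4 || jpg[0] != 0xFF || jpg[1] != 0xD8 {
		return nil, errors.New("not a JPEG (no SOI marker)")
	}
	for pos := 2; pos+4 <= len(jpg); {
		marker := jpg[pos+1]
		if jpg[pos] != 0xFF || marker == 0xDA || marker == 0xD9 {
			break // SOS or EOI: no metadata segments beyond this point
		}
		end := pos + 2 + int(binary.BigEndian.Uint16(jpg[pos+2:]))
		if end < pos+4 || end > len(jpg) {
			return nil, errors.New("truncated segment")
		}
		if seg := jpg[pos+4 : end]; marker == 0xE1 && len(seg) > 6 && string(seg[:6]) == "Exif\x00\x00" {
			return parseIFD0(seg[6:])
		}
		pos = end
	}
	return nil, errors.New("no Exif APP1 segment")
}

// parseIFD0 decodes the TIFF header and first IFD; only ASCII (2) and RATIONAL (5) entries are needed here.
func parseIFD0(t []byte) (map[string]string, error) {
	var bo binary.ByteOrder
	switch {
	case len(t) < 8:
		return nil, errors.New("short TIFF header")
	case string(t[:2]) == "II":
		bo = binary.LittleEndian
	case string(t[:2]) == "MM":
		bo = binary.BigEndian
	default:
		return nil, errors.New("bad TIFF byte order")
	}
	ifd := int(bo.Uint32(t[4:]))
	if ifd+2 > len(t) {
		return nil, errors.New("IFD offset out of range")
	}
	n, out := int(bo.Uint16(t[ifd:])), map[string]string{}
	for i := 0; i < n; i++ {
		off := ifd + 2 + 12*i // entry layout: tag(2) type(2) count(4) value-or-offset(4)
		if off+12 > len(t) {
			return nil, errors.New("truncated IFD")
		}
		e := t[off : off+12]
		name, known := tagNames[bo.Uint16(e)]
		typ, count, val := bo.Uint16(e[2:]), int(bo.Uint32(e[4:])), int(bo.Uint32(e[8:]))
		switch {
		case !known:
		case typ == 2 && count <= 4: // ASCII values of up to 4 bytes are stored inline
			out[name] = strings.TrimRight(string(e[8:8+count]), "\x00")
		case typ == 2 && val+count <= len(t):
			out[name] = strings.TrimRight(string(t[val:val+count]), "\x00")
		case typ == 5 && val+8 <= len(t) && bo.Uint32(t[val+4:]) != 0:
			out[name] = fmt.Sprint(bo.Uint32(t[val:]) / bo.Uint32(t[val+4:]))
		}
	}
	return out, nil
}

// sampleJPEG builds a constructed, metadata-only JPEG: SOI, one APP1 Exif segment
// (little-endian TIFF, IFD0 with X/Y resolution and an optional Software string), EOI.
func sampleJPEG(res uint32, software string) []byte {
	tiff := []byte{'I', 'I', 0x2A, 0, 8, 0, 0, 0} // byte order "II", magic 42, IFD0 at offset 8
	u16 := func(v uint16) { tiff = append(tiff, byte(v), byte(v>>8)) }
	u32 := func(v uint32) { tiff = append(tiff, byte(v), byte(v>>8), byte(v>>16), byte(v>>24)) }
	entries := uint16(2)
	if software != "" {
		entries = 3
	}
	dataOff := uint32(8 + 2 + 12*int(entries) + 4) // values follow the count, the entries and the next-IFD pointer
	u16(entries)
	for _, tag := range []uint16{0x011A, 0x011B} { // both resolutions share one RATIONAL value
		u16(tag); u16(5); u32(1); u32(dataOff)
	}
	if software != "" {
		u16(0x0131); u16(2); u32(uint32(len(software) + 1)); u32(dataOff + 8) // count includes the NUL
	}
	u32(0); u32(res); u32(1) // no IFD1; then the RATIONAL res/1
	tiff = append(append(tiff, software...), 0)
	app1 := append([]byte("Exif\x00\x00"), tiff...)
	jpg := []byte{0xFF, 0xD8, 0xFF, 0xE1, byte((len(app1) + 2) >> 8), byte(len(app1) + 2)}
	return append(append(jpg, app1...), 0xFF, 0xD9)
}
```

Calling ParseExif(sampleJPEG(524, "Adobe Photoshop 7.0")) yields the Software and resolution values that gave the fake away in figure 2, while ParseExif(sampleJPEG(72, "")) has no Software entry at all, matching figure 1. Because the parser never touches scan data, it works just as well on a carved or truncated JPEG whose picture portion is missing, which is a common situation with recovered files.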

Another way to check the originality of an image is pixel analysis. This technique is based on zooming in on the image, up to thousands of times, in order to examine the arrangement of the pixels: if it is normal, the image is original, otherwise it is fake. This technique will be discussed in a later post.

Experiment 9 on Forensically Sound Blocks Imaging under Ubuntu

This experiment was part of a set of experiments for an essay assignment in my course (MSc in Forensic Informatics at the University of Strathclyde, UK) about the differences between forensic applications on Ubuntu and Windows XP. It was performed in December 2008.
Forensically sound block imaging is a small thing, but it makes a significant difference between Ubuntu 8.10 and Windows XP in the partial imaging of digital evidence such as a hard drive, flash disk and so on. Partial imaging means that forensic investigators do not need to image the whole hard drive; they can select which blocks are to be imaged, and this option is hoped to speed up the examination process.

Forensic investigators can use the dcfldd command to arrange this. For instance, to obtain only the first 572 Mbyte of the first partition of the 4 GB experimental flash disk used in the previous experiment, the investigators can run this command:

'dcfldd if=/dev/sdb1 of=partition1a.dd conv=notrunc,noerror,sync hashwindow=512 hashlog=Partition1aHash.md5 bs=146484 count=4096'

Figure 1
dcfldd command is used to image the first 572 Mbyte of the 4 GB flash disk

With the command above, the partition1a.dd image file was produced with 4096 blocks. With dcfldd, forensic investigators can also set up the forensic imaging as they want; for instance, from the 4 GB experimental flash disk above, which consists of 3 partitions, the investigators can image all of partition 1 (1 GB in size) together with half of partition 2 (1 GB in size) by running this command:

'dcfldd if=/dev/sdb of=partition1and2.dd conv=notrunc,noerror,sync hashwindow=512 hashlog=Partition1and2Hash.md5 bs=366210 count=4096'
dcfldd command is used to image the first 1430 Mbyte of the 4 GB flash disk

From this command, the image file partition1and2.dd will be 1430 Mbyte in size with 4096 blocks. These blocks will then be examined in further analysis, so the investigators can economize their time in imaging and analysis. As far as I know and have experienced, this technique might not be found in forensic imaging tools running under Windows XP such as FTK Imager, EnCase, WinHex and so on. In my point of view, this block imaging technique of Ubuntu 8.10 makes the dcfldd command better and more flexible than imaging tools running under Windows XP.
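As an added example (not from the original post), a Python emulation of what the two dcfldd commands above do with bs, count, conv=sync and hashwindow: it copies at most count blocks of bs bytes, zero-pads a short final block, and computes an MD5 per window and for the whole image. The source is a constructed 3000-byte buffer, plan() reproduces the page's block sizes from target sizes of 600 MB and 1.5 GB (decimal), and all names are my own; this shows the semantics only, not dcfldd's own code or hashlog format.

```python
import hashlib
import io

def md5hex(data):
    return hashlib.md5(data).hexdigest()

def partial_image(src, out, bs, count, hashwindow=512):
    """Emulate dcfldd's bs/count/conv=sync/hashwindow behaviour for a partial image.
    src and out are binary file objects (the device and the .dd file on the page).
    conv=noerror (continuing past read errors) is not modelled here."""
    chunks = []
    for _ in range(count):                  # count is an upper bound, as for dd/dcfldd
        block = src.read(bs)
        if not block:                       # source exhausted before count blocks: stop early
            break
        chunks.append(block.ljust(bs, b"\0"))   # conv=sync: a short block is zero-padded to bs
    copied = b"".join(chunks)
    out.write(copied)
    windows = [md5hex(copied[i:i + hashwindow]) for i in range(0, len(copied), hashwindow)]
    return {"bytes": len(copied), "blocks": len(copied) // bs,
            "windows": windows, "total_md5": md5hex(copied)}

def plan(target_bytes, count=4096):
    """Largest bs for which count blocks stay within target_bytes; the page's bs values
    146484 and 366210 are what this gives for 600 MB and 1.5 GB (decimal) with count=4096."""
    return target_bytes // count

SRC = (bytes(range(256)) * 12)[:3000]       # constructed 3000-byte stand-in for /dev/sdb1

def demo(bs=1024, count=4, hashwindow=512):
    """Image the constructed device with the given parameters and return the hash report."""
    return partial_image(io.BytesIO(SRC), io.BytesIO(), bs, count, hashwindow)
```

Because conv=sync pads the last short block, the image size is always a multiple of bs and the total hash covers the padding, so it will not equal a hash taken over the raw device range; keep that in mind when verifying a partial image against the source.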

Thursday, 10 September 2009

Experiment 8 on Understanding File System under Ubuntu

These experiments were my private experiments to understand file systems, particularly FAT. Hopefully they can help anyone who would like to explore the subject.

Introduction :

A computer needs a method to arrange and manage its files. This method is simply called a file system, and the computer uses it to manage the files stored on storage media such as magnetic disks, optical disks and solid state disks. Each file is assigned the sectors allocated for it so that it will not be overwritten by other files as long as it is not deleted; even if it is deleted, it can still be recovered fully or partially because its sector allocation is still recorded in the file system. With a file system, a computer can easily open, read and save files even when they share a name but have different extensions, such as document1.doc, document1.odt or document1.txt.

There are many types of file system, but only several are well known and commonly used, such as FAT16, FAT32 and NTFS for the Windows operating system (OS); ext2, ext3 and swap for Linux; and HFS and HFS+ for Mac OS. This exercise explores file systems, especially FAT.

Description of Experiment :

First of all, I used my flashdisk as the experiment object. It is 1 GB with the FAT32 file system. I stored some files with the extensions .doc, .odt, .pdf, .jpg, .png and .mp3, with the aim of getting different views of how the file system deals with various files.

The commands used were:

“fdisk -l” to display the partitions attached to the machine, one of which was /dev/sdb1 from my flashdisk; then “mount /dev/sdb1 /media/flashdisk”; and then “ls -l”, which lists the files on the experiment flashdisk.

Figure 1
/dev/sdb1 is the experiment flashdisk containing some files

The command “dd if=/dev/sdb1 bs=512 count=1 | hexdump -C” prints the first 512 bytes of the flashdisk, which is the first sector containing the Master Boot Record (MBR) holding the primary partition table that tells the OS how to deal with the flashdisk and its files. This sector is also known as the boot sector. The command displays it in hexadecimal in the middle, ASCII on the right and the byte offset on the left.

From the figure below, the following can be observed:
  1. The boot sector starts with the hex bytes “eb 58 90” and ends with “55 aa” (also known as the 'boot signature').
  2. The ASCII characters “MSDOS5.0” show that this flashdisk was formatted using Microsoft DOS version 5.0.
  3. The ASCII characters “FAT32” show that this flashdisk uses the FAT32 file system for its partition table.
  4. The ASCII characters “NTLDR”, the abbreviation of “NT Loader”, show that this flashdisk contains the boot loader from a Microsoft Windows NT OS such as Windows 2000 or XP.
Figure 2
The first 512 bytes of the experiment flashdisk

To understand how a file is saved by an application, and how the file system searches for and decides which type of application can open the file, the first bytes of the file are examined. Each file on the experiment flashdisk was opened with the command “hexdump -C | more”. The figures below show different first bytes for different file extensions, which demonstrates that the first bytes of a file are very important in connecting the file with the OS: the OS then searches for and decides which application is suitable to open, write or save the file.

Figure 3
MP3 file is started by the hex codes of “ff fb 90 44”

Figure 4
PNG file is started by the hex codes of “89 50 4e 47”

Figure 5
JPG file is started by the hex codes of “ff d8 ff e1”

Figure 6
ODT file is started by the hex codes of “50 4b 03 04”

Figure 7
DOC file is started by the hex codes of “d0 cf 11 e0”

These first bytes are also known as “magic numbers”. Interestingly, even if the file extension is manipulated, the first bytes of the file do not change, so the file system still recognises the file.
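As an added example (not the post's own code), a Python check that identifies a file from its leading bytes using the signatures shown in figures 3 to 7, and flags files whose extension disagrees with the magic number. The table and sample headers are constructed for this example; the MP3 and JPG entries keep only the stable leading bytes (the frame sync ff fb and the SOI ff d8 ff), since the later bytes in the figures vary from file to file, and a ZIP whose first entry is the ODF "mimetype" file is reported as odt.

```python
# Signatures from the figures above (prefix bytes -> type); constructed table for this example.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),                   # 89 50 4e 47 ...
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),    # OLE2 compound file (Word .doc)
    (b"\xff\xd8\xff", "jpg"),                        # SOI followed by a marker (ff e1 = APP1/Exif)
    (b"PK\x03\x04", "zip"),                          # 50 4b 03 04: ZIP container; ODT is a ZIP
    (b"\xff\xfb", "mp3"),                            # MPEG-1 Layer III frame sync
]

def identify(data):
    """Return the file type implied by the leading bytes, ignoring the file name entirely."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            if kind == "zip":
                # An ODT is a ZIP whose first local entry is "mimetype" holding the ODF MIME type
                name_len = int.from_bytes(data[26:28], "little")
                extra_len = int.from_bytes(data[28:30], "little")
                body = data[30 + name_len + extra_len:]
                if data[30:30 + name_len] == b"mimetype" and body.startswith(b"application/vnd.oasis.opendocument.text"):
                    return "odt"
            return kind
    return "unknown"

def extension_mismatch(filename, data):
    """True when the name's extension disagrees with what the magic number says (a renamed file)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return identify(data) != ext

# Constructed sample inputs (headers only; the rest of each file does not affect the check)
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe1" + b"\0" * 16,
    "song.mp3": b"\xff\xfb\x90\x44" + b"\0" * 16,
    "report.odt": b"PK\x03\x04" + b"\0" * 22 + (8).to_bytes(2, "little") + (0).to_bytes(2, "little")
                  + b"mimetype" + b"application/vnd.oasis.opendocument.text",
    "renamed.txt": b"\x89PNG\r\n\x1a\n" + b"\0" * 16,   # a PNG given a .txt extension
}
```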

Secondly, I tried something different and challenging, namely making the experiment flashdisk a bootable flashdisk by using the “usb-creator” application from This application allows a Linux OS to be installed on the flashdisk, and in this case I installed the Ubuntu-based “Helix Live CD” onto the experiment flashdisk. It took approximately 10 minutes. After the installation process finished, the flashdisk could be used to boot any computer that supports booting from USB, and it then displays the Helix 3 application, which is widely used for forensic investigation.

This attempt was conducted to find out whether there is any difference in the boot sector of the experiment flashdisk before and after the installation. Interestingly, after running “fdisk -l”, it was found that the flashdisk still uses the FAT32 file system although the Ubuntu-based Helix 3 had been installed on it from a Linux Ubuntu machine (my laptop, dual booting Ubuntu and Windows XP), as displayed in the figure below.

Figure 8
/dev/sdb1 still uses FAT32 although the Ubuntu-based Helix 3 has been installed on it

With the same command as above, “dd if=/dev/sdb1 bs=512 count=1 | hexdump -C”, it was found that:
  1. The boot sector still starts with the hex bytes “eb 58 90” and ends with “55 aa”.
  2. The ASCII characters “MSDOS5.0” show that the flashdisk was formatted by Microsoft DOS version 5.0.
  3. The ASCII characters “FAT32” show that the flashdisk uses the FAT32 file system.
  4. There is information on the byte offset line “0x0190” which cannot be found in figure 2 (before installation).

Figure 9
The boot sector of the flashdisk after the Ubuntu-based Helix OS has been installed on it

From the figure above, the following details are obtained:
  1. The offset “0x00”, 3 bytes long, “eb 58 90” in hex, is the jump instruction that the computer executes to reach the boot code in the boot sector.
  2. The offset “0x03”, 8 bytes long, “4d 53 44 4f 53 35 2e 30” in hex (“MSDOS5.0” in ASCII), is the OEM (Original Equipment Manufacturer) name, here Microsoft DOS version 5.0.
  3. The offset “0x0b”, 2 bytes long, “00 02” in hex, is the number of bytes per sector, which is 512 bytes, the common value.
  4. The offset “0x0d”, 1 byte long, “08” in hex, is the number of sectors per cluster. It is 8 sectors per cluster.
  5. The offset “0x0e”, 2 bytes long, “26 00” in hex, is the reserved sector count, i.e. the number of sectors before the first FAT in the file system image. It is 38 reserved sectors.
  6. The offset “0x10”, 1 byte long, “02” in hex, is the number of file allocation tables. It is 2 FATs.
  7. The offset “0x11”, 2 bytes long, “00 00” in hex, is the maximum number of root directory entries, which is only used in FAT12 / FAT16. It is 0 for FAT32.
  8. The offset “0x13”, 2 bytes long, “00 00” in hex, is the total number of sectors. Because it is 0, the 4 bytes “e0 8f 1f 00” in hex at offset “0x20” are used instead. It is 14,716,703 sectors.
  9. The offset “0x15”, 1 byte long, “f8” in hex, is the media descriptor. It is classed as a hard disk, single sided.
  10. The offset “0x16”, 2 bytes long, “00 00” in hex, is the number of sectors per FAT for FAT12 / FAT16 only.
  11. The offset “0x18”, 2 bytes long, “3f 00” in hex, is the number of sectors per track. It is 63 sectors.
  12. The offset “0x1a”, 2 bytes long, “ff 00” in hex, is the number of heads. It is 255 heads.
  13. The offset “0x1c”, 4 bytes long, “20 00 00 00” in hex, is the number of hidden sectors. It is 32 sectors.
  14. The offset “0x24”, 4 bytes long, “e1 07 00 00” in hex, is the number of sectors per file allocation table. It is 57,607 sectors.
  15. The offset “0x2c”, 4 bytes long, “02 00 00 00” in hex, is the cluster number at which the root directory starts. It is cluster 2.
  16. The offset “0x30”, 2 bytes long, “01 00” in hex, is the sector number of the FS information sector. It is sector 1.
  17. The offset “0x32”, 2 bytes long, “06 00” in hex, is the sector number of a copy of this boot sector. It is sector 6.
  18. The offset “0x34”, 12 bytes long, is reserved.
  19. The offset “0x42”, 1 byte long, “29” in hex, is the extended boot signature.
  20. The offset “0x43”, 4 bytes long, “a8 a6 ed fc” in hex, is the volume ID (serial number).
  21. The offset “0x47”, 11 bytes long, is the volume label. It is “NO NAME” in ASCII.
  22. The offset “0x52”, 8 bytes long, is the FAT file system type. It is “FAT32” in ASCII.
  23. The offset “0x5a”, 420 bytes long, is used for operating system boot code.
  24. The offset “0x1fe”, 2 bytes long, “55 aa” in hex, is the boot sector signature.
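As an added example (not from the original write-up), a Python decoder for the FAT32 boot sector fields listed above, run against a constructed 512-byte sector that carries exactly the byte values from the figure; the field names and the derived geometry are my own. Note that the 2- and 4-byte BPB fields are stored little-endian, so “e0 8f 1f 00” decodes to 2,068,448 total sectors and “e1 07 00 00” to 2,017 sectors per FAT, which is consistent with a 1 GB device.

```python
import struct

# (name, offset, struct format) for the FAT32 BPB/EBPB fields walked through above; "<" = little-endian
FIELDS = [
    ("jump", 0x00, "3s"), ("oem_name", 0x03, "8s"), ("bytes_per_sector", 0x0b, "<H"),
    ("sectors_per_cluster", 0x0d, "B"), ("reserved_sectors", 0x0e, "<H"), ("num_fats", 0x10, "B"),
    ("root_entries", 0x11, "<H"), ("total_sectors_16", 0x13, "<H"), ("media", 0x15, "B"),
    ("sectors_per_fat_16", 0x16, "<H"), ("sectors_per_track", 0x18, "<H"), ("heads", 0x1a, "<H"),
    ("hidden_sectors", 0x1c, "<I"), ("total_sectors_32", 0x20, "<I"), ("sectors_per_fat_32", 0x24, "<I"),
    ("root_cluster", 0x2c, "<I"), ("fsinfo_sector", 0x30, "<H"), ("backup_boot_sector", 0x32, "<H"),
    ("ext_boot_sig", 0x42, "B"), ("volume_id", 0x43, "<I"), ("volume_label", 0x47, "11s"),
    ("fs_type", 0x52, "8s"), ("signature", 0x1fe, "2s"),
]

def parse_fat32_boot_sector(sector):
    """Decode the fields above from a 512-byte FAT32 boot sector and derive where the data area starts."""
    if len(sector) != 512 or sector[0x1fe:] != b"\x55\xaa":
        raise ValueError("not a boot sector: wrong length or missing 55 aa signature")
    bs = {}
    for name, off, fmt in FIELDS:
        val = struct.unpack_from(fmt, sector, off)[0]
        bs[name] = val.decode("ascii").rstrip() if fmt in ("8s", "11s") else val   # text fields are space-padded
    # FAT32 keeps the 16-bit counts at 0x13 / 0x16 at zero and uses the 32-bit fields instead
    bs["total_sectors"] = bs["total_sectors_16"] or bs["total_sectors_32"]
    bs["sectors_per_fat"] = bs["sectors_per_fat_16"] or bs["sectors_per_fat_32"]
    # The data area follows the reserved sectors and every FAT copy; cluster 2 is its first cluster
    bs["first_data_sector"] = bs["reserved_sectors"] + bs["num_fats"] * bs["sectors_per_fat"]
    bs["root_dir_sector"] = bs["first_data_sector"] + (bs["root_cluster"] - 2) * bs["sectors_per_cluster"]
    bs["volume_bytes"] = bs["total_sectors"] * bs["bytes_per_sector"]
    return bs

def build_sample_sector():
    """Constructed boot sector with exactly the byte values listed in the experiment above;
    the boot code area (0x5a..0x1fd) and fields the page does not list are left zero."""
    s = bytearray(512)
    s[0x00:0x03] = b"\xeb\x58\x90"
    s[0x03:0x0b] = b"MSDOS5.0"
    # 0x0b..0x23: bytes/sector, sectors/cluster, reserved, FATs, root entries, total16, media,
    #             sectors/FAT16, sectors/track, heads, hidden sectors, total32
    struct.pack_into("<HBHBHHBHHHII", s, 0x0b, 512, 8, 38, 2, 0, 0, 0xf8, 0, 63, 255, 32, 0x001f8fe0)
    # 0x24..0x33: sectors/FAT32, ext flags, version, root cluster, FSInfo sector, backup boot sector
    struct.pack_into("<IHHIHH", s, 0x24, 0x07e1, 0, 0, 2, 1, 6)
    struct.pack_into("<BI", s, 0x42, 0x29, 0xfceda6a8)      # ext boot signature, volume ID "a8 a6 ed fc"
    s[0x47:0x52] = b"NO NAME    "
    s[0x52:0x5a] = b"FAT32   "
    s[0x1fe:0x200] = b"\x55\xaa"
    return bytes(s)
```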

The similarity between figure 2 (the boot sector of the flashdisk before installation of the Ubuntu-based Helix 3) and figure 9 (after installation) lies in the offsets from “0x00” to “0x59”. The first 36 bytes are used by all versions of FAT, and they are followed by 54 bytes which are used specifically by FAT32 and differ from FAT12 / FAT16.

The difference between the two figures lies in the offsets from “0x5a” to “0x1fd”, which are used for operating system boot code.

In figure 2 above:
  1. The offsets from “0x170” to “0x17a”, containing NTLDR, show that the boot sector uses a FAT file system created under Windows 2000 or Windows XP.
  2. There are data bytes “ac cb d8” in hex at offsets “0x1f9 0x1fa 0x1fb”. The byte “ac” refers to offset “0x1ac”, which holds the error message “Remove disks or other media”; “cb” points to offset “0x1cb” for the error message “Disk error”; and “d8” points to offset “0x1d8” for the error message “Press any key to restart”.

Conclusion :

  1. The similarity between the MBR of the experiment flashdisk before installation of the Ubuntu-based Helix 3 and the MBR after installation lies in the offsets from “0x00” to “0x59”, which are used for the FAT descriptions. Their difference lies in the offsets from “0x5a” to “0x1fd”, which are used for operating system boot code.
  2. The data bytes “ac cb d8” in hex at offsets “0x1f9 0x1fa 0x1fb” in the experiment flashdisk before the installation of the Ubuntu-based Helix 3 refer to the error messages “Remove disks or other media”, “Disk error” and “Press any key to restart”.
  3. The experiment flashdisk uses the FAT32 file system, which is described in the first 512 bytes (also known as the 'boot sector') of the flashdisk containing the Master Boot Record (MBR), with the layout as follows:
  • The first 36 bytes, from offset “0x00” to “0x23”, are used for the FAT descriptor that applies to all versions of FAT. In my terminology, I call this the General Characteristics of FAT.
  • The 54 bytes from offset “0x24” to “0x59”, following the first 36 bytes, are used specifically by FAT32 or by FAT12 / FAT16 for the parameter block, which differs between them. In my terminology, I call this the Class Characteristics of FAT.
  • The 420 bytes from offset “0x5a” to “0x1fd” are used for operating system boot code.
  • The last 2 bytes, at offsets “0x1fe” and “0x1ff”, are known as the 'boot sector signature', which is “55 aa” in hex.


Tuesday, 8 September 2009

Experiment 7 on Ms Windows Live Flashdisk

Before these experiments, I wanted to have a flashdisk that can run live to boot a machine. The flashdisk contains Ms Windows system files. Below are the contents of the email I sent to my colleagues at Strathclyde on 11 December 2008.
I just wanna share again my successful experiment last night. It is about how to make a Ms Windows OS live flash disk, so that we can boot a computer from a flash disk containing a live Ms Windows OS.

The tools we need are BartPE and PeToUSB, running under Ms Windows OS. The first thing to do is to run BartPE, then enter the path to the source of the MS Windows OS files, for instance the CD-ROM drive. There are two choices for 'Media Output', namely 'Create ISO Image' or 'Burn CD/DVD', so we can select what we wanna do. For my experiment, because the CD-ROM drive was occupied by the original Ms Windows OS CD, I selected 'Create ISO Image'; after all that, just click 'Build'.

After the 'Building' process finishes, I run a CD burning application to burn the ISO image file onto a CD. With the BartPE CD still in the CD-ROM drive, run PeToUSB, then enter the source path of the BartPE files (in this case the CD-ROM drive) and check the box under 'File Copy Options' to enable it; after that just click 'Start'. After this process completes, we have a bootable flash disk which can run Ms Windows OS live.

Actually I have tried Unetbootin and USB Startup Creator from Ubuntu 8.10. Even though the process of planting the bootable BartPE system finishes successfully, the flashdisk does not work. However, Unetbootin and USB Startup Creator can still be used to make a flash disk bootable running Ubuntu, Kubuntu, Helix and so on.

I hope this could be useful in a positive meaning.