Monday, March 26, 2012

Prologue of Computer Forensics

Identification of device evidence

To identify a device we first need to know about it from a global view: its brand, type and function. After that, we identify the device from a software view, that is, its internal layout.

In the identification phase, when we first encounter the device, we can use a few tools; in this case I recommend md5sum, a tool that generates a file fingerprint by hashing. With it we can validate the integrity of a file, and this step is part of the chain of custody.

After generating the hash of the file we can image or clone it with dd, which copies byte for byte. Before using dd we need to mount the device with special treatment: noatime so that access times are not updated, noexec to restrict execution, and ro for read-only mode.

When the clone with dd is finished, check the dd output file again with md5sum; the result must be the same hash, which verifies that the clone and the master are identical files. Once we have the clone we can seal the master device to keep the evidence safe; this step is also part of the chain of custody.
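The identify, hash, image and re-hash steps above, as an added Python example that is not part of the original post: it hashes a constructed stand-in for practical.floppy.dd, copies it block by block the way dd does, hashes the copy, re-hashes the master, and records the result; it then flips one byte of the copy to show that the verification catches it. The read-only mount (mount -o ro,noatime,noexec) needs root and a real device, so the example assumes the source is already accessible read-only and does not perform that step.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 512  # sector-sized reads, like dd bs=512


def hash_file(path, algo="md5"):
    """Fingerprint a file block by block; gives the same digest md5sum prints."""
    digest = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def image_device(src, dst):
    """Byte-for-byte copy in fixed blocks, like dd if=src of=dst bs=512.
    The source is only ever opened read-only. Returns the number of bytes copied."""
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(BLOCK_SIZE), b""):
            fout.write(block)
            copied += len(block)
    return copied


def acquire(src, dst):
    """Chain-of-custody record: hash master, image it, hash image, re-hash master.
    'verified' is True only when all three digests agree."""
    before = hash_file(src)
    size = image_device(src, dst)
    after = hash_file(dst)
    master_again = hash_file(src)  # proves the acquisition did not alter the master
    return {
        "master": os.path.basename(src),
        "image": os.path.basename(dst),
        "bytes": size,
        "master_hash": before,
        "image_hash": after,
        "verified": before == after == master_again,
    }


def demo():
    """Run the workflow on a constructed stand-in for the floppy image."""
    work = tempfile.mkdtemp()
    # File name taken from the post; the content is constructed (four zero-padded sectors).
    master = os.path.join(work, "practical.floppy.dd")
    clone = os.path.join(work, "practical.floppy.clone.dd")
    with open(master, "wb") as f:
        f.write(b"constructed evidence sector\n".ljust(BLOCK_SIZE, b"\0") * 4)
    record = acquire(master, clone)
    # Tamper with one byte of the clone: the hash comparison must now fail.
    with open(clone, "r+b") as f:
        f.seek(100)
        f.write(b"X")
    record["tamper_detected"] = hash_file(clone) != record["master_hash"]
    return record


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Re-hashing the master after the copy is the part people skip; it is what lets you state in the custody log that the acquisition itself was non-destructive.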

Now we can move on to the evidence analysis stage.

Now I'll try to practise this phase.

File is :
practical.floppy.dd





After cloning the evidence and making sure the hashes are the same, the evidence is identical with the source (master).


Show the details of the file to learn its owner and other file details.


To be continued...

Sunday, March 18, 2012

About Space and File Structure

Slack Space

Slack space is an area of storage or disk that is empty but still contains data. When a file is deleted, only the pointer to it is removed; if you look at the disk byte by byte you can still see the deleted data.

That means slack space is a zone of data deleted by the user or the system that can be recovered later, as long as the data is still present in the slack space. In other words, slack space is where data lingers after it has been removed from the storage system by the user or the system.

Slack space is the unused remainder of a cluster; several file systems use the cluster as the smallest unit of file allocation.

Unallocated Space

Unallocated space consists of the clusters of a media partition not in use for storing any active files. They may contain pieces of files that were deleted from the file partition but not removed from the physical disk. I take this to be the empty space in disk storage that belongs to the partition system's data area.


As the picture above shows, unallocated space is the unpartitioned part of the disk storage: that area is unused by the file system and the operating system cannot write any data into it. It is space on a hard drive that potentially contains intact files, remnants of files, subdirectories or temporary files which were created and then deleted by either a computer application, the operating system or the operator.

Magic Number

A magic number is a constant numerical or text value used to identify a file format or protocol. Magic numbers are common in programs across many operating systems. Magic numbers implement strongly typed data and are a form of in-band signaling to the controlling program that reads the data type(s) at program run-time. Many files have such constants that identify the contained data. Detecting such constants in files is a simple and effective way of distinguishing between many file formats and can yield further run-time information.
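As an added example (not part of the original post) of how a magic number check works in practice: a Python sniffer that identifies a handful of formats from their published signatures, treats the RIFF family specially (the form type at offset 8 tells AVI from WAV), and compares the detected type against the extension a filename claims. The sample headers are constructed byte strings, not real files; the one that carries script text under an image name shows why an upload filter should trust the magic number rather than the extension.

```python
# Signatures at offset 0 and the type they imply. All are published, well-known values.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "exe"),
]

# RIFF containers share one magic; the FOURCC at offset 8 says which form it is.
RIFF_FORMS = {b"AVI ": "avi", b"WAVE": "wav", b"WEBP": "webp"}

# The content type each claimed extension must actually carry.
EXPECTED_BY_EXT = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif",
                   "pdf": "pdf", "avi": "avi", "wav": "wav", "zip": "zip", "exe": "exe"}


def identify(data: bytes) -> str:
    """Return the type implied by the magic number, or 'unknown'."""
    if data[:4] == b"RIFF" and len(data) >= 12:
        return RIFF_FORMS.get(data[8:12], "riff")
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def extension_matches(filename: str, data: bytes) -> bool:
    """True only when the claimed extension agrees with the magic number.
    An extension the table does not know counts as a mismatch."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXPECTED_BY_EXT.get(ext)
    return expected is not None and identify(data) == expected


# Constructed sample headers (not real files): just enough bytes for the check.
SAMPLES = {
    "photo.jpg":   b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "clip.avi":    b"RIFF\x00\x00\x00\x00AVI LIST",
    "notes.txt":   b"just some text",
    "script.jpeg": b"<?php echo 'constructed'; ?>",   # script text under an image name
}


def audit(samples=SAMPLES) -> dict:
    """Map each filename to (detected type, does the extension agree?)."""
    return {name: (identify(data), extension_matches(name, data))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, (kind, ok) in audit().items():
        print(f"{name:12s} -> {kind:8s} {'ok' if ok else 'MISMATCH'}")
```

A forensic triage of a disk image applies the same idea in reverse: walk the files, and flag every one whose magic number disagrees with its extension.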

Example of Structure File

Txt File Format and File Structure

The text file structure consists of a stream of 8-bit ASCII characters. Every record in a text file is terminated by a newline character (\n, ASCII 012 octal, 10 decimal). Some utilities may omit the newline character on the last record, but the Fortran library will treat such an occurrence as a malformed record. This file structure can be specified for a file that is declared as formatted sequential access or formatted direct access. It is the default file structure for formatted sequential access files. On UNICOS and UNICOS/mk systems, it is also the default file structure for formatted direct access files.


AVI File Structure

The AVI file format is based on the RIFF (resource interchange file format) document format. A RIFF file consists of a RIFF header followed by zero or more lists and chunks.
  • The RIFF header has the following form:
    'RIFF' fileSize fileType (data)
    where 'RIFF' is the literal FOURCC code 'RIFF', fileSize is a 4-byte value giving the size of the data in the file, and fileType is a FOURCC that identifies the specific file type. The value of fileSize includes the size of the fileType FOURCC plus the size of the data that follows, but does not include the size of the 'RIFF' FOURCC or the size of fileSize. The file data consists of chunks and lists, in any order.
  • A chunk has the following form:
    ckID ckSize ckData
    where ckID is a FOURCC that identifies the data contained in the chunk, ckSize is a 4-byte value giving the size of the data in ckData, and ckData is zero or more bytes of data. The data is always padded to nearest WORD boundary. ckSize gives the size of the valid data in the chunk; it does not include the padding, the size of ckID, or the size of ckSize.
  • A list has the following form:
    'LIST' listSize listType listData
    where 'LIST' is the literal FOURCC code 'LIST', listSize is a 4-byte value giving the size of the list, listType is a FOURCC code, and listData consists of chunks or lists, in any order. The value of listSize includes the size of listType plus the size of listData; it does not include the 'LIST' FOURCC or the size of listSize.
The remainder of this section uses the following notation to describe RIFF chunks:

ckID ( ckData )

where the chunk size is implicit. Using this notation, a list can be represented as:

'LIST' ( listType ( listData ) )

Optional elements are placed in brackets: [ optional element ]

AVI Form
AVI files are identified by the FOURCC 'AVI ' in the RIFF header. All AVI files include two mandatory LIST chunks, which define the format of the streams and the stream data, respectively. An AVI file might also include an index chunk, which gives the location of the data chunks within the file. An AVI file with these components has the following form:
The 'hdrl' list defines the format of the data and is the first required LIST chunk. The 'movi' list contains the data for the AVI sequence and is the second required LIST chunk. The 'idx1' list contains the index. AVI files must keep these three components in the proper sequence.
Note: The OpenDML extensions define another type of index, identified by the FOURCC 'indx'.
The 'hdrl' and 'movi' lists use subchunks for their data. The following example shows the AVI RIFF form expanded with the chunks needed to complete these lists:
Main Header

The 'hdrl' list begins with the main AVI header, which is contained in an 'avih' chunk. The main header contains global information for the entire AVI file, such as the number of streams within the file and the width and height of the AVI sequence. The main header chunk consists of an AVI Main Header structure.

Stream Header

One or more 'strl' lists follow the main header. A 'strl' list is required for each data stream. Each 'strl' list contains information about one stream in the file, and must contain a stream header chunk ('strh') and a stream format chunk ('strf'). In addition, a 'strl' list might contain a stream-header data chunk ('strd') and a stream name chunk ('strn').
The stream header chunk ('strh') consists of an AVISTREAMHEADER structure.
A stream format chunk ('strf') must follow the stream header chunk. The stream format chunk describes the format of the data in the stream. The data contained in this chunk depends on the stream type. For video streams, the information is a BITMAPINFO structure, including palette information if appropriate. For audio streams, the information is a WAVEFORMATEX structure.
If the stream-header data ('strd') chunk is present, it follows the stream format chunk. The format and content of this chunk are defined by the codec driver. Typically, drivers use this information for configuration. Applications that read and write AVI files do not need to interpret this information; they simply transfer it to and from the driver as a memory block.
The optional 'strn' chunk contains a null-terminated text string describing the stream.
The stream headers in the 'hdrl' list are associated with the stream data in the 'movi' list according to the order of the 'strl' chunks. The first 'strl' chunk applies to stream 0, the second applies to stream 1, and so forth.

Stream Data

Following the header information is a 'movi' list that contains the actual data in the streams—that is, the video frames and audio samples. The data chunks can reside directly in the 'movi' list, or they might be grouped within 'rec ' lists. The 'rec ' grouping implies that the grouped chunks should be read from disk all at once, and is intended for files that are interleaved to play from CD-ROM.
The FOURCC that identifies each data chunk consists of a two-digit stream number followed by a two-character code that defines the type of information in the chunk.

Index Entries

AVI 1.0 index
An optional index ('idx1') chunk can follow the 'movi' list. The index contains a list of the data chunks and their location in the file. It consists of an AVIOLDINDEX structure with entries for each data chunk, including 'rec ' chunks. If the file contains an index, set the AVIF_HASINDEX flag in the dwFlags member of the AVIMAINHEADER structure.
AVI 2.0 index
An AVI 2.0 index can appear as a single chunk. Alternatively, index segments can be interleaved within the 'movi' chunk. If the index segments are placed in the 'movi' chunk, a super index contains an index of the index segments. The AVIMETAINDEX structure is the base structure for both the index segments and the super index. For more information, see the OpenDML AVI File Format Extensions, published by the OpenDML AVI M-JPEG File Format Subcommittee. (This resource may not be available in some languages and countries.)
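The chunk and list layout described above, as an added Python example that is not part of the original post or of the AVI documentation it quotes: a small encoder and parser for RIFF chunks, with the ordering rules from the text (RIFF 'AVI ', then 'hdrl', then 'movi', optional 'idx1' last) applied to a constructed minimal AVI. The header structures ('avih', 'strh', 'strf') are zero-filled placeholders at their real sizes; only the container layout, the WORD padding and the size accounting are exercised.

```python
import struct


def chunk(ck_id: bytes, data: bytes) -> bytes:
    """ckID ckSize ckData, padded to a WORD boundary; ckSize excludes the pad."""
    assert len(ck_id) == 4, "FOURCC must be four bytes"
    pad = b"\x00" if len(data) & 1 else b""
    return ck_id + struct.pack("<I", len(data)) + data + pad


def riff_list(list_type: bytes, *children: bytes) -> bytes:
    """'LIST' listSize listType listData; listSize covers listType plus listData."""
    return chunk(b"LIST", list_type + b"".join(children))


def riff_form(file_type: bytes, *children: bytes) -> bytes:
    """'RIFF' fileSize fileType (data); fileSize covers fileType plus the data."""
    return chunk(b"RIFF", file_type + b"".join(children))


def parse(buf: bytes, start: int = 0, end=None) -> list:
    """Tree of (fourcc, form_type_or_size, children) for the chunks in buf[start:end].
    Raises ValueError when a declared size runs past its container (truncation)."""
    if end is None:
        end = len(buf)
    nodes, pos = [], start
    while pos + 8 <= end:
        ck_id = buf[pos:pos + 4].decode("latin-1")
        size = struct.unpack_from("<I", buf, pos + 4)[0]
        data_start, data_end = pos + 8, pos + 8 + size
        if data_end > end:
            raise ValueError(f"chunk {ck_id!r} at offset {pos} runs past its container")
        if ck_id in ("RIFF", "LIST"):
            form_type = buf[data_start:data_start + 4].decode("latin-1")
            nodes.append((ck_id, form_type, parse(buf, data_start + 4, data_end)))
        else:
            nodes.append((ck_id, size, None))
        pos = data_end + (size & 1)   # ckSize excludes the pad byte, so skip it here
    return nodes


def is_well_formed(buf: bytes) -> bool:
    try:
        parse(buf)
        return True
    except (ValueError, struct.error):
        return False


def stream_of(ck_id: str):
    """'00dc' -> (0, 'dc'): two-digit stream number plus two-character type code."""
    return int(ck_id[:2]), ck_id[2:]


def check_avi(tree: list) -> list:
    """Apply the structural rules from the text; return a list of problems (empty = ok)."""
    if len(tree) != 1 or tree[0][0] != "RIFF" or tree[0][1] != "AVI ":
        return ["not a RIFF 'AVI ' form"]
    order = [n[1] if n[0] == "LIST" else n[0] for n in tree[0][2]]
    problems = []
    for required in ("hdrl", "movi"):
        if required not in order:
            problems.append(f"missing mandatory LIST {required!r}")
    if "hdrl" in order and "movi" in order and order.index("hdrl") > order.index("movi"):
        problems.append("'hdrl' must precede 'movi'")
    if "idx1" in order and "movi" in order and order.index("idx1") < order.index("movi"):
        problems.append("'idx1' must follow 'movi'")
    return problems


# Constructed minimal AVI: zero-filled headers at their real sizes, one 3-byte video
# chunk (odd size, so it gets a pad byte) and one 4-byte audio chunk.
SAMPLE_AVI = riff_form(
    b"AVI ",
    riff_list(b"hdrl",
              chunk(b"avih", bytes(56)),
              riff_list(b"strl", chunk(b"strh", bytes(56)), chunk(b"strf", bytes(40)))),
    riff_list(b"movi", chunk(b"00dc", b"\x01\x02\x03"), chunk(b"01wb", bytes(4))),
    chunk(b"idx1", bytes(16)),
)

if __name__ == "__main__":
    print(parse(SAMPLE_AVI))
    print("problems:", check_avi(parse(SAMPLE_AVI)))
```

The overrun check in parse is the one that matters for forensic carving: a chunk whose declared size points past the end of its container is either a truncated file or a header that was never meant to be parsed by a real player.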

Thursday, March 15, 2012

MBR and Filesystem Structure

MBR

The MBR (Master Boot Record) is the boot sector table of a storage device: the place where the boot loader of the operating system is recorded when the computer is installed onto the hard disk.


The MBR is the disk's identity domain and the first place run on the hard disk, because it sits at Cylinder 0, Head 0, Sector 1; it is the place from which all the hardware in the computer is checked.


The Master Boot Record contains the Partition Table for the disk and a small amount of executable code. On x86-based computers, the executable code examines the Partition Table and identifies the system partition. The Master Boot Record then finds the system partition's starting location on the disk and loads a copy of its Partition Boot Sector into memory. The Master Boot Record then transfers execution to the executable code in the Partition Boot Sector.

The MBR therefore has three parts:

  • The master boot routine that is run when the computer is started
  • The partition table that contains the information about the partitions
  • The MBR identification code that identifies the MBR as a master boot record
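The three parts of the MBR listed above, as an added Python example that is not from the original post: it packs a constructed 512-byte sector with two partition entries and the 0x55AA identification code, parses the partition table back out, and reports which sectors belong to no partition (the unallocated space of the earlier post). The partition type ids used (0x0B FAT32, 0x83 Linux) are the standard values; the bytes standing in for boot code are a constructed placeholder.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446                 # the partition table follows the boot code
ENTRY = "<B3sB3sII"                # status, CHS start, type, CHS end, LBA start, sector count
ENTRY_SIZE = struct.calcsize(ENTRY)  # 16 bytes, four entries
SIGNATURE = b"\x55\xaa"            # MBR identification code at bytes 510-511

# A few well-known partition type ids (enough for the constructed sample below).
TYPE_NAMES = {0x06: "FAT16", 0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x83: "Linux"}


def build_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Pack one 16-byte entry; CHS fields are zeroed, only the LBA fields are used."""
    return struct.pack(ENTRY, 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0",
                       lba_start, sectors)


def build_mbr(entries, boot_code: bytes = b"") -> bytes:
    """Assemble boot code + up to four entries + 0x55AA into one 512-byte sector."""
    if len(entries) > 4:
        raise ValueError("an MBR holds at most four primary entries")
    code = boot_code[:TABLE_OFFSET].ljust(TABLE_OFFSET, b"\0")
    table = b"".join(entries).ljust(4 * ENTRY_SIZE, b"\0")
    return code + table + SIGNATURE


def is_valid_mbr(sector: bytes) -> bool:
    return len(sector) == SECTOR and sector[510:512] == SIGNATURE


def has_boot_code(sector: bytes) -> bool:
    """True if the executable-code region is not all zeros."""
    return any(sector[:TABLE_OFFSET])


def parse_partitions(sector: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    if not is_valid_mbr(sector):
        raise ValueError("not a 512-byte sector ending in 0x55AA")
    parts = []
    for slot in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(
            ENTRY, sector, TABLE_OFFSET + slot * ENTRY_SIZE)
        if ptype == 0:
            continue   # empty slot
        parts.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                      "type_name": TYPE_NAMES.get(ptype, "unknown"),
                      "lba_start": start, "sectors": count,
                      "size_mib": count * SECTOR // (1024 * 1024)})
    return parts


def unallocated_ranges(parts: list, total_sectors: int) -> list:
    """Sector ranges [start, end) covered by no partition: the places where remnants
    of deleted data can survive outside any file system."""
    gaps, cursor = [], 0
    for p in sorted(parts, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"]))
        cursor = max(cursor, p["lba_start"] + p["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


# Constructed sample: a 200 MiB disk (409600 sectors) with a FAT32 and a Linux partition.
TOTAL_SECTORS = 409600
SAMPLE_MBR = build_mbr([
    build_entry(True, 0x0B, 2048, 204800),
    build_entry(False, 0x83, 206848, 100000),
], boot_code=b"\xeb\xfe")   # constructed placeholder bytes, not a real boot routine

if __name__ == "__main__":
    for p in parse_partitions(SAMPLE_MBR):
        print(p)
    print("unallocated:", unallocated_ranges(parse_partitions(SAMPLE_MBR), TOTAL_SECTORS))
```

On a real acquisition you would feed the first 512 bytes of the dd image to parse_partitions and compare the result with what the operating system reports; gaps that the partition table does not account for are the first place to carve.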

File System

File systems organize and manage hard disk space. They enable you to create folders and files and to find them again. They are also used to grant or to block access to files. Windows file systems do not operate directly with sectors. They work with clusters. A cluster groups multiple sectors into a single data storage unit for ease of management. Clusters also specify how much hard disk space is allocated to each file. Each file requires a whole cluster, even if it does not use all the available space. 


FAT 16

FAT16 is one of several file system formats for storage. On a hard disk, a FAT16 partition has a specified cluster size for each partition size, as in this table.

Weaknesses of FAT16

Lack of storage space: no additional programs or files, especially for those who use the system with Windows 95 and have more than 512 MB of hard disk.

Inefficient: the large cluster size leads to waste. It is not efficient in arranging files and requires the user to defragment often so that previously used clusters become completely free again.

The maximum disk size that a single FAT16 hard disk can support is 2 GB.

Those weaknesses were revised by the FAT32 file system.
  
FAT 32

FAT32 is a development of FAT16; several file systems have the structure in media storage or disk shown in this table.


FAT32 is a file system for Windows. It is a development of the File Allocation Table (FAT) file system that Microsoft created to support large drives in a single volume. The File Allocation Table made things easier on the user by allowing them to see only a single drive letter instead of many different letters. Disk space is also used more efficiently with this system.

FAT32 increases the number of bits which can be used to address hardware sectors. Hardware sectors are often referred to as clusters. Clusters are identified with a larger number of bits with each development of the FAT file system.



Advantages of FAT32

It uses 32 bits to represent a cluster.

FAT32 provides larger drive sizes: up to 2 terabytes, compared with only 2 GB for FAT16.

FAT32 uses space more efficiently. It uses smaller cluster sizes (a 4 KB cluster size for drives up to 8 GB), which is 10 to 15 percent more efficient than FAT or FAT16. The minimum size for a FAT32 partition is about 260 MB.


Weaknesses of FAT32

Microsoft supports the FAT32 file system's functions for reading and storing files independently in both real mode and protected mode; these Microsoft support facilities, covering real and protected mode, are included in Windows 95.

Although the FAT32 file system supports disk sizes up to 2 terabytes (TB), some hard disks may not be able to hold a bootable partition larger than 7.8 gigabytes (GB) due to limitations of the system BIOS INT 13 interface.

 


NTFS

The weakness of FAT is its inability to control access to files or folders on the hard drive, which allows outsiders to change data in a networked system.

NTFS is a type of file system designed for 2 to the 64th power of clusters. Such file systems allow significantly larger partitions and make better use of data storage.

This type has a different structure from FAT; here is an explanation of the differences.
The unnamed stream is a mandatory element and is always present. If you are creating an alternate stream and the file does not exist, the system will automatically create a zero-length unnamed stream. If you are deleting the unnamed stream, the system considers it a request to delete the whole file, and all the alternate streams will also be deleted.

The security descriptor and the file attributes belong to the file as a whole, not to the unnamed stream. For instance, no stream can be opened for writing if the read only attribute is set.



NTFS currently has 16 metafiles, which I'll describe later on. Finally, each File Record is composed mainly of Attributes. Attributes are clearly defined (more on them later), and each one of them is a structure that describes the object in the File Record.

EXT2

Ext2 was first developed and integrated in the Linux kernel, and is now also being developed for use on other operating systems.

The goal is to create a powerful file system that implements UNIX file semantics and has advanced service features.




Capability

1. The Ext2 file system supports the file types of the UNIX standard, such as regular files, directories, device special files and symbolic links.
2. Ext2 is able to manage file systems created on large partitions.
3. The Ext2 file system supports long file names, up to a maximum of 255 characters.
4. Ext2 reserves several blocks for the super user (root).

EXT3

EXT3 is a journalled filesystem.

A journalled filesystem is designed to help protect the data in it.

With a journalled filesystem we no longer need to check the consistency of the data, which would take very long for my disk.

EXT3 is a filesystem developed for use on the Linux operating system.

EXT3 is the result of improving EXT2; it makes EXT2 better by adding a variety of advantages.



Structure 


bootstrap
code to be loaded into memory and executed when the computer is powered on. MVS volumes reserve the entire first track of the first cylinder for the bootstrap.


volume descriptor
information describing the size, type, and layout of the file system and in particular how to find the other key meta-data descriptors

file descriptors
information that describes a file (ownership, protection, time of last update, etc.) and points where the actual data is stored on the disk.

free space descriptors
lists of blocks of (currently) unused space that can be allocated to files.

file name descriptors
data structures that associate user-chosen names with each file.

Advantages
   
Availability:

EXT3 does not require the file system checking process, even when the system has experienced an unclean shutdown, except in some very rare hardware errors.

This is because the data is written to disk in a way that keeps the file system always consistent.

The time required to recover an ext3 file system after an unclean shutdown is independent of the size of the file system or the number of files; it depends on the size of the "journal" used to maintain consistency. The default journal size takes about 1 second to recover (depending on hardware speed).


Data integrity

By using the ext3 file system we get a stronger assurance of data integrity in the case of an unclean shutdown.

We can choose the type and level of data protection we receive. We can choose to keep the file system consistent but still allow damage to data in the file system in the case of an unclean shutdown; this can give an increase in speed in some circumstances.


Tuesday, March 6, 2012

Web Hacking Medium Level

In this exercise I will exploit a website via SQL injection to create a backdoor and get privileged access. First I open DVWA SQL Injection, use Mantra and look with Tamper Data at the cookie data from a trial input.
Then I use this data to look at the database of the vulnerable web application with the sqlmap tool built into BackTrack.
I found the database and tried to find the password hashes with this syntax:


Then I try the sql-shell mode with this syntax:

Here I cannot show the SQL database; maybe that is because the level is medium. I'll try another way to gain privileged access to the system, with the upload mode.

First I change to the "high" level mode in DVWA, because for the upload method that is the rule.
Then I choose the Upload mode.
I make a new upload page with a PHP backdoor, as shown here:

I try to upload that PHP file to the image upload page, but it fails, as shown here:
I try to change the extension from php to jpeg to bypass the image file check on this page.
I try to upload the file again with the new jpeg extension as an image extension.
This trick succeeds, and I try to go to the new page at the path /hackable/uploads/php-backdoor.jpeg.
That fails to open the new page because the file is really PHP but is being opened as jpeg; that is the reason it fails, so I try changing jpeg to php in the URL.
The new upload page has been created; this page is the channel to upload an exploit for taking over system privileges. I try to find an exploit in exploit-db for the Linux 2.6.39 kernel.
I copy that exploit to the Desktop and modify it, because it is not ready to use as-is due to the comments in the exploit. After the changes I compile the exploit with gcc under the name "exploit"; here the exploit is on the Desktop.
I try to upload the exploit to the "/temp" directory, because "tmp" has full access and is executable, so I try to upload the exploit there.
Upload error: that was the result after I tried to upload the exploit. I wondered about that and think it is because the security level is high.


I try to go back to a previous stage: I already know the MySQL user and password are root and root, and use the address 192.168.56.1/phpmyadmin.


To be continued
 
IS2C © 2012 Blog's Student | is2c