
Convert Virtual Machine to Raw Images for Forensics (Qemu-Img)

This is a very handy little application developed by the QEMU team. It is very useful when dealing with virtualization, and qemu-img is available for both Windows and Linux. Its function is to convert a given virtual disk file into most of the popular virtual disk formats used across platforms. Let’s say you are using VirtualBox on Windows and want to migrate the virtual disk to Parallels on a Mac; you can use this simple program to achieve this with minimum effort.
Our purpose in writing about this today is slightly different from qemu-img’s mainstream usage: we want to focus on how this application can convert a virtual disk image, whole or split, into a .raw file that can be used with most of the popular forensic frameworks that are available.
Let’s start with qemu-img on our Linux machine.
At the terminal prompt type “qemu-img -h”

This will show you all the options that can be used with qemu-img.


Right at the end of the information presented by the command above, we can see all the formats supported by this application.
Here is a list of all the formats that are compatible with qemu-img:

Now let’s see how this application comes in handy for use in forensics.
In a situation where a virtual disk is part of the acquisition and further dedicated analysis is required, the virtual disk can be converted into .raw format.
Let’s begin.
Since our goal is to analyze the virtual disk, we are using the image file of a Windows 7 installation on VMware. The file in question is in .vmdk format.
Just a heads up: when you convert a virtual disk file to a .raw file, the converted file can be quite large, so make sure you have enough space.
Here is our .vmdk file
For ease of use, we have placed the .vmdk file in a folder named Qemu on the desktop. The terminal is opened from within that folder.
At the terminal prompt type “qemu-img convert -f vmdk -O raw Windows\ 7.vmdk win7.raw”
A breakdown of the command we just gave:
qemu-img convert invokes the convert function of qemu-img.
-f is the format of the input file, which in this case is vmdk.
-O is the format of the output file that we want, a .raw file.
Windows\ 7.vmdk is the name of the input file in our folder (the backslash escapes the space in the file name).
win7.raw is the name we have given the output file, with its file extension.



Give it a few minutes and check the folder; you will find the converted file.
As you can see, the size of the .raw file is 10.7 GB and the size of the .vmdk file was 6.0 GB, that’s quite a jump in size!

We can now use Foremost to carve the .raw file to see what’s inside.
At the terminal type “foremost -t jpeg,png -i win7.raw -o output”


With this command we are carving the .raw file for .jpeg and .png files, which will be collected in a folder named output. If you have any doubts about foremost you can refer to this article.
As you can see, our .raw file has been successfully carved; the results are visible below.
We have successfully carved a .raw file made from a virtual disk. Now let’s mount the .raw file to view its contents. We will be using a Windows machine for this operation.

Now we will mount this .raw file using FTK Imager to see its contents. The image mounting option can be found under the File menu. Navigate to the .raw file from within the mounting menu.
Select Mount, leave the other options as they are and the file will appear on the Mapped Image List.
Next we navigate to My Computer and we can see that the .raw file has been mounted as a partition.
The Windows file system can be seen within and explored for content.


Qemu-img is a very simple application with great potential. It can be a very valuable tool in your forensic toolkit due to its large list of compatible formats. It makes sure that the format of the acquired image does not keep you from using your forensic tool of choice to run your investigation or carve out data.
We hope you enjoy using this tool.

Have fun and stay ethical.

About The Author
Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here

Mobile Forensics Investigation using Cellebrite UFED

The manifold increase in mobile penetration amongst the world population has drawn people from all walks of life, namely mobile manufacturers, service providers, application developers and more, to this industry. The quantum jump in the user base and its usage of mobiles has even caught the eye of forensic experts.



In this article we will conduct a mobile investigation of a OnePlus model using the Cellebrite UFED software.
As a preliminary step, some adjustments need to be made on the mobile under examination. The investigator attaches the mobile to his/her laptop through the phone cable. The investigator needs to open the ‘About Phone’ section under Settings and scroll down through the various options until reaching the ‘Build Option’; tapping the ‘Build Option’ seven (7) times opens a new section, the ‘Developer Option’. Before starting the Cellebrite software, the investigator must check that the ‘Stay Awake’ and Debugging (USB debugging) settings are ON.


After completing the preceding steps, the investigator inserts the licensed Cellebrite USB key in the laptop, which displays five choices, namely Mobile device, SIM Card, USB device or Memory Card, UFED Camera and Device Tool.
We chose a OnePlus mobile to demonstrate the Cellebrite software. After configuring the software on the laptop, it displayed seven OnePlus models from which to select ours.


Since our mobile is a OnePlus 3 A3003, we selected it for the forensic investigation. In order to gather information, the Cellebrite software provided us with five ‘Extraction’ choices: Logical Extraction, File System Extraction, Physical Extraction (Root), Capture Images and Capture Screen Shots, all of which are easy to understand and use.
It is recommended that the investigator performs a Logical Extraction followed by a Physical Extraction to gather information.


For our demonstration, we selected Logical Extraction, chose three types of information from the Phone Memory, namely Phone (Phone Book), SIM (Phone Book) and Phone (Content), and pressed Next.


The Logical Extraction gave a further choice to select the type of information from the Phone Memory namely Contacts, SMS, MMS, Calendar, Apps Data, Pictures, Audio/Music, Videos, Ringtones and Call Logs. 


The software sends a ‘pop up’ message and in order to move further the investigator needs to click on YES. 



From the Contacts account we extracted contacts from Gmail, Facebook Messenger and WhatsApp, as displayed below.


The Cellebrite software provides the investigator with source instructions to proceed further on the case by just clicking on the ‘How to?’


The Logical Phone Extraction completed successfully. The number of items gathered from the Phonebook, SMS and Call Logs of the mobile under forensic investigation is highlighted.


The software displays another pop up, ‘PA Evidence Collection.ufdx’, along with the Logical 01 folder for the investigator.


The UFED Physical Analyzer report of the mobile phone was captured by Cellebrite. The analyser captured the mobile’s identifying information, including the model name, IMEI, ICCID, MSISDN and IMSI, to name a few.


Before making the final report, a case management form needs to be filled in by the investigator, which provides the case number, name, evidence number, examiner name, department, location, notes, name of the report, document details, project name as well as format. The report can be produced in PDF, Word or another format. The final report is generated by pressing Next.


Summary of the Cellebrite UFED report on mobile under forensic investigation.


3 Ways to Mount a RAW Image in Windows

In forensics, to investigate a hard drive or other disks we always make a forensic image. A forensic image is a forensically sound and complete copy of a hard drive or other digital media, generally intended for use as evidence. Copies include unallocated space, slack space, and the boot record. Many computer forensic programs, especially the all-in-one suites, use their own file formats to store information. These images are stored in RAW, AFF or E01 format.

RAW Image Format: This format is a raw bit-by-bit copy of the original. It is often accompanied by metadata stored in separate files. This image format is the most commonly used and is read by every forensic tool in the industry.

Once the RAW image is created, it can't be read unless it is mounted by a tool. Mounting is the process that takes the raw logical image and attaches it to a specified directory of choice so that the contents of the image can be examined. The image has to contain a recognizable file system inside a partition. This makes invocation of the command interesting, because the raw image is a physical (whole-disk) image and not a specific partition holding a file system.

Mounting an image for a read-only view lets you see the content of the image exactly as the user saw it on the original drive.
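To make the physical-image versus partition distinction concrete, here is an added example (not part of the original post): a small Python parser for the MBR partition table in the first sector of a raw image, run against a constructed sample sector, that computes the byte offsets a read-only mount needs. The image name image.raw and the /mnt/pN mount points are placeholders.

```python
import struct

SECTOR = 512                 # logical sector size assumed by the MBR layout
MBR_SIGNATURE = 0xAA55
PART_TABLE_OFFSET = 446      # first of four 16-byte partition entries
PART_ENTRY = "<B3xB3xII"     # status, CHS start, type, CHS end, LBA start, sectors
# Partition type ids for readable output (deliberately not exhaustive).
PART_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
              0x83: "Linux", 0xEE: "GPT protective"}

def parse_mbr(sector0):
    """Return the non-empty partition entries found in the first sector.
    Raises ValueError when the 0x55AA signature is missing, which is what
    you get when the image is already a bare partition or filesystem."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if struct.unpack_from("<H", sector0, 510)[0] != MBR_SIGNATURE:
        raise ValueError("no MBR signature: not a whole-disk image?")
    parts = []
    for i in range(4):
        boot, ptype, lba, count = struct.unpack_from(
            PART_ENTRY, sector0, PART_TABLE_OFFSET + i * 16)
        if ptype == 0 or count == 0:
            continue                      # unused slot
        parts.append({"index": i + 1, "bootable": boot == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, "unknown"),
                      "offset": lba * SECTOR, "size": count * SECTOR})
    return parts

def mount_hints(parts, image="image.raw"):
    """Read-only loop-mount lines (Linux); image path and mount points are placeholders."""
    return [f"mount -o ro,loop,offset={p['offset']} {image} /mnt/p{p['index']}"
            for p in parts]

def build_sample_mbr():
    """Constructed sample: a bootable 100 MiB NTFS system partition at sector
    2048 followed by a ~9.9 GiB NTFS data partition, similar to a Windows 7 install."""
    sector = bytearray(SECTOR)
    for i, entry in enumerate([(0x80, 0x07, 2048, 204800),
                               (0x00, 0x07, 206848, 20764672)]):
        struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFFSET + i * 16, *entry)
    struct.pack_into("<H", sector, 510, MBR_SIGNATURE)
    return bytes(sector)

if __name__ == "__main__":
    # On a real image: parts = parse_mbr(open("win7.raw", "rb").read(SECTOR))
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(f"partition {p['index']}: {p['type_name']} at byte {p['offset']}, {p['size']} bytes")
    print("\n".join(mount_hints(parts)))
```

The GUI tools below do this offset calculation for you; the parser shows what they are resolving when a whole-disk .raw file appears as a drive letter.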


There are various methods to mount a RAW file. But before we learn how to mount our RAW files, have a look at My Computer so that you have an idea of how many drives you have before mounting a RAW file. For instance, the following image shows My Computer on my PC:


Now, let us have a look at these methods:

Forensic Tool Kit Imager

FTK Imager (version 3.4.2) is a tool by AccessData which is used to preview data. It is also an imaging tool that lets us acquire data in a forensically sound way. FTK Imager helps us create forensic images, mount an image for a read-only view, create hashes of files, etc., and right now we will focus on its mount function. To mount a RAW image file via FTK Imager, first of all download it from --> http://accessdata.com/product-download/digital-forensics/ftk-imager-version-3.4.2
Now that FTK Imager is downloaded and installed, open it and click on File on the menu bar. A drop-down menu will appear; from this menu click on Image Mounting.



A dialogue box will now open. Enter the path of the RAW file in the Image File field and click on the Mount button.


Once you click on the Mount button your image will be mounted and you can see the result in the Mapped Image List:


OSFMount
OSFMount (version 1.5.1015) is software by PassMark Software. It helps you mount your image files, even hard disk image files, in Windows with a drive letter. You can then analyze the disk image files further. So that your original files are not altered, the image files are mounted as read-only by default. Download this software from --> http://www.osforensics.com/tools/mount-disk-images.html

Open OSFMount after the installation is complete:


Go to File menu and select Mount new virtual disk option.


A dialogue box will open; here enter the path of your image file under the heading Image file and click on OK.


You can see in the following image that your RAW image has been mounted as a result:


Mount Image Pro
GetData is a software development company that has launched Mount Image Pro (version 6). It is a computer forensic tool which enables us to mount an image for forensic purposes. You can download this software from http://www.mountimage.com/
Open the software after its installation.


Go to File menu and click on Mount Image File.


A dialogue box will open; select your image file from it.


Then another dialogue box will open showing you all the details. Click on OK.


It will further show you the progress in another dialogue box.


As the outcome, your image file is mounted as shown in the following image:



Now, as I had asked you to check My Computer before mounting the image, you can check My Computer again and you will see an extra drive, as shown below:

Forensic Investigation of Any Mobile Phone with MOBILedit Forensic

With MOBILedit Forensic you can view, search or retrieve all data from a phone with only a few clicks. This data includes call history, phonebook, text messages, multimedia messages, files, calendars, notes, reminders and raw application data. It will also retrieve all phone information such as IMEI, operating systems, firmware including SIM details (IMSI), ICCID and location area information. Where possible MOBILedit Forensic is also able to retrieve deleted data from phones and bypass the passcode, PIN and phone backup encryption.

Note: USB Debugging must be enabled.

Download MOBILedit! Forensic from here and install it on your PC. Now click on MOBILedit! Forensic.

Click on the Connect option. The MOBILedit! Forensic Wizard will run and ask for Phone, Data file or SIM Card. Select the Phone option and click on Next.



Now it will ask for type of connection. Select Cable Connection. And click on Next.


Now follow the instructions, such as installing the driver or turning on USB debugging if connecting an Android phone.
Now connect the phone via data cable. If prompted, choose the connection mode PC Sync or COM port. Click on Next.


It will show the connected mobile. Check your Mobile model and click on Next.


To take the Backup, first of all enter Owner Name, Device Evidence Number and Owner Phone Number.
Click on Browse Option to select the path folder where backup data will be stored and click on Next.


Now it will ask for the part of the file system to back up. Choose Whole File System or Specified File Types such as Audio, Video or Pictures. Then click on Next.


Now it will show the progress bar for Back Up and after completion click on Next.


Now select the check box for Phone memory extraction and click on Next.


Now it will show the message for creation of memory dump on memory card file. Click on Next.


Now select the group Cases to organize device data, or click on <New Case> to create a new case, and click on Next.


If we have selected the New Case option, it will ask for the Case Number and investigator details. Enter the Investigator Details and click on Next.


Now select the Template for Data Export and Click on Finish.


Now it will show the generated Forensic Report.


Select Connected Device Option.


Now it will generate a report with all the details such as Phone book, Call logs, messages, Files etc.


To get phone book details, select Phone book option.


Now you can select a sub-option such as WhatsApp to see WhatsApp messages.


Click on Call Logs to see Missed Calls, Outgoing calls and Incoming calls.


Now Click on Messages to see all received, sent and draft messages.


Click on Application Data to get all the details about content providers.


Click on Application to see all the apps installed on the mobile.


Select the Files option to see all the details about the system files on the mobile.


Now Click on Media and select internal media or user media and then select pictures option to see Pictures.


To view the user’s files, click on the User Files option.