Digital Forensics: An Introduction (Part 2)

In the first part of this article, we covered the elements of a digital crime, the goals of a digital forensic investigation, the classification of digital forensics, digital evidence, the principles of digital forensics, the process of a forensic investigation, the types of tools, etc.

Table of Contents:

· Understanding the difference between E-Discovery & Digital Forensics
  o E-Discovery
  o Digital Forensics
· Methodology for Digital Investigators
· Evidence Collection Methods
· Disk Imaging and Cloning
· Challenges faced by Digital Forensic Investigator

Understanding the difference between E-Discovery & Digital Forensics

These two terms are often confused. Here are a few points that highlight the purpose and usage of E-Discovery and Digital Forensics.

E-Discovery

E-Discovery stands for Electronic Discovery. It can be defined as the process of collecting, preparing, reviewing, interpreting, and presenting electronic documents from hard disks and other storage devices in civil litigation. The following are the key points to remember about E-Discovery.

Digital Forensics

Digital Forensics can be defined as the process of preservation, identification, extraction, and documentation of digital evidence, which is then used by a court of law to support criminal investigations.
Methodology for Digital Investigators

A digital forensic investigator has a huge responsibility on his shoulders when investigating a case, as his findings will bring justice to the innocent and punish the criminal. Therefore, there is a set of steps he should follow when investigating a case. The following are generalized steps of an investigation; the investigator may instead follow the steps prescribed by their institution or the framework they work under.

STEP 01: Prepare a preliminary design or a method to approach the case. The investigator should prepare a plan for how he will conduct the investigation and have a clear understanding of the crime scene.

If a computer or device at the scene is powered on, he should not make the mistake of turning it off, running any program, or performing any other activity on it.

STEP 02: Determine the resources that are required for the case. The investigator has to understand which tools and technologies are required for the case to be investigated further. He should be qualified enough, and should make sure that he prevents data from being overwritten.

STEP 03: Discover and obtain the evidence. The investigator has to make sure that he does not miss any evidence at the scene of the crime and that he obtains it in the most careful way, one that does not cause any damage to the evidence.

The investigator should make sure to collect the evidence in a Faraday bag or an anti-static bag so that the evidence cannot be tampered with.

He should make sure at every moment to maintain the chain of custody.
STEP 04: Make multiple forensic copies of the evidence. In a digital forensic investigation, it is essential to remember that, as far as possible, one should never work on the original evidence item. The investigator should create multiple copies of it and perform the analysis on a copy of the original evidence.

Before he creates a copy of the evidence, he should always calculate the hash value of the evidence as recovered in its original form, to maintain the authenticity of the evidence.

STEP 05: Identify and minimize the risks involved. The investigator should remember that the evidence collected is not always easy to analyze. There are many risks and consequences involved. He should be qualified enough to estimate the amount of risk and the possible damage, and should try to come up with better alternatives to minimize the risk.

STEP 06: Analyze and recover the evidence. Once the investigator has the evidence, he can start analyzing the copy of the original evidence using the commercial and open-source software suitable for the case. He can also use various software to recover evidence that has been deleted.

STEP 07: Create a detailed case report about the investigation. Once the investigator has completed the analysis of the evidence and has found important artifacts in the recovered data, he can create a detailed report about his findings, the methodologies, and the tools he used in the investigation.

If required by the jury or the court, the investigator has to appear in court as an expert witness and give his testimony on the case in simpler terms, so that people from a non-technical background can better understand the case.

Evidence Collection Methods

The terms for the evidence collection methods are inter-related and serve almost the same purpose; the only important thing for an investigator to remember is that the copy must be forensically sound.

Image Copy: It refers to a duplicate of the original disk.

Bit-Stream Image: It is a clone copy of the original evidence. It includes the data in all sectors and clusters of the disk, which allows deleted files to be retrieved.

Bit-Stream Copy: A bit-stream copy can be defined as a bit-by-bit copy of the original evidence or storage medium, and is therefore its exact copy. A bit-stream copy is also called a forensic copy of the disk.

Mirror Copy: A mirror copy is a precise replica (backup) of the disk.
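As an added example (not from the original article), the following Python code performs the bit-stream copy defined above together with the hashing Step 04 calls for: the hashes are taken from the original before copying and re-verified on the copy, producing a record suitable for the chain of custody. The evidence file stands in for a block device such as /dev/sdX; all file names and data are constructed.

```python
"""Added example, not from the original article: a bit-stream (forensic) copy
of an evidence "device" with hashes taken before copying and re-verified on
the copy. The evidence file stands in for a device; all data is constructed."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat for large media

def hash_stream(path):
    """Return (md5, sha256) hex digests of every byte in the file at path."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()

def bitstream_copy(src, dst):
    """Copy src to dst byte for byte and return a chain-of-custody record.
    Hashes are computed on the original *before* copying and recomputed on
    the copy afterwards; 'verified' records whether both pairs match."""
    before = hash_stream(src)
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            fout.write(block)
    after = hash_stream(dst)
    return {"source": src, "image": dst, "bytes": os.path.getsize(dst),
            "md5": before[0], "sha256": before[1], "verified": before == after}

def demo():
    """Constructed evidence: live data followed by the remnant of a 'deleted'
    file, which a bit-stream copy carries over unlike a file-level copy."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "evidence.bin")
    image = os.path.join(workdir, "evidence.dd")
    with open(evidence, "wb") as f:
        f.write(b"live file data\x00" * 4096 + b"remnant of a deleted file" + b"\x00" * 500)
    record = bitstream_copy(evidence, image)
    # Flip one byte in the image: the stored hashes must no longer match it.
    with open(image, "r+b") as f:
        f.seek(10)
        f.write(b"X")
    still_matches = hash_stream(image) == (record["md5"], record["sha256"])
    return record["verified"], still_matches, record["bytes"]  # (True, False, 61965)
```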

 


Disk Imaging and Cloning

Disk Imaging

It is the process of making an archival or backup copy of an entire hard drive. The image is a file that contains all the information necessary to boot the operating system. However, the image has to be applied to a hard drive before it can be used: one cannot restore a hard drive simply by placing the image file on it, as the image has to be opened and written to the drive using an imaging program. A single hard drive can store many disk images, and disk images can also be stored on high-capacity flash drives.

Disk Cloning

It is the process of copying the entire contents of one hard drive to another, including all the information needed to boot the operating system from the drive. It allows you to create a one-to-one copy of one hard drive on another hard drive. The cloned drive is completely functional and can be swapped in for the computer's existing hard drive. If the cloned drive is booted, its data will be identical to the source drive's at the time the clone was created.

Below is a simple comparison of disk imaging and disk cloning.



Challenges faced by Digital Forensic Investigator

Legal Issues: The most important issue an investigator may encounter is guaranteeing the admissibility of the evidence, which means that it will be accepted by the court.

Nature of Digital Evidence: Advances in technology have affected investigations in such a way that detecting digital evidence has become extremely difficult, for example in cloud storage, PDAs and IoT devices.

Alteration of Evidence: The chain of custody should be maintained at all times to keep the evidence's credibility intact. If the evidence falls into the wrong hands, it might be altered and lose its credibility. Therefore, having a forensic image and the hash value of the evidence is extremely important for the investigator.

Size and Distribution of the evidence: The size and distribution of the evidence matter because data is no longer small; a huge amount of data is produced regularly. In big data forensic investigations, the size and wide distribution of the data become a challenge for the investigator, who does not know where to start.

Malware Present in evidence: Criminals can outsmart the investigators and plant malware on the evidence device that misleads or disrupts the ongoing investigation.

Steganography: In earlier times, steganography came in only a limited number of forms, but today, due to the availability of various tools and software on the dark web, it has become extremely difficult to detect steganography in evidence items. Sometimes the investigator does not even consider it as evidence, as they are unable to get an in-depth view of the item.

Encryption: Many times, the evidence is recovered in encrypted form and the investigator has a hard time decrypting it, with no assurance of recovering the original contents.

Nyx: 1: Vulnhub Walkthrough

Introduction

Today we are going to crack this vulnerable machine called Nyx: 1. It was created by 0xatom, who can be contacted on Discord. This is a Capture the Flag type of challenge containing two flags: a user flag, available from a limited-privilege shell, and a root flag which, as you have guessed, is available from root-level access. Overall it was an easy machine to crack.

Download Lab from here.

Penetration Testing Methodology

· Network Scanning
  o Netdiscover
  o Nmap
· Enumeration
  o Browsing HTTP Service
  o Enumerating Source Code
  o Directory Bruteforce
  o Nmap Script Enumeration Scan
· Exploitation
  o Connect SSH using key
· Post-Exploitation
  o Reading User Flag
  o Enumerating for Sudo Permissions
· Privilege Escalation
  o Exploiting Sudo permissions on gcc
· Getting the Root Flag

Walkthrough

Network Scanning

To attack any machine, we first need to find its IP address. This can be done using the netdiscover command. To identify the right machine, we correlate the MAC address shown by netdiscover with the one in the virtual machine's configuration settings. The IP address of the machine was found to be 192.168.0.113. Following the netdiscover scan, we run an nmap scan to get information about the services running on the virtual machine. A version scan reveals two services running: SSH (22) and HTTP (80).

nmap -sV 192.168.0.113

Enumeration

Since we have the HTTP service running on the virtual machine, let's take a look at the hosted webpage:

http://192.168.0.113



The webpage was a simple HTML page, as shown in the image above. As part of enumeration, we right-clicked in the browser and chose to view the source code of the page. It contained a small message telling us not to waste time looking into the source code. But looking into the source code has never harmed anyone. It also tells us to focus on the real stuff. But what is the real stuff?



Next on our enumeration list is directory bruteforce. We used dirb here and tried a few different variants. The one with the extension .php and the wordlist common.txt gave us the key.php file.

dirb http://192.168.0.113/ -X .php



Browsing the URL gives us a form where we need to enter a key to move forward. Now all we have to do is find the key. That shouldn't be too hard.

http://192.168.0.113/key.php



After the initial nmap scan, we kept a bunch of nmap script scans running so that they could enumerate something we might miss. It is usually overkill, but this time it yielded promising results. Nmap script scans are always important during enumeration; never omit them from the initial enumeration of a virtual machine. This one gave us a PHP file labelled Seagate BlackArmour NAS.

nmap -sC -sV -p 80 --script=http-enum 192.168.0.113



Opening it in the browser, we see that it is an OpenSSH key. It is easy to miss that the author had put "mpampis key" in the title tag of the page. As the PHP file renders, it sends "mpampis" to the top of the browser tab where it is not noticeable, but enumerating the source code has paid off. This might be the username we need to log in to the SSH service.



Exploitation

We copied the key from the browser, pasted it into a file and named it key. It is not ready to use yet: SSH requires a specific set of permissions on a private key. The key must be readable and writable only by its owner, which means we need to set permission 600 on it. We used the chmod command to set the proper permissions. Now it was time to log in to the virtual machine. The username and the key worked, and we are inside the machine.

Post-Exploitation

Now that we have a session, we can start looking for the user flag. The first place we looked was the home directory of the user mpampis, and there we found the user flag.

chmod 600 key

ssh -i key mpampis@192.168.0.113

cd /home

ls

cd mpampis/

ls

cat user.txt
Now it is time to do more enumeration. We tried to look for binaries that can be executed using sudo, and we found one: gcc.

Privilege Escalation

To elevate the shell to root, we can use the gcc command with sudo. We went to GTFOBins, searched for gcc and found this simple one-liner to elevate privileges. In a matter of seconds we had a root shell. All that was left to do was to read the root flag.

sudo -l

sudo gcc -wrapper /bin/sh,-s .

id

ls

cat root.txt
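The defender's view of the same step, as an added example that is not part of the walkthrough: sudo records every command it runs in auth.log with a COMMAND= field, so the gcc -wrapper escalation above leaves a distinctive trace. The Python below parses constructed auth.log-style lines and flags any sudo command in which a non-shell binary is handed a shell path as an argument; that generalizes beyond the gcc case to other argument shapes such as --flag=/bin/sh. The hostname, timestamps and log lines are constructed.

```python
"""Added example, not part of the walkthrough: detection logic for sudo
invocations that smuggle a shell into another binary (gcc -wrapper /bin/sh,-s
in the page), run over constructed auth.log-style lines."""
import re

# sudo's standard log line: "sudo: USER : TTY=... ; PWD=... ; USER=target ; COMMAND=argv"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s*:.*?USER=(?P<target>\S+)\s*;\s*COMMAND=(?P<cmd>.*)$"
)
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}

# Constructed sample lines: a legitimate compile, the escalation from the
# walkthrough, and an unrelated administrative command.
SAMPLE_LOG = """\
Oct  3 10:01:12 nyx sudo: mpampis : TTY=pts/0 ; PWD=/home/mpampis ; USER=root ; COMMAND=/usr/bin/gcc -o hello hello.c
Oct  3 10:02:40 nyx sudo: mpampis : TTY=pts/0 ; PWD=/home/mpampis ; USER=root ; COMMAND=/usr/bin/gcc -wrapper /bin/sh,-s .
Oct  3 10:03:05 nyx sudo: mpampis : TTY=pts/0 ; PWD=/home/mpampis ; USER=root ; COMMAND=/usr/bin/apt update
"""

def parse_sudo_line(line):
    """Return (invoking user, target user, argv list), or None for non-sudo lines."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    return m.group("user"), m.group("target"), m.group("cmd").split()

def shell_smuggled(argv):
    """True when a non-shell binary receives a shell path somewhere in its
    arguments. Arguments are split on ',', '=' and ':' so that forms like
    '/bin/sh,-s' (gcc -wrapper) and '--flag=/bin/sh' are both caught."""
    if not argv or argv[0] in SHELLS:
        return False  # a direct 'sudo /bin/sh' is a sudoers question, not smuggling
    for arg in argv[1:]:
        if any(piece in SHELLS for piece in re.split(r"[,=:]", arg)):
            return True
    return False

def find_escalations(log_text):
    """Return [(user, target, command)] for sudo events that smuggle a shell."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_sudo_line(line)
        if parsed and shell_smuggled(parsed[2]):
            hits.append((parsed[0], parsed[1], " ".join(parsed[2])))
    return hits

if __name__ == "__main__":
    for user, target, cmd in find_escalations(SAMPLE_LOG):
        print(f"ALERT: {user} ran as {target}: {cmd}")
```

The same check applies to the output of sudo -l when auditing sudoers: any rule that lets a user run a compiler, interpreter or editor as root is equivalent to granting a root shell.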

Cewlkid: 1 Vulnhub Walkthrough

Today we are going to solve another boot2root challenge called "Cewlkid: 1". It is available at VulnHub for penetration testing and you can download it from here.

Credit for making this lab goes to @iamv1nc3nt. Let's start and learn how to break it down successfully.

Level: Intermediate

Penetration Testing Methodology

· Reconnaissance
  o Netdiscover
  o Nmap
· Enumeration
  o Cewl
  o Brute force login to Sitemagic CMS with Burp
  o pspy64
· Exploiting
  o Sitemagic Arbitrary File Upload
· Privilege Escalation
  o Abuse crontab with plain passwords
  o Abuse of sudo
  o Capture the flag

Walkthrough

Reconnaissance

We look for the machine with netdiscover:

$ netdiscover -i ethX



Then we run nmap against all ports with OS detection, software versions, scripts and traceroute:

$ nmap -A -p- 192.168.10.183
Enumeration

We ignore the web service on port 80 and find a Sitemagic CMS on port 8080.




Reviewing the content and sections, we find the link to the administration panel of the web application.



With all this information, and given that the machine is called "Cewlkid", it is clear that we need to build a dictionary with the tool "Cewl" from the different sections of the website to obtain the possible password.



With the help of Burp Suite and the dictionary we just created, we brute-force the login for the user "admin" (the default user according to the official information).



We access the control panel and verify that the credentials are valid.

 



Exploiting

Inside, we can see the exact version of the application and check that there is an exploit for arbitrary file upload.

Exploit: https://www.exploit-db.com/exploits/48788

As always, we will do a proof of concept to verify that the site is vulnerable.

Request:


Response:



Perfect! We upload the file and then confirm that "info.php" has indeed been uploaded.


We repeat the same steps, but this time we upload a webshell (I used pentestmonkey's).


We set up a netcat listener and load our "shell.php" file, and we get access to the machine.

Privilege Escalation (Cewlbeans)

There are several users on the system, but using the tool "pspy64" we see that a remote connection is executed from time to time as the user "cewlbeans", with the password appearing in plain text.

 


Privilege Escalation (root)

We authenticate as the user "cewlbeans", execute the command "sudo -l", and find the pleasant surprise that we can execute any binary as any user.



Let's not waste time: we execute /bin/sh as "root" and read the flag.




Author: David Utón is a penetration tester and security auditor for web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks. He can be contacted on LinkedIn and Twitter.