Basic disks are an older technology that was introduced as an alternative to dynamic disks.

DVS Archiving and Storage

Anthony C. Caputo, in Digital Video Surveillance and Security (Second Edition), 2014

Troubleshooting a Hard Drive

There’s very little that can be done when a hard drive fails, but the key is finding out how failed is failed. The simplest way of determining whether a hard drive can be salvaged is to feel it as it boots up. If there’s vibration, the internal disk is rotating, meaning that there’s a chance to retrieve the data without the need of a professional agency.

The following troubleshooting recommendations (see Figure 9.15) are for a regular NTFS formatted hard drive and not for a hard drive that is part of a RAID array. Do not use FAT32 formatting for DVS, since the system is not as robust as NTFS and the files are limited to 2 GB in size. The RAID hard drive would need to be replaced (with the exact same hard drive), and the RAID software will recover the data (except for RAID 0). This advice also does not pertain to the boot disk but only additional hard drives used for archiving video.

FIGURE 9.15. Hard drive troubleshooting.

There are two types of disks in a Windows environment. A basic disk is a physical hard drive that contains primary partitions, extended partitions, or logical drives. A dynamic disk includes the ability (but not a necessity) to create volumes that span multiple disks and create mirrored and RAID-5 fault-tolerant volumes. Single dynamic disks are also easier to move from one computer to another (more on this later).

BEWARE OF STATIC ELECTRICITY

Whenever you’re troubleshooting electronic components, always ground yourself against electrostatic discharge before handling anything, and always turn off the power before disconnecting or connecting any device.

The first step in determining the severity of the hard drive failure is a system reboot. If the hard drive returns in My Computer, this requires a few select tests, one of which is testing the power supply for compatibility and/or failure. This is especially important because a defective power supply can damage components inside the computer, including the motherboard, hard drives, and memory. A power supply tester, an inexpensive addition to the troubleshooting arsenal, can give you the results instantly.

DATA DISASTER RECOVERY

As long as the hard drive powers up and continues to spin, there are a few possibilities for bringing the hard drive back to life, at least long enough to retrieve the stored data. The following methods have worked for me at various times to bring hard drives to life to retrieve the data they contain:

1. Install the hard drive in another computer.
2. Add the hard drive into an external hard drive enclosure.
3. Carefully hit the side of the hard drive on a clean, flat surface.
4. Place the hard drive in the freezer for an hour.

If none of these methods work and the stored data is mission critical, data recovery software such as Stellar Data Recovery (www.stellarinfo.com) could work wonders, with a free trial version to determine whether the data is salvageable.

Upon researching the computer’s components, you might find that the power supply is below the recommended rating for the current system. At this point, the best course of action is to upgrade the power supply and then start troubleshooting over once again.

Troubleshooting hard drives in Windows includes the use of the Disk Management tool, which is part of the Computer Management (see Figure 9.16) suite. Again, to access Computer Management, go to Start > Run, type compmgmt.msc, and then press Enter.

FIGURE 9.16. Windows disk management application.

The Disk Management console is listed in the left pane under Storage. Click on the Disk Management icon and the computer’s storage devices will appear in the right pane of the console. The hard drive may appear in the Disk Management console with error messages that could help diagnose the problem. If the hard drive does not appear at all in the console, check to see that the hard drive’s data and power connection is securely in place, then reboot.

The messages and/or status errors that appear in the Disk Management console include, but are not limited to, the following:

Foreign Disk

Disk Unreadable

Disk Missing

Disk Not Initialized

Disk Offline

A warning icon appears on disks that display the Foreign status, which signifies a moved dynamic disk, either to another port or from another computer. Dynamic disks are not supported on Windows XP Home Edition or on portable computers.

To access data on the disk, you must add the disk to your computer’s system configuration. To do so, import the foreign disk (right-click the disk icon and then click Import Foreign Disks).

An error icon appears and the hard drive is labeled as unreadable when the disk is not accessible. The hard drive may have experienced hardware failure, corruption, or I/O errors. Sometimes the unreadable disk failed and is not recoverable, but for a dynamic disk, this usually means corruption or I/O errors on part of the disk, not a complete failure of the entire disk. In the Disk Management console, click Action, then choose Rescan Disks or restart the computer to see whether the hard drive’s status changes.

The Missing status indicates a corrupted, turned-off, or disconnected dynamic disk. Instead of appearing in the status column, the Missing status is displayed as the disk name. Make sure the hard drive is connected and powered, then open Disk Management, right-click the missing disk, and then click Reactivate Disk.

When the Not Initialized status occurs, it means that the hard drive does not contain a valid signature in the master boot record (MBR). Disk Management provides a wizard when a hard drive is first installed into the system that, once followed, will add this signature into the boot record. If the wizard was cancelled before the hard drive signature was written into the boot record, the disk status remains Not Initialized. Right-click the hard drive in Disk Management, then click Initialize Disk. The hard drive then changes to Healthy status.
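The “Not Initialized” status described above comes down to what is, or is not, in the first sector of the drive. The following Python script is an added example, not part of the chapter: it reads one 512-byte sector 0, checks for the 0x55AA boot signature, and, when present, reports the disk signature and the partition entries. The offsets used are the standard MBR layout (disk signature at 0x1B8, partition table at 0x1BE, boot signature at 0x1FE); both sample sectors, and the signature value 0x1A2B3C4D, are constructed in the script and come from no real disk.

```python
"""Added example (not from the chapter): read sector 0 of a disk and report
whether it carries a valid MBR, the condition behind Disk Management's
"Not Initialized" status, plus the partition entries it describes.

Both sample sectors are constructed in this file; they come from no real disk.
"""
import struct

SECTOR_SIZE = 512
DISK_SIGNATURE_OFFSET = 0x1B8   # 4-byte disk signature Windows writes at initialisation
PARTITION_TABLE_OFFSET = 0x1BE  # four 16-byte partition entries
BOOT_SIGNATURE_OFFSET = 0x1FE   # 0x55 0xAA marks a valid MBR

# A few common partition type codes; anything else is reported as hex.
PARTITION_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
                   0x0E: "FAT16 (LBA)", 0xEE: "GPT protective"}


def parse_mbr(sector):
    """Describe a 512-byte sector 0.

    Returns status "Not Initialized" when the 0x55AA signature is absent
    (an all-zero sector, as a brand-new drive presents); otherwise the disk
    signature and every non-empty partition entry.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one %d-byte sector" % SECTOR_SIZE)
    if sector[BOOT_SIGNATURE_OFFSET:BOOT_SIGNATURE_OFFSET + 2] != b"\x55\xAA":
        return {"status": "Not Initialized", "reason": "no 0x55AA boot signature"}
    (disk_sig,) = struct.unpack_from("<I", sector, DISK_SIGNATURE_OFFSET)
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype == 0:
            continue  # unused slot
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": PARTITION_TYPES.get(ptype, "0x%02X" % ptype),
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mib": sectors * SECTOR_SIZE // (1024 * 1024),
        })
    return {"status": "Initialized (MBR)",
            "disk_signature": "%08X" % disk_sig,
            "has_disk_signature": disk_sig != 0,
            "partitions": partitions}


def build_sample_mbr(disk_signature=0x1A2B3C4D):
    """Construct a minimal MBR: one bootable NTFS partition starting at
    sector 2048 and spanning 204800 sectors (100 MiB). Values are made up."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", sector, DISK_SIGNATURE_OFFSET, disk_signature)
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[BOOT_SIGNATURE_OFFSET:BOOT_SIGNATURE_OFFSET + 2] = b"\x55\xAA"
    return bytes(sector)


# What a drive that never went through the Initialize Disk wizard presents.
UNINITIALIZED_SECTOR = bytes(SECTOR_SIZE)


if __name__ == "__main__":
    for name, sector in (("blank", UNINITIALIZED_SECTOR), ("sample", build_sample_mbr())):
        print(name, parse_mbr(sector))
```

On a real system the 512 bytes would be read from the raw device (which requires administrative rights and, in a forensic setting, a write blocker); a GPT disk shows up here as a single protective 0xEE entry, and a sector with the boot signature but a zero disk signature is flagged by has_disk_signature so it can be looked at separately.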


URL: //www.sciencedirect.com/science/article/pii/B9780124200425000095

Digital Forensics with Open Source Tools

Cory Altheide, Harlan Carvey, in Digital Forensics with Open Source Tools, 2011

The Digital Forensics Process

The process of digital forensics can be broken down into three categories of activity: acquisition, analysis, and presentation.

Acquisition refers to the collection of digital media to be examined. Depending on the type of examination, these can be physical hard drives, optical media, storage cards from digital cameras, mobile phones, chips from embedded devices, or even single document files. In any case, media to be examined should be treated delicately. At a minimum the acquisition process should consist of creating a duplicate of the original media (the working copy) as well as maintaining good records of all actions taken with any original media.
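The two acquisition requirements named above, a verified duplicate and a record of every action taken, are short to implement. The following Python script is an added example, not the book's code: it copies a source stream block by block into a working copy, hashes original and copy with SHA-256, and appends a timestamped record for each step. The source media here is a constructed in-memory byte string; on real input the same functions would be handed an opened image file or block device.

```python
"""Added example (not from the chapter): acquire a working copy of source
media and verify it, recording every action taken.

The source media is a constructed in-memory byte string standing in for a
device or image file; hashing and logging work the same way on real input.
"""
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed sample "media": 4 KiB of patterned bytes plus a recognisable tail.
SAMPLE_MEDIA = bytes(range(256)) * 16 + b"END-OF-EVIDENCE"

BLOCK_SIZE = 1024  # small so the sample is copied in several blocks


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_stream(stream, block_size=BLOCK_SIZE):
    """Hash a readable binary stream from its current position to the end."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(block_size), b""):
        h.update(chunk)
    return h.hexdigest()


def acquire(source, destination, log, block_size=BLOCK_SIZE):
    """Copy source -> destination block by block, then verify by re-hashing.

    Returns the hashes of original and working copy and whether they match.
    Every step is appended to `log` as a timestamped record.
    """
    def record(action, **fields):
        log.append({"time": datetime.now(timezone.utc).isoformat(),
                    "action": action, **fields})

    record("hash_source_start")
    source.seek(0)
    source_hash = sha256_of_stream(source, block_size)
    record("hash_source_done", sha256=source_hash)

    source.seek(0)
    copied = 0
    for chunk in iter(lambda: source.read(block_size), b""):
        destination.write(chunk)
        copied += len(chunk)
    destination.flush()
    record("copy_done", bytes_copied=copied)

    destination.seek(0)
    copy_hash = sha256_of_stream(destination, block_size)
    verified = copy_hash == source_hash
    record("verify", sha256=copy_hash, match=verified)
    return {"source_sha256": source_hash, "copy_sha256": copy_hash,
            "bytes": copied, "verified": verified}


def verify_against(expected_hash, data):
    """Re-check a working copy later (e.g. before analysis) against the recorded hash."""
    return sha256_of_bytes(data) == expected_hash


def acquire_sample():
    """Run the acquisition on the constructed sample; returns (result, log, copy bytes)."""
    log = []
    source = io.BytesIO(SAMPLE_MEDIA)
    working_copy = io.BytesIO()
    result = acquire(source, working_copy, log)
    return result, log, working_copy.getvalue()


if __name__ == "__main__":
    result, log, _ = acquire_sample()
    print(json.dumps(result, indent=2))
    for entry in log:
        print(entry)
```

The hash of the original is taken before the copy is made, so a later mismatch distinguishes a bad copy from a source that changed; the log list is what you would persist alongside the image as the record of actions.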

Analysis refers to the actual media examination—the “identification, analysis, and interpretation” items from the DFRWS 2001 definition. Identification consists of locating items present in the media in question and then further reducing this set to items or artifacts of interest. These items are then subjected to the appropriate analysis. This can be file system analysis, file content examination, log analysis, statistical analysis, or any number of other types of review. Finally, the examiner interprets results of this analysis based on the examiner's training, expertise, experimentation, and experience.

Presentation refers to the process by which the examiner shares results of the analysis phase with the interested party or parties. This consists of generating a report of actions taken by the examiner, artifacts uncovered, and the meaning of those artifacts. The presentation phase can also include the examiner defending these findings under challenge.

Note that findings from the analysis phase can drive additional acquisitions, each of which will generate additional analyses, etc. This feedback loop can continue for numerous cycles given an extensive network compromise or a long-running criminal investigation.

This book deals almost exclusively with the analysis phase of the process, although basic acquisition of digital media is discussed.


URL: //www.sciencedirect.com/science/article/pii/B9781597495868000017

Managing File Systems and Disks

In How to Cheat at Microsoft Vista Administration, 2007

Summary

Storage requirements and drive sizes have changed throughout the years. The sizes have increased and so have the requirements. In years past, it was nearly unheard of for personal computers to have more than one physical hard drive. Today, it isn’t so strange. Understanding and better managing PC storage is more important than ever.

Windows 2000 provided us with a choice in disk types and it has been with us ever since. We now have the choice of creating basic disks and dynamic disks. A basic disk is one that can be accessed by MS-DOS and previous versions of Windows depending on the file system installed. Basic disks use the same structure as previous versions of Windows and NT. Dynamic disks offer options not available on basic disks. They provide greater flexibility than basic disks because they use a hidden database to track information about dynamic volumes on the physical disk and monitor other dynamic disks on the system.

Managing the file systems, partitions, and volumes is key in setting up Windows Vista. Without an understanding of these concepts, you can’t even install an operating system from scratch. Partitions and volumes these days are terms that are used interchangeably. Both terms are used to segment storage on drives. Deciding what type of volume to use also depends on the disk type you create. As expected, basic volumes only reside on basic disks, whereas dynamic volumes exist on dynamic disks. Dynamic volumes can contain simple and spanned volumes, whereas basic volumes can only contain simple volumes.

The file system you choose is determined by many factors, including, but not limited to, the size of your drive, whether security is required, and whether any recoverability is expected. For hard drives, Windows Vista supports FAT, FAT32, and NTFS. NTFS is the file system of choice for Windows Vista because of its vast capabilities, but there are situations where FAT or FAT32 is preferred, such as with the use of a USB flash drive. Other forms of removable media, like CDs and DVDs, are supported by Windows Vista with such file systems as CDFS and UDF.

When we talk about increasing or improving file system performance, we are typically talking about the hard drive. On new systems today with such fast processors, the biggest bottleneck is the performance of the hard drive itself. Windows Vista provides many ways of improving file system performance, such as disk defrag, cluster size adjustment, relocating the pagefile, creating a more logical folder structure, and removing support for both short filenames and file compression.

In the last five years, no other topic has dominated the industry more than security. The threat of data being stolen is a key concern for companies these days. Every day, mobile devices storing important information are stolen. Windows Vista provides ways of securing data even if the device is stolen. Features such as the use of Windows Rights Management Service (RMS), User Account Control (UAC), BitLocker, and EFS make Windows Vista the most secure operating system ever released by Microsoft.


URL: //www.sciencedirect.com/science/article/pii/B9781597491747500057

Secure Client Deployment with Trusted Boot and BitLocker

Thomas W. Shinder, ... Debra Littlejohn Shinder, in Windows Server 2012 Security from End to Edge and Beyond, 2013

How BitLocker Works

BitLocker uses the Advanced Encryption Standard (AES) to protect full volumes. Default key length is 128 bits, but you can configure it to use 256 bit keys, using Group Policy. When you encrypt the operating system files with BitLocker, it uses two partitions. The first is the encrypted volume that holds the operating system; it is called the boot drive or operating system drive and must be formatted in NTFS. The second is called the system volume and is unencrypted. Authentication and verification of system integrity take place prior to startup of the operating system, while the OS volume is encrypted; so, the Windows Pre-Execution Environment (WinPE) and boot files are on the unencrypted partition. The system volume must be formatted with NTFS on computers with a legacy BIOS, with FAT32 on computers that use UEFI, as illustrated in Figure 9.3.

Figure 9.3. BitLocker imposes disk formatting requirements.

BitLocker Encryption of Data Drives

In addition to encrypting the OS volume, you can use BitLocker on Windows 8 to encrypt your data volumes. This includes the following:

Other partitions on the same drive as the operating system volume

Partitions on other physical hard drives installed in the computer

External USB or eSATA drives

Removable portable USB flash drives or flash memory cards

This means you can now encrypt practically any locally attached drive with BitLocker. When using BitLocker to encrypt a data drive (fixed or removable), it can be formatted in NTFS, FAT32, FAT16, or exFAT.

With Windows 8 BitLocker, you can access a BitLocker-protected data drive that is removed from one computer and inserted into another, using the BitLocker Control Panel.

The Encryption Process

BitLocker uses multiple encryption keys to protect your data. The full volume encryption key encrypts the data. Then the volume master key encrypts the full volume encryption key. Finally, this volume master key is itself encrypted, by RSA or AES algorithm depending on whether you are using the TPM only, a startup key only, a combination of both, or a recovery key or password.[12] Key length can be configured through Group Policy.

Starting an OS on an Encrypted Volume

When implementing a full volume/disk encryption solution, you face a dilemma: an operating system on an encrypted volume cannot boot until its boot files are decrypted; so, the key has to be available before the OS loads a user interface. Obviously, that key cannot be stored on the encrypted disk itself; that would be like locking your car keys inside your vehicle to keep them safe. And you do not want to store it on an unencrypted partition on the hard disk; that would make it available to unauthorized persons and negate the purpose of encryption.

The solution is to store the key externally. There are several approaches: If the computer has a TPM, the key can be stored there. Because the TPM is embedded in the motherboard, this means that if someone removes the hard drive from the computer and puts it in another one, they cannot decrypt the disk without the key. The downside of this is that if the motherboard/TPM should experience hardware failure, you might not be able to decrypt the disk—unless you have another recovery key stored elsewhere. If you move an encrypted drive to a new computer, install a new motherboard (with a new TPM), disable the TPM, or make changes to the boot configuration settings or the BIOS/UEFI, the TPM may see this as a failure of the integrity check and your drive will not be decrypted.

If the computer does not have a TPM, or even if it does, another place that you can store the decryption key for FVE is on an external removable drive such as a USB flash drive. Other alternatives that may be implemented by some FVE programs include storing the key on a smart card (which, of course, requires a smart card reader), a biometric authentication mechanism (which requires a fingerprint scanner or other bio reader device), or retrieving the key over the network during the Preboot Execution Environment (PXE) process.

BitLocker allows you to use a TPM and/or an external USB device. You can set a PIN on the TPM so that, in combination with the USB flash drive, you have multifactor authentication. Note that although you can use BitLocker without a TPM, you will not get the added security of verification of system integrity prior to startup. If the integrity check fails, BitLocker is placed in recovery mode, where you can use a recovery key to decrypt the volume.


URL: //www.sciencedirect.com/science/article/pii/B9781597499804000091

Exploitation

Patrick Engebretson, in The Basics of Hacking and Penetration Testing, 2011

Password Resetting: Kind of Like Driving a Bulldozer through the Side of a Building

There is another option for defeating passwords. This technique requires physical access to the target machine, and although it is very effective at gaining you access to the target, it is also very noisy. In the previous section password cracking was discussed. If a skilled penetration tester is able to access a target machine alone for just a few minutes, he or she should be able to get a copy of the password hashes. All things considered, this could be a very stealthy attack and difficult to detect. In most cases, the penetration tester will leave few clues that he or she was ever on the target machine. Remember the penetration tester can take the passwords off-site and crack them at his or her leisure.

Password resetting is another technique that can be used to gain access to a system or to escalate privileges; however, this method is much less subtle than password cracking. When first introducing this topic, it is common to compare gaining access to a Windows machine by performing a password reset to a burglar driving a bulldozer through the wall of a store in order to gain access to the premises. It may be effective, but you can be sure that the storeowner and employees will know that they were broken into.

Password resetting is a technique that allows an attacker to literally overwrite the SAM file and create a new password for any user on a modern Windows system. This process can be performed without ever knowing the original password, although it does require you to have physical access to the machine.

As with all other techniques discussed in this book, it is vital that you have authorization before proceeding with this attack. It is also important you understand the implications of this technique. Once you change the password, there will be no way to restore it. As described in the beginning of this section, it is very much like a burglar driving a bulldozer through the side of a building. The next time a user attempts to log in and he or she finds that the password has been changed, you can bet that someone is going to notice.

With that in mind, this is still an incredibly powerful technique and one that can be very handy for gaining access to a system. To perform password resetting, you will need to boot the target system to a Backtrack DVD. Once booted, from the terminal you will need to mount the physical hard drive of the system containing the SAM file. You can find the instructions for performing this task in the previous section. After mounting the hard drive, you need to navigate to the “/pentest/passwords/chntpw” directory. You can accomplish this by entering the following command:

cd /pentest/passwords/chntpw

From here you can run the “chntpw” command to reset the password. To review the full options and available switches, you can issue the following command:

./chntpw -h

Assume that you want to reset the administrator password on your target machine. To accomplish this, you would issue the following command:

./chntpw -i /mnt/sda1/WINDOWS/system32/config/SAM

In the command above, “./chntpw” starts the password resetting program. The “-i” switch runs the program interactively and lets you choose the user you would like to reset. “/mnt/sda1/WINDOWS/system32/config/SAM” is the path, under the mounted drive, to the SAM file of the target machine. It is important to make sure you have access to the SAM file; remember that not all drives are listed as sda1. As mentioned earlier, running the “fdisk -l” command can be helpful in determining the appropriate drive.

After running the “./chntpw -i /mnt/sda1/WINDOWS/system32/config/SAM” command, you will be presented with a series of interactive menu-driven options that will allow you to reset the password for the desired user. Each of the steps is very clearly laid out and described; you simply need to take a few moments to read what is being asked. The program is actually designed with a series of “default” answers and in most cases you can simply hit the “enter” key to accept the default choice.

As shown in Figure 4.11, after loading, the first question you are asked is: “What to do [1]?” Above the question you will see a series of five options to choose from. Simply enter the number or letter that corresponds to the choice you want to make and hit the “enter” key to continue. The “[1]” after the question indicates that choice “1” is the default.

Figure 4.11. Chntpw Interactive Menu.

In our example we are planning to reset the password for the administrator account, so we can type “1” and hit enter or simply hit the enter key to accept the default. Next we are presented with a list of users available on the local Windows machine. You can select the desired user by typing in his or her username as displayed. Once again, the default option is set to “Administrator.” Figure 4.12 shows a screenshot of the available users.

Figure 4.12. List of Available Users to Reset Password.

Here again, we can simply hit the “enter” key to accept the default choice of “Administrator.” Next we are presented with the various options for editing the user on the target machine as shown in Figure 4.13. Please note that at this step you do not want to accept the default option!

Figure 4.13. Chntpw User Edit Menu.

As previously mentioned, at this point you want to be sure you select option “1” to clear the password. After entering your selection to clear the user password, you will get a message stating: “Password cleared!” At this point you can reset another user’s password or enter “!” to quit the program. It is important that you complete the remaining steps because at this point the new SAM file has not been written to the hard drive. In the menu that follows enter “q” to quit the chntpw program. At last you will be prompted with a message asking if you would like to write your changes to the hard drive. Be sure to enter “y” at this step as the default is set to “n.”

The password for the selected user has now been cleared and is blank. You can shut down Backtrack by issuing the “reboot” command and ejecting the DVD. When Windows restarts, you can log into the account by leaving the password blank.

With a little practice, this entire process, including booting Backtrack, clearing the password, and booting into Windows, can be completed in less than five minutes.


URL: //www.sciencedirect.com/science/article/pii/B9781597496551000040

X-Ways Forensics and Electronic Discovery

Brett Shavers, Eric Zimmerman, in X-Ways Forensics Practitioner’s Guide, 2014

Accessing the data

In the most basic case, simple file copying may suffice in an electronic document collection. However, this is neither the best method nor the most efficient approach. On the other end of the spectrum, creating a forensic image of an entire storage device is the most complete method, but may be overkill when only a small percentage of data may be required. Some cases may specifically prohibit forensic imaging (refer to Chapter 2 for imaging methods using XWF).

Your choices for data access can include forensic imaging, live collection on a running computer, or booting the computer to a forensic boot media such as the Windows Forensic Environment (//winfe.wordpress.com). The most efficient method is booting to the Windows Forensic Environment, where the custodian media is write protected. XWF then has access to the physical hard drive without risk of altering any data during the collection. This also lessens the risk of the custodian machine crashing due to unknown operating system problems if the collection is conducted on a live machine.

XWF Tips and Tricks

Running XWF on a non-Windows custodian machine

As XWF is a Windows-based tool, if the custodian computer is running an operating system other than Windows, you can still use XWF to collect the data. The hard drive can be removed and placed behind a write-blocking device, or, when the drive cannot be removed, just boot the custodian machine to Windows FE (//winfe.wordpress.com) and execute XWF.

Whichever method is chosen to access the custodian data, the processes involved to collect responsive data with XWF are similar. From this point, no matter which method of accessing the data is chosen, XWF will see the data in the same way. This includes a forensic image as well as data collected from a live (running) machine.


URL: //www.sciencedirect.com/science/article/pii/B9780124116054000090

Cyber Forensics

Scott R. Ellis, in Managing Information Security (Second Edition), 2013

Chapter Review Questions/Exercises

True/False

1. True or False? Cyber forensics is the acquisition, preservation, and analysis of electronically stored information (ESI) in such a way that ensures its admissibility for use as either evidence, exhibits, or demonstratives in a court of law.

2. True or False? EnCase is a commonly used forensic software program that does not allow a cyber forensic technologist to conduct an investigation of a forensic hard disk copy.

3. True or False? On a server purposed with storing surveillance video, there are three physical hard drives.

4. True or False? Cyber forensics is one of the many cyber-related fields in which the practitioner will be found in the courtroom on a given number of days of the year.

5. True or False? A temporary restraining order (TRO) will often be issued in intellectual property or employment contract disputes.

Multiple Choice

1. Typically the forensic work done in a ______________ will involve collecting information about one of the parties to be used to show that trust has been violated.
   A. Security incident
   B. Security breach
   C. Computer virus
   D. Divorce case
   E. Security policy

2. When one company begins selling a part that is _______ by another company, a lawsuit will likely be filed in federal court.
   A. Assigned
   B. Breached
   C. Detected
   D. Patented
   E. Measured

3. When a forensics practitioner needs to capture the data on a hard disk, he/she does so in a way that is:
   A. Forensically acquired
   B. Forensically mirrored
   C. Forensically sound
   D. Forensically imaged
   E. Forensically booted

4. Before conducting any sort of a capture, all steps should be documented and reviewed with a ______ before proceeding.
   A. Observer
   B. Investigator
   C. Counsel
   D. Forensic Expert
   E. Judge

5. FAT12, FAT16, and FAT32 are all types of file systems?
   A. FAT12
   B. FAT16
   C. FAT32
   D. FAT64
   E. All of the above


URL: //www.sciencedirect.com/science/article/pii/B978012416688200009X

Architecture

Kelly C. Bourne, in Application Administrators Handbook, 2014

3.12.1 Storage area network (SAN)

A SAN is a network resource that provides disk storage to other servers, for example, application servers. Instead of having a local drive that is physically attached to it, your server would be allocated drive space on a SAN. The most obvious risk when using a SAN is that all disk I/O flows across the network between the application server and the SAN device. If your network doesn’t have adequate bandwidth, then using a SAN isn’t a realistic alternative.

Why would you choose to use a SAN instead of local drives? Some of the reasons for using SAN drives are:

The organization can purchase larger, faster, more economical drives and share them across multiple application servers. This saves money and administrative effort for the organization.

If virtual servers are being used, then SAN drives must be used because a physical hard drive can’t be attached to a virtual server. Think of it this way—a virtual server doesn’t have a connector that the physical drive can be plugged into.

SAN drives are more flexible than local drives that are physically connected to the server. For example, say your application was loaded onto a 100 GB D: drive attached to the server. If all 100GB of it gets used up, what can you do? You could buy a larger drive and copy everything from the old drive to the new drive. Of course, this will require that the application be down. You could purchase an additional drive and install it as the E: drive. Then you would have to configure the application to recognize and use the new drive. You might also need to copy at least some files from the D: drive to the E: drive to free up disk space on the D: drive. If a SAN drive were being used, you would just have to contact the SAN team and request that your D: drive be enlarged. That’s it. No muss, no fuss, and no down time.

The SAN team can configure the physical drives behind the SAN using RAID (Redundant Array of Independent Disks) technology. RAID can provide faster access and redundancy so if one of the drives goes down, no data will be lost and the application can keep on working.

As the Application Administrator, you’re “outsourcing” responsibility of storage resources to a dedicated team. You don’t have to become an expert in storage technology. One team is dedicated to this specialty and they make decisions for the entire organization.

Backups can be administered for the entire organization instead of on an application-by-application basis. This can make the backup process faster, more consistent, and more reliable. Again, it lets you as the Application Administrator outsource this facet to a dedicated team.

One question that you need to confirm with the vendor is whether the application supports SAN drives. Some applications aren’t certified to be used with SAN drives. The reasoning behind this is that the vendor thinks that the performance of a SAN drive doesn’t meet the application’s needs. Essentially, if the SAN is slow, then the application will be slow. The vendor doesn’t want to be blamed if the network or SAN is slow.

A word of advice here—if your application exhibits performance problems and the server uses SAN storage, it’s very likely that the vendor support team will blame the problem on SAN. On the other side, your internal SAN or network team will insist that the problem isn’t due to either SAN or the network. This leaves you in a very awkward position. The best you can do is to gather statistics on network performance to help identify the root cause of the problem. Better yet, have baseline network statistics from when the application’s performance was “normal.” This will give you something to compare the current, i.e., bad, statistics with.

Some of the most widely used SAN packages include:

3PAR

Dell

EMC

HDS

HP

IBM

Intransa

MPC

Sun Microsystems

Xiotech

How can you find out if your organization is using SAN instead of local drives? The most definitive way is to ask the technical staff in your data center. There are commands that can provide this information, but there are a lot of exceptions to what they return. Asking the group that built the server will ensure you get the correct answer for all circumstances.


URL: //www.sciencedirect.com/science/article/pii/B9780123985453000030

Using the DTF model to process digital media

Stephen Pearson, Richard Watson, in Digital Triage Forensics, 2010

Connecting the external evidence drive

If you are using the EDAS system or another forensic system, you will need to use a collection or target drive for the cases and images that will be stored during the investigation. The drive will need to be wiped initially, and a report showing that the drive has been wiped needs to be maintained. The wiping of the drive is extremely important, as it gives you a clean starting point and follows the pillars of forensics. To wipe the drive, we will use an application called Forensic Replicator (Paraben Corporation). Do not use the computer system that you are conducting the investigation with to house the evidence data files as this will turn your computer into an evidence container itself. Always save the evidence files to an external storage container. This is a very important rule to remember.

Connecting the external drive:

1. We recommend that you use at least a 1 TB external drive.
2. Try to stay away from unpowered external drives, as they draw significant power from the system and can be unreliable.
3. Connect the external drive to the USB cable.
4. Switch on the power to the external drive.
5. Connect the USB cable to the laptop.
6. Continue to follow these steps if this is the first time that you are using the external drive or if the drive needs to be recycled. Note: You only have to wipe the drive when using it for the first time or resetting the drive to be reused in future investigations.

1. Open Paraben Forensic Replicator.
2. Find the icon on the desktop for the Forensic Replicator.
3. Double click on the Forensic Replicator icon.
4. The Replicator application will launch.
5. In Forensic Replicator, click > File.
6. On the File menu, click > Erase all data from a physical drive.
7. On the popup dialogue box, choose the radio button > Do a slow DoD 5220.22-M wipe.
8. Click “Yes” on the write blocker warning that is displayed.
9. From the “Select a physical hard drive to fully erase” dialogue box, choose the physical drive you wish to wipe. If you do not know which drive it is, you can refer back to the MMC on the previous pages to get that information.
10. Once you have chosen the drive to wipe, click > Finish.
11. A final warning will be displayed: click > OK.
12. Once the drive has been fully wiped, you have the option to run a checksum.
13. Run the checksum option.
14. Once the drive has been wiped, print the report and keep it for your records.
15. Your evidence drive is now ready to be partitioned for use.
16. To do this, we must use the Disk Management application. This application is included with every Windows operating system.
17. To access the Disk Management application, click on the Start button in the bottom left of your Windows desktop screen.
18. From the Start menu, find the My Computer link.
19. Right click on the My Computer link.
20. Select the menu option “Manage.”
21. From the Manage screen, find the selection for “Disk Management.”
22. Click on “Disk Management.”
23. When you open the Disk Management screen, a dialogue box will pop up asking you to activate the drive that you just wiped. If this screen does not appear, you may need to reseat the external hard drive.
24. Turn the power off, and then turn the power back on.
25. This should cause the dialogue box to appear.
26. Check the box next to the drive and activate the drive.
27. Once the drive is activated, the display will change to show the physical drives.
28. Find the external drive and click on the unallocated space in the drive window.
29. Right click the unallocated space area and select Create > New Partition.
30. Select > Primary Partition.
31. Select > NTFS or FAT32 from the File Type options.
32. Select > the size of the drive. You do not have to use the maximum size. If you are sharing the drive with other investigators, you may want to create multiple partitions. Remember that 1024 is 1 K, so a 2-GB drive would be 2048.
33. Create the partition at that size and select quick format.
34. Select > Finish to create the partition.
35. Repeat these steps to make as many partitions as you need.
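The wipe report the procedure tells you to keep (steps 12 to 14) can also be produced independently of the wiping tool. The following is an added example, not code from Digital Triage Forensics or from Paraben's Forensic Replicator: it streams the collection drive, confirms that every byte is zero, records the first non-zero offset if the wipe was incomplete, and writes a SHA-256 checksum report for the case file. The device path is an assumption (on Windows it would be a raw device such as `\\.\PhysicalDrive2`, opened as Administrator); the stand-alone run uses a constructed image file in place of a real drive.

```python
"""Verify a wiped collection drive and record a checksum report (added example)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads: a 1 TB drive is never loaded into memory at once


def verify_wipe(device_path, chunk_size=CHUNK):
    """Stream the device, hash every byte, and note the first non-zero offset (if any)."""
    sha256 = hashlib.sha256()
    total = 0
    first_nonzero = None
    zero_block = bytes(chunk_size)  # reference block to compare each chunk against
    with open(device_path, "rb", buffering=0) as dev:
        while True:
            data = dev.read(chunk_size)
            if not data:
                break
            sha256.update(data)
            if first_nonzero is None and data != zero_block[: len(data)]:
                # Locate the exact offending byte so the report says where the wipe failed.
                idx = next(i for i, b in enumerate(data) if b)
                first_nonzero = total + idx
            total += len(data)
    return {
        "device": device_path,  # assumed path, e.g. r"\\.\PhysicalDrive2" on Windows
        "bytes_read": total,
        "wiped": first_nonzero is None,
        "first_nonzero_offset": first_nonzero,
        "sha256": sha256.hexdigest(),
        "verified_at": datetime.now(timezone.utc).isoformat(),
    }


def write_report(result, report_path):
    """Persist the verification result as the printable record kept with the case."""
    with open(report_path, "w", encoding="utf-8") as fh:
        json.dump(result, fh, indent=2)
    return report_path


def make_sample_image(data):
    """Write a constructed image file standing in for a drive; returns its path."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        return tmp.name


if __name__ == "__main__":
    # Constructed sample: 4 MiB of zeros, as a fully wiped drive would read.
    print(json.dumps(verify_wipe(make_sample_image(bytes(4 << 20))), indent=2))
```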


URL: //www.sciencedirect.com/science/article/pii/B9781597495967000048

When a new hard disk is added to a computer it is initially configured as a basic disk?

When a new hard disk is added to a computer it is initially configured as a dynamic disk. A basic disk can contain only one primary partition. Dynamic disk storage provides the flexibility to logically organize disk space across one or more disk drives.

Which of the following would be true if all the GPOs were successfully applied to a user?

Which of the following would be true if all the GPOs were successfully applied to a user? There would be no conflicts between the policies.

Which of the following accounts will you create during the installation of Windows 10?

The Administrator account is the first account that is created during the Windows installation. The Administrator account has full control of the files, directories, services, and other resources on the local device.

Which of the following cmdlets will you use to create local users using Windows PowerShell?

The New-LocalUser cmdlet creates a local user account.
