USB Drive Forensic Analysis with Kali Linux

The back story of the challenge: a company is probably being blackmailed by an employee, who is suspected of having stored the relevant data on a USB drive. USB drives often hold key evidence in an investigation. The goal is to analyze the drive image and find out whether it contains suspicious data and evidence relating to the blackmail. The employee might have tried to delete the data from the USB stick to cover his tracks. All commands below run against the forensic image usb.dd, never against the original stick; in a real case you would hash the image before and after the analysis to show it was not altered. The following summary does not reflect how a professional forensic analyst would proceed in such a scenario; rather, I want to shed light on some forensic tools which can be used for conducting an analysis. I am not a forensic analyst, but eager to learn new stuff.
# file usb.dd
usb.dd: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS    ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 2048, dos < 4.0 BootSector (0x0), FAT (1Y bit by descriptor); NTFS, sectors/track 63, physical drive 0x80, sectors 1048575, $MFT start cluster 43690, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 0ae78e78878e74da1; contains bootstrap BOOTMGR
# minfo -i usb.dd
device information:
===================
filename="usb.dd"
sectors per track: 63
heads: 255
cylinders: 0
media byte: f8
mformat command line: mformat -t 0 -h 255 -s 63 -i "usb.dd" ::

bootsector information
======================
banner:"NTFS    "
sector size: 512 bytes
cluster size: 8 sectors
reserved (boot) sectors: 0
fats: 0
max available root directory slots: 0
small size: 0 sectors
media descriptor byte: 0xf8
sectors per fat: 0
...

minfo is the mtools utility for FAT volumes, so on this NTFS image everything FAT-specific (reserved boot sectors, number of FATs, root directory slots, sectors per FAT) reads 0. Those zeros are not a defect of the image: together with the "NTFS    " banner they confirm that the file system is not FAT and that minfo is the wrong tool for the rest of the analysis.
hex dump of sector 0 (the boot sector)

Refer to the source referenced above for the meaning of the individual bytes. The two bytes 0x55AA at offset 510 are the boot-sector signature that ends the sector. Note that on this image sector 0 is not a master boot record with a partition table but the NTFS volume boot record (VBR) itself: the `file` output above reports the OEM ID "NTFS    " and the $MFT start cluster, fields that only exist in a VBR. The label "DOS/MBR boot sector" is simply what `file` prints for any sector that ends in 0x55AA.
# foremost usb.dd
# cat output/audit.txt
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File
Foremost started at Tue Oct 29 17:23:35 2019
Invocation: foremost usb.dd 
Output directory: /home/Downloads/output
Configuration file: /etc/foremost.conf
------------------------------------------------------------------
File: usb.dd
Start: Tue Oct 29 17:23:35 2019
Length: 512 MB (536870912 bytes)
 
Num  Name (bs=512)        Size  File Offset  Comment
0: 00190200.wav        45 KB     97382400   
...  
6: 00192148.htm       396 KB     98380080   
7: 00192942.htm         15 B     98786413   
8: 00195347.htm        908 B    100017803   
9: 00137687.jar        25 MB     70495757   
10: 00198696.zip         5 MB    101732352   
...
32: ...
Finish: Tue Oct 29 17:23:44 2019

33 FILES EXTRACTED
 
jpg:= 7
gif:= 3
bmp:= 1
rif:= 1
htm:= 12
zip:= 4
png:= 2
pdf:= 3
------------------------------------------------------------------

Two details of the audit file are worth knowing. foremost names each carved file after the 512-byte block in which it starts (97382400 / 512 = 190200, hence 00190200.wav), so the name tells you where in the image the data sits. The per-type counts at the bottom add up to 33 but list neither wav nor jar: the WAV is counted under rif (the RIFF container type) and the JAR under zip, which is why those two types get output directories but no line of their own.
# ls -l output
total 40
-rw-r--r-- 1 root root 2265 Oct 29 17:23 audit.txt
drwxr-xr-- 2 root root 4096 Oct 29 17:23 bmp
drwxr-xr-- 2 root root 4096 Oct 29 17:23 gif
drwxr-xr-- 2 root root 4096 Oct 29 17:23 htm
drwxr-xr-- 2 root root 4096 Oct 29 17:23 jar
drwxr-xr-- 2 root root 4096 Oct 29 17:23 jpg
drwxr-xr-- 2 root root 4096 Oct 29 17:23 pdf
drwxr-xr-- 2 root root 4096 Oct 29 17:23 png
drwxr-xr-- 2 root root 4096 Oct 29 17:23 wav
drwxr-xr-- 2 root root 4096 Oct 29 17:23 zip
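To see what foremost does under the hood, here is a minimal header/footer carver, added as an example (it is not foremost's code): it scans a constructed 64 KiB stand-in for usb.dd for a handful of signatures taken from foremost.conf, carves each hit up to its footer or up to the type's maximum size when the footer is missing, and names the output after the starting 512-byte block exactly as the audit file above does (97382400 / 512 = 190200 gives 00190200.wav). The sample files, their offsets and the 64 KiB image are all constructed for the example.

```python
"""Header/footer carving in the spirit of foremost, with foremost's naming
(start offset // 512, zero-padded to eight digits).
Added example, not foremost's code; the image and sample files are CONSTRUCTED."""
import io
import struct
import zipfile
import zlib

BLOCK = 512
# (extension, header, footer, bytes kept after the footer, max carve size): subset of foremost.conf
SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 0, 20 * 1024 * 1024),
    ("jpg", b"\xff\xd8\xff\xe0\x00\x10", b"\xff\xd9", 0, 20 * 1024 * 1024),   # JFIF only
    ("pdf", b"%PDF-", b"%%EOF", 0, 20 * 1024 * 1024),
    ("zip", b"PK\x03\x04", b"PK\x05\x06", 18, 100 * 1024 * 1024),            # EOCD is 22 bytes
]

def carve(image, signatures=SIGNATURES):
    """Scan for each header, then for its footer; one dict per hit, foremost-style name."""
    hits = []
    for ext, header, footer, tail, max_size in signatures:
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            complete = end != -1
            size = end + len(footer) + tail - pos if complete else max_size
            size = min(size, len(image) - pos)          # no footer: keep max_size, like foremost
            hits.append({"name": f"{pos // BLOCK:08d}.{ext}", "ext": ext,
                         "offset": pos, "size": size, "complete": complete})
            pos = image.find(header, pos + (size if complete else 1))
    return hits

def extract(image, hit):
    return image[hit["offset"]:hit["offset"] + hit["size"]]

def audit_lines(hits):
    """Rows in the layout of foremost's audit.txt (sizes in bytes here)."""
    return [f"{i}: {h['name']:<18} {h['size']:>6} B {h['offset']:>12}" for i, h in enumerate(hits)]

def png_chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

# Constructed sample files: a 1x1 grayscale PNG, a JFIF stub, a minimal PDF.
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + png_chunk(b"IEND", b""))
SAMPLE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00H\x00H\x00\x00" + bytes(100) + b"\xff\xd9"
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF"

def build_sample_zip():
    """A real (stored) ZIP with one member, built in memory with a fixed timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        info = zipfile.ZipInfo("notes.txt", date_time=(2019, 10, 29, 17, 23, 0))
        zf.writestr(info, "constructed sample payload")
    return buf.getvalue()

def build_sample_image():
    """Constructed stand-in for usb.dd: 64 KiB of zeros with four files planted in it."""
    img = bytearray(64 * 1024)
    for off, blob in ((4096, SAMPLE_PNG), (12295, SAMPLE_JPG), (20480, SAMPLE_PDF), (32768, build_sample_zip())):
        img[off:off + len(blob)] = blob
    return bytes(img)

def carve_sample():
    """Carve the constructed image and index the hits by their foremost-style name."""
    return {h["name"]: h for h in carve(build_sample_image())}

def zip_names(blob):
    """Prove a carved ZIP is intact by listing its members."""
    return zipfile.ZipFile(io.BytesIO(blob)).namelist()

if __name__ == "__main__":
    for line in audit_lines(carve(build_sample_image())):
        print(line)
```

The JPEG planted at byte 12295 is deliberately not sector-aligned: it still carves correctly, and its name 00000024.jpg is derived from 12295 // 512, which is why foremost's names are only approximate locations. Real carving adds what this stub leaves out (the -q block-aligned quick mode, type-specific validation of the carved bytes, and handling of fragmented files), but the signature scan and the naming are the same.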
# fls usb_stick.dd
r/r 4-128-4: $AttrDef
r/r 8-128-2: $BadClus
r/r 8-128-1: $BadClus:$Bad
r/r 6-128-1: $Bitmap
r/r 7-128-1: $Boot
d/d 11-144-4: $Extend
r/r 2-128-1: $LogFile
r/r 0-128-6: $MFT
r/r 1-128-1: $MFTMirr
r/r 9-128-8: $Secure:$SDS
r/r 9-144-11: $Secure:$SDH
r/r 9-144-14: $Secure:$SII
r/r 10-128-1: $UpCase
r/r 10-128-4: $UpCase:$Info
r/r 3-128-3: $Volume
d/d 717-144-1: docs
d/d 39-144-1: html
d/d 36-144-1: System Volume Information
d/d 57-144-1: Tools
d/d 708-144-5: ZZZ
-/r * 716-128-1: blackmail.docx

How to read an fls line: the first column gives the entry type as seen from the directory entry and from the metadata (r = regular file, d = directory; a "-" means fls could not tell from a directory entry, which is the case for deleted names that only survive in the MFT), an asterisk marks a deleted entry, and the address is MFT entry number, attribute type and attribute id (128 = $DATA for files, 144 = $INDEX_ROOT for directories). The record of blackmail.docx (entry 716) is therefore still intact even though the file was deleted; as long as its clusters have not been reused, the content can be recovered by MFT entry number with icat.
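The address 716-128-1 and the asterisk come straight from the MFT record, so the following Python script, added here as an example and not part of The Sleuth Kit, shows how a record turns into an fls line. It builds two constructed 1024-byte records (entry 716 for blackmail.docx with the in-use flag cleared, entry 717 for the live docs directory; timestamps zeroed, attribute ids chosen so that the addresses match the listing above), undoes the update-sequence fixups that NTFS writes at the end of every sector, walks the attribute list and formats the line.

```python
"""Turn an NTFS MFT record into the line fls prints for it.
Added example, not The Sleuth Kit's code; the records below are CONSTRUCTED."""
import struct

RECORD_SIZE, SECTOR = 1024, 512                  # fsstat: "Size of MFT Entries: 1024 bytes"
ATTR_STANDARD_INFO, ATTR_FILE_NAME = 0x10, 0x30
ATTR_DATA, ATTR_INDEX_ROOT = 0x80, 0x90          # the 128 / 144 in fls addresses
FLAG_IN_USE, FLAG_DIRECTORY = 0x01, 0x02

def resident_attr(atype, attr_id, content, name=b""):
    """Resident attribute: 24-byte header, optional UTF-16LE name, content, 8-byte aligned."""
    content_off = 0x18 + len(name)
    buf = bytearray((content_off + len(content) + 7) & ~7)
    struct.pack_into("<IIBBHHH", buf, 0, atype, len(buf), 0, len(name) // 2, 0x18, 0, attr_id)
    struct.pack_into("<IH", buf, 0x10, len(content), content_off)
    buf[0x18:content_off] = name
    buf[content_off:content_off + len(content)] = content
    return bytes(buf)

def file_name_content(parent_entry, parent_seq, name, namespace=1):
    """$FILE_NAME body: parent reference, 4 timestamps (zeroed here), sizes, flags, name."""
    fixed = struct.pack("<Q4Q2QII", (parent_seq << 48) | parent_entry, 0, 0, 0, 0, 0, 0, 0x20, 0)
    return fixed + bytes([len(name), namespace]) + name.encode("utf-16-le")

def build_record(entry, seq, in_use, is_dir, attrs):
    """Assemble a FILE record and apply the update-sequence fixups as the driver would."""
    rec = bytearray(RECORD_SIZE)
    usa_off, usa_count = 0x30, 1 + RECORD_SIZE // SECTOR     # USN plus one slot per sector
    first_attr = (usa_off + 2 * usa_count + 7) & ~7
    flags = (FLAG_IN_USE if in_use else 0) | (FLAG_DIRECTORY if is_dir else 0)
    body = b"".join(attrs) + b"\xff\xff\xff\xff"             # end-of-attributes marker
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", usa_off, usa_count, 0, seq, 1,
                     first_attr, flags, first_attr + len(body), RECORD_SIZE, 0, len(attrs), 0, entry)
    rec[first_attr:first_attr + len(body)] = body
    usn = b"\x07\x00"                                          # constructed update sequence number
    rec[usa_off:usa_off + 2] = usn
    for i in range(1, usa_count):                              # stash the last 2 bytes of each sector
        end = i * SECTOR - 2
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)

def undo_fixups(rec):
    """Restore the sector-end bytes; a mismatch means a torn or corrupt record."""
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * SECTOR - 2
        if bytes(rec[end:end + 2]) != usn:
            raise ValueError("update sequence mismatch in sector %d" % i)
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def iter_attributes(rec):
    """Yield (type, id, resident content) up to the 0xFFFFFFFF end marker."""
    off = struct.unpack_from("<H", rec, 0x14)[0]
    while off + 0x10 <= len(rec):
        atype, length = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or length < 0x10:
            break
        attr_id, content = struct.unpack_from("<H", rec, off + 0x0E)[0], b""
        if rec[off + 8] == 0:                                  # resident: content lives in the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
        yield atype, attr_id, content
        off += length

def parse_record(rec):
    rec = undo_fixups(rec)
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    flags = struct.unpack_from("<H", rec, 0x16)[0]
    info = {"entry": struct.unpack_from("<I", rec, 0x2C)[0], "in_use": bool(flags & FLAG_IN_USE),
            "is_dir": bool(flags & FLAG_DIRECTORY), "name": None, "parent": None,
            "data_id": None, "index_id": None}
    for atype, attr_id, content in iter_attributes(rec):
        if atype == ATTR_FILE_NAME and (info["name"] is None or content[0x41] != 2):  # prefer non-8.3 name
            info["name"] = content[0x42:0x42 + 2 * content[0x40]].decode("utf-16-le")
            info["parent"] = struct.unpack_from("<Q", content, 0)[0] & 0xFFFFFFFFFFFF
        elif atype == ATTR_DATA and info["data_id"] is None:
            info["data_id"] = attr_id
        elif atype == ATTR_INDEX_ROOT and info["index_id"] is None:
            info["index_id"] = attr_id
    return info

def fls_line(rec):
    """fls layout: <directory-entry type>/<metadata type> [*] entry-attrtype-attrid: name."""
    info = parse_record(rec)
    meta = "d" if info["is_dir"] else "r"
    dirent = meta if info["in_use"] else "-"   # a deleted name is known only from its MFT record
    atype, aid = (ATTR_INDEX_ROOT, info["index_id"]) if info["is_dir"] else (ATTR_DATA, info["data_id"])
    return f"{dirent}/{meta} {'' if info['in_use'] else '* '}{info['entry']}-{atype}-{aid}: {info['name']}"

def build_blackmail_record():
    """Entry 716 under the root directory (entry 5): record intact, in-use flag cleared."""
    attrs = [resident_attr(ATTR_STANDARD_INFO, 0, bytes(0x30)),
             resident_attr(ATTR_DATA, 1, b"constructed payload"),
             resident_attr(ATTR_FILE_NAME, 2, file_name_content(5, 5, "blackmail.docx"))]
    return build_record(716, 2, in_use=False, is_dir=False, attrs=attrs)

def build_docs_record():
    """Entry 717, the live docs directory (its $INDEX_ROOT is named $I30)."""
    attrs = [resident_attr(ATTR_STANDARD_INFO, 0, bytes(0x30)),
             resident_attr(ATTR_INDEX_ROOT, 1, bytes(0x20), name="$I30".encode("utf-16-le")),
             resident_attr(ATTR_FILE_NAME, 2, file_name_content(5, 5, "docs"))]
    return build_record(717, 1, in_use=True, is_dir=True, attrs=attrs)
```

Deleting a file on NTFS clears the in-use bit in the record and removes the name from the parent's index; the $FILE_NAME and $DATA attributes stay in place until the record is reused, which is exactly why fls can still print the name and why icat can still follow the data runs. The fixup check matters on real images: a record whose sector-end bytes do not match the update sequence number was only partially written and should be treated with suspicion.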
# fdisk -lu usb.dd
Disk usb.dd: 512 MiB, 536870912 bytes, 1048576 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x73736572

Device  Boot      Start        End    Sectors   Size Id Type
usb.dd1      1920221984 3736432267 1816210284   866G 72 unknown
usb.dd2      1936028192 3889681299 1953653108 931.6G 6c unknown
usb.dd3               0          0          0     0B  0 Empty
usb.dd4        27722122   27722568        447 223.5K  0 Empty

Partition table entries are not in disk order.

This partition table is meaningless and must not be used: partitions of 866G and 931.6G cannot exist on a 512 MiB image. fdisk blindly decodes bytes 0x1BE-0x1FD of sector 0 as four partition entries, but on this image sector 0 is the NTFS volume boot record, so those bytes are bootstrap code (the "disk identifier" 0x73736572 is just the ASCII text "ress" from it read as a little-endian integer). usb.dd is a volume image, not a whole-disk image, which is also why fsstat and fls work on it without an offset.
# fsstat usb.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: AE78E78878E74DA1
OEM Name: NTFS    
Volume Name: USB Drive
Version: Windows XP

METADATA INFORMATION
--------------------------------------------
First Cluster of MFT: 43690
First Cluster of MFT Mirror: 2
Size of MFT Entries: 1024 bytes
Size of Index Records: 4096 bytes
Range: 0 - 768
Root Directory: 5

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 0 - 131070
Total Sector Range: 0 - 1048574

These values are consistent with the `file` output at the top: 8 sectors of 512 bytes give the 4096-byte cluster, 1048575 sectors / 8 give 131071 clusters (range 0 - 131070), and the $MFT starts at cluster 43690, i.e. byte offset 43690 * 4096. The MFT entry size of 1024 bytes is also what file's odd "bytes/RecordSegment 2^(-1*246)" means: the byte at offset 0x40 is 0xF6, which is -10 as a signed value, so the record size is 2^10; file prints it unsigned.
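The fields that `file` and `fsstat` print come from fixed offsets in the NTFS volume boot record, and the same 512 bytes are what `fdisk` misread as a partition table above. The following Python script is an added example, not from the original post and not the code of any of those tools: it builds a boot sector from the values reported on this page (the bootstrap area is left empty apart from the bytes fdisk decoded, whose status bytes are an assumption), decodes it the way fsstat does, and applies the plausibility check that rejects the bogus partition table.

```python
"""Decode an NTFS boot sector (VBR) into the fields file/fsstat print, and show
why fdisk reads the same sector as a nonsense partition table.
Added example, not from the post; the sector is CONSTRUCTED from the page's values."""
import struct

SECTOR = 512

def build_sample_vbr():
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x52\x90"                              # jmp: file says "code offset 0x52+2"
    s[3:11] = b"NTFS    "                                 # OEM ID
    struct.pack_into("<HBH", s, 0x0B, 512, 8, 0)          # bytes/sector, sectors/cluster, reserved
    s[0x15] = 0xF8                                        # media descriptor
    struct.pack_into("<HHI", s, 0x18, 63, 255, 2048)      # sectors/track, heads, hidden sectors
    struct.pack_into("<QQQ", s, 0x28, 1048575, 43690, 2)  # total sectors, $MFT, $MFTMirr clusters
    s[0x40] = 0xF6                                        # clusters per MFT record (signed: -10)
    s[0x44] = 0x01                                        # clusters per index record
    struct.pack_into("<Q", s, 0x48, 0xAE78E78878E74DA1)   # volume serial number
    struct.pack_into("<I", s, 0x1B8, 0x73736572)          # fdisk's "disk identifier": ASCII "ress"
    fake_parts = [(0x72, 1920221984, 1816210284), (0x6C, 1936028192, 1953653108),
                  (0x00, 0, 0), (0x00, 27722122, 447)]   # the four rows fdisk printed; status assumed 0
    for i, (ptype, start, count) in enumerate(fake_parts):
        struct.pack_into("<B3xB3xII", s, 0x1BE + 16 * i, 0, ptype, start, count)
    s[0x1FE:0x200] = b"\x55\xaa"                          # signature at offset 510
    return bytes(s)

def parse_vbr(sector):
    """The fields fsstat/file report; raises if the 0x55AA signature is missing."""
    if len(sector) < SECTOR or sector[0x1FE:0x200] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: not a boot sector")
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)
    spt, heads, hidden = struct.unpack_from("<HHI", sector, 0x18)
    total, mft, mftmirr = struct.unpack_from("<QQQ", sector, 0x28)
    rec_code = struct.unpack_from("<b", sector, 0x40)[0]   # signed!
    idx_code = struct.unpack_from("<b", sector, 0x44)[0]
    serial = struct.unpack_from("<Q", sector, 0x48)[0]
    cluster = bps * spc
    # Negative codes mean 2^|code| bytes (0xF6 = -10 -> 1024); positive codes count clusters.
    size_of = lambda code: 2 ** -code if code < 0 else code * cluster
    return {
        "oem": sector[3:11].decode("ascii"), "sector_size": bps, "cluster_size": cluster,
        "media": sector[0x15], "geometry": (spt, heads, hidden),
        "total_sectors": total, "last_sector": total - 1, "last_cluster": total // spc - 1,
        "mft_cluster": mft, "mft_offset": mft * cluster, "mftmirr_cluster": mftmirr,
        "mft_record_size": size_of(rec_code), "index_record_size": size_of(idx_code),
        "serial": f"{serial:016X}",
    }

def partition_entries(sector):
    """Decode the four 16-byte slots at 0x1BE exactly as fdisk does."""
    out = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, 0x1BE + 16 * i)
        out.append({"status": status, "type": ptype, "start": start, "sectors": count,
                    "end": start + count - 1 if count else 0})
    return out

def is_plausible_mbr(sector, image_sectors):
    """A real MBR has status 0x00/0x80 and every used partition inside the image."""
    for e in partition_entries(sector):
        if e["status"] not in (0x00, 0x80):
            return False
        if e["type"] and e["start"] + e["sectors"] > image_sectors:
            return False
    return True

if __name__ == "__main__":
    vbr = build_sample_vbr()
    for key, value in parse_vbr(vbr).items():
        print(f"{key:18} {value}")
    print("sector 0 is a plausible MBR:", is_plausible_mbr(vbr, 1048576))
```

Run against the constructed sector this reproduces fsstat's numbers (cluster size 4096, cluster range 0 - 131070, MFT entries of 1024 bytes, serial AE78E78878E74DA1) and fdisk's "partitions" (the first one ends at sector 3736432267, on a 1048576-sector image), and the plausibility check fails, which is the cue to treat the image as a volume rather than a disk. On a real whole-disk image you would read the VBR with the partition's start offset instead, the same value you pass to fsstat and fls with -o.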
[Screenshot: Autopsy table view, deleted files]
