Monday, December 04, 2006

Forensics Please...

Alright, I am not an expert at computer forensics. I don't claim to be, nor do I have the expertise in the field; however, over the last semester, and more importantly the last four days, I have proven that I have learned the basics.

This past semester I have been studying the techniques to access data from corrupted disks, analyze records, and look for suspicious or malicious code. Over the last four days I got to put these techniques to the test.

Here is the back story as far as I can give you:

My boss comes in one day and says, "I need you to come here for a second". Now, every time he does this I freak out, but I went into his office and talked to him about "the problem". He explained to me the current situation: his boss had been subpoenaed for a court case, and we needed to get some data off a disk so that she would have it in case she got called in. This "data" would set up a time frame for a case. Alright, not a problem; I have been getting data off disks all semester using tools like AccessData's FTK, Sleuth Kit, Autopsy, HexWorkshop, and various other tools.

He told me it was the old "stat server", which kept the statistical information of logins and logouts for the labs. It was stored in a MySQL database by my old boss (badass ninja) and his counterpart (other badass ninja). I wasn't too worried about getting the record, since the disk was supposed to be an old ext2 file system that used to run FC5. I loaded the disk up and attempted to mount it into my current Linux system, and an error popped up saying the superblock was not intact and was corrupted. My exclamation: "Oh shit!". I did not panic, just exclaimed. This was going to be harder than I thought.

My next goal was just to get the disk to do a bitstream copy like I had learned in class. Pretty simple process; it just needed another disk of the same size to hold the data. I used the dd command like so (dd if=/dev/hdc of=/dev/hdd), which copies bit for bit what is on the disk. The copy worked and I tried to mount that disk; no surprise here, the superblock was corrupted. OK, I took the copy and took it to my "workshop". I placed it in a Windows XP SP2 box and used an ext2fs manager suite to make the disk accessible from Windows. Here I used my tools HexWorkshop and FTK.

FTK is a really good tool to use on disks. I loaded the disk logically into FTK. The logical analysis looks at the partition scheme and files at a high level. At the current standpoint I didn't know how MySQL wrote to disk. I did a search for the name I was looking for; the person had been to the labs many, many times and I was hoping to see a huge listing. 0 was the number I found. I was distraught.

The next day I went to my professor and told him of my situation. He said if you are looking for MySQL, then you have to look deeper; MySQL and SQL are not like Access, which stores in files; they write to the hard disk. OK, I said, if they write to the hard disk I should be able to see them.

I went back to work and began another analysis, this time with the Physical tool in FTK. The only problem was that it took over 6 hours to load. I had to go to Nashville for an interview (another story). I let it begin loading and left for the night. I came back a day later and opened the "case file". Not expecting to find anything, I typed in a search query again. This time a smile crossed my face when over 221,783 instances were found. Yes, I had found the MySQL records. After finding out the assumed last date, we located the last known record we needed, copied it out, and finally saved all of our findings.
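What the physical search did that the logical one could not: it walked the raw sectors of the image without consulting the damaged superblock, inodes or directories, so the database rows turned up wherever their bytes lay. The following is an added example (not code from this post or from FTK) of that raw-sector keyword search over a constructed stand-in image; the record layout, the name "jdoe" and the chunk sizes are made up for illustration.

```python
import hashlib
import io
import re

SECTOR = 512

def build_sample_image() -> bytes:
    """Constructed stand-in for a dd image (not real data): zeroed sectors,
    a trashed ext2 superblock area, and two MySQL-style row fragments."""
    img = bytearray(SECTOR * 8)
    img[1024:1040] = b"\xff" * 16                     # ext2 keeps its superblock at byte 1024
    rec = b"\x01\x00jdoe\x00lab3\x002006-11-29 14:02:11\x00"
    img[3 * SECTOR + 100:3 * SECTOR + 100 + len(rec)] = rec
    img[5 * SECTOR - 4:5 * SECTOR - 4 + len(rec)] = rec  # straddles sectors 4 and 5
    return bytes(img)

def physical_search(stream, keyword: bytes, chunk: int = 4096, context: int = 12):
    """Scan raw bytes the way a 'physical' search does: no filesystem
    structure is consulted. Reads in chunks and carries the last
    len(keyword)-1 bytes forward, so a hit spanning a chunk boundary is
    still reported exactly once. Yields (offset, sector, snippet)."""
    pat = re.compile(re.escape(keyword))
    overlap = len(keyword) - 1
    carry, base = b"", 0          # base = absolute offset of carry[0]
    while True:
        data = stream.read(chunk)
        if not data:
            return
        buf = carry + data
        for m in pat.finditer(buf):
            off = base + m.start()
            lo, hi = max(0, m.start() - context), min(len(buf), m.end() + context)
            yield off, off // SECTOR, buf[lo:hi]
        carry = buf[-overlap:] if overlap else b""
        base += len(buf) - len(carry)

def search_image(image: bytes, keyword: bytes, chunk: int = 4096):
    """In-memory convenience wrapper; returns (offset, sector) pairs."""
    return [(o, s) for o, s, _ in physical_search(io.BytesIO(image), keyword, chunk)]

def image_digest(image: bytes) -> str:
    """SHA-256 of the image, recorded before and after analysis to show the copy was not altered."""
    return hashlib.sha256(image).hexdigest()

if __name__ == "__main__":
    img = build_sample_image()
    print("image sha256:", image_digest(img))
    for off, sec, snip in physical_search(io.BytesIO(img), b"jdoe", chunk=512):
        print(f"offset {off} (sector {sec}): {snip!r}")
```

On a real dd image, pass `open("image.dd", "rb")` as the stream instead of the constructed bytes; the chunked reader never loads the whole disk into memory.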

Needless to say, it was a huge relief and I felt like I was high. It was a good feeling. Like I said, I am not a forensic expert by any means, but it sure as hell felt good to use skills learned in school in a real-world application.
