Classless Inter-Domain Routing (CIDR) allocates address space on any bit boundary, instead of on 8-bit segments as in Classful addressing. The following example demonstrates how to determine possible networks, IP ranges and subnet mask from a CIDR Notation.

Consider the following CIDR notation value: 193.56.132.0/26. From it we may determine the following:

  • Subnet Mask

    A CIDR notation is constructed from an IP address and a prefix size equivalent to the number of leading 1 bits in the subnet mask. Considering the CIDR notation above, the number of bits in the mask is 26. This can then be represented as:

    11111111.11111111.11111111.11000000

    If we convert this number to Decimal, we get the following subnet mask: 255.255.255.192
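The mask derivation above generalises to the rest of the block's parameters. The following is an added example, not code from the original post: given a CIDR string it computes the subnet mask (decimal and binary), the network and broadcast addresses, the usable host range, and lists every subnet of that size inside the enclosing /24 (the "possible networks" of the introduction). It uses plain 32-bit integer arithmetic; only IPv4 dotted-quad input is handled, and the /31 and /32 special cases are treated as having no reserved addresses.

```python
# Added example (not part of the original post): compute the subnet mask,
# network, broadcast and usable host range from an IPv4 CIDR string, then list
# every subnet of that size inside the enclosing /24. Pure bit arithmetic on
# the 32-bit address; only IPv4 dotted-quad input is handled.


def parse_cidr(cidr):
    """Split '193.56.132.0/26' into (address as 32-bit int, prefix length)."""
    addr, prefix = cidr.split("/")
    octets = [int(o) for o in addr.split(".")]
    prefix = int(prefix)
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("invalid IPv4 address: %s" % addr)
    if not 0 <= prefix <= 32:
        raise ValueError("invalid prefix length: %d" % prefix)
    ip = 0
    for o in octets:
        ip = (ip << 8) | o
    return ip, prefix


def to_dotted(n):
    """32-bit int -> dotted-quad string."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def mask_from_prefix(prefix):
    """Prefix length -> subnet mask: `prefix` leading 1 bits, the rest 0."""
    return (((1 << prefix) - 1) << (32 - prefix)) & 0xFFFFFFFF


def mask_binary(mask):
    """Dotted binary form, e.g. 11111111.11111111.11111111.11000000."""
    return ".".join(format((mask >> s) & 0xFF, "08b") for s in (24, 16, 8, 0))


def describe(cidr):
    """Network parameters for a CIDR block."""
    ip, prefix = parse_cidr(cidr)
    mask = mask_from_prefix(prefix)
    network = ip & mask                          # clear the host bits
    broadcast = network | (~mask & 0xFFFFFFFF)   # set the host bits
    size = 1 << (32 - prefix)
    if prefix >= 31:
        # /31 (point-to-point) and /32 have no reserved network/broadcast address
        first, last, usable = network, broadcast, size
    else:
        first, last, usable = network + 1, broadcast - 1, size - 2
    return {
        "mask": to_dotted(mask),
        "mask_binary": mask_binary(mask),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "first_host": to_dotted(first),
        "last_host": to_dotted(last),
        "addresses": size,
        "usable_hosts": usable,
    }


def sibling_subnets(cidr, parent_prefix=24):
    """All subnets of the same size that fit inside the enclosing parent block."""
    ip, prefix = parse_cidr(cidr)
    if prefix < parent_prefix:
        raise ValueError("prefix must be at least as long as the parent prefix")
    parent = ip & mask_from_prefix(parent_prefix)
    step = 1 << (32 - prefix)              # addresses per subnet
    count = 1 << (prefix - parent_prefix)  # subnets that fit in the parent
    return ["%s/%d" % (to_dotted(parent + i * step), prefix) for i in range(count)]


if __name__ == "__main__":
    for key, value in describe("193.56.132.0/26").items():
        print("%-12s %s" % (key, value))
    print(sibling_subnets("193.56.132.0/26"))
```

For 193.56.132.0/26 this reproduces the mask 255.255.255.192 shown above, with network 193.56.132.0, broadcast 193.56.132.63, hosts .1 to .62, and the four /26 blocks that fit in 193.56.132.0/24.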

The Volatility Framework is an advanced memory forensics framework. This post aims to introduce it with a number of examples. The framework supports RAM dumps from 32- and 64-bit Windows, Linux, Mac, and Android systems.

My demonstration will take place on a Windows machine, hence I downloaded the standalone executable which comes packaged with Python and all required dependencies from:
https://www.volatilesystems.com/default/volatility.

To organise my work environment, I created a folder called ‘volatility’ in my standard Download folder and moved the standalone executable to it; in my case its name was volatility-2.1.standalone.exe.

P.S. The standalone executable is portable and can be run from removable media, e.g. a USB stick.

To use it, let us first list all available options and included plugins. This needs to be done from the Windows Command Prompt:

volatility-2.1.standalone.exe -h

This is demonstrated in the following figure.

The Volatility Framework: list options and supported plugins


Netcat (nc) is a critical tool for many tasks performed over a network. It can use either TCP or UDP to establish a connection, letting you send files to another computer, pipe the output of a program over the network, scan for ports, or just chat!

This article will demonstrate Netcat through a number of practical examples using a Linux box (BackTrack) and a Windows XP machine. While nc is shipped with BackTrack, you will need to search for and download the right version for your Windows, or just use another Linux box. On my Windows machine, all I need is the nc.exe file; I moved it to C:\WINDOWS so that it can be found easily by my Command Prompt. For this example, please note that the IP of my Windows XP is 192.168.7.131 and that of BT is 192.168.7.133.

  • Chat over the network! I used the following command to put my Windows machine in listen mode (option -l for listen) on port 2222 (-p for port). I also used -v to display information about the connection (v for verbose; you may add another v, as in -vv).
    nc -lvp 2222

    To connect, using the other machine, type

    nc 192.168.7.131 2222

    Whatever you type now, on either machine, will show on both, as in the following figure.

NetCat chat


Volatile memory (or volatile storage) is computer memory whose contents are maintained while the power is on and erased/lost every time the power supply is turned off or interrupted. Random Access Memory (RAM) is the traditional example of volatile memory. It allows fast CPU read/write access to data compared to non-volatile memory such as HDDs, where data originally resides. Hence, data is always moved from non-volatile memory into volatile memory for processing.

Computer volatile memory is acquired for different purposes. For instance, Windows can be configured to dump it to a file called Memory.DMP to serve as part of a recovery procedure in the case of system failure (e.g. BSoD). In computer forensics, however, volatile memory is acquired as evidence to be analysed.

This article will demonstrate a number of automated tools used for the acquisition of volatile memory on Windows and Linux systems. Some tools capture memory in full, while others require a process ID (PID) to acquire a memory dump for an identified process. In Linux, PIDs can be listed using ‘ps -af’. If the list is long, it can be piped through grep. For example, you can locate the Firefox process using

root@bt:~# ps -af | grep firefox

In Windows, this can be done with the Task Manager or the ‘tasklist’ command.

This blog is powered by WordPress, as indicated in the footer of these pages, and I, of course, take regular backups. Hence, I found it suitable to create this small post to highlight a few simple but important issues to consider during WordPress backups using the famous phpMyAdmin.

  1. Empty your SPAM folder. If you also have a SPAM problem (and I think you do) and rely on some sort of SPAM and Trackback filtering technology such as Akismet (this is what I use), make sure you empty your spam folder. This wouldn’t affect the size of your backup file if you have few SPAM messages, but the last time I checked, there were over 4000 different SPAM messages sent to my blog! I cannot be happy to have these in my backup file.
  2. Consider deleting revisions. Revisions are copies of your WordPress posts, each time you edit a post and save your work a new version of this post is saved along with the older one. While it is possible to turn this feature OFF, I personally prefer to make use of it but simply run the following SQL command before I take full backups to delete all of them.
    DELETE FROM wp_posts WHERE post_type = "revision";
  3. Optimize your tables. Deleting rows will not refresh information such as table sizes. Nevertheless, optimizing your tables would improve the efficiency of data retrieval and processing. You can either do that by ticking all your WordPress DB tables in phpMyAdmin and selecting Optimize from the drop-down box at the bottom, or you might choose to optimize a single table at a time using the following SQL command example
    OPTIMIZE TABLE wp_posts;

Each time I follow this simple procedure I significantly reduce the size of my backup file. For the sake of this post, I compared the result before and after I performed these steps and saw that my SQL backup file was reduced from 32 MB to only about 3 MB (yes, my blog isn’t that big!).

A solution for the ‘VMware Authorization Service is not running’ alert message, which you might get while trying to Power On a virtual machine using VMware Workstation.

Assuming that your installation is not damaged and the problem is simply that the service has stopped, you can restart it without rebooting your computer.

First, confirm that the service is included and ticked in the Services tab of msconfig:

  1. Start –> Run (or Windows-r)
  2. type msconfig
  3. click the Services tab
  4. locate ‘VMware Authorization Service’
    (P.S. you may hide all Microsoft services to reduce the list)

If you can find the service ticked, but its status is Stopped, then attempt to restart it with the following steps:

  1. Start –> Run (or Windows-r)
  2. type services.msc
  3. locate the ‘VMware Authorization Service’
  4. right-click and select Start

You should be able to Power On your VMware machines now!


A previous post analysed the Master Boot Record using a hex editor to extract information about the different partitions on a Hard Disk Drive (HDD). This article will demonstrate a number of automated tools to extract detailed information. The tools are: fdisk, mmls, fsstat and fls.

Ideally, this kind of investigation occurs on an image of the HDD. However, the objective of this article is to present these tools, not to demonstrate a professional computer forensic procedure.

For the test, I booted one of my computers using BackTrack from a USB stick and searched for the connected HDDs as in the following figure

Connected HDDs

In Linux, storage devices (and partitions) are located within the /dev directory. Naming takes place based on the following logic:

  • /dev/hda ; is the first (master) PATA/IDE hard drive
  • /dev/hdb ; is the second (slave) PATA/IDE hard drive
  • /dev/hda1 ; is partition 1 of the first (master) PATA/IDE hard drive
  • /dev/sda ; is the first (master) SATA/SCSI hard drive
  • /dev/sdb ; is the second (slave) SATA/SCSI hard drive
  • /dev/sda3 ; is partition 3 of the first (master) SATA/SCSI hard drive

As such, I searched for hda* and sda* to locate HDDs, which revealed 3 partitions on the main disk and a single partition on the second one (the USB stick I booted from).


This article will cover the structure of a generic Master Boot Record (MBR) and demonstrate how information about storage disks can be extracted and analysed manually using a hex editor such as Hex Workshop. The demonstration was performed on a Windows 7 machine.

Hex Workshop

It does not matter which hex editor you use as long as it lets you access the hard disk to analyse the selected sectors. I will outline the analysis process using Hex Workshop because:

  • I think it is ideal for the objective of this article and a few others I am writing.
  • It has a very rich set of hexadecimal development tools and you can edit, cut, copy, paste, insert, fill and delete binary data.
  • More information (including download links) can be gathered from its official website.

To avoid damaging the system or unintentionally changing data, select the Read Only option. Also, make sure you open the physical disk drive rather than a partition, so that you gain access to the whole disk and can read areas such as the MBR.

Hex Workshop: open drive in ‘Read Only’.

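What the hex editor shows at the end of sector 0 is a partition table, and reading it by hand is exactly what tools like mmls and fdisk automate. The following is an added example, not code from the original post or from Hex Workshop: it parses the four primary partition entries of a classic MBR sector, flags overlapping entries (a corruption or tampering indicator worth checking on any image), and runs against a 512-byte sector constructed inline. The layout assumed (446 bytes of boot code, four 16-byte entries at offset 446, 0x55AA signature at bytes 510-511) is the standard MBR format; the partition type names in the table are a small assumed subset for display only.

```python
import struct

# Added example (not part of the original post): parse the partition table of a
# classic MBR sector. The layout used here is the standard one (446 bytes of
# boot code, four 16-byte partition entries at offset 446, signature 0x55AA at
# bytes 510-511); the sample sector is constructed below, not taken from a disk.

MBR_SIZE = 512
TABLE_OFFSET = 446
ENTRY_SIZE = 16
SECTOR_BYTES = 512
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

# A few common partition type codes, for display only (assumed, not from the post).
PARTITION_TYPES = {
    0x05: "Extended",
    0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)",
    0x82: "Linux swap",
    0x83: "Linux",
    0xEE: "GPT protective",
}


def parse_mbr(sector):
    """Return a list of dicts, one per non-empty primary partition entry."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR sector must be exactly %d bytes" % MBR_SIZE)
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype == 0x00:
            continue  # unused slot
        entries.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
            "lba_start": lba_start,
            "sectors": count,
            "lba_end": lba_start + count - 1,
            "size_bytes": count * SECTOR_BYTES,
        })
    return entries


def find_overlaps(entries):
    """Pairs of partition indexes whose LBA ranges overlap: a sign of corruption
    or of a hand-edited table that deserves a closer look."""
    overlaps = []
    for a in entries:
        for b in entries:
            if a["index"] < b["index"] and \
               a["lba_start"] <= b["lba_end"] and b["lba_start"] <= a["lba_end"]:
                overlaps.append((a["index"], b["index"]))
    return overlaps


def build_entry(bootable, ptype, lba_start, count):
    """Pack one 16-byte entry. CHS fields are left as zero placeholders; this
    example reads only the LBA fields."""
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\x00\x00\x00",
                       ptype, b"\x00\x00\x00", lba_start, count)


def build_sample_mbr():
    """Constructed 512-byte MBR with three partitions and one empty slot."""
    return (bytes(TABLE_OFFSET)                           # boot code area, zeroed
            + build_entry(True, 0x07, 2048, 204800)       # 100 MiB bootable NTFS
            + build_entry(False, 0x83, 206848, 4194304)   # 2 GiB Linux
            + build_entry(False, 0x82, 4401152, 1048576)  # 512 MiB Linux swap
            + bytes(ENTRY_SIZE)                           # fourth slot unused
            + b"\x55\xaa")


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print("%d %-14s boot=%-5s start=%-8d end=%-8d %d MiB" % (
            p["index"], p["type_name"], p["bootable"], p["lba_start"],
            p["lba_end"], p["size_bytes"] // (1024 * 1024)))
    print("overlaps:", find_overlaps(parts))
```

To run it against a real image, replace build_sample_mbr() with the first 512 bytes read from the image file; the signature check and the overlap check are the first two things to compare against what mmls reports.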

The architecture of modern storage technologies is designed to maintain redundancy and performance in computerised systems. This objective can be achieved by combining multiple disks (or disk components) to work as a single virtual storage facility. Redundant Array of Independent Disks (RAID) is used as an umbrella term for such virtual computer data storage schemes.

There are different standard and composite RAID architectures that can stripe and mirror data among multiple disks to achieve redundancy and/or performance. These are named by the word RAID followed by a number (e.g. RAID 0, RAID 1, etc.), and each is referred to as a RAID level. When RAID is used, the storage is virtually represented as a single unit and therefore accessed by an Operating System as a single device.

The architecture of each RAID level can be described by the way data is replicated (mirrored) and/or striped at a particular level (bit level, byte level or block level, where the block size is determined by a number of bytes, i.e. larger than the other two levels). Parity data is also used in many schemes. These techniques are explained below:

FAT is the oldest file system for Windows and was mainly designed as a light-weight file system suitable for floppy disks of less than 500 kB. FAT has been supported by all Microsoft OSs since it was developed in 1977 for MS-DOS; to be more precise, FAT was used in DOS and Windows 9x (a generic term for Win95, Win98 and ME, which use the Win95 kernel codebase and the earlier MS-DOS) and is supported by the later Windows NT OSs (Windows 2000 onward), although they use NTFS instead.

How does it work?

The FAT volume is divided into the following areas, in this order:

  • Boot sector
  • Reserved area (optional)
  • FAT1
  • FAT2
  • Root directory (FAT12/16 only)
  • Data region (rest of disk)

The boot record

The boot record in the FAT file system contains critical information about the volume, the structure of the FAT file system itself, the OS to be booted, executable code and other details. Once the executable code is triggered, control is handed to the operating system loaded from the partition.
The boot record area is always located at the beginning of the FAT volume. It occupies the first sector of FAT12 and FAT16 volumes, or may take more space (3 sectors) as in a FAT32 volume.
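The "critical information about the volume" in the boot record is what lets a driver, or an analyst, find the areas listed above. The following is an added example, not code from the original post: it reads the BIOS Parameter Block fields of a FAT boot sector, computes the first sector of the FAT copies, the root directory and the data region, derives the FAT type from the cluster count, and maps a cluster number to its sector. The field offsets follow the published FAT specification, which is an assumption of this example rather than something the post shows; the FAT16 boot sector it runs against is constructed inline.

```python
import struct

# Added example (not part of the original post): read the BIOS Parameter Block
# of a FAT boot sector and locate the reserved area, the FAT copies, the root
# directory (FAT12/16) and the data region. Field offsets are those of the
# published FAT specification (an assumption of this example, not something the
# post shows); the boot sector itself is constructed here.

SIGNATURE = b"\x55\xaa"
BPB_OFFSET = 11
BPB_FMT = "<HBHBHHBH"  # bytes/sector, sectors/cluster, reserved sectors, FATs,
                       # root entries, total sectors (16-bit), media, sectors/FAT (16-bit)


def parse_fat_boot_sector(sector):
    """Return the volume layout in sector numbers plus the FAT type."""
    if len(sector) < 512 or sector[510:512] != SIGNATURE:
        raise ValueError("not a valid boot sector")
    (bytes_per_sector, sectors_per_cluster, reserved_sectors, num_fats,
     root_entries, total_sectors_16, _media, sectors_per_fat_16) = \
        struct.unpack_from(BPB_FMT, sector, BPB_OFFSET)
    total_sectors_32 = struct.unpack_from("<I", sector, 32)[0]
    sectors_per_fat_32 = struct.unpack_from("<I", sector, 36)[0]  # FAT32 only
    if 0 in (bytes_per_sector, sectors_per_cluster, num_fats):
        raise ValueError("corrupt BPB: zero-valued geometry field")
    total_sectors = total_sectors_16 or total_sectors_32
    sectors_per_fat = sectors_per_fat_16 or sectors_per_fat_32
    # The root directory has a fixed size on FAT12/16; root_entries is 0 on FAT32.
    root_dir_sectors = (root_entries * 32 + bytes_per_sector - 1) // bytes_per_sector
    fat_start = reserved_sectors                       # reserved area ends here
    root_start = fat_start + num_fats * sectors_per_fat
    data_start = root_start + root_dir_sectors
    if data_start >= total_sectors:
        raise ValueError("corrupt BPB: layout does not fit in the volume")
    cluster_count = (total_sectors - data_start) // sectors_per_cluster
    # The FAT type is decided by the cluster count, not by any on-disk label.
    if cluster_count < 4085:
        fat_type = "FAT12"
    elif cluster_count < 65525:
        fat_type = "FAT16"
    else:
        fat_type = "FAT32"
    return {
        "fat_type": fat_type,
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "reserved_sectors": reserved_sectors,
        "fat_start": fat_start,
        "num_fats": num_fats,
        "sectors_per_fat": sectors_per_fat,
        "root_start": root_start,
        "root_dir_sectors": root_dir_sectors,
        "data_start": data_start,
        "total_sectors": total_sectors,
        "cluster_count": cluster_count,
    }


def cluster_to_sector(layout, cluster):
    """Data clusters are numbered from 2; map one to its first sector."""
    if cluster < 2 or cluster >= layout["cluster_count"] + 2:
        raise ValueError("cluster out of range")
    return layout["data_start"] + (cluster - 2) * layout["sectors_per_cluster"]


def build_sample_fat16_boot_sector():
    """Constructed 64 MiB FAT16 volume: 512-byte sectors, 4 sectors per cluster,
    4 reserved sectors, 2 FATs of 128 sectors each, 512 root entries."""
    bs = bytearray(512)
    bs[0:3] = b"\xeb\x3c\x90"   # jump instruction, as on real volumes
    bs[3:11] = b"EXAMPLE "      # OEM name
    struct.pack_into(BPB_FMT, bs, BPB_OFFSET, 512, 4, 4, 2, 512, 0, 0xF8, 128)
    struct.pack_into("<I", bs, 32, 131072)  # total sectors (32-bit field)
    bs[510:512] = SIGNATURE
    return bytes(bs)


if __name__ == "__main__":
    layout = parse_fat_boot_sector(build_sample_fat16_boot_sector())
    for key in ("fat_type", "reserved_sectors", "fat_start", "root_start",
                "data_start", "cluster_count"):
        print("%-20s %s" % (key, layout[key]))
    print("cluster 2 starts at sector", cluster_to_sector(layout, 2))
```

For the constructed volume the reserved area is sectors 0 to 3, the two FATs occupy sectors 4 to 259, the root directory sectors 260 to 291, and the data region starts at sector 292; fsstat prints the same kind of layout for a real image.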

Haider’s WebSpace
Welcome to my technical blog. This is where I write, archive and share computer related articles. Subjects vary from posting technical solutions to researching particular topics. Feel free to comment and talk IT!