Friday, August 19, 2016

On Fear

“Mine is the last voice that you will ever hear. Do not be afraid.” Perhaps apropos that this came up in a song tonight. It got me thinking again about something that has been troubling me for quite a while. The context for the quote is that it came out of some civil defense preparedness training films in England in the late 70s and early 80s. If you are a fan of 80s music, and especially the 12” or remix, you may be familiar with the quote as a sample used in remixes of Frankie Goes to Hollywood’s Two Tribes. Sometimes it’s just the first sentence and sometimes it’s the whole thing. The idea of using it there was to drive home the point of what the song was about. Two Tribes is essentially a political song about the Cold War, which was probably at its height when the song was recorded, with a trigger-happy Reagan in the White House and an inscrutable and rapidly rotating collection of Soviet premiers in the Kremlin. The uncertainty and the us vs. them mentality was either at its worst or it just seemed that way, with the rhetoric being broadcast around the world as cable TV made everything more immediate.

The Cold War was just another way to bring people in line with a particular way of thinking. If you drive people to fear the enemy with a lot of language about how they are coming over to take everything away from you and kill everyone, you can get those people to get behind a lot of policies that may not be in their best interests. As it turned out in the end, the Soviets really had no ability to do anything at all to come after us. Their technology and their infrastructure was completely inadequate and they had their hands full with their neighbors. The Russian bear, as it turns out, had no bite. Same thing with Iraq and Saddam Hussein. The more things change, the more they stay the same.

We continue to be afraid of everything, simply because no one is asking the right questions. Why are you voting for the candidate you are voting for this fall? Because the other candidate would be worse. The entire campaign for both candidates will likely be entirely based around how bad the other one will be. They are using our instinct for fear of the unknown against us. How does that help us get ahead in the end? How do we ever focus on the right answers when all we are encouraged to do is be afraid of everyone else? Of course, the news media doesn’t help at all here. You get people afraid and they are more inclined to watch your product so they can know all the ways they need to be afraid. Fear almost seems to be addictive.

I see the same thing in the way we approach the problem of information security. If you present something relating to infosec even to people who have experience in the information technology (IT) field, they will often a) jump straight to a solution even before they’ve heard or understood the problem, and b) base their decision on fear of what is going to happen. Rather than taking a rational and logical approach, the immediate instinct appears to be “what is the worst thing I can imagine happening, multiplied by 10?” It’s utterly illogical and irrational. You can’t make a case for protecting yourself by saying “all the badness!!!” Hyperbole simply doesn’t help make your case. You can’t scare a business into spending a lot of money on people and technology you have no justification for.

One of my favorite questions when I do anything with risk in an online class is just having students identify a risk from their daily lives. It takes the whole concept out of the technology space. From this perspective, and if you look at the dictionary, risk is defined as exposure to the potential for loss or damage. We are talking about potential, which means you factor in probability to really get an idea of risk. I’ve had students who say that driving is a risk because they could die. Well, you’ve jumped to an extreme situation, but what is the likelihood of that? Just because death may be involved doesn’t make it more of a risk. What it means is that it is the outcome you are most afraid of, but that doesn’t mean the risk increases, because the probability of you dying on the road is really quite low. Think about the number of hours you have been driving over the course of your life and you haven’t died yet. The vast majority of people on the roads have an accumulation of driving time that measures in … years? They haven’t died. This means that it’s a very low probability, which dramatically lowers the overall risk.

Jumping straight to the thing that could lead to something you really fear is not an understanding of risk. Focusing on fear is how we currently live our lives in the modern world, though. It’s what we are encouraged to do. Look at the news. Zika virus!! Be afraid!! It’s coming to your neighborhood real soon now!! Think about all of the incidents that the news has incited us into a complete lather about, going back decades. The Communists are coming! (they didn’t) The Communists are infiltrating our government! (they didn’t in reality, and certainly no more so than we did in the other direction, so perhaps a bit hypocritical) There are razor blades in the apples you get at Halloween! (there weren’t) The Advil is poisoned! (or was it Tylenol? I forget. Either way, it wasn’t) We are programmed to react to fear. It’s a pretty serious motivator.

Wouldn’t life be so much easier if we just opted not to react every time someone attempted to provoke us to fear? Wouldn’t it be better if you were able to think critically about whether it’s realistic or probable and, thus, something to actually be concerned enough about to do something? A lack of understanding is not a risk and also not an opportunity to be afraid. It’s just an opportunity to educate yourself.

Saturday, March 26, 2016

Analyzing Virtual Images

The Sleuth Kit can be used to investigate disks and disk images, but the images don’t actually have to be copied from a real, physical disk. You can analyze a virtual image that you have created just as easily. The Sleuth Kit includes a number of very useful command line utilities that can be run on Windows, Linux and Mac OS X systems. For our purposes, this is being done on a Mac OS X system where the program was built using the Xcode Command Line Utilities, which need to be installed before you can build The Sleuth Kit. First, let’s take a look at an image that was created on a Windows system using diskpart to create a virtual disk image and then format it. Before we do anything, we need to take a look at the partition table in the image to see where the partitions are. Without that information, we can’t go much further.


You can see from the screen capture above that we have used the mmls utility from The Sleuth Kit to get the partition table. mmls tells us that this is a DOS partition table. We aren’t restricted to the type of partition table that’s on the disk, though. Let’s take a look at another virtual disk image that was created using the Mac OS X Disk Utility program. Using mmls on that, we can see a GUID partition table.


In either case, you need to locate the partition that you want to investigate. In order to get file system statistics, we can use fsstat but we need to point fsstat at the actual partition using -o to indicate the offset within the image. In our case, we are looking at the fifth slot from mmls, which has a starting offset of 40 so that’s what we tell fsstat.


From this, we can see that it’s an HFS+ file system that was last mounted by Mac OS X and that it was journaled, meaning that the operating system was keeping track of changes to the filesystem in case anything bad happened, so the changes could be replayed to reconstruct a clean copy of the data, including the metadata indicating where all of the files were located. While this is all very interesting, what we probably want to get at is the actual files within the image. For that, we can use fls. This will give us a file listing of the partition. Let’s go back to the Windows image from earlier, since it had a different partition type, file system and offset. Looking at the mmls output above, the third slot is the only one that actually carries a filesystem, so that’s the one we will use. Again, we need to provide the offset to get to the actual filesystem, and in this case the offset is 128.

Once we have the list of files that were stored in the file table, which in this case is the Master File Table (MFT) from the NT File System (NTFS), we can do a bit more digging into files if we choose to. What you see here are the entries within the file table only, and with the MFT there is a lot more information to be gathered. First, we need to know where to look. Find the entry for Diskpart1.png above. We can see that this is a regular file. There are two r’s there indicating that the filename and the metadata for the file agree. These would normally be identical, though if a file were deleted you may see a difference between them. Keep in mind that if a file has been deleted, it still remains on the disk — both the data and, in some cases, the metadata within the filesystem. There is then a chain of three numbers. The first indicates which entry in the file table we want to look at. The 128-1 indicates that this is an NTFS entry and we can ignore that. Where we want to look next is the entry in the MFT, and we can get to that using istat.


The istat utility extracts and decodes all of the information from the MFT entry for that file. You can see the filename and then the other attributes associated with it, including the $DATA attribute at the bottom. This attribute includes a list of blocks where we should be looking for the file data. The metadata (filename, permissions, access dates and times, etc.) is kept entirely separate in most cases from the actual data that’s contained in the file. If all you did was gather the contents of the file, you wouldn’t have the filename. If all you did was look at the metadata, you wouldn’t have any idea what was in the file. The two are separate but both necessary. Our starting point to gather the data for the file is in block 8346. We can use blkcat to extract the data from that block. According to fsstat for this virtual disk, we have a cluster/block size of 4096 bytes. blkcat will take care of that for us and only grab a single cluster.


Just as with the other tools, you have to tell blkcat where the actual partition starts by providing an offset within the file. This tells blkcat where the filesystem itself is, meaning the BIOS Parameter Block from which it can locate the file table. When you look at the output here, which has been piped into xxd to do the ASCII decoding for us, you can see that this is a PNG file. We knew that from the filename but filenames can lie. You are not required to use .png as a file extension for a PNG file. Windows systems maintain a list of file associations so they know what programs to launch when you want to just open the file from the Windows Explorer. That’s simply a convenience. As a result, it’s always good to verify that what you have in terms of data is what the filename and file extension tell you that you have.

One thing we didn’t look at here is the case where you may have deleted files. Typically, if a file is deleted, you would see * between the r/r and the file table entry. If you see that, it doesn’t mean the data is gone. It just means that the file has been flagged as deleted and so the entries can be recycled at some point.
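To make the offset arithmetic in this write-up concrete, here is an added Python example (my own code, not from the post and not part of The Sleuth Kit) that does by hand what mmls, blkcat -o and a content check do: it decodes a constructed DOS partition table to find each partition’s starting sector, turns a cluster number plus the partition offset into a byte position in the image, and identifies a file by its leading bytes rather than by its name. The sector offset 128, the cluster 8346 and the 4096-byte cluster size are the values from the post; the sample MBR, its partition length and the signature table are assumptions constructed for the example.

```python
import struct

SECTOR = 512  # bytes per sector: the unit mmls reports and that -o expects


def build_sample_mbr(start_sector=128, length_sectors=204672, ptype=0x07):
    """Constructed sample: a 512-byte MBR holding one NTFS (type 0x07)
    partition that starts at sector 128, like the Windows image in the post."""
    mbr = bytearray(SECTOR)
    # partition entry: boot flag, CHS start (ignored), type, CHS end (ignored),
    # LBA start, LBA length; all little-endian
    entry = struct.pack("<B3sB3sII", 0x80, b"\xff\xff\xff", ptype,
                        b"\xff\xff\xff", start_sector, length_sectors)
    mbr[446:462] = entry
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)


def parse_mbr(sector0):
    """Decode the four primary slots of a DOS partition table, roughly what
    mmls prints for a DOS-labelled disk. Returns only the populated slots."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: not a DOS partition table")
    parts = []
    for slot in range(4):
        e = sector0[446 + 16 * slot: 462 + 16 * slot]
        ptype = e[4]
        start, length = struct.unpack_from("<II", e, 8)
        if ptype == 0 or length == 0:
            continue  # empty slot
        parts.append({"slot": slot, "type": ptype, "start": start,
                      "length": length, "end": start + length - 1,
                      "bootable": bool(e[0] & 0x80)})
    return parts


def cluster_to_image_offset(part_start_sector, cluster, cluster_size=4096):
    """Byte position in the image of a filesystem block/cluster. NTFS cluster
    numbers count from the partition start, so the partition's sector offset
    (the -o value) has to be added first."""
    return part_start_sector * SECTOR + cluster * cluster_size


# Assumed signature table (not from the post): leading bytes of common formats.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
}


def identify_by_magic(data):
    """Name the format by its first bytes, ignoring whatever the name says."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def extension_matches(filename, data):
    """True when the file extension agrees with the content signature."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpg": "jpeg"}.get(ext, ext)
    return ext == identify_by_magic(data)


if __name__ == "__main__":
    table = parse_mbr(build_sample_mbr())
    print("Slot  Start      End        Length     Type")
    for p in table:
        print(f"{p['slot']:<5} {p['start']:<10} {p['end']:<10} "
              f"{p['length']:<10} 0x{p['type']:02x}")
    ntfs = table[0]
    print("blkcat -o", ntfs["start"], "image 8346 reads image byte",
          cluster_to_image_offset(ntfs["start"], 8346))
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"  # constructed
    print("Diskpart1.png:", identify_by_magic(png_header),
          "extension ok:", extension_matches("Diskpart1.png", png_header))
```

The same parse_mbr can be pointed at the first 512 bytes of a real image file; a GUID partition table (as on the Disk Utility image) keeps a protective MBR with a single type 0xEE entry, which is the signal to read the GPT header at sector 1 instead.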

Creating Disk Images

Let’s say you want to play around with disk analysis but you really want something small to use. If you just want to tinker around with some forensics tools, why would you want to use even a multi-gigabyte USB stick? It’s much easier to just create a small disk image to use, though you won’t be able to put many files on it. If you don’t need that, there are easy ways to create disk images on each of the three primary operating systems — Windows, Linux and Mac OS X. Of course, the quickest way is to use a virtual machine. Using a virtual machine, you can add a second hard disk that you can make use of from inside a guest operating system that you are running your forensics tools on. Using Parallels, virtualization software for Mac OS X, you can add an additional hard drive by customizing the virtual machine, as you can see below.


If you don’t want to use virtualization but just the operating system your computer came with, you can use tools that are already built in. On the Windows side, you would use DiskPart. DiskPart is a command line program, so launch the Command Prompt program, found in various places in the menus depending on the version of Windows you are running. DiskPart can be used to create a virtual image. DiskPart uses an interactive shell to issue commands. As a result, you start up DiskPart and it dumps you into the shell. Once you are there, you tell DiskPart to create a virtual disk image, as you can see below.


Once the virtual disk is created, we have to attach it to the system. Once it’s attached, you create a partition, assign it a drive letter and format it. Once you have done all of that, as you can see in the capture below, you have a working disk that is attached to your Windows system with a drive letter and it will show up in Windows Explorer. Once you have created the partition and assigned the letter, Windows will pop up a message saying there is an uninitialized disk and would you like to initialize it. You can initialize it using the dialog box or just type format in DiskPart and you have a formatted drive that is really just a file.


Using Linux requires multiple utilities as opposed to the single utility that Windows provides. Using Linux, we can create an empty file using dd. In the screen capture below, you can see dd creating a file using /dev/zero as the input source. This is a logical device that just generates 0s. We set the block size to 512, which is mostly meaningless other than that, together with the count, it determines the size. 512 bytes * 200000 gives us a file that’s roughly 100M. Once we have the file, we can partition it just as you would a regular disk device.


As soon as we have partitioned it, we need to format it. Before we do that, we need to create a device file. We do that using losetup. Since there was already a loop device, the first thing is to delete the existing one using losetup -d, as you can see in the screen capture below. We need to skip past the master boot record and the reserved sectors, which we do using --offset. Then you provide losetup with a device file, which we are calling /dev/loop0, since devices belong in the /dev directory. Once you have the device set up, you can format and mount it. You can format it with any format that you would like, but in the screen capture below you can see that it is formatted using the ext4 filesystem. As soon as we have formatted it, it’s ready for use, but we need to mount it to a mountpoint within the filesystem. In the example below, we’ve mounted it to /mnt. As soon as it’s mounted, you can use it just as you would any other directory and start copying files to it, though keep in mind that in our example we are limited to 100M.
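As an added Python counterpart to the Linux steps (my own example, not from the post or from dd, fdisk or losetup), the script below creates the zero-filled image that the dd command produces, writes a single-partition DOS table into it the way fdisk’s defaults would, and works out the byte value that losetup --offset needs so the loop device starts at the filesystem rather than at the MBR. The 200000-sector size is the post’s; the partition start sector of 2048 and the Linux partition type 0x83 are assumptions. Formatting and mounting still require mkfs and mount run as root, so the script only prints those commands.

```python
import os
import struct
import tempfile

SECTOR = 512


def create_blank_image(path, sectors=200000):
    """Same result as `dd if=/dev/zero of=path bs=512 count=200000`, but as a
    sparse file: reads return zeros without every byte being written."""
    with open(path, "wb") as f:
        f.truncate(sectors * SECTOR)
    return os.path.getsize(path)


def write_single_partition(path, start_sector=2048, ptype=0x83):
    """Write a DOS partition table with one entry that starts at start_sector
    and runs to the end of the image, as fdisk's defaults would produce.
    Assumed values (not from the post): start 2048, type 0x83 (Linux)."""
    total = os.path.getsize(path) // SECTOR
    if start_sector >= total:
        raise ValueError("partition start lies beyond the end of the image")
    length = total - start_sector
    # boot flag, CHS start (unused), type, CHS end (unused), LBA start, LBA length
    entry = struct.pack("<B3sB3sII", 0x00, b"\xfe\xff\xff", ptype,
                        b"\xfe\xff\xff", start_sector, length)
    with open(path, "r+b") as f:
        f.seek(446)
        f.write(entry)
        f.seek(510)
        f.write(b"\x55\xaa")  # boot signature that marks a DOS table
    return start_sector, length


def read_partition_entry(path):
    """Read back the first slot's LBA start and length as a sanity check."""
    with open(path, "rb") as f:
        f.seek(446 + 8)
        return struct.unpack("<II", f.read(8))


def loop_offset_bytes(start_sector):
    """losetup --offset takes bytes, so skipping the MBR and the reserved
    sectors means converting the partition's start sector to a byte count."""
    return start_sector * SECTOR


def make_sample_image(path=None):
    """Build a partitioned image in a temp file (or at path) and return
    (path, start_sector, length_sectors)."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".img")
        os.close(fd)
    create_blank_image(path)
    start, length = write_single_partition(path)
    return path, start, length


if __name__ == "__main__":
    path, start, length = make_sample_image()
    off = loop_offset_bytes(start)
    print(f"{path}: {os.path.getsize(path)} bytes, "
          f"partition at sector {start}, {length} sectors")
    print("# remaining steps need root; run them by hand:")
    print(f"losetup --offset {off} /dev/loop0 {path}")
    print("mkfs.ext4 /dev/loop0")
    print("mount /dev/loop0 /mnt")
```

Because the partition table is written at sector 0 and the filesystem begins at the partition start, the same image can be handed to mmls without any offset, and to fsstat or fls with -o set to the start sector the table reports.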


Mac OS X has Disk Utility, which is a graphical program that can create virtual disk images which you can then mount. You can see the creation of a new disk image in the screen capture below.


Once you have selected new image, you will be prompted for the size, format, encryption, read/write properties and the name. You can also specify whether you want to use a GUID partition map or master boot record partition table. The moment you have created the disk image on any of the operating systems you can start writing to the image as though it were a regular disk and you can also start to perform a forensic analysis using a variety of forensics tools. However, that’s another write-up so stay tuned.