Lesson 14: Some Useful Tools


Tool Names:
1. VISION
2. PASCO
3. GALLETA

Tool 1
VISION
Overview
• Tool Description
• Where You Can Find It
• Applicability to Forensics
• Tool Use/Screen Views
• Observations
• Lessons Learned
UTSA IS 6353 Incident Response
Technical Description: VISION
• This tool provides the following:
  – Shows all of the open TCP and UDP ports on a machine.
  – Displays the service that is active on each port.
  – Maps the ports to their respective applications.
  – A large amount of supplementary information useful for
    determining host status: detailed system information,
    the applications running, and the processes and ports in use.
Where to Find the Tools
• www.foundstone.com
• Featured in the free tools.
• Information about Vision provided at
  www.foundstone.com/resources/proddesc/vision.htm
How The Tool Supports Forensics
• Vision supports live analysis on a host.
• Vision is a host-based forensic utility.
• It allows a forensic investigator to interrogate
  ports and identify potential "Trojan" services
  (a listener owned by a process that should not be there).
• This tool supports "Incident Response"
  more than "Forensic Analysis": it reports the current
  state of a running machine rather than recovering past activity.
Tool Use
• Vision is a Windows GUI-based application.
• After launching, the application runs in the
  background and sits in the system tray.
• The "Auto-Refresh" interval can be specified
  in the options.
• Vision can log all the entries into a CSV file.
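The port-to-process mapping and CSV log that Vision produces can be reproduced from two ordinary Windows command outputs, netstat -ano (which shows the owning PID) and tasklist /fo csv (which maps PIDs to image names). The script below is an added example, not Vision's own code: it joins the two views, flags every listening socket whose owner is not the process a baseline expects (the "Trojan service" check from the lesson) and writes the snapshot as CSV. Both text samples are constructed, not captured from a real host, and the BASELINE table is an assumption that you would replace with the expected listeners of your own build image.

```python
"""Port-to-process check in the spirit of Vision, built from `netstat -ano`
and `tasklist /fo csv` output (added example, not Vision's own code).
The two text samples are constructed; BASELINE is an assumed build image."""
import csv
import io

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1912
  TCP    192.168.1.5:1034       10.0.0.7:80            ESTABLISHED     2080
  UDP    0.0.0.0:123            *:*                                    880
"""

TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","880","Console","0","4,920 K"
"svch0st.exe","1912","Console","0","1,204 K"
"iexplore.exe","2080","Console","0","21,448 K"
"""

# Expected owner(s) of each listening port on this (assumed) build; anything else is worth a look.
BASELINE = {("TCP", 135): {"svchost.exe"}, ("TCP", 445): {"System"}, ("UDP", 123): {"svchost.exe"}}


def parse_tasklist(text):
    """tasklist /fo csv -> {pid: image name}."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def parse_netstat(text):
    """netstat -ano -> one dict per socket line. UDP lines have no State column,
    so the PID is taken from the end of the line rather than by fixed position."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, pid = parts[0], parts[1], int(parts[-1])
        state = parts[3] if proto == "TCP" else "LISTENING"   # a bound UDP socket is a receiver
        port = int(local.rsplit(":", 1)[1])
        sockets.append({"proto": proto, "local": local, "port": port, "state": state, "pid": pid})
    return sockets


def map_ports(netstat_text, tasklist_text):
    """Join the two views: every socket gets the image name that owns its PID."""
    names = parse_tasklist(tasklist_text)
    rows = parse_netstat(netstat_text)
    for r in rows:
        r["process"] = names.get(r["pid"], "<unknown pid>")
    return rows


def unexpected_listeners(rows, baseline=BASELINE):
    """Listening sockets whose (proto, port) is not in the baseline, or is owned by
    a process other than the one the baseline expects: the 'Trojan service' check."""
    return [r for r in rows if r["state"] == "LISTENING"
            and r["process"] not in baseline.get((r["proto"], r["port"]), set())]


def to_csv(rows):
    """Log the snapshot as CSV, as Vision's logging option does, for later comparison."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["proto", "local", "port", "state", "pid", "process"])
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    snapshot = map_ports(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for r in unexpected_listeners(snapshot):
        print(f"UNEXPECTED {r['proto']} {r['local']} pid={r['pid']} {r['process']}")
    print(to_csv(snapshot))
```

Only the listener on TCP 31337, owned by the look-alike "svch0st.exe", is reported; the ESTABLISHED client connection is ignored because the check is about services that accept connections. Keeping each CSV snapshot makes the next run a diff rather than a fresh read, which is the point of Vision's log file.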
Basic Menu Screen View
Observations
• Easy to download
• Easy to Install (Windows Installer and
easy configuration)
• Free tool
• Easy to use navigation menus. Sub-menus
can collapse and expand. A single view
can represent a LOT of information.
Lessons Learned
• Doesn't work on Windows 98 or Me
• Requires ‘psapi.dll’ on Windows NT.
• Single comprehensive tool which
performs the functions of tools like
‘fport’ and ‘pstools’.
• CSV log file can be a good resource for
future reference.
Tool 2
PASCO
Technical Description of Pasco
• This tool provides the following:
  – Command line utility that parses the information in the
    IE activity files (index.dat).
  – Index.dat files are binary, so special tools like Pasco
    are required to view them.
  – Pasco is built to work on multiple platforms and will
    execute on Windows (through Cygwin), Mac OS X, Linux,
    and *BSD.
Technical Description of Pasco
– Relevant fields in the index.dat header:

  Field              Description
  File Length        Contains the length of the index.dat file
  Hash Table Offset  Contains the offset (in bytes) of the beginning of the HASH table
  Cache Directories  Contains the directories where the files that make up the content of the cache are stored
How Pasco Supports Forensics
• This tool supports off-line analysis.
• Allows a forensic investigator to reconstruct a
  subject's web browsing habits.
• Provides evidentiary material for abuse of corporate
  Internet usage policies, pornographic content, and
  other illegal activities.
Where to Find Pasco
• On the web
– Free utility
– www.foundstone.com
• Loaded on my directory
– D:\Pasco
Tool Use
• For Windows, must first install CYGWIN
  – a Linux-like environment for Windows.
– Cygwin can be found at
http://sources.redhat.com/cygwin/
• Download and install Pasco from
Foundstone site.
• Search for index.dat files on system and
copy into D:\pasco\bin.
Tool Use
• For Windows XP, the index.dat files can be found at
  these locations (or do a search):

  TIF Index      \Documents and Settings\<user name>\Local Settings\Temporary Internet Files\Content.IE5\
  Cookies Index  \Documents and Settings\<user name>\Cookies\
  History Index  \Documents and Settings\<user name>\Local Settings\History\History.IE5\
Tool Use
• Pasco usage:
  pasco [options] <index.dat file to be parsed> > output_file.txt
  Options:
    -d  Undelete activity records
    -t  Field delimiter (TAB by default)
Tool Use
• Command line
  – Execute default mode of Pasco
    • $ ./pasco tif.dat > tif.txt
      (Parses the index.dat file and writes the result to tif.txt)
  – Execute undeletion mode of Pasco, here with a comma as the field delimiter
    • $ ./pasco -d -t , tif.dat > tifdtoptions.txt
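To see what the header fields listed above (file length, hash table offset, cache directories) and the two run modes actually do, here is an added example that walks an index.dat the way Pasco does; it is not Pasco's own code. The layout constants (signature at 0, file length at 0x1C, hash table offset at 0x20, 12-byte cache directory slots from 0x50, 128-byte blocks starting at 0x4000, and the FILETIME, URL and filename offsets inside a "URL " record) follow the publicly documented IE5 index.dat format but are assumptions here; verify them against a real file before relying on the output. The sample file is constructed in memory: its hash table references only the first record, so the second one plays the part of a deleted entry, which is why the lesson says to run both modes.

```python
"""Walk an IE5 index.dat the way Pasco does (added example, not Pasco's code).
Layout constants follow the documented index.dat format; they are assumptions
here, so check them against a real file before trusting the output."""
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 0x80                       # records are allocated in 128-byte blocks
FIRST_RECORD = 0x4000              # block area starts at 16 KiB (assumed IE5 layout)
EPOCH_DELTA = 116444736000000000   # FILETIME ticks (100 ns) from 1601 to 1970
UTC = timezone.utc


def filetime_to_dt(ft):
    """FILETIME -> aware UTC datetime; 0 means the field was never set."""
    return None if ft == 0 else datetime(1970, 1, 1, tzinfo=UTC) + timedelta(microseconds=(ft - EPOCH_DELTA) // 10)


def dt_to_filetime(dt):
    return int(dt.timestamp()) * 10_000_000 + EPOCH_DELTA


def cstring(data, start):
    return data[start:data.index(b"\0", start)].decode("latin-1")


def parse_header(data):
    """The header fields from the lesson: file length (0x1C), hash table offset (0x20),
    cache directories (12-byte slots of file count + 8-char name from 0x50; assumed layout)."""
    if not data.startswith(b"Client UrlCache MMF Ver "):
        raise ValueError("not an index.dat file")
    file_len, hash_off = struct.unpack_from("<II", data, 0x1C)
    dirs = []
    for slot in range(8):
        _count, name = struct.unpack_from("<I8s", data, 0x50 + 12 * slot)
        if name == b"\0" * 8:
            break
        dirs.append(name.decode("ascii"))
    return file_len, hash_off, dirs


def parse_url_record(data, off):
    """One 'URL ' record: FILETIMEs at +0x08/+0x10, URL string offset at +0x34,
    cache directory index at +0x38, cached filename offset at +0x3C (assumed layout)."""
    sig, _nblocks = struct.unpack_from("<4sI", data, off)
    if sig != b"URL ":
        return None
    modified, accessed = struct.unpack_from("<QQ", data, off + 0x08)
    url_off, dir_idx = struct.unpack_from("<IB", data, off + 0x34)
    fname_off = struct.unpack_from("<I", data, off + 0x3C)[0]
    return {"offset": off, "url": cstring(data, off + url_off),
            "file": cstring(data, off + fname_off) if fname_off else "", "dir": dir_idx,
            "modified": filetime_to_dt(modified), "accessed": filetime_to_dt(accessed)}


def allocated_records(data, hash_off):
    """Default mode: follow the HASH table chain. Each 8-byte entry after the 16-byte
    record header is (hash, record offset); unused or deleted slots hold small flag
    values instead of a block offset (assumption), so keep only block-aligned offsets."""
    offsets = []
    while hash_off and hash_off + 16 <= len(data):
        sig, nblocks, next_off = struct.unpack_from("<4sII", data, hash_off)
        if sig != b"HASH":
            break
        for pos in range(hash_off + 16, hash_off + nblocks * BLOCK, 8):
            _h, rec_off = struct.unpack_from("<II", data, pos)
            if FIRST_RECORD <= rec_off < len(data) and rec_off % BLOCK == 0:
                offsets.append(rec_off)
        hash_off = next_off
    return offsets


def carved_records(data):
    """Undelete mode (pasco -d): ignore the hash table and test every block for a URL signature."""
    return [off for off in range(FIRST_RECORD, len(data) - 8, BLOCK) if data[off:off + 4] == b"URL "]


def parse(data, undelete=False):
    _file_len, hash_off, dirs = parse_header(data)
    offsets = carved_records(data) if undelete else allocated_records(data, hash_off)
    records = [r for r in (parse_url_record(data, off) for off in offsets) if r]
    for r in records:                       # resolve the directory index to its name
        r["dir"] = dirs[r["dir"]] if r["dir"] < len(dirs) else "?"
    return records


def write_url_record(buf, off, url, fname, when):
    ft = dt_to_filetime(when)
    struct.pack_into("<4sIQQ", buf, off, b"URL ", 2, ft, ft)
    url_off, fname_off = 0x68, 0x68 + len(url) + 1      # strings placed after the fixed fields
    struct.pack_into("<IB", buf, off + 0x34, url_off, 0)
    struct.pack_into("<I", buf, off + 0x3C, fname_off)
    buf[off + url_off:off + url_off + len(url)] = url
    buf[off + fname_off:off + fname_off + len(fname)] = fname


def build_sample():
    """Constructed file (not a real capture): hash table block, then record 1 (referenced
    by the hash table) and record 2 (not referenced, i.e. deleted)."""
    hash_off, rec1 = FIRST_RECORD, FIRST_RECORD + BLOCK
    rec2 = rec1 + 2 * BLOCK
    buf = bytearray(rec2 + 2 * BLOCK)
    buf[0:28] = b"Client UrlCache MMF Ver 5.2\0"
    struct.pack_into("<II", buf, 0x1C, len(buf), hash_off)
    struct.pack_into("<I8s", buf, 0x50, 2, b"ABCD1234")
    struct.pack_into("<4sII", buf, hash_off, b"HASH", 1, 0)               # one block, no next table
    struct.pack_into("<II", buf, hash_off + 16, 0x1234ABCD, rec1)         # live entry
    struct.pack_into("<II", buf, hash_off + 24, 0x00000001, 0x00000003)   # unused slot
    write_url_record(buf, rec1, b"http://intranet.example/policy.html", b"policy[1].html", datetime(2004, 1, 15, 12, 0, tzinfo=UTC))
    write_url_record(buf, rec2, b"http://evil.example/payload.exe", b"payload[1].exe", datetime(2004, 1, 16, 8, 30, tzinfo=UTC))
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    for mode in (False, True):
        print("undelete mode" if mode else "default mode")
        for r in parse(sample, undelete=mode):
            print(f"  {r['url']}\t{r['modified']}\t{r['file']}\t{r['dir']}")
```

Default mode returns only the policy page; undelete mode also returns the payload download whose hash entry is gone. That difference is exactly the gap the "run both modes" lesson below is about, and the cached filename plus directory name tell you where in Content.IE5 to look for the file itself.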
Typical command line usage of Pasco.

Text file output from Pasco.

Text file output from Pasco exported into a
spreadsheet for further analysis.
Observations
• Easy to download
  – Small download: 460 KB zipped file
• Easy to install
  – For Windows, must first install CYGWIN
• Simple command line use
  – Only two options available
• Can be used to parse the Cookies and History index.dat files
  as well
• White paper available for an in-depth technical approach
  to Pasco development
  – http://www.foundstone.com/pdf/wp_index_dat.pdf
Lessons Learned
• Works better when the index.dat file is
  copied into the directory where Pasco
  is located.
• Run both default and undeletion mode to
  make sure no entries are missed.
Tool 3
GALLETA
Technical Description: Galleta
• Galleta provides the following:
  – Internet cookie analysis utility
    • Parses the contents of a Windows cookie file and
      outputs the result to a tab-delimited file
  – Small download (<500 KB)
  – Requires CYGWIN (UNIX Bash shell) to run
Where to Find the Tools
• CYGWIN installs to the root directory
  – www.cygwin.com
  – Large download (6.5 MB)
  – Install from Internet
• Galleta installs in the Program Files
  directory or wherever you put it
  – www.foundstone.com/resources/proddesc/galleta.html
How The Tool Supports Forensics
• Galleta supports off-line analysis
– Tedious, cumbersome
• Recovers the contents of a single Internet
cookie file
• Allows the investigator to categorize
and/or sort cookies within Excel
Tool Use
• Start CYGWIN
  – Start > All Programs > CYGWIN > CYGWIN Bash Shell
• Change directories to the location where the
  Internet cookies are
  – Put the Galleta executable file in this same
    directory
• From the UNIX prompt in CYGWIN type:
  – ./galleta cookiename.txt > newname.txt
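Galleta's job is simpler than Pasco's because IE cookie files are plain text. The following added example (not Galleta's code) parses one such file into the tab-delimited columns Galleta produces and adds the keyword filter the Lessons Learned below recommend. The format is an assumption about the IE cookie file: each cookie is eight lines (variable, value, site/path, flags, expiry low dword, expiry high dword, creation low dword, creation high dword) followed by a "*" line, and each pair of decimal dwords is the low and high half of a FILETIME. The cookie file text is constructed, not taken from a real profile, and includes a trailing partial record to show how an incomplete entry is handled.

```python
"""Parse an Internet Explorer cookie file the way Galleta does (added example, not
Galleta's code). Format assumption: eight text lines per cookie ending with '*';
the decimal dword pairs are the halves of a FILETIME. Sample text is constructed."""
from datetime import datetime, timedelta, timezone

EPOCH_DELTA = 116444736000000000          # FILETIME ticks (100 ns) from 1601 to 1970
COLUMNS = ["SITE", "VARIABLE", "VALUE", "CREATION_TIME", "EXPIRE_TIME", "FLAGS"]

# Constructed cookie file: two complete records plus an unterminated fragment at the end.
COOKIE_SAMPLE = """\
SESSIONID
8d3f1a2c
intranet.example/
1536
1131110400
30053850
435118080
29612895
*
uid
track-4711
ads.evil.example/
1536
1131110400
30053850
435118080
29612895
*
orphan
partial record with no terminator
"""


def dwords_to_dt(low, high):
    """Rebuild the 64-bit FILETIME from its two decimal dwords and convert to UTC."""
    ft = (int(high) << 32) | int(low)
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=(ft - EPOCH_DELTA) // 10)


def parse_cookie_file(text):
    """Split the file on '*' lines; only groups of exactly eight lines are cookies."""
    cookies, fields = [], []
    for line in text.splitlines():
        if line != "*":
            fields.append(line)
            continue
        if len(fields) == 8:
            name, value, site, flags, exp_lo, exp_hi, cre_lo, cre_hi = fields
            cookies.append({"site": site, "variable": name, "value": value,
                            "created": dwords_to_dt(cre_lo, cre_hi),
                            "expires": dwords_to_dt(exp_lo, exp_hi), "flags": int(flags)})
        fields = []          # a malformed record is dropped rather than misaligning the next one
    return cookies           # lines left without a '*' are an incomplete record and are ignored


def to_delimited(cookies, delim="\t"):
    """Galleta-style output: a header line then one delimited line per cookie."""
    lines = [delim.join(COLUMNS)]
    for c in cookies:
        lines.append(delim.join([c["site"], c["variable"], c["value"],
                                 c["created"].isoformat(), c["expires"].isoformat(), str(c["flags"])]))
    return "\n".join(lines)


def questionable(cookies, keywords):
    """The string-search step from the lesson: keep cookies whose site matches a watch list."""
    kws = [k.lower() for k in keywords]
    return [c for c in cookies if any(k in c["site"].lower() for k in kws)]


if __name__ == "__main__":
    parsed = parse_cookie_file(COOKIE_SAMPLE)
    print(to_delimited(parsed))
    for c in questionable(parsed, ["evil", "ads."]):
        print("questionable:", c["site"], c["variable"], c["created"].date())
```

Run over a whole Cookies directory by calling parse_cookie_file on each file and concatenating the rows before filtering; that replaces the one-file-at-a-time loop the lesson calls labor intensive.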
Observations
• Easy to download
• Easy to Install
• Command line use was cryptic
depending on level of experience
• No Help support
• Don’t forget to download CYGWIN
• Very labor intensive
Lessons Learned
• Watch out for the location of the Galleta
  executable
• UNIX tool that works in Windows via
  CYGWIN
• Best used in conjunction with a string
  search utility, or with Pasco output, to
  isolate questionable cookies