Computer Forensic Analysis


COEN 152/252
Computer Forensics
Open Source Forensic Tools
The Beginning

The Coroner's Toolkit (TCT)

 collection of programs by Dan Farmer and Wietse Venema for a post-mortem analysis of a UNIX system after a break-in
 presented first in a Computer Forensics Analysis class in August 1999
 http://www.porcupine.org/forensics/tct.html

Notable TCT components:
 grave-robber - captures information
 ils & mactime - display access patterns of files, dead or alive
 unrm and lazarus - recover deleted files
 findkey - recovers cryptographic keys from a running process or from files

Warning: TCT can spend a lot of time collecting data

Good reference article:
 http://www.sans.org/reading_room/whitepapers/incident/coroners-toolkitin-depth_651
TCT - Additional Info

 Installing The Coroner's Toolkit and using the mactime utility
http://www.cse.sc.edu/~okeefe/tutorials/cert/i046.01.html
 Harvesting information with grave-robber
http://www.cse.sc.edu/~okeefe/tutorials/cert/i046.02.html
 Rescuing files with lazarus
http://www.cse.sc.edu/~okeefe/tutorials/cert/i046.03.html
TCT Successor – The Sleuth Kit (TSK)

http://www.sleuthkit.org/sleuthkit/
 Allows examination of DOS, BSD, Mac, Sun and GPT partitions & disks
 Includes the Autopsy Forensic Browser as a graphical analysis tool
 Supports integration with an SQLite database
 Analyzes dd, .E01 and .AFF disk images
 Can be run on live Windows systems for incident response
Penguin Sleuth Kit

http://www.linux-forensics.com/
Base Package:
 Gentoo Linux 2.6 Kernel - Optimized for Forensics Use
 XFCE - GUI
 Apache2 - Server
 MySQL, PHP4
 Open Office
 Gimp - Graphics Program
 KSnapshot - Screen Capture Program
 Mozilla
 Gnome CD Master
 K3b - CD Burner
 XMMS - media player
 Porthole - Gentoo Graphical Package Manager
 Karchiver - GZip GUI
Penguin Sleuth Kit

Forensics Tools:
 Sleuth Kit - Forensics Kit
 Py-Flag - Forensics Browser
 Autopsy - Forensics Browser for Sleuth Kit
 dcfldd - DD Imaging Tool, command line tool that also works with AIR
 foremost - Data Carver command line tool
 Air - Forensics Imaging GUI
 md5deep - MD5 Hashing Program
 netcat - Command Line
 cryptcat - Command Line
 NTFS-Tools
 qtparted - GUI Partitioning Tool
 regviewer - Windows Registry Viewer
Penguin Sleuth Kit

Security Tools:
 Etherape - GUI Network Traffic Monitor
 ClamAV - Anti Virus
 snort - Command Line
 John the Ripper - Command Line password cracker
 rkhunter - Command Line
 Ethereal - Network Traffic Analyzer
 FWBuilder - GUI Firewall App
 nessus - network scanner
Knoppix

http://www.knoppix.org/
 compilation of GNU/Linux software, run completely from CD, DVD or flash disk
 automatically detects and supports a wide range of graphics adapters, sound cards, USB devices and other peripheral devices

Included Software: CD Version
 LXDE as the standard desktop
 Open Office
 the Firefox WWW browser
 GNU Image Manipulation Program GIMP
 MPlayer Multimedia System
 Internet-access software for (W)LAN, modem, ISDN, UMTS/GPRS
 Tools for data rescue, network analysis and system repair
Knoppix

Included Software: DVD Version

The DVD version contains additional software packages for office productivity as well as software development and engineering (various programming languages and development environments), education and gaming.

More detail:
http://www.knopper.net/knoppix-info/knoppixreloaded-2004-screen.pdf
Helix

http://www.e-fense.com/products.php
 Originally open source – older .iso images can still be located
 Current - Helix 3 Pro & Enterprise versions

Tools:
 Sleuthkit
 LinEn
 Libewf + mount_ewf
 Carvfs
 cryptsetup
 Truecrypt
 lvm2
 Scalpel
 Foremost
 LibPff
 Volatility plus many plugins
 moto4lin
 gmobilemedia
 gammu
 gnokii
 frag_find
 pythonraw
 ptfinder
Back Track 4

http://www.remote-exploit.org/backtrack.html
 Linux live distribution focused on penetration testing
 based on a Slackware Linux distribution (www.slax.org)
 300 different up-to-date tools, logically structured according to the work flow of security professionals
 Wiki Tutorial: http://wiki.remote-exploit.org/backtrack/
 Tool List: http://wiki.remote-exploit.org/backtrack/wiki/Alphabetical

FCCU Tools

http://www.lnx4n6.be/
 Belgian Federal Computer Crime Unit (FCCU)
 based on the KNOPPIX Live CD version 4.02 by Klaus Knopper
 “The main purpose of the CD : help the forensic analyze of computers”
 Selected Tool List:

Forensic acquisition :
 dd : tool to make bit-to-bit copies and backups
 dd_rescue : more or less the same as dd but handles disk errors
 dd_rhelp : a script to facilitate the use of dd_rescue
 dcfldd : tool to make bit-to-bit copies
 AFFLIB : Advanced Forensic Format tools
 sdd : a dd clone specialized in tapes
 AIR : a graphical frontend for dd and dcfldd
FCCU Tools – cont.

Forensic analysis :
 Sleuthkit/Autopsy : tool to find deleted files (and many more features)
 Galetta : an MS-Windows cookies analyzer
 Pasco : an MS-Windows IExplorer cache analyzer
 Rifiuti : an MS-Windows trashcan analyzer
 mork.pl : perl script to read firefox history.dat
 cookie_cruncher.pl : a tool to parse cookies
 dumpster_dive.pl : a tool to read m$ recycle bin files
 browser-history-viewer : as the name says
FCCU Tools – cont.

Pictures tools :
 FBI : tool to view images in console mode
 exiftags : a tool to extract EXIF information from JPEG files
 exif : another one
 metacam : a third one
 jhead : a fourth one
 dcraw : a tool to read raw photo images from digital cameras
 jpeginfo : a tool to view JPEG file information
 recoverPhotos : another image recovery tool
 exifprobe : another EXIF extractor
FCCU Tools – cont.

Password cracker :
 cmospwd : a tool to recover CMOS passwords
 pwl : a tool to crack Win 9x PWL files
 John the Ripper : a password cracker for Unixes, and Win NT, 2k and XP passwords
 lcrack : lepton cracker
 chntpw : a tool to help cracking NT passwords
 crack : a password cracker
 samdump : a tool to extract password hashes from MS Windows registry files
 bkhive : a tool to extract the Syskey bootkey from an MS Windows system hive file
 pgpcrack : a PGP brute force attacker
 nasty : a tool to try to recover PGP or GPG passphrases
 fcrackzip : a zip file password cracker
 medussa : a distributed password cracker
FCCU Tools – cont.

Crypto/Stegano tools :
 cryptcat : an encrypted version of netcat
 outguess : a stegano tool
 stegdetect : a tool to detect stegano
 bcrypt : crypto utility
 ccrypt : an encryption/decryption tool

Network :
 RIP and PXE boot : a complete system for large network keyword search
 sbd : a netcat-like utility with encryption support
 smbc : samba commander
 p0f : a passive OS fingerprinting tool
 arping : a ping utility
 ngrep : grep utility for network packets
 netwox : a toolbox with more than 200 network tools
 sshfs : a filesystem client based on ssh
 lft : a traceroute tool
 socat : a netcat-like tool
 netdiscover : a tool to discover networks
 mimms : download mms streams
 weplab : a WEP security analyzer
 netsed : network stream altering tool
FCCU Tools – cont.

MS files tools :
 Galetta : an MS-Windows cookies analyzer
 Pasco : an MS-Windows IExplorer cache analyzer
 Rifiuti : an MS-Windows trashcan analyzer
 readpst : a tool to read MS Outlook pst files
 antiword : a tool to read MS Word files
 mdbtools : playing with MS Access mdb databases
 ripole : a tool to rip attachments from MS files
 tnef : a tool to decode the MS encapsulation format
 fccu-docprop : a tool to read MS OLE file (mainly doc, xls) properties
 fccu.evtreader : a tool to parse MS evt log files
 reglookup : MS Windows registry viewer
 grokevt : an MS Win event log viewer with dll message import
 eindeutig : read and convert dbx files
 clit : convert MS e-books
 cookie_cruncher.pl : a tool to parse cookies
 dumpster_dive.pl : a tool to read m$ recycle bin files
 mscompress : decompress files compressed with compress.exe

Tutorial:
http://www.lnx4n6.be/Downloads/hacklu.pdf
Operator 3.3.2.0

http://www.ussysadmin.com/operator/
 Debian based Linux installation
 Linux kernel 2.4.31
 KDE V3.3.2-1
 wine Windows Emulator (Binary Emulator)
 Konqueror and Mozilla Firebird web browsers
 KOffice, which includes korganizer, kword, kspread and more
 X Multimedia System (xmms) an MPEG-video, MP3
 Internet connection software kppp, pppoeconf (DSL)
 utilities for data recovery, system repairs, even for other operating systems
 network and security analysis tools for network administrators
 many programming languages, development tools
 in total more than 900 installed software packages with over 2000 executable user programs and utilities
 100+ Unix/Windows Exploits and Tools ready to run
grml

grml.org/
 bootable live system (Live-CD) based on Debian
 collection of GNU/Linux software especially for system administrators and users of texttools

Use Grml as a:
 rescue system
 for analyzing systems/networks
 a working environment

Contains:
 sysadmin's favourite tools
 security & network-related software
 data recovery & forensic-tools
 editors, shells, & many texttools

Flavors:
 grml, grml-medium & grml-small
 x86 & amd64 versions
Additional Resources

Blogs:
 Dancho Danchev's Blog - http://ddanchev.blogspot.com/
 Forensic Cop - http://forensiccop.blogspot.com/
 Forensic Focus Blog - http://www.forensicfocus.com/computer-forensics-blog
 int for(ensic){blog;} - http://computer.forensikblog.de/en/
 ForensicKB - http://www.forensickb.com/
 SANS Institute Computer Forensic Blog - https://blogs.sans.org/computer-forensics/

Additional Resources

Wiki:
 Forensics Wiki - http://www.forensicswiki.org/wiki/Main_Page

Web sites:
 DFRWS - Digital Forensic Research Workshop - http://www.dfrws.org/
 Security Focus - http://www.securityfocus.com/
 Scientific Literature Digital Library - http://citeseer.ist.psu.edu/
 KnujOn (nûj-ôn) - http://www.knujon.com/index.html
 e-Discovery Team - http://ralphlosey.wordpress.com/
 The Dark Visitor - http://www.thedarkvisitor.com/
 Acronym Finder - http://www.acronymfinder.com/
 Bastard Sons of Dial-Up - http://www.bsodtv.org/
 Tor: anonymity online - http://www.torproject.org/