NETinfo 2008-10-10
Computer Forensics
Computer forensics is simply the application of computer
investigation and analysis techniques in the interests of
determining potential legal evidence. Evidence might be sought in
a wide range of computer crime or misuse, including but not
limited to theft of trade secrets, theft of or destruction of
intellectual property, and fraud.
Time-consuming
It helps if you know what you are looking for
Linux distributions with a security focus
BackTrack
Helix
Operator
PHLAK
Auditor
L.A.S. Linux
Knoppix-STD
F.I.R.E.
Helix
Helix is a customized distribution of Ubuntu Linux.
It focuses on incident response and computer forensics.
Maintainer: e-fense
OS: Linux, Windows, Solaris
Genre: Live CD
Helix
Helix, Bootable Linux
Adepto, Imaging program utilizing dcfldd
Autopsy and Sleuthkit, forensic file system investigation
Scalpel, data carving from image files
Clamav, Anti-Virus program
Ubuntu-based (previously Knoppix), uses Gnome
Helix, Windows Live
Access PassView
IECookiesView
IEHistoryView
MessenPass
Network Password Recovery
PC On/Off Time
Process Explorer
Rootkit Revealer
WFT (The Windows Forensic Toolchest)
WFT
The Windows Forensic Toolchest™ (WFT) is designed to provide a structured and repeatable automated Live Forensic Response, Incident Response, or Audit on a Windows system while collecting security-relevant information from the system.
WFT is essentially a forensically enhanced batch processing shell capable of running other security tools and producing HTML-based reports in a forensically sound manner.
http://www.foolmoon.net/security/wft/
WFT features
Generation Of Both Raw Text And HTML Reports
User-Editable Config File Controls Execution
Ability To Run Locally, Via CD/DVD, Or Thumb Drive
Configurable Toolpath
Macros Which Expand Dynamically Based On Run-Time Values
Detailed Run-Time Logging
Verification Of All Executed Tools
Detailed Hashing Of Output
Support For MD5 Hash
Support For SHA1 Hash
Ability To Verify WFT Config Files
Automatic Updating Of WFT Hash Values For Tools
WFT's Interactive Mode Provides Command-Line Alternative
Ability To Run SysInternals Tools Without ‘-accepteula’
Color Output Highlights Important Info
Automatic OS & Drive Detection
Ability To Run Commands Based On Run-Time OS
Ability To Fetch 3rd-Party Tools
http://www.foolmoon.net/downloads/Live_Forensics_Using_WFT.pdf
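The following is an added illustration of the workflow the WFT feature list describes (verify each tool's hash before it runs, write its output to a file, record MD5 and SHA1 of that output in a run-time log). It is not WFT's own code and is not from foolmoon.net; it uses the Python interpreter as a stand-in "tool" and a constructed config so it runs offline on any platform.

```python
"""Minimal model of a forensically sound tool runner in the style of WFT:
each config entry is hash-verified before execution, its output is saved
to a file, and MD5/SHA1 of that output go into a JSON run log (constructed)."""
import hashlib, json, subprocess, sys, tempfile, time
from pathlib import Path

def digests(data: bytes) -> dict:
    """MD5 and SHA1 of the given bytes (WFT records both)."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}

def verify_tool(tool: Path, expected_md5: str) -> bool:
    """A tool whose binary no longer matches the config hash must not run."""
    return digests(tool.read_bytes())["md5"] == expected_md5

def run_entry(entry: dict, outdir: Path) -> dict:
    """Run one config entry, store its stdout and return the log record."""
    tool = Path(entry["tool"])
    rec = {"name": entry["name"], "started": time.time()}
    if not verify_tool(tool, entry["md5"]):
        rec["status"] = "SKIPPED: tool hash mismatch"   # tampered or wrong version
        return rec
    proc = subprocess.run([str(tool), *entry["args"]], capture_output=True, timeout=30)
    out = outdir / f"{entry['name']}.txt"
    out.write_bytes(proc.stdout)                      # raw evidence file
    rec.update(status="OK" if proc.returncode == 0 else f"EXIT {proc.returncode}",
               output=str(out), finished=time.time(), **digests(proc.stdout))
    return rec

def run_toolchest(config: list, outdir: Path) -> list:
    """Run every entry in order and write the run log beside the outputs."""
    records = [run_entry(e, outdir) for e in config]
    (outdir / "wft_run.log").write_text(json.dumps(records, indent=1))
    return records

# Constructed config: the Python interpreter stands in for a real forensic tool.
# The first entry carries the interpreter's current hash (the "auto-updated"
# value a real config would hold); the second carries a deliberately wrong one.
PYTHON = Path(sys.executable).resolve()
CONFIG = [
    {"name": "hostinfo", "tool": str(PYTHON), "md5": digests(PYTHON.read_bytes())["md5"],
     "args": ["-c", "import platform; print(platform.platform())"]},
    {"name": "tampered", "tool": str(PYTHON), "md5": "0" * 32,
     "args": ["-c", "print('should never run')"]},
]

def demo_run() -> list:
    """Run the constructed config into a fresh temporary output directory."""
    return run_toolchest(CONFIG, Path(tempfile.mkdtemp()))

if __name__ == "__main__":
    for r in demo_run():
        print(r["name"], r["status"], r.get("sha1", ""))
```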
Tips for Windows users!
Get the Ubuntu 8.04 Live CD
It can both read and write NTFS partitions