SlideShare uma empresa Scribd logo

Linux Forensics Tool Guide

Patricia M Watson
Patricia M Watson
Tecnologia
1 de 17
Baixar para ler offline
Computer Forensics – Patricia M Watson Linux: A Powerful Computer Forensics Tool Patricia M Watson
Computer Forensics – Patricia M Watson What is Computer Forensics? Computer forensics involves the preservation, identification, extraction, documentation and interpretation of computer media for evidentiary and/or root cause analysis. Computer Forensics: Incident Response Essentials, Warren G. Kruse II and Jay G. Heiser, Addison-Wesley 2003 ISBN 0-201-70719-5
Computer Forensics – Patricia M Watson What Skills Must Forensics Analyst Have? • A broad range of technical, investigative, procedural, and legal skills  Disk geometry, file systems, software reverse engineering, steganography, cryptography, evidence integrity and authentication, Chain of custody • The ability to function in a complex, dynamic environment  Computer technology as well as legal and regulatory environments are constantly changing • The ability to testify in a court of law  Reproduce incident, interpret results, be prepared for cross- examination
Computer Forensics – Patricia M Watson Computer Forensics Training • The SANS Institute – Global Information Assurance Certification Computer Forensics (GCFA)  http://www.giac.org/certifications/security/gcfa.php • New Technologies Inc. – Computer Forensics Certification administered by Oregon State University  http://www.forensics-intl.com/forensic.html • CompuForensics – in association with the University of Georgia offer computer forensics certificate courses  http://www.gactr.uga.edu/is/cf/ • Certified Information System Security Professional (CISSP)  http://www.cissp.com/ispc/cf-bootcamp.asp
Computer Forensics – Patricia M Watson Why is Computer Forensics Important? • Computers are used to commit crimes  Fraud, theft of intellectual property, threatening letters • Computers are victims of crimes  Remote attacks, viruses, worms, Trojans • Computers provide record of activities that are useful in an investigation of an alleged crime  Best evidence rule: Accurate representation of original data on a system (bit-for-bit image)
Computer Forensics – Patricia M Watson Forensics in a Nutshell • Incident response o Verify the incident o Evidence Seizure o Collect volatile and non-volatile data (live system) • Investigation and analysis o Image System (dead system) o Data recovery • Reporting results o Record your actions
Computer Forensics – Patricia M Watson Forensics “The Legal Issues” • Federal (cyber crime is federal) o Title 18 – communications, computers, fraud, etc. o USA Patriot Act – extends crimes, streamlines criminal investigation, and increases penalties o Digital Millennium Copyright Act – makes it illegal to circumvent digital copyright protection • State laws vary • Admissible evidence  Law enforcement personnel activities are restricted (warrants, privacy, consent)  Law enforcement must follow chain of custody  Private citizens must follow company policies  Policy should address both legal and business environments
Computer Forensics – Patricia M Watson Places for Data to Hide As organized by SANS.org • Physical Layer  Areas allocated for diagnostics, sector overhead, sectors marked as bad • Data Layer  Slack space, swap space, free space, unallocated space (file fragments) • Metadata Layer  Corrupted inodes (Linux), resident data as alternate data streams (NTFS) • File System Layer  Superblock, boot sector • File Name Layer  When files are deleted, the file system will hide the file name from the user, but much data can be recovered using forensic tools.
Computer Forensics – Patricia M Watson The “Tools” • Although there is no universal forensic solution, Linux based tools are preferred for the following reasons:  They are FREE  Open source – You can modify/improve  You can verify tool integrity (cryptographic hashes)  You can image any type of media as raw format  Greater versatility – No platform dependencies
Computer Forensics – Patricia M Watson Tools – “The Basics” • dcfldd – Modified version of dd which provides the ability to perform hashing on the raw data collected  # dcfldd if=/dev/hda of=/dev/hdb hashwindow=0 hashlog=drive.md5.txt • dd – Powerful utility used for truncating files, splitting images, or sanitizing disk or partitions  # dd if=/dev/zero of=/dev/hda# • Cryptographic Hashes – Provide evidence integrity and authentication  md5sum, sha1 • mount loop  # mount –o ro,loop imagepath mountpoint • strings, grep, fgrep, file – Used for keyword searches
Computer Forensics – Patricia M Watson Type of Forensic Toolkits • Data Analysis Toolkits: Designed to analyze data, best for live system analysis o The Coroner’s Toolkit (TCT)  Designed by Dan Farmer and Wietse Venema to investigate “hacked” Unix host  http://www.fish.com/tct • Data Acquisition Toolkits: Save data to perform lab-based analysis, best for dead system analysis o The Sleuth Kit (TSK)  Designed by Brian Carrier, the TSK is a collection of file system analysis tools with NO platform dependency. http://sleuthkit.sourceforge.net  Autopsy is the graphical interface to TSK
Computer Forensics – Patricia M Watson The TSK Tool Organization • File System Layer:  fsstat – displays details about the file system
Computer Forensics – Patricia M Watson The TSK Tool Organization • Data Layer:  dstat – provides statistics on a given data unit, i.e. allocation status  dls – copies unallocated contents form data units to STDOUT, the –s flag extracts slack space on NTFS and FAT systems  dcalc – takes the “dls” location as input and determines where it resides in the original image (dd)  dcat – displays the contents of any disk block to STDOUT
Computer Forensics – Patricia M Watson The TSK Tool Organization • Metadata Layer: o istat – displays statistics about a given metadata structure i.e. permissions, size, allocation status o ifind – finds the metadata structure that has allocated a given data unit, most frequently used when performing keyword searches o ils - lists general details of inodes, most often used to collect inodes of deleted files o icat – displays the contents of all the blocks allocated to an inode, ideal for recovering deleted files
Computer Forensics – Patricia M Watson The TSK Tool Organization • File Name Layer:  fls – lists file and directory entries in a directory inode. Since “fls” is processing the directory content, it can display the data from deleted files  ffind – a mapping tool that finds the file name for a metadata address by processing the full directory tree and locating the entry that points to the metadata address
Computer Forensics – Patricia M Watson Forensic Resources • Handbook for Computer Security Incident Response Teams (CSIRTs) http://www.sei.cmu.edu/pub/documents/03.reports/pdf/03hb002.pdf • Intrusion Detection, Honeypots and Incident Handling Resources http://www.honeypots.net/ • US Department of Justice Forensic Examination of Digital Evidence http://www.ncjrs.org/pdffiles1/nij/199408.pdf • USDOJ Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.pdf • Computer Forensics Incident Response Essentials. Warren G. Kruse II and Jay G. Heiser. Addison-Wesley 2003. ISBN 0-201-70719-5 • Know Your Enemy 2nd Edition. The Honeynet Project.
Computer Forensics – Patricia M Watson Computer Forensics • Questions?

Recomendados

Digital Forensics in the Archive
Digital Forensics in the ArchiveDigital Forensics in the Archive
Digital Forensics in the ArchiveGarethKnight
 
Watching the Detectives: Using digital forensics techniques to investigate th...
Watching the Detectives: Using digital forensics techniques to investigate th...Watching the Detectives: Using digital forensics techniques to investigate th...
Watching the Detectives: Using digital forensics techniques to investigate th...GarethKnight
 
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...John Bambenek
 
Lecture 8 comp forensics 03 10-18 file system
Lecture 8 comp forensics 03 10-18 file systemLecture 8 comp forensics 03 10-18 file system
Lecture 8 comp forensics 03 10-18 file systemAlchemist095
 
Dark Data In Live Forensics
Dark Data In Live ForensicsDark Data In Live Forensics
Dark Data In Live ForensicsRob Zirnstein
 
Digital Anti-Forensics: Emerging trends in data transformation techniques
Digital Anti-Forensics: Emerging trends in data transformation techniquesDigital Anti-Forensics: Emerging trends in data transformation techniques
Digital Anti-Forensics: Emerging trends in data transformation techniquesSeccuris Inc.
 
Forensics Analysis and Validation
Forensics Analysis and Validation Forensics Analysis and Validation
Forensics Analysis and Validation Jyothishmathi Institute of Technology and Science Karimnagar
 
DATA MANAGEMENT – WHAT DOES IT MEAN FOR RESEARCHERS?
DATA MANAGEMENT – WHAT DOES IT MEAN FOR RESEARCHERS?DATA MANAGEMENT – WHAT DOES IT MEAN FOR RESEARCHERS?
DATA MANAGEMENT – WHAT DOES IT MEAN FOR RESEARCHERS?Incremental Project
 

Recomendados

Digital Forensics in the Archive
Digital Forensics in the ArchiveDigital Forensics in the Archive
Digital Forensics in the ArchiveGarethKnight
 
Watching the Detectives: Using digital forensics techniques to investigate th...
Watching the Detectives: Using digital forensics techniques to investigate th...Watching the Detectives: Using digital forensics techniques to investigate th...
Watching the Detectives: Using digital forensics techniques to investigate th...GarethKnight
 
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...John Bambenek
 
Lecture 8 comp forensics 03 10-18 file system
Lecture 8 comp forensics 03 10-18 file systemLecture 8 comp forensics 03 10-18 file system
Lecture 8 comp forensics 03 10-18 file systemAlchemist095
 
Dark Data In Live Forensics
Dark Data In Live ForensicsDark Data In Live Forensics
Dark Data In Live ForensicsRob Zirnstein
 
Digital Anti-Forensics: Emerging trends in data transformation techniques
Digital Anti-Forensics: Emerging trends in data transformation techniquesDigital Anti-Forensics: Emerging trends in data transformation techniques
Digital Anti-Forensics: Emerging trends in data transformation techniquesSeccuris Inc.
 
Forensics Analysis and Validation
Forensics Analysis and Validation Forensics Analysis and Validation
Forensics Analysis and Validation Jyothishmathi Institute of Technology and Science Karimnagar
 
DATA MANAGEMENT – WHAT DOES IT MEAN FOR RESEARCHERS?
DATA MANAGEMENT – WHAT DOES IT MEAN FOR RESEARCHERS?DATA MANAGEMENT – WHAT DOES IT MEAN FOR RESEARCHERS?
DATA MANAGEMENT – WHAT DOES IT MEAN FOR RESEARCHERS?Incremental Project
 
Computer Forensics Bootcamp
Computer Forensics BootcampComputer Forensics Bootcamp
Computer Forensics BootcampnCircle - a Tripwire Company
 
Research Data Management Implementations
Research Data Management Implementations Research Data Management Implementations
Research Data Management Implementations Globus
 
Data management plans (dmp) for nsf
Data management plans (dmp) for nsfData management plans (dmp) for nsf
Data management plans (dmp) for nsfBrad Houston
 
Data management (newest version)
Data management (newest version)Data management (newest version)
Data management (newest version)Graça Gabriel
 
Hypatia for dlf 2011
Hypatia for dlf 2011Hypatia for dlf 2011
Hypatia for dlf 2011DLFCLIR
 
Data management plans
Data management plansData management plans
Data management plansBrad Houston
 
Research Data Management: What is it and why is the Library & Archives Servic...
Research Data Management: What is it and why is the Library & Archives Servic...Research Data Management: What is it and why is the Library & Archives Servic...
Research Data Management: What is it and why is the Library & Archives Servic...GarethKnight
 
The mergence of Marketing and eMarketing - Dan Rose
The mergence of Marketing and eMarketing - Dan RoseThe mergence of Marketing and eMarketing - Dan Rose
The mergence of Marketing and eMarketing - Dan RoseCorporate College
 
Excel Datamining Addin Advanced
Excel Datamining Addin AdvancedExcel Datamining Addin Advanced
Excel Datamining Addin Advancedexcel content
 
Datamining and Business Analytics
Datamining and Business Analytics Datamining and Business Analytics
Datamining and Business Analytics amacolumbia
 
DataMining Techniq
DataMining TechniqDataMining Techniq
DataMining TechniqRespa Peter
 
Excel Datamining Addin Beginner
Excel Datamining Addin BeginnerExcel Datamining Addin Beginner
Excel Datamining Addin Beginnerexcel content
 
Extensive Survey on Datamining Algoritms for Pattern Extraction
Extensive Survey on Datamining Algoritms for Pattern ExtractionExtensive Survey on Datamining Algoritms for Pattern Extraction
Extensive Survey on Datamining Algoritms for Pattern ExtractionAssociation of Scientists, Developers and Faculties
 
Why Datamining?
Why Datamining?Why Datamining?
Why Datamining?Aamir Soomro
 
Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic pptSuchita Rawat
 
Computer forensics libin
Computer forensics libinComputer forensics libin
Computer forensics libinlibinp
 
computer forensics
computer forensicscomputer forensics
computer forensicsAkhil Kumar
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic InvestigatorAgape Inc
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsdeaneal
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfGnanavi2
 
44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell
44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell
44CON London 2015: Old Dog, New Tricks: Forensics with PowerShellJared Atkinson
 

Mais conteúdo relacionado

Mais procurados

Research Data Management Implementations
Research Data Management Implementations Research Data Management Implementations
Research Data Management Implementations Globus
 
Data management plans (dmp) for nsf
Data management plans (dmp) for nsfData management plans (dmp) for nsf
Data management plans (dmp) for nsfBrad Houston
 
Data management (newest version)
Data management (newest version)Data management (newest version)
Data management (newest version)Graça Gabriel
 
Hypatia for dlf 2011
Hypatia for dlf 2011Hypatia for dlf 2011
Hypatia for dlf 2011DLFCLIR
 
Data management plans
Data management plansData management plans
Data management plansBrad Houston
 
Research Data Management: What is it and why is the Library & Archives Servic...
Research Data Management: What is it and why is the Library & Archives Servic...Research Data Management: What is it and why is the Library & Archives Servic...
Research Data Management: What is it and why is the Library & Archives Servic...GarethKnight
 

Mais procurados (7)

Computer Forensics Bootcamp
Computer Forensics BootcampComputer Forensics Bootcamp
Computer Forensics Bootcamp
 
Research Data Management Implementations
Research Data Management Implementations Research Data Management Implementations
Research Data Management Implementations
 
Data management plans (dmp) for nsf
Data management plans (dmp) for nsfData management plans (dmp) for nsf
Data management plans (dmp) for nsf
 
Data management (newest version)
Data management (newest version)Data management (newest version)
Data management (newest version)
 
Hypatia for dlf 2011
Hypatia for dlf 2011Hypatia for dlf 2011
Hypatia for dlf 2011
 
Data management plans
Data management plansData management plans
Data management plans
 
Research Data Management: What is it and why is the Library & Archives Servic...
Research Data Management: What is it and why is the Library & Archives Servic...Research Data Management: What is it and why is the Library & Archives Servic...
Research Data Management: What is it and why is the Library & Archives Servic...
 

Destaque

The mergence of Marketing and eMarketing - Dan Rose
The mergence of Marketing and eMarketing - Dan RoseThe mergence of Marketing and eMarketing - Dan Rose
The mergence of Marketing and eMarketing - Dan RoseCorporate College
 
Excel Datamining Addin Advanced
Excel Datamining Addin AdvancedExcel Datamining Addin Advanced
Excel Datamining Addin Advancedexcel content
 
Datamining and Business Analytics
Datamining and Business Analytics Datamining and Business Analytics
Datamining and Business Analytics amacolumbia
 
DataMining Techniq
DataMining TechniqDataMining Techniq
DataMining TechniqRespa Peter
 
Excel Datamining Addin Beginner
Excel Datamining Addin BeginnerExcel Datamining Addin Beginner
Excel Datamining Addin Beginnerexcel content
 

Destaque (7)

The mergence of Marketing and eMarketing - Dan Rose
The mergence of Marketing and eMarketing - Dan RoseThe mergence of Marketing and eMarketing - Dan Rose
The mergence of Marketing and eMarketing - Dan Rose
 
Excel Datamining Addin Advanced
Excel Datamining Addin AdvancedExcel Datamining Addin Advanced
Excel Datamining Addin Advanced
 
Datamining and Business Analytics
Datamining and Business Analytics Datamining and Business Analytics
Datamining and Business Analytics
 
DataMining Techniq
DataMining TechniqDataMining Techniq
DataMining Techniq
 
Excel Datamining Addin Beginner
Excel Datamining Addin BeginnerExcel Datamining Addin Beginner
Excel Datamining Addin Beginner
 
Extensive Survey on Datamining Algoritms for Pattern Extraction
Extensive Survey on Datamining Algoritms for Pattern ExtractionExtensive Survey on Datamining Algoritms for Pattern Extraction
Extensive Survey on Datamining Algoritms for Pattern Extraction
 
Why Datamining?
Why Datamining?Why Datamining?
Why Datamining?
 

Semelhante a Linux Forensics Tool Guide

Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic pptSuchita Rawat
 
Computer forensics libin
Computer forensics libinComputer forensics libin
Computer forensics libinlibinp
 
computer forensics
computer forensicscomputer forensics
computer forensicsAkhil Kumar
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic InvestigatorAgape Inc
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsdeaneal
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfGnanavi2
 
44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell
44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell
44CON London 2015: Old Dog, New Tricks: Forensics with PowerShellJared Atkinson
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
Computer Forensics
Computer ForensicsComputer Forensics
Computer ForensicsBense Tony
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
Computer Forensics – What Every Lawyer Needs to Know
Computer Forensics – What Every Lawyer Needs to KnowComputer Forensics – What Every Lawyer Needs to Know
Computer Forensics – What Every Lawyer Needs to KnowWinston & Strawn LLP
 
Diving into Digital Forensics
Diving into Digital Forensics Diving into Digital Forensics
Diving into Digital Forensics Pranjal Vyas
 
Forensics of a Windows Systems
Forensics of a Windows SystemsForensics of a Windows Systems
Forensics of a Windows SystemsConferencias FIST
 
AntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfAntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfekobelasting
 
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdfGnanavi2
 

Semelhante a Linux Forensics Tool Guide (20)

Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic ppt
 
Computer forensics libin
Computer forensics libinComputer forensics libin
Computer forensics libin
 
computer forensics
computer forensicscomputer forensics
computer forensics
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic Investigator
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdf
 
44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell
44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell
44CON London 2015: Old Dog, New Tricks: Forensics with PowerShell
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
 
Computer Forensics
Computer ForensicsComputer Forensics
Computer Forensics
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows System
 
Computer Forensics – What Every Lawyer Needs to Know
Computer Forensics – What Every Lawyer Needs to KnowComputer Forensics – What Every Lawyer Needs to Know
Computer Forensics – What Every Lawyer Needs to Know
 
Cyber forensics
Cyber forensicsCyber forensics
Cyber forensics
 
Diving into Digital Forensics
Diving into Digital Forensics Diving into Digital Forensics
Diving into Digital Forensics
 
Forensics of a Windows Systems
Forensics of a Windows SystemsForensics of a Windows Systems
Forensics of a Windows Systems
 
Sujit
SujitSujit
Sujit
 
AntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfAntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdf
 
Computer Forensic
Computer ForensicComputer Forensic
Computer Forensic
 
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
644205e3-8f85-43da-95ac-e4cbb6a7a406-150917105917-lva1-app6892.pdf
 

Mais de Patricia M Watson

CIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 WatsonCIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 WatsonPatricia M Watson
 
CyberSecThreats_R_U_atRisk_Watson
CyberSecThreats_R_U_atRisk_WatsonCyberSecThreats_R_U_atRisk_Watson
CyberSecThreats_R_U_atRisk_WatsonPatricia M Watson
 
Securing your cyberspace_Watson
Securing your cyberspace_WatsonSecuring your cyberspace_Watson
Securing your cyberspace_WatsonPatricia M Watson
 
ISACA President Letter | Patricia Watson | 2013
ISACA President Letter | Patricia Watson | 2013ISACA President Letter | Patricia Watson | 2013
ISACA President Letter | Patricia Watson | 2013Patricia M Watson
 
Cyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise ChapterCyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise ChapterPatricia M Watson
 
IT Governance | 2013 Interface Conf | Watson
IT Governance | 2013 Interface Conf | WatsonIT Governance | 2013 Interface Conf | Watson
IT Governance | 2013 Interface Conf | WatsonPatricia M Watson
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonPatricia M Watson
 
Cyber Security | Patricia Watson
Cyber Security | Patricia WatsonCyber Security | Patricia Watson
Cyber Security | Patricia WatsonPatricia M Watson
 
Leveraging Digital Forensics | Patricia Watson
Leveraging Digital Forensics | Patricia WatsonLeveraging Digital Forensics | Patricia Watson
Leveraging Digital Forensics | Patricia WatsonPatricia M Watson
 

Mais de Patricia M Watson (9)

CIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 WatsonCIA Trifecta ISACA Boise 2016 Watson
CIA Trifecta ISACA Boise 2016 Watson
 
CyberSecThreats_R_U_atRisk_Watson
CyberSecThreats_R_U_atRisk_WatsonCyberSecThreats_R_U_atRisk_Watson
CyberSecThreats_R_U_atRisk_Watson
 
Securing your cyberspace_Watson
Securing your cyberspace_WatsonSecuring your cyberspace_Watson
Securing your cyberspace_Watson
 
ISACA President Letter | Patricia Watson | 2013
ISACA President Letter | Patricia Watson | 2013ISACA President Letter | Patricia Watson | 2013
ISACA President Letter | Patricia Watson | 2013
 
Cyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise ChapterCyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise Chapter
 
IT Governance | 2013 Interface Conf | Watson
IT Governance | 2013 Interface Conf | WatsonIT Governance | 2013 Interface Conf | Watson
IT Governance | 2013 Interface Conf | Watson
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
 
Cyber Security | Patricia Watson
Cyber Security | Patricia WatsonCyber Security | Patricia Watson
Cyber Security | Patricia Watson
 
Leveraging Digital Forensics | Patricia Watson
Leveraging Digital Forensics | Patricia WatsonLeveraging Digital Forensics | Patricia Watson
Leveraging Digital Forensics | Patricia Watson
 

Último

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 

Último (20)

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

Linux Forensics Tool Guide

  • 1. Computer Forensics – Patricia M Watson Linux: A Powerful Computer Forensics Tool Patricia M Watson
  • 2. Computer Forensics – Patricia M Watson What is Computer Forensics? Computer forensics involves the preservation, identification, extraction, documentation and interpretation of computer media for evidentiary and/or root cause analysis. Computer Forensics: Incident Response Essentials, Warren G. Kruse II and Jay G. Heiser, Addison-Wesley 2003 ISBN 0-201-70719-5
  • 3. Computer Forensics – Patricia M Watson What Skills Must Forensics Analyst Have? • A broad range of technical, investigative, procedural, and legal skills  Disk geometry, file systems, software reverse engineering, steganography, cryptography, evidence integrity and authentication, Chain of custody • The ability to function in a complex, dynamic environment  Computer technology as well as legal and regulatory environments are constantly changing • The ability to testify in a court of law  Reproduce incident, interpret results, be prepared for cross- examination
  • 4. Computer Forensics – Patricia M Watson Computer Forensics Training • The SANS Institute – Global Information Assurance Certification Computer Forensics (GCFA)  http://www.giac.org/certifications/security/gcfa.php • New Technologies Inc. – Computer Forensics Certification administered by Oregon State University  http://www.forensics-intl.com/forensic.html • CompuForensics – in association with the University of Georgia offer computer forensics certificate courses  http://www.gactr.uga.edu/is/cf/ • Certified Information System Security Professional (CISSP)  http://www.cissp.com/ispc/cf-bootcamp.asp
  • 5. Computer Forensics – Patricia M Watson Why is Computer Forensics Important? • Computers are used to commit crimes  Fraud, theft of intellectual property, threatening letters • Computers are victims of crimes  Remote attacks, viruses, worms, Trojans • Computers provide record of activities that are useful in an investigation of an alleged crime  Best evidence rule: Accurate representation of original data on a system (bit-for-bit image)
  • 6. Computer Forensics – Patricia M Watson Forensics in a Nutshell • Incident response o Verify the incident o Evidence Seizure o Collect volatile and non-volatile data (live system) • Investigation and analysis o Image System (dead system) o Data recovery • Reporting results o Record your actions
  • 7. Computer Forensics – Patricia M Watson Forensics “The Legal Issues” • Federal (cyber crime is federal) o Title 18 – communications, computers, fraud, etc. o USA Patriot Act – extends crimes, streamlines criminal investigation, and increases penalties o Digital Millennium Copyright Act – makes it illegal to circumvent digital copyright protection • State laws vary • Admissible evidence  Law enforcement personnel activities are restricted (warrants, privacy, consent)  Law enforcement must follow chain of custody  Private citizens must follow company policies  Policy should address both legal and business environments
  • 8. Computer Forensics – Patricia M Watson Places for Data to Hide As organized by SANS.org • Physical Layer  Areas allocated for diagnostics, sector overhead, sectors marked as bad • Data Layer  Slack space, swap space, free space, unallocated space (file fragments) • Metadata Layer  Corrupted inodes (Linux), resident data as alternate data streams (NTFS) • File System Layer  Superblock, boot sector • File Name Layer  When files are deleted, the file system will hide the file name from the user, but much data can be recovered using forensic tools.
  • 9. Computer Forensics – Patricia M Watson The “Tools” • Although there is no universal forensic solution, Linux based tools are preferred for the following reasons:  They are FREE  Open source – You can modify/improve  You can verify tool integrity (cryptographic hashes)  You can image any type of media as raw format  Greater versatility – No platform dependencies
  • 10. Computer Forensics – Patricia M Watson Tools – “The Basics” • dcfldd – Modified version of dd which provides the ability to perform hashing on the raw data collected  # dcfldd if=/dev/hda of=/dev/hdb hashwindow=0 hashlog=drive.md5.txt • dd – Powerful utility used for truncating files, splitting images, or sanitizing disk or partitions  # dd if=/dev/zero of=/dev/hda# • Cryptographic Hashes – Provide evidence integrity and authentication  md5sum, sha1 • mount loop  # mount –o ro,loop imagepath mountpoint • strings, grep, fgrep, file – Used for keyword searches
  • 11. Computer Forensics – Patricia M Watson Type of Forensic Toolkits • Data Analysis Toolkits: Designed to analyze data, best for live system analysis o The Coroner’s Toolkit (TCT)  Designed by Dan Farmer and Wietse Venema to investigate “hacked” Unix host  http://www.fish.com/tct • Data Acquisition Toolkits: Save data to perform lab-based analysis, best for dead system analysis o The Sleuth Kit (TSK)  Designed by Brian Carrier, the TSK is a collection of file system analysis tools with NO platform dependency. http://sleuthkit.sourceforge.net  Autopsy is the graphical interface to TSK
  • 12. Computer Forensics – Patricia M Watson The TSK Tool Organization • File System Layer:  fsstat – displays details about the file system
  • 13. Computer Forensics – Patricia M Watson The TSK Tool Organization • Data Layer:  dstat – provides statistics on a given data unit, i.e. allocation status  dls – copies unallocated contents form data units to STDOUT, the –s flag extracts slack space on NTFS and FAT systems  dcalc – takes the “dls” location as input and determines where it resides in the original image (dd)  dcat – displays the contents of any disk block to STDOUT
  • 14. Computer Forensics – Patricia M Watson The TSK Tool Organization • Metadata Layer: o istat – displays statistics about a given metadata structure i.e. permissions, size, allocation status o ifind – finds the metadata structure that has allocated a given data unit, most frequently used when performing keyword searches o ils - lists general details of inodes, most often used to collect inodes of deleted files o icat – displays the contents of all the blocks allocated to an inode, ideal for recovering deleted files
  • 15. Computer Forensics – Patricia M Watson The TSK Tool Organization • File Name Layer:  fls – lists file and directory entries in a directory inode. Since “fls” is processing the directory content, it can display the data from deleted files  ffind – a mapping tool that finds the file name for a metadata address by processing the full directory tree and locating the entry that points to the metadata address
  • 16. Computer Forensics – Patricia M Watson Forensic Resources • Handbook for Computer Security Incident Response Teams (CSIRTs) http://www.sei.cmu.edu/pub/documents/03.reports/pdf/03hb002.pdf • Intrusion Detection, Honeypots and Incident Handling Resources http://www.honeypots.net/ • US Department of Justice Forensic Examination of Digital Evidence http://www.ncjrs.org/pdffiles1/nij/199408.pdf • USDOJ Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.pdf • Computer Forensics Incident Response Essentials. Warren G. Kruse II and Jay G. Heiser. Addison-Wesley 2003. ISBN 0-201-70719-5 • Know Your Enemy 2nd Edition. The Honeynet Project.
  • 17. Computer Forensics – Patricia M Watson Computer Forensics • Questions?