Deft v7
Computer Forensics
Tony Godfrey
Falconer Technologies
Ohio HTCIA – Salt Fork 2013
Hello & Welcome
Who?
Tony Godfrey is the CEO / Linux Consultant of Falconer
Technologies. He founded his company in 2003 and is
now 100% focused on Linux.
Tony has written several articles on security
administration, contributes to Linux forums and
publications, written technical content for Linux
Administration, and technical review on a Mark Sobell
Linux book. He also teaches topics covering Linux,
Securing Linux, Network/WAN integration, Cisco
routers, Cybercrime and System Forensics.
A “live” environment?
The term "live" derives from the fact that these
"distros", or software distributions, each contain a
complete, functioning and operational operating
system on the distribution medium.
A live distro does not alter the operating system or files
already installed on the computer hard drive unless
instructed to do so. Live distros often include
mechanisms and utilities for more permanent
installation, including disk partitioning tools.
A “live” environment?
The default option, however, is to allow the user to
return the computer to its previous state when the live
distro is ejected and the computer is rebooted. It is
able to run without permanent installation by placing
the files that typically would be stored on a hard drive
into RAM, typically in a RAM disk. However, this does
cut down on the RAM available to
applications, reducing performance somewhat. Certain
live distros run a graphical user interface in as little as
32MB RAM.
Linux “Distro”
A “distro” is a Linux distribution. This means
someone has taken an existing platform and
custom tailored it to fulfill a unique need.
Debian is a core distribution (like Slackware or
Gentoo). Ubuntu (ease of use) and Knoppix (the
network administrator’s Swiss Army knife) are
off-shoots of Debian.
So….what is Lubuntu?
The objective of the Lubuntu project is to create a
variant of Ubuntu that is lighter, less resource
hungry and more energy-efficient by using
lightweight applications and LXDE, the Lightweight X11 Desktop Environment, as its default GUI.
This makes it perfect for Deft
Are there other ones?
Deft
http://www.deftlinux.net/
Qubes-OS
http://www.qubes-os.org/trac
Pentoo
http://www.pentoo.ch/
Lightweight Portable Security
http://www.spi.dod.mil/lipose.htm
Are there other ones?
CAINE
http://www.caine-live.net/
SMART
http://www.asrdata.com/forensic-software/smart-linux/
Paladin
http://sumuri.com/index.php/joomla/what-is-paladin-forensic-software
SD Cards?
Secure Digital (SD) is a non-volatile memory card format
developed by many manufacturers for use in portable
devices. Today it is widely used in digital cameras,
handheld computers, Media Players, mobile phones,
GPS receivers, and video game consoles. Standard SD
card capacities range from 4 MB to 4 GB, and for high
capacity SDHC cards from 4 GB to 32 GB as of 2008.
The SDXC (eXtended Capacity), a new specification
announced at the 2009 CES, will allow for 2 TB
capacity cards.
SD Cards?
Which is better?
Memory card interfaces are rated about 15k-20k duty
cycles (assume you remove and reinsert once a day
until it gives up the ghost, about 40 to 50 years). The
USB interface is rated between 1-5k cycles (3-15
years).
Welcome to Deft
version 7
http://www.deftlinux.net/
What does “deft” mean?
Dexterous
Nimble
Skillful
Clever
Version 7….Version 8?
The Deft Team announced in February 2013 that
Version 8 would be out within the next few months.
Deft
What is Deft?
The “DEFT team” is pleased to announce the
release of the stable version of DEFT 7, the first
toolkit able to perform Computer
Forensics, Mobile Forensics, Network
Forensics, Incident Response and
Cyber Intelligence.
What is in it?
A GNU/Linux based system optimized for Computer Forensics and Cyber Intelligence activities, installable or able to run in live mode.
DART (Digital Advanced Response Toolkit) is a graphical user interface that handles – in a safe environment – the execution of “Incident Response” and Live Forensics tools.
More stuff…
DEFT 7 is based on the new Kernel 3 (Linux side) and the DART (Digital Advanced Response Toolkit) with the best freeware Windows Computer Forensic tools. It’s a new concept of Computer Forensic system that uses LXDE as its desktop environment, WINE to execute Windows tools under Linux, and a mount manager as the tool for device management.
More stuff…
It is a very professional and stable system that includes excellent hardware detection and the best free and open source applications dedicated to Incident Response, Cyber Intelligence and Computer Forensics.
DEFT is meant to be used by the
Military, Police, Investigators, IT Auditors and
Individuals
DEFT is 100% made in Italy
What is in it?
Please take a look at the NOTES section of this
slide
An overview of the tools
Analysis tools: Autopsy forensics browser, Bulk extractor, Catfish, DFF, Emule Forensic, Findwild, Hex Editor, Outguess, Pasco, PTK, Readpst, Rifiuti2, SQLite database browser, Trid, Vinetto
Antimalware tools: Chkrootkit, Rkhunter, Virus Scanner
Carving tools: Foremost, Hb4most, Photorec, Scalpel, Test Disk
Hashing tools: Dhash 2, Md5deep, md5sum, Sha1deep, Sha1sum, Sha256deep, Sha256sum, Sha512sum
Imaging tools: Cylone, Dc3dd, Dcfldd, Ddrescue, Dd rescue, Dhash 2, Guymager
Mobile Forensics: Bbwhatsapp, BitPim, SQLite database browser
Network Forensics: Ettercap, Nmap, Wireshark, Xplico, Xprobe 2
OSINT tools: Creepy, Maltego
Password recovery: Cupp, Fcrackzip, Hydra, John the ripper, Pdfcrack
Reporting tools: Desktop recorder, KeepNote, Maltego CE
SciTE Text Editor, Disk Utility, File Manager, Midnight Commander, Mount ewf, MountManage, Wipe, Xmount
Deft Linux Boot Screen
Text Mode / GUI
Linux Menu
File Manager
Forensics - BitPIM
KeepNote
Maltego
Digital Forensics Framework
iPhone Analyzer
Hydra Password Cracker
DART
Let’s get started with
an installation
Installation Time!
Hold Up!
Installation Type
There are different methods of installing it to a
USB flashie, hard drive, or virtual environment
Three Methods
• #1: We can install Deft so it will either overwrite or dual-boot a hard drive.
• #2: We can install Deft on a USB flashie using the Universal USB Installer.
• #3: Installing VMware Player, installing Deft, and utilizing a virtual environment.
Method #1
• Directly to the hard drive
• Go to “Install Slide A”
Method #2
• Universal USB Installer
• Locate the Deft ISO file, put in a flashie (4 GB min) that can be overwritten, and run the Universal-USB-Installer-1.8.8.9 executable file. This normally takes 10-15 min to run.
• Eject any Deft media and reboot your machine. Boot from the newly created Deft USB flashie.
#2: Universal USB Installer
Virtual Environment?
• A virtual machine (VM) is a software implementation of a computing environment in which an operating system or program can be installed and run.
• The virtual machine typically emulates a physical computing environment, but requests for CPU, memory, hard disk, network and other hardware resources are managed by a virtualization layer which translates these requests to the underlying physical hardware.
Method #3
• VMware Player
• Install the VMware-player-3/4x executable file. Fire up VMware Player and create a new machine. Make sure you know where the Deft DVD or ISO file is. We will set up a 20 GB virtual partition and set the CD/DVD selection to “Legacy”.
• Install Deft – see “Install Slide A”
#3: VMware Player screen
#3: Opening a V/M
#3: Configuring the V/M
#3: Deft in a V/M
Install Slide A
It’s actually the next slide….
Boot from the CD
Installation language selection
Checking hardware…
Installation Welcome screen
Preparing the installation
Select the installation type
Verifying the media
Select the timezone
Select the keyboard
Select the keyboard layout
Setting up a non-”root” user
Starting the installation
…wait, wait, wait…
Installation is Complete!
The GUI login screen
Desktop
Changing the “root” password
Logout screen
Let’s see if “root” can login
Main menu
Deft menu
Lab #1
Spend some time reviewing the GUI and getting
comfortable with this environment.
…continuing…
Autopsy Forensic Browser
The Autopsy Forensic Browser is a graphical
interface to the command line digital
investigation analysis tools in Deft. Together,
they can analyze Windows and UNIX disks and
file systems (NTFS, FAT, UFS1/2, Ext2/3).
Autopsy Forensic Browser
Deft and Autopsy are both Open Source and run
on UNIX platforms (you can use Cygwin to run
them both on Windows). As Autopsy is HTML-
based, you can connect to the Autopsy server
from any platform using an HTML browser.
Autopsy provides a "File Manager"-like interface
and shows details about deleted data and file
system structures.
Analysis Mode: Dead
A dead analysis occurs when a dedicated analysis
system is used to examine the data from a
suspect system. In this case, Autopsy and Deft
are run in a trusted environment, typically in a
lab. Autopsy and TSK support raw, Expert
Witness, and AFF file formats.
Analysis Mode: Live
A live analysis occurs when the suspect system is
being analyzed while it is running. In this case,
Autopsy and Deft are run from a CD in an
untrusted environment. This is frequently used
during incident response while the incident is
being confirmed. After it is confirmed, the
system can be acquired and a dead analysis
performed.
Evidence Search Techniques
• File Listing
• File Content
• Hash Databases
• File Type Sorting
• Timeline of File Activity
• Keyword Search
• Meta Data Analysis
• Data Unit Analysis
• Image Details
 Image Details
Lab #2
Access the Autopsy Forensics Browser, then connect to the
suspect machine.
Let’s review these tools: File Listing, File Content,
Hash Databases, File Type Sorting,
Timeline of File Activity, Keyword Search,
Meta Data Analysis, Data Unit Analysis, & Image Details
…continuing…
What is a “rootkit”?
A rootkit is a program that runs on *nix-based OSes and allows a remote user to execute certain code or commands. There are many different types of rootkits. Some mount themselves among legitimate daemons and "hide" themselves, often reporting results, output, or data to a remote server.
rkhunter
Rkhunter is much like a virus scanner for a
Windows system. It has definitions to help
identify rootkits and reports them. Just like
anything, rkhunter isn't 100%, but it weeds out
the majority of rootkits. Upon running rkhunter,
various system files, conf files, and bin
directories are examined.
rkhunter
The results are cross-referenced against the results from infected systems (from the definitions) and compiled. This is where *nix systems really shine: while your OS, and how it is compiled or configured, may vary, the file system layout and configuration are basically the same. This allows programs like rkhunter to provide results with a fairly small window for error or false positives.
Lab #3
Let’s fire up rkhunter!
Go to TERMINAL
• sudo rkhunter --update
• This will update the database. Then you can add:
• sudo rkhunter --check --createlogfile
• This will activate the rootkit scan. Tip: don't walk off and just leave it to scan; you might be prompted to press [ENTER] a few times to enable it to finish.
…continuing…
What is Data Carving?
Data carving is the process of extracting a
collection of data from a larger data set. Data
carving techniques frequently occur during a
digital investigation when the unallocated file
system space is analyzed to extract files. The
files are "carved" from the unallocated space
using file type specific header and footer values.
File system structures are not used during the
process. This is exactly how PhotoRec works.
PhotoRec
The first step was to use PhotoRec; version 6.5-WIP (WIP = Work In Progress) was tested. PhotoRec scanned the image file for known headers and successfully recognized all JPEG, OLE/Office, HTML and ZIP headers, with no false positives.
PhotoRec
The JPEG footer, used to determine the file size
and validity of a recovered JPEG, is checked by
PhotoRec using libjpeg. ZIP footers are detected
but the file integrity isn't checked. OLE file
format is very complex - its internals are similar
to a file system but PhotoRec is able to get the
file size by analyzing the FAT. After a UTF8 to
ASCII translation, PhotoRec calculates the index
of coincidence to determine if a sector holds text
or random data.
Scalpel
Scalpel is a fast file carver that reads a database
of header and footer definitions and extracts
matching files or data fragments from a set of
image files or raw device files. Scalpel is file
system-independent and will carve files from FAT,
NTFS, ext2/3, HFS+, or raw partitions. It is
useful for both digital forensics investigation and
file recovery.
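Added example (not code from PhotoRec, Scalpel or the Deft project): a small Python carver that does what the Data Carving, PhotoRec and Scalpel slides describe. It matches header/footer pairs over a raw image without touching any file system structure, walks the JPEG marker segments as a stand-in for the libjpeg footer check, and applies PhotoRec's index-of-coincidence test to decide whether a sector holds text or random data. The signature table, the sample image (padding, one good JPEG, one HTML page, one truncated JPEG) and the two thresholds in looks_like_text are constructed assumptions.

```python
"""Header/footer file carving in the style of PhotoRec and Scalpel, plus two of
PhotoRec's validation ideas: walking JPEG marker segments and testing a sector for text.

Added example for this page, not code from PhotoRec, Scalpel or Deft. The signature
table, the sample image and the JPEG/HTML fragments in it are constructed; the
thresholds in looks_like_text are assumptions.
"""
from dataclasses import dataclass
import random
from typing import Dict, List, Tuple

# Scalpel-style definitions: extension -> (max size, header, footer)
SIGNATURES: Dict[str, Tuple[int, bytes, bytes]] = {
    "jpg":  (4096, b"\xff\xd8\xff", b"\xff\xd9"),
    "html": (4096, b"<html", b"</html>"),
}

@dataclass
class Carved:
    ext: str
    start: int
    end: int            # exclusive offset in the image
    data: bytes
    complete: bool      # False when no footer was found within max size

def carve(image: bytes, sigs: Dict[str, Tuple[int, bytes, bytes]] = SIGNATURES) -> List[Carved]:
    """Find every header, cut at the first footer within max size; otherwise cut at
    max size (or end of image) and flag the file as incomplete. No file system
    structures are consulted, which is why this also works on unallocated space."""
    found: List[Carved] = []
    for ext, (max_size, header, footer) in sigs.items():
        pos = image.find(header)
        while pos != -1:
            limit = min(pos + max_size, len(image))
            fpos = image.find(footer, pos + len(header), limit)
            end, complete = (fpos + len(footer), True) if fpos != -1 else (limit, False)
            found.append(Carved(ext, pos, end, image[pos:end], complete))
            pos = image.find(header, pos + 1)       # keep scanning: files can nest
    return sorted(found, key=lambda c: c.start)

def jpeg_structure_valid(data: bytes) -> bool:
    """Walk the marker segments (SOI, APPn/DQT/..., SOS, EOI), the check PhotoRec
    delegates to libjpeg, so a carve with the right first and last bytes but junk
    in between is rejected."""
    if not data.startswith(b"\xff\xd8"):
        return False
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker == 0xD9:                            # EOI with nothing pending
            return True
        if marker == 0xDA:                            # SOS: scan data runs to EOI
            return data.endswith(b"\xff\xd9")
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
    return False

def index_of_coincidence(data: bytes) -> float:
    """Probability that two letters drawn from the data are equal (English ~0.065,
    uniformly random letters 1/26 ~ 0.038). Case-folded ASCII letters only."""
    letters = [b | 0x20 for b in data if 65 <= b <= 90 or 97 <= b <= 122]
    n = len(letters)
    if n < 2:
        return 0.0
    counts: Dict[int, int] = {}
    for c in letters:
        counts[c] = counts.get(c, 0) + 1
    return sum(k * (k - 1) for k in counts.values()) / (n * (n - 1))

def looks_like_text(sector: bytes, min_printable: float = 0.75, min_ioc: float = 0.05) -> bool:
    """PhotoRec's text-or-random test: mostly printable ASCII and a language-like IoC."""
    printable = sum(1 for b in sector if 32 <= b < 127 or b in (9, 10, 13))
    if printable / max(len(sector), 1) < min_printable:
        return False
    return index_of_coincidence(sector) >= min_ioc

# ---- constructed sample image ----
PAD = bytes(range(256)) * 2                     # filler containing none of the signatures
SAMPLE_TEXT = b"The examiner hashed the evidence and recorded the result in the case notes."
SAMPLE_JPEG = (b"\xff\xd8"                                                         # SOI
               + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
               + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                       # SOS
               + b"\x12\x34" * 20                                                  # scan data
               + b"\xff\xd9")                                                      # EOI
SAMPLE_HTML = b"<html><body><p>" + SAMPLE_TEXT + b"</p></body></html>"
BROKEN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 64  # header only, no EOI: truncated file
SAMPLE_IMAGE = PAD + SAMPLE_JPEG + PAD + SAMPLE_HTML + PAD + BROKEN_JPEG
_rng = random.Random(7)                          # deterministic stand-in for random data
RANDOM_SECTOR = bytes(_rng.getrandbits(8) for _ in range(512))

if __name__ == "__main__":
    for c in carve(SAMPLE_IMAGE):
        ok = jpeg_structure_valid(c.data) if c.ext == "jpg" else c.complete
        print(f"{c.ext:5} @ {c.start:6} len {len(c.data):5} complete={c.complete} valid={ok}")
    print("text sector:", looks_like_text(SAMPLE_TEXT), "random sector:", looks_like_text(RANDOM_SECTOR))
```

The truncated JPEG at the end of the image is still carved (cut at max size, as Scalpel does when no footer turns up) but fails the marker walk; that is the difference between a header hit and a file PhotoRec would actually keep.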
Scalpel
Lab #4
Let’s fire up PhotoRec and Scalpel
…continuing…
Hashing
#1: To cut
#2: A technique for locating data in a file by applying a transformation, usually arithmetic, to a key.
md5deep
md5deep is a set of programs to compute MD5,
SHA-1, SHA-256, Tiger, or Whirlpool message
digests on an arbitrary number of files. md5deep
is similar to the md5sum program found in the
GNU Coreutils package. The application’s
features include recursive operation, comparison
mode, time estimation, piecewise hashing, and
file type mode.
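Added example (not code from md5deep, Autopsy or the Deft project) covering both the md5deep slide above and the "Hash Databases" item on the Evidence Search Techniques slide: recursive hashing of an evidence tree, md5deep-style piecewise hashing, and a hash-database lookup that flags known-bad files and filters known-good ones out of the review pile. The evidence files and both hash sets are written to a temporary directory and constructed for the demonstration.

```python
"""Hashing for evidence handling, in the spirit of md5deep/hashdeep and of the hash
databases Autopsy consults.

Added example for this page, not code from md5deep, Autopsy or Deft. The evidence
tree and the known-good / known-bad hash sets are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

def hash_file(path: Path, algo: str = "md5", chunk: int = 1 << 16) -> str:
    """Digest a file in fixed-size reads so a multi-GB image never lands in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def piecewise_hashes(path: Path, piece: int, algo: str = "md5") -> List[Tuple[int, int, str]]:
    """md5deep -p style: one digest per piece, so a partly damaged copy of an image
    still matches on the pieces that survived and the damaged range can be located."""
    pieces: List[Tuple[int, int, str]] = []
    with open(path, "rb") as f:
        offset = 0
        for block in iter(lambda: f.read(piece), b""):
            pieces.append((offset, offset + len(block), hashlib.new(algo, block).hexdigest()))
            offset += len(block)
    return pieces

def hash_tree(root: Path, algo: str = "md5") -> Dict[str, str]:
    """Recursive mode (md5deep -r): relative path -> digest, sorted for a report."""
    result: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            result[p.relative_to(root).as_posix()] = hash_file(p, algo)
    return dict(sorted(result.items()))

def triage(tree: Dict[str, str], known_good: Dict[str, str], known_bad: Dict[str, str]):
    """Hash-database lookup. Matching against a known-bad set is md5deep's -m
    (positive match); dropping everything in a known-good set such as NSRL is its
    -x (negative match), which leaves only the files an examiner still has to read."""
    hits = {p: known_bad[h] for p, h in tree.items() if h in known_bad}
    to_review = {p: h for p, h in tree.items() if h not in known_good and h not in known_bad}
    return hits, to_review

# ---- constructed sample data ----
GOOD_LS = b"constructed stand-in for a clean /bin/ls binary\n"
EVIL_BIN = b"constructed stand-in for a rootkit component\n"
KNOWN_GOOD = {hashlib.md5(GOOD_LS).hexdigest(): "coreutils ls (constructed entry)"}
KNOWN_BAD = {hashlib.md5(EVIL_BIN).hexdigest(): "rootkit sample (constructed entry)"}

def build_sample_tree() -> Path:
    """Write a small evidence tree to a temp directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="deft-hash-"))
    files = {"bin/ls": GOOD_LS, "tmp/.x/kit": EVIL_BIN, "home/user/notes.txt": b"case notes\n"}
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    tree = hash_tree(root)
    for path, digest in tree.items():
        print(digest, path)                      # same layout as md5deep's output
    hits, review = triage(tree, KNOWN_GOOD, KNOWN_BAD)
    print("known bad:", hits)
    print("needs review:", review)
    print("pieces:", piecewise_hashes(root / "home/user/notes.txt", 4))
```

The same digest written into the case notes after imaging (guymager records it for you) is what later proves the image you analysed is the one you acquired; re-running hash_file on the image and comparing is the verification step.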
…continuing…
guymager
A free forensic imager for media acquisition. Its
main features are:
• Easy user interface in different languages
• Runs under Linux
• Really fast, due to multi-threaded, pipelined design and multi-threaded data compression
• Makes full usage of multi-processor machines
• Generates flat (dd), EWF (E01) and AFF images, supports disk cloning
• Free of charge, completely open source
guymager
guymager
…continuing…
BitPim
BitPim is a program that allows you to view and
manipulate data on many CDMA phones from LG,
Samsung, Sanyo and other manufacturers. This
includes the PhoneBook, Calendar, WallPapers,
RingTones (functionality varies by phone) and
the Filesystem for most Qualcomm CDMA chipset
based phones.
Available for Windows, Linux, or Mac
BitPim – some features
…continuing…
Wireshark
Wireshark is the world's foremost network protocol
analyzer. It lets you capture and interactively
browse the traffic running on a computer
network. It is the de facto (and often de jure)
standard across many industries and educational
institutions.
Wireshark examples
• Network administrators use it to troubleshoot network problems
• Network security engineers use it to examine security problems
• Developers use it to debug protocol implementations
• People use it to learn network protocol internals
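Added example (not Wireshark or Deft code): what a protocol analyzer does with one frame. The Python below dissects an Ethernet II / IPv4 / TCP frame into the fields you read off Wireshark's packet-details pane, recomputes the IPv4 header checksum the way Wireshark validates it, and decodes the TCP flags. The frame itself is constructed here from documentation-range IP addresses, made-up MAC addresses and ports, so nothing is captured from a live network.

```python
"""Dissecting an Ethernet II / IPv4 / TCP frame the way a protocol analyzer such as
Wireshark does: fixed-offset header fields, a header checksum check, flag decoding.

Added example for this page, not Wireshark or Deft code. The frame is constructed
here (RFC 5737 documentation IP ranges, made-up MAC addresses and ports).
"""
import struct
from typing import Any, Dict

TCP_FLAG_BITS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, with the checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)

def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def parse_frame(frame: bytes) -> Dict[str, Any]:
    """Return the fields an analyst reads off Wireshark's packet-details pane."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out: Dict[str, Any] = {"eth.dst": mac_str(dst), "eth.src": mac_str(src), "eth.type": ethertype}
    if ethertype != 0x0800:                      # only IPv4 is dissected here
        return out
    ip = frame[14:]
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto,
     csum, sip, dip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    hdr = ip[:ihl]
    recomputed = ipv4_checksum(hdr[:10] + b"\x00\x00" + hdr[12:])
    out.update({"ip.version": ver_ihl >> 4, "ip.hdr_len": ihl, "ip.len": total_len,
                "ip.id": ident, "ip.ttl": ttl, "ip.proto": proto,
                "ip.src": ip_str(sip), "ip.dst": ip_str(dip),
                "ip.checksum_ok": recomputed == csum})
    if proto != 6:                               # 6 = TCP
        return out
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, win, _tcsum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    flags = [name for bit, name in TCP_FLAG_BITS if off_flags & bit]
    out.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
                "tcp.ack": ack, "tcp.flags": flags, "tcp.window": win,
                "tcp.payload": tcp[data_off:]})
    return out

def build_frame(payload: bytes) -> bytes:
    """Constructed PSH/ACK segment to TCP port 80 with a valid IPv4 header checksum.
    The TCP checksum is left at zero; a full analyzer would verify that one too."""
    src_ip, dst_ip = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])   # RFC 5737 ranges
    tcp_hdr = struct.pack("!HHIIHHHH", 40123, 80, 1000, 0, (5 << 12) | 0x18, 65535, 0, 0)
    ip_len = 20 + len(tcp_hdr) + len(payload)
    ip_no_sum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0x1234, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip_hdr = ip_no_sum[:10] + struct.pack("!H", ipv4_checksum(ip_no_sum)) + ip_no_sum[12:]
    eth_hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth_hdr + ip_hdr + tcp_hdr + payload

def corrupt_ttl(frame: bytes) -> bytes:
    """Flip one bit in the IP TTL byte (frame offset 22) to show the checksum check catching it."""
    return frame[:22] + bytes([frame[22] ^ 0x01]) + frame[23:]

if __name__ == "__main__":
    frame = build_frame(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    for key, value in parse_frame(frame).items():
        print("%-16s %r" % (key, value))
    print("after corruption, ip.checksum_ok =", parse_frame(corrupt_ttl(frame))["ip.checksum_ok"])
```

A real dissector keeps going from here (HTTP on top of the TCP payload, reassembly across segments), but every layer is the same move: read the fixed header, validate what can be validated, hand the rest to the next layer.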
…continuing…
Maltego
Maltego is an open source intelligence and forensics application. It offers timely mining and gathering of information as well as the representation of this information in an easy-to-understand format.
Maltego
John the Ripper
John the Ripper is free and Open Source software,
distributed primarily in source code form. If you
would rather use a commercial product tailored
for your specific operating system, please
consider John the Ripper Pro, which is distributed
primarily in the form of "native" packages for the
target operating systems and in general is meant
to be easier to install and use while delivering
optimal performance.
John the Ripper
Updating: John the Ripper
./john pwdumpfile --wordlist=wordlistfile --rules=rulesfile
Hydra
A fast network authentication cracker which supports many different services.
It uses a dictionary attack to test for weak or
simple passwords on one or many remote hosts
running a variety of different services such as
TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB,
SMBNT, MS-SQL, MYSQL, REXEC, RSH, RLOGIN,
CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3,
IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP,
PostgreSQL, Teamspeak, Cisco auth, Cisco
enable, and Cisco AAA
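Added example (not Hydra or Deft code), from the defender's side of the slide above: what a Hydra-style dictionary attack looks like in the target's SSH auth log, and how to flag it. The Python below parses OpenSSH "Failed/Accepted password" lines, counts failures per source address inside a sliding time window, lists the user names tried, and notes whether a login succeeded right after a burst of failures. The log lines, host name and addresses are constructed; the threshold (5 failures in 60 seconds) is an assumption to tune per site.

```python
"""Detecting a dictionary attack of the kind Hydra runs, from the defender's side:
bursts of failed logins per source address in an SSH auth log.

Added example for this page, not Hydra or Deft code. The log lines, the host name
and the source addresses are constructed; the threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse_line(line: str, year: int = 2013) -> Optional[dict]:
    """Syslog lines carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return {"time": when, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}

def max_in_window(times: List[datetime], window_s: int) -> int:
    """Largest number of events inside any span of window_s seconds (two pointers)."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def summarize(lines: List[str]) -> Dict[str, dict]:
    """Per source IP: failure timestamps, user names tried, and whether a login
    succeeded after earlier failures from the same address."""
    per_ip: Dict[str, dict] = defaultdict(
        lambda: {"failures": [], "users": set(), "success_after_failure": False})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = per_ip[ev["ip"]]
        if ev["ok"]:
            if s["failures"]:
                s["success_after_failure"] = True
        else:
            s["failures"].append(ev["time"])
            s["users"].add(ev["user"])
    return dict(per_ip)

def alerts(lines: List[str], threshold: int = 5, window_s: int = 60) -> Dict[str, dict]:
    """Sources with at least `threshold` failures inside `window_s` seconds. Many
    distinct user names from one address is the signature of a wordlist run;
    a success at the end of the burst is the case that needs immediate attention."""
    out: Dict[str, dict] = {}
    for ip, s in summarize(lines).items():
        burst = max_in_window(s["failures"], window_s)
        if burst >= threshold:
            out[ip] = {"failures": len(s["failures"]), "max_in_window": burst,
                       "users": sorted(s["users"]),
                       "success_after_failure": s["success_after_failure"]}
    return out

# Constructed auth.log excerpt (host "deft", RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Mar 12 10:15:01 deft sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Mar 12 10:15:03 deft sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2",
    "Mar 12 10:15:05 deft sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2",
    "Mar 12 10:15:08 deft sshd[2203]: Failed password for invalid user oracle from 203.0.113.5 port 51244 ssh2",
    "Mar 12 10:15:10 deft sshd[2205]: Failed password for invalid user guest from 203.0.113.5 port 51250 ssh2",
    "Mar 12 10:15:12 deft sshd[2205]: Failed password for bob from 203.0.113.5 port 51252 ssh2",
    "Mar 12 10:15:20 deft sshd[2207]: Accepted password for bob from 203.0.113.5 port 51260 ssh2",
    "Mar 12 10:16:40 deft sshd[2210]: Failed password for alice from 198.51.100.20 port 40001 ssh2",
    "Mar 12 10:17:02 deft sshd[2212]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2",
]

if __name__ == "__main__":
    for ip, info in alerts(SAMPLE_LOG).items():
        print(ip, info)
```

The second address (one typo, then a key login) never trips the threshold, which is the point of counting bursts per source instead of alerting on every failure line.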
Hydra
KeepNote
A simple but effective tool for saving and using
notes for class, lab, meetings, papers, accounts,
journals, and more as XML or HTML files. You can
insert or attach images, spreadsheets, and other
files, too. KeepNote offers a lot of flexibility, but
it leaves out bells and whistles like contact
managers, task schedulers, and other
distractions from the job at hand. Its main job is
to replace that stack of notebooks you're lugging
around.
…so…
In conclusion
We have touched on at least one tool in each
major section of Deft. Please feel free to utilize
many of the others in an installed, live, or virtual
environment.
Questions?
‘As a computer, I find your
faith in technology
amusing.’
Thank you!
Thank you for your time.
Falconer Technologies
TonyGodfrey@FalconerTechnologies.com
(216) 282-4TUX

Mais conteúdo relacionado

Mais procurados

1 introduction to linux os
1 introduction to linux os1 introduction to linux os
1 introduction to linux os
Sukkur IBA
 

Mais procurados (20)

Introduction to Ubantu
Introduction to UbantuIntroduction to Ubantu
Introduction to Ubantu
 
Linux Operating System (Presented in ICS Course at United International Unive...
Linux Operating System (Presented in ICS Course at United International Unive...Linux Operating System (Presented in ICS Course at United International Unive...
Linux Operating System (Presented in ICS Course at United International Unive...
 
How ubuntu works???
How ubuntu works???How ubuntu works???
How ubuntu works???
 
History of linux
History of linuxHistory of linux
History of linux
 
Windows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsWindows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti Forensics
 
Ubuntu - The History
Ubuntu - The HistoryUbuntu - The History
Ubuntu - The History
 
kali linux.pptx
kali linux.pptxkali linux.pptx
kali linux.pptx
 
Linux Seminar for Beginners
Linux Seminar for BeginnersLinux Seminar for Beginners
Linux Seminar for Beginners
 
Linux opearting system
Linux opearting systemLinux opearting system
Linux opearting system
 
History Of Linux
History Of LinuxHistory Of Linux
History Of Linux
 
Linux vs windows
Linux vs windowsLinux vs windows
Linux vs windows
 
Intro to operating_system
Intro to operating_systemIntro to operating_system
Intro to operating_system
 
Be Free Be Linux
Be Free Be LinuxBe Free Be Linux
Be Free Be Linux
 
What is the linux
What is the linuxWhat is the linux
What is the linux
 
Introduction to Ubuntu
Introduction to UbuntuIntroduction to Ubuntu
Introduction to Ubuntu
 
Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation
 
Linux ppt
Linux pptLinux ppt
Linux ppt
 
Introduction to linux
Introduction to linuxIntroduction to linux
Introduction to linux
 
linux vs window
linux vs windowlinux vs window
linux vs window
 
1 introduction to linux os
1 introduction to linux os1 introduction to linux os
1 introduction to linux os
 

Destaque

Review for the final exam advanced 2
Review for the final exam advanced 2Review for the final exam advanced 2
Review for the final exam advanced 2
Gilmar Mattos
 
E C C E M I C H I G A N W E E K 5
E C C E    M I C H I G A N    W E E K 5E C C E    M I C H I G A N    W E E K 5
E C C E M I C H I G A N W E E K 5
Gilmar Mattos
 
Varnish in action phpday2011
Varnish in action phpday2011Varnish in action phpday2011
Varnish in action phpday2011
Combell NV
 
2012 03-27 developers e-commercedag presentatie4 ogone
2012 03-27 developers e-commercedag presentatie4 ogone2012 03-27 developers e-commercedag presentatie4 ogone
2012 03-27 developers e-commercedag presentatie4 ogone
Combell NV
 

Destaque (20)

Banish Your Inner Critic to Unblock Creativity - Adobe Max 2015
Banish Your Inner Critic to Unblock Creativity - Adobe Max 2015Banish Your Inner Critic to Unblock Creativity - Adobe Max 2015
Banish Your Inner Critic to Unblock Creativity - Adobe Max 2015
 
Educational technology 2015 1
Educational technology 2015 1Educational technology 2015 1
Educational technology 2015 1
 
InterAct Book Summit: Preventing Information Overload
InterAct Book Summit: Preventing Information OverloadInterAct Book Summit: Preventing Information Overload
InterAct Book Summit: Preventing Information Overload
 
Creativity revolution - SXSW Interactive 2014
Creativity revolution -  SXSW Interactive 2014Creativity revolution -  SXSW Interactive 2014
Creativity revolution - SXSW Interactive 2014
 
Review for the final exam advanced 2
Review for the final exam advanced 2Review for the final exam advanced 2
Review for the final exam advanced 2
 
White Space Creativity
White Space CreativityWhite Space Creativity
White Space Creativity
 
Creativity (R)Evolution - Oredev 2013
Creativity (R)Evolution - Oredev 2013Creativity (R)Evolution - Oredev 2013
Creativity (R)Evolution - Oredev 2013
 
Infinite Possibilities - Groupon's GEEKon 2015
Infinite Possibilities - Groupon's GEEKon 2015Infinite Possibilities - Groupon's GEEKon 2015
Infinite Possibilities - Groupon's GEEKon 2015
 
Review for the final exam, gilmar
Review for the final exam, gilmarReview for the final exam, gilmar
Review for the final exam, gilmar
 
E C C E M I C H I G A N W E E K 5
E C C E    M I C H I G A N    W E E K 5E C C E    M I C H I G A N    W E E K 5
E C C E M I C H I G A N W E E K 5
 
Plan For Accessibility - TODCon 2008
Plan For Accessibility - TODCon 2008Plan For Accessibility - TODCon 2008
Plan For Accessibility - TODCon 2008
 
Infinite Possibilities - How Interactive Conference, San Francisco
Infinite Possibilities - How Interactive Conference, San FranciscoInfinite Possibilities - How Interactive Conference, San Francisco
Infinite Possibilities - How Interactive Conference, San Francisco
 
Unleash an Avalanche of Productivity
Unleash an Avalanche of ProductivityUnleash an Avalanche of Productivity
Unleash an Avalanche of Productivity
 
Varnish in action phpday2011
Varnish in action phpday2011Varnish in action phpday2011
Varnish in action phpday2011
 
0702 Innovationclusters
0702 Innovationclusters0702 Innovationclusters
0702 Innovationclusters
 
Bored But Never Boring - Media Evolution: The Conference 2013
Bored But Never Boring - Media Evolution: The Conference 2013Bored But Never Boring - Media Evolution: The Conference 2013
Bored But Never Boring - Media Evolution: The Conference 2013
 
Banish Your Inner Critic - Web Design Day 2015
Banish Your Inner Critic -  Web Design Day 2015Banish Your Inner Critic -  Web Design Day 2015
Banish Your Inner Critic - Web Design Day 2015
 
2012 03-27 developers e-commercedag presentatie4 ogone
2012 03-27 developers e-commercedag presentatie4 ogone2012 03-27 developers e-commercedag presentatie4 ogone
2012 03-27 developers e-commercedag presentatie4 ogone
 
Hop on for a quick tour of the streets of Australia
Hop on for a quick tour of the streets of AustraliaHop on for a quick tour of the streets of Australia
Hop on for a quick tour of the streets of Australia
 
Let’s Rawk the Web: A Call to Action
Let’s Rawk the Web: A Call to ActionLet’s Rawk the Web: A Call to Action
Let’s Rawk the Web: A Call to Action
 

Semelhante a Deft v7

Linux nic training_intro_14_dec_09
Linux nic training_intro_14_dec_09Linux nic training_intro_14_dec_09
Linux nic training_intro_14_dec_09
Aravindan Arun
 
Linux Operating SystemMigration ProposalCMIT 391 - Section .docx
Linux Operating SystemMigration ProposalCMIT 391 -  Section .docxLinux Operating SystemMigration ProposalCMIT 391 -  Section .docx
Linux Operating SystemMigration ProposalCMIT 391 - Section .docx
washingtonrosy
 
Nt1330 Unit 4.3 Assignment 1
Nt1330 Unit 4.3 Assignment 1Nt1330 Unit 4.3 Assignment 1
Nt1330 Unit 4.3 Assignment 1
Amanda Reed
 

Semelhante a Deft v7 (20)

Linux
Linux Linux
Linux
 
I Am Linux-Introductory Module on Linux
I Am Linux-Introductory Module on LinuxI Am Linux-Introductory Module on Linux
I Am Linux-Introductory Module on Linux
 
Group project linux helix
Group project linux helixGroup project linux helix
Group project linux helix
 
Linux
LinuxLinux
Linux
 
File000173
File000173File000173
File000173
 
Linux nic training_intro_14_dec_09
Linux nic training_intro_14_dec_09Linux nic training_intro_14_dec_09
Linux nic training_intro_14_dec_09
 
Linux
LinuxLinux
Linux
 
Foss Presentation
Foss PresentationFoss Presentation
Foss Presentation
 
Linux fundamentals Training
Linux fundamentals TrainingLinux fundamentals Training
Linux fundamentals Training
 
Linux Operating SystemMigration ProposalCMIT 391 - Section .docx
Linux Operating SystemMigration ProposalCMIT 391 -  Section .docxLinux Operating SystemMigration ProposalCMIT 391 -  Section .docx
Linux Operating SystemMigration ProposalCMIT 391 - Section .docx
 
Introduction to FOSS
Introduction to FOSSIntroduction to FOSS
Introduction to FOSS
 
Top 10 Tips for Beginning Linux Users
Top 10 Tips for Beginning Linux UsersTop 10 Tips for Beginning Linux Users
Top 10 Tips for Beginning Linux Users
 
Security Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsSecurity Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and Results
 
Linux Operating System
Linux Operating SystemLinux Operating System
Linux Operating System
 
Linux security
Linux securityLinux security
Linux security
 
Linux
Linux Linux
Linux
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
 
Linux introduction (eng)
Linux introduction (eng)Linux introduction (eng)
Linux introduction (eng)
 
Linux Beginner Guide 2014
Linux Beginner Guide 2014Linux Beginner Guide 2014
Linux Beginner Guide 2014
 
Nt1330 Unit 4.3 Assignment 1
Nt1330 Unit 4.3 Assignment 1Nt1330 Unit 4.3 Assignment 1
Nt1330 Unit 4.3 Assignment 1
 

Último

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Último (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 

Deft v7

  • 1. Deft v7 Computer Forensics Tony Godfrey Falconer Technologies Ohio HTCIA – Salt Fork 2013
  • 3. Who? Tony Godfrey is the CEO / Linux Consultant of Falconer Technologies. He founded his company in 2003 and is now 100% focused on Linux. Tony has written several articles on security administration, contributes to Linux forums and publications, written technical content for Linux Administration, and technical review on a Mark Sobell Linux book. He also teaches topics covering Linux, Securing Linux, Network/WAN integration, Cisco routers, Cybercrime and System Forensics.
  • 4.
  • 5. A “live” environment? The term "live" derives from the fact that these "distros", or software distributions, each contain a complete, functioning and operational operating system on the distribution medium. A live distro does not alter the operating system or files already installed on the computer hard drive unless instructed to do so. Live distros often include mechanisms and utilities for more permanent installation, including disk partitioning tools.
  • 6. A “live” environment? The default option, however, is to allow the user to return the computer to its previous state when the live distro is ejected and the computer is rebooted. It is able to run without permanent installation by placing the files that typically would be stored on a hard drive into RAM, typically in a RAM disk. However, this does cut down on the RAM available to applications, reducing performance somewhat. Certain live distros run a graphical user interface in as little as 32MB RAM.
  • 7. Linux “Distro” A “distro” is a Linux distribution. This means someone has taken an existing platform and custom tailored it to fulfill a unique need. Debian is a core distribution (like Slackware or Gentoo). Ubuntu (ease of use) and Knoppix (the network administrator’s Swiss Army knife) are off-shoots of Debian.
  • 8. So….what is Lubuntu? The objective of the Lubuntu project is to create a variant of Ubuntu that is lighter, less resource hungry and more energy-efficient by using lightweight applications and LXDE, The Lightweight X11 Desktop Environment, as its default GUI. This makes it perfect for Deft
  • 9. Are there other ones? Deft http://www.deftlinux.net/ Qubes-OS http://www.qubes-os.org/trac Pentoo http://www.pentoo.ch/ Lightweight Portable Security http://www.spi.dod.mil/lipose.htm
  • 10. Are there other ones? CAINE http://www.caine-live.net/ SMART http://www.asrdata.com/forensic-software/smart-linux/ Paladin http://sumuri.com/index.php/joomla/what-is-paladin-forensic-software
  • 11. SD Cards? Secure Digital (SD) is a non-volatile memory card format developed by many manufacturers for use in portable devices. Today it is widely used in digital cameras, handheld computers, media players, mobile phones, GPS receivers, and video game consoles. Standard SD card capacities range from 4 MB to 4 GB, and high capacity SDHC cards from 4 GB to 32 GB (as of 2008). The SDXC (eXtended Capacity) specification, announced at CES 2009, allows for cards of up to 2 TB.
  • 13. Which is better? Memory-card connectors are rated at about 15k-20k insertion cycles (if you remove and reinsert the card once a day until it gives up the ghost, that is roughly 40 to 55 years). The USB connector is rated at 1-5k insertion cycles (roughly 3 to 14 years).
  • 14. Welcome to Deft version 7 http://www.deftlinux.net/
  • 15. What does “deft” mean? Dexterous Nimble Skillful Clever
  • 16. Version 7….Version 8? The Deft Team announced in February 2013 that Version 8 would be out within the next few months.
  • 17. Deft
  • 18. What is Deft? The “DEFT team” is pleased to announce the release of the stable version of DEFT 7, the first toolkit able to perform Computer Forensics, Mobile Forensics, Network Forensics, Incident Response and Cyber Intelligence.
  • 19. What is in it? A GNU/Linux based system optimized for Computer Forensics and Cyber Intelligence activities, installable or able to run in live mode. DART (Digital Advanced Response Toolkit) is a graphical user interface that handles, in a safe environment, the execution of “Incident Response” and Live Forensics tools.
  • 20. More stuff… DEFT 7 is based on the new Linux kernel 3 and on DART (Digital Advanced Response Toolkit), which bundles the best freeware Windows computer forensic tools. It is a new concept of computer forensic system that uses LXDE as its desktop environment, WINE to execute Windows tools under Linux, and Mount Manager as the tool for device management.
  • 21. More stuff… It is a very professional and stable system that includes excellent hardware detection and the best free and open source applications dedicated to Incident Response, Cyber Intelligence and Computer Forensics. DEFT is meant to be used by the Military, Police, Investigators, IT Auditors and Individuals. DEFT is 100% made in Italy.
  • 22. What is in it? Please take a look at the NOTES section of this slide
  • 23. An overview of the tools
    Analysis tools: Autopsy forensics browser, Bulk extractor, Catfish, DFF, Emule Forensic, Findwild, Hex Editor, Outguess, Pasco, PTK, Readpst, Rifiuti2, SQLite database browser, Trid, Vinetto
    Antimalware tools: Chkrootkit, Rkhunter, Virus Scanner
    Carving tools: Foremost, Hb4most, Photorec, Scalpel, Test Disk
    Hashing tools: Dhash 2, Md5deep, md5sum, Sha1deep, Sha1sum, Sha256deep, Sha256sum, Sha512sum
    Imaging tools: Cyclone, Dc3dd, Dcfldd, Ddrescue, Dd rescue, Dhash 2, Guymager
    Mobile forensics: Bbwhatsapp, BitPim, SQLite database browser
    Network forensics: Ettercap, Nmap, Wireshark, Xplico, Xprobe 2
    OSINT tools: Creepy, Maltego
    Password recovery: Cupp, Fcrackzip, Hydra, John the ripper, Pdfcrack
    Reporting tools: Desktop recorder, KeepNote, Maltego CE, SciTE Text Editor
    Also included: Disk Utility, File Manager, Midnight Commander, Mount ewf, MountManage, Wipe, Xmount
  • 24. Deft Linux Boot Screen
  • 25. Text Mode / GUI
  • 34. DART
  • 35. Let’s get started with an installation Installation Time!
  • 36. Hold Up! Installation Type There are different methods of installing it to a USB flashie, hard drive, or virtual environment
  • 37. Three Methods
    #1: We can install Deft so it will either overwrite or dual-boot a hard drive.
    #2: We can install Deft on a USB flashie using the Universal USB Installer.
    #3: Installing VMware Player, installing Deft, and utilizing a virtual environment.
  • 38. Method #1: Directly to the hard drive. Go to “Install Slide A”.
  • 39. Method #2: Universal USB Installer. Locate the Deft ISO file, plug in a flashie (4 GB minimum) that can be overwritten, and run the Universal-USB-Installer-1.8.8.9 executable. This normally takes 10-15 min. Eject any Deft media, reboot your machine, and boot from the newly created Deft USB flashie.
  • 40. #2: Universal USB Installer
  • 41. Virtual Environment? A virtual machine (VM) is a software implementation of a computing environment in which an operating system or program can be installed and run. The virtual machine typically emulates a physical computing environment, but requests for CPU, memory, hard disk, network and other hardware resources are managed by a virtualization layer which translates these requests to the underlying physical hardware.
  • 42. Method #3: VMware Player. Install the VMware Player 3.x/4.x executable. Fire up VMware Player and create a new machine. Make sure you know where the Deft DVD or ISO file is. We will set up a 20 GB virtual disk and set the CD/DVD selection to “Legacy”. Install Deft: see “Install Slide A”.
  • 46. #3: Deft in a V/M
  • 47. Install Slide A: It’s actually the next slide….
  • 58. Setting up a non-”root” user
  • 62. The GUI login screen
  • 66. Let’s see if “root” can login
  • 69. Lab #1 Spend some time reviewing the GUI and getting comfortable with this environment.
  • 71. Autopsy Forensic Browser The Autopsy Forensic Browser is a graphical interface to the command line digital investigation analysis tools in Deft. Together, they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3).
  • 72. Autopsy Forensic Browser Deft and Autopsy are both Open Source and run on UNIX platforms (you can use Cygwin to run them both on Windows). As Autopsy is HTML- based, you can connect to the Autopsy server from any platform using an HTML browser. Autopsy provides a "File Manager"-like interface and shows details about deleted data and file system structures.
  • 73. Analysis Mode: Dead A dead analysis occurs when a dedicated analysis system is used to examine the data from a suspect system. In this case, Autopsy and Deft are run in a trusted environment, typically in a lab. Autopsy and TSK support raw, Expert Witness, and AFF file formats.
  • 74. Analysis Mode: Live A live analysis occurs when the suspect system is being analyzed while it is running. In this case, Autopsy and Deft are run from a CD in an untrusted environment. This is frequently used during incident response while the incident is being confirmed. After it is confirmed, the system can be acquired and a dead analysis performed.
  • 75. Evidence Search Techniques: File Listing, File Content, Hash Databases, File Type Sorting, Timeline of File Activity, Keyword Search, Meta Data Analysis, Data Unit Analysis, Image Details
  • 76. Lab #2 Access the Autopsy Forensics Browser, then connect to the suspect machine. Let’s review these tools: File Listing, File Content, Hash Databases, File Type Sorting, Timeline of File Activity, Keyword Search, Meta Data Analysis, Data Unit Analysis, & Image Details
  • 78. What is a “rootkit”? A rootkit is software that hides its own presence (and usually an attacker’s files, processes and network connections) while giving a remote user privileged access to execute code or commands. The name comes from *nix-based OSes, where “root” is the privileged account, but rootkits exist for other platforms too. There are many different types. Some install themselves alongside legitimate daemons, or replace core system binaries such as ps, ls and netstat with trojaned copies, and “hide” themselves while reporting results, output, or data to a remote server.
  • 79. rkhunter: Rkhunter (Rootkit Hunter) is much like a virus scanner for a Windows system. It ships a database of known rootkit signatures and reports anything that matches. Like anything, rkhunter isn’t 100%, but it weeds out the majority of known rootkits. When run, it examines system binaries, configuration files, the bin directories, loaded kernel modules and the usual rootkit hiding places.
  • 80. rkhunter: The results are cross-referenced against the known-rootkit definitions and against the stored properties of the system’s own files, and a report is compiled. This is where *nix systems really shine: while the OS, how it was built and how it is configured may vary, the file system layout and the set of core binaries are basically the same everywhere, which lets a program like rkhunter report with a fairly small window for error or false positives. One caveat: the file-properties check compares against a baseline rkhunter records from the machine itself (rkhunter --propupd), so that baseline is only worth anything if it was taken from a known-clean system.
  • 81. Lab #3 Let’s fire up rkhunter!
  • 82. Go to TERMINAL: sudo rkhunter --update (refreshes the rootkit data files). Then you can add: sudo rkhunter --check --createlogfile (runs the rootkit scan and writes a log file). Tip: don’t walk off and just leave it to scan; by default rkhunter pauses after each group of tests and waits for you to press [ENTER]. Add --sk (--skip-keypress) to let it run through unattended.
  • 84. What is Data Carving? Data carving is the process of extracting a collection of data from a larger data set. Data carving techniques frequently occur during a digital investigation when the unallocated file system space is analyzed to extract files. The files are "carved" from the unallocated space using file type specific header and footer values. File system structures are not used during the process. This is exactly how PhotoRec works.
  • 85. PhotoRec: In the carving test this slide quotes, PhotoRec version 6.5-WIP (WIP = Work In Progress) was used. It scanned the image file for known headers and recognized all JPEG, OLE/Office, HTML and ZIP headers, with no false positives.
  • 86. PhotoRec: The JPEG footer, used to determine the size and validity of a recovered JPEG, is checked by PhotoRec using libjpeg. ZIP footers are detected, but the file integrity isn’t checked. The OLE file format is very complex, with internals similar to a file system, but PhotoRec is able to get the file size by analyzing the FAT. After a UTF-8 to ASCII translation, PhotoRec calculates the index of coincidence to decide whether a sector holds text or random data.
  • 87. Scalpel Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files or data fragments from a set of image files or raw device files. Scalpel is file system-independent and will carve files from FAT, NTFS, ext2/3, HFS+, or raw partitions. It is useful for both digital forensics investigation and file recovery.
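The carving idea behind PhotoRec and Scalpel, as an added example that is not code from the talk, from DEFT, or from either tool: scan a raw image for known headers, then use a per-type rule to find where each file ends without ever consulting file-system metadata. JPEG is handled by walking the marker segments to SOS so an embedded EXIF thumbnail’s own EOI is not mistaken for the end of the file (a classic trap for naive header/footer carving); PNG is validated chunk by chunk via CRC, so a corrupt candidate is rejected rather than carved; ZIP ends at the end-of-central-directory record plus its comment. The “disk image” is constructed inline from synthetic files, not taken from any case.

```python
"""Header/footer carver in the style of PhotoRec and Scalpel (added example)."""
import io
import struct
import zipfile
import zlib


def jpeg_end(data: bytes, start: int):
    """Walk marker segments up to SOS, then find EOI after the scan data.
    Skipping APPn segments by length means a thumbnail's EOI is never hit."""
    pos = start + 2                                  # just past SOI
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None                              # marker stream broken
        marker = data[pos + 1]
        if marker == 0xFF:                           # fill byte
            pos += 1
            continue
        if marker == 0xDA:                           # SOS: entropy-coded data follows
            eoi = data.find(b"\xff\xd9", pos)
            return None if eoi < 0 else eoi + 2
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
    return None


def png_end(data: bytes, start: int):
    """Walk PNG chunks, verifying each CRC, until IEND; bad CRC = not a PNG."""
    pos = start + 8                                  # just past the signature
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if len(body) < length:
            return None
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + body) != crc:
            return None
        pos += 12 + length
        if ctype == b"IEND":
            return pos
    return None


def zip_end(data: bytes, start: int):
    """End = end-of-central-directory record (22 bytes) plus its comment."""
    eocd = data.find(b"PK\x05\x06", start)
    if eocd < 0 or eocd + 22 > len(data):
        return None
    comment_len = struct.unpack("<H", data[eocd + 20:eocd + 22])[0]
    return eocd + 22 + comment_len


SIGNATURES = [                                       # (type, header, end-finder)
    ("jpg", b"\xff\xd8\xff", jpeg_end),
    ("png", b"\x89PNG\r\n\x1a\n", png_end),
    ("zip", b"PK\x03\x04", zip_end),
]


def carve(data: bytes):
    """Return [(type, offset, payload)] for every validated file in the image."""
    hits = []
    for name, header, end_finder in SIGNATURES:
        pos = data.find(header)
        while pos >= 0:
            hits.append((pos, name, end_finder))
            pos = data.find(header, pos + 1)
    hits.sort(key=lambda h: h[0])
    carved, cursor = [], 0
    for offset, name, end_finder in hits:
        if offset < cursor:                          # header inside a file already carved
            continue
        end = end_finder(data, offset)
        if end is None:
            continue                                 # no valid footer: skip, never guess a size
        carved.append((name, offset, data[offset:end]))
        cursor = end
    return carved


# --- constructed sample image (synthetic, not evidence) -------------------
def _jpeg(scan: bytes, thumb: bytes = b"") -> bytes:
    app1 = b"Exif\x00\x00" + thumb                   # APP1 may wrap a whole thumbnail JPEG
    seg = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + seg + sos + scan + b"\xff\xd9"


def _png() -> bytes:
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)       # 1x1 greyscale
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IEND", b"")


def _zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "carved from unallocated space")
    return buf.getvalue()


SAMPLE_JPEG = _jpeg(b"\xaa\xbb\xcc\xdd", thumb=_jpeg(b"\x12\x34"))   # JPEG with EXIF thumbnail
SAMPLE_IMAGE = (b"\x00" * 512 + SAMPLE_JPEG + b"slack data " * 20
                + _png() + b"\x00" * 300 + _zip() + b"\xff" * 64)

if __name__ == "__main__":
    for name, off, payload in carve(SAMPLE_IMAGE):
        print(f"{name}\toffset={off}\tsize={len(payload)}")
```

Scalpel’s real configuration adds a maximum carve size per type and can carve to that size when no footer is found; here an unterminated candidate is skipped instead, which trades some recall for never emitting a file of invented length.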
  • 89. Lab #4 Let’s fire up PhotoRec and Scalpel
  • 91. Hashing: #1: To cut. #2: A technique for locating data in a file by applying a transformation, usually arithmetic, to a key. In forensics the word means computing a fixed-length digest (MD5, SHA-1, SHA-256, …) of a file or an image: change a single bit and the digest changes, which is how acquired evidence is shown to be unaltered.
  • 92. md5deep md5deep is a set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files. md5deep is similar to the md5sum program found in the GNU Coreutils package. The application’s features include recursive operation, comparison mode, time estimation, piecewise hashing, and file type mode.
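The md5deep features listed above (recursive operation, comparison mode against a list of known hashes, piecewise hashing), as an added example that is not md5deep’s own code or anything from the talk. Known hashes are read in md5sum/md5deep line format (“hex  name”); the sample directory tree and the “known good” / “known bad” labels are constructed in a temporary directory for the example.

```python
"""Recursive, piecewise and comparison-mode hashing, md5deep style (added example)."""
import hashlib
import os
import tempfile

ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def hash_file(path, algo="md5", chunk=1 << 20):
    """Stream the file through the digest; never read an evidence file whole."""
    h = ALGORITHMS[algo]()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_piecewise(path, block_size, algo="md5"):
    """Piecewise hashing: one (start, end, digest) per fixed-size block, so a
    partial overwrite or a bad sector only stops that block from matching."""
    pieces, offset = [], 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            pieces.append((offset, offset + len(block), ALGORITHMS[algo](block).hexdigest()))
            offset += len(block)
    return pieces


def hash_tree(root, algo="md5"):
    """Recursive mode: {relative path: digest} for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                result[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full, algo)
    return result


def load_known(text):
    """Parse md5sum/md5deep output lines into {hex digest: label}."""
    known = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            known[parts[0].lower()] = parts[1]
    return known


def compare(tree_hashes, known):
    """Comparison mode: files whose digest is in the known set (md5deep -m)
    and files whose digest is not (md5deep -x)."""
    matched = {path: known[d] for path, d in tree_hashes.items() if d in known}
    unmatched = sorted(p for p, d in tree_hashes.items() if d not in known)
    return matched, unmatched


# --- constructed sample tree and known-hash list (not from a case) --------
SAMPLE_FILES = {
    "docs/abc.txt": b"abc",
    "docs/fox.txt": b"The quick brown fox jumps over the lazy dog",
    "tmp/empty.bin": b"",
    "bin/a.bin": b"A" * 8 + b"B" * 8,
    "bin/b.bin": b"A" * 8 + b"C" * 8,
}
KNOWN_HASHES = """\
900150983cd24fb0d6963f7d28e17f72  known-good/abc.txt
9e107d9d372bb6826bd81d3542a419d6  known-bad/dropper.exe
"""


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="md5deep_demo_")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hashes = hash_tree(root)
    matched, unmatched = compare(hashes, load_known(KNOWN_HASHES))
    for path, digest in hashes.items():
        print(f"{digest}  {path}  {matched.get(path, '')}")
    print("not in known set:", unmatched)
```

Against a real NSRL or agency hash set the same compare() call is what separates known-good operating-system files (drop from review) from known-bad ones (flag for review); everything unmatched is what the examiner actually has to look at.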
  • 94. guymager: A free forensic imager for media acquisition. Its main features are:
    Easy user interface in different languages
    Runs under Linux
    Really fast, due to multi-threaded, pipelined design and multi-threaded data compression
    Makes full usage of multi-processor machines
    Generates flat (dd), EWF (E01) and AFF images, supports disk cloning
    Free of charge, completely open source
  • 98. BitPim BitPim is a program that allows you to view and manipulate data on many CDMA phones from LG, Samsung, Sanyo and other manufacturers. This includes the PhoneBook, Calendar, WallPapers, RingTones (functionality varies by phone) and the Filesystem for most Qualcomm CDMA chipset based phones. Available for Windows, Linux, or Mac
  • 99. BitPim – some features
  • 101. Wireshark Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.
  • 102. Wireshark examples
    Network administrators use it to troubleshoot network problems
    Network security engineers use it to examine security problems
    Developers use it to debug protocol implementations
    People use it to learn network protocol internals
  • 104. Maltego: Maltego is an open source intelligence (OSINT) and forensics application. It offers timely mining and gathering of information as well as the representation of this information in an easy-to-understand format.
  • 106. John the Ripper John the Ripper is free and Open Source software, distributed primarily in source code form. If you would rather use a commercial product tailored for your specific operating system, please consider John the Ripper Pro, which is distributed primarily in the form of "native" packages for the target operating systems and in general is meant to be easier to install and use while delivering optimal performance.
  • 108. Using John the Ripper: ./john --wordlist=wordlistfile --rules pwdumpfile (--rules applies the word-mangling rules from john.conf to every wordlist entry; pwdumpfile is the file of dumped password hashes)
  • 109. Hydra: A fast network authentication cracker which supports many different services. It uses a dictionary attack to test for weak or simple passwords on one or many remote hosts running a variety of different services such as TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP, PostgreSQL, Teamspeak, Cisco auth, Cisco enable, and Cisco AAA.
  • 110. Hydra
  • 111. KeepNote A simple but effective tool for saving and using notes for class, lab, meetings, papers, accounts, journals, and more as XML or HTML files. You can insert or attach images, spreadsheets, and other files, too. KeepNote offers a lot of flexibility, but it leaves out bells and whistles like contact managers, task schedulers, and other distractions from the job at hand. Its main job is to replace that stack of notebooks you're lugging around.
  • 113. In conclusion We have touched on at least one tool in each major section of Deft. Please feel free to utilize many of the others in an installed, live, or virtual environment.
  • 115. ‘As a computer, I find your faith in technology amusing.’
  • 116. Thank you! Thank you for your time. Falconer Technologies TonyGodfrey@FalconerTechnologies.com (216) 282-4TUX

Editor’s Notes

  1. The “DEFT team” (formed by the author, Massimiliano Dal Cero, Sandro Rossetti, Paolo Dal Checco, Davide “Rebus” Gabrini, Emanuele Gentili, Meo Bogliolo, Marco Giorgi and Valerio Leomporra)
  2. What is in it? DEFT Linux 7 most important package list: Libewf 20100226, Afflib 3.6.14, TSK 3.2.3, Autopsy 2.24, Digital Forensic Framework 1.2, PTK Forensic 1.0.5 DEFT edition, Pyflag, Maltego CE, KeepNote 0.7.6, Mobius Forensic, Xplico 0.7.1, Scalpel 2, Hunchbackeed Foremost 0.6, Findwild 1.3, Bulk Extractor 1.1, Dropbox Reader, Emule Forensic 1.0, Guymager 0.6.3-1, Dhash 2, Cyclone wizard acquire tool, Ipddump, Iphone Analyzer, Iphone backup analyzer, SQLite Database Browser 2.0b1, BitPim 1.0.7, Bbwhatsapp database converter, Reggripper, Creepy 0.1.9, Hydra 7.1, Log2timeline 0.60, Wine 1.3.28.
  DART package list: 7zip, Advanced Password Recovery, AviScreen, BlackBag IOReg Info, BlackBag PMAP Info, CamStudio, ClamWin, ConTools, Database Browser, dcfldd (for Windows), DeepBurner, DiskDigger, Don’t Sleep, DriveMan, EMFSpoolViewer, Emule MET viewer, Eraser Portable, f3e, FastStone Viewer, FATwalker, FAU x64, FAU x86, FileAlyzer 2, FileInfo, fmem, FSV Thumbs Extractor, FTK Imager, FTK Imager CLI (Win, Linux, Mac), GMER, Gsplit, Harvester, HDDRawCopy, Historian, HWiNFO, HWiNFO32 and HWiNFO64, HxD, ICESword, index.dat Analyzer, IrfanView (with plugins), JAD EDD, JAD Facebook JPG Finder, Jam-Software Treesize, Jam-Software UltraSearch, JPEGsnoop, LAN Search Pro 32/64, Lime Juicer, LimeWire Library Parser v4 and v5, Lnkexaminer, ltfviewer, Mail-Cure for Outlook Express, Mandiant Audit Viewer, Mandiant Memoryze, Mandiant RestorePointAnalyzer, Mandiant Web Historian, md5deep for Windows, md5summer, MDD, MediaPlayerClassic (x86/x64), Mitec Mail Viewer, MiTec Structured Storage Viewer, Mitec Windows File Analyzer, Mitec Windows Registry Rescue, NetSetMan, Nigilant32, Nirsoft Access PassView, Nirsoft AlternateStreamView, Nirsoft Asterisk Logger, Nirsoft AsterWin, Nirsoft AsterWin IE, Nirsoft Bluetooth Viewer, Nirsoft BulletsPassView x86 and x64, Nirsoft ChromeCacheView, Nirsoft ChromeCookiesView, Nirsoft ChromeHistoryView, Nirsoft ChromePass, Nirsoft CurrPorts x86 and x64, Nirsoft CurrProcess, Nirsoft Dialupass, Nirsoft Enterprise Manager PassView, Nirsoft FirefoxDownloadsView, Nirsoft FlashCookiesView, Nirsoft FoldersReport, Nirsoft HashMyFiles, Nirsoft IE Cache View, Nirsoft IE Cookies View, Nirsoft IE History View, Nirsoft IE PassView, Nirsoft InsideClipboard, Nirsoft LiveContactsView, Nirsoft LSASecretsDump x86 and x64, Nirsoft LSASecretsView x86 and x64, Nirsoft Mail PassView, Nirsoft MessenPass, Nirsoft Mozilla Cache View, Nirsoft Mozilla Cookies View, Nirsoft Mozilla History View, Nirsoft MUICacheView, Nirsoft MyEventViewer (also x64), Nirsoft MyLastSearch, Nirsoft NetResView, Nirsoft Netscapass, Nirsoft Network Password Recovery x86 and x64, Nirsoft OpenedFilesView (also x64), Nirsoft OperaCacheView, Nirsoft OperaPassView, Nirsoft OutlookAttachView (also x64), Nirsoft PasswordFox, Nirsoft PCAnywhere PassView, Nirsoft ProcessActivityView, Nirsoft Protected Storage PassView, Nirsoft PstPassword, Nirsoft RecentFilesView, Nirsoft RegScanner (also x64 and win98), Nirsoft Remote Desktop PassView, Nirsoft Safari Cache View, Nirsoft ServiWin, Nirsoft SkypeLogView, Nirsoft SmartSniff (x86 and x64), Nirsoft StartupRun, Nirsoft USBDeview x86 and x64, Nirsoft UserAssistView, Nirsoft UserProfilesView, Nirsoft VideoCacheView, Nirsoft VNCPassView, Nirsoft WebBrowserPassView, Nirsoft WhatInStartup, Nirsoft Win9x PassView, Nirsoft WinPrefetchView, Nirsoft Wireless Network View, Nirsoft WirelessKeyView x86 and x64, Notepad++ (with Hexedit and LightExplorer), NTFSwalker, On-screen keyboard, OTFE Volume File Finder, PC On/Off Time, Photostudio, pre-search, ProDiscover Basic Free, Props, QCC FragView, QCC Gigaview, QCC VideoTriage, RefWolf Prefetch-Parser, Registry Decoder Live 32/64, Registry Report, RegRipper Plugin, RHash, RootRepeal, Sanderson Forensic Copy, Sanderson Forensic Image Viewer, Sanderson List Codecs, Sanderson OLEDeconstruct, Screeny, SDHash, Search my files, SecurityXploded PasswordSuite, SecurityXploded SpyDLLRemover, ShadowExplorer, SoftPerfect Network Scanner (x86/x64), Spartacus, SPLViewer, SQLite Database Browser, SSDeep, StreamFinder, SumatraPDF, Svchost Process Analyzer, System Scaner, TCHunt, Teracopy Portable, testdisk/photorec Win/Lin/Mac x86/x64, The Sleuth Kit (win32), Thumo, TightVNC, TrID (defs 31.10.2011), TrIDnet (defs 31.10.2011), Tuluka, Ultra File Search, Undelete 360, Universal Extractor, Universal Viewer Free, USB WriteProtector, Vidpreview, VLC Portable, WinAudit and WinAudit Unicode, Windows Forensic Toolchest, WipeDisk, XnView, ZeroView.
  3. BitPim is a program that allows you to view and manipulate data on many CDMA phones from LG, Samsung, Sanyo and other manufacturers. This includes the PhoneBook, Calendar, WallPapers, RingTones (functionality varies by phone) and the Filesystem for most Qualcomm CDMA chipset based phones.
  4. KeepNote is a note taking application that works on Windows, Linux, and MacOS X. With KeepNote, you can store your class notes, TODO lists, research notes, journal entries, paper outlines, etc in a simple notebook hierarchy with rich-text formatting, images, and more. Using full-text search, you can retrieve any note for later reference.
  5. Maltego is an open source intelligence (OSINT) and forensics application. It offers timely mining and gathering of information as well as the representation of this information in an easy-to-understand format.
  6. DFF (Digital Forensics Framework) is a simple but powerful tool with a flexible module system which will help you in your digital forensics work, including file recovery after error or crash, evidence research and analysis, etc. DFF provides a robust architecture and some handy modules.
  7. Description: Explore the internal file structure of your iPhone (or of a seized phone, in the case of forensic teams) using either the iPhone’s own backup files or (for jailbroken iPhones) SSH. Viewing of plist, SQLite and hex is supported. iOS 4 is now supported. Features: iPhone backup browsing; native file viewing (plist, SQLite, etc.); searching, including regular expressions; SSH access for jailbroken phones (beta); reports; restore files; recover backups; view all iPhone photos; examine address book, SMS and loads of others; find and recover passwords; export files to the local filesystem; online and offline mapping; geo-track where a device has been; iOS 4 and earlier versions supported.
  8. Welcome to the mini website of the THC Hydra project. Number one of the biggest security holes are passwords, as every password security study shows. Hydra is a parallelized login cracker which supports numerous protocols to attack. New modules are easy to add; besides that, it is flexible and very fast. Hydra was tested to compile on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1 and OSX, and is made available under GPLv3 with a special OpenSSL license expansion. Currently this tool supports: AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP. For HTTP, POP3, IMAP and SMTP, several login mechanisms like plain and MD5 digest etc. are supported. This tool is proof of concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized access from remote to a system. The program is maintained by van Hauser and David Maciejak.
  9. DART (Digital Advanced Response Toolkit) is a graphical user interface that handles, in a safe environment, the execution of “Incident Response” and Live Forensics tools.
  10. http://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/
  11. A virtual environment can be copied from machine to machine after the initial installation is completed. It is a completely self-contained environment and only requires VMware Player to be installed. Player is available for Windows, Linux, or Macintosh and virtual machines created in one environment can be copied to another one with no problem. These virtual environments can be compressed and sent to anyone else also running Player. They can also be used and then archived for later.
  12. sudo passwd: enter the new password, then enter it again. Log out as the user, then log in as “root” with the new password.
  13. Description: The Autopsy Forensic Browser is a graphical interface to the command line digital investigation analysis tools in Deft. Together, they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3). Deft and Autopsy are both Open Source and run on UNIX platforms (you can use Cygwin to run them both on Windows). As Autopsy is HTML-based, you can connect to the Autopsy server from any platform using an HTML browser. Autopsy provides a "File Manager"-like interface and shows details about deleted data and file system structures.
  Analysis Modes
  * A dead analysis occurs when a dedicated analysis system is used to examine the data from a suspect system. In this case, Autopsy and The Sleuth Kit are run in a trusted environment, typically in a lab. Autopsy and TSK support raw, Expert Witness, and AFF file formats.
  * A live analysis occurs when the suspect system is being analyzed while it is running. In this case, Autopsy and The Sleuth Kit are run from a CD in an untrusted environment. This is frequently used during incident response while the incident is being confirmed. After it is confirmed, the system can be acquired and a dead analysis performed.
  Evidence Search Techniques
  * File Listing: Analyze the files and directories, including the names of deleted files and files with Unicode-based names.
  * File Content: The contents of files can be viewed in raw, hex, or the ASCII strings can be extracted. When data is interpreted, Autopsy sanitizes it to prevent damage to the local analysis system. Autopsy does not use any client-side scripting languages. (Sleuth Kit Informer #1)
  * Hash Databases: Look up unknown files in a hash database to quickly identify them as good or bad. Autopsy uses the NIST National Software Reference Library (NSRL) and user created databases of known good and known bad files.
  * File Type Sorting: Sort the files based on their internal signatures to identify files of a known type. Autopsy can also extract only graphic images (including thumbnails). The extension of the file will also be compared to the file type to identify files that may have had their extension changed to hide them.
  * Timeline of File Activity: In some cases, having a timeline of file activity can help identify areas of a file system that may contain evidence. Autopsy can create timelines that contain entries for the Modified, Access, and Change (MAC) times of both allocated and unallocated files.
  * Keyword Search: Keyword searches of the file system image can be performed using ASCII strings and grep regular expressions. Searches can be performed on either the full file system image or just the unallocated space. An index file can be created for faster searches. Strings that are frequently searched for can be easily configured into Autopsy for automated searching.
  * Meta Data Analysis: Meta data structures contain the details about files and directories. Autopsy allows you to view the details of any meta data structure in the file system. This is useful for recovering deleted content. Autopsy will search the directories to identify the full path of the file that has allocated the structure.
  * Data Unit Analysis: Data units are where the file content is stored. Autopsy allows you to view the contents of any data unit in a variety of formats including ASCII, hexdump, and strings. The file type is also given and Autopsy will search the meta data structures to identify which has allocated the data unit.
  * Image Details: File system details can be viewed, including on-disk layout and times of activity. This mode provides information that is useful during data recovery.
  Case Management
  * Case Management: Investigations are organized by cases, which can contain one or more hosts. Each host is configured to have its own time zone setting and clock skew so that the times shown are the same as the original user would have seen. Each host can contain one or more file system images to analyze.
  * Event Sequencer: Time-based events can be added from file activity or IDS and firewall logs. Autopsy sorts the events so that the sequence of incident events can be more easily determined.
  * Notes: Notes can be saved on a per-host and per-investigator basis. These allow you to make quick notes about files and structures. The original location can be easily recalled with the click of a button when the notes are later reviewed. All notes are stored in an ASCII file.
  * Image Integrity: It is crucial to ensure that files are not modified during analysis. Autopsy, by default, will generate an MD5 value for all files that are imported or created. The integrity of any file that Autopsy uses can be validated at any time.
  * Reports: Autopsy can create ASCII reports for files and other file system structures. This enables you to quickly make consistent data sheets during the investigation.
  * Logging: Audit logs are created on a case, host, and investigator level so that actions can be easily recalled. The exact Sleuth Kit commands that are executed are also logged.
  * Open Design: The code of Autopsy is open source and all files that it uses are in a raw format. All configuration files are in ASCII text and cases are organized by directories. This makes it easy to export the data and archive it. It also does not restrict you from using other tools that may solve the specific problem more appropriately.
  * Client Server Model: Autopsy is HTML-based and therefore you do not have to be on the same system as the file system images. This allows multiple investigators to use the same server and connect from their personal systems.
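The “Timeline of File Activity” mode and the per-host time zone and clock skew settings described in this note, as an added example that is not Autopsy or Sleuth Kit code: Autopsy builds its timeline from Sleuth Kit body-format lines (fls/ils output, one file per line with atime, mtime, ctime and crtime) and hands them to mactime, which prints one row per distinct timestamp flagged m/a/c/b. The body lines below are constructed for the example (a document, a since-deleted executable in Temp, and its Prefetch file), not taken from a real case; the tz_offset_hours and clock_skew_seconds parameters are this example’s names for the host settings Autopsy exposes.

```python
"""MAC-time timeline from Sleuth Kit body-format lines (added example)."""
from datetime import datetime, timedelta, timezone

# Body format written by TSK 3.x: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime")
TIME_FLAGS = (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime"))

# Constructed sample: report accessed at the moment x.exe appears; x.exe runs
# 70 s later (Prefetch) and is later deleted, but its timestamps survive.
SAMPLE_BODY = """\
0|/Users/jdoe/Documents/report.docx|4081-128-1|r/rrwxrwxrwx|0|0|58211|1357862400|1357858800|1357858800|1357858800
0|/Users/jdoe/AppData/Local/Temp/x.exe (deleted)|5120-128-1|r/rrwxrwxrwx|0|0|73728|1357862460|1357862400|1357862400|1357862400
0|/Windows/Prefetch/X.EXE-1A2B3C4D.pf|5213-128-1|r/rrwxrwxrwx|0|0|4096|1357862470|1357862470|1357862470|1357862470
"""


def parse_body(text):
    """Parse body lines into dicts; unallocated entries carry fls's ' (deleted)' suffix."""
    entries = []
    for line in text.splitlines():
        parts = line.rstrip("\n").split("|")
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        e = dict(zip(FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            e[key] = int(e[key])
        e["deleted"] = e["name"].endswith(" (deleted)")
        entries.append(e)
    return entries


def build_timeline(entries, tz_offset_hours=0, clock_skew_seconds=0):
    """One row per distinct timestamp per file, flagged mactime-style ("macb",
    '.' where that time differs). tz_offset_hours renders times in the host's
    zone; clock_skew_seconds is how far the suspect clock ran ahead of true
    time and is subtracted before rendering."""
    tz = timezone(timedelta(hours=tz_offset_hours))
    rows = []
    for e in entries:
        by_time = {}
        for letter, key in TIME_FLAGS:
            if e[key] > 0:                           # 0 means "not set" in body files
                by_time.setdefault(e[key], set()).add(letter)
        for t, letters in by_time.items():
            flags = "".join(l if l in letters else "." for l, _ in TIME_FLAGS)
            when = datetime.fromtimestamp(t - clock_skew_seconds, tz)
            rows.append((when.strftime("%Y-%m-%d %H:%M:%S"), flags, e["size"], e["inode"], e["name"]))
    rows.sort(key=lambda r: (r[0], r[4]))
    return rows


if __name__ == "__main__":
    for when, flags, size, inode, name in build_timeline(parse_body(SAMPLE_BODY), tz_offset_hours=-5):
        print(f"{when}  {flags}  {size:>8}  {inode:<12}  {name}")
```

Reading the output top to bottom is the point of the exercise: a “.a..” on the document followed in the same second by “m.cb” on an executable in Temp, then a “macb” Prefetch entry, is the pattern an examiner would chase regardless of which tool drew the timeline.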
  14. Cygwin is:
  * a collection of tools which provide a Linux look and feel environment for Windows.
  * a DLL (cygwin1.dll) which acts as a Linux API layer providing substantial Linux API functionality.
  Cygwin is not:
  * a way to run native Linux apps on Windows. You must rebuild your application from source if you want it to run on Windows.
  * a way to magically make native Windows apps aware of UNIX® functionality like signals, ptys, etc. Again, you need to build your apps from source if you want to take advantage of Cygwin functionality.
  15. md5deep features:
  * Recursive operation: md5deep is able to recursively examine an entire directory tree. That is, compute the MD5 for every file in a directory and for every file in every subdirectory.
  * Comparison mode: md5deep can accept a list of known hashes and compare them to a set of input files. The program can display either those input files that match the list of known hashes or those that do not match. Hash sets can be drawn from Encase, the National Software Reference Library, iLook Investigator, Hashkeeper, md5sum, BSD md5, and other generic hash generating programs. Users are welcome to add functionality to read other formats too!
  * Time estimation: md5deep can produce a time estimate when it's processing very large files.
  * Piecewise hashing: hash input files in arbitrary sized blocks.
  * File type mode: md5deep can process only files of a certain type, such as regular files, block devices, etc.
  16-18. http://guymager.sourceforge.net/
  19-20. http://www.bitpim.org/
  21. http://www.wireshark.org/ Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998. Wireshark has a rich feature set which includes the following:
  * Deep inspection of hundreds of protocols, with more being added all the time
  * Live capture and offline analysis
  * Standard three-pane packet browser
  * Multi-platform: runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
  * Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
  * The most powerful display filters in the industry
  * Rich VoIP analysis
  * Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
  * Capture files compressed with gzip can be decompressed on the fly
  * Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
  * Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
  * Coloring rules can be applied to the packet list for quick, intuitive analysis
  * Output can be exported to XML, PostScript®, CSV, or plain text
  22. WIRESHARK Basics:
Ask for your neighbor's IP address and jot it down here: _______________________
Bring up Wireshark.

Lab #1 – Looking at everything on the network
 1. Select Capture → Options
   a. Is the interface set to 'eth0'?
   b. Verify these are checked:
      Update list of packets in real time
      Automatic scrolling in live capture
      Enable MAC name resolution
      Enable network name resolution
      Enable transport name resolution
   c. Let it run for 1-2 minutes
   d. What protocols are being used? (Example: UDP? ARP? IPX? Other?)
   e. Select [STOP] when done
   f. What do you see?

Lab #2 – Looking only at a specific workstation
 1. Select Capture → Options
   a. Is the interface set to 'eth0'?
   b. Verify these are checked:
      Update list of packets in real time
      Automatic scrolling in live capture
      Enable MAC name resolution
      Enable network name resolution
      Enable transport name resolution
 2. Select CAPTURE, then CAPTURE FILTERS
 3. Select NEW, enter the FILTER NAME (your neighbor's name, maybe?)
 4. In the FILTER STRING, type: host <your neighbor's IP address>
    Example: host 192.168.1.1
 5. Ask your neighbor to go to a few websites, check e-mail, ftp, etc.
 6. Let Wireshark run for 4-5 minutes
 7. Select SAVE, then CLOSE
 8. What protocols are being used? (Example: UDP? ARP? IPX? Other?)
 9. Select [STOP] when done

Lab #3: Now that you have the basics, set up four more filters to do the following:
 * Capture only DNS traffic – filter: port 53
 * Capture only IP traffic – filter: ip
 * Capture only web traffic – filter: port 80
 * Capture only unicast traffic – useful to get rid of noise on the network if you only want to see traffic to and from your machine, not, for example, broadcast and multicast announcements – filter: not broadcast and not multicast

Optional: Additional Wireshark capture filter strings
(Wireshark capture filters use libpcap/BPF syntax; hex EtherType values need the 0x prefix, and UDP is IP protocol 17.)
 ARP – filter string: ether proto 0x0806
 IP(v4) – filter string: ether proto 0x0800
 ICMP – filter string: ip proto 1
 TCP – filter string: ip proto 6
 UDP – filter string: ip proto 17
 FTP (data) – filter string: tcp port 20
 FTP (control) – filter string: tcp port 21
 SSH – filter string: tcp port 22
 TELNET – filter string: tcp port 23
 SMTP – filter string: tcp port 25
 DNS – filter string: udp port 53
 HTTP – filter string: tcp port 80
 NETBIOS Name Service – filter string: udp port 137
 NETBIOS Datagram – filter string: udp port 138
 NETBIOS Session – filter string: tcp port 139
 IMAP – filter string: tcp port 143
 SNMP – filter string: udp port 161
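To make the capture filter strings in the lab concrete, the following added example (not part of the original handout, and not Wireshark's or libpcap's own code) decodes a handful of constructed Ethernet frames just far enough (Ethernet II header, IPv4 header, TCP/UDP ports) to evaluate by hand which of the filters above would capture each one. The sample MAC addresses, IP addresses and port numbers are made up for the demonstration; the `host` predicate is simplified to IPv4 addresses only, whereas real BPF `host` also matches addresses carried inside ARP packets.

```python
"""Toy evaluator for the Wireshark/tcpdump capture filters used in the lab.
Constructed frames are decoded only as far as the filters need (Ethernet II,
IPv4, TCP/UDP ports).  Added example; Wireshark does the real work in libpcap."""
import socket
import struct

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17   # UDP is protocol 17


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def ethernet(dst, src, ethertype, payload):
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def ipv4(proto, src, dst, payload):
    # Minimal 20-byte header; checksum left as 0 because no filter here reads it.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp_syn(sport, dport):
    # 20-byte TCP header with only the SYN flag set, no options or data.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def parse_frame(frame):
    """Decode the fields the capture filters look at; returns a dict."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    pkt = {"ethertype": ethertype,
           "broadcast": dst == b"\xff" * 6,
           "multicast": bool(dst[0] & 1)}      # group bit, as BPF 'multicast' tests
    if ethertype == ETHERTYPE_IPV4:
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4                # header length in bytes
        pkt.update(ip_proto=ip[9],
                   src_ip=socket.inet_ntoa(ip[12:16]),
                   dst_ip=socket.inet_ntoa(ip[16:20]))
        if pkt["ip_proto"] in (IPPROTO_TCP, IPPROTO_UDP):
            pkt["ports"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return pkt


def _port(pkt, n, protos=(IPPROTO_TCP, IPPROTO_UDP)):
    return pkt.get("ip_proto") in protos and n in pkt.get("ports", ())


# Filter strings from the handout and the predicate each one evaluates.
# Simplification: 'host' only looks at IPv4 addresses here (real BPF also
# matches the sender/target addresses inside ARP packets).
FILTERS = {
    "ether proto 0x0806": lambda p: p["ethertype"] == ETHERTYPE_ARP,
    "ip": lambda p: p["ethertype"] == ETHERTYPE_IPV4,
    "ip proto 1": lambda p: p.get("ip_proto") == IPPROTO_ICMP,
    "ip proto 6": lambda p: p.get("ip_proto") == IPPROTO_TCP,
    "ip proto 17": lambda p: p.get("ip_proto") == IPPROTO_UDP,
    "port 53": lambda p: _port(p, 53),
    "port 80": lambda p: _port(p, 80),
    "tcp port 22": lambda p: _port(p, 22, (IPPROTO_TCP,)),
    "host 192.168.1.1": lambda p: "192.168.1.1" in (p.get("src_ip"), p.get("dst_ip")),
    "not broadcast and not multicast": lambda p: not p["broadcast"] and not p["multicast"],
}


def matching_filters(frame):
    """Names of every filter in FILTERS that would capture this frame."""
    pkt = parse_frame(frame)
    return [name for name, pred in FILTERS.items() if pred(pkt)]


# Constructed sample traffic: locally administered MACs, private/TEST-NET IPs.
BCAST, MDNS = mac("ff:ff:ff:ff:ff:ff"), mac("01:00:5e:00:00:fb")
HOST_A, HOST_B = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:02")
SAMPLE_FRAMES = {
    "arp_request": ethernet(BCAST, HOST_A, ETHERTYPE_ARP, bytes(28)),
    "dns_query": ethernet(HOST_B, HOST_A, ETHERTYPE_IPV4,
                          ipv4(IPPROTO_UDP, "192.168.1.1", "192.168.1.53",
                               udp(51234, 53, bytes(12)))),
    "http_syn": ethernet(HOST_B, HOST_A, ETHERTYPE_IPV4,
                         ipv4(IPPROTO_TCP, "192.168.1.7", "203.0.113.10",
                              tcp_syn(40000, 80))),
    "icmp_echo": ethernet(HOST_B, HOST_A, ETHERTYPE_IPV4,
                          ipv4(IPPROTO_ICMP, "192.168.1.1", "192.168.1.7",
                               struct.pack("!BBHHH", 8, 0, 0, 1, 1))),
    "mdns": ethernet(MDNS, HOST_A, ETHERTYPE_IPV4,
                     ipv4(IPPROTO_UDP, "192.168.1.7", "224.0.0.251",
                          udp(5353, 5353, b""))),
}

if __name__ == "__main__":
    for name, fr in SAMPLE_FRAMES.items():
        print(f"{name:12s} -> {matching_filters(fr)}")
```

Running it shows why the `not broadcast and not multicast` filter from Lab #3 drops both the ARP broadcast and the mDNS announcement while keeping the unicast DNS, HTTP and ICMP traffic, and why `ip proto 17` (not 11) is the string that selects UDP.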
  23. http://www.paterva.com/web5/
  24. $ /usr/sbin/john --test
      $ /usr/sbin/john password.txt
  25. http://compsec.org/security/index.php/password-recovery-and-crackers/64-password-recovery-and-crackers-thc-hydra.html
      http://sectools.org/tag/crackers/
  26. http://compsec.org/security/index.php/password-recovery-and-crackers/64-password-recovery-and-crackers-thc-hydra.html
      http://sectools.org/tag/crackers/
  27. http://download.cnet.com/KeepNote/3000-2076_4-204158.html