Computer Forensic Analysis

apatheticyogurt

Dec 13, 2013

COEN 152/252

Computer Forensics

Open Source Forensic Tools

The Beginning


The Coroner's Toolkit (TCT)

collection of programs by Dan Farmer and Wietse Venema for a post-mortem analysis of a UNIX system after a break-in

presented first in a Computer Forensics Analysis class in August 1999

http://www.porcupine.org/forensics/tct.html

Notable TCT components:

grave-robber - captures information
ils & mactime - display access patterns of files, dead or alive
unrm and lazarus - recover deleted files
findkey - recovers cryptographic keys from a running process or from files

Warning: TCT can spend a lot of time collecting data

Good reference article:
http://www.sans.org/reading_room/whitepapers/incident/coroners-toolkit-in-depth_651

TCT

Additional Info

Installing The Coroner's Toolkit and using the mactime utility - http://www.cse.sc.edu/~okeefe/tutorials/cert/i046.01.html

Harvesting information with grave-robber - http://www.cse.sc.edu/~okeefe/tutorials/cert/i046.02.html

Rescuing files with lazarus - http://www.cse.sc.edu/~okeefe/tutorials/cert/i046.03.html


TCT Successor

The Sleuth Kit (TSK)

http://www.sleuthkit.org/sleuthkit/

Allows examination of DOS, BSD, Mac, Sun, GPT partitions & disks.
Includes the Autopsy Forensic Browser as a graphical analysis tool
Supports integration with SQLite database
Analyzes: dd, .E01, .AFF disk images
Can be run on live Windows systems for incident response

Penguin Sleuth Kit

http://www.linux-forensics.com/

Base Package:

Gentoo Linux 2.6 Kernel - Optimized for Forensics Use
XFCE - GUI
Apache2 - Server
Mysql PHP4
Open Office
Gimp - Graphics Program
KSnapshot - Screen Capture Program
Mozilla
Gnome CD Master
K3b - CD Burner
XMMS - media player
Porthole - Gentoo Graphics Package Manager
Karchiver - GZip GUI

Penguin Sleuth Kit

Forensics Tools:

Sleuth Kit - Forensics Kit
PyFlag - Forensics Browser
Autopsy - Forensics Browser for Sleuth Kit
dcfldd - DD Imaging Tool, command line tool; also works with AIR
foremost - Data Carver command line tool
Air - Forensics Imaging GUI
md5deep - MD5 Hashing Program
netcat - Command Line
cryptcat - Command Line
NTFS-Tools
qtparted - GUI Partitioning Tool
regviewer - Windows Registry Viewer

Penguin Sleuth Kit

Security Tools:

Etherape - GUI Network Traffic Monitor
ClamAV - Anti Virus
snort - Command Line
John the Ripper - Command Line password cracker
rkhunter - Command Line
Ethereal - Network Traffic Analyzer
FWBuilder - GUI Firewall App
nessus - network scanner

Knoppix

http://www.knoppix.org/

compilation of GNU/Linux software, run completely from CD, DVD or flash disk

automatically detects and supports a wide range of graphics adapters, sound cards, USB devices and other peripheral devices

Included Software:

CD Version

LXDE as the standard desktop
Open Office
the Firefox WWW browser
GNU Image Manipulation Program GIMP
MPlayer Multimedia System
Internet-access software for (W)LAN, modem, isdn, umts/gprs
Tools for data rescue, network analysis and system repair

Knoppix

Included Software:

DVD Version

The DVD version contains additional software packages for office productivity as well as software development and engineering (various programming languages and development environments), education and gaming.

More detail:
http://www.knopper.net/knoppix-info/knoppix-reloaded-2004-screen.pdf

Helix

http://www.e-fense.com/products.php

Originally open source; older .iso images can still be located

Current - Helix 3 Pro & Enterprise versions

Tools:

Sleuthkit
LinEn
Libewf + mount_ewf
Carvfs
cryptsetup
Truecrypt
lvm2
Scalpel
Foremost
LibPff
Volatility plus many plugins
moto4lin
gmobilemedia
gammu
gnokii
frag_find
pythonraw
ptfinder

Back Track 4

http://www.remote-exploit.org/backtrack.html

linux live distribution focused on penetration testing

based on a Slackware linux distribution (www.slax.org)

300 different up-to-date tools which are logically structured according to the work flow of security professionals

Wiki Tutorial:
http://wiki.remote-exploit.org/backtrack/

Tool List:
http://wiki.remote-exploit.org/backtrack/wiki/Alphabetical



http://www.lnx4n6.be/

Belgian Federal Computer Crime Unit (FCCU)

based on the KNOPPIX Live CD version 4.02 by Klaus Knopper

“The main purpose of the CD : help the forensic analyze of computers”

Selected Tool List:

Forensic acquisition :

dd : tool to make bit to bit copies and backups
dd_rescue : more or less the same as dd but handles disk errors
dd_rhelp : a script to facilitate the use of dd_rescue
dcfldd : tool to make bit to bit copies
AFFLIB : Advanced Forensic Format tools
sdd : a dd clone specialized in tapes
AIR : A graphical frontend for dd and dcfldd

FCCU Tools

cont.

Forensic analysis :

Sleuthkit/Autopsy : tool to find deleted files (and many more features)
Galetta : a ms-windows cookies analyzer
Pasco : a ms-windows IExplorer cache analyzer
Rifiuti : a ms-windows trashcan analyzer
mork.pl : perl script to read firefox history.dat
cookie_cruncher.pl : a tool to parse cookies
dumpster_dive.pl : a tool to read m$ recycle bin files
browser-history-viewer : as the name says

FCCU Tools

cont.

Pictures tools :

FBI : tool to view images in console mode
exiftags : a tool to extract exif information from jpeg files
exif : another one
metacam : a third one
jhead : a fourth one
dcraw : a tool to read raw photo images from digital cameras
jpeginfo : a tool to view jpeg file information
recoverPhotos : another image recovery tool
exifprobe : another exif extractor

FCCU Tools

cont.

Password cracker :

cmospwd : a tool to recover cmos passwords
pwl : a tool to crack win 9x pwl files
John the ripper : a password cracker for unixes, and win nt, 2k and xp passwords
lcrack : lepton cracker
chntpw : a tool to help cracking NT passwords
crack : a password cracker
samdump : a tool to extract password hashes from MS Windows registry files
bkhive : a tool to extract Syskey bootkey from MS Windows system hive file
pgpcrack : a pgp brute force attacker
nasty : a tool to try to recover PGP or GPG passphrases
fcrackzip : a zip file password cracker
medussa : a distributed password cracker

FCCU Tools

cont.

Crypto/Stegano tools :

cryptcat : an encrypted version of netcat
outguess : a stegano tool
stegdetect : a tool to detect stegano
bcrypt : crypto utility
ccrypt : an encryption/decryption tool

Network :

RIP and PXE boot : A complete system for large network keyword search
sbd : a netcat like utility with encryption support
smbc : samba commander
p0f : A passive OS fingerprinting tool
arping : a ping utility
ngrep : grep utility for network packets
netwox : a toolbox with more than 200 network tools
sshfs : a filesystem client based on ssh
lft : a traceroute tool
socat : a netcat like tool
netdiscover : a tool to discover networks
mimms : download mms streams
weplab : a wep security analyzer
netsed : network stream altering tool

FCCU Tools

cont.

MS files tools :

Galetta : a ms-windows cookies analyzer
Pasco : a ms-windows IExplorer cache analyzer
Rifiuti : a ms-windows trashcan analyzer
readpst : a tool to read ms-Outlook pst files
antiword : a tool to read ms-Word files
mdbtools : playing with MS mdb access databases
ripole : A tool to rip attachments from MS files
tnef : A tool to decode MS encapsulation format
fccu-docprop : a tool to read MS OLE files (mainly doc, xls) properties
fccu.evtreader : a tool to parse MS evt log files
reglookup : MS windows registry viewer
grokevt : An MS win event log viewer with dll message import
eindeutig : read and convert dbx files
clit : convert MS e-books
cookie_cruncher.pl : a tool to parse cookies
dumpster_dive.pl : a tool to read m$ recycle bin files
mscompress : Decompress files compressed with compress.exe

Tutorial
http://www.lnx4n6.be/Downloads/hacklu.pdf


Operator 3.3.2.0

http://www.ussysadmin.com/operator/

Debian based Linux Installation

Linux-Kernel 2.4.31
KDE V3.3.2-1
wine Windows Emulator (Binary Emulator)
Konqueror and Mozilla Firebird Web Browsers
Koffice which includes korganizer, kword, kspread and more
X Multimedia System (xmms) an MPEG-video, MP3
Internet connection software kppp, pppoeconf (DSL)
utilities for data recovery, system repairs, even for other operating systems
network and security analysis tools for network administrators
many programming languages, development tools
in total more than 900 installed software packages with over 2000 executable user programs and utilities
100+ Unix/Windows Exploits and Tools ready to run

grml

grml.org/

bootable live system (Live-CD) based on Debian

collection of GNU/Linux software especially for system administrators and users of texttools

use Grml as a:

rescue system
for analyzing systems/networks
a working environment

Contains:

sysadmin's favourite tools
security & network-related software
data recovery & forensic-tools
editors, shells, & many texttools

Flavors:

grml, grml-medium & grml-small
x86 & amd64 versions


Additional Resources

Blogs:

Dancho Danchev's Blog
http://ddanchev.blogspot.com/

Forensic Cop
http://forensiccop.blogspot.com/

Forensic Focus Blog
http://www.forensicfocus.com/computer-forensics-blog

int for(ensic){blog;}
http://computer.forensikblog.de/en/

ForensicKB
http://www.forensickb.com/

SANS Institute Computer Forensic Blog
https://blogs.sans.org/computer-forensics/


Additional Resources

Wiki:

Forensics Wiki
http://www.forensicswiki.org/wiki/Main_Page

Web sites:

DFRWS - Digital Forensic Research Workshop - http://www.dfrws.org/
Security Focus - http://www.securityfocus.com/
Scientific Literature Digital Library - http://citeseer.ist.psu.edu/
KnujOn (nûj-ôn) - http://www.knujon.com/index.html
e-Discovery Team - http://ralphlosey.wordpress.com/
The Dark Visitor - http://www.thedarkvisitor.com/
Acronym Finder - http://www.acronymfinder.com/
Bastard Sons of Dial-Up - http://www.bsodtv.org/
Tor: anonymity online - http://www.torproject.org/