The “DEFT team” (formed by the Author, Massimiliano Dal Cero, Sandro Rossetti, Paolo Dal Checco, Davide “Rebus” Gabrini, Emanuele Gentili, Meo Bogliolo, Marco Giorgi and Valerio Leomporra)
What is in it?
DEFT Linux 7 most important packet list:
* Libewf 20100226
* Afflib 3.6.14
* TSK 3.2.3
* Autopsy 2.24
* Digital Forensic Framework 1.2
* PTK Forensic 1.0.5 DEFT edition
* Pyflag
* Maltego CE
* KeepNote 0.7.6
* Mobius Forensic
* Xplico 0.7.1
* Scalpel 2
* Hunchbackeed Foremost 0.6
* Findwild 1.3
* Bulk Extractor 1.1
* Dropbox Reader
* Emule Forensic 1.0
* Guymager 0.6.3-1
* Dhash 2
* Cyclone wizard acquire tool
* Ipddump
* Iphone Analyzer
* Iphone backup analyzer
* SQLite Database Browser 2.0b1
* BitPim 1.0.7
* Bbwhatsapp database converter
* Reggripper
* Creepy 0.1.9
* Hydra 7.1
* Log2timeline 0.60
* Wine 1.3.28
DART packet list:
* 7zip
* Advanced Password Recovery
* AviScreen
* BlackBag IOReg Info
* BlackBag PMAP Info
* CamStudio
* ClamWin
* ConTools
* Database Browser
* dcfldd (for Windows)
* DeepBurner
* DiskDigger
* Don’t Sleep
* DriveMan
* EMFSpoolViewer
* Emule MET viewer
* Eraser Portable
* f3e
* FastStone Viewer
* FATwalker
* FAU x64
* FAU x86
* FileAlyzer 2
* FileInfo
* fmem
* FSV Thumbs Extractor
* FTK Imager
* FTK Imager CLI (Win, Linux, Mac)
* GMER
* Gsplit
* Harvester
* HDDRawCopy
* Historian
* HWiNFO
* HWiNFO32 and HWiNFO64
* HxD
* ICESword
* index.dat Analyzer
* IrfanView (with plugins)
* JAD EDD
* JAD Facebook JPG Finder
* Jam-Software Treesize
* Jam-Software UltraSearch
* JPEGsnoop
* LAN Search Pro 32/64
* Lime Juicer
* LimeWire Library Parser v4 and v5
* Lnkexaminer
* ltfviewer
* Mail-Cure for Outlook Express
* Mandiant Audit Viewer
* Mandiant Memoryze
* Mandiant RestorePointAnalyzer
* Mandiant Web Historian
* md5deep for Windows
* md5summer
* MDD
* MediaPlayerClassic (x86/x64)
* Mitec Mail Viewer
* MiTec Structured Storage Viewer
* Mitec Windows File Analyzer
* Mitec Windows Registry Rescue
* NetSetMan
* Nigilant32
* Nirsoft Access PassView
* Nirsoft AlternateStreamView
* Nirsoft Asterisk Logger
* Nirsoft AsterWin
* Nirsoft AsterWin IE
* Nirsoft Bluetooth Viewer
* Nirsoft BulletsPassView x86 and x64
* Nirsoft ChromeCacheView
* Nirsoft ChromeCookiesView
* Nirsoft ChromeHistoryView
* Nirsoft ChromePass
* Nirsoft CurrPorts x86 and x64
* Nirsoft CurrProcess
* Nirsoft Dialupass
* Nirsoft Enterprise Manager PassView
* Nirsoft FirefoxDownloadsView
* Nirsoft FlashCookiesView
* Nirsoft FoldersReport
* Nirsoft HashMyFiles
* Nirsoft IE Cache View
* Nirsoft IE Cookies View
* Nirsoft IE History View
* Nirsoft IE PassView
* Nirsoft InsideClipboard
* Nirsoft LiveContactsView
* Nirsoft LSASecretsDump x86 and x64
* Nirsoft LSASecretsView x86 and x64
* Nirsoft Mail PassView
* Nirsoft MessenPass
* Nirsoft Mozilla Cache View
* Nirsoft Mozilla Cookies View
* Nirsoft Mozilla History View
* Nirsoft MUICacheView
* Nirsoft MyEventViewer (also x64)
* Nirsoft MyLastSearch
* Nirsoft NetResView
* Nirsoft Netscapass
* Nirsoft Network Password Recovery x86 and x64
* Nirsoft OpenedFilesView (also x64)
* Nirsoft OperaCacheView
* Nirsoft OperaPassView
* Nirsoft OutlookAttachView (also x64)
* Nirsoft PasswordFox
* Nirsoft PCAnywhere PassView
* Nirsoft ProcessActivityView
* Nirsoft Protected Storage PassView
* Nirsoft PstPassword
* Nirsoft RecentFilesView
* Nirsoft RegScanner (also x64 and win98)
* Nirsoft Remote Desktop PassView
* Nirsoft Safari Cache View
* Nirsoft ServiWin
* Nirsoft SkypeLogView
* Nirsoft SmartSniff (x86 and x64)
* Nirsoft StartupRun
* Nirsoft USBDeview x86 and x64
* Nirsoft UserAssistView
* Nirsoft UserProfilesView
* Nirsoft VideoCacheView
* Nirsoft VNCPassView
* Nirsoft WebBrowserPassView
* Nirsoft WhatInStartup
* Nirsoft Win9x PassView
* Nirsoft WinPrefetchView
* Nirsoft Wireless Network View
* Nirsoft WirelessKeyView x86 and x64
* Notepad++ (with Hexedit and LightExplorer)
* NTFSwalker
* On-screen keyboard
* OTFE Volume File Finder
* PC On/Off Time
* Photostudio
* pre-search
* ProDiscover Basic Free
* Props
* QCC FragView
* QCC Gigaview
* QCC VideoTriage
* RefWolf Prefetch-Parser
* Registry Decoder Live 32/64
* Registry Report
* RegRipper Plugin
* RHash
* RootRepeal
* Sanderson Forensic Copy
* Sanderson Forensic Image Viewer
* Sanderson List Codecs
* Sanderson OLEDeconstruct
* Screeny
* SDHash
* Search my files
* SecurityXploded PasswordSuite
* SecurityXploded SpyDLLRemover
* ShadowExplorer
* SoftPerfect Network Scanner (x86/x64)
* Spartacus
* SPLViewer
* SQLite Database Browser
* SSDeep
* StreamFinder
* SumatraPDF
* Svchost Process Analyzer
* System Scaner
* TCHunt
* Teracopy Portable
* testdisk/photorec Win/Lin/Mac x86/x64
* The Sleuth Kit (win32)
* Thumo
* TightVNC
* TrID (defs 31.10.2011)
* TrIDnet (defs 31.10.2011)
* Tuluka
* Ultra File Search
* Undelete 360
* Universal Extractor
* Universal Viewer Free
* USB WriteProtector
* Vidpreview
* VLC Portable
* WinAudit and WinAudit Unicode
* Windows Forensic Toolchest
* WipeDisk
* XnView
* ZeroView
BitPim is a program that allows you to view and manipulate data on many CDMA phones from LG, Samsung, Sanyo and other manufacturers. This includes the PhoneBook, Calendar, WallPapers, RingTones (functionality varies by phone) and the Filesystem for most Qualcomm CDMA chipset based phones.
KeepNote is a note taking application that works on Windows, Linux, and MacOS X. With KeepNote, you can store your class notes, TODO lists, research notes, journal entries, paper outlines, etc in a simple notebook hierarchy with rich-text formatting, images, and more. Using full-text search, you can retrieve any note for later reference.
Maltego is an open source intelligence and forensics application. It offers timely mining and gathering of information as well as the representation of this information in an easy to understand format.
DFF (Digital Forensics Framework) is a simple but powerful tool with a flexible module system that helps with digital forensics work, including recovery of files lost to error or crash, evidence research and analysis, and more. DFF provides a robust architecture and some handy modules.
Description: Explore the internal file structure of your iPhone (or of a seized phone, in the case of forensic teams) using either the iPhone's own backup files or (for jailbroken iPhones) SSH. Viewing of plist, SQLite and hex is supported. iOS 4 and earlier versions are supported.
Features:
* iPhone backup browsing
* Native file viewing (plist, SQLite, etc.)
* Searching, including regular expressions
* SSH access for jailbroken phones (beta)
* Reports
* Restore files
* Recover backups
* View all iPhone photos
* Examine address book, SMS and loads of others
* Find and recover passwords
* Export files to the local filesystem
* Online and offline mapping
* Geo-track where a device has been
Welcome to the mini website of the THC Hydra project. Passwords are one of the biggest security holes, as every password security study shows. Hydra is a parallelized login cracker which supports numerous protocols to attack. New modules are easy to add; besides that, it is flexible and very fast.
Hydra was tested to compile on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1 and OSX, and is made available under GPLv3 with a special OpenSSL license expansion.
Currently this tool supports: AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
For HTTP, POP3, IMAP and SMTP, several login mechanisms like plain and MD5 digest etc. are supported.
This tool is proof of concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized remote access to a system. The program is maintained by van Hauser and David Maciejak.
DART (Digital Advanced Response Toolkit) is a graphical user interface that handles, in a safe environment, the execution of “Incident Response” and Live Forensics tools.
A virtual environment can be copied from machine to machine after the initial installation is completed. It is a completely self-contained environment and only requires VMware Player to be installed. Player is available for Windows, Linux, or Macintosh and virtual machines created in one environment can be copied to another one with no problem. These virtual environments can be compressed and sent to anyone else also running Player. They can also be used and then archived for later.
Enabling the root login: open a terminal and run
sudo passwd
Enter the new password, then enter it again. Log out as the normal user and log in as “root” with the new password. (With no user argument, passwd acts on the account it runs as, which under sudo is root, so this sets root's password rather than your own.)
Description
The Autopsy Forensic Browser is a graphical interface to the command line digital investigation analysis tools (The Sleuth Kit, TSK) shipped in Deft. Together, they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3). Deft and Autopsy are both Open Source and run on UNIX platforms (you can use Cygwin to run Autopsy and The Sleuth Kit on Windows). As Autopsy is HTML-based, you can connect to the Autopsy server from any platform using an HTML browser. Autopsy provides a "File Manager"-like interface and shows details about deleted data and file system structures.
Analysis Modes
* A dead analysis occurs when a dedicated analysis system is used to examine the data from a suspect system. In this case, Autopsy and The Sleuth Kit are run in a trusted environment, typically in a lab. Autopsy and TSK support raw, Expert Witness, and AFF file formats.
* A live analysis occurs when the suspect system is being analyzed while it is running. In this case, Autopsy and The Sleuth Kit are run from a CD in an untrusted environment. This is frequently used during incident response while the incident is being confirmed. After it is confirmed, the system can be acquired and a dead analysis performed.
Evidence Search Techniques
* File Listing: Analyze the files and directories, including the names of deleted files and files with Unicode-based names.
* File Content: The contents of files can be viewed in raw or hex form, or the ASCII strings can be extracted. When data is interpreted, Autopsy sanitizes it to prevent damage to the local analysis system. Autopsy does not use any client-side scripting languages. (Sleuth Kit Informer #1)
* Hash Databases: Look up unknown files in a hash database to quickly identify them as good or bad. Autopsy uses the NIST National Software Reference Library (NSRL) and user created databases of known good and known bad files.
* File Type Sorting: Sort the files based on their internal signatures to identify files of a known type. Autopsy can also extract only graphic images (including thumbnails). The extension of the file is also compared to the file type to identify files that may have had their extension changed to hide them.
* Timeline of File Activity: In some cases, having a timeline of file activity can help identify areas of a file system that may contain evidence. Autopsy can create timelines that contain entries for the Modified, Access, and Change (MAC) times of both allocated and unallocated files.
* Keyword Search: Keyword searches of the file system image can be performed using ASCII strings and grep regular expressions. Searches can be performed on either the full file system image or just the unallocated space. An index file can be created for faster searches. Strings that are frequently searched for can be easily configured into Autopsy for automated searching.
* Meta Data Analysis: Meta data structures contain the details about files and directories. Autopsy allows you to view the details of any meta data structure in the file system. This is useful for recovering deleted content. Autopsy will search the directories to identify the full path of the file that has allocated the structure.
* Data Unit Analysis: Data units are where the file content is stored. Autopsy allows you to view the contents of any data unit in a variety of formats including ASCII, hexdump, and strings. The file type is also given and Autopsy will search the meta data structures to identify which has allocated the data unit.
* Image Details: File system details can be viewed, including on-disk layout and times of activity. This mode provides information that is useful during data recovery.
Case Management
* Case Management: Investigations are organized by cases, which can contain one or more hosts. Each host is configured to have its own time zone setting and clock skew so that the times shown are the same as the original user would have seen. Each host can contain one or more file system images to analyze.
* Event Sequencer: Time-based events can be added from file activity or IDS and firewall logs. Autopsy sorts the events so that the sequence of incident events can be more easily determined.
* Notes: Notes can be saved on a per-host and per-investigator basis. These allow you to make quick notes about files and structures. The original location can be easily recalled with the click of a button when the notes are later reviewed. All notes are stored in an ASCII file.
* Image Integrity: It is crucial to ensure that files are not modified during analysis. Autopsy, by default, will generate an MD5 value for all files that are imported or created. The integrity of any file that Autopsy uses can be validated at any time. (MD5 still detects accidental modification, but it is no longer collision resistant; record a SHA-256 of each image as well if the chain of custody may be challenged.)
* Reports: Autopsy can create ASCII reports for files and other file system structures. This enables you to quickly make consistent data sheets during the investigation.
* Logging: Audit logs are created on a case, host, and investigator level so that actions can be easily recalled. The exact Sleuth Kit commands that are executed are also logged.
* Open Design: The code of Autopsy is open source and all files that it uses are in a raw format. All configuration files are in ASCII text and cases are organized by directories. This makes it easy to export the data and archive it. It also does not restrict you from using other tools that may solve the specific problem more appropriately.
* Client Server Model: Autopsy is HTML-based and therefore you do not have to be on the same system as the file system images. This allows multiple investigators to use the same server and connect from their personal systems.
Cygwin:
Cygwin is:
* a collection of tools which provide a Linux look and feel environment for Windows.
* a DLL (cygwin1.dll) which acts as a Linux API layer providing substantial Linux API functionality.
Cygwin is not:
* a way to run native Linux apps on Windows. You must rebuild your application from source if you want it to run on Windows.
* a way to magically make native Windows apps aware of UNIX® functionality like signals, ptys, etc. Again, you need to build your apps from source if you want to take advantage of Cygwin functionality.
md5deep features:
* Recursive operation: md5deep is able to recursively examine an entire directory tree. That is, compute the MD5 for every file in a directory and for every file in every subdirectory.
* Comparison mode: md5deep can accept a list of known hashes and compare them to a set of input files. The program can display either those input files that match the list of known hashes or those that do not match. Hash sets can be drawn from Encase, the National Software Reference Library, iLook Investigator, Hashkeeper, md5sum, BSD md5, and other generic hash generating programs. Users are welcome to add functionality to read other formats too!
* Time estimation: md5deep can produce a time estimate when it's processing very large files.
* Piecewise hashing: hash input files in arbitrary sized blocks.
* File type mode: md5deep can process only files of a certain type, such as regular files, block devices, etc.
http://www.wireshark.org/
Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.
Wireshark has a rich feature set which includes the following:
* Deep inspection of hundreds of protocols, with more being added all the time
* Live capture and offline analysis
* Standard three-pane packet browser
* Multi-platform: runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
* Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
* The most powerful display filters in the industry
* Rich VoIP analysis
* Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
* Capture files compressed with gzip can be decompressed on the fly
* Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
* Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
* Coloring rules can be applied to the packet list for quick, intuitive analysis
* Output can be exported to XML, PostScript®, CSV, or plain text
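The timeline and case-management notes above describe what Autopsy does with MAC times, the per-host time zone and the clock skew value, but not how the pieces combine. The following is an added example, not Autopsy or Sleuth Kit code: it takes constructed per-file timestamps (a stand-in for what fls/mactime would pull from an image), merges them into one event list with mactime-style "m.c" flags, renders each event in the suspect host's time zone and corrects for clock skew. The sign convention is an assumption made for this example: the skew is the number of seconds the suspect's clock ran ahead of true time, so it is subtracted.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample metadata, as a dead analysis might pull it from an image:
# (path, mtime, atime, ctime, deleted) with times as UTC epoch seconds.
SAMPLE_FILES = [
    ("C:/Users/bob/Documents/plan.docx", 1700000000, 1700003600, 1700000000, False),
    ("C:/Users/bob/AppData/Local/Temp/x.tmp", 1699999000, 1699999000, 1699999000, True),
    ("C:/Windows/System32/evil.dll", 1700001800, 1700001800, 1700002000, False),
]


def build_timeline(entries, tz_offset_hours=0, clock_skew_seconds=0):
    """Turn per-file M/A/C timestamps into one event list sorted by time.

    tz_offset_hours: the suspect host's time zone, so the output reads the way
      the user saw it (Autopsy configures this per host).
    clock_skew_seconds: how far the suspect's clock was AHEAD of true time
      (assumed sign convention for this example); it is subtracted.
    Returns (iso_time, "mac"-style flags, path) tuples, e.g. ("...", "m.c", p),
    where a dot means that timestamp did not fall on this second.
    """
    events = {}
    for path, mtime, atime, ctime, deleted in entries:
        label = path + (" (deleted)" if deleted else "")
        for flag, t in (("m", mtime), ("a", atime), ("c", ctime)):
            events.setdefault((t, label), set()).add(flag)
    tz = timezone(timedelta(hours=tz_offset_hours))
    timeline = []
    for (t, label), flags in sorted(events.items()):
        when = datetime.fromtimestamp(t - clock_skew_seconds, tz).isoformat()
        mac = "".join(f if f in flags else "." for f in "mac")
        timeline.append((when, mac, label))
    return timeline


def activity_between(timeline, start_iso, end_iso):
    """Narrow the timeline to a window of interest. ISO strings compare as text
    because build_timeline renders every event with the same UTC offset."""
    return [e for e in timeline if start_iso <= e[0] <= end_iso]


if __name__ == "__main__":
    for when, mac, path in build_timeline(SAMPLE_FILES, tz_offset_hours=-5,
                                          clock_skew_seconds=120):
        print(when, mac, path)
```

Two timestamps of the same file that fall on the same second collapse into one line ("m.c"), which is how mactime output reads; a burst of "..c" entries on system binaries with no matching "m" is the pattern the deck's rootkit slides are about, since copying a file over an existing one changes its ctime but can preserve the old mtime.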
Basics: WIRESHARK
Ask for your neighbor’s IP address, jot down here _______________________
Bring up Wireshark.
Lab #1 – Looking at everything on the network
1. Select Capture > Options
 a. Is the interface set to 'eth0'?
 b. Verify these are checked: Update list of packets in real time; Automatic scrolling in live capture; Enable MAC name resolution; Enable network name resolution; Enable transport name resolution
 c. Let it run for 1-2 minutes
 d. What protocols are being used? (Example: UDP?, ARP?, IPX?, Other?)
 e. Select [STOP] when done
 f. What do you see?
Lab #2 – Looking only at a specific workstation
2. Select Capture > Options
 a. Is the interface set to 'eth0'?
 b. Verify these are checked: Update list of packets in real time; Automatic scrolling in live capture; Enable MAC name resolution; Enable network name resolution; Enable transport name resolution
3. Select CAPTURE, then CAPTURE FILTERS
4. Select NEW, enter the FILTER NAME (your neighbor’s name, maybe?)
5. In the FILTER STRING, type host <your neighbor’s IP address>. Example: host 192.168.1.1. Select SAVE, then CLOSE.
6. Ask your neighbor to go to a few websites, check e-mail, ftp, etc.
7. Let Wireshark run for 4-5 minutes
8. What protocols are being used? (Example: UDP?, ARP?, IPX?, Other?)
9. Select [STOP] when done
Lab #3: Now that you have the basics, set up four more filters:
* Capture only DNS traffic. Filter: port 53
* Capture only IP traffic. Filter: ip
* Capture only web traffic. Filter: port 80
* Capture only unicast traffic (useful to get rid of noise on the network if you only want to see traffic to and from your machine, not, for example, broadcast and multicast announcements). Filter: not broadcast and not multicast
Optional: additional Wireshark capture filter strings. These are capture filters (libpcap/BPF syntax, set before the capture starts), not display filters; a number is read as decimal unless it carries a 0x prefix, so EtherTypes must be written as hex with 0x.
* ARP: arp (equivalently ether proto 0x0806)
* IP(v4): ip (equivalently ether proto 0x0800)
* ICMP: icmp (equivalently ip proto 1)
* TCP: tcp (equivalently ip proto 6)
* UDP: udp (equivalently ip proto 17; the IP protocol number of UDP is 17, not 11)
* FTP (data): tcp port 20
* FTP (control): tcp port 21
* SSH: tcp port 22
* TELNET: tcp port 23
* SMTP: tcp port 25
* DNS: udp port 53
* HTTP: tcp port 80
* NETBIOS Name Service: udp port 137
* NETBIOS Datagram: udp port 138
* NETBIOS Session: tcp port 139
* IMAP: tcp port 143
* SNMP: udp port 161
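To make the capture-filter strings above concrete, here is an added example (not part of the handout and not Wireshark or libpcap code) that decodes Ethernet II/IPv4/TCP/UDP headers and evaluates a small subset of the BPF primitives used in the labs (ip, arp, tcp, udp, icmp, host, port, tcp/udp port, ether proto, ip proto, broadcast, multicast, not, and) over a handful of constructed frames standing in for a live capture. The frames, addresses and port numbers are made up for the example; checksums are left as zero because the matcher never verifies them.

```python
import socket
import struct

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
BROADCAST = b"\xff" * 6


def parse_frame(frame):
    """Decode Ethernet II, IPv4 and the TCP/UDP port fields into a dict."""
    pkt = {"dst_mac": frame[:6], "src_mac": frame[6:12],
           "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if pkt["ethertype"] != ETHERTYPE_IPV4:
        return pkt                          # ARP etc.: nothing above layer 2 to parse
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                # header length in bytes (options possible)
    pkt.update(ip_proto=ip[9], src_ip=socket.inet_ntoa(ip[12:16]),
               dst_ip=socket.inet_ntoa(ip[16:20]))
    if pkt["ip_proto"] in (IPPROTO_TCP, IPPROTO_UDP):
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return pkt


def _term(pkt, words):
    """One capture-filter primitive. Numbers go through int(x, 0): like libpcap,
    hex is only hex with a 0x prefix, so '0806' is not accepted as 0x0806."""
    if words == ["ip"]:        return pkt["ethertype"] == ETHERTYPE_IPV4
    if words == ["arp"]:       return pkt["ethertype"] == ETHERTYPE_ARP
    if words == ["tcp"]:       return pkt.get("ip_proto") == IPPROTO_TCP
    if words == ["udp"]:       return pkt.get("ip_proto") == IPPROTO_UDP
    if words == ["icmp"]:      return pkt.get("ip_proto") == IPPROTO_ICMP
    if words == ["broadcast"]: return pkt["dst_mac"] == BROADCAST
    if words == ["multicast"]: return bool(pkt["dst_mac"][0] & 1)   # group bit set
    if words[:2] == ["ether", "proto"]: return pkt["ethertype"] == int(words[2], 0)
    if words[:2] == ["ip", "proto"]:    return pkt.get("ip_proto") == int(words[2], 0)
    if words[0] == "host":  return words[1] in (pkt.get("src_ip"), pkt.get("dst_ip"))
    if len(words) >= 2 and words[-2] == "port":
        if len(words) == 3 and not _term(pkt, words[:1]):   # 'tcp port N' / 'udp port N'
            return False
        return int(words[-1]) in (pkt.get("sport"), pkt.get("dport"))
    raise ValueError("unsupported primitive: " + " ".join(words))


def matches(pkt, expr):
    """Evaluate 'term [and term ...]' where any term may start with 'not'."""
    for term in expr.split(" and "):
        words = term.split()
        negate = words[0] == "not"
        if negate:
            words = words[1:]
        if _term(pkt, words) == negate:
            return False
    return True


def apply_filter(frames, expr):
    return [f for f in frames if matches(parse_frame(f), expr)]


# --- constructed frames standing in for a live capture (checksums left 0) ---
def eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def sample_capture():
    pc, gw, srv = bytes.fromhex("aabbccddeeff"), bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
    mdns = bytes.fromhex("01005e0000fb")
    return [
        eth(gw, pc, ETHERTYPE_IPV4, ipv4("192.168.1.10", "8.8.8.8", IPPROTO_UDP, udp(51234, 53, b"\x12\x34"))),
        eth(pc, gw, ETHERTYPE_IPV4, ipv4("8.8.8.8", "192.168.1.10", IPPROTO_UDP, udp(53, 51234, b"\x12\x34"))),
        eth(gw, pc, ETHERTYPE_IPV4, ipv4("192.168.1.10", "93.184.216.34", IPPROTO_TCP, tcp_syn(40000, 80))),
        eth(BROADCAST, pc, ETHERTYPE_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20),
        eth(gw, srv, ETHERTYPE_IPV4, ipv4("192.168.1.20", "192.168.1.1", IPPROTO_TCP, tcp_syn(50000, 22))),
        eth(mdns, srv, ETHERTYPE_IPV4, ipv4("192.168.1.20", "224.0.0.251", IPPROTO_UDP, udp(5353, 5353, b"\x00"))),
    ]
```

Running "ip proto 11" over this capture matches nothing, while "ip proto 17" and "udp" agree, which is the quickest way to see why the handout's UDP line needed correcting; "not broadcast and not multicast" drops both the ARP request and the mDNS announcement and keeps the four unicast frames.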
Who?
Tony Godfrey is the CEO / Linux Consultant of Falconer Technologies. He founded his company in 2003 and is now 100% focused on Linux. Tony has written several articles on security administration, contributes to Linux forums and publications, has written technical content for Linux administration, and did the technical review on a Mark Sobell Linux book. He also teaches topics covering Linux, Securing Linux, Network/WAN integration, Cisco routers, Cybercrime and System Forensics.
A “live” environment?
The term "live" derives from the fact that these "distros", or software distributions, each contain a complete, functioning and operational operating system on the distribution medium. A live distro does not alter the operating system or files already installed on the computer hard drive unless instructed to do so. Live distros often include mechanisms and utilities for more permanent installation, including disk partitioning tools.
A “live” environment?
The default option, however, is to allow the user to return the computer to its previous state when the live distro is ejected and the computer is rebooted. It is able to run without permanent installation by placing the files that typically would be stored on a hard drive into RAM, typically in a RAM disk. However, this does cut down on the RAM available to applications, reducing performance somewhat. Certain live distros run a graphical user interface in as little as 32 MB RAM.
Linux “Distro”
A “distro” is a Linux distribution. This means someone has taken an existing platform and custom tailored it to fulfill a unique need. Debian is a core distribution (like Slackware or Gentoo). Ubuntu (ease of use) and Knoppix (the network administrator’s Swiss Army knife) are off-shoots of Debian.
So….what is Lubuntu?
The objective of the Lubuntu project is to create a variant of Ubuntu that is lighter, less resource hungry and more energy-efficient by using lightweight applications and LXDE, The Lightweight X11 Desktop Environment, as its default GUI. This makes it perfect for Deft.
Are there other ones?
* Deft: http://www.deftlinux.net/
* Qubes-OS: http://www.qubes-os.org/trac
* Pentoo: http://www.pentoo.ch/
* Lightweight Portable Security: http://www.spi.dod.mil/lipose.htm
Are there other ones?
* CAINE: http://www.caine-live.net/
* SMART: http://www.asrdata.com/forensic-software/smart-linux/
* Paladin: http://sumuri.com/index.php/joomla/what-is-paladin-forensic-software
SD Cards?
Secure Digital (SD) is a non-volatile memory card format developed by many manufacturers for use in portable devices. Today it is widely used in digital cameras, handheld computers, media players, mobile phones, GPS receivers, and video game consoles. Standard SD card capacities range from 4 MB to 4 GB, and for high capacity SDHC cards from 4 GB to 32 GB as of 2008. The SDXC (eXtended Capacity), a new specification announced at the 2009 CES, will allow for 2 TB capacity cards.
Which is better?
Memory card interfaces are rated at about 15k-20k insertion cycles (assume you remove and reinsert once a day until it gives up the ghost: about 40 to 50 years). The USB interface is rated between 1k and 5k cycles (3-15 years).
Welcome to Deft version 7
http://www.deftlinux.net/
What does “deft” mean?
Dexterous, Nimble, Skillful, Clever
Version 7….Version 8?
The Deft Team announced in February 2013 that Version 8 would be out within the next few months.
What is Deft?
The “DEFT team” is pleased to announce the release of the stable version of DEFT 7, the first toolkit able to perform Computer Forensics, Mobile Forensics, Network Forensics, Incident Response and Cyber Intelligence.
What is in it?
A GNU/Linux based system optimized for Computer Forensics and Cyber Intelligence activities, installable or able to run in live mode. DART (Digital Advanced Response Toolkit) is a graphical user interface that handles, in a safe environment, the execution of “Incident Response” and Live Forensics tools.
More stuff…
DEFT 7 is based on the new Kernel 3 (Linux side) and on DART (Digital Advanced Response Toolkit) with the best freeware Windows Computer Forensic tools. It’s a new concept of Computer Forensic system that uses LXDE as desktop environment, WINE to execute Windows tools under Linux, and Mount Manager as the tool for device management.
More stuff…
It is a very professional and stable system that includes excellent hardware detection and the best free and open source applications dedicated to Incident Response, Cyber Intelligence and Computer Forensics. DEFT is meant to be used by the Military, Police, Investigators, IT Auditors and Individuals. DEFT is 100% made in Italy.
What is in it?
Please take a look at the NOTES section of this slide.
Let’s get started with an installation
Installation Time!
Hold Up! Installation Type
There are different methods of installing it to a USB flashie, hard drive, or virtual environment.
Three Methods
#1: We can install Deft so it will either overwrite or dual-boot a hard drive.
#2: We can install Deft on a USB flashie using the Universal USB Installer.
#3: Install VMware Player, install Deft, and utilize a virtual environment.
Method #1 Directly to the hard drive Go to “Install Slide A”
Method #2: Universal USB Installer
Locate the Deft ISO file, put in a flashie (4 GB minimum) that can be overwritten, and run the Universal-USB-Installer-220.127.116.11 executable file. This normally takes 10-15 min to run. Eject any Deft media and reboot your machine. Boot from the newly created Deft USB flashie.
Virtual Environment?
A virtual machine (VM) is a software implementation of a computing environment in which an operating system or program can be installed and run. The virtual machine typically emulates a physical computing environment, but requests for CPU, memory, hard disk, network and other hardware resources are managed by a virtualization layer which translates these requests to the underlying physical hardware.
Method #3: VMware Player
Install the VMware Player 3.x/4.x executable file. Fire up VMware Player and create a new machine. Make sure you know where the Deft DVD or ISO file is. We will set up a 20 GB virtual disk and set the CD/DVD selection to “Legacy”. Install Deft – see “Install Slide A”.
Autopsy Forensic Browser
The Autopsy Forensic Browser is a graphical interface to the command line digital investigation analysis tools (The Sleuth Kit) shipped in Deft. Together, they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3).
Autopsy Forensic Browser
Deft and Autopsy are both Open Source and run on UNIX platforms (you can use Cygwin to run Autopsy and The Sleuth Kit on Windows). As Autopsy is HTML-based, you can connect to the Autopsy server from any platform using an HTML browser. Autopsy provides a "File Manager"-like interface and shows details about deleted data and file system structures.
Analysis Mode: Dead
A dead analysis occurs when a dedicated analysis system is used to examine the data from a suspect system. In this case, Autopsy and Deft are run in a trusted environment, typically in a lab. Autopsy and TSK support raw, Expert Witness, and AFF file formats.
Analysis Mode: Live
A live analysis occurs when the suspect system is being analyzed while it is running. In this case, Autopsy and Deft are run from a CD in an untrusted environment. This is frequently used during incident response while the incident is being confirmed. After it is confirmed, the system can be acquired and a dead analysis performed.
Evidence Search Techniques
* File Listing
* File Content
* Hash Databases
* File Type Sorting
* Timeline of File Activity
* Keyword Search
* Meta Data Analysis
* Data Unit Analysis
* Image Details
Lab #2
Access the Autopsy Forensic Browser, then connect to the suspect machine. Let’s review these tools: File Listing, File Content, Hash Databases, File Type Sorting, Timeline of File Activity, Keyword Search, Meta Data Analysis, Data Unit Analysis, and Image Details.
What is a “rootkit”?
A rootkit is software planted on a compromised system (Unix-like, Windows or otherwise) to keep privileged access and hide the intruder's presence, often paired with a backdoor that lets a remote user execute code or commands. There are many different types of rootkits. Some install themselves among legitimate daemons or replace system binaries, "hide" their processes, files and connections from the administrator, and often report results, output, or data to a remote server.
rkhunter
Rkhunter is much like a virus scanner for a Windows system. It has definitions to help identify rootkits and reports them. Just like anything, rkhunter isn't 100%, but it weeds out the majority of known rootkits. Upon running rkhunter, various system files, conf files, and bin directories are examined.
rkhunter
The results are cross-referenced against the signatures of known rootkits (from the definitions) and against a stored baseline of file properties (hashes, sizes, permissions) for the system's own binaries, and a report is compiled. This is where *nix systems really shine: while your OS may vary in how it's compiled or configured, the file system layout and configuration are basically the same, which lets programs like rkhunter flag changes with a fairly small window for error. The usual source of false positives is a legitimate package update that changes the baselined binaries, so refresh the file-properties baseline after trusted updates, and remember that a scanner run from the suspect system's own binaries can itself be subverted by the rootkit it is looking for; running it from the Deft live medium avoids that.
Go to TERMINAL
sudo rkhunter --update
This will update the database. Then you can add:
sudo rkhunter --check --createlogfile
This will activate the rootkit scan. Tip: don't walk off and just leave it to scan; you might be prompted to press [ENTER] a few times to enable it to finish.
What is Data Carving?
Data carving is the process of extracting a collection of data from a larger data set. Data carving techniques are frequently used during a digital investigation when the unallocated file system space is analyzed to extract files. The files are "carved" from the unallocated space using file type specific header and footer values. File system structures are not used during the process. This is exactly how PhotoRec works.
PhotoRec
In the carving test the slide refers to, the first step was to use PhotoRec, version 6.5-WIP (WIP = Work In Progress). PhotoRec scanned the image file for known headers and successfully recognized all JPEG, OLE/Office, HTML and ZIP headers. There were no false positives.
PhotoRec
The JPEG footer, used to determine the file size and validity of a recovered JPEG, is checked by PhotoRec using libjpeg. ZIP footers are detected, but the file integrity isn't checked. The OLE file format is very complex (its internals are similar to a file system), but PhotoRec is able to get the file size by analyzing the FAT. After a UTF-8 to ASCII translation, PhotoRec calculates the index of coincidence to determine if a sector holds text or random data.
Scalpel
Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files or data fragments from a set of image files or raw device files. Scalpel is file system-independent and will carve files from FAT, NTFS, ext2/3, HFS+, or raw partitions. It is useful for both digital forensics investigation and file recovery.
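The data carving, PhotoRec and Scalpel slides above describe header/footer carving and the fact that PhotoRec validates a JPEG rather than trusting the first FF D9 it sees. Here is an added example (not PhotoRec or Scalpel code) that carves a constructed "disk image" with a scalpel.conf-style table of header, footer and maximum size, and shows why the naive footer rule is not enough: the sample JPEG carries an EXIF thumbnail, itself a complete JPEG, inside its APP1 segment, so the first FF D9 after the header ends the thumbnail, not the file. The marker walk in jpeg_end is the same idea as PhotoRec's validation, applied to the JPEG segment structure; all byte strings in sample_image are made up for the example.

```python
import struct

# Header, footer and maximum size per type, in the spirit of scalpel.conf entries.
CARVERS = {
    "jpg":  (b"\xff\xd8\xff", b"\xff\xd9", 4 * 1024 * 1024),
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 4 * 1024 * 1024),
    "html": (b"<html", b"</html>", 1024 * 1024),
}


def footer_end(image, start, limit, header, footer):
    """Naive rule: the file ends at the first footer after the header."""
    end = image.find(footer, start + len(header), limit)
    return end + len(footer) if end >= 0 else -1


def jpeg_end(image, start, limit, header=None, footer=None):
    """Walk the JPEG marker segments from SOI. Every segment before SOS carries
    a 2-byte length, so an EOI inside an EXIF thumbnail (APP1) is skipped;
    only after SOS is the next FF D9 the real end of file."""
    pos = start + 2
    while pos + 4 <= limit and image[pos] == 0xFF:
        marker = image[pos + 1]
        if marker == 0xDA:                           # SOS: entropy-coded data follows
            end = image.find(b"\xff\xd9", pos + 2, limit)
            return end + 2 if end >= 0 else -1
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7 or marker == 0x01:
            pos += 2                                 # standalone markers, no length
            continue
        pos += 2 + struct.unpack("!H", image[pos + 2:pos + 4])[0]
    return -1


def carve(image, carvers=CARVERS, end_finders=None):
    """File-system-independent carving: scan the whole image for every header,
    cut at the type's end, and return (type, offset, data) sorted by offset."""
    end_finders = {"jpg": jpeg_end} if end_finders is None else end_finders
    found = []
    for ext, (header, footer, max_size) in carvers.items():
        find_end = end_finders.get(ext, footer_end)
        pos = 0
        while (start := image.find(header, pos)) >= 0:
            end = find_end(image, start, min(len(image), start + max_size), header, footer)
            if end > 0:
                found.append((ext, start, image[start:end]))
                pos = end                            # resume after the carved file
            else:
                pos = start + 1                      # header without a valid end: skip it
    return sorted(found, key=lambda t: t[1])


def carve_naive(image):
    """Same scan, but every type uses the first-footer rule (no validation)."""
    return carve(image, end_finders={})


# --- constructed test data: a JPEG with an EXIF thumbnail, a PNG, an HTML page ---
def fake_jpeg():
    thumb = b"\xff\xd8\xff\xdb\x00\x03\x00\xff\xda\x00\x02\x11\x22\xff\xd9"   # inner JPEG
    exif = b"Exif\x00\x00" + thumb
    app1 = b"\xff\xe1" + struct.pack("!H", 2 + len(exif)) + exif
    dqt = b"\xff\xdb" + struct.pack("!H", 5) + b"\x00\x01\x02"
    sos = b"\xff\xda" + struct.pack("!H", 4) + b"\x01\x00"
    scan = bytes(range(1, 64))                       # entropy data, no 0xFF bytes
    return b"\xff\xd8" + app1 + dqt + sos + scan + b"\xff\xd9"

def sample_image():
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    html = b"<html><body>carved</body></html>"
    filler = b"\x00" * 64 + b"unallocated slack and old directory entries " + b"\x00" * 32
    return filler + fake_jpeg() + filler + png + filler + html + filler


if __name__ == "__main__":
    for ext, offset, data in carve(sample_image()):
        print(ext, offset, len(data))
```

carve_naive recovers a JPEG that stops at the thumbnail's EOI and so will not decode fully, which is exactly the kind of truncated or corrupt output a footer-only carver produces on real images; PhotoRec's libjpeg check and the segment walk above both catch it.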
Hashing
#1: To cut.
#2: A technique for locating data in a file by applying a transformation, usually arithmetic, to a key.
md5deep
md5deep is a set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files. md5deep is similar to the md5sum program found in the GNU Coreutils package. The application’s features include recursive operation, comparison mode, time estimation, piecewise hashing, and file type mode.
guymager
A free forensic imager for media acquisition. Its main features are:
* Easy user interface in different languages
* Runs under Linux
* Really fast, due to multi-threaded, pipelined design and multi-threaded data compression
* Makes full use of multi-processor machines
* Generates flat (dd), EWF (E01) and AFF images, supports disk cloning
* Free of charge, completely open source
BitPim
BitPim is a program that allows you to view and manipulate data on many CDMA phones from LG, Samsung, Sanyo and other manufacturers. This includes the PhoneBook, Calendar, WallPapers, RingTones (functionality varies by phone) and the Filesystem for most Qualcomm CDMA chipset based phones. Available for Windows, Linux, or Mac.
Wireshark
Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.
Wireshark examples
* Network administrators use it to troubleshoot network problems
* Network security engineers use it to examine security problems
* Developers use it to debug protocol implementations
* People use it to learn network protocol internals
Maltego
Maltego is an open source intelligence and forensics application. It offers timely mining and gathering of information as well as the representation of this information in an easy to understand format.
John the Ripper
John the Ripper is free and Open Source software, distributed primarily in source code form. If you would rather use a commercial product tailored for your specific operating system, please consider John the Ripper Pro, which is distributed primarily in the form of "native" packages for the target operating systems and in general is meant to be easier to install and use while delivering optimal performance.
Using John the Ripper
./john --wordlist=wordlistfile --rules pwdumpfile
Options take two leading hyphens and go before the password file. --rules on its own applies the default [List.Rules:Wordlist] section of john.conf; to use another rule set write --rules=SECTION (a rules file is not passed as a separate argument). Cracked passwords are listed afterwards with ./john --show pwdumpfile.
Hydra
A fast network authentication cracker which supports many different services. It uses a dictionary attack to test for weak or simple passwords on one or many remote hosts running a variety of different services such as TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP, PostgreSQL, Teamspeak, Cisco auth, Cisco enable, and Cisco AAA.
KeepNote
A simple but effective tool for saving and using notes for class, lab, meetings, papers, accounts, journals, and more as XML or HTML files. You can insert or attach images, spreadsheets, and other files, too. KeepNote offers a lot of flexibility, but it leaves out bells and whistles like contact managers, task schedulers, and other distractions from the job at hand. Its main job is to replace that stack of notebooks you're lugging around.
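The John the Ripper and Hydra slides above describe the same wordlist-plus-rules dictionary attack in two settings: offline against a hash file (john) and online against a live service (hydra). The following is an added example, not code from either project, that shows both with one candidate generator: crack() hashes each mangled candidate once and looks it up in a target set, the way john's raw-md5 mode works on a dump; online_guess() feeds the same candidates to a constructed stand-in for a remote login that locks the account after a few failures, which is the limit hydra runs into that john does not. The wordlist, the rule set, the target hashes and FakeService are all made up for the example; real john rules live in john.conf and are far richer than these.

```python
import hashlib

# Constructed wordlist (a real run would read a file, e.g. john's password.lst).
WORDLIST = ["password", "letmein", "winter", "forensics"]


def rules(word):
    """Word-mangling rules in the spirit of john.conf [List.Rules:Wordlist]:
    ':' as-is, 'c' capitalize, 'u' uppercase, '$N' append a digit, a few leet
    substitutions, and a trailing '!'. Order matters online: cheap guesses first."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for digit in "0123456789":
        yield word + digit
        yield word.capitalize() + digit
    leet = word.replace("a", "@").replace("e", "3").replace("o", "0").replace("i", "1")
    if leet != word:
        yield leet
    yield word + "!"
    yield word.capitalize() + "!"


def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def crack(hashes, wordlist, rules_fn=rules, digest=md5hex):
    """Offline attack (john): hash each candidate once, look it up in the target
    set, stop when every target is cracked. Returns {hash: plaintext}."""
    targets = {h.lower() for h in hashes}
    cracked, seen = {}, set()
    for word in wordlist:
        for cand in rules_fn(word):
            if cand in seen:
                continue
            seen.add(cand)
            h = digest(cand)
            if h in targets:
                cracked[h] = cand
                if len(cracked) == len(targets):
                    return cracked
    return cracked


class FakeService:
    """Constructed stand-in for the remote login hydra talks to: one valid
    user/password pair, and the account locks after `lockout` failed attempts."""
    def __init__(self, user, password, lockout=5):
        self.user, self.password, self.lockout = user, password, lockout
        self.failures = self.attempts = 0

    def login(self, user, password):
        self.attempts += 1
        if self.failures >= self.lockout:
            return False                    # locked out: even the right password fails now
        if user == self.user and password == self.password:
            return True
        self.failures += 1
        return False


def online_guess(service, user, wordlist, rules_fn=rules, max_attempts=1000):
    """Online attack (hydra): same candidates, but every guess is a network login
    the target can log, throttle or lock out, so the attempt budget is the limit."""
    for word in wordlist:
        for cand in rules_fn(word):
            if service.attempts >= max_attempts:
                return None
            if service.login(user, cand):
                return cand
    return None


# Constructed pwdump-like targets: raw MD5 of three weak passwords and one strong one.
SAMPLE_HASHES = [md5hex("Letmein1"), md5hex("p@ssw0rd"), md5hex("forensics!"),
                 md5hex("Xk9#qL!pz")]

if __name__ == "__main__":
    print(crack(SAMPLE_HASHES, WORDLIST))
    svc = FakeService("bob", "Letmein1", lockout=3)
    print(online_guess(svc, "bob", WORDLIST), "after", svc.attempts, "attempts")
```

The offline run recovers the three weak passwords and never the strong one, whatever the rule count; the online run against a lockout of three fails even though "Letmein1" is in the candidate list, because the first three guesses spend the budget. That asymmetry is why hydra is used with short, targeted lists and why account lockout and login auditing are the defensive counterparts of both tools.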