File000127

Module XIV – Linux Forensics

EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Linux Tool Speeds Up
Computer Forensics for Cops
Source: http://news.zdnet.com/2100-3513_22-190993.html

EC-Council
Module Objective
• Linux Forensics Environment Creation
• Floppy Disk Analysis
• Hard Disk Analysis
• Linux Boot Sequence
• Data Collection using Toolkit
• Crash Commands
• Step-By-Step Approach to Case
• Use of Linux in Forensics
• Linux Forensic Tools
This module will familiarize you with:

EC-Council
Module Flow
Linux Boot Sequence
Data Collection using
Toolkit
Crash Commands
Step-By-Step
Approach to Case
Use of Linux in Forensics
Floppy Disk Analysis
Linux Forensics
Environment Creation
Hard Disk Analysis
Linux Forensic Tools

EC-Council
Introduction to Linux

EC-Council
Linux OS
Linux is a free Unix-type open source operating system originally developed by Linus
Torvalds with the assistance of developers around the world
It comes in different packages called distributions such as Red Hat, SuSE, and Mandrake
Linux distributions come in the following editions:
• It is a desktop installation with graphical interface and common applications
Desktop
• It is used in a production environment and business
Server/Enterprise
• The operating system is stored on a bootable storing device
Live CD

EC-Council
Linux Boot Sequence
The first step in the boot up sequence for Linux is loading the kernel
The kernel image is usually contained in the /boot directory
Details of the boot loader can be gained from LILO or GRUB using
more /etc/lilo.conf or more /etc/grub.conf
The next step is initialization where runlevel and startup
scripts are initialized and terminal process is controlled
The file that controls the initialization is /etc/inittab and the
file that begins the process is /sbin/init

EC-Council
File System in Linux
On most Linux distributions, the
basic directory structure is
organized like this:

EC-Council
File System Description

EC-Council
Linux Forensics
Linux has a number of simple utilities that make imaging and basic analysis
of suspect disks and drives easier. These include:
Utility Description
dd
Command to copy data from an input file or device to an output file or
device
sfdisk and fdisk Command to determine the disk’s structure
grep Command to search files for instances of an expression or pattern
The loop device
Allows you to mount an image without having to rewrite the image to a
disk
md5sum and
sha1sum
Command to create and store an MD5 or SHA hash of a file or list of files
(including devices)
file
Command to read file header information in an attempt to ascertain its
type, regardless of the name or extension
Xxd Command line hexdump tool
ghex and khexedit The Gnome and KDE (X Window interfaces) hex editors

EC-Council
Use of Linux as a Forensics Tool
Why use Linux for Forensics?
• Treats every device as a file
• Does not need a separate write blocker
Greater Control
• Can be booted from a CD
• Can recognize several file systems
Flexibility
• Distributions like THE FARMER'S BOOT CD and Sleuth
make Linux a forensic tool in itself
Power

EC-Council
Advantages of Linux in Forensics
• Software is freely available
• Source code is provided
• Tools can be closely scrutinized for correctness
Software availability and accessibility
• Allows for much automation and scripting
Efficiency
• Software can be modified to fit the requirements
Optimizing and Customizing
• It supports Ad-hoc community
• It uses open and published standards
• It is compatible across technologies and organizations
Support

EC-Council
Disadvantages of Linux in
Forensics
• It takes time and effort to learn Linux
• Command line requires expertise unlike the GUI
environment, which is easy to work with
Requires training
• Continuous changes and updates occurs
• It takes time to implement changes
• Changes and implementation may not be the final one
Inter-operating with technologies is
hard

EC-Council
Precautions to Take During an
Investigation
Avoid running programs on the compromised system
Do not run the programs that will modify the meta-data of
files and directories
Write the results of the investigation to a remote location
Calculate the hash values of the digital data to avoid the
digital data alteration

EC-Council
Recognizing Partitions in Linux
If a standard IDE disk is being used, it will be referred to as
"hdx"
The "x" is replaced with an "a" if the disk is connected to
the primary IDE controller as master and with a "b" if the
disk is connected to the primary IDE controller as a slave
device
Similarly, the IDE disks connected to the secondary IDE
controller as master and slave will be referred to as "hdc”
and “hdd” respectively

EC-Council
mount Command
Devices such as floppies, CDs, hard disk partitions, and other storage devices must be attached to some
existing directory on your system before they can be accessed
This attaching is called mounting, and the directory where the device is attached is called a mount point
After the device is mounted, you can access the files on that device by accessing the directory where the
device is attached
Unmount the device when you want to remove or detach it from the mount point
When mounting, specify the device or partition to be mounted and the mount point
The mount point must be a directory that already exists on the system. An example to mount a floppy
is:
•$ mount /dev/fd0 /mnt/floppy
For unmounting the device or partition, you must specify its name with unmount command
•$ umount /dev/fd0

EC-Council
dd Command Options
dd command is used to convert and copy a file
It reads the InFile parameter, converts it in a specified format, and
copies the data into OutFile parameter
• dd [ bs=BlockSize ][ cbs=BlockSize ] [ conv= [
ascii | block | ebcdic | ibm | unblock ] [ lcase
| ucase ] [ iblock ] [ noerror ] [ swab ] [ sync
] [ oblock ] [ notrunc ] ] [ count=InputBlocks ]
[ files=InputFiles ] [ fskip=SkipEOFs ] [
ibs=InputBlockSize ] [ if=InFile ] [
obs=OutputBlockSize ][ of=OutFile ] [
seek=RecordNumber ] [ skip=SkipInputBlocks ][
span=yes|no ]
Syntax:

EC-Council
Floppy Disk Analysis
• Use dd to create forensic image and compare SHA hash of the
image against floppy
• Use the commands:
• # dd if=/dev/fd0 of=/evidence/floppy1.img bs=512
• # sha1sum /evidence/floppy1.img
>/evidence/floppy1img.sha1sum
• # cat /evidence/floppy1img.sha1sum
• # cat /evidence/floppy1.sha1sum
To create floppy disk image:
In floppy disk analysis, insert floppy into floppy drive and obtain its SHA
hash

EC-Council
Floppy Disk Analysis (cont’d)
Identify File System:
• Use file utility to identify the file system of floppy disk image
• Use the command:
• # File /evidence/floppy1.img
Mount the image for analysis:
• Create a directory to mount the image
• Use mount utility to mount the image, using loop back
• Use the commands:
• # mkdir /mnt/analysis
• # mount -t vfat -o ro,noexec,loop /evidence/floppy1.img
/mnt/analysis
• # umount /mnt/analysis
• # mount –o ro,noexec,loop /evidence/floppy1.img
/mnt/analysis

EC-Council
• Obtain SHA hash of each file on the floppy disk and check files
• # cd /mnt/analysis/mnt/analysis # find . -type f -
exec sha1sum {} ; >/evidence/floppy1img.sha1filehash
/mnt/analysis # cat /evidence/floppy1img.sha1filehash
da39a3ee5e6b4b0d3255bfef95601890afd80709
./.ICEauthority
9155df0f906411433388c335c902d0a7452c6a72
./addressbook
2406038ea5da9776c1f32ba3d7f0e84d0b3d2af9
./crackdealers.d /mnt/analysis #
Obtain SHA Hash of Contents:

EC-Council
• Use strings utility to extract raw text from a binary file
•# strings crackdealers.d | less
View file’s contents:

EC-Council
Hard Disk Analysis
• Use dd partition(s) to image(s)
•dd if=/dev/hda1 of=/var/case01.dd
Make an image of the hard disk
• date > case01.evidence.seal md5sum case01.dd >>
case01.evidence.seal
gpg –clearsign case01.evidence.seal
Use md5sum to collect the information about the
system time and date
•mount –o ro,loop,nodev,noexec case01.dd /mnt/evidence
Mount copy of evidence into the file system

EC-Council
Hard Disk Analysis (cont’d)
Capture the drive’s forensic data
• grave-robber –c /mnt/evidence –m –d
/var/investigations/case01 –o LINUX2
Extract deleted inode (mod/access/change) times
• ils case01.dd | ils2mac > case01.ilsbody
Combine evidence for timeline conversion
• cat case01.ilsbody body > case01.evidence
Generate Timeline
• mactime –p /mnt/evidence/etc/passwd
–g /mnt/evidence/etc/group -b case01.evidence
11/28/2003 > case01.timeline

EC-Council
Data Collection

EC-Council
Forensic Toolkit Preparation
The forensic toolkit should include the tools such as:
• nc
• dd
• datecat
• pcat
• Hunter.o
• insmod
• NetstatArproute
• dmesg
After building all the tools, copy all of them to the removable media

EC-Council
Data Collection Using the Toolkit
Step 1
• Media mounting
Step 2
• Current date
Step 3
• Cache tables
Step 4
• Current, pending connections and open TCP/UDP ports
Step 5
• Physical memory image

EC-Council
(cont’d)
Step 6
• List of modules loaded to the kernel memory of an operating system
Step 7
• The list of active processes
Step 8
• Collecting of suspicious processes
Step 9
• Useful information about the compromised system
Step
10
• Current time

EC-Council
(cont’d)
• Mount the toolkit on the external media
• # mount -n /mnt/cdrom
• Calculate the hash value of the collected file to maintain the
integrity of the digital evidence
• # md5sum date_compromised > date_compromised.md5
Media mounting

EC-Council
(cont’d)
Current date:
• Collect the current date result, presented in the UTC format
• # nc -l -p port > date_compromised
• # /mnt/cdrom/date -u | /mnt/cdrom/nc (remote) port
• # md5sum date_compromised > date_compromised.md5
Cache tables:
• Collect the cache table information as it is volatile and can be lost
• Mac address cache table:
• # nc -l -p port > arp_compromised
• # /mnt/cdrom/arp -an | /mnt/cdrom/nc (remote) port
• # md5sum arp_compromised > arp_compromised.md5
• Kernel route cache table:
• # nc -l -p port > route_compromised
• # /mnt/cdrom/route -Cn | /mnt/cdrom/nc (remote) port
• #md5sum route_compromised > route_compromised.md5

EC-Council
(cont’d)
• Collect information about the current connections and open TCP/UDP
ports
•#nc -l -p port > connections_compromised
•# /mnt/cdrom/netstat -an | /mnt/cdrom/nc (remote) port
•#md5sum connections_compromised > connections_compromised.md5
Current, pending connections, and open TCP/UDP
ports:
• Access physical memory directly by copying the /dev/mem device or by
copying the kcore file
• kcore file can be found in the pseudo file system, which is mounted in the
/proc directory
•#nc -l -p port > kcore_compromised
•#/mnt/cdrom/dd < /proc/kcore | /mnt/cdrom/nc (remote) port
•#md5sum kcore_compromised > kcore_compromised.md5
Physical memory image:

EC-Council
(cont’d)
List of modules loaded to kernel memory of an operating system:
• Check which modules are currently loaded into memory
• # nc -l -p port > lkms_compromised
• #/mnt/cdrom/cat /proc/modules | /mnt/cdrom/nc (remote) port
• # nc -l -p port > lkms_compromised.md5
• # /mnt/cdrom/md5sum /proc/modules | /mnt/cdrom/nc (remote)
port
• Analyze the ksyms file to detect the presence of an intruder in the system
• #nc -l -p port > ksyms_compromised
• #/mnt/cdrom/cat /proc/ksyms | /mnt/cdrom/nc (remote) port
• # nc -l -p port > ksyms_compromised.md5
• #/mnt/cdrom/md5sum /proc/ksyms | /mnt/cdrom/nc (remote) port

EC-Council
(cont’d)
• Collect the information about all processes, open ports, and files
with the use of lsof tool
• #nc -l -p port > lsof_compromised
• #/mnt/cdrom/lsof -n -P -l | /mnt/cdrom/nc (remote)
port
• #md5sum lsof_compromised > lsof_compromised.md5
The list of active processes:
• Copy the entire memory allocated by a process
• #nc -l -p port > proc_id_compromised
• #/mnt/cdrom/pcat proc_id | /mnt/cdrom/nc (remote)
port
• #md5 proc_ip_compromised > proc_ip_compromised.md5
Collecting of suspicious processes:

EC-Council
(cont’d)
• Use the following commands to collect the information about the suspects
system:
Useful information about the compromised system:
Command Description
/mnt/cdrom/cat /proc/version Version of the operating system
/mnt/cdrom/cat /proc/sys/kernel/name Host’s name
/mnt/cdrom/cat
/proc/sys/kernel/domainame
Domain’s name
/mnt/cdrom/cat /proc/cpuinfo Information about hardware
/mnt/cdrom/cat /proc/swaps All swap partitions
mnt/cdrom/cat /proc/partitions All local file systems
/mnt/cdrom/cat /proc/self/mounts Mounted file systems
mnt/cdrom/cat /proc/uptime Uptime

EC-Council
(cont’d)
• Accumulate information about the current time
• #nc -l -p port > end_time
• # /mnt/cdrom/date | /mnt/cdrom/nc (remote) port
Current time:

EC-Council
Keyword Searching
• Strings:
• Used to gather all printable characters from the image file by
using the strings tool
• Use the -t switch to add an offset from the beginning of the
file
•strings -t d kcore > kcore_strings
•md5sum kcore_strings > kcore_strings.md5
• Grep:
• Used to gather commands typed by an intruder, IP addresses,
passwords, or even decrypted part of the malicious code
To search for signs of an intrusion,
use tools such as:

EC-Council
Linux Crash Utility
Crash is a tool for interactively analyzing the state of the Linux system while it is
running, or after a kernel crashes and a core dump has been created by the Red Hat
netdump facility
SYNAPSIS: crash [ -h [ opt ] ] [ -v ] [ -s ] [ -i file ] [ -d num
] [ -S ] [ mapfile ] [ namelist ] [ dumpfile ]
Options:
-h opt: Displays a help message
-v Displays the versions of the original gdb and crash libraries that make up the crash executable
-s Crash does not display any version, GPL, or crash initialization data during startup
-i file Crash reads and executes the crash command(s) contained in file before accepting any user
input. -d num Crash sets its internal debug level
-S Crash uses "/boot/System.map" as the mapfile
namelist: This is a pathname to an uncompressed kernel image (a vmlinux file) that has been
compiled with the "-g" option, or that has an accessible, associated debuginfo file
mapfile: If the live system kernel, or the kernel from which the dumpfile was derived, was not
compiled with the -g switch, then the additional mapfile argument is required
dumpfile: This is a pathname to a kernel memory core dump file

EC-Council
Linux Crash Utility: Commands
crash> ps
Output:

EC-Council
(cont’d)
crash> ps -t
Output:

EC-Council
(cont’d)
crash> ps –a
Output:
crash> foreach files
Output:

EC-Council
(cont’d)
crash> foreach net
Output:

EC-Council
Crash Commands (cont’d)
Extract the information related to the state of the system using the
crash commands
Information Command
Mounted file systems crash> mount
Open files per file system crash> mount –f
Kernel message buffer crash> log
Swap information crash> swap
Machine information crash> mach
Loaded Kernel Modules crash> mod
chrdevs and blkdevs arrays crash> dev
PCI device data crash> dev –p
I/O port/memory usage crash> dev –I
Kernel memory usage crash> kmem –I
Kernel vm_stat table crash> kmem -V

EC-Council
Case Examples

EC-Council
Case Example I
Rebecca had filed a lawsuit against Good Company Inc for sexual
harassment by one of its senior directors Mr. Peter Samson
She submitted a floppy as evidence of Mr. Peter’s advances
She also ascertained that Mr. Peter used to send her explicit material
through floppy disks marked as legitimate work
If a forensic investigator has been called to investigate the case by
Good Company Inc
How should the forensic investigator proceed with the evidence?

EC-Council
Step-by-Step Approach to Case
• Begin with creating a directory where all forensic
activities can be done
•/mkdir evidence
• It is desirable to create a special mount point for all
physical subject disk analysis
•mkdir /mnt/investigation
Document all processes

EC-Council
• Create an image of the disk using the simple bit
streaming command dd
•dd if=/dev/fd0 of=image.suspectdisk
• Change the read-write permissions of the image to
read-only using chmod
•chmod 444 image.suspectdisk
Determine the disk structure:
(cont’d)

EC-Council
(cont’d)
Mount the restored imaged working copy and analyze the
contents:
• mount -t vfat -o ro,noexec /dev/fd0
/mnt/investigations
• Another option is to mount a point within the image file using the
loop interface rather than mounting the contents to another
location
• mount -t vfat -o ro,noexec,loop image.suspectdisk
/mnt/investigations
Verify the integrity of the data on the imaged file by checking
the file hash:
• md5sum /evidence/md5.image.suspectfile or
• sha1sum -c /evidence/SHA. image.suspectfile

EC-Council
(cont’d)
Use the ls command to view the contents of the disk
• ls –alR to list all files including hidden files and list the directories recursively
Make a list of all files along with access times
• ls –laiRtu > /evidence/suspectfiles.list
Search for likely evidence using:
• grep. grep -i xxx suspectfiles.list
List the unknown file extensions and changed file appearances:
• file changedfile
• Files can be viewed using strings, cat, more, or less

EC-Council
(cont’d)
Search for certain keywords from the entire file list
• cat /evidence/ suspectfiles.list | grep
blackmailword
• A systematic approach to search for keywords would be to create a
keywords list. E.g. save it as:
•/evidence/keywordlist.txt
• grep the files for the keywords and save it to a file
•grep –aibf keywordlist.txt image.suspectdisk >
results.txt
• View the results:
•cat results.txt
• To analyze the files at each offset, use the hexdump tool:
•xxd -s (offset) image.suspectdisk | less

EC-Council
Challenges in Disk Forensics
with Linux
Linux cannot identify the last sector on hard drives with odd
number of sectors
Most Linux tools are complicated as they are used at the
command line
Devices can be written to even if they are not mounted
Bugs in the open source tools can be used to question the
credibility of the tool for forensics’ use
Forensic and Incident Response Environment (F.I.R.E) by
William Salusky provides a good tool set

EC-Council
Case Example II
Mr. Jason Smith was accused of hoarding illegal
material of questionable moral content on his
company’s network systems
Forensic investigator was called upon to examine the
suspect’s hard disk and unearth evidence related to
the illegal material
How the forensic investigator should proceed in
extracting and preserving the evidence?

EC-Council
Note down the model’s information from the hard disk label /manufacturer’s web
site, and the size and total number of sectors on the drive
Wipe and format a image disk drive using the ext3 file system (> 3x evidence size)
Fill the disk with zeros and ensure that the contents match
• dcfldd if=/dev/zero of=/dev/hda bs=4096 conv=noerror, sync
Partition the disk and reboot
• fdisk /dev/hda
Format with the ext3 file system
• mkfs –t ext3 /dev/image.disk

EC-Council
(cont’d)
• Mount the read-write image disk
•mount /dev/hda /mnt/image.disk
• Create a directory for all documentation and analysis
•mkdir /mnt/image.disk/case_no
• Create a sub-directory to hold the evidence’s image
•mkdir /mnt/image.disk/case_no/evidence_no
• Document the details of the investigation in a text file including
investigator’s details, case background details, and investigation
dates
• Carry out the document details of the disk media including
investigator’s name and organization, case number, media
evidence number, date and time of imaging; make, model, and
serial number of the computer, IP and system’s hostname; make,
model, and serial number of HD, source of HD, and scope of the
investigation
Prepare the disk for imaging

EC-Council
(cont’d)
• Connect both original evidence drive and drive to be imaged
to the imaging system
• Verify all jumper settings – Master/Slave
• Make sure that the imaging system will boot only from CD by
checking the BIOS settings
• Image the disk using dd:
•dd if=/dev/hdx of=image.disk conv=noerror,sync
• This will allow dd to try to ignore any errors (conv=noerror)
and synchronize the output (sync)with the original
Image the disk:

EC-Council
Check for accuracy by comparing md5sum
Mount the disk and extract evidence
Images can be carved using dd or the hex dump tool xxd
(cont’d)

EC-Council
Linux Forensics Tools

EC-Council
Popular Linux Forensics Tools
The Sleuth Kit written by Brian Carrier and maintained at
http://www.sleuthkit.org
Autopsy – HTML front-end for sleuthkit
SMART for Linux- by ASR Data is a commercial data forensics program that
runs on Linux
THE FARMER'S BOOT CD- by farmerdude, is a bootable CD that is oriented
towards previewing of data quickly
Penguin Sleuth - Knoppix based linux distribution with a forensic flavor
Forensix

EC-Council
The Sleuth Kit
The Sleuth Kit is a collection of command line digital
investigation tools
The tools run on Linux, OS X, FreeBSD, OpenBSD, and Solaris
and can analyze FAT, NTFS, UFS, EXT2FS, and EXT3FS
The Autopsy Forensic Browser is an HTML-based
graphical interface for the command line tools in the Sleuth Kit
which makes it much easier and faster to investigate a system
mac-robber is a tool that will collect temporal data from the
mounted file systems
The data can be used to make a timeline of the file’s activity on the
system using tools from The Sleuth Kit

EC-Council
Tools in “The Sleuth kit”
Tool Type Tool’s Name
File System Layer tools fsstat
File Name Layer tools ffind, fls
Meta Data Layer tools icat, ifind, ils , istat
Data Unit Layer tools dcat , dls , dstat, dcalc
File System Journal tools jcat , jls
Media Management tools mmls
Image File tools img_stat, mg_cat
Disk tools disk_sreset, disk_stat
Other tools hfind, mactime, sorter, sigfind

EC-Council
Autopsy
The Autopsy Forensic Browser is a graphical interface to the
command line digital investigation analysis tools in The
Sleuth Kit
Together, they can analyze Windows and UNIX disks and file
systems (NTFS, FAT, UFS1/2, Ext2/3)
The Sleuth Kit and Autopsy are both open source and run on
UNIX platforms
As autopsy is HTML-based, you can connect to the autopsy
server from any platform using an HTML browser
Autopsy provides a "File Manager“ like interface and shows
details about the deleted data and the file system’s structures

EC-Council
The Evidence Analysis
Techniques in Autopsy
File Listing:
• Analyze the files and directories, including the names of the
deleted files and files with Unicode-based names
File Content:
• The contents of files can be viewed in raw, hex, or the ASCII strings
can be extracted
Hash Databases:
• Look up the unknown files in a hash database to quickly identify it
as good or bad
File Type Sorting:
• Sort the files based on their internal signatures to identify files of a
known type
Timeline of the File’s Activity:
• Create timelines that contain entries for the Modified, Access, and
Change (MAC) times of both allocated and unallocated files

EC-Council
The Evidence Analysis
Techniques in Autopsy (cont’d)
Keyword Search:
• Keyword searches of the file system image can be performed using
ASCII strings and grep regular expressions
Meta Data Analysis:
• It allows you to view the details of any meta data structure in the file
system
Data Unit Analysis:
• It allows you to view the contents of any data unit in a variety of
formats including ASCII, hexdump, and strings
Image Details:
• You can view the file system details including on-disk layout and the
time of activity so that it is possible to recover data

EC-Council
Autopsy – File Listing

EC-Council
Autopsy – File Content

EC-Council
Autopsy – Hash Databases

EC-Council
Autopsy – File Type Sorting

EC-Council
Autopsy – Timeline of File
Activity

EC-Council
Autopsy – Keyword Search

EC-Council
Autopsy – Meta Data Analysis

EC-Council
Autopsy – Data Unit Analysis

EC-Council
Autopsy – Image Details

EC-Council
SMART for Linux
SMART is a software utility that has been designed and optimized to support data
forensic practitioners and Information Security personnel in pursuit of their
respective duties and goals
It is known as ‘The Next Generation Data Forensic Tool’
• "Knock-and-talk" inquiries and investigations
• On-site or remote preview of a target system
• Post mortem analysis of a dead system
• Testing and verification of other forensic programs
• Conversion of proprietary "evidence file" formats
• Baselining of a system
Functions of SMART:

EC-Council
Features of SMART for Linux
SMART displays the list of the connected storage devices in the main window list
It uses plugins to do much of the work, and the application itself utilizes a highly modular design
philosophy
It is multi-threaded
Its powerful, flexible acquisition options allow you to create pure bit-image copies and quasi-proprietary
formats that support seekable compression
It can acquire and clone a single source to any number of images and devices simultaneously
It generates information about hashes
It provides the ability to perform real authentication
It gives you an easy interface to Linux mounts and GUI environments such as KDE and GNOME
It enables complex tasks and search result rules to be applied automatically

EC-Council
SMART: Screenshots 1

EC-Council

EC-Council
Penguin Sleuth
The Penguin Sleuth Kit is a bootable Linux
distribution based on KNOPPIX
It is the collection of some useful tools,
including The Coroner’s Toolkit (TCT),
Autopsy, and The Sleuth Kit, as well as
penetration testing and virus scanning tools
It offers a GUI environment as well as the
good old fashion command line
environment fitting the novice user to the
experienced user

EC-Council
Tools Included in Penguin Sleuth
Kit
Tool Name Description
Sleuth Kit Command Line Forensic Tools
Autopsy Part of Sleuth Kit
Foremost Command line data carving tool
Glimpse Command line data indexing and searching tool
Wipe Command line utility to securely wipe hard drives and files
Etherape Visual network monitor
Fenris Multipurpose tracer
Honeyd Command line honeypot program
Snort Command line network intrusion tool
Dsniff Command Line network auditing and penetration testing tools
John The Ripper Command Line Password Cracking tool
Nikto Webserver scanner

EC-Council
Kit (cont’d)
Nbtscan Command-line tool that scans for open NETBIOS nameservers
Xprobe Command line remote operating system fingerprinting tool
Ngrep Command line Network grep Function
Nemesis Command Line network packet injector
Fragroute Command line network intrusion testing tool
Fping Command line multiple host ping utility
TCPtraceroute Command line traceroute TCP packages
TCPReplay Command line utility that replays a TCP dump
Nessus Graphical Security Scanner
Ethereal Graphical Network analyzer
Netcat Command line tool to read and write over network
TCPdump Command line tool that dumps network traffic

EC-Council
Kit (cont’d)
Hping2 Command line packet assembler / analyzer
Ettercap Command line sniffer / interceptor / logger for Ethernet networks
Openssh Secure remote connection utility
Kismet Graphical wireless network sniffer
AirSnort Graphical wireless network intrusion tool
GPG Encryption utility
OpenSSL Secure remote connection utility
Lsof Command line utility that lists all open files
Hunt Command line TCP / IP exploit scanner
Stunnel SSL connection package
ARPwatch Command line Ethernet monitor
Dig Command line tool for querying domain name servers
Chkrootkit Looks for signs of root kit

EC-Council
THE FARMER'S BOOT CD (The
FBCD)
FBCD allows you to examine storage media directly from Linux
Boot any x86 system and mount file systems in a forensically sound
manner (including journaled file systems)
Previews data safely using a single, unified graphical user interface
(GUI)
Is designed and optimized for previewing, authenticating, acquiring,
and analyzing media

EC-Council
THE FARMER'S BOOT CD (The
FBCD) (cont’d)
• It supports the greatest amount of hardware in the widest range of
cases
• It minimizes its footprint on the system, saving memory (RAM) for
critical processes and tasks
• Every included application is already configured for data forensics
so that there is no need to change settings or wonder about
configuration parameters
THE FARMER'S BOOT CD is configured such
that:

EC-Council
Delve: Screenshots
Delve, the
proprietary preview
program found on
THE FARMER'S
BOOT CD
DEVICES tab is used to mount file systems (truly read-only).
Right-click on any file system to view the available options
(depends upon the mount ‘status) as shown in the right hand
side

EC-Council
Delve: Screenshots
PAGEFILE tab is used to identify email and URLs
in the Windows “pagefile.sys” file
.URL output :

EC-Council
Delve: Screenshots
WINDOWS LOGS tab is used to identify key log files of
interest on Windows systems and open a pop-up window as
shown in the right hand side, allowing you to click on files of
interest for viewing

EC-Council
Delve: Screenshots
WEB HISTORY tab is used to
identify the web browser ‘s cache files
and extract cookie and history
information as shown in the two
output files:

EC-Council
Delve: Screenshots
CATALOG tab is used to
identify and catalog files
of interest by extension
or header. Found files
may be copied, opened,
or a file listing dumped

EC-Council
Delve: Screenshots
LINUX LOGS tab is used to identify key log files on Linux systems
and open a pop-up window as shown in the right hand side, allowing
you to click on files of interest for viewing

EC-Council
Delve: Screenshots
DATE CONVERTER tab is used to convert date and times from
one format to many other formats

EC-Council
Delve: Screenshots
GRAPHICS VIEWER tab is used to identify graphics files and open a
viewer for found files

EC-Council
Delve: Screenshots
MISC menu option provides miscellaneous utilities, including dumping hard drive
information, dumping the system BIOS tables, dumping an inventory of hardware, etc.

EC-Council
Forensix
The goal of the Forensix ("4N6") Project is to allow a system to be monitored so
that, in the event of a security compromise, it is easy to track the compromise back
to its source and recover from it
It performs a complete kernel event audit on the target system and streams the
high-definition audit trail to a backend database that has been optimized for
reconstruction queries
• Accurately replays any and all system compromises
• Determines what specific data (such as credit card numbers) has been
accessed on the system as a result of a compromise
• Automatically determines what modifications have been made to a system by
an illicit user
• Selectively "undo"-ing illicit system modifications
Functions:

EC-Council
Tool: Maresware
Linux Forensics provides tools for investigating computer records while
running the LINUX operating system on Intel processors
Maresware is useful to all types of investigators, including law
enforcement, intelligence agency, private investigator, and corporate
internal investigator
This software enables discovery of evidence for using in criminal or civil
legal proceedings

EC-Council
Major Programs Present in
Maresware
Program Description
Bates_no
A unique program for adding identifying numbers to filenames
in e-documents
Catalog
Catalogues every file on a Linux file system and identifies
headers
Hash Performs MD5 (CRC, or SHA) hash of every file on a drive
Hashcmp Compares outputs of successive hash runs
Md5 Calculates MD5 hash of a file
Strsrch Searches files for text strings
U_to_A Converts *ix text to DOS text

EC-Council
Tool: Captain Nemo
Widely used by law enforcement personnel, forensic investigators, as well
as network administrators.
Captain Nemo enables you to access any Linux drive from your Windows
computer without requiring a network setup
Just connect the Linux drive to your machine and Captain Nemo will let
you mount your Linux partitions in Windows
You can read, search, and view all your Linux files and copy them to your
Windows drive
It supports ext2fs and ext3fs

EC-Council
Captain Nemo: Screenshot

EC-Council
The Coroner’s Toolkit (TCT)
TCT is a collection of programs
In TCT, grave-robber tool captures information
The ils and mactime tools display access patterns of files dead or
alive
The unrm and lazarus tools recover the deleted files
The findkey tool recovers cryptographic keys from a running
process or from files

EC-Council
Tool: FLAG
FLAG is used for the log file analysis and forensic investigations
It uses a database as a backend to assist in managing the large volumes of data
Features of FLAG:
• FLAG supports generic firewall logs
• It collects information about the log and searches for suspicious activity
Log analysis:
• It uses the dissected information to construct a knowledge base of different entities on
the network
Network Forensics:
• It uses the Sleuth Kit tool to analyze dd images
Disk Forensics

EC-Council
FLAG: Screenshot
Figure: FLAG Listening ports

EC-Council
FLAG: Screenshot
Figure: FLAG connecting to port 80

EC-Council
Tool: md5deep
md5deep is a cross-platform set of programs to compute MD5, SHA-
1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary
number of files
Features of md5deep:
• Recursive operation: md5deep is able to recursive examine an entire
directory tree
• Comparison mode: It computes the MD5 for every file in a directory and
for every file in every subdirectory
• Time estimation: It can produce a time estimate when it is processing
large files

EC-Council
Tool: TestDisk
TestDisk help to recover lost partitions and/or make non-booting
disks bootable again
• Fix partition table, recover deleted partition
• Recover FAT32 boot sector from its backup
• Rebuild FAT12/FAT16/FAT32 boot sector
• Fix FAT tables
• Rebuild NTFS boot sector
• Recover NTFS boot sector from its backup
• Copy files from the deleted FAT, NTFS, and ext2/ext3 partitions
Functions:

EC-Council
Tool: Vinetto
Vinetto is a forensics tool to examine Thumbs.db files
It extracts the related thumbnails to a directory
It gets a metadata report on all non deleted Thumbs.db files
contained within a partition
Syntax:
• vinetto [OPTIONS] [-s] [-U] [-o DIR] file

EC-Council
Summary
Linux imparts greater control, flexibility, and power as a forensics tool
Linux has a number of simple utilities that make imaging and basic
analysis of the suspect disks and drives easier
Linux cannot identify the last sector on hard drives with an odd number
of sectors
There are several popular Linux tool kits that provide GUI as well for
convenience

EC-Council

File000127

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to File000127

Similar to File000127 (20)

More from Desmond Devendran

More from Desmond Devendran (20)

Recently uploaded

Recently uploaded (20)

File000127