DATA64-linux Forensics

Published in: Engineering, Technology

  • 1. Linux Forensics: Understanding the basics of Linux as a forensic tool. By Catalyst.
  • 2. Contents
    • Linux basics
    • Linux command line
    • SANS Investigative Forensic Toolkit (SIFT)
    • Linux and forensics
    • Forensic tools: md5deep, Bless hex editor, Digital Forensics Framework
  • 3. Linux basics
    • 1969: C and the Unix OS.
    • GNU?
    • 1991: Linus Torvalds contributes a kernel named Linux.
    • Desktop environments: GNOME, KDE, XFCE.
  • 4. SIFT
    • SANS Investigative Forensic Toolkit.
    • Based on Ubuntu.
    • Free to use (GPL licensed).
    • Preconfigured tools to perform forensics.
    • Tools: Autopsy, DFF (Digital Forensic Framework), Bless hex editor, EVTX event log viewer, Maltego, PTK, md5deep, SANS cheat sheets, Volatility.
  • 5. Linux and forensics: built-in forensic tools in SIFT (SANS Investigative Forensic Toolkit)
    • dd: copies from an input file or device to an output file or device; simple bit-stream imaging.
    • grep: searches a file (or multiple files) for instances of an expression or pattern.
    • sfdisk and fdisk: used to determine the disk structure.
    • md5sum and sha1sum: create and store an MD5 or SHA hash of a file or list of files (including devices).
    • file: reads a file's header information in an attempt to ascertain its type, regardless of name or extension.
    • xxd: command-line hex dump tool, for viewing a file in hex mode.
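The dd / md5sum / sha1sum / file workflow from slide 5, as an added Python example that is not part of the slides and does not call the SIFT tools: it images a constructed "device" file block by block, proves the copy is bit-identical with both hashes, and identifies the file type from its header rather than its name. Function names, the `MAGIC` table and the sample data are all assumptions made for this example.

```python
# Added example (not from the slides): a pure-Python stand-in for the
# dd / md5sum / sha1sum / file workflow on slide 5, so it runs without SIFT.
# The "device" it images is a constructed temp file, not a real disk.
import hashlib
import os
import tempfile

# A constructed subset of the header signatures file(1) recognises.
MAGIC = {b"\x7fELF": "ELF", b"\x89PNG\r\n\x1a\n": "PNG",
         b"PK\x03\x04": "ZIP", b"%PDF-": "PDF"}


def bit_stream_copy(src, dst, bs=512):
    """Like `dd if=src of=dst bs=512`: copy blocks verbatim, return byte count."""
    total = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while block := fin.read(bs):
            fout.write(block)
            total += len(block)
    return total

def digests(path, bs=1 << 16):
    """md5sum and sha1sum in one streamed pass, so large images fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        while block := f.read(bs):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()

def identify(path):
    """file(1)-style: decide the type from the header, never from the name."""
    with open(path, "rb") as f:
        head = f.read(8)
    return next((n for m, n in MAGIC.items() if head.startswith(m)), "data")

def image_and_verify(src, dst):
    """Image src to dst, then prove the copy is bit-identical via both hashes."""
    copied = bit_stream_copy(src, dst)
    return copied == os.path.getsize(src) and digests(src) == digests(dst)

def demo():
    """Constructed scenario: a 'device' holding PNG data under a .txt name."""
    tmp = tempfile.mkdtemp()
    src, dst = os.path.join(tmp, "evidence.txt"), os.path.join(tmp, "evidence.dd")
    with open(src, "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n" + os.urandom(1500))   # spans 3 dd blocks
    return identify(src), image_and_verify(src, dst), identify(dst)
```

Hashing the source device and the image separately, as `image_and_verify` does, is the check that shows the image is usable as evidence; the `.txt` name is ignored by `identify`, just as `file` ignores extensions.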
  • 6. md5deep
    • Command-line utility.
    • Used for calculating hashes.
    • Comparing hashes.
    • Recursive operation: computes the MD5 for every file in a directory and for every file in every subdirectory.
    • Piecewise hashing.
    • File type mode.
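The three md5deep behaviours listed on slide 6 (recursive hashing, piecewise hashing, and comparing against a set of known hashes), as an added Python reimplementation that is not md5deep's own code; the directory tree, file contents and function names are constructed for this example.

```python
# Added example (not md5deep's own code): the md5deep behaviours named on
# slide 6, recursion (-r), piecewise hashing (-p) and match mode (-m),
# reimplemented in Python and run over a constructed directory tree.
import hashlib
import os
import tempfile


def file_hash(path, algo="md5", bs=1 << 16):
    """Streamed digest of one file; `algo` is any hashlib name (md5, sha1...)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        while block := f.read(bs):
            h.update(block)
    return h.hexdigest()

def hash_tree(root, algo="md5"):
    """md5deep -r: {relative path: digest} for every file in every subdir."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = file_hash(full, algo)
    return out

def piecewise(path, piece=4096, algo="md5"):
    """md5deep -p: one digest per fixed-size piece, tagged with its byte range,
    so damage to a large image is localised to a piece, not just detected."""
    pieces, offset = [], 0
    with open(path, "rb") as f:
        while chunk := f.read(piece):
            end = offset + len(chunk) - 1
            pieces.append((offset, end, hashlib.new(algo, chunk).hexdigest()))
            offset = end + 1
    return pieces

def match_known(root, known, algo="md5"):
    """md5deep -m: paths whose digest appears in a known-hash set, in any subdir."""
    return sorted(p for p, d in hash_tree(root, algo).items() if d in known)

def demo():
    """Constructed tree: one known file, a renamed copy in a subdir, one other."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "sub"))
    body = b"A" * 5000                      # spans two 4096-byte pieces
    for rel, data in (("tool.bin", body), ("sub/renamed.dat", body), ("notes.txt", b"x")):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    known = {hashlib.md5(body).hexdigest()}
    return match_known(root, known), len(piecewise(os.path.join(root, "tool.bin")))
```

Match mode finds the renamed copy in the subdirectory because it compares content hashes, not names.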
  • 7. Bless hex editor
    • Bless is a high quality, full featured hex editor.
    • It is written in Mono/Gtk# and its primary platform is GNU/Linux.
    • Features:
      • Efficient editing of large data files and block devices.
      • Multilevel undo/redo operations.
      • Customizable data views.
      • Fast data rendering on screen.
      • Multiple tabs.
      • Fast find and replace operations.
      • A data conversion table.
      • Advanced copy/paste capabilities.
      • Highlighting of selection pattern matches in the file.
      • Plugin based architecture.
      • Export of data to text and HTML (others with plugins).
      • Bitwise operations on data.
      • A comprehensive user manual.
  • 8. Bless hex editor: main window (open Bless)
    • Menubar: the menus on the menubar contain all of the commands you need to work with files in Bless.
    • Toolbar: provides shortcuts to the commands that are most frequently used when working with files in Bless.
    • Data view: the data view contains multiple tabs that display the data of the files you are editing.
    • Conversion table: the conversion table displays the bytes at the current file position converted to various formats.
    • Statusbar: the statusbar displays information about current Bless activity and information about the current file.
  • 9. Bless hex editor: data view areas
    • Offset area: displays the offset of the first byte at the specified row.
    • Separator area: displays a vertical separator line.
    • Hexadecimal area: displays the data in hexadecimal number base.
    • Decimal area: displays the data in decimal number base.
    • Octal area: displays the data in octal number base.
    • Binary area: displays the data in binary number base.
    • ASCII area: displays the data as ASCII text.
  • 10. Bless hex editor: selecting the active area
    • At any time only one of the areas accepts and handles editing events.
    • This area is said to have the focus.
    • All areas except Offset and Separator may have the focus.
    • The cursor in the focused area consists of a horizontal line under the current byte and a vertical line just before the active digit of the current byte.
  • 11. Bless hex editor: editing a file
    • Moving the cursor to a specific position: to access the Go to Offset bar use Search → Go to Offset (Ctrl+G).
    • Selecting a range of data: to access the Select Range bar use Edit → Select Range (Ctrl+Shift+R).
    • Searching in files: to access the Search bar use Search → Find (Ctrl+F).
  • 12. Bless hex editor: replacing and exporting
    • Replacing in files: to access the Replace bar use Search → Replace (Ctrl+R).
    • Exporting data: it can currently export data to text or HTML files.
  • 13. Bless hex editor: performing bitwise operations
    • To access the Bitwise Operations bar use Tools → Bitwise Operations (Ctrl+B).
    • Available operations: AND, OR, XOR, NOT.
  • 14. Digital Forensics Framework (DFF)
    • Digital investigation tool and development platform.
    • Written in Python and C++.
    • Extracts, analyzes and correlates data of different files from data acquired on digital media, such as hard disk drives, RAM or cell phone memory.
    • It can also be used to recover deleted data.
  • 15. Launch DFF by clicking on the DFF icon, or launch it from the command line with the -g option.
  • 16. Application toolbar.
  • 17. Project browser: tree view area, data display area, data attributes area.
  • 18. DFF shell: Python shell.
  • 19. Modules
    • Modules are used to perform a specific kind of task.
    • A module can take several input parameters:
      • The path to a file, node or directory.
      • The type of file to analyze.
      • Options specific to the module or to the type of the analyzed data.
  • 20. Autopsy
    • GUI front end for The Sleuth Kit.
    • Open source forensic browser.
    • Analyzes Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3, etc.).
    • Autopsy 3 is Java-based and designed to be an end-to-end platform for digital forensics.
  • 21. Autopsy: the Autopsy browser.
  • 22. Autopsy: open a new case by clicking “New Case”.
  • 23. Autopsy: give the location of the forensic image.
  • 24. Autopsy: calculate MD5 hashes, also using Autopsy.
  • 25. Autopsy: Autopsy lists all of the file system details and the mmls tool (command line) output for us.
  • 26. Autopsy: click on “Analyze”.
  • 27. Autopsy: analyze the desired partition.