DATA64-linux Forensics
  1. Linux Forensics
     Understanding the basics of Linux as a forensic tool
     [*] by Catalyst

  2. Content
     • Linux Basics
     • Linux Command line
     • SANS Investigative Forensic Toolkit
     • Linux and Forensics [SIFT]
     • Forensic Tools
     • Md5deep
     • Bless Hex Editor
     • Digital Forensic Toolkit

  3. Linux Basics
     • 1969: C and the Unix OS.
     • GNU?
     • 1991: Linus Torvalds contributes a kernel named Linux.
     • GNOME, KDE, XFCE.

  4. SIFT
     • SANS Investigative Forensic Toolkit.
     • Based on Ubuntu.
     • Free to use [GPL licensed].
     • Preconfigured tools to perform forensics.
     TOOLS: Autopsy, DFF – Digital Forensic Framework, Bless Hex Editor, EVTX – Event Log Viewer, Maltego, PTK, Md5deep, SANS Cheatsheets, Volatility

  5. Linux and Forensics
     Built-in forensics tools in SIFT (SANS Investigative Forensic Toolkit):
     • dd: copies from an input file or device to an output file or device; simple bit-stream imaging.
     • grep: searches a file (or multiple files) for instances of an expression or pattern.
     • sfdisk and fdisk: used to determine the disk structure.
     • md5sum and sha1sum: create and store an MD5 or SHA hash of a file or list of files (including devices).
     • file: reads a file's header information in an attempt to ascertain its type, regardless of name or extension.
     • xxd: command-line hex dump tool, for viewing a file in hex mode.
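The dd / md5sum / file / xxd / grep workflow that slide 5 lists, as an added shell example (it is not from the slides and not SIFT's own code): a constructed evidence file is imaged bit-for-bit with dd, the image is verified against the source with md5sum and sha1sum, identified by its header with file, dumped with xxd (falling back to od where xxd is absent) and searched with grep. The evidence file, the string "case-042" and all helper function names are assumptions made for the demo; a real acquisition would read a block device rather than a file.

```shell
#!/bin/sh
# Added example, not from the slides: bit-stream imaging with dd, hash
# verification, type identification and a hex view, run on a constructed
# evidence file instead of a real block device.
set -eu

# Print the MD5 of a file (md5sum prints "hash  path"; keep the first field).
hash_file() {
    md5sum "$1" | cut -d' ' -f1
}

# Print the SHA-1 of a file.
sha1_file() {
    sha1sum "$1" | cut -d' ' -f1
}

# Write a constructed sample "evidence" file into directory $1 and print its path.
# It starts with a PNG signature so that `file` identifies it by header, not name.
make_evidence() {
    ev="$1/evidence.bin"
    printf '\211PNG\r\n\032\n' > "$ev"           # 8-byte PNG signature (constructed)
    printf 'case-042 sample payload\n' >> "$ev"   # constructed text to grep for
    printf '%s\n' "$ev"
}

# Bit-stream copy of $1 to $2. On a real device with unreadable sectors add
# conv=noerror,sync so bad blocks are zero-filled instead of shifting every
# later offset; this regular file needs no padding, so the hashes must match.
image_device() {
    dd if="$1" of="$2" bs=4096 2>/dev/null
}

# Compare source and image by MD5 and SHA-1; print MATCH or MISMATCH.
verify_image() {
    if [ "$(hash_file "$1")" = "$(hash_file "$2")" ] &&
       [ "$(sha1_file "$1")" = "$(sha1_file "$2")" ]; then
        echo MATCH
    else
        echo MISMATCH
    fi
}

# Count lines of file $1 containing pattern $2 (-a treats binary data as text;
# grep -c exits 1 when the count is 0, which is still a valid answer here).
count_pattern() {
    grep -a -c -- "$2" "$1" || true
}

# Show the first $2 bytes of $1 in hex, preferring xxd and falling back to od.
hexview() {
    if command -v xxd >/dev/null 2>&1; then
        xxd -l "$2" "$1"
    else
        od -A x -t x1 -N "$2" "$1"
    fi
}

WORK=$(mktemp -d)
SRC=$(make_evidence "$WORK")
IMG="$WORK/evidence.dd"

image_device "$SRC" "$IMG"
echo "md5  $(hash_file "$IMG")"
echo "sha1 $(sha1_file "$IMG")"
echo "verification: $(verify_image "$SRC" "$IMG")"
if command -v file >/dev/null 2>&1; then
    file "$IMG"      # identified from the PNG signature, not from the .dd name
fi
hexview "$IMG" 32
echo "lines matching case-042: $(count_pattern "$IMG" case-042)"
rm -rf "$WORK"
```

The hashes are taken on the image rather than on the evidence file's name or extension, which is the same check you would run between a device and its image: if MISMATCH is ever printed, the image is not a faithful copy and cannot be relied on.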
  6. Md5deep
     • Command-line utility.
     • Used for calculating hashes.
     • Comparing hashes.
     • Recursive operation: computes the MD5 for every file in a directory and for every file in every subdirectory.
     • Piecewise hashing.
     • File type mode.
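Slide 6's three md5deep modes (recursive hashing, comparing against a known-hash list, and piecewise hashing) rebuilt from plain coreutils, as an added shell example that is not from the slides and is not md5deep's own code. The directory tree, the file names and the known-hash list "known.md5" are constructed for the demo; the output formats imitate md5deep -r, -m and -p but are this example's own choice.

```shell
#!/bin/sh
# Added example, not from the slides: md5deep-style recursive, matching and
# piecewise hashing built from find, md5sum, dd and awk, run over a
# constructed directory tree.
set -eu

# Recursive mode: one "hash  path" line per regular file under $1, sorted by
# path (what md5deep -r produces).
hash_tree() {
    find "$1" -type f | sort | while IFS= read -r f; do
        md5sum "$f"
    done
}

# Matching mode: print the paths under $2 whose MD5 appears in the known-hash
# list $1 (first field of each line), like md5deep -m.
find_matches() {
    hash_tree "$2" | awk 'NR == FNR { known[$1] = 1; next }
                          ($1 in known) { sub(/^[^ ]+  /, ""); print }' "$1" -
}

# Piecewise mode: hash $1 in blocks of $2 bytes and print
# "hash  path offset start-end" per block (the last block may be shorter).
piecewise_hash() {
    pw_file=$1
    pw_bs=$2
    pw_size=$(wc -c < "$pw_file" | tr -d ' ')
    pw_i=0
    while [ $((pw_i * pw_bs)) -lt "$pw_size" ]; do
        pw_start=$((pw_i * pw_bs))
        pw_end=$((pw_start + pw_bs))
        if [ "$pw_end" -gt "$pw_size" ]; then
            pw_end=$pw_size
        fi
        pw_hash=$(dd if="$pw_file" bs="$pw_bs" skip="$pw_i" count=1 2>/dev/null |
                  md5sum | cut -d' ' -f1)
        printf '%s  %s offset %d-%d\n' "$pw_hash" "$pw_file" "$pw_start" $((pw_end - 1))
        pw_i=$((pw_i + 1))
    done
}

# Constructed tree: nested directories, the same bytes stored under two names,
# an unrelated file, and a known-hash list that flags that content.
make_tree() {
    mkdir -p "$1/docs/archive"
    printf 'hello\n' > "$1/docs/readme.txt"
    printf 'hello\n' > "$1/docs/archive/readme.old"     # same bytes, different name
    printf 'unrelated content\n' > "$1/docs/notes.txt"
    printf 'b1946ac92492d2347c6235b4d2611184  flagged-document\n' > "$1/known.md5"
}

WORK=$(mktemp -d)
make_tree "$WORK"
echo "== recursive =="
hash_tree "$WORK/docs"
echo "== matches against known.md5 =="
find_matches "$WORK/known.md5" "$WORK/docs"      # both copies of hello, not notes.txt
echo "== piecewise, 6-byte blocks =="
printf 'hello\nhello\nhel' > "$WORK/chunks.bin"   # 15 bytes: two full blocks + 3
piecewise_hash "$WORK/chunks.bin" 6
rm -rf "$WORK"
```

Matching works on content, not names, so a renamed copy is still found; piecewise hashing shows why it is useful on large or partly damaged media: identical blocks produce identical hashes, and a single corrupted block changes only its own line rather than the hash of the whole file.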
  7. Bless Hex Editor
     • Bless is a high-quality, full-featured hex editor.
     • It is written in Mono/Gtk# and its primary platform is GNU/Linux.
     • Features:
       • Efficient editing of large data files and block devices.
       • Multilevel undo/redo operations.
       • Customizable data views.
       • Fast data rendering on screen.
       • Multiple tabs.
       • Fast find and replace operations.
       • A data conversion table.
       • Advanced copy/paste capabilities.
       • Highlighting of selection pattern matches in the file.
       • Plugin-based architecture.
       • Export of data to text and HTML (other formats with plugins).
       • Bitwise operations on data.
       • A comprehensive user manual.

  8. Bless Hex Editor: Open Bless
     • Menubar: The menus on the menubar contain all of the commands you need to work with files in Bless.
     • Toolbar: Provides shortcuts to the commands that are most frequently used when working with files in Bless.
     • Data View: The data view contains multiple tabs that display the data of the files you are editing.
     • Conversion Table: The conversion table displays the bytes at the current file position converted to various formats.
     • Statusbar: The statusbar displays information about current Bless activity and about the current file.

  9. Bless Hex Editor
     • Offset Area: Displays the offset of the first byte at the specified row.
     • Separator Area: Displays a vertical separator line.
     • Hexadecimal Area: Displays the data in hexadecimal number base.
     • Decimal Area: Displays the data in decimal number base.
     • Octal Area: Displays the data in octal number base.
     • Binary Area: Displays the data in binary number base.
     • ASCII Area: Displays the data as ASCII text.

  10. Bless Hex Editor: Selecting the active area
     • At any time only one of the areas accepts and handles editing events.
     • This area is said to have the focus.
     • All areas except Offset and Separator may have the focus.
     • The cursor in the focused area consists of a horizontal line under the current byte and a vertical line just before the active digit of the current byte.

  11. Bless Hex Editor: Editing a file
     • Moving the cursor to a specific position: to access the Go to Offset Bar use Search → Go to Offset (Ctrl+G).
     • Selecting a range of data: to access the Select Range Bar use Edit → Select Range (Ctrl+Shift+R).
     • Searching in files: to access the Search Bar use Search → Find (Ctrl+F).

  12. Bless Hex Editor
     • Replacing in files: to access the Replace Bar use Search → Replace (Ctrl+R).
     • Exporting data: it can currently export data to text or HTML files.

  13. Bless Hex Editor: Performing bitwise operations
     To access the Bitwise Operations Bar use Tools → Bitwise Operations (Ctrl+B). Available operations:
     • AND
     • OR
     • XOR
     • NOT
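The four operations of slide 13 (AND, OR, XOR, NOT) applied to a selected byte range, done from the command line instead of the Bless toolbar, as an added shell example that is not from the slides and not Bless's own code. Bytes are read with od, transformed with POSIX shell arithmetic, and written into a copy with dd and printf, so the original file is never touched. The sample file, the operand values and the function names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the slides: the AND/OR/XOR/NOT operations Bless
# applies to a selected byte range, done with od, shell arithmetic and dd on a
# constructed file.
set -eu

# Print, one per line as decimal values, the bytes [start, start+len) of file $1
# after applying operation $2 (AND, OR, XOR or NOT) with hex operand $3.
#   $1 file  $2 op  $3 operand (hex, e.g. 20)  $4 start offset  $5 length
bitwise_values() {
    bv_k=$((0x$3))
    od -A n -t u1 -v -j "$4" -N "$5" "$1" | tr -s ' ' '\n' | sed '/^$/d' |
    while read -r b; do
        case $2 in
            AND) echo $((b & bv_k)) ;;
            OR)  echo $((b | bv_k)) ;;
            XOR) echo $((b ^ bv_k)) ;;
            NOT) echo $(((~b) & 255)) ;;   # operand ignored; keep 8 bits only
            *)   echo "unknown op: $2" >&2; exit 2 ;;
        esac
    done
}

# Same arguments as bitwise_values; print the result as a lowercase hex string,
# which is what the Hexadecimal Area would show after the operation.
bitwise_op() {
    bitwise_values "$@" | while read -r v; do printf '%02x' "$v"; done
    echo
}

# Same first five arguments; write a copy of the file to $6 in which only the
# selected range has been replaced by the operation's result (the source stays
# unmodified, as an evidence copy should).
apply_bitwise() {
    {
        dd if="$1" bs=1 count="$4" 2>/dev/null            # bytes before the range
        bitwise_values "$@" | while read -r v; do         # transformed range
            printf "\\$(printf '%03o' "$v")"              # octal escape: portable
        done
        dd if="$1" bs=1 skip=$(($4 + $5)) 2>/dev/null     # bytes after the range
    } > "$6"
}

WORK=$(mktemp -d)
printf 'hello\n' > "$WORK/sample.bin"                     # constructed input
echo "XOR 0x20 over bytes 0-4: $(bitwise_op "$WORK/sample.bin" XOR 20 0 5)"
echo "AND 0x0f over byte 0:    $(bitwise_op "$WORK/sample.bin" AND 0f 0 1)"
echo "OR  0x01 over byte 0:    $(bitwise_op "$WORK/sample.bin" OR 01 0 1)"
echo "NOT      over byte 0:    $(bitwise_op "$WORK/sample.bin" NOT 00 0 1)"
apply_bitwise "$WORK/sample.bin" XOR 20 0 5 "$WORK/sample.xor"
echo "copy after XOR 0x20:     $(cat "$WORK/sample.xor")"   # case flipped: HELLO
rm -rf "$WORK"
```

XOR with 0x20 flips the case of ASCII letters, which makes it an easy way to see that the operation touched exactly the selected range and nothing else; the same helper applied with an analyst-supplied operand is how a simple single-byte masking seen in a sample is reversed for inspection.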
  14. Digital Forensics Framework [DFF]
     • Digital investigation tool and a development platform.
     • Written in Python and C++.
     • Extracts, analyzes and correlates data from different files acquired from digital media, such as hard disk drives, RAM or cell phone memory.
     • It can also be used to recover deleted data.

  15. Launch DFF
     Click on the DFF icon, or launch it from the command line:
     dff.py -g

  16. Application Toolbar

  17. Project browser
     • Tree View Area
     • Data display area
     • Data attributes area

  18. DFF Shell: Python shell

  19. Modules
     • Modules are used to perform a specific kind of task.
     • A module can take several input parameters:
       • The path to a file, node or directory.
       • The type of file to analyze.
       • Options specific to the module or to the type of the analyzed data.
  20. AUTOPSY
     • GUI front end for The Sleuth Kit.
     • Open source.
     • Forensic browser.
     • Analyzes Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3, etc.).
     • Autopsy 3 is Java-based and designed to be an end-to-end platform for digital forensics.

  21. AUTOPSY: Autopsy Browser

  22. AUTOPSY
     • Open a new case by clicking "New Case".

  23. AUTOPSY
     • Give the location of the forensic image.

  24. AUTOPSY
     • Calculate MD5 hashes, also using Autopsy.

  25. AUTOPSY
     • Autopsy lists all of the file system details and the output of the mmls tool (command line) for us.

  26. AUTOPSY
     • Click on "Analyze".

  27. AUTOPSY
     • Analyze the desired partition.
