Deft v7

  1. Deft v7 Computer Forensics Tony Godfrey Falconer Technologies Ohio HTCIA – Salt Fork 2013
  2. Hello & Welcome
  3. Who? Tony Godfrey is the CEO / Linux Consultant of Falconer Technologies. He founded his company in 2003 and is now 100% focused on Linux. Tony has written several articles on security administration, contributes to Linux forums and publications, written technical content for Linux Administration, and technical review on a Mark Sobell Linux book. He also teaches topics covering Linux, Securing Linux, Network/WAN integration, Cisco routers, Cybercrime and System Forensics.
  4. A “live” environment? The term "live" derives from the fact that these "distros", or software distributions, each contain a complete, functioning and operational operating system on the distribution medium. A live distro does not alter the operating system or files already installed on the computer hard drive unless instructed to do so. Live distros often include mechanisms and utilities for more permanent installation, including disk partitioning tools.
  5. A “live” environment? The default option, however, is to allow the user to return the computer to its previous state when the live distro is ejected and the computer is rebooted. It is able to run without permanent installation by placing the files that typically would be stored on a hard drive into RAM, typically in a RAM disk. However, this does cut down on the RAM available to applications, reducing performance somewhat. Certain live distros run a graphical user interface in as little as 32MB RAM.
  6. Linux “Distro” A “distro” is a Linux distribution. This means someone has taken an existing platform and custom tailored it to fulfill a unique need. Debian is a core distribution (like Slackware or Gentoo). Ubuntu (ease of use) and Knoppix (the network administrator’s Swiss Army knife) are off-shoots of Debian.
  7. So….what is Lubuntu? The objective of the Lubuntu project is to create a variant of Ubuntu that is lighter, less resource hungry and more energy-efficient by using lightweight applications and LXDE, the Lightweight X11 Desktop Environment, as its default GUI. This makes it perfect for Deft.
  8. Are there other ones? Deft http://www.deftlinux.net/ Qubes-OS http://www.qubes-os.org/trac Pentoo http://www.pentoo.ch/ Lightweight Portable Security http://www.spi.dod.mil/lipose.htm
  9. Are there other ones? CAINE http://www.caine-live.net/ SMART http://www.asrdata.com/forensic-software/smart-linux/ Paladin http://sumuri.com/index.php/joomla/what-is-paladin-forensic-software
  10. SD Cards? Secure Digital (SD) is a non-volatile memory card format developed by many manufacturers for use in portable devices. Today it is widely used in digital cameras, handheld computers, Media Players, mobile phones, GPS receivers, and video game consoles. Standard SD card capacities range from 4 MB to 4 GB, and for high capacity SDHC cards from 4 GB to 32 GB as of 2008. The SDXC (eXtended Capacity), a new specification announced at the 2009 CES, will allow for 2 TB capacity cards.
  11. SD Cards?
  12. Which is better? Memory card interfaces are rated about 15k-20k duty cycles (assume you remove and reinsert once a day until it gives up the ghost, about 40 to 50 years). The USB interface is rated between 1-5k cycles (3-15 years).
  13. Welcome to Deft version 7 http://www.deftlinux.net/
  14. What does “deft” mean? Dexterous Nimble Skillful Clever
  15. Version 7….Version 8? The Deft Team announced in February 2013 that Version 8 would be out within the next few months.
  16. Deft
  17. What is Deft? The “DEFT team” is pleased to announce the release of the stable version of DEFT 7, the first toolkit able to perform Computer Forensics, Mobile Forensics, Network Forensics, Incident Response and Cyber Intelligence.
  18. What is in it? A GNU/Linux based system optimized for Computer Forensics and Cyber Intelligence activities, installable or able to run in live mode. DART (Digital Advanced Response Toolkit) is a graphical user interface that handles, in a safe environment, the execution of “Incident Response” and Live Forensics tools.
  19. More stuff… DEFT 7 is based on the new Kernel 3 (Linux side) and the DART (Digital Advanced Response Toolkit) with the best freeware Windows Computer Forensic tools. It’s a new concept of Computer Forensic system that uses LXDE as desktop environment, WINE to execute Windows tools under Linux, and mount manager as the tool for device management.
  20. More stuff… It is a very professional and stable system that includes excellent hardware detection and the best free and open source applications dedicated to Incident Response, Cyber Intelligence and Computer Forensics. DEFT is meant to be used by the Military, Police, Investigators, IT Auditors and Individuals. DEFT is 100% made in Italy.
  21. What is in it? Please take a look at the NOTES section of this slide
  22. An overview of the tools. Analysis Tools: Autopsy forensics browser, Bulk extractor, Catfish, DFF, Emule Forensic, Findwild, Hex Editor, Outguess, Pasco, PTK, Readpst, Rifiuti2, SQLite database browser, Trid, Vinetto. Antimalware tools: Chkrootkit, Rkhunter, Virus Scanner. Carving tools: Foremost, Hb4most, Photorec, Scalpel, Test Disk. Hashing tools: Dhash 2, Md5deep, md5sum, Sha1deep, Sha1sum, Sha256deep, Sha256sum, Sha512sum. Imaging tools: Cylone, Dc3dd, Dcfldd, Ddrescue, Dd rescue, Dhash 2, Guymager. Mobile Forensics: Bbwhatsapp, BitPim, SQLite database browser. Network Forensics: Ettercap, Nmap, Wireshark, Xplico, Xprobe 2. OSINT tools: Creepy, Maltego. Password recovery: Cupp, Fcrackzip, Hydra, John the ripper, Pdfcrack. Reporting tools: Desktop recorder, KeepNote, Maltego CE, SciTE Text Editor. Disk Utility: File Manager, Midnight Commander, Mount ewf, MountManage, Wipe, Xmount.
  23. Deft Linux Boot Screen
  24. Text Mode / GUI
  25. Linux Menu
  26. File Manager
  27. Forensics - BitPIM
  28. KeepNote
  29. Maltego
  30. Digital Forensics Framework
  31. iPhone Analyzer
  32. Hydra Password Cracker
  33. DART
  34. Let’s get started with an installation Installation Time!
  35. Hold Up! Installation Type: there are different methods of installing it to a USB flashie, hard drive, or virtual environment.
  36. Three Methods. #1: We can install Deft so it will either overwrite or dual-boot a hard drive. #2: We can install Deft on a USB flashie using the Universal USB Installer. #3: Installing VMware Player, installing Deft, and utilizing a virtual environment.
  37. Method #1: Directly to the hard drive. Go to “Install Slide A”.
  38. Method #2: Universal USB Installer. Locate the Deft ISO file, put in a flashie (4 GB min) that can be overwritten, and run the Universal-USB-Installer-1.8.8.9 executable file. This normally takes 10-15 min to run. Eject any Deft media and reboot your machine. Boot from the newly created Deft USB flashie.
  39. #2: Universal USB Installer
  40. Virtual Environment? A virtual machine (VM) is a software implementation of a computing environment in which an operating system or program can be installed and run. The virtual machine typically emulates a physical computing environment, but requests for CPU, memory, hard disk, network and other hardware resources are managed by a virtualization layer which translates these requests to the underlying physical hardware.
  41. Method #3: VMware Player. Install the “VMware-player-3/4x” executable file. Fire up VMware Player and create a new machine. Make sure you know where the Deft DVD or ISO file is. We will set up a 20 GB virtual partition and set the CD/DVD selection to “Legacy”. Install Deft; see “Install Slide A”.
  42. #3: VMware Player screen
  43. #3: Opening a V/M
  44. #3: Configuring the V/M
  45. #3: Deft in a V/M
  46. Install Slide A. It’s actually the next slide….
  47. Boot from the CD
  48. Installation language selection
  49. Checking hardware…
  50. Installation Welcome screen
  51. Preparing the installation
  52. Select the installation type
  53. Verifying the media
  54. Select the timezone
  55. Select the keyboard
  56. Select the keyboard layout
  57. Setting up a non-”root” user
  58. Starting the installation
  59. …wait, wait, wait…
  60. Installation is Complete!
  61. The GUI login screen
  62. Desktop
  63. Changing the “root” password
  64. Logout screen
  65. Let’s see if “root” can login
  66. Main menu
  67. Deft menu
  68. Lab #1 Spend some time reviewing the GUI and getting comfortable with this environment.
  69. …continuing…
  70. Autopsy Forensic Browser The Autopsy Forensic Browser is a graphical interface to the command line digital investigation analysis tools in Deft. Together, they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3).
  71. Autopsy Forensic Browser Deft and Autopsy are both Open Source and run on UNIX platforms (you can use Cygwin to run them both on Windows). As Autopsy is HTML- based, you can connect to the Autopsy server from any platform using an HTML browser. Autopsy provides a "File Manager"-like interface and shows details about deleted data and file system structures.
  72. Analysis Mode: Dead A dead analysis occurs when a dedicated analysis system is used to examine the data from a suspect system. In this case, Autopsy and Deft are run in a trusted environment, typically in a lab. Autopsy and TSK support raw, Expert Witness, and AFF file formats.
  73. Analysis Mode: Live A live analysis occurs when the suspect system is being analyzed while it is running. In this case, Autopsy and Deft are run from a CD in an untrusted environment. This is frequently used during incident response while the incident is being confirmed. After it is confirmed, the system can be acquired and a dead analysis performed.
  74. Evidence Search Techniques: File Listing, File Content, Hash Databases, File Type Sorting, Timeline of File Activity, Keyword Search, Meta Data Analysis, Data Unit Analysis, Image Details.
  75. Lab #2 Access the Autopsy Forensics Browser, then connect to the suspect machine. Let’s review these tools: File Listing, File Content, Hash Databases, File Type Sorting, Timeline of File Activity, Keyword Search, Meta Data Analysis, Data Unit Analysis, & Image Details
  76. …continuing…
  77. What is a “rootkit”? A rootkit is a program, running on *nix-based OSes, that allows a remote user to execute certain code or commands. There are many different types of rootkits. Some mount themselves among legitimate daemons and "hide" themselves, often reporting results, output, or data to a remote server.
  78. rkhunter. Rkhunter is much like a virus scanner for a Windows system. It has definitions to help identify rootkits and reports them. Just like anything, rkhunter isn't 100%, but it weeds out the majority of rootkits. Upon running rkhunter, various system files, conf files, and bin directories are examined.
  79. rkhunter. The results are cross-referenced against the results of infected systems (from the definitions) and the results are compiled. This is where *nix systems really shine. While your OS, and how it's compiled or configured, may vary, the file system layout and configuration are basically the same. This allows programs like rkhunter to provide results with a fairly small window for error or false positives.
  80. Lab #3 Let’s fire up rkhunter!
  81. Go to TERMINAL. Run sudo rkhunter --update; this will update the database. Then you can run sudo rkhunter --check --createlogfile; this will activate the rootkit scan. Tip: don't walk off and just leave it to scan; you might be prompted to press [ENTER] a few times to enable it to finish.
  82. …continuing…
  83. What is Data Carving? Data carving is the process of extracting a collection of data from a larger data set. Data carving techniques frequently occur during a digital investigation when the unallocated file system space is analyzed to extract files. The files are "carved" from the unallocated space using file type specific header and footer values. File system structures are not used during the process. This is exactly how PhotoRec works.
  84. PhotoRec. The first step was to use PhotoRec; version 6.5-WIP (WIP = Work In Progress) is considered. PhotoRec scanned the image file for known headers and successfully recognized all JPEG, OLE/Office, HTML and ZIP headers. There were no false positives.
  85. PhotoRec The JPEG footer, used to determine the file size and validity of a recovered JPEG, is checked by PhotoRec using libjpeg. ZIP footers are detected but the file integrity isn't checked. OLE file format is very complex - its internals are similar to a file system but PhotoRec is able to get the file size by analyzing the FAT. After a UTF8 to ASCII translation, PhotoRec calculates the index of coincidence to determine if a sector holds text or random data.
  86. Scalpel Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files or data fragments from a set of image files or raw device files. Scalpel is file system-independent and will carve files from FAT, NTFS, ext2/3, HFS+, or raw partitions. It is useful for both digital forensics investigation and file recovery.
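The header/footer carving described for PhotoRec and Scalpel, together with PhotoRec's index-of-coincidence test for text sectors, as an added example (not code from the slides, PhotoRec or Scalpel). The signature table, the size limits, the 0.03 text threshold and the disk image are all constructed assumptions for this example; a real Scalpel configuration file carries many more signatures.

```python
from collections import Counter

# Header/footer signatures in the style of a Scalpel definition line:
# extension -> (header bytes, footer bytes, maximum carve size).
# Size limits are assumed values for this example, not Scalpel's shipped config.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 2 * 1024 * 1024),
    "zip": (b"PK\x03\x04", b"PK\x05\x06", 8 * 1024 * 1024),
}
ZIP_EOCD_FIXED_LEN = 18  # bytes that follow the EOCD signature (22-byte record)


def carve(image, signatures=SIGNATURES):
    """Carve files from a raw image by header/footer only, ignoring any file system.

    Returns a list of dicts sorted by offset. A header with no footer inside the
    size limit yields a truncated carve flagged complete=False, as carvers do.
    """
    carved = []
    for ext, (header, footer, max_size) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            limit = min(len(image), start + max_size)
            fpos = image.find(footer, start + len(header), limit)
            if fpos < 0:
                end, complete = limit, False
            else:
                end, complete = fpos + len(footer), True
                if ext == "zip":  # EOCD is a fixed 22-byte record, keep all of it
                    end = min(end + ZIP_EOCD_FIXED_LEN, len(image))
            carved.append({"type": ext, "offset": start, "size": end - start,
                           "complete": complete, "data": image[start:end]})
            # Assumption: resume after a complete carve so nested headers
            # (e.g. further ZIP entries) do not produce overlapping carves.
            pos = end if complete else start + len(header)
    return sorted(carved, key=lambda c: c["offset"])


def index_of_coincidence(data):
    """Probability that two bytes drawn from the block are equal.

    Uniformly random bytes give about 1/256 (~0.0039); English text gives ~0.065.
    """
    n = len(data)
    if n < 2:
        return 0.0
    counts = Counter(data)
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))


def is_text_sector(sector, threshold=0.03):
    """Assumed threshold; PhotoRec's exact cut-off is not stated on the page."""
    return index_of_coincidence(sector) > threshold


# --- constructed sample image (not evidence from the page) -------------------
def _sample_jpeg(payload):
    # SOI + JFIF APP0 segment + payload + EOI
    app0 = b"\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8\xff" + app0 + payload + b"\xff\xd9"


def _sample_zip():
    # one stored local-file entry "a.txt", then an EOCD record without a comment
    local = (b"PK\x03\x04" + b"\x14\x00\x00\x00\x00\x00" + b"\x00" * 16
             + b"\x05\x00\x00\x00" + b"a.txtdata")
    eocd = b"PK\x05\x06" + b"\x00" * ZIP_EOCD_FIXED_LEN
    return local + eocd


SAMPLE_JPEG = _sample_jpeg(b"\x01\x02\x03" * 10)
SAMPLE_ZIP = _sample_zip()
# unallocated space: filler, a JPEG, filler, a ZIP, filler
SAMPLE_IMAGE = b"\x00" * 100 + SAMPLE_JPEG + b"\x7f" * 37 + SAMPLE_ZIP + b"\xaa" * 50

if __name__ == "__main__":
    for c in carve(SAMPLE_IMAGE):
        print(f"{c['type']} @ {c['offset']} size={c['size']} complete={c['complete']}")
    print("text?", is_text_sector(b"the quick brown fox jumps over the lazy dog " * 12))
    print("text?", is_text_sector(bytes(range(256)) * 2))
```

The carve is purely signature driven, which is why a carver finds files whose directory entries are gone but also why a footer-less JPEG comes out truncated at the size limit; that truncated carve is the case to expect on fragmented media.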
  87. Scalpel
  88. Lab #4 Let’s fire up PhotoRec and Scalpel
  89. …continuing…
  90. Hashing. #1: To cut. #2: A technique for locating data in a file by applying a transformation, usually arithmetic, to a key.
  91. md5deep md5deep is a set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files. md5deep is similar to the md5sum program found in the GNU Coreutils package. The application’s features include recursive operation, comparison mode, time estimation, piecewise hashing, and file type mode.
  92. …continuing…
  93. guymager. A free forensic imager for media acquisition. Its main features are: easy user interface in different languages; runs under Linux; really fast, due to multi-threaded, pipelined design and multi-threaded data compression; makes full usage of multi-processor machines; generates flat (dd), EWF (E01) and AFF images, supports disk cloning; free of charge, completely open source.
  94. guymager
  95. guymager
  96. …continuing…
  97. BitPim. BitPim is a program that allows you to view and manipulate data on many CDMA phones from LG, Samsung, Sanyo and other manufacturers. This includes the PhoneBook, Calendar, WallPapers, RingTones (functionality varies by phone) and the Filesystem for most Qualcomm CDMA chipset based phones. Available for Windows, Linux, or Mac.
  98. BitPim – some features
  99. …continuing…
  100. Wireshark Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.
  101. Wireshark examples: network administrators use it to troubleshoot network problems; network security engineers use it to examine security problems; developers use it to debug protocol implementations; people use it to learn network protocol internals.
  102. …continuing…
  103. Maltego. Maltego is an open source intelligence and forensics application. It will offer you timely mining and gathering of information as well as the representation of this information in an easy to understand format.
  104. Maltego
  105. John the Ripper John the Ripper is free and Open Source software, distributed primarily in source code form. If you would rather use a commercial product tailored for your specific operating system, please consider John the Ripper Pro, which is distributed primarily in the form of "native" packages for the target operating systems and in general is meant to be easier to install and use while delivering optimal performance.
  106. John the Ripper
  107. Updating: John the Ripper. ./john pwdumpfile --wordlist=wordlistfile --rules=rulesfile (the options take two leading hyphens; --rules names a rules section in john.conf)
  108. Hydra. A fast network authentication cracker which supports many different services. It uses a dictionary attack to test for weak or simple passwords on one or many remote hosts running a variety of different services such as TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP, PostgreSQL, Teamspeak, Cisco auth, Cisco enable, and Cisco AAA.
  109. Hydra
  110. KeepNote A simple but effective tool for saving and using notes for class, lab, meetings, papers, accounts, journals, and more as XML or HTML files. You can insert or attach images, spreadsheets, and other files, too. KeepNote offers a lot of flexibility, but it leaves out bells and whistles like contact managers, task schedulers, and other distractions from the job at hand. Its main job is to replace that stack of notebooks you're lugging around.
  111. …so…
  112. In conclusion We have touched on at least one tool in each major section of Deft. Please feel free to utilize many of the others in an installed, live, or virtual environment.
  113. Questions?
  114. ‘As a computer, I find your faith in technology amusing.’
  115. Thank you! Thank you for your time. Falconer Technologies TonyGodfrey@FalconerTechnologies.com (216) 282-4TUX

Editor's notes

  1. The “DEFT team” (formed by the Author, Massimiliano Dal Cero, Sandro Rossetti, Paolo Dal Checco, Davide “Rebus” Gabrini, Emanuele Gentili, Meo Bogliolo, Marco Giorgi and Valerio Leomporra)
  2. What is in it? DEFT Linux 7 most important package list: Libewf 20100226, Afflib 3.6.14, TSK 3.2.3, Autopsy 2.24, Digital Forensic Framework 1.2, PTK Forensic 1.0.5 DEFT edition, Pyflag, Maltego CE, KeepNote 0.7.6, Mobius Forensic, Xplico 0.7.1, Scalpel 2, Hunchbackeed Foremost 0.6, Findwild 1.3, Bulk Extractor 1.1, Dropbox Reader, Emule Forensic 1.0, Guymager 0.6.3-1, Dhash 2, Cyclone wizard acquire tool, Ipddump, Iphone Analyzer, Iphone backup analyzer, SQLite Database Browser 2.0b1, BitPim 1.0.7, Bbwhatsapp database converter, Reggripper, Creepy 0.1.9, Hydra 7.1, Log2timeline 0.60, Wine 1.3.28.
     DART package list: 7zip, Advanced Password Recovery, AviScreen, BlackBag IOReg Info, BlackBag PMAP Info, CamStudio, ClamWin, ConTools, Database Browser, dcfldd (for Windows), DeepBurner, DiskDigger, Don’t Sleep, DriveMan, EMFSpoolViewer, Emule MET viewer, Eraser Portable, f3e, FastStone Viewer, FATwalker, FAU x64, FAU x86, FileAlyzer 2, FileInfo, fmem, FSV Thumbs Extractor, FTK Imager, FTK Imager CLI (Win, Linux, Mac), GMER, Gsplit, Harvester, HDDRawCopy, Historian, HWiNFO, HWiNFO32 and HWiNFO64, HxD, ICESword, index.dat Analyzer, IrfanView (with plugins), JAD EDD, JAD Facebook JPG Finder, Jam-Software Treesize, Jam-Software UltraSearch, JPEGsnoop, LAN Search Pro 32/64, Lime Juicer, LimeWire Library Parser v4 and v5, Lnkexaminer, ltfviewer, Mail-Cure for Outlook Express, Mandiant Audit Viewer, Mandiant Memoryze, Mandiant RestorePointAnalyzer, Mandiant Web Historian, md5deep for Windows, md5summer, MDD, MediaPlayerClassic (x86/x64), Mitec Mail Viewer, MiTec Structured Storage Viewer, Mitec Windows File Analyzer, Mitec Windows Registry Rescue, NetSetMan, Nigilant32, Nirsoft Access PassView, Nirsoft AlternateStreamView, Nirsoft Asterisk Logger, Nirsoft AsterWin, Nirsoft AsterWin IE, Nirsoft Bluetooth Viewer, Nirsoft BulletsPassView x86 and x64, Nirsoft ChromeCacheView, Nirsoft ChromeCookiesView, Nirsoft ChromeHistoryView, Nirsoft ChromePass, Nirsoft CurrPorts x86 and x64, Nirsoft CurrProcess, Nirsoft Dialupass, Nirsoft Enterprise Manager PassView, Nirsoft FirefoxDownloadsView, Nirsoft FlashCookiesView, Nirsoft FoldersReport, Nirsoft HashMyFiles, Nirsoft IE Cache View, Nirsoft IE Cookies View, Nirsoft IE History View, Nirsoft IE PassView, Nirsoft InsideClipboard, Nirsoft LiveContactsView, Nirsoft LSASecretsDump x86 and x64, Nirsoft LSASecretsView x86 and x64, Nirsoft Mail PassView, Nirsoft MessenPass, Nirsoft Mozilla Cache View, Nirsoft Mozilla Cookies View, Nirsoft Mozilla History View, Nirsoft MUICacheView, Nirsoft MyEventViewer (also x64), Nirsoft MyLastSearch, Nirsoft NetResView, Nirsoft Netscapass, Nirsoft Network Password Recovery x86 and x64, Nirsoft OpenedFilesView (also x64), Nirsoft OperaCacheView, Nirsoft OperaPassView, Nirsoft OutlookAttachView (also x64), Nirsoft PasswordFox, Nirsoft PCAnywhere PassView, Nirsoft ProcessActivityView, Nirsoft Protected Storage PassView, Nirsoft PstPassword, Nirsoft RecentFilesView, Nirsoft RegScanner (also x64 and win98), Nirsoft Remote Desktop PassView, Nirsoft Safari Cache View, Nirsoft ServiWin, Nirsoft SkypeLogView, Nirsoft SmartSniff (x86 and x64), Nirsoft StartupRun, Nirsoft USBDeview x86 and x64, Nirsoft UserAssistView, Nirsoft UserProfilesView, Nirsoft VideoCacheView, Nirsoft VNCPassView, Nirsoft WebBrowserPassView, Nirsoft WhatInStartup, Nirsoft Win9x PassView, Nirsoft WinPrefetchView, Nirsoft Wireless Network View, Nirsoft WirelessKeyView x86 and x64, Notepad++ (with Hexedit and LightExplorer), NTFSwalker, On-screen keyboard, OTFE Volume File Finder, PC On/Off Time, Photostudio, pre-search, ProDiscover Basic Free, Props, QCC FragView, QCC Gigaview, QCC VideoTriage, RefWolf Prefetch-Parser, Registry Decoder Live 32/64, Registry Report, RegRipper Plugin, RHash, RootRepeal, Sanderson Forensic Copy, Sanderson Forensic Image Viewer, Sanderson List Codecs, Sanderson OLEDeconstruct, Screeny, SDHash, Search my files, SecurityXploded PasswordSuite, SecurityXploded SpyDLLRemover, ShadowExplorer, SoftPerfect Network Scanner (x86/x64), Spartacus, SPLViewer, SQLite Database Browser, SSDeep, StreamFinder, SumatraPDF, Svchost Process Analyzer, System Scaner, TCHunt, Teracopy Portable, testdisk/photorec Win/Lin/Mac x86/x64, The Sleuth Kit (win32), Thumo, TightVNC, TrID (defs 31.10.2011), TrIDnet (defs 31.10.2011), Tuluka, Ultra File Search, Undelete 360, Universal Extractor, Universal Viewer Free, USB WriteProtector, Vidpreview, VLC Portable, WinAudit and WinAudit Unicode, Windows Forensic Toolchest, WipeDisk, XnView, ZeroView.
  3. BitPim is a program that allows you to view and manipulate data on many CDMA phones from LG, Samsung, Sanyo and other manufacturers. This includes the PhoneBook, Calendar, WallPapers, RingTones (functionality varies by phone) and the Filesystem for most Qualcomm CDMA chipset based phones.
  4. KeepNote is a note taking application that works on Windows, Linux, and MacOS X. With KeepNote, you can store your class notes, TODO lists, research notes, journal entries, paper outlines, etc in a simple notebook hierarchy with rich-text formatting, images, and more. Using full-text search, you can retrieve any note for later reference.
  5. Maltego is an open source intelligence and forensics application. It will offer you timely mining and gathering of information as well as the representation of this information in an easy to understand format.
  6. DFF (Digital Forensics Framework) is a simple but powerful tool with a flexible module system which will help you in your digital forensics works, including file recovery due to error or crash, evidence research and analysis, etc. DFF provides a robust architecture and some handy modules.
  7. Description: Explore the internal file structure of your iPhone (or of a seized phone in the case of forensic teams) using either the iPhone's own backup files or (for jailbroken iPhones) ssh. Viewing of plist, sqlite, and hex is supported. iOS 4 is now supported. Features: iPhone backup browsing; native file viewing (plist, sqlite, etc); searching, including regular expressions; ssh access for jailbroken phones (beta); reports; restore files; recover backups; view all iPhone photos; examine address book, SMS and loads of others; find and recover passwords; export files to the local filesystem; online and offline mapping; geo-track where a device has been; iOS 4 and earlier versions supported.
  8. Welcome to the mini website of the THC Hydra project. Number one of the biggest security holes are passwords, as every password security study shows. Hydra is a parallelized login cracker which supports numerous protocols to attack. New modules are easy to add; beside that, it is flexible and very fast. Hydra was tested to compile on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1 and OSX, and is made available under GPLv3 with a special OpenSSL license expansion. Currently this tool supports: AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP. For HTTP, POP3, IMAP and SMTP, several login mechanisms like plain and MD5 digest etc. are supported. This tool is proof of concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized access from remote to a system. The program is maintained by van Hauser and David Maciejak.
  9. DART (Digital Advanced Response Toolkit) is a graphical user interface that handles, in a safe environment, the execution of “Incident Response” and Live Forensics tools.
  10. http://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/
  11. A virtual environment can be copied from machine to machine after the initial installation is completed. It is a completely self-contained environment and only requires VMware Player to be installed. Player is available for Windows, Linux, or Macintosh and virtual machines created in one environment can be copied to another one with no problem. These virtual environments can be compressed and sent to anyone else also running Player. They can also be used and then archived for later.
  12. sudo passwd; enter the new password, then enter it again. Logout as user. Login as “root” with the new password.
  13. Description: The Autopsy Forensic Browser is a graphical interface to the command line digital investigation analysis tools in Deft. Together, they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3). Deft and Autopsy are both Open Source and run on UNIX platforms (you can use Cygwin to run them both on Windows). As Autopsy is HTML-based, you can connect to the Autopsy server from any platform using an HTML browser. Autopsy provides a "File Manager"-like interface and shows details about deleted data and file system structures.
      Analysis Modes
      * A dead analysis occurs when a dedicated analysis system is used to examine the data from a suspect system. In this case, Autopsy and The Sleuth Kit are run in a trusted environment, typically in a lab. Autopsy and TSK support raw, Expert Witness, and AFF file formats.
      * A live analysis occurs when the suspect system is being analyzed while it is running. In this case, Autopsy and The Sleuth Kit are run from a CD in an untrusted environment. This is frequently used during incident response while the incident is being confirmed. After it is confirmed, the system can be acquired and a dead analysis performed.
      Evidence Search Techniques
      * File Listing: Analyze the files and directories, including the names of deleted files and files with Unicode-based names.
      * File Content: The contents of files can be viewed in raw, hex, or the ASCII strings can be extracted. When data is interpreted, Autopsy sanitizes it to prevent damage to the local analysis system. Autopsy does not use any client-side scripting languages. (Sleuth Kit Informer #1)
      * Hash Databases: Look up unknown files in a hash database to quickly identify them as good or bad. Autopsy uses the NIST National Software Reference Library (NSRL) and user created databases of known good and known bad files.
      * File Type Sorting: Sort the files based on their internal signatures to identify files of a known type. Autopsy can also extract only graphic images (including thumbnails). The extension of the file will also be compared to the file type to identify files that may have had their extension changed to hide them.
      * Timeline of File Activity: In some cases, having a timeline of file activity can help identify areas of a file system that may contain evidence. Autopsy can create timelines that contain entries for the Modified, Access, and Change (MAC) times of both allocated and unallocated files.
      * Keyword Search: Keyword searches of the file system image can be performed using ASCII strings and grep regular expressions. Searches can be performed on either the full file system image or just the unallocated space. An index file can be created for faster searches. Strings that are frequently searched for can be easily configured into Autopsy for automated searching.
      * Meta Data Analysis: Meta data structures contain the details about files and directories. Autopsy allows you to view the details of any meta data structure in the file system. This is useful for recovering deleted content. Autopsy will search the directories to identify the full path of the file that has allocated the structure.
      * Data Unit Analysis: Data units are where the file content is stored. Autopsy allows you to view the contents of any data unit in a variety of formats including ASCII, hexdump, and strings. The file type is also given and Autopsy will search the meta data structures to identify which has allocated the data unit.
      * Image Details: File system details can be viewed, including on-disk layout and times of activity. This mode provides information that is useful during data recovery.
      Case Management
      * Case Management: Investigations are organized by cases, which can contain one or more hosts. Each host is configured to have its own time zone setting and clock skew so that the times shown are the same as the original user would have seen. Each host can contain one or more file system images to analyze.
      * Event Sequencer: Time-based events can be added from file activity or IDS and firewall logs. Autopsy sorts the events so that the sequence of incident events can be more easily determined.
      * Notes: Notes can be saved on a per-host and per-investigator basis. These allow you to make quick notes about files and structures. The original location can be easily recalled with the click of a button when the notes are later reviewed. All notes are stored in an ASCII file.
      * Image Integrity: It is crucial to ensure that files are not modified during analysis. Autopsy, by default, will generate an MD5 value for all files that are imported or created. The integrity of any file that Autopsy uses can be validated at any time.
      * Reports: Autopsy can create ASCII reports for files and other file system structures. This enables you to quickly make consistent data sheets during the investigation.
      * Logging: Audit logs are created on a case, host, and investigator level so that actions can be easily recalled. The exact Sleuth Kit commands that are executed are also logged.
      * Open Design: The code of Autopsy is open source and all files that it uses are in a raw format. All configuration files are in ASCII text and cases are organized by directories. This makes it easy to export the data and archive it. It also does not restrict you from using other tools that may solve the specific problem more appropriately.
      * Client Server Model: Autopsy is HTML-based and therefore you do not have to be on the same system as the file system images. This allows multiple investigators to use the same server and connect from their personal systems.
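The "Timeline of File Activity" technique from slide 74 and the per-host time zone and clock skew described under Case Management, as an added example (not Autopsy's or The Sleuth Kit's code): MAC times of allocated and unallocated files are merged into one sorted timeline in the style of a mactime listing, where each row carries an `m`, `a` or `c` flag for every timestamp that falls on it. The file records, the sign convention for `skew_seconds` (added to every recorded time) and the row format are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed file records (not evidence from the page), in the spirit of a
# Sleuth Kit body file: name, modified/accessed/changed epoch seconds, allocation.
SAMPLE_RECORDS = [
    {"name": "/docs/report.doc", "mtime": 1000, "atime": 1000, "ctime": 900, "allocated": True},
    {"name": "/tmp/notes.txt", "mtime": 950, "atime": 1200, "ctime": 950, "allocated": False},
]


def build_timeline(records, skew_seconds=0, tz=timezone.utc):
    """Return [(timestamp_str, flags, name), ...] sorted by time.

    flags is the string 'mac' with a dot in place of each time that does not
    fall on this row, so a file whose m, a and c all equal one instant yields a
    single 'mac' row. skew_seconds corrects the suspect host's clock (assumed
    convention: it is added to every recorded time); tz is the host's time zone.
    """
    rows = {}
    for rec in records:
        name = rec["name"] + ("" if rec["allocated"] else " (deleted)")
        for key, flag in (("mtime", "m"), ("atime", "a"), ("ctime", "c")):
            ts = rec[key] + skew_seconds
            rows.setdefault((ts, name), set()).add(flag)
    timeline = []
    for (ts, name), flags in sorted(rows.items()):
        stamp = datetime.fromtimestamp(ts, tz).strftime("%Y-%m-%d %H:%M:%S %Z")
        mac = "".join(f if f in flags else "." for f in "mac")
        timeline.append((stamp, mac, name))
    return timeline


if __name__ == "__main__":
    # Same events, once in UTC and once as a host five hours behind UTC
    # whose clock was 60 seconds slow.
    for stamp, flags, name in build_timeline(SAMPLE_RECORDS):
        print(stamp, flags, name)
    host_tz = timezone(timedelta(hours=-5))
    for stamp, flags, name in build_timeline(SAMPLE_RECORDS, skew_seconds=60, tz=host_tz):
        print(stamp, flags, name)
```

Reading the output, a deleted file whose m and c times coincide but whose a time is much later is exactly the kind of row a timeline is meant to surface: the content stopped changing, yet something still read it afterwards.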
  14. Cygwin. Cygwin is:
      * a collection of tools which provide a Linux look and feel environment for Windows.
      * a DLL (cygwin1.dll) which acts as a Linux API layer providing substantial Linux API functionality.
      Cygwin is not:
      * a way to run native Linux apps on Windows. You must rebuild your application from source if you want it to run on Windows.
      * a way to magically make native Windows apps aware of UNIX® functionality like signals, ptys, etc. Again, you need to build your apps from source if you want to take advantage of Cygwin functionality.
  15. md5deep features:
      * Recursive operation: md5deep is able to recursively examine an entire directory tree. That is, compute the MD5 for every file in a directory and for every file in every subdirectory.
      * Comparison mode: md5deep can accept a list of known hashes and compare them to a set of input files. The program can display either those input files that match the list of known hashes or those that do not match. Hash sets can be drawn from Encase, the National Software Reference Library, iLook Investigator, Hashkeeper, md5sum, BSD md5, and other generic hash generating programs. Users are welcome to add functionality to read other formats too!
      * Time estimation: md5deep can produce a time estimate when it's processing very large files.
      * Piecewise hashing: hash input files in arbitrary sized blocks.
      * File type mode: md5deep can process only files of a certain type, such as regular files, block devices, etc.
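The md5deep features from slide 91 and note 15 (recursive operation, comparison mode against a known-hash set, piecewise hashing, regular-files-only mode), as an added example written in Python rather than md5deep's own C; the sample directory tree, its contents and the sha256sum-style hash set are constructed for this example, and the function names are this example's, not md5deep's options.

```python
import hashlib
import os
import tempfile


def digest_of_bytes(data, algo="sha256"):
    return hashlib.new(algo, data).hexdigest()


def hash_file(path, algo="sha256", chunk=1 << 20):
    """Digest a file in chunks so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root, algo="sha256"):
    """Recursive operation: digest every regular file under root, keyed by relative path."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):  # file type mode: regular files only, no devices/sockets
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                result[rel] = hash_file(full, algo)
    return result


def piecewise_hash(path, block_size, algo="sha256"):
    """Piecewise hashing: one digest per fixed-size block, as (start, end, digest)."""
    pieces, offset = [], 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(block_size), b""):
            pieces.append((offset, offset + len(block), digest_of_bytes(block, algo)))
            offset += len(block)
    return pieces


def load_hashset(text):
    """Parse md5sum/sha256sum style lines ('<digest>  <name>') into a set of digests."""
    known = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            known.add(line.split()[0].lower())
    return known


def compare_known(hashes, known):
    """Comparison mode: files whose digest is in the known set, and those that are not."""
    matched = {path for path, digest in hashes.items() if digest in known}
    return matched, set(hashes) - matched


# --- constructed sample tree and hash set (not data from the page) -----------
SAMPLE_FILES = {
    "report.txt": b"quarterly report\n",
    "sub/tool.bin": b"\x7fELF" + b"\x00" * 28,
    "sub/empty": b"",
}


def make_sample_tree():
    root = tempfile.mkdtemp(prefix="hashdeep_demo_")
    for rel, data in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


# "Known good" set in sha256sum output format; the first digest is SHA-256 of the empty file.
KNOWN_GOOD = (
    "# constructed known-good set\n"
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  empty\n"
    + digest_of_bytes(SAMPLE_FILES["sub/tool.bin"]) + "  tool.bin\n"
)

if __name__ == "__main__":
    root = make_sample_tree()
    hashes = hash_tree(root)
    matched, unknown = compare_known(hashes, load_hashset(KNOWN_GOOD))
    print("known:", sorted(matched), "needs review:", sorted(unknown))
    for start, end, digest in piecewise_hash(os.path.join(root, "report.txt"), 4):
        print(f"{start}-{end} {digest[:16]}...")
```

Comparing against a known-good set (NSRL-style) is how an examiner shrinks the review list to files nobody has seen before; the piecewise digests are what let a partially damaged copy of a file still be matched block by block.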
  16. http://guymager.sourceforge.net/
  19. http://www.bitpim.org/
  21. http://www.wireshark.org/
Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.
Wireshark has a rich feature set which includes the following:
* Deep inspection of hundreds of protocols, with more being added all the time
* Live capture and offline analysis
* Standard three-pane packet browser
* Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
* Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
* The most powerful display filters in the industry
* Rich VoIP analysis
* Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
* Capture files compressed with gzip can be decompressed on the fly
* Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
* Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
* Coloring rules can be applied to the packet list for quick, intuitive analysis
* Output can be exported to XML, PostScript®, CSV, or plain text
  22. Wireshark Basics:
Ask for your neighbor's IP address and jot it down here: _______________________
Bring up Wireshark.
Lab #1 – Looking at everything on the network
1. Select Capture → Options
  a. Is the interface set to 'eth0'?
  b. Verify these are checked: Update list of packets in real time; Automatic scrolling in live capture; Enable MAC name resolution; Enable network name resolution; Enable transport name resolution
  c. Let it run for 1-2 minutes
  d. What protocols are being used? (Example: UDP? ARP? IPX? Other?)
  e. Select [STOP] when done
  f. What do you see?
Lab #2 – Looking only at a specific workstation
2. Select Capture → Options
  a. Is the interface set to 'eth0'?
  b. Verify these are checked: Update list of packets in real time; Automatic scrolling in live capture; Enable MAC name resolution; Enable network name resolution; Enable transport name resolution
  c. Select CAPTURE, then CAPTURE FILTERS
  d. Select NEW, then enter the FILTER NAME (your neighbor's name, maybe?)
  e. In the FILTER STRING, type host <your neighbor's IP address>. Example: host 192.168.1.1
  f. Ask your neighbor to go to a few websites, check e-mail, ftp, etc.
  g. Let Wireshark run for 4-5 minutes
  h. Select SAVE, then CLOSE
  i. What protocols are being used? (Example: UDP? ARP? IPX? Other?)
  j. Select [STOP] when done
Lab #3: Now that you have the basics, set up four more filters to do the following:
* Capture only DNS traffic. Filter: port 53
* Capture only IP traffic. Filter: ip
* Capture only web traffic. Filter: port 80
* Capture only unicast traffic. Useful to get rid of noise on the network if you only want to see traffic to and from your machine, not, for example, broadcast and multicast announcements. Filter: not broadcast and not multicast
Optional: Additional Wireshark capture filter strings (ether proto takes a hex EtherType, and ip proto takes the IP protocol number):
* ARP: ether proto 0x0806
* IP (v4): ether proto 0x0800
* ICMP: ip proto 1
* TCP: ip proto 6
* UDP: ip proto 17
* FTP (data): tcp port 20
* FTP (control): tcp port 21
* SSH: tcp port 22
* TELNET: tcp port 23
* SMTP: tcp port 25
* DNS: udp port 53
* HTTP: tcp port 80
* NETBIOS Name Service: udp port 137
* NETBIOS Datagram: udp port 138
* NETBIOS Session: tcp port 139
* IMAP: tcp port 143
* SNMP: udp port 161
  23. http://www.paterva.com/web5/
  24. John the Ripper:
$ /usr/sbin/john --test          # benchmark the built-in hash routines on this machine
$ /usr/sbin/john password.txt    # audit the hashes in password.txt
  25. http://compsec.org/security/index.php/password-recovery-and-crackers/64-password-recovery-and-crackers-thc-hydra.htmlhttp://sectools.org/tag/crackers/
  27. http://download.cnet.com/KeepNote/3000-2076_4-204158.html