
Based on the book: Digital Forensics with Open Source Tools

"The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations" (DFRWS 2001)

"Digital archaeology is about the direct effects from user activity, such as file contents, file access time stamps, information from deleted files, and network flow logs. Digital geology is about autonomous processes that users have no direct control over, such as the allocation and recycling of disk blocks, file ID numbers, memory pages or process ID numbers" porcupine.org/forensics/chapter1.html

Environment for open source software

  • C/C++ programs: "./configure", "make" and "make install"
  • Interpreters: Java, Perl, Python, Ruby
  • Version control for getting source code: cvs, subversion, git, mercurial
  • File system image handling: losetup, FUSE, MountEWF, AFFuse, XMount

Disk and file system

Container formats: AFF (AFD, AFM), EWF/E01
Hashing for integrity verification: MD5, SHA, ssdeep (fuzzy)
Imaging: dd, dcfldd, dc3dd
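The imaging and hashing steps above belong together: dcfldd and dc3dd hash the data while they copy it, and dcfldd's hashwindow option records a digest per window so that a later mismatch can be localised instead of only failing the whole image. The following is an added Python example of that idea; it is not code from the book or from any of the tools named, and the "device" it images is a constructed byte string.

```python
# dd/dcfldd-style imaging with a hash window: copy a source in fixed blocks,
# hash every window and the whole stream, then verify the written image.
# Added example, not code from the book; the "device" is a constructed byte string.
import hashlib
import io

BLOCK_SIZE = 512              # sector-sized reads, as with dd bs=512
HASH_WINDOW = 4 * BLOCK_SIZE  # dcfldd hashwindow=2048: one digest per 2 KiB of input


def image_source(src, dst, block_size=BLOCK_SIZE, window=HASH_WINDOW):
    """Copy src to dst block by block.

    Returns (md5_hex, sha256_hex, windows), where windows is a list of
    (start_offset, end_offset, sha256_hex) for each hash window, so a single
    corrupted region can later be localised instead of only failing the whole image.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    window_hash = hashlib.sha256()
    windows = []
    offset = window_start = 0
    while True:
        block = src.read(block_size)
        if not block:
            break
        dst.write(block)
        md5.update(block)
        sha256.update(block)
        window_hash.update(block)
        offset += len(block)
        if offset - window_start >= window:
            windows.append((window_start, offset, window_hash.hexdigest()))
            window_start = offset
            window_hash = hashlib.sha256()
    if offset > window_start:  # partial window at the end of the source
        windows.append((window_start, offset, window_hash.hexdigest()))
    return md5.hexdigest(), sha256.hexdigest(), windows


def verify_image(image, windows):
    """Re-hash each window of the written image; return start offsets of windows that no longer match."""
    return [start for start, end, digest in windows
            if hashlib.sha256(image[start:end]).hexdigest() != digest]


def demo():
    # Constructed source: five sectors, each filled with its own index byte (2560 bytes).
    source = b"".join(bytes([i]) * BLOCK_SIZE for i in range(5))
    dst = io.BytesIO()
    md5_hex, sha_hex, windows = image_source(io.BytesIO(source), dst)
    image = dst.getvalue()
    corrupted = bytearray(image)
    corrupted[2100] ^= 0xFF  # simulate a flipped byte inside the second window
    return {
        "md5": md5_hex,
        "sha256": sha_hex,
        "windows": [(s, e) for s, e, _ in windows],
        "bad_windows_clean": verify_image(image, windows),
        "bad_windows_corrupted": verify_image(bytes(corrupted), windows),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The whole-stream MD5 and SHA-256 are what gets written into the case notes; the per-window digests are what tells you, when a copy later fails verification, whether one sector range or the entire image is suspect.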
Abstraction levels such as "Disk - Volume - File system - Data unit - meta data - file name".
Usage of the Sleuth Kit, whose tools are named after the layer they work on:

  • mm-: media management (volume) layer: mmstat, mmls, mmcat
  • fs-: file system layer: fsstat
  • blk-: block (data unit) layer: blkstat, blkls, blkcat
  • i-: inode (meta data) layer: istat, ils, icat
  • f-: file name layer: fls, ffind
  • j-: file system journal layer: jls
  • img-: image file tools: img_stat, img_cat
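The first of those layers, the volume layer handled by mmls, is simple enough to show in full. The following added Python example (not Sleuth Kit code, and not from the book) parses a DOS/MBR partition table the way mmls does and prints each partition's start, end and length in sectors together with the unallocated ranges; the byte offset it derives is the value the file-system-layer tools and losetup need in order to address one partition inside a whole-disk image. The MBR it reads is constructed for the demo.

```python
# Volume-layer analysis in the style of mmls: read a DOS/MBR partition table and
# report each partition's start sector, length and the byte offset at which its
# file system begins. Added example; the MBR below is constructed, not from a real disk.
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, LBA sector count
PART_TYPES = {0x05: "DOS Extended", 0x07: "NTFS / exFAT", 0x0B: "FAT32 (CHS)",
              0x0C: "FAT32 (LBA)", 0x82: "Linux swap", 0x83: "Linux"}


def build_mbr(entries):
    """Constructed MBR for the demo. entries: (bootable, type, start_lba, sector_count)."""
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\xfe\xff\xff", ptype,
                    b"\xfe\xff\xff", start, count)
        for bootable, ptype, start, count in entries)
    table += b"\x00" * (64 - len(table))           # unused slots stay zero
    return b"\x00" * 446 + table + b"\x55\xaa"       # boot code area, table, signature


def parse_mbr(mbr):
    """Return the non-empty primary partition entries as dicts."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: not a DOS partition table")
    parts = []
    for slot in range(4):
        raw = mbr[446 + 16 * slot: 446 + 16 * (slot + 1)]
        status, _chs_start, ptype, _chs_end, start, count = struct.unpack(ENTRY_FMT, raw)
        if ptype == 0:
            continue
        parts.append({
            "slot": slot, "bootable": status == 0x80, "type": ptype,
            "desc": PART_TYPES.get(ptype, f"Unknown (0x{ptype:02X})"),
            "start": start, "end": start + count - 1, "length": count,
            "byte_offset": start * SECTOR,
        })
    return parts


def unallocated(parts, total_sectors):
    """Sector ranges covered by no partition; mmls lists these as Unallocated and
    they are the first place to look for deleted or hidden data."""
    gaps, cursor = [], 1     # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def mmls_style(parts, total_sectors):
    rows = [f"{'Slot':>4}  {'Start':>10}  {'End':>10}  {'Length':>10}  Description"]
    for p in parts:
        rows.append(f"{p['slot']:>4}  {p['start']:>10}  {p['end']:>10}  {p['length']:>10}  "
                    f"{p['desc']}{' (bootable)' if p['bootable'] else ''}")
    for start, end in unallocated(parts, total_sectors):
        rows.append(f"{'-':>4}  {start:>10}  {end:>10}  {end - start + 1:>10}  Unallocated")
    return "\n".join(rows)


SAMPLE_MBR = build_mbr([(True, 0x07, 2048, 204800), (False, 0x83, 206848, 100000)])
SAMPLE_TOTAL_SECTORS = 409600   # constructed 200 MiB disk

if __name__ == "__main__":
    print(mmls_style(parse_mbr(SAMPLE_MBR), SAMPLE_TOTAL_SECTORS))
```

Only primary entries are walked here; extended partitions and GPT (which mmls also handles) would need the chain of EBRs or the GPT header to be followed in the same manner.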

Carving: recovering deleted but not yet overwritten data from unallocated space. Tools like:

  • Foremost
  • Scalpel
  • blkls (sleuth kit)
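Foremost and Scalpel both work from a configuration of header and footer signatures with a maximum size per type. The following added Python example (not code from either tool or from the book) applies the same method to a constructed image: it finds each header, cuts to the first footer within the size limit, records headers whose footer never appears as truncated, and hashes every result so carved files can be deduplicated.

```python
# Header/footer carving as Foremost and Scalpel do it: scan a raw image for known
# file signatures, cut from header to the first matching footer within a size limit,
# and hash each result. Added example; the "image" and the files in it are constructed.
import hashlib

# (type, header, footer, max size): the same fields a scalpel.conf / foremost.conf line carries
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    ("gif", b"GIF8", b"\x00\x3b", 5 * 1024 * 1024),
    ("pdf", b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
]


def carve(data, signatures=SIGNATURES):
    """Return candidate files as dicts sorted by offset. Headers with no footer inside
    max_size are reported as incomplete rather than dropped."""
    found = []
    for name, header, footer, max_size in signatures:
        pos = data.find(header)
        while pos != -1:
            limit = min(len(data), pos + max_size)
            end = data.find(footer, pos + len(header), limit)
            if end == -1:
                blob, complete = data[pos:limit], False
                next_pos = pos + len(header)
            else:
                blob, complete = data[pos:end + len(footer)], True
                next_pos = end + len(footer)
            found.append({"type": name, "offset": pos, "size": len(blob), "complete": complete,
                          "md5": hashlib.md5(blob).hexdigest(), "data": blob})
            pos = data.find(header, next_pos)
    return sorted(found, key=lambda f: f["offset"])


# Constructed sample files: a minimal JFIF header plus body, a 1x1 GIF, a PDF with no trailer.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + bytes(range(1, 64)) + b"\xff\xd9"
SAMPLE_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
              b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
SAMPLE_PDF_HEAD = b"%PDF-1.4\n%constructed header whose trailer was overwritten\n"

# Constructed "unallocated space": zero fill, the three files, then slack filled with 0xff.
SAMPLE_IMAGE = (b"\x00" * 1000 + SAMPLE_JPEG + b"\x00" * 500 + SAMPLE_GIF
                + b"\x00" * 200 + SAMPLE_PDF_HEAD + b"\xff" * 300)

if __name__ == "__main__":
    for hit in carve(SAMPLE_IMAGE):
        state = "complete" if hit["complete"] else "truncated"
        print(f"{hit['type']:>4} @ {hit['offset']:>8}  {hit['size']:>8} bytes  {state}  md5={hit['md5']}")
```

Two caveats a practitioner will meet immediately: a JPEG that embeds an EXIF thumbnail contains a second FFD8/FFD9 pair, so the first footer found cuts the outer file short, and a PDF saved with incremental updates carries several %%EOF markers. Scalpel's per-type options and Foremost's format-aware parsers exist precisely to handle those cases better than a plain first-footer rule.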

Windows artifacts

File systems: NTFS (alternate streams) and FAT
Registry: RegRipper
Event Logs: evtrpt.pl, Grokevt, evtxparse.pl
Prefetch, shortcuts, executables

Linux artifacts

Linux file systems: EXT2, EXT3, ReiserFS, XFS, JFS, YAFFS2, JFFS2.
Boot process and services: System V and BSD, runlevels, /etc/init.d
Artifacts: ownership, hidden files, /tmp folder
Users and home directories: /etc/shadow, shell history.
Logs: /var/run and /var/log
Scheduling: at, cron

OS X artifacts

File systems: HFS and HFS+, DMG containers. Software: HFSExplorer, SleuthKit. Property lists (plist), hidden directories, /private/var/log.
User artifacts: /library/preferences, .Trash folder in every user directory. Shell history.
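Property lists appear in two encodings on disk, XML and binary (files starting with "bplist00"), and a forensic tool has to read both. The following added Python example (not code from the book or from any OS X tool) uses the standard plistlib module, which detects the encoding itself, to summarise a LaunchAgent-style plist of the kind found under the Library/Preferences and LaunchAgents paths; the label, program path and values are constructed, and the check for a hidden directory in the program path ties back to the hidden-directory artifact listed above.

```python
# Reading an OS X property list the way a forensic tool must: the same plist can be
# stored as XML or as binary (bplist00), and plistlib.loads() detects which.
# Added example with a constructed LaunchAgent-style plist; the label and paths are made up.
import plistlib

SAMPLE_AGENT = {                                   # constructed content
    "Label": "com.example.updater",
    "ProgramArguments": ["/Users/alice/Library/.cache/updater", "--quiet"],
    "RunAtLoad": True,
    "KeepAlive": True,
    "StartInterval": 300,
}


def plist_format(data):
    """Identify the on-disk encoding from the first bytes."""
    if data.startswith(b"bplist"):
        return "binary"
    if data.lstrip().startswith(b"<?xml"):
        return "xml"
    return "unknown"


def summarize_launch_agent(data):
    """Pull the fields an examiner checks first from a LaunchAgent/LaunchDaemon plist."""
    obj = plistlib.loads(data)                      # format auto-detected
    args = obj.get("ProgramArguments") or [obj.get("Program", "")]
    program = args[0]
    return {
        "format": plist_format(data),
        "label": obj.get("Label"),
        "program": program,
        "args": args[1:],
        "persistent": bool(obj.get("RunAtLoad") or obj.get("KeepAlive")),
        "interval": obj.get("StartInterval"),
        # a dot-directory anywhere in the path: the hidden directories listed among the OS X artifacts
        "hidden_path": any(part.startswith(".") for part in program.split("/") if part),
    }


def demo():
    """Serialise the constructed agent both ways, as it could be found on disk, and read each back."""
    binary = plistlib.dumps(SAMPLE_AGENT, fmt=plistlib.FMT_BINARY)
    xml = plistlib.dumps(SAMPLE_AGENT, fmt=plistlib.FMT_XML)
    return summarize_launch_agent(binary), summarize_launch_agent(xml)


if __name__ == "__main__":
    for summary in demo():
        print(summary)
```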

Internet artifacts

Browsers: Internet Explorer, Firefox, Opera, Chrome, etc. History, user downloads, cookies, data cache, favorites, login credentials, add-ons and plugins.
E-mail: Outlook (.pst), Thunderbird, Mail (OS X), Eudora. .mbox and maildir formats. Tools: grepmail, mairix.
Chat: IRC, MSN Messenger, Facebook chat, ICQ, Pidgin, etc.
SSH/FTP: visited servers, fingerprints, certificates, upload/download history
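grepmail and mairix both walk an mbox message by message, index the headers and search them. The following added Python example (not code from either tool or from the book) does the same with the standard mailbox module: it normalises each Date header to UTC so messages from correspondents in different time zones sort correctly, lists attachment names, and offers a keyword search over headers and body. The mailbox and both messages are constructed.

```python
# grepmail/mairix-style mailbox indexing: walk every message in an mbox, normalise
# the Date header to UTC, list attachment names and allow keyword search over
# headers and body. Added example; the mailbox and its two messages are constructed.
import datetime
import mailbox
import os
import tempfile
from email.message import EmailMessage
from email.utils import parsedate_to_datetime


def build_sample_mbox(path):
    """Write two constructed messages into a new mbox at path."""
    box = mailbox.mbox(path)
    m1 = EmailMessage()
    m1["From"] = "alice@example.com"
    m1["To"] = "bob@example.com"
    m1["Subject"] = "Q3 report"
    m1["Date"] = "Mon, 07 Mar 2011 09:15:00 +0100"
    m1.set_content("Bob, the report is attached.")
    m1.add_attachment(b"PK\x03\x04 not a real zip", maintype="application",
                      subtype="zip", filename="report.zip")
    m2 = EmailMessage()
    m2["From"] = "bob@example.com"
    m2["To"] = "alice@example.com"
    m2["Subject"] = "Re: Q3 report"
    m2["Date"] = "Mon, 07 Mar 2011 14:02:10 -0500"
    m2.set_content("Got it, thanks. Lunch tomorrow?")
    box.add(m1)
    box.add(m2)
    box.flush()
    box.close()


def index_mbox(path):
    """One dict per message: sender, recipient, subject, UTC date, attachments, plain-text body."""
    entries = []
    for key, msg in mailbox.mbox(path).iteritems():
        body, attachments = "", []
        for part in msg.walk():
            if part.get_content_disposition() == "attachment":
                attachments.append(part.get_filename())
            elif part.get_content_type() == "text/plain":
                body += part.get_payload(decode=True).decode("utf-8", "replace")
        when = parsedate_to_datetime(msg["Date"]).astimezone(datetime.timezone.utc)
        entries.append({"key": key, "from": msg["From"], "to": msg["To"], "subject": msg["Subject"],
                        "date_utc": when.isoformat(), "attachments": attachments, "body": body.strip()})
    return entries


def search(entries, needle):
    """Case-insensitive substring search over the indexed headers and body, grepmail-style."""
    needle = needle.lower()
    return [e for e in entries
            if any(needle in (e[f] or "").lower() for f in ("from", "to", "subject", "body"))]


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.mbox")
        build_sample_mbox(path)
        return index_mbox(path)


if __name__ == "__main__":
    for entry in demo():
        print(entry["date_utc"], entry["from"], "->", entry["to"], entry["subject"], entry["attachments"])
```

Maildir stores one message per file but the indexing loop is unchanged: mailbox.Maildir offers the same iteritems() interface, which is why the two formats are listed together above.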

File analysis

python-hachoir for inspecting binary files bit by bit

Images/photos: ImageMagick (identify), EXIF/IPTC/XMP metadata formats, geotagging, dates, camera used, thumbnails, JPEG, GIF, PNG, TIFF.
Audio: WAV, MP3, AAC/M4A. AtomicParsley tool, comments, tracking tags, thumbnails.
Video: streams of images and sound. MPEG-1, MPEG-2, MPEG-4 (MP4), AVI, ASF, WMV, MOV (qtinfo tool), MKV.
Archives: ZIP, RAR, 7-Zip, TAR, GZIP, BZIP2.
Documents: Office / OpenOffice file types. Documents, spreadsheets, presentations. Overlaid data, author meta data, editing history, etc. RTF and PDF.
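What python-hachoir shows for a binary file is its field structure: each header, length and checksum, with a flag where the file disagrees with its own format. The following added Python example (not hachoir code and not from the book) does that by hand for PNG, the simplest of the image formats listed: it walks the chunk sequence, verifies every CRC, reads the IHDR geometry and extracts tEXt metadata such as the author and software fields. The PNG it inspects is constructed inline, and the caller can see both a clean file and one whose metadata was altered without updating the CRC.

```python
# Field-by-field inspection of a binary file, the view python-hachoir gives: walk the
# chunks of a PNG, check every CRC, and read out the IHDR geometry and tEXt metadata
# (author, software, comments). Added example; the PNG is constructed inline.
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype, body):
    """Length, type, body, CRC-32 over type+body: the PNG chunk layout."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png():
    """A valid 2x1 RGB image carrying two tEXt chunks (constructed sample)."""
    ihdr = struct.pack(">IIBBBBB", 2, 1, 8, 2, 0, 0, 0)        # width, height, depth, RGB, ...
    scanline = b"\x00" + b"\xff\x00\x00" + b"\x00\xff\x00"      # filter 0, red pixel, green pixel
    return (PNG_MAGIC
            + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"tEXt", b"Author\x00A. Examiner")
            + make_chunk(b"tEXt", b"Software\x00constructed-sample 1.0")
            + make_chunk(b"IDAT", zlib.compress(scanline))
            + make_chunk(b"IEND", b""))


def walk_png(data):
    """One dict per chunk: offset, type, length, body, whether its CRC verifies, truncation."""
    if not data.startswith(PNG_MAGIC):
        raise ValueError("not a PNG: bad signature")
    pos, chunks = len(PNG_MAGIC), []
    while pos + 8 <= len(data):
        length, = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        if pos + 12 + length > len(data):                       # chunk runs past end of file
            chunks.append({"offset": pos, "type": ctype.decode("latin-1"), "length": length,
                           "body": data[pos + 8:], "crc_ok": False, "truncated": True})
            break
        body = data[pos + 8:pos + 8 + length]
        stored, = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        chunks.append({"offset": pos, "type": ctype.decode("latin-1"), "length": length, "body": body,
                       "crc_ok": stored == (zlib.crc32(ctype + body) & 0xFFFFFFFF), "truncated": False})
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks


def png_metadata(data):
    """Geometry, text metadata, chunk order and an overall integrity verdict."""
    info = {"text": {}, "chunks": [], "all_crc_ok": True}
    for c in walk_png(data):
        info["chunks"].append(c["type"])
        info["all_crc_ok"] &= c["crc_ok"]
        if c["type"] == "IHDR" and len(c["body"]) >= 13:
            w, h, depth, color = struct.unpack(">IIBB", c["body"][:10])
            info.update(width=w, height=h, bit_depth=depth, color_type=color)
        elif c["type"] == "tEXt" and b"\x00" in c["body"]:
            key, value = c["body"].split(b"\x00", 1)
            info["text"][key.decode("latin-1")] = value.decode("latin-1")
    return info


if __name__ == "__main__":
    sample = build_sample_png()
    for chunk in walk_png(sample):
        print(f"{chunk['offset']:>6} {chunk['type']} len={chunk['length']} crc_ok={chunk['crc_ok']}")
    print(png_metadata(sample))
```

A failing CRC on a metadata chunk does not make the image unreadable, which is exactly why it matters: viewers ignore it, so an edited author or timestamp field is only noticed by a tool that re-computes the checksums.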

Automation

PyFLAG: a web-based, database-backed analysis framework.
Fiwalk: file and inode walk over an image.
Log2Timeline: builds a timeline from many artifact types.
SIFT: bootable Linux forensics environment.
Autopsy: the Sleuth Kit's graphical front end.
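Log2Timeline's contribution is to put artifacts that have nothing to do with each other on one clock: the Linux artifacts listed earlier (shell history, /var/log) next to file system timestamps from the Sleuth Kit. The following added Python example (not Log2Timeline, mactime or Sleuth Kit code, and not from the book) builds such a timeline from three constructed inputs: syslog lines of the kind found in /var/log/auth.log, a ~/.bash_history written with HISTTIMEFORMAT set so that each command is preceded by a "#<epoch>" line, and fls -m bodyfile lines with mactime's MACB flags. The log year (2011) and the host's clock being UTC are assumptions supplied from case context, because syslog lines carry neither.

```python
# A small log2timeline / mactime-style super-timeline: normalise three evidence sources
# to UTC epoch seconds and merge them in time order. Sources: syslog lines (as found in
# /var/log/auth.log), a ~/.bash_history written with HISTTIMEFORMAT set (each command is
# preceded by a "#<epoch>" line), and Sleuth Kit bodyfile lines (the fls -m / mactime
# format). Added example; all three inputs are constructed and the host is assumed to
# log in UTC, since syslog lines carry neither year nor zone.
import re
from datetime import datetime, timezone

LOG_YEAR = 2011       # assumed from case context; syslog timestamps omit the year

AUTH_LOG = """\
Mar  7 08:15:02 host sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar  7 08:17:45 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  7 08:20:11 host sshd[2231]: pam_unix(sshd:session): session closed for user alice"""

BASH_HISTORY = """\
#1299485760
ls -la /tmp
#1299485860
sudo cat /etc/shadow"""

# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime  (0 = timestamp not recorded)
BODYFILE = """\
0|/home/alice/.bash_history|131089|r/rrw-------|1000|1000|48|1299486011|1299486011|1299486011|0
0|/tmp/.x|131102|r/rrwxr-xr-x|1000|1000|8192|1299485905|1299485890|1299485905|0"""

SYSLOG_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\S+) ([^\[:\s]+)(?:\[\d+\])?:\s*(.*)$")
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_syslog(text, year=LOG_YEAR):
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, hh, mm, ss, host, prog, msg = m.groups()
        ts = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=timezone.utc)
        events.append({"ts": int(ts.timestamp()), "source": "auth.log", "desc": f"{host} {prog}: {msg}"})
    return events


def parse_bash_history(text, user="alice"):
    events, pending = [], None
    for line in text.splitlines():
        if line.startswith("#") and line[1:].isdigit():
            pending = int(line[1:])                      # HISTTIMEFORMAT stamp for the next command
        elif line.strip():
            events.append({"ts": pending, "source": "bash_history", "desc": f"{user}$ {line}"})
            pending = None
    return [e for e in events if e["ts"] is not None]   # untimed commands cannot be placed


def parse_bodyfile(text):
    """One event per distinct timestamp per file, carrying mactime's MACB flags."""
    events = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) < 11:
            continue
        name, size = f[1], f[6]
        by_time = {}
        for letter, value in zip("macb", (f[8], f[7], f[9], f[10])):   # m=mtime a=atime c=ctime b=crtime
            if int(value) > 0:
                by_time.setdefault(int(value), set()).add(letter)
        for ts, letters in by_time.items():
            macb = "".join(l if l in letters else "." for l in "macb")
            events.append({"ts": ts, "source": "bodyfile", "desc": f"{macb} {size:>6} {name}"})
    return events


def build_timeline():
    events = parse_syslog(AUTH_LOG) + parse_bash_history(BASH_HISTORY) + parse_bodyfile(BODYFILE)
    return sorted(events, key=lambda e: (e["ts"], e["source"]))


def render(events):
    return [f"{datetime.fromtimestamp(e['ts'], timezone.utc):%Y-%m-%d %H:%M:%S} "
            f"{e['source']:<12} {e['desc']}" for e in events]


if __name__ == "__main__":
    print("\n".join(render(build_timeline())))
```

Read top to bottom, the merged output shows the sshd login, the commands typed, the sudo record that corroborates one of them, the hidden file appearing in /tmp, and the .bash_history mtime coinciding with the session close: each source alone is ambiguous, the combination is not.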