Computer Forensics using Open Source Tools

Size: px

Start display at page:

Download "Computer Forensics using Open Source Tools"

Poppy Atkins
10 years ago
Views:

1 Computer Forensics using Open Source Tools COMP 5350/6350 Digital Forensics Professor: Dr. Anthony Skjellum TA: Ananya Ravipati Presenter: Rodrigo Sardinas

2 Overview Use case explanation Useful Linux Commands Kali DCFLDD Autopsy Use Case Demo Foremost Scalpel Digital Forensics Framework (DFF) Try it Yourself Slide 2 of 45

3 Slide 3 of 45 Overview Use case explanation

4 Use Case Explanation Suspect machine to examine VirtualBox to Demo Puppy Linux and Kali LiveUSB image of Kali Live (Forensics Mode) Make and hash bit-by-bit copy of machine Using DCFLDD Copy and examine dd image using various open source tools in Kali Autopsy, Foremost, Digital Forensics Framework, etc Slide 4 of 45

1.0 LiveUSB image of Kali Live (Forensics Mode) Make and hash bit-by-bit copy of

5 Overview Use case explanation Useful Linux Commands Slide 5 of 45

6 Useful Linux Commands fdisk l cd ls Working with and managing linux partitions -l option is used to view all existing partitions Change to a different directory List contents of a directory (folder) mkdir Create a folder mount Mount device to be used as a directory Slide 6 of 45

to a different directory List contents of a directory (folder) mkdir

7 Overview Use case explanation Useful Linux Commands Kali Slide 7 of 45

8 Kali Website The older, cooler name was BackTrack Debian based Mostly known for penetration testing Loaded with tools for penetration testing, digital forensics, reverse engineering Slide 8 of 45

9 Kali (cont ) Live (Forensic Mode) Internal hard disk not auto mounted Swap partition not used Previous two points verified by hashing disk before booting into Kali Live forensic mode, and checking hash after removing Kali Auto-mounting of removable media is disabled (USB thumb drives, CDs, etc ) See: Slide 9 of 45

checking hash after removing Kali Auto-mounting of removable media is disabled (USB thumb

10 Overview Use case explanation Useful Linux Commands Kali DCFLDD Slide 10 of 45

11 DCFLDD Developed by Department of Defense s Digital Computer Forensics Laboratory. A variation of dd designed to make verifiable, legally sound copies Ability to Hash on-the-fly or hash input data as it is being transferred to ensure data integrity. Split/Multiple outputs Can split output to multiple files at the same time with more configurability than the split command Piped output and logs Can send all log data and output to commands and files natively See: Slide 11 of 45

being transferred to ensure data integrity.

12 Overview Use case explanation Useful Linux Commands Kali DCFLDD Autopsy Slide 12 of 45

13 Autopsy Graphical Interface to The Sleuth Kit and other digital forensics tools Plug-in architecture allows easy addition of file analysis modules written by others or creation of your own in Java or Python Timeline analysis graphical event viewing interface Recover files from most common formats analysis Parses MBOX format messages See: _Sleuthkit.pdf Slide 13 of 45

graphical event viewing interface Recover files from most common formats Email analysis Parses MBOX format messages

14 Overview Use case explanation Useful Linux Commands Kali DCFLDD Autopsy Use Case Demo Slide 14 of 45

15 (Boot Puppy Linux from Kali iso) Slide 15 of 45

16 (Attach usb drive to Puppy Linux VM) Slide 16 of 45

17 (Boot into Live Forensic Mode) Slide 17 of 45

18 (Mount USB to write dd to) Slide 18 of 45

19 (Create and hash dd image 1) Slide 19 of 45

20 (Create and hash dd image 2) Slide 20 of 45

21 (Create and hash dd image 3) dcfldd if=/dev/sda hash=md5 of=/media/60e7- A692/puplinimage.dd conv=noerror dcfldd name of program if in file or source file hash=md5 hash + type of has to perform of out file or output file conv=noerror continue to make image even if read error occurs (bad sectors, etc ) Slide 21 of 45

22 (Create and hash dd image 4) Slide 22 of 45

23 (Create and hash dd image 5) Slide 23 of 45

24 (Create case using Autopsy 1) Slide 24 of 45

25 (Create case using Autopsy 2) Slide 25 of 45

26 (Create case using Autopsy 3) Slide 26 of 45

27 (Create case using Autopsy 4) Slide 27 of 45

28 (Create case using Autopsy 5) Slide 28 of 45

29 (Create case using Autopsy 6) Slide 29 of 45

30 (Create case using Autopsy 7) Slide 30 of 45

31 (Create case using Autopsy 8) Slide 31 of 45

32 (Create case using Autopsy 9) Slide 32 of 45

33 (Create case using Autopsy 10) Slide 33 of 45

34 (Analyzing the Image 1) Slide 34 of 45

35 (Analyzing the Image 2) Slide 35 of 45

36 (Search for Deleted Files 1) Slide 36 of 45

37 (Search for Deleted Files 2) Slide 37 of 45

38 (Search for Deleted Files 3) Slide 38 of 45

39 (Search for Deleted Files 4) Slide 39 of 45

40 Overview Use case explanation Useful Linux Commands Kali DCFLDD Autopsy Use Case Demo Foremost Scalpel Slide 40 of 45

41 Foremost and Scalpel Video Slide 41 of 45

42 Overview Use case explanation Useful Linux Commands Kali DCFLDD Autopsy Use Case Demo Foremost Scalpel Digital Forensics Framework (DFF) Slide 42 of 45

43 Digital Forensics Framework Slide 43 of 45

44 Overview Use case explanation Useful Linux Commands Kali DCFLDD Autopsy Use Case Demo Foremost Scalpel Digital Forensics Framework (DFF) Slide 44 of 45

45 Do it Yourself Downloads Kali Puppy Linux Videos Create VB Image from Puppy Linux Video does not show boot flag being set in GParted. Once you have created your partition, right click the partition, select the flags option, and check the boot option. Autopsy RecoverJPG, Foremost, Scalpel Digital Forensic Framework (DFF) Articles DCFLDD in Kali Autopsy in Kali Useful forensics tools Slide 45 of 45

Digital Forensics Tutorials Acquiring an Image with Kali dcfldd

Digital Forensics Tutorials Acquiring an Image with Kali dcfldd Explanation Section Disk Imaging Definition Disk images are used to transfer a hard drive s contents for various reasons. A disk image can