Digital Forensics using Linux and Open Source Tools



Similar documents
Digital Forensics using Linux and Open Source Tools

GNU/LINUX Forensic Case Study (ubuntu 10.04)

Computer Forensic Tools. Stefan Hager

Open Source and Incident Response

Guide to Computer Forensics and Investigations, Second Edition

Linux System Administration on Red Hat

2! Bit-stream copy. Acquisition and Tools. Planning Your Investigation. Understanding Bit-Stream Copies. Bit-stream Copies (contd.

Hands-On How-To Computer Forensics Training

Cisco Networking Academy Program Curriculum Scope & Sequence. Fundamentals of UNIX version 2.0 (July, 2002)

INCIDENT RESPONSE & COMPUTER FORENSICS, SECOND EDITION

Computer Forensics using Open Source Tools

Computing forensics: a live analysis

Digital Forensics with Open Source Tools

OPERATING SYSTEMS Software in the Background. Chapter 2

Bacula The Network Backup Solution

HARFORD COMMUNITY COLLEGE 401 Thomas Run Road Bel Air, MD Course Outline CIS INTRODUCTION TO UNIX

Computer Forensic Specialist. Course Title: Computer Forensic Specialist: Storage Device & Operating Systems

Bacula. The leading Opensource Backup Solution

Digital Forensics Tutorials Acquiring an Image with FTK Imager

Getting Started in Red Hat Linux An Overview of Red Hat Linux p. 3 Introducing Red Hat Linux p. 4 What Is Linux? p. 5 Linux's Roots in UNIX p.

Chapter 5: System Software: Operating Systems and Utility Programs

Chapter Contents. Operating System Activities. Operating System Basics. Operating System Activities. Operating System Activities 25/03/2014

ANTI-HACKER TOOL KIT. ourth Edition

DIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE. Vahidin Đaltur, Kemal Hajdarević,

Bacula The Network Backup Tool for *BSD, Linux, Mac, Unix and Windows

Forensics source: Edward Fjellskål, NorCERT, Nasjonal sikkerhetsmyndighet (NSM)

Security Incident Investigation

Linux in Law Enforcement

Bacula The Network Backup Solution

Paraben s P2C 4.1. Release Notes

After studying this lesson, you will have a clear understanding of, what an Operating System is. functions of an Operating System

A candidate following a programme of learning leading to this unit will be able to:

Click to view Web Link, click Chapter 8, Click Web Link from left navigation, then click BIOS below Chapter 8 p. 395 Fig. 8-4.

Upon completion of this chapter, you will able to answer the following questions:

The BackTrack Successor

A+ Guide to Managing and Maintaining Your PC, 7e. Chapter 2 Introducing Operating Systems

Training on Linux System Administration, LPI Certification Level 1

A+ Guide to Software: Managing, Maintaining, and Troubleshooting, 5e. Chapter 3 Installing Windows

Computers: Tools for an Information Age

Fall Lecture 1. Operating Systems: Configuration & Use CIS345. Introduction to Operating Systems. Mostafa Z. Ali. mzali@just.edu.

Unix/Linux Forensics 1

ITU Session Four: Device Imaging And Analysis. Mounir Kamal Q-CERT

Just EnCase. Presented By Larry Russell CalCPA State Technology Committee May 18, 2012

Week Overview. Running Live Linux Sending from command line scp and sftp utilities

Chapter 14 Analyzing Network Traffic. Ed Crowley

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com

Digital Forensics. Tom Pigg Executive Director Tennessee CSEC

Chapter 7A. Functions of Operating Systems. Types of Operating Systems. Operating System Basics

Where is computer forensics used?

Computer Forensics and Investigations Duration: 5 Days Courseware: CT

Linux Operating System Security

Chapter 8 Objectives. Chapter 8 Operating Systems and Utility Programs. Operating Systems. Operating Systems. Operating Systems.

Lecture 6: Operating Systems and Utility Programs

CHAPTER 15: Operating Systems: An Overview

Developing Computer Forensics Solutions for Terabyte Investigations

ADIA - The Appliance for Digital Investigation and Analysis - Fedora 17 Version

MSc Computer Security and Forensics. Examinations for / Semester 1

Design and Implementation of a Live-analysis Digital Forensic System

Digital Forensics Tutorials Acquiring an Image with Kali dcfldd

Open Source Data Recovery

Forensic Investigator. Module XI Linux Forensics

Zmanda: Open Source Backup

Linux System Administration. System Administration Tasks

Unit 10 : An Introduction to Linux OS

EnCase v7 Essential Training. Sherif Eldeeb

PARALLELS SERVER BARE METAL 5.0 README

Host Hardening. OS Vulnerability test. CERT Report on systems vulnerabilities. (March 21, 2011)

Course overview. CompTIA A+ Certification (Exam ) Official Study Guide (G188eng verdraft)

Chapter 4. Operating Systems and File Management

LSN 10 Linux Overview

Ubuntu Linux Reza Ghaffaripour May 2008

HTTP-FUSE PS3 Linux: an internet boot framework with kboot

Dr Michael Cohen. This talk does not represent my Employer. April 2005

Useful Computer Forensics Tools Updated: Jun 10, 2003

Computer Forensics Basics, First Responder, Collection of Evidence

Chapter 8 Operating Systems and Utility Programs

Capturing a Forensic Image. By Justin C. Klein Keane <jukeane@sas.upenn.edu> 12 February, 2013

A+ Guide to Managing and Maintaining Your PC, 7e. Chapter 16 Fixing Windows Problems

Open Source Security Tool Overview

How To Run Linux On Windows 7 (For A Non-Privileged User) On A Windows 7 Computer (For Non-Patty) On Your Computer (Windows) On An Unix Computer (Unix) On Windows) On The Same

Amanda The Open Source Backup & Archiving Software. Ian Turner ian@zmanda.com 11 April Copyright 2006 Zmanda, Inc. All rights reserved.

RHCSA 7RHCE Red Haf Linux Certification Practice

OHJ-1860: Software systems seminar: Used tools and mechanisms in Open Source projects

What the student will need:

Linux System Administration

Advanced SUSE Linux Enterprise Server Administration (Course 3038) Chapter 5 Manage Backup and Recovery

PTK Forensics. Dario Forte, Founder and Ceo DFLabs. The Sleuth Kit and Open Source Digital Forensics Conference

Israel Aladejebi Computer Forensics Century College Information Technology Department

Planning for an Amanda Disaster Recovery System

Security Advice for Instances in the HP Cloud

Guide to Computer Forensics and Investigations, Second Edition

Indian Efforts in Cyber Forensics

STUDY GUIDE CHAPTER 4

Linux Disaster Recovery best practices with rear

Survey of Disk Image Storage Formats

Chapter 8: On the Use of Hash Functions in. Computer Forensics

Transcription:

2 Digital Forensics using Linux and Open Source Tools Sept 26, 2005 Bruce Nikkel Overview/Goals of Seminar Provide a high level overview of forensic and investigative tools available for Linux Present advantages and disadvantages Show advantages for teaching, learning and research Show advantages for Corporate and Law Enforcement forensic labs Outline the disadvantages of Linux & OSS Target audience both forensics techies and forensics managers 3 4 Unix, Linux and Open Source Software OSS Licensing and Freedoms designed to protect the user, not the vendor freedom to modify, use, distribute freedom to learn, understand, and improve [GPL, LGPL, BSD License, GNU, FSF] Unix Philosophy book: "The UNIX Philosophy" many small tools which do one job very well piping, redirecting scripting, automating [shell, tee, >> << & > <] The Linux Environment What exactly is Linux? "Linux" is just an OS kernel the rest is additional Open Source Software together they are a "Linux Distribution" [Knoppix, Ubuntu, Redhat, Novell/SuSe] Large choice of GUI and/or commandline environments most popular are KDE and Gnome Unix-like, Mac-like, MSWindows-like, NeXT-like advanced shell environments web front-ends, GUI front-ends [KDE, Gnome, Windowmaker, bash, zsh, emacs, mc] 5 6 The Linux Environment (cont.) Forensic boot CDs fully installed Linux environment on bootable CD or DVD non-mount booting large pre-installed forensic toolset Knoppix based Most up to date (at the moment) FCCU GNU/Linux Forensic Boot CD (Belgian Federal Computer Crime Unit) Helix (US e-fense Inc.) Full installation: learning Linux -> Ubuntu, doing forensics -> Debian must strip down automount services Imaging and Evidence Acquisition Wide range of supported technologies and media ATA, SATA, SCSI, USB, Firewire cd, dvd, USB sticks, tapes, floppies, etc Forensically sound acquisition typically any sector-based storage medium accessible as a device can be safely imaged can acquire an image without mounting drive hardware write-blocker not needed for unmounted devices support for handling errors, bad blocks [dd, dcfldd, dd_rescue, sdd, AIR, sleuthkit, adepto, grab]

7 8 Imaging and Evidence Acquisition (cont.) Image handling (with piping, redirection, file desc.) compression - possible to acquire devices which are larger than the size of the investigator workstation splitting - possible to acquire an image in usable chunks secure imaging - possible to encrypt, sign, and hash while imaging [gzip, openssl, dcfldd, gnupgp, split, md5sum] Embedded and other small devices toolkits for accessing many embedded devices (but often not in the same way as disks) PDAs, ipods, digital cameras, cellphones, smartcards [pilot-link, gnupod, gnokii, opensc] Imaging and Evidence Acquisition (cont.) Evidence file formats currently raw images such as dd are the open standard Simpson Garfinkel has recently developed the Advanced Forensic Format (AFF), as an open source equivalent of the Encase.E0* files. [dd,afflib] 9 10 Managing Acquired Data/Evidence Preservation cryptographic hashing (MD5, SHA-1) investigator signing (pgp/gpg, smime) timestamping/tsa (RFC 3161) [md5sum, openssl, dcfldd, gnupg, opentsa] Packaging archive multiple files/directories vendor-independent format compressed, possibly encrypted [tar, zip, gzip, bzip, openssl, gnupg] Managing Acquired Data/Evidence (cont.) Storage long-term storage of evidence data different storage media supported (CD, DVD, Tape) backup systems [dump, tar, amanda, cdrecord] Transfer secure transfer of data/evidence inter-divisional, inter-organizational encrypted and authenticated [scp, apache-ssl, smime, pgp] 11 12 Recovery/Normalization Partitions deleted partition detection, restoration [gpart, disktype, testdisk, hexedit --sector] Files/filesystems deleted file recovery (many fs supported) slackspace recovery data carving [gpart, sleuthkit, formost, fatback, e2salvage, formost, disktype, testdisk, scrounge-ntfs, scapel, magicrescue] Recovery/Normalization (cont.) Cryptographically protected/hidden data password recovery steganography detection [fcrackzip, crack, lcrack, nasty, john the ripper, stegdetect,stegbreak, cmospwd, pwl, madussa]

13 14 Analysis Searching/filtering known-good, contraband files, NSRL/Hash databases support for powerful regular-expressions antivirus and rootkit searches [clamav, F-PROT, chkrootkit, grep, autopsy, find, swish-e, glimpse, ftimes, md5deep, hashdig] International language support, Unicode Timelining/correlation/sorting Sleuthkit produces excellent filesystem timelines [pyflag, autopsy, zeitline, sleuthkit] Analysis (cont.) Converters, editors, data dumping wide variety of hexeditors email analysis, attachments many data and log file analysis tools (cookie files, browser cache, history, etc.) [ghex, khex, hexedit, openssl, uuencode, mimedecode, hexdump, od, strings, antiword] Document/Image viewers and multimedia players wide range of tools for current and obsolete documents scriptable thumbnail, image manipulation support configurable video playback, variety of formats [openoffice, gv, xv, imagemagic, mplayer, vlc] 15 16 Mounting and Booting Suspect Images Loopback mounting acquired images in a read-only manner useful for browsing/searching Wide range of filesystem support (apple, microsoft, various unix) [mount, losetup] Virtually booting an image on a Linux PC booting a Macintosh image (MacOS9, OSX) booting Windows images Any other X86 OS image (Linux) [pearpc, VMWare*] Simulators for Running Programs Dos/Windows simulation Mac simulation Palm simulation HP48 Various unix binary support [dosemu, wine, VMWare*, pose, x48, linux-abi] 17 18 Support for Analyzing Legacy Technologies Home computers from the 80s and early 90s Sinclair ZX Spectrum, ZX81 [xzx, fuse, x81] Apple IIGS, early Mac [xgs,prodosemu, vmac, basiliskii] Commodore C64, C128, VIC20, PET, and CBM-II [vice,frodo] Amiga [uae, hatari, e-uae] AtartiST, Atari 800 [stonx, atari800] Mainframes and minis IBM System/370, ESA/390 [hercules] Dec PDP- series, Nova, and IBM 1401 [sim, klh10] Other legacy operating system support MS-DOS [doscmd, dosbox, dosemu] CPM [cpmemu] Case Management, Bookmarking, Reporting Auto generated pdf reports possible to a certain degree Integrated bookmarking support is difficult, too many separate tools Integrated reporting is also difficult when using multiple tools. Case management is often rudimentary (file/directory based) [pyflag, autopsy, sleuthkit, Latex, pdf tools]

19 20 Microsoft Specific Tools MS System tools Tools for viewing the registry Tools for the event viewer Analysis of INFO2 and Recycle bin cab files, OLE properties [ntreg, kregedit, regviewer, grokevt, rifiuti, orange,fccudocprop, ] Outlook and IE tools converting MS Outlook.pst files to plain text analyzing cache files and cookies [libpst, readpst, pasco, galleta] Network Forensics packet capturing tools [tcpdump, etherreal, tcpflow, ssldump, tcptrace, ngrep, driftnet] basic tools for Internet investigations [nslookup, dig, whois, traceroute] various other troubleshooting tools 21 22 Live system Forensics memory examination state of system and configuration logs host-based intrusion detection systems [ps, netstat, ifconfig, lsof, memdump, tripwire] Software Forensics emulators/simulators debuggers dissassemblers reverse-engineering tools [gdb, strace, coreography, fenris, truss and dtrace (Solaris)] 23 24 Non-forensic Tools for Forensics Non-forensic tools are often useful trouble shooting and debugging tools conversion and data migration tools repair tools log processing, statistics/trend tools Getting additional data from existing tools many programs have additional verbose or debugging flags can be configured to do additional logging Resources for Linux tools e-evidence.info opensourceforensics.org linux-forensics.com freshmeat.net sourceforge.net

25 26 Disadvantages of Linux in Forensics Labs Requires some retraining it takes time and effort to learn Unix/Linux command line is not as intuitive as an all-gui environment Support model is different often no formal support organization (however, the informal support is sometimes superior) support queries are often direct to the community at large, and the quality of the answers varies greatly Disadvantages of Linux in forensics labs (cont.) Interoperating with proprietary technology is hard proprietary technologies are reverse engineered, not licensed sometimes this takes time to implement maybe not be a complete implementation Volunteer development effort software maybe in perpetual state of development maybe abandoned, dead projects "rough around the edges" in some cases poorly documented (the source code might be the only documentation) 27 28 Advantages of Linux/OSS in forensics labs Software availability and accessibility software is freely available on the Internet source code is provided tools can be closely scrutinized for correctness Efficiency allows for much automation and scripting helpful in labs with high volumes of casework Optimizing and Customizing since the source can be freely modified, software can be modified to fit the requirements of a particular lab Advantages of Linux in Forensics Labs (cont.) Support ad-hoc community support can be excellent mailing lists can answer calls for help within minutes often quick implementation of patch and feature requests. Linux/OSS is ideal for an academic/lab settings it uses open, published standards, not closed or proprietary vendor-neutral strives to work together with competing groups, not against them building on previous work is encouraged interoperable/compatible across technologies, organizations, and over time 29 30 Summary Over 100 open source tools have been listed here which can be used to perform forensic and investigative work. This list is not exhaustive and many more exist, or are in development. Using Linux for corporate or law enforcement labs is viable. A complete range of functionality exists to deal with typical laboratory casework. The open, published, and free nature of open source tools lends itself well to the academic community. They are an excellent teaching/learning aid, and are well suited for open research environments. Concluding Remarks Thanks for listening If you have comments or want to contact me: nikkel@digitalforensics.ch Slides will be available at: www.digitalforensics.ch Any questions?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information