Testing bca-redtools in the BitCurator Environment


A. Downloading and Installing

Download a bca-redtools source code release from GitHub. (For this example, we'll use the v0.4.0 release. You should use the latest release, which you can find at https://github.com/bitcurator/bca-redtools/releases.) You will see options to download either the .tar.gz or the .zip version of the release. Use the .zip link.

1. Open a terminal window. Use the following commands to move the zip file to the BitCurator home directory and unzip it:

   $ mv ~/Downloads/v0.4.0.zip .
   $ unzip v0.4.0

2. In the same terminal, navigate to the libredact sub-folder, and then run the pip (Python 2.7 version) install command:

   $ cd bca-redtools-0.4.0/libredact
   $ pip2 install -e .

3. The bca-redtools source contains a small FAT32 test image with text files from Project Gutenberg, text dumps of email from the M57 forensic corpus, and several Windows executables. In the same terminal, copy this test image to your home directory (this is a convenience step to simplify the commands described here):

   $ cp ~/bca-redtools-0.4.0/libredact/test/test_image.raw ~/

4. If you would like to examine the contents of this disk image, you can do so by double-clicking on the home folder on the Desktop. Right-click on the test_image.raw file and select Scripts > Mount Disk Image. The disk image will mount read-only. After examining the contents, right-click on the image file (not the mounted disk icon) and select Scripts > Unmount Disk Image.

In the following steps, we will run the redaction tool. For the purposes of this tutorial, we will separate the various redaction actions out into discrete configuration files for clarity. In normal usage, these could be grouped together in a single configuration file (see the Quickstart Guide for additional detail and examples).

Note: This testing document covers only a small selection of the possible redaction options.

B. Generating DFXML (Optional)

You can optionally generate a Digital Forensics XML (DFXML) file for the disk image using fiwalk, in order to redact sequences that match specific types of file system metadata (for example, filenames, or files matching particular MD5 hashes).

Note: If you do not generate the fiwalk DFXML file, the DFXML will be generated automatically (and you must omit the --dfxml flag and associated filename in the subsequent steps). However, we will generate one ahead of time here to demonstrate the capabilities of the tool when working with pre-existing DFXML files.

Open a terminal (or return to your existing terminal) and type the following command:

   $ fiwalk -f -X ~/test_image_fw.xml ~/test_image.raw

C. Scrubbing a file associated with an MD5 hash

The rule in this example targets a file associated with a specific MD5 hash for redaction. The action, SCRUB, indicates that every byte associated with the file will be overwritten with zeroes.

1. Run the redaction

Create a text file called scrub-config.txt in /home/bcadmin. We will be scrubbing the Metamorphosis.txt file using its MD5. Save the following plain text content into your file:

   FILE_MD5 df19e9a0b370d47aba5c89c810b05ad3
   SCRUB
   COMMIT

Open the terminal. At the command prompt ($), type the following command:

   $ redact-cli --input=test_image.raw --dfxml=test_image_fw.xml --output=scrub-output.raw --report=scrub-report.json --config=scrub-config.txt

You should see the following confirmation message appear:

   INFO:root:Commit is ON. Will perform redactions..
   INFO:root:Finished. 1 file was redacted.

2. Verify the redaction

On the desktop, double-click on the home icon and locate the file scrub-output.raw. Right-click on scrub-output.raw, and select Scripts > Mount Disk Image. The mounted disk image should appear on the desktop. Double-click on this icon and navigate to the Metamorphosis.txt file. Right-click on Metamorphosis.txt, then select Scripts > File Analysis > View in Hex Editor. Confirm that the contents of the file have been zeroed out. After examining the contents, right-click on the image file (not the mounted disk icon) and select Scripts > Unmount Disk Image.

D. Overwriting a string sequence with a repeating character

The rule in this example overwrites any matching sequences with the byte 0x44 (the hex code for capital D in ASCII). For the example, we'll overwrite all instances of the email address pat@m57.biz, an email address that appears frequently in the test data.

1. Run the redaction

Create a text file called fill-config.txt in /home/bcadmin. Save the following plain text content into your file:

   SEQ_EQUAL pat@m57.biz
   FILL 0x44
   COMMIT

Open the terminal. At the command prompt ($), type the following command and hit enter.

Note: You can tap the up arrow key at the command prompt to show the previous command (cycling through all previous commands as you tap it additional times). You can edit the command as needed (altering file names for output, report and config) and then tap enter.

   $ redact-cli --input=test_image.raw --dfxml=test_image_fw.xml --output=fill-output.raw --report=fill-report.json --config=fill-config.txt

You should see the following confirmation message appear:

   INFO:root:Commit is ON. Will perform redactions..
   INFO:root:Finished. 16 files were redacted.

2. Verify the redaction

On the desktop, double-click on the home icon and locate the file fill-output.raw. Right-click on fill-output.raw, then select Scripts > Mount Disk Image. The mounted disk image should appear on the Desktop. Double-click on the disk image icon and navigate to email/charlie_2009-11-16_1102_received.txt (the first file listed in the email directory). Double-click on the file to open it in the gedit text editor. Confirm that the characters in pat@m57.biz have been replaced with the ASCII character D.

E. Fuzzing a binary (preventing execution)

The rule in this example fuzzes a binary, altering the bytes (but not the length of the byte sequence) so that the binary can no longer be executed (in the case of .exe files) or accessed by other programs (in the case of .dll files).

1. Run the redaction

Create a text file called fuzz-config.txt in /home/bcadmin. Save the following plain text content into your file:

   FILE_NAME_EQUAL PUTTY.EXE
   FUZZ
   COMMIT

Open the terminal. At the command prompt ($), type the following command and hit enter.

Note: As before, you can tap the up arrow key to recall the previous command and edit the file names for output, report and config before tapping enter.

   $ redact-cli --input=test_image.raw --dfxml=test_image_fw.xml --output=fuzz-output.raw --report=fuzz-report.json --config=fuzz-config.txt

You should see the following confirmation message appear:

   INFO:root:Commit is ON. Will perform redactions..
   INFO:root:Finished. 1 file was redacted.

2. Verify the redaction (Optional: the binary fuzz test requires access to a Windows machine)

On the desktop, double-click on the home icon and locate the file fuzz-output.raw. Right-click on fuzz-output.raw, then select Scripts > Mount Disk Image. Within the mounted disk image, navigate to executables/putty.exe. Copy PUTTY.EXE to a directory on a Windows computer. If you're running the BitCurator environment as a virtual machine on top of Windows, you can do this by copying PUTTY.EXE to a shared folder. On the Windows host, double-click on PUTTY.EXE to confirm that it does not execute.
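The three rule files above (sections C, D and E) share one small grammar: a condition line (FILE_MD5, FILE_NAME_EQUAL, SEQ_EQUAL) followed by an action line (SCRUB, FILL, FUZZ), with COMMIT switching the run from a dry run to an actual write. The following is an added example, not code from bca-redtools or libredact, of how such rules can be parsed, resolved to byte runs (FILE_* rules through the byte_run/hashdigest elements of a fiwalk DFXML report, SEQ_EQUAL by searching the image) and applied in place so the image never changes size. Everything in it is constructed: the TEXT and EMAIL contents, the image layout, the DFXML fragment (real fiwalk output has many more elements and may be namespaced, which is why tags are matched on local name), and TEXT_MD5, which plays the role of the df19e9a0... hash in section C. The grammar, the case-insensitive basename match for FILE_NAME_EQUAL (how PUTTY.EXE would match executables/putty.exe), and the dry-run meaning of a missing COMMIT are assumptions drawn from this page; FUZZ is accepted by the parser but not applied, because the page does not say how it alters bytes.

```python
# Added example, not bca-redtools/libredact code: the rule grammar of the config
# files above, resolved to byte runs and applied as SCRUB/FILL without resizing.
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-ins for test_image.raw and the fiwalk DFXML report.
TEXT = b"One morning, when Gregor Samsa woke from troubled dreams.\n"
EMAIL = b"From: pat@m57.biz\nTo: charlie@m57.biz\nRe: pat@m57.biz\n"
TEXT_OFF, EMAIL_OFF = 512, 1024            # where the fake image stores them
TEXT_MD5 = hashlib.md5(TEXT).hexdigest()   # stands in for df19e9a0... above

def make_image():
    img = bytearray(b"\xAA" * 2048)
    img[TEXT_OFF:TEXT_OFF + len(TEXT)], img[EMAIL_OFF:EMAIL_OFF + len(EMAIL)] = TEXT, EMAIL
    return img

# Minimal DFXML fragment; real fiwalk output may be namespaced, so match local names.
DFXML = f"""<dfxml><volume offset="0"><fileobject>
<filename>Metamorphosis.txt</filename>
<byte_runs><byte_run file_offset="0" img_offset="{TEXT_OFF}" len="{len(TEXT)}"/></byte_runs>
<hashdigest type="md5">{TEXT_MD5}</hashdigest>
</fileobject></volume></dfxml>"""
CONFIG = f"FILE_MD5 {TEXT_MD5}\nSCRUB\nSEQ_EQUAL pat@m57.biz\nFILL 0x44\nCOMMIT\n"
CONDITIONS = ("FILE_MD5", "FILE_NAME_EQUAL", "SEQ_EQUAL")
ACTIONS = ("SCRUB", "FILL", "FUZZ")

def parse_config(text):
    """([(condition, arg, action, fill_byte)], commit). Grammar assumed from the
    page: a condition line, then an action line; COMMIT enables writing."""
    rules, pending, commit = [], None, False
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, arg = parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "COMMIT":
            commit = True
        elif key in CONDITIONS:
            if pending or not arg:
                raise ValueError(f"line {n}: {key} needs an argument and an action")
            pending = (key, arg)
        elif key in ACTIONS:
            if pending is None:
                raise ValueError(f"line {n}: {key} has no preceding condition")
            fill = int(arg, 16) if key == "FILL" else None   # "0x44" -> 68
            rules.append((pending[0], pending[1], key, fill))
            pending = None
        else:
            raise ValueError(f"line {n}: unknown keyword {key!r}")
    if pending:
        raise ValueError("config ends with a condition that has no action")
    return rules, commit

def _local(tag): return tag.rsplit("}", 1)[-1]
def dfxml_runs(dfxml, cond, arg):
    """(img_offset, len) runs of each fileobject matching a FILE_* rule. Assumed:
    FILE_NAME_EQUAL compares basenames case-insensitively (PUTTY.EXE vs putty.exe)."""
    runs = []
    for fo in ET.fromstring(dfxml).iter():
        if _local(fo.tag) != "fileobject":
            continue
        name, md5, fo_runs = "", "", []
        for el in fo.iter():
            t = _local(el.tag)
            if t == "filename":
                name = (el.text or "").strip().rsplit("/", 1)[-1]
            elif t == "hashdigest" and el.get("type", "").lower() == "md5":
                md5 = (el.text or "").strip().lower()
            elif t == "byte_run" and el.get("img_offset") is not None:
                fo_runs.append((int(el.get("img_offset")), int(el.get("len"))))
        if (cond == "FILE_MD5" and md5 == arg.lower()) or \
           (cond == "FILE_NAME_EQUAL" and name.upper() == arg.upper()):
            runs.extend(fo_runs)
    return runs

def sequence_runs(image, needle):
    """Every non-overlapping occurrence of needle, as (offset, len)."""
    runs, pos = [], image.find(needle)
    while pos != -1:
        runs.append((pos, len(needle)))
        pos = image.find(needle, pos + len(needle))
    return runs

def redact(image, dfxml, config_text):
    """Apply the config to a bytearray in place (its length never changes) and
    return ([(condition, arg, action, hits)], commit); no COMMIT = count only."""
    rules, commit = parse_config(config_text)
    report = []
    for cond, arg, action, fill in rules:
        if action == "FUZZ":   # the page does not describe FUZZ's byte changes
            raise NotImplementedError("FUZZ is not modelled in this example")
        runs = (sequence_runs(image, arg.encode()) if cond == "SEQ_EQUAL"
                else dfxml_runs(dfxml, cond, arg))
        for off, length in runs:
            if off + length > len(image):   # slice-assigning past the end would grow it
                raise ValueError(f"run {off}+{length} lies outside the image")
            if commit:
                image[off:off + length] = bytes([fill if action == "FILL" else 0]) * length
        report.append((cond, arg, action, len(runs)))
    return report, commit
```

Calling redact(make_image(), DFXML, CONFIG) reports one run for the MD5 rule and two for the address, zeroes the text file's bytes and turns every pat@m57.biz into eleven D bytes while charlie@m57.biz and the padding around both are untouched. Running the same config with COMMIT removed reports the same counts but leaves the image byte-for-byte identical, which is the dry run worth doing before committing against a real image.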

F. Using the graphical interface

The bca-redtools source code includes a GUI front-end to the functionality described in the previous sections.

1. Start the GUI by typing the following command in a terminal:

   $ redact-gui

2. In this test, we will perform the SCRUB action. We'll create a new scrub configuration file and a new output file to demonstrate the process, even though we'll be scrubbing the same file from the raw disk image. In the Disk Image Redaction window, click Open Editor (top right section). A gedit text editing window will appear. Add the following lines:

   INPUT_FILE /home/bcadmin/test_image.raw
   OUTPUT_FILE /home/bcadmin/scrub_output2.raw
   FILE_MD5 df19e9a0b370d47aba5c89c810b05ad3
   SCRUB
   COMMIT

Do not click Save; this will simply save the file with the default name, None. Instead, move your cursor to the gedit menu bar, select File > Save As, and save the file as scrub_config2.txt in the /home/bcadmin directory. Click Save in the file dialog, then close the gedit window. Click OK to dismiss the final reminder dialog.

3. Now click Select File.., and in the file dialog select the scrub_config2.txt file you just created in /home/bcadmin. Click Run, and the application should apply the redaction, generating feedback on the process in the Console Output window.

4. Verify the redaction

On the desktop, double-click on the home icon and locate the file scrub_output2.raw (the OUTPUT_FILE named in the configuration). Right-click on scrub_output2.raw, and select Scripts > Mount Disk Image. The mounted disk image should appear on the desktop. Double-click on this icon and navigate to the Metamorphosis.txt file. Right-click on Metamorphosis.txt, then select Scripts > File Analysis > View in Hex Editor. Confirm that the contents of the file have been zeroed out. After examining the contents, right-click on the image file (not the mounted disk icon) and select Scripts > Unmount Disk Image.

G. Redacting matches from an annotated bulk_extractor report

Another interface to the redaction library, redact-bulk, operates similarly to redact-cli, but redacts items directly from a bulk_extractor report (which can be generated using bulk_extractor or BEViewer, both of which are built in to BitCurator).

We will use a previously prepared bulk_extractor report to perform the redaction in this example.

1. In a terminal, copy this sample report to your home directory (this is a convenience step to simplify the commands described here):

   $ cp ~/bca-redtools-0.4.0/libredact/bulk_redact/email.txt ~/

2. By default, redact-bulk will perform a SCRUB operation, filling the identified sequences with zeros. You can view other options by running redact-bulk -h on the command line. In this example, we will run it against the complete contents of email.txt with default settings. Note that we do not require a configuration file for this test.

IMPORTANT: redact-bulk will use the input file (disk image) path from the comment at the top of a given annotated bulk_extractor report. If the disk image is no longer at that path, you must edit the comment to match the current location. The sample report here expects the disk image to exist at /home/bcadmin/test_image.raw.

In the terminal, type the following command and hit enter:

   $ redact-bulk --output=email-output.raw email.txt

You should see the following confirmation message appear:

   INFO:root:Commit is ON. Will perform redactions..
   INFO:root:Finished. 1 file was redacted.

3. Verify the redaction

On the desktop, double-click on the home icon and locate the file email-output.raw. Right-click on email-output.raw, and select Scripts > File Analysis > View in Hex Editor. Confirm that the email addresses at the associated offsets have been zeroed out.
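What redact-bulk consumes, and why the IMPORTANT note above matters, as an added example that is not redact-bulk's own code: it parses a constructed annotated bulk_extractor feature file, takes the image path from the "# Filename:" header comment, and zeroes each feature at the offset the report gives. Two checks a practitioner wants are built in: the bytes at the reported offset must actually equal the feature before anything is written (a mismatch is the symptom of the report having been generated from a different or since-modified image), and rows whose offset is a forensic path such as 4096-ZIP-10 (a feature found inside decoded or decompressed data) are skipped and reported rather than treated as raw image offsets. The header lines follow the layout of bulk_extractor feature files and the image path is the page's /home/bcadmin/test_image.raw; the image bytes, offsets and rows are constructed for the example.

```python
# Added example, not redact-bulk's own code: scrub features at the offsets an
# annotated bulk_extractor feature file reports, with sanity checks.
import re

# Constructed image: two email addresses at known offsets, zero padding around.
IMAGE = bytearray(b"\x00" * 64 + b"mail pat@m57.biz now" + b"\x00" * 32
                  + b"cc charlie@m57.biz" + b"\x00" * 16)

# Constructed feature file in the bulk_extractor layout: "#" header comments
# (the "# Filename:" one names the image the report was made from), then
# tab-separated offset / feature / context rows.
FEATURE_FILE = (
    "# BANNER FILE NOT PROVIDED (-b option)\n"
    "# Feature-Recorder: email\n"
    "# Filename: /home/bcadmin/test_image.raw\n"
    "# Feature-File-Version: 1.1\n"
    "69\tpat@m57.biz\tmail pat@m57.biz now\n"
    "119\tcharlie@m57.biz\tcc charlie@m57.biz\n"
    "4096-ZIP-10\tzipped@example.org\tPK\\x03\\x04\n"   # forensic path, not a raw offset
)

def parse_feature_file(text):
    """Return (image_path, [(offset, feature_bytes)], skipped_forensic_paths)."""
    image_path, features, skipped = None, [], []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*Filename:\s*(.+)$", line)
            if m:
                image_path = m.group(1).strip()
            continue
        cols = line.split("\t")
        if len(cols) < 2:
            raise ValueError(f"malformed feature row: {line!r}")
        offset, feature = cols[0], cols[1]
        if not offset.isdigit():
            skipped.append(offset)      # e.g. 4096-ZIP-10: lives inside decoded data
            continue
        features.append((int(offset), feature.encode("utf-8")))
    return image_path, features, skipped

def scrub_features(image, features):
    """Zero each feature in place and return the count. Refuses to write when
    the bytes at the reported offset differ from the feature: the report then
    belongs to a different (or moved and replaced) image than the one given."""
    redacted = 0
    for off, feat in features:
        end = off + len(feat)
        if end > len(image) or bytes(image[off:end]) != feat:
            raise ValueError(f"image bytes at offset {off} do not match feature {feat!r}")
        image[off:end] = b"\x00" * len(feat)
        redacted += 1
    return redacted

def run_demo():
    """Parse the constructed report and scrub a copy of the constructed image."""
    path, feats, skipped = parse_feature_file(FEATURE_FILE)
    image = bytearray(IMAGE)
    n = scrub_features(image, feats)
    return {"path": path, "redacted": n, "skipped": skipped, "image": bytes(image)}
```

run_demo() reports the image path from the header, two features redacted and one forensic-path row skipped; the surrounding bytes ("mail ", " now", "cc ") and the image length are unchanged, which is what the hex-editor check in step 3 confirms on the real output file. The offset-mismatch check is also the quickest way to notice that the "# Filename:" comment points at the wrong image before any bytes are overwritten.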