Computer Forensics using Open Source Tools



Similar documents
Digital Forensics Tutorials Acquiring an Image with Kali dcfldd

Capturing a Forensic Image. By Justin C. Klein Keane <jukeane@sas.upenn.edu> 12 February, 2013

The BackTrack Successor

Recover Data Like a Forensics Expert Using an Ubuntu Live CD

Computer Forensic Tools. Stefan Hager

Forensics source: Edward Fjellskål, NorCERT, Nasjonal sikkerhetsmyndighet (NSM)

2! Bit-stream copy. Acquisition and Tools. Planning Your Investigation. Understanding Bit-Stream Copies. Bit-stream Copies (contd.

Digital Forensics with Open Source Tools

Advanced Registry Forensics with Registry Decoder. Dr. Vico Marziale Sleuth Kit and Open Source Digital Forensics Conference /03/2012

Security Incident Investigation

Buildroot for Vortex86EX (2016/04/20)

Forensic Imaging and Artifacts analysis of Linux & Mac (EXT & HFS+)

Bringing the Eko VM Home (302)

Navigating the Rescue Mode for Linux

Accessing RCS IBM Console in Windows Using Linux Virtual Machine

DIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE. Vahidin Đaltur, Kemal Hajdarević,

Linux Overview. The Senator Patrick Leahy Center for Digital Investigation. Champlain College. Written by: Josh Lowery

GNU/LINUX Forensic Case Study (ubuntu 10.04)

USB 2.0 Flash Drive User Manual

Creating a Linux Virtual Machine using Virtual Box

Installing Windows On A Macintosh Or Linux Using A Virtual Machine

Using Red Hat Enterprise Linux with Georgia Tech's RHN Satellite Server Installing Red Hat Enterprise Linux

Backtrack 4 Bootable USB Thumb Drive with Full Disk Encryption

ThinkServer RD550 and RD650 Operating System Installation Guide

Team Members: Jared Romano, Rachael Dinger, Chris Jones, Miles Kelly Supervising Professor: Dr. George Collins Industry Advisor: Dr.

Where is computer forensics used?

Symantec Cyber Readiness Challenge Player s Manual

Digital Forensics Tutorials Acquiring an Image with FTK Imager

Katana: Portable Multi-Boot Security Suite. JP Dunning DefCon Shadow Cave LLC

EXPLORING LINUX KERNEL: THE EASY WAY!

Digital Forensics Lecture 3. Hard Disk Drive (HDD) Media Forensics

Digital Forensics. Module 4 CS 996

ECT362 Installing Linux Virtual Machine in KL322

HOWTO configure Xinu under Virtual Box

Using Symantec NetBackup with Symantec Security Information Manager 4.5

Installing Windows 98 in Windows Virtual PC 7 (Windows Virtual PC)

Linux Development Environment Description Based on VirtualBox Structure

Using Keil software with Linux via VirtualBox

Installing Ubuntu inside Windows using VirtualBox

Abstract. Microsoft Corporation Published: August 2009

Technical Procedure for Evidence Search

How to Backup XenServer VM with VirtualIQ

Procedure to Create and Duplicate Master LiveUSB Stick

APPLICATION NOTE. How to build pylon applications for ARM

Easy Setup Guide 1&1 CLOUD SERVER. Creating Backups. for Linux

Full version is >>> HERE <<<

BackTrack Hard Drive Installation

Acronis Backup & Recovery 10 Server for Linux. Update 5. Installation Guide

Recovering Data from Windows Systems by Using Linux

Operating System Installation Guide

II. Installing Debian Linux:

How to Restore a Linux Server Using Bare Metal Restore

The 2013 Experimental Warning Program (EWP) Virtual Weather Event Simulator (WES) Windows & Linux Installation Documentation

Configuring Your Gateman File Server

Lukas Limacher Department of Computer Science, ETH. Computer Forensics. September 25, 2014

INSTALL ZENTYAL SERVER

Installing Proview on an Windows XP machine

Acronis Backup & Recovery 10 Server for Linux. Installation Guide

Lab III: Unix File Recovery Data Unit Level

Make a Bootable USB Flash Drive from the Restored Edition of Hiren s Boot CD

Recovering Data from Windows Systems by Using Linux

Understanding Backup and Recovery Methods

Acronis Backup & Recovery 10 Server for Linux. Quick Start Guide

v4: How to create a BartPE Rescue CD for Macrium Reflect

NAS 249 Virtual Machine Configuration with VirtualBox

Open Source Data Recovery

ThinkServer RD540 and RD640 Operating System Installation Guide

Restoring a Suse Linux Enterprise Server 9 64 Bit on Dissimilar Hardware with CBMR for Linux 1.02

CS197U: A Hands on Introduction to Unix

INSTALLING MALTED 3.0 IN LINUX MALTED: INSTALLING THE SYSTEM IN LINUX. Installing Malted 3.0 in LINUX

Restoring a Windows 8.1 system from complete HDD failure - drivesnapshot

Acronis Backup & Recovery 10 Server for Windows. Installation Guide

Getting Started with Paragon Recovery CD. Quick Guide

Bare Metal Recovery Quick Start Guide

Acronis Backup & Recovery 10 Workstation. Installation Guide

Bare Metal Backup And Restore

FORENSIC ARTIFACTS FROM A PASS THE HASH (PTH) ATTACK BY: GERARD LAYGUI

How you configure Iscsi target using starwind free Nas software & configure Iscsi initiator on Oracle Linux 6.4

HTTP-FUSE PS3 Linux: an internet boot framework with kboot

A+ Guide to Managing and Maintaining Your PC, 7e. Chapter 16 Fixing Windows Problems

User Guide. Version 3.0

How To Install A Safesync On A Server

Mac Marshal: A Tool for Mac OS X Operating System and Application Forensics

ARMSDK-VM Virtual Appliance A preconfigured Linux system

Comparing and Contrasting Windows and Linux Forensics. Zlatko Jovanovic. International Academy of Design and Technology

INF 111 / CSE 121. Homework 4: Subversion Due Tuesday, July 14, 2009

NETFORT LANGUARDIAN INSTALLING LANGUARDIAN ON MICROSOFT HYPER V

USB Bare Metal Restore: Getting Started

10 STEPS TO YOUR FIRST QNX PROGRAM. QUICKSTART GUIDE Second Edition

COEN 152 / 252 Lab Exercise 1. Imaging, Hex Editors & File Types

User Manual. 2 ) PNY Flash drive 2.0 Series Specification Page 3

How To Install An Org Vm Server On A Virtual Box On An Ubuntu (Orchestra) On A Windows Box On A Microsoft Zephyrus (Orroster) 2.5 (Orner)

Installing VMware Tools on Clearswift v4 Gateways

Installing Sun's VirtualBox on Windows XP and setting up an Ubuntu VM

Retrospect 7.7 User s Guide Addendum

Release Notes for Fuel and Fuel Web Version 3.0.1

Kernel. What is an Operating System? Systems Software and Application Software. The core of an OS is called kernel, which. Module 9: Operating Systems

Oracle VM Server Recovery Guide. Version 8.2

Transcription:

Computer Forensics using Open Source Tools COMP 5350/6350 Digital Forensics Professor: Dr. Anthony Skjellum TA: Ananya Ravipati Presenter: Rodrigo Sardinas

Overview Use case explanation Useful Linux Commands Kali DCFLDD Autopsy Use Case Demo Foremost Scalpel Digital Forensics Framework (DFF) Try it Yourself Slide 2 of 45

Slide 3 of 45 Overview Use case explanation

Use Case Explanation Suspect machine to examine VirtualBox to Demo Puppy Linux and Kali 1.1.0 LiveUSB image of Kali Live (Forensics Mode) Make and hash bit-by-bit copy of machine Using DCFLDD Copy and examine dd image using various open source tools in Kali Autopsy, Foremost, Digital Forensics Framework, etc Slide 4 of 45

Overview Use case explanation Useful Linux Commands Slide 5 of 45

Useful Linux Commands fdisk l cd ls Working with and managing linux partitions -l option is used to view all existing partitions Change to a different directory List contents of a directory (folder) mkdir Create a folder mount Mount device to be used as a directory Slide 6 of 45

Overview Use case explanation Useful Linux Commands Kali Slide 7 of 45

Kali Website The older, cooler name was BackTrack Debian based Mostly known for penetration testing Loaded with tools for penetration testing, digital forensics, reverse engineering Slide 8 of 45

Kali (cont ) Live (Forensic Mode) Internal hard disk not auto mounted Swap partition not used Previous two points verified by hashing disk before booting into Kali Live forensic mode, and checking hash after removing Kali Auto-mounting of removable media is disabled (USB thumb drives, CDs, etc ) See: http://docs.kali.org/general-use/kali-linuxforensics-mode Slide 9 of 45

Overview Use case explanation Useful Linux Commands Kali DCFLDD Slide 10 of 45

DCFLDD Developed by Department of Defense s Digital Computer Forensics Laboratory. A variation of dd designed to make verifiable, legally sound copies Ability to Hash on-the-fly or hash input data as it is being transferred to ensure data integrity. Split/Multiple outputs Can split output to multiple files at the same time with more configurability than the split command Piped output and logs Can send all log data and output to commands and files natively See: http://dcfldd.sourceforge.net/ Slide 11 of 45

Overview Use case explanation Useful Linux Commands Kali DCFLDD Autopsy Slide 12 of 45

Autopsy Graphical Interface to The Sleuth Kit and other digital forensics tools Plug-in architecture allows easy addition of file analysis modules written by others or creation of your own in Java or Python Timeline analysis graphical event viewing interface Recover files from most common formats Email analysis Parses MBOX format messages See: http://nest.unm.edu/files/8813/9252/1107/tutorial_6_-_kali_linux_- _Sleuthkit.pdf http://www.sleuthkit.org/index.php Slide 13 of 45

Overview Use case explanation Useful Linux Commands Kali DCFLDD Autopsy Use Case Demo Slide 14 of 45

(Boot Puppy Linux from Kali iso) Slide 15 of 45

(Attach usb drive to Puppy Linux VM) Slide 16 of 45

(Boot into Live Forensic Mode) Slide 17 of 45

(Mount USB to write dd to) Slide 18 of 45

(Create and hash dd image 1) Slide 19 of 45

(Create and hash dd image 2) Slide 20 of 45

(Create and hash dd image 3) dcfldd if=/dev/sda hash=md5 of=/media/60e7- A692/puplinimage.dd conv=noerror dcfldd name of program if in file or source file hash=md5 hash + type of has to perform of out file or output file conv=noerror continue to make image even if read error occurs (bad sectors, etc ) Slide 21 of 45

(Create and hash dd image 4) Slide 22 of 45

(Create and hash dd image 5) Slide 23 of 45

(Create case using Autopsy 1) Slide 24 of 45

(Create case using Autopsy 2) Slide 25 of 45

(Create case using Autopsy 3) Slide 26 of 45

(Create case using Autopsy 4) Slide 27 of 45

(Create case using Autopsy 5) Slide 28 of 45

(Create case using Autopsy 6) Slide 29 of 45

(Create case using Autopsy 7) Slide 30 of 45

(Create case using Autopsy 8) Slide 31 of 45

(Create case using Autopsy 9) Slide 32 of 45

(Create case using Autopsy 10) Slide 33 of 45

(Analyzing the Image 1) Slide 34 of 45

(Analyzing the Image 2) Slide 35 of 45

(Search for Deleted Files 1) Slide 36 of 45

(Search for Deleted Files 2) Slide 37 of 45

(Search for Deleted Files 3) Slide 38 of 45

(Search for Deleted Files 4) Slide 39 of 45

Overview Use case explanation Useful Linux Commands Kali DCFLDD Autopsy Use Case Demo Foremost Scalpel Slide 40 of 45

Foremost and Scalpel Video Slide 41 of 45

Overview Use case explanation Useful Linux Commands Kali DCFLDD Autopsy Use Case Demo Foremost Scalpel Digital Forensics Framework (DFF) Slide 42 of 45

Digital Forensics Framework Slide 43 of 45

Overview Use case explanation Useful Linux Commands Kali DCFLDD Autopsy Use Case Demo Foremost Scalpel Digital Forensics Framework (DFF) Slide 44 of 45

Do it Yourself Downloads Kali Puppy Linux Videos Create VB Image from Puppy Linux Video does not show boot flag being set in GParted. Once you have created your partition, right click the partition, select the flags option, and check the boot option. Autopsy RecoverJPG, Foremost, Scalpel Digital Forensic Framework (DFF) Articles DCFLDD in Kali Autopsy in Kali Useful forensics tools Slide 45 of 45

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information