<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://wiki.yobi.be/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Ipefix</id>
	<title>YobiWiki - User contributions [en]</title>
	<link rel="self" type="application/atom+xml" href="https://wiki.yobi.be/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Ipefix"/>
	<link rel="alternate" type="text/html" href="https://wiki.yobi.be/index.php?title=Special:Contributions/Ipefix"/>
	<updated>2026-07-08T07:48:44Z</updated>
	<subtitle>User contributions</subtitle>
	<generator>MediaWiki 1.43.9</generator>
	<entry>
		<id>https://wiki.yobi.be/index.php?title=Forensics&amp;diff=6989</id>
		<title>Forensics</title>
		<link rel="alternate" type="text/html" href="https://wiki.yobi.be/index.php?title=Forensics&amp;diff=6989"/>
		<updated>2011-02-28T14:08:59Z</updated>

		<summary type="html">&lt;p&gt;Ipefix: /* On live systems */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Books ==&lt;br /&gt;
* [http://www.porcupine.org/forensics/forensic-discovery/ Forensics Discovery]&lt;br /&gt;
== Links ==&lt;br /&gt;
&lt;br /&gt;
* http://www.d-fence.be and http://www.lnx4n6.be&lt;br /&gt;
** Among others the excellent FCCU GNU/Linux Forensic Boot CD, based on Knoppix&lt;br /&gt;
** Tip to mound soft RAID arrays: modprobe md-mod ; mdadm -Aa /dev/md0 /dev/hdaX /dev/sdaX (list of array partitions)&lt;br /&gt;
* [http://www.foo.be/gt/forensic/ Présentation d&#039;adulau]&lt;br /&gt;
* http://cve.mitre.org&lt;br /&gt;
* http://www.porcupine.org (Wieste Venema/TCT)&lt;br /&gt;
* [http://public.afosi.amc.af.mil U.S AirForce Office of Special Investigations]&lt;br /&gt;
* http://www.forensicswiki.org&lt;br /&gt;
&lt;br /&gt;
== Lists ==&lt;br /&gt;
&lt;br /&gt;
* http://groups.yahoo.com/group/linux_forensics/&lt;br /&gt;
&lt;br /&gt;
== Tools ==&lt;br /&gt;
See also [https://infond.fr/wiki/Outils_Analyse_Forensique this list] (fr)&lt;br /&gt;
=== Generic forensic tools ===&lt;br /&gt;
* &#039;&#039;&#039;[http://www.porcupine.org/forensics/tct.html The Coroner Toolkit]&#039;&#039;&#039;&lt;br /&gt;
** apt-get install tct&lt;br /&gt;
** &#039;&#039;&#039;grave-robber&#039;&#039;&#039;: collecte d&#039;infos et empreinte -&amp;gt; /var/cache/tct/data&lt;br /&gt;
** &#039;&#039;&#039;lazarus&#039;&#039;&#039;: reconstitue les fichiers présents dans les clusters non référencés&lt;br /&gt;
** &#039;&#039;&#039;mactime&#039;&#039;&#039;: liste les fichiers dont le mactime a été modifié depuis une certaine date&lt;br /&gt;
* &#039;&#039;&#039;[http://sleuthkit.sourceforge.net/sleuthkit/index.php Sleuthkit]&#039;&#039;&#039; &amp;amp; &#039;&#039;&#039;Autopsy&#039;&#039;&#039; (GUI)&lt;br /&gt;
** apt-get install sleuthkit&lt;br /&gt;
** apt-get install autopsy&lt;br /&gt;
** [http://sleuthkit.sourceforge.net/sleuthkit/tools.php A lot] of tools&lt;br /&gt;
** Some [http://sleuthkit.sourceforge.net/informer/ very nice articles] online to learn how to use them.&lt;br /&gt;
&lt;br /&gt;
=== On live systems ===&lt;br /&gt;
* &#039;&#039;&#039;[http://staff.washington.edu/dittrich/talks/blackhat/blackhat/cryogenic.c Cryogenic.c]&#039;&#039;&#039;&lt;br /&gt;
** Captures process information stored in Linux&#039;s Proc_fs on a best effort basis&lt;br /&gt;
* &#039;&#039;&#039;[http://www.chkrootkit.org Chkrootkit]&#039;&#039;&#039;&lt;br /&gt;
** Checks for signs of rootkits on the local system&lt;br /&gt;
** apt-get install chkrootkit&lt;br /&gt;
** &#039;&#039;&#039;chkdirs&#039;&#039;&#039;: détecte les anomalies entre le nombre de liens d&#039;un répertoire père et le nombre de sous-répertoires de ce dernier&lt;br /&gt;
** &#039;&#039;&#039;chkprocs&#039;&#039;&#039;: compare le contenu du répertoire /proc avec la sortie de la commande ps&lt;br /&gt;
* &#039;&#039;&#039;[http://www.unhide-forensics.info Unhide]&#039;&#039;&#039;&lt;br /&gt;
** Detecting hidden processes&lt;br /&gt;
** apt-get install unhide&lt;br /&gt;
* &#039;&#039;&#039;Kstat&#039;&#039;&#039;&lt;br /&gt;
** Détecte le détournement d&#039;appels systèmes&lt;br /&gt;
** wget http://s0ftpj.org/tools/kstat24_v1.1-2.tgz&lt;br /&gt;
* Less intrusive: mem dump via &#039;&#039;&#039;Firewire&#039;&#039;&#039;&lt;br /&gt;
** Presentation by A. Boileau: [http://www.security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf Hit by a Bus: Physical Access Attacks with Firewire (PDF)]&lt;br /&gt;
** [http://www.storm.net.nz/projects/16 More on his page]&lt;br /&gt;
* [http://wiki.yobi.be/wiki/Debian_Commands#System_management Cruft]&lt;br /&gt;
** Not a forensics tool per se but of great help to find files in the system directories that are not coming from legit Debian packages&lt;br /&gt;
&lt;br /&gt;
=== Dumping data supports ===&lt;br /&gt;
* &#039;&#039;&#039;[http://www.gnu.org/software/ddrescue/ddrescue.html ddrescue]&#039;&#039;&#039;&lt;br /&gt;
** apt-get install gddrescue&lt;br /&gt;
** Seems to work better than the next one (not to be confounded with...)&lt;br /&gt;
* &#039;&#039;&#039;[http://www.garloff.de/kurt/linux/ddrescue/ dd_rescue]&#039;&#039;&#039;&lt;br /&gt;
** apt-get install ddrescue&lt;br /&gt;
* &#039;&#039;&#039;[http://www.ferzkopp.net/Software/CloneIt/CloneIt.html CloneIt]&#039;&#039;&#039;&lt;br /&gt;
** Networked Harddisk Replication System&lt;br /&gt;
** cf also netcat on [[Network security tools]]&lt;br /&gt;
* &#039;&#039;&#039;[http://www.heise.de/ct/05/16/links/078.shtml H2cdimage]&#039;&#039;&#039;&lt;br /&gt;
** To recover badly damaged CD/DVDs&lt;br /&gt;
* &#039;&#039;&#039;[http://www.chrysocome.net/dd dd for Windows]&#039;&#039;&#039;&lt;br /&gt;
 dd --list&lt;br /&gt;
 dd if=\\?\Device\Harddisk1\Partition0 of=c:\temp\usb2.img bs=1M --size --progress&lt;br /&gt;
&lt;br /&gt;
=== Guessing the filesystem used ===&lt;br /&gt;
* testdisk&lt;br /&gt;
** apt-get install testdisk&lt;br /&gt;
* gpart&lt;br /&gt;
** apt-get install gpart&lt;br /&gt;
* disktype&lt;br /&gt;
** apt-get install disktype&lt;br /&gt;
&lt;br /&gt;
=== Recovering files from filesystems ===&lt;br /&gt;
==== LVM ====&lt;br /&gt;
If the harddrive is using LVM, cf http://www.knoppix.net/wiki/LVM2 to activate the volumes and be able to mount them.&lt;br /&gt;
==== From ISO9660 ====&lt;br /&gt;
* &#039;&#039;&#039;[http://www.heise.de/ct/05/16/links/078.shtml dares]&#039;&#039;&#039;&lt;br /&gt;
** Description: rescue files from damaged CDs and DVDs (ncurses-interface)&amp;lt;br&amp;gt;Dares scans a CD/DVD image or a CD/DVD for files. This also works when the filesystem (ISO-9660 or UDF) on the disc is damaged and cannot be mounted anymore.&lt;br /&gt;
** apt-get install dares&lt;br /&gt;
** Note that it helps recovering a &#039;&#039;logically&#039;&#039; damaged image, if the disk is physically damaged, first use sth like gddrescue to cope with IO errors.&lt;br /&gt;
==== From ext2 ====&lt;br /&gt;
* e2undel&lt;br /&gt;
** apt-get install e2undel&lt;br /&gt;
* recover (and gtkrecover)&lt;br /&gt;
** apt-get install recover&lt;br /&gt;
====Agnostic (any fs)====&lt;br /&gt;
* &#039;&#039;&#039;[http://foremost.sourceforge.net/ foremost]&#039;&#039;&#039;&lt;br /&gt;
** linux only&lt;br /&gt;
** Description: a forensics application to recover data&amp;lt;br&amp;gt;foremost is a console program to recover files based on their headers and footers for forensics purposes.&amp;lt;br&amp;gt; foremost can work on disk image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for.&lt;br /&gt;
** apt-get install foremost&lt;br /&gt;
** Very good, nice progression report&lt;br /&gt;
** Default blocksize 512&lt;br /&gt;
** Doesn&#039;t recover partial files&lt;br /&gt;
 foremost -t avi -t mpg -t wmv -t mov -q -v -i image.img -o /path/recovered&lt;br /&gt;
* &#039;&#039;&#039;[http://www.itu.dk/people/jobr/magicrescue/ Magic Rescue]&#039;&#039;&#039;&lt;br /&gt;
** linux only&lt;br /&gt;
** apt-get install magicrescue&lt;br /&gt;
** Same purpose than foremost, very fast (but I didn&#039;t have yet the chance to compare it to foremost), no false positive, but less formats supported&lt;br /&gt;
** Needs external tools depending on file type, e.g. jpegtran to recover jpegs&lt;br /&gt;
** Comes with &#039;&#039;&#039;dupemap&#039;&#039;&#039;, a very handy tool to delete duplicates in recovered files (can work also against a backup to keep only new recovered files).&amp;lt;br&amp;gt;Example: dupemap delete,report /path/recovered&lt;br /&gt;
** Default blocksize=1, very slow if you don&#039;t need it =&amp;gt; option -b 512&lt;br /&gt;
** Recover partial files too&lt;br /&gt;
** WARNING: recovered jpeg files are 16 bytes too large than the original files in my experience&lt;br /&gt;
 mkdir /path/recovered&lt;br /&gt;
 dpkg -L magicrescue|grep recipes/&lt;br /&gt;
 magicrescue -r /usr/share/magicrescue/recipes/jpeg-exif -r /usr/share/magicrescue/recipes/jpeg-jfif -d /path/recovered -b 512 image.img&lt;br /&gt;
* &#039;&#039;&#039;[http://www.rfc1149.net/devel/recoverjpeg recoverjpeg]&#039;&#039;&#039;&lt;br /&gt;
** linux only&lt;br /&gt;
** apt-get install recoverjpeg&lt;br /&gt;
** Idem but focuses on jpeg only &#039;&#039;UPDATE&#039;&#039; v2.0 now contains also recovermov for MOV files, not tested&lt;br /&gt;
** Recover partial files too but instead of a partial big jpeg it found the internal thumbnail of the partial jpeg...&lt;br /&gt;
 mkdir /path/recovered&lt;br /&gt;
 cd /path/recovered&lt;br /&gt;
 recoverjpeg ../image.img&lt;br /&gt;
* &#039;&#039;&#039;[http://www.cgsecurity.org/wiki/PhotoRec PhotoRec]&#039;&#039;&#039;&lt;br /&gt;
** Multi-platform&lt;br /&gt;
** Under Debian/Ubuntu this one comes with testdisk&lt;br /&gt;
** apt-get install testdisk&lt;br /&gt;
** Don&#039;t be abused by program name, it supports A LOT of different formats (&amp;gt; 180 formats including FAT subdirectories etc)&lt;br /&gt;
** Seems to create a lot of false positive (at least experienced with mpg) but it was the only one able to recover the MOV files from a Canon IXUS SDcard&lt;br /&gt;
** No options, works interactively&lt;br /&gt;
** Default blocksize 512&lt;br /&gt;
** By default doesn&#039;t keep partial files but possibility to ask to keep them&lt;br /&gt;
** Better to reduce the number of file types you want to recover if you look only for e.g. jpeg &amp;amp; mov, goes much faster&lt;br /&gt;
** Package comes with a copy of the website documentation: see file:///usr/share/doc/testdisk/html/photorec.html&lt;br /&gt;
 # DONT create output directory, it&#039;ll create one itself&lt;br /&gt;
 photorec /d /path/recovered image.img&lt;br /&gt;
&lt;br /&gt;
So all in all PhotoRec seems the best but painful to use with this interactive mode rather than using command line options&lt;br /&gt;
&amp;lt;br&amp;gt;See also [http://sid.rstack.org/static/articles/d/i/g/Digital_photos_recovery.html Sid&#039;s notes] on photo recovery&lt;br /&gt;
&lt;br /&gt;
===Recovering information from files===&lt;br /&gt;
* &#039;&#039;&#039;[http://www.workshare.com/products/trace/ Trace!]&#039;&#039;&#039; by Workshare&lt;br /&gt;
** Windows-based tool for showing all Microsoft Office documents meta-information&lt;br /&gt;
** Quite heavy and requires Microsoft .NET to be installed&lt;br /&gt;
&lt;br /&gt;
==Anti-forensic resources==&lt;br /&gt;
* wipe: secure file deletion&lt;br /&gt;
** To wipe a max of the unallocated space of e.g. hda1, just create a big file and wipe it: (this doesn&#039;t wipe slack space!)&lt;br /&gt;
** dd if=/dev/zero of=/bigfile bs=512 count=$((2*$(df |gawk &#039;/hda1/{print $4}&#039;)))&lt;br /&gt;
* secure-delete: tools to wipe files, free disk space, swap and memory&lt;br /&gt;
* [http://dban.sourceforge.net Darik&#039;s Boot and Nuke (dban)]: secure harddrive deletion&lt;br /&gt;
* [http://technet.microsoft.com/en-us/magazine/2009.08.utilityspotlight.aspx SDelete] from Sysinternals&lt;br /&gt;
* [http://www.phrack.org/issues.html?issue=59&amp;amp;id=6&amp;amp;mode=txt Defeating Forensic Analysis on Unix]&lt;br /&gt;
* [http://archive.hack.lu/2006/Venema.ppt Software Engineering Security (PPT)] by Wietse Venema at Hack.lu 2006&lt;br /&gt;
* [http://www.iusmentis.com/security/filewiping/realdelete/ Article at Ius Mentis]&lt;br /&gt;
&lt;br /&gt;
==Old stuff...==&lt;br /&gt;
&lt;br /&gt;
===Récupération des données volatiles===&lt;br /&gt;
====Identification====&lt;br /&gt;
*Nom du système et version&lt;br /&gt;
**uname -a&lt;br /&gt;
*Date et heure&lt;br /&gt;
**date&lt;br /&gt;
* Paramètres réseau&lt;br /&gt;
**ifconfig | grep &amp;quot;inet addr&amp;quot;&lt;br /&gt;
====Configuration====&lt;br /&gt;
* Uptime&lt;br /&gt;
**uptime&lt;br /&gt;
* Applications installées&lt;br /&gt;
**rpm -qa OU dpkg --get-selections&lt;br /&gt;
* Configuration réseau&lt;br /&gt;
** ifconfig -a&lt;br /&gt;
* Table de routage&lt;br /&gt;
**netstat -arn&lt;br /&gt;
* Stratégie de mots de passe&lt;br /&gt;
** cat /etc/pam.d/passwd -&amp;gt; /etc/pam.d/other -&amp;gt; /etc/pam.d/common-password&lt;br /&gt;
* Comptes utilisateurs&lt;br /&gt;
** cat /etc/passwd&lt;br /&gt;
* Groupes&lt;br /&gt;
** cat /etc/groups&lt;br /&gt;
====Activité====&lt;br /&gt;
* Utilisateurs connectés&lt;br /&gt;
** w (who)&lt;br /&gt;
* Processus en exécution&lt;br /&gt;
**ps auwx&lt;br /&gt;
* Sockets ouvertes &amp;amp; processus propriétaires&lt;br /&gt;
** netstat -anptuw&lt;br /&gt;
** s&#039;aider éventuellement de /etc/services&lt;br /&gt;
* Table ARP&lt;br /&gt;
** arp -a&lt;br /&gt;
====Historique====&lt;br /&gt;
* Connexions locales &amp;amp; distantes&lt;br /&gt;
**last -f /var/log/wtmp (et autres wtmp.N...)&lt;br /&gt;
* Echecs de connexion&lt;br /&gt;
** cf syslog&lt;br /&gt;
* Derniers fichiers accédés&lt;br /&gt;
**ls -alRu&lt;br /&gt;
* Dernière connexion de chaque utilisateur&lt;br /&gt;
**lastlog (lastlog|grep -v &amp;quot;\*\*.*\*\*&amp;quot;)&lt;br /&gt;
* Dernières commandes passées&lt;br /&gt;
**history (à faire pour chaque user ou cat ~/.bash_history ou cat ~/.history)&lt;br /&gt;
====Sniffers====&lt;br /&gt;
*ifconfig -a|grep PROMISC&lt;br /&gt;
*Processus ayant ouvert un fichier&lt;br /&gt;
*lsof...&lt;br /&gt;
*Processus ayant ouvert une socket&lt;br /&gt;
**for fd in $(find /proc -name fd); do echo $fd; ls -al $fd|grep socket;done;&lt;br /&gt;
====Dump de la RAM====&lt;br /&gt;
* copier /proc/kcore&lt;br /&gt;
===Récupération des données persistantes===&lt;br /&gt;
* dd&lt;br /&gt;
* dd_rescue (apt-get install ddrescue), see also gddrescue&lt;br /&gt;
** error-tolerant version of dd for rescuing data&lt;br /&gt;
* strings&lt;br /&gt;
* file&lt;br /&gt;
* md5sum&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
* [[Forensics on Incidents]]&lt;br /&gt;
* [[Network Security]]&lt;/div&gt;</summary>
		<author><name>Ipefix</name></author>
	</entry>
	<entry>
		<id>https://wiki.yobi.be/index.php?title=Forensics&amp;diff=6988</id>
		<title>Forensics</title>
		<link rel="alternate" type="text/html" href="https://wiki.yobi.be/index.php?title=Forensics&amp;diff=6988"/>
		<updated>2011-02-28T13:32:13Z</updated>

		<summary type="html">&lt;p&gt;Ipefix: /* Anti-forensic resources */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Books ==&lt;br /&gt;
* [http://www.porcupine.org/forensics/forensic-discovery/ Forensics Discovery]&lt;br /&gt;
== Links ==&lt;br /&gt;
&lt;br /&gt;
* http://www.d-fence.be and http://www.lnx4n6.be&lt;br /&gt;
** Among others the excellent FCCU GNU/Linux Forensic Boot CD, based on Knoppix&lt;br /&gt;
** Tip to mound soft RAID arrays: modprobe md-mod ; mdadm -Aa /dev/md0 /dev/hdaX /dev/sdaX (list of array partitions)&lt;br /&gt;
* [http://www.foo.be/gt/forensic/ Présentation d&#039;adulau]&lt;br /&gt;
* http://cve.mitre.org&lt;br /&gt;
* http://www.porcupine.org (Wieste Venema/TCT)&lt;br /&gt;
* [http://public.afosi.amc.af.mil U.S AirForce Office of Special Investigations]&lt;br /&gt;
* http://www.forensicswiki.org&lt;br /&gt;
&lt;br /&gt;
== Lists ==&lt;br /&gt;
&lt;br /&gt;
* http://groups.yahoo.com/group/linux_forensics/&lt;br /&gt;
&lt;br /&gt;
== Tools ==&lt;br /&gt;
See also [https://infond.fr/wiki/Outils_Analyse_Forensique this list] (fr)&lt;br /&gt;
=== Generic forensic tools ===&lt;br /&gt;
* &#039;&#039;&#039;[http://www.porcupine.org/forensics/tct.html The Coroner Toolkit]&#039;&#039;&#039;&lt;br /&gt;
** apt-get install tct&lt;br /&gt;
** &#039;&#039;&#039;grave-robber&#039;&#039;&#039;: collecte d&#039;infos et empreinte -&amp;gt; /var/cache/tct/data&lt;br /&gt;
** &#039;&#039;&#039;lazarus&#039;&#039;&#039;: reconstitue les fichiers présents dans les clusters non référencés&lt;br /&gt;
** &#039;&#039;&#039;mactime&#039;&#039;&#039;: liste les fichiers dont le mactime a été modifié depuis une certaine date&lt;br /&gt;
* &#039;&#039;&#039;[http://sleuthkit.sourceforge.net/sleuthkit/index.php Sleuthkit]&#039;&#039;&#039; &amp;amp; &#039;&#039;&#039;Autopsy&#039;&#039;&#039; (GUI)&lt;br /&gt;
** apt-get install sleuthkit&lt;br /&gt;
** apt-get install autopsy&lt;br /&gt;
** [http://sleuthkit.sourceforge.net/sleuthkit/tools.php A lot] of tools&lt;br /&gt;
** Some [http://sleuthkit.sourceforge.net/informer/ very nice articles] online to learn how to use them.&lt;br /&gt;
&lt;br /&gt;
=== On live systems ===&lt;br /&gt;
* &#039;&#039;&#039;[http://staff.washington.edu/dittrich/talks/blackhat/blackhat/cryogenic.c Cryogenic.c]&#039;&#039;&#039;&lt;br /&gt;
** Captures process information stored in Linux&#039;s Proc_fs on a best effort basis&lt;br /&gt;
*&#039;&#039;&#039;[http://www.chkrootkit.org Chkrootkit]&#039;&#039;&#039;&lt;br /&gt;
** Checks for signs of rootkits on the local system&lt;br /&gt;
** apt-get install chkrootkit&lt;br /&gt;
** &#039;&#039;&#039;chkdirs&#039;&#039;&#039;: détecte les anomalies entre le nombre de liens d&#039;un répertoire père et le nombre de sous-répertoires de ce dernier&lt;br /&gt;
** &#039;&#039;&#039;chkprocs&#039;&#039;&#039;: compare le contenu du répertoire /proc avec la sortie de la commande ps&lt;br /&gt;
* &#039;&#039;&#039;Kstat&#039;&#039;&#039;&lt;br /&gt;
** Détecte le détournement d&#039;appels systèmes&lt;br /&gt;
** wget http://s0ftpj.org/tools/kstat24_v1.1-2.tgz&lt;br /&gt;
* Less intrusive: mem dump via &#039;&#039;&#039;Firewire&#039;&#039;&#039;&lt;br /&gt;
** Presentation by A. Boileau: [http://www.security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf Hit by a Bus: Physical Access Attacks with Firewire (PDF)]&lt;br /&gt;
** [http://www.storm.net.nz/projects/16 More on his page]&lt;br /&gt;
* [http://wiki.yobi.be/wiki/Debian_Commands#System_management Cruft]&lt;br /&gt;
** Not a forensics tool per se but of great help to find files in the system directories that are not coming from legit Debian packages&lt;br /&gt;
&lt;br /&gt;
=== Dumping data supports ===&lt;br /&gt;
* &#039;&#039;&#039;[http://www.gnu.org/software/ddrescue/ddrescue.html ddrescue]&#039;&#039;&#039;&lt;br /&gt;
** apt-get install gddrescue&lt;br /&gt;
** Seems to work better than the next one (not to be confounded with...)&lt;br /&gt;
* &#039;&#039;&#039;[http://www.garloff.de/kurt/linux/ddrescue/ dd_rescue]&#039;&#039;&#039;&lt;br /&gt;
** apt-get install ddrescue&lt;br /&gt;
* &#039;&#039;&#039;[http://www.ferzkopp.net/Software/CloneIt/CloneIt.html CloneIt]&#039;&#039;&#039;&lt;br /&gt;
** Networked Harddisk Replication System&lt;br /&gt;
** cf also netcat on [[Network security tools]]&lt;br /&gt;
* &#039;&#039;&#039;[http://www.heise.de/ct/05/16/links/078.shtml H2cdimage]&#039;&#039;&#039;&lt;br /&gt;
** To recover badly damaged CD/DVDs&lt;br /&gt;
* &#039;&#039;&#039;[http://www.chrysocome.net/dd dd for Windows]&#039;&#039;&#039;&lt;br /&gt;
 dd --list&lt;br /&gt;
 dd if=\\?\Device\Harddisk1\Partition0 of=c:\temp\usb2.img bs=1M --size --progress&lt;br /&gt;
&lt;br /&gt;
=== Guessing the filesystem used ===&lt;br /&gt;
* testdisk&lt;br /&gt;
** apt-get install testdisk&lt;br /&gt;
* gpart&lt;br /&gt;
** apt-get install gpart&lt;br /&gt;
* disktype&lt;br /&gt;
** apt-get install disktype&lt;br /&gt;
&lt;br /&gt;
=== Recovering files from filesystems ===&lt;br /&gt;
==== LVM ====&lt;br /&gt;
If the harddrive is using LVM, cf http://www.knoppix.net/wiki/LVM2 to activate the volumes and be able to mount them.&lt;br /&gt;
==== From ISO9660 ====&lt;br /&gt;
* &#039;&#039;&#039;[http://www.heise.de/ct/05/16/links/078.shtml dares]&#039;&#039;&#039;&lt;br /&gt;
** Description: rescue files from damaged CDs and DVDs (ncurses-interface)&amp;lt;br&amp;gt;Dares scans a CD/DVD image or a CD/DVD for files. This also works when the filesystem (ISO-9660 or UDF) on the disc is damaged and cannot be mounted anymore.&lt;br /&gt;
** apt-get install dares&lt;br /&gt;
** Note that it helps recovering a &#039;&#039;logically&#039;&#039; damaged image, if the disk is physically damaged, first use sth like gddrescue to cope with IO errors.&lt;br /&gt;
==== From ext2 ====&lt;br /&gt;
* e2undel&lt;br /&gt;
** apt-get install e2undel&lt;br /&gt;
* recover (and gtkrecover)&lt;br /&gt;
** apt-get install recover&lt;br /&gt;
====Agnostic (any fs)====&lt;br /&gt;
* &#039;&#039;&#039;[http://foremost.sourceforge.net/ foremost]&#039;&#039;&#039;&lt;br /&gt;
** linux only&lt;br /&gt;
** Description: a forensics application to recover data&amp;lt;br&amp;gt;foremost is a console program to recover files based on their headers and footers for forensics purposes.&amp;lt;br&amp;gt; foremost can work on disk image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for.&lt;br /&gt;
** apt-get install foremost&lt;br /&gt;
** Very good, nice progression report&lt;br /&gt;
** Default blocksize 512&lt;br /&gt;
** Doesn&#039;t recover partial files&lt;br /&gt;
 foremost -t avi -t mpg -t wmv -t mov -q -v -i image.img -o /path/recovered&lt;br /&gt;
* &#039;&#039;&#039;[http://www.itu.dk/people/jobr/magicrescue/ Magic Rescue]&#039;&#039;&#039;&lt;br /&gt;
** linux only&lt;br /&gt;
** apt-get install magicrescue&lt;br /&gt;
** Same purpose than foremost, very fast (but I didn&#039;t have yet the chance to compare it to foremost), no false positive, but less formats supported&lt;br /&gt;
** Needs external tools depending on file type, e.g. jpegtran to recover jpegs&lt;br /&gt;
** Comes with &#039;&#039;&#039;dupemap&#039;&#039;&#039;, a very handy tool to delete duplicates in recovered files (can work also against a backup to keep only new recovered files).&amp;lt;br&amp;gt;Example: dupemap delete,report /path/recovered&lt;br /&gt;
** Default blocksize=1, very slow if you don&#039;t need it =&amp;gt; option -b 512&lt;br /&gt;
** Recover partial files too&lt;br /&gt;
** WARNING: recovered jpeg files are 16 bytes too large than the original files in my experience&lt;br /&gt;
 mkdir /path/recovered&lt;br /&gt;
 dpkg -L magicrescue|grep recipes/&lt;br /&gt;
 magicrescue -r /usr/share/magicrescue/recipes/jpeg-exif -r /usr/share/magicrescue/recipes/jpeg-jfif -d /path/recovered -b 512 image.img&lt;br /&gt;
* &#039;&#039;&#039;[http://www.rfc1149.net/devel/recoverjpeg recoverjpeg]&#039;&#039;&#039;&lt;br /&gt;
** linux only&lt;br /&gt;
** apt-get install recoverjpeg&lt;br /&gt;
** Idem but focuses on jpeg only &#039;&#039;UPDATE&#039;&#039; v2.0 now contains also recovermov for MOV files, not tested&lt;br /&gt;
** Recover partial files too but instead of a partial big jpeg it found the internal thumbnail of the partial jpeg...&lt;br /&gt;
 mkdir /path/recovered&lt;br /&gt;
 cd /path/recovered&lt;br /&gt;
 recoverjpeg ../image.img&lt;br /&gt;
* &#039;&#039;&#039;[http://www.cgsecurity.org/wiki/PhotoRec PhotoRec]&#039;&#039;&#039;&lt;br /&gt;
** Multi-platform&lt;br /&gt;
** Under Debian/Ubuntu this one comes with testdisk&lt;br /&gt;
** apt-get install testdisk&lt;br /&gt;
** Don&#039;t be abused by program name, it supports A LOT of different formats (&amp;gt; 180 formats including FAT subdirectories etc)&lt;br /&gt;
** Seems to create a lot of false positive (at least experienced with mpg) but it was the only one able to recover the MOV files from a Canon IXUS SDcard&lt;br /&gt;
** No options, works interactively&lt;br /&gt;
** Default blocksize 512&lt;br /&gt;
** By default doesn&#039;t keep partial files but possibility to ask to keep them&lt;br /&gt;
** Better to reduce the number of file types you want to recover if you look only for e.g. jpeg &amp;amp; mov, goes much faster&lt;br /&gt;
** Package comes with a copy of the website documentation: see file:///usr/share/doc/testdisk/html/photorec.html&lt;br /&gt;
 # DONT create output directory, it&#039;ll create one itself&lt;br /&gt;
 photorec /d /path/recovered image.img&lt;br /&gt;
&lt;br /&gt;
So all in all PhotoRec seems the best but painful to use with this interactive mode rather than using command line options&lt;br /&gt;
&amp;lt;br&amp;gt;See also [http://sid.rstack.org/static/articles/d/i/g/Digital_photos_recovery.html Sid&#039;s notes] on photo recovery&lt;br /&gt;
&lt;br /&gt;
===Recovering information from files===&lt;br /&gt;
* &#039;&#039;&#039;[http://www.workshare.com/products/trace/ Trace!]&#039;&#039;&#039; by Workshare&lt;br /&gt;
** Windows-based tool for showing all Microsoft Office documents meta-information&lt;br /&gt;
** Quite heavy and requires Microsoft .NET to be installed&lt;br /&gt;
&lt;br /&gt;
==Anti-forensic resources==&lt;br /&gt;
* wipe: secure file deletion&lt;br /&gt;
** To wipe a max of the unallocated space of e.g. hda1, just create a big file and wipe it: (this doesn&#039;t wipe slack space!)&lt;br /&gt;
** dd if=/dev/zero of=/bigfile bs=512 count=$((2*$(df |gawk &#039;/hda1/{print $4}&#039;)))&lt;br /&gt;
* secure-delete: tools to wipe files, free disk space, swap and memory&lt;br /&gt;
* [http://dban.sourceforge.net Darik&#039;s Boot and Nuke (dban)]: secure harddrive deletion&lt;br /&gt;
* [http://technet.microsoft.com/en-us/magazine/2009.08.utilityspotlight.aspx SDelete] from Sysinternals&lt;br /&gt;
* [http://www.phrack.org/issues.html?issue=59&amp;amp;id=6&amp;amp;mode=txt Defeating Forensic Analysis on Unix]&lt;br /&gt;
* [http://archive.hack.lu/2006/Venema.ppt Software Engineering Security (PPT)] by Wietse Venema at Hack.lu 2006&lt;br /&gt;
* [http://www.iusmentis.com/security/filewiping/realdelete/ Article at Ius Mentis]&lt;br /&gt;
&lt;br /&gt;
==Old stuff...==&lt;br /&gt;
&lt;br /&gt;
===Récupération des données volatiles===&lt;br /&gt;
====Identification====&lt;br /&gt;
*Nom du système et version&lt;br /&gt;
**uname -a&lt;br /&gt;
*Date et heure&lt;br /&gt;
**date&lt;br /&gt;
* Paramètres réseau&lt;br /&gt;
**ifconfig | grep &amp;quot;inet addr&amp;quot;&lt;br /&gt;
====Configuration====&lt;br /&gt;
* Uptime&lt;br /&gt;
**uptime&lt;br /&gt;
* Applications installées&lt;br /&gt;
**rpm -qa OU dpkg --get-selections&lt;br /&gt;
* Configuration réseau&lt;br /&gt;
** ifconfig -a&lt;br /&gt;
* Table de routage&lt;br /&gt;
**netstat -arn&lt;br /&gt;
* Stratégie de mots de passe&lt;br /&gt;
** cat /etc/pam.d/passwd -&amp;gt; /etc/pam.d/other -&amp;gt; /etc/pam.d/common-password&lt;br /&gt;
* Comptes utilisateurs&lt;br /&gt;
** cat /etc/passwd&lt;br /&gt;
* Groupes&lt;br /&gt;
** cat /etc/groups&lt;br /&gt;
====Activité====&lt;br /&gt;
* Utilisateurs connectés&lt;br /&gt;
** w (who)&lt;br /&gt;
* Processus en exécution&lt;br /&gt;
**ps auwx&lt;br /&gt;
* Sockets ouvertes &amp;amp; processus propriétaires&lt;br /&gt;
** netstat -anptuw&lt;br /&gt;
** s&#039;aider éventuellement de /etc/services&lt;br /&gt;
* Table ARP&lt;br /&gt;
** arp -a&lt;br /&gt;
====Historique====&lt;br /&gt;
* Connexions locales &amp;amp; distantes&lt;br /&gt;
**last -f /var/log/wtmp (et autres wtmp.N...)&lt;br /&gt;
* Echecs de connexion&lt;br /&gt;
** cf syslog&lt;br /&gt;
* Derniers fichiers accédés&lt;br /&gt;
**ls -alRu&lt;br /&gt;
* Dernière connexion de chaque utilisateur&lt;br /&gt;
**lastlog (lastlog|grep -v &amp;quot;\*\*.*\*\*&amp;quot;)&lt;br /&gt;
* Dernières commandes passées&lt;br /&gt;
**history (à faire pour chaque user ou cat ~/.bash_history ou cat ~/.history)&lt;br /&gt;
====Sniffers====&lt;br /&gt;
*ifconfig -a|grep PROMISC&lt;br /&gt;
*Processus ayant ouvert un fichier&lt;br /&gt;
*lsof...&lt;br /&gt;
*Processus ayant ouvert une socket&lt;br /&gt;
**for fd in $(find /proc -name fd); do echo $fd; ls -al $fd|grep socket;done;&lt;br /&gt;
====Dump de la RAM====&lt;br /&gt;
* copier /proc/kcore&lt;br /&gt;
===Récupération des données persistantes===&lt;br /&gt;
* dd&lt;br /&gt;
* dd_rescue (apt-get install ddrescue), see also gddrescue&lt;br /&gt;
** error-tolerant version of dd for rescuing data&lt;br /&gt;
* strings&lt;br /&gt;
* file&lt;br /&gt;
* md5sum&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
* [[Forensics on Incidents]]&lt;br /&gt;
* [[Network Security]]&lt;/div&gt;</summary>
		<author><name>Ipefix</name></author>
	</entry>
	<entry>
		<id>https://wiki.yobi.be/index.php?title=Forensics&amp;diff=6987</id>
		<title>Forensics</title>
		<link rel="alternate" type="text/html" href="https://wiki.yobi.be/index.php?title=Forensics&amp;diff=6987"/>
		<updated>2011-02-28T13:12:52Z</updated>

		<summary type="html">&lt;p&gt;Ipefix: /* On live systems */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Books ==&lt;br /&gt;
* [http://www.porcupine.org/forensics/forensic-discovery/ Forensics Discovery]&lt;br /&gt;
== Links ==&lt;br /&gt;
&lt;br /&gt;
* http://www.d-fence.be and http://www.lnx4n6.be&lt;br /&gt;
** Among others the excellent FCCU GNU/Linux Forensic Boot CD, based on Knoppix&lt;br /&gt;
** Tip to mound soft RAID arrays: modprobe md-mod ; mdadm -Aa /dev/md0 /dev/hdaX /dev/sdaX (list of array partitions)&lt;br /&gt;
* [http://www.foo.be/gt/forensic/ Présentation d&#039;adulau]&lt;br /&gt;
* http://cve.mitre.org&lt;br /&gt;
* http://www.porcupine.org (Wieste Venema/TCT)&lt;br /&gt;
* [http://public.afosi.amc.af.mil U.S AirForce Office of Special Investigations]&lt;br /&gt;
* http://www.forensicswiki.org&lt;br /&gt;
&lt;br /&gt;
== Lists ==&lt;br /&gt;
&lt;br /&gt;
* http://groups.yahoo.com/group/linux_forensics/&lt;br /&gt;
&lt;br /&gt;
== Tools ==&lt;br /&gt;
See also [https://infond.fr/wiki/Outils_Analyse_Forensique this list] (fr)&lt;br /&gt;
=== Generic forensic tools ===&lt;br /&gt;
* &#039;&#039;&#039;[http://www.porcupine.org/forensics/tct.html The Coroner Toolkit]&#039;&#039;&#039;&lt;br /&gt;
** apt-get install tct&lt;br /&gt;
** &#039;&#039;&#039;grave-robber&#039;&#039;&#039;: collecte d&#039;infos et empreinte -&amp;gt; /var/cache/tct/data&lt;br /&gt;
** &#039;&#039;&#039;lazarus&#039;&#039;&#039;: reconstitue les fichiers présents dans les clusters non référencés&lt;br /&gt;
** &#039;&#039;&#039;mactime&#039;&#039;&#039;: liste les fichiers dont le mactime a été modifié depuis une certaine date&lt;br /&gt;
* &#039;&#039;&#039;[http://sleuthkit.sourceforge.net/sleuthkit/index.php Sleuthkit]&#039;&#039;&#039; &amp;amp; &#039;&#039;&#039;Autopsy&#039;&#039;&#039; (GUI)&lt;br /&gt;
** apt-get install sleuthkit&lt;br /&gt;
** apt-get install autopsy&lt;br /&gt;
** [http://sleuthkit.sourceforge.net/sleuthkit/tools.php A lot] of tools&lt;br /&gt;
** Some [http://sleuthkit.sourceforge.net/informer/ very nice articles] online to learn how to use them.&lt;br /&gt;
&lt;br /&gt;
=== On live systems ===&lt;br /&gt;
* &#039;&#039;&#039;[http://staff.washington.edu/dittrich/talks/blackhat/blackhat/cryogenic.c Cryogenic.c]&#039;&#039;&#039;&lt;br /&gt;
** Captures process information stored in Linux&#039;s Proc_fs on a best effort basis&lt;br /&gt;
*&#039;&#039;&#039;[http://www.chkrootkit.org Chkrootkit]&#039;&#039;&#039;&lt;br /&gt;
** Checks for signs of rootkits on the local system&lt;br /&gt;
** apt-get install chkrootkit&lt;br /&gt;
** &#039;&#039;&#039;chkdirs&#039;&#039;&#039;: détecte les anomalies entre le nombre de liens d&#039;un répertoire père et le nombre de sous-répertoires de ce dernier&lt;br /&gt;
** &#039;&#039;&#039;chkprocs&#039;&#039;&#039;: compare le contenu du répertoire /proc avec la sortie de la commande ps&lt;br /&gt;
* &#039;&#039;&#039;Kstat&#039;&#039;&#039;&lt;br /&gt;
** Détecte le détournement d&#039;appels systèmes&lt;br /&gt;
** wget http://s0ftpj.org/tools/kstat24_v1.1-2.tgz&lt;br /&gt;
* Less intrusive: mem dump via &#039;&#039;&#039;Firewire&#039;&#039;&#039;&lt;br /&gt;
** Presentation by A. Boileau: [http://www.security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf Hit by a Bus: Physical Access Attacks with Firewire (PDF)]&lt;br /&gt;
** [http://www.storm.net.nz/projects/16 More on his page]&lt;br /&gt;
* [http://wiki.yobi.be/wiki/Debian_Commands#System_management Cruft]&lt;br /&gt;
** Not a forensics tool per se but of great help to find files in the system directories that are not coming from legit Debian packages&lt;br /&gt;
&lt;br /&gt;
=== Dumping data supports ===&lt;br /&gt;
* &#039;&#039;&#039;[http://www.gnu.org/software/ddrescue/ddrescue.html ddrescue]&#039;&#039;&#039;&lt;br /&gt;
** apt-get install gddrescue&lt;br /&gt;
** Seems to work better than the next one (not to be confounded with...)&lt;br /&gt;
* &#039;&#039;&#039;[http://www.garloff.de/kurt/linux/ddrescue/ dd_rescue]&#039;&#039;&#039;&lt;br /&gt;
** apt-get install ddrescue&lt;br /&gt;
* &#039;&#039;&#039;[http://www.ferzkopp.net/Software/CloneIt/CloneIt.html CloneIt]&#039;&#039;&#039;&lt;br /&gt;
** Networked Harddisk Replication System&lt;br /&gt;
** cf also netcat on [[Network security tools]]&lt;br /&gt;
* &#039;&#039;&#039;[http://www.heise.de/ct/05/16/links/078.shtml H2cdimage]&#039;&#039;&#039;&lt;br /&gt;
** To recover badly damaged CD/DVDs&lt;br /&gt;
* &#039;&#039;&#039;[http://www.chrysocome.net/dd dd for Windows]&#039;&#039;&#039;&lt;br /&gt;
 dd --list&lt;br /&gt;
 dd if=\\?\Device\Harddisk1\Partition0 of=c:\temp\usb2.img bs=1M --size --progress&lt;br /&gt;
&lt;br /&gt;
=== Guessing the filesystem used ===&lt;br /&gt;
* testdisk&lt;br /&gt;
** apt-get install testdisk&lt;br /&gt;
* gpart&lt;br /&gt;
** apt-get install gpart&lt;br /&gt;
* disktype&lt;br /&gt;
** apt-get install disktype&lt;br /&gt;
&lt;br /&gt;
=== Recovering files from filesystems ===&lt;br /&gt;
==== LVM ====&lt;br /&gt;
If the harddrive is using LVM, cf http://www.knoppix.net/wiki/LVM2 to activate the volumes and be able to mount them.&lt;br /&gt;
==== From ISO9660 ====&lt;br /&gt;
* &#039;&#039;&#039;[http://www.heise.de/ct/05/16/links/078.shtml dares]&#039;&#039;&#039;&lt;br /&gt;
** Description: rescue files from damaged CDs and DVDs (ncurses-interface)&amp;lt;br&amp;gt;Dares scans a CD/DVD image or a CD/DVD for files. This also works when the filesystem (ISO-9660 or UDF) on the disc is damaged and cannot be mounted anymore.&lt;br /&gt;
** apt-get install dares&lt;br /&gt;
** Note that it helps recovering a &#039;&#039;logically&#039;&#039; damaged image, if the disk is physically damaged, first use sth like gddrescue to cope with IO errors.&lt;br /&gt;
==== From ext2 ====&lt;br /&gt;
* e2undel&lt;br /&gt;
** apt-get install e2undel&lt;br /&gt;
* recover (and gtkrecover)&lt;br /&gt;
** apt-get install recover&lt;br /&gt;
====Agnostic (any fs)====&lt;br /&gt;
* &#039;&#039;&#039;[http://foremost.sourceforge.net/ foremost]&#039;&#039;&#039;&lt;br /&gt;
** linux only&lt;br /&gt;
** Description: a forensics application to recover data&amp;lt;br&amp;gt;foremost is a console program to recover files based on their headers and footers for forensics purposes.&amp;lt;br&amp;gt; foremost can work on disk image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for.&lt;br /&gt;
** apt-get install foremost&lt;br /&gt;
** Very good, nice progression report&lt;br /&gt;
** Default blocksize 512&lt;br /&gt;
** Doesn&#039;t recover partial files&lt;br /&gt;
 foremost -t avi -t mpg -t wmv -t mov -q -v -i image.img -o /path/recovered&lt;br /&gt;
* &#039;&#039;&#039;[http://www.itu.dk/people/jobr/magicrescue/ Magic Rescue]&#039;&#039;&#039;&lt;br /&gt;
** linux only&lt;br /&gt;
** apt-get install magicrescue&lt;br /&gt;
** Same purpose than foremost, very fast (but I didn&#039;t have yet the chance to compare it to foremost), no false positive, but less formats supported&lt;br /&gt;
** Needs external tools depending on file type, e.g. jpegtran to recover jpegs&lt;br /&gt;
** Comes with &#039;&#039;&#039;dupemap&#039;&#039;&#039;, a very handy tool to delete duplicates in recovered files (can work also against a backup to keep only new recovered files).&amp;lt;br&amp;gt;Example: dupemap delete,report /path/recovered&lt;br /&gt;
** Default blocksize=1, very slow if you don&#039;t need it =&amp;gt; option -b 512&lt;br /&gt;
** Recover partial files too&lt;br /&gt;
** WARNING: recovered jpeg files are 16 bytes too large than the original files in my experience&lt;br /&gt;
 mkdir /path/recovered&lt;br /&gt;
 dpkg -L magicrescue|grep recipes/&lt;br /&gt;
 magicrescue -r /usr/share/magicrescue/recipes/jpeg-exif -r /usr/share/magicrescue/recipes/jpeg-jfif -d /path/recovered -b 512 image.img&lt;br /&gt;
* &#039;&#039;&#039;[http://www.rfc1149.net/devel/recoverjpeg recoverjpeg]&#039;&#039;&#039;&lt;br /&gt;
** linux only&lt;br /&gt;
** apt-get install recoverjpeg&lt;br /&gt;
** Idem but focuses on jpeg only &#039;&#039;UPDATE&#039;&#039; v2.0 now contains also recovermov for MOV files, not tested&lt;br /&gt;
** Recover partial files too but instead of a partial big jpeg it found the internal thumbnail of the partial jpeg...&lt;br /&gt;
 mkdir /path/recovered&lt;br /&gt;
 cd /path/recovered&lt;br /&gt;
 recoverjpeg ../image.img&lt;br /&gt;
* &#039;&#039;&#039;[http://www.cgsecurity.org/wiki/PhotoRec PhotoRec]&#039;&#039;&#039;&lt;br /&gt;
** Multi-platform&lt;br /&gt;
** Under Debian/Ubuntu this one comes with testdisk&lt;br /&gt;
** apt-get install testdisk&lt;br /&gt;
** Don&#039;t be abused by program name, it supports A LOT of different formats (&amp;gt; 180 formats including FAT subdirectories etc)&lt;br /&gt;
** Seems to create a lot of false positive (at least experienced with mpg) but it was the only one able to recover the MOV files from a Canon IXUS SDcard&lt;br /&gt;
** No options, works interactively&lt;br /&gt;
** Default blocksize 512&lt;br /&gt;
** By default doesn&#039;t keep partial files but possibility to ask to keep them&lt;br /&gt;
** Better to reduce the number of file types you want to recover if you look only for e.g. jpeg &amp;amp; mov, goes much faster&lt;br /&gt;
** Package comes with a copy of the website documentation: see file:///usr/share/doc/testdisk/html/photorec.html&lt;br /&gt;
 # DONT create output directory, it&#039;ll create one itself&lt;br /&gt;
 photorec /d /path/recovered image.img&lt;br /&gt;
&lt;br /&gt;
So all in all PhotoRec seems the best but painful to use with this interactive mode rather than using command line options&lt;br /&gt;
&amp;lt;br&amp;gt;See also [http://sid.rstack.org/static/articles/d/i/g/Digital_photos_recovery.html Sid&#039;s notes] on photo recovery&lt;br /&gt;
&lt;br /&gt;
===Recovering information from files===&lt;br /&gt;
* &#039;&#039;&#039;[http://www.workshare.com/products/trace/ Trace!]&#039;&#039;&#039; by Workshare&lt;br /&gt;
** Windows-based tool for showing all Microsoft Office documents meta-information&lt;br /&gt;
** Quite heavy and requires Microsoft .NET to be installed&lt;br /&gt;
&lt;br /&gt;
==Anti-forensic resources==&lt;br /&gt;
* wipe: secure file deletion&lt;br /&gt;
** To wipe a max of the unallocated space of e.g. hda1, just create a big file and wipe it: (this doesn&#039;t wipe slack space!)&lt;br /&gt;
** dd if=/dev/zero of=/bigfile bs=512 count=$((2*$(df |gawk &#039;/hda1/{print $4}&#039;)))&lt;br /&gt;
* secure-delete: tools to wipe files, free disk space, swap and memory&lt;br /&gt;
* [http://dban.sourceforge.net Darik&#039;s Boot and Nuke (dban)]: secure harddrive deletion&lt;br /&gt;
* [http://www.sysinternals.com/Utilities/SDelete.html SDelete] from Sysinternals&lt;br /&gt;
* [http://www.phrack.org/phrack/59/p59-0x06.txt Defeating Forensic Analysis on Unix]&lt;br /&gt;
* [http://hack.lu/images/8/80/Venema.ppt Software Engineering Security (PPT)] by Wietse Venema at Hack.lu 2006&lt;br /&gt;
* [http://www.iusmentis.com/security/filewiping/realdelete/ Article at Ius Mentis]&lt;br /&gt;
&lt;br /&gt;
==Old stuff...==&lt;br /&gt;
&lt;br /&gt;
===Récupération des données volatiles===&lt;br /&gt;
====Identification====&lt;br /&gt;
*Nom du système et version&lt;br /&gt;
**uname -a&lt;br /&gt;
*Date et heure&lt;br /&gt;
**date&lt;br /&gt;
* Paramètres réseau&lt;br /&gt;
**ifconfig | grep &amp;quot;inet addr&amp;quot;&lt;br /&gt;
====Configuration====&lt;br /&gt;
* Uptime&lt;br /&gt;
**uptime&lt;br /&gt;
* Applications installées&lt;br /&gt;
**rpm -qa OU dpkg --get-selections&lt;br /&gt;
* Configuration réseau&lt;br /&gt;
** ifconfig -a&lt;br /&gt;
* Table de routage&lt;br /&gt;
**netstat -arn&lt;br /&gt;
* Stratégie de mots de passe&lt;br /&gt;
** cat /etc/pam.d/passwd -&amp;gt; /etc/pam.d/other -&amp;gt; /etc/pam.d/common-password&lt;br /&gt;
* Comptes utilisateurs&lt;br /&gt;
** cat /etc/passwd&lt;br /&gt;
* Groupes&lt;br /&gt;
** cat /etc/groups&lt;br /&gt;
====Activité====&lt;br /&gt;
* Utilisateurs connectés&lt;br /&gt;
** w (who)&lt;br /&gt;
* Processus en exécution&lt;br /&gt;
**ps auwx&lt;br /&gt;
* Sockets ouvertes &amp;amp; processus propriétaires&lt;br /&gt;
** netstat -anptuw&lt;br /&gt;
** s&#039;aider éventuellement de /etc/services&lt;br /&gt;
* Table ARP&lt;br /&gt;
** arp -a&lt;br /&gt;
====Historique====&lt;br /&gt;
* Connexions locales &amp;amp; distantes&lt;br /&gt;
**last -f /var/log/wtmp (et autres wtmp.N...)&lt;br /&gt;
* Echecs de connexion&lt;br /&gt;
** cf syslog&lt;br /&gt;
* Derniers fichiers accédés&lt;br /&gt;
**ls -alRu&lt;br /&gt;
* Dernière connexion de chaque utilisateur&lt;br /&gt;
**lastlog (lastlog|grep -v &amp;quot;\*\*.*\*\*&amp;quot;)&lt;br /&gt;
* Dernières commandes passées&lt;br /&gt;
**history (à faire pour chaque user ou cat ~/.bash_history ou cat ~/.history)&lt;br /&gt;
====Sniffers====&lt;br /&gt;
*ifconfig -a|grep PROMISC&lt;br /&gt;
*Processus ayant ouvert un fichier&lt;br /&gt;
*lsof...&lt;br /&gt;
*Processus ayant ouvert une socket&lt;br /&gt;
**for fd in $(find /proc -name fd); do echo $fd; ls -al $fd|grep socket;done;&lt;br /&gt;
====Dump de la RAM====&lt;br /&gt;
* copier /proc/kcore&lt;br /&gt;
===Récupération des données persistantes===&lt;br /&gt;
* dd&lt;br /&gt;
* dd_rescue (apt-get install ddrescue), see also gddrescue&lt;br /&gt;
** error-tolerant version of dd for rescuing data&lt;br /&gt;
* strings&lt;br /&gt;
* file&lt;br /&gt;
* md5sum&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
* [[Forensics on Incidents]]&lt;br /&gt;
* [[Network Security]]&lt;/div&gt;</summary>
		<author><name>Ipefix</name></author>
	</entry>
</feed>