Difference between revisions of "Forensics"
Jump to navigation
Jump to search
(→Links) |
m (→See also) |
||
(23 intermediate revisions by 2 users not shown) | |||
Line 17: | Line 17: | ||
== Tools == |
== Tools == |
||
+ | See also [https://infond.fr/wiki/Outils_Analyse_Forensique this list] (fr) |
||
− | |||
=== Generic forensic tools === |
=== Generic forensic tools === |
||
* '''[http://www.porcupine.org/forensics/tct.html The Coroner Toolkit]''' |
* '''[http://www.porcupine.org/forensics/tct.html The Coroner Toolkit]''' |
||
Line 33: | Line 33: | ||
* '''[http://staff.washington.edu/dittrich/talks/blackhat/blackhat/cryogenic.c Cryogenic.c]''' |
* '''[http://staff.washington.edu/dittrich/talks/blackhat/blackhat/cryogenic.c Cryogenic.c]''' |
||
** Captures process information stored in Linux's Proc_fs on a best effort basis |
** Captures process information stored in Linux's Proc_fs on a best effort basis |
||
− | *'''[http://www. |
+ | * '''[http://www.chkrootkit.org Chkrootkit]''' |
** Checks for signs of rootkits on the local system |
** Checks for signs of rootkits on the local system |
||
** apt-get install chkrootkit |
** apt-get install chkrootkit |
||
** '''chkdirs''': détecte les anomalies entre le nombre de liens d'un répertoire père et le nombre de sous-répertoires de ce dernier |
** '''chkdirs''': détecte les anomalies entre le nombre de liens d'un répertoire père et le nombre de sous-répertoires de ce dernier |
||
** '''chkprocs''': compare le contenu du répertoire /proc avec la sortie de la commande ps |
** '''chkprocs''': compare le contenu du répertoire /proc avec la sortie de la commande ps |
||
+ | * '''[http://www.unhide-forensics.info Unhide]''' |
||
+ | ** Detecting hidden processes |
||
+ | ** apt-get install unhide |
||
* '''Kstat''' |
* '''Kstat''' |
||
** Détecte le détournement d'appels systèmes |
** Détecte le détournement d'appels systèmes |
||
Line 44: | Line 47: | ||
** Presentation by A. Boileau: [http://www.security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf Hit by a Bus: Physical Access Attacks with Firewire (PDF)] |
** Presentation by A. Boileau: [http://www.security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf Hit by a Bus: Physical Access Attacks with Firewire (PDF)] |
||
** [http://www.storm.net.nz/projects/16 More on his page] |
** [http://www.storm.net.nz/projects/16 More on his page] |
||
+ | * [http://wiki.yobi.be/wiki/Debian_Commands#System_management Cruft] |
||
+ | ** Not a forensics tool per se but of great help to find files in the system directories that are not coming from legit Debian packages |
||
=== Dumping data supports === |
=== Dumping data supports === |
||
Line 56: | Line 61: | ||
* '''[http://www.heise.de/ct/05/16/links/078.shtml H2cdimage]''' |
* '''[http://www.heise.de/ct/05/16/links/078.shtml H2cdimage]''' |
||
** To recover badly damaged CD/DVDs |
** To recover badly damaged CD/DVDs |
||
+ | * '''[http://www.chrysocome.net/dd dd for Windows]''' |
||
+ | dd --list |
||
+ | dd if=\\?\Device\Harddisk1\Partition0 of=c:\temp\usb2.img bs=1M --size --progress |
||
=== Guessing the filesystem used === |
=== Guessing the filesystem used === |
||
Line 78: | Line 86: | ||
* recover (and gtkrecover) |
* recover (and gtkrecover) |
||
** apt-get install recover |
** apt-get install recover |
||
− | Agnostic (any fs) |
+ | ====Agnostic (any fs)==== |
* '''[http://foremost.sourceforge.net/ foremost]''' |
* '''[http://foremost.sourceforge.net/ foremost]''' |
||
+ | ** linux only |
||
** Description: a forensics application to recover data<br>foremost is a console program to recover files based on their headers and footers for forensics purposes.<br> foremost can work on disk image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for. |
** Description: a forensics application to recover data<br>foremost is a console program to recover files based on their headers and footers for forensics purposes.<br> foremost can work on disk image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for. |
||
** apt-get install foremost |
** apt-get install foremost |
||
** Very good, nice progression report |
** Very good, nice progression report |
||
+ | ** Default blocksize 512 |
||
⚫ | |||
+ | ** Doesn't recover partial files |
||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
+ | ** linux only |
||
+ | ** apt-get install magicrescue |
||
⚫ | |||
+ | ** Needs external tools depending on file type, e.g. jpegtran to recover jpegs |
||
** Comes with '''dupemap''', a very handy tool to delete duplicates in recovered files (can work also against a backup to keep only new recovered files).<br>Example: dupemap delete,report /path/recovered |
** Comes with '''dupemap''', a very handy tool to delete duplicates in recovered files (can work also against a backup to keep only new recovered files).<br>Example: dupemap delete,report /path/recovered |
||
+ | ** Default blocksize=1, very slow if you don't need it => option -b 512 |
||
− | ** To compile correctly dupemap, install libgdbm-dev |
||
+ | ** Recover partial files too |
||
+ | ** WARNING: recovered jpeg files are 16 bytes too large than the original files in my experience |
||
+ | mkdir /path/recovered |
||
+ | dpkg -L magicrescue|grep recipes/ |
||
+ | magicrescue -r /usr/share/magicrescue/recipes/jpeg-exif -r /usr/share/magicrescue/recipes/jpeg-jfif -d /path/recovered -b 512 image.img |
||
* '''[http://www.rfc1149.net/devel/recoverjpeg recoverjpeg]''' |
* '''[http://www.rfc1149.net/devel/recoverjpeg recoverjpeg]''' |
||
− | ** |
+ | ** linux only |
** apt-get install recoverjpeg |
** apt-get install recoverjpeg |
||
+ | ** Idem but focuses on jpeg only ''UPDATE'' v2.0 now contains also recovermov for MOV files, not tested |
||
− | * photorec |
||
+ | ** Recover partial files too but instead of a partial big jpeg it found the internal thumbnail of the partial jpeg... |
||
− | ** This one comes with testdisk, promises a lot of different formats (pdf, raw images, zip, wma etc etc) but seems to create a lot of false positive (at least experienced with mpg) |
||
+ | mkdir /path/recovered |
||
+ | cd /path/recovered |
||
+ | recoverjpeg ../image.img |
||
+ | * '''[http://www.cgsecurity.org/wiki/PhotoRec PhotoRec]''' |
||
+ | ** Multi-platform |
||
+ | ** Under Debian/Ubuntu this one comes with testdisk |
||
** apt-get install testdisk |
** apt-get install testdisk |
||
+ | ** Don't be abused by program name, it supports A LOT of different formats (> 180 formats including FAT subdirectories etc) |
||
+ | ** Seems to create a lot of false positive (at least experienced with mpg) but it was the only one able to recover the MOV files from a Canon IXUS SDcard |
||
+ | ** No options, works interactively |
||
+ | ** Default blocksize 512 |
||
+ | ** By default doesn't keep partial files but possibility to ask to keep them |
||
+ | ** Better to reduce the number of file types you want to recover if you look only for e.g. jpeg & mov, goes much faster |
||
+ | ** Package comes with a copy of the website documentation: see file:///usr/share/doc/testdisk/html/photorec.html |
||
+ | # DONT create output directory, it'll create one itself |
||
+ | photorec /d /path/recovered image.img |
||
+ | |||
+ | So all in all PhotoRec seems the best but painful to use with this interactive mode rather than using command line options |
||
+ | <br>See also [http://sid.rstack.org/static/articles/d/i/g/Digital_photos_recovery.html Sid's notes] on photo recovery |
||
+ | ====Photodex Proshow mangled jpeg==== |
||
+ | A special mention for jpeg files embedded in Photodex presentations: if you try to extract them with one of the aforementioned programs (e.g. recoverjpeg -b 1 diaporama.exe), you'll find those files corrupted. It's because they're chunk in blocks interleaved with some metadata to remove. |
||
+ | <br>Here is a little script to fix those jpeg files: [{{#file: photodex_proshow_fix_jpeg.py}} photodex_proshow_fix_jpeg.py] |
||
+ | <source lang=python> |
||
+ | #!/usr/bin/env python |
||
+ | |||
+ | import os |
||
+ | |||
+ | for filename in os.listdir('.'): |
||
+ | with open(filename, 'rb') as f: |
||
+ | data = f.read() |
||
+ | # Check that it looks like a Photodex Proshow embedded jpeg |
||
+ | status = True |
||
+ | status &= data[6:10] == 'JFIF' |
||
+ | status &= len(data) > 0x1FFC |
||
+ | for i in range(0x1FFC,len(data),0x200A): |
||
+ | status &= data[i-10:i-8] == '\x00\x00' |
||
+ | status &= data[i-2:i] == '\x00\x00' |
||
+ | if not status: |
||
+ | continue |
||
+ | # Seems ok, so now scrap those Photodex data |
||
+ | print "Treating", filename |
||
+ | os.rename(filename, filename + '.bak') |
||
+ | with open(filename, 'wb') as f: |
||
+ | f.write(data[:0x1FF2]) |
||
+ | for i in range(0x1FFC,len(data),0x200A): |
||
+ | f.write(data[i:i+0x2000]) |
||
+ | </source> |
||
===Recovering information from files=== |
===Recovering information from files=== |
||
Line 106: | Line 171: | ||
* secure-delete: tools to wipe files, free disk space, swap and memory |
* secure-delete: tools to wipe files, free disk space, swap and memory |
||
* [http://dban.sourceforge.net Darik's Boot and Nuke (dban)]: secure harddrive deletion |
* [http://dban.sourceforge.net Darik's Boot and Nuke (dban)]: secure harddrive deletion |
||
− | * [http:// |
+ | * [http://technet.microsoft.com/en-us/magazine/2009.08.utilityspotlight.aspx SDelete] from Sysinternals |
− | * [http://www.phrack.org/ |
+ | * [http://www.phrack.org/issues.html?issue=59&id=6&mode=txt Defeating Forensic Analysis on Unix] |
− | * [http://hack.lu/ |
+ | * [http://archive.hack.lu/2006/Venema.ppt Software Engineering Security (PPT)] by Wietse Venema at Hack.lu 2006 |
* [http://www.iusmentis.com/security/filewiping/realdelete/ Article at Ius Mentis] |
* [http://www.iusmentis.com/security/filewiping/realdelete/ Article at Ius Mentis] |
||
Line 174: | Line 239: | ||
==See also== |
==See also== |
||
− | * [[Forensics on |
+ | * [[Forensics on Incident 1]] |
− | * [[ |
+ | * [[Forensics on Incident 2]] |
+ | * [[LaCie_5big_Network_2#Two_faulty_disks_on_a_5-disk_RAID5]] |
||
+ | * [[Network security tools]] |
Latest revision as of 19:51, 13 December 2013
Books
Links
- http://www.d-fence.be and http://www.lnx4n6.be
- Among others the excellent FCCU GNU/Linux Forensic Boot CD, based on Knoppix
- Tip to mound soft RAID arrays: modprobe md-mod ; mdadm -Aa /dev/md0 /dev/hdaX /dev/sdaX (list of array partitions)
- Présentation d'adulau
- http://cve.mitre.org
- http://www.porcupine.org (Wieste Venema/TCT)
- U.S AirForce Office of Special Investigations
- http://www.forensicswiki.org
Lists
Tools
See also this list (fr)
Generic forensic tools
- The Coroner Toolkit
- apt-get install tct
- grave-robber: collecte d'infos et empreinte -> /var/cache/tct/data
- lazarus: reconstitue les fichiers présents dans les clusters non référencés
- mactime: liste les fichiers dont le mactime a été modifié depuis une certaine date
- Sleuthkit & Autopsy (GUI)
- apt-get install sleuthkit
- apt-get install autopsy
- A lot of tools
- Some very nice articles online to learn how to use them.
On live systems
- Cryogenic.c
- Captures process information stored in Linux's Proc_fs on a best effort basis
- Chkrootkit
- Checks for signs of rootkits on the local system
- apt-get install chkrootkit
- chkdirs: détecte les anomalies entre le nombre de liens d'un répertoire père et le nombre de sous-répertoires de ce dernier
- chkprocs: compare le contenu du répertoire /proc avec la sortie de la commande ps
- Unhide
- Detecting hidden processes
- apt-get install unhide
- Kstat
- Détecte le détournement d'appels systèmes
- wget http://s0ftpj.org/tools/kstat24_v1.1-2.tgz
- Less intrusive: mem dump via Firewire
- Presentation by A. Boileau: Hit by a Bus: Physical Access Attacks with Firewire (PDF)
- More on his page
- Cruft
- Not a forensics tool per se but of great help to find files in the system directories that are not coming from legit Debian packages
Dumping data supports
- ddrescue
- apt-get install gddrescue
- Seems to work better than the next one (not to be confounded with...)
- dd_rescue
- apt-get install ddrescue
- CloneIt
- Networked Harddisk Replication System
- cf also netcat on Network security tools
- H2cdimage
- To recover badly damaged CD/DVDs
- dd for Windows
dd --list dd if=\\?\Device\Harddisk1\Partition0 of=c:\temp\usb2.img bs=1M --size --progress
Guessing the filesystem used
- testdisk
- apt-get install testdisk
- gpart
- apt-get install gpart
- disktype
- apt-get install disktype
Recovering files from filesystems
LVM
If the harddrive is using LVM, cf http://www.knoppix.net/wiki/LVM2 to activate the volumes and be able to mount them.
From ISO9660
- dares
- Description: rescue files from damaged CDs and DVDs (ncurses-interface)
Dares scans a CD/DVD image or a CD/DVD for files. This also works when the filesystem (ISO-9660 or UDF) on the disc is damaged and cannot be mounted anymore. - apt-get install dares
- Note that it helps recovering a logically damaged image, if the disk is physically damaged, first use sth like gddrescue to cope with IO errors.
- Description: rescue files from damaged CDs and DVDs (ncurses-interface)
From ext2
- e2undel
- apt-get install e2undel
- recover (and gtkrecover)
- apt-get install recover
Agnostic (any fs)
- foremost
- linux only
- Description: a forensics application to recover data
foremost is a console program to recover files based on their headers and footers for forensics purposes.
foremost can work on disk image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for. - apt-get install foremost
- Very good, nice progression report
- Default blocksize 512
- Doesn't recover partial files
foremost -t avi -t mpg -t wmv -t mov -q -v -i image.img -o /path/recovered
- Magic Rescue
- linux only
- apt-get install magicrescue
- Same purpose than foremost, very fast (but I didn't have yet the chance to compare it to foremost), no false positive, but less formats supported
- Needs external tools depending on file type, e.g. jpegtran to recover jpegs
- Comes with dupemap, a very handy tool to delete duplicates in recovered files (can work also against a backup to keep only new recovered files).
Example: dupemap delete,report /path/recovered - Default blocksize=1, very slow if you don't need it => option -b 512
- Recover partial files too
- WARNING: recovered jpeg files are 16 bytes too large than the original files in my experience
mkdir /path/recovered dpkg -L magicrescue|grep recipes/ magicrescue -r /usr/share/magicrescue/recipes/jpeg-exif -r /usr/share/magicrescue/recipes/jpeg-jfif -d /path/recovered -b 512 image.img
- recoverjpeg
- linux only
- apt-get install recoverjpeg
- Idem but focuses on jpeg only UPDATE v2.0 now contains also recovermov for MOV files, not tested
- Recover partial files too but instead of a partial big jpeg it found the internal thumbnail of the partial jpeg...
mkdir /path/recovered cd /path/recovered recoverjpeg ../image.img
- PhotoRec
- Multi-platform
- Under Debian/Ubuntu this one comes with testdisk
- apt-get install testdisk
- Don't be abused by program name, it supports A LOT of different formats (> 180 formats including FAT subdirectories etc)
- Seems to create a lot of false positive (at least experienced with mpg) but it was the only one able to recover the MOV files from a Canon IXUS SDcard
- No options, works interactively
- Default blocksize 512
- By default doesn't keep partial files but possibility to ask to keep them
- Better to reduce the number of file types you want to recover if you look only for e.g. jpeg & mov, goes much faster
- Package comes with a copy of the website documentation: see file:///usr/share/doc/testdisk/html/photorec.html
# DONT create output directory, it'll create one itself photorec /d /path/recovered image.img
So all in all PhotoRec seems the best but painful to use with this interactive mode rather than using command line options
See also Sid's notes on photo recovery
Photodex Proshow mangled jpeg
A special mention for jpeg files embedded in Photodex presentations: if you try to extract them with one of the aforementioned programs (e.g. recoverjpeg -b 1 diaporama.exe), you'll find those files corrupted. It's because they're chunk in blocks interleaved with some metadata to remove.
Here is a little script to fix those jpeg files: [{{#file: photodex_proshow_fix_jpeg.py}} photodex_proshow_fix_jpeg.py]
#!/usr/bin/env python
import os
for filename in os.listdir('.'):
with open(filename, 'rb') as f:
data = f.read()
# Check that it looks like a Photodex Proshow embedded jpeg
status = True
status &= data[6:10] == 'JFIF'
status &= len(data) > 0x1FFC
for i in range(0x1FFC,len(data),0x200A):
status &= data[i-10:i-8] == '\x00\x00'
status &= data[i-2:i] == '\x00\x00'
if not status:
continue
# Seems ok, so now scrap those Photodex data
print "Treating", filename
os.rename(filename, filename + '.bak')
with open(filename, 'wb') as f:
f.write(data[:0x1FF2])
for i in range(0x1FFC,len(data),0x200A):
f.write(data[i:i+0x2000])
Recovering information from files
- Trace! by Workshare
- Windows-based tool for showing all Microsoft Office documents meta-information
- Quite heavy and requires Microsoft .NET to be installed
Anti-forensic resources
- wipe: secure file deletion
- To wipe a max of the unallocated space of e.g. hda1, just create a big file and wipe it: (this doesn't wipe slack space!)
- dd if=/dev/zero of=/bigfile bs=512 count=$((2*$(df |gawk '/hda1/{print $4}')))
- secure-delete: tools to wipe files, free disk space, swap and memory
- Darik's Boot and Nuke (dban): secure harddrive deletion
- SDelete from Sysinternals
- Defeating Forensic Analysis on Unix
- Software Engineering Security (PPT) by Wietse Venema at Hack.lu 2006
- Article at Ius Mentis
Old stuff...
Récupération des données volatiles
Identification
- Nom du système et version
- uname -a
- Date et heure
- date
- Paramètres réseau
- ifconfig | grep "inet addr"
Configuration
- Uptime
- uptime
- Applications installées
- rpm -qa OU dpkg --get-selections
- Configuration réseau
- ifconfig -a
- Table de routage
- netstat -arn
- Stratégie de mots de passe
- cat /etc/pam.d/passwd -> /etc/pam.d/other -> /etc/pam.d/common-password
- Comptes utilisateurs
- cat /etc/passwd
- Groupes
- cat /etc/groups
Activité
- Utilisateurs connectés
- w (who)
- Processus en exécution
- ps auwx
- Sockets ouvertes & processus propriétaires
- netstat -anptuw
- s'aider éventuellement de /etc/services
- Table ARP
- arp -a
Historique
- Connexions locales & distantes
- last -f /var/log/wtmp (et autres wtmp.N...)
- Echecs de connexion
- cf syslog
- Derniers fichiers accédés
- ls -alRu
- Dernière connexion de chaque utilisateur
- lastlog (lastlog|grep -v "\*\*.*\*\*")
- Dernières commandes passées
- history (à faire pour chaque user ou cat ~/.bash_history ou cat ~/.history)
Sniffers
- ifconfig -a|grep PROMISC
- Processus ayant ouvert un fichier
- lsof...
- Processus ayant ouvert une socket
- for fd in $(find /proc -name fd); do echo $fd; ls -al $fd|grep socket;done;
Dump de la RAM
- copier /proc/kcore
Récupération des données persistantes
- dd
- dd_rescue (apt-get install ddrescue), see also gddrescue
- error-tolerant version of dd for rescuing data
- strings
- file
- md5sum