Difference between revisions of "Forensics"

From YobiWiki
Jump to navigation Jump to search
 
(12 intermediate revisions by 2 users not shown)
Line 17: Line 17:
   
 
== Tools ==
 
== Tools ==
  +
See also [https://infond.fr/wiki/Outils_Analyse_Forensique this list] (fr)
 
 
=== Generic forensic tools ===
 
=== Generic forensic tools ===
 
* '''[http://www.porcupine.org/forensics/tct.html The Coroner Toolkit]'''
 
* '''[http://www.porcupine.org/forensics/tct.html The Coroner Toolkit]'''
Line 33: Line 33:
 
* '''[http://staff.washington.edu/dittrich/talks/blackhat/blackhat/cryogenic.c Cryogenic.c]'''
 
* '''[http://staff.washington.edu/dittrich/talks/blackhat/blackhat/cryogenic.c Cryogenic.c]'''
 
** Captures process information stored in Linux's Proc_fs on a best effort basis
 
** Captures process information stored in Linux's Proc_fs on a best effort basis
*'''[http://www.chrootkit.org Chkrootkit]'''
+
* '''[http://www.chkrootkit.org Chkrootkit]'''
 
** Checks for signs of rootkits on the local system
 
** Checks for signs of rootkits on the local system
 
** apt-get install chkrootkit
 
** apt-get install chkrootkit
 
** '''chkdirs''': détecte les anomalies entre le nombre de liens d'un répertoire père et le nombre de sous-répertoires de ce dernier
 
** '''chkdirs''': détecte les anomalies entre le nombre de liens d'un répertoire père et le nombre de sous-répertoires de ce dernier
 
** '''chkprocs''': compare le contenu du répertoire /proc avec la sortie de la commande ps
 
** '''chkprocs''': compare le contenu du répertoire /proc avec la sortie de la commande ps
  +
* '''[http://www.unhide-forensics.info Unhide]'''
  +
** Detecting hidden processes
  +
** apt-get install unhide
 
* '''Kstat'''
 
* '''Kstat'''
 
** Détecte le détournement d'appels systèmes
 
** Détecte le détournement d'appels systèmes
Line 44: Line 47:
 
** Presentation by A. Boileau: [http://www.security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf Hit by a Bus: Physical Access Attacks with Firewire (PDF)]
 
** Presentation by A. Boileau: [http://www.security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf Hit by a Bus: Physical Access Attacks with Firewire (PDF)]
 
** [http://www.storm.net.nz/projects/16 More on his page]
 
** [http://www.storm.net.nz/projects/16 More on his page]
  +
* [http://wiki.yobi.be/wiki/Debian_Commands#System_management Cruft]
  +
** Not a forensics tool per se but of great help to find files in the system directories that are not coming from legit Debian packages
   
 
=== Dumping data supports ===
 
=== Dumping data supports ===
Line 100: Line 105:
 
** WARNING: recovered jpeg files are 16 bytes too large than the original files in my experience
 
** WARNING: recovered jpeg files are 16 bytes too large than the original files in my experience
 
mkdir /path/recovered
 
mkdir /path/recovered
  +
dpkg -L magicrescue|grep recipes/
 
magicrescue -r /usr/share/magicrescue/recipes/jpeg-exif -r /usr/share/magicrescue/recipes/jpeg-jfif -d /path/recovered -b 512 image.img
 
magicrescue -r /usr/share/magicrescue/recipes/jpeg-exif -r /usr/share/magicrescue/recipes/jpeg-jfif -d /path/recovered -b 512 image.img
 
* '''[http://www.rfc1149.net/devel/recoverjpeg recoverjpeg]'''
 
* '''[http://www.rfc1149.net/devel/recoverjpeg recoverjpeg]'''
Line 113: Line 119:
 
** Under Debian/Ubuntu this one comes with testdisk
 
** Under Debian/Ubuntu this one comes with testdisk
 
** apt-get install testdisk
 
** apt-get install testdisk
** Don't be abused by program name, it supports A LOT of different formats (pdf, raw images, zip, wma, FAT subdirectories etc etc)
+
** Don't be abused by program name, it supports A LOT of different formats (> 180 formats including FAT subdirectories etc)
 
** Seems to create a lot of false positive (at least experienced with mpg) but it was the only one able to recover the MOV files from a Canon IXUS SDcard
 
** Seems to create a lot of false positive (at least experienced with mpg) but it was the only one able to recover the MOV files from a Canon IXUS SDcard
 
** No options, works interactively
 
** No options, works interactively
Line 119: Line 125:
 
** By default doesn't keep partial files but possibility to ask to keep them
 
** By default doesn't keep partial files but possibility to ask to keep them
 
** Better to reduce the number of file types you want to recover if you look only for e.g. jpeg & mov, goes much faster
 
** Better to reduce the number of file types you want to recover if you look only for e.g. jpeg & mov, goes much faster
  +
** Package comes with a copy of the website documentation: see file:///usr/share/doc/testdisk/html/photorec.html
 
# DONT create output directory, it'll create one itself
 
# DONT create output directory, it'll create one itself
 
photorec /d /path/recovered image.img
 
photorec /d /path/recovered image.img
Line 124: Line 131:
 
So all in all PhotoRec seems the best but painful to use with this interactive mode rather than using command line options
 
So all in all PhotoRec seems the best but painful to use with this interactive mode rather than using command line options
 
<br>See also [http://sid.rstack.org/static/articles/d/i/g/Digital_photos_recovery.html Sid's notes] on photo recovery
 
<br>See also [http://sid.rstack.org/static/articles/d/i/g/Digital_photos_recovery.html Sid's notes] on photo recovery
  +
====Photodex Proshow mangled jpeg====
  +
A special mention for jpeg files embedded in Photodex presentations: if you try to extract them with one of the aforementioned programs (e.g. recoverjpeg -b 1 diaporama.exe), you'll find those files corrupted. It's because they're chunk in blocks interleaved with some metadata to remove.
  +
<br>Here is a little script to fix those jpeg files: [{{#file: photodex_proshow_fix_jpeg.py}} photodex_proshow_fix_jpeg.py]
  +
<source lang=python>
  +
#!/usr/bin/env python
  +
  +
import os
  +
  +
for filename in os.listdir('.'):
  +
with open(filename, 'rb') as f:
  +
data = f.read()
  +
# Check that it looks like a Photodex Proshow embedded jpeg
  +
status = True
  +
status &= data[6:10] == 'JFIF'
  +
status &= len(data) > 0x1FFC
  +
for i in range(0x1FFC,len(data),0x200A):
  +
status &= data[i-10:i-8] == '\x00\x00'
  +
status &= data[i-2:i] == '\x00\x00'
  +
if not status:
  +
continue
  +
# Seems ok, so now scrap those Photodex data
  +
print "Treating", filename
  +
os.rename(filename, filename + '.bak')
  +
with open(filename, 'wb') as f:
  +
f.write(data[:0x1FF2])
  +
for i in range(0x1FFC,len(data),0x200A):
  +
f.write(data[i:i+0x2000])
  +
</source>
   
 
===Recovering information from files===
 
===Recovering information from files===
Line 136: Line 171:
 
* secure-delete: tools to wipe files, free disk space, swap and memory
 
* secure-delete: tools to wipe files, free disk space, swap and memory
 
* [http://dban.sourceforge.net Darik's Boot and Nuke (dban)]: secure harddrive deletion
 
* [http://dban.sourceforge.net Darik's Boot and Nuke (dban)]: secure harddrive deletion
* [http://www.sysinternals.com/Utilities/SDelete.html SDelete] from Sysinternals
+
* [http://technet.microsoft.com/en-us/magazine/2009.08.utilityspotlight.aspx SDelete] from Sysinternals
* [http://www.phrack.org/phrack/59/p59-0x06.txt Defeating Forensic Analysis on Unix]
+
* [http://www.phrack.org/issues.html?issue=59&id=6&mode=txt Defeating Forensic Analysis on Unix]
* [http://hack.lu/images/8/80/Venema.ppt Software Engineering Security (PPT)] by Wietse Venema at Hack.lu 2006
+
* [http://archive.hack.lu/2006/Venema.ppt Software Engineering Security (PPT)] by Wietse Venema at Hack.lu 2006
 
* [http://www.iusmentis.com/security/filewiping/realdelete/ Article at Ius Mentis]
 
* [http://www.iusmentis.com/security/filewiping/realdelete/ Article at Ius Mentis]
   
Line 204: Line 239:
   
 
==See also==
 
==See also==
* [[Forensics on Incidents]]
+
* [[Forensics on Incident 1]]
* [[Network Security]]
+
* [[Forensics on Incident 2]]
  +
* [[LaCie_5big_Network_2#Two_faulty_disks_on_a_5-disk_RAID5]]
  +
* [[Network security tools]]

Latest revision as of 19:51, 13 December 2013

Books

Links

Lists

Tools

See also this list (fr)

Generic forensic tools

  • The Coroner Toolkit
    • apt-get install tct
    • grave-robber: collecte d'infos et empreinte -> /var/cache/tct/data
    • lazarus: reconstitue les fichiers présents dans les clusters non référencés
    • mactime: liste les fichiers dont le mactime a été modifié depuis une certaine date
  • Sleuthkit & Autopsy (GUI)
    • apt-get install sleuthkit
    • apt-get install autopsy
    • A lot of tools
    • Some very nice articles online to learn how to use them.

On live systems

  • Cryogenic.c
    • Captures process information stored in Linux's Proc_fs on a best effort basis
  • Chkrootkit
    • Checks for signs of rootkits on the local system
    • apt-get install chkrootkit
    • chkdirs: détecte les anomalies entre le nombre de liens d'un répertoire père et le nombre de sous-répertoires de ce dernier
    • chkprocs: compare le contenu du répertoire /proc avec la sortie de la commande ps
  • Unhide
    • Detecting hidden processes
    • apt-get install unhide
  • Kstat
  • Less intrusive: mem dump via Firewire
  • Cruft
    • Not a forensics tool per se but of great help to find files in the system directories that are not coming from legit Debian packages

Dumping data supports

dd --list
dd if=\\?\Device\Harddisk1\Partition0 of=c:\temp\usb2.img bs=1M --size --progress

Guessing the filesystem used

  • testdisk
    • apt-get install testdisk
  • gpart
    • apt-get install gpart
  • disktype
    • apt-get install disktype

Recovering files from filesystems

LVM

If the harddrive is using LVM, cf http://www.knoppix.net/wiki/LVM2 to activate the volumes and be able to mount them.

From ISO9660

  • dares
    • Description: rescue files from damaged CDs and DVDs (ncurses-interface)
      Dares scans a CD/DVD image or a CD/DVD for files. This also works when the filesystem (ISO-9660 or UDF) on the disc is damaged and cannot be mounted anymore.
    • apt-get install dares
    • Note that it helps recovering a logically damaged image, if the disk is physically damaged, first use sth like gddrescue to cope with IO errors.

From ext2

  • e2undel
    • apt-get install e2undel
  • recover (and gtkrecover)
    • apt-get install recover

Agnostic (any fs)

  • foremost
    • linux only
    • Description: a forensics application to recover data
      foremost is a console program to recover files based on their headers and footers for forensics purposes.
      foremost can work on disk image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for.
    • apt-get install foremost
    • Very good, nice progression report
    • Default blocksize 512
    • Doesn't recover partial files
foremost -t avi -t mpg -t wmv -t mov -q -v -i image.img -o /path/recovered
  • Magic Rescue
    • linux only
    • apt-get install magicrescue
    • Same purpose than foremost, very fast (but I didn't have yet the chance to compare it to foremost), no false positive, but less formats supported
    • Needs external tools depending on file type, e.g. jpegtran to recover jpegs
    • Comes with dupemap, a very handy tool to delete duplicates in recovered files (can work also against a backup to keep only new recovered files).
      Example: dupemap delete,report /path/recovered
    • Default blocksize=1, very slow if you don't need it => option -b 512
    • Recover partial files too
    • WARNING: recovered jpeg files are 16 bytes too large than the original files in my experience
mkdir /path/recovered
dpkg -L magicrescue|grep recipes/
magicrescue -r /usr/share/magicrescue/recipes/jpeg-exif -r /usr/share/magicrescue/recipes/jpeg-jfif -d /path/recovered -b 512 image.img
  • recoverjpeg
    • linux only
    • apt-get install recoverjpeg
    • Idem but focuses on jpeg only UPDATE v2.0 now contains also recovermov for MOV files, not tested
    • Recover partial files too but instead of a partial big jpeg it found the internal thumbnail of the partial jpeg...
mkdir /path/recovered
cd /path/recovered
recoverjpeg ../image.img
  • PhotoRec
    • Multi-platform
    • Under Debian/Ubuntu this one comes with testdisk
    • apt-get install testdisk
    • Don't be abused by program name, it supports A LOT of different formats (> 180 formats including FAT subdirectories etc)
    • Seems to create a lot of false positive (at least experienced with mpg) but it was the only one able to recover the MOV files from a Canon IXUS SDcard
    • No options, works interactively
    • Default blocksize 512
    • By default doesn't keep partial files but possibility to ask to keep them
    • Better to reduce the number of file types you want to recover if you look only for e.g. jpeg & mov, goes much faster
    • Package comes with a copy of the website documentation: see file:///usr/share/doc/testdisk/html/photorec.html
# DONT create output directory, it'll create one itself
photorec /d /path/recovered image.img

So all in all PhotoRec seems the best but painful to use with this interactive mode rather than using command line options
See also Sid's notes on photo recovery

Photodex Proshow mangled jpeg

A special mention for jpeg files embedded in Photodex presentations: if you try to extract them with one of the aforementioned programs (e.g. recoverjpeg -b 1 diaporama.exe), you'll find those files corrupted. It's because they're chunk in blocks interleaved with some metadata to remove.
Here is a little script to fix those jpeg files: [{{#file: photodex_proshow_fix_jpeg.py}} photodex_proshow_fix_jpeg.py]

#!/usr/bin/env python

import os

for filename in os.listdir('.'):
    with open(filename, 'rb') as f:
        data = f.read()
    # Check that it looks like a Photodex Proshow embedded jpeg
    status = True
    status &= data[6:10] == 'JFIF'
    status &= len(data) > 0x1FFC
    for i in range(0x1FFC,len(data),0x200A):
        status &= data[i-10:i-8] == '\x00\x00'
        status &= data[i-2:i] == '\x00\x00'
    if not status:
        continue
    # Seems ok, so now scrap those Photodex data
    print "Treating", filename
    os.rename(filename, filename + '.bak')
    with open(filename, 'wb') as f:
        f.write(data[:0x1FF2])
        for i in range(0x1FFC,len(data),0x200A):
            f.write(data[i:i+0x2000])

Recovering information from files

  • Trace! by Workshare
    • Windows-based tool for showing all Microsoft Office documents meta-information
    • Quite heavy and requires Microsoft .NET to be installed

Anti-forensic resources

Old stuff...

Récupération des données volatiles

Identification

  • Nom du système et version
    • uname -a
  • Date et heure
    • date
  • Paramètres réseau
    • ifconfig | grep "inet addr"

Configuration

  • Uptime
    • uptime
  • Applications installées
    • rpm -qa OU dpkg --get-selections
  • Configuration réseau
    • ifconfig -a
  • Table de routage
    • netstat -arn
  • Stratégie de mots de passe
    • cat /etc/pam.d/passwd -> /etc/pam.d/other -> /etc/pam.d/common-password
  • Comptes utilisateurs
    • cat /etc/passwd
  • Groupes
    • cat /etc/groups

Activité

  • Utilisateurs connectés
    • w (who)
  • Processus en exécution
    • ps auwx
  • Sockets ouvertes & processus propriétaires
    • netstat -anptuw
    • s'aider éventuellement de /etc/services
  • Table ARP
    • arp -a

Historique

  • Connexions locales & distantes
    • last -f /var/log/wtmp (et autres wtmp.N...)
  • Echecs de connexion
    • cf syslog
  • Derniers fichiers accédés
    • ls -alRu
  • Dernière connexion de chaque utilisateur
    • lastlog (lastlog|grep -v "\*\*.*\*\*")
  • Dernières commandes passées
    • history (à faire pour chaque user ou cat ~/.bash_history ou cat ~/.history)

Sniffers

  • ifconfig -a|grep PROMISC
  • Processus ayant ouvert un fichier
  • lsof...
  • Processus ayant ouvert une socket
    • for fd in $(find /proc -name fd); do echo $fd; ls -al $fd|grep socket;done;

Dump de la RAM

  • copier /proc/kcore

Récupération des données persistantes

  • dd
  • dd_rescue (apt-get install ddrescue), see also gddrescue
    • error-tolerant version of dd for rescuing data
  • strings
  • file
  • md5sum

See also