Forensics
Revision as of 08:46, 10 August 2010 by <bdi>PhilippeTeuwen</bdi> (talk | contribs) (→Agnostic (any fs))
Books
Links
- http://www.d-fence.be and http://www.lnx4n6.be
- Among others the excellent FCCU GNU/Linux Forensic Boot CD, based on Knoppix
- Tip to mound soft RAID arrays: modprobe md-mod ; mdadm -Aa /dev/md0 /dev/hdaX /dev/sdaX (list of array partitions)
- Présentation d'adulau
- http://cve.mitre.org
- http://www.porcupine.org (Wieste Venema/TCT)
- U.S AirForce Office of Special Investigations
- http://www.forensicswiki.org
Lists
Tools
Generic forensic tools
- The Coroner Toolkit
- apt-get install tct
- grave-robber: collecte d'infos et empreinte -> /var/cache/tct/data
- lazarus: reconstitue les fichiers présents dans les clusters non référencés
- mactime: liste les fichiers dont le mactime a été modifié depuis une certaine date
- Sleuthkit & Autopsy (GUI)
- apt-get install sleuthkit
- apt-get install autopsy
- A lot of tools
- Some very nice articles online to learn how to use them.
On live systems
- Cryogenic.c
- Captures process information stored in Linux's Proc_fs on a best effort basis
- Chkrootkit
- Checks for signs of rootkits on the local system
- apt-get install chkrootkit
- chkdirs: détecte les anomalies entre le nombre de liens d'un répertoire père et le nombre de sous-répertoires de ce dernier
- chkprocs: compare le contenu du répertoire /proc avec la sortie de la commande ps
- Kstat
- Détecte le détournement d'appels systèmes
- wget http://s0ftpj.org/tools/kstat24_v1.1-2.tgz
- Less intrusive: mem dump via Firewire
- Presentation by A. Boileau: Hit by a Bus: Physical Access Attacks with Firewire (PDF)
- More on his page
Dumping data supports
- ddrescue
- apt-get install gddrescue
- Seems to work better than the next one (not to be confounded with...)
- dd_rescue
- apt-get install ddrescue
- CloneIt
- Networked Harddisk Replication System
- cf also netcat on Network security tools
- H2cdimage
- To recover badly damaged CD/DVDs
Guessing the filesystem used
- testdisk
- apt-get install testdisk
- gpart
- apt-get install gpart
- disktype
- apt-get install disktype
Recovering files from filesystems
LVM
If the harddrive is using LVM, cf http://www.knoppix.net/wiki/LVM2 to activate the volumes and be able to mount them.
From ISO9660
- dares
- Description: rescue files from damaged CDs and DVDs (ncurses-interface)
Dares scans a CD/DVD image or a CD/DVD for files. This also works when the filesystem (ISO-9660 or UDF) on the disc is damaged and cannot be mounted anymore. - apt-get install dares
- Note that it helps recovering a logically damaged image, if the disk is physically damaged, first use sth like gddrescue to cope with IO errors.
- Description: rescue files from damaged CDs and DVDs (ncurses-interface)
From ext2
- e2undel
- apt-get install e2undel
- recover (and gtkrecover)
- apt-get install recover
Agnostic (any fs)
- foremost
- linux only
- Description: a forensics application to recover data
foremost is a console program to recover files based on their headers and footers for forensics purposes.
foremost can work on disk image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for. - apt-get install foremost
- Very good, nice progression report
- Example:
foremost -t avi -t mpg -t wmv -t mov -q -v -i /dev/hda -o /path/recovered
- Magic Rescue
- linux only
- very same purpose than foremost, very fast (but I didn't have yet the chance to compare it to foremost), no false positive, but less formats supported
- Comes with dupemap, a very handy tool to delete duplicates in recovered files (can work also against a backup to keep only new recovered files).
Example: dupemap delete,report /path/recovered - To compile correctly dupemap, install libgdbm-dev
- recoverjpeg
- linux only
- Idem but focuses on jpeg only UPDATE now contains also recovermov for MOV files, not tested
- apt-get install recoverjpeg
- PhotoRec
- multi-platform
- Under Debian/Ubuntu this one comes with testdisk, promises a lot of different formats (pdf, raw images, zip, wma etc etc) but seems to create a lot of false positive (at least experienced with mpg) but it was the only one able to recover the MOV files from a Canon IXUS SDcard
- apt-get install testdisk
Recovering information from files
- Trace! by Workshare
- Windows-based tool for showing all Microsoft Office documents meta-information
- Quite heavy and requires Microsoft .NET to be installed
Anti-forensic resources
- wipe: secure file deletion
- To wipe a max of the unallocated space of e.g. hda1, just create a big file and wipe it: (this doesn't wipe slack space!)
- dd if=/dev/zero of=/bigfile bs=512 count=$((2*$(df |gawk '/hda1/{print $4}')))
- secure-delete: tools to wipe files, free disk space, swap and memory
- Darik's Boot and Nuke (dban): secure harddrive deletion
- SDelete from Sysinternals
- Defeating Forensic Analysis on Unix
- Software Engineering Security (PPT) by Wietse Venema at Hack.lu 2006
- Article at Ius Mentis
Old stuff...
Récupération des données volatiles
Identification
- Nom du système et version
- uname -a
- Date et heure
- date
- Paramètres réseau
- ifconfig | grep "inet addr"
Configuration
- Uptime
- uptime
- Applications installées
- rpm -qa OU dpkg --get-selections
- Configuration réseau
- ifconfig -a
- Table de routage
- netstat -arn
- Stratégie de mots de passe
- cat /etc/pam.d/passwd -> /etc/pam.d/other -> /etc/pam.d/common-password
- Comptes utilisateurs
- cat /etc/passwd
- Groupes
- cat /etc/groups
Activité
- Utilisateurs connectés
- w (who)
- Processus en exécution
- ps auwx
- Sockets ouvertes & processus propriétaires
- netstat -anptuw
- s'aider éventuellement de /etc/services
- Table ARP
- arp -a
Historique
- Connexions locales & distantes
- last -f /var/log/wtmp (et autres wtmp.N...)
- Echecs de connexion
- cf syslog
- Derniers fichiers accédés
- ls -alRu
- Dernière connexion de chaque utilisateur
- lastlog (lastlog|grep -v "\*\*.*\*\*")
- Dernières commandes passées
- history (à faire pour chaque user ou cat ~/.bash_history ou cat ~/.history)
Sniffers
- ifconfig -a|grep PROMISC
- Processus ayant ouvert un fichier
- lsof...
- Processus ayant ouvert une socket
- for fd in $(find /proc -name fd); do echo $fd; ls -al $fd|grep socket;done;
Dump de la RAM
- copier /proc/kcore
Récupération des données persistantes
- dd
- dd_rescue (apt-get install ddrescue), see also gddrescue
- error-tolerant version of dd for rescuing data
- strings
- file
- md5sum