Difference between revisions of "Forensics"

Books

• Forensics Discovery

Links

• http://www.d-fence.be and http://www.lnx4n6.be
  • Among others the excellent FCCU GNU/Linux Forensic Boot CD, based on Knoppix
  • Tip to mound soft RAID arrays: modprobe md-mod ; mdadm -Aa /dev/md0 /dev/hdaX /dev/sdaX (list of array partitions)
• Présentation d'adulau
• http://cve.mitre.org
• http://www.porcupine.org (Wieste Venema/TCT)
• U.S AirForce Office of Special Investigations
• http://www.forensicswiki.org

Lists

• http://groups.yahoo.com/group/linux_forensics/

Tools

See also this list (fr)

Generic forensic tools

• The Coroner Toolkit
  • apt-get install tct
  • grave-robber: collecte d'infos et empreinte -> /var/cache/tct/data
  • lazarus: reconstitue les fichiers présents dans les clusters non référencés
  • mactime: liste les fichiers dont le mactime a été modifié depuis une certaine date
• Sleuthkit & Autopsy (GUI)
  • apt-get install sleuthkit
  • apt-get install autopsy
  • A lot of tools
  • Some very nice articles online to learn how to use them.

On live systems

• Cryogenic.c
  • Captures process information stored in Linux's Proc_fs on a best effort basis
• Chkrootkit
  • Checks for signs of rootkits on the local system
  • apt-get install chkrootkit
  • chkdirs: détecte les anomalies entre le nombre de liens d'un répertoire père et le nombre de sous-répertoires de ce dernier
  • chkprocs: compare le contenu du répertoire /proc avec la sortie de la commande ps
• Unhide
  • Detecting hidden processes
  • apt-get install unhide
• Kstat
  • Détecte le détournement d'appels systèmes
  • wget http://s0ftpj.org/tools/kstat24_v1.1-2.tgz
• Less intrusive: mem dump via Firewire
  • Presentation by A. Boileau: Hit by a Bus: Physical Access Attacks with Firewire (PDF)
  • More on his page
• Cruft
  • Not a forensics tool per se but of great help to find files in the system directories that are not coming from legit Debian packages

Dumping data supports

• ddrescue
  • apt-get install gddrescue
  • Seems to work better than the next one (not to be confounded with...)
• dd_rescue
  • apt-get install ddrescue
• CloneIt
  • Networked Harddisk Replication System
  • cf also netcat on Network security tools
• H2cdimage
  • To recover badly damaged CD/DVDs
• dd for Windows

dd --list
dd if=\\?\Device\Harddisk1\Partition0 of=c:\temp\usb2.img bs=1M --size --progress

Guessing the filesystem used

• testdisk
  • apt-get install testdisk
• gpart
  • apt-get install gpart
• disktype
  • apt-get install disktype

Recovering files from filesystems

LVM

If the harddrive is using LVM, cf http://www.knoppix.net/wiki/LVM2 to activate the volumes and be able to mount them.

From ISO9660

• dares
  • Description: rescue files from damaged CDs and DVDs (ncurses-interface)
    Dares scans a CD/DVD image or a CD/DVD for files. This also works when the filesystem (ISO-9660 or UDF) on the disc is damaged and cannot be mounted anymore.
  • apt-get install dares
  • Note that it helps recovering a logically damaged image, if the disk is physically damaged, first use sth like gddrescue to cope with IO errors.

From ext2

• e2undel
  • apt-get install e2undel
• recover (and gtkrecover)
  • apt-get install recover

Agnostic (any fs)

• foremost
  • linux only
  • Description: a forensics application to recover data
    foremost is a console program to recover files based on their headers and footers for forensics purposes.
    foremost can work on disk image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for.
  • apt-get install foremost
  • Very good, nice progression report
  • Default blocksize 512
  • Doesn't recover partial files

foremost -t avi -t mpg -t wmv -t mov -q -v -i image.img -o /path/recovered

• Magic Rescue
  • linux only
  • apt-get install magicrescue
  • Same purpose than foremost, very fast (but I didn't have yet the chance to compare it to foremost), no false positive, but less formats supported
  • Needs external tools depending on file type, e.g. jpegtran to recover jpegs
  • Comes with dupemap, a very handy tool to delete duplicates in recovered files (can work also against a backup to keep only new recovered files).
    Example: dupemap delete,report /path/recovered
  • Default blocksize=1, very slow if you don't need it => option -b 512
  • Recover partial files too
  • WARNING: recovered jpeg files are 16 bytes too large than the original files in my experience

mkdir /path/recovered
dpkg -L magicrescue|grep recipes/
magicrescue -r /usr/share/magicrescue/recipes/jpeg-exif -r /usr/share/magicrescue/recipes/jpeg-jfif -d /path/recovered -b 512 image.img

• recoverjpeg
  • linux only
  • apt-get install recoverjpeg
  • Idem but focuses on jpeg only UPDATE v2.0 now contains also recovermov for MOV files, not tested
  • Recover partial files too but instead of a partial big jpeg it found the internal thumbnail of the partial jpeg...

mkdir /path/recovered
cd /path/recovered
recoverjpeg ../image.img

• PhotoRec
  • Multi-platform
  • Under Debian/Ubuntu this one comes with testdisk
  • apt-get install testdisk
  • Don't be abused by program name, it supports A LOT of different formats (> 180 formats including FAT subdirectories etc)
  • Seems to create a lot of false positive (at least experienced with mpg) but it was the only one able to recover the MOV files from a Canon IXUS SDcard
  • No options, works interactively
  • Default blocksize 512
  • By default doesn't keep partial files but possibility to ask to keep them
  • Better to reduce the number of file types you want to recover if you look only for e.g. jpeg & mov, goes much faster
  • Package comes with a copy of the website documentation: see file:///usr/share/doc/testdisk/html/photorec.html

# DONT create output directory, it'll create one itself
photorec /d /path/recovered image.img

So all in all PhotoRec seems the best but painful to use with this interactive mode rather than using command line options
See also Sid's notes on photo recovery

Photodex Proshow mangled jpeg

A special mention for jpeg files embedded in Photodex presentations: if you try to extract them with one of the aforementioned programs (e.g. recoverjpeg -b 1 diaporama.exe), you'll find those files corrupted. It's because they're chunk in blocks interleaved with some metadata to remove.
Here is a little script to fix those jpeg files: [{{#file: photodex_proshow_fix_jpeg.py}} photodex_proshow_fix_jpeg.py]

#!/usr/bin/env python

import os

for filename in os.listdir('.'):
    with open(filename, 'rb') as f:
        data = f.read()
    # Check that it looks like a Photodex Proshow embedded jpeg
    status = True
    status &= data[6:10] == 'JFIF'
    status &= len(data) > 0x1FFC
    for i in range(0x1FFC,len(data),0x200A):
        status &= data[i-10:i-8] == '\x00\x00'
        status &= data[i-2:i] == '\x00\x00'
    if not status:
        continue
    # Seems ok, so now scrap those Photodex data
    print "Treating", filename
    os.rename(filename, filename + '.bak')
    with open(filename, 'wb') as f:
        f.write(data[:0x1FF2])
        for i in range(0x1FFC,len(data),0x200A):
            f.write(data[i:i+0x2000])

Recovering information from files

• Trace! by Workshare
  • Windows-based tool for showing all Microsoft Office documents meta-information
  • Quite heavy and requires Microsoft .NET to be installed

Anti-forensic resources

• wipe: secure file deletion
  • To wipe a max of the unallocated space of e.g. hda1, just create a big file and wipe it: (this doesn't wipe slack space!)
  • dd if=/dev/zero of=/bigfile bs=512 count=$((2*$(df |gawk '/hda1/{print $4}')))
• secure-delete: tools to wipe files, free disk space, swap and memory
• Darik's Boot and Nuke (dban): secure harddrive deletion
• SDelete from Sysinternals
• Defeating Forensic Analysis on Unix
• Software Engineering Security (PPT) by Wietse Venema at Hack.lu 2006
• Article at Ius Mentis

Old stuff...

Récupération des données volatiles

Identification

• Nom du système et version
  • uname -a
• Date et heure
  • date
• Paramètres réseau
  • ifconfig | grep "inet addr"

Configuration

• Uptime
  • uptime
• Applications installées
  • rpm -qa OU dpkg --get-selections
• Configuration réseau
  • ifconfig -a
• Table de routage
  • netstat -arn
• Stratégie de mots de passe
  • cat /etc/pam.d/passwd -> /etc/pam.d/other -> /etc/pam.d/common-password
• Comptes utilisateurs
  • cat /etc/passwd
• Groupes
  • cat /etc/groups

Activité

• Utilisateurs connectés
  • w (who)
• Processus en exécution
  • ps auwx
• Sockets ouvertes & processus propriétaires
  • netstat -anptuw
  • s'aider éventuellement de /etc/services
• Table ARP
  • arp -a

Historique

• Connexions locales & distantes
  • last -f /var/log/wtmp (et autres wtmp.N...)
• Echecs de connexion
  • cf syslog
• Derniers fichiers accédés
  • ls -alRu
• Dernière connexion de chaque utilisateur
  • lastlog (lastlog|grep -v "\*\*.*\*\*")
• Dernières commandes passées
  • history (à faire pour chaque user ou cat ~/.bash_history ou cat ~/.history)

Sniffers

• ifconfig -a|grep PROMISC
• Processus ayant ouvert un fichier
• lsof...
• Processus ayant ouvert une socket
  • for fd in $(find /proc -name fd); do echo $fd; ls -al $fd|grep socket;done;

Dump de la RAM

• copier /proc/kcore

Récupération des données persistantes

• dd
• dd_rescue (apt-get install ddrescue), see also gddrescue
  • error-tolerant version of dd for rescuing data
• strings
• file
• md5sum

See also

• Forensics on Incident 1
• Forensics on Incident 2
• LaCie_5big_Network_2#Two_faulty_disks_on_a_5-disk_RAID5
• Network security tools