====== System Forensics, Investigation, and Response Day 1-3 ======

===== Day 3 =====

==== Grab - GUI Imaging Interface..104 ====

* Adepto/Grab..105

==== Linux Media Analysis..108 ====

* Linux Media Analysis Using Open Source Toolkits..109

==== Critical Tool Overview..110 ====

* Critical Tools Overview - **Hex Editors**..111
* **KHexedit** and **WinHex**..112
* Critical Tools Overview - **file**..114
  * Identifies a file by using a configuration file called the magic file, which is present across systems: ''/usr/share/directory/magic''
  * Usage (0:25:00): ''file /usr/share/backgrounds/images/earthfromspace.jpg /usr/share/backgrounds/images/stonebird.jpg'' - each has the same starting byte string.
  * Thought process number 1: look for the header, then look for the footer; everything in between is the image.
  * Side note: vulnerability in Microsoft JPEG rendering. Heap overflow in the comment string: the code always subtracted 2 from the length to find the comment field, so a length value of less than 2 gave a really large number for a signed integer.
* Critical Tools Overview - **strings**..116
  * Displays runs of 4 or more ASCII characters.
  * List the byte offset of each string in the image: ''strings --radix=d''
  * Chain: byte offset --> block number --> inode number --> metadata --> filename
  * byte offset / block size = block number
  * File size and name are stored in the metadata; the data layer is comprised of data blocks.
  * Steps: identify the block the string sits in; find the inode number with that block; then find the filename.
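An added example that is not part of the course notes: the header/footer carving idea from the file slide and the byte offset to block number step from the strings slide, run in Python on a constructed byte buffer. The JPEG marker layout follows the JPEG standard; the ''segments_ok'' check is my own defensive counterpart to the comment-length side note, not anything from the course.

```python
# Added example, not from the course notes: a header/footer carver for JPEG data
# (the "find header, find footer, everything between is the image" idea behind
# file/foremost) plus the strings-style byte offset -> block number step.
# The segment walk refuses a length field below 2, the value the side note says
# the Microsoft JPEG code turned into a huge number via length - 2.
import struct

SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus the next marker's 0xFF
EOI = b"\xff\xd9"       # end-of-image marker
BLOCK_SIZE = 4096

def carve_jpegs(data: bytes):
    """(byte offset, bytes) for each SOI..EOI run; naive like a simple carver,
    so an 0xFFD9 inside scan data would cut an image short."""
    hits, pos = [], 0
    while (start := data.find(SOI, pos)) >= 0:
        end = data.find(EOI, start + len(SOI))
        if end < 0:
            break
        hits.append((start, data[start:end + len(EOI)]))
        pos = end + len(EOI)
    return hits

def segments_ok(jpeg: bytes) -> bool:
    """Walk marker segments up to SOS/EOI; every length field must be >= 2
    (it counts its own two bytes) and must fit inside the carved data."""
    i = 2                                  # skip SOI
    while i + 4 <= len(jpeg):
        if jpeg[i] != 0xFF:
            return False
        marker = jpeg[i + 1]
        if marker in (0xD9, 0xDA):         # EOI or SOS: header segments done
            return True
        (length,) = struct.unpack(">H", jpeg[i + 2:i + 4])
        if length < 2 or i + 2 + length > len(jpeg):
            return False                   # would underflow / overrun
        i += 2 + length
    return False

def block_of(offset: int, block_size: int = BLOCK_SIZE) -> int:
    """byte offset / block size = block number (first hop of the strings chain)."""
    return offset // block_size

# Constructed image: zero fill, a tiny JPEG with a COM segment, zero fill,
# then a JPEG whose COM segment claims a length of 1.
GOOD = (SOI + b"\xe0" + struct.pack(">H", 4) + b"JF"          # APP0, 4 bytes
        + b"\xff\xfe" + struct.pack(">H", 7) + b"hello"       # COM, 7 bytes
        + b"\xff\xda" + struct.pack(">H", 2) + b"\x12\x34" + EOI)
BAD = SOI + b"\xfe" + struct.pack(">H", 1) + b"x" + EOI
IMAGE = b"\x00" * 5000 + GOOD + b"\x00" * 7000 + BAD

def carve_report(data: bytes = IMAGE):
    """(offset, block number, header segments sane?) for each carved hit."""
    return [(off, block_of(off), segments_ok(j)) for off, j in carve_jpegs(data)]
```

Running ''carve_report()'' on the constructed buffer reports the first hit at offset 5000 in block 1 with sane segments and the second at offset 12025 in block 2 rejected by the length check.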
* Critical Tools Overview - **srch_strings**..118
* Critical Tools Overview - **grep**..119
* **strings** Example..122

==== Linux Media Analysis: The Sleuth Kit..123 ====

* The Sleuth Kit Programs..126

==== File System Layer..133 ====

* **fsstat**..134
  * ''fsstat dev_sda6.img | less''
* fsstat - FAT Image..135
* fsstat - NTFS Image..138
* fsstat Examples

==== Data Layer ====

* **dstat**..142
  * dstat reports whether a data unit is Allocated or Unallocated.
  * ''dstat dev_sda6.img 368055''
* **dcat**..143
  * dcat displays the contents of a data unit.
  * ''dcat dev_sda6.img 368055 | less''
  * For a hex display: ''dcat -h dev_sda6.img 368055 | less''
* **dls**..145
  * Lists the contents of unallocated data (by default).
  * ''-e'' show all blocks
  * ''-l'' list details
  * ''-s'' show slack space (no slack in Linux)
  * Extract all unallocated data: ''dls dev_sda6.img > dev_sda6.dls''
  * Extract between 8000 and 9000: ''dls -el dev_sda6.img 8000-9000''
* Extracting Slack Space..148
* **dcalc**..149
  * Since the blocks in the dls output are no longer in their original sequence (the allocated blocks have been removed), use dcalc to cross back to the original block number.
  * ''dcalc dev_sda6.img -u 233429'' gives: 368055
* **lazarus**..150
  * Takes every single data block and runs file against it.
* **foremost**..156
  * Carves out files based on their file headers and sorts them by type.
  * ''mkdir /images/unixforensics/foremost_gzip'' (need to create a directory where the output will go)
  * ''foremost -o /images/unixforensics/foremost_gzip -c /usr/local/src/foremost.conf dev_sda6.dls''
  * May need to remove the 13th data block. In the example, open the file in khexedit, go to position blocksize(4096)*12 and delete blocksize(4096) bytes of data.
  * In audit.txt, the gzip file is listed at byte offset 98304.
  * 98304/4096 = 24 (block number in the unallocated dls file)
  * ''dcalc dev_sda6.img -u 24'' gives: 8171 (original block number)
* Add the .gz File Type to foremost..160
* Data Layer Review..163

==== Metadata Layer..164 ====

* **ifind**..165
  * Give ifind the block and it will return an inode number that is/was associated with it.
  * ''ifind dev_sda6.img -d 8171'' gives: 2880
* **istat**..167
  * Displays metadata information about an inode.
  * ''istat dev_sda6.img 2880''
* istat - FAT Image Example..169
* istat - NTFS Image Example..170
* Inode lister: **ils**..173
* ils Audit: Hands-On..175
* ils Post Mortem: Hands-On..176
  * List inode information: ''ils dev_sda6.img | grep 2880''
* **icat**..177
  * Copies files out by inode number.
  * ''icat -r dev_sda6.img''
  * ''icat -r dev_sda6.img 2880 > /images/unixforensics/lk.tgz''
* Metadata Layer Review..180

==== Filename Layer..181 ====

* **fls**..182
  * Takes the inode of a directory and displays the filenames in that directory.
  * ''fls dev_sda6.img''
  * ''fls -l dev_sda6.img''
  * ''fls dev_sda6.img 174593''
* **ffind**..187
* Filename Layer Review..189

==== SleuthKit Exercises..190 ====

* Journal Layer..193
* **jls**..196
* **jcat**..198

==== Advanced Timelines Deleted Files and Unallocated Metadata..200 ====

Like mac_robber, the following will create the timeline information.

* Data File: **fls -m** [timeline information]..201
  * ''-m'' gives the mount point to prepend to the output
  * ''-r'' recurses into directories
  * ''fls -m / -r dev_sda6.img > /images/unixforensics/dev_sda6.fls''
  * Or on a live system: ''fls -m / -r /dev/sda6 | less''
* Data File: **ils -m** [timeline information]..203
  * Extracts data on deleted inodes, but without the missing filename information.
  * ''ils -m dev_sda6.img > /images/unixforensics/dev_sda6.ils''
* Data File Conclusion..205
  * Integrate them with cat: ''cat dev_sda6.?ls > dev_sda6.mac'' (the question mark matches any single character)
* mactime Examples **mactime -b**..206
  * Makes the data human readable: ''mactime -b dev_sda6.mac > timeline_sda6.all''
  * ''-d'' for comma-delimited output
* Timeline reading..207

==== File Content Type..211 ====

* **file**..212
* **sorter**..213
  * Uses file to categorize everything on the system, including deleted files, and puts them in directories by type.
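The Data Layer notes above (dls, foremost, dcalc -u, then ifind) turn on the fact that dls renumbers blocks. An added example, not from the course notes or from The Sleuth Kit itself, that reproduces that bookkeeping on a constructed allocation bitmap in place of dev_sda6.img; the function names mirror the dcalc options but the code is mine:

```python
# Added example, not from the course notes or from The Sleuth Kit: the block
# bookkeeping behind dls and dcalc -u, on a constructed allocation bitmap
# instead of dev_sda6.img. dls writes only the unallocated blocks, back to back,
# so "block 24" of the dls output is not block 24 of the image; dcalc -u maps back.
BLOCK_SIZE = 4096

# Constructed bitmap, index = original block number; True = allocated.
BITMAP = [True, True, False, True, False, False, True, False, True, True, False]

def dls_units(bitmap, all_blocks=False):
    """Original block numbers in the order dls emits them (-e includes allocated)."""
    return [blk for blk, alloc in enumerate(bitmap) if all_blocks or not alloc]

def dcalc_u(bitmap, dls_unit):
    """dcalc -u: unit number inside the dls output -> original block number."""
    units = dls_units(bitmap)
    if not 0 <= dls_unit < len(units):
        raise ValueError(f"dls unit {dls_unit}: only {len(units)} unallocated blocks")
    return units[dls_unit]

def dcalc_d(bitmap, orig_block):
    """dcalc -d: original block number -> unit number inside the dls output."""
    if bitmap[orig_block]:
        raise ValueError(f"block {orig_block} is allocated, so dls never wrote it")
    return dls_units(bitmap).index(orig_block)

def audit_offset_to_block(bitmap, audit_offset, block_size=BLOCK_SIZE):
    """The foremost chain from the notes: audit.txt byte offset in the dls file
    -> offset / blocksize = dls unit -> dcalc -u -> original block for ifind."""
    return dcalc_u(bitmap, audit_offset // block_size)

# e.g. a foremost hit at byte 12288 of the dls file is dls unit 3, original block 7
```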
* Thumbnails Viewing..217
* Hash Databases..218
* **hfind**: Overview..219
  * Indexes and searches the hash database.
  * Build the index: ''hfind -i md5sum linux_hash.txt''
  * Look up hashes: ''hfind linux_hash.txt''
* sorter and hashes..220
  * Hash all files: ''md5deep -r / > /mnt/LinuxFC3.txt''
  * Use the database to exclude known-good files with sorter: ''sorter -d sorter_dir -x LinuxFC3.txt hda1.dd''

==== Autopsy Forensic Browser..221 ====

* Adding a Host..226
* Adding an Image..228
* Beginning the Analysis..232
* Live Autopsy Analysis..263
* Autopsy Step-By-Step..268

==== Review..270 ====

==== Forensic Investigation Methodology..271 ====

----