Linux Forensics
Understanding basics of linux as a forensic tool
[*] by Catalyst
Contents
Linux Basics
Linux Command Line
SANS Investigative Forensic Toolkit (SIFT)
Linux and Forensics
Forensic Tools: md5deep, Bless Hex Editor, Digital Forensics Framework
Linux Basics
1969: C and the Unix OS.
GNU?
1991: Linus Torvalds contributes a kernel, named Linux.
Desktop environments: GNOME, KDE, XFCE.
SIFT: SANS Investigative Forensic Toolkit
Based on Ubuntu.
Free to Use. [GPL licensed]
Preconfigured tools to perform forensics.
Tools:
Autopsy
DFF – Digital Forensics Framework
Bless Hex Editor
EVTX – Event Log Viewer
Maltego
PTK
md5deep
SANS Cheatsheets
Volatility
Linux and Forensics: Built-in Forensic Tools in SIFT
dd: copies from an input file or device to an output file or device; simple bit-stream imaging.
grep: searches a file (or multiple files) for instances of an expression or pattern.
sfdisk and fdisk: used to determine the disk structure (partition layout).
md5sum and sha1sum: create and store an MD5 or SHA-1 hash of a file or list of files (including devices).
file: reads a file's header information in an attempt to ascertain its type, regardless of name or extension.
xxd: command-line hex dump tool, for viewing a file in hex mode.
md5deep: command-line utility.
Used for calculating hashes.
Comparing hashes.
Recursive operation: computes the MD5 for every file in a directory and for every file in every subdirectory.
Piecewise hashing: hashes a file in fixed-size blocks rather than as a whole.
File type mode.
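As an added example (not part of the original slides), the following shell script ties together the SIFT built-ins listed above and the md5deep behaviour just described: it images a constructed evidence file with dd, verifies the copy with md5sum and sha1sum, hashes a directory tree recursively as md5deep -r would, and shows why adding conv=sync to dd breaks hash verification. The function names and temporary paths are assumptions; nothing here touches a real device.

```shell
# Added example: dd imaging + md5sum/sha1sum verification, with a
# recursive hash listing in the style of "md5deep -r". All inputs are
# constructed in a temporary directory.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed "evidence": 1000 random bytes, deliberately not a multiple of 512.
make_evidence() {
    head -c 1000 /dev/urandom > "$WORK/evidence.bin"
    printf '%s' "$WORK/evidence.bin"
}

# Bit-stream copy. bs=512 mirrors a sector size; conv=noerror keeps reading
# past bad blocks. conv=sync is left out on purpose: it zero-pads the final
# short block, so the image would no longer hash-match the source.
acquire() {  # $1 = source, $2 = image path; prints the image path
    dd if="$1" of="$2" bs=512 conv=noerror 2>/dev/null
    printf '%s' "$2"
}

# Prints "<md5> <sha1>" for a file, using the SIFT built-ins.
hash_file() {
    printf '%s %s\n' "$(md5sum "$1" | cut -d' ' -f1)" "$(sha1sum "$1" | cut -d' ' -f1)"
}

# Prints MATCH when source and image digests agree, MISMATCH otherwise.
verify_image() {  # $1 = source, $2 = image
    if [ "$(hash_file "$1")" = "$(hash_file "$2")" ]; then
        printf 'MATCH'
    else
        printf 'MISMATCH'
    fi
}

# Hash every regular file under a directory; sorted so two runs over
# identical trees give identical lists (the md5deep -r behaviour).
hash_tree() {
    find "$1" -type f -exec md5sum {} + | sort
}

SRC="$(make_evidence)"
IMG="$(acquire "$SRC" "$WORK/evidence.dd")"
hash_file "$IMG" > "$WORK/evidence.dd.hashes"   # keep digests beside the image
printf 'image verify:  %s\n' "$(verify_image "$SRC" "$IMG")"

# The padding caveat: same source, conv=sync added, image grows to 1024 bytes.
dd if="$SRC" of="$WORK/padded.dd" bs=512 conv=noerror,sync 2>/dev/null
printf 'padded verify: %s\n' "$(verify_image "$SRC" "$WORK/padded.dd")"
```

Record the digests at acquisition time and re-run hash_file on the image before analysis; any change in the stored pair means the evidence copy can no longer be trusted.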
Bless Hex Editor
Bless is a high-quality, full-featured hex editor.
It is written in Mono/Gtk# and its primary platform is GNU/Linux.
Features:
Efficient editing of large data files and block devices.
Multilevel undo/redo operations.
Customizable data views.
Fast data rendering on screen.
Multiple tabs.
Fast find and replace operations.
A data conversion table.
Advanced copy/paste capabilities.
Highlighting of selection pattern matches in the file.
Plugin-based architecture.
Export of data to text and HTML (other formats via plugins).
Bitwise operations on data.
A comprehensive user manual.
Bless Hex Editor: Opening Bless
Menubar: The menus on the menubar contain all of the commands you need to work with files in Bless.
Toolbar: Provides shortcuts to the commands that are most frequently used when working with files in Bless.
Data View: The data view contains multiple tabs that display the data of the files you are editing.
Conversion Table: The conversion table displays the bytes at the current file position converted to various formats.
Statusbar: The statusbar displays information about current Bless activity and information about the current file.
To open a file from the command line: bless filename
Bless Hex Editor: Data View Areas
Offset Area: Displays the offset of the first byte at the specified row.
Separator Area: Displays a vertical separator line.
Hexadecimal Area: Displays the data in hexadecimal number base.
Decimal Area: Displays the data in decimal number base.
Octal Area: Displays the data in octal number base.
Binary Area: Displays the data in binary number base.
ASCII Area: Displays the data as ASCII text.
Selecting the active area
At any time only one of the areas accepts and handles editing events.
This area is said to have the focus.
All areas except Offset and Separator may have the focus.
The cursor in the focused area consists of a horizontal line under the current byte and a vertical line just before the active digit of the current byte.
Bless Hex Editor: Editing a File
Moving the cursor to a specific position: To access the Go to Offset Bar use Search → Go to Offset (Ctrl+G).
Selecting a range of data: To access the Select Range Bar use Edit → Select Range (Ctrl+Shift+R).
Searching in files: To access the Search Bar use Search → Find (Ctrl+F).
Replacing in files: To access the Replace Bar use Search → Replace (Ctrl+R).
Exporting data: Bless can currently export data to text or HTML files.
Performing bitwise operations: To access the Bitwise Operations Bar use Tools → Bitwise Operations (Ctrl+B). Available operations:
• AND
• OR
• XOR
• NOT
Digital Forensics Framework [DFF]
Digital investigation tool and a development platform.
Written in Python and C++.
Extracts, analyzes and correlates data of different files from data acquisition on digital media, such as hard disk drives, RAM or cell phones memory.
It can also be used to recover deleted data.
Launching DFF: click the DFF icon, or run the command:
dff.py -g
Application Toolbar
Project browser
Tree View Area
Data display area
Data attributes area
DFF Shell: a Python shell
Modules
Modules are used to perform a specific kind of task.
A module can take several input parameters:
• The path to a file, node or directory.
• The type of file to analyze.
• Options specific to the module or to the type of the analyzed data.
Autopsy
GUI front end for The Sleuth Kit.
Open source.
Forensic browser.
Analyzes Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3, etc.).
Autopsy 3 is Java-based and designed to be an end-to-end platform for digital forensics.
Autopsy: Walkthrough
In the Autopsy Browser, open a new case by clicking "New Case".
Give the location of the forensic image.
Calculate MD5 hashes, also using Autopsy.
Autopsy lists all of the file system details and the mmls tool (command line) output for us.
Click on "Analyze".
Analyze the desired partition.