
OPEN SOURCE TOOLS



Presentation Transcript


  1. OPEN SOURCE TOOLS Dr. Abraham Professor UTPA

  2. Open Source • Freely redistributable • Provides access to source code • End user may modify source code

  3. Benefits of Open Source tools • Education • Portability • Move from one OS to another, computer to another, job to job, and so on. • Flexibility • You can choose how to use your tools. • Install on local or remote systems. • Price • Free

  4. Preparing the examination system • Build – take the source code and convert it to usable form (compile it). • If the tool is written in an interpreted language such as Perl, Python or Ruby, install the interpreter and run the tool directly. • Image files are forensic copies of the media. • Raw image files (a bit-by-bit copy of the media) and forensic containers (special file formats designed for forensics, holding the data plus metadata such as hashes) are the two forms of image file.

  5. How to make an operating system image • mkifs utility – builds an OS image filesystem, which may be bootable or non-bootable. • mkefs utility – builds an embedded (flash) filesystem. • Both are QNX Neutrino utilities.

  6. Working with images • To use a raw image file, use the losetup command to create a “loop device” associated with the disk image. • A loop device is a virtual device that allows a disk image to be treated as if it were an actual disk. • To attach a single partition rather than the whole disk, give losetup the partition's offset. losetup -o takes the offset in bytes; if you do not know it, first run mmls on the image, which reports each partition's start in sectors, and multiply by the sector size (normally 512). • losetup [-r] [-e encryption] [-o offset] loop_device file; losetup -d loop_device detaches the device. Use -r (read-only) so the evidence image is never written to.
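The volume-layer step described above, as an added example that is not part of the original slides: a constructed raw image with an MBR partition table is parsed the way mmls parses it (allocated partitions plus the unallocated gaps before, between and after them), and the sector offset of each partition is turned into the byte offset that losetup -o expects. The 512-byte sector size, the partition layout and the image file name "disk.dd" are assumptions for the demonstration; extended partitions are not walked.

```python
import struct

SECTOR_SIZE = 512  # assumed sector size; mmls reports offsets in sectors of this size

# Layout of the 512-byte master boot record (MBR)
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


def build_mbr_image(partitions, total_sectors):
    """Construct a sample raw disk image with an MBR partition table (constructed data,
    not a real acquisition). partitions: list of (type_byte, start_lba, length_in_sectors)."""
    image = bytearray(total_sectors * SECTOR_SIZE)
    for slot, (ptype, start, length) in enumerate(partitions[:4]):
        entry = struct.pack(PARTITION_ENTRY_FORMAT,
                            0x80 if slot == 0 else 0x00,              # bootable flag on the first
                            b"\xfe\xff\xff", ptype, b"\xfe\xff\xff",  # CHS fields unused (LBA only)
                            start, length)
        off = PARTITION_TABLE_OFFSET + 16 * slot
        image[off:off + 16] = entry
    image[510:512] = BOOT_SIGNATURE
    return bytes(image)


def parse_mbr(image):
    """Return the allocated partitions recorded in the MBR, sorted by start sector."""
    if image[510:512] != BOOT_SIGNATURE:
        raise ValueError("no 0x55AA boot signature: not an MBR volume system")
    parts = []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * slot
        _status, _chs_a, ptype, _chs_b, start, length = struct.unpack(
            PARTITION_ENTRY_FORMAT, image[off:off + 16])
        if ptype == 0 or length == 0:
            continue  # empty slot
        parts.append({"desc": "Partition type 0x%02x" % ptype,
                      "start": start, "end": start + length - 1, "length": length})
    return sorted(parts, key=lambda p: p["start"])


def volume_layout(image, total_sectors):
    """mmls-style listing: the partition table, the partitions, and the unallocated
    space before, between and after them (all values in sectors)."""
    entries = [{"desc": "Primary table (#0)", "start": 0, "end": 0, "length": 1}]
    cursor = 1
    for p in parse_mbr(image):
        if p["start"] > cursor:
            entries.append({"desc": "Unallocated", "start": cursor,
                            "end": p["start"] - 1, "length": p["start"] - cursor})
        entries.append(p)
        cursor = p["end"] + 1
    if cursor < total_sectors:
        entries.append({"desc": "Unallocated", "start": cursor,
                        "end": total_sectors - 1, "length": total_sectors - cursor})
    return entries


def losetup_command(entry, image_path):
    """Build the losetup invocation for one partition. losetup -o takes a BYTE offset, so
    the sector offset is multiplied by the sector size; -r attaches the loop device
    read-only so the evidence image is never modified; --sizelimit stops at the
    partition end instead of exposing the rest of the disk."""
    offset = entry["start"] * SECTOR_SIZE
    size = entry["length"] * SECTOR_SIZE
    return f"losetup -r -f --show -o {offset} --sizelimit {size} {image_path}"


if __name__ == "__main__":
    img = build_mbr_image([(0x83, 2048, 1024), (0x07, 3072, 512)], total_sectors=4096)
    for e in volume_layout(img, 4096):
        print(f"{e['start']:>10} {e['end']:>10} {e['length']:>10}  {e['desc']}")
    for p in parse_mbr(img):
        print(losetup_command(p, "disk.dd"))
```

With the sample layout the first partition starts at sector 2048, so the command printed for it uses -o 1048576: passing 2048 directly to -o, a common mistake, would attach the loop device 2048 bytes into the disk and the file system tools would find nothing.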

  7. Working with forensic containers • Two common forensic container formats are EWF (Expert Witness Format, used by EnCase) and AFF (Advanced Forensic Format, open source).

  8. Windows as a host • We can create a Unix-like environment under Windows using Cygwin (the cygwin1.dll compatibility layer). Through Cygwin we can compile and run Linux source code. • Windows does not have losetup, but ImDisk, which mounts image files as virtual disks, provides much of the same functionality.

  9. Disk and File System Analysis • Identification: determine which active and deleted files are available in a volume. • Extraction: Retrieval of relevant file data and metadata. • Analysis

  10. Concepts • Disk – physical device. • Volume – collection of one or more partitions; created from part of a disk, a whole disk, or multiple disks. • File system – layout of files on a volume. • Data unit – smallest unit of storage the file system allocates, such as a block or cluster (a group of sectors). • Metadata – the structures that describe a file (inodes in Unix). • File name – directory and file names, which point at metadata structures.

  11. Sleuth Kit • The Sleuth Kit (TSK), developed by Brian Carrier, is based on The Coroner’s Toolkit (TCT). • Supports raw disk images and, through libewf and AFFLIB, the EWF and AFF container formats. • “mm-”: tools that operate on volumes (media management). • “fs-”: tools that operate on file system structures. • “blk-”: operate on the data unit (block) layer. • “i-”: operate on the metadata (inode) layer. • “f-”: operate on the file name layer. • “img-”: operate on the image file.

  12. Volume Layer tools • mmstat – reports the type of volume system in use (e.g. DOS/MBR, GPT). • mmls – lists the partitions in the volume system, including the unallocated space before, after and between them.

  13. File System Layer Tools • fsstat displays file system information such as: • File system type, volume name, volume ID, last written date, last mounted date, checked date, etc.

  14. Data Unit layer tools • blkstat displays the allocation status of a specific data unit; blkcat displays its contents. • blkls extracts data units, by default all unallocated space of the file system, for further analysis such as carving.

  15. Metadata layer tools • istat displays information about a specific metadata structure (an inode, MFT entry, etc.): ownership, time information, block allocation, and so on.

  16. File Name Layer tools • fls lists file names (deleted and allocated).

  17. Image file tools • img_stat displays information about the image (format, size, sector size). • img_cat outputs the raw content of an image, which is also how an EWF or AFF container is converted to a raw stream.

  18. Carving • Foremost is a file carving program that extracts file content from unstructured streams of data (unallocated space, raw images) by matching known header and footer signatures; the file types to look for, with their signatures and maximum sizes, are set in its configuration file. • Deleted files – metadata still intact, so the file is recoverable. • Orphaned files – the link between file name and metadata is no longer accurate. • Unallocated – the metadata structure has been unlinked or reused, so only the data units remain. • Overwritten – only fragments can be obtained. • Slack space – the unused tail of a file’s last data unit, which may still hold older data.
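Header/footer carving of the kind foremost performs, as an added example that is not part of the original slides or of foremost itself: a constructed stream of filler bytes contains a whole JPEG, a whole PNG, and a JPEG header whose footer has been overwritten (the "only fragments can be obtained" case). The two signatures, the 64 KiB size cap and the sample stream are assumptions for the demonstration; a real configuration carries many more types.

```python
SIGNATURES = {
    # type: (header, footer); a small subset of what a carver's configuration file holds
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_FILE_SIZE = 64 * 1024  # assumed per-type size cap, as a carver config would set


def carve(data, signatures=SIGNATURES, max_size=MAX_FILE_SIZE):
    """Header/footer carving over an unstructured byte stream (unallocated space from
    blkls, a raw image). Returns one record per hit, ordered by offset in the stream."""
    hits = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start == -1:
                break
            limit = min(len(data), start + max_size)
            fpos = data.find(footer, start + len(header), limit)
            if fpos == -1:
                # No footer within the size cap: the file was overwritten or truncated,
                # so keep the fragment up to the cap and flag it as incomplete.
                end, complete = limit, False
            else:
                end, complete = fpos + len(footer), True
            hits.append({"type": kind, "offset": start, "length": end - start,
                         "complete": complete, "data": data[start:end]})
            pos = end
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_stream():
    """Constructed sample 'unallocated space': filler with one whole JPEG, one whole PNG,
    and a JPEG header whose body and footer were overwritten. Not real evidence data."""
    filler = bytes(range(256)) * 4                       # 1024 bytes containing no signature
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x01" * 200 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x02" * 100
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    fragment = b"\xff\xd8\xff\xe1" + b"\x03" * 50       # header only
    return filler + jpeg + filler + png + filler + fragment + filler[:300]


if __name__ == "__main__":
    for h in carve(build_sample_stream()):
        state = "complete" if h["complete"] else "FRAGMENT"
        print(f"{h['type']}  offset={h['offset']}  length={h['length']}  {state}")
```

Carved hits are only as good as the signatures and the size cap: a footer that happens to occur inside another file, or a cap set too low, yields a truncated or oversized file, which is why carved output should be validated (opened, hashed, compared against known files) before it is reported.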

  19. DD • Creates a copy (image) of a device or file. • dd if=inputfile of=outputfile; add bs= to set the block size and conv=noerror,sync to keep going past read errors, padding each unreadable block with zeros so later data keeps its offset. • dcfldd and dc3dd are variants of dd designed for forensics: they hash the data as it is copied, report progress, and log errors.
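The acquisition behaviour described above, as an added example that is not part of the original slides and not the code of dd, dcfldd or dc3dd: a block copy that, like dd with conv=noerror,sync, does not stop at a read error but writes a zero-filled block in its place, and that, like dcfldd and dc3dd, hashes the data stream while copying so the image can be verified afterwards. The failing "drive" and the 512-byte block size are constructed assumptions for the demonstration.

```python
import hashlib
import io

BLOCK_SIZE = 512  # dd's bs=; one sector here


class FlakySource:
    """Constructed stand-in for a drive with one unreadable sector: any read that starts
    inside block `bad_block` raises EIO, which is exactly where plain dd would abort."""

    def __init__(self, data, bad_block):
        self.data, self.bad_block, self.pos = data, bad_block, 0

    def seek(self, pos):
        self.pos = pos

    def read(self, n):
        if self.pos // BLOCK_SIZE == self.bad_block:
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def hash_bytes(data, algorithm="sha256"):
    """Digest of a whole buffer, used to verify the written image against the acquisition hash."""
    return hashlib.new(algorithm, data).hexdigest()


def image_device(src, dst, bs=BLOCK_SIZE, algorithms=("md5", "sha256")):
    """Block copy with dd's conv=noerror,sync semantics (do not stop on a read error, pad
    the unreadable block with zeros so later data keeps its offset) plus the dcfldd/dc3dd
    habit of hashing the stream as it is copied. Returns block counts, bad blocks and hashes."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    stats = {"blocks": 0, "bad_blocks": []}
    pos = 0
    while True:
        src.seek(pos)
        try:
            chunk = src.read(bs)
        except OSError:
            stats["bad_blocks"].append(pos // bs)   # log the error instead of aborting
            chunk = b"\x00" * bs                    # conv=noerror,sync
        if not chunk:
            break                                   # end of input
        chunk = chunk.ljust(bs, b"\x00")            # conv=sync also pads a short final block
        dst.write(chunk)
        for h in hashers.values():
            h.update(chunk)
        stats["blocks"] += 1
        pos += bs
    stats["hashes"] = {name: h.hexdigest() for name, h in hashers.items()}
    return stats


def demo(bad_block=2):
    """Image a constructed 2048-byte 'disk' (4 blocks) whose third block is unreadable."""
    data = bytes(range(256)) * 8
    src, dst = FlakySource(data, bad_block), io.BytesIO()
    stats = image_device(src, dst)
    return data, dst.getvalue(), stats


if __name__ == "__main__":
    data, out, stats = demo()
    print("blocks copied:", stats["blocks"], "bad blocks:", stats["bad_blocks"])
    for name, digest in stats["hashes"].items():
        print(f"{name} of image: {digest}")
    # The hash taken during acquisition must match a fresh hash of the written image.
    print("image verifies:", hash_bytes(out) == stats["hashes"]["sha256"])
```

Note what the hash does and does not prove: it matches the bytes actually written, zero padding included, so it verifies the image file but will not match a hash of the original device, which is why the list of bad blocks belongs in the acquisition notes alongside the digests.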
