1 / 36

Forensics Toolkits “Who said there were no free lunches anymore?”

Forensics Toolkits “Who said there were no free lunches anymore?”. Overview. Cygwin Data Integrity Tools Drive Tools Viewers Search Tools Forensics Programs. CYGWIN. A Unix environment for Windows:

palani
Télécharger la présentation

Forensics Toolkits “Who said there were no free lunches anymore?”

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Forensics Toolkits“Who said there were no free lunches anymore?”

  2. Overview • Cygwin • Data Integrity Tools • Drive Tools • Viewers • Search Tools • Forensics Programs

  3. CYGWIN • A Unix environment for Windows: • A DLL (cygwin1.dll) which acts as a UNIX emulation layer providing substantial UNIX API functionality • A collection of tools, ported from UNIX, which provide UNIX/Linux look and feel • The Cygwin DLL works with all versions of Windows since Windows 95, with the exception of Windows CE

  4. CYGWIN • Where to get it: • www.redhat.com/download/cygwin.html • What’s included: • date time uptime uname –a • hostname whoami env • ps netstat arp

  5. Data Integrity Tools Goal: maintain the chain of evidence and integrity of tools • Maresware’sDisk_crc • http://www.dmares.com • MD5 Summer • http://sourceforge.net/projects/md5summer

  6. Network Tool • NetCat/Cryptcat • Creates a channel of communication between hosts • Used during forensics to create a reliable, TCP connection between the target system and the forensic workstation • Cryptcat provides for encryption http://netcat.sourceforge.net/ http://cryptcat.sourceforge.net/

  7. Netcat Commands • Forensic workstation (192.168.1.1) command • E:\>nc –l –p 2222 > yourfilename • Translation: execute netcat in listen mode on port 2222 and pipe inbound traffic to “yourfilename” • Sending output from target system • A:> pslist | nc 192.168.1.1 2222 • Translation: execute pslist and pipe output to netcat and netcat will transmit to 192.168.1.1 port 2222

  8. Netcat in Action Forensics Workstation Hacked Machine time date loggedon fport pslist Nbtstat - c • Run trusted commands on Hacked Machine • Send output of commands to forensics workstation using netcat • Perform off-line review • MD5SUM output files

  9. Netcat Command Sequence Forensics Workstation 192.168.1.1 Hacked Machine time date loggedon fport pslist Nbtstat - c A:>time | nc 192.168.1.1 2222 A:>date | nc 192.168.1.1 2222 * * A:>Nbtstat – c | nc 192.168.1.1 2222 C:>nc – l – p 2222 > forensics.txt C:>md5sum forensics.txt > ?????

  10. Drive Tools Goal: allow collection of various hard/floppy/CD forensics • Partition Tools • fdisk (for Linux, DOS version obsolete) • Partinfo (free ftp://ftp.powerquest.com/pub/utilities) • PartitionMagic(includes Partinfo but cost $) • CD-R Utilities • CD-R Diagnostics (www.cdrom-prod.com/software.html) • Unerase Tools • Windows: Norton Utilities Diskedit & unerase • Unix: e2recover (www.praeclarus.demon.co.uk) • FilesScavenger (www.quetek.com/)

  11. Drive Tools(2) • Drive Imagers • NTI’s SafeBack (www.forensics-intl.com) • SnapBack (www.cdp.com) • Ghost (www.symantec.com) • Dd—the Unix command • Disk Wipers • DiskScrub from NTI

  12. File Viewers Goal: allow investigator to discover, view, and analyze files on all operating systems • QuickViewPlus – (www.jasc.com) • Views over 200 file types • Conversion Plus (www.dataviz.com) • Views Mac files on Windows • ThumbsPlus – (www.cerious.com) • Catalogs and displays all image files

  13. Search Tools Goal: find keywords pertinent to investigation • Danny Mares StringSearch (www.maresware.com) • Hidden Streams • SFind (www.foundstone.com) • Streams (www.sysinternals.com/ntw2k/source/misc.html)

  14. Forensics Programs • Focus: collect and analyze data • Forensic Toolkit – www.foundstone.com • Focus is on Windows NT systems • The Coroners Toolkit (TCT) – www.fish.com • Investigates a hacked Unix host • graverobber • mac utility • unrm utility • lazarus tool

  15. Forensics Programs(2) • SANS Investigative Forensic Toolkit (SIFT) http://digital-forensics.sans.org/community/downloads

  16. Forensics Programs(3) • ForenSix by Dr. Fred Cohen • www.all.net • Runs on Linux but can access many different file systems • EnCase (www.encase.com) • Claims to be the only fully integrated Windows-based forensics application

  17. Foundstone Toolshttp://www.foundstone.com/resources/forensics.htm • Pasco 1.0 – IE activity forensic tool • Galleta 1.0 – Examine content of cookie files from IE • Rifiuti 1.0 – Examine Info2 file in the Recycle Bin • Vision 1.0 – Reports open TCP/UDP ports and maps to owning process • NTLast 3.0 – Security Log Analyzer • ShoWin 2.0 – Show information about Windows • BinText 3.0 - Finds strings in a file • Patchit 2.0 – Binary file byte patching program

  18. Vision System Info

  19. Vision Processes View

  20. Vision Services View

  21. Vision Services View

  22. File Watch

  23. Sysinternals Toolshttp://www.sysinternals.com/ntw2k/utilities.shtml • Monitoring Tools • Diskmon 1.1 – monitors disk activity • Filemon 1.1 – monitors file activity • ListDLLs 2.23 – List all currently loaded DLLs • NTFSInfo—Gives size and location of MFT • Portmon 3.02—monitors serial and parallel ports • Process Explorer 6.03 – find our what files, registry keys, and other objects process which DLLs • PSTools 1.82 • Regmon 6.06 – monitors registry activity

  24. Sysinternals Tools(2) • Utilities • AccessEnum 1.0 – used to find holes in file permissions • NTRecover 1.0 – access dead NT disks over a serial connection • NTFSDOS 3.02 – Access NTFS drives read-only from DOS • Remote Recover 2.0-- access dead NT disks over a network connection

  25. pstools

  26. pslist

  27. pslist

  28. Process Explorer-View 1

  29. Process Explorer-View 2

  30. FILEMON

  31. REGMON

  32. TCP/IP Monitor One Single IE Access to One Web Site

  33. Other Useful Tools • Password Crackers (see pg 145) • L0phtCrack – www.atstake.com • John the Ripper – www.openwall.com/john • Chntpw – home.eunet.no/~pnordahl/ntpasswd • Fast ZipCracker – www.netgate.com.uy/~fpapa • AccessData – www.accessdata.com • Provides entry to a wide range of application encrypted files • Elcom – www.elcomsoft.com

  34. Other Useful Tools(2) • Internet References • Matching Hardware Types to MAC addresses • www.cavebear.com/CaveBear/Ethernet/vendor.html • Proxy Servers available to the Public • www.proxys4all.com • List of Defaced Web sites • www.attrition.org • List of HTTP status codes • www.w3.org/Protocols/HTTP/HTRESP.html • File Formats and Header Specifications • www.wotsit.org

  35. McAfee Visual Trace Hostile Activity From China

  36. Summary Lots of free lunches out there when it comes to forensic tools and utilities…do some research!

More Related