Seculabs eBook - Digital Forensic Tools and Analysis in Backtrack OS

7/29/2019 Seculabs eBook - Digital Forensic Tools and Analysis in Backtrack OS http://slidepdf.com/reader/full/seculabs-ebook-digital-forensic-tools-and-analysis-in-backtrack-os 1/20


SECUGENIUS SECURITY SOLUTIONS

--------------------------------------------------------------------------------------

(A UNIT OF HARKSH TECHNOLOGIES PVT. LTD)

Company Profile:

Secugenius Security Solutions is a student entrepreneurial company started by two social student entrepreneurs in 2010 with an aim to make our country cyber-crime free. We at SECUGENIUS are headquartered at Ludhiana, the Manchester of Punjab. The main activities of Secugenius Security Solutions are providing training in Information Security and various professional courses. Secugenius Security Solutions is an organization which believes in inventing and implementing new ideas to influence the technological minds of youngsters.

Looking at the number of cyber crimes over the last many years, we at Secugenius Security Solutions provide training on Ethical Hacking & Cyber Security to students, IT professionals, bank employees and police officials.

Secugenius conducts workshops in all parts of the country in various colleges and institutions for the benefit of the students, making them aware of the latest trends in the technological era of the computer age. We believe in spreading knowledge to all the youngsters and growing minds of the nation so that they can serve the nation with the right skill-sets in the field of Cyber Crime Investigation & Forensic Sciences.

Secugenius provides various security solutions to its clients by securing their websites from cyber attacks. We provide training to college students, graduates and professionals in various fields. Education is delivered to students through two modes, i.e. regular mode and distance mode, which are available as short-term and long-term courses.

In the workshops conducted by Secugenius, participants are trained by highly experienced and skilled corporate trainers from different parts of the nation. We believe in making the base of students as strong as possible. All the modules have been designed to provide students with specialized knowledge from specialized trainers.

This library was furnished, managed and funded by the Founders and Directors of Secugenius, Er. Harpreet Khattar & Er. Kshitij Adhlakha. The overall resource person for the content of this Digital Library series is Er. Chetan Soni - Sr. Security Specialist, Secugenius Security Solutions.

This Online Digital Library has been initiated as a free and permanent resource, organized by specialization, for every student of Team Secugenius.


Digital Forensics – Analysis and Tools in BT5

Product ID No: SG/ODL/13030

Founder & Director: Harpreet Khattar & Kshitij Adhlakha

Resource Person: Chetan Soni & Loveleen Arora

Secugenius Security Solutions 

SCO-13A, Model Town Extn, Near Krishna Mandir,

Ludhiana-141002, Punjab – India

[email protected], [email protected]

www.secugenius.com, www.seculabs.in


What is Digital Forensics?

It is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime.

It has a variety of applications. The technical aspect of an investigation is divided into several sub-branches, relating to the type of digital devices involved: Computer Forensics, Network Forensics, Database Forensics, Mobile Device Forensics, Imaging and Analysis, etc.

Step 1 –

Here, we perform a simple digital forensic analysis on an image of a floppy disk. You can download this floppy disk image from the link given below.

http://linuxleo.com/Files/practical.floppy.dd


So we will use the Backtrack operating system, because various forensic tools are already installed in it.

Basic Forensic Linux Tools –

Linux comes with some basic forensic analysis tools:

dd – A tool used to clone a file, a disk partition, or even an entire disk.

sfdisk and fdisk – These tools are used to see the entire disk structure of the computer.

grep – Used together with other Linux commands such as ls, less or more; the output will only show the lines that match the pattern given to grep.

loop device – Allows us to mount an image without having to write the image back to a disk.

md5sum and sha1sum – These tools create an MD5 or SHA-1 hash of a file and are also used to verify that the evidence is still intact and valid for use.

file – A tool used to find out the type of a file. This command analyzes the header information of a file and then matches it against its own database.

xxd – A tool used to view a file in hex mode.

For more information about any tool or command, just type "man" followed by the command name in the terminal.


Step 2 –

Organizing the evidence is very important; you don't want the evidence to be mixed with other files, right?

That would be a big problem, because the data or the metadata of the evidence would be changed. And, guess what? That would make the evidence useless, because it would no longer be considered valid evidence.

So we need to make a special directory for organizing the evidence:

root@bt:~# mkdir evidence
root@bt:~# mkdir /mnt/analysis

You can create the directory in any place you like.

Step 3 –

Now copy the floppy disk image file from the download location into the "evidence" directory you just made:

root@bt:~# cp -rf practical.floppy.dd evidence/


Step 4 –

Change the directory by typing "cd evidence".

Now it's time to create a forensic image of the evidence. We can make an identical copy of a file using the dd command.

You could also use the cp command, but in this case we use dd, because cp does not copy the file bit by bit, while dd performs a bit-by-bit copy; this makes sure that the copied file is 100% identical to the original.

First of all, you must record the hash of the evidence by typing this command:

root@bt:~/evidence# md5sum practical.floppy.dd


Step 5 –

Now type this command to copy it:

root@bt:~/evidence# dd if=practical.floppy.dd of=evidence.floppy

After that we must check the hash of the output evidence and compare it with the hash of the original evidence. The hashes must be identical.

Now check the hash of the evidence.floppy file by typing this command:

root@bt:~/evidence# md5sum evidence.floppy

As you can see, the original (practical.floppy.dd) and the clone (evidence.floppy) have the same hash. This means that the evidence duplication was a success.


Step 6 –

After that we must secure both copies of the evidence by making them read-only:

root@bt:~/evidence# chmod 444 practical.floppy.dd
root@bt:~/evidence# chmod 444 evidence.floppy

Step 7 –

To mount an image, we can use the "mount" command:

root@bt:~/evidence# mount -t vfat -o ro,noexec,loop evidence.floppy /mnt/analysis

This command will mount the image on the /mnt/analysis directory.

Where -o ro,noexec,loop means: -o introduces the options, ro mounts the image read-only, noexec prevents the execution of binaries from the disk, and loop means we use the loop device to mount the image.

And here's the directory listing,


Step 8 –

Now again we must make sure that the hash of the evidence before and after the investigation is still the same.

root@bt:/mnt/analysis# md5sum *.*

*.* is a wildcard; it makes md5sum run on all matching files in the current directory.

But this is not effective (it misses files in subdirectories and files without a dot in their name), so we use this command instead:

root@bt:/mnt/analysis# find . -type f -exec md5sum {} \; > ~/evidence/md5.list

This command searches for all files starting from the current directory, runs md5sum on every file found, and redirects the output to a file named md5.list in our evidence directory.


Here are the contents of the file.


Step 9 –

To make it easier to check whether any hash has changed, we can run md5sum with the -c option followed by the list we generated before.

If a hash matches, md5sum prints OK for that file; otherwise it prints FAILED.
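Steps 4 to 9 above, written as reusable shell functions; this is an added example, not the eBook's own material. It assumes GNU coreutils (dd, md5sum --status), root for mount_image, and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the eBook: Steps 4-9 as shell functions.
# Assumes GNU coreutils (dd, md5sum --status); mount_image needs root.

# Steps 4-6: hash the original, clone it with dd, refuse to continue unless
# the clone's MD5 equals the original's, then make both files read-only.
# Prints the shared hash on success; returns 1 if duplication failed.
acquire_image() {                      # $1 = original image, $2 = clone
    orig_hash=$(md5sum "$1" | cut -d' ' -f1)
    dd if="$1" of="$2" bs=512 2>/dev/null || return 1
    copy_hash=$(md5sum "$2" | cut -d' ' -f1)
    [ "$orig_hash" = "$copy_hash" ] || return 1
    chmod 444 "$1" "$2"
    echo "$orig_hash"
}

# Step 7: mount the clone read-only through a loop device, no execution,
# no writes, e.g.  mount_image evidence.floppy /mnt/analysis
mount_image() {                        # $1 = clone, $2 = mount point
    mount -t vfat -o ro,noexec,loop "$1" "$2"
}

# Step 8: one MD5 per file under the mount point, saved OUTSIDE the mount.
# The list path is made absolute so the cd below cannot break it.
hash_tree() {                          # $1 = mount point, $2 = list file
    list="$(cd "$(dirname "$2")" && pwd)/$(basename "$2")"
    ( cd "$1" && find . -type f -exec md5sum {} \; ) > "$list"
}

# Step 9: md5sum -c against the saved list; exit status 0 means every file
# still matches, non-zero means at least one entry would print FAILED.
verify_tree() {                        # $1 = mount point, $2 = list file
    list="$(cd "$(dirname "$2")" && pwd)/$(basename "$2")"
    ( cd "$1" && md5sum -c --status "$list" )
}
```

Run verify_tree at the end of the examination as well as at the start; a non-zero exit status is the signal that the mounted evidence was altered.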


Step 10 –

To view the contents of the disk, we use this command:

root@bt:/mnt/analysis# ls -l

To be more thorough, we use this command:

root@bt:/mnt/analysis# ls -alR | less

This command shows us all files including the hidden ones (a), in the long format (l), recursively through all directories (R).

Then, to make it more comfortable to read, we pipe (|) it through the "less" command. Press "q" to quit the paging session.


And here's the output,

Step 11 –

To make a detailed list of all files on the disk, we use this command (the i option adds inode numbers, and t together with u sorts the entries by access time):

root@bt:/mnt/analysis# ls -laiRtu > ~/evidence/access_file.list

We can also get a list of the files, one per line, using the find command:

root@bt:/mnt/analysis# find . -type f > ~/evidence/file.list2


Step 12 –

To display the structure of the files, we can use the "tree" command.


Step 13 –

Now, to find only files with the jpg extension, we use this command:

root@bt:/mnt/analysis# grep -i jpg ~/evidence/file.list2

root@bt:/mnt/analysis# grep -i doc ~/evidence/file.list2

The "-i" option makes grep case insensitive.

Step 14 –

Now we must get a list of all file types on the disk. To do that, the "file" command will help us.


Step 15 –

To check all file types, execute this command:

root@bt:/mnt/analysis# find . -type f -exec file {} \; > ~/evidence/filetype.list

That command finds all files, runs the "file" command on each one, and saves the output to "filetype.list".

Here's the output,

To be more specific, we use the grep command:

root@bt:/mnt/analysis# grep image ~/evidence/filetype.list


Step 16 –

There is also an alternative command for viewing unknown files.

Step 17 –

Don't forget to unmount the image first (change out of /mnt/analysis before doing so, otherwise umount reports the device as busy):

root@bt:~# umount /mnt/analysis

Now create a list of keywords to search for in the evidence.

For example, we use three keywords: "ransom", "$50,000" and "unleash a virus". These are some keywords and a phrase that we have decided to use from the original letter received.

Make sure that each string you want to search for is on a separate line, and that there are no blank lines (an empty pattern line would match everything).


Step 18 –

Now execute the grep command:

root@bt:~/evidence# grep -abif search.txt practical.floppy.dd > hits.txt

The "-a" option tells grep to process the file as if it were text, even if it is binary.

The "-i" option tells grep to ignore upper and lower case (case insensitive).

And the "-b" option tells grep to give us the byte offset of each hit. ("-f search.txt" reads the patterns from the keyword file.)

Let's open the hits.txt file by typing "cat hits.txt".


Step 19 –

Now we use xxd to display the data found at each byte offset. xxd is a command-line hex dump tool, useful for examining files.

root@bt:~/evidence# xxd -s 75441 practical.floppy.dd | less

Here's the output of the command,
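Steps 17 to 19 as shell functions, added here as an example and not part of the eBook. The second function adds the -o option, which the eBook does not use, because on a raw image the -b offset of a "line" can be far from the keyword itself; file names are placeholders and the dump falls back to od where xxd is not installed.

```shell
#!/bin/sh
# Added example, not from the eBook: Steps 17-19 as shell functions.

# Step 18 as written: -a treat binary as text, -b print byte offset,
# -i ignore case, -f read the patterns from a file. Prints one offset per
# matching "line". Caveat: -b reports where the LINE starts, and in a raw
# image a "line" is everything since the previous newline byte, so the
# keyword itself may sit thousands of bytes after the printed offset.
line_offsets() {           # $1 = keyword file, $2 = image
    grep -abif "$1" "$2" | cut -d: -f1
}

# Adding -o makes grep print each match by itself, and -b then reports the
# offset of the match, which is the number xxd -s needs in Step 19.
match_offsets() {          # $1 = keyword file, $2 = image; "offset:text"
    grep -abiof "$1" "$2"
}

# Step 19: hex dump of $3 bytes starting at byte offset $2 of image $1
# (xxd if available, otherwise od with a decimal address column).
dump_at() {
    if command -v xxd >/dev/null 2>&1; then
        xxd -s "$2" -l "$3" "$1"
    else
        od -A d -t x1z -j "$2" -N "$3" "$1"
    fi
}
```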