Tool Names: 1. VISION 2. PASCO 3. GALLETA


Page 1: Tool Names: 1. VISION 2. PASCO 3. GALLETA

Tool Names:
1. VISION
2. PASCO
3. GALLETA

Page 2

Tool 1

VISION

Page 3

UTSA IS 6353 Incident Response

Overview

• Tool Description
• Where You Can Find it
• Applicability to Forensics
• Tool Use/Screen Views
• Observations
• Lessons Learned

Page 4

Technical Description: VISION

• This tool provides the following:
– Shows all of the open TCP and UDP ports on a machine.
– Displays the service that is active on each port.
– Maps the ports to their respective applications.
– A large amount of supplementary information that is useful for determining host status: detailed system information, the applications running, and the processes and ports in use.

Page 5

Where to Find the Tools

• www.foundstone.com
• Featured in the free tools.
• Information about Vision provided at www.foundstone.com/resources/proddesc/vision.htm

Page 6

How The Tool Supports Forensics

• Vision supports live analysis on a host.
• Vision is a host-based forensic utility.
• It allows a forensic investigator to interrogate ports and identify potential “Trojan” services.
• This tool supports “Incident Response” more than “Forensic Analysis”.

Page 7

Tool Use

• Vision is a Windows GUI-based application.
• After launching, the application runs in the background and is located in the system tray.
• The interval for “Auto-Refresh” can be specified in the options.
• Vision can be used to log all the entries into a CSV file.

Page 8

Basic Menu Screen View

Pages 9 to 12: screen views (images not included in the transcript)
Page 13

Observations

• Easy to download
• Easy to install (Windows Installer and easy configuration)
• Free tool
• Easy-to-use navigation menus. Sub-menus can collapse and expand. A single view can represent a LOT of information.

Page 14

Lessons Learned

• Doesn’t work on Windows 98 or Me
• Requires ‘psapi.dll’ on Windows NT.
• Single comprehensive tool which performs the functions of tools like ‘fport’ and ‘pstools’.
• The CSV log file can be a good resource for future reference.
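The port-to-application mapping and CSV logging that Vision performs can be reproduced from two command outputs a responder already has on a Windows host. The Python script below is an added example, not part of the original slides and not Foundstone's code: it joins constructed `netstat -ano` and `tasklist /fo csv` samples into one table (the view Vision shows), writes that table as CSV (Vision's log), and diffs the current listeners against an earlier snapshot so that a newly appeared listening socket, the “potential Trojan service” case from page 6, stands out. The sample outputs and the helper names (`parse_netstat`, `map_ports_to_processes`, `new_listeners`, `to_csv`) are all constructed for this illustration.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49712     93.184.216.34:443      ESTABLISHED     2384
  UDP    0.0.0.0:5353           *:*                                    1744
"""

# Constructed sample of `tasklist /fo csv` output from the same (fictional) host.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","912","Services","0","12,345 K"
"System","4","Services","0","1,200 K"
"chrome.exe","2384","Console","1","230,000 K"
"mDNSResponder.exe","1744","Services","0","4,000 K"
"""


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    rows = csv.DictReader(io.StringIO(text))
    return {int(r["PID"]): r["Image Name"] for r in rows}


def parse_netstat(text):
    """Parse `netstat -ano` lines into dicts; UDP lines carry no State column."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""
        pid = int(parts[-1])
        host, port = local.rsplit(":", 1)  # rsplit keeps IPv6 addresses intact
        sockets.append({"proto": proto, "local": host, "port": int(port),
                        "foreign": foreign, "state": state, "pid": pid})
    return sockets


def map_ports_to_processes(netstat_text, tasklist_text):
    """Join the socket table with the process table: Vision's port/application view."""
    names = parse_tasklist(tasklist_text)
    return [dict(s, process=names.get(s["pid"], "<unknown>"))
            for s in parse_netstat(netstat_text)]


def listeners(records):
    """Sockets that accept input: TCP sockets in LISTENING plus every bound UDP socket."""
    return {(r["proto"], r["port"], r["process"]) for r in records
            if r["proto"] == "UDP" or r["state"] == "LISTENING"}


def new_listeners(baseline_records, current_records):
    """Listeners present now but absent from a known-good snapshot of the same host."""
    return sorted(listeners(current_records) - listeners(baseline_records))


def to_csv(records):
    """Render the joined table as CSV text, the equivalent of Vision's CSV log."""
    buf = io.StringIO()
    fields = ["proto", "local", "port", "foreign", "state", "pid", "process"]
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    current = map_ports_to_processes(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    print(to_csv(current))
    baseline = [r for r in current if r["port"] != 5353]  # pretend 5353 is new
    print("new listeners since baseline:", new_listeners(baseline, current))
```

Keeping the CSV from a known-clean state of the host is what makes the diff useful: `new_listeners` compares (protocol, port, process) triples, so a familiar port bound by an unfamiliar image is reported just as a brand-new port is.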

Page 15

Tool 2

PASCO

Page 16

Technical Description of Pasco

• This tool provides the following:
– Command line utility that parses information in the IE activity files (index.dat).
– Index.dat files are in binary form and special tools, like Pasco, are required to view them.
– Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.

Page 17

Technical Description of Pasco

– Relevant fields in the index.dat header:

Field Length: contains the length of the index.dat file
Hash Table Offset: contains the offset (in bytes) of the beginning of the HASH table
Cache Directories: contains the directories where the files that make up the content of the cache are stored

Page 18

How Pasco Supports Forensics

• This tool supports off-line analysis.
• Allows a forensic investigator to reconstruct a subject’s web browsing habits.
• Provides evidentiary material for abuse of corporate internet usage policies, pornographic content, and other illegal activities.

Page 19

Where to Find Pasco

• On the web – free utility – www.foundstone.com
• Loaded in my directory – D:\Pasco

Page 20

Tool Use

• For Windows, you must first install CYGWIN – a Linux-like environment for Windows.
– Cygwin can be found at http://sources.redhat.com/cygwin/
• Download and install Pasco from the Foundstone site.
• Search for index.dat files on the system and copy them into D:\pasco\bin.

Page 21

Tool Use

• For Windows XP, the index.dat files can be found at these locations (or do a search):

TIF Index: \Documents and Settings\<user name>\Local Settings\Temporary Internet Files\Content.IE5\
Cookies Index: \Documents and Settings\<user name>\Cookies\
History Index: \Documents and Settings\<user name>\Local Settings\History\History.IE5\

Page 22

Tool Use

• Pasco usage: pasco [options] <index.dat file to be parsed> > <output file.txt>

Options:
-d Undelete Activity Records
-t Field Delimiter (TAB by default)

Page 23

Tool Use

• Command line
– Execute default mode of Pasco
• $ ./pasco tif.dat > tif.txt
(Parse the index.dat file and output the result to a text file)
– Execute undeletion mode of Pasco
• $ ./pasco -d -t , tif.dat > tifdtoptions.txt

Page 24

Typical command line usage of Pasco. (screen view)

Page 25

Text file output from Pasco. (screen view)

Page 26

Text file output from Pasco exported into a spreadsheet for further analysis. (screen view)

Page 27

Observations

• Easy to download – small download – 460 KB zipped file
• Easy to install – for Windows you must first install CYGWIN
• Simple command line use – only two options available
• Can be used to parse cookies and history index.dat files as well
• White paper available for an in-depth technical approach to Pasco development – http://www.foundstone.com/pdf/wp_index_dat.pdf

Page 28

Lessons Learned

• Works better when the index.dat file is copied into the directory where Pasco is located.
• Run both default and undeletion mode to make sure no entries are missed.
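To make the header fields from page 17 and the two run modes from pages 23 and 28 concrete, here is an added Python example; it is not Pasco's code and not from the slides. It builds a small constructed index.dat-like file, reads the file length, hash table offset and cache directories from the header, and then extracts URL records two ways: by following the hash table (what the default mode relies on) and by scanning every 128-byte block for a record signature (what the undelete mode adds). The field offsets, block size and hash-table slot layout are modelled on my understanding of the IE5 “Client UrlCache MMF” format and should be treated as assumptions; the third record is deliberately left out of the hash table to show why running both modes matters.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout of the constructed file (assumptions modelled on the IE5 format):
#   0x00 signature, 0x1C file length, 0x20 hash-table offset, 0x4C directory count,
#   0x50 directory entries of 12 bytes (u32 file count + 8-char name);
#   hash tables and records are allocated in 128-byte blocks.
SIGNATURE = b"Client UrlCache MMF Ver 5.2\x00"
BLOCK = 128


def filetime_to_iso(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601 string."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(microseconds=ft // 10)).isoformat()


def _url_record(url, ts):
    """Build one 'URL ' activity record spanning two blocks (constructed layout)."""
    rec = bytearray(2 * BLOCK)
    rec[0:4] = b"URL "
    struct.pack_into("<I", rec, 0x04, 2)          # record length in blocks
    struct.pack_into("<QQ", rec, 0x08, ts, ts)    # modified / accessed FILETIMEs
    struct.pack_into("<I", rec, 0x34, 0x68)       # offset of the URL string in the record
    rec[0x68:0x68 + len(url)] = url.encode()      # NUL-terminated by the zero padding
    return bytes(rec)


def build_sample():
    """Constructed index.dat: three records, only two of them linked from the hash table."""
    header = bytearray(2 * BLOCK)
    header[:len(SIGNATURE)] = SIGNATURE
    dirs = [("ABCD1234", 12), ("WXYZ5678", 7)]   # cache directory name, file count
    struct.pack_into("<I", header, 0x4C, len(dirs))
    for i, (name, count) in enumerate(dirs):
        struct.pack_into("<I8s", header, 0x50 + 12 * i, count, name.encode())
    hash_off = len(header)
    struct.pack_into("<I", header, 0x20, hash_off)
    table = bytearray(BLOCK)
    table[0:4] = b"HASH"
    struct.pack_into("<II", table, 0x04, 1, 0)    # length in blocks, next table (none)
    ts = 132223104000000000                       # FILETIME for 2020-01-01T00:00:00Z
    urls = ["http://example.com/", "http://example.org/a", "http://example.net/gone"]
    body, offsets = bytearray(), []
    for url in urls:
        offsets.append(hash_off + BLOCK + len(body))
        body += _url_record(url, ts)
    for i, off in enumerate(offsets[:2]):         # third record left unlinked ("deleted")
        struct.pack_into("<II", table, 0x10 + 8 * i, 0xABCD0000 + i, off)
    data = header + table + body
    struct.pack_into("<I", data, 0x1C, len(data))
    return bytes(data)


def parse_header(data):
    """Return (file length, hash-table offset, [(directory name, file count), ...])."""
    if not data.startswith(b"Client UrlCache MMF"):
        raise ValueError("not an index.dat file")
    file_len, hash_off = struct.unpack_from("<II", data, 0x1C)
    n_dirs = struct.unpack_from("<I", data, 0x4C)[0]
    dirs = []
    for i in range(n_dirs):
        count, name = struct.unpack_from("<I8s", data, 0x50 + 12 * i)
        dirs.append((name.rstrip(b"\x00").decode("ascii"), count))
    return file_len, hash_off, dirs


def parse_record(data, off):
    """Decode the 'URL ' record at off, or return None if no record starts there."""
    if data[off:off + 4] != b"URL ":
        return None
    nblocks = struct.unpack_from("<I", data, off + 4)[0]
    end = off + nblocks * BLOCK
    modified, accessed = struct.unpack_from("<QQ", data, off + 8)
    url_off = struct.unpack_from("<I", data, off + 0x34)[0]
    url = data[off + url_off:end].split(b"\x00", 1)[0].decode("latin-1")
    return {"offset": off, "url": url,
            "modified": filetime_to_iso(modified), "accessed": filetime_to_iso(accessed)}


def records_from_hash_table(data, hash_off):
    """Default mode: follow the hash-table chain to the records it still references."""
    found = []
    while hash_off:
        if data[hash_off:hash_off + 4] != b"HASH":
            raise ValueError("bad hash table at 0x%x" % hash_off)
        nblocks, next_off = struct.unpack_from("<II", data, hash_off + 4)
        for pos in range(hash_off + 0x10, hash_off + nblocks * BLOCK, 8):
            _hash, rec_off = struct.unpack_from("<II", data, pos)
            if rec_off < BLOCK:        # empty slot (constructed convention)
                continue
            rec = parse_record(data, rec_off)
            if rec:
                found.append(rec)
        hash_off = next_off
    return found


def carve_records(data):
    """Undelete mode: scan every block boundary for a record signature."""
    return [r for off in range(0, len(data), BLOCK) if (r := parse_record(data, off))]


def unlinked_records(data):
    """Records that carving finds but the hash table no longer references."""
    linked = {r["offset"] for r in records_from_hash_table(data, parse_header(data)[1])}
    return [r for r in carve_records(data) if r["offset"] not in linked]
```

On the constructed file the hash-table walk returns two URLs while the block scan returns three; `unlinked_records` is the difference, which is exactly the set of entries the page 28 lesson warns would be missed by running only the default mode.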

Page 29

Tool 3

GALLETA

Page 30

Technical Description: Galleta

• Galleta provides the following:
– Internet cookie analysis utility
• Parses the contents of a Windows cookie file and outputs the result to a tab-delimited file
– Small download (<500 KB)
– Requires CYGWIN to run
• UNIX Bash Shell

Page 31

Where to Find the Tools

• CYGWIN installs to the root directory – www.cygwin.com – large download (6.5 MB) – install from Internet
• Galleta installs in the Program Files directory or wherever you put it – www.foundstone.com/resources/proddesc/galleta.html

Page 32

How The Tool Supports Forensics

• Galleta supports off-line analysis – tedious, cumbersome
• Recovers the contents of a single Internet cookie file
• Allows the investigator to categorize and/or sort cookies within Excel

Page 33

Tool Use

• Start CYGWIN – Start > All Programs > CYGWIN > CYGWIN Bash Shell
• Change directories to the location where the Internet cookies are
– Put the Galleta executable file in this same directory
• From the UNIX prompt in CYGWIN type:
– ./galleta cookiename.txt > newname.txt
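The cookie file layout that Galleta parses can be handled in a few lines; the script below is an added example written for this page, not Galleta's code and not from the slides. It reads a constructed IE cookie file in which each cookie is nine lines (name, value, site/path, flags, the two 32-bit halves of the expiry FILETIME, the two halves of the creation FILETIME, and a `*` terminator; that layout is my understanding of the format and is an assumption here), converts the FILETIMEs to ISO dates, and emits the kind of tab-delimited table that the slides then sort in Excel. A truncated record is reported rather than silently skipped, and `cookies_for_site` does the per-site filtering that page 38 suggests doing with a second tool.

```python
from datetime import datetime, timedelta, timezone

# Constructed IE cookie file (no real user's data). Each cookie is nine lines:
# name, value, site/path, flags, expiry FILETIME low, expiry high,
# creation low, creation high, "*" (layout assumed; see lead-in).
SAMPLE_COOKIE_FILE = """\
sessionid
a1b2c3d4
example.com/
1536
1761935360
30785590
1761935360
30785590
*
prefs
lang=en
example.org/account/
2048
1761935360
30785590
1761935360
30785590
*
"""


def filetime_to_iso(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601 string."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(microseconds=ft // 10)).isoformat()


def parse_cookie_file(text):
    """Split a cookie file into records; raise on a record with the wrong line count."""
    cookies, record = [], []
    for line in text.splitlines():
        if line != "*":
            record.append(line)
            continue
        if len(record) != 8:
            raise ValueError("malformed cookie record: %r" % record)
        name, value, site, flags, exp_lo, exp_hi, cre_lo, cre_hi = record
        expires = (int(exp_hi) << 32) | int(exp_lo)   # reassemble the 64-bit FILETIME
        created = (int(cre_hi) << 32) | int(cre_lo)
        cookies.append({"site": site, "variable": name, "value": value,
                        "creation_time": filetime_to_iso(created),
                        "expire_time": filetime_to_iso(expires),
                        "flags": int(flags)})
        record = []
    if record:
        raise ValueError("trailing partial record: %r" % record)
    return cookies


def to_delimited(cookies, delimiter="\t"):
    """Header row plus one row per cookie, tab-delimited like Galleta's output."""
    fields = ["site", "variable", "value", "creation_time", "expire_time", "flags"]
    lines = [delimiter.join(f.upper() for f in fields)]
    for c in cookies:
        lines.append(delimiter.join(str(c[f]) for f in fields))
    return "\n".join(lines) + "\n"


def cookies_for_site(cookies, needle):
    """Keep cookies whose site/path contains the substring (the filter step done in Excel)."""
    return [c for c in cookies if needle in c["site"]]


if __name__ == "__main__":
    print(to_delimited(parse_cookie_file(SAMPLE_COOKIE_FILE)), end="")
```

The expiry and creation values in the sample decode to 2020-01-01T00:00:00 UTC; because the file stores each FILETIME as two decimal halves, reading them as plain integers without the shift is the usual mistake when re-implementing this parser.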

Pages 34 to 36: screen views (images not included in the transcript)

Page 37

Observations

• Easy to download
• Easy to install
• Command line use was cryptic depending on level of experience
• No help support
• Don’t forget to download CYGWIN
• Very labor intensive

Page 38

Lessons Learned

• Watch out for the location of the Galleta executable
• UNIX tool that works in Windows via CYGWIN
• Best used in conjunction with a string search utility (Pasco) to isolate questionable cookies