Avoiding Atrophy Forensics
Computer Forensics using Linux and Freely Available Tools
Author: aaforensics (http://www.blogger.com/profile/17855199358804497672)
Feed last updated: 2024-03-21

Command Line FTK Imager (published 2017-09-26, updated 2018-03-13)
FTK Imager has been around for years, but it wasn't until recently that AccessData released a break-out version for use on the command line for the general public. Or maybe I was just unaware of it. They've made these command line tools freely available to the general public as well as multi-platform (Windows, Debian, Red Hat, and Mac OS). Technically, these aren't open source;

Windows Registry and Registry Artifacts (published 2015-07-30)
During the next few minutes I will explain the Windows Registry and why it's important to us. I'd like to start by saying that each version of the Windows operating system varies. An entry that exists in Windows XP may not exist in Windows Vista but appear again in Windows 7; however, the majority of these entries will exist in one form or another. Despite the

Linux Machine Preparation (published 2014-10-25, updated 2015-07-28)
The purpose of this post is to provide a basic (though incomplete) guide to preparing a Debian-based machine to perform very basic forensic analysis of other computers and electronic devices. It is quite possible that this will be modified multiple times over the duration of this blog.
First things first, you will need a computer or virtual machine running 64-bit Debian, Ubuntu, or some

File Carving with PhotoRec (published 2014-08-02)
This post relies on an understanding of information from a previous post that can be found here. The purpose of this post is to discuss file carving (in the general sense) and then specifically the PhotoRec tool. Some things I won't be discussing are Foremost and Scalpel, two other tools commonly used for file carving (I gotta leave some information for later), or file and RAM

Disk Restoration and Computer Forensics (published 2014-08-01, updated 2016-03-23)
I got a new hard drive to replace the drive in my laptop's hard drive caddy today. I wanted to copy the data from my existing drive exactly as it is to my new hard drive, and I figured this may be a good time to discuss disk restorations. It's most applicable for general IT purposes but can be very helpful for doing forensics as well.
The concept is simple: I can create a perfect

Physical Disks and Logical Volumes (published 2014-07-27, updated 2014-10-25)
At the beginning of last week I took a leap into the world of open source forensics at a new level. My goal is to complete a full case using only open source tools. As a result, more posts.
So the purpose of this post is a basic overview of how physical disks relate to logical volumes and file systems, specifically the New Technology File System (NTFS). Let's take a look at

SQLite Databases and Internet Histories (published 2014-06-24, updated 2014-07-27)
The first step in this post is to mount the evidence file for access to the file system and the contents of the drive. I have covered this topic with two different tools already. I have covered this using xmount and I have covered this using the ewfmount tool. Please reference one of these posts before continuing.
Once we have completed the final steps of mounting:
$ xmount

The Master File Table - Part 2 (published 2014-05-10, updated 2014-05-24)
In the $MFT - Part 1 post we covered the most basic information about what the $MFT is and how we can view it in hex. In this post I am going to discuss the basic architecture of the $MFT and the individual entries that it contains. The first thing we need to know is that each entry in the $MFT is 1024 bytes stored in hex. If you are unfamiliar with hex, I have written a blog

Creating a Timeline with The Sleuth Kit (published 2014-05-08, updated 2014-05-24)
The Sleuth Kit is a very powerful set of tools. When performing a forensic exam, dates and times are often the only way to prove who was behind the keyboard or to isolate the events leading up to a breach and attack. One tool that the Sleuth Kit provides us is the ability to create a timeline that we can review as a spreadsheet. We are going to be using the same E01 (

HEX - The Basics (published 2014-05-08, updated 2014-05-24)
This blog post is just an explanation of hexadecimal.
Hexadecimal, or hex, is a common way to view digital data and is directly related to the 1's and 0's that you always hear about when people discuss computer data. Hex characters include:
0 1 2 3 4 5 6 7 8 9 A B C D E or F
Each hex character represents four bits. A bit is the smallest form of digital data and is represented by

Basic XMount Use (published 2014-04-27)
The xmount command is not installed on Ubuntu by default but can be obtained from the repository.
$ xmount
The program 'xmount' is currently not installed. You can install it by typing:
sudo apt-get install xmount
$ sudo apt-get install xmount
There are a couple of commands that will help you when you aren't sure if you have a piece of software installed. You can just run the

The Master File Table - Part 1 (published 2014-04-27, updated 2014-05-08)
The New Technology File System (or NTFS) is a file system developed by Microsoft and has been the primary file system used by Microsoft Windows for quite some time. There are many files that are used to track metadata in the NTFS file system. One tool that the Sleuth Kit provides for us is the istat command. This command provides us with some really fantastic metadata

Need to see the Pictures, hear the Music, and watch the Videos? (published 2014-04-23, updated 2014-05-24)
The other posts have mostly discussed metadata (data about the data). Yeah, you could use icat to output the text of a text file or something similar, but how do you see the files the way we are used to seeing them? There are a few ways to do this, but for this post I am going to talk about mounting a volume and browsing the files.
Before we start throwing out commands, let's talk

File Systems Continued (published 2014-04-22)
To continue talking about analyzing file systems with the Sleuth Kit, we need to see some of the other commands that you may need. fsstat provides us with basic information for the file system itself and also shows the system files. It shows the Volume Serial Number. This number is generated during the creation of the volume. It is useful if you need to determine if

File System Overview (published 2014-04-18)
$ mmls -B nps-2008-jean.E01
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Size Description
00: Meta 0000000000 0000000000 0000000001 0512B Primary Table (#0)
01: -----

Continuing With Volumes (published 2014-04-15)
We are going to continue where we left off in the last post, so let's look at the partition table for the nps-2008-jean.E01 file again.
$ mmls -B nps-2008-jean.E01
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Size

Basic Volume Information (published 2014-04-13)
So let's take a look at some of the basic tools provided by the Sleuth Kit for dealing with the analysis of partitions. These tools start with "mm-" and include mmls, mmcat, and mmstat. These tools can be used on a physical disk, raw disk image, or an Expert Witness File Format (E01) disk image (even if it is not mounted). Each of these commands will provide us with some

Working with Expert Witness Format (published 2014-04-12)
For the duration of the following post we are going to be using the nps-2008-jean image file to learn a few things about working with evidence files in the (E01) Expert Witness Format. That image file can be downloaded here. You need to download both files, nps-2008-jean.E01 and nps-2008-jean.E02. The reason we need both is because they are both part of the same image.

Forensics Protocol (published 2014-04-10, updated 2016-03-09)
Let's take some time to learn about some accepted practices in computer forensics.
The question that I'm aiming to answer here is: what are the most basic steps of a forensics examination, and how do we accomplish or complete these steps successfully? Computer forensics is really quite simple. There are only three (on a most basic level) steps that must be completed: acquisition,

Basics of Computers (published 2014-04-09, updated 2014-05-24)
So I've been intending to do this for the last few days but haven't had the chance until now. This post is going to cover a very basic introduction to how computers work, along with some links to more specific information related to file system types. Now let's get started.
The first area we want to talk about is hardware. What are the main components of a computer and

An Introduction (published 2014-04-06)
This blog will be a reference and reminder for me as I begin the process of using Linux and the Sleuth Kit (TSK) to perform computer forensics. In time I would like to become proficient and comfortable enough with these tools to use them in place of current commercial tools like AccessData's Forensic Tool Kit or Guidance Software's EnCase Forensic.
It is important to note that these,