Archive for the ‘Linux’ Category

Little more on Frag_Find

Tuesday, May 18th, 2010

Since I’m really fond of this tool, I wanted to see what other uses it could have.

1: Documents that have been altered could be found. This could be totally useful if the suspect system has taken a Word document, spreadsheet, etc. and has added/deleted some parts of the document. If the analyst has the unaltered document, one could still run Frag_Find against it. Since Frag_Find reports its match as a percentage of sectors, there is still a high percentage of unaltered sectors in the altered document.

Conclusion: this worked flawlessly. I took an old-school .doc file that was about 4 pages in length, deleted a paragraph, and added a few random words here and there. I also embedded an image. Frag_Find was able to produce about 65% accuracy. What does this mean in a forensic sense? Well, a suspect could modify a stolen document, and Frag_Find will still be able to find this document even in its modified state.

2: Embedded content in documents should also be findable.

Conclusion: this didn’t work the way I had hoped. As said, I embedded a jpg image in the above document and ran Frag_Find with the jpg as the target file. I had a 0% success rate. This is unfortunate.

3: Scanning formatted media should also be possible. You could take a FAT32 USB drive that was reformatted, scan it with Frag_Find, and it “should” trace out all the sectors in allocated or unallocated space. Really useful if you intend to carve out data. Finding info on a formatted drive is MORE difficult than finding a file that was merely deleted from the allocation table.

Conclusion: worked flawlessly. I took a multi-partition (and multi-filesystem) disk, added a few files across the partitions, and then cleaned the disk. Against the image I created, Frag_Find found every file on each partition at 100%. Hence, even raw or formatted partitions are workable with Frag_Find.

Messing with Google Gears

Saturday, May 8th, 2010

Prior to my LFNW presentation, I found a nifty utility that parsed Google’s offline mail application. I tried to reuse it just a few hours prior to the presentation and it stopped working :( It worked twice for me, but now it doesn’t.

Quick hack time, which was awesome! Since my big rule is to extract the Firefox profile during imaging (and hash the files to make sure they are still the same as the suspect’s content), this also copies the Google Gears directory as well. I’ve written about importing Firefox profiles, and this is exactly the same with just a few extra steps:
1: Create a Gmail account on a dummy workstation, not your forensic station!
2: Allow offline mail and install Google Gears.
3: Disconnect from the internet so that it’s untainted by Gmail syncing.
4: Delete your Gears profile and replace it with the suspect’s Gears profile.
5: Open up the offline email (no password is required for this!).

While not 100% sound as a forensic method, this works great for letting you view email from offline Gmail. While it’s still OK to read the email from the SQLite database (which Autopsy parses nicely), this is more legible and gives some more personalization of the event if displaying to courts or lawyers…. I really want a thumbs up from the forensics community to see if there is validity in this procedure.

BIG Thanks

Sunday, April 25th, 2010

To all of those of you who went to LFNW ‘10 and to those who went to my presentation: I really appreciate the support, the laughs, and all of you who were interested. I’m also sorry if I unintentionally offended anyone.

In my defense, I am a newlywed who is very much in love with my wife. When “I” think partner, married, husband, couple, etc… I think of her and how great the past 6 months of marriage have been going. Freudian? Maybe, but I feel justified in doing so. I still do apologize if the remarks sounded sexist, or if they even brought up a possible bad relationship. We’re not all the same and I get that now just a smidge more.

Outside of this, I really had fun and hope the people did too. I hope to do another presentation at LFNW ‘11 with more great things to show!

Using FTK imager in Linux

Thursday, April 1st, 2010

I was on my Linux forensics box and was trying to analyze an E01 image in Autopsy. It didn’t work so well.
Instead of taking my images to a Windows box, I installed Wine and then ran FTK Imager Lite through it. I was able to convert the E01s to dd images with ease on the Linux box. I then tried FoxAnalysis and a few other items; all worked great.
Since Autopsy saves in a weird .RAW format, I liked using FTK Imager to extract directories such as the Firefox profiles.
So….. using FTK Imager Lite in Linux is possible for tinkering with images. It’s a nicer way to extract and convert images in my opinion.

Nautilus objects it saves

Friday, September 25th, 2009

Gnome’s main file browser, Nautilus, creates some XML files that seem to hang out in /home/user/.nautilus

If we’re using a Gnome-based desktop, pretty much anything network- or device-based touches the Desktop via its automounting. Anything saved to the desktop appears to be documented with epoch create times. Pretty nice!

DEFT Forensics Live-CD

Sunday, September 13th, 2009

I’ve been checking around for a new bootable forensics environment to use outside of Helix. Now that Helix is selling all their stuff for ungodly prices, I’d rather find something else for the time being. I’ve seen hundreds of different ones out there, and they’re pretty much all the same. They just boot into Linux, have Autopsy and disk imaging utils, and the disks are switched to read-only. I wanted something like how Helix had additional utilities for Win32 incident response.

I stumbled across DEFT, and I’m starting to get quite impressed with it already. It’s Xubuntu-based, damn fast, and has additional support for Win32 items: things like FTK Imager, FoxAnalysis, USBDeview, etc.

I’m really liking how it’s engineered and its applications. There’s a CD and a bootable USB version. It has a lot of the standard Linux apps; one I’m wanting to dig into more is Xplico, a packet capture parser and analyzer.

While I feel that this could be a great tool, I still would like to tinker around to find out if it’s worthwhile.

Epoch Time conversion

Tuesday, September 8th, 2009

I was sifting around in an imaged drive I play with and was checking out /home/USER/.cache to see if there are more items I could “discover”.

In this image I noticed that Gedit had been run and had some metadata hanging out in .cache. I took a look….

There was a simple gedit-metadata.xml that had been created.

Inside the <document> element is something that I was amazed to find: the name of the last text document I opened (I recall opening this txt).

There was also an “atime” inside the element. Googling around, I learned that ctime, atime and mtime are for created/accessed/modified. Cool, now there’s a record of when I accessed the file… BUT the format was weird.

atime="1247720990"

This is what’s called “Epoch Time”: the number of seconds that have passed since midnight of January 1, 1970 GMT.

Now, you can Google up thousands of Epoch-to-standard-time converters, snag some apps, or do the math yourself. Either way, we now have a way to make sense of these times.

I later realized that Epoch time is used quite a bit in /var/log. Items that deal with kernel activity are usually not put in standard time. Also udev seems to use Epoch time. Every distro is different, and some logging could be pure Epoch, pure standard, or a mix. Just knowing how to decode that time is worthwhile.
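The decoding described above, as an added Python example rather than anything from the original post: it pulls epoch atime values out of a gedit-metadata.xml file and also prefixes epoch-stamped lines from a mixed-format log with their UTC time. The XML layout, the sample metadata and the sample log lines are all constructed for the example, and the post's value 1247720990 decodes to 2009-07-16 05:09:50 UTC.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample in the shape the post describes: a <document> element
# carrying the file name and an epoch "atime" attribute (layout assumed).
SAMPLE_GEDIT_METADATA = """<?xml version="1.0"?>
<metadata>
  <document uri="file:///home/USER/notes.txt" atime="1247720990"/>
  <document uri="file:///home/USER/todo.txt" atime="1247807390"/>
</metadata>"""

# Constructed log lines: a kernel-style and a udev-style line stamped in
# pure epoch, plus a standard syslog line, i.e. the mix the post mentions.
SAMPLE_LOG_LINES = [
    "1247720990.123 kernel: usb 1-1: new high speed USB device",
    "1247721050 udevd[123]: device added",
    "Jul 16 05:10:00 rumble sshd[4321]: Accepted password for user",
]

def epoch_to_utc(seconds):
    """Render a Unix epoch value (seconds since 1970-01-01 UTC) as ISO 8601 UTC."""
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc).isoformat()

def gedit_access_times(xml_text):
    """Return (uri, human-readable atime) for every <document> that has an atime."""
    root = ET.fromstring(xml_text)
    return [(d.get("uri"), epoch_to_utc(d.get("atime")))
            for d in root.iter("document") if d.get("atime")]

# A ten-digit integer (optionally with fractional seconds) at the start of a
# line covers 2001-09-09 through 2286-11-20, a safe epoch heuristic for logs.
EPOCH_PREFIX = re.compile(r"^(\d{10})(?:\.\d+)?\b")

def decode_log_line(line):
    """Prefix an epoch-stamped log line with its UTC time; leave other lines untouched."""
    m = EPOCH_PREFIX.match(line)
    if not m:
        return line
    return f"[{epoch_to_utc(m.group(1))}] {line}"

if __name__ == "__main__":
    for uri, when in gedit_access_times(SAMPLE_GEDIT_METADATA):
        print(f"{when}  {uri}")
    for line in SAMPLE_LOG_LINES:
        print(decode_log_line(line))
```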

Web History: Firefox in Linux

Monday, September 7th, 2009

I’ve attempted to take Firefox’s profile directory, extract the contents to a Windows-based machine, and then use FoxAnalysis to decrypt the information present.

FoxAnalysis seems pretty decent as a browsing analysis tool for Windows machines, like WebHistorian. I ran it against my Vista machine and it was able to provide a huge amount of info… downloads, pages accessed including dates, frequency of accesses, passwords. This could make the time for analyzing a machine so much quicker and make it easier to put into a formatted report.

I took a fresh Linux box and surfed around the interweb a bit: Googled a few items, downloaded a thing or two, and various other stuff. I didn’t save any passwords (I will try that later). Steps and times were written down.

I then exported the profile out, and ran FoxAnalysis against it on my Vista machine.

Linux-based Firefox 3 profiles are able to be analyzed with FoxAnalysis with great accuracy! Searches were there, my downloads were shown, queries were present.

This is a HUGE time saver for analysis. I took that Linux box, imaged it, and initiated a case in Autopsy. The info is there, but much harder to read, making it easier to lose valuable data.

IM pidgin

Sunday, September 6th, 2009

The multi-protocol instant messenger Pidgin is fairly common on Gnome-based Linux desktop distros such as Ubuntu. I did a little digging into it and found that it contains plain-text passwords and logs that can be extracted. While we know the legalities of using those passwords cannot go beyond certain scopes (i.e. logging into email servers with those found credentials), we could add to the arsenal of found passwords for unlocking things like zip files. Chat logs can also be found. While a person can easily turn these things off, most users tend to neglect this.

/home/USER/.purple/accounts.xml is an XML file describing the accounts that are present on the machine. Passwords will be present under the password element.

/home/USER/.purple/blist.xml has a list of all associated “buddies” that the user has inherited via the IM protocol. MAC times are present. I assume modified times change when new “buddies” are added/deleted.

The /home/USER/.purple/logs directory will have separate folders for the different IM protocols used. Here is the meat of the chat logs. The big thing here is that the logs DO have timestamps on them! I’m assuming the times are local to the machine.

The format these are put in really is helpful for analysis. Everything is nicely sorted for looking at. A concern I have is that MAC times can be modified in place, rather than a new file being created each and every time a setting is altered. I would like to confirm this later when I have time.

Another confirmation that I’d like to have concerns the built-in capability to transfer files: where the files go, and how the IM client logs this information.

So… if you chat and are worried about security, don’t store passwords in Pidgin. It’s not as secure as you’d think.
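An added audit check for the point above (not code from the post or from Pidgin): it parses an accounts.xml and reports which accounts have a password saved on disk, without ever returning the secret itself, which is all an analyst's report or a user's self-check needs. The sample file is constructed, and the element layout (one child <account> per account with <protocol>, <name> and an optional <password>) is assumed from the post's description.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of ~/.purple/accounts.xml: the root element is
# also named <account>, each child <account> describes one IM login, and a
# <password> child is present only when "remember password" was ticked
# (layout assumed for this example; the secret value below is made up).
SAMPLE_ACCOUNTS_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@example.invalid/Home</name>
    <password>not-a-real-secret</password>
  </account>
  <account>
    <protocol>prpl-irc</protocol>
    <name>alice@irc.example.invalid</name>
  </account>
</account>"""

def audit_stored_passwords(xml_text):
    """List each account and whether a plain-text password is stored for it.

    The password value is deliberately never returned: a report only needs
    to show that a readable credential exists on disk, not what it is.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for acct in root.findall("account"):
        findings.append({
            "protocol": acct.findtext("protocol", default="?"),
            "name": acct.findtext("name", default="?"),
            # findtext() gives None when the element is absent and "" when empty
            "password_stored": bool(acct.findtext("password")),
        })
    return findings

def accounts_with_stored_passwords(xml_text):
    """Names of accounts whose credentials are readable by anyone holding the file."""
    return [f["name"] for f in audit_stored_passwords(xml_text) if f["password_stored"]]

if __name__ == "__main__":
    for f in audit_stored_passwords(SAMPLE_ACCOUNTS_XML):
        flag = "PLAIN-TEXT PASSWORD ON DISK" if f["password_stored"] else "no password stored"
        print(f"{f['protocol']:12} {f['name']:32} {flag}")
```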

MAC times in Linux

Wednesday, September 2nd, 2009

MAC times (Modified, Accessed, Created) are fairly important in Linux. I know a lot of forensic guys out there are like “Duh Brian, MACs are important. You don’t need to tell us that!”

/etc is full of plain-text configuration files that can give analysts a plethora of info, if we remember to check the MAC times.

Here’s a quick example:

We have an image of a suspect computer. Say it was used for some type of network attack. It was initiated by a computer named “Frenzy”.

OK….. we take a look at /etc/hostname, which is a plain-text file that holds the computer’s name. The suspect’s hostname is “Rumble” though!

Check the MAC times. You’d see that it’s been modified. Check the /var/log area too; most logging now uses the computer name. You could easily show when the machine name was altered.

Now, it can be off slightly from the install procedure (a few hours), but a few days should make analysts see that something is astray.

 

Other items to check MACs on in /etc:

timezone

sudoers

group

fstab

There’s a lot that can be found.
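The /etc check described in this post, as an added Python example that is not the post's own code: it lists the stat timestamps of the files named above under a given /etc (assumed to be a read-only mount of the suspect image) and flags any file whose modification time is more than a few days newer than the earliest one, which stands in for the install time. One caveat worth carrying into a report: on Linux filesystems the stat "ctime" is the inode change time, not a creation time, so it also moves when ownership or permissions change.

```python
import os
from datetime import datetime, timezone

# Configuration files the post singles out; extend the list as needed.
WATCHED = ["hostname", "timezone", "sudoers", "group", "fstab"]

def utc(ts):
    """Epoch seconds to ISO 8601 UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="seconds")

def mac_times(path):
    """The three stat timestamps of one file as epoch floats.
    Caveat: on Linux filesystems st_ctime is the inode *change* time, not the
    creation time, so it also moves when ownership or permissions change."""
    st = os.stat(path)
    return {"mtime": st.st_mtime, "atime": st.st_atime, "ctime": st.st_ctime}

def outliers(mtimes, slack_days=3):
    """Given {name: mtime}, return {name: days_after_baseline} for every file
    modified more than slack_days after the earliest mtime in the set, which
    stands in for the install time as the post suggests."""
    if not mtimes:
        return {}
    baseline = min(mtimes.values())
    return {name: round((t - baseline) / 86400, 2)
            for name, t in mtimes.items() if t - baseline > slack_days * 86400}

def report(etc_dir="/etc", names=WATCHED, slack_days=3):
    """M/A/C listing for the watched files under etc_dir (a mounted image's
    /etc), followed by any file modified well after the rest were installed."""
    found = {n: mac_times(os.path.join(etc_dir, n))
             for n in names if os.path.isfile(os.path.join(etc_dir, n))}
    lines = [f"{n:10} m={utc(t['mtime'])} a={utc(t['atime'])} c={utc(t['ctime'])}"
             for n, t in found.items()]
    flagged = outliers({n: t["mtime"] for n, t in found.items()}, slack_days)
    for n, days in flagged.items():
        lines.append(f"!! {n} modified {days} days after the install baseline")
    return lines

if __name__ == "__main__":
    print("\n".join(report()))
```

Run it with the image's /etc path (e.g. report("/mnt/suspect/etc")) rather than the default so you are reading the suspect's files, not your own workstation's.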