DATA64-linux Forensics

Linux Forensics

Understanding basics of linux as a forensic tool

[*] by Catalyst

Content

Linux Basics

Linux Command line

SANS Investigate Forensic Toolkit

Linux and Forensics [SIFT]

Forensic Tools

Md5deep.

Bless Hex Editor

Digital Forensic Toolkit

Linux Basics 1969 ,C and Unix OS .

GNU ?

1991 , Linus Torvalds Contribution of Kernel names Linux.

GNOME , KDE , XFCE .

SIFT SANS Investigation Forensic Tool.

Based on Ubuntu.

Free to Use. [GPL licensed]

Preconfigured tools to perform forensics.

TOOLSAutopsyDFF – Digital Forensic FrameworkBless Hex EditorEVTX – Event Log ViewerMaltegoPTKMd5deepSANS CheatsheetsVolatility

Linux and Forensics Built in Forensics Tools in SIFT

SANS Investigation Forensic Toolkit

dd command used to copy from an input file or device to an output file or device. Simple bit stream structure

Grep search files (or multiple files) for instances of an expression or pattern. imaging

Sfdisk and fdisk used to determine the disk

Md5sum and sha1sum create and store an MD5 or SHA hash of a file or list of files (including devices).

File reads a file’s header information in an attempt to ascertain its type, regardless of name or extension.

Xxd command line hex dump tool. For viewing a file in hex mode.

Md5deep Command line Utility.

Used for Calculating Hashes.

Comparing Hashes.

Recursive operation compute the MD5 for every file in a directory and for every file in every subdirectory.

Piecewise hashing .

File type mode

Bless Hex Editor Bless is a high quality, full featured hex editor.

It is written in mono/Gtk# and its primary platform is GNU/Linux.

features: Efficient editing of large data files and block devices.

Multilevel undo - redo operations.

Customizable data views.

Fast data rendering on screen.

Multiple tabs.

Fast find and replace operations.

A data conversion table.

Advanced copy/paste capabilities.

Highlighting of selection pattern matches in the file.

Plugin based architecture.

Export of data to text and html (others with plugins).

Bitwise operations on data.

A comprehensive user manual.

Bless Hex EditorOpen Bless

MenubarThe menus on the menubar contain all of the commands you need to work with files in Bless.

ToolbarProvides shortcuts to the commands that are most frequently used when working with files in Bless.

Data ViewThe data view contains multiple tabs that display the data of the files you are editing.

Conversion TableThe conversion table displays the bytes at the current file position converted to various formats.

StatusbarThe statusbar displays information about current Bless activity and information about the current file.

Bless filename

Bless Hex EditorOffset Area: Displays the offset of the first byte at the specified row.

Separator Area: Displays a vertical separator line.

Hexadecimal Area: Displays the data in hexadecimal number base.

Decimal Area: Displays the data in decimal number base.

Octal Area: Displays the data in octal number base.

Binary Area: Displays the data in binary number base.

Ascii Area: Displays the data as Ascii text.

Selecting the active area

At any time only one of the areas accepts and handles editing events.

This area is said to have the focus.

All areas except Offset and Separator may have the focus.

The cursor in the focused area consists of a horizontal line under the current byte and a vertical line just before the active digit of the current byte.

Bless Hex Editor

Editing a file

Moving the cursor to a specific positionGo to Offset Bar use: Search → Go to Offset (Ctrl+G).

Selecting a range of dataTo access the Select Range Bar use: Edit → Select Range (Ctrl+Shift+R).

Searching in filesTo access the Search Bar use Search → Find (Ctrl+F).

Bless Hex Editor

Replacing in filesTo access the Replace Bar use Search → Replace (Ctrl+R).

Exporting DataIt can currently export data to text or html files.

Bless Hex Editor

Performing bitwise operationsTo access the Bitwise Operations Bar use Tools → Bitwise Operations (Ctrl+B).

Bless Hex Editor

• AND• OR • XOR• NOT

Digital Forensics Framework [DFF]

Digital investigation tool and a development platform.

Written in Python and C++.

Extracts, analyzes and correlates data of different files from data acquisition on digital media, such as hard disk drives, RAM or cell phones memory.

It can also be used to recover deleted data.

launch DFF

clicking on DFF icon. Launching the command:

dff.py -g

Application To0lbar

Project browser

Tree View Area Data display area Data attributes area

DFF Shell Python shell

Modules are used to perform a specific kind of tasks.

module can take several input parameters

Modules

• The path to a file, node or

directory.

• The type of file to analyze.

• Options specific to the module or

to the type of the analyzed data.

AUTOPSY GUI front end for the Sleuthkit.

Opensource

Forensic Browser

Analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3, etc.).

Autopsy 3 is Java-based and designed to be an end-to-end platform for digital forensics.

AUTOPSY

Autopsy Browser

open a new case by clicking “New Case.

AUTOPSY

Give the location of the forensic image:

AUTOPSY

calculate MD5 hashes, also using Autopsy:

AUTOPSY

Autopsy lists all of the file system details and the mmls tool (command line) output for us:

AUTOPSY

click on “Analyze.”

AUTOPSY

AUTOPSYAnalyze the desired partition.