Anàlisi forense (S'ha redirigit des de: Foremost)

https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-willis-c/bh-us-03-willis.pdf

Live CDs

CAINE

• http://www.caine-live.net/

DEFT

• http://www.deftlinux.net/about/deft-license/

The F.I.R.E. Boot CD

 https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-willis-c/bh-us-03-willis.pdf

The F.I.R.E. Boot CD

Getting Started with F.I.R.E. • Boot to F.I.R.E. • F.I.R.E. can boot in X-Windows or Console mode • I prefer console (boot option 1) because there is less going on with the system • When booting to console mode, a menu is displayed • Change to another VT (Ctrl-Alt-F2) and type everything on the command line • Log in as root - the root password is “firefire”

Scalpel

• http://www.howtoforge.com/recover-deleted-files-with-scalpel

dcfldd

$ sudo apt-get install dcfldd

Hash on the fly. Wipe drive with:

$ dcfldd if=/dev/zero of=/dev/hda bs=8k conv=noerror,sync

Discs durs

• Discs durs
• hdparm
• mkfs
• fsck
• dd/rda//dcfldd https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-willis-c/bh-us-03-willis.pdf
• fdisk/sfdisk
• dmesg | grep hd
• mount
• LVM
• loop
• losetup

Disc Carving

foremost

$ sudo apt-get install foremost

Can run on disk image or on loopback devices

$ foremost –o loopa3_fm –v /dev/loopa3

Can also be run on free space (.dls) extracted by Autopsy

Foremost

Cerca de patrons

NSRL: National Software Reference Library

• https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-willis-c/bh-us-03-willis.pdf

Strings

http://linux.about.com/library/cmd/blcmdl1_strings.htm

grep

Vegeu grep

Sleuth Kit

Sleuth Kit. Per instal·lar:

$ sudo apt-get install sleuthkit

• www.sleuthkit.org

Autopsy

Vegeu Autopsy

Altres eines

• MD5deep (md5deep.sourceforge.net) – recursive md5s
• Fatback (sourceforge.net/projects/biatchux) – File uneraser for FAT file systems
• Stegdetect (www.outguess.org) - will detect some kinds of steganography in images. Vegeu Steganografia
• Galleta (www.openforensics.org) – IE Cookie Parser
• Pasco (www.openforensics.org) – IE Activity Parser
• Rifiuti (www.openforensics.org) – Recycle Bin INFO2
• File Parser LibPST (sourceforge.net/projects/ol2mbox) – converts Outlook and Outlook Express files to Linux mbox format

Altres fonts informació

• Information about the National Software Reference Library (NSRL) - www.nsrl.nist.gov
• Tools, forums, mailing lists - www.openforensics.org
• Penguin Sleuth CD, forums, and information - www.linux-forensics.com
• Tools and information - www.opensourceforensics.org
• The Coroner’s Toolkit - www.porcupine.org/forensics/tct.html
• Honeynet Project Scans of the Month (www.honeynet.org/scans/) #15, #24, and #26 deal with forensics
• SleuthKit/Autopsy information, mailing list, and download – www.sleuthkit.org
• Case studies of Honeynet Scans www.sleuthkit.org/case/index.php
• Great news letter - www.sleuthkit.org/informer/index.php
• Linux Forensic User Group - groups.yahoo.com/group/linux_forensics/

Vegeu també

• Seguretat
• Criptografia
• Esborrar fitxers de forma segura
• Xifrar el disc dur amb Ubuntu
• photorec
• Sleuth Kit
• Autopsy
• foremost
• Discs durs
• hdparm
• mkfs
• fsck
• dd/rda//dcfldd https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-willis-c/bh-us-03-willis.pdf
• fdisk/sfdisk
• dmesg | grep hd
• mount
• LVM
• loop
• DEFT
• CAINE
• Disk carving

Enllaços externs

• http://es.wikipedia.org/wiki/C%C3%B3mputo_forense
• http://en.wikipedia.org/wiki/Computer_forensics