Forensic Cop Journal
Volume 2(1), Nov 2009
http://forensiccop.blogspot.com
Ubuntu Forensic
by Muhammad Nuh Al-Azhar, MSc. (CHFI, CEI, MBCS), Commissioner Police, Coordinator of the Digital Forensic Analyst Team, Forensic Lab Centre of Indonesian National Police HQ
Background

Ubuntu Forensic is the use of Ubuntu for digital forensic purposes. Because Ubuntu provides a wide range of forensic tools, as well as anti-forensic and cracking tools, it is a reliable platform for investigating a computer crime and analysing the digital evidence involved. The significant difference in forensic applications between Ubuntu and Ms Windows is that the Ubuntu applications are freeware, while the applications running under Ms Windows are commercial. The results obtained with these applications are relatively the same. This means that a digital forensic analyst should understand the use of Ubuntu forensic applications as well as Ms Windows applications. Analysts who do so have many forensic tools that can be applied in an investigation or analysis: when one tool does not give satisfactory results, they can turn to other tools, under either Ubuntu or Ms Windows, to obtain the best results. This journal is written with the aim of broadening the forensic view of forensic professionals. It is expected that they will explore the packages provided on Ubuntu for forensic purposes. They should know that it is not only Ms Windows forensic applications that can be used for digital forensics; many tools on Ubuntu can do the same thing with the same results. To some extent, Ubuntu gives stronger results than Ms Windows applications. For instance, dcfldd can be used for forensic imaging with different purposes: it can image certain chosen blocks as well as the whole drive. This feature is not provided by imaging applications running under Ms Windows. Another instance is image metadata analysis through EXIF. On Ubuntu there are several tools that can be used to analyse image EXIF data, such as exif, exiftool and metacam, and there are tools that can be used to manipulate EXIF values, such as exiv2 and libjpeg-progs. All these tools are freeware.
One essential reason why the author frequently uses Ubuntu for digital forensic purposes such as forensic imaging is forensically sound write protection. It is compulsory for every digital forensic analyst to apply it when dealing with a storage drive as evidence. Its aim is to ensure that the contents of the drive are not changed, either accidentally or deliberately. Once the contents are changed, the subsequent digital forensic actions become doubtful or are even refused by the court, unless the digital forensic analyst can explain comprehensively why (i.e. the relevance) they were changed and what the implications of that action are. This is usually performed during live analysis under strict procedures. On dead analysis (i.e. post mortem) the analyst is still required to keep the contents of the hard drive unchanged. To reach this purpose, Ubuntu can be modified to give forensically sound write protection. It is performed by modifying the
file /etc/fstab so that the drive is mounted with the read-only option; whatever is then done on the evidence drive does not change its contents. When a text file is accessed, this action does not change the MAC (i.e. Modified, Accessed and Created) time at all: it remains unchanged although the file has been accessed. This is because the modification of /etc/fstab gives forensically sound write protection against any action committed by the analyst on the drive. With this feature, the analyst can do many things, such as live analysis on the drive, in order to speed up the investigation. This is frequently done when dealing with many drives as evidence. If the regular digital forensic procedure is followed, forensic imaging of each drive takes a long time. The shortcut is to apply forensically sound write protection and then read and analyse the drives directly. The aim of this step is to find out which drive among them has a strong relationship with the case; once it is identified, the analyst can carry out further analysis on it.

Below are the tools that can be used for the purposes of digital forensic analysis, anti-forensics and cracking. There are twenty-five tools for forensic purposes, fifteen for anti-forensics and ten for cracking. There are other tools whose descriptions relate to these purposes, but they are not covered in this journal. One of the powerful tools often used by the author is Autopsy, the GUI version of The Sleuth Kit created by Brian Carrier. What commercial applications running under Ms Windows, such as EnCase and FTK, discover when analysing digital evidence is the same as what Autopsy finds. The description of each tool below is quoted directly from the Synaptic Package Manager created by Conectiva S/A and Michael Vogt (April 2009). This application makes it easy for Ubuntu users to install or uninstall Ubuntu packages.
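As an added example (not code from the journal), the following POSIX shell script covers the two acquisition practices described above: the read-only /etc/fstab mount used as forensically sound write protection, with a check that a mount point really is read-only, and dcfldd-style imaging of a chosen block range with a hash recorded for later verification. It assumes POSIX sh with dd, cmp and awk (sha256sum when present, otherwise cksum); the device names, mount point, extra mount options and the sample drive are all constructed here, and dd stands in for dcfldd so the script runs without it installed.

```shell
#!/bin/sh
# Added example, not code from the journal. Assumptions: POSIX sh with dd,
# cmp and awk; sha256sum when present, otherwise cksum. Device names, mount
# points and the sample drive below are constructed for the demonstration.

# /etc/fstab line that mounts an evidence partition read-only. The journal
# only specifies read-only; noatime, noexec, nodev and nosuid are extra
# options assumed here so nothing on the evidence volume is executed or has
# its access time touched.
evidence_fstab_line() {
    # $1 device node, $2 mount point, $3 filesystem type
    printf '%s %s %s ro,noatime,noexec,nodev,nosuid 0 0\n' "$1" "$2" "$3"
}

# Confirm from data in /proc/mounts format that a mount point is actually
# read-only: the fourth field must contain "ro" as a whole option.
# $1 mount point, $2 mounts file (defaults to the live /proc/mounts)
mount_is_readonly() {
    awk -v mp="$1" '
        $2 == mp {
            found = 1
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
        }
        END { if (found && ro) exit 0; exit 1 }
    ' "${2:-/proc/mounts}"
}

# Hash a file with sha256sum, or cksum where sha256sum is absent.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        cksum "$1" | awk '{ print $1 }'
    fi
}

# Copy a block range from a source device or image and print the digest of
# the copy. dcfldd takes the same skip= and count= arguments and hashes on
# the fly (hash=sha256 hashlog=FILE); plain dd plus digest is used here so
# the example runs without dcfldd installed.
# $1 source, $2 destination, $3 block size, $4 first block, $5 block count
image_blocks() {
    dd if="$1" of="$2" bs="$3" skip="$4" count="$5" conv=noerror,sync \
        2>/dev/null || return 1
    digest "$2"
}

# Verify a range image against its source bit for bit (exit 0 on match).
# Same arguments as image_blocks.
image_matches_source() {
    dd if="$1" bs="$3" skip="$4" count="$5" 2>/dev/null | cmp -s - "$2"
}

# Constructed sample "drive": $2 blocks of 512 bytes, each labelled with its
# 1-based block number so a copied range is easy to recognise.
make_sample_drive() {
    i=1
    : > "$1"
    while [ "$i" -le "$2" ]; do
        printf 'blk%02d-%0505d\n' "$i" 0 >> "$1"
        i=$((i + 1))
    done
}

# Demonstration on constructed data; no real device is touched.
tmp=$(mktemp -d)
make_sample_drive "$tmp/evidence.raw" 16
printf '/dev/sdb1 /mnt/evidence ntfs ro,noatime,noexec,nodev,nosuid 0 0\n' > "$tmp/mounts"
printf '/dev/sda1 / ext4 rw,relatime 0 0\n' >> "$tmp/mounts"
evidence_fstab_line /dev/sdb1 /mnt/evidence ntfs
mount_is_readonly /mnt/evidence "$tmp/mounts" && echo "/mnt/evidence is mounted read-only"
mount_is_readonly / "$tmp/mounts" || echo "/ is writable: not suitable for evidence"
# Image blocks 3..5 (0-based) and verify the copy against the source.
image_blocks "$tmp/evidence.raw" "$tmp/blocks-3-5.img" 512 3 3
image_matches_source "$tmp/evidence.raw" "$tmp/blocks-3-5.img" 512 3 3 && echo "range image verified"
rm -rf "$tmp"
```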
If they are still in doubt about the use of a certain package, they should read the description given for that package.

Forensic Tools:

1. Vinetto: A forensics tool to examine Thumbs.db files. A tool intended for forensics examinations. It is a console program to extract thumbnail images and their metadata from those thumbs.db files generated under Windows. Used in forensic environments.

2. Autopsy: The Autopsy Forensic Browser is a graphical interface to the command line digital forensic analysis tools in The Sleuth Kit. Together, The Sleuth Kit and Autopsy provide many of the same features as commercial digital forensics tools for the analysis of Windows and UNIX file systems (NTFS, FAT, FFS, EXT2FS, and EXT3FS).
3. Rdd: A forensic copy program developed at and used by the Netherlands Forensic Institute (NFI). Unlike most copy programs, rdd is robust with respect to read errors, which is an important property in a forensic operating environment.

4. Tct: TCT is a collection of programs for a post-mortem analysis of a UNIX system after break-in. It enables you to collect data regarding deleted files, modification times of files and more. Install this BEFORE you need to use it, so you do not risk destroying essential forensic data before you begin. Tools contained within this package: graverobber, lazarus, inode-cat, ils, unrm and pcat.

5. Galleta: An Internet Explorer cookie forensic analysis tool. Galleta is a forensic tool that examines the content of cookie files produced by Microsoft's Internet Explorer. It parses the file and outputs a field-separated file that can be loaded in a spreadsheet.

6. Pasco: An Internet Explorer cache forensic analysis tool. Pasco is a forensic tool that examines the content of cache files (index.dat) produced by Microsoft's Internet Explorer. It parses the file and outputs a field-separated file that can be loaded in a spreadsheet.

7. Sleuthkit: Tools for forensics analysis. The Sleuth Kit (previously known as TASK) is a collection of UNIX-based command line file system and media management forensic analysis tools. The file system tools allow you to examine file systems of a suspect computer in a non-intrusive fashion. Because the tools do not rely on the operating system to process the file systems, deleted and hidden content is shown. The media management tools allow you to examine the layout of disks and other media. The Sleuth Kit supports DOS partitions, BSD partitions (disk labels), Mac partitions, and Sun slices (Volume Table of Contents). With these tools, you can identify where partitions are located and extract them so that they can be analyzed with file system analysis tools.
When performing a complete analysis of a system, we all know that command line tools can become tedious. The Autopsy Forensic Browser is a graphical interface to the tools in The Sleuth Kit, which allows you to more easily conduct an investigation. Autopsy provides case management, image integrity, keyword searching, and other automated operations.

8. Unhide: Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits, Linux kernel modules or by other techniques. It includes two utilities: unhide and unhide-tcp. Unhide detects hidden processes using three techniques:
- comparing the output of /proc and /bin/ps
- comparing the information gathered from /bin/ps with the one gathered from system calls (syscall scanning)
- full scan of the process ID space (PIDs brute forcing)

Unhide-tcp identifies TCP/UDP ports that are listening but are not listed in /bin/netstat through brute forcing of all TCP/UDP ports available. This package can be used by rkhunter in its daily scans.

9. Foremost: This is a console program to recover files based on their headers and footers for forensics purposes. Foremost can work on disk image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for.

10. Afflib: Tools to use AFF segmented archive files. The Advanced Forensic Format (AFF) 1.0 is an extensible open format for the storage of disk images and related forensic information. The following tools are available to work with it:
- afcat - copies the contents of an AFF file to stdout.
- afcompare - compares two AFF files or an AFF file and a raw file
- afconvert - converts AFF->raw, raw->AFF, or AFF->AFF (or even raw->raw, if you want), optionally recompressing files.
- affix - reports errors with AFF files and optionally fixes them.
- afinfo - prints info about an AFF file from an examination of the segments
- afstats - prints statistics about one or more AFF files
- afxml - outputs an AFF file's metadata as XML
- aimage - images a hard drive into AFF or raw format
11. Scalpel: A Frugal, High Performance File Carver. A fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions. It is useful for both digital forensics investigation and file recovery.

12. Dcfldd: Enhanced version of dd for forensics and security. Based on the dd program with the following additional features:
- Hashing on-the-fly: dcfldd can hash the input data as it is being transferred, helping to ensure data integrity.
- Status output: dcfldd can update the user of its progress in terms of the amount of data transferred and how much longer the operation will take.
- Flexible disk wipes: dcfldd can be used to wipe disks quickly and with a known pattern if desired.
- Image/wipe verify: dcfldd can verify that a target drive is a bit-for-bit match of the specified input file or pattern.
- Multiple outputs: dcfldd can output to multiple files or disks at the same time.
- Split output: dcfldd can split output to multiple files with more configurability than the split command.
- Piped output and logs: dcfldd can send all its log data and output to commands as well as files natively.

13. Gzrt: gzip recovery toolkit. gzrecover will attempt to skip over corrupted data in a gzip archive, thereby allowing the remaining data to be recovered. Please install cpio to facilitate recovery from damaged gzipped tarballs.

14. Chntpw: NT SAM password recovery utility. This little program provides a way to view information and change user passwords in a Windows NT/2000 user database file. Old passwords need not be known since they are overwritten. In addition it also contains a simple registry editor (same size data writes) and a hex editor which enables you to fiddle around with bits and bytes in the file as you wish. If you want GNU/Linux boot disks for offline password recovery you can add this utility to custom image disks or use those provided at the tool's homepage.

15. Testdisk: Partition scanner and disk recovery tool. TestDisk checks the partition and boot sectors of your disks. It is very useful in recovering lost partitions. It works with:
- DOS/Windows FAT12, FAT16 and FAT32
- NTFS (Windows NT/2K/XP)
- Linux Ext2 and Ext3
- BeFS (BeOS)
- BSD disklabel (FreeBSD/OpenBSD/NetBSD)
- CramFS (Compressed File System)
- HFS and HFS+, Hierarchical File System
- JFS, IBM's Journaled File System
- Linux Raid
- Linux Swap (versions 1 and 2)
- LVM and LVM2, Linux Logical Volume Manager
- Netware NSS
- ReiserFS 3.5 and 3.6
- Sun Solaris i386 disklabel
- UFS and UFS2 (Sun/BSD/...)
- XFS, SGI's Journaled File System

PhotoRec is file data recovery software designed to recover lost pictures from digital camera memory or even hard disks. It has been extended to search also for non audio/video headers. It searches for:
- Sun/NeXT audio data (.au)
- RIFF audio/video (.avi/.wav)
- BMP bitmap (.bmp)
- bzip2 compressed data (.bz2)
- Source code written in C (.c)
- Canon Raw picture (.crw)
- Canon catalog (.ctg)
- FAT subdirectory
- Microsoft Office Document (.doc)
- Nikon dsc (.dsc)
- HTML page (.html)
- JPEG picture (.jpg)
- MOV video (.mov)
- MP3 audio (MPEG ADTS, layer III, v1) (.mp3)
- Moving Picture Experts Group video (.mpg)
- Minolta Raw picture (.mrw)
- Olympus Raw Format picture (.orf)
- Portable Document Format (.pdf)
- Perl script (.pl)
- Portable Network Graphics (.png)
- Raw Fujifilm picture (.raf)
- Contax picture (.raw)
- Rollei picture (.rdc)
- Rich Text Format (.rtf)
- Shell script (.sh)
- Tar archive (.tar)
- Tag Image File Format (.tiff)
- Microsoft ASF (.wma)
- Sigma/Foveon X3 raw picture (.x3f)
- zip archive (.zip)
16. Gddrescue: The GNU data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. Gddrescue does not truncate the output file if not asked to. So, every time you run it on the same output file, it tries to fill in the gaps. The basic operation of ddrescue is fully automatic. That is, you don't have to wait for an error, stop the program, read the log, run it in reverse mode, etc. If you use the logfile feature of ddrescue, the data is rescued very efficiently (only the needed blocks are read). Also you can interrupt the rescue at any time and resume it later at the same point. Automatic merging of backups: If you have two or more damaged copies of a file, cdrom, etc, and run ddrescue on all of them, one at a time, with the same output file, you will probably obtain a complete and error-free file. This is so because the probability of having damaged areas at the same places on different input files is very low. Using the logfile, only the needed blocks are read from the second and successive copies. The logfile is periodically saved to disc. So in case of a crash you can resume the rescue with little recopying. Also, the same logfile can be used for multiple commands that copy different areas of the file, and for multiple recovery attempts over different subsets. Gddrescue aligns its I/O buffer to the sector size so that it can be used to read from raw devices. For efficiency reasons, it also aligns it to the memory page size if the page size is a multiple of the sector size.

17. Recover: Undelete files on ext2 partitions. Recover automates some steps as described in the ext2-undeletion howto. This means it seeks all the deleted inodes on your hard drive with debugfs. When all the inodes are indexed, recover asks you some questions about the deleted file.
These questions are:
- Hard disk device name
- Year of deletion
- Month of deletion
- Weekday of deletion
- First/Last possible day of month
- Min/Max possible file size
- Min/Max possible deletion hour
- Min/Max possible deletion minute
- User ID of the deleted file

If recover found any fitting inodes, it asks to give a directory name and dumps the inodes into the directory. Finally it asks you if you want to filter the inodes again (in case you typed some wrong answers). Note that recover works only with ext2 filesystems - it does not support ext3.

18. E2undel: Undelete utility for the ext2 file system. Interactive console tool to recover the data of deleted files on an ext2 file system under Linux. It does not require knowledge
about how ext2 file systems work and should be usable by most people. This tool searches all inodes marked as deleted on a file system and lists them sorted by owner and time of deletion. Additionally, it gives you the file size and tries to determine the file type in the way file(1) does. If you did not just delete a whole bunch of files with a 'rm -r *', this information should be helpful to find out which of the deleted files you would like to recover. E2undel will not work on ext3 (journaling) filesystems.

19. Ext3grep: Tool to help recover deleted files on ext3 filesystems. Ext3grep is a simple tool intended to aid anyone who accidentally deletes a file on an ext3 filesystem, only to find that they wanted it shortly thereafter.

20. Sqlitebrowser: GUI editor for SQLite databases. SQLite Database Browser is a freeware, public domain, open source visual tool used to create, design and edit database files compatible with SQLite. Its interface is based on QT, and is meant to be used by users and developers that want to create databases, edit and search data using a familiar spreadsheet-like interface, without the need to learn complicated SQL commands. Controls and wizards are available for users to:
- Create and compact database files
- Create, define, modify and delete tables
- Create, define and delete indexes
- Browse, edit, add and delete records
- Search records
- Import and export records as text
- Import and export tables from/to CSV files
- Import and export databases from/to SQL dump files
- Issue SQL queries and inspect the results
- Examine a log of all SQL commands issued by the application

SQLite Database Browser is not a visual shell for the sqlite command line tool. It does not require familiarity with SQL commands. It is a tool to be used both by developers and by end users, and it must remain as simple to use as possible in order to achieve its goals.

21. Exifprobe: Read metadata from digital pictures.
Exifprobe reads image files produced by digital cameras (including several so-called "raw" file formats) and reports the structure of the files and the auxiliary data and metadata contained within them. In addition to TIFF, JPEG, and EXIF, the program understands several formats which may contain "raw" camera data, including MRW, CIFF/CRW, JP2/JPEG2000, RAF, and X3F, as well as most TIFF-derived "raw" formats, including DNG, ORF, CR2, NEF, K25/KDC/DCR, and PEF.
22. Podsleuth: Tool to discover detailed information about Apple iPods. PodSleuth is a tool to discover detailed model information about an Apple (TM) iPod (TM). Its primary role is to be run as a callout by HAL because root access is needed to scan the device for required information. When the model information is discovered, it is merged into HAL as properties for other applications to use. With PodSleuth installed, applications can expect to have rich iPod (TM) metadata merged into the device tree on the iPod data volume node. PodSleuth metadata properties are in the org.bansheeproject.podsleuth namespace.

23. Exif: Command-line utility to show EXIF information in JPEG files. Most digital cameras produce EXIF files, which are JPEG files with extra tags that contain information about the image. 'exif' is a small command-line utility to show EXIF information hidden in JPEG files.

24. Libimage-exiftool-perl: Library and program to read and write meta information in multimedia files. ExifTool is a Perl module with an included command-line application for reading and writing meta information in image, audio and video files. It recognizes EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, ICC Profile, Photoshop IRB, FlashPix, AFCP and ID3 meta information as well as the maker notes of many digital cameras including Canon, Casio, FujiFilm, JVC/Victor, Kodak, Leaf, Minolta/Konica-Minolta, Nikon, Olympus/Epson, Panasonic/Leica, Pentax/Asahi, Ricoh, Sanyo and Sigma/Foveon.

25. Metacam: Extract EXIF information from digital camera files. EXIF stands for Exchangeable Image File Format, and is a standard for storing interchange information in image files, especially those using JPEG compression. Most digital cameras now use the EXIF format. The format is part of the DCF standard created by JEIDA to encourage interoperability between imaging devices. In addition to the standard EXIF fields, MetaCam also supports vendor-specific extensions from Nikon, Olympus, Canon and Casio.
Anti-Forensic Tools:

1. Wipe: Secure file deletion. Recovery of supposedly erased data from magnetic media is easier than what many people would like to believe. A technique called Magnetic Force Microscopy (MFM) allows any moderately funded opponent to recover the last two or three layers of data written to disk. Wipe repeatedly writes special patterns to the files to be destroyed, using the fsync() call and/or the O_SYNC bit to force disk access.
2. Bcrypt: Cross platform file encryption utility using blowfish. Bcrypt is a cross platform file encryption utility. Encrypted files are portable across all supported operating systems and processors. In addition to encrypting your data, bcrypt will by default overwrite the original input file with random garbage three times before deleting it in order to thwart data recovery attempts by persons who may gain access to your computer. Bcrypt uses the blowfish encryption algorithm published by Bruce Schneier in 1993.

3. Exiv2: EXIF/IPTC metadata manipulation tool. Exiv2 can:
- print the Exif metadata of JPEG, TIFF and several RAW image formats as summary info, interpreted values, or the plain data for each tag
- print the IPTC metadata of JPEG images
- print, set and delete the JPEG comment of JPEG images
- set, add and delete Exif and IPTC metadata of JPEG images
- adjust the Exif timestamp (that's how it all started...)
- rename Exif image files according to the Exif timestamp
- extract, insert and delete Exif metadata, IPTC metadata and JPEG comments
- extract, insert and delete the thumbnail image embedded in the Exif metadata
- fix the Exif ISO setting of pictures taken with Nikon cameras

4. Libjpeg-progs: Programs for manipulating JPEG files. This package contains programs for manipulating JPEG files:
- cjpeg/djpeg: convert to/from the JPEG file format
- rdjpgcom/wrjpgcom: read/write comments in JPEG files
- jpegtran: lossless transformations of JPEG files
- jpegexiforient/exifautotran: manipulate EXIF orientation tag

5. Secure-delete: Tools to wipe files, free disk space, swap and memory. Even if you overwrite a file 10+ times, it can still be recovered. This package contains tools to securely wipe data from files, free disk space, swap and memory.

6. Aespipe: AES-encryption tool with loop-AES support. Aespipe is an encryption tool that reads from standard input and writes to standard output. It uses the AES (Rijndael) cipher.
It can be used as an encryption filter, to create and restore encrypted tar/cpio backup archives and to read/write and convert loop-AES compatible encrypted
images. Aespipe can be used for non-destructive in-place encryption of existing disk partitions for use with the loop-AES encrypted loopback kernel module.

7. Ccrypt: Secure encryption and decryption of files and streams. Ccrypt is a utility for encrypting and decrypting files and streams. It was designed as a replacement for the standard unix crypt utility, which is notorious for using a very weak encryption algorithm. ccrypt is based on the Rijndael cipher, which is the U.S. government's chosen candidate for the Advanced Encryption Standard (AES, see http://www.nist.gov/aes). This cipher is believed to provide very strong security.

8. Encfs: Encrypted virtual filesystem. EncFS integrates file system encryption into the Unix(TM) file system. Encrypted data is stored within the native file system, thus no fixed-size loopback image is required. EncFS uses the FUSE kernel driver and library as a backend.

9. Makepasswd: Generate and encrypt passwords. Generates true random passwords by using the /dev/random feature of Linux, with the emphasis on security over pronounceability. It can also encrypt plaintext passwords given in a temporary file.

10. Cryptcat: A lightweight version of netcat extended with twofish encryption. Cryptcat is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol while encrypting the data being transmitted. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

11. Gdecrypt: GUI for mapping/mounting and creating encrypted volumes. Gdecrypt was written to make the use of decrypted partitions under Linux easier.
It currently contains a GUI written in PyGTK for decrypting/mounting, unmounting and encrypting partitions or container files, and it supports partitions created with truecrypt (see http://truecrypt.org for details) and LUKS. Note that truecrypt <= 4.3a is required for truecrypt support and cryptsetup with luks is required for luks support.

12. Enigmail: Enigmail - GPG support for Thunderbird. OpenPGP extension for Thunderbird. Enigmail allows users to access the features provided by the popular GnuPG software from within Thunderbird. Enigmail is capable of signing, authenticating, encrypting and decrypting email. Additionally, it supports both the inline PGP format, as well as the PGP/MIME format as described in RFC 3156.
13. Steghide: A steganography hiding tool. Steghide is a steganography program which hides bits of a data file in some of the least significant bits of another file in such a way that the existence of the data file is not visible and cannot be proven. Steghide is designed to be portable and configurable and features hiding data in bmp, wav and au files, blowfish encryption, MD5 hashing of passphrases to blowfish keys, and pseudorandom distribution of hidden bits in the container data.

14. Outguess: Universal Steganographic tool. OutGuess is a universal steganographic tool that allows the insertion of hidden information into the redundant bits of data sources. The nature of the data source is irrelevant to the core of OutGuess. The program relies on data specific handlers that will extract redundant bits and write them back after modification. In this version the PNM and JPEG image formats are supported.

15. Snowdrop: Plain text watermarking and watermark recovery. Snowdrop provides reliable, difficult to remove steganographic watermarking of text documents (internal memos, draft research papers, advisories and other writing) and C sources (limited distribution software, licensed software, or freely available code) so that:
- leaks can be identified if the data goes public
- original source can be determined and demonstrated if part of the document is claimed by somebody else, copied without permission, etc.

Snowdrop uses redundant steganography using four different logical channels, and should be proof to many modifications, including reformatting, spell checking and so on. Warning: Snowdrop is currently in beta, and may produce bad or corrupted results, especially when run on C source code.

Cracking Tools:

1. Cifer: Multipurpose classical cryptanalysis and code-breaking tool.
Cifer provides many functions designed to aid in cracking classical ciphers; a group of ciphers used historically, but which have now fallen into disuse because of their susceptibility to ciphertext-only attacks. In general, they were designed and implemented by hand, and operate on an alphabet of letters (such as [A-Z]). It operates using text files as input and output, and can perform both brute force and other, more sophisticated, attacks against many classic encryption schemes. In addition, it provides many utilities such as frequency analysis and automated encryption/decryption of texts.

2. Samdump: Dump Windows 2k/NT/XP password hashes. This tool is designed to dump Windows 2k/NT/XP password hashes from a SAM file. It requires the syskey key which can be
found with tools like bkhive. Syskey is a Windows feature that adds an additional encryption layer to the password hashes stored in the SAM database.

3. Bkhive: Dump the syskey bootkey from a Windows NT/2K/XP system hive. This tool is designed to recover the syskey bootkey from a Windows NT/2K/XP system hive. Then we can decrypt the SAM file with the syskey and dump password hashes. Syskey is a Windows feature that adds an additional encryption layer to the password hashes stored in the SAM database.

4. Fcrackzip: Password cracker for zip archives. Fcrackzip is a fast password cracker partly written in assembler. It is able to crack password protected zip files with brute force or dictionary based attacks, optionally testing its results with unzip. It can also crack cpmask'ed images.

5. aircrack-ng: Wireless WEP/WPA cracking utilities. Aircrack-ng is an 802.11a/b/g WEP/WPA cracking program that can recover a 40-bit, 104-bit, 256-bit or 512-bit WEP key once enough encrypted packets have been gathered. Also it can attack WPA1/2 networks with some advanced methods or simply by brute force. It implements the standard FMS attack along with some optimizations, thus making the attack much faster compared to other WEP cracking tools. It can also fully use a multiprocessor system to its full power in order to speed up the cracking process. Aircrack-ng is a fork of aircrack, as that project has been stopped by the upstream maintainer.

6. Pdfcrack: PDF files password cracker. Pdfcrack is a simple tool for recovering passwords from pdf-documents. It should be able to handle all pdfs that use the standard security handler, but the pdf-parsing routines are a bit of a quick hack so you might stumble across some pdfs where the parser needs to be fixed to handle them. Pdfcrack allows configuring the size of the searched password, using an external wordlist file and saving cracking sessions to restore them later.

7. Medussa: Distributed password cracking system.
Medussa is a distributed password cracking system that can attempt various types of attacks on crypted passwords, distributing the work on many machines.

8. Ophcrack: Microsoft Windows password cracker using rainbow tables (gui). Ophcrack is a Windows password cracker based on a time-memory trade-off using rainbow tables. This is a new variant of Hellman's original trade-off, with better performance. It recovers 99.9% of alphanumeric passwords in seconds. It works for Windows NT/2000/XP/Vista. This package contains ophcrack with QT4 based graphical UI. Please note that it can be used in command line as well.
9. Weplab: Tool designed to break WEP keys. WepLab is a tool designed to teach how WEP works, what different vulnerabilities it has, and how they can be used in practice to break a WEP protected wireless network. WepLab can dump network traffic, analyse it or crack the WEP key.

10. John: Active password cracking tool. John, mostly known as John the Ripper, is a tool designed to help systems administrators to find weak (easy to guess or crack through brute force) passwords, and even automatically mail users warning them about it, if it is desired. It can also be used with different cyphertext formats, including Unix's DES and MD5, Kerberos AFS passwords, Windows' LM hashes, BSDI's extended DES, and OpenBSD's Blowfish.

Bibliography

1. Al-Azhar, M. (2009). Forensically Sound Write Protect on Ubuntu. Forensic Cop Journal, 1(3). Available at: http://forensiccop.blogspot.com. Last accessed 26 November 2009.
2. Al-Azhar, M. (2009). Similarities and Differences between Ubuntu Windows on Forensic Applications. Forensic Cop Journal, 1(2). Available at: http://forensiccop.blogspot.com. Last accessed 26 November 2009.
3. Conectiva S/A and Vogt, M. (2009). Synaptic Package Manager 0.62.5. Ubuntu 9.04.