-
June 8th, 2004, 02:44 PM
#1
Member
Here have a look at this hard drive
This was the statement made to me by my boss. What is interesting is I am a newbie when it comes to forensics, so let's get to this. The chain of evidence has been preserved: I have an image of the hard drive and the original is locked in a lawyer's safe. So that is not an issue. The system was not properly handled because it was a laptop and the user "turned it in" before he left, so it has been rebooted......Nothing I can do there.
The drive has 2 partitions on it, a Win2k and a Linux (Red Hat). Now I have gone through the tutorials and I plan on using the tools recommended (awesome info guys, thanks) to analyze the Win2k partition; however, I get a sneaking suspicion that if this character was doing anything it was while in Linux. The first step is to get past the password. I am researching that today and hope to have it solved by the time you read this.
My question is are there freeware forensic tools that can give you the same type of information as those tools created for Windows?
-
June 8th, 2004, 03:55 PM
#2
you can just boot with knoppix or so and remove the password string in /etc/shadow of the root account, now you would have access to the system as root...
this should work, unless there is some kind of security which prevents the root account from having an empty password...
-
June 8th, 2004, 06:30 PM
#4
Have a look at this live bootable cd
http://www.knoppix-std.org/
http://www.knoppix-std.org/tools.html
forensics
/usr/bin/forensics/
* sleuthkit 1.66 : extensions to The Coroner's Toolkit forensic toolbox.
* autopsy 1.75 : Web front-end to TASK. Evidence Locker defaults to /mnt/evidence
* biew : binary viewer
* bsed : binary stream editor
* consh : logged shell (from F.I.R.E.)
* coreography : analyze core files
* dcfldd : US DoD Computer Forensics Lab version of dd
* fenris : code debugging, tracing, decompiling, reverse engineering tool
* fatback : Undelete FAT files
* foremost : recover specific file types from disk images (like all JPG files)
* ftimes : system baseline tool (be proactive)
* galleta : recover Internet Explorer cookies
* hashdig : dig through hash databases
* hdb : java decompiler
* mac-robber : TCT's graverobber written in C
* md5deep : run md5 against multiple files/directories
* memfetch : force a memory dump
* pasco : browse IE index.dat
* photorec : grab files from digital cameras
* readdbx : convert Outlook Express .dbx files to mbox format
* readoe : convert entire Outlook Express .directory to mbox format
* rifiuti : browse Windows Recycle Bin INFO2 files
* secure_delete : securely delete files, swap, memory....
* testdisk : test and recover lost partitions
* wipe : wipe a partition securely. good for prep'ing a partition for dd
* and other typical system tools used for forensics (dd, lsof, strings, grep, etc.)
http://www.google.com/linux?hl=en&lr...=Google+Search
-
June 8th, 2004, 10:58 PM
#5
There's a thing out on the BugTraq forensics list right now about Knoppix not being sound with regard to forensic investigation.... Unfortunately I can't seem to find it right now..... You might want to look into it......
[Edit]
Search Bugtraq for this thread:-
Re: Re: Write protection devices was: Imaging speed - USB, IDE, laptop
I'm pretty sure this is the one where a CD run Knoppix isn't forensically "sound"
[/Edit]
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
June 9th, 2004, 12:46 AM
#6
you can just boot with knoppix or so and remove the password string in /etc/shadow of the root account, now you would have access to the system as root...
This would make any evidence you gleaned from the drive inadmissible in a court of law. You have just let the bad guy off. Because you have changed the drive contents.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
June 9th, 2004, 01:26 AM
#7
Jinxy, notice he said he had an IMAGE of the drive, so he can mess with it all he wants and find information however he wants then he will know the location of everything on the physical drive when it comes time for him to deal with it.
-
June 9th, 2004, 01:43 AM
#8
How was that image acquired? I'm not an expert on the subject, but I have read a little recently. It would seem that it is very difficult to get the courts to accept this type of evidence. That is why software like Encase is so expensive.
http://www.guidancesoftware.com/
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
June 9th, 2004, 02:21 AM
#9
Thanks for the heads up Tiger Shark. And here is the url
http://www.securityfocus.com/archive...5/2004-06-11/0
Check this out "KNOPPIX Validation Study"
http://www.linux-forensics.com/publications.html
As with any tool that you use, learn its strengths and weaknesses.
-
June 9th, 2004, 04:55 AM
#10
Knoppix is definitely not forensically sound as it attempts to automount available partitions (and for a couple other reasons too). A good forum for linux-related forensics (tools and otherwise) is http://www.linux-forensics.com which coupled with the forensics securityfocus mailing list should get you started off on the right foot.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
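Posts #7, #9 and #10 above make one practical point between them: work only on the image, prove it has not changed, and never let the examination environment mount the evidence read-write the way Knoppix's automount would. The script below is an added example for this thread, not something any of the posters provided. It assumes POSIX sh with coreutils md5sum (standing in for the md5deep from the tool list) and Linux mount(8); the image path, partition byte offset and mount point are placeholders.

```shell
#!/bin/sh
# Added example: chain-of-custody hashing around a read-only examination of a disk
# image. Assumes POSIX sh, coreutils md5sum and Linux mount(8). Paths are placeholders.

# Print the MD5 digest of the image file; record this in the case notes before
# any examination begins.
image_digest() {
    md5sum "$1" | awk '{print $1}'
}

# Return 0 if the image still matches the recorded digest, non-zero otherwise.
# Run this after every examination session to show the copy was never altered.
verify_image() {
    image="$1"; expected="$2"
    actual=$(image_digest "$image")
    [ "$actual" = "$expected" ]
}

# Mount options that keep the examination from touching the evidence:
#   ro      - read-only
#   loop    - attach the image file as a block device
#   noexec  - never execute binaries found on the evidence
#   nodev   - ignore device nodes on the evidence
#   noatime - do not update access times (implied by ro, kept explicit for the notes)
RO_OPTS="ro,loop,noexec,nodev,noatime"

# Build the mount command for one partition inside a whole-disk image.
# offset is start_sector * 512; get the start sector from 'fdisk -l image.dd'.
# The command is printed rather than run so it can be pasted into the case log
# and executed as root deliberately, not by an automounter.
ro_mount_cmd() {
    image="$1"; offset="$2"; mountpoint="$3"
    printf 'mount -o %s,offset=%s %s %s\n' "$RO_OPTS" "$offset" "$image" "$mountpoint"
}

# Usage: sh image_check.sh /mnt/evidence/laptop.dd 32256 /mnt/case
if [ "$#" -eq 3 ]; then
    before=$(image_digest "$1")
    echo "digest before examination: $before"
    echo "run as root, then examine $3:"
    ro_mount_cmd "$1" "$2" "$3"
    if verify_image "$1" "$before"; then
        echo "image unchanged"
    else
        echo "IMAGE MODIFIED - stop and document"
    fi
fi
```

The digest check is the part that answers post #8's "how was that image acquired" worry at the analysis end: the hash taken at acquisition, the hash before each session and the hash after each session all have to agree, and the read-only loop mount is what makes that hold for the Linux partition the original poster wants to look at.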