
Thread: Here have a look at this hard drive

  1. #1
    Member
    Join Date
    Jan 2004
    Posts
    33

    Here have a look at this hard drive

    This was the statement made to me by my boss. What is interesting is that I am a newbie when it comes to forensics, so let's get to this. The chain of evidence has been preserved: I have an image of the hard drive, and the original is locked in a lawyer's safe. So that is not an issue. The system was not properly handled because it was a laptop and the user "turned it in" before he left, so it has been rebooted...... Nothing I can do there.
    The drive has 2 partitions on it, a Win2k and a Linux (Red Hat). Now I have gone through the tutorials and I plan on using the tools recommended (awesome info guys, thanks) to analyze the Win2k partition; however, I get a sneaking suspicion that if this character was doing anything, it was while in Linux. The first step is to get past the password. I am researching that today and hope to have it solved by the time you read this.
    My question is: are there freeware forensic tools that can give you the same type of information as those tools created for Windows?

  2. #2
    You can just boot with Knoppix or so and remove the password string in /etc/shadow of the root account; now you would have access to the system as root...

    This should work, unless there is some kind of security which prevents the root account from having an empty password...

  4. #4
    Senior Member
    Join Date
    Feb 2004
    Posts
    373
    Have a look at this live bootable cd
    http://www.knoppix-std.org/
    http://www.knoppix-std.org/tools.html

    forensics
    /usr/bin/forensics/

    * sleuthkit 1.66 : extensions to The Coroner's Toolkit forensic toolbox.
    * autopsy 1.75 : Web front-end to TASK. Evidence Locker defaults to /mnt/evidence
    * biew : binary viewer
    * bsed : binary stream editor
    * consh : logged shell (from F.I.R.E.)
    * coreography : analyze core files
    * dcfldd : US DoD Computer Forensics Lab version of dd
    * fenris : code debugging, tracing, decompiling, reverse engineering tool
    * fatback : Undelete FAT files
    * foremost : recover specific file types from disk images (like all JPG files)
    * ftimes : system baseline tool (be proactive)
    * galleta : recover Internet Explorer cookies
    * hashdig : dig through hash databases
    * hdb : java decompiler
    * mac-robber : TCT's graverobber written in C
    * md5deep : run md5 against multiple files/directories
    * memfetch : force a memory dump
    * pasco : browse IE index.dat
    * photorec : grab files from digital cameras
    * readdbx : convert Outlook Express .dbx files to mbox format
    * readoe : convert entire Outlook Express .directory to mbox format
    * rifiuti : browse Windows Recycle Bin INFO2 files
    * secure_delete : securely delete files, swap, memory....
    * testdisk : test and recover lost partitions
    * wipe : wipe a partition securely. good for prep'ing a partition for dd
    * and other typical system tools used for forensics (dd, lsof, strings, grep, etc.)

    http://www.google.com/linux?hl=en&lr...=Google+Search

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    There's a thing out on the BugTraq forensics list right now about Knoppix not being sound with regard to forensic investigation.... Unfortunately I can't seem to find it right now..... You might want to look into it......

    [Edit]

    Search Bugtraq for this thread:-

    Re: Re: Write protection devices was: Imaging speed - USB, IDE, laptop

    I'm pretty sure this is the one where a CD-run Knoppix isn't forensically "sound".

    [/Edit]
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    you can just boot with knoppix or so and remove the password string in /etc/shadow of the root account, now you would have access to the system as root...
    This would make any evidence you gleaned from the drive inadmissible in a court of law. You have just let the bad guy off, because you have changed the drive contents.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  7. #7
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,024
    Jinxy, notice he said he had an IMAGE of the drive, so he can mess with it all he wants and find information however he wants; then he will know the location of everything on the physical drive when it comes time for him to deal with it.

  8. #8
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    How was that image acquired? I'm not an expert on the subject, but I have read a little recently. It would seem that it is very difficult to get the courts to accept this type of evidence. That is why software like EnCase is so expensive.

    http://www.guidancesoftware.com/
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  9. #9
    Senior Member
    Join Date
    Feb 2004
    Posts
    373
    Thanks for the heads up, Tiger Shark. And here is the URL:
    http://www.securityfocus.com/archive...5/2004-06-11/0

    Check this out "KNOPPIX Validation Study"
    http://www.linux-forensics.com/publications.html

    As with any tool that you use, learn its strengths and weaknesses.

  10. #10
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Knoppix is definitely not forensically sound as it attempts to automount available partitions (and for a couple of other reasons too). A good forum for Linux-related forensics (tools and otherwise) is http://www.linux-forensics.com which, coupled with the forensics SecurityFocus mailing list, should get you started off on the right foot.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
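An added example, not posted by anyone in this thread, that shows the point the replies above circle around: hash the acquired image once, examine it read-only, and keep any password edits on a working copy so the evidence image still verifies. It uses md5sum (md5deep from the Knoppix-STD tool list does the same across whole directories) on a constructed file standing in for the dd image; the loop-mount step is only a comment because it needs root and a real filesystem image.

```shell
#!/bin/sh
# Added example: image integrity before and after examination.
# Every file here is constructed; nothing refers to a real case.
set -eu

WORK=$(mktemp -d)
IMG="$WORK/laptop.img"    # constructed stand-in for the acquired dd image

# Fake "partition" content: a shadow-style root line plus filler text.
printf 'root:$1$constructedsalt$constructedhashvalue:12345:0:99999:7:::\n' > "$IMG"
printf 'daemon:*:12345:0:99999:7:::\nfiller line %s\n' 1 2 3 4 5 >> "$IMG"

# Compute the MD5 of an image; the first call is the acquisition hash that
# goes into the case notes next to the date, time and examiner's name.
record_hash() {
    md5sum "$1" | awk '{print $1}'
}

# Exit 0 if the image still matches the recorded hash, 1 otherwise.
verify_hash() {
    [ "$(record_hash "$1")" = "$2" ]
}

BASELINE=$(record_hash "$IMG")

# Read-only review (strings/grep over the image) does not disturb the hash.
# A real filesystem image would be mounted the same way, as root:
#   mount -o ro,loop,noexec,noatime "$IMG" /mnt/evidence
grep -c '^root:' "$IMG" >/dev/null
verify_hash "$IMG" "$BASELINE" && echo "after read-only review: hash intact"

# Any change, such as blanking the root password field as suggested in
# this thread, happens on a working copy, never on the evidence image.
cp "$IMG" "$WORK/working.img"
sed -i 's/^root:[^:]*:/root::/' "$WORK/working.img"
verify_hash "$WORK/working.img" "$BASELINE" || echo "working copy: hash changed (expected)"
verify_hash "$IMG" "$BASELINE" && echo "evidence image: hash still intact"
```

The recorded baseline is what lets you show later that the examination left the original untouched; if the working copy is the only copy, that showing is no longer possible.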
