Forensics with the Helix Toolkit
FOR2 Forensics with the Helix Toolkit 2
What is Computer Forensics (CF)?
• A collection of specialized techniques, processes, & procedures used to preserve, extract, analyze, & present electronic evidence
• A methodology for computer investigation & analysis techniques in the interest of determining potential legal evidence
• Requires specialized expertise that goes beyond normal data collection & preservation techniques
CF used to investigate:
• Hacking
• Fraud & Perjury
• Sex predator rings
• Defamation
• Immigration fraud
• Narcotics trafficking
• Credit card cloning
• Obscene publications
• Forgery
• Murder
• Sexual harassment
• Data theft – industrial espionage
• Software piracy
CF Investigation Overview
• Notification, Interview, Obtain Authorization, Verify Scope
• Assemble Team, Document Work Area, Obtain Equipment, Chain of Custody
• Create 2 Images: preserve the 1st image, then use the 2nd image to Locate, Recover, & Examine
• Data extraction & Analysis
• Evidence Analysis
• Prepare Findings
Forensic Procedure
1. Preparation
2. Acquisition or Collection
3. Preservation
4. Analysis
5. Presentation
Analysis Process
• Access evidentiary images & backups
• File inventory with hash values, etc.
• Recover deleted data (files, folders, etc.)
• Recover slack and unallocated space
• Exclude known/unnecessary files
• Remove duplicates
• Process/decrypt/decompress files
– swap and hibernation files
• Index text data
Two Situations
• Dead System
– Power unplugged
– Computer off
– Hard Drive
– Floppy
– Tape
– CDROMs
• Live system
– Power on
– Processes running
– Disk being accessed
– Removable media changing…
To shutdown or not to shutdown
• Network state
• Processes in memory (MB/GB)
• Kernel memory
• Swap space
• Lose cached data not yet written to disk
• Lose data protected by EFS/PGP disk
• Corrupt existing data
Forensics Lab
• A computer that can READ ONLY multiple media: IDE, SATA, CDs, USB…
• Able to create duplicate drive images
– Local or across network
• Software to Read images & Analyze data
• http://www.forensiccomputers.com
Forensic Field Workstation
• Rugged, to be used in the field
• Hardened Kernel
• Encrypted File System
• Time Accurate
• Software Toolkit
• Use a Set of Trusted Tools
Helix Software Toolkit
• Helix is a customized distribution of the Knoppix Bootable Linux CD. [R/O]
• It includes many applications dedicated to Incident Response and Forensics
– Some run from Linux, some from Windows
• Includes many forms: Download our Chain of Custody form
• Low cost!
Helix Tool Categories
• Helix contains static binaries for Linux, Solaris, & Windows using GNU utilities & Cygwin tools http://www.cygwin.com/
• Sysinternals http://www.sysinternals.com/
• Windows Forensic Toolchest http://www.foolmoon.net/security/
• Tested & Integrated
What can Helix do?
• Image acquisition
– Sanitize media
– Bit-by-bit image acquisition & evidence preservation
– Imaging & analysis of RAID arrays
– Interpretation & analysis of dd, and other images
– Analyze and acquire encrypted volumes
Main Windows Menu
• Preview System Information
• Acquire Live Image + MD5 + Log
• Incident Response Tools
• Documents
• Browse CD contents
• Scan for Picture on live system
Windows Acquiring Image
Ctrl-D for Directory or Ctrl-F for filename completion
The Shell Path has been modified to find trusted cdrom binaries first
Do not navigate away from the CD drive letter.
=====================================================================
D:\IR> FAU\dd.exe if=\\.\PhysicalMemory of=c:\temp\image.dd bs=512 conv=noerror --md5sum --verifymd5 --md5out=c:\temp\image.dd.md5 --log=c:\temp\audit.log
FTK Imager
• Acquire physical device images and logically view data from FAT, NTFS, ext2 and ext3 as well as HFS and HFS+ file systems
• Create multiple images from a single source and/or multiple images simultaneously
• FTK Imager generates DD, SMART and EnCase® images & reads several other industry standard formats
– http://www.accessdata.com/ftkuser/imager.htm
Windows Incident Response Tools
• Windows Forensics Toolchest (WFT)
• Incident Response Collection Report (IRCR2)
• First Responder’s Evidence Disk (FRED)
• First Responder Utility (FRU)
• Security Reports (SecReport)
• Md5 Generator
• Command Shell
• File Recovery
Windows IR Tools, continued
• Rootkit Revealer
• VNC Server
• Putty SSH
• Screen Capture
• Messenger Password
• Mail Password Viewer
• Protected Storage Viewer
• Network Password Viewer
Windows Forensic Toolchest
• Automated incident response on a Windows system
• Collects security-relevant information from the system (audit, processes, …)
• Creates an “index.htm” file with links to result files, plus a txt directory with the same contents (raw text)
Linux Helix Tools
Helix Main Menu
Linux Forensic Tools
• Adepto – image acquisition
• Air – GUI front end for “dd”
• Linen – create images to process with EnCase Forensic toolkit
• Retriever – quick peek of images
• Autopsy – forensic browser for the Sleuth Kit, used to analyze Windows or Linux
Case Manager Screen
TASK Analysis Screen
Linux – Commands
# dd if=/dev/fd0 | md5sum
2880+0 records in
2880+0 records out
5f4ed28dce5232fb36c22435df5ac867 -
# dd if=/dev/fd0 of=floppy.image bs=512
# md5sum floppy.image
5f4ed28dce5232fb36c22435df5ac867 floppy.image
# mount -t vfat -o ro,noexec,loop floppy.image /mnt
# find /mnt -type f -exec sha1sum {} \;
86082e288fea4a0f5c5ed3c7c40b3e7947afec11 /mnt/Marks.xls
81e62f9f73633e85b91e7064655b0ed190228108 /mnt/Computer.xml
0950fb83dd03714d0c15622fa4c5efe719869e48 /mnt/Law.doc
# grep -aibf searchlist floppy.image
75441:you and your entire business ransom.
75500:I want you to deposit $50,000 in the account
75767:Don't try anything, and dont contact the cops.
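An added example that is not part of the slides: the dd, md5sum and grep steps of the session above as shell functions, run against a constructed zero-filled stand-in file (a hypothetical 1.44 MB "floppy" with two planted text lines) instead of /dev/fd0, so the hash verification and offset-based keyword search can be exercised without hardware. The mount step is left out because it needs root.

```shell
#!/bin/sh
# Added example, not from the Helix slides: the floppy-imaging sequence on the
# "Linux - Commands" slide as reusable functions, run against a constructed
# 1.44 MB stand-in file instead of /dev/fd0 (no device or root needed).
set -eu

# Hash the raw source exactly as dd reads it (bs=512, keep going on read errors).
hash_source() {
  dd if="$1" bs=512 conv=noerror 2>/dev/null | md5sum | cut -d' ' -f1
}

# Image the source, hash the image and record the hash beside it.
# Returns 0 only when the image hash equals the source hash taken beforehand.
acquire_image() {
  src=$1; img=$2
  before=$(hash_source "$src")
  dd if="$src" of="$img" bs=512 conv=noerror 2>/dev/null
  after=$(md5sum "$img" | cut -d' ' -f1)
  printf '%s  %s\n' "$after" "$img" > "$img.md5"
  [ "$before" = "$after" ]
}

# Keyword search on the raw image (grep -aibf as on the slide), printing only the
# byte offset of each matching line so a hit can be located in a hex viewer.
keyword_search() {
  LC_ALL=C grep -aibf "$2" "$1" | cut -d: -f1
}

# Constructed stand-in device: 2880 zeroed 512-byte sectors with two text lines
# planted at known offsets, each preceded by a newline so its own offset is reported.
make_fake_floppy() {
  dd if=/dev/zero of="$1" bs=512 count=2880 2>/dev/null
  printf '\nplease deposit the amount in the usual account\n' |
    dd of="$1" bs=1 seek=75499 conv=notrunc 2>/dev/null
  printf '\nRANSOM scenario notes for the tabletop exercise\n' |
    dd of="$1" bs=1 seek=120000 conv=notrunc 2>/dev/null
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_fake_floppy "$WORK/source.dev"
printf 'ransom\ndeposit\n' > "$WORK/searchlist"

acquire_image "$WORK/source.dev" "$WORK/floppy.image"
echo "verified: $(cat "$WORK/floppy.image.md5")"
keyword_search "$WORK/floppy.image" "$WORK/searchlist"
```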
Linux Supported File Systems
• General creation process
– Allocation table and folder entries created
– Time stamps set
– Track written
– Slack space
• Operating System Specific
– Windows: FAT12, FAT16, FAT32, NTFS
– Unix: UFS, ext2, ext3
– Macintosh: HFS Plus
Questions?
Email: Adrian@Mikeliunas.com
This is not the Beginning,
This is not the End,
But the End of the Beginning