Csi33rd For 2

Forensics with the Helix
Toolkit
Adrian Mikeliunas, CISSP, CISA

Forensics with the Helix Toolkit
FOR-2, November 6, 2006
Outline
• Forensics Lab
• Helix Forensics Toolkit
– Linux
– Windows
• Case 1: P2P Desktop
• Case 2: Suspicious Laptop
• Case 3: Compromised Server
• Features Summary
FOR2 Forensics with the Helix Toolkit 2
What is Computer Forensics (CF)?
• A collection of specialized techniques,
processes, & procedures used to preserve,
extract, analyze, & present electronic
evidence
• A methodology for computer investigation &
analysis techniques in the interest of
determining potential legal evidence
• Requires specialized expertise that goes
beyond normal data collection & preservation
techniques
CF used to investigate:
• Hacking • Obscene publications
• Fraud & Perjury • Forgery
• Sex predators rings • Murder
• Defamation • Sexual harassment
• Immigration fraud • Data theft – industrial
• Narcotics trafficking espionage
• Credit card cloning • Software piracy
CF Investigation Overview
• Notification, Interview, Obtain
Authorization, Verify Scope,
• Assemble Team, Document Work Area,
Obtain Equipment, Chain of Custody
 Create 2 Images
 Preserve 1st image, then use 2nd image
to Locate, Recover, & Examine
 Data extraction & Analysis
• Evidence Analysis
• Prepare Findings
Forensic Procedure
1. Preparation
2. Acquisition or Collection
3. Preservation
4. Analysis
5. Presentation
Analysis Process
• Access evidentiary images & backups
• File inventory with hash values, etc.
• Recover deleted data (files, folders, etc.)
• Recover slack and unallocated space
• Exclude known/unnecessary files
• Remove duplicates
• Process/decrypt/decompress files
– swap and hibernation files
• Index text data
Two Situations
• Dead System • Live system
– Power unplugged – Power on
– Computer off – Processes running
– Hard Drive
– Disk being accessed
– Floppy
– Removable media
– Tape changing…
– CDROMs
  
To shutdown or not to shutdown
• Network state
• Processes in memory (MB/GB)
• Kernel memory
• Swap space
• Lose cached data not yet written to disk
• Lose data protected by EFS/PGP disk
• Corrupt existing data
Forensics Lab
• A computer that can READ ONLY
multiple media: IDE, SATA, CDs, USB…
• Able to create duplicate drive images
– Local or across network
• Software to Read images
& Analyze data
• http://www.forensiccomputers.com
Forensic Field Workstation
• Rugged, to be used on the field
• Hardened Kernel
• Encrypted File System
• Time Accurate
• Software Toolkit
• Use a Set of Trusted Tools
Helix Software Toolkit
• Helix is a customized distribution of the
Knoppix Bootable Linux CD. [R/O]
• It includes many applications dedicated
to Incident Response and Forensics
– Some run from Linux, some from Windows
• Includes many forms: Download our
Chain of Custody form
• Low cost!
Helix Tool Categories
• Helix contains static binaries for Linux,
Solaris, & Windows using GNU utilities
& Cygwin tools http://www.cygwin.com/
• Sysinternals http://www.sysinternals.com/
• Windows Forensic Toolchest
http://www.foolmoon.net/security/
• Tested & Integrated
What can Helix do?
• Image acquisition
– Sanitize media
– Bitbybit image acquisition & evidence
preservation
– Imaging & analysis of RAID arrays
– Interpretation & analysis of dd, and other
images
– Analyze and acquire encrypted volumes
Main Windows Menu
• Preview System Information
• Acquire Live Image + MD5 + Log
• Incident Response Tools
• Documents
• Browse CD contents
• Scan for Picture on live system
Windows Acquiring Image
CtrlD for Directory or CtrlF for filename completion
The Shell Path has been modified to find trusted cdrom binaries first
Do not navigate away from the CD drive letter.
=====================================================================
D:\IR> FAU\dd.exe if=\\.\PhysicalMemory of=c:\temp\image.dd bs=512 conv=noerror
md5sum verifymd5 md5out=c:\temp\image.dd.md5 log=c:\temp\audit.log
FTK Imager
• acquire physical device images and logically
view data from FAT, NTFS, EXT 2 and 3 as
well as HFS and HFS+ file systems.
• Creating multiple images from a single source
and / or multiple images simultaneously.
• FTK Imager generates DD, SMART and
Encase® images & reads several other
industry standard formats
– http://www.accessdata.com/ftkuser/imager.htm
Windows Incident Response Tools
• Windows Forensics Toolchest (WFT)
• Incident Response Collection Report (IRCR2)
• First Responder’s Evidence Disk (FRED)
• First Responder Utility (FRU)
• Security Reports (SecReport)
• Md5 Generator
• Command Shell
• File Recovery
Windows IR Tools, continued
• Rootkit Revealer
• VNC Server
• Putty SSH
• Screen Capture
• Messenger Password
• Mail Password Viewer
• Protected Storage Viewer
• Network Password Viewer
Windows Forensic Toolchest
• Automated incident response on a
Windows system
• Collects securityrelevant information
from the system (audit, processes, …)
• Creates an “index.htm” file with links to
result files, plus a txt directory with
same contents (raw text)
Linux Helix Tools
Helix Main Menu
Linux Forensic Tools
• Adepto image acquisition
• Air – GUI front end for “dd”
• Linen – create images to process with
EnCase Forensic toolkit
• Retriever – quick peek of images
• Autopsy – forensic browser for the
Sleuth kit, used to analyze Windows or
Linux
Case Manager Screen
TASK Analysis Screen
Linux – Commands
# dd if=/dev/fd0 | md5sum
2880+0 records in
2880+0 records out
5f4ed28dce5232fb36c22435df5ac867 -
# dd if=/dev/fd0 of=floppy.image bs=512
# md5sum floppy.image
5f4ed28dce5232fb36c22435df5ac867 floppy.image
# mount -t vfat -o ro,noexec,loop floppy.image /mnt
# find /mnt -type f -exec sha1sum {} \;
86082e288fea4a0f5c5ed3c7c40b3e7947afec11 /mnt/Marks.xls
81e62f9f73633e85b91e7064655b0ed190228108 /mnt/Computer.xml
0950fb83dd03714d0c15622fa4c5efe719869e48 /mnt/Law.doc
# grep -aibf searchlist floppy.image
75441:you and your entire business ransom.
75500:I want you to deposit $50,000 in the account
75767:Don't try anything, and dont contact the cops.
Linux Supported File Systems
• General creation process
– Allocation table and folder entries created
– Time stamps set
– Track written
– Slack space
• Operating System Specific
– Windows: FAT12, FAT16, FAT32, NTFS
– Unix: UFS, ext2, ext3
– Macintosh: HFS Plus
Questions?
Email: Adrian@Mikeliunas.com
? ? ?
?
This is not the Beginning,
This is not the End,
But the End of the Beginning

Csi33rd For 2

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Csi33rd For 2

Enviado por

Direitos autorais:

Formatos disponíveis

Forensics with the Helix

Adrian Mikeliunas, CISSP, CISA

Você também pode gostar