1. Identification
2. Preservation: preserve the evidence, maintain the chain of custody, and physically label each exhibit
3. Examination / Collection
4. Analysis (chain of custody, analysis, collection, reconstruction)
5. Presentation: report and conclusion.
There are two types of data:
1. Volatile: data that is lost when the computer is powered off, e.g. data in RAM
2. Non-volatile: data that survives a power-off, e.g. data on an HDD, a floppy (FDD), etc.
Tools for Digital Forensics
on Linux:
- TSK (The Sleuth Kit),
- EwfLib (libewf), for EWF/E01 images,
- AFF (Advanced Forensic Format),
- dd, to clone a device,
- Volatility, to analyse RAM memory,
- Ptk (a web front end for TSK), cal,
- Xplico, for network forensics,
- etc.
Practice example
resource: The Law Enforcement and Forensic Examiner's Introduction to Linux (LinuxLEO)
1. Analysis organisation
Forensic analysis of practical.floppy.dd
The practice floppy (in raw image format from a simple dd) for the following exercise is available at:
http://www.LinuxLEO.com/Files/practical.floppy.dd
Once you have downloaded the floppy image, let's analyse it.
- Create /dev/fd0 with touch, because BackTrack does not have that device node yet. Note that a file made with touch is a plain file, not a real floppy device, so the image data has to be placed there; in practice you can simply point the commands below at the downloaded image file instead of /dev/fd0.
- create a directory in your home directory for evidence (mkdir ~/evid) and then a subdirectory for each case
The tilde (~) in front of a directory name is shorthand for "home directory". Note that if you are already in your home directory you don't need to type ~/; simply using mkdir evid will work just fine. So the output files we create and the images we make will be found under /root/evid/.
- create a special mount point for all subject file system analysis
root@bt:~# mkdir /mnt/analysis
Determining the structure of the disk
First, fdisk with the -l option. Replace the "x" with the letter of the drive that corresponds to the subject drive. For example, if the subject disk is attached on the secondary IDE channel as the master disk, it will be seen as /dev/hdc. A Serial ATA (SATA) disk will be /dev/sda (or sdb, etc.). We can get the partition information on that disk with:
root@bt:~# fdisk -l /dev/sdx
For a SATA disk, for example:
root@bt:~# fdisk -l /dev/sda
We can redirect the output of this command to a file for later use by issuing the command as:
root@bt:~# fdisk -l /dev/sda > ~/evid/fdisk.disk1
Creating a forensic image of the suspect disk
- Change directory to evid and make an image of the practice disk using basic dd:
root@bt:~/evid# dd if=/dev/fd0 of=image.disk1 bs=512
/dev/fd0 : the floppy device to read
if : input file
of=image.disk1 : output file called image.disk1 in the current directory (~/evid)
bs=512 : block size of 512 bytes (one floppy sector)
On real media that may have bad sectors, add conv=noerror,sync so that dd keeps going past read errors and pads the unreadable blocks with zeros, which keeps the offsets in the image aligned with the source.
- For the sake of safety and practice, change the permissions of your image to read-only (mode 444; use 400 if you want to be really strict, so that only the owner can read it)
Mounting a restored image
root@bt:~/evid# mount -t vfat -o ro,noexec,loop /dev/fd0 /mnt/analysis/
-o specifies the mount options:
ro : read-only
noexec : prevents execution of binaries from the mount point
loop : mount the file through a loop device
Be sure to unmount when you are finished:
root@bt:~/evid# umount /mnt/analysis/
File Hash
You can use an SHA or MD5 hash.
root@bt:~/evid# md5sum /dev/fd0
To hash /dev/fd0 and write the result to the file md5.disk1, type:
root@bt:~/evid# md5sum /dev/fd0 > md5.disk1
- We can get a hash of each file on the disk using the find command and an option that allows us to execute a command on each file found
- mount the image
root@bt:~/evid# mount -t vfat -o ro,noexec,noatime,loop image.disk1 /mnt/analysis
root@bt:~/evid# cd /mnt/analysis
-t vfat : file system type (the floppy is FAT formatted)
ro : read only
noexec : prevents execution of binaries from the mount point
noatime : do not update file access times when files are read (with ro they cannot be written anyway, but it makes the intent explicit)
loop : mount the image file through a loop device
- Once we are in /mnt/analysis we can run a command that finds all the regular files on the file system at that mount point and hashes each of them:
root@bt:/mnt/analysis# find . -type f -exec md5sum {} \; > ~/evid/md5.filelist
find : the command
"." : the current directory, i.e. the starting point of the search
-type f : regular files only
-exec : execute a command on each file found
md5sum {} : hash each found file with md5 ({} is replaced by the file name)
> : redirect the output to
md5.filelist : the name of the output file
~/evid/ : the directory where we store all our evidence files
- Have a look at the hashes by using cat to stream the file to standard output
root@bt:/mnt/analysis# cat /root/evid/md5.filelist
- To verify that nothing has changed on the original floppy or in the mounted files, use the -c option, which re-hashes each listed file and compares it with the stored value. md5.filelist contains paths relative to the mount point, so run the check from /mnt/analysis:
root@bt:/mnt/analysis# md5sum -c /root/evid/md5.disk1
root@bt:/mnt/analysis# md5sum -c /root/evid/md5.filelist
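The whole acquire, hash and verify procedure above, as an added example that is not from the LinuxLEO guide or this post. A constructed file stands in for /dev/fd0, a temporary directory stands in for ~/evid, and a small directory tree stands in for the mounted image (mounting needs root, so it is left out). All paths and the sample content are assumptions.

```bash
#!/bin/sh
# Added example, not from the LinuxLEO guide or the original post.
# Acquire a subject "floppy" with dd, hash source and image, lock the image
# read-only, then build and check a per-file hash list the way the text does
# with find -exec md5sum and md5sum -c.  All paths and content are constructed.
set -eu

WORK=$(mktemp -d)   # stands in for ~/evid

# Constructed 1.44 MB "floppy" at $1 (stands in for /dev/fd0, but it is a
# plain file): 2880 zero sectors with one string planted in sector 100.
make_subject() {
    dd if=/dev/zero of="$1" bs=512 count=2880 2>/dev/null
    printf 'loveletter.virus sample text\n' \
        | dd of="$1" bs=512 seek=100 conv=notrunc 2>/dev/null
}

# Acquire $1 into image $2.  conv=noerror keeps dd going past read errors and
# sync pads unreadable blocks with zeros, so offsets in the image still line
# up with the source.  The image is then made read-only, as the text advises.
acquire() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
    chmod 444 "$2"
}

# Hash subject $1 and image $2; succeed only when the digests match.
verify_image() {
    src=$(md5sum "$1" | cut -d' ' -f1)
    img=$(md5sum "$2" | cut -d' ' -f1)
    [ "$src" = "$img" ]
}

# True when file $1 has exactly mode 444 (read-only for everyone).
is_readonly() {
    [ -n "$(find "$1" -perm 444)" ]
}

# Per-file hash list of directory tree $1 (the mounted image in the text)
# written to $2 (give an absolute path).  Paths in the list are relative to
# the tree, like ./Docs/file, so the check below must run from that tree.
hash_tree() {
    (cd "$1" && find . -type f -exec md5sum {} \; | LC_ALL=C sort -k2 > "$2")
}

# Re-hash every file listed in $2 from inside tree $1; fails if any changed.
check_tree() {
    (cd "$1" && md5sum -c --quiet "$2")
}

# Number of entries in hash list $1.
list_count() { wc -l < "$1" | tr -d ' '; }

# Stand-alone run.
make_subject "$WORK/fd0.raw"
acquire "$WORK/fd0.raw" "$WORK/image.disk1"
verify_image "$WORK/fd0.raw" "$WORK/image.disk1" && echo "image matches source"
mkdir -p "$WORK/tree/Docs"
printf 'hello\n' > "$WORK/tree/Docs/note.txt"
hash_tree "$WORK/tree" "$WORK/md5.filelist"
check_tree "$WORK/tree" "$WORK/md5.filelist" && echo "file hashes verified"
```

With a real floppy you would substitute /dev/fd0 for the constructed file and the loop-mounted /mnt/analysis for the tree; the functions do not change. Keep the hash of the source from before imaging alongside the image hash, since a match between the two is what lets you show later that the image is a faithful copy.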
The Analysis
- mount the image on /mnt/analysis as above
- use ls -al
root@bt:/mnt/analysis# ls -al
This shows all the hidden files (-a) and gives the list in long format to show permissions, dates, etc. (-l). You can also use the -R option to list recursively through directories. You might want to pipe that through less.
root@bt:/mnt/analysis# ls -alR | less
Making a List of All Files
- For example, you could use the -i option to include the inode (file "serial number") in the list, and the -u option so that the output includes and sorts by access time (when used with the -t option).
root@bt:/mnt/analysis# ls -aliRtu > ~/evid/access_file.list
- using the find command and redirecting the output to another list file:
root@bt:/mnt/analysis# find . -type f > ~/evid/file.list.2
- There is also the tree command.
Now use the grep command on either of the lists created by the first two commands above for whatever strings or extensions you want to look for, e.g. grep -i jpg:
-i : case insensitive
jpg : the extension to search for (with -i it matches JPG as well)
Making a List of File Types
file filename (identifies the type from the file's contents, not from its extension)
root@bt:/mnt/analysis# find . -type f -exec file {} \; > ~/evid/filetype.list
root@bt:/mnt/analysis# cat ~/evid/filetype.list
root@bt:/mnt/analysis# grep image ~/evid/filetype.list
Viewing Files
For text files and data files, you might want to use cat, more or less to
view the contents.
cat filename
more filename
less filename
Perhaps a better alternative for viewing unknown files would be to use
the strings command.
strings filename | less
root@bt:/mnt/analysis# ls
ARP.EXE Docs FTP.EXE loveletter.virus ouchy.dat Pics snoof.gz
root@bt:/mnt/analysis# strings arp.exe | less
(output truncated)
Once you are finished exploring, be sure to unmount the floppy
Searching Unallocated and Slack Space for Text
Now let’s go back to the original image.
First, change back to the directory in which you created the image, whether it was the root’s home directory, or a special one you created.
root@bt:~# cd evid/
root@bt:~/evid#
Use the grep command to search the image for any instance of an expression or pattern:
grep -options <pattern> <file-to-search>
Put the keywords you want to search for in a file, one per line:
root@bt:~/evid# nano searchlist.txt
root@bt:~/evid# grep -abif searchlist.txt image.disk1 > hits.txt
-a : treat the binary image as text
-b : print the byte offset of each hit
-i : case insensitive
-f searchlist.txt : take the patterns from the file
Note that without -o the offset reported by -b is the start of the "line" containing the hit (everything since the previous newline byte), not the position of the keyword itself; add -o to get the offset of each match.
root@bt:~/evid# cat hits.txt
Then look at the raw bytes at an offset from hits.txt with xxd, seeking (-s) to that offset:
root@bt:~/evid# xxd -s 75441 image.disk1 | less