Example dc3dd


  • Ubuntu – Partitions disappeared after power loss while installing
  • Image Acquisition using dc3dd
  • Top 20 Free Digital Forensic Investigation Tools for SysAdmins – 2019 update
  • Windows Drive Acquisition
  • [Note] Drive acquisition using dc3dd

    Post category: Security

    Linux incident response is a topic which is often overlooked. As a result, it is inevitable that sooner or later you will need to respond to an incident where your open-source OS skills are put to the test.

    The good news is that the basics are the same. Preparation really, really matters. You need to build good processes. You also need to practice them regularly. Once you are into the incident, the normal workflow should still be followed.

    The big difference, however, is in how you do things, and the data you find may be different.

    Linux Response — Preparation

    As always in IR, if you get the preparation right, the response will work better. There are some key points you need to decide in advance, because your decision will dictate how you respond. The priority has to be your incident response plan. This needs to include who is responsible for the platform and who needs to be involved in the incident response team.

    If you have Linux admins, you probably need to include them, as their knowledge will be invaluable. You also need to make sure your infrastructure is ready to help you respond. There are entire books on forensic readiness, but the key points to consider are:

  • Sync time across the network. This is crucial if you want to be able to make sense of events. Normalise everything to UTC; this is vital if you are a global org or have endpoints in different timezones.
  • Make sure logs are generated and sent to a SIEM or equivalent for review. Check that system logs, firewall logs, IDS logs, email logs and application logs are all being collected.
  • Ensure backups are being created on a regular basis, ensure they are being tested for usability, and ensure that some are kept offline.
  • Baseline everything you can: gold images, reference hashes of installed applications, etc.
  • Hash as much as possible; your future self will thank you. Of course, you need to regenerate the hashes after patches, or the baseline stops being useful.

    Just to reiterate, the high-level steps are basically the same on any platform and the workflow is reasonably straightforward. Confirm thoroughly before you trigger a full DFIR response, so that you are not escalating every alert.
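    As an added example (not code from the original article), here is the "hash as much as possible" advice turned into something you can run: build a SHA-256 manifest of a known-good tree, keep it off the host, and later compare the live system against it. It assumes GNU coreutils (sha256sum) and a find that supports -print0; the directory and manifest paths are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article. Builds a reference hash
# manifest for a directory tree on a known-good system and checks a live
# system against it later. Assumes GNU coreutils (sha256sum) and a find
# that supports -print0; all paths below are illustrative.

# baseline_hashes DIR MANIFEST
# Records the SHA-256 of every regular file under DIR (not crossing mount
# points) in MANIFEST. Run this on the gold image or straight after a
# patch cycle, and keep MANIFEST off the host: it is only useful if the
# attacker cannot edit it.
baseline_hashes() {
    dir=$1
    manifest=$2
    find "$dir" -xdev -type f -print0 | sort -z | xargs -0 sha256sum > "$manifest"
}

# verify_baseline MANIFEST
# Prints the path of every file whose hash differs from MANIFEST or that
# has gone missing. Returns 0 if nothing drifted, 1 otherwise. Files added
# since the baseline are not listed; pair this with a timeline of recently
# created files to catch those.
verify_baseline() {
    manifest=$1
    # --quiet suppresses the OK lines, leaving "<path>: FAILED" for a hash
    # mismatch or "<path>: FAILED open or read" for a missing file.
    drift=$(sha256sum --check --quiet "$manifest" 2>/dev/null \
            | sed -n 's/: FAILED.*$//p')
    if [ -z "$drift" ]; then
        return 0
    fi
    printf '%s\n' "$drift"
    return 1
}

# Typical use (paths are placeholders):
#   baseline_hashes /usr/bin /mnt/evidence/usr-bin.sha256   # on the gold image
#   verify_baseline /mnt/evidence/usr-bin.sha256             # on the suspect host
```

    Run the verification from read-only media or a trusted copy of sha256sum where you can: a compromised host can lie about its own binaries, which is exactly why the manifest has to live elsewhere.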

    When you respond, the first thing you want to do is find out what the attackers might have changed. Lots of this is easiest to find on the live file system. If you have an EDR tool which can give you access, this will help, but you may need to plan for SSHing in and running commands directly as part of your preparation phase. Bear in mind that anything you run on the live host changes it (access times, shell history, new processes), so record what you ran and when. Where possible, taking a snapshot and mounting it read-only is a better option.

    Assuming you have access to the running system, start by looking at the running processes with ps, then at what those processes have open with lsof. Remember, both commands are noisy, so consider piping to less or using grep to find specifics. This can be very effective at finding subverted code, such as forked processes which have been renamed to look like system daemons. An example of what this turns up: a process called initd with active TCP connections to two external IP addresses, again on suspicious ports; lsof shows exactly that kind of link between a process and its sockets. Combining ps and lsof gives an incident responder the ability to drill deeply into what is running on the suspect system.
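    As an added example (not part of the original post), the check below reads the kernel's own view of each process from /proc and flags the masquerading described above: a process whose argv[0] does not match the name the kernel recorded at execve, a binary that was deleted after it started, or an executable living in a scratch directory. It assumes Linux with /proc mounted and is meant to run beside the ps and lsof review, not instead of it; the initd process in the text is the kind of thing it is looking for. Interpreted scripts and daemons that rewrite their own argv are handled, but treat every line it prints as a lead to check, not a verdict.

```shell
#!/bin/sh
# Added example, not from the original post. Live triage of one or all
# processes via /proc. Assumes Linux; run as root to see every process.
# Output lines are "PID REASON DETAIL" and are leads, not verdicts.

# name_matches NAME COMM: true if NAME starts with COMM. The kernel stores
# comm truncated to 15 characters, so "sshd: user@pts/0" matches "sshd".
name_matches() {
    case "$1" in "$2"*) return 0 ;; esac
    return 1
}

# proc_findings PID
proc_findings() {
    pid=$1
    [ -r "/proc/$pid/comm" ] || return 0
    comm=$(cat "/proc/$pid/comm" 2>/dev/null)
    # cmdline is NUL separated; take argv[0] and argv[1]
    argv0=$(tr '\000' '\n' < "/proc/$pid/cmdline" 2>/dev/null | sed -n 1p)
    argv1=$(tr '\000' '\n' < "/proc/$pid/cmdline" 2>/dev/null | sed -n 2p)
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null)

    # Kernel threads have an empty cmdline; nothing to compare.
    [ -z "$argv0" ] && return 0

    # comm is set by the kernel from the file actually executed; argv[0] is
    # whatever the process (or its parent) chose. Strip directories from
    # argv entries that look like paths, but leave names such as
    # "kworker/0:1" intact so a fake kernel-thread name is not mangled.
    case "$argv0" in /*|./*|../*) base0=${argv0##*/} ;; *) base0=$argv0 ;; esac
    case "$argv1" in /*|./*|../*) base1=${argv1##*/} ;; *) base1=$argv1 ;; esac
    # Interpreted scripts legitimately have comm = script name = argv[1]
    # (argv[0] is the interpreter), so accept a match in either position.
    if ! name_matches "$base0" "$comm" && ! name_matches "$base1" "$comm"; then
        printf '%s argv0_mismatch argv0=%s comm=%s exe=%s\n' "$pid" "$argv0" "$comm" "$exe"
    fi

    # Binary unlinked after launch: the code runs but the file is gone,
    # typical of droppers that clean up after themselves.
    case "$exe" in
        *" (deleted)") printf '%s deleted_exe %s\n' "$pid" "$exe" ;;
    esac

    # Executable living in scratch or world-writable space.
    case "$exe" in
        /tmp/*|/var/tmp/*|/dev/shm/*|/run/user/*)
            printf '%s exe_in_scratch %s\n' "$pid" "$exe" ;;
    esac
    return 0
}

# triage_all: run proc_findings over every PID on the host.
triage_all() {
    for d in /proc/[0-9]*; do
        proc_findings "${d#/proc/}"
    done
}
```

    The comm versus argv[0] comparison is the part that catches renamed processes: an attacker controls argv[0] freely, but comm comes from the file the kernel executed. Capture the output to your evidence location together with the ps and lsof listings, since the process may not be there by the time you come back to it.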

    Cross-checking the two views in this way helps confirm that something is amiss.

    Volatile data is crucial for incident responders. This post is about Linux and, unfortunately, it can be difficult to capture a usable memory sample and even harder to analyse it.

    On Windows, tools like Volatility handle memory images well. With a Linux image this becomes complex at best.

    Capturing the image

    The most important bit is how you capture the image. If you are running a virtual machine, then it might be as simple as taking a snapshot and using the memory file. However, you still need to get the right profile information: Volatility 2 needs a profile built for the exact kernel build of the suspect machine, and Volatility 3 needs the matching symbol table, so build those in advance for your standard kernels. An example of this is on the Volatility GitHub pages.

    Capturing Disk Images

    If you have an EDR platform or Linux-friendly forensics tool, then capturing a disk image should be reasonably simple.

    If your suspect device is a virtual machine, then you can use the VMDK files or equivalent. However, if you find yourself needing to respond manually, there are some useful tools you can use.

    Disk copying

    You can create a bit-for-bit copy of the disk for analysis in pretty much any tool. This retains deleted data, so you can recover lost files. You can use dd for this, but a better tool is dc3dd, which allows you to create a checksum at the same time, and so verify that the image you analyse is what you copied. dc3dd has other useful tricks too. For example, you may want to take a disk image and send it over the network to your evidence machine.
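    The copy-plus-checksum step dc3dd performs, as an added example that is not code from the article or from the dc3dd project: the function images a device with dd while hashing the stream it read, then hashes the finished image, so the two values can be compared before the evidence is trusted. The equivalent dc3dd and netcat command lines are in the comments. It assumes GNU coreutils (dd with status=none, sha256sum, tee); device and output paths are placeholders, and the source must never be mounted while it is being imaged.

```shell
#!/bin/sh
# Added example, not from the original article or the dc3dd project.
# Bit-for-bit image of SRC into DST with a hash of the data read and a hash
# of the data written, verified against each other. Assumes GNU coreutils.
# Paths are placeholders; on a real case SRC is /dev/sdX (unmounted) and
# DST lives on an evidence volume with enough space for the whole device.
#
# The same thing with dc3dd in one command:
#   dc3dd if=/dev/sdb of=/mnt/evidence/sdb.dd hash=sha256 log=/mnt/evidence/sdb.log
# Over the network (start the receiver first):
#   nc -l 9999 | tee /mnt/evidence/sdb.dd | sha256sum > /mnt/evidence/sdb.sha256
#   dc3dd if=/dev/sdb hash=sha256 log=sdb.log | nc EVIDENCE_HOST 9999
# (use "nc -l -p 9999" with netcat-traditional, or cryptcat on both ends for
# an encrypted tunnel) and compare the hash in sdb.log with sdb.sha256.

# image_device SRC DST
# Writes DST, DST.src.sha256 (hash of the bytes read from SRC) and
# DST.sha256 (hash of the finished image). Prints "VERIFIED <hash>" and
# returns 0 when they match; "MISMATCH ..." and 1 otherwise.
image_device() {
    src=$1
    dst=$2
    # conv=noerror,sync carries on past unreadable sectors and replaces them
    # with zeros so every later offset in the image still lines up with the
    # source; bs=512 keeps that padding sector-sized (a larger bs is faster
    # but pads the final short block). dc3dd does the same and also logs
    # which sectors failed.
    dd if="$src" bs=512 conv=noerror,sync status=none \
        | tee "$dst" \
        | sha256sum | awk '{print $1}' > "$dst.src.sha256"
    sha256sum "$dst" | awk '{print $1}' > "$dst.sha256"
    src_hash=$(cat "$dst.src.sha256")
    img_hash=$(cat "$dst.sha256")
    if [ "$src_hash" = "$img_hash" ]; then
        printf 'VERIFIED %s\n' "$img_hash"
        return 0
    fi
    printf 'MISMATCH read=%s image=%s\n' "$src_hash" "$img_hash"
    return 1
}

# verify_image DST
# Re-hashes an image later (after transfer or storage) against DST.sha256.
verify_image() {
    dst=$1
    [ "$(sha256sum "$dst" | awk '{print $1}')" = "$(cat "$dst.sha256")" ]
}
```

    The two hashes answer different questions: the stream hash is what was read from the device, the image hash is what actually landed on the evidence volume, so a full disk or a failing write shows up as MISMATCH rather than as a silently truncated image. Record both in your notes, and re-run verify_image whenever the image changes hands.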

    For the network transfer you can use netcat on both ends, or cryptcat if you want an encrypted tunnel; either way, hash the image on the receiving side as well and compare it with the hash taken at the source.

    Timelines — Linux Variations

    The general process is the same as on Windows, and the analysis of inode data is very valuable. The main point here is that there is a difference in how timestamps work:

  • Modification time (mtime): the last time data was written to the file.
  • Access time (atime): the last time the file was read. Most modern systems mount with relatime or noatime, so do not expect atime to be reliable.
  • Change time (ctime): the last time the inode itself was written, which covers permission, ownership and link changes as well as content writes. Unlike mtime and atime, ctime cannot be set with touch, which makes it the most trustworthy of the three.
  • Born-on time (btime): ext4 also records the time the file was created. Older stat builds do not show it; newer coreutils (stat %w and %W) and statx do.

    Incident responders can use these to hunt across a file system to find things the attacker may have changed.

    Attackers add SSH keys to maintain access, so review every authorized_keys file on the host. Directory names starting with a dot are hidden from a plain ls; if you find any regular files in hidden directories in unusual locations such as /tmp or /dev, they are worth a closer look. It is also worth looking at the modification times of binaries. Anything changed recently is interesting, largely because Linux patching tends to be a lot less frequent than on Windows.

    When you build your timeline you should also check whether a file has timestamps that are out of place for its inode number: inode numbers are handed out roughly in sequence, so a file with a much higher inode number than its neighbours but an older mtime was probably backdated, and a ctime much later than the mtime on a file the package manager did not touch points the same way. Any such anomaly should be considered for investigation.

    You still need to have a plan, and when you respond you still need to follow a suitable methodology.
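    An added example (not from the original article) of the timestamp hunting described above: collect inode number, mtime, ctime and btime for every file under a directory with GNU stat, then flag recently modified files, files whose ctime is recent while their mtime claims to be old (what touch -d leaves behind), and the impossible case of mtime later than ctime, which only direct inode editing or a clock change produces. It also lists hidden directories. It assumes GNU findutils and coreutils; the paths in the comments are placeholders. The ctime-recent check also fires on files a package manager has just installed, because dpkg and rpm preserve the packaged mtime, so diff its output against your baseline hashes or dpkg -V / rpm -Va before spending time on it.

```shell
#!/bin/sh
# Added example, not from the original article. Timestamp and inode hunting
# over a directory tree. Assumes GNU findutils and coreutils (stat -c).
# Lines printed by flag_times are leads, not proof: package upgrades also
# leave a recent ctime on files with an old mtime.

# collect_times DIR
# One line per regular file: "inode mtime ctime btime path" (epoch seconds;
# btime is 0 when the filesystem or kernel does not report it).
collect_times() {
    find "$1" -xdev -type f -exec stat -c '%i %Y %Z %W %n' {} +
}

# flag_times [DAYS]   (reads collect_times output on stdin; default 7 days)
# Prints "REASON inode mtime ctime path", sorted by inode number so a high
# (recently allocated) inode carrying an old mtime stands out.
flag_times() {
    win=$(( ${1:-7} * 86400 ))
    now=$(date +%s)
    awk -v now="$now" -v win="$win" '
    {
        ino = $1; mtime = $2; ctime = $3
        path = $5; for (i = 6; i <= NF; i++) path = path " " $i   # names with spaces
        # Every mtime change bumps ctime, so mtime > ctime cannot happen
        # through the normal file API: raw inode edit or clock rollback.
        # RECENT_MTIME: content changed recently (patch, config edit, implant).
        # CTIME_RECENT_MTIME_OLD: inode touched recently while mtime claims
        # to be old: touch -d style timestomping, or an extraction that kept
        # the packaged mtime.
        if (mtime > ctime + 1) {
            print "IMPOSSIBLE_MTIME_AFTER_CTIME", ino, mtime, ctime, path
        } else if (now - mtime <= win) {
            print "RECENT_MTIME", ino, mtime, ctime, path
        } else if (now - ctime <= win) {
            print "CTIME_RECENT_MTIME_OLD", ino, mtime, ctime, path
        }
    }' | sort -k2,2n
}

# hidden_dirs DIR
# Dot-directories under DIR; in /tmp, /dev or /var/tmp these deserve a look.
hidden_dirs() {
    find "$1" -xdev -type d -name '.*' ! -path "$1"
}

# Typical use on a suspect host (paths are placeholders):
#   collect_times /usr/bin | flag_times 14
#   hidden_dirs /tmp; hidden_dirs /dev
```

    Run collect_times against a mounted image of the disk rather than the live root where you can: reading the live tree bumps atimes, and on a snapshot the output is reproducible for the report.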

    The biggest difference is that responders tend to have less direct exposure to Linux and, as a result, are less comfortable with the files and folders you need to analyse. You should address this during the preparation phase of your IR cycle. Build response plans, checklists, train your team etc. It will all be useful at some point.

    Image Acquisition using dc3dd

    Digital forensics is usually broken down by category, such as computer forensics and digital image forensics. While this is not an exhaustive list, it gives you a picture of what constitutes digital forensics tools and what you can do with them.

    Sometimes multiple tools are packaged together into a single toolkit to help you tap into the potential of related tools. Also, it is important to note that these categories can get blurred at times depending on the skill set of the staff, the lab conditions, availability of equipment, existing laws, and contractual obligations.

    For example, tablets without SIM cards are considered to be computers, so they would need computer forensics tools and not mobile forensics tools.

    But regardless of these variations, what is important is that digital forensics tools offer a vast amount of possibilities to gain information during an investigation. It is also important to note that the landscape of digital forensics is highly dynamic with new tools and features being released regularly to keep up with the constant updates of devices.

    Choosing the right tool

    Given the many options, it is not easy to select the right tool that will fit your needs. Here are some aspects to consider while making the decision.

    Skill level

    Skill level is an important factor when selecting a digital forensics tool. Some tools only need a basic skill set while others may require advanced knowledge. A good rule of thumb is to assess the skills you have versus what the tool requires, so you can choose the most powerful tool that you have the competence to operate.

    Output

    Tools are not built the same, so even within the same category, outputs will vary. Some tools will return just raw data while others will output a complete report that can be instantly shared with non-technical staff. In some cases, raw data alone is enough as your information may anyway have to go through more processing, while in others, having a formatted report can make your job easier.

    Cost

    Needless to say, the cost is an important factor as most departments have budgetary constraints. Instead of choosing a tool based on cost alone, consider striking a balance between cost and features while making your choice.

    Focus

    Another key aspect is the focus area of the tool, since different tasks usually require different tools. For example, tools for examining a database are very different from those needed to examine a network. The best practice is to create a complete list of feature requirements before buying. As mentioned before, some tools can cover multiple functionality in a single kit which could be a better deal than finding separate tools for every task.

    Additional accessories

    Some tools may need additional accessories to operate and this is something that has to be taken into account as well. For example, some network forensics tools may require specific hardware or software-bootable media. So make sure to check the hardware and software requirements before buying.

    Here are 20 of the best free tools that will help you conduct a digital forensic investigation. This is by no means an extensive list and may not cover everything you need for your investigation.

    You might also need additional utilities such as file viewers, hash generators, and text editors; check out Free Admin Tools for some of these.

    01 SIFT

    SIFT includes tools such as log2timeline for generating a timeline from system logs, Scalpel for data file carving, Rifiuti for examining the recycle bin, and lots more. When you first boot into the SIFT environment, I suggest you explore the documentation on the desktop to help you become accustomed to what tools are available and how to use them. There is also a good explanation of where to find evidence on a system. Use the top menu bar to open a tool, or launch it manually from a terminal window.

    Key features
  • Expanded filesystem support.

    02 CrowdStrike CrowdResponse

    CrowdResponse is a lightweight console application that can be used as part of an incident response scenario to gather contextual information such as a process list, scheduled tasks, or Shim Cache. Using embedded YARA signatures you can also scan your host for malware and report if there are any indicators of compromise.

    Key features
  • Comes with three modules: directory listing, active running module, and YARA processing module.
  • Displays application resource information.
  • Verifies the digital signature of the process executable.
  • Scans memory, loaded module files, and on-disk files of all currently running processes.

    03 Volatility

    Volatility is a memory forensics framework for incident response and malware analysis that allows you to extract digital artefacts from volatile memory (RAM) dumps.

    Using Volatility you can extract information about running processes, open network sockets and network connections, DLLs loaded for each process, cached registry hives, process IDs, and more. If you are using the standalone Windows executable version of Volatility, it runs from a command prompt with no installation.

    Key features
  • Supports a wide variety of sample file formats.
  • Its extensible and scriptable API opens new possibilities for extension and innovation.

    Autopsy

    It comes with features like Timeline Analysis, Hash Filtering, File System Analysis and Keyword Searching out of the box, with the ability to add other modules for extended functionality. When you launch Autopsy, you can choose to create a new case or load an existing one. If you choose to create a new case you will need to load a forensic image or a local disk to start your analysis. Once the analysis process is complete, use the nodes on the left hand pane to choose which results to view.

    Key features
  • Displays system events through a graphical interface.
  • Offers registry, LNK file, and email analysis.
  • Supports image mounting.
  • Uses multi-core CPUs to parallelize actions.
  • Accesses a shared case database, so a single central database is enough for a single case.

    dd

    dd ships by default with most Linux distributions (e.g. Ubuntu, Fedora). This tool can be used for various digital forensic tasks such as forensically wiping a drive (zeroing it out) and creating a raw image of a drive. Note: dd is a very powerful tool that can have devastating effects if not used with care; swapping if= and of= overwrites the evidence drive. It is recommended that you experiment in a safe environment before using this tool in the real world. To use dd, simply open a terminal window and type dd followed by a set of command parameters, which will obviously depend on what you want to do.

    Key features
  • Duplicates data across files, devices, partitions, and volumes.
  • Supports master boot record backup and restore.
  • It can modify data easily.
  • Needs to be used with caution as it can wipe a disk completely.

    CAINE

    Key features
  • Comes with a user-friendly interface that brings together many open-source forensics tools.
  • Adheres to the investigation procedure laid down by Italian laws.
  • Its environment is optimized for in-depth forensic analysis.
  • Generates reports that are easily editable and exportable.

    ExifTool

    It is fast, powerful and supports a large range of file formats, although image file types are its speciality. ExifTool can be used for analysing the static properties of suspicious files in a host-based forensic investigation, for example. To use ExifTool on Windows, simply drag and drop the file you want to extract metadata from onto exiftool(-k).exe. Alternatively, rename exiftool(-k).exe to exiftool.exe and run it from the command line.

    Key features
  • Copies metadata information between files.
  • Automatically backs up the original image.
  • Converts output into many languages.

    Hex Editor Neo

    While a lot of the additional features are found in the commercial versions of Hex Editor Neo, I find this tool useful for loading large files.

    Key features
  • Makes it easy to find data patterns across large files.
  • Supports multiple core processing.
  • Handles regular expression searches across files.
  • Allows you to quickly make file patches or tune any aspect of the user interface.

    Bulk Extractor

    The extracted information is output to a series of text files which can be reviewed manually or analysed using other forensics tools or scripts. Tip: within the output text files you will find entries for data that resemble a credit card number, e-mail address, domain name, etc. You will also see a decimal value in the first column of the text file that, when converted to hex, can be used as the pointer on disk (the byte offset) where the entry was found. The results can then be viewed in the Bulk Extractor Viewer and the output text files mentioned above.

    Key features
  • Processes different parts of the disk in parallel.
  • Automatically detects, decompresses, and reprocesses compressed data.
  • Extracts critical information such as credit card details and email addresses from digital data.
  • Can be used to process information across most digital media.

    If you load the live environment you can use the shortcuts on the application menu bar to launch the required tools.

    Key features
  • Offers full support for Android and iOS.
  • Comes with a few open-source and closed-source Windows applications that currently have no alternative in the Unix world.
  • An integrity check runs before any program is started in safe mode.

    Xplico

    Features include support for a multitude of protocols. The first thing you need to do is create a case and add a new session. When you create a new session you can either load a PCAP file (acquired from Wireshark, for example) or start a live capture.

    Once the session has finished decoding, use the navigation menu on the left hand side to view the results.

    Key features
  • Comes with three modules: an input module for data input, an output module for decoding data and presenting it to the end user, and decoding modules for decoding the individual network protocols.
  • Supports different user interfaces.
  • All modules can be loaded or unloaded through the configuration file.
  • It can decode VoIP calls.

    LastActivityView

    LastActivityView allows you to view what actions were taken by a user and what events occurred on the machine. When you launch LastActivityView, it will immediately start displaying a list of actions taken on the machine it is being run on. Sort by action time or use the search button to start investigating what actions were taken on the machine.

    Key features
  • Records many user actions such as opening and closing of files, software installation, and more.
  • Gathers information from the event log and other sources.
  • When you launch it, it will create a timeline of events for you.
  • Runs only on Windows.

    USB write blocker

    Write-blocking removable media is important in an investigation to prevent modifying the metadata or timestamps and invalidating the evidence. Once you make changes and exit the application, you can keep an eye on the status from the padlock icon in the taskbar. This tool works by updating a registry entry to prevent USB drives from being written to. To run the tool, you simply execute the batch file and select Option 1 to put the USB ports into read-only mode. Note that a software write blocker of this kind only stops writes from this Windows host; for original evidence a hardware write blocker is the safer option. Runs mostly on Windows.

    Redline

    It collects information about running processes and drivers from memory, and gathers file system metadata, registry data, event logs, network information, services, tasks, and Internet history to help build an overall threat assessment profile. Once you have a memory dump file to hand you can begin your analysis.

    Key features
  • Use whitelist indicators to filter out known data.
  • Collects information from running processes, files, images, and registry data.

    Top 20 Free Digital Forensic Investigation Tools for SysAdmins – 2019 update


    Windows Drive Acquisition


    One logical partition is missing. Confirm at Quick Search to proceed.

    Quick Search for partitions

    TestDisk displays the first results in real time.

    During the Quick Search, TestDisk has found two partitions, including the missing logical partition labelled Partition 3. Highlight this partition and press p to list your files. To go back to the previous display, press q to Quit. Files listed in red are deleted entries.

    All directories and data are correctly listed.

    Save the partition table or search for more partitions?

    When all partitions are available and data correctly listed, you should go to the menu Write to save the partition structure. On a drive that is evidence rather than your own, do this against a working copy of the image, never the original.

    The menu Extd Part gives you the opportunity to decide if the extended partition will use all available disk space or only the required minimal space.

    [Note] Drive acquisition using dc3dd

    Since a partition, the first one, is still missing, highlight the menu Deeper Search (if not done automatically already) and press Enter to proceed. In the last line of your display, you can read the message "NTFS found using backup sector!". The partition labelled Partition 2 is displayed twice with different sizes.

    Partitions listed as D(eleted) will not be recovered if you leave them listed as deleted. Both partitions are listed with status D for deleted, because they overlap each other. You need to identify which partition to recover. Highlight the first Partition 2 and press p to list its data. The file system of the upper logical partition (labelled Partition 2) is damaged. Press q (Quit) to go back to the previous display. Leave this Partition 2, the one with the damaged file system, marked as D (deleted).

    Highlight the second Partition 2 below it and press p to list its files. It works: your files are listed, you have found the correct partition. This way you will be able to recover this partition. It's now possible to write the new partition structure. Note: the extended partition is set automatically; TestDisk recognizes this from the partition structure. If all partitions are listed, and only in this case, confirm at Write with Enter, y and OK.

    Now the partitions are registered in the partition table. It's time to fix the NTFS boot sector: its status is bad while the backup boot sector is valid, so the two boot sectors are not identical.

