
HOWTO – iPhone Forensics with free and-or open source tools – 9-14-11 – viaForensics « viaForensics


https://www.nowsecure.com/blog/2011/10/20/howto-iphone-forensics-free-andor-open-source-tools-91411/#viaforensics


iPhone Forensics with F/OSS

A HOWTO for iPhone Forensics with free and/or open source tools

Qualifications

Presentation Goals

iPhone Forensics with F/OSS tools

• Commercial tools exist, but there is a growing number of F/OSS tools

• A Mac (OS X) or Linux workstation is used for many of these programs

• Focus on step-by-step examples

iPhone Backup Analyzer

Open source (MIT) iPhone backup analyzer by Mario Picci (http://ipbackupanalyzer.com/)

• Decodes files, presents them in a hierarchical view, has some search and conversion functions

• Plist files are shown (binary plist files are automatically converted to ASCII format)

• Image files are shown

• SQLite files are shown with the list of tables they contain. Clicking an entry in the table list dumps the selected table's content in the main UI

• Unknown data files are shown as hex/ASCII data

iTunes Backup Directories

Mac OS X: /Library/Application Support/MobileSync/Backup/

Windows XP: \Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\

Windows Vista, Windows 7: \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\

Linux Install

On Ubuntu Workstation

------------------------------

sudo apt-get update

sudo apt-get install python-tk python-imaging python-imaging-tk git

Install pyttk

- Download: http://pypi.python.org/pypi/pyttk/

- Extract: tar xzvf pyttk-0.3.2.tar.gz

- cd pyttk-0.3.2/

- Install: sudo python setup.py install

git clone git://github.com/PicciMario/iPhone-Backup-Analyzer

cd iPhone-Backup-Analyzer/

./main.py -d ~/Desktop/8737684969e72eccf5ff0cafed21b15ec1cb6d4d/

Zdziarski's iOS forensic tools

Free for qualified law enforcement and government agencies

• Based on F/OSS software and research (Cyanide, etc.)

• Physical acquisition

• Logical acquisition

• PIN bypass

• Decrypts the encrypted files / slice

– iOS 3.x: fully decrypt slice, gets unallocated

– iOS 4.x: decrypts files, not unallocated (mostly)

• Decrypt Keychain

• Working on recovering deleted keys

with F/OSS

• @0naj iphone-dataprotection tools (Python and C)

– Brute force PIN code on device

– Recover device encryption keys

– Decrypt the keychain, all dataprotection encrypted files

– Scrape the HFS journal for deleted content

– Decrypt the entire raw disk

– Included with Jonathan Zdziarski's toolset, or available separately to developers:

http://code.google.com/p/iphone-dataprotection/

Mount the dmg image read-only (Linux)

• Determine file system offset in dd image:

• Mount HFS partition read only:

• Make sure file system was mounted

• Can check disk usage

• The Sleuth Kit by Brian Carrier

– Brian is the author of the excellent book File System Forensic Analysis (FSFA)

– Actively maintained, just released 3.2.2 (06/13/2011)

– Supports NTFS, FAT, UFS 1, UFS 2, EXT2FS, EXT3FS, and ISO 9660

http://sleuthkit.org/

• Install:

• Programs to start with:

– mmls – Media Management ls, generally partition info:

• fsstat – File system info

• fls – Forensic list

– Power utility which can list allocated/deleted files

– Provides offset so recovery is possible

– Build MACB for timeline analysis

– analyst@ubuntu:/mnt/hgfs/Desktop$ fls -z CST6CDT -s 0 -m '/' -f hfs -r -i raw iPhone-3g-313.dmg > ~/iPhone-timeline.body

human friendly

• analyst@ubuntu:/mnt/hgfs/Desktop$ mactime -b ~/iPhone-timeline.body -z CST6CDT -d > ~/iPhone-timeline.csv

– Takes body file and turns into CSV or other format

Log2timeline

• Kristinn Gudjonsson developed this software

– Written in Perl (trying to convince him to move to Python)

– Extracts timeline artifacts from many file types including

• Evt/extx, registry, $MFT, prefetch, browser history, etc. (46 and climbing)

– 10+ export formats

http://log2timeline.net/

• Install log2timeline on Ubuntu 10.10 (lucid)

– sudo add-apt-repository "deb http://log2timeline.net/pub/ lucid main"

– wget -q http://log2timeline.net/gpg.asc -O- | sudo apt-key add -

– sudo apt-get update

– sudo apt-get install log2timeline-perl

Log2timeline

• sudo timescanner -d /home/analyst/mnt/hfs/ -z CST6CDT -w ~/iPhone-log2timeline.csv

– 218 artifacts (either files or directories).

– Run time of the script 24 seconds.

• If you output in body format, you can combine it with TSK's fls output and generate a full timeline of file system and file metadata (sometimes referred to as a "Super Timeline")

Scalpel

• Download scalpel src at:

• wget http://www.digitalforensicssolutions.com/Scalpel/scalpel-2.0.tar.gz

• Compile

– tar xzvf scalpel-2.0.tar.gz

– cd scalpel-2.0/

– sudo apt-get install libtre-dev libtre5

– ./configure; make

– sudo cp scalpel /usr/local/bin

• Run scalpel

$ scalpel -c ~/scalpel.conf iPhone-3g-313.dmg

• Examine data in the "scalpel-output" directory

Sample scalpel.conf

Hex viewer (xxd)

• Usage:

$ xxd iPhone-3g-313.dmg | less

• To auto-skip runs of zeros:

$ xxd -a iPhone-3g-313.dmg | less

Hex editor

• Usage:

$ hexedit iPhone-3g-313.dmg

• Once in the hex editor:

– "/" = search hex/ASCII string (in "hexedit" use Tab to switch between ASCII and hex searches)

– q = exit hex editor

– h = help

• Can quickly locate potential evidence

• Other tools also available (hexeditor and many others)

Grep Command

• Searches through a file (or many files/folders) for specified keyword(s)

• Grep is case sensitive by default

$ grep amr iPhone-3g-313.dmg

• To do a case-insensitive search (more time consuming):

$ grep -i AmR iPhone-3g-313.dmg

• Can search for a phrase in quotes

$ grep "Trace File" iPhone-3g-313.dmg

$ grep -a "Trace File" iPhone-3g-313.dmg

$ grep -a -A 1 -B 1 "Trace File" iPhone-3g-313.dmg

Grep Command (continued)

• Can also be used to search through many files

• Grep through all files in a user's home directory for "viaF":

analyst@ubuntu:~$ grep -R 312493 *

Binary file scalpel-output/sqlitedb-9-0/00001.db matches

Binary file scalpel-output/sqlitedb-9-0/00017.db matches

• Find all SMS database files from the iPhone (after scalpel):

analyst@ubuntu:~$ grep -R svc_center sqlite*

"Strings" Command

• Strings is a powerful utility to extract ASCII or Unicode strings from binary data

• Can be run against a file or a full disk image

$ strings iPhone-3g-313.dmg > iPhone.str

$ strings iPhone-3g-313.dmg | less

• Can also search for Unicode

$ strings -e b iPhone-3g-313.dmg | less

"Strings" does more than ASCII

• Strings is designed to extract ASCII and Unicode

– 7-bit ASCII, 8-bit ASCII

– 16-bit big-endian and little-endian

– 32-bit big-endian and little-endian

• From the strings manual page:

Decrypting data – step 1

• Scenario: imaged iPhone, and an application has encrypted data which you need to view.

• Our solution (but other approaches may work)

• Noted app data was encrypted

• Analyzed the symbol table for the app, saw entries such as:

• 00091033 t -[NSData(AESAdditions) AES256DecryptWithKey:]

• 00092015 t -[NSData(AESAdditions) AES256EncryptWithKey:]

• 0009aA07e t -[NSData(AESAdditions) keyBytes:]

• 00034261 t +[NSData(Base64) dataFromBase64String:]

• 00034410 t -[NSData(Base64) base64EncodedString]

• Determined the app stored its key in the Keychain, so cracked the keychain and found an entry with a Base64-encoded key

• Decoded the Base64 key

• Wrote a quick program that used the "AES256DecryptWithKey" API with the encrypted file and the decoded AES key to access the data

• F/OSS tools used:

• Zdziarski's techniques to physically image the device and crack the keychain

• Strings to determine the encryption technique

• XCode from Apple to write the decrypt program

Andrew Hoog

Chief Investigative Officer

ahoog@viaforensics.com http://viaforensics.com

Main Office:

1000 Lake St, Suite 203

Oak Park, IL 60301

Tel: 312-878-1100 | Fax: 312-268-7281

Source: <https://www.nowsecure.com/blog/2011/10/20/howto-iphone-forensics-free-andor-open-source-tools-91411/>

Direct download

viaForensics-iPhone-Forensics-with-FOSS.pdf


Posted by codedragon


Cyber Policing Research Center (사이버 폴리싱 리서치 센터)

http://cyberpolicing.com/


Police Investigation Training Institute Digital Forensics Challenge

http://digital-forensic.kpia.go.kr/Digital_Forensic_Challenge.html

Direct download

challenge.zip.001 through challenge.zip.082 (split archive, 82 parts)


ZeroAccess rootkit kills security software

ZeroAccess – an advanced kernel mode rootkit


Direct download

zeroaccess_analysis.pdf



DCode

Tool for calculating date/time values from various timestamp formats

http://www.digital-detective.net/digital-forensic-software/free-tools/

Download

Click the grey Download button at the bottom of the page

Screenshot

Direct download

DCode-v4.02a-build-4.02.0.9306.zip



openports.exe

Prints information about all open TCP and UDP ports together with the owning system process


C:\forensics\ToolSuite>openports.exe /?

OpenPorts - DiamondCS Console Tools (www.diamondcs.com.au)

---

PURPOSE: Displays information about all TCP/UDP ports.

USAGE: openports.exe [-lines] [-path] [-netstat / -fport / -csv]

FLAGS:

[no flags] Standard display (default options used)

-lines Adds lines between processes for easier viewing

-path Processes are displayed with full path

The above flags have no effect if one of these options is used:

-netstat Results are displayed similar to Window XP's netstat

-fport Results are displayed similar to FPort

-csv Results are displayed as comma separated values

Direct download



Hunt

Version 2.0

Direct download



Guide to Integrating Forensic Techniques into Incident Response


Table of Contents

Executive Summary

1. Introduction
1.1 Authority
1.2 Purpose and Scope
1.3 Audience
1.4 Publication Structure

2. Establishing and Organizing a Forensics Capability
2.1 The Need for Forensics
2.2 Forensic Staffing
2.3 Interactions with Other Teams
2.4 Policies
2.4.1 Defining Roles and Responsibilities
2.4.2 Providing Guidance for Forensic Tool Use
2.4.3 Supporting Forensics in the Information System Life Cycle
2.5 Guidelines and Procedures
2.6 Recommendations

3. Performing the Forensic Process
3.1 Data Collection
3.1.1 Identifying Possible Sources of Data
3.1.2 Acquiring the Data
3.1.3 Incident Response Considerations
3.2 Examination
3.3 Analysis
3.4 Reporting
3.5 Recommendations

4. Using Data from Data Files
4.1 File Basics
4.1.1 File Storage Media
4.1.2 Filesystems
4.1.3 Other Data on Media
4.2 Collecting Files
4.2.1 Copying Files from Media
4.2.2 Data File Integrity
4.2.3 File Modification, Access, and Creation Times
4.2.4 Technical Issues
4.3 Examining Data Files
4.3.1 Locating the Files
4.3.2 Extracting the Data
4.3.3 Using a Forensic Toolkit
4.4 Analysis
4.5 Recommendations

5. Using Data from Operating Systems
5.1 OS Basics
5.1.1 Non-Volatile Data
5.1.2 Volatile Data
5.2 Collecting OS Data
5.2.1 Collecting Volatile OS Data
5.2.2 Collecting Non-Volatile OS Data
5.2.3 Technical Issues with Collecting Data
5.3 Examining and Analyzing OS Data
5.4 Recommendations

6. Using Data From Network Traffic
6.1 TCP/IP Basics
6.1.1 Application Layer
6.1.2 Transport Layer
6.1.3 IP Layer
6.1.4 Hardware Layer
6.1.5 Layers' Significance in Network Forensics
6.2 Network Traffic Data Sources
6.2.1 Firewalls and Routers
6.2.2 Packet Sniffers and Protocol Analyzers
6.2.3 Intrusion Detection Systems
6.2.4 Remote Access
6.2.5 Security Event Management Software
6.2.6 Network Forensic Analysis Tools
6.2.7 Other Sources
6.3 Collecting Network Traffic Data
6.3.1 Legal Considerations
6.3.2 Technical Issues
6.4 Examining and Analyzing Network Traffic Data
6.4.1 Identify an Event of Interest
6.4.2 Examine Data Sources
6.4.3 Draw Conclusions
6.4.4 Attacker Identification
6.5 Recommendations

7. Using Data from Applications
7.1 Application Components
7.1.1 Configuration Settings
7.1.2 Authentication
7.1.3 Logs
7.1.4 Data
7.1.5 Supporting Files
7.1.6 Application Architecture
7.2 Types of Applications
7.2.1 E-mail
7.2.2 Web Usage
7.2.3 Interactive Communications
7.2.4 File Sharing
7.2.5 Document Usage
7.2.6 Security Applications
7.2.7 Data Concealment Tools
7.3 Collecting Application Data
7.4 Examining and Analyzing Application Data
7.5 Recommendations

8. Using Data from Multiple Sources
8.1 Suspected Network Service Worm Infection
8.2 Threatening E-mail
8.3 Recommendations

List of Appendices

Appendix A: Recommendations
A.1 Organizing a Forensics Capability
A.1.1 Forensic Participants
A.1.2 Forensic Policies, Guidelines, and Procedures
A.1.3 Technical Preparation
A.2 Performing the Forensics Process
A.2.1 Data Collection
A.2.2 Examination and Analysis
A.2.3 Reporting
Appendix B: Scenarios
B.1 Scenario Questions
B.2 Scenarios
Appendix C: Glossary
Appendix D: Acronyms
Appendix E: Print Resources
Appendix F: Online Tools and Resources
Appendix G: Index

List of Figures

Figure 3-1. Forensic Process
Figure 4-1. File Header Information
Figure 6-1. TCP/IP Layers
Figure 6-2. TCP/IP Encapsulation

List of Tables

Table 4-1. Commonly Used Media Types

Direct download

SP800-86.pdf



Guidelines for Evidence Collection and Archiving, rfc3227

Direct download

rfc3227.pdf
