Wednesday, February 17, 2010

Creating an image using Disk Duplicator

############################
# Disk Duplicator Commands #
############################



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ Command used to copy the file from my local drive to the USB drive: ~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

C:\MSDOS-Tools>dd if=\User_name\File_1 of=\\.\L:
rawwrite dd for windows version 0.4beta4.
Written by John Newbigin
This program is covered by the GPL. See copying.txt for details
2880+0 records in
2880+0 records out


# An interesting note here is that I had trouble initially with the windows explorer process using the USB drive. So I had to righ click on the device in explorer and select "eject" to get it to work.


C:\MSDOS-Tools>dir L:
Volume in drive L is WEASELSRUS
Volume Serial Number is 04F8-0DB4

Directory of L:\

04/04/2005 08:16 AM 115,911 cute.jpg
04/04/2005 08:27 AM 31,945 white.gif
2 File(s) 147,856 bytes
0 Dir(s) 1,309,184 bytes free




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ md5 sum for the files copied from the local system ~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


C:\MSDOS-Tools>md5sum.exe L:\cute.jpg
\5fccb53e44d96cdaaa423a372f3f3d30 *L:\\cute.jpg


C:\MSDOS-Tools>md5sum.exe L:\white.gif
\669e44cf64f3bccf8ab5f8853442c235 *L:\\white.gif


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ Command used for creating an image of the files on the USB drive ~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


C:\MSDOS-Tools>dd if=\\.\L: of=\User_Name\File_1_image
rawwrite dd for windows version 0.4beta4.
Written by John Newbigin
This program is covered by the GPL. See copying.txt for details
2880+0 records in
2880+0 records out

C:\MSDOS-Tools>dir C:\User_Name\
Volume in drive C has no label.
Volume Serial Number is 60EE-9B31

Directory of C:\User_Name

02/12/2010 12:48 PM 1,474,560 File_1_image
02/12/2010 10:25 AM 1,474,560 File_1.001


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ md5 sum for the files copied from the local system ~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



C:\MSDOS-Tools>md5sum.exe C:\User_Name\File_1_image
\9c60f52259fe7f7dc8aef64e9b68ffec *C:\\User_Name\\File_1_image

# Originial File...

C:\MSDOS-Tools>md5sum.exe C:\User_Name\File_1.001
\9c60f52259fe7f7dc8aef64e9b68ffec *C:\\User_Name\\File_1.001

Forensics Resources

I put together some links and references for people to gather some information about forensics. Enjoy...


http://www.truecrypt.org

Title:Free Open Source On-The-Fly Encryption
Description: Micrsoft has whole disk encryption in Vista Ultimate and Enterprise. However, if you're not up to speed with Vista, TrueCrypt provides a very cool way to encrypt files with your own created mount points.


http://www.microsoft.com/windows/products/windowsvista/features/details/bitlocker.mspx

Title:Microsoft Vista BitLocker Drive Encryption
Description: BitLocker Drive Encryption is a data protection feature available in Windows Vista Enterprise and Ultimate. Windows BitLocker is for both business and personal users who need to help protect sensitive data on their PC.


http://www.xs4all.nl/~carlo17/howto/undelete_ext3.html

Title:How to Undelete EXT3 Filesystem
Description: Very interesting,in depth, article on recovering the EXT3 filesystem. This is something that the EXT3 FAQ states is impossible.


http://www.antiphishing.org/resources.html

Title:Anti Phishing web site
Description: Report phishing emails, pharming sites and crimeware to the Anti-Phishing Working Group and help stop this insidious threat to e-commerce. Click "Report Phishing" link below for instructions.


http://www.securitypronews.com/insiderreports/insider/spn-49-20080627ICANNIANAFallPreyToHacks.html

Title:IANA/ICANN Hacked
Description: One might expect the domains for the Internet Corporation for Assigned Names and Numbers (ICANN) or the Internet Assigned Numbers Authority (IANA) to be a little more resilient in the face of hackers attempting to hijack their domains.
One would be mistaken in that assumption.


http://www.digitalforensics.ch/nikkel05b.pdf

Title:Open Source Forensics
Description: Great presentation on OSS forensics tools.



http://www.usdoj.gov/criminal/cybercrime/forensics_chart.pdf

Title:Digital Forensic Analysis Methodology
Description: Found this on the DOJ site and found it very interesting outline.


http://www.ietf.org/rfc/rfc3227.txt

Title:RFC 3227 - Guidelines for Evidence Collection and Archiving
Description: This document specifies an Internet Best Current Practices for the Internet Community.


http://www.phrack.org/issues.html?issue=64&id=14#article

Title:Phrack Issue 64 File 10
Description: Phrack's usually a good read, though perhaps not what you would like work to see you reading. This article is entitled "Knowing your Enemy: Facing the Cops".


http://www.e-fense.com/helix

Title:Digital Forensic Live CD
Description: Windows and Linux Live CD full of useful forensic and incident response tools.


http://cups.cs.cmu.edu/antiphishing_phil/

Title:A game to teach one what to look for from the slick phishing sites
Description: This is an anti-phishing game from Carnegie Mellon CUPS to help one get a better understanding of what to look for, enjoy. This is very useful, check it out before you get fooled.


http://www.e-fense.com/helix/

Title:Helix
Description: Helix is a customized distribution of Ubuntu Linux. Helix is more than just a bootable live CD. You can still boot into a customized Linux environment that includes customized linux kernels, excellent hardware detection and many applications dedicated to Incident Response and Forensics.


http://www.fileshredder.org/

Title:File Shredder
Description: In order to remove, or shred files permanently from your system you have to use a program that is capable of rewriting the files with random series of binary data multiple times. This process is often called shredding. That way, the actual content of the file has been overwritten and the possibilities to recover such a shredded file are mostly theoretical.


http://linuxsurvival.com/index.php

Title:Linux Training
Description: All,
Check it out if you get a chance, this is a pretty cool Linux training applet that runs in a java enabled browser. You might get a better understanding of Linux.



http://www.cftt.nist.gov/NISTIR_7490.pdf

Title:NISTIR 7490
Description: Digital Forensics at the
National Institute of
Standards and
Technology



http://www.cfreds.nist.gov/

Title:CFReDS Project
Description: NIST is developing Computer Forensic Reference Data Sets (CFReDS) for digital evidence. These reference data sets (CFReDS) provide to an investigator documented sets of simulated digital evidence for examination.



http://www.thesmokinggun.com/archive/years/2009/0318091dog2.html

Title:Affidavit from forensics investigator using FTK Imager
Description: Weird case but the website posted the full affidavit with it -- the investigator used FTK Imager.

Books on the Desk...

I thought I would post up some reference materials that I always have on my desk.

Snort IDS/IPS ToolKit: ISBN-10: 1-59749-099-7

This book is very well written and provide some basic and even more advanced understanding on the workings of Snort. Some of the highlights for me was learning about the pre-processors and how they handle traffic that thy receive. The author did an excellent job with the examples and his explanations of the subjects. Every thing from replaying a tcpdump-formatted Files, to suppressing events in the thresholds.conf file.

Guide to Computer Forensics and Investigations (4th Edition): ISBN-10: 1-4354-2819-6

This text covers nearly everything about forensics and the investigation process. While the author admits that it is not intended to be a manual, it is designed with all of the basics needed for a beginner to enter into this field. You will learn how to use various tools such as ProDiscover and FTK along with other tools such as linux LiveCD's. The exercises in the book are realistic and easy to follow. If you want something more challenging you can always take a USB drive and have your kids or your friends download some information and removed it, format the drive, and use the tools to practice.

Gray Hat Python: ISBN-13: 978-1-59327-192-3

This is a great book for learning how to get python to work for you while you are having some fun. Even experienced python coders will learn something from this book as the author covers the uses and inner workings of code fuzzers, debuggers, and exploit code. The text also covers some other topics that do warrant additional study, but the author covers enough of the topics to get you started within the scope of this books topics. Again, excellent read and recommended to any one who is looking into vulnerability identification and testing.

OSSEC HIDS Guide ISBN-13: 978-1-59749-240-9

This is a Host Intrusion Detection (HIDS) Guide for Open Source Security (OSSEC). The book covers all the aspects of installation and deploying the system in your environment. One of the big benefits and recommendations that come with this book, is getting exposure to an Open Source HIDS. There is greater flexibility with this product than with some of its competitors, such as Cisco, and provides compatibility with a wider range of platforms such as 64-bit Operating systems that are widely used today.