Shadowed by coverage of all things Nexus and iPad, Nokia’s new N900 is the unsung hero of the smartphone world. That’s just fine for folks like DT and HD and anyone else looking for a *phone* that runs nmap, aircrack, Metasploit and Wireshark. Future functionality includes BackTrack itself, packaged as NeoPwn v2!
Cutting to the chase, then: this is a quick cheat sheet about forensic artifacts on the N900 and where to find them.
Imaging:
The easiest method to get these artifacts is simply to ssh to the phone and scp off the files you need.
No ssh on the phone? You can install it using the Application Manager and pick your own root password during the install process. If ssh is already on the phone, you can reset the root password by opening an Xterm, typing root to get a root shell, and then passwd to set a new root password.
If it’s [...]
Posted by robtlee on March 16, 2010 – 7:45 am
Creating Digital Forensic Filesystem Timelines From Multiple Windows Volume Shadow Copies
Introduction to Shadow Timelines:
This past weekend I was upgrading the SIFT Workstation to the new version and realized I had not used the Windows version of the Sleuth Kit tools in a while. I usually demonstrate in class that many of the Sleuth Kit tools can work directly against the logical partitions of a physical hard drive (e.g. \\.\C:, \\.\D:). It occurred to me that I had never tried to use fls, the filesystem parser and timeline generator, on a Windows Vista, Windows 7, or Windows 2008 Server Shadow Copy Volume.
We have known for some time now that you can image a Shadow Volume. I wrote a post back in 2008 describing it, titled VISTA and Windows 7 Shadow Volume Forensics. We found out you could use dd.exe to carve a logical volume at \\.\C:. We also found out we could use the [...]
These commands are used to find out about other users on a *NIX host. When testing the security of a system covertly (such as when engaged in a penetration test), it is best to stop running commands while the system administrator is watching. These commands may also be useful for digital forensics investigators and incident response personnel.
w
The ‘w’ command displays any user logged into the host and their activity. This is used to determine if a user is ‘idle’ or if they are actively monitoring the system.
who
The ‘who’ command shows which users are logged into the host, along with their source address and how they are accessing the host. It will display whether a user is logged into a local tty (more on this later) or is connecting over a remote network connection.
finger <user_name>
The ‘finger’ command is rarely used these days [...]
It is essential to identify the network services running on a UNIX host as part of any review. To do this, the reviewer needs to understand the relationship between active network services and the local processes running on the host, and be able to identify the network behavior that results from this interaction. There are a number of tools available on any UNIX system that the reviewer needs to be familiar with.
Netstat
Netstat lists all active connections as well as the ports on which processes are listening for connections. The command “netstat -p -a --inet” (or the equivalent on other UNIXes) prints this information. Not all UNIX versions support the “-p” option for netstat; in that case other tools may be used.
Lsof
The “lsof” command allows the reviewer to list all open files, where “An open file may be a regular file, a directory, a block special [...]
Posted by mmckinnon on March 11, 2010 – 1:18 pm
This week we have news of threats posted on social networks that closed some schools in the US, the takedown of an ISP spreading malware, and Mandiant’s State of the Hack webinar. For your reading pleasure there are the SANS Forensic Whitepapers along with posts by Joe Garcia and Lance Mueller. In the tools section there are some updated EnScripts, one of our own posts on building an incident response disk, and more.
Tools:
Building a Unix/Linux incident response Disk
Updated Office 2007 Metadata Scripts Released
Good Reads:
Joe Garcia put up a post about Celebrity Death = New Malware Sites
Lance Mueller has a good write-up on the Cellebrite UFED
If you have not checked out the SANS Forensic Whitepapers they have some good reads
News:
Huge ‘botnet’ amputated, but criminals reconnect
A vague threat posted on two social networking sites led to the lockdown of schools in a Midwestern US city
Check out Mandiant’s State of the Hack webinar on Thursday, March [...]
There are a wide variety of logging functions and services on UNIX. Some of these, such as the Solaris audit facility, are limited to a particular variety of UNIX. It is important that the digital forensics analyst become familiar with the logging deployed on the UNIX system they are reviewing. In particular, have a look at the syslog configuration file and the “/var/log” and “/var/run” directories, and check whether any remote log servers are configured. Syslog is a network service, although it is most commonly run locally; this is what allows logs to be forwarded to a remote system.
Syslog and Other Standard Logs
There are five primary log files that exist on nearly any UNIX system (the exact location may vary slightly). They are listed below.
The 5 primary UNIX log files:
/var/log/btmp - failed login history
/var/log/messages - default location for messages from the syslog facility
/var/log/secure [...]
There are many Linux distributions readily available. This, however, should not stop you from creating your own UNIX forensic tools disc. Whether you are on Solaris, HP-UX or any other variety of UNIX, it is simple to create a forensic tools CD that can move between systems. The added benefit of this method is that the tools do not need to be left on the production server. Leaving them there is itself a security risk, and being able to unmount the CD and take it with you improves security.
The ability to create a customized CD for your individual systems means that the analyst can have their tools available for any UNIX system they need to work with. It may also be possible to create a universal forensic CD. Using statically linked binaries, a single DVD or CD could be created with separate directories for every UNIX [...]
The RSA Security Conference was held this week in San Francisco. The conference is jam-packed with sessions, whiteboarding events, demonstrations, and more. Here are my observations and interview sound bites. I was covering RSA San Francisco 2010 as a forensic analyst and co-host of The CyberJungle, a weekly live news and talk program on security, privacy, and the law.
Digital forensics is still the non-sexy topic at RSA Security. There were no dedicated forensics tracks at this conference. But computer forensics was mentioned now and then in session talks, often by the audience more than by the speakers.
Smart Grid Forensics
For example, there was an industry panel on electric smart grid security standards. The panelists in this session did not have forensics on their agenda, but a member of the audience did. Gerry Brown is an independent forensics consultant. He was an audience member in this session, and took [...]