Thursday, December 12, 2013

Blog review

What topics did I write on?

I wrote on a wide range of topics and tested a number of different tools. I wrote about general security issues such as NSA spying, concerns about cyberwarfare, the effects of the government shutdown, and privacy issues. I studied password-breaking methods. I did an overview of emerging new threats. I did another review of the most common causes of security breaches. I studied penetration testing and focused on the many features of BackTrack Linux. I used BackTrack Linux to carry out a MITM attack and managed to steal session cookies. I also test drove Metasploit and the Social Engineering Toolkit. I also experimented with Wi-Fi monitoring tools. I reviewed “The Art of Deception” to learn about social engineering. I tested a few encryption tools. I reviewed solutions to the future problem of quantum computing breaking today's encryption methods. I returned to BackTrack Linux to review its forensics tools.

What sources did I use?

I used a wide variety of sources. These included online magazines, blogs, tutorials, and software support sites. I found Bruce Schneier's blog to be interesting and useful. I also used the Dark Reading blog. It had some useful postings linking to valuable white papers. I also used SecurityWeek several times. I looked at tutorials and videos on Metasploit and the Social Engineering Toolkit. I reviewed the PDF version of Kevin Mitnick's book “The Art of Deception.”

Is this type of blog useful? What lessons can be learned?


Since the security environment is constantly changing, blogs can often give information that is not as readily available elsewhere. I found that blogs can have helpful tips and how-to instructions. I found a great deal of information on the use of BackTrack Linux on blogs. Blogs often give a more honest evaluation of software and hardware products than the manufacturer's website. If I am having an issue, I am probably not the only one. The answer is likely out there somewhere on someone's blog. For example, I was trying to install a Linux distribution for a class next term. I could not get it to pick up my Wi-Fi adapter. But I found the answer on someone's blog. One thing I blogged about was the use of different tools. I would recommend that students experiment with different tools. It is a great way to learn. I am impressed with BackTrack Linux and recommend students try it. I plan to experiment with it more.

Friday, December 6, 2013

Using BackTrack Linux for Forensics


For this week’s blog I decided to go back to BackTrack Linux and take a look at what sort of forensic tools are available. When booting into BackTrack Linux it is important to select forensics mode. In this mode the live system does not use a swap partition on the hard drive and does not automatically mount any internal drives, so the evidence drive is left in its original condition (a hardware write blocker is still the safer way to attach a drive you intend to image). BackTrack has dozens of tools available for forensics. I will only look at a few. BackTrack has a number of image capture tools. The main one is dd, which copies a device block by block so that a disk image can be saved for forensic analysis. dd_rescue is a variant for rescuing failing media: it keeps going past read errors instead of stopping. It would be useful for general data recovery and not just forensics. aimage saves the image data and its metadata (acquisition notes, hashes) in the Advanced Forensic Format (AFF), a standard forensic container. AIR (Automated Image and Restore) is a GUI front end for dd. Because these tools copy every sector, the image includes unallocated space, which is why temporary and deleted files can later be recovered from it. Several hashing tools (md5sum, sha1sum, and the like) are included to ensure the integrity of the image file: hash the source and the image, record the value, and any later change to the image can be detected.
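To make the acquisition and integrity check concrete, here is an added example (my own code, not anything shipped with BackTrack) that reproduces what `dd if=/dev/sdX of=image.dd bs=4M` followed by `sha256sum` does: it copies the source in fixed-size blocks, hashes it in the same pass, records the hash in a sidecar file, and shows that a single changed byte in the image is caught later. The source is a plain file of constructed random data here, standing in for a block device; the path names are assumptions.

```python
"""Acquire a forensic image in fixed-size blocks and prove it matches the source.

Added example, not BackTrack code: it mirrors `dd ... bs=4M` plus `sha256sum`
so the integrity check can be seen end to end. The source is a plain file of
constructed sample data; on a real system it would be a block device.
"""
import hashlib
import os
import tempfile

BLOCK_SIZE = 4 * 1024 * 1024  # 4 MiB, the usual bs= for dd


def image_with_hash(src_path, dst_path, block_size=BLOCK_SIZE):
    """Copy src to dst block by block, hashing the source bytes as they are read.

    Returns the SHA-256 of everything read from the source. Hashing in the same
    pass means the evidence is read only once (less wear on a failing drive) and
    the hash describes exactly what the imager saw.
    """
    h = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            chunk = src.read(block_size)
            if not chunk:
                break
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()


def sha256_file(path, block_size=BLOCK_SIZE):
    """Independent re-read of a file, the equivalent of `sha256sum path`."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_and_verify(src_path, dst_path):
    """Image the source and write a sidecar hash file next to the image.

    Returns (hashes_match, source_hash, image_hash). The sidecar uses the
    format `sha256sum -c` accepts, so the check can be repeated from a shell.
    """
    source_hash = image_with_hash(src_path, dst_path)
    image_hash = sha256_file(dst_path)
    with open(dst_path + ".sha256", "w") as f:
        f.write(f"{image_hash}  {os.path.basename(dst_path)}\n")
    return source_hash == image_hash, source_hash, image_hash


def verify_sidecar(image_path):
    """Re-check an image against its recorded hash before analysing it later."""
    with open(image_path + ".sha256") as f:
        recorded = f.read().split()[0]
    return sha256_file(image_path) == recorded


def demo():
    """Constructed scenario: image a fake device, verify, then detect a tamper.

    Returns (verified_after_acquisition, verified_after_one_byte_changed).
    """
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "sdb")     # stands in for /dev/sdb (assumption)
    img = os.path.join(workdir, "sdb.dd")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * 1024 * 1024 + 123))  # deliberately not a block multiple
    ok, _, _ = acquire_and_verify(src, img)
    first_check = ok and verify_sidecar(img)
    # Flip one byte in the image; the sidecar hash must now fail.
    with open(img, "r+b") as f:
        f.seek(4096)
        original = f.read(1)
        f.seek(4096)
        f.write(bytes([original[0] ^ 0xFF]))
    return first_check, verify_sidecar(img)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point of hashing during the copy rather than afterwards is that a damaged drive may not survive a second full read; the sidecar is what lets anyone re-verify the image months later without access to the original media.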

Once the image is saved, tools are available to recover files from it. One tool is Foremost, which carves files of many common types out of the image by their header and footer signatures rather than relying on the file system, so it finds deleted files in unallocated space as well. Scalpel and Magic Rescue work the same way. PhotoRec rescues common file types too, but it is a text-mode (curses) tool rather than a GUI. Autopsy is a graphical, browser-based front end to The Sleuth Kit, which provides the file-system level analysis, and is available for download.
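Here is an added example (my own code, not Foremost's or Scalpel's) of the signature carving those tools perform. The signature table is a constructed subset of the kind of entries found in a foremost configuration (JPEG, PNG, PDF headers and footers), and the "disk image" is built inline from filler bytes and sample files so the result can be checked against what was planted.

```python
"""Signature-based file carving, the technique behind Foremost and Scalpel.

Added example, not code from BackTrack or from either project. The signature
table is a constructed subset of foremost-style entries; the sample 'disk
image' is built inline so the result can be checked.
"""
import struct
import zlib

# (header, footer or None, extension, maximum carve size)
SIGNATURES = [
    (b"\xff\xd8\xff", b"\xff\xd9", "jpg", 20 * 1024 * 1024),
    (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", "png", 20 * 1024 * 1024),
    (b"%PDF-", b"%%EOF", "pdf", 50 * 1024 * 1024),
]


def carve(image, signatures=SIGNATURES):
    """Return [(offset, ext, data), ...] for every header found in the image.

    The file system is ignored entirely: the whole byte string is scanned, so
    files in unallocated space are found just like live ones. Each hit is cut
    at the first footer after the header (footer included) or at max size when
    no footer is found, which is how a fragment with an overwritten end shows up.
    """
    found = []
    for header, footer, ext, max_size in signatures:
        pos = image.find(header)
        while pos != -1:
            window = image[pos:pos + max_size]
            if footer is not None:
                end = window.find(footer, len(header))
                data = window[:end + len(footer)] if end != -1 else window
            else:
                data = window
            found.append((pos, ext, data))
            pos = image.find(header, pos + len(header))
    return sorted(found, key=lambda hit: hit[0])


def make_png(width=1, height=1):
    """Build a minimal valid PNG so a carved copy can be compared byte for byte."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit RGB
    raw = (b"\x00" + b"\x00\x00\x00" * width) * height             # filter byte + RGB
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


# Constructed sample files: a JPEG-shaped blob and a tiny PDF.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0JFIF\x00" + b"\x00" * 100 + b"\xff\xd9"
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF\n"
FILLER = b"\x00" * 512


def build_sample_image():
    """A fake raw image: filler, PNG, filler, JPEG, filler, PDF, filler."""
    return FILLER + make_png() + FILLER * 3 + SAMPLE_JPEG + FILLER + SAMPLE_PDF + FILLER


def demo():
    """Carve the sample image; returns [(offset, ext, size), ...]."""
    return [(off, ext, len(data)) for off, ext, data in carve(build_sample_image())]


if __name__ == "__main__":
    for off, ext, size in demo():
        print(f"offset {off:#x}: {ext} ({size} bytes)")
```

Real carvers add the refinements this leaves out (footers that must be searched backwards, per-type length fields such as the PNG chunk lengths, and handling of fragmented files), but the core is exactly this header and footer scan over raw bytes.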

PTK is another front end to The Sleuth Kit for disk image analysis. Volatility is the tool for analysing RAM dumps: it can list the processes, network connections and loaded modules that were in memory when the dump was taken and extract files and other objects from it. There are also some specialised recovery tools. pdgmail recovers Gmail artefacts from memory. pdfbook extracts Facebook information from memory.

rkhunter (Rootkit Hunter) is a tool for discovering rootkits on a running system; it checks system binaries, known rootkit file paths and hidden files and ports against its database.

There are several tools for recovering metadata. One example is vinetto, which extracts the thumbnails that Windows stores in Thumbs.db files, so a picture can still be recovered after the original has been deleted. pdf-parser shows the objects and streams inside a PDF file, which is useful for examining a suspicious document without opening it. There are also several tools for reading and analysing log files.

There are tools (bkhive and samdump2) for extracting the password hashes from a Windows SAM file so that they can be loaded into a password cracker; the SYSTEM hive is needed as well, since the hashes are encrypted with a boot key stored there. CmosPwd is a utility designed to recover BIOS passwords from CMOS memory. fcrackzip breaks password-protected ZIP files.

Network analysers such as Wireshark are classed as forensic tools since they can give valuable clues to attacks over a network. Xplico is a network forensic analysis tool that reconstructs application data (web requests, emails, VoIP calls and so on) from a Wireshark capture file.
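The following added example (my own code, not Xplico's or Wireshark's) shows the simplest form of that reconstruction: it reads the libpcap file format and the Ethernet, IPv4 and TCP headers directly and pulls the request line and Host header out of every HTTP request in the capture. The capture is constructed inline, so the addresses, ports and URLs are invented sample data and the script runs offline.

```python
"""Recover HTTP requests from a pcap file, the kind of reconstruction Xplico does.

Added example, not Xplico's or Wireshark's code. It parses the libpcap file
format and Ethernet/IPv4/TCP headers directly. The capture is constructed
inline (addresses, ports and URLs are invented sample data).
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4        # libpcap magic, microsecond timestamps
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ")


def iter_frames(pcap):
    """Yield the raw link-layer frame of each record in a pcap byte string."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:   # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    off = 24                    # global header size
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def extract_http_requests(pcap):
    """Return one dict per TCP segment whose payload starts an HTTP request."""
    results = []
    for frame in iter_frames(pcap):
        if len(frame) < 34 or struct.unpack_from(">H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ip = 14
        ihl = (frame[ip] & 0x0F) * 4
        total_len = struct.unpack_from(">H", frame, ip + 2)[0]
        if frame[ip + 9] != IPPROTO_TCP:
            continue
        src = ".".join(str(b) for b in frame[ip + 12:ip + 16])
        dst = ".".join(str(b) for b in frame[ip + 16:ip + 20])
        tcp = ip + ihl
        dport = struct.unpack_from(">H", frame, tcp + 2)[0]
        data_off = (frame[tcp + 12] >> 4) * 4
        payload = frame[tcp + data_off:ip + total_len]   # trims Ethernet padding
        lines = payload.split(b"\r\n")
        if not lines[0].startswith(HTTP_METHODS):
            continue
        host = None
        for line in lines[1:]:
            if line.lower().startswith(b"host:"):
                host = line[5:].strip().decode("ascii", "replace")
                break
        results.append({"src": src, "dst": dst, "dport": dport,
                        "request": lines[0].decode("ascii", "replace"), "host": host})
    return results


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame around payload; checksums left zero (constructed data)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack(">H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64,
                         IPPROTO_TCP, 0, bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    tcp_hdr = struct.pack(">HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr + payload


def build_pcap(frames):
    """Wrap frames in libpcap global and record headers (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1386300000 + i, 0, len(frame), len(frame)) + frame
    return out


def build_sample_pcap():
    """Constructed capture: two HTTP requests, one non-HTTP TCP segment, one ARP frame."""
    get = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n"
    post = (b"POST /login HTTP/1.1\r\nHost: login.example.com\r\n"
            b"Content-Length: 9\r\n\r\nuser=test")
    arp = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28
    return build_pcap([
        build_frame("192.0.2.10", "198.51.100.1", 50000, 80, get),
        arp,
        build_frame("192.0.2.10", "198.51.100.2", 50001, 22, b"SSH-2.0-OpenSSH\r\n"),
        build_frame("192.0.2.11", "198.51.100.1", 50002, 80, post),
    ])


if __name__ == "__main__":
    for req in extract_http_requests(build_sample_pcap()):
        print(f"{req['src']} -> {req['dst']}:{req['dport']}  {req['request']}  host={req['host']}")
```

Xplico and Wireshark go much further (TCP stream reassembly across segments, IPv6, VLAN tags, other protocols), but this is the same idea: walk the capture records, peel the headers, and pull application data out of the payload. Run it on a real capture by passing `open("capture.pcap", "rb").read()` to `extract_http_requests`.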

There is even one tool that is classed as anti-forensics: TrueCrypt, a powerful disk encryption tool. An encrypted volume without its passphrase is just random-looking data to the imaging and carving tools above, which is one reason capturing memory (where the key may still be resident) matters.



Although there are a number of excellent commercial forensic suites available, most are priced out of the range of many smaller businesses. BackTrack Linux gives a powerful suite of tools that is comparable to the commercial suites in a free package. I intend to spend more time over winter break learning how to use the powerful tools available in BackTrack. If I were running a business, I might let employees know that if they do something wrong in the digital realm, there are ways that they can be caught. People may be less likely to try things if they know that they could be held accountable.