For this week’s blog I decided to go back to BackTrack Linux
and take a look at what sort of forensic tools are available. When booting into
BackTrack Linux it is important to select forensics mode. This mode does not use a
swap partition on the hard drive and does not allow the user to mount the hard
drive. This way the hard drive is preserved in its original condition.
BackTrack has dozens of tools available for forensics. I will only look at a
few. BackTrack has a number of image capture tools. A main one is called dd. This
allows a disk image to be saved for forensic analysis. Dd_rescue is a utility
for rescuing failing media. It would be useful for general data recovery and not
just forensics. Aimage is an advanced recovery tool that allows the user to
save image data and metadata in a standard forensic format. AIR imager is a GUI
front end for dd. These tools can recover data from temporary and deleted files.
Several hashing tools are included to ensure the integrity of the image file.
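To show how dd and the hashing tools fit together, here is an added example that is not from the post: a shell script that images a constructed stand-in for a device with dd, records SHA-256 hashes of the source and the image, and later re-verifies the image against the recorded hash (the file names and the sample device are assumptions).

```shell
#!/bin/sh
# Added example (not from the post): acquire a disk image with dd and use
# hashes to prove the image matches the source, the way the hashing tools
# mentioned above are used. The "device" is a constructed file, not real media.
set -eu

hash_file() {                       # SHA-256 of a file, coreutils or shasum
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

make_sample_device() {              # 32 KiB of random bytes standing in for /dev/sdX
    dd if=/dev/urandom of="$1" bs=4096 count=8 2>/dev/null
}

# conv=noerror,sync keeps reading past unreadable blocks and zero-fills them.
# Caveat: sync pads a short final block, so the image only hashes equal to the
# source when the source size is a multiple of bs (true for whole devices with
# bs=512; the sample above is a multiple of 4096).
acquire_image() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
    src_hash=$(hash_file "$src"); img_hash=$(hash_file "$img")
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]   # acquisition fails if the hashes differ
}

verify_image() {                    # recompute and compare to the recorded hash
    recorded=$(awk '/^image/ {print $2}' "$1.sha256")
    [ "$(hash_file "$1")" = "$recorded" ]
}

run_demo() {                        # acquire, verify, tamper, verify again
    work=$(mktemp -d)
    make_sample_device "$work/dev"
    acquire_image "$work/dev" "$work/dev.img" || return 1
    verify_image "$work/dev.img" || return 1
    # append one byte to the image: the recorded hash no longer matches
    printf 'X' >> "$work/dev.img"
    if verify_image "$work/dev.img"; then return 1; fi
    rm -rf "$work"
    echo "image verified, tampering detected"
}

run_demo
```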
Once the image is saved, tools are available to recover data
from the drive. One tool is Foremost. It can recover data for many common file
types. Other tools are Scalpel and Magic Rescue. PhotoRec is a GUI tool for
rescuing common file types. Autopsy is a graphical suite of recovery tools that
is available for download.
PTK is a RAM dump and analysis tool. It can extract most
common file types from memory. Volatility is a tool for analyzing RAM dumps. There
are also some specialized recovery tools. PDGmail recovers Gmail from memory.
PDFbook extracts Facebook information from memory.
RKhunter is a tool for discovering rootkits.
There are several tools for recovering metadata. One example
is Vinetto, which recovers thumbnails of pictures stored in metadata. PDFparser
recovers data from PDF files. There are also several tools for reading and analyzing
log files.
There are tools for extracting SAM files so that they can be
loaded into a password cracker. CMOSpwd
is a utility designed to crack BIOS passwords. Fcrackzip breaks password
protected zip files.
Network analyzers such as Wireshark are classed as forensic
tools since they can give valuable clues to attacks over a network. Xplico is a
tool for recovering common data types from a Wireshark capture.
There is even one tool that is classed as anti-forensics:
TrueCrypt, a powerful disk encryption tool.
Although there are a number of excellent commercial forensic suites
available, most are priced out of the range of many smaller businesses.
BackTrack Linux gives a powerful suite of tools that is comparable to the commercial
suites in a free package. I intend to spend more time over winter break learning
how to use the powerful tools available in BackTrack. If I were running a business,
I might let employees know that if they do something wrong in the digital
realm, there are ways that they can be caught. People may be less likely to try
stuff if they know that they could be held accountable.