Sunday, September 28, 2008
Time Zone Converter
Thursday, September 25, 2008
Keeping things organised.
MindTouch Deki Virtual Appliance comes pre-installed and configured and runs in VMware. It can be run on a desktop computer to keep my records/discoveries. All information is organised and can be shared with other team members for peer review or comments. Clicking on "Recent Changes" allows me to monitor all changes. Deki has a great access control mechanism and is very easy to administer. All information is indexed and can be found within seconds. It also has a function to export to PDF.
Having different VM snapshots allows multiple investigations/projects to be run independently.
In case indexing doesn't work:
Edit mindtouch.deki.startup.xml and add the following element:
<delay-index-interval>10</delay-index-interval>
then restart Deki Wiki:
/etc/init.d/dekiwiki restart
Log in to Deki as admin and rebuild the index.
To be able to index big PDFs etc.:
Change the following entries in your php.ini file, located at /etc/php5/apache2/php.ini, and then restart Apache with /etc/init.d/apache2 restart:
post_max_size = 32M
upload_max_filesize = 32M
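Editing php.ini by hand on several appliances gets tedious, and a plain "echo >> php.ini" silently leaves the old value in place. The helper below is an added example (my own, not part of the Deki appliance or the original post) that sets a directive idempotently: it rewrites an active line, activates a commented-out ";key = ..." line, or appends the key if it is absent. The /etc/php5/apache2/php.ini path in the usage comment is the one from this post; the function takes the path as an argument so it can be tried on a scratch copy first.

```shell
# Added example, not from the original post: idempotently set a php.ini directive.
# Handles three cases: an active "key = value" line (rewritten in place), a
# commented-out ";key = value" line (activated), or no line at all (appended).
# Usage: set_ini_value /etc/php5/apache2/php.ini post_max_size 32M
set_ini_value() {
    ini="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$ini"; then
        # active directive present: rewrite it in place
        sed -i -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$ini"
    elif grep -Eq "^[[:space:]]*;[[:space:]]*${key}[[:space:]]*=" "$ini"; then
        # only a commented-out directive: replace it with an active one
        sed -i -E "s|^[[:space:]]*;[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$ini"
    else
        # directive absent: append it
        printf '%s = %s\n' "$key" "$value" >> "$ini"
    fi
}

# Read back the effective (uncommented) value of a directive, to check the edit
# before restarting Apache. Prints an empty string if the key is not set.
get_ini_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}
```

Run set_ini_value once per directive (post_max_size and upload_max_filesize for the PDF indexing case), check with get_ini_value, and only then restart Apache; running it twice leaves exactly one active line per key.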
Also switch the PDF text filter from
/var/www/dekiwiki/bin/filters/pdf2text
to
/var/www/dekiwiki/bin/filters/xpdf2text
Sunday, September 21, 2008
Installing Helix 2008R1
The long awaited Helix 2008R1 is finally out. The forensic community, eager to try this new toy (myself included, of course), is still experiencing some problems with download speeds. There are also some problems with installation to the hard drive, which I have found a way to get around.
1. Installation has to be started after the live CD is booted, by going to System->Administration->Install.
2. Just follow the instructions; after you get to the "Who are you" screen, press Forward, and here is the trick. The installation would usually stop there because of problems with os-prober not being able to find volume groups. The trick is to press Cancel and start the installation procedure again. It should work after that.
3. The new Helix looks nice and shiny, but don't relax yet. Adepto, Autopsy, the AV programs and some others would not run. I suggest running an update (apt-get upgrade, or allow the automatic update); after about 20 new updates most of the tools should work.
4. Adepto still would not run, though. To fix it, here is what I did:
$ sudo -i
# cd /usr/local/adepto
# mv logs logs1
# mkdir logs
Obviously there is a problem with the logs file sitting in the /usr/local/adepto directory; instead there should be a directory/folder called logs.
Done.
Correction - I just realised that the logs file is a symlink to /home/ubuntu/adepto/logs.
I guess that if everyone creates the user ubuntu during the installation, Adepto should work just fine (or create a new folder and symlink it).
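Since the real cause is a symlink whose target only exists when an "ubuntu" user was created, the fix can be scripted so it works on any install. The function below is an added example (mine, not the Helix or Adepto project's) that takes the logs path as an argument and handles the three situations you can run into: a dangling symlink (it creates the missing target, keeping Adepto's expected layout), a regular file in the way (moved aside, as the mv above does), or nothing there at all. The /usr/local/adepto/logs and /home/ubuntu/adepto/logs paths are the ones from this post.

```shell
# Added example, not the author's commands: make sure Adepto's logs path is a
# usable directory. On Helix 2008R1 /usr/local/adepto/logs is a symlink to
# /home/ubuntu/adepto/logs; without an "ubuntu" user the link dangles.
# Usage (as root): fix_logs_dir /usr/local/adepto/logs
fix_logs_dir() {
    logs="$1"
    if [ -d "$logs" ]; then
        return 0                          # already a directory (or a symlink to one)
    elif [ -L "$logs" ]; then
        target=$(readlink "$logs")        # dangling symlink: create what it points to
        case "$target" in
            /*) ;;                        # absolute target, use as-is
            *)  target="$(dirname "$logs")/$target" ;;   # relative: resolve against link dir
        esac
        mkdir -p "$target"
    elif [ -e "$logs" ]; then
        mv "$logs" "$logs.bak"            # a regular file in the way: move it aside
        mkdir "$logs"
    else
        mkdir -p "$logs"                  # nothing there at all
    fi
    [ -d "$logs" ]                        # return status: does it resolve to a directory now?
}
```

Keeping the symlink and creating its target (rather than replacing the link with a directory) means a later Adepto update that expects the /home/ubuntu layout still finds what it wants.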
Installing VMware tools on CentOS 5.2
Running CentOS as a guest OS under VMware is OK without VMware Tools installed; however, there may be some problems with the mouse, screen etc. Installing VMware Tools on CentOS can be accomplished by using the RPMs that come with VMware Workstation. I encountered a few problems whilst trying to install VMware Tools: I could not unload the pcnet32 module, and the system did not shut down gracefully. After digging through the Internet and experimenting I came up with the following.
Disable IPv6 by editing /etc/modprobe.d/modprobe.conf.dist and adding the line install ipv6 /bin/true anywhere in it (and disabling iptables for IPv6 later on).
Start CentOS in single user mode by typing as root: init 1 or /sbin/init 1
Then run vmware-config-tools.pl
After the installation completes, reboot.
I also have a button on the GNOME panel with the command gksu vmware-toolbox, to be able to copy and paste between the guest and host operating systems.
- A slightly more elegant solution would be to put the line /usr/bin/vmware-user & into /etc/rc.local, so there is no window to close after the program starts. To modify the settings, vmware-toolbox can be started manually as needed. In Ubuntu it is even easier: System > Preferences > Sessions, and in the Startup Programs tab click Add, give it a name and enter /usr/bin/vmware-user &
Friday, September 19, 2008
A few things to consider when using FTK Imager:
- with the acquisition of a logical NTFS partition;
- the sectors hidden by a host protected area (HPA);
- the sectors hidden by a device configuration overlay (DCO); and
- FTK Imager didn't report the location of corrupted data.
Release Date: April 8, 2008
The release notes for version 2.5.4 make no mention of any fixes for the bugs detected by NIST.
Tuesday, September 16, 2008
USB dongle for SMART with Ubuntu
SMART from ASR Data is being tested on my Ubuntu 8.4
Initially it didn't want to recognise the USB dongle that comes with SMART. Running aksusbd didn't help. It is recommended to attach the USB dongle before booting Linux; that didn't work either. After issuing mount -t usbfs none /proc/bus/usb followed by aksusbd, it worked fine. /etc/fstab was then modified and the line usbfs /proc/bus/usb usbfs auto 0 0 added (0 = zero, not the letter o). The aksusbd daemon is not correctly installed to start at boot in Ubuntu. The easiest way to deal with this is to write a bash script:
#!/bin/bash
# expose USB devices through usbfs so the dongle daemon can see the key
mount -t usbfs none /proc/bus/usb
# start the dongle daemon, then SMART itself
/usr/sbin/aksusbd; /usr/local/bin/smart
Then add a custom application launcher to the GNOME panel and point it at the script. I am sure there are better ways of doing this, but it works well for me and doesn't take much time :-) To run SMART or any other application that requires root, install gksu and type gksu /usr/local/bin/smart
SMART stands for Storage Media Analysis Recovery Toolkit.
Monday, September 15, 2008
LinEn & ewfacquire to produce EnCase images
Besides AIR, GRAB, ADEPTO and several other dd-based tools, there are two Linux forensic tools that can image a drive and produce E01 (EnCase) images: LinEn from EnCase, and ewfacquire, which is part of the libewf package. libewf does not yet support the logical volume format (EWF-L01). LinEn can be downloaded here. It is easy to run: make it executable by changing the file's permissions and type ./linen. ewfacquire is claimed to be faster than LinEn, however I haven't noticed any significant difference.
tableau-parm 0.1.0 is another useful Linux tool for getting drive information from Tableau forensic write blockers; it is similar to the Windows-only Tableau Disk Monitor.
Sunday, September 14, 2008
PyFlag
---
12 Oct 2008
PTK 1.0 is going to be released 28 October 2008.
grab & adepto
apt-get install sharutils cryptcat libx11-dev libtsk-dev
sharutils is needed, otherwise a uudecode error will show up. cryptcat is also required for grab to function, and libx11-dev will stop any complaints about problems with gettimeofday(). It also would not work without libtsk-dev and several other dependencies connected to libtsk-dev. adepto is a replacement for grab, and a new version is coming next week together with the new release of Helix.
The modified grab.tar.gz can be downloaded from here or here. MD5 hash for grab.tar.gz: f569a458b35cf100284bb578fa3d3e74