- # in class we are going to learn how to convert raw image files (.dd) to .E01, .E01 files to raw, and raw to .E01
- # going to go over supertimeline
- # ewf = expert witness format
- # E01 = EnCase evidence file format
- notes:
- in the SIFT workstation terminal
- cd /
- cd /images/unixforensics
- ls
- ewfacquire practical.floppy.dd
- # if you press enter after this you get an error message "acquiry parameters required, please provide the necessary input"
- # continue typing
- ./practical.floppy.dd
- # press enter and it asks for case number
- enter 12345 (example)
- # it asks for a description
- enter description
- # it asks for evidence number
- enter evidence number (example number)
- enter examiner name: (example name)
- enter notes: (example case)
- enter media type (fixed, removable, optical, memory):removable
- media characteristics: logical
- use compression (none, empty-block, fast, best): best
- use EWF file format (ewf, smart, ftk....): encase6
- start to acquire at offset (0 <= value <= 1474560):
- evidence segment file size in bytes
- the amount of bytes per sector
- the amount of sectors to read at once
- the amount of sectors to be used as error granularity
- the amount of .....
- a review will come up
- continue acquiry with values entered? yes
- # it then converts the image to encase format
- ls
- # you then see practical.floppy.E01
- _________________________________
- dcfldd if=practical.floppy.dd bs=512 count=30 skip=19 hashwindow=512b (hashwindow=512b tells dcfldd to emit a hash value for every 512-byte window of the data)
- _________________________________
- # now to convert from encase format to dd
- cd /images/unixforensics
- ewfexport practical.floppy.E01
- # asks information for export required please put in the necessary input
- raw
- # target path and filename with extension or - for stdout: (don't press Enter; type what's below)
- /images/unixforensics/practical.floppy.img (we don't use .dd because we already have a file with that extension) (press Enter)
- # it then converts the file
- ls
- md5sum practical.floppy.dd
- md5sum practical.floppy.img
- # the 2 should have the same md5 hash value
- sum practical.floppy.dd
- sum practical.floppy.img
- # should give the same result
- video: encase to raw conversion
- _________________________________
- cd /images/unixforensics
- afconvert practical.floppy.dd
- # conversion happens right off the bat
- # now take the file and view it in ftk imager
- afconvert -r -e img practical.floppy.aff (probably won't work because you already have a file called practical.floppy.img)
- # so go ahead and delete the file practical.floppy.img and run the above command again
- # now the conversion works
- sum practical.floppy.img
- sum practical.floppy.dd
- # should give the same result
- ls -l /images/unixforensics/practical.floppy.*
- # the sizes are going to be different
- video: raw to aff conversion (vice versa)
- _________________________________
- # how do u mount these files?
- cd /images/unixforensics
- ls /mnt/
- mount_ewf.py practical.floppy.E01 /mnt/ewf/
- # the file is now mounted
- # open a new terminal
- su
- forensics
- cd /
- cd /mnt/ewf/
- ls
- ls -l
- mount -t vfat -o ro,loop practical.floppy /mnt/usb/
- # its now mounted?
- # end of the new terminal
- # open another new terminal
- su
- forensics
- cd /mnt/usb/
- ls
- # the above is all mounting one file; it's a multi-step process
- # dont forget to umount
- umount /mnt/ewf/
- umount /mnt/usb/
- # if it gives you errors you need to cd out of the mounted directories first
- # it is now ok to close the terminals
- video: mounting encase file
- __________________________________
- # how can we mount an ftk file?
- cd /images/unixforensics
- ls
- mkdir /mnt/aff
- affuse practical.floppy.aff /mnt/aff/
- cd /mnt/aff/
- ls
- # you see practical.floppy.aff.raw
- mount -t vfat -o ro,loop practical.floppy.aff.raw /mnt/usb/
- cd /mnt/usb/
- ls
- video: mounting FTK image
- __________________________________
- BRING HELIX CD TO CLASS NEXT WEEK
- ~EVERYTHING ABOVE IN EVERY SECTION OF THIS FILE IS ON VIDEO~
- __________________________________
- SLEUTHKIT
- c:\sleuthkitwindows
- # md5deep
- md5deep.exe -r c:\windows\system32\drivers > "hash output.txt"
- # check the content
- # rename it to known good hashes.txt
- # in sift
- md5deep -r /images/unixforensics > /images/winforensics/goodhashes.txt
- # back in windows
- # index that text file
- hfind.exe -i md5sum "known good hash.txt"
- # index created
- mkdir sorter hash
- sorter hash
- # in sift
- less goodhashes.txt
- hfind -i md5sum goodhashes.txt
- mkdir /images/hash-sorter
- md5deep -r /images/unixforensics/tools/day5/ > /images/winforensics/badhash.txt
- hfind -i md5sum /images/winforensics/badhash.txt
- # index created
- sorter --help
- sorter -f ext -m / -h -s -d /images/hash-sorter/ -a ./badhash.txt -x ./goodhashes.txt /images/unixforensics/sdax.img
- # analyzes my img (img we created for hacked linux system last class) and compares the goodhash and badhash
- #back to windows
- cd d:
- cd "memory\memory imaging"
- mdd.exe
- mdd.exe -o mem.img
- mdd.exe -o c:\memory.img
- # go to drive c
- cd
- strings.exe
- strings.exe -o 4 c:\memory.img > c:\memory.txt
- # new cmdprmpt
- cd \
- wmic process list brief
- #focusing on iexplorer
- pd.exe -p 3856 > c:\ie.dump
- pd.exe -p 1708 > c:\ie2.dump
- # new cmdprmpt
- pd.exe -p 1652 > c:\ie3.dump
- strings.exe c:\ie3.dump > c:\ie.txt
- # might want to install python26
- cd python26
- python.exe pdgmail.py -f c:\ie.txt > result.txt
- _____________________________________
- # anywho
- cd /images/networkforensics
- ls
- man tcpdump
- tcpdump -nn -r email.pcap
- tcpdump -XnnvvSs -w dan.pcap
- #GO ONLINE AND DOWNLOAD BACKTRACK 4