Untitled
a guest
Jun 24th, 2017
# in class we are going to learn how to convert raw image files (.dd) to .E01 (EnCase) files, and .E01 back to raw
# going to go over supertimeline
# ewf = Expert Witness Format (the container format EnCase uses; the libewf tools ewfacquire/ewfexport/ewfverify read and write it)
# E01 = EnCase evidence file extension (first segment .E01, further segments .E02, .E03, ...)


notes:

in the SIFT workstation terminal

cd /
cd /images/unixforensics
ls
ewfacquire practical.floppy.dd
# it prints "Acquiry parameters required, please provide the necessary input": that is not an error, it is the start of the interactive prompts
# the first prompt is the image path and filename without extension for the E01 output; continue typing
./practical.floppy
# press enter and it asks for case number
enter 12345 (example)
# it asks for a description
enter description
# it asks for evidence number
enter evidence number (example number)
enter examiner name: (example name)
enter notes: (example case)
enter media type (fixed, removable, optical, memory): removable
media characteristics (logical, physical): logical
use compression (none, empty-block, fast, best): best
use EWF file format (ewf, smart, ftk, encase1 ... encase6, linen5, linen6, ewfx): encase6
start to acquire at offset (0 <= value <= 1474560): 0
# 1474560 bytes = 2880 sectors x 512 bytes, i.e. the whole 1.44 MB floppy
evidence segment file size in bytes (the default is fine unless the E01 has to be split to fit on removable media)
the amount of bytes per sector (512)
the amount of sectors to read at once
the amount of sectors to be used as error granularity
the amount of .....
# accept the defaults for the rest

a review will come up
continue acquiry with values entered? yes
# it then writes the image in EnCase format, computing the MD5 of the data as it goes and storing it inside the E01

ls
# you then see practical.floppy.E01
  43.  
  44. _________________________________
  45.  
  46.  
  47. dcfldd if=practical.floppy.dd bs=512 count=30 skip=19 hashwindow=512b (hashwindow means you are telling dcfldd to collect the hashvalue every 512bytes)
  48.  
  49. _________________________________
  50.  
  51. # now to convert from encase format to dd
  52.  
  53. cd /images/unixforensics
  54. ewfexport practical.floppy.EO1
  55. # asks information for export required please put in the necessary input
  56. raw
  57. # target path and filename with extension or - for stdout: (dont press enter type whats below)
  58. /images/unixforensics/practical.floppy.img (we dont use .dd because we already have that file with that extension) (press enter)
  59. # it then converts the file
  60. ls
  61. md5sum practical.floppy.dd
  62. md5sum practical.floppy.img
  63. # the 2 should have the same md5 hash value
  64. sum practical.floppy.dd
  65. sum practical.floppy.img
  66. # should give the same result
  67.  
  68. video: encase to raw conversion
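The md5sum/sum comparison above and the dcfldd hashwindow line are the same check at two granularities: whole-image hashes prove the E01 to raw export is bit-for-bit identical, and per-window hashes show where the two diverge when it is not. The Python below is an added example, not part of the class notes and not libewf or dcfldd code: it builds a constructed floppy-sized image (not a real floppy), an identical copy and a copy with one bit flipped inside sector 19, then does the whole-file and windowed hashing in plain Python. The function names, the temporary file names and the sample data are all assumptions of this example.

```python
import hashlib
import os
import tempfile

SECTOR = 512
FLOPPY_BYTES = 2880 * SECTOR    # 1474560: the offset limit ewfacquire shows for the floppy


def file_hash(path, algo="md5"):
    """Hash a file in 1 MiB chunks so a big disk image never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def images_match(a, b):
    """The md5sum comparison done by code instead of by eye: same size and the same
    digest under two different algorithms."""
    if os.path.getsize(a) != os.path.getsize(b):
        return False
    return all(file_hash(a, algo) == file_hash(b, algo) for algo in ("md5", "sha256"))


def window_hashes(path, window=SECTOR, skip=0, count=None, algo="md5"):
    """dcfldd-style piecewise hashing (hashwindow=window; skip=/count= are in windows,
    like bs=window): returns ([(start, end, digest), ...], digest_of_everything_read)."""
    pieces, total, n = [], hashlib.new(algo), 0
    with open(path, "rb") as f:
        f.seek(skip * window)
        while count is None or n < count:
            data = f.read(window)
            if not data:
                break
            start = (skip + n) * window
            pieces.append((start, start + len(data), hashlib.new(algo, data).hexdigest()))
            total.update(data)
            n += 1
    return pieces, total.hexdigest()


def first_differing_offset(a, b, window=SECTOR):
    """Where two images diverge: byte offset of the first window whose hash (or length)
    differs, or None when every window matches."""
    pa, _ = window_hashes(a, window)
    pb, _ = window_hashes(b, window)
    for (start, end_a, ha), (_s, end_b, hb) in zip(pa, pb):
        if ha != hb or end_a != end_b:
            return start
    if len(pa) != len(pb):
        return min(len(pa), len(pb)) * window
    return None


def make_sample_images(tmpdir):
    """Constructed sample data, not a real floppy: a deterministic 1474560-byte image,
    an identical copy (what a correct E01 -> raw export yields) and a copy with one bit
    flipped inside sector 19 (a bad export, or tampering)."""
    image = bytes((i * 31 + (i >> 9)) & 0xFF for i in range(FLOPPY_BYTES))
    paths = [os.path.join(tmpdir, n) for n in
             ("practical.floppy.dd", "practical.floppy.img", "practical.floppy.bad.img")]
    damaged = bytearray(image)
    damaged[19 * SECTOR + 7] ^= 0x01
    for path, content in zip(paths, (image, image, bytes(damaged))):
        with open(path, "wb") as f:
            f.write(content)
    return paths


def demo():
    """Run the checks on the constructed images and return the results."""
    with tempfile.TemporaryDirectory() as d:
        good, copy, bad = make_sample_images(d)
        pieces, total = window_hashes(good, SECTOR, skip=19, count=30)
        return {
            "size": os.path.getsize(good),
            "copy_matches": images_match(good, copy),
            "bad_matches": images_match(good, bad),
            "first_bad_offset": first_differing_offset(good, bad),
            "windows_19_to_48": len(pieces),
            "md5_of_those_sectors": total,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-22s %s" % (k, v))
```

The windowed hashes are what make a mismatch actionable: a differing md5sum only says "not the same", while the first differing window says which sector to go and look at in both images.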
_________________________________


cd /images/unixforensics
afconvert practical.floppy.dd
# conversion happens right off the bat: practical.floppy.aff is written next to the source
# now take the file and view it in FTK Imager
afconvert -r -e img practical.floppy.aff (probably won't work because you already have a file called practical.floppy.img)
# so go ahead and delete the file practical.floppy.img and run the above command again
# now the conversion works (-r = raw output, -e img = use .img as the output extension)
sum practical.floppy.img
sum practical.floppy.dd
# should give the same result
ls -l /images/unixforensics/practical.floppy.*
# the sizes are going to be different: .E01 and .aff are compressed containers with metadata, while .dd and .img are the raw 1474560-byte image

video: raw to aff conversion (vice versa)

_________________________________


# how do you mount these files?

cd /images/unixforensics
ls /mnt/
mount_ewf.py practical.floppy.E01 /mnt/ewf/
# the E01 is now FUSE-mounted: /mnt/ewf/ shows the raw image as a single file named practical.floppy (newer libewf versions ship ewfmount for the same job)
# the notes open new terminals for the next steps so this one can be left alone
# open a new terminal
su
forensics
cd /
cd /mnt/ewf/
ls
ls -l
mount -t vfat -o ro,loop practical.floppy /mnt/usb/
# the floppy's FAT filesystem is now mounted read-only through a loop device; a floppy has no partition table, so no offset= is needed (for a disk image you would add offset=<partition start sector * 512>)
# end of the new terminal
# open another new terminal
su
forensics
cd /mnt/usb/
ls
# the above is all mounting one file, it's a multi-step process: first the E01 container (mount_ewf.py), then the filesystem inside it (mount -o ro,loop)
# don't forget to umount, innermost first, because the loop mount depends on the FUSE mount
umount /mnt/usb/
umount /mnt/ewf/
# if it gives you "device is busy" errors you need to cd out of the directories in every terminal first
# it is now ok to close the terminals

video: mounting encase file

__________________________________


# how can we mount an AFF file? (AFF = Advanced Forensic Format from AFFLIB; it is not FTK's own format, but FTK Imager can read it)

cd /images/unixforensics
ls
mkdir /mnt/aff
affuse practical.floppy.aff /mnt/aff/
cd /mnt/aff/
ls
# you see practical.floppy.aff.raw (affuse exposes the decompressed image as a read-only raw file)
mount -t vfat -o ro,loop practical.floppy.aff.raw /mnt/usb/
cd /mnt/usb/
ls
# when done, same as before: cd out of the directories, umount /mnt/usb/, then fusermount -u /mnt/aff/

video: mounting FTK image

__________________________________

BRING HELIX CD TO CLASS NEXT WEEK

~EVERYTHING ABOVE IN EVERY SECTION OF THIS FILE IS ON VIDEO~

__________________________________


SLEUTHKIT

c:\sleuthkitwindows
# md5deep
md5deep.exe -r c:\windows\system32\drivers > "hash output.txt"
# check the content: one line per file, "<md5>  <path>"
# rename it to "known good hashes.txt"
# in sift
md5deep -r /images/unixforensics > /images/winforensics/goodhashes.txt
# back in windows
# index that text file
hfind.exe -i md5sum "known good hashes.txt"
# index created (hfind writes a .idx file next to the hash list; lookups and sorter use that index, not the raw text)
mkdir sorter hash
sorter hash
# in sift
less goodhashes.txt
hfind -i md5sum goodhashes.txt
mkdir /images/hash-sorter
md5deep -r /images/unixforensics/tools/day5/ > /images/winforensics/badhash.txt
hfind -i md5sum /images/winforensics/badhash.txt
# index created
sorter --help
sorter -f ext -m / -h -s -d /images/hash-sorter/ -a /images/winforensics/badhash.txt -x /images/winforensics/goodhashes.txt /images/unixforensics/sdax.img
# analyzes my img (img we created for hacked linux system last class) and compares it with the goodhash and badhash sets: -x excludes files whose hash is in goodhashes.txt, -a alerts on files whose hash is in badhash.txt; -f ext is the filesystem type, -m / the mount point used for paths in the report, -h writes HTML output, -s saves the sorted files under -d
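The md5deep / hfind / sorter sequence above is a hash-set triage: hash every file, index a known-good set to exclude (-x) and a known-bad set to alert on (-a), and classify whatever is left. The Python below is an added example, not from the notes and not Sleuth Kit code: it reimplements that core logic over a constructed directory tree (the "good", "bad/day5" and "image" trees, their file contents and the function names are all made up here) and reads hash sets in md5deep's own "<md5>  <path>" output format. Real sorter also sorts by file type and writes an HTML report; that part is not reproduced.

```python
import hashlib
import os
import tempfile


def md5deep_r(root):
    """Recursive hashing like `md5deep -r ROOT`: returns lines of '<md5>  <path>'."""
    lines = []
    for dirpath, _dirs, files in sorted(os.walk(root)):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest = hashlib.md5(f.read()).hexdigest()
            lines.append("%s  %s" % (digest, path))
    return lines


def load_hash_set(lines):
    """The lookup structure `hfind -i md5sum` builds: digest -> first path seen.
    Accepts md5deep output lines; blanks and '#' comments are skipped, digests are
    case-insensitive, and a malformed line raises rather than silently shrinking the set."""
    table = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")
        digest = digest.lower()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("not an md5deep line: %r" % line)
        table.setdefault(digest, path)
    return table


def triage(image_root, alert_set, exclude_set):
    """sorter -a/-x style classification of every file under image_root: 'alert' if the
    hash is in the known-bad set, 'excluded' if in the known-good set, else 'unknown'.
    A hash present in both sets is reported as a conflict, not quietly dropped."""
    result = {"alert": [], "excluded": [], "unknown": [], "conflict": []}
    for line in md5deep_r(image_root):
        digest, _, path = line.partition("  ")
        rel = os.path.relpath(path, image_root).replace(os.sep, "/")
        in_bad, in_good = digest in alert_set, digest in exclude_set
        if in_bad and in_good:
            result["conflict"].append(rel)
        elif in_bad:
            result["alert"].append((rel, alert_set[digest]))   # which known-bad file it matched
        elif in_good:
            result["excluded"].append(rel)
        else:
            result["unknown"].append(rel)
    return result


def demo():
    """Constructed sample (not real evidence): a 'known good' tree, a 'day5 tools' tree of
    bad files, and an 'image' tree holding copies of each plus one file in neither set."""
    with tempfile.TemporaryDirectory() as d:
        def put(sub, name, data):
            p = os.path.join(d, sub)
            os.makedirs(p, exist_ok=True)
            with open(os.path.join(p, name), "wb") as f:
                f.write(data)
        put("good", "ls", b"ELF good ls binary")
        put("good", "ps", b"ELF good ps binary")
        put("bad/day5", "ls", b"ELF trojaned ls")            # rootkit replacement for ls
        put("bad/day5", "sniffer", b"ELF packet sniffer")
        put("image/bin", "ls", b"ELF trojaned ls")           # the image has the trojaned ls...
        put("image/bin", "ps", b"ELF good ps binary")        # ...an untouched ps...
        put("image/tmp", ".x", b"ELF packet sniffer")        # ...the sniffer under a new name...
        put("image/home", "notes.txt", b"not in any set")    # ...and something unknown
        good = load_hash_set(md5deep_r(os.path.join(d, "good")))
        bad = load_hash_set(md5deep_r(os.path.join(d, "bad")))
        return triage(os.path.join(d, "image"), bad, good)


if __name__ == "__main__":
    for bucket, items in demo().items():
        print(bucket, items)
```

Note that the sniffer is caught even though it was renamed to /tmp/.x: the match is on content, not on the file name, which is the whole point of hashing the tools directory rather than listing it.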
#back to windows
d:
cd "memory\memory imaging"
mdd.exe
mdd.exe -o mem.img
mdd.exe -o c:\memory.img
# go to drive c
c:
strings.exe
strings.exe -o -n 4 c:\memory.img > c:\memory.txt
# -o prefixes each string with its offset in the image so you can go back to the surrounding bytes; -n 4 sets the minimum string length

# new cmdprmpt
cd \
wmic process list brief
# focusing on iexplore.exe; the PIDs below came from that listing and will differ on another box
pd.exe -p 3856 > c:\ie.dump
pd.exe -p 1708 > c:\ie2.dump
# new cmdprmpt
pd.exe -p 1652 > c:\ie3.dump
strings.exe c:\ie3.dump > c:\ie.txt
# might wanna install python26
cd python26
python.exe pdgmail.py -f c:\ie.txt > result.txt
# pdgmail searches the strings output of the process dump for Gmail artifacts (contacts, message fragments)
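strings.exe pulls printable runs out of the memory and process dumps above, and pdgmail then greps those runs for mail artifacts. The Python below is an added example, not from the notes and not Sysinternals or pdgmail code: it extracts strings with their offsets (the -o behaviour) and also catches UTF-16LE strings, which Windows stores a great deal of and which a plain 8-bit scan walks straight past. The sample buffer is constructed, not a real dump, and the function names and the e-mail regex are this example's own.

```python
import re


def extract_strings(data, min_len=4):
    """[(offset, kind, text)] sorted by offset, like `strings -o -n MIN`, but for both
    8-bit printable runs and UTF-16LE ('wide') runs."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf16le", m.group().decode("utf-16-le")))
    return sorted(found)


def grep_artifacts(strings, pattern):
    """The pdgmail-style step: keep only strings matching a regex, offsets preserved."""
    rx = re.compile(pattern)
    return [(off, kind, s) for off, kind, s in strings if rx.search(s)]


EMAIL_RE = r"[\w.+-]+@[\w-]+\.[\w.-]+"


def sample_dump():
    """Constructed sample, not a real dump: byte noise with no two printable bytes in a row
    (consecutive values differ by 131 mod 256), an ASCII mail header, and a wide
    (UTF-16LE) Windows path."""
    noise = bytes((i * 131 + 7) & 0xFF for i in range(256))
    ascii_part = b"Subject: meeting at 10\r\nFrom: alice@example.com\r\n"
    wide_part = "C:\\Users\\bob\\mail.txt".encode("utf-16-le")
    return noise + ascii_part + noise + wide_part + noise


if __name__ == "__main__":
    found = extract_strings(sample_dump())
    for off, kind, s in found:
        print("%08x %-7s %s" % (off, kind, s))
    print("mail artifacts:", grep_artifacts(found, EMAIL_RE))
```

The wide path would be invisible to an ASCII-only pass because every other byte is 0x00; on a Windows process dump that is most of the file names, registry paths and URLs.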
_____________________________________

# anywho

cd /images/networkforensics
ls
man tcpdump
tcpdump -nn -r email.pcap
# -r reads packets from the saved capture instead of a live interface; -nn keeps hosts and ports numeric (no DNS or service-name lookups, so the analysis box generates no traffic of its own)
tcpdump -nnvvXS -s 0 -w dan.pcap
# live capture on the default interface written to dan.pcap; -s 0 captures whole packets (-s takes a size, so it cannot be the last letter of a bundled -XnnvvSs); -w saves raw packets, so -X/-vv/-S only take effect when reading the file back with -r
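tcpdump -r reads a pcap file: a 24-byte global header, then a 16-byte record header (timestamp, captured length, original length) in front of each frame. The Python below is an added example, not from the notes and not tcpdump code: it builds a constructed one-packet capture (an SMTP EHLO, standing in for email.pcap) and parses it back, printing the same numeric "src.port > dst.port" line tcpdump -nn would. The addresses, ports and function names are this example's own assumptions; only Ethernet/IPv4/TCP is decoded, and a truncated file or a pcapng file is rejected rather than misread.

```python
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4      # little-endian pcap with microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1      # the same format written big-endian
LINKTYPE_ETHERNET = 1


def ip_checksum(header):
    """RFC 791 one's-complement sum over an IPv4 header; 0 when verifying a valid header."""
    if len(header) % 2:
        header += b"\0"
    s = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_tcp_frame(src, sport, dst, dport, payload, seq=1, flags=0x18):
    """Ethernet + IPv4 + TCP frame (flags 0x18 = PSH|ACK); only used to build the sample."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = b"\x00\x50\x56\x00\x00\x01" + b"\x00\x50\x56\x00\x00\x02" + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(frames, ts_sec=1498262400):
    """pcap global header, then (ts_sec, ts_usec, incl_len, orig_len) + bytes per record."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts_sec, i, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return decoded TCP packets as dicts. Non-IPv4/TCP frames are skipped; a truncated
    file, unknown magic (e.g. pcapng) or unsupported linktype raises instead of returning
    an empty, misleading result."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("unknown magic 0x%08x (pcapng is not handled here)" % magic)
    snaplen, linktype = struct.unpack(endian + "II", data[16:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported linktype %d" % linktype)
    off, packets = 24, []
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        if len(frame) != incl or incl > snaplen:
            raise ValueError("truncated record at offset %d" % off)
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + ihl]
        if ip_checksum(ip) != 0 or ip[9] != 6:
            continue                                  # corrupt header or not TCP
        tcp = frame[14 + ihl:14 + struct.unpack("!H", ip[2:4])[0]]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        packets.append({
            "ts": ts_sec + ts_usec / 1e6,
            "src": socket.inet_ntoa(ip[12:16]), "sport": sport,
            "dst": socket.inet_ntoa(ip[16:20]), "dport": dport,
            "seq": seq, "flags": tcp[13], "payload": tcp[(tcp[12] >> 4) * 4:],
        })
    return packets


def tcpdump_nn_line(p):
    """Numeric summary in tcpdump -nn style: no name resolution, so nothing leaves the box."""
    names = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."))
    fl = "".join(n for bit, n in names if p["flags"] & bit)
    return "IP %s.%d > %s.%d: Flags [%s], seq %d, length %d" % (
        p["src"], p["sport"], p["dst"], p["dport"], fl, p["seq"], len(p["payload"]))


def pcap_error(data):
    """None if data parses cleanly, else the error text (for checking the failure paths)."""
    try:
        parse_pcap(data)
        return None
    except ValueError as e:
        return str(e)


def sample_capture():
    """Constructed sample (not real traffic): one SMTP command from a client to a mail server."""
    return build_pcap([build_tcp_frame("192.0.2.10", 49152, "198.51.100.25", 25,
                                       b"EHLO workstation.example\r\n")])


if __name__ == "__main__":
    for p in parse_pcap(sample_capture()):
        print(tcpdump_nn_line(p))
        print("   payload:", p["payload"])
```

The IPv4 checksum is verified on the way in, which is what tcpdump's "bad cksum" warning reports; a capture that fails it is either damaged or was written by something that did not fill the field in.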


#GO ONLINE AND DOWNLOAD BACKTRACK 4