On Fri, 15 Sep 2000 [EMAIL PROTECTED] wrote:
> What would people recommend for a Information Security Forensic Toolkit??
grep, dd and mount.
>
> A software utility that would protect the subject computer system during
> the forensic examination from any possible alteration, damage, data
> corruption, or virus introduction.
Pull the drive and mount it read only on a different computer. Image copy
that to a new drive if you need to fsck the filesystem.
> A software utility that would discover all files on the subject system.
> This includes existing normal files, deleted yet remaining files, hidden
> files, password-protected files, and encrypted files.
"Deleted yet remaining files" is a concept from DOS filesystems, and
doesn't translate well outside of that; remaining disk blocks from old files
is more accurate to modern filesystems.
> Another utility that would recover all (or as much as possible) of
> discovered deleted files.
This is filesystem specific.
> A data viewer that would reveal (to the extent possible) the contents of
> hidden files as well as temporary or swap files used by both the
> application programs and the operating system.
I typically use grep's regexp-based pattern matching combined with dd's
bit-wise view of the filesystem in question for string-based stuff. Going
beyond that depends on the filesystem type and data necessary.
> A report utility that would produce the number of accesses, etc. (if possible
> and if legally appropriate) the contents of protected or encrypted files.
Encryption used is so much of a differentiator that a common tool seems
less useful than specific per-application utilities and
brute-force/dictionary-based decryption routines to run popular
encryption programs.
> An analysis utility that would analyze all possibly relevant data found in
> special (and typically inaccessible) areas of a disk. This includes but is
> not limited to what is called 'unallocated' space on a disk (currently
> unused, but possibly the repository of previous data that is relevant
> evidence), as well as 'slack' space in a file (the remnant area at the end
> of a file, in the last assigned disk cluster, that is unused by current
> file data, but once again may be a possible site for previously created and
> relevant evidence).
Once again, that's FS-dependent (ntfs is different than fat32 is different
than ext2...) Using dd gets around a lot of that.
> A report utility that would print out an overall analysis in
> some sort of pre-defined format.
I've never needed to produce an automated report, as critical things tended
to be either "why we looked at the specific files/disk areas we did," or
"we looked at every darned thing there was."
> If someone was developing this type of tool for the InfoSec community,
> would this type of tool be of much interest on either the Linux or the
> Windows platform. (i.e. Windows 9x, NT, 2k)
I think Linux would be more useful simply because getting support for
read-only mounting of non-native filesystems is easy - also direct disk
access without a device driver is trivial (as is writing a device driver
if necessary.)
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
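The "grep, dd and mount" workflow from the reply above, as an added example that is not part of the original thread: it runs against a constructed 64 KiB image file rather than a pulled drive, checksums the image before and after to show it was not altered, and uses grep byte offsets to carve a block of remnant data with dd. It assumes GNU or busybox grep (for -a, -b and -o) plus POSIX dd, cksum and tr.

```shell
#!/bin/sh
# Added example, not from the original message: dd + grep forensics over a
# constructed evidence image. Assumes GNU/busybox grep (-a -b -o), POSIX dd/cksum.

IMG="${TMPDIR:-/tmp}/evidence_demo.img"
BS=1024   # block size used for every offset calculation below

# Constructed evidence: a live "file" in block 4 and the remnant of a "deleted"
# file in block 20; everything else is zero-filled unallocated space.
build_sample_image() {
    dd if=/dev/zero of="$IMG" bs=$BS count=64 2>/dev/null
    printf 'REPORT: Q3 totals attached\n' \
        | dd of="$IMG" bs=$BS seek=4 conv=notrunc 2>/dev/null
    printf 'DELETED_MEMO: meeting moved to 0900\n' \
        | dd of="$IMG" bs=$BS seek=20 conv=notrunc 2>/dev/null
}

# Checksum the image; taken before and after analysis to prove nothing changed.
image_hash() { cksum < "$IMG" | cut -d' ' -f1; }

# Bit-for-bit working copy (the "image copy to a new drive" step); any fsck or
# mount experiment goes against the copy, never the original. Returns 0 if
# the copy checksums identically to the original.
image_copy() {
    dd if="$IMG" of="$IMG.copy" bs=4096 2>/dev/null
    [ "$(cksum < "$IMG" | cut -d' ' -f1)" = "$(cksum < "$IMG.copy" | cut -d' ' -f1)" ]
}

# grep's regexp matching over the raw bytes: -a treats the binary image as text,
# -c counts matching "lines", -b -o reports the byte offset of each hit.
count_hits() { grep -a -c "$1" "$IMG"; }
first_hit_offset() { grep -a -b -o "$1" "$IMG" | head -n 1 | cut -d: -f1; }

# Turn a byte offset into a block number, then pull just that block with dd,
# dropping the NUL padding so the recovered text is readable.
block_of() { echo $(( $1 / BS )); }
carve_block() { dd if="$IMG" bs=$BS skip="$1" count=1 2>/dev/null | tr -d '\000'; }
```

Typical use is build_sample_image, record image_hash, locate a hit with first_hit_offset, map it through block_of, carve_block that block, and confirm image_hash is unchanged.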