Paul,

Good to hear from you, here are my responses.

At 04:49 PM 9/15/00 -0400, Paul D. Robertson wrote:
>On Fri, 15 Sep 2000 [EMAIL PROTECTED] wrote:
>
> > What would people recommend for an Information Security Forensic Toolkit?
>
>grep, dd and mount.
>
> >
> > A software utility that would protect the subject computer system during
> > the forensic examination from any possible alteration, damage, data
> > corruption, or virus introduction.
>
>Pull the drive and mount it read only on a different computer.  Image copy
>that to a new drive if you need to fsck the filesystem.

Actually a utility that can point to a device that can duplicate/image copy 
disks. Basically what one would really want to do is cobble together a 
device that is capable of slapping an empty drive in slot 1 and the 
suspect drive in slot 0, running the dup, and then doing the rest of the forensics 
process.



> > A software utility that would discover all files on the subject system.
> > This includes existing normal files, deleted yet remaining files, hidden
> > files, password-protected files, and encrypted files.
>
>"Deleted yet remaining files" is a concept from DOS filesystems, and
>doesn't translate well outside of that- remaining disk blocks from old files
>are more accurate to modern filesystems.


One could be involved in any type of forensics, from DOS to Linux to whatever.


> > Another utility that would  recover all (or as much as possible) of
> > discovered deleted files.
>
>This is filesystem specific.

Not really.


> > A data viewer that would reveal (to the extent possible) the contents of
> > hidden files as well as temporary or swap files used by both the
> > application programs and the operating system.
>
>I typically use grep's regexp-based pattern matching combined with dd's
>bit-wise view of the filesystem in question for string-based stuff.  Going
>beyond that depends on the filesystem type and data necessary.

What one would want to have is something that is capable of parsing for 
keywords that someone would type in, or reassembling the bits and bytes.



> > A report utility that would produce the number of accesses, etc. (if possible
> > and if legally appropriate) the contents of protected or encrypted files.
>
>Encryption used is so much of a differentiator that a common tool seems
>less useful than specific per-application utilities and
>brute-force/dictionary-based decryption routines to run popular
>encryption programs.
>
> > An analysis utility that would analyze all possibly relevant data found in
> > special (and typically inaccessible) areas of a disk. This includes but is
> > not limited to what is called 'unallocated' space on a disk (currently
> > unused, but possibly the repository of previous data that is relevant
> > evidence), as well as 'slack' space in a file (the remnant area at the end
> > of a file, in the last assigned disk cluster, that is unused by current
> > file data, but once again may be a possible site for previously created and
> > relevant evidence).
>
>Once again, that's FS-dependent (ntfs is different than fat32 is different
>than ext2...)  Using dd gets around a lot of that.

dd has a 2 GB limit, unless one modifies dd to bypass the 2 GB limit 
checker. dd also has some block overrun issues if the target drive is 
larger than the source.



> > A report utility that would print out an overall analysis in
> > some sort of pre-defined format.
>
>I've never needed to produce an automated report, as critical things tended
>to be either "why we looked at the specific files/disk areas we did," or
>"we looked at every darned thing there was."

Yes, when an organization outsources their forensics stuff (usually the 
case) for 3rd party analysis, they want to know what the 3rd party actually 
did and what was really on the disk.

>
> > If someone was developing this type of tool for the InfoSec community,
> > would this type of tool be of much interest on either the Linux or the
> > Windows platform. (i.e Windows 9x, NT, 2k)
>
>I think Linux would be more useful simply because getting support for
>read-only mounting of non-native filesystems is easy - also direct disk
>access without a device driver is trivial (as is writing a device driver
>if necessary.)

This is a trivial issue, but one would like a nice UI to do 
everything. Actually, doing forensics on Win boxes is something of a pain, 
since most of the Windows-based apps like to install something on the 
target.

I know one or two people who can actually re-construct from a copy of a 
completely toasted drive in less than 48 hours, and lose something like a 
couple of zero-length files. :)

The issue that Paul raises is that one would have to have all the tools or 
little scripts already assembled prior to a forensic engagement, but the 
issue is that one would need to have a suite of tools and the procedure so that 
any lackey could do the procedure and that the process is the same over and 
over again. Offering it as a service and being able to do a forensic 
exercise once or twice is one thing, but to cookie-cutter it is something else. :)



>Paul
>-----------------------------------------------------------------------------
>Paul D. Robertson      "My statements in this message are personal opinions
>[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
>                                                                      PSB#9280
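As an added example (not code from either poster), the "image it, check it, then grep/dd the image" workflow Paul describes, run against a constructed 1 MiB stand-in file rather than a real drive; the paths, the marker string and its offset are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: image a drive, verify the copy by hash,
# then search the image the grep+dd way. The "drive" is a constructed 1 MiB
# file with a marker planted at a known offset; paths and marker are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
EVIDENCE="$WORK/suspect.img"   # stands in for the suspect drive (slot 0)
IMAGE="$WORK/copy.img"         # stands in for the empty drive (slot 1)

# Constructed evidence: zeros, with a 16-byte marker planted at byte 65536.
make_evidence() {
    dd if=/dev/zero of="$EVIDENCE" bs=1024 count=1024 2>/dev/null
    printf 'SECRET-MARKER-42' |
        dd of="$EVIDENCE" bs=1 seek=65536 conv=notrunc 2>/dev/null
}

# Bit-for-bit copy. noerror keeps going past a bad sector and sync pads it
# with zeros, so byte offsets in the image still line up with the source.
image_disk() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Source and image digests must match before any analysis touches the image.
verify_image() {
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# Byte offset of the first hit: -a treats the image as text, -o prints only
# the matched part and -b then prints that part's byte offset.
find_offset() {
    LC_ALL=C grep -a -b -o -- "$2" "$1" | head -n 1 | cut -d: -f1
}

# Pull $3 bytes starting at byte $2 out of the image (never from the source).
extract_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null
}

make_evidence
image_disk "$EVIDENCE" "$IMAGE"
verify_image "$EVIDENCE" "$IMAGE"
# For a real filesystem image the next step is a read-only loop mount, e.g.
#   mount -o ro,loop "$IMAGE" /mnt/evidence   (needs root, so not run here)
```

The script leaves both files in $WORK so the hashes can be re-checked later; all analysis reads the image, never the source.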
