Friday, December 12, 2008

PTK 1.0.2 on Ubuntu

PTK 1.0.2 is the latest GUI-based forensic tool by DFLabs. It is 'an alternative Sleuthkit Interface' that works with the Mozilla Firefox, Safari, Opera and Chrome browsers.
I played with the version released prior to PTK 1.0 in October this year and found the project to be very promising but completely unusable and buggy. Today I installed and tested the latest version of PTK and must admit that the DFLabs guys have put a lot of work into making this application more stable and more useful.
The installation is very simple; I just followed the instructions and was up and running in about 15 min. This version of PTK only works with Sleuthkit 3.0.0, which is not in the default Ubuntu repositories yet, so I had to download and install it manually.

I liked its tabbed interface as well as Timeline, Gallery and Keyword Search features. Report creation option worked quite well.

Creating filters to search for specific file types within a specified timeframe is a nice feature. The speed and responsiveness of the application are not great, but acceptable from a usability point of view.

It is still not a bug-free application, if there is such a thing.

I came across a Secunia advisory for PTK version 1.0 stating that PTK is vulnerable to 'an input validation error' when handling forensic images. It is somewhat unusual to read a vulnerability report about forensic tools, simply because of the different environment these tools are designed to operate in. I then found on the DFLabs web site a very good response to this particular vulnerability report and I have nothing further to add.

  1. This is a free forensic tool with great potential!
  2. I will keep an eye on this tool, but will not be using it for forensic examinations yet.

Sunday, December 7, 2008

Backwards incompatible Perl 6 & Python 3.0

Both Perl 6 and Python 3.0 are backwards incompatible with the previous releases because of the changes made to both languages. It appears that at first these new versions are going to be somewhat slower (10% or more) than their predecessors and will be optimised in future releases. Python 3.0 was released on 4 December 2008. The Python 2.x line will however continue to be developed and maintained in parallel for some years. 'A Byte of Python' is a free ebook for those who want to learn Python; it has already been updated for Python 3.0.

Monday, December 1, 2008

Write blockers - firmware

Update your write blockers with new firmware. It may be the case that the person responsible for maintaining your forensic lab and equipment has left the organisation, leaving the equipment without proper attention and nobody in the office receiving the manufacturers' notifications about available updates. Some updates resolve only minor issues or add support for newer devices, but there are also updates that are critical.

The upgrade process is quick and easy. Testing and documenting also take only a few minutes: after the update, confirm that the blocker still refuses writes (hash a known test drive, attempt a write through the blocker, hash again) and record the new firmware version in the equipment log. The Tableau Firmware Update tool can be found here.

Saturday, November 29, 2008

Recovering web browser passwords

All popular web browsers offer a password manager option to store usernames and passwords of the visited websites. It is possible to recover these usernames & passwords and in some cases view dates and times when a person registered/logged in with these credentials the first time.

1. Internet Explorer - IE PassView

2. Mozilla Firefox - PasswordFox v1.10

3. Safari – Method applicable to several web browsers

4. Opera – Unwand

5. Google Chrome - ChromePass v1.05

There are some other utilities incl. commercial versions, which I have not tested. The above mentioned tools are free and tested to be working.

Sunday, November 23, 2008

A bit of technology in a world of geeks

The Tesla Personal Supercomputer costs under $10,000, has Nvidia graphics processing units (GPUs) inside and uses a parallel computing architecture. The claim is that computers with Tesla C1060 GPU processors have 250 times the processing power of a PC workstation. It should be good for password cracking :-).

Microsoft is going to offer a free anti-malware solution codenamed "Morro" to provide 'comprehensive protection from malware including viruses, spyware, rootkits and trojans'. Windows Live OneCare will no longer be sold from June 30, 2009. Hopefully it will have a positive impact on stopping malware from spreading without killing the sales figures of other anti-virus vendors.

Faster FireWire and USB speeds

Next year we may see a new version of FireWire known as S3200. It is to deliver a peak of 3.2 gigabits per second (400 MB/s) compared to the current 800 megabits per second (100 MB/s).

The new USB 3.0, also called 'USB SuperSpeed', is set to multiply the USB 2.0 (480 Mbit/s) bandwidth tenfold and will transfer data at speeds up to 4.8 Gbit/s. That would allow transferring 27 GB of data in about 70 seconds. USB 3.0 is designed to be backwards compatible with USB 2.0 and USB 1.1.

Here is an interesting link re: USB 3.0

Wednesday, November 19, 2008

CISCO Routers forensics

Some interesting links to resources about forensics on CISCO routers.

  • Book "Cisco Router and Switch Forensics" by Jesse Varsalone
  • Powerpoint presentation "Cisco Router Forensics" by Thomas Akin, Black Hat Briefings, 2002
  • Powerpoint presentation "Router forensics DDoS/worms update" by Nicolas Fischbach, Senior Manager, IP Engineering/Security - COLT Telecom
  • Another interesting document "Auditing CISCO Routers" by the Technology Pathways
  • A document called "CISCO Routers as Targets" by Joshua Wright
  • M.Sc. thesis "Forensic examination of log files" by Joan Petur Petersen

Saturday, November 15, 2008

My forensic 'dream' machine

Here are the specs for a forensic machine I would like to get one day.
Intel Dual-Core Xeon Processor X5272
There is no point in using a quad-core because current forensic applications are not designed to take advantage of multi-core CPUs.
8GB ECC Registered DDR2 Memory

ECC memory can detect and correct single-bit errors (and detect most multi-bit errors) on the fly. Because the extra checking involves more processing, ECC memory may be slightly slower than non-ECC memory, but it provides greater reliability and system stability. ECC RAM is also more expensive.

SATA RAID hardware controller with 4 x 10,000 RPM SATA II drives

RAID controller configured as RAID 0+1, which is a mirrored array whose two halves are RAID 0 stripe sets. It tolerates the loss of a single drive (once a drive fails its whole stripe set is gone, so a second failure in the other set loses the array), and like plain mirroring it costs half the raw capacity. It supports very high I/O rates thanks to the multiple stripe segments. RAID 1+0 (mirrored pairs that are then striped) survives more two-drive failure combinations and is usually the better choice when the controller offers it.

Other must-have components

Drive bay controller with multi-bay read/write status, a couple of SATA/IDE write-blocked bays, a write-blocked universal memory card reader, a built-in USB write blocker, USB 2.0 ports, FireWire 400/800 and eSATA ports.

Operating System

To get maximum compatibility with drivers and software, I would go for a 32-bit Windows operating system. Microsoft Windows Server 2003 Enterprise Edition can use memory beyond the 4 GB limit inherent to 32-bit operating systems through Physical Address Extension (PAE): the 32-bit Enterprise Edition supports up to 32 GB of RAM at release and up to 64 GB with Service Pack 1 or later. Note that each 32-bit process is still limited to a 2 GB user address space (3 GB with the /3GB switch), so the extra memory mainly benefits the file cache and running several tools at once. Most Windows XP drivers are compatible with Windows Server 2003. FTK, EnCase, X-Ways Forensics and many other forensic applications run very well under Windows Server 2003. FTK, however, requires administrator privileges to work correctly. The operating system needs some tweaking to enable prefetch etc.; all adjustments take about 10 minutes to complete. Instructions can be found here. Additionally, there is a free tool for automated server-to-workstation transformation.

Saturday, November 8, 2008

USB Flash drives acquisition!

Wear Levelling

Most flash drives are NAND flash devices whose cells endure a limited number of program/erase cycles (of the order of 100,000 for single-level-cell parts and around 10,000 for multi-level-cell parts). The lifetime of the flash drive therefore depends on the endurance of the flash chip, and to extend it manufacturers implement wear-levelling (also spelled wear-leveling).

The wear-levelling mechanism spreads write cycles across the flash chip, reducing continual use of the same areas and promoting even use of all memory cells.

What does this mean for forensic examiners? The content of a file that no longer exists from the point of view of the file system may have been fully or partially changed by the wear-levelling algorithm. On many NAND flash devices this happens when new data is written.

NAND flash is not very efficient at random writes, because the controller must find an already-erased block before it can program it; if none is available, a block (the erase unit, much larger than a single write page) must be erased first, which takes additional time and reduces the efficiency of the device. Different manufacturers take different approaches to this problem. Some add controllers and/or cache memory to their flash drives. Some change the firmware and wear-levelling algorithms so that the controller reorganises 'unallocated' free space in the background, even while the device is only being read, so that erased blocks are already available when the next write arrives.

Acquiring these devices requires an additional step that, from my experience, is rarely taken. The standard procedure is to simply connect the USB device to a forensic machine via a hardware or software write blocker and let the forensic software do the acquisition and verification. There are two problems with this approach.
  1. Most forensic tools hash (MD5 or SHA-1) the device, acquire the data and then verify the image against that hash. There is no further hashing of the physical device after that, so we essentially rely on the write blocker to prevent any changes.
  2. Some USB devices (approximately one in every ten, from my experience) produce a different cryptographic hash every time you calculate it, even though no write is allowed. So, by simply reading such a device, we are changing something inside it.
The significance of this is obvious. If an independent party checks the integrity of such a device, they will end up with a completely different MD5 or SHA-1 value. Unless you know about the problem beforehand, it may be too late to explain this difference in Court.

So, what actually changes on the drive and how should the issue be dealt with? The good news is that existing files are not changed, and this can easily be confirmed by comparing hash values of the files from two images of the same device taken at different times. X-Ways Forensics is probably the best tool for this task.

Using that tool and its terminology, we can see that the changes occur in 'Free space' and 'Previously existing files'. It is up to the forensic examiner to deal with the admissibility of data/evidence extracted from 'Free space'. Taking an additional image of the device, extracting (carving) files and comparing them with the files from the first image is one technique. Many carved files will differ, because of the sector shuffling performed by the wear-levelling algorithm.


Additionally, because of the wear-levelling mechanism and dynamic mapping of logical to physical sectors, some file artefacts may be left behind even after "secure wiping" of the USB flash drive.

Ordinary hard disks generally do not implement wear-levelling; however, solid-state drives do, and they are becoming increasingly popular in notebooks, so this may soon change.

27 February 2009


The issue does exist despite some people finding it hard to believe, and it is here to stay for some time. The only way to deal with it is through correctly devised procedures, which in general can be described as:

1. Identify devices with this wear-levelling behaviour (for example by hashing the device before and after the acquisition and comparing the two values).

2. Isolate the existing files (those not marked as deleted) from the deleted ones. Verify the integrity of the existing files by comparing their hashes across the two images.

3. Deal with the deleted files in a way that allows accurate and verifiable data to be presented in court.
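Steps 1 and 2 above can be checked mechanically once two images of the same device exist. The following Python script is an added example, not part of the original post or of any tool mentioned here: it hashes both images, hashes each still-allocated file from its sector extents, and lists the unallocated sectors that differ between the two acquisitions. The sector size, the 16-sector "device" and the extent map for report.doc are constructed sample data; in practice the extents would come from the file system parser of X-Ways or The Sleuth Kit.

```python
import hashlib

SECTOR_SIZE = 512


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def file_hash(image: bytes, extents) -> str:
    """Hash the logical content of a file given its (start_sector, sector_count) extents."""
    parts = [image[s * SECTOR_SIZE:(s + n) * SECTOR_SIZE] for s, n in extents]
    return sha1_hex(b"".join(parts))


def compare_acquisitions(image_a: bytes, image_b: bytes, allocated: dict) -> dict:
    """Compare two acquisitions of the same flash device.

    allocated maps file name -> list of (start_sector, sector_count) for files the
    file system still considers present. Returns the device hashes, a per-file
    verdict, and the list of unallocated sectors whose content differs.
    """
    if len(image_a) != len(image_b) or len(image_a) % SECTOR_SIZE:
        raise ValueError("images must be the same size and a whole number of sectors")
    report = {
        "device_hash_a": sha1_hex(image_a),
        "device_hash_b": sha1_hex(image_b),
        "files": {},
        "changed_unallocated_sectors": [],
    }
    report["device_match"] = report["device_hash_a"] == report["device_hash_b"]

    allocated_sectors = set()
    for name, extents in allocated.items():
        for start, count in extents:
            allocated_sectors.update(range(start, start + count))
        ha, hb = file_hash(image_a, extents), file_hash(image_b, extents)
        report["files"][name] = {"hash_a": ha, "hash_b": hb, "match": ha == hb}

    # Step 1 in reverse: where exactly did the device change between the two reads?
    for sector in range(len(image_a) // SECTOR_SIZE):
        if sector in allocated_sectors:
            continue
        lo = sector * SECTOR_SIZE
        if image_a[lo:lo + SECTOR_SIZE] != image_b[lo:lo + SECTOR_SIZE]:
            report["changed_unallocated_sectors"].append(sector)
    return report


def build_demo_images():
    """Constructed sample data: a 16-sector 'device' imaged twice. Not from a real drive."""
    sectors = [bytes(SECTOR_SIZE) for _ in range(16)]
    sectors[0] = b"BOOT".ljust(SECTOR_SIZE, b"\x00")
    sectors[2] = b"A" * SECTOR_SIZE                      # report.doc, allocated, 2 sectors
    sectors[3] = b"B" * SECTOR_SIZE
    sectors[5] = b"deleted letter".ljust(SECTOR_SIZE, b"\x20")  # remnants of a deleted file
    sectors[9] = b"old temp data".ljust(SECTOR_SIZE, b"\x20")
    image_a = b"".join(sectors)
    # Second acquisition: the controller has reshuffled two unallocated blocks,
    # while the allocated file content is untouched.
    sectors[5] = bytes(SECTOR_SIZE)
    sectors[9] = b"old temp".ljust(SECTOR_SIZE, b"\xff")
    image_b = b"".join(sectors)
    allocated = {"report.doc": [(2, 2)]}
    return image_a, image_b, allocated


def demo() -> dict:
    image_a, image_b, allocated = build_demo_images()
    return compare_acquisitions(image_a, image_b, allocated)


if __name__ == "__main__":
    r = demo()
    print("device hash reproducible:", r["device_match"])
    for name, f in r["files"].items():
        state = "unchanged" if f["match"] else "CHANGED"
        print(f"{name}: allocated content {state} ({f['hash_a']})")
    print("unallocated sectors that changed between acquisitions:", r["changed_unallocated_sectors"])
```

The report is what you would want in the case notes: the two device hashes that do not match, the per-file hashes that do, and the exact sectors (all in free space) where the drive rearranged itself between two read-only acquisitions.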

"Knowledge is dynamic in nature, today's knowledge may well become tomorrow's ignorance if an individual or organisation fails to update knowledge as environmental conditions change."

Turban, E., Leidner, D., Mclean, E., Wetherbe, J., Information Technology for Management: Transforming Organizations in the Digital Economy. Wiley; 6 edition (March 5, 2007)
March 2009

Here is the link to a series of youtube videos of 'DEFCON 16' presentation by Scott Moulton who does a good job of explaining how the concept works.

5 November 2009
Another good article about SSD and NAND flash technology.

Friday, November 7, 2008

VMware Workstation 6.5 released

Finally I have found some time to install the recently released VMware Workstation 6.5, and I regret not having done this earlier. This version offers several new features, such as improved performance of copy/paste operations between the host and the guest. USB devices are handled quite well by this version, so no more pain getting a device recognised by the guest rather than the host OS. Some sources claim that USB device performance is improved by as much as 50%. The Unity feature is interesting, but to me it is a little toy at this stage.

Saturday, November 1, 2008

Case Notes Software

A proper forensic analysis is rarely accomplished with just one forensic tool such as EnCase or FTK. Jumping from one tool to another, and from one operating system to another, makes it necessary to keep contemporaneous notes in one place, so they can be quickly searched and referenced. I was looking for a tool that would be lightweight and easy to use, and found a nice application called CaseNotes from QCC. It is a free application that runs on MS Windows machines and is designed for computer forensic record keeping. I have found it quite useful. The tabbed, MS Word-like interface is very useful; however, simple spell checking and an easier way to import photographs would make this application more user friendly. I like to have the formatting and spell-check of Office at my disposal, so after using CaseNotes for a few days I started playing with MS Office OneNote 2007. It has a tabbed interface, insert date and time (Alt+Shift+F), a password-protect option, search, easy formatting, adding photographs, and can be shared with others in my office. OneNote has a nice option to export all the records to PDF. For me, this could be the way to move away from paper-based record keeping.

Monday, October 27, 2008

Right click on a file to calculate hash

HashTab v1.14 is my favorite Windows Shell Extension for calculating and comparing hash values. It works with MD5 and SHA-1 hashes by providing an easy-to-use right-click menu for files in Windows.

It is possible to have similar functionality in Linux. On my Ubuntu I am using Zenity, a tool that allows you to create GUI widgets and dialogs from shell scripts.

Here is a little bash script that you can save as CalcHash file and make it executable.

#!/bin/bash
# The script "CalcHash" calculates the MD5 hash of the file(s) selected in Nautilus.
# Replace md5sum with sha1sum to calculate SHA-1 instead.
# mktemp gives an unpredictable name; a date-based name under /tmp can be guessed by another user.
tmp_file=$(mktemp /tmp/md5-XXXXXX) || exit 1
# Nautilus passes the selected paths newline-separated; read them one per line so that
# names containing spaces are hashed correctly instead of being split into words.
printf '%s\n' "$NAUTILUS_SCRIPT_SELECTED_FILE_PATHS" | while IFS= read -r f; do
    [ -n "$f" ] && /usr/bin/md5sum -- "$f"
done > "$tmp_file"
zenity --text-info --title="MD5 hash" --filename="$tmp_file" --width=1100 --height=100
rm -f "$tmp_file"
exit 0

To make the file executable just open gnome-terminal by clicking Applications > Accessories > Terminal. Then type:

chmod 755 CalcHash

or, if you prefer GUI, right-click on the file, select "Properties" click on the "Permissions" tab and then tick the appropriate box.

The script needs to be copied to ~/.gnome2/nautilus-scripts.

You can go to Places > Home Folder

In Nautilus press Ctrl+H, or go to View and click Show Hidden Files

Navigate to .gnome2 / nautilus-scripts and paste your script.

To calculate MD5 Hash, right click on any file or group of files and you should see something like this:

Wednesday, October 22, 2008

Disposable anti-virus!

One of the quick ways to check an acquired image for the presence of malware is to mount it with Mount Image Pro or Smart Mount and run your favourite anti-virus over it. Make sure the image is mounted read-only, so that a scanner set to disinfect cannot alter the evidence. Using two different anti-virus products is usually a good idea. However, running two anti-virus products on an isolated forensic network and keeping them up to date may require some extra effort.

The Kaspersky® Virus Removal Tool, often referred to as AVPTool, is a virus scanning and removal utility that employs the detection engine from Kaspersky Lab. Kaspersky is one of my favourite anti-virus solutions and it rates fairly high amongst other anti-virus products.

AVPTool is rebuilt every 2 hours and contains the latest virus signatures.
It installs into a folder on your desktop and, upon finishing the scan, an uninstall prompt appears and removes the tool if you answer yes. It can produce virus scan reports and doesn't leave much behind after it is uninstalled.

CON: It is a 25 MB file that you will have to download every time you need an up-to-date scanner.

AVPTool is available for free on HTTP and FTP.

Sunday, October 19, 2008

Briefly about Visualisation

The process of collection, preservation and analysis of digital forensic data is normally followed by the presentation of findings by the forensic examiner. At this stage it is important for non-forensic people (legal etc.) to clearly understand the significance of the uncovered evidence. Visualisation can make this task a lot easier by displaying the findings graphically, making even small details visible and demonstrating the relationships between various pieces of evidence.
A variety of commercial and free open-source software can be used to accomplish this task. A free and open-source graphical timeline editor called Zeitline and the commercial ConceptDraw MINDMAP are worth mentioning here.
Zeitline is an open-source graphical tool written in Java, developed and maintained at CERIAS (Purdue University's Center for Education and Research in Information Assurance and Security).
ConceptDraw MINDMAP is mind-mapping software that normally costs US $199. It appears that the company is offering the previous version of this software free for a limited time. You can find more details at Lifehacker's web site.

Saturday, October 18, 2008

Time and Timestamps

"A file time is a 64-bit value that represents the number of 100-nanosecond intervals that have elapsed since 12:00 A.M. January 1, 1601 Coordinated Universal Time (UTC).

The FAT file system stores time values based on the local time of the computer. For example, a file that is saved at 3:00pm PST in Washington is seen as 6:00pm EST in New York on an NTFS volume, but it is seen as 3:00pm EST in New York on a FAT volume.

The NTFS file system stores time values in UTC format, so they are not affected by changes in time zone or daylight saving time." MSDN

Why 1 January 1601?
The Gregorian calendar repeats exactly every 400 years, and 1601 is the first year of such a 400-year cycle; conveniently, 1 January 1601 was a Monday. Taking the number of whole days since the epoch modulo 7 therefore gives the day of the week directly (0 = Monday, 6 = Sunday).
Day of the Week = Days Since 1601 MOD 7

Several different timestamp formats are in use (FILETIME above, the FAT directory-entry date and time fields, Unix epoch seconds and others), and it can be confusing.

The original DOS FAT12/FAT16 directory entry carried only a last-modified date and time. Creation and last-access times were added with VFAT (Windows 95) and are used on FAT12/16/32 volumes written by those systems; note that the FAT last-access field holds a date only, with no time. NTFS additionally records the time the MFT entry itself was last changed. The three commonly displayed time stamps are:

1. Time when the file was First created
2. Time when the file was Last modified
3. Time when the file was Last accessed

Here is how these values are changed by the Operating System (OS)

A quick picture reference to FAT and NTFS Date and Time stamps for files and folders based on Microsoft Article 299648.

A file from FAT file system to FAT file system

A file from FAT file system to NTFS file System

A file from NTFS file system to NTFS file System

Folder 2 copied into Folder 1

Folder 2 moved into Folder 1

FAT works a bit differently according to the same document: if you copy or move Folder 2 into Folder 1, the created and modified dates of Folder 1 remain unchanged.

Microsoft Article ID 127830, "Time Stamps Change When Copying From NTFS to FAT", is also quite interesting. According to this article, when a file is copied from an NTFS volume to a FAT volume the time stamp is rounded up to the nearest two seconds. This happens because the FAT directory entry stores the modification time in two-second units, whereas NTFS keeps 100-nanosecond resolution and so can hold odd seconds and fractions. An NTFS time of 10:00:00.000 therefore becomes FAT 10:00:00.000, but anything later than that, from 10:00:00.001 up to 10:00:01.999, becomes FAT 10:00:02.000.
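The relationships above (the 1601 epoch, the MOD 7 weekday rule, and the two-second FAT rounding described in KB 127830) can be checked with a few lines of Python. This is an added example, not code from the original post or from Microsoft: the function names are mine, the FILETIME and DOS date/time layouts are the documented ones, and the round-up behaviour is implemented as the article is read above.

```python
from datetime import datetime, timedelta, timezone

# FILETIME: count of 100-nanosecond ticks since 1601-01-01 00:00:00 UTC (MSDN definition quoted above).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
TICKS_PER_DAY = 86_400 * TICKS_PER_SECOND
# 1 January 1601 was a Monday, so (whole days since the epoch) mod 7 indexes this table directly.
WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")


def filetime_to_datetime(ft: int) -> datetime:
    """Decode a FILETIME into an aware UTC datetime.
    Python keeps microseconds, so the last (100 ns) digit is dropped."""
    if ft < 0:
        raise ValueError("FILETIME is an unsigned 64-bit value")
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime for an aware datetime (any zone)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def weekday_from_filetime(ft: int) -> str:
    """Day of the Week = Days Since 1601 MOD 7, exactly as in the formula above."""
    return WEEKDAYS[(ft // TICKS_PER_DAY) % 7]


def ntfs_to_fat_copy(ft: int) -> int:
    """Model the NTFS -> FAT copy behaviour of KB 127830 as read above: FAT keeps the
    modification time in 2-second units, and a value not already on an even second is
    rounded UP to the next one. Input and output are FILETIME ticks."""
    two_seconds = 2 * TICKS_PER_SECOND
    return -(-ft // two_seconds) * two_seconds  # ceiling division without floats


def pack_fat_datetime(local: datetime) -> tuple:
    """Pack a (naive, local) time into the 16-bit DOS date and time words of a FAT
    directory entry. The time word has only 5 bits for seconds/2, which is where the
    2-second granularity comes from."""
    if local.year < 1980:
        raise ValueError("FAT dates start at 1980")
    fat_date = ((local.year - 1980) << 9) | (local.month << 5) | local.day
    fat_time = (local.hour << 11) | (local.minute << 5) | (local.second // 2)
    return fat_date, fat_time


def unpack_fat_datetime(fat_date: int, fat_time: int) -> datetime:
    """Inverse of pack_fat_datetime; the result is naive local time, as FAT stores it."""
    return datetime(1980 + (fat_date >> 9), (fat_date >> 5) & 0x0F, fat_date & 0x1F,
                    fat_time >> 11, (fat_time >> 5) & 0x3F, (fat_time & 0x1F) * 2)


if __name__ == "__main__":
    unix_epoch = 116_444_736_000_000_000  # 1970-01-01 00:00:00 UTC expressed as a FILETIME
    print(filetime_to_datetime(unix_epoch), weekday_from_filetime(unix_epoch))
    t = datetime_to_filetime(datetime(2008, 10, 18, 10, 0, 0, 1000, tzinfo=timezone.utc))
    print("NTFS", filetime_to_datetime(t).time(), "-> FAT", filetime_to_datetime(ntfs_to_fat_copy(t)).time())
    print(pack_fat_datetime(datetime(2008, 10, 18, 10, 0, 2)))
```

Note that pack_fat_datetime takes a naive local time on purpose: FAT stores whatever the clock of the writing machine said, so the examiner has to supply the time zone separately, whereas the FILETIME helpers always work in UTC.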

A Few Things To Keep In Mind

1. NTFS Last Access time stamp updates can easily be disabled in the registry on Windows NT, Windows 2000 and Windows XP (key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem):

Value Name: NtfsDisableLastAccessUpdate
Data Type: REG_DWORD (DWORD Value)
Value Data: set to 1 to prevent Last Access time stamp updates.

Note that Windows Vista has Last Access time updates disabled by default to improve NTFS performance. Some applications require Last Access timestamps to operate correctly; they can be re-enabled by issuing the command fsutil behavior set disablelastaccess 0 followed by a restart. Even when enabled, NTFS may delay writing an updated Last Access time to disk by up to an hour, so the value is only an approximation of the last read.

2. Antivirus software needs to read files in order to scan them. Well-behaved scanners restore the Last Access timestamp of scanned files to the value it had before the scan; however, if a file was disinfected, its access and modification times are updated. (See my other post for details)

3. The accuracy of timestamps depends on the system clock. NTFS stores times with 100-nanosecond (ns) precision, but the Windows system clock only advances on each timer interrupt, typically every 10 to 15.6 milliseconds, so NTFS timestamps on Windows systems are in practice no more accurate than that.

The File System Forensic Analysis book by Brian Carrier (highly recommended) helped me to understand this material a bit better.

There is a great collection of academic papers about Date and Time stamp forensics. It can be found at Time Forensics website maintained by Svein Y. Willassen.

Friday, October 17, 2008

A Useful Quote

"Knowledge is dynamic in nature, today's knowledge may well become tomorrow's ignorance if an individual or organisation fails to update knowledge as environmental conditions change."

Turban, E., Leidner, D., Mclean, E., Wetherbe, J., Information Technology for Management: Transforming Organizations in the Digital Economy. Wiley; 6 edition (March 5, 2007)

Sunday, October 12, 2008

get SUDO to work on Red Hat systems

In the terminal enter su --login -c 'visudo'

Press Enter and type the root password when prompted. visudo opens the sudoers file in vi and checks its syntax before saving, which is why it should be used instead of editing /etc/sudoers directly.

Below the line root ALL=(ALL) ALL add the user (Garfield in this case :-) that you want to have root access, as shown below:
Garfield ALL=(ALL) ALL

Alternatively, grant access to a group: go down to the line # %wheel ALL=(ALL) ALL and delete the # at the beginning of the line using the x key (or your favourite vi editing commands). Every member of the wheel group can then use sudo and will be prompted for their own password.

If you don't want password prompts (not secure), uncomment # %wheel ALL=(ALL) NOPASSWD: ALL instead.

Save and exit: :wq

Saturday, October 11, 2008

Smart Mount by ASR Data

Smart Mount by ASR Data is going to be officially released on October 27, 2008. Smart Mount is a tool that allows mounting dd, SMART, E01 and VMware images.

Supported file systems are:
  • FAT and NTFS (Windows)
  • Ext2 and Ext3 (Linux) and HFS (Apple)
  • ISO9660 and UDF (CD/DVD)

There are versions for Linux and Windows, and you will have to pay for each version separately. There are also 'Pro' versions for both Linux and Windows that offer read/write options. It looks like it is going to be $100 more expensive than the Windows-only version of Mount Image Pro ($299). The Smart Mount Pro version is another $100 extra.

New Forensic Search Engine

Digital Forensics Search Engine has been added to this blog. It requires a lot of work to add resources and also fine tune it, so I don’t expect it to be very functional for some time. If you have a good & relevant link that should have been included in this search engine, send me an email or just leave the comment (I will not publish these comments).

Tuesday, October 7, 2008

dtSearch in Linux

dtSearch 7.54 has been installed and works fine on CentOS 5.2 under Wine.

The main indexing and searching functions worked OK. dtSearch forensic indexing with Unicode support worked as well. Some additional dtSearch functions did not work, and performance suffered a bit (subjective observation). Gecko needs to be installed prior to installing dtSearch. Running a non-native application is not a good idea though, and it is probably a matter of time before we all see a nice GUI front end to the dtSearch Linux engine.

Friday, October 3, 2008

Disposable Emails

Almost every forum or web site requires user registration and asks for your real email address. Not supplying one may result in download or activation links being sent somewhere else. Disposable emails eliminate the need to give out your real email address while still allowing you to receive download or activation links. The beauty of such disposable emails is their limited lifespan: the temporary address is redirected to the real one and dies together with the spam.

There are several free disposable email services available:

In my view Jetable is the best one. No registration is required to use the service, and no spam or advertisement sent by Jetable themselves. The service is provided by the French non-profit Association for a Non-Commercial Internet.

Wednesday, October 1, 2008

Window XP and Vista setupapi.log

setupapi.log is a plain-text file that contains some interesting information about device and service-pack installations. The file may contain serial numbers of the devices connected to a Windows machine. By studying setupapi.log it may be possible to tell whether a particular device was connected to the computer during OS installation (entries logged during setup follow the #-199 line whose command line contains -newsetup) or at a later stage, including the date and time when it was connected.

The file is located in %windir%\ directory for Windows XP machines.

Microsoft has a good paper regarding this log file Troubleshooting Device Installation with the SetupAPI Log File

Harlan Carvey in his book Windows Forensic Analysis DVD Toolkit explained very well the significance of setupapi.log to forensic examiners.

Vista has two similar files, located in the %windir%\inf\ directory; one of them becomes the primary log file and also contains some legacy logging information.

Useful links in relation to Vista log files are:

Sunday, September 28, 2008

Time Zone Converter

Getting various time zone conversions right can be confusing. Using a calculator is fine, but I tend to double-check my calculations with this online Time Zone Converter.

Thursday, September 25, 2008

Keeping things organised.

A wiki is an excellent tool for sharing knowledge and collaborating with other project members. Who wants to learn HTML or spend time learning how to use a wiki, though? Most people who need a wiki are busy doing more important things. The best and easiest-to-use wiki that I have come across is MindTouch Deki. It runs on Windows, Linux, BSD and Mac OS X, and it is free. Installation and configuration on Ubuntu 8.04 LTS Server takes approximately 10 minutes. It has an indexing component that allows indexing and searching attachments such as PDF or MS Office documents (and many other formats). WYSIWYG page creation is great, though I would like to see a good spell checker. Indexing is based on the Lucene engine and requires Mono to be installed. I am not a big fan of Mono, but Deki and Mono have run well together since I installed them about 3 months ago. Some tweaking is required to allow bigger attachments to be scanned and for indexing to work correctly. How can a wiki be used in forensic investigations? Running a big investigation makes it difficult to remember everything, and I tend to miss or forget some important information because there is too much of it and it may take a long time to complete the project.

The MindTouch Deki Virtual Appliance comes pre-installed and configured, and runs in VMware. It can be run on a desktop computer to keep my records and discoveries. All information is organised and can be shared with other team members for peer review or comments. Clicking on "Recent Changes" allows all changes to be monitored. Deki has a great access-control mechanism and it is very easy to administer. All information is indexed and can be found within seconds. It also has a function to export to PDF.

Having different VM snapshots allows multiple investigations/projects to be run independently.

In case indexing doesn't work:

Edit mindtouch.deki.startup.xml and add the following line inside the <indexer> element:

<delay-index-interval>10</delay-index-interval>

Then restart Deki Wiki:
/etc/init.d/dekiwiki restart

Log in to Deki as admin and rebuild the index.

To be able to index big PDFs etc.:

Change the following entries in your php.ini file, located in /etc/php5/apache2/php.ini:

post_max_size = 32M
upload_max_filesize = 32M

and restart Apache:
/etc/init.d/apache2 restart

Also, the value for the pdf filter has been changed to xpdf after the XPDF package was installed.
Sunday, September 21, 2008

Installing Helix 2008R1

The long-awaited Helix 2008R1 is finally out. There are still some problems with download speeds experienced by the forensic community eager to try this new toy (including myself, of course). There are also some problems with installation to a hard drive that I have found a way around.

1. Installation has to be started after the live CD is booted, by going to System->Administration->Install

2. Just follow the instructions and, after you get to the "Who are you" screen, press Forward; here is the trick. The installation would usually stop there due to problems with os-prober not being able to find volume groups. The trick is to press Cancel and start the installation procedure again. It should work after that.

3. The all-new Helix looks nice and shiny, but don't relax yet. Adepto, Autopsy, AV programs and some others would not run. I suggest running an update (apt-get upgrade, or allow automatic updates); after about 20 new updates most of the tools should work.

4. Adepto would not, though, and to fix it here is what I did:

$ sudo -i
# cd /usr/local/adepto
# mv logs logs1
# mkdir logs

Obviously there is a problem with the logs file sitting in the /usr/local/adepto directory; instead there should be a directory called logs.

correction - I just realised that the logs file is a symlink to /home/ubuntu/adepto/logs
I guess that if everyone creates the user ubuntu during the installation, adepto should work just fine (or create a new folder and symlink it).

Installing VMware tools on CentOS 5.2

Running CentOS as a guest OS under VMware is OK without VMware Tools installed; however, there may be some problems with the mouse, screen etc. Installing VMware Tools on CentOS can be accomplished by using the RPMs that come with VMware Workstation. I encountered a few problems whilst trying to install VMware Tools: I could not unload the pcnet32 module, and the system did not shut down gracefully. After digging through the Internet and experimenting I came up with the following.

  1. Disable IPv6 by adding the line install ipv6 /bin/true anywhere in /etc/modprobe.d/modprobe.conf.dist (and disabling iptables for IPv6 later on)

  2. Start CentOS in single-user mode by typing, as root: init 1 or /sbin/init 1

  3. Then run

  4. After the installation completes, reboot

  5. I also have a button on the GNOME panel with the command gksu vmware-toolbox, to be able to copy and paste between guest and host operating systems.

  6. A slightly more elegant solution is to put the line /usr/bin/vmware-user & into /etc/rc.local, so there is no window to close after the program starts. To modify the settings, vmware-toolbox can be started manually as needed. In Ubuntu it is even easier: System > Preferences > Sessions, and in the Startup Programs tab add a name and the command /usr/bin/vmware-user &

Friday, September 19, 2008

A few things to consider when using FTK Imager.

In March 2008 NIST released their test results for FTK Imager. Several problems were detected:
  • with acquisition of a logical NTFS partition;
  • with sectors hidden by a host protected area (HPA);
  • with sectors hidden by a device configuration overlay (DCO); and
  • FTK Imager did not report the location of corrupted data.
AccessData has released FTK Imager version 2.5.4
Release Date: April 8, 2008

The release notes for version 2.5.4 make no mention of fixes for the problems detected by NIST. Until they are addressed, check for an HPA or DCO with the write blocker or a separate tool before imaging, and compare the sector count the imager reports with the drive's native capacity.

Tuesday, September 16, 2008

USB dongle for SMART with Ubuntu

SMART from ASR Data is being tested on my Ubuntu 8.04.

Initially Ubuntu did not recognise the USB dongle that comes with SMART, and running aksusbd didn't help. It is recommended to attach the USB dongle before booting Linux; that didn't work either. After issuing mount -t usbfs none /proc/bus/usb followed by aksusbd, it worked fine. /etc/fstab has then been modified and the line usbfs /proc/bus/usb usbfs auto 0 0 added (0 = zero, not the letter o). The aksusbd daemon is not correctly installed to start at boot in Ubuntu. The easiest way to deal with this is to write a small shell script:

#!/bin/sh
# Mount the legacy usbfs the HASP dongle daemon expects (skipped if already mounted),
# start the daemon, then launch SMART. Needs to run as root.
mountpoint -q /proc/bus/usb || mount -t usbfs none /proc/bus/usb
/usr/sbin/aksusbd
/usr/local/bin/smart

Then add a custom application launcher to the GNOME panel and point it at the script. I am sure there are better ways of doing this, but it works well for me and doesn't take much time :-) To run SMART or any other application that requires root, install gksu and type gksu /usr/local/bin/smart

SMART stands for:

S torage
M edia
A nalysis
R ecovery
T oolkit

Monday, September 15, 2008

LinEn & ewfacquire to produce EnCase images

Among AIR, GRAB, ADEPTO and several other dd front ends, there are two Linux forensic tools that can image a drive and produce E01 (EnCase) images: LinEn, from Guidance Software (the makers of EnCase), and ewfacquire, which is part of the libewf package. libewf does not yet support the logical evidence file format (EWF-L01). LinEn can be downloaded here. It is easy to run: make it executable by changing the file's permissions and type ./linen. ewfacquire is claimed to be faster than LinEn, however I haven't noticed any significant difference.

tableau-parm 0.1.0 is another useful Linux tool for getting drive information from Tableau forensic write blockers that is similar to the Windows only Tableau Disk Monitor.

Sunday, September 14, 2008


PyFlag finally installs on Ubuntu 8.04. I will play with it a bit more and try to compare it with the functionality of PTK. PTK is promising but is still too buggy. It works better with the Opera browser; Firefox is no good. Some issues with PHP and SQL.
12 Oct 2008
PTK 1.0 is going to be released on 28 October 2008.

grab & adepto

grab is a very useful program by Drew Fahey. I installed and tested it on Ubuntu 8.04. It has several dependencies to deal with. To solve the problem:
apt-get install sharutils cryptcat libx11-dev libtsk-dev
sharutils is needed, otherwise a uudecode error will show up. cryptcat is also required for grab to function, and libx11-dev will stop any complaints about gettimeofday(). It also would not work without libtsk-dev and several other dependencies pulled in by libtsk-dev. adepto is a replacement for grab, and a new version is coming next week together with the new release of Helix.
The modified grab.tar.gz can be downloaded from here or here. MD5 hash for grab.tar.gz: f569a458b35cf100284bb578fa3d3e74