Sunday, September 28, 2008

Time Zone Converter

Getting various time zone conversations can be confusing. Using calculator is fine, but I tend to double check my calculations with this online Time Zone Converter.

Thursday, September 25, 2008

Keeping things organised.

Wiki is an excellent tool for sharing the knowledge and collaborate with other project members. Who wants to learn HTML or spend time learning on how to use Wiki though? Most people that require Wiki are busy doing more important things. The best and ‘easy to use’ Wiki that I came across is Mintouch Deki. It runs on Windows, Linux, BSD, MAC OS X and it is free. Installation and configuration on Ubuntu 8.04 LTS Server takes approximately 10 minutes. It has indexing component that allows indexing and searching attachments PDF or MS Office documents (and many other formats). WYSIWYG Page Creation is great, though I would like to see a good spell check. Indexing is based on Lucene indexing engine and requires mono to be installed. I am not big fan of mono but deki and mono run well together since I have installed them about 3 months ago. There are some tweaking required to allow bigger attachments to be scanned and for indexing to work correctly. How can Wiki be used in forensic investigations? Sometimes running a big investigation makes it difficult to remember everything and I tend to miss/forget some important information because too much information and it may take a long time to investigate/complete the project.

MindTouch Deki Virtual Appliance is pre-installed and configured, and runs in VMWare. It can be run on a desktop computer to keep my records/discoveries. All information is organised and can be shared with other team members for peer review or comments. Cliking on "Recent Changes" allows to monitor all changes. Deki has great access control mechanism and it is very easy to administer. All information is indexed and can be found within seconds. It also has function to export to PDF.

Having different VM snapshots allows multiple investigations/projects to be run independently.

In case Indexing doesn't work:

Edit mindtouch.deki.startup.xml
add after word indexer


the following line with the appropriate html formatting

delay-index-interval 10 delay-index-interval

then restart deki wiki
/etc/init.d/dekiwiki restart

Log in to deki as admin and rebuild index

To be able to index big PDF's etc:

Change the following entries in your php.ini file located in /etc/php5/apache2/php.ini

and restart apache /etc/init.d/apache2 restart
post_max_size = 32M
upload_max_filesize = 32M

Also value for pdf filter has been changed to xpdf after XPDF package has been installed.

From

/var/www/dekiwiki/bin/filters/pdf2text

to

/var/www/dekiwiki/bin/filters/xpdf2text


Sunday, September 21, 2008

Installing Helix 2008R1


The long awaited Helix 2008R1 is finally out. There are still some problems with download speeds experienced by the forensic community that eager to try this new toy (including myself of course). There are some problems with installation to hard drive that I have found a way to get around.

1. Installation has to be started after live CD is booted by going to System->Administration->Install

2. Just follow the instructions and after you get to the Who are you screen, press Forward and here is the trick. The installation would usually stop there due to some problems with os-prober not being able to find volume groups. The trick is to press cancel and start the installation procedure again. It should work after that.

3. All new Helix looks nice and shiny but don't yet relax. Adepto, autopsy, av programs and some others would not run. I suggest to run an update (apt-get upgrade or allow automatic update), and after about 20 new updates most of the tools should work.

4. Adepto would not though, and to fix it, here what I done:

$ sudo -i
# cd /usr/local/adepto
# mv logs logs1
# mkdir logs

Obviously there is a problem with the logs file sitting in /usr/local/adepto directory
Instead there should be a directory/folder called logs

Done.

correction - I just realised that logs file is a symlink to /home/ubuntu/adepto/logs
I guess, if everyone creates user ubuntu during the installation, adepto should work just fine. (or create a new folder and symlink it )

Installing VMware tools on CentOS 5.2

Running CentOS as a guest OS with VMware is OK without VMware tools installed. However there may be some problems with mouse/screen etc. Installing VMware tools on CentOS can be accomplished by using RPMs that come with VMware workstation. I have encountered a few problems whilst trying to install VMware tools. I could not unload pcnet32 module and the system did not shut down gracefully. After digging through the Internet and experimenting I came up with the following.

  1. Disable ipv6 by modifying /etc/modprobe.d/modprobe.conf.dist and adding anywhere install ipv6 /bin/true (and disabling iptables for ipv6 later on)

  2. Start CentOS in a single user mode by typing as root: init 1 or /sbin/init 1

  3. Then run vmware-config-tools.pl

  4. After the installation complete, reboot

  5. I also have a button on the gnome panel with the following command gksu vmware-toolbox to be able to copy and paste between guest and host operating systems.

  6. A slightly more elegant solution would be to put /usr/bin/vmware-user & line into /etc/rc.local with no window to close after the program starts. To modify the settings, vmware-toolbox can be started manually as needed. In Ubuntu it is even easier SYSTEM > PREFERENCES > SESSIONS and in startup programs tab ADD NAME and /usr/bin/vmware-user &

Friday, September 19, 2008

A few things to consider when using FTK Imager.

In March 2008 NIST has released their test results for FTK Imager 2.5.3.14. Several problems have been detected:
  • with acquisition of a logical NTFS partition;
  • hidden by a host protected area (HPA) sectors;
  • the sectors hidden by device configuration overlay (DCO); and
  • FTK imager didn’t reported the location of corrupted data.
AccessData has released FTK Imager version 2.5.4
Release Date: April 8, 2008


Version 2.5.4 release notes for this version has no mention of any bug fixes detected by NIST.

Tuesday, September 16, 2008

USB dongle for SMART with Ubuntu

SMART from ASR Data is being tested on my Ubuntu 8.4

Initially didn't want to recognise the USB dongle that comes with SMART. Running aksusbd didn't help. It is recommended to attach the USB dongle before booting Linux. It didn't work. After issuing mount -t usbfs none /proc/bus/usb followed by aksusbd worked fine. /etc/fstab has then been modified and usbfs /proc/bus/usb usbfs auto 0 0 added. (0 = zero, not letter o) aksusbd daemon is not correctly installed to start up at boot in Ubuntu. The easiest way to deal with this is to write a bash script:

#!/bin/bash

mount -t usbfs none /proc/bus/usb

/usr/sbin/aksusbd; /usr/local/bin/smart

Then add to Gnome Panel custom application and point it to the script. I am sure there are better ways of doing this, but it works well for me and doesn't take much time :-) To run SMART or any other application that required root, install gksu and type gksu /usr/local/bin/smart

SMART stands for:

S torage
M edia
A nalysis
R ecovery
T oolkit

Monday, September 15, 2008

LinEn & ewfacquire to produce EnCase images

Among AIR, GRAB and ADEPTO and several other dd tools there are two Linux forensic tools that can image and produce E01 (EnCase) images. LinEn from EnCase and ewfacquire which is part of the libewf package. libewf does not yet support the Logical Volume format (EWF-L01). LinEn can be downloaded here. It is easy to run, make it executable by changing file’s permission and type ./linen. ewfacquire is claimed to be faster than LinEn, however I haven't noticed any significant differences.

tableau-parm 0.1.0 is another useful Linux tool for getting drive information from Tableau forensic write blockers that is similar to the Windows only Tableau Disk Monitor.

Sunday, September 14, 2008

PyFlag

PyFlag finally installs on Ubuntu 8.4. Will play with it a bit more and try to compare it with the functionalities of PTK. PTK is promising but is still too buggy. Works better with Opera browser, Firefox is no good. Some issues with PHP and SQL.
---
12 Oct 2008
PTK 1.0 is going to be released 28 October 2008.

grab & adepto

grab is a very useful program by Drew Fahey . Installed and tested it on Ubuntu 8.04. It has several dependencies to deal with. To solve the problem:
apt-get install sharutils cryptcat libx11-dev libtsk-dev
sharutls is needed otherwise uudecode error will show up. cryptcat is also required for grab to function and libx11-dev will stop any complaints about problems re: gettimeofday(). It also would not work without libtsk-dev and several other dependencies connected to libtsk-dev. adepto is a replacement of grab and new version is coming next week together with the new release of Helix.
The modified grab.tar.gz can be downloaded from here or here. MD5 Hash for grab.tar.gz f569a458b35cf100284bb578fa3d3e74