╺┳┓╻┏━╸╻╺┳╸┏━┓╻ ┏━╸┏━┓┏━┓┏━╸┏┓╻┏━┓╻┏━╸┏━┓ ┃┃┃┃╺┓┃ ┃ ┣━┫┃ ┣╸ ┃ ┃┣┳┛┣╸ ┃┗┫┗━┓┃┃ ┗━┓ ╺┻┛╹┗━┛╹ ╹ ╹ ╹┗━╸ ╹ ┗━┛╹┗╸┗━╸╹ ╹┗━┛╹┗━╸┗━┛ Projects always come in different sizes!
As general rule of thumb, when doing Forensics, Red/Blue Teaming, or other stuff that are based on Cyber Security, you should do it over VIRTUAL MACHINE, and do not use your daily driver to do this. You should do this inside a VM and passthrough the USB through VirtualBox or QEMU depending on what you use. It is advisable to DO NOT CONNECT VPN like HackTheBox to your host, do it INSIDE VIRTUAL MACHINE as you're sharing your connection with other trained hackers inside those CTFs VPN.
If you're not sure of what you're doing, please refer to Cyber Security sections in this github repo or research about networking basics before you go into Digital Forensics or Cyber Security. YOU'VE BEEN WARNED.
Investigation & analysis technique to gather, and preserve evidence from a particular computing device. Digital Forensics can also be considered as Blue Teaming, while cybersecs Attack are considered Red Teaming. Digital Forensics also laid some basics for your computing knowledge, it also helps if you have grasps how computer, networks, and its pheriperals works beforehand.
1. Identifying
2. Preserving
3. Recovering
4. Analyzing
5. Presenting
CEAR: Collection > Examination > Analysis > Reporting
Example: Mobile > Data > Information > Evidence
You can gather data from mobile through dumping data and backups, using metasploit to gather infromation. MsfConsole lets you do remote hacking, but in this case it can be used in digital forensics as cybersecs red teaming, and analyze data as blue team.
1. What the main goals
2. Identify media types
3. Survey it first
Once you know the goal fo the investigation, this will then clear the path as of what you need to get, either there are media/file types that you have to be aware of while investigating, or look at what might be possible to be taken as evidence.
1. Plan it first
2. Start acquire
3. Verify the data
What needs to be done? Like the step before it, identify what types of data is useful, and then create a plan as how to get those data. Acquire these data from any possible sources, either it is USB, Harddisk or other peripherals that can be used as data storage.
There is also anti-forensics ( Compressing & Password ) that is used to hinder forensics, since metadata is useful, some zips might reap off those metadata from files depending on how they compress the file. Password protected data or encrypted files can also hinder investigation in some way.
1. Volatile [ RAM ]
2. Non-Volatile [ Media, Text Files ]
You might see more of this below in the example of tools used for each data type.
1. Bypassing any OS security Features
- Windows: bitlocker < unlock first
2. Bypassing Encryption
- Shut off any security measure before examine
3. Struggling with file compression and Access Control
- Cellebrite > Iphone < No matter, it will still be unlocked, it is used in big company.
4. Checking millions of data
- Always check data that are important, not everything < take times.
Timestamp create, update, etc
- Relation between time to each timestamp [ 1:00 user, 1:05 breached 1:10 user ]
- People [ Who? A > B Relationship? ]
- Places [ Server room location? Last location? CCTV? ]
- Items [ Hardisk, Flashdisk? Information that are taken? ]
- Events [ Timestamp, location, user relation? ]
- Determine how every elements connected
- Always give alternative explanations as you can
- Do not report only one conclusion always use multiple
- Is it possible that another conclusion can be taken?
- Audience Consideration
- Judge may not understand techincal jargon
- Use easily understood technical jargon
- Actionable Information
- Ask information from collected evidence
- Do you know disk USB Flashdisk?
1. Methodical approaches when examine the data.
2. Examine the copy, not the original one.
3. Raw log have more confidence than in normalized one.
4. Rely on file headers, not file extensions.
5. One data log is not enough, combine from various data sources, and determine how information fits.
Things in digital forensics should be approached methodically, this will of course let you as Digital Forensics investigator to do things step by step, which is crucial in keeping evidence, identify evidence, acquire it and examining its content. Remember Collection > Examination > Analysis > Reporting, this step-by-step guidelines, like before, will help you true to your goal in investigation. Lastly, always do image backup with methods that you will see in this page, backup can be done with `dd` or other tools, and after the backup has been created, you'll be good to do live forensics.
- Honeynet
- CTF101
In Digital Forensics evidence can come in many forms and devices, most of it can be found as hardisk and USB peripherals.
First we need to check if USB is connected:
$ sudo fdisk -l
$ lsusb
To check MD5 & SHA you can use this command:
$ sudo md5sum /dev/sdc1
$ sudo sha1sum /dev/sdc1
ALPH4NUMER1C4AL000ALPH4NUMER1C4AL /dev/sdc1
For this session in Digital Forensics you might want to fill your USB with some pictures or data, testdisk will create a log 'image' that can be used for digital forensics. Digital forensics mostly use images of evidence that is used in investigation to recreate environment and recover lost data.
In case you are using vm, you might want to look at USB, and check if your usb devices is passed through the vm you are using. You can check your USB device by using `fdisk`, if it is not passed through, you might instead use native linux or other alternatives.
$ sudo fdisk -l
Disk /dev/sdc: 28.65 GiB, 30765219840 bytes, 60088320 sectors
Disk model: SanDisk 3.2Gen1
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xa1afdc4c
Device Boot Start End Sectors Size Id Type
/dev/sdc1 2048 60088319 60086272 28.7G 83 Linux
You might get multiple output from `fdisk`, for this, I'm using Sandisk Ultra Fit 32GB, you might want 4GB/8GB to reduce time for this test.
$ lsusb
Bus 001 Device 002: ID 8087:8000 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 011: ID 0781:5583 SanDisk Corp. Ultra Fit
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
In this session we will use gparted to emulate lost files inside a USB device. Since you have to actually check if it is connected or not, you might want to run `fdisk` to list available device with its partitions.
Gparted can format devices into multiple format, you can specify to use ext4 in gparted to format your test device into ext4 devices.
$ sudo gparted
You will be asked for root password, you should fill this out first before going further. Root permission is needed because you need to access USB peripherals itself to create a backup, since Linux need system/admin level access to tamper with the device, therefore you should use root previleges to run those command.
For this sections I will instead use command line interface to format, but before that, we have to look at what type the device that we use.
$ df -hT
Filesystem Type Size Used Avail Use% Mounted on
devtmpfs devtmpfs 192M 0 192M 0% /dev
tmpfs tmpfs 1.9G 0 1.9G 0% /dev/shm
tmpfs tmpfs 960M 6.9M 953M 1% /run
tmpfs tmpfs 1.9G 600K 1.9G 1% /run/wrappers
/dev/sda3 ext4 423G 216G 186G 54% /
tmpfs tmpfs 4.0M 0 4.0M 0% /sys/fs/cgroup
tmpfs tmpfs 384M 12K 384M 1% /run/user/1000
/dev/sdc1 ext4 29G 44M 27G 1% /run/media/user/...
As you can see, it is `/dev/sdc1` with `ext4` format, then we can continue into the next part.
$ sudo parted
GNU Parted 3.3
Using /dev/sdc
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print
Model: USB SanDisk 3.2Gen1 (scsi)
Disk /dev/sdc: 30.8GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:
Number Start End Size Type File system Flags
1 1049kB 30.8GB 30.8GB primary
(parted) mklabel msdos
Warning: The existing disk label on /dev/sdc will be destroyed and all data on
this disk will be lost. Do you want to continue?
Yes/No? yes
(parted) mkpart
Partition type? primary/extended? primary
File system type? [ext2]? ext4
Start? 0%
End? -1s
(parted) quit
Be sure to umount device before running this. This command will format and delete files inside the USB.
$ sudo umount /dev/sdc1
$ sudo mkfs.ext4 /dev/sdc1
mke2fs 1.45.5 (07-Jan-2020)
/dev/sdc1 contains a ext4 file system
last mounted on Wed Mar 2 00:00:00 2021
Proceed anyway? (y,N) y
Creating filesystem with 7510784 4k blocks and 1880480 inodes
Filesystem UUID: ce049cf2-3f7b-44ca-b309-0e72b73c485a
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 4096000
Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
By itself, it can do most things like formating USB devices and creating a backup image from said device. dd can also be used to convert and copy files. Some people use this to create an image that can be flashed again, this can be used for raspberry pi devices.
# Description
if = Input File
of = Output File
bs = Bytes (1M-4M)
count = copy N input blocks
# Command
$ sudo dd if=/dev/zero of=/tmp/archive1 bs=1M count=1000000
$ sudo dd if=/dev/urandom of=/tmp/archive1 bs=1M count=1000000
Check and create SHA1:
$ sudo sha1sum /dev/sdc1
$ cat split test.img | sha1sum
Run application with root previleges. Testdisk is designed to recover lost partitions and recover boot sessions that caused by faulty software or human error. Below is TestDisk description from its program.
TestDisk is free data recovery software designed to help recover lost
partitions and/or make non-booting disks bootable again when these symptoms
are caused by faulty software, certain types of viruses or human error.
It can also be used to repair some filesystem errors.
Information gathered during TestDisk use can be recorded for later
review. If you choose to create the text file, testdisk.log , it
will contain TestDisk options, technical information and various
outputs; including any folder/file names TestDisk was used to find and
list onscreen.
- Fix partition table, recover deleted partition
- Recover FAT32 boot sector from its backup
- Rebuild FAT12/FAT16/FAT32 boot sector
- Fix FAT tables
- Rebuild NTFS boot sector
- Recover NTFS boot sector from its backup
- Fix MFT using MFT mirror
- Locate ext2/ext3/ext4 Backup SuperBlock
- Undelete files from FAT, exFAT, NTFS and ext2 filesystem
- Copy files from deleted FAT, exFAT, NTFS and ext2/ext3/ext4 partitions.
To actually run the program, you can run this as root in your terminal.
$ sudo testdisk
This will create a curses windows that you can interact with. I wont include long blocks of text, so I will include what we will use, instead all the text inside the terminal screen.
TestDisk 7.1, Data Recovery Utility, July 2019
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
Use arrow keys to select, then press Enter key:
>[ Create ] Create a new log file
[ Append ] Append information to log file
[ No Log ] Don't record anything
We need to select media, in this case `/dev/sdc`, after that we will select partition table that are used, for now just use defaulted partition table for me it is `Intel`.
Select a media (use Arrow keys, then press Enter):
Disk /dev/sda - 500 GB / 465 GiB - ST500LX012-SSHD-8GB
>Disk /dev/sdc - 30 GB / 28 GiB - USB SanDisk 3.2Gen1
Disk /dev/sdc - 30 GB / 28 GiB - USB SanDisk 3.2Gen1
Please select the partition table type, press Enter when done.
>[Intel ] Intel/PC partition
[EFI GPT] EFI GPT partition map (Mac i386, some x86_64...)
[Humax ] Humax partition table
[Mac ] Apple partition map (legacy)
[None ] Non partitioned media
[Sun ] Sun Solaris partition
[XBox ] XBox partition
[Return ] Return to disk selection
We choose `advanced` and select `Image Creation` in the next screen.
[ Analyse ] Analyse current partition structure and search for lost partitions
>[ Advanced ] Filesystem Utils
[ Geometry ] Change disk geometry
[ Options ] Modify options
[ MBR Code ] Write TestDisk MBR code to first sector
[ Delete ] Delete all data in the partition table
[ Quit ] Return to disk selection
Partition Start End Size in sectors
> 1 P Linux 1 0 1 29339 63 32 60086272
[ Type ] [Superblock] [ List ] >[Image Creation] [ Quit ]
Create an image
Press C to go to select the destination if it is already correct.
Please select where to store the file image.dd (30764 MB), an image of the
partition
Keys: Arrow keys to select another directory
C when the destination is correct
Q to quit
Directory /home/user/FORENSICS
drwxr-xr-x 1000 100 4096 3-Mar-2021 19:16 .
>drwx------ 1000 100 4096 3-Mar-2021 19:16 ..
-rw-r--r-- 0 0 6705 3-Mar-2021 19:16 testdisk.log
Remember when I said to use 4GB/8GB? Take a cup of tea or coffee, because it will take a long time. Once done, you will have `image.dd` in your folder.
Disk /dev/sdc - 30 GB / 28 GiB - USB SanDisk 3.2Gen1
1 P Linux 1 0 1 29339 63 32 60086272
11.37 % =======>
Directory /home/user/FORENSICS
.rw-r--r-- 30G root 3 Mar 19:31 image.dd
.rw-r--r-- 6.8k root 3 Mar 19:34 testdisk.log
Once done, we can go to the next step, recovery.
To actually recover the data that are lost from the device, you can use this software, here is the description from <https://www.cgsecurity.org>.
PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted.
You can use the `image.dd` that we have backed up before to recover the data.
$ sudo photorec image.dd
Select a media (use Arrow keys, then press Enter):
>Disk image.dd - 30 GB / 28 GiB (RO)
>[Proceed ] [ Quit ]
Choose `ext4` partition that we specify before.
Partition Start End Size in sectors
Unknown 0 0 1 3740 50 22 60086272 [Whole disk]
> P ext4 0 0 1 3740 50 22 60086272
To recover lost files, PhotoRec needs to know the filesystem type where the
file were stored:
>[ ext2/ext3 ] ext2/ext3/ext4 filesystem
[ Other ] FAT/NTFS/HFS+/ReiserFS/...
Please choose if all space needs to be analysed:
>[ Free ] Scan for file from ext2/ext3 unallocated space only
[ Whole ] Extract files from whole partition
Please select a destination to save the recovered files to.
Do not choose to write the files to the same partition they were stored on.
Keys: Arrow keys to select another directory
C when the destination is correct
Q to quit
Directory /home/archaict/FORENSICS
>drwxr-xr-x 1000 100 4096 3-Mar-2021 19:41 .
drwx------ 1000 100 4096 3-Mar-2021 19:16 ..
-rw-r--r-- 0 0 30764171264 3-Mar-2021 19:31 image.dd
-rw-r--r-- 0 0 40960 3-Mar-2021 19:41 photorec.se2
-rw-r--r-- 0 0 6776 3-Mar-2021 19:34 testdisk.log
You will then have multiple results depends on what you recover from the USB.
Disk image.dd - 30 GB / 28 GiB (RO)
Partition Start End Size in sectors
P ext4 0 0 1 3740 50 22 60086272
Destination /home/archaict/FORENSICS/recup_dir
Pass 2 - Reading sector 7336528/60086272, 32 files found
Elapsed time 0h02m22s - Estimated time to completion 0h17m00
a: 16 recovered
txt: 14 recovered
exe: 1 recovered
gz: 1 recovered
Once done, you will have the data that are recovered inside `recup_dir.1`.
Directory /home/user/FORENSICS
.rw-r--r-- 30G root 3 Mar 19:31 image.dd
.rw-r--r-- 40k root 3 Mar 19:41 photorec.se2
.rw-r--r-- 41k root 3 Mar 19:47 photorec.ses
drwxr-xr-x - root 3 Mar 19:45 recup_dir.1
.rw-r--r-- 6.8k root 3 Mar 19:34 testdisk.log
Volatile memory are types of memory that are usually stored in RAM **only** when the systems are on power. This type of memory requires power to maintain its stored information, thus when the computer is shutdown, either normally or abruptedly or interrupted in any way, the data inside the storage will be erased.
Since the tools are not installed, we have to install it manually by running commands below. This command will use the `setup.py` that are part of the repos to install its dependencies. Though it is installing all of its contents, you might still want to refer to its installation pages, since some errors will be found if you didn't install other tools alongside `volatility`. Below is the list of needed installation after installing `volatility`.
- Distorm3
- Yara
- PyCrypto
- PIL
- OpenPyxl
- ujson
- pytz
- IPython
- libforensic1394
FIXME! There are some dependencies that comes from python version 2, so you might want to install those dependencies using this command. You can bypass installing the dependencies for now, since it seems the installation is a bit broken. Skip ahead to the next code block.
# Install python2 pip2 and deps
$ wget https://bootstrap.pypa.io/get-pip.py
$ sudo python2 get-pip.py
$ pip2 install --upgrade setuptools
$ sudo apt-get install python-dev
$ pip2 install Distorm3 PyCrypto Pillow OpenPyxl ujson pytz
# Install libforensic1394
$ sudo apt install cmake
$ git clone https://github.com/FreddieWitherden/libforensic1394
$ cd libforensic1394
$ mkdir build && cd build
$ cmake -G"Unix Makefiles" ../
$ make
$ sudo make install
After we install all the dependencies we can start installing `volatility`.
$ git clone https://github.com/volatilityfoundation/volatility.git
$ cd volatility
$ sudo python setup.py install
Source samples that we use can be downloaded here.
LINK: <https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples>
For simpler command, you can use command below, you can put this files anywhere, but for this purpose, it is better to put it inside IMG folder.
$ mkdir -p ~/IMG
$ cd ~/IMG
$ wget http://files.sempersecurus.org/dumps/cridex_memdump.zip ~/IMG/cridex_memdump.zip
$ unzip cridex_memdump.zip
First, check if you're inside `~/IMG` directory, after that we can proceed to `vol.py`. You might see some dependencies error, this is not intended, but because volatility itself has dependencies on `python2` modules.
$ vol.py -f cridex.vmem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/home/paranoia/volatility3/cridex.vmem)
PAE type : PAE
DTB : 0x2fe000L
KDBG : 0x80545ae0L
Number of Processors : 1
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2012-07-22 02:45:08 UTC+0000
Image local date and time : 2012-07-21 22:45:08 -0400
Next we try using pslist command to see what process is running on the systems.
$ vol.py --profile=WinXPSP3x86 -f cridex.vmem pslist
Volatility Foundation Volatility Framework 2.6.1
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c89c8 System 4 0 53 240 ------ 0
0x822f1020 smss.exe 368 4 3 19 ------ 0 2012-07-22 02:42:31 UTC+0000
0x822a0598 csrss.exe 584 368 9 326 0 0 2012-07-22 02:42:32 UTC+0000
0x82298700 winlogon.exe 608 368 23 519 0 0 2012-07-22 02:42:32 UTC+0000
0x81e2ab28 services.exe 652 608 16 243 0 0 2012-07-22 02:42:32 UTC+0000
0x81e2a3b8 lsass.exe 664 608 24 330 0 0 2012-07-22 02:42:32 UTC+0000
0x82311360 svchost.exe 824 652 20 194 0 0 2012-07-22 02:42:33 UTC+0000
0x81e29ab8 svchost.exe 908 652 9 226 0 0 2012-07-22 02:42:33 UTC+0000
0x823001d0 svchost.exe 1004 652 64 1118 0 0 2012-07-22 02:42:33 UTC+0000
0x821dfda0 svchost.exe 1056 652 5 60 0 0 2012-07-22 02:42:33 UTC+0000
0x82295650 svchost.exe 1220 652 15 197 0 0 2012-07-22 02:42:35 UTC+0000
0x821dea70 explorer.exe 1484 1464 17 415 0 0 2012-07-22 02:42:36 UTC+0000
0x81eb17b8 spoolsv.exe 1512 652 14 113 0 0 2012-07-22 02:42:36 UTC+0000
0x81e7bda0 reader_sl.exe 1640 1484 5 39 0 0 2012-07-22 02:42:36 UTC+0000
0x820e8da0 alg.exe 788 652 7 104 0 0 2012-07-22 02:43:01 UTC+0000
0x821fcda0 wuauclt.exe 1136 1004 8 173 0 0 2012-07-22 02:43:46 UTC+0000
0x8205bda0 wuauclt.exe 1588 1004 5 132 0 0 2012-07-22 02:44:01 UTC+0000
Since this test images are rather old as you can see on the starting process, it and the profle we use, you might want to use tools that are catered to newer OSes. All the command bellow that are using ps\* means checking what processes are running in the system, it will show the same thing from different viewpoint.
$ vol.py --profile=WinXPSP3x86 -f cridex.vmem pstree
Volatility Foundation Volatility Framework 2.6.1
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x823c89c8:System 4 0 53 240 1970-01-01 00:00:00 UTC+0000
. 0x822f1020:smss.exe 368 4 3 19 2012-07-22 02:42:31 UTC+0000
.. 0x82298700:winlogon.exe 608 368 23 519 2012-07-22 02:42:32 UTC+0000
... 0x81e2ab28:services.exe 652 608 16 243 2012-07-22 02:42:32 UTC+0000
.... 0x821dfda0:svchost.exe 1056 652 5 60 2012-07-22 02:42:33 UTC+0000
.... 0x81eb17b8:spoolsv.exe 1512 652 14 113 2012-07-22 02:42:36 UTC+0000
.... 0x81e29ab8:svchost.exe 908 652 9 226 2012-07-22 02:42:33 UTC+0000
.... 0x823001d0:svchost.exe 1004 652 64 1118 2012-07-22 02:42:33 UTC+0000
..... 0x8205bda0:wuauclt.exe 1588 1004 5 132 2012-07-22 02:44:01 UTC+0000
..... 0x821fcda0:wuauclt.exe 1136 1004 8 173 2012-07-22 02:43:46 UTC+0000
.... 0x82311360:svchost.exe 824 652 20 194 2012-07-22 02:42:33 UTC+0000
.... 0x820e8da0:alg.exe 788 652 7 104 2012-07-22 02:43:01 UTC+0000
.... 0x82295650:svchost.exe 1220 652 15 197 2012-07-22 02:42:35 UTC+0000
... 0x81e2a3b8:lsass.exe 664 608 24 330 2012-07-22 02:42:32 UTC+0000
.. 0x822a0598:csrss.exe 584 368 9 326 2012-07-22 02:42:32 UTC+0000
0x821dea70:explorer.exe 1484 1464 17 415 2012-07-22 02:42:36 UTC+0000
. 0x81e7bda0:reader_sl.exe 1640 1484 5 39 2012-07-22 02:42:36 UTC+0000
$ vol.py --profile=WinXPSP3x86 -f cridex.vmem psxview
Volatility Foundation Volatility Framework 2.6.1
Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x02498700 winlogon.exe 608 True True True True True True True
0x02511360 svchost.exe 824 True True True True True True True
0x022e8da0 alg.exe 788 True True True True True True True
0x020b17b8 spoolsv.exe 1512 True True True True True True True
0x0202ab28 services.exe 652 True True True True True True True
0x02495650 svchost.exe 1220 True True True True True True True
0x0207bda0 reader_sl.exe 1640 True True True True True True True
0x025001d0 svchost.exe 1004 True True True True True True True
0x02029ab8 svchost.exe 908 True True True True True True True
0x023fcda0 wuauclt.exe 1136 True True True True True True True
0x0225bda0 wuauclt.exe 1588 True True True True True True True
0x0202a3b8 lsass.exe 664 True True True True True True True
0x023dea70 explorer.exe 1484 True True True True True True True
0x023dfda0 svchost.exe 1056 True True True True True True True
0x024f1020 smss.exe 368 True True True True False False False
0x025c89c8 System 4 True True True True False False False
0x024a0598 csrss.exe 584 True True True True False True True
Under this will include all the connection on the system, either it is results from scanning and the connection that it uses.
$ vol.py --profile=WinXPSP3x86 -f cridex.vmem connections
Volatility Foundation Volatility Framework 2.6.1
Offset(V) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
0x81e87620 172.16.112.128:1038 41.168.5.140:8080 1484
$ vol.py --profile=WinXPSP3x86 -f cridex.vmem connscan
Volatility Foundation Volatility Framework 2.6.1
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
0x02087620 172.16.112.128:1038 41.168.5.140:8080 1484
0x023a8008 172.16.112.128:1037 125.19.103.198:8080 1484
You can see Geolocation of the IP's using this:
$ curl https://freegeoip.app/xml/41.168.5.140
<Response>
<IP>41.168.5.140</IP>
<CountryCode>ZA</CountryCode>
<CountryName>South Africa</CountryName>
<RegionCode>GP</RegionCode>
<RegionName>Gauteng</RegionName>
<City>Johannesburg</City>
<ZipCode>2041</ZipCode>
<TimeZone>Africa/Johannesburg</TimeZone>
<Latitude>-26.2308</Latitude>
<Longitude>28.0585</Longitude>
<MetroCode>0</MetroCode>
</Response>
$ curl https://freegeoip.app/xml/125.19.103.198
<Response>
<IP>125.19.103.198</IP>
<CountryCode>IN</CountryCode>
<CountryName>India</CountryName>
<RegionCode></RegionCode>
<RegionName></RegionName>
<City></City>
<ZipCode></ZipCode>
<TimeZone>Asia/Kolkata</TimeZone>
<Latitude>20.0063</Latitude>
<Longitude>77.006</Longitude>
<MetroCode>0</MetroCode>
</Response>
Help you navigate and manipulate network packets.
From Danscourses :
- Part 1 : <https://www.youtube.com/watch?v=EuTAmtMGdNU>
- Part 2 : <https://www.youtube.com/watch?v=gOcT5r0spVM>
WARNING: Calling str(pkt) on Python 3 makes no sense!
b'E\x00\x00\x1c\x00\x01\x00\x00@\x01\xf7\x83\xc0\xa8\x01\x0b\xc0\xa8\x01\x01\x08\x00\xf7\xff\x00\x00\x00\x00'
This can be used as alternative of wireshark in cli, technicaly they do the same thing, also tshark (cli wireshark). To install use `sudo pip3 install scapy matplotlib pyx`, you can install just scapy, the rest are for warnings only.
$ sudo scapy
>>> sniff(count=4)
>>> sniff(iface='wlp2s0', prn=lambda x: x.summary(), count=4) # show live transmissions, iface is network interface
>>> sniff(iface='wlp2s0', prn=lambda x: x.show(), count=4) # show newest request (http, etc.)
# List of available commands
>>> lsc()
IPID_count : Identify IP id values classes in a list of packets
arpcachepoison : Poison target's cache with (your MAC,victim's IP) couple
arping : Send ARP who-has requests to determine which hosts are up
arpleak : Exploit ARP leak flaws, like NetBSD-SA2017-002.
bind_layers : Bind 2 layers on some specific fields' values.
bridge_and_sniff : Forward traffic between interfaces if1 and if2, sniff and return
chexdump : Build a per byte hexadecimal representation
computeNIGroupAddr : Compute the NI group Address. Can take a FQDN as input parameter
corrupt_bits :
corrupt_bytes :
defrag : defrag(plist) -> ([not fragmented], [defragmented],
defragment : defragment(plist) -> plist defragmented as much as possible
dhcp_request : Send a DHCP discover request and return the answer
dyndns_add : Send a DNS add message to a nameserver for "name" to have a new "rdata"
dyndns_del : Send a DNS delete message to a nameserver for "name"
etherleak : Exploit Etherleak flaw
explore : Function used to discover the Scapy layers and protocols.
fletcher16_checkbytes: Calculates the Fletcher-16 checkbytes returned as 2 byte binary-string.
fletcher16_checksum : Calculates Fletcher-16 checksum of the given buffer.
fragleak : --
fragleak2 : --
fragment : Fragment a big IP datagram
fuzz :
getmacbyip : Return MAC address corresponding to a given IP address
getmacbyip6 : Returns the MAC address corresponding to an IPv6 address
hexdiff :
hexdump : Build a tcpdump like hexadecimal view
hexedit : Run hexedit on a list of packets, then return the edited packets.
hexstr : Build a fancy tcpdump like hex from bytes.
import_hexcap : Imports a tcpdump like hexadecimal view
is_promisc : Try to guess if target is in Promisc mode. The target is provided by its ip.
linehexdump : Build an equivalent view of hexdump() on a single line
ls : List available layers, or infos on a given layer class or name.
neighsol : Sends and receive an ICMPv6 Neighbor Solicitation message
overlap_frag : Build overlapping fragments to bypass NIPS
promiscping : Send ARP who-has requests to determine which hosts are in promiscuous mode
rdpcap : Read a pcap or pcapng file and return a packet list
report_ports : portscan a target and output a LaTeX table
restart : Restarts scapy
rfc :
send :
sendp :
sendpfast : Send packets at layer 2 using tcpreplay for performance
sniff :
split_layers : Split 2 layers previously bound.
sr :
sr1 :
sr1flood : Flood and receive packets at layer 3 and return only the first answer
srbt : send and receive using a bluetooth socket
srbt1 : send and receive 1 packet using a bluetooth socket
srflood : Flood and receive packets at layer 3
srloop :
srp :
srp1 :
srp1flood : Flood and receive packets at layer 2 and return only the first answer
srpflood : Flood and receive packets at layer 2
srploop :
tcpdump : Run tcpdump or tshark on a list of packets.
tdecode :
traceroute : Instant TCP traceroute
traceroute6 : Instant TCP traceroute using IPv6
traceroute_map : Util function to call traceroute on multiple targets, thentshark : Sniff packets and print them calling pkt.summary().
wireshark :
wrpcap : Write a list of packets to a pcap file
This is the possible command you can use, I will list just enough info for you to understand.
# Read pcap file
>>> pak = rdpcap("/home/codex/Downloads/ground.pcap")
# List ground.pcap
>>> pak
<ground.pcap: TCP:733 UDP:40 ICMP:0 Other:7>
# Length or total of packets captured
>>> len(p)
780
# Choose or select packet
>>> pkt = pak[100]
>>> pkt # show inside packet[100]
# Type of packet
>>> type(pkt)
scapy.layers.l2.Ether
# Userspace Variables inside packet[100]
>>> dir(pkt)
# Hex > There is usually passwords if on http (not careful)
>>> hexdump(pkt)
# List Information of packet[100]
>>> ls(pkt)
# Summary of packet[100]
>>> pkt.summary()
'Ether / IP / TCP 118.98.30.80:https > 192.168.0.0:XXXX A / Raw'
>>> pkt.show()
Mobile digital forensics can be done in multiple ways, either manually or automatically. ADB tools are needed, also victim’s phone USB debugging option should be enabled.
This script is used to alleviate the many commands that are available in ADB tools. ADB stands for Android Debug Bridge, this tool usually used to help developers in debugging Android applications during creation or compilation time in Android Studio (or others). Android Triage created by Mattia Epifani, this bash script can be used to automatize operations that are usually “cumbersome” - if you’re lazy - to a simple to understand script.
This script can be used to backup data from mobile devices, this process can be categorized as acquisition phase. On older devices until Marshmallow, we can use specialized OS like Santoku to help with data acquisition. This is also true when we want to extract apk files that are available on Android devices. There are also some requirements that have to be met when doing acquisition:
- Phone should be unlocked. This can be achieved through bruteforcing or using devices like Cellebrite, though the former is not possible if you’re not under government or big companies.
- Acquiring data needs phone to be connected to your computer, this is for using ADB with the phone itself. ADB are tools that are used to bridge connection between your phone and computer.
- Complexity of Android devices are increased every releases, this is to solve security issues through patching and new release of Android version. It is currently not possible to use out of the box device to stop pinging through google, even during offline period as long there is connections.
- Commercial tools are expensives, therefore the alternatives are open source that utilize adb tools to do forensics. This still needs further research.
First, we need to acquire device that was found at the crime scene. Next, to identify the device, we can either do it manually or through adb tools. ADB comes with adb devices command to look at device fingerprint once connected through usb debugging. USB debugging can be accessed through settings > developer options > USB debugging. Through android_triage we can get more info about the device, it will show through ncurses interface in terminal. Data that can be acquired will be stored in your home folder.
Second, we need to prepare all the possible tools that can be used during investigation, either Android Studio, tools that already mentioned above, and all the hardware that needed, especially one that can run VMs reliably.
Third, we need to isolate the device from networks by switching off WiFi and Bluetooth. This step is crucial, also remember to take off SIM Card(s) that are located inside the SIM tray.
Fourth, we need to process and backup data through adb or other tools, we can do this by imaging through android_triage or aflogical-ose. android_triage can execute command through scripting or creates backup by installing aflogical-ose and other tools that are available for android data acquisition. This data then can be used with other tools like Autopsy, Evidence Tree, or by mounting its image. Other place that you might want to see is sd card, we can create a backup through dd or dc3dd or by using propirietary software such as EaseUS Data.
Some command that you might found during this process when doing things through adb are as follows:
- adb devices
Useful to know if your device is attached or not through your usb to your computer.
- adb reboot bootloader
Bootloader is the boot screen that you see when the device starts, bootloader itself starts before that splash screen starts, it is to load processes during boot, and this command is to interupt that boot command and go into where the bootloader resides, you can then connect through the next step.
- fastboot oem unlock
To unlock the device from its manufacturer - although its capability can’t be vouched for companies that lock its bootloader - it is still can be done to device that comes from Samsung Galaxy line of phones or most of other manufacturers. Known device that lock its bootloader and can’t be rooted are Vivo and Oppo, unless they share codes to unlock its bootloader.
Fifth, after we process through the steps in phase four, we need to verify the hash to know either the data has been tampered or not. Tools like AccessData FTK Imager can help with exploring the data that are still saved inside memory blocks. This is also why you might want to wipe clean android devices through factory reset and beyond to delete everything.
Lastly, is to document each steps that are taken during data acquisition, this is crucial to create case file that can be accepted in the court.
Other Tools
If you understand a little bit of how to unlock and rooting your device, you might want to change your ROM to a custom rom that are available in many places, one of it is XDA-Developers site. The point is to safely disconnect you with google and understand of how the device itself works. Even if Android itself is brainchild from Linux Kernel, thats where the similarity ends.