Thursday, March 27, 2014

What the FTK?

In the class that I am taking about forensics, we have spent the last few weeks digging into a couple of different tools: Autopsy (mentioned in my last post) and FTK. As a quick disclaimer/post-posting edit, I would like to say that the Windows version of Autopsy is much less antiquated than the Linux version I used and reviewed. In fact, the Windows Autopsy program that I used actually looks very similar to FTK (and it's free ninety-nine!)

FTK

FTK (Forensic ToolKit) is a not-free program that is distributed by AccessData. On the main page for FTK at the AccessData website, it touts FTK as "a court accepted digital investigations platform", and that is definitely the audience that this program is built for. FTK offers a variety of different tools that allow a user to view deleted files, piece together meta-data, view a timeline of events that have taken place on certain images, etc. Pretty much anything can be imported into FTK and used as evidence. 

FTK is built off of a database system (which is included during the initial installation) and uses some pretty beefy algorithms and architecture to index data and make it searchable. FTK also does a lot of the heavy lifting for users, so that going through evidence seems more like browsing through a directory instead of piecing together hex code or bits and bytes. 

One very useful thing that I learned from a classmate of mine was called "carving" the data. Carving is kind of like what it sounds like: working the program a little harder, and having it scrape and clean data to bring out things that may have been hidden, basically trimming the fat. This is done fairly easily by using the "Evidence" tab, then selecting "Additional Analysis".

Another tool that is built around the same structure as FTK is MPE+ (Mobile Phone Examiner Plus), which is a separate program that feels almost exactly like FTK. MPE+ is basically FTK for mobile phones and devices. I am just getting into using the program, but it seems very intuitive and like I have already mentioned, is structured a lot like FTK in the UI and features. 

While FTK and MPE+ are not free, they can be tried for 30 days courtesy of AccessData. Downloads for FTK and other AccessData products can be found here: http://www.accessdata.com/support/product-downloads.

XKCD. Too good. 

Tuesday, March 11, 2014

To Catch a Criminal

Of the tools I plan on talking about today, one is more on the archaic-but-useful side, while the other is just plain useful and a bit creepy, and the last is something that I have actually been working on in the open-source community. When it comes to forensics, that is kind of the nature of a number of the tools still in use by professionals... New tools come out, but a lot of the time forensics experts like using open-source (i.e. cheap/free) tools and suites!

Autopsy

One of these open-source and sweet tools (see what I did there? ;) ) is Autopsy. Autopsy is an older program that is available for both Windows and Unix operating systems, and is even included in a few Linux distros (like Kali and SIFT). Autopsy is something that I have been using to reconstruct damaged filenames/filetypes, to look through files to see if they have been tampered with, and frankly to see files and file structures at a more microscopic level. 

That being said, like I have already mentioned, Autopsy is a little bit dated. It is nice that the program at least has a GUI, but it definitely takes a little bit of time to get used to. The screenshot below shows a little bit of what it is like to use the tool. You can tell just from the toolbar above the files how many options you have once you have started the case: you can do file analysis, search for keywords in all of the files, get metadata and look through hex code, etc. Truly, Autopsy has an array of tools for cyber forensics that just take a little bit of getting used to in order to fully grasp the benefits of the program. This basic tutorial is great for helping beginners get started: http://digital-forensics.sans.org/blog/2009/05/11/a-step-by-step-introduction-to-using-the-autopsy-forensic-browser


The Autopsy download can be found at http://www.sleuthkit.org/

Data Echo

Data Echo is another tool used by some professionals today (particularly by some consultants on the Brigham Young University (BYU) network) and is the free version of a more powerful tool owned by Solera Networks. Ironically, it was actually released to the public by a member of the Solera team accidentally, and because of that slip-up we can all enjoy this product. 

Data Echo is a tool that can help users recreate a TCP session using captured packet data. You can either do this live, using Wireshark or another capturing utility, or you can analyze saved .pcap files as well. Honestly, this program is a bit creepy. If you are a network administrator and are capturing packets on a co-worker's computer, you could essentially recreate their browsing sessions and email usage. Yeah. Creepy. 

But effective! Especially if you are using it for forensic and/or criminal investigations. This tool doesn't really have a learning curve on it either. You literally load it up, and either start capturing packets with it using the included packet capturing utility, or load in a saved .pcap file for analysis. This program can be found at http://sourceforge.net/projects/data-echo/.

TCPDShark

The last tool I will bring up is actually a project that I am currently working on using Git (source-code sharing software) and CodePlex (a Microsoft creation for fostering open-source tools; I know, kind of counter-intuitive... It's a traaaaaaap). This tool is a plugin for Wireshark called TCPDShark. As I have mentioned above, Wireshark is a forensic tool used to capture packets over a network. TCPDStat is an older tool that is Unix-based and is used to take packet data and analyze it, giving the user statistics. Since TCPDStat is Unix-based, a BYU student decided to create a version of the program that works on Windows. 

Written in the Lua coding language, TCPDShark fulfills the same function as TCPDStat by giving packet data analytics, specifically what percentage of the captured packets belong to each protocol (HTTP, HTTPS, ARP, etc.). Using this information, the program then goes a step further and flags percentages that may be worrying to a user, along with an explanation of why. 

This tool is a plugin for WireShark, and therefore you have to have WireShark installed to use it. You can find the WireShark download here: http://www.wireshark.org/download.html and the TCPDShark plugin here: https://tcpdshark.codeplex.com/

Thursday, February 20, 2014

Midterm Season

You may or may not be wondering where on this good green (or brown, if you happen to be in the Northern hemisphere at this time) Earth I have been for the past few weeks. The straight answer is that I have been in various places, but notably not posting on this site. This doesn't mean that I haven't been learning, just that I haven't had a chance to take a break from school and midterms to write about my new, fun IT forensics tools that I have been playing with.

Today I will briefly mention my experience with two tools, Snort and SIFT.

Snort

Snort is a pretty mainstream tool that is currently only available on Unix systems. Snort is advertised as an "open source network intrusion prevention and detection system" (http://www.snort.org/) and is known in the forensics communities for its usefulness as an IPS (intrusion prevention system).

Snort is mainly used for capturing and analyzing network packets in real time in order to detect anomalies. I am mainly using Snort for the analysis of capture files that are not live, but the analysis for both is pretty similar. The format that Snort gives you the information in is pretty standard for each packet. Here is an example of an examined Snort packet in the alert file that is created after running the program:


[**] [1:1852:3] WEB-MISC robots.txt access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
09/23-15:52:49.949036 95.16.3.79:51779 -> 103.98.91.41:80
TCP TTL:128 TOS:0x0 ID:548 IpLen:20 DgmLen:183 DF
***A**** Seq: 0x5178F14 Ack: 0x1EE5B1E6 Win: 0x43ED TcpLen: 32
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10302]


As you can see, Snort gives its idea of what it believes each packet is doing, as well as the involved IP addresses, the internet protocol, and even sometimes a link to an internet article on the supposed vulnerability. Honestly, this can definitely give you a head start if you are trying to catch someone with malicious intent in your network, or if used as an IPS it can help you nip intrusions in the bud. 
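As an added example (not from the original post, and not Snort's own code), here is a small Python parser for the full-format alert blocks shown above. It splits an alert file on the blank lines between blocks, pulls out the rule id, message, classification, priority, endpoints and IP-header fields, and filters by priority for triage. The first sample block is the one quoted above; the second, ICMP one is constructed to exercise the no-port, no-flags case.

```python
import re

# Constructed sample alert file: block 1 is the one quoted in the post, block 2 is made up.
SAMPLE_ALERT_FILE = """\
[**] [1:1852:3] WEB-MISC robots.txt access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
09/23-15:52:49.949036 95.16.3.79:51779 -> 103.98.91.41:80
TCP TTL:128 TOS:0x0 ID:548 IpLen:20 DgmLen:183 DF
***A**** Seq: 0x5178F14 Ack: 0x1EE5B1E6 Win: 0x43ED TcpLen: 32
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10302]

[**] [1:1000001:1] LOCAL ICMP echo request from outside [**]
[Classification: Misc activity] [Priority: 3]
09/23-15:53:01.000000 198.51.100.7 -> 192.0.2.25
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
ENDPOINTS = re.compile(r"^(\S+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")  # IPv4 only
IPLINE = re.compile(r"^(\S+) TTL:(\d+) TOS:(\S+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)(.*)$")
XREF = re.compile(r"^\[Xref => (.+?)\]$")


def parse_alert(block):
    """Parse one alert block (the lines between blank lines) into a dict."""
    alert = {"xrefs": []}
    for ln in (l.strip() for l in block.splitlines() if l.strip()):
        if m := HEADER.match(ln):
            alert.update(gid=int(m[1]), sid=int(m[2]), rev=int(m[3]), msg=m[4])
        elif m := CLASS.match(ln):
            alert.update(classification=m[1], priority=int(m[2]))
        elif m := ENDPOINTS.match(ln):
            alert.update(timestamp=m[1], src_ip=m[2], src_port=int(m[3]) if m[3] else None,
                         dst_ip=m[4], dst_port=int(m[5]) if m[5] else None)
        elif m := IPLINE.match(ln):
            alert.update(proto=m[1], ttl=int(m[2]), ip_id=int(m[4]), dgm_len=int(m[6]), ip_flags=m[7].split())
        elif m := XREF.match(ln):
            alert["xrefs"].append(m[1])
    return alert  # layer-4 lines (TCP flags, seq/ack) are left unparsed here


def parse_alert_file(text):
    """Split a full-format alert file on blank lines and parse each block."""
    return [parse_alert(b) for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]


def triage(alerts, max_priority=2):
    """Alerts at or above the given priority (Snort: 1 is most urgent), most urgent first."""
    return sorted((a for a in alerts if a.get("priority", 99) <= max_priority), key=lambda a: a["priority"])
```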

As mentioned previously, Snort is only available on Unix systems, and can be installed by running "sudo apt-get install snort".

SIFT

Even though this isn't a program, I feel like SIFT deserves its own little shout out on this blog. SIFT is a version of Linux, distributed by SANS at their website (http://digital-forensics.sans.org/community/downloads) and created specifically for use in forensic investigations. SIFT comes with many preconfigured forensics tools, including TSK, Wireshark, Autopsy, ssdeep and md5deep (for hashing), and over 100 other tools. This is kind of like a forensics version of Kali Linux (which is mainly used for penetration testing), and is very useful especially for those getting started in forensics.

I personally use Kali and SIFT just in VMs on top of my Windows machine, but that isn't exactly terrible. Linux is designed to be lightweight, and performs pretty well in the VM. If you are trying to do penetration testing using rainbow tables or intense GPU/CPU crunching, then installing it directly as your OS, or even on a dedicated desktop, may be a better way to go.

The install instructions on the SANS webpage are pretty straightforward, but it might take you a couple of tries to get it all up and running. Overall though, SIFT is a nice little toolkit to use for forensic investigation!

Tuesday, January 28, 2014

Out of the Frying Pan

... and into the fire. Truly, the last three weeks have been interesting and grueling with regards to IT and the tools that I am learning. In today's post, I will cover three new tools that I have been using regularly for digital forensics and other IT purposes:

1- AnyToISO
2- Netcat/Zenmap
3- Notepad++

While these three tools do not even begin to break the professional scales of deep packet inspection, file recovery and repair, and other highly touted cyber forensic methods, they are great for getting started on a project or two. Everybody has to start somewhere!

AnyToISO




AnyToISO is a disk imaging utility that performs as the name describes: it allows you to turn any files into a .iso format image. Those images can then be mounted on your hard drive, burned to external media, or, in the case of forensics, mounted as "external media" on victim machines. As external media is the best way to transfer tools to a victim during a forensic investigation, this tool presents an ideal way to modify your toolkit at will. 


For example, I used this tool for a forensics lab involving a VM. Instead of having to burn and re-burn CDs containing the tools needed for my forensic investigation (such as cygwin, FPort 2.0, PSTools, etc.), I was able to research new tools, add them to a directory called "IT Tools", and then convert that directory to a .iso. That .iso file was then easily mounted on the victim VM, and my tools were delivered leaving little to no footprint on the victim PC. 


One thing that I did that made this particularly easy was leaving the AnyToISO program running on my forensic machine. Anytime I needed to add a tool, I could just overwrite the .iso that I had previously created, adding in the new tools. This was an easy and simple process, as the program keeps the last written file in memory for the destination file. 


While this program performs a simple function, it has become invaluable to me. I would highly recommend it to anyone, forensic specialist or not. 


To download AnyToISO straight from the source, visit http://www.crystalidea.com/anytoiso.



Netcat

Netcat is likely one of the oldest tricks in the book for others in the IT world, but for me it was one of the best kept secrets- until now. In the words of the Netcat creators, this program is, "a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities." (http://netcat.sourceforge.net/)

For my purposes, I mainly use Netcat to send information in the command line from a victim computer to the forensic machine. That being said, Netcat can be used for good or for awesome, so feel free to play around with some of the neat features included in the program. 


One thing to remember when using Netcat is that sometimes different versions use different syntax. Just in the few weeks I have been using it, I have seen the opening command start with ncat, netcat, and nc. Don't give up on this program if getting started is getting you down!


The main command that I use in Netcat is as follows: 


ncat -k -v -l -p 10000 >> command.txt


To break down this command, you have ncat, which starts the program; -k, which keeps this command running until you tell it to stop; -v, which makes the command line verbose; -l, which makes this particular port listen; and -p, which opens the port, in this case 10000. Everything that is sent to this port is then appended to the file "command.txt".


In order to send data over to this port, the command goes as follows: 


ipconfig [or other command...] | ncat [ip of host] 10000 [port that was opened]


This will send the results of whatever command is run to the host computer, into the command.txt file. You can also use Netcat to send the contents of a file through the bridge, using the command "cat" before the other command, e.g. "cat password.txt | ncat 192.168.0.1 10000".
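As an added example (not part of the original post, and not Netcat's own code), here is the same collector/sender exchange written with Python sockets so it can be run end-to-end on one machine: the listener plays the part of "ncat -l -p PORT >> command.txt" and the sender the part of "ipconfig | ncat HOST PORT". Assumptions: both ends on 127.0.0.1, an OS-chosen port, and a constructed sample in place of real ipconfig output; the listener also heads each entry with the peer address, UTC time and a SHA-256 of what it received, which a plain ">>" redirect does not record and which lets you verify the collected output later.

```python
import hashlib
import socket
import tempfile
import threading
from datetime import datetime, timezone


def open_listener(host="127.0.0.1", port=0):
    """Examiner side of `ncat -l -p PORT`; port=0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def receive_one(srv, log_path):
    """Accept one sender, read to end-of-stream, append to log_path (the `>>`),
    headed by peer address, UTC time and SHA-256 so the entry can be verified."""
    conn, peer = srv.accept()
    chunks = []
    with conn:
        while data := conn.recv(4096):  # empty read: sender half-closed
            chunks.append(data)
    payload = b"".join(chunks)
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    digest = hashlib.sha256(payload).hexdigest()
    with open(log_path, "ab") as log:
        log.write(f"### {stamp} {peer[0]}:{peer[1]} sha256={digest}\n".encode() + payload + b"\n")
    return payload


def send_output(host, port, data):
    """Victim side of `ipconfig | ncat HOST PORT`: send, then half-close (EOF for the listener)."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)


def demo(sample=b"Windows IP Configuration\n   IPv4 Address. . . : 192.0.2.10\n"):
    """Run both ends on localhost (sample is constructed); returns (received, log contents)."""
    log_path = tempfile.NamedTemporaryFile(suffix=".txt", delete=False).name
    srv = open_listener()
    got = []
    worker = threading.Thread(target=lambda: got.append(receive_one(srv, log_path)))
    worker.start()
    send_output("127.0.0.1", srv.getsockname()[1], sample)
    worker.join(5)
    srv.close()
    with open(log_path, "rb") as f:
        return got[0], f.read()
```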


To download Netcat, I got a suite known as "Zenmap". This suite basically is a GUI version of Nmap, which includes Netcat in the installation. It can be found here: http://nmap.org/download.html



Notepad++

As I am at risk of going waaaaaaay too long on this post, I will keep this next section brief. Notepad++ is an amazing tool for taking notes, as can be assumed. It also contains sweet plugins for writing code and formatting HTML, if that is your particular cup 'o' joe. It also has an awesome logo, amiright?

The main reason that I use Notepad++ is for notes, but it is a way better program to use than Notepad for note-taking purposes. If you want to write essays, then go ahead and use Word or OpenOffice, as this isn't built to replace those programs. It does include a basic spellchecker, but the main power lies in its formatting plugins, its macro recorder, and its help tools for coding languages like PHP and HTML. It can even convert ASCII to hex for you! ;)


For a simple tool that will help you with various things, I recommend Notepad++. You can get a free download here: http://notepad-plus-plus.org/download/v6.5.3.html.



And that about does it. Hopefully next time, I will be able to pick one or two tools and elaborate a little bit more on their usefulness and/or sweet and awesome commands. Until then... 




Saturday, January 11, 2014

A New Beginning

I guess since this is the beginning of this blog, I should put a little introduction of who I am and what I aim to do on this public domain space. To be frank, I am being given a learning opportunity in one of my classes to share with the world what IT tools, guides, and services I use, write, and discover during the next few months. Who knows, this blog may continue on indefinitely after that!

Aside from just mentioning guides, tools, and services, I will also likely mention pro-tools that I figure out or come across in my life. Along with being a Master's student at a prestigious private university, I am also an IT specialist at the growing company BlenderBottle. I am probably on speed dial for many of my friends if some type of computer emergency comes up.

That being said, I am still continuously learning, and hopefully on this blog and in comments, we can all learn together.


good ol nerds