Thursday, February 20, 2014

Midterm Season

You may or may not be wondering where on this good green (or brown, if you happen to be in the Northern hemisphere at this time) Earth I have been for the past few weeks. The straight answer is that I have been in various places, but notably not posting on this site. This doesn't mean that I haven't been learning, just that I haven't had a chance to take a break from school and midterms to write about my new, fun IT forensics tools that I have been playing with.

Today I will briefly describe my experience with two tools, Snort and SIFT.

Snort

Snort is a pretty mainstream tool that is currently only available on Unix systems. Snort is advertised as an "open source network intrusion prevention and detection system" (http://www.snort.org/) and is known in the forensics community for its usefulness as an IPS (intrusion prevention system).

Snort is mainly used for capturing and analyzing network packets in real time in order to detect anomalies. I am mainly using Snort to analyze capture files rather than live traffic, but the analysis is pretty similar in both cases. The format in which Snort presents the information is standard for each packet. Here is an example of a packet record from the alert file that Snort creates after running:

[**] [1:1852:3] WEB-MISC robots.txt access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
09/23-15:52:49.949036 95.16.3.79:51779 -> 103.98.91.41:80
TCP TTL:128 TOS:0x0 ID:548 IpLen:20 DgmLen:183 DF
***A**** Seq: 0x5178F14 Ack: 0x1EE5B1E6 Win: 0x43ED TcpLen: 32
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10302]

As you can see, Snort gives its idea of what it believes each packet is doing, as well as the IP addresses involved, the protocol, and sometimes even a link to an internet article on the supposed vulnerability. Honestly, this can definitely give you a head start if you are trying to catch someone with malicious intent in your network, or, if used as an IPS, it can help you nip intrusions in the bud.
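To make those alert records easier to triage, here is a small parser for the alert format shown above. This is an added example written for this post, not part of Snort itself; the sample text is the single alert quoted above, and the field names in the returned dictionaries are my own choice.

```python
import re

# Constructed sample: the one alert record quoted in the post above.
SAMPLE_ALERT = """[**] [1:1852:3] WEB-MISC robots.txt access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
09/23-15:52:49.949036 95.16.3.79:51779 -> 103.98.91.41:80
TCP TTL:128 TOS:0x0 ID:548 IpLen:20 DgmLen:183 DF
***A**** Seq: 0x5178F14 Ack: 0x1EE5B1E6 Win: 0x43ED TcpLen: 32
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10302]
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
# Port is optional so that alerts without ports (e.g. ICMP) still parse.
FLOW_RE = re.compile(r"^(\S+) " + IP + r"(?::(\d+))? -> " + IP + r"(?::(\d+))?$")
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP)\b")
XREF_RE = re.compile(r"^\[Xref => (\S+)\]$")


def parse_alerts(text):
    """Split a Snort alert file into one dict per alert record."""
    alerts = []
    # Records are separated by blank lines and start with a [**] header.
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an alert header; skip the block
        rec = {"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]),
               "msg": m[4], "xrefs": []}
        for line in lines[1:]:
            if m := CLASS_RE.match(line):
                rec["classification"], rec["priority"] = m[1], int(m[2])
            elif m := FLOW_RE.match(line):
                rec["timestamp"], rec["src"], rec["dst"] = m[1], m[2], m[4]
                rec["sport"] = int(m[3]) if m[3] else None
                rec["dport"] = int(m[5]) if m[5] else None
            elif m := PROTO_RE.match(line):
                rec["proto"] = m[1]
            elif m := XREF_RE.match(line):
                rec["xrefs"].append(m[1])
        alerts.append(rec)
    return alerts


def high_priority(alerts, max_priority=2):
    """Keep alerts whose Snort priority is max_priority or more urgent (lower number)."""
    return [a for a in alerts if a.get("priority", 99) <= max_priority]
```

Running `parse_alerts(SAMPLE_ALERT)` on the quoted record yields a single dictionary with the signature id 1852, the message, both endpoints, the TCP protocol and the Nessus cross-reference, which is enough to sort or count alerts by source address or priority.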

As mentioned previously, Snort is only available on Unix systems, and can be installed by running "sudo apt-get install snort".

SIFT

Even though this isn't a program, I feel like SIFT deserves its own little shout out on this blog. SIFT is a version of Linux, distributed by SANS at their website (http://digital-forensics.sans.org/community/downloads) and created specifically for use in forensic investigations. SIFT comes with many preconfigured forensics tools, including TSK, Wireshark, Autopsy, ssdeep and md5deep (for hashing), and over 100 other tools. This is kind of like a forensics version of Kali Linux (which is mainly used for penetration testing), and is very useful especially for those getting started in forensics.

I personally use Kali and SIFT just in VMs on top of my Windows machine, but that isn't exactly terrible. Linux is designed to be lightweight, and performs pretty well in a VM. If you are trying to do penetration testing using rainbow tables or intense GPU/CPU crunching, then installing it directly as your OS, or even on a dedicated desktop, may be a better way to go.

The install instructions on the SANS webpage are pretty straightforward, but it might take you a couple of tries to get it all up and running. Overall though, SIFT is a nice little toolkit to use for forensic investigation!
