RE: Windows forensics with Linux analysis machine
- To: "'JJ'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
- Subject: RE: Windows forensics with Linux analysis machine
- From: "Reava, Jeffrey [IT/0200]" <[EMAIL PROTECTED]>
- Date: Thu, 21 Aug 2003 10:25:59 -0500
By full investigation do you mean internal use by HR to take action on
employee misconduct, for IT to determine root cause, or for use in court?
Does your reporting need to make sense to you, or to others?
Sleuthkit rocks, but you need the NSRL hash sets and/or custom built hash
sets in order to reduce the amount of sifting you need to do. MD5deep is a
good way to build your own hash sets if your target pool shares a common
build with many unique files not included in the NSRL sets.
How's your budget? In the 'free' category these are all good complements to SK:
- NSRL reference library (http://www.nsrl.nist.gov/index.html) to rule out known good OS files
- pasco (foundstone) for digging INDEX.DAT files
- readpst (http://sourceforge.net/projects/ol2mbox) to convert Outlook/OE to MBOX
- foremost (http://foremost.sourceforge.net/) for recovering files from slack space, repartitioned drives, etc.
- ntreg (http://razor.bindview.com/tools/index.shtml) for registry analysis on linux
Foremost needs a bit of tuning to be useful; be prepared to use xxd, od,
and/or other binary viewers to look inside different file types so that you
can configure foremost with the right header/footer combos to look for.
There are websites that provide many of these formats (www.wotsit.org) but
you may have to roll your own in some cases.
HTH,
Jeff
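To make the header/footer tuning concrete, here is an added example (not from the post or from foremost itself) of the carving idea Jeff describes: scan a raw image for known file headers, cut each candidate at its footer, and fall back to a size cap when the footer is gone. The JPEG and PDF magic values are the standard ones; the image bytes and the size caps are constructed for illustration.

```python
# Minimal header/footer carver in the style of foremost, run over a constructed
# "disk image". Signature table: header, footer, max_len; max_len caps a carve
# whose footer never appears (truncated or overwritten data), as foremost's
# per-type size limit does. Caps are chosen small for this demo.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 32),
    "pdf": (b"%PDF", b"%%EOF", 64),
}

def carve(image: bytes, signatures=SIGNATURES):
    """Return (type, offset, data, complete) for every header hit, by offset."""
    found = []
    for ftype, (header, footer, max_len) in signatures.items():
        start = 0
        while True:
            pos = image.find(header, start)
            if pos == -1:
                break
            window = image[pos:pos + max_len]
            # look for the footer after the header bytes only
            end = window.find(footer, len(header))
            if end == -1:
                data, complete = window, False   # no footer: keep up to the cap
            else:
                data, complete = window[:end + len(footer)], True
            found.append((ftype, pos, data, complete))
            start = pos + len(header)             # keep scanning past this hit
    return sorted(found, key=lambda f: f[1])

# Constructed image: zero padding, a complete JPEG, a PDF, junk, and a second
# JPEG whose footer has been overwritten (so it hits the 32-byte cap).
IMAGE = (b"\x00" * 8
         + b"\xff\xd8\xff\xe0JFIF-data-1\xff\xd9"
         + b"\x00" * 5
         + b"%PDF-1.4 obj stream %%EOF"
         + b"garbage"
         + b"\xff\xd8\xff\xe1EXIF-no-footer" + b"\x00" * 40)

if __name__ == "__main__":
    for ftype, offset, data, complete in carve(IMAGE):
        state = "complete" if complete else "truncated (size cap)"
        print(f"{offset:08d}.{ftype}  {len(data):3d} bytes  {state}")
```

Real headers often need more than a fixed prefix (a JPEG's second marker varies, a PDF's trailer can appear several times), which is exactly the sort of thing the od/xxd inspection Jeff mentions is for before committing a signature to the config.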
-----Original Message-----
From: JJ [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 20, 2003 3:30 PM
To: [EMAIL PROTECTED]
Subject: Windows forensics with Linux analysis machine
All,
I'm looking for good tools that will allow me to do a full investigation of
a Windows image using linux. I'm looking at Autopsy and Sleuthkit now. Are
there any other tools that will allow me to do the full investigation (view
registry structures, undelete files, etc) under linux?
Thanks,
JJ
---------------------
J. J. Horner
CISSP,CCNA,CHSS,CHP
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com