Difference between revisions of "Summerschool Aachen 2004/Incident Research Lab"
Revision as of 16:18, 4 October 2004
Notes on Presentations
Notes on Lab Session
Debian packages you might find useful
You might want to look into the following tools:
- grave-robber - grab important data from a system
- ddrescue - spiced up dd
- sleuthkit, autopsy - forensic toolkit (includes inode cat, ...)
- fcrackzip - zip password cracker
- nasm - netwide disassembler
- e2undel - undelete for ext2
- ntfstools - undelete for ntfs
- bview - nice hex editor, vim-like
- bsdmainutils (includes hd), or vim (includes xxd)
Forensic Imaging Best Practice
1. Get a disk and ensure that there is an ID on that disk. IDs should look like UU-YYYY-MM-DD-X, where UU is your user ID, YYYY, MM, DD represent the date and X is a roman numeral used as a serial number to distinguish several hard disks you image in one day. So I might use something like md-2004-10-04-I as an ID. Write it on the disk with a marker and create a directory with the same name for your evidence data.
2. Connect the disk to your computer. You might want to try to remove the original disk from one of our external USB disks and put in the disk to image. We find that "real" IDE and SCSI work better.
3. Go to your evidence directory and create a file like md-2004-10-04-I.txt where you note model, serial number, manufacturer, etc. of the HD, other noteworthy things, your name and the current time. Then create the image with something like dd if=/dev/hdX of=./md-2004-10-04-I.image
4. Upload your whole evidence directory to ftp://discovery.informatik.rwth-aachen.de/incoming/DiskImages/
5. Now start analyzing the image, add your observations to the evidence directory and upload missing material when done.
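The five steps above, carried out by a small POSIX shell helper. This is an added example, not a script from the original wiki page or the summer school: it builds and validates the UU-YYYY-MM-DD-X evidence ID, creates the evidence directory and notes file, runs dd against the source, and records the dd summary in the notes. The source may be a block device such as /dev/hdX or, for practice, an ordinary file. Two things go beyond the page's steps and are this example's own choices: dd is run with conv=noerror,sync so that unreadable blocks are padded rather than silently dropped, and a SHA-256 hash of the finished image is written beside it so the copy uploaded to the FTP server can be verified later. The upload step itself is left to the reader, since it depends on the FTP client available.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumptions: user IDs are two
# lowercase letters, the serial is a roman numeral I..X, sha256sum is available.
set -eu

# Step 1: build an evidence ID of the form UU-YYYY-MM-DD-X
# $1 user id, $2 date as YYYY-MM-DD, $3 roman numeral serial
make_evidence_id() {
    printf '%s-%s-%s\n' "$1" "$2" "$3"
}

# Check that an ID has the UU-YYYY-MM-DD-X shape; exit status 0 when it does
check_evidence_id() {
    printf '%s\n' "$1" |
        grep -Eq '^[a-z]{2}-[0-9]{4}-[0-9]{2}-[0-9]{2}-(I|II|III|IV|V|VI|VII|VIII|IX|X)$'
}

# Steps 1 and 3: create the evidence directory, write the notes file, image the
# source, and (this example's addition) hash the image. Prints the evidence
# directory path on success.
# $1 evidence id, $2 source device or file, $3 parent directory for evidence
image_disk() {
    id=$1
    src=$2
    parent=$3
    evdir="$parent/$id"
    notes="$evdir/$id.txt"

    check_evidence_id "$id" || { echo "bad evidence id: $id" >&2; return 1; }
    [ -r "$src" ] || { echo "cannot read source: $src" >&2; return 1; }
    mkdir -p "$evdir"

    # Notes file: what the page asks you to record, plus timestamps.
    # Model, serial number and manufacturer are read off the drive label.
    {
        printf 'Evidence ID: %s\n' "$id"
        printf 'Source: %s\n' "$src"
        printf 'Model / serial number / manufacturer: (fill in from the drive)\n'
        printf 'Examiner: %s\n' "${USER:-unknown}"
        printf 'Imaging started: %s\n' "$(date -u '+%Y-%m-%d %H:%M:%S UTC')"
    } > "$notes"

    # The dd from step 3. noerror,sync keeps offsets stable on bad sectors;
    # dd's record summary goes into the notes file as part of the record.
    dd if="$src" of="$evdir/$id.image" bs=4096 conv=noerror,sync 2>> "$notes"

    # Hash of the image, checkable later with: sha256sum -c ID.image.sha256
    (cd "$evdir" && sha256sum "$id.image" > "$id.image.sha256")

    printf 'Imaging finished: %s\n' "$(date -u '+%Y-%m-%d %H:%M:%S UTC')" >> "$notes"
    printf '%s\n' "$evdir"
}

# Usage (on a real disk, run as root):
#   id=$(make_evidence_id md 2004-10-04 I)
#   image_disk "$id" /dev/hdX ./evidence
```

Everything the helper produces lives under the one directory named after the ID, which is exactly what step 4 expects you to upload. Because the hash is written at imaging time, a mismatch after the upload tells you the copy on the server is not the one you took.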