Difference between revisions of "Summerschool Aachen 2004/Incident Research Lab"
Revision as of 16:52, 4 October 2004
Notes on Lab Session
Software packages you might find useful
You might want to look into the following tools:
- graverobber - grab important data from system
- ddrescue - spiced up dd
- sleuthkit, autopsy - forensic toolkit (includes inode cat, ...)
- fcrackzip - zip password cracker
- nasm - Netwide Assembler (the package also ships the ndisasm disassembler)
- e2undel - undelete for ext2
- ntfstools - undelete for ntfs
- bview - nice hex editor, vim-like
- bsdmainutils (includes hd), or vim (includes xxd)
- chntpw - reset windows passwords, browse registry
Have a look at the Links page!
Images to look at
Forensic Imaging Best Practice
1. Get a disk and ensure that there is an ID on that disk. IDs should look like UU-YYYY-MM-DD-X, where UU is your user ID, YYYY, MM, DD represent the date and X is a roman numeral used as a serial number to distinguish several hard disks you image in one day. So I might use something like md-2004-10-04-I as an ID. Write it on the disk with a marker and create a directory with the same name for your evidence data.
2. Connect the disk to your computer. You might want to try to remove the original disk from one of our external USB disks and put in the disk to image. We find that "real" IDE and SCSI work better.
3. Go to your evidence directory and create a file like md-2004-10-04-I.txt where you note model, serial number, manufacturer, etc. of the HD, other noteworthy things, your name and the actual time. Then create the image with something like dd if=/dev/hdX of=./md-2004-10-04-I.image
4. Upload your whole evidence directory to ftp://discovery.informatik.rwth-aachen.de/incoming/DiskImages/
5. Now start analyzing the image, add your observations to the evidence directory and upload anything still missing when done.
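Steps 1 to 3 above as a small POSIX shell script. This is an added example, not part of the original lab notes: the function names, the two-letter user ID format in the check, and the checksum file it writes next to the image (so a later copy of the image can be verified against the original) are assumptions of this example; the FTP upload in step 4 is left as a manual step.

```shell
#!/bin/sh
# Added example for the imaging procedure above (not from the original page).

# Check an evidence ID of the form UU-YYYY-MM-DD-X (X a roman numeral).
# Assumes a two-letter user ID as in the md-2004-10-04-I example.
evidence_id_ok() {
    printf '%s\n' "$1" | grep -Eq '^[a-z]{2}-[0-9]{4}-[0-9]{2}-[0-9]{2}-[IVXLCDM]+$'
}

# Build an ID from user ID, date (YYYY-MM-DD) and roman serial number.
make_evidence_id() {
    printf '%s-%s-%s\n' "$1" "$2" "$3"
}

# Create the evidence directory and notes file, image the source device
# with dd into that directory, and record a SHA-256 sum of the image.
# Usage: image_disk <evidence-id> <source-device> [<base-dir>]
image_disk() {
    id=$1; src=$2; base=${3:-.}
    evidence_id_ok "$id" || { echo "bad evidence id: $id" >&2; return 1; }
    dir="$base/$id"
    mkdir -p "$dir" || return 1
    notes="$dir/$id.txt"
    {
        echo "evidence id: $id"
        echo "source device: $src"
        echo "examiner: $(id -un)"
        echo "imaging started: $(date -u '+%Y-%m-%d %H:%M:%S UTC')"
        echo "model / serial number / manufacturer: (copy from the disk label)"
    } > "$notes"
    # dd's block summary goes to stderr; keep it with the notes.
    dd if="$src" of="$dir/$id.image" bs=64k 2>>"$notes" || return 1
    echo "imaging finished: $(date -u '+%Y-%m-%d %H:%M:%S UTC')" >> "$notes"
    # Checksum written with a relative name so `sha256sum -c` works in $dir.
    (cd "$dir" && sha256sum "$id.image" > "$id.image.sha256")
}
```

Run it with the real device, e.g. `image_disk md-2004-10-04-I /dev/hdX`, only after the disk is attached read-only and nothing on it is mounted.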