
Forensic analysis of Windows hosts using UNIX-based tools




  1. Forensic analysis of Windows hosts using UNIX-based tools • Source: Digital Investigation (2004) 1, 197-212 • Author: Cory Altheide • Presenter: Yao • Professor: Shiuh-Jeng Wang

  2. Tools • SMART for Linux (ASR Data) • --- commercial software • Autopsy (by Brian Carrier) • --- free, open-source software

  3. Properties of SMART for Linux • Support for several image compression formats. • The ability to recover deleted files. • The ability to mount split image files. • Support for the NTFS and FAT file systems.

  4. Properties of Autopsy • A web-based front end for The Sleuth Kit. • A modular, extensible design that allows easy end-user extension and reduces the likelihood of a single point of failure. • Support for the NTFS and FAT file systems.

  5. Deleted file recovery • Both tools recover deleted files on FAT and NTFS, but Autopsy's NTFS recovery is somewhat rudimentary compared to SMART's. • Compared with recovering deleted files from a FAT file system, recovery on NTFS seems almost trivial: a deleted FAT directory entry keeps only the file's first cluster and size, and the cluster chain in the FAT is cleared on deletion, so the remaining clusters must be guessed, whereas an NTFS MFT entry keeps the file's full list of data runs until the entry is reused.

  6. Unallocated space • Both tools allow extraction of unallocated space to some degree, although the extraction performed by SMART is far more granular and customizable. • "foremost" is a very good tool for file carving (recovering files by their header and footer signatures) from extracted unallocated or otherwise unstructured space.
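The following is an added example of the header/footer carving that foremost performs over an exported blob of unallocated space; it is not code from the paper, from foremost, or from SMART or Autopsy. The signature table holds standard magic values, and the SAMPLE buffer is constructed here so the block runs offline.

```python
"""Header/footer file carver, in the spirit of foremost.

Added example; not code from the paper, from foremost, or from SMART or
Autopsy. Input is any unstructured blob, e.g. unallocated space exported
from one of those tools. SAMPLE below is constructed for demonstration.
"""
import os

# name -> (header, footer, maximum carve length when no footer is found)
# Headers/footers are the standard magic values for each format. A PDF with
# incremental updates contains several %%EOF markers; carving to the first
# one truncates such files, a known limitation of footer-based carving.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 5 * 1024 * 1024),
    "gif": (b"GIF8", b"\x00\x3b", 5 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 20 * 1024 * 1024),
}


def carve(data, signatures=SIGNATURES):
    """Return [(type, offset, payload)] for every signature hit, by offset.

    Each header hit ends at the first footer within the maximum length; if
    no footer is found the object is carved up to that maximum (truncated
    object) rather than dropped.
    """
    found = []
    for ftype, (header, footer, max_len) in signatures.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start < 0:
                break
            limit = min(len(data), start + max_len)
            end = data.find(footer, start + len(header), limit)
            stop = limit if end < 0 else end + len(footer)
            found.append((ftype, start, data[start:stop]))
            pos = start + len(header)  # keep scanning for embedded objects
    return sorted(found, key=lambda hit: hit[1])


def write_carved(hits, outdir):
    """Write each carved object as <offset>.<type> and return the paths."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for ftype, offset, payload in hits:
        path = os.path.join(outdir, "%08x.%s" % (offset, ftype))
        with open(path, "wb") as fh:
            fh.write(payload)
        paths.append(path)
    return paths


# Constructed sample "unallocated space": filler with a JPEG and a PDF inside.
FILLER = bytes(range(256)) * 4
SAMPLE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 40 + b"\xff\xd9"
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
SAMPLE = FILLER + SAMPLE_JPG + FILLER + SAMPLE_PDF + FILLER

if __name__ == "__main__":
    for ftype, offset, payload in carve(SAMPLE):
        print("%s at 0x%08x, %d bytes" % (ftype, offset, len(payload)))
```

Run against a real export, `carve(open("unalloc.dd", "rb").read())` followed by `write_carved(...)` gives the same kind of output directory foremost produces; real images need signatures for every type of interest and a streaming reader rather than one read of the whole file.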

  7. Keyword searching • SMART • --- simple term search • --- Unicode term search (UTF-16LE, the encoding Windows uses for registry values, NTFS file names and many application strings) • Autopsy • --- lacks Unicode support, so UTF-16 strings on the image are missed by its search
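An added example of the search the slide contrasts, not code from the paper, SMART or Autopsy: one keyword is searched in 8-bit form and in both UTF-16 byte orders, and a hit is shown with its decoded context. The SAMPLE buffer is constructed here.

```python
"""Keyword search over a raw image in 8-bit and UTF-16 ("Unicode") form.

Added example; not code from the paper, SMART or Autopsy. SAMPLE is
constructed below.
"""
import re

# latin-1 covers ASCII and single-byte code pages; Windows itself writes
# UTF-16LE, and big-endian UTF-16 is cheap to include for documents and
# captures that use it.
ENCODINGS = ("latin-1", "utf-16-le", "utf-16-be")


def search_keyword(data, keyword, ignore_case=True):
    """Return [(offset, encoding, matched bytes)] sorted by offset.

    re.IGNORECASE folds only ASCII letter bytes, so it works on the UTF-16
    needles as well: the interleaved NUL bytes are left untouched.
    """
    flags = re.IGNORECASE if ignore_case else 0
    hits = []
    for enc in ENCODINGS:
        needle = re.escape(keyword.encode(enc))
        for m in re.finditer(needle, data, flags):
            hits.append((m.start(), enc, m.group(0)))
    return sorted(hits)


def context(data, offset, enc, width=16):
    """Decode the bytes around a hit so the analyst can see it in situ."""
    lo = max(0, offset - width)
    if enc.startswith("utf-16"):
        lo += (offset - lo) % 2  # keep the window aligned to the hit's code units
    hi = min(len(data), offset + width)
    return data[lo:hi].decode(enc, errors="replace")


# Constructed sample: the keyword once as UTF-16LE, once as plain 8-bit text.
SAMPLE = (b"\x00" * 8 + b"nothing here " + "Secret".encode("utf-16-le")
          + b"\x00\x00--" + b"secret plan" + b"--")

if __name__ == "__main__":
    for offset, enc, raw in search_keyword(SAMPLE, "secret"):
        print("0x%08x %-9s %r" % (offset, enc, context(SAMPLE, offset, enc)))
```

The command-line equivalent with GNU binutils is `strings -e l image.dd` (16-bit little-endian strings) piped into `grep -i`, alongside the usual `strings image.dd | grep -i` pass for 8-bit text.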

  8. Windows file examination • Trojan defense (the claim that malicious code, not the suspect, was responsible): scan the mounted volume with Clam AntiVirus and F-Prot for known malicious code. • Mount the image read-only so the scan cannot alter the evidence.

  9. Pasco, Galleta, and Rifiuti • Rifiuti parses INFO2 files from the Recycle Bin. --- INFO2 is the index the Recycle Bin keeps of each deleted file's original path, deletion time and size. • Galleta parses Internet Explorer cookies. --- plain text files • Pasco parses Internet Explorer history files. --- the index.dat file stores data about a user's web browsing history
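An added example of what Rifiuti does with an INFO2 file; it is not Rifiuti's code. The record layout assumed is the Windows 2000/XP format as documented for the Rifiuti tools: a 20-byte header (version, two unknown dwords, record size, total size of deleted files) followed by fixed-size records, where version 5 (XP) records are 800 bytes: a 260-byte ANSI original path, record number, drive number (0 = A:, 2 = C:), FILETIME deletion time, physical size and a 520-byte UTF-16LE original path. The INFO2 file parsed here is constructed by build_sample_info2(), not taken from a real system.

```python
"""Parser for Recycle Bin INFO2 index files, i.e. what Rifiuti does.

Added example; not Rifiuti's code. Layout assumed: the Windows 2000/XP
INFO2 format as documented for Rifiuti (see the lead-in). The sample file
is constructed in build_sample_info2().
"""
import ntpath
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_FMT = "<IIIII"        # version, unknown, unknown, record size, total size
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 20
RECORD_TAIL_FMT = "<IIQI"    # record number, drive number, FILETIME, size
ANSI_PATH_LEN = 260
UNICODE_PATH_OFF = ANSI_PATH_LEN + struct.calcsize(RECORD_TAIL_FMT)  # 280


def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


def parse_info2(data):
    """Return one dict per record: original path, deletion time, size, name in bin."""
    version, _, _, record_size, _total = struct.unpack_from(HEADER_FMT, data, 0)
    if record_size < UNICODE_PATH_OFF:
        raise ValueError("record size %d too small for an INFO2 record" % record_size)
    records = []
    off = HEADER_SIZE
    while off + record_size <= len(data):   # a trailing partial record is ignored
        rec = data[off:off + record_size]
        ansi = rec[:ANSI_PATH_LEN].split(b"\x00", 1)[0].decode("latin-1")
        index, drive, ft, size = struct.unpack_from(RECORD_TAIL_FMT, rec, ANSI_PATH_LEN)
        path = ansi
        if record_size > UNICODE_PATH_OFF:   # version 5 records carry a Unicode path
            uni = rec[UNICODE_PATH_OFF:].decode("utf-16-le", "replace").split("\x00", 1)[0]
            if uni:
                path = uni
        # On XP the deleted file itself is renamed D<drive letter><record number><ext>
        bin_name = "D%s%d%s" % (chr(ord("a") + drive), index, ntpath.splitext(path)[1])
        records.append({
            "version": version,
            "index": index,
            "drive": chr(ord("A") + drive) + ":",
            "path": path,
            "deleted": filetime_to_datetime(ft),
            "size": size,
            "bin_name": bin_name,
        })
        off += record_size
    return records


def build_record(path, index, drive, deleted_at, size):
    """Construct one version-5 (800-byte) record."""
    ansi = path.encode("latin-1").ljust(ANSI_PATH_LEN, b"\x00")
    tail = struct.pack(RECORD_TAIL_FMT, index, drive, datetime_to_filetime(deleted_at), size)
    uni = path.encode("utf-16-le").ljust(520, b"\x00")
    return ansi + tail + uni


def build_sample_info2():
    """Constructed INFO2 with two deleted files on C: (not from a real system)."""
    recs = [
        build_record(r"C:\Documents and Settings\yao\Desktop\plan.doc", 1, 2,
                     datetime(2004, 3, 15, 10, 30, 0, tzinfo=timezone.utc), 24576),
        build_record(r"C:\temp\notes.txt", 2, 2,
                     datetime(2004, 3, 16, 8, 0, 0, tzinfo=timezone.utc), 1024),
    ]
    header = struct.pack(HEADER_FMT, 5, 0, 0, 800, 24576 + 1024)
    return header + b"".join(recs)


if __name__ == "__main__":
    for r in parse_info2(build_sample_info2()):
        print("%s  %s  %6d  %s -> %s" % (r["deleted"].isoformat(), r["drive"],
                                         r["size"], r["bin_name"], r["path"]))
```

On a mounted image the file lives under RECYCLER\<SID>\INFO2 (XP) and the bin_name column is what you match against the renamed files in that same directory; parse_info2(open(path, "rb").read()) is all that is needed.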

  10. Email files • LibPST is a library for parsing Outlook PST files. • readpst reads a PST file and produces one of several selectable output formats (mbox by default). • LibDBX parses Outlook Express DBX files. • readoe produces valid mbox files.

  11. Processing Windows Registry hives • Regviewer --- stable • Chntpw • Regedit • Kregedit --- unstable

  12. An up-and-coming forensic tool • FLAG is a very ambitious forensics utility originally created by the Australian Department of Defence. • PyFLAG is a complete rewrite of FLAG in the Python programming language. • It has a MySQL database back end, reconstructs TCP streams from imported capture files, and imports arbitrary log files.

  13. Conclusion • The current tools will continue to develop, and new tools will emerge. • As Linux continues to grow and mature as an operating system, the public demand for interoperability will grow along with it.
