Monday, December 24, 2012

Merry Xmas!

Merry Christmas, and Happy New Year for everyone!

Sorry I didn't have too much time for the blog this year, but hopefully next year will be more.

Also from next year I permanently switch the blog's language to English from Hungarian.

Saturday, December 22, 2012

Backtrack Forensics:

The tool can be reached from:

Forensics -> Forensic Analysis Tools is a Windows event file (*.evt) parser, it generates a text csv output from the event files. It's usage is very simple:

-e - specifiy to parse a file
-d - specify to parse a directory


./ -e /root/Desktop/events/SysEvent.Evt


Friday, December 21, 2012

Backtrack Forensic: hexedit

The tool can be reached from:

Forensics -> Digital Forensics

hexedit is a hexadecimal editor, as it names suggests. You can edit both files or entire drives with it, in exactly the same way. When you start it, it will have 3 different "columns": the location (starting from 00000000), then the hexadecimal values, and in the most right the ASCII values. You can switch with the TAB key between the hex and ASCII representation. Moving in the file can be done with the arrow keys.

There are a whole lot of hotkeys you can use for navigating and editing, which I don't want to cover here, you can find all in the official site, or in the manual of the application. Just a few common ones:

Ctrl-X: save and exit
Ctrl-C: exit without saving
Esc-W:  copy
Ctrl-Y: paste
Esc-Y:  paste into a file
/, Ctrl+S - search forward (in ASCII or in hexadecimal)

Running it:

hexedit filename
hexedit hexedit1.txt

hexedit device
hexedit /dev/sda

If we don't give a filename as an input, then it will ask for it.

--color : color mode
--maximize : maximize display


Tuesday, December 18, 2012

Tip: How to get the list of installed tools in Backtrack?

Here is the command to get the list of all tools, packages installed in Backtrack:

root@bt:~# dpkg --list

I created the list of tools in Backtrack 5 R3, and it's is available here:

Sunday, December 9, 2012

Backtrack Forensics: recoverjpeg & recovermov

recoverjpeg is a tool for recovering deleted jpeg files from a drive. It's very powerful, I managed to recover JPEG even after formatting and writing on the pendrive. It's pair is the recovermov tool, which can restore mov files.

The tools can be accessed from:

Forensics -> Forensic Carving Tools

or from the shell directly.


#locate the drive name:
fdisk -l

#recover jpegs:
recoverjpeg /dev/sdb

The tool has a few options, but works well with the defaults.


Thursday, December 6, 2012

Backtrack Forensics: Hashes

In Backtrack Forensic module we have 6 applications available to compute hashes:

md5deep - Compute and compare MD5 message digests
sha1deep - Compute and compare SHA-1 message digests
sha256deep - Compute and compare SHA-256 message digests
tigerdeep - Compute and compare Tiger message digests
whirlpooldeep - Compute and compare Whirlpool message digests

hashdeep - which is the combination of the above

All of these tools can calculate the given digest of a file, or of a directory, and recursively for all files in it, or even of an entire drive. The syntax is the same for all of the apps.

Examples for runs:

Calculate the hash for all files in the /root/assembly directory, and direct the output to md5hash.txt:

root@bt:~# md5deep -e -r /root/assembly/ > md5hash.txt

root@bt:~# cat md5hash.txt                                                
3d60d85d993892ac6a2005dcecb7de77  /root/assembly/Function3.s
9e0266c8fb62950d0dddb1ad261ce6f0  /root/assembly/Shell
5e9bf2d710fd3b57fa7c41ec2c41255c  /root/assembly/Shell.o

Check if "Shell.o" has a non-matching hash in the file:
root@bt:~# md5deep -x md5hash.txt /root/assembly/Shell.o

Check if "Shell.o" has a matching hash in the file:
root@bt:~# md5deep -m md5hash.txt /root/assembly/Shell.o

Check if files in "/root/assembly" directory has a non-matching hash in the file:
root@bt:~# md5deep -x md5hash.txt -r /root/assembly

Check if files in "/root/assembly" directory has a matching hash in the file:
root@bt:~# md5deep -m md5hash.txt -r /root/assembly