Sorry I didn't have too much time for the blog this year, but hopefully next year will be more.
Also from next year I permanently switch the blog's language to English from Hungarian.
Monday, December 24, 2012
Merry Xmas!
Merry Christmas, and Happy New Year for everyone!
Sorry I didn't have too much time for the blog this year, but hopefully next year will be more.
Also from next year I permanently switch the blog's language to English from Hungarian.
Sorry I didn't have too much time for the blog this year, but hopefully next year will be more.
Also from next year I permanently switch the blog's language to English from Hungarian.
Saturday, December 22, 2012
Backtrack Forensics: evtparse.pl
The tool can be reached from:
Forensics -> Forensic Analysis Tools
evtparse.pl is a Windows event file (*.evt) parser, it generates a text csv output from the event files. It's usage is very simple:
-e - specifiy to parse a file
-d - specify to parse a directory
Example:
./evtparse.pl -e /root/Desktop/events/SysEvent.Evt
Webpage: http://code.google.com/p/revealertoolkit/source/browse/trunk/tools/?r=90
Forensics -> Forensic Analysis Tools
evtparse.pl is a Windows event file (*.evt) parser, it generates a text csv output from the event files. It's usage is very simple:
-e - specifiy to parse a file
-d - specify to parse a directory
Example:
./evtparse.pl -e /root/Desktop/events/SysEvent.Evt
Webpage: http://code.google.com/p/revealertoolkit/source/browse/trunk/tools/?r=90
Friday, December 21, 2012
Backtrack Forensic: hexedit
The tool can be reached from:
Forensics -> Digital Forensics
hexedit is a hexadecimal editor, as it names suggests. You can edit both files or entire drives with it, in exactly the same way. When you start it, it will have 3 different "columns": the location (starting from 00000000), then the hexadecimal values, and in the most right the ASCII values. You can switch with the TAB key between the hex and ASCII representation. Moving in the file can be done with the arrow keys.
There are a whole lot of hotkeys you can use for navigating and editing, which I don't want to cover here, you can find all in the official site, or in the manual of the application. Just a few common ones:
Ctrl-X: save and exit
Ctrl-C: exit without saving
Esc-W: copy
Ctrl-Y: paste
Esc-Y: paste into a file
/, Ctrl+S - search forward (in ASCII or in hexadecimal)
Running it:
hexedit filename
hexedit hexedit1.txt
hexedit device
hexedit /dev/sda
If we don't give a filename as an input, then it will ask for it.
--color : color mode
--maximize : maximize display
Webpage: http://rigaux.org/hexedit.html
Forensics -> Digital Forensics
hexedit is a hexadecimal editor, as it names suggests. You can edit both files or entire drives with it, in exactly the same way. When you start it, it will have 3 different "columns": the location (starting from 00000000), then the hexadecimal values, and in the most right the ASCII values. You can switch with the TAB key between the hex and ASCII representation. Moving in the file can be done with the arrow keys.
There are a whole lot of hotkeys you can use for navigating and editing, which I don't want to cover here, you can find all in the official site, or in the manual of the application. Just a few common ones:
Ctrl-X: save and exit
Ctrl-C: exit without saving
Esc-W: copy
Ctrl-Y: paste
Esc-Y: paste into a file
/, Ctrl+S - search forward (in ASCII or in hexadecimal)
Running it:
hexedit filename
hexedit hexedit1.txt
hexedit device
hexedit /dev/sda
If we don't give a filename as an input, then it will ask for it.
--color : color mode
--maximize : maximize display
Webpage: http://rigaux.org/hexedit.html
Tuesday, December 18, 2012
Tip: How to get the list of installed tools in Backtrack?
Here is the command to get the list of all tools, packages installed in Backtrack:
root@bt:~# dpkg --list
I created the list of tools in Backtrack 5 R3, and it's is available here:
https://www.dropbox.com/s/gd4jwwkw2ttdgdr/bt5_r3_tools.txt
root@bt:~# dpkg --list
I created the list of tools in Backtrack 5 R3, and it's is available here:
https://www.dropbox.com/s/gd4jwwkw2ttdgdr/bt5_r3_tools.txt
Sunday, December 9, 2012
Backtrack Forensics: recoverjpeg & recovermov
recoverjpeg is a tool for recovering deleted jpeg files from a drive. It's very powerful, I managed to recover JPEG even after formatting and writing on the pendrive. It's pair is the recovermov tool, which can restore mov files.
The tools can be accessed from:
Forensics -> Forensic Carving Tools
or from the shell directly.
Usage:
#locate the drive name:
fdisk -l
#recover jpegs:
recoverjpeg /dev/sdb
Webpage: http://www.rfc1149.net/devel/recoverjpeg.html
The tools can be accessed from:
Forensics -> Forensic Carving Tools
or from the shell directly.
Usage:
#locate the drive name:
fdisk -l
#recover jpegs:
recoverjpeg /dev/sdb
The tool has a few options, but works well with the defaults.
Webpage: http://www.rfc1149.net/devel/recoverjpeg.html
Thursday, December 6, 2012
Backtrack Forensics: Hashes
In Backtrack Forensic module we have 6 applications available to compute hashes:
md5deep - Compute and compare MD5 message digests
sha1deep - Compute and compare SHA-1 message digests
sha256deep - Compute and compare SHA-256 message digests
tigerdeep - Compute and compare Tiger message digests
whirlpooldeep - Compute and compare Whirlpool message digests
hashdeep - which is the combination of the above
All of these tools can calculate the given digest of a file, or of a directory, and recursively for all files in it, or even of an entire drive. The syntax is the same for all of the apps.
Examples for runs:
Calculate the hash for all files in the /root/assembly directory, and direct the output to md5hash.txt:
root@bt:~# md5deep -e -r /root/assembly/ > md5hash.txt
root@bt:~# cat md5hash.txt
3d60d85d993892ac6a2005dcecb7de77 /root/assembly/Function3.s
9e0266c8fb62950d0dddb1ad261ce6f0 /root/assembly/Shell
5e9bf2d710fd3b57fa7c41ec2c41255c /root/assembly/Shell.o
Check if "Shell.o" has a non-matching hash in the file:
root@bt:~# md5deep -x md5hash.txt /root/assembly/Shell.o
Check if "Shell.o" has a matching hash in the file:
root@bt:~# md5deep -m md5hash.txt /root/assembly/Shell.o
/root/assembly/Shell.o
Check if files in "/root/assembly" directory has a non-matching hash in the file:
root@bt:~# md5deep -x md5hash.txt -r /root/assembly
Check if files in "/root/assembly" directory has a matching hash in the file:
root@bt:~# md5deep -m md5hash.txt -r /root/assembly
/root/assembly/Function3.s
/root/assembly/Shell
/root/assembly/Shell.o
Subscribe to:
Posts (Atom)