Episode 137 – OLF Prep

Posted by Tony on October 20, 2014 in Show-mp3, Show-ogg | ∞

Podcast: Play in new window

Subscribe: Apple Podcasts | RSS

http://smlr.us

Intro:

Tony Bemus, Mat Enders, and Mary Tomich
Sound bites by Mike Tanner

Kernel News: Mat

Time:

mainline:	3.17    	2014-10-05
stable: 	3.17.1  	2014-10-15
stable: 	3.16.6  	2014-10-15
longterm:	3.14.22  	2014-10-15
longterm:	3.12.30  	2014-10-08
longterm:	3.10.58  	2014-10-15
longterm:	3.4.104  	2014-09-25
longterm:	3.2.63  	2014-09-13
longterm:	2.6.32.63	2014-06-18
linux-next:	next-20141017	2014-10-17

Distro Talk: Tony

Time:

Distrowatch.com

10-06 – Untangle NG Firewall 11.0
10-07 – CAINE 6.0
10-07 – NetBSD 6.1.5, 6.0.6
10-09 – ROSA R4 “Desktop Fresh”
10-11 – VyOS 1.1.0
10-11 – 4MLinux 10.0
10-11 – BackBox Linux 4.0
10-11 – GALPon MiniNo 2014 “PicarOS”
10-12 – Lunar Linux 1.7.0
10-12 – Smoothwall Express 3.1
10-14 – Scientific Linux 7.0
10-14 – Red Hat Enterprise Linux 6.6
10-17 – IPFire 2.15 Core 84 http://planet.ipfire.org/post/two-new-features-for-the-ipfire-firewall
10-17 – SELKS 1.0

Distro of the Week: Tony

openSUSE – 1551
Debian – 1645
Lunar – 1816
Mageia – 1996
Mint – 2326

Mary Distro Review

Time:

The Vitals:
Name: CAINE (Computer Aided Investigative Environment
Maintainer: Nanni Bassetti
Distro Latest Birthday: 10/7/2014
Derivative: Ubuntu
Kernel: 3.13.0-36
Review Desktop: Gnome

Live Environment:

Caine boots to a Mate desktop environment. Several (10—Caine info, mixed scripts, root file manager, Firefox, keyboard changer, and some of the tools) icons are on the desktop, including an installer icon. Caine Linux is installed via Systemback.

Mate classic desktop environment I won’t go into a lot of detail about the stock Mate desktop—everyone knows it’s based on Gnome 2.

A single panel at the bottom. It contained several informative system tray icons. For example after connecting to wireless, my upload/download speed was always viewable. A right-click on the Blue-tooth allowed me to toggle it on and off, as well as perform other related tasks. Drive mounter icon is very slick—it’s “green” if the drive is mounted read-only. That is the default method for mounting devices. If you right-click the icon, you can toggle it to write-able. But be prepared for several warnings. After all, the whole idea of computer forensics is to not mess with the data and a write-able hard drive raises the risk.

Graphics:  ( i915)
Wireless:  (lib80211) No problem with the Broadcom chip. (Likely more the fact that it’s based on Ubuntu than anything else.)

The Defaults
Browser: Firefox
Office Suite: LibreOffice
Mail Client: Thunderbird
File Manager: Files, Caja

The Install Process:

Intalling Caine is mostly a breeze. There are only a few steps to complete after you click the installer icon on the desktop:
1. Supply new user/password information (and root’s password)
2. Partition setting (size it, create it)
3. Highlight it and determine mount point, file system (ext4), and whether you want to format it.
4. Same screen has grub2 bootloader option.

After you complete the partition setup, Systemback is configured such that one of its restore points is “Live Image”. Click Start and the install begins. What’s actually happening is Systemback is restoring a system image to your computer.

After the install concludes, the system continued to sit in live mode for a long time. Once I started the reboot process, it suddenly remembered what to do.

Installed Environment:

During install, I was not prompted for any keyboard localization, timezone, etc. So the system rebooted on Italian time. First reboot shows a cleaner desktop than the live environment. There are only three icons: computer, user’s home, and trash.

Menu contained forensic tools sub-menu:
Memory forensics (Inception, Volatility)
Database ( SQLite database browser, Sqliteman)
Mobile forensics (Blackberry and Idevice scripts; iPhone Backup analyzer)
Network forensics (Netdiscover; Wireshark, Zenmap, Zenmap as root)

Other interesting Programs:

Guymager is a fast, open-source, graphical tool for creating disk images. Guymager has support for raw dd images, as well as EO1, and AFF image formats. The latter two image formats are commonly used in the digital forensics community because they provide the ability to store metadata about the disk image. I tested this tool using a 2gb usb stick that had 1GB of data on it. Guymager successfully created an image of the contents and added a .info file with metadata about the drive.

Fmount – (Forensic Mount) a bash script to detect and/or mount allocated partitions as read-only. Fmount successfully mounted the image that I created Guymager. It was mounted in /media/evidence/evidence_vol10). The contents were as accessible to me as the original.

Autopsy is a digital forensics tool and graphical interface to the Sleuth Toolkit and other digital forensics tools. For this tool, I connected an external hard drive and added it to the case locker, then ran an analysis on it. Was able to open individual sectors, as well as blocks of sectors, and view the content…in ASCII, Hex, ASCII Strings. It was all very interesting and all done from the comfort of a browser.

Fred – Forensic Registry Editor cross platform Microsoft registry hive editor with special features useful during forensic analysis. The user interface resembles the regedit interface: two panels. Fred also has a hex viewer area at the bottom right. Anything that is stored in the registry is available to Fred. For example, What was last time that a user opened a .doc file, What was the last program a user ran using the Start->Run dialog.

Zenmap – basically nmap designed to make it easier to use for beginners.

Photorec – PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media’s file system has been severely damaged or reformatted. I ran it on an external hard drive (1TB in size). Before I stopped it, it had found 22 files, over half of which were mpg files. The recovered files are placed into a separate directory in your home directory. I was curious whether I could play the recovered files. I could, although several libraries had to be installed to support playback of the format.

The only thing that was a little confusing about Caine was the root user. It appeared that I was taking

Rating:

If you need to conduct a forensic examination, CAINE has the tools you need.