Deft v7
Transcript of Deft v7
![Page 1: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/1.jpg)
Deft v7: Computer Forensics
Tony Godfrey, Falconer Technologies
Ohio HTCIA – Salt Fork 2013
![Page 2: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/2.jpg)
Hello & Welcome
![Page 3: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/3.jpg)
Who?
Tony Godfrey is the CEO / Linux Consultant of Falconer Technologies. He founded his company
in 2003 and is now 100% focused on Linux.
Tony has written several articles on security administration, contributes to Linux forums and publications, has written technical content for Linux Administration, and did the technical review of a Mark
Sobell Linux book. He also teaches topics covering Linux, Securing Linux, Network/WAN
integration, Cisco routers, Cybercrime and System Forensics.
![Page 4: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/4.jpg)
![Page 5: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/5.jpg)
A “live” environment?
The term "live" derives from the fact that these "distros", or software distributions, each contain
a complete, functioning and operational operating system on the distribution medium.
A live distro does not alter the operating system or files already installed on the computer hard drive
unless instructed to do so. Live distros often include mechanisms and utilities for more
permanent installation, including disk partitioning tools.
![Page 6: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/6.jpg)
A “live” environment?
The default option, however, is to allow the user to return the computer to its previous state when the live distro is ejected and the computer is rebooted. It is able to run without permanent installation by placing the files that typically would be stored on
a hard drive into RAM, typically in a RAM disk. However, this does cut down on the RAM available to applications, reducing performance somewhat. Certain live distros run a graphical user interface
in as little as 32MB RAM.
![Page 7: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/7.jpg)
Linux “Distro”
A “distro” is a Linux distribution. This means someone has taken an existing platform and
custom tailored it to fulfill a unique need.
Debian is a core distribution (like Slackware or Gentoo). Ubuntu (ease of use) and Knoppix (the network administrator’s Swiss Army knife) are
off-shoots of Debian.
![Page 8: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/8.jpg)
So….what is Lubuntu?
The objective of the Lubuntu project is to create a variant of Ubuntu that is lighter, less resource
hungry and more energy-efficient by using lightweight applications and LXDE, The
Lightweight X11 Desktop Environment, as its default GUI.
This makes it perfect for Deft
![Page 9: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/9.jpg)
Are there other ones?
Deft: http://www.deftlinux.net/
Qubes-OS: http://www.qubes-os.org/trac
Pentoo: http://www.pentoo.ch/
Lightweight Portable Security: http://www.spi.dod.mil/lipose.htm
![Page 10: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/10.jpg)
Are there other ones?
CAINE: http://www.caine-live.net/
SMART: http://www.asrdata.com/forensic-software/smart-linux/
Paladin: http://sumuri.com/index.php/joomla/what-is-paladin-forensic-software
![Page 11: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/11.jpg)
SD Cards?
Secure Digital (SD) is a non-volatile memory card format developed by many manufacturers for use
in portable devices. Today it is widely used in digital cameras, handheld computers, Media
Players, mobile phones, GPS receivers, and video game consoles. Standard SD card capacities range
from 4 MB to 4 GB, and for high capacity SDHC cards from 4 GB to 32 GB as of 2008. The SDXC
(eXtended Capacity), a new specification announced at the 2009 CES, will allow for 2 TB
capacity cards.
![Page 13: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/13.jpg)
Which is better?
Memory card interfaces are rated about 15k-20k duty cycles (assume you remove and reinsert
once a day until it gives up the ghost, about 40 to 50 years). The USB interface is rated between
1-5k cycles (3-15 years).
![Page 14: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/14.jpg)
Welcome to Deft version 7
http://www.deftlinux.net/
![Page 15: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/15.jpg)
What does “deft” mean?
Dexterous, Nimble, Skillful, Clever
![Page 16: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/16.jpg)
Version 7….Version 8?
The Deft Team announced in February 2013 that Version 8 would be out within the next few months.
![Page 17: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/17.jpg)
Deft
![Page 18: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/18.jpg)
What is Deft?
The “DEFT team” is pleased to announce the release of the stable version of DEFT 7, the first
toolkit able to perform Computer Forensics, Mobile Forensics, Network Forensics, Incident
Response and Cyber Intelligence.
![Page 19: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/19.jpg)
What is in it?
A GNU/Linux based system optimized for Computer Forensics and Cyber Intelligence activities,
installable or able to run in live mode
DART (Digital Advanced Response Toolkit) is a graphical user interface that handles, in a safe
environment, the execution of “Incident Response” and Live Forensics tools.
![Page 20: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/20.jpg)
More stuff…
DEFT 7 is based on the new Kernel 3 (Linux side) and on DART (Digital Advanced Response Toolkit)
with the best freeware Windows Computer Forensic tools. It is a new concept of Computer
Forensic system that uses LXDE as its desktop environment, WINE to execute Windows tools
under Linux, and Mount Manager as the tool for device management.
![Page 21: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/21.jpg)
More stuff…
It is a very professional and stable system that includes excellent hardware detection and the best free and open source applications dedicated
to Incident Response, Cyber Intelligence and Computer Forensics.
DEFT is meant to be used by the Military, Police, Investigators, IT Auditors and Individuals
DEFT is 100% made in Italy
![Page 22: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/22.jpg)
What is in it?
Please take a look at the NOTES section of this slide
![Page 23: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/23.jpg)
An overview of the tools
Analysis tools: Autopsy forensics browser, Bulk extractor, Catfish, DFF, Emule Forensic, Findwild, Hex Editor, Outguess, Pasco, PTK, Readpst, Rifiuti2, SQLite database browser, Trid, Vinetto
Antimalware tools: Chkrootkit, Rkhunter, Virus Scanner
Carving tools: Foremost, Hb4most, Photorec, Scalpel, Test Disk
Hashing tools: Dhash 2, Md5deep, md5sum, Sha1deep, Sha1sum, Sha256deep, Sha256sum, Sha512sum
Imaging tools: Cylone, Dc3dd, Dcfldd, Ddrescue, Dd rescue, Dhash 2, Guymager
Mobile Forensics: Bbwhatsapp, BitPim, SQLite database browser
Network Forensics: Ettercap, Nmap, Wireshark, Xplico, Xprobe 2
OSINT tools: Creepy, Maltego
Password recovery: Cupp, Fcrackzip, Hydra, John the ripper, Pdfcrack
Reporting tools: Desktop recorder, KeepNote, Maltego CE, SciTE Text Editor
Disk Utility, File Manager, Midnight Commander, Mount ewf, MountManage, Wipe, Xmount
![Page 24: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/24.jpg)
Deft Linux Boot Screen
![Page 25: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/25.jpg)
Text Mode / GUI
![Page 26: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/26.jpg)
Linux Menu
![Page 27: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/27.jpg)
File Manager
![Page 28: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/28.jpg)
Forensics - BitPIM
![Page 29: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/29.jpg)
KeepNote
![Page 30: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/30.jpg)
Maltego
![Page 31: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/31.jpg)
Digital Forensics Framework
![Page 32: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/32.jpg)
iPhone Analyzer
![Page 33: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/33.jpg)
Hydra Password Cracker
![Page 34: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/34.jpg)
DART
![Page 35: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/35.jpg)
Let’s get started with an installation
Installation Time!
![Page 36: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/36.jpg)
Hold Up! Installation Type
There are different methods of installing it to a USB flashie, hard drive, or virtual environment
![Page 37: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/37.jpg)
Three Methods
#1: We can install Deft so it will either overwrite or dual-boot a hard drive.
#2: We can install Deft on a USB flashie using the Universal USB Installer.
#3: Installing VMware Player, installing Deft, and utilizing a virtual environment.
![Page 38: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/38.jpg)
Method #1
Directly to the hard drive
Go to “Install Slide A”
![Page 39: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/39.jpg)
Method #2
Universal USB Installer
Locate the Deft ISO file, put in a flashie (4 GB minimum) that can be overwritten, and run the Universal-USB-Installer-1.8.8.9 executable file. This normally takes 10-15 minutes to run.
Eject any Deft media and reboot your machine. Boot from the newly created Deft USB flashie.
![Page 40: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/40.jpg)
#2: Universal USB Installer
![Page 41: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/41.jpg)
Virtual Environment?
A virtual machine (VM) is a software implementation of a computing environment in which an operating system or program can be installed and run.
The virtual machine typically emulates a physical computing environment, but requests for CPU, memory, hard disk, network and other hardware resources are managed by a virtualization layer which translates these requests to the underlying physical hardware.
![Page 42: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/42.jpg)
Method #3
VMware Player
Install the VMware-player-3/4x executable file. Fire up VMware Player and create a new machine. Make sure you know where the Deft DVD or ISO file is. We will set up a 20 GB virtual partition and set the CD/DVD selection to “Legacy”.
Install Deft – See “Install Slide A”
![Page 43: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/43.jpg)
#3: VMware Player screen
![Page 44: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/44.jpg)
#3: Opening a V/M
![Page 45: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/45.jpg)
#3: Configuring the V/M
![Page 46: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/46.jpg)
#3: Deft in a V/M
![Page 47: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/47.jpg)
Install Slide A: It’s actually the next slide….
![Page 48: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/48.jpg)
Boot from the CD
![Page 49: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/49.jpg)
Installation language selection
![Page 50: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/50.jpg)
Checking hardware…
![Page 51: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/51.jpg)
Installation Welcome screen
![Page 52: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/52.jpg)
Preparing the installation
![Page 53: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/53.jpg)
Select the installation type
![Page 54: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/54.jpg)
Verifying the media
![Page 55: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/55.jpg)
Select the timezone
![Page 56: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/56.jpg)
Select the keyboard
![Page 57: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/57.jpg)
Select the keyboard layout
![Page 58: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/58.jpg)
Setting up a non-“root” user
![Page 59: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/59.jpg)
Starting the installation
![Page 60: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/60.jpg)
…wait, wait, wait…
![Page 61: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/61.jpg)
Installation is Complete!
![Page 62: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/62.jpg)
The GUI login screen
![Page 63: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/63.jpg)
Desktop
![Page 64: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/64.jpg)
Changing the “root” password
![Page 65: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/65.jpg)
Logout screen
![Page 66: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/66.jpg)
Let’s see if “root” can login
![Page 67: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/67.jpg)
Main menu
![Page 68: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/68.jpg)
Deft menu
![Page 69: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/69.jpg)
Lab #1: Spend some time reviewing the GUI and getting
comfortable with this environment.
![Page 70: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/70.jpg)
…continuing…
![Page 71: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/71.jpg)
Autopsy Forensic Browser
The Autopsy Forensic Browser is a graphical interface to the command line digital
investigation analysis tools in Deft. Together, they can analyze Windows and UNIX disks and
file systems (NTFS, FAT, UFS1/2, Ext2/3).
![Page 72: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/72.jpg)
Autopsy Forensic Browser
Deft and Autopsy are both Open Source and run on UNIX platforms (you can use Cygwin to run them
both on Windows). As Autopsy is HTML-based, you can connect to the Autopsy server from any
platform using an HTML browser. Autopsy provides a "File Manager"-like interface and
shows details about deleted data and file system structures.
![Page 73: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/73.jpg)
Analysis Mode: Dead
A dead analysis occurs when a dedicated analysis system is used to examine the data from a
suspect system. In this case, Autopsy and Deft are run in a trusted environment, typically in a
lab. Autopsy and TSK support raw, Expert Witness, and AFF file formats.
![Page 74: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/74.jpg)
Analysis Mode: Live
A live analysis occurs when the suspect system is being analyzed while it is running. In this case,
Autopsy and Deft are run from a CD in an untrusted environment. This is frequently used during incident response while the incident is
being confirmed. After it is confirmed, the system can be acquired and a dead analysis performed.
![Page 75: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/75.jpg)
Evidence Search Techniques
File Listing, File Content, Hash Databases, File Type Sorting, Timeline of File Activity, Keyword Search, Meta Data Analysis, Data Unit Analysis, Image Details
![Page 76: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/76.jpg)
Lab #2: Access the Autopsy Forensics Browser, then connect to the
suspect machine.
Let’s review these tools: File Listing, File Content, Hash Databases, File Type Sorting,
Timeline of File Activity, Keyword Search, Meta Data Analysis, Data Unit Analysis, & Image Details
![Page 77: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/77.jpg)
…continuing…
![Page 78: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/78.jpg)
What is a “rootkit”?
A rootkit is a program that runs on *nix-based OSes and allows a remote user to execute certain code or commands. There are many
different types of rootkits. Some mount themselves among legitimate daemons and "hide" themselves, often reporting results, output, or
data to a remote server.
![Page 79: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/79.jpg)
rkhunter
Rkhunter is much like a virus scanner for a Windows system. It has definitions to help identify rootkits and reports them. Just like
anything, rkhunter isn't 100%, but it weeds out the majority of rootkits. Upon running rkhunter,
various system files, conf files, and bin directories are examined.
![Page 80: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/80.jpg)
rkhunter
The results are cross-referenced against the results of infected systems (from the definitions) and the results are compiled. This is where *nix systems really shine. While your OS may vary, and how it's compiled or configured, the file system and configuration is basically the same. This allows programs like rkhunter to provide results with a fairly small window for error or false positive.
![Page 81: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/81.jpg)
Lab #3: Let’s fire up rkhunter!
![Page 82: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/82.jpg)
Go to TERMINAL
sudo rkhunter --update
This will update the database. Then you can add:
sudo rkhunter --check --createlogfile
This will activate the rootkit scan. Tip: don't walk off and just leave it to scan; you might be prompted to press [ENTER] a few times to enable it to finish.
![Page 83: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/83.jpg)
…continuing…
![Page 84: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/84.jpg)
What is Data Carving?
Data carving is the process of extracting a collection of data from a larger data set. Data carving techniques frequently occur during a digital investigation when the unallocated file system space is analyzed to extract files. The files are "carved" from the unallocated space
using file type specific header and footer values. File system structures are not used during the process. This is exactly how PhotoRec works.
![Page 85: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/85.jpg)
PhotoRec
The first step is to use PhotoRec; version 6.5-WIP (WIP = Work In Progress) is the one considered here. PhotoRec scans the image file for known
headers and successfully recognizes all JPEG, OLE/Office, HTML and ZIP headers.
There are no false positives.
![Page 86: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/86.jpg)
PhotoRec
The JPEG footer, used to determine the file size and validity of a recovered JPEG, is checked by
PhotoRec using libjpeg. ZIP footers are detected but the file integrity isn't checked. The OLE file format is very complex: its internals are similar to a file system, but PhotoRec is able to get the file size by
analyzing the FAT. After a UTF-8 to ASCII translation, PhotoRec calculates the index of
coincidence to determine if a sector holds text or random data.
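The text-or-noise test described above, as an added Python example that is not from the slides or from PhotoRec's own code: a sector is decoded as UTF-8, folded to ASCII, and its index of coincidence over the letters is compared with the values expected for English (about 0.066) and for uniformly distributed letters (about 0.038). The two sample sectors are constructed here, and the thresholds (an IoC of 0.045 and a 90% printable-character floor) are this example's own choices, not PhotoRec's.

```python
import unicodedata
from collections import Counter

LETTERS = set("abcdefghijklmnopqrstuvwxyz")


def utf8_to_ascii(sector: bytes) -> str:
    """Decode leniently and fold accented letters to their base letter ('café' -> 'cafe').
    Bytes that are not valid UTF-8 become U+FFFD and are dropped by the ASCII step."""
    decoded = sector.decode("utf-8", errors="replace")
    return unicodedata.normalize("NFKD", decoded).encode("ascii", "ignore").decode("ascii")


def index_of_coincidence(text: str) -> float:
    """Probability that two letters drawn without replacement are the same letter.
    English prose sits near 0.066; letters drawn uniformly sit near 1/26 = 0.038."""
    counts = Counter(c for c in text.lower() if c in LETTERS)
    n = sum(counts.values())
    if n < 2:
        return 0.0
    return sum(k * (k - 1) for k in counts.values()) / (n * (n - 1))


def printable_fraction(sector: bytes) -> float:
    """Share of decoded characters that are printable (or tab/newline); undecodable bytes count against it."""
    decoded = sector.decode("utf-8", errors="replace")
    if not decoded:
        return 0.0
    good = sum(1 for c in decoded if c != "\ufffd" and (c.isprintable() or c in "\n\r\t"))
    return good / len(decoded)


def looks_like_text(sector: bytes, min_ioc: float = 0.045, min_printable: float = 0.9) -> bool:
    """Two-stage decision (thresholds are this example's assumptions): mostly printable AND
    letter frequencies skewed like a natural language, not flat like compressed or encrypted data."""
    if printable_fraction(sector) < min_printable:
        return False
    return index_of_coincidence(utf8_to_ascii(sector)) >= min_ioc


# Constructed sample sectors, not data from the slides or from any real image.
TEXT_SECTOR = (
    "Meeting notes, Tuesday. The examiner imaged the laptop drive before\n"
    "powering it on, then verified the hash of the image against the\n"
    "value recorded on the evidence form. Two deleted photographs were\n"
    "recovered from unallocated space along with part of a spreadsheet.\n"
    "Lunch at the café near the office; the report is due on Friday.\n"
).encode("utf-8")

# Every byte value exactly twice: the flat byte distribution of random or compressed data,
# made deterministic so the result is reproducible.
UNIFORM_SECTOR = bytes(range(256)) * 2

if __name__ == "__main__":
    for name, sector in (("text", TEXT_SECTOR), ("uniform", UNIFORM_SECTOR)):
        ioc = index_of_coincidence(utf8_to_ascii(sector))
        print(f"{name:8s} printable={printable_fraction(sector):.2f} ioc={ioc:.4f} text={looks_like_text(sector)}")
```

The printable-fraction gate is what keeps the IoC from being fooled: a random sector still yields about a hundred letter bytes, so the IoC alone would be computed on a sample small enough to drift, whereas the share of undecodable and unprintable bytes in such a sector is unmistakable.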
![Page 87: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/87.jpg)
Scalpel
Scalpel is a fast file carver that reads a database of header and footer definitions and extracts
matching files or data fragments from a set of image files or raw device files. Scalpel is file
system-independent and will carve files from FAT, NTFS, ext2/3, HFS+, or raw partitions. It is useful
for both digital forensics investigation and file recovery.
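The header/footer carving that the "What is Data Carving?" slide and the Scalpel slide both describe, as an added Python example that is not code from the slides, from PhotoRec or from Scalpel: a small signature table in the spirit of a scalpel.conf entry (extension, header, footer, maximum size, bytes kept after the footer) is run over a byte buffer standing in for unallocated space, with no file system structures consulted. The sample image and the signature values are constructed here; the policy of carving max_size bytes when no footer is found within range is this example's choice, modelled on Scalpel's default behaviour.

```python
from pathlib import Path

# Signature table: (extension, header, footer, max_size, bytes_after_footer).
# The ZIP end-of-central-directory record is 22 bytes: 4-byte signature plus 18 more.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 2_000_000, 0),
    ("zip", b"PK\x03\x04", b"PK\x05\x06", 10_000_000, 18),
    ("pdf", b"%PDF", b"%%EOF", 5_000_000, 0),
]


def carve(image: bytes, signatures=SIGNATURES) -> list[tuple[str, int, bytes]]:
    """Return (extension, offset, data) for every header hit, ordered by offset.
    The footer is only searched within max_size bytes of the header; if none is
    found, max_size bytes are carved so a truncated file is still recovered."""
    hits = []
    for ext, header, footer, max_size, tail in signatures:
        pos = image.find(header)
        while pos != -1:
            limit = min(len(image), pos + max_size)
            fpos = image.find(footer, pos + len(header), limit)
            if fpos == -1:
                end = limit
            else:
                end = min(len(image), fpos + len(footer) + tail)
            hits.append((ext, pos, image[pos:end]))
            # Resume after the carved region so embedded copies of the header
            # (every local header inside a ZIP, for instance) are not re-carved.
            pos = image.find(header, end)
    return sorted(hits, key=lambda h: h[1])


def write_carved(hits, outdir) -> list[str]:
    """Write each hit as <offset>.<ext>, naming by offset the way Scalpel does."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    names = []
    for ext, offset, data in hits:
        name = f"{offset:08d}.{ext}"
        (outdir / name).write_bytes(data)
        names.append(name)
    return names


def build_sample_image() -> bytes:
    """Constructed stand-in for unallocated space: zero filler around a JPEG-shaped
    fragment, a deleted text file with no signature, and a ZIP-shaped fragment."""
    filler = b"\x00" * 64
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-data-" * 3 + b"\xff\xd9"
    zipf = b"PK\x03\x04" + b"local-header+data" + b"PK\x05\x06" + b"\x00" * 18
    text = b"some deleted notes.txt contents"
    return filler + jpeg + filler + text + filler + zipf + filler


if __name__ == "__main__":
    import tempfile

    hits = carve(build_sample_image())
    for ext, offset, data in hits:
        print(f"{ext} at offset {offset}, {len(data)} bytes")
    print(write_carved(hits, tempfile.mkdtemp(prefix="carve-")))
```

The text file in the sample is deliberately not recovered: plain text has no header or footer, which is why PhotoRec falls back to the statistical test on the previous slide for such sectors.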
![Page 88: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/88.jpg)
Scalpel
![Page 89: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/89.jpg)
Lab #4: Let’s fire up PhotoRec and Scalpel
![Page 90: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/90.jpg)
…continuing…
![Page 91: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/91.jpg)
Hashing
#1: To cut
#2: A technique for locating data in a file by applying a transformation, usually arithmetic, to
a key.
![Page 92: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/92.jpg)
md5deep
md5deep is a set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message
digests on an arbitrary number of files. md5deep is similar to the md5sum program found in the
GNU Coreutils package. The application’s features include recursive operation, comparison mode, time estimation, piecewise hashing, and
file type mode.
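The md5deep modes named above (recursive operation, comparison mode and piecewise hashing), and the "Hash Databases" technique from the Autopsy evidence-search slide, as an added Python example that is not md5deep's or Autopsy's own code: a directory tree is hashed recursively, the digests are matched against a set of known hashes in both the positive (-m, "list files that ARE known") and negative (-x, "list files that are NOT known") sense, and a single file is hashed block by block. The sample directory, its file contents and the known-hash set are constructed here.

```python
import hashlib
import tempfile
from pathlib import Path


def digest_bytes(data: bytes, algo: str = "sha256") -> str:
    return hashlib.new(algo, data).hexdigest()


def hash_file(path: Path, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    """Stream the file through the digest so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root: Path, algo: str = "sha256") -> dict[str, str]:
    """Recursive mode (md5deep -r): every regular file under root, keyed by its relative POSIX path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p, algo)
            for p in sorted(root.rglob("*")) if p.is_file()}


def piecewise_hashes(path: Path, block_size: int, algo: str = "sha256") -> list[tuple[int, str]]:
    """Piecewise mode (md5deep -p): one digest per fixed-size block, tagged with its offset,
    so a partly damaged copy can still be matched block by block against the original."""
    out, offset = [], 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            out.append((offset, hashlib.new(algo, block).hexdigest()))
            offset += len(block)
    return out


def match_known(tree: dict[str, str], known: set[str], negative: bool = False) -> set[str]:
    """Comparison mode. negative=False behaves like -m (files whose digest IS in the known set,
    e.g. a hash database of known-bad files); negative=True behaves like -x (files NOT in the
    set, e.g. everything not covered by a known-good database and therefore worth a look)."""
    return {path for path, digest in tree.items() if (digest in known) != negative}


def format_report(tree: dict[str, str]) -> str:
    """md5deep-style output: digest, two spaces, path, one file per line."""
    return "\n".join(f"{digest}  {path}" for path, digest in tree.items())


def build_sample_tree() -> Path:
    """Constructed sample directory (not evidence from the slides), used by the demo below."""
    root = Path(tempfile.mkdtemp(prefix="deft-hash-"))
    (root / "abc.txt").write_bytes(b"abc")
    (root / "empty.bin").write_bytes(b"")
    (root / "sub").mkdir()
    (root / "sub" / "notes.txt").write_bytes(b"hello")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    tree = hash_tree(root, "sha256")
    print(format_report(tree))
    known = {digest_bytes(b"abc", "sha256")}          # constructed one-entry "hash database"
    print("known   :", sorted(match_known(tree, known)))
    print("unknown :", sorted(match_known(tree, known, negative=True)))
    print("piecewise:", piecewise_hashes(root / "sub" / "notes.txt", 2, "md5"))
```

Hashing the tree with SHA-256 rather than MD5 is a deliberate choice for anything that has to stand as an integrity record; MD5 is kept in the example only because existing hash databases and the md5deep output format are still commonly MD5-based.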
![Page 93: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/93.jpg)
…continuing…
![Page 94: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/94.jpg)
guymager
A free forensic imager for media acquisition. Its main features are:
Easy user interface in different languages
Runs under Linux
Really fast, due to multi-threaded, pipelined design and multi-threaded data compression
Makes full usage of multi-processor machines
Generates flat (dd), EWF (E01) and AFF images, supports disk cloning
Free of charge, completely open source
![Page 95: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/95.jpg)
guymager
![Page 96: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/96.jpg)
guymager
![Page 97: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/97.jpg)
…continuing…
![Page 98: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/98.jpg)
BitPim
BitPim is a program that allows you to view and manipulate data on many CDMA phones from LG, Samsung, Sanyo and other manufacturers. This includes the PhoneBook, Calendar, WallPapers,
RingTones (functionality varies by phone) and the Filesystem for most Qualcomm CDMA chipset
based phones.
Available for Windows, Linux, or Mac
![Page 99: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/99.jpg)
BitPim – some features
![Page 100: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/100.jpg)
…continuing…
![Page 101: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/101.jpg)
Wireshark
Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively
browse the traffic running on a computer network. It is the de facto (and often de jure)
standard across many industries and educational institutions.
![Page 102: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/102.jpg)
Wireshark examples
Network administrators use it to troubleshoot network problems
Network security engineers use it to examine security problems
Developers use it to debug protocol implementations
People use it to learn network protocol internals
![Page 103: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/103.jpg)
…continuing…
![Page 104: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/104.jpg)
Maltego
Maltego is an open source intelligence and forensics application. It offers you timely
mining and gathering of information as well as the representation of this information in an easy-to-
understand format.
![Page 105: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/105.jpg)
Maltego
![Page 106: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/106.jpg)
John the Ripper
John the Ripper is free and Open Source software, distributed primarily in source code form. If you would rather use a commercial product tailored
for your specific operating system, please consider John the Ripper Pro, which is distributed primarily in the form of "native" packages for the target operating systems and in general is meant
to be easier to install and use while delivering optimal performance.
![Page 107: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/107.jpg)
John the Ripper
![Page 108: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/108.jpg)
Updating: John the Ripper
./john pwdumpfile --wordlist=wordlistfile --rules=rulesfile
(--rules takes the name of a rules section from john.conf rather than a file path.)
![Page 109: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/109.jpg)
Hydra
A fast network authentication cracker which supports many different services.
It uses a dictionary attack to test for weak or simple passwords on one or many remote hosts running a variety of different services such as TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3,
IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP, PostgreSQL, Teamspeak, Cisco auth, Cisco
enable, and Cisco AAA
![Page 110: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/110.jpg)
Hydra
![Page 111: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/111.jpg)
KeepNote
A simple but effective tool for saving and using notes for class, lab, meetings, papers, accounts, journals, and more as XML or HTML files. You can insert or attach images, spreadsheets, and other files, too. KeepNote offers a lot of flexibility, but it
leaves out bells and whistles like contact managers, task schedulers, and other
distractions from the job at hand. Its main job is to replace that stack of notebooks you're lugging
around.
![Page 112: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/112.jpg)
…so…
![Page 113: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/113.jpg)
In conclusion
We have touched on at least one tool in each major section of Deft. Please feel free to utilize many of
the others in an installed, live, or virtual environment.
![Page 114: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/114.jpg)
Questions?
![Page 115: Deft v7](https://reader038.fdocuments.us/reader038/viewer/2022103018/558e038c1a28ab6e6c8b46c4/html5/thumbnails/115.jpg)
‘As a computer, I find your faith in technology amusing.’