Digital Forensic: Analysis
The next article, I'll try to give a little tutorial how to analyze. certainly still part of the digital forensic. Download the file here
The first step is the analysis organization
create a folder
The following is a screenshot
Why 4444? because of that image can only be read only. Now that you have created an image file, you can restore images to another disk if you are interested in a "clone" of the original disk. In other words (blank) floppy
Because the normal mounting could not, I use a loopback
File Hash
next step mount your image to analisis
then we run the command to find all regular files in the file system mount point and run a hash of all files
Analysis
Searching Unallocated and Slack Space for Text
create a keyword list ($50,000) and save it in a folder evid with the name searchlist.txt
then following this command
Somewhat difficult to understand this article, I'll fix this post later,
The first step is the analysis organization
Analysis organization
root@bt:~# dd if=practical.floppy.dd of=/dev/fd0then output is
create a folder
root@bt:~# mkdir ~/evid
root@bt:~# mkdir /mnt/analisis
Creating a forensic image of the suspect disk
root@bt:~# cd evid
root@bt:~/evid # dd if=/dev/fd0 of=image.disk1 bs=512
root@bt:~/evid # chmod 444 image.disk1
The following is a screenshot
Why 4444? because of that image can only be read only. Now that you have created an image file, you can restore images to another disk if you are interested in a "clone" of the original disk. In other words (blank) floppy
root@bt:~/evid # dd if=image.disk1 of=/dev/fd0 bs=512
Mounting the image using the loopback device
Because the normal mounting could not, I use a loopback
root@bt:~/evid# mount -t vfat -o ro,noexec,loop image.disk1 /mnt/analisis/
File Hash
root@bt:~/evid # md5sum /dev/fd0
next step mount your image to analisis
root@bt:~# mount -t vfat -o ro,noexec,loop image.disk1 /mnt/analisis
root@bt:~# cd /mnt/analisis
then we run the command to find all regular files in the file system mount point and run a hash of all files
root@bt:/mnt/analisis # find . -type f -exec md5sum {} \; > ~/evid/md5.filelist
root@bt:/mnt/analisis # cat /root/evid/md5.filelist
or
root@bt:/mnt/analisis# md5sum *.*
next step
root@bt:/mnt/analisis# md5sum -c /root/evid/md5.filelist
Analysis
Type this command ls -al and this screenshoot
It will display all hidden files (a), provides a list in the old format to identify the permit, date, etc. (l). You can also use the-R option to list recursively through directories. You might want to pipe that through less.
Make a List of All Files
to make a list of all file, type command
root@bt:/mnt/analisis # ls -laiRtu > ~/evid/access_file.list
root@bt:/mnt/analisis # find . -type f > ~/evid/file.list.2
root@bt:/mnt/analisis# tree
if true then it will look like this
we try to look for files with exe extension
root@bt:/mnt/analisis# grep -i exe ~/evid/file.list.2
Making a List of File Types
The next step is to list the tipr file, follow the instructions below
root@bt:/mnt/analisis# find . -type f -exec file {} \; > ~/evid/filetype.list
root@bt:/mnt/analisis# cat ~/evid/filetype.list
The following command will search for "executable" string using the
grep command on the file / root / evid / filetype.list
grep command on the file / root / evid / filetype.list
root@bt:/mnt/analisis# grep executable ~/evid/filetype.list
Viewing Files
to view the file, can be used several kinds of commands, such as:
- cat filename
- more filename
- less filename
- strings filename | less
root@bt:/mnt/analisis# cat loveletter.virus
Searching Unallocated and Slack Space for Text
create a keyword list ($50,000) and save it in a folder evid with the name searchlist.txt
then following this command
root@bt:~/evid# grep -abif searchlist.txt image.disk1 > hits.txt
root@bt:~/evid# xxd -s 75500 image.disk1 | less
Somewhat difficult to understand this article, I'll fix this post later,
Comments
Post a Comment