GitBook: [master] 476 pages modified
This commit is contained in:
parent
bcbe8bc194
commit
6180340b7f
@ -424,7 +424,7 @@
* [Memory dump analysis](forensics/basic-forensic-methodology/memory-dump-analysis/README.md)
* [Volatility - CheatSheet](forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md)
* [Partitions/File Systems/Carving](forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md)
* [File/Data Carving Tools](forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md)
* [File/Data Carving & Recovery Tools](forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md)
* [NTFS](forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md)
* [Pcap Inspection](forensics/basic-forensic-methodology/pcap-inspection/README.md)
* [DNSCat pcap analysis](forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md)
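Review bot: the SUMMARY.md entry is renamed from file-data-carving-tools.md to file-data-carving-recovery-tools.md, and the page-refs in the carving README, the pcap README and the Windows events page are updated to match, but the old file is not shown as deleted anywhere in this diff; confirm it is removed or turned into a redirect, otherwise the stale page stays reachable by URL (and by the old `#bulk-extractor` anchor) while no longer being listed in navigation.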
@ -46,42 +46,7 @@ I want to do a special mention to the page:
## Pcap Inspection
When yo
**Linux/Unix**
En linux cualquier cosa es un archivo. Por ejemplo la RAM es un archivo llamado **/dev/mem**
**lsof** —> Open files belonging to any process
**lsof -i** 4 —> Todos los archivos relacionados con conexiones IPv4
**lsof -i 4 -a -p 1234** —> List all open IPV4 network files in use by the preocess 1234
**lsof /dev/hda3** lista todos los archivos abiertos en /dev/hda3
**lsof -t /u/ade/foo** encuentra el proceso que tiene /u/abe/foo abierto
**lsof +D /directory/path** Busca que procesos tienen abiertos dicho directorio y archivos de dicho directorio
**lsof -i :1-1024** Archivos que usan dichos puertos
**lsof -i udp** Archivos que usan UDP -uid 0
**lsof -p 3 - R** Muestra del proceso nº3 también su proceso padre
**date** —> Hora del ordenador actual
**uptime** —> Rebooted
**uname -a** —> System information
**ifconfig** —> Ver si esta en modo promiscuo
**ps -eaf** —> Procesos y servicios inusuales
**netstat -punta**
**lsof +L1** —> Muestra todos los archivos abiertos con un contador de link menor de 1. Esto es para los procesos que eliminan el archivo del que vienen pero siguen ejecutandose porque ya están en memoria. Es decir lista todos los procesos que tienen su archivo borrado.
**w who users** —> Info de usuarios
**find / -uid 0 -perm -4000 2>/dev/null** —> Sirve para encontrar todos los archivos que tienen de permiso la **s**
**find /directory -type f -mtime -1 -print** —> Encuentra todos los archivos dentro de ese directorio modificados hace menos de 1 día
**last** —> Último usuario loggeado
**df** —> Free space
**free** —> free y used physical y swap memory
Toda la info obtenida de la máquina infectada NO debe ser guardada en la máquina sino enviada a otra con **netcat**
{% page-ref page="pcap-inspection/" %}
## **Anti-Forensic Techniques**
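Review bot: this hunk deletes the entire Linux live-response block (the lsof, find, uptime, uname, netstat and last one-liners, the `lsof +L1` trick for spotting processes whose backing file has been unlinked, and the rule that nothing collected on the infected machine is stored there but sent to another host with netcat) without moving it to any other file in this commit, so the README loses its only live-triage guidance; either relocate the list to its own page and page-ref it, or translate it in place. The context line `When yo` also reads as a truncated sentence left dangling before the page-ref, and should be completed or removed.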
@ -89,25 +54,3 @@ Keep in mind the possible use of anti-forensic techniques:
{% page-ref page="anti-forensic-techniques.md" %}
\*\*\*\*
\*\*\*\*
\*\*\*\*
Borrado de datos: [https://github.com/Claudio-C/awesome-data-sanitization](https://github.com/Claudio-C/awesome-data-sanitization)
recuperacion de datos: [https://github.com/Claudio-C/awesome-datarecovery](https://github.com/Claudio-C/awesome-datarecovery)
##
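Review bot: dropping the three escaped `\*\*\*\*` markers and the empty `##` heading is the right cleanup, and neither link is lost: awesome-data-sanitization reappears under the new `## Secure Deletion` section of anti-forensic-techniques.md and awesome-datarecovery at the top of the new carving tools page, both in this same commit. The one thing to add is a commit message that says so; `476 pages modified` gives a future reader no hint that content was moved rather than removed.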
@ -72,6 +72,10 @@ A way to discover this would be to inspect the running processes and **review ea
These distros are **executed inside the RAM** memory. The only way to detect them is **in case the NTFS file-system is mounted with write permissions**. If it's mounted just with read permissions it won't be possible to detect the intrusion.
## Secure Deletion
[https://github.com/Claudio-C/awesome-data-sanitization](https://github.com/Claudio-C/awesome-data-sanitization)
## Windows Configuration
It's possible to disable several windows logging methods to make the forensics investigation much harder.
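Review bot: the new `## Secure Deletion` section is a bare URL with no explanation, which is out of step with the surrounding sections that each say what the technique is and how to detect it; add one sentence stating what the linked list contains (data-sanitization tools and standards) and what it means for the investigator: space overwritten by such tools yields nothing to the carving techniques on the sibling pages, so the traces of the wiping tool itself become the evidence. Note also that the partitions README in this same commit carries a `### Secure Deletion` heading of its own; a page-ref from one to the other would avoid two parallel sections drifting apart.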
@ -160,14 +160,14 @@ Note that this technique **doesn't work to retrieve fragmented files**. If a fil
There are several tools that you can use for file Carving indicating them the file-types you want search for
{% page-ref page="file-data-carving-tools.md" %}
{% page-ref page="file-data-carving-recovery-tools.md" %}
### Data Stream **C**arving
Data Stream Carving is similar to File Carving but i**nstead of looking for complete files, it looks for interesting fragments** of information.
For example, instead of looking for a complete file containing logged URLs, this technique will search for URLs.
{% page-ref page="file-data-carving-tools.md" %}
{% page-ref page="file-data-carving-recovery-tools.md" %}
### Secure Deletion
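Review bot: both page-refs follow the rename correctly, but the context lines around them carry markdown defects worth fixing in the same pass: `### Data Stream **C**arving` bolds a single letter, and `i**nstead of looking for complete files, it looks for interesting fragments**` opens the bold run mid-word, which will not render as intended; `indicating them the file-types you want search for` should read `telling them which file types to search for`. The two page-refs are also repeated verbatim under both File Carving and Data Stream Carving; one pair at the end of the section would do.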
@ -0,0 +1,75 @@
# File/Data Carving & Recovery Tools
## Carving & Recovery tools
More tools in [https://github.com/Claudio-C/awesome-datarecovery](https://github.com/Claudio-C/awesome-datarecovery)
### Autopsy
The most common tool used in forensics to extract files from images is [**Autopsy**](https://www.autopsy.com/download/). Download it, install it and make it ingest the file to find "hidden" files. Note that Autopsy is built to support disk images and other kind of images, but not simple files.
### Binwalk <a id="binwalk"></a>
**Binwalk** is a tool for searching binary files like images and audio files for embedded files and data.
It can be installed with `apt` however the [source](https://github.com/ReFirmLabs/binwalk) can be found on github.
**Useful commands**:
```bash
sudo apt install binwalk #Insllation
binwalk file #Displays the embedded data in the given file
binwalk -e file #Displays and extracts some files from the given file
binwalk --dd ".*" file #Displays and extracts all files from the given file
```
### Foremost
Another common tool to find hidden files is **foremost**. You can find the configuration file of foremost in `/etc/foremost.conf`. If you just want to search for some specific files uncomment them. If you don't uncomment anything foremost will search for it's default configured file types.
```bash
sudo apt-get install foremost
foremost -v -i file.img -o output
#Discovered files will appear inside the folder "output"
```
### **Scalpel**
**Scalpel** is another tool that can be use to find and extract **files embedded in a file**. In this case you will need to uncomment from the configuration file \(_/etc/scalpel/scalpel.conf_\) the file types you want it to extract.
```bash
sudo apt-get install scalpel
scalpel file.img -o output
```
### Bulk Extractor
This tool comes inside kali but you can find it here: [https://github.com/simsong/bulk\_extractor](https://github.com/simsong/bulk_extractor)
This tool can scan an image and will **extract pcaps** inside it, **network information\(URLs, domains, IPs, MACs, mails\)** and more **files**. You only have to do:
```text
bulk_extractor memory.img -o out_folder
```
Navigate through **all the information** that the tool has gathered \(passwords?\), **analyse** the **packets** \(read[ **Pcaps analysis**](../pcap-inspection/)\), search for **weird domains** \(domains related to **malware** or **non-existent**\).
### PhotoRec
You can find it in [https://www.cgsecurity.org/wiki/TestDisk\_Download](https://www.cgsecurity.org/wiki/TestDisk_Download)
It comes with GUI and CLI version. You can select the **file-types** you want PhotoRec to search for.
![](../../../.gitbook/assets/image%20%28524%29.png)
## Specific Data Carving Tools
### FindAES
Searches for AES keys by searching for their key schedules. Able to find 128. 192, and 256 bit keys, such as those used by TrueCrypt and BitLocker.
Download [here](https://sourceforge.net/projects/findaes/).
## Complementary tools
You can use [**viu** ](https://github.com/atanunq/viu)to see images form the terminal.
You can use the linux command line tool **pdftotext** to transform a pdf into text and read it.
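Review bot: the new page has several typos and an inconsistent fence to tidy before it ships: `#Insllation` should be `#Installation` in the binwalk block, `it's default configured file types` should be `its`, `can be use to find` should be `can be used`, `Able to find 128. 192, and 256 bit keys` should be `128, 192`, `see images form the terminal` should be `from`, and the bulk_extractor snippet is fenced as `text` while every other command block on the page is `bash`. Two content points as well: the Autopsy paragraph says it does not handle simple files, so add a clause pointing the reader at binwalk or foremost below for that case, and the `### Bulk Extractor` heading must keep exactly that text because the Windows events page in this commit links to it as `#bulk-extractor`.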
@ -79,7 +79,7 @@ ngrep -I packets.pcap "^GET" "port 80 and tcp and host 192.168 and dst host 192.
Using common carving techniques can be useful to extract files and information from the pcap:
{% page-ref page="../partitions-file-systems-carving/file-data-carving-tools.md" %}
{% page-ref page="../partitions-file-systems-carving/file-data-carving-recovery-tools.md" %}
## Check Exploits/Malware
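Review bot: the page-ref swap to `../partitions-file-systems-carving/file-data-carving-recovery-tools.md` matches the new file, but the sentence above it, `Using common carving techniques can be useful to extract files and information from the pcap`, sends the reader to a page of disk-oriented tools without saying which one applies to a capture; the new page itself says bulk_extractor extracts pcaps and network artefacts (URLs, domains, IPs, MACs), so naming it in this sentence saves a round trip. The two page-refs are also duplicated here as in the carving README; keep only the live one once the old file is gone.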
@ -446,7 +446,7 @@ The Status and sub status information of the event s can indicate more details a
### Recovering Windows Events
It's highly recommended to turn off the suspicious PC by **unplugging it** to maximize the probabilities of recovering the Windows Events. In case they were deleted, a tool that can be useful to try to recover them is [**Bulk\_extractor**](../partitions-file-systems-carving/file-data-carving-tools.md#bulk-extractor) indicating the **evtx** extension.
It's highly recommended to turn off the suspicious PC by **unplugging it** to maximize the probabilities of recovering the Windows Events. In case they were deleted, a tool that can be useful to try to recover them is [**Bulk\_extractor**](../partitions-file-systems-carving/file-data-carving-recovery-tools.md#bulk-extractor) indicating the **evtx** extension.
## Identifying Common Attacks with Windows Events
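Review bot: the updated link `file-data-carving-recovery-tools.md#bulk-extractor` matches the `### Bulk Extractor` heading in the new file, so the anchor will resolve; while this line is being touched, `maximize the probabilities of recovering` should read `probability`, and the blanket advice to unplug the machine deserves a qualifier, since it discards the volatile memory that the Memory dump analysis page listed in SUMMARY.md relies on: unplug to preserve deleted on-disk events, after RAM has been captured if memory analysis is also planned.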