RE: Windows forensics with Linux analysis machine

From: Reava, Jeffrey [IT/0200] (jeffrey.reavaat_private)
Date: Thu Aug 21 2003 - 08:25:59 PDT

  • Next message: Altheide, Cory B.: "RE: Windows forensics with Linux analysis machine"

    By full investigation do you mean internal use by HR to take action on
    employee misconduct, for IT to determine root cause, or for use in court?
    Does your reporting need to make sense to you, or to others? 
    
    Sleuthkit rocks, but you need the NSRL hash sets and/or custom-built hash
    sets in order to reduce the amount of sifting you need to do. md5deep is a
    good way to build your own hash sets if your target pool shares a common
    build with many unique files not included in the NSRL sets.
    
    How's your budget? In the 'free' category these are all good complements to
    SK:
    NSRL reference library (http://www.nsrl.nist.gov/index.html) to rule out
    known good OS files
    pasco (foundstone) for digging INDEX.DAT files
    readpst (http://sourceforge.net/projects/ol2mbox) convert Outlook/OE to MBOX
    foremost (http://foremost.sourceforge.net/) for recovering files from slack
    space, repartitioned drives, etc.
    ntreg (http://razor.bindview.com/tools/index.shtml) for registry analysis on
    Linux
    
    Foremost needs a bit of tuning to be useful; be prepared to use xxd, od,
    and/or other binary viewers to look inside different file types so that you
    can configure foremost with the right header/footer combos to look for.
    There are websites that provide many of these formats (www.wotsit.org) but
    you may have to roll your own in some cases.
    
    HTH,
    
    Jeff
    
    -----Original Message-----
    From: JJ [mailto:jjhorner@SAFe-mail.net]
    Sent: Wednesday, August 20, 2003 3:30 PM
    To: forensicsat_private
    Subject: Windows forensics with Linux analysis machine
    
    
    All,
    
    I'm looking for good tools that will allow me to do a full investigation of
    a Windows image using Linux. I'm looking at Autopsy and Sleuthkit now. Are
    there any other tools that will allow me to do the full investigation (view
    registry structures, undelete files, etc.) under Linux?
    
    Thanks,
    JJ
    
    ---------------------
    J. J. Horner
    CISSP, CCNA, CHSS, CHP
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
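The "known-good hash set" workflow Jeff describes (hash a clean build with md5deep, then drop every file on the suspect image whose hash is in the set) is simple enough to show end to end. The following is an added example written for this archive page, not code from either poster or from md5deep/NSRL; the "gold build" and "suspect image" are constructed in-memory file tables (path to contents) standing in for a real directory tree and a mounted image, and the hash-list format is the two-column `<md5>  <path>` layout md5deep prints. Against real directories, md5deep's own matching modes (`-m` to list files that match a hash file, `-x` to list those that do not) do the same job; the point of the script is to make the filtering logic visible.

```python
import hashlib
import re

# Constructed stand-in for a clean corporate build: path -> file contents.
# In practice this is the tree you would point md5deep at to produce the
# reference set, or the NSRL set for stock OS files.
GOLD_BUILD = {
    "/Windows/System32/kernel32.dll": b"KERNEL32-GOLD-CONTENTS",
    "/Windows/System32/notepad.exe": b"NOTEPAD-GOLD-CONTENTS",
    "/Program Files/Corp/agent.exe": b"CORP-AGENT-1.0",
}

# Constructed stand-in for the files found on the image under examination.
SUSPECT_IMAGE = {
    "/Windows/System32/kernel32.dll": b"KERNEL32-GOLD-CONTENTS",          # unchanged: filtered out
    "/Windows/System32/notepad.exe": b"NOTEPAD-GOLD-CONTENTS-PATCHED",    # same name, modified: flagged
    "/Users/jj/Desktop/copy.exe": b"CORP-AGENT-1.0",                      # renamed copy of a known file: filtered out
    "/Users/jj/Desktop/report.doc": b"USER-DOCUMENT",                     # not in any set: flagged
}

# One md5deep output line: 32 hex digits, whitespace, path.
HASH_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+(.+)$")


def md5_of(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5deep_lines(files: dict) -> str:
    """Emit md5deep-style output ('<md5>  <path>' per file) for a file table."""
    return "\n".join(f"{md5_of(data)}  {path}" for path, data in files.items())


def load_hash_set(text: str) -> set:
    """Parse md5deep-style lines into a set of lowercase hashes.

    Blank lines and anything that is not '<32 hex>  <path>' are ignored, so a
    file with a comment header or trailing newline loads cleanly."""
    hashes = set()
    for line in text.splitlines():
        match = HASH_LINE.match(line.strip())
        if match:
            hashes.add(match.group(1).lower())
    return hashes


def triage(files: dict, known_hashes: set) -> list:
    """Return (path, md5) for every file whose content hash is NOT known-good.

    Matching is on content, not on name: a renamed copy of a known binary
    drops out, while a known path with altered bytes stays on the list."""
    flagged = []
    for path, data in files.items():
        digest = md5_of(data)
        if digest not in known_hashes:
            flagged.append((path, digest))
    return flagged


if __name__ == "__main__":
    reference = md5deep_lines(GOLD_BUILD)
    known = load_hash_set(reference)
    print(f"loaded {len(known)} known-good hashes")
    for path, digest in triage(SUSPECT_IMAGE, known):
        print(f"REVIEW  {digest}  {path}")
```

Two cases in the constructed image are the ones worth noticing in a real run: the unchanged system DLL and the renamed copy of a corporate binary both disappear from the review list, while the modified notepad.exe survives even though its path is in the reference set. That is exactly the reduction in sifting the hash sets buy you, and also why a name-based allowlist is not a substitute for hashing.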

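Jeff's note that foremost "needs a bit of tuning" comes down to the header/footer/max-size triples it scans for, which is why he suggests looking at file samples in xxd or od before configuring it. The following is an added example written for this archive page, not foremost's code or its configuration file: a minimal header/footer carver over a constructed disk-image byte string that holds a fake JPEG, GIF and PDF plus a JPEG whose trailer has been overwritten. The signature table is an assumption in the spirit of a foremost.conf entry (type, header, footer, maximum size); the JPEG/GIF/PDF magic bytes are the well-known ones, but any real signature set should still be checked against samples in a hex viewer as the mail advises.

```python
# Constructed signature table: (type, header, footer, max_size in bytes).
# This mirrors what a foremost.conf line expresses; it is not foremost's own
# table, and the max sizes are arbitrary values chosen for the example.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 4 * 1024 * 1024),
    ("gif", b"GIF8", b"\x00;", 2 * 1024 * 1024),
    ("pdf", b"%PDF-", b"%%EOF", 8 * 1024 * 1024),
]


def carve(image: bytes, signatures=SIGNATURES) -> list:
    """Header/footer carving in the style of foremost.

    For every header occurrence, cut from the header up to and including the
    first footer found within max_size bytes. If no footer appears inside the
    window (trailer overwritten, file larger than max_size, or end of image),
    keep the whole window and mark the hit as incomplete so the analyst knows
    it needs a second look rather than silently losing it."""
    hits = []
    for name, header, footer, max_size in signatures:
        search_from = 0
        while True:
            offset = image.find(header, search_from)
            if offset < 0:
                break
            window = image[offset:offset + max_size]
            end = window.find(footer, len(header))
            if end < 0:
                data, complete = window, False
            else:
                data, complete = window[:end + len(footer)], True
            hits.append({
                "type": name,
                "offset": offset,
                "size": len(data),
                "complete": complete,
                "data": data,
            })
            # Resume just past this header so a second header inside the
            # window (e.g. an embedded thumbnail) is still carved separately.
            search_from = offset + len(header)
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_image():
    """Constructed image: filler, then three intact files and one truncated JPEG."""
    jpg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF" + bytes(range(64)) + b"\xff\xd9"
    gif = b"GIF89a" + b"\x10\x00\x10\x00" + b"\x07" * 40 + b"\x00;"
    pdf = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n" + b"x" * 100 + b"\n%%EOF"
    truncated_jpg = b"\xff\xd8\xff\xe1" + b"\x55" * 30   # header present, footer overwritten
    filler = b"\x00" * 128                                # unallocated, zeroed sectors
    image = filler + jpg + filler + gif + filler + pdf + filler + truncated_jpg
    return image, {"jpg": jpg, "gif": gif, "pdf": pdf, "truncated_jpg": truncated_jpg}


if __name__ == "__main__":
    image, originals = build_sample_image()
    for hit in carve(image):
        status = "ok" if hit["complete"] else "NO FOOTER"
        print(f"{hit['type']}  offset={hit['offset']}  size={hit['size']}  {status}")
```

Running it shows the three intact files recovered byte-for-byte and the fourth JPEG reported without a footer. Shrinking a signature's max_size (the test below sets the JPEG limit to 20 bytes) reproduces the other common tuning failure: the carver stops early and hands back a truncated file, which is the symptom to look for when a tool's defaults do not match the files on your image.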


    This archive was generated by hypermail 2b30 : Fri Aug 22 2003 - 17:56:08 PDT