岁月联盟 - Technical Community - BBS.SYUE.COM's Archiver

淡淡的味道 posted on 2007-7-6 09:20

Forensic CDs

Source: [url]http://www.unixreview.com/documents/s=9920/ur0511m/ur0511m.html[/url]
Author: Kristy Westphal


Last month, I wrote about Auditor, a comprehensive bootable CD for pentesters. After I wrote that column, I started to think about the many forensic CDs that I have used in the past and how handy they were when I needed them. So, I decided to highlight some of those tools as well (and then I promise to get off the topic of bootable CDs for a while!).



What is the difference between a tool like Auditor and some of the tools that I am talking about now? The difference is the focus. Auditor wants to be everything that you’d need in the case of a wide-ranging penetration test, and it does a good job of that. The three tools I'll cover this month (FIRE, INSERT, and Penguin Sleuth Kit) are in-depth tools necessary when you need to do a forensic examination of computer equipment that requires a little bit of everything.



For instance, I have been able to acquire some very nice commercial tools in my current job, including a fancy hard drive write blocker. It works very well for many types of drives (SCSI and IDE), but one case I had to investigate had an older type of IDE drive that the write blocker didn’t work with. Thus, I needed an alternate means to image the drive.



I turned to some of the forensic CDs in this article to accommodate that need. The reason I tried more than one was because of the level of hardware that the CD could autoconfigure. Some of the newer ones have a tough time with older hardware, and vice versa. You will find that many of the CDs available work well on certain types of hardware, and some work better on others. The key is to keep trying until you find the one that works. (And yes, this is still easier than trying to build your own custom one that recognizes everything.)



A CD on FIRE



FIRE (Forensic and Incident Response Environment Bootable CD), created by William Salusky, is the first bootable CD that I ever heard of. While no development has been done on it for some time, it is still very handy to have around. The only issue is that you might have problems running it on newer hardware.



Highlights of this CD include the numerous tools that it has available. It provides mount capability for Firewire and USB devices, the specs for MS FAT and iso9660 file systems, and the Open Source Security Testing Module (all of which are very handy during analysis), Nessus, Netware tools (Pandora), and various assorted sniffers. FIRE really set the precedent for bootable forensic CDs and is still extremely useful to keep in your toolkit.



INSERT CD here…



INSERT is a bootable Linux CD (currently Linux kernel 2.6.11.6 and Knoppix 3.9) with another set of useful security tools available. It is developed by Inside Security IT GmbH. INSERT is not as heavy on the Forensic tools as some of the others available; however, it has some excellent hardware adaptability capabilities that have helped me tremendously. For instance, I had to try several different CDs before I found one that configured the NIC without any issues on that hard drive I mentioned earlier. INSERT was the tool that worked in that case.



INSERT also boasts an impressively long line of supported file systems: EXT2, EXT3, MINIX, REISERFS, JFS, XFS, NTFS, FAT, MSDOS, NFS, SMBFS, CIFS, NCPFS, UDF, AFS, EFS, HFS, HFS+, HPFS, SHFS, UFS, UNIONFS. So, if you are looking for something that can help to mount an unusual (or not so unusual) file system, INSERT is for you.



Furthermore, INSERT also includes the Clam Anti-virus package, which is handy for scanning a hard drive before analyzing it.



The Penguin Sleuth Kit



The Penguin Sleuth Kit, developed by Ernest Baca, was new to me when I began researching on this topic. It’s built on a Knoppix "re-master" and has many useful functions. This CD has a long list of tools available, including the standard Sleuthkit and autopsy, wipe, Snort, and chkrootkit. It also has some goodies that I was not familiar with, including fenris, foremost, and dcfldd, which is an enhanced dd imager with built-in hashing. So naturally, I had to try these for myself!



Fenris is labeled as a "multi-purpose tracer", which translates into an executable binary analysis tool written by Michal Zalewski. This is really handy in those forensic investigations when you come across unknown binaries and need to have a closer peek. This tool is focused on C programs and examines the guts of the binary versus all that the binary accesses when executed (à la ltrace or other library tracing utility). Just keep in mind that when you use fenris, it is giving you lots of info on your binary, but it's also executing it live (so please remember to execute your binaries in an isolated environment).



Foremost is a handy tool originally developed in the U.S. Air Force to recover files based on their headers, footers, and data structures. I smacked myself in the head when I started playing around with this tool, namely because I could have used it in a recent investigation. It will search most common types of hard drive images for certain types of files, and its list of file types is extensive.
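To make concrete what a header/footer carver such as foremost does, here is an added example (not code from the article or from the foremost project) that scans a constructed disk-image byte string for JPEG and PDF signatures, carves each file out, and records a SHA-256 of the carved data the way a hashing imager like dcfldd would. The signature table and the sample image are assumptions built for this illustration; a header with no footer inside the size window is skipped rather than carved.

```python
import hashlib
from dataclasses import dataclass

# Assumed signature table: kind -> (header bytes, footer bytes, max carve size).
# Real carvers ship much larger tables; these two are enough to show the method.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
}


@dataclass
class Carved:
    kind: str
    offset: int      # byte offset of the header inside the image
    data: bytes      # the carved file, header through footer inclusive
    sha256: str      # hash recorded at carve time for later integrity checks


def carve(image: bytes, sigs=SIGNATURES):
    """Return every header..footer span found in `image`, sorted by offset."""
    found = []
    for kind, (header, footer, max_size) in sigs.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            # Only look for the footer inside the configured size window.
            window_end = min(len(image), start + max_size)
            fend = image.find(footer, start + len(header), window_end)
            if fend < 0:
                # Header without a matching footer: treat as a false hit and move on.
                pos = start + 1
                continue
            end = fend + len(footer)
            data = image[start:end]
            found.append(Carved(kind, start, data, hashlib.sha256(data).hexdigest()))
            pos = end
    found.sort(key=lambda c: c.offset)
    return found


def build_sample_image() -> bytes:
    """Constructed image: filler, a tiny JPEG, filler, a tiny PDF, a stray JPEG header."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-payload" + b"\xff\xd9"   # 18 bytes
    pdf = b"%PDF-1.4\nhello\n%%EOF"                              # 20 bytes
    return b"\x00" * 512 + jpg + b"\x00" * 300 + pdf + b"\x00" * 100 + b"\xff\xd8\xff" + b"\x00" * 50
```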



By no means did I cover all of the available bootable forensic CDs available today. There are many, and I am sure that they are just as useful as the ones mentioned here. I encourage you to try some yourself and see what works for you. The thought I like to keep in mind is: someone out there somewhere has had this same problem, and I bet there is a fix for it!
