---
tags: forensics-tutorials
---

# File system analysis

:::info
**In this short demo you will:**
- xxxxxx
- Requirements: **SANS Investigative Forensics Toolkit (SIFT): autopsy and foremost**
:::

SIFT is a computer forensics distribution created by the SANS Forensics team for performing digital forensics. The distro includes most of the tools required for digital forensics analysis and incident response examinations. SIFT is open source and freely available on the internet.

In today's digital world, where crimes are committed every day using digital technology, attackers are becoming more and more stealthy and sophisticated. This can cause companies to lose important data, with millions of users exposed. Protecting your organization from these attacks requires strong forensic techniques and knowledge in your defense strategy. SIFT provides forensic tools for file system, memory and network investigations to perform in-depth forensic investigations.

In 2007, SIFT was available for download and was hard coded, so whenever an update arrived, users had to download the newer version. With further innovation in 2014, SIFT became available as a robust package on Ubuntu and can now be downloaded as a workstation. Later, in 2017, a version of SIFT came to market allowing greater functionality and providing users the ability to leverage data from other sources. This newer version contains more than 200 tools from third parties and a package manager that lets users install a package with a single command. This version is more stable, more efficient, and provides better functionality in terms of memory analysis. SIFT is scriptable, meaning that users can combine certain commands to make it work according to their needs.

SIFT can run on any system running Ubuntu or Windows OS. SIFT supports various evidence formats, including AFF, E01, and raw format (DD). Memory forensics images are also compatible with SIFT.
For file systems, SIFT supports ext2 and ext3 for Linux, HFS for Mac, and FAT, VFAT, MS-DOS, and NTFS for Windows.

## Installation

For the workstation to work smoothly, you must have good RAM, a good CPU, and plenty of hard drive space (15GB is recommended). There are two ways to install SIFT:

### VMware/VirtualBox

To install the SIFT workstation as a virtual machine on VMware or VirtualBox, download the .ova file from the following page: https://digital-forensics.sans.org/community/downloads

Then, import the file in VirtualBox by clicking the Import option. After installation has completed, use the following credentials to log in:

```
Login = sansforensics
Password = forensics
```

### Ubuntu

You can also install the SIFT workstation on your Ubuntu system. Please refer to the Internet.

### Tools

The SIFT workstation is equipped with numerous tools used for in-depth forensics and incident response examination. These tools include the following:

#### Autopsy (file system analysis tool)

Autopsy is a tool utilized by the military, law enforcement, and other agencies when there is a forensic need. Autopsy is basically a GUI for the very famous Sleuth Kit. The Sleuth Kit takes only command line instructions; Autopsy makes the same process easy and user-friendly.
On typing the following:

```
ubuntu@ubuntu:~$ autopsy
```

a screen like the following will appear:

```
===============================================
Autopsy Forensic Browser
http://www.sleuthkit.org/autopsy/
ver 2.24
===============================================
Evidence Locker: /var/lib/autopsy
Start Time: Wed Jun 17 00:42:46 2020
Remote Host: localhost
Local Port: 9999

Open an HTML browser on the remote host and paste this URL in it:

http://localhost:9999/autopsy
```

On navigating to http://localhost:9999/autopsy in any web browser, you will see the page below:

![](https://i.imgur.com/BvFRTvR.jpg)

The first thing you have to do is create a case, give it a case number, and write the investigators' names to organize the information and evidence. After entering the information and hitting the Next button, you will see the page shown below:

![](https://i.imgur.com/ngRR3kq.jpg)

This screen shows what you wrote as the case number and case information. This information is stored in the directory /var/lib/autopsy/<caseNumber>.

On clicking Add host, you will see the following screen, where you can add the host information, such as name, time zone, and host description.

![](https://i.imgur.com/YlqRd4N.jpg)

Clicking Next will take you to a page requiring you to provide an image. E01 (Expert Witness Format), AFF (Advanced Forensics Format), DD (raw format), and memory forensics images are compatible. Provide an image and let Autopsy do its work.

![](https://i.imgur.com/zuwAONk.jpg)

#### foremost (file carving tool)

foremost recovers lost files by carving them out of an image based on their internal data structures (known headers and footers) rather than file system metadata. The tool accepts input in different image formats, such as those generated using dd, EnCase, etc.
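The carving foremost performs is a header/footer scan over raw bytes. The following added example (my own code, not foremost's or the page's) implements that scan in Python for two constructed signatures and runs it over a constructed raw image that also contains a truncated file, so the no-footer case is handled:

```python
import hashlib

# Header/footer signatures for two common types, the same principle foremost.conf
# entries encode (constructed for this example, not foremost's own table).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_SIZE = 1024 * 1024  # stop looking for a footer this many bytes past a header


def carve(image: bytes, signatures=SIGNATURES, max_size=MAX_SIZE):
    """Find every known header in a raw image and cut out the bytes up to the
    matching footer, ignoring file-system metadata entirely (as foremost does)."""
    found = []
    for ext, (header, footer) in signatures.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                # header with no footer in range (truncated/overwritten file):
                # skip it and keep scanning from the next byte
                start = image.find(header, start + 1)
                continue
            end += len(footer)
            data = image[start:end]
            found.append({"ext": ext, "offset": start, "size": len(data),
                          "md5": hashlib.md5(data).hexdigest(), "data": data})
            start = image.find(header, end)
    return sorted(found, key=lambda f: f["offset"])


def build_sample_image() -> bytes:
    """Constructed raw 'disk image': filler, a minimal JPEG-like blob, more
    filler, a PNG-like blob, then a JPEG header whose footer never arrives."""
    jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 20 + b"\xff\xd9"          # 26 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"IEND\xaeB`\x82"   # 32 bytes
    return (b"\x00" * 512 + jpg + b"\x00" * 300 + png
            + b"\x00" * 100 + b"\xff\xd8\xff\xe1" + b"\x00" * 50)


if __name__ == "__main__":
    # one audit line per carved file: offset, size, type, hash of the carved bytes
    for f in carve(build_sample_image()):
        print(f"{f['offset']:>10d}  {f['size']:>8d}  {f['ext']}  {f['md5']}")
```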
Explore this tool's options using the following command:

```
ubuntu@ubuntu:~$ foremost -h
-d  - turn on indirect block detection (for UNIX file-systems)
-i  - specify input file (default is stdin)
-a  - Write all headers, perform no error detection (corrupted files)
-w  - Only write the audit file, do not write any detected files to the disk
-o  - set output directory (defaults to output)
-c  - set configuration file to use (defaults to foremost.conf)
-q  - enables quick mode.
```

#### binwalk

binwalk is used to analyze binary files. This tool is a major asset to those who know how to use it. binwalk is considered the best tool available for **reverse engineering and extracting firmware images**. binwalk is easy to use and has enormous capabilities.

#### Volatility (memory analysis tool)

Volatility is a popular memory analysis forensic tool used to inspect volatile memory dumps and to help users retrieve important data that was in RAM at the time of the incident. This may include files that were modified or processes that were running. In some cases, browser history can also be found using Volatility.

If you have a memory dump and want to know its operating system, use the following command:

```
~$ vol.py imageinfo -f <memoryDumpLocation>
```

The output of this command suggests a profile. When using other commands, you must pass this profile as a parameter.

To obtain the correct KDBG address, use the kdbgscan command, which scans for KDBG header signatures linked to Volatility profiles and applies sanity checks to reduce false positives. The verbosity of the output and the number of sanity checks that can be performed depend on whether Volatility can find a DTB. So, if you know the right profile, or if you have a profile suggestion from imageinfo, be sure to use the correct profile.
We can use the profile with the following command:

```
~$ vol.py --profile=<profileName> kdbgscan -f <memoryDumpLocation>
```

To scan for Kernel Processor Control Region (KPCR) structures, use kpcrscan. On a multiprocessor system, each processor has its own KPCR. Enter the following command to use kpcrscan:

```
~$ vol.py --profile=<profileName> kpcrscan -f <memoryDumpLocation>
```

To scan for malware and rootkits, use psscan. This plugin scans for hidden processes, such as those unlinked by rootkits. We can use it by entering the following command:

```
~$ vol.py --profile=<profileName> psscan -f <memoryDumpLocation>
```

#### Hashdeep or md5deep (hashing tools)

It is rarely possible for two files to have the same MD5 hash, but it is impossible for a file to be modified while its MD5 hash remains the same. This is what guarantees the integrity of the files or the evidence. Given only a duplicate of a drive, anyone could question its trustworthiness and argue that the drive was planted deliberately. To prove that the drive under consideration is the original, you can use hashing, which gives the drive a hash value. If even a single piece of information changes, the hash changes, so you can tell whether the drive is the original or a duplicate. To assure the integrity of the drive so that nobody can question it, image the disk and generate an MD5 hash of the drive.

You can use md5sum for one or two files, but when it comes to multiple files in multiple directories, md5deep is the best available option for generating hashes. This tool can also compare multiple hashes at once.

#### ExifTool

There are many tools available for tagging and viewing images one by one, but when you have many images to analyze (in the thousands), ExifTool is the go-to choice. ExifTool is an open-source tool used for viewing, changing, manipulating, and extracting an image's metadata with just a few commands.
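As an added example for the Hashdeep/md5deep section above (my own code, not the page's and not md5deep's), the following Python reproduces the two steps that section describes: recursively hashing an evidence tree into a baseline list, then re-hashing later and comparing against that list to show exactly what was modified, removed or added. The tree it hashes is constructed in a temporary directory so it runs offline:

```python
import hashlib
import tempfile
from pathlib import Path


def md5_file(path, chunk=1 << 20) -> str:
    """Hash a file in chunks so multi-gigabyte evidence never has to fit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root) -> dict:
    """MD5 of every file under root, keyed by relative path (what md5deep -r lists)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): md5_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Report what changed since the baseline hash list was taken; md5deep's
    matching modes answer the same question against a stored hash list."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed evidence tree: hash it, tamper with it, re-hash and diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_bytes(b"hello")
        (root / "image.bin").write_bytes(b"\x00" * 4096)
        baseline = hash_tree(root)            # the list you would store with the copy
        (root / "docs" / "report.txt").write_bytes(b"hellO")   # one byte altered
        (root / "image.bin").unlink()                           # a file removed
        (root / "extra.txt").write_bytes(b"planted")            # a file added
        return baseline, compare(baseline, hash_tree(root))


if __name__ == "__main__":
    baseline, report = demo()
    for path, digest in baseline.items():
        print(f"{digest}  {path}")
    print(report)
```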
Metadata provides additional information about an item; for an image, its metadata includes its resolution, when it was taken or created, and the camera or program used to create the picture. ExifTool can not only modify and manipulate the metadata of an image file, but can also write additional information to any file's metadata.

To examine the metadata of a picture in raw format, use the following command:

**Source:** https://linuxhint.com/sans_investigative_forensics_toolkit/