For this tutorial I decided to take the digital forensics tools in BackTrack for a test drive. I will be retrieving and analyzing data from a specific user's hard drive and searching the media for artifacts such as browser history, images and e-mail. To accomplish this I'll be using tools like vinetto and pasco. I won't be using Autopsy in this tutorial, as I think it has been well documented on plenty of other sites; nevertheless it is one of the best open source forensics tools included in the BackTrack distribution.
Most people today use some type of electronic device: cell phones, GPS units, PDAs, laptops, PCs and so on. Most of these devices leave behind artifacts, or footprints, that can provide a wealth of information about how the device was used. Digital forensics is the discipline of retrieving such artifacts, for example e-mail messages or the internet browser cache, from the media so that they can be analyzed and processed. Computer forensics is an emerging discipline that has exploded in popularity in recent years. It is an interesting field, and a lot of IT security professionals are trying to learn more about it. Large numbers of companies are starting to turn to computer forensics tools because of their capabilities. Some of the forensics packages released by the leading vendors can be quite expensive; a single license for some forensics software can cost as much as $4000. Distributions such as Helix and BackTrack, along with other open source tools, allow individuals with limited resources to perform acquisitions and forensic analysis.
The backtrack forensics tools are divided into three categories:
1- Image Acquiring
2- File Carving
3- Forensics Analysis.
Image Acquiring: these tools allow you to acquire a bit-by-bit image of the drive.
File Carving: these assist the investigator with the file recovery process.
Forensics Analysis: these allow you to search the media for items such as e-mail messages, browser history and thumbnails.
The tools and commands used for this demo:
1- Extracting images with vinetto:
Vinetto parses the Thumbs.db database file. When a Windows user selects the thumbnail view in Explorer, a small database file called Thumbs.db is written into the folder to cache scaled-down copies of the pictures and speed up viewing. The cached thumbnails remain in Thumbs.db even after the original pictures have been deleted, which is what makes the file interesting to an investigator. Windows Vista changed this: thumbnails are cached centrally in thumbcache_*.db files under the user's profile instead of a per-folder Thumbs.db, and the vinetto release shipped in BackTrack only understands the Thumbs.db format.
find /mnt/hda -iname Thumbs.db   # search the mounted drive for Thumbs.db files (-iname because Windows file names are case-insensitive)
vinetto -s -o /mnt/win/share/forensic "/mnt/hda/Documents and Settings/baduser/My Documents/pics/Thumbs.db"   # extract the thumbnails to the network share
2- Acquiring user’s browsing history with pasco:
Pasco is a forensic tool for reading the index.dat files created by Internet Explorer, which record the user's browsing history, cache and cookies. Other browsers such as Firefox and Safari don't use index.dat files. A user's index.dat files leave a trace of their browsing history even after the visible history has been cleared from the browser.
find /mnt/hda -iname index.dat   # locate the index.dat files (there is normally one each for history, cache and cookies)
pasco "/mnt/hda/Documents and Settings/baduser/Local Settings/History/History.IE5/index.dat" > /mnt/win/share/forensic/browserhistory.txt   # write the parsed history to a tab-delimited text file
3- find and extract the Outlook Express files.
I'll use the find command to search for the .dbx files created by Outlook Express (normally stored under Local Settings\Application Data\Identities\{GUID}\Microsoft\Outlook Express in the user's profile) and copy them to a network share, so that they can later be opened in Outlook Express for analysis.
find /mnt/hda -iname '*.dbx'   # find the .dbx mailbox files; the glob is quoted so the shell does not expand it against the current directory
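The three steps above all follow the same pattern: locate the artifact on the mounted drive, copy it somewhere you can work on it, and only then hand it to vinetto, pasco or Outlook Express. The script below is an added example (it is not part of the original tutorial or of any of these tools) that does the locate-and-copy part in one pass and writes an MD5/SHA-1 manifest so each copy can be tied back to the source drive. It assumes the suspect filesystem is already mounted read-only (for example `mount -o ro,loop image.dd /mnt/hda`); the mount point, evidence directory, user name and file contents used in the demo tree are all made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original tutorial: triage the artifacts the
# tutorial looks for (Thumbs.db, index.dat, *.dbx) from a read-only mounted
# drive, copy them into an evidence directory with their relative paths
# preserved, and record MD5/SHA-1 hashes of the originals.

# collect_artifacts MOUNT EVIDENCE_DIR
#   MOUNT        root of the suspect filesystem (assumed mounted with -o ro)
#   EVIDENCE_DIR where the copies and manifest.txt are written
collect_artifacts() {
    mnt=$1
    out=$2
    mkdir -p "$out"
    : > "$out/manifest.txt"

    # -iname: Windows file names are case-insensitive, so Thumbs.db may appear
    # as thumbs.db; the glob is quoted so the shell does not expand it itself.
    find "$mnt" -type f \( -iname Thumbs.db -o -iname index.dat -o -iname '*.dbx' \) |
    while IFS= read -r src; do
        rel=${src#"$mnt"/}                 # path relative to the mount point
        dst="$out/$rel"
        mkdir -p "$(dirname "$dst")"
        cp -p "$src" "$dst"                # -p keeps the original timestamps
        # manifest line: <md5>  <sha1>  <relative path>, hashed from the source
        printf '%s  %s  %s\n' \
            "$(md5sum "$src" | cut -d' ' -f1)" \
            "$(sha1sum "$src" | cut -d' ' -f1)" \
            "$rel" >> "$out/manifest.txt"
    done
}

# verify_manifest EVIDENCE_DIR: re-hash every copy and compare with the
# manifest; returns non-zero if any copy no longer matches its source hash.
verify_manifest() {
    out=$1
    status=0
    while IFS= read -r line; do
        md5=${line%%  *}                   # first field
        rest=${line#*  }                   # "<sha1>  <rel>"
        rel=${rest#*  }                    # relative path
        actual=$(md5sum "$out/$rel" | cut -d' ' -f1)
        [ "$actual" = "$md5" ] || { echo "MISMATCH: $rel"; status=1; }
    done < "$out/manifest.txt"
    return $status
}

# count_manifest EVIDENCE_DIR: number of artifacts recorded in the manifest
count_manifest() {
    wc -l < "$1/manifest.txt" | tr -d ' '
}

# build_demo_tree DIR: constructed stand-in for a mounted Windows XP profile
# (demo data only; the file contents are placeholders, not real artifacts)
build_demo_tree() {
    d=$1
    prof="$d/Documents and Settings/baduser"
    oe="$prof/Local Settings/Application Data/Identities/demo-guid/Microsoft/Outlook Express"
    mkdir -p "$prof/My Documents/pics" "$prof/Local Settings/History/History.IE5" "$oe"
    printf 'placeholder thumbs.db\n' > "$prof/My Documents/pics/Thumbs.db"
    printf 'placeholder index.dat\n' > "$prof/Local Settings/History/History.IE5/index.dat"
    printf 'placeholder inbox\n'     > "$oe/Inbox.dbx"
    printf 'not an artifact\n'       > "$prof/My Documents/notes.txt"
}

# Usage on a real case (paths are assumptions):
#   collect_artifacts /mnt/hda /mnt/win/share/forensic && verify_manifest /mnt/win/share/forensic
# then run vinetto and pasco against the copies under /mnt/win/share/forensic.
```

Once the copies are in the evidence directory, the vinetto and pasco commands from the steps above are run against those copies rather than against the mounted drive, and `verify_manifest` can be re-run at any point to show that nothing in the evidence directory has changed since collection.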
ok…let’s get forensic