
Blog: Category - Linux IR


CaseLeads: China Cyber Espionage Exposed, Account Issues with Twitter and Plenty of Great How-To's

This week on Case Leads, we learn the truth of China's cyber espionage unit, Twitter verified accounts were hacked and there have been some updates to some of your favorite tools.

If you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to caseleads@sans.org.

Tools:


  • HMFT was given a small update.

  • Autopsy was recently updated as well.

  • Passware can now extract passwords for certain popular websites from memory.


Good Reads:
...

Digital Forensic Case Leads: Report from the Forensic Expert Witness Conference, Judge: Viewing CP might NOT be possession, Mac crypto bug helps forensicators

Welcome to Digital Forensics Case Leads. Another busy week in digital forensics, incident response and the law. In this edition: The SANS Computer Forensics Blog was at the Forensic Expert Witness Annual Conference, and your humble reporter asked a seasoned member of the bench: What is it like for a Judge to sit on the bench and digest the testimony of a forensicator / technical expert witness? * Another Judge rules that viewing CP might NOT be the same as possession under the law. * Has Law Enforcement tipped their hand in a report that spells out how to use anti-forensics to conduct criminal acts using BitCoin? * A bevy of encryption tools. * And, could a forensicator leverage a Mac OS X bug to recover encrypted data, even after the user applies a new patch to "fix" the bug?

If you have an item you'd like to contribute to Digital Forensics CaseLeads, please send it to caseleads@sans.org.

Good Reads/Listens:


  • Law Enforcement
...

Digital Forensics: UID and GID distributions

On Unix and Linux systems each file has a user id and a group id (uid and gid respectively), identifying the file's owner and group. On most *nix systems, files in system directories are owned by uid and gid root, which is represented by the numeric uid and gid value of 0, as in the sample listing below (ls -ln prints the numeric ids instead of resolving them to names):

davehull@64n6:/bin$ ls -ln | head
total 9080
-rwxr-xr-x 1 0 0 950896 May 18 2011 bash
-rwxr-xr-x 3 0 0 31112 Dec 13 10:30 bunzip2
-rwxr-xr-x 1 0 0 1719048 Sep 1 12:02 busybox
-rwxr-xr-x 3 0 0 31112 Dec 13 10:30 bzcat
lrwxrwxrwx 1 0 0 6 Dec 13 10:30 bzcmp -> bzdiff
-rwxr-xr-x 1 0 0 2140 Dec 13 10:30 bzdiff
lrwxrwxrwx 1 0 0 6 Dec 13 10:30 bzegrep -> bzgrep
-rwxr-xr-x 1 0 0 4877 Dec 13 10:30 bzexe
lrwxrwxrwx 1 0 0 6 Dec 13 10:30 bzfgrep -> bzgrep
In the output above, if we say columns are separated by whitespace, columns three and four represent the uid and gid values of each ...

Digital Forensic SIFTing: SUPER Timeline Creation using log2timeline-sift

This is a series of blog articles that utilize the SIFT Workstation. The free SIFT Workstation, which can match any modern forensic tool suite, is also directly featured and taught in SANS' Advanced Computer Forensic Analysis and Incident Response course (FOR 508). SIFT demonstrates that advanced investigations and intrusion response can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.

The SIFT Workstation is a VMware appliance, pre-configured with the necessary tools to perform detailed digital forensic examination in a variety of settings. It is compatible with

...

Outlier analysis in digital forensics

In my previous post, Atemporal time line analysis in digital forensics, I talked about using the inodes of a known piece of attacker code as a pivot point to discover previously unknown attacker code on a system. In this post, I want to point out another interesting thing about these inodes.

Recall that I'm using the word "inode" in a generic, non-filesystem-specific way, to refer to the numeric value that is assigned to a file's metadata record (i.e. time stamps, permissions, cluster/block runs, etc.). On NTFS the first file on the file system is assigned inode zero and is always the $MFT. As more files are created, the next file gets inode one, and so on. On EXT2/3/4 file systems, the root directory (/) is assigned inode two, and the numbers increase from there as additional files are stored on the system.

A typical file

...