Forensic Cop Journal 2(1) 2009-Ubuntu Forensic
Ubuntu Forensic is a digital forensic technique based on the use of Linux Ubuntu. It is selected because it provides many reliable forensic applications for analysing digital evidence. In this journal, Ubuntu is explored for the purposes of digital forensic, anti-forensic and cracking.
Published by: Muhammad Nuh Al-Azhar on Dec 01, 2009
Copyright:Attribution Non-commercial
Forensic Cop Journal Volume 2(1), Nov 2009
Ubuntu Forensic
by Muhammad Nuh Al-Azhar, MSc. (CHFI, CEI, MBCS)
Commissioner Police
Coordinator of Digital Forensic Analyst Team, Forensic Lab Centre of Indonesian National Police HQ
Ubuntu Forensic is the use of Ubuntu for digital forensic purposes. Because it provides a wide range of forensic tools as well as anti-forensic and cracking tools, it is a reliable platform for investigating a computer crime and analysing the digital evidence involved. The significant difference between forensic applications on Ubuntu and on Ms Windows is that the Ubuntu applications are freeware, while the applications running under Ms Windows are commercial. The results obtained from these applications are relatively the same. This means that a digital forensic analyst should understand the use of Ubuntu forensic applications as well as Ms Windows applications. Analysts who do so have many forensic tools that can be applied in an investigation or analysis; when one tool does not give satisfactory results, they are able to use other tools, under either Ubuntu or Ms Windows, to yield the best results.

This journal is written with the aim of broadening the forensic view among forensic professionals. It is expected that they can explore the packages provided on Ubuntu for forensic purposes. They should know that it is not only Ms Windows forensic applications that can be used for digital forensics; many tools on Ubuntu can do the same thing with the same results.

To some extent, Ubuntu gives stronger results than Ms Windows applications. For instance, dcfldd can be used for forensic imaging with different purposes: it can image certain selected blocks as well as the whole drive. This feature is not provided by imaging applications running under Ms Windows. Another instance is image metadata analysis through exif. On Ubuntu there are several tools which can be used to analyse image exif data, such as exif, exiftool and metacam, and there are also tools which can be used to manipulate exif values, such as exiv2 and libjpeg-progs. All these tools are freeware.

One essential reason why the author frequently uses Ubuntu for digital forensic purposes such as forensic imaging is forensically sound write protection. Every digital forensic analyst is required to apply it when dealing with storage drive evidence, so that the contents of the drive are not changed either accidentally or deliberately. Once the contents have been changed, the subsequent digital forensic actions become doubtful or are even refused by the court, unless the analyst can explain comprehensively why (i.e. the relevance) they were changed and what the implications of that action are. Write protection is usually applied in live analysis under strict procedures; in dead analysis (i.e. post mortem) the analyst is still required to keep the contents of the hard drive unchanged. To reach this purpose, Ubuntu can be modified to give forensically sound write protection. This is performed by modifying the file /etc/fstab so that the mount option is read-only; whatever is then done on the evidence drive does not change its contents. When a text file is accessed, this action does not change the MAC (i.e. Modified, Accessed and Created) times at all: they remain unchanged although the file is accessed, because the modification of /etc/fstab gives forensically sound write protection for any action committed by the analyst on the drive.

With this feature, the analyst can do many things such as live analysis on the drive in order to speed up the investigation. This is frequently done when dealing with many drives as evidence: if the regular digital forensic procedure is performed, forensic imaging of each drive takes a long time. The shortcut is to apply forensically sound write protection and then read and analyse the drives directly, so that the analyst can find out which of the drives has a strong relationship with the case. Once that is known, the analyst can carry out further analysis on it.

Below are the tools which can be used for digital forensic analysis, anti-forensic and cracking purposes. The number of tools for forensic purposes is twenty-five, with fifteen tools for anti-forensic and ten tools for cracking. There are actually other tools whose descriptions relate to these purposes, but they are not mentioned in this journal.

One of the powerful tools often used by the author is Autopsy. It is the GUI version of The Sleuth Kit created by Brian Carrier. What commercial applications running under Ms Windows, such as EnCase and FTK, discover when analysing digital evidence is the same as what Autopsy finds.

The description of each tool below is directly quoted from the Synaptic Package Manager, created by Connectiva S/A and Michael Vogt, April 2009. This application makes it easy for Ubuntu users to install or uninstall Ubuntu packages. If they are still in doubt about the use of a certain package, they should read the description given for each package.
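The read-only /etc/fstab entry described above can be generated and audited with a few lines of sh. The script below is an added example, not code from the journal: the device identifier, the /mnt/evidence mount prefix and the sample fstab lines are constructed placeholders, and the extra options beside ro (noatime, noauto, nodev, nosuid, noexec) are the author of this example's choice, not something the journal prescribes.

```shell
#!/bin/sh
# Added example (not from the journal): emit and audit read-only fstab entries
# for evidence volumes. All device names and mount points are constructed.

# Print one fstab line that mounts an evidence volume read-only.
# "ro" is the write-protect option the article relies on; noatime avoids
# access-time updates, noauto keeps the volume from mounting at boot, and
# nodev/nosuid/noexec stop anything on the evidence from being executed.
fstab_ro_entry() {
    dev="$1"; mnt="$2"; fstype="$3"
    printf '%s %s %s ro,noatime,noauto,nodev,nosuid,noexec 0 0\n' "$dev" "$mnt" "$fstype"
}

# Return 0 when the fstab line in $1 carries "ro" as a whole option in the
# options field (field 4), 1 otherwise. Comments and blank lines count as safe.
# Matching on ",ro," avoids a false pass on e.g. errors=remount-ro.
fstab_line_is_ro() {
    line="$1"
    case "$line" in
        ''|'#'*) return 0 ;;
    esac
    opts=$(printf '%s\n' "$line" | awk '{print $4}')
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Read an fstab file ($1) and report every mount under the evidence prefix
# ($2, default /mnt/evidence) that is not read-only. The return value is the
# number of offending entries, so 0 means the evidence mounts are all ro.
fstab_audit() {
    file="$1"; prefix="${2:-/mnt/evidence}"
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        mnt=$(printf '%s\n' "$line" | awk '{print $2}')
        case "$mnt" in
            "$prefix"*)
                if ! fstab_line_is_ro "$line"; then
                    echo "WRITABLE evidence mount: $line"
                    bad=$((bad + 1))
                fi ;;
        esac
    done < "$file"
    return "$bad"
}

# Usage: fstab_ro_entry UUID=0000-CONSTRUCTED /mnt/evidence/sda1 ntfs >> /etc/fstab
#        fstab_audit /etc/fstab && echo "all evidence mounts are read-only"
```

Two caveats worth keeping in mind when relying on this. A ro mount stops the kernel writing through the file system, but for ext3/ext4 volumes the kernel will still replay the journal on mount unless the noload option is also given, so add it for those file systems; and a hardware write blocker remains the stronger guarantee, with the fstab change as a second layer rather than a replacement.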
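The block-range imaging that the article credits to dcfldd (imaging selected blocks with skip= and count= rather than the whole drive) can be shown with plain dd plus a hash cross-check. This is an added example, not from the journal or the dcfldd project: it uses dd and sha256sum so it runs without dcfldd installed, the "drive" is a constructed 8-block file rather than real evidence, and the function names are this example's own. With dcfldd the equivalent acquisition would be dcfldd if=SRC of=IMG bs=512 skip=N count=M hash=sha256.

```shell
#!/bin/sh
# Added example (not from the journal): image a block range of a source with
# dd and verify the copy by SHA-256. The source is a constructed file.

# Hash stdin with sha256sum, falling back to shasum where coreutils is absent.
sha256_stream() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | awk '{print $1}'
}
sha256_of() { sha256_stream < "$1"; }

# Copy $5 blocks of $3 bytes, starting at block $4, from $1 into $2, make the
# image read-only so later analysis cannot alter it by accident, and print
# the image hash. Equivalent dcfldd call: dcfldd if=$1 of=$2 bs=$3 skip=$4 count=$5 hash=sha256
image_range() {
    src="$1"; img="$2"; bs="$3"; skip="$4"; count="$5"
    dd if="$src" of="$img" bs="$bs" skip="$skip" count="$count" 2>/dev/null
    chmod 0444 "$img"
    sha256_of "$img"
}

# Hash the same range straight from the source, without an intermediate file,
# so the acquisition hash can be cross-checked independently.
hash_range() {
    src="$1"; bs="$2"; skip="$3"; count="$4"
    dd if="$src" bs="$bs" skip="$skip" count="$count" 2>/dev/null | sha256_stream
}

# Return 0 when image $2 matches range (bs=$3 skip=$4 count=$5) of source $1.
verify_image() {
    [ "$(sha256_of "$2")" = "$(hash_range "$1" "$3" "$4" "$5")" ]
}

# Build a constructed 8-block (4096-byte) "drive": each 512-byte block starts
# with its own label and is NUL-padded by conv=sync, so ranges are visible.
make_fake_drive() {
    : > "$1"
    i=0
    while [ "$i" -lt 8 ]; do
        printf 'block-%d ' "$i" | dd bs=512 count=1 conv=sync 2>/dev/null >> "$1"
        i=$((i + 1))
    done
}

# Demonstration on the constructed drive: image blocks 2-4 and verify.
demo_dir=$(mktemp -d)
make_fake_drive "$demo_dir/drive.raw"
echo "partial image (blocks 2-4) sha256: $(image_range "$demo_dir/drive.raw" "$demo_dir/part.dd" 512 2 3)"
if verify_image "$demo_dir/drive.raw" "$demo_dir/part.dd" 512 2 3; then echo "verified"; else echo "MISMATCH"; fi
rm -rf "$demo_dir"
```

The point of hashing the range twice, once from the image file and once streamed from the source, is that the two values come from different code paths; agreement gives the analyst a recorded acquisition hash to cite later, and disagreement flags a read error or a wrong skip/count before any analysis is done on the image.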
Forensic Tools:

1. Vinetto: A forensics tool to examine Thumbs.db files. A tool intended for forensics examinations. It is a console program to extract thumbnail images and their metadata from those thumbs.db files generated under Windows. Used in forensic environments.

2. Autopsy: The Autopsy Forensic Browser is a graphical interface to the command line digital forensic analysis tools in The Sleuth Kit. Together, The Sleuth Kit and Autopsy provide many of the same features as commercial digital forensics tools for the analysis of Windows and UNIX file systems (NTFS, FAT, FFS, EXT2FS, and EXT3FS).

3. Rdd: A forensic copy program developed at and used by the Netherlands Forensic Institute (NFI). Unlike most copy programs, rdd is robust with respect to read errors, which is an important property in a forensic operating environment.

4. Tct: TCT is a collection of programs for a post-mortem analysis of a UNIX system after break-in. It enables you to collect data regarding deleted files, modification times of files and more. Install this BEFORE you need to use it, so you do not risk destroying essential forensic data before you begin. Tools contained within this package: grave-robber, lazarus, inode-cat, ils, unrm and pcat.

5. Galleta: An Internet Explorer cookie forensic analysis tool. Galleta is a forensic tool that examines the content of cookie files produced by Microsoft's Internet Explorer. It parses the file and outputs field-separated data that can be loaded in a spreadsheet.

6. Pasco: An Internet Explorer cache forensic analysis tool. Pasco is a forensic tool that examines the content of cache files (index.dat) produced by Microsoft's Internet Explorer. It parses the file and outputs field-separated data that can be loaded in a spreadsheet.

7. Sleuthkit: Tools for forensics analysis. The Sleuth Kit (previously known as TASK) is a collection of UNIX-based command line file system and media management forensic analysis tools. The file system tools allow you to examine file systems of a suspect computer in a non-intrusive fashion. Because the tools do not rely on the operating system to process the file systems, deleted and hidden content is shown. The media management tools allow you to examine the layout of disks and other media. The Sleuth Kit supports DOS partitions, BSD partitions (disk labels), Mac partitions, and Sun slices (Volume Table of Contents). With these tools, you can identify where partitions are located and extract them so that they can be analyzed with file system analysis tools. When performing a complete analysis of a system, we all know that command line tools can become tedious. The Autopsy Forensic Browser is a graphical interface to the tools in The Sleuth Kit, which allows you to more easily conduct an investigation. Autopsy provides case management, image integrity, keyword searching, and other automated operations.

8. Unhide: Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits, Linux kernel modules or by other techniques. It includes two utilities: unhide and unhide-tcp. Unhide detects hidden processes using three techniques:
   - comparing the output of /proc and /bin/ps
   - comparing the information gathered from /bin/ps with the one gathered from system calls (syscall scanning)
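The first unhide technique listed above, comparing the PIDs visible in /proc with those reported by ps, is small enough to write out as a sh script. This is an added example and not unhide's own code: the function names are this example's own, the comparison logic is kept separate from the live collection so it can be exercised on constructed PID lists, and the two-pass intersection is this example's way of handling the race in which a process starts or exits between the two snapshots.

```shell
#!/bin/sh
# Added example (not unhide's code): cross-check /proc against ps.
# A PID that has a /proc/<pid> directory but is missing from ps output is a
# candidate for a process hidden from the process table.

# Print PIDs present in list $1 but absent from list $2, sorted numerically.
# Both arguments are whitespace-separated PID lists, so the logic can be
# tested on constructed data without touching the live system.
pids_only_in_first() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(b, bb, " "); for (i = 1; i <= n; i++) seen[bb[i]] = 1
        m = split(a, aa, " ")
        for (i = 1; i <= m; i++)
            if (aa[i] ~ /^[0-9]+$/ && !(aa[i] in seen) && !done[aa[i]]++) print aa[i]
    }' | sort -n
}

# Print PIDs present in both lists, sorted numerically.
pids_in_both() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(b, bb, " "); for (i = 1; i <= n; i++) seen[bb[i]] = 1
        m = split(a, aa, " ")
        for (i = 1; i <= m; i++)
            if (aa[i] ~ /^[0-9]+$/ && (aa[i] in seen) && !done[aa[i]]++) print aa[i]
    }' | sort -n
}

# Snapshot /proc with the shell's own glob and the printf builtin, so the
# snapshot itself forks no new process that would then look "hidden".
snapshot_proc() {
    for d in /proc/[0-9]*; do printf '%s\n' "${d#/proc/}"; done
}

# Live check. ps is captured before /proc in each pass: ps's own PID then
# shows up only in the ps list (harmless), not only in /proc (a false alarm).
# Only PIDs that are unaccounted for in two passes a second apart are
# reported, which filters processes that were merely short-lived.
find_hidden_pids() {
    tmp=$(mktemp -d)
    ps -eo pid= > "$tmp/ps1"; snapshot_proc > "$tmp/proc1"
    first=$(pids_only_in_first "$(cat "$tmp/proc1")" "$(cat "$tmp/ps1")")
    if [ -n "$first" ]; then
        sleep 1
        ps -eo pid= > "$tmp/ps2"; snapshot_proc > "$tmp/proc2"
        second=$(pids_only_in_first "$(cat "$tmp/proc2")" "$(cat "$tmp/ps2")")
        pids_in_both "$first" "$second"
    fi
    rm -rf "$tmp"
}

# Usage: sh this_script.sh --live   (prints nothing when /proc and ps agree)
if [ "${1:-}" = "--live" ]; then
    hidden=$(find_hidden_pids)
    if [ -n "$hidden" ]; then echo "PIDs in /proc but not in ps:"; echo "$hidden"; else echo "no hidden processes found"; fi
fi
```

An empty result is evidence only against rootkits that hide from ps while leaving /proc intact; a kernel module that filters /proc directory listings defeats this check, which is why unhide also scans with system calls, as its second technique describes.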