By
Kevin Pryce
B00052949
25/10/2013
Table of Contents
A Report on the use of Forensic Analysis Tools in Backtrack and Kali ........ 1
Introduction ................................................................ 3
Section 1: Imaging Tools .................................................... 4
    Section 1.1 dd_rescue ................................................... 4
    Section 1.2 affconvert .................................................. 5
Section 2: Information Gathering Tools ...................................... 7
    Section 2.1 fsstat ...................................................... 7
    Section 2.2 affinfo ..................................................... 8
Section 3: Analysis Tools ................................................... 9
    Section 3.1 bulk_extractor .............................................. 9
    Section 3.2 scalpel .................................................... 10
    Section 3.3 recoverjpeg ................................................ 12
Section 4: Hashing and Steganography ....................................... 14
    Section 4.1 md5deep .................................................... 14
    Section 4.2 stegdetect ................................................. 15
Conclusions ................................................................ 16
References ................................................................. 18
Illustrations .............................................................. 20
Introduction
Step 1: Make sure that after you start the tool you navigate to
the folder containing the image you want to copy. In Illustration
1 we can see the command to run dd_rescue.
The output file hash was checked against the original image hash
to verify that the complete image was recovered.
Step 1: Make sure you are in the same directory as the .dd image
you want to convert, as shown in Illustration 3.
Step 1: Again, ensure that you give the actual path to the image
to be worked on, or, as in this case, work in the same folder. In
Illustration 5 we see the command used to run bulk_extractor and
copy the output to the extractoroutput folder.
When the .conf file is opened initially, all of these references
are commented out. The user must manually delete the leading hash
character (#) so that scalpel can use the uncommented parameters to
search for the header and footer information. The .conf offers a
selection of the most common file formats, and the user can also
create special entries for different extensions.
Consecutive runs over the same filesystem can yield more complete
file recovery without damaging the media. Complete file systems
can be reconstructed from multiple corrupted disks, as scalpel
logs each pass and can 'carve' data based on what headers and
footers it needs to match. After the first pass over an image,
scalpel has a record of the location of all the headers and
footers in the image [9].
On the second and subsequent passes, scalpel will try to match
each header with the correct footer. scalpel uses work queues to
keep track of the chunks of the disk image from which a file is to
be carved, following the uncommented parameters in the .conf file.
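As an added example (not scalpel's own code), the following Python sketch implements the behaviour described above: it parses a constructed scalpel.conf-style fragment, skips the entries that are still commented out, records every header and footer position in a first pass, and in a second pass pairs each header with the first footer inside the entry's maximum size, falling back to max_size bytes when no footer is found. The conf lines, the small max sizes and the disk image are constructed for the demonstration; the case-sensitivity column is parsed but only case-sensitive matching is implemented.

```python
import re
# Constructed scalpel.conf fragment using the real file's column layout:
# extension, case sensitivity, max size, header, footer. The jpg line is
# still commented out, so the carver must ignore it.
CONF_TEXT = r"""
# jpg   y   200000   \xff\xd8\xff\xe0   \xff\xd9
gif     y   50       GIF8               \x00\x3b
txt     y   24       <TXT>              </TXT>
"""

def unescape(token):
    """Turn scalpel's \\xNN notation into raw bytes."""
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  token.encode("latin-1"))

def parse_conf(text):
    """Return (ext, max_size, header, footer) for every uncommented entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # commented-out entry: not searched
        ext, _case, size, header, footer = line.split()[:5]
        entries.append((ext, int(size), unescape(header), unescape(footer)))
    return entries

def carve(image, entries):
    """Two-pass carve: index every header/footer, then pair them up."""
    find = lambda pat: [m.start() for m in re.finditer(re.escape(pat), image)]
    carved = []
    for ext, max_size, header, footer in entries:
        heads, feet = find(header), find(footer)   # pass 1: record positions
        for h in heads:                            # pass 2: match each header
            end = h + max_size                     # fallback: no footer found
            for f in feet:
                if f > h and f + len(footer) <= h + max_size:
                    end = f + len(footer)
                    break
            carved.append((ext, h, image[h:end]))
    return carved

# Constructed disk image: junk around one GIF-like and one TXT-like file,
# followed by a JPEG-like file that stays untouched (jpg is commented out).
IMAGE = (b"\x00" * 7 + b"GIF89apixels" + b"\x00\x3b" + b"\xff" * 5
         + b"<TXT>hello</TXT>" + b"\xff\xd8\xff\xe0JFIF\xff\xd9")

def demo():
    return carve(IMAGE, parse_conf(CONF_TEXT))
```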
scalpel is an invaluable tool in the forensics tool kit. It
provides the user with a fast, effective carving tool that does
not need huge amounts of processing power to complete its task. It
works on different filesystems and will retrieve files even when
all metadata is destroyed. It has been proven to recover data from
filesystems that have been reformatted multiple times [10].
This tool uses the MD5 hash function to create a fixed-size bit
string from a file. This string of letters and numbers (the longer
the string, the more complex the algorithm) is a way to identify
the file. It is a fingerprint of the file: it is unique to that
file, as it was generated from the unique structure of the
file [14].
This works on the principle that it is infeasible to change the
data without changing the hash, and that it is infeasible to
generate a message from a hash or to find different messages
with the same hash value [15].
The hash function must be one-way only. That is, given a hash
value, it should be difficult to find a message that produces that
exact hash value. This is because even the most subtle difference
in the input makes a huge difference in the generated hash. This
is pre-image resistance.
Given an input, it must be infeasible to find another, different
input that has the same hash. This is second pre-image resistance.
It must be difficult to find two different, separate messages that
have the same hash value. This is collision resistance [19].
No hashing function is ever fully secure against being broken.
What the hash does is increase the amount of time and resources it
takes to crack, making it infeasible resource-wise. MD5 is no
longer considered safe, since it was proven to have low collision
resistance. SHA-3 is currently considered the most secure hashing
algorithm [20].
This page has a very detailed explanation of what is going on
under the hood at reference point 3.1 [21]. The illustration shows
the size of the image, along with the hash.
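An added example, not from the report or from md5deep, of the verification step described above: hashing a constructed in-memory image in chunks, accepting a copy only when both MD5 and SHA3-256 agree, and measuring how many digest bits change when a single bit of the image is flipped. The image bytes, the flipped position and the pairing of algorithms are assumptions made for the demonstration.

```python
import hashlib

# Constructed stand-in for a disk image (16 KiB). A real .dd file would be
# read from disk in the same chunk sizes rather than held in memory.
IMAGE = bytes(range(256)) * 64

def digest(data, algo="md5", chunk=4096):
    """Hash data in chunks; the output length is fixed whatever the input size."""
    h = hashlib.new(algo)
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()

def verify_copy(original, copy, algos=("md5", "sha3_256")):
    """Accept the copy only if every algorithm agrees. MD5 is kept for
    compatibility with older reports; SHA3-256 is paired with it because
    MD5 collisions can be manufactured."""
    return all(digest(original, a) == digest(copy, a) for a in algos)

def flip_bit(data, byte_index, bit):
    """Return a copy of data with a single bit changed (one bad byte)."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)

def bits_changed(hex_a, hex_b):
    """Hamming distance in bits between two hex digests of equal length."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def demo():
    damaged = flip_bit(IMAGE, 8000, 0)        # one flipped bit, deep in the image
    return {
        "md5_hex_len": len(digest(IMAGE)),          # always 32 hex characters
        "intact_ok": verify_copy(IMAGE, IMAGE),     # True
        "damaged_ok": verify_copy(IMAGE, damaged),  # False
        "bits_changed": bits_changed(digest(IMAGE), digest(damaged)),
    }
```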
Illustrations
Illustration Index
Illustration 1: Verbose dd_rescue command........................6
Illustration 2: dd_rescue output.................................7
Illustration 3: affconvert run command...........................8
Illustration 4: affconvert showing results of command............8
Illustration 5: run command for bulk_extractor...................9
Illustration 6: output from bulk_extractor......................10
Illustration 7: uncommented search parameters...................11
Illustration 8: using the .conf file............................11
Illustration 9: output of what scalpel has found................12
Illustration 10: Output from recoverjpeg........................12
Illustration 11: Code Sample....................................13