Tuesday, December 09, 2008

VMware Workstation machine to VMware Server

Recently I received a VMware image to work on. I had installed VMware Server 1.0.8 on my CentOS 5.2 laptop because 2.0 is just painful. Unfortunately the image had been created with a newer version of Workstation, rendering it incompatible with my install. I found the VMware Converter, but it wasn't much help since I'm on a Linux machine.

I created a new default machine using VMware Server with the basic settings matching those of the target machine, then copied the resulting .vmx file into the folder of the target machine. (I could have just modified the original .vmx file, but decided to start over cleanly.)

So now the VMware machine tries to boot, but fails with the following message:

One or more of your disk files were created by a more recent version of VMware software and are not supported by this version of VMware Server.

Then I modified the .vmdk descriptor file from:

ddb.virtualHWVersion = "7"


to

ddb.virtualHWVersion = "4"



Worked like a charm :-)

I don't know if this will work in every case, but it might be helpful to someone.

Monday, November 24, 2008

Vol2html Perl Script

During my forensics class I started thinking of a way to make it easier for my students to sort through the output of Volatility, and started writing a little Perl script to create an HTML report of running processes, open files and DLLs.

This is not finished, as there is more information that I would like to correlate from the output of Volatility. But if you are somewhat curious, this is what I have so far: vol2html.pl. You can see an example report here. The output files for this report and the Perl script are bundled together here. There is minimal error checking.

To use, first redirect the output of Volatility for pslist, dlllist and files to text files:

./volatility pslist -f mem.dd > pslist.txt
./volatility files -f mem.dd > files.txt
./volatility dlllist -f mem.dd > dlllist.txt



Then feed the Perl script these files:

./vol2html.pl -pslist pslist.txt \
-files files.txt -dlllist dlllist.txt



There is more coming...


The venus website is down, so if you need to download vol2html you can get it from the new Google Code page.
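As an added example (not the vol2html.pl script from this post), here is the same idea in Python: parse the pslist and dlllist text files, join them by PID and emit an HTML report. The column layout it parses is an assumption about Volatility 1.x text output, and the two sample inputs are constructed; check the regexes against your own files. Every string taken from the memory image goes through html.escape(), since process names and DLL paths in a suspect image are attacker-controlled and the report will be opened in a browser.

```python
"""Correlate Volatility 1.x pslist/dlllist text output into an HTML report.

Added example, not the vol2html.pl script from the post.  The column layout
assumed by PS_RE and DLL_RE is an assumption about Volatility 1.x output and
the sample text below is constructed.
"""
import html
import re
from collections import defaultdict

# Constructed sample in the shape of `volatility pslist` output (assumption).
PSLIST_TXT = """\
Name                 Pid    PPid   Thds   Hnds   Time
System               4      0      58     573    Thu Jan 01 00:00:00 1970
smss.exe             544    4      3      21     Tue Nov 18 14:30:01 2008
explorer.exe         1516   1492   14     392    Tue Nov 18 14:30:25 2008
"""

# Constructed sample in the shape of `volatility dlllist` output (assumption).
DLLLIST_TXT = """\
************************************************************************
Pid: 544
Command line : \\SystemRoot\\System32\\smss.exe

Base       Size       Path
0x48580000 0x6000     \\SystemRoot\\System32\\smss.exe
0x7c900000 0xb2000    C:\\WINDOWS\\system32\\ntdll.dll
************************************************************************
Pid: 1516
Command line : C:\\WINDOWS\\Explorer.EXE

Base       Size       Path
0x01000000 0xff000    C:\\WINDOWS\\Explorer.EXE
0x7c900000 0xb2000    C:\\WINDOWS\\system32\\ntdll.dll
0x10000000 0x6000     C:\\Documents and Settings\\user\\Local Settings\\Temp\\x.dll
"""

PS_RE = re.compile(r"^(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
                   r"(?P<thds>\d+)\s+(?P<hnds>\d+)\s+(?P<time>.*)$")
DLL_RE = re.compile(r"^(?P<base>0x[0-9a-fA-F]+)\s+(?P<size>0x[0-9a-fA-F]+)\s+(?P<path>.+)$")


def parse_pslist(text):
    """Return {pid: {name, ppid, thds, hnds, time}}; the header row never matches (Pid is not numeric)."""
    procs = {}
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            d = m.groupdict()
            procs[int(d.pop("pid"))] = d
    return procs


def parse_dlllist(text):
    """Return {pid: [(base, size, path), ...]}; 'Pid:' lines switch the current process."""
    dlls = defaultdict(list)
    pid = None
    for line in text.splitlines():
        if line.startswith("Pid:"):
            pid = int(line.split(":", 1)[1])
            continue
        m = DLL_RE.match(line)
        if m and pid is not None:
            dlls[pid].append((m.group("base"), m.group("size"), m.group("path").rstrip()))
    return dlls


def build_report(procs, dlls):
    """Join processes with their DLLs by pid and render one table per process.

    Names and paths come straight out of the memory image, so they are
    escaped: a report must not let a process called <script>... inject markup.
    """
    out = ["<html><body><h1>Process report</h1>"]
    for pid in sorted(procs):
        p = procs[pid]
        out.append("<h2>%s (pid %d, ppid %s)</h2>" % (html.escape(p["name"]), pid, html.escape(p["ppid"])))
        out.append('<table border="1"><tr><th>Base</th><th>Size</th><th>Path</th></tr>')
        for base, size, path in dlls.get(pid, []):
            out.append("<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (base, size, html.escape(path)))
        out.append("</table>")
    out.append("</body></html>")
    return "\n".join(out)


if __name__ == "__main__":
    print(build_report(parse_pslist(PSLIST_TXT), parse_dlllist(DLLLIST_TXT)))
```

Redirect stdout to a file and open it in a browser; for real input read pslist.txt and dlllist.txt instead of the embedded samples.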

Sunday, November 16, 2008

Permeate MITM

It's been a long while. For that I apologize... I guess I'm not a very good blogger when the semester is in full stride. Anyway, there's a new code release for Permeate, this time with the MITM detection built in. A paper we recently submitted to ICC 09 is available there as well. Shouts to Jarek and BK :-)

Enjoy!

Thursday, October 23, 2008

PTK 0.2 Patch

In case you missed it, I've created a patch for PTK. You can find it here. This fixes the path issue for those who have Sleuthkit installed in /usr/local/bin. PTK 1.0 will be released soon and this will no longer be an issue.

Friday, October 10, 2008

PolyTech forensics challenge

Yay! Another former student, Fausto Dutan, is in the finals (one got third place last year). There's also an MS student from John Jay - Richard Alcalde. Go CUNY :-) Good luck to all of the finalists.

Edit 10/17: Richard Alcalde got 1st place! Congrats Richard :-)

Monday, September 22, 2008

/proc/kcore part II

It will take me a few posts to go through the kcore file... The last kcore post dealt only with the ELF header of the kcore file. After the ELF header ends (at offset 0x34, which is also e_phoff), there are three program headers (e_phnum = 3):

From elf.h we see that the structure of a program header is:

typedef struct
{
Elf32_Word p_type; /* Segment type */
Elf32_Off p_offset; /* Segment file offset */
Elf32_Addr p_vaddr; /* Segment virtual address */
Elf32_Addr p_paddr; /* Segment physical address */
Elf32_Word p_filesz; /* Segment size in file */
Elf32_Word p_memsz; /* Segment size in memory */
Elf32_Word p_flags; /* Segment flags */
Elf32_Word p_align; /* Segment alignment */
} Elf32_Phdr;



A look at the first program header below:

0000030: 0000 0000 0400 0000 9400 0000 0000 0000 ................
0000040: 0000 0000 d807 0000 0000 0000 0000 0000 ................
0000050: 0000 0000



The first program header is of type PT_NOTE (auxiliary information), p_type = 0x4
p_offset is 0x94: the notes start directly after the three 32-byte program headers (0x34 + 3 * 0x20 = 0x94)
p_filesz is 0x7d8, the total size of the notes

All other fields of the struct are 0x0 (a PT_NOTE segment is not loaded into memory, so vaddr, memsz, flags and alignment are unused)

A look at the second program header below:

0000050: 0000 0000 0100 0000 0010 8038 0000 80f8 ...........8....
0000060: 0000 0000 00e0 ff06 00e0 ff06 0700 0000 ................
0000070: 0010 0000



p_type is PT_LOAD (0x1, a loadable segment)
p_offset is 0x38801000
p_vaddr is 0xf8800000 (the start of the vmalloc area; see the kernel messages below)
p_filesz and p_memsz are both 0x6ffe000
p_flags are 0x7 (PF_R | PF_W | PF_X)
p_align is 0x1000 (one page, 4096 bytes)

The remaining field, p_paddr, is 0x0

The third program header looks like:

0000070: 0010 0000 0100 0000 0010 0000 0000 00c0 ................
0000080: 0000 0000 0000 0038 0000 0038 0700 0000 .......8...8....
0000090: 0010 0000



p_type is PT_LOAD (0x1, a loadable segment)
p_offset is 0x1000: the ELF header, program headers and notes occupy the first 0x94 + 0x7d8 = 0x86c bytes of the file, so the first loadable segment starts at the next page boundary
p_vaddr is 0xc0000000 (start of lowmem)
p_filesz and p_memsz are both 0x38000000 (896 MB, exactly the lowmem range 0xc0000000 - 0xf8000000 reported in the kernel messages below)
p_flags are 0x7 (PF_R | PF_W | PF_X)
p_align is 0x1000 (one page, 4096 bytes)

The remaining field, p_paddr, is 0x0

From my messages file to compare:

Sep 15 12:28:57 kanga kernel:
Memory: 2060724k/2087616k available
(2252k kernel code, 25548k reserved, 1182k data, 284k init, 1170112k highmem)
Sep 15 12:28:57 kanga kernel: virtual kernel memory layout:
Sep 15 12:28:57 kanga kernel: fixmap : 0xffc53000 - 0xfffff000 (3760 kB)
Sep 15 12:28:57 kanga kernel: pkmap : 0xff400000 - 0xff800000 (4096 kB)
Sep 15 12:28:57 kanga kernel: vmalloc : 0xf8800000 - 0xff3fe000 ( 107 MB)
Sep 15 12:28:57 kanga kernel: lowmem : 0xc0000000 - 0xf8000000 ( 896 MB)
Sep 15 12:28:57 kanga kernel: .init : 0xc0761000 - 0xc07a8000 ( 284 kB)
Sep 15 12:28:57 kanga kernel: .data : 0xc063337f - 0xc075ab88 (1182 kB)
Sep 15 12:28:57 kanga kernel: .text : 0xc0400000 - 0xc063337f (2252 kB)



Notes

The three notes that follow are built by the kernel from this structure (struct memelfnote in fs/proc/kcore.c):

struct memelfnote
{
const char *name;
int type;
unsigned int datasz;
void *data;
};



Looking at the first note (only the interesting part; the rest is zeroed out):

0000090: 0010 0000 0500 0000 9000 0000 0100 0000 ................
00000a0: 434f 5245



The fields do not appear in the order of struct memelfnote above; that struct is only the kernel's in-memory bookkeeping. What is written to the file is an Elf32_Nhdr (n_namesz, n_descsz, n_type) followed by the name and then the data, each padded to a 4-byte boundary.

First we have the size of the name: 0x5 (strlen("CORE") + 1, the terminating NUL is counted)
Then the data size: 0x90 (sizeof(struct elf_prstatus))
Then the type: 0x1 (NT_PRSTATUS)
Then the name itself: CORE, padded with NULs to 8 bytes
And finally the data, starting at 0xa8, which has been zeroed out (not shown); the next note therefore starts at 0xa8 + 0x90 = 0x138.

The next note looks like the following:


0500 0000 7c00 0000 ............|...
0000140: 0300 0000 434f 5245 0000 0000 0052 0000 ....CORE.....R..
0000150: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000160: 0000 0000 0000 0000 766d 6c69 6e75 7800 ........vmlinux.
0000170: 0000 0000 0000 0000 726f 2072 6f6f 743d ........ro root=
0000180: 2f64 6576 2f56 6f6c 4772 6f75 7030 302f /dev/VolGroup00/
0000190: 4c6f 6756 6f6c 3030 2072 6867 6220 7175 LogVol00 rhgb qu
00001a0: 6965 7400 0000 0000 0000 0000 0000 0000 iet.............
00001b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001c0: 0000 0000 0000 0000



First we have the size of the name: 0x5 (strlen("CORE") + 1)
Then the data size: 0x7c (sizeof(struct elf_prpsinfo))
Then the type: 0x3 (NT_PRPSINFO)
Then the name itself: CORE, padded to 8 bytes
And finally the data, starting at 0x14c, which uses the elf_prpsinfo structure:

struct elf_prpsinfo
{
char pr_state; /* numeric process state */
char pr_sname; /* char for pr_state */
char pr_zomb; /* zombie */
char pr_nice; /* nice val */
unsigned long pr_flag; /* flags */
__kernel_uid_t pr_uid;
__kernel_gid_t pr_gid;
pid_t pr_pid, pr_ppid, pr_pgrp, pr_sid;
/* Lots missing */
char pr_fname[16]; /* filename of executable */
char pr_psargs[ELF_PRARGSZ]; /* initial part of arg list */
};



The data consists of:
pr_state 0x0
pr_sname 0x52 ('R', running)
pr_zomb 0x0
Executable file name (pr_fname) "vmlinux" (at 0x168, offset 28 into the struct)
Saved command line (pr_psargs), up to ELF_PRARGSZ = 80 characters (at 0x178, offset 44 into the struct):
ro root=/dev/VolGroup00/LogVol00 rhgb quiet

The rest is zero because the kernel memset()s the structure before filling in the fields above.

The third note carries the task_struct of the current task. Here is the start of it:


0500 0000 9006 0000 ................
00001d0: 0400 0000 434f 5245 0000 0000 0000 0000 ....CORE........
00001e0: 0020 b2f0 0200 0000 0021 4000 ffff ffff . .......!@.....
00001f0: 7800 0000 7800 0000 7800 0000 b086 8af0 x...x...x.......
0000200: b086 8af0 4072 63c0 0004 0000 0000 4000 ....@rc.......@.
0000210: 0100 0000 0000 0000 0000 0000 0100 0000 ................
0000220: 494c 6a33 c10a 0000 2fd2 1d00 0000 0000 ILj3..../.......
0000230: 85b4 abc6 0c01 0000 6134 0c00 0000 0000 ........a4......
0000240: 0000 0000 0000 0000 5669 0d00 0000 0000



First we have the size of the name: 0x5 (strlen("CORE") + 1)
Then the data size: 0x690 (sizeof(struct task_struct), defined in linux/sched.h; this value differs from kernel to kernel)
Then the type: 0x4 (NT_TASKSTRUCT)
Then the name itself: CORE, padded to 8 bytes
And finally the data: a copy of `current', the task_struct of the task that is reading /proc/kcore when the header is generated (only the first bytes are shown above). The data starts at 0x1dc and ends at 0x1dc + 0x690 = 0x86c, which matches p_offset + p_filesz of the PT_NOTE program header.

Now we must dissect task_struct info, which we'll do a bit later...

Thursday, September 18, 2008

Visual Forensic Analysis

There's an interesting talk coming up at John Jay College:

The Center for Cybercrime Studies
The John Jay College of Criminal Justice
Presents

Visual Forensic Analysis

Speaker: Greg Conti



Computer Science Department
United States Military Academy

For decades hex was the common tongue of reverse engineers and forensic analysts, but we can do better. Hex editors are the Swiss Army knives of low level analysis and have evolved significantly, but are now at a local maximum. With the tiny textual window hex provides, it is difficult, if not impossible to understand the big picture context and inner workings of binary objects - files, file systems, process memory, and network traffic. While there are helpful tools to analyze the special case of executable files, little work exists to help address the general case of all types of binary objects. This talk presents visual approaches to improve the art and science of forensic analysis, diffing, and reverse engineering, both in the context independent case where little is known about the raw structure of the binary data and at the semantic level where external knowledge can be used to inform analysis. If you are faced with low level analysis tasks, you should attend this talk.

Greg Conti is an Assistant Professor of Computer Science at the United States Military Academy. His research includes security data visualization and web-based information disclosure. He is the author of Security Data Visualization (No Starch Press) and the forthcoming Googling Security (Addison-Wesley). His work can be found at www.gregconti.com and www.rumint.org.
 
Date: September 24, 2008
Time: 3:30 PM
Location: Mathematics Conference Room - 4238N
445 West 59th Street, New York City 10019


RSVP: Nicole Daniels at 212-237-8920 or email ndaniels@jjay.cuny.edu.
For additional information please contact Professor Doug Salane, Director of the Center for Cybercrime Studies, at 212-237-8836 or email dsalane@jjay.cuny.edu.

Friday, September 12, 2008

PyFlag on Windows

PyFlag is now available on Windows. I haven't had a chance to try it on Windows, but I will soon and then I'll report on it.

I've used it on Linux however, and it's really nice :-)

Tuesday, September 09, 2008

It's been a while...

Well, it's been a while since I've written anything. This is just a brief update for those who care... I've been busy and I switched locations for the semester. I'm not going to go over everything that's happened since my last post, but I'm teaching at John Jay College this semester instead of Queens College. It's still CUNY :-) and everything is still cool.

Oh, our paper was accepted :-) (this is not the final copy, but you get the gist) Edit: The schedule is up now.

What's next?

Thursday, August 14, 2008

ELF headers: executable vs /proc/kcore

This is for 32-bit ELF.

According to elf.h:

#define EI_NIDENT (16)

typedef struct
{
unsigned char e_ident[EI_NIDENT]; /* Magic number and other info */
Elf32_Half e_type; /* Object file type */
Elf32_Half e_machine; /* Architecture */
Elf32_Word e_version; /* Object file version */
Elf32_Addr e_entry; /* Entry point virtual address */
Elf32_Off e_phoff; /* Program header table file offset */
Elf32_Off e_shoff; /* Section header table file offset */
Elf32_Word e_flags; /* Processor-specific flags */
Elf32_Half e_ehsize; /* ELF header size in bytes */
Elf32_Half e_phentsize; /* Program header table entry size */
Elf32_Half e_phnum; /* Program header table entry count */
Elf32_Half e_shentsize; /* Section header table entry size */
Elf32_Half e_shnum; /* Section header table entry count */
Elf32_Half e_shstrndx; /* Section header string table index */
} Elf32_Ehdr;



Sizes of the Elf32_* types (in bytes):

Word: 4
Half: 2
Off: 4
Addr: 4

Looking at a regular binary like ls for example:


$ dd if=/bin/ls bs=52 count=1|xxd
1+0 records in
1+0 records out
52 bytes (52 B) copied, 3.6108e-05 s, 1.4 MB/s
0000000: 7f45 4c46 0101 0100 0000 0000 0000 0000 .ELF............
0000010: 0200 0300 0100 0000 0099 0408 3400 0000 ............4...
0000020: ec7f 0100 0000 0000 3400 2000 0800 2800 ........4. ...(.
0000030: 2000 1f00 ...



I'm using the ELF manual to analyze this.

The first line (16 bytes) is the e_ident array, which consists of:

The ``magic'' value in the first four bytes - 7f45 4c46 (0x7f 'E' 'L' 'F')
The file class (EI_CLASS) - 0x1 (ELFCLASS32)
Data encoding (EI_DATA) - 0x1 (ELFDATA2LSB) little endian
File version (EI_VERSION) - 0x1 (EV_CURRENT)
EI_OSABI and EI_ABIVERSION - both 0x0 (System V), followed by the padding bytes (EI_PAD), also zero

On the second line (e_type) 0x2 tells us it is an executable file (ET_EXEC)
(e_machine) value 0x3 tells us the target architecture is Intel 80386 (EM_386)
(e_version) value 0x1 tells us it is the current version (EV_CURRENT)
(e_entry) the virtual address to which control is transferred is 0x8049900
(e_phoff) the program header table starts at file offset 0x34, i.e. directly after the ELF header

On the third line 0x17fec is the section header table offset (e_shoff)
(e_flags) value 0x0 tells us that no processor-specific flags are set
(e_ehsize) value of 0x34 tells us the ELF header is 52 bytes (sizeof(Elf32_Ehdr))
(e_phentsize) value of 0x20 tells us each program header table entry is 32 bytes (sizeof(Elf32_Phdr))
(e_phnum) value of 0x8 tells us there are 8 entries in the program header table
(e_shentsize) value of 0x28 tells us each section header table entry is 40 bytes (sizeof(Elf32_Shdr))

On the fourth line
(e_shnum) value of 0x20 tells us there are 32 entries in the section header table
(e_shstrndx) value of 0x1f is the index (31) of the section header for the section name string table


So what does /proc/kcore look like?


# dd if=/proc/kcore bs=52 count=1|xxd
1+0 records in
1+0 records out
52 bytes (52 B) copied, 3.9321e-05 s, 1.3 MB/s
0000000: 7f45 4c46 0101 0100 0000 0000 0000 0000 .ELF............
0000010: 0400 0300 0100 0000 0000 0000 3400 0000 ............4...
0000020: 0000 0000 0000 0000 3400 2000 0300 0000 ........4. .....
0000030: 0000 0000 ....



The first line is the same as above.

The second line:

(e_type) 0x4 tells us it is a core file (ET_CORE) *
(e_machine) value 0x3: Intel 80386 (EM_386), as before
(e_version) value 0x1 tells us it is the current version (EV_CURRENT)
(e_entry) is 0x0: a core file has no entry point
(e_phoff) the program header table starts at offset 0x34

* this is useful to know if we are dealing with a core file...

In the third line:

(e_shoff) value 0x0 tells us there is no section header table
(e_flags) value 0x0 tells us that no processor-specific flags are set
(e_ehsize) value of 0x34 tells us the ELF header is 52 bytes
(e_phentsize) value of 0x20 tells us each program header table entry is 32 bytes
(e_phnum) value of 0x3 tells us there are 3 entries in the program header table
(e_shentsize) value of 0x0 confirms there is no section header table

The fourth line (e_shnum and e_shstrndx) is all 0x0

To make your life easier here is a C program that will extract all of that information for you :-) You must be root to run it.

Note: I know I could have done this a bit more elegantly, but decided against that...
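As an added example (not the C program linked above), here is a Python decoder for the 32-bit ELF header that handles both inputs from this post. The two 52-byte headers are transcribed from the xxd output above; the consistency checks (e_ehsize, e_phentsize, e_shoff versus e_shnum) are my additions and are the ones worth making before any tool trusts the program header table of a file it did not create.

```python
"""Decode a 32-bit little-endian ELF header and tell an executable from a core file.

Added example, not the C program the post links to.  LS_HDR and KCORE_HDR are
the 52-byte dumps from the post; the consistency checks are an addition.
"""
import struct

EHDR_FMT = "<16sHHIIIIIHHHHHH"         # e_ident, then the remaining Elf32_Ehdr fields
EHDR_SIZE = struct.calcsize(EHDR_FMT)  # 52
EHDR_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
               "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
               "e_shnum", "e_shstrndx")
E_TYPES = {0: "ET_NONE", 1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
E_MACHINES = {3: "EM_386"}
ET_CORE = 4

# Transcribed from the post's `dd ... | xxd` output (first 52 bytes of each file).
LS_HDR = bytes.fromhex(
    "7f454c46010101000000000000000000"
    "02000300010000000099040834000000"
    "ec7f0100000000003400200008002800"
    "20001f00")
KCORE_HDR = bytes.fromhex(
    "7f454c46010101000000000000000000"
    "04000300010000000000000034000000"
    "00000000000000003400200003000000"
    "00000000")


def is_elf32_lsb(data):
    """True if data starts with the ELF magic and declares ELFCLASS32 / ELFDATA2LSB."""
    return (len(data) >= EHDR_SIZE and data[:4] == b"\x7fELF"
            and data[4] == 1 and data[5] == 1)   # EI_CLASS, EI_DATA


def parse_ehdr(data):
    """Decode an Elf32_Ehdr into a dict; raise ValueError if the header cannot be trusted."""
    if not is_elf32_lsb(data):
        raise ValueError("not a 32-bit little-endian ELF header")
    e_ident, *fields = struct.unpack_from(EHDR_FMT, data, 0)
    hdr = dict(zip(EHDR_FIELDS, fields))
    hdr["ei_version"] = e_ident[6]       # EI_VERSION, 1 = EV_CURRENT
    hdr["ei_osabi"] = e_ident[7]         # EI_OSABI, 0 = System V
    hdr["type_name"] = E_TYPES.get(hdr["e_type"], "unknown(0x%x)" % hdr["e_type"])
    hdr["machine_name"] = E_MACHINES.get(hdr["e_machine"], "unknown(0x%x)" % hdr["e_machine"])
    # Consistency checks before anything walks the tables: a forged or truncated
    # header that lies about entry sizes would otherwise misalign every later read.
    if hdr["e_ehsize"] != EHDR_SIZE:
        raise ValueError("e_ehsize 0x%x != sizeof(Elf32_Ehdr)" % hdr["e_ehsize"])
    if hdr["e_phnum"] and hdr["e_phentsize"] != 32:
        raise ValueError("e_phentsize 0x%x != sizeof(Elf32_Phdr)" % hdr["e_phentsize"])
    if hdr["e_shoff"] == 0 and hdr["e_shnum"] != 0:
        raise ValueError("e_shnum set but there is no section header table")
    return hdr


def is_core(hdr):
    """A core file (ET_CORE) carries no entry point and no section header table."""
    return hdr["e_type"] == ET_CORE


def phdr_table_span(hdr):
    """(start, end) file offsets of the program header table."""
    start = hdr["e_phoff"]
    return start, start + hdr["e_phnum"] * hdr["e_phentsize"]


def describe(hdr):
    """One line per field, in the order the post walks them."""
    lines = ["%-12s 0x%x" % (name, hdr[name]) for name in EHDR_FIELDS]
    lines.insert(0, "%s, %s" % (hdr["type_name"], hdr["machine_name"]))
    return "\n".join(lines)


if __name__ == "__main__":
    for label, raw in (("/bin/ls", LS_HDR), ("/proc/kcore", KCORE_HDR)):
        print("==", label)
        print(describe(parse_ehdr(raw)))
```

For a live check run parse_ehdr(open("/proc/kcore", "rb").read(52)) as root; phdr_table_span() gives 0x34..0x94 for the kcore header, which is where the next post picks up with the three program headers.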

Monday, August 11, 2008

Network Distance Script

I have decided to release some more code. I'm not claiming any of this is good, but it has served a purpose either personally or in the classroom at some point. The last item added is a distance Perl script to measure the Levenshtein distance of two pcap files.

I wrote this for some experiments with malware some time back. I figured I should share it in case it is of use to someone before I misplace it :-) More details are included in the script itself.

Tuesday, July 29, 2008

Cuil Not So Cool

So after reading about the new search engine called Cuil, I couldn't wait to try it out. I didn't realize it had gone live until after reading about how much it failed. Most people complained about not being able to pronounce ``Cuil'' in spite of lots of publicity that it is pronounced ``Cool'' so maybe some people didn't bother to read. There were also disputes about what, if anything, Cuil returned during searching. So I decided to give it a try myself.

I decided to search for penguin. According to the right hand side of Cuil, there are 66,229,028 results for penguin.



First of all, the website design is really nice. I know that doesn't matter as much, but I had to say that :-) I also like the columns, the short snippets and the pictures to the side. I have to agree with Cuil that showing a picture can help the user determine relevance (FAQ #7).

There's even some tabs and a pull down menu across the top of the search to help narrow down your interest, such as ``Penguin Books'', ``Penguin Classics'', ``Penguin Putnam'', ``Linux Penguin'' etc.. Ok, that's nice.

Now for the vanity searches. First off, I'm not some conceited schmuck who likes to google herself all the time, but I know what should pop up when my name is entered. Here it goes: there are 3,619,749 results for the search term ``jamie levy'' (without quotes).

Ok, so something of mine is not on the first page like on Google. Big deal. There's something of mine on the second page:



It's a tutorial of mine. It's kind of old, and it's kind of buried in my site... I thought I would at least see the index of my site if anything... Also, I'm not really sure what that picture is next to my page. I know I didn't put it there.

Ok, on the third page I see the same tutorial above as well as another OLD tutorial of mine that I forgot to take offline after I rewrote it. So that's bizarre, why would the first resulting tutorial repeat to the second page? What is that picture next to it? How did they find the old Unix tutorial?:



This seems to be a pattern, however, as I found more repeats of these results, and finally my index page on the fourth page of results. However, there is finally a correct picture next to the Wireshark tutorial:



After looking just a little bit more I found another old course page of mine, which repeats as well:



Ok, so what happens if I decide to narrow down my search and look for myself at the place where I work? Cuil only shows four results (though it claims there are 43,752 results), three of which we have already seen above. Look next to the Unix tutorial, do you find anything curious there? I did:



Who is that man in the picture? He's so mysterious.... I know I didn't put him there! Here's a closeup:



Bizarre is all I can say... Does his picture seem relevant to Unix? I wouldn't think so... but it seems like some of these pictures are just random. Also the stuff that Cuil pulls up seems as if it's from some older snapshot. I haven't quite figured it out.

Well, I won't bore you with details of other people I ``Cuil''ed, but I thought it was interesting that I couldn't find my past adviser at all when there are 815,000 pages in Google related to his name.



I guess he isn't ``Cuil'' enough... :-)

Monday, July 21, 2008

The Last Hope (afterwards)

Man, The Last Hope was a blast. I'm still trying to get over it ending...

I went with my good friend Matthew. I saw several talks of interest. The first talk I went to was ``Botnet Research, Mitigation and the Law.'' It was really interesting to hear from a lawyer as to what can and cannot be done when investigating these botnets. I have to find his email, however, because there were some more questions I wanted to ask him about this.

The next talk I went to was Kevin Williams' Death Star Threat Modeling talk. It was really good and really funny. It was funny to see security models explained in a Star Wars way...

I really enjoyed the presentation by Lady Ada and pt. It was really interesting to see all of the things they could do with hardware. I was inspired :-) It was funny that they had their phone jammer there to block cell calls during the talk. I was kinda surprised how many cell phones went off during talks prior to that.

I also saw the ``Hacking Cool Things with Microcontrollers'' talk by Mitch Altman. It was interesting. He seems like an interesting guy with his cool colored hair :-) I liked his TV-be-gone product.

After a nice break, Matthew and I went to see the Cold Boot Memory Forensics talk. During the talk, the crowd was informed that some code was released as well. This was a very interesting talk. I'll have more to say on this one later...

The last talk I went to the first night was the Hacking FOIA talk. I missed some good talks that night, but there was not much I could do. I just couldn't stay.

Alright, I'm not going to list all of the other talks I went to, but a few. As for the pics, forgive me, I didn't have my usual camera with me so these didn't turn out as well...



The Steven Levy talk was quite funny. I liked the part where he talked about interviewing Steve Jobs.



Steven Rambam's talk was LONG... 3 hours scheduled... and it went into overtime with the questions... and a lot of it was already covered in his other talk. Still, I had a good time. There's something about his assertiveness that I can't help but appreciate.



I got to meet some interesting people like Bernie S:



and Emmanuel Goldstein:



(who looks as if he's plotting things here...)

I must say, I really enjoyed the social engineering panel. It was really funny, and useful to prove just how much information you can get and how some people are a little too trusting. Maybe that shows that some people are still basically good... I'm not sure.

Even though I had planned to stay for Kevin Mitnick's talk, it was really late and things had been pushed back by almost an hour. I just couldn't stay any longer with DH at home alone...

On the last day, I have to say that the most interesting talks I went to were the two Pen Testing talks (Pen Testing using LiveCDs by Thomas Wilhelm and Pen Testing using Firefox by DaKahuna and ThePrez98), Adam Savage and Postal Hacking. All but the Postal Hacking talk were packed full. (I'll write more on this later...)

Edit: You can find torrents of some of the talks here.

Tuesday, July 15, 2008

Linux Memory Forensics

I knew something good would come out of the DFRWS forensic challenge. This is really great. I just had to say something about it :-)

I would have liked to have worked on the challenge myself, but with a full-time teaching schedule and other projects, just couldn't fit in the time. I was anxious to see what would happen this year, however.

Good job, guys :-)

Monday, July 14, 2008

PTK 0.2 Released

PTK Labs has released beta 0.2. Improvements include searching for strings in slack space and a new installer. Now installation will be somewhat easier. You simply have to unzip the files into your Apache-owned folder (/var/www/, /var/www/htdocs, /var/www/html etc.). Make sure the permissions are set correctly. Open your browser and go to http://127.0.0.1/ptk/install.php. You will see the installation page and can just fill it out as needed.

Edit 10/18: I've decided to add a patch to address the comment below.
Apply it as follows:


patch -b install.php install_diff.txt

Friday, July 11, 2008

Maze Generator

I was looking for some files I had backed up from my old laptop when I came across a disk that contained old schoolwork. It was kind of fun looking at these projects I did as an undergraduate. So I decided to release them online. One project that was particularly fun was a maze generator using disjoint sets. It creates a graphical presentation of the maze and also prints it out to a text file of the user's choice.

I thought it might be fun for someone to play with.... but if not, no harm done.

An update can be found here

Wednesday, July 09, 2008

Windows DNS bug fix can impair firewalls

It all started after downloading Microsoft's latest updates. Though this is a valid fix, if you are running a firewall like ZoneAlarm you may not be able to connect to the internet after the latest update.

I found out the hard way this morning. It all started with phone calls from a couple of friends complaining about network connections. At first I thought it might just be an ISP issue, but then DH installed the latest updates on his computer. After he rebooted all connectivity was lost. I still had internet on my Linux box, so it prompted me to call some people back and find out if they had recently updated. Sure enough they had. A brief news search turned up the answer. Hope this doesn't affect too many people, but I think it will....

I don't think that you should uninstall the MS hotfix like some are saying, but you might have to use another firewall product or use a workaround to survive. Perhaps it's time to move on to something else...

The Last Hope


The Last Hope (2600) is coming soon - July 18-20. It costs $75 for three days and is hosted at the Hotel Pennsylvania.

I'm excited to go. They have a lot of interesting talks this year. The Cold Boot talk should be interesting. Botnets, Law issues, Voip, baggage cams, RFIDs.... well there are just TOO many interesting things to write about here :-) I can't wait.

Sunday, July 06, 2008

PTK on Fedora 8

Wow, this was a painful install... and I'm not even sure if it's completely over :-/ Though I haven't been able to get this working completely with all of my practice images, PTK looks somewhat promising. Update: PTK works; see the update at the end.

Anyway, before you get started, you should make sure to install all of the packages you need:


mysql
mysql-server
php
php-mysql
php-mbstring
httpd
Sleuthkit



In addition, according to the help forums, you also need the following libraries for Sleuthkit (I must have had a previous version because I haven't had to do this before):


afflib
libewf



The following package is not *required* but can help you a lot if you are not used to command-line management of MySQL databases:


phpMyAdmin


With all of the above packages, just do a ``yum install''. After you start MySQL and httpd you should be set. I have already gone over how to set up MySQL and will not repeat it here. If you want to make sure that everything has installed correctly, you can see the PHP information by creating a file called info.php in the /var/www/html directory that contains:


<?php
phpinfo();
?>



To see the information, open a browser and go to http://127.0.0.1/info.php. Scroll down until you see the following (and delete info.php when you are done: phpinfo() reveals paths, versions and settings to anyone who can reach the web server):





Now, download the PTK source code. After you extract it, you should have a folder that contains a license file, the Setup file, the PTK.sql file and another tarball. Make sure that the MD5 hash values are correct (note that md5sums.txt travels with the download, so this catches corruption, not tampering; for that you would need the hashes from a separate trusted channel):


$ cat md5sums.txt
76b10e2f1c8bfd25a7128e1ca4f3009a ptk-beta_0.1.tar.gz
15d83f58161f816db660c65cf12c717e PTK.sql
e7cebc317dda69f2df81856118d924f3 Setup
$ md5sum -c md5sums.txt
ptk-beta_0.1.tar.gz: OK
PTK.sql: OK
Setup: OK



I tried just using the Setup file and failed miserably. I would get the nice welcome screen, but couldn't log in to PTK. Then I tried the manual install shown in the tutorial... It also didn't work. Things were getting installed in the wrong directories, even after I had told it where to install correctly using the original Setup script. Also, the Setup script looks for files called md5 and sha1, which are called md5sum and sha1sum on my machine...

So after analyzing the Setup file, I wrote a patch and finally got PTK working which you can find here. To apply the patch type:


patch -b Setup fedora-patch.txt


This will make a backup of the Setup file in case things go awry.

Make sure that you pay attention to output of the Setup script and check to see if there are any errors. If things go well, you should see the following screens:







If everything goes ok, you should have PTK installed in your /var/www/html/ptk directory. You can start it by going to http://127.0.0.1/ptk. You have to log in using the ``admin'' account, and hopefully you don't forget the password you used for this!



Issues (all but the last issue are resolved):
I am not yet sure of the cause of all of these issues, but I thought I would list things here.
  • FAT images do not seem to be recognized and I am unable to browse the file system at all.
  • I am unable to get an initial correct hash of the image without running the browser as root
  • After the initial hash is taken, verification yields an incorrect hash (see pic below); I suspect it is hashing the symbolic link and not the image itself. The top md5sum hash is correct, the second (verification) one is not.
  • If you have SELinux enforcing, you will have to use workarounds to let this program work (which is an SELinux thing, not a PTK thing exactly)
  • When you search for images, you are initially directed to the /var/www/html/ptk/images folder, which is fine. If you add a disk image there, you do not see it. You have to go back 2 directories and then forward again before the disk image appears




Edit: PTK Works

As I wrote previously, I managed to get PTK installed on Fedora 8. I had a few issues with seeing the images at the end, however. It was a permissions problem. I can't believe I missed that. But it works and it seems fun. So if you are installing PTK on Fedora, follow the earlier instructions and use the patch I made and then check the permissions of the ptk folder to make sure that it is owned by apache (or whatever user you have as your webserver). If it isn't then do a recursive chown:


# chown -R apache:apache /var/www/html/ptk









I have only a couple of complaints: The folders are kind of hard to see on the left hand side, but there may be some way to remedy that. Also, I'm still having the problem of having to go back two folders and then forwards when importing an image, but I guess it's not that bad... Still, PTK has some nice options, like the gallery view, and the interface is nice. So far I like it :-)

Wednesday, July 02, 2008

MDD

I'm finally writing about trying MDD on XP SP 3:



And Vista:





It works nicely and in the case of dumping XP memory, you can do analysis with Volatility afterwards. (Note: Make sure you are running the cmd as Admin.) Another nice feature is that it gives you an md5 hash of the memory image after it finishes dumping.

I also tried win32dd on Vista. It worked fine as well. (I forgot to take a screen shot but will get one soon). I was surprised at first because it seemed to work much faster than MDD, since it gave me the all clear and appeared to have finished. I then checked the size of the dump and it was too small, so at first I thought it had failed. Later I checked the dump and it was 2 GB as needed, so it did work, but must have finished dumping in the background.

Microsoft Office Binary File Format Documents

Microsoft Office Binary File Format Documents were recently released. Should be useful to someone.

Wednesday, June 25, 2008

PyFlag Installation on Fedora 8

So I finally decided to be brave and install PyFlag.

First you have to get the source code (more info on wiki or compile tutorial):


# yum install darcs
$ darcs get http://www.pyflag.net/pyflag



After this, you will have a folder called pyflag. If you look at the install instructions from the PyFlag site, you can see that there are several packages that must be installed before installing PyFlag. Most of these can be found in yum repos, but under different names (items in parentheses are the Debian package names):

python-dateutil
clamav
clamav-server (clamav-daemon)
mysql
mysql-devel
mysql-server
file-devel (libmagic-dev)
pexpect (python-pexpect)
python-imaging
python-mysqldb (manual install)


# yum install python-dateutil clamav clamav-server mysql mysql-devel mysql-server file-devel pexpect python-imaging



After installing all of these packages, you must initialize mysql:


# /sbin/chkconfig mysqld on
# /sbin/service mysqld start
# mysqladmin -u root password 'new-passwd'



You must use quotes around the new-passwd you choose, and don't forget what it is!

You must also set up clamav-server so it will work. Make sure you know where everything is installed, because things get funky with clamav and Fedora:


# rpm -q --filesbypkg [packagename]



Where [packagename] is replaced by the package(s) you installed. I went ahead and installed all of the clamav packages just to be safe. Two files of interest are the daemon file itself and the configuration file. My locations are:


/usr/sbin/clamd
/usr/share/doc/clamav-server-0.92.1/clamd.conf



This is annoying, because when you run the clamd daemon, it says it can't find the clamd.conf file in the expected place (/etc/clamd.conf). So you can add a symbolic link to the real location:


# ln -s /usr/share/doc/clamav-server-0.92.1/clamd.conf /etc/clamd.conf



You'll have to figure out how to set up your own clamd.conf file.

Ok, at this point you are able to install PyFlag:


$ cd pyflag
$ sh autogen.sh
$ ./configure
$ make
$ su -
# make install



Make sure that you have no errors when running configure, make and make install. Now, before running PyFlag, you must set up the configuration file to point to the mysql.sock file. Fedora places the mysql.sock file in a different location than the default (/var/run/mysqld/mysqld.sock). So open up the configuration file using your favorite editor:


$ vi ~/.pyflagrc



Change the line that says:


dbunixsocket=/var/run/mysqld/mysqld.sock

to


dbunixsocket=/var/lib/mysql/mysql.sock


Notice that "run" is changed to "lib" and the "d" is absent from the end of mysql. You are now set.

Also make sure that PyFlag points to the clamav socket (for example):


clamav_socket=/var/run/clamd.d/clamd.sock



If everything goes well, you can then set up PyFlag:


$ pyflag



Follow the instructions on the website for setting up pyflag by going to http://127.0.0.1:8000.

There was only one other thing I changed. Since I already have a service listening on port 8000, I changed the port in the configuration file:


httpserver_port=7000
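
To make the three edits above repeatable (an added example, not part of the original post or of PyFlag itself), the following shell functions set or replace a key=value line in ~/.pyflagrc and then check that the two socket paths actually exist, which is the usual reason PyFlag cannot reach mysqld or clamd at first start. The file path is a parameter so it can be run against a copy; the key names and values are the ones from this post.

```shell
# Added example, not from the original post or from PyFlag.
# Set KEY=VALUE in a simple key=value file, replacing an existing line for
# KEY if present and appending otherwise. Writes through a temp file so it
# works without GNU "sed -i".
set_rc_option() {
    rc="$1"; key="$2"; value="$3"
    touch "$rc"
    if grep -q "^${key}=" "$rc"; then
        tmp="${rc}.tmp.$$"
        awk -v k="$key" -v v="$value" \
            'BEGIN { FS = OFS = "=" } $1 == k { print k OFS v; next } { print }' \
            "$rc" > "$tmp" && mv "$tmp" "$rc"
    else
        printf '%s=%s\n' "$key" "$value" >> "$rc"
    fi
}

# Print the value of KEY from the file (first match, everything after "=").
get_rc_option() {
    grep "^${2}=" "$1" | head -n 1 | cut -d= -f2-
}

# Return 1 if dbunixsocket or clamav_socket is unset or does not point at an
# existing unix socket, i.e. mysqld/clamd is not running or the path is wrong.
check_rc_sockets() {
    rc="$1"; status=0
    for key in dbunixsocket clamav_socket; do
        path=$(get_rc_option "$rc" "$key")
        if [ -z "$path" ]; then
            echo "$key: not set in $rc" >&2; status=1
        elif [ ! -S "$path" ]; then
            echo "$key: $path is not a socket (service not started?)" >&2; status=1
        fi
    done
    return $status
}

# Apply the Fedora-specific values from the post to ~/.pyflagrc (or to $1).
configure_pyflag_fedora() {
    rc="${1:-$HOME/.pyflagrc}"
    set_rc_option "$rc" dbunixsocket /var/lib/mysql/mysql.sock
    set_rc_option "$rc" clamav_socket /var/run/clamd.d/clamd.sock
    set_rc_option "$rc" httpserver_port 7000
}

# Usage:
#   configure_pyflag_fedora && check_rc_sockets "$HOME/.pyflagrc"
```

Run check_rc_sockets after starting mysqld and clamd; if it complains about a path, compare it against the socket locations the two daemons actually report rather than editing blindly.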
I'll have a post later after I've played around with this for a while...

Tuesday, June 24, 2008

Gateway GM5420 Desktop: Vista to XP

I should have written this back when I converted the machine and it was still fresh. I'll write it up as best I remember now, however.

So back in November I bought a Gateway GM5420 Desktop. It came with Vista, which I was more than willing to try. It remained a Vista machine, but was barely used until May. DH hated Vista and refused to adapt. I wasn't really all that pleased either. The only thing I really liked about the machine was the ATI video card, but even then, we don't watch enough TV to keep it around just for that... So we decided to make the machine a dual boot for Vista and XP.

There was one big problem: XP doesn't support SATA drives by default. After searching the Gateway website, it became clear that I wasn't going to find SATA drivers for XP. There were barely any drivers for XP at all. So after some investigation, I found the motherboard information:

Love Valley and Stoughton Motherboard Intel(r) MQ96510J

After some searching around on Intel's site, I found the appropriate drivers. I downloaded the Matrix Storage drivers, which resulted in the following executable:

iata82_enu.exe **

Now, I wanted to slipstream my installation, so I had to extract the drivers from the executable:

mkdir drivers
iata82_enu.exe -a -p C:\drivers

At first I tried to slipstream the image using the first tutorial, but things didn't work out for me as expected. I then found out about nLite, which is a nice tool that allows you to add drivers and updates and create a bootable ISO. There's information about it here and here.

So everything worked and XP was installed. I had another problem: the network drivers were not included. This was the easy part, however. The drivers for Intel Pro Network Connections Driver 11.2 are available online.

I still had Vista on the other side, however and needed to make it dual boot. This was no problem, there's a nice tutorial online that can be followed. I just used EasyBCD as mentioned in the article and comments and it worked.

** Note: When I did this, actually the only download available was a floppy drive file. I then had to use Virtual Floppy Drive 2.1 to extract the drivers.

Tuesday, June 17, 2008

Memory Acquisition Just Got Easier

This is for those who asked me to keep this material up, for your further studies :-)

As you may remember, the traditional dd.exe method does not work on Windows 2003 SP1 and above. Two open-source tools have been released that get past this:

Memory DD
Win32dd

For more details check out Volatility's blog.

Monday, June 16, 2008

Introduction

So I've been keeping various blogs for classes and projects. Now I've decided to keep up with my own blog, so I'm starting over again. It's gonna be slow here in the next few days, since I'm on vacation, but it should pick up.