Re: [linux_forensics] cloning partitions

  • swinginscott
    Message 1 of 10, Oct 2, 2009
      The fastest/easiest way to do it will just be to power down the machines, put the hard drives in the Debian machine, and use dd.

      Putting all the drives on the south bus (if possible) will definitely go faster than anything else. I'm assuming that will be pretty easy since you've got all the boxes in your possession.

      Otherwise, you can just drop them using dd over netcat.

      ~ Scott

      ________________________________
      From: Donald Raikes <dnraikes@...>
      To: linux_forensics group <linux_forensics@yahoogroups.com>
      Sent: Friday, October 2, 2009 9:01:25 PM
      Subject: [linux_forensics] cloning partitions


      Hello,

      I am new to this field. I am trying to learn my way into the world of computer forensics, and as such, I have a "real-world" need for the tools involved.

      Problem:
      My wife and I have recently discovered that we are the victims of identity theft.
      Last week someone tried to charge something on a credit card which we only use for online purchases.
      We only use the card at secure sites, and mostly with 4 or 5 particular vendors.

      I would like to go back and look at the computers where we have done the purchasing to see if somehow someone is intercepting our keystrokes or something similar.

      I have a Debian workstation set up to serve as my "lab" machine. It has a 1 TB drive available for holding disk images and analysis results.

      The computers I wish to image have Windows XP on them.

      What is the "best" method for performing the imaging?
      I have a Debian live CD that includes tools like partimage, dd, dcfldd, and netcat. I can add other tools if there is a better method for accomplishing this task.

      Any tips would be appreciated.

      Sincerely,
      Don Raikes
      CFE wannabe

    • Adrian Cuellar
      Message 2 of 10, Oct 2, 2009
        Hello Gents,

        Maybe I am not seeing the proverbial "Schwartz" here, but once you have the image how are you going to go about and try and find the key logger? That is assuming that someone installed a KL or a rootkit with a KL in sleeper mode? I know they have a KL that only sniffs out SSL traffic, which is pretty crafty I thought. It does not bother with traffic that is not SSL encrypted. In that event you would need all of your packet history anyway, so again I fail to see how an image helps... other than to try and run a rootkit scanner against it or something.

      • Donald Raikes
        Message 3 of 10, Oct 2, 2009
          Scott,

          I would like to use netcat to copy the drives, but the commands I got from the web didn't make a whole lot of sense to me.

          If you have any scripts/suggestions I would greatly appreciate them.
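Scott's two acquisition paths (suspect drive attached to the Debian lab box, or dd streamed over netcat), written out as an added shell example with the copy hashed as it is written; this is not code from the thread, and the device names, the lab address 192.0.2.10 and port 9000 are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: the two acquisition paths Scott
# describes (drive attached to the Debian box, or dd streamed over netcat),
# each hashed as it is written so the copy can be verified afterwards.
# Device names, the lab address 192.0.2.10 and port 9000 are placeholders.

# Print the MD5 digest of a file or block device (hex only, no filename).
md5_of() {
    md5sum < "$1" | awk '{print $1}'
}

# Path 1: suspect drive attached directly to the Debian lab box.
# Usage: image_local <source device> <image file>
# The same byte stream feeds tee (writes the image) and md5sum (hashes it),
# so the recorded digest is of exactly what was written to disk.
# For a drive with unreadable sectors add conv=noerror,sync to dd; be aware
# that sync pads the final partial block up to bs, so the image grows a
# little and its hash will no longer equal a hash of the raw device.
image_local() {
    src="$1"; out="$2"
    dd if="$src" bs=4M | tee "$out" | md5sum | awk '{print $1}' > "$out.md5"
}

# Path 2a: receiver on the lab box (start this side first).
# Usage: receive_image <port> <image file>
# netcat-traditional syntax; OpenBSD-style nc uses "nc -l $port" instead.
receive_image() {
    port="$1"; out="$2"
    nc -l -p "$port" | tee "$out" | md5sum | awk '{print $1}' > "$out.md5"
}

# Path 2b: sender on the suspect box booted from the live CD.
# Usage: send_image <device> <lab ip> <port>
# The source is hashed in a second, independent read; compare the printed
# digest with the receiver's $out.md5. If the receiver never exits once the
# stream ends, add "-q 1" (netcat-traditional) or "-N" (OpenBSD nc) to nc.
send_image() {
    dev="$1"; host="$2"; port="$3"
    dd if="$dev" bs=4M | nc "$host" "$port"
    echo "source md5: $(md5_of "$dev")"
}

# Compare an image against an expected digest. Prints OK or MISMATCH and
# returns non-zero on mismatch so it can gate the rest of a script.
# Usage: verify_image <image file> <expected md5 hex>
verify_image() {
    img="$1"; expected="$2"
    actual=$(md5_of "$img")
    if [ "$actual" = "$expected" ]; then
        echo OK
        return 0
    fi
    echo MISMATCH
    echo "expected $expected, got $actual" >&2
    return 1
}

# Dispatcher so one file serves both ends:
#   lab box:      sh image.sh receive 9000 sda1.dd
#   suspect box:  sh image.sh send /dev/sda1 192.0.2.10 9000
#   lab box:      sh image.sh verify sda1.dd "$(cat sda1.dd.md5)"
#   lab box:      sh image.sh local /dev/sdb1 sdb1.dd   (drive attached)
case "${1:-}" in
    local)   image_local "$2" "$3" ;;
    receive) receive_image "$2" "$3" ;;
    send)    send_image "$2" "$3" "$4" ;;
    verify)  verify_image "$2" "$3" ;;
esac
```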
          • Stuart Bird
            Message 5 of 10, Oct 3, 2009
              Don

              If I were you I would start your adventures at http://www.linuxleo.com and read the introductory guide available there! It will give you some answers but also, if you remain interested after you have read it and run some of the exercises, leave you with lots more questions as well. But that's the fun part! It's as good a starting point as any I have found.

              Stu

            • Jacques B.
              Message 6 of 10, Oct 3, 2009
                I must admit I was thinking of the same thing. Are you going to examine your machines for evidence of malware? You mention that you want to see if someone is "intercepting" your keystrokes. If the method of interception is by way of infection of one of your local machines, then you are on the right track (examining the hosts). If the interception was out on the web, then you'll find nothing on your local machine. If one of the merchants was hacked (or the victim of a dishonest employee), then you will find nothing of value on your local machine. If the person used a random credit card generator to create the card number, then you will find nothing on your local machine.

                You said you only use the card at secure sites. Do you also use it for offline purchases (i.e. gas, restaurant, store, whatever)? If so, your card could just as easily have been compromised that way.

                Not trying to discourage you from stepping into the world of computer forensics. Just that imaging and analyzing several computers is time consuming and may yield absolutely nothing at the end of the day. As long as you are going into this with your eyes wide open (i.e. long process, may yield no results) you won't be disappointed.

                Another possible consideration is live forensics in addition to dead box forensics. Ideally, work on a restored copy of the original, or boot the image file using a tool like VMWare or LiveView (but in a home environment you may instead opt to do it on your actual boxes after you've imaged them). You'll want to run tools to look at running processes and open ports and do a full malware scan; you could also run a sniffer on your network to monitor the traffic going out from the boxes over a period of 24 hours for evidence of unauthorized traffic going out. And then there are the variables: the malware may be hooked into your browser, for example, so a live analysis will seem normal unless the browser is running, thus causing the malware to also run. As for traffic going out, as was pointed out, if the malware is set up to only watch https traffic, then your sniffer will likely see nothing from the malware unless it captures some https username/password to send home.

                I certainly don't want to discourage your enthusiasm, but I don't want to give you the false impression that this is a 3-4 hour process. You may get lucky and find something in 10 minutes through live analysis, or find something after a few hours of dead box forensics (after the several hours of imaging process). Or you could spend 3-4 weeks and still find nothing.

                So go into this with your eyes wide open and it will be an enjoyable (sometimes frustrating) learning experience. My advice, if you are going to go forward with this challenge, is to image the machines, then as a next step do live forensics on your systems as I suggested earlier. If that yields nothing, you could then try dead box forensics, but if your systems are clean (as far as current malware tools can tell), chances are minimal that dead box forensics will yield any different results. As examiners we usually do dead box forensics to find evidence on the drive. If there is no malware on the machines, it is highly likely that you will find no evidence on the local machines as it relates to malware being responsible for this.

                Good luck and certainly don't hesitate to post questions to the list as you move along in your experience.

                Jacques
              • Jeff Bryner
                Message 7 of 10, Oct 3, 2009
                  I'd suggest using some basic timeline analysis to see what that turns up. If there is a file being written to log keystrokes, it should light up in a timeline. Granted, a smart rootkit could hide the time modifications, etc., but it's worth a shot.

                  Some 'hero oneliners' to get you started, assuming you have The Sleuth Kit installed:

                  imaging:

                  ##dd imaging with progress, auto md5sum
                  ##assuming /dev/sda1 is the suspect partition you want to analyze
                  dd if=/dev/sda1 | pipebench | tee sda1.dd | md5sum > sda1.md5.txt

                  sda1.dd will be an image of the partition, and sda1.md5.txt will be the md5 checksum of the sda1.dd file, i.e. md5sum sda1.dd should match the contents of sda1.md5.txt.

                  #timeline creation analysis
                  fls -f ntfs -m / -r sda1.dd >sda1.macs
                  ils -f ntfs -m sda1.dd >>sda1.macs
                  mactime -b sda1.macs > sda1.mactime

                  sda1.mactime will be a text file with timeline info for every file on the system. It's labor intensive, but I'd start with a day you know something happened (online banking, etc.) and take a look at what files were created, modified, and accessed and see if anything jumps out at you. Some of the keystroke loggers I've seen name files with date stamps that correspond explicitly with browsing activity.

                  Happy hunting!

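An added example, not code from Jeff's post or from The Sleuth Kit, that works the body file his fls/ils lines produce into the two checks he describes (what was touched on a known day, and file names carrying a date stamp); it assumes the TSK 3.x body format (pipe-separated, epoch atime|mtime|ctime|crtime in fields 8 to 11) and GNU date, and the sample body lines in it are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: working the body file that Jeff's
# "fls -m / -r" and "ils -m" lines produce (assumed TSK 3.x body format,
# pipe-separated, epoch timestamps in fields 8-11: atime|mtime|ctime|crtime)
# to pull out what was touched on one day and which names carry a date stamp.
# The sample body lines below are constructed, not from a real image.

# Usage: touched_on <body file> <YYYY-MM-DD>
# Prints "<flags><TAB><path>" for every entry with a timestamp inside that
# UTC day: a=accessed m=content modified c=metadata changed b=born/created.
# GNU date is assumed for the day-to-epoch conversion.
touched_on() {
    body="$1"; day="$2"
    start=$(date -u -d "$day" +%s)
    end=$((start + 86400))
    awk -F'|' -v s="$start" -v e="$end" '
    {
        flags = ""
        if ($8  >= s && $8  < e) flags = flags "a"
        if ($9  >= s && $9  < e) flags = flags "m"
        if ($10 >= s && $10 < e) flags = flags "c"
        if ($11 >= s && $11 < e) flags = flags "b"
        if (flags != "") printf "%s\t%s\n", flags, $2
    }' "$body"
}

# Usage: datestamped_names <body file>
# Lists paths whose name contains something shaped like YYYYMMDD (with or
# without - or _ separators), the naming habit Jeff mentions for logger output.
datestamped_names() {
    awk -F'|' '$2 ~ /[0-9][0-9][0-9][0-9][-_]?[0-9][0-9][-_]?[0-9][0-9]/ { print $2 }' "$1"
}

# Write a small constructed body file (same layout fls -m emits) to $1.
# 1254096000 is 2009-09-28 00:00:00 UTC; the entries straddle that day.
write_sample_body() {
    cat > "$1" <<'EOF'
0|/WINDOWS/system32/kernel32.dll|100-128-1|r/rrwxrwxrwx|0|0|989696|1250000000|1200000000|1200000000|1200000000
0|/Documents and Settings/wife/Local Settings/Temp/log_20090928.txt|201-128-1|r/rrwxrwxrwx|0|0|2048|1254140000|1254140000|1254130000|1254130000
0|/Documents and Settings/wife/Local Settings/Temporary Internet Files/Content.IE5/index.dat|300-128-1|r/rrwxrwxrwx|0|0|32768|1254140100|1254140100|1254140100|1230000000
0|/WINDOWS/system32/drivers/etc/hosts|400-128-1|r/rrwxrwxrwx|0|0|734|1254300000|1200000000|1200000000|1200000000
0|/Program Files/Updater/20090927.dat|500-128-1|r/rrwxrwxrwx|0|0|512|1254050000|1254050000|1254050000|1254050000
EOF
}

# Walk-through on the constructed sample:  sh timeline.sh 2009-09-28
# On a real case, point the functions at the sda1.macs file from Jeff's commands.
if [ "$#" -eq 1 ]; then
    body=$(mktemp)
    write_sample_body "$body"
    echo "== entries touched on $1 (a=accessed m=modified c=changed b=born) =="
    touched_on "$body" "$1"
    echo "== date-stamped file names =="
    datestamped_names "$body"
    rm -f "$body"
fi
```

The day filter is only a first cut: an entry can also be interesting because its timestamps are older than the file around it, which is what the full mactime listing is for.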
                • echo6
                  Message 8 of 10, Oct 3, 2009
                    Don,

                    The important part is to get an image as early as possible. I wouldn't worry too much about the method you use to image.

                    There has been some good advice given here. I would heartily recommend you check out the guide mentioned by Stu; Barry Grundy has written a comprehensive guide to get you started.

                    There could be any number of ways your details have been compromised, either beyond your control or on the box you want to examine. Although a rootkit is a consideration, there are other more likely possibilities such as an IRC bot, and yes, of course, even these can be hidden using rootkit methods.

                    I would most certainly recommend the live analysis method, looking for listening services, ports, processes, network activity, etc. Of course you have to obtain a suitable image first. Examining the live system may provide more transparent activity than a post mortem exam.

                    Also look at getting a memory dump of your cloned operating system environment. There are some excellent open source tools which will assist in obtaining a memory dump (http://win32dd.msuiche.net) and in examining XP memory dumps (https://www.volatilesystems.com/default/volatility).

                    Regards,
                    Jon Evans.

                  • Jacques B.
                    Message 9 of 10, Oct 3, 2009
                      Although I normally don't top post, I suspect that is probably more practical in your case. Not sure if the accessibility software properly skips to the bottom post.

                      Regarding your wife's computer, a virus scan is certainly a good start. Other live forensics steps can include verifying running processes and open/listening ports. Foundstone has a free tool called fport that checks open ports and links them to the respective process. It is a command line tool. If a graphical environment is better, Microsoft TechNet has a tool called TCPView.

                      There are tools out there that can assist in automating some of the live forensics. Helix from e-fense is one of them. Fullmoon.net is a site that has a tool called Windows Forensic Toolchest that used to be free on earlier versions of Helix but later became a commercial product.

                      If nothing suspicious is found during the live forensic portion, odds are stacked against you that there will be something found during postmortem analysis. Consider that the purpose of your postmortem would be to try and find malware. If none is found during a virus scan and nothing to suggest the presence of malware is found in any other parts of your live analysis, then chances are favourable that your machines are not infected. Thus it is unlikely that something will be found during postmortem.

                      If the use of the card was done with a false name, chances are good it was the result of a random credit card generator. These generators can generate valid card numbers (i.e. valid check digit), but have no way to know if they are active, much less any name associated with them, and can't figure out the 3 or 4 digit verification code. Find out if your proper name was used, and if the merchants required the 3/4 digit check code. If they did, you can rule out a random credit card generator. Either your computer is infected, it was stolen the old-fashioned way (an employee at a local store who gets paid for every valid card number they lift for a local organized crime group), or one of the merchants that you use had their database compromised (and if that is the case, they have an obligation to notify potential victims of this fact).

                      If you haven't already done so, consider contacting the credit bureaus to put a credit watch on your and your wife's files. This will afford you an extra layer of protection against someone trying to get new credit in your name.

                      Again, don't hesitate to post back questions to the group. Although I follow this list and have some academic knowledge/experience with Linux forensics, my real world experience is with Windows forensic tools. But many on this list have practical Linux forensic experience, so they will certainly be able to contribute knowledge/experience to guide you in your journey.

                      Good luck,

                      Jacques


                      On Sun, Oct 4, 2009 at 2:18 AM, Donald Raikes <dnraikes@...> wrote:
                      > Jacques,
                      >
                      > Thank you for the honest response and warnings.
                      >
                      > I realize there are some real issues with trying to hunt this down, however, since I have been interested in the field of computer forensics for a year or so, and have been doing some reading and "playing" with the opensource forensics tools on linux, I accept the challenges involved.
                      >
                      > My biggest issues with livebox forensics are:
                      > 1. I am blind, and one of the systems in question has no accessibility software on it. It is running windows xp home edition, and it is my wife's system.
                      >
                      > Once I finish cloning the 100gb drive, I will have her run trendmicro housecall on it and see what it turns up.
                      >
> As for the time commitment for the deadbox investigation, I can bring my equipment out to the family room in the evenings and work on it while spending time with my family as well, so I realize it will take a while, and may not turn up anything, but it will be a valuable learning experience.
                      >
                      >
                      >  ----- Original Message -----
                      >  From: Jacques B.
                      >  To: linux_forensics@yahoogroups.com
                      >  Sent: Saturday, October 03, 2009 4:40 AM
                      >  Subject: Re: [linux_forensics] cloning partitions
                      >
                      >
                      >    On Fri, Oct 2, 2009 at 7:36 PM, Adrian Cuellar <adriancuellar@...> wrote:
                      >  > Hello Gents,
                      >  >
>  > Maybe I am not seeing the proverbial "Schwartz" here, but once you have the image how are you going to go about and try and find the key logger? That is assuming that someone installed a KL or a rootkit with a KL in sleeper mode? I know they have a KL that only sniffs out SSL traffic which is pretty crafty I thought. It does not bother with traffic that is not SSL encrypted. In that event you would need all of your packet history anyway, so again I fail to see how an image helps....other than to try and run a root kit scanner against it or something.
                      >  >
                      >  >
                      >
                      >  I must admit I was thinking of the same thing. Are you going to
                      >  examine your machines for evidence of malware? You mention that you
                      >  want to see if someone is "intercepting" your keystrokes. If the
                      >  method of interception is by way of infection of one of your local
                      >  machines then you are on the right track (examining the hosts). If
                      >  the interception was out on the web, then you'll find nothing on your
                      >  local machine. If one of the merchants was hacked (or victim of a
                      >  dishonest employee) then you will find nothing of value on your local
                      >  machine. If the person used a random credit card generator to create
                      >  the card number then you will find nothing on your local machine.
                      >
                      >  You said you only use the card at secure sites. Do you also use it
                      >  for offline purchases (i.e. gas, restaurant, store, whatever)? If so,
>  your card could just as easily have been compromised that way.
                      >
                      >  Not trying to discourage you from stepping into the world of computer
                      >  forensics. Just that imaging & analyzing several computers is time
                      >  consuming and may yield absolutely nothing at the end of the day. As
                      >  long as you are going into this with your eyes wide open (i.e. long
                      >  process, may yield no results) you won't be disappointed.
                      >
                      >  Another possible consideration is live forensics in addition to dead
                      >  box forensics. Ideally working on a restored copy of the original or
                      >  booting the image file using a tool like VMWare or LiveView (but in a
                      >  home environment you may instead opt to do it on your actual boxes
                      >  after you've imaged them). You'll want to run tools to look at
                      >  running processes, open ports, full malware scan, you could also run a
                      >  sniffer on your network to monitor the traffic going out from the
                      >  boxes over a period of 24 hours for evidence of unauthorized traffic
                      >  going out. And then there are the variables that the malware may be
                      >  hooked into your browser for example, so a live analysis will seem
                      >  normal unless the browser is running thus causing the malware to also
                      >  run. As for traffic going out, as was pointed out if the malware is
                      >  set up to only watch https traffic, then your sniffer will likely see
                      >  nothing from the malware unless it captures some https
                      >  username/password to send home.
                      >
                      >  I certainly don't want to discourage your enthusiasm, but I don't want
                      >  to give you the false impression that this is a 3-4 hour process. You
                      >  may get lucky and find something in 10 minutes through live analysis,
                      >  or find something after a few hours of dead box forensics (after the
                      >  several hours of imaging process). Or you could spend 3-4 weeks and
                      >  still find nothing.
                      >
                      >  So go into this with your eyes wide open and it will be an enjoyable
                      >  (sometimes frustrating) learning experience. My advice if you are
                      >  going to go forward with this challenge is to image the machines, then
                      >  as a next step do live forensics on your systems as I suggested
                      >  earlier. If that yields nothing, you could then try dead box
                      >  forensics but if your systems are clean (as far as current malware
                      >  tools can tell), chances are minimal that dead box forensics will
                      >  yield any different results. As examiners we usually do dead box
                      >  forensics to find evidence on the drive. If there is no malware on
>  the machines, it is highly likely that you will find no evidence on the
                      >  local machines as it relates to malware being responsible for this.
                      >
                      >  Good luck and certainly don't hesitate to post questions to the list
                      >  as you move along in your experience.
                      >
                      >  Jacques
                      >
                      >
                      >
                      >
                    • Donald Raikes
                      Message 10 of 10 , Oct 3, 2009
                        Jacques,

                        Thank you for the honest response and warnings.

I realize there are some real issues with trying to hunt this down, however, since I have been interested in the field of computer forensics for a year or so, and have been doing some reading and "playing" with the open source forensics tools on linux, I accept the challenges involved.

                        My biggest issues with livebox forensics are:
                        1. I am blind, and one of the systems in question has no accessibility software on it. It is running windows xp home edition, and it is my wife's system.

                        Once I finish cloning the 100gb drive, I will have her run trendmicro housecall on it and see what it turns up.

As for the time commitment for the deadbox investigation, I can bring my equipment out to the family room in the evenings and work on it while spending time with my family as well, so I realize it will take a while, and may not turn up anything, but it will be a valuable learning experience.


                        ----- Original Message -----
                        From: Jacques B.
                        To: linux_forensics@yahoogroups.com
                        Sent: Saturday, October 03, 2009 4:40 AM
                        Subject: Re: [linux_forensics] cloning partitions


                        On Fri, Oct 2, 2009 at 7:36 PM, Adrian Cuellar <adriancuellar@...> wrote:
                        > Hello Gents,
                        >
> Maybe I am not seeing the proverbial "Schwartz" here, but once you have the image how are you going to go about and try and find the key logger? That is assuming that someone installed a KL or a rootkit with a KL in sleeper mode? I know they have a KL that only sniffs out SSL traffic which is pretty crafty I thought. It does not bother with traffic that is not SSL encrypted. In that event you would need all of your packet history anyway, so again I fail to see how an image helps....other than to try and run a root kit scanner against it or something.
                        >
                        >

                        I must admit I was thinking of the same thing. Are you going to
                        examine your machines for evidence of malware? You mention that you
                        want to see if someone is "intercepting" your keystrokes. If the
                        method of interception is by way of infection of one of your local
                        machines then you are on the right track (examining the hosts). If
                        the interception was out on the web, then you'll find nothing on your
                        local machine. If one of the merchants was hacked (or victim of a
                        dishonest employee) then you will find nothing of value on your local
                        machine. If the person used a random credit card generator to create
                        the card number then you will find nothing on your local machine.

                        You said you only use the card at secure sites. Do you also use it
                        for offline purchases (i.e. gas, restaurant, store, whatever)? If so,
your card could just as easily have been compromised that way.

                        Not trying to discourage you from stepping into the world of computer
                        forensics. Just that imaging & analyzing several computers is time
                        consuming and may yield absolutely nothing at the end of the day. As
                        long as you are going into this with your eyes wide open (i.e. long
                        process, may yield no results) you won't be disappointed.

                        Another possible consideration is live forensics in addition to dead
                        box forensics. Ideally working on a restored copy of the original or
                        booting the image file using a tool like VMWare or LiveView (but in a
                        home environment you may instead opt to do it on your actual boxes
                        after you've imaged them). You'll want to run tools to look at
                        running processes, open ports, full malware scan, you could also run a
                        sniffer on your network to monitor the traffic going out from the
                        boxes over a period of 24 hours for evidence of unauthorized traffic
                        going out. And then there are the variables that the malware may be
                        hooked into your browser for example, so a live analysis will seem
                        normal unless the browser is running thus causing the malware to also
                        run. As for traffic going out, as was pointed out if the malware is
                        set up to only watch https traffic, then your sniffer will likely see
                        nothing from the malware unless it captures some https
                        username/password to send home.

                        I certainly don't want to discourage your enthusiasm, but I don't want
                        to give you the false impression that this is a 3-4 hour process. You
                        may get lucky and find something in 10 minutes through live analysis,
                        or find something after a few hours of dead box forensics (after the
                        several hours of imaging process). Or you could spend 3-4 weeks and
                        still find nothing.

                        So go into this with your eyes wide open and it will be an enjoyable
                        (sometimes frustrating) learning experience. My advice if you are
                        going to go forward with this challenge is to image the machines, then
                        as a next step do live forensics on your systems as I suggested
                        earlier. If that yields nothing, you could then try dead box
                        forensics but if your systems are clean (as far as current malware
                        tools can tell), chances are minimal that dead box forensics will
                        yield any different results. As examiners we usually do dead box
                        forensics to find evidence on the drive. If there is no malware on
the machines, it is highly likely that you will find no evidence on the
                        local machines as it relates to malware being responsible for this.

                        Good luck and certainly don't hesitate to post questions to the list
                        as you move along in your experience.

                        Jacques




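The 24-hour sniffer check Jacques describes, as an added example that is not part of the thread: a small Python script that summarises outbound connections from the monitored boxes and flags destinations outside the handful of merchants the card is normally used at, plus a simple regularity heuristic (an addition beyond the text) for connections that recur at fixed intervals. The flow-line format, host addresses and merchant addresses are constructed assumptions, not values from the thread.

```python
"""Summarise outbound connections from monitored hosts over a capture window
and flag destinations outside a known list. All addresses and log lines are
constructed for this example (hypothetical, not from a real capture)."""
from collections import defaultdict
from datetime import datetime

# Assumed flow summary format: "<ISO time> <src ip> <dst ip> <dst port> <proto>"
SAMPLE_FLOWS = """\
2009-10-04T20:01:05 192.168.1.10 203.0.113.5 443 tcp
2009-10-04T20:01:06 192.168.1.10 203.0.113.5 443 tcp
2009-10-04T20:15:00 192.168.1.10 198.51.100.77 443 tcp
2009-10-04T21:15:00 192.168.1.10 198.51.100.77 443 tcp
2009-10-04T22:15:00 192.168.1.10 198.51.100.77 443 tcp
2009-10-04T23:15:00 192.168.1.10 198.51.100.77 443 tcp
2009-10-04T20:30:00 192.168.1.11 203.0.113.9 80 tcp
"""

MONITORED_HOSTS = {"192.168.1.10", "192.168.1.11"}   # the home boxes (constructed)
KNOWN_DESTINATIONS = {"203.0.113.5", "203.0.113.9"}  # usual merchants (constructed)


def parse_flows(text):
    """Turn flow summary lines into (time, src, dst, port, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, proto = line.split()
            flows.append((datetime.fromisoformat(ts), src, dst, int(port), proto))
    return flows


def unknown_destinations(flows, monitored=MONITORED_HOSTS, known=KNOWN_DESTINATIONS):
    """Group connections from monitored hosts to non-listed destinations.
    Returns {(src, dst, port): {"count", "first", "last", "regular"}}."""
    seen = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        if src in monitored and dst not in known:
            seen[(src, dst, port)].append(ts)
    report = {}
    for key, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[key] = {
            "count": len(times), "first": times[0], "last": times[-1],
            # Near-identical gaps between connections deserve a closer look:
            # software calling home tends to be regular, people are not.
            "regular": len(gaps) >= 2 and max(gaps) - min(gaps) < 60,
        }
    return report


if __name__ == "__main__":
    for (src, dst, port), info in unknown_destinations(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}:{port} x{info['count']} "
              f"{info['first']}..{info['last']} regular={info['regular']}")
```

In practice the flow lines would come from a capture taken on the lab box while the XP machines run normally for the day; anything flagged is only a lead for the live and dead-box checks, not proof of infection.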