Re: [linux_forensics] hash compare question

  • Ken Pryor
    Message 1 of 20 , Feb 1, 2012
      Something else you might consider is making a time line of the suspect
      machine's file system using fls and MACtime from the Sleuthkit. You may
      also want to make use of Log2TimeLine to add data to your timeline.
      Timeline analysis can be quite useful when investigating possible
      intrusions.

      Ken Pryor

      On Sat, Jan 28, 2012 at 3:24 AM, Brad <bcddd214@...> wrote:

      > I have a drive that I need to look for signs of rdesktop installation and
      > removal. The computer was hacked and I am trying to figure out how and I am
      > sure rdesktop was used. My first assumption is to do a hash comparison to
      > the national software reference library but when you start googling around
      > for the tool and method to do this, there is not much there.
      > I need ideas and links!!!
      > Any assistance would be duly appreciated.


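Added example (editor's code, not Ken's and not part of The Sleuth Kit): a small Python reimplementation of what `fls -r -m /` writes and what `mactime -d` does with it, so the body-file fields and the MACB flags in a timeline row are visible. The body-file lines, paths, inodes, timestamps and the suspected-intrusion window are all constructed for this example.

```python
# Added example, not from the thread or from The Sleuth Kit: rebuild the
# fls body file -> mactime timeline step. Sample lines below are constructed.
from datetime import datetime, timezone

# TSK 3.x body-file layout written by `fls -r -m /`, one file per line:
#   MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODYFILE = """\
0|/Windows/System32/mstsc.exe|1001|r/rrwxrwxrwx|0|0|1130496|1327700100|1247549000|1247549000|1247549000
0|/Users/victim/AppData/Local/Temp/svchosts.exe|2002|r/rrwxrwxrwx|0|0|204800|1327700150|1327700120|1327700120|1327700120
0|/Users/victim/Documents/Default.rdp|2003|r/rrwxrwxrwx|0|0|2048|1327700300|1327700200|1327700200|1327700200
"""

# mactime flag order: m = mtime, a = atime, c = ctime (MFT entry changed), b = crtime (born)
FLAG_ORDER = "macb"


def parse_bodyfile(text):
    """Split body-file lines into dicts; lines without exactly 11 fields are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 11:
            continue
        _md5, name, inode, mode, _uid, _gid, size, atime, mtime, ctime, crtime = parts
        rows.append({
            "name": name, "inode": inode, "mode": mode, "size": int(size),
            "times": {"m": int(mtime), "a": int(atime), "c": int(ctime), "b": int(crtime)},
        })
    return rows


def build_timeline(rows):
    """One event per (file, distinct timestamp), flagged with which of m/a/c/b share it.
    Sorted by time then path, which is the order `mactime -d` prints."""
    events = []
    for row in rows:
        by_ts = {}
        for flag, ts in row["times"].items():
            if ts > 0:  # mactime drops zero timestamps
                by_ts.setdefault(ts, set()).add(flag)
        for ts, flags in by_ts.items():
            macb = "".join(f if f in flags else "." for f in FLAG_ORDER)
            events.append((ts, macb, row["size"], row["name"]))
    return sorted(events, key=lambda e: (e[0], e[3]))


def in_window(events, start, end):
    """Keep only events inside the suspected-intrusion window (inclusive epoch seconds)."""
    return [e for e in events if start <= e[0] <= end]


def fmt(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    # Assumed window: the days around when the intrusion was noticed (late January 2012).
    timeline = in_window(build_timeline(parse_bodyfile(SAMPLE_BODYFILE)), 1327700000, 1327701000)
    for ts, macb, size, name in timeline:
        print(f"{fmt(ts)}  {macb}  {size:>9}  {name}")
```

On a real case the input is the output of `fls -r -m / image.dd` over the forensic image; the point of the merged `macb` column is that a file whose m, c and b times all fall on one timestamp inside the window was created then, while an older binary with only `.a..` in the window was merely executed or read.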
    • Brad
      Message 2 of 20 , Feb 4, 2012
        You are correct about rdp, I had my verbiage incorrect.

        Hash comparison continued.......
        I have been looking everywhere for the tool to do this and nothing seems to be available.
        Note the diagram below:


        good      | hash
        norton    | AE094Htsmlo97&%ndgt
        MSword    | 00w$#@yhlo89751gbsY

        hacked    | hash
        norton    | AE094Htsmlo97&%ndgt
        MSword    | 12w$#@yhlo89751gbsY

        Notice the MSword hash value is off by the first 2 digits. If software is altered, this hash value changes, since it mathematically represents the active components behind the value.
        I have the 4 NSRL disk with all of the known good hash values.
        I have a drive that I stripped of md5 and sha using this:
        dcfldd if=/dev/sourcedrive hash=md5,sha256 hashwindow=10G md5log=md5.txt sha256log=sha256.txt hashconv=after bs=512 conv=noerror,sync split=10G splitformat=aa of=driveimage.dd
        from http://www.forensicswiki.org/wiki/Dcfldd and now I just need to run a comparison and find all of the 'msword hacked hash values'.

        Does this make sense? I can't believe nobody has done this...



        ________________________________
        From: "james.holley@..." <james.holley@...>
        To: linux_forensics@yahoogroups.com
        Sent: Sunday, January 29, 2012 12:56 PM
        Subject: Re: [linux_forensics] Re: hash compare question

        Brad said in one message:

        >> I have a drive that I need to look for signs of
        >> rdesktop installation and removal.

        and in another message:

        >> the 'suspect machine' is ntfs/win7

        I downloaded rdesktop and looked at the README - I found this:

        >>
        ==========================================
        rdesktop: A Remote Desktop Protocol client
        ==========================================

        rdesktop is an open source client for Microsoft's RDP protocol. It is
        known to work with Windows versions such as NT 4 Terminal Server,
        2000, XP, 2003, 2003 R2, Vista, 2008, 7, and 2008 R2. rdesktop
        currently implements the RDP version 4 and 5 protocols.

        Installation
        ------------
        rdesktop uses a GNU-style build procedure. Typically all that is necessary
        to install rdesktop is the following::

        % ./configure
        % make
        % make install

        The default is to install under /usr/local. This can be changed by adding
        --prefix=directory to the configure line.
        <<

        So it seems to me unlikely you will find evidence of rdesktop installation
        and removal from the MS Windows system. rdesktop is an RDP client that
        runs on Linux machines and is used to connect to Windows machines using MS
        Windows RDP.

        It seems what you should be looking for instead are indications of RDP
        connections to the MS Windows machine.

        I think your best option would be to download the source for rdesktop from
        Sourceforge (
        http://sourceforge.net/projects/rdesktop/files/rdesktop/1.7.1/rdesktop-1.7.1.tar.gz/download
        ), compile the package, install rdesktop on your Linux box, connect to a
        Windows machine, and then see what evidence is created of the RDP
        connection on the Windows machine. This might best help you see what to
        look for in the forensic image you have.

        Thank you,

        James

        James O. Holley | Executive Director | Advisory Services
        Ernst & Young LLP
      • Brad
        Message 3 of 20 , Feb 4, 2012
          Note:
          I know that EnCase has this feature, but EnCase is a $3500 program, and I could write the script in Perl, but it will take me all weekend (this might need to be the case anyway). It should be a simple Linux script (not winblows 4 million dollars in licensing crap with costly graphics). Winblows doesn't even know how to find everything.

          Quick sort, build array, find matching values and dump the rest. I need 'dump the rest' into a file.
          Has this tool been coded yet?
        • Brad
          Message 4 of 20 , Feb 5, 2012
            Well, I found the actual word for what I am trying to do.
            What is the Linux DeNISTing tool?
          • Brad
            Message 5 of 20 , Feb 6, 2012
              md5deep is the solution. I am dumping the hash values now and ready to compare using the same software.
              I knew there had to be this tool. I was sent to the correct page, but not the correct keyword. I hope this helps your archives.
            • Brad
              Message 6 of 20 , Feb 6, 2012
                 hashdeep -reb /mnt/drive2/ >/mnt/drive1/hash-dump4-wth-no-name-hashdeep.txt
                with /mnt/drive2 being my drive in question is a great way to strip all of the hashes and throw them into a file for comparison.
                BUT, I need to compare this data with the NSRL db disk of known hashes.
                All of it, the entire stripped file to be compared with the entire library.
                BUT, whenever I try and use the nsrl as the primary and not the stripped file hashdeep created, I get
                hashdeep: /mnt/drive1/tools/NSRL1/NSRLFile.txt: Unable to identify file format
                hashdeep: Unable to load any matching files.

                Is it supposed to accept the NSRL format?

                hashdeep -r -x -k /nsrl.txt /dir_drive/in-question > outputResults.txt   is what fails
                What am I doing wrong?
              • Jesse Kornblum
                Message 7 of 20 , Feb 6, 2012
                  Hi Brad,

                  Hashdeep does *not* support the NSRL. Only md5deep can read NSRL files.

                  On the other hand, there is a much easier way to use the NSRL for your
                  purposes. You can use nsrlquery and the Kyrus NSRL server to check
                  which hashes are, or are not, in the NSRL, like this:

                  md5deep -reb /mnt/drive2 | nsrllookup -s nsrl.kyr.us

                  The result will be only those hashes which are not in the NSRL.

                  You can get a copy of nsrllookup from http://nsrlquery.sf.net/.

                  --
                  Jesse Kornblum
                  jessekornblum@...
                • Brad
                  Message 8 of 20 , Feb 6, 2012
                    Wow, this list is slow. From the developer, the solution is nsrlsvr. The server will host the NSRL CDs and allow queries so folks don't have to do a 14hr++ query.

                    Come on folks, jump on the ball. Who is running this list? Mickey Mouse?

                  • Brad
                    Message 9 of 20 , Feb 6, 2012
                      Sir, your expedient reply was a blessing. Thank you!
                    • Ray Foo
                      Message 10 of 20 , Feb 9, 2012
                        Could you give a sample of the NSRL RDS data set? Have yet to try the tools
                        mentioned, but perhaps I/someone could help offhand, knowing the inputs
                        you're working with?

                        Ray.

                        On Saturday, January 28, 2012, Brad <bcddd214@...> wrote:
                        > Additional info I should have provided. I have downloaded the 4 cds from
                        the NSRL RDS (not too sure what to do with it) and ran a dd script from
                        http://www.forensicswiki.org/wiki/Dcfldd and just sitting here looking for
                        how to put it all together. I am not a puter or Linux novice, just looking
                        for some links.
                      • Robert J. Hansen
                        Message 11 of 20 , Feb 9, 2012
                          On 2/9/12 5:44 PM, Ray Foo wrote:
                          > Could you give a sample of the NSRL RDS data set? Have yet to try
                          > the tools mentioned, but perhaps I/someone could help offhand,
                          > knowing the inputs you're working with?

                          (ObDisclosure: I wrote the nsrlquery tools, which have been referred to
                          here.)

                          The NSRL RDS is pretty much useless by itself -- unless you've got a
                          version of Excel that supports importing a couple of gig of data in CSV
                          format. :) The minimal dataset is more manageable, although certain
                          repeated hashes are omitted: if the same ws2_32.dll appears in multiple
                          Windows releases, for instance, the minimal set will only list one entry.

                          The main file in the minimal RDS is 'NSRLFile.txt', which contains a
                          bunch of rows like:

                          "0020C58BFAC3AADC9964974AE1A8C286377D6C02",
                          "1879EF96CF2BD8AB24AE23720C900AC4",
                          "EA87865C",
                          "ted-nl_NL-2.14-193.x86_64.rpm",
                          1804310,
                          6769,
                          "Linux",
                          ""

                          (Broken up over multiple rows for clarity: in the file it's all one line.)

                          Each field represents, in order:

                          * The SHA-1 of the file
                          * The MD5 of the file
                          * The CRC32 of the file
                          * The name of the file
                          * The size of the file
                          * The product the file belongs to (which is itself a
                          foreign key referencing another table)
                          * The operating system the file belongs to
                          * And a special coding field which is almost always blank.

                          By cross-referencing, we can see the file ted-nl_NLso-and-so belongs to
                          SuSE Linux 9.2. Woot, go team us.

                          At present there aren't any really good free/open-source ways to get
                          detailed data from the NSRL RDS. nsrllookup is a useful tool but it
                          only reports whether a hash value is present, not detailed information
                          on what the hash corresponds to.

                          It's hard to make a single resource that balances everyone's needs.
                          People who run public nsrlsvrs want a system that will scale to large
                          numbers of queries, which means the entire thing more or less has to be
                          stored in RAM. That's kind of problematic for multi-gig datasets:
                          nsrlsvr cheats by only loading hashes, but even then it's a 700 MB
                          (minimum!) RAM footprint. And at the other extreme, you have people who
                          don't need support for high volume but who desperately need detailed
                          records, which more or less requires the data be stored in a SQL
                          database, which more or less kills high-volume queries.

                          tl;dr -- if you need NSRL RDS lookup tools, I'm here and I'm listening
                          intently. :)
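Added example (editor's code, not Brad's, not md5deep/hashdeep and not nsrlquery): the offline comparison Brad asks for in messages 2 and 6, done over the two file layouts this thread names, the NSRLFile.txt rows Robert Hansen describes above and the output of hashdeep (with its `%%%%` column header) or md5deep. Every hash, path, byte string, ProductCode and OpSystemCode below is constructed for the example, and the known-good set is two fake files rather than the RDS.

```python
# Added example, not from the thread or from md5deep/nsrlquery: drop every
# file whose MD5 appears in an NSRL RDS file, keep the rest for review.
import csv
import hashlib
import zlib
from io import StringIO

# Constructed "known" file contents standing in for catalogued releases.
KNOWN_GOOD = {
    "WINWORD.EXE": b"constructed sample: pristine word binary",
    "ws2_32.dll": b"constructed sample: pristine winsock dll",
}
TAMPERED_WINWORD = b"constructed sample: word binary with two bytes patched"
DROPPED_TOOL = b"constructed sample: unknown dropped executable"


def rds_row(name, data):
    """One NSRLFile.txt row in the layout Robert Hansen lists above.
    ProductCode 12345 and OpSystemCode 358 are placeholder values."""
    sha1 = hashlib.sha1(data).hexdigest().upper()
    md5 = hashlib.md5(data).hexdigest().upper()
    crc = f"{zlib.crc32(data) & 0xFFFFFFFF:08X}"
    return f'"{sha1}","{md5}","{crc}","{name}",{len(data)},12345,"358",""'


SAMPLE_NSRLFILE = "\n".join(
    ['"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"']
    + [rds_row(n, d) for n, d in KNOWN_GOOD.items()]
) + "\n"


def hashdeep_row(path, data):
    return f"{len(data)},{hashlib.md5(data).hexdigest()},{hashlib.sha256(data).hexdigest()},{path}"


# hashdeep's default output: a %%%% header naming the columns, ## comment lines, then CSV rows.
SAMPLE_HASHDEEP = "\n".join([
    "%%%% HASHDEEP-1.0",
    "%%%% size,md5,sha256,filename",
    "## Invoked from: /mnt/drive1",
    "## $ hashdeep -r /mnt/drive2",
    "##",
    hashdeep_row("/mnt/drive2/Program Files/Microsoft Office/WINWORD.EXE", TAMPERED_WINWORD),
    hashdeep_row("/mnt/drive2/Windows/System32/ws2_32.dll", KNOWN_GOOD["ws2_32.dll"]),
    hashdeep_row("/mnt/drive2/Users/victim/AppData/Local/Temp/a.exe", DROPPED_TOOL),
]) + "\n"

# md5deep's output: lowercase hash, two spaces, path.
SAMPLE_MD5DEEP = "\n".join([
    f"{hashlib.md5(KNOWN_GOOD['WINWORD.EXE']).hexdigest()}  /mnt/drive2/Backup/WINWORD.EXE",
    f"{hashlib.md5(DROPPED_TOOL).hexdigest()}  /mnt/drive2/Users/victim/AppData/Local/Temp/a.exe",
]) + "\n"


def load_nsrl_md5(text):
    """Return the MD5 column of NSRLFile.txt as lowercase hex. Only hashes are kept,
    which is all a present/absent check needs (nsrlsvr makes the same trade-off)."""
    hashes = set()
    for row in csv.reader(StringIO(text)):
        if len(row) < 2 or row[1].upper() == "MD5":
            continue  # header line or a row that is too short
        hashes.add(row[1].lower())
    return hashes


def parse_listing(text):
    """Return (md5, path) pairs from hashdeep output (column order taken from the
    %%%% header) or from md5deep output. Case is normalised so NSRL's upper-case MD5s match."""
    columns, records = None, []
    for line in text.splitlines():
        if not line.strip() or line.startswith("##"):
            continue
        if line.startswith("%%%% "):
            spec = line[5:]
            if "," in spec:
                columns = spec.split(",")
            continue
        if columns:
            fields = line.split(",", len(columns) - 1)  # filename is last and may contain commas
            rec = dict(zip(columns, fields))
            records.append((rec["md5"].lower(), rec["filename"]))
        else:
            md5, path = line.split(None, 1)
            records.append((md5.lower(), path))
    return records


def denist(nsrl_md5s, listing):
    """Drop every file whose MD5 is in the NSRL; what remains is the review set.
    A hit means 'known, catalogued release', not 'benign'; a miss means 'unknown', not 'malicious'."""
    return [(h, p) for h, p in listing if h not in nsrl_md5s]


if __name__ == "__main__":
    nsrl = load_nsrl_md5(SAMPLE_NSRLFILE)
    for md5, path in denist(nsrl, parse_listing(SAMPLE_HASHDEEP)):
        print(md5, path)
```

The two-digit difference in Brad's diagram falls out directly: the patched WINWORD.EXE and the dropped a.exe survive the filter, the untouched ws2_32.dll does not. Note also that the NSRL stores MD5 upper-case while md5deep and hashdeep print lower-case, so a naive string comparison matches nothing; that is why both readers lower-case the hash. Loading the full RDS this way takes a multi-gigabyte file into a Python set, which is the RAM problem Robert describes for nsrlsvr.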