Compatibilities with other Forensic Tools

iruiper
(@iruiper)
Posts: 145
Estimable Member
Topic starter
 

Hello people,

Since I began working in the Forensic Computers world, my only experience is about EnCase, but I have read quite a lot about the existence of dd, netcat and stuff.

Is it possible to combine the use of these tools? I mean, can I run a netcat between two Windows PCs by booting them up with Knoppix or something like that? I'd like someone to "introduce" me to this Linux-Windows forensic integration.

 
Posted : 27/03/2006 5:26 pm
(@farmerdude)
Posts: 242
Estimable Member
 

Absolutely, and recommended! In my trainings people start to realize that they'll learn more about file systems, hardware, operating systems and design by learning Linux. MS Windows obfuscates this to a large degree (this is *not* a Win32 knock!). Use whichever you feel comfy with, but be aware that you *may* learn more details by getting under the hood, and Linux allows for getting under the hood a lot easier than Win32.

You could use two Linux boot CDs, or the cygwin utilities in Win32, etc. I don't recommend KNOPPIX for data forensics, though.

cheers!

farmerdude

 
Posted : 27/03/2006 8:21 pm
(@awesomemachine)
Posts: 7
Active Member
 

I know there are a lot of forensic utilities that run under MS Windows. Some of them are quite good. But there are certain things that cannot be done with MS Windows programs. Depending on your emphasis, you may choose to use the "helix" CD http://www.efense.com/helix which is chock full of utilities to do a complete forensic analysis. Linux is one of those things you won't appreciate until you learn it. The flexibility and power are incredible. Here's an example:

Boot the suspect and forensic workstation with the helix CD. Launch a shell, and on the forensic machine:

    # listen on TCP port 1034 and write whatever arrives into the image file
    nc -l -p 1034 | dcfldd of=/directoryfordriveimage/driveimagefilename conv=noerror

On the suspect machine (example values: /dev/sda2 is the partition to image, 192.168.8.123 is the forensic machine receiving the image, 1034 is the TCP port):

    # read the partition in 4k blocks and stream it to the forensic machine
    dcfldd if=/dev/sda2 ibs=4k | nc 192.168.8.123 1034

There is a progress monitor so you can time Starbucks runs.

There is also an excellent utility called autopsy. This is a very powerful tool. You should really give helix a try. It's free. There is one thing about helix. There is no facility to read within an HPA. However, there is a tool to remove any HPA, but you need to know the MNA for the suspect drive.

One of the best threads on the Linux dd command:

http://www.linuxquestions.org/questions/showthread.php?p=1848006#post1848006

 
Posted : 06/04/2006 11:20 am
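An added example (not code from the thread, from Helix or from dcfldd) that models the `dcfldd | nc` pipeline quoted in the post above, run over loopback on a constructed in-memory "drive". It makes explicit two things the one-liners leave implicit: what `conv=noerror,sync` does on the side that reads the disk (an unreadable block is replaced by zeros so every later byte keeps its offset; in the post that option sits on the receiving side, where it has no bad sectors to act on), and that a hash taken independently at each end lets the receiver confirm the image matches what was read (dcfldd offers this with its `hash=` option). The device contents, the bad block, the loopback address and the ephemeral port are all constructed; the function names are the example's own.

```python
"""Added example, not code from the thread or from Helix/dcfldd: a model of
the 'dcfldd | nc' acquisition pipeline run over loopback on a constructed
in-memory "drive". Shows conv=noerror,sync semantics on the reading side and
an independent hash at each end. No real device, host or port is used."""

import hashlib
import io
import socket
import threading

BLOCK = 4096  # mirrors ibs=4k in the thread


class FlakyDevice:
    """Constructed stand-in for /dev/sda2: a byte buffer in which the listed
    block numbers raise an I/O error when read, like bad sectors would."""

    def __init__(self, data, bad_blocks=()):
        self.data = data
        self.bad = set(bad_blocks)
        self.nblocks = -(-len(data) // BLOCK)  # ceiling division

    def read_block(self, idx):
        if idx in self.bad:
            raise OSError(f"simulated read error at block {idx}")
        return self.data[idx * BLOCK:(idx + 1) * BLOCK]


def acquire(dev, sink):
    """Suspect-machine side ('dcfldd if=... | nc HOST PORT').
    Reads block by block; an unreadable block is zero-filled and a short
    final block is padded (conv=noerror,sync semantics); hashes the bytes
    actually sent. Returns (sha256 hex, number of read errors)."""
    h = hashlib.sha256()
    errors = 0
    for idx in range(dev.nblocks):
        try:
            chunk = dev.read_block(idx)
        except OSError:
            errors += 1
            chunk = b"\x00" * BLOCK  # noerror: keep going, offsets preserved
        chunk = chunk.ljust(BLOCK, b"\x00")  # sync: pad a short last block
        sink.sendall(chunk)
        h.update(chunk)
    return h.hexdigest(), errors


def receive(conn, out):
    """Forensic-machine side ('nc -l -p PORT | dcfldd of=FILE').
    Writes everything that arrives until EOF and hashes it independently.
    Returns (sha256 hex, bytes written)."""
    h = hashlib.sha256()
    total = 0
    while True:
        chunk = conn.recv(65536)
        if not chunk:
            break
        out.write(chunk)
        h.update(chunk)
        total += len(chunk)
    return h.hexdigest(), total


def image_over_tcp(dev):
    """Run both ends over 127.0.0.1 on an ephemeral port and compare hashes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    out = io.BytesIO()
    result = {}

    def listener():
        conn, _ = srv.accept()
        with conn:
            result["recv"] = receive(conn, out)

    t = threading.Thread(target=listener)
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as s:
        result["send"] = acquire(dev, s)
        s.shutdown(socket.SHUT_WR)  # EOF tells the receiver the image is complete
    t.join()
    srv.close()
    src_hash, errors = result["send"]
    img_hash, nbytes = result["recv"]
    return {
        "image": out.getvalue(),
        "source_sha256": src_hash,
        "image_sha256": img_hash,
        "bytes": nbytes,
        "read_errors": errors,
        "verified": src_hash == img_hash,
    }


# Constructed sample "partition": ten full blocks plus a 100-byte tail, with
# block 3 marked unreadable.
SAMPLE = bytes(range(256)) * (BLOCK * 10 // 256) + b"T" * 100
SAMPLE_DEVICE = FlakyDevice(SAMPLE, bad_blocks={3})

if __name__ == "__main__":
    r = image_over_tcp(SAMPLE_DEVICE)
    print(f"{r['bytes']} bytes, {r['read_errors']} read error(s), "
          f"verified={r['verified']}, sha256={r['image_sha256']}")
```

The receiver only learns that it has a complete, uncorrupted copy of what the sender read; it cannot tell a zero-filled bad block from a genuinely empty one, which is why the sender's error count (dcfldd's own log) belongs in the acquisition notes next to the hash.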
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

A couple of comments, just for discussion…

First, I think that many times, "analysis" is confused with "collection". Tools like Helix do provide quite a few tools, but the question becomes…how much "analysis" do these tools do? On the Windows side, specifically, there are some good tools…but they are used to perform data collection - it's still up to the analyst to handle the "analysis" portion themselves.

Linux is definitely very good for providing a learning facility, but IMHO, that has to do with two specific things…first, Linux is open source. Second, there's a lot more work that's been done with Linux, *BSD, etc. However, as people start to work more with Windows, it will become more transparent as a learning/educational platform, as well.

After all, one of the things I like about Windows is that there are so many different formats to work with. Beyond the file system, for example, there are the various binary file formats, to include LNK files, the Registry, Office documents, etc. These different file formats provide a lot of hiding places, as well.

Harlan

 
Posted : 13/04/2006 3:55 pm