February, 2007

Universal Extractor

by Nikhil Wagholikar, NII Consulting

1. Need

Many a time during a forensics investigation or reverse engineering, we come across the need to check or extract the contents of an executable file. If the executable file is in human-readable format (e.g. a UNIX file having permissions -rwxr-xr-x), then the investigator’s life is quite simple, since such files can easily be opened in Unix built-in editors like “vi” or “emacs”, or even in the default MS Windows editor “Notepad”. However, this is not the case every time. Investigators or researchers may also come across various MS Windows “.exe”, “.dll” or “.msi” files, Red Hat Linux “.rpm” files, or the very common “.zip”, “.rar”, “.bin”, “.cue” or “.uha” files in the course of their work.

Read the full article »

December, 2006

Data Carving Issues

by Chetan Gupta, NII Consulting

Many a time as an investigator, I have to deal with the issue of carving data from unallocated space in a partition. There are many commercial data carving tools such as EnCase, WinHex, AccessData FTK, DataLifter and ILook Investigator. Well, I have tried most of these and must say most of them have their share of pros and cons.

Read the full article »

July, 2006

LINReS - An open source Linux Incident Response Tool!

By Chetan Gupta, NII Consulting

In accordance with NII’s mantra of innovation and research, we have developed our own tool to conduct initial response on compromised Linux systems. This tool is appropriately titled LINReS, which stands for “Linux INcident Response Script”.
LINReS is a live response script designed to run on suspect or compromised Linux systems. It consists mostly of statically compiled binaries and includes the shared libraries that may be required to run the few binaries that are not statically compiled. All in all, the tool uses no binary from the compromised system, which mitigates the risk of collecting information on a trojaned system.

Read the full article »

July, 2006

Rainbow Tables Simplified (Password Cracking for Windows)

By Bhushan Shah, NII Consulting

Windows passwords are stored in the registry (encrypted) in the form of a hash. LMHash was the first hash function used by Microsoft to protect passwords. Eventually, when security issues surfaced (LMHash is quite insecure), Microsoft had to come up with NTLM, and most recently NTLM version 2.

A hash function is a way of creating a small digital “fingerprint” from any kind of data. The function chops and mixes the data to create the fingerprint, often called a hash value.

The LMHash (LM hash or LAN Manager hash) is one of the formats that Microsoft LAN Manager and Microsoft Windows use to store Windows user passwords that are less than 15 characters long.

Read the full article »

July, 2006

The top 100 security tools

Penetration Testing

Fyodor’s back with his top 100 security tools for 2006.

One of the most significant, but not surprising, entries is that of the Metasploit Framework at #5 on the list. Since the launch of the 2.0 series, Metasploit has become one of the most popular security tools out there. The 3.0 series is a completely overhauled and very powerful piece of software. Rewritten in Ruby and with extensive APIs, it is no longer simply a platform to develop and test exploits; it is now a platform to develop advanced security tools. Check out some cool features such as the recon modules and the sophisticated IDS/IPS evasion techniques. You can download the alpha version of the 3.0 series here.

June, 2006

Timestomp.exe

By Chetan Gupta, NII Consulting

A supposedly nightmarish tool for the investigator community! This tool was recently released at the Metasploit anti-forensics site and is available here.
As the website mentions, this tool can be a headache for any forensic investigator and a handy tool for any mischievous user, since it has the ability to change all four NTFS timestamps; not only that, it has an option to change the timestamps in such a way that EnCase shows blanks.

Read the full article »

June, 2006

Amazing Tasklist Utility!

by Chetan Gupta, NII Consulting

I was looking for a utility which allows me to remotely access the list of running processes on a suspect machine running Windows. I found this wonderful utility which allows one not only to view the processes and their PIDs but also to filter the processes according to certain criteria such as username, memory usage, loaded modules, services, status of the services and even window title!

Read the full article »

May, 2006

XP Built-in monitoring feature

by Chetan Gupta, NII Consulting

Windows XP has a built-in feature, UserAssist, that acts as a monitoring tool and greatly aids the forensic investigation of Windows operating systems. UserAssist records user access to specific objects on the system, such as executables, Control Panel applets, shortcut files, etc. This is stored in the registry under the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

Read the full article »