
eSafeInfo

  • Linux Live CD Distributions for Forensics Investigation

    December 17th, 2012

    While preparing course material for one of my digital forensics training programs, I thought it would be a good idea to write a post about the bootable Live CDs available to digital forensic investigators. These Live CDs ship with a set of forensic tools and can either be run against a running suspect system or used to boot the suspect system itself. I have listed only well-known Live CDs that are widely used.

    SIFT (SANS Investigative Forensic Toolkit) Workstation is my favorite one. It was created by Rob Lee at the SANS Institute on top of Ubuntu and comes pre-configured with several digital forensic examination tools. Its current version is 2.14 and it is available to download at no charge in two flavors: a VMware appliance and an installation DVD (.iso file).

    Helix3 is another well-known Linux distribution built on top of Ubuntu that focuses on incident response and computer forensics. It is developed by e-fense. The most recent release of Helix3 is 2009R1 and can be downloaded from the e-fense store. In 2009 e-fense announced that Helix3 would no longer be free to download and that there is no plan to update the free version. The paid version is called Helix3 Pro; its latest version is 2009R3, released in December 2009. At this time, e-fense is no longer planning to develop Helix3 Pro further. Although the tool has not been updated for a long time, it is still widely used by digital forensic practitioners. While it can be used as a bootable Live CD, it also provides a collection of executables that can be run on a live system.

    CAINE (Computer Aided Investigative Environment) is another forensics distro based on Ubuntu, similar to Helix3 in functionality and environment. CAINE is developed by Tony Brijeski and provides a friendly Windows autorun GUI and a number of analysis tools. The ISO image of the current version is available for free download at cain3.0.

    DEFT (Digital Evidence & Forensic Toolkit) is based on Linux kernel 3 and the DART (Digital Advanced Response Toolkit). It is developed and maintained by an Italian team and distributed both as an .iso file and as a virtual appliance configuration. The current version, distributed free of charge, is 7.2. DEFT includes the best up-to-date forensic-specific tools for imaging, processing, and/or analyzing cases.

    Raptor is another forensics bootable CD, from Forward Discovery. It is based on the Ubuntu distro and the latest free version of Raptor is 2.5. It is also available for sale as a pre-installed USB device.

    BackTrack is a well-known, full-fledged penetration testing Linux distro that can be utilized for forensics purposes as well. It is based on Ubuntu Lucid and you can download either the GNOME or the KDE edition. BackTrack is forensically sound when it boots up in “Start BackTrack Forensics” mode: the file systems are not mounted and swap space is not used.

  • CSIRT/CIRT/CERT

    March 11th, 2012

    Gartner has recently published a very informative and concise (but complete) guideline which explains how to create an effective computer security incident response team. Please take a look.

    Seven Steps to Creating an Effective Computer Security Incident Response Team (CSIRT) by Rob McMillan & Andrew Walls, January 11, 2012. link

  • Is Apple Snooping on You?

    April 21st, 2011

    Yesterday at Where 2.0 in Santa Clara, Alasdair Allan and Pete Warden revealed some disturbing news about the iPhone and iPad. According to Alasdair Allan’s article, 3G-capable iPads and iPhones have been storing location data in a secret file since the arrival of iOS 4. This data is unencrypted, and it is even backed up, restored, and migrated by iTunes.

    The iPhone and iPad devices appear to record longitude-latitude coordinates, together with timestamps, in a file called “consolidated.db,” which is also stored on any computer you sync your device to. The researchers say that the location information is based on cell-phone tower triangulation, not GPS, so turning off your GPS does not protect you from this privacy breach. Accessing this data on the device itself requires an easy jailbreak, but you can get the information even more easily from your computer. Pete Warden published an open source application that can be used to analyze this data on your computer easily.

    Enjoy watching the iPhone Tracking Discussion below, in which Pete Warden and Alasdair Allan talk about how they discovered the existence of the tracking database on the iPhone and iPad:
    httpv://www.youtube.com/watch?v=GynEFV4hsA0
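    To show what an investigator (or anyone holding a copy of the synced file) can pull out of such an unencrypted location log, here is an added Python example that is not part of the original post or of Pete Warden’s tool. It builds a constructed SQLite file with an assumed table layout modelled on the cell-tower records described above (the real consolidated.db schema is not given on this page) and turns it into a chronological timeline; the timestamp conversion assumes Apple’s convention of seconds since 2001-01-01 UTC.

```python
"""Build a timeline from a consolidated.db-style SQLite location log.

Added example, not from the original post. The CellLocation table and
its columns are ASSUMED for illustration; they are not the real schema.
"""
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Apple stores these timestamps as seconds since 2001-01-01 00:00:00 UTC
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Constructed sample rows: MCC, MNC, LAC, CI, timestamp, lat, lon, accuracy (m)
SAMPLE_ROWS = [
    (310, 410, 1234, 56789, 324000000.0, 37.3541, -121.9552, 500.0),
    (310, 410, 1234, 56790, 323990000.0, 37.3310, -121.8900, 750.0),
    (310, 410, 1235, 56791, 324005000.0, 37.4419, -122.1430, 1000.0),
]


def build_sample_db(path):
    """Create the constructed database with the assumed CellLocation table."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE CellLocation (MCC INT, MNC INT, LAC INT, CI INT, "
                "Timestamp REAL, Latitude REAL, Longitude REAL, HorizontalAccuracy REAL)")
    con.executemany("INSERT INTO CellLocation VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    con.commit()
    con.close()


def apple_time_to_iso(seconds):
    """Convert an Apple-epoch timestamp to an ISO 8601 UTC string."""
    return (APPLE_EPOCH + timedelta(seconds=seconds)).isoformat()


def extract_timeline(path):
    """Return the fixes oldest-first. The file is unencrypted, so plain
    sqlite3 reads it: no key, no jailbreak, just access to the synced copy."""
    con = sqlite3.connect(path)
    rows = con.execute("SELECT Timestamp, Latitude, Longitude, HorizontalAccuracy "
                       "FROM CellLocation ORDER BY Timestamp").fetchall()
    con.close()
    return [{"time": apple_time_to_iso(t), "lat": lat, "lon": lon, "accuracy_m": acc}
            for t, lat, lon, acc in rows]


def run_demo():
    """Build the constructed database in a temp dir and return its timeline."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "consolidated.db")
        build_sample_db(path)
        return extract_timeline(path)


if __name__ == "__main__":
    for fix in run_demo():
        print(fix)
```

Each row of the output is one cell-tower fix with a human-readable time, which is exactly the movement history the post warns is sitting on the synced computer.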

  • IT Security Predictions for 2011

    December 25th, 2010

    Stephen Northcutt, president of The SANS Technology Institute, recently published a forecast of emerging threats for 2011 and 2012. You can find a couple of interesting points in this prediction. In summary, because of the pervasive use of computing devices, IT security incidents will become more serious and harmful; they may even affect human health and life, which is why digital forensics is going to be one of the most important skills. Read the full text here.

    Dr. Eric Cole also has summarized the 2010 emerging threats. Read more …

  • A Bing Dork!

    June 24th, 2010

    Google dorks have been around for a while. They are a list of search phrases that can be used in Google to pull information out of vulnerable web pages and unsecured networks, information that should definitely not be publicly available on the internet.
    This week Sean Arries mentioned a Bing dork in his talk at the EC-Council. I never knew that Bing has an interesting operator. It can help you find the different domains that are hosted on a given IP. First, get the IP address of a domain, e.g. by using the Ping command, then copy the IP address into Bing and precede it with “ip:”. The search result will show you the other domains hosted on the same server. From a hacker’s point of view, these domains may share common weaknesses and vulnerabilities.

  • Cold Boot Attack!

    May 31st, 2010

    “DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard”.

    httpv://www.youtube.com/watch?v=JDaicPIgn9U

    Source: Center for Information Technology Policy, Princeton University

  • Hard Disk Shredder!

    May 30th, 2010

    Following on from the previous post, I was thinking about how a hard disk could be destroyed. In the following video, hard drives are being shredded with an industrial shredder. It seems there is no better way to destroy hard drives than this, but I read in some articles that the type of HD shredder in this video is considered inferior because these machines only chew up the drives instead of grinding them to dust, and those little bits at the end of the video can be reassembled!
    httpv://www.youtube.com/watch?v=sQYPCPB1g3o

  • Security Risk of Copy Machines

    May 29th, 2010

    Next time you need to make a copy, think about the information you’re about to reveal! The following clip of a CBS News segment highlights some of the digital security issues affecting the information you’re about to copy. I believe the copier industry needs to ensure their customers know how to destroy the information stored on their copy machines. I wonder why they do not store the files in volatile storage, where the data is lost when the machine is turned off. By the way, I do not agree that “60% of Americans don’t know copiers store images on a hard drive”; I think it is near 100%. Check it out.

    httpv://www.youtube.com/watch?v=HCEjcGJhiKw

  • Hello IT Security World!

    May 29th, 2010

    Welcome to my blog. This is my first post.
