Saturday, April 5, 2008

Helix and corporate forensics


A rootkit gives attackers full access to the system (hence the term 'root') and typically hides the files, folders, registry edits, and other components it uses. In addition to hiding itself, a rootkit typically hides the other malicious files it is bundled with. The ubiquitous Storm worm is one example of rootkit-enabled malware, although not all Storm Trojans are rootkit-enabled. Typically, rootkits obscure their presence on the system by subverting or evading the operating system's standard security mechanisms.
Protected Storage Explorer is a powerful tool that allows you to view all sorts of saved data from the Protected Storage Service, including passwords for e-mail accounts in Microsoft Outlook, Microsoft Outlook Express and MSN Messenger, saved Internet Explorer form data (phone numbers, credit card numbers, web email, search engine queries…), user names and passwords on Web pages, and cached logon credentials of sites that require authentication (including FTP sites).


Network Password Viewer is another way to recover:
• Login passwords of remote computers on your LAN.
• Passwords of mail accounts on an Exchange server (stored by Outlook 2003).
• The password of an MSN Messenger account.

PyFlag has a great GUI which allows quick navigation of the results of forensic analysis. However, any forensic practitioner knows that forensics is a slow process, on any hardware. With typical hard disk image sizes increasing exponentially, many forensic investigations do take a long time to proceed. Users of PyFlag may have noticed that PyFlag caches the results of analysis, so it only needs to perform the analysis once. Subsequent navigation of reports loads the cached version making the navigation phase very quick.
One of the strengths of PyFlag is that the user interface (the UI) is abstracted from the program. In other words, how the user interacts with the software can be changed without altering the main body of code very much. This opens the door to a variety of different GUI options.
The command line interface (CLI) has been a central concept in Unix for decades. Although most new users fear the CLI, claiming it is less intuitive and more difficult to use than a GUI, the CLI has stuck around and is not going anywhere. The reason is that the CLI is more powerful in certain circumstances, and it allows batching and scripting. PyFlag lets users use either interface interchangeably, so users who are not comfortable with the CLI can still use the GUI.
In the most basic sense, the dd command is used for copying in the UNIX environment. For simplicity, we will take 'copy' to mean 'duplicate exactly'. In the forensics arena, dd is used to make a physical (bit-for-bit) backup of the evidence; it can be thought of as a tool in the sense that using it is a means of building an evidence file. Other tools can be used to make a physical backup, such as EnCase and SafeBack. What is special about dd is that it has flags that make it suitable for copying block-oriented devices, such as tapes, and it can address those block devices sequentially.
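The two properties that make dd usable for evidence acquisition are that it copies block by block in order, and that with `conv=noerror,sync` an unreadable block is zero-filled rather than dropped, so every later offset in the image still matches the device. The following added example (not code from the original post or from Helix) shows those semantics in Python on a constructed four-sector "device" whose third sector fails to read, and adds the hash verification step an examiner performs after imaging. The `demo_reader` device and its sector contents are made up for the illustration.

```python
import hashlib
from typing import Callable, List, Tuple

SECTOR = 512  # dd's default block size: one disk sector


def image_device(read_block: Callable[[int], bytes], n_blocks: int,
                 block_size: int = SECTOR) -> Tuple[bytes, List[int], str]:
    """Copy n_blocks sequentially from a block device into an in-memory image.

    Mirrors `dd conv=noerror,sync`: a block that fails to read is not skipped
    (that would shift every later offset) but replaced by block_size NUL bytes,
    and its index is recorded so the acquisition report can list unreadable sectors.
    Returns (image, unreadable_block_indexes, sha256_of_image).
    """
    image = bytearray()
    unreadable: List[int] = []
    for index in range(n_blocks):
        try:
            chunk = read_block(index)
        except OSError:          # the device reported an I/O error for this block
            chunk = b""
            unreadable.append(index)
        # `sync`: pad short or failed reads with NULs so the image stays device-sized
        image += chunk[:block_size].ljust(block_size, b"\0")
    return bytes(image), unreadable, hashlib.sha256(image).hexdigest()


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Re-hash the evidence file and compare with the digest recorded at acquisition."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


# --- constructed sample "device": four sectors, the third of which is unreadable ---
GOOD_SECTORS = {
    0: b"MBR".ljust(SECTOR, b"\x55"),
    1: b"partition table".ljust(SECTOR, b"\xAA"),
    3: b"user data".ljust(SECTOR, b"\x33"),
}


def demo_reader(index: int) -> bytes:
    """Pretend to read one sector; sector 2 raises the error a failing disk would."""
    if index not in GOOD_SECTORS:
        raise OSError(5, "Input/output error")
    return GOOD_SECTORS[index]


def acquire_demo() -> Tuple[bytes, List[int], str]:
    """Image the constructed device the way `dd conv=noerror,sync` would."""
    return image_device(demo_reader, n_blocks=4)


if __name__ == "__main__":
    img, bad, digest = acquire_demo()
    print(f"image size {len(img)} bytes, unreadable blocks {bad}, sha256 {digest}")
    print("verification:", "OK" if verify_image(img, digest) else "MISMATCH")
```

The zero-filled block is the reason an image of a damaged disk hashes differently from the disk itself; the list of unreadable block indexes is what goes into the acquisition notes so that difference can be explained later.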

Netcat is a featured networking utility which reads and writes data across network connections using the TCP/IP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.
Features of NetCat:
• Outbound and inbound connections, TCP or UDP, to or from any ports.
• Featured tunneling mode, which also allows special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel).
• Built-in port-scanning capabilities, with randomizer.
• Full DNS forward/reverse checking, with appropriate warnings.

The Sleuth Kit is the best-known open source software package for computer forensics; Autopsy provides a web-based, graphical front end to The Sleuth Kit and integrated support for other security and consistency-checking software. The Sleuth Kit (TSK) is based on an earlier collection of forensics tools known as The Coroner's Toolkit (TCT). One huge advantage of The Sleuth Kit is its independence from the analysis platform.

The FAT file system is named for the File Allocation Table (FAT) that it maintains as a map of the clusters (the basic units of logical storage) in which a file has been stored. A new file is typically stored in one or more clusters, which are not necessarily next to each other. Typical cluster sizes are 2,048, 4,096, or 8,192 bytes. The Windows operating system creates a FAT entry for the new file, recording where each cluster is located and their sequential order. When a file is read, Windows reassembles it from the clusters and presents it as a whole file where it can be read.
When a file is deleted on a FAT file system, its directory entry remains stored on the disk; only the first character of its name is overwritten with a marker that flags the entry as available for reuse by files created thereafter. The rest of its name, its time stamp, file length and, most importantly, its starting location on the disk remain unchanged in the directory entry (in the root directory or a subdirectory, the latter carrying the . and .. entries in FAT16 and FAT32). The list of clusters occupied by the file, however, is erased from the File Allocation Table, marking those clusters available for use by other files created or modified thereafter.
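Because the directory entry survives deletion, a recovery tool such as fatback only has to walk the raw directory, pick out entries whose first name byte is the deletion marker (0xE5), and read the size and starting cluster that are still there; what it cannot recover is the cluster chain, which lived only in the FAT, so it has to assume the file was contiguous. The following added example (not part of the original post or of any Helix tool) parses 32-byte FAT directory entries to that end. The `SAMPLE_DIRECTORY` bytes, including the file names and the 2008-04-05 timestamp, are constructed for the illustration.

```python
import struct
from dataclasses import dataclass
from typing import List

ENTRY_SIZE = 32
DELETED_MARKER = 0xE5    # first name byte of a deleted entry
END_OF_DIRECTORY = 0x00  # first name byte 0x00: this entry and all after it were never used
ATTR_LONG_NAME = 0x0F    # VFAT long-file-name piece, not a file of its own


@dataclass
class DirEntry:
    name: str           # 8.3 name; a deleted entry's first character is lost, shown as '?'
    deleted: bool
    size: int           # bytes
    first_cluster: int  # starting cluster; the rest of the chain lived only in the FAT
    modified: str       # last-write timestamp, "YYYY-MM-DD HH:MM:SS"


def decode_dos_datetime(date_raw: int, time_raw: int) -> str:
    """DOS packs dates as year-1980/month/day (7/4/5 bits) and times as hour/min/sec/2 (5/6/5 bits)."""
    year, month, day = 1980 + (date_raw >> 9), (date_raw >> 5) & 0x0F, date_raw & 0x1F
    hour, minute, second = time_raw >> 11, (time_raw >> 5) & 0x3F, (time_raw & 0x1F) * 2
    return f"{year:04d}-{month:02d}-{day:02d} {hour:02d}:{minute:02d}:{second:02d}"


def parse_directory(raw: bytes) -> List[DirEntry]:
    """Walk a raw FAT directory (root or subdirectory) and return live and deleted entries."""
    entries: List[DirEntry] = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = raw[off:off + ENTRY_SIZE]
        if e[0] == END_OF_DIRECTORY:
            break
        if e[11] == ATTR_LONG_NAME:
            continue
        deleted = e[0] == DELETED_MARKER
        base = (b"?" + e[1:8]) if deleted else e[0:8]
        name = base.decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        # offsets 20/26 hold the high/low 16 bits of the first cluster (high word is 0 on FAT12/16),
        # 22/24 the last-write time and date, 28 the file size
        cluster_hi, time_raw, date_raw, cluster_lo, size = struct.unpack_from("<HHHHI", e, 20)
        entries.append(DirEntry(f"{name}.{ext}" if ext else name, deleted, size,
                                (cluster_hi << 16) | cluster_lo,
                                decode_dos_datetime(date_raw, time_raw)))
    return entries


def deleted_entries(raw: bytes) -> List[DirEntry]:
    return [e for e in parse_directory(raw) if e.deleted]


def recovery_plan(entry: DirEntry, cluster_size: int) -> List[int]:
    """Clusters to carve, assuming the file was contiguous: the only assumption a recovery
    tool can make once the chain has been cleared from the FAT."""
    n_clusters = -(-entry.size // cluster_size)  # ceiling division
    return list(range(entry.first_cluster, entry.first_cluster + n_clusters))


# --- constructed sample directory: a live file, a long-name piece, a deleted file, end marker ---
def _entry(name8: bytes, ext3: bytes, cluster: int, size: int, date_raw: int, time_raw: int,
           deleted: bool = False) -> bytes:
    raw_name = name8.ljust(8) + ext3.ljust(3)
    if deleted:
        raw_name = bytes([DELETED_MARKER]) + raw_name[1:]
    return struct.pack("<11sB8xHHHHI", raw_name, 0x20, cluster >> 16, time_raw, date_raw,
                       cluster & 0xFFFF, size)


DATE_2008_04_05 = (28 << 9) | (4 << 5) | 5
TIME_13_30_00 = (13 << 11) | (30 << 5)
LONG_NAME_PIECE = bytes([0x41]) + bytes(10) + bytes([ATTR_LONG_NAME]) + bytes(20)

SAMPLE_DIRECTORY = (
    _entry(b"REPORT", b"TXT", 5, 1234, DATE_2008_04_05, TIME_13_30_00)
    + LONG_NAME_PIECE
    + _entry(b"SECRET", b"DOC", 9, 4096, DATE_2008_04_05, TIME_13_30_00, deleted=True)
    + bytes(ENTRY_SIZE)  # 0x00 first byte: end of used entries
    + _entry(b"GHOST", b"BIN", 40, 1, DATE_2008_04_05, TIME_13_30_00)  # past the end marker, ignored
)

if __name__ == "__main__":
    for d in deleted_entries(SAMPLE_DIRECTORY):
        print(d, "clusters to carve:", recovery_plan(d, 2048))
```

The contiguity assumption in `recovery_plan` is why a recovered file can come back partly filled with another file's data: if the clusters after the first one were reallocated, or the file was fragmented when written, the entry gives no way to tell.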

Tools useful in investigating a file system:
• Autopsy: The Autopsy Forensic Browser is a graphical interface to the command line digital investigation tools in The Sleuth Kit. Together, they allow you to investigate the file system and volumes of a computer.
• Scalpel: A digital forensics tool used for carving data from image files based upon the configuration file requirements. This program replaces foremost.
• Sleuthkit: The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems, and TSK supports FAT, Ext2/3, NTFS, UFS, and ISO 9660 file systems.
• ssdeep: Computes a checksum based on context triggered piecewise hashes for each input file. If requested, the program matches those checksums against a file of known checksums and reports any possible matches. Output is written to standard out and errors to standard error. Input from standard input is not supported.
• fatback: A program used to recover deleted files from a FAT file system.



References:

http://downloads.cs.txstate.edu/instructor/davis/forensics/Helix-for-Beginners.pdf
http://www.e-fense.com/helix/docs.php
http://www.sleuthkit.org/
