Network and disk forensics

Earlier this week I was a guest lecturer at BCIT, in which I did my presentation on doing a forensic analysis of of a compromised Linux hard drive. I used the same slide deck that I used to present at FVLUG and SFU, but used a different live demo, actually showing an attack to insert a script into cron that emailed the passwd file. Although the slide deck on its own isn't the most useful, for those students that were there, this will be a great help to merge with the notes they took during the demo.

One of the questions brought up was if this technique could be used on Windows hard disks. Yes it can, but you need to use some of the other tools in sleuthkit. As long as you have a valid dd image, you should be ok.

While looking for some other NTFS toolkits, I found a new one I never tried before called FLAG, which stands for "Forensic and Log Analysis GUI". This has some potential for those people that wish to analyze an NTFS system on a Linux forensic machine. There is even a screenshot of FLAG browsing through the registry offline, as well as another one reconstructing jpegs from a dd image on the fly.

When I have some time I am going to see about cranking out something similar in .NET for Windows. FLAG looks kewl, but to be honest I would like to see something like this for information professionals who use Windows but cannot afford tools like EnCase, Forensic Toolkit, iLook etc or dedicated forensics machine like those from DIBS USA or Digital Intelligence.

Course, I rarely have that kind of time, so that might not get very far. Maybe if I just ported grave-robber, ils, ils2mac and mactime that would go a far ways to letting people do work on Windows. Who knows.

Anyways, if you got a few moments, and are into digital forensics give FLAG a try. You can get the Knoppix-enabled ISO here (MD5 Checksum) from the Australian Department of Defense.