Cyber Forensics Tools

2014-03-31

The following is a list of tools I’ve put together for use with cyber forensics.

  1. Wireshark
    • Description: Wireshark is the world’s foremost network protocol analyzer. It lets you see what’s happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions.
    • Review: Wireshark is the Swiss army knife of network capturing/analyzing. You’re able to specify capture filters so only the packets you’re interested in are stored, cutting down the size and number of packets you need to analyze. It also has a great layout, a lot of features, and the ability to write your own plugins for analyzing captured packets.
    • Usage: It’s difficult to define a set way to use Wireshark, as there are week-long courses on it alone. The basics are to pick which interface you want to start capturing on, then use display filters, for example to keep only a specific source IP with ip.src==
    • Source URL: Wireshark Home
  2. Notepad++/vim
    • Description: A simple text editor/viewer with plugin support.
    • Review: I prefer vim on Linux, as my vim setup with its plugins is convenient for me to work with. Vundle is a key plugin that manages all my other ones. On Windows, Notepad++ is the best text editor, as it supports regex in the search feature.
    • Usage: vim [FILE]; Ctrl+O to open a file in Notepad++
    • Source URL: Notepad++ Home
  3. sha1sum or hashcheck
    • Description: Calculates the SHA-1 hash of a file.
    • Review: sha1sum is the Linux command-line tool, which is great when you’re SSHed into a system. If you need a hashing program on Windows, check out HashCheck, which calculates several different hashes of a file.
    • Usage: sha1sum [FILE]; with HashCheck you right-click the file and view its Properties, where a tab labeled Checksums generates the hashes of that file.
    • Source URL: HashCheck Home (Windows); sha1sum ships by default on most Linux distros.
  4. NetworkMiner
    • Description: NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files. NetworkMiner collects data (such as forensic evidence) about hosts on the network rather than data regarding the traffic on the network. The main user interface view is host centric (information grouped per host) rather than packet centric (information shown as a list of packets/frames).
    • Review: NetworkMiner is a little different from Wireshark: its main focus is forensic analysis, and by default it processes the captured packets into key data shown in tabs such as Credentials, Sessions, DNS, Keywords and others.
    • Usage: Start NetworkMiner and either import a pcap file or capture live data from an interface.
    • Source URL: NetworkMiner Home
  5. ncat
    • Description: Ncat is a feature-packed networking utility which reads and writes data across networks from the command line.
    • Review: This is a great way to record output text from the command line without altering the disk of the system under investigation: pipe the output to ncat and it is written to a file on a remote system. Note that the data crosses the network in the clear; if the path between the two hosts is untrusted, ncat’s --ssl option encrypts the connection.
    • Usage: Start ncat on the remote system (-k keeps listening so several commands can append to the same file): ncat -v -l -k -p [PORT] >> data_capture_file.txt
      Investigating system: [COMMAND] | ncat [IP] [PORT]
    • Source URL: Ncat Home
  6. sysinternals
    • Description: A suite of advanced system utilities and technical information for Windows that helps you manage, troubleshoot and diagnose your Windows systems and applications.
    • Review: This is a suite of different programs for Windows. Key applications are PsExec, which allows you to run commands on a remote system, and Autoruns, which has comprehensive knowledge of the locations from which applications can start up.
    • Usage:psexec \\computer -u user cmd [arguments]
    • Source URL: Sysinternals Home
  7. unxutils
    • Description:Ports of common GNU utilities to native Win32. Native means the executables only depend on the Microsoft C-runtime (msvcrt.dll) and not an emulation layer like cygwin.
    • Review: This is great when you can’t install Cygwin but want Linux-style functionality for many common commands.
    • Usage: Most general Linux commands you can think of are compiled in this set.
    • Source URL: Unxutils Home
  8. snort
    • Description: Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire, combining the benefits of signature, protocol, and anomaly-based inspection.
    • Review: A great open source IDS/IPS that is easily customized for use. It supports multiple detection methods to help limit false positives. It’s also able to process captured files and output statistics on the different packets as well as any known attack methods captured.
    • Usage: snort -r file.tcpd
    • Source URL: Snort Home
  9. argus
    • Description: A network Audit Record Generation and Utilization System. The Argus Project is focused on developing all aspects of large scale network activity audit. Argus, itself, is next-generation network flow technology, going from packets on the wire to advanced network flow data, to network forensics data; all in support of Network Operations, Performance and Security Management.
    • Review: Another tool to process pcap files into analytic data. It outputs an argus file which then needs to be processed by ra to read the data in a standard format.
    • Usage: argus -r file.tcpd -w file.argus; ra -r file.argus
    • Source URL: Argus Home
  10. tcpstat
    • Description: Tcpstat reports certain network interface statistics much like vmstat does for system statistics. tcpstat gets its information by either monitoring a specific interface, or by reading previously saved tcpdump data from a file.
    • Review: Another way to read pcap files created by tcpdump; its output shows more statistical data on the packets captured.
    • Usage: tcpstat -r file.tcpd
    • Source URL: TCPstat Home
  11. tcptrace
    • Description: tcptrace can produce several different types of output containing information on each connection seen, such as elapsed time, bytes and segments sent and received, retransmissions, round trip times, window advertisements, throughput, and more. It can also produce a number of graphs for further analysis.
    • Review: A nice way to show each session that was captured and the number of packets each session sent. There are many other options for how to display the packets.
    • Usage: tcptrace -n -r file.tcpd
    • Source URL: TCPtrace Home
  12. tcpflow
    • Description: tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored ‘tcpdump’ packet flows.
    • Review: tcpflow can pull out specific sessions and save each one in its own file. A session can be selected by a specific port or host in a pcap file, or by other attributes of a packet, using a BPF filter expression like tcpdump’s.
    • Usage: tcpflow -r file.tcpd [port|host]
    • Source URL: TCPflow Home
  13. autopsy
    • Description:Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera’s memory card.
    • Review: As a free digital forensics platform it’s great, and carving data files out of a captured image worked relatively well. It also keeps records when you create a case. I was unable to determine how the hashes were being generated on specific files within a system; if I extracted the data and ran sha1sum on the raw data, the hash was different than Autopsy reported.
    • Usage: It’s a browser-based forensic platform: create a new case and load the image, and you can then navigate around the image looking at the file system.
    • Source URL: Autopsy Home
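The sha1sum/HashCheck entry above is about proving that evidence has not changed between acquisition and analysis. The script below is an added example, not code from the original post or from any of the tools listed: it records a SHA-256 digest for every file in an evidence directory and re-verifies the set later, failing loudly if any file was modified or went missing. SHA-256 is used in place of SHA-1 because SHA-1 is collision-broken; the directory layout, file names and sample contents are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): hash an evidence tree into a
# manifest with sha256sum, then verify it again with sha256sum -c.
# Paths and sample file contents below are constructed for the demo.
set -eu

# hash_file FILE: print the SHA-256 hex digest of one file
hash_file() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# make_manifest DIR MANIFEST: record "digest  ./relative/path" for every regular
# file under DIR, sorted so two runs over identical trees give identical manifests.
# MANIFEST must live outside DIR (pass an absolute path) or it would hash itself.
make_manifest() {
    dir=$1; manifest=$2
    ( cd "$dir" && find . -type f -print0 | sort -z | xargs -0 sha256sum -- ) > "$manifest"
}

# verify_manifest DIR MANIFEST: exit 0 only if every recorded digest still matches.
# sha256sum -c reports each mismatch or missing file and exits non-zero.
verify_manifest() {
    dir=$1; manifest=$2
    ( cd "$dir" && sha256sum --quiet -c -- "$manifest" )
}

# Demo: hash a scratch tree, then tamper with one file and watch verification fail.
demo() {
    work=$(mktemp -d)
    mkdir "$work/evidence"
    printf 'kernel: suspicious login\n' > "$work/evidence/auth.log"   # constructed sample
    printf '\177ELF' > "$work/evidence/dropper"                        # constructed sample
    make_manifest "$work/evidence" "$work/manifest.sha256"
    verify_manifest "$work/evidence" "$work/manifest.sha256" && echo "intact"
    printf 'x' >> "$work/evidence/dropper"
    verify_manifest "$work/evidence" "$work/manifest.sha256" 2>/dev/null || echo "tampered"
    rm -rf "$work"
}

demo
```

Keep the manifest (and ideally a copy of it on write-once media or in the case notes) separate from the evidence directory; a manifest stored inside the tree it describes both hashes itself and can be edited by whoever edits the evidence.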
Categories: Uncategorized

Get rid of all those annoying youtube channels

2013-08-01

So there are some lower quality or just plain annoying channels, and often these show up because they are so popular(?).

After getting sick of seeing those channels I found out there is a Greasemonkey script which hides them. It doesn’t make YouTube behave as if you had blacklisted the channels; it basically hides the HTML elements on the page, and if you click a link someone sent you to a video from a channel in your list, it replaces the video with a message saying this was one of your banned channels.

The only downside is I can’t sync it across the different Firefox profiles on each system I use, hence this post to save the list of channels I want to block as well as the userscript URL so I can always find it again.

The script is rightfully named “Hide annoying youtubers from your YouTube!”

My list:

Categories: Youtube

Installing VMware Tools in Slackware (14)

2013-05-31

So I finally decided to create a Slackware VM just to mess around with and maybe use for slackware-current. I have always used VirtualBox, since installing VMware Tools always failed, and figured why mess with it when it works in VBox? Surprisingly the fix was not difficult; I just felt lazy that day I guess.

The following is how to install VMware Tools on Slackware 14, but it should work for previous versions as well.

$ su -
## This is what caused the installer to fail: the directory didn't exist (it has to be created as root).
# mkdir /etc/pam.d
# mount /dev/dvd /mnt/dvd
# cd /mnt/dvd/
# ls
  ... VMwareTools-x.x.x-xxxxx.tar.gz ...
# tar -xzvf VMwareTools-x.x.x-xxxxx.tar.gz -C /tmp
# umount /mnt/dvd/
# cd /tmp/vmware-tools-distrib/
## Run the installer script from the extracted directory
# ./

The install should succeed after that. If you start X, you will then need to start the VMware Tools toolbox with the following command.

$ /usr/bin/vmware-toolbox-cmd
Categories: Linux

My Linux Tricks (always growing)

2013-03-22

Here are a few little tricks I’ve used in the past that might be helpful. I use some of them often and others only on occasion, and wanted a good reference in case I forgot what they were (an example was setting up a new web dev environment and forgetting about the g+s part).

Add/remove a secondary group for a user without having to re-specify the whole list of groups already assigned to them.

$ gpasswd -a <USER> <GROUP>
$ gpasswd -d <USER> <GROUP>

Set vim as the default Ubuntu editor instead of nano. This drives me nuts: if they change it from vi they should have a prompt at install for which editor to use, making nano the default/recommended but allowing others to select the one they prefer.

$ sudo apt-get install vim
$ sudo update-alternatives --config editor

A nice little password safe program. xdotool is only required if you want auto-type; otherwise it can be skipped.

$ sudo <System Package Manager> install keepass2
$ sudo <System Package Manager> install xdotool

Surprisingly, sshd wasn’t installed by default on my Ubuntu system. Of course, it’s a desktop OS.

$ sudo apt-get install openssh-server

A simple way to watch a directory for any new files created.

$ sudo <System Package Manager> install inotify-tools

Good old Conky for system information.

$ sudo <System Package Manager> install conky

Set all subdirectories to have the setgid bit. The following assumes your current directory is the one whose subdirectories you want changed; just change the path if you’re not currently in it. The setuid/setgid/sticky bits are the leading octal digit of the permissions, numbered 4/2/1 respectively, so g+s makes a 775 directory become 2775.

For more information read the chmod man page sections SETUID AND SETGID BITS and RESTRICTED DELETION FLAG OR STICKY BIT.

The stat command below shows the octal mode of each file in the current directory. I prefer octal modes because they’re easier for me; otherwise you can just do an ls -l and you’ll see a mode of rwxrwxr-x become rwxrwsr-x.

$ find . -type d -exec chmod g+s {} \;
$ stat -c "%a %n" *

Nice way to tail multiple files in a single console.

$ sudo <System Package Manager> install multitail

Have a terminal always running in the background on your desktop with Devil’s Pie.

$ sudo <System Package Manager> install devilspie
$ mkdir ~/.devilspie
## geometry is WIDTHxHEIGHT+XOFFSET+YOFFSET: the window size followed by its position on screen
$ vim ~/.devilspie/desktopTerm.ds
( if
  ( matches ( window_name ) "desktopTerm" )
  ( begin
    ( set_workspace 1 )
    ( pin )
    ( skip_pager )
    ( skip_tasklist )
    ( undecorate )
    ( below )
    ( geometry "700x1090+1240+0" )
  )
)
## Start devilspie in the background; the -a option has it apply the rules to all existing windows
$ devilspie -a &
## I am setting this up with Xubuntu so my desktop is XFCE4 and its terminal.
## -T sets the title of the terminal so devilspie can target it.
$ xfce4-terminal -T desktopTerm &
Categories: Linux

Ubuntu Configuration

2013-03-11

So I installed Xubuntu a little while ago and started configuring it as one of my main systems, instead of as a quick VM that I destroy after I’m done testing what I wanted. I’m not that used to deb systems and apt package management. Here are a few of the things I did when configuring my system.

Installed web services for development, including the basic LAMP stack: apache2, mysql and php5. Note that you’ll save yourself some time/stress/headaches if you also include php5-mysqlnd (the native driver). php5-gd is an image library.

$ sudo apt-get install apache2 php5 libapache2-mod-php5 mysql-server php5-mysqlnd php5-gd

## Another nice thing is being able to edit the web root as your user and have the group assigned correctly.
## In this example the web root is /var/www; we set its group to www-data, the group apache runs as.
## Then we set the setgid bit on the directory (not the sticky bit) so all files created under it get that group.
## Existing files keep their old group, so chgrp them separately if the directory already has content.
## Be sure to add your user to the group so you have access, or chown the files to your user.
$ sudo gpasswd -a <USER> www-data
$ sudo chown :www-data /var/www
$ sudo chmod g+s /var/www
## /var/www is 755 by default, so the group also needs write permission before you can create files there:
$ sudo chmod 2775 /var/www
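The group-shared web root above and the find ... g+s trick in "My Linux Tricks" rely on the same mechanism: a setgid bit on a directory makes new files and subdirectories inherit the directory’s group rather than the creator’s primary group. The script below is an added example, not code from the original post: it sets up such a directory and then proves the inheritance by creating a file and a subdirectory inside it and reading back their groups. The directory path and group are assumptions; the demo uses the caller’s own primary group so it runs without root.

```shell
#!/bin/sh
# Added example (not from the original post): build a group-shared directory
# with the setgid bit and check that new entries inherit its group.
# The path and group passed in are assumptions made by the caller.
set -eu

# make_shared_dir DIR GROUP: create DIR owned by GROUP with mode 2775
# (rwxrwsr-x: group-writable plus setgid) and setgid on any subdirectories.
make_shared_dir() {
    dir=$1; group=$2
    mkdir -p "$dir"
    chgrp -R "$group" "$dir"              # setgid never fixes files that already exist
    chmod 2775 "$dir"
    find "$dir" -type d -exec chmod g+s {} +
}

# mode_of PATH: octal mode including the setuid/setgid/sticky digit, e.g. 2775
mode_of() {
    stat -c %a -- "$1"
}

# group_of PATH: name of the group owning PATH
group_of() {
    stat -c %G -- "$1"
}

# probe_inherited_group DIR: create a file and a subdirectory in DIR and print
# the group each received. With setgid set on DIR both get DIR's group; the
# subdirectory also inherits the setgid bit itself, so the effect propagates.
probe_inherited_group() {
    dir=$1
    : > "$dir/probe.txt"
    mkdir -p "$dir/sub"
    printf '%s %s\n' "$(group_of "$dir/probe.txt")" "$(group_of "$dir/sub")"
}
```

Run it against a scratch directory first (mktemp -d) before pointing it at /var/www; on the real web root, chgrp -R on existing content is the step people forget, and mode 2775 is what gives group members write access in the first place.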

To use the most current Nvidia drivers, make sure you have the headers for your kernel before installing so we don’t get issues.

$ sudo apt-get install build-essential linux-headers-`uname -r`
$ sudo apt-get install nvidia-experimental-310

I was going to install the Nvidia drivers directly and needed to disable the GUI run level for a moment so I booted only to a CLI. I could do it by simply editing the GRUB config file.

$ sudo vim /etc/default/grub
## Edit the following line
## becomes
## Run the GRUB2 builder
$ sudo update-grub

Set up Wireshark so any user in a dedicated group can capture packets (avoids running it as root).

## If it's not already installed
$ sudo apt-get install libcap2-bin
## Create a wireshark group (skip if the wireshark package already created it), add your user to it,
## and pick up the new group in your current login session
$ sudo groupadd wireshark
$ sudo gpasswd -a <USER> wireshark
$ newgrp wireshark
## Set the group on dumpcap so only root and the group can execute it
$ sudo chown root:wireshark /usr/bin/dumpcap
$ sudo chmod 750 /usr/bin/dumpcap
## Grant dumpcap just the capabilities capturing needs. cap_dac_override is not required for
## capture and would let dumpcap bypass file permission checks, so leave it off.
$ sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
Categories: Linux

Installing RVM (Ruby Version Manager) in Xubuntu 12.04 or Slackware 14

2013-01-23

When I first started learning Ruby I found out about RVM, which is a great project as I can easily switch between Ruby versions based on what I want. Getting RVM installed in Xubuntu (Ubuntu) 12.04 took more work than I’m normally used to with Slackware. I’ve had to install it on multiple systems with a gap between each install, making my memory fuzzy about what is required to get everything working. So I decided to dump my notes here for later reference, and who knows, the next time I do it and something has changed I’ll update this page. Without further delay, the process can be copied and pasted from below.

All the required dependencies that don’t get installed with Ubuntu. I’ll create a VM where I can test which packages aren’t actually required, since I was installing a few other packages I needed at the time all on the same line.

$ sudo apt-get install build-essential openssl libreadline6 libreadline6-dev curl git git-core zlib1g zlib1g-dev libssl-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt-dev autoconf libc6-dev ncurses-dev automake libtool bison subversion pkg-config

For Slackware you can skip the dependencies since everything we need is already installed. Since packages/libraries are managed the Slackware way, disabling the autolibs functionality of RVM is required. More about autolibs can be found here.

Installing RVM and Ruby, taken from the RVM install documentation found here. Note that these commands pipe a downloaded script straight into bash; if you’d rather not execute an unverified download, save the script to a file and read it first, then run it.
Slackware 14

$ \curl -L | bash -s stable --ruby
$ ~/.rvm/bin/rvm autolibs 0
$ ~/.rvm/bin/rvm install ruby

*buntu 12.04

$ \curl -L | bash -s stable --ruby
$ rvm install ruby
Categories: Computers, Linux, Programming, Ruby

SSH private/public keys with passphrase and agent manager

2012-12-04

Managing multiple systems that you only have access to by SSH can be annoying when you have to keep typing ssh <HOST/IP> and then your password on each system.

This article explains how to use SSH public/private key pairs with a passphrase and ssh-agent.
The goal is to make logging in remotely more secure by using key pairs with a passphrase, while only having to enter the passphrase once in a given time period.

First you’ll need to generate your own private/public key pair on the system you’ll be SSHing FROM, using the following command.

$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/<ROLE>_rsa -C "Comment goes here"
Enter file in which to save the key (/home//.ssh/id_rsa):
Enter passphrase (empty for no passphrase):

You should never give your private key file or its contents to anyone. Think of it like a key to your house: anyone who has it can access your “house” (server).

  • The comment just helps you remember what the key is used for. I normally put the server(s) I’m going to push the public key to in the comment. This could be considered a minor security risk, as it labels where the key is used.
  • Some systems default to DSA; I recommend RSA at 2048 bits or higher, hence the keygen options -t rsa -b 4096. Two short write-ups about DSA vs RSA can be found and .
  • Do not leave the passphrase empty: in the worst case, if someone gets hold of your private key or gains access to your account, they at least have to know the passphrase to use it (back to the previous state of having just a password for security). An empty passphrase means anyone with the key can enter the server if they know which server the key is used on (hence the comment security risk).
  • If you generate more than one key pair and use the same passphrase, entering the passphrase will make all the key pairs that use it active at the same time.

Now that we have the keys generated, the next step is to copy the .pub key text to the remote server’s .ssh/authorized_keys file. I wrote this little bash script as a wrapper for the command used to publish the key. It prompts for the user to SSH as and the server host/IP, then ssh-copy-id prompts for that user’s password. It automatically creates the .ssh directory and appends the key to the authorized_keys file. If your system doesn’t have ssh-copy-id, I have included a bash one-liner below the script that checks whether the .ssh directory exists, creates it if needed, and then appends the public key to the authorized_keys file.

#!/bin/bash
## Wrapper around ssh-copy-id: ask which account and which host to use, then push the key.
if [[ -z "$sshusername" ]] && [[ -z "$serverIPaddress" ]] ; then
    ## Prompt for the user name to use
    echo -en "\nIs $USER the account you want to use? \n" ;
    select yn in "Yes" "No"; do
        case "$yn" in
            Yes ) sshusername="$USER" ; break ;;
            No ) read -p "Type the username you want to use: " sshusername ; break ;;
        esac
    done ;
    echo -en "\n" ;

    ## Prompt for the server name or IP
    read -p "Type the Hostname or IP address of the server: " serverIPaddress ;
    echo -en "\n" ;

    ## The actual command to copy the key over
    ssh-copy-id "$sshusername"@"$serverIPaddress" ;

    ## Clean up the vars we used
    unset sshusername ;
    unset serverIPaddress ;
    ## Sanity check that the variables are really gone (both should print empty)
    echo -en "Your system currently has the following variables set.\n sshusername AS $sshusername\n serverIPaddress AS $serverIPaddress\n\n";
fi ;

One way to push the new public key to the server is with the ssh-copy-id command. If you are using a port other than 22, older versions of ssh-copy-id need the username/host and the port option passed together in quotes as shown; newer versions accept -p <port> as a regular option.

#ssh-copy-id -i <path to pub key> "username@host/ip -p <port>"
ssh-copy-id -i .ssh/
ssh-copy-id -i .ssh/ " -p 9999"

Bash one-liner for pushing the public key to a remote system if you’re unable to use ssh-copy-id. Be sure to put the correct user and <HOST/IP> in the ssh command. The directory check has to be -d (a string test like -z is always false for a non-empty path and would never create the directory), and the permissions are tightened to 700 on .ssh and 600 on authorized_keys, which sshd refuses to use otherwise when StrictModes is on.

cat ~/.ssh/ | ssh @<HOST/IP> 'if [[ ! -d "$HOME/.ssh" ]] ; then mkdir -m 700 "$HOME/.ssh" ; fi ; cat - >> ~/.ssh/authorized_keys ; chmod 600 ~/.ssh/authorized_keys'
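The one-liner above runs once per key push and blindly appends, so pushing the same key twice leaves duplicate lines and any pre-existing loose permissions are never fixed. The script below is an added example, not the post’s own code: it does the same job as the remote side of that one-liner, but idempotently and with the permissions sshd expects. The home directory and the key text are assumptions; the key string in the test is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into
# HOMEDIR/.ssh/authorized_keys without duplicates and with sshd-safe permissions.
# HOMEDIR and PUBKEY are supplied by the caller; nothing here is a real key.
set -eu

# install_pubkey PUBKEY HOMEDIR: append PUBKEY unless an identical line is already
# present; create .ssh (0700) and authorized_keys (0600) if missing.
# Prints "added" or "present" so a caller can tell which happened.
install_pubkey() {
    pubkey=$1; home=$2
    sshdir="$home/.ssh"; auth="$sshdir/authorized_keys"
    # -d is the right test; [[ -z "$HOME/.ssh" ]] (as in the one-liner) checks
    # for an empty string and is never true, so the directory was never created.
    if [ ! -d "$sshdir" ]; then
        mkdir -m 700 "$sshdir"
    fi
    chmod 700 "$sshdir"                # tighten even if it already existed
    touch "$auth"
    chmod 600 "$auth"
    # -x matches the whole line, -F takes the key literally (no regex metacharacters)
    if grep -qxF -- "$pubkey" "$auth"; then
        echo present
    else
        printf '%s\n' "$pubkey" >> "$auth"
        echo added
    fi
}

# key_count HOMEDIR: number of key lines in authorized_keys (checks idempotence)
key_count() {
    grep -c '^ssh-' "$1/.ssh/authorized_keys"
}
```

On the remote side this replaces the quoted command in the one-liner; feed the key on stdin or as an argument exactly as it appears in the .pub file, since a trailing comment that differs will be treated as a different key.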

Now we should have a private/public key pair in our .ssh folder, and on the remote system our public key should be in the authorized_keys file. To test whether it’s working, SSH to the system. You should be prompted with the following instead of the @<HOST/IP>’s password prompt:

$ ssh server
Enter passphrase for key '/home//.ssh/id_rsa':

Upon entering the correct passphrase you will be logged in to the remote system. Exit and try SSHing again; you’ll notice you get prompted for the passphrase again. Great, all this seemed to do was add an extra layer of security, but it didn’t stop the annoyance of having to enter a password/passphrase each time.

Now it’s time to use a key manager such as ssh-agent, which lets us enter the passphrase once; after that, any time we SSH to a server that has our public key we get direct access (for a given amount of time, before we have to re-enter the passphrase).

On my systems I create two aliases. Some people want the system to prompt for the passphrase when they open their first session; I prefer to start the agent when I need it, so that on a day I don’t need to SSH to a server (it happens sometimes…) my shell doesn’t have access to the keys.

The two aliases I use are below.

## Type agent once on the machine you are using, unless the time elapses or the system was rebooted.
## Removes the old hostname agent file,
## starts the agent with -t 28800 so identities added to it expire after 28800 seconds (8 hrs),
##   and stores the environment variables needed to reach the agent in the .agent file,
## then sources the .agent file as a shell script and adds the private key identities to the agent.
alias agent='rm -f "$HOME"/.ssh/`hostname`.agent ; ssh-agent -t 28800 | grep -v echo > "$HOME"/.ssh/`hostname`.agent ; source "$HOME"/.ssh/`hostname`.agent ; ssh-add'

## In any new shell you just need to run this alias to have it use the agent already in memory
alias sshagent='if [ -e "$HOME"/.ssh/`hostname`.agent ]; then source "$HOME"/.ssh/`hostname`.agent ; fi'

Now you have the generated keys, the remote system(s) have the public key in the authorized_keys file, and you can use an agent so you only have to enter your passphrase once, allowing you to SSH to any system that has the public key without any prompts.

A system is only as secure as its user.

Categories: Bash, Computers, Linux, Security