Getting Started in Forensic Research

From ForensicsWiki

Interested in getting involved in computer forensics research? Here's how to start.

==Recommended Reading==
# Read the proceedings from the past several years of the [http://www.dfrws.org DFRWS] conference. If a specific article looks interesting, download it and read it.
#*[http://www.dfrws.org/2011/program.shtml DFRWS 2011 Program]
#*[http://www.dfrws.org/2010/program.shtml DFRWS 2010 Program]
#*[http://www.dfrws.org/2009/program.shtml DFRWS 2009 Program]
#*[http://www.dfrws.org/2008/program.shtml DFRWS 2008 Program]
#*[http://www.dfrws.org/2007/program.shtml DFRWS 2007 Program]
#*[http://www.dfrws.org/2006/program.shtml DFRWS 2006 Program]
# Review the proceedings from the past few years of the IEEE/SADFE (Systematic Approaches to Digital Forensics Engineering) workshops. The papers do not appear on the website, but you can generally find them with Google by searching for the title in quotes.
#*[http://conf.ncku.edu.tw/sadfe/sadfe11/program.html SADFE 2011 Program]
#*[http://conf.ncku.edu.tw/sadfe/sadfe10/program.html SADFE 2010 Program]
#*[http://conf.ncku.edu.tw/sadfe/sadfe09/program.html SADFE 2009 Program]
#*[http://conf.ncku.edu.tw/sadfe/sadfe08/program.html SADFE 2008 Program]
# Review the [http://www.ifip119.org/ IFIP Working Group 11.9 on Digital Forensics] website and look at the proceedings from past conferences. The papers cannot be downloaded from the site and the printed proceedings cost more than $100, but an interesting paper can usually be requested via interlibrary loan, and some higher-education libraries subscribe to SpringerLink, which makes the full text of these proceedings available to their students and faculty.
#*[http://www.ifip119.org/Publications/ IFIP WG 11.9 publications]
# Search for interesting forensic terms at the [http://portal.acm.org/dl.cfm ACM Digital Library] and [http://citeseer.ist.psu.edu/ CiteSeer].
# Review the [http://www.sleuthkit.org/ Sleuth Kit website]. In particular, read the back issues of [http://www.sleuthkit.org/informer/index.php The Sleuth Kit Informer] and install a copy of The Sleuth Kit on your computer.

==Recommended Mailing Lists==
* [https://lists.sourceforge.net/lists/listinfo/sleuthkit-users sleuthkit-users]
* [http://groups.yahoo.com/group/linux_forensics/join linux_forensics]
* [http://groups.yahoo.com/group/cftt/join cftt] (computer forensic tool testing)

==Setting up a C++ development environment==
Many people working in forensics find it useful to be able to compile their tools from source code. Most of the tools compile on Linux, Mac OS X, and within the Cygwin environment under Windows.

Because these tools build upon one another, compile and install them in the order given below:
# Download [http://sourceforge.net/projects/libewf/ libewf] and install it. libewf is the library that lets the tools below read Expert Witness Format (EnCase [[E01]]) disk images. It must be installed before The Sleuth Kit is configured, because The Sleuth Kit's configure script looks for libewf at that point and silently builds without E01 support if it is absent.
# Download [http://www.sleuthkit.org/sleuthkit/ The Sleuth Kit] and install it. The Sleuth Kit is the basic open source computer forensics toolkit for examining the file systems in a disk image and extracting files from them, including deleted files. After installing it, confirm that <code>mmls -i list</code> shows ewf among the supported image types; if it does not, libewf was not found and The Sleuth Kit must be re-configured and rebuilt.

If you are interested in doing file recovery, you may also wish to explore:
* The Sleuth Kit, above
* [http://www.cgsecurity.org/wiki/PhotoRec PhotoRec], a file carver.
* [http://digital-assembly.com/ Adroit Photo Recovery], a very capable commercial photo recovery tool.

If you want to experiment with automated computer forensics research, try these:
* [[Bulk Extractor]], a program from the Naval Postgraduate School that scans a disk image for features such as email addresses and prints histograms of what it finds.
* [[fiwalk]], a program that processes a disk image and outputs an XML or ARFF file describing all of the file system metadata. fiwalk is now part of The Sleuth Kit.

==Exercises for the Reader==
# Download the file [http://digitalcorpora.org/corp/images/nps/nps-2009-canon2/nps-2009-canon2-gen6.raw nps-2009-canon2-gen6.raw] from the Digital Corpora website and try to recover as many files as you can. Some of the JPEGs can only be found by file carving, and some only by fragment-recovery file carving.
#* Can you determine when the photos were taken?
#* Can you determine ''where'' the photos were taken?
#* Can you determine the username of the person who took the photos?
#* Can you determine the clock offset of the camera from real time?
# Download the file [http://digitalcorpora.org/corp/images/nps/nps-2009-ubnist1/ubnist1.gen3.aff ubnist1.gen3.aff] and find the government documents that were stored on the USB device.
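The first exercise asks for JPEGs that only carving can find, and then for when they were taken. The following is an added example, not code from this page or from The Sleuth Kit or PhotoRec: a header/footer JPEG carver with a minimal Exif reader that pulls DateTimeOriginal out of the APP1 segment, which is where the "when" answer lives. All names are ours, and the "disk image" it runs on is constructed in memory; its JPEG shells carry a real Exif/TIFF structure but no decodable picture.

```python
"""JPEG header/footer carver with a minimal Exif timestamp reader.

Added example for the carving exercise on this page; not code from the page
or from any tool it names. The sample image is constructed in memory.
"""
import struct
from datetime import datetime

SOI = b"\xff\xd8\xff"            # Start Of Image plus the 0xFF of the next marker
EOI = b"\xff\xd9"                # End Of Image
TAG_DATETIME = 0x0132            # IFD0 DateTime
TAG_EXIF_IFD = 0x8769            # pointer to the Exif sub-IFD
TAG_DATETIME_ORIGINAL = 0x9003   # Exif DateTimeOriginal


def carve_jpegs(image, max_size=20 * 1024 * 1024):
    """Return [(offset, bytes)] for each contiguous SOI..EOI run in the image.

    Header/footer carving only: it recovers JPEGs stored in one piece. A
    fragmented file yields a truncated or corrupt carve, and an Exif thumbnail
    (which carries its own EOI) can end a carve early; those are the cases
    that need fragment recovery carving.
    """
    found, pos = [], 0
    while True:
        start = image.find(SOI, pos)
        if start == -1:
            return found
        end = image.find(EOI, start + len(SOI), start + max_size)
        if end == -1:                  # no footer within max_size: skip this header
            pos = start + 1
            continue
        found.append((start, image[start:end + len(EOI)]))
        pos = end + len(EOI)           # never begin a new carve inside the last one


def _parse_tiff(tiff):
    """Walk IFD0 and the Exif sub-IFD of a TIFF block; return the best timestamp."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or struct.unpack_from(endian + "H", tiff, 2)[0] != 42:
        return None
    found = {}

    def read_ifd(off, depth=0):
        if depth > 2 or off + 2 > len(tiff):
            return
        (n,) = struct.unpack_from(endian + "H", tiff, off)
        for i in range(n):
            tag, typ, count, val = struct.unpack_from(endian + "HHI4s", tiff, off + 2 + 12 * i)
            if tag == TAG_EXIF_IFD:
                read_ifd(struct.unpack(endian + "I", val)[0], depth + 1)
            elif tag in (TAG_DATETIME, TAG_DATETIME_ORIGINAL) and typ == 2:
                p = struct.unpack(endian + "I", val)[0]   # ASCII > 4 bytes lives at an offset
                found[tag] = tiff[p:p + count].rstrip(b"\x00").decode("ascii", "replace")

    read_ifd(struct.unpack_from(endian + "I", tiff, 4)[0])
    s = found.get(TAG_DATETIME_ORIGINAL) or found.get(TAG_DATETIME)
    try:
        return datetime.strptime(s, "%Y:%m:%d %H:%M:%S") if s else None
    except ValueError:
        return None


def exif_datetime(jpeg):
    """Walk the JPEG marker segments up to SOS and parse the APP1 Exif segment, if any."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0x01, 0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:   # markers without a length
            pos += 2
            continue
        (seglen,) = struct.unpack_from(">H", jpeg, pos + 2)
        seg = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            return _parse_tiff(seg[6:])
        if marker == 0xDA:             # start of scan: all metadata segments precede it
            break
        pos += 2 + seglen
    return None


def _build_tiff(dt_original):
    """Constructed little-endian TIFF: IFD0 -> Exif IFD -> DateTimeOriginal at fixed offsets."""
    value = dt_original.encode("ascii") + b"\x00"                  # 20 bytes incl. NUL
    exif_ifd_off, value_off = 26, 44                               # 8 header + 18 per one-entry IFD
    hdr = b"II" + struct.pack("<HI", 42, 8)
    ifd0 = struct.pack("<HHHII", 1, TAG_EXIF_IFD, 4, 1, exif_ifd_off) + b"\x00" * 4
    exif = struct.pack("<HHHII", 1, TAG_DATETIME_ORIGINAL, 2, len(value), value_off) + b"\x00" * 4
    return hdr + ifd0 + exif + value


def make_jpeg(dt_original, scan_bytes):
    """Constructed JPEG shell: SOI, APP1 Exif, SOS, opaque scan data (no 0xFF bytes), EOI."""
    app1 = b"Exif\x00\x00" + _build_tiff(dt_original)
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda" + struct.pack(">H", 2) + scan_bytes + EOI)


# Constructed "disk image": slack, one JPEG, unrelated data, a second JPEG, slack.
SAMPLE_IMAGE = (b"\x00" * 512 + make_jpeg("2009:02:14 10:31:05", bytes(range(200)))
                + b"\xaa" * 1024 + make_jpeg("2009:02:14 10:32:40", b"\x13\x37" * 100) + b"\x00" * 256)


def summarize(image=SAMPLE_IMAGE):
    """Carve and timestamp every JPEG: [(offset, size, DateTimeOriginal or None)]."""
    return [(off, len(data), exif_datetime(data)) for off, data in carve_jpegs(image)]


def camera_clock_offset(exif_time, reference_time):
    """Camera clock minus a trusted reference for the same moment (a photographed clock,
    the mail a picture was sent in, ...); subtract it from every Exif timestamp."""
    return exif_time - reference_time
```

To use it on nps-2009-canon2-gen6.raw, pass the image bytes to summarize() (mmap the file rather than read() it; mmap objects support find() with start and end bounds). Contiguous JPEGs come out intact; a fragmented one yields a carve that stops at the wrong EOI, which is the case the exercise calls fragment recovery carving. The clock-offset question cannot be answered from the image alone: camera_clock_offset() needs an external reference time for one of the photos.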

Basic Security Module (BSM) file format

The Basic Security Module (BSM) file format originates from the [[Solaris|Sun Solaris]] operating system and has been adopted in various forms by BSD Unix, [[Mac OS X]] included. An audit trail is a sequence of variable-length records, each built from self-describing tokens: a header token carrying the record size, format version, event type and timestamp; tokens such as subject, path, argument and return carrying the event data; and a trailer token that repeats the record size. Integers are stored big-endian and strings are NUL-terminated; the token identifiers and layouts are defined in audit.log(5) and audit_bsm_token.c, linked below.

== External Links ==
* [http://en.wikipedia.org/wiki/OpenBSM Wikipedia: OpenBSM]
* [https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man5/audit.log.5.html audit -- Basic Security Module (BSM) file format], Mac Developer Library
* [http://www.opensource.apple.com/source/xnu/xnu-1456.1.26/bsd/security/audit/audit_bsm_token.c?txt audit_bsm_token.c], Apple Open Source
* [http://www.deer-run.com/~hal/sysadmin/SolarisBSMAuditing.html Solaris Basic Security Mode (BSM) Auditing], by [[Hal Pomeranz]]

== Tools ==
=== praudit ===
praudit(1), shipped with OpenBSM and therefore with Mac OS X, prints the tokens of a binary audit trail in human-readable form; <code>praudit -x</code> emits XML and <code>praudit -r</code> leaves identifiers and values in raw numeric form.

=== Implementations ===
* [http://www.trustedbsd.org/openbsm.html OpenBSM], Open Source Basic Security Module (BSM) Audit Implementation
* [http://sourceforge.net/projects/linuxbsm/ linuxbsm], The Linux Basic Security Module; an auditing tool that aims to bring the capabilities of Sun's Solaris Basic Security Module to Linux.
* [http://sourceforge.net/projects/linuxbsm2/ linuxbsm2], LinuxBSM-2; introduces auditing features in the Linux kernel to achieve better security and keep an eye on system activities.
* [https://code.google.com/p/linuxopenbsm/ linuxopenbsm], Linux Basic Security Module

[[Category:File Formats]]

Latest revision as of 15:30, 16 December 2013
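As an added example of the record layout (our code, not the page's or OpenBSM's; praudit(1) remains the tool to use on real trails), the following Python parses a constructed two-record OpenBSM trail and applies the checks a forensic reader wants: the trailer magic, agreement between the header and trailer size fields, and resynchronising on the next header when a token is unknown or a record is cut short. Token ids and field widths follow audit.log(5); the event-name table is limited to AUE_EXECVE, and only the 32-bit token variants are decoded.

```python
"""Minimal reader for BSM audit trails as written by OpenBSM (FreeBSD, Mac OS X).

Added example, not code from this page or from OpenBSM. Token ids and layouts
follow audit.log(5)/audit_bsm_token.c: integers are big-endian, strings are
NUL-terminated. The sample trail below is constructed, not captured.
"""
import struct
from datetime import datetime, timezone

AUT_TRAILER, AUT_HEADER32 = 0x13, 0x14
AUT_PATH, AUT_SUBJECT32, AUT_RETURN32, AUT_TEXT, AUT_EXEC_ARGS = 0x23, 0x24, 0x27, 0x28, 0x3C
TRAILER_MAGIC, HEADER_VERSION_OPENBSM = 0xB105, 11
EVENT_NAMES = {23: "execve(2)"}   # AUE_EXECVE; the full table is /etc/security/audit_event
SUBJECT_FIELDS = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "port", "machine")


class BSMError(ValueError):
    """Malformed or unsupported token."""


def _cstring(buf, pos, length):
    s = buf[pos:pos + length]
    if len(s) != length or not s.endswith(b"\x00"):
        raise BSMError("bad string token at %d" % pos)
    return s[:-1].decode("utf-8", "replace"), pos + length


def parse_token(buf, pos):
    """Decode the token at buf[pos]; return (dict, position of the next token)."""
    tid = buf[pos]
    if tid == AUT_HEADER32:            # id, size, version, event type, modifier, sec, msec
        size, ver, etype, emod, sec, msec = struct.unpack_from(">IBHHII", buf, pos + 1)
        if ver != HEADER_VERSION_OPENBSM:
            raise BSMError("unsupported header version %d" % ver)
        when = datetime.fromtimestamp(sec, timezone.utc).replace(microsecond=msec * 1000)
        return {"token": "header", "size": size, "event": EVENT_NAMES.get(etype, etype),
                "modifier": emod, "time": when}, pos + 18
    if tid == AUT_SUBJECT32:           # id, then nine 32-bit fields (terminal id = port + IPv4)
        vals = struct.unpack_from(">9I", buf, pos + 1)
        return dict(zip(("token",) + SUBJECT_FIELDS, ("subject",) + vals)), pos + 37
    if tid in (AUT_PATH, AUT_TEXT):    # id, 16-bit length including the NUL, string
        (n,) = struct.unpack_from(">H", buf, pos + 1)
        s, end = _cstring(buf, pos + 3, n)
        return {"token": "path" if tid == AUT_PATH else "text", "value": s}, end
    if tid == AUT_EXEC_ARGS:           # id, 32-bit count, count NUL-terminated strings
        (count,) = struct.unpack_from(">I", buf, pos + 1)
        args, p = [], pos + 5
        for _ in range(count):
            nul = buf.index(b"\x00", p)
            args.append(buf[p:nul].decode("utf-8", "replace"))
            p = nul + 1
        return {"token": "exec_args", "args": args}, p
    if tid == AUT_RETURN32:            # id, 8-bit errno, 32-bit return value
        err, ret = struct.unpack_from(">BI", buf, pos + 1)
        return {"token": "return", "errno": err, "value": ret}, pos + 6
    if tid == AUT_TRAILER:             # id, magic 0xB105, size (must equal the header's)
        magic, size = struct.unpack_from(">HI", buf, pos + 1)
        if magic != TRAILER_MAGIC:
            raise BSMError("bad trailer magic 0x%04x at %d" % (magic, pos))
        return {"token": "trailer", "size": size}, pos + 7
    raise BSMError("unknown token 0x%02x at %d" % (tid, pos))


def parse_records(buf):
    """Yield (tokens, problems) per record. The header's size field delimits the record,
    so an unknown or damaged token spoils one record without losing the rest of the trail."""
    pos = 0
    while pos < len(buf):
        if buf[pos] != AUT_HEADER32:
            raise BSMError("expected header token at %d, found 0x%02x" % (pos, buf[pos]))
        header, p = parse_token(buf, pos)
        tokens, problems, rec_end = [header], [], pos + header["size"]
        if rec_end > len(buf):
            problems.append("truncated: header claims %d bytes, %d left" % (header["size"], len(buf) - pos))
            rec_end = len(buf)
        while p < rec_end:
            try:
                tok, p = parse_token(buf, p)
            except (ValueError, IndexError, struct.error) as exc:   # BSMError is a ValueError
                problems.append(str(exc))
                break
            tokens.append(tok)
        if tokens[-1]["token"] != "trailer" or tokens[-1]["size"] != header["size"]:
            problems.append("missing trailer or header/trailer size mismatch")
        yield tokens, problems
        pos = rec_end                  # resynchronise on the next header whatever happened


def build_record(etype, subject, args, path, errno, retval, sec, msec=0):
    """Constructed execve-style record in the wire format above (a fixture, not real trail data)."""
    body = bytes([AUT_SUBJECT32]) + struct.pack(">9I", *subject)
    body += bytes([AUT_EXEC_ARGS]) + struct.pack(">I", len(args)) + b"".join(a.encode() + b"\x00" for a in args)
    p = path.encode() + b"\x00"
    body += bytes([AUT_PATH]) + struct.pack(">H", len(p)) + p
    body += bytes([AUT_RETURN32]) + struct.pack(">BI", errno, retval)
    size = 18 + len(body) + 7
    return (bytes([AUT_HEADER32]) + struct.pack(">IBHHII", size, HEADER_VERSION_OPENBSM, etype, 0, sec, msec)
            + body + bytes([AUT_TRAILER]) + struct.pack(">HI", TRAILER_MAGIC, size))


# Constructed two-record trail: a user's ls, then a failed sudo (errno 1, return value -1).
SAMPLE_TRAIL = (build_record(23, (501, 501, 20, 501, 20, 4242, 100001, 0, 0), ["ls", "-la"], "/bin/ls", 0, 0, 1387207800)
                + build_record(23, (501, 0, 0, 501, 20, 4243, 100001, 0, 0), ["sudo", "-i"], "/usr/bin/sudo", 1, 0xFFFFFFFF, 1387207861, 250))


def audit_summary(buf=SAMPLE_TRAIL):
    """praudit-like one line per record; problems are appended rather than hidden."""
    lines = []
    for tokens, problems in parse_records(buf):
        by = {t["token"]: t for t in tokens}
        h, s, r = by["header"], by.get("subject", {}), by.get("return", {})
        lines.append("%s %s path=%s args=%s auid=%s euid=%s errno=%s%s" % (
            h["time"].isoformat(), h["event"], by.get("path", {}).get("value"),
            by.get("exec_args", {}).get("args"), s.get("auid"), s.get("euid"), r.get("errno"),
            (" PROBLEMS: " + "; ".join(problems)) if problems else ""))
    return lines
```

Two details matter when this is pointed at a real trail. The audit id (auid) survives setuid and su, so it, not euid, names the person behind the second record; and a trail cut off by a crash or a partial copy shows up as a truncated last record rather than as a silently shorter file, because the header size and the trailer are checked against each other.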
