Difference between pages "Tools:Visualization" and "Determining OS version from an evidence image"

From Forensics Wiki

Tools:Visualization

Although not strictly for forensic purposes, '''visualization tools''' such as the ones discussed here can be very useful for visualizing large data sets. As forensic practitioners need to process more and more data, it is likely that some of the techniques implemented by these tools will need to be adopted.

==Programming Languages and Developer Toolkits==
If you are building forensic tools, you probably want to start with one of these:
; Java and Swing
: Advantage: Portable, and lots of good documentation out there.
: Disadvantage: Programs are a bit verbose, and it only offers about 1/2 the performance of C.

; Python with Tkinter
: Advantage: Portable.
: Disadvantage: Python is one of the slowest modern languages around.

; Python with wxWidgets
: Advantage: Portable, and a better development environment than Tkinter.
: Disadvantage: wxWidgets is not installed by default, so you'll need to get it installed. Not as well documented as Tkinter.

; [http://processing.org processing.org]
: Advantage: Programming language specifically developed for visualization; compiles to Java byte code.
: Disadvantage: Very oddball.

; JavaFX - Java's version of Flash

; Flash

== Applications ==
Most of these are scriptable.
===Open Source===
* [http://www.graphviz.org/ Graphviz] - Originally developed by the [http://public.research.att.com/areas/visualization/ AT&T Information Visualization Group], designed for drawing connected graphs of nodes and edges. Neato is a similar system but does layout based on a spring model. Can produce output as [[PostScript]], [[PNG]], [[GIF]], or as an annotated graph file with the locations of all of the objects — ideal for drawing in a GUI. Runs from the command line on [[Unix]], [[Windows]] and [[Mac]], although there is also a [http://www.pixelglow.com/graphviz/ MacOS GUI version].
* [http://graphexploration.cond.org/ Guess: The Graph Exploration System] - Originally developed at HP, this is a large Jython/Java-based system that you can use for building your own applications. Distributed under the GPL.
* [http://sourceforge.net/projects/ivc/ InfoVis Cyberinfrastructure] - Another graph drawing system written in Java.
* [http://jung.sourceforge.net/ Java Universal Network/Graph Framework (JUNG)] - Graphing, [[data mining]], [[social network]] analysis, and other stuff.
* [http://www.andrew.cmu.edu/user/krack/krackplot.shtml Krackplot] - "KrackPlot is a program for network visualization designed for social network analysts."
* [http://bioinformatics.icmb.utexas.edu/lgl/ Large Graph Layout (LGL)] - A bioinformatics system from the University of Texas. They really mean Large.
* [http://www.sfu.ca/~richards/Multinet/Pages/multinet.htm MultiNet] - A data analysis package for drawing conventional data and graph data.
* [http://www.analytictech.com/netdraw.htm NetDraw] - "a free program written by Steve Borgatti for visualizing both 1-mode and 2-mode social network data."
* [http://web.mit.edu/bshi/Public/nv2d/ NetVis 2D] - Another graph visualization and layout tool written in Java.
* [http://www.opendx.org/ OpenDX] - Based on [[IBM]]'s Visualization Data Explorer; runs on [[Unix]]/X11/Motif.
* [http://vlado.fmf.uni-lj.si/pub/networks/pajek/ Pajek] - Windows program for drawing large networks.
* [http://sourceforge.net/projects/sonia/ Social Network Image Animator (SoNIA)] - Originally developed at Stanford. Written in Java. Makes movies.
* [http://www.informatik.uni-bremen.de/uDrawGraph/en/uDrawGraph/uDrawGraph.html uDrawGraph]
* [http://wilma.sourceforge.net/ WilmaScope] - Real-time animations of dynamic graph structures. Written in Java. Sophisticated force model with springs and attraction.
* [http://www.caida.org/tools/visualization/walrus/ Walrus] - A 3D graph network exploration tool. Employs 3D hyperbolic displays and layout based on a user-supplied spanning tree.

=== Commercial Graphic Applications and Tools===
* [http://www.aisee.com/ aiSee Graph Layout Software] - Supports 15 layout algorithms, recursive graph nesting, and easy printing. Runs on [[Windows]], [[Linux]], [[Solaris]], [[NetBSD]], and [[MacOS]]. 30-day trial and free registered versions available. Academic pricing available.
* [http://www.geomantics.com/ Geomantics] - Geographical, visualization and graphics software. Runs on [[Windows]].
* [http://www.kylebank.com/ Graphis 2D and 3D graphing software] - Runs on [[Windows]]. Free 30-day evaluation copy available.
* [http://www.openviz.com/ OpenViz] and [http://www.powerviz.com/ PowerViz] - Both from Advanced Visual Systems; super high-end visualization toolkits. $$$$
* [http://www.tomsawyer.com/ Tom Sawyer Software] - Analysis, visualization, and layout programs. Heavy support for drawing graphs. Beautiful gallery. ActiveX, Java, C++ and .NET editions.
* [http://www.netminer.com/ NetMiner] - "One of the most comprehensive and usable software tools for Social Network Analysis in the world." Runs on Windows, with a Linux version under development. $35 for the "Express" student version, $250 for the "Professional" student version, $950 for the "Normal" "Professional" version.
* [http://www.analytictech.com/ucinet.htm UCINET] - A comprehensive package for the analysis of social network data as well as other 1-mode and 2-mode data.
* [http://www.clarifiednetworks.com/logster Logster] - An ultra-easy software tool to visualize Apache-style logs on a world map.
* [http://www.clarifiednetworks.com/Clarified%20Analyzer Clarified Analyzer] - Visualizes network traffic and allows you to drill down from visualizations to the packet level.

== Visualization Toolkits and Libraries ==
===C/C++===
* [http://public.kitware.com/VTK/ The Visualization Toolkit] - C++, multi-platform, with interfaces available for Tcl/Tk, Java and Python. Professional support provided by [http://www.kitware.com/ Kitware].
* [http://kdirstat.sourceforge.net/ KDirStat] - An open source implementation of [http://www.cs.umd.edu/hcil/treemap-history/index.shtml Treemaps] written in C. (Treemaps are a visualization technique developed at the University of Maryland for visualizing large amounts of multi-dimensional data.) You can find a copy of it in [http://www.derlien.com/ Disk Inventory X] and

===Java===
* [http://csbi.sourceforge.net/index.html Graph Interface Library (GINY)] - Java.
* [http://hypergraph.sourceforge.net/ HyperGraph] - Hyperbolic trees, in Java. Check out the home page. Try clicking on the logo...
* [http://ivtk.sourceforge.net/ InfoVis Toolkit] - Java, originally developed at [[INRIA]].
* [https://jdigraph.dev.java.net/ Jdigraph] - Java directed graphs.
* [http://jgrapht.sourceforge.net/ JGraphT] - A Java visualization kit designed to be simple and extensible.
* [http://prefuse.sourceforge.net/ Prefuse] - A Java-based toolkit for building interactive information visualization applications.
* [http://www.ssec.wisc.edu/~billh/visad.html#intro VisAD] - A Java component library for interactive and collaborative visualization.
* [http://www.softwaresecretweapons.com/jspwiki/Wiki.jsp?page=LinguineMaps Linguine Maps] - An open-source Java-based system for visualizing software call maps.
* [http://zvtm.sourceforge.net/index.html Zoomable Visual Transformation Machine] - Java. Originally started at Xerox Research Europe.
* [http://openmap.bbn.com/ OpenMap] - A Java-based Geographical Information System framework, from [[BBN]].

===Unclassified===
* [http://gravisto.fim.uni-passau.de/ Gravisto: Graph Visualization Toolkit] - An editor and toolkit for developing graph visualization algorithms.
* [http://www.gnu.frb.br:8080/rox Rox Graph Theory Framework] - An open-source plug-in framework for graph theory visualization.
* [http://touchgraph.sourceforge.net/ TouchGraph] - Library for building graph-based interfaces.

==Journals and Conferences==
* [http://www.palgrave-journals.com/ivs/index.html Information Visualization Journal]
* [http://rw4.cs.uni-sb.de/~diehl/softvis/seminar/index.php?goto=seminar ACM Symposium on Software Visualization]

==Research Groups==
===Berkeley===
* [http://bailando.sims.berkeley.edu/infovis.html Bailando Visualization]
* [http://vis.berkeley.edu/ Berkeley Visualization Lab]
===Brown===
* [http://www.cs.brown.edu/people/rt/gd.html Roberto Tamassia's resources on Graph Drawing]
===Stanford===
* [http://window.stanford.edu/projects/rivet/ Rivet Project] (visualizing complex systems)
===UMN===
* [http://www.msi.umn.edu/user_support/scivis/scivis-list.html Scientific Visualization at the Supercomputing Institute]
===Wattenberg===
* [http://www.bewitched.com/ Bewitched], a one-man research group.

==See Also==
* [http://www-static.cc.gatech.edu/gvu/ii/resources/infovis.html GVU's Information Visualization Resources link farm]
* [http://directory.google.com/Top/Science/Math/Combinatorics/Software/Graph_Drawing/ Google Directory of Graph Drawing Software]
* [http://directory.fsf.org/science/visual/ GNU Free Software Directory of scientific visualization software]
* [http://www.manageability.org/blog/stuff/open-source-graph-network-visualization-in-java/view Open Source Graph Network Visualization in Java]
* [http://www.insna.org/INSNA/soft_inf.html INSNA's web page of Computer Programs for Social Network Analysis]

Determining OS version from an evidence image

Revision as of 07:36, 26 March 2012

One of the first steps an examiner will need to carry out once they have an evidence image is to log system metadata, including OS version and patch level. This may be of particular importance if the image in question is from a machine that is suspected of having been compromised.

Windows

Windows 95/98/ME

Establish the boot volume, and locate the hidden text file \MSDOS.SYS. Locate the [Options]WinVer parameter:

WinVer OS
4.00.0950 Windows 95
4.00.1111 Windows 95 OSR2
4.03.1212 Windows 95 OSR2.1
4.03.1214 Windows 95 OSR2.5
4.10.1998 Windows 98
4.10.2222 Windows 98 SE
4.90.3000 Windows ME

Alternatively, establish WinDir ([Paths]WinDir in MSDOS.SYS) and locate the %WINDIR%\SYSTEM.DAT registry file. Next, look up the registry key Software\Microsoft\Windows\CurrentVersion\ and its values Version and VersionNumber. (Backup copies of SYSTEM.DAT may be found in .CAB files in %WINDIR%\SYSBCKUP.)
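The MSDOS.SYS lookup described above, as an added example (not part of the original page): parse the INI-style file, read [Options]WinVer and [Paths]WinDir, and map WinVer through the table. The sample file contents are constructed for the example; the boot volume is assumed to be mounted read-only at a path you supply.

```python
import configparser
import os

# WinVer -> product mapping, as tabulated on this page.
WINVER_TABLE = {
    "4.00.0950": "Windows 95",
    "4.00.1111": "Windows 95 OSR2",
    "4.03.1212": "Windows 95 OSR2.1",
    "4.03.1214": "Windows 95 OSR2.5",
    "4.10.1998": "Windows 98",
    "4.10.2222": "Windows 98 SE",
    "4.90.3000": "Windows ME",
}

def parse_msdos_sys(text):
    """Return (winver, os_name, windir) from the contents of MSDOS.SYS.
    The file is INI-style; the ';' padding lines that make it exceed 1 KB
    are treated as comments. A missing WinVer yields None, which is the
    cue to fall back to SYSTEM.DAT as described above."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    winver = cp.get("Options", "WinVer", fallback=None)
    windir = cp.get("Paths", "WinDir", fallback=None)
    os_name = None
    if winver:
        os_name = WINVER_TABLE.get(winver, "unknown WinVer (not in table)")
    return winver, os_name, windir

def parse_msdos_sys_file(boot_volume_root):
    """Read MSDOS.SYS from the root of a mounted boot volume. The file is
    written in the OEM code page, so decode as cp437 and tolerate stray bytes."""
    path = os.path.join(boot_volume_root, "MSDOS.SYS")
    with open(path, "r", encoding="cp437", errors="replace") as f:
        return parse_msdos_sys(f.read())

# Constructed sample, modelled on the layout of a Windows 98 SE MSDOS.SYS.
SAMPLE_MSDOS_SYS = """[Paths]
WinDir=C:\\WINDOWS
WinBootDir=C:\\WINDOWS
HostWinBootDrv=C

[Options]
BootMulti=1
BootGUI=1
AutoScan=1
WinVer=4.10.2222
;
;The following lines are required for compatibility with other programs.
;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa
"""
```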

Windows NT

Windows 2000/2003/XP/Vista

Information about a running system can be displayed using the command `ver` (and `systeminfo` on some systems).

During a forensic examination, information regarding the version of Windows can be found in a number of places. For example, by default, the Windows directory on Windows XP is "C:\Windows", where on Windows NT and 2000, it was "C:\Winnt". This is not definitive, however, because this directory name is easily modified during installation.

Determining the version of Windows from the Software Registry Hive file - navigate to the Microsoft\Windows NT\CurrentVersion key, and examine the values beneath the key; specifically, values such as ProductName, CSDVersion, ProductId (if available), BuildLab, and on Vista, BuildLabEx.

Determining the version of Windows from file version information - locate the file %WinDir%\system32\ntoskrnl.exe and review the file version information/strings from the resource section of the PE file. You can view this information with a hex editor, or extract it using a variety of means. There is a Perl module (Win32::File::VersionInfo) that will allow you to extract this information, and the Perl script kern.pl illustrates a platform-independent means of examining the PE header and ultimately locating the file version information.
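As an added example (not the page's kern.pl, nor the Win32::File::VersionInfo module), the following locates the VS_VERSIONINFO block inside an ntoskrnl.exe image by its UTF-16 key rather than walking the resource directory, decodes dwFileVersionMS/LS from VS_FIXEDFILEINFO, and pulls a named StringFileInfo value such as FileVersion. The sample binary and its version numbers are constructed for the test.

```python
import struct

def _value_offset(data, key_off, key):
    """Offset of the Value member that follows szKey in a VS_VERSIONINFO or
    String structure: a 6-byte header (wLength, wValueLength, wType) precedes
    szKey, and Value is padded to a 32-bit boundary relative to the start."""
    start = key_off - 6
    rel = key_off + len(key) + 2 - start          # skip the UTF-16 NUL
    return start + ((rel + 3) & ~3)

def fixed_file_version(data):
    """Return 'a.b.c.d' from VS_FIXEDFILEINFO.dwFileVersionMS/LS, or None."""
    key = "VS_VERSION_INFO".encode("utf-16-le")
    k = data.find(key)
    if k < 6:
        return None
    pos = _value_offset(data, k, key)
    if pos + 52 > len(data):                      # 13 DWORDs follow
        return None
    fields = struct.unpack_from("<13I", data, pos)
    if fields[0] != 0xFEEF04BD:                   # dwSignature
        return None
    ms, ls = fields[2], fields[3]
    return "%d.%d.%d.%d" % (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)

def string_value(data, name):
    """Return the StringFileInfo value for `name` ('FileVersion',
    'ProductName', ...), or None. Values are NUL-terminated UTF-16LE."""
    key = name.encode("utf-16-le")
    k = data.find(key)
    if k < 6:
        return None
    pos = end = _value_offset(data, k, key)
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[pos:end].decode("utf-16-le", errors="replace")

def _sample_ntoskrnl():
    """Constructed stand-in for ntoskrnl.exe: MZ stub plus a minimal version
    resource. The version numbers are made up for this example."""
    root_key = "VS_VERSION_INFO".encode("utf-16-le") + b"\x00\x00"
    fixed = struct.pack("<13I", 0xFEEF04BD, 0x00010000,
                        (5 << 16) | 1, (2600 << 16) | 9999,   # 5.1.2600.9999
                        (5 << 16) | 1, (2600 << 16) | 9999,
                        0x3F, 0, 0x40004, 1, 0, 0, 0)
    root = struct.pack("<HHH", 0, 52, 0) + root_key + b"\x00\x00" + fixed
    text = "5.1.2600.9999 (sample.000000-0000)".encode("utf-16-le") + b"\x00\x00"
    s_key = "FileVersion".encode("utf-16-le") + b"\x00\x00"
    string = struct.pack("<HHH", 0, len(text) // 2, 1) + s_key + b"\x00\x00" + text
    return b"MZ" + b"\x00" * 126 + root + b"\x00" * 8 + string + b"\x00" * 8

SAMPLE_NTOSKRNL = _sample_ntoskrnl()
```

On a real image the FileVersion string carries the build lab tag (the same information the page reads from the BuildLab registry value), which is why it is worth extracting alongside the numeric version.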

In order to determine the difference between Windows XP Professional and Home versions, look for the %WinDir%\system32\prodspec.ini file; it contains information regarding the Product type (either XP Pro or Home). Another way to do this is to look at the Microsoft Product Code (the first 5 digits of the Product ID). Some of these values:

Value (MPC) Version
55034 Windows XP Professional English
55683 Windows XP Professional Russian
55681 Windows XP Home Edition Russian

Unix/Linux

Information about a running system, including the kernel version, can be displayed using the command `uname -a`. However, this is not much good if you are performing dead analysis on a disk image.

Linux

A number of Linux distributions create a file in /etc to identify the release or version installed.

Distro Tag
Red Hat /etc/redhat-release
Debian /etc/debian-version

Solaris

Free/Net/OpenBSD

You can get the release and version of the BSD operating systems from inside the kernel images, even with only a disk image.

OS Kernel path
FreeBSD /boot/kernel/kernel
OpenBSD /bsd
NetBSD /netbsd

You can use the strings and grep tools to find this information: strings kernel_path | grep os_name (e.g. strings /bsd | grep OpenBSD).
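The Linux and BSD checks from the two sections above, combined into one dead-analysis routine as an added example (not part of the original page): the release-tag files are tried first, then each BSD kernel image is scanned with a strings(1)-equivalent and filtered to the version banner line, which is the narrowed form of `strings kernel | grep os_name`. The directory trees are constructed test fixtures standing in for a mounted image; file paths follow the page's tables, with the spelling /etc/debian_version added because that is the name actual Debian systems use.

```python
import os
import re
import tempfile

# Release-tag files and kernel images, following the tables on this page.
# Actual Debian systems name the tag file /etc/debian_version, so both are tried.
RELEASE_FILES = {"Red Hat": ["etc/redhat-release"],
                 "Debian": ["etc/debian_version", "etc/debian-version"]}
KERNEL_IMAGES = {"FreeBSD": "boot/kernel/kernel", "OpenBSD": "bsd", "NetBSD": "netbsd"}

def printable_strings(data, min_len=4):
    """Equivalent of strings(1): runs of at least min_len printable ASCII bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def identify_unix(root):
    """Identify a Linux/BSD system from its filesystem mounted under `root`.
    Returns (os_name, version_line) or (None, None)."""
    for distro, tags in RELEASE_FILES.items():
        for tag in tags:
            path = os.path.join(root, tag)
            if os.path.isfile(path):
                with open(path, "rb") as f:
                    return distro, f.read().decode("utf-8", "replace").strip()
    for bsd, kern in KERNEL_IMAGES.items():
        path = os.path.join(root, kern)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            data = f.read()
        # Like `strings kernel | grep OS_NAME`, but only the banner line
        # "OpenBSD 5.0 (GENERIC) #43: ..." counts, so other mentions of the
        # name inside the kernel do not produce false hits.
        banner = re.compile(r"^%s \d+\.\d+" % re.escape(bsd))
        hits = [s for s in printable_strings(data) if banner.match(s)]
        if hits:
            return bsd, hits[0]
    return None, None

def make_sample_image(flavour):
    """Constructed stand-in for a mounted evidence image (test data only)."""
    root = tempfile.mkdtemp(prefix="evidence_")
    if flavour == "redhat":
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "redhat-release"), "w") as f:
            f.write("Red Hat Enterprise Linux Server release 5.8 (Tikanga)\n")
    elif flavour == "openbsd":
        with open(os.path.join(root, "bsd"), "wb") as f:
            f.write(b"\x7fELF" + b"\x01\x02" * 32
                    + b"OpenBSD 5.0 (GENERIC) #43: Wed Aug 17 10:10:10 MDT 2011\x00"
                    + b"\x00" * 32)
    return root
```

If the kernel image on the evidence is compressed, decompress it before scanning; the banner is only visible in the uncompressed ELF.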

AIX

HP/UX