Difference between pages "How to make a simple forensic/investigation framework" and "Argus"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Tips)
 
(Created page with '== Overview == '''argus''' is a network flow monitor that is used to establish network activity audits, that are then used to supplement traditional IDS based network security. …')
 
Line 1: Line 1:
Often, forensic labs are overloaded and investigators complains about the long waiting time. The solution for both professionals is to reduce the amount of seized material.
+
== Overview ==
  
But how do you know if a computer is relevant without looking into it? And how to look into it in a fast and forensic acceptable way?
+
'''argus''' is a network flow monitor that is used to establish network activity audits, that are then used to supplement traditional IDS based network security. These sites use contemporary IDS technology like snort and/or Bro to generate events and alarms, and then use the Argus network audit data to provide context for those alarms to decide if the alarms are real problems. In many DIY efforts, snort, Bro and argus run on the same high performance device. The audit data that Argus generates is great for network forensics, non-repudiation, network asset and service inventory, behavioral baselining of server and client relationships, detecting very slow scans, and supporting Zero day events. The network transaction audit data that Argus generates has also been used for a wide range of other tasks including Network Billing and Accounting, Operations Management and Performance Analysis.
  
Many procedures are emerging around the world to allow the investigator to access seized computer data remotely, in a environment configured and maintained by the forensic professional. The investigator can perform an initial analysis, quickly pointing  the most important computers among all computers seized, speeding the subsequent forensic exam, which is more time consuming, and reducing the amount of computers in which the exam will be made.
+
Argus uses libpcap and it has been ported to virtually every [[Unix]] platform, OpenWRT and on [[Windows | Win32]] using Cygwin.
 
+
==Hardware==
+
* Storage server(s) - server(s) with large storage capacity to keep the sized disk images.
+
* Samba server - to be accessed by the investigators.
+
 
+
==Software==
+
*GNU/Linux
+
*Samba
+
*SquashFS
+
*NFS(optional)
+
 
+
==Installation==
+
*Storage server:
+
**Install the GNU/Linux distribution of your choice.
+
**Install the squashfs kernel-patch package and tools.
+
**Install NFS or Samba to share the disk images with the 'Samba server'.
+
**Install dcfldd, GNU ddrescue, or both, or stay with dd.
+
 
+
*Samba server:
+
**Install the GNU/Linux distribution of your choice.
+
**Install Samba.
+
 
+
==Usage==
+
===On the Storage server===
+
*Mirror the seized disk to a temporary folder:
+
dcfldd if=/dev/sdXX of=/tmpstg/M090834/image.dd hash=md5 hashlog=/tmpstg/M090834/hashlog.md5 hashwindow=1G
+
or
+
ddrescue /dev/sdXX /tmpstg/M090834/image.dd /tmpstg/M090834/ddrescue.log
+
*Compress the folder to a SquashFs image:
+
mksquashfs /tmpstg/M090834 /storage/M090834.squash
+
*Make sure the file is shared with the Samba server
+
#cat /etc/exports
+
/storage samba_server(ro)
+
===On the Samba server===
+
*Add a line in /etc/fstab to access the squash files
+
storage:/storage /storage nfs _netdev,ro,soft 0 0
+
*Add a line in /etc/fstab to access the dd images
+
/storage/M090834.squash /mnt/materials/M090834/ squashfs ro,_netdev,loop
+
*Add a line to each partition in the dd image
+
/mnt/materials/M090834/image.dd /mnt/mountpoints/M090834/C ntfs iocharset=utf8,offset=32256,loop 0 0
+
*Share the partition contents, modifying smb.conf
+
[M090834]
+
        path = /mnt/mountpoints/M090834
+
        valid users = investigatorusername
+
 
+
==Tips==
+
*The number of loop devices can be increased at boot with the 'max_loop=512' kernel option.
+
*May be necessary to specify the loop number in fstab, like 'ro,_netdev,loop=/dev/loopXX'.
+
*mkshashfs can be used to add new files to an existing squash image, so it is easy to group related materials together in a single file.
+
 
+
 
+
[[Category:Howtos]]
+

Revision as of 11:52, 31 August 2009

Overview

argus is a network flow monitor that is used to establish network activity audits, that are then used to supplement traditional IDS based network security. These sites use contemporary IDS technology like snort and/or Bro to generate events and alarms, and then use the Argus network audit data to provide context for those alarms to decide if the alarms are real problems. In many DIY efforts, snort, Bro and argus run on the same high performance device. The audit data that Argus generates is great for network forensics, non-repudiation, network asset and service inventory, behavioral baselining of server and client relationships, detecting very slow scans, and supporting Zero day events. The network transaction audit data that Argus generates has also been used for a wide range of other tasks including Network Billing and Accounting, Operations Management and Performance Analysis.

Argus uses libpcap and it has been ported to virtually every Unix platform, OpenWRT and on Win32 using Cygwin.