Difference between pages "Tools:Network Forensics" and "How to image an IDE disk with aimage and FreeBSD"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(Network Forensics Packages and Appliances)
 
(See Also)
 
Line 1: Line 1:
=Network Forensics Packages and Appliances=
+
Here is a photo of my disk imaging system:
; [[E-Detective]]
+
: http://www.edecision4u.com/
+
: http://www.digi-forensics.com/home.html
+
  
; [[Burst]]
+
[[Image:ImagingStationx4.jpg|320px|Photo of an open computer with 4 hard drives connected.]]
: http://www.burstmedia.com/release/advertisers/geo_faq.htm
+
: Expensive [[IP geolocation]] service.
+
  
; [[chkrootkit]]
+
Key elements of the disk imaging system:
: http://www.chkrootkit.org
+
* You need to have an internal IDE card which is not used for anything but disk imaging;
 +
* You need to have an external hard drive power supply, so that you can power the IDE drives without using your computer's power supply (if you use your computer's power supply, you can easily crash your computer when attaching or detaching the power supply);
  
; [[cryptcat]]
+
=Imaging Checklist=
: http://farm9.org/Cryptcat/
+
# [[How To Set Up a Disk Imaging Station|Set up a disk imaging station]];
 +
# You should have a 50-pin IDE ribbon cable going from your IDE controller to the desktop;
 +
# Do not connect your imaging drive yet!
 +
# Boot the computer into [[FreeBSD]];
 +
# Attach the IDE hard drive to the ribbon cable FIRST;
 +
# Now, attach power to the IDE drive;
 +
# You need to determine which ATA port the IDE drive is now connected to. In all likelihood it is <tt>ata0, ata1, ata2</tt> or <tt>ata3</tt>. If you have an internal hard drive on an IDE interface, then the internal interface is probably <tt>ata0</tt> and <tt>ata1</tt> and the external is probably on <tt>ata2</tt> or <tt>ata3</tt>;
 +
# You also need a place to store the [[AFF]] files you are going to be creating. I usually put them in <tt>/usr/affs</tt> which is a directory you will need to create;
 +
# Log in as ''root'';
 +
# mkdir /usr/affs
 +
# Now, try to image the drive with this command:
 +
  aimage ata2 /usr/affs/disk1.aff
 +
# If this doesn't work, try:
 +
  aimage ata3 /usr/affs/disk1.aff
 +
# If it works, you'll see the [[aimage]] program running.
  
; [[Enterasys Dragon]]
+
=What can go wrong=
: http://www.enterasys.com/products/advanced-security-apps/index.aspx
+
* ''[[aimage]]'' may not be installed. If you get the error message "aimage: command not found" then you need to install [[AFFLIB]] and then make sure that the ''aimage'' command (usually installed in ''/usr/local/bin'') is in your ''PATH''. You can check this out by running ''/usr/local/bin/aimage'' instead of ''aimage'';
: Instrusion Detection System, includes session reconstruction.
+
* Your source drive can be broken, ''[[aimage]]'' should tell you this;
 +
* You can run out of disk space. You need a LOT of disk space to store disk images — figure 30GB to image a 60GB drive.
  
 
+
=What to do after you have made your images=
; [[ipfix]]/[[netflow v5/9]]
+
Once you have made a few images, you'll need to put them somewhere. Typically this means uploading them to a server.
: http://www.mantaro.com/products/MNIS/collector.htm
+
=See Also=
: MNIS Collector is an IPFIX collector which also supports legacy Netflow.  It was designed to be used with the MNIS Exporter, which is a Deep Packet Inspection probe that can be used to decode 300+ protocols on up to 20 Gbps and report the information in IPFIX.
+
[[How To Set Up a Disk Imaging Station]]
 
+
[[How To Ship Images]]
 
+
[[Category:Howtos]]
; [[Mantaro Network Intelligence Solutions (MNIS)]]
+
: http://www.mantaro.com/products/MNIS/index.htm
+
: MNIS  is a comprehensive and scalable network intelligence platform for network forensics and various other applications.  It is built on high speed Deep Packet Inspection and metadata alerting.  It can be used to understand network events before and after an event. It scales from LAN environments to 20 Gbps service provider networks.
+
: http://www.mantaro.com/products/MNIS/network_intelligence_applications.htm#network_forensics
+
 
+
 
+
; [[MaxMind]]
+
: http://www.maxmind.com
+
: [[IP geolocation]] services and data provider for offline geotagging. Free GeoLite country database. Programmable APIs.
+
 
+
; [[netcat]]
+
: http://netcat.sourceforge.net/
+
 
+
 
+
; [[netflow]]/[[flowtools]]
+
: http://www.cisco.com/warp/public/732/Tech/nmp/netflow/index.shtml
+
: http://www.splintered.net/sw/flow-tools/
+
: http://silktools.sourceforge.net/
+
: http://www.vmware.com/vmtn/appliances/directory/293 Netflow Appliance (VMWare)
+
 
+
; NetDetector
+
: http://www.niksun.com/product.php?id=4
+
: NetDetector is a full-featured appliance for network security surveillance, signature-based anomaly detection, analytics and forensics. It complements existing network security tools, such as firewalls, intrusion detection/prevention systems and switches/routers, to help provide comprehensive defense of hosted intellectual property, mission-critical network services and infrastructure
+
 
+
 
+
; NetIntercept
+
: http://www.sandstorm.net/products/netintercept
+
: NetIntercept captures whole packets and reassembles up to 999,999 TCP connections at once, reconstructing files that were sent over your network and creating a database of its findings. It recognizes over 100 types of network protocols and file types, including web traffic, multimedia, email, and IM.
+
 
+
; NetVCR
+
: http://www.niksun.com/product.php?id=3
+
: NetVCR delivers comprehensive real-time network, service and application performance management. It is an integrated, single-point solution that decisively replaces multiple network performance monitoring and troubleshooting systems. NetVCR’s scalable architecture easily adapts to data centers, core networks, remote branches or central offices for LAN and WAN requirements
+
 
+
;NIKSUN Full Function Appliance
+
: http://www.niksun.com/product.php?id=11
+
: NIKSUN’s Full-Function Appliance combines the value of both NetDetector and NetVCR for complete network performance and security surveillance. This plug-and-play appliance offers customers a complete range of network security and performance monitoring solutions that identify, capture and analyze the root-cause of any security or network incident the first time! The unique enterprise-wide network visibility provided by this product is extremely attractive to large enterprises requiring an integrated and proactive solution to combat the constant barrage of security and network incidents such as worms, viruses, Trojan-horse attacks, Denial of Service (DoS) attacks, outages, overload and service slowdown, etc.
+
 
+
; NetOmni
+
: http://www.niksun.com/product.php?id=1
+
: NetOmni provides global visibility across the network so IT professionals can manage multiple products and vendors from one central location. NetOmni streamlines the network management process in a manner conducive to a “best-practices” model that ensures Service Level Agreements (SLA), Quality of Services (QoS) and maximum revenue opportunities.
+
 
+
; NISUN Puma Portable
+
: http://www.niksun.com/product.php?id=15
+
: NIKSUN's Puma, a portable network monitoring appliance, allows customers to leverage the state-of-the-art network performance, security and compliance monitoring technology as a robust luggable appliance that can be conveniently used in the field. Deployed in a few short steps, Puma offers with exceptional functionality of NIKSUN's renowned performance and security monitoring technology within minutes to field personnel. Puma, is now capable of monitoring networks at 10G speeds. The incorporation of real-time 10G monitoring to the Puma feature-set enhances the already excellent value that Puma provides to customers, making it the go-to portable monitoring and forensics tool for network professionals
+
 
+
 
+
; [[ipfix]]/[[netflow v5/9]]
+
: http://www.mantaro.com/products/MNIS/collector.htm
+
: MNIS Collector is an IPFIX collector which also supports legacy Netflow.  It was designed to be used with the MNIS Exporter, which is a Deep Packet Inspection probe that can be used to decode 300+ protocols on up to 20 Gbps and report the information in IPFIX.
+
 
+
[[NetSleuth]]
+
: http://www.netgrab.co.uk/
+
NetSleuth is a free network analysis tool released under the GPL. NetSleuth can be used to analyse and fingerprint hosts from pcap files, designed for post event incident response and network forensics. It also supports a live sniffing mode, silently identifying and fingerprinting devices without needing to send any traffic onto a network.
+
 
+
 
+
; [[NetworkMiner]]
+
: http://sourceforge.net/projects/networkminer/
+
: http://www.netresec.com/?page=NetworkMiner
+
: NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files. The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames). NetworkMiner has, since the first release in 2007, become popular tool among incident responce teams as well as law enforcement. NetworkMiner is today used by companies and organizations all over the world.
+
: NetworkMiner is available both as a [http://sourceforge.net/projects/networkminer/ free open source tool] and as a [http://www.netresec.com/?page=NetworkMiner commercial network forensics tool].
+
 
+
 
+
; [[pcap2wav]]
+
: http://pcap2wav.xplico.org/
+
: VoIP/RTP decoder. pcap2wav is part (a sub-project) of [[Xplico]] and it supports and decodes the following audio codecs: G711ulaw, G711alaw, G722, G729, G723, G726 and MSRTA (x-msrta: Real Time Audio).
+
 
+
 
+
; [[rkhunter]]
+
: http://rkhunter.sourceforge.net/
+
 
+
; [[ngrep]]
+
: http://ngrep.sourceforge.net/
+
 
+
; [[nslookup]]
+
: http://en.wikipedia.org/wiki/Nslookup
+
: Name Server Lookup command line tool used to find IP address from domain name.
+
 
+
; [[Sguil]]
+
: http://sguil.sourceforge.net/
+
 
+
; [[Snort]]
+
: http://www.snort.org/
+
 
+
; [[ssldump]]
+
: http://ssldump.sourceforge.net/
+
 
+
; [[tcpdump]]
+
: http://www.tcpdump.org
+
 
+
; [[tcpxtract]]
+
: http://tcpxtract.sourceforge.net/
+
 
+
; [[tcpflow]]
+
: http://www.circlemud.org/~jelson/software/tcpflow/
+
 
+
; [[truewitness]]
+
: http://www.nature-soft.com/forensic.html
+
: Linux/open-source. Based in India.
+
 
+
; [[OmniPeek]] by [[WildPackets]]
+
: http://www.wildpackets.com/solutions/network_forensics
+
: http://www.wildpackets.com/products/network_analysis/omnipeek_network_analyzer/forensics_search
+
: OmniPeek is a network forensics tool used to capture, store, and analyze historical network traffic.
+
 
+
; [[Whois]]
+
: http://en.wikipedia.org/wiki/WHOIS Web service and command line tool to look up registry information for internet domain.
+
: http://www.arin.net/registration/agreements/bulkwhois.pdf Bulk WHOIS data request from ARIN
+
 
+
; [[IP Regional Registries]]
+
: http://www.arin.net/community/rirs.html
+
: http://www.arin.net/index.shtml American Registry for Internet Numbers (ARIN)
+
: http://www.afrinic.net/ African Network Information Center (AfriNIC)
+
: http://www.apnic.net/ Asia Pacific Network Information Centre (APNIC)
+
: http://www.lacnic.net/en/ Latin American and Caribbean IP Address Regional Registry (LACNIC)
+
: http://www.ripe.net/ RIPE Network Coordination Centre (RIPE NCC)
+
 
+
; [[Wireshark]] / Ethereal
+
: http://www.wireshark.org/
+
: Open Source protocol analyzer previously known as ethereal.
+
 
+
; [[Kismet]]
+
: http://www.kismetwireless.net/
+
: Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.
+
 
+
; [[kisMAC]]
+
: http://www.http://kismac-ng.org/
+
: KisMAC is an open-source and free sniffer/scanner application for Mac OS X.
+
 
+
; [[Xplico]]
+
: http://www.xplico.org/
+
: Open Source Network Forensic Analysis Tool (NFAT). Protocols supported: [http://www.xplico.org/status HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...]
+
: VoIP sniffer and decoder. Audio codec supported: G711ulaw, G711alaw, G722, G729, G723, G726 and MSRTA
+
 
+
=Command-line tools=
+
 
+
[[arp]] - view the contents of your ARP cache
+
 
+
[[ifconfig]] - view your mac and IP address
+
 
+
[[ping]] - send packets to probe remote machines
+
 
+
[[SplitCap]] http://splitcap.sourceforge.net/ - SplitCap is a free open source pcap file splitter.
+
 
+
[[tcpdump]] - capture packets
+
 
+
[[snoop]] - captures packets from the network and displays their contents ([[Solaris]])
+
 
+
[[nemesis]] - create arbitrary packets
+
 
+
[[tcpreplay]] - replay captured packets
+
 
+
[[traceroute]] - view a network path
+
 
+
[[gnetcast]] - GNU rewrite of netcat
+
 
+
[[packit]] - packet generator
+
 
+
[[nmap]] - utility for network exploration and security auditing
+
 
+
[[Xplico]] Open Source Network Forensic Analysis Tool (NFAT)
+
 
+
==ARP and Ethernet MAC Tools==
+
 
+
[[arping]] - transmit ARP traffic
+
 
+
[[arpdig]] - probe LAN for MAC addresses
+
 
+
[[arpwatch]] - watch ARP changes
+
 
+
[[arp-sk]] - perform denial of service attacks
+
 
+
[[macof]] - CAM table attacks
+
 
+
[[ettercap]] - performs various low-level Ethernet network attacks
+
 
+
==CISCO Discovery Protocol Tools==
+
[[cdpd]] - transmit and receive CDP announcements; provides forgery capabilities
+
 
+
==ICMP Layer Tests and Attacks==
+
[[icmp-reset]]
+
 
+
[[icmp-quench]]
+
 
+
[[icmp-mtu]]
+
 
+
[[ish]] - ICMP shell (like SSH, but uses ICMP)
+
 
+
[[isnprober]]
+
 
+
==IP Layer Tests==
+
[[iperf]] - IP multicast test
+
 
+
[[fragtest]] - IP fragment reassembly test
+
 
+
==UDP Layer Tests==
+
 
+
[[udpcast]] - includes UDP-receiver and UDP-sender
+
 
+
==TCP Layer==
+
 
+
[[lft]] http://pwhois.org/lft - TCP tracing
+
 
+
[[etrace]] http://www.bindshell.net/tools/etrace
+
 
+
[[firewalk]] http://www.packetfactory.net
+

Revision as of 19:53, 22 February 2010

Here is a photo of my disk imaging system:

Photo of an open computer with 4 hard drives connected.

Key elements of the disk imaging system:

  • You need to have an internal IDE card which is not used for anything but disk imaging;
  • You need to have an external hard drive power supply, so that you can power the IDE drives without using your computer's power supply (if you use your computer's power supply, you can easily crash your computer when attaching or detaching the power supply);

Contents

Imaging Checklist

  1. Set up a disk imaging station;
  2. You should have a 50-pin IDE ribbon cable going from your IDE controller to the desktop;
  3. Do not connect your imaging drive yet!
  4. Boot the computer into FreeBSD;
  5. Attach the IDE hard drive to the ribbon cable FIRST;
  6. Now, attach power to the IDE drive;
  7. You need to determine which ATA port the IDE drive is now connected to. In all likelihood it is ata0, ata1, ata2 or ata3. If you have an internal hard drive on an IDE interface, then the internal interface is probably ata0 and ata1 and the external is probably on ata2 or ata3;
  8. You also need a place to store the AFF files you are going to be creating. I usually put them in /usr/affs which is a directory you will need to create;
  9. Log in as root;
  10. mkdir /usr/affs
  11. Now, try to image the drive with this command:
 aimage ata2 /usr/affs/disk1.aff
  1. If this doesn't work, try:
 aimage ata3 /usr/affs/disk1.aff
  1. If it works, you'll see the aimage program running.

What can go wrong

  • aimage may not be installed. If you get the error message "aimage: command not found" then you need to install AFFLIB and then make sure that the aimage command (usually installed in /usr/local/bin) is in your PATH. You can check this out by running /usr/local/bin/aimage instead of aimage;
  • Your source drive can be broken, aimage should tell you this;
  • You can run out of disk space. You need a LOT of disk space to store disk images — figure 30GB to image a 60GB drive.

What to do after you have made your images

Once you have made a few images, you'll need to put them somewhere. Typically this means uploading them to a server.

See Also

How To Set Up a Disk Imaging Station How To Ship Images