jnavarro.net

things i should not forget, and that, eventually, could interest people

RVT tools: plot_time.pl, plotting your timelines

RVT comes with a bunch of useful tools, not totally related to the forensic framework, but too small to be published on their own.

plot_time.pl, located under the RVT/tools folder of RVT’s svn repository (check it out), is a Perl script that plots bar graphs out of files in which each line contains values, one of them being a time. It is handy to represent values over time, or to count the number of lines per period of time. This script needs gnuplot 4.2 or greater on your path. Moreover, it uses the powerful Perl module Date::Manip to parse almost every known date format; it can be installed easily from CPAN or APT (apt-get install libdate-manip-perl).

plot_time.pl works in two modes: representing values as a function of time (mode 1), and representing the count of lines as a function of periods of time (mode 2, which integrates the appearance of values over every period defined).

Mode 1. Let itimeline-02.csv be a timeline generated with RVT, and let’s imagine that we want to represent graphically the size of the files as a function of time on July 5th 2008. We execute the following command:

perl plot_time.pl -interval='20080705 + 1 day' -tf 1 -vf 2 itimeline-02.csv

where the ‘-tf’ option marks that the first field is the time field, and the ‘-vf’ option establishes that the value to be plotted is the second one (file size). The following graph is generated:

plot_time.pl generated graph in Mode 1

Mode 2. This mode is activated with the ‘-sum’ option, and the period is established with the ‘-period’ option, using anything that Date::Manip can understand (‘day’, ‘hour’, …). So, executing the following command on the same data:

perl plot_time.pl -interval='20080705 + 1 day' -tf 1 -sum -period='hour' itimeline-02.csv

generates the following graph:

plot_time.pl generated graph in Mode 2

Also:

  • you can pipe your filtered timelines into plot_time.pl (e.g.: grep -i 'myfile.png' itimeline-02.csv | perl plot_time.pl …)
  • plot_time.pl skips comment lines, and it can also skip a number of lines with the ‘-skiplines’ option
  • plot_time.pl will ignore lines that match a regular expression when the ‘-excluderegexpr’ option is used
  • see plot_time.pl --help for more info
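To make the two modes concrete, here is an added Python sketch (not plot_time.pl itself, which is Perl and drives gnuplot) that bins a constructed timeline the way mode 1 and mode 2 are described above; the CSV layout, the fixed date format and the exact option semantics are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed timeline (not RVT's real itimeline format): time,size,path per line.
SAMPLE = """# itimeline-02.csv, constructed sample
2008-07-05 09:12:31,4096,/docs/a.txt
2008-07-05 09:47:02,120000,/docs/b.png
2008-07-05 10:03:55,512,/tmp/c.log
2008-07-05 10:59:59,2048,/docs/d.txt
2008-07-06 00:00:01,8192,/docs/e.txt
"""

def rows(text, tf=1, skiplines=0, excluderegexpr=None, sep=","):
    """Yield (timestamp, fields) for data lines. Mirrors the options described
    in the post: comment lines are skipped, -skiplines drops the first N lines,
    -excluderegexpr drops matching lines. Date::Manip would accept almost any
    date format; here a single fixed format is assumed."""
    pat = re.compile(excluderegexpr) if excluderegexpr else None
    for n, line in enumerate(text.splitlines()):
        line = line.strip()
        if n < skiplines or not line or line.startswith("#"):
            continue
        if pat and pat.search(line):
            continue
        fields = line.split(sep)
        yield datetime.strptime(fields[tf - 1], "%Y-%m-%d %H:%M:%S"), fields

def mode1(text, start, end, tf=1, vf=2, **kw):
    """Mode 1: value of field vf as a function of time, inside [start, end)."""
    return [(ts, int(f[vf - 1])) for ts, f in rows(text, tf, **kw) if start <= ts < end]

def mode2(text, start, end, period, tf=1, **kw):
    """Mode 2 (-sum -period): number of lines per period inside [start, end)."""
    counts = [0] * int((end - start) / period)
    for ts, _ in rows(text, tf, **kw):
        if start <= ts < end:
            counts[int((ts - start) / period)] += 1
    return counts

def text_bars(counts, start, period):
    """Text stand-in for the gnuplot bar graph: one row per non-empty period."""
    return "\n".join(f"{start + i * period:%Y-%m-%d %H:%M} | {'#' * c}"
                     for i, c in enumerate(counts) if c)

if __name__ == "__main__":
    day, hour = datetime(2008, 7, 5), timedelta(hours=1)
    print(mode1(SAMPLE, day, day + timedelta(days=1)))          # sizes on July 5th
    print(text_bars(mode2(SAMPLE, day, day + timedelta(days=1), hour), day, hour))
```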

We are now planning some new features for plot_time.pl, so stay tuned!

Written by dervitx

24 May 2009 at 19:58

RVT: support for F-Response

The last revision of RVT contains a little, tiny (it’s true, i swear!) change for making RVT directly functional with F-Response. However, the process of installing a new F-Response generated device is manual. Follow the next steps in order to add remote F-Response devices to your Revealer morgue:

  • assign one, or more, iSCSI nodes generated with F-Response to Linux devices. Documentation on open-iscsi commands can be found elsewhere
  • the assigned devices can be seen with the following open-iscsi command:

iscsiadm -m session -P 3

  • now, in your morgue/images/<case> directory, create a symbolic link to each of the devices, following the RVT nomenclature (<case>-<device>-<disk>.dd). Check the permissions!

# ln -s /dev/sdX 100xxx-yy-z.dd

  • run RVT, scan your morgue and use all the functions at your convenience!

RVT> images scanall

Feedback if you find problems!


Written by dervitx

14 May 2009 at 19:50

How to calculate the hash of a CD or DVD on Mac OS X

The daily work of the forensic investigator requires precision and deep control of the technical tools involved. For example, it is well known that tampering with a single bit of a digital file changes its hash completely. This can be critical when initiating a chain of custody of digital evidence, so i always use Linux when possible, due to the absolute control over everything needed in the process.

The problem appears when an acquisition has to be done at your customer’s offices, and when digital evidence must be burned on CD and hashed in front of your customer, the lawyer, the notary, the guy you are going to investigate… on your shiny Mac. Here are the steps that i use on these special occasions:

  • first, on the desktop, create a Burn Folder by right-clicking and selecting Burn Folder from the contextual menu
  • drag and drop onto it all the files that will be included as electronic evidence in this chain of custody
  • a double-click on the folder opens it. A button named Burn appears in the upper-right corner, so you can press it after inserting a blank CD or DVD

Now, the interesting stuff:  you need to calculate the hash and probably to burn identical copies with an identical cryptographic hash.

  • insert the CD or DVD and, in a terminal, run diskutil list, which provides a list of the devices used by your CD

$ diskutil list
/dev/disk2

#:                       TYPE NAME                    SIZE       IDENTIFIER
0:        CD_partition_scheme                        *6.8 Mi     disk2
1:     Apple_partition_scheme                         6.0 Mi     disk2s1
2:        Apple_partition_map                         31.5 Ki    disk2s1s1
3:                  Apple_HFS Carpeta de grabación   4.9 Mi     disk2s1s2

  • install a hash command line tool. I use sha256deep, included in the MacPorts package md5deep (sudo port install md5deep)
  • you must hash the raw device associated with the Apple_partition_scheme entry. In this example, the associated raw device is /dev/rdisk2s1. Be careful to use rdisk, not disk, because the latter requires you to unmount the CD:

$ sha256deep /dev/rdisk2s1

108143e8b1460cc2e8983bcc06cf792ea9837174c203c8cd4ab50ee87c9c5d9d  /dev/rdisk2s1

Making copies of the CD:

  • For some reason i don’t know, a dd command won’t work, so i use cat:

$ cat /dev/rdisk2s1 > image.cdr

  • check the hash:

$ sha256deep image.cdr

108143e8b1460cc2e8983bcc06cf792ea9837174c203c8cd4ab50ee87c9c5d9d  image.cdr

  • and burn the image as many times as you need with Toaster or Disk Utility

Note:

  • this method also works with a mono-session CD recorded elsewhere. In that case, diskutil does not show the Apple partition scheme but the data directly after the CD scheme:

/dev/disk2
#:                       TYPE NAME                    SIZE       IDENTIFIER
0:        CD_partition_scheme                        *785.4 Mi   disk2
1:              CD_ROM_Mode_1 wifislax-3.1            683.9 Mi   disk2s0
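As an added example (not from the post), a Python version of the checks above: it picks the partition entry to hash from the two diskutil listings shown on this page and compares device and image hashes the way sha256deep is used here. The assumption that the entry directly under CD_partition_scheme is the one to hash, and the /dev/rdisk naming, are taken from the post's own examples.

```python
import hashlib
import re

# Constructed copies of the two diskutil listings shown in the post.
DISKUTIL_BURN_FOLDER = """/dev/disk2
#:                       TYPE NAME                    SIZE       IDENTIFIER
0:        CD_partition_scheme                        *6.8 Mi     disk2
1:     Apple_partition_scheme                         6.0 Mi     disk2s1
2:        Apple_partition_map                         31.5 Ki    disk2s1s1
3:                  Apple_HFS Carpeta de grabación   4.9 Mi     disk2s1s2
"""
DISKUTIL_MONOSESSION = """/dev/disk2
#:                       TYPE NAME                    SIZE       IDENTIFIER
0:        CD_partition_scheme                        *785.4 Mi   disk2
1:              CD_ROM_Mode_1 wifislax-3.1            683.9 Mi   disk2s0
"""

ROW = re.compile(r"^\s*(\d+):\s+(\S+)\s.*?(\S+)\s*$")  # index, TYPE, IDENTIFIER

def raw_device(diskutil_output):
    """Pick the entry directly under CD_partition_scheme (index 1) and return
    its raw device path and type. Assumption, following the post: that is
    Apple_partition_scheme for a Burn Folder disc and CD_ROM_Mode_1 for a
    mono-session CD, and rdisk (not disk) is used so no unmount is needed."""
    for line in diskutil_output.splitlines():
        m = ROW.match(line)
        if m and m.group(1) == "1":
            return "/dev/r" + m.group(3), m.group(2)
    raise ValueError("no entry found under the CD partition scheme")

def sha256_stream(path, chunk=1 << 20):
    """Hash a device or image in chunks, as sha256deep does, without loading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def image_matches_device(device_path, image_path):
    """The check the post does by eye: the image made with cat hashes like the device."""
    return sha256_stream(device_path) == sha256_stream(image_path)
```

On a real Mac the call is image_matches_device("/dev/rdisk2s1", "image.cdr") after the cat step; any single flipped byte in the copy makes it return False.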

Written by dervitx

11 May 2009 at 21:23

RVT: libpst support

RVT v0.2 will support parsing Microsoft Outlook PST files through this command:

  • script mail parsepsts <partition>

which extracts all the contents of all the PSTs on that partition into the output/mail morgue folder

Written by dervitx

7 May 2009 at 7:31

Posted in digital forensics, Revealer Toolkit

RVT: new functions for extracting clusters

Two new RVT functions have been implemented, to be released in v0.2:

  • cluster extract raw <cluster> <partition>
  • cluster extract ascii <cluster> <partition>

Both extract one cluster from the specified partition: the first in raw format (like a direct dd), the second printing only printable (ascii) bytes and translating the rest to dots. The second also performs an additional hard wrap of the lines at 75 characters. The output is quite similar to that obtained with Autopsy.

Both commands accept the <cluster> argument either as a single number (the cluster) or as two numbers separated by a comma, the first being the cluster and the second the number of clusters to extract (defaults to 1).

For example, the following command extracts the clusters 2 and 3 of partition 100101-01-1-p02:

RVT> cluster extract ascii 2,2 100101-01-1-p02
----------------------------------------
100101-01-1-p02, 2,2

.W..Y..[..].._..a!.cA.ea.g..i..k..m..o..q!.sA.ua.w..y..{..}……!..A..a…
…………..!..A..a……………..!..A..a……………..!..A..a……
………..!..A..a……………..!..A..a……………..!..A..a………
……..!..A..a…………… .” .B .b .. .. .. .. ..!.”!.B!.b!..!..!..!..
!..”!””#B”%b”‘.”).”+.”-.”/.#1″#3B#5b#7.#9.#;.#=.#?.$A”$CB$Eb$G.$I.$K.$M.$O.
%Q”%SB%Ub%W.%Y.%[.%].%_.&a”&cB&eb&g.&i.&k.&m.&o.’q”‘sB’ub’w.’y.'{.’}.’..(.”
(.B(.b(..(..(..(..(..).”).B).b)..)..)..)..)..*.”*.B*.b*..*..*..*..*..+.”+.B
+.b+..+..+..+..+….”..B..b……………-.”-.B-.b-..-..-..-..-….”..B..b
……………/.”/.B/.b/../../../../..0.#0.C0.c0..0..0..0..0..1.#1.C1.c1..
1..1..1..1..2!#2#C2%c2′.2).2+.2-.2/.31#33C35c37.39.3;.3=.3?.4A#4CC4Ec4G.4I.
4K.4M.4O.5Q#5SC5Uc5W.5Y.5[.5].5_.6a#6cC6ec6g.6i.6k.6m.6o.7q#7sC7uc7w.7y.7{.
7}.7..8.#8.C8.c8..8..8..8..8..9.#9.C9.c9..9..9..9..9..:.#:.C:.c:..:..:..:..
:..;.#;.C;.c;..;..;..;..;..<.#<.C<.c<..<..<..<..<..=.#=.C=.c=..=..=..=..=..
>.#>.C>.c>..>..>..>..>..?.#?.C?.c?..?..?..?..?..@
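An added Python illustration of what the two commands compute (not RVT's own code): raw cluster bytes versus the dotted, 75-column ascii view, run over a constructed partition image; the 4096-byte cluster size, the image name and the sample contents are assumptions.

```python
import os
import string
import tempfile

PRINTABLE = frozenset(string.printable.encode()) - frozenset(b"\t\n\r\x0b\x0c")

def parse_cluster_arg(arg):
    """'<cluster>' or '<cluster>,<count>' as the RVT commands accept it."""
    first, _, count = arg.partition(",")
    return int(first), (int(count) if count else 1)

def cluster_extract_raw(image_path, cluster, count=1, cluster_size=4096):
    """Raw bytes of `count` clusters starting at `cluster`, like a direct dd.
    Cluster size is an assumption here; a real partition carries it in its boot
    sector / superblock and RVT would take it from the file system."""
    with open(image_path, "rb") as f:
        f.seek(cluster * cluster_size)
        return f.read(count * cluster_size)

def cluster_extract_ascii(image_path, cluster, count=1, cluster_size=4096, width=75):
    """Same bytes with non-printables shown as dots and lines hard-wrapped at 75."""
    data = cluster_extract_raw(image_path, cluster, count, cluster_size)
    text = "".join(chr(b) if b in PRINTABLE else "." for b in data)
    return "\n".join(text[i:i + width] for i in range(0, len(text), width))

def constructed_partition(path, cluster_size=4096):
    """Write a tiny constructed image: cluster 0 zeros, cluster 1 a text fragment,
    cluster 2 binary, cluster 3 a second text fragment (used as sample input)."""
    clusters = [b"\x00" * cluster_size,
                b"This is cluster one\r\n".ljust(cluster_size, b"\x00"),
                bytes(range(256)) * (cluster_size // 256),
                b"$MFT-like entry FILE0".ljust(cluster_size, b"\xff")]
    with open(path, "wb") as f:
        f.write(b"".join(clusters))

if __name__ == "__main__":
    img = os.path.join(tempfile.mkdtemp(), "100101-01-1-p02.dd")  # constructed name
    constructed_partition(img)
    cluster, count = parse_cluster_arg("2,2")   # clusters 2 and 3, as in the post
    print(cluster_extract_ascii(img, cluster, count))
```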

Written by dervitx

4 May 2009 at 19:37

Posted in digital forensics, Revealer Toolkit

RVT has RegRipper support

RegRipper support is added to the Revealer Toolkit Shell through these commands:

  • script regripper listmodules
  • script regripper execmodule <plugin> <hivetype> <partition>
  • script regripper execallmodules <hivetype> <partition>

The last one executes RegRipper over all the files that look like a registry hive, and stores the results in the output/regripper morgue folder, sorted by modification date.

Catch the latest code at http://code.google.com/p/revealertoolkit/, revision 32.

RegRipper code works under Linux after doing these steps:

  • installing the Parse::Win32Registry Perl module through CPAN
  • modifying rip.pl (see the diff file at the end)
  • converting the file to Unix format with the dos2unix tool
  • installing rip.pl and the plugins folder under /usr/local/RegRipper
  • finally, a ln -s /usr/local/RegRipper/rip.pl /usr/local/bin/rip will smooth your life

These changes extend earlier proposals a bit further (see http://brainstretching.blogspot.com/2008/10/linux-e-regripper.html)

1c1

< #! c:\perl\bin\perl.exe

> #!/usr/bin/perl
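Review bot: hard-coding /usr/bin/perl in the shebang ties rip.pl to the system Perl; `#!/usr/bin/env perl` would let the same file run with whichever perl is first on PATH, which matters when Parse::Win32Registry was installed into a non-system Perl. Minor, and otherwise consistent with the install steps above.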

29c29

< my $plugindir = “plugins\\”;

> my $plugindir = “/usr/local/RegRipper/plugins/”;
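Review bot: the plugin directory becomes a hard-coded absolute path, so the script breaks as soon as it is installed anywhere other than /usr/local/RegRipper. Deriving it from the script's own location, e.g. `use FindBin; my $plugindir = "$FindBin::RealBin/plugins/";`, keeps the /usr/local/bin/rip symlink working ($RealBin resolves the link) and removes the need to edit the path on every install.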

92c92

<             require “plugins\\”.$plugins{$i}.”\.pl”;

>             require $plugindir.$plugins{$i}.”\.pl”;
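Review bot: the `\.` inside the double-quoted `"\.pl"` is an unrecognized escape that Perl passes through with a warning under `use warnings`; plain `".pl"` is what is meant. Unrelated to the Linux port, but since this line is being edited anyway it is the moment to drop the backslash.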

Written by dervitx

3 May 2009 at 21:30