jnavarro.net

things i should not forget, and that, eventually, could interest people

Posts Tagged ‘RVT’

RVT: support for F-Response


The last revision of RVT contains a little, tiny (it’s true, I swear!) change that makes RVT directly usable with F-Response. However, installing a newly generated F-Response device is still a manual process. Follow the next steps to add remote F-Response devices to your Revealer morgue:

  • attach one or more of the iSCSI nodes generated by F-Response as Linux devices. Documentation on the open-iscsi commands can be found elsewhere
  • the attached devices can be seen with the following open-iscsi command:

iscsiadm -m session -P 3

  • now, in your morgue/images/<case> directory, create a symbolic link to each of the devices, using the RVT naming scheme (<case>-<device>-<disk>.dd). Check the permissions!

# ln -s /dev/sdX 100xxx-yy-z.dd

  • run RVT, scan your morgue and use all the functions at your convenience!

RVT> images scanall

Send feedback if you find problems!



Written by dervitx

14 May 2009 at 19:50

RVT: libpst support


RVT v0.2 will support parsing Microsoft Outlook PST files through this command:

  • script mail parsepsts <partition>

which extracts the contents of all PSTs found on that partition into the output/mail morgue folder.

Written by dervitx

7 May 2009 at 7:31

Posted in digital forensics, Revealer Toolkit


RVT: new functions for extracting clusters


Two new RVT functions have been implemented, to be released in v0.2:

  • cluster extract raw <cluster> <partition>
  • cluster extract ascii <cluster> <partition>

Both extract one cluster from the specified partition: the first in raw format (like a direct dd), the second printing only the printable (ASCII) bytes and translating the rest to dots. The second also performs an additional hard wrap of the lines at 75 characters. The output is quite similar to that obtained with Autopsy.

Both commands accept the <cluster> argument either as a single number (the cluster) or as two numbers separated by a comma, the first being the cluster and the second the number of clusters to extract (defaults to 1).

For example, the following command extracts the clusters 2 and 3 of partition 100101-01-1-p02:

RVT  > cluster extract ascii 2,2 100101-01-1-p02
——————————————–
100101-01-1-p02, 2,2

.W..Y..[..].._..a!.cA.ea.g..i..k..m..o..q!.sA.ua.w..y..{..}……!..A..a…
…………..!..A..a……………..!..A..a……………..!..A..a……
………..!..A..a……………..!..A..a……………..!..A..a………
……..!..A..a…………… .” .B .b .. .. .. .. ..!.”!.B!.b!..!..!..!..
!..”!””#B”%b”‘.”).”+.”-.”/.#1″#3B#5b#7.#9.#;.#=.#?.$A”$CB$Eb$G.$I.$K.$M.$O.
%Q”%SB%Ub%W.%Y.%[.%].%_.&a”&cB&eb&g.&i.&k.&m.&o.’q”‘sB’ub’w.’y.'{.’}.’..(.”
(.B(.b(..(..(..(..(..).”).B).b)..)..)..)..)..*.”*.B*.b*..*..*..*..*..+.”+.B
+.b+..+..+..+..+….”..B..b……………-.”-.B-.b-..-..-..-..-….”..B..b
……………/.”/.B/.b/../../../../..0.#0.C0.c0..0..0..0..0..1.#1.C1.c1..
1..1..1..1..2!#2#C2%c2′.2).2+.2-.2/.31#33C35c37.39.3;.3=.3?.4A#4CC4Ec4G.4I.
4K.4M.4O.5Q#5SC5Uc5W.5Y.5[.5].5_.6a#6cC6ec6g.6i.6k.6m.6o.7q#7sC7uc7w.7y.7{.
7}.7..8.#8.C8.c8..8..8..8..8..9.#9.C9.c9..9..9..9..9..:.#:.C:.c:..:..:..:..
:..;.#;.C;.c;..;..;..;..;..<.#<.C<.c<..<..<..<..<..=.#=.C=.c=..=..=..=..=..
>.#>.C>.c>..>..>..>..>..?.#?.C?.c?..?..?..?..?..@
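To make the two commands concrete, here is an added Python sketch (not the Toolkit’s own code) of the raw and ascii cluster extraction and of the “N” / “N,count” argument parsing, run over a constructed in-memory partition. The 16-byte cluster size, the sample data and the printable range 0x20..0x7e are assumptions for the demo.

```python
# Constructed sample partition: four clusters of 16 bytes each. The cluster
# size is an assumption for the demo; a real partition takes it from the
# file system (typically 512 bytes up to 64 KiB).
CLUSTER_SIZE = 16
SAMPLE_PARTITION = (
    b"BOOTSECTOR\x00\x00\x00\x00\x00\x00"                                 # cluster 0
    + b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"  # cluster 1
    + b"Hello, RVT!\x00\xff\x80\x7f\x0a"                                   # cluster 2
    + b"end of data....."                                                  # cluster 3
)


def parse_cluster_arg(arg):
    """Parse the <cluster> argument: "N" or "N,count" (count defaults to 1)."""
    parts = arg.split(",")
    if len(parts) == 1:
        return int(parts[0]), 1
    if len(parts) == 2:
        cluster, count = int(parts[0]), int(parts[1])
        if count < 1:
            raise ValueError("cluster count must be >= 1")
        return cluster, count
    raise ValueError("bad cluster argument: %r" % arg)


def extract_raw(partition, cluster, count=1, cluster_size=CLUSTER_SIZE):
    """Equivalent of 'cluster extract raw': the bytes of `count` consecutive
    clusters starting at `cluster`, exactly as dd would copy them."""
    start = cluster * cluster_size
    end = start + count * cluster_size
    if cluster < 0 or end > len(partition):
        raise ValueError("cluster range lies outside the partition")
    return partition[start:end]


def extract_ascii(partition, cluster, count=1, cluster_size=CLUSTER_SIZE, width=75):
    """Equivalent of 'cluster extract ascii': printable bytes are kept, every
    other byte becomes a dot, and the text is hard-wrapped at `width` chars."""
    raw = extract_raw(partition, cluster, count, cluster_size)
    # Printable ASCII assumed to be 0x20 (space) .. 0x7e (tilde).
    text = "".join(chr(b) if 0x20 <= b <= 0x7e else "." for b in raw)
    return "\n".join(text[i:i + width] for i in range(0, len(text), width))


if __name__ == "__main__":
    cluster, count = parse_cluster_arg("2,2")
    print(extract_ascii(SAMPLE_PARTITION, cluster, count))
```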

Written by dervitx

4 May 2009 at 19:37

Posted in digital forensics, Revealer Toolkit


RVT has RegRipper support


RegRipper support is added to the Revealer Toolkit shell through these commands:

  • script regripper listmodules
  • script regripper execmodule <plugin> <hivetype> <partition>
  • script regripper execallmodules <hivetype> <partition>

The last one runs RegRipper over every file that looks like a registry hive and stores the results in the output/regripper morgue folder, sorted by modification date.

Catch the latest code at http://code.google.com/p/revealertoolkit/, revision 32.

The RegRipper code works under Linux after these steps:

  • install the Parse::Win32Registry Perl module through CPAN
  • modify rip.pl (see the diff at the end)
  • convert the file to Unix line endings with the dos2unix tool
  • install rip.pl and the plugins folder under /usr/local/RegRipper
  • finally, a ln -s /usr/local/RegRipper/rip.pl /usr/local/bin/rip will smooth your life

These changes extend earlier proposals a bit (see http://brainstretching.blogspot.com/2008/10/linux-e-regripper.html).

1c1

< #! c:\perl\bin\perl.exe

> #!/usr/bin/perl
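Review bot: the new shebang hard-codes /usr/bin/perl; `#!/usr/bin/env perl` would also work on systems where perl lives elsewhere. Note that the dos2unix step listed above is what makes this line effective: a CR left at the end of the shebang makes the kernel look for an interpreter named `perl\r`, and the script fails to start with "bad interpreter".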

29c29

< my $plugindir = “plugins\\”;

> my $plugindir = “/usr/local/RegRipper/plugins/”;
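Review bot: making $plugindir an absolute path decouples rip.pl from the current working directory, which the symlink in /usr/local/bin relies on; keep the trailing slash as written, since line 92 concatenates it directly with the plugin name. A `-d $plugindir or die` check near this line would give a clear error instead of a failing require later.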

92c92

<             require “plugins\\”.$plugins{$i}.”\.pl”;

>             require $plugindir.$plugins{$i}.”\.pl”;
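Review bot: `require` now loads plugins by a computed path, so any Perl file placed under /usr/local/RegRipper/plugins/ executes with the rights of the analyst running rip; keep that directory owned by root and not group- or world-writable, in the same spirit as the "Check the permissions!" advice for the morgue. Separately, the `\.` inside the double-quoted string is an unnecessary escape that `use warnings` reports as "Unrecognized escape \. passed through"; a plain ".pl" is cleaner.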

Written by dervitx

3 May 2009 at 21:30