[SGVLUG] Install Fest' Volunteers & Disk Recovery

matti mathew_2000 at yahoo.com
Fri Mar 13 16:46:41 PDT 2009



Hi Braydon!

I looked at some of the notes/references and
I didn't notice anything on HFS+ file systems.

I may have overlooked it though.

Googling "linux hfs+ recovery"
gave me a few references I would look at;
I would also google "linux hfs+ forensics"
and see what that brings up.

Here are the references I had while I was
preparing for the meeting (see below).

thanks!
matti


> Matti, please send over the resources you found for disk recovery.
> I had a HFS+ formatted disk that was repartitioned and slightly
> written over, and want to see what I can salvage.
> 
> Also, I would like to help out with the upcoming install fest,
> please keep me in the loop :)
> 
>     Braydon

---

References:
===================

Tools:
=======

dcfldd - DoD enhanced dd that performs md5sum hashing
http://dcfldd.sourceforge.net/
http://www.forensicswiki.org/wiki/Dcfldd

Chkrootkit (http://www.chkrootkit.org/)

Tripwire (http://www.tripwire.org/ - opensource version)

Samhain (http://la-samhna.de/samhain/)
Samhain is a file integrity system (and host-based intrusion detection system). It
can be used networked or standalone.

Rootkit Hunter (http://www.rootkit.nl/projects/rootkit_hunter.html)
Rootkit Hunter is an easy-to-use tool which checks machines running UNIX (clones)
for the presence of rootkits and other unwanted tools.

Autopsy Forensic Browser 2.21 (updated 4 February 2009)
The Autopsy Forensic Browser is a graphical interface to the command line digital forensic analysis tools in The Sleuth Kit.
The Sleuth Kit 3.0.1 (updated 4 February 2009)
The Sleuth Kit is a collection of UNIX-based command line file system forensic tools.
http://www.sleuthkit.org/index.php

Rootkit Hunter 1.3.4 (updated 6 January 2009)
This scanning tool ensures you're clean of nasty tools.
http://www.rootkit.nl/
http://rkhunter.sourceforge.net/

trisul
Network metering and forensics platform 
trisul 0.4.116 (updated 5 June 2008)
Trisul is a network metering and forensics tool.
http://code.google.com/p/trisul/

FTimes 3.8.0 (updated 23 April 2007)
FTimes is a system baselining and evidence collection tool.
http://ftimes.sourceforge.net/

tripwire opensource version
http://sourceforge.net/projects/tripwire/

THE FARMER'S BOOT CD
http://www.forensicbootcd.com/

airt-linux
AIRT (Advanced Incident Response Tool) is a set of incident response assistant tools for the Linux platform. It's useful when you want to know whether an evil kernel backdoor is resident on your broken system and what it is. It consists of 5 tools now:
mod_hunter: looks for hidden modules on the suspect system.
process_hunter: looks for processes hidden from the kernel on the suspect system.
sock_hunter: looks for ports hidden from the kernel on the suspect system.
modumper: dumps a hidden module into a file.
dismod: tries to analyze the dumped module.
airt-0.4.2
Last Update: Aug 25 2005
http://sourceforge.net/projects/airt-linux/

AIRT is a set of incident response assistant tools for the Linux platform. It is useful for finding out what a malicious program is doing on your system and if one exists.

Presently it consists of the following modules:
* mod_hunter - Searches for hidden modules on the system
* process_hunter - Searches for processes hidden to normal detection methods
* sock_hunter - Detects hidden ports that are opened on the machine
* modumper - Dumps a hidden module into file
* dismod - Tries to analyze a dumped module created with modumper



LINReS - An open source Linux Incident Response Tool!
http://www.niiconsulting.com/checkmate/2006/07/linres-an-open-source-linux-incident-response-tool/
http://sourceforge.net/projects/linres



99lb
Open-source tool for Linux that can be used as part of live information gathering during an incident response to allow for after the fact in depth analysis of the running system.
http://sourceforge.net/projects/the99lb/

suggested tools:
http://www.sysresccd.org/System-tools

http://www.partimage.org/Main_Page
http://clonezilla.org/
http://www.cgsecurity.org/wiki/TestDisk
http://www.supergrubdisk.org/

Trinity Rescue Kit | CPR for your computer
http://trinityhome.org/Home/index.php
Trinity Rescue Kit or TRK is a free live Linux distribution that aims specifically at recovery and repair operations on Windows machines, but is equally usable for Linux recovery issues.

Currently in Alpha... looks interesting
Firefox - Firekeeper
Firekeeper is an Intrusion Detection and Prevention System for Firefox. It is able to detect, block and warn the user about malicious sites. Firekeeper uses flexible rules similar to Snort ones to describe browser based attack attempts. Rules can also be used to effectively filter different kinds of unwanted content.
http://firekeeper.mozdev.org/

Incident Response Script for Linux (German site)
http://computer-forensik.org/tools/ix/ix-special/

http://www.linux-forensics.com/

http://www.forensicswiki.org/wiki/Main_Page

Digital Forensics in Linux - Reclaiming Data Off a Failed Hard Drive.
March 11, 2008 | By: UbuntuLinuxHelp
http://ubuntulinuxhelp.com/digital-forensics-in-linux-reclaiming-data-off-a-failed-hard-drive/



Helix
http://www.forensicswiki.org/index.php?title=Helix
Helix is a Live CD built on top of Ubuntu. It focuses on incident response and computer forensics.
As of February 2009 E-fense is no longer offering Helix3 as free software and requires a membership of $14.95 a month in order to download a copy of Helix3. Because of this a community version is being developed and is scheduled for release in April 2009. HelixCE Community forum is available at

STD 0.1
security tools distribution
http://s-t-d.org/




==============================
Guides / documents / Websites:
==============================

7 Live CDs listed for forensics
http://www.livecdlist.com/?pick=All&sort=&showonly=forensics

Linux forensics - Introduction 
http://www.dedoimedo.com/computers/forensics-intro.html

Forensic Analysis of a Live Linux System, Pt. 1
Mariusz Burdach 2004-03-22
http://www.securityfocus.com/infocus/1769

Forensic Analysis of a Live Linux System, Pt. 2
Mariusz Burdach 2004-04-12
http://www.securityfocus.com/infocus/1773

Detecting Rootkits And Kernel-level Compromises In Linux
Mariusz Burdach 2004-11-18
http://www.securityfocus.com/infocus/1811

more linux tools
http://www.dedoimedo.com/computers/collection_linux.html

http://www.dedoimedo.com/computers/protech.html
[ had lots of great things to say about Linux forensics - Part 2: Protech ]
Protech ONE
http://www.techm4sters.org/

Linux Security Guides
http://www.linuxtopia.org/online_books/linux_security_index.html

Red Hat Linux 9: Red Hat Linux Security Guide
Incident Response
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/ch-response.html

Incident Response Tools For Unix, Part One: System Tools
Holt Sorenson 2003-03-27
http://www.securityfocus.com/infocus/1679

Incident Response Tools For Unix, Part Two: File-System Tools
Holt Sorenson 2003-10-17
http://www.securityfocus.com/infocus/1738

nice slides from toorcon
Linux Kernel Rootkit Detection and Analysis during Incident Response  
Gabriel Lawrence
UCSD
October 19, 2007
http://toorcon.org/2007/talks/11/Gabe_Lawrence.ppt

seriously paranoid procedures for CSI teams..
http://www.crazytrain.com/seizure.html

Linux Resources
www.crazytrain.com
www.smartforensics.net
www.opensourceforensics.org
http://groups.yahoo.com/group/linux_forensics/

a bit dated imho, however some interesting stuff
http://www.porcupine.org/forensics/

Forensics - Links
http://www.forinsect.de/forensics/forensics-links.html

Slides from a good lecture:
http://www.wittsend.com/mhw/2003/ale-forensics/

http://www.opensourceforensics.org/tools/unix.html

Checking UNIX/LINUX Systems for Signs of Compromise
Oxford University, University College London
Patrick Green (OxCERT), Simon Baker (UCL Computer Security Team)
http://www.first.org/resources/guides/

Set up a log server: send copies of logs to another server
http://www.linuxsecurity.com/content/view/117514/171/

more at
https://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-wstation-privileges.html
