SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: An OS X based Live CD, a Free Forensics App for Windows, Spying, and High Performance Password Cracking

This week's edition of Case Leads features an OS X based Live CD, a free tool for gathering evidence from HBGary, spying, and the threat video cards pose to passwords.

As always, if you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org.

Tools:

  • Creating an OS X Incident Response CD for Live Response - Tom Webb has a write-up that discusses the process for building a basic OS X based CD for live analysis. The how-to addresses a few unique features of OS X and includes a method for dealing with OS X's non-static binaries. Suggestions for binaries to include on the CD and commands useful for IR on OS X are covered. Tom has also included a starter script that will help with information gathering during the IR process.
  • HBGary releases FGet, a free tool able to forensically extract remote files from raw NTFS volumes. The application is able to forensically extract any file, including deleted files and files that are in-use and locked without altering the file's attributes or timestamps. The tool is able to acquire the $MFT, registry files, system restore points and the recycle bin just to name a few. By default, fget will collect the user list along with NTUser.dat, the prefetch directory, and everything under windows\system32\config — all of which it stores in a directory named after the target machine.
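The OS X live-response CD item above mentions that OS X binaries are not statically linked, so a trusted binary copied onto the CD still loads shared libraries from the (possibly compromised) host unless the CD carries its own copies. The following is an added example, not Tom Webb's script or any code from the write-up: it parses the output of `otool -L` (the format is assumed from the tool's usual output), walks the dependency tree transitively, and plans where each binary and library should be copied in the CD image tree. The `otool` outputs, paths and version numbers embedded below are constructed for illustration, and the `/Volumes/IRCD` CD root and `bin`/`lib` layout are assumptions.

```python
"""Plan the files a trusted OS X binary needs on a live-response CD.

Added example (not code from the post or from Tom Webb's how-to). It
resolves the dynamic-library dependencies of a binary by parsing
`otool -L` output recursively, so the CD can carry its own copies of
every library the binary would otherwise load from the suspect host.
"""
import os
import re
import subprocess

# A dependency line in `otool -L` output: tab-indented path, then
# "(compatibility version X, current version Y)". Format assumed from
# the tool's normal output.
_DEP_LINE = re.compile(r"^\s+(\S+)\s+\(compatibility version .*\)$")


def run_otool(path):
    """Invoke the real `otool -L` (works only on OS X with developer tools)."""
    result = subprocess.run(["otool", "-L", path], capture_output=True,
                            text=True, check=True)
    return result.stdout


# Constructed sample outputs keyed by path, standing in for otool so the
# example runs offline. Library names and versions are illustrative only.
SAMPLE_OTOOL = {
    "/usr/sbin/lsof":
        "/usr/sbin/lsof:\n"
        "\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 125.2.0)\n"
        "\t/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)\n",
    "/usr/lib/libSystem.B.dylib":
        "/usr/lib/libSystem.B.dylib:\n"
        "\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 125.2.0)\n"
        "\t/usr/lib/system/libmathCommon.A.dylib (compatibility version 1.0.0, current version 315.0.0)\n",
    "/usr/lib/libgcc_s.1.dylib":
        "/usr/lib/libgcc_s.1.dylib:\n"
        "\t/usr/lib/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)\n"
        "\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 125.2.0)\n",
    "/usr/lib/system/libmathCommon.A.dylib":
        "/usr/lib/system/libmathCommon.A.dylib:\n"
        "\t/usr/lib/system/libmathCommon.A.dylib (compatibility version 1.0.0, current version 315.0.0)\n",
}


def parse_otool_l(text):
    """Return the library paths listed by one `otool -L` invocation.

    The first line names the file itself and is skipped. A dylib also
    lists its own install name as a dependency; callers filter that out.
    """
    deps = []
    for line in text.splitlines()[1:]:
        m = _DEP_LINE.match(line)
        if m:
            deps.append(m.group(1))
    return deps


def collect_dependencies(binary, otool=run_otool):
    """Transitively resolve every library `binary` needs, sorted and unique.

    `otool` is a callable returning `otool -L` text for a path, so the
    traversal can be driven by the real tool or by SAMPLE_OTOOL.
    """
    needed = set()
    pending = [binary]
    while pending:
        path = pending.pop()
        for dep in parse_otool_l(otool(path)):
            if dep == path or dep in needed:   # skip self-reference and cycles
                continue
            needed.add(dep)
            pending.append(dep)
    return sorted(needed)


def plan_copies(binary, cd_root, otool=run_otool):
    """Map each source file to its destination in the CD image tree.

    The binary goes under <cd_root>/bin and libraries under <cd_root>/lib
    (flattened to leaf names, which is how a library search path finds them).
    """
    plan = {binary: os.path.join(cd_root, "bin", os.path.basename(binary))}
    for lib in collect_dependencies(binary, otool):
        plan[lib] = os.path.join(cd_root, "lib", os.path.basename(lib))
    return plan


if __name__ == "__main__":
    # Offline demonstration using the constructed otool outputs.
    fake_otool = lambda p: SAMPLE_OTOOL.get(p, p + ":\n")
    for src, dst in sorted(plan_copies("/usr/sbin/lsof", "/Volumes/IRCD",
                                       fake_otool).items()):
        print(f"{src} -> {dst}")
```

On a real build host the plan would be carried out with `cp -p` for each source/destination pair, and the CD's launcher would point the dynamic linker at the CD's own `lib` directory (on OS X of that era, typically by exporting `DYLD_LIBRARY_PATH`; treat this as the usual approach rather than the write-up's exact method). Recording a hash of every copied file at build time lets the responder verify later that the tools used on a live system were the trusted ones.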

Good Reads:

  • Graphics Processing Units (GPUs) May Threaten Password Security - Researchers at the Georgia Tech Research Institute are using readily available and inexpensive multi-core graphics processors to test the strength of passwords. Using powerful video cards such as those typically found in computers for high-end gaming, and a software development kit that readily enables applications to be created for the hardware, the researchers are building applications that let them brute force passwords quickly. Based on their work, the researchers suggest that passwords shorter than 12 characters could soon be vulnerable.
  • The Computer Crime & Intellectual Property Section of the United States Department of Justice has a flowchart of a digital forensics analysis methodology. The flowchart focuses on the preparation/extraction, identification, and analysis phases.

News:

  • More spying, this time in Sweden. It's not another Russian spy ring, though that incident may have served as the inspiration for the operation. A pair of teenage Swedish schoolgirls decided to bug a teachers' meeting in order to learn how to improve their grades. They might have gotten away with it, but they happened to brag about their mission on Facebook.
  • Staying with the spy theme, Cleveland, Ohio will soon join Alexandria, Virginia in the use of "1984-style" trash carts. These carts will tell the city if more than 10% of the material in the cart is recyclable. If too much recyclable material is in the trash cart, the resident could receive a $100 fine. No word yet on the digital forensics potential of these recycle bins.

Levity:

  • Consulting a teardown site is common when dealing with a new piece of hardware. This method is not recommended for an iPod Nano.
  • Are you unhappy with your cell phone? This guy put his phone in a microwave.

Coming Events:

    Digital Forensics Case Leads for 20100826 was compiled by Ray Strubinger of the Georgia Institute of Technology. Ray leads the digital forensics and incident response team and when the incidents permit, he is involved in various aspects of the Institute's defense-in-depth strategy including Data Loss Prevention, Full Disk Encryption, and Education Awareness. If you have an article to suggest for case leads please email it to caseleads@sans.org.

    5 Comments

    Posted August 27, 2010 at 12:17 PM

    Bob DeSilets

    The article on OS X Live CD creation is very timely for me as we've had an incident recently that involved an Apple machine. Any suggestions for capturing a memory image for OS X (not a laptop with the sleepimage available)?

    Posted August 27, 2010 at 5:43 PM

    Ray Strubinger

    Bob, at this time I don't think there is a known publicly available method for capturing RAM from an OS X system. Several months ago when I was researching OS X memory imaging I found a bit of interest in the topic but nothing as straightforward as what's available to us for capturing RAM from Linux or Windows.

    Posted March 24, 2011 at 1:14 PM

    Nobody

    Anyone ever wonder if some are already using this kind of software just to surf the net?
    All those LIVE distros out there; from where I'm standing I have about 100 CDs to choose from.
    Knoppix 2004: "The BEST first-on-the-scene LIVE OS on a CD."
    This is nothing new.
    Live CDs have been out since Knoppix introduced a fully operational distro in '04.
    If the (good guys) think the (bad guys) are not using it,
    THINK AGAIN.
    How do you do forensics on a computer that is ONLY CD-based with NO hard drive?