FreeBSD Forensics Bootable ISO

The basics
FreeBSD based forensics / security Live CD, similar to Linux based distros like Knoppix and F.I.R.E.
@stake's The Sleuth Kit and Autopsy
Almost every security related port in the FreeBSD ports tree
Menu driven forensics setup
Created using FreeSBIE

FreeSBIE
FreeSBIE is both a live FreeBSD distribution and the toolkit for creating your own live distro
Makes creating a live CD a fairly simple process
The version in the ports tree doesn't work with FreeBSD 5.3; use the version from CVS

Security Tools
scanners: nmap, nessus, arirang, hackbot
multi-tools: dsniff and ettercap
sniffers: sniffit, radiusniff, sslsniffer, sniff, hafiye, kripp
intrusion detection: snort, acid, bro, chkrootkit
crackers: john, crack, mdcrack, fcrackzip, slurpie
stego: outguess, steghide
+ over 100 more

The Sleuth Kit 2.01
Collection of forensic analysis tools
Analyze raw files (dd) and disk images: FAT, EXT2/3, UFS, NTFS
Won’t modify access times
List allocated and deleted files
Keyword Search
Create timelines of file activity
Order by type, create thumbnails of images
Lookup by hashes in a checksum database

Autopsy 2.05
File listing
File content viewable in raw, hex, strings
Hash Databases
File Type Sorting
Timeline of File Activity
Keyword Search
Meta Data Analysis
Data Unit Analysis
Image Details

Live vs Dead Autopsy
Live autopsy runs on the running (suspect) system. FreeBSD and OS X versions are included in Snarl; more OS options are planned.
Dead autopsy runs on a trusted host system, using images of the suspect system.
Live autopsy is less powerful than an offline (dead) autopsy unless the evidence goes to a network share, and it runs perl modules on the untrusted system.

Create checksums
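The "Create Checksums" menu item in the steps that follow walks a mounted filesystem and writes one hash per file. The example below is added here and is not Snarl's own script: it does the same by hand in POSIX sh, writing md5sum-style "hash  path" lines (the format Autopsy's hash databases use), and adds the comparison that Snarl leaves to Autopsy, checking a later copy of the system against the database and reporting modified, missing and new files. The mount point, database name and the files in the usage comments are assumptions; it uses GNU md5sum where present and FreeBSD's md5(1) otherwise.

```shell
#!/bin/sh
# Added example: build a known-good MD5 database of a mounted system and
# later check a copy of that system against it.  Not Snarl's script; the
# paths used here are assumptions.  Database lines are md5sum-style
# "<md5>  <relative path>", the format Autopsy's hash databases read.

# md5 of one file: GNU md5sum on Linux, md5(1) on FreeBSD (assumes one exists)
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"
    fi
}

# make_checksums ROOT DB: hash every regular file under ROOT (e.g. the
# evidence mount /mnt/ufs.1 on Snarl) into DB.  Paths are stored relative
# to ROOT so the database matches no matter where the disk is mounted later.
make_checksums() {
    root=$1; db=$2
    ( cd "$root" && find . -type f | LC_ALL=C sort ) |
    while IFS= read -r f; do
        printf '%s  %s\n' "$(md5_of "$root/$f")" "${f#./}"
    done > "$db"
}

# verify_checksums ROOT DB: compare the tree under ROOT with DB.  Prints one
# line per finding (MODIFIED / MISSING / NEW) and returns 1 if there were any,
# 0 if the tree still matches the known-good database exactly.
verify_checksums() {
    root=$1; db=$2
    report=$(
        while read -r sum path; do
            if [ ! -f "$root/$path" ]; then
                echo "MISSING $path"
            elif [ "$(md5_of "$root/$path")" != "$sum" ]; then
                echo "MODIFIED $path"
            fi
        done < "$db"
        # anything on disk that the known-good database never saw
        sed 's/^[0-9a-f]*  //' "$db" | LC_ALL=C sort > "$db.known"
        ( cd "$root" && find . -type f | sed 's|^\./||' | LC_ALL=C sort ) > "$db.now"
        comm -13 "$db.known" "$db.now" | sed 's/^/NEW /'
        rm -f "$db.known" "$db.now"
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# usage (paths are assumptions):
#   make_checksums /mnt/ufs.1 /mnt/usb/known-good.md5      # clean system, before it is hacked
#   verify_checksums /mnt/ufs.1 /mnt/usb/known-good.md5    # later, on the suspect disk
```

Build the database from the clean install, as the slide says, and keep it on the evidence drive rather than on the system it describes; a rootkit that can edit /bin/ls can edit a checksum file sitting next to it just as easily.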
Boot the Snarl CD on the new system (do this before getting hacked!)
Plug in a USB drive and mount it by selecting "Mount Evidence" in the Snarl menu
Select "Mount drives" in the Snarl menu
Select "Create Checksums" from the Snarl menu
Enter the path to checksum (/mnt/ufs.1*)

Create Disk Images
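The "Create Disk Image" menu item in the steps that follow is a dd copy of the whole suspect disk onto the mounted USB drive. The example below is added here and is not Snarl's code: it shows that copy done by hand with the dd options that matter for evidence, together with the check Autopsy performs later when you "Verify image checksum", hashing the source device and the image and recording both next to the image. Device and mount-point names are assumptions; it uses GNU md5sum where present and FreeBSD's md5(1) otherwise.

```shell
#!/bin/sh
# Added example: image a disk with dd and record/verify its hash.
# Not Snarl's script; device names and paths are assumptions.

# md5 of one file or device: GNU md5sum on Linux, md5(1) on FreeBSD
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# image_disk DEVICE IMAGE: copy DEVICE (e.g. /dev/ad0 on FreeBSD 5) to IMAGE
# (e.g. /mnt/usb/ad0.dd on the evidence drive), keep dd's own record counts
# in IMAGE.log, and write IMAGE.md5 holding the hash of the device and of the
# image.  Returns 0 only when the two hashes match.
#   bs=512        one sector per block: a read error costs one sector, and
#                 nothing is padded at the end because device sizes are sector
#                 multiples (with bs=64k, conv=sync would zero-pad the tail and
#                 the image hash would never match the device)
#   conv=noerror  keep going past unreadable sectors instead of stopping
#   conv=sync     replace an unreadable sector with 512 zero bytes so the
#                 offsets of everything after it stay correct in the image
image_disk() {
    dev=$1; img=$2
    dd if="$dev" of="$img" bs=512 conv=noerror,sync 2>"$img.log" || return 1
    dev_sum=$(hash_file "$dev")
    img_sum=$(hash_file "$img")
    printf '%s  %s\n%s  %s\n' "$dev_sum" "$dev" "$img_sum" "$img" > "$img.md5"
    [ "$dev_sum" = "$img_sum" ]
}

# verify_image IMAGE: re-hash IMAGE and compare with the device hash recorded
# by image_disk.  This is what "Verify image checksum" checks later; it fails
# if the image was altered (or truncated) after acquisition.
verify_image() {
    img=$1
    recorded=$(head -n 1 "$img.md5" | cut -d' ' -f1)
    [ "$(hash_file "$img")" = "$recorded" ]
}

# usage (names are assumptions):
#   image_disk /dev/ad0 /mnt/usb/ad0.dd && verify_image /mnt/usb/ad0.dd
```

If the dd log shows fewer records in than the disk has sectors, or read errors, the device hash cannot be expected to match the image hash; keep the log with the image, because it is the only record of which sectors became zeros.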
Boot the Snarl CD on the compromised machine
Plug in a USB drive
Mount the USB drive by selecting "Mount Evidence" in the Snarl menu
Choose "Create Disk Image" in the Snarl menu
Select the disk to image from the list
Go have lunch while the disk is imaged

Prepare checksums
If you haven't already created a checksum database of the system, select "Choose Checksum"
Select the OS version you are using from the list of Known Good databases included in Snarl (FreeBSD 4.2-5.1; OpenBSD 3.0-3.3; many flavors of Linux; Solaris 2.6, 8.0, 9.0)
The known good lists are converted to the Autopsy format (checksums that you prepare with Snarl are already in Autopsy format)

Start Autopsy
Select "Start Autopsy" from the Snarl menu
Enter the IP address of your trusted desktop / laptop
Open the address shown in the status window in your trusted system's browser (turn off JavaScript [I would remove Flash too, mostly because I don't like Flash])

Making a case
Create case
Choose known good checksums
Choose known bads if you have one
Add images
Explore!

Add hosts and images
Select case
Add host
Add images (Autopsy automatically detects image types)
Verify image checksum

Looking for trouble
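The Timeline listed among the steps below is built from The Sleuth Kit's body file: `fls -r -m / image.dd` writes one line per file carrying its timestamps, and `mactime -b body` expands every line into one row per distinct timestamp and sorts them, which is what the Autopsy timeline view shows. The example below is added here and is not TSK's code: it reimplements that expansion in awk over a constructed body file so the transformation behind the timeline is visible. It assumes the eleven-field body format of TSK 3.x and later (TSK 2.x used a longer form), leaves timestamps as Unix epochs, and the file names, inodes and times in the sample are invented.

```shell
#!/bin/sh
# Added example (not TSK's code): turn a Sleuth Kit body file into a sorted
# timeline, the way "fls -r -m / image.dd > body; mactime -b body" does.
# Body format assumed (TSK 3.x and later, one file per line):
#   MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# with times as Unix epochs and 0 meaning "not set".

# write_sample_body FILE: constructed body lines for the example, with a
# trojaned /bin/ls and a backdoor dropped an hour later; all values invented.
write_sample_body() {
    cat > "$1" <<'EOF'
0|/bin/ls|1234|r/rrwxr-xr-x|0|0|27232|1100000000|1100000000|1100000000|0
0|/tmp/.x/bd|5678|r/rrwxr-xr-x|0|0|8192|1100003600|1100003600|1100003600|0
0|/etc/passwd|42|r/rrw-r--r--|0|0|1024|1100000500|1099990000|1099990000|0
EOF
}

# timeline BODY: one output row per distinct timestamp of each file:
#   epoch|macb|mode|size|name
# The four-letter mask marks which of m(odified) a(ccessed) c(hanged) b(orn)
# happened at that instant and "." for those that did not, so a file whose
# m, a and c are identical collapses into a single "mac." row, while a file
# read long after it was written gets a "m.c." row and a later ".a.." row.
timeline() {
    awk -F'|' '
    NF >= 11 {
        split("m a c b", letter, " ")
        ts[1] = $9; ts[2] = $8; ts[3] = $10; ts[4] = $11
        split("", seen)                     # portable way to empty an array
        for (i = 1; i <= 4; i++) {
            if (ts[i] == 0 || (ts[i] in seen)) continue
            seen[ts[i]] = 1
            mask = ""
            for (j = 1; j <= 4; j++)
                mask = mask ((ts[j] == ts[i]) ? letter[j] : ".")
            printf "%d|%s|%s|%s|%s\n", ts[i], mask, $4, $7, $2
        }
    }' "$1" | LC_ALL=C sort -t'|' -k1,1n -k5,5
}

# usage: write_sample_body /tmp/body && timeline /tmp/body
```

Reading the rows in order is the point of the view: a binary whose m, a and c all land at the same instant long after install (the "mac." row for /bin/ls here) was replaced, not merely run, and the next things to happen after it are where to look.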
Known bads
Filesystem explorer
Sort by filetype
Keyword search
Timeline
Deleted files

File Analysis
Deleted Files
Filename Search
Keyword search
Timeline
Sort by file type

Autopsy Live
Mount the Snarl CD
Mount the remote evidence locker
Start Autopsy locally from the mounted CD
If you don't mount an evidence locker you can only use some of the features in Snarl

Future plans
Include the complete list of checksums from Packet Storm
Release more often than once a year
Apache / PHP / MySQL + Slacker install
Include more checksum databases
Make it even easier to use

Destruction of evidence
srm everything
rm -rP (on FreeBSD, -P overwrites the file contents before unlinking)
dd if=/dev/urandom of=/root/junk; rm -rP junk (fills and then scrubs the free space)
driveslag: http://driveslag.eecue.com