FreeBSD Forensics Bootable ISO

The basics
- FreeBSD based forensics / security Live CD similar to Linux based distros like Knoppix and F.I.R.E.
- @Stake's The Sleuth Kit and Autopsy
- Almost every security related port in the FreeBSD ports tree
- Menu driven forensics setup
- Created using FreeSBIE

FreeSBIE
- FreeSBIE is both a live FreeBSD distribution and the tools for creating your own distro
- Makes creating a live CD a fairly simple process
- Version in the ports tree doesn't work with FreeBSD 5.3, use the version in CVS

Security Tools
- scanners: nmap, nessus, arirang, hackbot
- multi-tools: dsniff and ettercap
- sniffers: sniffit, radiusniff, sslsniffer, sniff, hafiye, kripp
- intrusion detection: snort, acid, bro, chkrootkit
- crackers: john, crack, mdcrack, fcrackzip, slurpie
- stego: outguess, steghide
- + over 100 more

The Sleuth Kit 2.01

- Collection of forensic analysis tools
- Analyzes raw (dd) files and disk images: FAT, EXT2/3, UFS, NTFS
- Won't modify access times
- Lists allocated and deleted files
- Keyword search
- Creates timelines of file activity
- Orders files by type, creates thumbnails of images
- Lookup by hashes in a checksum database

Autopsy 2.05

- File listing
- File content viewable as raw, hex, strings
- Hash databases
- File type sorting
- Timeline of file activity
- Keyword search
- Meta data analysis
- Data unit analysis
- Image details

Live vs Dead Autopsy

- Use live Autopsy on a running system (FreeBSD & OS X versions included in Snarl; more OS options in the future)
- Dead Autopsy is done on a trusted host system using images of the suspect system
- Live Autopsy is less powerful than an offline Autopsy (unless using a network share)
- Live Autopsy uses perl modules on the untrusted system

Create checksums

1. Boot the Snarl CD in the new system (do this before getting hacked!)
2. Plug in a USB drive and mount it by selecting "Mount Evidence" in the Snarl menu
3. Select "Mount drives" in the Snarl menu
4. Select "Create Checksums" from the Snarl menu
5. Enter the path to checksum (/mnt/ufs.1*)

Create Disk Images

1. Boot the Snarl CD in the compromised machine
2. Plug in a USB drive
3. Mount the USB drive by selecting "Mount Evidence" in the Snarl menu
4. Choose "Create Disk Image" in the Snarl menu
5. Select the disk to image from the list
6. Go have lunch while the disk is imaged

Prepare checksums

- If you haven't already created a checksum database of the system, select "Choose Checksum"
- Select the OS version you are using from the list of Known Good databases included in Snarl (FreeBSD 4.2-5.1; OpenBSD 3.0-3.3; many flavors of Linux; Solaris 2.6, 8.0, 9.0)
- The known good lists will be converted to the Autopsy format (checksums that you prepare with Snarl are already in Autopsy format)

Start Autopsy

1. Select "Start Autopsy" from the Snarl menu
2. Enter the IP address of your trusted desktop / laptop
3. Enter the address shown in the status window into the browser on your trusted system (turn off Javascript [I would remove Flash too, mostly because I don't like Flash])

Making a case

1. Create case
2. Choose known good checksums
3. Choose known bads if you have one
4. Add images
5. Explore!

Add hosts and images

1. Select case
2. Add host
3. Add images (Autopsy automatically detects image types)
4. Verify image checksum

Looking for trouble

- Known bads
- Filesystem explorer
- Sort by file type
- Keyword search
- Timeline
- Deleted files

File Analysis
- Deleted files
- Filename search
- Keyword search
- Timeline
- Sort by file type

Autopsy Live

1. Mount the Snarl CD
2. Mount the remote evidence locker
3. Start Autopsy locally from the mounted CD
- If you don't mount an evidence locker you can only use some of the features in Snarl

Future plans

- Include complete list of checksums from packet storm for
- Release more often than once a year
- Apache / PHP / MySQL + Slacker install
- Include more checksum databases
- Make it even easier to use

Destruction of evidence
- srm everything
- rm -rP
- dd if=/dev/urandom of=/root/junk; rm -rP junk
- driveslag: http://driveslag.eecue.com
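The "Create Checksums", "Create Disk Image" and "Verify image checksum" steps above are Snarl menu items. As an added example (not Snarl's own menu scripts and not from this deck), here is the same workflow as plain POSIX shell functions: build a known-good checksum database of a mounted filesystem, diff a later database against it, image a disk with dd, and re-verify the image hash the way Autopsy's "Verify image checksum" step does. It assumes md5sum(1) (GNU) or md5(1) (FreeBSD), dd(1) and awk(1); the script name snarl_acquire.sh, the function names, and the sample paths (/mnt/ufs.1, /dev/ad0, baseline.md5) are my own. MD5 is used because Sleuth Kit / Autopsy hash databases are md5sum-format files; it is an integrity check for the evidence chain, not a collision-resistant one.

```shell
#!/bin/sh
# snarl_acquire.sh (added example, not part of Snarl): checksum database,
# disk imaging and image verification from the command line.

# hash_file FILE: print the MD5 of a regular file or a block device.
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"                       # FreeBSD md5(1)
    fi
}

# make_checksum_db ROOT: print "md5  relative/path" for every regular file
# under ROOT (e.g. /mnt/ufs.1), sorted by path. The output is md5sum format,
# which Autopsy accepts as a known-good or known-bad hash database. Mount the
# filesystem read-only (or noatime) first so hashing does not touch atimes.
make_checksum_db() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "${f#./}"
    done )
}

# compare_checksum_db BASELINE CURRENT: report ADDED / MISSING / MODIFIED
# paths between two databases made by make_checksum_db. Returns 1 when
# anything differs, 0 when the trees match. Lines are tagged B/C before awk
# sees them so an empty baseline, or the same file twice, is handled correctly.
compare_checksum_db() {
    rc=0
    out=$( { sed 's/^/B /' "$1"; sed 's/^/C /' "$2"; } | awk '
        { hash = $2; path = substr($0, 37) }   # "B " + 32 hex digits + 2 spaces, then the path
        $1 == "B" { base[path] = hash; next }
        { cur[path] = hash }
        END {
            n = 0
            for (p in cur) {
                if (!(p in base))           { print "ADDED    " p; n++ }
                else if (base[p] != cur[p]) { print "MODIFIED " p; n++ }
            }
            for (p in base) if (!(p in cur)) { print "MISSING  " p; n++ }
            exit (n > 0)
        }' ) || rc=$?
    [ -n "$out" ] && printf '%s\n' "$out" | sort
    return $rc
}

# image_disk SOURCE IMAGE: copy SOURCE (e.g. /dev/ad0, read as root) to IMAGE
# with dd and record the MD5 of both in IMAGE.md5. Returns 0 when the image
# hashes identically to the source. bs=512 with conv=noerror,sync keeps going
# past an unreadable sector and writes one 512-byte block of zeros in its
# place, so offsets in the image stay aligned with the disk; a bad sector then
# shows up as a hash mismatch instead of a silently shifted image.
image_disk() {
    src_hash=$(hash_file "$1")
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null || return 1
    img_hash=$(hash_file "$2")
    printf '%s  %s\n%s  %s\n' "$src_hash" "$1" "$img_hash" "$2" > "$2.md5"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE: re-hash IMAGE and compare it with the source hash that
# image_disk recorded (the check behind Autopsy's "Verify image checksum").
verify_image() {
    expected=$(head -n 1 "$1.md5" | cut -d' ' -f1)
    [ "$(hash_file "$1")" = "$expected" ]
}

# Command-line entry points; nothing runs when the file is sourced without arguments.
case "${1-}" in
    checksums) make_checksum_db "$2" ;;                # sh snarl_acquire.sh checksums /mnt/ufs.1 > baseline.md5
    compare)   compare_checksum_db "$2" "$3" ;;        # sh snarl_acquire.sh compare baseline.md5 current.md5
    image)     image_disk "$2" "$3" ;;                 # sh snarl_acquire.sh image /dev/ad0 /mnt/evidence/ad0.dd
    verify)    verify_image "$2" ;;                    # sh snarl_acquire.sh verify /mnt/evidence/ad0.dd
esac
```

Run the `checksums` mode on the known-good system before it is exposed, keep baseline.md5 on the evidence USB drive, and after an incident run it again on the read-only mounted suspect filesystem and `compare` the two files: MODIFIED entries under bin/ or sbin/ are the classic trojaned-binary signal, ADDED entries are what a known-bad database would be matched against. The `image` mode writes IMAGE.md5 next to the image, which is the value to type into Autopsy when it asks to verify the image checksum.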