Investigating Windows systems with Linux
With the addition of a couple of extra packages, the Windows world is wide open to an investigator running Linux. If you need more of this good thing, take a look at the free forensic tools by Foundstone . These tools give investigators the ability to restore cookies, long-gone entries from the Windows trash can, and many other things.
Experienced Linux users might find the shell approach refreshing, but some users will prefer to avoid the complex command-line syntax. The learning curve for Linux newcomers will likely be steeper for open source tools compared with more expensive commercial products. The winner in the usability stakes has to be the fully automated Ophcrack Live CD, which removes the need for users to type pesky shell commands and displays the local user's Windows passwords shortly after booting.
When we tested this on an XP system (SP2), the CD took just 280 seconds to discover the credentials of the five user accounts (which included up to 14 characters; see Figure 5). The live Linux version on the CD includes just the tables for alphanumeric passwords without non-standard characters. If you want more, you will have to invest in the commercial Rainbow Tables.
- Guidance Software: http://www.guidancesoftware.com
- X-Ways: http://www.x-ways.net/corporate/index-m.html
- Ewfacquire: https://www.uitwisselplatform.nl/projects/libewf
- Helix: http://www.e-fense.com/helix
- Endianness: http://en.wikipedia.org/wiki/Endianness
- The Sleuth Kit: http://sleuthkit.org
- Wikipedia on file slack: http://en.wikipedia.org/wiki/File-Slack
- bmap: http://www.packetstormsecurity.org/linux/security/bmap-1.0.17.tar.gz
- File slack analysis on Linux: http://www.woerter.at/dud/stuff/fileslack.pdf
- Pasco download: http://downloads.sourceforge.net/odessa/pasco_20040505_1.tar.gz?modtime=1083715200&big_mirror=0
- Mork.pl: http://www.jwz.org/hacks/mork.pl
- Dumphive: http://v4.guadalinex.org/guadalinex-toro/pool/main/d/dumphive/dumphive_0.0.3-1_i386.deb
- Ophcrack and Ophcrack Live CD: http://ophcrack.sourceforge.net
- Foundstone Forensic Tools: http://www.foundstone.com/us/resources-free-tools.asp
Buy this article as PDF
Weird data transfer technique avoids all standard security measures.
FIDO alliance declares the beginning of the end for old-style login authentication.
The Linux New Media Awards have honored the most significant products, projects, people, and organizations for open source/Linux every year since 2000.
Legendary Uber-distro splits over the systemd controversy.
New LTS version offers many refinements for the Cinnamon and Mate desktops and significant improvement under the hood.
One of CeBIT’s most successful forums returns in 2015.
A new study says it is possible to unmask 81% of TOR users.
Redmond joins the revolution by turning the .NET Core Runtime into a GitHub project.
Users only had 7 hours to update before the intrusions started.
It's official: The new web arrives