Investigating Windows systems with Linux
With the addition of a couple of extra packages, the Windows world is wide open to an investigator running Linux. If you need more of this good thing, take a look at the free forensic tools by Foundstone . These tools give investigators the ability to restore cookies, long-gone entries from the Windows trash can, and many other things.
Experienced Linux users might find the shell approach refreshing, but some users will prefer to avoid the complex command-line syntax. The learning curve for Linux newcomers will likely be steeper for open source tools compared with more expensive commercial products. The winner in the usability stakes has to be the fully automated Ophcrack Live CD, which removes the need for users to type pesky shell commands and displays the local user's Windows passwords shortly after booting.
When we tested this on an XP system (SP2), the CD took just 280 seconds to discover the credentials of the five user accounts (which included up to 14 characters; see Figure 5). The live Linux version on the CD includes just the tables for alphanumeric passwords without non-standard characters. If you want more, you will have to invest in the commercial Rainbow Tables.
- Guidance Software: http://www.guidancesoftware.com
- X-Ways: http://www.x-ways.net/corporate/index-m.html
- Ewfacquire: https://www.uitwisselplatform.nl/projects/libewf
- Helix: http://www.e-fense.com/helix
- Endianness: http://en.wikipedia.org/wiki/Endianness
- The Sleuth Kit: http://sleuthkit.org
- Wikipedia on file slack: http://en.wikipedia.org/wiki/File-Slack
- bmap: http://www.packetstormsecurity.org/linux/security/bmap-1.0.17.tar.gz
- File slack analysis on Linux: http://www.woerter.at/dud/stuff/fileslack.pdf
- Pasco download: http://downloads.sourceforge.net/odessa/pasco_20040505_1.tar.gz?modtime=1083715200&big_mirror=0
- Mork.pl: http://www.jwz.org/hacks/mork.pl
- Dumphive: http://v4.guadalinex.org/guadalinex-toro/pool/main/d/dumphive/dumphive_0.0.3-1_i386.deb
- Ophcrack and Ophcrack Live CD: http://ophcrack.sourceforge.net
- Foundstone Forensic Tools: http://www.foundstone.com/us/resources-free-tools.asp
Buy this article as PDF
Lennart Poettering wants to change the way Linux developers talk to each other.
Enterprise giant frees itself from ink and home PCs (and visa versa).
Mozilla’s product think tank sinks silently into history.
TODO group will focus on open source tools in large-scale environments.
New tool will look like GParted but support a wider range of storage technologies.
New public key pinning feature will help prevent man-in-the-middle attacks.
Carnegie Mellon researchers say 3 million pages could fall down the phishing hole in the next year.
The US government rolls new best-practice rules for protecting SSH.
Klaus Knopper announces the latest version of his iconic Live Linux system.
All websites that use these popular CMS tools could be vulnerable to denial of service attacks if users don't install the updates.