Domain: e-fense.com
Stories and comments across the archive that link to e-fense.com.
Comments · 11
-
Re:If it 'snot good enough for the feds...
If it a case of unreliable sectors, your best bet would be to use Spinrite, which does an admirable job of getting the data off the bad sector.
After you run spinrite, you should be able to use something like photorec to recover your files. (Boot from a DOS CD, and you'll need a second hard drive to recover to)
If it's just plain text, you can also boot from a Linux CD (a plain old knoppix disk, or if you want a forensic Distro - like Helix which would give you more tools to work with.) and do a simple "strings
/dev/sda > /mount/sdb1/recovered.txt" (where sda is the drive that your trying to get data off of, and /mount/sdb1 is the drive that you want to recover to.)If that doesn't work, Helix has more tools at your disposal.
-
Helix
Helix can do most of the "breath test" functionality referred to, and is a great forensic Linux distro. Helix is also considered a viable method in which to capture data that is consistent with the chain of custody that is required for evidence to be presented to a Judge. Check it out... http://www.e-fense.com/helix/Download.html
-
Re:we need an antivirus vendor
There are at least F-Secure Rescue CD and Helix Incident Response and Forensics CD
-
Re:Where can I find that distro?
All my googling only turned up the original article and a ubuntu forum where helix at http://www.e-fense.com/helix/ was mentioned as similar. All I can suggest is looking up the named developer on the Edith Cowan Uni website and contacting him.
-
Re:Linux? You need a hardware write blocker, perio
dcfldd is included in Helix forensics LiveCD (based on Knoppix), along with several other quite useful programs.
Have a look at http://www.e-fense.com/helix/ -
clueless users...
I worked on a machine the other day that had trojan.banker on it. Nasty little bugger. Interesting thing is they had a working Norton Anti-virus using IE7 and were up to date on patches from the almighty MS. I ran 2 different rootkit programs on it but the thing still kept cropping up (it became a mission to find out what/where/how). Finaly I booted from Helix Boot CD http://www.e-fense.com/helix/ and running ClamAV discovered the Windows pagefile.sys was infected. Each time the machine rebooted anything cleaned in a non-boot sweep (ususal practice is to remove the drive and AV/Anti-Spy from a clean machine) would be reinfected, 24 AT jobs would be created to hourly check to see if it was installed, it would see if it was connected and get the software. Average people cannot deal with this; they had no clue other than the computer was slow and thought they might need a new one.... ahem.
-
Gotta wonder...
...if they will be training the staff on Helix. I'm not in the security industry myself, but that is one helluva handy LiveCD to keep around.
Despite the backing of the DHS budget, they're gonna need every free piece of help they can get. -
Re:Hardware can't be fooled like the operating sys
Try Helix. It has a couple of rootkit detectors and is Knoppix based.
-
Re:BartsPE and Windows Server 2003 Evaluation versSo, how exactly do you use Knoppix to (for example) clean viruses and adware/malware, fix corrupt registry or NTFS drive, or undelete files from Windows system?
canadiangoose in the post above has replied with a number of specific F/OSS tools to aid with system recovery and filesystem forensics. I would like to add that these tools, and more, are included with a number of Knoppix-derived security LiveCD distros. Here is a partial list:
- HELIX and slashdot article on same
- INSERT
- Knoppix STD
- Local Area Security Knoppix and slashdot article on same
- Security LiveCDs article from IBM Developerworks
As I posted before, BartsPE is a cute tool that was useful in running a Windows-only firmware tool, and it is superior to captive-ntfs when transferring large amounts of data from NTFS partitions. However, it feels absolutely crippled compared to Knoppix. Since I mostly use Linux at home and work, I have fortunately been spared the necessity of doing a lot of system recovery and malware cleaning; I cannot comment as to whether BartsPE or Knoppix is better at these tasks for Windows systems. -
No mention of Helix
http://www.e-fense.com/helix/Helix is a forensics LiveCD, comes with a bunch of great apps, and as their web-site says, http://www.sans.org/ SANS uses their liveCD for their forensics training. Pretty cool if you ask me.
-
The ToolsThe tools are nothing particularly complicated, generally a boot CD, a spare hard drive slightly larger than the original, and any reasonably modern PC are all you need. I've never seen anyone use a hardware-based disk copier, they all just use PCs with linux boot disks and "dd". Maybe I'm just seeing people with a lower budget...
Some common tools:
- The Coroner's Toolkit (getting a bit dated)
- The Sleuth Kit
- Helix
SANS offers a really nice class on computer forensics (track 8), if you have about $3000.00US lying around.
These tools work nicely on Linux, reiserfs, xfs, etc. in addition to the ubiquitous Win32 filesystems. - The Coroner's Toolkit (getting a bit dated)