Monday, August 21, 2017

Vocabulary: Terms you should understand

This list will be updated continuously.

  • inodes
Inodes (index nodes) are a core component of file management on Unix systems. Each file in the file system has its own inode. The inode holds all of the file's metadata and also records the file system blocks in which the actual file contents are stored.
So an inode is, so to speak, a reference to a file.


  • orphan files
These are files with no purpose left, since their parent application is gone. For example, they often appear after an incomplete uninstallation.
You can find another definition in The Sleuth Kit wiki: "Orphan files are deleted files that still have file metadata in the file system, but that cannot be accessed from the root directory."


  • offset
In our context an offset is a kind of logical "distance": it describes the location of data relative to another location. I found a good example in the Wikipedia article:
For example, if A is an array of characters containing "abcdef", the fourth element, containing the character 'd', has an offset of three from the start of A.
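To make the inode and offset entries above concrete, here is a small shell walk-through (an added example, not part of the original post). It creates its own throwaway file in a temporary directory; the file names and contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): the inode and offset
# definitions tried out on a throwaway file in a temporary directory.
# File names and contents are constructed for the demo.
set -eu

# inode_of <path>: print the inode number of a file (first column of ls -i)
inode_of() {
    ls -i "$1" | awk '{print $1}'
}

# byte_at_offset <file> <offset>: print the single byte found <offset>
# bytes after the start of the file (offset 0 is the first byte), using
# dd the same way an imaging tool addresses data on a device
byte_at_offset() {
    dd if="$1" bs=1 skip="$2" count=1 2>/dev/null
}

# inode_demo: show that the inode, not the name, identifies the data.
# Returns 0 when a hard link shares the inode of the original name, the
# data is still there after the original name is removed, and the file
# can be located by inode number alone (find -inum).
inode_demo() {
    work=$(mktemp -d)
    printf 'abcdef' > "$work/original"
    ln "$work/original" "$work/second-name"   # hard link: same inode
    ino1=$(inode_of "$work/original")
    ino2=$(inode_of "$work/second-name")
    rm "$work/original"                        # only a name goes away
    found=$(find "$work" -inum "$ino1")        # locate the file by inode
    data=$(cat "$work/second-name")
    rm -rf "$work"
    [ "$ino1" = "$ino2" ] && [ "$found" = "$work/second-name" ] && [ "$data" = "abcdef" ]
}
```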

  • virtual memory
Virtual memory is all about making use of address space.

The address space of a processor refers to the range of possible addresses that it can use when loading from and storing to memory. The address space is limited by the width of the registers, since, as we know, to load from an address we need to issue a load instruction with the address to load from stored in a register. For example, registers that are 32 bits wide can hold addresses in the range from 0x00000000 to 0xFFFFFFFF. 2^32 is equal to 4 GB, so a 32-bit processor can load or store to up to 4 GB of memory.
Remember:
As with most components of the operating system, virtual memory acts as an abstraction between the address space and the physical memory available in the system. This means that when a program uses an address, that address does not refer to the bits in an actual physical location in memory.

To this end, we say that all addresses a program uses are virtual. The operating system keeps track of virtual addresses and how they are allocated to physical addresses. When a program does a load or store from an address, the processor and operating system work together to convert this virtual address to the actual address in the system memory chips.


  • Pid (process id)

  • PPid (parent process id)
In addition to a unique process ID, each process is assigned a parent process ID (PPid) that tells which process started it.


Sunday, August 20, 2017

First time imaging a USB flash device

This is my first attempt to create an image of a USB flash drive.


So how to start?

  • First plug your device into your machine; in the next step you have to find out which device it shows up as. After a few minutes of googling, I came up with the following command:
    • sudo fdisk -l
  • Then create an MD5 checksum of the device:
    • sudo md5sum <location of device>
  • Now we have the device path (it is the "Device" column) and can start the actual imaging. For this, Linux has a very good tool called dd:
    • sudo dd if=<location of device> of=<where you want it>/name.dd
This could take some time, depending on your device size.

  • Finally, create an MD5 checksum again, but now of the image. If the two checksums match, the created image is an exact copy of the original device.
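The same steps as one script, added here as an example and not part of the original post: it hashes the source, copies it with dd, hashes the image and compares the two. It accepts any readable path, so you can rehearse it on an ordinary file before pointing it at a real device; the device and image paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the imaging steps as a
# single function that hashes the source, copies it with dd, hashes the
# image and compares the two hashes.
set -eu

# hash_of <path>: MD5 of a file or block device, as used in the post
# (for a real case record a SHA-256 as well; MD5 collisions are practical)
hash_of() {
    md5sum "$1" | awk '{print $1}'
}

# image_device <source> <image>: copy <source> to <image> with dd and
# return 0 only when the hashes of source and image match. Both hashes
# are written next to the image so the check can be repeated later.
image_device() {
    src=$1; img=$2
    [ -r "$src" ] || { echo "cannot read $src (run as root?)" >&2; return 1; }
    before=$(hash_of "$src")
    # bs=4M keeps the copy fast. conv=noerror,sync is left out on purpose:
    # with it dd would pad unreadable sectors with zeros and carry on, and
    # the only sign of trouble would be a hash mismatch at the end.
    dd if="$src" of="$img" bs=4M
    after=$(hash_of "$img")
    printf '%s  %s\n%s  %s\n' "$before" "$src" "$after" "$img" > "$img.md5"
    [ "$before" = "$after" ]
}

# verify_image <source> <image>: re-check an existing image against its source
verify_image() {
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

# Usage (assumed paths; make sure the device is not mounted so nothing
# writes to it while it is being read):
#   sudo ./image.sh /dev/sdX /cases/usb.dd
if [ "$#" -eq 2 ]; then
    image_device "$1" "$2" && echo "hashes match: $2 is an exact copy of $1"
fi
```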

Saturday, August 19, 2017

How to install FTK-Imager on Linux/Ubuntu

This is my very first tutorial ever and I'm really looking forward to it and hope I can help you guys.

So let's get started! (You need to be root for all of this! [sudo -s])



  • The next step is to create a new directory for it in /opt/ and temporarily change the access rights to 777:
  • mkdir /opt/ftk-imager
  • chmod 777 /opt/ftk-imager


  • Then copy your downloaded tarball into this new directory:
  • mv /home/<username>/Downloads/<filename> /opt/ftk-imager


  • Now extract the files:
  • tar -xf /opt/ftk-imager/<filename>


  • Now we need to create a symlink, so that we can use it from any directory by just typing "ftkimager" in the shell:
  • ln -s /opt/ftk-imager/<name-of-executable> /usr/bin/ftkimager


  • Done, you should now be able to use ftkimager from every directory, just try it! Type the following commands and you should see the help text :)
  • cd
  • ftkimager --help  


  • Now change the access rights of the ftk-imager directory back to "normal":
  • chmod 755 /opt/ftk-imager
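One way to script the steps above, as an added example that is neither part of the original post nor of the FTK-Imager package: the function keeps the directory at 755 the whole time (the temporary 777 is not needed, since root does the extracting) and checks the tarball's SHA-256 before unpacking it. The install directory, link path, executable name and expected hash are parameters; the hash itself is a placeholder to be taken from the download page.

```shell
#!/bin/sh
# Added example (not from the original post): the install steps as one
# function without the temporary chmod 777, plus a checksum check on the
# downloaded tarball before anything is extracted from it.
set -eu

# install_tarball <tarball> <install-dir> <link-path> <executable> [sha256]
install_tarball() {
    tarball=$1; dir=$2; link=$3; exe=$4; expected=${5:-}
    [ -f "$tarball" ] || { echo "tarball not found: $tarball" >&2; return 1; }
    # Verify the download before anything from it is unpacked.
    if [ -n "$expected" ]; then
        actual=$(sha256sum "$tarball" | awk '{print $1}')
        [ "$actual" = "$expected" ] ||
            { echo "checksum mismatch for $tarball" >&2; return 1; }
    fi
    # 755 is enough: root owns the tree, everyone else can read and execute.
    mkdir -p "$dir"
    chmod 755 "$dir"
    tar -xf "$tarball" -C "$dir"
    [ -x "$dir/$exe" ] || { echo "no executable $exe in $dir" >&2; return 1; }
    # Symlink into a directory on PATH so "ftkimager" works from anywhere.
    ln -sfn "$dir/$exe" "$link"
}

# Usage (placeholders, run as root; the hash is an assumed placeholder):
#   install_tarball /root/Downloads/<filename> /opt/ftk-imager \
#       /usr/bin/ftkimager <name-of-executable> <sha256-from-download-page>
```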


I hope it is all understandable and especially correct. If there is a typo or some kind of fault in it, feel free to contact me! That's just the way it worked for me.

Forensics Setup


What is the best setup for forensic tasks?
That's surely not an easy question and there will be no "one and only" right answer, but you can find a lot of good answers to it.

  • the OS:
On the whole you have the 3 "big" types: Windows, Mac and Linux.
So the first step is to dismiss Mac, because I really don't like the Apple stuff.
OK OK, I admit it - there is no second step, because for me there is only 1 acceptable OS and that is Linux.
Although I have to say that this is the first time I feel a little disadvantaged by using Linux, because there are tons of well-known forensic programs only usable on Windows. (Don't know if Wine would do the job?)
But as always I prefer open source and rely on it! I believe that there is an open source solution for every task and every problem :)


  • the distro
For my daily usage I have Ubuntu with the i3 WM (love it), but I wanted something a little more special, and of course it would be nice to have the most important tools preinstalled.
So for me there were 2 options:
  1. Kali Linux: mainly for pentesting, but it comes with a decent number of forensic tools. I already had it running in dual-boot with Ubuntu on one of my laptops and did a few CTFs with it. So you could say I have a little experience with the main tools (nmap, hydra, patator, vega, burp....).
  2. SANS SIFT: After a while of googling I found this toolkit (so it is not really an independent distro) and decided to try it. The installation was very simple, just follow the instructions on https://github.com/sans-dfir/sift-cli#instructions . So I installed it on a virtual machine (a nice and especially safe way to test) on Ubuntu 16.04.

So much for the setup; I'm going to try the first steps with SANS SIFT and hope it will work out :D

Friday, August 18, 2017

Intro


Hey folks,

This is my first blog post, and I'm really only doing this because everyone recommends writing about your progress in order to internalise it better.

  • About me:
A far too old computer science student who actually has nothing at all to do with computer science and is now trying to become a "nerd"! More precisely, my interest lies in the area of IT security, and for exactly 1 day now I have been occupying myself with IT forensics.


  • What's coming here:
In this blog I will describe my path from a complete "noob", who has at most heard terms like RAID, NTFS, EXT4 etc. in passing from a few clever minds at university, to a passable (at least that's the goal) IT forensic examiner.
Whether it will ultimately be successful, or whether I throw in the towel after a few days/weeks, remains to be seen.
The initially exuberant motivation has at least already given way to sobering reality after the first failed experiments.



  • Why IT forensics of all things
The original goal was IT security expert/pentester. (Yes, I would love to be a hacker... whether black or white hat, I would take any hat.)
However, I quickly got the feeling that I was already too late for that, since as a pentester you need fundamental knowledge in ALL areas of computer science and I have just barely the most necessary basics to even switch on a PC ._.
Hence now the idea of specialising somewhat right from the start.
Is it sensible? No idea. We'll see.



A small note:

I am grateful for all tips and advice; criticism can also be voiced at any time, provided it is constructive.


Until the next entry.

PS: The posts will be in English.
For one thing because I want to improve my English, and for another because it is simply the main language spoken in IT.



