Example usage: chkrootkit -p [path-to-trusted-binaries] -r [root-path-to-scan]

rkhunter
rkhunter is another utility used to check for signs of rootkits on Unix-based systems. Usually you will want to run the scan against a mounted filesystem, using a trusted set of binaries, as in the example below.
Example usage: rkhunter -c --sk
Digital Anti Forensics
Install truecrypt
This script is used to install TrueCrypt, software that creates encrypted files using various encryption ciphers. It includes features such as hidden partitions inside the encryption file, as well as the ability to use files and text passwords as keys to the encryption file.

Digital Forensics

hexedit
hexedit is a program that gives the user the ability to view a file in hexadecimal and ASCII views. It can also read a device as a file. It includes built-in key shortcuts that make it fast and easy to edit and analyze files, including skipping to specific offsets, cutting and pasting, and changing views and modes, with key bindings similar to those of emacs.
Example usage: hexedit [filename]
Forensic Carving Tools
fatback
Fatback is a tool used to recover deleted files from FAT filesystems. Fatback reads an image of a FAT filesystem and then outputs all deleted files into a directory chosen by the user. This is useful in investigations involving Windows machines, since many older Windows installs use some form of FAT filesystem (FAT16, FAT32), and many USB flash drives still do. The example below takes a FAT filesystem image, writes the log created by fatback to a file chosen by the user, writes verbosely to the terminal, outputs deleted files to a directory chosen by the user, and automatically recovers all files that have been deleted.
Example usage: fatback [image] -l [logfile to output] -v -o [output directory] -a

foremost
Foremost is a well-known utility that specializes in file carving. It takes image files, such as those created by dd, and searches for file headers in order to recover files. It returns results to the user by writing the files found to a directory set by the user. The example below recovers JPEG images found in image.img (an image file created by dd) and writes everything found to /root/Desktop/output/.
Example usage: foremost -v -t jpeg -o /root/Desktop/output/ -i image.img

magicrescue
Magic Rescue is a program that searches a filesystem image for "magic number" bytes and attempts to recover the files that these magic numbers belong to. Magic numbers are several bytes of data that act as a file identifier, giving basic information such as the file type. The example below uses the jpeg-jfif "recipe" (others are found in /usr/local/share/magicrescue/recipes), meaning it looks for JPEG files based on the JFIF header. The output directory is /root/Desktop/output/, and the device being analyzed is /dev/sdb1, although it can be any filesystem or image file.
Example usage: magicrescue -r jpeg-jfif -d /root/Desktop/output/ /dev/sdb1

recoverjpeg
RecoverJPEG is another utility to recover JPEG images from a filesystem. RecoverJPEG can take as input either a partition (like /dev/sda1) or an image file, like those produced by dd. The example below recovers the JPEG images found in the image.img file.
Example usage: recoverjpeg image.img

safecopy
Safecopy is a program used to recover as much data as possible from a damaged device, such as a hard drive or USB drive. Unlike other programs such as dd, cat, or cp, safecopy specializes in damaged devices. Those programs stop reading data once a damaged area is hit, while Safecopy reads to a point designated by the user regardless of damaged areas. It does this by identifying the damaged areas and skipping around them. This example shows how to use Safecopy to recover data from /dev/sdb1, a mounted device that other programs such as cp or dd fail on. It writes the recovered data to /root/Desktop/rescued_files:
Example usage: safecopy /dev/sdb1 /root/Desktop/rescued_files

scalpel
Scalpel is a well-known file carving utility that uses a database of known file header and footer signatures and attempts to carve files from a disk image file. To begin using Scalpel, the scalpel.conf file needs to be edited to tell Scalpel which file types you are looking for. This example uses a configuration file named scalpel.conf, searches the disk image file image.img, and writes all carved files to /root/Desktop/scalpel_results/.
Example usage: scalpel -c scalpel.conf image.img -o /root/Desktop/scalpel_results/

scrounge-ntfs
Scrounge-NTFS is a utility that can be used to recover information from an NTFS partition. Scrounge-NTFS uses information provided by the user to rebuild the filesystem tree, which it places on another partition. This program requires you to know the start and end block of the filesystem, but it provides a page to help you guess partition information.
The example below uses a cluster size of 8 (the most common; cluster sizes are always multiples of 2), sets the output directory to /root/Desktop/output/, reads data from /dev/sda1, and starts at sector 63 and ends at sector 81920000, meaning the overall disk has around 40 GB of space.
Example usage: scrounge -c 8 -o /root/Desktop/output/ /dev/sdb1 63 81920000

testdisk
TestDisk is a program that specializes in recovering lost disk partitions and making disks bootable. It has the ability to rebuild partition tables, rebuild boot sectors, fix the Master File Table (MFT), recover files, and more. The program contains many features, so rather than post a small example usage here, I would suggest looking at their very thorough Step by Step Guide.
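The header/footer carving that foremost, magicrescue (jpeg-jfif recipe), recoverjpeg and scalpel perform, as an added example that is not part of the original page or of any of those tools: it scans a raw image for the JPEG/JFIF header and cuts each file at the next end-of-image marker, reporting headers that have no footer as partial files. The disk image is constructed inline; the names carve_jfif, write_carved and fake_jfif are this example's own.

```python
import os

JFIF_HEADER = b"\xff\xd8\xff\xe0"  # SOI marker followed by the APP0 marker
JFIF_ID = b"JFIF\x00"              # APP0 identifier, after the 2-byte segment length
EOI = b"\xff\xd9"                  # end-of-image marker, used as the footer


def carve_jfif(image: bytes, max_size: int = 5_000_000):
    """Return (offset, data) for every JFIF found in image; data is None when
    no footer follows the header within max_size bytes (a partial file)."""
    found, pos = [], 0
    while True:
        pos = image.find(JFIF_HEADER, pos)
        if pos == -1:
            break
        if image[pos + 6:pos + 11] != JFIF_ID:   # FF D8 FF E0 but no JFIF id
            pos += 1
            continue
        end = image.find(EOI, pos + 4, pos + max_size)
        if end == -1:
            found.append((pos, None))            # header without footer
            pos += 4
            continue
        found.append((pos, image[pos:end + 2]))  # include the footer bytes
        pos = end + 2
    return found


def write_carved(image: bytes, outdir: str):
    """Write each complete carve as <offset>.jpg under outdir, like foremost -o."""
    os.makedirs(outdir, exist_ok=True)
    names = []
    for off, data in carve_jfif(image):
        if data is not None:
            names.append(os.path.join(outdir, f"{off:08x}.jpg"))
            with open(names[-1], "wb") as fh:
                fh.write(data)
    return names


def fake_jfif(payload: bytes) -> bytes:
    """Constructed, structurally valid (not viewable) JFIF blob for the demo."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # 14-byte APP0 body
    return JFIF_HEADER + (len(app0) + 2).to_bytes(2, "big") + app0 + payload + EOI


# Constructed "disk image": slack space, two intact JPEGs and a truncated third.
SAMPLE_IMAGE = (b"\x00" * 512 + fake_jfif(b"A" * 100) + b"\xff" * 64
                + fake_jfif(b"B" * 50) + b"\x00" * 32 + fake_jfif(b"C" * 20)[:-2])

if __name__ == "__main__":
    for off, data in carve_jfif(SAMPLE_IMAGE):
        print(f"offset 0x{off:x}: {'partial' if data is None else len(data)} bytes")
```

The partial file at the end is the case a carver cannot finish on its own; that offset is what you would open in hexedit to decide where the fragment really ends.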
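The read-and-skip behaviour the safecopy entry above describes, as an added example that is not part of the original page or of safecopy itself: a dd-style reader that stops at the first I/O error loses everything past the damage, while a reader that records the bad block, fills it with a placeholder and continues recovers the rest of the device. The damaged device is simulated inline; FlakyDevice, naive_copy and salvage_copy are this example's own names.

```python
BLOCK = 512      # sector size of the simulated device
CHUNK = 8        # blocks read per attempt before falling back to single blocks


class FlakyDevice:
    """Constructed stand-in for a damaged drive: a read touching a bad block fails."""
    def __init__(self, data: bytes, bad_blocks):
        self.data, self.bad = data, set(bad_blocks)
        self.nblocks = (len(data) + BLOCK - 1) // BLOCK

    def read(self, start: int, count: int) -> bytes:
        if any(n in self.bad for n in range(start, start + count)):
            raise OSError(5, "Input/output error")
        return self.data[start * BLOCK:(start + count) * BLOCK]


def naive_copy(dev: FlakyDevice) -> bytes:
    """dd/cat/cp-style behaviour: stop at the first read error."""
    out = bytearray()
    for n in range(dev.nblocks):
        try:
            out += dev.read(n, 1)
        except OSError:
            break
    return bytes(out)


def salvage_copy(dev: FlakyDevice):
    """safecopy-style behaviour: read in chunks, retry a failed chunk block by
    block, zero-fill unreadable blocks, record them, and carry on to the end.
    Returns (recovered_bytes, bad_block_list)."""
    out, bad = bytearray(), []
    for start in range(0, dev.nblocks, CHUNK):
        count = min(CHUNK, dev.nblocks - start)
        try:
            out += dev.read(start, count)
            continue
        except OSError:
            pass                                  # damaged area: go block by block
        for n in range(start, start + count):
            try:
                out += dev.read(n, 1)
            except OSError:
                bad.append(n)
                out += b"\x00" * BLOCK            # placeholder keeps offsets aligned
    return bytes(out), bad


# Constructed 16-block device; blocks 5 and 11 are unreadable.
DATA = b"".join(bytes([n]) * BLOCK for n in range(16))
DEV = FlakyDevice(DATA, bad_blocks=[5, 11])

if __name__ == "__main__":
    got, bad = salvage_copy(DEV)
    print(f"naive: {len(naive_copy(DEV))} bytes, salvage: {len(got)} bytes, bad {bad}")
```

Keeping the zero-filled placeholders is what keeps every later offset in the copy identical to the original device, so carvers and filesystem tools can still be run against the result.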