Thursday, April 30, 2009

Ubuntu 9.04 guest in VMware - sluggish mouse.

I just installed Ubuntu 9.04 at work and am enjoying my 'dual screen via KVM switch' panoramic view :-) which was not possible before due to driver limitations.

I also tried to install Ubuntu 9.04 in VMware, and it caused the mouse to be rather sluggish. Installing vmware-tools didn't help. Next, in System > Preferences > Startup Applications, on the Startup Programs tab, I added an entry named vmware-tools with the command /usr/bin/vmware-user &. This did not fix the problem either.

The best option to solve this was to install the xserver-xorg-input-vmmouse driver by running the following command:
sudo apt-get install xserver-xorg-input-vmmouse. This completely solved the problem and everything now works as expected. Whichever way the driver gets enabled, a successful load shows up as a LoadModule: "vmmouse" line in /var/log/Xorg.0.log. I also found that some people were able to fix this by adding the following to their xorg.conf:

Section "InputDevice"
Identifier "VMware Mouse"
Driver "vmmouse"
Option "CorePointer"
Option "AlwaysCore"
EndSection

Saturday, April 25, 2009

A couple of articles on digital forensics.

All my free time is now consumed by a 'little' Python development project. I will try to keep this blog up to date with anything really worth mentioning. Whilst I am busy coding and refreshing my pretty rusty maths skills, I still spend about three hours a week reading about digital forensics and information security (mostly on a bus or train). Last week I came across a couple of documents by Dr. Frederick B. Cohen called "Fundamentals of Digital Forensic Evidence" and "A structure for addressing digital forensics". These documents are about the application of digital forensics within a legal context, and I personally find them quite educational.

Saturday, April 18, 2009

Windows Event Logs


The procedure for working with Windows XP and Windows Server 2003 (.evt) event logs has been well documented. Here are a couple of links on fixing .evt logs manually, or with a free tool, so that they become readable in Windows Event Viewer (Event Viewer refuses a log whose header still has the dirty flag set and whose offsets do not match the EOF record, which is the normal state of a log copied from a running system). Harlan also wrote Perl scripts that parse .evt logs without using the Windows API, so no header modification is needed.

Ensuring that forensic evidence in criminal cases is accurate and verifiable is only one side of forensic analysis. Making the evidence (forensic reports) presentable and easy to work with for all parties, including the defence, judges and prosecution, is also essential. Making event logs readable and nicely formatted can sometimes be painful, though. I found that the best tool to generate an Excel spreadsheet is the EnCase built-in EnScript (Case Processor), and X-Ways Forensics provides perhaps the quickest way to produce nice HTML reports. It also automatically includes some useful information, such as this:

Warning: wrong fileheader data regarding size of file
Dirty flag: 1, Wrapped flag: 0, Full flag: 0, Primary flag: 1

To get the report in X-Ways Forensics, the .evt file needs to be opened first; after that you can go to Tools -> View, or just press Shift+F9. You can also generate an Excel spreadsheet by opening the HTML report in Internet Explorer and going to File -> Edit with Microsoft Office Excel.
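As an added example (not Harlan's scripts, nor code from X-Ways, EnCase or FTK), here is a small Python check for the header state those reports describe: it reads the ELF_LOG_HEADER, finds the EOF record, reports the dirty flag and the stale-offset condition, and can write a repaired copy the way the manual fix does (copy the four live values from the EOF record into the header and clear the dirty flag). The structure layouts and flag bits are the documented Windows SDK ones; the sample log built at the bottom is constructed, and the comparison used for the "size of file" warning is my reading of it, not a documented X-Ways rule.

```python
import struct
import sys

# ELF_LOG_HEADER: twelve little-endian DWORDs (48 bytes), field order as in the
# Windows SDK. The service keeps the EOF record current while a log is open
# and only rewrites the header on a clean close, so a log copied from a live
# system normally has DIRTY set and stale offsets here.
HEADER_SIZE = 0x30
HEADER_FIELDS = ("header_size", "signature", "major_version", "minor_version",
                 "start_offset", "end_offset", "current_record_number",
                 "oldest_record_number", "max_size", "flags", "retention",
                 "end_header_size")
LFLE = 0x654C664C  # the bytes "LfLe" read as a little-endian DWORD
FLAG_DIRTY, FLAG_WRAP, FLAG_LOGFULL, FLAG_ARCHIVE = 0x1, 0x2, 0x4, 0x8

# ELF_EOF_RECORD: size (0x28), four magic DWORDs, the live bookkeeping, size.
EOF_SIZE = 0x28
EOF_PREFIX = struct.pack("<5I", EOF_SIZE, 0x11111111, 0x22222222,
                         0x33333333, 0x44444444)
EOF_FIELDS = ("begin_record", "end_record", "current_record_number",
              "oldest_record_number")
SYNCED = ("start_offset", "end_offset", "current_record_number",
          "oldest_record_number")  # header fields the EOF record supersedes


def parse_header(data):
    """Return the header as a dict; refuse anything that is not an EVT log."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than an EVT header")
    hdr = dict(zip(HEADER_FIELDS, struct.unpack_from("<12I", data, 0)))
    if hdr["signature"] != LFLE or hdr["header_size"] != HEADER_SIZE:
        raise ValueError("not an EVT log: bad header signature or size")
    return hdr


def find_eof_record(data):
    """Locate the EOF record by its magic bytes; return (offset, fields)."""
    off = data.find(EOF_PREFIX, HEADER_SIZE)
    if off < 0 or off + EOF_SIZE > len(data):
        return None, None
    vals = struct.unpack_from("<4I", data, off + len(EOF_PREFIX))
    return off, dict(zip(EOF_FIELDS, vals))


def check(data):
    """List the header problems that make Event Viewer reject a log."""
    hdr = parse_header(data)
    problems = []
    if hdr["flags"] & FLAG_DIRTY:
        problems.append("dirty")
    if hdr["max_size"] != len(data):
        # Assumption: this comparison is what the X-Ways size warning reports.
        problems.append("size-mismatch")
    _, eof = find_eof_record(data)
    if eof is None:
        problems.append("eof-missing")
    elif tuple(hdr[f] for f in SYNCED) != tuple(eof[f] for f in EOF_FIELDS):
        problems.append("offsets-stale")
    return problems


def repair(data):
    """Return a copy whose header is synced from the EOF record, DIRTY cleared.

    Only the 48 header bytes change; every event record and the EOF record are
    carried over untouched, and max_size is left alone (it is configuration,
    not state). Always work on a copy of the evidence file.
    """
    hdr = parse_header(data)
    _, eof = find_eof_record(data)
    if eof is None:
        raise ValueError("no EOF record: cannot recover the live offsets")
    for dst, src in zip(SYNCED, EOF_FIELDS):
        hdr[dst] = eof[src]
    hdr["flags"] &= ~FLAG_DIRTY
    header = struct.pack("<12I", *(hdr[f] for f in HEADER_FIELDS))
    return header + data[HEADER_SIZE:]


def build_sample():
    """Constructed test log: stale header + one 64-byte record + EOF record."""
    rec_len = 0x40
    record = (struct.pack("<II", rec_len, LFLE) + b"\x00" * (rec_len - 12)
              + struct.pack("<I", rec_len))
    eof = EOF_PREFIX + struct.pack("<5I", HEADER_SIZE, HEADER_SIZE + rec_len,
                                   2, 1, EOF_SIZE)
    header = struct.pack("<12I", HEADER_SIZE, LFLE, 1, 1, HEADER_SIZE,
                         HEADER_SIZE, 1, 1, 0x80000, FLAG_DIRTY, 0, HEADER_SIZE)
    return header + record + eof


SAMPLE = build_sample()

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("problems:", check(raw) or "none")
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(repair(raw))
```

Run it as evtcheck.py copy.evt repaired.evt on a working copy. Because only the header is rewritten, the record area of the repaired file is byte-for-byte the original, which is what you want to be able to show when the repaired log is the one opened in Event Viewer for a report.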



Also, when working with FTK and using its Forensic HTML Report generation feature, it is possible to bookmark and export XML files (MSN history etc.) that will not open in the browser, producing an error similar to "Cannot view XML input using XSL style sheet". That is usually sorted quite easily by copying the XSL style sheet file (.xsl) from the folder where the original XML file was located into the folder with the exported XML: the XML refers to its style sheet by a relative path, so the browser looks for the .xsl next to the .xml.



Sunday, April 19, 2009

Lance Mueller posted a great article and his EnScript re: Windows Event Logs. The comments on his post are also worth reading.

Another interesting post re: Vista event logs, by Rob Faber, can be found here.

Saturday, April 4, 2009

The Sleuth Kit and Autopsy on Ubuntu

A quick installation guide for the latest TSK and Autopsy on Ubuntu 8.04.
The default versions of TSK and Autopsy in the Ubuntu repositories are sleuthkit 2.09-2 and autopsy 2.08-2; the latest versions are sleuthkit-3.0.1 and autopsy-2.21.

Step 1
Download afflib.tar.gz and unpack it with tar -xvf afflib.tar.gz
There are three dependencies to resolve before afflib can be built.

Type sudo apt-get install build-essential zlib1g-dev libssl-dev
Then navigate to the afflib folder and run the usual:
./configure, make, sudo make install, followed by sudo ldconfig so that the new library in /usr/local/lib is found by the packages built next.

Step 2
Download libewf, unpack it, and install all three .deb packages.

Step 3
Install uuid-dev by typing sudo apt-get install uuid-dev
Then download sleuthkit-3.0.1.tar.gz
Unpack it, and run ./configure, make, sudo make install

Step 4
Download autopsy-2.21.tar.gz
Create your evidence directory; Autopsy will ask for it later.
Extract Autopsy and run ./configure, make, sudo make install

When asked, type the full path to your evidence directory and you are done.

To start autopsy, just type sudo ./autopsy and follow the instructions.

Update for Ubuntu 9.10 - 25 November 2009

For Ubuntu 9.10 the procedure is similar except for Step 1.
The afflib make may not work, and if you really want AFF support, the simple solution is to download the .deb files from older distributions.

The files below worked for me:
afflib-dev_1.6.31-0ubuntu1_i386.deb and afflib_1.6.31-0ubuntu2_i386.deb

and can be downloaded from these locations:

http://packages.ubuntu.com/intrepid/i386/afflib-dev/download
or
http://np.archive.ubuntu.com/ubuntu/pool/universe/a/afflib/

Step 2 is easy: just get all 3 libewf packages (search for them with Synaptic).

The rest of the procedure is the same.

Updates for Ubuntu 10.10 and the Sleuthkit 3.2.0 are here