Hi all,
I'm glad to announce that Caine 2.5 and NBCaine 2.5 have been released.
Enjoy them!
http://www.caine-live.net/

  -------------------------------------------------------------
  Nanni Bassetti
  http://www.nannibassetti.com/
Caine Project Manager - http://www.caine-live.net/

tcpflow 1.0.1 is released!

September 26, 2011

I am happy to announce that tcpflow 1.0.1 is now available. Improvements in
tcpflow 1.0.1 over the version widely in use today (version 0.21) include:

	 • Support for VLANs
	 • Support for IPv6 (thanks to contributions from Jan Görig).
	 • Regression testing (note: the IPv6 is currently not regression tested because
due to implementation differences of inet_ntop on MacOS and Linux).

The new version is available for download at
http://afflib.org/downloads/tcpflow-1.0.1.tar.gz

Background: With the original author's approval, I have taken over the
management of maintenance of the tcpflow open source TCP reconstructor. I
brought the software up-to-date with the current release of GNU autotools,
applied various patches that were floating around, and added the VLAN support. I
am now trying to get the tcpflow in various Linux distributions updated.

Future Direction: I would like to rewrite parts of tcpflow in C++ so that I can
take advantage of the STL map class, which is significantly more efficient than
the current data structure used by tcpflow to maintain state. I also want to
make a linkable tcp flow reconstruction library. I am looking for input from
tcpflow users as to 1) whether rewriting in C++ is okay, and 2) what form the
library should take.

Once again, you can download the new version from
http://afflib.org/downloads/tcpflow-1.0.1.tar.gz

...This is a good opportunity for us! 
http://dingelhoppa.di.funpic.de/com.friend.php?raxyahoo=26e0

This isn't a forensics script, however I thought it might have some
value to others in the Linux forensic community.  I often find myself
downloading some tools or documents and then having to go to the
downloads folder and sift through it for the stuff I just downloaded
in order to copy or move it over to another location.  I wrote this
bash script to take care of that.  By default it will look at all
files from the ~/Downloads folder that have a change date of 5 minutes
or less.  You can change that setting via a command line option.  If
you specify no command line parameters, it will simply list the files
from the last 5 minutes (so you can make sure it's what you want to
copy/move).  You can specify the options:
-o <move,copy> (as the names imply, move will move the files, and copy
will copy them.  Any other option (misspelling or otherwise) will
simply list the files).

and you must provide a destination folder as follows:
-d <destination_folder>

If you want to copy/move/list files from the past 10 minutes, use -t
10.  Of course you can specify however many minutes you want until you
see only the files you wish to copy/move.

Jacques

-------instructions--------

Here is the script.  Feel free to adapt to your needs.  Copy/paste it
into a text file and save it.  Chmod it to make it executable and then
edit your PATH in .bashrc to add your script folder where you save
this script so that you can run it without specifying the full path
for the script.  Certainly there is room for more error checking.  But
it has some basic error checking.  And of course I could have used the
case command instead of a few if statements near the end.  But it was
quick and dirty scripting and does what I want it to do.

----------script-------------
#!/bin/bash
#
# Written by jjrboucher@...
#
#####################
#Declaring Variables#
#####################
Usage="\nUsage:\n------\n\ndownloads.bash -t <number of minutes>
(default is 5) -d <destination_folder> -o <move,copy>\nAny invalid -o
option will simply list the files even if a destination folder is
specified."
#default value - 5 minutes.  In other words files with a change time
of 5 minutes or less.
declare -i how_old=5
target=""
option="z"
#exit values in case you want to use this script inside another one.
declare -i Need_help=1
declare -i Notarget=2

#checks which command line options were specified.
while getopts ":t:d:o:" opt; do
    case $opt in
	 t ) how_old=$OPTARG ;;
	 d ) target=$OPTARG ;;
	 o ) option=$OPTARG ;;
	 h | \? | -help ) echo -e $Usage
		 exit $Need_help ;;
    esac
done

#if the person specified the option copy or move and did not specify a
destination folder,
#advise them that they must specify a destination folder.
if [ \( "$option" = "copy" \) -o \( "$option" = "move" \) ] && [ -z
"$target" ]; then
     echo -e "\nDestination folder (-d) not specified\n".
     exit $Notarget
#   fi
fi

# -o move
if [ "$option" = "move" ]; then
     echo "***Moving files from last $how_old mins"
     echo "======================================"
     find ~/Downloads/* -cmin -$how_old -type f -exec echo "Moving {}
to $target" \; -exec mv '{}' $target \;
# -o copy
   elif [ "$option" = "copy" ]; then
     echo "***Copying files from last $how_old mins"
     echo "======================================"
     find ~/Downloads/* -cmin -$how_old -type f -exec echo "Copying {}
to $target" \; -exec cp '{}' $target \;
   else
# -o anything but "move" or "copy"
     echo "***Listing files from last $how_old mins"
     echo "======================================"
     find ~/Downloads/* -cmin -$how_old -type f -exec echo "{}" \;
fi

Thank you for sharing.

>>> "Jacques B." <jjrboucher@...> 9/30/2011 6:42 AM >>>
This isn't a forensics script, however I thought it might have some
value to others in the Linux forensic community.  I often find myself
downloading some tools or documents and then having to go to the
downloads folder and sift through it for the stuff I just downloaded
in order to copy or move it over to another location.  I wrote this
bash script to take care of that.  By default it will look at all
files from the ~/Downloads folder that have a change date of 5 minutes
or less.  You can change that setting via a command line option.  If
you specify no command line parameters, it will simply list the files
from the last 5 minutes (so you can make sure it's what you want to
copy/move).  You can specify the options:
-o <move,copy> (as the names imply, move will move the files, and copy
will copy them.  Any other option (misspelling or otherwise) will
simply list the files).

and you must provide a destination folder as follows:
-d <destination_folder>

If you want to copy/move/list files from the past 10 minutes, use -t
10.  Of course you can specify however many minutes you want until you
see only the files you wish to copy/move.

Jacques

-------instructions--------

Here is the script.  Feel free to adapt to your needs.  Copy/paste it
into a text file and save it.  Chmod it to make it executable and then
edit your PATH in .bashrc to add your script folder where you save
this script so that you can run it without specifying the full path
for the script.  Certainly there is room for more error checking.  But
it has some basic error checking.  And of course I could have used the
case command instead of a few if statements near the end.  But it was
quick and dirty scripting and does what I want it to do.

----------script-------------
#!/bin/bash
#
# Written by jjrboucher@...
#
#####################
#Declaring Variables#
#####################
Usage="\nUsage:\n------\n\ndownloads.bash -t <number of minutes>
(default is 5) -d <destination_folder> -o <move,copy>\nAny invalid -o
option will simply list the files even if a destination folder is
specified."
#default value - 5 minutes.  In other words files with a change time
of 5 minutes or less.
declare -i how_old=5
target=""
option="z"
#exit values in case you want to use this script inside another one.
declare -i Need_help=1
declare -i Notarget=2

#checks which command line options were specified.
while getopts ":t:d:o:" opt; do
    case $opt in
	 t ) how_old=$OPTARG ;;
	 d ) target=$OPTARG ;;
	 o ) option=$OPTARG ;;
	 h | \? | -help ) echo -e $Usage
		 exit $Need_help ;;
    esac
done

#if the person specified the option copy or move and did not specify a
destination folder,
#advise them that they must specify a destination folder.
if [ \( "$option" = "copy" \) -o \( "$option" = "move" \) ] && [ -z
"$target" ]; then
     echo -e "\nDestination folder (-d) not specified\n".
     exit $Notarget
#   fi
fi

# -o move
if [ "$option" = "move" ]; then
     echo "***Moving files from last $how_old mins"
     echo "======================================"
     find ~/Downloads/* -cmin -$how_old -type f -exec echo "Moving {}
to $target" \; -exec mv '{}' $target \;
# -o copy
   elif [ "$option" = "copy" ]; then
     echo "***Copying files from last $how_old mins"
     echo "======================================"
     find ~/Downloads/* -cmin -$how_old -type f -exec echo "Copying {}
to $target" \; -exec cp '{}' $target \;
   else
# -o anything but "move" or "copy"
     echo "***Listing files from last $how_old mins"
     echo "======================================"
     find ~/Downloads/* -cmin -$how_old -type f -exec echo "{}" \;
fi


CONFIDENTIALITY NOTICE: This communication with its contents may contain
confidential and/or legally privileged information. It is solely for the use of
the intended recipient(s). Unauthorized interception, review, use or disclosure
is prohibited and may violate applicable laws including the Electronic
Communications Privacy Act. If you are not the intended recipient, please
contact the sender and destroy all copies of the communication.

You're welcome.  I should point out that the help output in the script
assumes the script is named downloads.bash (the name I gave it).  I
could have used $0 there so the actual script name and full path would
have been displayed to properly reflect whatever name you give it.
But I didn't want the full path displayed and didn't have time to look
through my old scripts to see how to extract only the filename portion
of a string (I've done it in other scripts).  So you'll want to either
change that Usage variable to $0 instead of downloads.bash so it puts
your script name there, or hard code it to whatever name you give it.

Jacques

On Fri, Sep 30, 2011 at 6:07 PM, Luis Salazar <Luis.Salazar@...> wrote:
> Thank you for sharing.
>
>>>> "Jacques B." <jjrboucher@...> 9/30/2011 6:42 AM >>>
> This isn't a forensics script, however I thought it might have some
> value to others in the Linux forensic community.  I often find myself
> downloading some tools or documents and then having to go to the
> downloads folder and sift through it for the stuff I just downloaded
> in order to copy or move it over to another location.  I wrote this
> bash script to take care of that.  By default it will look at all
> files from the ~/Downloads folder that have a change date of 5 minutes
> or less.  You can change that setting via a command line option.  If
> you specify no command line parameters, it will simply list the files
> from the last 5 minutes (so you can make sure it's what you want to
> copy/move).  You can specify the options:
> -o <move,copy> (as the names imply, move will move the files, and copy
> will copy them.  Any other option (misspelling or otherwise) will
> simply list the files).
>
> and you must provide a destination folder as follows:
> -d <destination_folder>
>
> If you want to copy/move/list files from the past 10 minutes, use -t
> 10.  Of course you can specify however many minutes you want until you
> see only the files you wish to copy/move.
>
> Jacques
>
> -------instructions--------
>
> Here is the script.  Feel free to adapt to your needs.  Copy/paste it
> into a text file and save it.  Chmod it to make it executable and then
> edit your PATH in .bashrc to add your script folder where you save
> this script so that you can run it without specifying the full path
> for the script.  Certainly there is room for more error checking.  But
> it has some basic error checking.  And of course I could have used the
> case command instead of a few if statements near the end.  But it was
> quick and dirty scripting and does what I want it to do.
>
> ----------script-------------
> #!/bin/bash
> #
> # Written by jjrboucher@...
> #
> #####################
> #Declaring Variables#
> #####################
> Usage="\nUsage:\n------\n\ndownloads.bash -t <number of minutes>
> (default is 5) -d <destination_folder> -o <move,copy>\nAny invalid -o
> option will simply list the files even if a destination folder is
> specified."
> #default value - 5 minutes.  In other words files with a change time
> of 5 minutes or less.
> declare -i how_old=5
> target=""
> option="z"
> #exit values in case you want to use this script inside another one.
> declare -i Need_help=1
> declare -i Notarget=2
>
> #checks which command line options were specified.
> while getopts ":t:d:o:" opt; do
>   case $opt in
>        t ) how_old=$OPTARG ;;
>        d ) target=$OPTARG ;;
>        o ) option=$OPTARG ;;
>        h | \? | -help ) echo -e $Usage
>                exit $Need_help ;;
>   esac
> done
>
> #if the person specified the option copy or move and did not specify a
> destination folder,
> #advise them that they must specify a destination folder.
> if [ \( "$option" = "copy" \) -o \( "$option" = "move" \) ] && [ -z
> "$target" ]; then
>    echo -e "\nDestination folder (-d) not specified\n".
>    exit $Notarget
> #   fi
> fi
>
> # -o move
> if [ "$option" = "move" ]; then
>    echo "***Moving files from last $how_old mins"
>    echo "======================================"
>    find ~/Downloads/* -cmin -$how_old -type f -exec echo "Moving {}
> to $target" \; -exec mv '{}' $target \;
> # -o copy
>  elif [ "$option" = "copy" ]; then
>    echo "***Copying files from last $how_old mins"
>    echo "======================================"
>    find ~/Downloads/* -cmin -$how_old -type f -exec echo "Copying {}
> to $target" \; -exec cp '{}' $target \;
>  else
> # -o anything but "move" or "copy"
>    echo "***Listing files from last $how_old mins"
>    echo "======================================"
>    find ~/Downloads/* -cmin -$how_old -type f -exec echo "{}" \;
> fi
>
>
> CONFIDENTIALITY NOTICE: This communication with its contents may contain
confidential and/or legally privileged information. It is solely for the use of
the intended recipient(s). Unauthorized interception, review, use or disclosure
is prohibited and may violate applicable laws including the Electronic
Communications Privacy Act. If you are not the intended recipient, please
contact the sender and destroy all copies of the communication.
>
>
> ------------------------------------
>
> Yahoo! Groups Links
>
>
>
>

Thank you for the heads up.

>>> "Jacques B." <jjrboucher@...> 9/30/2011 2:28 PM >>>
You're welcome.  I should point out that the help output in the script
assumes the script is named downloads.bash (the name I gave it).  I
could have used $0 there so the actual script name and full path would
have been displayed to properly reflect whatever name you give it.
But I didn't want the full path displayed and didn't have time to look
through my old scripts to see how to extract only the filename portion
of a string (I've done it in other scripts).  So you'll want to either
change that Usage variable to $0 instead of downloads.bash so it puts
your script name there, or hard code it to whatever name you give it.

Jacques

On Fri, Sep 30, 2011 at 6:07 PM, Luis Salazar <Luis.Salazar@...> wrote:
> Thank you for sharing.
>
>>>> "Jacques B." <jjrboucher@...> 9/30/2011 6:42 AM >>>
> This isn't a forensics script, however I thought it might have some
> value to others in the Linux forensic community.  I often find myself
> downloading some tools or documents and then having to go to the
> downloads folder and sift through it for the stuff I just downloaded
> in order to copy or move it over to another location.  I wrote this
> bash script to take care of that.  By default it will look at all
> files from the ~/Downloads folder that have a change date of 5 minutes
> or less.  You can change that setting via a command line option.  If
> you specify no command line parameters, it will simply list the files
> from the last 5 minutes (so you can make sure it's what you want to
> copy/move).  You can specify the options:
> -o <move,copy> (as the names imply, move will move the files, and copy
> will copy them.  Any other option (misspelling or otherwise) will
> simply list the files).
>
> and you must provide a destination folder as follows:
> -d <destination_folder>
>
> If you want to copy/move/list files from the past 10 minutes, use -t
> 10.  Of course you can specify however many minutes you want until you
> see only the files you wish to copy/move.
>
> Jacques
>
> -------instructions--------
>
> Here is the script.  Feel free to adapt to your needs.  Copy/paste it
> into a text file and save it.  Chmod it to make it executable and then
> edit your PATH in .bashrc to add your script folder where you save
> this script so that you can run it without specifying the full path
> for the script.  Certainly there is room for more error checking.  But
> it has some basic error checking.  And of course I could have used the
> case command instead of a few if statements near the end.  But it was
> quick and dirty scripting and does what I want it to do.
>
> ----------script-------------
> #!/bin/bash
> #
> # Written by jjrboucher@...
> #
> #####################
> #Declaring Variables#
> #####################
> Usage="\nUsage:\n------\n\ndownloads.bash -t <number of minutes>
> (default is 5) -d <destination_folder> -o <move,copy>\nAny invalid -o
> option will simply list the files even if a destination folder is
> specified."
> #default value - 5 minutes.  In other words files with a change time
> of 5 minutes or less.
> declare -i how_old=5
> target=""
> option="z"
> #exit values in case you want to use this script inside another one.
> declare -i Need_help=1
> declare -i Notarget=2
>
> #checks which command line options were specified.
> while getopts ":t:d:o:" opt; do
>   case $opt in
>        t ) how_old=$OPTARG ;;
>        d ) target=$OPTARG ;;
>        o ) option=$OPTARG ;;
>        h | \? | -help ) echo -e $Usage
>                exit $Need_help ;;
>   esac
> done
>
> #if the person specified the option copy or move and did not specify a
> destination folder,
> #advise them that they must specify a destination folder.
> if [ \( "$option" = "copy" \) -o \( "$option" = "move" \) ] && [ -z
> "$target" ]; then
>    echo -e "\nDestination folder (-d) not specified\n".
>    exit $Notarget
> #   fi
> fi
>
> # -o move
> if [ "$option" = "move" ]; then
>    echo "***Moving files from last $how_old mins"
>    echo "======================================"
>    find ~/Downloads/* -cmin -$how_old -type f -exec echo "Moving {}
> to $target" \; -exec mv '{}' $target \;
> # -o copy
>  elif [ "$option" = "copy" ]; then
>    echo "***Copying files from last $how_old mins"
>    echo "======================================"
>    find ~/Downloads/* -cmin -$how_old -type f -exec echo "Copying {}
> to $target" \; -exec cp '{}' $target \;
>  else
> # -o anything but "move" or "copy"
>    echo "***Listing files from last $how_old mins"
>    echo "======================================"
>    find ~/Downloads/* -cmin -$how_old -type f -exec echo "{}" \;
> fi
>
>
> CONFIDENTIALITY NOTICE: This communication with its contents may contain
confidential and/or legally privileged information. It is solely for the use of
the intended recipient(s). Unauthorized interception, review, use or disclosure
is prohibited and may violate applicable laws including the Electronic
Communications Privacy Act. If you are not the intended recipient, please
contact the sender and destroy all copies of the communication.
>
>
> ------------------------------------
>
> Yahoo! Groups Links
>
>
>
>


CONFIDENTIALITY NOTICE: This communication with its contents may contain
confidential and/or legally privileged information. It is solely for the use of
the intended recipient(s). Unauthorized interception, review, use or disclosure
is prohibited and may violate applicable laws including the Electronic
Communications Privacy Act. If you are not the intended recipient, please
contact the sender and destroy all copies of the communication.

Is there a reliable way to ascertain the install date of a Linux OS?
So far the best I can find is that you can only best guess it based on
date/time stamp of certain files.  However where extFS does not track
creation time it's really a best guess.  Other OS artifacts I'm
interested in is last shutdown time, boot up/shutdown times, firewall
settings, instealled software, and users (that one would be
/etc/passwd so that's an easy one).  Basically I'm looking to track
similar information that we can get on a MS Windows system as it
relates to the OS.  I don't think there is anywhere in Linux where you
record the owner/company like you would in the case of MS.  Makes
sense since it's free so no reason to track that at install time.

Thanks,

Jacques

I sent your question to a LUG I belong to and the following was the answer I
got, so it may(not) work. which also means I don't get credit for it if it does
work.

it seems to be accurate since I ran it on my Centos install and it returned a
date of when I roughly installed circa September/2005




>   Is there a reliable way to ascertain the install date of a Linux OS?


On RPM based distros,    rpm -qa --last | tail

Unfortunately, I don't think the dpkg/deb tracks package install time.



> So far the best I can find is that you can only best guess it based on
> date/time stamp of certain files.  However where extFS does not track
> creation time it's really a best guess.  Other OS artifacts I'm
> interested in is last shutdown time, boot up/shutdown times, firewall
> settings, instealled software, and users (that one would be
> /etc/passwd so that's an easy one).  Basically I'm looking to track


for i in /var/log/wtmp*
do
  last -f $i | grep -i boot
done

iptables-save (on fedora, rhel, centos) is current rules.
/etc/sysconfig/iptables is the configured rules.

rpm -qa - installed software



> similar information that we can get on a MS Windows system as it
> relates to the OS.  I don't think there is anywhere in Linux where you
> record the owner/company like you would in the case of MS.  Makes
> sense since it's free so no reason to track that at install time.
>
> Thanks,
> Jacques












[Non-text portions of this message have been removed]

On Wed, Oct 5, 2011 at 10:17 PM, linux bazaar <tlray007@...> wrote:
> I sent your question to a LUG I belong to and the following was the answer I
got, so it may(not) work. which also means I don't get credit for it if it does
work.
>
> it seems to be accurate since I ran it on my Centos install and it returned a
date of when I roughly installed circa September/2005
>
>
>
>
>>   Is there a reliable way to ascertain the install date of a Linux OS?
>
>
> On RPM based distros,    rpm -qa --last | tail
>
> Unfortunately, I don't think the dpkg/deb tracks package install time.
>
>
>
>> So far the best I can find is that you can only best guess it based on
>> date/time stamp of certain files.  However where extFS does not track
>> creation time it's really a best guess.  Other OS artifacts I'm
>> interested in is last shutdown time, boot up/shutdown times, firewall
>> settings, instealled software, and users (that one would be
>> /etc/passwd so that's an easy one).  Basically I'm looking to track
>
>
> for i in /var/log/wtmp*
> do
>   last -f $i | grep -i boot
> done
>
> iptables-save (on fedora, rhel, centos) is current rules.
> /etc/sysconfig/iptables is the configured rules.
>
> rpm -qa - installed software
>
>
>
>> similar information that we can get on a MS Windows system as it
>> relates to the OS.  I don't think there is anywhere in Linux where you
>> record the owner/company like you would in the case of MS.  Makes
>> sense since it's free so no reason to track that at install time.
>>
>> Thanks,
>> Jacques
>

Thanks for your reply.  I'll have to test that out.

Jacques

This is off-topic, but does anyone have a technical contact at the company that
makes XRY?

Jonathan C. Oszust
Micro Systemation (MSAB) is the global leader in forensic technology
for mobile device examination
 
U.S. Office: House of Sweden 2900 K Street NW, Suite 505, Washington, DC  20007
Phone: +1 (202) 536-1592 |  Cell: +1 (703) 853-9644  |  Fax: +1 (888)
395-9027
E-mail: jonathan.oszust@...|  Skype: MSAB_Jon | Web: www.msab.com
________________________________________________________________________________


From: Simson Garfinkel <simsong@...>
To: linux_forensics@yahoogroups.com
Sent: Monday, October 17, 2011 12:46 PM
Subject: [linux_forensics] XRY


 
This is off-topic, but does anyone have a technical contact at the company that
makes XRY?




[Non-text portions of this message have been removed]

If you want a contact at the US office on K street contact Janson Cocoon.

Jansen.Cohoon@...

On Oct 17, 2011 10:49 AM, "Simson Garfinkel" <simsong@...> wrote:

> **
>
>
> This is off-topic, but does anyone have a technical contact at the company
> that makes XRY?
>
>
>


[Non-text portions of this message have been removed]

Thanks.
On Oct 17, 2011, at 5:19 PM, Michael Harrington wrote:

> If you want a contact at the US office on K street contact Janson Cocoon.
>
> Jansen.Cohoon@...
>
> On Oct 17, 2011 10:49 AM, "Simson Garfinkel" <simsong@...> wrote:
>
>> **
>>
>>
>> This is off-topic, but does anyone have a technical contact at the company
>> that makes XRY?
>>
>>
>>
>
>
> [Non-text portions of this message have been removed]
>
>
>
> ------------------------------------
>
> Yahoo! Groups Links
>
>
>

Released Caine 2.5.1 ;) new fixing and updating...
http://www.caine-live.net/

  -------------------------------------------------------------
Dott. Nanni Bassetti
Caine Project Manager - http://www.caine-live.net/

[Non-text portions of this message have been removed]

Having just begun the process of building a new examination laptop, it occurred
to me that it would be nice to formulate some sort of plan as to where I will
source my forensic tools from, and how I will keep the tools updated thereafter.
The obvious routes are via a particular distro's package manager, through source
installs or a mixture of the two.

I was wondering what peoples preferences were if they have one, as well as the
pro's and con's of following one route or the other.

I'm not really after a discussion over which distro is better is better than
which as they all have good and bad points. I am more after gaining an insight
into how other people deal with issues such as outdated packages in repo's
against source installs that may get broken the next time a system update is run
via whatever package manager is in use.

Thanks

Stu


[Non-text portions of this message have been removed]

Hi Stu!

On Ubuntu I typically build my own packages for source stuff, I haven't
gone to the extremes of creating a ppa
https://help.launchpad.net/Packaging/PPA
but that is something worth looking at.

If I want to quickly preserve standard packages across new builds I
typically use --get-selections and --set-selections option in dpkg
e.g.
on the old build
$ sudo dpkg --get-selections > my-packages
on the new build copy over the file my-packages and do
$ sudo dpkg --set-selections < my-packages && sudo apt-get -y update &&
sudo apt-get dselect upgrade

I have created RPM source packages to include --configure options and
some patches for builds, not something I would relish doing again.  In
Ubuntu you could consider looking at fakeroot and dpkg-dev to build your
own packages with appropriate patches and your build options.  See also
https://wiki.ubuntu.com/PackagingGuide/Complete

For a kernel build on Ubuntu I typically use make-kpkg which is part of
kernel-package.

Another quick and dirty way to build packages is use checkinstall

I can't say I've had that many issues with a source install following a
system update!  The only package that causes me most grief is Spock's
fbcondecor kernel patch and splashutils.

Regards,
Jon.

On Sat, 2011-12-10 at 11:50 +0000, Stuart Bird wrote:
>
> Having just begun the process of building a new examination laptop, it
> occurred to me that it would be nice to formulate some sort of plan as
> to where I will source my forensic tools from, and how I will keep the
> tools updated thereafter. The obvious routes are via a particular
> distro's package manager, through source installs or a mixture of the
> two.
>
> I was wondering what peoples preferences were if they have one, as
> well as the pro's and con's of following one route or the other.
>
> I'm not really after a discussion over which distro is better is
> better than which as they all have good and bad points. I am more
> after gaining an insight into how other people deal with issues such
> as outdated packages in repo's against source installs that may get
> broken the next time a system update is run via whatever package
> manager is in use.
>
> Thanks
>
> Stu
>
> [Non-text portions of this message have been removed]
>
>
>
>
>



[Non-text portions of this message have been removed]

Stu, distro packages are convenient, but you don't necessarily know the options
with which they were built.  Source code allows you to install the tools with
the options that fit your needs.

That said, I don't build all my tools from source.  For example, pasco has long
been stable and I've found no benefit to building it from source.  The
Sleuthkit, on the other hand, is actively developed and changes much faster than
the distro package maintainers choose to release.  Building that tool from
source is more beneficial for me.

So, in sum, I'd have to say that its a mixed bag.  However, most of the primary
tools I use I build from source.  I don't concurrently install the distro
package and build from source.

Hope this helps some.  I'm not entirely sure what you are driving at.

---------------------------------
John Lehr
Evidence Technician
San Luis Obispo Police Department
________________________________________
From: linux_forensics@yahoogroups.com [linux_forensics@yahoogroups.com] on
behalf of Stuart Bird [e_tective@...]
Sent: Saturday, December 10, 2011 3:50 AM
To: linux_forensics@yahoogroups.com
Subject: [linux_forensics] Keeping Forensic Tools Updated.

Having just begun the process of building a new examination laptop, it occurred
to me that it would be nice to formulate some sort of plan as to where I will
source my forensic tools from, and how I will keep the tools updated thereafter.
The obvious routes are via a particular distro's package manager, through source
installs or a mixture of the two.

I was wondering what peoples preferences were if they have one, as well as the
pro's and con's of following one route or the other.

I'm not really after a discussion over which distro is better is better than
which as they all have good and bad points. I am more after gaining an insight
into how other people deal with issues such as outdated packages in repo's
against source installs that may get broken the next time a system update is run
via whatever package manager is in use.

Thanks

Stu

[Non-text portions of this message have been removed]

On 12/10/11 11:50:39, Stuart Bird wrote:
> Having just begun the process of building a new examination laptop,
> it occurred to me that it would be nice to formulate some sort of plan
> as to where I will source my forensic tools from, and how I will keep
> the tools updated thereafter. [...]

We have been using the Linux Forensics Tools Repository for
this purpose.
http://www.cert.org/forensics/tools/

     CERT's Linux Forensics Tools Repository is not a standalone
     repository, but rather an extension of the supported
     systems. Tools can be installed as needed or all at once using
     the CERT-Forensics-Tools meta package.

- Gary

Stu

For a Linux distribution, I like a forensic application called
CAINE(Computer Aided INvestigative Environment).
I've found it a good Forensic configuration and it is built on Ubuntu.  It
can be installed onto a hard drive and/or run from a live CD.  Give it a
look  http://www.caine-live.net

Sammy







--
And the word of the Lord came again to Zechariah: "This is what the Lord
Almighty said: 'Administer true justice; show mercy and compassion to one
another.  Do not oppress the widow or the fatherless, the foreigner or the
poor.  Do not plot evil against each other.'"  Zechariah 7:8-10


[Non-text portions of this message have been removed]

Are there any Linux memory dump images available for experimantal/research
purpose? (Any version of kernel would do.) Images for Windows are available for
analysis.

Also, is there any material available that explains the virtual address to
physical address translation in Linux?

I am student wanting to do a project in the field of Linux memory forensics -
any help would be greatly appreciated!

~Suba

I am happy to create some. Please let me know what you would like to see in it.

On Jan 2, 2012, at 1:29 AM, suba_surianarayanan wrote:

> Are there any Linux memory dump images available for experimantal/research
purpose? (Any version of kernel would do.) Images for Windows are available for
analysis.
>
> Also, is there any material available that explains the virtual address to
physical address translation in Linux?
>
> I am student wanting to do a project in the field of Linux memory forensics -
any help would be greatly appreciated!
>
> ~Suba
>
>



[Non-text portions of this message have been removed]

Hi Suba,

Here are a few samples that are available online:

https://www.honeynet.org/challenges/2011_7_compromised_server


http://www.dfrws.org/2008/challenge/submission.shtml


http://forensic.korea.ac.kr/volafox/files/FreeBSD8/FreeBSD.vmem.gz


Also make sure to check out the Linux branch of Volatility and various plugins
that are available for getting information from Linux machines:


http://code.google.com/p/volatility/source/browse/#svn%2Fbranches%2Flin64-suppor\
t


We also have documentation on how to download and use the Linux branch of
Volatility:


http://code.google.com/p/volatility/wiki/LinuxMemoryForensics

All the best,

-Jamie Levy




________________________________
  From: suba_surianarayanan <suba_surianarayanan@...>
To: linux_forensics@yahoogroups.com
Sent: Monday, January 2, 2012 1:29 AM
Subject: [linux_forensics] Linux - address translation


 
Are there any Linux memory dump images available for experimantal/research
purpose? (Any version of kernel would do.) Images for Windows are available for
analysis.

Also, is there any material available that explains the virtual address to
physical address translation in Linux?

I am student wanting to do a project in the field of Linux memory forensics -
any help would be greatly appreciated!

~Suba




[Non-text portions of this message have been removed]

You should also check out the papers, presentations, and other tools listed on
the forensics wiki as well:

http://www.forensicswiki.org/wiki/Linux_Memory_Analysis

--- In linux_forensics@yahoogroups.com, J L <gl33da@...> wrote:
>
> Hi Suba,
>
> Here are a few samples that are available online:
>
> https://www.honeynet.org/challenges/2011_7_compromised_server
>
>
> http://www.dfrws.org/2008/challenge/submission.shtml
>
>
> http://forensic.korea.ac.kr/volafox/files/FreeBSD8/FreeBSD.vmem.gz
>
>
> Also make sure to check out the Linux branch of Volatility and various plugins
that are available for getting information from Linux machines:
>
>
>
http://code.google.com/p/volatility/source/browse/#svn%2Fbranches%2Flin64-suppor\
t
>
>
> We also have documentation on how to download and use the Linux branch of
Volatility:
>
>
> http://code.google.com/p/volatility/wiki/LinuxMemoryForensics
>
> All the best,
>
> -Jamie Levy
>
>
>
>
> ________________________________
>  From: suba_surianarayanan <suba_surianarayanan@...>
> To: linux_forensics@yahoogroups.com
> Sent: Monday, January 2, 2012 1:29 AM
> Subject: [linux_forensics] Linux - address translation
>
>
>  
> Are there any Linux memory dump images available for experimantal/research
purpose? (Any version of kernel would do.) Images for Windows are available for
analysis.
>
> Also, is there any material available that explains the virtual address to
physical address translation in Linux?
>
> I am student wanting to do a project in the field of Linux memory forensics -
any help would be greatly appreciated!
>
> ~Suba
>
>
>
>
> [Non-text portions of this message have been removed]
>

I have posted a public beta of tcpflow version 1.1. The NEWS section is below.

Version 1.1.0-beta1 4 January 2012

Announcing tcpflow version 1.1 (beta 1).  Version 1.1 represents a
significant rewrite of tcpflow. All users are encouraged to evaluate
it; a final release will be made within the next two weeks.

Significant changes include:

* Entire code base migrated to C++ ; code generally
  improved. tcpflow's original hash table has been replaced with an
  STL map which should offer significantly more
  scalability. Eventually tcpflow will expire out old
  connections. This will finally end the program's memory-hogging
  problem.

* Multiple connections with the same (source/destination) are now
  detected and stored in different files. This is significant, as the
  previous implementation would make a single file 1-2GB in
  length. Additional files have the same filename and a "c0001",
  "c0002" appended.

* Filenames may now be prefixed with a unix time_t of the time that
  the connection was first seen.

* The following options are now implemented:

  -o outdir --- now works (previously was not implemented)
  -X xmfile --- now reports execution results in a DFXML
                file. (Version 1.1 will include complete notion in the XML file
of
                every TCP connection as a DFXML <fileobject>
  -Fc       --- Every file has the 'cXXXX' postfix, rather than just
                the files with duplicate source/destination.
  -Ft       --- Every file has the <time_t>T prefix.
  -mNNNN    --- Specifies the minimum number of bytes that need to be
                skipped in a TCP connection before a new

Other improvements from the widely available code base include:

* Support for IPv6

* Support for VLANs

tcpflow can be downloaded from:
	 http://afflib.org/
        http://afflib.org/software/tcpflow

Finally, becuase the previous maintainer had lost control of the old
tcpflow mailing list, a new one has been created at Google Groups. You
can subscribe at:

    http://groups.google.com/group/tcpflow-users




[Non-text portions of this message have been removed]

Thank you for the link. I am finding it very useful and informative.
 
~Suba


________________________________
  From: tgotelnet <atcuno@...>
To: linux_forensics@yahoogroups.com
Sent: Tuesday, January 3, 2012 11:04 PM
Subject: [linux_forensics] Re: Linux - address translation

You should also check out the papers, presentations, and other tools listed on
the forensics wiki as well:

http://www.forensicswiki.org/wiki/Linux_Memory_Analysis

--- In linux_forensics@yahoogroups.com, J L <gl33da@...> wrote:
>
> Hi Suba,
>
> Here are a few samples that are available online:
>
> https://www.honeynet.org/challenges/2011_7_compromised_server
>
>
> http://www.dfrws.org/2008/challenge/submission.shtml
>
>
> http://forensic.korea.ac.kr/volafox/files/FreeBSD8/FreeBSD.vmem.gz
>
>
> Also make sure to check out the Linux branch of Volatility and various plugins
that are available for getting information from Linux machines:
>
>
>
http://code.google.com/p/volatility/source/browse/#svn%2Fbranches%2Flin64-suppor\
t
>
>
> We also have documentation on how to download and use the Linux branch of
Volatility:
>
>
> http://code.google.com/p/volatility/wiki/LinuxMemoryForensics
>
> All the best,
>
> -Jamie Levy
>
>
>
>
> ________________________________
>  From: suba_surianarayanan <suba_surianarayanan@...>
> To: linux_forensics@yahoogroups.com
> Sent: Monday, January 2, 2012 1:29 AM
> Subject: [linux_forensics] Linux - address translation
> 
>
>  
> Are there any Linux memory dump images available for experimantal/research
purpose? (Any version of kernel would do.) Images for Windows are available for
analysis.
>
> Also, is there any material available that explains the virtual address to
physical address translation in Linux?
>
> I am student wanting to do a project in the field of Linux memory forensics -
any help would be greatly appreciated!
>
> ~Suba
>
>
> 
>
> [Non-text portions of this message have been removed]
>




------------------------------------

Yahoo! Groups Links



[Non-text portions of this message have been removed]

JL,
 
Thanks for the links to the dump files and Volatility...
 
I am trying to work my way through kernel data structures, starting at process
structures. (based on a few papers I got through this forum). For this, I used
the DFRWS memory dump and system.map file.
 
Here's the problem I faced - After getting the virtual address of init_task from
the system.map, I converted it to physical address (deducting 0xC0000000). When
I use this physical address to find the next task_struct from the dump, I am not
getting any valid structure at the offset (used WinHex to view the dump). Am I
missing something here?
 
Thanks,
Suba
 

________________________________
  From: J L <gl33da@...>
To: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>
Sent: Tuesday, January 3, 2012 5:13 AM
Subject: Re: [linux_forensics] Linux - address translation

Hi Suba,

Here are a few samples that are available online:

https://www.honeynet.org/challenges/2011_7_compromised_server


http://www.dfrws.org/2008/challenge/submission.shtml


http://forensic.korea.ac.kr/volafox/files/FreeBSD8/FreeBSD.vmem.gz


Also make sure to check out the Linux branch of Volatility and various plugins
that are available for getting information from Linux machines:


http://code.google.com/p/volatility/source/browse/#svn%2Fbranches%2Flin64-suppor\
t


We also have documentation on how to download and use the Linux branch of
Volatility:


http://code.google.com/p/volatility/wiki/LinuxMemoryForensics

All the best,

-Jamie Levy




________________________________
From: suba_surianarayanan <suba_surianarayanan@...>
To: linux_forensics@yahoogroups.com
Sent: Monday, January 2, 2012 1:29 AM
Subject: [linux_forensics] Linux - address translation


 
Are there any Linux memory dump images available for experimantal/research
purpose? (Any version of kernel would do.) Images for Windows are available for
analysis.

Also, is there any material available that explains the virtual address to
physical address translation in Linux?

I am student wanting to do a project in the field of Linux memory forensics -
any help would be greatly appreciated!

~Suba




[Non-text portions of this message have been removed]



------------------------------------

Yahoo! Groups Links



[Non-text portions of this message have been removed]

It would be great if you could provide dumps taken on a system with a running
executable and connected to few websites. I would like to see if these are
traceable through the process structure.
 
Or it would even be better if you could send me the steps to create dumps on
Linux :-)
 
Thanks,
Suba


________________________________
  From: Simson Garfinkel <simsong@...>
To: linux_forensics@yahoogroups.com
Sent: Monday, January 2, 2012 9:41 PM
Subject: Re: [linux_forensics] Linux - address translation

I am happy to create some. Please let me know what you would like to see in it.

On Jan 2, 2012, at 1:29 AM, suba_surianarayanan wrote:

> Are there any Linux memory dump images available for experimantal/research
purpose? (Any version of kernel would do.) Images for Windows are available for
analysis.
>
> Also, is there any material available that explains the virtual address to
physical address translation in Linux?
>
> I am student wanting to do a project in the field of Linux memory forensics -
any help would be greatly appreciated!
>
> ~Suba
>
>



[Non-text portions of this message have been removed]



------------------------------------

Yahoo! Groups Links



[Non-text portions of this message have been removed]

Just run on VMWare, suspend, and grab the memory file!

On Jan 5, 2012, at 11:44 AM, suba surianarayanan wrote:

> It would be great if you could provide dumps taken on a system with a running
executable and connected to few websites. I would like to see if these are
traceable through the process structure.
>
> Or it would even be better if you could send me the steps to create dumps on
Linux :-)
>
> Thanks,
> Suba
>
>
> ________________________________
> From: Simson Garfinkel <simsong@...>
> To: linux_forensics@yahoogroups.com
> Sent: Monday, January 2, 2012 9:41 PM
> Subject: Re: [linux_forensics] Linux - address translation
>
> I am happy to create some. Please let me know what you would like to see in
it.
>
> On Jan 2, 2012, at 1:29 AM, suba_surianarayanan wrote:
>
> > Are there any Linux memory dump images available for experimantal/research
purpose? (Any version of kernel would do.) Images for Windows are available for
analysis.
> >
> > Also, is there any material available that explains the virtual address to
physical address translation in Linux?
> >
> > I am student wanting to do a project in the field of Linux memory forensics
- any help would be greatly appreciated!
> >
> > ~Suba
> >
> >
>
> [Non-text portions of this message have been removed]
>
> ------------------------------------
>
> Yahoo! Groups Links
>
> [Non-text portions of this message have been removed]
>
>



[Non-text portions of this message have been removed]