Hak.5

Homepage: http://www.hak5.org

Description

Media types: Video

See the cosmos for this show

Feeds

http://www.hak5.org/rss/ipod.xml

http://hak5.org/feed

Last Show

Preview last show from Wed Nov 26 11:11:03 CST 2008

Title: Episode 413 — First Responder Forensics, SNES ROM Hackery, Tailing Logs and Unicorns

Description:

First Responder Forensics with Helix/Live View. Editing Super Mario World levels with Lunar Magic. Following logs with Bare Tail. Unicorns, and a lot more.
[ MP4 | XviD | WMV ]


Show Notes

Matt forgoes the vicodin for this shoot (Wisdom teeth coming out this week) and blames Darren for the HakHouse - the Internet in our living room.

D props Ghost and EDP

Post_Break has been helping D with airbase-ng and wifizoo in BackTrack3

Matt’s birthday landed on our shoot day. We took advantage of the opportunity and surprised him with, well, you’ll just have to see.

First Responder Forensics with Helix/Live View
If you’re ever in a position where you have to perform forensic imaging duties on a machine, this segment may be useful to you! The overall goal is to be able to load a forensic .dd image into an environment where you can interact at the user level with it, and perform some initial analysis that may help to paint the overall picture of what happened later on.

Requirements:

  • A Helix live CD (any of their versions should work, but I recommend 2.0)
  • Any machine that has an OS which is compatible with VMware
  • Either a removable drive, or enough free space on a network share in order to push the .dd image out to it.
  • Live View
  • Having VMware Workstation is a plus, but if not, Live View will automatically download and install VMware Server and the DiskMount utility for you, if you so choose.

Helix is a forensic Live CD with loads of tools. We’re focused on just the image acquisition part today. For the most part, the default options are fine, just specify where you are outputting the .dd image to and you’re on your way!

Install Live View and make sure you either let it install the necessary components, or already have VMware installed ahead of time. It tends not to like the absolute newest version of VMware Server, so ideally use the older one that it suggests. Open the .dd image with Live View, and either Start it directly or Generate the config files. Should you encounter problems with Starting it directly, use the Generate config files option and then manually open the .vmx/.vmdk file from within VMware itself. Don’t forget to check the settings on the new VM and make sure the operating system is set correctly; the program does not always autodetect it.

In layman’s terms, this takes the forensic image and converts it to a virtual machine format, so you can interact with it as if you were the user. It does not write anything to the .dd image at all, but obviously I suggest using this with a COPY of the original .dd image you make of the suspect machine.
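The notes above make two claims worth checking rather than trusting: Live View never writes to the .dd image, and you should only ever hand it a copy of the original. The script below is an added example for this page (it is not Hak5's or Live View's code): it records a SHA-256 of the acquired image in a sha256sum-style sidecar, makes the working copy and confirms it matches before any tool touches it, and can be re-run afterwards to prove the original is still intact and to notice if the working copy was altered. The file names and the 16 KiB stand-in image in the demo are constructed for illustration.

```python
"""Integrity check for a working copy of a forensic .dd image (added example)."""
import hashlib
import os
import shutil
import tempfile

CHUNK_SIZE = 1024 * 1024  # read the image in 1 MiB chunks; a real .dd is far larger than RAM


def sha256_of_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_sidecar(image_path):
    """Record the acquisition hash next to the image in sha256sum's 'HASH  NAME' format."""
    digest = sha256_of_file(image_path)
    with open(image_path + ".sha256", "w", encoding="ascii") as fh:
        fh.write(f"{digest}  {os.path.basename(image_path)}\n")
    return digest


def read_sidecar(image_path):
    """Return the hash recorded for image_path by write_sidecar()."""
    with open(image_path + ".sha256", encoding="ascii") as fh:
        return fh.read().split()[0]


def make_working_copy(original_path, copy_path):
    """Copy the image and confirm the copy hashes identically before any analysis touches it."""
    shutil.copyfile(original_path, copy_path)
    if sha256_of_file(copy_path) != read_sidecar(original_path):
        raise RuntimeError("working copy does not match the acquisition hash")
    return copy_path


def verify_image(image_path, expected_digest):
    """True if the image still hashes to the recorded acquisition value."""
    return sha256_of_file(image_path) == expected_digest


def demo():
    """Constructed walk-through on a tiny fake image; returns each check as a boolean."""
    workdir = tempfile.mkdtemp(prefix="ddcheck-")
    try:
        original = os.path.join(workdir, "suspect.dd")  # constructed file name
        with open(original, "wb") as fh:
            fh.write(bytes(range(256)) * 64)  # constructed 16 KiB stand-in for a disk image
        acquired = write_sidecar(original)

        copy = make_working_copy(original, os.path.join(workdir, "suspect-work.dd"))
        copy_ok_before = verify_image(copy, acquired)

        # Simulate the working copy being altered (a VM run against it with writes enabled).
        with open(copy, "r+b") as fh:
            fh.seek(512)
            fh.write(b"\x00" * 16)
        copy_ok_after = verify_image(copy, acquired)
        original_ok = verify_image(original, acquired)

        return {
            "copy_matched_at_creation": copy_ok_before,
            "tamper_detected_on_copy": not copy_ok_after,
            "original_untouched": original_ok,
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

Run it once right after the Helix acquisition to write the sidecar, again after copying, and again after the Live View session; the sidecar is in sha256sum format, so `sha256sum -c suspect.dd.sha256` gives the same answer on a Linux box without this script.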

Trivia
Last week’s trivia was answered correctly by Mike S. who wrote “Dornier Do-X”. We’ve sent him the first volume of Ed Piskor’s WIZZYWIG hacker graphic novel series.

A note on trivia. Please answer trivia questions on the Hak5 forums from now on. We would love to continue doing dual winners but with growing prize costs we cannot. Also, if you’re interested in volunteering to help with trivia code challenges lend a hand in the Dev5 board.

Editing Super Mario World levels with Lunar Magic
It should be noted here that Matt sucks at Mario. Shannon walks us through some of the basics of editing Super Mario World levels; there is a forum thread on the subject.

Rightfully red Matt shares with us another tip that’ll save you sysadmins some time and sanity. This week Matt features Bare Tail. Not just a Windows equivalent to the Unix command, but a full-featured log file following, highlighting and prettifying GUI, perfect for everything from transaction logs to happy birthday IM conversations with yer mum.

Until next week we welcome your feedback and remind you to Trust your Technolust

Previous Shows


Show Title | Date
Episode 413 — First Responder Forensics, SNES ROM Hackery, Tailing Logs and Unicorns | Nov 26, 2008 11:11 AM
Episode 412 — Session Hijacking and Virtualizing Servers | Nov 19, 2008 11:03 AM
Episode 411 — Paul’s Flamingo | Nov 12, 2008 11:11 AM
Episode 410 — Phreaknic 2008 | Nov 05, 2008 01:08 PM
Episode 409 — HappyHakoween: Password Cracking Clusters, Remote Control Services, Wireshark Packet Filtering | Oct 29, 2008 11:29 AM
Episode 408 — Dissect TCP/IP, Dos Box, Alice, Day-Con, and Fon Batteries | Oct 22, 2008 11:26 AM
Episode 407 — Toorcon 2008: Robin Wood, Dan Griffin, and Jacob Appelbaum | Oct 15, 2008 11:03 AM
