Welcome back, my tenderfoot hackers! Continuing my series on digital forensics, I want to introduce you to two complementary tools, both built right into Kali. These are Brian Carrier's tools. Carrier is one of the leading authorities on operating system file systems.
His book is a must-have classic for any serious student of digital forensics. He built his open-source suite of tools, Sleuth Kit, to put his knowledge and understanding of file system forensics into practice.
Autopsy was built to sit on top of Sleuth Kit to offer an intuitive, GUI-based forensic suite that uses the strength of Sleuth Kit while also offering the basics of a case management tool.

Step 1: Fire Up Kali & Open Autopsy

Let's fire up Kali and then go to Applications - Kali Linux - Forensic Suites and select autopsy from the list. As I mentioned earlier, Autopsy is just a GUI overlay on top of Brian Carrier's excellent suite of forensic tools, Sleuth Kit.
Since Sleuth Kit only uses command line instructions, Autopsy makes working with it much simpler and more intuitive.

Step 3: Create a New Case

As in any real forensic investigation, you will need to create a case and organize all of your evidence and information. In this regard, Autopsy requires that you start a case to get started. Here, I have given this case a numerical case name (101) and a description of 'Null Byte', and I have provided my name as the investigator (OTW). Please note that I can provide up to six (6) investigator names. In a real forensic investigation, you will seldom be working alone.

In this screen, Autopsy asks us whether we want to:

1. Ignore the hash value for this image,
2. Calculate the hash value for this image, or
3. Add the following MD5 hash value for this image.

If you did not calculate the hash value when you captured the image (best practice), now is the time to do that. If you created a hash value when you created the image, you can attach it to the image file here.
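As an added example (not code from the original tutorial or from Autopsy), here is the check that sits behind the "add the MD5 hash value" option: hash the image in chunks, so a multi-gigabyte raw image is never loaded whole into memory, and compare it with the value recorded at acquisition, which is usually pasted straight from an md5sum line. SAMPLE_IMAGE, RECORDED_MD5, evidence.dd and the function names are constructed for illustration; the SHA-256 is recorded alongside because a second algorithm costs nothing while the image is already being read, even though this Autopsy screen only accepts MD5.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a raw disk image (a real one would be a dd/E01 file).
SAMPLE_IMAGE = b"The quick brown fox jumps over the lazy dog"
# Hypothetical value written down at acquisition, exactly as md5sum printed it.
RECORDED_MD5 = "9E107D9D372BB6826BD81D3542A419D6  evidence.dd"


def hash_file(path, chunk_size=1024 * 1024):
    """Return MD5 and SHA-256 of a file, reading it chunk by chunk."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def normalize_md5(recorded):
    """Accept a bare hash or a full md5sum line ('<hash>  <file>'), any case."""
    digest = recorded.strip().split()[0].lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a 32-hex-digit MD5: %r" % recorded)
    return digest


def verify_image(path, recorded_md5, chunk_size=1024 * 1024):
    """True when the image on disk still matches the acquisition-time MD5."""
    return hash_file(path, chunk_size)["md5"] == normalize_md5(recorded_md5)


def demo(chunk_size=16):
    """Write the sample to a temp file, verify it, then show a one-byte change failing."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(SAMPLE_IMAGE)
        intact = verify_image(path, RECORDED_MD5, chunk_size)
        with open(path, "r+b") as fh:  # simulate a modified evidence file
            fh.seek(0)
            fh.write(b"t")
        tampered = verify_image(path, RECORDED_MD5, chunk_size)
        return intact, tampered
    finally:
        os.unlink(path)
```

The small chunk size in demo() forces the hash to be computed across several reads, which is the case that matters for real images.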
Stay Tuned for More on Autopsy & Sleuth Kit

In my next tutorial, we will use Autopsy and the Sleuth Kit tools to analyze the image we saved here for artifacts that can lead us to reconstruct the events of the crime, so, my greenhorn hackers!
We won't only install Kippo; we will also install a MySQL database to save the events and Kippo-Graph to look at these events in a web interface. Please follow the next steps to install Kippo.

Prerequisites:
sudo apt-get install subversion python-twisted python-mysqldb apache2

1. Install MySQL.
root@kali:/# apt-get install mysql-server
root@kali:/# apt-get install mysql-client

2. Create the database and a user named kippo with all privileges on it.
root@kali:/# mysql -h localhost -u root -p
mysql> create database kippo;
mysql> GRANT ALL ON kippo.* TO 'kippo'@'localhost' IDENTIFIED BY 'Kippo-password';
mysql> exit

3. Download Kippo and uncompress it at /usr/local/src/.

4. Create the tables using the user just created.
root@kali:/# cd /usr/local/src/kippo-0.8/doc/sql/
root@kali:/usr/local/src/kippo-0.8/doc/sql# mysql -u kippo -p
mysql> use kippo;
mysql> source mysql.sql;
mysql> show tables;
mysql> exit

5. Add the lines below to kippo.cfg.
[database_mysql]
host = localhost
database = kippo
username = kippo
password = Kippo-password

6. Create an unprivileged user to start Kippo and give it access to the folder.
root@kali:/# useradd -d /home/kippo -s /bin/bash -m kippo -g sudo
root@kali:/usr/local/src# chown -R kippo kippo-0.8/
(Note that -g sudo makes sudo the user's primary group, and on Debian-based systems such as Kali that group can run sudo; drop it if the user is meant to stay unprivileged.)

7. Install the packages required for Kippo-Graph.
sudo apt-get update
sudo apt-get install libapache2-mod-php5 php5-cli php5-common php5-cgi php5-mysql php5-gd

8. Download Kippo-Graph.
root@kali:/# wget <URL of kippo-graph-0.8.tar, omitted from the page>
root@kali:/# mv kippo-graph-0.8.tar /var/www/
root@kali:/var/www# tar xvf kippo-graph-0.8.tar --no-same-permissions
(inside the directory the tarball extracted to)
chmod 777 generated-graphs
vim config.php   # enter the appropriate values
sudo /etc/init.d/apache2 restart

9. Start Kippo.
root@kali:/usr/local/src/kippo-0.8# su kippo
kippo@kali:/usr/local/src/kippo-0.8$ ./start.sh