Monday, November 5, 2012

Portless File transfer by using Hping

PC1: Server that will receive the file.
PC2: Host that will send the file to PC1.

On PC1, you should execute the command below:

hping3 PC1_IP_Address --listen fire --icmp -I eth0 > received_file.txt

Parameters used in the command:

  • --icmp: Protocol (ICMP)
  • -d: Data size in bytes (the payload only, excluding header information)
  • --sign: Signature word that triggers the file transfer
  • --file: Name of the file to send
  • -c: Number of packets
  • -I: Network interface
  • --listen: Listening mode

  • Because of the trigger word "fire", 4 bytes of the data are taken up by the signature. It means that when you want to send a 35 byte file, you send 39 bytes in total.


On PC2, you should execute the command below:

hping3 PC1_IP_Address --icmp -d 73 --sign fire --file sendingfile.txt -c 1 -I eth0

Thursday, November 1, 2012

Check if a file has been downloaded from the Internet

To check this we use the Alternate Data Stream (ADS) properties of a file.

If a file has been downloaded from the Internet or another untrusted zone, Windows adds a Zone.Identifier:$DATA ADS to the file.

You can check the ADS of files by using the dir command or the Sysinternals streams.exe tool.

dir /r c:\

streams.exe -s c:\users\etanirer

Output example:


Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com
c:\users\etanirer\desktop\C2ADPhotosSetupEN.exe:
   :Zone.Identifier:$DATA       26
c:\users\etanirer\desktop\DeployingWindows7EssentialGuidance.pdf:
   :Zone.Identifier:$DATA       26
c:\users\etanirer\desktop\Siteauth.reg:
   :Zone.Identifier:$DATA       26
c:\users\etanirer\desktop\IPhone45111\Yeni klas÷r\iPhone3,1_5.1.1_9B206_Restore.zip:
   :Zone.Identifier:$DATA       26
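As an added example (not from the original post), the script below reads a file's Zone.Identifier stream through the NTFS "file:stream" syntax and decodes the ZoneId into its zone name. The stream bodies are constructed samples; the 26-byte one is the body behind the "26" that streams.exe reports above, and the ReferrerUrl/HostUrl fields are what current Windows browsers add.

```python
"""Read and decode the Zone.Identifier alternate data stream (the "Mark of the Web")."""
from typing import Dict, Optional

# URL security zone ids as Windows records them in the ZoneId= field
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def parse_zone_identifier(data: bytes) -> Dict[str, object]:
    """Parse the INI-style [ZoneTransfer] body; ZoneId becomes an int plus a ZoneName."""
    fields: Dict[str, object] = {}
    section = None
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    zone = fields.get("ZoneId")
    if isinstance(zone, str) and zone.isdigit():
        fields["ZoneId"] = int(zone)
        fields["ZoneName"] = ZONE_NAMES.get(int(zone), "Unknown")
    return fields


def read_zone_identifier(path: str) -> Optional[Dict[str, object]]:
    """Open <file>:Zone.Identifier on NTFS; None when the stream (or the file) is absent."""
    try:
        with open(path + ":Zone.Identifier", "rb") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


# Constructed sample: the 26-byte body that matches the size shown by streams.exe
SAMPLE_LEGACY = b"[ZoneTransfer]\r\nZoneId=3\r\n"
# Constructed sample: newer Windows versions also record where the download came from
SAMPLE_MODERN = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
                 b"ReferrerUrl=https://example.com/downloads/\r\n"
                 b"HostUrl=https://example.com/downloads/tool.exe\r\n")

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, read_zone_identifier(target))
    print(len(SAMPLE_LEGACY), parse_zone_identifier(SAMPLE_LEGACY))
```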

Volatile Sources of Forensic Evidence on Windows-based Systems

When collecting evidence you should proceed from the volatile to the less volatile. Here is an example order of volatility for a typical system.

   -  registers, cache

   -  routing table, arp cache, process table, kernel statistics, memory

   -  temporary file systems

   -  disk

   -  remote logging and monitoring data that is relevant to the system in question

   -  physical configuration, network topology

   -  archival media


Source: http://www.faqs.org/rfcs/rfc3227.html

Resetting the Password on a Macintosh running OS X

If you are doing a forensic investigation of a Macintosh running OS X and you need to access a program on a booted forensic copy of the subject's drive, but you do not know the password, follow the steps below:
If you have any version of the Macintosh OS X boot CD or DVD, place it in the examination system and hold down the C key to boot from the CD/DVD drive. When the system asks if you want to install/reinstall OS X, choose the Password Reset Utility from the drop-down menus at the top of the screen. You will be shown a list of users; you can pick one or all of them and change the password of the accounts to something you know.

Resource: The Official CHFI Study Guide (Exam 312-49) for Computer Hacking Forensic Investigators, Copyright © 2007 by Elsevier, Inc.
