(Command line instructions)
6 Nov. 2010

REAPERlive Preview:
Extracting a working directory
Once you have downloaded the REAPERlivePreview build package
http://sourceforge.net/projects/reaperforensics/files/

Newest release at this time:
http://sourceforge.net/projects/reaperforensics/files/REAPERlivePreview/REAPERPreview_alpha-2_lh_config.tar.gz/download

Extract the package
tar -xvzf REAPERPreview_alpha-2_lh_config.tar.gz

Navigate to the working directory
cd REAPERlivePreview

Type ls
The directory should contain the “makeREAPERlivePreview.sh” script and three directories. This is your working directory.

Configuring the image type
makeREAPERlivePreview.sh is the build configuration script. You can customize REAPER with any software or architecture supported by Debian live, but the most important setting is at lines 39 and 40. Here you can set what type of image you want to create, iso or img (cd or hard drive). Simply put a # in front of the type you do not want, and remove the # from the type you do want.
nano makeREAPERlivePreview.sh
use the arrow key to scroll down to line 39/40 where
#MEDIA="usb-hdd"
MEDIA="iso"
usb-hdd produces a .img file, and iso produces a .iso file. Put the # in front of the file type you do not want, and make sure to remove the # from the file type you do want.
hit ctrl+o and enter to save
hit ctrl+x to exit

Building the REAPER image
If there is already a folder named iso or usb-hdd (previous build) delete it
rm -r usb-hdd

After configuring makeREAPERlivePreview.sh you can build by typing: ./makeREAPERlivePreview.sh

*Note: you must have a working internet connection

After the script is finished, you will have a new directory in the working directory titled either “usb-hdd” or “iso” depending on the type of image you specified.
Use cd usb-hdd to change to that directory.
Another folder for the architecture type will be found (usually i386).
cd i386

Now do ls and you will see binary.img or binary.iso (depending on what you specified).

If it is a .img file you can write it to a usb stick or hard drive using dd. If it is an iso you must use cd burning software.

dd example – make sure you know what you are doing or you might erase your hard drive using dd!!

To image a usb stick:
First type fdisk -l
Note which drive is your usb stick, for example I have /dev/hda and /dev/sda
/dev/sda is my usb stick based on the size and partition tables listed
Unmount any mounted partitions
umount /dev/sda*

dd the image file to the stick – this will erase everything on the stick!!
dd if=binary.img of=/dev/sda

*Note: The created image file is a disk image, not a partition. Do not specify a pre-made partition like /dev/sda1 – it must be the full disk /dev/sda

How to set up previewing profiles
From the working directory, change to user/REAPER/www/profiles
cd user/REAPER/www/profiles

Two profiles are already created, autorun and general.
autorun always runs automatically
general is the template for profiles that can be selected

Copy the general template to our new profile ‘exploitation’
cp -a general exploitation

Move to the new directory
cd exploitation

Type ls and you will see 3 files.
Filetypes: the types of files in a particular category (movie, music, etc.) based on file extension.
General.profile: The current profile settings
keywords: keywords to search for, each on a new line

hashdb: an hfind compatible hash database (md5) can be added with the name hashdb

First rename the General.profile to Exploitation.profile. This is where the profile name gets detected.
mv General.profile Exploitation.profile

From the Exploitation.profile you can change the order or remove entries you are not interested in (the Music section, for example). In this example we will accept the defaults.

For exploitation we are interested in pictures and movies, so we will edit the file types.
nano filetypes

File types must be separated by a | so two entries would look like: \.xls$|\.xlsx$
Capitalization does not matter, but the variations do, jpg and jpeg for example.
Make the modifications as you see fit.

hit ctrl+o and enter to save
hit ctrl+x to exit
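
The following is an added example, not part of REAPER or the original instructions. It builds a filetypes pattern in the \.ext$|\.ext$ form described above and checks it against a constructed list of file names before you rebuild the image. It assumes the pattern is applied as a case-insensitive extended regular expression, which grep -Ei approximates; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not REAPER code): build and check a filetypes pattern.
# Assumption: extensions are plain alphanumerics, so no regex escaping is done.

# build_pattern EXT... -> prints \.ext1$|\.ext2$|...
build_pattern() {
    pattern=""
    for ext in "$@"; do
        ext=${ext#.}                  # accept "jpg" and ".jpg" alike
        [ -n "$ext" ] || continue     # never emit a bare \.$ entry
        if [ -z "$pattern" ]; then
            pattern="\\.${ext}\$"
        else
            pattern="${pattern}|\\.${ext}\$"
        fi
    done
    printf '%s\n' "$pattern"
}

# sample_names: constructed file names standing in for a previewed disk
sample_names() {
    cat <<'EOF'
IMG_0001.JPG
holiday.jpeg
clip.MOV
jpg_notes.txt
archive.jpg.bak
report.xlsx
EOF
}

# match_names PATTERN: print the sample names the pattern selects
match_names() {
    [ -n "$1" ] || return 0           # an empty pattern would match everything
    sample_names | grep -Ei -- "$1" || true
}

# count_matches PATTERN: number of sample names selected
count_matches() {
    match_names "$1" | wc -l | tr -d ' '
}

narrow=$(build_pattern jpg mov)        # misses the .jpeg variation
wide=$(build_pattern jpg jpeg mov)     # lists both variations
echo "narrow: $narrow"; match_names "$narrow"
echo "wide:   $wide";   match_names "$wide"
```

The narrow pattern skips holiday.jpeg, which is why each variation of an extension needs its own entry; jpg_notes.txt and archive.jpg.bak are never selected because every entry is anchored with \. and $.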

Now edit the keywords file
nano keywords

add a list of keywords that (semi-generically) correspond to the type of case you are investigating

hit ctrl+o and enter to save
hit ctrl+x to exit

You can also add a hfind md5 hash database, and it must be named hashdb

That is it. Now you can build a new live cd, and this profile will be automatically detected.