Installing OCFA 2.3.X with FIVES

In this post we will be installing OCFA 2.3.0 rc4 on Debian Squeeze (6).

I will be following the documentation from: http://sourceforge.net/apps/trac/ocfa/wiki/2.3%20installation%20notes

Make sure you do not have sleuthkit installed.
See the note at the bottom for the FIVES suggested packages; I installed everything but sleuthkit.

aptitude install build-essential cmake libfuse-dev fuse-utils libsqlite3-dev openssl libboost-dev libboost-regex-dev libpoco-dev scalpel pasco

wget http://sourceforge.net/projects/ocfa/files/ocfa/2.3.0/ocfa-2.3.0rc4gpl.tar.bz2
tar -xvf ocfa-2.3.0rc4gpl.tar.bz2

I had better luck with libcarvpath from SourceForge than from the OCFA download (problem finding sqlite.h).
wget http://sourceforge.net/projects/carvpath/files/LibCarvPath/libcarvpath2.3.0.tgz
tar -xvf libcarvpath2.3.0.tgz
cmake src, make, sudo make install

The carvfs that came with OCFA built without any issues
cd ocfa-2.3.x/carvfs
cmake src, make, sudo make install

I got an error on libcarvpathrepository with OCFA; it would not build, as it was looking for libboost (libboost-dev).
make, sudo make install

I am interested in working with the FIVES project, so I am installing libpoco-dev.

That is pretty much it for the new version notes. Now we go to the excellent installation guide. I will be listing packages and how to build, but details that already work as written in the document I won't cover, so make sure you have that as well.

aptitude install libpq5 libpq-perl postgresql
aptitude install autoconf automake autotools-dev g++ libace-dev libboost-dev libssl-dev libtool libpq-dev libxerces-c2-dev libxerces-c28 autogen valgrind
aptitude install apache2 libcgicc5 libcgicc5-dev libclucene-dev
aptitude install uuid-dev libdb-dev libmagic-dev samba antiword exiftags p7zip-full libspreadsheet-parseexcel-perl libmail-mboxparser-perl libmail-box-perl libxml-dom-xpath-perl python-dev libcv-dev libhighgui-dev xpdf-utils

wget http://www.rarlab.com/rar/rarlinux-4.0.0.tar.gz
extract, and make

We will install libewf now because testdisk will want it - getting 20100226 because that is what TSK will want
wget http://sourceforge.net/projects/libewf/files/libewf/libewf-20100226/libewf-20100226.tar.gz
extract, ./configure, make, sudo make install

wget http://www.cgsecurity.org/testdisk-6.11.tar.bz2
extract, ./configure --without-ncurses, make, sudo make install

(for TSK)
wget http://afflib.org/downloads/afflib-3.6.9.tar.gz
extract, ./configure, make, sudo make install

wget http://sourceforge.net/projects/sleuthkit/files/sleuthkit/3.2.1/sleuthkit-3.2.1.tar.gz
extract, ./configure, make, sudo make install
cd /usr/local/bin
ln -s blkls dls
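The libewf, testdisk, afflib and sleuthkit steps above are the same "wget, extract, ./configure, make, sudo make install" chain repeated four times. Here is that chain as one script, added here and not part of the original post or of the OCFA/TSK projects: it adds a checksum gate before anything is built, since the tarballs are fetched over plain HTTP. The URLs, versions and the --without-ncurses flag are the ones from the notes; the SHA-256 values are placeholders you must replace with digests obtained out-of-band, and until you do the script refuses to build.

```shell
#!/bin/sh
# Added example (not from the original post): the "wget, extract, ./configure,
# make, sudo make install" chain for libewf, testdisk, afflib and sleuthkit as
# one script, with a checksum gate before anything is built. The URLs and the
# configure flag are the ones in the notes; REPLACE_WITH_SHA256 is a placeholder
# you must fill in with digests you trust, otherwise nothing is built.
set -eu

# Directory a tarball unpacks into, assuming the usual <name>-<version>
# naming; accepts a bare filename or a full URL.
tarball_dir() {
    name=$(basename "$1")
    case "$name" in
        *.tar.gz)  printf '%s\n' "${name%.tar.gz}" ;;
        *.tar.bz2) printf '%s\n' "${name%.tar.bz2}" ;;
        *.tgz)     printf '%s\n' "${name%.tgz}" ;;
        *) echo "unknown archive type: $name" >&2; return 1 ;;
    esac
}

# Compare a file's SHA-256 with the expected hex digest; works with
# coreutils sha256sum, perl shasum, or openssl as a fallback.
verify_sha256() {
    file=$1 expected=$2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{print $1}')
    elif command -v shasum >/dev/null 2>&1; then
        actual=$(shasum -a 256 "$file" | awk '{print $1}')
    else
        actual=$(openssl dgst -sha256 "$file" | awk '{print $NF}')
    fi
    [ "$actual" = "$expected" ]
}

# Download (if not already present), verify, unpack, configure, build and
# install one tarball. Extra arguments are passed to ./configure.
build_tarball() {
    url=$1 sum=$2
    shift 2
    file=$(basename "$url")
    dir=$(tarball_dir "$file")
    [ -f "$file" ] || wget -q "$url"
    if ! verify_sha256 "$file" "$sum"; then
        echo "checksum mismatch for $file, refusing to build" >&2
        return 1
    fi
    tar -xf "$file"
    (cd "$dir" && ./configure "$@" && make && sudo make install)
}

# The TSK dependency chain in the order the notes give it.
install_tsk_stack() {
    build_tarball http://sourceforge.net/projects/libewf/files/libewf/libewf-20100226/libewf-20100226.tar.gz REPLACE_WITH_SHA256
    build_tarball http://www.cgsecurity.org/testdisk-6.11.tar.bz2 REPLACE_WITH_SHA256 --without-ncurses
    build_tarball http://afflib.org/downloads/afflib-3.6.9.tar.gz REPLACE_WITH_SHA256
    build_tarball http://sourceforge.net/projects/sleuthkit/files/sleuthkit/3.2.1/sleuthkit-3.2.1.tar.gz REPLACE_WITH_SHA256
    # OCFA still calls the old TSK tool name "dls"; point it at blkls.
    sudo ln -sf /usr/local/bin/blkls /usr/local/bin/dls
    # Libraries went to /usr/local/lib; refresh the loader cache.
    sudo ldconfig
}

# Only run the whole chain when explicitly asked: sh build-tsk.sh install
if [ "${1:-}" = install ]; then
    install_tsk_stack
fi
```

The script stops at the first failing configure or make, so a missing -dev package shows up immediately instead of surfacing later as a broken sleuthkit build. If you already know a tarball's digest from the project's release page, paste it in place of the placeholder; a mismatch is a reason to stop, not to retry the download.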

cpan> install Mail::Box
(this automatically installs Mail::Transport::Dbx)

wget http://sourceforge.net/projects/vinetto/files/vinetto/vinetto-beta-0.07/vinetto-beta-0.07.tar.gz
python setup.py install

** FIVES required packages - requires the debian-multimedia repository
aptitude install mplayer mencoder libjpeg62-dev libjpeg-progs tesseract-ocr python-numpy ffmpeg libavcodec-dev libavformat-dev libswscale-dev libavutil-dev libgtk2.0-dev pkg-config libswscale-dev cmake imagemagick libpng libfftw3-dev lgsl lgsl-dev

OCFA
OcfaLib
./configure, make, make install

OcfaArch
./configure, make, make install

OcfaModules
./configure (check the output for failures)
make, make install

Now change the password for the ocfa user in psql; after that you should be able to create a new case.


(I have not finished the FIVES section yet.)
You will need the FIVES Toolset Installation document to follow along, because I am not putting everything here.
**FIVES suggested packages for OCFA
aptitude install bzip2 libxerces27-dev libtool libboost-dev libboost-serialization-dev libxerces-c2-dev libssl-dev postgresql-dev libboost-regex-dev libdb4.4-dev exiftags unzip antiword xpdf-utils libmagic-dev apache2 libmime-perl openssh-server netpbm libcgicc5-dev libace-dev g++ libfuse-dev fuse-utils lynx libpq5 libpg-perl postgresql libclucene-dev libpq-dev libxml-dom-perl libmail-box-perl libspreadsheet-parseexcel-perl libsqlite3-dev make cmake phppgadmin

install iulib from source

aptitude install libcv-dev libcv4 libcvaux-dev libcvaux4 libhighgui-dev libhighgui4 opencv-doc python-opencv


Building FIVES Porndetect Image and Video

Installation of FIVES Porndetect was relatively painless on Debian Squeeze (Lenny is a bit of a pain).
First get the F_PORNDETECT.doc from the FIVES portal. Their documentation is pretty good. I am just adding extras that I come across while installing.

Requires:
iulib - Follow gsbabil's post here for all the deps. If you are on Squeeze, autoconf is newer than specified, so you will have to run aclocal before ./build.
The genAM.py patch was required for both Lenny and Squeeze. Download it into the same dir, and apply it with 'patch -p0 < genAM.py.patch'.
After that iulib should build/install - you then just need to copy vidio/vidio.h and imglib/iulib.h to /usr/local/include/

I am building from the FIVES ‘everything.tar.gz’ - so extract it and go into the porndetect dir
All the packages in the document (.doc) seemed to work for me except 'imagemagick++9-dev', which was 'libmagick++-dev' in INSTALL.txt.

After that you should just be able to run 'make' in porndetect, and it works; you will have three executables in the 'build' directory. The command line --help for them is lacking (and there is no manual), but the documentation on the FIVES portal makes up for it.

I will talk about usage in another post, but now on to building video:

For video, it has a lot of the same deps. We just need some video processing libs - see the README in the porndetect-video - it lists all the packages needed. All packages were available from the squeeze repository with no issues (not so with lenny).
I was able to build with no issues, and afterwards had two executables in build: porndetect-video and vis-scores.

Both of the following require a global.makeinfo file that does not come in the everything package. I am waiting to hear from the group about compiling the modules standalone. Check back later.

F_SSEMATCH requires:
afflib and libewf2
Both installed from source with no problems based on the packages previously installed.

F_FDAE module, standalone. This module is for face and age detection.
First we need OpenCV which is available on Squeeze as libcv-dev, and also libsvm-dev which is for machine learning.


Forensic Image and Video Extraction Support (FIVES) Project

While working with the Open Computer Forensics Architecture (OCFA), I came across the Forensic Image and Video Extraction Support (FIVES) project. At the time, REAPER was in the proof of concept stage, and I was thinking more about automated imaging and verification than image and video processing, but with interest in REAPER Preview, image and video detection became more important. Eventually, the developer of Automated Network Triage (ANT) reminded me of FIVES. Taking a closer look, they have some tools, such as face detection and age estimation (using OpenCV), that were exactly what I was looking for. What makes the project even better is the fact that each of the tools is a module that can be plugged into OCFA. I am working on giving REAPER Preview a smaller memory footprint, integrating some of the new Sleuth Kit features, and will definitely be trying out some of the FIVES tools.


Installing a Eucalyptus Cloud with Debian Squeeze

When trying to install Eucalyptus on Debian, the newest version seemed to be packaged for Squeeze. I tried this directly on Lenny, but it did not work. I have never had luck trying to upgrade from Lenny to Squeeze. I suggest a new install rather than upgrading. Squeeze (testing) can be found here: http://www.debian.org/devel/debian-installer/

Just completed the install with Squeeze RC1 with no problems.
Eucalyptus hosts its own repository for Squeeze, which makes everything much, much easier. Also the documentation is pretty good, so this part will mostly be links.
<ul>
<li>Install the front-end cloud controller and any nodes (nodes can be added later)</li>
<li> Next I suggest installing Euca2ools at the same time since you will need them anyway</li>
<li> Restart the hosts</li>
<li> Go to the first time setup to designate the front-end and join nodes to the pool</li>
<li> You should have logged into the front-end to see the first-time settings and change the admin password. Make sure you downloaded your credentials onto the front-end machine, and that you have sourced the key info file.</li>
<li> Now you will need an image. I suggest going to the repository and selecting one yourself to start out with.</li>
<li> Once you have an image, then add it to Eucalyptus</li>
<li> Make sure the service is running on the nodes: /etc/init.d/eucalyptus-nc start</li>
<li> See this documentation section 4 for a quick start for an instance</li></ul>
That should pretty much do it without any fancy configuration options (such as elastic IPs).


Converting Parallels Disks to Raw on OS X

Update: See the forensic focus article: http://articles.forensicfocus.com/2012/07/05/parallels-hard-drive-image-converting-for-analysis/


Update: I have had problems with this method leading to corruption / being unreliable. Backup all your data before you attempt this.

We do quite a bit with parallels, and commonly want to copy a virtual disk for analysis. If you come across a machine with parallels disks, how do you copy a usable image file out? Parallels is set to use expanding disks by default, which are apparently compressed. Digfor talks about finding parallels on a Windows machine, and how to convert the disk. I will just cover the process on OS X (very similar).

Edit (7-12): An easier and faster way is to use ‘qemu-img’. I might try to create a how-to on it in the future, but it is pretty straightforward.

Essentially we want to locate the .hds file. On a Mac the image is usually inside the .pvm package (unless a location was manually specified).
<ul>
<li>Right click on the .pvm file, and click "Show Package Contents".</li>
<li>Move the .hds file to the .pvm directory</li>
<li>Rename the .hds file to OS.hdd (OS can be whatever is meaningful to you)</li>
<li>Open 'Applications/Parallels/Parallels Image Tool'</li>
<li>Choose the new disk image "OS.hdd"</li>
<li>Choose "Convert to plain disk"</li><ul>
<li>Note: This will expand the disk to its "true" size. Make sure your drive is big enough</li></ul>
<li>The converted disk is once again called OS.0.{###}.hds</li>
<li>The resulting file is now raw</li></ul>


img_stat ~/Documents/Parallels/Windows\ Server\ 2003.pvm/Windows\ Server\ 2003.hdd/Windows\ Server\ 2003.hdd.0.\{5fbaabe3-6958-40ff-92a7-860e329aab41\}.hds
IMAGE FILE INFORMATION
--------------------------------------------
Image Type: raw

Size in bytes: 8590675968



Note: You can also use Parallels Image Tool to split and combine the image file - though dd gives you more options.
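The same conversion done from the command line with qemu-img, the faster route the edit above mentions, followed by the img_stat check shown above. This is an added example, not the post's own procedure or any Parallels tooling; it assumes qemu-img and The Sleuth Kit's img_stat are on PATH (for example from Homebrew on OS X), and, given the corruption warning, that it is run against a copy of the .pvm package rather than the live VM directory. The "parallels" format name is qemu-img's driver for this disk format.

```shell
#!/bin/sh
# Added example (not from the original post): convert a Parallels expanding
# disk to raw with qemu-img instead of Parallels Image Tool, then confirm the
# result is the raw image forensic tools expect. Assumes qemu-img and img_stat
# are on PATH and that the input is a copy of the .pvm, never the live one.
set -eu

# Parallels keeps the disk at <Name>.pvm/<Name>.hdd/<Name>.hdd.0.{uuid}.hds
# unless the location was changed by hand; list every .hds in the package.
find_hds() {
    find "$1" -type f -name '*.hds'
}

# Convert one .hds to raw. qemu-img's "parallels" driver reads the expanding
# format directly, so no rename-to-.hdd step is needed. Never overwrite output.
convert_hds() {
    src=$1 dst=$2
    if [ -e "$dst" ]; then
        echo "refusing to overwrite $dst" >&2
        return 1
    fi
    qemu-img convert -f parallels -O raw "$src" "$dst"
}

# Read img_stat output on stdin and print the byte size only if the image
# type is raw; exit non-zero otherwise. Usage: img_stat out.raw | raw_image_size
raw_image_size() {
    awk '/^Image Type:/    { type = $3 }
         /^Size in bytes:/ { size = $4 }
         END { if (type == "raw" && size != "") { print size; exit 0 } exit 1 }'
}

# Convert every disk in a .pvm copy into OUTDIR, verify each result, and
# record a hash beside it so later analysis can show the image is unchanged.
convert_pvm() {
    pvm=$1 outdir=$2
    mkdir -p "$outdir"
    find_hds "$pvm" | while IFS= read -r hds; do
        raw=$outdir/$(basename "${hds%.hds}").raw
        convert_hds "$hds" "$raw"
        size=$(img_stat "$raw" | raw_image_size) || { echo "$raw is not a raw image" >&2; exit 1; }
        echo "$raw: $size bytes"
        shasum -a 256 "$raw" > "$raw.sha256"
    done
}

# Usage: sh parallels2raw.sh "/path/to/copy/Windows Server 2003.pvm" ./out
if [ $# -eq 2 ]; then
    convert_pvm "$1" "$2"
fi
```

As with the Image Tool route, the raw output is the disk's full virtual size, so check free space before converting. The hash file written next to each image is what you compare against later if you suspect the copy was corrupted.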
