[gentoo-dev] app-forensics category and forensics herd proposal

[gentoo-dev] app-forensics category and forensics herd proposal

[Daniel]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


In response to bug 42498 I propose setting up an app-forensics category and 
forensics herd. This will contain all applications that aid the investigation 
of intrusions and general stuff that would be used by law enforcement 
agencies.

Applications so far identified for this and their current maintainers:

app-admin/autopsy - me
app-admin/sleuthkit - me
app-admin/aide - bug wrangers
dev-util/examiner - nobody
app-admin/foremost - Martin Schlemmer - mholzer
sys-apps/air - me
app-admin/chkrootkit - Aaron Walker  - Ka0TTiC
app-admin/rkhunter -  Aaron Walker  - Ka0TTiC

And a few more that ebuilds haven't quite been made for:

http://sourceforge.net/projects/pyflag - FLAG was designed to simplify the 
process of log file analysis and forensic investigations. FLAG facilitates 
efficient analysis of large quantities of data within an interactive 
environment. PyFlag is the reimplementation of FLAG in Python.

http://www.outguess.org/detection.php Stegdetect (bug 35542) - Stegdetect is 
an automated tool for detecting steganographic content in images. It is 
capable of detecting several different steganographic methods to embed hidden 
information in JPEG images.

http://sourceforge.net/projects/ol2mbox/
Outlook to mbox converter (used for litigation support, etc., but also useful 
for anyone.)  Note that this guy MIGHT have been threatened by microsoft as 
some of the content from his page has mysteriously disappeared that contained 
newer versions and they once mentioned legal issues.  The program works 
fairly well, though.

http://sourceforge.net/projects/regviewer/
RegViewer is GTK 2.2 based GUI Windows registry file navigator. It is platform 
independent allowing for examination of Windows registry files from any 
platform. Particularly useful when conducting forensics of Windows files from 
*nix systems. 

http://freshmeat.net/projects/ftimes/
FTimes is a system baselining and evidence collection tool. Its primary 
purpose is to gather and/or develop information about specified directories 
and files in a manner conducive to intrusion analysis. It was designed to 
support the following initiatives: content integrity monitoring, incident 
response, intrusion analysis, and computer forensics. 

http://freshmeat.net/projects/rda/
RDA is a computer forensics tool to remotely acquire data. Usually disk 
cloning or disk/partition imaging means one has to move the disk onto another 
system, and things are more complicated if its a laptop disk. The alternative 
provided by rda is to boot the data source machine with a minimal Linux 
system from a floppy or CD, and simply run rda. Some of the options provided 
are data transfer verification with MD5 and/or CRC32 checksums, skipping read 
errors, and spanning over multiple files. 

http://software.freshmeat.net/projects/fohad/
The Forensic Hash Database is a project to combine the various hashsum sources 
like The KnownGoods Database, Hashkeeper, NIST NSRL, and Dan Farmer's hashsum 
archive into a single meta database. Integration into the forensic analysis 
toolkit The Sleuth Kit is provided through a patch.

http://sourceforge.net/search/?type_of_search=soft&exact=0&words=forensic
lists some others that I haven't included here.

Aaron Walker  -(Ka0TTiC) has voluteered to join me (easily convinced in a 
state of sleep deprivation). 

Other voluteers? Anyone else? other packages worthy of consideration?

- -- 
Daniel Black <dragonheart@gentoo.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBQm8chhpKunZncJcRAiEdAJ9EfpLGkNjUborCM1kNmkbnH96Z5wCgi99O
bobmWG1bxd3b+O8UnsY6IwE=
=tetz
-----END PGP SIGNATURE-----

--
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] app-forensics category and forensics herd proposal

[Tavis Ormandy]

On Sat, Sep 11, 2004 at 12:51:00PM +0930, Daniel wrote:
> 
> other packages worthy of consideration?
> 

sounds interesting, there's app-admin/tripwire as well.

-- 
-------------------------------------
taviso@sdf.lonestar.org | finger me for my gpg key.
-------------------------------------------------------

--
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] app-forensics category and forensics herd proposal

[Lisa Seelye]

[-- Attachment #1: Type: text/plain, Size: 912 bytes --]

On Fri, 2004-09-10 at 23:21, Daniel wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> In response to bug 42498 I propose setting up an app-forensics category and 
> forensics herd. This will contain all applications that aid the investigation 
> of intrusions and general stuff that would be used by law enforcement 
> agencies.
> 
> Applications so far identified for this and their current maintainers:
> 
> app-admin/autopsy - me
> app-admin/sleuthkit - me
> app-admin/aide - bug wrangers
> dev-util/examiner - nobody
> app-admin/foremost - Martin Schlemmer - mholzer
> sys-apps/air - me
> app-admin/chkrootkit - Aaron Walker  - Ka0TTiC
> app-admin/rkhunter -  Aaron Walker  - Ka0TTiC

Would it make sense to put disaster recovery programs and IDS programs
in there too?

-- 
Regards,
Lisa Seelye
Key fingerprint = 09CF 52D6 B82B 72B9 97A7  601B CB46 B556 1E49 6FC5

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] app-forensics category and forensics herd proposal

[Daniel]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>
> Would it make sense to put disaster recovery programs

Definately

> and IDS programs 
> in there too?

Wasn't thinking about it. IDS programs have a different philosophy.  Forensics 
and disaster recovery programs carefully control, extract and present data 
into a usable form. IDS is a system hardening and prevention of data damage.

- -- 
Daniel Black <dragonheart@gentoo.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBQxvShhpKunZncJcRAui7AKCCzuofXlEkRn3W/OQXgTpImU1uNACeL6g3
/sYV1///k1VVQ+L+N9ZtYhg=
=FgKV
-----END PGP SIGNATURE-----

--
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] app-forensics category and forensics herd proposal

[Ned Ludd]

[-- Attachment #1: Type: text/plain, Size: 1277 bytes --]

On Sat, 2004-09-11 at 11:37, Daniel wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> >
> > Would it make sense to put disaster recovery programs
> 
> Definately
> 
> > and IDS programs 
> > in there too?
> 
> Wasn't thinking about it. IDS programs have a different philosophy.  Forensics 
> and disaster recovery programs carefully control, extract and present data 
> into a usable form. 



> IDS is a system hardening and prevention of data damage.

Sorry for the nit pick but this this statement is incorrect.
An IDS does nothing to harden a system. They are not preventive at all.
You can still get compromised just same regardless if you have an IDS in
place or not. They only serve to provide an audit trail. Programs such
as hogwash are an IPS as they make an effort to (re|pro)actively avoid
compromises.

> 
> - -- 
> Daniel Black <dragonheart@gentoo.org>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> 
> iD8DBQFBQxvShhpKunZncJcRAui7AKCCzuofXlEkRn3W/OQXgTpImU1uNACeL6g3
> /sYV1///k1VVQ+L+N9ZtYhg=
> =FgKV
> -----END PGP SIGNATURE-----
> 
> --
> gentoo-dev@gentoo.org mailing list
-- 
Ned Ludd <solar@gentoo.org>
Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] app-forensics category and forensics herd proposal

[Daniel]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



>
> Sorry for the nit pick but this this statement is incorrect.
> An IDS does nothing to harden a system. They are not preventive at all.

Yep - your quite right (as ususal).

> You can still get compromised just same regardless if you have an IDS in
> place or not. They only serve to provide an audit trail. Programs such
> as hogwash are an IPS as they make an effort to (re|pro)actively avoid
> compromises.

Sorry Lisa - I do see how IDS and forensics are related now.

- -- 
Daniel Black <dragonheart@gentoo.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBQ4rBhhpKunZncJcRAj11AJ9PbVlhsadrrFfdNmGlZhQ3s/X3CACfUoZ0
ZGzgnS7N6hbFXw1VTuYRXlY=
=mRoJ
-----END PGP SIGNATURE-----

--
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] app-forensics category and forensics herd proposal

[Ned Ludd]

[-- Attachment #1: Type: text/plain, Size: 921 bytes --]

On Sat, 2004-09-11 at 19:31, Daniel wrote:

[snip]

> Sorry Lisa - I do see how IDS and forensics are related now.

Right now most of the major IDS systems are handled by the Network
Monitoring herd (netmon) which seems the fitting place as most IDS
systems are NIDS (snort/prelude..). 
However we have a few HIDS (aide/tripwire..) in portage currently that
are falling under app-admin which is also seems to be a fitting place.

I'd vote to leave all the IDS systems where they sit now.

> 
> - -- 
> Daniel Black <dragonheart@gentoo.org>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> 
> iD8DBQFBQ4rBhhpKunZncJcRAj11AJ9PbVlhsadrrFfdNmGlZhQ3s/X3CACfUoZ0
> ZGzgnS7N6hbFXw1VTuYRXlY=
> =mRoJ
> -----END PGP SIGNATURE-----
> 
> --
> gentoo-dev@gentoo.org mailing list
-- 
Ned Ludd <solar@gentoo.org>
Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] app-forensics category and forensics herd proposal

[Daniel]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1




> Right now most of the major IDS systems are handled by the Network
> Monitoring herd (netmon) which seems the fitting place as most IDS
> systems are NIDS (snort/prelude..).
> However we have a few HIDS (aide/tripwire..) in portage currently that
> are falling under app-admin which is also seems to be a fitting place.
>
> I'd vote to leave all the IDS systems where they sit now.

me too. Consider them left as is.

- -- 
Daniel Black <dragonheart@gentoo.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBQ/KAhhpKunZncJcRAiYpAKCFyF7BRW8ywopLkYmAtb117U5ppACcC9N9
gN1UO0igRpa9eXizjYa2QLI=
=oDnF
-----END PGP SIGNATURE-----

--
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] app-forensics category and forensics herd proposal

[Donnie Berkholz]

[-- Attachment #1: Type: text/plain, Size: 223 bytes --]

On Fri, 2004-09-10 at 20:21, Daniel wrote:
> app-admin/foremost - Martin Schlemmer - mholzer

The name doesn't match the nick.

Martin Schlemmer == Azarah
Martin Holzer == mholzer
-- 
Donnie Berkholz
Gentoo Linux

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] app-forensics category and forensics herd proposal

[Daniel]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 14 Sep 2004 11:14 am, Donnie Berkholz wrote:
> On Fri, 2004-09-10 at 20:21, Daniel wrote:
> > app-admin/foremost - Martin Schlemmer - mholzer
>
> The name doesn't match the nick.
>
> Martin Schlemmer == Azarah
> Martin Holzer == mholzer

Either way I took it over. :-)

FYI it was Martin Holzer's. Hope you don't mind Martin where ever you are.

- -- 
Daniel Black <dragonheart@gentoo.org>
Gentoo Forensics Herd
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBRpyXhhpKunZncJcRAjRXAJ9f/MjdCuEJzQmzRbbVElJSIzg8KwCgptWy
3W7z60+BwUpzhOvSjl45GKY=
=jEBX
-----END PGP SIGNATURE-----

--
gentoo-dev@gentoo.org mailing list