* [gentoo-dev] app-forensics category and forensics herd proposal
From: Daniel @ 2004-09-11 3:21 UTC
To: gentoo-dev
In response to bug 42498 I propose setting up an app-forensics category and
forensics herd. This will contain all applications that aid the investigation
of intrusions and general stuff that would be used by law enforcement
agencies.
Applications so far identified for this and their current maintainers:
app-admin/autopsy - me
app-admin/sleuthkit - me
app-admin/aide - bug wranglers
dev-util/examiner - nobody
app-admin/foremost - Martin Schlemmer - mholzer
sys-apps/air - me
app-admin/chkrootkit - Aaron Walker - Ka0TTiC
app-admin/rkhunter - Aaron Walker - Ka0TTiC
And a few more that ebuilds haven't quite been made for:
http://sourceforge.net/projects/pyflag - FLAG was designed to simplify the
process of log file analysis and forensic investigations. FLAG facilitates
efficient analysis of large quantities of data within an interactive
environment. PyFlag is the reimplementation of FLAG in Python.
http://www.outguess.org/detection.php Stegdetect (bug 35542) - Stegdetect is
an automated tool for detecting steganographic content in images. It is
capable of detecting several different steganographic methods to embed hidden
information in JPEG images.
http://sourceforge.net/projects/ol2mbox/
Outlook to mbox converter (used for litigation support, etc., but also useful
for anyone.) Note that this guy MIGHT have been threatened by microsoft as
some of the content from his page has mysteriously disappeared that contained
newer versions and they once mentioned legal issues. The program works
fairly well, though.
http://sourceforge.net/projects/regviewer/
RegViewer is a GTK 2.2-based GUI Windows registry file navigator. It is platform
independent allowing for examination of Windows registry files from any
platform. Particularly useful when conducting forensics of Windows files from
*nix systems.
http://freshmeat.net/projects/ftimes/
FTimes is a system baselining and evidence collection tool. Its primary
purpose is to gather and/or develop information about specified directories
and files in a manner conducive to intrusion analysis. It was designed to
support the following initiatives: content integrity monitoring, incident
response, intrusion analysis, and computer forensics.
http://freshmeat.net/projects/rda/
RDA is a computer forensics tool to remotely acquire data. Usually disk
cloning or disk/partition imaging means one has to move the disk onto another
system, and things are more complicated if it's a laptop disk. The alternative
provided by rda is to boot the data source machine with a minimal Linux
system from a floppy or CD, and simply run rda. Some of the options provided
are data transfer verification with MD5 and/or CRC32 checksums, skipping read
errors, and spanning over multiple files.
http://software.freshmeat.net/projects/fohad/
The Forensic Hash Database is a project to combine the various hashsum sources
like The KnownGoods Database, Hashkeeper, NIST NSRL, and Dan Farmer's hashsum
archive into a single meta database. Integration into the forensic analysis
toolkit The Sleuth Kit is provided through a patch.
http://sourceforge.net/search/?type_of_search=soft&exact=0&words=forensic
lists some others that I haven't included here.
Aaron Walker (Ka0TTiC) has volunteered to join me (easily convinced in a
state of sleep deprivation).
Other volunteers? Anyone else? Other packages worthy of consideration?
--
Daniel Black <dragonheart@gentoo.org>
--
gentoo-dev@gentoo.org mailing list
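The rda entry in the proposal above names three things a remote acquisition tool has to get right: the transfer is verified with MD5 and/or CRC32, read errors are skipped rather than aborting the image, and the image can be spanned over several output files. The Python below is an added example written for this page to show how those three fit together; it is not rda's own code. It assumes a 512-byte block size, an in-memory "disk" constructed inline with one simulated bad block, and the same policy dd applies with conv=noerror,sync (an unreadable block is replaced by zeros so later offsets stay aligned, and its number is recorded for the examiner).

```python
"""Forensic disk acquisition with the safeguards rda's description lists:
MD5 and CRC32 transfer verification, skipping of read errors, and spanning
the image across several bounded-size output segments.

The 'disk' is an in-memory byte string with a constructed set of bad
blocks; a real tool would read a block device and write segment files."""
import hashlib
import io
import zlib
from dataclasses import dataclass, field
from typing import Callable, List, Set

BLOCK = 512  # assumed sector size for the example


class BadSector(IOError):
    """Raised by the constructed source to simulate a media read error."""


def make_source(data: bytes, bad_blocks: Set[int]) -> Callable[[int], bytes]:
    """Return a block reader over an in-memory disk image (constructed input)."""
    def read_block(n: int) -> bytes:
        if n in bad_blocks:
            raise BadSector(f"read error at block {n}")
        return data[n * BLOCK:(n + 1) * BLOCK]
    return read_block


@dataclass
class Acquisition:
    segments: List[bytes] = field(default_factory=list)   # spanned image parts
    segment_md5: List[str] = field(default_factory=list)  # per-segment digests
    md5: str = ""          # MD5 of the whole image as acquired
    crc32: int = 0         # CRC32 of the whole image as acquired
    bad_blocks: List[int] = field(default_factory=list)   # zero-filled blocks
    size: int = 0


def acquire(read_block: Callable[[int], bytes], n_blocks: int,
            span_blocks: int) -> Acquisition:
    """Image n_blocks blocks, starting a new segment every span_blocks blocks.

    A block that fails to read is replaced by zeros so that every later
    offset in the image still matches the source (the policy dd applies with
    conv=noerror,sync), and its number is logged for the examiner."""
    acq = Acquisition()
    whole_md5, crc = hashlib.md5(), 0
    seg, seg_md5 = io.BytesIO(), hashlib.md5()
    for n in range(n_blocks):
        try:
            chunk = read_block(n)
        except IOError:
            chunk = b"\x00" * BLOCK
            acq.bad_blocks.append(n)
        whole_md5.update(chunk)
        crc = zlib.crc32(chunk, crc)
        seg.write(chunk)
        seg_md5.update(chunk)
        if (n + 1) % span_blocks == 0 or n + 1 == n_blocks:
            acq.segments.append(seg.getvalue())
            acq.segment_md5.append(seg_md5.hexdigest())
            seg, seg_md5 = io.BytesIO(), hashlib.md5()
    acq.md5 = whole_md5.hexdigest()
    acq.crc32 = crc & 0xFFFFFFFF
    acq.size = n_blocks * BLOCK
    return acq


def verify(acq: Acquisition) -> bool:
    """Receiver-side check: re-hash every segment and the concatenation and
    compare with the digests recorded at acquisition time."""
    if len(acq.segments) != len(acq.segment_md5):
        return False
    whole_md5, crc, total = hashlib.md5(), 0, 0
    for seg, expected in zip(acq.segments, acq.segment_md5):
        if hashlib.md5(seg).hexdigest() != expected:
            return False
        whole_md5.update(seg)
        crc = zlib.crc32(seg, crc)
        total += len(seg)
    return (total == acq.size and whole_md5.hexdigest() == acq.md5
            and (crc & 0xFFFFFFFF) == acq.crc32)


def reassemble(acq: Acquisition) -> bytes:
    """Join the spanned segments back into one image."""
    return b"".join(acq.segments)


if __name__ == "__main__":
    disk = bytes(range(256)) * 8          # constructed 4-block "disk"
    acq = acquire(make_source(disk, {2}), n_blocks=4, span_blocks=3)
    print(f"segments={len(acq.segments)} bad_blocks={acq.bad_blocks} "
          f"md5={acq.md5} crc32={acq.crc32:08x} verified={verify(acq)}")
```

The per-segment digests are what make spanning safe to transport: a segment that was truncated or altered in transit is caught on its own, before the whole-image digest is compared. The bad-block list is part of the evidence record, since the zero-filled regions are the tool's substitution, not the source's content.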
* Re: [gentoo-dev] app-forensics category and forensics herd proposal
From: Tavis Ormandy @ 2004-09-11 8:07 UTC
To: Daniel; +Cc: gentoo-dev
On Sat, Sep 11, 2004 at 12:51:00PM +0930, Daniel wrote:
>
> other packages worthy of consideration?
>
sounds interesting, there's app-admin/tripwire as well.
--
-------------------------------------
taviso@sdf.lonestar.org | finger me for my gpg key.
-------------------------------------------------------
* Re: [gentoo-dev] app-forensics category and forensics herd proposal
From: Lisa Seelye @ 2004-09-11 14:38 UTC
To: Daniel; +Cc: lisa, gentoo-dev
On Fri, 2004-09-10 at 23:21, Daniel wrote:
> In response to bug 42498 I propose setting up an app-forensics category and
> forensics herd. This will contain all applications that aid the investigation
> of intrusions and general stuff that would be used by law enforcement
> agencies.
>
> Applications so far identified for this and their current maintainers:
>
> app-admin/autopsy - me
> app-admin/sleuthkit - me
> app-admin/aide - bug wranglers
> dev-util/examiner - nobody
> app-admin/foremost - Martin Schlemmer - mholzer
> sys-apps/air - me
> app-admin/chkrootkit - Aaron Walker - Ka0TTiC
> app-admin/rkhunter - Aaron Walker - Ka0TTiC
Would it make sense to put disaster recovery programs and IDS programs
in there too?
--
Regards,
Lisa Seelye
Key fingerprint = 09CF 52D6 B82B 72B9 97A7 601B CB46 B556 1E49 6FC5
* Re: [gentoo-dev] app-forensics category and forensics herd proposal
From: Daniel @ 2004-09-11 15:37 UTC
To: gentoo-dev
> Would it make sense to put disaster recovery programs
Definitely
> and IDS programs
> in there too?
Wasn't thinking about it. IDS programs have a different philosophy. Forensics
and disaster recovery programs carefully control, extract and present data
into a usable form. IDS is a system hardening and prevention of data damage.
--
Daniel Black <dragonheart@gentoo.org>
* Re: [gentoo-dev] app-forensics category and forensics herd proposal
From: Ned Ludd @ 2004-09-11 16:40 UTC
To: Daniel; +Cc: gentoo-dev
On Sat, 2004-09-11 at 11:37, Daniel wrote:
> > Would it make sense to put disaster recovery programs
>
> Definately
>
> > and IDS programs
> > in there too?
>
> Wasn't thinking about it. IDS programs have a different philosophy. Forensics
> and disaster recovery programs carefully control, extract and present data
> into a usable form.
> IDS is a system hardening and prevention of data damage.
Sorry for the nitpick, but this statement is incorrect.
An IDS does nothing to harden a system. They are not preventive at all.
You can still get compromised just same regardless if you have an IDS in
place or not. They only serve to provide an audit trail. Programs such
as hogwash are an IPS as they make an effort to (re|pro)actively avoid
compromises.
--
Ned Ludd <solar@gentoo.org>
Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer
* Re: [gentoo-dev] app-forensics category and forensics herd proposal
From: Daniel @ 2004-09-11 23:31 UTC
To: gentoo-dev
> Sorry for the nit pick but this this statement is incorrect.
> An IDS does nothing to harden a system. They are not preventive at all.
Yep - you're quite right (as usual).
> You can still get compromised just same regardless if you have an IDS in
> place or not. They only serve to provide an audit trail. Programs such
> as hogwash are an IPS as they make an effort to (re|pro)actively avoid
> compromises.
Sorry Lisa - I do see how IDS and forensics are related now.
--
Daniel Black <dragonheart@gentoo.org>
* Re: [gentoo-dev] app-forensics category and forensics herd proposal
From: Ned Ludd @ 2004-09-12 0:09 UTC
To: Daniel; +Cc: gentoo-dev
On Sat, 2004-09-11 at 19:31, Daniel wrote:
[snip]
> Sorry Lisa - I do see how IDS and forensics are related now.
Right now most of the major IDS systems are handled by the Network
Monitoring herd (netmon) which seems the fitting place as most IDS
systems are NIDS (snort/prelude..).
However we have a few HIDS (aide/tripwire..) in portage currently that
are falling under app-admin, which also seems to be a fitting place.
I'd vote to leave all the IDS systems where they sit now.
--
Ned Ludd <solar@gentoo.org>
Gentoo (hardened,security,infrastructure,embedded,toolchain) Developer
* Re: [gentoo-dev] app-forensics category and forensics herd proposal
From: Daniel @ 2004-09-12 6:53 UTC
To: gentoo-dev
> Right now most of the major IDS systems are handled by the Network
> Monitoring herd (netmon) which seems the fitting place as most IDS
> systems are NIDS (snort/prelude..).
> However we have a few HIDS (aide/tripwire..) in portage currently that
> are falling under app-admin, which also seems to be a fitting place.
>
> I'd vote to leave all the IDS systems where they sit now.
me too. Consider them left as is.
--
Daniel Black <dragonheart@gentoo.org>
* Re: [gentoo-dev] app-forensics category and forensics herd proposal
From: Donnie Berkholz @ 2004-09-14 1:44 UTC
To: gentoo-dev
On Fri, 2004-09-10 at 20:21, Daniel wrote:
> app-admin/foremost - Martin Schlemmer - mholzer
The name doesn't match the nick.
Martin Schlemmer == Azarah
Martin Holzer == mholzer
--
Donnie Berkholz
Gentoo Linux
* Re: [gentoo-dev] app-forensics category and forensics herd proposal
From: Daniel @ 2004-09-14 7:24 UTC
To: gentoo-dev
On Tue, 14 Sep 2004 11:14 am, Donnie Berkholz wrote:
> On Fri, 2004-09-10 at 20:21, Daniel wrote:
> > app-admin/foremost - Martin Schlemmer - mholzer
>
> The name doesn't match the nick.
>
> Martin Schlemmer == Azarah
> Martin Holzer == mholzer
Either way I took it over. :-)
FYI it was Martin Holzer's. Hope you don't mind, Martin, wherever you are.
--
Daniel Black <dragonheart@gentoo.org>
Gentoo Forensics Herd