First Responder Forensics, SNES ROM Hackery, Tailing Logs and Unicorns

First Responder Forensics with Helix/Live View. Editing Super Mario World levels with Lunar Magic. Following logs with Bare Tail. Unicorns, and a lot more.

Matt forgoes the vicodin for this shoot (Wisdom teeth coming out this week) and blames Darren for the HakHouse -- the Internet in our living room.

D props Ghost and EDP

Post_Break has been helping D with airbase-ng and wifizoo in BackTrack3

Matt's birthday landed on our shoot day. We took advantage of the opportunity and surprised him with, well, you'll just have to see.

First Responder Forensics with Helix/Live View
If you're ever in a position where you have to perform forensic imaging duties on a machine, this segment may be useful to you! The overall goal is to load a forensic .dd image into an environment where you can interact with it at the user level and perform some initial analysis that may later help to paint the overall picture of what happened.

Requirements:

  • A Helix live CD (any of their versions should work, but I recommend 2.0)
  • Any machine that has an OS which is compatible with VMware
  • Either a removable drive, or enough free space on a network share in order to push the .dd image out to it.
  • Live View
  • Having VMware Workstation is a plus, but if not, Live View will automatically download and install VMware Server and the DiskMount utility for you, if you so choose.

Helix is a forensic Live CD with loads of tools. We're focused on just the image acquisition part today. For the most part, the default options are fine, just specify where you are outputting the .dd image to and you're on your way!

Install Live View and make sure you either let it install the necessary components, or already have VMware installed ahead of time. It tends to not like the absolute newest version of VMware Server, so ideally use the older one that it suggests. Open the .dd image with Live View, and either Start it directly or Generate the config files. Should you encounter problems with Starting it directly, use the generate config files option and then manually open the .vmx/.vmdk file from within VMware itself. Don't forget to check the settings on the new VM and make sure the operating system is set correctly, the program does not always autodetect it.

In layman's terms, this takes the forensic image and converts it to a virtual machine format, so you can interact with it as if you were the user. It does not write anything to the .dd image at all, but obviously I suggest using this with a COPY of the original .dd image you make of the suspect machine.
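The advice above about only ever handing a COPY to Live View is worth backing with a hash check, so you can prove afterwards that the image you booted is identical to the one you acquired and that the original was never touched. The snippet below is an added example, not code from the Hak5 segment, Helix or Live View. It assumes GNU coreutils sha256sum is available (it is on any Linux box, including Helix); the image paths and digest file name are placeholders.

```shell
#!/bin/sh
# Added example (not from the Hak5 segment): make a verified working copy
# of a forensic .dd image before pointing Live View at it.
# Assumes GNU coreutils (sha256sum, cut, cp). Paths are placeholders.

# Print only the SHA-256 digest of the file given as $1.
image_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Record the acquisition digest of ORIGINAL ($1) in DIGEST_FILE ($3) in
# "sha256sum -c" format, copy ORIGINAL to WORKING ($2), and confirm the copy
# hashes identically. Returns 0 only when the copy is byte-for-byte identical.
make_working_copy() {
    original="$1"; working="$2"; digest_file="$3"
    orig_hash=$(image_hash "$original")
    printf '%s  %s\n' "$orig_hash" "$original" > "$digest_file"
    cp "$original" "$working"
    work_hash=$(image_hash "$working")
    if [ "$orig_hash" = "$work_hash" ]; then
        printf 'OK: %s matches %s (%s)\n' "$working" "$original" "$orig_hash"
        return 0
    fi
    printf 'MISMATCH: %s differs from %s; do not analyse it\n' "$working" "$original" >&2
    return 1
}

# Later (for instance after the Live View session), check that the original
# image still matches the digest recorded at acquisition time. Returns 0 if
# unchanged, non-zero if the evidence image has been altered.
verify_original() {
    sha256sum -c "$1" >/dev/null 2>&1
}
```

Typical use is `make_working_copy /mnt/evidence/suspect.dd /mnt/work/suspect.dd /mnt/work/suspect.sha256` right after acquisition, then `verify_original /mnt/work/suspect.sha256` before writing up findings; keep the digest file with your case notes, since it is what lets you show the original was not modified during analysis.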

Trivia
Last week's trivia was answered correctly by Mike S. who wrote "Dornier Do-X". We've sent him the first volume of Ed Piskor's WIZZYWIG hacker graphic novel series.

A note on trivia. Please answer trivia questions on the Hak5 forums from now on. We would love to continue doing dual winners but with growing prize costs we cannot. Also, if you're interested in volunteering to help with trivia code challenges, lend a hand in the Dev5 board.

Editing Super Mario World levels with Lunar Magic
It should be noted here that Matt sucks at Mario. Shannon walks us through some of the basics of editing Super Mario World levels with Lunar Magic. The concept is quite simple. Fire up Lunar Magic, open your SMW ROM, and play. Save your changed level back to the ROM or alternatively save the level out to a MWL file ready (and legal) for distribution. If you'd like to share your Super Mario World levels with us or check out some of the other Hak5'ers' levels, check out our forum thread on the subject.

Rightfully red Matt shares with us another tip that'll save you sysadmins some time and sanity. This week Matt features Bare Tail. Not just a Windows equivalent to the Unix command but a full featured log file following, highlighting and prettifying GUI perfect for everything from transaction logs to happy birthday IM conversations with yer mum.

Until next week we welcome your feedback and remind you to Trust your Technolust