Can someone provide a sample report?


Post  mmmmna on Fri Nov 21, 2008 4:05 am

Hello!

Thank you for your hard work, I appreciate that your distribution likes to collect and organize system related data.

At the moment (I'm working as a contracted employee, subject to contractual obligations and terms), I work for an asset management company. Under certain contracts, the company needs to routinely collect deep system information such as hard disk drive serial number, hard disk drive model number and firmware revision, hard disk S.M.A.R.T. status indicators, system motherboard model, BIOS version and those unique identifier strings relating to the BIOS and the motherboard and so forth; we are also wanting to gather information regarding installed system processor(s) along with stepping code, ram configuration, graphics card information, and so forth. We presently use a commercial product called Blancco, but their licensing costs are getting difficult to accept.

Why do I post here, at CAINE? Well, all of the system data that my company requires should be relevant to computer forensics, so I assume this information is available under your forensics analysis distribution, yes?

I believe the depth of data needs to be similar to this LSUSB dump:
Code:
bash-3.1$
bash-3.1$ lsusb -v

Bus 003 Device 003: ID 058f:6362 Alcor Micro Corp. Hi-Speed 21-in-1 Flash Card Reader/Writer (Internal/External)
Device Descriptor:
  bLength                18
  bDescriptorType        1
  bcdUSB              2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass        0
  bDeviceProtocol        0
  bMaxPacketSize0        64
  idVendor          0x058f Alcor Micro Corp.
  idProduct          0x6362 Hi-Speed 21-in-1 Flash Card Reader/Writer (Internal/External)
  bcdDevice            1.00
  iManufacturer          1 Generic
  iProduct                2 Mass Storage Device
  iSerial                3 058F312D81B
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                9
    bDescriptorType        2
    wTotalLength          32
    bNumInterfaces          1
    bConfigurationValue    1
    iConfiguration          0
    bmAttributes        0x80
      (Bus Powered)
    MaxPower              250mA
    Interface Descriptor:
      bLength                9
      bDescriptorType        4
      bInterfaceNumber        0
      bAlternateSetting      0
      bNumEndpoints          2
      bInterfaceClass        8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol    80 Bulk (Zip)
      iInterface              0
      Endpoint Descriptor:
        bLength                7
        bDescriptorType        5
        bEndpointAddress    0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type              None
          Usage Type              Data
        wMaxPacketSize    0x0200  1x 512 bytes
        bInterval              0
      Endpoint Descriptor:
        bLength                7
        bDescriptorType        5
        bEndpointAddress    0x82  EP 2 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type              None
          Usage Type              Data
        wMaxPacketSize    0x0200  1x 512 bytes
        bInterval              0
Device Qualifier (for other device speed):
  bLength                10
  bDescriptorType        6
  bcdUSB              2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass        0
  bDeviceProtocol        0
  bMaxPacketSize0        64
  bNumConfigurations      1
Device Status:    0x0000
  (Bus Powered)

Bus 003 Device 001: ID 0000:0000
Device Descriptor:
  bLength                18
  bDescriptorType        1
  bcdUSB              2.00
  bDeviceClass            9 Hub
  bDeviceSubClass        0 Unused
  bDeviceProtocol        1 Single TT
  bMaxPacketSize0        64
  idVendor          0x0000
  idProduct          0x0000
  bcdDevice            2.06
  iManufacturer          3 Linux 2.6.22.15.tex2 ehci_hcd
  iProduct                2 EHCI Host Controller
  iSerial                1 0000:00:13.2
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                9
    bDescriptorType        2
    wTotalLength          25
    bNumInterfaces          1
    bConfigurationValue    1
    iConfiguration          0
    bmAttributes        0xe0
      Self Powered
      Remote Wakeup
    MaxPower                0mA
    Interface Descriptor:
      bLength                9
      bDescriptorType        4
      bInterfaceNumber        0
      bAlternateSetting      0
      bNumEndpoints          1
      bInterfaceClass        9 Hub
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0 Full speed (or root) hub
      iInterface              0
      Endpoint Descriptor:
        bLength                7
        bDescriptorType        5
        bEndpointAddress    0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type              None
          Usage Type              Data
        wMaxPacketSize    0x0004  1x 4 bytes
        bInterval              12
Hub Descriptor:
  bLength              11
  bDescriptorType      41
  nNbrPorts            8
  wHubCharacteristic 0x000a
    No power switching (usb 1.0)
    Per-port overcurrent protection
    TT think time 8 FS bits
  bPwrOn2PwrGood      10 * 2 milli seconds
  bHubContrCurrent      0 milli Ampere
  DeviceRemovable    0x00 0x00
  PortPwrCtrlMask    0xff 0xff
 Hub Port Status:
  Port 1: 0000.0100 power
  Port 2: 0000.0100 power
  Port 3: 0000.0100 power
  Port 4: 0000.0100 power
  Port 5: 0000.0100 power
  Port 6: 0000.0100 power
  Port 7: 0000.0100 power
  Port 8: 0000.0503 highspeed power enable connect
Device Status:    0x0003
  Self Powered
  Remote Wakeup Enabled

Bus 001 Device 001: ID 0000:0000
Device Descriptor:
  bLength                18
  bDescriptorType        1
  bcdUSB              1.10
  bDeviceClass            9 Hub
  bDeviceSubClass        0 Unused
  bDeviceProtocol        0 Full speed (or root) hub
  bMaxPacketSize0        64
  idVendor          0x0000
  idProduct          0x0000
  bcdDevice            2.06
  iManufacturer          3 Linux 2.6.22.15.tex2 ohci_hcd
  iProduct                2 OHCI Host Controller
  iSerial                1 0000:00:13.0
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                9
    bDescriptorType        2
    wTotalLength          25
    bNumInterfaces          1
    bConfigurationValue    1
    iConfiguration          0
    bmAttributes        0xe0
      Self Powered
      Remote Wakeup
    MaxPower                0mA
    Interface Descriptor:
      bLength                9
      bDescriptorType        4
      bInterfaceNumber        0
      bAlternateSetting      0
      bNumEndpoints          1
      bInterfaceClass        9 Hub
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0 Full speed (or root) hub
      iInterface              0
      Endpoint Descriptor:
        bLength                7
        bDescriptorType        5
        bEndpointAddress    0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type              None
          Usage Type              Data
        wMaxPacketSize    0x0002  1x 2 bytes
        bInterval            255
Hub Descriptor:
  bLength              9
  bDescriptorType      41
  nNbrPorts            4
  wHubCharacteristic 0x0012
    No power switching (usb 1.0)
    No overcurrent protection
  bPwrOn2PwrGood        2 * 2 milli seconds
  bHubContrCurrent      0 milli Ampere
  DeviceRemovable    0x00
  PortPwrCtrlMask    0xff
 Hub Port Status:
  Port 1: 0000.0100 power
  Port 2: 0000.0100 power
  Port 3: 0000.0100 power
  Port 4: 0000.0100 power
Device Status:    0x0003
  Self Powered
  Remote Wakeup Enabled

Bus 002 Device 004: ID 046d:c404 Logitech, Inc. TrackMan Wheel
Device Descriptor:
  bLength                18
  bDescriptorType        1
  bcdUSB              1.10
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass        0
  bDeviceProtocol        0
  bMaxPacketSize0        8
  idVendor          0x046d Logitech, Inc.
  idProduct          0xc404 TrackMan Wheel
  bcdDevice            2.20
  iManufacturer          1 Logitech
  iProduct                2 Trackball
  iSerial                0
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                9
    bDescriptorType        2
    wTotalLength          34
    bNumInterfaces          1
    bConfigurationValue    1
    iConfiguration          0
    bmAttributes        0xa0
      (Bus Powered)
      Remote Wakeup
    MaxPower              100mA
    Interface Descriptor:
      bLength                9
      bDescriptorType        4
      bInterfaceNumber        0
      bAlternateSetting      0
      bNumEndpoints          1
      bInterfaceClass        3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      2 Mouse
      iInterface              0
        HID Device Descriptor:
          bLength                9
          bDescriptorType        33
          bcdHID              1.10
          bCountryCode            0 Not supported
          bNumDescriptors        1
          bDescriptorType        34 Report
          wDescriptorLength    103
        Report Descriptors:
          ** UNAVAILABLE **
      Endpoint Descriptor:
        bLength                7
        bDescriptorType        5
        bEndpointAddress    0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type              None
          Usage Type              Data
        wMaxPacketSize    0x0008  1x 8 bytes
        bInterval              10
Device Status:    0x0000
  (Bus Powered)

Bus 002 Device 001: ID 0000:0000
Device Descriptor:
  bLength                18
  bDescriptorType        1
  bcdUSB              1.10
  bDeviceClass            9 Hub
  bDeviceSubClass        0 Unused
  bDeviceProtocol        0 Full speed (or root) hub
  bMaxPacketSize0        64
  idVendor          0x0000
  idProduct          0x0000
  bcdDevice            2.06
  iManufacturer          3 Linux 2.6.22.15.tex2 ohci_hcd
  iProduct                2 OHCI Host Controller
  iSerial                1 0000:00:13.1
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                9
    bDescriptorType        2
    wTotalLength          25
    bNumInterfaces          1
    bConfigurationValue    1
    iConfiguration          0
    bmAttributes        0xe0
      Self Powered
      Remote Wakeup
    MaxPower                0mA
    Interface Descriptor:
      bLength                9
      bDescriptorType        4
      bInterfaceNumber        0
      bAlternateSetting      0
      bNumEndpoints          1
      bInterfaceClass        9 Hub
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0 Full speed (or root) hub
      iInterface              0
      Endpoint Descriptor:
        bLength                7
        bDescriptorType        5
        bEndpointAddress    0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type              None
          Usage Type              Data
        wMaxPacketSize    0x0002  1x 2 bytes
        bInterval            255
Hub Descriptor:
  bLength              9
  bDescriptorType      41
  nNbrPorts            4
  wHubCharacteristic 0x0012
    No power switching (usb 1.0)
    No overcurrent protection
  bPwrOn2PwrGood        2 * 2 milli seconds
  bHubContrCurrent      0 milli Ampere
  DeviceRemovable    0x00
  PortPwrCtrlMask    0xff
 Hub Port Status:
  Port 1: 0000.0100 power
  Port 2: 0000.0303 lowspeed power enable connect
  Port 3: 0000.0100 power
  Port 4: 0000.0100 power
Device Status:    0x0003
  Self Powered
  Remote Wakeup Enabled
bash-3.1$

Of course, the report my employer would need should include all busses, not just USB, all motherboard hardware, not just PCI hardware, and so forth.

Could someone kindly present an example of the data that CAINE can collect?

Thanks!

mmmmna

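The `lsusb -v` dump above is a human-readable walk through the USB descriptors, one block per device; an asset record usually wants the opposite shape, one line per device with the identifying fields (vendor:product, serial string, firmware revision, interface classes) side by side so it can be diffed against a baseline or pasted into a report. The shell script below is an added example, not code from the thread or from CAINE: it parses exactly that `lsusb -v` text with awk into CSV. The function names and the embedded sample input (a shortened, constructed copy of the dump above) are this example's own.

```shell
#!/bin/sh
# Added example (not from the CAINE project or the thread): flatten
# `lsusb -v` output into one CSV line per device.
# Columns: bus,device,vid:pid,description,serial,revision,interface_classes
# The description is quoted because vendor names may contain commas.

lsusb_inventory() {
    # Reads `lsusb -v` text on stdin, writes CSV on stdout.
    awk '
    function emit() {
        if (bus != "")
            printf "%s,%s,%s,\"%s\",%s,%s,%s\n", bus, dev, id, desc, serial, rev, classes
        bus = dev = id = desc = serial = rev = classes = ""
    }
    BEGIN { print "bus,device,vid:pid,description,serial,revision,interface_classes" }
    # A new device record starts with "Bus NNN Device NNN: ID vvvv:pppp Name..."
    /^Bus [0-9]+ Device [0-9]+: ID / {
        emit()
        bus = $2; dev = $4; sub(/:$/, "", dev)
        id = $6
        for (i = 7; i <= NF; i++) desc = desc (i > 7 ? " " : "") $i
        next
    }
    # "iSerial  3 058F312D81B": index, then the serial string (absent when index is 0)
    /^ *iSerial / { serial = (NF >= 3) ? $3 : ""; next }
    /^ *bcdDevice / { rev = $2; next }
    # One device may expose several interfaces; join their class names with ";"
    /^ *bInterfaceClass / {
        c = $2
        for (i = 3; i <= NF; i++) c = c " " $i
        classes = classes (classes == "" ? "" : ";") c
        next
    }
    END { emit() }
    '
}

# Constructed sample input, trimmed from the dump in the thread, so the
# script can be run offline. On a live system use:  lsusb -v 2>/dev/null | lsusb_inventory
sample_lsusb() {
    cat <<'EOF'
Bus 003 Device 003: ID 058f:6362 Alcor Micro Corp. Hi-Speed 21-in-1 Flash Card Reader/Writer (Internal/External)
Device Descriptor:
  bLength                18
  bcdDevice            1.00
  iSerial                3 058F312D81B
  Configuration Descriptor:
    Interface Descriptor:
      bInterfaceClass        8 Mass Storage

Bus 002 Device 004: ID 046d:c404 Logitech, Inc. TrackMan Wheel
Device Descriptor:
  bcdDevice            2.20
  iSerial                0
  Configuration Descriptor:
    Interface Descriptor:
      bInterfaceClass        3 Human Interface Device
EOF
}

# Demo run on the constructed sample.
sample_lsusb | lsusb_inventory
```

The serial column is the field most worth keeping: a device whose vendor:product pair matches the baseline but whose serial string does not is a swapped unit, which a descriptor-only comparison would miss. Devices that report no serial (the trackball above) leave the column empty rather than inventing one.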

Re: Can someone provide a sample report?

Post  Admin on Fri Nov 21, 2008 12:13 pm

I created a personalized example of a CAINE report, formatted in RTF and HTML.

The example is customized because I decided to analyze a simple 2GB USB pendrive - really not hard! - but the possibilities are virtually unlimited, due to CAINE's versatility in system and device analysis.

Here you can download and see the report files:
- http://samba.ing.unimo.it/~gianchi/Examples/

1. First of all, I used Grissom Analyzer to gather all the information about the device: mmls, fsstat and img_stat logs are listed in the reports. Then I used LRRP to acquire the geometry of the device; it can be used to gather important information from the PC in which CAINE is booted.

2. After the information gathering I simply used the "Terminal window" with automatic log save to obtain the output of the command "lsusb -v", stored inside the report. I can save the output of any unix command I like inside the report with this simple terminal window.

3. I bypassed the analysis phase (Autopsy, Foremost,... carving and hard-forensic analysis on the collected image)

4. I wrote down a simple (and stupid) personal report.

5. I pressed the button "RTF format" and "HTML format" in the Reporting tab to get the final report.

Now I can easily edit the final rtf file...


P.S.: CAINE opens all the connected devices in READONLY mode, and even with noexec and noatime mount options enabled.

Admin

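Two pieces of the workflow in the post above are worth checking rather than trusting: that the evidence device really was mounted read-only with noexec and noatime before any command touched it (the P.S.), and that each inventory command's output is saved to a log in a form that can later be shown to be unaltered (step 2, the terminal with automatic log save). The shell script below is an added example, not CAINE's own code: `mount_opts_ok` validates a `/proc/mounts` line against the three options, and `logged_run` records a command's output with a timestamp, the exact command line, its exit status and a SHA-256 of the log. Function names, the log layout and the sample mount lines are assumptions of this example.

```shell
#!/bin/sh
# Added example (not CAINE's code): verify forensic mount options and keep a
# hash-checked log of inventory commands.

# Does one /proc/mounts line carry all required options?
# Usage: mount_opts_ok "<line from /proc/mounts>"  -> exit 0 only if ro, noexec
# and noatime are all present. Fields: device mountpoint fstype options dump pass
mount_opts_ok() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    for want in ro noexec noatime; do
        case ",$opts," in
            *",$want,"*) ;;          # exact option, not a substring (rw vs ro, relatime vs noatime)
            *) return 1 ;;
        esac
    done
    return 0
}

# Look a mountpoint up in the live /proc/mounts and apply the check.
# Usage: check_mountpoint /mnt/evidence   (needs a real mounted system; not run in the demo)
check_mountpoint() {
    line=$(awk -v mp="$1" '$2 == mp' /proc/mounts 2>/dev/null)
    [ -n "$line" ] && mount_opts_ok "$line"
}

# Portable SHA-256: sha256sum on Linux, shasum elsewhere.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# Run a command, append its output to a log with a header line, then append
# the log's hash to <log>.sha256 so each run leaves a verifiable record.
# Usage: logged_run <logfile> <command> [args...]
logged_run() {
    log=$1; shift
    {
        printf '### %s ### %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*"
        "$@" 2>&1
        printf '### exit status %s\n' "$?"
    } >> "$log"
    sha256_of "$log" >> "$log.sha256"
}

# Demo on constructed mount lines (a device mounted by hand would use
# something like: mount -o ro,noexec,noatime /dev/sdX1 /mnt/evidence).
good='/dev/sdb1 /mnt/evidence vfat ro,noexec,noatime,nosuid 0 0'
bad='/dev/sdb1 /mnt/evidence vfat rw,noexec,noatime 0 0'
mount_opts_ok "$good" && echo "OK: $good"
mount_opts_ok "$bad" || echo "REFUSE: $bad"

# Demo of the logged run with a harmless command.
demo_log=$(mktemp)
logged_run "$demo_log" uname -a
cat "$demo_log"
cat "$demo_log.sha256"
```

The option check matches whole comma-delimited tokens, so a line carrying `rw` or `relatime` is rejected instead of passing on a substring match. The hash is recomputed after every `logged_run`, which turns `<log>.sha256` into a running record: if the log is edited later, the last hash no longer matches the file.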

Re: Can someone provide a sample report?

Post  mmmmna on Sat Nov 22, 2008 5:44 am

Thank you for creating the sample report and thank you for hosting the files.

I expect that information about the remaining system should also be something that CAINE can generate. At this point, I think I will download the ISO, and give it a try!

mmmmna


Re: Can someone provide a sample report?

Post  Giancarlo on Sat Nov 22, 2008 12:42 pm

Thank you!
By the way, my next project with the CAINE wrapper is to create a business-oriented distribution for an Italian company working in IT security. I will start the project at the beginning of 2009, and it will focus more on security policies and hardware/software recognition than on Computer Forensics investigative procedures...

As you can see, CAINE is only the beginning.
Giancarlo
