Just a few handy commands from not too long ago when I was sysadmin-ing around the clock; hopefully these are useful to you. Planning to share more in future.
This post looks at using Ghiro for automated forensic analysis of images. This is something I have been meaning to do for some time but I kept putting it off in favour of other projects, a bad move on my part. The great thing about Ghiro is that, unlike many other security or forensics tools, it is extremely easy to set up and use, making it ideal for everyone, but this especially helps forensic investigators who may not come from a technical background and have a lot of images to analyse quickly.
As stated above, Ghiro is quite easy to set up; you can download it from Git here. Once you have downloaded the Git repository, completing the setup requires you to start up some services essential for running Ghiro, or you can do it the even easier way and download the virtual appliance, which is an .ova image, and import it into virtualisation software such as VirtualBox or VMware, which will then set up a prebuilt, preconfigured machine just for running Ghiro.
For this tutorial I used the .ova image, so the setup effort was virtually zero. On startup you should see some screens which look like the below:
Once set up, simply enter the machine's IP in the browser to get started; you should see a login window like the below:
The dashboard is the first screen you will be greeted with upon logging into Ghiro. Like any good dashboard it supplies a quick overview of open cases, lists all image successes / failures, recently analysed files and a user count. The dashboard is sort of Splunk-ish, which gives it a nice familiar feel for anybody who has spent any great deal of time trawling through dashboards.
Using Ghiro to analyse images
Ghiro is extremely simple to get started with: create a case, and once you have created a case you can add images to it. Here's what my inaugural case file looks like:
You can then either upload images from any machine which can access the page or add images via URL. Once the images are loaded Ghiro will start running its analysis against your saved images, and in a short period of time (literally less than a minute) you will have a detailed image analysis report for each image.
Below are some screenshots of navigating Ghiro's image analysis pages; note the handy geo-tagging features, these are highly useful in creating timelines for your investigations.
I was able to find an image that still had all of its metadata intact; here are segments of the report output which reveal some information about how it was created:
As you can see it's pretty easy to pull up a wealth of information about an image - with a large set of images you can piece together a lot of information from somebody's image metadata.
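To show what Ghiro is actually pulling out when it geo-tags an image, here is an added example (not Ghiro's code, nor from the original post) that walks the EXIF GPS sub-IFD of a TIFF payload and converts the degrees/minutes/seconds rationals into the decimal coordinates a timeline needs. It assumes a little-endian ("II") payload and builds its own constructed sample blob rather than reading a real photo.

```python
import struct
# Tag ids from the TIFF/EXIF spec: the pointer to the GPS sub-IFD and the four GPS tags decoded here
TAG_GPS_IFD = 0x8825
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}

def _read_ifd(tiff, offset, wanted):
    """Walk one little-endian IFD and return {name: value} for the tags listed in `wanted`."""
    out = {}
    (count,) = struct.unpack_from("<H", tiff, offset)
    for i in range(count):
        tag, typ, n, val = struct.unpack_from("<HHII", tiff, offset + 2 + 12 * i)
        if tag not in wanted:
            continue
        if typ == 2:    # ASCII; values of 4 bytes or fewer are stored inline in the value field
            raw = struct.pack("<I", val)[:n] if n <= 4 else tiff[val:val + n]
            out[wanted[tag]] = raw.rstrip(b"\0").decode("ascii")
        elif typ == 4:  # LONG (the GPS sub-IFD offset)
            out[wanted[tag]] = val
        elif typ == 5:  # RATIONAL: n (numerator, denominator) uint32 pairs stored at offset `val`
            pairs = struct.unpack_from("<%dI" % (2 * n), tiff, val)
            out[wanted[tag]] = [pairs[j] / pairs[j + 1] for j in range(0, 2 * n, 2)]
    return out

def gps_from_tiff(tiff):
    """Return (lat, lon) in decimal degrees, or None when the payload carries no GPS IFD.
    Assumes a little-endian ("II") TIFF payload, i.e. the bytes after the Exif header of a JPEG APP1 segment."""
    (ifd0,) = struct.unpack_from("<I", tiff, 4)
    top = _read_ifd(tiff, ifd0, {TAG_GPS_IFD: "GPSInfo"})
    if "GPSInfo" not in top:
        return None
    gps = _read_ifd(tiff, top["GPSInfo"], GPS_TAGS)
    dms = lambda v: v[0] + v[1] / 60 + v[2] / 3600          # degrees, minutes, seconds -> decimal
    lat = dms(gps["GPSLatitude"]) * (-1 if gps["GPSLatitudeRef"] == "S" else 1)
    lon = dms(gps["GPSLongitude"]) * (-1 if gps["GPSLongitudeRef"] == "W" else 1)
    return round(lat, 6), round(lon, 6)

def build_sample(lat_dms, lon_dms, lat_ref="N", lon_ref="E"):
    """Construct a minimal TIFF payload whose only content is a GPS IFD (constructed test data)."""
    gps_off = 8 + 18        # header (8) + IFD0 holding one entry (2 + 12 + 4)
    rat_off = gps_off + 54  # GPS IFD holding four entries (2 + 4 * 12 + 4)
    ascii_entry = lambda tag, s: struct.pack("<HHI", tag, 2, 2) + s.encode() + b"\0\0\0"
    rat_entry = lambda tag, off: struct.pack("<HHII", tag, 5, 3, off)
    rationals = lambda d: struct.pack("<6I", int(d[0]), 1, int(d[1]), 1, int(d[2] * 100), 100)
    return (b"II*\0" + struct.pack("<I", 8)
            + struct.pack("<H", 1) + struct.pack("<HHII", TAG_GPS_IFD, 4, 1, gps_off) + b"\0" * 4
            + struct.pack("<H", 4) + ascii_entry(1, lat_ref) + rat_entry(2, rat_off)
            + ascii_entry(3, lon_ref) + rat_entry(4, rat_off + 24) + b"\0" * 4
            + rationals(lat_dms) + rationals(lon_dms))
```

Run over a directory of images, the same walk tells you which files still carry a location before they are shared, which is the flip side of what an investigator is looking for.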
Some issues with Ghiro
There were some minor issues with Ghiro but they are easily fixable; here are the issues I encountered while using Ghiro:
When using the Add image from URL option there were some caveats with attempting to add images from certain photo hosting sites: some image hosting sites block the download attempts (Flickr was quite good at this), so you may have to acquire these manually - depending on what you are investigating this may mean extra overhead for you to establish the authenticity / integrity of the image you are using.
Also, these failed calls may crash the analysis engine which does all the cool work behind the scenes for you. To fix this you simply need to restart the process, which you can do by running the following command on the Ghiro server:
$ python /var/www/ghiro/manage.py process &
If you're worried about playing with processes, I noticed restarting the Ghiro server would also fix this issue.
Ghiro also intermittently would not be reachable over the web; this happened about 2-3 times but it quickly resolved itself.
Although this is far from an extensive tutorial on the inner workings of image forensics, which I'm sure I'll cover in more detail soon, Ghiro provides a quick, easy and cost-effective way to do image forensics on almost any scale. I hope you find this a useful addition to your toolbox if it isn't there already.
As always please let me know if you found this article useful or if you didn't. Don't forget to like this post or leave a comment below to let me know another area you would be interested in reading about. Thanks for your continued support! Until next time!
Those of you who have read a few of my previous posts may have noticed I use Kali Linux a lot; there's a good reason for that: it's easily one of the most versatile and comprehensive Linux distros available out there. Recently Offensive Security, the group behind Kali Linux, have released Kali Nethunter, which is basically Kali Linux packed into an Android smartphone or tablet.
If anybody has seen or heard of the game Watch_Dogs, Kali Nethunter is like Aiden Pearce's smartphone. For those of you who haven't heard of Watch_Dogs, the premise is this: Aiden Pearce, a notorious hacker, roams around Chicago hacking a smart city with nothing but his smartphone. Kali Nethunter is pretty much the closest thing available to Aiden's phone.
I recently went about installing Kali Nethunter on an LG Nexus 5; this post documents what did and what didn't work in regards to getting it up and running. I hope you find this useful and that it may save you a couple of hours in future when it comes to rooting your own phone or installing Kali Nethunter. Once again I remind you: make sure you never carry out any of these activities on devices that don't belong to you or that you don't have permission to be working on. Kali Nethunter is a powerful tool; use it wisely.
What you will need
- A PC running Windows, Mac OSX or Linux
- A Kali-compatible device (I used a Google Nexus 5); the list of compatible devices is here
Installing it (the way that didn't work)
First you will need to prepare your phone, which you can find the steps for in the prep link above; in short it involves enabling developer mode on your phone and disabling MTP storage.
After that the fun begins: you will need to install Nexus Tools to be able to configure your phone via the terminal.
bash: install.sh: command not found
root@kali:~# bash <(curl -s https://raw.githubusercontent.com/corbindavenport/nexus-tools/master/install.sh)
[INFO] Nexus Tools 2.6.3
[INFO] Please enter sudo password for install.
[ OK ] Sudo access granted.
[INFO] Downloading ADB for Linux [Intel CPU]
[INFO] Success.
[INFO] Downloading Fastboot for Linux [Intel CPU]
[INFO] Success.
[INFO] Downloading udev list
[INFO] Success.
[INFO] Fix permissions
[ OK ] Fixed.
[INFO] Fix ownership
[ OK ] Fixed.
[INFO] Making ADB and Fastboot executable
[INFO] ADB OK.
[INFO] Fastboot OK.
[ OK ] Done, type adb or fastboot to run!
After that, to check adb is working, run the following command (your device should be visible):
root@kali:~# adb devices
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
List of devices attached
sleuthdevice00001 unauthorized
After this you will want to download the files listed in the ls output below (these are available on the Kali install website):
root@kali:~# ls
CF-Auto-Root-hammerhead-hammerhead-nexus5.zip  Desktop  kali_linux_nethunter_1.21_hammerhead_lolipop.zip  openrecovery-twrp-184.108.40.206-hammerhead.img
Now, to unlock and root your phone, you will need to run the following commands in the exact sequence they appear below:
root@kali:~# adb reboot bootloader
root@kali:~# fastboot oem unlock
...
OKAY [ 18.770s]
finished. total time: 18.771s
root@kali:~# fastboot flash recovery openrecovery-twrp-220.127.116.11-hammerhead.img
sending 'recovery' (14000 KB)
OKAY [ 0.653s]
writing 'recovery'
OKAY [ 1.080s]
finished. total time: 1.733s
root@kali:~# chmod 755 root-linux.sh
root@kali:~# ./root-linux.sh
----- CF-Auto-Root-hammerhead-hammerhead-nexus5 -----
Please make sure your device is in bootloader/fastboot mode before continuing.
***WARNING*** ALL YOUR DATA *MAY* BE WIPED !
***WARNING*** We are going to run the OEM UNLOCK command on your device.
If your device was not previously unlocked, this will wipe all your data !
After the unlock, CF-Auto-Root will boot. You should see a big red Android on your device's screen.
You may need to enter your administrator password to continue.
Press Ctrl+C to cancel !
Press ENTER to continue
FAILED (remote: Already Unlocked)
downloading 'boot.img'
OKAY
booting
OKAY
It may take a minute or so for the red Android to appear.
If it doesn't show up at all, there may be a problem.
Press ENTER to continue
root@kali:~# adb devices
List of devices attached
sleuthdevice00001 device
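Before running a sequence that wipes and reflashes a phone, a pre-flight check is worth having. The script below is an added example (not from the post, Nexus Tools or Nethunter) that parses `adb devices` output for the unauthorized state shown earlier, confirms the downloaded files are present, and classifies `fastboot oem unlock` output so that the benign "Already Unlocked" failure is not treated as a real one; the sample outputs and file names are constructed from the sessions above.

```python
import re

# One line per attached device in `adb devices` output: "<serial><TAB><state>"
DEVICE_LINE = re.compile(r"^(\S+)\s+(device|unauthorized|offline|recovery|bootloader|sideload)$")

def parse_adb_devices(output):
    """Map each serial in `adb devices` output to its state, skipping the banner and daemon chatter."""
    states = {}
    for line in output.splitlines():
        m = DEVICE_LINE.match(line.strip())
        if m:
            states[m.group(1)] = m.group(2)
    return states

def unlock_outcome(fastboot_output):
    """Classify `fastboot oem unlock` output: 'unlocked' covers both a fresh OKAY and
    the benign 'Already Unlocked' failure seen in the post; anything else is 'failed'."""
    text = fastboot_output.lower()
    if "already unlocked" in text or re.search(r"^okay", text, re.M):
        return "unlocked"
    return "failed"

def preflight(adb_output, required_files, present_files):
    """Return the problems that should stop the unlock/flash sequence; an empty list means go."""
    problems = []
    states = parse_adb_devices(adb_output)
    if not states:
        problems.append("no device attached")
    if len(states) > 1:
        problems.append("several devices attached; unplug the others so fastboot hits the right one")
    for serial, state in states.items():
        if state != "device":
            # "unauthorized" means the phone has not yet accepted this PC's USB debugging key
            problems.append(f"{serial} is '{state}': accept the USB debugging prompt on the phone first")
    for name in required_files:
        if name not in present_files:
            problems.append(f"missing {name} in the working directory")
    return problems

# Constructed samples modelled on the sessions in the post (same serial and zip names)
UNAUTHORIZED = ("* daemon not running. starting it now on port 5037 *\n"
                "* daemon started successfully *\nList of devices attached\n"
                "sleuthdevice00001\tunauthorized\n")
AUTHORIZED = "List of devices attached\nsleuthdevice00001\tdevice\n"
NEEDED = ["CF-Auto-Root-hammerhead-hammerhead-nexus5.zip",
          "kali_linux_nethunter_1.21_hammerhead_lolipop.zip"]

if __name__ == "__main__":
    print(preflight(UNAUTHORIZED, NEEDED, NEEDED))   # the state the post hit first
    print(preflight(AUTHORIZED, NEEDED, NEEDED))     # [] once the prompt is accepted
```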
After this my phone got stuck in a boot loop, with the TWRP logo flashing on the screen before rebooting.
So what next? After re-running the install process under Linux a few times and seeing no change I tried with Windows. I was able to progress a little further, but after installing Nethunter the phone kept crashing when trying to do something simple like unlocking the phone or opening the menu; the phone was once again rendered unusable at this point.
Installing it (the way that works)
I then tried using the Kali Nethunter Windows Installer, which was by far the easiest and simplest of the three install processes I tried. You simply install the tool and follow the prompts; it downloads all the necessary files and installs them. At the end I had a fully functioning Kali Nethunter device!
Stuff you can do with it
Here's a small list of some of the things Nethunter can do:
- You can use it to boot into ISO images on a PC with Drive Droid
- You can run Metasploit on it!
- Offensive Security have precompiled a number of handy penetration testing tools and attacks; you can see them in action on the Kali website.
- You can use it as a webserver!
- You can use VNC and keyboard features to control PCs.
- Perform NFC attacks
- Monitor / capture / sniff Wi-Fi traffic
I have also included a slideshow of browsing through some of the functionality:
Please let me know if you found this article useful or if you didn't. Don't forget to like this post or leave a comment below to let me know another area you would be interested in reading about. As always thanks for your continued support! Until next time!