Sabayon Forensics

A Sabayon Linux Spin

Purpose

Scan and Clean

  • Scan/Clean for Viruses and Rootkits

Access Computer and Files

  • Recover or Reset Passwords - Linux and Windows

Find Files

  • Create Database for Easy Searching

Multimedia

  • View Pictures and Play Video Media Files

Networking

  • Access Local LANs and the Internet

Handle Files

  • View, Edit, Save and Transfer Files

Recovery

  • Recover Files or Partitions

Disk Drives

  • Manage Hard Drives - Find Hidden Partitions



Sabayon Spin Project

Gentoo Based

XFCE Desktop

Download

Obtaining Sabayon Forensics ISO Image

You can find other mirrors on the official Sabayon mirrors page; look in the daily folder of each mirror to find the ISOs.

All images are 64-bit.

Brazil: Universidade Federal do Paraná

Czech Republic:

Holland: NLUUG Open Systems, Open Standards

Hungary: Free Software Network Hungary

Italy Garr Consortium

Portugal: Rede das Novas Licenciaturas – Instituto Superior Técnico


Work

Some of the Tools Available in Action

Autopsy

The Sleuth Kit

RootKit Hunter

Check for rootkits

Wireshark

Packet Analyzer

ClamAV

Anti-Virus Toolkit

chntpw

Reset Windows Passwords

Ristretto

Picture viewer


FAQ

Username & Passwords

There are two accounts, root and sabayonuser. Neither has a password, so if you are asked for one, just press Enter. For instance, when you su to the root account you will be prompted for a password; press Enter. So in a terminal:

sabayonuser@sabayon ~ $ su
Password:
sabayon sabayonuser #
Note the #: it shows that you have successfully switched to the root account.

Running Live & Package Manager

You can use the Entropy package manager while running live. Run equo update first to refresh the repository, and run it again after adding any further repositories.

Running Live & Portage

Sabayon Forensics can use both the Entropy binary package manager and Portage. Do not use Portage in a live session. If you install Sabayon Forensics to disk you can use Portage, but it is best to stick with Entropy.

Contacting Me

If you have issues, suggestions or questions about Sabayon Forensics, please feel free to contact me at wolfden@sabayon.org. I'm usually pretty good at responding quickly; weekends can be a bit slower as I like to get away from the computer too. Please make sure you are running the latest release, and provide as much information as possible, including how to reproduce the issue.

Hacking & Cracking

I will not teach or answer any emails asking how to crack/hack. Using the software in malicious behavior can and will get you into legal trouble.

The Release Cycle

Currently it is released once a week. Do you need to download it every week? No, of course not; update to a new version whenever you want. If you find one buggy, grab the next release to see if it works better.

Sabayon Forensics Wiki

Quick Tutorials

Entropy

Entropy is the binary package manager and can be used while running a live session of Sabayon Forensics. It can be run from the terminal with the equo command or with Rigo, the GUI version. I highly recommend using equo.

You will need to update the repository first with equo update. To see a list of commands, run equo --help.

To install packages: equo install foo
To remove packages: equo remove foo
You can use the --ask option to review the dependencies before installing: equo install foo --ask

More indepth information can be found on the official Sabayon Wiki


chntpw

chntpw is a utility for resetting or blanking the passwords of local Windows accounts. Those passwords live in the SAM registry hive, which is found at Windows\System32\config\SAM (or Winnt\System32\config\SAM on older releases). From the live system, mount the Windows partition read-write and look for that path under the mount point; Linux paths are case-sensitive, so use whatever capitalisation the files on that disk actually have.

cd to the config directory on the mounted partition, then:
chntpw -l SAM   List all users in the SAM file
chntpw SAM   Edit the Administrator account (the default when no user is given)
chntpw -u USERNAME SAM   Edit the password of a specific user
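The helper below is an added example, not code from the Sabayon Forensics page or from chntpw itself. It locates the SAM hive under an already mounted Windows partition (the mount point is a hypothetical argument), copes with the mixed capitalisation Windows leaves behind, keeps a copy of the hive before chntpw writes to it, and wraps the list and reset commands from the tutorial above.

```sh
#!/bin/sh
# Added example for the chntpw section; not part of the Sabayon Forensics page.
# Assumes the Windows partition is already mounted at the directory given as
# the first argument (hypothetical) and that chntpw is installed.

# Print the path of the SAM hive below a mount point, or nothing if absent.
# Windows paths are case-insensitive but Linux paths are not, so the hive may
# sit at WINDOWS/system32/config/SAM, Windows/System32/config/SAM, and so on.
# find -ipath matches the whole path case-insensitively and covers them all.
find_sam() {
    mnt=${1%/}
    find "$mnt" -maxdepth 4 -type f \
        \( -ipath "$mnt/windows/system32/config/sam" \
        -o -ipath "$mnt/winnt/system32/config/sam" \) 2>/dev/null | head -n 1
}

# Keep a timestamped copy of the hive next to it before chntpw modifies it:
# the edit is not reversible, and the copy preserves the original contents.
backup_sam() {
    sam=$1
    cp -p "$sam" "$sam.bak-$(date +%Y%m%d%H%M%S)"
}

# List the local accounts in the hive. chntpw -l only reads the file.
list_windows_users() {
    sam=$(find_sam "$1")
    [ -n "$sam" ] || { echo "no SAM hive found under $1" >&2; return 1; }
    chntpw -l "$sam"
}

# Blank or change the password of one account (chntpw prompts interactively).
# This writes to the hive, so the partition must be mounted read-write, which
# alters the disk: do it on a working copy, never on original evidence.
reset_windows_user() {
    user=$1
    sam=$(find_sam "$2")
    [ -n "$sam" ] || { echo "no SAM hive found under $2" >&2; return 1; }
    backup_sam "$sam" || return 1
    chntpw -u "$user" "$sam"
}

# Usage with a real mount (hypothetical mount point):
#   list_windows_users /mnt/win
#   reset_windows_user Administrator /mnt/win
```

If find_sam prints nothing, the partition is usually either not the system partition (check for the Windows or Winnt directory at the top of the mount) or mounted at a different path than the one you passed.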


extundelete

extundelete is a utility that can recover deleted files from an ext3 or ext4 partition. The partition must not be mounted read-write while you work on it (unmount it, or remount it read-only), and recovered files are written to a RECOVERED_FILES directory under the current working directory, so cd to a directory on a different disk first or you will overwrite the very blocks you are trying to recover. Example usage:
extundelete /dev/sda1 --restore-all
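The script below is an added example, not code from the Sabayon Forensics page or from extundelete. It checks the two preconditions that matter before undeleting: that the partition is not mounted read-write, and that the output directory is not on that same partition. The checks read /proc/mounts by default; each function accepts an alternative mounts file as its last argument so the logic can be exercised on constructed data, and the device names and paths used in the comments are hypothetical.

```sh
#!/bin/sh
# Added example for the extundelete section; not part of the Sabayon Forensics page.
# Guards the two mistakes that lose data when undeleting from ext3/ext4:
# running against a read-write mounted filesystem (the journal and block
# allocations keep changing underneath you) and writing the recovered files
# back onto the partition being recovered.

# Exit 0 if DEV is mounted read-write. Reads /proc/mounts by default; a file
# in the same format may be passed as $2 (used with constructed data in tests).
mounted_rw() {
    dev=$1; mounts=${2:-/proc/mounts}
    awk -v dev="$dev" '
        $1 == dev { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "rw") rw = 1 }
        END { exit rw ? 0 : 1 }' "$mounts"
}

# Print the mount point of DEV, or nothing if it is not mounted.
mount_point() {
    dev=$1; mounts=${2:-/proc/mounts}
    awk -v dev="$dev" '$1 == dev { print $2; exit }' "$mounts"
}

# Exit 0 if DIR lies under the mount point of DEV, i.e. recovered data would
# land on the disk being recovered. Deliberately conservative: a separate
# filesystem mounted below that mount point is also refused.
dir_on_dev() {
    dir=$1; dev=$2; mounts=${3:-/proc/mounts}
    mp=$(mount_point "$dev" "$mounts")
    [ -n "$mp" ] || return 1
    mp=${mp%/}            # "/" becomes "", so the pattern below is "/*"
    case "$dir/" in
        "$mp"/*) return 0 ;;
    esac
    return 1
}

# Restore every deleted file extundelete can find on DEV into OUTDIR/RECOVERED_FILES.
# If the partition is still mounted, remount it read-only first, e.g.
#   mount -o remount,ro /dev/sdb1
# (for evidence, mount ext3/ext4 with -o ro,noload so the journal is not replayed).
recover_ext() {
    dev=$1; out=$2
    if mounted_rw "$dev"; then
        echo "$dev is mounted read-write; unmount it or remount it read-only first" >&2
        return 1
    fi
    if dir_on_dev "$out" "$dev"; then
        echo "$out is on $dev; choose an output directory on another disk" >&2
        return 1
    fi
    mkdir -p "$out" && cd "$out" || return 1
    # extundelete writes into ./RECOVERED_FILES, hence the cd above.
    extundelete "$dev" --restore-all
}

# Usage (hypothetical device and path): recover_ext /dev/sdb1 /media/usb/recovered
```

The rw check compares the device name exactly as it appears in /proc/mounts, so pass the same /dev/... name that mount reports rather than a UUID or label alias.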


ClamAV

Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates.

To update the virus definitions, simply run as root: freshclam

Other Usage with clamscan:

Scan a single file:
clamscan file

Scan a current working directory:
clamscan

Scan all files and subdirectories:
clamscan -r /directory

Scan all files and subdirectories, print only infected files (-i), log the results, and move infected files to a quarantine directory:
clamscan -ir /directory -l /var/log/clamscan.log --move=/tmp/virus
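The functions below are an added example, not code from the Sabayon Forensics page or from ClamAV. They scan a mounted evidence tree with the options from the tutorial above but without --move (on a read-only mount the move fails, and on a writable one it alters the evidence), then pull the flagged paths out of the clamscan log so they can be hashed and recorded. The log lines used in the usage example are constructed, and the paths in them are hypothetical.

```sh
#!/bin/sh
# Added example for the ClamAV section; not part of the Sabayon Forensics page.

# Scan DIR recursively, reporting only infected files and appending to LOG.
# No --move or --remove: evidence should be mounted read-only and left as found.
# clamscan exits 0 when nothing was found, 1 when something was, 2 on error.
scan_tree() {
    dir=$1; log=$2
    clamscan -r -i -l "$log" "$dir"
}

# Print the path of every file clamscan flagged in LOG.
# Hit lines look like "/path/to/file: Win.Trojan.Agent-123 FOUND"; signature
# names contain no spaces, so stripping ": <signature> FOUND" leaves the path,
# even when the path itself contains spaces.
infected_paths() {
    awk '/ FOUND$/ { sub(/: [^ ]* FOUND$/, ""); print }' "$1"
}

# Number of flagged files in LOG.
infected_count() {
    infected_paths "$1" | wc -l | tr -d ' '
}

# Record a SHA-256 for each flagged file that still exists, one per line,
# so the evidence can be identified later even if the originals are moved.
hash_infected() {
    infected_paths "$1" | while IFS= read -r f; do
        if [ -f "$f" ]; then
            sha256sum "$f"
        fi
    done
}

# Usage on a constructed log (what clamscan -l writes, without -i, looks like
# this; the paths are hypothetical):
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
/mnt/evidence/Users/bob/Downloads/invoice.exe: Win.Trojan.Agent-123 FOUND
/mnt/evidence/Users/bob/Documents/notes.txt: OK
/mnt/evidence/Users/bob/Desktop/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8000000
Scanned files: 3
Infected files: 2
EOF
echo "flagged: $(infected_count "$sample_log")"
infected_paths "$sample_log"
rm -f "$sample_log"
```

Run scan_tree first against the mounted evidence (for example scan_tree /mnt/evidence /tmp/clamscan.log with a hypothetical mount point), then hash_infected /tmp/clamscan.log while the files are still in place; save that output alongside the log.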


Rootkit Hunter

Rootkit Hunter (RKH) is an easy-to-use tool which checks computers running UNIX (clones) for the presence of rootkits and other unwanted tools.

To Update Definitions:
rkhunter --update

To Run:
rkhunter -c


Ophcrack

Ophcrack can be installed on the live system via the package manager: equo update && equo install ophcrack --nodeps. I have chosen to leave ophcrack off the live image for various reasons, mainly the size of its rainbow tables. I suggest downloading the tables, storing them on USB sticks or DVDs, and then loading them in ophcrack.


fcrackzip

fcrackzip is a zip password cracker, similar to fzc, zipcrack and others. If you run into a password-protected zip file, this one works pretty well.

Say you have a zip file called sensitive.zip. Run a dictionary against it:
fcrackzip -v -D -u -p /usr/share/dict/words sensitive.zip

Here -v is verbose, -D selects dictionary mode, -p names the dictionary file, and -u verifies each candidate with unzip, which weeds out the false positives the fast check otherwise produces.

You can see a list of available dictionaries with ls -la /usr/share/dict


John the Ripper

John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus many more with contributed patches.


mlocate

mlocate is a new locate implementation. The m stands for "merging": updatedb reuses the existing database to avoid rereading most of the file system, which makes updatedb faster and does not trash the system caches as much.

First run updatedb to build the database.
Then search for all jpgs: locate '*.jpg' (quote the pattern so the shell does not expand it against the current directory before locate sees it)


Traceroute

Traceroute tracks the route packets take from an IP network on their way to a given host. It uses the IP time to live (TTL) field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to the host. See the traceroute manual page on your system for more info.

Screenshot: an IP address traced to yahoo

Screenshot: a trace of google, then the IP address found used to pull up google


Wireshark

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.


GParted

GParted is a free partition editor for graphically managing your disk partitions. It is simple and straightforward to use. The standalone GParted Live image boots on x86 and x86-64 computers whatever is installed on them (Linux, Windows or Mac OS X); here it runs from the Sabayon Forensics live session.

Perform actions with partitions such as:

Manipulate file systems such as: