Sabayon Forensics

A Sabayon Linux Spin

Purpose

Scan and Clean

  • Scan/Clean for Viruses and Rootkits

Access Computer and Files

  • Gain/Control Passwords - Linux and Windows

Find Files

  • Create Database for Easy Searching

Multimedia

  • View Pictures and Play Video Media Files

Networking

  • Access local LANs and the Internet

Handle Files

  • View, Edit, Save and Transfer Files

Recovery

  • Recover Files or Partitions

Disk Drives

  • Manage hard drives - find hidden partitions



Desktop

  • Sabayon spin project
  • Gentoo based
  • XFCE desktop

Download

Obtaining Sabayon Forensics ISO Image

You can find other mirrors on the official Sabayon mirrors page; look in the daily folder for the ISOs.

All images are 64-bit.

Brazil: Universidade Federal Do Paranà

Czech Republic:

Holland: NLUUG Open Systems, Open Standards

Hungary: Free Software Network Hungary

Italy: GARR Consortium

Portugal: Rede das Novas Licenciaturas – Instituto Superior Técnico


Work

Some of the Tools Available in Action

Autopsy

Graphical front end to The Sleuth Kit

RootKit Hunter

Check for rootkits

Wireshark

Packet Analyzer

ClamAV

Anti-Virus Toolkit

chntpw

Reset Windows Passwords

Ristretto

Picture-Viewer


FAQ

Username & Passwords

There are two accounts, root and sabayonuser. Neither has a password, so if you are asked for one just press Enter. For example, when you su to root you are prompted for a password; press Enter. In a terminal:

sabayonuser@sabayon ~ $ su
Password:
sabayon sabayonuser #

The # shows that you have successfully switched to the root account. Because both accounts are passwordless, set one for each with the passwd command before you connect the live system to a network.

Running Live & Package Manager

You can use the Entropy package manager while running live. Run equo update first to refresh the repository (or repositories, if you add more).

Running Live & Portage

Sabayon Forensics can use both the binary (Entropy) and Portage package managers. Do not use Portage in a live session. Once Sabayon Forensics is installed to disk you can use Portage, but it is best to stick with Entropy.

Contacting Me

If you have an issue(s), suggestion(s) or question(s) on Sabayon Forensics, please feel free to contact me at wolfden@sabayon.org. I'm usually pretty good at responding quickly; weekends can be a bit slower, as I like to get away from the computer too. Please make sure you are always running the latest release. Please provide as much information as possible and how to reproduce the issue(s).

Hacking & Cracking

I will not teach or answer any emails asking how to crack/hack. Using the software for malicious purposes can and will get you into legal trouble.

The Release Cycle

Currently it is released once a week. Do you need to download it every week? No, of course not; update to a new version whenever you want. If you find one buggy, grab the next release to see if it works better.

Entropy


Entropy is the binary package manager and can be used while running a live session of Sabayon Forensics. It can be run from the terminal with the equo command or with Rigo, the GUI version. I highly recommend using equo.

Update the repository first, then see the list of commands:
equo update
equo --help

To install packages: equo install foo
To remove packages: equo remove foo
Use the --ask option to review dependencies before installing: equo install foo --ask

More in-depth information can be found on the official Sabayon Wiki.


chntpw


chntpw is a utility for resetting or blanking the local account passwords that Windows stores in the SAM registry hive. On the Windows volume the hive is Windows\System32\config\SAM (Winnt\System32\config\SAM on older releases); after mounting the partition read-write with ntfs-3g the directory names may show up in a different case (WINDOWS, system32). Two caveats: chntpw edits the hive in place, so run it on a copy or an image rather than on original evidence, and the Windows installation must have been shut down cleanly, since a hibernated (or fast-startup) system leaves the volume dirty, ntfs-3g will refuse to mount it read-write, and any change could be lost.

cd to the config directory, then:
chntpw -l SAM            list all users in the SAM file
chntpw SAM               edit the Administrator account (the default when no user is given)
chntpw -u USERNAME SAM   edit the password of a specific user
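As an added example (not code from the Sabayon Forensics page or from chntpw), the following POSIX shell script finds the SAM hive under a mounted Windows volume regardless of the directory-name case, takes a backup copy before anything touches it, and then runs the listing step above. It assumes the Windows partition is already mounted read-write with ntfs-3g at the path given as its argument (for example /mnt/win) and that chntpw is installed; the function names find_sam and backup_sam are mine.

```shell
#!/bin/sh
# Added example, not from the Sabayon Forensics page. Locate the SAM hive
# under a mounted Windows volume and list its accounts with chntpw.
# Assumption: the Windows partition is mounted read-write with ntfs-3g at $1,
# e.g. mount -t ntfs-3g /dev/sda2 /mnt/win, and chntpw is installed.
#
# NTFS is case-insensitive but Linux is not, so after mounting the path may
# read Windows/System32/config, WINDOWS/system32/config or Winnt/...;
# find -ipath matches all of them, and the exact name "sam" leaves out
# the SAM.LOG* transaction files next to it.

find_sam() {
    # Print the path of the SAM hive below mount point $1; fail if none.
    mnt=${1:?mount point required}
    sam=$(find "$mnt" -maxdepth 4 -type f -ipath '*/system32/config/sam' 2>/dev/null | head -n 1)
    [ -n "$sam" ] || return 1
    printf '%s\n' "$sam"
}

backup_sam() {
    # chntpw rewrites the hive in place: keep a pristine, timestamped copy.
    sam=${1:?path to SAM required}
    copy="$sam.orig.$(date +%Y%m%d%H%M%S)"
    cp -p "$sam" "$copy" || return 1
    printf '%s\n' "$copy"
}

main() {
    mnt=${1:-/mnt/win}
    sam=$(find_sam "$mnt") || { echo "no SAM hive found under $mnt" >&2; exit 1; }
    copy=$(backup_sam "$sam") || exit 1
    echo "hive: $sam"
    echo "backup: $copy"
    cd "$(dirname "$sam")" || exit 1
    # List accounts. To change one afterwards: chntpw -u USERNAME SAM
    chntpw -l "$(basename "$sam")"
}

[ $# -eq 0 ] || main "$@"
```

Usage: save as find_sam.sh and run `sh find_sam.sh /mnt/win` as root. If the volume was imaged rather than mounted directly, point it at the mounted image instead; the backup copy is what you compare against afterwards.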


extundelete


extundelete is a utility that can recover deleted files from an ext3 or ext4 partition. The partition must be unmounted (or at least mounted read-only) while you run it, and recovered files are written to a RECOVERED_FILES directory under the current working directory. Example usage:
extundelete /dev/sda1 --restore-all
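An added example (not from the page or from extundelete): a guard around the command above that refuses to run while the partition is still mounted and keeps the recovered files off the evidence disk. It assumes a Linux /proc/mounts, that the device is given as the first argument, and that extundelete's --output-dir option is available; the function names and the /tmp/recovered default are mine.

```shell
#!/bin/sh
# Added example, not from the page. Run extundelete only when it is safe:
# the file system must not be mounted, and output must not land on the
# device being recovered. Assumptions: Linux /proc/mounts; $1 is the
# ext3/ext4 block device; extundelete supports --output-dir.

is_mounted() {
    # Succeed if $1 appears in /proc/mounts as a device or as a mount point.
    awk -v t="$1" '$1 == t || $2 == t { f = 1 } END { exit !f }' /proc/mounts 2>/dev/null
}

recover_all() {
    dev=${1:?block device, e.g. /dev/sda1}
    out=${2:-/tmp/recovered}
    if is_mounted "$dev"; then
        echo "$dev is mounted; unmount it (umount $dev) before recovery" >&2
        return 1
    fi
    mkdir -p "$out" || return 1
    # --restore-all walks the journal for every deleted inode. To limit the
    # run to recent deletions add: --after "$(date -d '1 day ago' +%s)"
    extundelete "$dev" --output-dir "$out" --restore-all
}

[ $# -eq 0 ] || recover_all "$@"
```

Run as root: `sh recover.sh /dev/sda1 /mnt/usb/recovered`, with the output directory on a different disk than the one being recovered.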


ClamAV

ClamAV (Clam AntiVirus) is an open-source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command-line scanner and an advanced tool for automatic database updates.

To update the virus definitions, simply run as root: freshclam

Other usage with clamscan:

Scan a single file:
clamscan file

Scan the current working directory:
clamscan

Scan all files and subdirectories:
clamscan -r /directory

Scan all files and subdirectories, report and log only infected files, and move the infected files to another location:
clamscan -i -r /directory -l /var/log/clamscan.log --move=/tmp/virus
(On evidence mounted read-only, --move cannot work and would alter the disk anyway; use the --copy option instead.)

If you run into a socket error (clamd.sock):
# touch /var/lib/clamav/clamd.sock
# chown clamav:clamav /var/lib/clamav/clamd.sock
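The wrapper below is an added example, not part of ClamAV or of this page. It scans an evidence volume that is assumed to be mounted read-only at the path given as its argument, uses --copy rather than --move so the evidence is never altered, distinguishes clamscan's exit codes (0 clean, 1 infected, 2 error), and parses the scanner's "<path>: <signature> FOUND" output lines into a tab-separated list. The function names and the default log and quarantine paths are my choices.

```shell
#!/bin/sh
# Added example, not from the page or from ClamAV. Scan a mounted evidence
# volume with clamscan without touching it, then turn the scanner's output
# into a machine-readable list of hits.
# Assumptions: the evidence is mounted read-only at $1; the log file and
# quarantine directory defaults below are my choice.

parse_found() {
    # clamscan reports each hit as "<path>: <signature> FOUND" and clean
    # files as "<path>: OK". Emit "<path><TAB><signature>" per hit; paths
    # may contain spaces, signature names never do.
    awk '$NF == "FOUND" {
        sig = $(NF - 1)
        path = $0
        sub(/: [^ :]+ FOUND$/, "", path)
        print path "\t" sig
    }'
}

scan_evidence() {
    mnt=${1:?mount point of the evidence volume}
    log=${2:-/var/log/clamscan.log}
    qdir=${3:-/tmp/quarantine}
    mkdir -p "$qdir" || return 2
    # --copy, not --move: the source stays untouched, and a read-only mount
    # would make --move fail anyway. --infected keeps the log to hits only.
    if clamscan --recursive --infected --log="$log" --copy="$qdir" "$mnt"; then
        rc=0
    else
        rc=$?
    fi
    # clamscan exit status: 0 nothing found, 1 infected file(s), 2 error.
    case $rc in
        0) echo "clean: no infected files under $mnt" ;;
        1) echo "infected files found (copies in $qdir):"
           parse_found < "$log" ;;
        *) echo "clamscan failed with status $rc, see $log" >&2 ;;
    esac
    return "$rc"
}

[ $# -eq 0 ] || scan_evidence "$@"
```

Run `freshclam` first, then `sh scan_evidence.sh /mnt/evidence` as root; the tab-separated list can be fed straight into a spreadsheet or a hashing loop for the case notes.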


Rootkit Hunter

Rootkit Hunter (RKH) is an easy-to-use tool which checks computers running UNIX (and clones) for the presence of rootkits and other unwanted tools. Note that it inspects the running system, so from the live CD it checks the live environment itself, not a mounted suspect disk.

To update definitions:
rkhunter --update

To run a check (add --sk to skip the keypress prompts between test groups):
rkhunter -c


Ophcrack

Ophcrack can be installed on the live system via the package manager: equo update && equo install ophcrack --nodeps. I have chosen to leave Ophcrack off the live image for various reasons, mainly because of the size of the tables. I suggest downloading the tables and storing them on USB sticks or DVDs, then loading them in Ophcrack.


fcrackzip

fcrackzip is a zip password cracker, similar to fzc, zipcrack and others. If you run into a password-protected zip file, this guy works pretty well.

Let's say you downloaded a zip file called sensitive.zip. Run the dictionary against it (-D selects dictionary mode, -p names the word list, -u verifies each candidate with unzip to weed out false positives):
fcrackzip -v -D -u -p /usr/share/dict/words sensitive.zip

You can see the available dictionaries with ls -la /usr/share/dict


John the Ripper

John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus many more with contributed patches. To crack the accounts of a Linux installation, first merge its /etc/passwd and /etc/shadow with unshadow; the result is the file you feed to john.
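As an added example (not part of John the Ripper or of this page), the script below does what unshadow does, in awk, against a suspect Linux root file system mounted under the live session: it joins /etc/passwd with /etc/shadow, strips the "!" lock prefix so locked accounts are still cracked, drops accounts with no hash, writes the result to a file and then hands that file to john. The mount point (/mnt/suspect), the output file name and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the page or from John the Ripper. Rebuild what
# unshadow(8) produces from a suspect Linux root file system mounted under
# the live session, then crack it with john.
# Assumptions: the suspect root is mounted (read-only is fine) at $1, e.g.
# /mnt/suspect; the output file defaults to hashes.txt in the current dir.

merge_passwd_shadow() {
    # $1 = passwd file, $2 = shadow file. For every passwd entry, replace the
    # "x" placeholder in field 2 with the hash from shadow. A leading "!"
    # means the account is locked but the hash is still worth cracking, so
    # strip it; "*" or an empty field means no password at all, so skip it.
    awk -F: -v OFS=: '
        NR == FNR { hash[$1] = $2; next }          # first file: shadow
        ($1 in hash) {
            h = hash[$1]
            sub(/^!+/, "", h)
            if (h != "" && h != "*") { $2 = h; print }
        }' "$2" "$1"
}

extract_hashes() {
    root=${1:?mounted suspect root}
    out=${2:-hashes.txt}
    [ -r "$root/etc/shadow" ] || { echo "cannot read $root/etc/shadow (run as root)" >&2; return 1; }
    merge_passwd_shadow "$root/etc/passwd" "$root/etc/shadow" > "$out" || return 1
    printf '%s\n' "$out"
}

crack() {
    # john auto-detects the hash type from the crypt(3) prefix ($6$, $1$, ...)
    # and --show prints whatever it has cracked so far.
    john "$1" && john --show "$1"
}

main() {
    out=$(extract_hashes "$@") || exit 1
    crack "$out"
}

[ $# -eq 0 ] || main "$@"
```

Run as root: `sh crack_suspect.sh /mnt/suspect /tmp/case42-hashes.txt`. Keep the hash file off the evidence volume, and note that john's pot file (where cracked passwords are stored) lives in the live user's home directory, which is lost on reboot unless you copy it.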


mlocate

mlocate is a newer locate implementation. The m stands for "merging": updatedb reuses the existing database to avoid rereading most of the file system, which makes updatedb faster and does not trash the system caches as much. On the live system updatedb indexes whatever is mounted, so mount the drive you want to search before running it.

First run updatedb
Search all jpgs (quote the pattern so the shell does not expand it; add -i to also match .JPG): locate '*.jpg'


TestDisk

TestDisk is powerful free data-recovery software. It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a partition table). Partition table recovery using TestDisk is really easy.

TestDisk can


Traceroute

Traceroute tracks the route packets take across an IP network on their way to a given host. It uses the IP protocol's time to live (TTL) field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to the host. See the traceroute manual page on your system for more information.

Screenshot: an IP address traced to Yahoo.

Screenshot: a trace to Google, then the IP address found is used to pull up Google.


Wireshark

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.


GParted

GParted is a free partition editor for graphically managing your disk partitions. It's simple and pretty straightforward to use. It works on x86 and x86-64 based computers running Linux, Windows, or Mac OS X.

Perform actions with partitions such as:

Manipulate file systems such as:


Build Your Own Spin

HowTo

So you want to build your own Sabayon spin. Molecule makes it very easy to create custom spins. This is a brief example; adjust the directions to fit your setup.

Make sure molecule is installed

  • equo install dev-util/molecule

  • You need to decide how you want to set up your file structure. I keep mine pretty simple: a spin folder on /

  • cd /
  • mkdir -p /spin/final
  • cd /spin

  • We need an ISO to build from:

  • wget ftp://ftp.nluug.nl/pub/os/Linux/distr/sabayonlinux/iso/daily/Sabayon_Linux_DAILY_amd64_Minimal-dev.iso

  • Now we need some files: a spec file for molecule to read and a few scripts. I have an example build on my GitHub page to grab. The spec file is already set up to build an LXQt ISO, so you should be able to figure it out by looking at it. You will want to grab:

    • lxqtspin.spec
    • inner_chroot_script_after.sh
    • remaster_post.sh
    • remaster_pre.sh


    Once you have the four files mentioned above in the /spin folder, make the scripts executable:

  • chmod +x *.sh

  • So now you should be set: you have an ISO to build from, the spec, and the scripts. Take a look at the lxqtspin.spec file, as you will have to make some changes.

    line 12 - source_iso: change this path to point to the ISO you downloaded

    line 62 - packages_to_remove: list the packages you want removed from the ISO you downloaded; be careful, as you may pull in many other packages due to dependencies (this step runs after everything is downloaded and installed)

    line 68 - packages_to_add: add the packages you want


    The options are pretty self-explanatory if you take the time to look them over carefully.

    Let's go through the scripts to see what they do


    Using the scripts is optional; you don't need them if you aren't going to make changes.

    To start the build process

  • molecule lxqtspin.spec

  • Molecule needs to run as root, since it chroots into the unpacked ISO. It will kick in and do its thing, and when it's done the ISO will appear in the final folder we created earlier.
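An added example, not the page's scripts and not part of molecule: a small POSIX shell wrapper that checks a spec before running the build. It verifies that the source_iso path exists, that the helper scripts next to the spec are executable, creates the destination directory, and only starts molecule as root. It assumes the spec uses "key: value" lines named source_iso and destination_iso_directory (the key names are my assumption about the lxqtspin.spec layout); the function names are mine.

```shell
#!/bin/sh
# Added example, not the page's scripts and not part of molecule. Check a
# molecule spec before starting a build, then run it.
# Assumptions: spec entries are "key: value" lines, with source_iso naming
# the ISO to remaster and destination_iso_directory the output folder
# (these key names are my assumption about lxqtspin.spec); the helper
# scripts live next to the spec; molecule must run as root because it
# chroots into the unpacked ISO.

spec_value() {
    # Print the value of key $2 in spec file $1 (first match, or nothing).
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

check_spec() {
    spec=${1:?spec file}
    dir=$(dirname "$spec")
    iso=$(spec_value "$spec" source_iso)
    [ -n "$iso" ] || { echo "source_iso is not set in $spec" >&2; return 1; }
    [ -f "$iso" ] || { echo "source_iso $iso does not exist" >&2; return 1; }
    # Scripts that are present must be executable, or molecule cannot run them.
    for s in inner_chroot_script_after.sh remaster_pre.sh remaster_post.sh; do
        if [ -e "$dir/$s" ] && [ ! -x "$dir/$s" ]; then
            echo "$s is not executable; run chmod +x $dir/$s" >&2
            return 1
        fi
    done
    dest=$(spec_value "$spec" destination_iso_directory)
    [ -z "$dest" ] || mkdir -p "$dest" || return 1
    return 0
}

build_spin() {
    spec=${1:?spec file}
    [ "$(id -u)" -eq 0 ] || { echo "molecule needs root" >&2; return 1; }
    check_spec "$spec" || return 1
    molecule "$spec"
}

[ $# -eq 0 ] || build_spin "$@"
```

From the /spin folder: `sh build_spin.sh /spin/lxqtspin.spec` as root. The check fails fast on the two mistakes that otherwise surface only minutes into a build: a stale source_iso path after a new daily ISO is downloaded, and a script left non-executable after a fresh git checkout.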

    Results: