Can someone provide a sample report?
3 posters
Hello!
Thank you for your hard work, I appreciate that your distribution likes to collect and organize system related data.
At the moment (I'm working as a contracted employee, subject to contractual obligations and terms), I work for an asset management company. Under certain contracts, the company needs to routinely collect deep system information such as hard disk drive serial number, hard disk drive model number and firmware revision, hard disk S.M.A.R.T. status indicators, system motherboard model, BIOS version and those unique identifier strings relating to the BIOS and the motherboard and so forth; we also want to gather information regarding installed system processor(s) along with stepping code, RAM configuration, graphics card information, and so forth. We presently use a commercial product called Blancco, but their licensing costs are getting difficult to accept.
Why do I post here, at CAINE? Well, all of the system data that my company requires should be relevant to computer forensics, so I assume this information is available under your forensics analysis distribution, yes?
I believe the depth of data needs to be similar to this LSUSB dump:
- Code:
bash-3.1$
bash-3.1$ lsusb -v
Bus 003 Device 003: ID 058f:6362 Alcor Micro Corp. Hi-Speed 21-in-1 Flash Card Reader/Writer (Internal/External)
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x058f Alcor Micro Corp.
idProduct 0x6362 Hi-Speed 21-in-1 Flash Card Reader/Writer (Internal/External)
bcdDevice 1.00
iManufacturer 1 Generic
iProduct 2 Mass Storage Device
iSerial 3 058F312D81B
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 32
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 250mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 8 Mass Storage
bInterfaceSubClass 6 SCSI
bInterfaceProtocol 80 Bulk (Zip)
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Device Qualifier (for other device speed):
bLength 10
bDescriptorType 6
bcdUSB 2.00
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
bNumConfigurations 1
Device Status: 0x0000
(Bus Powered)
Bus 003 Device 001: ID 0000:0000
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 9 Hub
bDeviceSubClass 0 Unused
bDeviceProtocol 1 Single TT
bMaxPacketSize0 64
idVendor 0x0000
idProduct 0x0000
bcdDevice 2.06
iManufacturer 3 Linux 2.6.22.15.tex2 ehci_hcd
iProduct 2 EHCI Host Controller
iSerial 1 0000:00:13.2
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 25
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0xe0
Self Powered
Remote Wakeup
MaxPower 0mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 9 Hub
bInterfaceSubClass 0 Unused
bInterfaceProtocol 0 Full speed (or root) hub
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0004 1x 4 bytes
bInterval 12
Hub Descriptor:
bLength 11
bDescriptorType 41
nNbrPorts 8
wHubCharacteristic 0x000a
No power switching (usb 1.0)
Per-port overcurrent protection
TT think time 8 FS bits
bPwrOn2PwrGood 10 * 2 milli seconds
bHubContrCurrent 0 milli Ampere
DeviceRemovable 0x00 0x00
PortPwrCtrlMask 0xff 0xff
Hub Port Status:
Port 1: 0000.0100 power
Port 2: 0000.0100 power
Port 3: 0000.0100 power
Port 4: 0000.0100 power
Port 5: 0000.0100 power
Port 6: 0000.0100 power
Port 7: 0000.0100 power
Port 8: 0000.0503 highspeed power enable connect
Device Status: 0x0003
Self Powered
Remote Wakeup Enabled
Bus 001 Device 001: ID 0000:0000
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 1.10
bDeviceClass 9 Hub
bDeviceSubClass 0 Unused
bDeviceProtocol 0 Full speed (or root) hub
bMaxPacketSize0 64
idVendor 0x0000
idProduct 0x0000
bcdDevice 2.06
iManufacturer 3 Linux 2.6.22.15.tex2 ohci_hcd
iProduct 2 OHCI Host Controller
iSerial 1 0000:00:13.0
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 25
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0xe0
Self Powered
Remote Wakeup
MaxPower 0mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 9 Hub
bInterfaceSubClass 0 Unused
bInterfaceProtocol 0 Full speed (or root) hub
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0002 1x 2 bytes
bInterval 255
Hub Descriptor:
bLength 9
bDescriptorType 41
nNbrPorts 4
wHubCharacteristic 0x0012
No power switching (usb 1.0)
No overcurrent protection
bPwrOn2PwrGood 2 * 2 milli seconds
bHubContrCurrent 0 milli Ampere
DeviceRemovable 0x00
PortPwrCtrlMask 0xff
Hub Port Status:
Port 1: 0000.0100 power
Port 2: 0000.0100 power
Port 3: 0000.0100 power
Port 4: 0000.0100 power
Device Status: 0x0003
Self Powered
Remote Wakeup Enabled
Bus 002 Device 004: ID 046d:c404 Logitech, Inc. TrackMan Wheel
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 1.10
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 8
idVendor 0x046d Logitech, Inc.
idProduct 0xc404 TrackMan Wheel
bcdDevice 2.20
iManufacturer 1 Logitech
iProduct 2 Trackball
iSerial 0
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 34
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0xa0
(Bus Powered)
Remote Wakeup
MaxPower 100mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 3 Human Interface Device
bInterfaceSubClass 1 Boot Interface Subclass
bInterfaceProtocol 2 Mouse
iInterface 0
HID Device Descriptor:
bLength 9
bDescriptorType 33
bcdHID 1.10
bCountryCode 0 Not supported
bNumDescriptors 1
bDescriptorType 34 Report
wDescriptorLength 103
Report Descriptors:
** UNAVAILABLE **
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0008 1x 8 bytes
bInterval 10
Device Status: 0x0000
(Bus Powered)
Bus 002 Device 001: ID 0000:0000
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 1.10
bDeviceClass 9 Hub
bDeviceSubClass 0 Unused
bDeviceProtocol 0 Full speed (or root) hub
bMaxPacketSize0 64
idVendor 0x0000
idProduct 0x0000
bcdDevice 2.06
iManufacturer 3 Linux 2.6.22.15.tex2 ohci_hcd
iProduct 2 OHCI Host Controller
iSerial 1 0000:00:13.1
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 25
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0xe0
Self Powered
Remote Wakeup
MaxPower 0mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 9 Hub
bInterfaceSubClass 0 Unused
bInterfaceProtocol 0 Full speed (or root) hub
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0002 1x 2 bytes
bInterval 255
Hub Descriptor:
bLength 9
bDescriptorType 41
nNbrPorts 4
wHubCharacteristic 0x0012
No power switching (usb 1.0)
No overcurrent protection
bPwrOn2PwrGood 2 * 2 milli seconds
bHubContrCurrent 0 milli Ampere
DeviceRemovable 0x00
PortPwrCtrlMask 0xff
Hub Port Status:
Port 1: 0000.0100 power
Port 2: 0000.0303 lowspeed power enable connect
Port 3: 0000.0100 power
Port 4: 0000.0100 power
Device Status: 0x0003
Self Powered
Remote Wakeup Enabled
bash-3.1$
Of course, the report my employer would need should include all buses, not just USB, all motherboard hardware, not just PCI hardware, and so forth.
Could someone kindly present an example of the data that CAINE can collect?
Thanks!
mmmmna- Number of posts : 2
Registration date : 2008-11-21
Re: Can someone provide a sample report?
I created a personalized example of a CAINE report, formatted in RTF and HTML.
The example is customized because I decided to analyze a simple 2GB USB pendrive (really not hard!), but the possibilities are virtually unlimited, thanks to CAINE's versatility in system and device analysis.
Here you can download and see the report files:
- http://samba.ing.unimo.it/~gianchi/Examples/
1. First of all, I used Grissom Analyzer to gather all the information about the device: the mmls, fsstat and img_stat logs are listed in the reports. Then I used LRRP to acquire the geometry of the device; it can also be used to gather important information from the PC on which CAINE is booted.
2. After the information gathering I simply used the "Terminal window" with automatic log save to obtain the output of the command "lsusb -v", stored inside the report. With this simple terminal window I can save the output of any Unix command I like inside the report.
3. I skipped the analysis phase (Autopsy, Foremost, ... carving and in-depth forensic analysis of the collected image).
4. I wrote down a simple (and stupid) personal report.
5. I pressed the button "RTF format" and "HTML format" in the Reporting tab to get the final report.
Now I can easily edit the final rtf file...
P.S.: CAINE opens all connected devices in READ-ONLY mode, with the noexec and noatime mount options enabled as well.
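One way to produce the kind of inventory the first post asks for (disk model, serial, firmware and S.M.A.R.T. status; board, BIOS, CPU and RAM identifiers; every bus, not just USB) using the same approach the reply above describes, namely run the standard tools and keep each command's output in one report. This is an added example, not CAINE's own reporting code and not either poster's script. It assumes a Linux host on which some of dmidecode, lscpu, lspci, lsusb, lsblk, smartctl and hdparm are installed; a tool that is missing or fails is recorded in the report instead of aborting the run. It also reduces `lsusb -v` output to one line per device, exercised here on a constructed, trimmed copy of the dump quoted earlier in the thread; the hypothetical file name hw_inventory.sh is an assumption.

```shell
#!/bin/sh
# hw_inventory.sh: hardware inventory report in the spirit of the CAINE
# workflow above (run standard tools, keep each command's output in one
# report). Added example, not CAINE's own code. Assumes a Linux host with
# some of dmidecode, lscpu, lspci, lsusb, lsblk, smartctl, hdparm installed;
# every query is read-only, nothing is written to the inspected disks.

# Reduce `lsusb -v` text on stdin to one line per device:
#   bus/dev vendor:product | iManufacturer | iProduct | iSerial
# iSerial is the device's own serial when it has one ("-" when absent).
usb_inventory() {
    awk '
        function rest(   s) {           # text after the first two fields
            s = $0; sub(/^ *[^ ]+ +[^ ]+ */, "", s); return (s == "") ? "-" : s
        }
        function flush() {
            if (id != "") printf "%s %s | %s | %s | %s\n", bus, id, mfr, prod, serial
        }
        /^Bus [0-9]+ Device [0-9]+: ID / {
            flush()
            bus = $2 "/" $4; sub(":", "", bus)   # "003/003"
            id = $6                               # "058f:6362"
            mfr = prod = serial = "-"
        }
        /^ *iManufacturer / { mfr = rest() }
        /^ *iProduct /      { prod = rest() }
        /^ *iSerial /       { serial = rest() }
        END { flush() }
    '
}

# Append one titled section to report file $1. A tool that is not installed
# is noted; one that fails (dmidecode without root, smartctl on a USB bridge)
# has its exit status noted, so one bad probe never loses the rest.
run_section() {
    report=$1; title=$2; shift 2
    {
        printf '\n===== %s =====\n$ %s\n' "$title" "$*"
        if command -v "$1" >/dev/null 2>&1; then
            "$@" 2>&1 || printf '(exit status %s)\n' "$?"
        else
            printf '(%s not installed)\n' "$1"
        fi
    } >>"$report"
}

# Build the full inventory under directory $1 and print the report path:
# board/BIOS/CPU/RAM identifiers (DMI types 0,1,2,4,17), PCI and USB buses,
# block devices, and per-disk model/serial/firmware plus SMART health.
build_report() {
    outdir=$1
    mkdir -p "$outdir"
    rpt=$outdir/hw-inventory-$(date -u +%Y%m%dT%H%M%SZ).txt
    printf 'Hardware inventory report\nHost: %s\nGenerated (UTC): %s\n' \
        "$(hostname 2>/dev/null || echo unknown)" "$(date -u '+%Y-%m-%d %H:%M:%S')" >"$rpt"
    run_section "$rpt" "System, board and BIOS (DMI)" dmidecode -t 0,1,2
    run_section "$rpt" "Processors (DMI)"             dmidecode -t 4
    run_section "$rpt" "Memory devices (DMI)"         dmidecode -t 17
    run_section "$rpt" "CPU (lscpu)"                  lscpu
    run_section "$rpt" "PCI devices"                  lspci -nn
    run_section "$rpt" "USB devices (verbose)"        lsusb -v
    run_section "$rpt" "Block devices"                lsblk -o NAME,MODEL,SERIAL,SIZE,TYPE,TRAN
    for dev in /dev/sd? /dev/nvme?n?; do
        [ -b "$dev" ] || continue
        run_section "$rpt" "Disk identity $dev" smartctl -i "$dev"
        run_section "$rpt" "SMART health $dev"  smartctl -H "$dev"
        run_section "$rpt" "ATA identify $dev"  hdparm -I "$dev"
    done
    # Hash the finished capture so later hand edits (the reply above mentions
    # editing the exported RTF) stay distinguishable from the original.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$rpt" >"$rpt.sha256"; fi
    printf '%s\n' "$rpt"
}

# Constructed sample: a trimmed copy of the `lsusb -v` dump quoted in the thread.
SAMPLE_LSUSB='Bus 003 Device 003: ID 058f:6362 Alcor Micro Corp. Hi-Speed 21-in-1 Flash Card Reader/Writer (Internal/External)
  iManufacturer           1 Generic
  iProduct                2 Mass Storage Device
  iSerial                 3 058F312D81B
Bus 002 Device 004: ID 046d:c404 Logitech, Inc. TrackMan Wheel
  iManufacturer           1 Logitech
  iProduct                2 Trackball
  iSerial                 0
Bus 002 Device 001: ID 0000:0000
  iManufacturer           3 Linux 2.6.22.15.tex2 ohci_hcd
  iProduct                2 OHCI Host Controller
  iSerial                 1 0000:00:13.1'

# Usage: sh hw_inventory.sh OUTDIR   (run as root for DMI, SMART and ATA data)
if [ "$#" -gt 0 ]; then
    printf '%s\n' "$SAMPLE_LSUSB" | usb_inventory
    build_report "$1"
fi
```

Two design points worth noting. The USB summary keys on the i* string descriptors rather than the idVendor/idProduct names: the names come from the usb.ids table on the analysis machine, while iSerial is the only field that identifies one physical unit, and many devices (the trackball above) simply do not have one, so an asset register must tolerate "-". All disk probes (smartctl -i/-H, hdparm -I) are identify queries; none of the hdparm options that change drive state are used, which keeps the script consistent with CAINE's read-only handling of attached devices.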
Re: Can someone provide a sample report?
Thank you for creating the sample report and thank you for hosting the files.
I expect that information about the remaining system should also be something that CAINE can generate. At this point, I think I will download the ISO, and give it a try!
mmmmna- Number of posts : 2
Registration date : 2008-11-21
Re: Can someone provide a sample report?
Thank you!
By the way, my next project with the CAINE wrapper is to create a business-oriented distribution for an Italian company working in IT security. I will start the project at the beginning of 2009, and it will focus more on security policies and hardware/software recognition than on Computer Forensics investigative procedures...
As you can see, CAINE is only the beginning.