Sunday, 04 November 2012

Sleuthkit

First we run the mmls command against the able2.dd image to list its partition layout

and then 
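To make clear what mmls is reading when it is pointed at a raw image such as able2.dd, the following added example (my own code, not from this blog or from The Sleuth Kit) parses the DOS/MBR partition table in sector 0 of a disk image and prints an mmls-style table, including the unallocated gaps between partitions that an examiner would want to inspect. The sample image it builds is constructed: two partitions whose start sectors and types are made up for the demonstration.

```python
import struct

SECTOR = 512

# Partition type codes used for the description column (a subset of what mmls prints)
PART_TYPES = {
    0x05: "DOS Extended (0x05)",
    0x07: "NTFS / exFAT (0x07)",
    0x0B: "Win95 FAT32 (0x0B)",
    0x0C: "Win95 FAT32 (0x0C)",
    0x82: "Linux Swap / Solaris x86 (0x82)",
    0x83: "Linux (0x83)",
}


def parse_mbr(image: bytes):
    """Return (slot, start, end, length, description) for each used entry in the MBR in sector 0."""
    if len(image) < SECTOR:
        raise ValueError("image shorter than one sector")
    mbr = image[:SECTOR]
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature 0x55AA")
    entries = []
    for slot in range(4):
        off = 446 + slot * 16
        # 16-byte entry: status, CHS start (3), type, CHS end (3), LBA start (LE u32), sector count (LE u32)
        _status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0x00 or count == 0:
            continue  # empty slot
        desc = PART_TYPES.get(ptype, "Unknown (0x%02X)" % ptype)
        entries.append((slot, lba_start, lba_start + count - 1, count, desc))
    return entries


def layout(image: bytes):
    """Build an mmls-style table: the partition table sector, partitions, and the unallocated gaps between them."""
    total_sectors = len(image) // SECTOR
    rows = [("Meta", 0, 0, 1, "Primary Table (#0)")]
    cursor = 1  # sector 0 holds the table itself
    for slot, start, end, length, desc in sorted(parse_mbr(image), key=lambda e: e[1]):
        if start > cursor:
            rows.append(("Unalloc", cursor, start - 1, start - cursor, "Unallocated"))
        rows.append((f"{slot:02d}", start, end, length, desc))
        cursor = end + 1
    if cursor < total_sectors:
        rows.append(("Unalloc", cursor, total_sectors - 1, total_sectors - cursor, "Unallocated"))
    return rows


def format_mmls(rows) -> str:
    """Render rows in the column layout mmls uses (units are 512-byte sectors)."""
    lines = ["DOS Partition Table", "Units are in 512-byte sectors", "",
             "      Slot      Start        End          Length       Description"]
    for i, (slot, start, end, length, desc) in enumerate(rows):
        lines.append(f"{i:03d}:  {slot:<8}  {start:010d}   {end:010d}   {length:010d}   {desc}")
    return "\n".join(lines)


def build_sample_image(total_sectors: int = 2048) -> bytes:
    """Constructed sample image: a FAT32 partition at sectors 63..1000 and a Linux partition at 1024..2047."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3xB3xII", 0x80, 0x0B, 63, 938)     # slot 0, bootable
    mbr[462:478] = struct.pack("<B3xB3xII", 0x00, 0x83, 1024, 1024)  # slot 1
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + bytes(SECTOR * (total_sectors - 1))


if __name__ == "__main__":
    print(format_mmls(layout(build_sample_image())))
```

Against a real image, replace build_sample_image() with the file's bytes (at least sector 0 and the total size are needed); the two Unallocated rows in the sample output are exactly the regions where data outside any file system can hide, which is why the forensic tool reports them rather than silently skipping the gaps.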

Saturday, 27 October 2012

about computer forensics & unallocated


Computer forensics:
Computer forensics, also known as digital forensics, is a branch of forensic science pertaining to legal evidence found in computers and digital storage media.

The goal of computer forensics is to describe the present state of a digital artifact. The term digital artifact can include a computer system, storage media (such as flash drives, hard disks, or CD-ROMs), an electronic document (e.g. an email message or a JPEG image), or even a sequence of packets on a computer network. The explanation can range from the simple "what information do we have here?" to the detailed "what is the sequence of events that led to the present situation?".

Computer forensics is also used to combat corruption and fraud in the virtual world (the internet). Investigation of corruption and fraud is done by acquiring electronic data and then analysing it for use in court as legal evidence (admissible); the record must not be changed at all from the condition in which the data was initially found. If the data is changed then it cannot be used in court (the data is no longer authentic).

1. Evidence must meet certain standards: (1) admissible, (2) authentic, (3) complete, (4) believable, (5) reliable.
2. Computer forensic tools must use a validated methodology.
3. Electronic storage media must have a clear 'chain of custody' from beginning to end, starting from when it was filed.
4. In general, inspection of electronic storage media must be done with permission from the owner (with a signed 'letter of consent'), except by authority of law (in Indonesia, e.g. the prosecution or the police).
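The 'authentic' and 'chain of custody' requirements above are usually enforced in practice by hashing the acquired data at collection time and re-hashing it at every hand-over. The following added example (my own code, not from this blog) keeps a small custody log in which each transfer records the current SHA-256 of the evidence, so that any change from the initial condition is detected and recorded rather than going unnoticed. The evidence bytes, item id and people's names are constructed for the demonstration.

```python
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest; this is the value that pins the evidence to its initial condition."""
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def open_custody_log(evidence: bytes, item_id: str, collector: str) -> list:
    """Start a custody log with the acquisition entry: who collected the item and the hash of its content."""
    return [{"item": item_id, "action": "acquired", "by": collector,
             "at": _now(), "sha256": sha256_hex(evidence), "intact": True}]


def transfer(log: list, evidence: bytes, from_person: str, to_person: str) -> bool:
    """Record a hand-over. The evidence is re-hashed at hand-over time; a mismatch is logged, not hidden."""
    expected = log[0]["sha256"]
    actual = sha256_hex(evidence)
    entry = {"item": log[0]["item"], "action": "transfer", "from": from_person, "to": to_person,
             "at": _now(), "sha256": actual, "intact": actual == expected}
    log.append(entry)
    return entry["intact"]


def verify_chain(log: list) -> bool:
    """True only if every hash in the log equals the acquisition hash, i.e. the record never changed."""
    expected = log[0]["sha256"]
    return bool(log) and all(e["sha256"] == expected and e["intact"] for e in log)


def demo() -> dict:
    """Constructed walk-through: an intact hand-over, then a hand-over of a modified copy."""
    evidence = b"constructed disk image contents for the demo"      # stands in for a .dd file
    log = open_custody_log(evidence, "ITEM-0001 (constructed id)", "collector A")
    first_ok = transfer(log, evidence, "collector A", "examiner B")          # same bytes -> intact
    chain_ok_before = verify_chain(log)
    tampered = evidence + b"\x00"                                            # one byte appended
    second_ok = transfer(log, tampered, "examiner B", "examiner C")         # hash differs -> not intact
    return {"first_ok": first_ok, "chain_ok_before": chain_ok_before,
            "second_ok": second_ok, "chain_ok_after": verify_chain(log), "entries": len(log)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In real work the log itself would be written to append-only storage and the hashes would be computed on the forensic image file (for example the .dd produced during acquisition) rather than on an in-memory byte string; the logic is the same.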


Unallocated space:
Unallocated file space and file slack are both important sources of leads for the computer forensics investigator. The data storage area in a factory fresh hard disk drive typically contains patterns of sectors which are filled with patterns of format characters. In DOS and Windows-based computer systems, the format pattern for a floppy diskette usually consists of binary data in the form of hex F6s. The same format pattern is sometimes used in the format of hard disk drives but the format patterns can consist of essentially any repeat character as determined by the factory test machine that made the last writes to the hard disk drive. The format pattern is overwritten as files and subdirectories are written in the data area.

Until the first file is written to the data storage area of a computer storage device, the clusters are unallocated by the operating system in the File Allocation Table (FAT). These unallocated clusters are padded with format pattern characters and the unallocated clusters are not of interest to the computer forensics specialist until data is written to the clusters. As files are created by the computer user, clusters are allocated in the File Allocation Table (FAT) to store the data. When the file is 'deleted' by the computer user, the clusters allocated to the file are released by the operating system so new files and data can be stored in the clusters when needed. However, the data associated with the 'deleted' file remains behind. This data storage area is referred to as unallocated storage space and it is fragile from an evidence preservation standpoint. However, until the unallocated storage space is reassigned by the operating system, the data remains behind for easy discovery and extraction by the computer forensics specialist.

Unallocated file space potentially contains intact files, remnants of files and subdirectories and temporary files which were transparently created and deleted by computer applications and also the operating system. All of such files and data fragments can be sources of computer evidence and also security leakage of sensitive data and information. The following provides some examples of how data and information can end up in unallocated file space.
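The two paragraphs above describe how deleted data survives in unallocated clusters and how the tail of a cluster (file slack) can still hold bytes from an earlier file. The following added example (my own code, not from this blog) simulates that on a toy FAT-like volume: clusters start filled with the 0xF6 format pattern, deleting a file only clears its allocation entries, and a simple carver then recovers the remnant from the unallocated area. Cluster size, cluster count and the file contents are constructed for the demonstration and much smaller than on a real disk.

```python
FORMAT_BYTE = 0xF6   # the DOS/Windows floppy format fill pattern described above
CLUSTER = 64         # toy cluster size so the demo stays readable
N_CLUSTERS = 16


class ToyVolume:
    """A toy volume: a bytearray of clusters plus an allocation table (True = allocated)."""

    def __init__(self):
        self.data = bytearray([FORMAT_BYTE]) * (CLUSTER * N_CLUSTERS)  # factory-fresh pattern
        self.fat = [False] * N_CLUSTERS
        self.directory = {}  # name -> (list of clusters, file size in bytes)

    def write_file(self, name: str, content: bytes) -> None:
        if not content:
            raise ValueError("empty files are not modelled")
        needed = -(-len(content) // CLUSTER)  # ceiling division
        free = [i for i, used in enumerate(self.fat) if not used][:needed]
        if len(free) < needed:
            raise OSError("volume full")
        for k, c in enumerate(free):
            chunk = content[k * CLUSTER:(k + 1) * CLUSTER]
            # Only the bytes the file actually uses are overwritten; the rest of the
            # last cluster keeps whatever was there before (that is the file slack).
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.fat[c] = True
        self.directory[name] = (free, len(content))

    def delete_file(self, name: str) -> None:
        # Deletion releases the clusters in the allocation table; the data bytes are not wiped.
        clusters, _size = self.directory.pop(name)
        for c in clusters:
            self.fat[c] = False

    def slack(self, name: str) -> bytes:
        """Bytes in the file's last cluster that lie beyond the end of the file."""
        clusters, size = self.directory[name]
        used_in_last = size - (len(clusters) - 1) * CLUSTER
        last = clusters[-1]
        return bytes(self.data[last * CLUSTER + used_in_last:(last + 1) * CLUSTER])

    def unallocated(self) -> bytes:
        """Concatenation of every cluster the allocation table marks as free."""
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])
                        for c in range(N_CLUSTERS) if not self.fat[c])


def carve(blob: bytes, marker: bytes) -> list:
    """Recover runs that start with a marker and end at the first format byte (a minimal carver)."""
    hits = []
    i = blob.find(marker)
    while i != -1:
        end = blob.find(bytes([FORMAT_BYTE]), i)
        end = len(blob) if end == -1 else end
        hits.append(blob[i:end])
        i = blob.find(marker, end)
    return hits


OLD = b"X" * 64 + b"BEGIN:leftover-in-next-cluster"   # constructed: spans two clusters
NEW = b"new file"                                      # constructed: smaller than one cluster


def demo() -> dict:
    """Write OLD, delete it, write NEW over the first cluster; show slack and unallocated remnants."""
    vol = ToyVolume()
    vol.write_file("old.bin", OLD)
    vol.delete_file("old.bin")
    vol.write_file("new.txt", NEW)   # reuses cluster 0, overwriting only the first 8 bytes
    return {"slack_of_new": vol.slack("new.txt"),
            "carved": carve(vol.unallocated(), b"BEGIN:")}


if __name__ == "__main__":
    r = demo()
    print("slack of new.txt:", r["slack_of_new"])
    print("carved from unallocated:", r["carved"])
```

The slack of new.txt still shows 56 bytes of the old file, and the second cluster of the old file is recovered whole from the unallocated area; both remain until the operating system reuses those bytes, which is why the text above calls unallocated space fragile.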

Sunday, 14 October 2012

Exploit Application CoolPlayer

OllyDbg found an address in the shell32 module in memory

SEH chain: the application crashes


Convert the EIP value 7C9D30D7 to the form "\xD7\x30\xD9\x7C", which replaces DEADBEEF in the fuzzer, then run the fuzzer again

To open the pages, type root@bt:~# cd /pentest/exploits/framework2/
then root@bt:~# ./msfweb

Then open it in a web browser and go to 127.0.0.1:55555.
If it has come to this point, Windows is under control, as in the example of calling the calculator.

Next step: change the value of EIP to the address of JMP ESP

The line of code below is the code used to call the calculator. Copy it, input it into the fuzzer, then execute again; the calculator pops up from CoolPlayer. This happens because Windows is being controlled by the attacker.

Thursday, 20 September 2012

Install Polipo in Backtrack

Open the console and type apt-get install polipo to install Polipo

Then open a web browser and go to localhost:8123


Tuesday, 18 September 2012

TOR installation process

Congratulations. Your browser is configured to use Tor.
The configuration was successful; the IP address appears to be 77.247.181.163
and now we are able to open websites

Using the ls command to display the contents of the directory

Extract the file tor-browser-gnu-linux-i686-2.2.39-1-dev-en-US.tar.gz

Using the ls command to display the contents of the directory
The immunization process includes installing TOR

The following is the command to start the Tor browser:
root@bt:~/tor-browser_en-US# ./start-tor-browser
and TOR is ready to run

Monday, 17 September 2012

Privilege Escalation on Ubuntu in VirtualBox

Then we will try to use the exploitdb tool, with the command ./searchsploit linux ssh remote
Then we use the next command, perl platforms/multiple/remote/2017.pl 192.168.56.101 10000 /etc/passwd 0, to find out the login code or login

and next type perl platforms/multiple/remote/2017.pl 192.168.43.101 10000 /etc/shadow 0 to find out the login password.

Saturday, 15 September 2012

Exploiting SMB on Windows XP using Metasploit

The first thing we must do before exploiting Windows XP with Metasploit is to scan the target IP using the Zenmap application.

In the early stage we open Metasploit and enter the search command to find the smb module we were looking for.

If all phases are done and we are already positioned in the Windows XP system, then we can go in and call some of the system's functions: use exploit/windows/smb/ms08_067_netapi
The current system is now ready for the Windows XP exploitation.