A Report On
Forensic Tools: ClamTK Antivirus, pdfcrack (DEFT Tools)
Submitted By
VISHNU PRATAP SINGH (2018IS08)
Under the guidance of
Dr. Rupesh Kumar Dewang
Master of Technology (M.Tech)
[Information Security]
[26 April 2019]
Department of Computer Science & Engineering
Motilal Nehru National Institute of Technology Allahabad,
Prayagraj, U.P.
UNDERTAKING
I declare that the work presented in this report titled "Forensic Tools: ClamTK Antivirus, pdfcrack (DEFT Tools)" is submitted to the Computer Science and Engineering Department, Motilal Nehru National Institute of Technology Allahabad, Prayagraj. I have not plagiarized or submitted the same work for the award of any other project. In case this undertaking is found incorrect, I accept that my project may be unconditionally withdrawn.
——————————
(Vishnu Pratap Singh)
2018IS08
Date: 28 Apr 2019
ACKNOWLEDGEMENT
I am profoundly grateful to Dr. Rupesh Kumar Dewang for his expert guidance and continuous encouragement throughout, in seeing these tools through to their target from commencement to completion. I would like to express my deepest appreciation towards Dr. Rupesh Kumar Dewang, whose invaluable guidance supported me in completing these tools. I wish to express my gratitude to my peers who provided resources so that I could complete my task. I would like to express my gratitude to all my friends in the Department of Computer Science for their constant support and encouragement.
VISHNU PRATAP SINGH (2018IS08)
DEFT operating system
Chapter 1
DEFT Forensic Tools Operating System
1.1 Introduction
DEFT (acronym for Digital Evidence & Forensics Toolkit) is a distribution made for
Computer Forensics, with the purpose of running live on systems without tampering or
corrupting devices (hard disks, pen drives, etc…) connected to the PC where the boot
process takes place.
The system is based on GNU/Linux; it can run live (from a DVD-ROM or a USB pen drive), be installed, or run as a Virtual Appliance on VMware or VirtualBox. The distro uses LXDE as its desktop environment and WINE for executing Windows tools under Linux. It features a comfortable mount manager for device management.
Computer Forensics software must be able to ensure the integrity of file structures and
metadata on the system being investigated in order to provide an accurate analysis. It also
needs to reliably analyse the system being investigated without altering, deleting,
overwriting or otherwise changing data.
There are certain characteristics inherent to DEFT that minimize the risk of altering the
data being subjected to analysis.
Some of these features are:
1. On boot, the system does not use the swap partitions on the system being analysed.
2. During system start-up there are no automatic mount scripts.
3. There are no automated systems for any activity during the analysis of evidence.
4. None of the mass storage and network traffic acquisition tools alter the data being acquired.
The system is currently employed in several places and by several kinds of people, such as:
• Military
• Government Officers
• Law Enforcement
• Investigators
• Expert Witnesses
• IT Auditors
• Universities
• Individuals
1.2 Installation Process
The installation steps are as follows:
1. First download the .iso file from http://www.deftlinux.net/download/.
2. It is better to check the hash value of this .iso image, which verifies the integrity of the file. For the "deft7.iso" image, for instance, the computed MD5 hash should match the one given in the md5.txt file, a value similar to "d98307dc53ca83358a2dfdb33afc2672".
3. Now we can install it either on a CD/pen drive or on a virtual machine.
4. Here, I have installed DEFT xva on a virtual machine (VirtualBox).
5. Open VirtualBox, create the virtual machine, and choose Linux and the architecture that our laptop supports.
Figure: 1
6. Now select the amount of computer resources you want to allocate to this operating system.
Figure: 2
7. Install DEFT with the .iso image that we downloaded before.
Figure: 3
8. Now the installation process starts. Choose the options you want (such as the partitions and languages) and complete the installation.
Figure: 4
9. After installation, run the DEFT OS.
Figure: 5
10. DEFT has many pre-installed tools in it.
11. I have worked on three tools: ClamTk Antivirus, pdfcrack, Exif.
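The hash check in step 2 is where a corrupted or swapped image gets caught, so here it is as a shell function. This is an added example, not code from the report or from the DEFT project; the names deft7.iso and md5.txt follow the step above, the function name is mine, and the stand-in image is constructed.

```shell
# Added example (not from the report): check the downloaded DEFT image against
# the MD5 value published in md5.txt before installing it (step 2 above).
# File names and the stand-in image below are constructed.

# $1 = path to the .iso, $2 = md5.txt holding "<md5>  <filename>" lines.
# Returns 0 on match, 1 on mismatch, 2 when the check cannot be made.
verify_iso_md5() {
    iso="$1"; md5file="$2"; name=$(basename "$iso")
    [ -f "$iso" ] && [ -f "$md5file" ] || { echo "missing $iso or $md5file" >&2; return 2; }
    # expected value: the md5.txt line naming this image (fixed-string match)
    expected=$(grep -F "$name" "$md5file" | head -n 1 | cut -d' ' -f1)
    [ -n "$expected" ] || { echo "no entry for $name in $md5file" >&2; return 2; }
    actual=$(md5sum "$iso" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches $expected"
        return 0
    fi
    echo "MISMATCH for $name: expected $expected, got $actual; do not install it" >&2
    return 1
}

# MD5 catches a corrupted or truncated download. It does not prove who built the
# image: whoever can swap the .iso on a mirror can swap md5.txt too, so prefer a
# signed checksum (or the project's SHA-256) whenever one is published.

# Constructed demo: a stand-in for deft7.iso plus a matching md5.txt
work=$(mktemp -d)
printf 'stand-in for the DEFT image\n' > "$work/deft7.iso"
( cd "$work" && md5sum deft7.iso > md5.txt )
verify_iso_md5 "$work/deft7.iso" "$work/md5.txt"
# Corrupt the image by one byte: the same check must now reject it
printf 'x' >> "$work/deft7.iso"
verify_iso_md5 "$work/deft7.iso" "$work/md5.txt" || echo "rejected with status $?"
```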
ClamTK/AV antivirus Tool
Chapter 2
ClamTK/ClamAV Antivirus Tool
2.1 Introduction
ClamTK is an open-source antivirus toolkit, a graphical front end for the ClamAV engine, used to detect malicious software and viruses on a variety of operating systems, including Linux. It is often used on mail servers to scan emails for viruses. Updates to ClamTK and its virus definitions are available for free.
Three good reasons you should consider ClamAV/ClamTk for Linux include:
1. You have sensitive data on your computer, and you want to lock down your
machine as much as possible.
2. You dual boot with Windows. You can use ClamAV to scan all of your drive
partitions and all additional drives on your computer.
3. You want to create a system rescue CD, DVD, or USB that can be used to
troubleshoot for viruses on a friend's Windows-based computer.
By using a system rescue USB drive with an antivirus package installed, you can search for viruses without actually booting into the infected operating system, and ClamAV offers this ability for Linux drives. Because that operating system is not running, the viruses cannot interfere while you clean them.
2.2 Installing ClamAV
ClamAV works through the command line, which might be a bit complicated for an average user. Fortunately, there is a tool called ClamTK that provides a nice and simple graphical interface for using ClamAV. This guide shows how to install ClamAV and use the graphical tool ClamTK to manage it.
For example, to load ClamTK in Ubuntu, open the Dash (the menu icon in the top-left corner) and enter ClamTK into the search box.
Figure 6: Home
The main application is split into four sections:
• Home is used to set up how you want ClamAV to run, shows you how to start scans, and lets you import new virus definitions.
• History lets you see the results of previous scans.
• Preferences lets you set options such as which types of files are scanned.
• Exit closes the application.
Figure 7: History
Figure 8: Preferences
Figure 9: Scanning
2.3 Customizing ClamAV
ClamAV has settings that let you customize how it runs. For instance, when you choose a folder to scan you might want to scan just that one folder and not its subfolders, or you might want to scan very large files separately, which will obviously take longer to process.
To change the settings, click the Settings icon. Hovering over each checkbox displays a tooltip explaining the purpose of that option. The first four checkboxes let you scan for password checkers, large files and hidden files, and scan folders recursively. The other two checkboxes update and toggle how the icons work within the application (e.g., whether you have to click them once or twice).
2.4 Scanning for viruses
To scan for viruses, click either the Scan a File icon or Scan a Folder icon. As a
starting point, click the Scan a Folder icon. You will be shown a browse dialog
box. Choose the drive you wish to scan (e.g., the Windows drive) and click OK.
ClamAV will search recursively through the folders, depending on settings,
looking for suspicious elements.
ClamAV doesn't claim to offer 100 percent protection, but no antivirus software
can make this claim. ClamAV is effective, however.
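ClamTK is a front end for the clamscan command, so the settings in 2.3 and the scan in 2.4 correspond to command-line flags, an exit status and a text report. As an added example (not code from the report, ClamTK or ClamAV), the shell functions below build that command, interpret its exit status and parse its report; the mapping of checkboxes to flags, the target path and the sample report are my assumptions and constructed input.

```shell
# Added example (not from the report): the clamscan command that ClamTK drives,
# with its checkbox options mapped onto clamscan flags, the exit status explained
# and the report parsed. Target path and sample report below are constructed.

# $1 target, $2 recurse into subfolders (yes/no), $3 flag potentially unwanted
# applications (yes/no), $4 largest file to scan, e.g. 20M (bigger files are
# skipped and treated as clean, so this trades coverage for speed).
clamscan_args() {
    args="--infected"                                # list only matching files
    [ "$2" = "yes" ] && args="$args --recursive"
    [ "$3" = "yes" ] && args="$args --detect-pua=yes"
    [ -n "$4" ] && args="$args --max-filesize=$4"
    echo "$args $1"
}

# clamscan exit status: 0 nothing matched, 1 at least one match, 2 scan error.
# A 2 is not "clean": part of the target was never examined.
explain_exit_code() {
    case "$1" in
        0) echo "clean: no signature matched" ;;
        1) echo "infected: at least one file matched a signature" ;;
        2) echo "error: scan incomplete (path, permission or database problem)" ;;
        *) echo "unexpected clamscan exit status $1" ;;
    esac
}

# Run the scan when clamscan is installed, writing its report to $1.
run_scan() {
    report="$1"; shift
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan is not installed" >&2; return 2; }
    if clamscan $(clamscan_args "$@") > "$report"; then rc=0; else rc=$?; fi
    explain_exit_code "$rc"
    return "$rc"
}

# Report parsing: clamscan prints "<path>: <signature> FOUND" per match and an
# "Infected files: N" line in its summary (EICAR is the harmless AV test file).
count_found()      { grep -c ' FOUND$' "$1"; }
found_signatures() { sed -n 's/^.*: \(.*\) FOUND$/\1/p' "$1"; }
summary_infected() { sed -n 's/^Infected files: //p' "$1"; }

sample=$(mktemp)                                     # constructed sample report
cat > "$sample" <<'EOF'
/mnt/windows/Users/demo/Downloads/eicar.com: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Scanned files: 3
Infected files: 1
EOF
echo "matches: $(count_found "$sample"); signatures: $(found_signatures "$sample")"
```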
Pdfcrack Tool
Chapter 3
Pdfcrack Tool
3.1 Introduction
PDFCrack is a GNU/Linux (other POSIX-compatible systems should work too) tool for recovering passwords and content from PDF files. It is small, command-line driven, and has no external dependencies. The application is Open Source (GPL).
Its features are:
• Supports the standard security handler (revision 2, 3 and 4) on all known PDF versions
• Supported by all browsers
• Supports cracking both owner and user passwords
• Both wordlists and brute-forcing the password are supported
• Simple permutations (currently only trying the first character as upper case)
• Save/load a running job
• Simple benchmarking
• Optimized search for the owner password when the user password is known
Figure: 10
1. The user password, if set, is what you need to provide in order to open a
PDF. Acrobat/Reader will prompt a user to enter the user password. If it's not
correct, the document will not open.
2. The owner password, if set, controls permissions, such as printing, editing,
extracting, commenting, etc. Acrobat/Reader will disallow these things based
on the permission settings. Acrobat will require this password if you want to
set/change permissions.
3.2 Method:
PDFCrack would be considered a true PDF password recovery program since it
recovers both the user password and owner password from encrypted PDFs.
PDFCrack uses a brute-force password recovery method.
3.3 Limits:
PDFCrack works with PDF files up to version 1.6 with 128-bit RC4 encryption.
3.4 My Test:
PDFCrack recovered the 4-digit owner password on a version 1.6 PDF file with
128-bit RC4 encryption in two minutes. A longer and/or more complicated PDF
password could take days, weeks, or even longer to recover.
If all you need is a way to bypass the permissions security in a PDF then
PDFCrack is probably more than you need in a PDF password cracker. However,
if you need to know the actual owner or user password, PDFCrack is your best
bet.
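Whether the limits in 3.3 apply to a given document depends on the /Encrypt dictionary inside the PDF, which records the security handler revision and cipher. As an added example, not code from the report or from PDFCrack, the shell functions below read that dictionary and report whether the file uses the RC4 scheme tested in 3.4; the sample PDFs are constructed skeletons, and treating the first /Length as the outer one is an assumption.

```shell
# Added example (not part of the report): read a PDF's /Encrypt dictionary and
# report which cipher protects it, so you can tell whether a document relies on
# the RC4 scheme the report tests pdfcrack against. Sample files are constructed.

# Print the standard security handler's dictionary: from the line holding
# "/Filter /Standard" through that object's "endobj" (the PDF is read as text).
pdf_encrypt_dict() {
    awk '/\/Filter *\/Standard/ {p=1} p {print} p && /endobj/ {exit}' "$1"
}

# First numeric value of key $2 in dictionary text $1. A nested /CF dictionary
# also carries /Length, so the outer /Length is assumed to appear first.
dict_num() {
    printf '%s\n' "$1" | grep -oE "/$2 +-?[0-9]+" | head -n 1 | sed 's/.* //'
}

# Classify by /V and /R: V1 = RC4 40-bit, V2 = RC4 up to 128-bit, V4 = AES-128
# or RC4-128 through crypt filters, V5 = AES-256. The report's stated pdfcrack
# limit is RC4 through PDF 1.6 (security handler revisions 2 to 4).
classify_pdf_encryption() {
    dict=$(pdf_encrypt_dict "$1")
    [ -n "$dict" ] || { echo "not encrypted"; return 0; }
    v=$(dict_num "$dict" V); r=$(dict_num "$dict" R); len=$(dict_num "$dict" Length)
    case "$v" in
        1) echo "RC4 40-bit (V 1, R $r): inside pdfcrack's stated range" ;;
        2) echo "RC4 ${len:-40}-bit (V 2, R $r): inside pdfcrack's stated range" ;;
        4) if printf '%s' "$dict" | grep -q AESV2; then
               echo "AES-128 (V 4, R $r): outside the RC4 range the report tests"
           else
               echo "RC4 128-bit (V 4, R $r): inside pdfcrack's stated range"
           fi ;;
        5) echo "AES-256 (V 5, R $r): outside pdfcrack's stated limit" ;;
        *) echo "unknown security handler version /V $v" ;;
    esac
}

# Constructed skeleton of an encrypted PDF 1.6 file (no real content; /O and /U
# are zeroed placeholders, not genuine password digests). The /P value holds the
# owner-password permission bits, which a viewer enforces, not the cipher.
make_sample_pdf() {
    printf '%%PDF-1.6\n1 0 obj << /Type /Catalog /Pages 2 0 R >>\nendobj\n' > "$1"
    printf '3 0 obj << /Filter /Standard /V %s /R %s /Length %s /P -3904 /O <00> /U <00> %s>>\nendobj\n' \
        "$2" "$3" "$4" "$5" >> "$1"
    printf 'trailer << /Root 1 0 R /Encrypt 3 0 R >>\n%%%%EOF\n' >> "$1"
}

rc4=$(mktemp); make_sample_pdf "$rc4" 2 3 128 ""
classify_pdf_encryption "$rc4"   # the report's case: 128-bit RC4 on PDF 1.6
```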