OpenSSL is an open source software toolkit that provides the following:

* Forensic-grade implementations of the most widely used hash functions
* Symmetric cryptographic functions
* Asymmetric cryptographic functions
* Certificate management functions
* A complete S/MIME implementation
* A complete SSL/TLS implementation

OpenSSL is of interest to forensic practitioners and developers because it provides a basic toolkit for building software, and because its higher-level certificate management functions give you an easy way to decode the contents of the certificates used to secure computer systems.
| || |
This page contains step-by-step instructions for using OpenSSL from the command line to perform specific tasks. There are many online OpenSSL guides, and we will try to link to some of them from here, but this page is a handy reference just the same.
=File Extensions=
OpenSSL doesn't care what file extensions you use. However, the following extensions seem to be in common use:
{|
!File Extension
!Description
|-
|.pem
|Can contain a private key, public key, certificate, or certificate signing request.
|-
|
|Windows file extension for a .pem file.
|-
|.p12
|A PKCS12 file, which contains a private key and a certificate, encrypted for transport with a passphrase. This is the format that Windows and macOS like to import.
|}
* Convert PEM to PKCS12:
 % openssl pkcs12 -export -in mpage.crt -inkey mpage.key -out mpage.p12 -name 'MPage Signing Key'

* Convert PKCS12 to PEM, putting both the private key and the certificate in the same file:
 % openssl pkcs12 -in mpage.p12 -out mpage.pem

* The same, but with no encryption of the private key in the output file. -nodes (OpenSSL 3 also accepts the newer spelling -noenc) writes the key in plaintext, so protect the resulting file accordingly:
 % openssl pkcs12 -in mpage.p12 -out mpage.pem -nodes

* Decrypt a PEM private key (remove its passphrase):
 % openssl rsa -in newreq.pem -out key.pem

* Print the contents of a certificate:
 % openssl x509 -in mpage.pem -text

* Read the PKCS12 file and output a key file and a certificate file:
 % openssl pkcs12 -in slg.p12 -out slg.key -nocerts -nodes
 % openssl pkcs12 -in slg.p12 -out slg.pem -nokeys -nodes
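The conversions above as one runnable script, added here as an example and not taken from the original page. It generates a throwaway key and self-signed certificate (constructed input, so it runs offline), exports them to PKCS#12, extracts the key both with and without -nodes, decrypts the encrypted copy with openssl rsa as in the list above, and then performs the check worth doing after any such conversion: that the public key inside the certificate is the one that belongs to the extracted private key. The file names (mpage.*) and passphrases are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: round-trip a private key and
# certificate through PKCS#12 and check what comes back out. The file names
# (mpage.*), the passphrases and the throwaway key/certificate are assumptions
# constructed here so the script runs offline.
set -eu

WORK="${TMPDIR:-/tmp}/p12demo.$$"
mkdir -p "$WORK" && cd "$WORK"

# Constructed input: a 2048-bit RSA key and a self-signed certificate for it.
make_test_material() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=mpage.example' -keyout mpage.key -out mpage.crt 2>/dev/null
}

# PEM -> PKCS#12. The transport passphrase is supplied with -passout so the
# command does not prompt; -name sets the friendly name shown by importers.
pem_to_p12() {
    openssl pkcs12 -export -in mpage.crt -inkey mpage.key -out mpage.p12 \
        -name 'MPage Signing Key' -passout pass:transport-secret
}

# PKCS#12 -> separate files. -nodes writes the key unencrypted; without it
# the key is re-encrypted under a new PEM passphrase (-passout here).
p12_to_pem() {
    openssl pkcs12 -in mpage.p12 -passin pass:transport-secret -nocerts -nodes -out plain.key
    openssl pkcs12 -in mpage.p12 -passin pass:transport-secret -nocerts -out enc.key -passout pass:pem-secret
    openssl pkcs12 -in mpage.p12 -passin pass:transport-secret -nokeys -out out.crt
}

# The page's "decrypt a PEM private key" step: strip the PEM passphrase again.
decrypt_key() {
    openssl rsa -in enc.key -passin pass:pem-secret -out decrypted.key 2>/dev/null
}

# A PEM key is encrypted only if its header says so (PKCS#8 "ENCRYPTED PRIVATE
# KEY", or a legacy "Proc-Type: 4,ENCRYPTED" line).
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# The check worth doing after any conversion: the public key inside the
# certificate must equal the public key derived from the private key.
pubkey_hash_from_cert() { openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'; }
pubkey_hash_from_key()  { openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}'; }
key_matches_cert() { [ "$(pubkey_hash_from_key "$1")" = "$(pubkey_hash_from_cert "$2")" ]; }

make_test_material
pem_to_p12
p12_to_pem
decrypt_key
if key_matches_cert plain.key out.crt && ! key_is_encrypted plain.key \
   && key_is_encrypted enc.key && ! key_is_encrypted decrypted.key; then
    echo "PKCS#12 round trip OK: extracted key matches certificate; plain.key and decrypted.key are unencrypted"
else
    echo "PKCS#12 round trip FAILED" >&2
    exit 1
fi
```

On OpenSSL 3 the PKCS#12 file produced by -export is encrypted with AES-256 and PBKDF2 by default; older importers that only understand the legacy RC2/3DES algorithms need the -legacy option at export time.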
=Making Certificates=
To make a self-signed certificate, writing the private key (unencrypted, because of -nodes) and the certificate into the same file:

 openssl req -new -x509 -nodes -out imapd.pem -keyout imapd.pem -days 3650

Make a certificate request:
The same command without -x509 creates a certificate signing request (CSR) instead of a self-signed certificate; the request is then sent to a certificate authority, which signs it and returns the certificate.
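The two forms of openssl req side by side, added here as an example that is not part of the original page: the self-signed command from above, the same command without -x509 producing a CSR, and a throwaway CA (an assumption constructed for the example, as are the subjects and the ca.* and imapd.* file names) that signs the request. It finishes with openssl verify, which shows why the distinction matters: the CA-issued certificate chains to the CA, the self-signed one does not.

```shell
#!/bin/sh
# Added example, not part of the original page: the two forms of "openssl req"
# side by side. With -x509 the output is a self-signed certificate; without it
# the output is a certificate signing request (CSR) that a CA signs. The CA,
# the subjects and the file names (imapd.*, ca.*) are assumptions built here.
set -eu

WORK="${TMPDIR:-/tmp}/certdemo.$$"
mkdir -p "$WORK" && cd "$WORK"

# 1. Self-signed certificate with key and certificate in one file, as on the
#    page (-keyout and -out name the same file; the key is written first).
make_self_signed() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj '/CN=imapd.example' -keyout imapd-selfsigned.pem -out imapd-selfsigned.pem 2>/dev/null
}

# 2. Same command without -x509: a CSR plus a separate (unencrypted) key.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj '/CN=imapd.example' -keyout imapd.key -out imapd.csr 2>/dev/null
}

# 3. A throwaway CA that signs the request into a real certificate.
make_ca() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj '/CN=Example Test CA' -keyout ca.key -out ca.crt 2>/dev/null
}
sign_csr() {
    openssl x509 -req -in imapd.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -out imapd.crt 2>/dev/null
}

# First PEM label in a file: tells a CSR ("CERTIFICATE REQUEST") from a
# certificate ("CERTIFICATE") or a key before anything is handed to a server.
pem_type() { sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1; }

# Chain check: the CA-issued certificate verifies against ca.crt; the
# self-signed one does not, because nothing in the trust store vouches for it.
verify_against_ca() { openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; }

make_self_signed
make_csr
make_ca
sign_csr
echo "imapd.csr is a $(pem_type imapd.csr); imapd.crt is a $(pem_type imapd.crt)"
if verify_against_ca imapd.crt; then
    echo "imapd.crt chains to ca.crt"
fi
if verify_against_ca imapd-selfsigned.pem; then
    echo "unexpected: the self-signed certificate verified against ca.crt" >&2
    exit 1
else
    echo "imapd-selfsigned.pem does not chain to ca.crt (expected)"
fi
```

openssl verify with no -purpose only checks the chain; pass -purpose sslserver (or sslclient, smimesign) to also confirm the key usage extensions allow the intended use.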
=Get a certificate from an SSL server=
 openssl s_client -connect www.nitroba.com:443

This prints the handshake details and the server's certificate in PEM form, then waits for input; press Ctrl-D (or redirect stdin from /dev/null) to close the session. Add -showcerts to print every certificate the server sent rather than only the leaf, and -servername with the host name when the server hosts several sites, since it picks the certificate by SNI.
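The same fetch done end to end, added here as an example and not part of the original page. So that it runs offline, the "server" is a local openssl s_server with a constructed self-signed certificate (the host name, the port 44330 and the certificate are assumptions); the script extracts the PEM block from the s_client output and compares its SHA-256 fingerprint with the expected one, which is the check you make when pinning or comparing a certificate seen on the wire against one obtained out of band.

```shell
#!/bin/sh
# Added example, not part of the original page: run the page's s_client step
# against a local "openssl s_server" so it works offline, extract the
# certificate the server presented and compare its SHA-256 fingerprint with
# the expected one. The host name, port and server certificate are assumptions
# constructed here.
set -eu

WORK="${TMPDIR:-/tmp}/sclient.$$"
mkdir -p "$WORK" && cd "$WORK"
PORT=44330    # assumption: an unused local port

make_server_cert() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=www.nitroba.com' -keyout server.key -out server.crt 2>/dev/null
}

# Serve exactly one TLS connection on loopback, then exit (-naccept 1).
start_server() {
    openssl s_server -accept "127.0.0.1:$PORT" -cert server.crt -key server.key \
        -naccept 1 -quiet >/dev/null 2>&1 &
    sleep 1
}

# s_client prints the leaf certificate in PEM form among its output. </dev/null
# closes the session instead of waiting for typed input; -servername sends the
# SNI name, which a host serving several sites needs to choose the right cert.
fetch_cert() {
    openssl s_client -connect "127.0.0.1:$PORT" -servername www.nitroba.com </dev/null 2>/dev/null \
        | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' >seen.crt
    [ -s seen.crt ]
}

# SHA-256 fingerprint as hex pairs: the value to pin or to compare out of band.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'; }

make_server_cert
start_server
fetch_cert
expected=$(fingerprint server.crt)
seen=$(fingerprint seen.crt)
if [ "$expected" = "$seen" ]; then
    echo "certificate on the wire matches the expected fingerprint: $seen"
else
    echo "MISMATCH: expected $expected, got $seen" >&2
    exit 1
fi
```

Against a real server replace 127.0.0.1:$PORT with host:443; with -showcerts the sed range will capture every certificate in the chain, so split the output before fingerprinting if you want only the leaf.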
=Viewing Certificates=
 openssl x509 -in ssl.crt -text

Add -noout to print only the decoded fields without repeating the PEM block.
=S/MIME=
To sign an outgoing mail (the %s placeholders are filled from the values computed in the first two lines):
 from_email = `openssl x509 -email -in certfile.pem -noout`
 x509_subject = `openssl x509 -subject -in certfile.pem -noout`
 openssl smime -from %s -to %s -subject %s -sign -inkey file -signer %s -in tempfile.txt extra
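The signing step above with concrete values filled in, added here as an example that is not part of the original page, together with the two things a practitioner wants next: the verification the recipient runs, and a tampered copy of the signed mail to confirm that verification really fails. The message body, the addresses and the self-signed signing certificate are assumptions constructed in the script.

```shell
#!/bin/sh
# Added example, not part of the original page: the page's signing command with
# concrete values filled in, followed by the verification a recipient performs
# and by a tampered copy that must fail. The message body, the addresses and
# the self-signed signing certificate are assumptions constructed here.
set -eu

WORK="${TMPDIR:-/tmp}/smime.$$"
mkdir -p "$WORK" && cd "$WORK"

# Constructed signing identity: a self-signed cert carrying an e-mail address.
make_signer_cert() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Alice/emailAddress=alice@example.org' -keyout alice.key -out alice.pem 2>/dev/null
}

# The two backtick expressions from the page.
from_email()   { openssl x509 -email   -in alice.pem -noout; }
x509_subject() { openssl x509 -subject -in alice.pem -noout; }

# Sign: -signer is the certificate, -inkey its private key. -from/-to/-subject
# only add mail headers to the output; they are not covered by the signature.
sign_mail() {
    printf 'Please wire the funds to account 12345.\n' >tempfile.txt   # constructed body
    openssl smime -sign -in tempfile.txt -out signed.eml \
        -signer alice.pem -inkey alice.key \
        -from "$(from_email)" -to bob@example.org -subject 'Transfer'
}

# Verify: the signature is checked and the signer certificate is chained to
# -CAfile; with a self-signed signer the certificate itself is the trust
# anchor. The recovered body is written to the second argument.
verify_mail() { openssl smime -verify -in "$1" -CAfile alice.pem -out "$2" 2>/dev/null; }

# A detached S/MIME signature leaves the body in the clear; changing one digit
# must make verification fail with a digest mismatch.
tamper() { sed 's/12345/99999/' signed.eml >tampered.eml; }

make_signer_cert
sign_mail
tamper
if verify_mail signed.eml recovered.txt; then
    echo "original verifies; body: $(tr -d '\r' <recovered.txt)"
fi
if verify_mail tampered.eml /dev/null; then
    echo "tampered message verified, something is wrong" >&2
    exit 1
else
    echo "tampered copy rejected"
fi
```

In a real deployment -CAfile names the CA that issued the correspondent's certificate, not the signer certificate itself; the self-signed shortcut here only works because the example generates both sides.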
=See Also=
www.macdevcenter.com/pub/a/mac/2002/08/23/jaguar_server.html?page=4
=Windows Forensic Environment (WinFE)=
WinFE was developed and researched in 2008 by Troy Larson, Senior Forensic Examiner and Researcher at Microsoft. WinFE is based on the Windows Pre-installation Environment (WinPE), configured so that attached media are not mounted, and are thus read-only, by default.
It works similarly to Linux forensic CDs that are configured not to mount media when booting.
Unlike Linux boot CDs, however, WinFE can run Windows-based software, so various forensic tools and general portable utilities can be included.
WinFE can also be configured to boot from a USB device, provided the evidence computer is able to boot from USB.
WinFE can be customized to the examiner's needs through batch files using the Windows Automated Installation Kit (WAIK) or through third-party utilities such as WinBuilder.
Some examples of Windows based forensic utilities that can run in the Windows Forensic Environment include:
WinFE is based on the modification of just two values in the Windows Registry.
The first is located under "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MountMgr", where the DWORD "NoAutoMount" has to be set to "1".
With this set, the Mount Manager service will not automatically mount any storage device.
The second is under "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\partmgr\Parameters", where "SanPolicy" has to be set to "3" (the OfflineAll policy, which leaves all newly discovered disks offline).
With both values set, no storage device is mounted automatically; any drive the examiner does want to use must be brought online manually with the command-line tool DiskPart. The evidence drive itself does not need to be mounted for imaging or other forensic access.
Testing by various members of the forensic community has shown that merely mounting the volume causes no write access to the evidentiary media. Mounting the partition, however, even in read-only mode, may cause some writing depending on the type of filesystem; on Linux/UNIX journaling filesystems such as ext3/ext4 and ZFS the potential modification is a documented 4-byte change to non-user-created data. At present the most likely explanation for this effect is the writing of a "drive signature". In-depth testing is still ongoing.