
A Practitioner's Guide to Linux as a Computer Forensic Platform

Barry J. Grundy bgrundy@LinuxLEO.com
VER 3.78 December 2008

v.3.78 The Law Enforcement and Forensic Examiner's Introduction to Linux

Legalities ..... 4
Acknowledgments ..... 4
Foreword ..... 5
A Word about the GNU in GNU/Linux ..... 6
Why Learn Linux? ..... 6
Conventions Used in this Document ..... 7
I. Installation ..... 8
  Distributions ..... 8
  Slackware and Using this Guide ..... 11
  Installation Methods ..... 12
  Slackware Installation Notes ..... 12
  Desktop Environment ..... 16
  The Linux Kernel: Versions and Issues ..... 16
  Configuring Slackware 12: 2.6 Kernel Considerations ..... 19
    udev ..... 19
    Hardware Abstraction Layer ..... 20
    DBUS ..... 20
    2.6 Kernel and Desktops ..... 21
    Rolling Your Own - The Custom Kernel ..... 21
II. Linux Disks, Partitions and the File System ..... 23
  Disks ..... 23
  Partitions ..... 23
  Using Modules - Linux Drivers ..... 25
  Device Recognition ..... 27
  The File System ..... 28
III. The Linux Boot Sequence (Simplified) ..... 30
  Booting the Kernel ..... 30
  Initialization ..... 32
  Runlevel ..... 32
  Global Startup Scripts ..... 33
  Service Startup Scripts ..... 33
  Bash ..... 34
IV. Linux Commands ..... 36
  Linux at the Terminal ..... 36
  Additional Useful Commands ..... 39
  File Permissions ..... 41
  Metacharacters ..... 44
  Command Hints ..... 44
  Pipes and Redirection ..... 44
  The Super User ..... 46
V. Editing with Vi ..... 47
  The Joy of Vi ..... 47
  Vi Command Summary ..... 48
VI. Mounting File Systems ..... 49
  The Mount Command ..... 49
  The File System Table (/etc/fstab) ..... 51
VII. Linux and Forensics ..... 53
  Included Forensic Tools ..... 53
  Analysis Organization ..... 54
  Determining the Structure of the Disk ..... 55
  Creating a Forensic Image of the Suspect Disk ..... 56
  Mounting a Restored Image ..... 57
  Mounting the Image Using the Loopback Device ..... 58
  File Hash ..... 58
  The Analysis ..... 61
  Making a List of All Files ..... 62
  Making a List of File Types ..... 63
  Viewing Files ..... 65
  Searching Unallocated and Slack Space for Text ..... 66
VIII. Common Forensic Issues ..... 70
  Handling Large Disks ..... 70
  Preparing a Disk for the Suspect Image ..... 72
  Obtaining Disk Information ..... 74
IX. Advanced (Beginner) Forensics ..... 76
  The Command Line on Steroids ..... 76
  Fun with dd ..... 84
  Splitting Files and Images ..... 84
  Compression on the Fly with dd ..... 87
  Data Carving with dd ..... 91
  Carving Partitions with dd ..... 94
  Determining the Subject Disk File System Structure ..... 98
  dd over the Wire ..... 101
X. Advanced Forensic Tools ..... 104
  Alternative Imaging Tools ..... 106
    dc3dd ..... 106
    ddrescue ..... 113
    Bad Sectors - ddrescue ..... 119
    Bad Sectors - dc3dd ..... 122
    Bad Sector Acquisition - Conclusions ..... 124
  libewf - Working with Expert Witness Files ..... 125
  Sleuthkit ..... 134
  Sleuthkit Installation and System Prep ..... 136
  Sleuthkit Exercises ..... 138
    Sleuthkit Exercise #1 - Deleted File Identification and Recovery ..... 139
    Sleuthkit Exercise #2 - Physical String Search & Allocation Status ..... 150
    Sleuthkit Exercise #3 - Unallocated Extraction & Examination ..... 157
    Sleuthkit Exercise #4 - NTFS Examination: File Analysis ..... 163
    Sleuthkit Exercise #5 - NTFS Examination: ADS ..... 168
    Sleuthkit Exercise #6 - NTFS Examination: Sorting Files ..... 171
    Sleuthkit Exercise #7 - Signature Search in Unallocated Space ..... 174
  SMART for Linux ..... 179
    SMART Filtering ..... 185
    SMART Filtering - Viewing Graphics Files ..... 187
    SMART Searching ..... 189
XI. Bootable Linux Distributions ..... 194
  Tomsrtbt - Boot from a Floppy ..... 194
  Knoppix - Full Linux without the Install ..... 194
  SMART Linux - It's Bootable! ..... 194
  Helix - Knoppix Based Incident Response ..... 195
XII. Conclusion ..... 196
XIII. Linux Support ..... 197
  Places to Go for Support: ..... 197

Legalities
All trademarks are the property of their respective owners. © 1998-2008 Barry J. Grundy (bgrundy@LinuxLEO.com): This document may be redistributed, in its entirety, including the whole of this copyright notice, without additional consent if the redistributor receives no remuneration and if the redistributor uses these materials to assist and/or train members of Law Enforcement or Security/Incident Response professionals. Otherwise, these materials may not be redistributed without the express written consent of the author, Barry J. Grundy.

Acknowledgments
As this guide grows in length and depth, so do the contributions I receive from others in the field that take time out of their own busy days to assist me in making sure that this document is at least accurate if not totally complete. I very much appreciate the proofreading and suggestions made by all. Every time I get comments back on a draft version of this guide, I learn something new.

I would like to thank Cory Altheide, Brian Carrier, Christopher Cooper, Nick Furneaux, John Garris, Robert-Jan Mora, and Jesse Kornblum for providing critical review, valuable input, and in some cases, a much needed sanity check of the contents of this document. Special thanks to Robby Workman for providing very constructive guidance on Slackware details throughout the entire guide. All of the expertise and contributions are greatly appreciated.

Also, I would like to specifically thank all of the Linux Kernel, various distribution, and software development teams for their hard work in providing us with an operating system and utilities that are robust and controllable. Too often we forget the amount of dedication and work that goes into what many end users expect to "just work".


Foreword
The purpose of this document is to provide an introduction to the GNU/Linux (Linux) operating system as a forensic platform for computer crime investigators and forensic examiners.

This is the third major iteration of this paper. There is a balance to be met between maintaining the original introductory purpose of the work, and the constant requests from others coupled with my own desire to add more detailed content. Since the first release, this work has almost quadrupled in length. The content is meant to be beginner level, but as the computer forensic community evolves and the subject matter widens and becomes more mainstream, the definition of "beginner level" material starts to blur. As a result, I've made an effort to keep the material as basic as possible without omitting those subjects that I see as fundamental to the proper understanding of Linux and its potential as a computer forensic platform. A number of people have pointed out to me that with inclusion of some of the more complex exercises, this document should be given the more fitting "practitioner's guide" moniker rather than "beginner's guide".

We follow the philosophy that a hands-on approach is the best way to learn. GNU/Linux operating system utilities and specialized forensic tools available to investigators for forensic analysis are presented with practical exercises.

This is by no means meant to be the definitive "how-to" on forensic methods using Linux. Rather, it is a (somewhat extended) starting point for those who are interested in pursuing the self-education needed to become proficient in the use of Linux as an investigative tool. Not all of the commands offered here will work in all situations, but by describing the basic commands available to an investigator I hope to "start the ball rolling". I will present the commands; the reader needs to follow up on the more advanced options and uses. Knowing how these commands work is every bit as important as knowing what to type at the prompt. If you are even an intermediate Linux user, then much of what is contained in these pages will be review. Still, I hope you find some of it useful.

Over the years I have repeatedly heard from colleagues that have tried Linux by installing it, and then proceeded to sit back and wonder "what next?"

I have also entertained a number of requests and suggestions for a more expansive exploration of applications available to Linux for forensic analysis at the application level. You have a copy of this introduction. Now download the exercises and drive on.


As always, I am open to suggestions and critique. My contact information is on the front page. If you have ideas, questions, or comments, please don't hesitate to e-mail me. Any feedback is welcome.

This document is occasionally (infrequently, actually) updated. Check for newer versions (numbered on the front page) at the official site:

http://www.LinuxLEO.com

A word about the GNU in GNU/Linux
When we talk about the Linux operating system, we are actually talking about the GNU/Linux operating system (OS). Linux itself is not an OS. It is just a kernel. The OS is actually a combination of the Linux kernel and the GNU utilities that allow us (more specifically our hardware) to interact with the kernel. Which is why the proper name for the OS is GNU/Linux. We (incorrectly) call it "Linux" for convenience.

Why Learn Linux?
One of the questions I hear most often is: "why should I use Linux when I already have [insert Windows GUI forensic tool here]?" There are many reasons why Linux is quickly gaining ground as a forensic platform. I'm hoping this document will illustrate some of those attributes.

- Control: not just over your forensic software, but the whole OS and attached hardware.
- Flexibility: boot from a CD (to a complete OS), file system support, platform support, etc.
- Power: a Linux distribution is (or can be) a forensic tool.

Another point to be made is that simply knowing how Linux works is becoming more and more important. While many of the Windows based forensic packages in use today are fully capable of examining Linux systems, the same cannot be said for the examiners.

As Linux becomes more and more popular, both in the commercial world and with desktop users, the chance that an examiner will encounter a Linux system in a case becomes more likely (especially in network investigations). Even if you elect to utilize a Windows forensic tool to conduct your analysis, you must at least be familiar with the OS you are examining. If you do not know what is normal, then how do you know what does not belong? This is true on so many levels, from the actual contents of various directories to strange entries in configuration files, all the way down to how files are stored. While this document is more about Linux as a forensic tool rather than analysis of Linux, you can still learn a lot about how the OS works by actually using it.

Conventions used in this document
When illustrating a command and its output, you will see something like the following:

root@rock:~# command
output...

This is essentially a command line (terminal) session where...
root@rock:~#

...is the command prompt, followed by the command (typed by the user) and then the command's output. The command will be shown in bold text to further differentiate it from command output.

In Linux, the command prompt can take different forms, depending on the environment settings (the default differs among distributions). In the example above, the format is


user@hostname directory #

meaning that we are the user "root" working on the computer named "rock", currently in the directory "root" (the root user's home directory; in this case, the home directory is symbolized by the shorthand representation of the tilde, "~"). Note that for a root login the command prompt's trailing character is "#". If we log in as a regular user, the default prompt character changes to a "$", as in the following example:


bgrundy@rock:~$

This is an important difference. The root user is the system "superuser". We will cover the differences between user logins later in this document.


I. Installation
First and foremost, know your hardware. If your Linux machine is to be a dual boot system with Windows, then use the Windows Device Manager to record all your installed hardware and the settings used by Windows. If you are setting up a standalone Linux system, then gather as much documentation about your system as you can. This has become much less important with the evolution of the Linux install routines. Hardware compatibility and detection have been greatly improved over the past couple of years. Some of the recent versions of distributions, like Ubuntu Linux, have extraordinary hardware detection.

- Hard drive: knowing the size and geometry is helpful when planning your partitioning.
- SCSI adapters and devices (note the adapter chipset). SCSI is very well supported under Linux.
- Sound card (note the chipset).
- Video card (important to know your chipset and memory, etc.).
- Monitor timings:
  - Horizontal and vertical refresh rates.
- Network card (chipset).
- Network parameters:
  - IP (if not DHCP)
  - Netmask
  - Broadcast address
  - DNS servers
  - Default gateway
- USB controller support is standard in current distributions.
- IEEE 1394 (Firewire) controller support is also standard in current distributions.

In the vast majority of cases, most of this information will not be needed. But it's always handy to know your hardware if you must troubleshoot.

Most distributions have a plethora of documentation, including online help and documents in downloadable form. Do a Web search and you are likely to find a number of answers to any question you might have about hardware compatibility issues in Linux.
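Once Linux is running, the same inventory can be taken from the command line and filed with the workstation's build notes. The script below is an added example, not part of the guide: it reads /proc and /sys for the kernel, CPU, memory and disk details listed above, and uses lspci and ip for the adapter and network parameters only when those tools are installed. The function names are my own, and anything that cannot be read is reported as "unknown" rather than aborting, so it can be run on a minimal or live-CD system.

```shell
#!/bin/sh
# Added example (not from the LinuxLEO guide): record the hardware facts the
# installation chapter asks you to gather, as key=value lines for the build notes.

# Convert a /proc/meminfo stream on stdin to total RAM in MiB.
meminfo_total_mb() {
    awk '/^MemTotal:/ { printf "%d\n", $2 / 1024 }'
}

# Convert a size in 512-byte sectors (what /sys/block/*/size reports) to GiB.
sectors_to_gib() {
    awk -v s="$1" 'BEGIN { printf "%.1f\n", s * 512 / 1073741824 }'
}

# Whole disks with their sizes; loop and ram devices are not real hardware.
hw_disks() {
    for d in /sys/block/*; do
        [ -e "$d/size" ] || continue
        name=${d##*/}
        case $name in loop*|ram*) continue ;; esac
        printf 'disk=%s size_gib=%s\n' "$name" "$(sectors_to_gib "$(cat "$d/size")")"
    done
    return 0
}

# PCI adapters of the kinds the chapter lists: storage, video, sound, network,
# USB and FireWire controllers. Falls back to "unknown" without lspci.
hw_pci() {
    if command -v lspci >/dev/null 2>&1; then
        lspci 2>/dev/null \
            | grep -Ei 'scsi|sata|ide|vga|audio|ethernet|network|usb|firewire|1394' \
            | sed 's/^/pci=/'
    else
        echo "pci=unknown (lspci not installed)"
    fi
    return 0
}

# IPv4 addresses, default gateway and DNS servers.
hw_network() {
    if command -v ip >/dev/null 2>&1; then
        ip -o -4 addr show 2>/dev/null | awk '{ printf "iface=%s addr=%s\n", $2, $4 }'
        ip -4 route show default 2>/dev/null | awk '{ printf "gateway=%s\n", $3 }'
    fi
    if [ -r /etc/resolv.conf ]; then
        awk '/^nameserver/ { printf "dns=%s\n", $2 }' /etc/resolv.conf
    fi
    return 0
}

# Full inventory on stdout.
hw_inventory() {
    printf 'kernel=%s\n' "$(uname -srm)"
    printf 'cpu=%s\n' "$( (grep -m1 '^model name' /proc/cpuinfo 2>/dev/null \
        || echo 'model name: unknown') | sed 's/^[^:]*: *//')"
    printf 'memory_mb=%s\n' "$( (cat /proc/meminfo 2>/dev/null \
        || echo 'MemTotal: 0 kB') | meminfo_total_mb)"
    hw_disks
    hw_pci
    hw_network
}

# Usage: hw_inventory > hardware-inventory.txt
```

Keep the resulting file with the case-independent documentation for the workstation; when a later kernel or distribution upgrade changes how a device is detected, it gives you a baseline to compare against while troubleshooting.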

Distributions
Linux comes in a number of different "flavors". These are most often referred to as "distributions" ("distros"). Default kernel configuration, tools that are included (system management and configuration, etc.) and the package format (the "upgrade path") most commonly differentiate the various Linux distros.

It is common to hear users complain that device X works under Suse Linux, but not on Red Hat, etc. Or that device Y did not work under Red Hat version 9, but a change to CentOS fixed it. Most often, the difference is in the version of the Linux kernel being used and therefore the updated drivers, or the patches applied by the distribution vendor, not the version of the distribution (or the distribution itself).

Here's an overview of just a few of the Linux distros that are available. Selecting one is a matter of preference. Many of these distros now provide a "live CD" that allows a user to boot a CD into a fully functional operating environment. Try them out and see what pleases you.

Red Hat / Fedora: One of the most popular Linux distributions. Red Hat works with companies like Dell, IBM and Intel to assist businesses in the adoption of Linux for enterprise use. Use of RPM and Kickstart began the first real user upgrade paths for Linux. Red Hat has elected to move into an enterprise oriented business model. It is still a viable option for the desktop through the Fedora Project (http://fedoraproject.org/). Fedora is an excellent choice for beginners because of the huge install base and the proliferation of online support. The install routine is well polished and hardware support is well documented. Another Red Hat based distribution is CentOS.

Debian: Not really for beginners. The installation routine is not as polished as some other distributions. Debian has always been a "hacker favorite". It is also one of the most non-commercial Linux distributions, and true to the spirit of GNU/GPL. (http://www.debian.org/).

SuSE: Now owned by Novell, SuSE is originally German in origin. It is by far the largest software inclusive distribution. (http://www.novell.com/linux/). There is an open support network and download directory at http://www.opensuse.org. A Live CD is also available.

Mandriva Linux: Formerly known as Mandrake. Mandriva is a favorite of many beginners and desktop users. It is heavy on GUI configuration tools, allowing for easy migration to a Linux desktop environment. (http://wwwnew.mandriva.com/).

Gentoo Linux: Source-centric distribution that is optimized during install; one of my personal favorites. Once through the complex installation routine, upgrading the system and adding software is made extremely easy through Gentoo's Portage system. Not for beginners, though. You are left to configure the system entirely on your own. If you have endless patience and a lot of time, it can be a fantastic learning experience. (http://www.gentoo.org/).

Ubuntu Linux: A relative newcomer, Ubuntu Linux is based on Debian and although I've not used it myself, it has a reputation for fantastic hardware detection and ease of use and installation. (http://www.ubuntulinux.org). I've heard that this is a great choice for beginners.

Slackware: The original commercial distribution. Slackware has been around for years. Installation is now almost as easy as all the others. Good standard Linux. Not over-encumbered by GUI config tools. Slackware aims to produce the most "UNIX-like" Linux distro available. One of my personal favorites, and in my humble opinion, currently one of the best choices for a forensic platform. (http://www.slackware.com/). This guide is tailored for use with a Slackware Linux installation.

Lots of information on more distributions than you care to read about is available at http://www.distrowatch.com.

My suggestion for the absolute beginner looking to experience an overall desktop OS would be either the newest version of Fedora Core or Ubuntu. If you really want to dive in and bury yourself, go for Gentoo, Slackware or Debian. If you choose one of these latter distributions, be prepared to read a lot.

If you are unsure where to start, will be using this guide as your primary reference, and are interested mainly in forensic applications of Linux, then I would suggest Slackware. More on why a little later.

One thing to keep in mind: as I mentioned earlier, if you are going to use Linux in a forensic capacity, then try not to rely on GUI tools too much. Almost all settings and configurations in Linux are maintained in text files (usually in either your home directory, or in /etc). By learning to edit the files yourself, you avoid problems when either the X window system is not available, or when the specific GUI tool you rely on is not on a system you might come across. In addition, knowledge of the text configuration files will give you insight into what is "normal", and what might have been changed when you examine a subject system. Learning to interpret Linux configuration files is all part of the "forensic experience".

Slackware and Using this Guide
Because of differences between distributions, the Linux flavor of your choice can cause different results in commands' output and different behavior overall. Additionally, some sections of this document describing configuration files or startup scripts, for example, might appear vastly different depending on the distro you select.

If you are selecting a Linux distribution for the sole purpose of learning through following along with this document, then I would suggest Slackware. Slackware is stable and does not attempt to enrich the user's experience with cutting edge file system hacks or automatic configurations that might hamper forensic work. Detailed sections of this guide on the inner workings of Linux will be written toward a basic Slackware installation (currently in version 12.1).

Previous versions of this document attempted to be far more distro independent. The examples and discussions of configuration files were focused on the more popular distribution formats. In the intervening years, there has been a veritable explosion of different flavors of Linux. This guide has been linked on a number of websites, and has been used in a variety of training forums. As a result of these changes, I have found myself receiving numerous e-mails asking questions like "The output I get does not match what's in your guide. I'm using 'Fuzzy Kitten Linux 2.0' with kernel version 2.6.16-fk145.2... What could be wrong?" My reply has become standard to such queries: "I'm not familiar with that version of Linux, and I'm not sure what changes have been made to that kernel." Providing answers to questions on the exercises that follow requires that I know a little about the environment being used. To that end, I've decided to point people towards a standard, stable version of Linux that includes few surprises.

By default, Slackware's current installation routine leaves initial disk partitioning up to the user. There are no default schemes that result in surprising volume groups or other complex disk management techniques. The resulting file system table (also known as fstab) is standard and does not require editing to provide for a forensically sound environment, unlike some other popular distributions.

The most recent version of Slackware (12.x) now uses the 2.6 series kernel by default. In many circumstances, your hardware will require that you use a 2.6 kernel (certain SATA controllers, etc.). In recognition of this, the current version of this document now assumes that the user has installed a 2.6 kernel version of Linux. This brings the LinuxLEO Practitioner's Guide in line with the majority of forensic practitioners currently using Linux, including myself. Previous versions of this document suggested a 2.4 (kernel version) install.

Slackware Linux is stable, consistent, and simple. As always, Linux is Linux. Any distribution can be changed to function like any other (in theory). However, my philosophy has always been to start with an optimal system, rather than attempt to "roll back" a system heavily modified and optimized for the desktop rather than a forensic workstation.

If you are comfortable with another distribution, then by all means, continue to use and learn it. Just be aware that there may be customizations and modifications made to the standard kernel and file system setups that might not be ideal for forensic use. These can always be remedied, but I prefer to start as close to optimal as possible.
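The fstab point above is worth checking on whatever distribution you adopt. An entry for a mount point used for attached media that lacks "noauto" is mounted at boot without anyone deciding to mount it, and one that lacks "ro" is mounted writable. The shell function below is an added example, not part of the guide or of Slackware: it audits fstab text on standard input against those two criteria (my own choice of checks), exempting the workstation's own system volumes and the pseudo file systems. The sample tables are constructed in the Slackware style for the demonstration.

```shell
#!/bin/sh
# Added example (not from the LinuxLEO guide): flag fstab entries for attached
# media that would be mounted automatically or writable.

# fstab_audit: read fstab lines on stdin, print one OK or WARN line per
# audited entry and a final warning count.
fstab_audit() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # comments and blank lines
    NF < 4        { next }                  # malformed entry, nothing to audit
    {
        dev = $1; mnt = $2; type = $3
        opts = "," $4 ","                   # delimit so "ro" does not match "errors=ro..."
        # swap and kernel pseudo file systems never hold evidence
        if (type ~ /^(swap|proc|sysfs|devpts|tmpfs|usbfs|debugfs)$/) next
        # the system volumes of the workstation itself must mount at boot
        if (mnt ~ /^\/(boot|home|usr|var|opt|tmp|srv)?$/) next
        if (opts !~ /,noauto,/) {
            printf "WARN %s (%s): mounted automatically at boot (missing noauto)\n", mnt, dev
            warn++
        }
        if (opts !~ /,ro,/) {
            printf "WARN %s (%s): writable (missing ro)\n", mnt, dev
            warn++
        }
        if (opts ~ /,noauto,/ && opts ~ /,ro,/) printf "OK   %s (%s)\n", mnt, dev
    }
    END { printf "%d warning(s)\n", warn + 0 }'
}

# Constructed sample in the Slackware layout. The floppy entry is writable and
# the USB entry mounts at boot, read-write: three warnings expected.
SAMPLE_FSTAB='/dev/sda2   swap        swap    defaults         0 0
/dev/sda1   /           ext3    defaults         1 1
/dev/cdrom  /mnt/cdrom  auto    noauto,owner,ro  0 0
/dev/fd0    /mnt/floppy auto    noauto,owner     0 0
/dev/sdb1   /mnt/usb    vfat    auto,users,rw    0 0
devpts      /dev/pts    devpts  gid=5,mode=620   0 0
proc        /proc       proc    defaults         0 0
tmpfs       /dev/shm    tmpfs   defaults         0 0'

# The same table with noauto and ro added to the media entries: no warnings.
HARDENED_FSTAB='/dev/sda2   swap        swap    defaults         0 0
/dev/sda1   /           ext3    defaults         1 1
/dev/cdrom  /mnt/cdrom  auto    noauto,owner,ro  0 0
/dev/fd0    /mnt/floppy auto    noauto,owner,ro  0 0
/dev/sdb1   /mnt/usb    vfat    noauto,users,ro  0 0
devpts      /dev/pts    devpts  gid=5,mode=620   0 0
proc        /proc       proc    defaults         0 0
tmpfs       /dev/shm    tmpfs   defaults         0 0'

# Usage on a real system:  fstab_audit < /etc/fstab
```

The remedy for a flagged entry is to add "noauto" and "ro" to its options, as the hardened sample does; a device you want written to can still be mounted read-write by hand when you intend it. The audit covers only fstab; desktop automount facilities are configured elsewhere and do not show up here.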

Installation Methods
- Download the needed ISO (CD image) files, burn them to a CD and boot the media. This is the most common method of installing Linux. Most distros can be downloaded for free via http, ftp, or torrent. Slackware is available at http://www.slackware.com. Have a look at http://linuxlookup.com/linux_iso or http://distrowatch.com/ for information on downloading and installing other Linux flavors.
- Use a bootable Linux distribution (covered later). For example, the SMART or Helix Linux bootable CDs can easily be used as experimental platforms. See http://www.asrdata2.com or http://www.e-fense.com/helix for more information.

During a standard installation, much of the work is done for you, and relatively safe defaults are provided. As mentioned earlier, hardware detection has gone through some great improvements in recent years. I strongly believe that many (if not most) Linux distros are far easier and faster to install than other mainstream operating systems. Typical Linux installation is well documented online (check the how-tos at the Linux Documentation Project: http://www.tldp.org/). There are numerous books available on the subject, and most of these are supplied with a Linux distribution ready for install. Familiarize yourself with Linux disk and partition naming conventions (covered in Chapter II of this document) and you should be ready to start.

SlackwareInstallationNotes
Aspreviouslymentioned,itissuggestedthatyoustartwithSlackwareif thisisyourfirstforayintoLinuxandforensicsANDyouprimaryinterestis

BarryJ.Grundy

12

v.3.78TheLawEnforcementandForensicExaminer'sIntroductiontoLinux

forensics.IfyoudodecidetogiveSlackwareashot,herearesomesimple guidelines.ThedocumentationprovidedonSlackware'ssiteiscompleteand easytofollow.Readtherefirst... DecideonstandaloneLinuxordualboot. InstallWindowsfirstinadualbootsystem.IfyouhaveVista,becareful thereareissuesyoushouldbeawareof.Researchdualbootingwith Vistabeforeproceeding. DeterminehowyouwanttheLinuxsystemtobepartitioned. DoNOTcreateanyextrapartitionswithWindowsfdisk.Justleavethe spaceunallocated.SlackwarewillrequireyoutoutilizeLinuxfdiskor anotherpartitioningtoolatthestartoftheinstallprocess. READthroughtheinstallationdocumentationbeforeyoustartthe process.Don'tbeinahurry.IfyouwanttolearnLinux,youhavetobewilling toread.ForSlackware,havealookthroughtheinstallationchaptersofthe Slackbooklocatedathttp://www.slackbook.org.Forabasic(butdetailed) understandingofhowLinuxworksandhowtouseit,theSlackbookshouldbe yourfirststop. 1)BoottheLinuxmedia.Slackwarerequiresonlythefirsttwoinstallation disks(orthesingleDVD).

- Read each screen carefully.
- Accepting most defaults works.
- Your hardware will be detected and configured under most (if not all) circumstances. Online support is extensive if you have problems. Keep in mind that if a piece of hardware causes problems during an install, or is not detected during installation, this does not mean that it will not work. Install the operating system and spend some time troubleshooting. When learning Linux, Google is very often your best friend (try http://www.google.com/linux).
- The Slackware install CD for the current version (12.1) will boot by default using a kernel called hugesmp.s. It includes support for most hardware by default and supports multiple CPUs. If it does not work, then try the single CPU i486 kernel huge.s. Hit the F2 key at the initial boot: prompt for more info.
- Once the system is booted, you are presented with the slackware login: prompt. READ THE ENTIRE SCREEN as instructed. Log in as root, and continue with your install routine.
- The main install routine for Slackware is started with the command setup. You will need to ensure that you have your disk properly partitioned before you enter the setup program.
- Take the time to read each screen completely as it comes up.

2) Partition and format for Linux

At a minimum you will need two partitions. This step is normally part of the installation process, or is covered in the distribution's documentation.
- Root (/) as type Linux Native.
- Swap as type Linux Swap (use 2x your system memory as a starting point for swap size).

You will hear a lot about using multiple partitions for different directories. Don't let that confuse you. There are arguments both for and against using multiple partitions for a Linux file system. If you are just starting out, use one large root (/) partition, and one swap partition as described above.

You will partition your Slackware Linux system using fdisk or cfdisk. The Slackbook has a detailed section on using fdisk to accomplish this (http://www.slackbook.org/html/book.html#INSTALLATION-PARTITIONING). In fact, I would read the entire installation section of the Slackbook. It will make the process much easier for you.

When asked to format the root partition, I would suggest selecting the ext3 file system (now default in Slackware 12.1).

3) Package installation (system)

When asked which packages to select for installation, it is usually safe for a beginner to select everything or full. This allows you to try all the packages, along with multiple X Window desktop environments. This can take as much as 5 to 6 GB on some of the newer distributions (5 GB on Slackware), however it includes all the software you are likely to need for a long time (including many office type applications, Internet, e-mail, etc.). This is not really optimal for a forensic workstation, but for a learning box it will give you the most exposure to available software for experimentation.

4) Installation Configuration

- Sound
  - Usually automatic. If not, search the Web. The answer is out there. If it does not work out of the box (as it should with most hardware in Slackware), then try the following.
  - There are many current distributions using the Advanced Linux Sound Architecture (ALSA), including Slackware. Configuring sound on Linux using ALSA can be quite easy. Once booted into your new system, try running the command alsaconf to allow the system to attempt automatic configuration. If that appears to work (no obvious error messages), run alsamixer to adjust speaker volume. These programs are run from a command prompt. The alsaconf program is run as the root user, while alsamixer can be run as a regular user.

- Xorg (X Window system)
  - Know your hardware (video card, etc.).
  - If you choose to configure X during the installation routine, do not click yes if the installation routine asks if you want X to start automatically every time your system boots. This can make problem solving difficult and results in less control over the system. You can always start the GUI with startx from the command line.
  - By default, Xorg will use a standard VESA driver to run your X Window system. You can attempt to get a more optimum configuration after the installation by running X -configure, which will write a new configuration file with settings tailored more for your hardware. This will create a file called xorg.conf.new which can then be copied to /etc/X11/xorg.conf.
  - I would suggest you use XFCE as your desktop manager. Feel free to use others, but XFCE will provide a clean, uncluttered interface. You select XFCE as your desktop during the Slackware installation by choosing xinitrc.xfce during the X setup portion. You can try other window managers by running the command xwmconfig and selecting a different one.
- Boot Method (the Boot loader selects the OS to boot)
  - LILO or GRUB. LILO is the default for Slackware. Some people find GRUB more flexible and secure. GRUB can be installed later, if you like.
  - Usually select the option to install LILO to the master boot record (MBR). The presence of other boot loaders (as provided by other operating systems) determines where to install LILO or GRUB. The boot loader contains the code that points to the kernel to be booted. Check http://www.tldp.org for multi-OS and multi-boot HowTo documents.
- Create a username for yourself; avoid using root exclusively.
- For more information, check the file CHANGES_AND_HINTS.TXT on the install CD, or at: http://slackware.osuosl.org/slackware-12.1/CHANGES_AND_HINTS.TXT

This file is loaded with useful hints and changes of interest from one release to another.

Linux is a multi-user system. It is designed for use on networks (remember, it is based on Unix). The root user is the system administrator, and is created by default during installation. Exclusive use of the root login is DANGEROUS. Linux assumes that root knows what he or she is doing and allows root to do anything he or she wants, including destroy the system. Create a new user. Don't log in as root unless you must. Having said this, much of the work done for forensic analysis must be done as root to allow access to raw devices and system commands.
Desktop Environment
When talking about forensic suitability, your choice of desktop system can make a difference. First of all, the terms desktop environment and window manager are NOT interchangeable. Let's briefly clarify the components of a common Linux GUI.

- X Window: This is the basic GUI environment used in Linux. Commonly referred to as X, it is the application that provides the GUI framework, and is NOT part of the OS. X is a client/server program with complete network transparency.
- Window Manager: This is a program that controls the appearance of windows in the X Window system, along with certain GUI behaviors (window focus, etc.). Examples are Kwin, Metacity, XFWM, Enlightenment, etc.
- Desktop Environment: A combination of Window Manager and a consistent interface that provides the overall desktop experience. Examples are XFCE, GNOME, KDE, etc.
  - The default Window Manager for KDE is Kwin.
  - The default Window Manager for GNOME is Metacity.
  - The default Window Manager for XFCE is XFWM.

These defaults can be changed to allow for preferences in speed and resource management over the desire for eye candy, etc. You can also elect to run a Window Manager without a desktop environment. For example, the Enlightenment Window Manager is known for its eye candy and can be run standalone, with or without KDE or GNOME, etc.

Slackware no longer comes with GNOME as an option, though it can be installed like any other application. During the base Slackware installation, you will be given a choice of KDE, XFCE, and some others. I would like to suggest XFCE. It provides a cleaner interface for a beginner to learn on. It is leaner and therefore less resource intensive. You still have access to many KDE utilities, if you elected to install KDE during package selection. You can install more than one desktop and switch between them, if you like. The easiest way to switch is with the xwmconfig command.

The Linux Kernel: Versions and Issues
The Linux kernel is the brain of the system. It is the base component of the Operating System that allows the hardware to interact with and manage other software and system resources.

In December of 2003, the Linux 2.6 kernel was released. This was another milestone in the Linux saga, and all of the newer mainstream distribution versions are based on the 2.6 kernel. Many of the changes in 2.6 over the previous 2.4 are geared toward enterprise use and scalability. The newer kernel release also has a number of infrastructure changes that have a significant impact on Linux as a forensic platform. For example, there is enhanced support for USB and a myriad of other external devices. Read up on udev for more information on one such change[1]. We will very briefly discuss udev later in this section.

As with all forensic tools, we need to have a clear view of how any kernel version will interact with our forensic platforms and subject hardware. Almost all current distributions of Linux already come with a 2.6 kernel installed by default. Slackware 12 has also moved to the 2.6 kernel series (2.6.24.5 in 12.1).

Previous versions of this document suggested using an older (but updated) version of the kernel (2.4 series) to account for infrastructure changes in newer kernel versions that could adversely affect Linux employed as a forensic platform. This version of the Linux Forensic Practitioner's Guide has departed from that philosophy and we now use a distribution with a 2.6 kernel by default. Still, it is both interesting and important to understand the implications of kernel choice on a forensic platform. So while we have moved on to the 2.6 kernel, we will still cover the differences and caveats to using a modern kernel.

Prior to the 2.6 series kernel, the developers maintained 2 separate kernel branches. One was for the stable kernel, and the other was for testing. Once released, the stable kernel was updated with bug fixes and was considered a solid production kernel. The other kernel branch was the testing branch and was used to incorporate innovations and updates to the kernel infrastructure. The stable kernel had an even numbered secondary point release, and the testing branch had an odd numbered secondary point release.

  Stable branch    2.0   2.2   2.4   2.6
  Testing branch   2.1   2.3   2.5   ??

[1] http://www.kernel.org/pub/linux/utils/kernel/hotplug/udev.html

The development of the 2.5 test kernel series resulted in the stable 2.6 series. Many of the improvements, once deemed stable, were backported to the 2.4 kernel. As a result, the 2.4 series is still considered modern and supports much of the newer hardware currently in use.

So, what were the initial reservations about ad hoc adoption of the 2.6 kernel in forensics, even though it's considered stable? You will notice from the chart above that there is no current 2.7 testing branch. The current kernel development scheme does not utilize a testing branch. This means that new innovations and changes to kernel infrastructure get wrapped directly into 2.6 kernel updates. As a result, critical upgrades within the 2.6 kernel series have a potential to break existing applications. There were many in the Linux community (even outside of computer forensics) that saw the 2.6 kernel as a fine system for desktop computers, but did not consider using it in a production environment. Again, this does NOT mean that it was not suitable for forensics, just that it required more testing and careful configuration with the addition of more cutting edge features.

Of equal importance in selecting a Linux kernel for forensic use was the interface that the kernel provides between the hardware and the end user. The 2.6 kernel includes a number of enhancements that are designed specifically to improve the overall Linux experience on the desktop. These enhancements, if not properly configured and controlled, can result in a loss of user control over devices, one of the primary reasons for using Linux for forensics in the first place. Such obstacles can be overcome through proper configuration, but rigorous testing, as with all forensic applications, is required. Knowing what services to disable, and what effect this will have on the entire system is imperative. While a complete discussion of these requirements is largely beyond the scope of this guide, we will cover basic configuration in later sections.

So we have finally arrived at a point where the 2.6 kernel is mainstream and we will be using it in our forensic environment. The key to safe use (this goes for ANY operating system) is knowledge of your environment and proper testing. Please keep that in mind. You MUST understand how your hardware and software interact with any given operating system before using it in a production forensic analysis.

One of the greatest strengths Linux provides is the concept of total control. This requires thorough testing and understanding. Don't lose sight of this in pursuit of an easy desktop experience.

Configuring Slackware 12: 2.6 kernel considerations
So, we've discussed the differences between the 2.4 and the 2.6 kernel. There are infrastructure changes and enhancements to the 2.6 kernel that can be more of a challenge to configure for a Linux beginner looking for a stable and sound forensic platform.

In this section, we will focus on the minimum configuration requirements for creating a sound forensic environment under current Linux distributions using the 2.6 kernel. We will briefly discuss device node management (udev), hardware abstraction (HAL) and message bus (dbus) daemons, and the desktop environment. In simplified terms, it is these components that create the most obvious problems for forensic suitability in the most current Linux distributions. The good news is that, being Linux, the user has very granular control over these services. The control that we love having with Linux is still there, we just need to grab some of it back from the kernel (or the desktop, as the case may be).

udev

Starting with kernel version 2.6.13, Linux device management was handed over to a new system called udev. Traditionally, the device nodes (files representing the devices, located in the /dev directory) used in previous kernel versions were static, that is they existed at all times, whether in use or not[2]. For example, on a system with static device nodes we may have a primary SATA hard drive that is detected by the kernel as /dev/sda. Since we have no IDE drives, no drive is detected as /dev/hda. But when we look in the /dev directory we see static nodes for all the possible disk and partition names for /dev/hda. The device nodes exist whether or not the device is detected.

In the new system, udev creates device nodes on the fly. The nodes are created as the kernel detects the device and the /dev directory is populated in real time. In addition to being more efficient, udev also runs in user space. One of the benefits of udev is that it provides for persistent naming. In other words, you can write a set of rules (for a nice explanation of udev rules, see: http://reactivated.net/writing_udev_rules.html) that will allow udev to recognize a device based on individual characteristics (serial number, manufacturer, model, etc.). The rule can be written to create a user defined link in the /dev directory, so that for example, my thumb drive can always be accessed through an arbitrary device node name of my choice, like /dev/mythumb, if I so choose. This means that I don't have to search through USB device nodes to find the correct device name if I have more than one external storage device connected.

[2] We will not cover Devfs, a device management system that used dynamic nodes prior to udev.

Udev is required for current 2.6 kernels. On Slackware, it runs as a daemon from the startup script /etc/rc.d/rc.udev. We will discuss these startup scripts in more detail later in this document. We will not do any specific configuration for udev on our forensic computers at this time. We discuss it here simply because it is a major change in device handling in the 2.6 kernel. Udev does NOT involve itself in automounting or otherwise interacting with applications. It simply provides a hardware to kernel interface.

Hardware Abstraction Layer

HAL refers to the Hardware Abstraction Layer. The HAL daemon maintains information about devices connected to the system. In effect, HAL acts as a middleman for device detection, in that it organizes device information in a uniform format accessible to applications that want to either access or react to a change in the status of a device (plugged in or unplugged, etc.). The information that HAL makes available is object specific and provides far more detail than normal kernel detection allows. As a result, applications that receive information about a device from HAL can react in context. HAL and udev are not connected, and operate independently of one another. Where HAL describes a device in detail, for use by applications, udev simply manages device nodes. In Slackware 12, HAL is run as a daemon from /etc/rc.d/rc.hald. See the section titled Service Startup Scripts in Chapter III for more information on rc scripts and how to stop the service from auto starting.

dbus

The system message bus, or dbus, provides a mechanism for applications to exchange information. For our purposes here, we will simply state that dbus is the communication channel used by HAL to send its information to applications. In Slackware 12, dbus is run as a daemon from /etc/rc.d/rc.messagebus.

With some very fine configuration, it's possible to have HAL and dbus running and still maintain a sound forensic environment. For our purposes, we will turn HAL and dbus off. We do this because exhaustive configuration is outside the scope of this document. We will make these adjustments in the section File Permissions on page 41. It has been noted that turning dbus off is not strictly required (at this point). I suggest doing so for the sake of safety. I urge you to test your own configurations.

2.6 Kernel and Desktops

One of the considerations when discussing Desktop Environments is its integration with the HAL and dbus services to allow for desktop auto mounting of removable media. KDE and GNOME are heavily integrated with HAL/dbus and users need to be aware of how to control this undesired behavior in a forensic environment. Equally important is how to deal with instability caused when expected messages from the OS are not received by a polling application.

XFCE is a lighter weight (read: lighter on resources) desktop. And although XFCE is also capable of integration with HAL and dbus, it allows for easier control of removable media on the desktop (search for thunar-volman). While KDE and GNOME also allow for control of automounting through configuration dialogs, they are far more tightly integrated and arguably more complex.

Rolling your own: The Custom Kernel
"Everyforensicexaminershouldcompilehisownkernel,justlike everyJedibuildshisownlightsaber." TheCoryAltheide AtsomepointduringyourLinuxeducation,youwillwanttolearnhow torecompileyourkernel.Why?Well...theabovequoteputsitquitenicely. Thekernelthatcomeswithyourdistroofchoiceisoftenheavilypatched,and isconfiguredtoworkwiththewidestvarietyofhardwarepossible.Thisgives thestockdistributionabetterchanceofworkingonamultitudeofsystems rightoutofthebox.NotethattheSlackwarekernel'sarenicelygenericand quitesuitableoutoftheboxforforensicuse.Also,bewarnedthatuser customizedkernelsmakefordifficulttroubleshootingandyouwilloftenbe askedtoreproduceproblemswithastockkernelbeforeyoucangetspecific support.Thisissimplyamatterofdefiningacommondenominatorwhen addressingproblems. Theactualstepsforcompilingacustomkernelareoutsidethescopeof thisdocument,andhavebeencoveredelsewhere3.Theconcepts,howeverare importantforanoverallunderstandingofhowLinuxworks.

AquickInternetsearchforlinuxcustomkernelcompileorthelikewillprovideagoodstart.Throwintheword forensicforsomemorespecificpointers.
3

As mentioned previously, the kernel provides the most basic interface between hardware and the system software and resource management. This includes drivers and other components that are actually small separate pieces of code that can either be compiled as modules or compiled directly in the kernel image.

There are two basic approaches to compiling a kernel. Static kernels are built so that all of the drivers and desired features are compiled into the single kernel image. Modular kernels are built such that drivers and other features can be compiled as separate object files that can be loaded and unloaded on the fly into a running system. More on handling kernel modules can be found in Section II of this document, under Using Modules.

In short, you might find yourself in need of a kernel recompile as a result of the fact that you require specific drivers or support that is not currently included in your distribution's default kernel configuration. Or, after becoming comfortable with Linux, you decide you want to try your hand at actually configuring your custom kernel simply because you want to make it more efficient or because you want to expand the support for hardware, file systems, or partition table types that you might come across during an investigation.

In any event, Forensics with Linux is all about control. Customizing your kernel configuration, while an advanced skill, is the most basic form of control you have in Linux (short of rewriting the source code itself). At some point, this is something you will want to educate yourself further on.

II. Linux Disks, Partitions and the File System

Disks
Linux treats its devices as files. The special directory where these "files" are maintained is "/dev".

  DEVICE:                              FILENAME:
  Floppy (a:)                          /dev/fd0
  Hard disk (master, IDE0)             /dev/hda
  Hard disk (slave, IDE0)              /dev/hdb
  Hard disk (master, IDE1)             /dev/hdc, etc.
  1st SCSI hard disk (SATA, USB)       /dev/sda
  2nd SCSI hard disk                   /dev/sdb, etc.

Partitions

  DEVICE:                                      FILENAME:
  1st Hard disk (master, IDE0)                 /dev/hda
    1st Primary partition                      /dev/hda1
    2nd Primary partition                      /dev/hda2, etc.
    1st Logical drive (on extd part)           /dev/hda5
    2nd Logical drive                          /dev/hda6, etc.
  2nd Hard disk (slave, IDE0)                  /dev/hdb
    1st Primary partition                      /dev/hdb1, etc.
  CDROM (ATAPI) or 3rd disk (mstr, IDE1)       /dev/hdc
  1st SCSI disk (or SATA, USB, etc.)           /dev/sda
    1st Primary partition                      /dev/sda1, etc.

The pattern described above is fairly easy to follow. If you are using a standard IDE disk (or standard ATAPI CDROM drive), it will be referred to as hdx where the "x" is replaced with an "a" if the disk is connected to the primary IDE controller as master and a "b" if the disk is connected to the primary IDE controller as a slave device. In the same way, the IDE disks (or CDROM) connected to the secondary IDE controller as master and slave will be referred to as hdc and hdd respectively.

SCSI and Serial ATA (SATA) disks will be referred to as sdx. In the case of SCSI disks, they are assigned letters in the order in which they are detected. This includes USB and Firewire. For example, a primary SATA disk will be assigned sda. If you attach a USB disk or a thumb drive it will normally be detected as sdb, and so on.[4]

[4] You may run across older distributions that support devfs which uses a different naming scheme. Don't let this confuse you. The pattern described above is still supported through links for compatibility. See http://www.atnf.csiro.au/people/rgooch/linux/docs/devfs.html for more information.

The fdisk program can be used to create or list partitions on a supported device. This is an example of the output of fdisk on a dual boot system using the list option (-l [dash el]):


root@rock:~# fdisk -l /dev/hda

Disk /dev/hda: 60.0 GB, 60011642880 bytes
255 heads, 63 sectors/track, 7296 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1   *           1         654     5253223+   7  HPFS/NTFS
/dev/hda2             655        2478    14651280    7  HPFS/NTFS
/dev/hda3            2479        7296    38700585    5  Extended
/dev/hda5            2479        4303    14659281   83  Linux
/dev/hda6            4304        4366      506016   82  Linux swap
/dev/hda7            4367        7296    23535193+   c  W95 FAT32 (LBA)

fdisk -l /dev/hdx gives you a list of all the partitions available on a particular drive (in this case an IDE drive). Each partition is identified by its Linux name. The "boot flag" is indicated, and the beginning and ending cylinders for each partition are given. The number of blocks per partition is displayed. Finally, the partition "Id" and file system type are displayed. To see a list of valid types, run fdisk and at the prompt type "l" (the letter el). Do not confuse Linux fdisk with DOS fdisk. They are very different. The Linux version of fdisk provides for much greater control over partitioning.

Remember that the partition type identified in the last column, under System, has nothing to do with the file system found on that partition. Do not rely on the partition type to determine the file system. On most normal systems, a type c (W95 FAT32) partition type will contain a FAT32 partition, but not always. Also, consider partitions of type 83 (Linux). Type 83 partitions can normally hold EXT2, EXT3, ReiserFS, or any number of other file system types. We will discuss file system identification later in this document.

BEFORE FILE SYSTEMS ON DEVICES CAN BE USED, THEY MUST BE MOUNTED! Any file systems on partitions you define during installation will be mounted automatically every time you boot. We will cover the mounting of file systems in the section that deals with Linux commands, after you have some navigation experience.

Keep in mind that even when not mounted, devices can still be written to. Simply not mounting a file system does not protect it from being inadvertently changed through your actions.
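The Start, End and Blocks columns above carry more than they appear to: from the cylinder geometry on the "Units" line and the exact block count, you can recover each partition's starting sector and byte offset, and the trailing "+" on hda1 and hda7 marks an odd sector count. The following is an added example, not from the guide, that derives those values from the listing above (embedded as constructed input); it goes beyond the text by producing the byte offsets an examiner needs when working on a full-disk image rather than a live disk.

```shell
#!/bin/sh
# Constructed sample input: the fdisk -l listing reproduced from the guide above.
FDISK_SAMPLE='Disk /dev/hda: 60.0 GB, 60011642880 bytes
255 heads, 63 sectors/track, 7296 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1   *           1         654     5253223+   7  HPFS/NTFS
/dev/hda2             655        2478    14651280    7  HPFS/NTFS
/dev/hda3            2479        7296    38700585    5  Extended
/dev/hda5            2479        4303    14659281   83  Linux
/dev/hda6            4304        4366      506016   82  Linux swap
/dev/hda7            4367        7296    23535193+   c  W95 FAT32 (LBA)'

# part_geometry DEVICE
# Prints "START_SECTOR SECTOR_COUNT START_BYTES SIZE_BYTES" for one partition.
# fdisk rounds Start/End to whole cylinders but reports Blocks (1024-byte units)
# exactly, appending "+" when the partition holds an odd number of 512-byte
# sectors.  The exact start is therefore the end of the last cylinder minus the
# exact sector count; the result shows the 63-sector track that DOS-style
# partitioning reserves ahead of hda1 (for the MBR) and ahead of each logical
# drive (for its extended boot record), while hda2 and hda3 start on a
# cylinder boundary.
part_geometry() {
    printf '%s\n' "$FDISK_SAMPLE" | awk -v dev="$1" '
        /^Units = cylinders of/ { spc = $5; bps = $7 }   # sectors per cylinder, bytes per sector
        $1 == dev {
            # The Boot column is "*" or absent, so the numeric fields shift by one.
            if ($2 == "*") { end = $4; blocks = $5 } else { end = $3; blocks = $4 }
            odd = sub(/\+$/, "", blocks)                 # 1 if a "+" was present
            sectors = blocks * 2 + odd
            start = end * spc - sectors                  # End is the last cylinder, inclusive
            printf "%.0f %.0f %.0f %.0f\n", start, sectors, start * bps, sectors * bps
            found = 1
        }
        END { if (!found) exit 1 }'                      # unknown device: non-zero status
}

# Walk every partition in the listing so the whole table can be eyeballed at once.
for p in /dev/hda1 /dev/hda2 /dev/hda3 /dev/hda5 /dev/hda6 /dev/hda7; do
    printf '%-10s %s\n' "$p" "$(part_geometry "$p")"
done
```

The third field (START_BYTES) is the offset you would hand to a loop mount or a carving tool when the partition has to be reached inside an image of the whole disk.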

Mounting file systems on some types of external devices, which we will come to later in this document, may require us to delve a little deeper into modules.

Using modules: Linux Drivers
It's difficult to decide when to introduce modules to a new user. The concept can be a little confusing, but out of the box Linux distributions rely heavily on modules for device and file system support. For this reason, we will make an effort to get familiar with the concept early on.

As discussed in the previous section, modules are really just drivers that can be loaded and unloaded from the kernel dynamically. They are object files (*.ko for the 2.6 kernel) that contain the required driver code for the supported device or option. Modules can be used to provide support for everything from USB controllers and network interfaces to file systems.

The various modules available on your system are located in the /lib/modules/<KERNEL VERSION>/ directory. Note that the current kernel version running on your system can be found using the command uname -r.

There are, in general, three ways that driver code is loaded in Linux:

- Driver code is compiled directly into the kernel. The code is part of the kernel image that is loaded when the computer boots. Supported devices are recognized and configured as the OS loads.
- Modules are loaded at boot time through the actions of udev, which handles hotplug events. After the kernel is loaded, udev events are triggered and the proper modules are automatically loaded. We will cover this in more detail in the chapter covering system startup. Recall that udev handles the device node management.
- Modules are manually loaded by the user, as needed.

In cases where the driver code is not automatically loaded, modules can be installed and removed from the system on the fly using the following commands (as root):

  modprobe    an intelligent module loader
  rmmod       to remove the module
  lsmod       to get a list of currently installed modules

For example, to get USB support for a USB thumb drive on some systems, you may need to load a couple of modules. With the USB device plugged in, we can install the needed modules (ehci_hcd for many USB 2.0 controllers, and usb-storage for the storage interface) with:

  modprobe ehci_hcd       (depending on your USB controller)
  modprobe usb-storage

Note that while the module is named with a .ko extension, we do not include that in the insertion command.

We only need to install these drivers if the kernel does not have the support compiled in, or if the module is not loaded automatically. Note that on a stock Slackware 12.1 system, the support for USB is compiled into the kernel and loading modules is not needed.

So how would you know if you needed to load modules? To check and see if the modules are already loaded, you can use the lsmod command to look for the driver name. Use grep to show only lines with specific text. We will cover grep in far more detail later on.
root@rock:~# lsmod | grep ehci_hcd
root@rock:~#

In this case, the command returns nothing. This might indicate that the driver is not loaded or it might indicate that the driver is not a module, but is compiled directly into the kernel. I can check this using the dmesg command and grep as well. The dmesg command replays the system startup messages.


root@rock:~# dmesg | grep ehci_hcd
ehci_hcd 0000:00:1d.7: EHCI Host Controller
ehci_hcd 0000:00:1d.7: new USB bus registered, assigned bus number 1
ehci_hcd 0000:00:1d.7: debug port 1
ehci_hcd 0000:00:1d.7: irq 20, io mem 0x80004000
ehci_hcd 0000:00:1d.7: USB 2.0 started, EHCI 1.00, driver 10 Dec 2004

The output of the above commands shows us that support for the USB 2.0 host controller is already loaded (as shown in the dmesg output), but not as a module (as shown in the lsmod output).

While this subject can be a bit daunting at first, just keep in mind that an attached device may or may not work on a given system until the proper module is installed. Knowing how to check for existing support, and how to insert a module if needed is important.

Device Recognition
Another common question arises when a user plugs a device into a Linux box and receives no feedback on how (or even if) the device was recognized. One easy method for determining how and if an inserted device is registered is to use the previously introduced dmesg command.

For example, if I plug a USB thumb drive into a Linux computer, and the computer is running a HAL enabled desktop, I may well see an icon appear on the desktop for the disk. I might even see a folder open on the desktop allowing me to access the files automatically. Obviously, on a system we are using as a forensic platform, we may want to minimize this sort of behavior (more on that later...).

So when there is no visible feedback, where do we look to see what device node was assigned to our disk (/dev/sda, /dev/sdb, etc.)? How do we know if it was even detected? Again, this question is particularly pertinent to the forensic examiner, since we will likely configure our system to be a little less helpful.

Plugging in the thumb drive and running the dmesg command provides me with the following output:
root@rock:~# dmesg
<previous output>
scsi 2:0:0:0: Direct-Access     SanDisk  U3 Titanium      2.16 PQ: 0 ANSI: 2
sd 2:0:0:0: [sda] 1994385 512-byte hardware sectors (1021 MB)
sd 2:0:0:0: [sda] Write Protect is off
sd 2:0:0:0: [sda] Mode Sense: 03 00 00 00
sd 2:0:0:0: [sda] Assuming drive cache: write through
sd 2:0:0:0: [sda] 1994385 512-byte hardware sectors (1021 MB)
sd 2:0:0:0: [sda] Write Protect is off
 sda: sda1
sd 2:0:0:0: [sda] Attached SCSI removable disk
scsi 2:0:0:1: CD-ROM            SanDisk  U3 Titanium      2.16 PQ: 0 ANSI: 2
sr0: scsi3-mmc drive: 8x/40x writer xa/form2 cdda tray
sr 2:0:0:1: Attached scsi CD-ROM sr0
usb-storage: device scan complete

The important lines are those that name the device nodes. Note that this particular thumb drive (a SanDisk U3) provides two parts, the storage volume with a single partition (/dev/sda1), and an emulated CDROM device which was detected as /dev/sr0. SCSI CDROM devices are recognized as srx or scdx.
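Both dmesg checks described above (whether a driver is a loaded module or compiled in, and which node a plugged-in drive received) can be scripted. The following is an added example, not from the guide, that runs both checks against constructed lsmod and dmesg text modelled on the output shown in this section; on a live system you would feed the same functions the real `lsmod` and `dmesg` output instead. It also recognises fixed (non-removable) SCSI disks, which the sample above does not contain.

```shell
#!/bin/sh
# Constructed sample output modelled on the guide's examples above.
# lsmod lists one loaded module here; ehci_hcd is deliberately absent from it.
LSMOD_SAMPLE='Module                  Size  Used by
usb_storage            73216  1'

DMESG_SAMPLE='ehci_hcd 0000:00:1d.7: EHCI Host Controller
ehci_hcd 0000:00:1d.7: new USB bus registered, assigned bus number 1
ehci_hcd 0000:00:1d.7: USB 2.0 started, EHCI 1.00, driver 10 Dec 2004
scsi 2:0:0:0: Direct-Access     SanDisk  U3 Titanium      2.16 PQ: 0 ANSI: 2
sd 2:0:0:0: [sda] 1994385 512-byte hardware sectors (1021 MB)
sd 2:0:0:0: [sda] Write Protect is off
 sda: sda1
sd 2:0:0:0: [sda] Attached SCSI removable disk
scsi 2:0:0:1: CD-ROM            SanDisk  U3 Titanium      2.16 PQ: 0 ANSI: 2
sr 2:0:0:1: Attached scsi CD-ROM sr0
usb-storage: device scan complete'

# driver_status NAME
# Reproduces the lsmod/dmesg comparison from the text: a driver that lsmod lists
# is a loaded module; one that only the kernel log mentions is compiled in (or
# was loaded earlier and removed since); one found in neither is not present.
# lsmod shows names with underscores, so a hyphenated name is normalised first.
driver_status() {
    name=$(printf '%s' "$1" | tr '-' '_')
    if printf '%s\n' "$LSMOD_SAMPLE" | awk -v m="$name" '$1 == m { f = 1 } END { exit !f }'; then
        echo "$1: loaded as a module"
    elif printf '%s\n' "$DMESG_SAMPLE" | grep -q -E "^($1|$name)[ :]"; then
        echo "$1: built in (seen in dmesg, not listed by lsmod)"
    else
        echo "$1: not loaded"
    fi
}

# attached_disks
# Prints one line per SCSI-layer device the kernel attached: node, type, the
# partitions announced on the " sdX: sdX1 ..." line, and the drive's own
# write-protect report, e.g. "sda removable-disk partitions=sda1 write-protect=off".
attached_disks() {
    printf '%s\n' "$DMESG_SAMPLE" | awk '
        function node(s) { sub(/^\[/, "", s); sub(/\]$/, "", s); return s }  # "[sda]" -> "sda"
        /^ *sd[a-z]+: / {                              # partition scan line
            dev = $1; sub(/:$/, "", dev)
            $1 = ""; sub(/^ +/, ""); parts[dev] = $0; gsub(/ /, ",", parts[dev])
        }
        /Write Protect is/            { wp[node($3)] = $NF }
        /Attached SCSI removable disk/ { d = node($3); type[d] = "removable-disk"; order[++n] = d }
        /Attached SCSI disk/           { d = node($3); type[d] = "disk";           order[++n] = d }
        /Attached scsi CD-ROM/         { d = $NF;      type[d] = "cdrom";          order[++n] = d }
        END {
            for (i = 1; i <= n; i++) {
                d = order[i]
                line = d " " type[d]
                if (d in parts) line = line " partitions=" parts[d]
                if (d in wp)    line = line " write-protect=" wp[d]
                print line
            }
        }'
}

driver_status ehci_hcd
driver_status usb-storage
driver_status firewire_ohci
attached_disks
```

A "write-protect=off" report comes from the drive itself and says nothing about how you have configured the host; it is a reminder that an unmounted device is still writable, as the previous section warned.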

The File System
Like the Windows file system, the Linux file system is hierarchical. The "top" directory is referred to as "the root" directory and is represented by "/". Note that the following is not a complete list, but provides an introduction to some important directories.

/ (root; not to be confused with /root)
|_ bin
|   |_ <files> ls, chmod, sort, date, cp, dd
|_ boot
|   |_ <files> vmlinuz, system.map
|_ dev
|   |_ <devices> hd*, tty*, sd*, fd*, cdrom
|_ etc
|   |_ X11
|   |   |_ <files> XF86Config, X
|   |_ <files> lilo.conf, fstab, inittab, modules.conf
|_ home
|   |_ barry (your user's name is in here)
|   |   |_ <files> .bashrc, .bash_profile, personal files
|   |_ other users
|_ mnt
|   |_ cdrom
|   |_ floppy
|   |_ other temporary mount points
|_ media
|   |_ cdrom0
|   |_ dvd0
|   |_ other standard media mount points
|_ root
|   |_ <root user's home directory>
|_ sbin
|   |_ <files> shutdown, cfdisk, fdisk, insmod
|_ usr
|   |_ local
|   |_ lib
|   |_ man
|_ var
    |_ log

On most Linux distributions, the directory structure is organized in the same manner. Certain configuration files and programs are distribution dependent, but the basic layout is similar to this.
Note that the directory slash (/) is opposite what most people are used to in Windows (\).

Directory contents can include:

  /bin     Common commands.
  /boot    Files needed at boot time, including the kernel images pointed to by LILO (the LInux LOader) or GRUB.
  /dev     Files that represent devices on the system. These are actually interface files to allow the kernel to interact with the hardware and the file system.
  /etc     Administrative configuration files and scripts.
  /home    Directories for each user on the system. Each user directory can be extended by the respective user and will contain their personal files as well as user specific configuration files (for X preferences, etc.).
  /mnt     Provides temporary mount points for external, remote and removable file systems.
  /media   Provides a standard place for users and applications to mount removable media. Part of the new File System Hierarchy Standard.
  /root    The root user's home directory.
  /sbin    Administrative commands and process control daemons.
  /usr     Contains local software, libraries, games, etc.
  /var     Logs and other variable files will be found here.

Another important concept when browsing the file system is that of relative versus explicit paths. While confusing at first, practice will make the idea second nature. Just remember that when you provide a path name to a command or file, including a / in front means an explicit path, and will define the location starting from the top level directory (root). Beginning a path name without a / indicates that your path starts in the current directory and is referred to as a relative path. More on this later.

One very useful resource for this subject is the File System Hierarchy Standard (FHS), the purpose of which is to provide a reference for developers and system administrators on file and directory placement. Read more about it at http://www.pathname.com/fhs/

III. The Linux Boot Sequence (Simplified)

Booting the kernel

The first step in the (simplified) boot up sequence for Linux is loading the kernel. The kernel image is usually contained in the /boot directory. It can go by several different names:
  bzImage
  vmlinuz

Sometimes the kernel image will specify the kernel version contained in the image, i.e. bzImage-2.6.24. Very often there is a soft link (like a shortcut) to the most current kernel image in the /boot directory. It is normally this soft link that is referenced by the boot loader, LILO (or GRUB).

The boot loader specifies the root device (boot drive), along with the kernel version to be booted. For LILO, this is all controlled by the file /etc/lilo.conf. Each image= section represents a choice in the boot screen. This is an example of a lilo.conf file[5]:


root@rock:~# cat /etc/lilo.conf
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
image=/boot/bzImage      <- Defines the Linux kernel to boot
label=linux              <- Menu choice in LILO
root=/dev/hda3           <- Where the root file system is found
read-only
other=/dev/hda1          <- Defines alternate boot option
label=WinXP              <- Menu choice in LILO
table=/dev/hda

In the case of GRUB, each section beginning with title is a choice for booting and can include Linux as well as other operating systems, including Windows. Note again the reference to the kernel location, and the root device (where the root file system is located). GRUB starts its counting from 0, so where you see hd0,0 it is referring to the first IDE disk, followed by the first partition. See the info or man page for GRUB.

[5] The actual /etc/lilo.conf file on your system will be much more cluttered with comments (lines starting with a #). Comments have been removed from this example for readability.


In the following GRUB example, there will be two different Linux kernel choices offered in the boot menu. They both use the same root file system, but differ in the kernel image loaded from the /boot partition.


root@rock:~# cat /boot/grub/grub.conf
boot=/dev/hda
default=0
timeout=10
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
title Linux (2.6.24)                       <- title sections define a boot menu choice
root (hd0,0)                               <- root device (1st hard drive and 1st partition)
kernel /boot/bzImage ro root=/dev/hda1     <- kernel to boot
title Linux-old (2.4.33)
root (hd0,0)
kernel /boot/bzImage-2.4.33 ro root=/dev/hda1

Once the system has finished booting, you can see the kernel messages that fly past the screen during the booting process with the command dmesg. We discussed this command a little when we talked about device recognition earlier. As previously mentioned, this command can be used to find hardware problems, or to see how a removable (or suspect) drive was detected, including its geometry, etc. The output can be piped through a paging viewer to make it easier to see (in this case, dmesg is piped through less on my Slackware system):


root@rock:~# dmesg | less
Linux version 2.6.24.5-smp (root@midas) (gcc version 4.2.3) #2 SMP Wed Apr 30 13:41:38 CDT 2008
BIOS-provided physical RAM map:
 BIOS-e820: 0000000000000000 - 000000000009fc00 (usable)
 BIOS-e820: 000000000009fc00 - 00000000000a0000 (reserved)
 BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved)
 BIOS-e820: 0000000000100000 - 000000001fff0000 (usable)
 BIOS-e820: 000000001fff0000 - 0000000020000000 (ACPI data)
 BIOS-e820: 00000000fffc0000 - 0000000100000000 (reserved)
0MB HIGHMEM available.
511MB LOWMEM available.
Entering add_active_range(0, 0, 131056) 0 entries of 256 used
<continues>


Initialization

The next step in the boot sequence starts with the program /sbin/init. This program really has two functions:

- initialize the run level and start-up scripts
- terminal process control (respawn terminals)

In short, the init program is controlled by the file /etc/inittab. It is this file that controls your run level and the global start-up scripts for the system.

Runlevel

The run level is simply a description of the system state. For our purposes, it is easiest to say that (for Slackware, at least; other systems, like Fedora Core, will differ):

runlevel 0 = shutdown
runlevel 1 = single user mode
runlevel 3 = full multi-user mode / text login
runlevel 4 = full multi-user / X11 / graphical login [6]
runlevel 6 = reboot

In the file /etc/inittab you will see a line similar to: id:3:initdefault:

root@rock:~# less /etc/inittab
#
# /etc/inittab: This file describes how the INIT process should set up
#               the system in a certain run-level.
#
# Default runlevel.
id:3:initdefault:
# System initialization, (runs when system boots).
si:S:sysinit:/etc/rc.d/rc.S
<continues>

It is here that the default run level for the system is set. If you want a text login (which I would strongly suggest), set the above value to 3. This is the default for Slackware. With this default run level, you use startx to get to the X Window GUI system. If you want a graphical login, you would edit the above line to contain a 4.

[6] This is largely distribution dependent. In Fedora Core, runlevel 5 provides a GUI login. In Slackware, it's runlevel 4.


Global Startup Scripts

After the default run level has been set, init (via /etc/inittab) then runs the following scripts:

/etc/rc.d/rc.S            handles system initialization, file system mount and check, PNP devices, etc.
/etc/rc.d/rc.X            where X is the run level passed as an argument by init. In the case of multi-user (non-GUI) logins (run level 2 or 3), this is rc.M. This script then calls other start-up scripts (various services, etc.) by checking to see if they are executable.
/etc/rc.d/rc.local        called from within the specific run level scripts, rc.local is a general purpose script that can be edited to include commands that you want started at boot-up (sort of like autoexec.bat).
/etc/rc.d/rc.local_shutdown   This file should be used to stop any services that were started in rc.local.

Service Startup Scripts

Once the global scripts run, there are service scripts in the /etc/rc.d/ directory that are called by the various run level scripts, as described above, depending on whether the scripts themselves have executable permissions. This means that we can control the boot-time initialization of a service by changing its executable status. More on how to do this later. Some examples of service scripts are:

/etc/rc.d/rc.inet1        handles network interface initialization.
/etc/rc.d/rc.inet2        handles network services start. This script organizes the various network services scripts, and ensures that they are started in the proper order.
/etc/rc.d/rc.pcmcia       starts PC card services.
/etc/rc.d/rc.sendmail     starts the mail server. Controlled by rc.inet2.
/etc/rc.d/rc.sshd         starts the OpenSSH server. Also controlled by rc.inet2.
/etc/rc.d/rc.messagebus   starts dbus messaging services.
/etc/rc.d/rc.hald         starts hardware abstraction layer daemon services.
/etc/rc.d/rc.udev         populates the /dev directory with device nodes, scans for devices, loads the appropriate kernel modules, and configures the devices.

Have a look at the /etc/rc.d directory for more examples. Note that in a standard Slackware install, your directory listing will show executable scripts as green in color (in the terminal) and followed by an asterisk (*).


Again, this is Slackware specific. Other distributions differ (some differ greatly!), but the concept remains consistent. Once you become familiar with the process, it will make sense. The ability to manipulate start-up scripts is an important step in your Linux learning process.

Bash

bash (Bourne Again Shell) is the default command shell for most Linux distros. It is the program that sets the environment for your command line experience in Linux. The functional equivalent in DOS would be command.com. There are a number of shells available, but we will cover bash here.

There are actually quite a few files that can be used to customize a user's Linux experience. Here are some that will get you started.

/etc/profile   This is the global bash initialization file for interactive login shells. Edits made to this file will be applied to all bash shell users. This file sets the standard system path, the format of the command prompt and other environment variables. Note that changes made to this file may be lost during upgrades. Another method is to create an executable file in the directory /etc/profile.d. Executable files placed in that directory are run at the end of /etc/profile.

/home/$USER/.bash_profile [7]   This script is located in each user's home directory ($USER) and can be edited by the user, allowing him or her to customize their own environment. It is in this file that you can add aliases to change the way commands respond. Note that the dot in front of the file name makes it a hidden file.

/home/$USER/.bash_history   This is an exceedingly useful file for a number of reasons. It stores a set number of commands that have already been typed at the command line (default is 500). These are accessible either through the reverse search (Ctrl-r) or simply by using the up arrow on the keyboard to scroll through the history of already used commands. Instead of retyping a command over and over again, you can access it from the history.

From the perspective of a forensic examiner, if you are examining a Linux system, you can access each user's (don't forget root) .bash_history file to see what commands were run from the command line. Remember that the leading . in the file name signifies that it is a hidden file.

[7] In bash we reference the contents of a variable with a dollar sign. $USER is a variable that represents the name of the current user. To see the contents of individual shell variables, use echo $VARNAME.


Keep in mind that the default values for .bash_history (number of entries, history file name, etc.) can be controlled by the user(s). Read man bash for more detailed info.

The bash start-up sequence is actually more complicated than this, but this should give you a starting point. In addition to the above files, check out /home/$USER/.bashrc. The man page for bash is an interesting (and long) read, and will describe some of the customization options. In addition, reading the man page will give a good introduction to the programming power provided by bash scripting. When you read the man page, you will want to concentrate on the INVOCATION section for how the shell is used and basic programming syntax.
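As an added example (not part of the guide), the following POSIX shell script does the examiner's walk described above: it visits an examined system's home directories, reports how many commands each account's .bash_history holds, and lists any lines in the account's .bash_profile or .bashrc that change what bash records (HISTFILE, HISTSIZE, HISTCONTROL and so on), since a user who set those controls can leave a short or missing history that is itself a finding. The directory layout it expects ($ROOT/root and $ROOT/home/*) and the fixture it builds under mktemp are constructed for the demonstration; on a real case the root would be a read-only mounted evidence image.

```shell
#!/bin/sh
# Added example, not part of the original guide. Survey .bash_history files under a
# system root (e.g. an evidence image mounted read-only at /mnt/analysis).

# Number of recorded commands in one account's history file, or "none" if absent.
history_lines() {
    hist="$1/.bash_history"
    if [ -f "$hist" ]; then
        wc -l < "$hist" | tr -d ' '
    else
        echo none
    fi
}

# Start-up file lines that change what bash records: HISTFILE, HISTSIZE,
# HISTFILESIZE, HISTCONTROL, HISTIGNORE or "set +o history". An account whose
# history is missing or tiny but has such lines was configured not to record.
history_tamper() {
    for rc in "$1/.bash_profile" "$1/.bashrc"; do
        [ -f "$rc" ] && grep -n -E 'HIST|history' "$rc" | sed "s|^|$(basename "$rc"):|"
    done
    return 0
}

# Report for every account: root plus each directory under home.
history_report() {
    for home in "$1"/root "$1"/home/*; do
        [ -d "$home" ] || continue
        printf '%s: %s commands\n' "$(basename "$home")" "$(history_lines "$home")"
        history_tamper "$home" | sed 's/^/    /'
    done
}

# Constructed fixture standing in for a mounted image: three accounts, one of
# which redirected its history to /dev/null in .bash_profile.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/root" "$root/home/alice" "$root/home/bob"
    printf 'ls -la /mnt/data\nmount /dev/sdb1 /mnt/usb\ncp -r /mnt/usb/docs /tmp\n' \
        > "$root/root/.bash_history"
    printf 'cd /tmp\nwget http://example.invalid/tool.tgz\ntar xzf tool.tgz\nrm tool.tgz\n' \
        > "$root/home/alice/.bash_history"
    printf 'export HISTFILE=/dev/null\nexport HISTSIZE=0\n' > "$root/home/bob/.bash_profile"
    echo "$root"
}

fx=$(make_fixture)
history_report "$fx"
rm -rf "$fx"
```

Run against a mounted image as history_report /mnt/analysis. The report only covers bash; accounts whose login shell is something else (check /etc/passwd on the image) keep their history elsewhere or not at all.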


IV. Linux Commands

Linux at the terminal

Directory listing = ls
ls       list files.
ls -F    classifies files and directories.
ls -a    show all files (including hidden).
ls -l    detailed file list (long view).
ls -lh   detailed list (long, with human readable file sizes).

root@rock:~# ls -l
total 3984
drwxr-xr-x 3 root root   4096 Feb 15  2004 Backup_config
drwxr-xr-x 2 root root   4096 Jun 16 16:10 Desktop
drwx------ 2 root root   4096 Jan 27  2004 Documents
drwxr-xr-x 3 root root   4096 Aug 10 14:26 VMware
-rw-r--r-- 1 root root    175 Sep 26  2003 investigator.bjg
-rwxrwx--- 1 root root   2740 Dec 15  2003 k.key
-rwxr-xr-x 1 root root 107012 Nov 29  2003 scanModem
<continues>

We will discuss the meaning of each column in the ls -l output later in this document.

Change directory = cd
cd <dir>      change directory to <dir>.
cd            (by itself) shortcut back to your home directory.
cd ..         up one directory (note the space between cd and ..).
cd -          back to the last directory you were in.
cd /dirname   change to the specified directory. Note that the addition of the / in front of the directory implies an explicit (absolute) path, not a relative one. With practice, this will make more sense.
cd dirname    change to the specified directory. The lack of a / in front of the directory name implies a relative path, meaning dirname is a subfolder of our current directory.

Copy = cp
cp sourcefile destinationfile   copy a file.

Clear the Terminal = clear
clear   clears the terminal screen of all text and returns a prompt.


Move a file or directory = mv
mv sourcefile destinationfile   move or rename a file.

Delete a file or directory = rm
rm filename   deletes a file.
rm -r         recursively deletes all files in directories and subdirectories.
rmdir         remove directories.
rm -f         do not prompt for file removal.

Display command help = man
man command   displays a "manual" page for the specified command. Use "q" to quit. VERY USEFUL.

If you want to find information about a command called find, including its usage, options, output, etc., then you would use the man page for the command find:


root@rock:~# man find
FIND(1L)                                                            FIND(1L)

NAME
       find - search for files in a directory hierarchy

SYNOPSIS
       find [path...] [expression]

DESCRIPTION
       This manual page documents the GNU version of find. find searches
       the directory tree rooted at each given file name by evaluating the
       given expression from left to right, according to the rules of
       precedence (see section OPERATORS), until the outcome is known (the
       left hand side is false for and operations, true for or), at which
       point find moves on to the next file name.
<continues>

Create a directory = mkdir
mkdir directoryname   creates a directory. Again, remember the difference between a relative and explicit path here.


Display the contents of a file = cat or more or less
cat filename    The simplest form of file display, cat streams the contents of a file to the standard output (usually the terminal). cat actually stands for concatenate. This command can also be used to add files together (useful later on). For example:

cat file1 file2 > file3

Takes the contents of file1 and file2 and streams the output, which is redirected to a single file, file3. This effectively adds the two files into one single file (the original files remain unchanged).

more filename   displays the contents of a file one page at a time. Unlike its DOS counterpart, Linux more takes filenames as direct arguments.
less filename   less is a better more. Supports scrolling in both directions, and a number of other powerful features. less is actually the GNU version of more, and on many systems you will find that more is actually a link to less. Use q to exit a less session.

Note that you can string together several options. For example: ls -aF

bgrundy@rock:~/workdir $ ls -aF
./         .lntrc   arlist      dir1/   doc1@
../        .tschr   cpscript*   dir2/   mystuff/
rmscript*  topsc@   workfiles/

..will give you a list of all files (-a), including hidden files, and file/directory classification (-F, which shows "/" for directories, "*" for executables, and "@" for links).


Additional useful commands

grep   search for patterns.
grep pattern filename
grep will look for occurrences of pattern within the file filename. grep is an extremely powerful tool. It has hundreds of uses given the large number of options it supports. Check the man page for more details. We will use grep in our forensic exercises later on.

find   allows you to search for a file (wildcards, actually expressions, permitted). To look for your fstab file, you might try:

root@rock:~# find / -name fstab -print
/etc/fstab

This means "find, starting in the root directory (/), by name, fstab and print the results to the screen". find also allows you to search by file type or even file times (actually inode times). The power of the find command should not be underestimated. More on this tool later.

pwd   prints the present working directory to the screen. The following example shows that we are currently in the directory /root.


root@rock:~# pwd /root

file   categorizes files based on what they contain, regardless of the name (or extension, if one exists). Compares the file header to the "magic" file in an attempt to ID the file type. For example:

root@rock:~# file snapshot01.gif snapshot01.gif: GIF image data, version 87a, 800 x 600

ps   list of current processes. Gives the process ID number (PID), and the terminal on which the process is running.
ps ax   shows all processes (a), and all processes without an associated terminal (x). Note the lack of a dash in front of the options. See the man page for info on this departure from our previous convention.


root@rock:~# ps ax
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:00 init [3]
    2 ?        SN     0:00 [ksoftirqd/0]
    3 ?        S<     0:00 [events/0]
    4 ?        S<     0:00 [khelper]
...
 1966 ?        Ss     0:00 /usr/sbin/syslogd -m 0
 1973 ?        Ss     0:00 /usr/sbin/klogd -c 3 -2
 2009 ?        Ss     0:00 /usr/sbin/acpid -c /etc/acpi/events
 2109 ?        Ss     0:00 /usr/sbin/cupsd
<continues>

strings   prints out the readable characters from a file. Will print out strings that are at least four characters long (by default) from a file. Useful for looking at data files without the originating program, and searching executables for useful strings, etc. More on this forensically useful command later.
chmod     changes the permissions on a file. (See the section in this document on permissions).
chown     changes the owner of a file in much the same way as chmod changes the permissions.

shutdown   this command MUST be used to shut down the machine and cleanly exit the system. This is not DOS. Turning off the machine at the prompt is not allowed and can damage your file system (in some cases) [8]. You can run several different options here (check the man page for many more):
shutdown -r now   will reboot the system now (change to runlevel 6).
shutdown -h now   will halt the system. Ready for power down (change to runlevel 0).

[8] This has become much less of an issue with the newer journaled file systems used by Linux.


File Permissions

Files in Linux have certain specified file permissions. These permissions can be viewed by running the ls -l command on a directory or on a particular file. For example:

root@rock:~# ls -l myfile
-rwxr-xr-x 1 root root 1643 Jan 19 23:23 myfile

If you look close at the first 10 characters, you have a dash (-) followed by 9 more characters. The first character describes the type of file. A dash (-) indicates a regular file. A "d" would indicate a directory, and "b" a special block device, etc.

First character of ls -l output:
- = regular file
d = directory
b = block device (SCSI or IDE disk)
c = character device (serial port)
l = link (points to another file or directory)

The next 9 characters indicate the file permissions. These are given in groups of three:

Owner   Group   Others
rwx     rwx     rwx

The characters indicate:
r = read
w = write
x = execute

So for the above myfile we have rwxr-xr-x

This gives the file owner read, write and execute permissions (rwx), but restricts other members of the owner's group and users outside that group to only read and execute the file (r-x). Write access is denied, as symbolized by the -.

Now back to the chmod command. There are a number of ways to use this command, including explicitly assigning r, w, or x to the file. We will cover the octal method here because the syntax is easiest to remember (and I find it most flexible). In this method, the syntax is as follows:


chmod octal filename

octal is a three digit numerical value in which the first digit represents the owner, the second digit represents the group, and the third digit represents others outside the owner's group. Each digit is calculated by assigning a value to each permission:

read (r)    = 4
write (w)   = 2
execute (x) = 1

For example, the file myfile in our original example has an octal permission value of 755 (rwx=7, r-x=5, r-x=5). If you wanted to change the file so that the owner and the group had read, write and execute permissions, but others would only be allowed to read the file, you would issue the command:

chmod 774 filename

4(r) + 2(w) + 1(x) = 7
4(r) + 2(w) + 1(x) = 7
4(r) + 0(-) + 0(-) = 4

A new long list of the file would show:

root@rock:~# chmod 774 myfile
root@rock:~# ls -l myfile
-rwxrwxr-- 1 root root 1643 Jan 19 23:23 myfile

(rwx=7, rwx=7, r--=4)

Let us look at a practical example of changing permissions. Earlier in this document we discussed the system initialization process. Part of that process is the execution of rc scripts that handle system services. Recall that the file /etc/inittab invokes the appropriate run level scripts in the /etc/rc.d/ directory. In turn, these scripts test various service scripts in the /etc/rc.d/ directory for executable permissions. If the script is executable, it is invoked and the service is started. The test inside the rc.M (multi-user init script) for the PCMCIA service looks like this:


root@rock:~# cat /etc/rc.d/rc.M
...
if [ -x /etc/rc.d/rc.pcmcia ]; then
  . /etc/rc.d/rc.pcmcia start
<continues>


The code shown above is an if/then statement where the brackets signify the test and the -x checks for executable permissions. So it would read: if the file /etc/rc.d/rc.pcmcia is executable, then execute the command /etc/rc.d/rc.pcmcia start. Note that the rc scripts can have either start, stop or restart passed as arguments in most cases.

A look at the permissions of /etc/rc.d/rc.pcmcia shows that it is not executable, and so will not start at system initialization:


root@rock:~# ls -l /etc/rc.d/rc.pcmcia -rw-r--r-- 1 root root 5090 2006-08-16 16:48 /etc/rc.d/rc.pcmcia

To change the executable permissions to allow PCMCIA services to start at boot time, I execute the following:
root@rock:~# chmod 755 /etc/rc.d/rc.pcmcia root@rock:~# ls -l /etc/rc.d/rc.pcmcia -rwxr-xr-x 1 root root 5090 2006-08-16 16:48 /etc/rc.d/rc.pcmcia*

The directory listing shows that I have changed the executable status of the script. Depending on your color terminal settings, you may also see the color of the file change and an asterisk appended to the name.

You can use this technique to go through your /etc/rc.d/ directory to turn off those services that you do not need. Since I'm not running a laptop, and don't need PCMCIA services or wireless support:


root@rock:~# chmod 644 /etc/rc.d/rc.pcmcia root@rock:~# chmod 644 /etc/rc.d/rc.wireless

Since we are running a 2.6 kernel on Slackware, and we want a forensically sound system in as simple a manner as possible here, you should do the same to the rc.hald (HAL) and rc.messagebus (dbus) service scripts. This will prevent system messages from accessing and automounting storage devices when they are detected. This does NOT prevent them from being detected... just from being mounted and/or opened (normally by virtue of desktop software).


root@rock:~# chmod 644 /etc/rc.d/rc.hald root@rock:~# chmod 644 /etc/rc.d/rc.messagebus

The changes will take effect the next time you boot.
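As an added example (not from the guide), the POSIX shell script below does by hand what the File Permissions section and this rc.d walk-through describe. sym_to_octal turns the nine permission characters shown by ls -l into the octal value chmod takes (r=4, w=2, x=1 per triplet), and rc_enabled applies the same [ -x ] test that rc.M uses to list which service scripts in a directory would be started, so you can confirm that rc.hald and rc.messagebus are really off before the next boot. The rc.d directory it builds under mktemp and its stub scripts are constructed for the demonstration; point rc_enabled at /etc/rc.d to audit a real Slackware box.

```shell
#!/bin/sh
# Added example, not part of the original guide.

# Convert the nine permission characters from ls -l (e.g. rwxr-xr-x, without the
# leading file-type character) into the three octal digits chmod accepts.
sym_to_octal() {
    perms="$1"
    out=""
    i=0
    while [ "$i" -lt 9 ]; do
        triplet=$(printf '%s' "$perms" | cut -c"$((i + 1))-$((i + 3))")
        n=0
        case "$triplet" in r??) n=$((n + 4)) ;; esac   # read    = 4
        case "$triplet" in ?w?) n=$((n + 2)) ;; esac   # write   = 2
        case "$triplet" in ??x) n=$((n + 1)) ;; esac   # execute = 1
        out="$out$n"
        i=$((i + 3))
    done
    printf '%s\n' "$out"
}

# Service scripts in a directory that init would run: the same test rc.M makes
# with [ -x ... ]. Prints one script name per line.
rc_enabled() {
    for script in "$1"/rc.*; do
        [ -x "$script" ] && basename "$script"
    done
    return 0
}

# Turn a service off or on the way the guide does: clear or set the execute bits.
rc_disable() { chmod 644 "$1"; }
rc_enable()  { chmod 755 "$1"; }

# Constructed stand-in for /etc/rc.d with a handful of stub scripts; everything
# is enabled except rc.pcmcia, mirroring the guide's starting state.
make_rcd() {
    d=$(mktemp -d)
    for s in rc.S rc.M rc.inet1 rc.sshd rc.pcmcia rc.hald rc.messagebus; do
        printf '#!/bin/sh\necho %s "$1"\n' "$s" > "$d/$s"
        chmod 755 "$d/$s"
    done
    chmod 644 "$d/rc.pcmcia"
    echo "$d"
}

rcd=$(make_rcd)
echo "enabled before:"; rc_enabled "$rcd"
# Forensic platform hardening from the guide: stop HAL and dbus from automounting.
rc_disable "$rcd/rc.hald"
rc_disable "$rcd/rc.messagebus"
echo "enabled after:"; rc_enabled "$rcd"
echo "rwxr-xr-x is $(sym_to_octal rwxr-xr-x), rwxrwxr-- is $(sym_to_octal rwxrwxr--)"
rm -rf "$rcd"
```

Only the execute bits matter to the [ -x ] test, so rc_disable's 644 and a 444 would both keep a script from running; 644 is used here because it is what the guide shows. Note that rc_enabled checks the bits as the current user sees them, which is what init (running as root) sees only when you run it as root.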

Metacharacters

The Linux command line (actually the bash shell in our case) also supports wildcards (metacharacters):

*    for multiple characters (including ".").
?    for single characters.
[]   for groups of characters or a range of characters or numbers.

This is a complicated and very powerful subject, and will require further reading. Refer to regular expressions in your favorite Linux text, along with globbing or shell expansion. There are important differences that can confuse a beginner, so don't get discouraged by confusion over what * means in different situations.

Command Hints

1. Linux has a history list of previously used commands (stored in the file named .bash_history in your home directory). Use the keyboard arrows to scroll through commands you've already typed.
2. Linux supports command line editing. You can use the cursor to navigate a previous command and correct errors.
3. Linux commands and file names are CASE SENSITIVE.
4. Learn output redirection for stdout and stderr (> and 2>). More on this later.
5. Linux uses / for directories, DOS uses \.
6. Linux uses - for command options, DOS uses /.
7. Use q to quit from less or man sessions.
8. To execute commands in the current directory (if the current directory is not in your PATH), use the syntax "./command". This tells Linux to look in the present directory for the command. Unless it is explicitly specified, the current directory is NOT part of the normal user path, unlike DOS.

Pipes and Redirection

Like DOS, Linux allows you to redirect the output of a command from the standard output (usually the display or "console") to another device or file. This is useful for tasks like creating an output file that contains a list of files on a mounted volume, or in a directory. For example:
root@rock:~# ls -al > filelist.txt

The above command would output a long list of all the files in the current directory. Instead of outputting the list to the console, a new file called "filelist.txt" will be created that will contain the list. If the file "filelist.txt"


already existed, then it will be overwritten. Use the following command to append the output of the command to the existing file, instead of overwriting it:


root@rock:~# ls -al >> filelist.txt

Another useful tool similar to that available on DOS is the command pipe. The command pipe takes the output of one command and "pipes" it straight to the input of another command. This is an extremely powerful tool for the command line. Look at the following process list (partial output shown):


root@rock:~# ps ax
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:00 init [3]
    2 ?        SN     0:00 [ksoftirqd/0]
    3 ?        S<     0:00 [events/0]
    4 ?        S<     0:00 [khelper]
    5 ?        S<     0:00 [kacpid]
   26 ?        S<     0:00 [kblockd/0]
   36 ?        S<     0:00 [vesafb]
   45 ?        S      0:00 [pdflush]
   46 ?        S      0:00 [pdflush]
   48 ?        S<     0:00 [aio/0]
 2490 tty1     S      0:00 bash
 3287 pts/0    Ss     0:00 -bash
 3325 pts/0    R+     0:00 ps ax

What if all you wanted to see were those process IDs that indicated a bash shell? You could "pipe" the output of ps to the input of grep, specifying "bash" as the pattern for grep to search. The result would give you only those lines of the output from ps that contained the pattern "bash".


root@rock:~# ps ax | grep bash
 2490 tty1     S      0:00 bash
 3287 pts/0    Ss     0:00 -bash

A little later on we will cover using pipes on the command line to help with analysis.

Stringing multiple powerful commands together is one of the most useful and powerful techniques provided by Linux for forensic analysis. This is one of the single most important concepts you will want to learn if you decide to take on Linux as a forensic tool. With a single command line built from multiple


commands and pipes, you can use several utilities and programs to boil down an analysis very quickly.
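As an added example (not from the guide), the following POSIX shell script exercises the redirections and the pipe described in this section on constructed input, so each behaviour can be checked rather than just read: demo_redirect shows that > truncates and >> appends, demo_stderr shows that 2> captures the error stream separately from > (the ls of a missing path is constructed), and the two count_bash functions show a pitfall of the ps ax | grep bash pipeline on a live system: the grep process itself contains the word "bash", so a naive pattern counts one process too many. PS_SAMPLE is a constructed ps listing, not captured output.

```shell
#!/bin/sh
# Added example, not part of the original guide.

# ">" creates or truncates, ">>" appends: after these three writes the file holds
# two lines ("second", "third"); "first" was overwritten.
demo_redirect() {
    f=$(mktemp)
    echo "first"  >  "$f"
    echo "second" >  "$f"
    echo "third"  >> "$f"
    wc -l < "$f" | tr -d ' '
    rm -f "$f"
}

# stdout and stderr are separate streams: ">" only catches the listing, "2>" the
# error for the missing path. Prints "<stdout lines> <stderr lines>".
demo_stderr() {
    d=$(mktemp -d)
    touch "$d/present"
    ls "$d/present" "$d/missing" > "$d/out.txt" 2> "$d/err.txt" || true
    printf '%s %s\n' "$(wc -l < "$d/out.txt" | tr -d ' ')" "$(wc -l < "$d/err.txt" | tr -d ' ')"
    rm -rf "$d"
}

# Constructed ps ax listing, including the grep that a live "ps ax | grep bash"
# would itself show up in.
PS_SAMPLE='  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:00 init [3]
    2 ?        SN     0:00 [ksoftirqd/0]
 2490 tty1     S      0:00 bash
 3287 pts/0    Ss     0:00 -bash
 3325 pts/0    R+     0:00 ps ax
 3326 pts/0    R+     0:00 grep bash'

# Naive: every line containing "bash", which includes the grep process (3).
count_bash_naive() {
    printf '%s\n' "$PS_SAMPLE" | grep -c bash
}

# Precise: only lines whose COMMAND is bash or a login shell (-bash), i.e. the
# TIME column followed directly by the shell name at end of line (2).
count_bash_precise() {
    printf '%s\n' "$PS_SAMPLE" | grep -c '[0-9]:[0-9][0-9] -\{0,1\}bash$'
}

echo "lines after redirects: $(demo_redirect)"
echo "stdout/stderr lines:   $(demo_stderr)"
echo "naive bash count:      $(count_bash_naive)"
echo "precise bash count:    $(count_bash_precise)"
```

On a live box the usual idioms for the same problem are grep '[b]ash' (the pattern no longer appears literally in the grep process's own command line) or pgrep -x bash, which matches on the process name rather than on text.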

The Super User

If Linux gives you an error message "Permission denied", then in all likelihood you need to be "root" to execute the command or edit the file, etc. You don't have to log out and then log back in as "root" to do this. Just use the su - command to give yourself root powers (assuming you know root's password). Enter the password when prompted. You now have root privileges (the system prompt will reflect this). When you are finished using your su login, return to your original login by typing exit. Here is a sample su session:
bgrundy@rock:~$ whoami
bgrundy
bgrundy@rock:~$ su -
Password: <enter root password>
root@rock:~# whoami
root
root@rock:~# exit
logout
bgrundy@rock:~$

Note that the "-" after su allows Linux to apply root's environment (including root's path) to your su login. So you don't have to enter the full path of a command. Actually, su is a "switch user" command, and can allow you to become any user (if you know the password), not just root.

A word of caution: Be VERY judicious in your use of the root login. It can be destructive. For simple tasks that require root permission, use su and use it sparingly.


V. Editing with Vi

There are a number of terminal mode (non-GUI) editors available in Linux, including emacs and vi. You could always use one of the available GUI text editors in X Window, but what if you are unable to start X? The benefit of learning vi or emacs is your ability to use them from an xterm, a character terminal, or a telnet (use ssh instead!) session, etc. We will discuss vi here. (I don't do emacs :)). vi in particular is useful, because you will find it on all versions of Unix. Learn vi and you should be able to edit a file on any Unix system.

The Joy of Vi

You can start vi either by simply typing vi at the command prompt, or you can specify the file you want to edit with vi filename. If the file does not already exist, it will be created for you.

vi consists of two operating modes, command mode and edit mode. When you first enter vi you will be in command mode. Command mode allows you to search for text, move around the file, and issue commands for saving, save as, and exiting the editor. Edit mode is where you actually input and change text.

In order to switch to edit mode, type either a (for append), i (for insert), or one of the other insert options listed on the next page. When you do this you will see "Insert" appear at the bottom of your screen (in most versions). You can now input text. When you want to exit the edit mode and return to command mode, hit the escape key.

You can use the arrow keys to move around the file in command mode. The vi editor was designed, however, to be exceedingly efficient, if not intuitive. The traditional way of moving around the file is to use the qwerty keys right under your fingertips. More on this below. In addition, there are a number of other navigation keys that make moving around in vi easier.

If you lose track of which mode you are in, hit the escape key twice. You should hear your computer beep and you will know that you are in command mode.

In current Linux distributions, vi is usually a link to some newer implementation of vi, such as vim (vi improved), or in the case of Slackware, elvis. If your distribution includes vim, it should come with a nice online tutorial. It is worth your time. Try typing vimtutor at a command prompt.

Work through the entire thing. This is the single best way to start learning vi. The navigation keys mentioned above will become clear if you use vimtutor.

Vi command summary

Entering Edit Mode from Command Mode:
a                 = append text (after the cursor)
i                 = insert text (directly under the cursor)
o (the letter oh) = open a new line under the current line
O (capital oh)    = open a new line above the current line

Command (Normal) Mode:
0 (zero)      = Move cursor to beginning of current line.
$             = Move cursor to the end of current line.
x             = delete the character under the cursor
X             = delete the character before the cursor
dd            = delete the entire line the cursor is on
:w            = save and continue editing
:wq           = save and quit (can use ZZ as well)
:q!           = quit and discard changes
:w filename   = save a copy to filename (save as)

The best way to save yourself from a messed up edit is to hit <ESC> followed by :q! That command will quit without saving changes.

Another useful feature in command mode is the string search. To search for a particular string in a file, make sure you are in command mode and type /string where string is your search target. After issuing the command, you can move on to the next hit by typing "n".

vi is an extremely powerful editor. There are a huge number of commands and capabilities that are outside the scope of this guide. See man vi for more details. Keep in mind there are chapters in books devoted to this editor. There are even a couple of books devoted to vi alone.


VI. Mounting File Systems

There is a long list of file system types that can be accessed through Linux. You do this by using the mount command. Linux has a couple of special directories used to mount file systems to the existing Linux directory tree. One directory is called /mnt. It is here that you can dynamically attach new file systems from external (or internal) storage devices that were not mounted at boot time. Typically, the /mnt directory is used for temporary mounting. Another available directory is /media, which provides a standard place for users and applications to mount removable media. Actually you can mount file systems anywhere (not just on /mnt or /media), but it's better for organization. Since we will be dealing with mostly temporary mounting of various file systems, we will use the /mnt directory for most of our work. Here is a brief overview.

Any time you specify a mount point you must first make sure that that directory exists. For example, to mount a floppy under /mnt/floppy you must be sure that /mnt/floppy exists. After all, suppose we want to have a CD-ROM and a floppy mounted at the same time? They can't both be mounted under /mnt (you would be trying to access two file systems through one directory!). So we create directories for each device's file system under the parent directory /mnt. You decide what you want to call the directories, but make them easy to remember. Keep in mind that until you learn to manipulate the file /etc/fstab (covered later), only root can mount and unmount file systems.

Newer distributions usually create mount points for floppy and cdrom for you, but you might want to add others for yourself (mount points for subject disks or images, etc. like /mnt/data or /mnt/analysis):
root@rock:~# mkdir /mnt/analysis

The Mount Command

The "mount" command uses the following syntax:

mount -t <filesystem> -o <options> <device> <mountpoint>

Example: Reading a DOS/Windows floppy

Insert the floppy and type:

root@rock:~# mount -t vfat /dev/fd0 /mnt/floppy

Now change to the newly mounted file system (this assumes that the directory /mnt/floppy already exists. If not, create it):
root@rock:~# cd /mnt/floppy

You should now be able to navigate the floppy as usual. When you are finished, EXIT OUT of the /mnt/floppy directory, and unmount the file system with:


root@rock:~# umount /mnt/floppy

Note the proper command is umount, not unmount. This cleanly unmounts the file system. DO NOT remove the disk OR SWAP the disk until it is unmounted.

If you get an error message that says the file system cannot be unmounted because it is busy, then you most likely have a file open from that directory, or are using that directory from another terminal. Check all your xterms and virtual terminals and make sure you are no longer in the mounted directory.

Example: Reading a CD-ROM

Insert the CD-ROM and type:

root@rock:~# mount -t iso9660 /dev/cdrom /mnt/cdrom

Now change to the newly mounted file system:

root@rock:~# cd /mnt/cdrom

You should now be able to navigate the CD as usual. When you are finished, EXIT OUT of the /mnt/cdrom directory, and unmount the file system with:

root@rock:~# umount /mnt/cdrom


If you want to see a list of file systems that are currently mounted, just use the mount command without any arguments or parameters. It will list the mount point and file system type of each device on the system, along with the mount options used (if any).


root@rock:~# mount /dev/hda5 on / type ext3 (rw,noatime) none on /proc type proc (rw) /dev/hda7 on /mnt/data type vfat (rw) /dev/fd0 on /mnt/floppy type vfat (ro,noexec,noatime)

The ability to mount and unmount file systems is an important skill in Linux. There are a large number of options that can be used with mount (some we will cover later), and a number of ways the mounting can be done easily and automatically. Refer to the mount info or man pages for more information.

The file system table (/etc/fstab)

It might seem like "mount -t iso9660 /dev/cdrom /mnt/cdrom" is a lot to type every time you want to mount a CD. One way around this is to edit the file /etc/fstab (file system table). This file allows you to provide defaults for your mountable file systems, thereby shortening the commands required to mount them. My /etc/fstab looks like this:

root@rock:~# cat /etc/fstab
/dev/sda3    /            ext3     noauto,noatime    1 1
/dev/sda2    none         swap     sw                0 0
/dev/sda1    /boot        ext3     defaults          1 2
/dev/cdrom   /mnt/cdrom   iso9660  noauto,users,ro   0 0
/dev/sda4    /mnt/data    vfat     rw,users          0 0
none         /proc        proc     defaults          0 0
/dev/fd0     /mnt/floppy  vfat     noauto,rw,users   0 0

The columns are:

<device>  <mount point>  <fs type>  <default options>  <dump>  <fsck pass>

With this /etc/fstab, I can mount a floppy or CD by simply typing:


root@rock:~# mount /mnt/floppy

or
root@rock:~# mount /mnt/cdrom


The above mount commands look incomplete. When not enough information is given, the mount command will look to /etc/fstab to fill in the blanks. If it finds the required info, it will go ahead with the mount.

Note the "users" entry in the options column for some devices. This allows non-root users to mount (and unmount) the devices. Very useful. Be aware that the user and users options imply noexec, nosuid and nodev unless you override them, precisely so that an unprivileged user cannot bring set-uid binaries or device nodes onto the system on removable media. To find out more about available options for /etc/fstab, enter info fstab at the command prompt.

Also keep in mind that default Linux installations will often create /mnt/floppy and /mnt/cdrom for you already. After installing a new Linux system, have a look at /etc/fstab to see what is available for you. If what you need isn't there, add it.


VII. Linux and Forensics

Included Forensic Tools

Linux comes with a number of simple utilities that make imaging and basic analysis of suspect disks and drives comparatively easy. These tools include:

dd: command used to copy from an input file or device to an output file or device. Simple bit stream imaging.
sfdisk and fdisk: used to determine the disk structure.
grep: search files (or multiple files) for instances of an expression or pattern.
The loop device: allows you to associate regular files with device nodes. This will then allow you to mount a bit stream image without having to rewrite the image to a disk.
md5sum and sha1sum: create and store an MD5 or SHA-1 hash of a file or list of files (including devices).
file: reads a file's header information in an attempt to ascertain its type, regardless of name or extension.
xxd: command line hex dump tool. For viewing a file in hex mode.

Following is a very simple series of steps to allow you to perform an easy practice analysis using the simple Linux tools mentioned above. All of the commands can be further explored with man command. For simplicity we are going to use a floppy with a FAT file system. Again, this is just an introduction to the basic commands. These steps can be far more powerful with some command line tweaking.


Analysis organization

Having already said that this is just an introduction, most of the work you will do here can be applied to actual casework. The tools are standard Linux tools, and although the example shown here is very simple, it can be extended with some practice and a little (ok, a lot) of reading. The practice floppy (in raw image format from a simple dd) for the following exercise is available at:

http://www.LinuxLEO.com/Files/practical.floppy.dd

Of course, as has been pointed out to me on numerous occasions in the last few years, floppy disks are largely a thing of the past. They are nice in that they have a standard size, make for a small and very manageable image for introductory practice, and provide a consistent physical interface (when they are present). Future versions of this document will likely do away with the floppy image altogether, in favor of more modern media (even for the basic exercise). But for the meantime, just bear with me and follow along. You don't need a floppy drive to download and analyze the image. If you don't have one, you'll just have to do without writing the image to a physical disk. At this point, understanding the concepts is good enough.

Once you download the floppy image, put a blank floppy disk in your drive and create the practice floppy with the following command (covered in detail later):

root@rock:~# dd if=practical.floppy.dd of=/dev/fd0

The output of various commands and the amount of searching we will do here is limited by the scope of this example and the amount of data on a floppy. When you actually do an analysis on larger media, you will want to have it organized. Note that when you issue a command that results in an output file, that file will end up in your current directory, unless you specify a path for it.

One way of organizing your data would be to create a directory in your home directory for evidence and then a subdirectory for each case. Since we will be executing these commands as root, the home directory is /root:


root@rock:~# mkdir ~/evid


The tilde (~) in front of the directory name is shorthand for home directory, so when I type ~/evid, it is interpreted as $HOME/evid. If I am logged in as root, the directory will be created as /root/evid. Note that if you are already in your home directory, then you don't need to type ~/. Simply using mkdir evid will work just fine. We are being explicit for instructional purposes.

Directing all of our analysis output to this directory will keep our output files separated from everything else and maintain case organization. You may wish to have a separate drive mounted as /mnt/evid.

For the purposes of this exercise, we will be logged in as root. I have mentioned already that this is generally a bad idea, and that you can make a mess of your system if you are not careful. Many of the commands we are utilizing here require root access (permissions on devices that you might want to access should not be changed to allow otherwise, and doing so would be far more complex than you think). So the output files that we create and the images we make will be found under /root/evid/.

An additional step you might want to take is to create a special mount point for all subject file system analysis. This is another way of separating common system use from evidence processing.

root@rock:~# mkdir /mnt/analysis

Determining the structure of the disk

There are two simple tools available for determining the structure of a disk attached to your system. The first, fdisk, we discussed earlier using the -l option. Replace the x in /dev/hdx (or /dev/sdx) with the letter of the drive that corresponds to the subject drive. For example, if our subject disk is attached on the secondary IDE channel as the master disk, it will be seen as /dev/hdc. A Serial ATA (SATA) disk will be /dev/sda (or sdb, etc.). We can get the partition information on that disk with:

root@rock:~# fdisk -l /dev/hdc

Disk /dev/hdc: 60.0 GB, 60011642880 bytes
255 heads, 63 sectors/track, 7296 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hdc1   *           1         654     5253223+   7  HPFS/NTFS
/dev/hdc2             655        2478    14651280    7  HPFS/NTFS
/dev/hdc3            2479        7296    38700585    5  Extended
/dev/hdc5            2479        4303    14659281   83  Linux
/dev/hdc6            4304        4366      506016   82  Linux swap


We can redirect the output of this command to a file for later use by issuing the command as:

root@rock:~# fdisk -l /dev/hdc > ~/evid/fdisk.disk1

A couple of things to note here: The name of the output file (fdisk.disk1) is completely arbitrary. There are no rules for extensions. Name the file anything you want. I would suggest you stick to a convention and make it descriptive. Also note that since we identified an explicit path for the file name, fdisk.disk1 will be created in /root/evid. Had we not given the path, the file would be created in the current directory (/root).

Also note that you can expect to see strange output if you use fdisk on a floppy disk. The fdisk command works by examining the partition table in the first sector (0) of a device. If there is no partition table there, such as on devices that house a single volume, it will still attempt to interpret the data and output garbage. Be aware of that if you attempt fdisk on the practice floppy (and some USB thumb drives). Try it on your hard drive instead to see sample output. Don't use fdisk on the practice floppy. The output will just confuse you.

Creating a forensic image of the suspect disk

Make an image of the practice disk using basic dd. This is your standard forensic image of a suspect disk. Change to and execute the command from within the /root/evid/ directory:

root@rock:~# cd evid
root@rock:~/evid # dd if=/dev/fd0 of=image.disk1 bs=512

This takes your floppy device (/dev/fd0) as the input file (if) and writes the output file (of) called image.disk1 in the current directory (/root/evid/). The bs option specifies the block size, that is, how much data dd reads and writes at a time. It is really not needed for most block devices (hard drives, etc.), as the Linux kernel handles the actual device block size and the default of 512 bytes works. It is added here for illustration, as it can be a useful option in many situations (discussed later). On large disks a bigger block size (several kilobytes or more) makes the copy considerably faster without changing the result.

For the sake of safety and practice, change the read-write permissions of your image to read-only (for what it's worth, I don't normally do this).


root@rock:~/evid # chmod 444 image.disk1


The 444 gives all users read-only access. If you are real picky, you could use 400. Note that the owner of the file is the user that created it. Keep in mind that file permissions do not stop root: since we are working as root, the chmod is a reminder to ourselves rather than a real safeguard, and the hash we take of the image later is what actually proves it has not changed.

Now that you have created an image file, you can restore the image to another disk if you are interested in a clone of the original disk. Put another (blank) floppy in and type:


root@rock:~/evid # dd if=image.disk1 of=/dev/fd0 bs=512

This is the same as the first dd command, only in reverse. Now you are taking your image (the input file, if) and writing it to another disk (the output file, of) to be used as a backup or as a working copy for the actual analysis.

Note that using dd creates an exact duplicate of the physical device file. This includes all the file slack and unallocated space. We are not simply copying the logical file structure. Unlike many forensic imaging tools, dd does not fill the image with any proprietary data or information. It is a simple bit stream copy from start to end. This (in my ever so humble opinion) has a number of advantages, as we will see later.
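The imaging, permission and hash steps above, gathered into one shell function. This is an added example written for this edition, not a script from the original guide or from any distribution. It assumes GNU dd and sha1sum (coreutils), and takes the source device as an argument so that it can be tried on an ordinary file first (the sample source built here is constructed random data, not the practice floppy) before being pointed at /dev/fd0 or /dev/hdc.

```sh
#!/bin/sh
# image_device SOURCE IMAGE [BLOCKSIZE]
#   1. copies SOURCE to IMAGE with dd (no conv=noerror,sync: a read error must
#      be noticed, not silently padded over; see the caveat on large disks)
#   2. makes the image read-only as a reminder (root is not bound by it)
#   3. hashes the source and the image with SHA-1, records both hashes beside
#      the image, and returns 0 only if they match
# Hashes are taken straight from the device node and the image file; neither
# has to be mounted, because we are hashing bytes, not a file system.
image_device() {
    src="$1"
    out="$2"
    bs="${3:-512}"

    if [ -e "$out" ]; then
        echo "refusing to overwrite existing image: $out" >&2
        return 2
    fi

    # dd reports records in/out on stderr; keep that as part of the case notes
    dd if="$src" of="$out" bs="$bs" 2>"$out.dd.log" || return 1
    chmod 444 "$out"

    sha1sum "$src" | cut -d' ' -f1 >"$out.source.sha1"
    sha1sum "$out" | cut -d' ' -f1 >"$out.sha1"

    if [ "$(cat "$out.source.sha1")" = "$(cat "$out.sha1")" ]; then
        echo "image verified: $(cat "$out.sha1")  $out"
        return 0
    fi
    echo "HASH MISMATCH between $src and $out" >&2
    return 1
}

# image_size IMAGE : size in bytes, to compare against the size of the device
image_size() {
    wc -c <"$1" | tr -d ' '
}

# make_sample_source PATH SECTORS : a constructed stand-in for a small device,
# filled from /dev/urandom, so the function can be exercised without a floppy
# drive (assumption: invented data, not the practice floppy image)
make_sample_source() {
    dd if=/dev/urandom of="$1" bs=512 count="$2" 2>/dev/null
}
```

Usage as root: image_device /dev/fd0 /root/evid/image.disk1. The .dd.log, .source.sha1 and .sha1 files land next to the image; keeping the hash of the source separate from the hash of the image is what lets you show later that the image is what came off the disk.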

Mounting a restored image

Mount the restored (cloned) working copy and view the contents. Remember, we are assuming this is a DOS formatted disk from a Win98/95 machine.

root@rock:~/evid # mount -t vfat -o ro,noexec /dev/fd0 /mnt/analysis

This will mount your working copy (the new floppy you created from the forensic image) on /mnt/analysis. The -o ro,noexec specifies the options ro (read-only) and noexec (prevents the execution of binaries from the mount point) in order to protect the disk from you, and your system (and mount point) from the contents of the disk. There are other useful mount options as well, such as noatime, and nosuid and nodev, which keep any set-uid programs and device nodes on the subject file system from being honored by your system. See man mount for more details.

Now cd to the mount point (/mnt/analysis) and browse the contents. Having mounted the physical clone of our original, we are simply looking at the logical file system.

Be sure to unmount the disk when you finish.
root@rock:~/evid # umount /mnt/analysis


Mounting the image using the loopback device

Another way to view the contents of the image without having to restore it to another disk is to mount using the loop interface. Basically, this allows you to mount a file system within an image file (instead of a disk) to a mount point and browse the contents. Your Linux kernel must have loop either compiled as a module or compiled into the kernel for this to work. By default, Slackware 12 has the loop driver compiled into the kernel.

We use the same mount command and the same options, but this time we include the option loop to indicate that we want to use the loop device to mount the file system within the image file, and we specify a disk (partition) image rather than a disk device. Change to the directory where you created the image and type:

root@rock:~/evid # mount -t vfat -o ro,noexec,loop image.disk1 /mnt/analysis

Now you can change to /mnt/analysis and browse the image as if it were a mounted disk! Use the mount command by itself to double check the mount options (the image will show up attached to a /dev/loop device). When you are finished browsing, unmount the image file.


root@rock:~/evid # umount /mnt/analysis

File Hash

One important step in any analysis is verifying the integrity of your data, both before and after the analysis is complete. You can get a hash (CRC, MD5, or SHA) of each file in a number of different ways. In this example, we will use the SHA-1 hash, as produced by sha1sum. SHA-1 supplies a 160-bit fingerprint of a file or disk. It is not feasible for someone to recreate a file from its hash, nor, in practice, to produce a second file with the same hash, so matching hashes mean identical data. (Collision attacks have since been published for both MD5 and SHA-1; where your tools and policy allow it, prefer sha256sum, which is used exactly like the commands below.)

We can get a SHA-1 sum of a disk by changing to our evidence directory (i.e. /root/evid) and running the following command (note that the following commands can be replaced with md5sum if you prefer to use the MD5 hash algorithm):

root@rock:~/evid # sha1sum /dev/fd0


or

root@rock:~/evid # sha1sum /dev/fd0 > sha.disk1

The redirection in the second command allows us to store the signature in a file and use it for verification later on. To get a hash of a raw disk (/dev/hda, /dev/fd0, etc.) the disk does NOT have to be mounted. We are hashing the device (the disk), not the file system. As we discussed earlier, Linux treats all objects, including physical disks, as files. So whether you are hashing a file or a hard drive, the command is the same.

We can get a hash of each file on the disk using the find command and an option that allows us to execute a command on each file found. We can get a very useful list of SHA-1 hashes for every file on a disk by loop mounting the image again, and then changing to the /mnt/analysis directory:

root@rock:~/evid # mount -t vfat -o ro,noexec,loop image.disk1 /mnt/analysis
root@rock:~/evid # cd /mnt/analysis
root@rock:/mnt/analysis #

Once we are in the /mnt/analysis directory (as reflected by our prompt), we can now run a command that will find all the regular files on the file system at that mount point and run a hash on all those files:


root@rock:/mnt/analysis # find . -type f -exec sha1sum {} \; > ~/evid/sha.filelist

This command says find, starting in the current directory (signified by the .), any regular file (-type f) and execute (-exec) the command sha1sum on all files found ({}). Redirect the output to sha.filelist in the ~/evid directory (where we are storing all of our evidence files). Remember, the tilde (~) in front of the directory name is shorthand for home, so ~/evid is equivalent to /root/evid. The \; is an escaped semicolon that ends the -exec command (the backslash keeps the shell from treating it as a command separator). The result is a list of files from our analysis mount point and their SHA-1 hashes. Again, you can substitute the md5sum command if you prefer.

Have a look at the hashes by using the cat command to stream the file to standard output (in this case, our terminal screen):

root@rock:/mnt/analysis # cat /root/evid/sha.filelist
86082e288fea4a0f5c5ed3c7c40b3e7947afec11  ./Docs/Benchmarks.xls
81e62f9f73633e85b91e7064655b0ed190228108  ./Docs/Computer_Build.xml
0950fb83dd03714d0c15622fa4c5efe719869e48  ./Docs/Law.doc
7a1d5170911a87a74ffff8569f85861bc2d2462d  ./Docs/whyhack
63ddc7bca46f08caa51e1d64a12885e1b4c33cc9  ./Pics/C800x600.jpg
8844614b5c2f90fd9df6f8c8766109573ae1b923  ./Pics/bike2.jpg
4cf18c44023c05fad0de98ed6b669dc4645f130b  ./Pics/bike3.jpg
<continues>

You can also use Linux to do your verification for you. To verify that nothing has been changed on the original floppy, you can use the -c option with sha1sum. If the disk was not altered, the command will report OK. Make sure the floppy is in the drive and type:


root@rock:/mnt/analysis # sha1sum -c /root/evid/sha.disk1

If the SHA-1 hashes match from the floppy and the original SHA-1 output file, then the command will return OK for /dev/fd0. Remember that sha.disk1 contains the hash for the physical disk. The same can be done with the list of file SHA-1s. Make sure the floppy file system is still mounted on /mnt/analysis, change to that directory and issue the command:


root@rock:/mnt/analysis # sha1sum -c /root/evid/sha.filelist
./Docs/Benchmarks.xls: OK
./Docs/Computer_Build.xml: OK
./Docs/Law.doc: OK
./Docs/whyhack: OK
./Pics/C800x600.jpg: OK
./Pics/bike2.jpg: OK
./Pics/bike3.jpg: OK
./Pics/matrixs3.jpg: OK
./Pics/mulewheelie.gif: OK
./Pics/Stoppie.gif: OK
./arp.exe: OK
./ftp.exe: OK
./loveletter.virus: OK
./ouchy.dat: OK
./snoof.gz: OK

Again, the SHA-1 hashes in the file will be compared with SHA-1 sums taken from the floppy (at the mount point). If anything has changed, the program will give a FAILED message for that file and exit with a non-zero status. Unchanged files will be marked OK. This is the fastest way to verify the hashes. Note that the file names start with ./. This indicates a relative path, meaning that we must be in the same relative directory when we check the hashes, since that's where the command will look for the files.
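The per-file hash list and its later verification, as two shell functions. This is an added example for this edition, not code from the original guide; it assumes GNU find, sort and sha1sum, and the sample directory tree it builds is constructed for the test rather than taken from the practice floppy. Unlike the one-liner in the text it uses the -exec ... {} + form of find, which hands many files to a single sha1sum instead of starting one process per file, and sorts the result so that two manifests can be compared with diff.

```sh
#!/bin/sh
# make_manifest MOUNTPOINT MANIFEST
#   Hashes every regular file below MOUNTPOINT with sha1sum and writes
#   "hash  ./relative/path" lines to MANIFEST (give an absolute path, since
#   the function changes directory). Paths are relative to the mount point on
#   purpose: the manifest stays valid wherever the evidence is mounted later,
#   as long as you verify from that directory.
make_manifest() {
    mnt="$1"
    manifest="$2"
    # -exec ... {} + batches many files into one sha1sum call; same output
    # format as the \; form in the text, far fewer processes
    (cd "$mnt" && find . -type f -exec sha1sum {} + | LC_ALL=C sort -k2) >"$manifest"
}

# verify_manifest MOUNTPOINT MANIFEST
#   Re-hashes from MOUNTPOINT and checks against MANIFEST. Returns 0 only if
#   every file is present and unchanged; sha1sum prints a FAILED line for each
#   file that differs (--quiet suppresses the OK lines).
verify_manifest() {
    mnt="$1"
    manifest="$2"
    (cd "$mnt" && sha1sum -c --quiet "$manifest")
}

# manifest_count MANIFEST : number of files covered, for the case notes
manifest_count() {
    wc -l <"$1" | tr -d ' '
}

# make_sample_tree DIR : a constructed stand-in for the mounted practice floppy
# (assumption: file names and contents are invented for this example)
make_sample_tree() {
    mkdir -p "$1/Docs" "$1/Pics"
    printf 'you and your entire business ransom\n' >"$1/Docs/whyhack"
    printf 'GIF87a' >"$1/Pics/Stoppie.gif"
    printf 'not really a jpeg\n' >"$1/ouchy.dat"
}
```

Usage: make_manifest /mnt/analysis /root/evid/sha.filelist right after the first mount, and verify_manifest /mnt/analysis /root/evid/sha.filelist when the analysis is over. Keep the manifest outside the mount point, or it would be hashed as one of the files it describes.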



The Analysis

You can now view the contents of the read-only mounted or restored disk or loop mounted image. If you are running the X window system, then you can use your favorite file browser to look through the disk. In most (if not all) cases, you will find the command line more useful and powerful in order to allow file redirection and a permanent record of your analysis. We will use the command line here.

We are also assuming that you are issuing the following commands from the proper mount point (/mnt/analysis/). If you want to save a copy of each command's output, be sure to direct the output file to your evidence directory (/root/evid/) using an explicit path.

Navigate through the directories and see what you can find. Use the ls command to view the contents of the disk. Again, you should be in the directory /mnt/analysis, our working directory. The command in the following form might be useful:

root@rock:/mnt/analysis # ls -al
total 118
drwxr--r--   4 root root  7168 Dec 31  1969 .
drwxr-xr-x  13 root root  4096 Dec 21 14:20 ..
drwxr--r--   3 root root   512 Sep 23  2000 Docs
drwxr--r--   2 root root   512 Sep 23  2000 Pics
-rwxr--r--   1 root root 19536 Aug 24  1996 arp.exe
-rwxr--r--   1 root root 37520 Aug 24  1996 ftp.exe
-r-xr--r--   1 root root 16161 Sep 21  2000 loveletter.virus
-rwxr--r--   1 root root 21271 Mar 19  2000 ouchy.dat
-rwxr--r--   1 root root 12384 Aug  2  2000 snoof.gz

This will show all the hidden files (-a), and give the list in long format to identify permissions, date, etc. (-l). You can also use the -R option to list recursively through directories. You might want to pipe that through less.


root@rock:/mnt/analysis # ls -alR | less
.:
total 118
drwxr--r--   4 root root 7168 Dec 31  1969 .
drwxr-xr-x  13 root root 4096 Dec 21 14:20 ..
drwxr--r--   3 root root  512 Sep 23  2000 Docs
drwxr--r--   2 root root  512 Sep 23  2000 Pics
...

./Docs:
total 64
drwxr--r--   3 root root   512 Sep 23  2000 .
drwxr--r--   4 root root  7168 Dec 31  1969 ..
-rwxr--r--   1 root root 17920 Sep 21  2000 Benchmarks.xls
<continues>


Note that we are looking at files on a FAT file system using Linux tools. Things like permissions and ownership can be a little misleading: FAT has no notion of owners or Unix permission bits, so what you see are values the vfat driver synthesizes at mount time, and information the driver has to omit. This is where some of our more advanced forensic tools come in later.

Use the space bar to scroll through the recursive list of files. Remember that the letter q will quit a paging session.

Making a List of All Files

Get creative. Take the above command and redirect the output to your evidence directory. With that you will have a list of all the files and their owners and permissions on the subject file system. This is a very important command. Check the man page for various uses and options. For example, you could use the -i option to include the inode (file serial number) in the list, and the -u option can be used so that the output will include and sort by access time (when used with the -t option). Because the file system is mounted read-only, your own browsing does not update those access times.

root@rock:/mnt/analysis # ls -laiRtu > ~/evid/access_file.list

You could also get a list of the files, one per line, using the find command and redirecting the output to another list file:
root@rock:/mnt/analysis # find . -type f > ~/evid/file.list.2

There is also the tree command, which prints a recursive listing that is more visual. It indents the entries by directory depth and colorizes the file names (if the terminal is correctly set).

root@rock:/mnt/analysis # tree
|-- Docs
|   |-- Benchmarks.xls
|   |-- Computer_Build.xml
|   |-- Law.doc
|   |-- Private
|   `-- whyhack
|-- Pics
|   |-- C800x600.jpg
|   |-- Stoppie.gif
|   |-- bike2.jpg
|   |-- bike3.jpg
|   |-- matrixs3.jpg
|   `-- mulewheelie.gif
|-- arp.exe
|-- ftp.exe
|-- loveletter.virus
|-- ouchy.dat
`-- snoof.gz

3 directories, 15 files

Have a look at the above commands, and compare their output. Which do you like better? Remember the syntax assumes you are issuing the command from the /mnt/analysis directory (use pwd if you don't know where you are).

Now use the grep command on either of the lists created by the first two commands above for whatever strings or extensions you want to look for.


root@rock:/mnt/analysis # grep -i jpg ~/evid/file.list.2

This command looks for the pattern jpg in the list of files, using the file name extension to alert us to a JPEG file. The -i makes the grep command case insensitive. Once you get a better handle on grep, you can make your searches far more targeted. For example, specifying strings at the beginning or end of a line (like file extensions) using ^ or $. The grep man page has a whole section on these regular expression terms.

Making a List of File Types

What if you are looking for JPEGs but the name of the file has been changed, or the extension is wrong? You can also run the command file on each file and see what it might contain.

file filename


The file command compares each file's header (the first few bytes of a raw file) with the contents of the magic file (can be found in /usr/share/magic, or /etc/file/magic, depending on the distribution). It then outputs a description of the file.

If there are a large number of files without extensions, or where the extensions have changed, you might want to run the file command on all the files on a disk (or in a directory, etc.). Remember our use of the find command's -exec option with sha1sum? Let's do the same thing with file:


root@rock:/mnt/analysis # find . -type f -exec file {} \; > ~/evid/filetype.list

View the resulting list with the cat command (or less), and if you are looking for images in particular, then use grep to specify that:

root@rock:/mnt/analysis # cat ~/evid/filetype.list
./Docs/Benchmarks.xls: Microsoft Installer
./Docs/Computer_Build.xml: gzip compressed data, from Unix
./Docs/Law.doc: Microsoft Installer
./Docs/whyhack: ASCII English text, with very long lines
./Pics/C800x600.jpg: JPEG image data, JFIF standard 1.02
./Pics/bike2.jpg: PC bitmap data, Windows 3.x format, 300 x 204 x 24
./Pics/bike3.jpg: PC bitmap data, Windows 3.x format, 317 x 197 x 24
./Pics/matrixs3.jpg: JPEG image data, JFIF standard 1.01
./Pics/mulewheelie.gif: PC bitmap data, Windows 3.x format, 425 x 328 x 24
./Pics/Stoppie.gif: GIF image data, version 87a, 1024 x 693
./arp.exe: MS-DOS exe PE for MS Windows (console) Intel 80386 32-bit
./ftp.exe: MS-DOS exe PE for MS Windows (console) Intel 80386 32-bit
./loveletter.virus: ASCII English text
./ouchy.dat: JPEG image data, JFIF standard 1.02
./snoof.gz: gzip compressed data, from Unix

The following command would look for the string image using the grep command on the file /root/evid/filetype.list:

root@rock:/mnt/analysis # grep image ~/evid/filetype.list
./Pics/C800x600.jpg: JPEG image data, JFIF standard 1.02
./Pics/matrixs3.jpg: JPEG image data, JFIF standard 1.01
./Pics/Stoppie.gif: GIF image data, version 87a, 1024 x 693
./ouchy.dat: JPEG image data, JFIF standard 1.02

Note that the file ouchy.dat does not have the proper extension, but it is still identified as a JPEG image. Also note that some of the images above do not show up in our grep list because their descriptions do not contain the word image. There are two Windows bitmap images with .jpg extensions (and a third with a .gif extension) that do not end up in the grep list. We can fix this by either creating our own images magic file or by tagging the original file. We tag the original magic file by editing it to contain our own identifiers that we can then use grep to locate. A simpler alternative on current versions of file is its --mime-type option, which reports a media type such as image/jpeg or image/bmp for every picture regardless of the wording of the description, so a grep for ": image/" catches all of them.
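What the file command does with its magic database, reduced to a few signatures in plain shell. This is an added example for this edition, not code from the original guide or from the file utility itself; it reads the first bytes with od (POSIX, so no xxd is required) and classifies by content only, which is exactly why ouchy.dat comes out as a JPEG and a bitmap named bike2.jpg does not. The directory it builds is constructed for the test, not the practice floppy, and the signature table and descriptions are this example's own, not file's output strings.

```sh
#!/bin/sh
# identify_file PATH
#   Types PATH from its leading bytes, ignoring name and extension. Only a
#   handful of signatures are known (enough for the practice disk):
#     ff d8 ff               JPEG
#     "GIF87a" / "GIF89a"    GIF
#     "BM"                   Windows bitmap
#     89 "PNG" 0d 0a 1a 0a   PNG
#     "MZ"                   DOS/Windows executable
#     1f 8b                  gzip
#     d0 cf 11 e0            OLE2 compound document (old Office files)
#   Anything else is reported as "unknown" rather than guessed.
identify_file() {
    # first 8 bytes as lowercase two-digit hex, single space separated
    hdr=$(od -A n -t x1 -N 8 "$1" | tr -s ' \n' '  ')
    hdr=${hdr# }     # drop the leading space od prints
    case "$hdr" in
        "ff d8 ff"*)                 echo "JPEG image data" ;;
        "47 49 46 38 37 61"*)        echo "GIF image data, version 87a" ;;
        "47 49 46 38 39 61"*)        echo "GIF image data, version 89a" ;;
        "42 4d"*)                    echo "PC bitmap data, Windows format" ;;
        "89 50 4e 47 0d 0a 1a 0a"*)  echo "PNG image data" ;;
        "4d 5a"*)                    echo "MS-DOS executable" ;;
        "1f 8b"*)                    echo "gzip compressed data" ;;
        "d0 cf 11 e0"*)              echo "Microsoft OLE2 compound document" ;;
        *)                           echo "unknown" ;;
    esac
}

# type_list DIR : "path: type" for every regular file below DIR, the same
# shape as the output of  find . -type f -exec file {} \;
type_list() {
    (cd "$1" && find . -type f | LC_ALL=C sort) | while IFS= read -r f; do
        printf '%s: %s\n' "$f" "$(identify_file "$1/$f")"
    done
}

# find_images DIR : paths whose content is a picture, whatever they are named
find_images() {
    type_list "$1" | grep -E ': (JPEG|GIF|PC bitmap|PNG) ' | cut -d: -f1
}

# make_sample_dir DIR : constructed files with misleading names
# (assumption: invented for this example, not the practice floppy contents)
make_sample_dir() {
    mkdir -p "$1/Pics"
    printf '\377\330\377\340JFIF' >"$1/ouchy.dat"       # JPEG header, wrong extension
    printf 'BM\000\000\000\000' >"$1/Pics/bike2.jpg"     # a bitmap calling itself .jpg
    printf 'GIF87a' >"$1/Pics/Stoppie.gif"
    printf 'MZ\220\000' >"$1/arp.exe"
    printf 'plain text\n' >"$1/notes.txt"
}
```

Usage: find_images /mnt/analysis gives the list that the grep for "image" in the text missed the bitmaps from. The point is the method, not the table: the real file command works the same way with a few thousand entries, which is why renaming a file never hides its type from it.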

Viewing Files

For text files and data files, you might want to use cat, more or less to view the contents.

cat filename
more filename
less filename

Be aware that if the output is not standard text, then you might corrupt the terminal output (type reset or stty sane at the prompt and it should clear up). It is best to run these commands in a terminal window in X so that you can simply close out a corrupted terminal and start another. Using the file command will give you a good idea of which files will be viewable and what program might best be used to view the contents of a file. For example, Microsoft Office documents can be opened under Linux using programs like OpenOffice.

Perhaps a better alternative for viewing unknown files would be to use the strings command. This command can be used to parse regular ASCII text out of any file. It's good for formatted documents, data files (Excel, etc.) and even binaries (e.g. unidentified executables), which might have interesting text strings hidden in them. It might be best to pipe the output through less.

strings filename | less

Have a look at the contents of the practice disk on /mnt/analysis. There is a file called arp.exe. What does this file do? We can't execute it (and would not want to, on an evidence file system that we deliberately mounted noexec), and from using the file command we know that it's a DOS/Windows executable. Run the following command (again, assuming you are in the /mnt/analysis directory) and scroll through the output. Do you find anything of interest (hint: like a usage message)?

root@rock:/mnt/analysis # strings arp.exe | less
l|}
<-t8</t4
t]Ph
t2Ph
' Ph!'
@SVW
wR9U
wM9U
wH9U
SVWj
...<continues>
inetmib1.dll
Displays and modifies the IP-to-Physical address translation tables used by
address resolution protocol (ARP).

ARP -s inet_addr eth_addr [if_addr]
ARP -d inet_addr [if_addr]
ARP -a [inet_addr] [-N if_addr]

  -a            Displays current ARP entries by interrogating the current
                protocol data.  If inet_addr is specified, the IP and Physical
                addresses for only the specified computer are displayed.  If
                more than one network interface uses ARP, entries for each ARP
                table are displayed.
  -g            Same as -a.
<continues>

If you are currently running the X window system, you can use any of the graphics tools that come standard with whichever Linux distribution you are using. gqview is one graphics tool for the GNOME desktop that will display graphic files in a directory. Experiment a little. Other tools, such as gthumb for GNOME and Konqueror from the KDE desktop, have a feature that will create a very nice html image gallery for you from all images in a directory.

Once you are finished exploring, be sure to unmount the floppy (or loop mounted disk image). Again, make sure you are not anywhere in the mount point when you try to unmount, or you will get the busy error. The commands will take you back to your home directory (using the tilde ~) and then unmount the loop mounted file system.

root@rock:/mnt/analysis # cd ~
root@rock:~# umount /mnt/analysis

Searching Unallocated and Slack Space for Text

Now let's go back to the original image. The restored disk (or loop mounted disk image) allowed you to check all the files and directories (logical view). What about unallocated and slack space (physical view)? We will now analyze the image itself, since it was a bit for bit copy and includes data in the unallocated areas of the disk.

Let's assume that we have seized this disk from a former employee of a large corporation. The would-be cracker sent a letter to the corporation threatening to unleash a virus in their network. The suspect denies sending the letter. This is a simple matter of finding the text from a deleted file (unallocated space).

First, change back to the directory in which you created the image, whether it was root's home directory, or a special one you created.


root@rock:~# cd /root/evid root@rock:~/evid #

Now we will use the grep command to search the image for any instance of an expression or pattern. We will use a number of options to make the output of grep more useful. The syntax of grep is normally:

grep -options <pattern> <file to search>

The first thing we will do is create a list of keywords to search for. It's rare we ever want to search evidence for a single keyword, after all. For our example, let's use ransom, $50,000 (the ransom amount), and unleash a virus. These are some keywords and a phrase that we have decided to use from the original letter received by the corporation. Make the list of keywords (using vi) and save it as /root/evid/searchlist.txt. Ensure that each string you want to search for is on a different line.

$50,000
ransom
unleash a virus

Make sure there are NO BLANK LINES IN THE LIST OR AT THE END OF THE LIST!! An empty line is an empty pattern, and an empty pattern matches every line, so a single stray blank line turns your hit list into a dump of the whole image. Now we run the grep command on our image:

root@rock:~/evid # grep -abif searchlist.txt image.disk1 > hits.txt

We are asking grep to use the list we created in searchlist.txt for the patterns we are looking for. This is specified with the -f <file> option. We are telling grep to search image.disk1 for these patterns, and redirect the output to a file called hits.txt, so we can record the output. The -a option tells grep to process the file as if it were text, even if it's binary. The option -i tells grep to ignore upper and lower case. And the -b option tells grep to give us the byte offset of each hit so we can find the line in xxd. Note that with -b alone the offset reported is that of the beginning of the line containing the hit, not of the keyword itself; that is why the first hit below is reported at 75441 even though "ransom" is the last word on that line. Adding -o makes grep print only the matching text, and then the offset is that of the match itself. Earlier we mentioned the grep man page and the section it has on regular expressions. Please take the time to read through it and experiment.

Once you run the command above, you should have a new file in your current directory called hits.txt. View this file with less or more or any text viewer. Keep in mind that strings might be best for the job. Again, if you use more or less, you run the risk of corrupting your terminal if there are non-ASCII characters. We will simply use cat to stream the entire contents of the file to the standard output. The file hits.txt should give you a list of lines that contain the words in your searchlist.txt file. In front of each line is a number that represents the byte offset for that hit in the image file. In the output below, the byte offset begins each line and the search term appears somewhere in the text that follows it:

root@rock:~/evid # cat hits.txt
75441:you and your entire business ransom.
75500:I have had enough of your mindless corporate piracy and will no longer stand for it. You will receive another letter next week. It will have a single bank account number and bank name. I want you to deposit $50,000 in the account the day you receive the letter.
75767:Don't try anything, and don't contact the cops. If you do, I will unleash a virus that will bring down your whole network and destroy your consumer's confidence.

In keeping with our command line philosophy, we will use xxd to display the data found at each byte offset. xxd is a command line hex dump tool, useful for examining files. The -s option seeks to the given (decimal) offset before dumping; note that the addresses in xxd's left-hand column are printed in hexadecimal, so 75441 shows up there as 126b1. Do this for each offset in the list of hits. This should yield some interesting results if you scroll above and below the offsets.

root@rock:~/evid # xxd -s 75441 image.disk1 | less
00126b1: 796f 7520 616e 6420 796f 7572 2065 6e74  you and your ent
00126c1: 6972 6520 6275 7369 6e65 7373 2072 616e  ire business ran
00126d1: 736f 6d2e 0a0a 5468 6973 2069 7320 6e6f  som...This is no
00126e1: 7420 6120 6a6f 6b65 2e0a 0a49 2068 6176  t a joke...I hav
00126f1: 6520 6861 6420 656e 6f75 6768 206f 6620  e had enough of
0012701: 796f 7572 206d 696e 646c 6573 7320 636f  your mindless co
0012711: 7270 6f72 6174 6520 7069 7261 6379 2061  rporate piracy a
0012721: 6e64 2077 696c 6c20 6e6f 206c 6f6e 6765  nd will no longe
0012731: 7220 7374 616e 6420 666f 7220 6974 2e20  r stand for it.
<continues>

Please note that the use of grep in this manner is fairly limited. There are character sets that the common versions of grep do not support. Text stored as UTF-16 (the form many Windows applications use), with a zero byte between characters, is the usual example: the word is in the image, but not as the byte sequence grep is looking for. So doing a physical search for a string on an image file is really only useful for what it does show you. In other words, negative results for a grep search of an image can be misleading. The strings or keywords may exist in the image in a form not recognizable to grep or strings. There are tools that address this, and we will discuss some of them later.


VIII. Common Forensic Issues

Handling Large Disks

The example used in this text utilizes a file system on a floppy disk. What happens when you are dealing with larger hard disks? When you create an image of a disk drive with the dd command there are a number of components to the image. These components can include a boot sector, partition table, and the various partitions (if defined).

When you attempt to mount a larger image with the loop device, you find that the mount command is unable to find the file system on the disk. This is because mount does not know how to recognize the partition table. Remember, the mount command handles file systems, not disks (or disk images). The easy way around this (although it is not very efficient for large disks) would be to create separate images for each disk partition that you want to analyze. For a simple hard drive with a single large partition, you could create two images.

Assuming your suspect disk is attached as the master device on the secondary IDE channel:
root@rock:~# dd if=/dev/hdc of=image.disk.dd

...getstheentiredisk.
root@rock:~# dd if=/dev/hdc1 of=image.part1.dd

...gets the first partition.

The first command gets you a full image of the entire disk (hdc) for backup purposes, including the boot record and partition table. The second command gets you the partition (hdc1). The resulting image from the second command can be mounted via the loop device.

Note that although both of the above images will contain the same file system with the same data, the hashes will obviously not match. Making separate images for each partition, however, is very inefficient.

One method for handling larger disks when using the loop device is to send the mount command a message to skip trying to mount the first 63 sectors of the image. These sectors are used to contain information (like the MBR) that is not part of a normal data partition. We know that each sector is 512 bytes, and that there are 63 of them. This gives us an offset of 32256 bytes from the start of our image to the first partition we want to mount. This is then passed to the mount command as an option, which essentially triggers the use of an available loop device to mount the specified file system:


root@rock:~# mount -t fstype -o loop,offset=32256 image.disk.dd /mnt/analysis

This effectively jumps over the first 63 sectors of the image and goes straight to the boot sector of the first partition, allowing the mount command to work properly. We will see other examples of this, and how to find the actual offset later in this document. It may not always be 63 sectors: 63 is the old DOS convention, disks partitioned by current tools usually start the first partition at sector 2048 (an offset of 1048576 bytes), and the only reliable source is the partition table itself (the Start column of fdisk -lu, which lists sectors rather than cylinders, multiplied by the sector size).

Now that we know about the issues surrounding the creation of large images from whole disks, what do we do if we run into an error? Suppose you are creating a disk image with dd and the command exits halfway through the process with a read error? We can instruct dd to attempt to read past the errors using the conv=noerror option. In basic terms, this is telling the dd command to ignore the errors that it finds, and attempt to read past them. When we specify the noerror option it is a good idea to include the sync option along with it. This will pad the dd output with zeros wherever errors are found and ensure that the output will stay synchronized with the original disk; with noerror alone, every unreadable block is simply dropped and everything after it shifts toward the front of the image. This may allow file system access and file recovery where errors are not fatal. Assuming that our subject drive is /dev/hdc, the command will look something like:
root@rock:~# dd if=/dev/hdc of=image.disk.dd conv=noerror,sync

I would like to caution forensic examiners against using the conv=noerror,sync option, however. While dd is capable of reading past errors in many cases, it is not designed to actually recover any data from those areas. There are a number of tools out there that are designed specifically for this purpose. My current philosophy is that if you need to use conv=noerror,sync, then you are using the wrong tool. That is not to say it will not work as advertised (with some caveats), only that there are better options, or at least important considerations. We will discuss better options for error prone disks later in this document.

In addition to the structure of the images and the issues of image sizes, we also have to be concerned with memory usage and our tools. You might find that grep, when used as illustrated in our floppy analysis example, might not work as expected with larger images and could exit with an error similar to:

grep: memory exhausted

The most apparent cause for this is that grep does its searches line by line. When you are grepping a large disk image, you might find that you have a huge number of bytes to read through before grep comes across a newline character. What if grep had to read 200MB of data before coming across a newline? It would exhaust itself (the input buffer fills up).

What if we could force feed grep some newlines? In our example analysis we are grepping for text. We are not concerned with non-text characters at all. If we could take the input stream to grep and change the non-text characters to newlines, grep would have no problem. Note that changing the input stream to grep does not change the image itself. Also, remember that we are still looking for a byte offset. Luckily, the character sizes remain the same, and so the offset does not change as we feed newlines into the stream (simply replacing one character with another).

Let's say we want to take all of the control characters streaming into grep from the disk image and change them to newlines. We can use the translate command, tr, to accomplish this. Check out man tr for more information about this powerful command:
root@rock:~/evid # tr '[:cntrl:]' '\n' < image.disk | grep -abif list.txt > hits.txt

This command would read: Translate all the characters contained in the set of control characters ([:cntrl:]) to newlines (\n). Take the input to tr from image.disk and pipe the output to grep, sending the results to hits.txt. This effectively changes the stream before it gets to grep.

This is only one of many possible problems you could come across. My point here is that when issues such as these arise, you need to be familiar enough with the tools Linux provides to be able to understand why such errors might have been produced, and how you can get around them. Remember, the shell tools and the GNU software that accompany a Linux distribution are extremely powerful, and are capable of tackling nearly any task. Where the standard shell fails, you might look at perl or python as options. These subjects are outside of the scope of the current presentation, but are introduced as fodder for further experimentation.
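As an added example (not from the original guide), the shell functions below build a small constructed "image" that contains no newlines at all, run the tr/grep pipeline just described over it, and then read the original bytes back with dd to show that the offsets grep -b reports still point into the untouched image. The file names, the keyword and the byte layout are all made up for the demo.

```shell
#!/bin/sh
# Added example: feeding newlines into the grep stream with tr leaves the byte
# offsets intact. All sample data below is constructed for the demonstration.

# Build a newline-free sample "image": 1000 NUL bytes, the word "secret",
# 500 bytes of 0x01, the word "SECRET", then 200 more NUL bytes (1712 in all).
make_sample() {
  {
    head -c 1000 /dev/zero
    printf 'secret'
    head -c 500 /dev/zero | LC_ALL=C tr '\000' '\001'
    printf 'SECRET'
    head -c 200 /dev/zero
  } > "$1"
}

# The technique from the text: turn every control character into a newline
# before grep sees the stream, then search case-insensitively for the keywords
# listed in file $2 and print "offset:hit" lines. tr swaps one byte for one
# byte, so the offsets grep -b reports are still valid for the original file.
search_offsets() {
  LC_ALL=C tr '[:cntrl:]' '\n' < "$1" | LC_ALL=C grep -abif "$2"
}

# Read $3 bytes at byte offset $2 straight from the original image with dd,
# the way an examiner would confirm a hit before putting it in a report.
read_at() {
  dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null
}

# Stand-alone demo; the functions above are what matters.
demo() {
  d=$(mktemp -d)
  make_sample "$d/image.disk"
  printf 'secret\n' > "$d/list.txt"
  search_offsets "$d/image.disk" "$d/list.txt" | while IFS=: read -r off hit; do
    echo "hit '$hit' at offset $off -> bytes in image: $(read_at "$d/image.disk" "$off" "${#hit}")"
  done
  rm -rf "$d"
}
demo
```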

Preparing a Disk for the Suspect Image

One common practice in forensic disk analysis is to wipe a disk prior to restoring a forensic image to it. This ensures that any data found on the restored disk is from the image and not from residual data. That is, data left behind from a previous case or image.

We can use a special device as a source of zeros. This can be used to create empty files and wipe portions of disks. You can write zeros to an entire disk (or at least to those areas accessible to the kernel and user space) using the following command (assuming /dev/hdc is the disk you want to wipe):


root@rock:~# dd if=/dev/zero of=/dev/hdc bs=4096

This starts at the beginning of the drive and writes zeros (the input file) to every sector on /dev/hdc (the output file) in 4096 byte chunks (bs=block size). Specifying larger block sizes can speed the writing process. Experiment with different block sizes and see what effect it has on the writing speed (i.e. 32k, 64k, etc.). I've wiped 60GB disks in under an hour on a fast IDE controller with the proper drive parameters (see the next section for more info).

So how do we verify that our command to write zeros to a whole disk was a success? You could check random sectors with a hex editor, but that's not realistic for a large drive. One of the best methods would be to use the xxd command (command line hexdump) with the autoskip option (works if a drive is wiped with 0x00). The output of this command on a zero'd drive would give just three lines. The first line, starting at offset zero with a row of zeros in the data area, followed by an asterisk (*) to indicate identical lines, and finally the last line, with the final offset followed by the remaining zeros in the data area. Here's an example of the command on a zero'd drive (floppy) and its output.

root@rock:~# xxd -a /dev/fd0
0000000: 0000 0000 0000 0000 0000 0000 0000 0000  ................
*
0167ff0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
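The following is an added example, not part of the original guide: it wipes a disk-sized file with the same dd command used above and then verifies the wipe without a hex editor, using tr, od and awk instead of xxd so it runs on a minimal install. The "disk" is a constructed file; on a real device you would pass the device node and leave out count=.

```shell
#!/bin/sh
# Added example: wipe a constructed "disk" file with dd if=/dev/zero, verify
# that every byte really is 0x00, then show how a single leftover byte is found.

# Fill $1 with $2 bytes of junk so the wipe has something to remove.
make_junk_disk() {
  head -c "$2" /dev/urandom > "$1"
}

# Zero $1 exactly as the text zeros /dev/hdc. A device ends on its own; a file
# read from /dev/zero never would, so count= is computed from the file size.
wipe_disk() {
  size=$(wc -c < "$1")
  dd if=/dev/zero of="$1" bs=4096 count=$(( size / 4096 )) 2>/dev/null
}

# Succeed only if every byte of $1 is 0x00: delete all NULs and check that
# nothing at all is left over. Works for any size and needs only tr.
is_zeroed() {
  [ "$(LC_ALL=C tr -d '\000' < "$1" | head -c 1 | wc -c)" -eq 0 ]
}

# Print the 0-based offset of the first non-zero byte of $1, or -1 if none.
# od -v prints every byte (no '*' autoskip); awk counts bytes until one is not 00.
first_nonzero() {
  od -An -v -tx1 "$1" | awk '
    { for (i = 1; i <= NF; i++) { if ($i != "00") { print off; found = 1; exit } off++ } }
    END { if (!found) print "-1" }'
}

# Simulate residual data: write one byte (0xAA) at offset $2 without truncating
# the file. seek= with conv=notrunc is the dd idiom for patching in place.
poke_byte() {
  printf '\252' | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# Stand-alone demo on a 256 KiB file (64 blocks of 4096 bytes).
demo() {
  d=$(mktemp -d)
  make_junk_disk "$d/disk.img" 262144
  is_zeroed "$d/disk.img" || echo "before wipe: first non-zero byte at $(first_nonzero "$d/disk.img")"
  wipe_disk "$d/disk.img"
  is_zeroed "$d/disk.img" && echo "wipe verified: $(wc -c < "$d/disk.img") bytes of 0x00"
  poke_byte "$d/disk.img" 100000
  echo "after poke: first non-zero byte at $(first_nonzero "$d/disk.img")"
  rm -rf "$d"
}
demo
```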


Obtaining Disk Information

Specific drive parameters can be displayed and set using the hdparm command (for IDE and SATA disks in recent versions). Check hdparm's man page for available options. For instance, setting DMA on a drive can dramatically speed things up. Note that while hdparm may be able to display settings on SATA disks, be aware that setting parameters is a different story. Drives must be capable of a given setting in order to work.

root@rock:~# hdparm /dev/hda

/dev/hda:
 multcount    = 16 (on)
 IO_support   =  1 (32-bit)
 unmaskirq    =  0 (off)
 using_dma    =  0 (off)        <-- DMA is turned off
 keepsettings =  0 (off)
 readonly     =  0 (off)
 readahead    = 256 (on)
 geometry     = 65535/16/63, sectors = 60011642880, start = 0

root@rock:~# hdparm -d1 /dev/hda

/dev/hda:
 setting using_dma to 1 (on)
 using_dma    =  1 (on)         <-- We have turned DMA on with the -d1 option

In the above session, the first command displays the current parameters of the drive /dev/hda and shows that DMA is off. The second command actually turns DMA on for that particular disk. Pay attention to the multcount and IO_support settings as well. Most modern distributions take care of this for you. Just be aware of the capability. Note that this is an IDE disk.

To obtain a more complete listing of a drive's information, you can use the -I switch with hdparm. Here is a sample of hdparm output on a SATA disk. Note that you are given the disk model, serial number and geometry information, to include user addressable sectors (output is edited for brevity):

root@rock:~# hdparm -I /dev/sda

/dev/sda:

ATA device, with non-removable media
        Model Number:       ST3250823AS
        Serial Number:      3ND1M14Q
        Firmware Revision:  3.03
Standards:
        Used: ATA/ATAPI-6 T13 1410D revision 2
        Supported: 7 6 5 4 & some of 7
Configuration:
        Logical         max     current
        cylinders       16383   16383
        heads           16      16
        sectors/track   63      63
        --
        CHS current addressable sectors:   16514064
        LBA    user addressable sectors:  268435455
        LBA48  user addressable sectors:  488397168
Capabilities:
        ...
Commands/features:
        Enabled Supported:
           *    SMART feature set
           *    Power Management feature set
           *    Write cache
        ...
           *    Host-initiated interface power management
           *    Phy event counters
           *    Software settings preservation
Checksum: correct


IX. Advanced (Beginner) Forensics

The following sections are more advanced and detailed. New tools are introduced to help round out some of your knowledge and provide a more solid footing on the capabilities of the Linux command line. The topics are still at the beginner level, but you should be at least somewhat comfortable with the command line before tackling the exercises. Although I've included the commands and much of the output for those who are reading this without the benefit of a Linux box nearby, it is important that you follow along on your own system as we go through the practical exercises. Typing at the keyboard and experimentation is the only way to learn.

The Command Line on Steroids

Let's dig a little deeper into the command line. Often there are arguments made about the usefulness of the command line interface (CLI) versus a GUI tool for analysis. I would argue that in the case of large sets of regimented data, the CLI can sometimes be faster and more flexible than many GUI tools available today.

As an example, we will look at a set of log files from a single Unix system. We are not going to analyze them for any sort of smoking gun. The point here is to illustrate the ability of commands through the CLI to organize and parse through data by using pipes to string a series of commands together, obtaining the desired output. Follow along with the example, and keep in mind that to get anywhere near proficient with this will require a great deal of reading and practice. The payoff is enormous.

Create a directory called logs and download the file logs.v3.tar.gz into that directory:

http://www.LinuxLEO.com/Files/logs.v3.tar.gz

A .tar.gz file is commonly referred to as a tar archive. Much like a zip file in the Windows world. The tar part of the extension indicates that the file was created using the tar command (see man tar for more info). The gz extension indicates that the file was compressed (commonly with gzip). When you first download a tar archive, you should always have a look at the contents of the archive before decompressing, extracting and haphazardly writing the contents to your drive. View the contents of the archive with the following command:

root@rock:~/logs # tar tzvf logs.v3.tar.gz
-rw-r--r-- root/root      8282 2003-10-29 12:45 messages
-rw------- root/root      8302 2003-10-29 16:17 messages.1
-rw------- root/root      8293 2003-10-29 16:19 messages.2
-rw------- root/root      4694 2003-10-29 16:23 messages.3
-rw------- root/root      1215 2003-10-29 16:23 messages.4

The above tar command will list (t) and decompress (z) with verbose output (v) the file (f) logs.v3.tar.gz. We will use the tar command extensively throughout this document.

The archive contains 5 log files from a Unix system. The messages logs contain entries from a variety of sources, including the kernel and other applications. The numbered files result from log rotation. As the logs are filled, they are rotated and eventually deleted. On most Unix systems, the logs are found in /var/log/ or /var/adm.

Untar the file:


root@rock:~/logs # tar xzvf logs.v3.tar.gz
messages
messages.1
messages.2
messages.3
messages.4

This tar command differs little from our first command. Now, instead of listing the contents with the t option, we are extracting it with the x option. All the other options remain the same. Remember this for later use.

Let's have a look at one log entry. We pipe the output of cat to the command head -n 1 so that we only get the 1st line:


root@rock:~/logs # cat messages | head -n 1
Nov 17 04:02:14 hostname123 syslogd 1.4.1: restart.

Each line in the log files begins with a date and time stamp. Next comes the hostname followed by the name of the application that generated the log message. Finally, the actual message is printed.

Let's assume these logs are from a victim system, and we want to analyze them and parse out the useful information. We are not going to worry about what we are actually seeing here; our object is to understand how to boil the information down to something useful.


First of all, rather than parsing each file individually, let's try and analyze all the logs at one time. They are all in the same format, and essentially they comprise one large log. We can use the cat command to add all the files together and send them to standard output. If we work on that data stream, then we are essentially making one large log out of all five logs. Can you see a potential problem with this?


root@rock:~/logs # cat messages* | less
Nov 17 04:02:14 hostname123 syslogd 1.4.1: restart.
Nov 17 04:05:46 hostname123 su(pam_unix)[19307]: session opened for user news by (uid=0)
Nov 17 04:05:47 hostname123 su(pam_unix)[19307]: session closed for user news
Nov 17 10:57:11 hostname123 sshd[32765]: Did not receive identification string from 2xx.71.188.192
Nov 17 10:57:11 hostname123 sshd[32766]: Did not receive identification string from 2xx.71.188.192
Nov 17 10:57:11 hostname123 sshd[32767]: Did not receive identification string from 2xx.71.188.192
Nov 17 19:26:43 hostname123 sshd[2019]: Did not receive identification string from 200.xx.72.129
Nov 18 04:06:04 hostname123 su(pam_unix)[5019]: session opened for user news by (uid=0)
Nov 18 04:06:05 hostname123 su(pam_unix)[5019]: session closed for user news
Nov 18 18:55:06 hostname123 sshd[11204]: Did not receive identification string from 6x.x2.248.243
Nov 19 04:05:42 hostname123 su(pam_unix)[15422]: session opened for user news by (uid=0)
<continues>

If you look at the output (scroll using less), you will see that the dates ascend and then jump to an earlier date and then start to ascend again. This is because the later log entries are added to the bottom of each file, so as the files are added together, the dates appear to be out of order. What we really want to do is stream each file backwards so that they get added together with the most recent date in each file at the top instead of at the bottom. In this way, when the files are added together they are in order. In order to accomplish this, we use tac (yes, that's cat backwards).

root@rock:~/logs # tac messages* | less
Nov 23 18:27:00 hostname123 rc.sysinit: Mounting proc filesystem: succeeded
Nov 23 18:27:58 hostname123 kernel: hda: hda1 hda2 hda3 hda4 < hda5 hda6 hda7 >
Nov 23 18:27:58 hostname123 kernel: Partition check:
Nov 23 18:27:58 hostname123 kernel: ide-floppy driver 0.99.newide
Nov 23 18:27:58 hostname123 kernel: hda: 12594960 sectors (6449 MB) w/80KiB Cache, CHS=784/255/63, UDMA(33)
Nov 23 18:27:58 hostname123 kernel: blk: queue c035e6a4, I/O limit 4095Mb (mask 0xffffffff)
Nov 23 18:27:58 hostname123 kernel: ide1 at 0x170-0x177,0x376 on irq 15
Nov 23 18:27:58 hostname123 kernel: ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
Nov 23 18:27:58 hostname123 kernel: hdc: TOSHIBA CD-ROM XM-6202B, ATAPI CD/DVD-ROM drive
Nov 23 18:27:58 hostname123 kernel: hda: QUANTUM FIREBALL SE6.4A, ATA DISK drive
Nov 23 18:27:58 hostname123 kernel: ide1: BM-DMA at 0x14c8-0x14cf, BIOS settings: hdc:DMA, hdd:pio
Nov 23 18:27:58 hostname123 kernel: ide0: BM-DMA at 0x14c0-0x14c7, BIOS settings: hda:DMA, hdb:pio
Nov 23 18:27:58 hostname123 kernel: PIIX4: not 100%% native mode: will probe irqs later
<continues>

Beautiful. The dates are now in order. We can now work on the stream of log entries as if they were one large (in order) file.

We will introduce a new command, awk, to help us view specific fields from the log entries, in this case, the dates. awk is an extremely powerful command. The version most often found on Linux systems is gawk (GNU awk). While we are going to use it as a standalone command, awk is actually a programming language on its own, and can be used to write scripts for organizing data. Our concentration will be centered on awk's print function. See man awk for more details.

Sets of repetitive data can often be divided into columns or fields, depending on the structure of the file. In this case, the fields in the log files are separated by simple white space (awk's default field separator). The date is comprised of the first two fields (month and day).
root@rock:~/logs # tac messages* | awk '{print $1" "$2}' | less
Nov 23
Nov 23
Nov 23
Nov 23
Nov 23
<continues>


This command will stream all the log files (each one from bottom to top) and send the output to awk, which will print the first field, $1 (month), followed by a space (" "), followed by the second field, $2 (day). This shows the month and day for every entry. Suppose I just want to see one of each date when an entry was made. I don't need to see repeating dates. I ask to see one of each unique line of output with uniq:


root@rock:~/logs # tac messages* | awk '{print $1" "$2}' | uniq | less
Feb 23
Nov 22
Nov 21
Nov 20
Nov 19
<continues>

This removes repeated dates, and shows me just those dates with log activity. If a particular date is of interest, I can grep the logs for that particular date:


root@rock:~/logs # tac messages* | grep "Nov  4"
Nov  4 17:41:27 hostname123 sshd[27630]: Received disconnect from 1xx.183.221.214: 11: Disconnect requested by Windows SSH Client.
Nov  4 17:13:07 hostname123 sshd(pam_unix)[27630]: session opened for user root by (uid=0)
Nov  4 17:13:07 hostname123 sshd[27630]: Accepted password for root from 1xx.183.221.214 port 1762 ssh2
Nov  4 17:08:23 hostname123 sshd(pam_unix)[27479]: session closed for user root
Nov  4 17:07:11 hostname123 squid[27608]: Squid Parent: child process 27610 started
<continues>

(note there are 2 spaces between "Nov" and "4"; one space will not work)

Of course, we have to keep in mind that this would give us any lines where the string "Nov  4" resided, not just in the date field. To be more explicit, we could say that we only want lines that start with "Nov  4", using the ^ (in our case, this gives essentially the same output):


root@rock:~/logs # tac messages* | grep ^"Nov  4"
Nov  4 17:41:27 hostname123 sshd[27630]: Received disconnect from 1xx.183.221.214: 11: Disconnect requested by Windows SSH Client.
Nov  4 17:13:07 hostname123 sshd(pam_unix)[27630]: session opened for user root by (uid=0)
<continues>


Also, if we don't know that there are two spaces between "Nov" and "4", we can tell grep to look for any number of spaces between the two:

root@rock:~/logs # tac messages* | grep ^"Nov[ ]*4"
Nov  4 17:41:27 hostname123 sshd[27630]: Received disconnect from 1xx.183.221.214: 11: Disconnect requested by Windows SSH Client.
Nov  4 17:13:07 hostname123 sshd(pam_unix)[27630]: session opened for user root by (uid=0)
Nov  4 17:13:07 hostname123 sshd[27630]: Accepted password for root from 1xx.183.221.214 port 1762 ssh2
Nov  4 17:08:23 hostname123 sshd(pam_unix)[27479]: session closed for user root
Nov  4 17:07:11 hostname123 squid[27608]: Squid Parent: child process 27610 started
<continues>

The above grep expression translates to "Lines starting (^) with the string "Nov" followed by zero or more (*) of the preceding characters ([/space/]) followed by a 4". Obviously, this is a complex issue. Knowing how to use regular expressions will give you huge flexibility in sorting through and organizing large sets of data. As mentioned earlier, read the grep man page for a good primer on regular expressions.

As we look through the log files, we may come across entries that appear suspect. Perhaps we need to gather all the entries that we see containing the string "Did not receive identification string from <IP>" for further analysis.


root@rock:~/logs # tac messages* | grep "identification string" | less
Nov 22 23:48:47 hostname123 sshd[19380]: Did not receive identification string from 19x.xx9.220.35
Nov 22 23:48:47 hostname123 sshd[19379]: Did not receive identification string from 19x.xx9.220.35
Nov 20 14:13:11 hostname123 sshd[29854]: Did not receive identification string from 200.xx.114.131
Nov 18 18:55:06 hostname123 sshd[11204]: Did not receive identification string from 6x.x2.248.243
<continues>

Now we just want the date (fields 1 and 2), the time (field 3) and the remote IP address that generated the log entry. The IP address is the last field. Rather than count each word in the entry to get to the field number of the IP, we can simply use the variable $NF, which means "number of fields". Since the IP is the last field, its field number is equal to the number of fields:

root@rock:~/logs # tac messages* | grep "identification string" | awk '{print $1" "$2" "$3" "$NF}' | less
Nov 22 23:48:47 19x.xx9.220.35
Nov 22 23:48:47 19x.xx9.220.35
Nov 20 14:13:11 200.xx.114.131
Nov 18 18:55:06 6x.x2.248.243
Nov 17 19:26:43 200.xx.72.129
<continues>

Note that when the command is too long for one line, it will automatically wrap to the next line.

We can add some tabs (\t) in place of spaces in our output to make it more readable:


root@rock:~/logs # tac messages* | grep "identification string" | awk '{print $1" "$2"\t"$3"\t"$NF}' | less
Nov 22    23:48:47    19x.xx9.220.35
Nov 22    23:48:47    19x.xx9.220.35
Nov 20    14:13:11    200.xx.114.131
Nov 18    18:55:06    6x.x2.248.243
Nov 17    19:26:43    200.xx.72.129
<continues>

This can all be redirected to an analysis log or text file for easy addition to a report (note that > report.txt creates the report file, >> report.txt appends to it). The following commands are typed on one line each:


root@rock:~/logs # echo "Localhost123: Log entries from /var/log/messages" > report.txt
root@rock:~/logs # echo "\"Did not receive identification string\":" >> report.txt
root@rock:~/logs # tac messages* | grep "identification string" | awk '{print $1" "$2"\t"$3"\t"$NF}' >> report.txt

We can also get a sorted (sort) list of the unique (-u) IP addresses involved in the same way:

root@rock:~/logs # echo "Unique IP addresses:" >> report.txt
root@rock:~/logs # tac messages* | grep "identification string" | awk '{print $NF}' | sort -u >> report.txt

The second command above prints only the last field ($NF) of our grep output (which is the IP address). The resulting list of IP addresses can also be fed to a script that does nslookup or whois database queries.

You can view the resulting report (report.txt) using the less command.
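As an added example that is not part of the original guide, the script below wraps the whole tac / grep / awk / sort pipeline from this exercise into shell functions and runs them over a constructed pair of rotated syslog files, then goes one step further than the text with a per-IP hit count. The host name, PIDs and IP addresses (taken from the RFC 5737 documentation ranges) are invented for the demo and are not the logs.v3.tar.gz data.

```shell
#!/bin/sh
# Added example: the log-parsing pipeline from the text over constructed logs.

# Write two rotated logs into directory $1: messages (newest) and messages.1.
# As with real rotation, the newest entries sit at the bottom of each file.
make_logs() {
  cat > "$1/messages.1" <<'EOF'
Nov 17 04:02:14 hostname123 syslogd 1.4.1: restart.
Nov 17 10:57:11 hostname123 sshd[32765]: Did not receive identification string from 203.0.113.7
Nov 18 18:55:06 hostname123 sshd[11204]: Did not receive identification string from 198.51.100.23
EOF
  cat > "$1/messages" <<'EOF'
Nov 20 14:13:11 hostname123 sshd[29854]: Did not receive identification string from 203.0.113.7
Nov 22 23:48:47 hostname123 sshd[19379]: Did not receive identification string from 192.0.2.35
Nov 22 23:50:00 hostname123 su(pam_unix)[5019]: session opened for user news by (uid=0)
EOF
}

# Stream every entry newest-first. tac reverses each file on its own and the
# glob sorts "messages" before "messages.1", so the result is in date order.
# Caveat: a "messages.10" would glob between messages.1 and messages.2.
all_entries() {
  tac "$1"/messages*
}

# One line per date with activity (fields 1 and 2, repeats removed by uniq).
active_dates() {
  all_entries "$1" | awk '{print $1" "$2}' | uniq
}

# Date, time and remote IP ($NF is the last field) of every matching entry.
ident_hits() {
  all_entries "$1" | grep "identification string" | awk '{print $1" "$2"\t"$3"\t"$NF}'
}

# Sorted unique remote IPs, as appended to report.txt in the text.
unique_ips() {
  all_entries "$1" | grep "identification string" | awk '{print $NF}' | sort -u
}

# Beyond the text: how often each IP appears, busiest first. uniq -c pads its
# count with spaces, so awk normalises the lines to "count ip" before sorting.
ip_counts() {
  all_entries "$1" | grep "identification string" | awk '{print $NF}' |
    sort | uniq -c | awk '{print $1, $2}' | sort -k1,1nr -k2,2
}

# Assemble the report the way the text does, with > then >> redirection
# collapsed into one grouped redirect.
write_report() {
  {
    echo "hostname123: Log entries from /var/log/messages"
    echo "\"Did not receive identification string\":"
    ident_hits "$1"
    echo "Unique IP addresses:"
    unique_ips "$1"
    echo "Hits per IP:"
    ip_counts "$1"
  } > "$1/report.txt"
}

demo() {
  d=$(mktemp -d)
  make_logs "$d"
  write_report "$d"
  cat "$d/report.txt"
  rm -rf "$d"
}
demo
```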


As with all the exercises in this document, we have just sampled the abilities of the Linux command line. It all seems somewhat convoluted to the beginner. After some practice and experience with different sets of data, you will find that you can glance at a file and say "I want that information", and be able to write a quick piped command to get what you want in a readable format in a matter of seconds. As with all language skills, the Linux command line language is perishable. Keep a good reference handy and remember that you might have to look up syntax a few times before it becomes second nature.


Fun with DD

We've already done some simple imaging and wiping using dd; let's explore some other uses for this flexible tool. dd is sort of like a little forensic Swiss army knife (talk about overused clichés!). It has lots of applications, limited only by your imagination.

Splitting Files and Images

One function we might find useful would be the ability to split images up into usable chunks, either for archiving or for use in another program. We will first discuss using split on its own, then in conjunction with dd for on the fly splitting.

For example, you might have a 10GB image that you want to split into 640MB parts so they can be written to CDR media. Or, if you use forensic software in Windows and need files no larger than 2GB (for a FAT32 partition), you might want to split the image into 2GB pieces. For this we use the split command.

split normally works on lines of input (i.e. from a text file). But if we use the -b option, we force split to treat the file as binary input and lines are ignored. We can specify the size of the files we want along with the prefix we want for the output files. In newer versions of split we can also use the -d option to give us numerical numbering (*.01, *.02, *.03, etc.) for the output files as opposed to alphabetical (*.aa, *.ab, *.ac, etc.). The command looks like:

split -d -b XXm <file to be split> <prefix of output files>

where XX is the size of the resulting files. For example, if we have a 6GB image called image.disk1.dd, we can split it into 2GB files using the following command:
root@rock:~# split -d -b 2000m image.disk1.dd image.split.

This would result in 3 files (2GB in size) each named with the prefix image.split. as specified in the command, followed by 01, 02, 03, and so on (assuming a newer version of split that supports the -d option is used):

root@rock:~# ls image.split.*
image.split.01  image.split.02  image.split.03

The process can be reversed. If we want to reassemble the image from the split parts (from CDR, etc.), we can use the cat command and redirect the output to a new file. Remember cat simply streams the specified files to standard output. If you redirect this output, the files are assembled into one.


root@rock:~# cat image.split.01 image.split.02 image.split.03 > image.new

Or
root@rock:~# cat image.split.0* > image.new

Another way of accomplishing this would be to split the image as we create it (i.e. from a dd command). This is essentially the on the fly splitting we mentioned earlier. We do this by piping the output of the dd command straight to split. Assuming our subject drive is /dev/hdc, we would use the command:


root@rock:~# dd if=/dev/hdc | split -d -b 2000m - image.split.

In this case, instead of giving the name of the file to be split in the split command, we give a simple - (after the 2000m). The single dash is a descriptor that means "standard input". In other words, the command is taking its input from the data pipe provided by the standard output of dd instead of from a file.

Once we have the image, the same technique using cat will allow us to reassemble it for hashing or analysis.

For practice, let's take the practical exercise floppy disk we used earlier and try this method on that disk, splitting it into 360k pieces. If you don't have a floppy disk, just use a USB thumb drive and replace /dev/fd0 in the following command with /dev/sdx (where x is your thumb drive). Obtain a hash first, so that we can compare the split files and the original and make sure that the splitting changes nothing:

root@rock:~# sha1sum /dev/fd0
f5ee9cf56f23e5f5773e2a4854360404a62015cf  /dev/fd0
root@rock:~# dd if=practical.floppy.dd | split -d -b 360k - floppy.split.
2880+0 records in
2880+0 records out


(remember, the records are 512 byte blocks; times 2880 = 1.44Mb)

root@rock:~# ls -lh
total 2.9M
-rw-r--r-- 1 root root 360K Jan 31 12:56 floppy.split.01
-rw-r--r-- 1 root root 360K Jan 31 12:56 floppy.split.02
-rw-r--r-- 1 root root 360K Jan 31 12:56 floppy.split.03
-rw-r--r-- 1 root root 360K Jan 31 12:56 floppy.split.04

root@rock:~# cat floppy.split.0* | sha1sum
f5ee9cf56f23e5f5773e2a4854360404a62015cf  -

(The output of the second command above shows a - in place of the file name. This represents the fact that the hash was calculated from standard input to sha1sum [from the pipe], not a file or device.)


root@rock:~# cat floppy.split.0* > new.floppy.image
root@rock:~# ls -lh
total 4.3M
-rw-r--r-- 1 root root 360K Jan 31 12:56 floppy.split.01
-rw-r--r-- 1 root root 360K Jan 31 12:56 floppy.split.02
-rw-r--r-- 1 root root 360K Jan 31 12:56 floppy.split.03
-rw-r--r-- 1 root root 360K Jan 31 12:56 floppy.split.04
-rw-r--r-- 1 root root 1.5M Jan 31 13:01 new.floppy.image

root@rock:~# sha1sum new.floppy.image
f5ee9cf56f23e5f5773e2a4854360404a62015cf  new.floppy.image

Above, we reassemble the floppy image using cat, and then see the new image in a directory listing. We then hash the reassembled image using sha1sum.

Looking at the output of the above commands, we see that all the sha1sums match (don't confuse sha1sum output with md5sum output). We find the same hash for the disk, for the split images cat'ed together, and for the newly reassembled image.


Compression on the Fly with DD

Another useful capability while imaging is compression. Considering our concern for forensic application here, we will be sure to manage our compression technique so that we can verify our hashes without having to decompress and write our images out before checking them.

For this exercise, we'll use the GNU gzip application. gzip is a command line utility that allows us some fairly granular control over the compression process.

First, for the sake of familiarity, let's look at the simple use of gzip on a single file and explore some of the options at our disposal. I have created a directory called testcomp and I've copied the image file practical.floppy.dd into that directory to practice on. This gives me an uncluttered place to experiment. First, let's double check the hash of the floppy image:

root@rock:~/testcomp# ls -lh
total 1.5M
-rw-r--r-- 1 root root 1.5M May 22 09:11 practical.floppy.dd
root@rock:~/testcomp# sha1sum practical.floppy.dd
f5ee9cf56f23e5f5773e2a4854360404a62015cf  practical.floppy.dd

Now, in its most simple form, we can call gzip and simply provide the name of the file we want compressed. This will replace the original file with a compressed file that has a .gz suffix appended.


root@rock:~/testcomp # gzip practical.floppy.dd
root@rock:~/testcomp # ls -lh
total 636K
-rw-r--r-- 1 root root 632K May 22 09:11 practical.floppy.dd.gz

So now we see that we have replaced our original 1.5M file with a 632K file that has a .gz extension. To decompress the resulting .gz file:

root@rock:~/testcomp # gzip -d practical.floppy.dd.gz
root@rock:~/testcomp # ls -lh
total 1.5M
-rw-r--r-- 1 root root 1.5M May 22 09:11 practical.floppy.dd
root@rock:~/testcomp# sha1sum practical.floppy.dd
f5ee9cf56f23e5f5773e2a4854360404a62015cf  practical.floppy.dd


We've decompressed the file and replaced the .gz file with the original image. A check of the hash shows that all is in order.

Suppose we would like to compress a file but leave the original intact. We can use the gzip command with the -c option. This writes to standard output instead of a replacement file. When using this option we need to redirect the output to a file name of our choosing so that the compressed file is not simply streamed to our terminal. Here is a sample session using this technique:


root@rock:~/testcomp # ls -lh
total 1.5M
-rw-r--r-- 1 root root 1.5M May 22 09:11 practical.floppy.dd
root@rock:~/testcomp # sha1sum practical.floppy.dd
f5ee9cf56f23e5f5773e2a4854360404a62015cf  practical.floppy.dd
root@rock:~/testcomp # gzip -c practical.floppy.dd > floppy.dd.gz
root@rock:~/testcomp # ls -lh
total 2.1M
-rw-r--r-- 1 root root 632K May 22 09:38 floppy.dd.gz
-rw-r--r-- 1 root root 1.5M May 22 09:11 practical.floppy.dd
root@rock:~/testcomp # gzip -cd floppy.dd.gz > floppy.dd
root@rock:~/testcomp # ls -lh
total 3.5M
-rw-r--r-- 1 root root 1.5M May 22 09:40 floppy.dd
-rw-r--r-- 1 root root 632K May 22 09:38 floppy.dd.gz
-rw-r--r-- 1 root root 1.5M May 22 09:39 practical.floppy.dd

root@rock:~/testcomp # sha1sum practical.floppy.dd
f5ee9cf56f23e5f5773e2a4854360404a62015cf  practical.floppy.dd

In the above output, we see that the first directory listing shows the single image file. We check the hash and then compress using gzip -c, which writes to standard output. We redirect that output to a new file (name of our choice). The second listing shows that the original file remains, and the compressed file is created. We then use gzip -cd to decompress the file, redirecting the output to a new file and this time preserving the compressed file.

These are very basic options for the use of gzip. The reason we learn the -c option is to allow us to decompress a file and pipe the output to a hash algorithm. In a more practical sense, this allows us to create a compressed image and check the hash of that image without writing the file twice.


If we go back to a single image file in our directory, we can see this in action. Remove all the files we just created (using the rm command) and leave the single original dd image. Now we will create a single compressed file from that original image and then check the hash of the compressed file to ensure its validity:


root@rock:~/testcomp # ls -lh
total 1.5M
-rw-r--r-- 1 root root 1.5M May 22 09:11 practical.floppy.dd
root@rock:~/testcomp # sha1sum practical.floppy.dd
f5ee9cf56f23e5f5773e2a4854360404a62015cf  practical.floppy.dd
root@rock:~/testcomp # gzip practical.floppy.dd
root@rock:~/testcomp # ls -lh
total 636K
-rw-r--r-- 1 root root 632K May 22 09:52 practical.floppy.dd.gz
root@rock:~/testcomp # gzip -cd practical.floppy.dd.gz | sha1sum
f5ee9cf56f23e5f5773e2a4854360404a62015cf  -
root@rock:~/testcomp # ls -lh
total 636K
-rw-r--r-- 1 root root 632K May 22 09:52 practical.floppy.dd.gz

First we see that we have the correct hash. Then we compress the image with a simple gzip command that replaces the original file. Now, all we want to do next is check the hash of our compressed image without having to write out a new image. We do this by using gzip -c (to standard out) -d (decompress), passing the name of our compressed file but piping the output to our hash algorithm (in this case sha1sum). The result shows the correct hash of the output stream, where the output stream is signified by the -.

Okay, so now that we have a basic grasp of using gzip to compress, decompress, and verify hashes, let's put it to work on the fly using dd to create a compressed image. We will then check the compressed image's hash value against an original hash.

Let's continue to use our practical exercise floppy image. First, write the image back to a physical floppy disk (as we did in the original practical exercise). Clear out the testcomp directory so that we have a clean place to write our image to.


Obtaining a compressed dd image on the fly is simply a matter of streaming our dd output through a pipe to the gzip command and redirecting that output to a file. Our resulting image's hash can then be checked using the same method we used above. Consider the following session. Our physical device is the floppy disk in /dev/fd0.


root@rock:~/testcomp # ls -lh
<empty directory>
root@rock:~/testcomp # sha1sum /dev/fd0
f5ee9cf56f23e5f5773e2a4854360404a62015cf  /dev/fd0
root@rock:~/testcomp # dd if=/dev/fd0 | gzip -c > floppy.dd.gz
2880+0 records in
2880+0 records out
1474560 bytes (1.5 MB) copied, 0.393626 s, 3.7 MB/s
root@rock:~/testcomp # ls -lh
total 636K
-rw-r--r-- 1 root root 632K May 22 09:58 floppy.dd.gz
root@rock:~/testcomp # gzip -cd floppy.dd.gz | sha1sum
f5ee9cf56f23e5f5773e2a4854360404a62015cf  -
root@rock:~/testcomp # ls -lh
total 636K
-rw-r--r-- 1 root root 632K May 22 09:58 floppy.dd.gz

In the above dd command there is no output file specified (no of=). The output is simply directed straight to gzip for redirection into a new file. We then follow up with our integrity check by decompressing the file to standard output and hashing the stream. The hashes match, so we can see that we used dd to acquire a compressed image, and verified our acquisition without the need to decompress (and write to disk) first.
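The following added example (not from the original guide) serves both the on-the-fly splitting section above and this compression section: it images a constructed 1.44 MB "floppy" file once through dd | split and once through dd | gzip, then verifies each result against the source hash by hashing the reassembled or decompressed stream rather than writing a second copy. File names are invented; on a real system the source would be a device such as /dev/fd0.

```shell
#!/bin/sh
# Added example: dd | split and dd | gzip acquisitions, each verified by hashing
# the stream that reproduces the original bytes. Sample data is constructed.

# Hash a file the way the text does, keeping only the digest.
sha1_of() {
  sha1sum < "$1" | awk '{print $1}'
}

# Constructed source: 2880 sectors of 512 bytes, the size of a 1.44 MB floppy.
make_source() {
  head -c 1474560 /dev/urandom > "$1"
}

# dd | split: no of= on dd; the '-' tells split to read standard input.
# -d numbers the parts, -b fixes their size ($3, e.g. 360k as in the text).
image_split() {
  dd if="$1" 2>/dev/null | split -d -b "$3" - "$2"
}

# Reassemble the parts in glob order and hash the stream (no new file).
# Succeeds when the digest equals $2, the hash taken of the source.
verify_split() {
  [ "$(cat "$1"* | sha1sum | awk '{print $1}')" = "$2" ]
}

# Number of parts written for prefix $1 (1474560 / 360k = 4 here).
part_count() {
  ls "$1"* | wc -l
}

# dd | gzip -c: the compressed image is written straight from the pipe.
image_gzip() {
  dd if="$1" 2>/dev/null | gzip -c > "$2"
}

# gzip -cd decompresses to standard output; hash that stream and compare.
verify_gzip() {
  [ "$(gzip -cd "$1" | sha1sum | awk '{print $1}')" = "$2" ]
}

demo() {
  d=$(mktemp -d)
  make_source "$d/floppy.dd"
  h=$(sha1_of "$d/floppy.dd")
  echo "source sha1: $h"
  image_split "$d/floppy.dd" "$d/floppy.split." 360k
  ls -l "$d"/floppy.split.*
  verify_split "$d/floppy.split." "$h" && echo "split parts verified"
  image_gzip "$d/floppy.dd" "$d/floppy.dd.gz"
  verify_gzip "$d/floppy.dd.gz" "$h" && echo "compressed image verified"
  rm -rf "$d"
}
demo
```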


Data Carving with DD
In this next example, we will use dd to carve a JPEG image from a chunk of raw data. By itself, this is not a real useful exercise. There are lots of tools out there that will carve files from forensic images, including a simple cut and paste from a hex editor. However, the purpose of this exercise is to help you become more familiar with dd. In addition, you will get a chance to use a number of other tools in preparation for the carving. This will help familiarize you further with the Linux toolbox. First you will need to download the raw data chunk from:

http://www.LinuxLEO.com/Files/image_carve.raw

Have a brief look at the file image_carve.raw with your wonderful command line hexdump tool, xxd:
root@rock:~# xxd image_carve.raw | less
0000000: 776a 176b 5fd3 9eae 247f 33b3 efbe 8d6a  wj.k_...$.3....j
0000010: d3a9 daa0 8eef c199 102f 7eaa 0c68 a908  ........./~..h..
0000020: fca4 7e13 dc6b 17a9 e973 35a0 cfc3 9360  ..~..k...s5....`
0000030: f9c0 a6b9 1476 b268 de0f 94fa a2f4 4705  .....v.h......G.
0000040: 452d 7691 eb4f 2fa7 b31f 328b c07a ce3d  E-v..O/...2..z.=
<continues>

It's really just a file full of random characters. Somewhere inside there is a standard JPEG image. Let's go through the steps we need to take to recover the picture file using dd and other Linux tools. We are going to stick with command line tools available in most default installations.

First we need a plan. How would we go about recovering the file? What are the things we need to know to get the image (picture) out, and only the image? Imagine dd as a pair of scissors. We need to know where to put the scissors to start cutting, and we need to know where to stop cutting. Finding the start of the JPEG and the end of the JPEG can tell us this. Once we know where we will start and stop, we can calculate the size of the JPEG. We can then tell dd where to start cutting, and how much to cut. The output file will be our JPEG image. Easy, right? So here's our plan, and the tools we'll use:

1) Find the start of the JPEG (xxd and grep)
2) Find the end of the JPEG (xxd and grep)
3) Calculate the size of the JPEG (in bytes using bc)
4) Cut from the start to the end and output to a file (using dd)


This exercise starts with the assumption that we are familiar with standard file headers. Since we will be searching for a standard JPEG image within the data chunk, we will start with the stipulation that the JPEG header begins with hex ffd8 with a six byte offset to the string "JFIF". The end of the standard JPEG is marked by hex ffd9.

Let's go ahead with step 1: Using xxd, we pipe the output of our image_carve.raw file to grep and look for the start of the JPEG[9]:


root@rock:~# xxd image_carve.raw | grep ffd8
00052a0: b4f1 559c ffd8 ffe0 0010 4a46 4946 0001  ..U.......JFIF..

As the output shows, using grep we've found the pattern ffd8 near the string "JFIF". The start of a standard JPEG file header has been found. The offset (in hex) for the beginning of this line of xxd output is 00052a0. Now we can calculate the byte offset in decimal. For this we will use the bc command. bc is a command line calculator, useful for conversions and calculations. It can be used either interactively or take piped input. In this case we will echo the hex offset to bc, first telling it that the value is in base 16. bc will return the decimal value.


root@rock:~# echo "ibase=16;00052A0" | bc
21152

It's important that you use uppercase letters in the hex value. Note that this is NOT the start of the JPEG, just the start of the line in xxd's output. The ffd8 string is actually located another 4 bytes farther into that line of output. So we add 4 to the start of the line. Our offset is now 21156. We have found and calculated the start of the JPEG image in our data chunk.

Now it's time to find the end of the file.

Since we already know where the JPEG starts, we will start our search for the end of the file from that point. Again using xxd and grep we search for the string:


root@rock:~# xxd -s 21156 image_carve.raw | grep ffd9
0006c74: ffd9 d175 650b ce68 4543 0bf5 6705 a73c  ...ue..hEC..g..<

[9] The perceptive among you will notice that this is a "perfect world" situation. There are a number of variables that can make this operation more difficult. The grep command can be adjusted for many situations using a complex regular expression (outside the scope of this document).


The -s 21156 specifies where to start searching (since we know this is the front of the JPEG, there's no reason to search before it and we eliminate false hits from that region). The output shows the first ffd9 at hex offset 0006c74. Let's convert that to decimal:


root@rock:~# echo "ibase=16;0006C74" | bc
27764

Because that is the offset for the start of the line, we need to add 2 to the value to include the ffd9 (giving us 27766). Now that we know the start and the end of the file, we can calculate the size:


root@rock:~# echo "27766 - 21156" | bc
6610

We now know the file is 6610 bytes in size, and it starts at byte offset 21156. The carving is the easy part! We will use dd with three options:

skip=   how far into the data chunk we begin cutting.
bs=     (block size) the number of bytes we include as a block.
count=  the number of blocks we will be cutting.

The input file for the dd command is image_carve.raw. Obviously, the value of skip will be the offset to the start of the JPEG. The easiest way to handle the block size is to specify it as bs=1 (meaning one byte) and then set count to the size of the file. The name of the output file is arbitrary.


root@rock:~# dd if=image_carve.raw of=carv.jpg skip=21156 bs=1 count=6610
6610+0 records in
6610+0 records out

You should now have a file in your current directory called carv.jpg. If you are in X, simply use the xv command to view the file (or any other image viewer) and see what you've got.


root@rock:~# xv carv.jpg

xv from a command line (while in an X session) will display the graphic image in its own window.
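The same four steps (find the header, find the footer after it, compute the size, dd the bytes out) scripted with grep -ob instead of reading offsets off xxd lines, as an added example that is not part of the original guide. grep -ob reports the byte offset of the match itself, so the "add 4 to the start of the line" correction disappears, and a marker that straddles two xxd output lines can no longer be missed. The input file is constructed inline (ASCII filler around a hand-built JPEG skeleton with a JFIF APP0 segment); the helper names and the GNU grep behaviour of -b combined with -o are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: carve the first JPEG out of a
# raw chunk with grep -ob (byte offset of the match) and dd. Assumes GNU grep
# semantics for -b together with -o. The input is constructed: ASCII filler,
# a minimal JPEG skeleton (SOI + JFIF APP0 + filler + EOI), more filler.
set -u
export LC_ALL=C              # work on raw bytes, never interpret them as UTF-8

WORK=$(mktemp -d)
RAW="$WORK/chunk.raw"
OUT="$WORK/carved.jpg"

# --- constructed sample input ---------------------------------------------
# Filler is 'x'/'y' bytes so it cannot accidentally contain ff d8 or ff d9.
# The 20-byte header is: ff d8 (SOI), ff e0 00 10 (APP0, length 16), "JFIF\0",
# version 1.1, density units 0, 1x1 density, no thumbnail. Then 300 zero bytes
# stand in for compressed picture data, then ff d9 (EOI).
{
    dd if=/dev/zero bs=1 count=4000 2>/dev/null | tr '\0' 'x'
    printf '\377\330\377\340\000\020JFIF\000\001\001\000\000\001\000\001\000\000'
    dd if=/dev/zero bs=1 count=300 2>/dev/null
    printf '\377\331'
    dd if=/dev/zero bs=1 count=1500 2>/dev/null | tr '\0' 'y'
} > "$RAW"

# find_marker FILE OCTAL_PATTERN [START]: print the absolute byte offset of the
# first occurrence of the pattern at or after START; exit 1 if absent.
# tail -c +N starts at byte N (1-based), so the search skips what we already know.
find_marker() {
    start=${3:-0}
    off=$(tail -c +$((start + 1)) "$1" \
          | grep -obaF "$(printf "$2")" | head -n 1 | cut -d: -f1)
    [ -n "$off" ] && echo $((off + start))
}

# carve_jpeg RAW OUT: steps 1-4 of the plan. Prints "start size" on success.
carve_jpeg() {
    start=$(find_marker "$1" '\377\330\377') || return 1      # step 1: SOI
    end=$(find_marker "$1" '\377\331' "$start") || return 1   # step 2: EOI after SOI
    size=$((end + 2 - start))                                  # step 3: include both EOI bytes
    dd if="$1" of="$2" bs=1 skip="$start" count="$size" 2>/dev/null   # step 4
    echo "$start $size"
}

# Sanity check on the result: first two bytes ff d8, last two bytes ff d9.
looks_like_jpeg() {
    first=$(head -c 2 "$1" | od -An -tx1 | tr -d ' \n')
    last=$(tail -c 2 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$first" = "ffd8" ] && [ "$last" = "ffd9" ]
}

RESULT=$(carve_jpeg "$RAW" "$OUT")
echo "carved ${RESULT#* } bytes from offset ${RESULT% *} into $OUT"
looks_like_jpeg "$OUT" && echo "markers check out"
```

Two practical notes. bs=1 is fine for a few kilobytes but slow for large carves; GNU dd accepts iflag=skip_bytes,count_bytes so that skip= and count= can be given in bytes with a large bs. And the first ffd9 after the header is not always the right one: a JPEG with an embedded EXIF thumbnail contains a complete inner JPEG, so the first EOI found belongs to the thumbnail. That is the "perfect world" caveat from footnote 9; always confirm the carved result with file or an image viewer.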


Carving Partitions with DD
Now we can try another useful exercise in carving with dd. Often, you will obtain or be given a dd image of a full disk. At times you might find it desirable to have each separate partition within the disk available to search or mount. Remember, you cannot simply mount an entire disk image, only the partitions.

There are commercial solutions to mounting partitions within an entire image, like SMART for Linux forensic software. Recent advances in forensic tools like The Sleuth Kit have made the ability to carve partitions from an image less important than it once was. For the beginning Linux forensics student, I would still consider this an important skill, however. Plus, it's just good practice for a number of Linux commands. We introduce this technique here not to teach it for practical use, but to provide another practical exercise using a number of important command line tools.

The method we will use in this exercise entails identifying the partitions within a dd image with fdisk or sfdisk. We will then use dd to carve the partitions out of the image.

First, let's grab the practice disk image that we will be working on. This is a dd image of a 330MB disk from a Linux system that was compromised.

http://www.LinuxLEO.com/Files/able2.tar.gz

The tar archive contains the disk image, the MD5 digest values, and the imaging log file with information collected during the imaging process.

Create a directory called able2 in your /root directory. This will be the working directory for the following exercise. Again, the vast majority of steps taken in preparation for, and execution of, a forensic analysis require root access to commands and devices. Once you have downloaded the file into that able2 directory, change to that directory and check the md5sum[10] (it should match the output below):
root@rock:~/able2 # md5sum able2.tar.gz
7863920262cad3b30333192fd50965b8  able2.tar.gz

The file name is derived from the original hostname of the machine that was compromised. Very often we name our cases and evidence with the original hostname of the machine we are investigating (whether a victim or a hostile).

If the MD5 matches, then we can continue. We now need to check the contents of the tar archive, then extract and decompress the archive.

[10] Yes, we are using md5sum here but we used sha1sum earlier... Consistency is overrated! ;)


root@rock:~/able2 # tar tzvf able2.tar.gz
-rwxrwxr-x root/root 345830400 2003-08-10 21:16:36 able2.dd
-rwxrwxr-x root/root      3700 2003-08-11 07:56:04 able2.log
-rwxrwxr-x root/root        43 2003-08-10 21:16:36 md5.dd
-rwxrwxr-x root/root        43 2003-08-10 21:04:40 md5.hdd
root@rock:~/able2 # tar xzvf able2.tar.gz
able2.dd      <- Disk image
able2.log     <- collection log
md5.dd        <- image hash
md5.hdd       <- original disk hash

The second command above executes the tar command with the options x to extract the files, z to decompress the files, v for verbose output, and f to specify the file. Have a look at the files that result:


root@rock:~/able2 # ls -lh
total 465M
-rwxrwxr-x 1 root root 330M Aug 10  2003 able2.dd
-rwxrwxr-x 1 root root 3.7K Aug 11  2003 able2.log
-rwxr-x--- 1 root root 135M Jan 31 13:18 able2.tar.gz
-rwxrwxr-x 1 root root   43 Aug 10  2003 md5.dd
-rwxrwxr-x 1 root root   43 Aug 10  2003 md5.hdd

The output of ls -lh (the -lh is for "long list" with "human readable" sizes) shows the 330MB dd image, the log file and two files that record the original MD5 hashes, one for the image (md5.dd) and one for the original disk (md5.hdd). At this point you can check the hash of the able2.dd and compare it to the value stored in md5.dd (gathered when the system was originally imaged) to be sure the image is intact.


root@rock:~/able2 # cat md5.dd
02b2d6fc742895fa4af9fa566240b880  able2.dd
root@rock:~/able2 # md5sum able2.dd
02b2d6fc742895fa4af9fa566240b880  able2.dd


Okay, now we have our image, and we have verified that it is an accurate copy. We now want to know a little bit about the contents of the image and what it represents. During the evidence acquisition process, it is essential that information about the disk be recorded. Standard operating procedures should include collection of disk and system information, and not just the dd image itself.

The file able2.log was created from the output of various commands used during the evidence collection process. The log includes information about the investigator that gathered the evidence, information about the system, and the output of commands including hdparm, fdisk, sfdisk and hashing functions. We create the log file by appending (>>) the output of the commands, in sequence, to the log:

command >> logfile.txt

Look at the log file, able2.log, using less and scroll down to the section that shows the structure of the disk (the output of fdisk -l /dev/hdd and sfdisk -l -uS /dev/hdd):
root@rock:~/able2 # less able2.log
<scrolled output>
#################################################################
fdisk output for SUBJECT disk:

Disk /dev/hdd: 345 MB, 345830400 bytes
15 heads, 57 sectors/track, 790 cylinders
Units = cylinders of 855 * 512 = 437760 bytes

   Device Boot  Start   End   Blocks  Id  System
/dev/hdd1           1    12    5101+  83  Linux
/dev/hdd2          13   132   51300   83  Linux
/dev/hdd3         133   209   32917+  82  Linux swap
/dev/hdd4         210   790  248377+  83  Linux

#################################################################
sfdisk output for SUBJECT disk:

Disk /dev/hdd: 790 cylinders, 15 heads, 57 sectors/track
Units = sectors of 512 bytes, counting from 0

   Device Boot  Start     End  #sectors  Id  System
/dev/hdd1          57   10259     10203  83  Linux
/dev/hdd2       10260  112859    102600  83  Linux
/dev/hdd3      112860  178694     65835  82  Linux swap
/dev/hdd4      178695  675449    496755  83  Linux

#################################################################


The output shown above is directly from the victim hard drive (the machine able2), recorded prior to obtaining the dd image. It shows that there are 4 partitions on the drive. The data partitions are hdd1, hdd2 and hdd4. The hdd3 partition is actually a swap partition (for virtual memory). Remember that the designation hdd indicates that the victim hard drive was attached to our forensic workstation as the slave drive on the secondary IDE controller during the imaging process, NOT how it was attached in the original machine.

The command sfdisk -l -uS /dev/hdd gave us the second listing above and shows the partition sizes in units of sectors (-uS). The output also gives us the start of the partition. For our partition carving exercise (as with the raw data carving), all we need is the starting offset, and the size.

Let's go ahead and dd out each partition. If you have the output of sfdisk -l -uS /dev/hdx, the job is easy.
root@rock:~/able2 # dd if=able2.dd of=able2.part1.dd bs=512 skip=57 count=10203
10203+0 records in
10203+0 records out
root@rock:~/able2 # dd if=able2.dd of=able2.part2.dd bs=512 skip=10260 count=102600
102600+0 records in
102600+0 records out
root@rock:~/able2 # dd if=able2.dd of=able2.part3.dd bs=512 skip=112860 count=65835
65835+0 records in
65835+0 records out
root@rock:~/able2 # dd if=able2.dd of=able2.part4.dd bs=512 skip=178695 count=496755
496755+0 records in
496755+0 records out

Examine these commands closely. The input file (if=able2.dd) is the full disk image. The output files (of=able2.part#.dd) will contain each of the partitions. The block size that we are using is the sector size (bs=512), which matches the output of the sfdisk command. Each dd section needs to start where each partition begins (skip=X), and cut as far as the partition goes (count=Y). We also obtained partition number three, the swap partition. This can also be searched with grep and strings (or carving utilities) for evidence.

This will leave you with four able2.part*.dd files in your current directory that can now be loop mounted.

What if you have a dd image of the full disk, but no log file or access to the original disk, and therefore no info from sfdisk or fdisk? We can run the sfdisk or fdisk commands directly on the image if we like. Remember that the original disk that the image was obtained from was seen as a simple file (/dev/hdx) and the image we obtain using dd is also simply a file. So why would tools like fdisk treat them any differently? The hashes match, so they are essentially the same file:
root@rock:~/able2 # sfdisk -l -uS able2.dd
Disk able2.dd: cannot get geometry
...<error messages>
Units = sectors of 512 bytes, counting from 0

   Device Boot  Start     End  #sectors  Id  System
able2.dd1          57   10259     10203  83  Linux
able2.dd2       10260  112859    102600  83  Linux
able2.dd3      112860  178694     65835  82  Linux swap / Solaris
able2.dd4      178695  675449    496755  83  Linux

Aside from the error messages at the beginning of the output (removed for readability), notice that the actual disk geometry (in sectors) matches that taken from the original disk. The partitions are now noted as able2.dd*, indicating the able2.dd image, partitions 1 through 4. In a pinch, we could use this to gather information from the image file we were given, to determine the partitioning scheme of the disk that was imaged.

Unfortunately, you cannot mount the partitions associated with able2.dd*. The block devices (able2.dd*) don't actually exist.
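The four dd commands above, generalised into a script that reads an sfdisk -l -uS style table and carves every partition it lists, as an added example that is not part of the original guide. Because the verifier has neither sfdisk nor the able2 image, both the disk image (2 MiB, 4096 sectors, with a signature written into the first sector of each partition) and the table are constructed inline in the same layout sfdisk printed above; the parser also copes with a "*" in the Boot column, which the able2 table happens not to have, and checks that End - Start + 1 really equals #sectors before handing the numbers to dd. Names and paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: carve every partition listed in
# an "sfdisk -l -uS" style table out of a disk image with dd, checking the
# table's arithmetic first. The image (2 MiB, 4096 sectors) and the table are
# constructed here so the script runs without sfdisk or root; each partition's
# first sector carries a signature so the carves can be checked.
set -u
export LC_ALL=C
WORK=$(mktemp -d)
IMG="$WORK/sample.dd"
TABLE="$WORK/sfdisk.txt"
OUT="$WORK/sample"           # output files become sample.part1.dd, ...

# --- constructed disk image and partition table ---------------------------
dd if=/dev/zero of="$IMG" bs=512 count=4096 2>/dev/null
for p in "1 57" "2 1024" "3 2048" "4 3072"; do
    set -- $p                                   # $1 = partition no., $2 = start sector
    printf 'PART%s-SIGNATURE' "$1" \
        | dd of="$IMG" bs=512 seek="$2" conv=notrunc 2>/dev/null
done
cat > "$TABLE" <<'EOF'
Disk sample.dd: cannot get geometry
Units = sectors of 512 bytes, counting from 0

   Device Boot  Start    End  #sectors  Id  System
sample.dd1   *     57   1023       967  83  Linux
sample.dd2       1024   2047      1024  83  Linux
sample.dd3       2048   3071      1024  82  Linux swap / Solaris
sample.dd4       3072   4095      1024  83  Linux
EOF

# parse_sfdisk TABLE: one line "partno start count" per partition row. Handles
# the optional "*" in the Boot column and flags rows where End-Start+1 does
# not equal #sectors (a typo in a hand-copied log would otherwise carve garbage).
parse_sfdisk() {
    awk '$1 ~ /[0-9]+$/ && NF >= 6 {
        n = $1; sub(/.*[^0-9]/, "", n)          # partition number = trailing digits
        i = 2; if ($i == "*") i++                # skip the bootable flag if present
        start = $i; end = $(i + 1); count = $(i + 2)
        if (end - start + 1 != count) { print "BAD", n; next }
        print n, start, count
    }' "$1"
}

# carve_partitions IMAGE TABLE PREFIX: dd each partition to PREFIX.partN.dd,
# exactly as the four dd commands in the text, with bs=512 = sector size.
carve_partitions() {
    parse_sfdisk "$2" | while read -r n start count; do
        if [ "$n" = "BAD" ]; then
            echo "skipping partition $start: table is inconsistent" >&2
            continue
        fi
        dd if="$1" of="$3.part$n.dd" bs=512 skip="$start" count="$count" 2>/dev/null
        echo "part$n: $count sectors from sector $start"
    done
}

# first_bytes FILE N: the first N bytes of a file, used to check the signatures.
first_bytes() {
    dd if="$1" bs="$2" count=1 2>/dev/null
}

carve_partitions "$IMG" "$TABLE" "$OUT"
```

Where a carved copy is not actually needed, the same start sector can be handed straight to mount: mount -o ro,loop,offset=$((57*512)) able2.dd /mnt/analysis/boot. The offset= loop option of GNU/Linux mount is mentioned here as an alternative the guide does not cover; it sidesteps the "able2.dd1 does not exist" problem without writing four more image files to disk.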

Determining the Subject Disk File System Structure
Going back to our able2 case dd images, we now have the original image along with the partition images that we carved out.

able2.dd        (original image)
able2.part1.dd  (1st Partition)
able2.part2.dd  (2nd Partition)
able2.part3.dd  (3rd Partition)
able2.part4.dd  (4th Partition)

The next trick is to mount the partitions in such a way that we reconstruct the original file system. This generally pertains to subject disks that were imaged from Unix hosts.

One of the benefits of Linux/Unix systems is the ability to separate the file system across partitions. This can be done for any number of reasons, allowing for flexibility where there are concerns about disk space or security, etc.

For example, a System Administrator may decide to keep the directory /var/log on its own separate partition. This might be done in an attempt to prevent rampant log files from filling the root (/ not /root) partition and bringing the system down. It is common to see /boot in its own partition as well. This allows the kernel image to be placed near the front (in terms of cylinders) of a hard drive, an issue in older versions of the Linux boot loader LILO. There are also a variety of security implications addressed by this setup.

So when you have a disk with multiple partitions, how do you find out the structure of the file system? Earlier in this paper we discussed the /etc/fstab file. This file maintains the mounting information for each file system, including the physical partition, mount point, file system type, and options. Once we find this file, reconstructing the system is easy. With experience, you will start to get a feel for how partitions are set up, and where to look for the fstab. To make things simple here, just mount each partition (loopback, read only) and have a look around.

One thing we might like to know is what sort of file system is on each partition before we try and mount them. We can use the file command to do this[11]. Remember from our earlier exercise that the file command determines the type of file by looking for header information.
root@rock:~/able2 # file able2.part*
able2.part1.dd: Linux rev 1.0 ext2 filesystem data (mounted or unclean)
able2.part2.dd: Linux rev 1.0 ext2 filesystem data (mounted or unclean)
able2.part3.dd: Linux/i386 swap file (new style) 1 (4K pages) size 8228 pages
able2.part4.dd: Linux rev 1.0 ext2 filesystem data (mounted or unclean)

Previously, we were able to determine that the partitions were Linux partitions from the output of fdisk and sfdisk. Now file informs us that the file system type is ext2[12]. We can use this information to mount the partitions.


root@rock:~/able2 # mount -t ext2 -o ro,loop able2.part1.dd /mnt/analysis/

Do this for each partition (either unmounting between partitions, or mounting to a different mount point) and you will eventually find the /etc directory containing the fstab file in able2.part2.dd with the following important entries:


root@rock:~/able2 # cat /mnt/analysis/etc/fstab
/dev/hda2   /       ext2   defaults   1 1
/dev/hda1   /boot   ext2   defa
ults   1 2
/dev/hda4   /usr    ext2   defaults   1 2
/dev/hda3   swap    swap   defaults   0 0

[11] Keep in mind that the file command relies on the contents of the "magic" file to determine a file type. If this command does not work for you in the following example, then it is most likely because the magic file on your system does not include headers for file system types.
[12] You can also use the "auto" file system type under the mount command, but I prefer to be explicit. Check man mount for more information.

So now we see that the logical file system was constructed from three separate partitions (note that /dev/hda here refers to the disk when it is mounted in the original system):

/ (root)   mounted from /dev/hda2   (data on hda2)
|_bin/                              (data on hda2)
|_boot/    mounted from /dev/hda1   (data on hda1)
|_dev/                              (data on hda2)
|_etc/                              (data on hda2)
|_home/                             (data on hda2)
|_lib/                              (data on hda2)
|_opt/                              (data on hda2)
|_proc/                             (data on hda2)
|_usr/     mounted from /dev/hda4   (data on hda4)
|_root/                             (data on hda2)
|_sbin/                             (data on hda2)
|_tmp/                              (data on hda2)
|_var/                              (data on hda2)

Now we can create the original file system at our analysis mount point. The mount point /mnt/analysis already exists. When you mount the root partition of able2.dd on /mnt/analysis, you will note that the directories /mnt/analysis/boot and /mnt/analysis/usr are empty. That is because we have to mount those partitions to access the contents of those directories.
root@rock:~/able2 # mount -t ext2 -o ro,loop able2.part2.dd /mnt/analysis/
root@rock:~/able2 # mount -t ext2 -o ro,loop able2.part1.dd /mnt/analysis/boot
root@rock:~/able2 # mount -t ext2 -o ro,loop able2.part4.dd /mnt/analysis/usr

We now have the recreated original file system under /mnt/analysis:

/ (root)   mounted on /mnt/analysis
|_bin/
|_boot/    mounted on /mnt/analysis/boot
|_dev/
|_etc/
|_home/
|_lib/
|_opt/
|_proc/
|_usr/     mounted on /mnt/analysis/usr
|_root/
|_sbin/
|_tmp...


At this point we can run all of our searches and commands just as we did for the previous floppy disk exercise on a complete file system rooted at /mnt/analysis.

As always, you should know what you are doing when you mount a complete file system on your forensic workstation. Be aware of options to the mount command that you might want to use (check man mount for options like nodev and nosuid, noatime etc.). Take note of where links point to from the subject file system. Note that we have mounted the partitions read only (ro). Remember to unmount each partition when you are finished exploring.

DD Over the Wire
There may be occasions where you want or need to acquire an image of a computer using a boot disk and network connectivity. Most often, this approach is used with a Linux boot disk on the subject machine (the machine you are going to image). Another computer, the imaging collection platform, is connected either via a network hub or switch, or through a crossover cable. There are a variety of configurations possible. These sorts of acquisitions can even take place across the country or anywhere around the world. The reasons and applications of this approach are outside of the scope of this paper, so we will concentrate on the mechanics and the very basic commands required.

First, let's clarify some terminology for the purpose of our discussion here. In this instance, the computer we want to image will be referred to as the subject computer. The computer to which we are writing the image will be referred to as the collection box.

In order to accomplish imaging across the network, we will need to set up our collection box to listen for data from our subject box. We do this using netcat, the nc command. The basic setup looks like this:


The first step is to open a listening port on the collection computer. We will do this on our forensic system with nc:
root@rock: ~ # nc -l -p 2525 | dd of=/mnt/evid/net_image.dd

This command opens a listening session (-l) on TCP port 2525 (-p 2525) and pipes any traffic that comes across that port to the dd command (with only the output file flag), which writes the file /mnt/evid/net_image.dd.

Next, on the subject computer (note that the command prompt identifies this as a computer with the hostname bootdisk), we issue the dd command. Instead of giving the command an output file parameter using of=, we pipe the dd command output to netcat (nc) and send it to our listening port (2525) on the collection computer at IP address 192.168.55.20.


root@bootdisk ~ # dd if=/dev/sda | nc 192.168.55.20 2525

This command pipes the output of dd straight to nc, directing the image over the network to TCP port 2525 on the host 192.168.55.20 (our collection box's IP address). If you want to use dd options like conv=noerror,sync or bs=x, then you do that on the dd side of the pipe:


root@bootdisk ~ # dd if=/dev/sda bs=4096 | nc 192.168.55.20 2525


Once the imaging is complete, we will see that the commands at both ends appear to hang. After we receive our completion messages from dd on the subject box (records in / records out), we can kill the nc listening on our collection box with a simple ctrl-c. This should return our prompts on both sides of the connection. You should then check both the hash of the physical disk that was imaged on the subject computer and the resulting image on the collection box to see if they match.
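The dd | nc transfer with a hash computed on both ends while the data flows, as an added example that is not part of the original guide. Hashing in-line means the subject disk is read exactly once (rather than a second time for sha1sum after the transfer, which on a failing drive may not even give the same bytes), and the two values can be compared the moment nc is closed. The network hop is replaced by a local named pipe so the script runs offline; the nc commands that belong at that point are shown in the comments. The "disk" is a constructed 2 MiB file; the FIFO-plus-tee arrangement, the paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: the dd | nc transfer with a hash
# computed on *both* ends while the data flows, so the subject disk is read
# only once and the two hashes can be compared the moment nc is closed. The
# network hop is replaced by a local named pipe so this runs offline; the nc
# commands that belong at that point are shown in the comments. The "disk"
# is a constructed 2 MiB file; paths and port are assumptions.
set -u
WORK=$(mktemp -d)
DISK="$WORK/subject.disk"        # stands in for /dev/sda on the subject box
WIRE="$WORK/wire.fifo"           # stands in for the TCP connection on port 2525
IMAGE="$WORK/net_image.dd"       # what /mnt/evid/net_image.dd would be
SEND_HASH="$WORK/subject.sha1"   # hash computed on the subject side
RECV_HASH="$WORK/collect.sha1"   # hash computed on the collection side

dd if=/dev/urandom of="$DISK" bs=4096 count=512 2>/dev/null
mkfifo "$WIRE"

# Subject side. tee copies the dd stream into a FIFO that sha1sum reads, while
# the main stream continues to the wire. Real command on the boot disk:
#   dd if=/dev/sda bs=4096 conv=noerror,sync | tee /tmp/h.fifo | nc 192.168.55.20 2525
subject_send() {   # subject_send DISK WIRE
    fifo="$WORK/send.fifo"; mkfifo "$fifo"
    sha1sum < "$fifo" | cut -d' ' -f1 > "$SEND_HASH" &
    dd if="$1" bs=4096 conv=noerror,sync 2>/dev/null | tee "$fifo" > "$2"
    wait
}

# Collection side. Whatever arrives is written by dd and hashed at the same
# time. Real command on the collection box:
#   nc -l -p 2525 | tee /tmp/h.fifo | dd of=/mnt/evid/net_image.dd bs=4096
collector_receive() {   # collector_receive WIRE IMAGE
    fifo="$WORK/recv.fifo"; mkfifo "$fifo"
    sha1sum < "$fifo" | cut -d' ' -f1 > "$RECV_HASH" &
    tee "$fifo" < "$1" | dd of="$2" bs=4096 2>/dev/null
    wait
}

# Compare the two hashes; returns 0 only when both sides saw identical bytes.
verify_transfer() {
    [ -s "$SEND_HASH" ] && [ -s "$RECV_HASH" ] \
        && [ "$(cat "$SEND_HASH")" = "$(cat "$RECV_HASH")" ]
}

collector_receive "$WIRE" "$IMAGE" &      # listener goes up first, as in the text
subject_send "$DISK" "$WIRE"
wait
if verify_transfer; then
    echo "transfer verified: $(cat "$RECV_HASH")"
else
    echo "HASH MISMATCH between subject and collection box" >&2
fi
```

The point of hashing on the collection side as well as the subject side is that a mismatch tells you the transport corrupted or truncated the stream (a dropped connection leaves a short image with no error from dd on the receiving end), whereas a match between the two ends plus dd's records in/out count on the subject box is the evidence you write into the acquisition log.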


X. Advanced Forensic Tools
So now you have some experience with using the Linux command line and the powerful tools that are provided with a Linux installation.

However, as forensic examiners, we soon come to find out that time is a valuable commodity. While learning to use the command line tools native to a Linux install is useful for a myriad of tasks in the real world, it can also be tedious. After all, there are Windows based tools out there that allow you to do much of what we have discussed here in a simple point and click GUI. Well, the same can be said for Linux.

The popularity of Linux is growing at a fantastic rate. Not only do we see it in an enterprise environment and in big media, but we are also starting to see its widening use in the field of computer forensics. In recent years we've seen the list of available forensic tools for Linux grow with the rest of the industry.

In this section we will cover a number of forensic tools available to make your analysis easier and more efficient. We will cover both free tools and commercial tools. We will start with some alternative imaging tools, specially designed to work with forensic acquisitions in mind.

AUTHOR'S NOTE: Inclusion of tools and packages in this section in no way constitutes an endorsement of those tools. Please test them yourself to ensure that they meet your needs. The tools here were chosen because it was suggested by a large number of readers of the original Introduction document that I provide information on forensic packages for Linux.

Since this is a Linux document, I am covering available Linux tools. This does not mean that the common tools available for other platforms cannot be used to accomplish many of the same results. On a personal note, I do maintain that analysis of a Unix system is best accomplished with a Unix (like) toolset.

One more note: Please keep in mind, as you work through these exercises, this document is NOT meant to be an education in file system analysis. As you work through the exercises you will come across terms like inode, MFT entry, allocation status, partition tables and direct and indirect blocks, etc. These exercises are about using the tools, and are not meant to instruct you on basic forensic knowledge, Linux file systems or any other file systems. This is all about the tools.
If you need to learn file system structure as it relates to computer forensics, please read Brian Carrier's book: File System Forensic Analysis (Published by Addison Wesley, 2005). This is not the last time I will suggest this.

To get a quick overview of some file systems, you can do a quick Internet search. There is a ton of information readily available if you need a primer. Here are some simple links to get you started[13]. If you have questions on any of these file systems, or how they work, I would suggest some light reading before diving into these exercises.

NTFS:     http://www.ntfs.com
          http://en.wikipedia.org/wiki/NTFS
EXT2/3:   http://e2fsprogs.sourceforge.net/ext2intro.html
          http://en.wikipedia.org/wiki/Ext3
FAT:      http://en.wikipedia.org/wiki/File_allocation_table

Also, once you install the Sleuthkit (covered in an upcoming section) you should have a look in the ./sleuthkit-3.xx/docs/ directory (or wherever the source is installed) for the Sleuthkit Implementation Notes (or SKINs). These files contain some excellent detailed information on file system structure.

[13] The author does not vouch for any of these sources. They are provided for your information only.


Alternative Imaging Tools
Standard Linux dd is a fine imaging tool. It is robust, well tested, and has a proven track record. We've already demonstrated some of its capabilities beyond what many consider normal forensic imaging functions.

As good as dd is as an imaging tool, it has one simple, perceived flaw: It was never actually designed to be used for forensic acquisitions. It is very capable, but some practitioners prefer full featured imaging tools that do not require external programs to accomplish logging, hashing, and imaging error documentation. Additionally, dd is not the best solution for obtaining evidence from damaged or failing media.

There are a number of forensic specific tools out there for Linux users that wish to acquire evidence. Some of these tools include:

dc3dd - enhanced dd program for forensic use (based on dd code).
dcfldd - enhanced dd program for forensic use (fork of dd code).
aimage - forensic imaging tool provided primarily to create images in the Advanced Forensic Format (AFF). Future versions of this guide will likely cover aimage and afflib in more detail.
ewfacquire - Provided as part of the libewf project, this tool is used to acquire Expert Witness Format (EWF) images. We will cover it in some detail later.
AIR - Automated Image and Restore, a GUI front end to both dd and dcfldd.
GNU ddrescue - An imaging tool specifically designed to recover data from media exhibiting errors (not to be confused with dd_rescue).

This is not an exhaustive list. These, however, are the most commonly used (as far as I know). We will cover the first in the list (dc3dd) and the last in the list (ddrescue) in this document. Later on, in the section on Advanced Tools we will cover ewfacquire, installed as part of the libewf package.

dc3dd

The first tool we will cover is dc3dd. This is a newer imaging tool based on original (patched) code from dd. It is very similar to the popular dcfldd but provides a slightly different feature set. My choice of whether to cover either dcfldd or dc3dd is largely arbitrary. One of the reasons I decided to cover dc3dd here is its relationship to recent dd code updates, including direct I/O capabilities. dc3dd is maintained by the DoD (Department of Defense) Cyber Crime Center (otherwise known as Dc3)[14]. Regardless of which (dc3dd or dcfldd) you prefer, familiarity with one of these tools will translate very nicely to the other with some reading and experimentation, as they are very similar. While there are significant differences, many of the features we discuss in this section are common to both dc3dd and dcfldd.

The source package and more information for dc3dd can be found at http://dc3dd.sourceforge.net. That page also provides a good summary of the capabilities of dc3dd and its overall intent.

Installation of dc3dd follows the same routine as most source packages available in Linux. These packages are commonly called "tarballs" and end with the tar.gz or tar.bz2 extensions, depending on the method of compression. In general, once the tarball has been extracted, the common commands to compile and install the package are simply (from the extracted directory):

./configure
make
make install

So, once we have the package downloaded, we can extract the tarball in the same way we extracted any of the other tar.gz files we worked with:
root@rock:~# tar xzvf dc3dd-6.9.91.tar.gz
dc3dd-6.9.91/
dc3dd-6.9.91/.prev-version
dc3dd-6.9.91/.version
dc3dd-6.9.91/.vg-suppressions
dc3dd-6.9.91/.x-po-check
dc3dd-6.9.91/.x-sc_file_system
dc3dd-6.9.91/.x-sc_GPL_version
dc3dd-6.9.91/.x-sc_obsolete_symbols
dc3dd-6.9.91/.x-sc_prohibit_atoi_atof
<continues>

After the package has been extracted, we change into the resulting directory and then run a configure script to allow the program to ascertain our system configuration and prepare compiler options for our environment. We do this by issuing the command ./configure:

[14] DCFLdd is also named for a DoD entity, the Defense Computer Forensics Lab.

root@rock:~# cd dc3dd-6.9.91/
root@rock:~/dc3dd-6.9.91# ./configure
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
configure: autobuild project... dc3dd
configure: autobuild revision... 6.9.91
configure: autobuild hostname... rockriver
configure: autobuild timestamp... 20080807-202619
checking for a BSD-compatible install... /usr/bin/ginstall -c
checking whether build environment is sane...
<continues>

Assuming no errors, we type make and watch the compiler go to work.
root@rock:~/dc3dd-6.9.91# make
Making all in lib
make[1]: Entering directory `/root/Tools/dc3dd-6.9.91/lib'
{ echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */'; \
  cat ./alloca.in.h; \
} > alloca.h-t
mv -f alloca.h-t alloca.h
rm -f configmake.h-t configmake.h
{ echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */'; \
<continues>

Finally, in order to call the various tools without using the full path to the compiled binaries, we must run the command that properly installs both the tools to the proper path, and any required libraries to the proper directories. This is accomplished with make install.


root@rock:~/dc3dd-6.9.91# make install
Making install in lib
make[1]: Entering directory `/root/Tools/dc3dd-6.9.91/lib'
make install-am
make[2]: Entering directory `/root/Tools/dc3dd-6.9.91/lib'
make[3]: Entering directory `/root/Tools/dc3dd-6.9.91/lib'
test yes != no || /bin/sh /root/Tools/dc3dd-6.9.91/build-aux/install-sh -d /usr/local/lib
if test -f /usr/local/lib/charset.alias; then \
<continues>

Our tool is now installed and ready to use.

One point to ponder if you are looking for the man page for dc3dd: The install routine does not copy the man page to the correct default location on our Slackware system (other OS versions may vary). However, the dc3dd man page is essentially the same as the information provided by the --help option.


So, you can either run dc3dd with the --help option, or you can copy the man page file to the correct location[15]:
root@rock:~/dc3dd-6.9.91# cp man/dc3dd.1 /usr/local/man/man1/
root@rock:~/dc3dd-6.9.91# man dc3dd
DD(1)                         User Commands                         DD(1)

NAME
       dd - convert and copy a file

SYNOPSIS
       dc3dd [OPERAND]...
       dc3dd OPTION
<continues>

OR simply:
root@rock:~/dc3dd-6.9.91# dc3dd --help
Usage: dc3dd [OPERAND]...
  or:  dc3dd OPTION
Copy a file, converting and formatting according to the operands.

  bs=BYTES        force ibs=BYTES and obs=BYTES
  cbs=BYTES       convert BYTES bytes at a time
<continues>

Since we are already talking about the help page, let's have a look at the basic usage of dc3dd. As you read through the usage section of the man page, you'll notice a number of additions to regular dd for the forensic examiner. Let's concentrate on these notables:


split=BYTES         split the output into pieces of size BYTES
splitformat=FMT     create extensions for split pieces using FMT...
progress=on         displays a progress meter
hash=ALGORITHM      computes ALGORITHM hashes of the input data
hashwindow=BYTES    number of bytes for piecewise hashing
log=FILE            appends hashes and errors to the same file
verifylog=FILE      write the results of the verify to the given file

Essentially, dc3dd (and similarly dcfldd) has incorporated the hashing, splitting and logging of our acquisition into a single command. All of this can be done with regular dd and external tools, but there is no doubt many practitioners prefer an integrated approach. The standard options available to the regular dd command still work with the forensic editions (bs, skip, etc.).


[15] Or adjust $MANPATH, etc.


More than just incorporating the other steps into a single command, dc3dd extends the functionality. For example, using a regular split command with dd as we did in a previous exercise, we can either allow the default alphabetic naming convention of split, or pass the -d option to provide us with decimal extensions on our files. In contrast, dc3dd allows us to not only define the size of each split as an option to the imaging command without need for a piped command, but it also allows more granular control over the format of the extensions each split will have as part of its file name. So, to split a 6GB disk into 2GB images, I would simply pass:

split=2G

The extension following the output file name can be formatted with the splitformat option. This option allows us to specify alphabetical or numerical extensions from 1 to 4 characters in length. Numerical extensions can either begin from 1 or from 0. The number of characters passed with the option defines the length of the extension. The following table provides some examples:

Option               Resulting extensions
splitformat=aa       *.aa   (two alphabetic chars)
                     *.ab
                     *.ac
splitformat=aaaa     *.aaaa (four alphabetic chars)
                     *.aaab
                     *.aaac
splitformat=000      *.000  (three numeric chars, starts with 000)
                     *.001
                     *.002
splitformat=111      *.001  (three numeric chars, starts with 001)
                     *.002
                     *.003

In addition, when using regular GNU dd, our hashing functions are performed external to the imaging, by either the md5sum or sha1sum commands, depending on the analyst's preference. dc3dd allows the user to run BOTH hashes concurrently on an acquisition and log the hashes.

We select our hash algorithm with the option hash=, specifying any of md5, sha1, sha256, sha512, or a comma separated list of algorithms. In this way you can select multiple hash methods for a single image file. These will be written to a log file we indicate (or to the terminal if no log is specified).


dc3dd also provides a hash window function. The hashwindow= option initiates piecewise hashing of the output, so you get a calculated hash over each specified number of bytes, which is then logged. This allows for a more granular view of the data integrity, should errors be encountered. The smaller the hash window, the more granular a view you have of the data.

So, to specify a hash window of 16 MB using both SHA1 and MD5, you would use the options:

    hash=md5,sha1 hashwindow=16M

Both the hash window values and the hash of the total image will be recorded either to the terminal or to a log file if one is specified. You can specify separate logs for error messages and hash values, or have both of them written to a single file. The options for logging are:

    hashlog=file    hashes are written to this log file.
    errlog=file     error messages are written to this file.
    log=file        both hashes and error messages are consolidated in a single log file.

Below is an example of a very basic dc3dd command used to image a small 256 MB thumb drive. Aside from the options covered above, we will also use the progress=on option. This option gives us a running count of the amount of data copied, as well as a running time and average data copied per second.


root@rock:~# dc3dd if=/dev/sda of=image.dc3dd progress=on hash=md5 hashwindow=32M split=64M splitformat=000 log=image.log.txt
<running>
5039104 bytes (4.8 M) copied, 2.07115 s, 2.3 M/s
<finished>
506880+0 records in
506880+0 records out
259522560 bytes (248 M) copied, 109.425 s, 2.3 M/s

root@rock:~# ls -lh
total 312M
-rw-r--r-- 1 root root 64M 2008-07-13 07:48 image.dc3dd.000
-rw-r--r-- 1 root root 64M 2008-07-13 07:48 image.dc3dd.001
-rw-r--r-- 1 root root 64M 2008-07-13 07:49 image.dc3dd.002
-rw-r--r-- 1 root root 56M 2008-07-13 07:49 image.dc3dd.003
-rw-r--r-- 1 root root 596 2008-07-13 07:49 image.log.txt


The options used above are:

    if=/dev/sda          input file is /dev/sda
    of=image.dc3dd       image is written to image.dc3dd (arbitrary extension).
    progress=on          shows imaging progress as described above
    hashwindow=32M       calculates a hash of the data every 32 megabytes
    hash=md5             describes the hash algorithm(s) to be used for each hash window and for the total image.
    split=64M            the image is split into 64 megabyte chunks.
    splitformat=000      the extensions on each image split will be three numerical characters, starting from 0.
    log=image.log.txt    both the calculated hash values and any error messages will be logged to the file image.log.txt

The resulting output (shown by our ls command above) gives us 4 split image files, with numerical extensions starting with 000. We also have a log file of our hashes and any error messages, which we can view with less or cat:

root@rock:~# cat image.log.txt
md5 0- 33554432: 3ef3e1146490631d10399be537b548ae
md5 33554432- 67108864: 84fb1bb69b5b8a9dfd2c0f61b9ebb72d
md5 67108864- 100663296: 9b025ba1d8e7a96eb666d5252bfd53cb
md5 100663296- 134217728: cac15f6afd76e0f9fd6c6cea93444f01
md5 134217728- 167772160: 26b9b1a732e0cf07591578392371e353
md5 167772160- 201326592: dde2fa565d6ea1a26a73466e0909f7ee
md5 201326592- 234881024: 58f06dd588d8ffb3beb46ada6309436b
md5 234881024- 259522560: a3e41cf8b32332ff504775ba44f49f3a
md5 TOTAL: c90ee2dfd36eae3aafd5fac9b8d2eb70
506880+0 records in
506880+0 records out
259522560 bytes (248 M) copied, 109.425 s, 2.3 M/s

As previously discussed, the log file contains our hashes and our error messages. Each line in the log starts with the hash algorithm and the hash window data range, followed by the calculated hash. The last hash line (or lines, if multiple algorithms are specified) gives the hash over the total image, which can be compared to a device hash, for example, to authenticate an acquisition.

The log file ends with the standard dd output which shows the number of records read and written. Even though it is not really an error message, this information is normally written to stderr (standard error output), hence its inclusion in an error log. The records are equivalent to the block size option. Since we did not specify an explicit block size, the dd default of 512 bytes is used.
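The log layout above lends itself to an independent re-check, which is worth doing before an image leaves your hands: the piecewise hashes are only useful if someone other than dc3dd can reproduce them. The script below is an added example for this guide, not part of dc3dd and not code from the original text. It reproduces dc3dd's hashwindow output with nothing more than tail, head and the coreutils md5sum/sha1sum programs, and verifies every window and TOTAL line of a dc3dd log against an image file. The ranges are taken as start inclusive, end exclusive, which is how the entries in the log above chain together; the image, log and window size in the usage comment are assumptions.

```shell
#!/bin/sh
# hashwindow-check.sh: recreate and verify dc3dd "hashwindow" logs with plain
# dd-style tools.  Added example for this guide, not part of dc3dd.
# Assumes: POSIX sh, tail/head accepting -c, and md5sum/sha1sum (coreutils).

# hash_range IMAGE ALG START END
#   Hash bytes [START, END) of IMAGE with ALG (md5, sha1, sha256 or sha512).
hash_range() {
    img=$1; alg=$2; start=$3; end=$4
    tail -c +$((start + 1)) "$img" | head -c $((end - start)) | "${alg}sum" | cut -d' ' -f1
}

# hashwindow_log IMAGE WINDOW ALG...
#   Print lines in the layout dc3dd writes to its hash log, e.g.
#     md5 0- 33554432: 3ef3e1146490631d10399be537b548ae
#     md5 TOTAL: c90ee2dfd36eae3aafd5fac9b8d2eb70
#   (one group per algorithm; the verifier below does not care about order).
hashwindow_log() {
    img=$1; win=$2; shift 2
    size=$(wc -c < "$img" | tr -d ' ')
    for alg in "$@"; do
        off=0
        while [ "$off" -lt "$size" ]; do
            end=$((off + win))
            if [ "$end" -gt "$size" ]; then end=$size; fi   # last, partial window
            printf '%s %s- %s: %s\n' "$alg" "$off" "$end" "$(hash_range "$img" "$alg" "$off" "$end")"
            off=$end
        done
        printf '%s TOTAL: %s\n' "$alg" "$("${alg}sum" < "$img" | cut -d' ' -f1)"
    done
}

# verify_hashwindow_log IMAGE LOG
#   Recompute each window and TOTAL entry of LOG against IMAGE.  Lines that are
#   not hash entries (dd's "records in/out" summary, error messages) are
#   ignored.  Prints OK/MISMATCH per entry and returns 1 if anything mismatched,
#   so a damaged window can be located without re-hashing by hand.
verify_hashwindow_log() {
    img=$1; log=$2; bad=0
    while read -r alg a b c; do
        case "$alg" in md5|sha1|sha256|sha512) ;; *) continue ;; esac
        if [ "$a" = "TOTAL:" ]; then
            label=TOTAL; expected=$b
            got=$("${alg}sum" < "$img" | cut -d' ' -f1)
        else
            start=${a%-}; end=${b%:}; label="$start-$end"; expected=$c
            got=$(hash_range "$img" "$alg" "$start" "$end")
        fi
        if [ "$got" = "$expected" ]; then
            echo "OK       $alg $label"
        else
            echo "MISMATCH $alg $label expected $expected got $got"
            bad=$((bad + 1))
        fi
    done < "$log"
    [ "$bad" -eq 0 ]
}

# Usage (file names assumed):
#   ./hashwindow-check.sh generate image.dc3dd $((32 * 1024 * 1024)) md5 > regenerated.log.txt
#   ./hashwindow-check.sh verify image.dc3dd image.log.txt
case "${1:-}" in
    generate) shift; hashwindow_log "$@" ;;
    verify)   shift; verify_hashwindow_log "$@" ;;
esac
```

If the acquisition was split, as in the example above, join the pieces first (cat image.dc3dd.* > image.dc3dd) so the byte offsets in the log line up with the file being checked; the TOTAL line alone can be checked directly with cat image.dc3dd.* | md5sum.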

One final note on dc3dd: Like regular dd, you can pass the option conv=noerror,sync to the command. This would allow our acquisition to read past any non-fatal disk errors and sync the output so that the resulting image might still be usable. While many practitioners suggest this option as a default for running dd related commands, I strongly urge against it. Some of the reasons for this will become more apparent in the following section on ddrescue. The bottom line is that if you need to use conv=noerror,sync then you are using the wrong tool.

Which brings us to ddrescue.

ddrescue

The real reason I decided to add a section to this document on alternative imaging tools was so that I could introduce ddrescue. Recent testing has shown that standard dd based tools are simply inadequate for acquiring disks that have a propensity for errors. This is NOT to say tools like dd, dc3dd or dcfldd are useless, far from it. They are just not optimal for error recovery.

This section is not meant to provide an education on disk errors, media failure, or types of failure. Nor is it meant to imply that any tool is better or worse than any other. I will simply describe the basic functionality and leave it to the reader to pursue the details.

First, let's start with some of the issues that arise with the use of common dd based tools. For the most part, these tools take a linear approach to imaging, meaning that they start at the beginning of the input file and read block by block until the end of the file is reached. When an error is encountered, the tool will either fail with an input/output error, or if a parameter such as conv=noerror is passed it will ignore the errors and attempt to read through them, continuing to read block by block until it comes across readable data again.
Obviously, simple failure (giving up when errors are encountered) is not good, as it means that any data in readable areas beyond the errors will be missed. The problem with ignoring the errors and attempting to read through them (conv=noerror) is that we are further stressing a disk that is already possibly on the verge of complete failure. The fact of the matter is that you may only get one chance at reading a disk that is exhibiting bad sectors. If there is an actual physical defect, the simple act of reading the bad areas may make matters worse, leading to disk failure before other viable areas of the disk are collected.


So, when we pass conv=noerror to an imaging command, we are actually asking our imaging tools to grind through the bad areas. Why not initially skip over the bad sections altogether, since in many cases recovery may be unlikely, and concentrate on recovering data from areas of the disk that are good? Once the good data is acquired, we can go back and attempt to collect data from the error areas.

In a nutshell, that is the philosophy behind ddrescue. Used properly, ddrescue will read the healthy portions of a disk first, and then fall back to recovery mode trying to read data from bad sectors. It does this through the use of some very robust logging, which allows it to resume any imaging job at any point, given a log file to work from.

Before we go any farther with a description, let's download and install ddrescue and have a look at its options. You can obtain ddrescue from:

http://www.gnu.org/software/ddrescue/ddrescue.html

Once the file is downloaded, we go through the same set of build and install commands we used for our previous tarball software archive. In this case, the file we obtain from the above site is a tar.bz2 archive rather than a tar.gz archive. This simply means that the compression is bzip2 rather than gzip. As a result, we use the j option with tar rather than the z option:
root@rock:~# tar xjvf ddrescue-1.8.tar.bz2
ddrescue-1.8/AUTHORS
ddrescue-1.8/COPYING
ddrescue-1.8/ChangeLog
ddrescue-1.8/INSTALL
ddrescue-1.8/Makefile.in
ddrescue-1.8/NEWS
<continues>

root@rock:~# cd ddrescue-1.8
root@rock:~/ddrescue-1.8# ./configure
creating config.status
creating Makefile
VPATH = .
...
CXXFLAGS = -Wall -W -O2
LDFLAGS =
OK. Now you can run make.
<continues>

root@rock:~/ddrescue-1.8# make
g++ -Wall -W -O2 -c -o arg_parser.o arg_parser.cc
g++ -Wall -W -O2 -c -o block.o block.cc
g++ -Wall -W -O2 -c -o ddrescue.o ddrescue.cc
g++ -Wall -W -O2 -c -o fillbook.o fillbook.cc
g++ -Wall -W -O2 -c -o logbook.o logbook.cc
g++ -Wall -W -O2 -c -o rescuebook.o rescuebook.cc
g++ -Wall -W -O2 -DPROGVERSION=\"1.8\" -c -o main.o main.cc
g++ -o ddrescue arg_parser.o block.o ddrescue.o fillbook.o logbook.o rescuebook.o main.o

root@rock:~/ddrescue-1.8# make install
if test ! -d /usr/local/share/info ; then install -d /usr/local/share/info ; fi
install -p -m 644 ./doc/ddrescue.info /usr/local/share/info/ddrescue.info
install-info /usr/local/share/info/ddrescue.info /usr/local/share/info/dir
if test ! -d /usr/local/bin ; then install -d /usr/local/bin ; fi
install -p -m 755 ./ddrescue /usr/local/bin/ddrescue

The documentation for ddrescue is excellent. The detailed manual is in an info page. The command info ddrescue will give you a great start understanding how this program works, including examples and the ideas behind the algorithm used. I'll run through the process here, providing a forensic perspective.

The first consideration when using any recovery software is that the disk must be accessible by the Linux kernel. If the drive does not show up in the /dev structure, then there's no way to get tools like ddrescue to work.

Next, we have to have a plan to recover as much data as we can from a bad drive. The prevailing philosophy of ddrescue is that we should attempt to get all the good data first. This differs from normal dd based tools, which simply attempt to get all the data at one time in a linear fashion. ddrescue uses the concept of splitting the errors. In other words, when an area of bad sectors is encountered, the errors are split until the good areas are properly imaged and the unreadable areas marked as bad. Finally, ddrescue attempts to retry the bad areas by re-reading them until we either get data or fail after a certain number of specified attempts.

There are a number of ingenious options to ddrescue that allow the user to try and obtain the most important part of the disk first, then move on until as much of the disk is obtained as possible. Areas that are imaged successfully need not be read more than once. As mentioned previously, this is made possible by some very robust logging. The log is written periodically during the imaging process, so that even in the event of a system crash the session can be restarted, keeping duplicate imaging efforts, and therefore disk access, to a minimum.

Given that we are addressing forensic acquisition here, we will concentrate all our efforts on obtaining the entire disk, even if it means multiple runs. The following examples will be used to illustrate how the most important options to ddrescue work for the forensic examiner. We will concentrate on detailing the imaging log used by ddrescue so that the user can see what is going on with the tool, and how it operates.

Let's look at a simple example of using ddrescue on media without errors, using a 1 GB thumb drive. The simplest way to run ddrescue is by providing the input file, output file and a name for our log file. Note that there is no if= or of=. In order to get a good look at how the log file works, we'll interrupt our imaging process halfway through, check the log, and then resume the imaging.
root@rock:~# ddrescue /dev/sda image.sda.ddr ddrlog.txt
Press Ctrl-C to interrupt
Initial status (read from logfile)
rescued:         0 B,  errsize:       0 B,  errors:       0
Current status
rescued:    341312 kB,  errsize:       0 B,  current rate:    1835 kB/s
   ipos:    341312 kB,   errors:       0,    average rate:    3038 kB/s
   opos:    341312 kB
Copying data...
Interrupted by user

Here we used /dev/sda as our input file, wrote the image to image.sda.ddr, and wrote the log to ddrlog.txt. Note the output shows the progress of the imaging by default, giving us a running count of the amount of data copied or rescued, along with a count of the number of errors encountered (in this case zero), and the imaging speed. I interrupted this process with the ctrl-c key combo after around 325 MB (of 1 GB) were copied. Now let's have a look at our log:


root@rock:~# cat ddrlog.txt
# Rescue Logfile. Created by GNU ddrescue version 1.8
# current_pos  current_status
0x14580200     ?
#      pos        size  status
0x00000000  0x14580200  +
0x14580200  0x28852000  ?


The log shows us the current status of the acquisition16. Lines starting with a # are comments. There are two sections of note. The first non-comment line shows the current status of the imaging while the second section (two lines, in this case) shows the status of various blocks of data. The values are in hexadecimal, and are used by ddrescue to keep track of those areas of the target device that have marked errors as well as those areas that have already been successfully read and written. The status symbols (taken from the info page) are as follows:

    Character    Meaning
    ?            non-tried
    *            bad area non-trimmed
    /            bad area non-split
    -            bad hardware block(s)
    +            finished

In this case we are concerned only with the '?' and the '+' (we'll get to the others later). Essentially, when the copying process is interrupted, the log is used to tell ddrescue where the copying left off, and what has already been copied (or otherwise marked). The first section (status) alone may be sufficient in this case, since ddrescue need only pick up where it left off, but in the case of a disk with errors, the block section is required so ddrescue can keep track of what areas still need to be retried as good data is sought among the bad. Translated, our log would tell us the following:

    # current_pos  current_status
    0x14580200     ?

The current imaging process is copying (?) data at byte offset 341312000 (0x14580200).

    #      pos        size  status
    0x00000000  0x14580200  +
    0x14580200  0x28852000  ?

The data block from offset 0 of size 341312000 bytes (0x14580200) has been successfully copied (+). The data block from offset 341312000 (0x14580200) and 679813120 bytes in size (0x28852000) is currently being copied (?).

Note also that the size of our partially copied file matches the size of the block of data marked finished in our log file:
16 The ddrescue info page has a very detailed explanation of the log file structure.

root@rock:~# ls -l image.sda.ddr
-rw-r--r-- 1 root root 341312000 2008-08-22 19:28 image.sda.ddr

We can continue and complete the copy operation now by simply re-invoking the same command. By specifying the same input and output files, and by providing the log file, we tell ddrescue to continue where it left off:


root@rock:~# ddrescue /dev/sda image.sda.ddr ddrlog.txt
Press Ctrl-C to interrupt
Initial status (read from logfile)
rescued:    341312 kB,  errsize:       0 B,  errors:       0
Current status
rescued:      1021 MB,  errsize:       0 B,  current rate:    1703 kB/s
   ipos:      1021 MB,   errors:       0,    average rate:    1966 kB/s
   opos:      1021 MB
Finished

The progress indicator starts at the input position (ipos) specified in the log, and continues from there. When finished, the log shows the fully completed image in the second section (marked again with a '+').

root@rock:~# cat ddrlog.txt
# Rescue Logfile. Created by GNU ddrescue version 1.8
# current_pos  current_status
0x3CDD0400     +
#      pos        size  status
0x00000000  0x3CDD2200  +
root@rock:~# echo "ibase=16;3CDD2200" | bc
1021125120
root@rock:~# ls -l image.sda.ddr
-rw-r--r-- 1 root root 1021125120 2008-08-22 21:09 image.sda.ddr

The above session shows the completed ddrescue command along with the contents of the log, which shows the status line informing of a completed image, and the block list now with a single entry from offset 0 for a size of 1021125120 bytes (0x3CDD2200). The completed block size matches the size of our image. Note the bc command to convert the hex value to decimal.

So that provides us an easy overview of ddrescue on a simple acquisition with one interruption, but no errors.

Bad Sectors - ddrescue

We've introduced two new imaging tools, dc3dd and ddrescue. We've shown an example of each in a simple acquisition, and now we are going to have a look at using them to acquire media with errors. In this case we will use a small 1.2 GB IDE disk with 15 bad sectors. This is not an artificially created disk, but a disk with actual errors.

We'll start with ddrescue and then compare with the results of dc3dd. As previously discussed, one of the main reasons we would try to use ddrescue over regular dd or dc3dd is that we can have it obtain the good data before trying to read all the bad sectors. This gives us a better chance of acquiring all of the readable portions of the disk. Recall that with ddrescue, we can make numerous passes, using the log file to determine what still needs to be read and added to our acquisition.

The plan:

- Use ddrescue to obtain only the portions of the disk that are good.
- Use the ddrescue log to go back and retry the bad areas, making 3 attempts at reading each bad sector. This is done without re-reading the whole disk.

So, using ddrescue, we'll do our first acquisition run, passing an option that tells it to avoid splitting the bad areas, and just read the good. This means that instead of breaking the bad areas of the disk into smaller parts, down to the hardware sector size, ddrescue will simply skip them, leaving them marked in the log file as bad areas that have not yet been split.

We've attached our disk to an EIDE controller, and found that it is detected as /dev/hdf. Now we run ddrescue:


root@rock:~# ddrescue -n /dev/hdf image.hdf.ddr ddrloghdf.txt
Press Ctrl-C to interrupt
Initial status (read from logfile)
rescued:         0 B,  errsize:       0 B,  errors:       0
Current status
rescued:     18350 kB,  errsize:       0 B,  current rate:    6291 kB/s
   ipos:     18350 kB,   errors:       0,    average rate:    6116 kB/s
   opos:     18350 kB
copying data...

The -n option tells ddrescue not to split the error areas down to individual sectors (and, with the default of zero retries, not to retry them). Once the imaging is complete we get:
root@rock:~# ddrescue -n /dev/hdf image.hdf.ddr ddrloghdf.txt
Press Ctrl-C to interrupt
Initial status (read from logfile)
rescued:      1281 MB,  errsize:   61440 B,  current rate:   33280 kB/s
   ipos:    850771 kB,   errors:      15,    average rate:    1930 kB/s
   opos:    850771 kB
Finished

Note the amount of data rescued is the size of our disk: 1281 MB. The number of errors is listed as 15 and the size of the error areas is 61440 bytes. One interesting note about the total error size is that it calculates to 4096 bytes per error (61440/15). If there were 15 bad sectors we would expect an error size of 7680 bytes (512*15). The difference is a result of kernel caching: reads that go through the buffer cache are done in 4096-byte pages, so a single unreadable 512-byte sector causes the whole 4096-byte page around it to fail. Obviously this is not desirable in a forensic acquisition (we want all the data we can get). We alleviate this issue by using direct access, where we bypass kernel caching. More on this later.

Looking at our resulting log, ddrloghdf.txt (shortened for readability):
root@rock:~# cat ddrloghdf.txt
# Rescue Logfile. Created by GNU ddrescue version 1.8
# current_pos  current_status
0x32B5C000     +
#      pos        size  status
0x00000000  0x32B77000  +
0x32B77000  0x00000E00  /
0x32B77E00  0x00000200  -
0x32B78000  0x00049000  +
0x32BC1000  0x00000E00  /
0x32BC1E00  0x00000200  -
<snip>
0x38684000  0x00000E00  /
0x38684E00  0x00000200  -
0x38685000  0x14013000  +


The first non-comment line of the log gives the position ddrescue was working on when the log was last saved, 850771968 (0x32B5C000), and the status character for the run (+, finished). We then have our areas where errors were detected. The errors in the log of our as-yet incomplete image are in groups of three entries, each marked with a different symbol. Using the second set in the above log, we see:

    0x32B78000  0x00049000  +    (finished copying, good data)
    0x32BC1000  0x00000E00  /    (data in a bad area not yet split)
    0x32BC1E00  0x00000200  -    (block is marked bad)
At this point, I would make one suggestion, from a forensic perspective: It might be a good idea to save a copy of each log, as it changes, between successive runs. The logging done by ddrescue is designed for recovery, not for documenting a forensic acquisition. By saving the log to a different file name between runs, you will have created a more complete picture of the forensic image as it goes through the error splitting and re-reading process.

Back to our acquisition. Now we need to go back and try and re-read the areas that are marked as non-split. We issue essentially the same command, using the same input and output file, and the same log file. This time we remove the -n option:
root@rock:~# ddrescue -d -r3 /dev/hdf image.hdf.ddr ddrloghdf.txt
Press Ctrl-C to interrupt
Initial status (read from logfile)
rescued:      1281 MB,  errsize:   61440 B,  errors:      15
Current status
rescued:      1281 MB,  errsize:   39936 B,  current rate:    2560 B/s
   ipos:    855198 kB,   errors:      19,    average rate:    4300 B/s
   opos:    855198 kB
splitting error areas...

rescued:      1281 MB,  errsize:    7680 B,  current rate:       0 B/s
   ipos:    946356 kB,   errors:      15,    average rate:     663 B/s
   opos:    946356 kB
Finished

The -r3 option is passed because we want ddrescue to try and re-read the bad areas 3 times before actually marking them bad. We also pass the -d option to specify direct access, and avoid the caching issue.

The final results show that we have the same 15 error areas, but they have been split down to a total error size of 7680 bytes (15 x 512). Note that in this case, the errors were unrecoverable, even with 3 tries. The log now shows our completed image, without split areas, but with each bad sector identified:


root@rock:~# cat ddrloghdf.txt
# Rescue Logfile. Created by GNU ddrescue version 1.8
# current_pos  current_status
0x38684000     +
#      pos        size  status
0x00000000  0x32B77800  +
0x32B77800  0x00000200  -
<snip>
0x38684000  0x00000200  -
0x38684200  0x14013E00  +

There are only finished areas and bad areas left in our log. And the bad areas are each a single 512 byte sector (size is 0x00000200).

We should also note that our resulting image is already synchronized. The bad areas of the image have been filled with null bytes. One interesting feature of ddrescue is the ability to fill the image's bad areas with a character of your choice. This can be useful in an exam to differentiate between zeroed sectors copied from the original media, versus bad sectors synchronized during the acquisition. See info ddrescue for more details.

Bad Sectors - dc3dd

Now we'll have a look at the same imaging job with dc3dd, and have a look at the result. Let's start with our most common acquisition parameters:
root@rock:~# dc3dd if=/dev/hdf of=image.hdf.dc3dd progress=on hash=md5 hashwindow=32M log=dc3ddloghdf.txt conv=noerror,sync
850884608 bytes (811 M) copied, 757.63 s, 1.1 M/s
dc3dd: reading `/dev/hdf': Input/output error
1661884+0 records in
1661884+0 records out
850884608 bytes (811 M) copied, 758.599 s, 1.1 M/s
851187200 bytes (812 M) copied, 758.908 s, 1.1 M/s
dc3dd: reading `/dev/hdf': Input/output error
1662474+1 records in
1662475+0 records out
851187200 bytes (812 M) copied, 759.806 s, 1.1 M/s
851489280 bytes (812 M) copied, 760.118 s, 1.1 M/s
<snip>
2503752+120 records in
2503872+0 records out
1281982464 bytes (1.2 G) copied, 1208.11 s, 1 M/s

With dc3dd, we use the same command we did in our previous example. Like regular dd, the conv=noerror,sync option tells dc3dd to ignore any errors, attempt to read past them, and write zeros to the image in order to keep it synchronized with the original. The sync is important because it keeps data structures properly aligned and allows, for example, a file system within the image to be properly mounted (assuming the damaged areas are not critical).

Note that our output shows 120 records (blocks) read as errors, ignored and sync'd. Given that each record is 512 bytes (the default block size), the amount of data lost is 61440 bytes. The same error size as our original ddrescue run. Luckily, recent versions of programs based on dd (including dc3dd) have a flag that allows for direct access. Again, this direct flag is passed to avoid kernel caching (in this case, 4096 byte pages).

Re-running our dc3dd command with iflag=direct, we get the following:
root@rock:~# dc3dd if=/dev/hdf of=image.hdf.dc3dd progress=on hash=md5 hashwindow=32M log=dc3ddloghdf.txt conv=noerror,sync iflag=direct
850884608 bytes (811 M) copied, 757.63 s, 1.1 M/s
dc3dd: reading `/dev/hdf': Input/output error
1661884+0 records in
1661884+0 records out
850884608 bytes (811 M) copied, 758.599 s, 1.1 M/s
851187200 bytes (812 M) copied, 758.908 s, 1.1 M/s
dc3dd: reading `/dev/hdf': Input/output error
1662474+1 records in
1662475+0 records out
851187200 bytes (812 M) copied, 759.806 s, 1.1 M/s
<snip>
946356224 bytes (903 M) copied, 857.745 s, 1.1 M/s
2503857+15 records in
2503872+0 records out
1281982464 bytes (1.2 G) copied, 1160.53 s, 1.1 M/s

We've ended up with essentially the same result as our ddrescue acquisition. We now have 15 errors of 512 bytes. The iflag option is new to the dd code, upon which dc3dd is based. Note that this is one reason I elected to cover dc3dd rather than dcfldd17. As a result of the fact that dcfldd is a fork of older dd code, it does not include a provision for a direct flag. One final option you might consider passing when dealing with errors and dc3dd is the errors=group option. This will suppress multiple lines of error output for consecutive errors, giving a much smaller log file in those cases where large numbers of consecutive sectors are marked as bad.

For the curious among you, the hashes for the ddrescue acquisition and the dc3dd acquisition do match.

So, what's the difference?
17 Note that you can still do direct I/O with dcfldd by accessing the target device through /dev/raw.

Bad Sector Acquisition - Conclusions

We acquired an IDE disk with what appears to be 15 bad sectors using two different tools. In this case, we arrived at the same result. So, asking the question again, what's the difference between the tools, and why select one over the other?

dc3dd is primarily a forensic imaging tool. It is designed specifically for acquiring images for examination. Its strength is in allowing a forensic analyst to control the output of the acquisition. It provides for very granular control over authentication, splitting, and forensic logging. It does handle errors, as we saw in the preceding section, but it is not specifically designed with a recovery algorithm in mind; it just reads from start to finish.

ddrescue is primarily a recovery tool. It is designed specifically for rescuing data from failing or damaged media. Its strength is in its ability to acquire the maximum amount of data from damaged media without simply grinding through an already damaged disk. The logging, while not particularly friendly, is geared toward directing successive runs at the data, not forensic documentation. If you are looking to attempt to acquire the data found within bad sectors, you have a much better shot at it with ddrescue.

While the results obtained in these examples do little to highlight the differences in the tools, other than the interface, keep in mind that every piece of media that exhibits errors is different. The degree of the error is never apparent. As such, your mileage with each tool will vary greatly.

One possible approach to this problem, if you prefer using acquisition tools designed for forensics (like dc3dd or dcfldd), would be to continue using your tool of choice, but without the conv=noerror option. Instead, let the acquisition fail if an error is found. You can then move to a tool like ddrescue to safely acquire whatever data is recoverable, with a chance at getting more than would otherwise be possible. Just keep in mind that if a disk is going bad, you may only have one shot at acquiring it.
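The approach just described, fail fast with dc3dd and only then hand the disk to ddrescue, together with the earlier plan of a good-areas-only pass followed by a retry pass, and the suggestion to keep a copy of the ddrescue log between passes, can be written down once so that it is done the same way every time. The script below is an added example, not a tool from this guide or from either project. The device path, output names, hash and split choices are assumptions to adjust per case; it must run as root, on a device behind your usual write-blocking precautions, and it uses the dc3dd and ddrescue 1.8 options covered in this section. The partial dc3dd image and its log are deliberately left in place as a record of the first attempt.

```shell
#!/bin/sh
# acquire-fallback.sh: fail-fast dc3dd acquisition with a ddrescue fallback.
# Added example for this guide, not a tool shipped with dc3dd or ddrescue.
# Assumptions: run as root; DEVICE is the evidence disk behind a write blocker;
# dc3dd with iflag=direct and ddrescue 1.8 options as used in this section.

# snapshot_log LOG PASSNAME
#   Copy the ddrescue log to LOG.PASSNAME and append its SHA-256 and a UTC
#   timestamp to LOG.history, so every stage of the recovery is preserved for
#   the case notes (the log itself is rewritten by the next ddrescue pass).
#   Prints the name of the copy.
snapshot_log() {
    log=$1; pass=$2; copy="$log.$pass"
    cp "$log" "$copy"
    if command -v sha256sum >/dev/null 2>&1; then
        sum=$(sha256sum "$copy" | cut -d' ' -f1)
    else
        sum=$(shasum -a 256 "$copy" | cut -d' ' -f1)
    fi
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$pass" "$sum" >> "$log.history"
    echo "$copy"
}

# acquire DEVICE BASENAME
#   Stage 1: dc3dd with hashing, splitting and a consolidated log, deliberately
#   WITHOUT conv=noerror,sync, so the first read error stops the run instead of
#   grinding through the bad area.
#   Stage 2 (only if stage 1 fails): ddrescue, good areas first (-n), then the
#   bad areas split and retried three times with direct I/O (-d -r3), with the
#   log snapshotted after each pass and the finished image hashed.
acquire() {
    dev=$1; base=$2
    if dc3dd if="$dev" of="$base.dc3dd" progress=on hash=md5,sha1 hashwindow=32M \
             split=2G splitformat=000 log="$base.dc3dd.log.txt" iflag=direct; then
        echo "dc3dd completed without read errors; hashes are in $base.dc3dd.log.txt"
        return 0
    fi
    echo "dc3dd stopped on a read error; continuing with ddrescue" >&2
    ddr="$base.ddr"; map="$base.ddr.log.txt"
    ddrescue -n "$dev" "$ddr" "$map"          # pass 1: everything readable, bad areas skipped
    snapshot_log "$map" pass1-no-split
    ddrescue -d -r3 "$dev" "$ddr" "$map"      # pass 2: split bad areas to sectors, 3 retries
    snapshot_log "$map" pass2-split-retry
    md5sum  "$ddr" > "$ddr.md5"               # hash the result for the notes
    sha1sum "$ddr" > "$ddr.sha1"
}

# Usage (arguments assumed):  ./acquire-fallback.sh acquire /dev/hdf case01
case "${1:-}" in
    acquire) acquire "$2" "$3" ;;
esac
```

Because the ddrescue image is already synchronized (bad sectors written as null bytes), the hashes written at the end can be compared directly with a hash of a later dc3dd conv=noerror,sync image of the same disk, which is the comparison made above when the two acquisitions were found to match.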


LIBEWF - Working with Expert Witness Files
One of the more ubiquitous forensic image formats found in the computer forensic world is the Expert Witness or EWF format. A number of popular GUI tools provide images by default in this format, and there are many tools that can read, convert or work with these images.

We will explore a set of tools here, belonging to the libewf project, that provide the ability to create, view, convert and work with expert witness evidence containers. We cover libewf before the other advanced forensic tools because it needs to be installed first in order to supply the required libraries to our other forensic tools for supporting these image formats. The libewf tools and detailed project information can be found at:

https://www.uitwisselplatform.nl/projects/libewf/

Download the most current version and extract the contents of the tarball. Note we are using version 20080501 in this document:
root@rock:~# tar xzvf libewf-20080501.tar.gz
libewf-20080501/
libewf-20080501/Makefile.in
libewf-20080501/COPYING
libewf-20080501/depcomp
libewf-20080501/ltmain.sh
libewf-20080501/compile
libewf-20080501/ChangeLog
libewf-20080501/INSTALL
<continues>

Installation of libewf follows the same routine we used to previously install dc3dd. As always, read the INSTALL file in the extracted directory to ensure the package uses this common method. Recall the commands we use are:

    ./configure
    make
    make install

The first command configures the build environment, the second command calls the compiler and builds the tools, and the third command installs the tools (and libraries) to the proper locations.


root@rock:~# cd libewf-20080501
root@rock:~/libewf-20080501# ./configure
checking for a BSD-compatible install... /usr/bin/ginstall -c
checking whether build environment is sane... yes
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking build system type... i686-pc-linux-gnu
<continues>

Again, assuming no errors, we type make and watch as the compiler does its thing:
root@rock:~/libewf-20080501# make
Making all in libewf
make[1]: Entering directory `/root/Tools/libewf-20080501/libewf'
make  all-am
make[2]: Entering directory `/root/Tools/libewf-20080501/libewf'
if /bin/sh ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I. -I. -I../include -g -O2 -Wall -MT ewf_compress.lo -MD -MP -MF ".deps/ewf_compress.Tpo" -c -o ewf_compress.lo ewf_compress.c; \
<continue>

Our newly compiled tools are placed in the ewftools directory. We will cover the following tools briefly here:

    ewfinfo
    ewfverify
    ewfexport
    ewfacquire
    ewfacquirestream

Now we use make install to put the commands in the proper path:
root@rock:~/libewf-20080501# make install
Making all in libewf
make[1]: Entering directory `/root/libewf-20080501/libewf'
make
Making install in common
make[1]: Entering directory `/root/libewf-20080501/common'
make[2]: Entering directory `/root/libewf-20080501/common'
make[2]: Nothing to be done for `install-exec-am'.
make[2]: Nothing to be done for `install-data-am'.
make[2]: Leaving directory `/root/libewf-20080501/common'
make[1]: Leaving directory `/root/libewf-20080501/common'
Making install in libewf
<continue>


Once the installation is complete we can move straight to using the tools. Proper paths have already been set, and the libraries required by other programs to use the support of libewf are available. On some systems, you may run into an initial problem where calling a tool results in a library not found error. If that is the case on your particular system, simply run the command ldconfig and try again.

To start, let's talk about those situations where you've been provided a set of image files (or file) that were obtained using a popular Windows forensic tool. There will be times where you would like to read the metadata included with the images, verify the contents of the images, or export or convert the images to a bitstream (commonly referred to as dd) format. This is where the libewf tools come in handy. They operate at the Linux command line, don't require any other special software, license, or dongle and are very fast. We will use a copy of an NTFS practical exercise image we will use in our upcoming Sleuthkit exercises. This particular copy is in EWF format. The file can be obtained from:

http://www.LinuxLEO.com/Files/ntfs_pract.E01

The first thing we can do is run the ewfinfo command on the image file. This will return the metadata from the image file that includes acquisition and media information. We learn the version of the software that the image was created with, along with the collection platform, date of acquisition, name of the examiner that created the image with the description and notes. Have a look at the output of ewfinfo on our E01 file:


root@rock:~# ewfinfo ntfs_pract.E01
ewfinfo 20080501 (libewf 20080501, zlib 1.2.3, libcrypto 0.9.8, libuuid)

Acquiry information
        Case number:              NTFS_Practical
        Description:              NTFS_pract
        Examiner name:            Joe Agent
        Evidence number:          NTFS_pract
        Notes:                    This is a practice Image (e01 format)
        Acquiry date:             26/06/2007 10:58:13
        System date:              26/06/2007 10:58:13
        Operating system used:    Windows XP
        Software version used:    5.04
        Password:                 N/A

Media information
        Media type:               fixed disk
        Media is physical:        yes
        Amount of sectors:        1024000
        Bytes per sector:         512
        Media size:               524288000
        Error granularity:        64
        Compression type:         good (fast) compression
        GUID:                     7b4bd359-960b-e845-93b4-2ae39474fed4
        MD5 hash in file:         d3c4659e4195c6df1da3afdbdc0dce8f

Notice that the last line in the output provides us with an MD5 hash of the data in the file. Don't confuse this with the hash of the file itself. A file in EWF format stores the original data from the media that was imaged along with a series of CRC checks and metadata. The hash of the E01 file will NOT match the hash of the original media imaged. The hash of the original media, and therefore of the data collected, is recorded in the EWF file for later verification.

If we are given an E01 file, or a set of EWF files (E01, E02, etc.), and we want to simply verify that the data within the file is consistent with the data collected at the time of imaging, we can use the ewfverify command. This command re-hashes the data contained within the file (disregarding the metadata) and compares the hash obtained with the MD5 hash in file.

You can see from our output below that the ntfs_pract.E01 file verifies without error. The hash obtained during the verification matches that stored within the file:

root@rock:~# ewfverify ntfs_pract.E01
ewfverify 20080501 (libewf 20080501, zlib 1.2.3, libcrypto 0.9.8, libuuid)

Verify started at: Tue Aug 21 10:07:07 2007
This could take a while.

Status: at 3%.
        verified 18 MB (19202048 bytes) of total 500 MB (524288000 bytes).
        completion in 32 second(s) with 15 MB/s (15887515 bytes/second).

... (edited for brevity)

Verify completed at: Tue Aug 21 10:07:10 2007

Read: 500 MB (524288000 bytes) in 3 second(s) with 166 MB/s (174762666 bytes/second).
MD5 hash stored in file:            d3c4659e4195c6df1da3afdbdc0dce8f
MD5 hash calculated over data:      d3c4659e4195c6df1da3afdbdc0dce8f

ewfverify: SUCCESS

Another useful tool in the libewf arsenal is ewfexport. This tool allows you to take an EWF file and convert it to a bitstream image file, essentially removing the metadata and leaving us with the data.

It is interesting to note that ewfexport actually writes to standard output by default, making it suitable for piping to other commands. We can use the -t option to write to a file. Using ewfexport's ability to write to standard out, we see that we can actually convert the E01 file to bitstream and pipe the data directly to md5sum to obtain the same hash as we did with ewfverify:


root@rock:~# ewfexport ntfs_pract.E01 | md5sum
ewfexport 20080501 (libewf 20080501, zlib 1.2.3, libcrypto 0.9.8, libuuid)

Information for export required, please provide the necessary input
Start export at offset (0 >= value >= 524288000) [0]:
Amount of bytes to export (0 >= value >= 524288000) [524288000]:

Export started at: Tue Aug 21 10:11:26 2007

... (edited for brevity)

Status: at 71%.
        exported 357 MB (374439936 bytes) of total 500 MB (524288000 bytes).
        completion in 1 second(s) with 125 MB/s (131072000 bytes/second).

Export completed at: Tue Aug 21 10:11:29 2007

Written: 500 MB (524288000 bytes) in 3 second(s) with 166 MB/s (174762666 bytes/second).
d3c4659e4195c6df1da3afdbdc0dce8f  -

The ewfexport command first asks us for some information on what we want to export from the EWF file (the default is start to end). The data is exported and piped through the md5sum command. The last line of output shows the expected MD5 hash for the data, and the input file is shown as "-", signifying that the md5sum command was reading the standard output coming through the pipe.

If we want to export the EWF file to a bitstream image, we use the -t (for "target") option. In the command below, we create the file ntfs_image.dd using ewfexport and check the MD5 hash:


root@rock:~# ewfexport -t ntfs_image.dd ntfs_pract.E01
ewfexport 20080501 (libewf 20080501, zlib 1.2.3, libcrypto 0.9.8, libuuid)

Information for export required, please provide the necessary input
Start export at offset (0 >= value >= 524288000) [0]:
Amount of bytes to export (0 >= value >= 524288000) [524288000]:

Export started at: Tue Aug 21 10:13:51 2007
This could take a while.

Status: at 7%.
        exported 39 MB (40927232 bytes) of total 500 MB (524288000 bytes).
        completion in 13 second(s) with 35 MB/s (37449142 bytes/second).

... (edited for brevity)

Status: at 88%.
        exported 444 MB (466386944 bytes) of total 500 MB (524288000 bytes).
        completion in 0 second(s) with 125 MB/s (131072000 bytes/second).

Export completed at: Tue Aug 21 10:13:55 2007

Written: 500 MB (524288000 bytes) in 4 second(s) with 125 MB/s (131072000 bytes/second).

root@rock:~# md5sum ntfs_image.dd
d3c4659e4195c6df1da3afdbdc0dce8f  ntfs_image.dd

Here we have written a new file called ntfs_image.dd, a bitstream image file exported from ntfs_pract.E01. The hash obtained afterward matches the expected hash from our original EWF file.

Finally, we will have a quick look at ewfacquire and ewfacquirestream. These two commands are used to create EWF files that can be used in other programs. The easiest way to describe how ewfacquire works is to watch it run. There are a number of options available with the command. To get a short list, just run the command by itself with no options. To obtain an image, simply issue the command with the name of the file or physical device you wish to image. The program will prompt you for required information, to be stored with the data in the EWF format:
root@rock:~# ewfacquire /dev/sdb
ewfacquire 20080501 (libewf 20080501, zlib 1.2.3, libcrypto 0.9.8, libuuid)

Acquiry parameters required, please provide the necessary input
Image path and filename without extension: /root/ntfs_ewf
Case number: 111-222
Description: Removable media (generic thumbdrive)
Evidence number: 1
Examiner name: Barry Grundy
Notes: Seized from subject
Media type (fixed, removable) [fixed]: removable
Volume type (logical, physical) [physical]: physical
Use compression (none, fast, best) [none]: fast
Use EWF file format (ewf, smart, ftk, encase1, encase2, encase3, encase4, encase5, encase6, linen5, linen6, ewfx) [encase5]: encase5
Start to acquire at offset (0 >= value >= 524288000) [0]:
Amount of bytes to acquire (0 >= value >= 524288000) [524288000]:
Evidence segment file size in kbytes (2^10) (1440 >= value >= 2097152) [665600]:
The amount of sectors to read at once (64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768) [64]:
The amount of sectors to be used as error granularity (1 >= value >= 64) [64]:
The amount of retries when a read error occurs (0 >= value >= 255) [2]:
Wipe sectors on read error (mimic EnCase like behavior) (yes, no) [yes]:

The following acquiry parameters were provided:
Image path and filename:            /root/ntfs_ewf.E01
Case number:                        111-222
Description:                        Removable media (generic thumbdrive)
Evidence number:                    1
Examiner name:                      Barry Grundy
Notes:                              Seized from subject
Media type:                         removable
Volume type:                        physical
Compression used:                   fast
EWF file format:                    EnCase 5
Acquiry start offet:                0
Amount of bytes to acquire:         524288000
Evidence segment file size:         665600 kbytes
Block size:                         64 sectors
Error granularity:                  64 sectors
Retries on read error:              2
Wipe sectors on read error:         yes

Continue acquiry with these values (yes, no) [yes]: yes

Acquiry started at: Tue Aug 21 10:21:55 2007

... (edited for brevity)

Acquiry completed at: Tue Aug 21 10:22:31 2007

MD5 hash calculated over data:      d3c4659e4195c6df1da3afdbdc0dce8f

In the above command session, the user's input is shown after each prompt. In places where there is no input provided, the defaults are used. Notice that ewfacquire gives you several options for image formats that can be specified. The file(s) specified by the user are given an E** extension and placed in the path directed by the user. Finally, an MD5 hash is provided at the end of the output for verification.

Last, but not least, ewfacquirestream acts much like ewfacquire, but allows for data to be gathered via standard input. The most obvious use for this is taking data passed by a program like netcat.

Recall our "DD over the Wire" exercise. In that exercise, the data was sent across the network from our SUBJECT computer (booted with a Linux boot disk) using dd and netcat (nc) to our listening netcat process on our collection box IP address and port:

Subject computer:
root@bootdisk~ # dd if=/dev/sda | nc 192.168.55.20 2525

...Once the data reached the destination collection computer, the listening netcat process piped the output to the dd command, and the file was written exactly as it came across, as a bitstream image. Remember that the command on the collection computer must be run first, so that it is listening for the data before the command is run on the subject computer. Also remember that nc provides no authentication or encryption: the listener accepts whatever connects to it first, so this should only be done on an isolated acquisition network.

Collection computer:


root@rock:~ # nc -l -p 2525 | dd of=/mnt/evid/net_image.dd

By using ewfacquirestream, we can create EWF files instead of a bitstream image. We simply pipe the output stream from netcat to ewfacquirestream. If we do not wish to have the program use default values, then we issue the command with options that define how we want the image made (sectors, hash algorithms, error handling, etc.) and what information we want stored. The command on the subject machine remains the same. The command on the collection box would look something like this (utilizing many of the command defaults):

Collection computer using ewfacquirestream:

root@rock:~ # nc -l -p 2525 | ewfacquirestream -C 111-222 -D 'removable thumb drive' \
    -e 'Barry Grundy' -E '1' -f encase5 -m removable -M physical \
    -N 'Seized from subject' -t /mnt/evid/net_image

This command takes the output from netcat (nc) and pipes it to ewfacquirestream:

  - the case number is specified with -C
  - the evidence description is given with -D
  - the examiner is given with -e
  - the evidence number with -E
  - the EnCase 5 format is specified with -f encase5
  - the media type is given with -m
  - the volume type is given with -M
  - notes are provided with -N
  - the target path and file name are specified with -t /path/file

No extension is given, and ewfacquirestream automatically appends an E01 extension to the resulting file. As with ewfacquire, the MD5 hash calculated over the received data is reported when the acquisition finishes; record it, since it is the only hash you will have of what actually arrived.

To get a complete list of options, look at the man pages, or run the command with the -h option.

Sleuthkit
The first of the recovery tools we will cover here is actually not a GUI tool at all, but rather a collection of command line tools.[18]

The Sleuthkit is written by Brian Carrier and maintained at http://www.sleuthkit.org. It is partially based on The Coroner's Toolkit (TCT) originally written by Dan Farmer and Wietse Venema. The Sleuthkit adds additional file system support (FAT and NTFS). Additionally, the Sleuthkit allows you to analyze various file system types regardless of the platform you are currently working on. The current version, as of this writing, is 3.0x. Go to the "downloads" section of the Sleuthkit website (http://www.sleuthkit.org) and grab the latest copy. For the sake of simplicity, let's download the file to our /root (root user's home) directory.

Note that with the release of version 3.x, there are a number of very significant changes to the Sleuthkit over previous versions. Most noteworthy, as of the 2.x series, is the inclusion of direct support for full disk images (rather than just partitions) and split disk images. Also, there have been a number of significant changes in the new 3.x version, including renamed tools and changes to the programs that affect the way deleted files are dealt with.

Let's start with a discussion of the tools first. Most of this information is readily available in the Sleuthkit documentation or on the Sleuthkit website. The Sleuthkit's tools are organized by what the author calls a "layer" approach:

  Media management layer:               mmls, mmcat, mmstat
  File system layer:                    fsstat
  File name layer (Human Interface):    fls, ffind
  Meta data (inode) layer:              icat, ils, ifind, istat
  Content (data) layer:                 blkcalc, blkcat, blkls, blkstat

We also have tools that address physical disks and tools that address the journals of some file systems:

  Journal tools:    jcat, jls
  Disk tools:       disk_stat, disk_reset

[18] Note that I have removed the Autopsy section from this version of the guide. I find that I do not use Autopsy much at all. And trying to discuss a tool that you don't use often can be bothersome... especially in a classroom full of inquisitive students that are often smarter than the instructor.


Notice that the commands that correspond to the analysis of a given layer begin with a common letter. For example, the file system command starts with "fs", the inode (metadata) layer commands start with "i", and so on.

If the "layer" approach referenced above seems a little confusing to you, you should take the time to read the Sleuthkit's README.txt file. The author does a fine job of defining and describing these layers and how they fit together for a forensic analysis. Understanding that the Sleuthkit tools operate at different layers is extremely important.

It should be noted here that the output of each tool is specifically tailored to the file system being analyzed. For example, the fsstat command is used to print file system details. The structure of the output and the descriptive fields change depending on the target file system. This will become apparent throughout the exercises.

In addition to the tools already mentioned, there are some miscellaneous tools included with the Sleuthkit that don't fall into the above categories:

  sorter        categorizes allocated and unallocated files based on type (images, executables, etc). Extremely flexible and configurable.
  img_cat       allows for the separation of metadata and original data from image files (media duplication, not pictures).
  img_stat      provides information about a forensic image. The information it provides is dependent on the image format (aff, ewf, etc.).
  hfind         hash lookup tool. Creates and searches an indexed database.
  sigfind       searches a given file (forensic image, disk, etc.) for a hex signature at any specified offset (sector boundary).
  mactime       creates a time line of file activity. VERY useful for intrusion investigations where temporal relationships are critical.
  srch_strings  like the standard BSD strings command, but with the ability to parse different encodings.

Sleuthkit Installation and System Prep

Installation is easy. You can simply untar the file, then change into the resulting directory:
root@rock:~# tar xzvf sleuthkit-3.0.0.tar.gz
sleuthkit-3.0.0/
sleuthkit-3.0.0/aclocal.m4
sleuthkit-3.0.0/CHANGES.txt
sleuthkit-3.0.0/config/
<continues>
root@rock:~# cd sleuthkit-3.0.0
root@rock:~/sleuthkit-3.0.0 #

Take a moment to read the included documentation (README.txt is a good place to start). We will continue with a short description in this document, but most of what you need to know is right there.

Compiling the tools has changed significantly as of version 2.50 of the Sleuthkit. Previously, the programs were compiled with a simple make command, and libraries that provided a number of features were simply included with the package. Now, the program is compiled and built "manually", so support for external libraries (and their versions) is up to the user. For example, the libewf package (covered earlier), which provides support for Expert Witness format images, must be properly installed before installing the Sleuthkit if you want support for EnCase format images. This is why we covered libewf and installed it first.

As with the libewf package, the new versions of the Sleuthkit are compiled and installed using the same basic set of commands as other "tarball" source distributions. Inside the directory we extracted above, we use the commands:

  ./configure
  make
  make install

The first step is to configure the package for compilation. This is where support is added for our previously installed libewf package. Note the output of the command at the end of the configure process in the following output:

root@rock:~/sleuthkit-3.0.0 # ./configure
checking for a BSD-compatible install... /usr/bin/ginstall -c
checking whether build environment is sane... yes
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
...
checking for libewf_open in -lewf... yes
configure: creating ./config.status
config.status: creating Makefile
<continues>

During the configure process you'll note the line "checking for libewf_open in -lewf... yes", showing that the Sleuthkit detected the libewf install and will include support, so that the tools can be used on EWF (.E01) files. If that line says "no", stop and fix the libewf installation (or run ldconfig) before continuing, since the tools built from here on will not read E01 files.

Next, we run the make command to compile the tools.


root@rock:~/sleuthkit-3.0.0 # make
Making all in tsk3
make[1]: Entering directory `/root/sleuthkit-3.0.0/tsk3'
make  all-recursive
make[2]: Entering directory `/root/sleuthkit-3.0.0/tsk3'
Making all in base
make[3]: Entering directory `/root/sleuthkit-3.0.0/tsk3/base'
source='md5c.c' object='md5c.lo' libtool=yes \
depfile='.deps/md5c.Plo' tmpdepfile='.deps/md5c.TPlo' \
depmode=gcc3 /bin/sh ../../config/depcomp \
<compiler output>

If you run into any problems, read the INSTALL.txt document. When the compiling is finished, you will find the Sleuthkit tools located in the various sleuthkit-3.x/tools/* directories. The man pages for each command are located in the sleuthkit-3.x/man directory.

At this point we are ready to complete the install:


root@rock:~/sleuthkit-3.0.0 # make install
Making install in tsk3
make[1]: Entering directory `/root/sleuthkit-3.0.0/tsk3'
Making install in base
make[2]: Entering directory `/root/sleuthkit-3.0.0/tsk3/base'
make[3]: Entering directory `/root/sleuthkit-3.0.0/tsk3/base'
make[3]: Nothing to be done for `install-exec-am'.
make[3]: Nothing to be done for `install-data-am'.
make[3]: Leaving directory `/root/sleuthkit-3.0.0/tsk3/base'
make[2]: Leaving directory `/root/sleuthkit-3.0.0/tsk3/base'
Making install in img
<continues>

This places the Sleuthkit commands in /usr/local/bin/ and the man pages (manual pages for each command) in /usr/local/man. Various header files and libraries used by the system are also copied to the proper locations.

Sleuthkit Exercises

Since the very first versions of this document, one of the most commonly requested additions has always been a more complete introduction to the Sleuthkit tools. I have been asked many, many times to add more exercises that include more of the tools and some of the more common file systems encountered by the average investigator. So, to that end, I've added a couple of new comprehensive exercises and a more thorough explanation of the available tools.

We are going to start with a quick sample analysis using just a few of the Sleuthkit command line tools. Like all of the other exercises in this document, I'd suggest you follow along if you can. Using these commands on your own is the only way to really learn the techniques. Read the included man pages and play with the options to obtain other output. The image files used in the following examples are available for download. Get your hands on the keyboard and follow along.

Sleuthkit Exercise #1 - Deleted File Identification and Recovery

Let's start our tour of the Sleuthkit with one of the tools introduced in version 2 of the Sleuthkit, img_stat. This command is used to display the forensic image attributes, including the type of image and the format.

If we run the command against our able2.dd image, we see the following output. Note that we are running the command from within the /root/able2 directory, so there's no need to provide the full path to the target image.
root@rock:~# cd able2
root@rock:~/able2 # img_stat able2.dd
IMAGE FILE INFORMATION
--------------------------------------------
Image Type: raw
Size in bytes: 345830400
root@rock:~/able2 #

Since this is just a dd image, we see that the Image Type is listed as raw, and we are given the size of the image in bytes.

Very quickly, let's split our able2.dd file and see what the output from img_stat looks like when run on split files. We are going to split the original image file /root/able2/able2.dd into 100MB chunks (note that we use the -d option to get our splits numbered), then run img_stat on the splits:


root@rock:~/able2 # split -d -b 100m able2.dd able2.split.
root@rock:~/able2 # ls -lh able2.split.0*
-rw-r--r-- 1 root root 100M Mar 21 15:11 able2.split.00
-rw-r--r-- 1 root root 100M Mar 21 15:11 able2.split.01
-rw-r--r-- 1 root root 100M Mar 21 15:11 able2.split.02
-rw-r--r-- 1 root root  30M Mar 21 15:12 able2.split.03
root@rock:~/able2 # img_stat able2.split.0*
IMAGE FILE INFORMATION
--------------------------------------------
Image Type: split
Size in bytes: 345830400

--------------------------------------------
Split Information:
able2.split.00  (0 to 104857599)
able2.split.01  (104857600 to 209715199)
able2.split.02  (209715200 to 314572799)
able2.split.03  (314572800 to 345830399)
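Before handing a split set to img_stat or mmls, it is worth confirming that the segments really do reassemble to the original image, which is the same question ewfverify and "ewfexport | md5sum" answered for the E01 file: the hash that matters is the one over the data, not over any single container file. The Python script below is an added example, not part of the original guide or of the Sleuthkit. It reproduces the byte-range table that img_stat prints under "Split Information", finds which segment holds a given absolute offset, and hashes the segments in sequence so that the result equals md5sum of the unsplit image without ever writing the reassembled file to disk. The image it works on is constructed for the demonstration (a 1000-byte demo.dd split into 300-byte demo.split.00 through demo.split.03); it is not the able2 image.

```python
import hashlib
import os
import tempfile


def split_table(segment_paths):
    """Order the segments as the tools expect and return
    [(path, first_byte, last_byte), ...], the byte ranges img_stat prints
    under 'Split Information'.  Numeric suffixes from 'split -d' (.00, .01,
    ...) and the default alphabetic ones (.aa, .ab, ...) both sort correctly
    as plain strings."""
    table, offset = [], 0
    for path in sorted(segment_paths):
        size = os.path.getsize(path)
        table.append((path, offset, offset + size - 1))
        offset += size
    return table


def segment_for_offset(table, byte_offset):
    """Locate the segment holding an absolute byte offset of the image and
    return (segment_path, offset_inside_segment)."""
    for path, first, last in table:
        if first <= byte_offset <= last:
            return path, byte_offset - first
    raise ValueError("offset %d lies beyond the end of the image" % byte_offset)


def md5_of_split_set(table, chunk=1 << 20):
    """Hash the segments in order through one MD5 context.  This equals
    'cat demo.split.* | md5sum' on the reassembled image, but reads each
    segment once and never materialises the joined file."""
    h = hashlib.md5()
    for path, _, _ in table:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
    return h.hexdigest()


def make_demo_split_set(directory, image_bytes, segment_size):
    """Constructed data: write a fake raw image and split it the way
    'split -d -b SIZE demo.dd demo.split.' would."""
    image_path = os.path.join(directory, "demo.dd")
    with open(image_path, "wb") as f:
        f.write(image_bytes)
    segments = []
    for n, start in enumerate(range(0, len(image_bytes), segment_size)):
        seg = os.path.join(directory, "demo.split.%02d" % n)
        with open(seg, "wb") as f:
            f.write(image_bytes[start:start + segment_size])
        segments.append(seg)
    return image_path, segments


def demo():
    """Split a constructed 1000-byte image into 300-byte segments and show
    that the split set hashes to the same value as the whole image."""
    image = bytes(range(256)) * 3 + b"\x00" * 232        # 1000 bytes, constructed
    with tempfile.TemporaryDirectory() as d:
        image_path, segments = make_demo_split_set(d, image, 300)
        table = split_table(segments)
        with open(image_path, "rb") as f:
            whole_md5 = hashlib.md5(f.read()).hexdigest()
        seg, inner = segment_for_offset(table, 650)
        return {
            "ranges": [(os.path.basename(p), a, b) for p, a, b in table],
            "split_md5": md5_of_split_set(table),
            "whole_md5": whole_md5,
            "segment_for_650": (os.path.basename(seg), inner),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Point split_table() at a real set (for example glob("able2.split.*")) and compare md5_of_split_set() with the hash recorded when the image was taken. If a set will have more than 99 pieces, create it with a longer suffix (split -a 3 -d) so the names still sort in the order the byte ranges require.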

So, in the first command above, we split the able2.dd file. We then do an ls -lh to see the resulting splits and their sizes. Finally, the Sleuthkit's img_stat command is executed, and we see that it recognizes the split files and gives us the byte offsets of each split.

Now let's have a look at a couple of the file system and file name layer tools, fsstat and fls. We will run them against our able2 images. Keep in mind that in older versions of the Sleuthkit, we needed to carve the partitions out of the image to use with the tools. As of version 2.00, Sleuthkit tools have been able to look directly at the whole disk image. An offset must still be passed to the tool in order for it to see the target file system.

We have already used sfdisk to determine partition offsets within a dd image. The Sleuthkit also comes with a tool, mmls, that does much the same thing, providing access to the partition table within an image and giving the partition offsets in sector units. As with many of the Sleuthkit tools, there is a certain amount of "intelligence" built into the command. If you do not pass the proper image type (with the -i option) or the proper partition table type (for example, specifying that this is a "dos" partition table with the -t option), the Sleuthkit will attempt to guess the proper parameters. For the sake of correctness, we will use the options -i and -t to pass the image type (either split or raw) and the type of partition table.
root@rock:~/able2 # mmls -i split -t dos able2.split.0*
DOS Partition Table
Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000056   0000000056   Unallocated
02:  00:00   0000000057   0000010259   0000010203   Linux (0x83)
03:  00:01   0000010260   0000112859   0000102600   Linux (0x83)
04:  00:02   0000112860   0000178694   0000065835   Linux Swap / Solaris
05:  00:03   0000178695   0000675449   0000496755   Linux (0x83)
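mmls gets those sector numbers by reading the DOS partition table in sector 0 of the image: four 16-byte entries at byte offset 0x1BE, each carrying a type byte, a 32-bit little-endian starting LBA and a 32-bit sector count, followed by the 0x55AA signature. The script below is an added example, not from the guide or from the Sleuthkit, that parses that structure by hand and converts each start sector to a byte offset, which is the number you would give to dd (bs=512 skip=N) or to mount -o offset=. It builds its own sector 0 in memory from the able2 layout shown above (the start and length values are taken from the mmls output; the CHS bytes, the helper names and the description strings are assumptions made for the demonstration) and fills in the unallocated gaps the way mmls does.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE                      # first of the four 16-byte entries
ENTRY = struct.Struct("<B3sB3sII")        # status, CHS, type, CHS, LBA start, sector count
TYPE_NAMES = {0x82: "Linux Swap / Solaris", 0x83: "Linux"}   # only the types used here


def parse_dos_table(sector0):
    """Parse the primary DOS partition table from the first 512 bytes of an
    image.  Returns one dict per used slot with start/end/length in sectors
    and the byte offset for dd skip= (with bs=512) or mount -o offset=."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA signature: not a DOS partition table")
    parts = []
    for slot in range(4):
        off = TABLE_OFFSET + ENTRY.size * slot
        _status, _chs1, ptype, _chs2, lba, count = ENTRY.unpack_from(sector0, off)
        if ptype == 0 or count == 0:
            continue                                   # unused slot
        parts.append({
            "slot": "00:%02d" % slot,
            "type": ptype,
            "desc": TYPE_NAMES.get(ptype, "Unknown"),
            "start": lba,
            "end": lba + count - 1,
            "length": count,
            "byte_offset": lba * SECTOR,
        })
    return parts


def layout_rows(parts, total_sectors):
    """Turn the parsed entries into the rows mmls prints: the table sector
    itself, any unallocated gaps, and each partition sorted by start."""
    rows = [("-----", 0, 0, 1, "Primary Table (#0)")]
    cursor = 1
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            rows.append(("-----", cursor, p["start"] - 1, p["start"] - cursor, "Unallocated"))
        rows.append((p["slot"], p["start"], p["end"], p["length"],
                     "%s (0x%02x)" % (p["desc"], p["type"])))
        cursor = p["end"] + 1
    if cursor < total_sectors:
        rows.append(("-----", cursor, total_sectors - 1, total_sectors - cursor, "Unallocated"))
    return rows


def build_demo_sector0(layout):
    """Constructed data: a sector 0 carrying the given (type, start, length)
    entries.  The CHS fields get the 0xFE 0xFF 0xFF 'use LBA' filler; a real
    MBR may carry real CHS values, which the parser ignores anyway."""
    sector = bytearray(SECTOR)
    for slot, (ptype, start, length) in enumerate(layout):
        ENTRY.pack_into(sector, TABLE_OFFSET + ENTRY.size * slot,
                        0x00, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, length)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


# Start and length values as reported by mmls for able2 (assumed here to be
# the whole table); 345830400 bytes / 512 = 675450 sectors.
ABLE2_LAYOUT = [(0x83, 57, 10203), (0x83, 10260, 102600),
                (0x82, 112860, 65835), (0x83, 178695, 496755)]
ABLE2_SECTORS = 345830400 // SECTOR


def demo():
    parts = parse_dos_table(build_demo_sector0(ABLE2_LAYOUT))
    return parts, layout_rows(parts, ABLE2_SECTORS)


if __name__ == "__main__":
    parts, rows = demo()
    print("     Slot    Start        End          Length       Description")
    for i, (slot, start, end, length, desc) in enumerate(rows):
        print("%02d:  %-6s  %010d   %010d   %010d   %s" % (i, slot, start, end, length, desc))
    root = parts[1]
    print("root fs: fsstat -o %d, or dd bs=512 skip=%d (byte offset %d)"
          % (root["start"], root["start"], root["byte_offset"]))
```

On a real image, read the first 512 bytes (for a split set, of the first segment) and pass them to parse_dos_table(); a partition whose type is 0x05 or 0x0F is an extended container whose logical partitions live in a chain of further tables, which mmls follows and this example does not.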

For the sake of this analysis, the information we are looking for is located on the root partition (file system) of our image. Remember from our previous analysis of the able2 dd image that the root (/) file system is located on the second partition (able2.part2.dd in the previous exercise). Looking at our mmls output, we can see that that partition starts at sector 10260 (actually numbered 03 in the mmls output, or slot 00:01).

So, we run the Sleuthkit fsstat command with -o 10260 to gather file system information at that offset.

root@rock:~/able2 # fsstat -o 10260 able2.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext2
Volume Name:
Volume ID: 906e777080e09488d0116064da18c0c4

Last Written at: Sun Aug 10 14:50:03 2003
Last Checked at: Tue Feb 11 00:20:09 1997

Last Mounted at: Thu Feb 13 02:33:02 1997
Unmounted Improperly
Last mounted on:

Source OS: Linux
Dynamic Structure
InCompat Features: Filetype,
Read Only Compat Features: Sparse Super,

METADATA INFORMATION
--------------------------------------------
Inode Range: 1 - 12881
Root Directory: 2
Free Inodes: 5807

CONTENT INFORMATION
--------------------------------------------
Block Range: 0 - 51299
Block Size: 1024
Reserved Blocks Before Block Groups: 1
<continues>

The fsstat command provides type-specific information about the file system located in a device or forensic image. As previously noted, we ran the fsstat command above with the option -o 10260. This specifies that we want information from the file system residing on the partition that starts at sector offset 10260.

We can get more information using the fls command. fls lists the file names and directories contained in a file system, or in a directory, if the metadata identifier for a particular directory is passed. The output can be adjusted with a number of options, to include gathering information about deleted files. If you type fls on its own, you will see the available options (view the man page for a more complete explanation).

If you run the fls command with no options (other than the -o option to specify the file system), then by default it will run on the root directory (inode 2 on an EXT file system, MFT entry 5 on NTFS, etc.).

In other words, on an EXT file system, running:
root@rock:~/able2 # fls -o 10260 able2.dd

And:
root@rock:~/able2 # fls -o 10260 able2.dd 2

...will result in the same output. In the second command, the 2 passed at the end of the command means "root directory", which is what is used by default in the first command.

So, in the following command, we run fls and only pass -o 10260. This results in a listing of the contents of the root directory:


root@rock:~/able2 # fls -o 10260 able2.dd
d/d 11:     lost+found
d/d 3681:   boot
d/d 7361:   usr
d/d 3682:   proc
d/d 7362:   var
d/d 5521:   tmp
d/d 7363:   dev
d/d 9201:   etc
d/d 1843:   bin
d/d 1844:   home
d/d 7368:   lib
d/d 7369:   mnt
d/d 7370:   opt
d/d 1848:   root
d/d 1849:   sbin
r/r 1042:   .bash_history
d/d 11105:  .001
d/d 12881:  $OrphanFiles

There are several points we want to take note of before we continue. Let's take a few lines of output and describe what the tool is telling us. Have a look at the last three lines from the above fls command.


...
r/r 1042:   .bash_history
d/d 11105:  .001
d/d 12881:  $OrphanFiles

Each line of output starts with two characters separated by a slash. This field indicates the file type as described by the file's directory entry, and by the file's metadata (in this case, the inode). For example, the first file listed in the snippet above, .bash_history, is identified as a regular file in both the file's directory and inode entry. This is noted by the r/r designation. Conversely, the following two entries (.001 and $OrphanFiles) are identified as directories.

The next field is the metadata entry number (inode, MFT entry, etc.) followed by the file name. In the case of the file .bash_history the inode is listed as 1042.

Note that the last line of the output, $OrphanFiles, is a virtual folder, created by the Sleuthkit and assigned a virtual inode (a new feature for Sleuthkit 3.00). This folder contains virtual file entries that represent unallocated metadata entries where there are no corresponding file names. These are commonly referred to as "orphan files", which can be accessed by specifying the metadata address, but not through any file name path. We will cover this in more detail in a later section.

We can continue to run fls on directory entries to dig deeper into the file system structure (or use -r for a recursive listing). By passing the metadata entry number of a directory, we can view its contents. Read man fls for a look at some useful features. For example, have a look at the .001 directory in the listing above. This is an unusual directory and would cause some suspicion. It is hidden (starts with a "."), and no such directory is common in the root of the file system. So, to see the contents of the .001 directory, we would pass its inode to fls:
root@rock:~/able2 # fls -o 10260 able2.dd 11105
r/r 2138:   lolit_pics.tar.gz
r/r 11107:  lolitaz1
r/r 11108:  lolitaz10
r/r 11109:  lolitaz11
r/r 11110:  lolitaz12
r/r 11111:  lolitaz13
r/r 11112:  lolitaz2
r/r 11113:  lolitaz3
r/r 11114:  lolitaz4
r/r 11115:  lolitaz5
r/r 11116:  lolitaz6
r/r 11117:  lolitaz7
r/r 11118:  lolitaz8
r/r 11119:  lolitaz9

The contents of the directory are listed. We will cover commands to help view and analyze the individual files later on.

fls can also be useful for uncovering deleted files. By default, fls will show both allocated and unallocated files. We can change this behavior by passing other options. For example, if we wanted to see only deleted entries that are listed as files (rather than directories), and we want the listing to be recursive, we could use the following command:
root@rock:~/able2 # fls -o 10260 -Frd able2.dd
r/r * 11120(realloc):   var/lib/slocate/slocate.db.tmp
r/r * 10063:            var/log/xferlog.5
r/r * 10063:            var/lock/makewhatis.lock
r/r * 6613:             var/run/shutdown.pid
r/r * 1046:             var/tmp/rpm-tmp.64655
r/r * 6609(realloc):    var/catman/cat1/rdate.1.gz
r/r * 6613:             var/catman/cat1/rdate.1.gz
r/r * 6616:             tmp/logrot2V6Q1J
r/r * 2139:             dev/ttYZ0/lrkn.tgz
d/r * 10071(realloc):   dev/ttYZ0/lrk3
r/r * 6572(realloc):    etc/X11/fs/config
l/r * 1041(realloc):    etc/rc.d/rc0.d/K83ypbind
l/r * 1042(realloc):    etc/rc.d/rc1.d/K83ypbind
l/r * 6583(realloc):    etc/rc.d/rc2.d/K83ypbind
l/r * 6584(realloc):    etc/rc.d/rc4.d/K83ypbind
l/r * 1044:             etc/rc.d/rc5.d/K83ypbind
l/r * 6585(realloc):    etc/rc.d/rc6.d/K83ypbind
r/r * 1044:             etc/rc.d/rc.firewall~
r/r * 6544(realloc):    etc/pam.d/passwd
r/r * 10055(realloc):   etc/mtab.tmp
r/r * 10047(realloc):   etc/mtab~
r/- * 0:                etc/.inetd.conf.swx
r/r * 2138(realloc):    root/lolit_pics.tar.gz
r/r * 2139:             root/lrkn.tgz
r/r * 1055:             $OrphanFiles/OrphanFile-1055
r/r * 1056:             $OrphanFiles/OrphanFile-1056
r/r * 1057:             $OrphanFiles/OrphanFile-1057
r/r * 2141:             $OrphanFiles/OrphanFile-2141
r/r * 2142:             $OrphanFiles/OrphanFile-2142
r/r * 2143:             $OrphanFiles/OrphanFile-2143
<continues>

In the above command, we run the fls command against the partition in able2.dd starting at sector offset 10260 (-o 10260), showing only file entries (-F), descending into directories (-r), and displaying deleted entries (-d).

Notice that all of the files listed have an asterisk (*) before the inode. This indicates the file is deleted, which we expect in the above output since we specified the -d option to fls. We are then presented with the metadata entry number (inode, MFT entry, etc.) followed by the file name.

Have a look at the line of output for inode number 2138 (root/lolit_pics.tar.gz). The inode is followed by (realloc). Keep in mind that fls describes the file name layer. The "realloc" means that the file name listed is marked as unallocated, even though the metadata entry (2138) is marked as allocated. In other words... the inode from our deleted file may have been reallocated to a new file.

According to Brian Carrier:

    The difference comes about because there is a file name layer and a metadata layer. Every file has an entry in both layers and each entry has its own allocation status.

    If a file is marked as "deleted" then this means that both the file name and metadata entries are marked as unallocated. If a file is marked as "realloc" then this means that its file name is unallocated and its metadata is allocated.

    The latter occurs if:
      - The file was renamed and a new file name entry was created for the file, but the metadata stayed the same.
      - NTFS resorted the names and the old copies of the name will be "unallocated" even though the file still exists.
      - The file was deleted, but the metadata has been reallocated to a new file.

    In the first two cases, the metadata correctly corresponds to the deleted file name. In the last case, the metadata may not correspond to the name because it may instead correspond to a new file.

In the case of inode 2138, it looks as though the realloc was caused by the file being moved to the directory .001 (see the fls listing of .001 above). This causes it to be deleted from its current directory entry (root/lolit_pics.tar.gz) and a new file name created (.001/lolit_pics.tar.gz). The inode and the data blocks that it points to remain unchanged and in allocated status, but it has been reallocated to the new name. The practical consequence of a realloc entry is that the content you recover through that inode belongs to whatever the inode currently describes, which may not be the deleted name you are looking at.

Let's continue our analysis exercise using a couple of metadata (inode) layer tools included with the Sleuthkit. In a Linux EXT type file system, an inode has a unique number and is assigned to a file. The number corresponds to the inode table, allocated when a partition is formatted. The inode contains all the metadata available for a file, including the modified/accessed/changed (mac) times and a list of all the data blocks allocated to that file.

If you look at the output of our last fls command, you will see a deleted file called lrkn.tgz located in the /root directory (the last file in the output of our fls command before the list of orphan files; recall that the asterisk indicates it is deleted):
...
r/r * 2139:             root/lrkn.tgz
...

The inode displayed by fls for this file is 2139. This same inode also points to another deleted file in /dev earlier in the output (same file, different location). We can find all the file names associated with a particular metadata entry by using the ffind command:


root@rock:~/able2 # ffind -o 10260 able2.dd 2139
* /dev/ttYZ0/lrkn.tgz
* /root/lrkn.tgz

Here we see that there are two file names associated with inode 2139, and both are deleted, as noted again by the asterisk.

Continuing on, we are going to use istat. Remember that fsstat took a file system as an argument and reported statistics about that file system. istat does the same thing; only it works on a specified inode or metadata entry. We use istat to gather information about inode 2139:


root@rock:~/able2 # istat -o 10260 able2.dd 2139
inode: 2139
Not Allocated
Group: 1
Generation Id: 3534950564
uid / gid: 0 / 0
mode: rrw-r--r--
size: 3639016
num of links: 0

Inode Times:
Accessed:       Sun Aug 10 00:18:38 2003
File Modified:  Sun Aug 10 00:08:32 2003
Inode Modified: Sun Aug 10 00:29:58 2003
Deleted:        Sun Aug 10 00:29:58 2003

Direct Blocks:
22811 22812 22813 22814 22815 22816 22817 22818
22819 22820 22821 22822 22824 22825 22826 22827
<snip>...
32233 32234

This reads the inode statistics (istat) on the file system located in the able2.dd image in the partition at sector offset 10260 (-o 10260), from inode 2139 found in our fls command. There is a large amount of output here, showing all the inode information and the file system blocks ("Direct Blocks") that contain all of the file's data. We can either pipe the output of istat to a file for logging, or we can send it to less for viewing.

Keep in mind that the Sleuthkit supports a number of different file systems. istat (along with many of the Sleuthkit commands) will work on more than just an EXT file system. The descriptive output will change to match the file system istat is being used on. We will see more of this a little later. You can see the supported file systems by running istat with -f list.


root@rock:~/able2 # istat -f list
Supported file system types:
        ntfs (NTFS)
        fat (FAT (Auto Detection))
        ext (ExtX (Auto Detection))
        iso9660 (ISO9660 CD)
        ufs (UFS (Auto Detection))
        raw (Raw Data)
        swap (Swap Space)
        fat12 (FAT12)
        fat16 (FAT16)
        fat32 (FAT32)
        ext2 (Ext2)
        ext3 (Ext3)
        ufs1 (UFS1)
        ufs2 (UFS2)

We now have the name of a deleted file of interest (from fls) and the inode information, including where the data is stored (from istat).

Now we are going to use the icat command from the Sleuthkit to grab the actual data contained in the data blocks referenced from the inode. icat also takes the inode as an argument and reads the content of the data blocks that are assigned to that inode, sending it to standard output. Remember, this is a deleted file that we are recovering here.

We are going to send the contents of the data blocks assigned to inode 2139 to a file for closer examination.


root@rock:~/able2 # icat -o 10260 able2.dd 2139 > /root/lrkn.tgz.2139

This runs the icat command on the file system in our able2.dd image at sector offset 10260 (-o 10260) and streams the contents of the data blocks associated with inode 2139 to the file /root/lrkn.tgz.2139. The file name is arbitrary; I simply took the name of the file from fls and appended the inode number to indicate that it was recovered. Normally this output should be directed to some results or specified evidence directory.


Now that we have what we hope is a recovered file, what do we do with it? Look at the resulting file with the file command:

root@rock:~/able2 # file /root/lrkn.tgz.2139
/root/lrkn.tgz.2139: gzip compressed data, was "lrkn.tar", from Unix

Have a look at the contents of the recovered archive (pipe the output through less; it's long). Remember that the -t option to the tar command lists the contents of the archive. Don't just haphazardly extract an archive without knowing what it will write, or especially where. [19]


root@rock:~/able2 # tar tzvf /root/lrkn.tgz.2139 | less
drwxr-xr-x lp/lp         0 1998-10-01 18:48:18 lrk3/
-rwxr-xr-x lp/lp       742 1998-06-27 11:30:45 lrk3/1
-rw-r--r-- lp/lp       716 1996-11-02 16:38:43 lrk3/MCONFIG
-rw-r--r-- lp/lp      6833 1998-10-03 05:02:15 lrk3/Makefile
-rw-r--r-- lp/lp      6364 1996-12-27 22:01:43 lrk3/README
-rwxr-xr-x lp/lp        90 1998-06-27 12:53:45 lrk3/RUN
drwxr-xr-x lp/lp         0 1998-10-01 18:08:50 lrk3/bin/
<continues>

We have not yet extracted the archive, we've just listed its contents. Notice that there is a README file included in the archive. If we are curious about the contents of the archive, perhaps reading the README file would be a good idea, yes? Rather than extract the entire contents of the archive, we will go for just the README using the following tar command:


root@rock:~/able2 # tar xzvfO /root/lrkn.tgz.2139 lrk3/README > /root/README.2139
lrk3/README

The difference with this tar command is that we specify that we want the output sent to stdout (-O [capital letter oh]) so we can redirect it. We also specify the name of the file that we want extracted from the archive (lrk3/README). This is all redirected to a new file called /root/README.2139. If you read that file (use less), you will find that we have uncovered a rootkit, full of programs used to hide a hacker's activity.

[19] Let's face it, it would be BAD to have an archive that contains a bunch of Trojans and other nasties (evil kernel source or libraries, etc.) overwrite those on your system. Be extremely careful with archives.

Briefly, let's look at a different type of file recovered by icat. The concept is the same, but instead of extracting a file, you can stream its contents to stdout for viewing. Recall our previous directory listing of the .001 directory at inode 11105:
root@rock:~/able2 # fls -o 10260 able2.dd 11105
r/r 2138:   lolit_pics.tar.gz
r/r 11107:  lolitaz1
r/r 11108:  lolitaz10
<continues>

We can determine the contents of the (allocated) file with inode 11108, for example, by using icat to stream the inode's data blocks through a pipe to the file command. We use the - to indicate that file is getting its input from the pipe:


root@rock:~/able2 # icat -o 10260 able2.dd 11108 | file -
/dev/stdin: JPEG image data, JFIF standard 1.02

The output shows that we are dealing with a JPEG image. So we decide to use the display command to show us the contents:
root@rock:~/able2 # icat -o 10260 able2.dd 11108 | display

This results in an image opening in a window, assuming you are running in a graphical environment and have ImageMagick installed, which provides the display utility.


Sleuthkit Exercise #2 - Physical String Search & Allocation Status
This is another section added in response to a number of questions I've received both in classes and via email. In our original floppy disk image analysis, one of the exercises we completed was a physical search of the image for a set of strings. Once the strings were located, we viewed them with the xxd utility. That's just half the story. In the vast majority of real examinations you are going to want to find out (if possible) what file that string belonged to and whether or not that file is allocated or unallocated. That is the purpose of this exercise.

This is a far more advanced exercise, but the question is asked enough that I thought it was worth covering here. I realize this is a beginner level document, but these are important concepts. Even if you rely on GUI tools for your day to day forensic analysis, you should understand exactly how your tools calculate and display their findings. In some ways the Sleuthkit forces you to understand these concepts (or you don't get very far).

This time we are going to do a search for a single string in our Linux disk image able2.dd. Based on some information received elsewhere, we decide to search our image for the keyword "Cybernetik". Change to the directory containing our able2.dd image and use grep to search for the string:
root@rock:~/able2 # grep -abi Cybernetik able2.dd
10561603: * updated by Cybernetik for linux rootkit
55306929:Cybernetik proudly presents...
55312943:Email: cybernetik@nym.alias.net
55312975:Finger: cybernetik@nym.alias.net

Recall that our grep command is taking the file able2.dd, treating it as a text file (-a), and searching for the string "Cybernetik". The search is case insensitive (-i) and will output the byte offset of any matches (-b).

Our output shows that the first match comes at byte offset 10561603. Like we did in our first string search exercise, we are going to quickly view the match using our hex viewer xxd and providing the offset given by grep. We will also use the head command to indicate that we only want to see a specific number of lines, in this case just 5 (-n 5). We just want to get a quick look at the context of the match before proceeding.


root@rock:~/able2 # xxd -s 10561603 able2.dd | head -n 5
0a12843: 202a 0975 7064 6174 6564 2062 7920 4379   *.updated by Cy
0a12853: 6265 726e 6574 696b 2066 6f72 206c 696e  bernetik for lin
0a12863: 7578 2072 6f6f 746b 6974 0a20 2a2f 0a0a  ux rootkit. */..
0a12873: 2369 6e63 6c75 6465 203c 7379 732f 7479  #include <sys/ty
0a12883: 7065 732e 683e 0a23 696e 636c 7564 6520  pes.h>.#include

We also have to keep in mind that what we have found is the offset to the match in the entire disk, not in a specific file system. In order to use the Sleuthkit tools, we need to have a file system to target.

Let's figure out which partition (and file system) the match is in. Use bc to calculate which sector of the image (and therefore the original disk) the keyword is in. Each sector is 512 bytes, so dividing the byte offset by 512 tells us which sector:


root@rock:~/able2 # echo "10561603/512" | bc
20628

The Sleuthkit's mmls command gives us the offset to each partition in the image (you could also use sfdisk):
root@rock:~/able2 # mmls able2.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000056   0000000056   Unallocated
02:  00:00   0000000057   0000010259   0000010203   Linux (0x83)
03:  00:01   0000010260   0000112859   0000102600   Linux (0x83)
04:  00:02   0000112860   0000178694   0000065835   Linux Swap / Solaris x86 (0x82)
05:  00:03   0000178695   0000675449   0000496755   Linux (0x83)


From the output of mmls above, we see that our calculated sector, 20628, falls in the second partition (between 10260 and 112859). The offset to our file system for the Sleuthkit commands will be 10260.

The problem is that the offset that we have is the keyword's offset in the disk image, not in the file system (which is what the volume data block is associated with). So we have to calculate the offset to the file AND the offset to the partition that contains the file.

The difference between the two is the volume offset of the keyword hit, instead of the physical disk (or image) offset.

Now we know the offset to the keyword within the actual volume, rather than the entire image. Let's find out what inode (metadata unit) points to the volume data block at that offset. To find which inode this belongs to, we first have to calculate the volume data block address. Look at the Sleuthkit's fsstat output to see the number of bytes per block. We need to run fsstat on the file system at sector offset 10260:


root@rock:~/able2 # fsstat -o 10260 -f ext able2.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext2
Volume Name:
Volume ID: 906e777080e09488d0116064da18c0c4

Last Written at: Sun Aug 10 14:50:03 2003
Last Checked at: Tue Feb 11 00:20:09 1997

Last Mounted at: Thu Feb 13 02:33:02 1997
Unmounted Improperly
Last mounted on:

Source OS: Linux
Dynamic Structure
InCompat Features: Filetype,
Read Only Compat Features: Sparse Super,

METADATA INFORMATION
--------------------------------------------
Inode Range: 1 - 12881
Root Directory: 2
Free Inodes: 5807

CONTENT INFORMATION
--------------------------------------------
Block Range: 0 - 51299
Block Size: 1024
Reserved Blocks Before Block Groups: 1
Free Blocks: 9512
<continues>

The fsstat output shows us (see the Block Size line) that the data blocks within the volume are 1024 bytes each. If we divide the volume offset by 1024, we identify the data block that holds the keyword hit.


Here are our calculations, summarized:

- offset to the string in the disk image (from our grep output): 10561603
- offset to the partition that contains the file: 10260 sectors * 512 bytes per sector
- offset to the string in the partition is the difference between the two above numbers.
- the data block is the offset in the file system divided by the block size (data unit size), 1024, from our fsstat output.
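The same arithmetic carried through for all four grep hits, as an added Python example that is not part of the original guide or of the Sleuthkit. It uses the mmls partition table printed above and the 1024-byte block size that fsstat reports for the file system at sector offset 10260; the block size is assumed to apply to that slot only, since the other slots were never examined with fsstat.

```python
"""Map a grep -b byte offset in a disk image to a file system block.

Added example, not part of the Sleuthkit. The partition table is the mmls
output for able2.dd shown above; the block size is the one fsstat reported
for the file system at sector offset 10260.
"""

SECTOR_SIZE = 512  # mmls reported "Units are in 512-byte sectors"

# (slot, start sector, end sector, description) as listed by mmls for able2.dd
ABLE2_PARTITIONS = [
    ("00", 0, 0, "Primary Table (#0)"),
    ("01", 1, 56, "Unallocated"),
    ("02", 57, 10259, "Linux (0x83)"),
    ("03", 10260, 112859, "Linux (0x83)"),
    ("04", 112860, 178694, "Linux Swap / Solaris x86 (0x82)"),
    ("05", 178695, 675449, "Linux (0x83)"),
]

# Block size of the Ext2 file system in slot 03, from fsstat -o 10260. Other
# slots would need their own fsstat run; only slot 03 is used in this exercise.
BLOCK_SIZES = {"03": 1024}


def find_partition(image_byte_offset, partitions, sector_size=SECTOR_SIZE):
    """Return the mmls entry whose sector range contains the byte offset."""
    sector = image_byte_offset // sector_size
    for entry in partitions:
        _slot, start, end, _desc = entry
        if start <= sector <= end:
            return entry
    raise ValueError(f"sector {sector} is outside every mmls entry")


def locate_hit(image_byte_offset, partitions=ABLE2_PARTITIONS,
               block_sizes=BLOCK_SIZES, sector_size=SECTOR_SIZE):
    """Translate a physical (image) byte offset into Sleuthkit addresses.

    Returns a dict with:
      sector         image sector holding the hit (offset // 512)
      fs_offset      value to pass as -o to the Sleuthkit tools
      volume_offset  byte offset of the hit relative to the file system start
      block          file system block (data unit) holding the hit
      byte_in_block  where inside that block the hit starts
    """
    slot, start, _end, desc = find_partition(image_byte_offset, partitions,
                                             sector_size)
    if slot not in block_sizes:
        # Unallocated space, the partition table, or swap: no file system
        # block size is known, so a block number would be meaningless.
        raise ValueError(f"slot {slot} ({desc}) has no known block size")
    block_size = block_sizes[slot]
    volume_offset = image_byte_offset - start * sector_size
    return {
        "sector": image_byte_offset // sector_size,
        "slot": slot,
        "description": desc,
        "fs_offset": start,
        "volume_offset": volume_offset,
        "block": volume_offset // block_size,
        "byte_in_block": volume_offset % block_size,
    }


if __name__ == "__main__":
    # The four offsets reported by grep -abi Cybernetik able2.dd in the text.
    for offset in (10561603, 55306929, 55312943, 55312975):
        hit = locate_hit(offset)
        print(f"{offset}: sector {hit['sector']}, -o {hit['fs_offset']}, "
              f"block {hit['block']} (+{hit['byte_in_block']} bytes)")
```

The first hit lands 67 bytes into block 5184, which is exactly where the " *\tupdated by Cybernetik" line begins in the blkcat dump of that block later in Exercise #3.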

Inshort,ourcalculation,takingintoaccountalltheillustrationsabove, issimply:
root@rock:~/able2 # echo "(10561603-(10260*512))/1024" | bc
5184

Note that we use parentheses to group our calculations. We find the byte offset to the file system first (10260*512), subtract that from the offset to the string (10561603) and then divide the whole thing by the data unit size (1024) obtained from fsstat. This (5184) is our data unit (not the inode!) that contains the string we found with grep. Very quickly, we can ascertain its allocation status with the Sleuthkit command blkstat:


root@rock:~/able2 # blkstat -o 10260 -f ext able2.dd 5184
Fragment: 5184
Not Allocated
Group: 0

So blkstat tells us that our keyword search for the string "Cybernetik" resulted in a match in an unallocated block. Now we use ifind to tell us which inode (metadata structure) points to data block 5184 in the second partition of our image:


root@rock:~/able2 # ifind -o 10260 -f ext -d 5184 able2.dd
10090

Excellent! The inode that holds the keyword match is 10090. Now we use istat to give us the statistics of that inode:
root@rock:~/able2 # istat -o 10260 -f ext able2.dd 10090
inode: 10090
Not Allocated
Group: 5
Generation Id: 3534950782
uid / gid: 4 / 7
mode: -rw-r--r--
size: 3591
num of links: 0

Inode Times:
Accessed:       Sun Aug 10 00:18:36 2003
File Modified:  Wed Dec 25 16:27:43 1996
Inode Modified: Sun Aug 10 00:29:58 2003
Deleted:        Sun Aug 10 00:29:58 2003

Direct Blocks:
5184 5185 5186 5187

From the istat output we see that inode 10090 is unallocated (same as blkstat told us about the data unit). Note also that the first direct block indicated by our istat output is 5184, just as we calculated.

We can get the data from the direct blocks of the original file by using icat -r. Pipe the output through less so that we can read it more easily. Note that our keyword is right there at the top:


root@rock:~/able2 # icat -r -o 10260 -f ext able2.dd 10090 | less
/*
 * fixer.c
 * by Idefix
 * inspired on sum.c and SaintStat 2.0
 * updated by Cybernetik for linux rootkit
 */
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <stdio.h>

main (argc,argv)
int argc;
char **argv;
<continues>


At this point, we have recovered the data we were looking for. We can run our icat command as above again, this time directing the output to a file (as we did with the rootkit file from our previous recovery exercise).

One additional note: With the release of Sleuthkit v3.x, we now have a virtual directory that contains entries for orphan files. As we previously noted, in our discussion of the fls command, these files are the result of an inode containing file data having no file name (directory entry) associated with it. Sleuthkit organizes these in the virtual $OrphanFiles directory. This is a useful feature because it allows us to identify and access orphan files from the output of the fls command.

In this exercise, we determined through our calculations that we were looking for the contents of inode 10090. The Sleuthkit command ffind can tell us the file name associated with an inode. Here, we are provided with the $OrphanFiles entry:

root@rock:~/able2 # ffind -o 10260 able2.dd 10090
* /$OrphanFiles/OrphanFile-10090

Keep in mind that various file systems act very differently. Even between an Ext2 and Ext3 file system there are differences in how files are deleted. Sleuthkit will simply report what it finds to the investigator. It is up to YOU to properly interpret what you are shown.


Sleuthkit Exercise #3 - Unallocated Extraction & Examination
As the size of media being examined continues to grow, it is becoming apparent to many investigators that data reduction techniques are more important than ever. These techniques take on several forms, including hash analysis (removing known good files from a data set, for example) and separating allocated space in an image from unallocated space, allowing them to be searched separately with specialized tools. We will be doing the latter in this exercise.

The Sleuthkit comes with a set of tools for handling information at the block layer of the analysis model. The block layer consists of the actual file system blocks that hold the information we are seeking. They are not specific to unallocated data only, but are especially useful for working on unallocated blocks that have been extracted from an image. The tools that manipulate this layer, as you would expect, start with "blk" and include:

- blkls
- blkcalc
- blkstat
- blkcat

We will be focusing on blkls, blkcalc and blkstat for the next couple of exercises.

The tool that starts us off here is blkls. This command lists all the data blocks. If you were to use the -e option, the output would be the same as the output of dd for that volume, since -e tells blkls to copy every block. However, by default, blkls will only copy out the unallocated blocks of an image.

This allows us to separate allocated and unallocated blocks in our file system. We can use logical tools (find, ls, etc.) on the live files in a mounted file system, and concentrate data recovery efforts on only those blocks that may contain deleted or otherwise unallocated data. Conversely, when we do a physical search of the output of blkls, we can be sure that artifacts found are from unallocated content.

To illustrate what we are talking about here, we'll run the same exercise we did in Sleuthkit Exercise #2, this time extracting the unallocated data from our volume of interest and comparing the output from the whole volume analysis vs. unallocated analysis. So, we'll be working on the able2.dd image from earlier. We expect to get the same results we did in Exercise #2, but this time by analyzing only the unallocated space, and then associating the recovered data with its original location in the full disk image.

First we'll need to change into the directory containing our able2.dd image. Then we check the partition table and decide which volume we'll be examining. Recall that this is where we get our -o (offset) value from for our Sleuthkit commands. To do this, we run the mmls command:


root@rock:~/Able2# mmls able2.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000056   0000000056   Unallocated
02:  00:00   0000000057   0000010259   0000010203   Linux (0x83)
03:  00:01   0000010260   0000112859   0000102600   Linux (0x83)
04:  00:02   0000112860   0000178694   0000065835   Linux Swap...(0x82)
05:  00:03   0000178695   0000675449   0000496755   Linux (0x83)

As with Exercise #2, we've decided to search the unallocated space in the second Linux partition (at offset 10260, slot 03 above). We run the blkls command using the offset option (-o) which indicates what partition's file system we are analyzing. We then redirect the output to a new file that will contain only the unallocated blocks of that particular volume.


root@rock:~/Able2# blkls -o 10260 able2.dd > able2.blkls
root@rock:~/Able2# ls -lh
total 9.4M
-rw-r--r-- 1 root root 9.3M 2008-06-09 09:40 able2.blkls
-rwxrwxr-x 1 root root 330M 2003-08-10 21:16 able2.dd
...

In the above command, we are using blkls on the second partition (-o 10260) within the able2.dd image, and redirecting the output to a file called able2.blkls. The file able2.blkls will contain only the unallocated blocks from the target file system.

Now, as we did in our previous analysis of this file system (Exercise #2), we will use grep, this time on the extracted unallocated space, our able2.blkls file, to search for our text string of interest. Read back through Exercise #2 if you need a refresher on these commands.


root@rock:~/Able2# grep -abi cybernetik able2.blkls
1631299: * updated by Cybernetik for linux rootkit
9317041:Cybernetik proudly presents...
9323055:Email: cybernetik@nym.alias.net
9323087:Finger: cybernetik@nym.alias.net

The grep command above now tells us that we have found the string "cybernetik" at four different offsets in the extracted unallocated space. We will concentrate on the first hit here. Of course these are different from the offsets we found in Exercise #2 because we are no longer searching the entire original dd image.

So the next obvious question is "so what?". We found potential evidence in our extracted unallocated space. But how does it relate to the original image? As forensic examiners, merely finding potential evidence is not good enough. We also need to know where it came from (physical location in the original image), what file it belongs to or (possibly) belonged to, metadata associated with the file, and context. Finding potential evidence in a big block of aggregate unallocated space is of little use to us if we cannot at least make some effort at attribution in the original file system.

That's where the other block layer tools come in. We can use blkcalc to calculate the location (by data block or fragment) in our original image. Once we've done that, we simply use the metadata layer tools to identify and potentially recover the original file, as we did in our previous effort.

First we need to gather a bit of data about the original file system. We run the fsstat command to determine the size of the data blocks we are working with.
root@rock:~/Able2# fsstat -o 10260 able2.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext2
Volume Name:
Volume ID: 906e777080e09488d0116064da18c0c4
...
CONTENT INFORMATION
--------------------------------------------
Block Range: 0 - 51299
Block Size: 1024
...

In the fsstat command above, we see that the block size is 1024. We take the offset from our grep output on the able2.blkls image and divide that by 1024. This tells us how many unallocated data blocks into the unallocated image we found our string of interest. We use the echo command to pass the math expression to the command line calculator, bc:
root@rock:~/Able2# echo "1631299/1024" | bc
1593

We now know, from the above output, that the string "cybernetik" is in data block 1593 of our extracted unallocated file, able2.blkls.

This is where our handy blkcalc command comes in. We use blkcalc with the -u option to specify that we want to calculate the block address from an extracted unallocated image (from blkls output). We run the command on the original dd image because we are calculating the original data block in that image.


root@rock:~/Able2# blkcalc -o 10260 -u 1593 able2.dd
5184

The command above is running blkcalc on the file system at offset 10260 (-o 10260) in the original able2.dd, passing the data block we calculated from the blkls image able2.blkls (-u 1593). The result is a familiar block 5184 (see Exercise #2 again). The illustration below gives a visual representation of a simple example:


[Illustration: the blocks of the original file system, numbered 0, 1, 2 ... 48, 49, 50 ..., each shaded as allocated or unallocated; beneath them the blkls image, numbered 0, 1, 2, 3, 4, 5, 6, 7, 8 ..., holding only the unallocated blocks in order; and the mapping blkcalc -o $fs_offset -u 3 original.dd = 49]

In the illustrated example above, the data in block #3 of the blkls image would map to block #49 in the original file system. We would find this with the blkcalc command as shown (this is just an illustration, and does not apply to the current exercise):
root@rock:~/example# blkcalc -o $fs_offset -u 3 original.dd
49

So, in simple terms, we have extracted the unallocated space, found a string of interest in a data block in the unallocated image, and then found the corresponding data block in the original image.

If we look at the blkstat (data block statistics) output for block 5184 in the original image, we see that it is, in fact, unallocated, which makes sense, since we found it within our extracted unallocated space (we're back to the same results as in Exercise #2). Note that we are now running the commands on the original dd image. We'll continue on for the sake of completeness.
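A model of the blkls/blkcalc relationship just described, as an added Python example that is not Sleuthkit code: it extracts the unallocated blocks of a constructed allocation bitmap in the order blkls writes them and maps a block number in that extract back to its original address, which is what blkcalc -u does. Both bitmaps are constructed: FIGURE_BITMAP reproduces the figure's block 3 to 49, and EXERCISE_BITMAP is shaped only so that its numbers match this exercise; the real bitmap of able2.dd is whatever blkstat and blkcalc read from the image.

```python
"""Model of what blkls extracts and what blkcalc -u maps back.

Added example, not part of the Sleuthkit. Allocation bitmaps here are
constructed lists (True = allocated, False = unallocated); a real one comes
from the file system's block bitmap, which the Sleuthkit reads for you.
"""

BLOCK_SIZE = 1024  # from fsstat on the able2.dd file system in the text


def unallocated_addresses(allocated):
    """Unallocated block addresses in address order: the order blkls writes them."""
    return [addr for addr, is_alloc in enumerate(allocated) if not is_alloc]


def blkls_to_original(allocated, blkls_block):
    """What blkcalc -u does: blkls image block number -> original block address."""
    unalloc = unallocated_addresses(allocated)
    if not 0 <= blkls_block < len(unalloc):
        raise ValueError(f"blkls image has only {len(unalloc)} blocks")
    return unalloc[blkls_block]


def original_to_blkls(allocated, original_block):
    """Inverse lookup: original block address -> its position in the blkls image."""
    if allocated[original_block]:
        raise ValueError(f"block {original_block} is allocated; blkls never copied it")
    # Its position is the number of unallocated blocks that precede it.
    return sum(1 for is_alloc in allocated[:original_block] if not is_alloc)


def locate_blkls_hit(blkls_byte_offset, allocated, block_size=BLOCK_SIZE):
    """Take a grep -b offset from the blkls output back to the original image."""
    blkls_block, byte_in_block = divmod(blkls_byte_offset, block_size)
    return {
        "blkls_block": blkls_block,
        "original_block": blkls_to_original(allocated, blkls_block),
        "byte_in_block": byte_in_block,
    }


def make_bitmap(total_blocks, unallocated):
    """Constructed bitmap: every block allocated except those listed."""
    free = set(unallocated)
    return [addr not in free for addr in range(total_blocks)]


# Constructed to reproduce the figure: three unallocated blocks (12, 27, 40)
# precede block 49, so blkls block 3 is original block 49.
FIGURE_BITMAP = make_bitmap(64, [12, 27, 40, 49, 50, 51, 55, 58, 60])

# Constructed at the scale of this exercise: a 51300-block volume whose first
# 3591 blocks are allocated and the rest free. Then blkls block 1593 is
# original block 5184 and the grep hit at blkls byte 1631299 sits 67 bytes into
# it. The real able2.dd bitmap differs; only blkcalc on the image is authoritative.
EXERCISE_BITMAP = make_bitmap(51300, range(3591, 51300))


if __name__ == "__main__":
    print("figure:  blkls block 3 ->", blkls_to_original(FIGURE_BITMAP, 3))
    print("exercise:", locate_blkls_hit(1631299, EXERCISE_BITMAP))
```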


root@rock:~/Able2# blkstat -o 10260 able2.dd 5184
Fragment: 5184
Not Allocated
Group: 0

Using the command blkcat we can look at the raw contents of the data block (using xxd and less as a viewer). If we want to, we can even use blkcat to extract the block, redirecting the contents to another file:


root@rock:~/Able2# blkcat -o 10260 able2.dd 5184 | xxd | less
0000000: 2f2a 0a20 2a09 6669 7865 722e 630a 202a  /*. *.fixer.c. *
0000010: 0962 7920 4964 6566 6978 200a 202a 0969  .by Idefix . *.i
0000020: 6e73 7069 7265 6420 6f6e 2073 756d 2e63  nspired on sum.c
0000030: 2061 6e64 2053 6169 6e74 5374 6174 2032   and SaintStat 2
0000040: 2e30 0a20 2a09 7570 6461 7465 6420 6279  .0. *.updated by
0000050: 2043 7962 6572 6e65 7469 6b20 666f 7220   Cybernetik for 
0000060: 6c69 6e75 7820 726f 6f74 6b69 740a 202a  linux rootkit. *
0000070: 2f0a 0a23 696e 636c 7564 6520 3c73 7973  /..#include <sys
0000080: 2f74 7970 6573 2e68 3e0a 2369 6e63 6c75  /types.h>.#inclu
<continues>

root@rock:~/Able2# blkcat -o 10260 able2.dd 5184 > 5184.blkcat
root@rock:~/Able2# ls -lh
total 474M
-rw-r--r-- 1 root root 1.0K 2008-11-27 04:19 5184.blkcat
-rw-r--r-- 1 root root 9.3M 2008-11-27 03:58 able2.blkls
-rwxrwxr-x 1 root root 330M 2003-08-10 21:16 able2.dd*

Note the size of the file resulting from the blkcat output (5184.blkcat) is 1.0K (1024 bytes, the file system block size), just as expected.


If we want to recover the actual file and metadata associated with the identified data block, we use ifind to determine which metadata structure (in this case inode since we are working on an EXT file system) holds the data in block 5184. Then istat shows us the metadata for the inode:


root@rock:~/Able2# ifind -o 10260 -d 5184 able2.dd
10090
root@rock:~/Able2# istat -o 10260 able2.dd 10090
inode: 10090
Not Allocated
Group: 5
Generation Id: 3534950782
uid / gid: 4 / 7
mode: -rw-r--r--
size: 3591
num of links: 0

Inode Times:
Accessed:       Sun Aug 10 00:18:36 2003
File Modified:  Wed Dec 25 16:27:43 1996
Inode Modified: Sun Aug 10 00:29:58 2003
Deleted:        Sun Aug 10 00:29:58 2003

Direct Blocks:
5184 5185 5186 5187

Again, as we saw previously, the istat command, which shows us the metadata for inode 10090, indicates that the file with this inode is Not Allocated, and its first direct block is 5184. Just as we expected.

We then use icat to recover the file. In this case, we just pipe the first few lines out to see our string of interest, "cybernetik".


root@rock:~/Able2# icat -o 10260 able2.dd 10090 | head -n 10
/*
 * fixer.c
 * by Idefix
 * inspired on sum.c and SaintStat 2.0
 * updated by Cybernetik for linux rootkit
 */
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/time.h>
<continues>


Sleuthkit Exercise #4 - NTFS Examination: File Analysis
At this point we've done a couple of intermediate exercises using an ext2 file system from a Linux disk image. Another common suggestion I receive in class feedback and from other users of this guide is to provide a more advanced exercise using a file system more commonly encountered by examiners in the field. So, in the following exercises we will do some simple analyses on an NTFS file system.

Some might ask, "why?" There are many tools out there capable of analyzing an NTFS file system in its native environment. In my mind there are two very good reasons for learning to apply the Sleuthkit on Windows file systems. First, the Sleuthkit is comprised of a number of separate tools with very discrete sets of capabilities. The specialized nature of these tools means that you have to understand their interaction with the file system being analyzed. This makes them especially suited to help learning the ins and outs of file system behavior. The fact that the Sleuthkit does less of the work for you makes it a great learning tool. Second, an open source tool that operates in an environment other than Windows makes for an excellent cross verification utility.

The following exercise follows a set of very basic steps useful in most any analysis. Make sure that you follow along at the command line. Experimentation is the best way to learn.

If you have not already done so, I would strongly suggest (again) that you invest in a copy of Brian Carrier's book: File System Forensic Analysis (Published by Addison Wesley, 2005). This book is the definitive guide to file system behavior for forensic analysts. As a reminder (again), the purpose of these exercises is NOT to teach you file systems (or forensic methods, for that matter), but rather to illustrate the detailed information Sleuthkit can provide on common file systems encountered by field examiners.

The file we will use for this exercise can be obtained from:

http://www.LinuxLEO.com/Files/ntfs_pract.dd.gz

Let's create a directory in our /root (the root user's home) directory called /root/ntfs_pract/ and place the file in there. First, we will decompress the gzipped file using the gzip command we learned earlier and check its SHA1 hash:


root@rock:~/ntfs_pract # ls
ntfs_pract.dd.gz
root@rock:~/ntfs_pract # gzip -d ntfs_pract.dd.gz
root@rock:~/ntfs_pract # ls
ntfs_pract.dd
root@rock:~/ntfs_pract # sha1sum ntfs_pract.dd
0cbce7666c8db70377cb5fc2abf9268821b6dafe  ntfs_pract.dd

Now we will run through a series of basic Sleuthkit commands as we would in any analysis. The structure of the forensic image is viewed using mmls:


root@rock:~/ntfs_pract # mmls ntfs_pract.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000058   0000000058   Unallocated
02:  00:00   0000000059   0001023059   0001023001   NTFS (0x07)
03:  -----   0001023060   0001023999   0000000940   Unallocated

The output shows that an NTFS partition (and most likely the file system) begins at sector offset 59. This is the offset we will use in all our Sleuthkit commands. We now use fsstat to have a look at the file system statistics inside that partition:


root@rock:~/ntfs_pract # fsstat -o 59 -f ntfs ntfs_pract.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: E4D06402D063D8F6
OEM Name: NTFS
Volume Name: NEW VOLUME
Version: Windows XP

METADATA INFORMATION
--------------------------------------------
First Cluster of MFT: 42625
First Cluster of MFT Mirror: 63937
Size of MFT Entries: 1024 bytes
Size of Index Records: 4096 bytes
Range: 0 - 144
Root Directory: 5

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
<continues>


Looking at the fsstat output on our NTFS file system, we see it differs greatly from the output we saw running on a Linux EXT file system. The tool is designed to provide pertinent information based on the file system being targeted. Notice that when run on an NTFS file system, fsstat provides us with information specific to NTFS, including data about the Master File Table (MFT) and specific attribute values.

We will now have a look at how the Sleuthkit interacts with active and deleted files on an NTFS file system, given the structure of MFT entries.

Let's begin this exercise with the output of fls. We can specify that fls show us only deleted content on the command line with the -d option. We will use -F (only file entries) and -r (recursive) as well:
root@rock:~/ntfs_pract # fls -Frd -o 59 ntfs_pract.dd
r/r * 42-128-1:   Cookies/buckyball@revsci[2].txt
r/r * 43-128-1:   Cookies/buckyball@search.msn[1].txt
r/r * 44-128-1:   Cookies/buckyball@slashdot[1].txt
r/r * 45-128-1:   Cookies/buckyball@sony.aol[2].txt
r/r * 112-128-4:  My Documents/My Pictures/bandit-streetortrack2005056.jpg
r/r * 116-128-4:  My Documents/My Pictures/fighterama2005-ban4.jpg
r/r * 81-128-4:   My Documents/direct_attacks.doc

As of Sleuthkit version 3, the output of fls now shows content that includes NTFS orphan files. [20] Previous versions required the user to run an additional command, ifind, on parent directories in order to recover orphan files. The article in the footnote explains how this works.

The output above shows that our NTFS example file system holds 7 deleted files. Let's have a closer look at some NTFS specific information that can be parsed with the Sleuthkit.

Have a look at the deleted file at MFT entry 112. The file is ./My Documents/My Pictures/bandit-streetortrack2005056.jpg. We can have a closer look at the file's attributes by examining its MFT entry directly. We do this through the istat tool. Recall that when we were working on an EXT file system previously, the output of istat gave us information directly from the inode of the specified file (see Sleuthkit Exercise #1). As we mentioned earlier, the output of the Sleuthkit tools is specific to the file system being examined. So let's run the command on MFT entry 112 in our current exercise:

[20] TSK Informer, issue #16: http://www.sleuthkit.org/informer/sleuthkit-informer-16.txt - NTFS Orphan Files


root@rock:~/ntfs_pract # istat -o 59 ntfs_pract.dd 112
MFT Entry Header Values:
Entry: 112        Sequence: 2
$LogFile Sequence Number: 4201668
Not Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Created:       Sat Apr  7 00:52:53 2007
File Modified: Sat Oct 14 10:37:13 2006
MFT Modified:  Sat Apr  7 00:52:53 2007
Accessed:      Sat Apr  7 20:00:04 2007

$FILE_NAME Attribute Values:
Flags: Archive
Name: bandit-streetortrack2005056.jpg
Parent MFT Entry: 110   Sequence: 1
Allocated Size: 0       Actual Size: 0
Created:       Sat Apr  7 00:52:53 2007
File Modified: Sat Apr  7 00:52:53 2007
MFT Modified:  Sat Apr  7 00:52:53 2007
Accessed:      Sat Apr  7 00:52:53 2007

Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A     Resident       size: 72
Type: $FILE_NAME (48-3)              Name: N/A     Resident       size: 90
Type: $FILE_NAME (48-2)              Name: N/A     Resident       size: 128
Type: $DATA (128-4)                  Name: $Data   Non-Resident   size: 112063
60533 60534 60535 60536 60537 60538 60539 60540
60541 60542 60543 60544 60545 60546 60547 60548
60549 60550 60551 60552 60553 60554 60555 60556
60557 60558 60559 60560

The information istat provides us from the MFT shows values directly from the $STANDARD_INFORMATION attribute (which contains the basic metadata for a file), the $FILE_NAME attribute and basic information for other attributes that are part of an MFT entry. The data blocks that contain the actual file content are listed at the bottom of the output (for Non-Resident data).

Take note of the fact that there are two separate attribute identifiers for the $FILE_NAME attribute, 48-3 and 48-2. It is interesting to note we can access the contents of each attribute separately using the icat command. The two attributes store the DOS (8.3) file name and the Win32 (long) file name. By piping the output of icat to xxd we can see the difference. By itself, this may not be of much investigative interest, but again we are illustrating the capabilities of the Sleuthkit tools.


Note the difference in output between the attribute identifiers 112-48-3 and 112-48-2:
root@rock:~/ntfs_pract # icat -o 59 ntfs_pract.dd 112-48-3 | xxd
0000000: 6e00 0000 0000 0100 3071 be99 d078 c701  n.......0q...x..
0000010: 3071 be99 d078 c701 3071 be99 d078 c701  0q...x..0q...x..
0000020: 3071 be99 d078 c701 0000 0000 0000 0000  0q...x..........
0000030: 0000 0000 0000 0000 2000 0000 0000 0000  ........ .......
0000040: 0c02 4200 4100 4e00 4400 4900 5400 7e00  ..B.A.N.D.I.T.~.
0000050: 3100 2e00 4a00 5000 4700                 1...J.P.G.

root@rock:~/ntfs_pract # icat -o 59 ntfs_pract.dd 112-48-2 | xxd
0000000: 6e00 0000 0000 0100 3071 be99 d078 c701  n.......0q...x..
0000010: 3071 be99 d078 c701 3071 be99 d078 c701  0q...x..0q...x..
0000020: 3071 be99 d078 c701 0000 0000 0000 0000  0q...x..........
0000030: 0000 0000 0000 0000 2000 0000 0000 0000  ........ .......
0000040: 1f01 6200 6100 6e00 6400 6900 7400 2d00  ..b.a.n.d.i.t.-.
0000050: 7300 7400 7200 6500 6500 7400 6f00 7200  s.t.r.e.e.t.o.r.
0000060: 7400 7200 6100 6300 6b00 3200 3000 3000  t.r.a.c.k.2.0.0.
0000070: 3500 3000 3500 3600 2e00 6a00 7000 6700  5.0.5.6...j.p.g.
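The two $FILE_NAME attributes dumped above, parsed field by field in an added Python example that is not part of the Sleuthkit or of the original guide: parent MFT reference, the four FILETIME stamps, sizes, flags, namespace byte and the UTF-16LE name. The hex is copied from the xxd output above; the field layout is the standard NTFS $FILE_NAME structure, and timestamps are converted to UTC, so they read four hours later than the local-time values istat printed.

```python
"""Parse the NTFS $FILE_NAME attribute bytes that icat extracted above.

Added example, not part of the Sleuthkit. The two hex dumps are the xxd
output of attributes 112-48-3 and 112-48-2 from the text. Layout of the
fixed part of $FILE_NAME (66 bytes), all little-endian:
  0  parent MFT reference (48-bit entry number + 16-bit sequence)
  8  created, 16 modified, 24 MFT modified, 32 accessed (FILETIME each)
  40 allocated size, 48 actual size
  56 flags, 60 reparse value
  64 name length in UTF-16 characters, 65 namespace
  66 name, UTF-16LE
"""
import struct
from datetime import datetime, timedelta, timezone

DUMP_48_3 = """
6e00 0000 0000 0100 3071 be99 d078 c701
3071 be99 d078 c701 3071 be99 d078 c701
3071 be99 d078 c701 0000 0000 0000 0000
0000 0000 0000 0000 2000 0000 0000 0000
0c02 4200 4100 4e00 4400 4900 5400 7e00
3100 2e00 4a00 5000 4700
"""

DUMP_48_2 = """
6e00 0000 0000 0100 3071 be99 d078 c701
3071 be99 d078 c701 3071 be99 d078 c701
3071 be99 d078 c701 0000 0000 0000 0000
0000 0000 0000 0000 2000 0000 0000 0000
1f01 6200 6100 6e00 6400 6900 7400 2d00
7300 7400 7200 6500 6500 7400 6f00 7200
7400 7200 6100 6300 6b00 3200 3000 3000
3500 3000 3500 3600 2e00 6a00 7000 6700
"""

NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS", 3: "Win32 & DOS"}
FILE_ATTRIBUTE_ARCHIVE = 0x20
HEADER_LEN = 66  # fixed part of $FILE_NAME before the name characters


def filetime_to_utc(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(
        microseconds=filetime // 10)


def parse_file_name(data):
    """Decode one $FILE_NAME attribute; raises ValueError if it is truncated."""
    if len(data) < HEADER_LEN:
        raise ValueError("attribute shorter than the fixed $FILE_NAME header")
    parent_ref, created, modified, mft_modified, accessed = \
        struct.unpack_from("<5Q", data, 0)
    alloc_size, real_size, flags, _reparse = struct.unpack_from("<QQII", data, 40)
    name_len, namespace = data[64], data[65]
    name_end = HEADER_LEN + 2 * name_len
    if len(data) < name_end:
        raise ValueError(f"name needs {name_end} bytes, attribute has {len(data)}")
    return {
        "parent_entry": parent_ref & 0xFFFFFFFFFFFF,  # low 48 bits
        "parent_sequence": parent_ref >> 48,          # high 16 bits
        "created": filetime_to_utc(created),
        "file_modified": filetime_to_utc(modified),
        "mft_modified": filetime_to_utc(mft_modified),
        "accessed": filetime_to_utc(accessed),
        "allocated_size": alloc_size,
        "actual_size": real_size,
        "flags": flags,
        "archive": bool(flags & FILE_ATTRIBUTE_ARCHIVE),
        "namespace": NAMESPACES.get(namespace, f"unknown ({namespace})"),
        "name": data[HEADER_LEN:name_end].decode("utf-16-le"),
    }


if __name__ == "__main__":
    for label, dump in (("112-48-3", DUMP_48_3), ("112-48-2", DUMP_48_2)):
        info = parse_file_name(bytes.fromhex(dump))
        print(label, info["namespace"], repr(info["name"]),
              "parent", info["parent_entry"], "created", info["created"])
```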

The same idea is extended to other attributes of a file, most notably the Alternate Data Streams or ADS. By showing us the existence of multiple attribute identifiers for a given file, the Sleuthkit gives us a way of detecting potentially hidden data. We cover this in our next exercise.


Sleuthkit Exercise #5 - NTFS Examination: ADS
First, to see what we are discussing here, in case the reader is not familiar with alternate data streams, we should compare the output of a normal file listing with that obtained through a forensic utility. Obviously, when examining a system, it may be useful to get a look at all of the files contained in an image. We can do this two ways. The first way would be to simply mount our image with the loopback device and get a file listing. We will do this to compare a method using standard command line utilities that we used in the past with a method using the Sleuthkit tools. Remember that the mount command works on file systems, not disks. The file system in this image starts 59 sectors into the image, so we mount using an offset. We can then obtain a simple list of files using the find command:
root@rock:~/ntfs_pract # mount -t ntfs -o ro,loop,offset=30208 ntfs_pract.dd /mnt/analysis/
root@rock:~/ntfs_pract # cd /mnt/analysis/

root@rock:~/analysis # find . -type f
./Cookies/buckyball@as-eu.falkag[2].txt
./Cookies/buckyball@2o7[1].txt
./Cookies/buckyball@ad.yieldmanager[1].txt
./Cookies/buckyball@specificclick[1].txt
./Cookies/buckyball@store.makezine[1].txt
./Cookies/buckyball@store.yahoo[2].txt
... [content removed]
./Favorites/2600 The Hacker Quarterly.url
... [content removed]
./My Documents/My Pictures/Tails/GemoTailG4.jpg
./My Documents/signatures.pdf
./My Documents/ULTIMATEJOURNEYDK.wmv
./My Documents/Webstuff/bandit2.jpg
./My Documents/Webstuff/m2_flat_CF.jpg
./My Documents/Webstuff/service1.jpg
./My Documents/Webstuff/Thumbs.db
./NTUSER.DAT
./SVstunts.avi                <--- Take note of this file

We mount the image with an offset of 30208 (59*512) to access the NTFS file system. We then change to the directory containing our mounted image and run our find command, starting in the current directory (.), looking for all regular files (-type f). The result gives us a list of all the allocated regular files on the mount point. Of particular interest in this output is the last file in the list, SVstunts.avi. Take note of this file. Our current method of listing files, however, gives us no indication of why this file is noteworthy. The output of the file command shows us the expected output. It is an avi video. Were we to install a video player and the proper codecs, we would see that it is, in fact, a normal video.[21]


root@rock:~/ntfs_pract # file /mnt/analysis/SVstunts.avi
/mnt/tmp/SVstunts.avi: RIFF (little-endian) data, AVI, 160 x 120, 15.00 fps, video: Cinepak

Now let's try another method of obtaining a file list. Since this is a forensic examination, let's use a forensic tool to give us a list of files. We will use the fls command with the -F option to show only files, and the -r option to recurse through directories (starting from the root directory, by default). The "..." signifies removed output for brevity.


root@rock:~/ntfs_pract # fls -Fr -o 59 -f ntfs ntfs_pract.dd
r/r 4-128-4:    $AttrDef
r/r 8-128-2:    $BadClus
r/r 8-128-1:    $BadClus:$Bad
r/r 6-128-1:    $Bitmap
...
r/r 0-128-1:    $MFT
r/r 1-128-1:    $MFTMirr
r/r 9-128-8:    $Secure:$SDS
...
r/r * 42-128-1: Cookies/buckyball@revsci[2].txt
r/r * 43-128-1: Cookies/buckyball@search.msn[1].txt
r/r * 44-128-1: Cookies/buckyball@slashdot[1].txt
...
r/r 128-128-3:  My Documents/My Pictures/Thumbs.db
r/r 128-128-4:  My Documents/My Pictures/Thumbs.db:encryptable
r/r * 112-128-4: My Documents/My Pictures/bandit-streetortrack2005056.jpg
r/r * 116-128-4: My Documents/My Pictures/fighterama2005-ban4.jpg
r/r 129-128-4:  My Documents/Osuny Articles courtesy of BIOC Agent.doc
r/r 130-128-4:  My Documents/signatures.pdf
r/r 131-128-4:  My Documents/ULTIMATEJOURNEYDK.wmv
r/r 133-128-3:  My Documents/Webstuff/bandit2.jpg
r/r 134-128-4:  My Documents/Webstuff/m2_flat_CF.jpg
r/r 135-128-3:  My Documents/Webstuff/service1.jpg
r/r 136-128-3:  My Documents/Webstuff/Thumbs.db
r/r * 81-128-4: My Documents/direct_attacks.doc
r/r 138-128-3:  NTUSER.DAT
r/r 137-128-3:  SVstunts.avi                  <--- Using fls we now see
r/r 137-128-4:  SVstunts.avi:hacktrap.txt          two entries for this file

[21] You can use the xine player on a standard Slackware installation.


Note that fls displays far more information for us than our find command on the mounted file system. Included with our regular files are the NTFS system files (starting with the $), including the $MFT and $MFTMirr (record numbers 0 and 1). Also note the last file in the list again, SVstunts.avi. In the output of fls, SVstunts.avi has two entries:


r/r 137-128-3:  SVstunts.avi
r/r 137-128-4:  SVstunts.avi:hacktrap.txt

Both entries have the same MFT record number and are identified as file data (137-128) but the attribute identifier increments by one (137-128-3 and 137-128-4).[22] This is an example of an Alternate Data Stream (ADS). Accessing the standard contents (137-128-3) of SVstunts.avi is easy, since it is an allocated file. However, we can access either data stream, the normal data or the ADS, by using the Sleuthkit command icat, much as we did with the two file name types in our previous exercise. We simply call icat with the complete MFT record entry, to include the alternate attribute identifier. To view the contents of the ADS (137-128-4):


root@rock:~/ntfs_pract # icat -o 59 -f ntfs ntfs_pract.dd 137-128-4
<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>
/||                                                             ||\
\||            P R O F E S S O R   F A L K E N ' S              ||/
/||                                                             ||\
\||                        GUIDE TO                             ||/
/||                                                             ||\
\||            *****   *****   ****    *****                    ||/
/||            *   *   *       *   *   *                        ||\
\||            *   *   *       *   *   *****                    ||/
/||            *   *   *       *   *       *                    ||\
\||            *****   *****   ****    *****                    ||/
/||                                                             ||\
\||            HACKING               SECURITY                   ||/
/||                                           (C)1988           ||\
<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>-<()>

First I'd like to thank the following people for thier contributions
<continues>

Pipe the results through less to see the whole file, or redirect the output to another file.

[22] Again, I would urge you to read Carrier's book: File System Forensic Analysis.
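The following is an added example, not a Sleuthkit tool, that automates the check just described: it parses fls -Fr output (the lines are copied from the listing above, with the elided "..." ranges left out) and reports every MFT record that has more than one $DATA attribute. Since an NTFS file has only one unnamed $DATA stream, a second $DATA attribute on the same record is always a named stream. The regular expression and the function names are my own.

```python
"""Find MFT records with more than one $DATA stream in "fls -Fr" output.

Added example for this guide; it is not part of the Sleuthkit and only parses
the text that fls prints. The sample lines below are copied from the listing
above (the "..." ranges are omitted).
"""
import re
from collections import defaultdict

FLS_OUTPUT = """\
r/r 4-128-4:    $AttrDef
r/r 8-128-2:    $BadClus
r/r 8-128-1:    $BadClus:$Bad
r/r 6-128-1:    $Bitmap
r/r 0-128-1:    $MFT
r/r 1-128-1:    $MFTMirr
r/r 9-128-8:    $Secure:$SDS
r/r * 42-128-1: Cookies/buckyball@revsci[2].txt
r/r 128-128-3:  My Documents/My Pictures/Thumbs.db
r/r 128-128-4:  My Documents/My Pictures/Thumbs.db:encryptable
r/r * 112-128-4: My Documents/My Pictures/bandit-streetortrack2005056.jpg
r/r 138-128-3:  NTUSER.DAT
r/r 137-128-3:  SVstunts.avi
r/r 137-128-4:  SVstunts.avi:hacktrap.txt
"""

# One fls line: "<dir type>/<meta type> [*] <record>-<attr type>-<attr id>: <name>"
# The "*" marks a deleted entry.
FLS_LINE = re.compile(
    r"^(?P<types>\S+)\s+(?P<deleted>\*\s+)?"
    r"(?P<rec>\d+)-(?P<atype>\d+)-(?P<aid>\d+):\s+(?P<name>.*)$"
)
NTFS_DATA_ATTR = 128   # attribute type of $DATA


def parse_fls(text):
    """Turn fls output into a list of dicts; lines that are not entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = FLS_LINE.match(line.strip())
        if not m:
            continue
        entries.append({
            "record": int(m.group("rec")),
            "attr_type": int(m.group("atype")),
            "attr_id": int(m.group("aid")),
            "name": m.group("name").rstrip(),
            "deleted": m.group("deleted") is not None,
        })
    return entries


def data_streams_by_record(text):
    """Map MFT record number -> [(attr id, name, deleted)] for $DATA attributes only."""
    streams = defaultdict(list)
    for e in parse_fls(text):
        if e["attr_type"] == NTFS_DATA_ATTR:
            streams[e["record"]].append((e["attr_id"], e["name"], e["deleted"]))
    return dict(streams)


def multi_stream_records(text):
    """Records carrying more than one $DATA attribute, i.e. at least one named stream."""
    return {rec: s for rec, s in data_streams_by_record(text).items() if len(s) > 1}


def named_streams(text):
    """Entry names of the form file:stream (fls appends the stream name after a colon)."""
    return [e["name"] for e in parse_fls(text) if ":" in e["name"].rsplit("/", 1)[-1]]


if __name__ == "__main__":
    for rec, streams in sorted(multi_stream_records(FLS_OUTPUT).items()):
        for attr_id, name, deleted in streams:
            print("%d-%d-%d %s%s" % (rec, NTFS_DATA_ATTR, attr_id,
                                     "(deleted) " if deleted else "", name))
```

On the sample lines this reports records 8 ($BadClus with its $Bad stream), 128 (Thumbs.db:encryptable) and 137 (SVstunts.avi:hacktrap.txt). Named streams on NTFS metadata files are normal, so the output is a starting point for the examiner, not a verdict; a deleted record keeps its streams as well, which is why the deleted flag is carried through.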


Sleuthkit Exercise #6 - NTFS Examination: Sorting Files
We will now explore a Sleuthkit tool we have not looked at yet. Many forensic tools provide a mechanism for categorizing files based on type. This reduces the amount of time examiners need to spend finding files of interest. The Sleuthkit provides this function through the sorter command. This tool parses the allocated and unallocated files of a file system and tests their headers for file type (remember the file command from our earlier exercise?). The sorter command is highly configurable. The default files are found in the ./share/sorter directory of the Sleuthkit installation. The file default.sort is used for all operating systems, and there are also configuration files specific to each operating system. There are a number of ways sorter can report its findings. It is useful to have the categories of files written out to a directory specified by the analyst. First we need to create a directory to write these results to:
root@rock:~/ntfs_pract # mkdir sort_out

Let's run the command and have a look at the output. There are lots of options available for sorter. Here's the command we'll use:
root@rock:~/ntfs_pract # sorter -d ./sort_out -md5 -h -s -o 59 -f ntfs ntfs_pract.dd
Analyzing "ntfs_pract.dd"

Loading Allocated File Listing
Processing 138 Allocated Files and Directories
100%

Loading Unallocated File Listing
Processing 23 Unallocated meta-data structures
100%

All files have been saved to: ./sort_out

We call the sorter command with the -d <output directory> option to write our results and categorize the files. The -md5 option hashes the files for us. We use the -h option to create html output rather than the default text files. The -s option copies the categorized files to the output directory and the other options are the standard Sleuthkit options required to specify the file system.


Our output ends up in the ./sort_out directory:
root@rock:~/ntfs_pract # ls sort_out/
archive/      audio.html  disk/           documents.html  images/      mismatch.html  text.html
archive.html  data/       disk.html       exec/           images.html  system/        text/
audio/        data.html   documents/      exec.html       index.html   system.html    unknown.html

Note that we have an index.html file. This can be opened in our Web browser of choice. We also have a set of directories containing our files (exported with the -s option) and html pages for each. The index page, generated from our above sorter command, looks like this:

The page is basic html and easy to edit for your report. The name of the image used as input is given along with basic information about the numbers of allocated and unallocated files processed. Note that we are also given the number of, and a link to, Extension Mismatches, where the file header information identified a file different than the extension on the file name.
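An added example (not sorter's code and not its configuration files) of the header-versus-extension comparison behind the "Extension Mismatches" count: a small constructed magic table stands in for the file command, and five constructed in-memory files are sorted, one of which is a JPEG stored under a .txt name. The category names follow the directories sorter created above; everything else is an assumption made for the example.

```python
"""Categorize files by header bytes and flag extension mismatches, sorter-style.

Added example for this guide, not sorter itself. MAGIC is a tiny constructed
table in place of the file command; SAMPLES are constructed in memory.
"""
import os

# (category, header bytes, extensions that legitimately carry that header)
MAGIC = [
    ("images", b"\xff\xd8\xff", {"jpg", "jpeg"}),
    ("images", b"\x89PNG\r\n\x1a\n", {"png"}),
    ("documents", b"%PDF-", {"pdf"}),
    ("archive", b"PK\x03\x04", {"zip"}),
]

# Constructed sample files: name -> first bytes of content.
SAMPLES = {
    "photo1.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01",
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "readme.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01",   # a JPEG behind a .txt name
    "bundle.zip": b"PK\x03\x04\x14\x00\x00\x00",
    "blob.dat": b"\x00\x01\x02\x03\x04\x05\x06\x07",              # nothing in the table matches
}


def classify(name, data):
    """Return (category, mismatch) for one file, judging only by its header."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    for category, magic, exts in MAGIC:
        if data.startswith(magic):
            # The header decides the category; the extension only decides "mismatch".
            return category, ext not in exts
    return "unknown", False   # unrecognised headers cannot be checked against anything


def sort_files(files):
    """files: {name: bytes}. Returns ({category: [names]}, [names whose extension lies])."""
    categories, mismatches = {}, []
    for name in sorted(files):
        category, mismatch = classify(name, files[name])
        categories.setdefault(category, []).append(name)
        if mismatch:
            mismatches.append(name)
    return categories, mismatches


if __name__ == "__main__":
    cats, bad = sort_files(SAMPLES)
    for category, names in sorted(cats.items()):
        print(category, names)
    print("extension mismatches:", bad)
```

Anything the table does not recognise lands in "unknown" and can never be a mismatch, which is also why sorter's real configuration files matter: a file type the tool does not know about is a file type it cannot check.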


If you look down the list of categories, you will see images. The sorter command found 17 images (pictures). You can click on the images link and see information for each file found, including a link to the exported image:

images Category

My Documents/My Pictures/b45ac806a965017dd71e3382581c47f3_refined.jpg
JPEG image data, JFIF standard 1.01
Image: ntfs_pract.dd  Inode: 111-128-4
MD5: 2c966ade4ff16ef8fe95e6607987644e
Saved to: images/ntfs_pract.dd-111-128-4.jpg
<continues>

Or you can click on thumbnails to view the pictures together:

As we can see, sorter provides a very convenient way to organize files based on type. This is a powerful tool with fully customizable configuration files where you can limit what is categorized and processed. Read the man pages. There are options available in sorter to utilize hash databases for further data reduction and other useful features.

What we have seen here are simple (and in many ways incomplete) examples of the Sleuthkit's command line tools for forensic examination. If you are left a little confused, just go through the exercises and steps one at a time. If you don't understand the commands or options, check the usage and read the man pages and Sleuthkit documentation. Run through the exercise a couple of times, and the purpose and outcome will make more sense. Take your time and experiment a little with the options.


Sleuthkit Exercise #7 - Signature Search in Unallocated Space
Now let's do the same sort of unallocated analysis we did in Exercise #3, but this time instead of searching for text data, we will look for file signatures. This will give us an opportunity to introduce another useful Sleuthkit tool, sigfind. For this particular exercise, we'll use the NTFS image we used previously, ntfs_pract.dd. Change to the directory containing that image and let's begin. As always, we start with mmls to help us identify the offset of the file system within the image that we are interested in.
root@rock:~/NTFS# mmls ntfs_pract.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000058   0000000058   Unallocated
02:  00:00   0000000059   0001023059   0001023001   NTFS (0x07)
03:  -----   0001023060   0001023999   0000000940   Unallocated

Here we want to study the unallocated data from the NTFS file system at sector offset 59. So we issue our blkls command and redirect the output to another file:


root@rock:~/NTFS# blkls -o 59 ntfs_pract.dd > ntfs_pract.blkls
root@rock:~/NTFS# ls -lh
total 995M
-rw-r--r-- 1 root root 478M 2008-06-09 10:01 ntfs_pract.blkls

Once again, the output file is arbitrarily named. I give it a .blkls extension for the sake of simplicity. Now, let's go ahead and search the unallocated image we created for JPEG images. We use these JPEG picture files for our example because most experienced forensic examiners are familiar with the signatures.

To do this search, we could use the string JFIF, a known component of JPEG file signatures. Using xxd to give us an ASCII representation of the file, we could simply search using grep for the characters JFIF, take note of the offsets and work from there, much like we did in our "Data carving with dd" exercise. In that case, though, we looked for the ffd8 hex signature. We then had to do a number of calculations to convert the xxd hex values, etc. Refer back to the "Data carving with dd" exercise for more info and a refresher on how we did this.

There are issues with using grep to search for data in a forensic image or file system. Aside from having to rely on values and conversions from xxd (which gives us our ASCII representation for grep), another problem with using grep is that it is completely unaware of sector or data block boundaries. The grep program is actually designed to search for text in files, not signatures in forensic images or file systems. Depending on the system being employed, there may also be file size (addressing) limitations with using grep on large images.

So instead, let's have a look at a far more forensic-friendly signature search tool provided by the Sleuthkit. This tool, sigfind, is designed to look for hex signatures with search block sizes specified by the user and offsets to the signature within that block size.

sigfind is most commonly used to search for signatures of disk structures, and is particularly well suited to this task, because in addition to showing each hit, it shows the distance from the previous hit. This is helpful in that it allows a knowledgeable examiner to determine the veracity of hits by the expected frequency and distance between certain file system structures (like EXT superblocks, for example). In fact, sigfind works with a number of templates that are supported by the -t option. Run the command with -t to see a list of included templates.
As we mentioned, a file system's block size can be passed to sigfind so that each block can be searched for the proper expression at a given offset, which helps account for cluster-aligned files or structures.[23] We already determined the cluster size in the ntfs_pract.dd NTFS file system is 4096 (found using fsstat). It is important for a Sleuthkit beginner to realize that the offset we provide to the sigfind command is different from the offset we provide in other Sleuthkit commands. In most Sleuthkit commands that are passed an offset option with -o we are referring to the location (offset in sectors) of a file system within a forensic image. In the case of sigfind the offset we pass with -o is the offset to the specified signature from the start of each block being searched, as specified by block size (-b).

[23] But will not help with files embedded within other files, of course.


For example, the man page for sigfind gives the example of searching for a boot sector signature with the command:
root@rock:~/NTFS# sigfind -o 510 -l AA55 disk.dd

In this case, the block size is the default 512 (no -b option is given). The -o 510 tells sigfind to look for the signature 510 bytes into every sector it searches. The -l option refers to the endian ordering of the signature.

Back to our exercise at hand... We must also keep in mind that sigfind takes hex as its signature string, so unlike grep, we cannot simply search for JFIF. We need to convert the ASCII string to hex. This is easily done by echoing the string to xxd with the -p option (continuous or plain dump):


root@rock:~/NTFS# echo -n JFIF | xxd -p
4a464946

Also note in the above command, we use the -n option to echo to prevent a newline character from being passed to xxd as well. The hex signature we are going to search for is 4A464946 (JFIF). We can now do our sigfind command.


root@rock:~/NTFS# sigfind -b 4096 -o 6 4A464946 ntfs_pract.blkls
Block size: 4096  Offset: 6  Signature: 4A464946
Block: 57539 (-)
Block: 57582 (+43)

The command above shows us running sigfind with a block size (-b) of 4096 (from fsstat output), an offset (-o) of 6, and a signature of 4A464946 on the extracted unallocated space ntfs_pract.blkls. As you can see, we come up with two hits. Now we use the blkcalc command to determine the block address of the unallocated block in the original image.


root@rock:~/NTFS# blkcalc -o 59 -u 57539 ntfs_pract.dd
60533

Above, we called blkcalc with -u 57539 to indicate that we are passing an address from an unallocated image provided by blkls. The file system this unallocated block was extracted from is in our ntfs_pract.dd image at sector offset 59. The result shows us that unallocated block 57539 in our blkls image maps to data block 60533 in the original file system.

Now that we have the data block (60533) in the original file system, we can use ifind to identify the meta data structure that is assigned to that data block. In this case the meta data structure is an MFT entry, since we are working with an NTFS file system.
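The two mechanical steps in this procedure, the block-aligned search and the mapping from a blkls block back to a file system block, are easy to misread, so here is an added example (not Sleuthkit code) that reproduces both in Python on constructed data: a 64-block buffer with two JPEG headers placed on cluster boundaries and one stray "JFIF" string in the middle of a block, plus a made-up allocation pattern in which every third block is allocated. The block numbers, the pattern and the function names are assumptions made for the example; the hex conversion is the one "echo -n JFIF | xxd -p" performed above.

```python
"""Block-aligned signature search (what "sigfind -b/-o" does) and the
blkls-to-file-system block mapping (what "blkcalc -u" does), on constructed data.

Added example for this guide, not Sleuthkit code. Block numbers, the allocation
pattern and the sample buffer are made up for the demonstration.
"""

BLOCK_SIZE = 4096                              # cluster size reported by fsstat in the exercise
JFIF_SIG_HEX = "JFIF".encode("ascii").hex()    # "4a464946", same as: echo -n JFIF | xxd -p


def sigfind(data, signature_hex, block_size=512, offset=0):
    """Return [(block, distance from previous hit or None)] for every block whose
    bytes at `offset` equal the signature, mirroring sigfind's "(-)" / "(+N)" output."""
    sig = bytes.fromhex(signature_hex)
    hits, prev = [], None
    for blk in range(len(data) // block_size):
        pos = blk * block_size + offset
        if data[pos:pos + len(sig)] == sig:
            hits.append((blk, None if prev is None else blk - prev))
            prev = blk
    return hits


def grep_count(data, signature_hex):
    """Boundary-unaware count: how many times a plain byte search sees the string."""
    return data.count(bytes.fromhex(signature_hex))


def blkcalc_u(unallocated_blocks, blkls_block):
    """blkls writes the unallocated blocks of a file system in address order, so
    block N of the blkls image is the N-th unallocated block of the original
    file system. blkcalc -u does this lookup from the real allocation bitmap."""
    return unallocated_blocks[blkls_block]


def build_sample():
    """64 zeroed blocks with JPEG headers at blocks 3 and 46 and a stray 'JFIF' in block 10."""
    buf = bytearray(64 * BLOCK_SIZE)
    # SOI marker, APP0 marker, segment length 0x0010, then "JFIF": the string
    # therefore sits 6 bytes into the block, which is why the exercise uses -o 6.
    jpeg_head = bytes.fromhex("ffd8ffe00010" + JFIF_SIG_HEX)
    for blk in (3, 46):
        buf[blk * BLOCK_SIZE:blk * BLOCK_SIZE + len(jpeg_head)] = jpeg_head
    pos = 10 * BLOCK_SIZE + 100        # e.g. the word inside a text file: not cluster-aligned
    buf[pos:pos + 4] = b"JFIF"
    return bytes(buf)


# Constructed allocation state: blocks divisible by 3 are allocated, the rest are not.
UNALLOCATED = [b for b in range(200) if b % 3 != 0]


def run():
    data = build_sample()
    hits = sigfind(data, JFIF_SIG_HEX, BLOCK_SIZE, 6)
    mapped = [blkcalc_u(UNALLOCATED, blk) for blk, _ in hits]
    return hits, grep_count(data, JFIF_SIG_HEX), mapped


if __name__ == "__main__":
    hits, plain, mapped = run()
    print("Block size: %d  Offset: 6  Signature: %s" % (BLOCK_SIZE, JFIF_SIG_HEX.upper()))
    for blk, dist in hits:
        print("Block: %d (%s)" % (blk, "-" if dist is None else "+%d" % dist))
    print("plain byte search sees %d occurrences" % plain)
    print("blkls blocks %s map to file system blocks %s" % ([b for b, _ in hits], mapped))
```

sigfind reports blocks 3 and 46 with a distance of +43, the same shape as the "(-)" and "(+43)" lines above, while the boundary-unaware count finds three occurrences because it also sees the string inside block 10. The mapping only holds because blkls preserves address order; the real blkcalc reads the file system's allocation bitmap to do the same lookup.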


root@rock:~/NTFS# ifind -o 59 -d 60533 ntfs_pract.dd
112-128-4

The MFT entry is 112-128-4 or simply 112 (the 128-4 portion denotes the $DATA attribute identifier). We can use ffind to determine the file name that holds (or held) that particular MFT entry. Be very careful of interpretation here. As always, you need to have a firm grip on how the file system works before deciding that the information being presented is accurate, depending on the file system being examined.


root@rock:~/NTFS# ffind -o 59 ntfs_pract.dd 112
* /My Documents/My Pictures/bandit-streetortrack2005056.jpg

Recovering the deleted file using icat and piping the results to the file command indicates that we have found a JPEG image, which the previous ffind command indicated may have been called bandit-streetortrack2005056.jpg.


root@rock:~/NTFS# icat -o 59 ntfs_pract.dd 112 | file -
/dev/stdin: JPEG image data, JFIF standard 1.02

Recall now our original sigfind output:
root@rock:~/NTFS# sigfind -b 4096 -o 6 4A464946 ntfs_pract.blkls
Block size: 4096  Offset: 6  Signature: 4A464946
Block: 57539 (-)
Block: 57582 (+43)

We have already recovered (or at least identified) the deleted file at unallocated block 57539 in our blkls image. Running those same commands on the second hit at 57582 will give us this:

root@rock:~/NTFS# blkcalc -u 57582 -o 59 ntfs_pract.dd
60662
root@rock:~/NTFS# ifind -o 59 -d 60662 ntfs_pract.dd
116-128-4
root@rock:~/NTFS# ffind -o 59 ntfs_pract.dd 116
* /My Documents/My Pictures/fighterama2005-ban4.jpg
root@rock:~/NTFS# icat -o 59 ntfs_pract.dd 116 | file -
/dev/stdin: JPEG image data, JFIF standard 1.01

We have another JPEG, this one at MFT entry 116, and named fighterama2005-ban4.jpg. We can actually recover both files by using icat and redirecting to new files. I've named the files by their MFT entry and the .jpg extension, since the file command confirmed that's what they are.


root@rock:~/NTFS# icat -o 59 ntfs_pract.dd 112 > 112.jpg
root@rock:~/NTFS# icat -o 59 ntfs_pract.dd 116 > 116.jpg

You can now view the files with any graphics viewer you might have available. For example, you can use the display command:

root@rock:~/NTFS# display 112.jpg
<shows image on desktop>


SMART for Linux
SMART, by ASR Data, is a commercial (not free) GUI-based forensic tool for Linux that has a great interface allowing access to a full set of forensic analysis capabilities. http://www.asrdata.com/SMART/

SMART splash screen and login.

Following is a small tour to give you a taste of the SMART interface. The official user manual for SMART is packed with useful information, and this section is not meant to be an exhaustive manual. We are just providing a brief overview of some of SMART's major capabilities. If you would like to follow along, there is an evaluation version (no acquisition or export capability) of SMART available at:[24]

http://www.asrdata2.com/

The evaluation version also comes with the SMART manual in PDF format. A worthwhile read.

[24] The evaluation file is in bz2 format. Untar with the xjvf switches, change to the resulting directory and read the INSTALL file.


Opening SMART provides the user with a view of the physical layout of all the devices recognized on the system, including internal and external drives. This gives the examiner an overall picture of what file systems reside on each drive, the sizes of each partition, and the amount of unallocated space on the drive.

SMART's opening window, with device identification.

SMART is a right-click driven program. Most functions available to an examiner for a given object are accessed through a mouse-driven menu system. For instance, right-clicking on a physical device (disk or partition) provides a menu that includes "Acquire". Selection of this item provides a dialog box to allow forensic imaging.


Forensic image acquisition dialog box. Red text indicates incomplete items...

The "image" tab, under "acquire".


Case management under SMART is straightforward. Once a forensic image (or multiple images) is added as evidence to a case, SMART will parse the image and provide details on the contents. Here we've opened a new case called "NTFS Practical" and added our ntfs_pract.dd image to that case:

A SMART view of our evidence image.

We see each of the partitions as a graphical representation of the same sort of information we might gather using fdisk -l or mmls on a physical disk. Right-clicking on a partition allows you to "Study" it and obtain information and a file listing (including deleted files). In our NTFS example, we can right-click on the NTFS partition at sector offset 59, select Filesystem > SMART > Study and obtain the following information:


File system information obtained from an FS "Study".

At the bottom of this output, we see options that allow us to export a full file listing as an HTML file or as a tab-delimited file (suitable for importing into spreadsheets, etc.). Note also that we can directly view a file list using the "File List" button. In addition to giving us access to a visual representation of the file list (to include deleted files), this is also where we can go to start our logical analysis.


File listing obtained from a "studied" file system.


Right-click menu on a deleted file.

The right-click menu displayed for a file in a file listing allows you to perform a number of tasks. In the above screenshot, we see that we have the ability to export the contents or view detailed information of the deleted cookie file.

SMART Filtering
Within SMART, there are two major ways to parse for information. The first is by using filtering. Filtering works at the logical level. Filters are based on file metadata like modified, accessed and created times; or file names and extensions; or attributes like deleted or allocated, etc. The other method is by searching, which is done at the physical level using either complex expressions or simple terms. We will briefly describe each method here, starting with filtering.

Continuing with our file list, let's move to the "Filter" tab. The filter list is currently empty. Right-click in the empty space and select Add New Filter > Active/Deleted Filter. This simple filter, when applied using the button at the bottom of the dialog, will alter our file list to show only deleted files:

Adding the Active/Deleted Filter

Clicking back on our "File List" tab shows us all seven of the deleted files we identified in our earlier Sleuthkit exercise:

SMART also comes with a decent set of pre-defined filters that can be used out of the box. These are listed under the right-click menu item "Term Library". The ability to stack filters provides even more power. Suppose we want to view only a list of deleted graphical images. We leave the Active/Deleted filter in place, right-click in the empty space below it and select Term Library > Graphics Files. Note that the pre-defined filter "Graphics Files" is populated with expressions that will identify graphics images by their extensions. This set of expressions can be further adjusted to include or exclude files depending on the examiner's preference.


Two Filters in place: Active/Deleted and Graphics Files

After applying the above stacked filters, our file listing is pared down to only deleted graphics files.

Filtered for deleted graphics files

SMART Filtering - Viewing Graphics Files
SMART has a built-in graphics viewing capability that allows you to view images in a separate window. Thumbnail images can be browsed or reviewed using a configurable slideshow function. Individual files can be selected for viewing, or groups of files can be displayed together. To illustrate this capability, let's load the Graphics Files filter, by itself, from SMART's filter term library. Note that filters can be cleared from the filter list by clicking on the small box with the "X" in the top right-hand corner of the filter definition.


Setting the Graphics filter by itself

The resulting file list shows us all the graphics files (by extension, from our filter expression) within the selected partition (NTFS partition at sector offset 59, from the main SMART window). Left-click on the top file to select it, then shift+left-click on the bottom file to select the entire list. Right-click on the selected area, and go to View > As Graphic Data.

Select the entire list and right-click to access the view menu

This will automatically open the graphics catalog. Also note that selected files can be hashed, exported or have detailed information displayed.

SMART's built-in Graphics Viewer

From this window, the files can be browsed by pointing and clicking, or viewed via the slideshow mentioned earlier. The slideshow speed is set under the File > Preferences dialog in the main SMART window. Files of particular interest can be flagged and marked with comments.

SMART Searching
In addition to the filtering capability, SMART has a powerful search function. As with most SMART commands, this one is also accessed through the right-click menu. To illustrate SMART's searching ability, we will duplicate our string search within the able2.dd image. Recall in Sleuthkit Exercise #2 we searched our disk image for the simple string "cybernetik". We will do the same here, and compare the output. First we must add our able2.dd image to our current case in SMART's main screen. Alternatively, you can open another case and add the image there.

Once the image has been added, from the main Case screen, right-click on the able2.dd image and select "Search". We are clicking on the image entry, not on any particular partition; remember, we want to search the entire image.

In the resulting search window, right-click again on the empty space and select Add New Term > Simple Term. Note that the search function also comes with an extensive library of search terms available to assist an examiner in finding common artifacts. In the resulting term box, type "cybernetik". Remember that we are searching the entire disk for this string, just as we did in the previous Sleuthkit exercise.


When the search is started, you are presented with a progress indicator.

Progress indicator

The results are then displayed:

Search hits showing offset to the hit and highlighted context

As with our previous able2.dd search exercise, we have four hits. Review the output of our grep string search of able2.dd on page 147. Upon examination, we see that these are the same four hits. The offsets provided by our original grep command and SMART differ slightly as a result of how the offsets are calculated. Recall that grep works on lines of output, while SMART does not. The hits, however, are the same.

We can right-click on the first search hit and view as raw data, providing us a hex view of the search hit in context. Compare this output with the output of our xxd command on page 148.

Hex View of our 1st hit


Further information can be obtained if the search is started from a particular partition rather than the physical image. Assuming that we "studied" the file systems prior to our search, right-clicking on one of our search term hits, and selecting File System > Get File Info provides us with information derived from the file system for the data located at that offset, including the inode, file meta data, etc.

This is just a very brief overview of SMART's capabilities. The SMART user guide provides far more detailed information. For example, we can use SMART to loop mount the partitions read-only with a simple click and then browse the file system in either a terminal or in the file manager of your choice. This provides us the ability to use all our favorite Linux tools to search the logical file system and display the information we need for our analysis. As with all advanced forensic tools, SMART provides excellent session and Case logging functions.


XI. Bootable Linux Distributions
For so many people, this is the "meat and potatoes" of what makes Linux such a flexible operating system. Access to a bootable CD drive and the ability to reboot the machine can now give us the power to run a full-fledged Linux box without the need to install. For those who have not seen this in action, the power you can get from a CD-ROM, or even a floppy disk, is amazing. This is not a complete list, but the following bootable distributions can give you some idea of what's available to you. There are many MANY more bootable distributions out there. Just do a Google search on "Linux bootable CD" for a sample.

Tomsrtbt - boot from a floppy
...Because there are those times when you just might need a floppy rather than a CD. This small distribution is the definition of minimalist, and it fits on one floppy. You get a decent set of drivers for NICs and file systems (including FAT and NTFS). There's a basic set of common Linux tools, including dd and rsh or nc for imaging over net connections and more. The installation (to a floppy) can be done in Windows with an included batch file. The floppy holds a surprising number of programs, and actually formats your 1.44Mb floppy to 1.722Mb. Find it at http://www.toms.net/rb/

Knoppix - Full Linux without the install
This is a CD-ROM distribution for people who want to try a full-featured Linux distribution, but don't feel like installing Linux. It includes a full Linux environment and a huge complement of software. The CD actually holds 2GB of software, including a full office suite, common network tools and just about anything else you're likely to need, all compressed to a CD-sized image. Please do not consider this a forensically sound boot disk option. There are plenty of better choices out there. But for a "gee, look what Linux can do" disk, Knoppix is hard to beat. http://www.knoppix.net

SMART Linux - It's bootable!
SMART comes in 2 different boot disk options now, providing an excellent platform with an independently verified forensic tool for acquiring and analyzing physical media. The two SMART Linux versions are a boot CD based on Ubuntu and a boot CD based on Slackware. The hardware detection is excellent. SMART's bootable CD provides an environment that you can be sure is forensically sound. It comes with a number of forensic tools pre-loaded. We've already had a glimpse of SMART's capabilities. http://www.asrdata2.com


Helix - Knoppix-based Incident Response
Helix is a bootable CD with a decidedly network forensics feel to it. When booted, it provides a Linux environment based on Knoppix that has been modified for forensic use and provides a huge number of forensics and network applications. In addition to being a bootable Linux disk, Helix also provides a Live Windows response kit. When placed in a running Windows machine, it will provide tools that can be used for gathering volatile system data. A truly diverse tool! The user guide for Helix is excellent, and gives a great overview of some of the tools available on the CD. The Helix developers pride themselves on providing a cutting-edge CD with diverse sets of tools, and support for the latest hardware. http://www.e-fense.com/helix/index.php


XII. Conclusion
The examples and practical exercises presented to you here are very simple. There are quicker and more powerful ways of accomplishing what we have done in the scope of this document. The steps taken in these pages allow you to use common Linux tools and utilities that are helpful to the beginner. At the request of many users, this guide has been expanded somewhat to incorporate more advanced tools, and exercises more related to real world scenarios.

Once you become comfortable with Linux, you can extend the commands to encompass many more options. Practice will allow you to get more and more comfortable with piping commands together to accomplish tasks you never thought possible with a default OS load (and on the command line to boot!).

I hope that your time spent working with this guide was a useful investment. At the very least, I'm hoping it gave you something to do, rather than stare at Linux for the first time and wonder "what now?"


XIII. Linux Support
Places to go for support:
Aside from the copious web site references throughout this document, there are a number of very basic sites you can visit for more information on everything from running Linux to using specific forensic tools on Linux. Here is a sample of some of the more informative sites you will find:

Slackware. Just one of many Linux distro's.
http://www.slackware.com

Learn Slackware (Slackware Linux Essentials):
http://www.slackbook.org/

Sleuthkit Wiki
http://wiki.sleuthkit.org

The Linux Documentation Project (LDP):
http://www.tldp.org

Open Source Forensic Software:
http://www.opensourceforensics.org

Software:
http://sourceforge.net/

In addition to the above list, there are a huge number of user forums, some of which are specific to Linux and computer forensics. One of my favorite forums (with an open source specific board):
http://www.forensicfocus.com

IRC (Internet Relay Chat)
Try #slackware on the Freenode network (or other suitable channel for your Linux distribution of choice). Many LinuxLEO readers have commented on the enthusiastic help received in #slackware on general Slackware and Linux questions.

A Google search will be your very best friend in most instances.
