Barry J. Grundy (bgrundy@LinuxLEO.com)
VER 3.78, December 2008
v.3.78 The Law Enforcement and Forensic Examiner's Introduction to Linux
Legalities .......... 4
Acknowledgments .......... 4
Foreword .......... 5
A Word About the GNU in GNU/Linux .......... 6
Why Learn Linux? .......... 6
Conventions Used in This Document .......... 7
I. Installation .......... 8
Distributions .......... 8
Slackware and Using This Guide .......... 11
Installation Methods .......... 12
Slackware Installation Notes .......... 12
Desktop Environment .......... 16
The Linux Kernel: Versions and Issues .......... 16
Configuring Slackware 12: 2.6 Kernel Considerations .......... 19
udev .......... 19
Hardware Abstraction Layer .......... 20
D-Bus .......... 20
2.6 Kernel and Desktops .......... 21
Rolling Your Own: The Custom Kernel .......... 21
II. Linux Disks, Partitions and the File System .......... 23
Disks .......... 23
Partitions .......... 23
Using Modules: Linux Drivers .......... 25
Device Recognition .......... 27
The File System .......... 28
III. The Linux Boot Sequence (Simplified) .......... 30
Booting the Kernel .......... 30
Initialization .......... 32
Runlevel .......... 32
Global Startup Scripts .......... 33
Service Startup Scripts .......... 33
Bash .......... 34
IV. Linux Commands .......... 36
Linux at the Terminal .......... 36
Additional Useful Commands .......... 39
File Permissions .......... 41
Metacharacters .......... 44
Command Hints .......... 44
Pipes and Redirection .......... 44
The Superuser .......... 46
V. Editing with Vi .......... 47
The Joy of Vi .......... 47
Vi Command Summary .......... 48
VI. Mounting File Systems .......... 49
The Mount Command .......... 49
The File System Table (/etc/fstab) .......... 51
VII. Linux and Forensics .......... 53
Included Forensic Tools .......... 53
Analysis Organization .......... 54
Determining the Structure of the Disk .......... 55
Creating a Forensic Image of the Suspect Disk .......... 56
Mounting a Restored Image .......... 57
Mounting the Image Using the Loopback Device .......... 58
File Hash .......... 58
The Analysis .......... 61
Making a List of All Files .......... 62
Making a List of File Types .......... 63
Viewing Files .......... 65
Searching Unallocated and Slack Space for Text .......... 66
VIII. Common Forensic Issues .......... 70
Handling Large Disks .......... 70
Preparing a Disk for the Suspect Image .......... 72
Obtaining Disk Information .......... 74
IX. Advanced (Beginner) Forensics .......... 76
The Command Line on Steroids .......... 76
Fun with DD .......... 84
Splitting Files and Images .......... 84
Compression on the Fly with DD .......... 87
Data Carving with DD .......... 91
Carving Partitions with DD .......... 94
Determining the Subject Disk File System Structure .......... 98
DD over the Wire .......... 101
X. Advanced Forensic Tools .......... 104
Alternative Imaging Tools .......... 106
dc3dd .......... 106
ddrescue .......... 113
Bad Sectors: ddrescue .......... 119
Bad Sectors: dc3dd .......... 122
Bad Sector Acquisition Conclusions .......... 124
libewf: Working with Expert Witness Files .......... 125
Sleuthkit .......... 134
Sleuthkit Installation and System Prep .......... 136
Sleuthkit Exercises .......... 138
Sleuthkit Exercise #1: Deleted File Identification and Recovery .......... 139
Sleuthkit Exercise #2: Physical String Search & Allocation Status .......... 150
Sleuthkit Exercise #3: Unallocated Extraction & Examination .......... 157
Sleuthkit Exercise #4: NTFS Examination: File Analysis .......... 163
Sleuthkit Exercise #5: NTFS Examination: ADS .......... 168
Sleuthkit Exercise #6: NTFS Examination: Sorting Files .......... 171
Sleuthkit Exercise #7: Signature Search in Unallocated Space .......... 174
SMART for Linux .......... 179
SMART Filtering .......... 185
SMART Filtering: Viewing Graphics Files .......... 187
SMART Searching .......... 189
XI. Bootable Linux Distributions .......... 194
Legalities
All trademarks are the property of their respective owners. 1998-2008 Barry J. Grundy (bgrundy@LinuxLEO.com): This document may be redistributed, in its entirety, including the whole of this copyright notice, without additional consent if the redistributor receives no remuneration and if the redistributor uses these materials to assist and/or train members of Law Enforcement or Security/Incident Response professionals. Otherwise, these materials may not be redistributed without the express written consent of the author, Barry J. Grundy.
Acknowledgments
As this guide grows in length and depth, so do the contributions I receive from others in the field that take time out of their own busy days to assist me in making sure that this document is at least accurate if not totally complete. I very much appreciate the proofreading and suggestions made by all. Every time I get comments back on a draft version of this guide, I learn something new.

I would like to thank Cory Altheide, Brian Carrier, Christopher Cooper, Nick Furneaux, John Garris, Robert-Jan Mora, and Jesse Kornblum for providing critical review, valuable input, and in some cases, a much needed sanity check of the contents of this document. Special thanks to Robby Workman for providing very constructive guidance on Slackware details throughout the entire guide. All of the expertise and contributions are greatly appreciated.

Also, I would like to specifically thank all of the Linux Kernel, various distribution, and software development teams for their hard work in providing us with an operating system and utilities that are robust and controllable. Too often we forget the amount of dedication and work that goes into what many end users expect to "just work".
Foreword
The purpose of this document is to provide an introduction to the GNU/Linux (Linux) operating system as a forensic platform for computer crime investigators and forensic examiners.

This is the third major iteration of this paper. There is a balance to be met between maintaining the original introductory purpose of the work, and the constant requests from others coupled with my own desire to add more detailed content. Since the first release, this work has almost quadrupled in length. The content is meant to be beginner level, but as the computer forensic community evolves and the subject matter widens and becomes more mainstream, the definition of beginner level material starts to blur. As a result, I've made an effort to keep the material as basic as possible without omitting those subjects that I see as fundamental to the proper understanding of Linux and its potential as a computer forensic platform. A number of people have pointed out to me that with inclusion of some of the more complex exercises, this document should be given the more fitting "practitioner's guide" moniker rather than "beginner's guide".

We follow the philosophy that a hands-on approach is the best way to learn. GNU/Linux operating system utilities and specialized forensic tools available to investigators for forensic analysis are presented with practical exercises.

This is by no means meant to be the definitive how-to on forensic methods using Linux. Rather, it is a (somewhat extended) starting point for those who are interested in pursuing the self-education needed to become proficient in the use of Linux as an investigative tool. Not all of the commands offered here will work in all situations, but by describing the basic commands available to an investigator I hope to start the ball rolling. I will present the commands; the reader needs to follow up on the more advanced options and uses. Knowing how these commands work is every bit as important as knowing what to type at the prompt. If you are even an intermediate Linux user, then much of what is contained in these pages will be review. Still, I hope you find some of it useful.

Over the years I have repeatedly heard from colleagues that have tried Linux by installing it, and then proceeded to sit back and wonder "what next?"

I have also entertained a number of requests and suggestions for a more expansive exploration of applications available to Linux for forensic analysis at the application level. You have a copy of this introduction. Now download the exercises and drive on.
http://www.LinuxLEO.com

A word about the GNU in GNU/Linux

When we talk about the Linux operating system, we are actually talking about the GNU/Linux operating system (OS). Linux itself is not an OS. It is just a kernel. The OS is actually a combination of the Linux kernel and the GNU utilities that allow us (more specifically our hardware) to interact with the kernel. Which is why the proper name for the OS is GNU/Linux. We (incorrectly) call it Linux for convenience.
Why Learn Linux?

One of the questions I hear most often is: "why should I use Linux when I already have [insert Windows GUI forensic tool here]?" There are many reasons why Linux is quickly gaining ground as a forensic platform. I'm hoping this document will illustrate some of those attributes.

- Control: not just over your forensic software, but the whole OS and attached hardware.
- Flexibility: boot from a CD (to a complete OS), file system support, platform support, etc.
- Power: A Linux distribution is (or can be) a forensic tool.

Another point to be made is that simply knowing how Linux works is becoming more and more important. While many of the Windows based forensic packages in use today are fully capable of examining Linux systems, the same cannot be said for the examiners.

As Linux becomes more and more popular, both in the commercial world and with desktop users, the chance that an examiner will encounter a Linux system in a case becomes more likely (especially in network investigations). Even if you elect to utilize a Windows forensic tool to conduct your analysis, you must at least be familiar with the OS you are examining. If you do not know what is normal, then how do you know what does not belong? This is true on so many levels, from the actual contents of various directories to strange entries in configuration files, all the way down to how files are stored.
While this document is more about Linux as a forensic tool rather than analysis of Linux, you can still learn a lot about how the OS works by actually using it.

Conventions used in this document

When illustrating a command and its output, you will see something like the following:

root@rock:~# command
output...

This is essentially a command line (terminal) session where...

root@rock:~#
I. Installation

First and foremost, know your hardware. If your Linux machine is to be a dual boot system with Windows, then use the Windows Device Manager to record all your installed hardware and the settings used by Windows. If you are setting up a standalone Linux system, then gather as much documentation about your system as you can. This has become much less important with the evolution of the Linux install routines. Hardware compatibility and detection have been greatly improved over the past couple of years. Some of the recent versions of distributions, like Ubuntu Linux, have extraordinary hardware detection.

- Hard drive: knowing the size and geometry is helpful when planning your partitioning.
- SCSI adapters and devices (note the adapter chipset). SCSI is very well supported under Linux.
- Sound card (note the chipset).
- Video Card (important to know your chipset and memory, etc.).
- Monitor timings.
  - Horizontal and vertical refresh rates.
- Network card (chipset).
- Network Parameters:
  - IP (if not DHCP)
  - Netmask
  - Broadcast address
  - DNS servers
  - Default gateway
- USB controller support is standard in current distributions.
- IEEE 1394 (Firewire) controller support is also standard in current distributions.

In the vast majority of cases, most of this information will not be needed. But it's always handy to know your hardware if you must troubleshoot.

Most distributions have a plethora of documentation, including online help and documents in downloadable form. Do a Web search and you are likely to find a number of answers to any question you might have about hardware compatibility issues in Linux.
Distributions
Linux comes in a number of different flavors. These are most often referred to as distributions (distro). Default kernel configuration, tools that are included (system management and configuration, etc.) and the package format (the upgrade path) most commonly differentiate the various Linux distros.

It is common to hear users complain that device X works under Suse Linux, but not on Red Hat, etc. Or that device Y did not work under Red Hat version 9, but a change to CentOS fixed it. Most often, the difference is in the version of the Linux kernel being used and therefore the updated drivers, or the patches applied by the distribution vendor, not the version of the distribution (or the distribution itself).

Here's an overview of just a few of the Linux distros that are available. Selecting one is a matter of preference. Many of these distros now provide a live CD that allows a user to boot a CD into a fully functional operating environment. Try them out and see what pleases you.

Red Hat / Fedora: One of the most popular Linux distributions. Red Hat works with companies like Dell, IBM and Intel to assist businesses in the adoption of Linux for enterprise use. Use of RPM and Kickstart began the first real user upgrade paths for Linux. Red Hat has elected to move into an enterprise oriented business model. It is still a viable option for the desktop through the Fedora Project (http://fedoraproject.org/). Fedora is an excellent choice for beginners because of the huge install base and the proliferation of online support. The install routine is well polished and hardware support is well documented. Another Red Hat based distribution is CentOS.

Debian: Not really for beginners. The installation routine is not as polished as some other distributions. Debian has always been a hacker favorite. It is also one of the most non-commercial Linux distributions, and true to the spirit of GNU/GPL. (http://www.debian.org/).

SuSE: Now owned by Novell, SuSE is originally German in origin. It is by far the largest software inclusive distribution. (http://www.novell.com/linux/). There is an open support network and download directory at http://www.opensuse.org. A Live CD is also available.

Mandriva Linux: Formerly known as Mandrake. Mandriva is a favorite of many beginners and desktop users. It is heavy on GUI configuration tools, allowing for easy migration to a Linux desktop environment. (http://wwwnew.mandriva.com/).
Gentoo Linux: Source-centric distribution that is optimized during install; one of my personal favorites. Once through the complex installation routine, upgrading the system and adding software is made extremely easy through Gentoo's Portage system. Not for beginners, though. You are left to configure the system entirely on your own. If you have endless patience and a lot of time, it can be a fantastic learning experience. (http://www.gentoo.org/).

Ubuntu Linux: A relative newcomer, Ubuntu Linux is based on Debian and although I've not used it myself, it has a reputation for fantastic hardware detection and ease of use and installation. (http://www.ubuntulinux.org). I've heard that this is a great choice for beginners.

Slackware: The original commercial distribution. Slackware has been around for years. Installation is now almost as easy as all the others. Good standard Linux. Not over-encumbered by GUI config tools. Slackware aims to produce the most UNIX-like Linux distro available. One of my personal favorites, and in my humble opinion, currently one of the best choices for a forensic platform. (http://www.slackware.com/). This guide is tailored for use with a Slackware Linux installation.

Lots of information on more distributions than you care to read about is available at http://www.distrowatch.com.

My suggestion for the absolute beginner looking to experience an overall desktop OS would be either the newest version of Fedora Core or Ubuntu. If you really want to dive in and bury yourself, go for Gentoo, Slackware or Debian. If you choose one of these latter distributions, be prepared to read a lot.

If you are unsure where to start, will be using this guide as your primary reference, and are interested mainly in forensic applications of Linux, then I would suggest Slackware. More on why a little later.

One thing to keep in mind: As I mentioned earlier, if you are going to use Linux in a forensic capacity, then try not to rely on GUI tools too much.

Almost all settings and configurations in Linux are maintained in text files (usually in either your home directory, or in /etc). By learning to edit the files yourself, you avoid problems when either the X window system is not available, or when the specific GUI tool you rely on is not on a system you might come across. In addition, knowledge of the text configuration files will give you insight into what is normal, and what might have been changed when you examine a subject system. Learning to interpret Linux configuration files is all part of the "forensic experience".
SLACKWARE and Using this Guide

Because of differences between distributions, the Linux flavor of your choice can cause different results in commands' output and different behavior overall. Additionally, some sections of this document describing configuration files or startup scripts, for example, might appear vastly different depending on the distro you select.

If you are selecting a Linux distribution for the sole purpose of learning through following along with this document, then I would suggest Slackware. Slackware is stable and does not attempt to enrich the user's experience with cutting edge file system hacks or automatic configurations that might hamper forensic work. Detailed sections of this guide on the inner workings of Linux will be written toward a basic Slackware installation (currently in version 12.1).

Previous versions of this document attempted to be far more distro independent. The examples and discussions of configuration files were focused on the more popular distribution formats. In the intervening years, there has been a veritable explosion of different flavors of Linux. This guide has been linked on a number of websites, and has been used in a variety of training forums. As a result of these changes, I have found myself receiving numerous emails asking questions like "The output I get does not match what's in your guide. I'm using 'Fuzzy Kitten Linux 2.0' with kernel version 2.6.16-fk145.2... What could be wrong?" My reply has become standard to such queries: "I'm not familiar with that version of Linux, and I'm not sure what changes have been made to that kernel." Providing answers to questions on the exercises that follow requires that I know a little about the environment being used. To that end, I've decided to point people towards a standard, stable version of Linux that includes few surprises.

By default, Slackware's current installation routine leaves initial disk partitioning up to the user. There are no default schemes that result in surprising volume groups or other complex disk management techniques. The resulting file system table (also known as fstab) is standard and does not require editing to provide for a forensically sound environment, unlike some other popular distributions.
The most recent version of Slackware (12.x) now uses the 2.6 series kernel by default. In many circumstances, your hardware will require that you use a 2.6 kernel (certain SATA controllers, etc.). In recognition of this, the current version of this document now assumes that the user has installed a 2.6 kernel version of Linux. This brings the LinuxLEO Practitioner's Guide in line with the majority of forensic practitioners currently using Linux, including myself. Previous versions of this document suggested a 2.4 (kernel version) install.

Slackware Linux is stable, consistent, and simple. As always, Linux is Linux. Any distribution can be changed to function like any other (in theory). However, my philosophy has always been to start with an optimal system, rather than attempt to roll back a system heavily modified and optimized for the desktop rather than a forensic workstation.

If you are comfortable with another distribution, then by all means, continue to use and learn it. Just be aware that there may be customizations and modifications made to the standard kernel and file system setups that might not be ideal for forensic use. These can always be remedied, but I prefer to start as close to optimal as possible.
Installation Methods

- Download the needed ISO (CD image) files, burn them to a CD and boot the media. This is the most common method of installing Linux. Most distros can be downloaded for free via http, ftp, or torrent. Slackware is available at http://www.slackware.com. Have a look at http://linuxlookup.com/linux_iso or http://distrowatch.com/ for information on downloading and installing other Linux flavors.
- Use a bootable Linux distribution (covered later). For example, the SMART or Helix Linux bootable CDs can easily be used as experimental platforms. See http://www.asrdata2.com or http://www.e-fense.com/helix for more information.

During a standard installation, much of the work is done for you, and relatively safe defaults are provided. As mentioned earlier, hardware detection has gone through some great improvements in recent years. I strongly believe that many (if not most) Linux distros are far easier and faster to install than other mainstream operating systems. Typical Linux installation is well documented online (check the how-tos at the Linux Documentation Project: http://www.tldp.org/). There are numerous books available on the subject, and most of these are supplied with a Linux distribution ready for install. Familiarize yourself with Linux disk and partition naming conventions (covered in Chapter II of this document) and you should be ready to start.

Slackware Installation Notes
As previously mentioned, it is suggested that you start with Slackware if this is your first foray into Linux and forensics AND your primary interest is forensics. If you do decide to give Slackware a shot, here are some simple guidelines. The documentation provided on Slackware's site is complete and easy to follow. Read there first...

- Decide on standalone Linux or dual boot.
- Install Windows first in a dual boot system. If you have Vista, be careful; there are issues you should be aware of. Research dual booting with Vista before proceeding.
- Determine how you want the Linux system to be partitioned.
- Do NOT create any extra partitions with Windows fdisk. Just leave the space unallocated. Slackware will require you to utilize Linux fdisk or another partitioning tool at the start of the install process.

READ through the installation documentation before you start the process. Don't be in a hurry. If you want to learn Linux, you have to be willing to read. For Slackware, have a look through the installation chapters of the Slackbook located at http://www.slackbook.org. For a basic (but detailed) understanding of how Linux works and how to use it, the Slackbook should be your first stop.

1) Boot the Linux media. Slackware requires only the first two installation disks (or the single DVD).

- Read each screen carefully.
- Accepting most defaults works.
- Your hardware will be detected and configured under most (if not all) circumstances. Online support is extensive if you have problems.
- Keep in mind that if a piece of hardware causes problems during an install, or is not detected during installation, this does not mean that it will not work. Install the operating system and spend some time troubleshooting. When learning Linux, Google is very often your best friend (try http://www.google.com/linux).
- The Slackware install CD for the current version (12.1) will boot by default using a kernel called hugesmp.s. It includes support for most hardware by default and supports multiple CPUs. If it does not work, then try the single CPU i486 kernel huge.s. Hit the F2 key at the initial boot: prompt for more info.
- Once the system is booted, you are presented with the slackware login: prompt. READ THE ENTIRE SCREEN as instructed. Login as root, and continue with your install routine.
- The main install routine for Slackware is started with the command setup. You will need to ensure that you have your disk properly partitioned before you enter the setup program.
- Take the time to read each screen completely as it comes up.
2)PartitionandformatforLinux Ataminimumyouwillneedtwopartitions.Thisstepisnormallypartof theinstallationprocess,oriscoveredinthedistribution's documentation. Root(/)astypeLinuxNative. SwapastypeLinuxSwap(use2xyoursystemmemoryasa startingpointforswapsize). Youwillhearalotaboutusingmultiplepartitionsfordifferent directories.Dontletthatconfuseyou.Thereareargumentsbothfor andagainstusingmultiplepartitionsforaLinuxfilesystem.Ifyouare juststartingout,useonelargeroot(/)partition,andoneswappartition asdescribedabove. YouwillpartitionyourSlackwareLinuxsystemusingfdiskorcfdisk. TheSlackbookhasadetailedsectiononusingfdisktoaccomplishthis. (http://www.slackbook.org/html/book.html#INSTALLATIONPARTITIONING).In fact,IwouldreadtheentireinstallationsectionoftheSlackbook.Itwill maketheprocessmucheasierforyou. Whenaskedtoformattherootpartition,Iwouldsuggestselectingthe ext3filesystem(NowdefaultinSlackware12.1). 3)Packageinstallation(system) Whenaskedwhichpackagestoselectforinstallation,itisusuallysafefor abeginnertoselecteverythingorfull.Thisallowsyoutotryallthe packages,alongwithmultipleXWindowdesktopenvironments.This cantakeasmuchas5to6GBonsomeofthenewerdistributions(5GB onSlackware),howeveritincludesallthesoftwareyouarelikelytoneed foralongtime(includingmanyofficetypeapplications,Internet,e mail,etc.).Thisisnotreallyoptimalforaforensicworkstation,butfora learningboxitwillgiveyouthemostexposuretoavailablesoftwarefor experimentation. 4)InstallationConfiguration Sound Usuallyautomatic.Ifnot,searchtheWeb.Theanswerisout there.Ifitdoesnotworkoutofthebox(asitshouldwithmost hardwareinSlackware),thentrythefollowing. 
There are many current distributions using the Advanced Linux Sound Architecture (ALSA), including Slackware. Configuring sound on Linux using ALSA can be quite easy. Once booted into your new system, try running the command alsaconf to allow the system to attempt automatic configuration. If that appears to work (no obvious error messages), run alsamixer to adjust speaker volume. These programs are run from a command prompt. The alsaconf program is run as the root user, while alsamixer can be run as a regular user.
Xorg (X Window system)

Know your hardware (video card, etc.).

If you choose to configure X during the installation routine, do not click yes if the installation routine asks if you want X to start automatically every time your system boots. This can make problem solving difficult and results in less control over the system. You can always start the GUI with startx from the command line.

By default, Xorg will use a standard VESA driver to run your X Window system. You can attempt to get a more optimum configuration after the installation by running X -configure, which will write a new configuration file with settings tailored more for your hardware. This will create a file called xorg.conf.new which can then be copied to /etc/X11/xorg.conf.

I would suggest you use XFCE as your desktop manager. Feel free to use others, but XFCE will provide a clean, uncluttered interface. You select XFCE as your desktop during the Slackware installation by choosing xinitrc.xfce during the X setup portion. You can try other window managers by running the command xwmconfig and selecting a different one.

Boot Method (the Boot loader selects the OS to boot)

LILO or GRUB.

LILO is the default for Slackware. Some people find GRUB more flexible and secure. GRUB can be installed later, if you like. Usually select the option to install LILO to the master boot record (MBR). The presence of other boot loaders (as provided by other operating systems) determines where to install LILO or GRUB. The boot loader contains the code that points to the kernel to be booted. Check http://www.tldp.org for multi-OS and multi-boot HowTo documents.

Create a username for yourself; avoid using root exclusively.

For more information, check the file CHANGES_AND_HINTS.TXT on the install CD, or at: http://slackware.osuosl.org/slackware-12.1/CHANGES_AND_HINTS.TXT
This file is loaded with useful hints and changes of interest from one release to another.

Linux is a multi-user system. It is designed for use on networks (remember, it is based on Unix). The root user is the system administrator, and is created by default during installation. Exclusive use of the root login is DANGEROUS. Linux assumes that root knows what he or she is doing and allows root to do anything he or she wants, including destroy the system. Create a new user. Don't log in as root unless you must. Having said this, much of the work done for forensic analysis must be done as root to allow access to raw devices and system commands.
Desktop Environment
When talking about forensic suitability, your choice of desktop system can make a difference. First of all, the terms desktop environment and window manager are NOT interchangeable. Let's briefly clarify the components of a common Linux GUI.
X Window: This is the basic GUI environment used in Linux. Commonly referred to as X, it is the application that provides the GUI framework, and is NOT part of the OS. X is a client/server program with complete network transparency.

Window Manager: This is a program that controls the appearance of windows in the X Window system, along with certain GUI behaviors (window focus, etc.). Examples are Kwin, Metacity, XFWM, Enlightenment, etc.

Desktop Environment: A combination of Window Manager and a consistent interface that provides the overall desktop experience. Examples are XFCE, GNOME, KDE, etc.

- The default Window Manager for KDE is Kwin.
- The default Window Manager for GNOME is Metacity.
- The default Window Manager for XFCE is XFWM.
These defaults can be changed to allow for preferences in speed and resource management over the desire for eye candy, etc. You can also elect to run a Window Manager without a desktop environment. For example, the Enlightenment Window Manager is known for its eye candy and can be run standalone, with or without KDE or GNOME, etc.

Slackware no longer comes with GNOME as an option, though it can be installed like any other application. During the base Slackware installation, you will be given a choice of KDE, XFCE, and some others. I would like to suggest XFCE. It provides a cleaner interface for a beginner to learn on. It is leaner and therefore less resource intensive. You still have access to many KDE utilities, if you elected to install KDE during package selection. You can install more than one desktop and switch between them, if you like. The easiest way to switch is with the xwmconfig command.
The Linux Kernel: Versions and Issues
The Linux kernel is the brain of the system. It is the base component of the Operating System that allows the hardware to interact with and manage other software and system resources.
In December of 2003, the Linux 2.6 kernel was released. This was another milestone in the Linux saga, and all of the newer mainstream distribution versions are based on the 2.6 kernel. Many of the changes in 2.6 over the previous 2.4 are geared toward enterprise use and scalability. The newer kernel release also has a number of infrastructure changes that have a significant impact on Linux as a forensic platform. For example, there is enhanced support for USB and a myriad of other external devices. Read up on udev for more information on one such change[1]. We will very briefly discuss udev later in this section.

As with all forensic tools, we need to have a clear view of how any kernel version will interact with our forensic platforms and subject hardware. Almost all current distributions of Linux already come with a 2.6 kernel installed by default. Slackware 12 has also moved to the 2.6 kernel series (2.6.24.5 in 12.1).

Previous versions of this document suggested using an older (but updated) version of the kernel (2.4 series) to account for infrastructure changes in newer kernel versions that could adversely affect Linux employed as a forensic platform. This version of the Linux Forensic Practitioner's Guide has departed from that philosophy and we now use a distribution with a 2.6 kernel by default. Still, it is both interesting and important to understand the implications of kernel choice on a forensic platform. So while we have moved on to the 2.6 kernel, we will still cover the differences and caveats to using a modern kernel.

Prior to the 2.6 series kernel, the developers maintained 2 separate kernel branches. One was for the stable kernel, and the other was for testing. Once released, the stable kernel was updated with bug fixes and was considered a solid production kernel. The other kernel branch was the testing branch and was used to incorporate innovations and updates to the kernel infrastructure. The stable kernel had an even-numbered secondary point release, and the testing branch had an odd-numbered secondary point release.
[1] http://www.kernel.org/pub/linux/utils/kernel/hotplug/udev.html
The development of the 2.5 test kernel series resulted in the stable 2.6 series. Many of the improvements, once deemed stable, were backported to the 2.4 kernel. As a result, the 2.4 series is still considered modern and supports much of the newer hardware currently in use.

So, what were the initial reservations about ad hoc adoption of the 2.6 kernel in forensics, even though it's considered stable? You will notice from the chart above that there is no current 2.7 testing branch. The current kernel development scheme does not utilize a testing branch. This means that new innovations and changes to kernel infrastructure get wrapped directly into 2.6 kernel updates. As a result, critical upgrades within the 2.6 kernel series have a potential to break existing applications. There were many in the Linux community (even outside of computer forensics) that saw the 2.6 kernel as a fine system for desktop computers, but did not consider using it in a production environment. Again, this does NOT mean that it was not suitable for forensics, just that it required more testing and careful configuration with the addition of more cutting edge features.

Of equal importance in selecting a Linux kernel for forensic use was the interface that the kernel provides between the hardware and the end user. The 2.6 kernel includes a number of enhancements that are designed specifically to improve the overall Linux experience on the desktop. These enhancements, if not properly configured and controlled, can result in a loss of user control over devices, one of the primary reasons for using Linux for forensics in the first place. Such obstacles can be overcome through proper configuration, but rigorous testing, as with all forensic applications, is required. Knowing what services to disable, and what effect this will have on the entire system, is imperative. While a complete discussion of these requirements is largely beyond the scope of this guide, we will cover basic configuration in later sections.
So we have finally arrived at a point where the 2.6 kernel is mainstream and we will be using it in our forensic environment. The key to safe use (this goes for ANY operating system) is knowledge of your environment and proper testing. Please keep that in mind. You MUST understand how your hardware and software interact with any given operating system before using it in a production forensic analysis.

One of the greatest strengths Linux provides is the concept of total control. This requires thorough testing and understanding. Don't lose sight of this in pursuit of an easy desktop experience.
Configuring Slackware 12: 2.6 kernel considerations
So, we've discussed the differences between the 2.4 and the 2.6 kernel. There are infrastructure changes and enhancements to the 2.6 kernel that can be more of a challenge to configure for a Linux beginner looking for a stable and sound forensic platform.

In this section, we will focus on the minimum configuration requirements for creating a sound forensic environment under current Linux distributions using the 2.6 kernel. We will briefly discuss device node management (udev), hardware abstraction (HAL) and message bus (dbus) daemons, and the desktop environment. In simplified terms, it is these components that create the most obvious problems for forensic suitability in the most current Linux distributions. The good news is that, being Linux, the user has very granular control over these services. The control that we love having with Linux is still there, we just need to grab some of it back from the kernel (or the desktop, as the case may be).

udev

Starting with kernel version 2.6.13, Linux device management was handed over to a new system called udev. Traditionally, the device nodes (files representing the devices, located in the /dev directory) used in previous kernel versions were static, that is they existed at all times, whether in use or not[2]. For example, on a system with static device nodes we may have a primary SATA hard drive that is detected by the kernel as /dev/sda. Since we have no IDE drives, no drive is detected as /dev/hda. But when we look in the /dev directory we see static nodes for all the possible disk and partition names for /dev/hda. The device nodes exist whether or not the device is detected.

In the new system, udev creates device nodes on the fly. The nodes are created as the kernel detects the device and the /dev directory is populated in real time. In addition to being more efficient, udev also runs in user space.
One of the benefits of udev is that it provides for persistent naming. In other words, you can write a set of rules (for a nice explanation of udev rules, see: http://reactivated.net/writing_udev_rules.html) that will allow udev to recognize a device based on individual characteristics (serial number, manufacturer, model, etc.). The rule can be written to create a user-defined link in the /dev directory, so that for example, my thumb drive can always be accessed through an arbitrary device node name of my choice, like /dev/my_thumb, if I so choose. This means that I don't have to search through USB device nodes to find the correct device name if I have more than one external storage device connected.
[2] We will not cover Devfs, a device management system that used dynamic nodes prior to udev.
Udev is required for current 2.6 kernels. On Slackware, it runs as a daemon from the startup script /etc/rc.d/rc.udev. We will discuss these startup scripts in more detail later in this document. We will not do any specific configuration for udev on our forensic computers at this time. We discuss it here simply because it is a major change in device handling in the 2.6 kernel. Udev does NOT involve itself in automounting or otherwise interacting with applications. It simply provides a hardware to kernel interface.

Hardware Abstraction Layer

HAL refers to the Hardware Abstraction Layer. The HAL daemon maintains information about devices connected to the system. In effect, HAL acts as a middleman for device detection, in that it organizes device information in a uniform format accessible to applications that want to either access or react to a change in the status of a device (plugged in or unplugged, etc.). The information that HAL makes available is object specific and provides far more detail than normal kernel detection allows. As a result, applications that receive information about a device from HAL can react in context. HAL and udev are not connected, and operate independently of one another. Where HAL describes a device in detail, for use by applications, udev simply manages device nodes. In Slackware 12, HAL is run as a daemon from /etc/rc.d/rc.hald. See the section titled Service Startup Scripts in Chapter III for more information on rc scripts and how to stop the service from auto-starting.

dbus

The system message bus, or dbus, provides a mechanism for applications to exchange information. For our purposes here, we will simply state that dbus is the communication channel used by HAL to send its information to applications. In Slackware 12, dbus is run as a daemon from /etc/rc.d/rc.messagebus.

With some very fine configuration, it's possible to have HAL and dbus running and still maintain a sound forensic environment. For our purposes, we will turn HAL and dbus off. We do this because exhaustive configuration is outside the scope of this document. We will make these adjustments in the section File Permissions on page 41. It has been noted that turning dbus off is not strictly required (at this point). I suggest doing so for the sake of safety. I urge you to test your own configurations.
2.6 Kernel and Desktops

One of the considerations when discussing Desktop Environments is their integration with the HAL and dbus services to allow for desktop auto-mounting of removable media. KDE and GNOME are heavily integrated with HAL/dbus and users need to be aware of how to control this undesired behavior in a forensic environment. Equally important is how to deal with instability caused when expected messages from the OS are not received by a polling application.

XFCE is a lighter weight (read: lighter on resources) desktop. And although XFCE is also capable of integration with HAL and dbus, it allows for easier control of removable media on the desktop (search for thunar-volman). While KDE and GNOME also allow for control of automounting through configuration dialogs, they are far more tightly integrated and arguably more complex.
Rolling your own: The Custom Kernel

"Every forensic examiner should compile his own kernel, just like every Jedi builds his own lightsaber." - The Cory Altheide

At some point during your Linux education, you will want to learn how to recompile your kernel. Why? Well... the above quote puts it quite nicely. The kernel that comes with your distro of choice is often heavily patched, and is configured to work with the widest variety of hardware possible. This gives the stock distribution a better chance of working on a multitude of systems right out of the box. Note that the Slackware kernels are nicely generic and quite suitable out of the box for forensic use. Also, be warned that user-customized kernels make for difficult troubleshooting and you will often be asked to reproduce problems with a stock kernel before you can get specific support. This is simply a matter of defining a common denominator when addressing problems.

The actual steps for compiling a custom kernel are outside the scope of this document, and have been covered elsewhere[3]. The concepts, however, are important for an overall understanding of how Linux works.
[3] A quick Internet search for linux custom kernel compile or the like will provide a good start. Throw in the word forensic for some more specific pointers.
As mentioned previously, the kernel provides the most basic interface between hardware and the system software and resource management. This includes drivers and other components that are actually small separate pieces of code that can either be compiled as modules or compiled directly in the kernel image.

There are two basic approaches to compiling a kernel. Static kernels are built so that all of the drivers and desired features are compiled into the single kernel image. Modular kernels are built such that drivers and other features can be compiled as separate object files that can be loaded and unloaded on the fly into a running system. More on handling kernel modules can be found in Section II of this document, under Using Modules.

In short, you might find yourself in need of a kernel recompile as a result of the fact that you require specific drivers or support that is not currently included in your distribution's default kernel configuration. Or, after becoming comfortable with Linux, you decide you want to try your hand at actually configuring your custom kernel simply because you want to make it more efficient or because you want to expand the support for hardware, file systems, or partition table types that you might come across during an investigation.

In any event, Forensics with Linux is all about control. Customizing your kernel configuration, while an advanced skill, is the most basic form of control you have in Linux (short of rewriting the source code itself). At some point, this is something you will want to educate yourself further on.
II. Linux Disks, Partitions and the File System
Disks
Linux treats its devices as files. The special directory where these "files" are maintained is "/dev".

DEVICE:                              FILENAME:
Floppy (a:)                          /dev/fd0
Hard disk (master, IDE0)             /dev/hda
Hard disk (slave, IDE0)              /dev/hdb
Hard disk (master, IDE1)             /dev/hdc, etc.
1st SCSI hard disk (SATA, USB)       /dev/sda
2nd SCSI hard disk                   /dev/sdb, etc.
Partitions
DEVICE:                                      FILENAME:
1st Hard disk (master, IDE0)                 /dev/hda
    1st Primary partition                    /dev/hda1
    2nd Primary partition                    /dev/hda2, etc.
    1st Logical drive (on extd part)         /dev/hda5
    2nd Logical drive                        /dev/hda6, etc.
2nd Hard disk (slave, IDE0)                  /dev/hdb
    1st Primary partition                    /dev/hdb1, etc.
CDROM (ATAPI) or 3rd disk (mstr, IDE1)       /dev/hdc
1st SCSI disk (or SATA, USB, etc.)           /dev/sda
    1st Primary partition                    /dev/sda1, etc.
The pattern described above is fairly easy to follow. If you are using a standard IDE disk (or standard ATAPI CDROM drive), it will be referred to as hdx where the "x" is replaced with an "a" if the disk is connected to the primary IDE controller as master and a "b" if the disk is connected to the primary IDE controller as a slave device. In the same way, the IDE disks (or CDROM) connected to the secondary IDE controller as master and slave will be referred to as hdc and hdd respectively.

SCSI and Serial ATA (SATA) disks will be referred to as sdx. In the case of SCSI disks, they are assigned letters in the order in which they are detected. This includes USB and Firewire. For example, a primary SATA disk will be assigned sda. If you attach a USB disk or a thumb drive it will normally be detected as sdb, and so on.[4]
fdisk -l /dev/hdx gives you a list of all the partitions available on a particular drive (in this case an IDE drive). Each partition is identified by its Linux name. The "boot flag" is indicated, and the beginning and ending cylinders for each partition are given. The number of blocks per partition is displayed. Finally, the partition "Id" and file system type are displayed. To see a list of valid types, run fdisk and at the prompt type "l" (the letter el). Do not confuse Linux fdisk with DOS fdisk. They are very different. The Linux version of fdisk provides for much greater control over partitioning.

Remember that the partition type identified in the last column, under System, has nothing to do with the file system found on that partition. Do not rely on the partition type to determine the file system. On most normal systems, a type c (W95 FAT32) partition type will contain a FAT32 partition, but not always. Also, consider partitions of type 83 (Linux). Type 83 partitions can normally hold EXT2, EXT3, ReiserFS, or any number of other file system types. We will discuss file system identification later in this document.

BEFORE FILE SYSTEMS ON DEVICES CAN BE USED, THEY MUST BE MOUNTED! Any file systems on partitions you define during installation will be mounted automatically every time you boot. We will cover the mounting of file systems in the section that deals with Linux commands, after you have some navigation experience.

Keep in mind that even when not mounted, devices can still be written to. Simply not mounting a file system does not protect it from being inadvertently changed through your actions.
Using modules: Linux Drivers
It's difficult to decide when to introduce modules to a new user. The concept can be a little confusing, but out of the box Linux distributions rely heavily on modules for device and file system support. For this reason, we will make an effort to get familiar with the concept early on.

As discussed in the previous section, modules are really just drivers that can be loaded and unloaded from the kernel dynamically. They are object files (*.ko for the 2.6 kernel) that contain the required driver code for the supported device or option. Modules can be used to provide support for everything from USB controllers and network interfaces to file systems.

The various modules available on your system are located in the /lib/modules/<KERNEL VERSION>/ directory. Note that the current kernel version running on your system can be found using the command uname -r. There are, in general, three ways that driver code is loaded in Linux:
In cases where the driver code is not automatically loaded, modules can be installed and removed from the system on the fly using the following commands (as root):

modprobe - an intelligent module loader
rmmod - to remove the module
lsmod - to get a list of currently installed modules

For example, to get USB support for a USB thumb drive on some systems, you may need to load a couple of modules. With the USB device plugged in, we can install the needed modules (ehci_hcd for many USB 2.0 controllers, and usb-storage for the storage interface) with:
modprobe ehci_hcd (depending on your USB controller)
modprobe usb-storage

Note that while the module is named with a .ko extension, we do not include that in the insertion command.

We only need to install these drivers if the kernel does not have the support compiled in, or if the module is not loaded automatically. Note that on a stock Slackware 12.1 system, the support for USB is compiled into the kernel and loading modules is not needed.

So how would you know if you needed to load modules? To check and see if the modules are already loaded, you can use the lsmod command to look for the driver name. Use grep to show only lines with specific text. We will cover grep in far more detail later on.
    root@rock:~# lsmod | grep ehci_hcd
    root@rock:~#
Device Recognition
Another common question arises when a user plugs a device into a Linux box and receives no feedback on how (or even if) the device was recognized. One easy method for determining how and if an inserted device is registered is to use the previously introduced dmesg command.

For example, if I plug a USB thumb drive into a Linux computer, and the computer is running a HAL-enabled desktop, I may well see an icon appear on the desktop for the disk. I might even see a folder open on the desktop allowing me to access the files automatically. Obviously, on a system we are using as a forensic platform, we may want to minimize this sort of behavior (more on that later...).

So when there is no visible feedback, where do we look to see what device node was assigned to our disk (/dev/sda, /dev/sdb, etc.)? How do we know if it was even detected? Again, this question is particularly pertinent to the forensic examiner, since we will likely configure our system to be a little less helpful.

Plugging in the thumb drive and running the dmesg command provides me with the following output:
    root@rock:~# dmesg
    <previous output>
    scsi 2:0:0:0: Direct-Access     SanDisk  U3 Titanium      2.16 PQ: 0 ANSI: 2
    sd 2:0:0:0: [sda] 1994385 512-byte hardware sectors (1021 MB)
    sd 2:0:0:0: [sda] Write Protect is off
    sd 2:0:0:0: [sda] Mode Sense: 03 00 00 00
    sd 2:0:0:0: [sda] Assuming drive cache: write through
    sd 2:0:0:0: [sda] 1994385 512-byte hardware sectors (1021 MB)
    sd 2:0:0:0: [sda] Write Protect is off
     sda: sda1
    sd 2:0:0:0: [sda] Attached SCSI removable disk
    scsi 2:0:0:1: CD-ROM            SanDisk  U3 Titanium      2.16 PQ: 0 ANSI: 2
    sr0: scsi3-mmc drive: 8x/40x writer xa/form2 cdda tray
    sr 2:0:0:1: Attached scsi CD-ROM sr0
    usb-storage: device scan complete
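Added example, not from the guide: a small shell/awk filter that pulls the assigned node, sector count, write-protect state and partition list out of dmesg text like the listing above, so the examiner does not have to read the whole buffer by eye. The dmesg lines it parses are constructed for this example (the sdb entries are invented to show a second, write-protected disk); on a real system you would pipe the output of dmesg into attached_disks.

```shell
#!/bin/sh
# Added example (not from the original guide). Extract, from dmesg text on
# stdin, the facts an examiner wants after plugging in a subject disk:
# which /dev node the sd driver assigned, how many 512-byte sectors it has,
# whether the drive itself reports write protection, and which partitions
# the kernel saw on it.

# CONSTRUCTED sample, modelled on the guide's listing; the sdb lines are
# invented to show a second disk whose write-protect switch is on.
SAMPLE_DMESG='usb 2-1: new high speed USB device using ehci_hcd and address 3
scsi 2:0:0:0: Direct-Access     SanDisk  U3 Titanium      2.16 PQ: 0 ANSI: 2
sd 2:0:0:0: [sda] 1994385 512-byte hardware sectors (1021 MB)
sd 2:0:0:0: [sda] Write Protect is off
sd 2:0:0:0: [sda] Mode Sense: 03 00 00 00
sd 2:0:0:0: [sda] Assuming drive cache: write through
 sda: sda1
sd 2:0:0:0: [sda] Attached SCSI removable disk
scsi 2:0:0:1: CD-ROM            SanDisk  U3 Titanium      2.16 PQ: 0 ANSI: 2
sr 2:0:0:1: Attached scsi CD-ROM sr0
usb-storage: device scan complete
sd 3:0:0:0: [sdb] 15625000 512-byte hardware sectors (8000 MB)
sd 3:0:0:0: [sdb] Write Protect is on
 sdb: sdb1 sdb2
sd 3:0:0:0: [sdb] Attached SCSI disk'

# attached_disks: reads dmesg text on stdin and prints one line per disk
# the sd driver attached, as "<node> <sectors> <write-protect> <partitions>",
# e.g. "sda 1994385 off sda1". Partitions are "-" when none were listed.
attached_disks() {
    awk '
        # "sd 2:0:0:0: [sda] 1994385 512-byte hardware sectors (1021 MB)"
        /\[sd[a-z]+\] [0-9]+ 512-byte hardware sectors/ {
            dev = substr($3, 2, length($3) - 2); sectors[dev] = $4
        }
        # "sd 2:0:0:0: [sda] Write Protect is off"
        /\[sd[a-z]+\] Write Protect is/ {
            dev = substr($3, 2, length($3) - 2); wp[dev] = $NF
        }
        # " sda: sda1" lists the partitions the kernel found on the disk
        /^ *sd[a-z]+: / {
            dev = substr($1, 1, length($1) - 1); p = ""
            for (i = 2; i <= NF; i++) p = p (p == "" ? "" : ",") $i
            parts[dev] = p
        }
        # "sd 2:0:0:0: [sda] Attached SCSI removable disk" closes the record
        /\[sd[a-z]+\] Attached SCSI/ {
            dev = substr($3, 2, length($3) - 2)
            printf "%s %s %s %s\n", dev, sectors[dev], wp[dev],
                   (parts[dev] == "" ? "-" : parts[dev])
        }'
}

# write_protected NODE: exit 0 when the dmesg text on stdin shows that the
# drive NODE reports "Write Protect is on"; exit 1 otherwise, including
# when the node was never attached. A drive reporting "off" is the normal
# case and is the reminder that a hardware write blocker is still needed.
write_protected() {
    attached_disks | awk -v want="$1" '
        $1 == want && $3 == "on" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Demo on the constructed sample. On a live system: dmesg | attached_disks
printf '%s\n' "$SAMPLE_DMESG" | attached_disks
for d in sda sdb; do
    if printf '%s\n' "$SAMPLE_DMESG" | write_protected "$d"; then
        echo "$d: drive reports write protect ON"
    else
        echo "$d: drive reports write protect OFF or unknown"
    fi
done
```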
The File System
Like the Windows file system, the Linux file system is hierarchical. The "top" directory is referred to as "the root" directory and is represented by "/". Note that the following is not a complete list, but provides an introduction to some important directories.

/ (root, not to be confused with /root)
|_bin
| |_<files> ls, chmod, sort, date, cp, dd
|_boot
| |_<files> vmlinuz, system.map
|_dev
| |_<devices> hd*, tty*, sd*, fd*, cdrom
|_etc
| |_X11
| | |_<files> XF86Config, X
| |_<files> lilo.conf, fstab, inittab, modules.conf
|_home
| |_barry (your user's name is in here)
| | |_<files> .bashrc, .bash_profile, personal files
| |_other users
|_mnt
| |_cdrom
| |_floppy
| |_other temporary mount points
|_media
| |_cdrom0
| |_dvd0
| |_other standard media mount points
|_root
| |_<root user's home directory>
|_sbin
| |_<files> shutdown, cfdisk, fdisk, insmod
|_usr
| |_local
| |_lib
| |_man
|_var
| |_log

On most Linux distributions, the directory structure is organized in the same manner. Certain configuration files and programs are distribution dependent, but the basic layout is similar to this.
Note that the directory slash (/) is opposite what most people are used to in Windows (\).

Directory contents can include:

/bin - Common commands.
/boot - Files needed at boot time, including the kernel images pointed to by LILO (the LInux LOader) or GRUB.
/dev - Files that represent devices on the system. These are actually interface files to allow the kernel to interact with the hardware and the file system.
/etc - Administrative configuration files and scripts.
/home - Directories for each user on the system. Each user directory can be extended by the respective user and will contain their personal files as well as user specific configuration files (for X preferences, etc.).
/mnt - Provides temporary mount points for external, remote and removable file systems.
/media - Provides a standard place for users and applications to mount removable media. Part of the new File System Hierarchy Standard.
/root - The root user's home directory.
/sbin - Administrative commands and process control daemons.
/usr - Contains local software, libraries, games, etc.
/var - Logs and other variable files will be found here.
Another important concept when browsing the file system is that of relative versus explicit paths. While confusing at first, practice will make the idea second nature. Just remember that when you provide a path name to a command or file, including a / in front means an explicit path, and will define the location starting from the top level directory (root). Beginning a path name without a / indicates that your path starts in the current directory and is referred to as a relative path. More on this later.

One very useful resource for this subject is the File System Hierarchy Standard (FHS), the purpose of which is to provide a reference for developers and system administrators on file and directory placement. Read more about it at http://www.pathname.com/fhs/
III. The Linux Boot Sequence (Simplified)
Booting the kernel
The first step in the (simplified) boot up sequence for Linux is loading the kernel. The kernel image is usually contained in the /boot directory. It can go by several different names:

- bzImage
- vmlinuz
[5] The actual /etc/lilo.conf file on your system will be much more cluttered with comments (lines starting with a #). Comments have been removed from this example for readability.
Initialization
The next step in the boot sequence starts with the program /sbin/init. This program really has two functions:

- initialize the runlevel and startup scripts
- terminal process control (respawn terminals)
In short, the init program is controlled by the file /etc/inittab. It is this file that controls your runlevel and the global startup scripts for the system.
Runlevel
The runlevel is simply a description of the system state. For our purposes, it is easiest to say that (for Slackware, at least; other systems, like Fedora Core, will differ):

runlevel 0 = shutdown
runlevel 1 = single user mode
runlevel 3 = full multiuser mode / text login
runlevel 4 = full multiuser / X11 / graphical login[6]
runlevel 6 = reboot

In the file /etc/inittab you will see a line similar to:

id:3:initdefault:
    root@rock:~# less /etc/inittab
    #
    # /etc/inittab: This file describes how the INIT process should set up
    #               the system in a certain run-level.
    #
    # Default runlevel.
    id:3:initdefault:
    # System initialization, (runs when system boots).
    si:S:sysinit:/etc/rc.d/rc.S
    <continues>
[6] This is largely distribution dependent. In Fedora Core, runlevel 5 provides a GUI login. In Slackware, it's runlevel 4.
Global Startup Scripts
After the default runlevel has been set, init (via /etc/inittab) then runs the following scripts:

/etc/rc.d/rc.S - handles system initialization, file system mount and check, PNP devices, etc.
/etc/rc.d/rc.X - where X is the runlevel passed as an argument by init. In the case of multiuser (non-GUI) logins (runlevel 2 or 3), this is rc.M. This script then calls other startup scripts (various services, etc.) by checking to see if they are executable.
/etc/rc.d/rc.local - called from within the specific runlevel scripts, rc.local is a general purpose script that can be edited to include commands that you want started at boot up (sort of like autoexec.bat).
/etc/rc.d/rc.local_shutdown - This file should be used to stop any services that were started in rc.local.
Service Startup Scripts
Once the global scripts run, there are service scripts in the /etc/rc.d/ directory that are called by the various runlevel scripts, as described above, depending on whether the scripts themselves have executable permissions. This means that we can control the boot time initialization of a service by changing its executable status. More on how to do this later. Some examples of service scripts are:

/etc/rc.d/rc.inet1 - handles network interface initialization
/etc/rc.d/rc.inet2 - handles network services start. This script organizes the various network services scripts, and ensures that they are started in the proper order.
/etc/rc.d/rc.pcmcia - starts PC card services.
/etc/rc.d/rc.sendmail - starts the mail server. Controlled by rc.inet2.
/etc/rc.d/rc.sshd - starts the OpenSSH server. Also controlled by rc.inet2.
/etc/rc.d/rc.messagebus - starts dbus messaging services.
/etc/rc.d/rc.hald - starts hardware abstraction layer daemon services.
/etc/rc.d/rc.udev - populates the /dev directory with device nodes, scans for devices, loads the appropriate kernel modules, and configures the devices.
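Added example (not part of the guide) of the permission-based control just described: shell helpers that report, disable and re-enable rc.d service scripts, with the two services this guide turns off (rc.hald and rc.messagebus) as the default target of forensic_baseline. The RC_DIR variable, the scratch directory and the stand-in scripts are constructed for the example; the real scripts live in /etc/rc.d and changing them requires root.

```shell
#!/bin/sh
# Added example (not from the original guide). Slackware's runlevel scripts
# start /etc/rc.d/rc.NAME only if it is executable, so whether a service
# comes up at boot is a file-permission question. These helpers make that
# status visible and adjustable. RC_DIR is an assumption introduced here so
# the demo can run on a CONSTRUCTED scratch copy instead of the live system.
RC_DIR="${RC_DIR:-/etc/rc.d}"

# rc_status NAME: print "enabled" (executable), "disabled" (present but not
# executable) or "missing" for $RC_DIR/rc.NAME.
rc_status() {
    script="$RC_DIR/rc.$1"
    if [ ! -e "$script" ]; then
        echo missing
    elif [ -x "$script" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# rc_disable NAME: clear the execute bits so rc.M skips the script at the
# next boot. This does not stop a daemon that is already running.
rc_disable() {
    script="$RC_DIR/rc.$1"
    [ -e "$script" ] || return 1
    chmod a-x "$script"
}

# rc_enable NAME: restore the execute bits (Slackware ships these as 755).
rc_enable() {
    script="$RC_DIR/rc.$1"
    [ -e "$script" ] || return 1
    chmod 755 "$script"
}

# rc_report: one line per rc.* script in RC_DIR, e.g. "rc.hald disabled",
# a quick inventory of what will and will not start at boot.
rc_report() {
    for s in "$RC_DIR"/rc.*; do
        [ -f "$s" ] || continue
        printf '%s %s\n' "${s##*/}" "$(rc_status "${s##*/rc.}")"
    done
}

# forensic_baseline: disable the services the guide turns off (HAL and
# dbus) and print each one's resulting status. udev is left alone, as the
# guide says it is required.
forensic_baseline() {
    for svc in hald messagebus; do
        rc_disable "$svc" || true
        printf 'rc.%s %s\n' "$svc" "$(rc_status "$svc")"
    done
}

# --- demo on a constructed scratch directory (never touches /etc/rc.d) ---
demo_dir=$(mktemp -d)
RC_DIR="$demo_dir"
for s in udev hald messagebus inet1 sshd; do
    printf '#!/bin/sh\n# constructed stand-in for rc.%s\n' "$s" > "$RC_DIR/rc.$s"
    chmod 755 "$RC_DIR/rc.$s"
done
chmod 644 "$RC_DIR/rc.sshd"     # pretend sshd was already disabled
forensic_baseline
rc_report
rm -rf "$demo_dir"
```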
Bash
bash (Bourne Again Shell) is the default command shell for most Linux distros. It is the program that sets the environment for your command line experience in Linux. The functional equivalent in DOS would be command.com. There are a number of shells available, but we will cover bash here.

There are actually quite a few files that can be used to customize a user's Linux experience. Here are some that will get you started.

/etc/profile - This is the global bash initialization file for interactive login shells. Edits made to this file will be applied to all bash shell users. This file sets the standard system path, the format of the command prompt and other environment variables.

Note that changes made to this file may be lost during upgrades. Another method is to create an executable file in the directory /etc/profile.d. Executable files placed in that directory are run at the end of /etc/profile.

/home/$USER/.bash_profile[7] - This script is located in each user's home directory ($USER) and can be edited by the user, allowing him or her to customize their own environment. It is in this file that you can add aliases to change the way commands respond. Note that the dot in front of the file name makes it a hidden file.

/home/$USER/.bash_history - This is an exceedingly useful file for a number of reasons. It stores a set number of commands that have already been typed at the command line (default is 500). These are accessible through either reverse searches or simply by using the up arrow on the keyboard to scroll through the history of already used commands. Instead of retyping a command over and over again, you can access it from the history.

From the perspective of a forensic examiner, if you are examining a Linux system, you can access each user's (don't forget root) .bash_history file to see what commands were run from the command line. Remember that the leading . in the file name signifies that it is a hidden file.
[7] In bash we define the contents of a variable with a dollar sign. $USER is a variable that represents the name of the current user. To see the contents of individual shell variables, use echo $VARNAME.
Keep in mind that the default values for .bash_history (number of entries, history file name, etc.) can be controlled by the user(s). Read man bash for more detailed info.

The bash startup sequence is actually more complicated than this, but this should give you a starting point. In addition to the above files, check out /home/$USER/.bashrc. The man page for bash is an interesting (and long) read, and will describe some of the customization options. In addition, reading the man page will give a good introduction to the programming power provided by bash scripting. When you read the man page, you will want to concentrate on the INVOCATION section for how the shell is used and basic programming syntax.
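Added example (not from the guide): a shell enumeration of each account's .bash_history on a subject file system mounted read-only, root included, plus a check for start-up files that override HISTFILE, HISTSIZE or HISTFILESIZE, since those defaults are under the user's control as noted above. The evidence tree, its users and their files are constructed here; the mount point argument is an assumption.

```shell
#!/bin/sh
# Added example (not from the original guide). Given the mount point of a
# subject Linux file system (assumed mounted read-only, e.g. /mnt/evidence),
# list every account's .bash_history with its line count, root first, and
# flag start-up files that move or shrink the history, so an empty history
# is not taken at face value.

# bash_histories ROOT: one line per home directory:
#   "<user> <history path relative to ROOT, or -> <line count>"
bash_histories() {
    root="${1%/}"
    for home in "$root/root" "$root"/home/*; do
        [ -d "$home" ] || continue
        user=${home##*/}
        hist="$home/.bash_history"
        if [ -f "$hist" ]; then
            # wc -l counts newline-terminated lines; tr strips BSD padding
            printf '%s %s %s\n' "$user" "${hist#"$root"}" \
                "$(wc -l < "$hist" | tr -d ' ')"
        else
            printf '%s - 0\n' "$user"
        fi
    done
}

# history_overrides ROOT: print "<user> <file>: <line>" for every start-up
# file assignment of HISTFILE, HISTSIZE or HISTFILESIZE, with or without a
# leading "export". Nothing is printed when no account overrides them.
history_overrides() {
    root="${1%/}"
    for home in "$root/root" "$root"/home/*; do
        [ -d "$home" ] || continue
        user=${home##*/}
        for f in .bash_profile .bashrc .profile; do
            [ -f "$home/$f" ] || continue
            grep -E '^[[:space:]]*(export[[:space:]]+)?HIST(FILE|SIZE|FILESIZE)=' \
                "$home/$f" |
                while IFS= read -r line; do
                    printf '%s %s: %s\n' "$user" "$f" "$line"
                done
        done
    done
}

# --- demo on a CONSTRUCTED evidence tree ---
ev=$(mktemp -d)
mkdir -p "$ev/root" "$ev/home/barry" "$ev/home/guest"
printf 'fdisk -l /dev/sdb\nmount -o ro /dev/sdb1 /mnt/evid\n' > "$ev/root/.bash_history"
printf 'ls -la\ncd /tmp\ntar xzf files.tgz\n' > "$ev/home/barry/.bash_history"
printf 'export HISTFILE=/dev/null\n' > "$ev/home/guest/.bash_profile"
bash_histories "$ev"
history_overrides "$ev"
rm -rf "$ev"
```

The guest account in the demo shows why the second check matters: its history file is absent, and its .bash_profile explains why.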
IV. Linux Commands

Linux at the terminal

Directory listing = ls
ls -F
ls -a
ls -l
ls -lh

root@rock:~# ls -l
total 3984
drwxr-xr-x  3 root root   4096 Feb 15  2004 Backup_config
drwxr-xr-x  2 root root   4096 Jun 16 16:10 Desktop
drwx------  2 root root   4096 Jan 27  2004 Documents
drwxr-xr-x  3 root root   4096 Aug 10 14:26 VMware
-rw-r--r--  1 root root    175 Sep 26  2003 investigator.bjg
-rwxrwx---  1 root root   2740 Dec 15  2003 k.key
-rwxr-xr-x  1 root root 107012 Nov 29  2003 scanModem
<continues>
We will discuss the meaning of each column in the ls -l output later in this document.

Change directory = cd
cd <dir> - change directory to <dir>.
cd (by itself) - shortcut back to your home directory.
cd .. - up one directory (note the space between cd and ..).
cd - - back to the last directory you were in.
cd /dirname - change to the specified directory. Note that the addition of the / in front of the directory implies an explicit (absolute) path, not a relative one. With practice, this will make more sense.
cd dirname - change to the specified directory. The lack of a / in front of the directory name implies a relative path, meaning dirname is a subfolder of our current directory.

Copy = cp
cp sourcefile destinationfile - copy a file.

Clear the Terminal = clear
clear - clears the terminal screen of all text and returns a prompt.
Move a file or directory = mv
mv sourcefile destinationfile - move or rename a file.

Delete a file or directory = rm
rm filename
rm -r
rmdir
rm -f

Display command help = man
man command - displays a "manual" page for the specified command. Use "q" to quit. VERY USEFUL.

SYNOPSIS
       find [path...] [expression]

DESCRIPTION
       This manual page documents the GNU version of find. find searches the
       directory tree rooted at each given file name by evaluating the given
       expression from left to right, according to the rules of precedence
       (see section OPERATORS), until the outcome is known (the left hand
       side is false for and operations, true for or), at which point find
       moves on to the next file name.
<continues>
Display the contents of a file = cat or more or less
cat filename - The simplest form of file display, cat streams the contents of a file to the standard output (usually the terminal). cat actually stands for concatenate. This command can also be used to add files together (useful later on). For example:
cat file1 file2 > file3
Takes the contents of file1 and file2 and streams the output, which is redirected to a single file, file3. This effectively adds the two files into one single file (the original files remain unchanged).
more filename - displays the contents of a file one page at a time. Unlike its DOS counterpart, Linux more takes file names as direct arguments.
less filename - less is a better more. Supports scrolling in both directions, and a number of other powerful features. less is actually the GNU version of more, and on many systems you will find that more is actually a link to less. Use q to exit a less session.

Note that you can string together several options. For example: ls -aF

bgrundy@rock:~/workdir $ ls -aF
./   .lntrc   arlist      dir1/   doc1@
../  .tschr   cpscript*   dir2/   mystuff/
rmscript*   topsc@   workfiles/
Additional useful commands

grep - search for patterns.
grep pattern filename
grep will look for occurrences of pattern within the file filename. grep is an extremely powerful tool. It has hundreds of uses given the large number of options it supports. Check the man page for more details. We will use grep in our forensic exercises later on.

find - allows you to search for a file (wildcards, actually expressions, permitted). To look for your fstab file, you might try:

file

root@rock:~# file snapshot01.gif
snapshot01.gif: GIF image data, version 87a, 800 x 600

ps
root@rock:~# ps ax
  PID TTY      STAT   COMMAND
    1 ?        S      init [3]
    2 ?        SN     [ksoftirqd/0]
    3 ?        S<     [events/0]
    4 ?        S<     [khelper]
...
 1966 ?        Ss     /usr/sbin/syslogd -m 0
 1973 ?        Ss     /usr/sbin/klogd -c 3 -2
 2009 ?        Ss     /usr/sbin/acpid -c /etc/acpi/events
 2109 ?        Ss     /usr/sbin/cupsd
<continues>

strings

chmod
chown

This has become much less of an issue with the newer journaled file systems used by Linux.
File Permissions

Files in Linux have certain specified file permissions. These permissions can be viewed by running the ls -l command on a directory or on a particular file. For example:

root@rock:~# ls -l myfile
-rwxr-xr-x 1 root root 1643 Jan 19 23:23 myfile

If you look close at the first 10 characters, you have a dash (-) followed by 9 more characters. The first character describes the type of file. A dash (-) indicates a regular file. A "d" would indicate a directory, and "b" a special block device, etc.

First character of ls -l output:
- = regular file
d = directory
b = block device (SCSI or IDE disk)
c = character device (serial port)
l = link (points to another file or directory)

The next 9 characters indicate the file permissions. These are given in groups of three:

Owner  Group  Others
rwx    rwx    rwx

The characters indicate
r = read
w = write
x = execute

So for the above myfile we have
rwx r-x r-x

This gives the file owner read, write and execute permissions (rwx), but restricts other members of the owner's group and users outside that group to only read and execute the file (r-x). Write access is denied as symbolized by the -.

Now back to the chmod command. There are a number of ways to use this command, including explicitly assigning r, w, or x to the file. We will cover the octal method here because the syntax is easiest to remember (and I find it most flexible). In this method, the syntax is as follows
chmod octal filename

octal is a three digit numerical value in which the first digit represents the owner, the second digit represents the group, and the third digit represents others outside the owner's group. Each digit is calculated by assigning a value to each permission:
read (r) = 4
write (w) = 2
execute (x) = 1

For example, the file myfile in our original example has an octal permission value of 755 (rwx = 7, r-x = 5, r-x = 5). If you wanted to change the file so that the owner and the group had read, write and execute permissions, but others would only be allowed to read the file, you would issue the command:

chmod 774 filename

4(r) + 2(w) + 1(x) = 7
4(r) + 2(w) + 1(x) = 7
4(r) + 0(-) + 0(-) = 4

A new long list of the file would show:

root@rock:~# chmod 774 myfile
root@rock:~# ls -l myfile
-rwxrwxr-- 1 root root
To change the executable permissions to allow PCMCIA services to start at boot time, I execute the following:

root@rock:~# chmod 755 /etc/rc.d/rc.pcmcia
root@rock:~# ls -l /etc/rc.d/rc.pcmcia
-rwxr-xr-x 1 root root 5090 2006-08-16 16:48 /etc/rc.d/rc.pcmcia*

The changes will take effect next time you boot.
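The octal method above, as an added example that is not from the guide: shell functions that turn the nine permission characters of ls -l into the octal value chmod takes, turn an octal value back into the symbolic form, and apply a mode to a throwaway file so the result can be read back from ls -l. The function names are my own; it needs only ls, chmod, cut and sed.

```shell
#!/bin/sh
# Added example, not from the original guide: convert between the symbolic
# permissions shown by ls -l and the octal value chmod takes, and apply a mode
# to a throwaway file to read the result back. Function names are my own.

# mode_to_octal rwxr-xr-x -> 755. Each group of three characters becomes one
# digit: r = 4, w = 2, x = 1, and a dash contributes nothing.
mode_to_octal() {
    perms=$1
    result=""
    i=0
    while [ "$i" -lt 3 ]; do
        triple=$(printf '%s' "$perms" | cut -c$((i * 3 + 1))-$((i * 3 + 3)))
        value=0
        case $triple in r??) value=$((value + 4)) ;; esac
        case $triple in ?w?) value=$((value + 2)) ;; esac
        case $triple in ??x) value=$((value + 1)) ;; esac
        result="$result$value"
        i=$((i + 1))
    done
    printf '%s\n' "$result"
}

# octal_to_mode 774 -> rwxrwxr--. The reverse: test each bit of each digit.
octal_to_mode() {
    out=""
    for d in $(printf '%s' "$1" | sed 's/./& /g'); do
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# applied_mode OCTAL -> the nine permission characters ls -l reports after
# "chmod OCTAL" on a fresh temporary file (characters 2-10; the first is the type).
applied_mode() {
    f=$(mktemp)
    chmod "$1" "$f"
    ls -l "$f" | cut -c2-10
    rm -f "$f"
}

# Stand-alone demonstration: the guide's two cases.
printf '%s -> %s\n' rwxr-xr-x "$(mode_to_octal rwxr-xr-x)"
printf '%s -> %s\n' 774 "$(octal_to_mode 774)"
printf 'chmod 774 gives %s\n' "$(applied_mode 774)"
```

The round trip through applied_mode is the useful check: whatever ls -l shows after a chmod should convert back to the digits you asked for, which catches a mistyped digit before the file is left world-writable.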
Metacharacters

The Linux command line (actually the bash shell in our case) also supports wildcards (metacharacters):
* for multiple characters (including ".").
? for single characters.
[] for groups of characters or a range of characters or numbers.

This is a complicated and very powerful subject, and will require further reading. Refer to regular expressions in your favorite Linux text, along with globbing or shell expansion. There are important differences that can confuse a beginner, so don't get discouraged by confusion over what * means in different situations.

Command Hints

1. Linux has a history list of previously used commands (stored in the file named .bash_history in your home directory). Use the keyboard arrows to scroll through commands you've already typed.
2. Linux supports command line editing. You can use the cursor to navigate a previous command and correct errors.
3. Linux commands and file names are CASE SENSITIVE.
4. Learn output redirection for stdout and stderr (> and 2>). More on this later.
5. Linux uses / for directories, DOS uses \.
6. Linux uses - for command options, DOS uses /.
7. Use q to quit from less or man sessions.
8. To execute commands in the current directory (if the current directory is not in your PATH), use the syntax "./command". This tells Linux to look in the present directory for the command. Unless it is explicitly specified, the current directory is NOT part of the normal user path, unlike DOS.

Pipes and Redirection

Like DOS, Linux allows you to redirect the output of a command from the standard output (usually the display or "console") to another device or file. This is useful for tasks like creating an output file that contains a list of files on a mounted volume, or in a directory. For example:

root@rock:~# ls -al > filelist.txt
commands and pipes, you can use several utilities and programs to boil down an analysis very quickly.

The Super User

If Linux gives you an error message "Permission denied", then in all likelihood you need to be "root" to execute the command or edit the file, etc. You don't have to log out and then log back in as "root" to do this. Just use the su command to give yourself root powers (assuming you know root's password). Enter the password when prompted. You now have root privileges (the system prompt will reflect this). When you are finished using your su login, return to your original login by typing exit. Here is a sample su session:

bgrundy@rock:~$ whoami
bgrundy
bgrundy@rock:~$ su
Password: <enter root password>
root@rock:~# whoami
root
root@rock:~# exit
logout
bgrundy@rock:~$
V. Editing with Vi

There are a number of terminal mode (non-GUI) editors available in Linux, including emacs and vi. You could always use one of the available GUI text editors in X window, but what if you are unable to start X? The benefit of learning vi or emacs is your ability to use them from an xterm, a character terminal, or a telnet (use ssh instead!) session, etc. We will discuss vi here. (I don't do emacs :)). vi in particular is useful, because you will find it on all versions of Unix. Learn vi and you should be able to edit a file on any Unix system.

The Joy of Vi

You can start vi either by simply typing vi at the command prompt, or you can specify the file you want to edit with vi filename. If the file does not already exist, it will be created for you.

vi consists of two operating modes, command mode and edit mode. When you first enter vi you will be in command mode. Command mode allows you to search for text, move around the file, and issue commands for saving, save as, and exiting the editor. Edit mode is where you actually input and change text.

In order to switch to edit mode, type either a (for append), i (for insert), or one of the other insert options listed on the next page. When you do this you will see "Insert" appear at the bottom of your screen (in most versions). You can now input text. When you want to exit the edit mode and return to command mode, hit the escape key.

You can use the arrow keys to move around the file in command mode. The vi editor was designed, however, to be exceedingly efficient, if not intuitive. The traditional way of moving around the file is to use the qwerty keys right under your fingertips. More on this below. In addition, there are a number of other navigation keys that make moving around in vi easier.

If you lose track of which mode you are in, hit the escape key twice. You should hear your computer beep and you will know that you are in command mode.

In current Linux distributions, vi is usually a link to some newer implementation of vi, such as vim (vi improved), or in the case of Slackware, elvis. If your distribution includes vim, it should come with a nice online tutorial. It is worth your time. Try typing vimtutor at a command prompt.
Work through the entire thing. This is the single best way to start learning vi. The navigation keys mentioned above will become clear if you use vimtutor.

Vi command summary

Entering Edit Mode from Command Mode:
a = append text (after the cursor)
i = insert text (directly under the cursor)
o (the letter oh) = open a new line under the current line
O (capital oh) = open a new line above the current line

Command (Normal) Mode:
0 (zero) = Move cursor to beginning of current line.
$ = Move cursor to the end of current line.
x = delete the character under the cursor
X = delete the character before the cursor
dd = delete the entire line the cursor is on
:w = save and continue editing
:wq = save and quit (can use ZZ as well)
:q! = quit and discard changes
:w filename = save a copy to filename (save as)

The best way to save yourself from a messed up edit is to hit <ESC> followed by :q! That command will quit without saving changes.

Another useful feature in command mode is the string search. To search for a particular string in a file, make sure you are in command mode and type
/string
Where string is your search target. After issuing the command, you can move on to the next hit by typing "n".

vi is an extremely powerful editor. There are a huge number of commands and capabilities that are outside the scope of this guide. See man vi for more details. Keep in mind there are chapters in books devoted to this editor. There are even a couple of books devoted to vi alone.
VI. Mounting File Systems

There is a long list of file system types that can be accessed through Linux. You do this by using the mount command. Linux has a couple of special directories used to mount file systems to the existing Linux directory tree. One directory is called /mnt. It is here that you can dynamically attach new file systems from external (or internal) storage devices that were not mounted at boot time. Typically, the /mnt directory is used for temporary mounting. Another available directory is /media, which provides a standard place for users and applications to mount removable media. Actually you can mount file systems anywhere (not just on /mnt or /media), but it's better for organization. Since we will be dealing with mostly temporary mounting of various file systems, we will use the /mnt directory for most of our work. Here is a brief overview.

Any time you specify a mount point you must first make sure that that directory exists. For example, to mount a floppy under /mnt/floppy you must be sure that /mnt/floppy exists. After all, suppose we want to have a CDROM and a floppy mounted at the same time? They can't both be mounted under /mnt (you would be trying to access two file systems through one directory!). So we create directories for each device's file system under the parent directory /mnt. You decide what you want to call the directories, but make them easy to remember. Keep in mind that until you learn to manipulate the file /etc/fstab (covered later), only root can mount and unmount file systems.

Newer distributions usually create mount points for floppy and cdrom for you, but you might want to add others for yourself (mount points for subject disks or images, etc. like /mnt/data or /mnt/analysis):

root@rock:~# mkdir /mnt/analysis

The Mount Command

The "mount" command uses the following syntax:
mount -t <filesystem> -o <options> <device> <mountpoint>

Example: Reading a DOS/Windows floppy
Insert the floppy and type:
Now change to the newly mounted file system (this assumes that the directory /mnt/floppy already exists. If not, create it):

root@rock:~# cd /mnt/floppy

Example: Reading a CDROM
Insert the CDROM and type:

Now change to the newly mounted file system:

root@rock:~# cd /mnt/cdrom
The file system table (/etc/fstab)

It might seem like "mount -t iso9660 /dev/cdrom /mnt/cdrom" is a lot to type every time you want to mount a CD. One way around this is to edit the file /etc/fstab (file system table). This file allows you to provide defaults for your mountable file systems, thereby shortening the commands required to mount them. My /etc/fstab looks like this:

root@rock:~# cat /etc/fstab
/dev/sda3    /             ext3      noauto,noatime    1  1
/dev/sda2    none          swap      sw                0  0
/dev/sda1    /boot         ext3      defaults          1  2
/dev/cdrom   /mnt/cdrom    iso9660   noauto,users,ro   0  0
/dev/sda4    /mnt/data     vfat      rw,users          0  0
none         /proc         proc      defaults          0  0
/dev/fd0     /mnt/floppy   vfat      noauto,rw,users   0  0

or

root@rock:~# mount /mnt/cdrom
The above mount commands look incomplete. When not enough information is given, the mount command will look to /etc/fstab to fill in the blanks. If it finds the required info, it will go ahead with the mount.

Note the "user" entry in the options column for some devices. This allows non-root users to mount the devices. Very useful. To find out more about available options for /etc/fstab, enter info fstab at the command prompt.

Also keep in mind that default Linux installations will often create /mnt/floppy and /mnt/cdrom for you already. After installing a new Linux system, have a look at /etc/fstab to see what is available for you. If what you need isn't there, add it.
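How mount fills in the blanks from /etc/fstab, as an added example that is not from the guide: a script that parses an fstab (a constructed table modelled on the one above, written to a temp file for the demonstration) and prints the full mount command the short form expands to, which entries carry the user or users option, and which are left unmounted at boot (noauto). The function names and the sample table are mine; pass a real /etc/fstab path to the same functions to run them against an actual system.

```shell
#!/bin/sh
# Added example, not from the original guide: how mount fills in a short command
# from /etc/fstab, and which entries ordinary users may mount. The table below is
# constructed (modelled on the guide's), written to a temp file for the demo.

sample_fstab() {
    cat <<'EOF'
# device      mount point   type      options           dump  pass
/dev/sda3     /             ext3      noatime           1     1
/dev/sda2     none          swap      sw                0     0
/dev/sda1     /boot         ext3      defaults          1     2
/dev/cdrom    /mnt/cdrom    iso9660   noauto,users,ro   0     0
/dev/sda4     /mnt/data     vfat      rw,users          0     0
none          /proc         proc      defaults          0     0
/dev/fd0      /mnt/floppy   vfat      noauto,rw,users   0     0
EOF
}

# fstab_expand FSTAB MOUNTPOINT: the full "mount -t TYPE -o OPTIONS DEVICE DIR"
# that "mount MOUNTPOINT" is short for, taken from the matching fstab line.
fstab_expand() {
    awk -v mp="$2" '!/^#/ && $2 == mp {
        printf "mount -t %s -o %s %s %s\n", $3, $4, $1, $2
        exit
    }' "$1"
}

# has_option FSTAB OPTION: mount points whose option list contains OPTION
# exactly (so "user" does not match "users" or "nouser").
has_option() {
    awk -v want="$2" '!/^#/ && NF >= 4 {
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] == want) { print $2; break }
    }' "$1"
}

# user_mountable FSTAB: entries non-root users may mount (user or users option).
user_mountable() {
    { has_option "$1" user; has_option "$1" users; } | sort
}

# Stand-alone demonstration.
tmp=$(mktemp)
sample_fstab > "$tmp"
fstab_expand "$tmp" /mnt/cdrom
echo "user-mountable:"; user_mountable "$tmp"
echo "not mounted at boot (noauto):"; has_option "$tmp" noauto
rm -f "$tmp"
```

On an examination workstation the user-mountable list is worth a glance: any entry there can be mounted by a non-root login with whatever options the line carries, so a subject-media entry should say ro as the cdrom line does.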
VII. Linux and Forensics

Included Forensic Tools

Linux comes with a number of simple utilities that make imaging and basic analysis of suspect disks and drives comparatively easy. These tools include:

dd - command used to copy from an input file or device to an output file or device. Simple bitstream imaging.
sfdisk and fdisk - used to determine the disk structure.
grep - search files (or multiple files) for instances of an expression or pattern.
The loop device - allows you to associate regular files with device nodes. This will then allow you to mount a bitstream image without having to rewrite the image to a disk.
md5sum and sha1sum - create and store an MD5 or SHA hash of a file or list of files (including devices).
file - reads a file's header information in an attempt to ascertain its type, regardless of name or extension.
xxd - command line hexdump tool. For viewing a file in hex mode.

Following is a very simple series of steps to allow you to perform an easy practice analysis using the simple Linux tools mentioned above. All of the commands can be further explored with man command. For simplicity we are going to use a floppy with a FAT file system. Again, this is just an introduction to the basic commands. These steps can be far more powerful with some command line tweaking.
Analysis organization

Having already said that this is just an introduction, most of the work you will do here can be applied to actual casework. The tools are standard Linux tools, and although the example shown here is very simple, it can be extended with some practice and a little (ok, a lot) of reading. The practice floppy (in raw image format from a simple dd) for the following exercise is available at:

http://www.LinuxLEO.com/Files/practical.floppy.dd

Of course, as has been pointed out to me on numerous occasions in the last few years, floppy disks are largely a thing of the past. They are nice in that they have a standard size, make for a small and very manageable image for introductory practice, and provide a consistent physical interface (when they are present). Future versions of this document will likely do away with the floppy image altogether, in favor of more modern media (even for the basic exercise). But for the meantime, just bear with me and follow along. You don't need a floppy drive to download and analyze the image... if you don't have one, you'll just have to do without writing the image to a physical disk. At this point, understanding the concepts is good enough.

Once you download the floppy image, put a blank floppy disk in your drive and create the practice floppy with the following command (covered in detail later):

root@rock:~# dd if=practical.floppy.dd of=/dev/fd0
The tilde (~) in front of the directory name is shorthand for home directory, so when I type ~/evid, it is interpreted as $HOME/evid. If I am logged in as root, the directory will be created as /root/evid. Note that if you are already in your home directory, then you don't need to type ~/. Simply using mkdir evid will work just fine. We are being explicit for instructional purposes.

Directing all of our analysis output to this directory will keep our output files separated from everything else and maintain case organization. You may wish to have a separate drive mounted as /mnt/evid.

For the purposes of this exercise, we will be logged in as root. I have mentioned already that this is generally a bad idea, and that you can make a mess of your system if you are not careful. Many of the commands we are utilizing here require root access (permissions on devices that you might want to access should not be changed to allow otherwise, and doing so would be far more complex than you think). So the output files that we create and the images we make will be found under /root/evid/.

An additional step you might want to take is to create a special mount point for all subject file system analysis. This is another way of separating common system use from evidence processing.

root@rock:~# mkdir /mnt/analysis

Determining the structure of the disk

There are two simple tools available for determining the structure of a disk attached to your system. The first, fdisk, we discussed earlier using the -l option. Replace the x with the letter of the drive that corresponds to the subject drive. For example, if our subject disk is attached on the secondary IDE channel as the master disk, it will be seen as /dev/hdc. A Serial ATA (SATA) disk will be /dev/sda (or sdb, etc.). We can get the partition information on that disk with:

root@rock:~# fdisk -l /dev/hdc

Disk /dev/hdc: 60.0 GB, 60011642880 bytes
255 heads, 63 sectors/track, 7296 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hdc1   *           1         654     5253223+   7  HPFS/NTFS
/dev/hdc2             655        2478    14651280    7  HPFS/NTFS
/dev/hdc3            2479        7296    38700585    5  Extended
/dev/hdc5            2479        4303    14659281   83  Linux
/dev/hdc6            4304        4366      506016   82  Linux swap
We can redirect the output of this command to a file for later use by issuing the command as:

root@rock:~# fdisk -l /dev/hdc > ~/evid/fdisk.disk1

A couple of things to note here: The name of the output file (fdisk.disk1) is completely arbitrary. There are no rules for extensions. Name the file anything you want. I would suggest you stick to a convention and make it descriptive. Also note that since we identified an explicit path for the file name, fdisk.disk1 will be created in /root/evid. Had we not given the path, the file would be created in the current directory (/root).

Also note that you can expect to see strange output if you use fdisk on a floppy disk. The fdisk command works by examining the partition table in the first sector (0) of a device. If there is no partition table there, such as on devices that house a single volume, it will still attempt to interpret the data and output garbage. Be aware of that if you attempt fdisk on the practice floppy (and some USB thumb drives). Try it on your hard drive instead to see sample output. Don't use fdisk on the practice floppy. The output will just confuse you.

Creating a forensic image of the suspect disk

Make an image of the practice disk using basic dd. This is your standard forensic image of a suspect disk. Change to and execute the command from within the /root/evid/ directory:

root@rock:~# cd evid
root@rock:~/evid # dd if=/dev/fd0 of=image.disk1 bs=512
Mounting a restored image

Mount the restored (cloned) working copy and view the contents. Remember, we are assuming this is a DOS formatted disk from a Win98/95 machine.

root@rock:~/evid # mount -t vfat -o ro,noexec /dev/fd0 /mnt/analysis

This will mount your working copy (the new floppy you created from the forensic image) on /mnt/analysis. The -o ro,noexec specifies the options ro (read only) and noexec (prevents the execution of binaries from the mount point) in order to protect the disk from you, and your system (and mount point) from the contents of the disk. There are other useful mount options as well, such as noatime. See man mount for more details.

Now cd to the mount point (/mnt/analysis) and browse the contents. Having mounted the physical clone of our original, we are simply looking at the logical file system.

Be sure to unmount the disk when you finish.

root@rock:~/evid # umount /mnt/analysis
Mounting the image using the loopback device

Another way to view the contents of the image without having to restore it to another disk is to mount using the loop interface. Basically, this allows you to mount a file system within an image file (instead of a disk) to a mount point and browse the contents. Your Linux kernel must have loop either compiled as a module or compiled into the kernel for this to work. By default, Slackware 12 has the loop driver compiled into the kernel.

We use the same mount command and the same options, but this time we include the option loop to indicate that we want to use the loop device to mount the file system within the image file, and we specify a disk (partition) image rather than a disk device. Change to the directory where you created the image and type:

root@rock:~/evid # mount -t vfat -o ro,noexec,loop image.disk1 /mnt/analysis

File Hash

One important step in any analysis is verifying the integrity of your data both before and after the analysis is complete. You can get a hash (CRC, MD5, or SHA) of each file in a number of different ways. In this example, we will use the SHA hash. SHA is a hash signature generator that supplies a 160 bit fingerprint of a file or disk. It is not feasible for someone to computationally recreate a file based on the SHA hash. This means that matching SHA signatures mean identical files.

We can get an SHA sum of a disk by changing to our evidence directory (i.e. /root/evid) and running the following command (note that the following commands can be replaced with md5sum if you prefer to use the MD5 hash algorithm):

root@rock:~/evid # sha1sum /dev/fd0
or

root@rock:~/evid # sha1sum /dev/fd0 > sha.disk1

The redirection in the second command allows us to store the signature in a file and use it for verification later on. To get a hash of a raw disk (/dev/hda, /dev/fd0, etc.) the disk does NOT have to be mounted. We are hashing the device (the disk) not the file system. As we discussed earlier, Linux treats all objects, including physical disks, as files. So whether you are hashing a file or a hard drive, the command is the same.

We can get a hash of each file on the disk using the find command and an option that allows us to execute a command on each file found. We can get a very useful list of SHA hashes for every file on a disk by loop mounting the image again, and then changing to the /mnt/analysis directory:

root@rock:~# mount -t vfat -o ro,noexec,loop image.disk1 /mnt/analysis
root@rock:~# cd /mnt/analysis
root@rock:/mnt/analysis #

This command says find, starting in the current directory (signified by the .), any regular file (-type f) and execute (-exec) the command sha1sum on all files found ({}). Redirect the output to sha.filelist in the ~/evid directory (where we are storing all of our evidence files). Remember, the tilde (~) in front of the directory name is shorthand for home, so ~/evid is equivalent to /root/evid. The \; is an escape sequence that ends the -exec command. The result is a list of files from our analysis mount point and their SHA hashes. Again, you can substitute the md5sum command if you prefer.

Have a look at the hashes by using the cat command to stream the file to standard output (in this case, our terminal screen):
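The hash-list procedure just described (hash every regular file with find -exec sha1sum, keep the list in the evidence directory), together with the earlier point that integrity is verified both before and after the analysis, as an added example that is not the guide's own code: the list is written exactly as the page describes, and sha1sum -c is then used to check the mounted tree against it. The mount point and evidence directory are constructed temp directories here; substitute /mnt/analysis and /root/evid on a real system.

```shell
#!/bin/sh
# Added example, not from the original guide: build the per-file SHA-1 list with
# find -exec sha1sum as the guide describes, then verify the tree against it
# with sha1sum -c. Directories are constructed temp copies standing in for
# /mnt/analysis and /root/evid.

# Constructed stand-in for the mounted practice disk; prints its path.
make_sample_mount() {
    m=$(mktemp -d)
    mkdir -p "$m/Docs" "$m/Pics"
    printf 'benchmark data\n' > "$m/Docs/Benchmarks.xls"
    printf 'why hack?\n' > "$m/Docs/whyhack"
    printf 'not really a jpeg\n' > "$m/Pics/bike2.jpg"
    printf '%s\n' "$m"
}

# hash_tree MOUNT EVID: write EVID/sha.filelist from inside MOUNT so each entry
# is a relative path (./Docs/...), and print how many files were hashed.
hash_tree() {
    mkdir -p "$2"
    # Sorting makes the list reproducible; find's own order is filesystem-dependent.
    (cd "$1" && find . -type f -exec sha1sum {} \; | sort -k 2) > "$2/sha.filelist"
    wc -l < "$2/sha.filelist" | tr -d ' '
}

# verify_tree MOUNT EVID: OK when every listed file still has the recorded hash,
# FAILED if any hash differs or a listed file is missing. Run from MOUNT so the
# relative paths in the list resolve.
verify_tree() {
    if (cd "$1" && sha1sum -c --status "$2/sha.filelist"); then
        echo OK
    else
        echo FAILED
    fi
}

# Stand-alone demonstration.
mnt=$(make_sample_mount)
evid=$(mktemp -d)
echo "hashed $(hash_tree "$mnt" "$evid") files"
cat "$evid/sha.filelist"
echo "before: $(verify_tree "$mnt" "$evid")"
printf 'changed\n' >> "$mnt/Docs/whyhack"     # simulate a modified file
echo "after:  $(verify_tree "$mnt" "$evid")"
rm -rf "$mnt" "$evid"
```

Because the list holds paths relative to the mount point, the same sha.filelist verifies the restored floppy and the loop-mounted image alike, whichever one is on /mnt/analysis at the time; a FAILED result at the end of the analysis means something on the working copy changed and the steps since the last OK need to be revisited.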
root@rock:/mnt/analysis # cat /root/evid/sha.filelist
86082e288fea4a0f5c5ed3c7c40b3e7947afec11  ./Docs/Benchmarks.xls
81e62f9f73633e85b91e7064655b0ed190228108  ./Docs/Computer_Build.xml
0950fb83dd03714d0c15622fa4c5efe719869e48  ./Docs/Law.doc
7a1d5170911a87a74ffff8569f85861bc2d2462d  ./Docs/whyhack
63ddc7bca46f08caa51e1d64a12885e1b4c33cc9  ./Pics/C800x600.jpg
8844614b5c2f90fd9df6f8c8766109573ae1b923  ./Pics/bike2.jpg
4cf18c44023c05fad0de98ed6b669dc4645f130b  ./Pics/bike3.jpg
<continues>
The Analysis

You can now view the contents of the read only mounted or restored disk or loop mounted image. If you are running the X window system, then you can use your favorite file browser to look through the disk. In most (if not all) cases, you will find the command line more useful and powerful in order to allow file redirection and permanent record of your analysis. We will use the command line here.

We are also assuming that you are issuing the following commands from the proper mount point (/mnt/analysis/). If you want to save a copy of each command's output, be sure to direct the output file to your evidence directory (/root/evid/) using an explicit path.

Navigate through the directories and see what you can find. Use the ls command to view the contents of the disk. Again, you should be in the directory /mnt/analysis, our working directory. The command in the following form might be useful:

root@rock:/mnt/analysis # ls -al
total 118
drwxr--r--   4 root root  7168 Dec 31  1969 .
drwxr-xr-x  13 root root  4096 Dec 21 14:20 ..
drwxr--r--   3 root root   512 Sep 23  2000 Docs
drwxr--r--   2 root root   512 Sep 23  2000 Pics
-rwxr--r--   1 root root 19536 Aug 24  1996 arp.exe
-rwxr--r--   1 root root 37520 Aug 24  1996 ftp.exe
-r-xr--r--   1 root root 16161 Sep 21  2000 loveletter.virus
-rwxr--r--   1 root root 21271 Mar 19  2000 ouchy.dat
-rwxr--r--   1 root root 12384 Aug  2  2000 snoof.gz
Making a List of All Files

Get creative. Take the above command and redirect the output to your evidence directory. With that you will have a list of all the files and their owners and permissions on the subject file system. This is a very important command. Check the man page for various uses and options. For example, you could use the -i option to include the inode (file serial number) in the list, the -u option can be used so that the output will include and sort by access time (when used with the -t option).

root@rock:/mnt/analysis # ls -laiRtu > ~/evid/access_file.list

You could also get a list of the files, one per line, using the find command and redirecting the output to another list file:

root@rock:/mnt/analysis # find . -type f > ~/evid/file.list.2
root@rock:/mnt/analysis # tree
|-- Docs
|   |-- Benchmarks.xls
|   |-- Computer_Build.xml
|   |-- Law.doc
|   |-- Private
|   `-- whyhack
|-- Pics
|   |-- C800x600.jpg
|   |-- Stoppie.gif
|   |-- bike2.jpg
|   |-- bike3.jpg
|   |-- matrixs3.jpg
|   `-- mulewheelie.gif
|-- arp.exe
|-- ftp.exe
|-- loveletter.virus
|-- ouchy.dat
`-- snoof.gz

3 directories, 15 files

Making a List of File Types

What if you are looking for JPEGs but the name of the file has been changed, or the extension is wrong? You can also run the command file on each file and see what it might contain.

file filename
View the resulting list with the cat command (or less), and if you are looking for images in particular, then use grep to specify that:

root@rock:/mnt/analysis # cat ~/evid/filetype.list
./Docs/Benchmarks.xls: Microsoft Installer
./Docs/Computer_Build.xml: gzip compressed data, from Unix
./Docs/Law.doc: Microsoft Installer
./Docs/whyhack: ASCII English text, with very long lines
./Pics/C800x600.jpg: JPEG image data, JFIF standard 1.02
./Pics/bike2.jpg: PC bitmap data, Windows 3.x format, 300 x 204 x 24
./Pics/bike3.jpg: PC bitmap data, Windows 3.x format, 317 x 197 x 24
./Pics/matrixs3.jpg: JPEG image data, JFIF standard 1.01
./Pics/mulewheelie.gif: PC bitmap data, Windows 3.x format, 425x328x24
./Pics/Stoppie.gif: GIF image data, version 87a, 1024 x 693
./arp.exe: MS-DOS exe PE for MS Windows (console) Intel 80386 32-bit
./ftp.exe: MS-DOS exe PE for MS Windows (console) Intel 80386 32-bit
./loveletter.virus: ASCII English text
./ouchy.dat: JPEG image data, JFIF standard 1.02
./snoof.gz: gzip compressed data, from Unix

The following command would look for the string "image" using the grep command on the file /root/evid/filetype.list:

root@rock:/mnt/analysis # grep image ~/evid/filetype.list
./Pics/C800x600.jpg: JPEG image data, JFIF standard 1.02
./Pics/matrixs3.jpg: JPEG image data, JFIF standard 1.01
./Pics/Stoppie.gif: GIF image data, version 87a, 1024 x 693
./ouchy.dat: JPEG image data, JFIF standard 1.02
Viewing Files

For text files and data files, you might want to use cat, more or less to view the contents.

cat filename
more filename
less filename

Be aware that if the output is not standard text, then you might corrupt the terminal output (type reset or stty sane at the prompt and it should clear up). It is best to run these commands in a terminal window in X so that you can simply close out a corrupted terminal and start another. Using the file command will give you a good idea of which files will be viewable and what program might best be used to view the contents of a file. For example, Microsoft Office documents can be opened under Linux using programs like OpenOffice.

Perhaps a better alternative for viewing unknown files would be to use the strings command. This command can be used to parse regular ASCII text out of any file. It's good for formatted documents, data files (Excel, etc.) and even binaries (e.g. unidentified executables), which might have interesting text strings hidden in them. It might be best to pipe the output through less.

strings filename | less

Have a look at the contents of the practice disk on /mnt/analysis. There is a file called arp.exe. What does this file do? We can't execute it, and from using the file command we know that it's a DOS/Windows executable. Run the following command (again, assuming you are in the /mnt/analysis directory) and scroll through the output. Do you find anything of interest (hint: like a usage message)?
v.3.78TheLawEnforcementandForensicExaminer'sIntroductiontoLinux root@rock:/mnt/analysis # strings arp.exe | less l|} <-t8</t4 t]Ph t2Ph ' Ph!' @SVW wR9U wM9U wH9U SVWj ...<continues> inetmib1.dll Displays and modifies the IP-to-Physical address translation tables used by address resolution protocol (ARP). ARP -s inet_addr eth_addr [if_addr] ARP -d inet_addr [if_addr] ARP -a [inet_addr] [-N if_addr] -a Displays current ARP entries by interrogating the current protocol data. If inet_addr is specified, the IP and Physical addresses for only the specified computer are displayed. If more than one network interface uses ARP, entries for each ARP table are displayed. -g Same as -a. <continues>
IfyouarecurrentlyrunningtheXwindowsystem,youcanuseanyof thegraphicstoolsthatcomestandardwithwhicheverLinuxdistributionyou areusing.gqviewisonegraphicstoolfortheGNOMEdesktopthatwilldisplay graphicfilesinadirectory.Experimentalittle.Othertools,suchasgthumbfor GnomeandKonquerorfromtheKDEdesktophaveafeaturethatwillcreatea verynicehtmlimagegalleryforyoufromallimagesinadirectory. Onceyouarefinishedexploring,besuretounmountthefloppy(orloop mounteddiskimage).Again,makesureyouarenotanywhereinthemount pointwhenyoutrytounmount,oryouwillgetthebusyerror.The commandswilltakeyoubacktoyourhomedirectory(usingthetilde~)and thenunmounttheloopmountedfilesystem.
root@rock:/mnt/analysis # cd ~
root@rock:~# umount /mnt/analysis
Searching Unallocated and Slack Space for Text
Now let's go back to the original image. The restored disk (or loop mounted disk image) allowed you to check all the files and directories (logical view). What about unallocated and slack space (physical view)? We will now
Now we will use the grep command to search the image for any instance of an expression or pattern. We will use a number of options to make the output of grep more useful. The syntax of grep is normally:

grep options <pattern> <file to search>

The first thing we will do is create a list of keywords to search for. It's rare we ever want to search evidence for a single keyword, after all. For our example, let's use "ransom", "$50,000" (the ransom amount), and "unleash a virus". These are some keywords and a phrase that we have decided to use from the original letter received by the corporation. Make the list of keywords (using vi) and save it as /root/evid/searchlist.txt. Ensure that each string you want to search for is on a different line.

$50,000
ransom
unleash a virus

Make sure there are NO BLANK LINES IN THE LIST OR AT THE END OF THE LIST!! Now we run the grep command on our image:
root@rock:~/evid # grep -abif searchlist.txt image.disk1 > hits.txt
The i option tells grep to ignore upper and lower case. And the b option tells grep to give us the byte offset of each hit so we can find the line in xxd. Earlier we mentioned the grep man page and the section it has on regular expressions. Please take the time to read through it and experiment.

Once you run the command above, you should have a new file in your current directory called hits.txt. View this file with less or more or any text viewer. Keep in mind that strings might be best for the job. Again, if you use more or less, you run the risk of corrupting your terminal if there are non-ASCII characters. We will simply use cat to stream the entire contents of the file to the standard output. The file hits.txt should give you a list of lines that contain the words in your searchlist.txt file. In front of each line is a number that represents the byte offset for that hit in the image file. For illustration purposes, the search terms are underlined, and the byte offsets are bold in the output below:
root@rock:~/evid # cat hits.txt
75441:you and your entire business ransom.
75500:I have had enough of your mindless corporate piracy and will no longer stand for it. You will receive another letter next week. It will have a single bank account number and bank name. I want you to deposit $50,000 in the account the day you receive the letter.
75767:Don't try anything, and don't contact the cops. If you do, I will unleash a virus that will bring down your whole network and destroy your consumer's confidence.
VIII. Common Forensic Issues
Handling Large Disks
The example used in this text utilizes a file system on a floppy disk. What happens when you are dealing with larger hard disks? When you create an image of a disk drive with the dd command there are a number of components to the image. These components can include a boot sector, partition table, and the various partitions (if defined).

When you attempt to mount a larger image with the loop device, you find that the mount command is unable to find the file system on the disk. This is because mount does not know how to recognize the partition table. Remember, the mount command handles file systems, not disks (or disk images). The easy way around this (although it is not very efficient for large disks) would be to create separate images for each disk partition that you want to analyze. For a simple hard drive with a single large partition, you could create two images.

Assuming your suspect disk is attached as the master device on the secondary IDE channel:
root@rock:~# dd if=/dev/hdc of=image.disk.dd
...gets the entire disk.
root@rock:~# dd if=/dev/hdc1 of=image.part1.dd
...gets the first partition.

The first command gets you a full image of the entire disk (hdc) for backup purposes, including the boot record and partition table. The second command gets you the partition (hdc1). The resulting image from the second command can be mounted via the loop device.

Note that although both of the above images will contain the same file system with the same data, the hashes will obviously not match. Making separate images for each partition, however, is very inefficient.

One method for handling larger disks when using the loop device is to send the mount command a message to skip trying to mount the first 63 sectors of the image. These sectors are used to contain information (like the MBR) that is not part of a normal data partition. We know that each sector is
This effectively jumps over the first 63 sectors of the image and goes straight to the boot sector of the first partition, allowing the mount command to work properly. We will see other examples of this, and how to find the actual offset, later in this document. It may not always be 63 sectors.

Now that we know about the issues surrounding the creation of large images from whole disks, what do we do if we run into an error? Suppose you are creating a disk image with dd and the command exits halfway through the process with a read error? We can instruct dd to attempt to read past the errors using the conv=noerror option. In basic terms, this is telling the dd command to ignore the errors that it finds, and attempt to read past them. When we specify the noerror option it is a good idea to include the sync option along with it. This will pad the dd output wherever errors are found and ensure that the output will be synchronized with the original disk. This may allow file system access and file recovery where errors are not fatal. Assuming that our subject drive is /dev/hdc, the command will look something like:
root@rock:~# dd if=/dev/hdc of=image.disk.dd conv=noerror,sync
I would like to caution forensic examiners against using the conv=noerror,sync option, however. While dd is capable of reading past errors in many cases, it is not designed to actually recover any data from those areas. There are a number of tools out there that are designed specifically for this purpose. My current philosophy is that if you need to use conv=noerror,sync, then you are using the wrong tool. That is not to say it will not work as advertised (with some caveats), only that there are better options, or at least important considerations. One such caveat: keep the block size at the sector size (the default 512 bytes) when you use conv=noerror,sync. With a larger bs, a single unreadable sector makes dd pad the whole block with zeros, so the readable sectors in that block are lost from the image as well. We will discuss better options for error prone disks later in this document.

In addition to the structure of the images and the issues of image sizes, we also have to be concerned with memory usage and our tools. You might find that grep, when used as illustrated in our floppy analysis example, might not work as expected with larger images and could exit with an error similar to:

grep: memory exhausted
The most apparent cause for this is that grep does its searches line by line. When you are grepping a large disk image, you might find that you have a huge number of bytes to read through before grep comes across a newline character. What if grep had to read 200MB of data before coming across a newline? It would exhaust itself (the input buffer fills up).

What if we could force feed grep some newlines? In our example analysis we are grepping for text. We are not concerned with non-text characters at all. If we could take the input stream to grep and change the non-text characters to newlines, grep would have no problem. Note that changing the input stream to grep does not change the image itself. Also, remember that we are still looking for a byte offset. Luckily, the character sizes remain the same, and so the offset does not change as we feed newlines into the stream (simply replacing one character with another).

Let's say we want to take all of the control characters streaming into grep from the disk image and change them to newlines. We can use the translate command, tr, to accomplish this. Check out man tr for more information about this powerful command:
root@rock:~/evid # tr '[:cntrl:]' '\n' < image.disk | grep -abif list.txt > hits.txt
This command would read: Translate all the characters contained in the set of control characters ([:cntrl:]) to newlines (\n). Take the input to tr from image.disk and pipe the output to grep, sending the results to hits.txt. This effectively changes the stream before it gets to grep.

This is only one of many possible problems you could come across. My point here is that when issues such as these arise, you need to be familiar enough with the tools Linux provides to be able to understand why such errors might have been produced, and how you can get around them. Remember, the shell tools and the GNU software that accompany a Linux distribution are extremely powerful, and are capable of tackling nearly any task. Where the standard shell fails, you might look at perl or python as options. These subjects are outside of the scope of the current presentation, but are introduced as fodder for further experimentation.
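The keyword search and the tr trick above, run side by side on a constructed image so you can see exactly which number grep -b reports in each case. This is an added example, not code from the guide: the image, the note written into it at byte 1000 and the keyword list are all constructed here, and the -F flag (fixed strings) is an addition so that "$" and "." in the search terms are not read as regular expression operators.

```sh
#!/bin/sh
# Added example, not from the original guide: the keyword search run three ways on a
# constructed image, to show what grep -b actually reports and why the tr trick does
# not disturb offsets. Assumes GNU grep (-a -b -i -o -F -f), plus dd, tr, cut.
set -e
WORK=$(mktemp -d)
IMG="$WORK/image.disk"
LIST="$WORK/searchlist.txt"

# Constructed "disk image": 8 zero sectors, with a two-line note dropped in at byte 1000.
# Everything around the note is NUL, like unallocated space on a wiped disk.
dd if=/dev/zero bs=512 count=8 of="$IMG" 2>/dev/null
printf 'I want you to deposit $50,000 now.\nThis is a RANSOM note.\n' \
  | dd of="$IMG" bs=1 seek=1000 conv=notrunc 2>/dev/null

# Keyword list, one term per line, no blank lines (a blank pattern matches every line).
printf '$50,000\nransom\n' > "$LIST"

# The guide's search: -a treat binary as text, -b byte offset, -i ignore case, -f list.
# -F (fixed strings) is added so "$" and "." in the terms are not regex operators.
plain_hits() { grep -abiFf "$LIST" "$IMG"; }

# Same search with control characters (NUL included) turned into newlines first.
# One byte is swapped for one byte, so every offset is the same as in the image.
tr_hits() { tr '[:cntrl:]' '\n' < "$IMG" | grep -abiFf "$LIST"; }

# -b alone reports where the LINE starts; -o makes it report where the MATCH starts,
# which is the number you want to hand to xxd -s or dd skip=.
match_offsets() { grep -abiFof "$LIST" "$IMG" | cut -d: -f1; }

# Pull $2 bytes at offset $1 and show them with non-printables as dots, to confirm a hit.
context() { dd if="$IMG" bs=1 skip="$1" count="$2" 2>/dev/null | tr -c '[:print:]' '.'; }

echo "line offsets, plain search: $(plain_hits | cut -d: -f1 | tr '\n' ' ')"
echo "line offsets, after tr:     $(tr_hits | cut -d: -f1 | tr '\n' ' ')"
echo "match offsets (-o):         $(match_offsets | tr '\n' ' ')"
echo "bytes at 1022:              $(context 1022 7)"
```

The plain search reports offset 0 for the first hit, because the thousand NUL bytes before the note are part of the same "line" as far as grep is concerned. After tr those NULs are newlines and the same hit is reported at 1000, the start of the note; only -o gives 1022, the offset of "$50,000" itself. On a real image the plain line offset can be megabytes away from the text you are looking for, so use -o (or the tr pipeline) before feeding an offset to xxd or dd.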
Preparing a Disk for the Suspect Image
One common practice in forensic disk analysis is to wipe a disk prior to restoring a forensic image to it. This ensures that any data found on the restored disk is from the image and not from residual data. That is, data left behind from a previous case or image.
This starts at the beginning of the drive and writes zeros (the input file) to every sector on /dev/hdc (the output file) in 4096 byte chunks (bs = block size). Specifying larger block sizes can speed the writing process. Experiment with different block sizes and see what effect it has on the writing speed (i.e. 32k, 64k, etc.). I've wiped 60GB disks in under an hour on a fast IDE controller with the proper drive parameters (see the next section for more info).

So how do we verify that our command to write zeros to a whole disk was a success? You could check random sectors with a hex editor, but that's not realistic for a large drive. One of the best methods would be to use the xxd command (command line hexdump) with the autoskip option (works if a drive is wiped with 0x00). The output of this command on a zero'd drive would give just three lines. The first line, starting at offset zero with a row of zeros in the data area, followed by an asterisk (*) to indicate identical lines, and finally the last line, with the final offset followed by the remaining zeros in the data area. Here's an example of the command on a zero'd drive (floppy) and its output.
root@rock:~# xxd -a /dev/fd0
0000000: 0000 0000 0000 0000 0000 0000 0000 0000  ................
*
0167ff0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
Obtaining Disk Information
Specific drive parameters can be displayed and set using the hdparm command (for IDE and SATA disks in recent versions). Check hdparm's man page for available options. For instance, setting DMA on a drive can dramatically speed things up. Note that while hdparm may be able to display settings on SATA disks, be aware that setting parameters is a different story. Drives must be capable of a given setting in order to work.
root@rock:~# hdparm /dev/hda

/dev/hda:
 multcount    = 16 (on)
 IO_support   =  1 (32-bit)
 unmaskirq    =  0 (off)
 using_dma    =  0 (off)   <-- DMA is turned off
 keepsettings =  0 (off)
 readonly     =  0 (off)
 readahead    = 256 (on)
 geometry     = 65535/16/63, sectors = 60011642880, start = 0
root@rock:~# hdparm -d1 /dev/hda

/dev/hda:
 setting using_dma to 1 (on)
 using_dma    =  1 (on)    <-- We have turned DMA on with the -d1 option
In the above session, the first command displays the current parameters of the drive /dev/hda and shows that DMA is off. The second command actually turns DMA on for that particular disk. Pay attention to the multcount and IO_support settings as well. Most modern distributions take care of this for you. Just be aware of the capability. Note that this is an IDE disk.

To obtain a more complete listing of a drive's information, you can use the -I switch with hdparm. Here is a sample of hdparm output on a SATA disk. Note that you are given the disk model, serial number and geometry information, to include user addressable sectors (output is edited for brevity):
root@rock:~# hdparm -I /dev/sda

/dev/sda:

ATA device, with non-removable media
        Model Number:       ST3250823AS
        Serial Number:      3ND1M14Q
        Firmware Revision:  3.03
Standards:
        Used: ATA/ATAPI-6 T13 1410D revision 2
        Supported: 7 6 5 4 & some of 7
Configuration:
        Logical         max     current
        cylinders       16383   16383
        heads           16      16
        sectors/track   63      63
        --
        CHS current addressable sectors:   16514064
        LBA    user addressable sectors:  268435455
        LBA48  user addressable sectors:  488397168
Capabilities:
        ...
Commands/features:
        Enabled Supported:
           *    SMART feature set
           *    Power Management feature set
           *    Write cache
        ...
           *    Host-initiated interface power management
           *    Phy event counters
           *    Software settings preservation
Checksum: correct
IX. Advanced (Beginner) Forensics
The following sections are more advanced and detailed. New tools are introduced to help round out some of your knowledge and provide a more solid footing on the capabilities of the Linux command line. The topics are still at the beginner level, but you should be at least somewhat comfortable with the command line before tackling the exercises. Although I've included the commands and much of the output for those who are reading this without the benefit of a Linux box nearby, it is important that you follow along on your own system as we go through the practical exercises. Typing at the keyboard and experimentation is the only way to learn.
The Command Line on Steroids
Let's dig a little deeper into the command line. Often there are arguments made about the usefulness of the command line interface (CLI) versus a GUI tool for analysis. I would argue that in the case of large sets of regimented data, the CLI can sometimes be faster and more flexible than many GUI tools available today.

As an example, we will look at a set of log files from a single Unix system. We are not going to analyze them for any sort of "smoking gun". The point here is to illustrate the ability of commands through the CLI to organize and parse through data by using pipes to string a series of commands together, obtaining the desired output. Follow along with the example, and keep in mind that to get anywhere near proficient with this will require a great deal of reading and practice. The payoff is enormous.

Create a directory called logs and download the file logs.v3.tar.gz into that directory:

http://www.LinuxLEO.com/Files/logs.v3.tar.gz

A .tar.gz file is commonly referred to as a "tar archive". Much like a zip file in the Windows world. The tar part of the extension indicates that the file was created using the tar command (see man tar for more info). The gz extension indicates that the file was compressed (commonly with gzip). When you first download a tar archive, you should always have a look at the contents of the archive before decompressing, extracting and haphazardly writing the contents to your drive. Listing first also shows whether any member carries an absolute path or a ../ component that would write outside the directory you extract into. View the contents of the archive with the following command:
root@rock:~/logs # tar tzvf logs.v3.tar.gz
-rw-r--r-- root/root      8282 2003-10-29 12:45
-rw------- root/root      8302 2003-10-29 16:17
-rw------- root/root      8293 2003-10-29 16:19
-rw------- root/root      4694 2003-10-29 16:23
-rw------- root/root      1215 2003-10-29 16:23
root@rock:~/logs # tac messages* | less
Nov 23 18:27:00 hostname123 rc.sysinit: Mounting proc filesystem: succeeded
Nov 23 18:27:58 hostname123 kernel: hda: hda1 hda2 hda3 hda4 < hda5 hda6 hda7 >
Nov 23 18:27:58 hostname123 kernel: Partition check:
Nov 23 18:27:58 hostname123 kernel: ide-floppy driver 0.99.newide
Nov 23 18:27:58 hostname123 kernel: hda: 12594960 sectors (6449 MB) w/80KiB Cache, CHS=784/255/63, UDMA(33)
Nov 23 18:27:58 hostname123 kernel: blk: queue c035e6a4, I/O limit 4095Mb (mask 0xffffffff)
Nov 23 18:27:58 hostname123 kernel: ide1 at 0x170-0x177,0x376 on irq 15
Nov 23 18:27:58 hostname123 kernel: ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
Nov 23 18:27:58 hostname123 kernel: hdc: TOSHIBA CD-ROM XM-6202B, ATAPI CD/DVD-ROM drive
Nov 23 18:27:58 hostname123 kernel: hda: QUANTUM FIREBALL SE6.4A, ATA DISK drive
Nov 23 18:27:58 hostname123 kernel: ide1: BM-DMA at 0x14c8-0x14cf, BIOS settings: hdc:DMA, hdd:pio
Nov 23 18:27:58 hostname123 kernel: ide0: BM-DMA at 0x14c0-0x14c7, BIOS settings: hda:DMA, hdb:pio
Nov 23 18:27:58 hostname123 kernel: PIIX4: not 100%% native mode: will probe irqs later
<continues>
Beautiful. The dates are now in order. We can now work on the stream of log entries as if they were one large (in order) file.

We will introduce a new command, awk, to help us view specific fields from the log entries, in this case, the dates. awk is an extremely powerful command. The version most often found on Linux systems is gawk (GNU awk). While we are going to use it as a standalone command, awk is actually a programming language on its own, and can be used to write scripts for organizing data. Our concentration will be centered on awk's print function. See man awk for more details.

Sets of repetitive data can often be divided into columns or fields, depending on the structure of the file. In this case, the fields in the log files are separated by simple whitespace (awk's default field separator). The date is comprised of the first two fields (month and day).
root@rock:~/logs # tac messages* | awk '{print $1" "$2}' | less
Nov 23
Nov 23
Nov 23
Nov 23
Nov 23
<continues>
Also, if we don't know that there are two spaces between "Nov" and "4", we can tell grep to look for any number of spaces between the two:
root@rock:~/logs # tac messages* | grep ^"Nov[ ]*4"
Nov  4 17:41:27 hostname123 sshd[27630]: Received disconnect from 1xx.183.221.214: 11: Disconnect requested by Windows SSH Client.
Nov  4 17:13:07 hostname123 sshd(pam_unix)[27630]: session opened for user root by (uid=0)
Nov  4 17:13:07 hostname123 sshd[27630]: Accepted password for root from 1xx.183.221.214 port 1762 ssh2
Nov  4 17:08:23 hostname123 sshd(pam_unix)[27479]: session closed for user root
Nov  4 17:07:11 hostname123 squid[27608]: Squid Parent: child process 27610 started
<continues>
root@rock:~/logs # tac messages* | grep "identification string" | awk '{print $1" "$2" "$3" "$NF}' | less
Nov 22 23:48:47 19x.xx9.220.35
Nov 22 23:48:47 19x.xx9.220.35
Nov 20 14:13:11 200.xx.114.131
Nov 18 18:55:06 6x.x2.248.243
Nov 17 19:26:43 200.xx.72.129
<continues>
We can also get a sorted (sort) list of the unique (-u) IP addresses involved in the same way:
root@rock:~/logs # echo "Unique IP addresses:" >> report.txt
root@rock:~/logs # tac messages* | grep "identification string" | awk '{print $NF}' | sort -u >> report.txt
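The pipelines from this exercise, packaged as shell functions and run on a constructed messages file so they work without the logs.v3 archive. This is an added example, not the guide's own script: the log lines are built from the anonymized samples shown above, the sshd process IDs on the "identification string" lines are made up, and the per-IP count is an addition to what the guide writes into report.txt.

```sh
#!/bin/sh
# Added example, not part of the original guide: the tac / grep / awk / sort pipelines
# from the log exercise as functions, run on a constructed messages file built from the
# sample lines the guide shows (hostnames and IPs are the guide's anonymized ones, the
# PIDs are made up). Assumes GNU tac and POSIX awk, sort, uniq, grep, wc.
set -e
WORK=$(mktemp -d)
LOG="$WORK/messages"
REPORT="$WORK/report.txt"

# Constructed syslog file, oldest entry first as a real messages file is.
cat > "$LOG" <<'EOF'
Nov  4 17:13:07 hostname123 sshd[27630]: Accepted password for root from 1xx.183.221.214 port 1762 ssh2
Nov  4 17:41:27 hostname123 sshd[27630]: Received disconnect from 1xx.183.221.214: 11: Disconnect requested by Windows SSH Client.
Nov 17 19:26:43 hostname123 sshd[30112]: Did not receive identification string from 200.xx.72.129
Nov 18 18:55:06 hostname123 sshd[30201]: Did not receive identification string from 6x.x2.248.243
Nov 20 14:13:11 hostname123 sshd[30377]: Did not receive identification string from 200.xx.114.131
Nov 22 23:48:47 hostname123 sshd[30520]: Did not receive identification string from 19x.xx9.220.35
Nov 22 23:48:47 hostname123 sshd[30521]: Did not receive identification string from 19x.xx9.220.35
EOF

# Newest entry first, as the guide does with "tac messages*".
newest_first() { tac "$LOG"; }

# Every line for one day. "$1[ ]*$2 " matches "Nov  4 " with one or two spaces after the
# month, and the trailing space keeps "Nov 14" from matching day 4.
day_lines() { newest_first | grep "^$1[ ]*$2 "; }

# Date, time and last field ($NF, the client IP) of every "no identification string"
# line. sshd logs this when a client connects and sends no SSH banner, typically a scanner.
ident_hits() { newest_first | grep "identification string" | awk '{print $1" "$2" "$3" "$NF}'; }

# Sorted, de-duplicated list of those IPs (sort -u), as appended to the report in the guide.
unique_ips() { ident_hits | awk '{print $NF}' | sort -u; }

# The same IPs with a hit count each, busiest first, printed as "ip count".
ip_counts() { ident_hits | awk '{print $NF}' | sort | uniq -c | sort -rn | awk '{print $2" "$1}'; }

# Write the report sections. The guide builds report.txt up with >> over several commands;
# here the first redirection starts a fresh file. Returns the line count of the report.
write_report() {
  { echo "Unique IP addresses:"; unique_ips; echo; echo "Hits per IP:"; ip_counts; } > "$REPORT"
  wc -l < "$REPORT" | tr -d ' '
}

echo "--- newest first ---";    newest_first | head -n 2
echo "--- Nov 4 ---";           day_lines Nov 4
echo "--- banner failures ---"; ident_hits
echo "--- unique IPs ---";      unique_ips
echo "--- counts ---";          ip_counts
echo "report lines: $(write_report)"
```

The whole chain is text in, text out, which is what makes it cheap to extend: adding the count step is one more sort and uniq -c on the same stream, and swapping "identification string" for "Accepted password for root" in ident_hits gives you the successful logins by source instead.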
Fun with DD
We've already done some simple imaging and wiping using dd, let's explore some other uses for this flexible tool. dd is sort of like a little forensic Swiss army knife (talk about overused clichés!). It has lots of applications, limited only by your imagination.
Splitting Files and Images
One function we might find useful would be the ability to split images up into usable chunks, either for archiving or for use in another program. We will first discuss using split on its own, then in conjunction with dd for "on the fly" splitting.

For example, you might have a 10GB image that you want to split into 640MB parts so they can be written to CDR media. Or, if you use forensic software in Windows and need files no larger than 2GB (a limit of some older tools; FAT32 itself allows files up to 4GB less one byte), you might want to split the image into 2GB pieces. For this we use the split command.

split normally works on lines of input (i.e. from a text file). But if we use the -b option, we force split to treat the file as binary input and lines are ignored. We can specify the size of the files we want along with the prefix we want for the output files. In newer versions of split we can also use the -d option to give us numerical numbering (*.01, *.02, *.03, etc.) for the output files as opposed to alphabetical (*.aa, *.ab, *.ac, etc.). The command looks like:

split -d -b XXm <file to be split> <prefix of output files>

where XX is the size of the resulting files. For example, if we have a 6GB image called image.disk1.dd, we can split it into 2GB files using the following command:
root@rock:~# split -d -b 2000m image.disk1.dd image.split.
image.split.03
Or
root@rock:~# cat image.split.0* > image.new
In this case, instead of giving the name of the file to be split in the split command, we give a simple - (after the 2000m). The single dash is a descriptor that means "standard input". In other words, the command is taking its input from the data pipe provided by the standard output of dd instead of from a file.

Once we have the image, the same technique using cat will allow us to reassemble it for hashing or analysis.

For practice, let's take the practical exercise floppy disk we used earlier and try this method on that disk, splitting it into 360k pieces. If you don't have a floppy disk, just use a USB thumb drive and replace /dev/fd0 in the following command with /dev/sdx (where x is your thumb drive). Obtain a hash first, so that we can compare the split files and the original and make sure that the splitting changes nothing:
root@rock:~# sha1sum /dev/fd0
f5ee9cf56f23e5f5773e2a4854360404a62015cf  /dev/fd0

root@rock:~# dd if=practical.floppy.dd | split -d -b 360k - floppy.split.
2880+0 records in
2880+0 records out
(remember, the records are 512 byte blocks, times 2880 = 1.44Mb)
root@rock:~# ls -lh
total 2.9M
-rw-r--r-- 1 root root
-rw-r--r-- 1 root root
-rw-r--r-- 1 root root
-rw-r--r-- 1 root root
Compression on the Fly with DD
Another useful capability while imaging is compression. Considering our concern for forensic application here, we will be sure to manage our compression technique so that we can verify our hashes without having to decompress and write our images out before checking them.

For this exercise, we'll use the GNU gzip application. gzip is a command line utility that allows us some fairly granular control over the compression process.

First, for the sake of familiarity, let's look at the simple use of gzip on a single file and explore some of the options at our disposal. I have created a directory called testcomp and I've copied the image file practical.floppy.dd into that directory to practice on. This gives me an uncluttered place to experiment. First, let's double check the hash of the floppy image:
root@rock:~/testcomp # ls -lh
total 1.5M
-rw-r--r-- 1 root root 1.5M May 22 09:11 practical.floppy.dd
root@rock:~/testcomp # sha1sum practical.floppy.dd
f5ee9cf56f23e5f5773e2a4854360404a62015cf  practical.floppy.dd
So now we see that we have replaced our original 1.5M file with a 632K file that has a .gz extension. To decompress the resulting .gz file:
root@rock:~/testcomp # gzip -d practical.floppy.dd.gz
root@rock:~/testcomp # ls -lh
total 1.5M
-rw-r--r-- 1 root root 1.5M May 22 09:11 practical.floppy.dd
root@rock:~/testcomp # sha1sum practical.floppy.dd
f5ee9cf56f23e5f5773e2a4854360404a62015cf  practical.floppy.dd
In the above output, we see that the first directory listing shows the single image file. We check the hash and then compress using gzip -c which writes to standard output. We redirect that output to a new file (name of our choice). The second listing shows that the original file remains, and the compressed file is created. We then use gzip -cd to decompress the file, redirecting the output to a new file and this time preserving the compressed file.

These are very basic options for the use of gzip. The reason we learn the -c option is to allow us to decompress a file and pipe the output to a hash algorithm. In a more practical sense, this allows us to create a compressed image and check the hash of that image without writing the file twice.
First we see that we have the correct hash. Then we compress the image with a simple gzip command that replaces the original file. Now, all we want to do next is check the hash of our compressed image without having to write out a new image. We do this by using gzip -c (to standard out) -d (decompress), passing the name of our compressed file but piping the output to our hash algorithm (in this case sha1sum). The result shows the correct hash of the output stream, where the output stream is signified by the "-".

Okay, so now that we have a basic grasp of using gzip to compress, decompress, and verify hashes, let's put it to work "on the fly" using dd to create a compressed image. We will then check the compressed image's hash value against an original hash.

Let's continue to use our practical exercise floppy image. First, write the image back to a physical floppy disk (as we did in the original practical exercise). Clear out the testcomp directory so that we have a clean place to write our image to.
/dev/fd0
root@rock:~/testcomp # dd if=/dev/fd0 | gzip -c > floppy.dd.gz
2880+0 records in
2880+0 records out
1474560 bytes (1.5 MB) copied, 0.393626 s, 3.7 MB/s
root@rock:~/testcomp # ls -lh
total 636K
-rw-r--r-- 1 root root 632K May 22 09:58 floppy.dd.gz
root@rock:~/testcomp # gzip -cd floppy.dd.gz | sha1sum
f5ee9cf56f23e5f5773e2a4854360404a62015cf  -
root@rock:~/testcomp # ls -lh
total 636K
-rw-r--r-- 1 root root 632K May 22 09:58 floppy.dd.gz
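The same acquisition, extended so that the hash of the uncompressed stream is taken during the dd | gzip pass itself rather than by reading the floppy a second time. This is an added example, not the guide's session: a constructed file stands in for /dev/fd0, and the tee plus named pipe arrangement is the addition. The verification step at the end is the guide's gzip -cd | sha1sum.

```sh
#!/bin/sh
# Added example, not from the original guide: acquire through gzip exactly as above
# (dd | gzip -c) but hash the uncompressed stream in the SAME pass with tee and a named
# pipe, so the source is read once. Verification afterwards is the guide's
# gzip -cd | sha1sum. A constructed file stands in for /dev/fd0. Assumes gzip, sha1sum,
# tee, mkfifo, dd, cut.
set -e
WORK=$(mktemp -d)
SRC="$WORK/fd0.bin"                 # stand-in for /dev/fd0 (constructed)
GZ="$WORK/floppy.dd.gz"
yes 'forensic practice data ' | head -c 1474560 > "$SRC"

# One read of the source: tee copies every byte into the fifo for sha1sum while gzip
# compresses the same bytes into the image file. Prints the acquisition hash.
acquire_compressed() {
  fifo="$WORK/hash.fifo"
  mkfifo "$fifo"
  sha1sum < "$fifo" | cut -d' ' -f1 > "$WORK/acquire.sha1" &
  dd if="$SRC" bs=512 2>/dev/null | tee "$fifo" | gzip -c > "$GZ"
  wait                              # sha1sum must finish before its result is read
  rm "$fifo"
  cat "$WORK/acquire.sha1"
}

# Later verification without writing the image out: decompress to stdout, hash the stream.
verify_compressed() { gzip -cd "$GZ" | sha1sum | cut -d' ' -f1; }

# Hash of the source itself, what "sha1sum /dev/fd0" would give.
source_hash() { sha1sum "$SRC" | cut -d' ' -f1; }

# Hash of the .gz file. Record it too (it shows the archive file is intact), but it is
# NOT the image hash and will never match the other three.
gz_hash() { sha1sum "$GZ" | cut -d' ' -f1; }

echo "source     : $(source_hash)"
echo "acquired   : $(acquire_compressed)"
echo "verified   : $(verify_compressed)"
echo "gzip file  : $(gz_hash)"
```

Reading a failing disk once instead of twice is the practical reason for hashing inside the pipe; the acquisition hash goes in the log next to the hash of the .gz file, and the gzip -cd | sha1sum check is what you repeat later to show the archive still decompresses to the same bytes.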
Data Carving with DD
In this next example, we will use dd to carve a JPEG image from a chunk of raw data. By itself, this is not a real useful exercise. There are lots of tools out there that will "carve" files from forensic images, including a simple cut and paste from a hex editor. However, the purpose of this exercise is to help you become more familiar with dd. In addition, you will get a chance to use a number of other tools in preparation for the carving. This will help familiarize you further with the Linux toolbox. First you will need to download the raw data chunk from:

http://www.LinuxLEO.com/Files/image_carve.raw

Have a brief look at the file image_carve.raw with your wonderful command line hexdump tool, xxd:
root@rock:~# xxd image_carve.raw | less
0000000: 776a 176b 5fd3 9eae 247f 33b3 efbe 8d6a  wj.k_...$.3....j
0000010: d3a9 daa0 8eef c199 102f 7eaa 0c68 a908  ........./~..h..
0000020: fca4 7e13 dc6b 17a9 e973 35a0 cfc3 9360  ..~..k...s5....`
0000030: f9c0 a6b9 1476 b268 de0f 94fa a2f4 4705  .....v.h......G.
0000040: 452d 7691 eb4f 2fa7 b31f 328b c07a ce3d  E-v..O/...2..z.=
<continues>
It's really just a file full of random characters. Somewhere inside there is a standard JPEG image. Let's go through the steps we need to take to recover the picture file using dd and other Linux tools. We are going to stick with command line tools available in most default installations.

First we need a plan. How would we go about recovering the file? What are the things we need to know to get the image (picture) out, and only the image? Imagine dd as a pair of scissors. We need to know where to put the scissors to start cutting, and we need to know where to stop cutting. Finding the start of the JPEG and the end of the JPEG can tell us this. Once we know where we will start and stop, we can calculate the size of the JPEG. We can then tell dd where to start cutting, and how much to cut. The output file will be our JPEG image. Easy, right? So here's our plan, and the tools we'll use:

1) Find the start of the JPEG (xxd and grep)
2) Find the end of the JPEG (xxd and grep)
3) Calculate the size of the JPEG (in bytes using bc)
4) Cut from the start to the end and output to a file (using dd)
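The four-step plan carried through on a constructed chunk of raw data. This is an added example, not the guide's walkthrough of image_carve.raw: the raw file is built here with a tiny JPEG-shaped blob between two runs of junk, od is used in place of xxd so the script runs on any POSIX system, and shell arithmetic replaces bc. The one thing to take from it beyond the plan itself is that the hex should be searched as a single string: grepping xxd's default output for "ffd8" misses a marker that straddles a two-byte column or a sixteen-byte line.

```sh
#!/bin/sh
# Added example, not from the original guide: the four steps above carried out on a
# constructed chunk of raw data. od replaces xxd so it runs on any POSIX system, and the
# hex is searched as ONE string: grepping xxd's column output for "ffd8" misses a marker
# that straddles a 2-byte group or a 16-byte line. Assumes od, awk, dd, tr, tail.
# JPEG facts used: a file starts with the SOI marker ff d8 ff and ends with EOI ff d9.
set -e
WORK=$(mktemp -d)
RAW="$WORK/image_carve.raw"

# Constructed raw chunk: junk, a tiny JPEG-shaped blob (SOI, APP0/"JFIF", payload, EOI),
# more junk. Octal escapes keep printf portable; the junk contains no ff bytes.
{
  printf 'junk before the picture \001\002\003'
  printf '\377\330\377\340\000\020JFIF\000\001\001\000\000\001\000\001\000\000'
  printf 'picture payload goes here'
  printf '\377\331'
  printf 'junk after the picture'
} > "$RAW"

# The whole file as one lowercase hex string, two characters per byte.
hexstream() { od -An -v -tx1 "$RAW" | tr -d ' \n'; }

# Step 1: byte offset of the first SOI. awk index() is 1-based on the hex string, so a
# marker on a byte boundary sits at an odd position and byte offset = (pos - 1) / 2.
# An even position is the tail of one byte plus the head of the next: skip it.
find_start() {
  hexstream | awk '{
    s = $0; base = 0
    while ((p = index(s, "ffd8ff")) > 0) {
      if ((base + p) % 2 == 1) { print (base + p - 1) / 2; exit }
      s = substr(s, p + 1); base += p
    }
    exit 1
  }'
}

# Step 2: byte offset just past the first aligned EOI found after byte offset $1.
find_end() {
  hexstream | awk -v from="$1" '{
    s = substr($0, 2 * from + 1); base = 2 * from
    while ((p = index(s, "ffd9")) > 0) {
      if ((base + p) % 2 == 1) { print (base + p - 1) / 2 + 2; exit }
      s = substr(s, p + 1); base += p
    }
    exit 1
  }'
}

# Steps 3 and 4: size = end - start (shell arithmetic here; the guide uses bc), then cut.
# bs=1 is slow on a big image but lets skip= and count= be plain byte values.
carve() {
  start=$(find_start); end=$(find_end "$start"); size=$((end - start))
  dd if="$RAW" of="$WORK/carved.jpg" bs=1 skip="$start" count="$size" 2>/dev/null
  echo "$start $end $size"
}

# Check the result the way you would before opening it: first three and last two bytes.
carved_markers() {
  dd if="$WORK/carved.jpg" bs=1 count=3 2>/dev/null | od -An -tx1 | tr -d ' \n'
  printf ' '
  tail -c 2 "$WORK/carved.jpg" | od -An -tx1 | tr -d ' \n'
}

echo "start end size: $(carve)"
echo "markers       : $(carved_markers)"
```

On a real file the first ff d9 after the start is not always the true end (an embedded thumbnail has its own EOI), so if the carved picture is truncated, run the end search again from just past the first hit.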
xv from a command line (while in an X session) will display the graphic image in its own window.
Carving Partitions with DD
Now we can try another useful exercise in carving with dd. Often, you will obtain or be given a dd image of a full disk. At times you might find it desirable to have each separate partition within the disk available to search or mount. Remember, you cannot simply mount an entire disk image, only the partitions.

There are commercial solutions to mounting partitions within an entire image, like SMART for Linux forensic software. Recent advances in forensic tools like The Sleuthkit have made the ability to carve partitions from an image less important than it once was. For the beginning Linux forensics student, I would still consider this an important skill, however. Plus, it's just good practice for a number of Linux commands. We introduce this technique here not to teach it for practical use, but to provide another practical exercise using a number of important command line tools.

The method we will use in this exercise entails identifying the partitions within a dd image with fdisk or sfdisk. We will then use dd to carve the partitions out of the image.

First, let's grab the practice disk image that we will be working on. This is a dd image of a 330MB disk from a Linux system that was compromised.

http://www.LinuxLEO.com/Files/able2.tar.gz

The tar archive contains the disk image, the MD5 digest values, and the imaging log file with information collected during the imaging process.

Create a directory called able2 in your /root directory. This will be the working directory for the following exercise. Again, the vast majority of steps taken in preparation for, and execution of, a forensic analysis require root access to commands and devices. Once you have downloaded the file into that able2 directory, change to that directory and check the md5sum (10) (it should match the output below):
root@rock:~/able2 # md5sum able2.tar.gz 7863920262cad3b30333192fd50965b8 able2.tar.gz
The file name is derived from the original host name of the machine that was compromised. Very often we name our cases and evidence with the
(10) Yes, we are using md5sum here but we used sha1sum earlier... Consistency is overrated! ;)
10 2003 able2.dd
11 2003 able2.log
31 13:18 able2.tar.gz
10 2003 md5.dd
10 2003 md5.hdd
Okay, now we have our image, and we have verified that it is an accurate copy. We now want to know a little bit about the contents of the image and what it represents. During the evidence acquisition process, it is essential that information about the disk be recorded. Standard operating procedures should include collection of disk and system information, and not just the dd image itself.

The file able2.log was created from the output of various commands used during the evidence collection process. The log includes information about the investigator that gathered the evidence, information about the system, and the output of commands including hdparm, fdisk, sfdisk and hashing functions. We create the log file by appending (>>) the output of the commands, in sequence, to the log:

command >> logfile.txt

Look at the log file, able2.log, using less and scroll down to the section that shows the structure of the disk (the output of fdisk -l /dev/hdd and sfdisk -l -uS /dev/hdd):
root@rock:~/able2 # less able2.log
<scrolled output>
#################################################################
fdisk output for SUBJECT disk:

Disk /dev/hdd: 345 MB, 345830400 bytes
15 heads, 57 sectors/track, 790 cylinders
Units = cylinders of 855 * 512 = 437760 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/hdd1             1        12      5101+  83  Linux
/dev/hdd2            13       132     51300   83  Linux
/dev/hdd3           133       209     32917+  82  Linux swap
/dev/hdd4           210       790    248377+  83  Linux
#################################################################
sfdisk output for SUBJECT disk:

Disk /dev/hdd: 790 cylinders, 15 heads, 57 sectors/track
Units = sectors of 512 bytes, counting from 0

   Device Boot    Start       End   #sectors  Id  System
/dev/hdd1            57     10259     10203   83  Linux
/dev/hdd2         10260    112859    102600   83  Linux
/dev/hdd3        112860    178694     65835   82  Linux swap
/dev/hdd4        178695    675449    496755   83  Linux
#################################################################
The output shown above is directly from the victim hard drive (the machine able2), recorded prior to obtaining the dd image. It shows that there are 4 partitions on the drive. The data partitions are hdd1, hdd2 and hdd4. The hdd3 partition is actually a swap partition (for virtual memory). Remember that the designation hdd indicates that the victim hard drive was attached to our forensic workstation as the slave drive on the secondary IDE controller during the imaging process, NOT how it was attached in the original machine.

The command sfdisk -l -uS /dev/hdd gave us the second listing above and shows the partition sizes in units of sectors (-uS). The output also gives us the start of the partition. Notice that the first partition starts at sector 57, not 63: this disk reports 57 sectors per track, so the loop mount offset discussed earlier would be 57 * 512 = 29184 bytes here. For our partition carving exercise (as with the raw data carving), all we need is the starting offset, and the size.

Let's go ahead and dd out each partition. If you have the output of sfdisk -l -uS /dev/hdx, the job is easy.
root@rock:~/able2 # dd if=able2.dd of=able2.part1.dd bs=512 skip=57 count=10203
10203+0 records in
10203+0 records out
root@rock:~/able2 # dd if=able2.dd of=able2.part2.dd bs=512 skip=10260 count=102600
102600+0 records in
102600+0 records out
root@rock:~/able2 # dd if=able2.dd of=able2.part3.dd bs=512 skip=112860 count=65835
65835+0 records in
65835+0 records out
root@rock:~/able2 # dd if=able2.dd of=able2.part4.dd bs=512 skip=178695 count=496755
496755+0 records in
496755+0 records out
Examine these commands closely. The input file (if=able2.dd) is the full disk image. The output files (of=able2.part#.dd) will contain each of the partitions. The block size that we are using is the sector size (bs=512), which matches the output of the sfdisk command. Each dd section needs to start where each partition begins (skip=X), and cut as far as the partition goes (count=Y). We also obtained partition number three, the swap partition. This can also be searched with grep and strings (or carving utilities) for evidence.

This will leave you with four able2.part*.dd files in your current directory that can now be loop mounted.

What if you have a dd image of the full disk, but no log file or access to the original disk, and therefore no info from sfdisk or fdisk? We can run the sfdisk or fdisk commands directly on the image if we like. Remember that the original disk that the image was obtained from was seen as a simple file (/dev/hdx) and the image we obtain using dd is also simply a file. So why would
BarryJ.Grundy
97
v.3.78TheLawEnforcementandForensicExaminer'sIntroductiontoLinux
toolslikefdisktreatthemanydifferently.Thehashesmatch,sotheyare essentiallythesamefile:
root@rock:~/able2 # sfdisk -l -uS able2.dd
Disk able2.dd: cannot get geometry
...<error messages>
Units = sectors of 512 bytes, counting from 0

   Device Boot    Start       End   #sectors  Id  System
able2.dd1            57     10259      10203  83  Linux
able2.dd2         10260    112859     102600  83  Linux
able2.dd3        112860    178694      65835  82  Linux swap / Solaris
able2.dd4        178695    675449     496755  83  Linux
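The carving above can be scripted rather than typed out by hand. The following shell script is an added example, not part of the original guide and not part of sfdisk: it reads a saved sfdisk -l -uS listing, generates one dd command per partition (skip = Start, count = #sectors, bs=512, skipping empty table slots and coping with the bootable "*" column), and runs them. The image and listing it builds are constructed so that it can be run anywhere; the file and function names are my own choice.

```shell
#!/bin/sh
# Added example (not from the guide): turn an "sfdisk -l -uS" listing into the
# dd skip/count commands that carve each partition out of a raw image, then
# run them. The sample image and listing below are constructed.

# Print one dd command per partition line of an sfdisk -l -uS listing.
# $1 = raw image file, $2 = file holding the saved sfdisk listing.
# Output files are named <image-without-.dd>.partN.dd, as in the able2 case.
carve_commands() {
    img=$1
    base=${img%.dd}
    awk -v img="$img" -v base="$base" '
        # Partition lines start with a device name ending in the partition
        # number (able2.dd1, /dev/hdd2, ...); header and error lines do not.
        $1 ~ /[0-9]+$/ && NF >= 5 {
            if ($2 == "*") { start = $3; size = $5 }   # bootable flag present
            else           { start = $2; size = $4 }
            if (size == 0) next                        # unused table slot
            n = $1; sub(/.*[^0-9]/, "", n)             # trailing partition number
            printf "dd if=%s of=%s.part%s.dd bs=512 skip=%s count=%s\n",
                   img, base, n, start, size
        }' "$2"
}

# Execute the generated dd commands (dd's record counts go to stderr).
carve_partitions() {
    carve_commands "$1" "$2" | sh 2>/dev/null
}

# Byte size of a file, for checking the carved output against #sectors * 512.
size_of() { wc -c < "$1" | tr -d ' '; }

# Constructed 8-sector image plus a listing in the sfdisk -l -uS layout:
# partition 1 = sectors 1-4, partition 2 (bootable) = sectors 5-7, slot 3 empty.
make_sample() {
    dir=$1
    dd if=/dev/zero of="$dir/sample.dd" bs=512 count=8 2>/dev/null
    cat > "$dir/sfdisk.txt" <<'EOF'
Disk sample.dd: cannot get geometry
Units = sectors of 512 bytes, counting from 0

   Device Boot    Start       End   #sectors  Id  System
sample.dd1            1         4          4  83  Linux
sample.dd2   *        5         7          3  82  Linux swap / Solaris
sample.dd3            0         -          0   0  Empty
EOF
}

# Demo run on the constructed sample: show the commands, run them, list results.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
carve_commands "$demo_dir/sample.dd" "$demo_dir/sfdisk.txt"
carve_partitions "$demo_dir/sample.dd" "$demo_dir/sfdisk.txt"
ls -l "$demo_dir"/sample.part*.dd
```

To reproduce the able2 carving, save the listing first (sfdisk -l -uS /dev/hdx > able2.sfdisk.txt, or run sfdisk against the image as above) and point carve_partitions at the image and that file. Hash each carved file afterwards and record the hashes with the listing; a partition whose carved size is not #sectors * 512 means the listing and the image do not belong together.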
Determining the Subject Disk File System Structure
Going back to our able2 case dd images, we now have the original image along with the partition images that we carved out.

able2.dd        (original image)
able2.part1.dd  (1st partition)
able2.part2.dd  (2nd partition)
able2.part3.dd  (3rd partition)
able2.part4.dd  (4th partition)
The next trick is to mount the partitions in such a way that we reconstruct the original file system. This generally pertains to subject disks that were imaged from Unix hosts.

One of the benefits of Linux/Unix systems is the ability to separate the file system across partitions. This can be done for any number of reasons, allowing for flexibility where there are concerns about disk space or security, etc. For example, a System Administrator may decide to keep the directory /var/log on its own separate partition. This might be done in an attempt to prevent rampant log files from filling the root (/, not /root) partition and bringing the system down. It is common to see /boot in its own partition as well. This allows the kernel image to be placed near the front (in terms of cylinders) of a hard drive, an issue in older versions of the Linux boot loader LILO. There are also a variety of security implications addressed by this setup (a separate partition can be mounted with its own options, such as nosuid or noexec).

So when you have a disk with multiple partitions, how do you find out the structure of the file system? Earlier in this paper we discussed the /etc/fstab file. This file maintains the mounting information for each file system, including the physical partition, mount point, file system type, and options. Once we find this file, reconstructing the system is easy. With experience, you will start to get a feel for how partitions are set up, and where to look for the fstab. To make things simple here, just mount each partition (loopback, read only) and have a look around.

One thing we might like to know is what sort of file system is on each partition before we try and mount them. We can use the file command to do this[11]. Remember from our earlier exercise that the file command determines the type of file by looking for header information.
root@rock:~/able2 # file able2.part*
able2.part1.dd: Linux rev 1.0 ext2 filesystem data (mounted or unclean)
able2.part2.dd: Linux rev 1.0 ext2 filesystem data (mounted or unclean)
able2.part3.dd: Linux/i386 swap file (new style) 1 (4K pages) size 8228 pages
able2.part4.dd: Linux rev 1.0 ext2 filesystem data (mounted or unclean)
The /etc/fstab found on the root partition shows that the logical file system was constructed from three separate partitions (note that /dev/hda here refers to the disk as it was mounted in the original system):

/ (root)   mounted from /dev/hda2   (data on hda2)
|_ bin/                             (data on hda2)
|_ boot/   mounted from /dev/hda1   (data on hda1)
|_ dev/                             (data on hda2)
|_ etc/                             (data on hda2)
|_ home/                            (data on hda2)
|_ lib/                             (data on hda2)
|_ opt/                             (data on hda2)
|_ proc/                            (data on hda2)
|_ usr/    mounted from /dev/hda4   (data on hda4)
|_ root/                            (data on hda2)
|_ sbin/                            (data on hda2)
|_ tmp/                             (data on hda2)
|_ var/                             (data on hda2)

Now we can create the original file system at our analysis mount point. The mount point /mnt/analysis already exists. When you mount the root partition of able2.dd (able2.part2.dd, carved from hda2) on /mnt/analysis, you will note that the directories /mnt/analysis/boot and /mnt/analysis/usr are empty. That is because we have to mount those partitions to access the contents of those directories.
root@rock:~/able2 # mount -t ext2 -o ro,loop able2.part2.dd /mnt/analysis/
root@rock:~/able2 # mount -t ext2 -o ro,loop able2.part1.dd /mnt/analysis/boot
root@rock:~/able2 # mount -t ext2 -o ro,loop able2.part4.dd /mnt/analysis/usr
We now have the recreated original file system under /mnt/analysis:

/ (root)   mounted on /mnt/analysis
|_ bin/
|_ boot/   mounted on /mnt/analysis/boot
|_ dev/
|_ etc/
|_ home/
|_ lib/
|_ opt/
|_ proc/
|_ usr/    mounted on /mnt/analysis/usr
|_ root/
|_ sbin/
|_ tmp/ ...
At this point we can run all of our searches and commands just as we did for the previous floppy disk exercise on a complete file system rooted at /mnt/analysis.

As always, you should know what you are doing when you mount a complete file system on your forensic workstation. Be aware of options to the mount command that you might want to use (check man mount for options like nodev, nosuid, noexec and noatime). Take note of where links point to from the subject file system: an absolute symbolic link inside the subject file system resolves against your workstation's own root, not against /mnt/analysis, so following it can take you (or a tool you run) out of the evidence and into your own system. Note that we have mounted the partitions read only (ro). Remember to unmount each partition when you are finished exploring.
DD Over the Wire
There may be occasions where you want or need to acquire an image of a computer using a boot disk and network connectivity. Most often, this approach is used with a Linux boot disk on the subject machine (the machine you are going to image). Another computer, the imaging collection platform, is connected either via a network hub or switch, or through a crossover cable. There are a variety of configurations possible. These sorts of acquisitions can even take place across the country or anywhere around the world. The reasons and applications of this approach are outside of the scope of this paper, so we will concentrate on the mechanics and the very basic commands required.

First, let's clarify some terminology for the purpose of our discussion here. In this instance, the computer we want to image will be referred to as the subject computer. The computer to which we are writing the image will be referred to as the collection box.

In order to accomplish imaging across the network, we will need to set up our collection box to listen for data from our subject box. We do this using netcat, the nc command. The basic setup is as follows.
The first step is to open a listening port on the collection computer. We will do this on our forensic system with nc:
root@rock: ~ # nc -l -p 2525 | dd of=/mnt/evid/net_image.dd
X. Advanced Forensic Tools
So now you have some experience with using the Linux command line and the powerful tools that are provided with a Linux installation.

However, as forensic examiners, we soon come to find out that time is a valuable commodity. While learning to use the command line tools native to a Linux install is useful for a myriad of tasks in the real world, it can also be tedious. After all, there are Windows based tools out there that allow you to do much of what we have discussed here in a simple point and click GUI. Well, the same can be said for Linux.

The popularity of Linux is growing at a fantastic rate. Not only do we see it in an enterprise environment and in big media, but we are also starting to see its widening use in the field of computer forensics. In recent years we've seen the list of available forensic tools for Linux grow with the rest of the industry.

In this section we will cover a number of forensic tools available to make your analysis easier and more efficient. We will cover both free tools and commercial tools. We will start with some alternative imaging tools, specially designed to work with forensic acquisitions in mind.

AUTHOR'S NOTE: Inclusion of tools and packages in this section in no way constitutes an endorsement of those tools. Please test them yourself to ensure that they meet your needs. The tools here were chosen because it was suggested by a large number of readers of the original Introduction document that I provide information on forensic packages for Linux.

Since this is a Linux document, I am covering available Linux tools. This does not mean that the common tools available for other platforms cannot be used to accomplish many of the same results. On a personal note, I do maintain that analysis of a Unix system is best accomplished with a Unix (like) toolset.

One more note: please keep in mind, as you work through these exercises, that this document is NOT meant to be an education in file system analysis. As you work through the exercises you will come across terms like inode, MFT entry, allocation status, partition tables and direct and indirect blocks, etc. These exercises are about using the tools, and are not meant to instruct you on basic forensic knowledge, Linux file systems or any other file systems. This is all about the tools.
If you need to learn file system structure as it relates to computer forensics, please read Brian Carrier's book: File System Forensic Analysis (published by Addison Wesley, 2005). This is not the last time I will suggest this.

To get a quick overview of some file systems, you can do a quick Internet search. There is a ton of information readily available if you need a primer. Here are some simple links to get you started[13]. If you have questions on any of these file systems, or how they work, I would suggest some light reading before diving into these exercises.

NTFS:
http://www.ntfs.com
http://en.wikipedia.org/wiki/NTFS

EXT2/3:
http://e2fsprogs.sourceforge.net/ext2intro.html
http://en.wikipedia.org/wiki/Ext3

FAT:
http://en.wikipedia.org/wiki/File_allocation_table

[13] The author does not vouch for any of these sources. They are provided for your information only.
Alternative Imaging Tools
Standard Linux dd is a fine imaging tool. It is robust, well tested, and has a proven track record. We've already demonstrated some of its capabilities beyond what many consider normal forensic imaging functions.

As good as dd is as an imaging tool, it has one simple, perceived flaw: it was never actually designed to be used for forensic acquisitions. It is very capable, but some practitioners prefer full featured imaging tools that do not require external programs to accomplish logging, hashing, and documentation of imaging errors. Additionally, dd is not the best solution for obtaining evidence from damaged or failing media.

There are a number of forensic specific tools out there for Linux users that wish to acquire evidence. Some of these tools include:
dc3dd - enhanced dd program for forensic use (based on dd code).
dcfldd - enhanced dd program for forensic use (fork of dd code).
aimage - forensic imaging tool provided primarily to create images in the Advanced Forensic Format (AFF). Future versions of this guide will likely cover aimage and afflib in more detail.
ewfacquire - provided as part of the libewf project, this tool is used to acquire Expert Witness Format (EWF) images. We will cover it in some detail later.
AIR - Automated Image and Restore, a GUI front end to both dd and dcfldd.
GNU ddrescue - an imaging tool specifically designed to recover data from media exhibiting errors (not to be confused with dd_rescue).
This is not an exhaustive list. These, however, are the most commonly used (as far as I know). We will cover the first in the list (dc3dd) and the last in the list (ddrescue) in this document. Later on, in the section on Advanced Tools, we will cover ewfacquire, installed as part of the libewf package.

dc3dd

The first tool we will cover is dc3dd. This is a newer imaging tool based on original (patched) code from dd. It is very similar to the popular dcfldd but provides a slightly different feature set. My choice of whether to cover either dcfldd or dc3dd is largely arbitrary. One of the reasons I decided to cover dc3dd here is its relationship to recent dd code updates, including direct I/O capabilities. dc3dd is maintained by the DoD (Department of Defense) Cyber Crime Center (otherwise known as DC3)[14]. Regardless of which (dc3dd or dcfldd) you prefer, familiarity with one of these tools will translate very nicely to the other with some reading and experimentation, as they are very similar. While there are significant differences, many of the features we discuss in this section are common to both dc3dd and dcfldd.

The source package and more information for dc3dd can be found at http://dc3dd.sourceforge.net. That page also provides a good summary of the capabilities of dc3dd and its overall intent.

Installation of dc3dd follows the same routine as most source packages available in Linux. These packages are commonly called "tarballs" and end with the .tar.gz or .tar.bz2 extensions, depending on the method of compression. In general, once the tarball has been extracted, the common commands to compile and install the package are simply (from the extracted directory):

./configure
make
make install

So, once we have the package downloaded, we can extract the tarball in the same way we extracted any of the other .tar.gz files we worked with:
root@rock:~# tar xzvf dc3dd-6.9.91.tar.gz
dc3dd-6.9.91/
dc3dd-6.9.91/.prev-version
dc3dd-6.9.91/.version
dc3dd-6.9.91/.vg-suppressions
dc3dd-6.9.91/.x-po-check
dc3dd-6.9.91/.x-sc_file_system
dc3dd-6.9.91/.x-sc_GPL_version
dc3dd-6.9.91/.x-sc_obsolete_symbols
dc3dd-6.9.91/.x-sc_prohibit_atoi_atof
<continues>
[14] DCFLdd is also named for a DoD entity, the Defense Computer Forensics Lab.
root@rock:~# cd dc3dd-6.9.91/
root@rock:~/dc3dd-6.9.91# ./configure
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
configure: autobuild project... dc3dd
configure: autobuild revision... 6.9.91
configure: autobuild hostname... rockriver
configure: autobuild timestamp... 20080807-202619
checking for a BSD-compatible install... /usr/bin/ginstall -c
checking whether build environment is sane...
<continues>
Assuming no errors, we type make and watch the compiler go to work.
root@rock:~/dc3dd-6.9.91# make
Making all in lib
make[1]: Entering directory `/root/Tools/dc3dd-6.9.91/lib'
{ echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */'; \
  cat ./alloca.in.h; \
} > alloca.h-t
mv -f alloca.h-t alloca.h
rm -f configmake.h-t configmake.h
{ echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */'; \
<continues>
So, you can either run dc3dd with the --help option, or you can copy the man page file to the correct location[15]:
root@rock:~/dc3dd-6.9.91# cp man/dc3dd.1 /usr/local/man/man1/
root@rock:~/dc3dd-6.9.91# man dc3dd
DD(1)                          User Commands                          DD(1)

NAME
OR simply:
root@rock:~/dc3dd-6.9.91# dc3dd --help
Usage: dc3dd [OPERAND]...
  or:  dc3dd OPTION
Copy a file, converting and formatting according to the operands.

  bs=BYTES        force ibs=BYTES and obs=BYTES
  cbs=BYTES       convert BYTES bytes at a time
<continues>
[15] Or adjust $MANPATH, etc.
More than just incorporating the other steps into a single command, dc3dd extends the functionality. For example, using a regular split command with dd as we did in a previous exercise, we can either allow the default alphabetic naming convention of split, or pass the -d option to provide us with decimal extensions on our files. In contrast, dc3dd allows us not only to define the size of each split as an option to the imaging command without need for a piped command, but it also allows more granular control over the format of the extension each split will have as part of its filename. So, to split a 6GB disk into 2GB images, I would simply pass:

split=2G

The extension following the output file name can be formatted with the splitformat option. This option allows us to specify alphabetical or numerical extensions from 1 to 4 characters in length. Numerical extensions can either begin from 1 or from 0. The number of characters passed with the option defines the length of the extension. The following table provides some examples:

Option              Resulting extensions
splitformat=aa      *.aa, *.ab, *.ac, ...        (two alphabetic chars)
splitformat=aaaa    *.aaaa, *.aaab, *.aaac, ...  (four alphabetic chars)
splitformat=000     *.000, *.001, *.002, ...     (three numeric chars, starts with 000)
splitformat=111     *.001, *.002, *.003, ...     (three numeric chars, starts with 001)
dc3dd also provides a hash window function. The hashwindow= option initiates piecewise hashing of the output, so you get a calculated hash over each specified number of bytes, which is then logged. This allows for a more granular view of the data integrity, should errors be encountered. The smaller the hash window, the better granular view you have of the data.

So, to specify a hash window of 16MB using both SHA1 and MD5, you would use the options:

hash=md5,sha1 hashwindow=16M

Both the hash window values and the hash of the total image will be recorded either to standard out (the terminal) or to a log file if one is specified. You can specify separate logs for error messages and hash values, or have both of them written to a single file. The options for logging are:

hashlog=file    hashes are written to this log file.
errlog=file     error messages are written to this file.
log=file        both hashes and error messages are consolidated in a single log file.
The acquisition command, assembled from the options listed below, was:

root@rock:~# dc3dd if=/dev/sda of=image.dc3dd progress=on hashwindow=32M hash=md5 split=64M splitformat=000 log=image.log.txt

The options used are:

if=/dev/sda         input file is /dev/sda
of=image.dc3dd      image is written to image.dc3dd (arbitrary extension)
progress=on         shows imaging progress as described above
hashwindow=32M      calculates a hash of the data every 32 megabytes
hash=md5            the hash algorithm(s) to be used for each hash window and for the total image
split=64M           the image is split into 64 megabyte chunks
splitformat=000     the extensions on each image split will be three numerical characters, starting from 000
log=image.log.txt   both the calculated hash values and any error messages will be logged to the file image.log.txt

The resulting output gives us 4 split image files with numerical extensions starting at 000 (the device is 248 MB, so 64 MB splits yield four pieces). We also have a log file of our hashes and any error messages, which we can view with less or cat:

root@rock:~# cat image.log.txt
md5 0- 33554432: 3ef3e1146490631d10399be537b548ae
md5 33554432- 67108864: 84fb1bb69b5b8a9dfd2c0f61b9ebb72d
md5 67108864- 100663296: 9b025ba1d8e7a96eb666d5252bfd53cb
md5 100663296- 134217728: cac15f6afd76e0f9fd6c6cea93444f01
md5 134217728- 167772160: 26b9b1a732e0cf07591578392371e353
md5 167772160- 201326592: dde2fa565d6ea1a26a73466e0909f7ee
md5 201326592- 234881024: 58f06dd588d8ffb3beb46ada6309436b
md5 234881024- 259522560: a3e41cf8b32332ff504775ba44f49f3a
md5 TOTAL: c90ee2dfd36eae3aafd5fac9b8d2eb70
506880+0 records in
506880+0 records out
259522560 bytes (248 M) copied, 109.425 s, 2.3 M/s
As previously discussed, the log file contains our hashes and our error messages. Each line in the log starts with the hash algorithm and the hash window data range (start and end byte offsets), followed by the calculated hash. The last hash line (or lines, if multiple algorithms are specified) gives the hash over the total image, which can be compared to a hash of the source device, for example, to authenticate an acquisition.

The log file ends with the standard dd output which shows the number of records read and written. Even though it is not really an error message, this information is normally written to stderr (standard error output), hence its inclusion in an error log. The records are in units of the block size. Since we did not specify an explicit block size, dd's default of 512 bytes is used (506880 records of 512 bytes is exactly the 259522560 bytes copied).
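The hash window log above can be reproduced, or re-verified later, with nothing more than dd and md5sum. The script below is an added example (it is not dc3dd's code and not from the original guide): hashwindow_log walks an image in fixed-size windows, hashes each one with md5sum and prints lines in the same md5 <start>- <end>: <hash> layout as the dc3dd log, ending with the TOTAL line; check_hashwindow_log regenerates that log and compares it with a saved one, and changed_windows names the windows that no longer match, so a changed byte anywhere in the image is reported against the window it falls in. The 3000-byte sample image is constructed; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the guide, not dc3dd code): emulate dc3dd's
# hashwindow=N logging with dd + md5sum, and re-verify a saved log.

# Print "md5 <start>- <end>: <hash>" for every window of $2 bytes in $1,
# then "md5 TOTAL: <hash>" over the whole file (dc3dd's log layout).
hashwindow_log() {
    image=$1 window=$2
    size=$(wc -c < "$image" | tr -d ' ')
    i=0
    while [ $((i * window)) -lt "$size" ]; do
        start=$((i * window))
        end=$((start + window))
        if [ "$end" -gt "$size" ]; then end=$size; fi     # short final window
        # bs=window skip=i count=1 reads exactly this window from the file
        h=$(dd if="$image" bs="$window" skip="$i" count=1 2>/dev/null \
            | md5sum | cut -d' ' -f1)
        printf 'md5 %s- %s: %s\n' "$start" "$end" "$h"
        i=$((i + 1))
    done
    printf 'md5 TOTAL: %s\n' "$(md5sum < "$image" | cut -d' ' -f1)"
}

# Regenerate the log for image $1 with window $2 and compare it with the
# saved log $3. Exit status 0 when every window and the total still match.
check_hashwindow_log() {
    hashwindow_log "$1" "$2" | cmp -s - "$3"
}

# List the "md5 <start>- <end>" (or "md5 TOTAL") labels whose hash differs
# between the saved log $3 and the image as it is now.
changed_windows() {
    hashwindow_log "$1" "$2" | diff "$3" - | grep '^>' | cut -d: -f1 | sed 's/^> //'
}

# Constructed 3000-byte sample image: the string ABCDEFGHIJ repeated 300 times.
make_sample_image() {
    i=0
    while [ "$i" -lt 300 ]; do printf 'ABCDEFGHIJ'; i=$((i + 1)); done > "$1"
}

# Demo: log with 1024-byte windows, verify, then damage the image and re-check.
demo=$(mktemp -d)
make_sample_image "$demo/img.dd"
hashwindow_log "$demo/img.dd" 1024 | tee "$demo/img.log.txt"
check_hashwindow_log "$demo/img.dd" 1024 "$demo/img.log.txt" && echo "log verifies"
printf 'X' >> "$demo/img.dd"                      # simulate a changed image
changed_windows "$demo/img.dd" 1024 "$demo/img.log.txt"
```

Against a real dc3dd acquisition, run hashwindow_log on the image with the same hashwindow value you gave dc3dd (32M here is 33554432 bytes) and compare with the hash lines of image.log.txt; a split image set has to be concatenated first (cat image.dc3dd.000 image.dc3dd.001 ... > image.dd), because the windows are measured over the whole output, not per split file.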
One final note on dc3dd: like regular dd, you can pass the option conv=noerror,sync to the command. This would allow our acquisition to read past any non-fatal disk errors and sync the output so that the resulting image might still be usable (unreadable blocks are padded with zeros, so every later byte stays at its original offset). While many practitioners suggest this option as a default for running dd related commands, I strongly urge against it. Some of the reasons for this will become more apparent in the following section on ddrescue. The bottom line is that if you need to use conv=noerror,sync then you are using the wrong tool.

Which brings us to ddrescue.

ddrescue

The real reason I decided to add a section to this document on alternative imaging tools was so that I could introduce ddrescue. Recent testing has shown that standard dd based tools are simply inadequate for acquiring disks that have a propensity for errors. This is NOT to say tools like dd, dc3dd or dcfldd are useless, far from it. They are just not optimal for error recovery.

This section is not meant to provide an education on disk errors, media failure, or types of failure. Nor is it meant to imply that any tool is better or worse than any other. I will simply describe the basic functionality and leave it to the reader to pursue the details.

First, let's start with some of the issues that arise with the use of common dd based tools. For the most part, these tools take a linear approach to imaging, meaning that they start at the beginning of the input file and read block by block until the end of the file is reached. When an error is encountered, the tool will either fail with an input/output error, or if a parameter such as conv=noerror is passed it will ignore the errors and attempt to read through them, continuing to read block by block until it comes across readable data again.
Obviously, simple failure (giving up when errors are encountered) is not good, as it means that any data in readable areas beyond the errors will be missed. The problem with ignoring the errors and attempting to read through them (conv=noerror) is that we are further stressing a disk that is already possibly on the verge of complete failure. The fact of the matter is that you may only get one chance at reading a disk that is exhibiting bad sectors. If there is an actual physical defect, the simple act of reading the bad areas may make matters worse, leading to disk failure before other viable areas of the disk are collected.
So, when we pass conv=noerror to an imaging command, we are actually asking our imaging tools to grind through the bad areas. Why not initially skip over the bad sections altogether, since in many cases recovery may be unlikely, and concentrate on recovering data from areas of the disk that are good? Once the good data is acquired, we can go back and attempt to collect data from the error areas.

In a nutshell, that is the philosophy behind ddrescue. Used properly, ddrescue will read the healthy portions of a disk first, and then fall back to "recovery mode", trying to read data from bad sectors. It does this through the use of some very robust logging, which allows it to resume any imaging job at any point, given a log file to work from.

Before we go any farther with a description, let's download and install ddrescue and have a look at its options.

You can obtain ddrescue from:
http://www.gnu.org/software/ddrescue/ddrescue.html

Once the file is downloaded, we go through the same set of build and install commands we used for our previous tarball software archive. In this case, the file we obtain from the above site is a .tar.bz2 archive rather than a .tar.gz archive. This simply means that the compression is bzip2 rather than gzip. As a result, we use the j option with tar rather than the z option:
root@rock:~# tar xjvf ddrescue-1.8.tar.bz2
ddrescue-1.8/AUTHORS
ddrescue-1.8/COPYING
ddrescue-1.8/ChangeLog
ddrescue-1.8/INSTALL
ddrescue-1.8/Makefile.in
ddrescue-1.8/NEWS
<continues>
root@rock:~# cd ddrescue-1.8
root@rock:~/ddrescue-1.8# ./configure
creating config.status
creating Makefile
VPATH = .
...
CXXFLAGS = -Wall -W -O2
LDFLAGS =
OK. Now you can run make.
<continues>
root@rock:~/ddrescue-1.8# make
g++ -Wall -W -O2 -c -o arg_parser.o arg_parser.cc
g++ -Wall -W -O2 -c -o block.o block.cc
g++ -Wall -W -O2 -c -o ddrescue.o ddrescue.cc
g++ -Wall -W -O2 -c -o fillbook.o fillbook.cc
g++ -Wall -W -O2 -c -o logbook.o logbook.cc
g++ -Wall -W -O2 -c -o rescuebook.o rescuebook.cc
g++ -Wall -W -O2 -DPROGVERSION=\"1.8\" -c -o main.o main.cc
g++ -o ddrescue arg_parser.o block.o ddrescue.o fillbook.o logbook.o rescuebook.o main.o
root@rock:~/ddrescue-1.8# make install
if test ! -d /usr/local/share/info ; then install -d /usr/local/share/info ; fi
install -p -m 644 ./doc/ddrescue.info /usr/local/share/info/ddrescue.info
install-info /usr/local/share/info/ddrescue.info /usr/local/share/info/dir
if test ! -d /usr/local/bin ; then install -d /usr/local/bin ; fi
install -p -m 755 ./ddrescue /usr/local/bin/ddrescue
The documentation for ddrescue is excellent. The detailed manual is in an info page. The command info ddrescue will give you a great start understanding how this program works, including examples and the ideas behind the algorithm used. I'll run through the process here, providing a forensic perspective.

The first consideration when using any recovery software is that the disk must be accessible by the Linux kernel. If the drive does not show up in the /dev structure, then there's no way to get tools like ddrescue to work.

Next, we have to have a plan to recover as much data as we can from a bad drive. The prevailing philosophy of ddrescue is that we should attempt to get all the good data first. This differs from normal dd based tools, which simply attempt to get all the data at one time in a linear fashion. ddrescue uses the concept of "splitting" the errors. In other words, when an area of bad sectors is encountered, the errors are split until the good areas are properly imaged and the unreadable areas are marked as bad. Finally, ddrescue attempts to retry the bad areas by rereading them until we either get data or fail after a certain number of specified attempts.

There are a number of ingenious options to ddrescue that allow the user to try and obtain the most important part of the disk first, then move on until as much of the disk is obtained as possible. Areas that are imaged successfully need not be read more than once. As mentioned previously, this is made possible by some very robust logging. The log is written periodically during the imaging process, so that even in the event of a system crash the session can be restarted, keeping duplicate imaging efforts, and therefore disk access, to a minimum.

Given that we are addressing forensic acquisition here, we will concentrate all our efforts on obtaining the entire disk, even if it means multiple runs. The following examples will be used to illustrate how the most important options to ddrescue work for the forensic examiner. We will concentrate on detailing the imaging log used by ddrescue so that the user can see what is going on with the tool, and how it operates.

Let's look at a simple example of using ddrescue on media without errors, using a 1GB thumb drive. The simplest way to run ddrescue is by providing the input file, output file and a name for our log file. Note that there is no if= or of=. In order to get a good look at how the log file works, we'll interrupt our imaging process halfway through, check the log, and then resume the imaging.
root@rock:~# ddrescue /dev/sda image.sda.ddr ddrlog.txt
Press Ctrl-C to interrupt
Initial status (read from logfile)
rescued:         0 B,  errsize:       0 B,  errors:       0
Current status
rescued:   341312 kB,  errsize:       0 B,  current rate:
   ipos:   341312 kB,   errors:       0,    average rate:
   opos:   341312 kB
Copying data...
Interrupted by user
The log shows us the current status of the acquisition[16]. Lines starting with a # are comments. There are two sections of note. The first non-comment line shows the current status of the imaging, while the second section (two lines, in this case) shows the status of various blocks of data. The values are in hexadecimal, and are used by ddrescue to keep track of those areas of the target device that have marked errors as well as those areas that have already been successfully read and written. The status symbols (taken from the info page) are as follows:

Character   Meaning
?           non-tried
*           bad area non-trimmed
/           bad area non-split
-           bad hardware block(s)
+           finished
In this case we are concerned only with the '?' and the '+' (we'll get to the others later). Essentially, when the copying process is interrupted, the log is used to tell ddrescue where the copying left off, and what has already been copied (or otherwise marked). The first section (status) alone may be sufficient in this case, since ddrescue need only pick up where it left off, but in the case of a disk with errors, the block section is required so ddrescue can keep track of what areas still need to be retried as good data is sought among the bad.

Translated, our log would tell us the following:

# current_pos  current_status
0x14580200     ?

The current imaging process is copying (?) data at byte offset 341312000 (0x14580200).

#      pos        size  status
0x00000000  0x14580200  +
0x14580200  0x28852000  ?

The data block from offset 0 of size 341312000 bytes (0x14580200) has been successfully copied (+). The data block from offset 341312000 (0x14580200) and 679813120 bytes in size (0x28852000) has not been tried yet (?) and is where copying resumes.

Note also that the size of our partially copied file matches the size of the block of data marked finished in our log file.
[16] The ddrescue info page has a very detailed explanation of the log file structure.
root@rock:~# cat ddrlog.txt
# Rescue Logfile. Created by GNU ddrescue version 1.8
# current_pos  current_status
0x3CDD0400     +
#      pos        size  status
0x00000000  0x3CDD2200  +
root@rock:~# echo "ibase=16;3CDD2200" | bc
1021125120
root@rock:~# ls -l image.sda.ddr
-rw-r--r-- 1 root root 1021125120 2008-08-22 21:09 image.sda.ddr
Once the interrupted run has been resumed (the same ddrescue command with the same log file) and allowed to finish, the log shows the status line informing of a completed image, and the block list now has a single entry from offset 0 for a size of 1021125120 bytes (0x3CDD2200). The completed block size matches the size of our image. Note the bc command to convert the hex value to decimal.

So that provides us an easy overview of ddrescue on a simple acquisition with one interruption, but no errors.

Bad Sectors: ddrescue

We've introduced two new imaging tools, dc3dd and ddrescue. We've shown an example of each in a simple acquisition, and now we are going to have a look at using them to acquire media with errors. In this case we will use a small 1.2GB IDE disk with 15 bad sectors. This is not an artificially created disk, but a disk with actual errors.

We'll start with ddrescue and then compare with the results of dc3dd. As previously discussed, one of the main reasons we would try to use ddrescue over regular dd or dc3dd is that we can have it obtain the good data before trying to read all the bad sectors. This gives us a better chance of acquiring all of the readable portions of the disk. Recall that with ddrescue, we can make numerous passes, using the log file to determine what still needs to be read and added to our acquisition.

The plan is to collect everything that reads cleanly first, then go back for the error areas, checking the log after each run.
root@rock:~# ddrescue -n /dev/hdf image.hdf.ddr ddrloghdf.txt
Press Ctrl-C to interrupt
Initial status (read from logfile)
rescued:         0 B,  errsize:       0 B,  errors:       0
Current status
rescued:    18350 kB,  errsize:       0 B,
   ipos:    18350 kB,   errors:       0,
   opos:    18350 kB
Copying data...
The -n option tells ddrescue to skip the splitting pass, so on this first run it does not split or retry the error areas; it collects the readable data and moves on. Once the imaging is complete we get:
root@rock:~# ddrescue -n /dev/hdf image.hdf.ddr ddrloghdf.txt
Press Ctrl-C to interrupt
Initial status (read from logfile)
rescued:     1281 MB,  errsize:   61440 B,
   ipos:   850771 kB,   errors:      15,
   opos:   850771 kB
Finished
Note the amount of data rescued is the size of our disk: 1281 MB. The number of errors is listed as 15 and the size of the error areas is 61440 bytes. One interesting note about the total error size is that it calculates to 4096 bytes per error (61440/15). If there were 15 bad sectors we would expect an error size of 7680 bytes (512*15). The difference is a result of kernel caching: the device is read through the page cache in 4096 byte pages, so one unreadable 512 byte sector costs us the whole page it sits in. Obviously this is not desirable in a forensic acquisition (we want all the data we can get). We alleviate this issue by using direct access, where we bypass kernel caching. More on this later.

Looking at our resulting log, ddrloghdf.txt (shortened for readability):
root@rock:~# cat ddrloghdf.txt
# Rescue Logfile. Created by GNU ddrescue version 1.8
# current_pos  current_status
0x32B5C000     +
#      pos        size  status
0x00000000  0x32B77000  +
0x32B77000  0x00000E00  /
0x32B77E00  0x00000200  -
0x32B78000  0x00049000  +
0x32BC1000  0x00000E00  /
0x32BC1E00  0x00000200  -
<snip>
0x38684000  0x00000E00  /
0x38684E00  0x00000200  -
0x38685000  0x14013000  +
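Reading these logs means converting hex by hand, as with the bc one-liner earlier, and the error-area arithmetic (4096 bytes per error versus 512) gets tedious across several runs. The script below is an added example, not ddrescue's code and not from the original guide: it parses a ddrescue 1.x log file, totals the bytes in each status ('?', '*', '/', '-', '+'), reports how many bad sectors remain and decodes current_pos, so the saved copies of the log from successive runs can be compared at a glance. The sample log is constructed (a 1 MiB device after a first pass, with one 4 KiB error area already trimmed to one bad sector and seven non-split sectors); the hex conversion is done in awk so no bc is needed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the guide, not ddrescue code): summarise a GNU
# ddrescue 1.x logfile. Status letters are ddrescue's own:
#   ? non-tried   * non-trimmed   / non-split   - bad sector   + finished

# Decimal value of a 0x... hex string, in POSIX awk (no bc or gawk needed).
hex2dec() {
    awk -v h="$1" 'BEGIN {
        sub(/^0[xX]/, "", h); h = toupper(h); v = 0
        for (i = 1; i <= length(h); i++)
            v = v * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
        print v
    }'
}

# Print one "status=<c> bytes=<n>" line per status, then bad_sectors=<n>
# (assuming $2-byte sectors, default 512) and current_pos=<decimal>.
ddrescue_log_summary() {
    awk -v sector="${2:-512}" '
        function hex2dec(h,   i, v) {
            sub(/^0[xX]/, "", h); h = toupper(h); v = 0
            for (i = 1; i <= length(h); i++)
                v = v * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
            return v
        }
        /^#/ || NF == 0 { next }                # comment and blank lines
        NF == 2 { cur = hex2dec($1); next }     # "current_pos current_status"
        NF == 3 { bytes[$3] += hex2dec($2) }    # "pos size status" block list
        END {
            n = split("? * / - +", order, " ")
            for (i = 1; i <= n; i++)
                printf "status=%s bytes=%d\n", order[i], bytes[order[i]] + 0
            printf "bad_sectors=%d\n", bytes["-"] / sector
            printf "current_pos=%d\n", cur + 0
        }' "$1"
}

# Bytes in a single status, e.g.: ddrescue_log_bytes ddrlog.txt '+'
ddrescue_log_bytes() {
    ddrescue_log_summary "$1" | awk -v s="$2" -F'[ =]' '$2 == s { print $4 }'
}

# Constructed sample log: 1 MiB device, one error area trimmed to a single
# bad sector (-) followed by 7 non-split sectors (/), rest finished (+).
make_sample_log() {
    cat > "$1" <<'EOF'
# Rescue Logfile. Created by GNU ddrescue version 1.8
# current_pos  current_status
0x00081000     +
#      pos        size  status
0x00000000  0x00080000  +
0x00080000  0x00000200  -
0x00080200  0x00000E00  /
0x00081000  0x0007F000  +
EOF
}

# Demo on the constructed log, plus the hex value converted with bc in the text.
demo=$(mktemp -d)
make_sample_log "$demo/ddrlog.txt"
ddrescue_log_summary "$demo/ddrlog.txt"
echo "0x3CDD2200 = $(hex2dec 0x3CDD2200)"
```

Run it against each saved copy of the log (cp ddrloghdf.txt ddrloghdf.run1.txt between runs, as suggested below) and the "/" total should fall to zero while "-" settles at 512 bytes per genuinely unreadable sector; a "-" total that is a multiple of 4096 is the page-cache effect described above and a sign that the run was made without direct access.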
At this point, I would make one suggestion, from a forensic perspective: it might be a good idea to save a copy of each log, as it's changed, between successive runs. The logging done by ddrescue is designed for recovery, not for documenting a forensic acquisition. By saving the log to a different file name between runs, you will have created a more complete picture of the forensic image as it goes through the error splitting and rereading process.

Back to our acquisition. Now we need to go back and try and reread the areas that are marked as non-split. We issue essentially the same command, using the same input and output file, and the same log file. This time we drop the -n option and add -d (direct disc access, bypassing the kernel cache) and -r3 (retry each bad area up to three times):
root@rock:~# ddrescue -d -r3 /dev/hdf image.hdf.ddr ddrloghdf.txt
Press Ctrl-C to interrupt
Initial status (read from logfile)
rescued:     1281 MB,  errsize:   61440 B,
Current status
rescued:     1281 MB,  errsize:   39936 B,
   ipos:   855198 kB,   errors:      19,
   opos:   855198 kB
Splitting error areas...
rescued:     1281 MB,  errsize:    7680 B,
   ipos:   946356 kB,   errors:      15,
   opos:   946356 kB
Finished
root@rock:~# cat ddrloghdf.txt
# Rescue Logfile. Created by GNU ddrescue version 1.8
# current_pos  current_status
0x38684000     +
#      pos        size  status
0x00000000  0x32B77800  +
0x32B77800  0x00000200  -
<snip>
0x38684000  0x00000200  -
0x38684200  0x14013E00  +
There are only finished areas (+) and bad areas (-) left in our log. And the bad areas are each a single 512 byte sector (size is 0x00000200). The error size has come down from 61440 bytes to 7680 bytes (15 * 512), which is exactly the 15 bad sectors we expected.

We should also note that our resulting image is already synchronized. The bad areas of the image have been filled with null bytes, so everything after them sits at its original offset. One interesting feature of ddrescue is the ability to fill the image bad areas with a character of your choice. This can be useful in an exam to differentiate between zeroed sectors copied from the original disk and bad sectors filled in during the acquisition. See info ddrescue for more details.

Bad Sectors: dc3dd

Now we'll have a look at the same imaging job with dc3dd, and have a look at the result. Let's start with our most common acquisition parameters:
root@rock:~# dc3dd if=/dev/hdf of=image.hdf.dc3dd progress=on hash=md5 hashwindow=32M log=dc3ddloghdf.txt conv=noerror,sync
850884608 bytes (811 M) copied, 757.63 s, 1.1 M/s
dc3dd: reading `/dev/hdf': Input/output error
1661884+0 records in
1661884+0 records out
850884608 bytes (811 M) copied, 758.599 s, 1.1 M/s
851187200 bytes (812 M) copied, 758.908 s, 1.1 M/s
dc3dd: reading `/dev/hdf': Input/output error
1662474+1 records in
1662475+0 records out
851187200 bytes (812 M) copied, 759.806 s, 1.1 M/s
851489280 bytes (812 M) copied, 760.118 s, 1.1 M/s
<snip>
2503752+120 records in
2503872+0 records out
1281982464 bytes (1.2 G) copied, 1208.11 s, 1 M/s
structures properly aligned and allows, for example, a file system within the image to be properly mounted (assuming the damaged areas are not critical).

Note that our output shows 120 records (blocks) read as errors, ignored and synced. Given that each record is 512 bytes (the default block size), the amount of data lost is 61440 bytes, the same error size as our original ddrescue run. Luckily, recent versions of programs based on dd (including dc3dd) have a flag that allows for direct access. Again, this direct flag is passed to avoid kernel caching (in this case, 4096-byte pages). The figures are consistent with that: 120 is 8 times the 15 bad sectors we end up with, and a 4096-byte page holds 8 sectors, so each unreadable sector cost the whole page it sits in when reads went through the cache.

Rerunning our dc3dd command with iflag=direct, we get the following:
root@rock:~# dc3dd if=/dev/hdf of=image.hdf.dc3dd progress=on hash=md5 hashwindow=32M log=dc3ddloghdf.txt conv=noerror,sync iflag=direct

850884608 bytes (811 M) copied, 757.63 s, 1.1 M/s
dc3dd: reading `/dev/hdf': Input/output error
1661884+0 records in
1661884+0 records out
850884608 bytes (811 M) copied, 758.599 s, 1.1 M/s
851187200 bytes (812 M) copied, 758.908 s, 1.1 M/s
dc3dd: reading `/dev/hdf': Input/output error
1662474+1 records in
1662475+0 records out
851187200 bytes (812 M) copied, 759.806 s, 1.1 M/s
<snip>
946356224 bytes (903 M) copied, 857.745 s, 1.1 M/s
2503857+15 records in
2503872+0 records out
1281982464 bytes (1.2 G) copied, 1160.53 s, 1.1 M/s
We've ended up with essentially the same result as our ddrescue acquisition. We now have 15 errors of 512 bytes each. The iflag option is new to the dd code upon which dc3dd is based. Note that this is one reason I elected to cover dc3dd rather than dcfldd[17]: because dcfldd is a fork of an earlier dd code base, it does not include a provision for a direct flag. One final option you might consider passing when dealing with errors and dc3dd is the errors=group option. This will suppress multiple lines of error output for consecutive errors, giving a much smaller log file in those cases where large numbers of consecutive sectors are marked as bad.

For the curious among you, the hashes for the ddrescue acquisition and the dc3dd acquisition do match.

So, what's the difference?
[17] Note that you can still do direct I/O with dcfldd by accessing the target device through /dev/raw.
Bad Sector Acquisition - Conclusions

We acquired an IDE disk with what appears to be 15 bad sectors using two different tools. In this case, we arrived at the same result. So, asking the question again: what's the difference between the tools, and why select one over the other?

dc3dd is primarily a forensic imaging tool. It is designed specifically for acquiring images for examination. Its strength is in allowing a forensic analyst to control the output of the acquisition. It provides very granular control over authentication (hashing), splitting, and forensic logging. It does handle errors, as we saw in the preceding section, but it is not specifically designed with a recovery algorithm in mind; it just reads from start to finish.

ddrescue is primarily a recovery tool. It is designed specifically for rescuing data from failing or damaged media. Its strength is in its ability to acquire the maximum amount of data from damaged media without simply grinding through an already damaged disk. The logging, while not particularly friendly, is geared toward directing successive runs at the data, not toward forensic documentation. If you are looking to attempt to acquire the data found within bad sectors, you have a much better shot at it with ddrescue.

While the results obtained in these examples do little to highlight the differences in the tools, other than the interface, keep in mind that every piece of media that exhibits errors is different. The degree of the error is never apparent. As such, your mileage with each tool will vary greatly.

One possible approach to this problem, if you prefer using acquisition tools designed for forensics (like dc3dd or dcfldd), would be to continue using your tool of choice, but without the conv=noerror option. Instead, let the acquisition fail if an error is found. You can then move to a tool like ddrescue to safely acquire whatever data is recoverable, with a chance at getting more than would otherwise be possible. Just keep in mind that if a disk is going bad, you may only have one shot at acquiring it.
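The fallback workflow described in the last paragraph can be scripted so that the decision is not made by hand in the middle of an acquisition. The POSIX shell function below is an added example, not from this guide or from either tool's project: it runs dc3dd without conv=noerror (so the first read error makes it exit non-zero) and only on failure hands the same device to ddrescue, doing the two passes shown earlier (a -n pass, then a -r3 retry pass) and saving a copy of the log between them. It assumes dc3dd and ddrescue are on the PATH, that the source device sits behind a write blocker, and that the option spellings are the ones used on this page.

```shell
#!/bin/sh
# Added example: forensic imager first, recovery tool only on a read error.
# acquire_fallback <device> <image-basename> <logdir>
#   returns 0 on success; 2 or 3 if ddrescue's first or second pass fails.
acquire_fallback() {
    dev=$1; base=$2; logdir=$3
    mkdir -p "$logdir" || return 1

    # Stage 1: dc3dd with direct I/O, hashing and a log, but WITHOUT
    # conv=noerror,sync, so a bad sector aborts the run instead of being zeroed.
    if dc3dd if="$dev" of="$base.dd" iflag=direct hash=md5 \
             hashwindow=32M log="$logdir/dc3dd.log"; then
        echo "stage 1 (dc3dd) completed cleanly: $base.dd"
        return 0
    fi
    echo "stage 1 (dc3dd) stopped on a read error; $base.dd kept as the record of that attempt" >&2

    # Stage 2: ddrescue. Pass 1 (-n) copies every readable area without
    # splitting; pass 2 (-r3) goes back to the error areas, as shown earlier.
    # The log is copied between passes so each stage is documented.
    ddrescue -d -n  "$dev" "$base.ddr" "$logdir/ddrescue.log" || return 2
    cp -p "$logdir/ddrescue.log" "$logdir/ddrescue.log.pass1"
    ddrescue -d -r3 "$dev" "$base.ddr" "$logdir/ddrescue.log" || return 3
    cp -p "$logdir/ddrescue.log" "$logdir/ddrescue.log.pass2"

    # Hash the rescued image now; its bad areas are zero-filled, so keep the
    # final log next to the hash to show which bytes were never read.
    md5sum "$base.ddr" > "$logdir/ddrescue.md5"
    echo "stage 2 (ddrescue) completed: $base.ddr (see $logdir/ddrescue.log)"
    return 0
}

# Invocation on the disk used above (not run here):
#   acquire_fallback /dev/hdf /mnt/evid/image /mnt/evid/logs
```

The cost of this approach is that a failing disk is read more than once: the aborted dc3dd run and the two ddrescue passes each cover the readable part again. On media that is visibly deteriorating, going straight to ddrescue may be the one shot the text warns about.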
LIBEWF - Working with Expert Witness Files
One of the more ubiquitous forensic image formats found in the computer forensic world is the Expert Witness, or EWF, format. A number of popular GUI tools produce images by default in this format, and there are many tools that can read, convert or work with these images.

We will explore a set of tools here, belonging to the libewf project, that provide the ability to create, view, convert and work with Expert Witness evidence containers. We cover libewf before the other advanced forensic tools because it needs to be installed first in order to supply the required libraries to our other forensic tools for supporting these image formats. The libewf tools and detailed project information can be found at:

https://www.uitwisselplatform.nl/projects/libewf/

Download the most current version and extract the contents of the tarball. Note that we are using version 20080501 in this document:
root@rock:~# tar xzvf libewf-20080501.tar.gz
libewf-20080501/
libewf-20080501/Makefile.in
libewf-20080501/COPYING
libewf-20080501/depcomp
libewf-20080501/ltmain.sh
libewf-20080501/compile
libewf-20080501/ChangeLog
libewf-20080501/INSTALL
<continues>
Installation of libewf follows the same routine we used previously to install dc3dd. As always, read the INSTALL file in the extracted directory to ensure the package uses this common method. Recall that the commands we use are:

./configure
make
make install

The first command configures the build environment, the second command calls the compiler and builds the tools, and the third command installs the tools (and libraries) to the proper locations.
root@rock:~# cd libewf-20080501
root@rock:~/libewf-20080501# ./configure
checking for a BSD-compatible install... /usr/bin/ginstall -c
checking whether build environment is sane... yes
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking build system type... i686-pc-linux-gnu
<continues>
Again, assuming no errors, we type make and watch as the compiler does its thing:
root@rock:~/libewf-20080501# make
Making all in libewf
make[1]: Entering directory `/root/Tools/libewf-20080501/libewf'
make  all-am
make[2]: Entering directory `/root/Tools/libewf-20080501/libewf'
if /bin/sh ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I. -I. -I../include -g -O2 -Wall -MT ewf_compress.lo -MD -MP -MF ".deps/ewf_compress.Tpo" -c -o ewf_compress.lo ewf_compress.c; \
<continues>
Our newly compiled tools are placed in the ewftools directory. We will cover the following tools briefly here:

Now we use make install to put the commands in the proper path:
root@rock:~/libewf-20080501# make install
Making install in common
make[1]: Entering directory `/root/libewf-20080501/common'
make[2]: Entering directory `/root/libewf-20080501/common'
make[2]: Nothing to be done for `install-exec-am'.
make[2]: Nothing to be done for `install-data-am'.
make[2]: Leaving directory `/root/libewf-20080501/common'
make[1]: Leaving directory `/root/libewf-20080501/common'
Making install in libewf
make[1]: Entering directory `/root/libewf-20080501/libewf'
<continues>
Once the installation is complete we can move straight to using the tools. Proper paths have already been set, and the libraries required by other programs to use the support of libewf are available. On some systems, you may run into an initial problem where calling a tool results in a "library not found" error. If that is the case on your particular system, simply run the command ldconfig and try again.

To start, let's talk about those situations where you've been provided a set of image files (or a single file) that were obtained using a popular Windows forensic tool. There will be times where you would like to read the metadata included with the images, verify the contents of the images, or export or convert the images to a bitstream (commonly referred to as dd) format. This is where the libewf tools come in handy. They operate at the Linux command line, don't require any other special software, license, or dongle, and are very fast. We will use a copy of an NTFS practical exercise image that we will use again in our upcoming Sleuthkit exercises. This particular copy is in EWF format. The file can be obtained from:

http://www.LinuxLEO.com/Files/ntfs_pract.E01

The first thing we can do is run the ewfinfo command on the image file. This will return the metadata from the image file, which includes acquisition and media information. We learn the version of the software that the image was created with, along with the collection platform, the date of acquisition, the name of the examiner that created the image, and the description and notes. Have a look at the output of ewfinfo on our E01 file:
root@rock:~# ewfinfo ntfs_pract.E01
ewfinfo 20080501 (libewf 20080501, zlib 1.2.3, libcrypto 0.9.8, libuuid)

Acquiry information
        Case number:              NTFS_Practical
        Description:              NTFS_pract
        Examiner name:            Joe Agent
        Evidence number:          NTFS_pract
        Notes:                    This is a practice Image (e01 format)
        Acquiry date:             26/06/2007 10:58:13
        System date:              26/06/2007 10:58:13
        Operating system used:    Windows XP
        Software version used:    5.04
        Password:                 N/A

Media information
        Media type:               fixed disk
        Media is physical:        yes
        Amount of sectors:        1024000
        Bytes per sector:         512
        Media size:               524288000
        Error granularity:        64
        Compression type:         good (fast) compression
        GUID:                     7b4bd359-960b-e845-93b4-2ae39474fed4
        MD5 hash in file:         d3c4659e4195c6df1da3afdbdc0dce8f
Notice that the last line in the output provides us with an MD5 hash of the data in the file. Don't confuse this with the hash of the file itself. A file in EWF format stores the original data from the media that was imaged along with a series of CRC checks and metadata. The hash of the E01 file will NOT match the hash of the original media imaged. The hash of the original media, and therefore of the data collected, is recorded in the EWF file for later verification.

If we are given an E01 file, or a set of EWF files (E01, E02, etc.), and we want to simply verify that the data within the file is consistent with the data collected at the time of imaging, we can use the ewfverify command. This command rehashes the data contained within the file (disregarding the metadata) and compares the hash obtained with the MD5 hash stored in the file.

You can see from our output below that the ntfs_pract.E01 file verifies without error. The hash obtained during the verification matches that stored within the file:
root@rock:~# ewfverify ntfs_pract.E01
ewfverify 20080501 (libewf 20080501, zlib 1.2.3, libcrypto 0.9.8, libuuid)

Verify started at: Tue Aug 21 10:07:07 2007
This could take a while.

Status: at 3%.
        verified 18 MB (19202048 bytes) of total 500 MB (524288000 bytes).
        completion in 32 second(s) with 15 MB/s (15887515 bytes/second).

... (edited for brevity)

Verify completed at: Tue Aug 21 10:07:10 2007

Read: 500 MB (524288000 bytes) in 3 second(s) with 166 MB/s (174762666 bytes/second).
MD5 hash stored in file:          d3c4659e4195c6df1da3afdbdc0dce8f
MD5 hash calculated over data:    d3c4659e4195c6df1da3afdbdc0dce8f
ewfverify: SUCCESS
physical device you wish to image. The program will prompt you for the required information, to be stored with the data in the EWF format:
root@rock:~# ewfacquire /dev/sdb
ewfacquire 20080501 (libewf 20080501, zlib 1.2.3, libcrypto 0.9.8, libuuid)

Acquiry parameters required, please provide the necessary input
Image path and filename without extension: /root/ntfs_ewf
Case number: 111-222
Description: Removable media (generic thumbdrive)
Evidence number: 1
Examiner name: Barry Grundy
Notes: Seized from subject
Media type (fixed, removable) [fixed]: removable
Volume type (logical, physical) [physical]: physical
Use compression (none, fast, best) [none]: fast
Use EWF file format (ewf, smart, ftk, encase1, encase2, encase3, encase4, encase5, encase6, linen5, linen6, ewfx) [encase5]: encase5
Start to acquire at offset (0 >= value >= 524288000) [0]:
Amount of bytes to acquire (0 >= value >= 524288000) [524288000]:
Evidence segment file size in kbytes (2^10) (1440 >= value >= 2097152) [665600]:
The amount of sectors to read at once (64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768) [64]:
The amount of sectors to be used as error granularity (1 >= value >= 64) [64]:
The amount of retries when a read error occurs (0 >= value >= 255) [2]:
Wipe sectors on read error (mimic EnCase like behavior) (yes, no) [yes]:

The following acquiry parameters were provided:
Image path and filename:        /root/ntfs_ewf.E01
Case number:                    111-222
Description:                    Removable media (generic thumbdrive)
Evidence number:                1
Examiner name:                  Barry Grundy
Notes:                          Seized from subject
Media type:                     removable
Volume type:                    physical
Compression used:               fast
EWF file format:                EnCase 5
Acquiry start offet:            0
Amount of bytes to acquire:     524288000
Evidence segment file size:     665600 kbytes
Block size:                     64 sectors
Error granularity:              64 sectors
Retries on read error:          2
Wipe sectors on read error:     yes

Continue acquiry with these values (yes, no) [yes]: yes

Acquiry started at: Tue Aug 21 10:21:55 2007
... (edited for brevity)
Acquiry completed at: Tue Aug 21 10:22:31 2007

MD5 hash calculated over data: d3c4659e4195c6df1da3afdbdc0dce8f
In the above command session, user input is shown in bold. In places where no input is provided, the defaults are used. Notice that ewfacquire gives you several options for the image format that can be specified. The file(s) specified by the user are given an E** extension and placed in the path directed by the user. Finally, an MD5 hash is provided at the end of the output for verification.

Last, but not least, ewfacquirestream acts much like ewfacquire, but allows for data to be gathered via standard input. The most obvious use for this is taking data passed by a program like netcat.

Recall our "DD over the Wire" exercise. In that exercise, the data was sent across the network from our SUBJECT computer (booted with a Linux boot disk) using dd and netcat (nc) to our listening netcat process on our collection box's IP address and port:

Subject computer:
root@bootdisk~ # dd if=/dev/sda | nc 192.168.55.20 2525
Collection computer, using ewfacquirestream:
root@rock:~ # nc -l -p 2525 | ewfacquirestream -C 111-222 -D 'removable thumb drive' -e 'Barry Grundy' -E '1' -f encase5 -m removable -M physical -N 'Seized from subject' -t /mnt/evid/net_image
This command takes the output from netcat (nc) and pipes it to ewfacquirestream:

  the case number is specified with -C
  the evidence description is given with -D
  the examiner is given with -e
  the evidence number with -E
  EnCase 5 format is specified with -f encase5
  the media type is given with -m
  the volume type is given with -M
  notes are provided with -N
  the target path and file name is specified with -t /path/file

No extension is given; ewfacquirestream automatically appends an E01 extension to the resulting file.

To get a complete list of options, look at the man page, or run the command with the -h option.
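With ewfacquirestream the only hash of the evidence is the MD5 the tool itself calculates over the stream, and the E01 file's own hash is, as noted above, not the media hash. A check a practitioner will want is an independent hash of the exact bytes that arrived from the subject machine, taken at the same time, to compare against the value ewfacquirestream reports (and later against ewfverify). The POSIX shell function below is an added example, not part of this guide or of libewf: it uses tee and a named pipe so the stream is hashed once without being written to disk twice. The netcat and ewfacquirestream invocation in the comment repeats the one above; the hash file name and the choice of md5sum are mine.

```shell
#!/bin/sh
# Added example: hash a stream independently while passing it to a consumer.
# tee_hash <hashfile> <consumer command...>
#   stdin -> consumer's stdin, and an MD5 of the same bytes -> <hashfile>.
#   Returns the consumer's exit status.
tee_hash() {
    hashfile=$1; shift
    fifo=$(mktemp -u) && mkfifo "$fifo" || return 1
    # The hasher reads the FIFO in the background; tee feeds the FIFO and
    # the consumer at once, so the bytes are read from the network only once.
    md5sum < "$fifo" | cut -d' ' -f1 > "$hashfile" &
    hasher=$!
    tee "$fifo" | "$@"
    rc=$?
    wait "$hasher"
    rm -f "$fifo"
    return $rc
}

# Collection box (not run here). Afterwards compare stream.md5 with the
# "MD5 hash calculated over data" line that ewfacquirestream prints:
#   nc -l -p 2525 | tee_hash /mnt/evid/stream.md5 ewfacquirestream \
#       -C 111-222 -D 'removable thumb drive' -e 'Barry Grundy' -E '1' \
#       -f encase5 -m removable -M physical -N 'Seized from subject' \
#       -t /mnt/evid/net_image
```

The same function also serves the plain dd-over-the-wire case (the consumer becomes `dd of=/mnt/evid/net_image.dd`), and a mismatch between stream.md5 and the tool's hash points at the pipeline rather than at the media.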
Sleuthkit
The first of the recovery tools we will cover here is actually not a GUI tool at all, but rather a collection of command line tools.

The Sleuthkit is written by Brian Carrier and maintained at http://www.sleuthkit.org. It is partially based on The Coroner's Toolkit (TCT), originally written by Dan Farmer and Wietse Venema. The Sleuthkit adds additional file system support (FAT and NTFS). Additionally, the Sleuthkit allows you to analyze various file system types regardless of the platform you are currently working on. The current version, as of this writing, is 3.0x. Go to the downloads section of the Sleuthkit website (http://www.sleuthkit.org) and grab the latest copy. For the sake of simplicity, let's download the file to our /root (root user's home) directory.

Note that with the release of version 3.x, there are a number of very significant changes to the Sleuthkit over previous versions. Most noteworthy, as of the 2.x series, is the inclusion of direct support for full disk images (rather than just partitions) and split disk images. Also, there have been a number of significant changes in the new 3.x version, including renamed tools and changes to the programs that affect the way deleted files are dealt with.

Let's start with a discussion of the tools first. Most of this information is readily available in the Sleuthkit documentation or on the Sleuthkit website.

The Sleuthkit's tools are organized by what the author calls a "layer" approach:

  Media management layer:              mmls, mmcat, mmstat
  File system layer:                   fsstat
  File name layer (Human Interface):   fls, ffind
  Metadata (inode) layer:              icat, ils, ifind, istat
  Content (data) layer:                blkcalc, blkcat, blkls, blkstat
Notice that the commands that correspond to the analysis of a given layer begin with a common letter. For example, the file system command starts with "fs", the inode (metadata) layer commands start with "i", and so on.

If the layer approach referenced above seems a little confusing to you, you should take the time to read the Sleuthkit's README.txt file. The author does a fine job of defining and describing these layers and how they fit together for a forensic analysis. Understanding that the Sleuthkit tools operate at different layers is extremely important.

It should be noted here that the output of each tool is specifically tailored to the file system being analyzed. For example, the fsstat command is used to print file system details. The structure of the output and the descriptive fields change depending on the target file system. This will become apparent throughout the exercises.

In addition to the tools already mentioned, there are some miscellaneous tools included with the Sleuthkit that don't fall into the above categories:
  sorter        categorizes allocated and unallocated files based on type (images, executables, etc.). Extremely flexible and configurable.
  img_cat       allows for the separation of metadata and original data from image files (media duplication, not pictures).
  img_stat      provides information about a forensic image. The information it provides is dependent on the image format (aff, ewf, etc.).
  hfind         hash lookup tool. Creates and searches an indexed database.
  sigfind       searches a given file (forensic image, disk, etc.) for a hex signature at any specified offset (sector boundary).
  mactime       creates a timeline of file activity. VERY useful for intrusion investigations where temporal relationships are critical.
  srch_strings  like the standard BSD strings command, but with the ability to parse different encodings.
Sleuthkit Installation and System Prep

Installation is easy. You can simply untar the file, then change into the resulting directory:
root@rock:~# tar xzvf sleuthkit-3.0.0.tar.gz
sleuthkit-3.0.0/
sleuthkit-3.0.0/aclocal.m4
sleuthkit-3.0.0/CHANGES.txt
sleuthkit-3.0.0/config/
<continues>

root@rock:~# cd sleuthkit-3.0.0
root@rock:~/sleuthkit-3.0.0 #
Take a moment to read the included documentation (README.txt is a good place to start). We will continue with a short description in this document, but most of what you need to know is right there.

Compiling the tools has changed significantly as of version 2.50 of the Sleuthkit. Previously, the programs were compiled with a simple make command, and libraries that provided a number of features were simply included with the package. Now, the program is compiled and built manually, so support for external libraries (and their versions) is up to the user. For example, the libewf package (covered earlier), which provides support for Expert Witness format images, must be properly installed before installing the Sleuthkit if you want support for EnCase format images. This is why we covered libewf and installed it first.

As with the libewf package, the new versions of the Sleuthkit are compiled and installed using the same basic set of commands as other tarball source distributions. Inside the directory we extracted above, we use the commands:

./configure
make
make install

The first step is to configure the package for compilation. This is where support is added for our previously installed libewf package. Note the "checking for libewf_open in -lewf... yes" line near the end of the configure process in the following output; if it says "no", the Sleuthkit will build without EWF support, so go back and fix the libewf installation (ldconfig is the usual fix) before continuing:
root@rock:~/sleuthkit-3.0.0 # ./configure
checking for a BSD-compatible install... /usr/bin/ginstall -c
checking whether build environment is sane... yes
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
...
checking for libewf_open in -lewf... yes
configure: creating ./config.status
config.status: creating Makefile
<continues>
Sleuthkit Exercises

Since the very first versions of this document, one of the most commonly requested additions has always been a more complete introduction to the Sleuthkit tools. I have been asked many, many times to add more exercises that include more of the tools and some of the more common file systems encountered by the average investigator. So, to that end, I've added a couple of new comprehensive exercises and a more thorough explanation of the available tools.

We are going to start with a quick sample analysis using just a few of the Sleuthkit command line tools. Like all of the other exercises in this document, I'd suggest you follow along if you can. Using these commands on your own is the only way to really learn the techniques. Read the included man pages and play with the options to obtain other output. The image files used in the following examples are available for download. Get your hands on the keyboard and follow along.
Sleuthkit Exercise #1 - Deleted File Identification and Recovery

Let's start our tour of the Sleuthkit with one of the tools introduced in version 2 of the Sleuthkit, img_stat. This command is used to display the forensic image attributes, including the type of image and the format.

If we run the command against our able2.dd image, we see the following output. Note that we are running the command from within the /root/able2 directory, so there's no need to provide the full path to the target image.
root@rock:~# cd able2
root@rock:~/able2 # img_stat able2.dd
IMAGE FILE INFORMATION
--------------------------------------------
Image Type: raw

Size in bytes: 345830400
root@rock:~/able2 #
So, in the first command above, we split the able2.dd file. We then do an ls -lh to see the resulting splits and their sizes. Finally, the Sleuthkit's img_stat command is executed, and we see that it recognizes the split files and gives us the byte offsets of each split.

Now let's have a look at a couple of the file system and file name layer tools, fsstat and fls. We will run them against our able2 images. Keep in mind that in older versions of the Sleuthkit, we needed to carve the partitions out of the image to use them with the tools. As of version 2.00, Sleuthkit tools have been able to look directly at the whole disk image. An offset must still be passed to the tool in order for it to see the target file system.

We have already used sfdisk to determine partition offsets within a dd image. The Sleuthkit also comes with a tool, mmls, that does much the same thing, providing access to the partition table within an image and giving the partition offsets in sector units. As with many of the Sleuthkit tools, there is a certain amount of intelligence built into the command. If you do not pass the proper image type (with the -i option) or the proper partition table type (for example, specifying that this is a DOS partition table with the -t option), the Sleuthkit will attempt to guess the proper parameters. For the sake of correctness, we will use the options -i and -t to pass the image type (either split or raw) and the type of partition table.
root@rock:~/able2 # mmls -i split -t dos able2.split.0*
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000056   0000000056   Unallocated
02:  00:00   0000000057   0000010259   0000010203   Linux (0x83)
03:  00:01   0000010260   0000112859   0000102600   Linux (0x83)
04:  00:02   0000112860   0000178694   0000065835   Linux Swap / Solaris x86 (0x82)
05:  00:03   0000178695   0000675449   0000496755   Linux (0x83)
root@rock:~/able2 # fsstat -o 10260 able2.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext2
Volume Name:
Volume ID: 906e777080e09488d0116064da18c0c4

Last Written at: Sun Aug 10 14:50:03 2003
Last Checked at: Tue Feb 11 00:20:09 1997

Last Mounted at: Thu Feb 13 02:33:02 1997
Unmounted Improperly
Last mounted on:

Source OS: Linux
Dynamic Structure
InCompat Features: Filetype,
Read Only Compat Features: Sparse Super,

METADATA INFORMATION
--------------------------------------------
Inode Range: 1 - 12881
Root Directory: 2
Free Inodes: 5807

CONTENT INFORMATION
--------------------------------------------
Block Range: 0 - 51299
Block Size: 1024
Reserved Blocks Before Block Groups: 1
<continues>
The fsstat command provides type-specific information about the file system located in a device or forensic image. As previously noted, we ran the fsstat command above with the option -o 10260. This specifies that we want information from the file system residing on the partition that starts at sector offset 10260.

We can get more information using the fls command. fls lists the file names and directories contained in a file system, or in a directory, if the metadata identifier for a particular directory is passed. The output can be adjusted with a number of options, including gathering information about deleted files. If you type fls on its own, you will see the available options (view the man page for a more complete explanation).

If you run the fls command with no options (other than the -o option to specify the file system), then by default it will run on the root directory (inode 2 on an EXT file system, MFT entry 5 on NTFS, etc.).
In other words, on an EXT file system, running:

root@rock:~/able2 # fls -o 10260 able2.dd

and:

root@rock:~/able2 # fls -o 10260 able2.dd 2
directory and inode entry. This is noted by the r/r designation. Conversely, the following two entries (.001 and $OrphanFiles) are identified as directories. The next field is the metadata entry number (inode, MFT entry, etc.), followed by the file name. In the case of the file .bash_history, the inode is listed as 1042.

Note that the last line of the output, $OrphanFiles, is a virtual folder, created by the Sleuthkit and assigned a virtual inode (a new feature in Sleuthkit 3.00). This folder contains virtual file entries that represent unallocated metadata entries for which there are no corresponding file names. These are commonly referred to as orphan files; they can be accessed by specifying the metadata address, but not through any file name path. We will cover this in more detail in a later section.

We can continue to run fls on directory entries to dig deeper into the file system structure (or use -r for a recursive listing). By passing the metadata entry number of a directory, we can view its contents. Read man fls for a look at some useful features. For example, have a look at the .001 directory in the listing above. This is an unusual directory and would cause some suspicion. It is hidden (it starts with a "."), and no such directory is common in the root of the file system. So, to see the contents of the .001 directory, we would pass its inode to fls:
root@rock:~/able2 # fls -o 10260 able2.dd 11105
r/r 2138:       lolit_pics.tar.gz
r/r 11107:      lolitaz1
r/r 11108:      lolitaz10
r/r 11109:      lolitaz11
r/r 11110:      lolitaz12
r/r 11111:      lolitaz13
r/r 11112:      lolitaz2
r/r 11113:      lolitaz3
r/r 11114:      lolitaz4
r/r 11115:      lolitaz5
r/r 11116:      lolitaz6
r/r 11117:      lolitaz7
r/r 11118:      lolitaz8
r/r 11119:      lolitaz9
that are listed as files (rather than directories), and we want the listing to be recursive, we could use the following command:
root@rock:~/able2 # fls -o 10260 -Frd able2.dd
r/r * 11120(realloc):   var/lib/slocate/slocate.db.tmp
r/r * 10063:    var/log/xferlog.5
r/r * 10063:    var/lock/makewhatis.lock
r/r * 6613:     var/run/shutdown.pid
r/r * 1046:     var/tmp/rpm-tmp.64655
r/r * 6609(realloc):    var/catman/cat1/rdate.1.gz
r/r * 6613:     var/catman/cat1/rdate.1.gz
r/r * 6616:     tmp/logrot2V6Q1J
r/r * 2139:     dev/ttYZ0/lrkn.tgz
d/r * 10071(realloc):   dev/ttYZ0/lrk3
r/r * 6572(realloc):    etc/X11/fs/config
l/r * 1041(realloc):    etc/rc.d/rc0.d/K83ypbind
l/r * 1042(realloc):    etc/rc.d/rc1.d/K83ypbind
l/r * 6583(realloc):    etc/rc.d/rc2.d/K83ypbind
l/r * 6584(realloc):    etc/rc.d/rc4.d/K83ypbind
l/r * 1044:     etc/rc.d/rc5.d/K83ypbind
l/r * 6585(realloc):    etc/rc.d/rc6.d/K83ypbind
r/r * 1044:     etc/rc.d/rc.firewall~
r/r * 6544(realloc):    etc/pam.d/passwd
r/r * 10055(realloc):   etc/mtab.tmp
r/r * 10047(realloc):   etc/mtab~
r/- * 0:        etc/.inetd.conf.swx
r/r * 2138(realloc):    root/lolit_pics.tar.gz
r/r * 2139:     root/lrkn.tgz
r/r * 1055:     $OrphanFiles/OrphanFile-1055
r/r * 1056:     $OrphanFiles/OrphanFile-1056
r/r * 1057:     $OrphanFiles/OrphanFile-1057
r/r * 2141:     $OrphanFiles/OrphanFile-2141
r/r * 2142:     $OrphanFiles/OrphanFile-2142
r/r * 2143:     $OrphanFiles/OrphanFile-2143
<continues>
In the above command, we run fls against the partition in able2.dd starting at sector offset 10260 (-o 10260), showing only file entries (-F), descending into directories (-r), and displaying deleted entries (-d).

Notice that all of the files listed have an asterisk (*) before the inode. This indicates the file is deleted, which we expect in the above output since we specified the -d option to fls. We are then presented with the metadata entry number (inode, MFT entry, etc.) followed by the file name.

Have a look at the line of output for inode number 2138 (root/lolit_pics.tar.gz). The inode is followed by (realloc). Keep in mind that fls describes the file name layer. The realloc means that the file name listed is marked as unallocated, even though the metadata entry (2138) is marked as
allocated. In other words, the inode from our deleted file may have been reallocated to a new file.

According to Brian Carrier:

  The difference comes about because there is a file name layer and a metadata layer. Every file has an entry in both layers and each entry has its own allocation status.

  If a file is marked as "deleted" then this means that both the file name and metadata entries are marked as unallocated. If a file is marked as "realloc" then this means that its file name is unallocated and its metadata is allocated.

  The latter occurs if:
    The file was renamed and a new file name entry was created for the file, but the metadata stayed the same.
    NTFS re-sorted the names and the old copies of the name will be "unallocated" even though the file still exists.
    The file was deleted, but the metadata has been reallocated to a new file.

  In the first two cases, the metadata correctly corresponds to the deleted file name. In the last case, the metadata may not correspond to the name because it may instead correspond to a new file.

In the case of inode 2138, it looks as though the realloc was caused by the file being moved to the directory .001 (see the fls listing of .001 on the previous page). This causes it to be deleted from its current directory entry (root/lolit_pics.tar.gz) and a new file name created (.001/lolit_pics.tar.gz). The inode and the data blocks that it points to remain unchanged and in allocated status, but the inode has been reallocated to the new name.

Let's continue our analysis exercise using a couple of metadata (inode) layer tools included with the Sleuthkit. In a Linux EXT type file system, an inode has a unique number and is assigned to a file. The number corresponds to the inode table, allocated when a partition is formatted. The inode contains all the metadata available for a file, including the modified/accessed/changed (mac) times and a list of all the data blocks allocated to that file.

If you look at the output of our last fls command, you will see a deleted file called lrkn.tgz located in the /root directory (the last file in the output of our fls command before the list of orphan files; recall that the asterisk indicates it is deleted):
r/r * 2139:     root/lrkn.tgz

Direct Blocks:
22811 22812 22813 22814 22815 22816 22817 22818
22819 22820 22821 22822 22824 22825 22826 22827
<snip>...
32233 32234
Now that we have what we hope is a recovered file, what do we do with it? Look at the resulting file with the file command:
root@rock:~/able2 # file /root/lrkn.tgz.2139
/root/lrkn.tgz.2139: gzip compressed data, was "lrkn.tar", from Unix
stdout for viewing. Recall our previous directory listing of the .001 directory at inode 11105:

root@rock:~/able2 # fls -o 10260 able2.dd 11105
r/r 2138:       lolit_pics.tar.gz
r/r 11107:      lolitaz1
r/r 11108:      lolitaz10
<continues>

The output shows that we are dealing with a JPEG image. So we decide to use the display command to show us the contents:
root@rock:~/able2 # icat -o 10260 able2.dd 11108 | display
Sleuthkit Exercise #2 - Physical String Search & Allocation Status

This is another section added in response to a number of questions I've received, both in classes and via email. In our original floppy disk image analysis, one of the exercises we completed was a physical search of the image for a set of strings. Once the strings were located, we viewed them with the xxd utility. That's just half the story. In the vast majority of real examinations you are going to want to find out (if possible) what file that string belonged to and whether that file is allocated or unallocated. That is the purpose of this exercise.

This is a far more advanced exercise, but the question is asked often enough that I thought it was worth covering here. I realize this is a beginner-level document, but these are important concepts. Even if you rely on GUI tools for your day-to-day forensic analysis, you should understand exactly how your tools calculate and display their findings. In some ways the Sleuthkit forces you to understand these concepts (or you don't get very far).

This time we are going to do a search for a single string in our Linux disk image able2.dd. Based on some information received elsewhere, we decide to search our image for the keyword "Cybernetik". Change to the directory containing our able2.dd image and use grep to search for the string:
root@rock:~/able2 # grep -abi Cybernetik able2.dd
10561603: * updated by Cybernetik for linux rootkit
55306929:Cybernetik proudly presents...
55312943:Email: cybernetik@nym.alias.net
55312975:Finger: cybernetik@nym.alias.net
root@rock:~/able2 # xxd -s 10561603 able2.dd | head -n 5
0a12843: 202a 0975 7064 6174 6564 2062 7920 4379  *.updated by Cy
0a12853: 6265 726e 6574 696b 2066 6f72 206c 696e  bernetik for lin
0a12863: 7578 2072 6f6f 746b 6974 0a20 2a2f 0a0a  ux rootkit. */..
0a12873: 2369 6e63 6c75 6465 203c 7379 732f 7479  #include <sys/ty
0a12883: 7065 732e 683e 0a23 696e 636c 7564 6520  pes.h>.#include 
The Sleuthkit's mmls command gives us the offset to each partition in the image (you could also use sfdisk):
root@rock:~/able2 # mmls able2.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000056   0000000056   Unallocated
02:  00:00   0000000057   0000010259   0000010203   Linux (0x83)
03:  00:01   0000010260   0000112859   0000102600   Linux (0x83)
04:  00:02   0000112860   0000178694   0000065835   Linux Swap / Solaris x86 (0x82)
05:  00:03   0000178695   0000675449   0000496755   Linux (0x83)
The difference between the two is the volume offset of the keyword hit, instead of the physical disk (or image) offset.
root@rock:~/able2 # fsstat -o 10260 -f ext able2.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext2
Volume Name:
Volume ID: 906e777080e09488d0116064da18c0c4

Last Written at: Sun Aug 10 14:50:03 2003
Last Checked at: Tue Feb 11 00:20:09 1997
Last Mounted at: Thu Feb 13 02:33:02 1997
Unmounted Improperly
Last mounted on:

Source OS: Linux
Dynamic Structure
InCompat Features: Filetype,
Read Only Compat Features: Sparse Super,

METADATA INFORMATION
--------------------------------------------
Inode Range: 1 - 12881
Root Directory: 2
Free Inodes: 5807

CONTENT INFORMATION
--------------------------------------------
Block Range: 0 - 51299
Block Size: 1024
Reserved Blocks Before Block Groups: 1
Free Blocks: 9512
<continues>
Here are our calculations, summarized:

In short, our calculation, taking into account all the illustrations above, is simply:
root@rock:~/able2 # echo "(10561603-(10260*512))/1024" | bc
5184
Excellent! The inode that holds the keyword match is 10090. Now we use istat to give us the statistics of that inode:
root@rock:~/able2 # istat -o 10260 -f ext able2.dd 10090
inode: 10090
Not Allocated
Group: 5
Generation Id: 3534950782
uid / gid: 4 / 7
mode: -rw-r--r--
size: 3591
num of links: 0

Inode Times:
Accessed:       Sun Aug 10 00:18:36 2003
File Modified:  Wed Dec 25 16:27:43 1996
Inode Modified: Sun Aug 10 00:29:58 2003
Deleted:        Sun Aug 10 00:29:58 2003
At this point, we have recovered the data we were looking for. We can run our icat command as above again, this time directing the output to a file (as we did with the rootkit file from our previous recovery exercise).

One additional note: With the release of Sleuthkit v3.x, we now have a virtual directory that contains entries for orphan files. As we previously noted, in our discussion of the fls command, these files are the result of an inode containing file data having no file name (directory entry) associated with it. Sleuthkit organizes these in the virtual $OrphanFiles directory. This is a useful feature because it allows us to identify and access orphan files from the output of the fls command.

In this exercise, we determined through our calculations that we were looking for the contents of inode 10090. The Sleuthkit command ffind can tell us the file name associated with an inode. Here, we are provided with the $OrphanFiles entry:
root@rock:~/able2 # ffind -o 10260 able2.dd 10090
* /$OrphanFiles/OrphanFile-10090
Sleuthkit Exercise #3 - Unallocated Extraction & Examination
As the size of media being examined continues to grow, it is becoming apparent to many investigators that data reduction techniques are more important than ever. These techniques take on several forms, including hash analysis (removing known good files from a data set, for example) and separating allocated space in an image from unallocated space, allowing them to be searched separately with specialized tools. We will be doing the latter in this exercise.

The Sleuthkit comes with a set of tools for handling information at the block layer of the analysis model. The block layer consists of the actual file system blocks that hold the information we are seeking. They are not specific to unallocated data only, but are especially useful for working on unallocated blocks that have been extracted from an image. The tools that manipulate this layer, as you would expect, start with blk and include:

blkls
blkcalc
blkstat
blkcat

We will be focusing on blkls, blkcalc and blkstat for the next couple of exercises.

The tool that starts us off here is blkls. This command lists all the data blocks. If you were to use the -e option, the output would be the same as the output of dd for that volume, since -e tells blkls to copy every block. However, by default, blkls will only copy out the unallocated blocks of an image.

This allows us to separate allocated and unallocated blocks in our file system. We can use logical tools (find, ls, etc.) on the live files in a mounted file system, and concentrate data recovery efforts on only those blocks that may contain deleted or otherwise unallocated data. Conversely, when we do a physical search of the output of blkls, we can be sure that artifacts found are from unallocated content.

To illustrate what we are talking about here, we'll run the same exercise we did in Sleuthkit Exercise #2, this time extracting the unallocated data from our volume of interest and comparing the output from the whole volume analysis vs. unallocated analysis. So, we'll be working on the able2.dd image from earlier. We expect to get the same results we did in Exercise #2, but this
In the above command, we are using blkls on the second partition (-o 10260) within the able2.dd image, and redirecting the output to a file called able2.blkls. The file able2.blkls will contain only the unallocated blocks from the target file system.

Now, as we did in our previous analysis of this file system (Exercise #2) we will use grep, this time on the extracted unallocated space, our able2.blkls file, to search for our text string of interest. Read back through Exercise #2 if you need a refresher on these commands.
root@rock:~/Able2# grep -abi cybernetik able2.blkls
1631299: * updated by Cybernetik for linux rootkit
9317041:Cybernetik proudly presents...
9323055:Email: cybernetik@nym.alias.net
9323087:Finger: cybernetik@nym.alias.net
The grep command above now tells us that we have found the string cybernetik at four different offsets in the extracted unallocated space. We will concentrate on the first hit here. Of course these are different from the offsets we found in Exercise #2 because we are no longer searching the entire original dd image.

So the next obvious question is: so what? We found potential evidence in our extracted unallocated space. But how does it relate to the original image? As forensic examiners, merely finding potential evidence is not good enough. We also need to know where it came from (physical location in the original image), what file it belongs or (possibly) belonged to, metadata associated with the file, and context. Finding potential evidence in a big block of aggregate unallocated space is of little use to us if we cannot at least make some effort at attribution in the original file system.

That's where the other block layer tools come in. We can use blkcalc to calculate the location (by data block or fragment) in our original image. Once we've done that, we simply use the metadata layer tools to identify and potentially recover the original file, as we did in our previous effort.

First we need to gather a bit of data about the original file system. We run the fsstat command to determine the size of the data blocks we are working with.
root@rock:~/Able2# fsstat -o 10260 able2.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext2
Volume Name:
Volume ID: 906e777080e09488d0116064da18c0c4
...
CONTENT INFORMATION
--------------------------------------------
Block Range: 0 - 51299
Block Size: 1024
...
unallocated image we found our string of interest. We use the echo command to pass the math expression to the command line calculator, bc:
root@rock:~/Able2# echo "1631299/1024" | bc
1593
[Illustration: original file system blocks (... 48 49 50 ...) and the blocks of the blkls image they are copied to (0 1 2 3 4 5 6 7 8 ...)]
In the illustrated example above, the data in block #3 of the blkls image would map to block #49 in the original file system. We would find this with the
blkcalc command as shown (this is just an illustration, and does not apply to the current exercise):
root@rock:~/example# blkcalc -o $fs_offset -u 3 original.dd
49
root@rock:~/Able2# blkcat -o 10260 able2.dd 5184 > 5184.blkcat
root@rock:~/Able2# ls -lh
total 474M
-rw-r--r-- 1 root root 1.0K 2008-11-27 04:19 5184.blkcat
-rw-r--r-- 1 root root 9.3M 2008-11-27 03:58 able2.blkls
-rwxrwxr-x 1 root root 330M 2003-08-10 21:16 able2.dd*
Note the size of the file resulting from the blkcat output (5184.blkcat) is 1.0K (1024 bytes, the file system block size), just as expected.
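The address arithmetic behind the Exercise #2 calculation (image offset to file system block) and the blkcalc illustration above (blkls block back to the original block), as an added Python example that is not part of this guide or of the Sleuthkit. The sector, partition and block values are the ones from the able2.dd exercises; the allocation bitmap is constructed for the illustration.

```python
# Added example (not from the guide): the address arithmetic behind the
# Exercise #2 and Exercise #3 calculations, done in Python so the steps can
# be checked without the able2.dd image at hand.

SECTOR_SIZE = 512  # mmls reported "Units are in 512-byte sectors"


def image_offset_to_fs_block(hit_offset, fs_start_sector, fs_length_sectors,
                             block_size, sector_size=SECTOR_SIZE):
    """Map a byte offset reported by 'grep -b' on the whole image to the data
    block number inside the file system that begins at fs_start_sector.

    fs_start_sector / fs_length_sectors come from the mmls Start and Length
    columns; block_size comes from fsstat.  Raises ValueError if the hit does
    not fall inside that partition, which is the first thing to check before
    trusting the arithmetic.
    """
    fs_start = fs_start_sector * sector_size
    fs_end = fs_start + fs_length_sectors * sector_size
    if not fs_start <= hit_offset < fs_end:
        raise ValueError("offset %d is outside sectors %d-%d"
                         % (hit_offset, fs_start_sector,
                            fs_start_sector + fs_length_sectors - 1))
    return (hit_offset - fs_start) // block_size


def blkls_offset_to_blkls_block(hit_offset, block_size):
    """A blkls output file has no partition table: a 'grep -b' offset in it
    is simply divided by the block size (the echo ... | bc step above)."""
    return hit_offset // block_size


def blkls_block_to_fs_block(blkls_block, allocated):
    """What 'blkcalc -u' answers: the n-th unallocated block that blkls wrote
    out corresponds to which block of the original file system?

    'allocated' is the block allocation bitmap of the original file system
    (index = block number, True = allocated).  Only unallocated blocks are
    counted, in block order, so the n-th of them is blkls block n.
    """
    seen = 0
    for block, is_alloc in enumerate(allocated):
        if is_alloc:
            continue
        if seen == blkls_block:
            return block
        seen += 1
    raise ValueError("blkls block %d: only %d unallocated blocks in bitmap"
                     % (blkls_block, seen))


def demo():
    # Exercise #2: hit at image offset 10561603, file system at sector 10260,
    # length 102600 sectors (mmls), 1024-byte blocks (fsstat) -> block 5184.
    fs_block = image_offset_to_fs_block(10561603, 10260, 102600, 1024)

    # Exercise #3: the same string found at offset 1631299 in able2.blkls.
    blkls_block = blkls_offset_to_blkls_block(1631299, 1024)

    # Constructed bitmap for the illustration: 64 blocks, of which only
    # 12, 25, 31, 49, 50 and 52 are unallocated.  blkls writes those six
    # blocks out in order, so blkls block 3 is original block 49.
    bitmap = [True] * 64
    for unalloc in (12, 25, 31, 49, 50, 52):
        bitmap[unalloc] = False
    mapped = blkls_block_to_fs_block(3, bitmap)
    return fs_block, blkls_block, mapped


if __name__ == "__main__":
    print(demo())  # (5184, 1593, 49)
```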
Sleuthkit Exercise #4 - NTFS Examination: File Analysis
At this point we've done a couple of intermediate exercises using an ext2 file system from a Linux disk image. Another common suggestion I receive in class feedback and from other users of this guide is to provide a more advanced exercise using a file system more commonly encountered by examiners in the field. So, in the following exercises we will do some simple analyses on an NTFS file system.

Some might ask, why? There are many tools out there capable of analyzing an NTFS file system in its native environment. In my mind there are two very good reasons for learning to apply the Sleuthkit on Windows file systems. First, the Sleuthkit is comprised of a number of separate tools with very discrete sets of capabilities. The specialized nature of these tools means that you have to understand their interaction with the file system being analyzed. This makes them especially suited to help learning the ins and outs of file system behavior. The fact that the Sleuthkit does less of the work for you makes it a great learning tool. Second, an open source tool that operates in an environment other than Windows makes for an excellent cross verification utility.

The following exercise follows a set of very basic steps useful in most any analysis. Make sure that you follow along at the command line. Experimentation is the best way to learn.

If you have not already done so, I would strongly suggest (again) that you invest in a copy of Brian Carrier's book: File System Forensic Analysis (Published by Addison Wesley, 2005). This book is the definitive guide to file system behavior for forensic analysts. As a reminder (again), the purpose of these exercises is NOT to teach you file systems (or forensic methods, for that matter), but rather to illustrate the detailed information Sleuthkit can provide on common file systems encountered by field examiners.

The file we will use for this exercise can be obtained from:
http://www.LinuxLEO.com/Files/ntfs_pract.dd.gz

Let's create a directory in our /root (the root user's home) directory called /root/ntfs_pract/ and place the file in there. First, we will decompress the gzipped file using the gzip command we learned earlier and check its SHA1 hash:
root@rock:~/ntfs_pract # ls
ntfs_pract.dd.gz
root@rock:~/ntfs_pract # gzip -d ntfs_pract.dd.gz
root@rock:~/ntfs_pract # ls
ntfs_pract.dd
root@rock:~/ntfs_pract # sha1sum ntfs_pract.dd
0cbce7666c8db70377cb5fc2abf9268821b6dafe  ntfs_pract.dd
Looking at the fsstat output on our NTFS file system, we see it differs greatly from the output we saw running on a Linux EXT file system. The tool is designed to provide pertinent information based on the file system being targeted. Notice that when run on an NTFS file system, fsstat provides us with information specific to NTFS, including data about the Master File Table (MFT) and specific attribute values.

We will now have a look at how the Sleuthkit interacts with active and deleted files on an NTFS file system, given the structure of MFT entries.

Let's begin this exercise with the output of fls. We can specify that fls show us only deleted content on the command line with the -d option. We will use -F (only file entries) and -r (recursive) as well:
root@rock:~/ntfs_pract # fls -Frd -o 59 ntfs_pract.dd
r/r * 42-128-1:  Cookies/buckyball@revsci[2].txt
r/r * 43-128-1:  Cookies/buckyball@search.msn[1].txt
r/r * 44-128-1:  Cookies/buckyball@slashdot[1].txt
r/r * 45-128-1:  Cookies/buckyball@sony.aol[2].txt
r/r * 112-128-4: My Documents/My Pictures/bandit-streetortrack2005056.jpg
r/r * 116-128-4: My Documents/My Pictures/fighterama2005-ban4.jpg
r/r * 81-128-4:  My Documents/direct_attacks.doc
As of Sleuthkit version 3, the output of fls now shows content that includes NTFS orphan files.[20] Previous versions required the user to run an additional command, ifind, on parent directories in order to recover orphan files. The article in the footnote explains how this works.

The output above shows that our NTFS example file system holds 7 deleted files. Let's have a closer look at some NTFS specific information that can be parsed with the Sleuthkit.

Have a look at the deleted file at MFT entry 112. The file is ./My Documents/My Pictures/bandit-streetortrack2005056.jpg. We can have a closer look at the file's attributes by examining its MFT entry directly. We do this through the istat tool. Recall that when we were working on an EXT file system previously, the output of istat gave us information directly from the inode of the specified file (see Sleuthkit Exercise #1). As we mentioned earlier, the output of the Sleuthkit tools is specific to the file system being examined. So let's run the command on MFT entry 112 in our current exercise:
[20] TSK Informer, issue #16: http://www.sleuthkit.org/informer/sleuthkitinformer16.txt - NTFS Orphan Files
root@rock:~/ntfs_pract # istat -o 59 ntfs_pract.dd 112
MFT Entry Header Values:
Entry: 112        Sequence: 2
$LogFile Sequence Number: 4201668
Not Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Created:       Sat Apr  7 00:52:53 2007
File Modified: Sat Oct 14 10:37:13 2006
MFT Modified:  Sat Apr  7 00:52:53 2007
Accessed:      Sat Apr  7 20:00:04 2007

$FILE_NAME Attribute Values:
Flags: Archive
Name: bandit-streetortrack2005056.jpg
Parent MFT Entry: 110   Sequence: 1
Allocated Size: 0       Actual Size: 0
Created:       Sat Apr  7 00:52:53 2007
File Modified: Sat Apr  7 00:52:53 2007
MFT Modified:  Sat Apr  7 00:52:53 2007
Accessed:      Sat Apr  7 00:52:53 2007

Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A     Resident       size: 72
Type: $FILE_NAME (48-3)              Name: N/A     Resident       size: 90
Type: $FILE_NAME (48-2)              Name: N/A     Resident       size: 128
Type: $DATA (128-4)                  Name: $Data   Non-Resident   size: 112063
60533 60534 60535 60536 60537 60538 60539 60540
60541 60542 60543 60544 60545 60546 60547 60548
60549 60550 60551 60552 60553 60554 60555 60556
60557 60558 60559 60560
The information istat provides us from the MFT shows values directly from the $STANDARD_INFORMATION attribute (which contains the basic metadata for a file), the $FILE_NAME attribute and basic information for other attributes that are part of an MFT entry. The data blocks that contain the actual file content are listed at the bottom of the output (for Non-Resident data).

Take note of the fact that there are two separate attribute identifiers for the $FILE_NAME attribute, 48-3 and 48-2. It is interesting to note we can access the contents of each attribute separately using the icat command. The two attributes store the DOS (8.3) file name and the Win32 (long) file name. By piping the output of icat to xxd we can see the difference. By itself, this may not be of much investigative interest, but again we are illustrating the capabilities of the Sleuthkit tools.
Note the difference in output between the attribute identifiers 112-48-3 and 112-48-2:
root@rock:~/ntfs_pract # icat -o 59 ntfs_pract.dd 112-48-3 | xxd
0000000: 6e00 0000 0000 0100 3071 be99 d078 c701  n.......0q...x..
0000010: 3071 be99 d078 c701 3071 be99 d078 c701  0q...x..0q...x..
0000020: 3071 be99 d078 c701 0000 0000 0000 0000  0q...x..........
0000030: 0000 0000 0000 0000 2000 0000 0000 0000  ........ .......
0000040: 0c02 4200 4100 4e00 4400 4900 5400 7e00  ..B.A.N.D.I.T.~.
0000050: 3100 2e00 4a00 5000 4700                 1...J.P.G.
root@rock:~/ntfs_pract # icat -o 59 ntfs_pract.dd 112-48-2 | xxd
0000000: 6e00 0000 0000 0100 3071 be99 d078 c701  n.......0q...x..
0000010: 3071 be99 d078 c701 3071 be99 d078 c701  0q...x..0q...x..
0000020: 3071 be99 d078 c701 0000 0000 0000 0000  0q...x..........
0000030: 0000 0000 0000 0000 2000 0000 0000 0000  ........ .......
0000040: 1f01 6200 6100 6e00 6400 6900 7400 2d00  ..b.a.n.d.i.t.-.
0000050: 7300 7400 7200 6500 6500 7400 6f00 7200  s.t.r.e.e.t.o.r.
0000060: 7400 7200 6100 6300 6b00 3200 3000 3000  t.r.a.c.k.2.0.0.
0000070: 3500 3000 3500 3600 2e00 6a00 7000 6700  5.0.5.6...j.p.g.
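Decoding the two $FILE_NAME attributes dumped above by hand is tedious, so here is an added Python parser (not part of this guide or of the Sleuthkit) that takes the 90 and 128 bytes shown by xxd and recovers the parent MFT entry, the FILETIME stamps, the flags, the namespace and the name. The hex strings are the two xxd dumps above re-typed; the field offsets are the standard on-disk $FILE_NAME layout, and the timestamps are reported in UTC rather than the local time istat prints.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added example (not from the guide): parse the two $FILE_NAME attributes
# that istat reported as 48-3 and 48-2 for MFT entry 112.  The bytes are the
# "icat ... | xxd" dumps above, re-typed as hex.
FN_112_48_3 = bytes.fromhex(
    "6e000000000001003071be99d078c701"
    "3071be99d078c7013071be99d078c701"
    "3071be99d078c7010000000000000000"
    "00000000000000002000000000000000"
    "0c02420041004e004400490054007e00"
    "31002e004a0050004700"
)
FN_112_48_2 = bytes.fromhex(
    "6e000000000001003071be99d078c701"
    "3071be99d078c7013071be99d078c701"
    "3071be99d078c7010000000000000000"
    "00000000000000002000000000000000"
    "1f01620061006e006400690074002d00"
    "7300740072006500650074006f007200"
    "74007200610063006b00320030003000"
    "35003000350036002e006a0070006700"
)

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS", 3: "Win32 & DOS"}
FLAG_BITS = {0x01: "Read Only", 0x02: "Hidden", 0x04: "System",
             0x20: "Archive", 0x800: "Compressed", 0x4000: "Encrypted"}
FIXED_LEN = 66  # bytes before the UTF-16LE name starts


def filetime_to_utc(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01) -> 'YYYY-MM-DD HH:MM:SS UTC'.
    istat prints these in the examiner's local time zone; here we keep UTC."""
    stamp = FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    return stamp.strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_file_name(buf):
    """Decode one $FILE_NAME attribute value.  Field offsets follow the
    on-disk layout: 8-byte parent reference, four FILETIMEs, allocated and
    real size, flags, reparse tag, name length, namespace, then the name."""
    if len(buf) < FIXED_LEN:
        raise ValueError("only %d bytes: too short for $FILE_NAME" % len(buf))
    (parent_ref,) = struct.unpack_from("<Q", buf, 0)
    times = struct.unpack_from("<4Q", buf, 8)
    alloc_size, real_size, flags, reparse = struct.unpack_from("<QQII", buf, 40)
    name_len, namespace = struct.unpack_from("<BB", buf, 64)
    end = FIXED_LEN + 2 * name_len
    if len(buf) < end:
        raise ValueError("name needs %d bytes, attribute has %d" % (end, len(buf)))
    return {
        # low 48 bits = MFT entry number, high 16 bits = sequence number
        "parent_entry": parent_ref & 0xFFFFFFFFFFFF,
        "parent_seq": parent_ref >> 48,
        "created": filetime_to_utc(times[0]),
        "file_modified": filetime_to_utc(times[1]),
        "mft_modified": filetime_to_utc(times[2]),
        "accessed": filetime_to_utc(times[3]),
        "allocated_size": alloc_size,
        "actual_size": real_size,
        "flags": [name for bit, name in FLAG_BITS.items() if flags & bit],
        "namespace": NAMESPACES.get(namespace, "unknown(%d)" % namespace),
        "name": buf[FIXED_LEN:end].decode("utf-16-le"),
        "length": end,
    }


if __name__ == "__main__":
    for label, blob in (("112-48-3", FN_112_48_3), ("112-48-2", FN_112_48_2)):
        info = parse_file_name(blob)
        print(label, info["namespace"], info["name"], info["created"])
```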
Sleuthkit Exercise #5 - NTFS Examination: ADS
First, to see what we are discussing here, in case the reader is not familiar with alternate data streams, we should compare the output of a normal file listing with that obtained through a forensic utility.

Obviously, when examining a system, it may be useful to get a look at all of the files contained in an image. We can do this two ways. The first way would be to simply mount our image with the loopback device and get a file listing. We will do this to compare a method using standard command line utilities that we used in the past with a method using the Sleuthkit tools.

Remember that the mount command works on file systems, not disks. The file system in this image starts 59 sectors into the image, so we mount using an offset. We can then obtain a simple list of files using the find command:
root@rock:~/ntfs_pract # mount -t ntfs -o ro,loop,offset=30208 ntfs_pract.dd /mnt/analysis/
root@rock:~/ntfs_pract # cd /mnt/analysis/
root@rock:~/analysis # find . -type f
./Cookies/buckyball@as-eu.falkag[2].txt
./Cookies/buckyball@2o7[1].txt
./Cookies/buckyball@ad.yieldmanager[1].txt
./Cookies/buckyball@specificclick[1].txt
./Cookies/buckyball@store.makezine[1].txt
./Cookies/buckyball@store.yahoo[2].txt
... [content removed]
./Favorites/2600 The Hacker Quarterly.url
... [content removed]
./My Documents/My Pictures/Tails/GemoTailG4.jpg
./My Documents/signatures.pdf
./My Documents/ULTIMATEJOURNEYDK.wmv
./My Documents/Webstuff/bandit2.jpg
./My Documents/Webstuff/m2_flat_CF.jpg
./My Documents/Webstuff/service1.jpg
./My Documents/Webstuff/Thumbs.db
./NTUSER.DAT
./SVstunts.avi          <--- Take note of this file
[21] You can use the xine player on a standard Slackware installation.
Pipe the results through less to see the whole file, or redirect the output to another file.
[22] Again, I would urge you to read Carrier's book: File System Forensic Analysis.
Sleuthkit Exercise #6 - NTFS Examination: Sorting Files
We will now explore a Sleuthkit tool we have not looked at yet. Many forensic tools provide a mechanism for categorizing files based on type. This reduces the amount of time examiners need to spend finding files of interest. The Sleuthkit provides this function through the sorter command. This tool parses the allocated and unallocated files of a file system and tests their headers for file type (remember the file command from our earlier exercise?).

The sorter command is highly configurable. The default files are found in the ./share/sorter directory of the Sleuthkit installation. The file default.sort is used for all operating systems, and there are also configuration files specific to each operating system.

There are a number of ways sorter can report its findings. It is useful to have the categories of files written out to a directory specified by the analyst. First we need to create a directory to write these results to:
root@rock:~/ntfs_pract # mkdir sort_out
Let's run the command and have a look at the output. There are lots of options available for sorter. Here's the command we'll use:
root@rock:~/ntfs_pract # sorter -d ./sort_out -md5 -h -s -o 59 -f ntfs ntfs_pract.dd
Analyzing "ntfs_pract.dd"

Loading Allocated File Listing
Processing 138 Allocated Files and Directories
100%

Loading Unallocated File Listing
Processing 23 Unallocated meta-data structures
100%

All files have been saved to: ./sort_out
Our output ends up in the ./sort_out directory:
root@rock:~/ntfs_pract # ls sort_out/
archive/      audio.html  disk/       documents.html  images/      mismatch.html  text/
archive.html  data/       disk.html   exec/           images.html  system/        text.html
audio/        data.html   documents/  exec.html       index.html   system.html    unknown.html
images Category

My Documents/My Pictures/b45ac806a965017dd71e3382581c47f3_refined.jpg
JPEG image data, JFIF standard 1.01
Image: ntfs_pract.dd  Inode: 111-128-4
MD5: 2c966ade4ff16ef8fe95e6607987644e
Saved to: images/ntfs_pract.dd-111-128-4.jpg

<continues>
Or you can click on thumbnails to view the pictures together:
As we can see, sorter provides a very convenient way to organize files based on type. This is a powerful tool with fully customizable configuration files where you can limit what is categorized and processed. Read the man pages. There are options available in sorter to utilize hash databases for further data reduction and other useful features.

What we have seen here are simple (and in many ways incomplete) examples of the Sleuthkit's command line tools for forensic examination. If you are left a little confused, just go through the exercises and steps one at a time. If you don't understand the commands or options, check the usage and read the man pages and Sleuthkit documentation. Run through the exercise a couple of times, and the purpose and outcome will make more sense. Take your time and experiment a little with the options.
Sleuthkit Exercise #7 - Signature Search in Unallocated Space
Now let's do the same sort of unallocated analysis we did in Exercise #3, but this time instead of searching for text data, we will look for file signatures. This will give us an opportunity to introduce another useful Sleuthkit tool, sigfind.

For this particular exercise, we'll use the NTFS image we used previously, ntfs_pract.dd. Change to the directory containing that image and let's begin.

As always, we start with mmls to help us identify the offset of the file system within the image that we are interested in.
root@rock:~/NTFS# mmls ntfs_pract.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000058   0000000058   Unallocated
02:  00:00   0000000059   0001023059   0001023001   NTFS (0x07)
03:  -----   0001023060   0001023999   0000000940   Unallocated
could simply search using grep for the characters JFIF, take note of the offsets and work from there, much like we did in our Data carving with dd exercise. In that case, though, we looked for the ffd8 hex signature. We then had to do a number of calculations to convert the xxd hex values, etc. Refer back to the Data carving with dd exercise for more info and a refresher on how we did this.

There are issues with using grep to search for data in a forensic image or file system. Aside from having to rely on values and conversions from xxd (which gives us our ASCII representation for grep), another problem with using grep is that it is completely unaware of sector or data block boundaries. The grep program is actually designed to search for text in files, not signatures in forensic images or file systems. Depending on the system being employed, there may also be file size (addressing) limitations with using grep on large images.

So instead, let's have a look at a far more forensic friendly signature search tool provided by the Sleuthkit. This tool, sigfind, is designed to look for hex signatures with search block sizes specified by the user and offsets to the signature within that block size.

sigfind is most commonly used to search for signatures of disk structures, and is particularly well suited to this task, because in addition to showing each hit, it shows the distance from the previous hit. This is helpful in that it allows a knowledgeable examiner to determine the veracity of hits by the expected frequency and distance between certain file system structures (like EXT superblocks, for example). In fact, sigfind works with a number of templates that are supported by the -t option. Run the command with -t to see a list of included templates.
As we mentioned, a file system's block size can be passed to sigfind so that each block can be searched for the proper expression at a given offset, which helps account for cluster aligned files or structures.[23] We already determined the cluster size in the ntfs_pract.dd NTFS file system is 4096 (found using fsstat). It is important for a Sleuthkit beginner to realize that the offset we provide to the sigfind command is different from the offset we provide in other Sleuthkit commands. In most Sleuthkit commands that are passed an offset option with -o we are referring to the location (offset in sectors) of a file system within a forensic image. In the case of sigfind the offset we pass with -o is the offset to the specified signature from the start of each block being searched as specified by block size (-b).
[23] But will not help with files embedded within other files, of course.
For example, the man page for sigfind gives the example of searching for a boot sector signature with the command:
root@rock:~/NTFS# sigfind -o 510 -l AA55 disk.dd
Recall now our original sigfind output:
root@rock:~/NTFS# sigfind -b 4096 -o 6 4A464946 ntfs_pract.blkls
Block size: 4096  Offset: 6  Signature: 4A464946
Block: 57539 (-)
Block: 57582 (+43)
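What sigfind does with -b 4096 -o 6, as an added Python model that is not the Sleuthkit's code: only the bytes at the given offset inside each block are compared with the signature, and each hit is reported with its distance from the previous one. The input buffer is constructed, with JFIF headers placed at cluster aligned blocks 3 and 46 (distance +43, as in the real output above) and one copy deliberately placed mid-block, which a plain grep counts and sigfind does not.

```python
# Added example (not from the guide or the Sleuthkit): a small model of the
# sigfind search used above, "sigfind -b 4096 -o 6 4A464946".

BLOCK_SIZE = 4096
JFIF_SIG = bytes.fromhex("4A464946")      # "JFIF", found 6 bytes into a JPEG
JPEG_HEADER = bytes.fromhex("FFD8FFE000104A4649460001")  # SOI + APP0 + "JFIF\0\1"


def sigfind(data, signature, block_size, offset, little_endian=False):
    """Return [(block, delta)] for every block whose bytes at 'offset' equal
    the signature.  delta is the distance (in blocks) from the previous hit,
    or None for the first one, matching sigfind's "(-)" and "(+43)" display.
    little_endian mirrors sigfind's -l flag, which reverses the byte order
    of the signature before searching (e.g. AA55 -> 55 AA)."""
    needle = signature[::-1] if little_endian else signature
    hits = []
    prev = None
    nblocks = len(data) // block_size
    for block in range(nblocks):
        start = block * block_size + offset
        if data[start:start + len(needle)] == needle:
            hits.append((block, None if prev is None else block - prev))
            prev = block
    return hits


def build_sample():
    """Constructed 'unallocated space': 50 zeroed 4096-byte blocks with a
    JPEG header at the start of blocks 3 and 46, plus a stray JPEG header
    300 bytes into block 20 (not cluster aligned)."""
    buf = bytearray(50 * BLOCK_SIZE)
    for block in (3, 46):
        pos = block * BLOCK_SIZE
        buf[pos:pos + len(JPEG_HEADER)] = JPEG_HEADER
    stray = 20 * BLOCK_SIZE + 300
    buf[stray:stray + len(JPEG_HEADER)] = JPEG_HEADER
    return bytes(buf)


def grep_count(data, needle):
    """What a byte-oriented grep would see: every occurrence, aligned or not."""
    return data.count(needle)


if __name__ == "__main__":
    sample = build_sample()
    for block, delta in sigfind(sample, JFIF_SIG, BLOCK_SIZE, 6):
        print("Block: %d (%s)" % (block, "-" if delta is None else "+%d" % delta))
    print("grep would report", grep_count(sample, JFIF_SIG), "occurrences")
```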
root@rock:~/NTFS# blkcalc -u 57582 -o 59 ntfs_pract.dd
60662
root@rock:~/NTFS# ifind -o 59 -d 60662 ntfs_pract.dd
116-128-4
root@rock:~/NTFS# ffind -o 59 ntfs_pract.dd 116
* /My Documents/My Pictures/fighterama2005-ban4.jpg
root@rock:~/NTFS# icat -o 59 ntfs_pract.dd 116 | file -
/dev/stdin: JPEG image data, JFIF standard 1.01
You can now view the files with any graphics viewer you might have available. For example, you can use the display command:
SMART for Linux
SMART, by ASR Data, is a commercial (not free) GUI based forensic tool for Linux that has a great interface allowing access to a full set of forensic analysis capabilities.
http://www.asrdata.com/SMART/
SMART splash screen and login.
The evaluation version also comes with the SMART manual in PDF format. A worthwhile read.
[24] The evaluation file is in bz2 format. Untar with the xjvf switches, change to the resulting directory and read the INSTALL file.
SMART's opening window, with device identification.
Forensic image acquisition dialog box. Red text indicates incomplete items...

The "image" tab, under "acquire".
A SMART view of our evidence image.
File system information obtained from an FS "Study".
File listing obtained from a "studied" file system
Right click menu on a deleted file.

SMART Filtering

Within SMART, there are two major ways to parse for information. The first is by using filtering. Filtering works at the logical level. Filters are based on file metadata like modified, accessed and created times; or file names and extensions; or attributes like deleted or allocated, etc. The other method is by searching, which is done at the physical level using either complex expressions or simple terms. We will briefly describe each method here, starting with filtering.

Continuing with our file list, let's move to the Filter tab. The filter list is currently empty. Right click in the empty space and select Add New Filter
> Active/Deleted Filter. This simple filter, when applied using the button at the bottom of the dialog, will alter our file list to show only deleted files:

Adding the Active/Deleted Filter

Clicking back on our File List tab shows us all seven of the deleted files we identified in our earlier Sleuthkit exercise:
SMART also comes with a decent set of predefined filters that can be used out of the box. These are listed under the right click menu item Term Library.

The ability to stack filters provides even more power. Suppose we want to view only a list of deleted graphical images. We leave the Active/Deleted filter in place, right click in the empty space below it and select Term Library > Graphics Files. Note that the predefined filter Graphics Files is populated with expressions that will identify graphics images by their extensions. This set of expressions can be further adjusted to include or exclude files depending on the examiner's preference.
Two Filters in place: Active/Deleted and Graphics Files

After applying the above stacked filters, our file listing is pared down to only deleted graphics files.

Filtered for deleted graphics files

SMART Filtering - Viewing Graphics Files

SMART has a built in graphics viewing capability that allows you to view images in a separate window. Thumbnail images can be browsed or reviewed using a configurable slideshow function. Individual files can be selected for viewing, or groups of files can be displayed together.

To illustrate this capability, let's load the Graphics Files filter, by itself, from SMART's filter term library. Note that filters can be cleared from the filter list by clicking on the small box with the X in the top right hand corner of the filter definition.
Setting the Graphics filter by itself

Select the entire list and right click to access the view menu
This will automatically open the graphics catalog. Also note that selected files can be hashed, exported or have detailed information displayed.

SMART's built in Graphics Viewer

SMART Searching

In addition to the filtering capability, SMART has a powerful search function. As with most SMART commands, this one is also accessed through the right click menu.

To illustrate SMART's searching ability, we will duplicate our string search within the able2.dd image. Recall in Sleuthkit Exercise #2 we searched our disk image for the simple string cybernetik. We will do the same here, and compare the output. First we must add our able2.dd image to our current
When the search is started, you are presented with a progress indicator.

Progress indicator

The results are then displayed:

Search hits showing offset to the hit and highlighted context
Hex View of our 1st hit
Further information can be obtained if the search is started from a particular partition rather than the physical image. Assuming that we studied the file systems prior to our search, right clicking on one of our search term hits, and selecting File System > Get File Info provides us with information derived from the file system for the data located at that offset, including the inode, file metadata, etc.

This is just a very brief overview of SMART's capabilities. The SMART user guide provides far more detailed information. For example, we can use SMART to loop mount the partitions read only with a simple click and then browse the file system in either a terminal or in the file manager of your choice. This provides us the ability to use all our favorite Linux tools to search the logical file system and display the information we need for our analysis. As with all advanced forensic tools, SMART provides excellent session and Case logging functions.
XI. Bootable Linux Distributions

For so many people, this is the meat and potatoes of what makes Linux such a flexible operating system. Access to a bootable CD drive and the ability to reboot the machine can now give us the power to run a full fledged Linux box without the need to install. For those who have not seen this in action, the power you can get from a CDROM, or even a floppy disk is amazing. This is not a complete list, but the following bootable distributions can give you some idea of what's available to you. There are many MANY more bootable distributions out there. Just do a Google search on Linux bootable CD for a sample.
Tomsrtbtbootfromafloppy
...Becausetherearethosetimeswhenyoujustmightneedafloppy ratherthanaCD.Thissmalldistributionisthedefinitionofminimalist,andit fitsononefloppy.YougetadecentsetofdriversforNICsandfilesystems (includingFATandNTFS).TheresabasicsetofcommonLinuxtools, includingddandrshorncforimagingovernetconnectionsandmore.The installation(toafloppy)canbedoneinWindowswithanincludedbatchfile. Thefloppyholdsasurprisingnumberofprograms,andactuallyformatsyour 1.44Mbfloppyto1.722Mb.Finditathttp://www.toms.net/rb/
KnoppixFullLinuxwithouttheinstall
ThisisaCDROMdistributionforpeoplewhowanttotryafullfeatured Linuxdistribution,butdontfeellikeinstallingLinux.ItincludesafullLinux environmentandahugecomplimentofsoftware.TheCDactuallyholds2GB ofsoftware,includingafullofficesuite,commonnetworktoolsandjustabout anythingelseyourelikelytoneedallcompressedtoaCDsizedimage.Please donotconsiderthisaforensicallysoundbootdiskoption.Thereareplentyof betterchoicesoutthere.Butforagee,lookwhatLinuxcandodisk,Knoppix ishardtobeat.http://www.knoppix.net
SMARTLinuxItsbootable!
Smartcomesin2differentbootdiskoptionsnow,providinganexcellent platformwithanindependentlyverifiedforensictoolforacquiringandanalyz ingphysicalmedia.ThetwoSMARTLinuxversionsareabootCDbasedon UbuntuandabootCDbasedonSlackware.Thehardwaredetectionisexcel lent.SMARTsbootableCDprovidesanenvironmentthatyoucanbesureis forensicallysound.Itcomeswithanumberofforensictoolspreloaded.Weve alreadyhadaglimpseofSMARTscapabilities.http://www.asrdata2.com
Helix: Knoppix based Incident Response

Helix is a bootable CD with a decidedly network forensics feel to it. When booted, it provides a Linux environment based on Knoppix that has been modified for forensic use and provides a huge number of forensics and network applications.

In addition to being a bootable Linux disk, Helix also provides a Live Windows response kit. When placed in a running Windows machine, it will provide tools that can be used for gathering volatile system data. A truly diverse tool! The user guide for Helix is excellent, and gives a great overview of some of the tools available on the CD. The Helix developers pride themselves on providing a cutting edge CD with diverse sets of tools, and support for the latest hardware. http://www.efense.com/helix/index.php
XII. Conclusion

The examples and practical exercises presented to you here are very simple. There are quicker and more powerful ways of accomplishing what we have done in the scope of this document. The steps taken in these pages allow you to use common Linux tools and utilities that are helpful to the beginner. At the request of many users, this guide has been expanded somewhat to incorporate more advanced tools, and exercises more related to real world scenarios.

Once you become comfortable with Linux, you can extend the commands to encompass many more options. Practice will allow you to get more and more comfortable with piping commands together to accomplish tasks you never thought possible with a default OS load (and on the command line to boot!).

I hope that your time spent working with this guide was a useful investment. At the very least, I'm hoping it gave you something to do, rather than stare at Linux for the first time and wonder "what now?"
XIII. Linux Support

Places to go for support:

Aside from the copious web site references throughout this document, there are a number of very basic sites you can visit for more information on everything from running Linux to using specific forensic tools on Linux. Here is a sample of some of the more informative sites you will find:

Slackware. Just one of many Linux distro's.
http://www.slackware.com

Learn Slackware (Slackware Linux Essentials):
http://www.slackbook.org/

Sleuthkit Wiki
http://wiki.sleuthkit.org

The Linux Documentation Project (LDP):
http://www.tldp.org

Open Source Forensic Software:
http://www.opensourceforensics.org

Software:
http://sourceforge.net/

In addition to the above list, there are a huge number of user forums, some of which are specific to Linux and computer forensics. One of my favorite forums (with an open source specific board):
http://www.forensicfocus.com

IRC (Internet Relay Chat)
Try #slackware on the Freenode network (or other suitable channel for your Linux distribution of choice). Many LinuxLEO readers have commented on the enthusiastic help received in #slackware on general Slackware and Linux questions.

A Google search will be your very best friend in most instances.