Forensic Cop Journal 1(3) 2009-Forensically Sound Write Protect on Ubuntu

This journal discusses how to configure an Ubuntu machine to be forensically write protected for forensic purposes such as hard disk acquisition for forensic imaging.
Published by: Muhammad Nuh Al-Azhar on Oct 05, 2009
Copyright:Attribution Non-commercial

Forensic Cop Journal Volume 1(3), Oct 2009
http://forensiccop.blogspot.com

Forensically Sound Write Protect on Ubuntu
by Muhammad Nuh Al-Azhar, CHFI
MSc in Forensic Informatics from the University of Strathclyde, UK
Forensic Investigator at Forensic Laboratory Centre of Indonesian National Police HQ.
 
Introduction

The first principle according to ACPO (Association of Chief Police Officers) in the UK is "No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court" (ACPO, p4). This principle, applied by forensic investigators around the world, requires investigators to take particular care when dealing with data stored on computer storage media. Once that data is changed, the subsequent phases of the examination are considered weak and doubtful, and the results of the examination may even be rejected by the court. Changes are still permitted when the investigators know exactly what their actions are and what the implications are, such as when performing live imaging.

To accommodate this principle, investigators apply write protection during the examination process, particularly when making the forensic image for the first time. The write protection can take the form of either software or hardware. On MS Windows, many forensically sound write protect tools are offered to users, most of them commercial. Write protection is also available on Ubuntu, for free: a small modification to the fstab file configures an Ubuntu machine to be forensically sound write protected. This journal discusses that configuration, including the experiments performed and the results obtained.
Experiment Preparation

A 4 GB flash disk is used as the object of these experiments. It is set up using GParted to configure the partitions, so that it has 4 partitions with different file systems. Below is the specification of each partition, with the operating system installed on it using UNetbootin.

Partition 1: size=996.19 MB, file system ntfs.
Partition 2: size=996.22 MB, file system fat16, with BartPE as operating system.
Partition 3: size=996.19 MB, file system ext2, with Helix 3.0 as operating system.
Partition 4: size=847.15 MB, file system ext3, with Ubuntu 8.10 as operating system.

Partition 1 in particular has no OS installed on it because it is designed for storing files. This configuration is intended to make the flash disk closely resemble a real hard disk with several partitions holding different file systems.
 
fstab Configuration

Before configuring /etc/fstab, some subdirectories are first created in the directory /media as mount points for the flash disk when it is attached to the experimental machine. In /media, 7 new subdirectories are created, namely:

/media/sdb1ro
/media/sdb2ro
/media/sdb3ro
/media/sdb4ro
/media/sdb5ro
/media/sdb6ro
/media/sdb7ro

The number of new subdirectories is 7 in order to cover the number of partitions on one hard disk, which usually has 2 to 4 partitions. fstab contains descriptive static information about the file systems; it is only read by programs, not written. Each line describing a file system on a separate partition comprises 6 fields, namely file system, mount point, type, options, dump and pass. Below is the revised configuration in /etc/fstab, edited using Text Editor.

/dev/sdb1 /media/sdb1ro auto noauto,user,ro,nosuid,nodev,uhelper=hal 0 0

/dev/sdb2 to /dev/sdb7 have the same configuration as /dev/sdb1, except for the mount point; for instance /dev/sdb2 has /media/sdb2ro as its mount location. Below is the explanation of the selected options, quoted from the manual pages of mount and umount.
auto: mount will try to guess the desired type of file system.
noauto: it can only be mounted explicitly.
user: only the user that mounted a file system can umount it again.
ro: mount the file system read-only.
nosuid: do not allow set-user-identifier or set-group-identifier bits to take effect.
nodev: do not interpret character or block special devices on the file system.
uhelper=hal: the uhelper (unprivileged umount helper) may be used when a non-root user wants to umount a mountpoint which is not defined in the /etc/fstab file (e.g. devices mounted by HAL).

After this configuration is finished, it is saved in /etc/fstab.
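As an added example, not part of the article, the POSIX shell script below generates the seven read-only entries described above for an assumed device prefix (/dev/sdb, as in the text) and audits an fstab file for entries under that prefix which lack the ro or noauto options; the fstab it inspects is a constructed temporary file, never the machine's real /etc/fstab.

```shell
#!/bin/sh
# Added example, not from the article: build the read-only fstab entries the
# text describes and audit an fstab for entries that are not write-protected.

# Print one entry per partition, mirroring the article's /dev/sdb1 line.
# $1 = device prefix (assumed /dev/sdb), $2 = number of partitions (article: 7)
gen_ro_fstab() {
  prefix="$1"; count="$2"; name=$(basename "$prefix"); i=1
  while [ "$i" -le "$count" ]; do
    printf '%s%d /media/%s%dro auto noauto,user,ro,nosuid,nodev,uhelper=hal 0 0\n' \
      "$prefix" "$i" "$name" "$i"
    i=$((i + 1))
  done
}

# Report every entry whose device starts with $2 but lacks 'ro' or 'noauto'.
# $1 = fstab file to audit. Returns 0 when all matching entries are protected.
audit_fstab() {
  fstab="$1"; prefix="$2"; bad=0
  while read -r fs mnt fstype opts dump pass; do
    case "$fs" in ''|'#'*) continue ;; esac        # skip blank and comment lines
    case "$fs" in "$prefix"*) ;; *) continue ;; esac   # only the devices of interest
    has_ro=0; has_noauto=0
    for o in $(printf '%s' "$opts" | tr ',' ' '); do  # options field is comma separated
      case "$o" in ro) has_ro=1 ;; noauto) has_noauto=1 ;; esac
    done
    if [ "$has_ro" -eq 0 ] || [ "$has_noauto" -eq 0 ]; then
      echo "NOT WRITE-PROTECTED: $fs on $mnt ($opts)"
      bad=1
    fi
  done < "$fstab"
  return "$bad"
}

# Demo on a constructed fstab written to a temp file (never the real /etc/fstab).
demo=$(mktemp)
gen_ro_fstab /dev/sdb 7 > "$demo"
echo '/dev/sdb8 /media/sdb8 auto rw,user 0 0' >> "$demo"   # constructed bad entry
audit_fstab "$demo" /dev/sdb || echo "audit failed: fix the entries listed above"
rm -f "$demo"
```

The option string is copied verbatim from the article; HAL has since been removed from Ubuntu, so uhelper=hal is specific to the 2009-era system described here. A ro mount alone does not stop journal replay on ext3/ext4 volumes, so before imaging add noload as well, or set the device itself read-only with blockdev --setro or a hardware write blocker.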
 
Comparative Analysis

The 4 GB flash disk above is plugged into the experimental machine with the reconfigured fstab, then mounted from the command console, and md5sum is run to check the hash value of each partition. Below is the first result:

/dev/sdb1 94bb79d86726636c015df89e274df644
/dev/sdb2 9077f2c533bb50992bd0828b7f56d7c0
/dev/sdb5 b665c813c2db0aaca3c20cfa38a30023
/dev/sdb6 0578121443c16b0721857a19441d2da0

/dev/sdb5 and /dev/sdb6 refer to partitions 3 and 4 because both partitions are logical. On each partition, the file browser is run to access it and some files are opened, after which I calculated the md5 value of each partition again. Below is the second result:

/dev/sdb1 94bb79d86726636c015df89e274df644
/dev/sdb2 9077f2c533bb50992bd0828b7f56d7c0
/dev/sdb5 b665c813c2db0aaca3c20cfa38a30023
/dev/sdb6 0578121443c16b0721857a19441d2da0

The md5 values from the first result are the same as those of the second, which means that the reconfigured fstab works well as a forensically sound write protect, applied automatically when a removable medium is attached to the machine for the first time.
Checking the Changes

In order to check the changes which might happen when a removable medium is attached to a computer, all write protect configuration in fstab is disabled. fstab is restored to its original state, with automount and read-write. The experimental flash disk is plugged into the machine again, and the md5 value of each partition is calculated directly. Below is the third result:

/dev/sdb1 94bb79d86726636c015df89e274df644
/dev/sdb2 9077f2c533bb50992bd0828b7f56d7c0
/dev/sdb5 9fffeaa755ebf36ef6285fb3272ed420
/dev/sdb6 db2b32be1a9d5de156787241f2413c5d

It is found that the md5 values of sdb1 and sdb2 remain the same, but sdb5 and sdb6 have changed without being accessed at all. Each partition is then accessed using the file browser twice, without opening or accessing files, and md5sum is run to check the hash value. Below is the fourth result:
