Welcome to Scribd. Sign in or start your free trial to enjoy unlimited e-books, audiobooks & documents.Find out more
Download
Standard view
Full view
of .
Look up keyword
Like this
3Activity
0 of .
Results for:
No results containing your search query
P. 1
Forensic Cop Journal 2(3) 2009-Standard Operating Procedure of Acquisition on Ubuntu

Forensic Cop Journal 2(3) 2009-Standard Operating Procedure of Acquisition on Ubuntu

Ratings: (0)|Views: 201|Likes:
This journal discusses how to perform acquisition on Ubuntu properly; therefore it is aimed to give different perspective to digital forensic analyst on the acquisition process.
This journal discusses how to perform acquisition on Ubuntu properly; therefore it is aimed to give different perspective to digital forensic analyst on the acquisition process.

More info:

Published by: Muhammad Nuh Al-Azhar on Dec 26, 2009
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

06/25/2010

pdf

text

original

 
Forensic Cop Journal Volume 2(3), Dec 2009
 
http://forensiccop.blogspot.com1
Standard Operating Procedure of Acquisition on Ubuntu
by Muhammad Nuh Al-Azhar, MSc. (CHFI, CEI, MBCS)
Commissioner Police
 –
Coordinator of Digital Forensic Analyst TeamForensic Lab Centre of Indonesian National Police HQ 
Introduction
When dealing with the evidence of storage media, a digital forensic analyst must be carefulin the process of acquisition. Once he makes a mistake, then the next processes would bedoubted, even it could be rejected by the court. As the process of acquisition is veryimportant in digital forensic, it should be handled properly. To obtain the output of theacquisition process is reliable; this journal discusses how to perform it properly on LinuxUbuntu machine.Usually and mostly the acquisition process is performed by using forensic applications suchas FTK Imager from Access Data and EnCase from Guidance Software running under MsWindows operating system. This journal gives different perspective to the digital forensicanalyst how to do it on Ubuntu analysis workstation. The output resulted from Ubuntumachine is the same as the output yielded from the applications above. With this condition,the analyst has many ways to perform the acquisition.One philosophy on digital forensic which is must be understood by the analyst is that neverrely on the analysis of digital forensic on one application only. It means that the analystshould have as many forensic applications as possible to perform one forensic job. With theset of these applications, the analyst could have many choices to do it and select one orsome of them which probably give the best results. To use these applications properly, theanalyst should also understand well the procedure of digital forensic.
Step 1: Preparing machine to be forensically sound write protect
After the booting process finishes, open the command console or terminal; and then typethe following command in order to be super user. With this condition, the super user hasprivilege to modify any file in the machine.
sudo
 –
s
After that, type the command below
gedit /etc/fstab
 This command is aimed to edit the file fstab stored in the folder /etc. Editing the file is
performed with the purpose of configuring “write protect” condition. Opening this file is
also done to ensure whether or not the
configuration of “write protect” has been applied.With the condition of “write protect”, any storage media such as hard disk, flash disk and so
on attached to the analysis machine through USB port is protected from any changes
 
Forensic Cop Journal Volume 2(3), Dec 2009
 
http://forensiccop.blogspot.com2
incidentally or deliberately. Any action applied to the evidence of storage media will notgive impact to the content of media. It means that the contents remain unchanged duringthe process of acquisition.
If the file has not been configured yet for the purpose of “write protect”,
the commandsbelow are added in the file of /etc/fstab. It could be put at the end of the file contents.
# Read Only Configuration/dev/sdb /media/sdbro auto noauto,user,ro,nosuid,nodev,uhelper=hal 0 0/dev/sdb1 /media/sdb1ro auto noauto,user,ro,nosuid,nodev,uhelper=hal 0 0/dev/sdb2 /media/sdb2ro auto noauto,user,ro,nosuid,nodev,uhelper=hal 0 0/dev/sdb3 /media/sdb3ro auto noauto,user,ro,nosuid,nodev,uhelper=hal 0 0/dev/sdb4 /media/sdb4ro auto noauto,user,ro,nosuid,nodev,uhelper=hal 0 0/dev/sdb5 /media/sdb5ro auto noauto,user,ro,nosuid,nodev,uhelper=hal 0 0
/media/sdbro is the mounting location of the evidence of storage media in which theevidence is usually marked as /dev/sdb, while /media/sdb1ro till /media/sdb5ro are themounting location of each partition which is marked as /dev/sdb1 to /dev/sdb5. The reasonwhy the number of partition is five is to anticipate the possibility of the storage media hasfive partitions. To prepare the mounting location as mentioned above, type the followingcommands.
mkdir /media/sdbromkdir /media/sdb1romkdir /media/sdb2romkdir /media/sdb3romkdir /media/sdb4romkdir /media/sdb5ro
After the configuration above has been added into the file /etc/fstab, the file is saved. Thefile has been ready for the purpose of forensically sound write protect. For furtherinformation, please access the forensic journal related to this topic athttp://forensiccop.blogspot.com. 
Step 2: Ensuring the evidence mounted
After the process of configuring the file /etc/fstab finishes, attach the evidence of storagemedia to the analysis workstation through USB port. For the evidence of hard disk, USB toIDE cable could be used, while for memory card, the card reader could be utilized. If theevidence is a flash disk, just plug it in the USB port directly.Type the following command to check the position of the evidence or device attached.Please make sure the evidence is /dev/sdb, /dev/sdc or others in order to avoid the mistakeof signing the device. With this command, the number of partition of the evidence can beseen clearly including its size.
fdisk -l
 
 
Forensic Cop Journal Volume 2(3), Dec 2009
 
http://forensiccop.blogspot.com3
Type the following command to ensure whether or not the storage media is mounted asread-only. It should be so as the file /etc/fstab has been previously configured for the
purpose of “write protect”.
 
mount
 
Step 3: Performing forensic imaging
Type the command below for performing forensic imaging. It means that the evidence of storage media is physically imaged (i.e. cloned) over bit stream copy. The output of thisprocess is the dd image file which is identical with the source.
dcfldd if=/dev/sdb of=MediaImage.dd conv=notrunc,noerror hashwindow=512hashlog=MediaHash.md5
 Besides making the dd image file, the command above shows the order to hash the sourceand put the results of hashing to the file of MediaHash.md5. This file is essential to checkwhether or not the process of forensic imaging is successful. This issue will be discussed inthe next step. For the name of the dd and the md5 file, it could be changed as wanted bythe analyst.When the size of the evidence of storage media is too big so that it cannot be saved in theanalysis workstation, the external hard drive could be used for this purpose. It means that
the command “of=MediaImage.dd” is placed in the mounting location of the external hard
drive. For instance, it is /media/harddiskname. To reach this path, type the commandbelow.
cd /media/harddiskname
 Ensure this location is not read-
only by using the command “
mount
”. Check the mounting
option of the external drive. It should be rw meaning read-write, so that the external drivecould be used to store the dd file.
Step 4: Checking the results through hashing
After the process of forensic imaging finishes, please verifying the dd file by hashing itthrough the following command.
md5sum MediaImage.dd > MediaImageHash.txt
 The txt file will contain the value of md5 of the dd file. This value is then compared with themd5 value of the evidence of storage media which is in this case MediaHash.md5. If themd5 values between these two items are exactly the same, it means that the process of forensic imaging is successful. On the other side, if it is different, it means that the processmust be repeated.To see the content of the MediaImageHash.txt, type the command below.
more MediaImageHash.txt
 

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->