Forensic Cop Journal

http://forensiccop.blogspot.com

Volume 1(3), Oct 2009

Forensically Sound Write Protect on Ubuntu
by Muhammad Nuh Al-Azhar, CHFI
MSc in Forensic Informatics from the University of Strathclyde, UK. Forensic Investigator at the Forensic Laboratory Centre of the Indonesian National Police HQ.

Introduction
The first principle according to ACPO (Association of Chief Police Officers) in the UK is “No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court” (ACPO, p4). This principle, applied by forensic investigators worldwide, requires investigators to take particular care when handling data held on computer storage media. Once that data is changed, the later phases of the examination are considered weak and open to doubt, and the results of the examination may even be rejected by the court. Changes are permissible only when the investigators know exactly what their actions are and what implications they have, for example when performing live imaging. To satisfy this principle, investigators apply write protection during the examination process, particularly when making the first forensic image. Write protection can take the form of either software or hardware. On Microsoft Windows there are many forensically sound write-protect tools offered to users, most of them commercial. Write protection is also available on Ubuntu, and there it is free: a small modification to the fstab file configures an Ubuntu machine as a forensically sound write blocker. This article discusses that configuration, including the experiments performed and the results obtained.

Experiments Preparation
A 4 GB flash disk is used as the object of these experiments. It is partitioned with GParted so that it has 4 partitions with different file systems. Below is the specification of each partition and the operating system installed on it using UNetbootin.
Partition 1: size=996.19 MB, file system ntfs.
Partition 2: size=996.22 MB, file system fat16, with BartPE as operating system.
Partition 3: size=996.19 MB, file system ext2, with Helix 3.0 as operating system.
Partition 4: size=847.15 MB, file system ext3, with Ubuntu 8.10 as operating system.

Partition 1 alone has no OS installed, because it is intended for storing files. This layout is meant to make the flash disk closely resemble a real hard disk with several partitions of different file systems.


fstab Configuration
Before configuring /etc/fstab, several subdirectories are first created in /media to serve as mount points for the flash disk when it is attached to the experimental machine. Seven new subdirectories are made in /media, namely:
/media/sdb1ro
/media/sdb2ro
/media/sdb3ro
/media/sdb4ro
/media/sdb5ro
/media/sdb6ro
/media/sdb7ro

Seven subdirectories are created so as to cover the number of partitions found on one hard disk, which usually has 2 to 4 partitions. fstab contains descriptive static information about the file systems; it is only read by programs, never written by them. Each line, describing the file system on one partition, comprises 6 fields: file system, mount point, type, options, dump and pass. Below is the revised configuration in /etc/fstab, edited using Text Editor.
/dev/sdb1 /media/sdb1ro auto noauto,user,ro,nosuid,nodev,uhelper=hal 0 0

/dev/sdb2 to /dev/sdb7 have the same configuration as /dev/sdb1 except for the mount point; for instance, /dev/sdb2 has /media/sdb2ro as its mount location. Below is the explanation of the selected options, quoted from the manual pages of mount and umount.
auto : mount will try to guess the desired type of file system.
noauto : the file system can only be mounted explicitly.
user : only the user that mounted a file system can umount it again.
ro : mount the file system read-only.
nosuid : do not allow set-user-identifier or set-group-identifier bits to take effect.
nodev : do not interpret character or block special devices on the file system.
uhelper=hal : the uhelper (unprivileged umount helper) can be used when a non-root user wants to umount a mountpoint which is not defined in the /etc/fstab file (e.g. devices mounted by HAL).
After this configuration was finished, it was saved in /etc/fstab.
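The fstab reconfiguration above is a few lines typed by hand; the following shell script is an added example (not the article's own script) that generates the same seven entries, creates the mount points and checks that an options field carries the protective flags. It assumes the removable disk appears as /dev/sdb and the mount points live under /media, and it takes the mount-point root and the fstab path as parameters so the procedure can be rehearsed on a copy before the real /etc/fstab is touched.

```shell
#!/bin/sh
# Added example (not the article's own script): generate the read-only fstab
# entries described above for /dev/sdb1 .. /dev/sdb7, create their mount
# points and check that an options field carries the protective flags.
# Assumptions: the removable disk appears as /dev/sdb and mount points live
# under /media; the root directory and the fstab path are parameters so the
# steps can be rehearsed on a copy before touching the real /etc/fstab.

# One fstab line for partition number $1, with the same options the article uses.
fstab_ro_line() {
    printf '/dev/sdb%s /media/sdb%sro auto noauto,user,ro,nosuid,nodev,uhelper=hal 0 0\n' "$1" "$1"
}

# All seven lines, sdb1 to sdb7.
fstab_ro_block() {
    i=1
    while [ "$i" -le 7 ]; do
        fstab_ro_line "$i"
        i=$((i + 1))
    done
}

# Create /media/sdb1ro .. /media/sdb7ro (or the same names under $1).
make_mount_points() {
    root="${1:-/media}"
    i=1
    while [ "$i" -le 7 ]; do
        mkdir -p "$root/sdb${i}ro"
        i=$((i + 1))
    done
}

# Append the block to the fstab file $1 unless a /dev/sdb1 entry already
# exists, so a second run cannot leave duplicate (and conflicting) lines.
append_entries() {
    fstab="$1"
    if grep -q '^/dev/sdb1 ' "$fstab" 2>/dev/null; then
        echo "entries for /dev/sdb already present in $fstab" >&2
        return 1
    fi
    fstab_ro_block >> "$fstab"
}

# Return 0 when a comma-separated options field contains ro, nosuid and nodev.
# Apply it to field 4 of a line from fstab or /proc/mounts to confirm that a
# mounted partition really is write-protected.
options_are_safe() {
    for want in ro nosuid nodev; do
        case ",$1," in
            *,"$want",*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Typical use on the analysis machine (as root):
#   cp /etc/fstab /etc/fstab.bak
#   make_mount_points /media
#   append_entries /etc/fstab
# and after "mount /media/sdb1ro":
#   options_are_safe "$(awk '$2 == "/media/sdb1ro" {print $4}' /proc/mounts)"
```

The check against /proc/mounts matters because an fstab entry only describes how a device should be mounted; the options actually in effect are what the kernel reports after the mount, and that is what should be recorded in the examination notes.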


Comparative Analysis
The 4 GB flash disk described above is plugged into the experimental machine with the reconfigured fstab; each partition is then mounted from the command console and md5sum is run to obtain the hash value of each partition. Below is the first result:
/dev/sdb1 94bb79d86726636c015df89e274df644
/dev/sdb2 9077f2c533bb50992bd0828b7f56d7c0
/dev/sdb5 b665c813c2db0aaca3c20cfa38a30023
/dev/sdb6 0578121443c16b0721857a19441d2da0

/dev/sdb5 and /dev/sdb6 correspond to partitions 3 and 4, because both are logical partitions. Each partition is then accessed with the file browser and some files are opened, after which I calculated the md5 value of each partition again. Below is the second result:
/dev/sdb1 94bb79d86726636c015df89e274df644
/dev/sdb2 9077f2c533bb50992bd0828b7f56d7c0
/dev/sdb5 b665c813c2db0aaca3c20cfa38a30023
/dev/sdb6 0578121443c16b0721857a19441d2da0

The md5 values of the first result are identical to those of the second, which means that the reconfigured fstab works well as forensically sound write protection that is applied automatically from the moment a removable medium is first attached to the machine.

Checking the Changes
In order to check the changes that might happen when a removable medium is attached to a computer, all write-protect settings in fstab are disabled. fstab is restored to its original state, with automount and read-write access. The experimental flash disk is plugged into the machine again, and the md5 value of each partition is calculated immediately. Below is the third result:
/dev/sdb1 94bb79d86726636c015df89e274df644
/dev/sdb2 9077f2c533bb50992bd0828b7f56d7c0
/dev/sdb5 9fffeaa755ebf36ef6285fb3272ed420
/dev/sdb6 db2b32be1a9d5de156787241f2413c5d

It is found that the md5 values of sdb1 and sdb2 remain the same, but sdb5 and sdb6 have changed without being accessed at all. This is consistent with the ext2 and ext3 drivers updating the superblock (mount count and last-mount time) on every read-write mount, so the device is altered even though no file was opened. Each partition is then accessed with the file browser twice, without opening or accessing any files, and md5sum is run again to check the hash values. Below is the fourth result:
/dev/sdb1 94bb79d86726636c015df89e274df644
/dev/sdb2 9077f2c533bb50992bd0828b7f56d7c0
/dev/sdb5 eb891ff58ad46540758cada117cb4983
/dev/sdb6 2043eaa09cc47b1f0743584151b87316

It is noticed that the md5 values of sdb1 (ntfs) and sdb2 (fat16) are still unchanged, but sdb5 (ext2) and sdb6 (ext3) changed merely because they were browsed with the file browser. Listing directories on an ext2 or ext3 file system mounted read-write can update the access time (atime) of the inodes read, which is enough to alter the on-disk image.
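The four measurements in "Comparative Analysis" and "Checking the Changes" follow one pattern: hash every partition, perform some action, hash again, compare. The following shell script is an added example (not the article's own code) that scripts that pattern so the comparison is recorded rather than done by eye. It assumes the partitions to check are passed as paths such as /dev/sdb1 /dev/sdb2 /dev/sdb5 /dev/sdb6 (reading a block device needs root); because md5sum treats any readable path the same way, ordinary files can stand in for devices when rehearsing the procedure.

```shell
#!/bin/sh
# Added example (not the article's own script): the before/after hash
# comparison used in "Comparative Analysis" and "Checking the Changes".
# Assumptions: the partitions to check are passed as paths, e.g.
# /dev/sdb1 /dev/sdb2 /dev/sdb5 /dev/sdb6 (reading a block device needs root);
# md5sum reads any path the same way, so plain files can stand in for devices
# when rehearsing.

# Print "md5  path" for each argument, the same format that md5sum -c accepts.
hash_devices() {
    for dev in "$@"; do
        md5sum "$dev" || return 1
    done
}

# Compare a baseline result file ($1) with a later one ($2). Prints one line
# per device and returns 1 if any hash differs or a device is missing from
# the baseline, 0 if every partition is unchanged.
compare_results() {
    before="$1"
    after="$2"
    changed=0
    while read -r sum dev; do
        old=$(awk -v d="$dev" '$2 == d {print $1}' "$before")
        if [ -z "$old" ]; then
            echo "MISSING  $dev (not in baseline)"
            changed=1
        elif [ "$old" != "$sum" ]; then
            echo "CHANGED  $dev $old -> $sum"
            changed=1
        else
            echo "same     $dev"
        fi
    done < "$after"
    return "$changed"
}

# Typical run (as root), mirroring the article's measurements:
#   hash_devices /dev/sdb1 /dev/sdb2 /dev/sdb5 /dev/sdb6 > result1.md5
#   ... browse the partitions with the file browser ...
#   hash_devices /dev/sdb1 /dev/sdb2 /dev/sdb5 /dev/sdb6 > result2.md5
#   compare_results result1.md5 result2.md5 || echo "write protection failed"
```

The same verdict can be obtained with md5sum -c result1.md5, which re-reads each path and reports OK or FAILED; keeping both result files, as above, preserves the exact before and after values as part of the examination record, which is what the article's tables show.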

Conclusion
It is too risky to acquire a removable medium through the USB port of an analysis machine without reconfiguring fstab, because the original fstab allows changes to the removable medium as soon as it is first attached. If this is done anyway, the acquisition for forensic imaging becomes questionable and open to doubt, and this can affect the subsequent steps of the forensic analysis. To avoid this, it is suggested to reconfigure /etc/fstab as explained above: in these experiments it provides full protection from the moment a removable medium is attached via the USB port, so it satisfies the requirement for forensically sound write protection. The experiments described above show that 'forensically sound write protect' on Ubuntu is essential for forensic investigators in order to avoid changes that might happen accidentally. Reconfiguring the fstab file for this purpose reliably preserves the contents of a storage medium, and with this technique investigators can analyse any computer with more flexibility and without worrying about making accidental changes.

Bibliography
ACPO. (2008). Good Practice Guide for Computer-Based Electronic Evidence. Available: http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf. Last accessed 30 September 2009.
Ferguson, I. (2008). Lab Session Guidance of CS936: Media Imaging. Glasgow: CIS Department of University of Strathclyde.
Ferguson, I. (2008). Stage 2: Preservation. Glasgow: CIS Department of University of Strathclyde.
Department of Justice, US. (2001). Electronic Crime Scene Investigation: A Guide for First Responders. Available: http://www.ncjrs.gov/pdffiles1/nij/187736.pdf. Last accessed 30 September 2009.
