
Validation:

Raptor LiveCD

Company Name

Test Name: Raptor LiveCD - Version 2.0 r20100417


Test Date: June 07, 2010
Revision 0.2
Erik Musick
Contents

0.1 Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

0.2 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

0.3 Test Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

0.4 Test Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

0.5 Test Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

0.6 Signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

0.1 Identification

Test Name: Raptor LiveCD - Version 2.0 r20100417

Test Date: June 07, 2010

Software Title: Raptor LiveCD

Software Version: 2.0 r20100417

Software Release Date: April 07, 2010

Software File Name: Raptor20100417.iso

Software Hash:
SHA-256: CA5215F9A064CBDB2C4060E876E537D61EE32CB7FA6D0761173944E672479FAC

Software Homepage: http://forwarddiscovery.com/Raptor

Software Local Archive: I:\5-Forensics\ NO REDISTRIBUTION\Operating Systems\Linux\Raptor\

0.2 Scope

Raptor is a LiveCD based on Ubuntu Linux for the purpose of forensic analysis. It includes a
built-in “toolbox” providing a GUI frontend for imaging, mounting, verifying, and sterilizing
media.

This validation tests whether the Raptor LiveCD can provide a sane forensic environment for
the purposes of live previews, imaging media, and verifying data. To achieve this environment,
no writes can be made to media unless explicitly allowed by the examiner. No automounting
of media, including existing swap files and partitions, can occur. The environment should
be able to produce copies of media that are verifiable.

0.3 Test Environment

Operating System: Microsoft Windows XP Professional SP3

CPU: Intel T2600 2.16GHz

Memory: 2GB

Additional Software Name 1: FTK Imager

Additional Software Version 1: 2.6.1.62

Additional Software Hash 1:
SHA-256: BF2FEE269980C3968CE2E04229E90E7E55BBBD1FCBCD70D56E89680E34650FE0

Additional Software Path 1: I:\5-Forensics\Software\Windows\Forensic\Imaging\

Additional Software Name 2: WinHex

Additional Software Version 2: 15.6 SR-6

Additional Software Hash 2:
SHA-256: 6AC61325620D67BECBE62A8CE3912FFCFE90BFC95561C23532F4C9899A2D0096

Additional Software Path 2: I:\5-Forensics\Software\Windows\Editors\Hex Editor\WinHex\15.6\

0.4 Test Data

Test Clause: Does not automount media on boot

Procedure:
  mount
  cat /etc/fstab

Expected Results: Mount and fstab do not display any attached media

Observed Results: Mount and fstab do not display any attached media

Notes: Mount shows what is mounted. Fstab shows available media to mount. An existing
Linux swap partition was found and displayed in fstab, but not mounted.

Test Clause: No swap is used

Procedure:
  mount
  cat /etc/fstab
  cat /cdrom/isolinux/text.cfg

Expected Results: Mount and fstab do not display swap. Text.cfg should indicate that the
“noswap” option is passed to the default boot kernel.

Observed Results: Mount does not display swap. Fstab displays an entry for a swap partition
found on the host machine. Text.cfg indicates that the “noswap” option is passed to the
default boot kernel.

Notes: Although fstab has an entry for swap with options “swap swap defaults 0 0,” it is
not automatically enabled.

Test Clause: Defaults mounting to read-only in the toolbox

Procedure:
  Execute the “Raptor Toolbox”
  Select the “Mount” tab

Expected Results: A method to toggle read and write modes

Observed Results: A checkbox exists to “Allow changes,” and is not checked by default

Notes:

Test Clause: Defaults mounting to read-only in the terminal

Procedure:
  mkdir /mnt/test
  mount /dev/sda1 /mnt/test

Expected Results: Mount command shows the partition as read-only (ro)

Observed Results: Mount displays “/dev/sda1 on /mnt/test type ext3 (ro3)”

Notes: One must use sudo to mount. Mounting throws an error: “mount: block device
/dev/sda1 is write-protected, mounting read-only”

Test Clause: Manual shutdown via terminal makes no writes to the media

Procedure:
  Obtain the MD5 hash of the virtual hard drive
  Boot the Raptor LiveCD
  shutdown -h now
  Verify the MD5 is the same

Expected Results: Pre- and post-shutdown MD5 values match

Observed Results: Pre- and post-shutdown MD5 values match

Notes:

Test Clause: GUI shutdown makes no writes to media

Procedure:
  Obtain the MD5 hash of the virtual hard drive
  Boot the Raptor LiveCD
  Click the power button in the top-right of the menu bar
  Select “Shutdown”
  Verify the MD5 is the same

Expected Results: Pre- and post-shutdown MD5 values match

Observed Results: Pre- and post-shutdown MD5 values match

Notes:
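A shell helper, added here as a worked example and not part of Raptor or its Toolbox, that automates the pre-boot and post-shutdown digest comparison the two shutdown tests above rely on; the function names and the constructed 1 MiB sample image are assumptions of this example, and it records SHA-1 alongside the MD5 the report used.

```shell
#!/bin/sh
# Added example (not Raptor's own code): snapshot the digests of a device or
# image before booting a LiveCD and confirm they are unchanged after shutdown.
# Function names and the sample image below are constructed for this example.
set -u

# Print "<md5> <sha1>" for the given path (a block device or an image file).
media_hashes() {
    md5=$(md5sum "$1" | cut -d' ' -f1)
    sha1=$(sha1sum "$1" | cut -d' ' -f1)
    printf '%s %s\n' "$md5" "$sha1"
}

# Compare a snapshot taken before the boot with a fresh one taken afterwards.
# Returns 0 when both digests still match (no writes occurred), 1 otherwise.
verify_unchanged() {
    snapshot="$1"   # output of media_hashes captured before the LiveCD booted
    path="$2"
    now=$(media_hashes "$path")
    if [ "$snapshot" = "$now" ]; then
        echo "PASS: $path unchanged (md5 sha1 = $now)"
        return 0
    fi
    echo "FAIL: $path was modified"
    echo "  before: $snapshot"
    echo "  after:  $now"
    return 1
}

# Demonstration on a constructed 1 MiB "virtual hard drive" file.
demo=$(mktemp)
dd if=/dev/urandom of="$demo" bs=1024 count=1024 2>/dev/null
pre=$(media_hashes "$demo")
verify_unchanged "$pre" "$demo"                          # PASS
printf 'x' | dd of="$demo" bs=1 seek=4096 conv=notrunc 2>/dev/null
verify_unchanged "$pre" "$demo" || true                  # FAIL: a write occurred
rm -f "$demo"
```

Hashing a real block device with these functions requires read access to the device node, typically via sudo, as the terminal mount test notes.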

Test Clause: Mounting via Toolbox without enabling “Allow changes” mounts read-only

Procedure:
  Launch the Raptor Toolbox
  Select the “Mount” tab
  Select “/dev/sda1” for mounting
  Ensure that “Allow Changes” is not checked
  Mount the drive
  Attempt to create a directory on the newly mounted partition

Expected Results: A read-only error

Observed Results: A read-only error

Notes: A directory listing does not show the attempted mkdir entry

Test Clause: Mounting via Toolbox enabling “Allow changes” mounts writeable

Procedure:
  Launch the Raptor Toolbox
  Select the “Mount” tab
  Select “/dev/sda1” for mounting
  Ensure that “Allow Changes” is checked
  Mount the drive
  Attempt to create a directory on the newly mounted partition

Expected Results: No error, and a directory listing shows the created directory

Observed Results: No error, and a directory listing shows the created directory

Notes:

Test Clause: Creates valid MD5 digests

Procedure:
  md5deep -b -r D:\isolinux\ outside of the Raptor environment
  Boot Raptor
  Use the Raptor Toolbox Verify command on single files (i.e. dcfldd bs=32k
  of=/dev/null hash=md5 if=/cdrom/isolinux/am.tr)
  Check this against the hashes obtained via md5deep

Expected Results: Both hash values should match

Observed Results: Both hash values match

Notes:

Test Clause: Creates valid SHA1 digests

Procedure:
  sha1deep -b -r D:\isolinux\ outside of the Raptor environment
  Boot Raptor
  Use the Raptor Toolbox Verify command on single files (i.e. dcfldd bs=32k
  of=/dev/null hash=sha1 if=/cdrom/isolinux/am.tr)
  Check this against the hashes obtained via sha1deep

Expected Results: Both hash values should match

Observed Results: Both hash values match

Notes:

Test Clause: Creates valid raw images (dd)

Procedure:
  Create a physical dd image of the flash drive using FTK Imager
  Save the MD5 and SHA1 values from the FTK Imager report
  Boot Raptor
  Launch the Raptor Toolbox and select the “Image” tab
  Create a raw dd image of the physical flash drive
  Check the “Verify after creation” checkbox
  Compare the MD5 and SHA1 hash values

Expected Results: FTK Imager and Raptor generated the same MD5 and SHA1 hashes for the
acquired dd image

Observed Results: FTK Imager and Raptor generated the same MD5 and SHA1 hashes for the
acquired dd image

Notes: FTK Imager from AccessData version 2.6.1.62

Test Clause: Creates valid E01 image

Procedure:
  Create a physical E01 image of the flash drive using FTK Imager
  Save the MD5 and SHA1 values from the FTK Imager report
  Boot Raptor
  Launch the Raptor Toolbox and select the “Image” tab
  Create an E01 image of the physical flash drive
  Check the “Verify after creation” checkbox
  Compare the MD5 and SHA1 hash values

Expected Results: FTK Imager and Raptor generated the same MD5 and SHA1 hashes for the
acquired E01 image

Observed Results: FTK Imager and Raptor generated the same MD5 and SHA1 hashes for the
acquired E01 image

Notes: FTK Imager from AccessData version 2.6.1.62. Raptor uses ewfacquirestream with a
compression level of “fast.” FTK Imager ignores compression settings for E01 files and
appears to default to 0. Due to the variable compression levels and the inflexible nature
of available applications, it is inconclusive at this time whether or not Raptor can
generate valid E01 image files.

Test Clause: Wipe media

Procedure:
  Launch the Raptor Toolbox
  Select the “Wipe” tab
  Select media and check “Verify after wipe”
  View the results with WinHex to ensure 0x00 occupies the media entirely
  Perform a checksum64 with WinHex

Expected Results: Target media is written with 0x00 and checksum64 reports all zeros

Observed Results: Target media is written with 0x00 and checksum64 reports all zeros

Notes: Raptor LiveCD uses dcfldd pattern=00 bs=32k of=/dev/sdb sizeprobe for wiping. An
undetermined verify function is performed. Verification reports only appear on unsuccessful
verifies. WinHex version 15.6 SR-6 was used in testing.
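Added example, not part of the Raptor Toolbox: a shell check that a wiped device or image is entirely 0x00, reporting the first offending offset otherwise, plus a helper that derives the digest any correctly wiped media of a given size must produce, so the wipe can also be confirmed with a hash tool when no hex editor is at hand; the function names and the constructed 16 KiB sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Raptor's own code): verify that media has been wiped to
# 0x00 and compute the digest an all-zero device of that size must have.
# Function names and the sample file below are constructed for this example.
set -u

# Size in bytes of a regular file; a real block device would need
# `blockdev --getsize64` instead (assumption: images are files here).
media_size() {
    wc -c < "$1" | tr -d ' '
}

# Returns 0 when every byte of $1 is 0x00, 1 otherwise. On failure it reports
# the zero-based offset of the first non-zero byte (cmp -l counts from 1).
verify_zero_filled() {
    path="$1"
    size=$(media_size "$path")
    first=$(head -c "$size" /dev/zero | cmp -l - "$path" 2>/dev/null | head -n 1 | awk '{print $1}')
    if [ -z "$first" ]; then
        echo "PASS: $path is $size bytes of 0x00"
        return 0
    fi
    echo "FAIL: $path has a non-zero byte at offset $((first - 1))"
    return 1
}

# MD5 that a correctly wiped device of $1 bytes must hash to; compare it with
# what dcfldd hash=md5 or md5sum reports for the wiped device.
zero_digest_md5() {
    head -c "$1" /dev/zero | md5sum | cut -d' ' -f1
}

# Demonstration on a constructed 16 KiB zero-filled file.
demo=$(mktemp)
dd if=/dev/zero of="$demo" bs=1024 count=16 2>/dev/null
verify_zero_filled "$demo"                            # PASS
echo "expected md5 of $(media_size "$demo") zero bytes: $(zero_digest_md5 "$(media_size "$demo")")"
printf '\001' | dd of="$demo" bs=1 seek=100 conv=notrunc 2>/dev/null
verify_zero_filled "$demo" || true                    # FAIL at offset 100
rm -f "$demo"
```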

Test Clause: Formats NTFS

Procedure:
  Launch the Raptor Toolbox
  Select the “Format” tab
  Select media, enter a label, and check “NTFS”
  Perform checkdisk from the host machine

Expected Results: No errors are reported

Observed Results: No errors are reported

Notes: Raptor LiveCD uses mkntfs -f -L NTFS TEST /dev/sdb1 for formatting NTFS.

Test Clause: Formats FAT32

Procedure:
  Launch the Raptor Toolbox
  Select the “Format” tab
  Select media, enter a label, and check “FAT32”
  Perform checkdisk from the host machine

Expected Results: No errors are reported

Observed Results: No errors are reported

Notes: Raptor LiveCD uses mkfs.vfat -I -n FAT32 TEST /dev/sdb1 for formatting FAT32.

0.5 Test Conclusion

Test Clause                                                              Result
Does not automount media on boot                                         Pass
No swap is used                                                          Pass
Defaults mounting to read-only in the toolbox                            Pass
Defaults mounting to read-only in the terminal                           Pass
Manual shutdown via terminal makes no writes to the media                Pass
GUI shutdown makes no writes to media                                    Pass
Mounting via Toolbox without enabling “Allow changes” mounts read-only   Pass
Mounting via Toolbox enabling “Allow changes” mounts writeable           Pass
Creates valid MD5 digests                                                Pass
Creates valid SHA1 digests                                               Pass
Creates valid raw images (dd)                                            Pass
Creates valid E01 image                                                  Inconclusive
Wipe media                                                               Pass
Formats NTFS                                                             Pass
Formats FAT32                                                            Pass

All test clauses passed successfully with one exception. The test for creation of valid E01
images is inconclusive at this time. Due to the nature of available applications with respect
to undefined compression schemes, it is difficult to ascertain how to compare the resulting
hash values as there is no way to create the same image with two different applications.

The recommendation for Raptor LiveCD version 2.0 r20100417 is to accept in part.
Acknowledging an inconclusive test for E01 images, Raptor LiveCD version 2.0 r20100417 meets
the criteria set forth above.

0.6 Signature

Validation Author: Erik Musick

Lab Supervisor:
