Introduction to Linux
Version 4.33
Jun 2018
Barry J. Grundy
bgrundy@LinuxLEO.com
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform
LEGALITIES................................................................................................................................ 5
ACKNOWLEDGMENTS..................................................................................................................... 5
FOREWORD............................................................................................................................... 6
A WORD ABOUT THE “GNU” IN GNU/LINUX.......................................................................................7
WHY LEARN LINUX?.................................................................................................................... 7
WHERE’S ALL THE GUI TOOLS?....................................................................................................... 9
THE EXERCISES – NEW AND OLD..................................................................................................... 9
LINUXLEO YOUTUBE CHANNEL..................................................................................................... 10
CONVENTIONS USED IN THIS DOCUMENT............................................................................................ 10
I. INSTALLATION..............................................................................................................12
DISTRIBUTIONS......................................................................................................................... 12
SLACKWARE AND USING THIS GUIDE...........................................................................................14
INSTALLATION METHODS............................................................................................................... 15
SLACKWARE INSTALLATION NOTES.................................................................................................... 15
SYSTEM USERS......................................................................................................................... 17
ADDING A NORMAL USER........................................................................................................ 17
THE SUPER USER................................................................................................................. 18
DESKTOP ENVIRONMENT............................................................................................................... 19
THE LINUX KERNEL.................................................................................................................... 20
KERNEL AND HARDWARE INTERACTION...............................................................................................20
HARDWARE CONFIGURATION..................................................................................................... 21
KERNEL MODULES................................................................................................................ 22
HOTPLUG DEVICES AND UDEV................................................................................................... 24
HOT PLUGGING DEVICES AND DESKTOPS......................................................................................25
II. LINUX DISKS, PARTITIONS AND THE FILE SYSTEM........................................27
DISKS................................................................................................................................... 27
DEVICE NODE ASSIGNMENT – LOOKING CLOSER....................................................................................30
THE FILE SYSTEM...................................................................................................................... 32
MOUNTING EXTERNAL FILE SYSTEMS................................................................................................ 33
THE MOUNT COMMAND.......................................................................................................... 34
THE FILE SYSTEM TABLE (/ETC/FSTAB)........................................................................................37
DESKTOP MOUNTING............................................................................................................. 38
III. THE LINUX BOOT SEQUENCE (SIMPLIFIED).....................................................41
BOOTING THE KERNEL.................................................................................................................. 41
SYSTEM INITIALIZATION................................................................................................................ 42
RUNLEVEL............................................................................................................................... 42
GLOBAL STARTUP SCRIPTS............................................................................................................ 43
SERVICE STARTUP SCRIPTS........................................................................................................... 44
BASH.................................................................................................................................... 44
IV. BASIC LINUX COMMANDS......................................................................................46
LINUX AT THE TERMINAL............................................................................................................... 46
ADDITIONAL USEFUL COMMANDS...................................................................................................... 48
COMMAND LINE MATH................................................................................................................ 50
BC – THE BASIC CALCULATOR..................................................................................................... 50
BASH SHELL ARITHMETIC EXPANSION........................................................................................... 52
FILE PERMISSIONS...................................................................................................................... 53
PIPES AND REDIRECTION.............................................................................................................. 54
FILE ATTRIBUTES....................................................................................................................... 57
METACHARACTERS..................................................................................................................... 59
COMMAND HINTS...................................................................................................................... 59
V. EDITING WITH VI........................................................................................................60
THE JOY OF VI......................................................................................................................... 60
VI COMMAND SUMMARY................................................................................................................ 61
VI. CONFIGURING A FORENSIC WORKSTATION...................................................62
SECURING THE WORKSTATION........................................................................................................ 62
CONFIGURING “RC” (STARTUP) SERVICES......................................................................................63
HOST BASED ACCESS CONTROL................................................................................................ 66
HOST BASED FIREWALL WITH IPTABLES......................................................................................... 71
UPDATING THE OPERATING SYSTEM.................................................................................................. 75
USING SLACKPKG.................................................................................................................. 76
INSTALLING AND UPDATING “EXTERNAL” SOFTWARE...............................................................................78
COMPILING FROM SOURCE....................................................................................................... 78
USING DISTRIBUTION PACKAGES................................................................................................80
BUILDING PACKAGES – SLACKBUILDS..........................................................................................81
USING THE AUTOMATED PACKAGE TOOL SBOTOOLS...........................................................................85
VII. LINUX AND FORENSICS.........................................................................................91
EVIDENCE ACQUISITION................................................................................................................ 91
ANALYSIS ORGANIZATION........................................................................................................ 91
WRITE BLOCKING................................................................................................................. 93
EXAMINING THE PHYSICAL MEDIA INFORMATION...............................................................................94
HASHING MEDIA.................................................................................................................. 99
COLLECTING A FORENSIC IMAGE WITH DD....................................................................................100
DD AND SPLITTING IMAGES..................................................................................................... 102
ALTERNATIVE IMAGING TOOLS................................................................................................. 105
DC3DD........................................................................................................................... 106
LIBEWF AND EWFACQUIRE....................................................................................................... 113
MEDIA ERRORS - DDRESCUE................................................................................................... 123
IMAGING OVER THE WIRE...................................................................................................... 132
OVER THE WIRE - DD.......................................................................................................... 135
OVER THE WIRE - DC3DD..................................................................................................... 136
OVER THE WIRE - EWFACQUIRESTREAM.......................................................................................138
OVER THE WIRE – OTHER OPTIONS.........................................................................................140
PREPARING A DISK FOR THE SUSPECT IMAGE................................................................................145
FINAL WORDS ON IMAGING.................................................................................................... 147
MOUNTING EVIDENCE................................................................................................................ 148
STRUCTURE OF THE IMAGE..................................................................................................... 148
IDENTIFYING FILE SYSTEMS.................................................................................................... 150
THE LOOP DEVICE.............................................................................................................. 151
LOOP OPTION TO THE MOUNT COMMAND......................................................................................151
LOSETUP.......................................................................................................................... 152
MOUNTING FULL DISK IMAGES WITH LOSETUP...............................................................................154
MOUNTING MULTI PARTITION IMAGES WITH KPARTX.........................................................................157
MOUNTING SPLIT IMAGE FILES WITH AFFUSE.................................................................................160
MOUNTING EWF FILES WITH EWFMOUNT....................................................................................164
ANTI-VIRUS – SCANNING THE EVIDENCE FILE SYSTEM WITH CLAMAV........................................................166
BASIC DATA REVIEW ON THE COMMAND LINE....................................................................................170
XI. CONCLUSION............................................................................................................306
Legalities
Acknowledgments
The list of colleagues that have contributed over the many years has grown. I remain grateful to all that have given their time in reviewing and providing valuable feedback, and in some cases, simple encouragement to all versions of this guide over the years. My continued thanks to Cory Altheide, Brian Carrier, Christopher Cooper, Nick Furneaux, John Garris, Robert-Jan Mora, and Jesse Kornblum for helping me lay the foundation for this guide. And for more recent assistance, I'd like to thank Jacques Boucher, Tobin Craig, Simson Garfinkel, Andreas Guldstrand, Bill Norton, Paul Stephens, Danny Werb, and as always, Robby Workman.

Finally, I cannot go without thanking my wife Jo and my sons Patrick and Tommy for the seemingly endless patience as the work was underway.
Foreword
It's been nearly ten years since this guide has been officially updated, and over fifteen years since its initial public release. In that time, we've seen significant changes to the forensic industry, and a massive growth in the development of software and techniques used to uncover evidence from an ever expanding universe of devices. The purpose of this document, however, remains unchanged. I am looking to provide an easy to follow and accessible guide for forensic examiners across the full spectrum of this forensic discipline; law enforcement officers, incident responders, and all computer specialists responsible for the investigation of digital evidence. This guide continues to provide an introductory overview of the GNU/Linux (Linux) operating system as a forensic platform for digital investigators and forensic examiners.

Above all, this remains a beginner's guide. An introduction. It is not meant to be a full course on conducting forensic examinations. This document is about the tools and the concepts used to employ them. Introducing them, providing simple guidance on using them, and some ideas on how they can be integrated into a modern digital forensics laboratory or investigative process. This is also a hands on guide. It's the best way to learn and we'll cover both basic GNU/Linux utilities and specialized software through short exercises.

GNU/Linux is a constantly evolving operating system. Distributions come and go, and there are now a number of "stand out" Linux flavors that are commonly used. In addition to balancing the beginner nature of the content of this guide with the advancing standards in forensic education, I also find myself trying to balance the level of detail required to actually teach useful tasks with the distribution specific nature of many of the commands and configurations used.
As we will discuss in further detail later in this guide, many of the details are specific to one flavor of Linux. In most cases, the commands are quite portable and will work on most any system. In other cases (package management and configuration editing, etc.) you may find that you need to do some research to determine what needs to be done on your platform of choice. The determination to provide specific details on actually configuring a specific system came about through overwhelming request for guidance. The decision to use my Linux distribution of choice for forensics as an example is personal.

Over the years I have repeatedly heard from colleagues that have tried Linux by installing it, and then proceeded to sit back and wonder "what next?" I have also entertained a number of requests and suggestions for a more expansive exploration of tools and utilities available to Linux for forensic analysis at the application level as well as numerous requests for proper configuration guidelines for a baseline Linux workstation. You have a copy of this introduction. Now download the exercises and drive on. This is only the start of your reading. Utilized correctly, this guide should prompt many more questions and kick start your learning. In the years since this document was first released a number of excellent books with far more detail have cropped up covering open source tools and Linux forensics. I still like to think this guide will be useful for some.
http://www.LinuxLEO.com
One of the questions heard most often is: "why should I use Linux when I already have [insert Windows GUI forensic tool here]?" There are many reasons why Linux is quickly gaining ground as a forensic platform. I'm hoping this document will illustrate some of those attributes.
• Control – not just over your forensic software, but the whole OS and attached hardware.
• Flexibility – boot from a CD (to a complete OS), file system support, platform support, etc.
• Power – A Linux distribution is (or can be) a forensic tool.
Another point to be made is that simply knowing how Linux works is becoming more and more important. While many of the Windows based forensic packages in use today are fully capable of examining Linux systems, the same cannot be said for the examiners.

As Linux becomes more and more popular, both in the commercial world and with desktop users, the chance that an examiner will encounter a Linux system in a case becomes more likely (especially in network investigations). Even if you elect to utilize a Windows forensic tool to conduct your analysis, you must at least be familiar with the OS you are examining. If you do not know what is normal, then how do you know what does not belong? This is true on so many levels, from the actual contents of various directories to strange entries in configuration files, all the way down to how files are stored. While this document is more about Linux as a forensic tool rather than analysis of Linux, you can still learn a lot about how the OS works by actually using it.

There is also the issue of cross-verification. A working knowledge of Linux and its forensic utility can provide an examiner with alternative tools on an alternative platform to use as a method to verify the findings of other tools on other operating systems. Many examiners have spent countless hours learning and using common industry standard Microsoft Windows forensic tools. It would be unrealistic to think that reading this guide will give an examiner the same level of confidence, sometimes built through years of experience, as they have with their traditional tools of choice. What I can hope is that this guide will provide enough information to give the examiner "another tool for the toolbox", whether it's imaging, recovering, or examining. Linux as an alternative forensic platform provides a perfect way to cross check your work and verify your results, even if it is not your primary choice.
The first is that Linux (and UNIX) find their foundation at the command line. Modern Linux and UNIX implementations are still, at their hearts, driven by a system that is most accessible from a command line interface. For this reason, knowing how to interact with the command line provides examiners the widest range of capabilities regardless of the distribution or configuration of Linux encountered. Yes, this is about forensic tools and utilities, but it's also about becoming comfortable with Linux. It is for this reason that we continue to learn a command line editor like vi and simple bit level copying tools like dd. There's a very high probability that any Linux/UNIX system you come across will have these tools.

Second is that knowing and understanding the command line is, in and of itself, a very powerful tool. Once you realize the power of command pipes and flow control (using loops directly on the command line), you will find yourself able to power through problems far faster than you previously thought. Learning the proper use and power of utilities like awk, sed, and grep will open some powerful techniques for parsing structured logs and other data sources. This guide should provide some basic understanding of how those can be used. Once you understand and start to leverage this power, you will find yourself pining for a command line and its utilities when one is not available.
There are updates across the board in this version of the guide. Where old (and still useful) exercises remain from previous versions, the output and tool usage has been refreshed to reflect the current versions of the tools used. While somewhat aging, these exercises and the files used to present them remain useful and have not been removed.

New exercises have also been added to allow for additional content covering application layer analysis tools and other recent additions to the Linux forensics arsenal. Keep in mind that while this document does cover some forensic strategies and basic fundamentals, it is really about the tools we use and the concepts behind employing them. As such some of the older exercise files may seem a bit dated but they still serve the purpose of providing a problem set on which we can learn commands regardless of the target.

This version of the guide is NOT a sequel. It's an update – but with some new material.
You can find demonstrations and simple video examples of some of the following chapters on the LinuxLEO YouTube channel at 1:

There is little content there now, but more will be added as time goes on. Subscribe and you will be notified as videos are uploaded.
When illustrating a command and its output, you will see something like the following:
root@forensic1:~# command
output
root@forensic1:~#
1 I know – not a pretty URL, but I need subscribers for that!
barry@forensic1:~$
root@forensic1:~# command
... <--- removed output for brevity
output
... <--- removed output for brevity
I. Installation
Much has changed in the past few years with respect to the robustness and feature set of the current Linux kernels. Hardware detection and configuration used to present some unique challenges for Linux novices. While issues can still occasionally arise, the fact is that setting up a Linux machine as a simple workstation is no longer the nail biting exercise in frustration that it once was. Kernel detection of hardware has become the norm, and most distributions of Linux can be installed with a minimum of fuss on all but the most cutting edge hardware (and usually even then).

For the vast majority of computers out there, the default kernel drivers and settings will work "out of the box" for both old and new systems. The range of online help available for any given distribution is far wider now than it was even ten years ago, and most problems can be solved with a targeted Internet search. For the most part, solutions that are effective on one distribution will be effective across the board. This may not always be the case, but if you are familiar with your system, you can often interpret solutions and apply them to your particular platform.

If your Linux machine is to be a dual boot system with Windows, you can use the Windows Device Manager to record all your installed hardware and the settings used by Windows. Hardware compatibility and detection have been greatly improved over the past couple of years. Most of the recent versions of Linux distributions have extraordinary hardware detection. But it still helps to have a good idea of the hardware you are using so if problems do arise your support queries can be targeted.
Distributions
management architecture and configuration, etc.) and the package format (the software install and upgrade path) most commonly differentiate the various Linux distros.

Previous versions of this guide provided a short list of distros and a summary description of each. That has been removed here for a more descriptive explanation of why we have so many distributions, and how you can choose from among them. Everyone has an opinion on these, and they all have their strengths and apparent weaknesses.
▪ BlackArch Linux – A newer project, based on Arch Linux, that provides another alternative "out of the box" security focused distribution.
There are many others, along with selections for security focused bootable distros, "lightweight" distros, and many others. Don't let the options confuse you, though. Find a mainstream distribution, install it and learn it.

Our previously mentioned "general workstation" Linux distros are all perfectly suitable for use as a forensic platform. A majority of people new to Linux are gravitating toward Ubuntu as their platform of choice. The support community is huge, and a majority of widely available software for Linux forensics is specifically built for and supported on Ubuntu (though not exclusively in most cases). On a personal note, I find Ubuntu less than ideal for learning Linux. This is NOT to say that Ubuntu or its variations don't make excellent forensic platforms. But this guide is focused on learning, and part of that journey includes starting with a clean slate and understanding how the operating system works and is made to suit your environment. For that we focus on a more Unix like distribution.
If you are unsure where to start, will be using this guide as your primary reference, and are interested mainly in forensic applications of Linux, then I would suggest Slackware. The original commercial distribution, Slackware has been around for years and provides a good standard Linux that remains true to the Unix philosophy. Not over-encumbered by GUI configuration tools, Slackware aims to produce the most "UNIX-like" Linux distribution available. One of my personal favorites, and in my humble opinion, currently one of the best choices for a forensic platform. (http://www.slackware.com/). This guide is tailored for use with a Slackware Linux installation.

Because of differences in architecture, the Linux distribution of your choice can cause different results in commands' output and different behavior overall. Additionally, some sections of this document describing configuration files, startup scripts or software installation, for example, might appear vastly different depending on the distro you select.
Slackware Linux is stable, consistent, and simple. As always, Linux is Linux. Any distribution can be changed to function like any other (in theory). However, my philosophy has always been to start with an optimal system, rather than attempt to "roll back" a system heavily modified and optimized for the desktop rather than a forensic workstation.
Installation Methods
During a standard installation, much of the work is done for you, and relatively safe defaults are provided. As mentioned earlier, hardware detection has gone through some great improvements in recent years. I strongly believe that many (if not most) Linux distros are far easier and faster to install than other "mainstream" operating systems. Typical Linux installation is well documented online (check your specific distribution's website for more information). There are numerous books available on the subject, and most of these are supplied with a Linux distribution ready for install.

Familiarize yourself with Linux disk and partition naming conventions (covered in Chapter II of this document) and you should be ready to start.

If you do decide to give Slackware a shot, here are some simple guidelines. The documentation provided on Slackware's site is complete and easy to follow. Read there first – please.

Decide on standalone Linux or dual boot. Install Windows first in a dual boot system. Determine how you want the Linux system to be partitioned. A single root partition and a single swap partition are fine. You might find it easier when first starting out to install Linux in a virtual machine (VM), either through VirtualBox or VMware for example. This will allow you to snapshot along the way and recover from any errors. It also provides you with access to community support via the host while installing your Linux system in a VM. Using Linux in a virtual machine is a perfectly acceptable way to follow this guide, and probably the easiest if you are an absolute beginner.
READ through the installation documentation before you start the process. Don't be in a hurry. If you want to learn Linux, you have to be willing to read. For Slackware, have a look through the installation chapters of the updated "Slack Book" located at http://www.slackbook.org/beta. There are detailed instructions there if you need step by step help, including partitioning, etc. For a basic understanding of how Slackware works and how to use it, the Slack Book should be your first stop. Some of it may be a bit outdated, but the majority of it still applies.
• When asked to format the root partition, I would suggest selecting the ext4 file system.
• When asked which packages to select for installation, it is usually safe for a beginner to select "everything" or "full". This allows you to try all the packages, along with multiple X Window desktop environments. This can take as much as 8GB to 12GB on some of the newer distributions (7GB on Slackware, depending on options), however it includes all the software you are likely to need for a long time (including many "office" type applications, Internet, e-mail, etc.). For a learning box it will give you the most exposure to available software for experimentation and additionally ensures that you don't omit libraries that may be needed for software compilation later.
4) Installation Configuration
• Boot Method (the Boot loader – selects the OS to boot)
• Be mindful of EFI vs. legacy BIOS options. Where possible, set the BIOS to legacy mode.
• LILO or GRUB.
• LILO is the default for Slackware. Some find GRUB more flexible and secure. GRUB can be installed later, if you like. Personally, I prefer LILO.
• Usually select the option to install LILO to the master boot record (MBR). The presence of other boot loaders (as provided by other operating systems) determines where to install LILO or GRUB.
• If you must use EFI, skip this and install lilo or GRUB manually. You should read README_UEFI.TXT on the install media's root directory before beginning the installation process.
• The boot loader contains the code that points to the kernel to be booted.
• Create a user name for yourself – avoid using root exclusively.
• For more information, check the file CHANGES_AND_HINTS.TXT on the install media. This file is loaded with useful hints and changes of interest from one release to another.
System Users
Forensic analysis, most notably acquisitions, and basic system administration will normally require root permissions. But simply logging in as root and conducting your analysis, particularly from an X Window session, is not advisable. We need to add a normal user account. From there you can use su to log in as root temporarily (covered in the next section).
• Login Name
• UID (user ID)
• Initial Group and Group membership
• Home Directory
• Shell
• Account Expiration Date
• Account General Info (name, address, etc.)
• Password
For the most part, the defaults are acceptable (even the default groups – be careful not to skip this part). You invoke the script with the command adduser (run as root, obviously) and the program will prompt you for the required information. When it asks you for additional groups, be sure to use the up arrow on your keyboard to display available groups. Accepting the default is fine for our purposes.
Once complete, you can log out completely using the exit command and log back in as a normal user.
So, we’ve established that we need to run our system as a normal user. If Linux gives you an error message "Permission denied", then in all likelihood you need to be root to execute the command or edit the file, etc. You don’t have to log out and then log back in as root to do this. Just use the su command to give yourself root permissions (assuming you know root’s password). Enter the password when prompted. You now have root privileges (the system prompt will reflect this). When you are finished using your su login, return to your original login by typing exit. Here is a sample su session:
barry@forensic1:~$ su -
Password:
root@forensic1:~# whoami
root
root@forensic1:~# exit
logout
barry@forensics1:~$
Note that the "-" after su allows Linux to apply root’s environment (including root’s path) to your su login. So you don’t have to enter the full path of a command. Actually, su is a “switch user” command, and can allow you to become any user (if you know the password), not just root. Notice that after we type exit as root, our prompt indicates that we are back to our normal user.
Desktop Environment
When talking about forensic suitability, your choice of desktop system can make a difference. First of all, the terms “desktop environment” and “window manager” are NOT interchangeable. Let’s briefly clarify the components of a common Linux GUI.
management over the desire for “eye-candy”, etc. You can also elect to run a Window Manager without a desktop environment. For example, the Enlightenment Window Manager is known for its eye-candy and can be run standalone, with or without KDE or GNOME, etc.
Slackware no longer comes with GNOME as an option, though it can be installed like any other application. During the base Slackware installation, you will be given a choice of KDE, XFCE, and some others. I would like to suggest XFCE. It provides a cleaner interface for a beginner to learn on. It is leaner and therefore less resource intensive. You still have access to many KDE utilities, if you elected to install KDE during package selection. You can install more than one desktop and switch between them, if you like. The easiest way to switch is with the xwmconfig command.
As with all forensic tools, we need to have a clear view of how any kernel version will interact with our forensic platforms and subject hardware. Almost all current distributions of Linux already come with a version 4 kernel installed by default, including Slackware (4.4).
root@forensic1:~# uname -a
Linux forensic1 4.4.14 #2 SMP Fri Jun 24 13:38:27 CDT 2016 x86_64 Intel(R)
Core(TM) i5-3550 CPU @ 3.30GHz GenuineIntel GNU/Linux
The key to the safe forensic use (from an evidentiary standpoint) of ANY operating system is knowledge of your environment and proper testing. Please keep that in mind. You MUST understand how your hardware and software interact with any given operating system before using it in a “production” forensic analysis. If for some reason you feel the need to upgrade your kernel to a newer version (either through automated updates or manually), make sure you read the documentation and the change log so you have an understanding of any significant architectural changes that may impact the forensic environment.
In this section, we will focus on the minimum configuration knowledge for baseline understanding of a sound forensic environment under current Linux distributions. We will briefly discuss hardware configuration and inventory, device node management (Udev) and the desktop environment.
Hardware Configuration
It’s always useful to know exactly what hardware is on your system. There will be times when you might need to change or select different kernel drivers or modules to make a piece of hardware run correctly. Because there are so many different hardware configurations out there, specifically configuring drivers for your system will remain outside the scope of this guide. Kernel detection and configuration of devices (network interfaces, graphics controllers, sound, etc.) is automatic in most cases. If you have any issues, make note of your hardware (see below) and do some searching. Google is your friend, and there is a list of helpful starting places for assistance at the end of this guide.
root@forensic1:~# lspci
00:00.0 Host bridge: Intel Corporation Xeon E3-1200 v2/3rd Gen Core
processor DRAM Controller (rev 09)
00:01.0 PCI bridge: Intel Corporation Xeon E3-1200 v2/3rd Gen Core
processor PCI Express Root Port (rev 09)
00:02.0 VGA compatible controller: Intel Corporation Xeon E3-1200 v2/3rd
Gen Core processor Graphics Controller (rev 09)
00:14.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family
USB xHCI Host Controller (rev 04)
00:16.0 Communication controller: Intel Corporation 7 Series/C210 Series
Chipset Family MEI Controller #1 (rev 04)
00:19.0 Ethernet controller: Intel Corporation 82579V Gigabit Network
Connection (rev 04)
00:1a.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family
USB Enhanced Host Controller #2 (rev 04)
00:1b.0 Audio device: Intel Corporation 7 Series/C210 Series Chipset Family
High Definition Audio Controller (rev 04)
00:1c.0 PCI bridge: Intel Corporation 7 Series/C210 Series Chipset Family
PCI Express Root Port 1 (rev c4)
Reading through this output you can see things like the fact that the network interface in this system is an Intel 82579V chipset. This is useful information if you are having issues with getting the interface to work and you want to search for support. You are far more likely to get useful help if you search for “Linux Intel 82579V not working” rather than “Linux network card not working”.
Kernel Modules
On one laptop, for example, the output (abbreviated) for the network interfaces, using lspci, might look like this:
This shows both a wired Ethernet port and a wireless adapter. If I wanted to see exactly which module is being used to drive these devices, I can use the -k option to lspci:
This time the output provides some additional information, including which modules are loaded when the device is detected. This can be an important piece of information if I’m trying to troubleshoot a misbehaving device. Online help might suggest using a different driver altogether. If that is the case, then you may need to “blacklist” the currently loaded module in order to prevent it from loading and hindering the correct driver (that you may need to specify). Blacklisting is normally done in /etc/modules.d/ by either creating a blacklist-[modulename].conf file or making an entry in blacklist.conf, depending on your distribution. In Slackware, you can read the README file in /etc/modules.d and the man page for modules.d for more information. Since the steps for this vary wildly depending on the driver, its dependencies, and the existence of competing modules, we won’t cover this in any more depth. Specific help for individual driver issues can be found online. This simply introduces you to potential sources of information.
Note that if you are using a laptop or desktop with a USB wireless adapter, it likely won’t show up in lspci. For that you’ll have to use lsusb (list USB – there’s a pattern here, see?). In the following output, lsusb reveals info about a wireless network adapter. Use the -v option for more verbose output (bold for emphasis):
root@forensic1:~# lsusb
...
Bus 001 Device 054: ID 2109:2812 VIA Labs, Inc. VL812 Hub
Bus 001 Device 004: ID 174c:2074 ASMedia Technology Inc. ASM1074 High-Speed
hub
Bus 001 Device 079: ID 1b1c:1a06 Corsair
Bus 001 Device 003: ID 046d:c077 Logitech, Inc. M105 Optical Mouse
Bus 001 Device 007: ID 11b0:6598 ATECH FLASH TECHNOLOGY
Bus 001 Device 120: ID 148f:5372 Ralink Technology, Corp. RT5372 Wireless
Adapter
Bus 001 Device 005: ID 174c:2074 ASMedia Technology Inc. ASM1074 High-Speed
hub
Bus 001 Device 050: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
...
at all times, whether in use or not. For example, on a system with static device nodes we may have a primary SATA hard drive that is detected by the kernel as /dev/sda. Since we have no IDE drives, no drive is detected as /dev/hda. But when we look in the /dev directory we see static nodes for all the possible disk and partition names for /dev/hda. The device nodes exist whether or not the device is detected.
In modern Linux systems, Udev creates device nodes “on the fly”. The nodes are created as the kernel detects the device and the /dev directory is populated in real time. In addition to being more efficient, Udev also runs in user space. One of the benefits of Udev is that it provides for “persistent naming”. In other words, you can write a set of rules that will allow Udev to recognize a device based on individual characteristics (serial number, manufacturer, model, etc.). The rule can be written to create a user-defined link in the /dev directory, so that for example, my thumb drive can always be accessed through an arbitrary device node name of my choice, like /dev/my-thumb, if I so choose. This means that I don’t have to search through USB device nodes to find the correct device name if I have more than one external storage device connected. I can connect 4 USB devices and instead of searching through /dev/sdc, sdd, sde, and sdf – I can just go to /dev/my-thumb. For a nice, if somewhat outdated, explanation of Udev rules, see: http://reactivated.net/writing_udev_rules.html.
XFCE is a lighter weight (read: lighter on resources) desktop. And although XFCE is also capable of automatically handling hot plugged devices, it allows for easier control of removable media on the desktop. As an example, consider the following snapshot of an XFCE settings dialog for removable media. By default, on Slackware 14.2, devices are NOT auto mounted in the XFCE environment. Not all distributions might be configured this way, however. Be sure to check and test for yourself. As a forensic examiner, you do NOT want your system automatically mounting devices simply because you plugged them into the system.
Disks
Linux treats its devices as files. This is an important concept for forensic examiners. It means, as we will see later on, that many of the commands we can use on regular files, we can also use on disk “files”. We can list them, hash them and search them in much the same way we do files in any standard user directory. The special directory where these device "files" are maintained is /dev. Older IDE disks would be detected and assigned hd* names. We rarely see those anymore.
The pattern described above is fairly easy to follow. If you are using a standard SATA disk, it will be referred to as sdx where the x is replaced with an a for the first detected drive and b for the second, etc. In the same way, the CDROM or DVD drives connected via the SATA bus will be detected as /dev/sr0 and then /dev/sr1, etc.
Note that the /dev/sdx device nodes will include USB and Firewire devices. For example, a primary SATA disk will be assigned sda. If you attach a USB disk or a thumb drive it will normally be detected as sdb, and so on.
root@forensic1:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 931.5G 0 disk
|-sda1 8:1 0 256M 0 part /boot
|-sda2 8:2 0 32G 0 part [SWAP]
`-sda3 8:3 0 899.3G 0 part /
sdb 8:16 0 238.5G 0 disk
sdc 8:32 0 931.5G 0 disk
`-sdc1 8:33 0 931.5G 0 part
sdi 8:128 0 931.5G 0 disk
`-sdi1 8:129 0 931.5G 0 part /run/media/barry/Evid
sdj 8:144 1 29.3G 0 disk
`-sdj1 8:145 1 29.3G 0 part /run/media/barry/Kingston
sr0 11:0 1 2.6G 0 rom
You can see from the output that disks and partitions are listed, and if any of the partitions are mounted, lsblk will also give us the current mount point. In this case we see /dev/sda1 is mounted on /boot, /dev/sda2 is our swap partition, /dev/sda3 is our root partition, and we have /dev/sdi1 mounted as /run/media/barry/Evid and /dev/sdj1 mounted as /run/media/barry/Kingston. The last two volumes are from external devices, plugged in and mounted via the desktop.
Another somewhat more useful command is lsscsi. I prefer lsscsi because although it does not show partitions, it does give a better idea of what the volumes are:
root@forensic1:~# lsscsi
[1:0:0:0] disk ATA ST1000DM003-1ER1 CC45 /dev/sda
[2:0:0:0] cd/dvd HL-DT-ST BD-RE WH16NS40 1.00 /dev/sr0
[11:0:0:0] disk ATA SAMSUNG MZHPV256 500Q /dev/sdb
[23:0:0:0] disk EXS3 CF Kiosk Reader 0575 /dev/sdd
[23:0:0:1] disk EXS3 SD Kiosk Reader 0575 /dev/sde
[23:0:0:2] disk EXS3 MS Kiosk Reader 0575 /dev/sdf
[23:0:0:3] disk EXS3 MSD Kiosk Reader 0575 /dev/sdg
[23:0:0:4] disk EXS3 XD Kiosk Reader 0575 /dev/sdh
[28:0:0:0] disk ST1000DM 003-1ER162 6207 /dev/sdc
[28:0:0:1] disk ST1000DM 003-1ER162 6207 /dev/sdi
[32:0:0:0] disk Kingston DataTraveler 3.0 PMAP /dev/sdj
You can see in the output above that this particular system has a number of USB devices and external media attached. This is a useful way of finding out what storage media are attached to a system. You’ll also notice that there are “disks” identified by lsscsi that are not listed by lsblk. This is because lsscsi is actually looking at what is attached to the interface, not the actual media. So lsscsi is identifying media readers that have no media inserted. lsscsi does not come on most platforms by default (although it does on Slackware). If your system does not have it by default, check your distribution’s package manager and install it.
There are other names, using links, that can access these device nodes. If you explore the /dev/disk directory you will see links that provide access to the disk devices through volume labels, disk UUID, kernel path, etc. These names are useful to us because they can be used to access a particular disk in a repeatable manner without having to know what device node (/dev/sdc or /dev/sdd for example) a disk will be assigned. For now, just be aware that you can access a disk by a name other than the simple sdx assigned node. Also note that some of the assigned nodes might not yet have media attached. In many cases media readers can be detected and assigned nodes before media is inserted. In that case, the following steps will simply display No medium found.
Now that we have an idea of what our disks are named, we can look at the partitions and volumes. The fdisk program can be used to create or list partitions on a supported device. This is an example of the output of fdisk on a Linux workstation using the “list” option (-l [dash “el”]):
fdisk -l /dev/sdx gives you a list of all the partitions available on a particular drive. Each partition is identified by its Linux name. The beginning and ending sectors for each partition are given. The number of sectors per partition is displayed. Finally, the partition type is displayed.
Note that the output of fdisk will change depending on the Disklabel type of the media being queried. The above output shows a disk with a GPT label. If you have a standard DOS style MBR, the output will show slightly different fields. For native handling of GPT partition labels, you can use gdisk.
Do not confuse Linux fdisk with the older DOS fdisk (for those of us old enough to remember such things). They are very different. The Linux version of fdisk provides for much greater control over partitioning.
Keep in mind that even when not mounted, devices can still be written to. Simply not mounting a file system does not protect it from being inadvertently changed through your actions or via mechanisms outside your control.
For example, if I plug a USB thumb drive into a Linux computer I may well see an icon appear on the desktop for the disk. I might even see a folder open on the desktop allowing me to access the files automatically. If I’m at a terminal and there is no X desktop, I may get no feedback at all. I plug the disk in and see nothing. I can, of course, run the lsscsi command to see if my list of media refreshed. But I may want more info than that.
So where can we look to see what device node was assigned to our disk (/dev/sdc, /dev/sdd, etc.)? How do we know if it was even detected? Again, this question is particularly pertinent to the forensic examiner, since we may likely configure our system to be a little less “helpful” in automatically opening folders, etc.
Plugging in the thumb drive and immediately running the dmesg command provides me with the following output (abbreviated for readability):
root@forensic1:~# dmesg
...
usb 2-4.2: new SuperSpeed USB device number 4 using xhci_hcd
usb 2-4.2: New USB device found, idVendor=0781, idProduct=5583
usb 2-4.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 2-4.2: Product: Ultra Fit
usb 2-4.2: Manufacturer: SanDisk
usb 2-4.2: SerialNumber: 4C530001090827122100
usb-storage 2-4.2:1.0: USB Mass Storage device detected
scsi host19: usb-storage 2-4.2:1.0
scsi 19:0:0:0: Direct-Access SanDisk Ultra Fit 1.00 PQ: 0 ANSI: 6
sd 19:0:0:0: [sdi] 242614272 512-byte logical blocks:(124 GB/116 GiB)
sd 19:0:0:0: [sdi] Write Protect is off
sd 19:0:0:0: [sdi] Mode Sense: 43 00 00 00
sd 19:0:0:0: [sdi] Write cache: disabled, read cache: enabled, doesn't support
DPO or FUA
sdi: sdi1
The important information is in bold. Note that this particular thumb drive (a SanDisk Ultra Fit) provides a single volume with a single partition (/dev/sdi1). The dmesg output can be long, so you can pipe through less (dmesg | less) or scroll through the output if needed.
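The dmesg lines above carry everything needed both to learn which node a new USB disk received and to write the kind of persistent Udev naming rule described in the Udev section earlier. The following is an added example, not code from this guide: it pulls the node, idVendor, idProduct, serial and block count out of dmesg text with awk and emits a rule for /etc/udev/rules.d/ giving the disk a stable /dev/my-thumb link. The dmesg sample is constructed from the lines quoted above, and the ENV{} keys are the ones udev's usb_id builtin exports for USB block devices on a typical current system (an assumption to confirm with udevadm info on your own box).

```shell
#!/bin/sh
# Added example, not code from the guide: extract the facts dmesg reports for
# a newly attached USB disk and build a udev persistent-naming rule from them.
# The dmesg text below is constructed from the lines quoted in the guide.

SAMPLE_DMESG='usb 2-4.2: new SuperSpeed USB device number 4 using xhci_hcd
usb 2-4.2: New USB device found, idVendor=0781, idProduct=5583
usb 2-4.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 2-4.2: Product: Ultra Fit
usb 2-4.2: Manufacturer: SanDisk
usb 2-4.2: SerialNumber: 4C530001090827122100
usb-storage 2-4.2:1.0: USB Mass Storage device detected
scsi host19: usb-storage 2-4.2:1.0
scsi 19:0:0:0: Direct-Access     SanDisk  Ultra Fit        1.00 PQ: 0 ANSI: 6
sd 19:0:0:0: [sdi] 242614272 512-byte logical blocks: (124 GB/116 GiB)
sd 19:0:0:0: [sdi] Write Protect is off
sdi: sdi1'

# usb_disk_summary DMESG_TEXT
# Prints one line per USB mass-storage disk found in the text:
#   <node> <idVendor> <idProduct> <serial> <512-byte blocks>
# The USB port (2-4.2) links the "usb ..." lines to the "scsi hostNN" line,
# and the host number links that to the "[sdX]" line.
usb_disk_summary() {
  printf '%s\n' "$1" | awk '
    /^usb [0-9.-]+: New USB device found/ {
      port = $2; sub(/:$/, "", port)
      for (i = 3; i <= NF; i++) {
        if ($i ~ /^idVendor=/)  { v = $i; sub(/^idVendor=/, "", v); sub(/,$/, "", v); vendor[port] = v }
        if ($i ~ /^idProduct=/) { p = $i; sub(/^idProduct=/, "", p); product[port] = p }
      }
    }
    /^usb [0-9.-]+: SerialNumber: / { port = $2; sub(/:$/, "", port); serial[port] = $NF }
    /^scsi host[0-9]+: usb-storage / {
      host = $2; sub(/^host/, "", host); sub(/:$/, "", host)
      port = $4; sub(/:[0-9.]+$/, "", port)       # "2-4.2:1.0" -> "2-4.2"
      hostport[host] = port
    }
    /^sd [0-9:]+: \[sd[a-z]+\] [0-9]+ [0-9]+-byte logical blocks/ {
      host = $2; sub(/:.*/, "", host)
      node = $3; gsub(/\[|\]/, "", node)
      port = hostport[host]
      printf "%s %s %s %s %s\n", node, vendor[port], product[port], serial[port], $4
    }'
}

# udev_symlink_rule SUMMARY_LINE LINKNAME
# Turns one summary line into a udev rule giving the whole disk (not its
# partitions) a stable /dev/LINKNAME symlink. Save the output as, for example,
# /etc/udev/rules.d/99-evidence.rules (file name is an arbitrary choice).
# ENV{ID_VENDOR_ID}, ENV{ID_MODEL_ID} and ENV{ID_SERIAL_SHORT} are the keys
# udev's usb_id builtin sets for USB block devices (assumed; verify with
# "udevadm info /dev/sdX" on your own system).
udev_symlink_rule() {
  _link="$2"
  set -- $1     # word-split the summary into node, vendor, product, serial, blocks
  printf 'SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_VENDOR_ID}=="%s", ENV{ID_MODEL_ID}=="%s", ENV{ID_SERIAL_SHORT}=="%s", SYMLINK+="%s"\n' \
    "$2" "$3" "$4" "$_link"
}

# Stand-alone run: on a live system replace SAMPLE_DMESG with "$(dmesg)".
usb_disk_summary "$SAMPLE_DMESG" | while read -r line; do
  printf '%s\n' "$line"
  udev_symlink_rule "$line" my-thumb
done
```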
Like the Windows file system, the Linux file system is hierarchical. The "top" directory is referred to as "the root" directory and is represented by "/". Note that the following is not a complete list, but provides an introduction to some important directories.
One very useful resource for this subject is the File System Hierarchy Standard (FHS), the purpose of which is to provide a reference for developers and system administrators on file and directory placement. Read more about it at http://www.pathname.com/fhs/
There is a long list of file system types that can be accessed through Linux. You do this by using the mount command. Linux has a couple of special directories used to mount file systems to the existing Linux directory tree. One directory is called /mnt. It is here that you can dynamically attach new file systems from external (or internal) storage devices that were not mounted at boot time. Typically, the /mnt directory is used for temporary mounting. Another available directory is /media, which provides a standard place for users and applications to mount removable media (this is where auto-mounting takes place). Actually you can mount file systems anywhere (not just on /mnt or /media), but it’s better for organization. Since we will be dealing with mostly temporary mounting of potential evidence volumes, we will use the /mnt directory for most of our work. Here is a brief overview.
Any time you specify a mount point you must first make sure that that directory exists. For example to mount a USB disk under /mnt/evidence you must be sure that /mnt/evidence exists. After all, suppose we want to have a CDROM and a USB drive mounted at the same time? They can’t both be mounted under /mnt (you would be trying to access two file systems through one directory!). So we create directories for each device’s file system under the parent directory /mnt. You decide what you want to call the directories, but make them easy to remember. Keep in mind that until you learn to manipulate the file /etc/fstab (covered later), only root can mount and unmount file systems (explicitly).
Newer distributions usually create mount points for you, but you might want to add others for yourself (mount points for subject disks or images, etc. like /mnt/data or /mnt/analysis). Note that you must be root to create mount points in /mnt:
root@forensic1:~# lsscsi
[0:0:0:0] disk ATA INTEL SSDSC2CT12 300i /dev/sda
[2] Actually, modern Linux systems do a pretty decent job of auto detecting file system types, but being explicit is never a bad thing.
We can then use that information to mount the drive (this command assumes the directory /mnt/analysis exists – if not then create it with mkdir):
root@forensic1:~# cd /mnt/analysis
You should now be able to navigate the thumb drive as usual. Essentially, what we have done here is take the logical contents of the file system on /dev/sdi1 and made it available to the user through /mnt/analysis. You can now browse the contents of the disk.
Note the proper command is umount, not unmount. This cleanly unmounts the file system. DO NOT remove the disk OR SWAP the disk until it is unmounted.
If you get an error message that says the file system cannot be unmounted because it is busy, then you most likely have a file open from that directory, or are using that directory from another terminal. Check all your terminals and virtual terminals and make sure you are no longer in the mounted directory.
Insert the CDROM:
We use the ISO9660 file system for mounting most CD and DVD disks. You can check that again with the file command run on our DVD device (/dev/sr0) with a disk inserted:
root@forensic1:~# cd /mnt/cdrom
root@forensic1:~# ls
autorun.inf* document/ installmanager/ menu/ tools/
If you want to see a list of file systems that are currently mounted, just use the mount command without any arguments or parameters. It will list the mount point and file system type of each device on the system, along with the mount options used (if any). Note in the output below you can see the thumb drive and CD disk I just mounted (and did not unmount):
root@forensic1:~# mount
/dev/sda3 on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
tmpfs on /dev/shm type tmpfs (rw)
/dev/sda1 on /boot type ext4 (rw)
/dev/sdi1 on /mnt/hd type ext4 (rw)
/dev/sr0 on /mnt/cdrom type iso9660 (ro)
The ability to mount and unmount file systems is an important skill in Linux. We use it to view the contents of a file system, and we use it to mount external storage for collecting evidence files, etc. There are a large number of options that can be used with mount (some we will cover later), and a number of ways the mounting can be done easily and automatically. Refer to the mount info or man pages for more information.
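Putting the mount-point, mount and verification steps above together, here is an added example (not the guide's own code) of a guarded read-only mount for an evidence volume. It accepts either a /dev node or a volume label resolved through /dev/disk/by-label, insists on an existing empty mount point, refuses a device that is already mounted, and reads the result back from /proc/mounts; the MOUNTS parameter exists only so the checks can be exercised against a constructed file, and the mount itself still requires root.

```shell
#!/bin/sh
# Added example, not the guide's own code: a guarded read-only mount for an
# evidence volume. It insists on an existing, empty mount point, refuses a
# device the system (or the desktop) has already mounted, and confirms the
# result from /proc/mounts instead of trusting mount's exit code alone.
# MOUNTS is a parameter (default /proc/mounts) only so the checks can be run
# against a constructed file; the mount itself still needs root.

# resolve_device NAME -> prints the /dev node for NAME, which may be a node
# such as /dev/sdi1 or a volume label resolved via /dev/disk/by-label.
resolve_device() {
  case "$1" in
    /dev/*) [ -e "$1" ] && printf '%s\n' "$1" ;;
    *)      [ -e "/dev/disk/by-label/$1" ] && readlink -f "/dev/disk/by-label/$1" ;;
  esac
}

# is_mounted DEVICE [MOUNTS]: succeeds if DEVICE is a mount source in MOUNTS
is_mounted() {
  awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# mountpoint_ok DIR: succeeds if DIR exists and is empty (mounting over files
# hides them, which is confusing at best in an examination)
mountpoint_ok() {
  [ -d "$1" ] && [ -z "$(ls -A "$1")" ]
}

# mount_evidence_ro DEVICE_OR_LABEL DIR [MOUNTS]
mount_evidence_ro() {
  dev=$(resolve_device "$1") || { echo "no such device or label: $1" >&2; return 1; }
  mountpoint_ok "$2" || { echo "mount point $2 is missing or not empty" >&2; return 1; }
  if is_mounted "$dev" "${3:-/proc/mounts}"; then
    echo "$dev is already mounted; check 'mount' and your desktop" >&2
    return 1
  fi
  # ro: no writes through this mount. noexec/nodev/nosuid: nothing on the
  # volume is executed or treated as a device node. For ext3/ext4 you can add
  # noload so the journal is not replayed, since replay modifies the volume
  # even on a read-only mount.
  mount -o ro,noexec,nodev,nosuid,noatime "$dev" "$2" || return 1
  # Show what the kernel actually recorded for the new mount.
  awk -v dev="$dev" '$1 == dev' "${3:-/proc/mounts}"
}

# Example invocation (as root): mount_evidence_ro /dev/sdi1 /mnt/analysis
```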
In most modern distributions (Slackware included), optical disks will be auto-detected, and an icon placed on the desktop for it. We’ll cover that in an upcoming section.
The columns are:
<device> <mount point> <fstype> <default options>
root@forensic1:~# mount /mnt/cdrom
The above mount commands look incomplete. When not enough information is given, the mount command will look to /etc/fstab to fill in the blanks. If it finds the required info, it will go ahead with the mount. To find out more about available options for /etc/fstab, enter info fstab at the command prompt. After installing a new Linux system, have a look at /etc/fstab to see what is available for you. If what you need isn’t there, add it. In my case I un-commented the entry for the CDROM. Out of old habit, I prefer using fstab to mount my CD/DVD media.
Desktop Mounting
Mounting can also take place via automated or partially automated processes through your desktop environment. Linux has a huge list of available choices in desktop systems and management (XFCE, KDE, Gnome, Mate, etc.). They all have the capability to handle and mount removable devices for the user. This is normally done through the dynamic addition of context capable desktop icons that may appear when removable media is plugged in. Volumes can then be mounted via a right-click menu.
There are a number of useful changes for the general Linux user that make this sort of desktop capable mounting make sense. First, for general daily use as a desktop workstation, who wants to have to log in as root to mount external devices? What if you are working on a system that you don’t have elevated privileges on? In addition to the personal logistics, there’s also the fact that the more modern mounting systems will place removable device mount points in a user’s personal space rather than a system wide mount point. This offers better security and accessibility for the user.
The following example will show what can happen on an XFCE desktop when a USB drive is inserted. This is just an illustration. Be sure to check your own system for default configurations that might differ from this one. You certainly don’t want to accidentally mount evidence just because you were unaware the system is doing it for you.
In this case the USB disk has a partition with a volume label “Win10Image” (the volume label can be set by any number of tools when the file system is formatted).
With the USB drive inserted, an icon appears on the desktop (see Illustration 2).
Back in the earlier section on disks and device nodes, we talked about device detection and naming. In addition to the /dev/sdx naming, there are other names assigned to the disk by UUID, label, and kernel path. When I see the Win10Image label appear on the desktop, a terminal can quickly be opened to see exactly what partition on which disk that label belongs to by accessing the /dev/disk/ sub-folders, specifically /dev/disk/by-label:
root@forensic1:~# ls -l /dev/disk
total 0
drwxr-xr-x 2 root root 140 Apr 16 18:28 by-id/
drwxr-xr-x 2 root root 60 Apr 16 18:28 by-label/
drwxr-xr-x 2 root root 80 Apr 16 18:28 by-partlabel/
drwxr-xr-x 2 root root 80 Apr 16 18:28 by-partuuid/
drwxr-xr-x 2 root root 80 Apr 16 18:28 by-path/
drwxr-xr-x 2 root root 80 Apr 16 18:28 by-uuid/
root@forensic1:~# ls -l /dev/disk/by-label/
total 0
lrwxrwxrwx 1 root root 10 Apr 16 18:28 Win10Image -> ../../sdb1
root@forensic1:~# mount
/dev/sda1 on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
tmpfs on /dev/shm type tmpfs (rw)
/dev/sdb1 on /run/media/barry/Win10Image type ext4(rw,nodev,nosuid,
uhelper=udisks2)
Make sure you know how to control the mounting of disks and volumes within your desktop environment. The XFCE shipped with Slackware does no auto-mounting of any volumes. The icons appear on the desktop, but you are free to mount them as you see fit. There are configuration options available to change this behavior, so be careful (see Illustration 1).
Note that Slackware uses LILO by default. LILO is an older and far simpler system for booting, but is much less flexible.
The boot loader specifies the “root device” (boot drive), along with the kernel version to be booted. For LILO, this is all controlled by the file /etc/lilo.conf. Each “image=” section represents a choice in the boot screen.
[3] The actual /etc/lilo.conf file on your system will be much more cluttered with comments (lines starting with a “#”). Comments have been removed for readability above.
Once the system has finished booting, you can replay the kernel messages that “fly” past the screen during the booting process with the command dmesg. We discussed this command a little when we talked about device recognition earlier. As previously mentioned, this command can be used to find hardware problems, or to see how a removable (or suspect) drive was detected, including its geometry, etc. The output can be piped through a paging viewer to make it easier to see (in this case, dmesg is piped through less on my Slackware system.):
System Initialization
After the boot loader initiates the kernel, the next step in the boot sequence starts with the program /sbin/init. This program really has two functions:
Runlevel
The runlevel is simply a description of the system state. For our purposes, it is easiest to say that (for Slackware, at least – other systems, such as those using systemd, will differ):
runlevel 0 = shutdown
runlevel 1 = single user mode
runlevel 3 = full multiuser mode / text login (DEFAULT)
runlevel 4 = full multiuser / X11 / graphical login [4]
runlevel 6 = reboot
[4] This is largely distribution dependent. In some distributions, run level 5 provides a GUI login. In Slackware (and others), it's run level 4.
id:3:initdefault:
Note that for Ubuntu, you can create an /etc/inittab file and place the value in there. If it exists, the file will be read and the runlevel changed accordingly. The systemd style of management used by Ubuntu does not really utilize “runlevels”. It utilizes targets. Changes to these targets are made using the systemctl command. The configuration and use of Ubuntu is outside the scope of this guide, but this particular issue highlights the fact that Linux systems can vary in how they work.
Once the global scripts run, there are “service scripts” in the /etc/rc.d/ directory that are called by the various runlevel scripts, as described above, depending on whether the scripts themselves have “executable” permissions. This means that we can control the boot time initialization of a service by changing its executable status. More on how to do this later. Some examples of service scripts are:
Have a look at the /etc/rc.d directory for more examples. Note that in a standard Slackware install, your directory listing will show executable scripts as green in color (in a terminal with color support) and followed by an asterisk (*).
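The executable-bit mechanism just described is easy to script. The block below is an added example, not the guide's own code: it reports which rc.* scripts in a directory are enabled or disabled and toggles one, taking the directory as a parameter so the same functions can be pointed at /etc/rc.d on the running system or at the rc.d directory of a subject file system mounted read-only (path such as /mnt/analysis/etc/rc.d is an assumption).

```shell
#!/bin/sh
# Added example, not the guide's own code: inspect and toggle Slackware-style
# service scripts, whose start at boot is governed by their executable bit.
# RCDIR is a parameter so the same functions work on /etc/rc.d of the running
# system or on a subject file system mounted read-only (for example
# /mnt/analysis/etc/rc.d, an assumed path).

# list_services RCDIR: prints "rc.<name> enabled|disabled" for each script.
# The runlevel scripts themselves (rc.S, rc.M, rc.K ...) are listed too, since
# they live in the same directory and follow the same naming.
list_services() {
  for f in "$1"/rc.*; do
    [ -f "$f" ] || continue
    if [ -x "$f" ]; then state=enabled; else state=disabled; fi
    printf '%s %s\n' "${f##*/}" "$state"
  done
}

# service_state RCDIR NAME -> enabled | disabled | missing
service_state() {
  f="$1/rc.$2"
  if [ ! -f "$f" ]; then echo missing
  elif [ -x "$f" ]; then echo enabled
  else echo disabled
  fi
}

# set_service RCDIR NAME enable|disable
# Only the mode changes; the script's content is untouched, so the change is
# visible in a listing (the trailing "*" the guide mentions) and easy to undo.
set_service() {
  f="$1/rc.$2"
  [ -f "$f" ] || { echo "no such service script: $f" >&2; return 1; }
  case "$3" in
    enable)  chmod +x "$f" ;;
    disable) chmod -x "$f" ;;
    *) echo "usage: set_service RCDIR NAME enable|disable" >&2; return 1 ;;
  esac
}

# Stand-alone run: report the local system, if it uses this layout.
if [ -d /etc/rc.d ]; then list_services /etc/rc.d; fi
```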
Again, this is Slackware specific. Other distributions differ (some differ greatly!), but the concept remains consistent. Once you become familiar with the process, it will make sense. The ability to manipulate startup scripts is an important step in your Linux learning process. At the very least, understanding how your system works and where services are started and stopped is important.
Bash
Bash (Bourne Again Shell) is the default command shell for most Linux distros. It is the program that sets the environment for your command line experience in Linux. There are a number of shells available, but we will cover bash, the most commonly used in Linux, here.
/etc/profile - This is the global bash initialization file for interactive login shells. Edits made to this file will be applied to all bash shell users. This file sets the standard system path, the format of the command prompt and other environment variables.
Note that changes made to this file may be lost during upgrades. Another method is to
create an executable file in the directory /etc/profile.d. Executable files placed in
that directory are run at the end of /etc/profile.
/home/$USER/.bash_profile [5] - This script is located in each user’s home directory
($USER) and can be edited by the user, allowing him or her to customize their own
environment. It is in this file that you can add aliases to change the way commands
respond. Note that the dot in front of the file name makes it a “hidden” file.
/home/$USER/.bash_history – This is an exceedingly useful file for a number of
reasons. It stores a set number of commands that have already been typed at the
command line (default is 500). These are accessible through either “reverse shells” or
simply by using the “up” arrow on the keyboard to scroll through the history of
already-used commands. Instead of re-typing a command over and over again, you can
access it from the history.
From the perspective of a forensic examiner, if you are examining a Linux system, you
can access each user's (don't forget root) .bash_history file to see what commands
were run from the command line. Remember that the leading “.” in the file name
signifies that it is a hidden file.
The bash startup sequence is actually more complicated than this, but this should give
you a starting point. In addition to the above files, check out /home/$USER/.bashrc. The man
page for bash is an interesting (and long) read, and will describe some of the customization
options. In addition, reading the man page will give a good introduction to the programming
power provided by bash scripting. When you read the man page, you will want to concentrate
on the INVOCATION section for how the shell is used and basic programming syntax.
[5] In bash we define the contents of a variable with a dollar sign. $USER is a variable that represents the
name of the current user. To see the contents of shell individual variables, use “echo $VARNAME”.
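The following is an added example, not part of the guide, that applies the point above about .bash_history: for every account in /etc/passwd (root included), report whether a history file exists and how many lines it holds. The passwd entries and history files are constructed in a scratch directory, and the ROOT argument is an assumption so the same functions can be pointed at a mounted evidence volume instead. Accounts whose shell is /bin/false or a nologin shell but which still carry a history are listed separately, since that is worth a second look.

```shell
# Added example (not from the guide): walk every account in a passwd file and
# report the command history found in its home directory, root included.
# A constructed passwd file and scratch tree stand in for a real system; pass
# the mount point of an evidence volume as ROOT to run it against real data.

make_fake_system() {
    r=$(mktemp -d)
    mkdir -p "$r/root" "$r/bin" "$r/home/barry" "$r/home/alice"
    printf 'root:x:0:0::/root:/bin/bash\nbin:x:1:1:bin:/bin:/bin/false\nbarry:x:1000:100::/home/barry:/bin/bash\nalice:x:1001:100::/home/alice:/bin/bash\n' > "$r/passwd"
    # constructed sample histories
    printf 'ls -l\ncd /tmp\ntar czf backup.tgz /etc\n' > "$r/root/.bash_history"
    printf 'ls\ncat notes.txt\n' > "$r/home/barry/.bash_history"
    printf 'id\n' > "$r/bin/.bash_history"      # a history under a no-login account
    # alice has no history file at all, which is itself worth noting
    echo "$r"
}

# One line per passwd entry: user, history line count (or "none"), login shell.
# $1 is ROOT (prefix for every home directory), $2 the passwd file to read.
history_report() {
    root=$1; passwd=$2
    while IFS=: read -r user _ uid _ _ home shell; do
        hist="$root$home/.bash_history"
        if [ -f "$hist" ]; then
            echo "$user $(wc -l < "$hist" | tr -d ' ') $shell"
        else
            echo "$user none $shell"
        fi
    done < "$passwd"
}

# Accounts that should never have an interactive history but do: the shell is
# /bin/false or a nologin variant, yet a .bash_history exists.
unexpected_histories() {
    history_report "$1" "$2" | awk '$2 != "none" && ($3 == "/bin/false" || $3 ~ /nologin$/) { print $1 }'
}
```

Run `r=$(make_fake_system); history_report "$r" "$r/passwd"` to see the report; on a real evidence mount the passwd file is `$ROOT/etc/passwd`.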
barry@forensic1:~$ ls -l
total 5195940
drwxr-xr-x 4 root root 4096 Aug 3 2013 Bootable/
drwxr-xr-x 2 root root 4096 Mar 5 15:45 Pictures/
drwxr-xr-x 2 root root 4096 Dec 11 13:44 Desktop/
drwxrwxr-x 2 root root 4096 Mar 24 15:31 LGPL/
-rw-r--r-- 1 root root 4257941850 Aug 28 2016 swwre.tar.gz
...
We will discuss the meaning of each column in the ls -l output later in this document.
Copy files:
cp source destination : copy source to destination
cp -r source destination : copy directory recursively
Clear the Terminal:
clear : clears the terminal screen of all text and returns a
prompt. <ctrl>-l (control-character l) will
accomplish the same.
If you want to find information about a command called find, including its usage,
options, output, etc., then you would use the “man page” for the command find:
NAME
find - search for files in a directory hierarchy
SYNOPSIS
find [-H] [-L] [-P] [-D debugopts] [-Olevel] [path...] [expression]
DESCRIPTION
This manual page documents the GNU version of find. GNU find searches the
directory tree rooted at each given file name
<continues>
…
Create a directory:
mkdir directory : Creates a directory. Again, remember the
difference between a relative and explicit path here.
Note that you can string together several options. For example:
barry@forensic1:~$ ls -aF
./ ../ .bash_history .gnupg/ .xinitrc .xsession*
myscript* textfile1 textifle2
ls -aF will give you a list of all files (-a), including hidden files, and file/directory
classification (-F, which shows "/" for directories, "*" for executables, and "@" for links).
grep will look for occurrences of pattern within the file filename. grep is an extremely
powerful tool. It has hundreds of uses given the large number of options it supports. Check
the man page for more details. We will use grep in our forensic exercises later on.
find allows you to search for a file based on any number of criteria, including dates, sizes,
name patterns, etc. To look for your fstab file, you might try:
This means "find, starting in the root directory ( / ), by name, fstab and print the
results to the screen". find will allow you to search by file type or even file times (actually
inode times). The power of the find command should not be underestimated. More on this
tool later. Have a look at man find. Can you see the difference between -iname and -name?
pwd prints the present working directory to the screen. The following example shows that
we are currently in the directory /home/barry.
barry@forensic1:~$ pwd
/home/barry
file categorizes files based on what they contain using a signature, regardless of the name
(or extension, if one exists). Compares the file header to the "magic" file in an attempt to ID
the file type. For example:
ps list of current processes. Gives the process ID number (PID), and the terminal on which
the process is running.
ps ax shows all processes (a), and all processes without an associated terminal (x). Note the
lack of a dash in front of the options. See the man page for info on this departure from our
previous convention.
barry@forensic1:~$ ps ax
PID TTY STAT TIME COMMAND
1 ? Ss 0:00 init [4]
2 ? S 0:00 [kthreadd]
3 ? S 0:00 [ksoftirqd/0]
5 ? S< 0:00 [kworker/0:0H]
...
1595 ? S 0:00 [kworker/0:0]
1604 pts/1 Ss+ 0:00 -bash
1645 ? S 0:00 [kworker/1:0]
strings prints out the readable characters from a file. Will print out strings that are at
least four characters long (by default) from a file. Useful for looking at data files without the
originating program, and searching executables for useful strings, etc. More on this
forensically useful command later.
shutdown -h now - will halt the system. Ready for power down (change to
runlevel 0).
For an interactive session, simply type bc at the prompt and you will be dropped into
the session. Type the expression and hit <enter>. Input below is bolded for clarity.
barry@forensic1:~$ bc
bc 1.06.95
Copyright 1991-1994, 1997, 1998, 2000, 2004, 2006 Free Software Foundation,
Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
2+2
4
100*512
51200
5/3
1
quit
barry@forensic1:~$
Type quit to finish, and you’ll exit bc. Pay close attention to the last expression, 5/3.
Note that the response is 1, a whole number, rather than the fraction we would assume. This is
because bc is a fixed precision calculator, and the default scale is 1 (0). You can set the scale
with the scale=x function, where x is the precision you’d like. If you want your answer
rounded to two decimal places, you can use scale=2.
barry@forensic1:~$ bc
bc 1.06.95
Copyright 1991-1994, 1997, 1998, 2000, 2004, 2006 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
scale=2
5/3
1.66
quit
If you’d prefer not to use an interactive session, you can pipe your expression to bc
using echo:
The above example shows both the default output and scale setting via echo. The last
command shows a common calculation for byte offset when given a sector number (or sector
offset) in forensic work.
barry@forensic1:~$ bc
bc 1.06.95
Copyright 1991-1994, 1997, 1998, 2000, 2004, 2006 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
ibase=16
4C
76
4c <-- Note the chars must be upper case
(standard_in) 4: syntax error
quit
If you are dealing with simple integers (or hex conversion), and floating point or
decimal responses are not required, you can use more simple bash (shell) Arithmetic
Expansion. This is probably the quickest and easiest way to do calculations for simple addition
or subtraction where integer offsets are needed and you are not likely to encounter fractional
valuations. Note that you need to use the echo command to evaluate the expression, or the
evaluation itself will be interpreted by the shell as a command. Also note that hex values
should be preceded by 0x (zero x). Here’s an example set of evaluations:
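An added example (not from the guide) of the arithmetic expansion described above, written as small shell functions so the results can be reused in a script: sector to byte offset, a partition base plus an in-partition sector, hex conversion in both directions, and the integer division that mirrors the bc 5/3 case. The 512-byte sector size and the sample sector numbers are assumptions.

```shell
# Added example (not from the guide): byte offsets with shell arithmetic
# expansion. The sector size and the sample sector numbers are constructed.

SECTOR_SIZE=512   # assumption: 512-byte sectors, the usual case for disk images

# Byte offset of sector $1: sector number times sector size. Integers only.
sector_to_offset() {
    echo $(( $1 * SECTOR_SIZE ))
}

# Byte offset of sector $2 inside a partition that starts at sector $1, for
# example a superblock at sector 2 of a partition beginning at sector 2048.
partition_offset() {
    echo $(( ($1 + $2) * SECTOR_SIZE ))
}

# Hex to decimal: arithmetic expansion accepts 0x-prefixed constants, and
# unlike bc with ibase=16 it does not care about upper or lower case.
hex_to_dec() {
    echo $(( 0x$1 ))
}

# Decimal to hex for the reverse direction; printf does the formatting.
dec_to_hex() {
    printf '%X\n' "$1"
}

# Integer division truncates, just as bc does at its default scale: 5/3 is 1.
# Reach for bc with scale= when the fractional part matters.
int_div() {
    echo $(( $1 / $2 ))
}

# Sample run with constructed inputs
sector_to_offset 63          # 32256
partition_offset 2048 2      # 1049600
hex_to_dec 4C                # 76
dec_to_hex 76                # 4C
int_div 5 3                  # 1
```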
File Permissions
Files in Linux have certain specified file permissions. These permissions can be viewed
by running the ls -l command on a directory or on a particular file. For example:
barry@forensic1:~$ ls -l myfile.sh
-rwxr-xr-x 1 barry users 3685 Apr 15 11:14 myfile.sh
If you look close at the first 10 characters, you have a dash (-) followed by 9 more
characters. The first character describes the type of file. A dash (-) indicates a regular file. A
"d" would indicate a directory, and "b" a special block device, etc.
This gives the file owner read, write and execute permissions (rwx), but restricts other
members of the owner’s group and users outside that group to only read and execute the file
(r-x). Write access is denied as symbolized by the “-”.
Octal is a three digit numerical value in which the first digit represents the owner, the
second digit represents the group, and the third digit represents others outside the owner's
group. Each digit is calculated by assigning a value to each permission:
read (r) = 4
write (w) = 2
execute (x) = 1
For example, the file filename in our original example has an octal permission value of
755 (rwx = 7, r-x = 5, r-x = 5). If you wanted to change the file so that the owner and the group
had read, write and execute permissions, but others would only be allowed to read the file, you
would issue the command:
barry@forensic1:~$ ls -l myfile.sh
-rwxr-xr-x 1 barry users 3685 Apr 15 11:14 myfile.sh
barry@forensic1:~$ ls -l myfile.sh
-rwxrwxr-- 1 barry users 3685 Apr 15 11:14 myfile.sh
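Added example, not from the guide: shell functions that turn the permission field of an ls -l line into its octal value and back, using the r=4, w=2, x=1 weighting above. It goes one step beyond the text by also handling the setuid, setgid and sticky bits, which show up as s and t in the execute positions and add a leading digit. The sample ls -l line is the one shown above; the temporary file in live_check is constructed.

```shell
# Added example (not from the guide): symbolic permission string <-> octal.

# One rwx triplet (e.g. "r-x") to its digit: r=4, w=2, x=1. A lower-case s or t
# in the third slot means the execute bit is set together with a special bit.
triplet_to_digit() {
    d=0
    case $1 in r??) d=$(( d + 4 ));; esac
    case $1 in ?w?) d=$(( d + 2 ));; esac
    case $1 in ??[xst]) d=$(( d + 1 ));; esac
    echo $d
}

# The 10-character mode field ("-rwxr-xr-x") to octal. A leading digit is
# added only when setuid (4), setgid (2) or sticky (1) is present.
mode_to_octal() {
    m=$(printf '%s' "$1" | cut -c1-10)     # drop a trailing "." or "+" (ACL/SELinux)
    u=$(triplet_to_digit "$(printf '%s' "$m" | cut -c2-4)")
    g=$(triplet_to_digit "$(printf '%s' "$m" | cut -c5-7)")
    o=$(triplet_to_digit "$(printf '%s' "$m" | cut -c8-10)")
    s=0
    case $m in ???[sS]??????) s=$(( s + 4 ));; esac   # setuid sits in the owner x slot
    case $m in ??????[sS]???) s=$(( s + 2 ));; esac   # setgid in the group x slot
    case $m in ?????????[tT]) s=$(( s + 1 ));; esac   # sticky in the others x slot
    if [ $s -gt 0 ]; then echo "$s$u$g$o"; else echo "$u$g$o"; fi
}

# One octal digit back to its triplet, testing each bit.
digit_to_triplet() {
    t=
    if [ $(( $1 & 4 )) -ne 0 ]; then t="${t}r"; else t="${t}-"; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then t="${t}w"; else t="${t}-"; fi
    if [ $(( $1 & 1 )) -ne 0 ]; then t="${t}x"; else t="${t}-"; fi
    echo "$t"
}

# Octal (3 or 4 digits) to the nine rwx characters; a leading special digit is ignored.
octal_to_mode() {
    o=${1#${1%???}}
    u=${o%??}; rest=${o#?}; g=${rest%?}; t=${rest#?}
    printf '%s%s%s\n' "$(digit_to_triplet "$u")" "$(digit_to_triplet "$g")" "$(digit_to_triplet "$t")"
}

# Octal value of a whole ls -l line: the mode is its first field.
ls_line_octal() {
    mode_to_octal "${1%% *}"
}

# Cross-check against the real ls on a constructed temporary file.
live_check() {
    f=$(mktemp)
    chmod 775 "$f"
    mode_to_octal "$(ls -l "$f" | cut -d' ' -f1)"
    rm -f "$f"
}
```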
three streams we can talk about: stdin is the standard input (usually the keyboard); stdout is
the standard output (usually the display); and stderr is standard error (usually the display).
• stdout : >
◦ cmd > outfile
◦ cmd is sending its output to outfile rather than the display.
• stderr: 2>
◦ cmd 2> errlog
◦ cmd is sending any error messages to the file errlog.
Manipulating streams can be useful for tasks like creating an output file that contains a
list of files on a mounted volume, or in a directory. For example:
The above command would output a long list of all the files in the current directory.
Instead of outputting the list to the console, a new file called filelist.txt will be created
that will contain the list. If the file filelist.txt already existed, then it will be overwritten.
Use the following command to append the output of the command to the existing file, instead
of over-writing it:
Another useful tool is the command pipe, which uses the | symbol. The command pipe
takes the output of one command and "pipes" it straight to the input of another command.
In this case, we are redirecting the output to another command rather than a file. You
can see the difference below. I can echo a character string to a file with >, or I can echo to a
command with |. The wc command shown below gives a count of lines, words, and bytes. In
the first redirect below, I’m creating a file called wc with the output of echo. In the second, I’m
using a pipe, so the output of echo goes to the command wc. In the third, I’m piping the output
of echo to wc and redirecting the wc output to a file. Follow along below, and experiment.
DON’T do this logged in as root. Experimentation can get out of hand quickly.
barry@forensic1:~$ cat wc
hello
This is an extremely powerful tool for the command line. Look at the following process
list (partial output shown):
barry@forensic1:~$ ps ax
PID TTY STAT TIME COMMAND
1 ? Ss 0:00 init [4]
2 ? S 0:00 [kthreadd]
3 ? S 0:00 [ksoftirqd/0]
5 ? S< 0:00 [kworker/0:0H]
6 ? S 0:00 [kworker/u4:0]
7 ? S 0:00 [rcu_sched]
<continues>
What if all you wanted to see were those process IDs that indicated a bash shell?
You could "pipe" the output of ps to the input of grep, specifying bash as the pattern for grep
to search. The result would give you only those lines of the output from ps that contained the
pattern bash.
Desktop/
Documents/
Evidence/
winlog.txt
Stringing multiple powerful commands together is one of the most useful and powerful
techniques provided by Linux for forensic analysis. This is one of the single most important
concepts you will want to learn if you decide to take on Linux as a forensic tool. With a single
command line built from multiple commands and pipes, you can use several utilities and
programs to boil down an analysis very quickly.
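The redirects (>, >>, 2>) and the ps-to-grep pipe described above, combined into one added example that is not part of the guide. The process list is a constructed sample standing in for live ps ax output, and the report file name is an assumption. One detail the text does not show is that when you run ps ax | grep bash on a live system, grep's own process line matches the pattern too; the grep -v step drops it.

```shell
# Added example (not from the guide): pipes and redirects on a constructed
# process list. Replace the printf with a real "ps ax" to run it live.

SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:00 init [4]
    2 ?        S      0:00 [kthreadd]
 1604 pts/1    Ss+    0:00 -bash
 1700 pts/2    Ss     0:00 /bin/bash
 1733 pts/2    R+     0:00 ps ax
 1745 ?        S      0:00 grep bash'

# PIDs of processes whose command mentions bash. The second grep removes the
# "grep bash" process that matches itself when the pipeline runs live.
bash_pids() {
    printf '%s\n' "$SAMPLE_PS" | grep bash | grep -v 'grep bash' | awk '{print $1}'
}

# Count them without reading: wc -l on the pipe (tr strips padding some wc print).
bash_count() {
    bash_pids | wc -l | tr -d ' '
}

# Build a report file: > creates or overwrites, >> appends, 2> sends errors to
# a separate file so they do not pollute the report. Prints the line count.
write_report() {
    out=$1
    bash_pids > "$out"                          # overwrite with the PID list
    echo "total: $(bash_count)" >> "$out"       # append a summary line
    ls /this/path/does/not/exist >> "$out" 2> "$out.err" || true   # error goes to .err only
    wc -l < "$out" | tr -d ' '
}
```

After `write_report /tmp/bash.txt` the report holds the two PIDs and the total line, while the ls error text sits in /tmp/bash.txt.err; without the 2> the message would have landed on the terminal, not in the report.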
File Attributes
Linux file systems (like ext2, ext3, ext4) support what are called file attributes. There
are quite a few of them, and we will not cover all of them here. There are two that can be very
useful for protecting forensic data from haphazard deletion or tampering. These are append
only (a) and immutable (i).
Attributes are flags that can control what file operations are allowed to occur on a file
or a directory. Some of them can be changed, and some cannot. We can list the attributes of
files and directories in our current directory with lsattr:
root@forensic1:~/MyDirectory# lsattr
--------------e---- ./data
--------------e---- ./textfile.txt
--------------e---- ./file1.txt
--------------e---- ./log.txt
We added the immutable (i) attribute to the data directory, and you can see in the
subsequent lsattr command that the i attribute is displayed for ./data. When we try and
delete the directory with rm -rf, we find that the operation is not allowed even though we are
root. This is very powerful. We cannot delete the directory, nor can we add, delete, or change
files in that directory.
We will now add the append only (a) attribute to log.txt. This attribute means that
the file can only be opened in append mode. We cannot change or delete current content, only
add to it. We will find this useful when re-directing output to a log file for documenting our
work.
extents in this guide. Additional information can be found online. https://en.wikipedia.org/wiki/Chattr
Certain attributes (a and i, for example) can only be set by root. You can have those
attributes on user-owned files, but they must be set by root.
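An added example (not from the guide) for the two attributes discussed above: it reads the flag column of lsattr output to tell which paths are protected, and, when possible, verifies that an append-only log really refuses an overwrite while still accepting an append. The lsattr lines are constructed; the live part only runs as root on a filesystem that supports chattr, and otherwise reports skipped, because as the text says these attributes cannot be set by an ordinary user.

```shell
# Added example (not from the guide): parse lsattr output and check
# append-only behaviour. The lsattr lines below are constructed.

SAMPLE_LSATTR='--------------e---- ./data
----i---------e---- ./data/images
-----a--------e---- ./log.txt
--------------e---- ./notes.txt'

# Is flag $1 (e.g. i or a) set on path $2? The flag field is the first column
# and each set flag appears as its letter; unset flags are dashes.
has_attr() {
    flag=$1; path=$2
    printf '%s\n' "$SAMPLE_LSATTR" | awk -v f="$flag" -v p="$path" '
        $2 == p { print (index($1, f) > 0 ? "yes" : "no"); found = 1 }
        END { if (!found) print "missing" }'
}

# Paths protected against deletion or alteration: immutable (i) blocks every
# change, append-only (a) blocks truncation and rewriting of existing content.
protected_paths() {
    printf '%s\n' "$SAMPLE_LSATTR" | awk '$1 ~ /i/ || $1 ~ /a/ { print $2 }'
}

# Live demonstration, skipped unless running as root with chattr available on
# a filesystem that supports it: mark a log append-only, then show that >>
# succeeds while > (which truncates) is refused.
append_only_demo() {
    if [ "$(id -u)" -ne 0 ] || ! command -v chattr >/dev/null 2>&1; then
        echo skipped; return 0
    fi
    d=$(mktemp -d); f=$d/log.txt
    echo "first entry" > "$f"
    if ! chattr +a "$f" 2>/dev/null; then echo skipped; rm -rf "$d"; return 0; fi
    echo "second entry" >> "$f"                                  # allowed: append mode
    if echo "overwrite" > "$f" 2>/dev/null; then result=overwritten; else result=refused; fi
    chattr -a "$f"; rm -rf "$d"                                   # remove the flag so cleanup works
    echo "$result"
}
```

Note the cleanup order in append_only_demo: rm on an append-only or immutable file fails even for root, so the flag has to be cleared first, which is exactly the protection the text describes.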
Metacharacters
The Linux command line (actually the bash shell in our case) also supports wild cards
(meta-characters):
* for multiple characters (including ".").
? for single characters.
[ ] for groups of characters or a range of characters or numbers.
This is a complicated and very powerful subject, and will require further reading. Refer
to “regular expressions” in your favorite Linux text, along with “globbing” or “shell expansion”.
There are important differences that can confuse a beginner, so don’t get discouraged by
confusion over what “*” means in different situations.
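An added example, not from the guide, that puts the three wildcards above next to grep's regular expressions on the same set of names, so the different meaning of “*” in each can be seen directly: in a glob it stands alone for any run of characters, in a regular expression it repeats whatever precedes it (which is why “.*” is the regex spelling of the glob “*”). The file names are constructed in a temporary directory.

```shell
# Added example (not from the guide): globbing versus regular expressions.
# The file names are constructed; nothing outside the temp directory is touched.

make_sandbox() {
    d=$(mktemp -d)
    for n in log1.txt log2.txt log10.txt notes.txt .hidden.txt image.jpg; do
        : > "$d/$n"
    done
    echo "$d"
}

# Count the names a glob pattern matches inside $1. The shell expands $pat
# here, which is why it is left unquoted in the for list.
glob_count() {
    dir=$1; pat=$2; n=0
    for f in "$dir"/$pat; do
        if [ -e "$f" ]; then n=$(( n + 1 )); fi   # an unmatched glob stays literal; -e drops it
    done
    echo $n
}

# Count the names a regular expression matches, using grep on an ls -a listing
# (so the hidden file is visible to the regex, unlike to a plain glob).
regex_count() {
    dir=$1; re=$2
    ls -a "$dir" | grep -c -- "$re"
}
```

Try `glob_count "$d" '*'` (5: the hidden file is skipped) against `regex_count "$d" 'txt$'` (5: the hidden file counts), and `glob_count "$d" 'log?.txt'` against `regex_count "$d" '^log.\.txt$'`, which pick the same two names by different rules.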
Command Hints
1. Linux has a history list of previously used commands (stored in the file named
.bash_history in your home directory). Use the keyboard arrows to scroll through
commands you've already typed.
2. Linux supports command line editing. You can use the cursor to navigate a previous
command and correct errors.
3. Linux commands and file names are CASE SENSITIVE.
4. Learn output redirection for stdout and stderr (“>” and “2>”). More on this later.
5. Linux uses “/” for directories, MS Windows uses “\”.
6. Linux uses “-“ for command options, DOS uses “/”.
7. Use q to quit from less or man sessions.
8. To execute commands in the current directory (if the current directory is not in your
PATH), use the syntax ./command. This tells Linux to look in the present directory for
the command. Unless it is explicitly specified, the current directory is NOT part of the
normal user path.
V. Editing with Vi
There are a number of terminal mode (non-GUI) editors available in Linux, including
emacs and vi. You could always use one of the available GUI text editors in Xwindow, but
what if you are unable to start X, or a windowing system is not available? The benefit of
learning vi or emacs is your ability to use them from a terminal, a character terminal, or a
telnet or ssh session, etc. We will discuss vi here. (I don't do emacs :-)). vi in particular is
useful, because you will find it on all versions of Unix. Learn vi and you should be able to edit
a file on any Unix system.
The Joy of Vi
You can start vi either by simply typing vi at the command prompt, or you can specify
the file you want to edit with vi filename. If the file does not already exist, it will be created
for you.
vi consists of two operating modes, command mode and insert mode. When you first
enter vi you will be in command mode. Command mode allows you to search for text, move
around the file, and issue commands for saving, save-as, and exiting the editor (as well as a
whole host of other functions). Insert mode is where you actually input and change text.
In order to switch to insert mode, type either a (for append), i (for insert), or one of the
other insert options listed on the next page. When you do this you will see "--INSERT--"
appear at the bottom of your screen (in most versions). You can now input text. When you
want to exit the insert mode and return to command mode, hit the escape key.
You can use the arrow keys to move around the file in command mode. The vi editor
was designed, however, to be exceedingly efficient, if not intuitive. The traditional way of
moving around the file is to use the qwerty keys right under your finger tips. More on this
below. In addition, there are a number of other navigation keys that make moving around in
vi easier, like using $ to move to the end of the current line or w to move to the next word, etc.
If you lose track of which mode you are in, hit the escape key twice. You will know
that you are in command mode.
Vi command summary
The best way to save yourself from a messed up edit is to hit <ESC> followed by :q!
That command will quit without saving changes.
/string
Where string is your search target. After issuing the command, you can move on to the
next hit by typing n.
Anyone who has been working in the field of digital and computer forensics for any
length of time can tell you that forensic workstation security is always a top priority. Some
practitioners work on completely “air gapped” forensic networks with no connection to outside
resources. Others find this approach too limiting and elect to heavily firewall and monitor
forensic workstations while allowing some level of access to external networks. In either case,
understanding your workstation's security posture is extremely important. This document
does not endorse or suggest any particular approach, and as with all things in this business, the
requirements for your particular setup may change day to day depending on the nature of the
cases you are working on, the evidence you are handling, the physical or network environment
you are working in and the policies set forth by your agency or company.
The goal here is to ensure that, at a minimum, a forensic examiner understands the
current security posture of the workstation, or at the very least, is conversant in addressing
them. This section is not meant to imply, in any way, that simple host based security is enough
to protect your forensic environment. The ideal lab will have edge routers and hardware based
appliances to properly secure data and network access. In some cases, contraband analysis and
malware investigation for example, air gapping may be the only realistic solution. In any
event, understanding the mechanics of host based security is an often overlooked, but
important part of the forensic environment.
We'll start our security configuration with the most basic steps: disabling services
(and/or daemons) that start when the computer boots. It's fairly common knowledge that
running programs and network services that you are not using and do not need serves only to
introduce potential vulnerabilities. There are all sorts of services running on any given
workstation, regardless of distribution or operating system. Some of these services are
required, some are optional, and some are downright undesirable for a forensic environment.
As previously discussed, this is where you will find quite a difference among the various
distributions. Ubuntu, for example, uses a new system for managing the starting and stopping
of services called upstart. Consult your distribution's documentation for more info, and don't
neglect this part of your Linux education!
[7] rc.inet1 starts the network interface(s) using rc.inet1.conf and rc.inet2 starts the various network
services.
root@forensic1:~# ls -l /etc/rc.d/rc.sshd
-rwxr-xr-x 1 root root 1726 Mar 10 2016 /etc/rc.d/rc.sshd*
The directory listing shows that I have changed the executable status of the script, and
therefore prevented the service from starting when the system boots. Depending on your
color terminal settings, you may also see the color of the file change.
You can use this technique to go through your /etc/rc.d/ directory to turn off those
services that you do not need. Since I'm not running an old laptop, and don't need PCMCIA
services nor do I have wireless network support on my workstation, I'll make sure these do not
have the executable permissions:
You might also consider doing the same with some other services:
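An added example (not from the guide) tying together the earlier description of service scripts and the disabling of rc.sshd above: a Slackware-style rc.d script runs at boot only if it is executable, so enabling and disabling a service come down to that one bit. A scratch directory of constructed scripts stands in for /etc/rc.d, and chmod a-x / a+x are the assumed way of toggling the bit (the guide's own chmod line is not reproduced here). Point service_status at the real /etc/rc.d to get the same report for a workstation.

```shell
# Added example (not from the guide): which rc.d service scripts are enabled?
# The scripts below are constructed stand-ins for /etc/rc.d entries.

make_fake_rcd() {
    d=$(mktemp -d)
    for s in rc.sshd rc.pcmcia rc.wireless rc.syslog; do
        printf '#!/bin/sh\necho starting %s\n' "$s" > "$d/$s"
    done
    chmod 755 "$d/rc.sshd" "$d/rc.syslog"       # enabled at boot
    chmod 644 "$d/rc.pcmcia" "$d/rc.wireless"   # present but disabled
    echo "$d"
}

# One line per script, "enabled" or "disabled", decided by the executable bit,
# which is the same test the runlevel scripts apply before calling a service.
service_status() {
    for s in "$1"/rc.*; do
        if [ -x "$s" ]; then echo "${s##*/} enabled"; else echo "${s##*/} disabled"; fi
    done
}

# Disable a service at boot by clearing its executable bits. The script stays
# in place, so the change is reversible and visible in ls -l (no asterisk).
disable_service() {
    chmod a-x "$1/$2" && service_status "$1" | grep "^$2 "
}

# Re-enable it by restoring the executable bits.
enable_service() {
    chmod a+x "$1/$2" && service_status "$1" | grep "^$2 "
}

# How many scripts would actually start at boot.
enabled_count() {
    service_status "$1" | grep -c ' enabled$'
}
```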
We continue our baseline security configuration discussion with a word on simple host
based access control. Note that this is NOT a firewall. This is access control at the host level.
In very simple terms, we can determine who can access our system by two files,
/etc/hosts.deny and /etc/hosts.allow. For this we use TCP wrappers.
Let's run through an example of a service managed by tcpd here first, then we'll follow
up with the two access control files. If we look at our /etc/inetd.conf file, we see that most
of the file is already commented out, meaning that those managed services are already
disabled. The commented lines start with a # sign. If we want to see only those lines that are
not commented out, we can do a “reverse grep”. So if I want to see the lines in the file
/etc/inetd.conf that are not comments, I can do this:
In order to understand how these services work and where to find specific information
on what is running on our system, let's have a more detailed look at the third line in our
output:
Since this line is not commented out, we know that the service is allowed to run on our
system. Let's find out what it does and show how we disable it, and confirm that it's been
disabled.
NOTE: The services that are left running on a basic Slackware install are generally left
running for a reason. I would not recommend commenting out any of these lines without
understanding the consequences. We are deconstructing this particular service for educational
purposes. At the end of the lesson, we'll likely keep it enabled. The purpose of this exercise is
to show how you can trace running services, and find out what they do. If you are running
Linux (any flavor), and you do not know what services are running and why, then you need to
re-think your approach to securing your forensic workstation.
Now we're going to dig a little deeper and learn about some other Linux commands and
files (that being the point of this guide and all) as we disable and re-enable the service. Pay
attention to the output of these commands on your workstation, regardless of the distribution.
Knowing what is “normal” for your particular setup allows you to recognize when things have
changed, either through malicious intent or by accident.
So, using the grep command to find the line containing comsat we find that it is using
UDP port 512. To determine if port 512 is open, we can use the netstat command:
The netstat command tells us about open, running and listening services on our
system. We use the -a flag to show listening and non-listening sockets (a “listening socket” is
one that is awaiting incoming connections). We also add the -n flag to display numeric
port/address numbers rather than attempt to parse service names. The last option, -u, displays
only UDP services. If you run netstat by itself, the output is a little overwhelming. We pare
it down significantly by limiting the protocols we are interested in seeing. Our netstat
command does show that UDP port 512 is open.
root@forensic1:~# vi /etc/inetd.conf
...
# The comsat daemon notifies the user of new mail when biff is set to y:
#comsat dgram udp wait root /usr/sbin/tcpd in.comsat
...
At this point, you can uncomment the comsat line in /etc/inetd.conf and restart the
daemon again if you choose. The purpose of this exercise was to introduce you to enumerating
running services and manipulating the TCP wrappers configuration.
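An added example, not from the guide, that automates the two steps of the exercise above: the “reverse grep” over inetd.conf to list the services that are actually enabled, and the lookup of each one's port in /etc/services, the way comsat is traced to UDP 512. Both files are constructed samples laid out like the real ones; only the first alias column of /etc/services is consulted, which is a simplification. Point the functions at /etc/inetd.conf and /etc/services to audit a workstation.

```shell
# Added example (not from the guide): enabled inetd services and their ports.
# Both file contents below are constructed samples.

SAMPLE_INETD='# See "man 8 inetd" for more information.
#ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  proftpd
#telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
comsat   dgram   udp     wait    root    /usr/sbin/tcpd  in.comsat
time     stream  tcp     nowait  root    internal
#auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd'

SAMPLE_SERVICES='telnet   23/tcp
time     37/tcp
time     37/udp
biff     512/udp   comsat
exec     512/tcp'

# The "reverse grep": drop comment and blank lines, leaving only the services
# inetd will start. Output is name/protocol, the two fields we need next.
enabled_services() {
    printf '%s\n' "$SAMPLE_INETD" | grep -v '^#' | grep -v '^[[:space:]]*$' | awk '{print $1 "/" $3}'
}

# Resolve a service name and protocol (e.g. comsat udp) to its port. In
# /etc/services the line is keyed by its primary name; an alias such as comsat
# follows the port/proto column, so both $1 and $3 are checked (first alias only).
service_port() {
    name=$1; proto=$2
    printf '%s\n' "$SAMPLE_SERVICES" | awk -v n="$name" -v p="$proto" '
        $1 == n || $3 == n { split($2, a, "/"); if (a[2] == p) { print a[1]; exit } }'
}

# Join the two: one line per enabled service with its port, the list to compare
# against "netstat -anu" / "netstat -ant" output.
enabled_ports() {
    enabled_services | while IFS=/ read -r svc proto; do
        echo "$svc $proto $(service_port "$svc" "$proto")"
    done
}
```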
The below command results in a successful connection as user barry from the external
host hermes to our forensic workstation forensic1. Note the change in the command prompt
on the last line:
We are now logged into our forensic workstation (forensic1) from a different
computer (hermes). The SSH service is unique in that you will not find an entry in
/etc/inetd.conf. The support for TCP wrappers is internal to SSH. It does not need to be
managed by /etc/tcpd.
As previously mentioned, there are two access control files utilized by TCP wrappers:
/etc/hosts.deny, which sets the system wide default policy for access denial, and
/etc/hosts.allow, which can then be used to poke holes in the denied connections. Both of
these files take on the same basic syntax:
services: systems
ALL:ALL
# End of hosts.deny.
Now any incoming connections to services managed by TCP wrappers will be denied.
Note that this is NOT a firewall. It is simply access control to services running on the current
system. Since this is hosts.deny, we are simply saying “DENY all connections from all
hosts”.
Once again, in the example above, I'm again trying to log into my forensic workstation
(host name forensic1) from a different computer (host name hermes). The connection is
denied.
Now that we have set a “default deny” policy, let's poke a hole in the scheme by adding
an allowed service in. We'll continue to use sshd as an example, since I like having access via
ssh and will leave it open anyway.
To allow access to a service, we edit the /etc/hosts.allow file and add a line for each
service in the same services:systems format.
When we add an SSH exception for our local network to hosts.allow, our sshd
exception will look like this:
sshd:192.168.55.
# End of hosts.allow.
This basically reads as “ALLOW connections to sshd from systems only on the
192.168.55.0 network”. This limits connections to originating from machines on my local
forensic network only. Read the man page and adjust to your needs.
Understanding inetd.conf, and editing hosts.deny and hosts.allow gives us a good
start on our security configuration. For a typical forensic workstation, this is pretty much as
simple as it needs to be at the host level. For many forensic practitioners, simply commenting
out the lines in inetd.conf, adding “ALL:ALL” to hosts.deny and leaving hosts.allow
totally empty might be sufficient.
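An added example (not from the guide) that models the hosts.allow / hosts.deny decision just described, so a rule can be reasoned about before it goes on a workstation: hosts.allow is consulted first, then hosts.deny, and a client matching neither is allowed, which is why an empty hosts.deny leaves everything open. It is deliberately simplified: only ALL, a daemon name, an exact address and the trailing-dot network prefix used above are understood; EXCEPT clauses, netmasks, host names and comma-separated lists are not. The file contents are constructed from the two files shown above.

```shell
# Added example (not from the guide): a simplified TCP wrappers decision.
# File contents are constructed; see the lead-in for what is not modelled.

SAMPLE_HOSTS_ALLOW='sshd:192.168.55.
# End of hosts.allow.'

SAMPLE_HOSTS_DENY='ALL:ALL
# End of hosts.deny.'

# Does one "services: systems" line match daemon $2 connecting from address $3?
line_matches() {
    line=$1; daemon=$2; client=$3
    svc=$(printf '%s' "$line" | cut -d: -f1 | tr -d ' ')
    hosts=$(printf '%s' "$line" | cut -d: -f2 | tr -d ' ')
    [ "$svc" = ALL ] || [ "$svc" = "$daemon" ] || return 1
    [ "$hosts" = ALL ] && return 0
    [ "$hosts" = "$client" ] && return 0
    case $hosts in
        *.) case $client in "$hosts"*) return 0;; esac;;   # trailing dot = network prefix
    esac
    return 1
}

# Scan the non-comment lines of a file's contents ($1) for a match; prints
# "match" for each matching line and nothing when there is none.
file_matches() {
    printf '%s\n' "$1" | grep -v '^#' | grep -v '^[[:space:]]*$' | while read -r l; do
        if line_matches "$l" "$2" "$3"; then echo match; fi
    done
}

# The decision for daemon $3 from client $4 given hosts.allow text $1 and
# hosts.deny text $2: allow wins, then deny, then the default of allow.
wrapper_decision() {
    if [ -n "$(file_matches "$1" "$3" "$4")" ]; then echo ALLOW
    elif [ -n "$(file_matches "$2" "$3" "$4")" ]; then echo DENY
    else echo ALLOW
    fi
}
```

With the two files above, `wrapper_decision "$SAMPLE_HOSTS_ALLOW" "$SAMPLE_HOSTS_DENY" sshd 192.168.55.10` prints ALLOW while the same client asking for in.telnetd, or sshd from 10.0.0.5, prints DENY; pass an empty string as the deny file and every request is allowed again.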
It is common practice for many forensic practitioners using other operating systems to
utilize some sort of host based firewall program to monitor their workstation's network
connections and provide some form of baseline protection from unsolicited access. You may
want to do the same thing on your Linux workstation, or you may, in some cases, be required
to run a host based firewall by agency or corporate policy. In any event, the most commonly
used Linux equivalent for this sort of thing is the iptables network packet filter.
Of all the subjects covered in this guide, this is one of the more complex, with little
direct relationship to actual forensic practice. It is, however, too important not to cover if we
are going to discuss workstation security. A host based firewall may not be a requirement for a
good forensic workstation, especially given that many agencies and companies are already
working in a well protected (or air gapped) network environment. However, in my humble
opinion, it's still a very good idea. It's all too common to see novice Linux users rely completely
on the notion that Linux is “just more secure” than other operating systems. And I know from
personal experience that there are digital forensic practitioners out there that have fully
connected workstations and don’t take these precautions.
Unlike most of the other subjects covered in this configuration section, iptables
requires a bit more explanation to effectively set it up from scratch than I'm willing to put in a
simple practitioner's guide. As a result, rather than giving a detailed description and step by
step instructions, we are going to briefly discuss how to view the iptables configuration and
provide a baseline script to get the reader started. Our “baseline” script has been provided by
Robby Workman (http://www.rlworkman.net).
In simple terms, iptables deals with chains. The INPUT chain for incoming traffic, the
OUTPUT chain for outgoing traffic, and the FORWARD chain that handles traffic with neither its
origin or destination at the filtered interface. These chains have default policies, to which
additional rules can be appended.
Let's have a look at our default iptables configuration (in this case “default” means
“empty configuration”). To do this we can use iptables with the -S option to display the
rules within each chain. If you do not provide the chain name (INPUT, for example), then the
command will list all the chains and their rules, starting with the default policies:
root@forensic1:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
So the above command lists the policies for each chain along with any rules that may
have been added. As you can see from the output here, the default policies are ACCEPT, and
there are no other rules. None of our network traffic is being filtered.
It is often desirable to hide our systems from all network traffic, including ping traffic.
With our empty iptables configuration, from an external host, we can ping our forensic
workstation (192.168.55.32) and the ICMP packets come through:
The file, shown above, starts with variable definitions, followed by a number of lines
that set various kernel parameters for better security. We then continue with setting all the
default policies for INPUT, OUTPUT and FORWARD to the far more secure DROP, rather than simply
ACCEPT. We then define rules that are appended (-A) to the various chains. Also note that I
uncommented the last line in the script, referring to TCP traffic (-p tcp) on destination port 22
(--dport 22). This will allow SSH traffic in.
root@forensic1:~# ls -l /etc/rc.d/rc.firewall
-rw-r--r-- 1 root root 1195 Mar 12 2011 /etc/rc.d/rc.firewall
root@forensic1:~# ls -l /etc/rc.d/rc.firewall
-rwxr-xr-x 1 root root 1195 Mar 12 2011 /etc/rc.d/rc.firewall*
root@forensic1:~# sh /etc/rc.d/rc.firewall
With the last command in the session illustrated above, we have executed the firewall script, and now when we look at our iptables configuration, we see the rules in place:
root@forensic1:~# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
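As an added example (this is not Robby Workman's rc.firewall script, which the guide does not reproduce here), the following POSIX shell script builds a default-deny baseline of the same shape as the iptables -S listing above. The iptables path, the eth0 interface name, the sysctl keys chosen for the hardening step and the dry-run/APPLY switch are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not the rc.firewall script the guide refers to): a minimal
# default-deny iptables baseline matching the rules listed above. By default
# the commands are only printed so the plan can be reviewed (or compared with
# `iptables -S`) first; set APPLY=1 and run as root to actually load them.

IPT=${IPT:-/usr/sbin/iptables}   # path assumed; adjust for your system
EXT_IF=${EXT_IF:-eth0}           # external interface, as in the listing above
SSH_PORT=${SSH_PORT:-22}
APPLY=${APPLY:-0}

# Run a command for real, or print it in dry-run mode.
run() {
    if [ "$APPLY" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Kernel parameters of the kind the guide's script sets (keys chosen here).
harden_sysctl() {
    run sysctl -w net.ipv4.tcp_syncookies=1
    run sysctl -w net.ipv4.conf.all.rp_filter=1
    run sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
    run sysctl -w net.ipv4.conf.all.accept_redirects=0
}

firewall_rules() {
    # Start from a clean slate, then default-deny every chain.
    run "$IPT" -F
    run "$IPT" -X
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT DROP

    # Loopback must keep working for local services.
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A OUTPUT -o lo -j ACCEPT

    # Replies to connections this host initiated.
    run "$IPT" -A INPUT -i "$EXT_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # New inbound SSH only; with INPUT at DROP, ping and everything else is
    # silently discarded. Comment this rule out to stay fully hidden.
    run "$IPT" -A INPUT -i "$EXT_IF" -p tcp --dport "$SSH_PORT" --syn \
        -m conntrack --ctstate NEW -j ACCEPT

    # Outbound traffic from the workstation is allowed, as in the listing above.
    run "$IPT" -A OUTPUT -o "$EXT_IF" -j ACCEPT
}

# Emit the whole plan as text (never applies anything) for inspection.
firewall_plan() {
    ( APPLY=0; harden_sysctl; firewall_rules )
}

firewall_plan
```

Run it as-is to print the planned commands and compare them with iptables -S; run with APPLY=1 as root to load them. Because the OUTPUT policy is DROP as well, anything the workstation originates (DNS, package mirrors) only works because of the blanket ACCEPT on the external interface; tighten that rule if your policy requires it.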
Note that with some distributions, updating the OS on a regular basis, without proper and often complex configuration, can result in a dozen or so new and updated packages every couple of weeks. In the context of a stable, well tested forensic platform, this is less than ideal. Also, Slackware developers tend not to patch upstream code, as is common among some other distributions. Slackware takes the approach of “if it ain't broke, don't fix it.”
This information is not meant to disparage other distributions. Far from it. Any properly administered Linux distribution makes a fine forensic platform. These are, however, important considerations if you are running a forensic workstation in any sort of litigious setting. Too often, Linux forensics beginners trust their platform to numerous untested, desktop oriented updates, without thinking about potential changes in behavior that can, in admittedly limited circumstances, raise questions.
Using slackpkg
slackpkg is the default utility for keeping Slackware up to date. It's extremely easy to configure and use. The man page provides very clear instructions on using slackpkg along with a good description of some of its capabilities.
root@forensic1:~# vi /etc/slackpkg/mirrors
...
#----------------------------------------------------------------
# Slackware64-14.2
#----------------------------------------------------------------
# USE MIRRORS.SLACKWARE.COM (DO NOT USE FTP - ONLY HTTP FINDS A NEARBY MIRROR)
http://mirrors.slackware.com/slackware/slackware64-14.2/
#
# AUSTRALIA (AU)
# ftp://ftp.cc.swin.edu.au/slackware/slackware64-14.2/
# http://ftp.cc.swin.edu.au/slackware/slackware64-14.2/
# ftp://ftp.iinet.net.au/pub/slackware/slackware64-14.2/
# http://ftp.iinet.net.au/pub/slackware/slackware64-14.2/
# ftp://mirror.aarnet.edu.au/pub/slackware/slackware64-14.2/
# http://mirror.aarnet.edu.au/pub/slackware/slackware64-14.2/
...
One precaution you may want to take with slackpkg is to add several packages to the blacklist. The blacklist specifies those programs and packages that we do not want upgraded on a regular basis. We do this to avoid having to complicate periodic security updates with changes to our bootloader and other components that add excessive complexity to our upgrade process. In particular, we want to avoid (for now) having to go through all the steps required to upgrade our kernel packages.
⁸ Pay attention to the architecture and version. I made a complete muppet of myself on the ##slackware IRC channel one day, asking for help when I was trying to upgrade Slackware64 (64 bit OS), not knowing I had selected a 32 bit mirror and therefore destroying my system when I updated.
root@forensic1:~# vi /etc/slackpkg/blacklist
...
# Automated upgrade of kernel packages aren't a good idea (and you need to
# run "lilo" after upgrade). If you think the same, uncomment the lines
# below
#
kernel-firmware
kernel-generic
kernel-generic-smp
kernel-headers
kernel-huge
kernel-huge-smp
kernel-modules
kernel-modules-smp
kernel-source
...
We've selected our mirror and adjusted our blacklisted packages; now it is simply a matter of updating our package list. We do this with the simple command slackpkg update, which will download the current file list (including patches). Once that is complete, you run slackpkg upgrade-all and you will be presented with a selection of packages to upgrade (minus the blacklisted packages).
The man page for slackpkg provides easy to follow instructions. In a nutshell, for our purposes here, usage is simply:
I would strongly suggest you take a minute to read the changelog for the current version of Slackware you are using. Understanding what you are updating and why is an important part of understanding your forensic platform. It may seem tedious at first, but it should be part of your common system maintenance tasks. You can read the file ChangeLog.txt at the mirror you selected for updating your system, or simply go to https://mirror.SlackBuilds.org/slackware/slackware64-14.2/ChangeLog.txt when updates are available.
Compiling from source is the most basic method for installing software on Linux. It is generally distribution agnostic and will work for any given package on most distributions, assuming dependencies are met. Correctly used, compiling from source has the benefit of being tailored more to your environment, with better optimization. The biggest drawback is that compiling from source, without careful manipulation of configuration files, can “litter” your system with executables and libraries placed in less than optimal locations. It can also result in difficult to manage upgrade paths for installed software, or even just trying to remember what you have previously installed.
The source files (containing source code) normally come in a package commonly referred to as a “tarball”, or a tar.gz file (a gzip compressed tar archive). The archive is extracted, the source is compiled, and then an install script is executed to place the resulting program files and documentation in the appropriate directories. The following shows a very
First we extract the package and change into the resulting directory. The ./configure command⁹ sets environment variables and enables or disables program features based on available libraries and arguments. The make command compiles the program, using the parameters provided by the results of the previous ./configure command. Finally, the make install command moves the compiled executables, libraries and documentation to their respective directories on the computer. Note that make install is generally not distribution aware, so the resulting placement of program files might not fit the conventions for a given Linux distro, unless the proper variables are passed during configuration.
root@forensic1:~# ./configure
...
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
configure: autobuild project... package
...
Assuming no errors, we type make and watch the compiler go to work. Finally, we run the command that properly installs both the tools to the proper path, and any required libraries to the proper directories. This is generally accomplished with make install.
root@forensic1:~# make
Making all in lib
make[1]: Entering directory `/root/package/lib'
<continue compiler output>
⁹ The “./” indicates that the configure command is run from the current directory.
Our program is now installed and ready to use. Knowing how to use source packages for software installation is an important part of understanding how Linux works; just keep in mind that it's generally a better idea to use distribution packages (or create your own). Note that the example shown above is for source packages built with autoconf/automake. You may also run across software that is Python or Perl based, etc. These will differ in how they are built and installed. Most source packages will include a README or INSTALL.txt file when extracted. Read them.
Unlike previous versions of this guide, we will avoid using this method of installing software from this point on.
As we've already mentioned, just about every Linux distribution has some sort of “package manager” for installing and updating packages. For updating and adding official Slackware software (included in the distribution), we've introduced using slackpkg. slackpkg is actually a front end to pkgtool, which handles the work of adding and removing software packages from your system. For an excellent overview of pkgtool, and its various commands, have a look at http://www.slackware.com/config/packages.php.
You can find pre-made packages for all sorts of software for many distributions all over the Internet. The problem with many of them is that they do not come from trusted sources and you often have no idea what configuration options were used to build them.
As a general rule of thumb, I always like to build my own packages for software that is not part of the Slackware full installation. This allows me to build the software with the options I need (or without ones I don't), optimized for my particular system, and it further allows me to control how the software is eventually installed. Luckily Slackware provides a relatively easy way to create packages from source code: SlackBuilds.
In short, a SlackBuild is a script that (normally) takes source code and compiles and packages it into a Slackware .tgz (or .txz) file that we can install using pkgtools.
The SlackBuild script handles the configure options and optimizations that the script author decides on (but which are visible and editable by you), and then installs the software and related files into a package that follows Slackware software conventions for executables and libraries, where applicable, and assuming the build author follows the template. The scripts are easily editable if you want to change some of the options or the target version, and provide for an easy, human readable way to control the build process. SlackBuilds for a large selection of software are available at http://www.SlackBuilds.org.
The SlackBuild itself comes as a .tar.gz file that you extract with the tar command. The resulting directory contains the build script itself. The script is named software.SlackBuild, with software being the name of the program we are creating a package for. There are normally four files included in the SlackBuild package:
• software.info gives information about where to obtain the source code, the version of the software the script is written for, the hash of the source code, required dependencies, and more.
• README contains useful information about the package, potential pitfalls, and optional dependencies.
To build a Slackware compatible package, you simply drop the source code for the software into the same directory the SlackBuild is in and execute the SlackBuild script. The package is created and (normally) placed in the /tmp directory ready for installation via pkgtools.
A WORD OF CAUTION: Be careful about relying solely on automated tools for package management. Regardless of the platform you choose to run on, I would urge you to learn how to build packages yourself, or at the very least learn how to determine how to change package options, or at a minimum determine what build options were used before running software. This is not to say automated tools are bad, but one of the strengths of Linux that we often talk about is the control it gives us over our system. Controlling your system software is one aspect of that. You can use automated tools and still maintain control; you just need to be careful. We will use that approach here.
We will talk specifically about one of the package tools you can use with Slackware to automate some of the more mundane steps we take when installing software. To illustrate the build process, we will install sbotools via a manual SlackBuild process, and then use sbotools to assist us in building and installing the remainder of the software we'll use in this guide.
--2017-04-17 21:04:09--  https://www.SlackBuilds.org/SlackBuilds/14.2/system/sbotools.tar.gz
Resolving www.SlackBuilds.org (www.SlackBuilds.org)... 208.94.238.115
Connecting to www.SlackBuilds.org (www.SlackBuilds.org)|208.94.238.115|:443...
connected.
HTTP request sent, awaiting response... 200 OK
Length: 2038 (2.0K) [application/x-gzip]
Saving to: 'sbotools.tar.gz'
root@forensic1:~# ls
sbotools.tar.gz
root@forensic1:~# cd sbotools
root@forensic1:~/sbotools# ls
README sbotools.SlackBuild* sbotools.info slack-desc
The sbotools.info file will help with this. We'll view that file and then use the information contained therein to download the source code and check the MD5 hash. The MD5 hash is a value that lets us know the file we download is what we expect. Using wget and the URL provided in the DOWNLOAD field, the source code for sbotools will end up in the same directory.
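The hash check just described can be scripted. The following is an added example, not part of the guide or of sbotools: it reads the MD5SUM field from a SlackBuild .info file and compares it with md5sum of the downloaded file. The .info file, the file names and the temporary demo directory are constructed here so that it runs offline; the hash in the constructed .info file is the real MD5 of the constructed file.

```shell
#!/bin/sh
# Added example (not part of the guide or of sbotools): verify a downloaded
# source tarball against the MD5SUM field of a SlackBuild .info file, the
# check the guide performs by hand with md5sum. The .info file and the
# "download" are constructed in a temporary directory so this runs offline.

# Print the value of one KEY="value" field from a .info file.
info_field() {
    # $1 = .info file, $2 = field name (e.g. MD5SUM or DOWNLOAD)
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1"
}

# Return 0 if the file's MD5 matches the .info MD5SUM, 1 otherwise.
verify_source() {
    # $1 = .info file, $2 = downloaded tarball
    expected=$(info_field "$1" MD5SUM)
    actual=$(md5sum "$2" | cut -d' ' -f1)
    if [ -z "$expected" ]; then
        echo "no MD5SUM field in $1" >&2
        return 1
    fi
    if [ "$expected" = "$actual" ]; then
        echo "OK: $2 matches MD5SUM in $1"
        return 0
    fi
    echo "MISMATCH: $2 (expected $expected, got $actual)" >&2
    return 1
}

# --- constructed demo data (not a real SlackBuild) -----------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'constructed stand-in for a source tarball\n' > "$demo_dir/demo-1.0.tar.gz"
demo_md5=$(md5sum "$demo_dir/demo-1.0.tar.gz" | cut -d' ' -f1)
cat > "$demo_dir/demo.info" <<EOF
PRGNAM="demo"
VERSION="1.0"
HOMEPAGE="https://example.invalid/demo"
DOWNLOAD="https://example.invalid/demo-1.0.tar.gz"
MD5SUM="$demo_md5"
REQUIRES=""
MAINTAINER="constructed example"
EOF
# A tampered copy: same purpose, different contents, so the hash must differ.
printf 'tampered contents\n' > "$demo_dir/tampered-1.0.tar.gz"

demo_ok()  { verify_source "$demo_dir/demo.info" "$demo_dir/demo-1.0.tar.gz"; }
demo_bad() { verify_source "$demo_dir/demo.info" "$demo_dir/tampered-1.0.tar.gz"; }

demo_ok
demo_bad || echo "(mismatch detected, as intended)"
```

Real .info files from SlackBuilds.org can wrap DOWNLOAD and MD5SUM across several lines with trailing backslashes when a build has multiple source files; this parser handles the single-line case shown in this guide. sbotools performs the same comparison for you, but seeing it done by hand makes clear what “the download is good” actually asserts: the tarball matches what the SlackBuild author hashed, nothing more.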
root@forensic1:~/sbotools# ls
README sbotools-2.3.tar.gz sbotools.info
sbotools.SlackBuild* slack-desc
The output from our md5sum command on the downloaded source matches the MD5SUM field in the sbotools.info file, so we know our download is good.
This is where, if we have not already done so, we need to read the README file (using cat or less), understand the caveats and possible optional dependencies, and then compile our source code and make our Slackware .tgz package. The latter two steps are simply accomplished by calling the SlackBuild file itself with ./sbotools.SlackBuild:
root@forensic1:~/sbotools# ./sbotools.SlackBuild
sbotools-2.3/
sbotools-2.3/sboclean
sbotools-2.3/man5/
sbotools-2.3/man5/sbotools.conf.5
...
Checking if your kit is complete...
Looks good
...
Creating Slackware package: /tmp/sbotools-2.3-noarch-1_SBo.tgz
...
usr/man/man1/sbosnap.1.gz
usr/man/man5/
usr/man/man5/sbotools.conf.5.gz
And looking at the last line of the output, we see that we have a usable .tgz Slackware package created for us in /tmp. All we need to do now is install the package with installpkg from pkgtools:
root@forensic1:~/sbotools# ls /usr/sbo/repo
CHECKSUMS.md5 TAGS.txt desktop/ ham/ office/
CHECKSUMS.md5.asc TAGS.txt.gz development/ haskell/ perl/
ChangeLog.txt academic/ doit.sh libraries/ python/
README accessibility/ games/ misc/ ruby/
SlackBuildS.TXT audio/ gis/ multimedia/ system/
SlackBuildS.TXT.gz business/ graphics/ network/
Once this is done, you can search, install and upgrade packages and their initial dependencies all from single commands using the following commands:
We'll be using sbotools to install software throughout the remainder of this document. But let's start with a quick example of a simple installation for some anti-virus/malware detection software that we'll cover later.
SBo: clamav-unofficial-sigs
Path: /usr/sbo/repo/network/clamav-unofficial-sigs
SBo: clamav
Path: /usr/sbo/repo/system/clamav
SBo: clamsmtp
Path: /usr/sbo/repo/system/clamsmtp
SBo: clamtk
Path: /usr/sbo/repo/system/clamtk
The clamav package is the third one down. Now I'm going to run sbofind again, but this time limit the output to an exact match for clamav (-e) with no tags (-t) and view the README file for the package (-r).
This build script should build a package that "just works" after
install. You will need to specify a two-letter country code (such as
"us") as an argument to the COUNTRY variable when running the build
script (this will default to "us" if nothing is specified). For
example:
COUNTRY=nl ./clamav.SlackBuild
You must have the 'clamav' group and user to run this script,
for example:
Configuration
See README.SLACKWARE for configuration help.
Now sbotools will download, check, unpack, configure, build and finally install the package for us. We'll continue to use this method to install software through the rest of this guide. We will cover ClamAV usage later in this document.
We'll also install another package we talked about previously. Back when we did our initial system inventory, we described the lshw command. We can install that easily from SlackBuilds.org using sboinstall.
First, let's make sure we can find lshw, and then read the README file:
It currently supports DMI (x86 and EFI only), OpenFirmware device tree
(PowerPC only), PCI/AGP, ISA PnP (x86), CPUID (x86), IDE/ATA/ATAPI, PCMCIA
(only tested on x86), USB, and SCSI.
One final note on package management. A complete list of packages installed on your system is maintained in /var/log/packages. You can browse that directory to see what you have installed, as well as view the files themselves to see what was installed with the package. One nice thing about using SlackBuilds is that an SBo tag is added to the package name. We can grep for this tag in /var/log/packages and see exactly which external packages we have installed via SlackBuilds. This is one of the great advantages of using a package manager vs. simply compiling and installing software from source directly: the ability to track what versions of which packages are installed.
We have just installed three packages using build scripts from SlackBuilds.org. One via manual download (sbotools), and two via sbotools (clamav and lshw). We can use grep to see this within the /var/log/packages directory (assuming this is a clean Slackware system and you've installed no other .tgz or .txz Slackware packages):
When it comes time to upgrade (or check for updates to) software we've installed via sbotools/SlackBuilds, you can use sbocheck. Running this command will fetch a fresh SlackBuilds tree from SlackBuilds.org and compare your installed packages to those currently available.
root@forensic1:~# sbocheck
Updating SlackBuilds tree...
0 0% 0.00kB/s 0:00:00 (xfr#0, to-chk=0/39779)
Checking for updated SlackBuilds...
root@forensic1:~# sboinstall -v
sbotools version 2.4
licensed under the WTFPL
<http://sam.zoy.org/wtfpl/COPYING>
The earlier caution still stands. Make sure you understand what you are installing and always, always read the README file.
In this section we'll run through a few of the acquisition tools that are available to us. We'll cover some of the collection issues, device information, image verification and more advanced mounting options. Obviously, the first thing we need to do is make sure we have a proper place to output the results of our imaging and analysis.
Analysis Organization
Before we start collecting evidentiary images and information that might become useful in a court or an administrative hearing, we might want to make sure we store all this data in an organized fashion. Obviously this is not something specific to Linux, but we need to make sure we have several file system locations ready to store and retrieve data:
1. Case specific directories or volumes used to store forensic images for a given case.
2. Case specific directories for storing forensic software output and subject media information.
3. Specific directories to be used as mount points for evidence images.
4. A log file of our actions. Documentation and note taking are an imperative part of proper forensics.
Wherever you might store your case data, you'll want to keep it organized. In most cases, when conducting an analysis, you'll want to make sure you are using “working copies” rather than the actual image files. This goes without saying. Practitioners will often collect images or other data directly as evidence. Copies will then be made of that evidence, with the originals being placed in some sort of controlled storage and additional copies (perhaps multiple additional copies) being made as “working copies”. We will discuss the simple creation of directories to store these files as we move through the upcoming pages. For starters, though, we will at least need a place to store images and media information, both for our evidence and for our working copy(s). The following is just an example of how you might organize the various directories in which you are storing data. Obviously nothing will be written to the subject disk (the disk we are analyzing). The next section will describe how to identify the correct disks so you don't confuse the subject disk with the disk or volume you will use to write your images to.
NOTE: All of these preparation steps should be taken before you connect a subject disk to your workstation to minimize the chances of writing to the wrong drive. Proper lab setup (dedicated imaging workstations or image storage, etc.) is outside the scope of this document. For simplicity and illustration, we'll assume you have a single workstation and will be collecting an image from one drive (subject) to image files on a mounted volume or local directory.
You may also want to prepare your evidence drive by wiping and verifying. We'll also cover that later once we've had a better introduction to imaging tools.
On the evidence drive (where evidence images are to be stored¹⁰) you might want to create a top level directory with a case number or other unique identifier for images. Depending on the tool you use to acquire, an acquisition log might be placed in this directory (or specified location). The only other files that might normally be kept with the original evidence images would be the acquisition log (more on that later) and perhaps the media information files (more on that later as well). Pay attention to the prompts in the following examples to ensure you have root permissions when needed (like when writing to the /mnt directory).
First, in order to make sure you have enough room on your target storage, you can run the df -h command. This “disk free” command will show you the free space on each of your mount points. For example, if you have a 1TB evidence drive plugged into your system, you confirm its detection and proper identification, mount it, and then check the free space:
root@forensic1:~# lsscsi
...
[29:0:0:0] disk ST1000DM 003-1ER162 6207 /dev/sdh
root@forensic1:~# df -h /mnt/evidence/
Filesystem Size Used Avail Use% Mounted on
/dev/sdh1 932G 190G 742G 21% /mnt/evidence
From this output, I can see that the file system mounted on /mnt/evidence has nearly 750GB of free space. The df command is used with -h to give “human readable” output, and the mount point is passed as an argument to limit the output. If given without arguments, df -h will show the free space on all mounted file systems.
¹⁰ This could be a mounted network share or a physical disk or other storage media that will be used to
root@forensic1:~# ls
case1/
Once you've prepared the evidence drive, you can connect the subject disk. Keep in mind our previous discussion regarding write blocking. It's always a good idea to use a physical write blocker. A default install of Slackware (using the XFCE desktop, at least) will not attempt to auto mount attached devices. But you should thoroughly test your system before relying on this (or any other operating system).
Write Blocking
A quick word on the issue of write protecting disk drives and other storage media. In the past, much was made about the ability to mount volumes as “read only” in Linux. This should never be trusted other than to provide the very minimum of protection against accidental changes to a working copy, or when no other options exist (and always document those instances). This guide is about using tools, so while covering acquisition policies is somewhat outside the scope of this document, it bears mentioning that write protection is something that should always be kept in mind. Modern computing environments are extremely complex, and unless you've tested every function in every possible setting, there's no way to be completely certain that some underlying kernel mechanism isn't making unknown or unexpected writes to poorly protected evidence drives through some previously untested interface or other mechanism.
With the subject disk connected, it's time for us to collect information about the drive, its capabilities, and specific identification.
Now we are ready to start collecting the information we'll need to effectively acquire evidence from source media. One of the first things we'll need to do is re-inventory our system's connected devices to ensure that we identify the correct subject disk. Normally you would have taken notes on the physical markings of the hard drive (or other media) as you removed it from the subject computer, etc. Some suggest an enlarged photocopy of the disk label as part of the acquisition notes, providing a reliable record of disk identification.
In this particular case, I will be using a USB to SATA bridge. Because there is some translation going on here, I want to make sure I can identify the bridge as well as the disk attached to it. So once the bridge is attached and powered on, I can run lsusb to see its information (bold for emphasis). If you are using a directly attached SATA drive, you will not need to run this command:
root@forensic1:~# lsusb
Bus 006 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
...
Bus 002 Device 007: ID 2109:0812 VIA Labs, Inc. VL812 Hub
Bus 002 Device 012: ID 174c:5106 ASMedia Technology Inc. ASM1051 SATA 3Gb/s bridge
Bus 002 Device 006: ID 2109:0812 VIA Labs, Inc. VL812 Hub
...
root@forensic1:~# lsscsi
[0:0:0:0] disk ATA INTEL SSDSC2CT12 300i /dev/sda
Now we can query the disk attached to the host using hdparm. In this case, the USB bridge supports SATA translation, so commands “pass through” the bridge to the drive itself. This tool can provide both detailed information as well as powerful commands to set options on a disk. Some of these options are useful for forensic examiners.
First, however, we are looking for information. For that we can use the simple hdparm with the -I option on our subject disk, /dev/sdc. This gives detailed information about the disk that we can redirect to a file for our records.
/dev/sdc:
Queue depth: 32
Standby timer values: spec'd by Standard, no device specific minimum
R/W multiple sector transfer: Max = 16 Current = ?
Recommended acoustic management value: 128, current value: 0
DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 udma5 *udma6
Cycle time: min=120ns recommended=120ns
PIO: pio0 pio1 pio2 pio3 pio4
Cycle time: no flow control=240ns IORDY flow control=120ns
Commands/features:
Enabled Supported:
* SMART feature set
Security Mode feature set
* Power Management feature set
* Write cache
* Look-ahead
* Host Protected Area feature set
* WRITE_BUFFER command
* READ_BUFFER command
* DOWNLOAD_MICROCODE
SET_MAX security extension
Automatic Acoustic Management feature set
* 48-bit Address feature set
* Device Configuration Overlay feature set
* Mandatory FLUSH_CACHE
* FLUSH_CACHE_EXT
* SMART error logging
* SMART self-test
* Gen1 signaling speed (1.5Gb/s)
* Native Command Queueing (NCQ)
* Software settings preservation
Security:
Master password revision code = 65534
supported
not enabled
not locked
not frozen
not expired: security count
not supported: enhanced erase
Checksum: correct
There's a lot of information laid out for us by hdparm. By comparing the first few lines (bold for emphasis) to the photocopy of the disk label shown previously, we've again confirmed we are collecting information from the correct disk. This command can be redirected to a file and saved to our case folder:
root@forensic1:~# ls
case1/
root@forensic1:~# ls case1/
case1.disk1.hdparm.txt
Note that you can keep a running log of things that you do by using a double redirect [>>] symbol to add all the case info to a single log. I would suggest not taking this approach as you learn, though. If you mistakenly use a single redirect [>], you risk clobbering an entire log file (recall that we can use our previously discussed chattr +a command to prevent this, setting the file to append only).
In previous versions of this document we used Sleuth Kit tools to accomplish this. But now hdparm can tell us if there is a DCO (and the changes actually implemented by the DCO). These can be manipulated using hdparm as well, but I will leave those advanced topics to your own research (hint: read man hdparm).
/dev/sdc:
max sectors = 78125000/78125000, HPA is disabled
/dev/sdi:
max sectors = 41943040/62914560, HPA is enabled
And the output from hdparm -I run against /dev/sdi would show only 41943040 (partial output for brevity):
Read the hdparm man page carefully and be aware of the options and conditions under which a DCO or HPA can be detected and removed. For example, restoring the full number of sectors on /dev/sdi would look like this.
/dev/sdi:
setting max visible sectors to 62914560 (temporary)
max sectors = 78125000/62914560, HPA is disabled
Should you come across a disk with an HPA or DCO, I would suggest, as the safest course of action, acquiring an image as the disk sits. Once an image of the disk is obtained, you can pass commands to remove protected areas and re-image.
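The detection itself can be automated from the line hdparm -N prints. The following is an added example, not from the guide or from hdparm: a shell function that parses the max sectors line, computes how many sectors the HPA hides, and returns a non-zero status so an acquisition script can stop and log before imaging. The sample lines are the two hdparm -N outputs shown above, passed in as strings; the device names are used only in messages.

```shell
#!/bin/sh
# Added example (not from the guide): parse the "max sectors" line that
# hdparm -N prints and report whether a Host Protected Area is hiding
# sectors. The line is passed as an argument, so the parser can be
# exercised on the sample lines shown in the guide without a disk attached.

# Print "<visible> <native> <hidden>" for one hdparm -N "max sectors" line.
# Returns 2 if the line does not have the expected shape.
hpa_sectors() {
    nums=$(printf '%s\n' "$1" | sed -n 's/.*max sectors = \([0-9][0-9]*\)\/\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$nums" ] || return 2
    visible=${nums% *}
    native=${nums#* }
    echo "$visible $native $((native - visible))"
}

# Return 0 if every sector is visible, 1 if an HPA hides part of the disk,
# 2 if the output could not be parsed. Prints a one-line verdict that can be
# appended to the acquisition log.
hpa_check() {
    # $1 = device name (for the message only), $2 = hdparm -N output line
    dev=$1
    parsed=$(hpa_sectors "$2") || {
        echo "$dev: could not parse hdparm -N output, inspect by hand" >&2
        return 2
    }
    native=$(echo "$parsed" | cut -d' ' -f2)
    hidden=${parsed##* }
    if [ "$hidden" -eq 0 ]; then
        echo "$dev: no HPA, all $native sectors visible"
        return 0
    fi
    echo "$dev: HPA hides $hidden of $native sectors; image as the disk sits, record in log"
    return 1
}

# Sample lines copied from the hdparm -N listings in the guide.
SAMPLE_SDC='max sectors = 78125000/78125000, HPA is disabled'
SAMPLE_SDI='max sectors = 41943040/62914560, HPA is enabled'

hpa_check /dev/sdc "$SAMPLE_SDC"
hpa_check /dev/sdi "$SAMPLE_SDI" || true
```

In practice you would feed it the output of hdparm -N on the subject disk. A DCO is reported by a different hdparm command (see man hdparm, as the guide suggests), so a clean HPA result does not by itself rule out hidden sectors.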
Hashing Media
One important step in any evidence collection is verifying the integrity of your data both before and after the acquisition is complete. You can get a hash (MD5, or SHA) of the physical device in a number of different ways.
In this example, we will use the SHA hash. SHA is a hash signature generator that supplies a 160 bit “fingerprint” of a file or disk (which is represented by a file-like device node). It is not feasible for someone to computationally recreate a file based on the SHA hash. This means that matching SHA signatures mean identical files. There has been a lot of talk in the digital forensic community over the years of (even recent) proof of “collisions” that render certain hash algorithms “obsolete”. This guide is about learning the tools. Do your research and check your agency or community guidelines for additional information on which algorithm to select.
or
The redirection in the second command allows us to store the signature in a file and use it for verification later on. To get a hash of a raw disk (/dev/sdc, /dev/sdd, etc.) the disk does NOT have to be mounted. We are hashing the device (the disk), not the contents. As we discussed earlier, Linux treats all objects, including physical disks, as files. So whether you are hashing a file or a hard drive, the command is the same.
Now that we have collected information on our subject media and obtained a hash of the physical disk for verification purposes, we can begin our acquisition.
This is your standard forensic image of a suspect disk. The dd command will copy every bit from the kernel accessible areas of the media to the destination of your choice (a physical device or file). There are a couple of concepts to keep in mind when using dd. Some of these concepts also apply to the other forensic imaging tools we will cover. In very basic form, the dd command looks like this:
As part of our case organization, we'll make a new directory images in our case1 directory. This is where we will keep working copies of our images. Normally, you would create images directly to either a larger drive that has been sanitized, or to a network storage volume that is used to maintain original copies. That will depend on your specific policies.
In this case, for illustration, we will image directly to our case1/images directory. I prefer keeping images separate as it allows protecting the directory with attributes that prevent changes or deletions to our working copy image files, once we've completed the imaging process.
To keep our dd command line shorter, we'll change into our case1/images directory (cd case1/images) and write our output file there. Without needing to specify the directory (we are writing to the current directory), we keep the command line shorter and easier to read.
root@forensic1:~# cd case1/images
root@forensic1:~/case1/images# dd if=/dev/sdc of=case1.disk1.raw bs=512
78125000+0 records in
78125000+0 records out
40000000000 bytes (40 GB, 37 GiB) copied, 939.898 s, 42.6 MB/s
This takes your disk device /dev/sdc as the input file if and writes the output file of called case1.disk1.raw in the current directory /root/case1. The bs option specifies the block size. This is really not needed for most block devices (hard drives, etc.) as the Linux kernel handles the actual block size. It's added here for illustration, as it can be a useful option in many situations (discussed later).
Using dd creates an exact duplicate of the physical device file. This includes all the file slack and unallocated space. We are not simply copying the logical file structure. Unlike many forensic imaging tools, dd does not fill the image with any proprietary data or information. It is a simple bit stream copy from start to end. This has a number of advantages, as we will see later.
You can see from our output above that dd read in the same number of records (512 byte blocks, in this case) as the number of sectors for this disk previously reported by hdparm -I, 78125000. To verify your image, we can do the following. We want to recall the hash we obtained from the original device (/dev/sdc), which we stored in the file case1/case1.disk1.sha1.txt and compare that to the hash of the image file we just obtained.
You can see the two hashes match, verifying our image as a true copy of the original drive. Take note of the first command. Remember that we are currently in the case1/images directory. The hash file case1.disk1.sha1.txt is stored in the parent directory, case1. When we issue our cat command (stream the contents of a file), we use the ../ notation to indicate that the file we are calling is in the parent directory (..).
It has become common practice for digital forensics to split the output of our imaging. This is done for a number of reasons, either for archiving or for use in another program. We will first discuss using split on its own, then in conjunction with dd for "on the fly" splitting.
For example, we have our 40GB image and we now want to split it into 2GB parts so they can be written to DVD media, for example [11]. Or, if you wish to store the files on a file system with limited file sizes and need a particular size, you might want to split the image into 2GB pieces. For this we use the split command.
This would result in 20 files (2GB in size) each named with the prefix case1.split1. as specified in the command, followed by 000, 001, 002, and so on. The -a option with 3 specifies that we want the extension to be at least 3 digits long. Without -a 3, our files would be named *.01, .02, .03, etc. Using 3 digits maintains consistency with other tools. Note the trailing dot in our output file name. We do this so the suffix is added as a file extension rather than as a suffix string appended to the end of the name string.
[11] There are better ways to store archived images. We are using this file size as an example only.
The process can be reversed. If we want to reassemble the image from the split parts, we can use the cat command and redirect the output to a new file. Remember cat simply streams the specified files to standard output. If you redirect this output, the files are assembled into one.
In the above command we've re-assembled the split parts into a new 40GB image file. The original split files are not removed, so the above command will essentially double your space requirements if you are writing to the same mounted device/directory.
Once we have the image, the same technique using cat will allow us to reassemble it for hashing or analysis as we did with the split images above.
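As an added example (not from the guide), the split, cat and sha1sum steps described above are put together into a small script that checks a set of split parts against the hash recorded for the original device, and reassembles them. The "disk", the part names and the hash file are all constructed here; GNU coreutils (split -d, head -c) is assumed.

```shell
#!/bin/sh
# Added example, not from the guide: verify split raw image parts against the
# hash of the original device using the same cat | sha1sum technique the text
# describes, then reassemble them.  All data below is constructed.

# Hash stdin and print only the hex digest (drop sha1sum's trailing " -").
sha1_of_stream() {
    sha1sum | awk '{ print $1 }'
}

# verify_split_image HASHFILE PREFIX
# Streams PREFIX000, PREFIX001, ... in glob order through sha1sum and compares
# the digest with the first field of HASHFILE (sha1sum's "<hash>  <path>").
# The zero-padded -a 3 suffixes are what make the glob order correct.
# Returns 0 on match, 1 on mismatch.
verify_split_image() {
    hashfile=$1
    prefix=$2
    expected=$(awk 'NR == 1 { print $1 }' "$hashfile")
    actual=$(cat "$prefix"* | sha1_of_stream)
    if [ "$expected" = "$actual" ]; then
        echo "[ok] $actual"
        return 0
    fi
    echo "MISMATCH: expected $expected, got $actual"
    return 1
}

# reassemble_split_image PREFIX OUTFILE: cat the parts back into one file.
reassemble_split_image() {
    cat "$1"* > "$2"
}

# --- constructed test case in a scratch directory (removed on exit) ---------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A 300000-byte "disk" with deterministic content.
yes "constructed sector payload" | head -c 300000 > "$WORK/sample.disk.raw"

# Hash the "device" first, stored like the guide's case1.disk1.sha1.txt.
sha1sum "$WORK/sample.disk.raw" > "$WORK/sample.disk.sha1.txt"

# Split into 65536-byte parts: sample.split1.000 ... sample.split1.004
split -d -a 3 -b 65536 "$WORK/sample.disk.raw" "$WORK/sample.split1."

# Simulate a damaged copy of the set: same parts, one byte overwritten in 002.
for n in 000 001 002 003 004; do
    cp "$WORK/sample.split1.$n" "$WORK/bad.split1.$n"
done
printf 'X' | dd of="$WORK/bad.split1.002" bs=1 seek=100 conv=notrunc 2>/dev/null

verify_split_image "$WORK/sample.disk.sha1.txt" "$WORK/sample.split1."
verify_split_image "$WORK/sample.disk.sha1.txt" "$WORK/bad.split1." \
    || echo "damaged set rejected as expected"

reassemble_split_image "$WORK/sample.split1." "$WORK/sample.reassembled.raw"
cmp -s "$WORK/sample.disk.raw" "$WORK/sample.reassembled.raw" \
    && echo "reassembled image is byte-identical to the original"
```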
For practice, you can use a small USB thumb drive if you have one available and try this method on that, splitting it into a reasonable number of parts. You can use any sample drive, being sure to replace our device node in the following command with /dev/sdx (where x is your thumb drive, other media). Obtain a hash first, so that we can compare the split files and the original and make sure that the splitting changes nothing.
This example uses a 128M USB drive that is arbitrarily split into 32M chunks for manageable output. Follow along with the commands, and experiment with options while watching changes in the resulting output. It's the best way to learn. We'll start by identifying the thumb disk with lsscsi as soon as it's plugged in (output is abbreviated for readability):
root@forensic1:~# lsscsi
...
[38:0:0:0] disk SanDisk Cruzer Mini 0.2 /dev/sdd
We'll have some more fun with this command later on. It is more than just an imaging tool.
There are a number of forensic specific tools out there for Linux users that wish to acquire evidence. Some of these tools include:
This is not an exhaustive list. These, however, are some of the more commonly used (as far as I know). We will cover dc3dd, ewfacquire, and ddrescue in this document.
dc3dd
The first alternative imaging tool we will cover is dc3dd. This imaging tool is based on original (patched) code from dd. It is very similar to the popular dcfldd but provides a slightly different feature set. My choice of whether to cover either dcfldd or dc3dd is largely arbitrary. dc3dd is maintained by the DoD (Department of Defense) Cyber Crime Center (otherwise known as DC3) [12]. Regardless of which (dc3dd or dcfldd) you prefer, familiarity with one of these tools will translate very nicely to the other with some reading and experimentation, as they are very similar. While there are significant differences, many of the features we discuss in this section are common to both dc3dd and dcfldd.
The source package and more information for dc3dd can be found at https://sourceforge.net/projects/dc3dd/ .
The man page for dc3dd is concise and easy to read. All the information you need to use the advanced features of this imaging tool is neatly laid out for you.
Let's have a look at the basic usage of dc3dd. As you read through the usage section of the man page, you'll notice a number of additions to regular dd for the forensic examiner. Let's concentrate on these notable additions:
hof=FILE or DEVICE : hash the output file: Similar to the of= parameter for dd, this writes the specified output file and hashes and verifies the output bytes as well. This essentially takes the place of hashing your image with sha1sum or md5sum after it completes.
ofs=BASE.FMT : split the output file: Split the output file, and use the name BASE and specify the file extension for each split file using FMT. This format can be numerical or alphabetical, and you can specify the length by the number of characters you include in FMT.
hofs=BASE.FMT : hash and split the output file: This is essentially a combination of the first two parameters above.
[12] dcfldd is also named for a DoD entity – the Defense Computer Forensics Lab.
If we redo our imaging of /dev/sdc using dc3dd with simple if= and of= parameters, as we used with dd, the session would look something like this. Note that we are still in our ~/case1/images directory and that we are writing the log file to the parent directory:
Our input file is still sdc (if=/dev/sdc), our output file is now case1.disk1.dc3dd.raw (of=case1.disk1.dc3dd.raw). One of the first things you notice right away is that dc3dd returns more usable information while the program is running. It gives you a very nice progress indicator, unlike dd. We also see immediately that the correct number of sectors for /dev/sdc were captured (78125000), and that there were no "bad" sectors detected. The start and stop timestamps are also added by default. If you specify a log file, this information is all captured very nicely. We will look at the hashing options and logging in more detail in a little while.
dc3dd has also incorporated the hashing, splitting and logging of an acquisition into a single command. All of this can be done with regular dd and external tools (with pipes, redirection or scripting), but there is no doubt many practitioners prefer an integrated approach. The standard options available to the regular dd command are still readily available in dc3dd (bs, skip, etc.).
More than just incorporating the other steps into a single command, dc3dd extends the functionality. For example, using a regular split command with dd as we did in a previous exercise, we can either allow the default alphabetic naming convention of split, or pass the -d option to provide us with decimal extensions on our files. In contrast, dc3dd allows us to not only define the size of each split as an option to the imaging command (using ofsz) without need for a piped command, but it also allows more granular control over the format of the extensions each split will have as part of its file name. So, to split a 40 GB disk into 2 GB images, I would simply use:
ofs=BASENAME.FMT ofsz=2G
The ofs parameter is essentially "output file split". The extension following the output file names is directly formatted in the command itself. According to the dc3dd man page:
I can adjust the values for FMT, and my split file extensions would change accordingly:
In addition, when using regular GNU dd, our hashing functions are performed external to the imaging, by either the md5sum or sha1sum commands, depending on the analyst's preference for algorithm. dc3dd allows the user to run BOTH hashes concurrently on an acquisition and log the hashes. Before we run our split images with dc3dd, let's look at the hashing options a little closer.
We select our hash algorithm with the option hash=, specifying any of md5, sha1, sha256, sha512, or a comma separated list of algorithms. In this way you can select multiple hash methods for a single image file. These will be written to a log file we indicate, a special hash log, or to standard output if no log is specified.
dc3dd also provides hof and hofs parameters. The hof option acts much like of, but hashes the output, compares it to the input and records it. You must select a hash algorithm. hofs acts much like ofs, splitting the output into chunk sizes specified by ofsz. The hofs option differs in that it also hashes each of the input/output streams and compares and logs them for each chunk.
You can pass the log=filename parameter to log all output in a single place, or you can log hashes separately using the hlog=filename option.
Let us redo our dd example with the 128M thumb drive. This time we will use dc3dd. Aside from the options covered above, we will also use the . We will discuss the options and output below.
root@forensic1:~# lsscsi
...
[38:0:0:0] disk SanDisk Cruzer Mini 0.2 /dev/sdd
The resulting output (shown by our ls command below) gives us 4 split image files, with numerical extensions starting with 000. We also have a log file of our hashes and any error messages, which we can view with less or cat:
As previously discussed, the log file contains our hashes and our error messages. For the hashes, the input hash from the imaged device is displayed first (for each hash we requested). Then the output hashes are displayed for each of the output files. If the input hash matches the output hash for a given range (or the whole device), the output hash is preceded with [ok] so you do not have to manually compare the output.
The log file ends with a timestamp for your documentation.
The demonstration above illustrates collecting two images simultaneously. You can see we selected to hash the output files (hof) using the md5 algorithm (hash=md5). The output shows the single input stream was hashed, but there are two output streams, and each was hashed and verified separately. This is a very useful feature of dc3dd.
Note again that dc3dd outputs raw images. They can be hashed exactly the same as dd output: directly hashed with your hashing algorithm of choice (sha1sum, md5sum, etc.), or in the case of split files, using the cat command to stream the output of multiple files to the hash program.
Now we'll continue our look at alternative imaging tools with a utility that is used to collect and manipulate Expert Witness (E01 or EWF) files, one of the more ubiquitous formats used in computer forensics today.
We will explore a set of tools here belonging to the libewf project. These tools provide the ability to create, view, convert and work with expert witness evidence containers.
One of the benefits of covering libewf before other advanced forensic utilities is because it needs to be installed first in order to supply the required libraries for other packages to support EWF image formats. The libewf tools and detailed project information can be found at https://github.com/libyal/libewf/
...
Executing install script for libewf-20140608-x86_64-2_SBo.tgz.
Package libewf-20140608-x86_64-2_SBo.tgz installed.
● ewfacquire
● ewfverify
● ewfinfo
● ewfexport
● ewfacquirestream (in a later section)
root@forensic1:~# lsscsi
...
[2:0:0:0] disk SanDisk Cruzer Mini 0.2 /dev/sdb
Device information:
Bus type: USB
Vendor: SanDisk
Model: Cruzer Mini
Serial:
Use EWF file format (ewf, smart, ftk, encase1, encase2, encase3, encase4, encase5,
encase6, linen5, linen6, ewfx) [encase6]:
Compression method (deflate) [deflate]:
Compression level (none, empty-block, fast, best) [none]:
Start to acquire at offset (0 <= value <= 128450048) [0]:
The number of bytes to acquire (0 <= value <= 128450048) [128450048]:
Evidence segment file size in bytes (1.0 MiB <= value <= 7.9 EiB) [1.4 GiB]: 32M
The number of bytes per sector (1 <= value <= 4294967295) [512]:
The number of sectors to read at once (16, 32, 64, 128, 256, 512, 1024, 2048,
4096, 8192, 16384, 32768) [64]:
The number of sectors to be used as error granularity (1 <= value <= 64) [64]:
The number of retries when a read error occurs (0 <= value <= 255) [2]:
Wipe sectors on read error (mimic EnCase like behavior) (yes, no) [no]:
Status: at 20%.
acquired 25 MiB (26443776 bytes) of total 122 MiB (128450048 bytes).
completion in 16 second(s) with 6.1 MiB/s (6422502 bytes/second).
...
Written: 122 MiB (128450236 bytes) in 2 minute(s) and 23 second(s) with 877 KiB/s
(898253 bytes/second).
You can also issue a single command and specify those options we used above on the command line. For example, to get similar results, we can issue the following command:
Written: 122 MiB (128450392 bytes) in 16 second(s) with 7.6 MiB/s (8028149
bytes/second).
MD5 hash calculated over data: 43108c653d4724181cf8eed75c20cde4
SHA1 hash calculated over data: 80db4ca23ba091169d1cff8d007e23d32ea97f36
ewfacquire: SUCCESS
You can look at the individual options provided in the command above by viewing man ewfacquire. Essentially this command allows us to run ewfacquire without having to answer any prompts. The important options to note here are the -d that allows us to specify an additional checksum algorithm and the -u (unattended mode) that forces ewfacquire to use the defaults for options not specified. Make sure you know what you are doing before running the command unattended.
Once acquired, the resulting files from ewfacquire are compatible with any software that will read EWF format images. We'll be using some forensic utilities later to do just that.
Let's look now at ewfinfo and ewfverify. These two tools, also included with libewf, provide information on any properly formatted EWF files you may come across.
ewfinfo simply reads the image metadata that was entered during the imaging process. It will work with image files acquired using other software as well, as long as it is in a proper EWF format. For the files we just collected, using ewfacquire, the output would look like this (Note the Operating system used and the Software version used):
Acquiry information
Case number: 2017-001
Description: Thumb drive seized from bad guy
Examiner name: Barry J. Grundy
Evidence number: 2017-001-002
Acquisition date: Tue Apr 25 12:39:04 2017
System date: Tue Apr 25 12:39:04 2017
Operating system used: Linux
Software version used: 20140608
Password: N/A
Model: Cruzer Mini
EWF information
File format: EnCase 6
Sectors per chunk: 64
Error granularity: 64
Compression method: deflate
Compression level: no compression
Set identifier: 780ec790-8375-2f46-abad-ce393e8b7fa5
Media information
Media type: removable disk
Is physical: yes
Bytes per sector: 512
Number of sectors: 250879
Media size: 122 MiB (128450048 bytes)
If you run ewfinfo on files collected using tools other than ewfacquire (EnCase under Windows, for example), the output might look like this. Note the Operating system used and Software version used fields. These give some hint as to how the files were created (EnCase version 7 on Windows 7).
Acquiry information
Description: TestImage
Examiner name: Susan B. Analyst
Acquisition date: Fri Feb 17 13:59:50 2017
System date: Fri Jan 13 16:10:42 2017
Operating system used: Windows 7
Software version used: 7.10.05
Password: N/A
Model: ST2500
Serial number: 03-016831-C
Device label: WT055 12
Extents: 0
EWF information
File format: unknown
Sectors per chunk: 64
Error granularity: 64
Compression method: deflate
Compression level: best compression
Set identifier: ff582a89-3aba-cf46-a634-75edf9c15a97
Media information
Media type: physical
Is physical: yes
Bytes per sector: 512
Number of sectors: 250044416
Media size: 119 GiB (128022740992 bytes)
Also note that the MD5 value shown is the value of the data, NOT the image files themselves. Hashing the image files will not allow you to verify against the hash of the original media – the E0* files contain meta data and so do not represent an exact copy of the source media. If you want to verify the hash of the data after it's been moved, you need to use a tool like ewfverify.
Hashing the data in EWF files requires a tool that recognizes the metadata associated with an EWF file and can parse and hash the original data. For this we use ewfverify.
Read: 122 MiB (128450048 bytes) in 1 second(s) with 122 MiB/s (128450048
bytes/second).
ewfverify: SUCCESS
This command simply rehashed the data and compared it to the hash already stored within the file. Every time you move data between volumes, it's always good practice to check that the data is still intact. ewfverify allows you to accomplish this integrity check quickly and efficiently with EWF files.
One last command in the libewf suite of tools. Let's talk about those situations where you've been provided a set of image files (or file) that were obtained using a popular Windows forensic tool. There will be times where you would like to read the meta-data included with the images, verify the contents of the images, or export or convert the images to a bit stream (or what we refer to as a dd) format. Once again, the libewf tools come in handy. They operate at the Linux command line, don't require any other special software, license, or dongle and are very fast. We will use a copy of an NTFS practical exercise image we will see more of later in our upcoming advanced exercises. The EWF files we'll be working on can be downloaded using wget, as we have done previously. Once downloaded, check the hash and compare:
The above tar command will list (t) and decompress (z) the file (f) NTFS_Pract_2017_E01.tar.gz. This allows you to see where the file will be extracted, and as the output shows, there are five files that will be extracted to a new directory, NTFS_Pract_2017/, in the current directory. We will use the tar command extensively throughout this document for downloaded files.
Now we actually untar the images with the tar x option and change into the resulting directory:
root@forensic1:~# cd NTFS_Pract_2017
root@forensic1:~/NTFS_Pract_2017#
The first thing we can do is run the ewfinfo command on the first file of the image set. This will return the meta-data that includes acquisition and media information, as we've seen previously. We learn the version of the software that the images were created with, along with the collection platform, date of acquisition, name of the examiner that created the image with the description and notes. Have a look at the output of ewfinfo on our file set (you only need provide the first file in the set as an argument to the command):
Acquiry information
Case number: 11-1111-2017
Description: Practical Exercise Image
Examiner name: Barry J. Grundy
Evidence number: 11-1111-2017-001
Notes: This image is for artifact recovery.
Acquisition date: Mon May 1 18:19:14 2017
System date: Mon May 1 18:19:14 2017
Operating system used: Linux
Software version used: 20140608
Password: N/A
EWF information
File format: EnCase 6
Sectors per chunk: 64
Error granularity: 64
Compression method: deflate
Compression level: no compression
Set identifier: f9f1b88f-9ac9-e04f-bfe5-195039426d7c
Media information
Media type: fixed disk
Is physical: yes
Bytes per sector: 512
Number of sectors: 1024000
Media size: 500 MiB (524288000 bytes)
You can see from our output below that the NTFS_Pract_2017.E0* file set verifies without error. The hash obtained during the verification matches that stored within the file:
Read: 500 MiB (524288000 bytes) in 1 second(s) with 500 MiB/s (524288000
bytes/second).
Now we'll look at ewfexport. This tool allows you to take an EWF file set and convert it to a bit stream image file, essentially removing the meta-data and leaving us with the data in raw format, as with dd. It is interesting to note that ewfexport can actually write to standard output, making it suitable for piping to other commands. Here, we issue the command with several options that result in the EWF file being exported to a raw image.
Written: 500 MiB (524288000 bytes) in 1 second(s) with 500 MiB/s (524288000 bytes/
second).
MD5 hash calculated over data: eb4393cfcc4fca856e0edbf772b2aa7d
ewfexport: SUCCESS
We use the -t option ("target") to write to a file. The -f option with raw indicates that the file format we are writing to is raw, as with dd output. We use -u to accept the remaining defaults and prevent an interactive session. This results in a single raw file that has the same hash as the original media (see the output of the md5sum command). We also see an XML formatted .info file that contains the hash value [13].
[13] The output of this command might differ greatly depending on the version of libewf you install. Some repositories might use versions that do not append the .raw extension or provide an .info file.
At this point, we've covered dd, dc3dd, ewfacquire and common methods for checking the integrity of and exporting the collected images.
Now that we have a basic understanding of media acquisition and the collection of evidence images, what do we do if we run into an error? Suppose you are creating a disk image with dd and the command exits halfway through the process with a read error?
Testing has shown that standard dd based tools are simply inadequate for acquiring disks that have actual errors. This is NOT to say that dd, dc3dd or dcfldd are useless – far from it. They are just not optimal for error recovery. You may be forced to use dd or dc3dd because of limits to external tool access or considerations of time. We teach dd in this guide because there are instances where it may be the only tool available to you. In those cases, understanding the use of command line options to optimize the recovery of the disk regardless of errors is important for evidence preservation. However, if there are options, then perhaps a different tool would make sense.
This section is not meant to provide an education on disk errors, media failure, or types of failure. Nor is it meant to imply that any tool is better or worse than any other. I will simply describe the basic functionality and leave it to the reader to pursue the details.
First, let's start with some of the issues that arise with the use of common dd based tools. For the most part, these tools take a "linear" approach to imaging, meaning that they start at the beginning of the input file and read block by block until the end of the file is reached. When an error is encountered, the tool will either fail with an "input/output" error, or if a parameter such as conv=noerror is passed, will ignore the errors and attempt to read through (or skip) them, continuing to read block by block until it comes across readable data again. Here is a simple dd command on a disk with errors. The disk is 41943040 sectors:
The dd command above was only able to read 12840 sectors (which is 6574080 bytes, as the dd output shows). The same command, this time using conv=noerror,sync, will ignore the error, pad the error sectors with null bytes, and continue on:
12840+2 records in
12842+0 records out
6575104 bytes (6.6 MB, 6.3 MiB) copied, 0.163989 s, 40.1 MB/s
dd: error reading '/dev/sdf': Input/output error
12840+3 records in
12843+0 records out
6575616 bytes (6.6 MB, 6.3 MiB) copied, 0.16426 s, 40.0 MB/s
dd: error reading '/dev/sdf': Input/output error
12840+4 records in
12844+0 records out
...
41943024+16 records in
41943040+0 records out
21474836480 bytes (21 GB, 20 GiB) copied, 1249.57 s, 17.2 MB/s
Obviously, simple failure ("giving up" when errors are encountered) is not good. Any data in readable areas beyond the errors will be missed. The problem with ignoring errors and attempting to read through them (using options like conv=noerror) is that we are further stressing a disk that is already possibly on the verge of complete failure. The fact of the matter is that you may get few chances at reading a disk that has recorded "bad sectors". If there is an actual physical defect, the simple act of reading the bad areas may make matters worse, leading to disk failure before other viable areas of the disk are collected. All of this applies, of course, to disks with "physical" storage. Solid state storage is another matter entirely.
In a nutshell, that is the philosophy behind ddrescue. Used properly, ddrescue will read the "healthy" portions of a disk first, and then fall back to recovery mode – trying to read data from bad sectors. It does this through the use of some very robust logging (recent versions of ddrescue now refer to the log file as a map file), which allows it to resume any imaging job at any point, given a map file to work from. This is an important (perhaps the most important) point about using ddrescue - that is, with a map file you never need to re-read already successfully recovered sectors. When ddrescue references the map file on successive runs, it fills in the gaps; it does not "redo" work already finished.
The documentation for ddrescue is excellent. The detailed manual is in an info page. The command info ddrescue will give you a great start to understanding how this program works, including examples and the ideas behind the algorithm used. I'll run through the process here, but I strongly advise that you read the info page for ddrescue before attempting to use it on a case.
The first consideration when using any recovery software is that the disk must be accessible by the Linux kernel. If the drive does not show up in the /dev structure, then there's no way to get tools like ddrescue to work.
Next, we have to have a plan to recover as much data as we can from a bad drive. The prevailing philosophy of ddrescue is that we should attempt to get all the good data first. This differs from normal dd based tools, which simply attempt to get all the data at one time in a linear fashion. ddrescue uses the concept of "splitting the errors". In other words, when an area of bad sectors is encountered, the errors are split until the "good" areas are properly imaged and the unreadable areas marked as bad. Finally, ddrescue attempts to retry the bad areas by re-reading them until we either get data or fail after a certain number of specified attempts.
There are a number of ingenious options to ddrescue that allow the user to try and obtain the most important part of the disk first, then move on until as much of the disk is obtained as possible. Areas that are imaged successfully need not be read more than once. As mentioned previously, this is made possible by a robust map file. The map file is written periodically during the imaging process, so that even in the event of any interruption, the session can be restarted, keeping duplicate imaging efforts, and therefore disk access, to a minimum.
Given that we are addressing forensic acquisition here, we will concentrate all our efforts on obtaining the entire disk, even if it means multiple runs. The following examples will be used to illustrate how the most important options to ddrescue work for the forensic examiner. We will concentrate on detailing the map file used by ddrescue so that the user can see what is going on with the tool, and how it operates.
Let's look at a simple example of using ddrescue on a small drive without errors, to start. The simplest way to run ddrescue is by providing the input file, output file and a name for our map file. Note that there is no if= or of=. In order to get a good look at how the map file works, we'll interrupt our imaging process halfway through, check the map file to illustrate how an interruption is handled, and then resume the imaging.
The map file shows us the current status of acquisition [14]. Lines starting with a # are
comments. There are two sections of note. The first non-comment line shows the current
status of the imaging while the second section (two lines, in this case) shows the status of
various blocks of data. The values are in hexadecimal, and are used by ddrescue to keep track
of those areas of the target device that have marked errors, those areas that have already been
successfully read and written, and those that remain to be read. The status symbols we will
discuss here (taken from the info page) are as follows:
Character   Meaning
?           non-tried
*           bad area non-trimmed
/           bad area non-scraped
-           bad hardware block(s)
+           finished
[14] The ddrescue info page has a very detailed explanation of the map file structure.
# current_pos current_status
0x40B10000 ?
- The status shows that the current imaging process is copying data at byte offset
1085341696 (0x40B10000). In our first pass, this indicates the “non-tried” blocks.
- The data blocks from byte offset 0 (0x00000000) of size 1085341696 bytes
(0x40B10000) are finished.
- The data block from offset 1085341696 (0x40B10000) of size 1062137856 bytes
(0x3F4EF000) are still not tried.
Note also that the size of our partial image file matches the size of the block of data
marked “finished” with the + symbol in our log file (size bold for emphasis):
root@forensic1:~# ls -l ddres.img.raw
-rw-r--r-- 1 root root 1085341696 May 3 13:12 ddres.img.raw
We can continue and complete the copy operation now by simply invoking the same
command. By specifying the same input and output files, and by providing the map file, we tell
ddrescue to continue where it left off:
Current status
ipos: 2147 MB, non-trimmed: 0 B, current rate: 3141 kB/s
opos: 2147 MB, non-scraped: 0 B, average rate: 55901 kB/s
non-tried: 0 B, errsize: 0 B, run time: 19s
rescued: 2147 MB, errors: 0, remaining time: n/a
root@forensic1:~# ls -l ddres.img.raw
-rw-r--r-- 1 root root 2147479552 May 4 09:19 ddres.img.raw
The real power of the map file lies in the fact that we can start and stop the imaging
process as needed and potentially attack the recovery from different directions (using the -R
option to read the disk in reverse) until you’ve scraped together as much of the original data as
you can. For example, if you had two identical disks, with mirrored data, and both had bad or
failing sectors, you could probably reconstruct a complete image by imaging both with
ddrescue and using the same map file (and output file). Once recovered and recorded as such
in the map file, sectors are not accessed again. This limits the stress to the disk.
Using a disk with known errors we’ll invoke ddrescue with some additional options.
In this case, I may have started imaging a subject disk using a common tool like dd or dc3dd,
and found that the copy failed with errors. Knowing this, I’ll switch to using ddrescue. The
options in the below command are -i0 to indicate starting at offset 0. Offset 0 is the default,
but I’m being explicit here. There are situations where you might want to start at a different
offset and then go back; the map file allows for this easily. The -d option means that we are
going to directly access the disk, bypassing the kernel cache. Next, the -N option is provided to
prevent ddrescue from “trimming” the bad areas that are found. This option allows ddrescue
to start the recovery process by collecting good data first, disturbing the error areas as little as
possible.
The output above shows a couple of things (highlights for emphasis). We have the
completed initial run with the -N option, and the output shows that we have 655536 bytes “non-
trimmed”, indicating an area of errors. The map file shows the position of the un-copied area of
the disk (offset 0x00640000) and a size of 0x00010000 (655536 bytes). The status of this area is
indicated with an asterisk. Note that the 655536 bytes is exactly 128 sectors, and this is the
default “cluster” size used by ddrescue. This does not mean that there are 128 sectors that
cannot be read. It simply means that the entire cluster could not be read, and the -N option
prevented “trimming”, or paring the sectors down to smaller readable chunks. The cluster size
can be controlled with the --cluster-size=X option, where X is the number of sectors in a
cluster. We now have a partial image.
Now we can continue the imaging with the same input and output file, and the same
map file, but this time we remove the -N option, allowing error areas to be trimmed, and we
add the -r option to specify the number of retries when a bad sector is encountered, which is
three in this case.
Current status
ipos: 6579 kB, non-trimmed: 0 B, current rate: 62464 B/s
opos: 6579 kB, non-scraped: 0 B, average rate: 62464 B/s
non-tried: 0 B, errsize: 3072 B, run time: 1s
rescued: 21474 MB, errors: 1, remaining time: 1s
percent rescued: 99.99% time since last successful read: 0s
Finished
The output shows that our “non-trimmed” areas are now 0, and the error size is 3072
bytes. Looking at the map file, we see that there is a section of the disk that is marked with the
“-”, indicating bad hardware blocks, which in this case are unrecoverable. The size in the map
file (0x00000C00) matches the errsize in the output (3072). This means we have 6 bad
sectors (512 bytes each).
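The map file reading done by hand above (matching the finished block to the partial image size, and turning a “-” block into an errsize and a sector count) can be automated. The following is an added example, not code from the guide; the two map files in it are constructed to mirror the numbers used in the text, and the contiguity check is an assumption about well-formed maps taken from the info page description.

```python
"""Added example, not from the guide: parse a ddrescue map file and
summarise it the way the text above reads it by hand.

Layout, per the ddrescue info page: '#' lines are comments, the first data
line is the status line (current_pos current_status, newer versions add a
current_pass field), and each following line is a block "pos size status"
in hexadecimal.  The two sample maps below are constructed to mirror the
numbers used in the text.
"""
from collections import Counter
from dataclasses import dataclass

SECTOR = 512

STATUS_NAMES = {
    "?": "non-tried",
    "*": "bad area non-trimmed",
    "/": "bad area non-scraped",
    "-": "bad hardware block(s)",
    "+": "finished",
}


@dataclass
class Block:
    pos: int
    size: int
    status: str


def parse_mapfile(text):
    """Return (current_pos, current_status, [Block, ...])."""
    data = [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]
    if not data:
        raise ValueError("empty map file")
    fields = data[0].split()
    current_pos, current_status = int(fields[0], 16), fields[1]
    blocks = []
    for ln in data[1:]:
        pos, size, status = ln.split()[:3]
        if status not in STATUS_NAMES:
            raise ValueError("unknown block status %r" % status)
        blocks.append(Block(int(pos, 16), int(size, 16), status))
    # A map must describe the device contiguously from offset 0.
    expected = 0
    for b in blocks:
        if b.pos != expected:
            raise ValueError("gap or overlap at 0x%08X" % b.pos)
        expected += b.size
    return current_pos, current_status, blocks


def summarize(text):
    """Byte totals per status plus errsize and bad-sector count, matching
    the fields ddrescue prints in its status output."""
    _, _, blocks = parse_mapfile(text)
    totals = Counter()
    for b in blocks:
        totals[b.status] += b.size
    return {
        "rescued": totals["+"],
        "non_tried": totals["?"],
        "non_trimmed": totals["*"],
        "non_scraped": totals["/"],
        "errsize": totals["-"],
        "bad_sectors": totals["-"] // SECTOR,
        "device_size": sum(totals.values()),
    }


def partial_image_matches(text, image_size):
    """True when the leading finished block is exactly as long as the
    partial image on disk (the ls -l check the text performs)."""
    _, _, blocks = parse_mapfile(text)
    return bool(blocks) and blocks[0].status == "+" and blocks[0].size == image_size


# Interrupted first run: first half finished, the rest not yet tried.
MAP_INTERRUPTED = """# Mapfile. Created by GNU ddrescue (constructed sample)
# current_pos  current_status
0x40B10000     ?
#      pos        size  status
0x00000000  0x40B10000  +
0x40B10000  0x3F4EF000  ?
"""

# Finished run on a disk with six unreadable sectors (0xC00 bytes).
MAP_FINISHED = """# Mapfile. Created by GNU ddrescue (constructed sample)
# current_pos  current_status
0x500000000    +
#      pos        size  status
0x00000000   0x00640000  +
0x00640000   0x00000C00  -
0x00640C00  0x4FF9BF400  +
"""

if __name__ == "__main__":
    print(summarize(MAP_INTERRUPTED))
    print(summarize(MAP_FINISHED))
```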
While we were not able to obtain the entire disk in this example, hopefully you
recognize the benefits of the approach we take using ddrescue to get the good data first while
recovering as much as we can before accessing and potentially causing additional damage to
bad areas of the disk.
In order to accomplish imaging across the network, we will need to set up our collection
box to “listen” for data from our subject box. We do this using netcat, the nc command. The
basic setup looks like this (image on the following page):
[Figure: Subject Computer (Linux Boot CD, 192.168.0.2) connected to the Evidence Collection Computer (netcat “listener”, 192.168.0.1)]
Once you have the subject computer booted with a Linux Boot CD (preferably one that
is set up with forensics in mind), you’ll need to ensure the two computers are configured on
the same network, and can communicate.
Right now, the output is showing no IPv4 address and the eth0 interface is down. I can
give it a simple address with the ifconfig command again, this time specifying some simple
settings:
Now the output above shows the interface is “up”, and the address is now
192.168.0.1, and the netmask and broadcast address are also set. For now that’s all for our
collection workstation as far as simple configuration goes.
On our subject workstation, we’ll need to boot it with a suitable boot disk. I carry
several with me, and just about any of them will work as long as they have a robust toolset.
Once you boot the subject system, repeat the steps above to set up a simple network interface,
making sure that the two computers are physically connected via crossover cable, hub, or some
other means. Note the prompt change here to illustrate we are working on the SUBJECT
computer now, and not our collection system:
Now that we have both computers talking, we can begin our imaging. Check the hash
of the subject disk:
This command opens a netcat (nc) listening session (-l) on TCP port 2525 (-p 2525)
and pipes any traffic that comes across that port to the dd command (with only the of= flag),
which writes the file /mnt/evid/net_image.dd.
Once the imaging is complete [15], we will see that the commands at both ends appear to
“hang”. After we receive our completion messages from dd on both boxes (records in /
records out), we can kill the nc listening on our collection box with a simple ctrl c. This
should return our prompts on both sides of the connections. You should then check both the
hash of the physical disk that was imaged on the subject computer and the resulting image on
the collection box to see if they match.
Our hashes match and our network acquisition was successful.
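To make the two halves of this exchange concrete, here is an added example (not code from the guide) that plays both roles on a loopback socket: the subject side stands in for dd piped into nc, the collection side for nc -l piped into dd, and each side keeps its own SHA-1 so the hashes can be compared exactly as described above. The “disk” is a constructed file and the port is chosen by the OS; the guide itself uses port 2525.

```python
"""Added example, not from the guide: both halves of the network
acquisition described above, run on a loopback socket instead of two
machines.  The subject side stands in for `dd if=/dev/sda | nc <collector> 2525`
and the collection side for `nc -l -p 2525 | dd of=/mnt/evid/net_image.dd`;
each side keeps a SHA-1 of the bytes it handled so the hashes can be
compared afterwards.  The "disk" is a constructed file, and the port is
chosen by the OS (the guide uses 2525).
"""
import hashlib
import os
import socket
import tempfile
import threading

BLOCK = 64 * 1024


def collection_listener(listen_sock, image_path):
    """Accept one connection, write everything received to image_path and
    return the SHA-1 of what was written.  The stream ends only when the
    peer closes its side: nc itself has no idea where the disk ends, which
    is why the text has you watch for dd's 'records out' and then ctrl-c."""
    conn, _ = listen_sock.accept()
    digest = hashlib.sha1()
    with conn, open(image_path, "wb") as out:
        while True:
            chunk = conn.recv(BLOCK)
            if not chunk:
                break
            out.write(chunk)
            digest.update(chunk)
    return digest.hexdigest()


def subject_sender(host, port, device_path):
    """Stream device_path to the listener and return the SHA-1 of the bytes
    sent (the hash you would take of the physical disk on the subject)."""
    digest = hashlib.sha1()
    with socket.create_connection((host, port)) as sock, \
            open(device_path, "rb") as dev:
        while True:
            chunk = dev.read(BLOCK)
            if not chunk:
                break
            sock.sendall(chunk)
            digest.update(chunk)
        sock.shutdown(socket.SHUT_WR)  # half-close: tells the listener we are done
    return digest.hexdigest()


def acquire_over_network(device_path, image_path):
    """Run listener and sender together; return (subject_hash, collection_hash)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}
    worker = threading.Thread(
        target=lambda: result.setdefault("collection",
                                         collection_listener(srv, image_path)))
    worker.start()
    subject_hash = subject_sender("127.0.0.1", port, device_path)
    worker.join()
    srv.close()
    return subject_hash, result["collection"]


def demo():
    """Constructed 1 MiB 'disk' (2048 sectors, each filled with its sector
    number modulo 256).  Returns (subject_hash, collection_hash, image_size)."""
    tmp = tempfile.mkdtemp()
    device = os.path.join(tmp, "subject_disk.raw")
    image = os.path.join(tmp, "net_image.dd")
    with open(device, "wb") as f:
        for sector in range(2048):
            f.write(bytes([sector % 256]) * 512)
    subject_hash, collection_hash = acquire_over_network(device, image)
    return subject_hash, collection_hash, os.path.getsize(image)


if __name__ == "__main__":
    s, c, size = demo()
    print("subject   ", s)
    print("collection", c)
    print("match" if s == c else "MISMATCH", size, "bytes")
```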
dc3dd does all its magic on the output side of the acquisition process (unless you are
acquiring from file sets or some other non-standard source). This means we can use plain dd
on our subject computer (using the boot disk) to acquire the disk and stream the contents
across our netcat pipe, and still allow dc3dd on our collection machine to handle hashing,
splitting and logging. Most of dc3dd’s options and parameters work on the output stream. So,
while our listening process on the collection system will use dc3dd commands, the subject
system can use the same dd commands we used before.
On the collection system, let’s set up a listening process that uses dc3dd to split the
incoming data stream into 2GB chunks and logs the output to nc.dc3dd.raw. As soon as we
initiate our command, dc3dd will start and sit waiting for input from the listening port (2525):
[15] PRO TIP: You can watch the progression of the image on your collection system by opening another terminal
and “watching” the size of the file grow. Use watch ls -lh net_img.raw and ctrl-c when it’s complete. watch
will update the command ls -lh every two seconds until you stop it.
The dc3dd output will start immediately, but stay at 0 bytes until it receives input
through the pipe. As soon as you start the imaging process on the subject machine, you’ll see
the dc3dd command on the listening machine start to process the incoming data. Again
notice we are using plain dd on the subject box to simply stream bytes over the pipe. dc3dd
takes over on the collection machine to implement our dc3dd options and logging.
root@forensic1:~# ls -l /mnt/evid/nc.dc3dd.*
-rw-r--r-- 1 root root 0 May 5 23:40 nc.dc3dd.000
-rw-r--r-- 1 root root 2147483648 May 5 23:16 nc.dc3dd.001
-rw-r--r-- 1 root root 2147483648 May 5 23:17 nc.dc3dd.002
-rw-r--r-- 1 root root 2147483648 May 5 23:18 nc.dc3dd.003
-rw-r--r-- 1 root root 2147483648 May 5 23:19 nc.dc3dd.004
-rw-r--r-- 1 root root 2147483648 May 5 23:20 nc.dc3dd.005
-rw-r--r-- 1 root root 935 May 5 23:40 nc.dc3dd.log
input itself, but just accepting the stream through netcat – you need to manually tell it when
the stream is complete. Again, when completed, you should check the resulting hashes against
our original hash of /dev/sda on the subject machine.
Last, but not least, we will cover a tool that will allow us to take a stream of input (with
the same netcat pipe) and create an EWF file from it. ewfacquirestream acts much like
ewfacquire (and is part of the same libewf package we installed previously), but allows for
data to be gathered via standard input. The most obvious use for this is taking data passed by
our netcat pipe.
This command takes the output from netcat (nc) and pipes it to ewfacquirestream.
● the case number is specified with -C
● the evidence description is given with -D
● the examiner is given with -e
● the evidence number with -E
● the encase6 format is specified with -f encase6
● the media type is given with -m
● the media flags are given with -M
● notes are provided with -N
● the target path and file name is specified with -t /path/file.
ewfverify: SUCCESS
In reality, you might want to consider whether you want your data encrypted as it
traverses the network. In our example above, we may have been connected via a crossover
cable (interface to interface) or through a standalone network hub. But what if you are in a
situation where the only means of collection is remote? Or over enterprise network hardware
(switches, etc.)? In that case you would want encryption. For that you could use cryptcat, or
even ssh. Now that you understand the basic mechanics of this technique, you are urged to
explore other tools and methods. There are projects out there like rdd
(https://sourceforge.net/projects/rdd/) and air
(https://sourceforge.net/projects/air-imager/) you might want to explore, for more
than just network imaging.
Compression on the Fly with dd
Another useful capability while imaging is compression. Considering our concern for
forensic application here, we will be sure to manage our compression technique so that we can
verify our hashes without having to decompress and write our images out before checking
them.
For this exercise, we'll use the GNU gzip application. gzip is a command line utility
that allows us some fairly granular control over the compression process. There are other
compression utilities (lzip, xz, etc.), but we’ll concentrate on gzip for the same reasons we
learned dd and vi...almost always available, and a fine starting place to learn the command line
concepts. Most source packages for software are minimally available in a gz compressed format,
but I urge you to explore other compression options on your own.
First, for the sake of familiarity, let's look at the simple use of gzip on a single file and
explore some of the options at our disposal. I have created a directory called testcomp and I've
copied the image file NTFS_Pract_2017.raw into that directory to practice on. This gives me
an uncluttered place to experiment. First, let's double check the hash of the image:
root@forensic1:~# cd testcomp/
root@forensic1:~/testcomp# ls -lh
total 501M
-rw-r--r-- 1 root root 500M May 6 12:10 NTFS_Pract_2017.raw
Now, in its most simple form, we can call gzip and simply provide the name of the file
we want compressed. This will replace the original file with a compressed file that has a .gz
suffix appended.
root@forensic1:~/testcomp# ls -lh
total 61M
-rw-r--r-- 1 root root 61M May 6 12:10 NTFS_Pract_2017.raw.gz
So now we see that we have replaced our original 500M file with a 61M file that has a
.gz extension. To decompress the resulting .gz file:
root@forensic1:~/testcomp# ls -lh
total 500M
-rw-r--r-- 1 root root 500M May 6 12:10 NTFS_Pract_2017.raw
We've decompressed the file and replaced the .gz file with the original image. A check
of the hash shows that all is in order.
root@forensic1:~/testcomp# ls -lh
total 501M
-rw-r--r-- 1 root root 500M May 6 12:10 NTFS_Pract_2017.raw
root@forensic1:~/testcomp# ls -lh
total 561M
-rw-r--r-- 1 root root 500M May 6 12:10 NTFS_Pract_2017.raw
-rw-r--r-- 1 root root 61M May 6 12:32 NewImage.raw.gz
root@forensic1:~/testcomp# ls -lh
total 1.1G
-rw-r--r-- 1 root root 500M May 6 12:10 NTFS_Pract_2017.raw
-rw-r--r-- 1 root root 61M May 6 12:32 NewImage.raw.gz
-rw-r--r-- 1 root root 500M May 6 12:33 NewUncompressed.raw
In the above output, we see that the first directory listing shows the single image file.
We then compress using gzip -c which writes to standard output. We redirect that output to
a new file (name of our choice). The second listing shows that the original file remains, and the
compressed file is created. We then use gzip -cd to decompress the file, redirecting the
output to a new file and this time preserving the compressed file.
If we go back to a single image file in our directory, we can see this in action. Remove
all the files we just created (using the rm command) and leave the single original dd image.
Now we will create a single compressed file from that original image and then check the hash
of the compressed file to ensure its validity:
root@forensic1:~/testcomp# ls -lh
total 501M
-rw-r--r-- 1 root root 500M May 6 12:10 NTFS_Pract_2017.raw
root@forensic1:~/testcomp# ls -lh
total 61M
-rw-r--r-- 1 root root 61M May 6 12:10 NTFS_Pract_2017.raw.gz
root@forensic1:~/testcomp# ls -lh
total 61M
-rw-r--r-- 1 root root 61M May 6 12:10 NTFS_Pract_2017.raw.gz
First we see that we have the correct hash. Then we compress the image with a simple
gzip command that replaces the original file. Now, all we want to do next is check the hash of
our compressed image without having to write out a new image. We do this by using gzip -c
(to standard out) -d (decompress), passing the name of our compressed file but piping the
output to our hash algorithm (in this case sha1sum). The result shows the correct hash of the
output stream, where the output stream is signified by the -.
Okay, so now that we have a basic grasp of using gzip to compress, decompress, and
verify hashes, let's put it to work “on the fly” using dd to create a compressed image. We will
then check the compressed image's hash value against an original hash.
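The same idea in code, as an added example that is not from the guide: the image is hashed while it is being compressed (the equivalent of hashing the dd stream on its way into gzip -c), and the compressed image is then verified by hashing the decompressed stream block by block, the way gzip -cd piped into sha1sum does, without ever writing the decompressed image to disk. The sample image and file names are constructed for the demo.

```python
"""Added example, not from the guide: compress an image on the fly while
hashing the uncompressed stream, then verify the compressed image by
hashing the decompressed stream chunk by chunk without writing it out.
This is the Python equivalent of `dd | gzip -c > img.gz` followed by
`gzip -cd img.gz | sha1sum`; paths are constructed for the demo.
"""
import gzip
import hashlib
import os
import tempfile

BLOCK = 64 * 1024


def compress_image(src_path, gz_path):
    """Read src_path in blocks, gzip it to gz_path, and return the SHA-1
    of the uncompressed input (the 'original hash' the text compares to)."""
    digest = hashlib.sha1()
    with open(src_path, "rb") as src, gzip.open(gz_path, "wb") as dst:
        while True:
            chunk = src.read(BLOCK)
            if not chunk:
                break
            digest.update(chunk)
            dst.write(chunk)
    return digest.hexdigest()


def hash_decompressed(gz_path):
    """SHA-1 of the decompressed stream; nothing is written to disk, and
    memory use stays at one block regardless of image size."""
    digest = hashlib.sha1()
    with gzip.open(gz_path, "rb") as gz:
        while True:
            chunk = gz.read(BLOCK)
            if not chunk:
                break
            digest.update(chunk)
    return digest.hexdigest()


def verify_compressed_image(gz_path, expected_sha1):
    """True if the decompressed stream hashes to expected_sha1.  A truncated
    or corrupt .gz fails verification instead of raising."""
    try:
        return hash_decompressed(gz_path) == expected_sha1
    except (EOFError, OSError):
        return False


def hash_file(path):
    """SHA-1 of a file as stored; used to show that hashing the .gz itself
    is a different value and not the check we want."""
    digest = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def demo():
    """Constructed 2 MiB image of repetitive data (so it compresses well),
    plus a deliberately truncated copy of the .gz to show a failed check."""
    tmp = tempfile.mkdtemp()
    raw = os.path.join(tmp, "NewImage.raw")
    gz = raw + ".gz"
    with open(raw, "wb") as f:
        for sector in range(4096):
            f.write(bytes([sector % 16]) * 512)
    original = compress_image(raw, gz)
    truncated = os.path.join(tmp, "truncated.raw.gz")
    with open(gz, "rb") as src, open(truncated, "wb") as dst:
        dst.write(src.read(os.path.getsize(gz) // 2))
    return {
        "original": original,
        "verified": hash_decompressed(gz),
        "gz_file_hash": hash_file(gz),
        "raw_size": os.path.getsize(raw),
        "gz_size": os.path.getsize(gz),
        "intact_ok": verify_compressed_image(gz, original),
        "truncated_ok": verify_compressed_image(truncated, original),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-13s %s" % (key, value))
```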
Find a small thumb drive or other removable media to image. I’ll be using a small 8GB
USB stick. Clear out the testcomp directory so that we have a clean place to write our image
to (or wherever you have the space to write).
root@forensic1:~/testcomp# ls -lh
total 2.8G
-rw-r--r-- 1 root root 2.8G May 6 13:05 sdi_image.raw
Now let’s go one step further in our on the fly compression demonstration. How about
putting a few of these steps all together? Recall our imaging over the network through netcat.
If you look at the different sizes of our compressed vs. uncompressed images, you’ll see there’s
quite a difference in size (which will, of course, depend on the compress-ability of the data on
the volume being imaged). Do you think it might be faster to compress data before sending
over the network? Let’s find out.
Going back to our simple network setup, let’s do the same imaging, but this time we’ll
pipe to gzip -c on one side of the network and gzip -cd on the other, effectively sending
compressed data across the wire. The resulting image is NOT compressed. We decompress it
before it reaches the imaging tool. You can elect to leave that out if you like and simply write a
compressed image.
We’ll start by hashing the subject hard drive again from our boot disk, assuming the
network settings are all correct, and then opening our netcat listener and dc3dd process on
the collection box:
Open the listening process, redirecting the output to a file. I’m using dc3dd with hof=
to collect input and output hash to compare with the sha1sum above.
Almost four minutes savings by compressing the data before transporting it. Keep in
mind that the usefulness of this is dependent on where your particular bottlenecks are. On a
local network, via crossover cable, and writing to a USB 2.0 drive, compressing across the
network may have little impact. But if you are imaging over an enterprise network, or
remotely, you may see quite a performance gain from compression. Your results may vary, but
be aware of the technique.
One common practice in forensic disk analysis is to sanitize or “wipe” a disk prior to
restoring or copying a forensic image to it. This ensures that any data found on the restored
disk is from the image and not from “residual” data. That is, data left behind from a previous
case or image. In technical terms, residual data should never be an issue unless your operating
system or forensic software is drastically broken. Though there has been some concern over
whether an examiner accidentally physically searches a device rather than an image file on the
device. In legal terms it’s an important step to ensure compliance with best practices that have
been around for a long while.
This starts at the beginning of the drive and writes zeros (the input file) to every sector
on /dev/sdc (the output file) in 32 kilobyte chunks (bs=<block size>). Specifying larger
block sizes can speed the writing process (default is 512 bytes). Experiment with different
block sizes and see what effect it has on the writing speed (i.e. 32k, 64k, etc.). Be careful of
missing partial blocks at the end of the output if your block size is not a proper multiple of the
device size. The error No space left on device indicates that the device has been filled with
zeros. And, of course, be very sure that the target disk is in fact the disk you intend to wipe.
Check and double check.
dc3dd makes the wiping process even easier and provides options to wipe with specific
patterns. In its simplest form, dc3dd can wipe a disk with a simple:
So how do we verify that our command to write zeros to a whole disk was a success?
You could check random sectors with a hex editor, but that’s not realistic for a large drive. One
of the best methods would be to use the xxd command (command line hexdump) with the
“autoskip” option. The output of this command on a zero’d drive would give just three lines.
The first line, starting at offset zero with a row of zeros in the data area, followed by an asterisk
(*) to indicate identical lines, and finally the last line, with the final offset followed by the
remaining zeros in the data area. Here’s an example of the command on a zero’d drive and its
output.
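As an added example (not from the guide), the following scans a device or image in large blocks and reports the first non-zero byte, which is the check the xxd “autoskip” output performs by eye; it also reproduces the three-line first row / asterisk / last row shape of that output. The sample files are constructed temporary files standing in for a wiped device, and the hex dump format is xxd-like rather than byte-for-byte identical.

```python
"""Added example, not from the guide: verify that a device or image has
been zeroed, as the text does with `xxd -a`, without loading the whole
device.  scan_for_nonzero() reads in large blocks and reports the first
byte offset that is not zero; autoskip_dump() reproduces the xxd-style
"first row, '*', last row" output for a clean wipe.  Paths are constructed
temporary files, not real devices.
"""
import os
import tempfile

BLOCK = 1024 * 1024            # 1 MiB reads; the final read may be short
ZERO_BLOCK = bytes(BLOCK)


def scan_for_nonzero(path):
    """Offset of the first non-zero byte, or None if everything is zero.
    A short trailing block (device size not a multiple of BLOCK) is
    compared against a zero buffer of the same length."""
    offset = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(BLOCK)
            if not chunk:
                return None
            if chunk != ZERO_BLOCK[:len(chunk)]:
                for i, b in enumerate(chunk):      # locate the exact byte
                    if b:
                        return offset + i
            offset += len(chunk)


def autoskip_dump(data, width=16):
    """Hex dump with runs of identical rows collapsed to one '*', in the
    spirit of `xxd -a`; the last row is always printed."""
    rows = [data[i:i + width] for i in range(0, len(data), width)]
    lines, prev, skipping = [], None, False
    for idx, row in enumerate(rows):
        last = idx == len(rows) - 1
        if row == prev and not last:
            if not skipping:
                lines.append("*")
                skipping = True
            continue
        skipping = False
        prev = row
        lines.append("%08x: %s" % (idx * width, row.hex()))
    return lines


def make_sample(size, nonzero_at=None):
    """Constructed stand-in for a wiped device: `size` zero bytes, optionally
    with one 0xFF byte left at `nonzero_at` (a sector the wipe missed)."""
    fd, path = tempfile.mkstemp(suffix=".raw")
    with os.fdopen(fd, "wb") as f:
        f.truncate(size)                 # sparse file: reads back as zeros
        if nonzero_at is not None:
            f.seek(nonzero_at)
            f.write(b"\xff")
    return path


if __name__ == "__main__":
    clean = make_sample(3 * BLOCK + 100)
    dirty = make_sample(3 * BLOCK + 100, nonzero_at=2 * BLOCK + 7)
    print("clean:", scan_for_nonzero(clean))     # None
    print("dirty:", scan_for_nonzero(dirty))     # 2097159
    print("\n".join(autoskip_dump(bytes(4096))))  # three lines
```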
Using dc3dd with the hwipe option (hash the wipe), the confirmation would look like
this (and is far quicker than the dd/xxd combination):
Anyone who has worked in the forensic field for any length of time can tell you that
the acquisition process is the foundation of our business. Everything else we do can be cross
verified and validated after the fact. But you often only get one shot at a proper acquisition.
You may have a limited amount of time on site, or one shot at recovering data from a disk
drive. Make sure you understand how the tools work, and what the options actually do.
Validating your approach prior to using it in live field work is essential.
This section has introduced a number of basic tools and a rough technical process.
Requirements and procedures vary from jurisdiction to jurisdiction and across organizations.
Know the requirements of your particular governing body, and adhere to them.
Mounting Evidence
We’ve already discussed the mount command and using it to access file systems on
external devices. Now that we are working with forensic images, we’ll need to access those as
well. There are two ways we do this: through forensic software “physically”; or through
volume mounting “logically”.
When we access the image with forensic software, we are accessing the entire physical
image including unallocated blocks and otherwise inaccessible file system and volume
management artifacts that were successfully recovered and copied by our imaging software (or
hardware). We’ll cover some forensic software in later sections.
The first step in all this is to determine what volumes and file systems are available for
logical mounting within our image. “Structure”, in this case, refers to the partitioning scheme
and identification of volumes and file systems within the image.
Given that our images have been of physical disks, they should all likely have some sort
of partition table in them. We can detect this partition table using fdisk or gdisk. We will
cover more “forensically” oriented software for this later (mmls from the Sleuth Kit), but for
now, fdisk and gdisk should be available on any relatively modern Linux system.
We will cover fdisk first, as it was previously discussed, earlier using the -l option.
We can get the partition information on /dev/sda, for example, with:
So the output of fdisk shows that the partition label is of type GPT. What if we run
the gdisk command on the same disk? Here’s the output:
It is especially important to note that the file system code and name do not necessarily
identify the actual file system on that volume. In our example above, the file system could be
ext2, ext3, ext4, reiserfs, etc.
would suggest you stick to a convention and make it descriptive. Also note that since we
identified an explicit path for the file name, sda.gdisk.txt will be created in /mnt/evid. Had
we not given the path, the file would be created in the current directory (/root, as indicated by
the ~).
Once you have determined the partition layout of the disk, it’s time to see if we can
identify the file system and mount the volumes to review the contents.
Before we jump straight to mounting a volume for analysis or review, you might want
to identify the file system contained in that volume. There are a number of ways to do this.
The mount command is actually very good at identifying file systems when mounting, so giving
a -t <fstype> option is not always needed (and is often not used). But it is still good practice
to check and record the file system prior to mounting, assuming you will be doing a manual
review of the logical volume contents.
For a simple file system example, download the following file, and check the hash [16]:
We can mount the file system(s) within the image using the loop interface. Basically,
this allows you to “mount” a file system within an image file (instead of a disk) to a mount
point and browse the contents. In simple terms, the loop device acts as a “proxy disk” to serve
up the file system as if it were on actual media.
For a simple file system image (where there are not multiple partitions in the image),
we can use the same mount command and the same options as any other file system on a
device, but this time we include the option loop to indicate that we want to use the loop
device to mount the file system within the image file. Change to the directory where you placed
the fat_fs.raw, and type the following (skip the mkdir command if you already created this
directory in our earlier section on mounting external file systems):
root@forensic1:~# ls /mnt/analysis/
So what happens with that loop option? When you pass the loop option in the mount
command, you are actually calling a shortcut to creating loop devices with a special command,
losetup. It is important that we understand the background here.
losetup
Creating loop devices is an important skill. Rather than letting the mount command
take charge of that process, let’s have a look at what is actually going on.
root@forensic1:~# ls /dev/loop*
/dev/loop-control /dev/loop1 /dev/loop3 /dev/loop5 /dev/loop7
/dev/loop0 /dev/loop2 /dev/loop4 /dev/loop6
These are devices that can be utilized to associate files with a device. The /dev/loop-
control device is an interface to allow applications to associate loop devices. The command
we use to manage our loop devices is losetup. Invoked by itself, losetup will list associated
loop devices (it will return nothing if no loop devices are in use). In simplest form, you simply
call losetup with the device name (/dev/loopX) and the file you wish to associate it with:
root@forensic1:~# losetup -l
NAME SIZELIMIT OFFSET AUTOCLEAR RO BACK-FILE
/dev/loop0 0 0 0 0 /root/fat_fs.dd
root@forensic1:~# ls /mnt/analysis/
ARP.EXE* Docs/ FTP.EXE* Pics/ loveletter.virus* ouchy.dat* snoof.gz*
root@forensic1:~# losetup
NAME SIZELIMIT OFFSET AUTOCLEAR RO BACK-FILE
/dev/loop0 0 0 0 0 /root/fat_fs.raw
root@forensic1:~# losetup
root@forensic1:~#
The example used in the previous exercise utilizes a simple stand alone file system.
What happens when you are dealing with boot sectors and multi partition disk images? When
you create a raw image of media with dd or similar commands you usually end up with a
number of components to the image. These components can include a boot sector, partition
table, and the various partitions.
If you attempt to mount a full disk image with a loop device, you find that the mount
command is unable to identify the file system. This is because mount does not know how to
“recognize” the partition table. Remember, the mount command handles file systems, not disks
(or disk images). The easy way around this (although it is not very efficient for large disks)
would be to create separate images for each disk partition that you want to analyze. For a
simple hard drive with a single large partition, you could create two images.
The first command gets you a full image of the entire disk (sda) for backup purposes,
including the boot sector and partition table. The second command gets you the first partition
(sda1). The resulting image from the second command can be mounted via the loop device,
just as with our fat_fs.raw, because it is a simple file system.
Note that although both of the above images will contain the same file system with the
same data, the hashes will obviously not match. Making separate images for each partition is
very inefficient if it is only being done
look at the offset to a partition, normally given in sectors (using the fdisk command), and
multiply by 512 (the sector size). This gives us the byte offset from the start of our image to the
first partition we want to mount. This is then passed to the mount command as an option,
which essentially triggers the use of an available loop device to mount the specified file system.
We can illustrate this by looking at the raw image of the file we exported with ewfexport in
our earlier acquisitions exercise, the NTFS_Pract_2017.raw file. Go ahead and navigate to
where you have the file saved.
root@forensic1:~#ls /mnt/tmp
ProxyLog1.log* System\ Volume\ Information/ Users/ Windows/
So here we have a full disk image. We run fdisk on the image (an image file is no
different than a device file) and find that the offset to the partition is 2048 bytes (in red for
emphasis). We use arithmetic expansion to calculate the byte offset (2048*512=1048576) and
pass that as the offset in our mount command. This effectively “jumps over” the boot sector
and goes straight to the “boot sector” of the first partition, allowing the mount command to
work properly. We will explore this in further detail later.
Note that you can do the calculations for the offset using arithmetic expansion directly
in the mount command if you choose:
Let’s look again at what is going on in the background here with the loop device.
We’ll run through the same mount exercise, but this time using losetup.
Now let’s recreate the mount command using a loop device rather than an offset passed
to mount. In this case we’ll use arithmetic expansion directly in the commands:
root@forensic1:~# losetup -l
NAME SIZELIMIT OFFSET AUTOCLEAR RO BACK-FILE
/dev/loop0 523239424 1048576 0 0
root@forensic1:~# ls /mnt/tmp
ProxyLog1.log* System\ Volume\ Information/ Users/ Windows/
[17] Note the slashes in the output of ls. The backslash (\) is an escape character to allow the spaces within
the directory name System Volume Information/, and the trailing forward slash identifies a directory.
So, there are three directories in the output
image, you could repeat the steps above for each partition you wanted to mount, or you could
use a tool set up to do exactly that. Note that for single partition images like we have here, the
--sizelimit option is actually not required.
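The offset arithmetic above (start sector times 512) and the --sizelimit value shown in the losetup output can both be read straight out of the partition table in sector 0 of the image. The following is an added example, not from the guide: it parses a classic MBR (a GPT disk is flagged by its 0xEE protective entry and needs gdisk or mmls instead) and builds the losetup arguments for each partition. The sector-0 bytes are constructed, with a single partition at sector 2048 that is 523239424 bytes long so the numbers match the losetup output in the text.

```python
"""Added example, not from the guide: read the MBR partition table from
sector 0 of a raw disk image and compute, for each partition, the byte
offset (start sector * 512) and size limit that the text derives by hand
and passes to mount -o offset= or losetup -o/--sizelimit.  The sector-0
bytes used for the demo are constructed.
"""
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446
ENTRY_LEN = 16
GPT_PROTECTIVE = 0xEE


def read_sector0(image_path):
    """First 512 bytes of an image file (an image is read like a device)."""
    with open(image_path, "rb") as f:
        return f.read(SECTOR)


def mbr_partitions(sector0):
    """Parse the four primary entries of a classic MBR.

    Returns a list of dicts with the partition number, type byte, start
    sector, sector count and the byte offset / sizelimit for losetup.
    Empty entries (type 0) are skipped.  A 0xEE entry is a protective MBR:
    the real layout lives in the GPT and needs gdisk or mmls instead.
    """
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xAA":
        raise ValueError("no MBR boot signature in sector 0")
    parts = []
    for n in range(4):
        base = MBR_TABLE_OFFSET + n * ENTRY_LEN
        entry = sector0[base:base + ENTRY_LEN]
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue
        parts.append({
            "number": n + 1,
            "type": ptype,
            "bootable": status == 0x80,
            "gpt_protective": ptype == GPT_PROTECTIVE,
            "start_sector": lba,
            "sectors": count,
            "offset": lba * SECTOR,        # -o offset for mount / losetup
            "sizelimit": count * SECTOR,   # --sizelimit for losetup
        })
    return parts


def losetup_command(part, image_path):
    """Argument list for a read-only loop device covering one partition,
    using losetup's -r, -o, --sizelimit, -f and --show options."""
    return ["losetup", "-r", "-o", str(part["offset"]),
            "--sizelimit", str(part["sizelimit"]), "-f", "--show", image_path]


def build_sector0(entries):
    """Constructed MBR for the demo; entries are (type, start_lba, count)."""
    sector = bytearray(SECTOR)
    for n, (ptype, lba, count) in enumerate(entries):
        base = MBR_TABLE_OFFSET + n * ENTRY_LEN
        sector[base:base + ENTRY_LEN] = struct.pack(
            "<B3sB3sII", 0x00, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


# One NTFS (0x07) partition at LBA 2048, 523239424 bytes long, as in the text.
SAMPLE_SECTOR0 = build_sector0([(0x07, 2048, 523239424 // SECTOR)])

if __name__ == "__main__":
    for part in mbr_partitions(SAMPLE_SECTOR0):
        print("partition %d type 0x%02X offset %d sizelimit %d" % (
            part["number"], part["type"], part["offset"], part["sizelimit"]))
        print(" ".join(losetup_command(part, "NTFS_Pract_2017.raw")))
```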
Up to this point we’ve mounted a simple file system image with the mount command,
we’ve mounted a file system from a full disk image with a single partition, and we’ve learned
about the loop device and how to specify its association with a specific partition.
Let’s look now at a disk image that has multiple partitions. Our previous method of
identifying each partition by offset and size, and passing those parameters to the losetup
command would work fine to mount multiple file systems within a disk image (using different
loop devices for each partition), but wouldn't it be nice if we had a tool that could do all of that
for us? kpartx is that tool.
In simpl t rms, kpartx maps partitions within an imag to s parat loop d vic s that
can th n b mount d th sam as any oth r volum (assuming a mountabl fiel syst m). It is
part of th mulitpath-tools packag for Slackwar , and can b install d via sbotools or
through th SlackBuild availabl at SlackBuilds.org.
Onc th multipath-tools packag is install d, you can hav a look through th man
pag for kpartx with man kpartx. Usag is v ry simpl . The r is a v ry simpl multi partition
imag you can download and us to d monstrat usag . The fiel syst ms r main d mpty for
maximum compr ss-ability. Download th fiel with wget and ch ck th hash to nsur it
match s th on b low:
157
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform
D compr ss th gzip’d fiel with gzip -d and ch ck th hash of th r sulting raw imag
fiel :
root@forensic1:~# kpartx
usage : kpartx [-a|-d|-l] [-f] [-v] wholedisk
-a add partition devmappings
-r devmappings will be readonly
-d del partition devmappings
-u update partition devmappings
-l list partitions devmappings that would be added by -a
-p set device name-partition number delimiter
-g force GUID partition table (GPT)
-f force devmap create
-v verbose
-s sync mode. Don't return until the partitions are created
The first command below will list the partitions as they will appear (-l). After that we add the mappings in the second command with (-a) and create them with the read only option as well (-r):
Once we execute the command above, our mappings are created and we can now access each partition through the /dev/mapper/loop0pX device, where X is the number of the partition.
root@forensic1:~# ls -l /dev/mapper
total 0
crw------- 1 root root 10, 236 May 13 2017 control
lrwxrwxrwx 1 root root 7 May 13 12:58 loop0p1 -> ../dm-0
lrwxrwxrwx 1 root root 7 May 13 12:58 loop0p2 -> ../dm-1
lrwxrwxrwx 1 root root 7 May 13 12:58 loop0p3 -> ../dm-2
We can now mount and browse these mapped volumes as we would any other:
root@forensic1:~# ls /mnt/tmp
lost+found/
root@forensic1:~# mount
...
/dev/mapper/loop0p1 on /mnt/tmp type ext4 (ro)
Footnote 18: Remember the ../ notation indicates the dm-* nodes are in the current directory’s parent directory.
Once you are finished and the file system is unmounted with the umount command as shown above, you can delete the mappings with kpartx -d:
The Advanced Forensic Format (AFF) is an open format for forensic imaging, and the afflib package provides a number of utilities to create and manipulate images in the AFF format. We won’t cover those tools, or the AFF format in this document (at least not in this version), so all we are interested in right now is the affuse program.
affuse provides virtual access to a number of image formats, split files among them. It does this through the File System in User Space software interface. Commonly referred to as “fuse file systems”, fuse utilities allow us to create application level file system access mechanisms that can bridge to the kernel and the normal file system drivers.
The afflib package is available as a SlackBuild for Slackware, and can be simply installed with sboinstall:
The following exercise assumes that the split image you are working with is in raw format when reassembled (or what some refer to as “dd format”). A file that we will use for a number of exercises later on is in split format and can be downloaded so you can follow along here. Again, use wget and check your hash against the one below:
First, change to the able_3 directory with cd. Note our command prompt changed to reflect our working directory. We now have 4 image files (.000-.003) and a log file. The input section of the log file shows that this image is a 4G image taken with dc3dd and split into 4 parts.
root@forensic1:~# cd able_3
2eddbfe3d00cc7376172ec320df88f61afda3502 (sha1)
4ef834ce95ec545722370ace5a5738865d45df9e, sectors 0 - 2097151
ca848143cca181b112b82c3d20acde6bdaf37506, sectors 2097152 - 4194303
3d63f2724304205b6f7fe5cadcbc39c05f18cf30, sectors 4194304 - 6291455
9e8607df22e24750df7d35549d205c3bd69adfe3, sectors 6291456 - 8388607
...
Remember that the cat command simply streams the files one after the other and sends them through standard out. The sha1sum command takes the data from the pipe and hashes it. As we mentioned earlier, the – in the hash output indicates standard input was hashed, not a file. The hashes match and our image is good.
The problem with this approach is that it takes up twice the space as we are essentially duplicating the entire acquired disk, but in a single image rather than split. Not very efficient for resource management.
We need a way to take the split images and create a virtual “whole disk” that we can mount using techniques we’ve learned already. We’ll use affuse and the fuse file system it provides. All we need to do is call affuse with the name of the first segment of our split image and provide a mount point where we can access the virtual disk image:
root@forensic1:~/able3# ls -l /dev/mapper/loop0p*
lrwxrwxrwx 1 root root 7 May 27 11:34 /dev/mapper/loop0p1 -> ../dm-0
lrwxrwxrwx 1 root root 7 May 27 11:34 /dev/mapper/loop0p2 -> ../dm-1
lrwxrwxrwx 1 root root 7 May 27 11:34 /dev/mapper/loop0p3 -> ../dm-2
Just as we are bound to come across split images we want to browse, we are also likely to come across Expert Witness (E01 or EWF) files that we want to peek into without having to restore them and take up much more space than we need to.
We’ve already installed libewf as part of our acquisition lessons earlier. If you have not done so already, you can install libewf with sboinstall on Slackware or using whichever method your distribution of choice allows. For this section we are interested in the ewfmount utility that comes with libewf.
Like affuse, ewfmount provides a fuse file system. It is called in the same way, and results in the same virtual raw disk image that can be parsed for partitions and loop mounted for browsing. If you read the prior section on affuse, this will all be very familiar. We will use the EWF version of the NTFS_Pract_2017.E0* files we used in our earlier exercises.
Read: 500 MiB (524288000 bytes) in 1 second(s) with 500 MiB/s (524288000
bytes/second).
ewfverify: SUCCESS
Make note of the MD5 hash from our ewfverify output.
root@forensic1:~/NTFS_Pract_2017# ls /mnt/ewf
ewf1
Our virtual disk image is ewf1. Let’s hash that and compare it to our ewfverify output above. As you can see, we get a match:
And now once again we are ready to parse and mount our disk image using the techniques we’ve already learned.
/dev/dm-0: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ",
sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden
sectors 2048, dos < 4.0 BootSector (0x0), FAT (1Y bit by descriptor); NTFS,
sectors/track 63, physical drive 0x80, sectors 1021951, $MFT start cluster 42581,
$MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block
1, serial number 0cae0dfd2e0dfc2bd
root@forensic1:~/NTFS_Pract_2017# ls /mnt/analysis/
ProxyLog1.log* System\ Volume\ Information/ Users/ Windows/
And that covers our section on mounting evidence. As with everything in this guide, we’ve left a lot of detail out. Experiment and read the man pages. Make sure you know what you are doing when dealing with real evidence. Mounting and browsing images should always be done on working copies when possible.
Part of our approach to understanding and deploying Linux as a computer forensic platform is making the entire process “stand alone”. You should be able to conduct an exam – from analysis through reporting – within the Linux (and preferably command line) environment. One of those steps we should consider taking in almost all examinations we are tasked with is to scan our acquired data with some sort of anti-virus tool.
Footnote 19: There are a number of useful options when mounting with ntfs-3g, like show_sys_files or streams_interface=windows. We don’t cover them here, but you might want to look at man mount.ntfs-3g for more information.
There are other considerations that warrant a virus/malware scan, and it can very specifically depend on the type of case you are investigating. Simply making it part of some check list routine for analysis is fine, but you must still have an understanding of why the scan is done, and how it applies to the current case. For example, if the media being examined is the victim of compromise, then a virus scan can provide a starting point for additional analysis. The starting point can be as simple as identifying a vector, and utilizing file dates and times to drive additional analysis. Alternatively, we may find ourselves examining the computer in a child exploitation case. Negative results, while presumptive, can still help to combat the previously discussed Trojan Horse Defense. The bottom line is that a simple virus scan should always be included as standard practice. And while there are plenty of tools out there compatible with Linux, we will focus on ClamAV.
ClamAV has far more uses and configuration options that we will not cover here. It can be used to scan “on use” volumes, mail servers, and has options and uses for “safe browsing”. There are tools installed with the ClamAV package that allow for bytecode review, submission of samples, and to assist with daemon mode configuration. We will be using it to scan acquired evidence. This assumes we will update it as needed and run it on targeted image files, volumes or mount points. With our simplified use case, we will concentrate our use on two specific clamav tools: freshclam and clamscan.
root@forensic1:~# freshclam
ClamAV update process started at Wed May 31 12:53:56 2017
WARNING: [LibClamAV] cl_cvdhead: Can't read CVD header in main.cvd
Downloading main.cvd [100%]
Footnote 20: http://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=1370&context=chtlj
main.cvd updated (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
WARNING: [LibClamAV] cl_cvdhead: Can't read CVD header in daily.cvd
Downloading daily.cvd [100%]
daily.cvd updated (version: 23434, sigs: 2081298, f-level: 63, builder: neo)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 301, sigs: 58, f-level: 63, builder: anvilleg)
Database updated (6300146 signatures) from db.us.clamav.net (IP: 69.163.100.14)
WARNING: Clamd was NOT notified: Can't connect to clamd through
/var/run/clamav/clamd.socket: No such file or directory
We are now ready to run clamscan on our target. ClamAV supports direct scanning of files, and can recurse through many different file types and archives, including zip files, PDF files, mount points and forensic image files (gpt and mbr partition types). The most reliable way of running clamscan is to run it on a mounted file system.
There are options within clamscan to copy or move infected files to alternative directories. Normally we do not do this with infected files or malware during a forensic examination, preferring to examine the files in place, or extract them with forensic tools. Check man clamscan for additional details if you are interested. The output of clamscan can be logged with the --log=logfile option, useful for keeping complete examination notes.
We will try out clamscan on our NTFS EWF files we downloaded previously. Change into the directory the files are located in, use ewfmount to mount the images, and then loop mount the NTFS partition. If you do not already have the destination mount points in /mnt created, then use mkdir to create them now. We will scan the NTFS partition.
root@forensic1:~# cd NTFS_Pract_2017
-------------------------------------------------------------------------------
When you are finished, unmount the NTFS file system and the fuse mounted image.
Linux comes with a number of simple utilities that make imaging and basic review of suspect disks and drives comparatively easy. We’ve already covered dd, fdisk, limited grep commands, hashing and file identification with the file command. We’ll continue to use those tools, and also cover some additional utilities in some hands on exercises.
Having already said that this is just an introduction, most of the work you will do here can be applied to actual case work. The tools are standard GNU/Linux tools, and although the example shown here is very simple, it can be extended with some practice and a little (ok, a lot) of reading. The practice file system we’ll use here is a simple old raw image of a FAT file system produced by the dd command. We used this image in some previous exercises. If you have not already, download it now. You can do this as a normal user with wget:
directory on any media or volume you like. For the sake of simplicity here, we’ll use our home directory. We’ll go ahead and do this as a regular user, so we can get used to running commands needed for root access. It’s never a good idea to do all your work logged in as root. Here’s our command to create an output directory for analysis results. We are executing the command in the directory where we placed our image file above. Note the ./ in front of the directory name we are creating indicates “in the current directory”:
barry@forensic1:~$ ls
analysis/ fat_fs.raw*
Directing all of our analysis output to this directory will keep our output files separated from everything else and maintain case organization. You may wish to have a separate drive mounted as /mnt/analysis to hold your analysis output. How you organize it is up to you.
An additional step you might want to take is to create a special mount point for all subject file system analysis. This is another way of separating common system use from evidence processing. To create a mount point in the /mnt directory you will need to be temporarily logged in as root. In this case we’ll log in as root, create a mount point, and then mount the fat_fs.raw image for further examination. Recall our discussion on the “super user” (root). We use the command su to become root:
barry@forensic1:~$ su -
Password:
Still using our root login, we’ll go ahead and mount the fat_fs.raw image on /mnt/evid:
root@forensic1:~# losetup
NAME SIZELIMIT OFFSET AUTOCLEAR RO BACK-FILE
/dev/loop0 0 0 1 0 /home/barry/fat_fs.raw
The first command above is our mount command with the file system type set to vfat (-t vfat) and the options (-o) read only (ro) and using the loop device (loop). The file system we are mounting, fat_fs.raw, is located in /home/barry (~barry) and we are mounting it on /mnt/evid. For illustration, I use the losetup command to show the loop association. There are other useful mount options as well, such as noatime and noexec. See man mount for more details.
root@forensic1:~# exit
barry@forensic1:~$
You can now view the contents of the read-only mounted or restored disk or loop-mounted image. You can use a file browser to look through the disk. In most (if not all) cases, you will find the command line more useful and powerful in order to allow file redirection and a permanent record of your analysis. We will use the command line here. Navigate through the directories and see what you can find. Use the ls command. Again, you should be in the directory /mnt/evid, where the image is mounted. The command in the following form might be useful:
barry@forensic1:/mnt/evid$ ls -l
total 107
-rwxr-xr-x 1 root root 19536 Aug 24 1996 ARP.EXE*
drwxr-xr-x 3 root root 512 Sep 23 2000 Docs/
-rwxr-xr-x 1 root root 37520 Aug 24 1996 FTP.EXE*
drwxr-xr-x 2 root root 512 Sep 23 2000 Pics/
-r-xr-xr-x 1 root root 16161 Sep 21 2000 loveletter.virus*
-rwxr-xr-x 1 root root 21271 Mar 19 2000 ouchy.dat*
-rwxr-xr-x 1 root root 12384 Aug 2 2000 snoof.gz*
This will list the files in long format to identify permission, date, etc. (-l). You can also use the -R option to list recursively through directories. You might want to pipe that through less.
./Docs:
total 57
-rwxr-xr-x 1 root root 17920 Sep 21 2000 Benchmarks.xls*
-rwxr-xr-x 1 root root 2061 Sep 21 2000 Computer_Build.xml*
-rwxr-xr-x 1 root root 32768 Sep 21 2000 Law.doc*
drwxr-xr-x 2 root root 512 Sep 23 2000 Private/
-rwxr-xr-x 1 root root 3928 Sep 21 2000 whyhack*
./Docs/Private:
total 0
./Pics:
total 1130
Note that we are looking at files on a FAT partition using Linux tools. Things like permissions can be a little misleading because of translations that may take place, depending on the file system, and omitted information. This is where some of our more advanced forensic tools come in later.
One important step in any analysis is verifying the integrity of your data both before and after the analysis is complete. We’ve already covered integrity checks on disks and images. The same command works on individual files. You can get a hash (CRC, MD5, or SHA) of each file in a number of different ways. In this example, we will use the SHA1 hash. We can get an SHA1 sum of an individual file by changing to our evidence directory (/mnt/evid) and running the following command on one of the files. These commands can be replaced with md5sum if you prefer to use the MD5 hash algorithm.
The redirection in the second command, using the >, allows us to store the signature in the file ~/analysis/ARP.sha1.txt and use it later on. Having hashes of individual files can serve a number of purposes, including matching the hashes against lists of known bad files (contraband files or malware, for example), or for eliminating known good files from an examination. Doing this for each file on a disk would be tedious at best.
We can get a hash of every file on the disk using the find command and an option that allows us to execute a command on each file found. We can get a very useful list of SHA hashes for every file in our mount point by using find to identify all the regular files on the file system and run a hash on all those files:
This command says “find, starting in the current directory (signified by the “.”), any regular file (-type f) and execute (-exec) the command sha1sum on all files found ({})”. Redirect the output to sha.filelist.txt in the ~/analysis directory (where we are storing all of our evidence files). The “\;” is an escape sequence that ends the -exec command. The result is a list of files from our analysis mount point and their SHA hashes. Again, you can substitute the md5sum command if you prefer.
You can also use Linux to do your verification (or hash matching) for you. To verify hashes using a hash list created with one of our hashing programs (sha1sum, md5sum, etc.), you can use the -c option. If the files match those in the hash list, the command will return OK. Making sure you are in a directory where the relative paths provided in the list will target the correct files, use the following command:
./loveletter.virus: OK
./ouchy.dat: OK
./snoof.gz: OK
Again, the SHA hashes in the file will be compared with SHA sums taken from the mount point. If anything has changed, the program will give a FAILED message. If there are failed hashes, you will get a message summarizing the number of failures at the bottom of the output. This is the fastest way to verify hashes. Note that the file names start with ./. This indicates a relative path, meaning that we must be in the same relative directory when we check the hashes, since that's where the command will look for the files.
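As an added example (not from the guide), the following script builds the hash list the way described above (find -type f -exec sha1sum {} \;), verifies it with sha1sum -c, and counts the FAILED entries so the result can drive a script; it shows a modified file and a deleted file being caught, and what happens when the check is run from the wrong directory. The evidence tree is constructed in a temporary directory as a stand-in for /mnt/evid, and the list is kept outside the tree as the guide does with ~/analysis.

```shell
#!/bin/sh
# Added example (not from the guide): hash every regular file under an
# evidence mount point with find -exec sha1sum, then verify the list with
# sha1sum -c and count the files that no longer match.
set -u

# Build the hash list from inside the tree so every path is relative (./...).
# $1 = evidence root (the guide uses /mnt/evid), $2 = absolute path of the
# list to write (kept outside the tree, like ~/analysis/sha.filelist.txt).
make_hashlist() {
    ( cd "$1" && find . -type f -exec sha1sum {} \; ) > "$2"
}

# Number of FAILED entries when the list is checked from directory $1.
# sha1sum -c prints "<path>: FAILED" for a changed file and
# "<path>: FAILED open or read" for a missing one; both are counted.
# Run it from the directory the list was made in, or every relative path
# misses and every entry fails.
count_failed() {
    ( cd "$1" && sha1sum -c --quiet "$2" 2>/dev/null ) | grep -c ': FAILED' || true
}

# Constructed stand-in for the mounted fat_fs.raw image (three small files).
make_sample_tree() {
    mkdir -p "$1/Docs/Private" "$1/Pics"
    printf 'usage: arp -a\n' > "$1/ARP.EXE"
    printf 'why hack?\n'     > "$1/Docs/whyhack"
    printf 'GIF89a'          > "$1/Pics/Stoppie.gif"
}

root=$(mktemp -d); list=$(mktemp)
make_sample_tree "$root"
make_hashlist "$root" "$list"
echo "failed right after hashing:  $(count_failed "$root" "$list")"       # 0
printf 'tampered\n' >> "$root/Docs/whyhack"
rm "$root/Pics/Stoppie.gif"
echo "failed after tampering:      $(count_failed "$root" "$list")"       # 2
echo "failed from wrong directory: $(count_failed "$root/Docs" "$list")"  # 3
rm -rf "$root" "$list"
```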
File Listing
You could also get a list of the files, one per line, using the find command (with -type f) and redirecting the output to another list file:
There is also the tree command, which prints a recursive listing that is more visual. It indents the entries by directory depth and colorizes the file names (if the terminal is correctly set).
barry@forensic1:/mnt/evid$ tree
.
├── ARP.EXE
├── Docs
│ ├── Benchmarks.xls
│ ├── Computer_Build.xml
│ ├── Law.doc
│ ├── Private
│ └── whyhack
├── FTP.EXE
├── Pics
│ ├── C800x600.jpg
│ ├── Stoppie.gif
│ ├── bike2.jpg
│ ├── bike3.jpg
│ ├── matrixs3.jpg
│ └── mulewheelie.gif
├── loveletter.virus
├── ouchy.dat
└── snoof.gz
3 directories, 15 files
Have a look at the above commands, and compare their output. Which do you like better? Remember the syntax assumes you are issuing the command from the /mnt/evid directory (look at your prompt, or use pwd if you don’t know where you are). The find command is especially powerful for searching for files of a specific date or size (or upper and lower limits).
This command looks for the pattern .jpg in the list of files, using the file name extension to alert us to a JPEG file. The -i makes the grep command case insensitive. Once you get a better handle on grep, you can make your searches far more targeted. For example, specifying strings at the beginning or end of a line (like file extensions) using ^ or $. The grep man page has a whole section on these regular expression terms.
What if you are looking for JPEGs but the name of the file has been changed, or the extension is wrong? You can also run the command file on each file and see what it might contain. As we saw in earlier sections when looking at file systems, the file command compares each file’s header (the first few bytes of a raw file) with the contents of the “magic” file. It then outputs a description of the file.
This creates a text file with the output of the file command for each file that the find command returns. The text file is in ~/analysis/filetype.txt. View the resulting list with the cat command (or less). I separated the file entries below for readability:
./Docs/whyhack: ASCII text, with very long lines, with CRLF, LF line terminators
...
If you are looking for images in particular, then use grep to specify that. The following command would look for the string “image” using the grep command on the file /root/evid/filetype.list
./Pics/matrixs3.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density
1x1, segment length 16, baseline, precision 8, 483x354, frames 3
./ouchy.dat: JPEG image data, JFIF standard 1.02, resolution (DPI), density 74x74,
segment length 16
Note that the file ouchy.dat does not have the proper extension, but it is still identified as a JPEG image. Also note that some of the images above do not show up in our grep list because their descriptions do not contain the word “image”. There are two Windows Bitmap images that have .jpg extensions that do not end up in the grep list. Be aware of this when using the file command.
Viewing Files
For text files, you might want to use cat, more or less to view the contents.
cat filename
more filename
less filename
Be aware that if the output is not standard text, then you might corrupt the terminal output (type reset or stty sane at the prompt and it should clear up). Using the file command will give you a good idea of which files will be view-able and what program might best be used to view the contents of a file. For example, Microsoft Office documents can be opened under Linux using programs like OpenOffice, catdoc or catdocx.
Perhaps a better alternative for viewing unknown files would be to use the strings command. This command can be used to parse regular ASCII text out of any file. It’s good for formatted documents, data files (Excel, etc.) and even binaries (unidentified executable files, for example), which might have interesting text strings hidden in them. It might be best to pipe the output through less.
Have a look at the mounted image on /mnt/evid. There is a file called ARP.EXE. What does this file do? We can’t execute it, and from using the file command we know that it’s a DOS/Windows executable. Run the following command (again, assuming you are in the /mnt/evid directory) and scroll through the output. Do you find anything of interest (hint: like a usage message)?
Viewing images (picture files) from your evidence mount point can be done on the command line with the xv command (assuming you are in an X window session). xv is installed by default in most modern Linux distributions. Have a look at the ouchy.dat file in the root of your /mnt/evid mount point. We can see it is a picture file, even though the extension is wrong, by using the file command. Without leaving the command line, we can view the file using xv:
barry@forensic1:/mnt/evid$ xv ouchy.dat
Close the image with your mouse, or use the ctrl-c key combo from the command line to kill the program.
One neat trick you can do if you have a handful of picture files in a directory you want to view without having to use a separate command for each is to use a bash loop. Scripting and bash programming are outside the scope of this document (for now), but this is a very simple loop that illustrates some more powerful command line usage. This can be done all on one line, but separating the individual commands with the <enter> key makes it a bit more readable.
First, let’s cd into the Pics/ directory under /mnt/evid, do a quick ls and see that we have a small directory with a few picture files (you can check this with file *). We then type our loop:
barry@forensic1:/mnt/evid$ cd Pics
barry@forensic1:/mnt/evid/Pics$ ls
C800x600.jpg* bike2.jpg* matrixs3.jpg*
Stoppie.gif* bike3.jpg* mulewheelie.gif*
The first line of the bash loop above means “for every file in the current directory (./*), assign each file the variable name pic as we move through the loop”. The second line is simply the bash keyword do. The third line executes xv on the value of the pic variable ($pic) at each iteration of the loop, followed by the bash keyword done to close the loop. As you run the loop, each image will display, and the loop will pause until you close xv. When you close xv the loop continues until all the values of $pic are exhausted (all the files in the directory) and the loop exits. Learn to do this and I promise you will find it useful almost daily.
If you are currently running the X window system, you can use any of the graphics tools that come standard with whichever Linux distribution you are using. geeqie is one graphics tool for the XFCE desktop that will display graphic files in a directory. Experiment a little. Other tools, such as gthumb for Gnome and Konqueror from the KDE desktop have a feature that will create a very nice html image gallery for you from all images in a directory.
Once you are finished exploring, be sure to unmount the loop mounted disk image. Again, make sure you are not anywhere in the mount point (using that directory in another terminal session) when you try to unmount, or you will get the “busy” error. The following commands will take you back to your home directory (cd without arguments takes you to your home directory automagically). We su to root, and unmount the loop mounted file system.
barry@forensic1:/mnt/evid/Pics$ cd
barry@forensic1:~$ su -
Password:
root@forensic1:~$ exit
barry@forensic1:~$
Now let’s go back to the original image. The loop mounted disk image allowed you to check all the files and directories using a logical view of the file system. What about unallocated and slack space (physical view)? We will now analyze the image itself, since it was a bit for bit copy and includes data in the unallocated areas of the disk. We’ll do this using rudimentary Linux tools.
Let’s assume that we have seized this image from media used by a former employee of a large corporation. The would-be cracker sent a letter to the corporation threatening to unleash a virus in their network. The suspect denies sending the letter. This is a simple matter of finding the text from a deleted file (unallocated space).
First, change back to the directory where you saved the image file fat_fs.raw. In this case, the file is in my home directory (which you can see is my present working directory by both the ~ in the prompt, and the output of the pwd command).
barry@forensic1:~$ pwd
/home/barry
barry@forensic1:~$ ls
Desktop/ Downloads/ analysis/ fat_fs.raw*
The first thing we will do is create a list of keywords to search for. It’s rare we ever want to search evidence for a single keyword, after all. For our example, let’s use “ransom”, “$50,000” (the ransom amount), and “unleash a virus”. These are some keywords and a phrase that we have decided to use from the original letter received by the corporation. Make the list of keywords (using vi) and save it as ~/analysis/searchlist.txt. Ensure that each string you want to search for is on a different line.
$50,000
ransom
unleash a virus
Make sure there are NO BLANK LINES IN THE LIST OR AT THE END OF THE LIST!!
Now we run the grep command on our image:
Once you run the command above, you should have a new file in your analysis directory called hits.txt. View this file with less or any text viewer. Keep in mind that strings might be best for the job. Again, if you use less, you run the risk of corrupting your terminal if there are non-ASCII characters. We will simply use cat to stream the entire contents of the file to the standard output. The file hits.txt should give you a list of lines that contain the words in your searchlist.txt file. In front of each line is a number that represents the byte offset for that “hit” in the image file. For illustration purposes, the search terms are underlined, and the byte offsets are bold in the output below:
In keeping with our command line philosophy, we will use xxd to display the data found at each byte offset. xxd is a command line hex dump tool, useful for examining files. Do this for each offset in the list of hits. The -s option to xxd is so we can “seek” into the file the specified number of bytes. This should yield some interesting results if you scroll above and below the offsets. Here we’ll use xxd and seek to the first hit at byte offset 75441 with the -s option. We’ll pipe the output to the head command, which will show us the first 10 lines of output. You can view more of the output by piping through less instead.
illustrated in small image analysis example, might not work as expected with larger images and could exit with an error similar to:

The most apparent cause for this is that grep does its searches line by line. When you are "grepping" a large disk image terabytes in size, you might find that you have a huge number of bytes to read through before grep comes across a newline character. What if grep had to read several gigabytes of data before coming across a newline? It would "exhaust" itself (the input buffer fills up). There are many variables that will affect this, and the causes are actually far more complex.

One potential solution is to force-feed grep some newlines. In our example analysis we are "grepping" for text. We are not concerned with non-text characters at all. If we could take the input stream to grep and change the non-text characters to newlines, in most cases grep would have no problem. Note that changing the input stream to grep does not change the image itself. Also, remember that we are still looking for a byte offset. Luckily, the character sizes remain the same, and so the offset does not change as we feed newlines into the stream (simply replacing one "character" with another).

Let's say we want to take all of the control characters streaming into grep from the disk image and change them to newlines. We can use the translate command, tr, to accomplish this. Check out man tr for more information about this powerful command:
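As an added example (not code from the guide), here is the plain grep -b search compared with the tr-fed variant on a small constructed "image", showing that swapping control characters for newlines keeps the byte offsets meaningful; the file contents and search terms are made up.

```shell
#!/bin/sh
# Added example (not code from the guide): compare plain grep -b with the
# tr-fed variant on a small constructed "image", to show that replacing control
# characters with newlines keeps the reported byte offsets meaningful.
set -e
IMG=$(mktemp)
LIST=$(mktemp)
trap 'rm -f "$IMG" "$LIST"' EXIT

# Constructed sample image: 4096 NUL bytes, a text fragment, 100 NUL bytes,
# then a second fragment. There is no newline anywhere in the file.
{
  dd if=/dev/zero bs=4096 count=1 2>/dev/null
  printf 'the secret password is hunter2'
  dd if=/dev/zero bs=100 count=1 2>/dev/null
  printf 'Another Secret message'
} > "$IMG"
printf 'secret\npassword\n' > "$LIST"

# Plain search (the guide's grep -abif form). grep -b reports the offset of the
# START of the matching line, and since the file has no newline the whole image
# is one line: every hit is reported at offset 0, which tells us nothing.
plain_hits() { LC_ALL=C grep -abif "$LIST" "$IMG" | cut -d: -f1; }

# Same search after tr turns every control character (NUL included) into a
# newline. Each byte is swapped one-for-one, so offsets still count bytes from
# the start of the image, but now each hit is reported at the byte where the
# text around it begins: 4096 and 4226 for the two fragments above.
tr_hits() {
  LC_ALL=C tr '[:cntrl:]' '\n' < "$IMG" | LC_ALL=C grep -abif "$LIST" | cut -d: -f1
}

# Seek to a hit and dump the bytes there, the equivalent of xxd -s OFFSET | head.
peek() { dd if="$IMG" bs=1 skip="$1" count=32 2>/dev/null | od -An -c; }

tr_hits | while read -r off; do
  echo "hit at byte $off:"
  peek "$off"
done
```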
distribution are extremely powerful, and are capable of tackling nearly any task. Where the standard shell fails, you might look at perl or python as options. These subjects are outside of the scope of the current presentation, but are introduced as fodder for further experimentation.
barry@forensic1:~$ su -
Password:
root@forensic1:~$ exit
barry@forensic1:~$
Let's dig a little deeper into the command line. Often there are arguments made about the usefulness of the command line interface (CLI) versus a GUI tool for analysis. I would argue that in the case of large sets of regimented data, the CLI can be faster and more flexible than many GUI tools available today.

As an example, we will look at a set of log files from a single Unix system. We are not going to analyze them for any sort of evidentiary data. The point here is to illustrate the ability of commands through the CLI to organize and parse data by using pipes to string a series of commands together and obtain the desired output. Follow along with the example, and keep in mind that to get anywhere near proficient with this will require a great deal of reading and practice. The payoff is enormous.

Create a directory called Logs and download the file logs.v3.tar.gz into that directory:
barry@forensic1:~$ cd Logs
Once the file is downloaded, check the hash and use the tar command to list the contents. Our command below shows that the files in the archive will extract directly to our current directory. There are 5 messages logs.
barry@forensic1:~/Logs$ ls
logs.v3.tar.gz
The messages logs contain entries from a variety of sources, including the kernel and other applications. The numbered files result from log rotation. As the logs are filled, they are rotated and eventually deleted. On most Unix systems, the logs are found in /var/log/ or /var/adm. These are from a very old system, but again it's not the contents we are interested in here, it's using the tools.

Extract the logs:

Let's have a look at one log entry. We pipe the output of cat to the command head -n 1 so that we only get the 1st line (recall that head without additional arguments will give the first 10 lines):
Each line in the log files begins with a date and time stamp. Next comes the host name followed by the name of the application that generated the log message. Finally, the actual message is printed.

For the sake of our exercise, let's assume these logs are from a victim system, and we want to analyze them and parse out the useful information. We are not going to worry about what we are actually seeing here, our objective is to understand how to boil the information down to something useful.

First of all, rather than parsing each file individually, let's try and analyze all the logs at one time. They are all in the same format, and essentially they comprise one large log. We can use the cat command to add all the files together and send them to standard output. If we work on that data stream, then we are essentially making one large log out of all five logs. Can you see a potential problem with this?

If you look at the output (scroll using less), you will see that the dates ascend and then jump to an earlier date and then start to ascend again. This is because the later log entries are added to the bottom of each file, so as the files are added together, the dates appear to be out of order. What we really want to do is stream each file backwards so that they get added together with the most recent date in each file at the top instead of at the bottom. In this way, when the files are added together they are in order. In order to accomplish this, we use tac (yes, that's cat backwards).
Beautiful. The dates are now in order. We can now work on the stream of log entries as if they were one large (in order) file. We will continue to work with this tac command to create our in-order stream with each command. We could redirect to another single log file that contains all the logs, but there's no need to right now and creating one large log file serves no real purpose.

First, let's gather some information. We might want to know, perhaps for our notes, how many entries are in each file, and how many entries total. Here's a quick way of doing that from the command line:

The same command is used to stream all the files together and send the output through the pipe to the wc command ("word count"). The -l option specifies that we want to count just lines instead of the default output of lines, words and bytes. To get a count for all the files and the total at the same time, use wc -l on all the messages files at one time:
barry@forensic1:~/Logs$ wc -l messages*
100 messages
109 messages.1
100 messages.2
50 messages.3
15 messages.4
374 total
Now we will introduce a new command, awk, to help us view specific fields from the log entries, in this case, the dates. awk is an extremely powerful command. The version most often found on Linux systems is gawk (GNU awk). While we are going to use it as a stand-alone command, awk is actually a programming language on its own, and can be used to write scripts for organizing data. Our concentration will be centered on the awk "print" function. See man awk for more details.

Sets of repetitive data can often be divided into columns or "fields", depending on the structure of the file. In this case, the fields in the log files are separated by simple white space (the awk default field separator). The date is comprised of the first two fields (month and day). So let's have a look at awk in action:
...
This command will stream all the log files (each one from bottom to top) and send the output to awk which will print the first field, $1 (month), followed by a space (" "), followed by the second field, $2 (day). This shows just the month and day for every entry. Suppose I just want to see one of each date when an entry was made. I don't need to see repeating dates. I ask to see one of each unique line of output with uniq:

This removes repeated dates, and shows me just those dates with log activity.

CLI Hint: Instead of re-typing the command each time, use the up arrow on your keyboard to scroll through older commands (part of the command history of bash). Hit the up arrow once, and you can edit your last command. Very useful when adjusting commands for this sort of parsing.

If a particular date is of interest, I can grep the logs for that particular date (note there are 2 spaces between Nov and 4, one space will not work in our grep command):

Of course, we have to keep in mind that this would give us any lines where the string Nov 4 resided, not just in the date field. To be more explicit, we could say that we only want lines that start with Nov 4, using the ^ (in our case, this gives essentially the same output):
Also, if we don't know that there are two spaces between Nov and 4, we can tell grep to look for any number of spaces between the two:

The above grep expression translates to "Lines starting (^) with the string Nov followed by zero or more (*) of the preceding characters that are between the brackets ( [ ] - in this case, a space) followed by a 4". Obviously, this is a complex issue. Knowing how to use regular expressions will give you huge flexibility in sorting through and organizing large sets of data. As mentioned earlier, read the grep man page for a good primer on regular expressions.

As we look through the log files, we may come across entries that appear suspect. Perhaps we need to gather all the entries that we see containing the string Did not receive identification string from <IP> for further analysis.

There are 35 such entries. Now we just want the date (fields 1 and 2), the time (field 3) and the remote IP address that generated the log entry. The IP address is the last field. Rather than count each word in the entry to get to the field number of the IP, we can simply use the variable $NF, which means "number of fields". Since the IP is the last field, its field number is equal to the number of fields:
We can add some tabs (\t) in place of spaces in our output to make it more readable (this assumes fixed string length). The following command will place a tab character between the date and the time, and between the time and the IP address:

This can all be redirected to an analysis log or text file for easy addition to a report. Remember that > report.txt creates the report file (overwriting anything there previously), while >> report.txt appends to it. You can use su to become root and set the "append only" attribute on your report file to prevent accidental overwrites 22.

22 We covered this earlier in the guide with the chattr command. See the man page for more info.
We can also get a sorted (sort) list of the unique (-u) IP addresses involved in the same way:

The command above prints only the last field ($NF) of our grep output (which is the IP address). The resulting list of IP addresses can also be fed to a script that does nslookup or whois database queries.
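The whole tac | grep | awk | sort | uniq pipeline from this section, as an added example rather than the guide's own commands, run over a handful of constructed messages files in a temporary directory; the hosts, dates and IP addresses are made up.

```shell
#!/bin/sh
# Added example, not from the guide: the tac | grep | awk | sort | uniq pipeline
# run over constructed log lines in a temporary directory.
set -e
LOGDIR=$(mktemp -d)
trap 'rm -rf "$LOGDIR"' EXIT

# Constructed sample logs. Rotated files hold OLDER entries, and each file is
# written oldest-first, so the newest entry is at the bottom of "messages".
cat > "$LOGDIR/messages.1" <<'EOF'
Nov  3 22:10:01 victim sshd[811]: Did not receive identification string from 10.0.0.5
Nov  3 23:45:12 victim kernel: eth0: link up
EOF
cat > "$LOGDIR/messages" <<'EOF'
Nov  4 01:02:03 victim sshd[901]: Did not receive identification string from 192.0.2.10
Nov  4 01:02:09 victim sshd[902]: Did not receive identification string from 10.0.0.5
Nov  4 03:15:00 victim cron[77]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# tac reverses each file, so streaming "messages" then "messages.1" gives
# newest-first across the whole set, exactly as described above.
stream_logs() { ( cd "$LOGDIR" && tac messages* ); }

# Total entries across all logs (wc -l on the combined stream).
count_entries() { stream_logs | wc -l | tr -d ' '; }

# Distinct dates with activity: fields 1 and 2 are month and day.
active_dates() { stream_logs | awk '{print $1 " " $2}' | uniq; }

# Lines starting with "Nov", any number of spaces, then "4" (the ^Nov[ ]*4 form).
nov4_entries() { stream_logs | grep '^Nov[ ]*4'; }

# Date, time and remote IP ($NF, the last field) for the suspect entries,
# tab separated so the columns line up in a report.
suspect_report() {
  stream_logs | grep 'Did not receive identification string from' \
    | awk '{print $1 " " $2 "\t" $3 "\t" $NF}'
}

# Sorted, unique list of the IP addresses involved.
suspect_ips() {
  stream_logs | grep 'Did not receive identification string from' \
    | awk '{print $NF}' | sort -u
}

echo "entries: $(count_entries)"
active_dates
suspect_report
suspect_ips
```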
As with all the exercises in this document, we have just sampled the abilities of the Linux command line. It all seems somewhat convoluted to the beginner. After some practice and experience with different sets of data, you will find that you can glance at a file and say "I want that information", and be able to write a quick piped command to get what you want in a readable format in a matter of seconds. As with all language skills, the Linux command line "language" is perishable. Keep a good reference handy and remember that you might have to look up syntax a few times before it becomes second nature.

Fun with DD

We've already done some simple imaging and wiping using dd, let's explore some other uses for this flexible tool. dd is sort of like a little forensic Swiss army knife (talk about over-used clichés!). It has lots of applications, limited only by your imagination.
In this next example, we will use dd to carve a JPEG picture file from a chunk of raw data. By itself, this is not a real useful exercise. There are lots of tools out there that will "carve" files from forensic images, including a simple cut and paste from a hex editor. However, the purpose of this exercise is to help you become more familiar with dd. In addition, you will get a chance to use a number of other tools in preparation for the "carving". This will help familiarize you further with the Linux toolbox. First you will need to download the raw data chunk and check its hash:

Have a brief look at the file image_carve_2017.raw with your wonderful command line hexdump tool, xxd:

It's really just a file full of random characters. Somewhere inside there is a standard JPEG image. Let's go through the steps we need to take to recover the picture file using dd and other Linux tools. We are going to stick with command line tools available in most default installations.

First we need a plan. How would we go about recovering the file? What are the things we need to know to get the image (picture) out, and only the image? Imagine dd as a pair of scissors. We need to know where to put the scissors to start cutting, and we need to know where to stop cutting. Finding the start of the JPEG and the end of the JPEG can tell us this. Once we know where we will start and stop, we can calculate the size of the JPEG. We can
then tell dd where to start cutting, and how much to cut. The output file will be our JPEG image. Easy, right? So here's our plan, and the tools we'll use:

This exercise starts with the assumption that we are familiar with standard file headers. Since we will be searching for a standard JPEG image within the data chunk, we will start with the stipulation that the JPEG header begins with hex ffd8 with a six-byte offset to the string JFIF. The end of the standard JPEG is marked by hex ffd9.

The grep command found four lines that contain the potential header of our picture file. We know that we are looking for a JPEG image, and we know that following an additional four bytes after the ffd8 we should see the JFIF string. The last line of our output shows that, meaning this is the correct match. This is shown in red above.

The start of a standard JPEG file header has been found. The offset (in hex) for the beginning of this line of xxd output is 00036ac0. Now we can calculate the byte offset in decimal. For this we will use the bc command. As we discussed in an earlier section, bc is a command line "calculator", useful for conversions and calculations. It can be used either interactively or take piped input. In this case we will echo the hex offset to bc, first telling it that the value is in base 16. bc will return the decimal value.

It's important that you use uppercase letters in the hex value. Note that this is NOT the start of the JPEG, just the start of the line in the xxd output. The ffd8 string is actually located another six bytes farther into that line of output (each hex pair is a character value, and there are six pairs before the ffd8). So we add 6 to the start of the line. Our offset is now 223942. We have found and calculated the start of the JPEG image in our data chunk.

23 The perceptive among you will notice that this is a "perfect world" situation. There are a number of variables that can make this operation more difficult. The grep command can be adjusted for many situations using a complex regular expression (outside the scope of this document).
Since we already know where the JPEG starts, we will start our search for the end of the file from that point. Again using xxd and grep we search for the footer value ffd9 somewhere after the header:

The -s 223942 option to xxd specifies where to start searching (since we know this is the front of the JPEG, there's no reason to search before it and we eliminate false hits from that region). The output shows the first ffd9 on the line at hex offset 0005d3c6. Let's convert that to decimal, again noting the uppercase value in our hex:

We now know the file is 157964 bytes in size, and it starts at byte offset 223942. The carving is the easy part! We will use dd with three options:
You should now have a file in your current directory called carved.jpg. If you are in X, simply use the xv command to view the file (or any other image viewer, like display) and see what you've got.

barry@forensic1:~$ xv carved.jpg
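The same plan carried out end to end, as an added example that is not the guide's own commands: grep -b and shell arithmetic stand in for xxd and bc, the "JPEG" is a constructed header-and-footer shell rather than a real picture, and the carved result is checked against the original. Because grep -ob reports the offset of the match itself rather than of an xxd line start, the six-byte correction is applied to the JFIF offset.

```shell
#!/bin/sh
# Added example, not from the guide: carve an embedded JPEG out of a constructed
# raw chunk with grep -b, shell arithmetic and dd, then verify the carved file.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
RAW="$WORK/chunk.raw"

# Constructed "JPEG": ffd8 ffe0 0010 then JFIF (so JFIF sits 6 bytes after the
# ffd8), a little payload, then the ffd9 end marker. Not a decodable picture.
JPEG="$WORK/original.jpg"
{
  printf '\377\330\377\340\000\020JFIF\000\001\001'
  printf 'constructed payload bytes'
  printf '\377\331'
} > "$JPEG"

# Surround it with filler so it sits at a non-trivial offset (3000 here).
{
  dd if=/dev/zero bs=1000 count=3 2>/dev/null | tr '\0' 'x'
  cat "$JPEG"
  dd if=/dev/zero bs=500 count=1 2>/dev/null | tr '\0' 'y'
} > "$RAW"

# bc replacement: convert an xxd-style hex offset to decimal with shell arithmetic.
hex_to_dec() { echo $((0x$1)); }

# Byte offset of the first "JFIF" string, minus 6, is where ffd8 begins.
header_offset() {
  off=$(LC_ALL=C grep -oba 'JFIF' "$RAW" | head -n 1 | cut -d: -f1)
  echo $((off - 6))
}

# First ffd9 AFTER the header: dd skips to the header (like xxd -s), grep -ob
# reports the match offset relative to that point, so add the start back.
footer_offset() {
  start=$1
  rel=$(dd if="$RAW" bs=1 skip="$start" 2>/dev/null \
        | LC_ALL=C grep -oba "$(printf '\377\331')" | head -n 1 | cut -d: -f1)
  echo $((start + rel))
}

# dd with the three options from the exercise: skip to the start, copy "size"
# bytes (bs=1), write the output file. Prints the carved size.
carve() {
  start=$(header_offset)
  end=$(footer_offset "$start")
  size=$((end + 2 - start))          # include the two footer bytes
  dd if="$RAW" of="$WORK/carved.jpg" bs=1 skip="$start" count="$size" 2>/dev/null
  echo "$size"
}

# Returns 0 when the carved file is byte-identical to the embedded original.
verify() { cmp -s "$WORK/original.jpg" "$WORK/carved.jpg"; }

echo "carved $(carve) bytes"
verify && echo "carved file matches the original"
```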
Now we can try another useful exercise in carving with dd. Often, you will obtain or be given a dd image of a full disk. At times you might find it desirable to have each separate partition within the disk available to search or mount. Remember, you cannot simply mount an entire disk image, only the partitions. We've already learned that we can find the structure of an image and mount the partitions within using tools like kpartx and the loop device with the mount command.

The method we will use in this exercise entails identifying the partitions within a raw image with fdisk or gdisk. We will then use dd to carve the partitions out of the image.
Check the contents of the tar archive (tar tzvf), untar the files (tar xzvf), and change into the able_3 directory with cd. You can skip all of this if you already have the able_3 directory from our previous exercise. Just change into the directory.

Now that we are in the able_3 directory, we can see that we have our 4 split image files and a log file with the acquisition information. This particular log was created by the dc3dd command (we covered earlier). View the log and look at the hashes:
The first hash in the output above is the entire input hash for the device that was imaged (/dev/sda1 from the subject system). We can verify that by streaming all our split parts together and piping through sha1sum:

The next four hashes are for the split image files (and the sector range in each split). We could also verify these individually, although if the previous command works, we've already confirmed our individual hashes will match. Go ahead and check them anyway:

Okay, now we have our image, and we have verified that it is an accurate copy. In order to check the file system and carve the partitions, we'll need to work on a single raw image instead of splits. Working from the assumption that we are executing this on a system with basic tools, we'll forgo using tools like affuse and kpartx. Instead, we'll simply recreate a raw image by using cat to add the files back together and re-direct to the raw image:

Let's start by exploring the contents of the image with some of our partition parsing tools. To use these tools, you'll need to be root and change to the directory where the images are (user's home directory and able_3 sub directory):
barry@forensic1:~/able3$ su -
Password:
root@forensic1:~# cd ~barry/able_3
root@forensic1:/home/barry/able_3#
Looking at the output, we see that the disk has a GPT partitioning scheme. You could re-run the command using gdisk for documentation purposes. Once we've finished with fdisk, exit the root login and you are back to a normal user:
root@forensic1:/home/barry/able_3# exit
logout
barry@forensic1:~/able3$
Let's go ahead and dd out each partition. With the output of fdisk -l shown above, the job is easy.
Examine these commands closely. The input file (if=able_3.raw) is the full disk image. The output files (of=able_3.part#.raw) will contain each of the partitions. The block size that we are using is the sector size (bs=512), which matches the output of the fdisk command. Each dd section needs to start where each partition begins (skip=X), and cut as far as the partition goes (count=Y).

This will leave you with three able_3.part*.raw files in your current directory that can now be loop mounted without the need for special programs.
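The split-image verification and sector-based partition carving from this exercise, as an added example (not the guide's commands) on a constructed 24-sector "disk" whose sectors are filled with letters so that a carved partition can be checked by content; the split file names and partition start/length are made up.

```shell
#!/bin/sh
# Added example, not the guide's own commands: rebuild a raw disk image from
# constructed split files, verify it by hash, and carve a partition out of it
# with dd using the sector arithmetic described above (skip=start, count=sectors).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed 24-sector "disk" (512-byte sectors): sector n is filled with the
# n-th letter (A for sector 0, B for 1, ...), so a carved partition can be
# checked by the letters it contains.
for letter in A B C D E F G H I J K L M N O P Q R S T U V W X; do
  dd if=/dev/zero bs=512 count=1 2>/dev/null | tr '\0' "$letter"
done > disk.raw

# Split into four 6-sector pieces, the way an imager writing split output would
# (disk.raw.aa .. disk.raw.ad).
split -b 3072 disk.raw disk.raw.

# Hash of the whole device image versus the hash of the split parts streamed
# together in order: the two must match, as the dc3dd log comparison expects.
whole_hash() { sha1sum disk.raw | cut -d' ' -f1; }
split_hash() { cat disk.raw.a* | sha1sum | cut -d' ' -f1; }

# Recreate a single raw image from the splits (cat >) and confirm it is
# byte-identical to the original.
rebuild() { cat disk.raw.a* > rebuilt.raw && cmp -s disk.raw rebuilt.raw; }

# Carve one partition: $1 is its start sector, $2 its length in sectors, the
# values you would read from fdisk -l. Prints the carved file's size in bytes.
carve_partition() {
  dd if=rebuilt.raw of="part_$1.raw" bs=512 skip="$1" count="$2" 2>/dev/null
  wc -c < "part_$1.raw" | tr -d ' '
}

# First and last byte of a carved partition, to confirm it starts and ends at
# the intended sectors (a partition at sector 8 with 4 sectors spans I..L).
first_byte() { head -c 1 "$1"; }
last_byte() { tail -c 1 "$1"; }

echo "whole: $(whole_hash)"
echo "split: $(split_hash)"
rebuild && echo "rebuilt image matches"
echo "partition bytes: $(carve_partition 8 4)"
echo "spans $(first_byte part_8.raw)..$(last_byte part_8.raw)"
```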
Going back to our able_3 case raw images, we now have the original image along with the partition images that we carved out (plus the original split images).

For example, a system administrator may decide to keep the directory /var/log on its own separate partition. This might be done in an attempt to prevent rampant log files from filling the root (/ not /root) partition and bringing the system down. Several years ago, finding the /boot directory in its own partition was common as well. This allows the kernel image to be placed near "the front" (in terms of cylinders) of a boot volume, an issue in some older boot loaders. There are also a variety of security implications addressed by this setup.

So when you have a disk with multiple partitions, how do you find out the structure of the file system? Earlier in this paper we discussed the /etc/fstab file. This file maintains the mounting information for each file system, including the physical partition, mount point, file system type, and options. Once we find this file, reconstructing the system is easy. With experience, you will start to get a feel for how partitions are set up, and where to look for the fstab. To make things simple here, just mount each partition (loop, read only) and have a look around.

One thing we might like to know is what sort of file system is on each partition before we try and mount them. We can use the file command to do this24. Remember from our earlier exercise that the file command determines the type of file by looking for "header" information.

24 Keep in mind that the file command relies on the contents of the magic file to determine a file type. If this command does not work for you in the following example, then it is most likely because the magic file on your system does not include headers for file system types.
barry@forensic1:~/able3$ su -
Password:
root@forensic1:~# ls /mnt/evid
README.initrd@ config-huge-4.4.14 onlyblue.dat
System.map@ elilo-ia32.efi* slack.bmp
System.map-generic-4.4.14 elilo-x86_64.efi* tuxlogo.bmp
System.map-huge-4.4.14 grub/ tuxlogo.dat
boot.0800 inside.bmp vmlinuz@
boot_message.txt inside.dat vmlinuz-generic@
coffee.dat lost+found/ vmlinuz-generic-4.4.14
config@ map vmlinuz-huge@
config-generic-4.4.14 onlyblue.bmp vmlinuz-huge-4.4.14
So now we see that the logical file system was constructed from three separate partitions (note that /dev/sda here refers to the disk when it is mounted in the original system):

Now we can create the original file system at our evidence mount point. The mount point /mnt/evid already exists. When you mount the root partition of able_3.raw on /mnt/evid, you will note that the directories /mnt/evid/boot and /mnt/evid/home already exist, but are empty. That is because we have to mount those partitions to access the contents of those directories. We mount the root file system first, and the others are mounted to that. Again, we must be root for this:
At this point we can run all of our searches and commands just as we did for the previous fat_fs.raw exercise on a complete file system "rooted" at /mnt/evid.

As always, you should know what you are doing when you mount a complete file system on your forensic workstation. Be aware of options to the mount command that you might want to use (check man mount for options like nodev and nosuid, noatime, etc.). Take note of where links point to from the subject file system. Note that we have mounted the partitions "read only" (ro). Remember to unmount (umount) each partition when you are finished exploring.
However, as forensic examiners, we soon come to find out that time is a valuable commodity. While learning to use the command line tools native to a Linux install is useful for a myriad of tasks in the "real world", it can also be tedious. After all, there are Windows based tools out there that allow you to do much of what we have discussed here in a simple point and click GUI. Well, the same can be said for Linux.

In this section we will cover a number of forensic tools available to make your analysis easier and more efficient.

AUTHOR'S NOTE: Inclusion of tools and packages in this section in no way constitutes an endorsement of those tools. Please test them yourself to ensure that they meet your needs. Since this is a Linux document, I am covering available Linux tools. This does not mean that the common tools available for other platforms cannot be used to accomplish many of the same results.

To get a quick overview of some file systems, you can do a quick Internet search. There is a ton of information readily available if you need a primer. Here are some simple links to get you started26. If you have questions on any of these file systems, or how they work, I would suggest some light reading before diving into these exercises.
NTFS: http://www.ntfs.com
http://en.wikipedia.org/wiki/NTFS
EXT2/3/4: http://e2fsprogs.sourceforge.net/ext2intro.html
http://en.wikipedia.org/wiki/Ext3
http://en.wikipedia.org/wiki/Ext4
FAT: http://en.wikipedia.org/wiki/File_allocation_table

26 The author does not vouch for any of these sources. They are provided for your information only.
Also, once Sleuth Kit (which we cover soon) is installed, you might want to browse around http://wiki.sleuthkit.org/ for additional information on file systems and implementation.

Brian Carrier, author of The Sleuth Kit, utilizes a framework for storage device analysis in his book File System Forensic Analysis, which we mentioned earlier. As a result of this approach, Carrier organizes his tools into a series of virtual layers that define the purpose of each tool with respect to application to a specific layer. Conveniently, the Sleuth Kit tools are named according to these layers. By introducing tools in a given category and defining their respective layer membership, students can better organize their understanding of each tool's function and where it best fits in an analysis.

This approach can easily be extended and expanded to encompass additional tools from outside Sleuth Kit. While some tools do not succinctly fit in this paradigm, they can still be addressed in a sequence that fits the overall analytical approach.

This has the added benefit of giving students a way of conceptualizing the way tools are employed. The following figure provides a graphical summary of the layers Carrier designates for the analysis of evidence.
Illustration 5: An example of layers and their associated content based on Carrier's work
Understanding where particular tools fit into this approach will help us to define when, and for what purpose they should be used. We've already covered a number of common tools like dd, dc3dd, hdparm, lsscsi, lshw and others. These are examples of tools that work at the physical media layer – looking directly at physical media and disk information, including serial numbers, disk sector sizes and the physical bus on which the media resides.

We've also looked at tools that act on the media management layer, like fdisk, gdisk, kpartx and others. These tools act on information provided at the partition table level, but without specifically acting on the file systems themselves.
- file (file types), find (locate files), grep (file name attributes), common file system tools (ls, etc.)
5. Analyze the application layer:
- view file contents with less, cat
- locate specific file content with grep
- utilize external application level tools to view file formats like xv (or display) and catdoc, etc. We will cover additional specialized tools for this later.

So you can see from the list above that we can have tools apply to several different layers. This speaks to the simplicity of the Unix development approach that has been around for decades. The tools generally do one thing, do it well, but can be versatile in their employment.

In summary, this all means that instead of taking the approach that we might normally take with multi-functional Windows forensic software:
• Open a program
• Open (or acquire) an image file with that program
• "Index" the image file within the program
• Navigate the menus, collecting data and reporting it.
...we can now sit at a command prompt and step through the various layers of our examination, collecting and redirecting information as we go, peeling through layer by layer of our analysis until we reach our conclusion. Instead of fumbling around the command line, we target our commands to the layer we are currently examining.
Sleuth Kit

The first of the advanced external tools we will cover here is a collection of command line tools called the Sleuth Kit (TSK). This is a suite of tools written by Brian Carrier and maintained at http://www.sleuthkit.org. It is partially based on The Coroner's Toolkit (TCT) originally written by Dan Farmer and Wietse Venema. TSK adds additional file system support and allows you to analyze various file system types regardless of the platform you are currently working on. The current version, as of this writing, is 4.4.x.

Let's start with a discussion of the tools first. Most of this information is readily available in the Sleuth Kit documentation or on the Sleuth Kit website.

We've already discussed the TSK's organization of tool function by layers. Here's a list of some of the tools, and where they fit in (the layers defined here are somewhat different from our overall analytical approach).
We also have tools that address physical disks and tools that address the "journals" of some file systems.

Notice that the commands that correspond to the analysis of a given layer generally begin with a common letter. For example, the file system command starts with fs and the inode (meta-data) layer commands start with i and so on.

http://wiki.sleuthkit.org/index.php?title=TSK_Tool_Overview

The author does a fine job of defining and describing these layers and how they fit together for a forensic analysis. Understanding that TSK tools operate at different layers is extremely important.

In addition to the tools already mentioned, there are some miscellaneous tools included with the Sleuth Kit that don't fall into the above categories:
When the installation is finished, you will find the Sleuth Kit tools located in /usr/bin. You can view a list of what was installed (and other package information) by viewing the file at /var/log/packages/sleuthkit-<ver>_Sbo:
This section remains one of the most popular sections of this document, providing hands on exercises for TSK and a sample of its tools.

Like all of the other exercises in this document, I'd suggest you follow along if you can. Using these commands on your own is the only way to really learn the techniques. Read the included man pages and play with the options to obtain other output. The image files used in the following examples are available for download, and some have already been downloaded and used earlier in the guide.

There are a number of ways to tackle the following problems. In some cases we'll use affuse or ewfmount to provide fuse mounted images from EWF files or split files. We'll do it for practice here, but feel free to run the tools directly on the image files themselves (there will be demonstrations of both). Practice and experiment.
barry@forensic1:~$ cd able2
Untar the image and then let's get started. Get your hands on the keyboard and follow along.
Sleuth Kit Exercise #1A – Deleted File Identification and Recovery (ext2)

We will start with a look at a couple of the file system and file name layer tools, fsstat and fls, running them against our able2 image.

Part of the TSK suite of tools, mmls, provides access to the partition table within an image, and gives the partition offsets in sector units. mmls provides much the same information as we get from fdisk or gdisk.

So, we run the Sleuth Kit fsstat command with -o 10260 to gather file system information at that offset. Pipe the output through less to page through:
METADATA INFORMATION
--------------------------------------------
Inode Range: 1 - 12881
Root Directory: 2
Free Inodes: 5807
CONTENT INFORMATION
--------------------------------------------
Block Range: 0 - 51299
Block Size: 1024
Reserved Blocks Before Block Groups: 1
Free Blocks: 9512
...
The fsstat command provides type specific information about the file system in a volume. As previously noted, we ran the fsstat command above with the option -o 10260. This specifies that we want information from the file system residing on the partition that starts at sector offset 10260.

We can get more information using the fls command. fls lists the file names and directories contained in a file system, or in a directory, if the meta-data identifier for a particular directory is passed. The output can be adjusted with a number of options, to include gathering information about deleted files. If you type fls on its own, you will see the available options (view the man page for a more complete explanation).
If you run the fls command with only the -o option to specify the file system, then by default it will run on the file system's root directory. This is inode 2 on an EXT file system and MFT entry 5 on an NTFS file system.

So, in the following command, we run fls and only pass -o 10260. This results in a listing of the contents of the root directory:

There are several points we want to take note of before we continue. Let's take a few lines of output and describe what the tool is telling us. Have a look at the last three lines from the above fls command.
...
r/r 1042: .bash_history
d/d 11105: .001
d/d 12881: $OrphanFiles
Each line of output starts with two characters separated by a slash. This field indicates the file type as described by the file's directory entry, and by the file's meta-data (in this case the inode, because we are looking at an EXT file system). For example, the first file listed in the snippet above, .bash_history, is identified as a regular file in both the file's directory entry and its inode entry. This is noted by the r/r designation. Conversely, the following two entries (.001 and $OrphanFiles) are identified as directories.

The next field is the meta-data entry number (inode, MFT entry, etc.) followed by the file name. In the case of the file .bash_history the inode is listed as 1042.

We can continue to run fls on directory entries to dig deeper into the file system structure (or use -r for a recursive listing). By passing the meta-data entry number of a directory, we can view its contents. Read man fls for a look at some useful features. For example, have a look at the .001 directory in the listing above. This is an unusual directory and would cause some suspicion. It is hidden (starts with a "."), and no such directory is common in the root of the file system. So, to see the contents of the .001 directory, we would pass its inode to fls:
The contents of the directory are listed. We will cover commands to view and analyze the individual files later on.

fls can also be useful for uncovering deleted files. By default, fls will show both allocated and unallocated files. We can change this behavior by passing other options. For example, if we wanted to see only deleted entries that are listed as files (rather than directories), and we wanted the listing to be recursive, we could use the following command:
Notice that all of the files listed have an asterisk (*) before the inode. This indicates the file is deleted, which we expect in the above output since we specified the -d option to fls. We are then presented with the meta-data entry number (inode, MFT entry, etc.) followed by the file name.

Some of the entries in the output are tagged (realloc) rather than simply deleted. The Sleuth Kit documentation explains the distinction:

“The difference comes about because there is a file name layer and a metadata layer. Every file has an entry in both layers and each entry has its own allocation status.

If a file is marked as "deleted" then this means that both the file name and metadata entries are marked as unallocated. If a file is marked as "realloc" then this means that its file name is unallocated and its metadata is allocated.”

In the case of inode 2138, it looks as though the realloc was caused by the file being moved to the directory .001 (see the fls listing of .001 above, inode 11105). This causes it to be deleted from its current directory entry (root/lolit_pics.tar.gz) and a new file name created (.001/lolit_pics.tar.gz). The inode and the data blocks that it points to remain unchanged and in "allocated status", but it has been "reallocated" to the new name. Keep this in mind when recovering: running icat on a realloc inode returns the content of the live file that now owns it, not necessarily what the deleted name once pointed to.
Let's continue our analysis exercise using a couple of meta-data (inode) layer tools included with the Sleuth Kit. In a Linux EXT type file system, an inode has a unique number and is assigned to a file. The number corresponds to the inode table, allocated when a partition is formatted. The inode contains all the meta-data available for a file, including the modified/accessed/changed (mac) times and a list of all the data blocks allocated to that file.
If you look at the output of our last fls command, you will see a deleted file called lrkn.tgz located in the /root directory (the last file in the output of our fls command, before the list of orphan files; recall that the asterisk indicates it is deleted):
...
r/r * 2139: root/lrkn.tgz
...
The inode displayed by fls for this file is 2139. This same inode also points to another deleted file in /dev earlier in the output (same file, different location). We can find all the file names associated with a particular meta-data entry by using the ffind command:

Here we see that there are two file names associated with inode 2139, and both are deleted, as noted again by the asterisk (the -a ensures that we get all the inode associations, rather than stopping at the first name found).
Inode Times:
Accessed: 2003-08-10 00:18:38 (EDT)
File Modified: 2003-08-10 00:08:32 (EDT)
Inode Modified: 2003-08-10 00:29:58 (EDT)
Deleted: 2003-08-10 00:29:58 (EDT)
Direct Blocks:
This reads the inode statistics (istat) on the file system located in the able2.dd image in the partition at sector offset 10260 (-o 10260), from inode 2139 found in our fls command. There is a large amount of output here, showing all the inode information and the file system blocks ("Direct Blocks") that contain all of the file's data. We can either redirect the output of istat to a file for logging, or we can pipe it to less for viewing.

Keep in mind that the Sleuth Kit supports a number of different file systems. istat (along with many of the Sleuth Kit commands) will work on more than just an EXT file system. The descriptive output will change to match the file system istat is being used on. We will see more of this a little later. You can see the supported file systems by running istat with -f list.
We are going to send the contents of the data blocks assigned to inode 2139 to a file for closer examination.

This runs the icat command on the file system in our able2.dd image at sector offset 10260 (-o 10260) and streams the contents of the data blocks associated with inode 2139 to the file lrkn.tgz.2139. The file name is arbitrary; I simply took the name of the file from fls and appended the inode number to indicate that it was recovered. Normally this output should be directed to some results or specified evidence directory.
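The fls, ffind and icat steps above are usually repeated for every deleted entry of interest. The following script is an added example, not part of the guide: it reads the output of fls run with -r -d -F -p (recursive, deleted only, files only, full paths) and prints one icat command per deleted inode, named the way the text does (file name plus inode number), so the commands can be reviewed and logged before they are run. Entries tagged (realloc) are skipped, and an inode that appears under two names (as 2139 does) is recovered once. The fls lines at the bottom are a constructed sample in the shape fls -p prints; the inode numbers and names follow the able2 listing discussed above.

```shell
#!/bin/sh
# Added example (not from the LinuxLEO guide): read the output of
#   fls -o <offset> -r -d -F -p <image>
# and print one icat command per deleted regular file, so the commands can
# be reviewed (and logged) before they are run. Entries tagged (realloc)
# are skipped: their inode is allocated to a live file, and icat would
# return that file's content rather than the deleted one's.

# fls_to_icat OFFSET IMAGE < fls-output
#   prints:  icat -o OFFSET IMAGE INODE > BASENAME.INODE
fls_to_icat() {
    awk -v off="$1" -v img="$2" '
        $2 != "*" { next }                     # keep deleted entries only
        {
            inode = $3; sub(/:$/, "", inode)
            if (inode ~ /\(realloc\)$/) next   # metadata still allocated elsewhere
            if (seen[inode]++) next            # same inode, second name (cf. ffind -a)
            name = $0; sub(/^[^:]*:[ \t]*/, "", name)
            base = name; sub(/^.*\//, "", base)
            printf "icat -o %s %s %s > %s.%s\n", off, img, inode, base, inode
        }'
}

# Constructed sample in the shape "fls -p" prints; inode numbers and names
# follow the able2 listing discussed in the text.
SAMPLE_FLS='r/r * 2139: dev/lrkn.tgz
r/r * 2138(realloc): root/lolit_pics.tar.gz
r/r * 2139: root/lrkn.tgz
d/d 11105: .001'

printf '%s\n' "$SAMPLE_FLS" | fls_to_icat 10260 able2.dd
# prints: icat -o 10260 able2.dd 2139 > lrkn.tgz.2139
```

In practice the sample would be replaced by a real listing, for example `fls -o 10260 -r -d -F -p able2.dd | fls_to_icat 10260 able2.dd`, and the printed commands piped to sh once they have been checked and the output directory set to the evidence directory.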
Now that we have what we hope is a recovered file, what do we do with it? Look at the resulting file with the file command:

Have a look at the contents of the recovered archive (pipe the output through less; it's long). Remember that the t option to the tar command lists the contents of the archive.

We have not yet extracted the archive, we've just listed its contents. Notice that there is a README file included in the archive. If we are curious about the contents of the archive, perhaps reading the README file would be a good idea, yes? Rather than extract the entire contents of the archive, we will go for just the README using the following tar command:
The difference with this tar command is that we specify that we want the output sent to stdout (O [capital letter "oh"]) so we can redirect it. We also specify the name of the file that we want extracted from the archive (lrk3/README). This is all redirected to a new file called lrkn.2139.README.

If you read that file (use less), you will find that we have uncovered a "rootkit", full of programs used to hide a hacker's activity.
Briefly, let's look at a different type of file recovered by icat. The concept is the same, but instead of extracting a file, you can stream its contents to stdout for viewing. Recall our previous directory listing of the .001 directory at inode 11105:

We can determine the contents of the (allocated) file with inode 11108, for example, by using icat to stream the inode's data blocks through a pipe to the file command. We use the "-" to indicate that file is getting its input from the pipe:
Sleuth Kit Exercise #1B – Deleted File Identification and Recovery (ext4)

The previous exercise is a good primer for learning how to run TSK commands against a forensic image and identify and extract files. We used an older forensic image of an ext2 file system because it allows us to run the full course of identification and extraction tools provided by TSK. We can do this because ext2 files that are deleted still have enough information in their associated file system metadata ("inode" for ext file systems) to be able to recover the file. As you will see in what follows, this has changed for the ext4 file system. As has been made clear in the past, this is not meant to be an education on file systems in general. Rather, the purpose here is to highlight the tools and how you can expect different output based on the file system being used. We also want to ensure that the limitations of our tools are known. Were you to learn TSK on an ext2 file system, you might expect it to work in exactly the same way on ext4. This is not the case, and this exercise illustrates that. It is one of the primary reasons why the able_3 image was added to our problem set.

First we need to decide how we want to access our image file. The able_3 disk image, as it was downloaded, is a set of four split images. As we've done before, you could use affuse to mount the splits as a single image and even use kpartx to separate the partitions. But since the Sleuth Kit supports analysis of split image files, we'll go ahead and just leave them as is. You can use the img_stat command from TSK to document this.

Start by changing into the able_3 directory we created previously for our image files, run img_stat to see the split file support and run mmls to identify the partitions. When using TSK on split images, we only need to provide the first image file in the set (the same rule holds for EWF files; you only provide the first file name in the set):
--------------------------------------------
Split Information:
able_3.000 (0 to 1073741823)
able_3.001 (1073741824 to 2147483647)
able_3.002 (2147483648 to 3221225471)
able_3.003 (3221225472 to 4294967295)
Run fsstat on that partition to identify the file system type and information. You might want to pipe the output through less for easier viewing:
You can see some familiar files in this output. We see the lolitaz files we saw in the .001 directory on able2, and we also see the lrkn.tar.gz file we recovered and extracted the README from. For this exercise, we will be interested in the lolitaz files. The lrkn.tar.gz contents will come later. You'll notice that the majority of the files reside in an allocated (not deleted) directory called .h and are deleted files (signified by the asterisk *). There is a single allocated file in that directory called lolitaz13. Compare the output of istat and a follow-up icat command between the allocated file lolitaz13 (inode 20), and one of the deleted files; we'll use lolitaz2 (inode 21). For the icat command, we'll pipe the output to our hex viewer xxd and look at the first five lines with head -n 5. Here's the output of both:
Inode Times:
Accessed: 2017-05-08 00:18:16 (EDT)
File Modified: 2003-08-03 19:15:07 (EDT)
Inode Modified: 2017-05-08 00:18:16 (EDT)
Direct Blocks:
9921 9922 9923 9924 9925 9926 9927 9928
9929 9930 9931 9932 9933 9934 9935
Inode Times:
Accessed: 2017-05-08 00:18:16 (EDT)
File Modified: 2017-05-08 00:22:58 (EDT)
Inode Modified: 2017-05-08 00:22:58 (EDT)
Deleted: 2017-05-08 00:22:58 (EDT)
Direct Blocks:
The deleted inode 21 carries timestamps and a deletion time, but its "Direct Blocks" list is empty, so icat returns nothing for it. On ext4 (as on ext3) the kernel zeroes the inode's block references when a file is unlinked; the metadata survives, the pointers to the content do not. The content has to be found from the block side instead (blkls, blkcat, or carving).

When we test tools for forensic use, it is not enough to say "X tool does not work on Y file system". You should understand why. In this case it would be accurate to say that "icat works as expected on an ext4 file system, but is of limited use on deleted entries". Be sure to understand the difference, and test your tools!
Sleuth Kit Exercise #2A – Physical String Search & Allocation Status (ext2)

We did a very basic recovery from a physical string search on our fat_fs.raw file system image earlier in this document. This exercise is meant to take some of what we learned there and apply it to a more complex disk image with additional challenges. In a normal examination you are going to want to find out (if possible) what file a positive string search result belonged to and whether or not that file is allocated or unallocated. That is the purpose of this exercise.
Exercises like this highlight very clearly the benefit of learning digital forensics with tools like the Sleuth Kit. Unlike most GUI forensic tools with menus and multiple windows, TSK forces you to understand the concepts behind the tools. You cannot use TSK without understanding which tools to use and when. Without knowing the concepts behind the tools, you don't get very far.
Back to our able2 image. This time we are going to do a search for a single string in able2.dd. In this case we will search our image for the keyword Cybernetik. Change to the directory containing our able2.dd image and use grep to search for the string:

Recall that our grep command is taking the file able2.dd, treating it as a text file (-a), and searching for the string cybernetik. The search is case-insensitive (-i) and will output the byte offset of any matches (-b). Note that without -o, grep -b reports the offset of the start of the "line" containing the match, which in binary data is wherever the previous newline byte happened to fall; with -o it reports the offset of the matching text itself. Use -o when the offset is going to be fed into block calculations.

Our output shows that the first match comes at byte offset 10561603. Like we did in our first string search exercise, we are going to quickly view the match by using our hex viewer xxd and using the -s option to provide the offset given by grep. We will also use the head command to indicate that we only want to see a specific number of lines, in this case just 5 (-n 5). We just want to get a quick look at the context of the match before proceeding.
Let's figure out which partition (and file system) the match is in. Use bc to calculate which sector of the image, and therefore of the original disk, the keyword is in. Each sector is 512 bytes, so dividing the byte offset by 512 tells us which sector:

The Sleuth Kit's mmls command gives us the offset to each partition in the image:

From the output of mmls above, we see that our calculated sector, 20628, falls in the second partition (between 10260 and 112859). The offset to our file system for the Sleuth Kit commands will be 10260.
The problem is that the offset that we have is the keyword's offset in the disk image, not in the file system (which is what the volume's data blocks are numbered against). So we have to subtract the offset to the partition that contains the file system from the offset to the keyword. The offset to the partition is simply a matter of multiplying its sector offset by the sector size:
CONTENT INFORMATION
--------------------------------------------
Block Range: 0 - 51299
Block Size: 1024
...
The abbreviated fsstat output above shows us that the data blocks within the volume are 1024 bytes each. If we divide the volume-relative offset by 1024, we identify the data block that holds the keyword hit.
In short, our calculation, taking into account all the illustrations above, is simply:

Note that we use parentheses to group our calculations. We find the byte offset to the file system first (10260*512), subtract that from the offset to the string (10561603) and then divide the whole thing by the data unit size (1024) obtained from fsstat. This (5184) is our data unit (not the inode!) that contains the string we found with grep. Very quickly, we can ascertain its allocation status with the Sleuth Kit command blkstat:

The command blkstat takes a data block from a file system and tells us what it can about its status and where it belongs. We'll cover the TSK blk tools in more detail later. So in this case, blkstat tells us that our keyword search for the string cybernetik resulted in a match in an unallocated block. Now we use ifind to tell us which inode (meta-data structure) points to data block 5184 in the second partition of our image:

Excellent! The inode that holds the keyword match is 10090. Now we use istat to give us the statistics of that inode:
Inode Times:
Accessed: 2003-08-10 00:18:36 (EDT)
File Modified: 1996-12-25 16:27:43 (EST)
Inode Modified: 2003-08-10 00:29:58 (EDT)
Deleted: 2003-08-10 00:29:58 (EDT)
Direct Blocks:
5184 5185 5186 5187
From the istat output we see that inode 10090 is unallocated (the same thing blkstat told us about the data unit). Note also that the first direct block indicated by our istat output is 5184, just as we calculated.

We can get the data from the direct blocks of the original file by using icat -r. Pipe the output through less so that we can read it more easily. Note that our keyword is right there at the top:
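The offset arithmetic walked through above (byte offset to sector, sector to partition, partition-relative offset to block) is worth having as reusable shell functions rather than one-off bc expressions. The script below is an added example, not part of the guide. It also includes the division used later in the blkls exercise (grep offset in a blkls output file to a unit number for blkcalc -u). The partition table it reads is a constructed "start end" list in the shape of the mmls columns; the second line is the able2 partition quoted in the text, the first line is assumed for illustration, and the blkls offset in the usage note is a constructed value.

```shell
#!/bin/sh
# Added example (not from the LinuxLEO guide): the offset arithmetic from
# the string search above as reusable functions. The byte offset should
# come from "grep -abo": with -o, -b reports the match itself rather than
# the start of the surrounding "line", which in binary data can lie far
# before the hit and even in another block.

# sector_of OFFSET [SECTOR_SIZE] -> sector containing the byte offset
sector_of() { echo $(( $1 / ${2:-512} )); }

# find_partition SECTOR < table   (table lines: "start end" in sectors,
# as read from mmls) -> start sector of the partition holding SECTOR;
# exit status 1 if the sector lies outside every partition
find_partition() {
    awk -v s="$1" '$1 <= s && s <= $2 { print $1; found = 1; exit }
                   END { if (!found) exit 1 }'
}

# fs_block OFFSET PART_START BLOCK_SIZE [SECTOR_SIZE]
#   -> "block byte-in-block", the data unit relative to the file system,
#      i.e. what blkstat, ifind -d and blkcat expect
fs_block() {
    rel=$(( $1 - $2 * ${4:-512} ))
    [ "$rel" -ge 0 ] || { echo "offset $1 precedes partition at $2" >&2; return 1; }
    echo "$(( rel / $3 )) $(( rel % $3 ))"
}

# blkls_unit OFFSET BLOCK_SIZE -> unit number inside a blkls output file,
# the value to hand to blkcalc -u
blkls_unit() { echo $(( $1 / $2 )); }

# Constructed partition table: the second line is the able2 partition
# quoted in the text; the first line is assumed for illustration.
ABLE2_TABLE='63 10259
10260 112859'

hit=10561603                      # offset reported by grep on able2.dd
sec=$(sector_of "$hit")           # 20628
if start=$(printf '%s\n' "$ABLE2_TABLE" | find_partition "$sec"); then
    set -- $(fs_block "$hit" "$start" 1024)
    echo "offset $hit: sector $sec, partition at $start, block $1, byte $2 in block"
    echo "next: blkstat -o $start able2.dd $1; ifind -o $start -d $1 able2.dd"
else
    echo "sector $sec is not inside any partition (unpartitioned space)"
fi
```

For the able2 hit this yields sector 20628, partition 10260, block 5184 and byte 67 within that block. A hit that falls before the first partition, or in the gap between partitions, makes find_partition fail, which is the case to check before reaching for the file system tools at all: such data belongs to no file system and has to be examined with dd or xxd directly. For a blkls output file, `blkls_unit 1631299 1024` (constructed offset) gives unit 1593 for blkcalc -u.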
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <stdio.h>
...
At this point, we have recovered the data we were looking for. We can run our icat command as above again, this time directing the output to a file (as we did with the rootkit file from our previous recovery exercise). We'll do that here for possible later reference:
barry@forensic1:~/able2$ ls -l 10090.recover
-rw-r--r-- 1 barry users 3591 May 28 13:25 10090.recover
One additional note: the Sleuth Kit provides a virtual directory that contains entries for orphan files. As we previously noted in our discussion of the fls command, these files are the result of an inode containing file data having no file name (directory entry) associated with it. The Sleuth Kit organizes these in the virtual $OrphanFiles directory. This is a useful feature because it allows us to identify and access orphan files from the output of the fls command.

Remember that various file systems act very differently. We'll continue to explore the differences between ext2 and ext4 in the next exercise. Much like TSK Exercise #1, we are going to do the same set of steps on the able_3 image and see what we get.
Sleuth Kit Exercise #2B – Physical String Search & Allocation Status (ext4)

Much like TSK Exercise #1, we are going to repeat our steps here for the ext4 image in able_3.000. Again, we are illustrating the differences in output for our tools based on the type of file system being analyzed so that we can recognize the difference file system behavior makes in our output. No diagrams this time. You should be familiar with the commands we are going to use here. The goal is to show the output we can expect at the end, and how we can perhaps deal with it.
We use the cat command to stream our split files to grep for our search. This is no different than reconstructing the file (creating a single image with cat >), but instead we just pass the output of cat straight to grep. Make sure the splits are passed in order; the zero-padded suffixes (.000 through .003) sort correctly with a shell glob, so the offsets grep reports are offsets into the reassembled image. The results are slightly different from our able2 search, but we are going to concentrate on the same match we used for our able2 ext2 exercise. That would be the keyword hit at 1632788547.
We're ready to run our blkstat command to find out if our keyword hit is in a block assigned to an allocated inode:

So the block is unallocated. Let's now see if we can find what inode this unallocated block belonged to:

And there's our answer. The inode cannot be found. Again this is because ext4 inodes that are unallocated have had their block references zeroed, so no inode in the table points at the block any longer. The ifind command is searching for a pointer to the data unit (-d) 327206.

All is not lost, though. Instead of using icat to extract the data blocks pointed to by an inode, we can instead use blkcat to directly stream the contents of a data block. Have a look below. We'll use blkcat and redirect to a file:
barry@forensic1:~/able_3$ ls -l blk.327206
-rw-r--r-- 1 barry users 4096 May 28 13:50 blk.327206
Here we use blkcat ("block cat") to extract a single block of data (that we know is 4096 bytes from our fsstat output) and save the whole thing. Remember our output from the able2 exercise prior to this:

barry@forensic1:~/able2$ ls -l 10090.recover
-rw-r--r-- 1 barry users 3591 May 28 13:25 10090.recover

Look at that! The md5sum of the file we recovered from able2 with icat matches the file we recovered using blkcat in able_3. Again, not quite realistic, but it serves to illustrate exactly what data we are getting and why. Keep in mind that blkcat returns a whole 4096-byte block; when the original file is shorter (3591 bytes here) the tail of the block is slack, and hashes should be compared over the original file's length. Hopefully there is some educational value for you there.
The block layer tools work on the actual file system blocks that hold the information we are seeking. They are not specific to unallocated data only, but are especially useful for working on unallocated blocks that have been extracted from an image. The tools that manipulate this layer, as you would expect, start with blk and include:
blkls
blkcalc
blkstat
blkcat
The tool that starts us off here is blkls. This command "lists all the data blocks". If you were to use the -e option, the output would be the same as the output of dd for that volume, since -e tells blkls to copy "every block". However, by default, blkls will only copy out the unallocated blocks of an image.

This allows us to separate allocated and unallocated blocks in our file system. We can use logical tools (find, ls, etc.) on the "live" files in a mounted file system, and concentrate data recovery efforts on only those blocks that may contain deleted or otherwise unallocated data. Conversely, when we do a physical search of the output of blkls, we can be sure that artifacts found are from unallocated content.

To illustrate what we are talking about here, we'll run the same exercise we did in TSK Exercise #2A, this time extracting the unallocated data from our volume of interest and comparing the output from the whole volume analysis vs. just unallocated analysis. So, we'll be working on the able2.dd image. We expect to get the same results we did in Exercise #2A, but this time by analyzing only the unallocated space, and then associating the recovered data with its original location in the full disk image.

First we'll need to change into the directory containing our able2.dd image. Then check the partition table and decide which volume we'll be examining so we know the -o (offset) value for our Sleuth Kit commands. To do this, we run the mmls command as before:
As with Exercise #2, we've decided to search the unallocated space in the second Linux partition (at offset 10260 above).

We run the blkls command using the offset option -o which indicates which partition's file system we are exporting the unallocated space from. We then redirect the output to a new file that will contain only the unallocated blocks of that particular volume.

Now, as we did in our previous analysis of this file system (Exercise #2) we will use grep, this time on the extracted unallocated space, our able2.blkls file, to search for our text string of interest. Read back through Exercise #2 if you need a refresher on these commands.

The grep command above now tells us that we have found the string cybernetik at four different offsets in the extracted unallocated space. We will concentrate on the first hit. Of course these are different from the offsets we found in Exercise #2 because we are no longer searching the entire original image.
We still want to know what file the hit belonged to, the meta-data associated with the file, and its context. Finding potential evidence in a big block of aggregate unallocated space is of little use to us if we cannot at least make some effort at attribution in the original file system.
That's where the other block layer tools come in. We can use blkcalc to calculate the location (by data block or fragment) in our original image. Once we've done that, we simply use the meta-data layer tools to identify and potentially recover the original file, as we did in our previous effort.

First we need to gather a bit of data about the original file system. We run the fsstat command to determine the size of the data blocks we are working with. We've done this a number of times already, but the repetition is useful to drive home the importance of this information.

In the fsstat command above, we see that the block size is 1024. We take the offset from our grep output on the able2.blkls image and divide that by 1024. This tells us how many unallocated data blocks into the unallocated image we found our string of interest. As usual, we use the echo command to pass the math expression to the command line calculator, bc:

We now know, from the above output, that the string cybernetik is in data block 1593 of our extracted unallocated file, able2.blkls.
The command above is running blkcalc on the file system at offset 10260 (-o 10260) in the original able2.dd, passing the data block we calculated from the blkls image able2.blkls (-u 1593). The result is a familiar block 5184 (see Exercise #2A again). The illustration below gives a visual representation of a simple example:

So, in simple terms, we have extracted the unallocated space, found a string of interest in a data block in the unallocated image, and then found the corresponding data block in the original image.

If we look at the blkstat (data block statistics) output for block 5184 in the original image, we see that it is, in fact, unallocated, which makes sense, since we found it within our extracted unallocated space (we're back to the same results as in Exercise #2A). Note that we
Using the command blkcat we can look at the raw contents of the data block (using xxd and less as a viewer). If we want to, we can even use blkcat to extract the block, redirecting the contents to another file, just as we did in Exercise #2B with our ext4 file system image.

If we want to recover the actual file and meta-data associated with the identified data block, we use ifind to determine which meta-data structure (in this case an inode, since we are working on an EXT file system) holds the data in block 5184. Then istat shows us the meta-data for the inode:
Inode Times:
Accessed: 2003-08-10 00:18:36 (EDT)
File Modified: 1996-12-25 16:27:43 (EST)
Inode Modified: 2003-08-10 00:29:58 (EDT)
Deleted: 2003-08-10 00:29:58 (EDT)
Direct Blocks:
5184 5185 5186 5187
We then use icat to recover the file. In this case, we just pipe the first few lines out to see our string of interest, cybernetik.
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/time.h>
At this point we've done a couple of intermediate exercises using ext2 and ext4 file systems from Linux disk images. In the following exercises we will do some simple analyses on an NTFS file system. This is the most common file system you are likely to find when it comes to personal and enterprise desktop and laptop computers today.

Some might ask, "why?" There are many tools out there capable of analyzing an NTFS file system in its native environment. In my mind there are two very good reasons for learning to apply the Sleuth Kit on Windows file systems. First, the Sleuth Kit is comprised of a number of separate tools with very discrete sets of capabilities. The specialized nature of these tools means that you have to understand their interaction with the file system being analyzed. This makes them especially suited to help learning the ins and outs of file system behavior. The fact that the Sleuth Kit does less of the work for you makes it a great learning tool. Second, an open source tool that operates in an environment other than Windows makes for an excellent cross-verification utility.

If you have not already done so, I would strongly suggest (again) that you invest in a copy of Brian Carrier's book: File System Forensic Analysis (published by Addison-Wesley, 2005). This book is the definitive guide to file system behavior for forensic analysts. As a reminder (again), the purpose of these exercises is NOT to teach you file systems (or forensic methods, for that matter), but rather to illustrate and introduce the detailed information TSK can provide on common file systems encountered by field examiners.
With support for libewf built into TSK, we'll work directly from those files. If you have not already done so, download the NTFS EWF files, extract the archive and let's begin.
barry@forensic1:~/NTFS_Pract_2017$
The output shows that an NTFS partition (and most likely the file system) begins at sector offset 2048. This is the offset we will use in all our Sleuth Kit commands. We now use fsstat to have a look at the file system statistics inside that partition:
METADATA INFORMATION
--------------------------------------------
First Cluster of MFT: 42581
First Cluster of MFT Mirror: 2
Size of MFT Entries: 1024 bytes
CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
...
Looking at th fsstat output on our NTFS fiel syst m, w s it diffo rs gr atly from
th output w saw running on a Linux EXT fiel syst m. The tool is d sign d to provid
p rtin nt information bas d on th fiel syst m b ing targ t d. Notic that wh n run on an
NTFS fiel syst m, fsstat provid s us with information sp cifiec to NTFS, including data about
th Mast r Fil Tabl (MFT) and sp cifiec atteribut valu s.
W will now hav a look at how th Sl uth Kit int racts with activ and d l t d fiel s on
an NTFS fiel syst m. L t’s fierst run fls on just th root l v l dir ctory of our imag :
Not that fls displays far mor information for us than normal dir ctory listings for
NTFS. Includ d with our r gular fiel s and dir ctori s ar th NTFS syst m fiel s (starting with
th $), including th $MFT and $MFTMIRROR (r cord numb rs 0 and 1). If you look at th MFT
numb rs, you’ll s that for som r ason r cord numb r 5 is missing. MFT r cord 5 is th root
244
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform
dir ctory, which is what w ar displaying h r . Just as th d fault display for EXT fiel
syst ms with fls is inod 2, th d fault for NTFS is MFT r cord 5.
You can dig d p r and d p r into th fiel syst m by providing fls with a dir ctory
MFT r cord and it will display th cont nts of that dir ctory. For illustration, r run th
command (us th up arrow and dit th pr vious command) with th MFT r cord 64 (th
Users dir ctory):
You can d lv d p into ach dir ctory this way. Theis is on way to “brows ” th fiel
syst m with fls.
We can also specify that fls show us only "deleted" content on the command line with the -d option. We will use -F (only file entries) and -r (recursive) as well:
The output above shows that our NTFS example file system holds a number of deleted files in several directories. Let's have a closer look at some NTFS specific information that can be parsed with TSK tools.
Attributes:
Type: $STANDARD_INFORMATION (16-0) Name: N/A Resident size: 48
Type: $FILE_NAME (48-4) Name: N/A Resident size: 100
Type: $SECURITY_DESCRIPTOR (80-1) Name: N/A Resident size: 80
Type: $DATA (128-2) Name: N/A Non-Resident size: 59861 init_size: 59861
91473 91474 91475 91476 91477 91478 91479 91480
The information istat provides us from the MFT shows values directly from the $STANDARD_INFORMATION attribute (which contains the basic metadata for a file) as well as the $FILE_NAME attribute and basic information for the other attributes that are part of an MFT entry. The data blocks that contain the actual file content are listed at the bottom of the output (for non-resident data).
The 48-4 attribute stores the file name. By piping the output of icat to xxd we can see the contents of this attribute, allowing us to view individual attributes for each MFT entry. By itself, this may not be of much investigative interest in this particular instance, but you should understand that attributes can be accessed separately by providing the full attribute identifier. The same idea is extended to other attributes of a file, most notably the "Alternate Data Streams" or ADS. By showing us the existence of multiple attribute identifiers for a given file, the Sleuth Kit gives us a way of detecting potentially hidden data. We cover this in our next exercise.
Remember that the mount command works on file systems, not disks. The file system in this image starts 2048 sectors into the image, so we mount using an offset. Since we are also examining an EWF image, we'll need to use ewfmount to fuse mount the image file. This all must be done as root:
barry@forensic1:~/NTFS_Pract_2017$ su -
Password:
root@forensic1:~# cd ~barry/NTFS_Pract_2017
root@forensic1:/home/barry/NTFS_Pract_2017# exit
logout
barry@forensic1:~/NTFS_Pract_2017$
The find command starts at the mount point (/mnt/evid), looking for all regular files (type -f). The result gives us a very long list of all the allocated regular files on the mount point. That's quite a lot of files, so for the sake of this exercise let's just look at the contents of the user Albert's Pictures directory (use the same command, but grep for AlbertE/Pictures):
Of particular interest in this output is the jet.mpg. Take note of this file. Our current method of listing files, however, gives us no indication of why this file is noteworthy.
At this point we are finished with the mount point and the fuse mounted image. Keeping track of mounted disks and partitions is an important part of this process:
barry@forensic1:~/NTFS_Pract_2017$ su -
Password:
root@forensic1:~# exit
logout
barry@forensic1:~/NTFS_Pract_2017$
We can unmount both the /mnt/evid file system and the fuse disk image at /mnt/ewf on the same line by separating the commands with &&. This means that the second command (fusermount) will only execute if the first umount is successful.
Back to our problem. To see why the file jet.mpg is interesting, let's try another method of obtaining a file list, the fls command. We can use the -F option to look only at file entries, and -r to do it recursively. We'll also grep for jet.mpg. You could use the directory MFT record numbers to browse down to the file, but this is quicker and more efficient:
39-128-1
39-128-3
Both entries have the same MFT record number and are identified as file data (39-128), but the attribute identifier increments are different. This is an example of an Alternate Data Stream (ADS). Accessing the standard contents (39-128-1) of jet.mpg is easy, since it is an allocated file. However, we can access either data stream, the normal data or the ADS, by using the Sleuth Kit command icat, much as we did with the files in our previous exercises. We simply call icat with the complete MFT record entry, including the alternate attribute identifier. Here we specify each of the data streams and send them to the file command using icat:
For the first (default) stream, we simply use the MFT record 39 to pass the default data to file. For the second stream, we pass the full attribute (39-128-3):
This time we see it is ASCII text. So now we can just pipe the same command to less (or straight to STDOUT) to view it:
+---------------------------------------------------------------------------+
:PHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHA:
:pha+-------------------------------------------------------------------+pha:
:PHA: Phreakers/Hackers/Anarchists Present: :PHA:
:pha: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= :pha:
:PHA: +=+ Gaining Better Access On Any Unix System +=+ :PHA:
:pha: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= :pha:
:PHA: Written By Doctor Dissector (doctord@darkside.com) UPDT: 1/8/91 :PHA:
:pha+-------------------------------------------------------------------+pha:
:PHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHA:
+---------------------------------------------------------------------------+
+-----------------------------------------------------------------------------+
:=[ Disclaimer ]==============================================================:
+-----------------------------------------------------------------------------+
The author and the sponsor group Phreakers/Hackers/Anarchists will not be held
responsible for any actions done by anyone reading this material before,
during, and after exposure to this document. This document has been
released under the notion that the material presented herin is for
informational purposes only, and that neither the author nor the group
P/H/A encourage the use of this information for any type of illegal
purpose. Thank you.
...
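The ADS check we just did by eye (two $DATA attributes, 39-128-1 and 39-128-3, on one MFT record) can be run over the whole fls listing. The script below is an added example and is not code from this guide or from The Sleuth Kit. It reads fls -F -r output on stdin; the sample lines in sample_fls are constructed in fls's output format for the demo (record 39 is jet.mpg as in the exercise, but the stream name hidden.txt and the other record numbers are invented).

```shell
#!/bin/sh
# Added example (not from the LinuxLEO guide or The Sleuth Kit): scan the
# output of "fls -F -r" for NTFS MFT records that own more than one $DATA
# attribute (type 128), the pattern the guide uses to spot an Alternate Data
# Stream. fls prints one entry per attribute as
#   <type>/<type> [*] <mft>-<attrtype>-<attrid>:<TAB><path>
# where "*" marks a deleted entry and an ADS path appears as file:stream.

# find_ads < fls-output: print "<mft>: <attr> <attr> ..." for every record
# with two or more $DATA attributes, in the order fls listed them.
find_ads() {
    awk '
    {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[0-9]+-128-[0-9]+:$/) {        # a $DATA attribute address
                attr = substr($i, 1, length($i) - 1)  # drop the trailing colon
                split(attr, part, "-")
                rec = part[1]
                streams[rec]++
                attrs[rec] = (attrs[rec] == "") ? attr : attrs[rec] " " attr
                break
            }
        }
    }
    END {
        for (rec in streams)
            if (streams[rec] > 1)
                print rec ": " attrs[rec]
    }'
}

# ads_paths MFT < fls-output: the path fls shows for each stream of one
# record, so the stream name (after the colon) can be read off before icat.
ads_paths() {
    awk -v rec="$1" '
    {
        for (i = 1; i <= NF; i++)
            if ($i ~ ("^" rec "-128-[0-9]+:$")) {
                path = substr($0, index($0, $i) + length($i))
                sub(/^[ \t]+/, "", path)
                print path
                break
            }
    }'
}

# sample_fls: constructed lines in fls format (record 39 is jet.mpg as in the
# guide; the stream name and the other records are invented for the demo).
sample_fls() {
    printf '%s\t%s\n' \
        'r/r 4-128-1:'      '$AttrDef' \
        'd/d 5-144-1:'      '.' \
        'r/r 39-128-1:'     'AlbertE/Pictures/jet.mpg' \
        'r/r 39-128-3:'     'AlbertE/Pictures/jet.mpg:hidden.txt' \
        'r/r 40-128-1:'     'AlbertE/Pictures/IMG_0001.jpg' \
        'r/r * 41-128-1:'   'AlbertE/Pictures/deleted.jpg'
}

# Demo: prints "39: 39-128-1 39-128-3", then the two paths for record 39.
sample_fls | find_ads
sample_fls | ads_paths 39
```

On a real image, feed it the listing directly (fls -o 2048 -F -r image | find_ads) and then pull each stream with icat and the full attribute address, as above. Two caveats before calling a hit "hidden data": some NTFS system files (for example $Secure) carry named $DATA streams by design, and browsers attach a Zone.Identifier stream to downloaded files, so the stream name from ads_paths is worth reading before you spend time on the content.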
Sleuth Kit Exercise #6 – Physical String Search & Allocation Status (NTFS)
We've already done a few string search exercises, but all of them have been on EXT file systems. We make a lot of assumptions when we search for simple strings in an image. We assume the strings will be accessible (not in a container that requires pre-processing), and we assume they will be in a character encoding that our search utility will find. This is not always the case. Most of the string searches we've done thus far have resulted in matches that are found in regular ASCII text files. When we search for strings in documents on Windows systems, for example, that won't always be the case. We'll need to deal with more control characters, and additional application overhead and considerations, like compressed and encoded formats.
This exercise still simplifies some of that, but it also serves to make you aware of some of the more complex issues that may arise when searching larger images with more complex content. It will also introduce us to some basic application level file viewers beyond those we've already seen. The scenario here is the same as in previous exercises. We'll pick a keyword, search the entire disk, and then recover and view the associated file. It will be very similar to the EXT exercises we did earlier (2A and 2B). This time, however, NTFS is our target file system.
The grep command points to the fuse mounted image in ewfmnt/. Since ewfmnt is in our current directory (we just created it here), there is no need for a leading /.
Back in our forensic basics section, early in this document, we discussed using the tr command to translate "control characters" to newlines. This has the effect of removing much of the unreadable content from our view as well as from the grep search, while the one for one character replacement causes no issue for offset calculations. Use tr here:
426596865:www.stopcyberbullying.org
426596971:Cyberbullying by proxy
426596995:Cyberbullying by proxy is when a cyberbully gets someone else to do
their dirty work. Most of the time they are unwitting accomplices and don't know
that they are being used by the cyberbully. Cyberbullying by proxy is the most
dangerous kind of cyberbullying because it often gets adults involve in the
harassment and people who don't know they are dealing with a kid or someone they
know.
...
...
CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
...
For review, this reads: "Take our offset to the keyword in our disk (426596865), subtract the offset to the start of the partition (2048*512), and divide the resulting value by our file system block size (4096)." Our file system block is 103893.
We can see that blkstat tells us the cluster (block) is unallocated, and ifind shows us that the metadata structure (MFT entry) associated with that data block (-d 103893) is 248-128-2.
Piping our icat output through the file command shows us we have a Microsoft Word document. Note that when we pass the MFT record to icat, we use only the record number, 248, rather than the entire attribute, since we are looking for the default attribute anyway, which is $DATA.
If we try to view the document with cat or less, we again get non-ASCII characters, making reading difficult.
This is fine, but opening and closing GUI programs to view file contents is not ideal for our command line approach. Instead, we can use a simple tool like catdoc to read MS Office files (.doc format) from the command line.
barry@forensic1:~/NTFS_Pract_2017$ su -
Password:
catdoc reads MS Word file and prints readable ASCII text to stdout, just
like Unix cat command. It also able to produce correct escape sequences
if some UNICODE characters have to be represented specially in your
typesetting system such as (La)TeX.
root@forensic1:~# exit
logout
Once installed, you can either open the file you exported (ntfs.248) with catdoc, or you can simply stream the output of icat straight through to catdoc, and again through less (multiple pipes are just awesome).
www.stopcyberbullying.org
________________________________________________________________________
Cyberbullying by proxy
This exercise essentially closes the loop on our physical searching of file systems. As we can see, there can be a lot more to searching an image than simple grep strings.
Let's leave with one more command, and a question. The fuse mounted image should still be available at ewfmnt/ewf1. Do a quick keyword search for "Uranium-235" (sounds ominous, doesn't it?):
For those of you that have not already heard of or used bulk_extractor, it is one of those tools that I use on nearly every case. Even where I have a targeted extraction or analysis to perform, bulk_extractor can always find additional information or, at the very least, provide an excellent overview of user activity or disk context. It is particularly useful in situations where you have been given (or acquired yourself) a high volume of media and you want to quickly sort out the interesting data. This triage capability is one of the highlights of bulk_extractor.
bulk_extractor differs from some other more common tools in that it runs and searches completely independent of the file system. In this case, it's not the files themselves that are interesting, but the content – whether allocated or unallocated, whole or fragmented, or even in compressed containers. bulk_extractor reads in the data by blocks, without regard to file system structure, and recursively searches those blocks for interesting features. Recursive in this case means the tool will, for example, decompress an archive to search the contents, and extract text from PDF files to be further processed.
http://downloads.digitalcorpora.org/downloads/bulk_extractor/BEUsersManual.pdf
Required parameters:
imagefile - the file to extract
or -R filedir - recurse through a directory of files
HAS SUPPORT FOR E01 FILES
HAS SUPPORT FOR AFF FILES
-o outdir - specifies output directory. Must not exist.
bulk_extractor creates this directory.
Options:
-i - INFO mode. Do a quick random sample and print a report.
-b banner.txt- Add banner.txt contents to the top of every output file.
-r alert_list.txt - a file containing the alert list of features to alert
(can be a feature file or a list of globs)
(can be repeated.)
-w stop_list.txt - a file containing the stop list of features (white list
(can be a feature file or a list of globs)s
(can be repeated.)
-F <rfile> - Read a list of regular expressions from <rfile> to find
-f <regex> - find occurrences of <regex>; may be repeated.
results go into find.txt
...
These scanners disabled by default; enable with -e:
-e base16 - enable scanner base16
-e facebook - enable scanner facebook
-e outlook - enable scanner outlook
-e sceadan - enable scanner sceadan
You can also get a slightly more descriptive output on the scanners by doing the same as above but with -H instead of -h.
The command provides some fairly self-explanatory information, including the data processed and the hash of the disk image. Change into the output directory and let's have a look at the files that were produced.
barry@forensic1:~$ cd blk_out/
barry@forensic1:~/bulk_out$ ls -l
total 336
-rw-r--r-- 1 barry users 0 Jun 5 08:27 alerts.txt
-rw-r--r-- 1 barry users 263 Jun 5 08:27 find.txt
-rw-r--r-- 1 barry users 206 Jun 5 08:27 find_histogram.txt
-rw-r--r-- 1 barry users 9814 Jun 5 08:27 report.xml
-rw-r--r-- 1 barry users 0 Jun 5 08:27 unzip_carved.txt
-rw-r--r-- 1 barry users 319995 Jun 5 08:27 zip.txt
Any files that are 0 size are empty: no features were noted. In this case the alerts.txt file is empty because we did not specify an alert file with the -r option. The feature file we are concerned with here is find.txt, produced by the find scanner. Open and have a look at this file:
The find.txt file has a commented area (lines starting with #), and the actual output of the scanner itself, with each "feature" found on one line. There are three parts to the scanner output for each feature. The first is an offset. This offset can have multiple parts. In bulk_extractor this is referred to as the forensic path. This includes a disk offset to the data containing the feature, the scanner(s) that found the object, and then the offset within that data. The forensic path is followed by the feature itself, in this case our "Uranium-235" search term. Finally we are given a small bit of context. In other words, for our example above:
Using what we've learned previously about physical searching, let's have a quick look at the data found at that offset. Remember our formula for finding the offset in a file system when given a disk offset? We've seen this NTFS image set before, so we already know the file system starts at sector offset 2048. We'll calculate the file system offset and then run the ifind command we've used several times already to find out what MFT entry points to the data block. Finally we'll use the icat command and pipe the output to file so we can identify the type:
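The disk offset to block calculation we did by hand for the grep hit at 426596865, and again here for the first component of the bulk_extractor forensic path, is easy to get wrong under time pressure, so here it is as an added shell example. This is not code from the guide or from the Sleuth Kit or bulk_extractor projects. The defaults (partition at sector 2048, 512-byte sectors, 4096-byte clusters) are the values mmls and fsstat reported for this image; the locate_hit function assumes The Sleuth Kit is installed and that you pass a raw image such as the fuse-mounted ewfmnt/ewf1, and it is the only function that touches the image.

```shell
#!/bin/sh
# Added example (not from the LinuxLEO guide): map a byte offset on the disk
# image to the file-system block that holds it, and pull the disk offset out
# of a bulk_extractor forensic path so the same mapping can be applied to it.
# Defaults are the values fsstat/mmls reported for the guide's NTFS image:
# partition at sector 2048, 512-byte sectors, 4096-byte clusters.

# fs_block DISK_OFFSET [PART_SECTOR SECTOR_SIZE BLOCK_SIZE]
# Zero-based file-system block containing DISK_OFFSET, or failure when the
# offset lies before the partition (a hit in the gap before the volume is
# not addressable by blkstat/ifind with this -o value).
fs_block() {
    off=$1; part=${2:-2048}; sect=${3:-512}; blk=${4:-4096}
    start=$(( part * sect ))
    if [ "$off" -lt "$start" ]; then
        echo "offset $off lies before the partition start ($start)" >&2
        return 1
    fi
    echo $(( (off - start) / blk ))
}

# fs_block_remainder: byte position of the hit inside that block, handy
# after "blkcat" when you want to jump straight to the keyword.
fs_block_remainder() {
    off=$1; part=${2:-2048}; sect=${3:-512}; blk=${4:-4096}
    fs_block "$@" >/dev/null || return 1
    echo $(( (off - part * sect) % blk ))
}

# be_disk_offset FORENSIC_PATH: the first component of a bulk_extractor
# forensic path is the offset on the image ("445901295-ZIP-9745" -> 445901295).
# The later components (scanner name, offset inside the decoded data) describe
# a position in derived data, not on disk, so they are dropped.
be_disk_offset() {
    printf '%s\n' "${1%%-*}"
}

# locate_hit IMAGE DISK_OFFSET [PART_SECTOR SECTOR_SIZE BLOCK_SIZE]
# Walk from the block to the MFT entry and identify the content, the way the
# guide does by hand. Needs The Sleuth Kit on PATH and a raw image such as
# the fuse-mounted ewfmnt/ewf1; not exercised by the self-test.
locate_hit() {
    img=$1; shift
    off=$1; part=${2:-2048}
    block=$(fs_block "$@") || return 1
    echo "disk offset $off -> block $block (+$(fs_block_remainder "$@") bytes)"
    blkstat -o "$part" "$img" "$block"                # allocated or not?
    entry=$(ifind -o "$part" -d "$block" "$img") || return 1
    echo "MFT entry: $entry"
    icat -o "$part" "$img" "$entry" | file -          # identify the content
}
```

Typical use: locate_hit ewfmnt/ewf1 "$(be_disk_offset 445901295-ZIP-9745)". Note that a feature found inside a container (the ZIP and MSXML components above) sits in the block that holds the compressed .docx, so the icat output is the container, not the decompressed text; that is why the guide pipes the result through file first.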
Let's run bulk_extractor again, but this time we'll leave all the default scanners running and use a list of search terms instead (just two). Change back to your home directory, and using a text editor (vi), create a file with just these two terms:
[Uu]ranium-235
262698143
...we've turned our first term into a regular expression that looks for either an upper or lowercase letter to start the word. The second is a "known victim" social security number [28]. Save the file as myterms.txt.
We'll also create a banner file so that all of our output files have a heading that identifies the case and the examiner/analyst. Again, using a text editor, enter the information you might want at the top of each file:
Office of Investigations
Case of the Century
Case#: 2017-01-0001
Investigator: Barry Grundy
[28] The second term is a social security number. Numbers for this exercise were generated with
http://www.theonegenerator.com/ssngenerator
Now we'll re-run bulk_extractor, without disabling or enabling scanners, using a banner file (-b mybanner.txt) and a file of terms to search for (-F myterms.txt). The output directory will be blk_out_full (-o blk_out_full). With all the scanners running, you will see quite a few more files in the output directory.
barry@forensic1:~$ ls blk_out_full/
aes_keys.txt find_histogram.txt telephone_histogram.txt
alerts.txt gps.txt unrar_carved.txt
ccn.txt httplogs.txt unzip_carved.txt
ccn_histogram.txt ip.txt url.txt
ccn_track2.txt ip_histogram.txt url_facebook-address.txt
ccn_track2_histogram.txt jpeg_carved.txt url_facebook-id.txt
domain.txt json.txt url_histogram.txt
domain_histogram.txt kml/ url_microsoft-live.txt
elf.txt kml.txt url_searches.txt
email.txt pii.txt url_services.txt
email_domain_histogram.txt pii_teamviewer.txt vcard.txt
email_histogram.txt rar.txt windirs.txt
ether.txt report.xml winlnk.txt
ether_histogram.txt rfc822.txt winpe.txt
exif.txt sqlite_carved.txt winprefetch.txt
find.txt telephone.txt zip.txt
# Filename: NTFS_Pract_2017/NTFS_Pract_2017.E01
# Feature-File-Version: 1.1
1193351-PDF-92 262698143 629369510 SSN: 262698143
445901295-ZIP-9745 Uranium-235 ference between Uranium-235 and Uranium-238
445901295-ZIP-0-MSXML-857 Uranium-235 ference between Uranium-235 and Uranium-238
Note that now all the output files also have our mybanner.txt text at the top. And this time we see that our find.txt contains not only the Uranium-235 hit we saw previously but also the "victim" social security number we added to our terms list. We now have features that were found in a zip archive (the .docx file we identified earlier) and in a PDF file (using the pdf scanner). The Microsoft Word file we identified earlier is now showing two features instead of one. This is because it was found by two scanners, the zip scanner and the msxml scanner.
One thing you may notice is that a large number of the features found by the email and url scanners (and others) come from known sources. Every operating system and the external software we use has help files, manuals, and other documentation that contain email addresses, telephone numbers, and web addresses that are uninteresting, but will still end up in your bulk_extractor feature files and histograms. These false positives can be limited by using stop lists. Much like our myterms.txt file, a stop list can be a simple list of terms (or terms with context) that are blocked from the regular scanner feature files (but still reported in special stopped.txt files for each scanner).
barry@forensic1:~$ su -
Password:
root@forensic1:~# exit
This command uses wget to download the catdocx script from github directly to /usr/bin/catdocx (with the -O option). The && allows us to run chmod immediately after the wget completes to change the permissions and make the file executable. Since this drops a script fetched over the network straight into a root-owned directory on your PATH, read through it before you run it, and fetch it over https rather than plain http.
Physical Carving
Scalpel
To use it, you MUST have a conf file that defines the file types you want
to recover. Use the example scalpel.conf file from /usr/doc/scalpel
If you read the README file (which you did, RIGHT?), you will see that we need to copy and edit the scalpel.conf file before we can run the program. We can either edit and use it in place, or copy it to our working directory, which scalpel uses by default.
For now, we'll copy the scalpel.conf file that was installed with our package to a new carve sub directory in our home directory, which we'll create now, and edit it there.
barry@forensic1:~$ cd ~/carve
barry@forensic1:~/carve$ cp /usr/share/doc/scalpel-2.0/scalpel.conf .
The final "." in the command above signifies the destination, our current directory.
scalpel.conf starts out completely commented out. We will need to uncomment some file definitions in order to have scalpel do anything. Open it with vi (or your editor of choice) to edit. You should take time to read the file, as it explains the structure of the file definitions in useful detail.
barry@forensic1:~/carve$ vi scalpel.conf
# Scalpel configuration file
# This configuration file controls the types and sizes of files that
# are carved by Scalpel. NOTE THAT THE FORMAT OF THIS FILE WAS
# EXTENDED in Scalpel 1.90-->!
# For each file type, the configuration file describes the file's
# extension, whether the header and footer are case sensitive, the
# min/maximum file size, and the header and footer for the file. The
# footer field is optional, but extension, case sensitivity, size, and
# footer are required. Any line that begins with a '#' is considered
# a comment and ignored. Thus, to skip a file type just put a '#' at
# the beginning of the line containing the rule for the file type.
#---------------------------------------------------------------------
# GRAPHICS FILES
#---------------------------------------------------------------------
#
#
# AOL ART files
art y 150000 \x4a\x47\x04\x0e \xcf\xc7\xcb
art y 150000 \x4a\x47\x03\x0e \xd0\xcb\x00\x00
# PNG
png y 20000000 \x50\x4e\x47? \xff\xfc\xfd\xfe
# BMP (used by MSWindows, use only if you have reason to think there are
# BMP files worth digging for. This often kicks back a lot of false
# positives
# TIFF
tif y 200000000 \x49\x49\x2a\x00
# TIFF
tif y 200000000 \x4D\x4D\x00\x2A
If you look at the lines for the jpg images, you will see the familiar pattern that we searched for during our dd carving exercise: \xff\xd8 for the header and \xff\xd9 for the footer. When we run scalpel, these uncommented lines will be used to search for patterns. When you are finished editing the file (double check!), save and quit with :wq
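Uncommenting rules by hand in vi works for a handful of types, but the "double check!" step is where mistakes creep in (a rule left half commented, a max size with a stray character). The helpers below are an added example, not code from the guide or from the scalpel project: they toggle rules for a given extension, list what is actually active, and sanity check each active rule against the format the file describes (extension, case sensitivity y/n, max size, header, optional footer). The sample_conf function writes a small constructed config for the demo; its gif/jpg header and footer bytes are the standard ones.

```shell
#!/bin/sh
# Added example (not from the LinuxLEO guide or the scalpel project): helpers
# for scalpel.conf. A rule line is
#   <extension> <case-sensitive y/n> <max-size> <header> [footer]
# and is disabled by a leading '#'. Fields are whitespace separated.

# sample_conf FILE: write a small, fully commented-out config (constructed
# for this example; the gif/jpg magic bytes are the standard ones).
sample_conf() {
    cat > "$1" <<'EOF'
# Scalpel configuration file (constructed sample)
#---------------------------------------------------------------------
# GRAPHICS FILES
#---------------------------------------------------------------------
# GIF and JPG files (very common)
#       gif     y       5000000         \x47\x49\x46\x38\x37\x61        \x00\x3b
#       gif     y       5000000         \x47\x49\x46\x38\x39\x61        \x00\x3b
#       jpg     y       200000000       \xff\xd8\xff\xe0\x00\x10        \xff\xd9
#       jpg     y       200000000       \xff\xd8\xff\xe1        \xff\xd9
EOF
}

# enable_rule EXT FILE: strip the leading '#' from every rule for EXT.
# (Written to a temp file and moved, so it works with both GNU and BSD sed.)
enable_rule() {
    tmp="$2.tmp.$$"
    sed "s/^#[[:space:]]*\($1[[:space:]]\)/\1/" "$2" > "$tmp" && mv "$tmp" "$2"
}

# disable_rule EXT FILE: comment out every active rule for EXT.
disable_rule() {
    tmp="$2.tmp.$$"
    sed "s/^\($1[[:space:]]\)/#\1/" "$2" > "$tmp" && mv "$tmp" "$2"
}

# active_rules FILE: the rules scalpel will actually use (no comments,
# no blank lines).
active_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' || true
}

# check_rules FILE: fail (and name the offender) if an active rule is missing
# a field, has a non-numeric max size, or a case flag other than y/n.
check_rules() {
    active_rules "$1" | awk '
        NF < 4 || $3 !~ /^[0-9]+$/ || ($2 != "y" && $2 != "n") {
            bad++; print "bad rule: " $0 > "/dev/stderr"
        }
        END { exit bad ? 1 : 0 }'
}
```

Usage: enable_rule jpg scalpel.conf; enable_rule gif scalpel.conf; check_rules scalpel.conf && then run scalpel with the flags the text describes (-e, -o scalp_out, -O) against home.blkls. Because check_rules only inspects active lines, a rule you forgot to uncomment is silently absent from the carve, which is exactly why active_rules is worth a glance before a long run.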
For this exercise, we will use the able_3 split image as our target. In our Sleuth Kit exercise #1B (deleted file identification and recovery – ext4), we ran across a number of files (lolitaz*) in the /home/ directory that could not be recovered. This is an obvious use case for file carving.
Remember that the TSK tools can work directly on split images, so there is no need for us to fuse mount the image or loop mount any file systems. Running mmls gives us the file system offsets (if you remember, the /home directory was mounted on the second Linux file system at offset 104448). We use that with our blkls command. You can run a quick recursive fls command using the -r option to refresh your memory on the files we are looking for. The files with the asterisk (*) next to the inode number are deleted:
barry@forensic1:~/carve$ ls
home.blkls scalpel.conf*
The blkls command is run with the offset (-o) pointing to the second Linux file system, which starts at sector 104448. The output is redirected to home.blkls. The name "home" is used to signify that this is the partition mounted as /home. Now we can see (with the ls command above) that we have two files in the ~/carve directory.
would be searching for files that start at the beginning of a data block. Be careful doing that. The trade off here is that while you get fewer false positives, it also means that you miss files that may be embedded or "nested" in other files. Block aligned searching is done with the -q <blocksize> option. Try this option later, and compare the output. To get the block size for the target file system, you can use the fsstat command as we did in previous exercises.
You can carve multiple images at once with the -i <listfile> option, and there are other options to test data (write an audit file without carving).
In this case, we'll use an option that allows us to properly parse embedded files (-e). This option allows the proper pairing of headers and footers. Without the -e option, a header followed by another header (as with an embedded file) would result in both files sharing the same footer.
Finally, we'll use the -o option to redirect our carved files to a directory we are going to call scalp_out, and the -O option so the output remains in a single output directory instead of categorized sub directories. Having the files in a single folder makes for easier viewing.
Done.
Scalpel is done, files carved = 7, elapsed = 2 secs.
barry@forensic1:~/carve$ ls scalp_out/
00000000.gif 00000002.jpg 00000004.jpg 00000006.jpg
00000001.jpg 00000003.jpg 00000005.jpg audit.txt
The output above shows scalpel carving those file types whose definitions were uncommented. Once the command completes, a directory listing shows the files (with the extension for the carved file type added) and an audit.txt file. The audit.txt file provides a log with the contents of scalpel.conf and the program output:
# This configuration file controls the types and sizes of files that
# are carved by Scalpel. NOTE THAT THE FORMAT OF THIS FILE WAS
# EXTENDED in Scalpel 1.90-->!
...
------ END COPY OF CONFIG FILE USED ------
The files can be viewed with display at the command line or with a GUI viewer that can provide a thumbnail and windowed view. The program geeqie is a simple example.
barry@forensic1:~/carve$ cd scalp_out/
barry@forensic1:~/carve/scalp_out$ geeqie
There are other files to be found in this unallocated data. To illustrate this, let's look at the scalpel.conf file again and add a different header definition for a bitmap file. Open scalpel.conf again:
# BMP (used by MSWindows, use only if you have reason to think there are
# BMP files worth digging for. This often kicks back a lot of false
# positives
Here we've changed the max size to 300000 bytes, and replaced the first \x00 string with \x04. Save the file.
Re-run scalpel (writing to a different output directory, scalp_out2), and check the output:
Given that carving can be approached with a variety of algorithms, it is a good idea to run your data through more than one tool. For that reason, we'll also look at photorec.
photorec
barry@forensic1:~/carve$ su -
Password:
If you want to enable the use of sudo run the script with SUDO=true
It looks like testdisk has options; would you like to set any when the SlackBuild
is run? [n]
...
Proceed with testdisk? [y]
...
Package testdisk-7.0-x86_64-1_SBo.tgz installed.
root@forensic1:~# exit
barry@forensic1:~/carve$
Running photorec from the command line is simple. We'll use the /log option to create a log file (in the current directory) and the /d <dirname> option to provide an output directory (we'll use photorec_out). We will also point the program directly at the home.blkls unallocated data from able_3. This will drop us into the photorec menu.
The main menu appears with the home.blkls file already selected and loaded. We'll go through the menu options quickly. It's all fairly self explanatory, and additional details can be found at http://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step.
Normally, the above menu would include disk partitions from internal disks and removable media, but since we specifically called the home.blkls file, it is loaded by default. Select [Proceed] with the arrow keys and hit <enter>.
If this were a full disk image, photorec would display the contained file systems and partitions. In this case, it is simply unallocated data and there is no partition to display. Select [Options] and hit <enter>.
Obviously, feel free to play with the options and explore the different menus. For this simple exercise, leaving the defaults as they are will work just fine.
This will bring you to the file selection menu. photorec will recover almost five hundred different file signatures. You can select or deselect from this menu. For now we'll leave the default file selections in place (there are a few deselected by default). Select [Quit] again to return to the main menu. At the main menu, select [Search] and hit <enter>.
Once the search is complete, you will see the number of files recovered, and the output directory (photorec_out, which we specified on our command line). The carve is now complete. Select [Quit] in the subsequent menus and exit the program. You'll be dropped back at the command prompt.
Looking at a directory listing, you can see we now have a new output directory, photorec_out.1/, along with a log file that was created with the /log option. Have a look at the log file, photorec.log, with the less command.
barry@forensic1:~/carve$ ls
home.blkls photorec_out.1/ scalp_out2/
photorec.log scalp_out/ scalpel.conf*
12196 sectors contains unknown data, 2 invalid files found and rejected.
Like scalpel, the log output provides suitable information for inclusion in a report if needed. Note that the offset locations for each carved file are given as sector offsets rather than byte offsets (multiply each offset given above by 512 to compare the offsets with the scalpel audit.txt file).
barry@forensic1:~/carve$ ls photorec_out.1/
f0012156.gif f0012262.jpg f0012904_lrkn.tar.gz
f0012206.jpg f0012294.bmp report.xml
The contents of the output directory show that photorec recovered not only a few image files, but also a file called f0012904_lrkn.tar.gz. If you recall our able_3 exercise, you'll remember that this was a file of some interest. photorec is useful for far more than just a few images. If you try to untar/extract the file, you'll find it's corrupted. Some of it, however, is still recoverable.
...
-rw-r--r-- lp/lp 1996 1996-11-02 16:39 lrk3/z2.c
There is still much information that can be gleaned from the recovery of this file. You can see the README is one of those files recovered. We can use this to define strings for us to search and perhaps discover where the archive was decompressed and extracted (which we did earlier in our physical search exercise). This is one of the reasons we elect to use more than one carving utility. Differences in output can strengthen our analysis.
On qu stion you might fiend yours lf asking is “How do I fficci ntly compar carv
output from two diffo r nt tools to g t an accurat count of fiel s r cov r d?”. In our v ry small
sampl produc d by th x rcis s h r , it’s a fairly simpl job. W just compar th imag fiel s
in a graphical vi w r. The r ar a littel ov r a doz n total imag s to r vi w. If, how v r, w
w r to carv a disk imag with hundr ds of unallocat d imag fiel s, th comparison would b
far mor difficcult. To addr ss this, l t’s hav a look at a simpl program that will do th work
for us.
Obviously this is not a simpl matte r of comparing fiel nam s. The fiel s ar carv d from
th data blocks without any r gard to dir ctory ntri s or oth r fiel syst m information. So th
tools us th ir own naming sch m . Int r stingly photorec includ d th nam of th original
lrkn.tar.gz nam of th tar archiv in its output. Theis is b caus th nam of th fiel is part
of th fiel m tadata (run file f0012904_lrkn.tar.gz and you’ll s th gzip h ad r contains
th nam ).
437a614c352b03a6a4575e9bbc2070ae scalp_out2/00000003.jpg
6742ca9862a16d82fdc4f6d54f808f41 scalp_out2/00000007.bmp
a0794399a278ce48bfbd3bd77cd3394d scalp_out2/00000002.jpg
aa607253fc9b0a70564228ac27ad0b13 scalp_out2/00000006.jpg
b5ca633bea09599c3fb223b4187bb544 photorec_out.1/f0012294.bmp
b6703670db3f13f23f7a3ed496a2b95c scalp_out2/00000001.jpg
f979cd849ccdd5c00fd396b600a9a283 scalp_out2/00000005.jpg
110983800a177c1746c54b15edec989a photorec_out.1/f0012156.gif
110983800a177c1746c54b15edec989a scalp_out2/00000000.gif
Well, this is fine. But it might also be nice to actually de-duplicate the files by removing
one of the duplicates. Again, easy enough in our small sample here, but far more challenging
and time consuming if you are dealing with hundreds or thousands of contraband images you
need to sort and accurately count.
For this we can use a program called fdupes. fdupes works using both file names and
hashes to find, report, and if requested – remove duplicate files from user specified directories.
It is easy to use and very effective.
barry@forensic1:~/carve$ su -
Password:
root@forensic1:~# exit
We will run fdupes twice (always good practice). The first run will show all the
duplicated files, each pair on a single line. Review the output to ensure there are no
unexpected files, and then re-run the command with the --delete option.
The options we pass are -R for recursion. There are no sub folders in this example, but
it never hurts to allow recursion. Particularly on large scale examinations where carve output
can be quite massive and you might have specified categorized output for scalpel in
particular (different file types in different directories). We also use the -1 option to put
matches on the same line. This is personal preference. Run without this option and see what
you prefer.
[+] scalp_out2/00000000.gif
[-] photorec_out.1/f0012156.gif
[+] scalp_out2/00000003.jpg
[-] photorec_out.1/f0012206.jpg
[+] scalp_out2/00000004.jpg
[-] photorec_out.1/f0012262.jpg
The output above indicates that the first file has been kept [+] and the second file
deleted [-]. If there were more than one matching file in each set, then only the first would
remain. To better control this behavior, remove the -N option and you can select which files to
keep.
This concludes our physical carving section. We’ve learned how to carve files from
unallocated space, view the files, sort them, and remove duplicates in an efficient manner.
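As an added example that is not code from the guide, the Python below does the same cross-tool comparison and de-duplication in one place: every file under each carve output directory is grouped by content hash, so the tool-specific names (scalpel’s 00000003.jpg versus photorec’s f0012206.jpg) never matter, and the first copy of each group is kept while the rest are reported or removed, in the spirit of the md5sum | sort listing and of fdupes -R -1 / --delete. The directory names and file bytes in build_sample() are constructed for the demo.

```python
"""Compare carve output from two tools by content hash, then de-duplicate."""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks; carved objects can be large."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(*dirs):
    """Walk each carve directory recursively (like fdupes -R) and group every
    regular file by digest. Returns {digest: [sorted paths]}; sorting makes the
    'kept' copy deterministic."""
    groups = defaultdict(list)
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                groups[sha256_file(p)].append(p)
    return {k: sorted(v) for k, v in groups.items()}


def unique_count(groups):
    """Distinct carved objects, however many tools recovered each one."""
    return len(groups)


def duplicates(groups):
    """Only the groups with more than one path (fdupes' default report)."""
    return {k: v for k, v in groups.items() if len(v) > 1}


def delete_duplicates(groups, dry_run=True):
    """Keep the first path of each group ([+]) and remove the rest ([-]).
    dry_run=True is the review pass the guide recommends before --delete."""
    kept, removed = [], []
    for paths in duplicates(groups).values():
        kept.append(paths[0])
        for p in paths[1:]:
            if not dry_run:
                os.remove(p)
            removed.append(p)
    return kept, removed


def build_sample(root):
    """Constructed sample: two 'tools' carve overlapping sets of files.
    The bytes are fake; only the overlap between the directories matters."""
    gif = b"GIF89a" + b"\x00" * 40
    jpg = b"\xff\xd8\xff\xe0" + b"fake-jpeg" * 8
    bmp = b"BM" + b"\x01" * 30
    files = {
        "scalp_out2/00000000.gif": gif,
        "scalp_out2/00000003.jpg": jpg,
        "scalp_out2/00000007.bmp": bmp,
        "photorec_out.1/f0012156.gif": gif,          # same bytes as scalpel's gif
        "photorec_out.1/f0012206.jpg": jpg,          # same bytes as scalpel's jpg
        "photorec_out.1/f0012294.bmp": bmp + b"\x00",  # one byte longer: not a dup
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return [os.path.join(root, "scalp_out2"), os.path.join(root, "photorec_out.1")]


def run_demo():
    """End to end on the constructed sample.
    Returns (distinct objects, duplicate groups, files left after --delete)."""
    root = tempfile.mkdtemp(prefix="carve_")
    try:
        groups = hash_tree(*build_sample(root))
        n_unique = unique_count(groups)           # 4 distinct objects among 6 files
        n_dup_groups = len(duplicates(groups))    # 2 groups: the gif and the jpg
        delete_duplicates(groups, dry_run=False)
        remaining = sum(len(f) for _, _, f in os.walk(root))
        return n_unique, n_dup_groups, remaining  # (4, 2, 4)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```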
Application Analysis
This is where the Application Layer of our analysis model comes in. For our purposes
here, the term “application” can be thought of as operating system or user interactive files -
that is: files that are created by applications accessed by the operating system or through user
interaction (either with the operating system or external software).
In simplest terms, application analysis can be as simple as viewing the file directly for
content – we’ve used catdoc and catdox for MS Office files, various image viewers like
geeqie, xv and display for pictures, and simple text viewers like less for simple ASCII files.
But forensic analysis is much more than simply recovering files and displaying the content.
That sort of activity is really just data recovery. Digital forensics, however, needs to include
other techniques:
being, these make for excellent tertiary cross-verification tools and vehicles for learning
specific artifacts and structure.
Let’s start our exploration of libyal and application analysis by looking at specific
Windows registry files.
As usual, we start with the disclaimer that this section is not about learning registry
forensics. It’s about the tools. Of course you might gain some knowledge along the way, but
that is not our purpose here. If you want to look deeper into these registry files and learn more
about the art of registry forensics, then I strongly suggest you look to the excellent book[30]
written by Harlan Carvey on the subject (and browse his blog[31]). You might want to have a
basic understanding of registry structure before you begin this exercise, so you have some
context for what’s to come. And, of course there are other (faster and more comprehensive)
ways to parse a registry. For example, Harlan Carvey’s well known RegRipper will run just
fine on Linux.
Our real purpose in this section is to show you how to do this sort of analysis at the
byte level, using some common Linux tools like xxd and tr, rather than relying on more
automated tools to do it for you. What we do here is not much different from what the Perl
scripts in RegRipper do (although we simplify it somewhat here).
First, though, we need to have a registry file to work on. We’ll start with the
NTUSER.DAT file from the AlbertE account in our NTFS file system sample
(NTFS_Pract_2017.E01).
Since we are targeting the AlbertE account, and we know that a specific user’s
NTUSER.DAT file is in the /Users/$USERNAME/ folder, we can use ifind to target the specific
file by name. To run ifind, we use mmls as we did previously to find the offset to the file
system in our image:
[30] https://www.elsevier.com/books/windows-registry-forensics/carvey/978-1-59749-580-6
[31] http://windowsir.blogspot.com/
Alternatively, if you want to search for all the NTUSER.DAT files on a system, you could
use fls with the option to recursively list all regular files (-Fr), grepping the output for
NTUSER.DAT. In either case, we again find the MFT entry for AlbertE’s NTUSER.DAT is 285:
Once you’ve identified the MFT entry using one of the two methods above, you can
simply extract the file with icat, arbitrarily naming the output (we use NTUSER.285 here).
Run the file command to check the resulting type:
Now that we have the registry file we want, we can choose a specific key to search for
useful information. As an example, we’ll look at the UserAssist entries. These entries occur
in the registry when a user executes a program from the desktop. UserAssist entries are
barry@forensic1:~$ su -
Password:
root@forensic1:~# exit
You can have a look at the utilities that were installed by this package by looking at the
package file in /var/log/packages:
We can see that the package came with three executable programs placed in /usr/bin.
We will concentrate on using regfmount. Much like libewf’s ewfmount (which is also part of
the libyal project) regfmount provides a fuse file system interface to a file object, in this case
a registry file. The usage is very similar. First, we’ll create a mount point in our current
directory, followed with the registry being mounted:
barry@forensic1:~$ cd ntusermnt
barry@forensic1:~/ntusermnt$ ls
AppEvents/ EUDC/ Keyboard\ Layout/ Software/
Console/ Environment/ Network/ System/
Control\ Panel/ Identities/ Printers/
barry@forensic1:~/ntusermnt$ cd
Software/Microsoft/Windows/CurrentVersion/Explorer/UserAssist/
barry@forensic1:~/ntusermnt/Software/Microsoft/Windows/CurrentVersion/Explorer/
UserAssist$ ls
{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}/
{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}/
You can see once we change into that directory our prompt is quite long! When we run
our ls command, we see two cryptic looking directory (GUID) entries. Change directory into
{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}[32] and the sub directory Count/(values). Note
that when you type the (values) sub directory, you will need to escape the parentheses with
\, so you will use \(values\).
barry@forensic1:~/ntusermnt/Software/Microsoft/Windows/CurrentVersion/Explorer/
UserAssist$ cd \{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F\}/
barry@forensic1:~/ntusermnt/Software/Microsoft/Windows/CurrentVersion/Explorer/
UserAssist/{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}$ cd Count/\(values\)/
barry@forensic1:~/ntusermnt/Software/Microsoft/Windows/CurrentVersion/Explorer/
UserAssist/{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}/Count/(values)$
Now have a look at the contents of this directory. I’m going to abbreviate the command
prompt with ... to make the lines more readable.
barry@forensic1:~.../Count/(values)$ ls
HRZR_PGYFRFFVBA
HRZR_PGYPHNPbhag:pgbe
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\\\Jvaqbjf\ Snk\ naq\ Fpna.yax
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\\\KCF\ Ivrjre.yax
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\\\Npprffbevrf\\\\Cnvag.yax
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\\\Npprffbevrf\\\\Erzbgr\ Qrfxgbc\
Pbaarpgvba.yax
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\\\Npprffbevrf\\\\Favccvat\ Gbby.yax
[32] This is where bash completion comes in real handy. When using the cd command here, type the first
two characters and hit the <tab> key ( cd {F<tab> )... The rest will fill in automatically. Best. Feature.
Ever.
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\\\Npprffbevrf\\\\Fgvpxl\ Abgrf.yax
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\\\Npprffbevrf\\\\Jrypbzr\ Pragre.yax
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\\\Npprffbevrf\\\\Pnyphyngbe.yax
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\\\Npprffbevrf\\\\qvfcynlfjvgpu.yax
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\\\Nqzvavfgengvir\ Gbbyf\\\\Pbzchgre\
Znantrzrag.yax
{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\\\\GnfxOne\\\\Jvaqbjf\ Rkcybere.yax
{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\\\\GnfxOne\\\\Tbbtyr\ Puebzr.yax
{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\\\\GnfxOne\\\\Vagrearg\ Rkcybere.yax
{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\\\\GnfxOne\\\\Zbmvyyn\ Sversbk.yax
{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\\\\Npprffbevrf\\\\Npprffvovyvgl\\\\
Zntavsl.yax
{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\\\\Npprffbevrf\\\\Pbzznaq\ Cebzcg.yax
So if you did any reading on this particular registry key, you’ll find that the above
entries (or “files” in our fuse mounted file system) are ROT 13 obfuscated. This means that the
characters in each string above are swapped a-m or A-M for the corresponding n-z or N-Z, so
an “a” becomes an “n” and a “b” becomes an “o”, and so on. We can de-obfuscate this text with
the tr command we’ve used previously to replace one character with another. In this case
we’ll be replacing characters n-za-m with a-z, etc. Let’s try this on the repeating string at the
end of every line, .yax:
We can see that the .yax string at the end of each line is actually the .lnk file extension
(indicating a link or shortcut file).
./{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Accessories\\Sticky Notes.lnk
./{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Accessories\\Welcome Center.lnk
./{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Accessories\\Calculator.lnk
./{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Accessories\\displayswitch.lnk
./{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Administrative Tools\\Computer
Management.lnk
./{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\\TaskBar\\Windows Explorer.lnk
./{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\\TaskBar\\Google Chrome.lnk
./{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\\TaskBar\\Internet Explorer.lnk
./{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\\TaskBar\\Mozilla Firefox.lnk
./{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Accessories\\Accessibility\\Magnify.lnk
./{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Accessories\\Command Prompt.lnk
For review, the first line of the bash loop above means “for every file in the current
directory (./*), do the following echo | tr command”, followed by the bash keyword done to
close the loop.
{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\\\\GnfxOne\\\\Zbmvyyn\ Sversbk.yax
{9E3995AB-1F9C-4F13-B827-48B24B6C7174} \\TaskBar \\Mozilla Firefox.lnk
That particular entry is for a link to Mozilla Firefox. The GUID value in the front of the file
name represents the FOLDERID_UserPinned “known folder”[34]. If we want to view the contents or
“value” of the entry, we need to use the ROT-13 name on the command line. We can use xxd to see
the raw values in hex.
A count of the number of times this link was used can be found at offset 0x04
(highlighted in yellow). So this link was accessed 4 times, according to this entry. The date in
Windows FILETIME format can be found at offset 0x3c (highlighted in blue).
[33] The extra escape (\) characters in the obfuscated output are because the ls command escapes the spaces.
The echo command used with the tr command does not.
[34] https://msdn.microsoft.com/en-us/library/windows/desktop/dd378457(v=vs.85).aspx
While the access count at 0x04 is easy to decipher, the Windows date value is not. I use
a small python script to decode the time value (the number of 100 nanosecond blocks since
January 1, 1601). You can download the python script (WinTime) using wget:
Once you have the script, you can copy the hex value and provide it as an argument to
WinTime.py. Be sure to remove the spaces from the value (we’ll use an alternative way of
getting this value from xxd later):
If you did a full install of Slackware, Python should already be on your system. Note
that the python command points to the WinTime.py file we previously named with wget -O.
The ~ indicates the file is in our home directory. This leaves us with a last execution time of
April 27 at approximately 01:45. A complete forensic education regarding registry entries,
interpreting dates and times, and time zone adjustment is far outside the scope of this guide,
but make sure you take time settings, time zones and clock skew into account for any forensic
examination where dates are meaningful. File dates and timestamps are one of the pitfalls of
analysis. Read up on the subject completely before making any interpretations.
Speaking of dates and times, how would we go about finding the last write time of the
UserAssist sub key itself? We’ve been looking at and decoding sub key values, but the last
write time of a key is more akin to a property of the key itself. With the registry file fuse
mounted through regfmount, the keys and sub-keys act as directories. If you run the ls -l
command, you can see a date associated with the keys. Change directories up so your current
working directory is
/ntusermnt/Software/Microsoft/Windows/CurrentVersion/Explorer/. This would be up
four levels, or up to the “parent directory [../] four times”. Then run ls -l:
barry@forensic1:~/ntusermnt/Software/Microsoft/Windows/CurrentVersion/Explorer/
UserAssist/{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}/Count/(values)$ cd ../../../..
barry@forensic1:~/ntusermnt/Software/Microsoft/Windows/CurrentVersion/Explorer
$ ls -l
total 0
dr-xr-xr-x 2 barry users 0 May 1 12:39 (values)/
The time shown for the UserAssist “directory” is Apr 5 21:36. A more precise time
can be shown with the stat command run on the directory:
barry@forensic1:~/ntusermnt/Software/Microsoft/Windows/CurrentVersion/Explorer
$ stat UserAssist/
File: 'UserAssist/'
Size: 0 Blocks: 0 IO Block: 4096 directory
Device: 25h/37d Inode: 8 Links: 2
Access: (0555/dr-xr-xr-x) Uid: ( 1000/ barry) Gid: ( 100/ users)
Access: 2017-04-05 21:36:50.000000000 -0400
Modify: 2017-04-05 21:36:50.000000000 -0400
Change: 2017-04-05 21:36:50.000000000 -0400
Birth: -
Let’s look at another registry file, the SAM hive. The SAM hive can have a great deal of
information available if there are local accounts present on the system. Again, we’re not going
to go through a comprehensive analysis, we’re just going to have a look at a few values of one
of the more important keys.
We can grab the SAM hive the same way we did the NTUSER.DAT, first searching for the
proper MFT entry using fls and then using icat to extract the file:
So our target MFT entry here is 178. Now we’ll extract with icat and check the file
type again with the file command. The file name we use on the extracted file is arbitrary.
Name it however you like. Consistency is a good idea, though.
Now we’ll create a mount point for the SAM file and use regfmount to fuse mount the
hive.
Since we already pulled the NTUSER.DAT file for the AlbertE account, let’s have a look
at the same account in the SAM file. If we change directories down to
SAM/Domains/Account/Users, we’ll see the following list of potential accounts:
barry@forensic1:~$ cd sammnt/SAM/Domains/Account/Users/
barry@forensic1:~/sammnt/SAM/Domains/Account/Users$ ls
(values)/ 000001F4/ 000001F5/ 000003E8/ 000003E9/ Names/
But let’s do it all at once with a for loop to repeat the command across all the
directories (but only those that are a hex value):
501
1000
1001
barry@forensic1:~/sammnt/SAM/Domains/Account/Users$ cd 000003E8/\(values\)/
barry@forensic1:~/sammnt/SAM/Domains/Account/Users/000003E8/(values)$ ls
F UserPasswordHint V
barry@forensic1:~/sammnt/SAM/Domains/Account/Users/000003E8/(values)$ xxd V
...
00000160: 0000 0001 0000 0000 0102 0000 0000 0005 ................
00000170: 2000 0000 2002 0000 0102 0000 0000 0005 ... ...........
00000180: 2000 0000 2002 0000 4100 6c00 6200 6500 ... ...A.l.b.e.
00000190: 7200 7400 4500 0000 0102 0000 0700 0000 r.t.E...........
000001a0: 0300 0100 0300 0100 13c4 df6f 671a 70d2 ...........og.p.
000001b0: 0c04 49e1 c16e c39a 0300 0100 0300 0100 ..I..n..........
barry@forensic1:~/sammnt/SAM/Domains/Account/Users/000003E8/(values)$ xxd F
00000000: 0200 0100 0000 0000 678e 5df7 f7c1 d201 ........g.].....
00000010: 0000 0000 0000 0000 20d7 bf15 76ae d201 ........ ...v...
00000020: ffff ffff ffff ff7f 5ce9 5df2 f7c1 d201 ........\.].....
00000030: e803 0000 0102 0000 1402 0000 0000 0000 ................
00000040: 0000 0700 0100 0000 0000 4876 488a 3600 ..........HvH.6.
...and other account information (number of logins, RID, etc.). We are going to concentrate on
the dates at the offsets shown above. We’ve already converted similar dates using the python
WinTime.py script. We could type each value on the command line, and run the script
separately for each value. A better way, however, would be to use the command line to give us
just the value we want, and pass each one to the WinTime.py script. We can do this with a
bash for loop. And if you read the man page for xxd, you will see that we can also use
different options for xxd to enable us to complete the date conversion without having to copy
the hex value out.
Let’s look at what happens if we run xxd with -ps (plain hexdump) -s8 (seek to byte 8)
-l8 (output is 8 bytes in length). The command prompt has been truncated again for
readability (F is the “file” we are viewing):
This can be taken a step further. We have three separate date values to convert here.
One is at offset 8 (-s8 as we converted above). The others are at offset 24 and 40. Sounds like
a perfect candidate for our now familiar bash for loop. We can use offsets 8, 24 and 40 as our
variable, and pass those into our command substitution for WinTime.py. It should look
something like this:
Instead of repeating the command with -s8, -s24 and -s40, we simply create a loop
with $offset and provide the values 8, 24, and 40 in the loop. This gives us the resulting
values:
Prefetch files can be a useful forensic artifact for any number of reasons. They can
provide additional execution times for timelines, they can be used to prove program execution
even when an executable has been deleted, and they can be used to correlate other artifacts
created during execution. More information can be found on the Internet[35].
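As an added example that is not part of the guide, the Python below does at the byte level what tr, xxd -ps -s -l and WinTime.py do in the UserAssist exercise and in the SAM F loop above: it decodes a ROT13 value name, reads the run count at 0x04 and the FILETIME at 0x3c of a UserAssist value, and converts the FILETIMEs at offsets 8, 24 and 40 of the F value (a FILETIME is the count of 100 nanosecond intervals since January 1, 1601). The F bytes are copied from the xxd F dump above; the UserAssist value bytes are constructed, and the offset meanings in SAM_F_LABELS are the commonly documented ones, an assumption the guide itself does not state.

```python
"""Byte-level decoding of UserAssist values and SAM F timestamps (added example)."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF   # the ffff ffff ffff ff7f at F offset 32 in the dump


def filetime_to_datetime(ft):
    """FILETIME: 100 ns intervals since 1601-01-01 UTC (what WinTime.py decodes).
    Zero and the 'never' sentinel carry no calendar meaning, so return None."""
    if ft == 0 or ft == FILETIME_NEVER:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build constructed sample data."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def filetime_at(data, offset):
    """8-byte little-endian QWORD at offset: the bytes xxd -ps -s<offset> -l8 prints,
    read in the byte order WinTime.py expects."""
    return struct.unpack_from("<Q", data, offset)[0]


def rot13(name):
    """UserAssist value names: a-m/A-M swapped with n-z/N-Z (tr 'a-zA-Z' 'n-za-mN-ZA-M').
    Digits, braces and backslashes are untouched."""
    return codecs.decode(name, "rot_13")


def parse_userassist(name, value):
    """Windows 7 style value: run count at 0x04, last run FILETIME at 0x3c.
    Returns (decoded name, count, last run as aware UTC datetime or None)."""
    if len(value) < 0x44:
        raise ValueError("UserAssist value too short: %d bytes" % len(value))
    count = struct.unpack_from("<I", value, 0x04)[0]
    return rot13(name), count, filetime_to_datetime(filetime_at(value, 0x3C))


# Assumption: the usual documented meanings of the offsets the guide loops over
# with -s8 -s24 -s40; the guide just calls them the three dates.
SAM_F_LABELS = {8: "last_logon", 24: "password_last_set", 40: "last_failed_logon"}


def parse_sam_f(data):
    """Decode the three FILETIMEs at 8, 24 and 40 plus the account-expiry field at 32,
    which holds the 'never' sentinel in the dump and so decodes to None."""
    out = {label: filetime_to_datetime(filetime_at(data, off))
           for off, label in SAM_F_LABELS.items()}
    out["account_expires"] = filetime_to_datetime(filetime_at(data, 32))
    return out


# Bytes copied from the guide's `xxd F` dump for RID 0x3E8 (AlbertE), offsets 0x00-0x4f.
SAM_F_ALBERTE = bytes.fromhex(
    "0200010000000000678e5df7f7c1d201"
    "000000000000000020d7bf1576aed201"
    "ffffffffffffff7f5ce95df2f7c1d201"
    "e8030000010200001402000000000000"
    "000007000100000000004876488a3600"
)

# The obfuscated Firefox taskbar entry from the listing above (single backslashes
# as stored; the doubled ones in the listing are ls escaping).
UA_NAME_ROT13 = r"{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Zbmvyyn Sversbk.yax"


def build_sample_userassist_value(count, last_run):
    """Constructed 72-byte value: count at 0x04, FILETIME at 0x3c, everything else zero."""
    value = bytearray(72)
    struct.pack_into("<I", value, 0x04, count)
    struct.pack_into("<Q", value, 0x3C, datetime_to_filetime(last_run))
    return bytes(value)


def demo():
    """Decode a constructed UserAssist value (count 4, as in the guide's entry, with a
    constructed last-run time) and the SAM F bytes from the guide."""
    ua = build_sample_userassist_value(4, datetime(2017, 4, 27, 1, 45, tzinfo=timezone.utc))
    return parse_userassist(UA_NAME_ROT13, ua), parse_sam_f(SAM_F_ALBERTE)


if __name__ == "__main__":
    (name, count, last_run), sam = demo()
    print(name, count, last_run)
    for label, when in sam.items():
        print("%-18s %s" % (label, when))
```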
barry@forensic1:~$ su -
Password:
root@forensic1:~# exit
[35] http://www.forensicswiki.org/wiki/Prefetch is a good start.
With libscca installed, let’s look for a prefetch file to view. We’ll search the NTFS
image for files ending in .pf. You can see there are quite a few of them (output is truncated).
Our familiar fls command is executed, looking for files only, recursively (-Fr) in the
file system at offset 2048 (-o 2048) in our NTFS EWF files. Using grep, we are looking for .pf
at the end of the line (signified by the $). The list is long, but we’ll look at the NMAP.EXE
prefetch file (MFT entry 123-128-2). We can extract the file from the image with icat:
Let’s very quickly have a look at the header of the file with xxd. You can immediately
see why the library we just installed is called libscca. The prefetch header is 84 bytes long
with the version at offset 0x00 and the SCCA header at offset 0x04[36].
The latest execution time can be found at offset 128 in the prefetch file (8 bytes long),
and we can use WinTime.py again to decipher it:
[36] http://www.forensicswiki.org/wiki/Windows_Prefetch_File_Format
Given enough information about the format, you could spend a lot of time parsing the
file. There’s other information stored within, including libraries and other files accessed when
the executable is started. But from here we’ll use sccainfo from libscca to view the prefetch
file contents, which is quite extensive.
Filenames:
Number of filenames : 53
Filename: 1 : \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTDLL.DLL
Filename: 2 : \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\
KERNEL32.DLL
Filename: 3 :
...
\DEVICE\HARDDISKVOLUME2\USERS\ALBERTE\DOWNLOADS\NMAP-7.40-WIN32\NMAP-7.40\NMAP-OS-
DB
Volumes:
Number of volumes : 1
Volume: 1 information:
Device path : \DEVICE\HARDDISKVOLUME2
Creation time : Apr 06, 2017 04:48:55.209910400 UTC
Serial number : 0x5019050c
There are numerous utilities available to Linux users that can be found to assist in
parsing files, artifacts and other data recovered from computers running operating systems
other than Linux. There are, in fact, too many to list here. Sometimes it’s simply a matter of
finding a comparable open source project: like using LibreOffice to view Microsoft Office or
Visio files. There are also the simple utilities that are either pre-installed or easily installed on
your Linux distribution, like catdoc or tools like pdfinfo and exiftool for reading file
metadata. There are too many to list here, but suffice to say that over the past few years
application layer analysis has become much easier on Linux.
This guide has covered a myriad of subjects that really just touch the surface of the
command line capabilities of Linux as a forensic platform. And while it is a lengthy guide, it
still only imparts a basic set of commands and utilities to allow you to learn and grow as a
forensic examiner or digital investigator. The real power of Linux (as an heir of UNIX itself) is
in thinking UNIX. The more you use commands and get used to the output they present, the
more you will learn to string them together, solving increasingly complex issues quickly and
efficiently. Getting a solid grasp of commands, command history, pipes and redirection is a
liberating process.
We’ve seen tools in this guide that can be used to access file data, file system data,
volume information, and block information, etc. It can be done quickly and without the need
for licenses, multiple programs, or excessive resources to load and view targeted information.
Being able to accomplish this on full disk images or blocks of separated data (like the
unallocated output of blkls, for example), and even individual files, makes Linux an excellent
platform for both tool validation and the cross-verification of findings.
validation standards for forensic software and hardware, you can strengthen these by not only
confirming similar functions in multiple tools, but by comparing the output of the tool being
tested (a function of commercial software on Windows, for example) to an open source tool on
an alternative (and also open source) operating system. Conclusive validation of functional
output is far easier to ascribe to test results when those results are from entirely different
systems. Linux can provide that environment where separate tools are running on an entirely
different operating system kernel and environment completely, removing any potential
appearance of interference.
We can also use Linux for cross-verification. In those cases where you find specific
evidence with one of your standard commercial forensic tools, you can verify those results by
comparing them on an alternative operating system with alternative tools. This is not the
same as validation. In this case we are not testing a function, we are confirming a finding. For
example, you might find a file or set of files pertinent to an investigation. The files were found
in a particular volume, in a particular block (or cluster) that was associated with a particular
meta-data entry (e.g. MFT). Running mmls, blkstat and ifind, etc. can help us verify those
findings taken from a commercial tool. In cases where the data recovered may be contested or
your recovery process inspected, having this cross-verification can render arguments against
your procedures or tools more difficult.
Parsing the file for user data, we may find that the last login for the user AlbertE is
critical to our case and the data found might come up in testimony. Output of our primary
registry analysis shows the following (output from an examination using Windows tools):
Attributes:
Type: $STANDARD_INFORMATION (16-0) Name: N/A Resident size: 48
Type: $FILE_NAME (48-4) Name: N/A Resident size: 72
Type: $SECURITY_DESCRIPTOR (80-1) Name: N/A Resident size: 80
Type: $DATA (128-2) Name: N/A Non-Resident size: 262144 init_size: 262144
95487 95488 95489 95490 95491 95492 95493 95494
95495 95496 95497 95498 95499 95500 95501 95502
...
Note that the times are different. Obviously this is because of the application of time
zones. Differences in the output are not disqualifying as cross-verification if you are able to
explain why the difference occurs. This is the foundation of knowing how your software
works.
barry@forensic1:~/sammnt/SAM/Domains/Account/Users/000003E8/(values)$ xxd F
00000000: 0200 0100 0000 0000 678e 5df7 f7c1 d201 ........g.].....
00000010: 0000 0000 0000 0000 20d7 bf15 76ae d201 ........ ...v...
00000020: ffff ffff ffff ff7f 5ce9 5df2 f7c1 d201 ........\.].....
00000030: e803 0000 0102 0000 1402 0000 0000 0000 ................
00000040: 0000 0700 0100 0000 0000 4876 488a 3600 ..........HvH.6.
If you can find a way to add Linux to your workflow, you could keep your skills current,
learn additional skills, and perhaps even learn to automate some of this workflow through
scripting. There are several ways you can deploy Linux in your work, including virtual
machines, standalone workstations, and bootable distributions.
Virtual machines (VM) are growing in popularity, and have been for years. There are
free options (like VirtualBox) that are quite robust and offer excellent compatibility and
configuration options for a forensic examiner. You can run a VM on your main forensic
workstation and provide it access to evidence folders and files, allowing direct interface
between the tool and the target image. VMs also have a “snapshot” feature so that when work
is complete, a snapshot of a clean and periodically updated operating system can be restored.
Also note that VMs can be run the other way – I normally run Windows in a VM on a physical
Slackware Linux workstation. The reason I do this highlights one of the drawbacks of VM
usage – direct access to hardware. A VirtualBox VM, for example, will allow connections via a
virtual USB controller. There are, however, times where I would want to query directly
The other obvious way to run Linux is to have an actual dedicated workstation. This is
fine if you have one you can devote to the purpose, and it alleviates the aforementioned
hardware access and interrogation issues. A full workstation is particularly useful where you
might want to validate or cross verify hardware identification or enumeration. Having a
physical workstation requires more monetary resources and can require more configuration
effort for exotic or less common hardware, but it also provides the most complete forensic
access for the operating system to interact with attached hardware.
The final way you can continue using Linux is through a bootable distribution. These
are always handy to keep around for times where you may need to boot a subject computer to
acquire evidence or even conduct a limited examination without imaging internal media. We
used this approach in our “dd over the wire” exercise. There are a number of good bootable
distributions available suitable for forensic use. Download a couple, try them out, and see
what works best for you. It may be a good idea to have several different versions for different
scenarios or hardware configurations. Two bootable Linux variants that come to mind
immediately are Caine and Kali Linux:
Caine: http://www.caine-live.net/
Kali: https://www.kali.org/
XI. Conclusion
The examples and practical exercises presented to you here are relatively simple. There
are quicker and more powerful ways of accomplishing some of what we have done in the scope
of this document. The steps taken in these pages allow you to use common Linux tools and
utilities that are helpful to the beginner. We’ve also incorporated more advanced tools and
exercises to add some “real world” applicability.
Once you become comfortable with Linux, you can extend the commands to encompass
many more options. Practice will allow you to get more and more comfortable with piping
commands together to accomplish tasks you never thought possible with a default OS load
(and on the command line to boot!). The only way to become proficient on the command line
is to use it. And once you get there, you may have a hard time going back.
I hope that your time spent working with this guide was a useful investment. At the
very least, I’m hoping it gave you something to do, rather than stare at Linux for the first time
and wonder “what now?”
http://www.forensicfocus.com
Try ##slackware on the Freenode network (or other suitable channel for your Linux
distribution of choice).