
Computer crime is not a Canadian problem - it is a global problem.

Disks

Linux treats its devices as files. The special directory where these "files" are maintained is "/dev".

  Floppy (a:)                          /dev/fd0
  Floppy (b:)                          /dev/fd1
  1st Hard disk (master, IDE-0)        /dev/hda
  Hard disk (slave, IDE-0)             /dev/hdb
  Hard disk (master, IDE-1)            /dev/hdc, etc.
  1st SCSI hard disk                   /dev/sda
  2nd SCSI hard disk                   /dev/sdb, etc.

Partitions

  1st Hard disk (master, IDE-0)        /dev/hda
    1st Primary partition              /dev/hda1
    2nd Primary partition              /dev/hda2, etc.
    1st Logical drive (on extd part)   /dev/hda5
    2nd Logical drive                  /dev/hda6, etc.
  2nd Hard disk (slave, IDE-0)         /dev/hdb
    1st Primary partition              /dev/hdb1, etc.
  CDROM or 3rd disk (master, IDE-1)    /dev/hdc
  CDROM (SCSI)                         /dev/scd0
  1st SCSI disk                        /dev/sda
    1st Primary partition              /dev/sda1, etc.

This is an example of the output of fdisk -l /dev/hda on a dual boot system:

  Disk /dev/hda: 255 heads, 63 sectors, 1582 cylinders
  Units = cylinders of 16065 * 512 bytes

     Device Boot    Start       End    Blocks   Id  System
  /dev/hda1   *         1       255   2048256    b  Win95 FAT32
  /dev/hda2           256       638  3076447+   83  Linux
  /dev/hda3           639       649    88357+   82  Linux Swap
  /dev/hda4           650      1582  7494322+    f  Win95 Extd (LBA)
  /dev/hda5           650      1453  6458098+    b  Win95 FAT32
  /dev/hda6          1454      1582   1036161    b  Win95 FAT32

Modules

Modules are object files (*.o) that contain the required driver code for the supported device or option. Modules are installed and removed from the system on the fly using the following commands (as root):

  insmod  - to insert the module
  rmmod   - to remove the module
  lsmod   - to get a list of currently installed modules

Linux Directory contents can include:

  /bin   - Common commands.
  /boot  - Files needed at boot time, including the kernel images pointed to by LILO (the LInux LOader) or GRUB.
  /dev   - Files that represent devices on the system.
  /etc   - Administrative configuration files and scripts.
  /home  - Directories for each user on the system.
  /mnt   - Provides mount points for external, remote and removable file systems.
  /root  - The root user's home directory.
  /sbin  - Administrative commands and process control daemons.
  /usr   - Contains local software, libraries, games, etc.
  /var   - Logs and other variable files will be found here.

"DOS command" = Linux equivalent

"dir" = ls
  ls                               list files.
  ls -F                            classifies files and directories.
  ls -a                            show all files (including hidden).
  ls -l                            detailed file list (long view).
  ls -lh                           detailed list (long, with human readable file sizes).

"copy" = cp
  cp sourcefile destinationfile    copy a file.

cls = clear
  clear                            clears the terminal screen of all text and returns a prompt.

"move" and "ren" = mv
  mv sourcefile destinationfile    move or rename a file.

"del" = rm
  rm filename                      deletes a file.
  rm -r                            recursively deletes all files in directories and subdirectories.

"md" = mkdir
  mkdir directoryname              creates a directory.

"type" = cat or more or less
  cat filename                     The simplest form of file display.
  cat file1 file2 > file3          concatenate file1 and file2 into file3.
  more filename                    displays the contents of a file one page at a time.
  less filename                    less is a better more.

"help" or "/?" = man or --help
  man command                      displays a "manual" page for the specified command. Use "q" to quit.

Other commands

  grep      - search for patterns.                                  e.g. grep pattern filename
  find      - allows you to search for a file.                      e.g. find / -name somefile -print
  pwd       - prints the present working directory to the screen.  e.g. pwd
  file      - categorizes files based on what they contain.         e.g. file filename
  ps        - list of current processes.                            e.g. ps -ax shows all processes (-a), including those without an associated terminal (-x).
  strings   - prints out the readable characters from a file.      e.g. strings
  chmod     - changes the permissions on a file.                    e.g. chmod
  chown     - changes the owner of a file.                          e.g. chown
  chgrp     - changes a file's group attribute.                     e.g. chgrp
  shutdown  - this command MUST be used to shutdown the machine.    e.g. shutdown

First character of ls -l output:

  -  = regular file
  d  = directory
  b  = block device
  c  = character device
  l  = link

The next 9 characters indicate the file permissions:

  Owner  Group  Others
  rwx    rwx    rwx

Changing permissions on a file:

  chmod "octal" filename

where read (r) = 4, write (w) = 2, execute (x) = 1.

Pipes and Redirection

Like DOS, Linux allows you to redirect the output of a command from the standard output to another device or file, e.g.

  ps -ax | grep bash

If Linux gives you an error message "Permission denied", then use:

  su

su is a switch user command, and can allow you to become any user (if you know the password), not just root.

Mounting File Systems on Disks

Only root can mount and unmount file systems. Any time you specify a mount point you must first make sure that the directory exists.

  mkdir /mnt/floppy
  mkdir /mnt/cdrom

Newer distributions usually create these mount points for you, but you might want to add others for yourself (mount points for subject disks or images, etc., like /mnt/data or /mnt/analysis).

The Mount Command

The "mount" command uses the following syntax:

  mount -t <filesystem> -o <options> <device> <mountpoint>

Example: Reading a DOS / Windows floppy

Insert the floppy and type:

  mkdir /mnt/floppy
  mount -t vfat /dev/fd0 /mnt/floppy

or, optionally, to mount a floppy image file instead of the drive:

  mount -o rw,loop -t vfat image /mnt/floppy

Now change to the newly mounted file system:

  cd /mnt/floppy

When you are finished, EXIT OUT of the /mnt/floppy directory, and unmount the file system with:

  umount /mnt/floppy

Example: Reading a CDROM

Insert the CDROM and type:

  mkdir /mnt/cdrom
  mount -t iso9660 /dev/cdrom /mnt/cdrom

Now change to the newly mounted file system:

  cd /mnt/cdrom

When you are finished, EXIT OUT of the /mnt/cdrom directory, and unmount the file system with:

  umount /mnt/cdrom

Example: Mounting an .ISO image

Create a mount point:

  mkdir /mnt/iso
  mount /directory/image.iso /mnt/iso -t iso9660 -o ro,loop

Now change to the newly mounted file system:

  cd /mnt/iso

When you are finished, EXIT OUT of the /mnt/iso directory, and unmount the file system with:

  umount /mnt/iso
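The permission rules above (type character, then owner/group/others as rwx, with r = 4, w = 2, x = 1) are easy to apply by hand but also easy to get wrong when reading a long ls -l listing. The following is an added example, not part of the original cheat sheet: a small POSIX shell script that converts an ls -l mode string into the octal value chmod accepts, and checks itself by running chmod on a temporary file and reading the mode back. Function names are this example's own; it assumes mktemp, ls and cut are available.

```sh
#!/bin/sh
# Added example (not from the original cheat sheet): turn the 9 permission
# characters shown by "ls -l" into the octal value that "chmod" accepts,
# using the rule read (r) = 4, write (w) = 2, execute (x) = 1.

# Value of one rwx triplet, e.g. "r-x" -> 5.  A lowercase s or t in the
# execute slot (setuid/setgid/sticky) still means execute is set; the
# special bits themselves are not encoded, only the basic 0-7 value.
triplet_value() {
  v=0
  case $1 in r??) v=$((v + 4)) ;; esac
  case $1 in ?w?) v=$((v + 2)) ;; esac
  case $1 in ??x | ??s | ??t) v=$((v + 1)) ;; esac
  echo "$v"
}

# Octal mode for a full 10-character ls -l mode string such as "-rwxr-xr--".
# Character 1 is the file type (-, d, b, c, l); characters 2-10 are
# owner, group and others.
mode_to_octal() {
  m=$1
  [ "${#m}" -eq 10 ] || { echo "mode_to_octal: expected 10 characters, got '$m'" >&2; return 1; }
  o=$(printf '%s' "$m" | cut -c2-4)
  g=$(printf '%s' "$m" | cut -c5-7)
  t=$(printf '%s' "$m" | cut -c8-10)
  printf '%s%s%s\n' "$(triplet_value "$o")" "$(triplet_value "$g")" "$(triplet_value "$t")"
}

# Name of the file type from the first character of ls -l output.
mode_type() {
  case $1 in
    -*) echo "regular file" ;;
    d*) echo "directory" ;;
    b*) echo "block device" ;;
    c*) echo "character device" ;;
    l*) echo "link" ;;
    *)  echo "unknown" ;;
  esac
}

# Round trip on a real file: chmod with an octal value, read the mode
# string back from ls -l (first 10 characters), and convert it again.
chmod_roundtrip() {
  want=$1
  f=$(mktemp)
  chmod "$want" "$f"
  mode=$(ls -l "$f" | cut -c1-10)
  rm -f "$f"
  mode_to_octal "$mode"
}

echo "-rwxr-xr--  -> $(mode_to_octal -rwxr-xr--) ($(mode_type -rwxr-xr--))"
echo "drwx------  -> $(mode_to_octal drwx------) ($(mode_type drwx------))"
echo "chmod 640 round trip -> $(chmod_roundtrip 640)"
```

The round trip is the useful check on an analysis workstation: after `chmod 444 image.dd` on an evidence image, `mode_to_octal "$(ls -l image.dd | cut -c1-10)"` should print 444, and anything else means the read-only step did not take.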

The file system table (/etc/fstab)

It might seem like "mount -t iso9660 /dev/cdrom /mnt/cdrom" is a lot to type every time you want to mount a CD or a disk. One way around this is to edit the file /etc/fstab.

For the sake of safety and practice, change the read-write permissions of your image to read-only:

  chmod 444 image.dd

or even

  chmod 400 image.dd

DD Examples

Put an image onto a floppy
  dd if=floppy.dd of=/dev/fd0

Take an image of a floppy
  dd if=/dev/fd0 of=floppy.dd

Mount a dd image
  mount -t vfat -o loop,ro,noexec /media/image.dd /media/mountpoint

Verify checksum on individual files in mounted image (cd into mountpoint, then type)
  find . -type f -exec sha1sum {} \; > /media/filelist.sha

Making a list of all files (hidden files, long format, recursive, inodes, sort by access time)
  ls -alRitu
  find . -type f -print

Making a list of files by type
  find . -type f -exec file {} \;

Looking for strings on individual files in mounted image
  find . -type f -exec strings {} \;
  find . -type f -exec strings {} \; | grep "dirtywordlist"

Searching unallocated and slack space for text
  grep options <pattern> <search_range>

Make a dirty word list using kwrite or kedit (etc.); make sure no blank lines are in the list.
  grep -aibf dirty.txt image.disk1 > hits.txt

Forensic Utilities Naming Conventions

Prefix (what the tool operates on):
  D    Data Unit
  I    Metadata (Inode)
  F    File
  FS   File System

Suffix (what the tool does):
  CAT   Display
  LS    Lists
  STAT  Details
  FIND  Maps
  CALC  Calculates

"D" Utilities    dls, dcat, dstat, dcalc
"I" Utilities    ils, icat, istat, ifind
"F" Utilities    fls, ffind
"FS" Utilities   fsstat

Sample uses of Forensic Utilities

Use icat command to view inode number <n> from an image of a filesystem redirected to less
  icat image <n> | less

Use icat command to determine the contents of a file
  icat image <n> | file

Use fls to show deleted files from an image of a filesystem redirected to less
  fls -rd image | less

Use dls to recover a file from inode number <n> to <m> from a filesystem redirected to dd
  dls -b -f fat image <n>-<m> | dd of=file

Find potential deleted files (e5 is the hex marker used for deleted files; nb: the tools display this byte as an underscore)
  xxd image | grep e5 > output

The Root Directory in FAT12 is held within Sectors 19 to 32 (each sector is 512 bytes)
  echo $((512*32))
  16384
  xxd -l 16384 floppy | grep " e5"
Shows the deleted files found within the floppy with less false positives.

Problems grepping large data sets (grep: memory exhausted)
  tr '[:cntrl:]' '\n' < image | grep -abif dirty > hits.txt
Basically, this command translates (tr) all the characters contained in the set of control characters ([:cntrl:]) to newlines (\n). This changes the stream of non-printable control characters (which we don't have in our dirty list) into newlines, which avoids the "grep: memory exhausted" problem.

Using fls
  fls -r -i raw -f fat image
  fls -d -r -i raw -f fat image

Using ifind to locate the inode number of a deleted file called "file.txt" (the first character of a deleted entry is replaced, hence the underscore)
  ifind -f fat -n _ile.txt image

Generate a list of your command line history
  history

Repeat a command in your history, where <n> is the number associated to the command you want repeated
  !<n>

Repeat previous command
  !!

Repeat pre-previous command (go back 2 commands)
  !-2

Use last argument
  !$

Fix a typo using caret
  ^type^fix

cat [options] [files]
Read (concatenate) one or more files and print them on standard output.
  -n, --number    Number all output lines, starting with 1.

Examples
  cat file                       Display a file
  cat file1 file2 file3 > all    Combine files
  cat note5 >> notes             Append to a file
  cat > file                     Create file at terminal; end with CTRL-C
  cat > file << STOP             Create file at terminal; end with STOP

Find a string in a file
  cat file | egrep string
Find the inverted selection
  cat file | egrep -v string
Finding a string in a file in color
  cat file | egrep --color string
Finding a string in a file in color plus and minus 2 lines
  cat file | egrep --color -2 string
Finding dirty words in a file in color plus and minus 2 lines
  echo dirtywordone >> dirty
  echo dirtywordtwo >> dirty
  echo dirtywordthree >> dirty
  cat file | egrep -f dirty --color -2
Finding offsets (in decimal and hex) for dirty words in a file in color
  cat file | strings -td | egrep -f dirty --color
  cat file | strings -tx | egrep -f dirty --color

XXD

xxd options for hex output
  xxd -b        (binary, defaults to hex)
  xxd -l <n>    (stop after <n> bytes)
  xxd -s <n>    (skip <n> bytes)
  xxd -s -<n>   (start <n> bytes before the end of the file)
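The dirty word search appears twice above: as `grep -aibf dirty.txt image` over a raw image, and as the `tr '[:cntrl:]' '\n' | grep -abif dirty` form for large data sets where grep runs out of memory. The following is an added example, not from the original cheat sheet, that runs that pipeline end to end on a small constructed "image" (text fragments separated by NUL and other control bytes) and a constructed word list, and shows why the byte offsets grep -b reports are still offsets into the original image. Function names and the sample data are this example's own; it assumes GNU-style tr and grep.

```sh
#!/bin/sh
# Added example (not from the original cheat sheet): keyword ("dirty word")
# search over a raw image using the tr -> grep pipeline from the page,
# with grep -b so every hit carries its byte offset.

# Write a small constructed "image": text fragments separated by NUL and
# other control bytes, the way unallocated space often looks.
make_sample_image() {
  printf 'HEADER\000\000secret plan\000noise\001\002Project Falcon\000' > "$1"
}

# Build the search list.  A blank line in the list matches every line, so
# strip blanks (the page warns about this); -i later makes the match caseless.
make_dirty_list() {
  printf 'secret\n\nfalcon\n' | grep -v '^$' > "$1"
}

# Search.  tr swaps every control byte for a newline one-for-one, so the
# byte count is unchanged and the offsets grep -b reports (start of the
# matching line) are still offsets into the original image.
#   -a treat binary as text   -b print byte offset   -i ignore case
#   -f read patterns from the list file
dirty_search() {
  tr '[:cntrl:]' '\n' < "$1" | grep -abif "$2"
}

# Number of hits, for a quick summary line.
dirty_hit_count() {
  dirty_search "$1" "$2" | wc -l | tr -d ' '
}

# Demo run on the constructed data.
work=$(mktemp -d)
make_sample_image "$work/image.dd"
make_dirty_list "$work/dirty"
echo "hits: $(dirty_hit_count "$work/image.dd" "$work/dirty")"
dirty_search "$work/image.dd" "$work/dirty"
rm -rf "$work"
```

On the constructed image the output is `8:secret plan` and `27:Project Falcon`; those offsets can be fed straight to `xxd -s 8 image.dd` to look at the surrounding bytes in the original image, which is the point of keeping tr's substitution one byte for one byte.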

Show the first 10 bytes of a file
  xxd -l 10 file

Show the last 10 bytes of a file
  xxd -s -10 file

Discover the internal format of a file
  file -p filename

Creating a virtual file system (1GB)
  dd if=/dev/zero of=1gb bs=1024 count=1048576
  mke2fs 1gb
  mkdir /mnt/virtual
  mount -o loop 1gb /mnt/virtual

Using DD to create a 1024 byte sized file filled with zeroes
  dd if=/dev/zero bs=1 count=1024 of=file

Using DD to create a 1024 byte sized file filled with randomness
  dd if=/dev/urandom bs=1 count=1024 of=file

Using DD to sanitize a drive (examples)
  dd if=/dev/zero of=/dev/sda
  dd if=/dev/random of=/dev/sda
  dd if=/dev/urandom of=/dev/sda

Verifying the media is blank (all zeros)
  xxd -a media
  hexdump media

Using DD to sanitize a file of exactly 4096 bytes
  dd if=/dev/zero bs=4096 count=1 of=file

Split a 100 byte file into 10 parts (part.00, part.01 etc)
  dd if=file | split -d -b 10 - part.

Join a 100 byte file which is in 10 parts of 10 bytes each (part.00, part.01 etc)
  cat part.* > file

Split a floppy into 360k pieces
  dd if=/dev/fd0 | split -b 360k - floppy.split.

Compress a file while using DD
  dd if=/dev/sda | gzip > evidence

Uncompress a file using DD
  gzip -dc evidence | dd of=/dev/sda

Compress and split a file using DD
  dd if=/dev/sda | gzip -c | split -b 4096M -d -a 3 - part.gz.

Uncompress and join a file using DD
  cat part.gz.* | gzip -dc | dd of=/dev/sda

Using DD to change between ASCII and EBCDIC (conv=ebcdic converts ASCII to EBCDIC, conv=ascii converts back)
  dd if=file of=output conv=ascii
  dd if=file of=output conv=ebcdic

Using DD to change case
  dd if=file of=output conv=ucase
  dd if=file of=output conv=lcase

Changing case using TR
  cat file | tr '[A-Z]' '[a-z]' > output
  cat file | tr '[a-z]' '[A-Z]' > output

Byte swapping with DD
  dd if=file of=output conv=swab

Using Stream Editor to sanitize log files of IP Addresses and Port Numbers (IPs and Sockets): every run of 1 to 5 digits is replaced by an "x"
  echo 's/[[:digit:]]\{1,5\}/x/g' > ipaddress.sed
  sed -f ipaddress.sed < logfile

Generate list of users, prior logins etc.
  last, w, who

Get directory listing sorted by last modified, last accessed, etc.
  ls, ls -lat, ls -lrt, ls -lrtu

Get listing of opened file handles
  lsof

Identify partitions on a drive
  fdisk -l /dev/hdd

Generate system timestamp using UTC
  date -u

Calculating Hashes
  md5sum, sha1, sha1sum

Displaying contents of a file
  cat, less, more, dd

Oddly, displaying contents of a file in reverse order (cat backwards)
  tac

Display strings found in a file
  strings, strings -td, strings -tx

Display beginnings and endings of files
  head, tail

Data Destruction (over-write 3 times, ending with all zeros, then delete this file)
  shred -n 3 -z -u file

Drive Destruction (not really destroyed, but over-written 3 times, ending with all zeros)
  shred -n 3 -z /dev/sda
  dd if=/dev/random of=/dev/sda bs=4096
  dd if=/dev/zero of=/dev/sda bs=4096

Over-write all remaining disk space in the partition with random, then delete the random
  dd if=/dev/random of=junk bs=4096; rm -fr junk

Making a filesystem (not a complete list of options, just examples)
  mkfs -t vfat -F 32 /dev/sda1
  mkfs -t ext2 /dev/sda1
  mkfs -t ntfs -Q /dev/sda1

Finding large files (using k, M, and G)
  find / -size +10000k -print
  find / -size +100M -print
  find / -size +1G -print
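The dd section above chains acquire, compress, split, join and decompress as separate one-liners. The following is an added example, not from the original cheat sheet, that runs the whole round trip on a constructed "device" (a 20 KiB file filled from /dev/urandom) and hashes the image before and after, which is the check you want before trusting pieces that travelled over a network or across DVDs. Function names are this example's own; it assumes GNU split (for -d numeric suffixes and -a), gzip and sha1sum.

```sh
#!/bin/sh
# Added example (not from the original cheat sheet): the acquire -> compress ->
# split -> join -> decompress round trip from the dd section, with a hash
# taken before and after so the duplicate is shown to be bit-for-bit identical.

# Make a constructed 20 KiB "evidence device" (40 blocks of 512 bytes).
make_sample_device() {
  dd if=/dev/urandom of="$1" bs=512 count=40 2>/dev/null
}

# Hash only, no file name, so two hashes can be compared as strings.
image_hash() {
  sha1sum "$1" | cut -d' ' -f1
}

# dd | gzip | split: pieces of 4 KiB named part.gz.000, part.gz.001, ...
# (-b piece size, -d numeric suffixes, -a 3 three suffix digits), the same
# shape as the page's "split -b 4096M -d -a 3 - part.gz." but scaled down.
split_compressed() {
  dd if="$1" 2>/dev/null | gzip -c | split -b 4096 -d -a 3 - "$2/part.gz."
}

# cat | gzip -dc | dd: the reverse.  The shell sorts the glob, so the
# zero-padded numeric suffixes put the pieces back in order.
join_compressed() {
  cat "$1"/part.gz.* | gzip -dc | dd of="$2" 2>/dev/null
}

# Number of pieces that were produced.
piece_count() {
  ls "$1"/part.gz.* | wc -l | tr -d ' '
}

# Full round trip; prints "ok" only when the restored image hashes the same.
roundtrip() {
  work=$(mktemp -d)
  make_sample_device "$work/device"
  before=$(image_hash "$work/device")
  split_compressed "$work/device" "$work"
  join_compressed "$work" "$work/restored.dd"
  after=$(image_hash "$work/restored.dd")
  echo "pieces: $(piece_count "$work"), before: $before, after: $after" >&2
  rm -rf "$work"
  [ "$before" = "$after" ] && echo ok || echo MISMATCH
}

roundtrip
```

Random data does not compress, so the pieces add up to slightly more than 20 KiB and there are six of them; on a real drive with large zeroed regions the compressed set is far smaller, which is the bandwidth saving the NetCat section below relies on.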

Finding the top 100 largest files in descending order of size
  find / -type f -exec du -b {} \; | sort -nr | head -100

Finding files from the recent past (10 minutes ago, 10 days ago)
  find / -mmin -10
  find / -mtime -10

Finding files more current than a specific file
  find / -newer /dev/sda1/file

Finding files more current than a specific time (September 9, 2010 at 9:09am 9 seconds)
  touch -t 201009090909.09 /tmp/timestamp
  find / -newer /tmp/timestamp -ls

Finding USB device names
  dmesg | grep "SCSI device"
  lsusb

Finding Serial Numbers for installed USB devices
  touch /root/timestamp
  ... plug in USB device ... wait a moment
  find / -newer /root/timestamp | grep by-id

Finding names of files containing a string (second option is faster)
  find . -type f -exec grep -l string {} \;
  find . -type f -print | xargs grep -l string

Verifying the speed of commands like above
  time find . -type f -exec grep -l string {} \;
  time find . -type f -print | xargs grep -l string

Finding the newest file in a directory
  ls -t | head -1
  ls -lt | head -2 | tail -1
  ls -lrt | tail -1

Finding all directories beginning with a period
  find / -type d -name .\* -print

Finding all image files in a file system and verifying their contents match the file extension
  echo jpg >> imagenames.txt
  echo jpeg >> imagenames.txt
  find . -type f -print0 | xargs -0 file | grep -f imagenames.txt

As above, but only showing files that do not match
  find . -type f ! \( -name '*.jpg' -or -name '*.jpeg' \) -print0 | xargs -0 file | grep -f imagenames.txt

Reduce the search space and focus on documents created by humancraft

First create a known md5 list of machine generated files you want to ignore
  find . -type f -exec md5sum {} \; > machinegenerated.hashes

Next search for files not in your list (try both x and X)
  md5deep -r -x machinegenerated.hashes *
  md5deep -r -X machinegenerated.hashes *

As above, only more detailed
  md5deep -wbezof -x machinegenerated.hashes *
  md5deep -wbezof -X machinegenerated.hashes *

Use these commands and combine your organization's machine generated files with the National Software Reference Library (NSRL) [It's on your DVDs. Whoot!]

Converting timestamps from Unix "seconds since January 1, 1970" into human readable format
  date -d @1284004800
  Thu Sep 9 00:00:00 EDT 2010

Caseless sorting
  sort -f file

Unique caseless sorting
  uniq -i file

Shell Math using echo $(( ... )) where ... is +, -, /, * on decimal and hex numbers
  echo $((0xff))
  255
  echo $((0xff-0x01))
  254
  echo $((2+2))
  4
  echo 'obase=10; ibase=16; FF' | bc
  255
  echo 'obase=16; ibase=10; 255' | bc
  FF
  echo 'obase=8; ibase=10; 15' | bc
  17
  echo 'obase=2; ibase=10; 15' | bc
  1111
  printf %0x\\n 255
  ff
  printf %d\\n 0xff
  255

Using Stream Editor (SED) to replace words in a file
  dd if=file | sed 's/foo/bar/g' | dd of=output

Detecting if a file has changed (can use sha1, sha1sum, sha256 etc)
  md5sum file > hash
  md5sum -c hash
Archived hashes can be used for future comparisons.

Creating a list of hashes for all files
  find . -type f -exec md5sum {} \;
  find . -type f -exec sha1sum {} \;

Creating an integrity seal on your evidence
  date -u >> evidence.seal
  md5sum casedata >> evidence.seal

Signing your evidence

  gpg --gen-key   (this only needs to be done once, per system)
  gpg --clearsign evidence.seal
  cat evidence.seal.asc

Verifying your evidence
  gpg --verify evidence.seal.asc

Using openssl to encrypt your evidence
  openssl enc -des3 -in file -out file.encrypted
  enter des-ede3-cbc encryption password:
  Verifying - enter des-ede3-cbc encryption password:

Using openssl to decrypt your evidence
  openssl enc -d -des3 -in file.encrypted -out file.decrypted
  enter des-ede3-cbc decryption password:

Using openssl to base64 encode and decode
  openssl enc -base64 -in infile -out output.b64
  openssl enc -d -base64 -in output.b64 -out out.decrypt

Finding relevant search hits
Create a file called dirty and populate this list with your case specific search terms.

Verifying all files on the file system
  find . -type f -exec md5sum {} \; > md5hashes
  md5sum -c md5hashes

Recursive commands on files
  find . -type f -print
  find . -type f -exec strings {} \;
  find . -type f -exec file {} \;

Replace foo with bar in all files in the current directory using the Stream Editor (sed)
  sed -i.bak 's/foo/bar/g' *

Replace foo with bar in all files across an entire directory structure using the Stream Editor (sed)
  find . -type f | xargs sed -i.bak 's/foo/bar/g'

Count lines in a file
  wc -l file
Count words in a file
  wc -w file
Count bytes in a file
  wc -c file
Count characters in a file
  wc -m file

Compare two files byte by byte
  cmp -b file1 file2
Compare files line by line
  diff file1 file2
Compare sorted files FILE1 and FILE2 line by line
  comm file1 file2

System statistics

  uptime, free, ps aux

File information
  file, stat, strings, cat, xxd, hexdump

Coroner's Toolkit data capturing tool
  grave-robber

Coroner's Toolkit tools to recover deleted file space
  unrm, lazarus

Coroner's Toolkit create timeline of files
  mactime

Report disk usage and disk free
  du, df
  Use du or df with -a or --all              for all files, not just subdirectories
  Use du or df with -b or --bytes            for sizes in bytes
  Use du or df with -c or --total            to print grand total of all arguments
  Use du or df with -h or --human-readable   for human reader friendly format
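The evidence integrity material above (hashing every file with find -exec, `md5sum -c` to detect a change, and the `date -u >> evidence.seal; md5sum casedata >> evidence.seal` seal) fits together into one repeatable procedure. The following is an added example, not from the original cheat sheet, that writes such a seal over a directory of case data and verifies it, then alters one file to show the verification failing. It differs from the page's one-liners in two ways, both labelled in the comments: it uses sha256sum instead of md5sum, and it writes the timestamp as a '#' comment line so the very same seal file can be fed back to `sha256sum -c`. The gpg --clearsign step is not repeated. Function names and the sample files are this example's own; it assumes GNU coreutils (sha256sum with --quiet).

```sh
#!/bin/sh
# Added example (not from the original cheat sheet): an integrity seal over a
# directory of case data, after the page's
#   date -u >> evidence.seal ; md5sum casedata >> evidence.seal
# but with sha256sum, and with header lines kept as '#' comments so the same
# file verifies with "sha256sum -c".

# Write the seal: a UTC timestamp, then one hash line per file (paths are
# relative to the case directory and sorted, so the seal is reproducible).
seal_evidence() {
  dir=$1; seal=$2
  {
    printf '# sealed: %s\n' "$(date -u)"
    printf '# directory: %s\n' "$dir"
    (cd "$dir" && find . -type f -exec sha256sum {} \; | sort -k 2)
  } > "$seal"
}

# Verify: strip the comment lines and let sha256sum -c check every entry.
# Returns 0 when all files still match, non-zero on any change or missing file.
verify_seal() {
  dir=$1; seal=$2
  grep -v '^#' "$seal" | (cd "$dir" && sha256sum -c --quiet)
}

# Number of files covered by a seal.
seal_entry_count() {
  grep -vc '^#' "$1"
}

# Demo: seal two constructed files, verify, alter one, verify again.
work=$(mktemp -d)
mkdir "$work/casedata"
printf 'alpha\n' > "$work/casedata/a.txt"
printf 'beta\n'  > "$work/casedata/b.txt"
seal_evidence "$work/casedata" "$work/evidence.seal"
cat "$work/evidence.seal"
verify_seal "$work/casedata" "$work/evidence.seal" && echo "seal intact"
printf 'tampered\n' >> "$work/casedata/a.txt"
verify_seal "$work/casedata" "$work/evidence.seal" || echo "seal BROKEN"
rm -rf "$work"
```

Keep the seal file outside the directory it covers (here it sits next to casedata, not inside it), otherwise writing the seal changes the tree it describes. Signing the seal with `gpg --clearsign evidence.seal` as on the page adds the examiner's identity on top of the hashes.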

Using Copy and Convert (DD)

  dd if=/*source* of=/*destination*

  if=           infile (evidence you are acquiring)
  source=       source of evidence
  of=           outfile (forensic duplicate of evidence)
  destination=  destination of forensic duplicate

  Block sizes        ibs, obs, bs
  Number of blocks   count, skip, seek
  Conversion         conv

Use windows dd to move a file to the CFA Linux Forensic Workstation
  dd if=source bs=1460 of=\\192.168.2.2\images\destination
This only works because the CFA Linux Forensic Workstation has a SAMBA share that windows can see.

Using NetCat to move files
  linux:    nc -l -p 1234 | dd of=received
  Windows:  dd if=sending bs=1460 | nc 192.168.2.2 1234

Using NetCat to move compressed files (Save Network Bandwidth)
  linux:    nc -l -p 1234 | gzip -dfc | dd of=received
  Windows:  dd if=sending bs=1460 | gzip -cf | nc 192.168.2.2 1234

Note about windows DD
  Logical drives are   \\.\E:
  Physical drives are  \\.\PhysicalDrive0

Obtaining Disk Information
  hdparm /dev/hda
  hdparm -I /dev/sda

Viewing metadata information of E01 formatted acquisitions
  ewfinfo image.E01

Verifying the hash of E01 formatted acquisitions
  ewfverify image.E01
  ewfexport image.E01 | md5sum
  ewfexport image.E01 | sha1sum

Extracting the image from the E01 formatted acquisitions
  ewfexport -t image.dd image.E01
  md5sum image.dd
  sha1sum image.dd

Obtaining an image using E01 format
  ewfacquire /dev/hda
  ewfacquire /dev/sda

Recall transferring files using NetCat
  Source of evidence:       dd if=/dev/sda bs=1460 | nc 192.168.55.20 1234
  Destination of evidence:  nc -l -p 1234 | dd of=image.dd

The same, using E01 format; change the 'Destination of evidence' to the following:
  nc -l -p 1234 | ewfacquirestream -C 111-222 -D 'removable thumb drive' -e 'USERNAME' -E '1' -f encase5 -m removable -M physical -N 'Seized from subject' -t image

  -C  case number is specified
  -D  evidence description
  -e  examiner's name
  -E  evidence number
  -f  format is specified
  -m  media type
  -M  volume type
  -N  notes
  -t  target path and file name
