Computer Forensics: Investigating File and Operating Systems, Wireless Networks, and Storage, 2nd Edition. Chapter 6 Linux Forensics

Size: px

Start display at page:

Download "Computer Forensics: Investigating File and Operating Systems, Wireless Networks, and Storage, 2nd Edition. Chapter 6 Linux Forensics"

Britton Glenn
5 years ago
Views:

1 Computer Forensics: Investigating File and Operating Systems, Wireless Networks, and Storage, 2nd Edition Chapter 6 Linux Forensics

2 Objectives After completing this chapter, you should be able to: Create a Linux forensic environment Analyze floppy disks Analyze hard disks Perform data collection using Toolkit Understand crash commands Take a step-by-step approach to a case Use Linux in forensics Describe Linux forensic tools 2

3 Introduction to Linux Forensics This chapter will explain: How to perform forensics with a Linux system as a target Why it can be beneficial to use a Linux system in other investigations 3

4 Linux Types of Linux distributions: Desktop distributions Server or enterprise distributions Live-CD distributions Linux boot sequence Loading the kernel Soft link to the current kernel image is available in the /boot directory and is referenced by the Linux Loader (LILO) Initialization: file that controls initialization is /etc/inittab 4

5 File System in Linux Most Linux distributions share a basic directory structure, with files organized in directories: /bin: common commands /boot: files needed at boot time /usr: local software, libraries, etc. /var: logs and other variable files /dev: interface files that allow kernel to interact with hardware and the file system /home: directories for each user on the system /mnt: mount points for external, remote, and removable file systems 5

6 File System in Linux Most Linux distributions share a basic directory structure, with files organized in directories (cont d): /etc: administrative configuration files and scripts /root: foot-user home directory /sbin: Administrative commands /lib: basic system libraries /opt: optional and third-party software Uses a tree, or hierarchical, structure for storing files and directories 6

7 File System in Linux Figure 6-1 A typical Linux file structure 7

8 Linux Forensics Utilities for imaging and basic disk analysis include: dd, sfdisk, fdisk, grep, md5sum, sha1sum, file, xxd, ghex, and khexedit Linux is often used in computer forensics for the following reasons: Greater control Flexibility Power 8

9 Linux Forensics Advantages of Linux in forensics: Software availability and accessibility Efficiency Optimization and customization Support Disadvantages of Linux in forensics: Investigator may need to be specially trained to use Linux Because Linux is an open-source operating system, it is frequently updated 9

10 Precautions During Investigation During an investigation, an investigator has to be sure to follow these precautions: Avoid running programs on a compromised system Do not run programs that will modify the metadata of files and directories Write the results of the investigation to a remote location Calculate the hash values of the data to avoid data alteration 10

11 Recognizing Partitions in Linux File systems must be mounted before being used Any file systems on partitions defined during installation are mounted with each boot Data can be written to devices, even when those devices are not mounted Standard IDE disk connected to the primary IDE controller as the master will be referred to as hda If the disk is connected to the primary IDE controller as a slave device it will be referred to as hdb Each partition is identified by its Linux name 11

12 mount Command Mounting Attaching a device to an existing directory on the system before being accessed Mount point Directory where the device is attached In order to remove the device, it must be unmounted before it is removed mount and umount commands Mounting: mount /dev/fd0 /mnt/floppy Unmounting: umount /dev/fd0 12

13 dd Command Options dd command Used to convert and copy a file Reads the [InFile] parameter, converts it to the specified format, and copies the data into the [OutFile] parameter 13

14 Floppy Disk Analysis Steps: Insert the floppy disk into the drive and obtain its SHA-1 hash Create an image of the floppy s contents Identify the file system Mount the image for analysis Obtain an SHA-1 hash of the contents View the file contents 14

15 Hard Disk Analysis Steps: Make an image of the hard disk using dd Use md5sum to collect information about the system time and date Mount the copy of the evidence into the file system Capture the drive s forensic data Extract deleted inode (modification/access/change) times Combine evidence for timeline conversion Generate timeline 15

16 Data Collection Forensic toolkit preparation Forensic investigators use their own forensic toolkit to find and collect any important data from a compromised system Toolkit is a pack of tools such as nc, dd, datecat, pcat, Hunter.o, insmod, NetstatArproute, dmesg, and others Investigator mounts the toolkit to a removable disk Safest to use the toolkit from a remote system in order to avoid changing the compromised system s metadata 16

17 Data Collection Using the Toolkit Steps to collect data: Media mounting: Mount the toolkit on the external media Calculate the hash value of the collected file Collect the current date result, presented in UTC format Cache tables: Collect the Mac address cache table Collect the kernel route cache table Collect information about current connections and open TCP/UDP ports 17

18 Data Collection Using the Toolkit Steps to collect data (cont d): Acquire a physical memory image List modules loaded to kernel memory: Check which modules are currently loaded in memory Analyze the ksyms file to detect the presence of an intruder Collect information about all processes, open ports, and files with the use of the lsof command Collect suspicious processes Collect information about the compromised system Gather information about the current time 18

19 Data Collection Using the Toolkit Table 6-1 An investigator can use these commands to collect information 19

20 Keyword Searching To search for signs of an intrusion, an investigator can use tools such as the following: strings: Gathers all printable characters from image files Use the -t switch to add an offset from the beginning of the file grep: Gathers commands typed by an intruder, IP addresses, passwords, or even decrypted parts of malicious code 20

21 Linux Crash Utility: Commands Table 6-2 An investigator can use these crash commands to extract system information 21

22 Investigation Examples Investigation Example I: Floppy Disk Forensics Rebecca had filed a lawsuit against Good Company, Inc., for sexual harassment by one of its senior directors, Mr. Peter Samson She claims that Mr. Samson used to send her explicit material through floppy disks marked as legitimate work, and she has submitted a floppy as evidence An investigator has been called to investigate the case on behalf of Good Company, Inc 22

23 Investigation Examples Step-by-step approach All processes must be documented The disk structure should be determined Once a separate mount point has been created, the investigator can proceed to mount the restored, imaged working copy and analyze the contents Integrity of the image file should be checked to be sure it is the same as the original Investigator can then list all files and directories in the image, including hidden files 23

24 Investigation Examples Step-by-step approach (continued) Handling date, file access, and alteration times should be noted Investigator can now search for likely evidence using grep In order to list unknown file extensions and changed file appearances, the investigator can issue the command file [changedfile] Apart from searching suspect files, certain keywords from the entire file list can be searched for 24

25 Investigation Examples Challenges in disk forensics with Linux Linux cannot identify the last sector on hard drives with an odd number of sectors Most Linux tools are used at the command line and are more complicated than Windows or Mac tools Devices can be written to, even if not mounted Bugs in open-source tools can be used to question the credibility of the tools for forensic use Original work, including the evidence, can be destroyed with a command-line typo, particularly when imaging 25

26 Investigation Examples Investigation Example II: Hard Drive Forensics Mr. Jason Smith has been accused of storing illegal material on his company s system An investigator has been called upon to examine the hard disk in question How should the investigator proceed in extracting and preserving the evidence? 26

27 Investigation Examples Step-by-step approach All processes must be documented Investigator may then proceed to prepare an image of the hard disk Partition the newly formatted disk and reboot Disk should then be formatted with the ext3 file system Investigator then prepares the disk for imaging Image the disk Check for accuracy using md5sum Mount the disk and extract evidence 27

28 Linux Forensic Tools The Sleuth Kit Collection of UNIX-based command-line file and volume system forensic analysis tools Supports DOS partitions, BSD partitions (disk labels), Mac partitions, Sun slices (Volume Table of Contents), and GPT disks Analyzes raw (dd), Expert Witness (EnCase), and AFF file systems and disk images, supporting the NTFS, FAT, UFS 1, UFS 2, ext2, ext3, and ISO 9660 file systems 28

29 Tools in The Sleuth Kit Tools include: File system layer tool: fsstat Filename layer tools: ffind, and fls Metadata layer tools: icat, ifind, ils, and istat Data-unit layer tools: dcat, dls, dstat, and dcalc File system journal tools: jcat, and jls Media management tool: mmls Image file tools: img_stat, and img_cat Disk tools: disk_sreset, and disk_stat Other tools: hfind, mactime, sorter, and sigfind 29

30 Autopsy Autopsy Forensic Browser Graphical interface to The Sleuth Kit Since Autopsy is HTML-based, the Autopsy server can be reached from any platform using an HTML browser Provides a File Manager like interface and shows details about deleted data and file system structures Analysis modes: dead analysis, and live analysis 30

31 Autopsy Evidence search techniques: file listing, file content, hash databases File type sorting Timeline of file activity Keyword search Metadata analysis Data-unit analysis Image details 31

32 SMART for Linux Figure 6-2 SMART supports plug-ins for multiple uses 32

33 Penguin Sleuth Kit Bootable Linux distribution based on Knoppix Collects several tools including The Coroner s Toolkit (TCT), Autopsy, and The Sleuth Kit, as well as penetration-testing and virus-scanning tools Offers both a GUI environment and a commandline interface 33

34 The Farmer s Boot CD Farmer s Boot CD (FBCD) Can safely and quickly preview systems (hard drives, thumb drives, digital music devices such as ipods, digital camera media, and more) directly from Linux Features include the following: Boot almost any x86 system Mount file systems in a forensically sound manner Preview data using a single, unified graphical user interface (GUI) Acquire media after it is previewed 34

35 The Farmer s Boot CD Some advantages: Allows attaching digital cameras, previewing contents of onboard memory, and dumping software information and graphics or video files Authenticates and acquires file systems or devices in simple point-and-click GUIs Generates a catalog of all hardware attached to system Dumps BIOS information of the system Easily obtains both hard drive and file system information 35

36 Delve Figure 6-3 Delve s Devices tab mounts systems in a read-only manner. Right-click on any file system to view its available options 36

37 Maresware Maresware Provides tools for investigating computer records on an Intel-based Linux machine Includes the following major programs: Bates_no Catalog Hash Hashcmp Md5 Strsrch U_to_A 37

38 Captain Nemo Figure 6-4 Captain Nemo will mount Linux drives in Windows 38

39 The Coroner s Toolkit (TCT) Coroner s Toolkit Collection containing the following programs: Grave-robber ils and mactime tools unrm and lazarus tools findkey tool 39

40 FLAG FLAG (Forensic Log Analysis GUI) Used for log file analysis and forensic investigations Uses a database as a back end to assist in managing large volumes of data FLAG features: Log analysis Network forensics Disk forensics 40

41 md5deep md5deep Cross-platform set of programs used to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files Features include the following: Recursive operation Comparison mode Time estimation 41

42 TestDisk TestDisk helps recover lost partitions and make nonbooting disks bootable again Can perform the following functions: Fix the partition table to recover deleted partitions Recover a FAT32 boot sector from its backup Rebuild a FAT12/FAT16/FAT32 boot sector Fix FAT tables Rebuild an NTFS boot sector Recover an NTFS boot sector from its backup Copy files from deleted FAT, NTFS, and ext2/ext3 partitions 42

43 HELIX HELIX An incident response and computer forensic toolkit formerly based on Knoppix Live CD No longer available as a free forensic software Latest version, Helix3 Pro, is only available to e- Fense members through a paid subscription Booting into HELIX provides a graphical menu for accessing forensic tools 43

44 BackTrack BackTrack can be used as a bootable CD or bootable USB flash drive Also available as a VM appliance for use in a virtual environment Provides over 300 tools, such as: Penetration testing tools Wireless cracking tools Network mapping tools Information gathering tools Vulnerability identification tools Forensic and reverse engineering tools 44

45 Kali Linux Kali Linux - an updated version of BackTrack Figure 6-5 Kali Linux

46 Summary Linux imparts flexibility, power, and greater control as a forensic tool than other operating systems Linux has a number of simple utilities that make imaging and basic analysis of suspect disks There are several popular Linux toolkits that provide a GUI 46

The Sleuth Kit v2.01 and Autopsy Forensic Browser Demonstration. Anthony Dowling

The Sleuth Kit v2.01 and Autopsy Forensic Browser Demonstration Anthony Dowling Date: June 02, 2006 ii Abstract The Sleuth Kit is a collection of Linux tools that perform different aspects of a file system