Linux is a freely distributed, Unix-like operating system. It was started by Linus Torvalds in 1991 and developed over the internet; since then a large community of users and developers has grown it into a hugely diversified system that is in use by large companies, academic institutions and individual users. Free access to the source code has been a big advantage and has let Linux become a success in a short period of time. Linux was originally written for the PC platform and takes advantage of that hardware to give users performance comparable to high-end UNIX workstations. From 1991 onward it spread quickly through hacker web sites as the alternative to Windows and to the more expensive UNIX systems.
- Each new version is more user friendly.
  ◦ Disk installation is no longer confusing.
  ◦ The installation interface is more intuitive.
  ◦ The graphical environment has matured considerably.
- More and more companies are embracing and supporting Linux.
  ◦ IBM has teams of developers working on it.
  ◦ Apple's OS now has a UNIX-like core.
  ◦ Novell is now in the Linux business.
- More and more devices run Linux.
  ◦ Personal devices: cell phones and PDAs.
  ◦ Electronics: video recorders, MP3 players.
Why Linux for forensics:
- Reliability.
- Scalability.
- Flexibility: boot from a CD into a complete OS; broad file system support, platform support, etc.
- Security: you control not just your forensic software but the whole OS and how it touches attached hardware (for example, whether an evidence drive gets mounted at all, and whether it is mounted read-only).
- Price: free (no license fee, open source).
- Power: a Linux distribution is, or can be turned into, a forensic tool in its own right.
Almost every kind of computer user now uses Linux:
- Engineers and scientists, for code development and simulation.
- System administrators.
- Network providers: networking is one of the real strengths of Linux (file sharing, remote logins, Samba, ...).
- Kernel hackers: plenty of talented people on the web to help.
- Multimedia authors: it works with almost all sound and video cards, OpenGL has been ported, some virtual reality machines now run Linux, and there is the very handy graphics tool GIMP.
- Antarctic research stations and oceanography vessels.
- Students.
Linux is just the kernel (the heart of the OS), not the whole OS. The OS consists of the kernel plus the basic tools and utilities that run on it: the file manipulation and search commands, editors, compilers, etc. The kernel by itself is pretty useless, like a brain without a body. The Linux kernel plus the GNU utilities form the "Linux OS" as most people know it, e.g. Red Hat Linux, Mandrake Linux, SuSE Linux, Debian GNU/Linux, Slackware Linux.
Linux versus Windows:

                      Linux                                      Windows
Licensing             open source                                proprietary
File systems          ext2 (inodes), ext3 (journaling),          FAT12, FAT16, FAT32, NTFS, exFAT
                      ReiserFS, ext4, etc.
GUI                   KDE and GNOME                              Windows
Text-mode interface   bash                                       command interpreter (DOS prompt)
Directory structure   single hierarchical tree starting          partitions with drive-letter
                      at the root (/)                            directories: C:, D:
Boot loader           LILO and GRUB                              NTLDR and boot.ini
- Hierarchical data structure: "/" is the root directory.
- Linux primary file systems:
  ◦ Second Extended File System (ext2fs)
  ◦ ext3fs, the journaling version of ext2fs
- Employs inodes, which hold the metadata about each file or directory (owner, permissions, timestamps and the addresses of the blocks holding the content).
- Everything is treated as a file; these objects live in four kinds of "blocks":
  ◦ Boot block (bootstrap code)
  ◦ Superblock (describes and manages the file system: its size, block size, inode counts and feature flags)
  ◦ Inode blocks (file allocation)
  ◦ Data blocks (where directory entries and file contents are stored)
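As an added example (written for this page, not code from the slides or from any tool it names), the following POSIX shell script reads the ext2/ext3 superblock straight out of a raw partition image with dd and od, so the file system can be identified and sized without mounting it. The field offsets are those of the ext2 on-disk format (superblock at byte 1024 of the partition, magic 0xEF53 at byte 56 of the superblock, compat feature bit 0x4 meaning "has journal", which is what makes an ext3 volume ext3). The sample image, the volume label "evidence", the counts in it and the function names are all constructed for the demo:

```shell
#!/bin/sh
# Added example, not from the original slides: inspect the ext2/ext3 superblock
# of a raw partition image without mounting it. Offsets follow the ext2 on-disk
# layout; the sample image below is constructed and carries only the fields read.
set -eu

SB_OFF=1024        # the superblock starts 1024 bytes into the partition
EXT_MAGIC=61267    # 0xEF53, s_magic
HAS_JOURNAL=4      # EXT3_FEATURE_COMPAT_HAS_JOURNAL bit of s_feature_compat

# read_le FILE OFFSET NBYTES: print an unsigned little-endian integer (POSIX sh only)
read_le() {
    val=0; shift_by=0
    for b in $(dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tu1); do
        val=$(( val + (b << shift_by) ))
        shift_by=$(( shift_by + 8 ))
    done
    echo "$val"
}

ext_magic()        { read_le "$1" $((SB_OFF + 56)) 2; }
ext_inodes_count() { read_le "$1" $((SB_OFF + 0)) 4; }
ext_blocks_count() { read_le "$1" $((SB_OFF + 4)) 4; }
# s_log_block_size stores log2(block size) - 10: 0 -> 1024, 1 -> 2048, 2 -> 4096
ext_block_size()   { echo $(( 1024 << $(read_le "$1" $((SB_OFF + 24)) 4) )); }
ext_has_journal() {
    if [ $(( $(read_le "$1" $((SB_OFF + 92)) 4) & HAS_JOURNAL )) -ne 0 ]; then echo yes; else echo no; fi
}
ext_volume_name()  { dd if="$1" bs=1 skip=$((SB_OFF + 120)) count=16 2>/dev/null | tr -d '\000'; }

# ext_summary IMAGE: one line describing the file system; exit 1 if the magic is absent
ext_summary() {
    if [ "$(ext_magic "$1")" -ne "$EXT_MAGIC" ]; then
        echo "no ext2/ext3 superblock at offset $SB_OFF"
        return 1
    fi
    printf 'label=%s inodes=%s blocks=%s block_size=%s journal=%s\n' \
        "$(ext_volume_name "$1")" "$(ext_inodes_count "$1")" \
        "$(ext_blocks_count "$1")" "$(ext_block_size "$1")" "$(ext_has_journal "$1")"
}

# poke FILE OFFSET BYTE...: write decimal byte values at OFFSET (demo helper)
poke() {
    f=$1; off=$2; shift 2
    for b in "$@"; do
        printf "$(printf '\\%03o' "$b")" | dd of="$f" bs=1 seek="$off" conv=notrunc 2>/dev/null
        off=$((off + 1))
    done
}

# make_sample_superblock FILE: constructed 2 KiB "partition" with 128 inodes,
# 1024 blocks of 1 KiB, the journal feature set and the label "evidence"
make_sample_superblock() {
    dd if=/dev/zero of="$1" bs=1024 count=2 2>/dev/null
    poke "$1" $((SB_OFF + 0))  128 0 0 0   # s_inodes_count = 128
    poke "$1" $((SB_OFF + 4))  0 4 0 0     # s_blocks_count = 1024
    poke "$1" $((SB_OFF + 56)) 83 239      # s_magic = 0xEF53 (bytes 53 EF, little-endian)
    poke "$1" $((SB_OFF + 92)) 4 0 0 0     # s_feature_compat: has_journal (ext3-style)
    printf 'evidence' | dd of="$1" bs=1 seek=$((SB_OFF + 120)) conv=notrunc 2>/dev/null
}

if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_sample_superblock "$tmp/part.dd"
    ext_summary "$tmp/part.dd"   # label=evidence inodes=128 blocks=1024 block_size=1024 journal=yes
    rm -r "$tmp"
fi
```

Run it as `sh extsb.sh demo`. On a real image, point the functions at the partition rather than the whole disk (or add the partition's start offset to SB_OFF); the magic check is the same test that `file` applies when it reports "Linux rev 1.0 ext2/ext3 filesystem data".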
Linux treats its devices as files, kept in the special directory /dev and labeled with a path starting at the root (/) directory:
- Primary master IDE disk: /dev/hda; its first partition is /dev/hda1, the second /dev/hda2.
- Primary slave: /dev/hdb; secondary master and slave: /dev/hdc and /dev/hdd; partitions are numbered the same way (/dev/hdb1, /dev/hdb2, ...).
- SCSI disks: /dev/sda, with first partition /dev/sda1.
- Linux treats SATA, USB and FireWire drives the same way as SCSI devices, so they also appear as /dev/sdX (on current kernels IDE/PATA disks appear as /dev/sdX as well).
The forensic process, and the Helix tools that serve it (Adepto for acquisition, Autopsy for analysis):
- Acquisition: making a copy of the original drive (physical or logical).
- Validation: ensuring the integrity of the data being copied (hashes, headers).
- Discrimination: sorting and searching through all the investigation data.
- Extraction: recovering data is the first step in analyzing an investigation's data (keyword search, carving, decrypting).
- Reconstruction: re-create a suspect drive to show what happened during a crime or an incident:
  ◦ Disk-to-disk copy
  ◦ Image-to-disk copy
  ◦ Partition-to-partition copy
  ◦ Image-to-partition copy
- Reporting: to complete a forensic disk analysis and examination, you need to create a report.
- dd copies from an input file or device to an output file or device: simple bit-stream imaging.
- sfdisk and fdisk show the disk's partition structure (they work on an image file as well as on a device).
- grep searches a file, or multiple files, for instances of an expression or pattern.
- The loop device lets you associate a regular file with a device node, so you can mount a bit-stream image without rewriting it to a disk; mount it read-only so the examination does not alter the evidence.
- md5sum and sha1sum compute and store an MD5 or SHA-1 hash of a file or list of files (devices included).
- file reads a file's header to ascertain its type, regardless of name or extension.
- xxd is a command-line hex dump tool for viewing a file in hex.
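The following shell script, an added example rather than code from the slides or from Helix, strings the tools above into a minimal acquisition workflow: a dd bit-stream copy, MD5 and SHA-1 validation of the copy against the source, a raw keyword search with grep that reports byte offsets into the image, and a read-only loop-mount helper that takes the partition start sector from `fdisk -l` or `sfdisk -d`. The evidence file, the string inside it, its offset and every path are constructed for the demo; the mount helper needs root and is shown but not run:

```shell
#!/bin/sh
# Added example, not from the original slides: acquire, validate and search a
# bit-stream image with dd, md5sum/sha1sum and grep. All inputs are constructed.
set -eu

# acquire_image SOURCE IMAGE
# bs=512 matches the sector size, so a read error costs exactly one sector;
# conv=noerror keeps going past it and conv=sync pads that sector with zeros, so
# every later byte sits at the same offset in the image as on the device.
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# validate_image SOURCE IMAGE: MATCH if both MD5 and SHA-1 agree, else MISMATCH.
# A MISMATCH after a clean copy means the source changed underneath you
# (automounter, journal replay) or a sector was unreadable and got zero-filled.
validate_image() {
    src="$(md5sum < "$1" | cut -d' ' -f1) $(sha1sum < "$1" | cut -d' ' -f1)"
    img="$(md5sum < "$2" | cut -d' ' -f1) $(sha1sum < "$2" | cut -d' ' -f1)"
    if [ "$src" = "$img" ]; then echo MATCH; else echo MISMATCH; fi
}

# keyword_offsets IMAGE PATTERN: byte offset of every hit in the raw image, one
# per line. -a treats the binary image as text; -b with -o reports the offset of
# the match itself, which is the number to hand to xxd -s or to a carving tool.
keyword_offsets() {
    grep -a -b -o -- "$2" "$1" | cut -d: -f1
}

# mount_partition_ro IMAGE START_SECTOR MOUNTPOINT (needs root; not run here)
# START_SECTOR comes from `fdisk -l IMAGE` or `sfdisk -d IMAGE`; offset= assumes
# 512-byte sectors. ro,noexec,noatime keep the image unchanged and nothing in it
# executable; mount sets up the loop device itself.
mount_partition_ro() {
    mount -o ro,loop,noexec,noatime,offset=$(( $2 * 512 )) "$1" "$3"
}

# make_sample_evidence FILE: constructed 8-sector "drive" with one string at byte 1024
make_sample_evidence() {
    dd if=/dev/zero of="$1" bs=512 count=8 2>/dev/null
    printf 'password=hunter2' | dd of="$1" bs=1 seek=1024 conv=notrunc 2>/dev/null
}

if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_sample_evidence "$tmp/evidence.raw"                # stands in for /dev/sdb
    acquire_image "$tmp/evidence.raw" "$tmp/evidence.dd"
    validate_image "$tmp/evidence.raw" "$tmp/evidence.dd"   # MATCH
    keyword_offsets "$tmp/evidence.dd" 'password='          # 1024
    if command -v xxd >/dev/null; then xxd -s 1024 -l 32 "$tmp/evidence.dd"; fi
    rm -r "$tmp"
fi
```

Run it as `sh acquire.sh demo`. Note that conv=sync pads a short final read out to bs, so on a plain file whose size is not a multiple of 512 the image hash will legitimately differ from the source; real block devices are whole sectors, which is why bs=512 is used here, and why the hash comparison is the step that tells you whether the copy can be trusted.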
Forensic suites provide a lower-cost way to get the most out of the tools and typically include the most often used ones:
1. Paraben
2. EnCase
3. X-Ways Forensics
4. FTK
5. ProDiscover
- SMART: can analyze a variety of file systems; many plug-in utilities are included.
- Helix: can be loaded on a live Windows system, or boots as a Linux OS from a cold boot (does not touch the host PC); contains Adepto to capture an image and Autopsy to analyze it.
- Knoppix-STD: a collection of tools for configuring security measures, including computer and network forensics.
- The Sleuth Kit
- BackTrack
- The Coroner's Toolkit
- FIRE
Helix is a live Linux CD carefully tailored for incident response, system investigation and analysis, data recovery and security auditing. Helix has two modes: a pure Linux bootable live CD, and a Windows mode in which it runs in vivo on top of a running Windows desktop.
Why Helix:
- Open source platform.
- Linux platform:
  ◦ Bootable Linux OS from a cold boot.
  ◦ Easier to script and perform operations.
- Has the better-integrated tools, i.e. Adepto and Autopsy.
- Windows platform: used for safer "live" captures on running systems.
- Compiled toolkit:
  ◦ Fewer dependencies on the client side.
- Easy to use: Ubuntu plus a GUI.
Adepto demo: how to capture an image using Adepto.
After the image is captured with Adepto, Autopsy can analyze the captured drive's data. Autopsy demonstration.