Forensics With Linux

Forensics With Linux 101
  1. Forensics with Linux ● Anuchit Chalothorn ● anuchit.ch@sipa.or.th
  2. Agenda ● Introduction ● Preparation ● Imaging technique ● Archiving technique ● Analysis ● Conclusion
  3. About Me ● Senior Software Engineer @ SIPA ● Co-Project Manager @ Trilex Lab ● Fedora Ambassador ● Open Source Software Contributor ● I am not a hacker!
  4. Why use Linux for forensics? ● The tools are free of charge ● Most of them are open source software ● The environment is flexible; it is only a command line :P
  5. The limitations ● No vendor support or hotline to call ● The tools may be buggy ● No universal standard ● Hard to decide which is the best way to do something ● Use at your own risk, and type carefully!
  6. Let's begin ● A computer with a forensic analysis system running on Linux ● A Linux live CD/USB ● The evidence hard drive, running any operating system ● An image hard drive (the destination for the copy)
  7. Linux live CD/USB ● F.I.R.E. ● DEFT ● Knoppix STD ● Penguin Sleuth ● Others: general-purpose live distributions not designed for forensics
  8. Preparation for imaging ● Record the HDD label or model information, and note the size and total number of sectors of the evidence drive (you need them to size the image drive) ● Wipe and format a very large drive (> 3x the evidence size) ● The device names below follow the later slides: the image (destination) drive is /dev/hdc and the evidence drive is /dev/hda; confirm which is which with dmesg before wiping anything, because this step destroys the target drive ● Wipe the image drive: dcfldd if=/dev/zero of=/dev/hdc bs=8k conv=noerror,sync ● Create a partition: fdisk /dev/hdc ● Format it: mkfs -t ext3 /dev/hdc1
  9. Preparation for imaging ● Mount the image drive read-write (the evidence drive is never mounted): mount /dev/hdc1 /mnt/hdc1 ● Create a directory on the image drive for this case: mkdir /mnt/hdc1/case_no ● Create a subdirectory under that for this piece of evidence: mkdir /mnt/hdc1/case_no/evidence_no
  10. Describe the case ● Create a text file with vim or nano ● General information about the case: ● Your name and organization ● Case number or other identifier ● Date ● General information about the case
  11. Describe the piece of media ● Include information about this case and all identifying information about this media: ● Your name and organization ● Case number or other identifier for this job ● Evidence number assigned to this HD ● Date and time the image will be made ● Make, model, and serial number of the computer ● IP address and hostname of the computer ● Make, model, and serial number of the HD ● Where the HD came from and why you are looking at it
  12. Connect the evidence ● Connect the evidence drive and the image drive ● Boot from CD/USB ● Ensure the master/slave or cable-select jumpers are set correctly ● Ensure the BIOS boots from CD/USB, never from the evidence drive
  13. Getting started with Linux ● Most forensic distributions drop you into command-line mode, a shell ● Switch terminals with Ctrl+Alt+F2 ● Log in as root ● Do not mount the evidence hard drive (use a hardware write blocker in front of it where possible)
  14. Figure out which HDD is which ● Read the boot messages from the command line: dmesg | grep hd ● hd* names IDE drives; SATA, SCSI and USB drives appear as sd*, so grep for sd instead
  15. Figure out which HD is which ● Assume the image HD is /dev/hdc and the evidence is /dev/hda ● Mount the image hard drive read-write: mount /dev/hdc1 /mnt/hdc1 ● Change to your directory for this piece of evidence: cd /mnt/hdc1/case_no/evidence_no ● Keep the boot messages with the case files: dmesg | tee case_no_dmesg.txt
  16. Use hdparm ● Get the evidence hard disk information (-g geometry, -i and -I identification data) with hdparm: hdparm -giI /dev/hda | tee case_no_hdparm.txt
  17. List partitions with sfdisk ● List the evidence partitions with fdisk or sfdisk (-l list, -uS units in sectors): sfdisk -luS /dev/hda | tee sfdisk.txt
  18. Hashing options ● Hash the evidence for integrity checking, before imaging and again afterwards ● Tools: md5sum, sha1sum (sha256sum is also in coreutils) ● MD5 is no longer collision-resistant, so record more than one digest
  19. Hashing with MD5 ● Hash the text files: md5sum *.txt | tee case_no_txt_md5.txt ● Hash the drive: md5sum /dev/hda | tee serial_no.original.md5.txt
  20. Hashing with SHA-1 ● Hash the text files: sha1sum *.txt | tee case_no_txt_sha1.txt ● Hash the drive: sha1sum /dev/hda | tee serial_no.original.sha1.txt ● Use a different output file for each algorithm; writing both to one file with tee overwrites the first
  21. Imaging options ● dd ● rda ● dcfldd
  22. dcfldd options: conv ● conv=sync,noerror ● noerror = do not stop on a read error ● sync = on a read error, pad the output block with 0x00. Without sync, read errors skip sectors, which shifts every later sector and corrupts the file allocation table, etc.
  23. dcfldd options: bs ● bs means block size ● Default bs=512 bytes ● A larger bs (such as bs=8k) gives better throughput, based on the hdparm results ● But on a read error the entire block is padded, not just the bad sector, so leave bs at the default
  24. dcfldd options ● Can hash while imaging: hashwindow=0 hashes the whole image as one block (hashwindow=N emits a digest every N bytes), hashlog=case_no_dcflddhash.txt writes it to a file; hash=sha1 or hash=md5,sha1 selects the algorithm ● Can split while imaging (split= and splitformat=, or use a script or pipe to split)
  25. dcfldd ● Example command with all recommended options: dcfldd if=/dev/hda of=/mnt/hdc1/case_no/evidence_no/serial_no.dd conv=noerror,sync hashwindow=0 hashlog=serial_no.md5.txt ● The hashlog path is relative to the current directory (the evidence directory from slide 15) ● Compare the hashlog with serial_no.original.md5.txt from slide 19; a mismatch means unreadable sectors were padded, and must be documented ● DO NOT CONFUSE if= AND of= !!
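The imaging-and-verification step of slides 18 to 25, as an added example that is not from the original slides: it images a source with dd using the same conv=noerror,sync and bs=512 choices, records source digests before imaging and image digests after, and checks that they match. Because it must run without root or a real evidence drive, make_fake_evidence builds a constructed 1 MiB file standing in for /dev/hda (an assumption); on a real case SRC would be the evidence device and dcfldd's hashlog would give you the image digest directly.

```shell
#!/bin/sh
# Added example, not the slides' code: image a source, hash it before and
# after, and refuse to call the copy good unless the digests agree.
set -eu

# make_fake_evidence PATH: 2048 sectors of random bytes as a stand-in drive
# (constructed sample input; a real case uses the evidence device instead).
make_fake_evidence() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

# hash_file PATH ALGO: print only the digest (ALGO is md5 or sha1).
hash_file() {
    "${2}sum" "$1" | cut -d' ' -f1
}

# image_and_verify SRC DEST_DIR NAME
# Writes DEST_DIR/NAME.dd plus NAME.original.{md5,sha1}.txt (digests of the
# source, taken before imaging) and NAME.image.{md5,sha1}.txt (digests of the
# copy). Returns 0 only when every pair matches, i.e. the copy is bit-exact.
image_and_verify() {
    src=$1; dest=$2; name=$3
    mkdir -p "$dest"
    for algo in md5 sha1; do
        hash_file "$src" "$algo" > "$dest/$name.original.$algo.txt"
    done
    # conv=noerror,sync: keep going on a read error and pad the unreadable
    # block with 0x00 so every later sector keeps its original offset.
    # bs=512 (the default) limits what one bad sector costs to that sector.
    dd if="$src" of="$dest/$name.dd" bs=512 conv=noerror,sync 2>/dev/null
    for algo in md5 sha1; do
        hash_file "$dest/$name.dd" "$algo" > "$dest/$name.image.$algo.txt"
        cmp -s "$dest/$name.original.$algo.txt" "$dest/$name.image.$algo.txt" || return 1
    done
}

# verify_image DEST_DIR NAME: re-check the image against the recorded source
# digests, e.g. before analysis or after moving it to another host.
verify_image() {
    dest=$1; name=$2
    for algo in md5 sha1; do
        [ "$(hash_file "$dest/$name.dd" "$algo")" = "$(cat "$dest/$name.original.$algo.txt")" ] || return 1
    done
}

# Stand-alone demo: ./image_verify.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_fake_evidence "$work/fake_hda"
    image_and_verify "$work/fake_hda" "$work/case_no/evidence_no" serial_no && echo "image verified"
    rm -rf "$work"
fi
```

A mismatch from image_and_verify is not a bug to retry silently: with conv=noerror,sync it means sectors were unreadable and padded, so note the dd error output and the mismatch in the case description from slide 11.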
  26. Archiving ● Compress a disk image, file or directory ● Smaller than the original (a raw image of random or encrypted data compresses poorly, though) ● Easy to carry ● Easy to transfer to another host ● Compression is lossless, but verify the image hash after extracting it anyway
  27. Archiving tools ● gzip ● tar ● bzip2 ● lzma
  28. Archiving technique ● Compress a directory with tar and gzip: tar zcvf archivename.tar.gz directoryname ● Option description ● z = gzip compression ● c = create an archive ● v = verbose ● f = archive file name (the next argument)
  29. Archiving technique ● Extract a compressed file with tar and gzip: tar zxvf archivename.tar.gz (add a member name after the archive to extract only that entry) ● Option description ● z = gzip compression ● x = extract mode ● v = verbose ● f = archive file name
  30. Archiving technique ● Compress a directory with tar and bzip2: tar jcvf archivename.tar.bz2 directoryname ● Option description ● j = bzip2 compression ● c = create an archive ● v = verbose ● f = archive file name
  31. Archiving technique ● Extract a compressed file with tar and bzip2: tar jxvf archivename.tar.bz2 ● Option description ● j = bzip2 compression ● x = extract mode ● v = verbose ● f = archive file name
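The archive-and-transfer procedure of slides 26 to 31, as an added example that is not part of the original slides: it writes a SHA-1 manifest into the case directory, packs it with tar and gzip, and after extraction checks every file against that manifest, so a transfer that changed a single byte of the image is caught. The manifest file name and the case directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not the slides' code: archive a case directory and prove
# after extraction that its contents, the disk image included, are unchanged.
set -eu

# write_manifest DIR: SHA-1 of every file under DIR, stored in DIR/manifest.sha1
# (the manifest name is an assumption of this example).
write_manifest() {
    ( cd "$1" && find . -type f ! -name manifest.sha1 -print0 | sort -z | xargs -0 sha1sum > manifest.sha1 )
}

# verify_manifest DIR: returns non-zero if any listed file is missing or differs.
verify_manifest() {
    ( cd "$1" && sha1sum -c --quiet manifest.sha1 )
}

# archive_case DIR: record the manifest, then create DIR.tar.gz beside DIR.
# -c create, -z gzip, -f the archive file name (f is not "force"); -C changes
# into the parent first so the archive holds relative paths.
archive_case() {
    write_manifest "$1"
    tar -C "$(dirname "$1")" -czf "$1.tar.gz" "$(basename "$1")"
}

# extract_and_verify ARCHIVE DEST: extract (-x) into DEST, then verify the
# manifest inside the restored top-level directory.
extract_and_verify() {
    mkdir -p "$2"
    tar -C "$2" -xzf "$1"
    top=$(tar -tzf "$1" | head -n 1 | cut -d/ -f1)
    verify_manifest "$2/$top"
}

# Stand-alone demo on a constructed case directory: ./archive_verify.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    mkdir -p "$work/case_no/evidence_no"
    printf 'constructed image bytes' > "$work/case_no/evidence_no/serial_no.dd"
    archive_case "$work/case_no"
    extract_and_verify "$work/case_no.tar.gz" "$work/restored" && echo "archive verified"
    rm -rf "$work"
fi
```

Send manifest.sha1 (or its own digest) to the receiving host over a separate channel from the archive; a manifest that travels only inside the tarball protects against transfer corruption, not against someone who can rewrite the archive.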
  32. Analysis ● Mount the disk images or partition images ● Find the pieces of evidence: files, directories, or transactions recorded in files ● Report to the court
  33. Mount an image over loopback ● A whole-disk image cannot be mounted directly ● A partition image can be mounted directly ● A disk image needs its own loop device, attached at the partition's byte offset ● A partition image can be mounted with the loop option
  34. Mount a partition image ● Mount the partition image over a loop device, read-only: mount -o ro,loop diskimage.dd /mount-directory ● For ext3/ext4 add noload so the journal is not replayed: mount -o ro,loop,noload ● Unmount the image when you no longer need it: umount /mount-directory
  35. Mount a disk image ● Show the partition table with sfdisk or fdisk, and the image type with file: sfdisk -luS diskimage.dd ● file diskimage.dd ● Attach the disk image to a read-only loop device; to reach a partition, set the byte offset (start sector x sector size) when setting up the loop device: losetup -r /dev/loop0 diskimage.dd ● losetup -r -f -o $((63*512)) diskimage.dd
  36. Mount a disk image ● If you do not know the offset, this script prints a mount line per partition from the fdisk listing: sudo fdisk -l /dev/loop0 | awk '/^Units/ { bytes=$(NF-1) } /^\// { print $1 "[" $NF "]: mount -o offset=" $3 * bytes }' ● It takes the start sector from column 3, which is right only for lines carrying the boot flag (*); for other partitions the start is column 2, so check the listing ● After attaching the image at the partition offset you can mount the volume, read-only, with the mount command: mount -o ro /dev/loop0 /mnt
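Computing partition offsets, as an added example that is not from the original slides: instead of scraping columns from fdisk -l, it reads the start= fields of an sfdisk -d dump (same format for every partition, with or without a boot flag), multiplies by the sector size, and prints the read-only mount and losetup commands for each partition. The dump in write_sample_dump is constructed (not from a real disk); the start sectors 63 and 2088450 and the sector size are assumptions.

```shell
#!/bin/sh
# Added example, not the slides' code: partition byte offsets from an
# `sfdisk -d image.dd` dump, plus the read-only loop mount commands.
set -eu

# write_sample_dump PATH: a constructed sfdisk -d style dump (sample input)
write_sample_dump() {
    cat > "$1" <<'EOF'
# partition table of diskimage.dd
unit: sectors
sector-size: 512

diskimage.dd1 : start=          63, size=     2088387, type=83
diskimage.dd2 : start=     2088450, size=     2088450, type=82
diskimage.dd3 : start=           0, size=           0, type=0
EOF
}

# partition_offsets DUMP [SECTOR_SIZE]
# Prints "name start_sector offset_bytes" for each non-empty entry. The sector
# size comes from the argument if given, else from a sector-size: line in the
# dump, else 512 (the assumption most MBR disks satisfy).
partition_offsets() {
    awk -v ss="${2:-}" '
        /^sector-size:/ { if (ss == "") ss = $2 }
        /start=/ {
            if (ss == "") ss = 512
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^start=/) {
                    v = substr($i, 7)          # text after "start="
                    if (v == "") v = $(i + 1)  # value landed in the next field
                    sub(/,$/, "", v)
                    if (v + 0 > 0)             # skip empty table slots
                        printf "%s %.0f %.0f\n", $1, v, v * ss
                }
            }
        }' "$1"
}

# mount_command IMAGE OFFSET DIR: read-only loop mount at that byte offset.
mount_command() {
    printf 'mount -o ro,loop,offset=%s %s %s\n' "$2" "$1" "$3"
}

# losetup_command IMAGE OFFSET: read-only loop device attached at that offset;
# --show prints the device name losetup picked.
losetup_command() {
    printf 'losetup -r -f --show -o %s %s\n' "$2" "$1"
}

# Stand-alone demo: ./offsets.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_sample_dump "$d/dump.txt"
    partition_offsets "$d/dump.txt" | while read -r name start off; do
        mount_command diskimage.dd "$off" "/mnt/$name"
        losetup_command diskimage.dd "$off"
    done
    rm -rf "$d"
fi
```

On a real image, run sfdisk -d diskimage.dd > sfdisk.txt and feed that file to partition_offsets; keep the dump with the case files, since it documents the layout you mounted.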
  37. Analysis tools ● Sleuth Kit ● Odessa ● Rapid Evidence eXtractor (rex) ● Forensics and Log Analysis GUI (flag)
  38. Useful links ● Penguin Sleuth www.linux-forensics.com ● Forensic and Log Analysis GUI (FLAG) www.dsd.gov.au/software/flag ● SleuthKit/Autopsy www.sleuthkit.org
  39. Useful links ● National Software Reference Library (NSRL) www.nsrl.nist.gov ● Tools, forums, mailing lists www.openforensics.org ● The Coroner's Toolkit www.porcupine.org/forensics/tct.html
  40. Useful links ● F.I.R.E fire.dmzs.com ● DEFT www.deftlinux.net
  41. Conclusion ● All of this is just tools you can use ● The important thing is your experience and tactics ● Teamwork
  42. Q & A
  43. Thank You ;)
  44. Creative Commons CC-BY-SA