Module XIV – Linux Forensics
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Linux Tool Speeds Up Computer Forensics for Cops
Source: http://news.zdnet.com/2100-3513_22-190993.html
Module Objective
This module will familiarize you with:
• Linux Forensics Environment Creation
• Floppy Disk Analysis
• Hard Disk Analysis
• Linux Boot Sequence
• Data Collection using Toolkit
• Crash Commands
• Step-By-Step Approach to Case
• Use of Linux in Forensics
• Linux Forensic Tools
Module Flow
Linux Boot Sequence
Data Collection using Toolkit
Crash Commands
Step-By-Step Approach to Case
Use of Linux in Forensics
Floppy Disk Analysis
Linux Forensics Environment Creation
Hard Disk Analysis
Linux Forensic Tools
Introduction to Linux
Linux OS
Linux is a free, Unix-like, open source operating system originally developed by Linus Torvalds with the assistance of developers around the world
It comes in different packages called distributions, such as Red Hat, SuSE, and Mandrake
Linux distributions come in the following editions:
• Desktop: a desktop installation with a graphical interface and common applications
• Server/Enterprise: used in production and business environments
• Live CD: the operating system is stored on, and booted from, a bootable storage device
Linux Boot Sequence
The first step in the Linux boot sequence is loading the kernel
The kernel image is usually kept in the /boot directory
Details of the boot loader configuration can be read from LILO or GRUB with:
    more /etc/lilo.conf
    more /etc/grub.conf
The next step is initialization, where the runlevel and startup scripts are run and the terminal processes are started
The file that controls initialization is /etc/inittab, and the program that begins the process is /sbin/init
File System in Linux
On most Linux distributions, the basic directory structure is organized like this:
File System Description
Linux Forensics
Linux has a number of simple utilities that make imaging and basic analysis of suspect disks and drives easier. These include:
Utility: Description
dd: copies data from an input file or device to an output file or device
sfdisk and fdisk: determine the disk's partition structure
grep: searches files for instances of an expression or pattern
the loop device: allows you to mount an image without having to write the image back to a disk
md5sum and sha1sum: create and store an MD5 or SHA-1 hash of a file or list of files (including devices)
file: reads file header information to ascertain a file's type regardless of its name or extension
xxd: command-line hexdump tool
ghex and khexedit: the GNOME and KDE (X Window) hex editors
Use of Linux as a Forensics Tool
Why use Linux for Forensics?
Greater Control
• Treats every device as a file
• Does not need a separate write blocker
Flexibility
• Can be booted from a CD
• Can recognize several file systems
Power
• Distributions like THE FARMER'S BOOT CD and Sleuth make Linux a forensic tool in itself
Advantages of Linux in Forensics
Software availability and accessibility
• Software is freely available
• Source code is provided
• Tools can be closely scrutinized for correctness
Efficiency
• Allows for much automation and scripting
Optimizing and Customizing
• Software can be modified to fit the requirements
Support
• It is supported by an ad-hoc community
• It uses open and published standards
• It is compatible across technologies and organizations
Disadvantages of Linux in Forensics
Requires training
• It takes time and effort to learn Linux
• The command line requires expertise, unlike the GUI environment, which is easy to work with
Inter-operating with technologies is hard
• Continuous changes and updates occur
• It takes time to implement changes
• A change or implementation may not be the final one
Precautions to Take During an Investigation
Avoid running programs on the compromised system
Do not run programs that will modify the metadata of files and directories
Write the results of the investigation to a remote location
Calculate hash values of the digital data so that any later alteration can be detected
Recognizing Partitions in Linux
If a standard IDE disk is being used, it will be referred to as "hdx"
The "x" is replaced with an "a" if the disk is connected to the primary IDE controller as master, and with a "b" if it is connected to the primary IDE controller as a slave device
Similarly, IDE disks connected to the secondary IDE controller as master and slave are referred to as "hdc" and "hdd" respectively
mount Command
Devices such as floppies, CDs, hard disk partitions, and other storage devices must be attached to an existing directory on your system before they can be accessed
This attaching is called mounting, and the directory where the device is attached is called a mount point
After the device is mounted, you can access the files on that device through the directory where it is attached
Unmount the device when you want to remove or detach it from the mount point
When mounting, specify the device or partition to be mounted and the mount point
The mount point must be a directory that already exists on the system. An example that mounts a floppy is:
    $ mount /dev/fd0 /mnt/floppy
To unmount the device or partition, give its name to the umount command:
    $ umount /dev/fd0
dd Command Options
The dd command is used to convert and copy a file
It reads the InFile parameter, converts it to the specified format, and copies the data to the OutFile parameter
Syntax:
    dd [ bs=BlockSize ] [ cbs=BlockSize ] [ conv= [ ascii | block | ebcdic | ibm | unblock ] [ lcase | ucase ] [ iblock ] [ noerror ] [ swab ] [ sync ] [ oblock ] [ notrunc ] ] [ count=InputBlocks ] [ files=InputFiles ] [ fskip=SkipEOFs ] [ ibs=InputBlockSize ] [ if=InFile ] [ obs=OutputBlockSize ] [ of=OutFile ] [ seek=RecordNumber ] [ skip=SkipInputBlocks ] [ span=yes|no ]
Floppy Disk Analysis
In floppy disk analysis, insert the floppy into the floppy drive and obtain its SHA hash
To create the floppy disk image:
• Use dd to create a forensic image, then compare the SHA hash of the image against the hash taken of the floppy itself
• Use the commands:
    # dd if=/dev/fd0 of=/evidence/floppy1.img bs=512
    # sha1sum /evidence/floppy1.img > /evidence/floppy1img.sha1sum
    # cat /evidence/floppy1img.sha1sum
    # cat /evidence/floppy1.sha1sum
• The two hashes must match (floppy1.sha1sum holds the hash of the floppy device, floppy1img.sha1sum the hash of the image)
Floppy Disk Analysis (cont’d)
Identify the file system:
• Use the file utility to identify the file system of the floppy disk image
• Use the command:
    # file /evidence/floppy1.img
Mount the image for analysis:
• Create a directory on which to mount the image
• Use the mount utility to mount the image read-only through the loop device
• Use the commands:
    # mkdir /mnt/analysis
    # mount -t vfat -o ro,noexec,loop /evidence/floppy1.img /mnt/analysis
• The image can also be unmounted and remounted without specifying the type, letting mount detect it:
    # umount /mnt/analysis
    # mount -o ro,noexec,loop /evidence/floppy1.img /mnt/analysis
Floppy Disk Analysis (cont’d)
Obtain SHA hash of contents:
• Obtain the SHA hash of each file on the floppy disk and check the files
• Use the commands:
    # cd /mnt/analysis
    /mnt/analysis # find . -type f -exec sha1sum {} \; > /evidence/floppy1img.sha1filehash
    /mnt/analysis # cat /evidence/floppy1img.sha1filehash
    da39a3ee5e6b4b0d3255bfef95601890afd80709  ./.ICEauthority
    9155df0f906411433388c335c902d0a7452c6a72  ./addressbook
    2406038ea5da9776c1f32ba3d7f0e84d0b3d2af9  ./crackdealers.d
    /mnt/analysis #
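The per-file hashing step above, carried through as an added example that is not part of the EC-Council module: it builds the same kind of manifest with find and sha1sum, and later re-verifies the mounted tree against it with sha1sum -c, which is how a changed or missing file is noticed during the case. It assumes GNU coreutils and that the manifest path is absolute; the directory tree is constructed in a temporary directory as a stand-in for /mnt/analysis.

```shell
#!/bin/sh
# Added example (not from the EC-Council module): build a SHA-1 manifest of
# every file under a read-only mounted evidence image, then re-verify the
# tree against that manifest later in the case. Assumptions: GNU coreutils
# (find, sha1sum, sort, wc); MANIFEST is an absolute path because both
# functions cd into the mount point so the manifest holds "./relative" paths
# exactly as the module's "find . -type f -exec sha1sum {} \;" does.

# hash_tree MOUNT_POINT MANIFEST
# Writes one "hash  ./path" line per regular file, sorted by path so that two
# manifests of the same tree compare line for line. Prints the file count.
hash_tree() {
    ( cd "$1" && find . -type f -exec sha1sum {} \; ) | LC_ALL=C sort -k2 > "$2"
    wc -l < "$2" | tr -d ' '
}

# verify_tree MOUNT_POINT MANIFEST
# Re-hashes every entry with "sha1sum -c" and reports only the files whose
# hash no longer matches or that have gone missing. Returns 0 when the tree
# is unchanged, non-zero otherwise.
verify_tree() {
    ( cd "$1" && sha1sum -c --quiet "$2" )
}

# --- demonstration on a constructed tree standing in for /mnt/analysis ---
demo=$(mktemp -d)
mkdir -p "$demo/mnt/analysis/work" "$demo/evidence"
printf 'contact list\n'      > "$demo/mnt/analysis/addressbook"
printf 'quarterly figures\n' > "$demo/mnt/analysis/work/report.txt"
: > "$demo/mnt/analysis/.ICEauthority"      # empty file, like the page's example

manifest="$demo/evidence/floppy1img.sha1filehash"
echo "hashed $(hash_tree "$demo/mnt/analysis" "$manifest") files:"
cat "$manifest"

# Verification passes on the untouched tree ...
verify_tree "$demo/mnt/analysis" "$manifest" && echo "manifest verified: no changes"

# ... and flags a file once its contents change (a change a ro mount of the
# image would have prevented; here the working copy is tampered with on purpose).
printf 'edited\n' >> "$demo/mnt/analysis/work/report.txt"
verify_tree "$demo/mnt/analysis" "$manifest" || echo "manifest verification FAILED as expected"
```

Keeping the manifest outside the mounted image (under /evidence in the module's layout) matters: a manifest stored inside the tree it describes would be invalidated by its own creation.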
Floppy Disk Analysis (cont’d)
View a file’s contents:
• Use the strings utility to extract the printable text from a binary file
• Use the command:
    # strings crackdealers.d | less
Hard Disk Analysis
Make an image of the hard disk
• Use dd to copy the partition(s) to image file(s):
    dd if=/dev/hda1 of=/var/case01.dd
Seal the image: record the date and the image’s MD5 hash, then sign the seal with gpg
    date > case01.evidence.seal
    md5sum case01.dd >> case01.evidence.seal
    gpg --clearsign case01.evidence.seal
Mount the copy of the evidence into the file system
• Use the command:
    mount -o ro,loop,nodev,noexec case01.dd /mnt/evidence
Hard Disk Analysis (cont’d)
Capture the drive’s forensic data
    grave-robber -c /mnt/evidence -m \
        -d /var/investigations/case01 -o LINUX2
Extract the deleted inodes’ modify/access/change times
    ils case01.dd | ils2mac > case01.ilsbody
Combine the evidence for timeline conversion
    cat case01.ilsbody body > case01.evidence
Generate the timeline
    mactime -p /mnt/evidence/etc/passwd \
        -g /mnt/evidence/etc/group -b case01.evidence \
        11/28/2003 > case01.timeline
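The body-file-to-timeline step above, as an added example that is not The Coroner's Toolkit's or The Sleuth Kit's own code: a small mac-robber/mactime analogue in shell. It assumes GNU stat, find, awk, sort and date; the body line format it uses (path|mtime|atime|ctime in epoch seconds) is constructed for this example and is simpler than the real mactime body format, and its optional starting-epoch argument plays the role of the 11/28/2003 date given to mactime above.

```shell
#!/bin/sh
# Added example (not TCT/Sleuth Kit code): a small mac-robber/mactime analogue.
# collect_times walks a mounted evidence tree and records each file's modify,
# access and change times, as the body file above does; build_timeline turns
# that into one line per event, ordered by time, flagged with which of m/a/c
# fired at that instant. Assumptions: GNU stat, find, awk, sort and date.
# The body line format used here (path|mtime|atime|ctime, epoch seconds) is
# constructed for this example; the real mactime body carries more fields.

# collect_times MOUNT_POINT BODY
# One body line per regular file. stat only reads the inode, so collecting
# does not itself update any access time (the tree should be mounted ro anyway).
collect_times() {
    find "$1" -type f -exec stat -c '%n|%Y|%X|%Z' {} + | LC_ALL=C sort > "$2"
}

# build_timeline BODY [SINCE_EPOCH]
# Emits "YYYY-MM-DD HH:MM:SS  mac  path" lines in time order. A file whose
# three times coincide yields one "mac" line; otherwise one line per distinct
# time, e.g. "ma." then "..c". Events before SINCE_EPOCH are dropped, like
# mactime's starting-date argument.
build_timeline() {
    awk -F'|' -v since="${2:-0}" '
    {
        path = $1; split("", ev)              # ev[time] collects the letters that fired
        ev[$2] = ev[$2] "m"; ev[$3] = ev[$3] "a"; ev[$4] = ev[$4] "c"
        for (t in ev) if (t + 0 >= since + 0) {
            flags = (index(ev[t], "m") ? "m" : ".")
            flags = flags (index(ev[t], "a") ? "a" : ".")
            flags = flags (index(ev[t], "c") ? "c" : ".")
            printf "%d|%s|%s\n", t, flags, path
        }
    }' "$1" | sort -t'|' -k1,1n -k3 | while IFS='|' read -r t flags path; do
        printf '%s  %s  %s\n' "$(date -u -d "@$t" '+%Y-%m-%d %H:%M:%S')" "$flags" "$path"
    done
}

# --- demonstration on a constructed tree ---
demo=$(mktemp -d)
mkdir -p "$demo/evidence/home/user"
printf 'meeting notes\n' > "$demo/evidence/home/user/notes.txt"
printf 'x\n'             > "$demo/evidence/home/user/.bash_history"
# Pretend notes.txt was last written and read on 2003-11-28 10:00:00 UTC
# (epoch 1070013600); its ctime stays "now" because touch cannot set it.
touch -d @1070013600 "$demo/evidence/home/user/notes.txt"

collect_times "$demo/evidence" "$demo/case01.body"
echo "timeline of everything:";        build_timeline "$demo/case01.body"
echo "timeline from 2004-01-01 only:"; build_timeline "$demo/case01.body" 1072915200
```

The "ma." / "..c" split on notes.txt is the pattern an analyst looks for: a file whose content times were set back (or copied with preserved timestamps) while its inode change time betrays when it really arrived on the disk.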
Data Collection
Forensic Toolkit Preparation
The forensic toolkit should include tools such as:
• nc
• dd
• date
• cat
• pcat
• Hunter.o
• insmod
• netstat
• arp
• route
• dmesg
After building all the tools, copy them to removable media
Data Collection Using the Toolkit
Step 1: Media mounting
Step 2: Current date
Step 3: Cache tables
Step 4: Current and pending connections and open TCP/UDP ports
Step 5: Physical memory image
Data Collection Using the Toolkit (cont’d)
Step 6: List of modules loaded into the kernel memory of the operating system
Step 7: The list of active processes
Step 8: Collecting suspicious processes
Step 9: Useful information about the compromised system
Step 10: Current time
Data Collection Using the Toolkit (cont’d)
Media mounting
• Mount the toolkit on the external media:
    # mount -n /mnt/cdrom
• Calculate the hash value of each collected file to maintain the integrity of the digital evidence:
    # md5sum date_compromised > date_compromised.md5
Data Collection Using the Toolkit (cont’d)
Current date:
• Collect the current date, presented in UTC. Start the listener on the remote collection host first, then send the output from the compromised host through nc:
    # nc -l -p port > date_compromised
    # /mnt/cdrom/date -u | /mnt/cdrom/nc (remote) port
    # md5sum date_compromised > date_compromised.md5
Cache tables:
• Collect the cache table information first, as it is volatile and can be lost
• MAC address cache table:
    # nc -l -p port > arp_compromised
    # /mnt/cdrom/arp -an | /mnt/cdrom/nc (remote) port
    # md5sum arp_compromised > arp_compromised.md5
• Kernel route cache table:
    # nc -l -p port > route_compromised
    # /mnt/cdrom/route -Cn | /mnt/cdrom/nc (remote) port
    # md5sum route_compromised > route_compromised.md5
Data Collection Using the Toolkit (cont’d)
Current and pending connections and open TCP/UDP ports:
• Collect information about the current connections and open TCP/UDP ports:
    # nc -l -p port > connections_compromised
    # /mnt/cdrom/netstat -an | /mnt/cdrom/nc (remote) port
    # md5sum connections_compromised > connections_compromised.md5
Physical memory image:
• Access physical memory directly by copying the /dev/mem device or by copying the kcore file
• The kcore file is found in the proc pseudo file system, which is mounted at /proc:
    # nc -l -p port > kcore_compromised
    # /mnt/cdrom/dd < /proc/kcore | /mnt/cdrom/nc (remote) port
    # md5sum kcore_compromised > kcore_compromised.md5
Data Collection Using the Toolkit (cont’d)
List of modules loaded into the kernel memory of the operating system:
• Check which modules are currently loaded into memory:
    # nc -l -p port > lkms_compromised
    # /mnt/cdrom/cat /proc/modules | /mnt/cdrom/nc (remote) port
    # nc -l -p port > lkms_compromised.md5
    # /mnt/cdrom/md5sum /proc/modules | /mnt/cdrom/nc (remote) port
• Analyze the ksyms file to detect the presence of an intruder in the system:
    # nc -l -p port > ksyms_compromised
    # /mnt/cdrom/cat /proc/ksyms | /mnt/cdrom/nc (remote) port
    # nc -l -p port > ksyms_compromised.md5
    # /mnt/cdrom/md5sum /proc/ksyms | /mnt/cdrom/nc (remote) port
Data Collection Using the Toolkit (cont’d)
The list of active processes:
• Collect information about all processes, open ports, and files with the lsof tool:
    # nc -l -p port > lsof_compromised
    # /mnt/cdrom/lsof -n -P -l | /mnt/cdrom/nc (remote) port
    # md5sum lsof_compromised > lsof_compromised.md5
Collecting suspicious processes:
• Copy the entire memory allocated to a process (proc_id is its process ID):
    # nc -l -p port > proc_id_compromised
    # /mnt/cdrom/pcat proc_id | /mnt/cdrom/nc (remote) port
    # md5sum proc_id_compromised > proc_id_compromised.md5
Data Collection Using the Toolkit (cont’d)
Useful information about the compromised system:
• Use the following commands to collect information about the suspect system:
Command: Description
/mnt/cdrom/cat /proc/version: version of the operating system
/mnt/cdrom/cat /proc/sys/kernel/hostname: host name
/mnt/cdrom/cat /proc/sys/kernel/domainname: domain name
/mnt/cdrom/cat /proc/cpuinfo: information about the hardware
/mnt/cdrom/cat /proc/swaps: all swap partitions
/mnt/cdrom/cat /proc/partitions: all local disk partitions
/mnt/cdrom/cat /proc/self/mounts: mounted file systems
/mnt/cdrom/cat /proc/uptime: uptime
Data Collection Using the Toolkit (cont’d)
Current time:
• Record the current time at the end of the collection:
    # nc -l -p port > end_time
    # /mnt/cdrom/date | /mnt/cdrom/nc (remote) port
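The ten collection steps above, wrapped into one script as an added example that is not the module's own toolkit: every step runs a binary from the trusted toolkit directory only, saves the output under a per-step name, hashes it the way the md5sum lines above do, and appends a timestamped line to a collection log so the order and integrity of the artefacts are documented. It assumes TOOLKIT is the directory of statically built tools (the module mounts it at /mnt/cdrom) and OUTDIR is on the analyst's removable media; the nc transfer the module uses is described in the comments as the alternative to the local file redirect. The demonstration uses the system's own /usr/bin:/bin as a stand-in toolkit.

```shell
#!/bin/sh
# Added example (not the module's toolkit): a wrapper that runs the collection
# steps above in the module's order, most volatile first, and keeps the
# chain-of-custody record that the per-step md5sum lines provide. Each step
# runs a binary from the trusted toolkit directory only (the module mounts it
# at /mnt/cdrom), writes the output to a file on the analyst's media, hashes
# it, and logs a UTC timestamp, the hash and the exact command line.
# Assumptions: TOOLKIT is the directory of statically built tools; OUTDIR is
# on the removable media, never on the compromised host's own disk. The module
# streams each output through nc to a remote listener instead; to do that,
# replace the  > "$out"  redirect in collect with  | nc remote port  and hash
# on the receiving side. The demonstration uses /usr/bin:/bin as a stand-in.

TOOLKIT=${TOOLKIT:-/mnt/cdrom}
OUTDIR=${OUTDIR:-/mnt/cdrom/case}          # hypothetical output location

# collect NAME COMMAND [ARGS...]
# Runs COMMAND from TOOLKIT, saves its output as OUTDIR/NAME_compromised,
# writes NAME_compromised.md5 and appends a line to OUTDIR/collection.log.
collect() {
    name=$1; shift
    out="$OUTDIR/${name}_compromised"
    stamp=$(PATH="$TOOLKIT" date -u +%Y-%m-%dT%H:%M:%SZ)
    PATH="$TOOLKIT" "$@" > "$out"
    PATH="$TOOLKIT" md5sum "$out" > "$out.md5"
    printf '%s %s %s\n' "$stamp" "$(PATH="$TOOLKIT" cut -d' ' -f1 "$out.md5")" "$*" \
        >> "$OUTDIR/collection.log"
}

# collect_volatile: the module's step order on a live compromised host.
# Not run by the demonstration below; call it after mounting the toolkit.
collect_volatile() {
    collect date        date -u                          # step 2
    collect arp         arp -an                          # step 3
    collect route       route -Cn
    collect connections netstat -an                      # step 4
    collect kcore       dd if=/proc/kcore                # step 5
    collect lkms        cat /proc/modules                # step 6
    collect ksyms       cat /proc/ksyms
    collect lsof        lsof -n -P -l                    # step 7
    collect version     cat /proc/version                # step 9
    collect hostname    cat /proc/sys/kernel/hostname
    collect mounts      cat /proc/self/mounts
    collect end_time    date -u                          # step 10
}

# verify_collection: re-check every .md5 written so far; non-zero on mismatch.
verify_collection() {
    cat "$OUTDIR"/*.md5 | md5sum -c --quiet
}

# --- demonstration (stand-in toolkit, temporary output directory) ---
TOOLKIT=/usr/bin:/bin
OUTDIR=$(mktemp -d)
collect date    date -u
collect version uname -a
verify_collection && echo "all collected artefacts verify"
cat "$OUTDIR/collection.log"
```

Step 8 (pcat of a suspicious process) is deliberately absent from collect_volatile: it needs a process ID chosen from the step 7 output, so it is a separate `collect proc_<pid> pcat <pid>` call made after lsof has been reviewed.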
Keyword Searching
To search for signs of an intrusion, use tools such as:
• strings:
    • Used to gather all printable character sequences from the image file
    • Use the -t switch to print each string’s offset from the beginning of the file:
        strings -t d kcore > kcore_strings
        md5sum kcore_strings > kcore_strings.md5
• grep:
    • Used to find commands typed by an intruder, IP addresses, passwords, or even decrypted parts of the malicious code
Linux Crash Utility
Crash is a tool for interactively analyzing the state of a Linux system while it is running, or after a kernel crash when a core dump has been created by the Red Hat netdump facility
SYNOPSIS: crash [ -h [ opt ] ] [ -v ] [ -s ] [ -i file ] [ -d num ] [ -S ] [ mapfile ] [ namelist ] [ dumpfile ]
Options:
-h opt: displays a help message
-v: displays the versions of the original gdb and crash libraries that make up the crash executable
-s: crash does not display any version, GPL, or crash initialization data during startup
-i file: crash reads and executes the crash command(s) contained in file before accepting any user input
-d num: crash sets its internal debug level
-S: crash uses /boot/System.map as the mapfile
namelist: the pathname of an uncompressed kernel image (a vmlinux file) that has been compiled with the -g option, or that has an accessible, associated debuginfo file
mapfile: if the live system kernel, or the kernel from which the dumpfile was derived, was not compiled with the -g switch, this additional mapfile argument is required
dumpfile: the pathname of a kernel memory core dump file
Linux Crash Utility: Commands
crash> ps
Output:
Linux Crash Utility: Commands (cont’d)
crash> ps -t
Output:
Linux Crash Utility: Commands (cont’d)
crash> ps -a
Output:
crash> foreach files
Output:
Linux Crash Utility: Commands (cont’d)
crash> foreach net
Output:
Crash Commands (cont’d)
Extract information about the state of the system using the crash commands:
Information: Command
Mounted file systems: crash> mount
Open files per file system: crash> mount -f
Kernel message buffer: crash> log
Swap information: crash> swap
Machine information: crash> mach
Loaded kernel modules: crash> mod
chrdevs and blkdevs arrays: crash> dev
PCI device data: crash> dev -p
I/O port/memory usage: crash> dev -i
Kernel memory usage: crash> kmem -i
Kernel vm_stat table: crash> kmem -V
Case Examples
Case Example I
Rebecca had filed a lawsuit against Good Company Inc for sexual harassment by one of its senior directors, Mr. Peter Samson
She submitted a floppy as evidence of Mr. Peter’s advances
She also ascertained that Mr. Peter used to send her explicit material on floppy disks marked as legitimate work
A forensic investigator has been called in by Good Company Inc to investigate the case
How should the forensic investigator proceed with the evidence?
Step-by-Step Approach to Case
Document all processes
• Begin by creating a directory where all forensic activities can be done:
    mkdir /evidence
• It is desirable to create a special mount point for all physical subject disk analysis:
    mkdir /mnt/investigation
Step-by-Step Approach to Case (cont’d)
Determine the disk structure:
• Create an image of the disk using the simple bit-stream copy command dd:
    dd if=/dev/fd0 of=image.suspectdisk
• Change the permissions of the image to read-only using chmod:
    chmod 444 image.suspectdisk
Step-by-Step Approach to Case (cont’d)
Mount the restored image working copy and analyze the contents:
    mount -t vfat -o ro,noexec /dev/fd0 /mnt/investigations
• Another option is to mount the image file itself through the loop interface rather than mounting the original disk at another location:
    mount -t vfat -o ro,noexec,loop image.suspectdisk /mnt/investigations
Verify the integrity of the data in the image file by checking the file hash:
    md5sum /evidence/md5.image.suspectfile
or
    sha1sum -c /evidence/SHA.image.suspectfile
Step-by-Step Approach to Case (cont’d)
Use the ls command to view the contents of the disk
• ls -alR lists all files, including hidden files, recursively through the directories
Make a list of all files along with their access times
• ls -laiRtu > /evidence/suspectfiles.list
Search for likely evidence using grep:
• grep -i xxx suspectfiles.list
List the unknown file extensions and changed file appearances:
• file changedfile
• Files can be viewed using strings, cat, more, or less
Step-by-Step Approach to Case (cont’d)
Search for certain keywords across the entire file list
• cat /evidence/suspectfiles.list | grep blackmailword
• A systematic approach is to create a keyword list and save it, e.g. as:
    /evidence/keywordlist.txt
• grep the image for the keywords and save the output to a file:
    grep -aibf keywordlist.txt image.suspectdisk > results.txt
• View the results:
    cat results.txt
• To examine the bytes at each offset reported, use the hexdump tool:
    xxd -s (offset) image.suspectdisk | less
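The keyword-list search and offset inspection above (and the strings -t d offset listing from the Keyword Searching slide), as an added example that is not the module's own commands: it runs grep with the same -a, -i, -b and -f switches plus -o, so the offset printed is that of the match itself rather than of the whole line, and then dumps the bytes around each hit. It assumes GNU grep and coreutils; od is used in place of xxd so the script runs where xxd is not installed, and the image is constructed (NUL filler with two planted strings) as a stand-in for image.suspectdisk.

```shell
#!/bin/sh
# Added example (not the module's own commands): keyword search over a raw
# image that reports the byte offset of every hit and shows the bytes around
# it. grep -a -o -b -i -f is the module's "grep -aibf" with -o added, so the
# offset printed is that of the match itself, not of the (possibly huge) line
# it sits in, and can be fed straight to a hex viewer as the xxd step does.
# The hex view uses od from coreutils, so the script runs where xxd is not
# installed; "xxd -s OFFSET -l 64 IMAGE" is the equivalent. Assumptions: GNU
# grep and coreutils; the image below is constructed (NUL filler with two
# planted strings) and stands in for image.suspectdisk.

# search_image IMAGE KEYWORDLIST  ->  "offset:matched_text" per hit
search_image() {
    LC_ALL=C grep -a -o -b -i -f "$2" "$1"
}

# hit_context IMAGE OFFSET [LENGTH]  ->  hex + ASCII dump starting at OFFSET
hit_context() {
    od -A d -t x1z -j "$2" -N "${3:-64}" "$1"
}

# search_report IMAGE KEYWORDLIST  ->  results.txt-style report of all hits
search_report() {
    search_image "$1" "$2" | while IFS=: read -r off match; do
        printf '== offset %s: %s ==\n' "$off" "$match"
        hit_context "$1" "$off"
    done
}

# --- demonstration on a constructed image ---
demo=$(mktemp -d)
{
    head -c 1000 /dev/zero
    printf 'Transfer the BLACKMAIL money'
    head -c 500 /dev/zero
    printf 'meet at the dock'
} > "$demo/image.suspectdisk"
printf 'blackmail\ndock\n' > "$demo/keywordlist.txt"

search_report "$demo/image.suspectdisk" "$demo/keywordlist.txt" > "$demo/results.txt"
cat "$demo/results.txt"
```

The byte offsets are what tie a hit back to the disk: divided by the sector size they give the sector to inspect, and with The Sleuth Kit's data unit tools that sector can be mapped to the file, allocated or deleted, that contains it.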
Challenges in Disk Forensics with Linux
Linux cannot identify the last sector on hard drives with an odd number of sectors
Most Linux tools are complicated, as they are used at the command line
Devices can be written to even if they are not mounted
Bugs in open source tools can be used to question the credibility of a tool for forensic use
Forensic and Incident Response Environment (F.I.R.E) by William Salusky provides a good tool set
Case Example II
Mr. Jason Smith was accused of hoarding illegal material of questionable moral content on his company’s network systems
A forensic investigator was called upon to examine the suspect’s hard disk and unearth evidence related to the illegal material
How should the forensic investigator proceed in extracting and preserving the evidence?
Step-by-Step Approach to Case
Note down the model information from the hard disk label or the manufacturer’s web site, and the size and total number of sectors on the drive
Wipe and format an image disk drive using the ext3 file system (more than 3x the evidence size)
Fill the disk with zeros and ensure that the contents match
• dcfldd if=/dev/zero of=/dev/hda bs=4096 conv=noerror,sync
Partition the disk and reboot
• fdisk /dev/hda
Format with the ext3 file system
• mkfs -t ext3 /dev/image.disk
Step-by-Step Approach to Case (cont’d)
Prepare the disk for imaging
• Mount the read-write image disk:
    mount /dev/hda /mnt/image.disk
• Create a directory for all documentation and analysis:
    mkdir /mnt/image.disk/case_no
• Create a sub-directory to hold the evidence image:
    mkdir /mnt/image.disk/case_no/evidence_no
• Document the details of the investigation in a text file, including the investigator’s details, case background, and investigation dates
• Document the details of the disk media, including the investigator’s name and organization, case number, media evidence number, date and time of imaging; make, model, and serial number of the computer, IP address and hostname of the system; make, model, and serial number of the hard disk, source of the hard disk, and scope of the investigation
Step-by-Step Approach to Case (cont’d)
Image the disk:
• Connect both the original evidence drive and the drive to be imaged to the imaging system
• Verify all jumper settings (Master/Slave)
• Make sure that the imaging system will boot only from CD by checking the BIOS settings
• Image the disk using dd:
    dd if=/dev/hdx of=image.disk conv=noerror,sync
• This tells dd to continue past any read errors (conv=noerror) and to pad unreadable blocks so the output stays in sync with the original (sync)
Step-by-Step Approach to Case (cont’d)
Check for accuracy by comparing the md5sum of the image with that of the original
Mount the disk and extract evidence
Images can be carved using dd or the hex dump tool xxd
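The acquisition step as an added example that is not the module's own script; it serves the floppy analysis (dd with bs=512 followed by a SHA-1 compare), the hard-disk evidence seal (date and md5sum recorded together), Case Example I's chmod 444 on the working copy, and Case Example II's dd with conv=noerror,sync followed by an md5sum check. It assumes GNU dd and the coreutils hash tools; the source is a constructed 4096-byte file standing in for /dev/fd0 or /dev/hdx so that no real drive or root privilege is needed, and signing the seal with gpg --clearsign is left exactly as the hard-disk slide shows it.

```shell
#!/bin/sh
# Added example (not the module's own script): the acquisition step that the
# floppy analysis (dd + sha1sum compare), the hard-disk seal (date + md5sum)
# and Case Example II (dd conv=noerror,sync + md5sum compare) all perform.
# image_device copies SOURCE to IMAGE, makes the image read-only, and writes a
# seal file with the UTC acquisition time and the hashes of both sides;
# verify_image re-hashes both and succeeds only if they agree. Assumptions:
# GNU dd and coreutils hash tools; SOURCE is a constructed 4096-byte file
# standing in for /dev/fd0 or /dev/hdx, so no real drive or root is needed.
# Signing the seal with "gpg --clearsign" is left exactly as the module shows.

# image_device SOURCE IMAGE [BLOCKSIZE]
# conv=noerror keeps dd going past unreadable blocks; conv=sync pads each
# short read to BLOCKSIZE with zeros so every offset in the image still lines
# up with the source. Real devices are a whole number of sectors, so the
# padding never changes the hash of a clean read.
image_device() {
    src=$1; img=$2; bs=${3:-512}
    dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>/dev/null || return 1
    chmod 444 "$img"                 # working copy is read-only from here on
    {
        printf 'acquired_utc=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'source=%s bs=%s\n'   "$src" "$bs"
        printf 'source_md5=%s\n'     "$(md5sum  < "$src" | cut -d' ' -f1)"
        printf 'image_md5=%s\n'      "$(md5sum  < "$img" | cut -d' ' -f1)"
        printf 'image_sha1=%s\n'     "$(sha1sum < "$img" | cut -d' ' -f1)"
    } > "$img.seal"
}

# verify_image SOURCE IMAGE  ->  0 only when both hash identically (SHA-1)
verify_image() {
    [ "$(sha1sum < "$1" | cut -d' ' -f1)" = "$(sha1sum < "$2" | cut -d' ' -f1)" ]
}

# --- demonstration with a constructed "device" ---
demo=$(mktemp -d)
mkdir -p "$demo/evidence"
yes 'EVIDENCE' | head -c 4096 > "$demo/fd0"          # 8 sectors of 512 bytes
image_device "$demo/fd0" "$demo/evidence/floppy1.img" && cat "$demo/evidence/floppy1.img.seal"
verify_image "$demo/fd0" "$demo/evidence/floppy1.img" && echo "image matches source"
```

When verify_image fails on a real drive, the seal's source_md5 still tells you whether the drive itself read differently on the second pass (failing media) or the image file changed after acquisition.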
Linux Forensics Tools
Popular Linux Forensics Tools
The Sleuth Kit, written by Brian Carrier and maintained at http://www.sleuthkit.org
Autopsy: HTML front-end for The Sleuth Kit
SMART for Linux, by ASR Data: a commercial data forensics program that runs on Linux
THE FARMER'S BOOT CD, by farmerdude: a bootable CD oriented towards previewing data quickly
Penguin Sleuth: Knoppix-based Linux distribution with a forensic flavor
Forensix
The Sleuth Kit
The Sleuth Kit is a collection of command line digital investigation tools
The tools run on Linux, OS X, FreeBSD, OpenBSD, and Solaris and can analyze FAT, NTFS, UFS, EXT2FS, and EXT3FS
The Autopsy Forensic Browser is an HTML-based graphical interface for the command line tools in the Sleuth Kit which makes it much easier and faster to investigate a system
mac-robber is a tool that will collect temporal data from the mounted file systems
The data can be used to make a timeline of the file’s activity on the system using tools from The Sleuth Kit
Tools in “The Sleuth Kit”
Tool Type: Tool Name
File System Layer tools: fsstat
File Name Layer tools: ffind, fls
Meta Data Layer tools: icat, ifind, ils, istat
Data Unit Layer tools: dcat, dls, dstat, dcalc
File System Journal tools: jcat, jls
Media Management tools: mmls
Image File tools: img_stat, img_cat
Disk tools: disk_sreset, disk_stat
Other tools: hfind, mactime, sorter, sigfind
Autopsy
The Autopsy Forensic Browser is a graphical interface to the command line digital investigation analysis tools in The Sleuth Kit
Together, they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3)
The Sleuth Kit and Autopsy are both open source and run on UNIX platforms
As Autopsy is HTML-based, you can connect to the Autopsy server from any platform using a web browser
Autopsy provides a "File Manager"-like interface and shows details about deleted data and the file system’s structures
The Evidence Analysis Techniques in Autopsy
File Listing:
• Analyze the files and directories, including the names of deleted files and files with Unicode-based names
File Content:
• The contents of files can be viewed in raw or hex form, or the ASCII strings can be extracted
Hash Databases:
• Look up unknown files in a hash database to quickly identify them as known-good or known-bad
File Type Sorting:
• Sort the files based on their internal signatures to identify files of a known type
Timeline of File Activity:
• Create timelines that contain entries for the Modified, Access, and Change (MAC) times of both allocated and unallocated files
The Evidence Analysis Techniques in Autopsy (cont’d)
Keyword Search:
• Keyword searches of the file system image can be performed using ASCII strings and grep regular expressions
Meta Data Analysis:
• It allows you to view the details of any meta data structure in the file system
Data Unit Analysis:
• It allows you to view the contents of any data unit in a variety of formats including ASCII, hexdump, and strings
Image Details:
• You can view the file system details including on-disk layout and the time of activity so that it is possible to recover data
Autopsy screenshots (images not reproduced here): File Listing, File Content, Hash Databases, File Type Sorting, Timeline of File Activity, Keyword Search, Meta Data Analysis, Data Unit Analysis, Image Details
SMART for Linux
SMART is a software utility designed and optimized to support data forensic practitioners and information security personnel in the pursuit of their respective duties and goals
It is known as ‘The Next Generation Data Forensic Tool’
Functions of SMART:
• "Knock-and-talk" inquiries and investigations
• On-site or remote preview of a target system
• Post mortem analysis of a dead system
• Testing and verification of other forensic programs
• Conversion of proprietary "evidence file" formats
• Baselining of a system
Features of SMART for Linux
SMART displays the list of the connected storage devices in the main window list
It uses plugins to do much of the work, and the application itself utilizes a highly modular design philosophy
It is multi-threaded
Its powerful, flexible acquisition options allow you to create pure bit-image copies and quasi-proprietary formats that support seekable compression
It can acquire and clone a single source to any number of images and devices simultaneously
It generates information about hashes
It provides the ability to perform real authentication
It gives you an easy interface to Linux mounts and GUI environments such as KDE and GNOME
It enables complex tasks and search result rules to be applied automatically
SMART: Screenshots 1 to 6 (images not reproduced here)
Penguin Sleuth
The Penguin Sleuth Kit is a bootable Linux distribution based on KNOPPIX
It is the collection of some useful tools, including The Coroner’s Toolkit (TCT), Autopsy, and The Sleuth Kit, as well as penetration testing and virus scanning tools
It offers a GUI environment as well as the good old-fashioned command line environment, suiting users from novice to experienced
Tools Included in Penguin Sleuth Kit
Tool Name | Description
Sleuth Kit | Command line forensic tools
Autopsy | Part of Sleuth Kit
Foremost | Command line data carving tool
Glimpse | Command line data indexing and searching tool
Wipe | Command line utility to securely wipe hard drives and files
Etherape | Visual network monitor
Fenris | Multipurpose tracer
Honeyd | Command line honeypot program
Snort | Command line network intrusion detection tool
Dsniff | Command line network auditing and penetration testing tools
John The Ripper | Command line password cracking tool
Nikto | Web server scanner
Nbtscan | Command line tool that scans for open NetBIOS name servers
Xprobe | Command line remote operating system fingerprinting tool
Ngrep | Command line network grep function
Nemesis | Command line network packet injector
Fragroute | Command line network intrusion testing tool
Fping | Command line multiple host ping utility
TCPtraceroute | Command line traceroute using TCP packets
TCPReplay | Command line utility that replays a tcpdump capture
Nessus | Graphical security scanner
Ethereal | Graphical network analyzer
Netcat | Command line tool to read and write over the network
TCPdump | Command line tool that dumps network traffic
Hping2 | Command line packet assembler / analyzer
Ettercap | Command line sniffer / interceptor / logger for Ethernet networks
Openssh | Secure remote connection utility
Kismet | Graphical wireless network sniffer
AirSnort | Graphical wireless network intrusion tool
GPG | Encryption utility
OpenSSL | Secure remote connection utility
Lsof | Command line utility that lists all open files
Hunt | Command line TCP / IP exploit scanner
Stunnel | SSL connection package
ARPwatch | Command line Ethernet monitor
Dig | Command line tool for querying domain name servers
Chkrootkit | Looks for signs of rootkits
THE FARMER'S BOOT CD (The FBCD)
FBCD allows you to examine storage media directly from Linux
It boots any x86 system and mounts file systems in a forensically sound manner (including journaled file systems)
It previews data safely using a single, unified graphical user interface (GUI)
It is designed and optimized for previewing, authenticating, acquiring, and analyzing media
THE FARMER'S BOOT CD (The FBCD) (cont’d)
THE FARMER'S BOOT CD is configured such that:
• It supports the greatest amount of hardware in the widest range of cases
• It minimizes its footprint on the system, saving memory (RAM) for critical processes and tasks
• Every included application is already configured for data forensics, so there is no need to change settings or wonder about configuration parameters
Delve: Screenshots
Delve is the proprietary preview program found on THE FARMER'S BOOT CD
The DEVICES tab is used to mount file systems (truly read-only). Right-click on any file system to view the available options (which depend upon the mount status), as shown on the right hand side
The PAGEFILE tab is used to identify email addresses and URLs in the Windows “pagefile.sys” file
URL output:
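The kind of scan the PAGEFILE tab performs can be reproduced with a small string scanner. The following is an added example, not Delve's code and not taken from the original slide: it runs URL and e-mail patterns over the raw bytes of a memory or pagefile fragment, and additionally over runs of UTF-16LE text (Windows keeps many in-memory strings in that encoding, so an ASCII-only scan misses them). The input blob is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample standing in for a fragment of pagefile.sys: ASCII strings,
# binary noise, and UTF-16LE strings mixed together
SAMPLE_BLOB = (
    b"\x00\x00\x11\x22GET http://example.com/login?user=alice HTTP/1.1\x00\x00"
    + b"\xff\xfe noise \x00\x01 mailto:alice@example.com\x00\x00"
    + "https://intranet.example.org/report.pdf".encode("utf-16-le")
    + b"\x00\x00\x90\x90"
    + "contact: bob@example.net".encode("utf-16-le")
    + b"\x00\x00"
)

URL_RE = re.compile(rb"(?:https?|ftp)://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# A run of at least MIN_RUN printable ASCII characters, each followed by a NUL
# byte, is treated as UTF-16LE text (heuristic chosen for this example)
MIN_RUN = 6
UTF16_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_RUN)


def utf16le_runs(data: bytes) -> bytes:
    """Collapse UTF-16LE printable runs to ASCII by dropping the NUL high bytes,
    so the same byte patterns can be applied; runs are separated by newlines."""
    return b"\n".join(m.group(0)[::2] for m in UTF16_RUN_RE.finditer(data))


def find_all(pattern, data: bytes) -> List[str]:
    # Both patterns only ever match ASCII bytes, so the decode cannot fail
    return [m.group(0).decode("ascii") for m in pattern.finditer(data)]


def extract_artifacts(data: bytes) -> Dict[str, List[str]]:
    """Return de-duplicated, sorted URLs and e-mail addresses found either as
    plain ASCII or inside UTF-16LE runs."""
    views = (data, utf16le_runs(data))
    urls = {u for view in views for u in find_all(URL_RE, view)}
    emails = {e for view in views for e in find_all(EMAIL_RE, view)}
    return {"urls": sorted(urls), "emails": sorted(emails)}


if __name__ == "__main__":
    for kind, hits in extract_artifacts(SAMPLE_BLOB).items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

On a real pagefile the same function is applied to the file read in large chunks; the UTF-16LE pass is what recovers the second URL and the second address in the sample, which the ASCII pass alone does not see.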
The WINDOWS LOGS tab is used to identify key log files of interest on Windows systems and opens a pop-up window, as shown on the right hand side, allowing you to click on files of interest for viewing
The WEB HISTORY tab is used to identify the web browser’s cache files and extract cookie and history information, as shown in the two output files:
The CATALOG tab is used to identify and catalog files of interest by extension or header. Found files may be copied, opened, or a file listing dumped
The LINUX LOGS tab is used to identify key log files on Linux systems and opens a pop-up window, as shown on the right hand side, allowing you to click on files of interest for viewing
The DATE CONVERTER tab is used to convert dates and times from one format to many other formats
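A converter of this kind, written as an added example (not Delve's code and not from the original slide), for three timestamp formats an examiner meets constantly: Unix seconds since 1970-01-01, Windows FILETIME (100-nanosecond intervals since 1601-01-01, stored on disk as 8 little-endian bytes) and the classic Mac OS / HFS+ count of seconds since 1904-01-01. Delve handles "many" formats; the choice of these three is the example's own.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Union

# Epoch bases of the three formats, all in UTC
EPOCH_UNIX = datetime(1970, 1, 1, tzinfo=timezone.utc)
EPOCH_FILETIME = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Windows FILETIME
EPOCH_HFS = datetime(1904, 1, 1, tzinfo=timezone.utc)        # classic Mac OS / HFS+


def from_unix(seconds: int) -> datetime:
    return EPOCH_UNIX + timedelta(seconds=seconds)


def from_filetime(intervals: int) -> datetime:
    """FILETIME counts 100 ns intervals; datetime keeps microseconds, so divide by 10."""
    return EPOCH_FILETIME + timedelta(microseconds=intervals // 10)


def from_filetime_bytes(raw: bytes) -> datetime:
    """FILETIME as stored in registry values and NTFS structures: 8 bytes, little-endian."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    return from_filetime(int.from_bytes(raw, "little"))


def from_hfs(seconds: int) -> datetime:
    return EPOCH_HFS + timedelta(seconds=seconds)


def to_unix(dt: datetime) -> int:
    return int((dt - EPOCH_UNIX).total_seconds())


def to_filetime(dt: datetime) -> int:
    delta = dt - EPOCH_FILETIME
    # Avoid float rounding on 17-digit values: work in integer days/seconds/microseconds
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def to_hfs(dt: datetime) -> int:
    return int((dt - EPOCH_HFS).total_seconds())


PARSERS = {"unix": from_unix, "filetime": from_filetime, "hfs": from_hfs}


def convert(value: int, source: str) -> Dict[str, Union[str, int]]:
    """Take a timestamp in one format and render it in every supported format."""
    if source not in PARSERS:
        raise ValueError(f"unknown source format {source!r}")
    dt = PARSERS[source](value)
    return {
        "iso": dt.isoformat(),
        "unix": to_unix(dt),
        "filetime": to_filetime(dt),
        "hfs": to_hfs(dt),
    }


if __name__ == "__main__":
    # Unix epoch expressed in the other formats
    for fmt, rendered in convert(0, "unix").items():
        print(f"{fmt:9} {rendered}")
```

Keeping every conversion in UTC and only rendering to local time at the very end is the discipline that avoids the classic one-hour and one-day errors in a timeline; the integer arithmetic in to_filetime matters because FILETIME values have 17 digits and do not survive a round trip through a float.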
The GRAPHICS VIEWER tab is used to identify graphics files and open a viewer for found files
The MISC menu option provides miscellaneous utilities, including dumping hard drive information, dumping the system BIOS tables, dumping an inventory of hardware, etc.
Forensix
The goal of the Forensix ("4N6") Project is to allow a system to be monitored so that, in the event of a security compromise, it is easy to track the compromise back to its source and recover from it
It performs a complete kernel event audit on the target system and streams the high-definition audit trail to a backend database that has been optimized for reconstruction queries
Functions:
• Accurately replays any and all system compromises
• Determines what specific data (such as credit card numbers) has been accessed on the system as a result of a compromise
• Automatically determines what modifications have been made to a system by an illicit user
• Selectively "undoes" illicit system modifications
Tool: Maresware
Maresware Linux Forensics provides tools for investigating computer records while running the Linux operating system on Intel processors
Maresware is useful to all types of investigators, including law enforcement, intelligence agencies, private investigators, and corporate internal investigators
This software enables the discovery of evidence for use in criminal or civil legal proceedings
Major Programs Present in Maresware
Program | Description
Bates_no | A unique program for adding identifying numbers to filenames in e-documents
Catalog | Catalogues every file on a Linux file system and identifies headers
Hash | Performs an MD5 (CRC, or SHA) hash of every file on a drive
Hashcmp | Compares outputs of successive hash runs
Md5 | Calculates the MD5 hash of a file
Strsrch | Searches files for text strings
U_to_A | Converts *ix text to DOS text
Tool: Captain Nemo
Captain Nemo is widely used by law enforcement personnel and forensic investigators, as well as network administrators
It enables you to access any Linux drive from your Windows computer without requiring a network setup
Just connect the Linux drive to your machine and Captain Nemo will let you mount your Linux partitions in Windows
You can read, search, and view all your Linux files and copy them to your Windows drive
It supports ext2fs and ext3fs
Captain Nemo: Screenshot
The Coroner’s Toolkit (TCT)
TCT is a collection of programs
In TCT, the grave-robber tool captures information
The ils and mactime tools display the access patterns of files, dead or alive
The unrm and lazarus tools recover deleted files
The findkey tool recovers cryptographic keys from a running process or from files
Tool: FLAG
FLAG is used for log file analysis and forensic investigations
It uses a database as a backend to assist in managing the large volumes of data
Features of FLAG:
Log analysis:
• FLAG supports generic firewall logs
• It collects information about the log and searches for suspicious activity
Network forensics:
• It uses the dissected information to construct a knowledge base of the different entities on the network
Disk forensics:
• It uses the Sleuth Kit tool to analyze dd images
FLAG: Screenshots
Figure: FLAG listening ports
Figure: FLAG connecting to port 80
Tool: md5deep
md5deep is a cross-platform set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files
Features of md5deep:
• Recursive operation: md5deep is able to recursively examine an entire directory tree
• Comparison mode: It computes the MD5 for every file in a directory and for every file in every subdirectory
• Time estimation: It can produce a time estimate when it is processing large files
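What md5deep's recursive mode, Maresware's Hash and Hashcmp programs, and SMART's "baselining of a system" have in common is one procedure: hash every file under a root, keep the listing, hash again later and diff the two runs. The block below is an added example of that procedure (not the code of any of those tools); it streams each file through several digests in a single read, skips symbolic links so a run cannot be steered outside the tree, and reports added, removed and modified paths. The files and the changes between the two runs are constructed inside a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes, algorithms: Iterable[str] = ALGORITHMS) -> Dict[str, str]:
    """Digest an in-memory buffer with every requested algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path: Path, algorithms: Iterable[str] = ALGORITHMS,
              chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file through all hashers at once so large files are read only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_tree(root: Path) -> Dict[str, Dict[str, str]]:
    """Recursively hash every regular file under root, keyed by POSIX relative path.
    Symlinks are skipped so the walk cannot be redirected outside the tree."""
    root = Path(root)
    listing: Dict[str, Dict[str, str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order gives reproducible reports
        for name in sorted(filenames):
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            listing[full.relative_to(root).as_posix()] = hash_file(full)
    return listing


def compare_runs(baseline: Dict[str, Dict[str, str]],
                 current: Dict[str, Dict[str, str]],
                 algorithm: str = "sha256") -> Dict[str, List[str]]:
    """Diff two hash runs the way a hashcmp-style tool does."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths
                           if baseline[p][algorithm] != current[p][algorithm]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, alter it, report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed stand-in for a binary\n")
        baseline = hash_tree(root)

        # Changes between the two runs (constructed): one file altered, one removed, one new
        (root / "bin" / "ls").write_bytes(b"\x7fELF same name, different content\n")
        (root / "etc" / "hosts").unlink()
        (root / "tmp").mkdir()
        (root / "tmp" / "new_script.sh").write_bytes(b"#!/bin/sh\necho hello\n")
        current = hash_tree(root)

        return compare_runs(baseline, current)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Comparing on SHA-256 while still recording MD5 and SHA-1 is deliberate: the older digests are what most published hash sets use for matching, but a modification report should rest on the algorithm for which no practical collision is known.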
Tool: TestDisk
TestDisk helps to recover lost partitions and/or make non-booting disks bootable again
Functions:
• Fix partition table, recover deleted partition
• Recover FAT32 boot sector from its backup
• Rebuild FAT12/FAT16/FAT32 boot sector
• Fix FAT tables
• Rebuild NTFS boot sector
• Recover NTFS boot sector from its backup
• Copy files from deleted FAT, NTFS, and ext2/ext3 partitions
Tool: Vinetto
Vinetto is a forensics tool to examine Thumbs.db files
It extracts the related thumbnails to a directory
It produces a metadata report on all non-deleted Thumbs.db files contained within a partition
Syntax:
• vinetto [OPTIONS] [-s] [-U] [-o DIR] file
Summary
Linux imparts greater control, flexibility, and power as a forensics tool
Linux has a number of simple utilities that make imaging and basic analysis of the suspect disks and drives easier
Linux cannot identify the last sector on hard drives with an odd number of sectors
There are several popular Linux tool kits that provide GUI as well for convenience