Forensics 101: Basics of capturing and mounting forensic images
Security-SIG, February 2007
ISC/Information Security


Forensics:

Forensic science (often shortened to forensics) is the application of a broad spectrum of sciences to answer questions of interest to the legal system. This may be in relation to a crime or to a civil action…the term "forensic" is effectively a synonym for "legal" or "related to courts" (from Latin, it means "before the forum").

Source: Wikipedia


Why perform computer forensics?

• You know or suspect one or more computers have been involved in:
  – a crime
  – a violation of policy
  – an issue of academic integrity (student and/or faculty)

• A network and/or computer(s) were compromised, and you just want to find out how and why


Why not perform forensics?

• Can be expen$ive
  – Commercial forensic and data recovery outlets (e.g. Kroll Ontrack and RenewData) typically charge $3,000 - $5,000 per drive
  – Even when done in-house, can involve large amounts of employee labor, purchasing extra drive space, etc.

• Can be time consuming
  – Acquiring drive images takes time…an 80 GB drive typically takes 2+ hours
  – Data analysis can take days, even weeks, depending on the scope of the case


Who can perform forensics?

• For purposes of simply investigating a hacked system or network that does not appear to have legal implications, any person knowledgeable with basic forensic tools and procedures can perform a forensic examination (with proper authorization)

• In cases where there is potential legal obligation and/or risk for Penn, only person(s) authorized by the University may perform forensics (i.e., ISC Information Security)


If you begin an independent forensic examination…

…and encounter evidence of an actual or possible crime (whether it’s been committed yet or not)

STOP!! Contact ISC Information Security immediately at 215-898-2172 or [email protected]


Classes of forensic examinations

• “Live”, i.e. real-time
  – Network is up and running, computers are attached and communicating
  – Goal is to observe/capture ongoing activity on network, in RAM and on disk related to crime or exploit
  – Not often done, very complex, often a “fishing expedition”

• “Snapshot”, i.e., static
  – Network packet captures have been saved for later analysis
  – In some cases, RAM dumps written to file for analysis
  – Drive images taken to preserve status of file system - this is the most commonly performed forensic operation


Some common forensic tools:

• Real-time
  – tcpdump/WinDump
  – netstat
  – Ethereal
  – pcat
  – lsof

• Static
  – dd (or dcfldd)
  – mmls
  – netcat (or cryptcat)
  – md5sum
  – grep


Drive images: what do I need?

• A basic, working knowledge of linux, especially the use of:
  – mount
  – dd
  – ls

• A basic understanding of image files (.iso, .img)

• A basic understanding of drive geometry (sectors, partitioning) and file system structure (allocation tables, inodes, allocated vs. unallocated space, slack space, MAC times)


Image files: The Goal

The purpose of capturing a forensic drive image is to produce a file that is an exact, sector-by-sector reproduction of the drive. The image preserves not only the data itself, but also the “geography” of the data - where it physically resides on the disk.

The image file can then be examined for evidence without danger of altering or destroying the original.


Basic Drive Geometry

• The typical sector size for modern drives is 512 bytes

• Most operating systems (Windows and Unix/Linux included) use a default allocation size of 8 sectors (4096 bytes)


File System Basics

• Allocated space is space that is in use by a file and is being tracked in the File Allocation Table (FAT)

• Unallocated space is disk space that is available for new or changed files. It may or may not contain data from deleted files

• Slack space is space that is allocated but unused, i.e., the remaining space in the last allocated file block
  – Unix and Linux pad this space with zeros
  – Windows does not…may contain valuable data fragments

• File system metadata includes “card catalog” information such as inode number and file MAC times


Linux

• Most versions of linux will work just fine with all standard forensic tools

• SANS Institute uses Red Hat Fedora as the basis for their forensics course

• There are Windows-based forensic tools, but many are commercial, and - surprise! - often don’t work as well as the unix/linux tools

• To mount and analyze NTFS images, your linux kernel will need to support and have installed an NTFS module:
  – Start here: sourceforge.net/project/showfiles.php?group_id=13956


Toolboxes!

• “The Coroner’s Toolkit”
  – A set of tools developed by Dan Farmer and Wietse Venema
  – www.porcupine.org/forensics/tct.html

• Helix
  – Bootable, Knoppix-style linux CD
  – Graphical interface, or command line/terminal
  – www.e-fense.com/helix/

• FREE!!


A little more about Helix...

• Current version: 1.8 (10-06-2006)

• Extremely powerful and useful

• Download as ISO file and burn directly to CD-ROM

• IDE drives a snap - ATA’s can be tricky

• It pays to archive older versions
  – Depending on age and/or version of BIOS chips, some computers will boot on older versions but not on current


Before you start…

• The Cardinal Rule: DOCUMENT EVERY STEP!!
  – Date and time you started and ended
  – Equipment you worked on
    • Serial numbers (drive AND CPU)
    • Owner/user(s)
    • Purpose(s) machine used for (if you know)
    • Location
  – Commands/tools you ran (including option flags) in the order you ran them
  – Results you got from commands and tools
  – Anything else pertinent to the examination

• Record all of the above in a running log and sign it (PGP, or print it out and physically sign it)

Remember: the possibility always exists that you may find information that results in a legal proceeding, and you may be required to explain and justify your work.


Determine Scope

• What are you looking for?

• Who is involved?
  – All users? Just one? Root/Admin compromise?

• How many drives?

• How many partitions? What kind(s)?
  – Windows? Unix/Linux? OS X?

• Need to search for text and/or data?


Keyword List

• If you’re going to be searching for evidence of particular actions or behavior in documents and data files, prepare a list of keywords that are likely to be found during a search of files containing text and strings

• There are several tools that can use this list, including good old grep


Forensic Drive Imaging: A 12-Step Program


Step 1: Chain of Custody

• Start a Chain of Custody form for each drive you examine

• Records identifying information about the drive (serial number, model, capacity, etc.)

• Most importantly: establishes and tracks the physical location and custody of the drive from the beginning of the investigation through the end.

• A very important document in a legal proceeding - used to indicate and prove (as much as possible) that evidence has been properly treated and has not been tampered with

• Information Security can provide you with a suitable form


Step 2: Capture Setup

• If you have a bootable linux CD (e.g., Helix), simplest setup is:
  – connect an external USB/Firewire drive as the “image target”
  – boot the system up
  – mount the drive to be imaged and the “image target”
  – make sure, of course, that the target is LARGER than the source


netcat/cryptcat

• netcat allows you to “pipe” output across the network in similar fashion to how you would do it locally with cat, ‘>’, etc.

• cryptcat does the same thing, but encrypts the traffic

• uses “client/listener” model

• start the listener:
  – nc -l -p [port #] > [output file]
  – e.g. nc -l -p 5432 > /casefile/datafile.txt

• pipe client output:
  – cat [filename] | nc [listener IP] [listener port]
  – e.g., cat testfile.txt | nc 130.91.75.126 5432


Backups: “File” vs. “Forensic”

• A standard file backup copies only data residing in allocated disk space
  – i.e., an 80 GB drive with 20 MB of allocated files will produce a 20 MB backup file

• A forensic (image) backup sequentially copies each and every disk sector, regardless of whether it is allocated space or has any data in it
  – i.e., an 80 GB drive with 20 MB of allocated files will produce an 80 GB image file


Step 3: Hash the drive

• The object is to produce a “snapshot” image of the drive that is absolutely identical to the drive itself

• The standard method of verifying the integrity of the image involves using the MD5 hashing algorithm

• Run md5sum against the drive’s device:
  – md5sum /dev/sda

• Pipe it to a text file if you like:
  – md5sum /dev/sda > hash.txt

• The result will be a 32-character (hex) hash of the entire disk contents that you will later match against the image


Example: MD5

(inputs as written by echo, i.e. each digit followed by a newline)

Input   Output
1       b026324c6904b2a9cb4b88d6d61c81d1
2       26ab0db90d72e28ad0ba1e22ee510510
3       6d7fce9fee471194aa8b5b6e47267f03
4       48a24b70a0b376535542b996af517398
5       1dcca23355272056f04fe8bf20edfce0


Step 4: Image capture with dd

• dd: “duplicate device”

• 2 basic, required parameters:
  – input file (‘if’)
  – output file (‘of’)

• Input and output can be either actual files or block devices

• For block device (i.e., entire drive) to image file:
  – dd if=<device> of=</path/file>
  – e.g. dd if=/dev/sda of=/casefile/image01.iso


An alternative: dcfldd

• Available in Helix and TCT

• Provides progress indicator (count of written blocks)
  – hashwindow=0

• Can perform integrity checks/MD5 sum on the fly and write to file
  – hashlog=<path/file>

• e.g. dcfldd if=/dev/sda of=/casefile/image01.iso hashwindow=0 hashlog=/casefile/imagehash.txt


Step 5: Wait…

• It will vary depending on the equipment involved, but Information Security’s experience is that typical current drives can be imaged at about 40GB/hr

• Go to Starbucks…


Step 6: Hash the image file

• Run md5sum against the resulting image file
  – md5sum /casefile/image01.iso

• Compare this hash to the one obtained in Step 3 from the drive
  – If they match exactly, you have an image file that is an exact copy of the drive. If they don’t, something went wrong, and the validity of any examination of the image data would likely be challenged in court if it ever came to that


Step 7: Put the drive away

• Now that you have an image file and have verified the integrity by matching the MD5 hashes, you do not need the drive

• Store it securely and perform your examination on the image file


Step 8: Retrieve partition structure

• mmls
  – included in TCT
  – extracts logical partition info from image file
  – use ‘-t dos’ flag to denote you’re looking for disk operating system partitions
  – output will be used to “carve out” images of partitions needed
  – usage: mmls -t dos </path/file>

• e.g., mmls -t dos /casefile/image01.iso


mmls: a typical(?) result

# mmls -t dos /casefile/image01.iso
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Table #0
01:  -----   0000000001   0000000062   0000000062   Unallocated
02:  00:00   0000000063   0001028159   0001028097   Win95 FAT32 (0x0B)
03:  -----   0001028160   0002570399   0001542240   Unallocated
04:  00:01   0002570400   0004209029   0001638630   OpenBSD (0xA6)
05:  00:02   0004209030   0006265349   0002056320   NTFS (0x07)

Well, maybe it’s not so typical to have 3 different operating system partitions on a single drive. This illustrates, though, that mmls shows you not only what partitions are on the drive, but also where they are. Take note of the sector size as well - it’s usually 512 bytes, but can vary.


Step 9: “Carve out” partitions

• dd can be used with additional parameters to “carve” the partitions from the image file and write them to individual image files that can be directly mounted and browsed

• from mmls, you need to know the sector size the drive is using (usually 512 bytes)

• also, for each partition, you need:
  – size (“Length” column from mmls output)
  – skip (“Start” column from mmls output)


“Carving” with dd

Usage:

dd if=<whole disk image file> bs=<sector size> count=<partition size> skip=<partition start> of=<new partition image file>

So, to create an image file of the NTFS partition found by mmls on the previous slide:

dd if=/casefile/image01.iso bs=512 count=2056320 skip=4209030 of=/casefile/partition01.img

(Yes, you can use dcfldd instead)
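An added end-to-end rehearsal of Steps 3, 4, 6, 8 and 9 (example code written for this page, not from the slides, Helix or TCT): it reads the carving parameters out of an mmls listing laid out like the one on the previous slide, images a constructed 64-sector file standing in for /dev/sda, checks that the two MD5 hashes match, and carves one partition with the same dd command shown above. It assumes POSIX sh with dd, md5sum, awk and sed available; the mmls text, the "disk" file and the marker planted in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added rehearsal of Steps 3, 4, 6, 8 and 9 (not part of the slides): parse an
# mmls listing for the dd carving parameters, image a constructed "disk" file,
# verify it by MD5, and carve one partition. Assumes POSIX sh, dd, md5sum, awk, sed.

# Constructed mmls output in the same layout as the deck's sample (not real disk data).
MMLS_SAMPLE='Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Table #0
01:  -----   0000000001   0000000062   0000000062   Unallocated
02:  00:00   0000000063   0001028159   0001028097   Win95 FAT32 (0x0B)
03:  -----   0001028160   0002570399   0001542240   Unallocated
04:  00:01   0002570400   0004209029   0001638630   OpenBSD (0xA6)
05:  00:02   0004209030   0006265349   0002056320   NTFS (0x07)'

# Sector size, read from the "Units are in N-byte sectors" line (Step 8: never assume 512).
mmls_sector_size() {
    printf '%s\n' "$1" | sed -n 's/^Units are in \([0-9]*\)-byte sectors.*/\1/p'
}

# One line per real partition: "<skip> <count> <description>", taken from the Start
# and Length columns; the table entry and unallocated gaps have no NN:NN slot.
mmls_partitions() {
    printf '%s\n' "$1" | awk '$2 ~ /^[0-9][0-9]:[0-9][0-9]$/ {
        desc = $6; for (i = 7; i <= NF; i++) desc = desc " " $i
        printf "%d %d %s\n", $3, $5, desc }'
}

# The carving command line from the slide, built from those numbers
# ($1 whole-disk image, $2 sector size, $3 skip, $4 count, $5 partition image).
carve_cmd() {
    printf 'dd if=%s bs=%s count=%s skip=%s of=%s\n' "$1" "$2" "$4" "$3" "$5"
}

# Steps 3 and 6: hash source and image and report whether they match.
verify_image() {
    src=$(md5sum "$1" | cut -d' ' -f1)
    img=$(md5sum "$2" | cut -d' ' -f1)
    [ "$src" = "$img" ] && echo "match $src" || echo "MISMATCH $src $img"
}

# End-to-end run on a constructed 64-sector "disk" file standing in for /dev/sda:
# a marker is planted at sector 16, where a 32-sector partition is assumed to begin.
demo_carve() {
    work=$(mktemp -d) || return 1
    dd if=/dev/zero of="$work/disk" bs=512 count=64 2>/dev/null
    printf 'NTFS-partition-marker' | dd of="$work/disk" bs=512 seek=16 conv=notrunc 2>/dev/null
    dd if="$work/disk" of="$work/image01.iso" 2>/dev/null               # Step 4
    verify_image "$work/disk" "$work/image01.iso" | grep -q '^match' || return 1
    eval "$(carve_cmd "$work/image01.iso" 512 16 32 "$work/partition01.img")" 2>/dev/null
    size=$(wc -c < "$work/partition01.img" | tr -d ' ')
    marker=$(dd if="$work/partition01.img" bs=21 count=1 2>/dev/null)   # first 21 bytes
    rm -rf "$work"
    [ "$size" -eq 16384 ] && [ "$marker" = "NTFS-partition-marker" ] && echo ok
}

demo_carve
```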


.iso or .img?

• Doesn’t really matter - you can use pretty much any file name and extension you want

• By convention, some use .iso for the whole image and .img for partition images

• Whichever convention you adopt, be consistent


Step 10: Mount partition(s)

• To inspect and browse your partition images, you need to mount them as part of your Linux file system

• Important flags:
  – -t    File system type (e.g., ntfs)
  – ro    Read only (used with -o)
  – loop  Needed to read image file as block device (used with -o)

• Usage: mount <options> <path to image> <mountpoint>


Putting it all together…

mount -t ntfs -o ro,loop /casefile/partition01.img /forensics

This tells the system to mount the file as a read-only image file using NTFS at the /forensics directory (make sure that it exists). Once this is done, you should be able to inspect all files below that mountpoint using standard tools like ls and grep, as well as other specialized forensic tools from TCT, Helix, et al.


Step 11: Tool Time (“More Power!”)

We’ve already talked about basic tools like grep and ls. Thanks to toolboxes like TCT and Helix, there are many more that can be used to literally take the image apart and dissect it sector by sector, file by file. We can’t cover all of them here in detail, but we’ll take a few minutes to highlight some of the most useful and powerful “cool tools”…


mac-robber and mactime

• MAC refers here to Modified, Accessed and Created dates/times for files in the system

• mac-robber collects information from the file system’s metadata structure (MAC times, file sizes & permissions, etc.)
  – output defaults to STDOUT, can be piped to local file, or to remote location via netcat/cryptcat
  – usage: mac-robber <path> > <target>
  – e.g., mac-robber /forensics > partition01_mac.txt

• mactime is a Perl script that processes the output from mac-robber
  – allows specification of date/time range
  – sorts files by MAC times instead of by directory/path
  – use -b flag to designate source file, otherwise defaults to STDIN
  – e.g., mactime -b partition01_mac.txt > timeline.txt


MAC Timeline

• Investigating a compromise via rootkit et al usually involves inspecting the file system for unusual or unexplained changes and additions.

• The timeline file generated by mactime presents a chronological account of changes to individual files

• Can be a time-consuming examination, but often reveals much insight into how a system was hacked

• e.g., a common administrative tool like ps shows an inode number change 2 months ago
  – typically, core command-line utilities should have lower inode numbers that never change
  – indicates that the ps command was likely tampered with in order to hide processes from the system administrator


file

• Displays file type of one or more files

• Can use wildcards, e.g., ‘*’

• Can try to look inside compressed files (‘-z’)

• Useful for finding mismatches between the file extension in use and what the file actually is
  – e.g., user trying to hide incriminating JPG files by renaming them with ‘.exe’ extension


strings

• Locates and extracts strings of 4 characters or more in binary files

• Useful for finding calls to libraries, IP addresses, pathnames, etc

• Usage: strings <options> <filename>

• Flags
  – -a        grab all strings
  – --radix=d byte offset of string found
  – -f        print filename beside string
  – -n x      grab strings of at least x length


dstat

• Displays statistics on a particular data unit (sector)

• Useful for determining current allocation status of sector

• Typical usage:
  – dstat -f ntfs /casefile/partition01.img 20647

• Typical result:
  Fragment: 257
  Allocated
  Group: 0


dcat

• Similar to dstat, but outputs actual contents of sector

• Defaults to STDOUT, can be piped to file

• Usage:
  – dcat -f ntfs /casefile/partition01.img 20647


dls

• Lists contents from data units

• Defaults to STDOUT, can be piped

• Useful for recovering deleted files and slack space

• Flags:
  – -e    show all blocks
  – -l    list details about each block (no content)
  – -s    show slack space
  – range range of blocks to be output

• e.g.,
  – dls -f ntfs -el /casefile/partition01.img 2000-3000 > dlsdata.txt


inode tools

• Similar to the ‘d*’ tools we’ve just covered, there are tools that permit retrieval and inspection of file data based on inode number
  – ifind  find inode number that points to a disk sector
  – istat  display metadata info by inode number
  – ils    list inodes, including deleted files and unlinked but open files
  – icat   copy files by inode number


Step 12: A Final Windows Hint

• Don’t forget to run these tools on pagefile.sys - you’d be surprised what you might find


Questions?