Intro to Linux for Cyber Crime Investigators and Computer Forensic Examiners

By Ernest Baca, [email protected], www.linux-forensics.com (PowerPoint PPT presentation)

Page 1: Intro to Linux for Cyber Crime Investigators and Computer Forensic Examiners

Intro to Linux for Cyber Crime Investigators and Computer Forensic Examiners

By Ernest Baca

[email protected]

www.linux-forensics.com

Page 2

History of Linux

In 1991 computer hardware was pushing the limits beyond what anyone expected – DOS was still reigning supreme in the world of personal computers. PC users had no other choice. Apple Macintosh prices were astronomical.

The other dedicated camp of computing was the Unix world. Unix was far more expensive and out of reach of PC users. The source code of Unix, once taught in universities courtesy of Bell Labs, was now cautiously guarded.

A solution appeared on the horizon called MINIX. It was written from scratch by Andrew S. Tanenbaum, a Dutch professor who wanted to teach his students the inner workings of a real operating system. It was designed to run on the Intel 8086 microprocessor.

Page 3

History Continued

MINIX was not a superb operating system, but it had the advantage that the source code was available.

In 1991, Linus Benedict Torvalds was a second-year student of Computer Science at the University of Helsinki and a self-taught hacker. Torvalds loved to tinker with the power of computers and the limits to which the system could be pushed. All that was lacking was an operating system that could meet the demands of professionals. MINIX was good, but still it was an operating system for students, designed as a teaching tool.

At the same time, programmers worldwide were greatly inspired by the GNU project by Richard Stallman, a software movement started in 1983 to provide free quality software. (GNU is a recursive acronym which actually stands for ‘GNU is Not UNIX’.)

Page 4

History Continued

On August 25, 1991 the historic post was sent to the MINIX newsgroup by Linus Torvalds.

Linus did not believe at the time that Linux was going to be big enough to change computing forever.

Linux version 0.01 was released by mid-September 1991 and was put on the Internet. Enthusiasm gathered and code was downloaded, tweaked, and returned to Linus. Linux 0.02 came October 5th.

That was the start of a new generation operating system.

Page 5

Why Learn Linux for Cyber Crime Investigations?

Linux is one of the fastest growing operating systems. The odds of a Cyber Crime Investigator encountering a Linux system are becoming greater.

The Internet is made up of a majority of Linux systems. Learning the basic Linux system will help the investigator understand concepts in order to effectively investigate Cyber Crime.

A majority of hackers and hard-core cyber-criminals don’t use Windows-based systems. Learning the basic Linux concepts will help the Investigator effectively interview witnesses and suspects.

Learning the Linux system will assist the Investigator in Crime Scene response if a Linux system is encountered.

Page 6

Misconceptions about Linux

Linux is too hard to learn!
Linux is for the Ya Ya Brotherhood and Ya Ya Sisterhood of computer gurus!
Linux is hard to install!
If you know Linux you’re a COMPUTER GOD!
Linux is not a good teaching tool.
Linux is only command line driven and therefore too difficult!
You must know every Linux command to do anything useful with it.

Page 7

Understanding Linux

Linux versions are referred to as Kernel Versions.
Linux systems are referred to as Distributions.
A Distribution is a collection of software that runs on the Linux Kernel. Also referred to as a Distro.
Different distributions run differently (ex: file structure may be different).
All distributions are available for download.
Source code is available for all distributions of Linux.

Page 8

Linux Distributions

Redhat – Most popular amongst industry
Debian – Many distributions are based on this distribution
Mandrake – Very popular distribution
Suse – Most software-rich distribution
Slackware – Most popular amongst hackers. Very user-unfriendly
Gentoo – Slowly replacing Slackware
Many more!

Page 9

Next Generation Data Forensics

The Linux Solution

Page 10

What is Data Forensics?

Process:

Imaging data stored in electronic format
Authentication of the image
Analyzing the data
Reporting results in a neutral manner

Page 11

How does Linux fit in to Data Forensics?

An out-of-the-box Linux system already has the built-in ability to image, authenticate, wipe, and search media!

Page 12

Benefits of Linux as a Forensic Tool

Everything, including hardware, is treated as a file
Support for numerous file system types (many not recognized by Windows)
Ability to mount a file
Ability to analyze a live system in a safe and minimally invasive manner (no hardware or software write blocker needed)
Ability to redirect standard output to input (multiple commands on one line)
Ability to review source code for most utilities
Ability to create bootable media
Linux is free, as is the source code
Tools are mostly free or inexpensive (bottom line: cost efficient)
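As an added example that is not part of the original slides, the script below walks the image / authenticate / wipe / search steps from the "What is Data Forensics?" process and the slide above using only dd, md5sum, grep and tr from a stock Linux system. It assumes GNU grep (for the -abo byte-offset output) and uses a constructed file in place of a real device such as /dev/sdb.

```shell
#!/bin/sh
# Added example, not from the original slides: the image / authenticate / wipe / search
# steps of the "Data Forensics" process using only dd, md5sum, grep and tr from a stock
# Linux system. The suspect "drive" is a constructed file standing in for e.g. /dev/sdb.
WORK=$(mktemp -d)
EVIDENCE="$WORK/evidence.bin"   # constructed stand-in for the original media
IMAGE="$WORK/evidence.dd"       # the forensic image all analysis is done on

# Constructed evidence: 1 MiB of zeros with a known text fragment at byte offset 4096.
make_evidence() {
    dd if=/dev/zero of="$EVIDENCE" bs=1024 count=1024 2>/dev/null
    printf 'Meeting at the warehouse, 2am' |
        dd of="$EVIDENCE" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Imaging: bit-for-bit copy. noerror keeps going past unreadable blocks and sync pads
# them with zeros, so byte offsets in the image still line up with the original media.
image_device() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# Authentication: hash both sides; identical digests show the image is an exact copy.
hash_of() {
    md5sum "$1" | cut -d' ' -f1
}
verify_image() {
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

# Searching: scan the image (never the original media) for a string and return the
# byte offset of the first hit, which is what the examination notes will cite.
find_offset() {
    grep -abo "$2" "$1" | head -n 1 | cut -d: -f1
}

# Wiping: zero-fill a target (e.g. a drive being prepared to receive an image) in
# place, keeping its size, then confirm that nothing but NUL bytes remains.
wipe_media() {
    dd if=/dev/zero of="$1" bs=4096 count=$(( $(wc -c < "$1") / 4096 )) conv=notrunc 2>/dev/null
}
is_wiped() {
    [ -z "$(tr -d '\0' < "$1")" ]
}

make_evidence
image_device "$EVIDENCE" "$IMAGE"
verify_image "$EVIDENCE" "$IMAGE" && echo "image verified, md5 $(hash_of "$IMAGE")"
echo "fragment found at byte offset $(find_offset "$IMAGE" 'Meeting at the warehouse')"
```

The same functions apply to a real device by passing its path (for example /dev/sdb) as the source; the image, not the device, is what every later step reads.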

Page 13

Questions of Death!

Does your software make mistakes?
How do I know your software does what it says it does?
Can you validate what you did?

Page 14

Linux Tools

TASK & Autopsy – Tool used in data recovery and also used for data examination. www.atstake.com

Foremost – Data carving tool. foremost.sourceforge.net

The Coroner's Toolkit – Used for data recovery. www.porcupine.org/forensics/tct.html

Maresware – Linux tools for data forensics. www.dmares.com

SMART Forensic Software – GUI-based forensic software used for data acquisition, validation, examination and reporting. www.asrdata.com

Glimpse – Data indexing and search tool. www.glimpse.cs.arizona.edu

Page 15

Linux Bootable Distributions

Bootable Business Card – Linux boot CD image suitable to burn onto a business card CD. www.lnx-bbc.org

PLAC – Portable Linux Auditing CD. sourceforge.net/projects/plac

F.I.R.E – Another bootable Linux CD. fire.dmzs.com

Knoppix – GUI-based Linux bootable CD. www.knoppix.de

Page 16

Useful Linux Links

http://Ohiohtcia.org/linuxintro-1.8.1.pdf – Introduction to Linux for Data Forensics.
http://www.crazytrain.com – Website devoted to Linux Data Forensics
http://www.linux.org – Good Linux resource for learning
http://www.linux-directory.com – Another good Linux resource
http://www.linux-forensics.com – My website devoted to the use of Linux as a data forensic tool. (Currently Under Construction)

Page 17

DEMO TIME!!!