File000127

Module XIV – Linux Forensics

EC-CouncilCopyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

News: Linux Tool Speeds Up Computer Forensics for Cops

Source: http://news.zdnet.com/2100-3513_22-190993.html



Module Objective

• Linux Forensics Environment Creation• Floppy Disk Analysis• Hard Disk Analysis• Linux Boot Sequence• Data Collection using Toolkit• Crash Commands• Step-By-Step Approach to Case• Use of Linux in Forensics• Linux Forensic Tools

This module will familiarize you with:



Module Flow

Linux Boot Sequence

Data Collection using Toolkit

Crash Commands

Step-By-Step Approach to Case

Use of Linux in Forensics

Floppy Disk Analysis

Linux Forensics Environment Creation

Hard Disk Analysis

Linux Forensic Tools



Introduction to Linux



Linux OS

Linux is a free Unix-type open source operating system originally developed by LinusTorvalds with the assistance of developers around the world

It comes in different packages called distributions such as Red Hat, SuSE, and Mandrake

Linux distributions come in the following editions:

• It is a desktop installation with graphical interface and common applications

Desktop

• It is used in a production environment and business

Server/Enterprise

• The operating system is stored on a bootable storing device

Live CD



Linux Boot Sequence

The first step in the boot up sequence for Linux is loading the kernel

The kernel image is usually contained in the /boot directory

Details of the boot loader can be gained from LILO or GRUB using more /etc/lilo.conf or more /etc/grub.conf

The next step is initialization where runlevel and startupscripts are initialized and terminal process is controlled

The file that controls the initialization is /etc/inittab and the file that begins the process is /sbin/init



File System in Linux

On most Linux distributions, the basic directory structure is organized like this:



File System Description



Linux Forensics

Linux has a number of simple utilities that make imaging and basic analysis of suspect disks and drives easier. These include:

Utility Description

dd Command to copy data from an input file or device to an output file or device

sfdisk and fdisk Command to determine the disk’s structure

grep Command to search files for instances of an expression or pattern

The loop device Allows you to mount an image without having to rewrite the image to a disk

md5sum and sha1sum

Command to create and store an MD5 or SHA hash of a file or list of files (including devices)

file Command to read file header information in an attempt to ascertain its type, regardless of the name or extension

Xxd Command line hexdump tool

ghex and khexedit The Gnome and KDE (X Window interfaces) hex editors



Use of Linux as a Forensics Tool

Why use Linux for Forensics?

• Treats every device as a file• Does not need a separate write blocker

Greater Control

• Can be booted from a CD• Can recognize several file systems

Flexibility

• Distributions like THE FARMER'S BOOT CD and Sleuth make Linux a forensic tool in itself

Power



Advantages of Linux in Forensics

• Software is freely available• Source code is provided• Tools can be closely scrutinized for correctness

Software availability and accessibility

• Allows for much automation and scripting

Efficiency

• Software can be modified to fit the requirements

Optimizing and Customizing

• It supports Ad-hoc community• It uses open and published standards• It is compatible across technologies and organizations

Support



Disadvantages of Linux in Forensics

• It takes time and effort to learn Linux• Command line requires expertise unlike the GUI

environment, which is easy to work with

Requires training

• Continuous changes and updates occurs• It takes time to implement changes• Changes and implementation may not be the final one

Inter-operating with technologies is hard



Precautions to Take During an Investigation

Avoid running programs on the compromised system

Do not run the programs that will modify the meta-data of files and directories

Write the results of the investigation to a remote location

Calculate the hash values of the digital data to avoid the digital data alteration



Recognizing Partitions in Linux

If a standard IDE disk is being used, it will be referred to as "hdx"

The "x" is replaced with an "a" if the disk is connected to the primary IDE controller as master and with a "b" if the disk is connected to the primary IDE controller as a slave device

Similarly, the IDE disks connected to the secondary IDE controller as master and slave will be referred to as "hdc” and “hdd” respectively



mount Command

Devices such as floppies, CDs, hard disk partitions, and other storage devices must be attached to some existing directory on your system before they can be accessed

This attaching is called mounting, and the directory where the device is attached is called a mount point

After the device is mounted, you can access the files on that device by accessing the directory where the device is attached

Unmount the device when you want to remove or detach it from the mount point

When mounting, specify the device or partition to be mounted and the mount point

The mount point must be a directory that already exists on the system. An example to mount a floppy is:

•$ mount /dev/fd0 /mnt/floppy

For unmounting the device or partition, you must specify its name with unmount command

•$ umount /dev/fd0



dd Command Options

dd command is used to convert and copy a file

It reads the InFile parameter, converts it in a specified format, and copies the data into OutFile parameter

•dd [ bs=BlockSize ][ cbs=BlockSize ] [ conv= [ ascii | block | ebcdic | ibm | unblock ] [ lcase| ucase ] [ iblock ] [ noerror ] [ swab ] [ sync ] [ oblock ] [ notrunc ] ] [ count=InputBlocks ] [ files=InputFiles ] [ fskip=SkipEOFs ] [ ibs=InputBlockSize ] [ if=InFile ] [ obs=OutputBlockSize ][ of=OutFile ] [ seek=RecordNumber ] [ skip=SkipInputBlocks ][ span=yes|no ]

Syntax:



Floppy Disk Analysis

• Use dd to create forensic image and compare SHA hash of the image against floppy

• Use the commands: • # dd if=/dev/fd0 of=/evidence/floppy1.img bs=512• # sha1sum /evidence/floppy1.img >/evidence/floppy1img.sha1sum

• # cat /evidence/floppy1img.sha1sum• # cat /evidence/floppy1.sha1sum

To create floppy disk image:

In floppy disk analysis, insert floppy into floppy drive and obtain its SHA hash



Floppy Disk Analysis (cont’d)

Identify File System:

• Use file utility to identify the file system of floppy disk image• Use the command:• # File /evidence/floppy1.img

Mount the image for analysis:

• Create a directory to mount the image• Use mount utility to mount the image, using loop back• Use the commands:• # mkdir /mnt/analysis• # mount -t vfat -o ro,noexec,loop /evidence/floppy1.img /mnt/analysis

• # umount /mnt/analysis• # mount –o ro,noexec,loop /evidence/floppy1.img /mnt/analysis




• Obtain SHA hash of each file on the floppy disk and check files• Use the command:• # cd /mnt/analysis/mnt/analysis # find . -type f -exec sha1sum {} \; >/evidence/floppy1img.sha1filehash /mnt/analysis # cat /evidence/floppy1img.sha1filehash da39a3ee5e6b4b0d3255bfef95601890afd80709 ./.ICEauthority9155df0f906411433388c335c902d0a7452c6a72 ./addressbook2406038ea5da9776c1f32ba3d7f0e84d0b3d2af9 ./crackdealers.d /mnt/analysis #

Obtain SHA Hash of Contents:




• Use strings utility to extract raw text from a binary file• Use the command:•# strings crackdealers.d | less

View file’s contents:



Hard Disk Analysis

• Use dd partition(s) to image(s)•dd if=/dev/hda1 of=/var/case01.dd

Make an image of the hard disk

• date > case01.evidence.seal md5sum case01.dd >> case01.evidence.seal gpg –clearsign case01.evidence.seal

Use md5sum to collect the information about the system time and date

• Use the command:•mount –o ro,loop,nodev,noexec case01.dd /mnt/evidence

Mount copy of evidence into the file system



Hard Disk Analysis (cont’d)

Capture the drive’s forensic data

•grave-robber –c /mnt/evidence –m \–d /var/investigations/case01 –o LINUX2

Extract deleted inode (mod/access/change) times

•ils case01.dd | ils2mac > case01.ilsbody

Combine evidence for timeline conversion

•cat case01.ilsbody body > case01.evidence

Generate Timeline

•mactime –p /mnt/evidence/etc/passwd \–g /mnt/evidence/etc/group -b case01.evidence \11/28/2003 > case01.timeline



Data Collection



Forensic Toolkit Preparation

The forensic toolkit should include the tools such as:

• nc• dd• datecat• pcat• Hunter.o• insmod• NetstatArproute• dmesg

After building all the tools, copy all of them to the removable media



Data Collection Using the Toolkit

Step 1 • Media mounting

Step 2• Current date

Step 3• Cache tables

Step 4• Current, pending connections and open TCP/UDP ports

Step 5• Physical memory image



Data Collection Using the Toolkit (cont’d)

Step 6• List of modules loaded to the kernel memory of an operating system

Step 7• The list of active processes

Step 8• Collecting of suspicious processes

Step 9• Useful information about the compromised system

Step 10

• Current time




• Mount the toolkit on the external media• # mount -n /mnt/cdrom

• Calculate the hash value of the collected file to maintain the integrity of the digital evidence • # md5sum date_compromised > date_compromised.md5

Media mounting




Current date:

• Collect the current date result, presented in the UTC format• # nc -l -p port > date_compromised• # /mnt/cdrom/date -u | /mnt/cdrom/nc (remote) port• # md5sum date_compromised > date_compromised.md5

Cache tables:

• Collect the cache table information as it is volatile and can be lost• Mac address cache table:• # nc -l -p port > arp_compromised• # /mnt/cdrom/arp -an | /mnt/cdrom/nc (remote) port• # md5sum arp_compromised > arp_compromised.md5

• Kernel route cache table:• # nc -l -p port > route_compromised• # /mnt/cdrom/route -Cn | /mnt/cdrom/nc (remote) port• #md5sum route_compromised > route_compromised.md5




• Collect information about the current connections and open TCP/UDP ports•#nc -l -p port > connections_compromised•# /mnt/cdrom/netstat -an | /mnt/cdrom/nc (remote) port•#md5sum connections_compromised > connections_compromised.md5

Current, pending connections, and open TCP/UDP ports:

• Access physical memory directly by copying the /dev/mem device or by copying the kcore file

• kcore file can be found in the pseudo file system, which is mounted in the /proc directory•#nc -l -p port > kcore_compromised•#/mnt/cdrom/dd < /proc/kcore | /mnt/cdrom/nc (remote) port•#md5sum kcore_compromised > kcore_compromised.md5

Physical memory image:




List of modules loaded to kernel memory of an operating system:

• Check which modules are currently loaded into memory• # nc -l -p port > lkms_compromised• #/mnt/cdrom/cat /proc/modules | /mnt/cdrom/nc (remote) port• # nc -l -p port > lkms_compromised.md5• # /mnt/cdrom/md5sum /proc/modules | /mnt/cdrom/nc (remote) port

• Analyze the ksyms file to detect the presence of an intruder in the system• #nc -l -p port > ksyms_compromised• #/mnt/cdrom/cat /proc/ksyms | /mnt/cdrom/nc (remote) port• # nc -l -p port > ksyms_compromised.md5• #/mnt/cdrom/md5sum /proc/ksyms | /mnt/cdrom/nc (remote) port




• Collect the information about all processes, open ports, and files with the use of lsof tool• #nc -l -p port > lsof_compromised• #/mnt/cdrom/lsof -n -P -l | /mnt/cdrom/nc (remote) port

• #md5sum lsof_compromised > lsof_compromised.md5

The list of active processes:

• Copy the entire memory allocated by a process• #nc -l -p port > proc_id_compromised• #/mnt/cdrom/pcat proc_id | /mnt/cdrom/nc (remote) port

• #md5 proc_ip_compromised > proc_ip_compromised.md5

Collecting of suspicious processes:




• Use the following commands to collect the information about the suspects system:

Useful information about the compromised system:

Command Description

/mnt/cdrom/cat /proc/version Version of the operating system

/mnt/cdrom/cat /proc/sys/kernel/name Host’s name

/mnt/cdrom/cat /proc/sys/kernel/domainame Domain’s name

/mnt/cdrom/cat /proc/cpuinfo Information about hardware

/mnt/cdrom/cat /proc/swaps All swap partitions

mnt/cdrom/cat /proc/partitions All local file systems

/mnt/cdrom/cat /proc/self/mounts Mounted file systems

mnt/cdrom/cat /proc/uptime Uptime




• Accumulate information about the current time• #nc -l -p port > end_time• # /mnt/cdrom/date | /mnt/cdrom/nc (remote) port

Current time:



Keyword Searching

• Strings:• Used to gather all printable characters from the image file by

using the strings tool• Use the -t switch to add an offset from the beginning of the

file•strings -t d kcore > kcore_strings•md5sum kcore_strings > kcore_strings.md5

• Grep:• Used to gather commands typed by an intruder, IP addresses,

passwords, or even decrypted part of the malicious code

To search for signs of an intrusion, use tools such as:



Linux Crash Utility

Crash is a tool for interactively analyzing the state of the Linux system while it is running, or after a kernel crashes and a core dump has been created by the Red Hat netdump facility

SYNAPSIS: crash [ -h [ opt ] ] [ -v ] [ -s ] [ -i file ] [ -d num ] [ -S ] [ mapfile ] [ namelist ] [ dumpfile ]

Options: -h opt: Displays a help message-v Displays the versions of the original gdb and crash libraries that make up the crash executable -s Crash does not display any version, GPL, or crash initialization data during startup-i file Crash reads and executes the crash command(s) contained in file before accepting any user input. -d num Crash sets its internal debug level-S Crash uses "/boot/System.map" as the mapfilenamelist: This is a pathname to an uncompressed kernel image (a vmlinux file) that has been compiled with the "-g" option, or that has an accessible, associated debuginfo filemapfile: If the live system kernel, or the kernel from which the dumpfile was derived, was not compiled with the -g switch, then the additional mapfile argument is requireddumpfile: This is a pathname to a kernel memory core dump file



Linux Crash Utility: Commands

crash> ps

Output:



Linux Crash Utility: Commands (cont’d)

crash> ps -t

Output:




crash> ps –a

Output:

crash> foreach files

Output:




crash> foreach net

Output:



Crash Commands (cont’d)

Extract the information related to the state of the system using the crash commands

Information Command

Mounted file systems crash> mount

Open files per file system crash> mount –f

Kernel message buffer crash> log

Swap information crash> swap

Machine information crash> mach

Loaded Kernel Modules crash> mod

chrdevs and blkdevs arrays crash> dev

PCI device data crash> dev –p

I/O port/memory usage crash> dev –I

Kernel memory usage crash> kmem –I

Kernel vm_stat table crash> kmem -V



Case Examples



Case Example I

Rebecca had filed a lawsuit against Good Company Inc for sexual harassment by one of its senior directors Mr. Peter Samson

She submitted a floppy as evidence of Mr. Peter’s advances

She also ascertained that Mr. Peter used to send her explicit material through floppy disks marked as legitimate work

If a forensic investigator has been called to investigate the case by Good Company Inc

How should the forensic investigator proceed with the evidence?



Step-by-Step Approach to Case

• Begin with creating a directory where all forensic activities can be done•/mkdir evidence

• It is desirable to create a special mount point for all physical subject disk analysis •mkdir /mnt/investigation

Document all processes



• Create an image of the disk using the simple bit streaming command dd•dd if=/dev/fd0 of=image.suspectdisk

• Change the read-write permissions of the image to read-only using chmod•chmod 444 image.suspectdisk

Determine the disk structure:

Step-by-Step Approach to Case (cont’d)




Mount the restored imaged working copy and analyze the contents:

•mount -t vfat -o ro,noexec /dev/fd0 /mnt/investigations

• Another option is to mount a point within the image file using the loop interface rather than mounting the contents to another location

•mount -t vfat -o ro,noexec,loop image.suspectdisk/mnt/investigations

Verify the integrity of the data on the imaged file by checking the file hash:

•md5sum /evidence/md5.image.suspectfile or •sha1sum -c /evidence/SHA. image.suspectfile




Use the ls command to view the contents of the disk

• ls –alR to list all files including hidden files and list the directories recursively

Make a list of all files along with access times

• ls –laiRtu > /evidence/suspectfiles.list

Search for likely evidence using:

• grep. grep -i xxx suspectfiles.list

List the unknown file extensions and changed file appearances:

• file changedfile

• Files can be viewed using strings, cat, more, or less




Search for certain keywords from the entire file list

• cat /evidence/ suspectfiles.list | grepblackmailword

• A systematic approach to search for keywords would be to create a keywords list. E.g. save it as: •/evidence/keywordlist.txt

• grep the files for the keywords and save it to a file•grep –aibf keywordlist.txt image.suspectdisk > results.txt

• View the results:•cat results.txt

• To analyze the files at each offset, use the hexdump tool:•xxd -s (offset) image.suspectdisk | less



Challenges in Disk Forensics with Linux

Linux cannot identify the last sector on hard drives with odd number of sectors

Most Linux tools are complicated as they are used at the command line

Devices can be written to even if they are not mounted

Bugs in the open source tools can be used to question the credibility of the tool for forensics’ use

Forensic and Incident Response Environment (F.I.R.E) by William Salusky provides a good tool set



Case Example II

Mr. Jason Smith was accused of hoarding illegal material of questionable moral content on his company’s network systems

Forensic investigator was called upon to examine the suspect’s hard disk and unearth evidence related to the illegal material

How the forensic investigator should proceed in extracting and preserving the evidence?



Step-by-Step Approach to Case

Note down the model’s information from the hard disk label /manufacturer’s web site, and the size and total number of sectors on the drive

Wipe and format a image disk drive using the ext3 file system (> 3x evidence size)

Fill the disk with zeros and ensure that the contents match

• dcfldd if=/dev/zero of=/dev/hda bs=4096 conv=noerror, sync

Partition the disk and reboot

• fdisk /dev/hda

Format with the ext3 file system

• mkfs –t ext3 /dev/image.disk




• Mount the read-write image disk•mount /dev/hda /mnt/image.disk

• Create a directory for all documentation and analysis•mkdir /mnt/image.disk/case_no

• Create a sub-directory to hold the evidence’s image•mkdir /mnt/image.disk/case_no/evidence_no

• Document the details of the investigation in a text file including investigator’s details, case background details, and investigation dates

• Carry out the document details of the disk media including investigator’s name and organization, case number, media evidence number, date and time of imaging; make, model, and serial number of the computer, IP and system’s hostname; make, model, and serial number of HD, source of HD, and scope of the investigation

Prepare the disk for imaging




• Connect both original evidence drive and drive to be imaged to the imaging system

• Verify all jumper settings – Master/Slave• Make sure that the imaging system will boot only from CD by

checking the BIOS settings• Image the disk using dd: •dd if=/dev/hdx of=image.disk conv=noerror,sync• This will allow dd to try to ignore any errors (conv=noerror)

and synchronize the output (sync)with the original

Image the disk:



Check for accuracy by comparing md5sum

Mount the disk and extract evidence

Images can be carved using dd or the hex dump tool xxd




Linux Forensics Tools



Popular Linux Forensics Tools

The Sleuth Kit written by Brian Carrier and maintained at http://www.sleuthkit.org

Autopsy – HTML front-end for sleuthkit

SMART for Linux- by ASR Data is a commercial data forensics program that runs on Linux

THE FARMER'S BOOT CD- by farmerdude, is a bootable CD that is oriented towards previewing of data quickly

Penguin Sleuth - Knoppix based linux distribution with a forensic flavor

Forensix



The Sleuth Kit

The Sleuth Kit is a collection of command line digital investigation tools

The tools run on Linux, OS X, FreeBSD, OpenBSD, and Solaris and can analyze FAT, NTFS, UFS, EXT2FS, and EXT3FS

The Autopsy Forensic Browser is an HTML-based graphical interface for the command line tools in the Sleuth Kit which makes it much easier and faster to investigate a system

mac-robber is a tool that will collect temporal data from the mounted file systems

The data can be used to make a timeline of the file’s activity on the system using tools from The Sleuth Kit



Tools in “The Sleuth kit”

Tool Type Tool’s Name

File System Layer tools fsstat

File Name Layer tools ffind, fls

Meta Data Layer tools icat, ifind, ils , istat

Data Unit Layer tools dcat , dls , dstat, dcalc

File System Journal tools jcat , jls

Media Management tools mmls

Image File tools img_stat, mg_cat

Disk tools disk_sreset, disk_stat

Other tools hfind, mactime, sorter, sigfind



Autopsy

The Autopsy Forensic Browser is a graphical interface to the command line digital investigation analysis tools in The Sleuth Kit

Together, they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3)

The Sleuth Kit and Autopsy are both open source and run on UNIX platforms

As autopsy is HTML-based, you can connect to the autopsy server from any platform using an HTML browser

Autopsy provides a "File Manager“ like interface and shows details about the deleted data and the file system’s structures



The Evidence Analysis Techniques in Autopsy

File Listing:

• Analyze the files and directories, including the names of the deleted files and files with Unicode-based names

File Content:

• The contents of files can be viewed in raw, hex, or the ASCII strings can be extracted

Hash Databases:

• Look up the unknown files in a hash database to quickly identify it as good or bad

File Type Sorting:

• Sort the files based on their internal signatures to identify files of a known type

Timeline of the File’s Activity:

• Create timelines that contain entries for the Modified, Access, and Change (MAC) times of both allocated and unallocated files



The Evidence Analysis Techniques in Autopsy (cont’d)

Keyword Search:

• Keyword searches of the file system image can be performed using ASCII strings and grep regular expressions

Meta Data Analysis:

• It allows you to view the details of any meta data structure in the file system

Data Unit Analysis:

• It allows you to view the contents of any data unit in a variety of formats including ASCII, hexdump, and strings

Image Details:

• You can view the file system details including on-disk layout and the time of activity so that it is possible to recover data



Autopsy – File Listing



Autopsy – File Content



Autopsy – Hash Databases



Autopsy – File Type Sorting



Autopsy – Timeline of File Activity



Autopsy – Keyword Search



Autopsy – Meta Data Analysis



Autopsy – Data Unit Analysis



Autopsy – Image Details



SMART for Linux

SMART is a software utility that has been designed and optimized to support data forensic practitioners and Information Security personnel in pursuit of their respective duties and goals

It is known as ‘The Next Generation Data Forensic Tool’

• "Knock-and-talk" inquiries and investigations• On-site or remote preview of a target system• Post mortem analysis of a dead system• Testing and verification of other forensic programs• Conversion of proprietary "evidence file" formats• Baselining of a system

Functions of SMART:



Features of SMART for Linux

SMART displays the list of the connected storage devices in the main window list

It uses plugins to do much of the work, and the application itself utilizes a highly modular design philosophy

It is multi-threaded

Its powerful, flexible acquisition options allow you to create pure bit-image copies and quasi-proprietary formats that support seekable compression

It can acquire and clone a single source to any number of images and devices simultaneously

It generates information about hashes

It provides the ability to perform real authentication

It gives you an easy interface to Linux mounts and GUI environments such as KDE and GNOME

It enables complex tasks and search result rules to be applied automatically



SMART: Screenshots 1


















Penguin Sleuth

The Penguin Sleuth Kit is a bootable Linux distribution based on KNOPPIX

It is the collection of some useful tools, including The Coroner’s Toolkit (TCT), Autopsy, and The Sleuth Kit, as well as penetration testing and virus scanning tools

It offers a GUI environment as well as the good old fashion command line environment fitting the novice user to the experienced user



Tools Included in Penguin Sleuth Kit

Tool Name Description

Sleuth Kit Command Line Forensic Tools

Autopsy Part of Sleuth Kit

Foremost Command line data carving tool

Glimpse Command line data indexing and searching tool

Wipe Command line utility to securely wipe hard drives and files

Etherape Visual network monitor

Fenris Multipurpose tracer

Honeyd Command line honeypot program

Snort Command line network intrusion tool

Dsniff Command Line network auditing and penetration testing tools

John The Ripper Command Line Password Cracking tool

Nikto Webserver scanner



Tools Included in Penguin Sleuth Kit (cont’d)


Nbtscan Command-line tool that scans for open NETBIOS nameservers

Xprobe Command line remote operating system fingerprinting tool

Ngrep Command line Network grep Function

Nemesis Command Line network packet injector

Fragroute Command line network intrusion testing tool

Fping Command line multiple host ping utility

TCPtraceroute Command line traceroute TCP packages

TCPReplay Command line utility that replays a TCP dump

Nessus Graphical Security Scanner

Ethereal Graphical Network analyzer

Netcat Command line tool to read and write over network

TCPdump Command line tool that dumps network traffic



Tools Included in Penguin Sleuth Kit (cont’d)


Hping2 Command line packet assembler / analyzer

Ettercap Command line sniffer / interceptor / logger for Ethernet networks

Openssh Secure remote connection utility

Kismet Graphical wireless network sniffer

AirSnort Graphical wireless network intrusion tool

GPG Encryption utility

OpenSSL Secure remote connection utility

Lsof Command line utility that lists all open files

Hunt Command line TCP / IP exploit scanner

Stunnel SSL connection package

ARPwatch Command line Ethernet monitor

Dig Command line tool for querying domain name servers

Chkrootkit Looks for signs of root kit



THE FARMER'S BOOT CD (The FBCD)

FBCD allows you to examine storage media directly from Linux

Boot any x86 system and mount file systems in a forensically sound manner (including journaled file systems)

Previews data safely using a single, unified graphical user interface (GUI)

Is designed and optimized for previewing, authenticating, acquiring, and analyzing media



THE FARMER'S BOOT CD (The FBCD) (cont’d)

• It supports the greatest amount of hardware in the widest range of cases

• It minimizes its footprint on the system, saving memory (RAM) for critical processes and tasks

• Every included application is already configured for data forensics so that there is no need to change settings or wonder about configuration parameters

THE FARMER'S BOOT CD is configured such that:



Delve: Screenshots

Delve, the proprietary preview program found on THE FARMER'S BOOT CD

DEVICES tab is used to mount file systems (truly read-only). Right-click on any file system to view the available options (depends upon the mount ‘status) as shown in the right hand side



Delve: Screenshots

PAGEFILE tab is used to identify email and URLs in the Windows “pagefile.sys” file

.URL output :



Delve: Screenshots

WINDOWS LOGS tab is used to identify key log files of interest on Windows systems and open a pop-up window as shown in the right hand side, allowing you to click on files of interest for viewing



Delve: Screenshots

WEB HISTORY tab is used to identify the web browser ‘s cache files and extract cookie and history information as shown in the two output files:



Delve: Screenshots

CATALOG tab is used to identify and catalog files of interest by extension or header. Found files may be copied, opened, or a file listing dumped



Delve: Screenshots

LINUX LOGS tab is used to identify key log files on Linux systems and open a pop-up window as shown in the right hand side, allowing you to click on files of interest for viewing



Delve: Screenshots

DATE CONVERTER tab is used to convert date and times from one format to many other formats



Delve: Screenshots

GRAPHICS VIEWER tab is used to identify graphics files and open a viewer for found files



Delve: Screenshots

MISC menu option provides miscellaneous utilities, including dumping hard drive information, dumping the system BIOS tables, dumping an inventory of hardware, etc.



Forensix

The goal of the Forensix ("4N6") Project is to allow a system to be monitored so that, in the event of a security compromise, it is easy to track the compromise back to its source and recover from it

It performs a complete kernel event audit on the target system and streams the high-definition audit trail to a backend database that has been optimized for reconstruction queries

• Accurately replays any and all system compromises• Determines what specific data (such as credit card numbers) has been

accessed on the system as a result of a compromise• Automatically determines what modifications have been made to a system by

an illicit user• Selectively "undo"-ing illicit system modifications

Functions:



Tool: Maresware

Linux Forensics provides tools for investigating computer records while running the LINUX operating system on Intel processors

Maresware is useful to all types of investigators, including law enforcement, intelligence agency, private investigator, and corporate internal investigator

This software enables discovery of evidence for using in criminal or civil legal proceedings



Major Programs Present inMaresware

Program Description

Bates_noA unique program for adding identifying numbers to filenames in e-documents

CatalogCatalogues every file on a Linux file system and identifies headers

Hash Performs MD5 (CRC, or SHA) hash of every file on a drive

Hashcmp Compares outputs of successive hash runs

Md5 Calculates MD5 hash of a file

Strsrch Searches files for text strings

U_to_A Converts *ix text to DOS text



Tool: Captain Nemo

Widely used by law enforcement personnel, forensic investigators, as well as network administrators.

Captain Nemo enables you to access any Linux drive from your Windows computer without requiring a network setup

Just connect the Linux drive to your machine and Captain Nemo will let you mount your Linux partitions in Windows

You can read, search, and view all your Linux files and copy them to your Windows drive

It supports ext2fs and ext3fs



Captain Nemo: Screenshot



The Coroner’s Toolkit (TCT)

TCT is a collection of programs

In TCT, grave-robber tool captures information

The ils and mactime tools display access patterns of files dead or alive

The unrm and lazarus tools recover the deleted files

The findkey tool recovers cryptographic keys from a running process or from files



Tool: FLAG

FLAG is used for the log file analysis and forensic investigations

It uses a database as a backend to assist in managing the large volumes of data

Features of FLAG:

• FLAG supports generic firewall logs• It collects information about the log and searches for suspicious activity

Log analysis:

• It uses the dissected information to construct a knowledge base of different entities on the network

Network Forensics:

• It uses the Sleuth Kit tool to analyze dd images

Disk Forensics



FLAG: Screenshot

Figure: FLAG Listening ports



FLAG: Screenshot

Figure: FLAG connecting to port 80



Tool: md5deep

md5deep is a cross-platform set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files

Features of md5deep:

• Recursive operation: md5deep is able to recursive examine an entire directory tree

• Comparison mode: It computes the MD5 for every file in a directory and for every file in every subdirectory

• Time estimation: It can produce a time estimate when it is processing large files



Tool: TestDisk

TestDisk help to recover lost partitions and/or make non-booting disks bootable again

• Fix partition table, recover deleted partition• Recover FAT32 boot sector from its backup• Rebuild FAT12/FAT16/FAT32 boot sector• Fix FAT tables• Rebuild NTFS boot sector• Recover NTFS boot sector from its backup• Copy files from the deleted FAT, NTFS, and ext2/ext3 partitions

Functions:



Tool: Vinetto

Vinetto is a forensics tool to examine Thumbs.db files

It extracts the related thumbnails to a directory

It gets a metadata report on all non deleted Thumbs.db files contained within a partition

Syntax:

•vinetto [OPTIONS] [-s] [-U] [-o DIR] file



Summary

Linux imparts greater control, flexibility, and power as a forensics tool

Linux has a number of simple utilities that make imaging and basic analysis of the suspect disks and drives easier

Linux cannot identify the last sector on hard drives with an odd number of sectors

There are several popular Linux tool kits that provide GUI as well for convenience





Technology

File000127