Sie sind auf Seite 1von 307

The Law Enforc m nt and For nsic Examin r’s

Introduction to Linux

A Compr h nsiv B ginn r’s Guid to Linux as a Digital For nsic


Platform

V rsion 4.33
Jun 2018

Barry J. Grundy
bgrundy@LinuxLEO.com
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

LEGALITIES................................................................................................................................ 5
ACKNOWLEDGMENTS..................................................................................................................... 5
FOREWORD............................................................................................................................... 6
A WORD ABOUT THE “GNU” IN GNU/LINUX.......................................................................................7
WHY LEARN LINUX?.................................................................................................................... 7
WHERE’S ALL THE GUI TOOLS?....................................................................................................... 9
THE EXERCISES – NEW AND OLD..................................................................................................... 9
LINUXLEO YOUTUBE CHANNEL..................................................................................................... 10
CONVENTIONS USED IN THIS DOCUMENT............................................................................................ 10
I. INSTALLATION..............................................................................................................12
DISTRIBUTIONS......................................................................................................................... 12
SLACKWARE AND USING THIS GUIDE...........................................................................................14
INSTALLATION METHODS............................................................................................................... 15
SLACKWARE INSTALLATION NOTES.................................................................................................... 15
SYSTEM USERS......................................................................................................................... 17
ADDING A NORMAL USER........................................................................................................ 17
THE SUPER USER................................................................................................................. 18
DESKTOP ENVIRONMENT............................................................................................................... 19
THE LINUX KERNEL.................................................................................................................... 20
KERNEL AND HARDWARE INTERACTION...............................................................................................20
HARDWARE CONFIGURATION..................................................................................................... 21
KERNEL MODULES................................................................................................................ 22
HOTPLUG DEVICES AND UDEV................................................................................................... 24
HOT PLUGGING DEVICES AND DESKTOPS......................................................................................25
II. LINUX DISKS, PARTITIONS AND THE FILE SYSTEM........................................27
DISKS................................................................................................................................... 27
DEVICE NODE ASSIGNMENT – LOOKING CLOSER....................................................................................30
THE FILE SYSTEM...................................................................................................................... 32
MOUNTING EXTERNAL FILE SYSTEMS................................................................................................ 33
THE MOUNT COMMAND.......................................................................................................... 34
THE FILE SYSTEM TABLE (/ETC/FSTAB)........................................................................................37
DESKTOP MOUNTING............................................................................................................. 38
III. THE LINUX BOOT SEQUENCE (SIMPLIFIED).....................................................41
BOOTING THE KERNEL.................................................................................................................. 41
SYSTEM INITIALIZATION................................................................................................................ 42
RUNLEVEL............................................................................................................................... 42
GLOBAL STARTUP SCRIPTS............................................................................................................ 43
SERVICE STARTUP SCRIPTS........................................................................................................... 44
BASH.................................................................................................................................... 44
IV. BASIC LINUX COMMANDS......................................................................................46
LINUX AT THE TERMINAL............................................................................................................... 46
ADDITIONAL USEFUL COMMANDS...................................................................................................... 48
COMMAND LINE MATH................................................................................................................ 50
BC – THE BASIC CALCULATOR..................................................................................................... 50
BASH SHELL ARITHMETIC EXPANSION........................................................................................... 52
FILE PERMISSIONS...................................................................................................................... 53
PIPES AND REDIRECTION.............................................................................................................. 54

2
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

FILE ATTRIBUTES....................................................................................................................... 57
METACHARACTERS..................................................................................................................... 59
COMMAND HINTS...................................................................................................................... 59
V. EDITING WITH VI........................................................................................................60
THE JOY OF VI......................................................................................................................... 60
VI COMMAND SUMMARY................................................................................................................ 61
VI. CONFIGURING A FORENSIC WORKSTATION...................................................62
SECURING THE WORKSTATION........................................................................................................ 62
CONFIGURING “RC” (STARTUP) SERVICES......................................................................................63
HOST BASED ACCESS CONTROL................................................................................................ 66
HOST BASED FIREWALL WITH IPTABLES......................................................................................... 71
UPDATING THE OPERATING SYSTEM.................................................................................................. 75
USING SLACKPKG.................................................................................................................. 76
INSTALLING AND UPDATING “EXTERNAL” SOFTWARE...............................................................................78
COMPILING FROM SOURCE....................................................................................................... 78
USING DISTRIBUTION PACKAGES................................................................................................80
BUILDING PACKAGES – SLACKBUILDS..........................................................................................81
USING THE AUTOMATED PACKAGE TOOL SBOTOOLS...........................................................................85
VII. LINUX AND FORENSICS.........................................................................................91
EVIDENCE ACQUISITION................................................................................................................ 91
ANALYSIS ORGANIZATION........................................................................................................ 91
WRITE BLOCKING................................................................................................................. 93
EXAMINING THE PHYSICAL MEDIA INFORMATION...............................................................................94
HASHING MEDIA.................................................................................................................. 99
COLLECTING A FORENSIC IMAGE WITH DD....................................................................................100
DD AND SPLITTING IMAGES..................................................................................................... 102
ALTERNATIVE IMAGING TOOLS................................................................................................. 105
DC3DD........................................................................................................................... 106
LIBEWF AND EWFACQUIRE....................................................................................................... 113
MEDIA ERRORS - DDRESCUE................................................................................................... 123
IMAGING OVER THE WIRE...................................................................................................... 132
OVER THE WIRE - DD.......................................................................................................... 135
OVER THE WIRE - DC3DD..................................................................................................... 136
OVER THE WIRE - EWFACQUIRESTREAM.......................................................................................138
OVER THE WIRE – OTHER OPTIONS.........................................................................................140
PREPARING A DISK FOR THE SUSPECT IMAGE................................................................................145
FINAL WORDS ON IMAGING.................................................................................................... 147
MOUNTING EVIDENCE................................................................................................................ 148
STRUCTURE OF THE IMAGE..................................................................................................... 148
IDENTIFYING FILE SYSTEMS.................................................................................................... 150
THE LOOP DEVICE.............................................................................................................. 151
LOOP OPTION TO THE MOUNT COMMAND......................................................................................151
LOSETUP.......................................................................................................................... 152
MOUNTING FULL DISK IMAGES WITH LOSETUP...............................................................................154
MOUNTING MULTI PARTITION IMAGES WITH KPARTX.........................................................................157
MOUNTING SPLIT IMAGE FILES WITH AFFUSE.................................................................................160
MOUNTING EWF FILES WITH EWFMOUNT....................................................................................164
ANTI-VIRUS – SCANNING THE EVIDENCE FILE SYSTEM WITH CLAMAV........................................................166
BASIC DATA REVIEW ON THE COMMAND LINE....................................................................................170

3
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

FILE LISTING.................................................................................................................... 175


MAKING A LIST OF FILE TYPES................................................................................................ 177
VIEWING FILES.................................................................................................................. 178
SEARCHING ALL AREAS OF THE FORENSIC IMAGE FOR TEXT...............................................................181
VIII. ADVANCED (BEGINNER) FORENSICS.............................................................186
THE COMMAND LINE ON STEROIDS................................................................................................ 186
FUN WITH DD....................................................................................................................... 193
DATA CARVING WITH DD..................................................................................................... 194
CARVING PARTITIONS WITH DD...............................................................................................197
RECONSTRUCTING THE SUBJECT FILE SYSTEM STRUCTURE (LINUX).......................................................201
IX. ADVANCED ANALYSIS TOOLS..............................................................................205
THE LAYER STRATEGY FOR APPROACHING ANALYSIS.............................................................................206
SLEUTH KIT.......................................................................................................................... 208
SLEUTH KIT INSTALLATION..................................................................................................... 210
SLEUTH KIT EXERCISES........................................................................................................ 211
SLEUTH KIT EXERCISE #1A – DELETED FILE IDENTIFICATION AND RECOVERY (EXT2).................................212
SLEUTH KIT EXERCISE #1B – DELETED FILE IDENTIFICATION AND RECOVERY (EXT4).................................222
SLEUTH KIT EXERCISE #2A – PHYSICAL STRING SEARCH & ALLOCATION STATUS (EXT2)...........................226
SLEUTH KIT EXERCISE #2B – PHYSICAL STRING SEARCH & ALLOCATION STATUS (EXT4)...........................233
SLEUTH KIT EXERCISE #3 – UNALLOCATED EXTRACTION & EXAMINATION..............................................236
SLEUTH KIT EXERCISE #4 – NTFS EXAMINATION: FILE ANALYSIS......................................................242
SLEUTH KIT EXERCISE #5 – NTFS EXAMINATION: ADS................................................................247
SLEUTH KIT EXERCISE #6 – PHYSICAL STRING SEARCH & ALLOCATION STATUS (NTFS)...........................251
BULK EXTRACTOR – COMPREHENSIVE SEARCHING................................................................................257
PHYSICAL CARVING.................................................................................................................. 265
SCALPEL......................................................................................................................... 266
PHOTOREC........................................................................................................................ 274
COMPARING AND DE-DUPLICATING CARVE OUTPUT.........................................................................282
APPLICATION ANALYSIS.............................................................................................................. 285
REGISTRY PARSING #1 - USERASSIST......................................................................................286
REGISTRY PARSING #2 – SAM AND ACCOUNTS...........................................................................293
APPLICATION ANALYSIS – PREFETCH...........................................................................................297
X. INTEGRATING LINUX WITH YOUR WORK......................................................301

XI. CONCLUSION............................................................................................................306

XII. LINUX SUPPORT.....................................................................................................307


PLACES TO GO FOR SUPPORT:....................................................................................................... 307

4
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Legalities

All trad marks ar th prop rty of th ir r sp ctiv own rs.

© 1998-2017 Barry J. Grundy (bgrundy@LinuxLEO.com): Theis docum nt may b r distribut d,


in its ntir ty, including th whol of this copyright notic , without additional cons nt if th
r distributor r c iv s no r mun ration and if th r distributor us s th s mat rials to assist
and/or train m mb rs of Law Enforc m nt or S curity / Incid nt R spons prof ssionals.
Oth rwis , th s mat rials may not b r distribut d without th xpr ss writte n cons nt of th
author, Barry J. Grundy.

Acknowledgments

As always, th r is no possibl way I can thank v ryon that d s rv s it. Ov r th y ars I


hav l arn d so much from so many. A blog post h r , a r turn d mail th r . H lp on IRC,
onlin forums, and coll agu s in th officc . The contributions I r c iv from oth rs in th fie ld
that tak tim out of th ir own busy days to assist m in growing as an inv stigator and
for nsic xamin r, ar simply too num rous to catalog. My h artf lt thanks to all.

The list of coll agu s that hav contribut d ov r th many y ars has grown. I r main grat ful
to all that hav giv n th ir tim in r vi wing and providing valuabl f dback, and in som
cas s, simpl ncourag m nt to all v rsions of this guid ov r th y ars. My continu d thanks
to Cory Alth id , Brian Carri r, Christoph r Coop r, Nick Furn aux, John Garris, Rob rt-Jan
Mora, and J ss Kornblum for h lping m lay th foundation for this guid . And for mor
r c nt assistanc , I’d lik to thank Jacqu s Bouch r, Tobin Craig, Simson Garfienk l, Andr as
Guldstrand, Bill Norton, Paul St ph ns, Danny W rb, and as always, Robby Workman.

My continu d thanks to th Linux K rn l, various distribution, and softwwar d v lopm nt


t ams for th ir hard work in providing us with an op rating syst m and utiliti s that ar robust
and controllabl . What horrors would I b living without th ir d dication?

The LinuxLEO logo was d sign d by Laura Ette r (WillowWispDesign@yahoo.com).

Finally, I cannot go without thanking my wif Jo and my sons Patrick and Tommy for th
s mingly ndl ss pati nc as th work was und rway.

5
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Foreword

It’s b n n arly t n y ars sinc this guid has b n officcially updat d, and ov r fieftw n
y ars sinc its initial public r l as . In that tim , w ’v s n signifiecant chang s to th for nsic
industry, and a massiv growth in th d v lopm nt of softwwar and t chniqu s us d to uncov r
vid nc from an v r xpanding univ rs of d vic s. The purpos of this docum nt, how v r,
r mains unchang d. I am looking to provid an asy to follow and acc ssibl guid for for nsic
xamin rs across th full sp ctrum of this for nsic disciplin ; law nforc m nt officc rs,
incid nt r spond rs, and all comput r sp cialists r sponsibl for th inv stigation of digital
vid nc . Theis guid continu s to provid an introductory ov rvi w of th GNU/Linux (Linux)
op rating syst m as a for nsic platform for digital inv stigators and for nsic xamin rs.

Abov all, this r mains a b ginn r’s guid . An introduction. It is not m ant to b a full
cours on conducting for nsic xaminations. Theis docum nt is about th tools and th
conc pts us d to mploy th m. Introducing th m, providing simpl guidanc on using th m,
and som id as on how th y can b int grat d into a mod rn digital for nsics laboratory or
inv stigativ proc ss. Theis is also a hands on guid . It’s th b st way to l arn and w ’ll cov r
both basic GNU/Linux utiliti s and sp cializ d softwwar through short x rcis s.

The cont nt is m ant to b “b ginn r” l v l, but as th comput r for nsic community


volv s and th subj ct matte r wid ns and b com s mor mainstr am, th d fienition of
“b ginn r” l v l mat rial starts to blur. Theis guid mak s an ffoort to k p th mat rial as basic
as possibl without omitteing thos subj cts s n as fundam ntal to th prop r und rstanding of
Linux and its pot ntial as a digital for nsic platform. If you’v b n doing for nsic
xaminations for fiev or t n y ars, but n v r d lv d into Linux, th n this is for you. If you’r a
stud nt at Univ rsity and you ar int r st d in how for nsic tools ar mploy d, but cannot
affoord thousands of dollars in lic ns sNth n this is for you.

How v r, this is by no m ans m ant to b th d fienitiv “how-to” on for nsic m thods


using Linux. Rath r, it is a (som what xt nd d) starting point for thos who ar int r st d
in pursuing th s lf- ducation n d d to b com profieci nt in th us of Linux as an
inv stigativ tool. Not all of th commands offo r d h r will work in all situations, but by
d scribing th basic commands availabl to an inv stigator I hop to “start th ball rolling”. I
will pr s nt th commands, th r ad r n ds to follow-up on th mor advanc d options and
us s. Knowing how th s commands work is v ry bit as important as knowing what to typ
at th prompt. If you ar v n an int rm diat Linux us r, th n much of what is contain d in
th s pag s will b r vi w. Still, I hop you fiend som of it us ful.

GNU/Linux is a constantly volving op rating syst m. Distributions com and go, and
th r ar now a numb r of “stand out” Linux flaavors that ar commonly us d. In addition to
balancing th b ginn r natur of th cont nt of this guid with th advancing standards in
for nsic ducation, I also fiend mys lf trying to balanc th l v l of d tail r quir d to actually
t ach us ful tasks with th distribution sp cifiec natur of many of th commands and
confiegurations us d.

6
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

As w will discuss in furth r d tail lat r in this guid , many of th d tails ar sp cifiec to
on flaavor of Linux. In most cas s, th commands ar quit portabl and will work on most
any syst m. In oth r cas s (packag manag m nt and confieguration diting, tc.) you may fiend
that you n d to do som r s arch to d t rmin what n ds to b don on your platform of
choic . The d t rmination to provid sp cifiec d tails on actually confieguring a sp cifiec syst m
cam about through ov rwh lming r qu st for guidanc . The d cision to us my Linux
distribution of choic for for nsics as an xampl is p rsonal.

Ov r th y ars I hav r p at dly h ard from coll agu s that hav tri d Linux by
installing it, and th n proc d d to sit back and wond r “what n xt?” I hav also nt rtain d a
numb r of r qu sts and sugg stions for a mor xpansiv xploration of tools and utiliti s
availabl to Linux for for nsic analysis at th application l v l as w ll as num rous r qu sts for
prop r confieguration guid lin s for a bas lin Linux workstation. You hav a copy of this
introduction. Now download th x rcis s and driv on. Theis is only th start of your r ading.
Utiliz d corr ctly, this guid should prompt many mor qu stions and kick start your l arning.
In th y ars sinc this docum nt was fierst r l as d a numb r of xc ll nt books with far mor
d tail hav cropp d up cov ring op n sourc tools and Linux for nsics. I still lik to think this
guid will b us ful for som .

As always, I am op n to sugg stions and critiqu . My contact information is on th


front pag . If you hav id as, qu stions, or comm nts, pl as don’t h sitat to mail m . Any
f dback is w lcom .

Theis docum nt is occasionally (infr qu ntly, actually) updat d. Ch ck for n w r


v rsions (numb r d on th front pag ) at th officcial sit :

http://www.LinuxLEO.com

A word about the “GNU” in GNU/Linux

Wh n w talk about th “Linux” op rating syst m, w ar actually talking about th


GNU/Linux op rating syst m (OS). Linux its lf is not an OS. It is just a k rn l. The OS is
actually a combination of th Linux k rn l and th GNU utiliti s that allow us (mor
sp cifiecally our hardwar ) to int ract with th k rn l. Which is why th prop r nam for th
OS is “GNU/Linux”. W (incorr ctly) call it “Linux” for conv ni nc .

Why Learn Linux?

On of th qu stions h ard most oftw n is: “why should I us Linux wh n I alr ady hav
[insert Windows GUI forensic tool here]?” The r ar many r asons why Linux is quickly gaining
ground as a for nsic platform. I’m hoping this docum nt will illustrat som of thos
atteribut s.

7
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

 Control – not just ov r your for nsic softwwar , but th whol OS and
atteach d hardwar .
 Fl xibility – boot from a CD (to a compl t OS), fiel syst m support,
platform support, tc.
 Pow r – A Linux distribution is (or can b ) a for nsic tool.

Anoth r point to b mad is that simply knowing how Linux works is b coming mor and
mor important. Whil many of th Windows bas d for nsic packag s in us today ar fully
capabl of xamining Linux syst ms, th sam cannot b said for th xamin rs.

As Linux b com s mor and mor popular, both in th comm rcial world and with d sktop
us rs, th chanc that an xamin r will ncount r a Linux syst m in a cas b com s mor
lik ly ( sp cially in n twork inv stigations). Ev n if you l ct to utiliz a Windows for nsic
tool to conduct your analysis, you must at l ast b familiar with th OS you ar xamining. If
you do not know what is normal, th n how do you know what do s not b long? Theis is tru
on so many l v ls, from th actual cont nts of various dir ctori s to strang ntri s in
confieguration fiel s, all th way down to how fiel s ar stor d. Whil this docum nt is mor
about Linux as a for nsic tool rath r than analysis of Linux, you can still l arn a lot about how
th OS works by actually using it.

The r is also th issu of cross-v rifiecation. A working knowl dg of Linux and its for nsic
utility can provid an xamin r with alternative tools on an alternative platform to us as a
m thod to v rify th fiendings of oth r tools on oth r op rating syst ms. Many xamin rs hav
sp nt countl ss hours l arning and using common industry standard Microsoftw Windows
for nsic tools. It would b unr alistic to think that r ading this guid will giv an xamin r th
sam l v l of confied nc , som tim s built through y ars of xp ri nc , as th y hav with th ir
traditional tools of choic . What I can hop is that this guid will provid nough information
to giv th xamin r “anoth r tool for th toolbox”, wh th r it's imaging, r cov ring, or
xamining. Linux as an alt rnativ for nsic platform provid s a p rf ct way to cross ch ck
your work and v rify your r sults, v n if it is not your primary choic .

W also n d to consid r th us fuln ss of Linux in acad mic and r s arch applications.


The op n natur of Linux and th pl thora of us ful utiliti s includ d in a bas syst m mak it
an almost tailor mad platform for basic digital for nsics. Theis is sp cially tru in an acad mic
nvironm nt wh r w fiend Linux provid s a low cost solution to nabl acc ss to imaging
tools and fiel xamination utiliti s that can b us d to cov r th foundations of digital
inv stigations using tools in an nvironm nt that supports multipl formats and data typ s.
For xampl , w can us th dd program for simpl imaging and carving; grep and xxd to
locat and xamin fiel syst m structur s and t xt string artifacts, and th file command
again with xxd for signatur id ntifiecation and analysis. Theis provid s us with much th sam
s t of simpl tools n d d to pr s nt th v ry basics of digital for nsics whil still t aching
Linux command lin familiarity. Linux as a for nsic platform can asily provid a primary
m ans for digital inv stigations ducation. And in fact, prior v rsions of this guid hav b n
r f r nc d in many advanc d d gr and law nforc m nt programs that t ach basic digital
for nsics.

8
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Where’s all the GUI tools?

As much as possibl , th tools r pr s nt d in this guid ar callabl from and r quir


us r int raction through th command lin nvironm nt. Theis is not simpl sadism. It’s a
matte r of actually l arning Linux (and in som ways UNIX as a by-product). Theis point will b
mad throughout this docum nt, but th goal h r is to introduc tools and how to int ract
through th command lin . R lianc on GUI tools is und rstandabl and is not b ing wholly
disparag d h r . If you ar making th ffoort to r ad and follow along with this guid , th n an
assumption is b ing mad that you want to l arn Linux and th pow r th command lin
brings. The r ar two main points that w can focus on h r :

The fierst is that Linux (and UNIX) fiend th ir foundation at th command lin . Mod rn
Linux and UNIX impl m ntations ar still, at th ir h arts, driv n by syst m that is most
acc ssibl from a command lin int rfac . For this r ason, knowing how to int ract with th
command lin provid s xamin rs th wid st rang of capabiliti s r gardl ss of th distribution
or confieguration of Linux ncount r d. Y s, this is about for nsic tools and utiliti s, but it’s
also about b coming comfortabl with Linux. It is for this r ason that w continu to l arn a
command lin ditor lik vi and simpl bit l v l copying tools lik dd. The r ’s a v ry high
probability that any Linux/UNIX syst m you com across will hav th s tools.

S cond is that knowing and und rstanding th command lin is, in and of its lf, a v ry
pow rful tool. Onc you r aliz th pow r of command pip s and flaow control (using loops
dir ctly on th command lin ), you will fiend yours lf abl to pow r through probl ms far fast r
than you pr viously thought. L arning th prop r us and pow r of utiliti s lik awk, sed, and
grep will op n som pow rful t chniqu s for parsing structur d logs and oth r data sourc s.
Theis guid should provid som basic und rstanding of how thos can b us d. Onc you
und rstand and start to l v rag this pow r, you will fiend yours lf pining for a command lin
and its utiliti s wh n on is not availabl .

K p th s points in mind as you go through th x rcis s h r . Und rstand why and


how th tools work. Don’t just m moriz th commands th ms lv s. Theat would miss th
point.

Thee Exercises – New and Old

The r ar updat s across th board in this v rsion of th guid . Wh r old (and still
us ful) x rcis s r main from pr vious v rsions, th output and tool usag has b n r fr sh d
to r fla ct th curr nt v rsions of th tools us d. Whil som what aging, th s x rcis s and
th fiel s us d to pr s nt th m r main us ful and hav not b n r mov d.

N w x rcis s hav also b n add d to allow for additional cont nt cov ring application
lay r analysis tools and oth r r c nt additions to th Linux for nsics ars nal. K p in mind
that whil this docum nt do s cov r som for nsic strat gi s and basic fundam ntals, it is
r ally about th tools w us and th conc pts b hind mploying th m. As such som of th

9
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

old r x rcis fiel s may s m a bit dat d but th y still s rv th purpos of providing a probl m
s t on which w can l arn commands r gardl ss of th targ t.

Theis v rsion of th guid is NOT a s qu l. It’s an updat – but with som n w mat rial.

LinuxLEO YouTube Channel

You can fiend d monstrations and simpl vid o xampl s of som of th following
chapt rs on th LinuxLEO YouTub chann l at 1:

htteps://www.youtub .com/chann l/UCRyk5g_LoiYtEGy3dlkAsvQ

The r is littel cont nt th r now, but mor will b add d as tim go s on. Subscrib and
you will b notifie d as vid os ar upload d.

Conventions Used in this Document

Wh n illustrating a command and it's output, you will s som thing lik th following:

root@forensic1:~# command
output

Theis is ss ntially a command lin (t rminal) s ssion wh r N

root@forensic1:~#

...is th command prompt, follow d by th command typ d by th us r and th n th


command's output. The command will b shown in bold t xt to furth r diffo r ntiat it from th
r sulting output (as it may span multipl lin s).

In Linux, th command prompt can tak diffo r nt forms, d p nding on th nvironm nt


s tteings (th d fault diffo rs among distributions). In th xampl abov , th format is

user@hostname:[present working directory]#

m aning that w ar th us r “root” working on th comput r nam d “forensic1”


curr ntly working in th dir ctory root (th root us r's hom dir ctory – in this cas , th
“hom dir ctory” is symboliz d by th shorthand r pr s ntation of th tild ~). Not that for a
root login th command prompt's trailing charact r is #. If w log in as a r gular us r, th
d fault prompt charact r chang s to a $, as in th following xampl :

1
I knowNnot a pr ttey URL, but I n d subscrib rs for that!

10
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

barry@forensic1:~$

Theis is an important diffo r nc . The root us r is th syst m “sup rus r” or


administrator. W will cov r th diffo r nc s b tw n us r logins lat r in this docum nt.

Wh r you s llips s (“...”), it indicat s r mov d output for th sak of br vity or


clarity:

root@forensic1:~# command
... <--- removed output for brevity
output
... <--- removed output for brevity

11
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

I. Installation
Much has chang d in th past f w y ars with r sp ct to th robustn ss and f atur s t of
th curr nt Linux k rn ls. Hardwar d t ction and confieguration us d to pr s nt som uniqu
chall ng s for Linux novic s. Whil issu s can still occasionally aris , th fact is that s tteing
up a Linux machin as a simpl workstation is no long r th nail biting x rcis in frustration
that it onc was. K rn l d t ction of hardwar has b com th norm, and most distributions of
Linux can b install d with a minimum of fuss on all but th most cutteing dg hardwar (and
usually v n th n).

For th vast majority of comput rs out th r , th d fault k rn l driv rs and s tteings will
work “out of th box” for both old and n w syst ms. The rang of onlin h lp availabl for any
giv n distribution is far wid r now than it was v n t n y ars ago, and most probl ms can b
solv d with a targ t d Int rn t s arch. For the most part, solutions that ar ffo ctiv on on
distribution will b ffo ctiv across th board. Theis may not always b th cas , but if you ar
familiar with your syst m, you can oftw n int rpr t solutions and apply th m to your particular
platform.

If your Linux machin is to b a dual boot syst m with Windows, you can us th
Windows D vic Manag r to r cord all your install d hardwar and th s tteings us d by
Windows. Hardwar compatibility and d t ction hav b n greatly improv d ov r th past
coupl of y ars. Most of th r c nt v rsions of Linux distributions hav xtraordinary
hardwar d t ction. But it still h lps to hav a good id a of th hardwar you ar using so if
probl ms do aris your support qu ri s can b targ t d.

At a minimum, you ar going to want to know and plan for:

• Hard driv partitioning sch m


◦ Siz and partition layout
• N twork confieguration
◦ DHCP or static?
◦ Gat way
◦ DNS, tc.

Most distributions hav a pl thora of docum ntation, including onlin h lp and


docum nts in downloadabl form. Do a W b s arch and you ar lik ly to fiend a numb r of
answ rs to any qu stion you might hav about hardwar compatibility issu s in Linux. A list
of us ful Linux ducational r sourc s is provid d at th nd of this guid . Us th m. And
always r m mb r to r s arch fierst b for jumping into a forum and asking qu stions.

Distributions

Linux com s in a numb r of diffo r nt “flaavors”. The s ar most oftw n r f rr d to as a


“Linux distribution” or “distro”. D fault k rn l confieguration, tools that ar includ d (syst m

12
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

manag m nt archit ctur and confieguration, tc.) and th packag format (th softwwar install
and upgrad path) most commonly diffo r ntiat th various Linux distros.

It is common to h ar us rs complain that d vic X works und r on distribution, but


not on anoth r, tc. Or that d vic Y did not work und r on v rsion of a distribution, but a
chang to anoth r “fiex d it”. Most oftw n, th diffo r nc is in th v rsion of th Linux kernel
b ing us d and th r for th updat d driv rs, or th patch s appli d by th distribution v ndor,
not th v rsion of th distribution (or th distribution its lf).

Pr vious v rsions of this guid provid d a short list of distros and a summary
d scription of ach. Theat has b n r mov d h r for a mor d scriptiv xplanation of why w
hav so many distributions, and how you can choos from among th m. Ev ryon has an
opinion on th s , and th y all hav th ir str ngths and appar nt w akn ss s.

On thing w ’v s n mor and mor of lat ly ar som what specialized distros, or in


som cas s, distros that ar p rc iv d as sp cializ d. The r ar still your “g n ral workstation”
flaavors of Linux – op nSUSE, C ntOS, D bian, Ubuntu, Slackwar , G ntoo, tc., but w also
hav sp cialization now - full distributions d sign d and distribut d sp cifiecally for a targ t
audi nc lik p n-t st rs, nt rpris admins, tc.

Som xampl s of sp cializ d distributions that may b of int r st to r ad rs of this


docum nt:

▪ Thee Parrot Project – A S curity distribution that “includ s a full portabl


laboratory” for s curity and digital for nsic xp rts.

▪ Thee SANS SIFT Workstation – An advanc d incid nt r spons and digital


for nsics distribution that is wid ly support d, fr qu ntly updat d, and w ll
stock d with all th tools you’ll n d to conduct digital triag , incid nt r spons ,
and digital for nsic xaminations.

▪ BlackArch Linux – A n w r proj ct, bas d on Arch Linux, that provid s anoth r
alt rnativ “out of th box” s curity focus d distribution.

▪ Kali Linux – An advanc d p n-t sting and s curity distribution bas d on


D bian. Theis is on of my favorit bootabl Linux distributions, and can also b
install d on a comput r for us as a workstation.

The r ar many oth rs, along with s l ctions for s curity focus d bootabl distros,
“lightw ight” distros, and many oth rs. Don’t l t th options confus you, though. Find a
mainstr am distribution, install it and l arn it.

Our pr viously m ntion d “g n ral workstation” Linux distros ar all p rf ctly suitabl
for us as a for nsic platform. A majority of p opl n w to Linux ar gravitating toward
Ubuntu as th ir platform of choic . The support community is hug , and a majority of wid ly

13
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

availabl softwwar for Linux for nsics is sp cifiecally built for and support d on Ubuntu (though
not xclusiv ly in most cas s). On a p rsonal not , I fiend Ubuntu l ss than id al for l arning
Linux. Theis is NOT to say that Ubuntu or its variations don’t mak xc ll nt for nsic
platforms. But this guid is focus d on learning, and part of that journ y includ s starting with
a cl an slat and und rstanding how th op rating syst m works and is mad to suit your
nvironm nt. For that w focus on a mor Unix lik distribution.

If you ar unsur wh r to start, will b using this guid as your primary r f r nc , and
ar int r st d mainly in for nsic applications of Linux, th n I would sugg st Slackwar . The
original comm rcial distribution, Slackwar has b n around for y ars and provid s a good
standard Linux that r mains tru to th Unix philosophy. Not ov r- ncumb r d by GUI
confieguration tools, Slackwar aims to produc th most “UNIX-lik ” Linux distribution
availabl . On of my p rsonal favorit s, and in my humbl opinion, curr ntly on of th b st
choic s for a for nsic platform. (http://www.slackware.com/). Theis guid is tailor d for us
with a Slackwar Linux installation.

On thing to k p in mind: As I m ntion d arli r, if you ar going to us Linux in a


for nsic capacity, th n try not to r ly on GUI tools too much. Almost all s tteings and
confiegurations in Linux ar maintain d in t xt fiel s (usually in ith r your hom dir ctory, or in
/etc). By l arning to dit th fiel s yours lf, you avoid probl ms wh n ith r th X window
syst m is not availabl , or wh n th sp cifiec GUI tool you r ly on is not on a syst m you might
com across. In addition, knowl dg of th t xt confieguration fiel s will giv you insight into
what is “normal”, and what might hav b n chang d wh n you xamin a subj ct Linux
syst m (though that is not th focus of this docum nt). L arning to int rpr t Linux
confieguration fiel s is all part of th xp ri nc .

SLACKWARE and Using this Guide

B caus of diffo r nc s in archit ctur , th Linux distribution of your choic can caus
diffo r nt r sults in commands' output and diffo r nt b havior ov rall. Additionally, som
s ctions of this docum nt d scribing confieguration fiel s, startup scripts or softwwar installation,
for xampl , might app ar vastly diffo r nt d p nding on th distro you s l ct.

If you ar s l cting a Linux distribution for th sol purpos of l arning through


following along with this docum nt, th n again, I would sugg st Slackware. Slackwar is
stabl and do s not atte mpt to nrich th us r's xp ri nc with cutteing dg fiel syst m hacks
or automatic confiegurations that might hamp r for nsic work. D tail d s ctions of this guid
on th inn r workings of Linux will b writte n toward a basic Slackwar 14.2 64 bit installation
(curr nt as of this writing).

By d fault, Slackwar 's curr nt installation routin l av s initial disk partitioning up to


th us r. The r ar no d fault sch m s that r sult in surprising “volum groups” or oth r
compl x disk manag m nt t chniqu s. The r sulting fiel syst m tabl (also known as fstab) is
standard and do s not r quir diting to provid for a for nsically sound nvironm nt.

14
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Slackwar Linux is stabl , consist nt, and simpl . As always, Linux is Linux. Any
distribution can b chang d to function lik any oth r (in th ory). How v r, my philosophy has
always b n to start with an optimal syst m, rath r than atte mpt to “roll back” a syst m
h avily modifie d and optimiz d for th d sktop rath r than a for nsic workstation.

If you ar comfortabl with anoth r distribution, th n by all m ans, continu to us and


l arn it. Just b awar that th r may b customization and modifiecations mad to th
standard k rn l and fiel syst m s tups that might not b id al for for nsic us . The s can
always b r m di d, but I pr f r to start as clos to optimal as possibl .

Installation Methods

Download th n d d bootabl m dia fiel s, burn th m to a DVD or r movabl driv and


boot th m dia. Theis is th most common m thod of installing Linux. Most distros can b
download d for fr via httep, ftwp, or torr nt. Slackwar is availabl at
http://www.slackware.com. Hav a look at http://distrowatch.com/ for information on
downloading and installing oth r Linux distributions.

During a standard installation, much of th work is don for you, and r lativ ly saf
d faults ar provid d. As m ntion d arli r, hardwar d t ction has gon through som gr at
improv m nts in r c nt y ars. I strongly b li v that many (if not most) Linux distros ar far
asi r and fast r to install than oth r “mainstr am” op rating syst ms. Typical Linux
installation is w ll docum nt d onlin (ch ck your sp cifiec distribution’s w bsit for mor
information). The r ar num rous books availabl on th subj ct, and most of th s ar
suppli d with a Linux distribution r ady for install.

Familiariz yours lf with Linux disk and partition naming conv ntions (cov r d in Chapt r
II of this docum nt) and you should b r ady to start.

Slackware Installation Notes

If you do d cid to giv Slackwar a shot, h r ar som simpl guid lin s. The
docum ntation provid d on Slackwar 's sit is compl t and asy to follow. R ad th r
fierstNpl as .

D cid on standalon Linux or dual boot. Install Windows fierst in a dual boot syst m.
D t rmin how you want th Linux syst m to b partition d. A singl root partition and a
singl swap partition ar fien . You might fiend it asi r wh n fierst starting out to install Linux
in a virtual machin (VM), ith r through VirtualBox or VMwar for xampl . Theis will allow
you to snapshot along th way and r cov r from any rrors. It also provid s you with acc ss
to community support via th host whil installing your Linux syst m in a VM. Using Linux in
a virtual machin is a p rf ctly acc ptabl way to follow this guid , and probably th asi st if
you ar an absolut b ginn r.

15
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

READ through th installation docum ntation before you start th proc ss. Don't b in
a hurry. If you want to l arn Linux, you hav to b willing to r ad. For Slackwar , hav a look
through th installation chapt rs of th updat d “Slack Book” locat d at
http://www.slackbook.org/beta. The r ar detailed instructions th r if you n d st p by
st p h lp, including partitioning, tc. For a basic und rstanding of how Slackwar works and
how to us it, th Slack Book should b your fierst stop. Som of it may b a bit outdat d, but
th majority of it still appli s.

H r ’s som installation advic . R ad this, th n r ad th Installation s ction in th Slack Book


link d abov . As a v ry g n ral ov rvi w:

1) Boot th Linux m dia.


• R ad ach scr n car fully.
• Acc pting most d faults works.
• Your hardwar will b d t ct d and confiegur d und r most circumstanc s.
Onlin support is xt nsiv if you hav probl ms.
• K p in mind that if a pi c of hardwar caus s probl ms during an install, or is
not d t ct d during installation, this do s not m an that it will not work. Install
th op rating syst m and sp nd som tim troubl shooting. Wh n l arning
Linux, Googl is v ry oftw n your b st fri nd.
• The Slackwar install m dia for th curr nt v rsion will boot by d fault using a k rn l
call d huge.s. It includ s support for most hardwar by d fault. Hit th “F2” k y at th
initial “boot:” prompt for mor info.
• Onc th syst m is boot d, you ar pr s nt d with th k yboard map prompt follow d
by th “slackwar login:” prompt. READ THE ENTIRE SCREEN as instruct d. Login as
root, and continu with your install routin .
2) Partition and format for Linux
• You will partition your Slackwar Linux syst m using fdisk or gdisk (if you pr f r a
GPT layout).
• Theis st p is normally part of th installation proc ss, or is cov r d in th distribution's
docum ntation. You can partition how v r you lik . I lik to hav , at th l ast, two
partitions
• Root ( / ) as typ “Linux Nativ ”.
• Swap as typ “Linux Swap” (us 2x your syst m m mory as a starting point for
swap siz ). The us of a swap partition is larg ly optional for machin s with
larg amounts of RAM (>3GB). I still opt to us it.
• You will h ar a lot about using multipl partitions for diffo r nt dir ctori s. Don’t l t
that confus you. The r ar argum nts both for and against using multipl partitions
for a Linux fiel syst m. If you ar just starting out, us on larg root (/) partition, and
on swap partition as d scrib d abov .
3) Packag installation (syst m)
• The main install routin for Slackwar is start d with th command setup. You will
n d to nsur that you hav your disk prop rly partition d before you nt r th s tup
program.
• Tak th tim to r ad ach scr n compl t ly as it com s up.

16
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

• Wh n ask d to format th root partition, I would sugg st s l cting th xt4 fiel syst m.
• Wh n ask d which packag s to s l ct for installation, it is usually saf for a b ginn r to
s l ct “ v rything” or “full”. Theis allows you to try all th packag s, along with
multipl X Window d sktop nvironm nts. Theis can tak as much as 8GB to 12GB on
som of th n w r distributions (7GB on Slackwar , d p nding on options), how v r it
includ s all th softwwar you ar lik ly to n d for a long tim (including many “officc ”
typ applications, Int rn t, -mail, tc.). For a l arning box it will giv you th most
xposur to availabl softwwar for xp rim ntation and additionally nsur s that you
don’t omit librari s that may b n d d for softwwar compilation lat r.
4) Installation Confieguration
• Boot M thod (th Boot load rNs l cts th OS to boot)
• B mindful of EFI vs. l gacy BIOS options. Wh r possibl , s t th BIOS to l gacy
mod .
• LILO or GRUB.
• LILO is th d fault for Slackwar . Som fiend GRUB mor fla xibl and s cur . GRUB
can b install d lat r, if you lik . P rsonally, I pr f r LILO.
• Usually s l ct th option to install LILO to th mast r boot r cord (MBR). The
pr s nc of oth r boot load rs (as provid d by oth r op rating syst ms)
d t rmin s wh r to install LILO or GRUB.
• If you must us EFI, skip this and install lilo or GRUB manually. You should
read README_UEFI.TXT on th install m dia’s root dir ctory b for
b ginning th installation proc ss.
• The boot load r contains th cod that points to th k rn l to b boot d.
• Cr at a us r nam for yours lf – avoid using root xclusiv ly.
• For mor information, ch ck th fiel CHANGES_AND_HINTS.TXT on th install m dia. Theis
fiel is load d with us ful hints and chang s of int r st from on r l as to anoth r.

System Users

Linux is a multi-us r syst m. It is d sign d for us on n tworks (r m mb r, it is bas d


on Unix). The root us r is th syst m administrator, and is cr at d by d fault during
installation. Exclusiv us of th root login is DANGEROUS. Linux assum s that root knows
what h or sh is doing and allows “root” to do anything h or sh wants, including d stroy th
syst m. Don’t log in as root unl ss you must. Having said this, som of th work don for
for nsic analysis will b don as root to allow acc ss to raw d vic s and syst m commands.

Adding a Normal User

For nsic analysis, most notably acquisitions, and basic syst m administration will
normally r quir root p rmissions. But simply logging in as root and conducting your analysis,
particularly from an X Window s ssion, is not advisabl . W n d to add a normal us r
account. From th r you can us su to log in as root t mporarily (cov r d in th n xt s ction).

17
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Slackwar com s with a conv ni nt script, adduser, to handl th d tails of s tteing up


our additional account. Som of th it ms s t by this script includ :

• Login Nam
• UID (us r ID)
• Initial Group and Group m mb rship
• Hom Dir ctory
• Sh ll
• Account Expiration Dat
• Account G n ral Info (nam , addr ss, tc.)
• Password

For th most part, th d faults ar acc ptabl ( v n th d fault groups – b car ful not
to skip this part). You invok th script with th command adduser (run as root, obviously)
and th program will prompt you for th r quir d information. Wh n it asks you for
additional groups, b sur to us th up arrow on your k yboard to display availabl groups.
Acc pting th d fault is fien for our purpos s.

Onc compl t , you can log out compl t ly using th xit command and log back in as a
normal us r.

Thee Super User

So, w 'v stablish d that w n d to run our syst m as a normal us r. If Linux giv s
you an rror m ssag "Permission denied", th n in all lik lihood you n d to b root to x cut
th command or dit th fiel , tc. You don't hav to log out and th n log back in as root to do
this. Just us th su command to giv yours lf root p rmissions (assuming you know root’s
password). Ent r th password wh n prompt d. You now hav root privil g s (th syst m
prompt will r fla ct this). Wh n you ar fienish d using your su login, r turn to your original
login by typing exit. H r is a sampl su s ssion:

root@forensic1:~# barry@slackforensics:~$ whoami


barry

barry@forensic1:~$ /sbin/fdisk -l /dev/sda


fdisk: cannot open /dev/sda: Permission denied

barry@forensic1:~$ su -
Password:

root@forensic1:~# whoami
root

root@forensic1:~# /sbin/fdisk -l /dev/sda


Disk /dev/sda: 20 GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes

18
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Sector size (logical/physical): 512 bytes / 512 bytes


I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 3CE209F7-E9A0-4D18-91C4-E96EC4383054

Device Start End Sectors Size Type


/dev/sda1 2048 41943006 41940959 20G BIOS boot

root@forensic1:~# exit
logout

barry@forensics1:~$

Not that th "-" aftw r su allows Linux to apply root's nvironm nt (including root’s
path) to your su login. So you don't hav to nt r th full path of a command. Actually, su is a
“switch us r” command, and can allow you to b com any us r (if you know th password),
not just root. Notic that aftw r w typ exit as root, our prompt indicat s that w ar back to
our normal us r.

A word of caution: B VERY judicious in your us of th root login. It can b


d structiv . For simpl tasks that r quir root p rmission, us su and us it sparingly. Som
distributions (Ubuntu, for xampl ) hav d cid d that logging in as th root us r is so
dang rous that th account is “disabl d”. All commands that r quir root p rmissions on
Ubuntu must utiliz th sudo command to giv acc ss. sudo is similar to su, but is us d on a
p r-command basis, so you n v r actually log in as root.

Desktop Environment

Wh n talking about for nsic suitability, your choic of d sktop syst m can mak a
diffo r nc . First of all, th t rm “d sktop nvironm nt” and “window manag r” ar NOT
int rchang abl . L t's bri flay clarify th compon nts of a common Linux GUI.

• X Window – Theis is th basic GUI nvironm nt us d in Linux. Commonly r f rr d to as


“X”, it is th application that provid s th GUI fram work, and is NOT part of th OS.
X is a cli nt / s rv r program with compl t n twork transpar ncy.
• Window Manager – Theis is a program that controls th app aranc of windows in th X
Window syst m, along with c rtain GUI b haviors (window focus, tc.). Exampl s ar
Kwin, M tacity, XFWM, Enlight nm nt, tc.
• Desktop Environment – A combination of Window Manag r and a consist nt int rfac
that provid s th ov rall d sktop xp ri nc . Exampl s ar XFCE, GNOME, KDE, tc.
➢ The d fault Window Manag r for KDE is Kwin.
➢ The d fault Window Manag r for XFCE is XFWM.

The s d faults can b chang d to allow for pr f r nc s in sp d and r sourc

19
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

manag m nt ov r th d sir for “ y -candy”, tc. You can also l ct to run a Window Manag r
without a d sktop nvironm nt. For xampl , th Enlight nm nt Window Manag r is known
for it's y -candy and can b run standalon , with or without KDE or GNOME, tc.

Slackwar no long r com s with GNOME as an option, though it can b install d lik
any oth r application. During th bas Slackwar installation, you will b giv n a choic of
KDE, XFCE, and som oth rs. I would lik to sugg st XFCE. It provid s a cl an r int rfac for
a b ginn r to l arn on. It is l an r and th r for l ss r sourc int nsiv . You still hav acc ss
to many KDE utiliti s, if you l ct d to install KDE during packag s l ction. You can install
mor than on d sktop and switch b tw n th m, if you lik . The asi st way to switch is with
th xwmconfig command.

Thee Linux Kernel

The Linux k rn l is th “brain” of th syst m. It is th bas compon nt of th Op rating


Syst m that allows th hardwar to int ract with and manag oth r softwwar and syst m
r sourc s.

As with all for nsic tools, w n d to hav a cl ar vi w of how any k rn l v rsion will
int ract with our for nsic platforms and subj ct hardwar . Almost all curr nt distributions of
Linux alr ady com with a v rsion 4 k rn l install d by d fault, including Slackwar (4.4).

You can d t rmin your curr nt k rn l v rsion with th uname command:

root@forensic1:~# uname -a
Linux forensic1 4.4.14 #2 SMP Fri Jun 24 13:38:27 CDT 2016 x86_64 Intel(R)
Core(TM) i5-3550 CPU @ 3.30GHz GenuineIntel GNU/Linux

The k y to th saf for nsic us (from an vid ntiary standpoint) of ANY op rating
syst m is knowl dg of your nvironm nt and prop r t sting. Pl as k p that in mind. You
MUST und rstand how your hardwar and softwwar int ract with any giv n op rating syst m
b for using it in a “production” for nsic analysis. If for som r ason you f l th n d to
upgrad your k rn l to a n w r v rsion ( ith r through automat d updat s or manually), mak
sur you r ad th docum ntation and th chang log so you hav an und rstanding of any
signifiecant archit ctural chang s that may impact th for nsic nvironm nt.

On of th gr at st str ngths Linux provid s is th conc pt of “total control”. Theis


r quir s thorough t sting and und rstanding. Don't los sight of this in pursuit of an “ asy”
d sktop xp ri nc .

Kernel and Hardware Interaction

In this s ction, w will focus on th minimum confieguration knowl dg for bas lin
und rstanding of a sound for nsic nvironm nt und r curr nt Linux distributions. W will

20
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

bri flay discuss hardwar confieguration and inv ntory, d vic nod manag m nt (Udev) and th
d sktop nvironm nt.

Hardware Configguration

It’s always us ful to know xactly what hardwar is on your syst m. The r will b
tim s wh n you might n d to chang or s l ct diffo r nt k rn l driv rs or modules to mak a
pi c of hardwar run corr ctly. B caus th r ar so many diffo r nt hardwar confiegurations
out th r , sp cifiecally confieguring driv rs for your syst m will r main outsid th scop of this
guid . K rn l d t ction and confieguration of d vic s (n twork int rfac s, graphics controll rs,
sound, tc.) is automatic in most cas s. If you hav any issu s, mak not of your hardwar
(s b low) and do som s arching. Googl is your fri nd, and th r is a list of h lpful starting
plac s for assistanc at th nd of this guid .

The r ar a numb r of ways to d t rmin what sp cifiec hardwar you ar running on


your syst m. You can us lspci to g t mor d tail d information on sp cifiec d vic s atteach d
to your syst m. lspci (list PCI d vic s), is for thos d vic s sp cifiecally atteach d to th PCI
bus. If you hav hardwar issu s and you s arch for som thing lik “n twork card not
d t ct d in linux”, and you follow a link to a support forum, you will almost always fiend th
r qu st to “post th output of lspci”. It’s on of th fierst diagnostic st ps for d t rmining
many hardwar issu s in Linux. Theis command’s output can g t incr asingly d tail d (or
“v rbos ”) by adding th options -v, -vv, or -vvv. Not that you can run lspci from th
installation disk prior to running th s tup program

Sampl summary output for lspci:

root@forensic1:~# lspci
00:00.0 Host bridge: Intel Corporation Xeon E3-1200 v2/3rd Gen Core
processor DRAM Controller (rev 09)
00:01.0 PCI bridge: Intel Corporation Xeon E3-1200 v2/3rd Gen Core
processor PCI Express Root Port (rev 09)
00:02.0 VGA compatible controller: Intel Corporation Xeon E3-1200 v2/3rd
Gen Core processor Graphics Controller (rev 09)
00:14.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family
USB xHCI Host Controller (rev 04)
00:16.0 Communication controller: Intel Corporation 7 Series/C210 Series
Chipset Family MEI Controller #1 (rev 04)
00:19.0 Ethernet controller: Intel Corporation 82579V Gigabit Network
Connection (rev 04)
00:1a.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family
USB Enhanced Host Controller #2 (rev 04)
00:1b.0 Audio device: Intel Corporation 7 Series/C210 Series Chipset Family
High Definition Audio Controller (rev 04)
00:1c.0 PCI bridge: Intel Corporation 7 Series/C210 Series Chipset Family
PCI Express Root Port 1 (rev c4)

21
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

00:1c.2 PCI bridge: Intel Corporation 7 Series/C210 Series Chipset Family


PCI Express Root Port 3 (rev c4)
00:1c.3 PCI bridge: Intel Corporation 7 Series/C210 Series Chipset Family
PCI Express Root Port 4 (rev c4)
00:1c.4 PCI bridge: Intel Corporation 82801 PCI Bridge (rev c4)
00:1d.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family
USB Enhanced Host Controller #1 (rev 04)
00:1f.0 ISA bridge: Intel Corporation Z77 Express Chipset LPC Controller
(rev 04)
00:1f.2 SATA controller: Intel Corporation 7 Series/C210 Series Chipset
Family 6-port SATA Controller [AHCI mode] (rev 04)
00:1f.3 SMBus: Intel Corporation 7 Series/C210 Series Chipset Family SMBus
Controller (rev 04)
30:00.0 USB controller: ASMedia Technology Inc. ASM1042 SuperSpeed USB Host
Controller
31:00.0 SATA controller: ASMedia Technology Inc. ASM1062 Serial ATA
Controller (rev 01)
32:00.0 PCI bridge: ASMedia Technology Inc. ASM1083/1085 PCIe to PCI Bridge
(rev 03)

R ading through this output you can s things lik th fact that th n twork int rfac
in this syst m is an Int l 825579V chips t. Theis is us ful information if you ar having issu s
with g tteing th int rfac to work and you want to s arch for support. You ar far mor lik ly
to g t us ful h lp if you s arch for “Linux Int l 825579v not working” rath r than “Linux
n twork card not working”.

Theis brings us to th subj ct of k rn l modul s.

Kernel Modules

As m ntion d pr viously, th k rn l provid s th most basic int rfac b tw n


hardwar and th syst m softwwar and r sourc manag m nt. Theis includ s driv rs and oth r
compon nts that ar actually small s parat pi c s of cod that can ith r b compil d as
modules (load d or unload d dynamically) or compil d dir ctly in th k rn l imag .

The r may com a tim wh n you fiend that th k rn l is loading a l ss than id al


modul for a sp cifiec pi c of hardwar , p rhaps causing it to ith r fail to work, or in som
cas s work at l ss than optimal p rformanc . Wir l ss n twork cards can b a common
xampl .

On on laptop, for xampl , th output (abbr viat d) for th n twork int rfac s, using
lspci, might look lik this:

root@forensic1:~# lspci | less


...

22
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

01:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8101/2/6E PCI


Express Fast/Gigabit Ethernet controller (rev 05)
02:00.0 Network controller: Intel Corporation Centrino Wireless-N 2230 (rev
c4)
...

Theis shows both a wir d Eth rn t port and a wir l ss adapt r. If I want d to s xactly
which modul is b ing us d to driv th s d vic s, I can us th -k option to lspci:

root@forensic1:~# lspci -k | less


...
01:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8101/2/6E PCI
Express Fast/Gigabit Ethernet controller (rev 05)
Subsystem: Lenovo RTL8101E/RTL8102E PCI Express Fast Ethernet
controller
Kernel driver in use: r8169
Kernel modules: r8169
02:00.0 Network controller: Intel Corporation Centrino Wireless-N 2230 (rev
c4)
Subsystem: Intel Corporation Centrino Wireless-N 2230 BGN
Kernel driver in use: iwlwifi
Kernel modules: iwlwifi
...

Theis tim th output provid s som additional information, including which modul s
ar load d wh n th d vic is d t ct d. Theis can b an important pi c of information if I’m
trying to troubl shoot a misb having d vic . Onlin h lp might sugg st using a diffo r nt
driv r altog th r. If that is th cas , th n you may n d to “blacklist” th curr ntly load d
modul in ord r to pr v nt it from loading and hind ring th corr ct driv (that you may n d
to sp cify). Blacklisting is normally don in /etc/modules.d/ by ith r cr ating a
blacklist-[modulename].conf fiel or making an ntry in blacklist.conf, d p nding on
your distribution. In Slackwar , you can r ad th README fiel in /etc/modules.d and th man
pag for modules.d for mor information. Sinc th st ps for this vary wildly d p nding on
th driv r, it’s d p nd nci s, and th xist nc of comp ting modul s, w won’t cov r this in
any mor d pth. Sp cifiec h lp for individual driv r issu s can b found onlin . Theis simply
introduc s you to pot ntial sourc s of information.

Not that if you ar using a laptop or d sktop with a USB wir l ss adapt r, it lik ly won’t show
up in lspci. For that you’ll hav to us lsusb (list USB – th r ’s a patte rn h r , s ?). In th
following output, lsusb r v als info about a wir l ss n twork adapt r. Us th -v option for
mor v rbos output (bold for mphasis):

root@forensic1:~# lsusb
...
Bus 001 Device 054: ID 2109:2812 VIA Labs, Inc. VL812 Hub

23
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Bus 001 Device 004: ID 174c:2074 ASMedia Technology Inc. ASM1074 High-Speed
hub
Bus 001 Device 079: ID 1b1c:1a06 Corsair
Bus 001 Device 003: ID 046d:c077 Logitech, Inc. M105 Optical Mouse
Bus 001 Device 007: ID 11b0:6598 ATECH FLASH TECHNOLOGY
Bus 001 Device 120: ID 148f:5372 Ralink Technology, Corp. RT5372 Wireless
Adapter
Bus 001 Device 005: ID 174c:2074 ASMedia Technology Inc. ASM1074 High-Speed
hub
Bus 001 Device 050: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
...

Or us th script usb-devices, which organiz s th information from


/sys/bus/usb/devices/usb into a (mortal) human r adabl format. Not that it also r turns
th k rn l modul in us , much lik lspci -k do s for PCI bus d vic s (bold for mphasis).
W us th pip ( | ) to th less command to pag th output for r ading:

root@forensic1:~# usb-devices | less


...
T: Bus=01 Lev=01 Prnt=01 Port=05 Cnt=05 Dev#=120 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=148f ProdID=5372 Rev=01.01
S: Manufacturer=Ralink
S: Product=802.11 n WLAN
C: #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=450mA
I: If#= 0 Alt= 0 #EPs= 7 Cls=ff(vend.) Sub=ff Prot=ff Driver=rt2800usb
...

Not that th commands cov r d h r ar larg ly portabl across distributions, but th


locations of fiel s and m thods for managing modul s may diffo r. The proc ss of id ntifying
modul s and hardwar should mostly b th sam . Man (manual) pag s and distribution
docum ntation should always b r li d on for primary probl m solving.

K p in mind that th s sam commands can b run against a subj ct comput r by


using Linux bas d for nsic boot m dia. If you hav th tim , it’s a gr at way to inv ntory a
subj ct comput r ith r prior to s izur or if you cannot s iz th comput r (only imag it for
what v r r ason), but still wish to hav a full hardwar inv ntory.

Hotplug devices and Udev

Starting with k rn l v rsion 2.6.13, Linux d vic manag m nt was hand d ov r to a


n w syst m call d Udev. Traditionally, th d vic nod s (fiel s r pr s nting th d vic s,
locat d in th /dev dir ctory) us d in pr vious k rn l v rsions w r static, that is th y xist d

24
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

at all tim s, wh th r in us or not. For xampl , on a syst m with static d vic nod s w may
hav a primary SATA hard driv that is d t ct d by th k rn l as /dev/sda. Sinc w hav no
IDE driv s, no driv is d t ct d as /dev/hda. But wh n w look in th /dev dir ctory w s
static nod s for all th possibl disk and partition nam s for /dev/hda. The d vic nod s xist
wh th r or not th d vic is d t ct d.

In mod rn Linux syst ms, Ud v cr at s d vic nod s “on th flay”. The nod s ar cr at d
as th k rn l d t cts th d vic and th /dev dir ctory is populat d in r al tim . In addition to
b ing mor fficci nt, Ud v also runs in us r spac . On of th b n fiets of Ud v is that it
provid s for “p rsist nt naming”. In oth r words, you can writ a s t of rul s that will allow
Ud v to r cogniz a d vic bas d on individual charact ristics (s rial numb r, manufactur r,
mod l, tc.). The rul can b writte n to cr at a us r-d fien d link in th /dev dir ctory, so that
for xampl , my thumb driv can always b acc ss d through an arbitrary d vic nod nam of
my choic , lik /dev/my-thumb, if I so choos . Theis m ans that I don't hav to s arch through
USB d vic nod s to fiend th corr ct d vic nam if I hav mor than on xt rnal storag
d vic conn ct d. I can conn ct 4 USB d vic s and inst ad of s arching through /dev/sdc,
sdd, sde, and sdf – I can just go to /dev/my-thumb. For a nic , if som what outdat d,
xplanation of Ud v rul s, s : httep://r activat d.n t/writing_Ud v_rul s.html.

On Slackwar , Ud v runs as a da mon from th startup script /etc/rc.d/rc.udev.


W will discuss th s startup scripts in mor d tail lat r in this docum nt. W will not do any
sp cifiec confieguration for Ud v on our for nsic comput rs at this tim . W discuss it h r
simply b caus it plays a major part in d vic handling and as such is of int r st to for nsic
xamin rs that want to know what th ir syst m is doing. Ud v do s NOT involv its lf in auto
mounting or oth rwis int racting with applications. It simply provid s a hardwar to k rn l
int rfac .

Hot Plugging Devices and Desktops

On of th consid rations wh n discussing D sktop Environm nts is wh th r or not


th syst m will allow for d sktop auto-mounting of r movabl m dia. KDE and GNOME ar
d sign d for a simpl us r xp ri nc and xamin rs n d to b awar of how to control any
und sir d b havior in a for nsic nvironm nt. Onc you’v install d your syst m of choic ,
mak sur you t st what happ ns wh n you “hot plug” a USB or oth r r movabl m dia d vic .
For xampl , som distributions might l ct to auto-mount d vic s on th GUI d sktop
imm diat ly upon ins rtion.

XFCE is a light r w ight (r ad: light r on r sourc s) d sktop. And although XFCE is
also capabl of automatically handling hot plugg d d vic s, it allows for asi r control of
r movabl m dia on th d sktop. As an xampl , consid r th following snapshot of an XFCE
s tteings dialog for r movabl m dia. By d fault, on Slackwar 14.2, d vic s ar NOT auto
mount d in th XFCE nvironm nt. Not all distributions might b confiegur d this way,
how v r. B sur to ch ck and t st for yours lf. As a for nsic xamin r, you do NOT want
your syst m automatically mounting d vic s simply b caus you plugg d th m into th
syst m.

25
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Illustration 1: XFCE Removable Media Handling


Configguration

26
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

II. Linux Disks, Partitions and the File System


As you go through the following pages, please pay atteention to your userid<you’ll need to be root
for most of this.

Disks
Linux tr ats its d vic s as fiel s. Theis is an important conc pt for for nsic xamin rs. It
m ans, as w will s lat r on, that many of th commands w can us on r gular fiel s, w can
also us on disks “fiel s”. W can list th m, hash th m and s arch th m in much th sam way
w do fiel s in any standard us r dir ctory. The sp cial dir ctory wh r th s d vic "fiel s" ar
maintain d is /dev. Old r IDE disks would b d t ct d and assign d hd* nam s. W rar ly
s thos anymor .

As w saw arli r, with th adoption of Ud v, disks ar now assign d d vic nod


nam s dynamically, m aning that th nam s do not xist until th d vic (a thumb driv , for
xampl ) is conn ct d to th syst m. Of cours wh n you boot a normally confiegur d
comput r, you usually hav at l ast on “boot” driv alr ady conn ct d. Und r most
circumstanc s, this will b nam d sda. The s d vic nod s ar populat d und r th /dev
dir ctory. The partitions (primary) ar simply numb r d.

Wh n r f rring to th ntir disk, w us /dev/sda. Wh n r f rring to a partition on


that disk, w us th disk nam and th numb r of th partition, /dev/sda1 for xampl .

DEVICE: FILE NAME:


1st disk (SATA, USB, tc.) /dev/sda
 1st Primary partition /dev/sda1
 2nd partition /dev/sda2, tc.
2nd disk (SATA, USB, tc.) /dev/sdb
 1st Primary partition /dev/sdb1
 2nd partition /dev/sdb2, tc.
CDROM Driv /dev/sr0

The patte rn d scrib d abov is fairly asy to follow. If you ar using a standard SATA
disk, it will b r f rr d to as sdx wh r th x is r plac d with an a for th fierst d t ct d driv
and b for th s cond, tc. In th sam way, th CDROM or DVD driv s conn ct d via th
SATA bus will b d t ct d as /dev/sr0 and th n /dev/sr1, tc.

Not that th /dev/sdx d vic nod s will includ USB and Fir wir d vic s. For
xampl , a primary SATA disk will b assign d sda. If you atteach a USB disk or a thumb driv
it will normally b d t ct d as sdb, and so on.

A simpl way to s th disks and partitions that ar atteach d to your syst m is to us


th lsblk command:

27
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

root@forensic1:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 931.5G 0 disk
|-sda1 8:1 0 256M 0 part /boot
|-sda2 8:2 0 32G 0 part [SWAP]
`-sda3 8:3 0 899.3G 0 part /
sdb 8:16 0 238.5G 0 disk
sdc 8:32 0 931.5G 0 disk
`-sdc1 8:33 0 931.5G 0 part
sdi 8:128 0 931.5G 0 disk
`-sdi1 8:129 0 931.5G 0 part /run/media/barry/Evid
sdj 8:144 1 29.3G 0 disk
`-sdj1 8:145 1 29.3G 0 part /run/media/barry/Kingston
sr0 11:0 1 2.6G 0 rom

You can s from th output that disks and partitions ar list d, and if any of th
partitions ar mount d, lsblk will also giv us th curr nt mount point. In this cas w s
/dev/sda1 is mount d on /boot, /dev/sda2 is our swap partition, /dev/sda3 is our root
partition, and w hav /dev/sdi1 mount d as /run/media/barry/Evid and /dev/sdj1
mount d as /run/media/barry/Kingston. The last two volum s ar from xt rnal d vic s,
plugg d in and mount d via th d sktop.

Anoth r som what mor us ful command that is lsscsi. I pr f r lsscsi b caus although it
do s not show partitions, it do s giv a b tte r id a of what th volum s ar

root@forensic1:~# lsscsi
[1:0:0:0] disk ATA ST1000DM003-1ER1 CC45 /dev/sda
[2:0:0:0] cd/dvd HL-DT-ST BD-RE WH16NS40 1.00 /dev/sr0
[11:0:0:0] disk ATA SAMSUNG MZHPV256 500Q /dev/sdb
[23:0:0:0] disk EXS3 CF Kiosk Reader 0575 /dev/sdd
[23:0:0:1] disk EXS3 SD Kiosk Reader 0575 /dev/sde
[23:0:0:2] disk EXS3 MS Kiosk Reader 0575 /dev/sdf
[23:0:0:3] disk EXS3 MSD Kiosk Reader 0575 /dev/sdg
[23:0:0:4] disk EXS3 XD Kiosk Reader 0575 /dev/sdh
[28:0:0:0] disk ST1000DM 003-1ER162 6207 /dev/sdc
[28:0:0:1] disk ST1000DM 003-1ER162 6207 /dev/sdi
[32:0:0:0] disk Kingston DataTraveler 3.0 PMAP /dev/sdj

You can s in th output abov that this particular syst m has a numb r of USB
d vic s and xt rnal m dia atteach d. Theis is a us ful way of fiending out what storag m dia
ar atteach d to a syst m. You’ll also notic that th r ar “disks” id ntifie d by lsscsi that ar
not list d by lsblk. Theis is b caus lsscsi is actually looking what is atteach d to th
int rfac , not th actual m dia. So lsscsi is id ntifying m dia r ad rs that hav no m dia
ins rt d. lsscsi do s not com on most platforms by d fault (although it do s on Slackwar ).

28
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

If your syst m do s not hav it by d fault, ch ck your distribution’s packag manag r and
install it.
The r ar oth r nam s, using links, that can acc ss th s d vic nod s. If you xplor
th /dev/disk dir ctory you will s links that provid acc ss to th disk d vic s through
volum lab ls, disk UUID, k rn l path, tc. The s nam s ar us ful to us b caus th y can b
us d to acc ss a particular disk in a r p atabl mann r without having to know what d vic
nod (/dev/sdc or /dev/sdd for xampl ) a disk will b assign d. For now, just b awar that
you can acc ss a disk by a nam oth r than th simpl sdx assign d nod . Also not that som
of th assign d nod s might not y t hav m dia atteach d. In many cas s m dia r ad rs can b
d t ct d and assign d nod s b for m dia is ins rt d. In that cas , th following st ps will
simply display No medium found.

Now that w hav an id a of what our disks ar nam d, w can look at th partitions
and volum s. The fdisk program can b us d to cr at or list partitions on a support d d vic .
Theis is an xampl of th output of fdisk on a Linux workstation using th “list” option ( -l
[dash “ l”]):

root@forensic1:~# fdisk -l /dev/sda


Disk /dev/sda: 111.8 GiB, 120034123776 bytes, 234441648 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 6FB0E42E-B5CF-4C8F-A974-28A65DADC779

Device Start End Sectors Size Type


/dev/sda1 2048 206847 204800 100M Linux filesystem
/dev/sda2 206848 8595455 8388608 4G Linux swap
/dev/sda3 8595456 234441614 225846159 107.7G Linux filesystem

fdisk –l /dev/sdx giv s you a list of all th partitions availabl on a particular driv .
Each partition is id ntifie d by its Linux nam . The b ginning and nding s ctors for ach
partition is giv n. The numb r of s ctors p r partition is display d. Finally, th partition typ
is display d.

Not that th output of fdisk will chang d p nding on th Disklabel type of th m dia
b ing qu ri d. The abov output shows a disk with a GPT lab l. If you hav a standard DOS
styl MBR, th output will show slightly diffo r nt fie lds. For nativ handling of GPT partition
lab ls, you can us gdisk

Do not confus Linux fdisk with th old r DOS fdisk (for thos of us old nough to
r m mb r such things). The y ar v ry diffo r nt. The Linux v rsion of fdisk provid s for
much gr at r control ov r partitioning.

29
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

BEFORE FILE SYSTEMS ON DEVICES CAN BE USED, THEY MUST BE MOUNTED!


Any fiel syst ms on partitions you d fien during installation will b mount d automatically
v ry tim you boot. W will cov r th mounting of fiel syst ms in th s ction that d als with
Linux commands, aftw r you hav som navigation xp ri nc .

K p in mind, that v n wh n not mount d, devices can still b writte n to. Simply not
mounting a fiel syst m do s not prot ct it from b ing inadv rt ntly chang d through your
actions or via m chanisms outsid your control.

Device Node Assignment – Looking closer

Anoth r common qu stion aris s wh n a us r plugs a d vic in a Linux box and


r c iv s no f dback on how (or v n if) th d vic was r cogniz d. On asy m thod for
d t rmining how and if an ins rt d d vic is r gist r d is to us th dmesg command.

For xampl , if I plug a USB thumb driv into a Linux comput r I may w ll s an icon
app ar on th d sktop for th disk. I might v n s a fold r op n on th d sktop allowing m
to acc ss th fiel s automatically. If I’m at a t rminal and th r is no X d sktop, I may g t no
f dback at all. I plug th disk in and s nothing. I can, of cours , run th lsscsi command
to s if my list of m dia r fr sh d. But I may want mor info than that.

So wh r can w look to s what d vic nod was assign d to our disk ( /dev/sdc,
/dev/sdd, tc.)? How do w know if it was v n d t ct d? Again, this qu stion is
particularly p rtin nt to th for nsic xamin r, sinc w may lik ly confiegur our syst m to b
a littel l ss “h lpful” in automatically op ning fold rs, tc.

Plugging in th thumb driv and imm diat ly running th dmesg command provid s m
with th following output (abbr viat d for r adability):

root@forensic1:~# dmesg
...
usb 2-4.2: new SuperSpeed USB device number 4 using xhci_hcd
usb 2-4.2: New USB device found, idVendor=0781, idProduct=5583
usb 2-4.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 2-4.2: Product: Ultra Fit
usb 2-4.2: Manufacturer: SanDisk
usb 2-4.2: SerialNumber: 4C530001090827122100
usb-storage 2-4.2:1.0: USB Mass Storage device detected
scsi host19: usb-storage 2-4.2:1.0
scsi 19:0:0:0: Direct-Access SanDisk Ultra Fit 1.00 PQ: 0 ANSI: 6
sd 19:0:0:0: [sdi] 242614272 512-byte logical blocks:(124 GB/116 GiB)
sd 19:0:0:0: [sdi] Write Protect is off
sd 19:0:0:0: [sdi] Mode Sense: 43 00 00 00
sd 19:0:0:0: [sdi] Write cache: disabled, read cache: enabled, doesn't support
DPO or FUA
sdi: sdi1

30
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

sd 19:0:0:0: [sdi] Attached SCSI removable disk

The important information is in bold. Not that this particular thumb driv (a SanDisk
Ultra Fit) provid s a singl volum with a singl partition ( /dev/sdi1). The dmesg output can
b long, so you can pip through l ss (dmesg | less) or scroll through th output if n d d.

You can also follow th output of dmesg in r al tim by watching th output of


/var/log/messages with tail -f, which ss ntially m ans “watch th tail of th fiel and
follow it as it grows”. Start th following command and then plug in a usb d vic . You’ll s
th m ssag s as th k rn l d t cts it.

root@forensic1:~# tail -f /var/log/messages


...<plug in a device and watch the kernel messages>

Theis s ction cov r d th id ntifiecation of d vic s d t ct d by th Linux k rn l. W will


discuss coll cting information about th s d vic s in lat r s ctions.

31
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Thee File System

Lik th Windows fiel syst m, th Linux fiel syst m is hi rarchical. th "top" dir ctory
is r f rr d to as "th root" dir ctory and is r pr s nt d by "/". Not that th following is not a
compl t list, but provid s an introduction to som important dir ctori s.

/ (“root” not to b confus d with “/root”)


|--bin
| |--<fiel s> ls, chmod, sort, date, cp, dd (us r acc ssibl binari s)
|--boot
| |--<fiel s> vmlinuz, system.map
|--d v
| |--<d vic s> tty*, sd*
|-- tc
| |--X11
| |--<fiel s> xorg.conf
| |--<fiel s> lilo.conf, fstab, inittab, modules.conf
|--hom
| |--barry (your us r’s nam is in h r )
| |--<fiel s> .bashrc, .bash_profigle, p rsonal fiel s
| |--oth r us rs
|--lib[64]
| |--syst m librari s (32bit in lib and 64bit in lib64)
|--m dia
| |_cdrom0
| |_dvd0
|--mnt
| |_oth r t mporary mount points
|--opt (som softwwar installs h r (“optional”)
|--root
| |_<root us r's hom dir ctory> (not to b confus d with “/” [fiel syst m root])
|--run
|--sbin
| |_<fiel s> shutdown, cfdisk, fdisk, insmod (syst m binari s)
|--sys
|--usr
| |_local
| |_lib
| |_man
|_var
| |_log

On most Linux distributions, th dir ctory structur is organiz d in th sam mann r.


C rtain confieguration fiel s and programs ar distribution d p nd nt, but th basic layout is
similar to this. Not that th dir ctory “slash” (/) is opposit what most p opl ar us d to in
Windows (\).

32
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Dir ctory cont nts can includ :

 /bin Common commands.


 /boot Fil s n d d at boot tim , including th k rn l imag s point d to by LILO (th
LInux LOad r) or GRUB.
 /dev Fil s that r pr s nt d vic s on th syst m. The s ar actually int rfac fiel s to
allow th k rn l to int ract with th hardwar and th fiel syst m.
 /etc Administrativ confieguration fiel s and scripts.
 /home Dir ctori s for ach us r on th syst m. Each us r dir ctory can b xt nd d
by th r sp ctiv us r and will contain th ir p rsonal fiel s as w ll as us r
sp cifiec confieguration fiel s (for X pr f r nc s, tc.).
 lib 32 bit librari s
 lib64 64 bit librari s
 /mnt Provid s t mporary mount points for xt rnal, r mot and r movabl fiel
syst ms.
 /media Provid s a standard plac for syst m wid r movabl m dia. Part of th n w
Fil Syst m Hi rarchy Standard.
 /opt Add on application softwwar
 /root The root us r's hom dir ctory.
 /run Run tim fiel s for programs lik Ud v and udisks (this is wh r you might fiend
xt rnal d vic s mount d from th d sktop ( /run/media/$USERNAME/
$VOLUME)
 /sbin Administrativ commands and proc ss control da mons.
 /usr Contains local softwwar , librari s, gam s, tc.
 /var Logs and oth r variabl fiel will b found h r .

Anoth r important conc pt wh n browsing th fiel syst m is that of relative v rsus


explicit paths. Whil confusing at fierst, practic will mak th id a s cond natur . Just
r m mb r that wh n you provid a path nam to a command or fiel , including a “/” in front
m ans an explicit path, and will d fien th location starting from the top level directory (root).
B ginning a path nam without a “/” indicat s that your path starts in the current directory and
is r f rr d to as a relative path. Mor on this lat r.

On v ry us ful r sourc for this subj ct is th Fil Syst m Hi rarchy Standard (FHS),
th purpos of which is to provid a r f r nc for d v lop rs and syst m administrators on fiel
and dir ctory plac m nt. R ad mor about it at http://www.pathname.com/fhs/

Mounting External File Systems

The r is a long list of fiel syst m typ s that can b acc ss d through Linux. You do this
by using th mount command. Linux has a coupl of sp cial dir ctori s us d to mount fiel
syst ms to th xisting Linux dir ctory tr . On dir ctory is call d /mnt. It is h r that you
can dynamically atteach n w fiel syst ms from xt rnal (or int rnal) storag d vic s that w r

33
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

not mount d at boot tim . Typically, th /mnt dir ctory is us d for temporary mounting.
Anoth r availabl dir ctory is /media, which provid s a standard plac for us rs and
applications to mount r movabl m dia (this is wh r auto-mounting tak s plac ). Actually
you can mount fiel syst ms anywh r (not just on /mnt or /media), but it's b tte r for
organization. Sinc w will b d aling with mostly t mporary mounting of pot ntial vid nc
volum s, w will us th /mnt dir ctory for most of our work. H r is a bri f ov rvi w.

Any tim you sp cify a mount point you must fierst mak sur that that dir ctory xists.
For xampl to mount a USB disk und r /mnt/evidence you must b sur that
/mnt/evidence xists. Aftw r all, suppos w want to hav a CDROM and a USB driv
mount d at th sam tim ? The y can't both b mount d und r /mnt (you would b trying to
acc ss two fiel syst ms through on dir ctory!). So w cr at dir ctori s for ach d vic ’s fiel
syst m und r th par nt dir ctory /mnt. You d cid what you want to call th dir ctori s, but
mak th m asy to r m mb r. K p in mind that until you l arn to manipulat th fiel
/etc/fstab (cov r d lat r), only root can mount and unmount fiel syst ms ( xplicitly).

N w r distributions usually cr at mount points for you, but you might want to add
oth rs for yours lf (mount points for subj ct disks or imag s, tc. lik /mnt/data or
/mnt/analysis). Not that you must b root to cr at mount points in / mnt:

root@forensic1:~# mkdir /mnt/analysis

Thee Mount Command

The mount command us s th following syntax:

mount -t <filesystem> -o <options> <device> <mountpoint>

On of th options w pass to th mount command, using -t, is th fiel syst m typ 2.


But what if you don’t know what fiel syst m is on a d vic you’v b n hand d? First, w
n d to to know th partition layout of th d vic . Is th r on partition? Two? Onc w ’v
s l ct d th partition w want to vi w, w n d to know what fiel syst m might b on th r .
W can accomplish this with using a s ri s of commands w ’v alr ady cov r d in th arli r
chapt r on disks and disk naming conv ntions. W us th lsscsi command to vi w our
d vic s that hav b n d t ct d. W us fdisk to d t rmin th partition layout, and fienally
w us th file command with th -s option to d t rmin th fiel syst m typ w will b
mounting. For xampl , if I ins rt a thumb driv into my syst m and I want to manually
mount it, I can us th following commands to gath r th information I n d:

root@forensic1:~# lsscsi
[0:0:0:0] disk ATA INTEL SSDSC2CT12 300i /dev/sda

2
Actually, mod rn Linux syst ms do a pr ttey d c nt job of auto d t cting fiel syst m typ s, but b ing
xplicit is n v r a bad thing.

34
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

[2:0:0:0] disk ATA Hitachi HDS72302 A5C0 /dev/sdb


[3:0:0:0] cd/dvd HL-DT-ST DVDRAM GH24NS90 IN01 /dev/sr0
...
[19:0:0:0] disk SanDisk Ultra Fit 1.00 /dev/sdi

root@forensic1:~# fdisk -l /dev/sdi


Disk /dev/sdi: 115.7 GiB, 124218507264 bytes, 242614272 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 3D2FFB58-5AE1-4359-9D65-717404B452E6

Device Start End Sectors Size Type


/dev/sdi1 2048 242612223 242610176 115.7G Linux filesystem

root@forensic1:~# file -s /dev/sdi1


/dev/sdi1: Linux rev 1.0 ext4 filesystem data, UUID=22e4d5cc-7713-4b17-b2df-
11b17a73b954, volume name "Win10Image" (extents) (large files) (huge files)

The p rtin nt output is highlight d in r d. lsscsi shows us that th driv was d t ct d as


/dev/sdi. The fdisk output shows us a singl partition. The file command r ads th
signatur of th partition and d t rmin s it is an EXT4 fiel syst m. W will discuss th file
command xt nsiv ly lat r in this guid . For now, just und rstand that it d t rmin s th typ
of fiel by its signatur (r gardl ss of xt nsion or nam ), in this cas a fiel syst m signatur .

W can th n us that information to mount th driv (this command assum s th dir ctory
/mnt/analysis xists – if not th n cr at it with mkdir):

root@forensic1:~# mount -t ext4 /dev/sdi1 /mnt/analysis

Now chang to th n wly mount d fiel syst m:

root@forensic1:~# cd /mnt/analysis

You should now b abl to navigat th thumb driv as usual. Ess ntially, what w
hav don h r is tak th logical cont nts of th fiel syst m on /dev/sdi1 and mad it
availabl to th us r through /mnt/analysis. You can now brows th cont nts of th disk.

Wh n you ar fienish d, l av th /mnt/analysis dir ctory (if you do th cd command


by its lf, you will r turn to your hom dir ctory), and unmount th fiel syst m with:

35
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

root@forensic1:~# umount /mnt/analysis

 Not th prop r command is umount, not unmount. Theis cl anly unmounts th fiel
syst m. DO NOT r mov th disk OR SWAP th disk until it is unmount d.
 If you g t an rror m ssag that says th fiel syst m cannot b unmount d b caus it is
busy, th n you most lik ly hav a fiel op n from that dir ctory, or ar using that dir ctory
from anoth r t rminal. Ch ck all your t rminals and virtual t rminals and mak sur you
ar no long r in th mount d dir ctory.

Anoth r Exampl : R ading a CDROM or DVD

 Ins rt th CDROM:
 W us th ISO9660 fiel syst m form mounting most CD and DVD disks. You can ch ck
that again with th file command run on our DVD d vic (/dev/sr0) with a disk
ins rt d:

root@forensic1:~# file -s /dev/sr0


/dev/sr0: ISO 9660 CD-ROM filesystem data 'MY DATA'

 Now w mount th d vic and chang to th n wly mount d fiel syst m:

root@forensic1:~# mount -t iso9660 /dev/sr0 /mnt/cdrom


mount: /dev/sr0 is write-protected, mounting read-only

root@forensic1:~# cd /mnt/cdrom

root@forensic1:~# ls
autorun.inf* document/ installmanager/ menu/ tools/

 You should now b abl to navigat th disk as usual.


 Wh n you ar fienish d, l av th /mnt/cdrom dir ctory (chang to your hom dir ctory
again with cd or cd ~), and unmount th fiel syst m with:

root@forensic1:~# umount /mnt/cdrom

If you want to s a list of fiel syst ms that ar curr ntly mount d, just us th mount
command without any argum nts or param t rs. It will list th mount point and fiel syst m
typ of ach d vic on syst m, along with th mount options us d (if any). Not in th output
b low you can s th thumb driv and CD disk I just mount d (and did not unmount):

36
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

root@forensic1:~# mount
/dev/sda3 on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
tmpfs on /dev/shm type tmpfs (rw)
/dev/sda1 on /boot type ext4 (rw)
/dev/sdi1 on /mnt/hd type ext4 (rw)
/dev/sr0 on /mnt/cdrom type iso9660 (ro)

Alt rnativ ly, you can qu ry /proc/mounts. Wh r th mount command is actually


displaying th cont nts of /etc/mtab, /proc/mounts is actually mor up to dat . The /proc
fiel syst m on Linux is a virtual hi rarchical display of syst m proc ss s and information. Us
cat /proc/mounts to vi w th output.

The ability to mount and unmount fiel syst ms is an important skill in Linux. W us it to
vi w th cont nts of a fiel syst m, and w us it to mount xt rnal storag for coll cting
vid nc fiel s, tc. The r ar a larg numb r of options that can b us d with mount (som w
will cov r lat r), and a numb r of ways th mounting can b don asily and automatically.
R f r to th mount info or man pag s for mor information.

In most mod rn distributions (Slackwar includ d), optical disks will b auto-d t ct d,
and an icon plac d on th d sktop for it. W ’ll cov r that in an upcoming s ction.

Thee File System Table (/etc/fstab)

It might s m lik mount -t iso9660 /dev/cdrom /mnt/cdrom is a lot to typ v ry


tim you want to mount a CD. On way around this is to dit th fiel /etc/fstab (“fiel syst m
tabl ”). Theis fiel allows you to provid d faults for your mountabl fiel syst ms, th r by
short ning th commands r quir d to mount th m. My /etc/fstab looks lik this:

root@forensic1:~# cat /etc/fstab


/dev/sda2 swap swap defaults 0 0
/dev/sda3 / ext4 defaults 1 1
/dev/sda1 /boot ext4 defaults 1 2
/dev/cdrom /mnt/cdrom auto noauto,owner,ro 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
proc /proc proc defaults 0 0
tmpfs /dev/shm tmpfs defaults 0 0

The columns ar :
<device> <mount point> <fstype> <default options>

With this /etc/fstab, I can mount a CD by simply typing:

37
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

_________________________________________________________________________
root@forensic1:~# mount /mnt/cdrom

The abov mount commands look incompl t . Wh n not nough information is giv n,
th mount command will look to /etc/fstab to fiell in th blanks. If it fiends th r quir d info,
it will go ah ad with th mount. To fiend out mor about availabl options for /etc/fstab,
nt r info fstab at th command prompt. Aftw r installing a n w Linux syst m, hav a look at
/etc/fstab to s what is availabl for you. If what you n d isn’t th r , add it. In my cas I
un-comm nt d th ntry for th CDROM. Out of old habit, I pr f r using fstab to mount my
CD/DVD m dia.

Desktop Mounting

Mounting can also tak plac via automat d or partially automat d proc ss s through
your d sktop nvironm nt. Linux has a hug list of availabl choic s in d sktop syst ms and
manag m nt (XFCE, KDE, Gnom , Mat , tc.). The y all hav th capability to handl and
mount r movabl d vic s for th us r. Theis is normally don through th dynamic addition of
cont xt capabl d sktop icons that may app ar wh n r movabl m dia is plugg d in. Volum s
can th n b mount d via a right-click m nu.

The r ar a numb r of us ful chang s for th g n ral Linux us r that mak s this sort of
d sktop capabl mounting mak s ns . First, for g n ral daily us as a d sktop workstation,
who wants to hav to log in as root to mount xt rnal d vic s? What if you ar working on a
syst m that you don’t hav l vat d privil g s on? In addition to th p rsonal logistics, th r ’s
also th fact that th mor mod rn mounting syst ms will plac r movabl d vic mount
points to a us r’s p rsonal spac rath r than a syst m wid mount point. Theis offo rs b tte r
s curity and acc ssibility for th us r.

The following xampl will show what can happ n on an XFCE d sktop wh n a USB
driv is ins rt d. Theis is just an illustration. B sur to ch ck your own syst m for d fault
confiegurations that might diffo r from this on . You c rtainly don’t want to accid ntally mount
vid nc just b caus you w r unawar th syst m is doing it for you.

In this cas th USB disk has a partition with a volum lab l “Win10Imag ” (th volum
lab l can b s t by any numb r of tools wh n th fiel syst m is formatte d).

With th USB driv ins rt d, an icon app ars on th d sktop (s Illustration 2).

38
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Illustration 2: A thumb drive with a partition labeled "Win10Image"


is plugged in to an XFCE desktop.

Back in th arli r s ction on disks and d vic nod s, w talk d about d vic d t ction
and naming. In addition to th /dev/sdx naming, th r ar oth r nam s assign d to th disk
by UUID, lab l, and k rn l path. Wh n I s th Win10Image lab l app ar on th d sk top, a
t rminal can quickly b op n d to s xactly what partition on which disk that lab l b longs
to by acc ssing th /dev/disk/ sub-fold rs, sp cifiecally /dev/disk/by-label:

Using ls -l w s that th fiel /dev/disk/by-label/Win10Image is a link (much lik


a shortcut or point r to anoth r fiel ) to /dev/sdb1.

root@forensic1:~# ls -l /dev/disk
total 0
drwxr-xr-x 2 root root 140 Apr 16 18:28 by-id/
drwxr-xr-x 2 root root 60 Apr 16 18:28 by-label/
drwxr-xr-x 2 root root 80 Apr 16 18:28 by-partlabel/
drwxr-xr-x 2 root root 80 Apr 16 18:28 by-partuuid/
drwxr-xr-x 2 root root 80 Apr 16 18:28 by-path/
drwxr-xr-x 2 root root 80 Apr 16 18:28 by-uuid/

root@forensic1:~# ls -l /dev/disk/by-label/
total 0
lrwxrwxrwx 1 root root 10 Apr 16 18:28 Win10Image -> ../../sdb1

If w right click on th icon and s l ct Mount Volume from th m nu, th volum is


mount d on /run/media/$user]/$label. In this cas th us r is barry and th lab l is
Win10Image. S illustration 3.

39
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Illustration 3: Context menu that appears


with right click on a volume icon.

Onc mount d, w can s th r sults from th t rminal using th mount command:

root@forensic1:~# mount
/dev/sda1 on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
tmpfs on /dev/shm type tmpfs (rw)
/dev/sdb1 on /run/media/barry/Win10Image type ext4(rw,nodev,nosuid,
uhelper=udisks2)

Mak sur you know how to control th mounting of disks and volum s within your
d sktop nvironm nt. The XFCE shipp d with Slackwar do s no auto-mounting of any
volum s. The icons app ar on th d sktop, but you ar fr to mount th m as you s fiet.
The r ar confieguration options availabl to chang this b havior, so b car ful (s Illustration
1).

40
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

III. Thee Linux Boot Sequence (Simplifiged)


Booting the kernel
The fierst st p in th (simplifie d) boot up s qu nc for Linux is loading th k rn l. The
k rn l imag is usually contain d in th /boot dir ctory. It can go by s v ral diffo r nt
nam sN (this can vary gr atly by distro)
 bzImage
 vmlinuz

Som tim s th k rn l imag will sp cify th k rn l v rsion contain d in th imag , i. .


vmlinuz-huge-4.4.19 V ry oftw n th r is a softw link (lik a shortcut) to th most curr nt
k rn l imag in th /boot dir ctory. It is normally this softw link that is r f r nc d by th boot
load r, LILO (or GRUB). In a stock Slackwar syst m, th k rn l imag is /boot/vmlinuz.

Not that Slackwar us s LILO by d fault. LILO is an old r and far simpl r syst m for
booting, but is much l ss fla xibl .

The boot load r sp cifie s th “root d vic ” (boot driv ), along with th k rn l v rsion to
b boot d. For LILO, this is all controll d by th fiel /etc/lilo.conf. Each “image=” s ction
r pr s nts a choic in th boot scr n.

Theis is an xampl of a lilo.conf fiel 3:


root@forensic1:~# cat /etc/lilo.conf
append=" vt.default_utf8=0"
boot = /dev/sda ← our boot device
bitmap = /boot/slack.bmp
bmp-colors = 255,0,255,0,255,0
bmp-table = 60,6,1,16
bmp-timer = 65,27,0,255
prompt
timeout = 1200
change-rules
reset
vga = normal
image = /boot/vmlinuz ← the kernel image we are booting
root = /dev/sda1 ← the partition we boot from
label = Linux
read-only

Onc th syst m has fienish d booting, you can r play th k rn l m ssag s that “flay”
past th scr n during th booting proc ss with th command dmesg. W discuss d this
command a littel wh n w talk d about d vic r cognition arli r. As pr viously m ntion d,
3
The actual /etc/lilo.conf fiel on your syst m will b much mor clutte r d with comm nts (lin s
starting with a “#”). Comm nts hav b n r mov d for r adability abov .

41
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

this command can b us d to fiend hardwar probl ms, or to s how a r movabl (or susp ct)
driv was d t ct d, including its g om try, tc. The output can b pip d through a paging
vi w r to mak it asi r to s (in this cas , dmesg is pip d through less on my Slackwar
syst m.):

root@forensic1:~# dmesg | less


...
Initializing cgroup subsys cpuset
Initializing cgroup subsys cpu
Initializing cgroup subsys cpuacct
Linux version 4.4.38 (root@hive64) (gcc version 5.3.0 (GCC) ) #2 SMP Sun Dec
11 16:18:36 CST 2016
Command line: BOOT_IMAGE=Linux ro root=801 vt.default_utf8=0
x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256
x86/fpu: Supporting XSAVE feature 0x01: 'x87 floating point registers'
x86/fpu: Supporting XSAVE feature 0x02: 'SSE registers'
...

System Initialization
Aftw r th boot load r initiat s th k rn l, th n xt st p in th boot s qu nc starts
with th program /sbin/init. Theis program r ally has two functions:

 initializ th runl v l and startup scripts


 t rminal proc ss control (r spawn t rminals)

In short, th init program is controll d by th fiel /etc/inittab. It is this fiel that


controls your runl v l and th global startup scripts for th syst m. Theis is, again, for a
Slackwar syst m. Som syst ms, lik Ubuntu, for xampl , us a n w systemd sch m for
syst m control and confieguration. If you ar int r st d in th syst m startup routin for your
particular distro (and you should b int r st d), th n r s arch it onlin .

Runlevel
The runl v l is simply a d scription of th syst m stat . For our purpos s, it is asi st
to say that (for Slackware, at l ast – oth r syst ms, such as thos using systemd, will diffo r):

 runl v l 0 = shutdown
 runl v l 1 = singl us r mod
 runl v l 3 = full multius r mod / t xt login (DEFAULT)
 runl v l 4 = full multius r / X11 / graphical login 4
 runl v l 6 = r boot

In th fiel /etc/inittab you will s a lin similar to:

4
This is largely distribution dependent. In some distributions, run level 5 provides a GUI login. In
Slackware (and others), it's run level 4.

42
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

id:3:initdefault:

barry@forensic1:~$ cat /etc/inittab


<previous output>
# These are the default runlevels in Slackware:
# 0 = halt
# 1 = single user mode
# 2 = unused (but configured the same as runlevel 3)
# 3 = multiuser mode (default Slackware runlevel)
# 4 = X11 with KDM/GDM/XDM (session managers)
# 5 = unused (but configured the same as runlevel 3)
# 6 = reboot

# Default runlevel. (Do not set to 0 or 6)


id:3:initdefault:

# System initialization (runs when system boots).


si:S:sysinit:/etc/rc.d/rc.S
...

It is h r that th d fault runl v l for th syst m is s t. If you want a t xt login (which


I sugg st), s t th abov valu in initdefault to “3”. Theis is th d fault for Slackwar . With
this d fault runl v l, you us startx to g t to th X Window GUI syst m. If you want a
graphical login, you would dit th abov lin to contain a “4”.

Not that for Ubuntu, you can cr at an /etc/inittab fiel and plac th valu in th r .
If it xists, th fiel will b r ad and th runl v l chang d accordingly. The systemd styl of
manag m nt us d by Ubuntu do s not r ally utiliz “runl v ls”. It utiliz s targets. Chang s to
th s targets ar mad using th systemctl command. The confieguration and us of Ubuntu is
outsid th scop of this guid , but this particular issu highlights th fact that Linux syst ms
can vary in how th y work.

Global Startup Scripts

Aftw r th d fault run l v l has b n s t, init (via /etc/inittab) th n runs th


following scripts:
 /etc/rc.d/rc.S - handl s syst m initialization, fiel syst m mount and ch ck, ncrypt d
volum s, swap initialization, d vic s, tc.
 /etc/rc.d/rc.X - wh r X is th run l v l pass d as an argum nt by init. In th cas of
mulit-us r (non GUI) logins (run l v l 2 or 3), this is rc.M. Theis script th n calls oth r
startup scripts (various s rvic s, tc.) by ch cking to s if th y ar “ x cutabl ”.
 /etc/rc.d/rc.local - call d from within th sp cifiec run l v l scripts, rc.local is a
g n ral purpos script that can b dit d to includ commands that you want start d at
boot up.
 /etc/rc.d/rc.local_shutdown - Theis fiel should b us d to stop any

43
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

s rvic s that w r start d in rc.local. Cr at th fiel and mak it x cutabl to hav it


run.

Service Startup Scripts

Onc th global scripts run, th r ar “s rvic scripts” in th /etc/rc.d/ dir ctory that
ar call d by th various runl v l scripts, as d scrib d abov , d p nding on wh th r th scripts
th ms lv s hav “ x cutabl ” p rmissions. Theis m ans that w can control th boot tim
initialization of a s rvic by changing it's x cutabl status. Mor on how to do this lat r.
Som xampl s of s rvic scripts ar :

 /etc/rc.d/rc.inet1 - handl s n twork int rfac initialization


 /etc/rc.d/rc.inet2 - handl s n twork s rvic s start. Theis script organiz s th various
n twork s rvic s scripts, and nsur s that th y ar start d in th prop r ord r.
 /etc/rc.d/rc.wireless - handl s wir l ss n twork card s tup.
 /etc/rc.d/rc.sendmail - starts th mail s rv r. Controll d by rc.inet2.
 /etc/rc.d/rc.sshd - starts th Op nSSH s rv r. Also controll d by rc.inet2.
 /etc/rc.d/rc.messagebus - starts d-bus m ssaging s rvic s.
 /etc/rc.d/rc.udev - populat s th /dev dir ctory with d vic nod s, scans for d vic s,
loads th appropriat k rn l modul s, and confiegur s th d vic s.

Hav a look at th /etc/rc.d dir ctory for mor xampl s. Not that in a standard
Slackwar install, your dir ctory listing will show x cutabl scripts as gr n in color (in a
t rminal with color support) and follow d by an ast risk (*).

Again, this is Slackwar sp cifiec. Oth r distributions diffo r (som diffo r gr atly!), but
th conc pt r mains consist nt. Onc you b com familiar with th proc ss, it will mak
s ns . The ability to manipulat startup scripts is an important st p in your Linux l arning
proc ss. At th v ry l ast, und rstanding how your syst m works and wh r s rvic s ar
start d and stopp d is important.

Bash
Bash (Bourne Again Shell) is th d fault command sh ll for most Linux distros. It is th
program that s ts th nvironm nt for your command lin xp ri nc in Linux. The r ar a
numb r of sh lls availabl , but w will cov r bash, th most commonly us d in Linux, h r .

The r ar actually quit a f w fiel s that can b us d to customiz a us r’s Linux


xp ri nc . H r ar som that will g t you start d.

 /etc/profile - Theis is th global bash initialization fiel for int ractiv login sh lls.
Edits mad to this fiel will b appli d to all bash sh ll us rs. Theis fiel s ts th standard
syst m path, th format of th command prompt and oth r nvironm nt variabl s.

44
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

 Not that chang s mad to this fiel may b lost during upgrad s. Anoth r m thod is to
cr at an x cutabl fiel in th dir ctory /etc/profile.d. Ex cutabl fiel s plac d in
that dir ctory ar run at th nd of /etc/profile.
 /home/$USER/.bash_profile5 - Theis script is locat d in ach us r’s hom dir ctory
($USER) and can b dit d by th us r, allowing him or h r to customiz th ir own
nvironm nt. It is in this fiel that you can add alias s to chang th way commands
r spond. Not that th dot in front of th fiel nam mak s it a “hidd n” fiel .
 /home/$USER/.bash_history – Theis is an xc dingly us ful fiel for a numb r of
r asons. It stor s a s t numb r of commands that hav alr ady b n typ d at th
command lin (d fault is 500). The s ar acc ssibl through ith r “r v rs sh lls” or
simply by using th “up” arrow on th k yboard to scroll through th history of
alr ady-us d commands. Inst ad of r -typing a command ov r and ov r again, you can
acc ss it from th history.
 From th p rsp ctiv of a for nsic xamin r, if you ar xamining a Linux syst m, you
can acc ss ach us r's (don't forg t root) .bash_history fiel to s what commands
w r run from th command lin . R m mb r that th l ading “.” in th fiel nam
signifie s that it is a hidd n fiel .

K p in mind that th d fault valu s for ./.bash_history (numb r of ntri s, history


fiel nam , tc.) can b controll d by th us r(s). R ad man bash for mor d tail d info.

The bash startup s qu nc is actually mor complicat d than this, but this should giv
you a starting point. In addition to th abov fiel s, ch ck out /home/$USER/.bashrc. The man
pag for bash is an int r sting (and long) r ad, and will d scrib som of th customization
options. In addition, r ading th man pag will giv a good introduction to th programming
pow r provid d by bash scripting. Wh n you r ad th man pag , you will want to conc ntrat
on th INVOCATION s ction for how th sh ll is us d and basic programming syntax.

5
In bash w d fien th cont nts of a variabl with a dollar sign. $USER is a variabl that r pr s nts th
nam of th curr nt us r. To s th cont nts of sh ll individual variabl s, us “ echo $VARNAME”.

45
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

IV. Basic Linux Commands


Linux at the terminal

Dir ctory listing:


ls : list fiel s
ls –F : classifie s fiel s and dir ctori s
ls –a : show all fiel s (including hidd n)
ls –l : d tail d fiel list (long vi w)
ls –lh : d tail d list (long, with “human r adabl ” fiel siz s)

barry@forensic1:~$ ls -l
total 5195940
drwxr-xr-x 4 root root 4096 Aug 3 2013 Bootable/
drwxr-xr-x 2 root root 4096 Mar 5 15:45 Pictures/
drwxr-xr-x 2 root root 4096 Dec 11 13:44 Desktop/
drwxrwxr-x 2 root root 4096 Mar 24 15:31 LGPL/
-rw-r--r-- 1 root root 4257941850 Aug 28 2016 swwre.tar.gz
...

W will discuss th m aning of ach column in th ls -l output lat r in this docum nt.

Changing Dir ctori s:


cd dir : chang dir ctory to <dir>
cd : (by its lf) shortcut back to your hom dir ctory
cd .. : up on dir ctory (not th spac b tw n “cd” and
“..”
cd - : back to th last dir ctory you w r in.
cd /dirname : chang to th sp cifie d dir ctory. Not that th
addition of th “/” in front of th dir ctory impli s
an xplicit (absolut ) path, not a r lativ on . With
practic , this will mak mor s ns .
cd dirname : chang to th sp cifie d dir ctory. The lack of a “/” in
front of th dir ctory nam impli s a r lativ path
m aning dirname is a subfold r of our curr nt
dir ctory.

Copy fiel s:
cp source destination : copy sourc to d stination
cp -r source destination : copy dir ctory r cursiv ly

46
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Cl ar th T rminal:
clear : cl ars th t rminal scr n of all t xt and r turns a
prompt. <ctrl>- l (control-charact r l) will
accomplish th sam .

Mov a fiel or dir ctory:


mv source destination : mov or r nam a fiel .

D l t a fiel or dir ctory:


rm filename : d l t s a fiel
rm -r : r cursiv ly d l t s all fiel s in dir ctori s and sub
dir ctori s
rmdir : r mov dir ctori s (if mpty)
rm -f : do not prompt for fiel r moval

Display command h lp:


man command : display a "manual" pag for th sp cifie d command.
Us "q" to quit. VERY USEFUL

If you want to fiend information about a command call d find, including its usag ,
options, output, tc., th n you would us th “man pag ” for th command find :

barry@forensic1:~$ man find


FIND(1) General Commands Manual FIND(1)

NAME
find - search for files in a directory hierarchy

SYNOPSIS
find [-H] [-L] [-P] [-D debugopts] [-Olevel] [path...] [expression]

DESCRIPTION
This manual page documents the GNU version of find. GNU find searches the
directory tree rooted at each given file name
<continues>

Cr at a dir ctory:
mkdir directory : Cr at s a dir ctory. Again, r m mb r th
diffo r nc b tw n a r lativ and xplicit path h r .

47
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Display th cont nts of a fiel :


cat filename : The simpl st form of fiel display, cat
str ams th cont nts of a fiel to th
standard output (usually th t rminal).
cat actually stands for “concatenate”.
cat file1 file2 > file3 : Tak s th cont nts of file1 and file2
and str ams th output which is r dir ct d
to a singl fiel , file3. Theis ffo ctiv ly
adds th two fiel s into on singl fiel (th
original fiel s r main unchang d).
more filename : displays th cont nts of a fiel on pag at a
tim . Unlik its DOS count rpart, GNU
more tak s fiel nam s as dir ct argum nts.
less filename : less is a b tte r more - Supports scrolling
in both dir ctions, and a numb r of oth r
pow rful f atur s. less is actually th
GNU v rsion of more, and on many
syst ms you will fiend that more is actually
a link to less. Us q to xit a less
s ssion.

Not that you can string tog th r s v ral options. For xampl :

barry@forensic1:~$ ls -aF
./ ../ .bash_history .gnupg/ .xinitrc .xsession*
myscript* textfile1 textifle2

ls -aF will giv you a list of all fiel s (-a), including hidd n fiel s, and fiel /dir ctory
classifiecation (-F, which shows "/" for dir ctori s, "*" for x cutabl s, and "@" for links).

Additional useful commands

grep s arch s for patte rns.

grep pattern filename

grepwill look for occurr nc s of pattern within th fiel filename. grep is an xtr m ly
pow rful tool. It has hundr ds of us s giv n th larg numb r of options it supports. Ch ck
th man pag for mor d tails. W will us grep in our for nsic x rcis s lat r on.

48
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

find allows you to s arch for a fiel bas d on any numb r of crit ria, including dat s, siz s,
nam patte rs, tc.. To look for your fstab fiel , you might try:

barry@forensic1:~$ find / -iname fstab


/etc/fstab

Theis m ans "fiend, starting in th root dir ctory ( / ), by nam , fstab and print th
r sults to th scr n". find will allow you to s arch by fiel typ or v n fiel tim s (actually
inode tim s). The pow r of th find command should not b und r stimat d. Mor on this
tool lat r. Hav a look at man find. Can you s th diffo r nc b tw n -iname and -name?

pwd prints th pr s nt working dir ctory to th scr n. The following xampl shows that
w ar curr ntly in th dir ctory /home/barry.

barry@forensic1:~$ pwd
/home/barry

file cat goriz s fiel s bas d on what th y contain using a signatur , r gardl ss of th nam
(or xt nsion, if on xists). Compar s th fiel h ad r to th "magic" fiel in an atte mpt to ID
th fiel typ . For xampl :

barry@forensic1:~$ file pic.png


pic.png: PNG image data, 48 x 48, 4-bit colormap, non-interlaced

ps list of curr nt proc ss s. Giv s th proc ss ID numb r (PID), and th t rminal on which
th proc ss is running.

ps ax shows all proc ss s (a), and all proc ss s without an associat d t rminal ( x). Not th
lack of a dash in front of th options. S th man pag for info on this d partur from our
pr vious conv ntion.

barry@forensic1:~$ ps ax
PID TTY STAT TIME COMMAND
1 ? Ss 0:00 init [4]
2 ? S 0:00 [kthreadd]
3 ? S 0:00 [ksoftirqd/0]
5 ? S< 0:00 [kworker/0:0H]
...
1595 ? S 0:00 [kworker/0:0]
1604 pts/1 Ss+ 0:00 -bash
1645 ? S 0:00 [kworker/1:0]

49
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

1651 ? S 0:00 [kworker/1:1]


1653 pts/0 R+ 0:00 ps ax

strings prints out th r adabl charact rs from a fiel . Will print out strings that ar at
l ast four charact rs long (by d fault) from a fiel . Us ful for looking at data fiel s without th
originating program, and s arching x cutabl s for us ful strings, tc. Mor on this
for nsically us ful command lat r.

chmod chang s th p rmissions on a fiel . (S th s ction in this docum nt on p rmissions).

chown chang s th own r of a fiel in much th sam way as chmod chang s th


p rmissions.

shutdown this command will b us d to shutdown th machin and cl anly xit th


syst m. You can run s v ral diffo r nt options h r (ch ck th man pag for many mor ):

shutdown -r now -will r boot th syst m now (chang to runl v l 6).

shutdown -h now -will halt th syst m. R ady for pow r down (chang to
runl v l 0).

Command Line Math

Wh n conducting an xamination, you’ll oftw n fiend yours lf n ding a quick way to


mak a simpl calculation (s ctor offos t, tc.). W ’r going to cov r som basic ways to
accomplish this via th command lin . W do this for two r asons: First is that it’s oftw n asi r
to includ command lin calculations without having to grab a mous , op n a GUI calculator
and typ in th numb rs – why not just typ in th t rminal and g t your answ r? S cond,
you may fiend yours lf n ding to us a t rminal s ssion or syst m that has no GUI. You might
as w ll l arn how to us th command lin for as much as you can and not r ly on xt rnal
r sourc s. The r ar a numb r of ways to do this:

bc – the basic calculator

If w n d to do som calculations on th command lin , w can us bc and ith r op n


an int ractiv s ssion, or pip th xpr ssion to b valuat d via th echo command through
bc. You’ll n d th s t chniqu s to calculat byt offos ts in lat r x rcis s. You don’t want to
hav to op n a calculator app, do you?

For an int ractiv s ssion, simply typ bc at th prompt and you will b dropp d into
th s ssion. Typ th xpr ssion and hit <enter>. Input b low is bold d for clarity.

50
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

barry@forensic1:~$ bc
bc 1.06.95
Copyright 1991-1994, 1997, 1998, 2000, 2004, 2006 Free Software Foundation,
Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
2+2
4
100*512
51200
5/3
1
quit

barry@forensic1:~$

Typ quit to fienish, and you’ll xit bc. Pay clos atte ntion to th last xpr ssion, 5/3.
Not that th r spons is 1, a whol numb r, rath r than th fraction w would assum . Theis is
b caus bc is a fiex d pr cision calculator, and th d fault scal is 1 (0). You can s t th scal
with th scale=x function, wh r x is th pr cision you’d lik . If you want your answ r
round d to two d cimal plac s, you can us scale=2.

barry@forensic1:~$ bc
bc 1.06.95
Copyright 1991-1994, 1997, 1998, 2000, 2004, 2006 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
scale=2
5/3
1.66
quit

H r w s our xp ct d r sult. You can also invok bc -l, which s ts additional


functions, but th scal is s t to 20 by d fault, and you’d normally want to s t a small r scal
anyway.

If you’d pr f r not to us an int ractiv s ssion, you can pip your xpr ssion to bc
using echo:

barry@forensic1:~$ echo 5/3 | bc


1

barry@forensic1:~$ echo "scale=2;5/3" | bc


1.66

51
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

barry@forensic1:~$ echo 2048*512 | bc


1048576

The abov xampl shows both th d fault output and scal s tteing via echo. The last
command shows a common calculation for byt offos t wh n giv n a s ctor numb r (or s ctor
offos t) in for nsic work.

Finally, w can us bc to conv rt h xad cimal valu s to d cimal valu s by using th


option ibase=16, ith r int ractiv ly or via echo. Not that alpha charact rs in th h x
xpr ssion MUST b upp r cas for bc to work. H r ar a coupl of xampl s:

barry@forensic1:~$ bc
bc 1.06.95
Copyright 1991-1994, 1997, 1998, 2000, 2004, 2006 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
ibase=16
4C
76
4c <-- Note the chars must be upper case
(standard_in) 4: syntax error
quit

barry@forensic1:~$ echo "ibase=16;4C" | bc


76

Bash Shell Arithmetic Expansion

If you ar d aling with simpl int g rs (or h x conv rsion), and flaoating point or
d cimal r spons s ar not r quir d, you can us mor simpl bash (sh ll) Arithm tic
Expansion. Theis is probably th quick st and asi st way to do calculations for simpl addition
or subtraction wh r int g r offos ts ar n d d and you ar not lik ly to ncount r fractional
valuations. Not that you n d to us th echo command to valuat th xpr ssion, or th
valuation its lf will b int rpr t d by th sh ll as a command. Also not that h x valu s
should b pr c d d by 0x (z ro x) H r ’s an xampl s t of valuations:

barry@forensic1:~$ echo $((2048*512))


1048576

barry@forensic1:~$ echo $((5/3))


1 <-- Note the integer response

barry@forensic1:~$ echo $((0x4c))


76

52
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

barry@forensic1:~$ $((0x4c)) <-- Without the echo command


-bash: 76: command not found

barry@forensic1:~$ echo $((0x4c-70))


6

For additional information, s man bash.

File Permissions

Fil s in Linux hav c rtain sp cifie d fiel p rmissions. The s p rmissions can b vi w d
by running th ls -l command on a dir ctory or on a particular fiel . For xampl :

barry@forensic1:~$ ls -l myfile.sh
-rwxr-xr-x 1 barry users 3685 Apr 15 11:14 myfile.sh

If you look clos at th fierst 10 charact rs, you hav a dash (-) follow d by 9 mor
charact rs. The fierst charact r d scrib s th typ of fiel . A dash (-) indicat s a r gular fiel . A
"d" would indicat a dir ctory, and "b" a sp cial block d vic , tc.

First charact r of ls -l output:


- = r gular fiel
d = dir ctory
b = block d vic (SCSI or IDE disk)
c = charact r d vic (s rial port)
l = link (points to anoth r fiel or dir ctory)

The n xt 9 charact rs indicat th fiel p rmissions. The s ar giv n in groups of thr :

Own r Group Oth rs


rwx rwx rwx

The charact rs indicat


r = r ad
w = writ
x = x cut

So for th abov myfile.sh w hav


rwx r-x r-x

53
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Theis giv s th fiel own r r ad, writ and x cut p rmissions ( rwx), but r stricts oth r
m mb rs of th own r’s group and us rs outsid that group to only r ad and x cut th fiel
(r-x). Writ acc ss is d ni d as symboliz d by th “-”.

Now back to th chmod command. The r ar a numb r of ways to us this command,


including xplicitly assigning r, w, or x to th fiel . W will cov r th octal m thod h r b caus
th syntax is asi st to r m mb r (and I fiend it most fla xibl ). In this m thod, th syntax is as
follows:
chmod octal filename

octal is a thr digit num rical valu in which th fierst digit r pr s nts th own r, th
s cond digit r pr s nts th group, and th third digit r pr s nts oth rs outsid th own r's
group. Each digit is calculat d by assigning a valu to ach p rmission:

r ad (r) =4
writ (w) =2
x cut (x) =1

For xampl , th fiel filename in our original xampl has an octal p rmission valu of
755 (rwx =7, r-x =5, r-x=5). If you want d to chang th fiel so that th own r and th group
had r ad, writ and x cut p rmissions, but oth rs would only b allow d to r ad th fiel , you
would issu th command:

chmod 774 filename


(r=4)+(w=2)+(x=1)=7 [owner]
(r=4)+(w=2)+(x=1)=7 [group]
(r=4)+(w=0)+(x=0)=4 [others]

Changing p rmissions and th n displaying a n w long list of th fiel would show:

barry@forensic1:~$ ls -l myfile.sh
-rwxr-xr-x 1 barry users 3685 Apr 15 11:14 myfile.sh

barry@forensic1:~$ chmod 774 myfile.sh

barry@forensic1:~$ ls -l myfile.sh
-rwxrwxr-- 1 barry users 3685 Apr 15 11:14 myfile.sh

(rwx = 7, rwx = 7, r-- = 4)

Pipes and Redirection


Linux allows you to r dir ct th output of a command from th standard output
(usually th display or "consol ") to anoth r d vic or fiel . Theis is don with streams. The r ar

54
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

thr str ams w can talk about: stdin is th standard input (usually th k yboard); stdout is
th standard output (usually th display); and stderr is standard rror (usually th display).

W us sp cifiec symbols to r dir ct th s str ams:


• stdin : <
◦ cmd < infile
◦ cmd is taking its input from infile rath r than th k yboard.

• stdout : >
◦ cmd > outfile
◦ cmd is s nding its output to outfile rath r than th display.

• stderr: 2>
◦ cmd 2> errlog
◦ cmd is s nding any rror m ssag s to th fiel errlog.

Manipulating str ams can b us ful for tasks lik cr ating an output fiel that contains a
list of fiel s on a mount d volum , or in a dir ctory. For xampl :

barry@forensic1:~$ ls -al > filelist.txt

The abov command would output a long list of all th fiel s in th curr nt dir ctory.
Inst ad of outputteing th list to th consol , a n w fiel call d filelist.txt will b cr at d
that will contain th list. If th fiel filelist.txt alr ady xist d, th n it will b ov rwritte n.
Us th following command to append th output of th command to th xisting fiel , inst ad
of ov r-writing it:

barry@forensic1:~$ ls -al >> filelist.txt

Anoth r us ful tool is th command pipe, which us s th | symbol. The command pip
tak s th output of on command and "pip s" it straight to th input of anoth r command.

In this cas , w ar r dir cting th output to anoth r command rath r than a fiel . You
can s th diffo r nc b low. I can echo a charact r string to a fiel with >, or I can echo to a
command with |. The wc command shown b low giv s a count of lin s, words, and byt s. In
th fierst r dir ct b low, I’m creating a fiel call d wc with th output of echo. In th s cond, I’m
using a pip , so th ouput of echo go s to th command wc. In th third, I’m piping th output
of echo to wc and r dir cting th wc output to a fiel : Follow along b low, and xp rim nt.
DON’T do this logg d in as root. Exp rim ntation can g t out of hand quickly.

55
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

barry@forensic1:~$ echo hello


hello

barry@forensic1:~$ echo hello > wc

barry@forensic1:~$ cat wc
hello

barry@forensic1:~$ echo hello | wc


1 1 6

barry@forensic1:~$ echo hello | wc > outfile.txt

barry@forensic1:~$ cat outfile.txt


1 1 6

Theis is an xtr m ly pow rful tool for th command lin . Look at th following proc ss
list (partial output shown):

barry@forensic1:~$ ps ax
PID TTY STAT TIME COMMAND
1 ? Ss 0:00 init [4]
2 ? S 0:00 [kthreadd]
3 ? S 0:00 [ksoftirqd/0]
5 ? S< 0:00 [kworker/0:0H]
6 ? S 0:00 [kworker/u4:0]
7 ? S 0:00 [rcu_sched]
<continues>

What if all you want d to s w r thos proc ss s ID's that indicat d a bash sh ll?
You could "pip " th output of ps to th input of grep, sp cifying bash as th patte rn for grep
to s arch. The r sult would giv you only thos lin s of th output from ps that contain d th
patte rn bash.

barry@forensic1:~$ ps ax | grep bash


1522 pts/0 Ss 0:00 bash
1714 pts/1 Ss 0:00 -bash
1729 pts/1 S+ 0:00 grep bash

The r may b tim s wh r you want to s th output of a command display d on th


scr n and hav it r dir ct to a fiel as w ll. You can do that using th tee command.

barry@forensic1:~$ ls | tee filelist.txt

56
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Desktop/
Documents/
Evidence/
winlog.txt

barry@forensic1:~$ cat filelist.txt


Desktop/
Documents/
Evidence/
winlog.txt

In th abov s ssion, w ’v us d th tee command to both display th output of th ls


command to th scr n, and s nd it to a fiel call d filelist.txt. In th cont xt of a for nsic
xamination, this is us ful to captur th output of tools in a log fiel (r m mb r to us >> to
app nd).

Stringing multipl pow rful commands tog th r is on of th most us ful and pow rful
t chniqu s provid d by Linux for for nsic analysis. Theis is on of th singl most important
conc pts you will want to l arn if you d cid to tak on Linux as a for nsic tool. With a singl
command lin built from multipl commands and pip s, you can us s v ral utiliti s and
programs to boil down an analysis very quickly.

File Attributes

Linux fiel syst ms (lik xt2, xt3, xt4) support what ar call d fiel atteribut s. The r
ar quit a f w of th m, and w will not cov r all of th m h r . The r ar two that can b v ry
us ful for prot cting for nsic data from haphazard d l tion or tamp ring. The s ar app nd
only (a) and immutabl (i).

Atteribut s ar flaags that can control what fiel op rations ar allow d to occur on a fiel
or a dir ctory. Som of th m can b chang d, and som cannot. W can list th atteribut s of
fiel s and dir ctori s in our curr nt dir ctory with lsattr:

root@forensic1:~/MyDirectory# lsattr
--------------e---- ./data
--------------e---- ./textfile.txt
--------------e---- ./file1.txt
--------------e---- ./log.txt

H r I hav a dir ctory, in my /home/$USER dir ctory (signifie d by ~/$DIRNAME in th


prompt). Theis output shows that of all th availabl atteribut s, th fiel s and singl dir ctory
(data is a dir ctory) all hav only th extents atteribution ( )6.
6
Ext nts ar a m thod of mapping physical blocks of data in a contiguous fashion. W will not cov r

57
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

W add atteribut s with th chattr command, simply using a + to add th atteribut w


want with th fiel nam . For xampl , if I want to mak th dir ctory data/ immutabl , I can
add th i atteribut lik this:

root@forensic1:~/MyDirectory# chattr +i data/


root@forensic1:~/MyDirectory# lsattr
----i---------e---- ./data
--------------e---- ./textfile.txt
--------------e---- ./file1.txt
--------------e---- ./log.txt
root@forensic1:~/MyDirectory# rm -rf data
rm: cannot remove 'data': Operation not permitted

W add d th immutabl (i) atteribut to th data dir ctory, and you can s in th
subs qu nt lsattr command that th i atteribut is display d for ./data. Wh n w try and
d l t th dir ctory with rm -rf, w fiend that th op ration is not allow d v n though w ar
root. Theis is v ry pow rful. W cannot d l t th dir ctory, nor can w add, d l t , or chang
fiel s in that dir ctory.

W will now add th append only (a) atteribut to log.txt. Theis atteribut m ans that
th fiel can only b op n d in app nd mod . W cannot chang or d l t curr nt cont nt, only
add to it. W will fiend this us ful wh n r -dir cting output to a log fiel for docum nting our
work.

root@forensic1:~/MyDirectory# chattr +a log.txt


root@forensic1:~/MyDirectory# lsattr
----i---------e---- ./data
--------------e---- ./textfile.txt
--------------e---- ./file1.txt
-----a--------e---- ./log.txt
root@forensic1:~/MyDirectory# echo "text" > log.txt
-su: log.txt: Operation not permitted
root@forensic1:~/MyDirectory# echo "text" >> log.txt

W chang th atteribut with chattr, s th chang in log.txt with lsattr, and th n


try and r dir ct output to ov rwrit th fiel (using th singl r dir ct >), which fails.
App nding th sam output is succ ssful, how v r (app nding is don with a doubl r dir ct
>>, m aning w ar adding to th nd of th fiel , not ov rwriting). W ’ll l arn mor about
r dir ction lat r in this guid .

xt nts in this guid . Additional information can b found onlin . htteps:// n.wikip dia.org/wiki/Chatter

58
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

C rtain atteribut s (a and i, for xampl ) can only b s t by root. You can hav thos
atteribut s on us r-own d fiel s, but th y must b s t by root.

Metacharacters
The Linux command lin (actually th bash sh ll in our cas ) also supports wild cards
(m ta-charact rs):
 * for multipl charact rs (including ".").
 ? for singl charact rs.
 [ ] for groups of charact rs or a rang of charact rs or numb rs.

Theis is a complicat d and very pow rful subj ct, and will r quir furth r r adingN R f r
to “r gular xpr ssions” in your favorit Linux t xt, along with “globbing” or “sh ll xpansion”.
The r ar important diffo r nc s that can confus a b ginn r, so don’t g t discourag d by
confusion ov r what “*” m ans in diffo r nt situations.

Command Hints
1. Linux has a history list of pr viously us d commands (stor d in th fiel nam d
.bash_history in your hom dir ctory). Us th k yboard arrows to scroll through
commands you'v alr ady typ d.
2. Linux supports command lin diting. You can us th cursor to navigat a pr vious
command and corr ct rrors.
3. Linux commands and fiel nam s ar CASE SENSITIVE.
4. L arn output r dir ction for stdout and stderr (“>” and “2>”). Mor on this lat r.
5. Linux us s “/” for dir ctori s, MS Windows us s “\”.
6. Linux us s “-“ for command options, DOS us s “/”.
7. Us q to quit from less or man s ssions.
8. To x cut commands in th curr nt dir ctory (if th curr nt dir ctory is not in your
PATH), us th syntax ./command. Theis t lls Linux to look in th pr s nt dir ctory for
th command. Unl ss it is xplicitly sp cifie d, th curr nt dir ctory is NOT part of th
normal us r path.

59
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

V. Editing with Vi
The r ar a numb r of t rminal mod (non-GUI) ditors availabl in Linux, including
emacs and vi. You could always us on of th availabl GUI t xt ditors in Xwindow, but
what if you ar unabl to start X, or a windowing syst m is not availabl ? The b n fiet of
l arning vi or emacs is your ability to us th m from a t rminal, a charact r t rminal, or a
telnet or ssh s ssion, tc. W will discuss vi h r . (I don't do emacs :-)). vi in particular is
us ful, b caus you will fiend it on all v rsions of Unix. L arn vi and you should b abl to dit
a fiel on any Unix syst m.

Thee Joy of Vi

You can start vi ith r by simply typing vi at th command prompt, or you can sp cify
th fiel you want to dit with vi filename. If th fiel do s not alr ady xist, it will b cr at d
for you.

vi consists of two op rating mod s, command mod and insert mod . Wh n you fierst
nt r vi you will b in command mod . Command mod allows you to s arch for t xt, mov
around th fiel , and issu commands for saving, sav -as, and xiting th ditor (as w ll as a
whol host of oth r functions). Ins rt mod is wh r you actually input and chang t xt.

In ord r to switch to ins rt mod , typ ith r a (for app nd), i (for ins rt), or on of th
oth r ins rt options list d on th n xt pag . Wh n you do this you will s "--INSERT--"
app ar at th botteom of your scr n (in most v rsions). You can now input t xt. Wh n you
want to xit th ins rt mod and r turn to command mod , hit th scap k y.

You can us th arrow k ys to mov around th fiel in command mod . The vi ditor
was d sign d, how v r, to b xc dingly fficci nt, if not intuitiv . The traditional way of
moving around th fiel is to us th qw rty k ys right und r your fieng r tips. Mor on this
b low. In addition, th r ar a numb r of oth r navigation k ys that mak moving around in
vi asi r, lik using $ to mov to th nd of th curr nt lin or w to mov to th n xt word, tc.

If you los track of which mod you ar in, hit th scap k y twic . You will know
that you ar in command mod .

In curr nt Linux distributions, vi is usually a link to som n w r impl m ntation of vi,


such as vim (vi improv d), or in th cas of Slackwar , elvis. If your distribution includ s vim,
it should com with a nic tutorial. It is worth your tim . Try typing vimtutor at a command
prompt. Work through th ntir fiel . Theis is th singl b st way to start l arning vi. The
navigation k ys m ntion d abov will b com cl ar if you us vimtutor.

60
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Vi command summary

Ent ring Edit Mod from Command Mod :


a : app nd t xt (aftw r th cursor)
i : ins rt t xt (dir ctly und r th cursor)
o (th l tte r “oh”) : op n a n w lin und r th curr nt lin
O (capital “oh”) : op n a n w lin abov th curr nt lin

Command (Normal) Mod :


0 (z ro) : mov cursor to b ginning of curr nt lin .
$ : mov cursor to th nd of curr nt lin .
x : d l t (cut) th charact r und r th cursor
X : d l t (cut) th charact r b for th cursor
dd : d l t (cut) th ntir lin th cursor is on
dw : d l t (cut) to th nd of th word
d$ : d l t (cut) to th nd of th lin
v : nt r visual mod (s l ct t xt w/cursor)
y : yank (copy) t xt
yw : yank (copy) to th nd of th word
y$ : yank (copy) to th nd of th lin
p : past aftw r th cursor
P : past b for th cursor
:w : sav and continu diting
:wq : sav and quit
:q! : quit and discard chang s
:w filename : sav a copy to filename (sav as)

The b st way to sav yours lf from a m ss d up dit is to hit <ESC> follow d by :q!
Theat command will quit without saving chang s.

Anoth r us ful f atur in command mod is th string s arch. To s arch for a


particular string in a fiel , mak sur you ar in command mod and typ

/string

Wh r string is your s arch targ t. Aftw r issuing th command, you can mov on to th
n xt hit by typing n.

vi is an xtr m ly pow rful ditor. The r ar a hug numb r of commands and


capabiliti s that ar outsid th scop of this guid . S man vi for mor d tails. K p in mind
th r ar chapt rs in books d vot d to this ditor. The r ar also compl t books d vot d to vi
alon . The for nsic importanc of vi is that you n v r know wh n you will fiend yours lf
r sponding to a Unix machin , at a t rminal, and n ding to chang a fiel N vi will almost
c rtainly b th r for you.

61
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

VI. Configguring a Forensic Workstation


The r ar many xc ll nt guid s, books and w bsit s out on th Int rn t that provid
som wond rfully d tail d information on s tteing up a Linux installation for day to day us .
W ar going to conc ntrat h r on subj cts of particular int r st to s tteing up a s cur and
usabl for nsic workstation. Theis is on of th mor popular r qu sts I'v r c iv d ov r th
past coupl of y ars.

As with th r st of this guid , th sp cifiec commands pr s nt d h r ar for a Slackwar


14.2 installation. Whil th commands and capabiliti s provid d by oth r distributions will
diffo r som what (or gr atly) th basic concepts should b th sam . As always, ch ck your
distribution's docum ntation b for running th s commands on a non-Slackwar syst m.
And l t m r it rat : The s ar just the basics. The guid lin s s t forth in h r offo r only a
starting point for workstation confieguration and s curity. If you ar not using Slackwar , do
not just skip this s ctionNth information is us ful r gardl ss. Theis is not an xhaustiv
tr atis on s curity and confieguration. It is simply th basics to g t you start d.

Securing the Workstation

The s n xt f w s ctions on start up scripts, tcpwrappers and iptables ar cov r d in


d tail in Slackwar docum ntation (th Slack Book, for xampl ) and ls wh r for oth r
distributions. I'm going to m ntion th m h r so that th r ad r g ts a bas lin und rstanding
of th s subj cts. The d tails can b found through furth r r ading. Again, tak not that v n
if you ar not using Slackwar , and your distribution of choic is not confiegur d as I'm about to
d scrib , it's still worth following along, as th subj ct of d t rmining op n n twork ports and
tracing what s rvic th y b long to is an important on .

Anyon who has b n working in th fie ld of digital and comput r for nsics for any
l ngth of tim can t ll you that for nsic workstation s curity is always a top priority. Som
practition rs work on compl t ly “air gapp d” for nsic n tworks with no conn ction to outsid
r sourc s. Oth rs fiend this approach too limiting and l ct to h avily fier wall and monitor
for nsic workstations whil allowing som l v l of acc ss to xt rnal n tworks. In ith r cas ,
und rstanding your workstation's s curity postur is xtr m ly important. Theis docum nt
do s not ndors or sugg st any particular approach, and as with all things in this busin ss, th
r quir m nts for your particular s tup may chang day to day d p nding on th natur of th
cas s you ar working on, th vid nc you ar handling, th physical or n twork nvironm nt
you ar working in and th polici s s t forth by your ag ncy or company.

The goal h r is to nsur that, at a minimum, a for nsic xamin r und rstands th
curr nt s curity postur of th workstation, or at th v ry l ast, is conv rsant in addr ssing
th m. Theis s ction is not m ant to imply, in any way, that simpl host bas d s curity is nough
to prot ct your for nsic nvironm nt. The id al lab will hav dg rout rs and hardwar bas d
applianc s to prop rly s cur data and n twork acc ss. In som cas s, contraband analysis and
malwar inv stigation for xampl , air gapping may b th only r alistic solution. In any

62
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

v nt, und rstanding th m chanics of host bas d s curity is an oftw n ov rlook d, but
important part of th for nsic nvironm nt.

Configguring “rc” (startup) Services

W 'll start our s curity confieguration with th most basic st psNdisabling s rvic s
(and/or daemons) that start wh n th comput r boots. It's fairly common knowl dg that
running programs and n twork s rvic s that you ar not using and do not n d s rv s only to
introduc pot ntial vuln rabiliti s. The r ar all sorts of s rvic s running on any giv n
workstation, r gardl ss of distribution or op rating syst m. Som of th s s rvic s ar
r quir d, som ar optional, and som ar downright und sirabl for a for nsic nvironm nt.
As pr viously discuss d, this is wh r you will fiend quit a diffo r nc among th various
distributions. Ubuntu, for xampl , us s a n w syst m for managing th starting and stopping
of s rvic s call d upstart. Consult your distribution's docum ntation for mor info, and don't
n gl ct this part of your Linux ducation!

Pr viously, w discuss d th syst m initialization proc ss. Part of that proc ss is th


x cution of “rc” scripts that handl syst m s rvic s. R call that th fiel /etc/inittab invok s
th appropriat run l v l scripts in th /etc/rc.d/ dir ctory. In turn, th s scripts t st
various s rvic scripts, also in th /etc/rc.d/ dir ctory, for x cutabl p rmissions. If th
script is x cutabl , it is invok d and th s rvic is start d. Theis can b chain d, wh r rc.M
ch cks to s if an rc script is x cutabl , and if so th x cution of that script ch cks for mor
scripts that ar x cutabl . For xampl , th t st insid th rc.M (mulitus r init script) for th
n twork s rvic s script7 (rc.inet2) looks lik this (abbr viat d):

root@forensic1:~# cat /etc/rc.d/rc.M


...
# Start networking daemons:
if [ -x /etc/rc.d/rc.inet2 ]; then
. /etc/rc.d/rc.inet2
fi
...

The cod shown abov is an if / then stat m nt wh r th brack ts signify th t st


and th -x ch cks for x cutabl p rmissions. So it would r ad:

if th fiel /etc/rc.d/rc.inet2 is x cutabl , th n x cut th script


/etc/rc.d/rc.inet2

Onc rc.inet2 is running, it ch cks th x cutabl p rmissions on th n twork


s rvic scripts (among oth r things). Theis allows us to control th x cution of scripts simply

7
rc.inet1 starts th n twork int rfac (s) using rc.inet1.conf and rc.inet2 starts th various n twork
s rvic s.

63
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

by changing th p rmissions. If an rc script is x cutabl , it will run. If it is not x cutabl


th n it is pass d ov r. As an xampl , l t's hav a look at th Op nSSH (s cur sh ll) portion of
rc.inet2:

root@forensic1:~# cat /etc/rc.d/rc.inet2


...
# Start the OpenSSH SSH daemon:
if [ -x /etc/rc.d/rc.sshd ]; then
echo "Starting OpenSSH SSH daemon: /usr/sbin/sshd"
/etc/rc.d/rc.sshd start
fi
...

Again, this portion of rc.inet2 ch cks to s if rc.sshd is x cutabl . If it is, th n it


runs th command /etc/rc.d/rc.sshd start. Not that th rc s rvic scripts can hav ith r
start, stop or restart pass d as argum nts in most cas s. So, in summary for this particular
xampl :

• /etc/inittab calls /etc/rc.d/rc.M


• /etc/rc.d/rc.M calls /etc/rc.d/rc.inet2 (if rc.inet2 is x cutabl )
• /etc/rc.d/rc.inet2 pass s th command /etc/rc.d/rc.sshd start (if rc.sshd is
x cutabl ).

Earli r on w discuss d fiel p rmissions. Now l t us look at a practical xampl of


changing p rmissions for th purpos of stopping s l ct s rvic s from starting at boot tim . A
look at th p rmissions of /etc/rc.d/rc.sshd shows that it is x cutabl , and so will start
wh n rc.inet2 runs:

root@forensic1:~# ls -l /etc/rc.d/rc.sshd
-rwxr-xr-x 1 root root 1726 Mar 10 2016 /etc/rc.d/rc.sshd*

To chang th x cutabl p rmissions to pr v nt th SSH s rvic to start at boot tim , I


x cut th following:

root@forensic1:~# chmod 644 /etc/rc.d/rc.sshd


root@forensic1:~# ls -l /etc/rc.d/rc.sshd
-rw-r--r-- 1 root root 1726 Mar 10 2016 /etc/rc.d/rc.sshd

The dir ctory listing shows that I hav chang d th x cutabl status of th script, and
th r for pr v nt d th s rvic from starting wh n th syst m boots. D p nding on your
color t rminal s tteings, you may also s th color of th fiel chang .

64
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

You can us this t chniqu to go through your /etc/rc.d/ dir ctory to turn offo thos
s rvic s that you do not n d. Sinc I'm not running an old laptop, and don't n d PCMCIA
s rvic s nor do I hav wir l ss n twork support on my workstation, I'll mak sur th s do not
hav th x cutabl p rmissions:

root@forensic1:~# chmod 644 /etc/rc.d/rc.pcmcia


root@forensic1:~# chmod 644 /etc/rc.d/rc.wireless

You might also consid r doing th sam with som oth r s rvic s:

root@forensic1:~# chmod 644 /etc/rc.d/rc.gpm-sample

If you want to know what ach script do s, or if you ar unsur of th purpos of a


s rvic start d by a particular rc script, just op n th script with your paging program ( less,
for instanc ) and r ad th comm nts. Turning offo a s rvic you need is just as bad as l aving
an unn d d s rvic running. L arn what s rvic ach script starts, and why, and nabl or
disabl accordingly.

For xampl , h r 's th comm nts at th b ginning of /etc/rc.d/rc.yp:

root@forensic1:~# less /etc/rc.d/rc.yp


#!/bin/sh
# /etc/rc.d/rc.yp
#
# Start NIS (Network Information Service). NIS provides network-wide
# distribution of hostname, username, and other information databases.
# After configuring NIS, you will need to uncomment the parts of this
# script that you want to run.
#
# NOTE: for detailed information about setting up NIS, see the
# documentation in /usr/doc/yp-tools, /usr/doc/ypbind,
# /usr/doc/ypserv, and /usr/doc/Linux-HOWTOs/NIS-HOWTO.
<continues>

I would sugg st l aving sshd running (via th /etc/rc.d/rc.sshd script). Ev n if you


do not think you will us SSH, as you b com mor profieci nt with Linux, you will fiend that
ssh, th “s cur sh ll”, b com s an important part of your toolbox.

65
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Host Based Access Control

W continu our bas lin s curity confieguration discussion with a word on simpl host
bas d acc ss control. Not that this is NOT a fier wall. Theis is acc ss control at th host l v l.
In v ry simpl t rms, w can d t rmin who can acc ss our syst m by two fiel s,
/etc/hosts.deny and /etc/hosts.allow. For this w us TCP wrapp rs.

Basically, TCP wrapp rs works lik this: Wh n a s rv r confiegur d to run through


TCP wrapp rs r c iv s a conn ction r qu st, th inetd da mon calls th “wrapp r” s rvic ,
/usr/sbin/tcpd. The tcpd program th n ch cks th hosts.deny and hosts.allow fiel to s
if th conn ction is p rmitte d, and runs th r qu st d s rvic /s rv r accordingly.

L t's run through an xampl of a s rvic manag d by tcpd h r fierst, th n w 'll follow
up with th two acc ss control fiel s. If w look at our /etc/inetd.conf fiel , w s that most
of th fiel is alr ady comm nt d out, m aning that thos manag d s rvic s ar alr ady
disabl d. The comm nt d lin s start with a # sign. If w want to s only thos lin s that ar
not comm nt d out, w can do a “r v rs gr p”. So if I want to s th lin s in th fiel
/etc/inetd.conf that ar not comm nts, I can do this:

root@forensic1:~# cat /etc/inetd.conf | grep -v ^#


time stream tcp nowait root internal
time dgram udp wait root internal
comsat dgram udp wait root /usr/sbin/tcpd in.comsat
auth stream tcp wait root /usr/sbin/in.identd in.identd

The command shown abov str ams th cont nt of /etc/inetd.conf on th t rminal


(cat /etc/inetd.conf) and pip s th output to grep. W t ll grep to display lin s that DO
NOT (-v) start with a #. The carat charact r “^” m ans “at th start of th lin ”. Running th
abov command giv s m only thos lin s that ar actually us d in th confieguration.

In ord r to und rstand how th s s rvic s work and wh r to fiend sp cifiec information
on what is running on our syst m, l t's hav a mor d tail d look at th third lin in our
output:

comsat dgram udp wait root /usr/sbin/tcpd in.comsat

Sinc this lin is not comm nt d out, w know that th s rvic is allow d to run on our
syst m. L t's fiend out what it do s and show how w disabl it, and confierm that it's b n
disabl d.

NOTE: The s rvic s that ar l ftw running on a basic Slackwar install ar g n rally l ftw
running for a r ason. I would not r comm nd comm nting out any of th s lin s without
und rstanding th cons qu nc s. W ar d constructing this particular s rvic for ducational
purpos s. At th nd of th l sson, w 'll lik ly k p it nabl d. The purpos of this x rcis is

66
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

to show how you can trac running s rvic s, and fiend out what th y do. If you ar running
Linux (any flaavor), and you do not know what s rvic s ar running and why, th n you n d to
r -think your approach to s curing your for nsic workstation.

So what do s th comsat s rvic do? W can simply run th man command on th


s rv r program that is call d. In this cas , th program is in.comsat. If w run man
in.comsat, w s that this is th s rvic us d to notify a us r of incoming mail (biff).

Now w 'r going to dig a littel d p r and l arn about som oth r Linux commands and
fiel s (that b ing th point of this guid and allN) as w disabl and r - nabl th s rvic . Pay
atte ntion to th output of th s commands on your workstation, r gardl ss of th distribution.
Knowing what is “normal” for your particular s tup allows you to r cogniz wh n things hav
chang d, ith r through malicious int nt or by accid nt.

The following commands, as with v rything ls in this guid , ar b st l arn d by


hands on xp rim ntation – k ping in mind that if you ar not using Slackwar , your output
is lik ly to diffo r, sp cially if TCP wrapp rs is not b ing us d in what v r distribution you
might happ n to b running.

First w 'll xplor th n twork port b ing us d by th s rvic , and s if it is running.


W know th s rvic is call d comsat. W can us th /etc/services fiel to d t rmin th
port numb r to s rvic nam mapping.

root@forensic1:~# cat /etc/services | grep comsat


biff 512/udp comsat #used by mail system to notify users

So, using th grep command to fiend th lin containing comsat w fiend that it is using
UDP port 512. To d t rmin if port 512 is op n, w can us th netstat command:

root@forensic1:~# netstat -anu


Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 0.0.0.0:512 0.0.0.0:*
udp 0 0 0.0.0.0:37 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*

The netstat command t lls us about op n, running and list ning s rvic s on our
syst m. W us th -a flaag to show list ning and non-list ning sock ts (a “list ning sock t” is
on that is awaiting incoming conn ctions). W also add th -n flaag to display num ric
port/addr ss numb rs rath r than atte mpt to pars s rvic nam s. The last option, -u, displays
only UDP s rvic s. If you run netstat by its lf, th output is a littel ov rwh lming. W par
it down signifiecantly by limiting th protocols w ar int r st d in s ing. Our netstat
command do s show that UDP port 512 is op n.

67
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Going back to th /etc/inetd.conf fiel , w will add a # to th start of th lin for


comsat. Us th vi ditor to add th #, comm nting out th lin :

root@forensic1:~# vi /etc/inetd.conf
...
# The comsat daemon notifies the user of new mail when biff is set to y:
#comsat dgram udp wait root /usr/sbin/tcpd in.comsat
...

Onc th lin is comm nt d out, w n d to r start th inetd da mon. W can do this


by running th rc script dir ctly with th restart argum nt. Wh n w r ch ck our netstat
output, w s th s rvic is no long r running.

root@forensic1:~# /etc/rc.d/rc.inetd restart

root@forensic1:~# netstat -anu


Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 0.0.0.0:37 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*

At this point, you can uncomm nt th comsat lin in /etc/inetd.conf and r start th
da mon again if you choos . The purpos of this x rcis was to introduc you to num rating
running s rvic s and manipulating th TCP wrapp rs confieguration.

B for w ar fienish d discussing TCP wrapp rs, w still n d to d al with th acc ss


control fiel s. For illustration purpos s, l t's mak sur w can conn ct from an xt rnal host to
our for nsic workstation via ssh. R m mb r, w l ftw th rc.sshd script x cutabl , so th
s rvic is runningNand at this point w hav not s t any acc ss controls. W can s th op n
SSH port with our netstat command looking for TCP ports this tim , with th -t option.
(Not th duplicat port 22 ntry for IPV6).

root@forensic1:~# netstat -ant


Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:37 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN

68
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

The b low command r sults in a succ ssful conn ction as us r barry from th xt rnal
host hermes to our for nsic workstation forensic1. Not th chang in th command prompt
on th last lin :

bgrundy@hermes:~# ssh -l barry forensic1


barry@forensic1's password:
Last login: Mon Apr 17 10:31:05 2017 from hermes
Linux 4.4.38.
barry@forensic1:~$

W ar now logg d into our for nsic workstation (forensic1) from a diffo r nt
comput r (hermes). The SSH s rvic is uniqu in that you will not fiend an ntry in
/etc/inetd.conf. The support for TCP wrapp rs is int rnal to SSH. It do s not n d to b
manag d by /etc/tcpd.

As pr viously m ntion d, th r ar two acc ss control fiel s utiliz d by TCP wrapp rs:
/etc/hosts.deny, which s ts th syst m wid d fault policy for acc ss d nial, and
/etc/hosts.allow, which can th n b us d to pok hol s in th d ni d conn ctions. Both of
th s fiel s tak on th sam basic syntax:

services: systems

W start with /etc/hosts.deny and us it to t ll TCP wrapp rs to d ny all incoming


conn ctions to all s rvic s. W do this by diting th fiel and adding th string ALL:ALL on
on singl lin . Wh n you fierst op n th fiel for diting, you'll notic that th r ar no lin s
that do not start with a # sign. Theat m ans th ntir fiel is just comm nts with no r al
cont nt. Onc w add our singl lin , it will look lik this:

root@forensic1:~# cat /etc/hosts.deny


#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# Version: @(#)/etc/hosts.deny 1.00 05/28/93
#
# Author: Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org
#
#

ALL:ALL

# End of hosts.deny.

69
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Now any incoming conn ctions to s rvic s manag d by TCP wrapp rs will b d ni d.
Not that this in NOT a fier wall. It is simply acc ss control to s rvic s running on th curr nt
syst m. Sinc this is hosts.deny, w ar simply saying “DENY all conn ctions from all
hosts”.

Wh n w try and ssh into our workstation from an xt rnal host, w g t no


conn ction:

bgrundy@hermes:~# ssh -l barry forensic1


ssh_exchange_identification: read: Connection reset by peer

Onc again, in th xampl abov , I'm again trying to log into my for nsic workstation
(host nam forensic1) from a diffo r nt comput r (host nam hermes). The conn ction is
d ni d.

Now that w hav s t a “d fault d ny” policy, l t's pok a hol in th sch m by adding
an allow d s rvic in. W 'll continu to us sshd as an xampl , sinc I lik having acc ss via
ssh and will l av it op n anyway.

To allow acc ss to a s rvic , w dit th /etc/hosts.allow fiel and add a lin for ach
s rvic in th sam services:systems format.

Wh n w add an SSH xc ption for our local n twork to hosts.allow, our sshd
xc ption will look lik this:

root@forensic1:~# cat /etc/hosts.allow


#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided by
# the '/usr/sbin/tcpd' server.
#
# Version: @(#)/etc/hosts.allow 1.00 05/28/93
#
# Author: Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org
#
#

sshd:192.168.55.

# End of hosts.allow.

70
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Theis basically r ads as “ALLOW conn ctions to sshd from syst ms only on th
192.168.55.0 n twork”. Theis limits conn ctions to originating from machin s on my local
for nsic n twork only. R ad th man pag and adjust to your n ds.

Und rstanding inetd.conf, and diting hosts.deny and hosts.allow giv s us a good
start on our s curity confieguration. For a typical for nsic workstation, this is pr ttey much as
simpl as it n ds to b at th host l v l. For many for nsic practition rs, simply comm nting
out th lin s in inetd.conf, adding “ALL:ALL” to hosts.deny and l aving hosts.allow
totally mpty might b sufficci nt.

R m mb r, though, that TCP wrapp rs only controls acc ss to thos s rv rs and


s rvic s that ar actually handl d by th inetd da mon. In ord r to actually fielt r trafficc at th
n twork int rfac , w 'll n d to s t up a host bas d fier wall.

Host Based Firewall with iptables

It is common practic for many for nsic practition rs using oth r op rating syst ms to
utiliz som sort of host bas d fier wall program to monitor th ir workstation's n twork
conn ctions and provid som form of bas lin prot ction from unsolicit d acc ss. You may
want to do th sam thing on your Linux workstation, or you may, in som cas s, b r quir d
to run a host bas d fier wall by ag ncy or corporat policy. In any v nt, th most commonly
us d Linux quival nt for this sort of thing is th iptables n twork pack t fielt r.

Of all th subj cts cov r d in this guid , this is on of th mor compl x, with littel
dir ct r lationship to actual for nsic practic . It is, how v r, too important not to cov r if w
ar going to discuss workstation s curity. A host bas d fier wall may not b a r quir m nt for a
good for nsic workstation, sp cially giv n that many ag nci s and compani s ar alr ady
working in a w ll prot ct d (or air gapp d) n twork nvironm nt. How v r, in my humbl
opinion, it's still a v ry good id a. It's all too common to s novic Linux us rs r ly compl t ly
on th notion that Linux is “just mor s cur ” than oth r op rating syst ms. And I know from
p rsonal xp ri nc that th r ar digital for nsic practition rs out th r that hav fully
conn ct d workstations and don’t tak th s pr cautions.

Unlik most of th oth r subj cts cov r d in this confieguration s ction, iptables
r quir s a bit mor xplanation to ffo ctiv ly s t it up from scratch than I'm willing to put in a
simpl practition r's guid . As a r sult, rath r than giving a d tail d d scription and st p by
st p instructions, w ar going to bri flay discuss how to vi w th iptables confieguration and
provid a bas lin script to g t th r ad r start d. Our “bas lin ” script has b n provid d by
Robby Workman (http://www.rlworkman.net ).

First, w n d to mak sur w und rstand th diffo r nc s b tw n th prot ctions


provid d by TCP wrapp rs vs. iptables. As w m ntion d arli r, TCP wrapp rs blocks
acc ss at th application l v l, wh r as iptables blocks n twork trafficc at th sp cifie d
int rfac . Theis is an important distinction. iptables ss ntially sits b tw n th n twork and
TCP wrapp rs and acc pts or r j cts n twork pack ts at th k rn l l v l.

71
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

In simpl t rms, iptables d als with chains. The INPUT chain for incoming trafficc, th
OUTPUT chain for outgoing trafficc, and th FORWARD chain that handl s trafficc with n ith r its
origin or d stination at th fielt r d int rfac . The s chains hav d fault polici s, to which
additional rul s can b app nd d.

L t's hav a look at our d fault iptables confieguration (in this cas “d fault” m ans
“ mpty confieguration”). To do this w can us iptables with th -S option to display th
rul s within ach chain. If you do not provid th chain nam ( INPUT, for xampl ), th n th
command will list all th chains and th ir rul s, starting with th d fault polici s:

root@forensic1:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

So th abov command lists th polici s for ach chain along with any rul s that may
hav b n add d. As you can s from th output h r , th d fault polici s ar ACCEPT, and
th r ar no oth r rul s. Non of our n twork trafficc is b ing fielt r d.

It is oftw n d sirabl to hid our syst ms from all n twork trafficc, including ping trafficc.
With our mpty iptables confieguration, from an xt rnal host, w can ping our for nsic
workstation,(192.168.55.32) and th ICMP pack ts com though:

bgrundy@hermes:~# ping 192.168.55.32


PING 192.168.55.32 (192.168.55.32) 56(84) bytes of data.
64 bytes from 192.168.55.32: icmp_seq=1 ttl=64 time=0.185 ms
64 bytes from 192.168.55.32: icmp_seq=2 ttl=64 time=0.249 ms
64 bytes from 192.168.55.32: icmp_seq=3 ttl=64 time=0.292 ms
^C
--- 192.168.55.32 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.185/0.242/0.292/0.043 ms

Now w ar going to cr at an iptables script bas d h avily on th on found at


http://www.rlworkman.net/conf/firewall/rc.firewall.desktop.generic

Hav a look at th following v rsion of th script, cr at d with vi (I’m told this is a


good x rcis in vi ditingN), which w ’ll sav as /etc/rc.d/rc.firewall. It's important
that you g t th nam right as this is anoth r script that is call d from /etc/rc.d/rc.inet2,
as w discuss d arli r. Onc th script is cr at d and sav d, l t's hav a look at it.

72
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

root@forensic1:~# less /etc/rc.d/rc.firewall


# Define variables
IPT=/usr/sbin/iptables # change if needed
EXT_IF=eth0 # external interface (connected to Internet)

# Enable TCP SYN Cookie Protection


if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi

# Disable ICMP Redirect Acceptance


echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Do not send Redirect Messages


echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Set default policy to DROP


$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Flush old rules


$IPT -F

# Allow loopback traffic


$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Allow packets of established connections and those related to them


$IPT -A INPUT -i $EXT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow all outgoing packets


$IPT -A OUTPUT -o $EXT_IF -j ACCEPT

# Allow incoming ssh from Internet


$IPT -A INPUT -i $EXT_IF -p tcp --dport 22 --syn -m conntrack \
--ctstate NEW -j ACCEPT

The fiel , shown abov , starts with variabl d fienitions, follow d by a numb r of lin s
that s t various k rn l param t rs for b tte r s curity. W th n continu with s tteing all th
d fault polici s for INPUT, OUTPUT and FORWARD to th far mor s cur DROP, rath r than simply
ACCEPT. The n w d fien rul s that ar app nd d ( -A) to th various chains. Also not that I
uncomm nt d th last lin in th script, r f rring to TCP trafficc ( -p tcp) on d stination port 22
(--dport 22). Theis will allow SSH trafficc in.

73
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

With th fiel sav d to /etc/rc.d/rc.firewall w start it by making th fiel


x cutabl . The fier wall script, if it xists and has x cutabl p rmissions, will b call d from /
etc/rc.d/rc.inet2. Ch ck th p rmissions on th fiel , chang th m to x cutabl (using
chmod) and ch ck again. W can load th rul s by simply calling th script xplicitly:

root@forensic1:~# ls -l /etc/rc.d/rc.firewall
-rw-r--r-- 1 root root 1195 Mar 12 2011 /etc/rc.d/rc.firewall

root@forensic1:~# chmod 755 /etc/rc.d/rc.firewall

root@forensic1:~# ls -l /etc/rc.d/rc.firewall
-rwxr-xr-x 1 root root 1195 Mar 12 2011 /etc/rc.d/rc.firewall*

root@forensic1:~# sh /etc/rc.d/rc.firewall

With th last command in th s ssion illustrat d abov , w hav x cut d th fier wall
script and now wh n w look at our iptables confieguration, w s th rul s in plac :

root@forensic1:~# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m
conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT

H r w s th d fault polici s ( -P) ar now s t to DROP and w hav s v ral rul s in


ach chain. The lin s starting with -A signify that w ar appending a rul to our chain. Not
that sinc our d fault policy is to drop all incoming trafficc, and th r is no xplicit rul to allow
incoming ICMP trafficc, w can no long r ping our for nsic workstation from an xt rnal host.
W can, how v r, conn ct with SSH sinc w hav a rul that acc pts TCP trafficc on
d stination port 22 (assuming you un-comm nt d th last lin of th script and assuming th
SSH s rv r is running on th d fault port).

bgrundy@hermes:~# ping 192.168.55.32


PING 192.168.55.32 (192.168.55.32) 56(84) bytes of data.
^C
--- 192.168.55.32 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 5999ms

74
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

In th s ssion abov , I am to ping th for nsic workstation (at IP 192.168.55.32) from


a host call d hermes. If you n d to allow oth r trafficc, th r ar many tutorials and xampl s
on th Int rn t to work from. Theis is a v ry simpl and g n ric host bas d n twork pack t
fielt r. And as with th oth r subj cts in this guid , it is m ant to provid a prim r for
additional l arning.

Updating the Operating System

K ping th op rating syst m up to dat is an important part of workstation s curity.


Most Linux distributions com with som sort of m chanism for k ping th OS up to dat
with th lat st s curity and stability patch s. If you choos to us a distribution oth r than
Slackwar , th n b sur to ch ck th appropriat docum ntation.

▪ D bian and Ubuntu - synaptic, aptitude


▪ F dora - yum
▪ Arch Linux - pacman
▪ G ntoo – portage
▪ Slackwar - slackpkg

From th p rsp ctiv of a for nsic workstation, Slackwar tak s a particularly


cons rvativ (and th r for saf ) approach to updating th op rating syst m. Onc a
Slackwar r l as is consid r d “stabl ”, th addition of updat d library and binary packag s is
g n rally limit d to thos r quir d for a prop rly patch d OS. Littel or no mphasis is plac d
on running th “lat st and gr at st” for th simpl sak of doing so. I would strongly sugg st
against continuously updating softwwar without having a good r ason (s curity patch s, for
xampl ). N w v rsions of critical librari s and syst m softwwar should always b t st d
b for us in a production for nsic nvironm nt – this do s not imply r -validation with v ry
updat . Theat's up to your own polici s and proc dur s.

Not that with som distributions, updating th OS on a r gular basis, without prop r
and oftw n compl x confieguration, can r sult in a doz n or so n w and updat d packag s v ry
coupl of w ks. In th cont xt of a stabl , w ll t st d for nsic platform, this is l ss than id al.
Also, Slackwar d v lop rs t nd not to patch upstr am cod , as is common among som oth r
distributions. Slackwar tak s th approach of “if it ain't brok , don't fiex it.”

Theis information is not m ant to disparag oth r distributions. Far from it. Any
prop rly administ r d Linux distribution mak s a fien for nsic platform. The s ar , how v r,
important consid rations if you ar running a for nsic workstation in any sort of litigious
s tteing. Too oftw n, Linux For nsics b ginn rs trust th ir platform to num rous unt st d,
d sktop ori nt d updat s, without thinking about pot ntial chang s in b havior that can, in
admitte dly limit d circumstanc s, rais qu stions.

75
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Using slackpkg

slackpkg is th d fault utility for k ping Slackwar up to dat . It's xtr m ly asy to
confiegur and us . The man pag provid s v ry cl ar instructions on using slackpkg along
with a good d scription of som of it's capabiliti s.

W start by picking a singl “mirror” (Slackwar r pository) list d in th slackpkg


confieguration fiel . Op n /etc/slackpkg/mirrors with vi (or your ditor of choic ). Un-
comm nt a singl lin and you'r r ady to go (d l t th # sign from th front of an addr ss).
The lin you un-comm nt n ds to b for th sp cifiec archit ctur (32 bit vs 64 bit, tc.) and
v rsion of Slackwar you ar running,8 and should b n ar your g ographic r gion (US, UK,
Poland, tc.).

Take note that “Slackware-current” is a development branch of Slackware and is NOT


suitable for our purposes. Do not select a mirror from the Slackware-current list.

The b low xampl shows an dit d /etc/slackpkg/mirrors fiel wh r a singl


mirror for a s rv r in th USA has b n un-comm nt d (bold for mphasis - not th # has
b n r mov d). The mirror w ar s l cting is for Slackwar 64-14.2. S l ct a mirror
appropriat for your location.

root@forensic1:~# vi /etc/slackpkg/mirrors
...
----------------------------------------------------------------
# Slackware64-14.2
#----------------------------------------------------------------
# USE MIRRORS.SLACKWARE.COM (DO NOT USE FTP - ONLY HTTP FINDS A NEARBY MIRROR)
http://mirrors.slackware.com/slackware/slackware64-14.2/
#
# AUSTRALIA (AU)
# ftp://ftp.cc.swin.edu.au/slackware/slackware64-14.2/
# http://ftp.cc.swin.edu.au/slackware/slackware64-14.2/
# ftp://ftp.iinet.net.au/pub/slackware/slackware64-14.2/
# http://ftp.iinet.net.au/pub/slackware/slackware64-14.2/
# ftp://mirror.aarnet.edu.au/pub/slackware/slackware64-14.2/
# http://mirror.aarnet.edu.au/pub/slackware/slackware64-14.2/
...

On pr caution you may want to tak with slackpkg is to add s v ral packag s to th
blacklist. The blacklist sp cifie s thos programs and packag s that w do not want
upgrad d on a r gular basis. W do this to avoid having to complicat p riodic s curity
updat s with chang s to our bootload r and oth r compon nts that add xc ssiv compl xity
8
Pay atte ntion to th archit ctur and v rsion. I mad a compl t mupp t of mys lf on th ##slackwar
IRC chann l on day, asking for h lp wh n I was trying to upgrad Slackwar 64 (64 bit OS), not knowing
I had s l ct d a 32 bit mirror and th r for d stroying my syst m wh n I updat d.

76
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

to our upgrad proc ss. In particular, w want to avoid (for now) having to go through all th
st ps r quir d to upgrad our k rn l packag s.

The blacklist fiel is locat d at /etc/slackpkg/blacklist and th r ar s v ral lin s


r garding k rn l upgrad s that ar includ d but comm nt d out. Un-comm nt thos lin s by
r moving th l ading # symbol, and add th additional lin s as shown so th fiel looks lik this
(in part):

root@forensic1:~# vi /etc/slackpkg/blacklist
...
# Automated upgrade of kernel packages aren't a good idea (and you need to
# run "lilo" after upgrade). If you think the same, uncomment the lines
# below
#
kernel-firmware
kernel-generic
kernel-generic-smp
kernel-headers
kernel-huge
kernel-huge-smp
kernel-modules
kernel-modules-smp
kernel-source
...

Wh n a critical updat to on of th k rn l packag s is r quir d, th lin s in th


blacklist can always b t mporarily comm nt d out and th packag s updat d as usual. If you
l av th lin s comm nt d out, you will g t p riodic k rn l upgrad s. Just r m mb r to run
/sbin/lilo to install th n w k rn l (you will b prompt d to anyway).

W 'v s l ct d our mirror and adjust d our blacklist d packag s, now it is simply a
matte r of updating our packag listNw do this with th simpl command slackpkg update,
which will download th curr nt fiel list (including patch s). Onc that is compl t , you run
slackpkg upgrade-all and you will b pr s nt d with a s l ction of packag s to upgrad
(minus th blacklist d packag s).

The man pag for slackpkg provid s asy to follow instructions. In a nutsh ll, for our
purpos s h r , usag is simply:

1. un-comm nt a mirror in /etc/slackpkg/mirrors


2. optionally add fiel s (or un-comm nt ntri s) in
/etc/slackpkg/blacklist
3. run slackpkg update
4. run slackpkg upgrade-all

77
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

I would strongly sugg st you tak a minut to r ad th chang log for th curr nt
v rsion of Slackwar you ar using. Und rstanding what you ar updating and why is an
important part of und rstanding your for nsic platform. It may s m t dious at fierst, but it
should b part of your common syst m maint nanc tasks. You can r ad th fiel
ChangeLog.txt at th mirror you s l ct d for updating your syst m, or simply go to:
https://mirror.SlackBuilds.org/slackware/slackware64-14.2/ChangeLog.txt wh n
updat s ar availabl .

Using th slackpkg m thod abov is th asi st way to k p your OS up to dat with


th lat st stable s curity fiex s and patch s. P riodically, you can run th slackpkg update and
slackpkg upgrade-all to k p your syst m up to dat . The fierst two st ps only n d to b
don onc on your syst m.

Onc again, if you ar not using Slackwar , b sur to ch ck your distribution's


docum ntation to d t rmin how b st to k p your workstation prop rly patch d. But pl as
continu to b ar in mind that “lat st and gr at st” do s not translat to “prop rly patch d”. An
important distinction.

Installing and Updating “External” Softwware

So w 'v discuss d using slackpkg for updating th OS packag s and k ping th


syst m prop rly patch d and updat d. What about “ xt rnal” softwwar , that is, softwwar that
is not includ d in a d fault installation, lik our for nsic utiliti s? The r ar a numb r of ways
w can install this “ xt rnal” softwwar on our syst m.

1. Compil from sourc


2. Us a pr -built packag (usually distro d p nd nt)
3. Build your own packag

Compiling From Source

Compiling from sourc is th most basic m thod for installing softwwar on Linux. It is
g n rally distribution agnostic and will work for any giv n packag on most distributions,
assuming d p nd nci s ar m t. Corr ctly us d, compiling from sourc has th b n fiet of
b ing tailor d mor to your nvironm nt, with b tte r optimization. The bigg st drawback is
that compiling from sourc , without car ful manipulation of confieguration fiel s, can “litte r”
your syst m with x cutabl s and librari s plac d in l ss than optimal locations. It can also
r sult in difficcult to manag upgrad paths for install d softwwar , or v n just trying to
r m mb r what you hav pr viously install d.

The sourc fiel s (containing sourc cod ) normally com in a packag commonly
r f rr d to as a “tarball”, or a tar.gz fiel (a gzip compr ss d tar archiv ). The archiv is
xtract d, th sourc is compil d, and th n an install script is x cut d to plac th r sulting
program fiel s and docum ntation in th appropriat dir ctori s. The following shows a v ry

78
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

abbr viat d vi w of a quick sourc compilation. The normal cours of commands us d is


(usually):

tar xzvf packagename.tar.gz


cd packagename
./configure
make
make install

First w xtract th packag and chang into th r sulting dir ctory. The ./configure
command9 s ts nvironm nt variabl s and nabl s or disabl s program f atur s bas d on
availabl librari s and argum nts. The make command compil s th program, using th
param t rs provid d by th r sults of th pr vious ./configure command. Finally, th make
install command mov s th compil d x cutabl s, librari s and docum ntation to th ir
r sp ctiv dir ctori s on th comput r. Not that make install is g n rally not distribution
awar , so th r sulting plac m nt of program fiel s might not fiet th conv ntions for a giv n
Linux distro, unl ss th prop r variabl s ar pass d during confieguration.

H r 's a quick illustration:

Onc w hav a packag download d, w xtract th tarball. Aftw r th packag has


b n xtract d, w chang into th r sulting dir ctory and th n run a “confiegur script” to
allow th program to asc rtain our syst m confieguration and pr par compil r options for our
nvironm nt. W do this by issuing th command ./configure:

root@forensic1:~# tar xzvf package.tar.gz


<package extracts>
root@forensic1:~# cd package/

root@forensic1:~#./configure
...
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
configure: autobuild project... package
...

Assuming no rrors, w typ make and watch th compil r go to work. Finally, w run
th command that prop rly installs both th tools to th prop r path, and any r quir d librari s
to th prop r dir ctori s. Theis is g n rally accomplish d with make install.

root@forensic1:~# make
Making all in lib
make[1]: Entering directory `/root/package/lib'
<continue compiler output>

9
The “./” indicat s that th configure command is run from th curr nt dir ctory.

79
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

root@forensic1:~# make install


Making install in lib
make[1]: Entering directory `/root/package'
make install-am
make[2]: Entering directory
<continues moving files to appropriate directories>

Our program is now install d and r ady to us . Knowing how to us sourc packag s
for softwwar installation is important part of und rstanding how Linux worksNjust k p in
mind that it's g n rally a b tte r id a to us distribution packag s (or cr at your own). Not
that th xampl shown abov is for sourc packag s built with autoconf/automak . You may
also run across softwwar that is Python or P rl bas d, tc. The s will diffo r in how th y ar
built and install d. Most sourc packag s will includ a README or INSTALL.txt fiel wh n
xtract d. R ad th m.

Unlik pr vious v rsions of this guid , w will avoid using this m thod of installing
softwwar from this point on.

Using Distribution Packages

As w 'v alr ady m ntion d, just about v ry Linux distribution has som sort of
“packag manag r” for installing and updating packag s. For updating and adding officcial
Slackwar softwwar (includ d in th distribution), w 'v introduc d using slackpkg. slackpgk
is actually a front nd to pkgtool, which handl s th work of adding and r moving softwwar
packag s from your syst m. For an xc ll nt ov rvi w of pkgtool, and its various commands,
hav a look at http://www.slackware.com/config/packages.php .

Slackwar packag s ar r ally just compr ss d archiv s that, wh n install d, plac th


packag fiel s in th prop r plac . To install a Slackwar packag , wh n w ar not using th
slackpkg front nd, w us th pkgtool command installpkg.

Our xampl h r will b a pr t nd Slackwar packag call d softwware. Slackwar


packag s ar g n rally nam d with th xt nsion tgz or txz (sinc th y ar r ally just
compr ss d archiv s). Onc you'v download d or pr par d your packag (our xampl is
call d software.tgz), you install it with th following command:

root@forensic1:~# installpkg software.tgz


Verifying package software.tgz.
Installing package software.tgz:
PACKAGE DESCRIPTION:
# software
#
# This is where you will find a description

80
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

# of the software package you are installing


#
#
#
# Homepage: http://www.software.homepage.com
#
Executing install script for software.tgz.
Package software.tgz installed.

Packag s can b similarly r mov d or upgrad d with removepkg or upgradepkg,


r sp ctiv ly.

You can fiend pr -mad packag s for all sorts of softwwar for many distributions all ov r
th Int rn t. The probl m with many of th m is that th y do not com from trust d sourc s
and you oftw n hav no id a what confieguration options w r us d to build th m.

As a g n ral rul of thumb, I always lik to build my own packag s for softwwar that is
not part of th Slackwar full installation. Theis allows m to build th softwwar with th
options I n d (or without on s I don’t), optimiz d for my particular syst m, and it furth r
allows m to control how th softwwar is v ntually install d. Luckily Slackwar provid s a
r lativ ly asy way to cr at packag s from sourc cod . SlackBuilds.

Building Packages – SlackBuilds

In short, a SlackBuild is a script that (normally) tak s sourc cod and compil s and
packag s it into a Slackwar .tgz (or .tzx) fiel that w can install using pkgtools.

The SlackBuild script handl s th confiegur options and optimizations that th script
author d cid s on (but ar visibl and ditabl by you), and th n installs th softwwar and
r lat d fiel s into a packag that follows Slackwar softwwar conv ntions for x cutabl and
librari s, wh r applicabl , and assuming th build author follows th t mplat . The scripts ar
asily ditabl if you want to chang som of th options or th targ t v rsion, and provid for
an asy, human r adabl way to control th build proc ss. SlackBuilds for a larg s l ction of
softwwar ar availabl at httep://www.SlackBuilds.org .

The SlackBuild its lf com s as a .tar.gz fiel that you xtract with th tar command.
The r sulting dir ctory contains th build script its lf. The script is nam d
software.SlackBuild, with softwwar b ing th nam of th program w ar cr ating a
packag for. The r ar normally four fiel s includ d in th SlackBuild packag :
• software.info giv s information about wh r to obtain th sourc cod , th
v rsion of th softwwar th script is writte n for, th hash of th sourc cod ,
r quir d d p nd nci s, and mor .
• README contains us ful information about th packag , pot ntial pitfalls, and
optional d p nd nci s.

81
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

• software.SlackBuild is th actual build script.


• slack-desc a bri f d scription of th fiel display d during install.

To build a Slackwar compatibl packag , you simply drop th sourc cod for th
softwwar into th sam dir ctory th SlackBuild is in and x cut th SlackBuild script. The
packag is cr at d and (normally) plac d in th /tmp dir ctory r ady for installation via
pkgtools.

Of cours , th r ar automat d tools to handl building Slackwar packag s for you.


You can ch ck out sbopkg, sbotools, slpkg and a f w oth rs.

A WORD OF CAUTION: B car ful about r lying sol ly on automat d tools for packag
manag m nt. R gardl ss of th platform you choos to run on, I would urg you to l arn how
to build packag s yours lf, or at th v ry l ast l arn how to d t rmin how to chang packag
options or at a minimum d t rmin what build options w r us d b for running softwwar .
Theis is not to say automat d tools ar badNbut on of th str ngths of Linux that w oftw n talk
about is th control it giv s us ov r our syst m. Controlling your syst m softwwar is on
asp ct of that. You can us automat d tools and still maintain controlNyou just n d to b
car ful. W will us that approach h r .

W will talk sp cifiecally about on of th packag tools you can us with Slackwar to
automat som of th mor mundan st ps w tak wh n installing softwwar . To illustrat th
build proc ss, w will install sbotools via a manual SlackBuild proc ss, and th n us
sbotools to assist us in building and installing th r maind r of th softwwar w ’ll us in this
guid .

First, w ’ll grab th SlackBuild from htteps://www.SlackBuilds.org . You can go to th


w bsit s arch and brows th packag s th r , but sinc w know th packag w want, w ll
us th wget tool to download it dir ctly. In th n xt s t of commands w ’ll accomplish th
following:
• download th SlackBuild tarball for sbotools with wget
• xtract th cont nts of th tarball with th tar command
• chang (cd) to th r sulting sbotools dir ctory and list th fiel s (ls)

root@forensic1:~# wget https://www.SlackBuilds.org/SlackBuilds/14.2/system/


sbotools.tar.gz

--2017-04-17 21:04:09--
https://www.SlackBuilds.org/SlackBuilds/14.2/system/sbotools.tar.gz
Resolving www.SlackBuilds.org (www.SlackBuilds.org)... 208.94.238.115
Connecting to www.SlackBuilds.org (www.SlackBuilds.org)|208.94.238.115|:443...
connected.
HTTP request sent, awaiting response... 200 OK
Length: 2038 (2.0K) [application/x-gzip]
Saving to: 'sbotools.tar.gz'

82
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

sbotools.tar.gz 100%[======================>] 1.99K --.-KB/s in 0s

2017-04-17 21:04:11 (117 MB/s) - 'sbotools.tar.gz' saved [2038/2038]

root@forensic1:~# ls
sbotools.tar.gz

root@forensic1:~# tar xzvf sbotools.tar.gz


sbotools/
sbotools/slack-desc
sbotools/README
sbotools/sbotools.SlackBuild
sbotools/sbotools.info

root@forensic1:~# cd sbotools

root@forensic1:~/sbotools# ls
README sbotools.SlackBuild* sbotools.info slack-desc

So what w ’v don up to this point is just download and xtract th SlackBuild


packag . Now w n d to g t th sbotools sourc packag in th sam dir ctory.

The sbotools.info fiel will h lp with this. W ’ll vi w that fiel and th n us th
information contain d th r in to download th sourc cod and ch ck th MD5 hash. The
MD5 hash is a valu that l ts us know th fiel w download is what w xp ct. Using wget
and th URL provid d in th DOWNLOAD fie ld, th sourc cod for sbotools will nd up in th
sam dir ctory.

root@forensic1:~/sbotools# cat sbotools.info


PRGNAM="sbotools"
VERSION="2.3"
HOMEPAGE="http://pink-mist.github.io/sbotools/"
DOWNLOAD="http://pink-mist.github.io/sbotools/downloads/sbotools-2.3.tar.gz"
MD5SUM="9b75255e9f3f93717e3f7f75a2e02da8"
DOWNLOAD_x86_64=""
MD5SUM_x86_64=""
REQUIRES=""
MAINTAINER="Andreas Guldstrand"
EMAIL="andreas.guldstrand@gmail.com"

root@forensic1:~/sbotools# wget http://pink-mist.github.io/sbotools


/downloads/sbotools-2.3.tar.gz
--2017-04-17 22:11:16--
http://pink-mist.github.io/sbotools/downloads/sbotools-2.3.tar.gz
Resolving pink-mist.github.io (pink-mist.github.io)... 151.101.20.133

83
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Connecting to pink-mist.github.io (pink-mist.github.io)|151.101.20.133|:80...


connected.
HTTP request sent, awaiting response... 200 OK
Length: 43885 (43K) [application/octet-stream]
Saving to: 'sbotools-2.3.tar.gz'

sbotools-2.3.tar.gz 100%[======================>] 42.86K --.-KB/s in


0.03s

2017-04-17 22:11:16 (1.39 MB/s) - 'sbotools-2.3.tar.gz' saved [43885/43885]

root@forensic1:~/sbotools# ls
README sbotools-2.3.tar.gz sbotools.info
sbotools.SlackBuild* slack-desc

root@forensic1:~/sbotools# md5sum sbotools-2.3.tar.gz


9b75255e9f3f93717e3f7f75a2e02da8 sbotools-2.3.tar.gz

The output from our md5sum command on th download d sourc match s th MD5SUM
fie ld in th sbotools.info fiel , so w know our download is good.

Theis is wh r , if w hav not alr ady don so, w n d to r ad th README fiel (using
cat or less)...und rstand th cav ats and possibl optional d p nd nci sNand th n compil
our sourc cod and mak our Slackwar .tgz packag . The latte r two st ps ar simply
accomplish d by calling th SlackBuild fiel its lf with ./sbotools.SlackBuild:

root@forensic1:~/sbotools# ./sbotools.SlackBuild
sbotools-2.3/
sbotools-2.3/sboclean
sbotools-2.3/man5/
sbotools-2.3/man5/sbotools.conf.5
...
Checking if your kit is complete...
Looks good
...
Creating Slackware package: /tmp/sbotools-2.3-noarch-1_SBo.tgz
...usr/man/man1/sbosnap.1.gz
usr/man/man5/
usr/man/man5/sbotools.conf.5.gz

Slackware package /tmp/sbotools-2.3-noarch-1_SBo.tgz created.

And looking at th last lin of th output, w s that w hav a usabl .tgz Slackwar
packag cr at d for us in /tmp. All w n d to do now is install th packag with installpkg
from pkgtools:

84
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

root@forensic1:~/sbotools# installpkg /tmp/sbotools-2.3-noarch-1_SBo.tgz


Verifying package sbotools-2.3-noarch-1_SBo.tgz.
Installing package sbotools-2.3-noarch-1_SBo.tgz:
PACKAGE DESCRIPTION:
# sbotools (ports-like interface to SlackBuilds.org)
#
# sbotools is a set of perl scripts providing a ports-like automation
# interface to SlackBuilds.org. Its features include requirement
# handling and the ability to handle 32-bit and compat32 builds on
# multilib x86_64 systems.
#
# https://pink-mist.github.io/sbotools/
#
Package sbotools-2.3-noarch-1_SBo.tgz installed.

Using the Automated Package Tool sbotools

So, now w ’v install d sbotools, and w ar going to us it in li u of all th


downloading, md5 ch cks, xtracting and building. It is xtr m ly important that w r main
mindful of th README fiel s and nsur that w don’t allow th automation to mak us
complac nt. R ad th docum ntation for ach packag you ar installing and b familiar with
what it is doing to your syst m along with what options you may want to nabl or disabl .

The v ry fierst tim w call sbotools, w n d to initializ th SlackBuild r pository. By


d fault, sbotools (via sbosnap) will pull th ntir SlackBuilds tr (from SlackBuilds.org
[sbo]) and plac it in /usr/sbo/repo.

root@forensic1:~/sbotools# sbosnap fetch


Pulling SlackBuilds tree...
87,402,684 100% 3.73MB/s 0:00:22 (xfr#45484, to-chk=0/52275)

root@forensic1:~/sbotools# ls /usr/sbo/repo
CHECKSUMS.md5 TAGS.txt desktop/ ham/ office/
CHECKSUMS.md5.asc TAGS.txt.gz development/ haskell/ perl/
ChangeLog.txt academic/ doit.sh libraries/ python/
README accessibility/ games/ misc/ ruby/
SlackBuildS.TXT audio/ gis/ multimedia/ system/
SlackBuildS.TXT.gz business/ graphics/ network/

Onc this is don , you can s arch, install and upgrad packag s and th ir initial
d p nd nci s all from singl commands using th following commands:

sbofind : s arch for packag s bas d on nam s and k ywords

85
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

sbocheck : updat th r pository and id ntify packag s that n d upgrading


sboinstall : install a packag (and it’s d p nd nci s)
sboupgrade : upgrad an alr ady install d packag

W ’ll b using sbotools to install softwwar throughout th r maind r of this docum nt.
But l ts start with a quick xampl of a simpl installation for som anti-virus/malwar
d t ction softwwar that w ’ll cov r lat r.

I hav a cl an Slackwar install with a singl xt rnal softwwar packag , sbotools,


install d. Now I want to install mor softwwar . L t’s start with ClamAV ( clamav), a
virus/malwar scann r. W fierst us sbofind to s arch for clamav. W th n narrow our
s arch and tak a quick look at th README fiel . The n w simply run sboinstall to download,
ch ck, build and install th packag for us. The shortcut to all this is to simply typ
sboinstall clamav and w ’r don . But I pr f r a mor cautious approach.

First, l t’s s arch for availabl packag s that match clamav:

root@forensic1:~# sbofind clamav


SBo: thunar-sendto-clamtk
Path: /usr/sbo/repo/desktop/thunar-sendto-clamtk

SBo: clamav-unofficial-sigs
Path: /usr/sbo/repo/network/clamav-unofficial-sigs

SBo: clamav
Path: /usr/sbo/repo/system/clamav

SBo: clamsmtp
Path: /usr/sbo/repo/system/clamsmtp

SBo: clamtk
Path: /usr/sbo/repo/system/clamtk

The clamav packag is th third on down. Now I’m going to run sbofind again, but
this tim limit th output to an xact match for clamav (-e) with no tags (-t) and vi w th
README fiel for th packag (-r).

root@forensic1:~# sbofind -t -e -r clamav


SBo: clamav
Path: /usr/sbo/repo/system/clamav
README:
Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose
of this software is the integration with mail servers (attachment
scanning). The package provides a flexible and scalable multithreaded
daemon, a command line scanner, and a tool for automatic updating via
Internet.

86
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

This build script should build a package that "just works" after
install. You will need to specify a two-letter country code (such as
"us") as an argument to the COUNTRY variable when running the build
script (this will default to "us" if nothing is specified). For
example:
COUNTRY=nl ./clamav.SlackBuild

Groupname and Username

You must have the 'clamav' group and user to run this script,
for example:

groupadd -g 210 clamav


useradd -u 210 -d /dev/null -s /bin/false -g clamav clamav

Configuration
See README.SLACKWARE for configuration help.

And what w hav h r is a p rf ct xampl of why w r ad th README fiel s prior to


installing softwwar . In ord r to mak it run corr ctly, w n d to mak sur w hav a group
and us r call d clamav. The commands w n d to accomplish this ar provid d right in th
README. So w run thos and th n w ar r ady to install th softwwar . You can v n allow
sbotools to run th commands for you, but I would sugg st you run th m yours lf and d clin
th prompt in th sboinstall command. clamav also has a s condary README.Slackware fiel
with additional instructions for running th program as a mail scann r. You can l ct to r ad
that as w ll, if you lik , though w won’t b s tteing that up in this xampl .

root@forensic1:~# groupadd -g 210 clamav

root@forensic1:~# useradd -u 210 -d /dev/null -s /bin/false -g clamav clamav

root@forensic1:~# sboinstall clamav

Now sbotools will download, ch ck, unpack, confiegur , build and fienally install th
packag for us. W ’ll continu to us this m thod to install softwwar through th r st of this
guid . W will cov r ClamAV usag lat r in this docum nt.

R m mb r w can p riodically us sbocheck to s if w hav any xt rnal softwwar


that n ds updating (r call that slackpkg update is us d for officcial Slackwar packag s).

W ’ll also install anoth r packag w talk d about pr viously. Back wh n w did our
initial syst m inv ntory, w d scrib d th lshw command. W can install that asily from
SlackBuilds.org using sboinstall.

87
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

First, l t’s mak sur w can fiend lshw, and th n r ad th README fiel :

root@forensic1:~# sbofind lshw


SBo: lshw
Path: /usr/sbo/repo/system/lshw

root@forensic1:~# sbofind -r lshw


SBo: lshw
Path: /usr/sbo/repo/system/lshw
README:
lshw (Hardware Lister) is a small tool to provide detailed information on
the hardware configuration of the machine. It can report exact memory
configuration, firmware version, mainboard configuration, CPU version and
speed, cache configuration, bus speed, etc. on DMI-capable x86 or EFI
(IA-64) systems and on some PowerPC machines (PowerMac G4 is known to work).

Information can be output in plain text, XML, or HTML.

It currently supports DMI (x86 and EFI only), OpenFirmware device tree
(PowerPC only), PCI/AGP, ISA PnP (x86), CPUID (x86), IDE/ATA/ATAPI, PCMCIA
(only tested on x86), USB, and SCSI.

On x86, lshw needs to be run as root to be able to access DMI information


from the BIOS. Running lshw as a non-root user usually gives much less
detailed information.

Wh n w actually run th sboinstall command, th README is display d by d fault


anyway, but w show it abov for xplicitn ss. I pr f r to r ad th README b for th install
command so I know what to xp ct and what cav ats to pr par for. And now w simply
install th build:

root@forensic1:~# sboinstall lshw


...
Proceed with lshw? [y]
...
Install queue: lshw

Are you sure you wish to continue? [y]


...
Executing install script for lshw-B.02.18-x86_64-1_SBo.tgz.
Package lshw-B.02.18-x86_64-1_SBo.tgz installed.

Cleaning for lshw-B.02.18...

88
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

On fienal not on packag manag m nt. A compl t list of packag s install d on your
syst m is maintain d in /var/log/packages. You can brows that dir ctory to s what you
hav install d, as w ll as vi w th fiel s th ms lv s to s what was install d with th packag .
On nic thing about using SlackBuilds is that an SBo tag is add d to th packag nam . W
can grep for this tag in /var/log/packages and s xactly which xt rnal packag s w hav
install d via SlackBuilds. Theis is on of th gr at advantag s of using a packag manag r vs.
simply compiling and installing softwwar from sourc dir ctlyNth ability to track what
v rsions of which packag s ar install d.

W hav just install d thr packag s using build scripts from SlackBuilds.org. On via
manual download (sbotools), and two via sbotools (clamav and lshw). W can us gr p to
s this within th /var/log/packages dir ctory (assuming this is a cl an Slackwar syst m
and you’v install d no oth r .tgz or .txz Slackwar packag s):

root@forensic1:~# ls /var/log/packages/ | grep SBo


clamav-0.99.2-x86_64-1_SBo
sbotools-2.3-noarch-1_SBo
lshw-B.02.18-x86_64-1_SBo

Wh n it com s tim to upgrad (or ch ck for updat s to) softwwar w ’v install d via
sbotools/SlackBuilds, youcan us sbocheck. Running this command will f tch a fr sh
SlackBuilds tr from SlackBuilds.org and compar your install d packag s to thos curr ntly
availabl .

root@forensic1:~# sbocheck
Updating SlackBuilds tree...
0 0% 0.00kB/s 0:00:00 (xfr#0, to-chk=0/39779)
Checking for updated SlackBuilds...

sbotools 2.3 < needs updating (2.4 from SBo)

A copy of the above result is kept in /var/log/sbocheck.log

W can s from th output that a n w v rsion of sbotools is availabl . To upgrad ,


w simply us th command sboupgrade (y s, w ar using sbotools to upgrad sbotools):

root@forensic1:~# sboupgrade sbotools

sbotools (ports-like interface to SlackBuilds.org)


...
Package sbotools-2.4-noarch-1_SBo.tgz installed.

Package sbotools-2.0-noarch-1_SBo upgraded with new package /tmp/sbotools-2.4-


noarch-1_SBo.tgz.

89
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Cleaning for sbotools-2.4…

root@forensic1:~# sboinstall -v
sbotools version 2.4
licensed under the WTFPL
<http://sam.zoy.org/wtfpl/COPYING>

Don’t b confus d by th fact that w ar upgrading sbotools h r . You us sbocheck


and sboupgrade to install any softwwar you’v pr viously install d via SlackBuilds (for th
most partNth r ar xc ptions). Theis provid s us an asy way to install and upgrad xt rnal
packag s, in a Slackwar fri ndly format, with minimal fuss.

The arli r caution still stands. Mak sur you und rstand what you ar installing and
always always r ad th README fiel .

90
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

VII. Linux and Forensics


Evidence Acquisition

In this s ction w ’ll run through a f w of th acquisition tools that ar availabl to us.
W ’ll cov r som of th coll ction issu s, d vic information, imag v rifiecation and mor
advanc d mounting options. Obviously, th fierst thing w n d to do is mak sur w hav a
prop r plac to output th r sults of our imaging and analysis.

As w go through th following s ctions, try and us an old (small r) hard driv to


follow along. Find an old SATA driv (th on I’m using is 40GB) and atteach it to you
comput r, ith r to th SATA bus dir ctly, or through a USB (3.x) bridg . Theat way you can
follow along with th commands and compar th output with what w hav h r . You can
v n us a USB thumb driv , but th n th output for som of th m dia information coll ction
s ctions will not provid comparabl output. The b st way to l arn this mat rial is to actually
do it and xp rim nt with options.

Analysis Organization

B for w start coll cting vid ntiary imag s and information that might b com us ful
in a court or an administrativ h aring, w might want to mak sur w stor all this data in an
organiz d fashion. Obviously this is not som thing sp cifiec to Linux, but w n d to mak sur
w hav s v ral fiel syst m locations r ady to stor and r tri v data:
1. Cas sp cifiec dir ctori s or volum s us d to stor for nsic imag s for a giv n cas .
2. Cas sp cifiec dir ctori s for storing for nsic softwwar output and subj ct m dia
information.
3. Sp cifiec dir ctori s to b us d as mount points for vid nc imag s.
4. A log fiel of our actions. Docum ntation and not taking ar an imp rativ part of
prop r for nsics.

Wh r v r you might stor your cas data, you’ll want to k p it organiz d. In most
cas s, wh n conducting an analysis, you’ll want to mak sur you ar using “working copi s”
rath r than th actual imag fiel s. Theis go s without saying. Practition rs will oftw n coll ct
imag s or oth r data dir ctly as vid nc . Copi s will th n m mad of that vid nc , with th
originals b ing plac d in som sort of controll d storag and additional copi s (p rhaps
multipl additional copi s) b ing mad as “working copi s”. W will discuss th simpl
cr ation of dir ctori s to stor th s fiel s as w mov through th upcoming pag s. For
start rs, though, w will at l ast n d a plac to stor imag s and m dia information, both for
our vid nc and for our working copy(s). The following is just an xampl of how you might
organiz th various dir ctori s in which you ar storing data. Obviously nothing will b
writte n to th subj ct disk (th disk w ar analyzing). The in th n xt s ction will d scrib

91
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

how to id ntify th corr ct disks so you don’t confus th subj ct disk with th disk or volum
you will us to writ your imag s to.

NOTE: All of th s pr paration st ps should b tak n before you conn ct a subj ct disk to your
workstation to minimiz th chanc s of writing to th wrong driv . Prop r lab s tup
(d dicat d imaging workstations or imag s storag , tc.) is outsid th scop of this docum nt.
For simplicity and illustration, w ’ll assum you hav a singl workstation and will b
coll cting an imag from on driv (subj ct) to imag fiel s on a mount d volum or local
dir ctory.

You may also want to pr par your vid nc driv by wiping and v rifying. W ’ll also
cov r that lat r onc w ’v had a b tte r introduction to imaging tools.

On th vid nc driv (wh r vid nc imag s ar to b stor d10) you might want to
cr at a top l v l dir ctory with a cas numb r or oth r uniqu id ntifie r for imag s.
D p nding on th tool you us to acquir , an acquisition log might b plac d in this dir ctory
(or sp cifie d location). The only oth r fiel s that might normally b k pt with th original
vid nc imag s would b th acquisition log (mor on that lat r) and p rhaps th m dia
information fiel s (mor on that lat r as w ll). Pay attention to the prompts in the
following examples to ensure you have root permissions when needed (like when
writing to the /mnt directory).

First, in ord r to mak sur you hav nough room on your targ t storag , you can run
th df -h command. Theis “disk fr ” command will show you th fr spac on ach of your
mount points. For xampl , If you hav a 1TB vid nc driv plugg d into your syst m, you
confierm it’s d t ction, and prop r id ntifiecation, mount it, and th n ch ck th fr spac :

root@forensic1:~# lsscsi
...
[29:0:0:0] disk ST1000DM 003-1ER162 6207 /dev/sdh

root@forensic1:~# mkdir /mnt/evidence

root@forensic1:~# mount /dev/sdh1 /mnt/evidence

root@forensic1:~# df -h /mnt/evidence/
Filesystem Size Used Avail Use% Mounted on
/dev/sdh1 932G 190G 742G 21% /mnt/evidence

From this output, I can s that th fiel syst m mount d on /mnt/evidence has n arly
750GB of fr spac . The df command is us d with -h to giv “human r adabl ” output, and

Theis could b a mount d n twork shar or a physical disk or oth r storag m dia that will b us d to
10

contain th vid nc imag (s).

92
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

th mount point is pass d as an argum nt to limit th output. If giv n without argum nts, df
-h will show th fr spac on all mount d fiel syst ms.

For illustration in th following xampl s, and to k p th command lin s short and


unclutte r d, w will b writing our output to a local cas dir ctory. In th command b low, w
ar cr ating th case1 dir ctory in th root hom dir ctory (/root/case1):

root@forensic1:~# mkdir case1

root@forensic1:~# ls
case1/

Onc you’v pr par d th vid nc driv , you can conn ct th subj ct disk. K p in
mind our pr vious discussion r garding writ blocking. It’s always a good id a to us a
physical writ block r. A d fault install of Slackwar (using th XFCE d sktop, at l ast) will
not atte mpt to auto mount atteach d d vic s. But you should thoroughly t st your syst m
b for r lying on this (or any oth r op rating syst m).

Write Blocking

A quick word on th issu of writ prot cting disk driv s and oth r storag m dia. In
th past, much was mad about th ability to mount volum s as “r ad only” in Linux. Theis
should n v r b trust d oth r than to provid th v ry minimum of accid ntal chang s to a
working copy, or wh n no oth r options xist (and always docum nt thos instanc s). Theis
guid is about using tools, so whil cov ring acquisition policies is som what outsid th scop
of this docum nt, it b ars m ntioning that writ prot ction is som thing that should always b
k pt in mind. Mod rn computing nvironm nts ar xtr m ly compl x, and unl ss you’v
t st d v ry function in v ry possibl s tteing, th r ’s no way to b compl t ly c rtain that
som und rlying k rn l m chanism isn’t making unknown or un xp ct d writ s to poorly
prot ct d vid nc driv s through som pr viously unt st d int rfac or oth r m chanism.

Wh r v r possibl , b sur to us physical writ blocking. Theis can b as simpl as


th physical switch on r movabl m dia, or as xotic (and xp nsiv ) as purpos built for nsic
writ block rs. The r ar m thods availabl for “softwwar ” writ blocking (various k rn l
patch s and oth r scripts), but th s should b r li d upon only s cond to th capability to
physically block writ s at th hardwar l v l. W won’t b cov ring k rn l patching in this
docum nt. W ’ll bri flay cov r commands lik hdparm. The r ar oth r options that will l t you
s t d vic s as r ad only, as with blockdev, but again, your mil ag may vary on thos
t chniqu s. Many k rn l l v l hardwar s tteings tak plac aftw r th k rn l has alr ady had
acc ss to targ t m dia. Sp cifiec chang s to udev to try and pr v nt such acc ss ar outsid th
scop of this docum nt.

With th subj ct disk conn ct d, it’s tim for us to coll ct information about th driv ,
its capabiliti s, and sp cifiec id ntifiecation.

93
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Examining the Physical Media Information

Now w ar r ady to start coll cting information w ’ll n d to ffo ctiv ly acquir
vid nc from sourc m dia. On of th fierst things w ’ll n d to do is r -inv ntory our
syst m’s conn ct d d vic s to nsur that w id ntify th corr ct subj ct disk. Normally you
would hav tak n not s on th physical markings of th hard driv (or oth r m dia) as you
r mov d it from th subj ct comput r, tc. Som sugg st an nlarg d photocopy of th disk
lab l as part of th acquisition not s, providing a r liabl r cord of disk id ntifiecation.

In this particular cas , I will b using a USB to SATA bridg . B caus th r is som
translation going on h r , I want to mak sur I can id ntify th bridg as w ll as th disk
atteach d to it. So onc th bridg is atteach d and pow r d on, I can run lsusb to s its
information (bold for mphasis). If you ar using a dir ctly atteach d SATA driv , you will not
n d to run this command:

root@forensic1:~# lsusb
Bus 006 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
...
Bus 002 Device 007: ID 2109:0812 VIA Labs, Inc. VL812 Hub
Bus 002 Device 012: ID 174c:5106 ASMedia Technology Inc. ASM1051 SATA 3Gb/s bridge
Bus 002 Device 006: ID 2109:0812 VIA Labs, Inc. VL812 Hub
...

So knowing w ar d aling with a S agat 40GB hard disk (ST3405014AS) in a


USB/SATA bridg (ASM dia T chnology), w can id ntify its d vic nod b tte r with lsscsi:

root@forensic1:~# lsscsi
[0:0:0:0] disk ATA INTEL SSDSC2CT12 300i /dev/sda

94
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

[2:0:0:0] disk ATA Hitachi HDS72302 A5C0 /dev/sdb


[3:0:0:0] cd/dvd HL-DT-ST DVDRAM GH24NS90 IN01 /dev/sr0
[14:0:0:0] disk Generic- Compact Flash 1.00 /dev/sde
[14:0:0:1] disk Generic- SM/xD-Picture 1.00 /dev/sdf
[14:0:0:2] disk Generic- SD/MMC 1.00 /dev/sdg
[14:0:0:3] disk Generic- MS/MS-Pro 1.00 /dev/sdh
[31:0:0:0] disk ASMT 2105 0 /dev/sdc

In this cas , th driv its lf is not id ntifie d b caus lsscsi is qu rying th k rn l


sysfs for hosts atteach d to th syst m. It is not s nding qu ri s to ach host for information.

Now w can qu ry th disk atteach d to th host using hdparm. In this cas , th USB
bridg supports SATA translation, so commands “pass through” th bridg to th driv its lf.
Theis tool can provid both d tail d information as w ll as pow rful commands to s t options
on a disk. Som of th s options ar us ful for for nsic xamin rs.

First, how v r, w ar looking for information. For that w can us th simpl hdparm
with th -I option on our subj ct disk, /dev/sdc. Theis giv s d tail d information about th
disk that w can r dir ct to a fiel for our r cords.

root@forensic1:~# hdparm -I /dev/sdc

/dev/sdc:

ATA device, with non-removable media


Model Number: ST340014AS
Serial Number: 5MQ0QS22
Firmware Revision: 8.12
Standards:
Used: ATA/ATAPI-6 T13 1410D revision 2
Supported: 6 5 4
Configuration:
Logical max current
cylinders 16383 16383
heads 16 16
sectors/track 63 63
--
CHS current addressable sectors: 16514064
LBA user addressable sectors: 78125000
LBA48 user addressable sectors: 78125000
Logical/Physical Sector size: 512 bytes
device size with M = 1024*1024: 38146 MBytes
device size with M = 1000*1000: 40000 MBytes (40 GB)
cache/buffer size = 2048 KBytes
Capabilities:
LBA, IORDY(can be disabled)

95
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Queue depth: 32
Standby timer values: spec'd by Standard, no device specific minimum
R/W multiple sector transfer: Max = 16 Current = ?
Recommended acoustic management value: 128, current value: 0
DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 udma5 *udma6
Cycle time: min=120ns recommended=120ns
PIO: pio0 pio1 pio2 pio3 pio4
Cycle time: no flow control=240ns IORDY flow control=120ns
Commands/features:
Enabled Supported:
* SMART feature set
Security Mode feature set
* Power Management feature set
* Write cache
* Look-ahead
* Host Protected Area feature set
* WRITE_BUFFER command
* READ_BUFFER command
* DOWNLOAD_MICROCODE
SET_MAX security extension
Automatic Acoustic Management feature set
* 48-bit Address feature set
* Device Configuration Overlay feature set
* Mandatory FLUSH_CACHE
* FLUSH_CACHE_EXT
* SMART error logging
* SMART self-test
* Gen1 signaling speed (1.5Gb/s)
* Native Command Queueing (NCQ)
* Software settings preservation
Security:
Master password revision code = 65534
supported
not enabled
not locked
not frozen
not expired: security count
not supported: enhanced erase
Checksum: correct

The r ’s a lot of information laid out for us by hdparm. By comparing th fierst f w lin s
(bold for mphasis) to th photocopy of th disk lab l shown pr viously, w ’v again confierm d
w ar coll cting information from th corr ct disk. Theis command can b r dir ct d to a fiel
and sav d to our cas fold r:

root@forensic1:~# ls
case1/

96
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

root@forensic1:~# hdparm -I /dev/sdc > case1/case1.disk1.hdparm.txt

root@forensic1:~# ls case1/
case1.disk1.hdparm.txt

In th s cond command abov , w ’v r dir ct d ( >) th output of hdparm -I /dev/sdc


to a fiel in th case1 dir ctory. The fiel is call d case1.disk1.hdparm.txt. The last
command lists th cont nts of th case1 dir ctory. If w had multipl disks, th n w could
hav output for disk2, disk3, tc. The fiel naming h r is arbitrary. Theis is just an xampl .

Not that you can k p a running log of things that you do by using a doubl r dir ct
[>>] symbol to add all th cas info to a singl log. I would sugg st not taking this approach as
you l arn, though. If you mistak nly us a singl r dir ct [ >], you risk clobb ring an ntir log
fiel (r call that w can us our pr viously discuss d chattr +a command to pr v nt this,
s tteing th fiel to app nd only).

W can also us th hdparm tool to h lp id ntify disk confieguration ov rlays or host


prot ct d ar as (DCO or HPA, r sp ctiv ly). Manufactur rs us th s to chang th numb r
of s ctors availabl to th us r, som tim s to mak diffo ring driv s match in siz for mark ting
(DCO), and som tim s for hiding things lik “r stor ” or “r cov ry” partitions (HPA). The
history and sp cifiecs of th s ar as ar w ll docum nt d on th Int rn t. If you hav not h ard
of th m, do som r s arch. As for nsic xamin rs, w ar always int r st d in acquiring th
ntir disk (or at l ast thos ar as w can nominally acc ss through k rn l tools). The r ar
v n d p r ar as on disks that w will not addr ss h r .

In pr vious v rsions of this docum nt w us d Sl uth Kit tools to accomplish this. But
now hdparm can t ll us if th r is a DCO (and th chang s actually impl m nt d by th DCO).
The s can b manipulat d using hdparm as w ll, but I will l av thos advanc d topics to your
own r s arch (hint: r ad man hdparm).

In this cas w s w hav no HPA:

root@forensic1:~# hdparm -N /dev/sdc

/dev/sdc:
max sectors = 78125000/78125000, HPA is disabled

Output from hdparm would b diffo r nt if an HPA is pr s nt:

97
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

root@forensic1:~# hdparm -N /dev/sdi

/dev/sdi:
max sectors = 41943040/62914560, HPA is enabled

And th output from hdparm -I run against /dev/sdi would show only 41943040 (partial
output for br vity):

root@forensic1:~# hdparm -I /dev/sdi


...
Configuration:
Logical max current
cylinders 16383 16383
heads 16 16
sectors/track 63 63
--
CHS current addressable sectors: 16514064
LBA user addressable sectors: 41943040
LBA48 user addressable sectors: 41943040
Logical/Physical Sector size: 512 bytes
device size with M = 1024*1024: 20480 Mbytes
...

R ad th hdparm man pag car fully and b awar of th options and conditions und r which
a DCO or HPA can b d t ct d and r mov d. For xampl , r storing th full numb r of s ctors on /
dev/sdi would look lik this.

root@forensic1:~# hdparm N62914560 /dev/sdi

/dev/sdi:
setting max visible sectors to 62914560 (temporary)
max sectors = 78125000/62914560, HPA is disabled

Should you com across a disk with an HPA or DCO, I would sugg st, as th saf st cours of
action, acquiring an imag as th disk sits. Onc an imag of th disk is obtain d, you can pass
commands to r mov prot ct d ar as and r -imag .

98
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Hashing Media

On important st p in any vid nc coll ction is v rifying th int grity of your data
both b for aftw r th acquisition is compl t . You can g t a hash (MD5, or SHA) of th physical
d vic in a numb r of diffo r nt ways.

Linux can provid hash s using th following tools:

• md5sum - 128 bit ch cksum


• sha1sum - 160 bit ch cksum
• sha224sum - 224 bit ch cksum
• sha256sum - 256 bit ch cksum
• sha384sum - 384 bit ch cksum
• sha512sum - 512 bit ch cksum

In this xampl , w will us th SHA hash. SHA is a hash signatur g n rator that
suppli s a 160 bit “fieng rprint” of a fiel or disk (which is r pr s nt d by a fiel -lik d vic nod ).
It is not f asibl for som on to computationally r cr at a fiel bas d on th SHA hash. Theis
m ans that matching SHA signatur s m an id ntical fiel s. The r has b n a lot of talk in th
digital for nsic community ov r th y ars of ( v n r c nt) proof of “collisions” that r nd r
c rtain hash algorithms “obsol t ”. Theis guid is about l arning th tools. Do your r s arch
and ch ck your ag ncy or community guid lin s for additional information on which
algorithm to s l ct.

W can g t an SHA hash of a disk by running th following command (not that th


following commands can b r plac d with md5sum if you pr f r to us th MD5 hash
algorithm, or any of th oth r abov list d ch cksum tools):

root@forensic1:~# sha1sum /dev/sdc


5175ffff1366d1d5dd02e2d956d132304e7e1677 /dev/sdd

or

root@forensic1:~# sha1sum /dev/sdc > case1/case1.disk1.sha1.txt

The r dir ction in th s cond command allows us to stor th signatur in a fiel and us
it for v rifiecation lat r on. To g t a hash of a raw disk (/dev/sdc, /dev/sdd, tc.) th disk do s
NOT hav to b mount d. W ar hashing th d vic (th disk) not th cont nts. As w
discuss d arli r, Linux tr ats all obj cts, including physical disks, as figles. So wh th r you ar
hashing a fiel or a hard driv , th command is th sam .

99
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Collecting a Forensic Image with dd

Now that w hav coll ct d information on our subj ct m dia and obtain d a hash of
th physical disk for v rifiecation purpos s, w can b gin our acquisition.

dd is th v ry basic data copying utility that com s with a standard GNU/Linux


distribution. The r ar , no doubt, som b tte r imaging tools out th r for us with Linux, but
dd is th old standby. W ’ll b cov ring som of th mor for nsic ori nt d imaging tools in
th following s ctions, but l arning dd is important for much th sam r ason as l arning vi.
Lik vi, you ar bound to fiend dd on just about any Unix machin you might com across. In
som cas s, th b st imaging tool you hav availabl might just b th on you will almost
always hav acc ss to.

Theis is your standard for nsic imag of a susp ct disk. The dd command will copy
v ry bit from th k rn l acc ssibl ar as of th m dia to th d stination of your choic (a
physical d vic or fiel . The r ar a coupl of conc pts to k p in mind wh n using dd. Som of
th s conc pts also apply to th oth r for nsic imaging tools w will cov r. In v ry basic form,
th dd command looks lik this:

dd if=/dev/sdc of=evidence.raw bs=512

• Input fiel (if=): this is th sourc m dia. What w ar imaging.


◦ if=/dev/sdc
• Output fiel (of=): this is th d stination. Wh r w ar placing th imag /copy.
◦ of=evidence.raw
◦ Output can b a fiel (as abov ). Theis is most common.
◦ Output can b a physical d vic . Theis is oftw n r f rr d to as a “clon ”.
• Disk imag (/dev/sdx): W can us th nam for th ntir d vic nod .
• Partition imag (/dev/sdx#): W can us th d vic nam and th partition
numb r to imag a singl partition/fiel syst m. # is th partition numb r (as
r turn d by fdisk -l, for xampl ).
• Block siz (bs=): The block siz of th d vic b ing imag d. The k rn l usually
handl s this. Theis may b com a futur issu as block siz s chang with th
volution of storag m dia. For our curr nt targ t ( /dev/sdc), th hdparm -I
output is showing 512 byt s p r s ctor (Logical/Physical S ctor Siz ). B awar
of som n w r d vic s that ar using 2048 byt s p r s ctor.
• The r is also s t of options that ar oftw n us d to avoid probl ms in cas th r
ar bad s ctors on th disk.
◦ conv=noerror,sync
◦ Theis option instructs dd to bypass copying s ctors with rrors AND pad
thos matching s ctors in th d stination with z ros. The padding k ps
offos ts corr ct in any fiel syst m data and p rhaps still r sult in a usabl
imag (mor on this lat r). I’m not a fan of using this option.

100
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

As part of our cas organization, w ’ll mak a n w dir ctory imag s in our case1
dir ctory. Theis is wh r w will k p working copi s of our imag s. Normally, you would
cr at imag s dir ctly to ith r a larg r driv that has b n sanitiz d, or to a n twork storag
volum that is us d to maintain original copi s. Theat will d p nd on your sp cifiec polici s.

In this cas , for illustration, w will imag dir ctly to our cas 1/imag s dir ctory. I
pr f r k ping imag s s parat as it allows prot cting th dir ctory with atteributions that
pr v nt chang s or d l tions to our working copy imag fiel s, onc w ’v compl t d th
imaging proc ss.

To k p our dd command lin short r, w ’ll chang into our cas 1/imag s dir ctory ( cd
case1/images) and writ our output fiel h r . Without n ding to sp cify th dir ctory (w
ar writing to th curr nt dir ctory), w k p th command lin short r and asi r to r ad.

root@forensic1:~# cd case1/images
root@forensic1:~/case1/images# dd if=/dev/sdc of=case1.disk1.raw bs=512
78125000+0 records in
78125000+0 records out
40000000000 bytes (40 GB, 37 GiB) copied, 939.898 s, 42.6 MB/s

Theis tak s your disk d vic /dev/sdc as th input fiel if and writ s th output fiel of
call d case1.disk1.raw in th curr nt dir ctory /root/case1. The bs option sp cifie s th
block siz . Theis is r ally not n d d for most block d vic s (hard driv s, tc.) as th Linux
k rn l handl s th actual block siz . It’s add d h r for illustration, as it can b a us ful option
in many situations (discuss d lat r).

Using dd cr at s an xact duplicat of th physical d vic fiel . Theis includ s all th fiel
slack and unallocat d spac . W ar not simply copying th logical fiel structur . Unlik many
for nsic imaging tools, dd do s not fiell th imag with any propri tary data or information. It
is a simpl bit str am copy from start to nd. Theis has a numb r of advantag s, as w will s
lat r.

You can s from our output abov that dd r ad in th sam s numb r of r cords (512
byt blocks, in this cas ) as th numb r of s ctors for this disk pr viously r port d by hdparm
-I, 78125000. To v rify your imag , w can do th following. W want to r call th hash w
obtain d from th original d vic (/dev/sdc), which w stor d in th fiel
case1/case1.disk1.sha1.txt and compar that to th hash of th imag fiel w just
obtain d.

root@forensic1:~/case1/images# cat ../case1.disk1.sha1.txt


b3b506ea4c538b33459abcb41b956e0a0250104f /dev/sdc
root@forensic1:~/case1/images# sha1sum case1.disk1.raw
b3b506ea4c538b33459abcb41b956e0a0250104f case1.disk1.raw

101
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

You can s th two hash s match, v rifying our imag as a tru copy of th original
driv . Tak not of th fierst command. R m mb r that w ar curr ntly in th case1/images
dir ctory. The hash fiel case1.disk1.sha1.txt is stor d in th par nt dir ctory, case1.
Wh n w issu our cat command (str am th cont nts of a fiel ), w us th ../ notation to
indicat that th fiel w ar calling is in th par nt dir ctory ( ..).

Theis is th simpl st us cas for dd.

dd and Splitting Images

It has b com common practic for digital for nsics to split th output of our imaging.
Theis is don for a numb r of r asons, ith r for archiving or for us in anoth r program. W
will fierst discuss using split on its own, th n in conjunction with dd for “on th flay” splitteing.

For xampl , w hav our 40GB imag and w now want to split it into 2GB parts so
th y can b writte n to DVD m dia, for xampl 11. Or, if you wish to stor th fiel s on a fiel
syst m with limit d fiel siz s and n d a particular siz , you might want to split th imag into
2GB pi c s. For this w us th split command.

split normally works on lin s of input (i. . from a t xt fiel ). But if w us th –b


option, w forc split to tr at th fiel as binary input and lin s ar ignor d. W can sp cify th
siz of th fiel s w want along with th pr fiex w want for th output fiel s. split can also us
th -d option to giv us num rical numb ring (*.01, *.02, *.03, tc.) for th output fiel s as
oppos d to alphab tical (*.aa, *.ab, *.ac, tc.). The -a option sp cifie s th sufficx l ngth.
The command looks lik :

split -d -a N -b XG <file to be split> <prefix of output files>

wh r N is th l ngth of th xt nsion (or sufficx) w will us and X is th siz of th


r sulting fiel s with a unit modifie r (M, G, KM, KG, tc.). For xampl , with our imag of /dev/
sdc, w can split it into 2GB fiel s using th following command:

root@forensic1:~/case1/images# split -d -a 3 -b 2G case1.disk1.raw


case1.disk1.split.

Theis would r sult in 20 fiel s (2GB in siz ) ach nam d with th pr fiex cas 1.split1. as
sp cifie d in th command, follow d by 000, 001, 002, and so on. The -a option with 3 sp cifie s
that w want th xt nsion to b at l ast 3 digits long. Without -a 3, our fiel s would b
nam d *.01, .02, .03, tc. Using 3 digits maintains consist ncy with oth r tools. Not th trailing

11
The r ar b tte r was to stor archiv d imag s. W ar using this fiel siz as an xampl only.

102
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

dot in our output fiel nam . W do this so th sufficx is add d as a fiel xt nsion rath r than as
a sufficx string app nd d to th nd of th nam string.

root@forensic1:~/case1/images# ls -lh case1.disk1.split.*


-rw-r--r-- 1 root root 2.0G Apr 24 10:22 case1.disk1.split.000
-rw-r--r-- 1 root root 2.0G Apr 24 10:22 case1.disk1.split.001
-rw-r--r-- 1 root root 2.0G Apr 24 10:23 case1.disk1.split.002
-rw-r--r-- 1 root root 2.0G Apr 24 10:24 case1.disk1.split.003
-rw-r--r-- 1 root root 2.0G Apr 24 10:25 case1.disk1.split.004
-rw-r--r-- 1 root root 2.0G Apr 24 10:26 case1.disk1.split.005
-rw-r--r-- 1 root root 2.0G Apr 24 10:27 case1.disk1.split.006
-rw-r--r-- 1 root root 2.0G Apr 24 10:27 case1.disk1.split.007
-rw-r--r-- 1 root root 2.0G Apr 24 10:28 case1.disk1.split.008
-rw-r--r-- 1 root root 2.0G Apr 24 10:29 case1.disk1.split.009
-rw-r--r-- 1 root root 2.0G Apr 24 10:30 case1.disk1.split.010
-rw-r--r-- 1 root root 2.0G Apr 24 10:31 case1.disk1.split.011
-rw-r--r-- 1 root root 2.0G Apr 24 10:32 case1.disk1.split.012
-rw-r--r-- 1 root root 2.0G Apr 24 10:32 case1.disk1.split.013
-rw-r--r-- 1 root root 2.0G Apr 24 10:33 case1.disk1.split.014
-rw-r--r-- 1 root root 2.0G Apr 24 10:34 case1.disk1.split.015
-rw-r--r-- 1 root root 2.0G Apr 24 10:35 case1.disk1.split.016
-rw-r--r-- 1 root root 2.0G Apr 24 10:36 case1.disk1.split.017
-rw-r--r-- 1 root root 1.3G Apr 24 10:36 case1.disk1.split.018

The proc ss can b r v rs d. If w want to r ass mbl th imag from th split parts,
w can us th cat command and r dir ct th output to a n w fiel . R m mb r cat simply
str ams th sp cifie d fiel s to standard output. If you r dir ct this output, th fiel s ar
ass mbl d into on .

root@forensic1:~/case1/images# cat case1.disk1.split* > case1.disk1.new.raw

In th abov command w ’v r -ass mbl d th split parts into a n w 40GB imag fiel .
The original split fiel s ar not r mov d, so th abov command will ss ntially doubl your
spac r quir m nts if you ar writing to th sam mount d d vic /dir ctory.

root@forensic1:~/case1/images# cat case1.disk1.split* > case1.disk1.new.raw

The sam cat command can b us d to ch ck th hash of th r sulting imag parts by


str aming all th parts of th imag through a pip to our hash command:

root@forensic1:~/case1/images# cat case1.disk1.split* | sha1sum


b3b506ea4c538b33459abcb41b956e0a0250104f -

103
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Onc again, w s that th hash r mains unchang d. The – at th nd of th output


d not s that w took our input from stdin, not from a fiel or d vic . In th command abov ,
sha1sum r c iv s its input dir ctly from th cat command through th pip .

Anoth r way of accomplishing multi-s gm nt imag s would b to split th imag as w


cr at it (dir ctly from a dd command). Theis is ss ntially th “on th flay” splitteing w
m ntion d arli r. W do this by piping th output of th dd command straight to split,
omitteing th of= portion of th dd command. Assuming our subj ct driv is /dev/sdc, w
would us th command:

root@forensic1:~/case1/images# dd if=/dev/sdc | split -d -a 3 -b 2G –


case1.disk1.split.
78125000+0 records in
78125000+0 records out
40000000000 bytes (40 GB, 37 GiB) copied, 974.1 s, 41.1 MB/s

In this cas , inst ad of giving th nam of th fiel to b split in th split command, w


giv a simpl - (aftw r th 2G, wh r w had th input nam in our pr vious xampl ). The
singl dash is a d scriptor that m ans “standard input”. In oth r words, th command is taking
its input from th data pip provid d by th standard output of dd inst ad of from a fiel . Any
options you want to pass to dd (block siz [bs], count, tc. go b for th pip ). The output
abov shows th familiar numb r of s ctors is corr ct for th disk w ar imaging.

Onc w hav th imag , th sam t chniqu using cat will allow us to r ass mbl it
for hashing or analysis as w did with th split imag s abov .

For practic , you can us a small USB thumb driv if you hav on availabl and try this
m thod on that, splitteing it into a r asonabl numb r of parts. You can us any sampl driv ,
b ing sur to r plac our d vic nod in th following command with /dev/sdx (wh r x is
your thumb driv , oth r m dia). Obtain a hash fierst, so that w can compar th split fiel s and
th original and mak sur that th splitteing chang s nothing.

Theis xampl us s a 128M USB driv that is arbitrarily split into 32M chunks for
manag abl output. Follow along with th commands, and xp rim nt with options whil
watching chang s in th r sulting output. It’s th b st way to l arn. W ’ll start by id ntifying
th thumb disk with lsscsi as soon as it’s plugg d in (output is abbr viat d for r adability):

root@forensic1:~# lsscsi
...
[38:0:0:0] disk SanDisk Cruzer Mini 0.2 /dev/sdd

root@forensic1:~# sha1sum /dev/sdd


80db4ca23ba091169d1cff8d007e23d32ea97f36 /dev/sdd

104
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

root@forensic1:~# dd if=/dev/sdd | split -d -a 3 -b 32M - thumb.split.


250879+0 records in
250879+0 records out
128450048 bytes (128 MB, 122 MiB) copied, 15.8042 s, 8.1 MB/s

root@forensic1:~# ls -lh thumb.split.*


-rw-r--r-- 1 root root 32M Apr 24 11:28 thumb.split.000
-rw-r--r-- 1 root root 32M Apr 24 11:28 thumb.split.001
-rw-r--r-- 1 root root 32M Apr 24 11:28 thumb.split.002
-rw-r--r-- 1 root root 27M Apr 24 11:28 thumb.split.003

root@forensic1:~# cat thumb.split.* | sha1sum


80db4ca23ba091169d1cff8d007e23d32ea97f36 -

Looking at th output of th abov commands, w fiersts s that th thumb driv that


was plugg d in is id ntifie d as an SanDisk Cruzer Mini. W th n hash th d vic , imag and
split on th flay with dd, and ch ck th hash. W fiend th sam hash for th disk, for th split
imag s “cat- d” tog th r, and for th n wly r ass mbl d imag .

W ’ll hav som mor fun with this command lat r on. It is mor than just an imaging
tool.

Alternative Imaging Tools

Standard Linux dd is a fien imaging tool. It is robust, w ll t st d, and has a prov n


track r cord.

As good as dd is as an imaging tool, it has on simpl , p rc iv d flaaw: It was n v r


actually d sign d to b us d for for nsic acquisitions. Whil th word “flaaw” is a littel harsh,
w n d to know that as much as th digital for nsics community r f r to dd as an “imaging”
tool, that is not what it was d sign d for. It is v ry capabl , but som practition rs pr f r full
f atur d, d dicat d imaging tools that do not r quir xt rnal programs to accomplish logging,
hashing, and imaging rror docum ntation. Additionally, dd is not th b st solution for
obtaining vid nc from damag d or failing m dia.

The r ar a numb r of for nsic sp cifiec tools out th r for Linux us rs that wish to
acquir vid nc . Som of th s tools includ :

● dc3dd - nhanc d dd program for for nsic us (bas d on dd cod ).


● dcfldd – nhanc d dd program for for nsic us (fork of dd cod ).
● ewfacquire – Provid d as part of th libewf proj ct, this tool is us d to acquir
Exp rt Witn ss Format (EWF) imag s. W will cov r it in som d tail lat r.
● GNU ddrescue – An imaging tool sp cifiecally d sign d to r cov r data from m dia
xhibiting rrors (not to b confus d with dd_rescue).

105
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

● aimage – for nsic imaging tool provid d primarily to cr at imag s in th Advanc d


For nsic Format (AFF).

Theis is not an xhaustiv list. The s , how v r, ar som of th mor commonly us d (as
far as I know). W will cov r dc3dd, ewfacquire, and ddrescue in this docum nt.

dc3dd

The fierst alt rnativ imaging tool w will cov r is dc3dd. Theis imaging is tool bas d on
original (patch d) cod from dd. It is v ry similar to th popular dcfldd but provid s a slightly
diffo r nt f atur s t. My choic of wh th r to cov r ith r dcfldd or dc3dd is larg ly
arbitrary. dc3dd is maintain d by th DoD (D partm nt of D f ns ) Cyb r Crim C nt r
(oth r wis known as Dc3)12 R gardl ss of which (dc3dd or dcfldd ) you pr f r, familiarity
with on of th s tools will translat v ry nic ly to th oth r with som r ading and
xp rim ntation, as th y ar v ry similar. Whil th r ar signifiecant diffo r nc s, many of th
f atur s w discuss in this s ction ar common to both dc3dd and dcfldd.

The sourc packag and mor information for dc3dd can b found at
https://sourceforge.net/projects/dc3dd/ .

dc3dd is install d by d fault on a curr nt v rsions of Slackwar . If you ar using a


diffo r nt distribution, ch ck your packag manag r’s r pository.

The man pag for dc3dd is concis and asy to r ad. All th information you n d to
us th advanc d f atur s of this imaging tool ar n atly laid out for you.

L t's hav a look at th basic usag of dc3dd. As you r ad through th usag s ction of
th man pag , you'll notic a numb r of additions to r gular dd for th for nsic xamin r. L t's
conc ntrat on th s notabl s additions:

hof=FILE or DEVICE : hash the output fille: Similar to th of= param t r for
dd, this writ s th sp cifie d output fiel and hash s and
v rifie s th output byt s as w ll. Theis ss ntially tak s th
plac of hashing your imag with sha1sum or md5sum aftw r
it compl t s.
ofs=BASE.FMT : split the output fille: Split th output fiel , and us th
nam BASE and sp cify th fiel xt nsion for ach split fiel
using FMT. Theis format can b num rical or alphab tical,
and you can sp cify th l ngth by th numb r of
charact rs you includ in FMT.
hofs=BASE.FMT : hash and split the output fille: Theis is ss ntially a
combination of th fierst two param t rs abov .

12
dcfldd is also nam d for a DoD ntity – th D f ns Comput r For nsics Lab.

106
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

ofsz=BYTES : output fille size: Wh n using ith r ofs or hofs, us this


param t r to s t th siz of ach split fiel that is cr at d.
S th man pag for th various sufficx s that can b us d
to d fien th units. For xampl 2G would b
2(1024*1024*1024) byt s.
hash=ALGORITHM : hash algorithm: Wh n sp cifying that w want th
output byt s hash d, this is th algorithm w us .
log=FILE : write a log to FILE: Log our acquisition to th fiel
sp cifie d.
hlog=FILE : write our hashes to FILE: If w sp cify hashing with
hof or hofs, writ th hash s to this fiel .

If w r do our imaging of /dev/sdc using dc3dd with simpl if= and of= param t rs,
as w us d with dd, th s ssion would look som thing lik this. Not that w ar still in our ~/
case1/images dir ctory and that w ar writing th log fiel to th par nt dir ctory:

root@forensic1:~/case1/images# dc3dd if=/dev/sdc of=case1.disk1.dc3dd.raw

dc3dd 7.2.641 started at 2017-04-24 16:34:39 -0400


compiled options:
command line: dc3dd if=/dev/sdc of=case1.disk1.dc3dd.raw
device size: 78125000 sectors (probed), 40,000,000,000 bytes
sector size: 512 bytes (probed)
40000000000 bytes ( 37 G ) copied ( 100% ), 904 s, 42 M/s

input results for device `/dev/sdc':


78125000 sectors in
0 bad sectors replaced by zeros

output results for file `case1.disk1.dc3dd.raw':


78125000 sectors out

dc3dd completed at 2017-04-24 16:49:44 -0400

Our input fiel is still sdc (if=/dev/sdc), our output fiel is now
case1.disk1.dc3dd.raw (of=case.disk1.dc3dd.raw). On of th fierst things you notic
right away is that dc3dd r turns mor usabl information whil th program is running. It
giv s you a v ry nic progr ss indicator, unlik dd. W also s imm diat ly that th corr ct
numb r of s ctors for /dev/sdc w r captur d (78125000), and that th r w r no “bad”
s ctors d t ct d. The start and stop tim stamps ar also add d by d fault. If you sp cify a log
fiel , this information is all captur d v ry nic ly. W will look at th hashing options and
logging in mor d tail in a littel whil .

Theis v rbos standard output and th availability of simpl logging is on of th things


that mak s dc3dd a b tte r candidat for g n ral for nsic imaging wh n compar d to dd.

107
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

dc3dd has also incorporat d th hashing, splitteing and logging of an acquisition into a
singl command. All of this can b don with r gular dd and xt rnal tools (with pip s,
r dir ction or scripting), but th r is no doubt many practition rs pr f r an int grat d
approach. The standard options availabl to th r gular dd command still ar r adily availabl
in dc3dd (bs, skip, tc.).

Mor than just incorporating th oth r st ps into a singl command, dc3dd xt nds th
functionality. For xampl , using a r gular split command with dd as w did in a pr vious
x rcis , w can ith r allow th d fault alphab tic naming conv ntion of split, or pass th -d
option to provid us with d cimal xt nsions on our fiel s. In contrast, dc3dd allows us to not
only d fien th siz of ach split as an option to th imaging command (using ofsz) without
n d for a pip d command, but it also allows mor granular control ov r th format of th
xt nsions ach split will hav as part of its fiel nam . So, to split a 40 GB disk into 2 GB
imag s, I would simply us :

ofs=BASENAME.FMT ofsz=2G

The ofs param t r is ss ntially “output file split”. The xt nsion following th
output fiel s nam s is dir ctly formatte d in th command its lf. According to th dc3dd man
pag :

4. FMT is a pattern for a sequence of file extensions that can be


numerical starting at zero, numerical starting at one, or alphabetical.
Specify FMT by using a series of zeros, ones, or a's, respec-
tively. The number of characters used indicates the desired
length of the extensions. For example, a FMT specifier of 0000
indicates four character numerical extensions starting with
0000.

So if I issu th bas command as som thing lik this:

dc3dd if=/dev/sdd ofsz=32M ofs=filename.FMT

I can adjust th valu s for FMT, and my split fiel xt nsions would chang accordingly:

FMT=aa *.aa (two alphab tic chars)


*.ab
*.ac
FMT=aaa *.aaa (thr alphab tic chars)
*.aab
*.aac
FMT=aaaa *.aaaa (four alphab tic chars)
*.aaab
*.aaac

108
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

FMT=00 *.00 (two num ric chars)


*.01
*.02
FMT=000 *.000 (thr num ric chars)
*.001
*.002

In addition, wh n using r gular GNU dd, our hashing functions ar p rform d xt rnal
to th imaging, by ith r th md5sum or sha1sum commands, d p nding on th analyst
pr f r nc for algorithm. dc3dd allows th us r to run BOTH hash s concurr ntly on an
acquisition and log th hash s. B for w run our split imag s with dc3dd, l ts look at th
hashing options a littel clos r.

W s l ct our hash algorithm with th option hash=, sp cifying any of md5, sha1,
sha256, sha512, or a comma s parat d list of algorithms. In this way you can s l ct multipl
hash m thods for a singl imag fiel . The s will b writte n to a log fiel w indicat , a sp cial
hash log, or to standard output if no log is sp cifie d.

dc3dd also provid s hof and hofs parameters. The hof option acts much lik of, but
hash s th output, compar s it to th input and r cords it. You must s l ct a hash algorithm.
hofs acts much lik ofs, splitteing th output into chunk siz s sp cifie d by ofsz. The hofs
option diffo rs in that it also hash s ach of th input/output str ams and compar s and logs
th m for ach chunk.

You can pass th log=filename param t r to log all output in a singl plac , or you can
log hash s s parat ly using th hlog=filename option.

L t us r do our dd xampl with th 128M thumb driv . Theis tim w will us dc3dd.
Asid from th options cov r d abov , w will also us th . W will discuss th options and
output b low.

root@forensic1:~# lsscsi
...
[38:0:0:0] disk SanDisk Cruzer Mini 0.2 /dev/sdd

root@forensic1:~# sha1sum /dev/sdd


80db4ca23ba091169d1cff8d007e23d32ea97f36 /dev/sdd

root@forensic1:~# dc3dd if=/dev/sdd hofs=thumb.dc3dd.000 ofsz=32M hash=sha1


hash=md5 log=thumb.dc3dd.log

dc3dd 7.2.641 started at 2017-04-25 10:32:54 -0400


compiled options:
command line: dc3dd if=/dev/sdd hofs=thumb.dc3dd.000 ofsz=32M hash=sha1 hash=md5
log=thumb.dc3dd.log

109
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

device size: 250879 sectors (probed), 128,450,048 bytes


sector size: 512 bytes (probed)
128450048 bytes ( 122 M ) copied ( 100% ), 17 s, 7.3 M/s
128450048 bytes ( 122 M ) hashed ( 100% ), 1 s, 245 M/s

input results for device `/dev/sdd':


250879 sectors in
0 bad sectors replaced by zeros
43108c653d4724181cf8eed75c20cde4 (md5)
35ed1c3c69e09b92fa0ea7760af0ac73, sectors 0 - 65535
886a206fe0d7e9bb84b5ab945507bdfd, sectors 65536 - 131071
10739e1569037dfcfbc7ccbd8f524313, sectors 131072 - 196607
9be7ef516207ac0c28006f3a99956015, sectors 196608 - 250878
80db4ca23ba091169d1cff8d007e23d32ea97f36 (sha1)
9a5b3ccf8664317771157716bb7abb51698060a0, sectors 0 - 65535
05958e878ff8d53bdfdceb6869dfd8984f8666b0, sectors 65536 - 131071
ee7e61ccd991774bfe6c8e37b1e78bbada64a545, sectors 131072 - 196607
0729dd5c9035107736fe0db0f95facb83c6c90f8, sectors 196608 - 250878

output results for files `thumb.dc3dd.000':


250879 sectors out
[ok] 43108c653d4724181cf8eed75c20cde4 (md5)
[ok] 35ed1c3c69e09b92fa0ea7760af0ac73, sectors 0-65535, `thumb.dc3dd.000'
[ok] 886a206fe0d7e9bb84b5ab945507bdfd, sectors 65536-131071, `thumb.dc3dd.001'
[ok] 10739e1569037dfcfbc7ccbd8f524313, sectors 131072-196607, `thumb.dc3dd.002'
[ok] 9be7ef516207ac0c28006f3a99956015, sectors 196608-250878, `thumb.dc3dd.003'
[ok] 80db4ca23ba091169d1cff8d007e23d32ea97f36 (sha1)
[ok] 9a5b3ccf8664317771157716bb7abb51698060a0, sectors 0-65535,
`thumb.dc3dd.000'
[ok] 05958e878ff8d53bdfdceb6869dfd8984f8666b0, sectors 65536-131071,
`thumb.dc3dd.001'
[ok] ee7e61ccd991774bfe6c8e37b1e78bbada64a545, sectors 131072-196607,
`thumb.dc3dd.002'
[ok] 0729dd5c9035107736fe0db0f95facb83c6c90f8, sectors 196608-250878,
`thumb.dc3dd.003'

dc3dd completed at 2017-04-25 10:33:10 -0400

110
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

The options us d abov ar :

if=/dev/sdd : Our sourc d vic , as indicat d by th output


of lsscsi
hofs=thumb.dc3dd.000 : our output fiel BASE and FMT. Using th hofs
option indicat s that w want hash s and
splits of th output fiel . In this cas , th BASE
is thumb.dc3dd. and th format of our
xt nsion (FMT) will b num rical, thr
digits.
ofsz=32M : Sinc w indicat d split fiel s (using hofs or
ofs), w n d to sp cify an output fiel siz .
hash=sha1 : Sinc w indicat d hash th input and output
hash=md5 fiel s (hofs or hof), w n d to provid th
algorithm w want. In this cas w ar
illustrating that w can us TWO algorithms,
and both will b calculat d and r cord d.
log=thumb.dc3dd.log : Indicat s that w want th output of dc3dd
logg d to a fiel that w sp cify. Not that
you can log hash s s parat ly using hlog.

The r sulting output (shown by our ls command b low) giv s us 4 split imag fiel s,
with num rical xt nsions starting with 000. W also hav a log fiel of our hash s and any
rror m ssag s, which w can vi w with less or cat:

root@forensic1:~# ls -lh thumb.dc3dd.*


-rw-r--r-- 1 root root 32M Apr 25 10:32 thumb.dc3dd.000
-rw-r--r-- 1 root root 32M Apr 25 10:33 thumb.dc3dd.001
-rw-r--r-- 1 root root 32M Apr 25 10:33 thumb.dc3dd.002
-rw-r--r-- 1 root root 27M Apr 25 10:33 thumb.dc3dd.003
-rw-r--r-- 1 root root 2.5K Apr 25 10:53 thumb.dc3dd.log

As pr viously discuss d, th log fiel contains our hash s and our rror m ssag s. For
th hash s, th input hash from th imag d d vic ar display d fierst (for ach hash w
r qu st d). The n th output hash s ar display d for ach of th output fiel s. If th input
hash match s th output hash for a giv n rang (or th whol d vic ), th output hash is
pr c d d with [ok] so you do not hav to manually compar th output.

The log fiel nds with a tim stamp for your docum ntation.

Anoth r us ful f atur of dc3dd wh n compar d to r gular dd is th ability (without th


us of xt rnal pip s or piping programs) to coll ct multipl imag s at th sam tim . If
logistics allows, and I n d to coll ct multipl copi s on location to distribut to multipl
parti s, I can hav additional output fiel s:

111
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

root@forensic1:~# dc3dd if=/dev/sdd hof=thumb.dc3dd hof=thumbcopy.dc3dd hash=md5

dc3dd 7.2.641 started at 2017-04-25 11:06:26 -0400


compiled options:
command line: dc3dd if=/dev/sdd hof=thumb.dc3dd hof=thumbcopy.dc3dd hash=md5
device size: 250879 sectors (probed), 128,450,048 bytes
sector size: 512 bytes (probed)
128450048 bytes ( 122 M ) copied ( 100% ), 18 s, 7 M/s
128450048 bytes ( 122 M ) hashed ( 100% ), 0 s, 611 M/s

input results for device `/dev/sdd':


250879 sectors in
0 bad sectors replaced by zeros
43108c653d4724181cf8eed75c20cde4 (md5)

output results for file `thumb.dc3dd':


250879 sectors out
[ok] 43108c653d4724181cf8eed75c20cde4 (md5)

output results for file `thumbcopy.dc3dd':


250879 sectors out
[ok] 43108c653d4724181cf8eed75c20cde4 (md5)

dc3dd completed at 2017-04-25 11:06:43 -0400

root@forensic1:~# ls -lh thumb*


-rw-r--r-- 1 root root 123M Apr 25 11:06 thumb.dc3dd
-rw-r--r-- 1 root root 123M Apr 25 11:06 thumbcopy.dc3dd

The d monstration abov illustrat s coll cting two imag s simultan ously. You can s
w s l ct d to hash th output fiel s (hof) using th md5 algorithm (hash=md5). The output
shows th singl input str am was hash d, but th r ar two output str ams, and ach was
hash d and v rifie d s parat ly. Theis is a v ry us ful f atur of dc3dd.

Not again that dc3dd outputs raw imag s. The y can b hash d xactly th sam as dd
output: Dir ctly hash d with your hashing algorithm of choic ( sha1sum, md5sum, tc.), or in
th cas of split fiel s, using th cat command to str am th output of multipl fiel s to th hash
program.

Now w ’ll continu our look at alt rnativ imaging tools with a utility that is us d to
coll ct and manipulat Exp rt Witn ss (E01 or EWF) fiel s, on of th mor ubiquitous formats
us d in comput r for nsics today.

112
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

libewf and ewfacquire

The r may b tim s wh n you ar ask d to p rform xaminations coll ct d by som on


ls , or p rhaps your organization has l ct d to standardiz on a giv n format for for nsic
imag s. In any cas , chanc s ar you will v ntually com across Exp rt Witn ss format fiel s
(EWF, commonly r f rr d to as “EnCas ” format). The r ar many tools that can r ad, conv rt
or work with th s imag s. In this s ction w will l arn to acquir and manipulat vid nc in
th EWF format.

W will xplor a s t of tools h r b longing to th libewf proj ct. The s tools provid
th ability to cr at , vi w, conv rt and work with xp rt witn ss vid nc contain rs.

On of th b n fiets of cov ring libewf b for oth r advanc d for nsic utiliti s is
b caus it n ds to b install d figrst in ord r to supply th r quir d librari s for oth r packag s
to support EWF imag formats . The libewf tools and d tail d proj ct information can b
found at https://github.com/libyal/libewf/

W will start by installing libewf using sbotools. Ch ck your distribution


docum ntation, or th install instructions at th w bsit shown abov if you ar using a
distribution oth r than Slackwar . The installation is simpl . libewf has no additional
r quir m nts (you can vi w th info fiel with sbofind -tei libewf). Wh n you start th
installation proc ss b sur to tak th tim to r ad th README fiel that displays.

root@forensic1:~# sboinstall libewf

libewf (libYAL Expert Witness Compression library)

libewf allows you to read media information of EWF


files in the SMART (EWF-S01) format and the EnCase (EWF-E01) format.
libewf allows reading files created by EnCase 1 to 6, linen and FTK
Imager.

Proceed with libewf? [y] y


libewf added to install queue.

Install queue: libewf

Are you sure you wish to continue? [y]

...
Executing install script for libewf-20140608-x86_64-2_SBo.tgz.
Package libewf-20140608-x86_64-2_SBo.tgz installed.

Cleaning for libewf-20140608...

113
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Onc th download, compil , build, and installation of th r sulting packag is


compl t , th actual tools ar plac d in /usr/bin. W will hav a clos r look at th following:

● ewfacquire
● ewfverify
● ewfinfo
● ewfexport
● ewfacquirestream (in a lat r s ction)

W ’ll start with th ewfacquire command us d to cr at EWF fiel s that can b us d in


oth r programs. The asi st way to d scrib how ewfacquire works is to watch it run. The r
ar a numb r of options availabl . To g t a list of options (th r ar many, just run
ewfacquire -h. To obtain an imag , simply issu th command with th nam of th fiel or
physical d vic you wish to imag . Unl ss you m moriz or script th options, this is th
asi st way to run th program. You ar prompt d for r quir d information, to b stor d with
th data in th EWF format (th b low output is int ractiv ):

root@forensic1:~# lsscsi
...
[2:0:0:0] disk SanDisk Cruzer Mini 0.2 /dev/sdb

root@forensic1:~# ewfacquire /dev/sdb


ewfacquire 20140608

Device information:
Bus type: USB
Vendor: SanDisk
Model: Cruzer Mini
Serial:

Storage media information:


Type: Device
Media type: Removable
Media size: 128 MB (128450048 bytes)
Bytes per sector: 512

Acquiry parameters required, please provide the necessary input


Image path and filename without extension: case1.disk2
Case number: 2017-0001
Description: Thumb drive seized from bad guy
Evidence number: 2017-001-002
Examiner name: Barry J. Grundy
Notes:
Media type (fixed, removable, optical, memory) [removable]:
Media characteristics (logical, physical) [logical]: physical

114
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Use EWF file format (ewf, smart, ftk, encase1, encase2, encase3, encase4, encase5,
encase6, linen5, linen6, ewfx) [encase6]:
Compression method (deflate) [deflate]:
Compression level (none, empty-block, fast, best) [none]:
Start to acquire at offset (0 <= value <= 128450048) [0]:
The number of bytes to acquire (0 <= value <= 128450048) [128450048]:
Evidence segment file size in bytes (1.0 MiB <= value <= 7.9 EiB) [1.4 GiB]: 32M
The number of bytes per sector (1 <= value <= 4294967295) [512]:
The number of sectors to read at once (16, 32, 64, 128, 256, 512, 1024, 2048,
4096, 8192, 16384, 32768) [64]:
The number of sectors to be used as error granularity (1 <= value <= 64) [64]:
The number of retries when a read error occurs (0 <= value <= 255) [2]:
Wipe sectors on read error (mimic EnCase like behavior) (yes, no) [no]:

The following acquiry parameters were provided:


Image path and filename: case1.disk2.E01
Case number: 2017-0001
Description: Thumb drive seized from bad guy
Evidence number: 2017-001-002
Examiner name: Barry J. Grundy
Notes:
Media type: removable disk
Is physical: yes
EWF file format: EnCase 6 (.E01)
Compression method: deflate
Compression level: none
Acquiry start offset: 0
Number of bytes to acquire: 122 MiB (128450048 bytes)
Evidence segment file size: 32 MiB (33554432 bytes)
Bytes per sector: 512
Block size: 64 sectors
Error granularity: 64 sectors
Retries on read error: 2
Zero sectors on read error: no

Continue acquiry with these values (yes, no) [yes]:

Acquiry started at: Apr 25, 2017 12:24:45


This could take a while.

Status: at 20%.
acquired 25 MiB (26443776 bytes) of total 122 MiB (128450048 bytes).
completion in 16 second(s) with 6.1 MiB/s (6422502 bytes/second).
...

Acquiry completed at: Apr 25, 2017 12:27:08

Written: 122 MiB (128450236 bytes) in 2 minute(s) and 23 second(s) with 877 KiB/s
(898253 bytes/second).

115
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

MD5 hash calculated over data: 43108c653d4724181cf8eed75c20cde4


ewfacquire: SUCCESS

root@forensic1:~# ls -lh case1.*


-rw-r--r-- 1 root root 32M Apr 25 12:24 case1.disk2.E01
-rw-r--r-- 1 root root 32M Apr 25 12:27 case1.disk2.E02
-rw-r--r-- 1 root root 32M Apr 25 12:27 case1.disk2.E03
-rw-r--r-- 1 root root 27M Apr 25 12:27 case1.disk2.E04

In th abov command s ssion, us r input is shown in bold. In plac s wh r th r is no


input provid d by th us r, th d faults (shown in brack ts) ar us d. Notic that ewfacquire
giv s you s v ral options for imag formats that can b sp cifie d. The fiel (s) sp cifie d by th
us r is giv n an E** xt nsion and plac d in th path dir ct d by th us r. Finally, an MD5
hash is provid d at th nd of th output for v rifiecation. As with dc3dd, you also g t a tim
stamp for docum ntation.

You can also issu a singl command and sp cify thos options w us d abov on th
command lin . For xampl , to g t similar r sults, w can issu th following command:

root@forensic1:~# ewfacquire -C "2017-001" -d sha1 -D "Thumb drive seized from bad


guy" -e "Barry J. Grundy" -E "2017-001-002" -m removable -M physical -S 32M -t
case1.disk2 -u /dev/sdb
ewfacquire 20140608
...
Acquiry completed at: Apr 25, 2017 12:39:20

Written: 122 MiB (128450392 bytes) in 16 second(s) with 7.6 MiB/s (8028149
bytes/second).
MD5 hash calculated over data: 43108c653d4724181cf8eed75c20cde4
SHA1 hash calculated over data: 80db4ca23ba091169d1cff8d007e23d32ea97f36
ewfacquire: SUCCESS

You can look at th individual options provid d in th command abov by vi wing man
ewfacquire. Ess ntially this command allows us to run ewfacquire without having to
answ r any prompts. The important options to not h r ar th -d that allows us to sp cify
an additional ch cksum algorithm and th -u (unatte nd d mod ) that forc s ewfacquire to us
th d faults for options not sp cifie d. Mak sur you know what you ar doing b for running
th command unatte nd d.

Onc acquir d, th r sulting fiel s from ewfacquire ar compatibl with any softwwar
that will r ad EWF format imag s. W ’ll b using som for nsic utiliti s lat r to do just that.

116
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

L t’s look now at ewfinfo and ewfverify. The s two tools, also includ d with libewf,
provid information on any prop rly formatte d EWF fiel s you may com across.

ewfinfo simply r ads th imag m tadata that was nt r d during th imaging proc ss.
It will work with imag fiel s acquir d using oth r softwwar as w ll, as long as it is in a prop r
EWF format. For th fiel s w just coll ct d, using ewfacquire, th output would look lik this
(Not th Operating system used and th Software version used):

root@forensic1:~# ewfinfo case1.disk2.E01


ewfinfo 20140608

Acquiry information
Case number: 2017-001
Description: Thumb drive seized from bad guy
Examiner name: Barry J. Grundy
Evidence number: 2017-001-002
Acquisition date: Tue Apr 25 12:39:04 2017
System date: Tue Apr 25 12:39:04 2017
Operating system used: Linux
Software version used: 20140608
Password: N/A
Model: Cruzer Mini

EWF information
File format: EnCase 6
Sectors per chunk: 64
Error granularity: 64
Compression method: deflate
Compression level: no compression
Set identifier: 780ec790-8375-2f46-abad-ce393e8b7fa5

Media information
Media type: removable disk
Is physical: yes
Bytes per sector: 512
Number of sectors: 250879
Media size: 122 MiB (128450048 bytes)

Digest hash information


MD5: 43108c653d4724181cf8eed75c20cde4
SHA1: 80db4ca23ba091169d1cff8d007e23d32ea97f36

If you run ewfinfo on fiel s coll ct d using tools oth r than ewfacquire (EnCas und r
Windows, for xampl ), th output might look lik this. Not th Operating system used
and Software version used fie lds. The s giv som hint as to how th fiel s w r cr at d
(EnCas v rsion 7 on Windows 7).

117
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

root@forensic1:~# ewfinfo EnCaseimage.E01


ewfinfo 20140608

Acquiry information
Description: TestImage
Examiner name: Susan B. Analyst
Acquisition date: Fri Feb 17 13:59:50 2017
System date: Fri Jan 13 16:10:42 2017
Operating system used: Windows 7
Software version used: 7.10.05
Password: N/A
Model: ST2500
Serial number: 03-016831-C
Device label: WT055 12
Extents: 0

EWF information
File format: unknown
Sectors per chunk: 64
Error granularity: 64
Compression method: deflate
Compression level: best compression
Set identifier: ff582a89-3aba-cf46-a634-75edf9c15a97

Media information
Media type: physical
Is physical: yes
Bytes per sector: 512
Number of sectors: 250044416
Media size: 119 GiB (128022740992 bytes)

Digest hash information


MD5: 46c4d29a3ba96fffb8d7690949ddea1b

Also not that th MD5 valu shown is th valu of th data, NOT th imag fiel s th ms lv s.
Hashing th imag fiel s do s will not allow you to v rify against th hash of th original m dia – th
E0* fiel s contain m ta data and so do not r pr s nt an xact copy of th sourc m dia. If you want
to v rify th hash of th data aftw r it’s b n mov d, you n d to us a tool lik ewfverify.

Hashing th data in EWF fiel s r quir s a tool that r cogniz s th m tadata associat d
with an EWF fiel and can pars and hash th original data. For this w us ewfverify.

root@forensic1:~# ewfverify case1.disk2.E01


ewfverify 20140608

118
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Verify started at: Apr 28, 2017 22:30:22


This could take a while.

Verify completed at: Apr 28, 2017 22:30:23

Read: 122 MiB (128450048 bytes) in 1 second(s) with 122 MiB/s (128450048
bytes/second).

MD5 hash stored in file: 43108c653d4724181cf8eed75c20cde4


MD5 hash calculated over data: 43108c653d4724181cf8eed75c20cde4

Additional hash values:


SHA1: 80db4ca23ba091169d1cff8d007e23d32ea97f36

ewfverify: SUCCESS

Theis command simply r hash d th data and compar d it to th hash alr ady stor d
within th fiel . Ev ry tim you mov data b tw n volum s, it’s always good practic to ch ck
that th data is still intact. ewfverify allows you to accomplish this int grity ch ck quickly
and fficci ntly with EWF fiel s.

On last command in th libewf suit of tools. L t's talk about thos situations wh r
you'v b n provid d a s t of imag fiel s (or fiel ) that w r obtain d using a popular Windows
for nsic tool. The r will b tim s wh r you would lik r ad th m ta-data includ d with th
imag s, v rify th cont nts of th imag s, or xport or conv rt th imag s to a bit str am (or
what w r f r to as a dd) format. Onc again, th libewf tools com in handy. The y op rat
at th Linux command lin , don't r quir any oth r sp cial softwwar , lic ns , or dongl and ar
v ry fast. W will us a copy of an NTFS practical x rcis imag w will s mor of lat r in
our upcoming advanc d x rcis s. The EWF fiel s w ’ll b working on can b download d
using wget, as w hav don pr viously. Onc download d, ch ck th hash and compar :

root@forensic1:~# wget http://www.linuxleo.com/Files/NTFS_Pract_2017_E01.tar.gz


--2017-05-27 10:09:40-- http://www.linuxleo.com/Files/NTFS_Pract_2017_E01.tar.gz
Resolving www.linuxleo.com (www.linuxleo.com)... 216.250.120.84
Connecting to www.linuxleo.com (www.linuxleo.com)|216.250.120.84|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 63376431 (60M) [application/gzip]
Saving to: ‘NTFS_Pract_2017_E01.tar.gz’

NTFS_Pract_2017_E01 100%[===================>] 60.44M 10.2MB/s in 6.2s

2017-05-27 10:09:47 (9.76 MB/s) - ‘NTFS_Pract_2017_E01.tar.gz’ saved


[63376431/63376431]

root@forensic1:~# sha1sum NTFS_Pract_2017_E01.tar.gz


246c144896c5288369992acc721c95968d2fe9ef NTFS_Pract_2017_E01.tar.gz

119
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

As w ’v s n pr viously with our softwwar downloads, this fiel has a tar.gz


xt nsion. Theat m ans it is a compr ss d TAR archiv . To r vi w, th tar part of th
xt nsion indicat s that th fiel was cr at d using th tar command (s man tar for mor
info). The gz xt nsion indicat s that th fiel was compr ss d (commonly with gzip). Wh n
you fierst download a tar archiv , particularly from un-trust d sourc s, you should always hav
a look at th cont nts of th archiv b for d compr ssing, xtracting and haphazardly writing
th cont nts to your driv . Vi w th cont nts of th archiv with th following command:

root@forensic1:~# tar tzf NTFS_Pract_2017_E01.tar.gz


NTFS_Pract_2017/
NTFS_Pract_2017/NTFS_Pract_2017.E04
NTFS_Pract_2017/NTFS_Pract_2017.E02
NTFS_Pract_2017/NTFS_Pract_2017.E01
NTFS_Pract_2017/NTFS_Pract_2017.E03

The abov tar command will list (t) and d compr ss (z) th fiel (f)
NTFS_Pract_2017_E01.tar.gz. Theis allows you to s wh r th fiel will b xtract d, and as
th output shows, th r ar fiev fiel s that will b xtract d to a n w dir ctory,
NTFS_Pract_2017/, in th curr nt dir ctory. W will us th tar command xt nsiv ly
throughout this docum nt for download d fiel s.

Now w actually untar th imag s with th tar x option and chang into th r sulting
dir ctory:

root@forensic1:~# tar xzvf NTFS_Pract_2017_E01.tar.gz


NTFS_Pract_2017/
NTFS_Pract_2017/NTFS_Pract_2017.E04
NTFS_Pract_2017/NTFS_Pract_2017.E02
NTFS_Pract_2017/NTFS_Pract_2017.E01
NTFS_Pract_2017/NTFS_Pract_2017.E03

root@forensic1:~# cd NTFS_Pract_2017

root@forensic1:~/NTFS_Pract_2017#

The fierst thing w can do is run th ewfinfo command on th imag th fierst fiel of th
imag s t. Theis will r turn th m ta-data that includ s acquisition and m dia information, as
w ’v s n pr viously. W l arn th v rsion of th softwwar that th imag s w r cr at d with,
along with th coll ction platform, dat of acquisition, nam of th xamin r that cr at d th
imag with th d scription and not s. Hav a look at th output of ewfinfo on our fiel s t
(you only n d provid th fierst fiel in th s t as an argum nt to th command):

120
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

root@forensic1:~/NTFS_Pract_2017# ls -lh NTFS_Pract_2017.E0*


-rw-r--r-- 1 root root 128M May 1 18:19 NTFS_Pract_2017.E01
-rw-r--r-- 1 root root 128M May 1 18:19 NTFS_Pract_2017.E02
-rw-r--r-- 1 root root 128M May 1 18:19 NTFS_Pract_2017.E03
-rw-r--r-- 1 root root 117M May 1 18:19 NTFS_Pract_2017.E04

root@forensic1:~/NTFS_Pract_2017# ewfinfo NTFS_Pract_2017.E01


ewfinfo 20140608

Acquiry information
Case number: 11-1111-2017
Description: Practical Exercise Image
Examiner name: Barry J. Grundy
Evidence number: 11-1111-2017-001
Notes: This image is for artifact recovery.
Acquisition date: Mon May 1 18:19:14 2017
System date: Mon May 1 18:19:14 2017
Operating system used: Linux
Software version used: 20140608
Password: N/A

EWF information
File format: EnCase 6
Sectors per chunk: 64
Error granularity: 64
Compression method: deflate
Compression level: no compression
Set identifier: f9f1b88f-9ac9-e04f-bfe5-195039426d7c

Media information
Media type: fixed disk
Is physical: yes
Bytes per sector: 512
Number of sectors: 1024000
Media size: 500 MiB (524288000 bytes)

Digest hash information


MD5: eb4393cfcc4fca856e0edbf772b2aa7d
Notic that th last lin in th output provid s us with an MD5 hash of th data in th
fiel s t. Again, don't confus this with th hash of th fiel its lf. A fiel in EWF format stor s
th original data from th m dia that was imag d along with a s ri s of CRC ch cks and m ta-
data. The hash of th E01 fiel (s) its lf will NOT match th hash of th original m dia imag d.
The hash of th original m dia and th r for th data coll ct d is r cord d in th m tadata of
th EWF fiel for lat r v rifiecation.

You can s from our output b low that th NTFS_Pract_2017.E0* fiel s t v rifie s
without rror. The hash obtain d during th v rifiecation match s that stor d within th fiel :

121
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

root@forensic1:~/NTFS_Pract_2017# ewfverify NTFS_Pract_2017.E01


ewfverify 20140608

Verify started at: May 01, 2017 18:22:11


This could take a while.

Verify completed at: May 01, 2017 18:22:12

Read: 500 MiB (524288000 bytes) in 1 second(s) with 500 MiB/s (524288000
bytes/second).

MD5 hash stored in file: eb4393cfcc4fca856e0edbf772b2aa7d


MD5 hash calculated over data: eb4393cfcc4fca856e0edbf772b2aa7d

Now w ’ll look at ewfexport. Theis tool allows you to tak an EWF fiel s t and conv rt
it to a bit str am imag fiel , ss ntially r moving th m ta-data and l aving us with th data in
raw format, as with dd. It is int r sting to not that ewfexport can actually writ to standard
output, making it suitabl for piping to oth r commands. H r , w issu th command with
s v ral options that r sult in th EWF fiel b ing xport d to a raw imag .

root@forensic1:~/NTFS_Pract_2017# ewfexport -t NTFS_Pract_2017 -f raw -u


NTFS_Pract_2017.E01
ewfexport 20140608

Export started at: May 01, 2017 22:09:52


This could take a while.

Export completed at: May 01, 2017 22:09:53

Written: 500 MiB (524288000 bytes) in 1 second(s) with 500 MiB/s (524288000 bytes/
second).
MD5 hash calculated over data: eb4393cfcc4fca856e0edbf772b2aa7d
ewfexport: SUCCESS

W us th -t option (“targ t”) to writ to a fiel . The -f option with raw indicat s
that th fiel format w ar writing to is raw, as with dd output. W us -u to acc pt th
r maining d faults and pr v nt an int ractiv s ssion. Theis r sults in a singl raw fiel that has
th sam hash as th original m dia (s th output of th md5sum command). W also s an
XML formatte d .info fiel that contains th hash valu 13.

root@forensic1:~/NTFS_Pract_2017# ls -lh NTFS_Pract_2017.*


-rw-r--r-- 1 root root 128M May 1 18:19 NTFS_Pract_2017.E01

The output of this command might diffo r gr atly d p nding on th v rsion of lib wf you install. Som
13

r postori s might us v rsions that do not app nd th .raw xt nsion or provid an .info fiel .

122
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

-rw-r--r-- 1 root root 128M May 1 18:19 NTFS_Pract_2017.E02


-rw-r--r-- 1 root root 128M May 1 18:19 NTFS_Pract_2017.E03
-rw-r--r-- 1 root root 117M May 1 18:19 NTFS_Pract_2017.E04
-rw-r--r-- 1 root root 500M May 1 22:09 NTFS_Pract_2017.raw
-rw-r--r-- 1 root root 158 May 1 22:09 NTFS_Pract_2017.raw.info

root@forensic1:~/NTFS_Pract_2017# md5sum NTFS_Pract_2017.raw


eb4393cfcc4fca856e0edbf772b2aa7d NTFS_Pract_2017.raw

At this point, w ’v cov r d dd, dc3dd, ewfacquire and common m thods for ch cking
th int grity of and xporting th coll ct d imag s.

All of th tools w ’v cov r d so far ar gr at for id al situations, wh r our m dia


b hav s as w xp ct. In addition, th y all hav options or built in m chanisms that would
allow our acquisition to r ad past (or mor accurat ly “around”) any non-fatal disk rrors whil
syncing th output so that th r sulting imag might still b usabl . Whil many practition rs
sugg st th s options as a d fault for running dd r lat d commands, I t nd to urg against it.
Som of th r asons for this will b com mor appar nt in th following s ction.

Media Errors - ddrescue

Now that w hav a basic und rstanding of m dia acquisition and th coll ction of
vid nc imag s, what do w do if w run into an rror? Suppos you ar cr ating a disk
imag with dd and th command xits halfway through th proc ss with a r ad rror?

W can instruct dd to atteempt to r ad past th rrors using th conv=noerror option.


In basic t rms, this is t lling th dd command to ignor th rrors that it fiends, and atte mpt to
r ad past th m. Wh n w sp cify th noerror option it is a good id a to includ th sync
option along with it. Theis will “pad” th dd output wh r v r rrors ar found and nsur that
th output will b “synchroniz d” with th original disk. Theis may allow fiel syst m acc ss and
fiel r cov ry wh r rrors ar not fatal. Assuming that our subj ct driv is /dev/sdc, th
command will look som thing lik :

root@forensic1:~# dd if=/dev/sdc of=image.raw conv=noerror,sync

I would lik to caution for nsic xamin rs against using th conv=noerror,sync


option, how v r. Whil dd is capabl of r ading past rrors in many cas s, it is not d sign d to
actually recover any data from thos ar as. The r ar a numb r of tools out th r that ar
d sign d sp cifiecally for this purpos . If you n d to us conv=noerror,sync, th n you ar
using th wrong tool. Theat is not to say it will not work as adv rtis d (with som cav ats),
only that th r ar b tte r options, or at l ast important consid rations.

Which brings us to ddrescue.

123
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

T sting has shown that standard dd bas d tools ar simply inad quat for acquiring
disks that hav actual rrors. Theis is NOT to say that dd, dc3dd or dcfldd ar us l ssNfar
from it. The y ar just not optimal for rror r cov ry. You may b forc d to us dd or dc3dd
b caus of limits to xt rnal tool acc ss or consid rations of tim . W t ach dd in this guid
b caus th r ar instanc s wh r it may b th only tool availabl to you. In thos cas s,
und rstanding th us of command lin options to optimiz th r cov ry of th disk r gardl ss
of rrors is important for vid nc pr s rvation. How v r, if th r ar options, th n p rhaps a
diffo r nt tool would mak s ns .

Theis s ction is not m ant to provid an ducation on disk rrors, m dia failur , or typ s
of failur . Nor is it m ant to imply that any tool is b tte r or wors than any oth r. I will
simply d scrib th basic functionality and l av it to th r ad r to pursu th d tails.

First, l t's start with som of th issu s that aris with th us of common dd bas d
tools. For th most part, th s tools tak a “lin ar” approach to imaging, m aning that th y
start at th b ginning of th input fiel and r ad block by block until th nd of th fiel is
r ach d. Wh n an rror is ncount r d, th tool will ith r fail with an “input/output” rror,
or if a param t r such as conv=noerror is pass d, will ignor th rrors and atte mpt to r ad
through (or skip) th m, continuing to r ad block by block until it com s across r adabl data
again. H r is a simpl dd command on a disk with rrors. The disk is 41943040 s ctors:

root@forensic1:~# blockdev --getsz /dev/sdf


41943040

root@forensic1:~# dd if=/dev/sdf of=dd.raw


dd: error reading '/dev/sdf': Input/output error
12840+0 records in
12840+0 records out
6574080 bytes (6.6 MB, 6.3 MiB) copied, 0.157453 s, 41.8 MB/s

The dd command abov was only abl to r ad 12840 s ctors (which is 6574080 byt s, as
th dd output shows). The sam command, this tim using conv=noerror,sync will ignor
th rror, pad th rror s ctors with null byt s, and continu on:

root@forensic1:~# dd if=/dev/sdf of=errordisk.raw bs=512 conv=noerror,sync


dd: error reading '/dev/sdf': Input/output error
12840+0 records in
12840+0 records out
6574080 bytes (6.6 MB, 6.3 MiB) copied, 0.163426 s, 40.2 MB/s
dd: error reading '/dev/sdf': Input/output error
12840+1 records in
12841+0 records out
6574592 bytes (6.6 MB, 6.3 MiB) copied, 0.163724 s, 40.2 MB/s
dd: error reading '/dev/sdf': Input/output error

124
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

12840+2 records in
12842+0 records out
6575104 bytes (6.6 MB, 6.3 MiB) copied, 0.163989 s, 40.1 MB/s
dd: error reading '/dev/sdf': Input/output error
12840+3 records in
12843+0 records out
6575616 bytes (6.6 MB, 6.3 MiB) copied, 0.16426 s, 40.0 MB/s
dd: error reading '/dev/sdf': Input/output error
12840+4 records in
12844+0 records out
...
41943024+16 records in
41943040+0 records out
21474836480 bytes (21 GB, 20 GiB) copied, 1249.57 s, 17.2 MB/s

What you nd up with at th nd of this command is an imag of th ntir disk, but


with th rror s ctors fiell d in (sync’d) with z ros. Theis don to maintain corr ct offos ts within
fiel syst ms, tc.

Obviously, simpl failur (“giving up” wh n rrors ar ncount r d) is not good. Any
data in r adabl ar as b yond th rrors will b miss d. The probl m with ignoring rrors and
atte mpting to r ad through th m (using options lik conv=noerror) is that w ar furth r
str ssing a disk that is alr ady possibly on th v rg of compl t failur . The fact of th matte r
is that you may g t f w chanc s at r ading a disk that has r cord d “bad s ctors”. If th r is an
actual physical d f ct, th simpl act of r ading th bad ar as may mak matte rs wors ,
l ading to disk failur b for oth r viabl ar as of th disk ar coll ct d. All of this appli s, of
cours , to disks with “physical” storag . Solid stat storag is anoth r matte r ntir ly.

So, wh n w pass conv=noerror to an imaging command, w ar actually asking our


imaging tools to “grind through” th bad ar as. Why not initially skip ov r th bad s ctions
altog th r, sinc in many cas s r cov ry may b unlik ly? Inst ad w should conc ntrat on
r cov ring data from ar as of th disk that ar good. Onc th “good” data is acquir d, w can
go back and atte mpt to coll ct data from th rror ar as, pr f rably with a r cov ry algorithm
d sign d with purpos .

In a nutsh ll, that is th philosophy b hind ddrescue. Us d prop rly, ddrescue will
r ad th “h althy” portions of a disk fierst, and th n fall back to r cov ry mod – trying to r ad
data from bad s ctors. It do s this through th us of som v ry robust logging (r c nt
v rsions of ddrescue now r f r to th log fiel as a map figle), which allows it to r sum any
imaging job at any point, giv n a map fiel to work from. Theis is an important (p rhaps th
most important) point about using ddrescue - that is, with a map fiel you n v r n d to r -
r ad alr ady succ ssfully r cov r d s ctors. Wh n ddrescue r f r nc s th map fiel on
succ ssiv runs, it fiells in th gaps, it do s not “r do” work alr ady fienish d.

125
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

ddrescue is install d by d fault in Slackwar Linux (for full installations), but ch ck


with your distribution of choic to d t rmin availability.

The docum ntation for ddrescue is xc ll nt. The d tail d manual is in an info pag .
The command info ddrescue will giv you a gr at start to und rstanding how this program
works, including xampl s and th id as b hind th algorithm us d. I'll run through th
proc ss h r , but I strongly advis that you r ad th info pag for ddrescue b for atte mpting
to us it on a cas .

The fierst consid ration wh n using any r cov ry softwwar , is that th disk must b
acc ssibl by th Linux k rn l. If th driv do s not show up in th /dev structur , th n
th r 's no way to g t tools lik ddrescue to work.

N xt, w hav to hav a plan to r cov r as much data as w can from a bad driv . The
pr vailing philosophy of ddrescue is that w should atte mpt to g t all th good data figrst. Theis
diffo rs from normal dd bas d tools, which simply atte mpt to g t all th data at on tim in a
lin ar fashion. ddrescue us s th conc pt of “splitteing th rrors”. In oth r words, wh n an
ar a of bad s ctors is ncount r d, th rrors ar split until th “good” ar as ar prop rly
imag d and th unr adabl ar as mark d as bad. Finally, ddrescue atte mpts to r try th bad
ar as by r -r ading th m until w ith r g t data or fail aftw r a c rtain numb r of sp cifie d
atte mpts.

The r ar a numb r of ing nious options to ddrescue that allow th us r to try and
obtain th most important part of th disk fierst, th n mov on until as much of th disk is
obtain d as possibl . Ar as that ar imag d succ ssfully n d not b r ad mor than onc . As
m ntion d pr viously, this is mad possibl by a robust map fiel . The map fiel is writte n
p riodically during th imaging proc ss, so that v n in th v nt of any int rruption, th
s ssion can b r start d, k ping duplicat imaging ffoorts, and th r for disk acc ss, to a
minimum.

Giv n that w ar addr ssing for nsic acquisition h r , w will conc ntrat all our
ffoorts on obtaining th ntir disk, v n if it m ans multipl runs. The following xampl s
will b us d to illustrat how th most important options to ddrescue work for th for nsic
xamin r. W will conc ntrat on d tailing th map fiel us d by ddrescue so that th us r can
s what is going on with th tool, and how it op rat s.

L t's look at a simpl xampl of using ddrescue on a small driv without rrors, to
start. The simpl st way to run ddrescue is by providing th input fiel , output fiel and a nam
for our map fiel . Not that th r is no if= or of=. In ord r to g t a good look at how th map
fiel works, w 'll int rrupt our imaging proc ss halfway through, ch ck th map fiel to illustrat
how an int rruption is handl d, and th n r sum th imaging.

root@forensic1:~# ddrescue /dev/sde ddres.img.raw ddres.map


GNU ddrescue 1.21
Press Ctrl-C to interrupt

126
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

ipos: 1085 MB, non-trimmed: 0 B, current rate: 109 MB/s


opos: 1085 MB, non-scraped: 0 B, average rate: 361 MB/s
non-tried: 1062 MB, errsize: 0 B, run time: 3s
rescued: 1085 MB, errors: 0, remaining time: 3s
percent rescued: 50.54% time since last successful read: 0s
Copying non-tried blocks... Pass 1 (forwards)^C
Interrupted by user

H r w us d /dev/sde as our input fiel , wrot th imag to ddres.img.raw, and


wrot th map fiel to ddres.map. Not th output shows th progr ss of th imaging by
d fault, giving us a running count of th amount of data copi d or “r scu d”, along with a
count of th numb r of rrors ncount r d (in this cas z ro), and th imaging sp d. In this
cas , th proc ss was int rrupt d right at about 50% compl tion, with th ctrl-c k y combo.

Now l ts hav a look at our map fiel :

root@forensic1:~# cat ddres.map


# Mapfile. Created by GNU ddrescue version 1.21
# Command line: ddrescue /dev/sde ddres.img.raw ddres.map
# Start time: 2017-05-03 13:12:15
# Current time: 2017-05-03 13:12:28
# Copying non-tried blocks... Pass 1 (forwards)
# current_pos current_status
0x40B10000 ?
# pos size status
0x00000000 0x40B10000 +
0x40B10000 0x3F4EF000 ?

The map fiel shows us th curr nt status of acquisition 14. Lin s starting with a # ar
comm nts. The r ar two s ctions of not . The fierst non comm nt lin shows th curr nt
status of th imaging whil th s cond s ction (two lin s, in this cas ) shows th status of
various blocks of data. The valu s ar in h xad cimal, and ar us d by ddrescue to k p track
of thos ar as of th targ t d vic that hav mark d rrors, thos ar as that hav alr ady b n
succ ssfully r ad and writte n, and thos that r main to b r ad. The status symbols w will
discuss h r (tak n from th info pag ) ar as follows:

Charact r M aning
? non-tri d
* bad ar a non-trimm d
/ bad ar a non-scrap d
- bad hardwar block(s)
+ fienish d

14
The ddrescue info pag has a v ry d tail d xplanation of th map fiel structur .

127
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

In this cas w ar conc rn d only with th ? and th +. Ess ntially, wh n th copying


proc ss is int rrupt d, th log is us d to t ll ddrescue wh r th copying l ftw offo, and what has
alr ady b n copi d (or oth rwis mark d). The fierst s ction (status) alon may b sufficci nt in
this cas , sinc ddrescue n d only pickup wh r it l ftw offo, but in th cas of a disk with rrors,
th block s ction is r quir d so ddrescue can k p track of what ar as still n d to b r tri d as
good data is sought among th bad.

Translat d, our log would t ll us th following:

# current_pos current_status
0x40B10000 ?

- The status shows that th curr nt imaging proc ss is copying data at byt offos t
1085341696 (0x40B10000). In our fierst pass, this indicat s th “non-tri d” blocks.

# pos size status


0x00000000 0x40B10000 +
0x40B10000 0x3F4EF000 ?

- The data blocks from byt offos t 0 (0x00000000) of siz 1085341696 byt s
(0x40B10000) ar fienish d.
- The data block from offos t 1085341696 (0x40B10000) of siz 1062137856 byt s
(0x3F4EF000) ar still not tri d.

Not also that th siz of our partial imag fiel match s th siz of th block of data
mark d “fienish d” with th + symbol in our log fiel (siz bold for mphasis):

root@forensic1:~# ls -l ddres.img.raw
-rw-r--r-- 1 root root 1085341696 May 3 13:12 ddres.img.raw

W can continu and compl t th copy op ration now by simply invoking th sam
command. By sp cifying th sam input and output fiel s, and by providing th map fiel , w t ll
ddrescue to continu wh r it l ftw offo:

root@forensic1:~# ddrescue /dev/sde ddres.img.raw ddres.map


GNU ddrescue 1.21
Press Ctrl-C to interrupt
Initial status (read from mapfile)
rescued: 1085 MB, errsize: 0 B, errors: 0

Current status
ipos: 2147 MB, non-trimmed: 0 B, current rate: 3141 kB/s
opos: 2147 MB, non-scraped: 0 B, average rate: 55901 kB/s
non-tried: 0 B, errsize: 0 B, run time: 19s
rescued: 2147 MB, errors: 0, remaining time: n/a

128
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

percent rescued: 100.00% time since last successful read: 0s


Finished

root@forensic1:~# cat ddres.map


# Mapfile. Created by GNU ddrescue version 1.21
# Command line: ddrescue /dev/sde ddres.img.raw ddres.map
# Start time: 2017-05-04 09:19:13
# Current time: 2017-05-04 09:19:48
# Finished
# current_pos current_status
0x7FFF0000 +
# pos size status
0x00000000 0x7FFFF000 +

root@forensic1:~# echo $((0x7FFFF000))


2147479552

root@forensic1:~# ls -l ddres.img.raw
-rw-r--r-- 1 root root 2147479552 May 4 09:19 ddres.img.raw

The abov s ssion shows th output of th compl t d ddrescue command follow d by


th cont nts of th map fiel . The ddrescue command shows th initial status lin indicating
wh r w l ftw offo, and th n curr nt status through imag compl tion. The echo command
conv rts our h xad cimal valu to d cimal, just so w can illustrat that th total r scu d is
qual in siz to th siz of th imag .

The r al pow r of th map fiel li s in th fact that w can start and stop th imaging
proc ss as n d d and pot ntially atteack th r cov ry from diffo r nt dir ctions (using th -R
option to r ad th disk in r v rs ) until you’v scrap d tog th r as much of th original data as
you can. For xampl , if you had two id ntical disks, with mirror d data, and both had bad or
failing s ctors, you could probably r construct a compl t imag by imaging both with
ddrescue and using th sam map fiel (and output fiel ). Onc r cov r d and r cord d as such
in th map fiel , s ctors ar not acc ss d again. Theis limits th str ss to th disk.

Using a disk with known rrors w ’ll invok ddrescue with som additional options.
In this cas , I may hav start d imaging a subj ct disk using a common tool lik dd or dc3dd,
and found that th copy fail d with rrors. Knowing this, I’ll switch to using ddrescue. The
options in th b low command ar -i0 to indicat starting at offos t 0. Offos t 0 is th d fault,
but I’m b ing xplicit h r . The r ar situations wh r you might want to start at a diffo r nt
offos t and th n go backNth map fiel allows for this asily. The -d option m ans that w ar
going to dir ctly acc ss th disk, bypassing th k rn l cach . N xt, th -N option is provid d to
pr v nt ddrescue from “trimming” th bad ar as that ar found. Theis option allows ddrescue
to start th r cov ry proc ss by coll cting good data fierst, disturbing th rror ar as as littel as
possibl .

129
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

root@forensic1:~# ddrescue -i0 -d -N /dev/sdj bad_disk.raw bad_log.txt


GNU ddrescue 1.21
Press Ctrl-C to interrupt
ipos: 6619 kB, non-trimmed: 65536 B, current rate: 35454 kB/s
opos: 6619 kB, non-scraped: 0 B, average rate: 45497 kB/s
non-tried: 0 B, errsize: 0 B, run time: 7m 52s
rescued: 21474 MB, errors: 0, remaining time: n/a
percent rescued: 99.99% time since last successful read: 0s
Finished

root@forensic1:~# cat bad_log.txt


# Mapfile. Created by GNU ddrescue version 1.21
# Command line: ddrescue -i0 -d -N /dev/sdj bad_disk.raw bad_log.txt
# Start time: 2017-05-31 14:10:23
# Current time: 2017-05-31 14:18:20
# Finished
# current_pos current_status
0x00660000 +
# pos size status
0x00000000 0x00640000 +
0x00640000 0x00010000 *
0x00650000 0x4FF9B0000 +

root@forensic1:~# echo $((0x00010000))


65536

The output abov shows a coupl of things (highlights for mphasis). W hav th
compl t d initial run with th -N option, and th output shows that w hav 655536 byt s “non-
trimm d”, indicating an ar a of rrors. The map fiel shows th position of un-copi d ar a of
th disk (offos t 0x00640000) and a siz of 0x00010000 (655536 byt s). The status of this ar a is
indicat d with an ast risk. Not that th 655536 byt s is xactly 128 s ctors, and this is th
d fault “clust r” siz us d by ddrescue. Theis do s not m an that th r ar 128 s ctors that
cannot b r ad. It simply m ans that th entire clust r could not b r ad, and th -N option
pr v nt d “trimming”, or paring th s ctors down to small r r adabl chunks. The clust r siz
can b controll d with th --cluster-size=X option, wh r X is th numb r of s ctors in a
clust r. W now hav a partial imag .

Now w can continu th imaging with th sam input and output fiel , and th sam
map fiel , but this tim w r mov th -N option, allowing rror ar as to b trimm d, and w
add th -r option to sp cify th numb r of r tri s wh n a bad s ctor is ncount r d, which is
thr in this cas .

130
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

root@forensic1:~# ddrescue -r3 -d /dev/sdj bad_disk.raw bad_log.txt


GNU ddrescue 1.21
Press Ctrl-C to interrupt
Initial status (read from mapfile)
rescued: 21474 MB, errsize: 0 B, errors: 0

Current status
ipos: 6579 kB, non-trimmed: 0 B, current rate: 62464 B/s
opos: 6579 kB, non-scraped: 0 B, average rate: 62464 B/s
non-tried: 0 B, errsize: 3072 B, run time: 1s
rescued: 21474 MB, errors: 1, remaining time: 1s
percent rescued: 99.99% time since last successful read: 0s
Finished

root@forensic1:~# cat bad_log.txt


# Mapfile. Created by GNU ddrescue version 1.21
# Command line: ddrescue -r3 -d /dev/sdj bad_disk.raw bad_log.txt
# Start time: 2017-05-31 15:47:59
# Current time: 2017-05-31 15:47:59
# Finished
# current_pos current_status
0x00646400 +
# pos size status
0x00000000 0x00645A00 +
0x00645A00 0x00000C00 -
0x00646600 0x4FF9B9A00 +

root@forensic1:~# echo $((0x00000C00))


3072

root@forensic1:~# echo "3072/512" | bc


6

The output show that our “non-trimm d” ar as ar now 0, and th rror siz is 3072
byt s. Looking at th map fiel , w s that th r is a s ction of th disk that is mark d with th
“-”, indicating bad hardware blocks, which in this cas ar unr cov rabl . The siz in th map
fiel (0x00000C00) match s th errsize in th output (3072). Theis m ans w hav 6 bad
s ctors (512 byt s ach).

Whil w w r not abl to obtain th ntir disk in this xampl , hop fully you
r cogniz th b n fiets of th approach w tak using ddr scu to g t th good data fierst whil
r cov ring as much as w can b for acc ssing and pot ntially causing additional damag to
bad ar as of th disk.

131
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Imaging Over the Wire

The r may occasions wh r you want or n d to acquir an imag of a comput r using


a boot disk and n twork conn ctivity. Most oftw n, this approach is us d with a Linux boot
disk on th subj ct machin (th machin you ar going to imag ). Anoth r comput r, th
imaging coll ction platform, is conn ct d ith r via a n twork hub or switch; or through a
crossov r cabl . The r ar almost infienit confiegurations possibl . The s sorts of acquisitions
can v n tak plac across th country or anywh r around th world. The r asons and
applications of this approach rang from l v l of physical acc ss to th hardwar and int rfac
issu s to local r sourc s. As an xampl , you might com across a machin that has a driv
int rfac that is incompatibl with your quipm nt. If th r ar no xt rnal ports (USB for
xampl ), th n you might n d to r sort to th n twork int rfac to transf r data. So th driv
is l ftw in plac , and your coll ction platform is atteach d through a hub, switch, or via crossov r
cabl . Obviously th most s cur path b tw n th subj ct and coll ction platform is most
d sirabl . Wh r possibl , I would us ith r a crossov r cabl or my own small hub. Consid r
th s curity and int grity of your data if you atte mpt to transf r it across an nt rpris or v n
xt rnal n twork. W will conc ntrat on th m chanics h r , and th v ry basic commands
r quir d. As always, I urg you to follow along.

First, l ts clarify som t rminology for th purpos of our discussion h r . In this


instanc , th comput r w want to imag will b r f rr d to as th subject comput r. The
comput r to which w ar writing th imag will b r f rr d to as th collection box.

In ord r to accomplish imaging across th n twork, w will n d to s tup our coll ction
box to “list n” for data from our subj ct box. W do this using netcat, th nc command. The
basic s tup looks lik this (imag on th following pag ):

132
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Linux Boot CD

crossover cable / hub

Evidence Collection
Subject Computer: Computer
192.168.0.2 192.168.0.1
(net cat “listener”)

Evidence Storage Drive


(/mnt/evid)

Onc you hav th subj ct comput r boot d with a Linux Boot CD (pr f rably on that
is s t up with for nsics in mind). You’ll n d to nsur th two comput rs ar confiegur d on
th sam n twork, and can communicat .

Ch cking and confieguring n twork int rfac s is accomplish d with th ifconfig


command (int rfac confiegur ). If you run ifconfig -a, you will g t a list of int rfac s and
th ir curr nt (if any) s tteings. On my coll ction box, to short n th output, I’ll run th
command on th n twork int rfac (eth0) dir ctly:

root@forensic1:~# ifconfig eth0


eth0: flags=4098<BROADCAST,MULTICAST> mtu 1500
ether 10:bf:48:7f:79:a1 txqueuelen 1000 (Ethernet)
RX packets 1985243 bytes 3005490688 (2.7 GiB)
RX errors 0 dropped 3 overruns 0 frame 0
TX packets 872940 bytes 62217638 (59.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 20 memory 0xf7e00000-f7e20000

Right now, th output is showing no IPv4 addr ss and th eth0 int rfac is down. I can
giv it a simpl addr ss with th ifconfig command again, this tim sp cifying som simpl
s tteings:

133
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

root@forensic1:~# ifconfig eth0 192.168.0.1 netmask 255.255.255.0

root@forensic1:~# ifconfig eth0


eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255
ether 10:bf:48:7f:79:a1 txqueuelen 1000 (Ethernet)
RX packets 1985243 bytes 3005490688 (2.7 GiB)
RX errors 0 dropped 3 overruns 0 frame 0
TX packets 872940 bytes 62217638 (59.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 20 memory 0xf7e00000-f7e20000

Now th output abov shows th int rfac is “up”, and th addr ss is now
192.168.0.1, and th n tmask and broadcast addr ss ar also s t. For now that’s all for our
coll ction workstation as far as simpl confieguration go s.

On our subj ct work station, w ’ll n d to boot it with a suitabl boot disk. I carry
s v ral with m , and just about any of th m will work as long as th y hav a robust tools t.
Onc you boot th subj ct syst m, r p at th st ps abov to s tup a simpl n twork int rfac ,
making sur that th two comput rs ar physically conn ct d via crossov r cabl , hub, or som
oth r m ans. Not th prompt chang h r to illustrat w ar working on th SUBJECT
comput r now, and not our coll ction syst m:

root@bootdisk:~# ifconfig eth0 192.168.0.2 netmask 255.255.255.0

root@bootdisk:~# ifconfig eth0


eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.2 netmask 255.255.255.0 broadcast 192.168.0.255
ether 08:00:27:99:d6:30 txqueuelen 1000 (Ethernet)
RX packets 73 bytes 11716 (11.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 16 bytes 1392 (1.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Not th IP addr ss s of our syst ms:

Subj ct Comput r: 192.168.0.2


Coll ction Syst m: 192.168.0.1

W can th n s if w can communicat with our vid nc coll ction syst m


(192.168.0.1) using th ping command (which w int rrupt with ctrl-c):

134
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

root@bootdisk:~# ping 192.168.0.1


PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.134 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.185 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=0.179 ms
64 bytes from 192.168.0.1: icmp_seq=4 ttl=64 time=0.165 ms
^C
--- 192.168.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 4094ms
rtt min/avg/max/mdev = 0.151/0.200/0.310/0.058 ms

Now that w hav both comput rs talking, w can b ing our imaging. Ch ck th hash
of th subj ct disk:

root@bootdisk:~# sha1sum /dev/sda


8f6cec10ae87d6ff4590ba809ba51385679738ed /dev/sda

Over the Wire - dd

The n xt st p is to op n a “list ning” port on th coll ction comput r. W will do this


on our vid nc coll ction syst m with nc (our netcat utility), making sur w hav a
mount d fiel syst m to stor th imag on. In this cas w ar using an xt rnal USB driv
mount d on /mnt/evid to stor our imag :

root@forensic1:~# nc -l -p 2525 | dd of=/mnt/evid/net_img.raw

Theis command op ns a netcat (nc) list ning s ssion (-l) on TCP port 2525 (-p 2525)
and pip s any trafficc that com s across that port to th dd command (with only th of= flaag),
which writ s th fiel /mnt/evid/net_image.dd.

N xt, on th subj ct comput r (again not th command prompt with th hostnam


“bootdisk”), w issu th dd command. Inst ad of giving th command an output fiel
param t r using of=, w pip th dd command output to n tcat (nc) and s nd it to our
list ning port (2525) on th coll ction comput r at IP addr ss 192.166.0.1.

root@bootdisk:~# dd if=/dev/sda | nc 192.168.0.1 2525

Theis command pip s th output of dd straight to nc, dir cting th imag ov r th


n twork to TCP port 2525 on th host 192.168.5.20 (our coll ction box's IP addr ss). If you

135
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

want to us dd options lik conv=noerror,sync or bs=x, th n you do that on th dd sid of th


pip :

root@bootdisk:~# dd if=/dev/sda bs=4096 | nc 192.168.55.20 2525

Onc th imaging is compl t 15, w will s that th commands at both nds app ar to
“hang”. Aftw r w r c iv our compl tion m ssag s from dd on both box s (records in /
records out), w can kill th nc list ning on our coll ction box with a simpl ctrl c. Theis
should r turn our prompts on both sid s of th conn ctions. You should th n ch ck both th
hash of th physical disk that was imag d on th subj ct comput r and th r sulting imag on
th coll ction box to s if th y match.

root@forensic1:~# sha1sum /mnt/evid/net_img.raw


8f6cec10ae87d6ff4590ba809ba51385679738ed /mnt/evid/net_img.raw

Our hash s match and our n twork acquisition was succ ssful.

Over the Wire - dc3dd

As w discuss d pr viously, th r ar a numb r of tools w can us for imaging that


provid a mor for nsic ori nt d approach. dc3dd is as good a choic for ov r th wir
imaging as it is on local disks. You also hav som fla xibility with dc3dd in that v n if your
boot disk do s not com with it install d, you ar still abl to us all its f atur s on th
vid nc coll ction comput r.

dc3dd do s all its magic on th output sid of th acquisition proc ss (unl ss you ar
acquiring from fiel s ts or som oth r non-standard sourc ). Theis m ans w can us plain dd
on our subj ct comput r (using th boot disk) to acquir th disk and str am th cont nts
across our netcat pip , and still allow dc3dd on our coll ction machin to handl hashing,
splitteing and logging. Most of dc3dd’s options and param t rs work on th output str am. So,
whil our list ning proc ss on th coll ction syst m will us dc3dd commands, th subj ct
syst m can us th sam dd commands w us d b for .

On th coll ction syst m, l t’s s t up a list ning proc ss that us s dc3dd to split th
incoming data str am into 2GB chunks and logs th output to nc.dc3dd.raw. As soon as w
initiat our command, dc3dd will start and sit waiting for input from th list ning port ( 2525):

root@forensic1:~# nc -l -p 2525 | dc3dd ofs=/mnt/evid/nc.dc3dd.000 ofsz=2G


log=/mnt/evid/nc.dc3dd.log

PRO TIP: You can watch th progr ssion of th imag on your coll ction syst m by op ning anoth r t rminal
15

and “watching” th siz of th fiel grow. Us watch ls -lh net_img.raw and ctrl-c wh n it’s compl t . watch
will updat th command ls -lh v ry two s conds until you stop it.

136
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

dc3dd 7.2.641 started at 2017-05-05 23:39:47 -0400


compiled options:
command line: dc3dd ofs=nc.dc3dd.000 ofsz=2G log=nc.dc3dd.log
sector size: 512 bytes (assumed)
0 bytes ( 0 ) copied (??%), 3 s, 0 K/s

The dc3dd output will start imm diat ly, but stay at 0 bytes until it r c iv s input
through th pip . As soon as you start th imaging proc ss on th subj ct machin , you’ll s
th dc3dd command on th list ning machin start to proc ss th incoming data. Again
notic w ar using plain dd on th subj ct box to simply str am byt s ov r th pip . dc3dd
tak s ov r on th coll ction machin to impl m nt our dc3dd options and logging.

root@bootdisk:~# dd if=/dev/sda | nc 192.168.0.1 2525

Wh n th transf r is compl t , w can look at th r sulting fiel s and th dc3dd log on


our coll ction machin .

root@forensic1:~# ls -l /mnt/evid/nc.dc3dd.*
-rw-r--r-- 1 root root 0 May 5 23:40 nc.dc3dd.000
-rw-r--r-- 1 root root 2147483648 May 5 23:16 nc.dc3dd.001
-rw-r--r-- 1 root root 2147483648 May 5 23:17 nc.dc3dd.002
-rw-r--r-- 1 root root 2147483648 May 5 23:18 nc.dc3dd.003
-rw-r--r-- 1 root root 2147483648 May 5 23:19 nc.dc3dd.004
-rw-r--r-- 1 root root 2147483648 May 5 23:20 nc.dc3dd.005
-rw-r--r-- 1 root root 935 May 5 23:40 nc.dc3dd.log

root@forensic1:~# cat /mnt/evid/nc.dc3dd.log


dc3dd 7.2.641 started at 2017-05-05 23:11:40 -0400
compiled options:
command line: dc3dd ofs=nc.dc3dd.000 ofsz=2G log=nc.dc3dd.log
sector size: 512 bytes (assumed)
12884901888 bytes ( 12 G ) copied (??%), 747.491 s, 16 M/s

input results for file `stdin':


25165824 sectors in

output results for files `nc.dc3dd.000':


25165824 sectors out

dc3dd aborted at 2017-05-05 23:24:08 -0400

W can s that th dc3dd log nd d with an “abort d” m ssag b caus w had to


manually stop th list ning proc ss (with ctrl-c) sinc in this cas dc3dd is not handling th

137
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

input its lf, but just acc pting th str am through netcat – you n d to manually t ll it wh n
th str am is compl t . Again, wh n compl t d, you should ch ck th r sulting hash s against
our original hash of /dev/sda on th subj ct machin .

Over the Wire - ewfacquirestream

Last, but not l ast, w will cov r a tool that will allow us to tak a str am of input (with
th sam netcat pip ) and cr at an EWF fiel from it. ewfacquirestream acts much lik
ewfacquire (and is part of th sam lib wf packag w install d pr viously), but allows for
data to b gath r d via standard input. The most obvious us for this is taking data pass d by
our netcat pip .

In pr vious xampl s, onc th data r ach d th d stination coll ction comput r, th


list ning netcat proc ss pip d th output to th dd or dc3dd command output string, and th
fiel was writte n xactly as it cam across, as a bitstr am imag .

But by using ewfacquirestream, w can cr at EWF fiel s inst ad of a bitstr am imag .


W simply pip th output str am from netcat to ewfacquirestream. If w do not wish to
hav th program us d fault valu s, th n w issu th command with options that d fien how
w want th imag mad (s ctors, hash algorithms, rror handling, tc.) and what information
w want stor d. The command on th subj ct machin r mains th sam . The command on
th coll ction syst m would look som thing lik this (utilizing many of th command d faults):

root@forensic1:~# nc -l -p 2525 | ewfacquirestream -C 111-222 -D 'Subject drive' -


e 'Barry Grundy' -E '1' -f encase6 -m fixed -M physical -N 'Imaged via network' -t
/mnt/evid/nc_ewf_image
...
Acquiry started at: May 06, 2017 09:40:22
This could take a while. <-- output sits here until the acquisition
is started on the subject computer
...

Theis command tak s th output from n tcat (nc) and pip s it to ewfacquirestream.
● th cas numb r is sp cifie d with -C
● th vid nc d scription is giv n with -D
● th xamin r giv n with -e
● vid nc numb r with -E
● encase6 format is sp cifie d with -f encase6
● th m dia typ is giv n with -m
● th m dia flaags ar giv n with -M
● not s ar provid d with -N
● th targ t path and fiel nam is sp cifie d with -t /path/fille.

138
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

No xt nsion is giv n, and ewfacquirestream automatically app nds an E01 xt nsion


to th r sulting fiel . To g t a compl t list of options, look at th man pag s, or run th
command with th -h option.

Back on th subj ct syst m w us our standard “s nd th data across th wir from a


subj ct comput r” commandN

root@bootdisk:~# dd if=/dev/sda | nc 192.168.55.20 2525

Onc th acquisition compl t s (you’ll n d to stop th ewfacquirestream proc ss on


th coll ction syst m wh n th dd command compl t s on th subj ct syst m), you can look at
th r sulting fiel s, and compar th hash s. Sinc w us d sha1sum pr viously, w ’ll r -run
with md5sum to compar against th ewfverify output:

root@bootdisk:~# md5sum /dev/sda


c96c510404d99b4684e50a6995443c9a /dev/sda

root@forensic1:~# ls -lh /mnt/evid/nc_ewf_image .E0*


-rw-r--r-- 1 root root 1.5G May 6 09:50 nc_ewf_image.E01
-rw-r--r-- 1 root root 1.5G May 6 09:50 nc_ewf_image.E02
-rw-r--r-- 1 root root 1.5G May 6 09:50 nc_ewf_image.E03
-rw-r--r-- 1 root root 1.5G May 6 09:50 nc_ewf_image.E04
-rw-r--r-- 1 root root 1.5G May 6 09:50 nc_ewf_image.E05
-rw-r--r-- 1 root root 1.5G May 6 09:50 nc_ewf_image.E06
-rw-r--r-- 1 root root 1.5G May 6 09:50 nc_ewf_image.E07
-rw-r--r-- 1 root root 1.5G May 6 09:50 nc_ewf_image.E08
-rw-r--r-- 1 root root 293M May 6 09:50 nc_ewf_image.E09

root@forensic1:~# ewfverify nc_ewf_image.E01


ewfverify 20140608

Verify started at: May 06, 2017 09:51:52


...
Verify completed at: May 06, 2017 09:55:50

Read: 12 GiB (12884901888 bytes) in 3 minute(s) and 58 second(s) with 51 MiB/s


(54138243 bytes/second).

MD5 hash stored in file: c96c510404d99b4684e50a6995443c9a


MD5 hash calculated over data: c96c510404d99b4684e50a6995443c9a

ewfverify: SUCCESS

...and our v rifiecation is succ ssful.

139
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Over the Wire – Other Options

H r w ’v cov r d th v ry basics and m chanics of imaging m dia ov r a n twork


pip . netcat is not your only solution to this, though it is on of th simpl r options and is
usually availabl on most boot disks and Linux syst ms.

In r ality, you might want to consid r wh th r you want your data ncrypt d as it
trav rs s th n twork. In our xampl abov , w may hav b n conn ct d via a crossov r
cabl (int rfac to int rfac ) or through a standalon n twork hub. But what if you ar in a
situation wh r th only m ans of coll ction is r mot ? Or ov r nt rpris n twork hardwar
(switch s, tc.)? In that cas you would want ncryption. For that you could us cryptcat, or
v n ssh. Now that you und rstand th basic m chanics of this t chniqu , you ar urg d to
xplor oth r tools and m thods. The r ar proj cts our th r lik rdd
(https://sourceforge.net/projects/rdd/) and air
(https://sourceforge.net/projects/air-imager/) you might want to xplor , for mor
than just n twork imaging.Compr ssion on th Fly with dd

Anoth r us ful capability whil imaging is compr ssion. Consid ring our conc rn for
for nsic application h r , w will b sur to manag our compr ssion t chniqu so that w can
v rify our hash s without having to d compr ss and writ our imag s out b for ch cking
th m.

For this x rcis , w 'll us th GNU gzip application. gzip is a command lin utility
that allows us som fairly granular control ov r th compr ssion proc ss. The r ar oth r
compr ssion utiliti s (lzip, xz, tc.), but w ’ll conc ntrat on gzip for th sam r asons w
l arn d dd and vi...almost always availabl , and fien starting plac to l arn th command lin
conc pts. Most sourc packag s for softwwar is minimally availabl in a gz compr ss d format,
but I urg you to xplor oth r compr ssion options on your own.

First, for th sak of familiarity, l t's look at th simpl us of gzip on a singl fiel and
xplor som of th options at our disposal. I hav cr at d a dir ctory call d testcomp and I'v
copi d th imag fiel NTFS_Pract_2017.raw into that dir ctory to practic on. Theis giv s m
an unclutte r d plac to xp rim nt. First, l t's doubl ch ck th hash of th imag :

root@forensic1:~# mkdir testcomp

root@forensic1:~# cp NTFS_Pract_2017.raw testcomp/.

root@forensic1:~# cd testcomp/

root@forensic1:~/testcomp# ls -lh
total 501M
-rw-r--r-- 1 root root 500M May 6 12:10 NTFS_Pract_2017.raw

root@forensic1:~/testcomp# sha1sum NTFS_Pract_2017.raw


094123df4792b18a1f0f64f1e2fc609028695f85 NTFS_Pract_2017.raw

140
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Now, in its most simpl form, w can call gzip and simply provid th nam of th fiel
w want compr ss d. Theis will replace th original fiel with a compr ss d fiel that has a .gz
sufficx app nd d.

root@forensic1:~/testcomp# gzip NTFS_Pract_2017.raw

root@forensic1:~/testcomp# ls -lh
total 61M
-rw-r--r-- 1 root root 61M May 6 12:10 NTFS_Pract_2017.raw.gz

So now w s that w hav r plac d our original 500M fiel with a 61M fiel that has a
.gz xt nsion. To d compr ss th r sulting .gz fiel :

root@forensic1:~/testcomp# gzip -d NTFS_Pract_2017.raw.gz

root@forensic1:~/testcomp# ls -lh
total 500M
-rw-r--r-- 1 root root 500M May 6 12:10 NTFS_Pract_2017.raw

root@forensic1:~/testcomp# sha1sum NTFS_Pract_2017.raw


094123df4792b18a1f0f64f1e2fc609028695f85 NTFS_Pract_2017.raw

W 'v d compr ss d th fiel and r plac d th .gz fiel with th original imag . A ch ck
of th hash shows that all is in ord r.

Suppos w would lik to compr ss a fiel but l av th original intact. W can us th


gzip command with th -c option. Theis writ s to standard output inst ad of a r plac m nt
fiel . Wh n using this option w n d to r dir ct th output to a fiel nam of our choosing so
that th compr ss d fiel is not simply str am d to our t rminal. H r is a sampl s ssion using
this t chniqu :

root@forensic1:~/testcomp# ls -lh
total 501M
-rw-r--r-- 1 root root 500M May 6 12:10 NTFS_Pract_2017.raw

root@forensic1:~/testcomp# gzip -c NTFS_Pract_2017.raw > NewImage.raw.gz

root@forensic1:~/testcomp# ls -lh
total 561M
-rw-r--r-- 1 root root 500M May 6 12:10 NTFS_Pract_2017.raw
-rw-r--r-- 1 root root 61M May 6 12:32 NewImage.raw.gz

root@forensic1:~/testcomp# gzip -cd NewImage.raw.gz > NewUncompressed.raw

141
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

root@forensic1:~/testcomp# ls -lh
total 1.1G
-rw-r--r-- 1 root root 500M May 6 12:10 NTFS_Pract_2017.raw
-rw-r--r-- 1 root root 61M May 6 12:32 NewImage.raw.gz
-rw-r--r-- 1 root root 500M May 6 12:33 NewUncompressed.raw

root@forensic1:~/testcomp# sha1sum NewUncompressed.raw


094123df4792b18a1f0f64f1e2fc609028695f85 NewUncompressed.raw

In th abov output, w s that th fierst dir ctory listing shows th singl imag fiel .
W th n compr ss using gzip -c which writ s to standard output. W r dir ct that output to
a n w fiel (nam of our choic ). The s cond listing shows that th original fiel r mains, and th
compr ss d fiel is cr at d. W th n us gzip -cd to d compr ss th fiel , r dir cting th
output to a n w fiel and this tim pr s rving th compr ss d fiel .

The s ar v ry basic options for th us of gzip. The r ason w l arn th -c option is


to allow us to d compr ss a fiel and pip th output to a hash algorithm. In a mor practical
s ns , this allows us to cr at a compr ss d imag and ch ck th hash of that imag without
writing th fiel twic .

If w go back to a singl imag fiel in our dir ctory, w can s this in action. R mov
all th fiel s w just cr at d (using th rm command) and l av th singl original dd imag .
Now w will cr at a singl compr ss d fiel from that original imag and th n ch ck th hash
of th compressed fiel to nsur it's validity:

root@forensic1:~/testcomp# ls -lh
total 501M
-rw-r--r-- 1 root root 500M May 6 12:10 NTFS_Pract_2017.raw

root@forensic1:~/testcomp# gzip NTFS_Pract_2017.raw

root@forensic1:~/testcomp# ls -lh
total 61M
-rw-r--r-- 1 root root 61M May 6 12:10 NTFS_Pract_2017.raw.gz

root@forensic1:~/testcomp# gzip -cd NTFS_Pract_2017.raw.gz | sha1sum


094123df4792b18a1f0f64f1e2fc609028695f85 -

root@forensic1:~/testcomp# ls -lh
total 61M
-rw-r--r-- 1 root root 61M May 6 12:10 NTFS_Pract_2017.raw.gz

142
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

First w s that w hav th corr ct hash. The n w compr ss th imag with a simpl
gzip command that r plac s th original fiel . Now, all w want to do n xt is ch ck th hash of
our compr ss d imag without having to writ out a n w imag . W do this by using gzip -c
(to standard out) -d (d compr ss), passing th nam of our compr ss d fiel but piping th
output to our hash algorithm (in this cas sha1sum). The r sult shows th corr ct hash of th
output str am, wh r th output str am is signifie d by th -.

Okay, so now that w hav a basic grasp of using gzip to compr ss, d compr ss, and
v rify hash s, l t's put it to work “on th flay” using dd to cr at a compr ss d imag . W will
th n ch ck th compr ss d imag 's hash valu against an original hash.

Find a small thumb driv or oth r r movabl m dia to imag . I’ll b using a small 8GB
USB stick. Cl ar out th testcomp dir ctory so that w hav a cl an plac to writ our imag
to (or wh r v r you hav th spac to writ ).

Obtaining a compr ss d dd imag on th flay is simply a matte r of str aming our dd


output through a pip to th gzip command and r dir cting that output to a fiel . Our r sulting
imag 's hash can th n b ch ck d using th sam m thod w us d abov . Consid r th
following s ssion. The physical d vic w hav as an xampl in this cas is /dev/sdi (if you
ar using a d vic to follow along, r m mb r to us lsscsi or lsblk to fiend th corr ct d vic
fiel ).

root@forensic1:~/testcomp# sha1sum /dev/sdi


21e8e6e63bfc9ec3f7a78233956e7ddb94bb2cfc /dev/sdi

root@forensic1:~/testcomp# dd if=/dev/sdi | gzip -c > sdi_image.raw


15695871+0 records in
15695871+0 records out
8036285952 bytes (8.0 GB, 7.5 GiB) copied, 283.091 s, 28.4 MB/s

root@forensic1:~/testcomp# ls -lh
total 2.8G
-rw-r--r-- 1 root root 2.8G May 6 13:05 sdi_image.raw

root@forensic1:~/testcomp# gzip -cd sdi_image.raw | sha1sum


21e8e6e63bfc9ec3f7a78233956e7ddb94bb2cfc -

In th abov dd command th r is no “output fiel ” sp cifie d, just as wh n w pip d th


output to netcat in our “ov r th wir ” s ction. The output is simply pip d straight to gzip
for r dir ction into a n w fiel . W th n follow up with our int grity ch ck by d compr ssing
th fiel to standard output and hashing th str am. The hash s match, so w can s that w
us d dd to acquir a compr ss d imag (2.8G vs. th 8G d vic ), and v rifie d our acquisition
without th n d to d compr ss (and writ to disk) fierst.

143
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Now l t’s go on st p furth r in our on th flay compr ssion d monstration. How about
putteing a f w of th s st ps altog th r? R call our imaging ov r th n twork through netcat.
If you look at th diffo r nt siz s of our compr ss d vs. uncompr ss d imag s, you’ll s th r ’s
quit a diffo r nc in siz (which will, of cours , d p nd on th compr ss-ability of th data on
th volum b ing imag d). Do you think it might b fast r to compr ss data b for s nding
ov r th n twork? L t’s fiend out.

Going back to our simpl n twork s tup, l t’s do th sam imaging, but this tim w ’ll
pip to gzip -c on on sid of th n twork and gzip -cd on th oth r, ffo ctiv ly s nding
compr ss d data across th wir . The r sulting imag is NOT compr ss d. W d compr ss it
b for it r ach s th imaging tool. You can l ct to l av that out if you lik and simply writ a
compr ss d imag .

W ’ll start by hashing th subj ct hard driv again from our boot disk. Assuming th
n twork s tteings ar all corr ct, and th n op ning our netcat list n r and dc3dd proc ss on
th coll ction box:

root@bootdisk:~# sha1sum /dev/sda


8f6cec10ae87d6ff4590ba809ba51385679738ed /dev/sda

Op n th list ning proc ss, r dir cting th output to a fiel . I’m using dc3dd with hof=
to coll ct input and output hash to compar with th sha1sum abov .

root@forensic1:~/testcomp# nc -l -p 2525 | gzip -cd | dc3dd hash=sha1


hof=ncgzuncomp.raw log=ncgzuncomp.log

And now start th imaging on th subj ct box:

root@bootdisk:~# dd if=/dev/sda | gzip -c | nc 192.168.0.1 2525

Wh n th imaging is compl t , w can ch ck th r sulting dc3dd log, ncgzuncomp.log,


to v rify th int grity of th r sulting imag :

root@forensic1:~/testcomp# ls -lh ncgzuncomp.raw


-rw-r--r-- 1 root root 12G May 6 13:46 ncgzuncomp.raw

root@forensic1:~/testcomp# cat ncgzuncomp.log

dc3dd 7.2.641 started at 2017-05-06 13:38:13 -0400


compiled options:
command line: dc3dd hash=sha1 hof=ncgzuncomp.raw log=ncgzuncomp.log
sector size: 512 bytes (assumed)
12884901888 bytes ( 12 G ) copied (??%), 522.142 s, 24 M/s

144
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

12884901888 bytes ( 12 G ) hashed ( 100% ), 32.435 s, 379 M/s

input results for file `stdin':


25165824 sectors in
8f6cec10ae87d6ff4590ba809ba51385679738ed (sha1)

output results for file `ncgzuncomp.raw':


25165824 sectors out
[ok] 8f6cec10ae87d6ff4590ba809ba51385679738ed (sha1)

dc3dd completed at 2017-05-06 13:46:55 -0400

A coupl of things to notic h r . First, our hash s match. W succ ssfully r ad a


d vic , compr ss d th data, pip d it ov r a n twork, d compr ss d th data and wrot an
imag fiel . The r ason w do this is to sav som tim . Hav a look at th tim it took to
imag (from th log fiel ) and compar it against our arli r imag using n tcat without
compr ssion:

Without compr ssion (from pr vious x rcis ): (dd | netcat)


12884901888 bytes ( 12 G ) copied (??%), 747.491 s, 16 M/s

With compr ssion: (dd | gzip | netcat)


12884901888 bytes ( 12 G ) copied (??%), 522.142 s, 24 M/s

Almost four minut s savings by compr ssing th data b for transporting it. K p in
mind that th us fuln ss of this is d p nd nt on wh r your particular bottel n cks ar . On a
local n twork, via crossov r cabl , and writing to a USB 2.0 driv , compr ssing across th
n twork may hav littel impact. But if you ar imaging ov r an nt rpris n twork, or
r mot ly, you may s quit a p rformanc gain from compr ssion. Your r sults may vary, but
b awar of th t chniqu .

Preparing a Disk for the Suspect Image

On common practic in for nsic disk analysis is to sanitiz or “wip ” a disk prior to
r storing or copying a for nsic imag to it. Theis nsur s that any data found on th r stor d
disk is from th imag and not from “r sidual” data. Theat is, data l ftw b hind from a pr vious
cas or imag . In t chnical t rms, r sidual data should n v r b an issu unl ss your op rating
syst m or for nsic softwwar is drastically brok n. Theough th r has b n som conc rn ov r
wh th r an xamin r accid ntally physically s arch s a device rath r than an imag fiel on the
d vic . In l gal t rms it’s an important st p to nsur complianc with b st practic s that hav
b n around for a long whil .

W ’v alr ady cov r d simpl acquisitions, and m dia sanitization is a st p that is


normally p rform d before you conduct vid nc coll ction. It is b ing introduc d h r

145
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

b caus it mak s mor s ns to cov r th subj ct of imaging wh n introducing imaging tools


rath r than introducing driv wiping b for w ’v cov r d th tools w ’ll us .

On to wipingN W can us a sp cial d vic , /dev/zero as a sourc of z ros. Theis can


b us d to cr at mpty fiel s and wip portions of disks. You can writ z ros to an ntir disk
(or at l ast to thos ar as acc ssibl to th k rn l and us r spac ) using th following command
(assuming /dev/sdc is th disk you want to wip ):

root@forensic1:~# dd if=/dev/zero of=/dev/sdc bs=32k


dd: error writing '/dev/sdj': No space left on device
64945+0 records in
64944+0 records out
2128084992 bytes (2.1 GB, 2.0 GiB) copied, 294.083 s, 7.2 MB/s

Theis starts at th b ginning of th driv and writ s z ros (th input fiel ) to v ry s ctor
on /dev/sdc (th output fiel ) in 32 kilobyt chunks (bs =<block size>). Sp cifying larg r
block siz s can sp d th writing proc ss (d fault is 512 byt s). Exp rim nt with diffo r nt
block siz s and s what ffo ct it has on th writing sp d (i. . 32k, 64k, tc.). B car ful of
missing partial blocks at th nd of th output if your block siz is not a prop r multipl of th
d vic siz . The rror No spac l ftw on d vic indicat s that th d vic has b n fiell d with
z ros. And, of cours , b v ry sur that th targ t disk is in fact th disk you int nd to wip .
Ch ck and doubl ch ck.

dc3dd mak s th wiping proc ss v n asi r and provid s options to wip with sp cifiec
patte rns. In it’s simpl st form, dc3dd can wip a disk with a simpl :

root@forensic1:~# dc3dd wipe=/dev/sdc

So how do w v rify that our command to writ z ros to a whol disk was a succ ss?
You could ch ck random s ctors with a h x ditor, but that’s not r alistic for a larg driv . On
of th b st m thods would b to us th xxd command (command lin h xdump) with th
“autoskip” option. The output of this command on a z ro’d driv would giv just thr lin s.
The fierst lin , starting at offos t z ro with a row of z ros in th data ar a, follow d by an ast risk
(*) to indicat id ntical lin s, and fienally th last lin , with th fienal offos t follow d by th
r maining z ros in th data ar a. H r ’s an xampl of th command on a z ro’d driv and its
output.

root@forensic1:~# xxd -a /dev/sdj


00000000: 0000 0000 0000 0000 0000 0000 0000 0000 ................
*
7ed7fff0: 0000 0000 0000 0000 0000 0000 0000 0000 ................

146
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Using dc3dd with th hwipe option (hash th wip ), th confiermation would look lik
this (and is far quick r than th dd/xdd combination):

root@forensic1:~# dc3dd hwipe=/dev/sdj hash=sha1

dc3dd 7.2.641 started at 2017-05-06 17:10:44 -0400


compiled options:
command line: dc3dd hwipe=/dev/sdj hash=sha1
device size: 4156416 sectors (probed), 2,128,084,992 bytes
sector size: 512 bytes (probed)
2128084992 bytes ( 2 G ) copied ( 100% ), 471 s, 4.3 M/s
2128084992 bytes ( 2 G ) hashed ( 100% ), 148 s, 14 M/s

input results for pattern `00':


4156416 sectors in
4c9b7786abd51a554b35193dd1805476859903f4 (sha1)

output results for device `/dev/sdj':


4156416 sectors out
[ok] 4c9b7786abd51a554b35193dd1805476859903f4 (sha1)

dc3dd completed at 2017-05-06 17:18:35 -0400

Final Words on Imaging

Anyon who has work d in th for nsic fie ld for any l ngth of tim can t ll you that
th acquisition proc ss is th foundation of our busin ss. Ev rything ls w do can b cross
v rifie d and validat d aftw r th fact. But you oftw n only g t on shot at a prop r acquisition.
You may hav a limit d amount of tim on sit , or on shot at r cov ring data from a disk
driv . Mak sur you und rstand how th tools work, and what th options actually do.
Validating your approach prior to using it in liv fie ld work is ss ntial.

Theis s ction has introduc d a numb r of basic tools and a rough t chnical proc ss.
R quir m nts and a proc dur s vary from jurisdiction to jurisdiction and across organizations.
Know th r quir m nts of your particular gov rning body, and adh r to th m.

K p in mind also that t chnological advanc s will chang much of how w do


acquisitions. Solid stat m dia and storag t chnologi s ar mor than just chang s to th
int rfac that may r quir an adapt r. The way data is physically b ing stor d and data blocks
manipulat d is a constant volution. The ntir approach to “obtaining an xact duplicat ” is
changing as storag m thods and t chnologi s advanc . Don’t g t too comfortabl !

147
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Mounting Evidence

W ’v alr ady discuss d th mount command and using it to acc ss fiel syst ms on
xt rnal d vic s. Now that w ar working with for nsic imag s, w ’ll n d to acc ss thos as
w ll. The r ar two ways w do this: through for nsic softwwar “physically”; or through
volum mounting “logically”.

Wh n w acc ss th imag with for nsic softwwar , w ar acc ssing th ntir physical
imag including unallocat d blocks and oth rwis inacc ssibl fiel syst m and volum
manag m nt artifacts that w r succ ssfully r cov r d and copi d by our imaging softwwar (or
hardwar ). W ’ll cov r som for nsic softwwar in lat r s ctions.

For now w ar going to look at som tools and t chniqu s w can us to vi w th


cont nts of an imag as a logically mount d fiel syst m.

Structure of the Image

The fierst st p in all this is to d t rmin what volum s and fiel syst ms ar availabl for
logical mounting within our imag . “Structur ”, in this cas , r f rs to th partitioning sch m
and id ntifiecation of volum s and fiel syst ms within th imag .

Giv n that our imag s hav b n of physical disks, th y should all lik ly hav som sort
of partition tabl in th m. W can d t ct this partition tabl using fdisk or gdisk. W will
cov r mor “for nsically” ori nt d softwwar for this lat r (mmls from th Sl uth Kit), but for
now, fdisk and gdisk should b availabl on any r lativ ly mod rn Linux syst m.

W will cov r fdisk fierst, as it was pr viously discuss d, arli r using th -l option.
W can g t th partition information on /dev/sda, for xampl , with:

root@forensic1:~# fdisk -l /dev/sda


Disk /dev/sda: 111.8 GiB, 120034123776 bytes, 234441648 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 6FB0E42E-B5CF-4C8F-A974-28A65DADC779

Device Start End Sectors Size Type


/dev/sda1 2048 206847 204800 100M Linux filesystem
/dev/sda2 206848 8595455 8388608 4G Linux swap
/dev/sda3 8595456 234441614 225846159 107.7G Linux filesystem

So th output of fdisk shows that th partition lab l is of typ GPT. What if w run
th gdisk command on th sam disk? H r ’s th output:

148
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

root@forensic1:~# gdisk -l /dev/sda


GPT fdisk (gdisk) version 1.0.0

Partition table scan:


MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.


Disk /dev/sda: 234441648 sectors, 111.8 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): 6FB0E42E-B5CF-4C8F-A974-28A65DADC779
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 234441614
Partitions will be aligned on 2048-sector boundaries
Total free space is 2014 sectors (1007.0 KiB)

Number Start (sector) End (sector) Size Code Name


1 2048 206847 100.0 MiB 8300 Linux filesystem
2 206848 8595455 4.0 GiB 8200 Linux swap
3 8595456 234441614 107.7 GiB 8300 Linux filesystem

The important tak away h r is that th output of th two is functionally th sam .


Wh n r cording th output of th s commands for a for nsic xamination, how v r, I would
urg you to utiliz th tool sp cifiecally d sign d for th syst m you ar curr ntly d aling with.
Us fdisk for DOS partition sch m s, and gdisk for GPT partitioning sch m s wh n
r cording your output. Our output abov shows that /dev/sda has thr partitions. Partitions
1 and 3 ar of typ “Linux”, and partition two is id ntifie d as a Linux swap partition (roughly
virtual m mory or “swap fiel ” for th Linux OS).

It is sp cially important to not that th fiel syst m cod and nam do not n c ssarily
id ntify th actual fiel syst m on that volum . In our xampl abov , th fiel syst m could b
xt2, xt3, xt4, r is rfs, tc.

R cording th output for an xamination is a simpl matte r of r dir cting th output of


ith r command (fdisk or gdisk) to a fiel . Using gdisk as an xampl (assuming a GPT
layout):

root@forensic1:~# gdisk -l /dev/sda > /mnt/evid/sda.gdisk.txt

A coupl of things to not h r : The nam of th output fiel (sda.gdisk.txt) is


compl t ly arbitrary. The r ar no rul s for xt nsions. Nam th fiel anything you want. I

149
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

would sugg st you stick to a conv ntion and mak it d scriptiv . Also not that sinc w
id ntifie d an xplicit path for th fiel nam , sda.gdisk.txt will b cr at d in /mnt/evid. Had
w not giv n th path, th fiel would b cr at d in th curr nt dir ctory ( /root, as indicat d by
th ~).

Onc you hav d t rmin d th partition layout of th disk, it’s tim to s if w can
id ntify th fiel syst m and mount th volum s to r vi w th cont nts.

Identifying File Systems

B for w jump straight to mounting a volum for analysis or r vi w, you might want
to id ntify th fiel syst m contain d in that volum . The r ar a numb r of ways to do this.
The mount command is actually v ry good at id ntifying fiel syst ms wh n mounting, so giving
a -t <fstype> option is not always n d d (and is oftw n not us d). But it is still good practic
to ch ck and r cord th fiel syst m prior to mounting, assuming you will b doing a manual
r vi w of th logical volum cont nts.

For a simpl fiel syst m xampl , download th following fiel , and ch ck th hash 16:

root@forensic1:~# wget http://www.linuxleo.com/Files/fat_fs.raw


--2017-05-27 10:22:47-- http://www.linuxleo.com/Files/fat_fs.raw
Resolving www.linuxleo.com (www.linuxleo.com)... 216.250.120.84
Connecting to www.linuxleo.com (www.linuxleo.com)|216.250.120.84|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1474560 (1.4M)
Saving to: ‘fat_fs.raw.1’

fat_fs.raw.1 100%[===================>] 1.41M 3.78MB/s in 0.4s

2017-05-27 10:22:47 (3.78 MB/s) - ‘fat_fs.raw.1’ saved [1474560/1474560]

root@forensic1:~# sha1sum fat_fs.raw


f5ee9cf56f23e5f5773e2a4854360404a62015cf fat_fs.raw

W can us th file command to giv us an id a of what is contain d in th imag .


R m mb r that th output of file is d p nd nt on th magic fiel s for your giv n Linux
distribution. Running th file command on my syst m giv s this:

root@forensic1:~# file fat_fs.raw


FAT_FS.dd: DOS/MBR boot sector, code offset 0x3e+2, OEM-ID "(wA~PIHC" cached by
Windows 9M, root entries 224, sectors 2880 (volumes <=32 MB) , sectors/FAT 9,
sectors/track 18, serial number 0x16e42d6d, unlabeled, FAT (12 bit), followed by
FAT
16
Theis imag is id ntical to th on us d in pr vious v rsions of this guid . W will continu to us it h r b caus
it is small, simpl , and provid s a good practic s t for commands in th following s ctions.

150
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

The r ’s a lot of information provid d in th file output. W g t th ID’s, numb r of


s ctors (this is r ad from m ta data, not from th imag siz its lf), s rial numb r, and oth r
id ntifie rs. W ’ll cov r imag s with s parat partitions in a mom nt. Theis is a simpl imag of
a fiel syst m that is not part of a partition tabl . You may s such imag s wh r USB thumb
driv s or oth r r movabl m dia hav b n imag d.
A quick word on using th file command dir ctly on d vic s. The file command will
provid a r spons on xactly th obj ct you r f r nc . If I run file on /dev/sda, for
xampl , I g t notifie d that it is a block sp cial fiel . If you want to know mor about th d vic
rath r than th d vic fiel , th n us th -s option to file to sp cify that w want to know
about th d vic b ing r f r nc d by th /dev block d vic . Try this on your own syst m.

root@forensic1:~# file /dev/sda


/dev/sda: block special (8/0)

root@forensic1:~# file -s /dev/sda


/dev/sda: DOS/MBR boot sector, LInux i386 boot LOader; partition 1 : ID=0xee,
start-CHS (0x0,0,2), end-CHS (0x3ff,255,63), startsector 1, 234441647 sectors

So w know what fiel syst m w ar d aling with, now w n d to mount th imag as


a d vic so w can s th cont nts. For that w can us a loop d vic .

Thee Loop Device

W can mount th fiel syst m(s) within th imag using th loop int rfac . Basically,
this allows you to “mount” a fiel syst m within an imag fiel (inst ad of a disk) to a mount
point and brows th cont nts. In simpl t rms, th loop d vic acts as a “proxy disk” to s rv
up th fiel syst m as if it w r on actual m dia.

Loop option to the mount command

For a simpl fiel syst m imag (wh r th r ar not multipl partitions in th imag ),
w can us th sam mount command and th sam options as any oth r fiel syst m on a
d vic , but this tim w includ th option loop to indicat that w want to us th loop
d vic to mount th fiel syst m within th imag fiel . Chang to th dir ctory wh r plac d
th fat_fs.raw, and typ th following (skip th mkdir command if you alr ady cr at d this
dir ctory in our arli r s ction on mounting xt rnal fiel syst ms):

root@forensic1:~# mkdir /mnt/analysis

root@forensic1:~# mount -t vfat -o ro,loop fat_fs.raw /mnt/analysis/

root@forensic1:~# ls /mnt/analysis/

151
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

ARP.EXE* Docs/ FTP.EXE* Pics/ loveletter.virus* ouchy.dat* snoof.gz*

Now you can chang to /mnt/analysis and brows th imag as if it w r a mount d


disk. Us th mount command by its lf to doubl ch ck th mount d options (w pip it
through gr p h r to isolat our mount point):

root@forensic1:~# mount | grep analysis


fat_fs.raw on /mnt/analysis type vfat (ro)

Wh n you ar fienish d browsing, unmount th imag fiel (again, not th command is


umount, not “unmount”):

root@forensic1:~# umount /mnt/analysis

So what happ ns with that loop option? Wh n you pass th loop option in th mount
command, you ar actually calling a shortcut to cr ating loop d vic s with a sp cial command,
losetup. It is important that w und rstand th background h r .

losetup

Cr ating loop d vic s is an important skill. Rath r than l tteing th mount command
tak charg of that proc ss, l t’s hav a look at what is actually going on.

Loop d vic s ar cr at d by th Linux k rn l in th /dev dir ctory, just lik oth r


d vic s.

root@forensic1:~# ls /dev/loop*
/dev/loop-control /dev/loop1 /dev/loop3 /dev/loop5 /dev/loop7
/dev/loop0 /dev/loop2 /dev/loop4 /dev/loop6

The s ar d vic s that can b utiliz d to associat fiel s with a d vic . The /dev/loop-
control d vic is an int rfac to allow applications to associat loop d vic s. The command
w us to manag our loop d vic s is losetup. Invok d by its lf, losetup will list associat d
loop d vic s (it will r turn nothing if not loop d vic s ar in us ). In simpl st form, you simply
call losetup with th d vic s nam (/dev/loopX) and th fiel you wish to associat it with:

root@forensic1:~# losetup /dev/loop0 fat_fs.raw

root@forensic1:~# losetup -l
NAME SIZELIMIT OFFSET AUTOCLEAR RO BACK-FILE
/dev/loop0 0 0 0 0 /root/fat_fs.dd

152
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

root@forensic1:~# file -s /dev/loop0


/dev/loop0: DOS/MBR boot sector, code offset 0x3e+2, OEM-ID "(wA~PIHC" cached by
Windows 9M, root entries 224, sectors 2880 (volumes <=32 MB) , sectors/FAT 9,
sectors/track 18, serial number 0x16e42d6d, unlabeled, FAT (12 bit), followed by
FAT

root@forensic1:~# sha1sum fat_fs.raw


f5ee9cf56f23e5f5773e2a4854360404a62015cf fat_fs.raw

root@forensic1:~# sha1sum /dev/loop0


f5ee9cf56f23e5f5773e2a4854360404a62015cf /dev/loop0

In th abov commands, w associat th loop d vic /dev/loop0 with th fiel


fat_fs.raw. W follow by using th losetup command with th -l option to list th
/dev/loop associations. Theis is ss ntially what occurs in th background wh n you issu th
mount command with th -o loop option w us d pr viously. Wh n w id ntify th d vic
fiel cont nts using file -s, w g t th sam as wh n w ran file on th fat_fs.raw. W
also s that th hash of fat_fs.raw match s th now associat d loop d vic , indicating it is
an xact duplicat . With th loop d vic associat d, you can issu th mount command as if
fat_fs.raw w r a volum call d /dev/loop0:

root@forensic1:~# mount -t vfat -o ro /dev/loop0 /mnt/analysis/

root@forensic1:~# mount | grep /mnt/analysis


/dev/loop0 on /mnt/analysis type vfat (ro)

root@forensic1:~# ls /mnt/analysis/
ARP.EXE* Docs/ FTP.EXE* Pics/ loveletter.virus* ouchy.dat* snoof.gz*

root@forensic1:~# umount /mnt/analysis

In th abov s ssion, w mount th fiel syst m associat d with /dev/loop0, using th


r ad-only option (-o ro) on th mount point /mnt/analysis. W ch ck th mount with th
mount command displaying only lin s that contain /mnt/analysis (grep) and th n list th
cont nts of th mount point with ls. W unmount th fiel syst m with umount.

Finally, w can r mov th loop association with losetup -d:

root@forensic1:~# losetup
NAME SIZELIMIT OFFSET AUTOCLEAR RO BACK-FILE
/dev/loop0 0 0 0 0 /root/fat_fs.raw

root@forensic1:~# losetup -d /dev/loop0

153
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

root@forensic1:~# losetup
root@forensic1:~#

Not all m dia imag s ar this simpl , how v rN

Mounting Full Disk Images with losetup

The xampl us d in th pr vious x rcis utiliz s a simpl stand alon fiel syst m.
What happ ns wh n you ar d aling with boot s ctors and multi partition disk imag s? Wh n
you cr at a raw imag of m dia with dd or similar commands you usually nd up with a
numb r of compon nts to th imag . The s compon nts can includ a boot s ctor, partition
tabl , and th various partitions.

If you atte mpt to mount a full disk imag with a loop d vic , you fiend that th mount
command is unabl to id ntify th fiel syst m. Theis is b caus mount do s not know how to
“r cogniz ” th partition tabl . R m mb r, th mount command handl s fiel syst ms, not disks
(or disk imag s). The asy way around this (although it is not v ry fficci nt for larg disks)
would b to cr at s parat imag s for ach disk partition that you want to analyz . For a
simpl hard driv with a singl larg partition, you could cr at two imag s.

On for th ntir disk:

root@forensic1:~# dd if=/dev/sda of=image.raw

And on for th partition:

root@forensic1:~# dd if=/dev/sda1 of=image.raw

The fierst command g ts you a full imag of th ntir disk (sda) for backup purpos s,
including th boot s ctor and partition tabl . The s cond command g ts you th fierst partition
(sda1). The r sulting imag from th s cond command can b mount d via th loop d vic ,
just as with our fat_fs.raw, b caus it is a simpl fiel syst m.

Not that although both of th abov imag s will contain th sam fiel syst m with th
sam data, th hash s will obviously not match. Making s parat imag s for ach partition is
v ry in fficci nt if it is only b ing don

On m thod for handling full disks wh n using th loop d vic is to s nd th mount


command a m ssag to skip th boot s ctor of th imag and fiend th partition. The s s ctors
ar us d to contain information (lik th MBR) that is not part of a normal fiel syst m. W can

154
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

look at th offos t to a partition, normally giv n in s ctors (using th fdisk command), and
multiply by 512 (th s ctor siz ). Theis giv s us th byt offos t from th start of our imag to th
fierst partition w want to mount. Theis is th n pass d to th mount command as an option,
which ss ntially trigg rs th us of an availabl loop d vic to mount th sp cifie d fiel syst m.
W can illustrat this by looking at th raw imag of th fiel w xport d with ewfexport in
our arli r acquisitions x rcis , th NTFS_Pract_2017.raw fiel . Go ah ad and navigat to
wh r you hav th fiel sav d.

V ry quickly, l ts run through th st ps w n d to mount this imag . First tim round,


w ’ll d t rmin th structur with fdisk, obtain th offos t to th actual fiel syst m using math
xpansion, and th n mount th fiel syst m using th mount command with th -o loop option.

root@forensic1:~# fdisk -l NTFS_Pract_2017.raw


Disk NTFS_Pract_2017.raw: 500 MiB, 524288000 bytes, 1024000 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xe8dd21ee

Device Boot Start End Sectors Size Id Type


NTFS_Pract_2017.raw1 2048 1023999 1021952 499M 7 HPFS/NTFS/exFAT

root@forensic1:~# echo $((2048*512))


1048576

root@forensic1:~# mount -o ro,loop,offset=1048576 NTFS_Pract_2017.raw /mnt/tmp/

root@forensic1:~#ls /mnt/tmp
ProxyLog1.log* System\ Volume\ Information/ Users/ Windows/

So h r w hav a full disk imag . W run fdisk on th imag (an imag fiel is no
diffo r nt than a d vic fiel ) and fiend that th offos t to th partition is 2048 byt s (in r d for
mphasis). W us arithm tic xpansion to calculat th byt offos t ( 2048*512=1048576) and
pass that as th offos t in our mount command. Theis ffo ctiv ly “jumps ov r” th boot s ctor
and go s straight to th “boot s ctor” of th fierst partition, allowing th mount command to
work prop rly. W will xplor this in furth r d tail lat r.

Not that you can do th calculations for th offos t using arithm tic xpansion dir ctly
in th mount command if you choos :

root@forensic1:~# mount -o ro,loop,offset=$((2048*512)) NTFS_Pract_2017.raw


/mnt/tmp/

155
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

L t’s look again and what is going on in th background h r with th loop d vic .
W ’ll run through th sam mount x rcis , but this tim using losetup.

First, b sur th fiel syst m is unmount d:

root@forensic1:~# umount /mnt/tmp/

Now l t’s r cr at th mount command using a loop d vic rath r than an offos t pass d
to mount. In this cas w ’ll us arithm tic xpansion dir ctly in th commands:

root@forensic1:~# fdisk -l NTFS_Pract_2017.raw


Disk NTFS_Pract_2017.raw: 500 MiB, 524288000 bytes, 1024000 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xe8dd21ee

Device Boot Start End Sectors Size Id Type


NTFS_Pract_2017.raw1 2048 1023999 1021952 499M 7 HPFS/NTFS/exFAT

root@forensic1:~# losetup -o $((2048*512)) --sizelimit $((1021952*512)) /dev/loop0


NTFS_Pract_2017.raw

root@forensic1:~# losetup -l
NAME SIZELIMIT OFFSET AUTOCLEAR RO BACK-FILE
/dev/loop0 523239424 1048576 0 0

root@forensic1:~# mount /dev/loop0 /mnt/tmp

root@forensic1:~# ls /mnt/tmp
ProxyLog1.log* System\ Volume\ Information/ Users/ Windows/

root@forensic1:~# umount /mnt/tmp

So h r w ar using th losetup command on an imag , but this tim w pass it an


offos t to a fiel syst m insid th imag ( -o $((2048*512)) ) and w also l t th loop d vic
know th xact siz of th partition w ar associating ( --sizelimit $((1021952*512)) ).
Onc w ’v associat d th loop d vic , w mount it to /mnt/tmp and list th cont nts of th
imag with ls17. Finally, w unmount th fiel syst m with umount. For a multi partition

Not th slash s in th output of ls. The backslash (\) is an scap charact r to allow th spac s within
17

th dir ctory nam System Volume Information/, and th trailing forward slash id ntifie s a dir ctory.
So, th r ar thr dir ctori s in th output

156
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

imag , you could r p at th st ps abov for ach partition you want d to mount, or you could
us a tool s t up to do xactly that. Not that for singl partition imag s lik w hav h r , th
--sizelimit option is actually not r quir d.

Mounting Multi Partition Images with kpartx

Up to this point w ’v mount d a simpl fiel syst m imag with th mount command,
w ’v mount d a fiel syst m from a full disk imag with a singl partition, and w ’v l arn d
about th loop d vic and how to sp cify its association with a sp cifiec partition.

L t’s look now at a disk imag that has multipl partitions. Our pr vious m thod of
id ntifying ach partition by offos t and siz , and passing thos param t rs to th losetup
command would work fien to mount multipl fiel syst ms within a disk imag (using diffo r nt
loop d vic s for ach partition, but wouldn't it b nic if w had a tool that could do all of that
for us? kpartx is that tool.

In simpl t rms, kpartx maps partitions within an imag to s parat loop d vic s that
can th n b mount d th sam as any oth r volum (assuming a mountabl fiel syst m). It is
part of th mulitpath-tools packag for Slackwar , and can b install d via sbotools or
through th SlackBuild availabl at SlackBuilds.org.

root@forensic1:~# sbofind multipath


SBo: multipath-tools
Path: /usr/sbo/repo/system/multipath-tools

root@forensic1:~# sboinstall multipath-tools

Utilities used to drive the Device Mapper multipathing driver

Proceed with multipath-tools? [y]


multipath-tools added to install queue.

Install queue: multipath-tools


...
Cleaning for multipath-tools-0.5.0...

Onc th multipath-tools packag is install d, you can hav a look through th man
pag for kpartx with man kpartx. Usag is v ry simpl . The r is a v ry simpl multi partition
imag you can download and us to d monstrat usag . The fiel syst ms r main d mpty for
maximum compr ss-ability. Download th fiel with wget and ch ck th hash to nsur it
match s th on b low:

root@forensic1:~# wget http://www.linuxleo.com/Files/gptimage.raw.gz


--2017-05-27 10:58:38-- http://www.linuxleo.com/Files/gptimage.raw.gz
Resolving www.linuxleo.com (www.linuxleo.com)... 216.250.120.84

157
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Connecting to www.linuxleo.com (www.linuxleo.com)|216.250.120.84|:80... connected.


HTTP request sent, awaiting response... 200 OK
Length: 4181657 (4.0M) [application/gzip]
Saving to: ‘gptimage.raw.gz’

gptimage.raw.gz 100%[===================>] 3.99M 6.25MB/s in 0.6s

2017-05-27 10:58:39 (6.25 MB/s) - ‘gptimage.raw.gz’ saved [4181657/4181657]

root@forensic1:~# sha1sum gptimage.raw.gz


b7dde25864b9686aafe78a3d4c77406c3117d30c gptimage.raw.gz

D compr ss th gzip’d fiel with gzip -d and ch ck th hash of th r sulting raw imag
fiel :

root@forensic1:~# gzip -d gptimage.raw.gz

root@forensic1:~# sha1sum gptimage.raw


99b7519cecb9a48d2fd57c673cbf462746627a84 gptimage.raw

Now w can run kpartx on th imag fiel to ch ck th partitions, and th n to map


th m, r ad only, to loop d vic nod s. To s th availabl options, run kpartx by its lf:

root@forensic1:~# kpartx
usage : kpartx [-a|-d|-l] [-f] [-v] wholedisk
-a add partition devmappings
-r devmappings will be readonly
-d del partition devmappings
-u update partition devmappings
-l list partitions devmappings that would be added by -a
-p set device name-partition number delimiter
-g force GUID partition table (GPT)
-f force devmap create
-v verbose
-s sync mode. Don't return until the partitions are created

The fierst command b low will list th partitions as th y will app ar ( -l). Aftw r that w
add th mappings in th s cond command with ( -a) and cr at th m with th r ad only option
as w ll (-r):

root@forensic1:~# kpartx -l gptimage.raw


loop0p1 : 0 204800 /dev/loop0 2048
loop0p2 : 0 2097152 /dev/loop0 206848

158
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

loop0p3 : 0 6084575 /dev/loop0 2304000


loop deleted : /dev/loop0

root@forensic1:~# kpartx -r -a gptimage.raw

Onc w x cut th command abov , our mappings ar cr at d and w can now acc ss ach
partition through th /dev/mapper/loop0pX d vic , wh r X is th numb r of th partition.

root@forensic1:~# ls -l /dev/mapper
total 0
crw------- 1 root root 10, 236 May 13 2017 control
lrwxrwxrwx 1 root root 7 May 13 12:58 loop0p1 -> ../dm-0
lrwxrwxrwx 1 root root 7 May 13 12:58 loop0p2 -> ../dm-1
lrwxrwxrwx 1 root root 7 May 13 12:58 loop0p3 -> ../dm-2

On thing to k p in mind is that th /dev/mapper nod s ar actually symbolic links to


/dev/dm-* nod s18, so if you run th file command to try and d t ct th fiel syst m typ , it will
simply say symbolic link. To us th file command, run it against th dm d vic . All oth r
op rations that w us h r can b don on /dev/mapper/loop0pX.

root@forensic1:~# file -s /dev/mapper/loop0p1


/dev/mapper/loop0p1: symbolic link to ../dm-0

root@forensic1:~# file -s /dev/dm-*


/dev/dm-0: Linux rev 1.0 ext4 filesystem data, UUID=cd5213b1-e674-41b2-8f7f-
d6f6e97fbdee (extents) (large files) (huge files)
/dev/dm-1: Linux rev 1.0 ext4 filesystem data, UUID=7f7be41c-4b0d-41d4-8c94-
ff84a121e542 (extents) (large files) (huge files)
/dev/dm-2: Linux rev 1.0 ext4 filesystem data, UUID=837a55a6-39f1-433b-bf1a-
34538feee7e8 (extents) (large files) (huge files)

W can now mount and brows th s mapp d volum s as w would any oth r:

root@forensic1:~# mount /dev/mapper/loop0p1 /mnt/tmp


mount: /dev/mapper/loop0p1 is write-protected, mounting read-only

root@forensic1:~# ls /mnt/tmp
lost+found/

root@forensic1:~# mount
...
/dev/mapper/loop0p1 on /mnt/tmp type ext4 (ro)

root@forensic1:~# umount /mnt/tmp

18
R m mb r th ../ notation indicat s th dm-* nod s ar in th curr nt dir ctory’s par nt dir ctory.

159
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Onc you ar fienish d and th fiel syst m is unmount d with th umount command as
shown abov , you can d l t th mappings with kpartx -d:

root@forensic1:~# kpartx -d gptimage.raw


loop deleted : /dev/loop0

Mounting Split Image Files with affuuse

W ar going to continu our xploration of mounting options for imag fiel s by


addr ssing thos occasions wh r you might want to mount and brows an imag fiel that has
b n split with dd/split or dc3dd, tc. For that w can us affuse from th affliib packag .

The Advanc d For nsic Format (AFF) is an op n format for for nsic imaging, and th
affliib packag provid s a numb r of utiliti s to cr at and manipulat imag s in th AFF
format. W won’t cov r thos tools, or th AFF format in this docum nt (at l ast not in this
v rsion), so all w ar int r st d in right now is th affuse program.

affuse provid s virtual acc ss to a numb r of imag formats, split fiel s among th m. It
do s this through th Fil Syst m in Us r Spac softwwar int rfac . Commonly r f rr d to as
“fus fiel syst ms”, fus utiliti s allow us to cr at application l v l fiel syst m acc ss
m chanisms that can bridg to th k rn l and th normal fiel syst m driv rs.

The affliib packag is availabl as a SlackBuild for Slackwar , and can b simply install d
with sboinstall:

root@forensic1:~# sboinstall afflib

afflib is library and set of tools used to support of Advanced Forensic


Format (AFF).
...
Cleaning for afflib-3.7.7…

The following x rcis assum s that th split imag you ar working with is in raw
format wh n r ass mbl d (or what som r f r to as “dd format”). A fiel that w will us for a
numb r of x rcis s lat r on is in split format and can b download d so you can follow along
h r . Again, us wget and ch ck your hash against th on b low:

root@forensic1:~# wget http://www.linuxleo.com/Files/able_3.tar.gz


--2017-05-27 11:06:00-- http://www.linuxleo.com/Files/able_3.tar.gz
Resolving www.linuxleo.com (www.linuxleo.com)... 216.250.120.84
Connecting to www.linuxleo.com (www.linuxleo.com)|216.250.120.84|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 526734961 (502M) [application/gzip]
Saving to: ‘able_3.tar.gz’

160
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

able_3.tar.gz 100%[===================>] 502.33M 10.1MB/s in 50s

2017-05-27 11:06:51 (9.97 MB/s) - ‘able_3.tar.gz’ saved [526734961/526734961]

root@forensic1:~# sha1sum able_3.tar.gz


6d8de5017336028d3c221678b483a81e341a9220 able_3.tar.gz

Vi w th cont nts of th archiv with th following command:

root@forensic1:~# tar tzf able_3.tar.gz


able_3/
able_3/able_3.000
able_3/able_3.001
able_3/able_3.log
able_3/able_3.003
able_3/able_3.002
Now w can xtract th archiv using th tar command with th xtract option (x)
rath r than th option to list cont nts ( t):

root@forensic1:~# tar xzvf able_3.tar.gz


able_3/
able_3/able_3.000
able_3/able_3.001
able_3/able_3.log
able_3/able_3.003
able_3/able_3.002

First, chang to th able_3 dir ctory with cd. Not our command prompt chang d to
r fla ct our working dir ctory. W now hav 4 imag fiel s ( .000-.003) and a log fiel . The input
s ction of th log fiel shows that this imag is a 4G imag tak n with dc3dd and split into 4
parts.

root@forensic1:~# cd able_3

root@forensic1:~/able_3# cat able_3.log


dc3dd 7.2.646 started at 2017-05-25 15:51:04 +0000
compiled options:
command line: dc3dd if=/dev/sda hofs=able_3.000 ofsz=1G hash=sha1 log=able_3.log
device size: 8388608 sectors (probed), 4,294,967,296 bytes
sector size: 512 bytes (probed)
4294967296 bytes ( 4 G ) copied ( 100% ), 1037.42 s, 3.9 M/s
4294967296 bytes ( 4 G ) hashed ( 100% ), 506.481 s, 8.1 M/s

input results for device `/dev/sda':


8388608 sectors in
0 bad sectors replaced by zeros

161
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

2eddbfe3d00cc7376172ec320df88f61afda3502 (sha1)
4ef834ce95ec545722370ace5a5738865d45df9e, sectors 0 - 2097151
ca848143cca181b112b82c3d20acde6bdaf37506, sectors 2097152 - 4194303
3d63f2724304205b6f7fe5cadcbc39c05f18cf30, sectors 4194304 - 6291455
9e8607df22e24750df7d35549d205c3bd69adfe3, sectors 6291456 - 8388607
...

L t’s ch ck th hash of th imag parts combin d and compar to th log:

root@forensic1:~/able3# cat able3.00* | sha1sum


2eddbfe3d00cc7376172ec320df88f61afda3502 -

R m mb r that th cat command simply str ams th fiel s on aftw r th oth r and s nds
th m through standard out. The sha1sum command tak s th data from th pip and hash s it.
As w m ntion d arli r, th – in th hash output indicat s standard input was hash d, not a
fiel . The hash s match and our imag is good.

Now suppos w want to mount th imag s to s th fiel syst ms and brows or


s arch th m for sp cifiec fiel s. On solution would b to us th cat command lik w did
abov and r dir ct th output to a n w fiel mad up of all th s gm nts.

root@forensic1:~/able3# cat able_3.0* > able_3.raw

root@forensic1:~/able3# ls -lh able_3.raw


-rw-r--r-- 1 barry users 4.0G May 27 11:28 able_3.raw

root@forensic1:~/able3# sha1sum able_3.raw


2eddbfe3d00cc7376172ec320df88f61afda3502 able_3.raw

The probl m with this approach is that it tak s up twic th spac as w ar ss ntially
duplicating th ntir acquir d disk, but in a singl imag rath r than split. Not v ry fficci nt
for r sourc manag m nt.

W n d a way to tak th split imag s and cr at a virtual “whol disk” that w can
mount using t chniqu s w ’v l arn d alr ady. W ’ll us affuse and th fus fiel syst m it
provid s. All w n d to do is call affuse with th nam of th fierst s gm nt of our split
imag and provid a mount point wh r w can acc ss th virtual disk imag :

root@forensic1:~/able3# mkdir /mnt/aff

root@forensic1:~/able3# affuse able_3.000 /mnt/aff

root@forensic1:~/able3# ls -lh /mnt/aff


total 0

162
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

-r--r--r-- 1 root root 4.0G Dec 31 1969 able_3.000.raw

root@forensic1:~/able3# sha1sum /mnt/aff/able_3.000.raw


2eddbfe3d00cc7376172ec320df88f61afda3502 /mnt/aff/able_3.000.raw
In th abov s ssion, w cr at a mount point for our fus imag (th nam h r is
arbitrary) with th mkdir command. The w us affuse with th fierst s gm nt of our four part
imag and fus mount it to /mnt/aff. affuse cr at s our singl virtual imag fiel for us in
/mnt/aff and nam s it with th imag nam and th .raw xt nsion. Finally, w ch ck th
hash of this n w virtual imag and fiend it’s th sam as th hash for th input and output byt s
(for th total disk) in our log fiel .

Now w can run gdisk or fdisk on th imag to id ntify th partition layout of th


disk; w can us kpartx to map th partitions to loop d vic s w can mount; and w can run
th file command to id ntify th fiel syst ms for furth r inv stigation. All this as w hav
l arn d in pr c ding s ctions wh n working on compl t imag fiel s:

root@forensic1:~/able3# fdisk -l /mnt/aff/able_3.000.raw


Disk /mnt/aff/able_3.000.raw: 4 GiB, 4294967296 bytes, 8388608 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: B94F8C48-CE81-43F4-A062-AA2E55C2C833

Device Start End Sectors Size Type


/mnt/aff/able_3.000.raw1 2048 104447 102400 50M Linux filesystem
/mnt/aff/able_3.000.raw2 104448 309247 204800 100M Linux filesystem
/mnt/aff/able_3.000.raw3 571392 8388574 7817183 3.7G Linux filesystem

root@forensic1:~/able3# kpartx -a -r /mnt/aff/able_3.000.raw

root@forensic1:~/able3# ls -l /dev/mapper/loop0p*
lrwxrwxrwx 1 root root 7 May 27 11:34 /dev/mapper/loop0p1 -> ../dm-0
lrwxrwxrwx 1 root root 7 May 27 11:34 /dev/mapper/loop0p2 -> ../dm-1
lrwxrwxrwx 1 root root 7 May 27 11:34 /dev/mapper/loop0p3 -> ../dm-2

root@forensic1:~/able3# file -s /dev/dm-*


/dev/dm-0: Linux rev 1.0 ext4 filesystem data, UUID=ca05157e-f7b3-4c6a-9b63-
235c4cad7b73 (extents) (large files) (huge files)
/dev/dm-1: Linux rev 1.0 ext4 filesystem data, UUID=c4ac4c0f-d9de-4d26-9e16-
10583b607372 (extents) (large files) (huge files)
/dev/dm-2: Linux rev 1.0 ext4 filesystem data, UUID=c7f748b2-3a38-44e9-aa43-
f924955b9fdd (extents) (large files) (huge files)

So without having to r ass mbl th split imag s to a singl imag , w w r abl to


map th partitions and id ntify th fiel syst ms r ady for mounting.

163
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

root@forensic1:~/able3# mount -o ro -t ext4 /dev/mapper/loop0p1 /mnt/analysis/

Wh n w hav fienish d with th affuse mount point, w r mov it with th


fusermount -u command. Theis r mov s our virtual disk imag from th mount point.
REMEMBER w must unmount any mount d fiel syst ms from th imag , and th n d l t our
loop associations with kpartx -d prior to our fus unmount.

root@forensic1:~/able3# umount /mnt/analysis/

root@forensic1:~/able3# kpartx -d /mnt/aff/able_3.000.raw


loop deleted : /dev/loop0

root@forensic1:~/able3# fusermount -u /mnt/aff

Mounting EWF Files with ewfmount

Just as w ar bound to com across split imag s w want to brows , w ar also lik ly
to com across Exp rt Witn ss (E01 or EWF) fiel s that w want to p ak into without having to
r stor th m and tak up much mor spac than w n d to.

W ’v alr ady install d lib wf as part of our acquisition l ssons arli r. If you hav not
don so alr ady, you can install lib wf with sboinstall on Slackwar or using which v r
m thod your distribution of choic allows. For this s ction w ar int r st d in th ewfmount
utility that com s with lib wf.

Lik affuse, ewfmount provid s a fus fiel syst m. It is call d in th sam way, and
r sults in th sam virtual raw disk imag that can b pars d for partitions and loop mount d
for browsing. If you r ad th prior s ction on affuse, this will all b v ry familiar. W will
us th EWF v rsion of NTFS_Pract_2017.E0* fiel s w us d in our arli r x rcis s.

It might b a good id a to run ewfverify (also from th lib wf packag – r call w


us d it in th acquisitions s ction) to nsur th int grity of th E01 s t is still intact.

root@forensic1:~/NTFS_Pract_2017# ewfverify NTFS_Pract_2017.E01


ewfverify 20140608

Verify started at: May 14, 2017 00:00:15


This could take a while.
...
Verify completed at: May 14, 2017 00:00:16

164
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Read: 500 MiB (524288000 bytes) in 1 second(s) with 500 MiB/s (524288000
bytes/second).

MD5 hash stored in file: eb4393cfcc4fca856e0edbf772b2aa7d


MD5 hash calculated over data: eb4393cfcc4fca856e0edbf772b2aa7d

ewfverify: SUCCESS
Mak not of th MD5 hash from our ewfverify output.

Now w cr at our EWF mount point (again this is an arbitrary nam ). Us th


ewfmount command to fus mount th imag fiel s. You only n d to provid th fierst fiel nam
for th imag s t. ewfmount will fiend th r st of th s gm nts. W can us th ls command on
our mount point to s th fus mount disk imag that r sult d:

root@forensic1:~/NTFS_Pract_2017# mkdir /mnt/ewf

root@forensic1:~/NTFS_Pract_2017# ewfmount NTFS_Pract_2017.E01 /mnt/ewf


ewfmount 20140608

root@forensic1:~/NTFS_Pract_2017# ls /mnt/ewf
ewf1

Our virtual disk imag is ewf1. L t’s hash that and compar it to our ewfverify output
abov . As you can s , w g t a match:

root@forensic1:~/NTFS_Pract_2017# md5sum /mnt/ewf/ewf1


eb4393cfcc4fca856e0edbf772b2aa7d /mnt/ewf/ewf1

And now onc again w ar r ady to pars and mount our disk imag using th
t chniqu s w ’v alr ady l arn d.

root@forensic1:~/NTFS_Pract_2017# fdisk -l /mnt/ewf/ewf1


Disk /mnt/ewf/ewf1: 500 MiB, 524288000 bytes, 1024000 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xe8dd21ee

Device Boot Start End Sectors Size Id Type


/mnt/ewf/ewf1p1 2048 1023999 1021952 499M 7 HPFS/NTFS/exFAT

root@forensic1:~/NTFS_Pract_2017# kpartx -r -a /mnt/ewf/ewf1

root@forensic1:~/NTFS_Pract_2017# file -s /dev/dm-0

165
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

/dev/dm-0: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ",
sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden
sectors 2048, dos < 4.0 BootSector (0x0), FAT (1Y bit by descriptor); NTFS,
sectors/track 63, physical drive 0x80, sectors 1021951, $MFT start cluster 42581,
$MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block
1, serial number 0cae0dfd2e0dfc2bd

root@forensic1:~/NTFS_Pract_2017# mount -o ro -t ntfs-3g /dev/mapper/loop0p1 /mnt/


analysis/

root@forensic1:~/NTFS_Pract_2017# ls /mnt/analysis/
ProxyLog1.log* System\ Volume\ Information/ Users/ Windows/

Using fdisk -l, w s th structur of th imag . W us kpartx with th r ad-only


option (-r) to add th loop mapping (-a) for th partition. W ch ck th fiel syst m typ with file
-s and confierm it is NTFS. Finally w mount th volum with th mount command. In this cas w
us th ntfs-3g19 fiel syst m driv r (-t ntfs-3g).

And, as b for , wh n w ar fienish d w n d to unmount th volum , d l t th mappings,


and th unmount th fus fiel syst m. Theis is th sam s t of st ps (forward and backward) w did
with affuse and th split imag .

root@forensic1:~/NTFS_Pract_2017# umount /mnt/analysis/

root@forensic1:~/NTFS_Pract_2017# kpartx -d /mnt/ewf/ewf1


loop deleted : /dev/loop0

root@forensic1:~/NTFS_Pract_2017# fusermount -u /mnt/ewf

And that cov rs our s ction on mounting vid nc . As with v rything in this guid ,
w ’v l ftw a lot of d tail out. Exp rim nt and r ad th man pag s. Mak sur you know what
you ar doing wh n d aling with r al vid nc . Mounting and browsing imag s should always
b don on working copi s wh n possibl .

Anti-Virus – Scanning the Evidence File System with ClamAV

Part of our approach to und rstanding and d ploying Linux as a comput r for nsic
platform is making th ntir proc ss “stand alon ”. You should b abl to conduct an xam –
from analysis through r porting – within th Linux (and pr f rably command lin )
nvironm nt. On of thos st ps w should consid r taking in almost all xaminations w ar
task d with is to scan our acquir d data with som sort of anti-virus tool.
19
The r ar a numb r of us ful options wh n mounting with ntfs-3g, lik show_sys_files or
streams_interface=windows. W don’t cov r th m h r , but you might want to look at man
mount.ntfs-3g for mor information.

166
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

W ’v all h ard th v r famous “Trojan Hors D f ns ”, wh r w worry that


malicious activity will b blam d on an inf ct d comput r that th d f ndant “had no control
ov r”. Whil it’s not som thing I’v p rsonally xp ri nc d, it has happ n d and is w ll
docum nt d.20 Scanning th vid nc mak s s ns from both an inculpatory and xculpatory
point of vi w. If th r ar circumstanc s wh r malwar may hav play d a rol , w will
c rtainly want to know that.

The r ar oth r consid rations that warrant a virus/malwar scan, and it can v ry
sp cifiecally d p nd on th typ of cas you ar inv stigating. Simply making it part of som
ch ck list routin for analysis is fien , but you must still hav an und rstanding of why th scan
is don , and how it appli s to th curr nt cas . For xampl , if th m dia b ing xamin d is th
victim of compromis , th n a virus scan can provid a staring point for additional analysis.
The starting point can b as simpl as id ntifying a v ctor, and utilizing fiel dat s and tim s to
driv additional analysis. Alt rnativ ly, w may fiend ours lv s xamining th comput r in a
child xploitation cas . N gativ r sults, whil pr sumptiv , can still h lp to combat th
pr viously discuss d Trojan Hors D f ns . The botteom lin is that a simpl virus scan should
always b includ d as standard practic . And whil th r ar pl nty of tools out th r
compatibl with Linux, w will focus on ClamAV.

ClamAV is op n sourc and fr ly availabl . It is w ll support d and is quit


comparabl to oth r anti-virus with r sp ct to id ntifying inf ctions and artifacts. If you ar
d ploying Linux in a laboratory nvironm nt, it also provid s xc ll nt backup and cross-
v rifiecation to anti-virus r sults provid d in oth r op rating syst ms.

W alr ady install d th ClamAV packag arli r in th s ction on xt rnal softwwar . If


you hav not don so, ith r install th clamav via th SlackBuild (using sboinstall) or via
your distribution’s packag manag m nt m thod.

ClamAV has far mor us s and confieguration options that w will not cov r h r . It can
b us d to scan “on us ” volum s, mail s rv rs, and has options and us s for “saf browsing”.
The r ar tools install d with th ClamAV packag that allow for byt cod r vi w, submission
of sampl s, and to assist with da mon mod confieguration. W will b using it to scan
acquir d vid nc . Theis assum s w will updat it as n d d and run it on targ t d imag fiel s,
volum s or mount points. With our simplifie d us cas , w will conc ntrat our us on two
sp cifiec clamav tools: freshclam and clamscan.

Onc clamav is install d, w will n d to download th d fienition fiel s. W do this with


freshclam. Theis command will download th appropriat fiel s with th initial main.cvd, as
w ll as th daily.cvd containing th most r c nt signatur s:

root@forensic1:~# freshclam
ClamAV update process started at Wed May 31 12:53:56 2017
WARNING: [LibClamAV] cl_cvdhead: Can't read CVD header in main.cvd
Downloading main.cvd [100%]
20
http://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=1370&context=chtlj

167
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

main.cvd updated (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
WARNING: [LibClamAV] cl_cvdhead: Can't read CVD header in daily.cvd
Downloading daily.cvd [100%]
daily.cvd updated (version: 23434, sigs: 2081298, f-level: 63, builder: neo)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 301, sigs: 58, f-level: 63, builder: anvilleg)
Database updated (6300146 signatures) from db.us.clamav.net (IP: 69.163.100.14)
WARNING: Clamd was NOT notified: Can't connect to clamd through
/var/run/clamav/clamd.socket: No such file or directory

H r w s th download of main.cvd, daily.cvd and bytecode.cvd. The r ar a


coupl of warnings issu d, and this is b caus th fiel s do not xist and freshclam atte mpts to
r ad th v rsion h ad rs b for updating. Subs qu nt updat s will not show th s warnings.
W also g t a warning that Clamd was NOT notified. Theis is b caus w ar not running a
scanning da mon (common for mail s rv rs). You can run freshclam with --no-warnings if
you wish to suppr ss thos .

W ar now r ady to run clamscan on our targ t. ClamAV supports dir ct scanning of
fiel s, and can r curs through many diffo r nt fiel typ s and archiv , including zip fiel s, PDF
fiel s, mount points and for nsic imag fiel s (gpt and mbr partition typ s). The most r liabl
way of running clamscan is to run it on a mount d fiel syst m.

The r ar options within clamscan to copy or mov inf ct d fiel s to alt rnativ
dir ctori s. Normally w do not do this with inf ct d fiel s or malwar during a for nsic
xamination, pr f rring to xamin th fiel s in plac , or xtract th m with for nsic tools.
Ch ck man clamscan for additional d tails if you ar int r st d. The output of clamscan can
b logg d with th --log=logfile option, us ful for k ping compl t xamination not s.

W will try out clamscan on our NTFS EWF fiel s w download d pr viously. Chang
into th dir ctory th fiel s ar locat d in, us ewfmount to mount th imag s, and th n loop
mount th NTFS partition. If you do not alr ady hav th d stination mount points in /mnt
cr at d, th n us mkdir to cr at th m now. W will scan th NTFS partition.

root@forensic1:~# cd NTFS_Pract_2017

root@forensic1:~/NTFS_Pract_2017# ewfmount NTFS_Pract_2017.E01 /mnt/ewf


ewfmount 20140608

root@forensic1:~/NTFS_Pract_2017# mount -o ro,loop,offset=$((2048*512))


/mnt/ewf/ewf1 /mnt/analysis/

root@forensic1:~/NTFS_Pract_2017# clamscan -r -i /mnt/analysis/ --log=NTFS_AV.txt


/mnt/analysis/Windows/System32/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------

168
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Known viruses: 6294420


Engine version: 0.99.2
Scanned directories: 26
Scanned files: 187
Infected files: 1
Data scanned: 265.78 MB
Data read: 95.12 MB (ratio 2.79:1)
Time: 43.197 sec (0 m 43 s)

Using ewfmount, w fus mount th EWF fiel s to /mnt/ewf, and th n w mount th


NTFS partition at s ctor offos t 2048 (w know this from pr vious x rcis s, or you can us
fdisk -l of /mnt/ewf/ewf1 to confierm). The command clamscan is th n run with th -r
option for r cursiv (scan sub dir ctori s), and -i to only show inf ct d fiel s. The -i option
pr v nts ov rly clutte r d output (lists of “OK” fiel s). Finally, w us --log to docum nt our
output. The virus signatur found is for a common anti-virus t st fiel .

Vi w th r sulting log with cat:

root@forensic1:~/NTFS_Pract_2017# cat NTFS_AV.txt

-------------------------------------------------------------------------------

/mnt/analysis/Windows/System32/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------


Known viruses: 6294420
Engine version: 0.99.2
Scanned directories: 26
Scanned files: 187
Infected files: 1
Data scanned: 265.78 MB
Data read: 95.12 MB (ratio 2.79:1)
Time: 43.197 sec (0 m 43 s)

Wh n you ar fienish d, unmount th NTFS fiel syst m and th fus mount d imag .

root@forensic1:~/NTFS_Pract_2017# umount /mnt/analysis/

root@forensic1:~/NTFS_Pract_2017# fusermount -u /mnt/ewf

Theis is a v ry simpl xampl of virus scanning vid nc with ClamAV. Theis is an


xc ptionally pow rful tool, and you should xplor th man pag and th onlin
docum ntation.

169
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Basic Data Review on the Command Line

Linux com s with a numb r of simpl utiliti s that mak imaging and basic r vi w of
susp ct disks and driv s comparativ ly asy. W ’v alr ady cov r d dd, fdisk, limit d grep
commands, hashing and fiel id ntifiecation with th file command. W ’ll continu to us
thos tools, and also cov r som additional utiliti s in som hands on x rcis s.

Following is a very simpl s ri s of st ps to allow you to p rform an asy practic data


r vi w using th simpl tools m ntion d abov . All of th commands can b furth r xplor d
with man [command]. Again, this is just an introduction to th basic commands. Our focus
h r is on th commands th ms lv s, NOT on th fiel syst m w ar r vi wing. The s st ps
can b far mor pow rful with som command lin tw aking.

Having alr ady said that this is just an introduction, most of th work you will do h r
can b appli d to actual cas work. The tools ar standard GNU/Linux tools, and although th
xampl shown h r is very simpl , it can b xt nd d with som practic and a littel (ok, a lot)
of r ading. The practic fiel syst m w ’ll us h r is a simpl old raw imag of a FAT fiel
syst m produc d by th dd command21. W us d this imag in som pr vious x rcis s. If you
hav not alr ady, download it now. You can do this as a normal us r with wg t:

barry@forensic1:~$ wget http://www.linuxleo.com/Files/fat_fs.raw


--2017-05-27 11:41:26-- http://www.linuxleo.com/Files/fat_fs.raw
Resolving www.linuxleo.com (www.linuxleo.com)... 216.250.120.84
Connecting to www.linuxleo.com (www.linuxleo.com)|216.250.120.84|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1474560 (1.4M)
Saving to: ‘fat_fs.raw’

fat_fs.raw 100%[===================>] 1.41M 3.69MB/s in 0.4s

2017-05-27 11:41:27 (3.69 MB/s) - ‘fat_fs.raw’ saved [1474560/1474560]

barry@forensic1:~$ sha1sum fat_fs.raw


f5ee9cf56f23e5f5773e2a4854360404a62015cf fat_fs.raw

The output of various commands and th amount of s arching w will do h r is limit d


by th scop of this xampl and th amount of data in this v ry small imag .

As w pr viously m ntion d, wh n you actually do an analysis on larg r m dia, you


will want to hav it organiz d. Not that wh n you issu a command that r sults in an output
fiel , that fiel will nd up in your curr nt dir ctory, unl ss you sp cify a path for it.

On way of organizing your data would b to cr at a dir ctory in your “hom ”


dir ctory for vid nc and th n a sub dir ctory for diffo r nt cas s. You can cr at your output
21
Theis is th xact sam imag as th pr viously nam d practical.floppy.dd

170
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

dir ctory on any m dia or volum you lik . For th sak of simplicity h r , w ’ll us our hom
dir ctory. W ’ll go ah ad and do this as a r gular us r, so w can g t us d to running
commands n d d for root acc ss. It’s n v r a good id a to do all your work logg d in as root.
H r ’s our command to cr at an output dir ctory for analysis r sults. W ar x cuting th
command in th dir ctory wh r w plac d our imag fiel abov . Not th ./ in front of th
dir ctory nam w ar cr ating indicat s “in th curr nt dir ctory”:

barry@forensic1:~$ mkdir ./analysis

barry@forensic1:~$ ls
analysis/ fat_fs.raw*

Dir cting all of our analysis output to this dir ctory will k p our output fiel s s parat d
from v rything ls and maintain cas organization. You may wish to hav a s parat driv
mount d as /mnt/analysis to hold your analysis output. How you organiz it is up to you.

An additional st p you might want to tak is to cr at a sp cial mount point for all
subj ct fiel syst m analysis. Theis is anoth r way of s parating common syst m us with
vid nc proc ssing. To cr at a mount point in th /mnt dir ctory you will n d to b
t mporarily logg d in as root. In this cas w ’ll log in as root, cr at a mount point, and th n
mount th fat_fs.raw imag for furth r xamination. R call our discussion on th “sup r
us r” (root). W us th command su to b com root:

barry@forensic1:~$ su -
Password:

root@forensic1:~# mkdir /mnt/evid

Still using our root login, w ’ll go ah ad and mount th fat_fs.raw imag on
/mnt/evid:

root@forensic1:~# mount -t vfat -o ro,loop ~barry/fat_fs.raw /mnt/evid/

root@forensic1:~# losetup
NAME SIZELIMIT OFFSET AUTOCLEAR RO BACK-FILE
/dev/loop0 0 0 1 0 /home/barry/fat_fs.raw

The fierst command abov is our mount command with th fiel syst m typ s t to vfat
(-t vfat) and th options (-o) r ad only (ro) and using th loop d vic (loop). The fiel syst m
w ar mounting, fat_fs.raw, is locat d in /home/barry (~barry) and w ar mounting it on
/mnt/evid. For illustration, I us th loop command to show th loop association. The r ar

171
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

oth r us ful mount options as w ll, such as noatime and noexec. S man mount for mor
d tails.

With th imag mount d, w can xit our root login.

root@forensic1:~# exit

barry@forensic1:~$

You can now vi w th cont nts of th r ad-only mount d or r stor d disk or loop-
mount d imag . You can us your a fiel brows r to look through th disk. In most (if not all)
cas s, you will fiend th command lin mor us ful and pow rful in ord r to allow fiel
r dir ction and p rman nt r cord of your analysis. W will us th command lin h r .

W ar also assuming that you ar issuing th following commands from th prop r


mount point (/mnt/ vid). If you want to sav a copy of ach command’s output, b sur to
dir ct th output fiel to your vid nc dir ctory (~/analysis) using an xplicit path. Again,
not that if you ar logg d in as “timmy”, th n th tild ( ~) is a shortcut to /home/timmy. So in
my cas , ~/analysis is th sam as typing /home/barry/analysis.

Navigat through th dir ctori s and s what you can fiend. Us th ls command. Again, you
should b in th dir ctory /mnt/evid, wh r th imag is mount d. The command in th
following form might b us ful:

barry@forensic1:/mnt/evid$ ls -l
total 107
-rwxr-xr-x 1 root root 19536 Aug 24 1996 ARP.EXE*
drwxr-xr-x 3 root root 512 Sep 23 2000 Docs/
-rwxr-xr-x 1 root root 37520 Aug 24 1996 FTP.EXE*
drwxr-xr-x 2 root root 512 Sep 23 2000 Pics/
-r-xr-xr-x 1 root root 16161 Sep 21 2000 loveletter.virus*
-rwxr-xr-x 1 root root 21271 Mar 19 2000 ouchy.dat*
-rwxr-xr-x 1 root root 12384 Aug 2 2000 snoof.gz*

Theis will list th fiel s in long format to id ntify p rmission, dat , tc. ( -l). You can also
us th –R option to list r cursiv ly through dir ctori s. You might want to pip that through
less.

barry@forensic1:/mnt/evid$ ls -lR | less


.:
total 107
-rwxr-xr-x 1 root root 19536 Aug 24 1996 ARP.EXE*
drwxr-xr-x 3 root root 512 Sep 23 2000 Docs/
-rwxr-xr-x 1 root root 37520 Aug 24 1996 FTP.EXE*
drwxr-xr-x 2 root root 512 Sep 23 2000 Pics/

172
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

-r-xr-xr-x 1 root root 16161 Sep 21 2000 loveletter.virus*


-rwxr-xr-x 1 root root 21271 Mar 19 2000 ouchy.dat*
-rwxr-xr-x 1 root root 12384 Aug 2 2000 snoof.gz*

./Docs:
total 57
-rwxr-xr-x 1 root root 17920 Sep 21 2000 Benchmarks.xls*
-rwxr-xr-x 1 root root 2061 Sep 21 2000 Computer_Build.xml*
-rwxr-xr-x 1 root root 32768 Sep 21 2000 Law.doc*
drwxr-xr-x 2 root root 512 Sep 23 2000 Private/
-rwxr-xr-x 1 root root 3928 Sep 21 2000 whyhack*

./Docs/Private:
total 0

./Pics:
total 1130

Not that w ar looking at fiel s on a FAT partition using Linux tools. Theings lik
p rmissions can b a littel misl ading b caus of translations that may tak plac , d p nding
on th fiel syst m, and omitte d information. Theis is wh r som of our mor advanc d for nsic
tools com in lat r.

Us th spac bar to scroll through th r cursiv list of fiel s. R m mb r that th l tte r q


will quit a paging s ssion.

On important st p in any analysis is v rifying th int grity of your data both b for
aftw r th analysis is compl t . W ’v alr ady cov r d int grity ch cks on disks and imag s.
The sam command works on individual fiel s. You can g t a hash (CRC, MD5, or SHA) of ach
fiel in a numb r of diffo r nt ways. In this xampl , w will us th SHA1 hash. W can g t an
SHA1 sum of an individual fiel by changing to our vid nc dir ctory ( /mnt/evid) and running
th following command on on of th fiel s. The s commands can b r plac d with md5sum if
you pr f r to us th MD5 hash algorithm.

barry@forensic1:/mnt/evid$ sha1sum ARP.EXE


49f0405267a653bac165795ee2f8d934fb1650a9 ARP.EXE

barry@forensic1:/mnt/evid$ sha1sum ARP.EXE > ~/analysis/ARP.sha1.txt

barry@forensic1:/mnt/evid$ cat ~/analysis/ARP.sha1.txt


49f0405267a653bac165795ee2f8d934fb1650a9 ARP.EXE

The r dir ction in th s cond command, using th > allows us to stor th signatur in
th fiel ~/analysis/ARP.sha1.txt and us it lat r on. Having hash s of individual fiel s can

173
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

s rv a numb r of purpos s, including matching th hash s against lists of known bad fiel s
(contraband fiel s or malwar , for xampl ), or for liminating known good fiel s from an
xamination. Doing this for ach fiel on a disk would b t dious at b st.
W can g t a hash of v ry fiel on th disk using th find command and an option that
allows us to x cut a command on ach fiel found. W can g t a v ry us ful list of SHA
hash s for v ry fiel in our mount point by using fiend to id ntify all th regular fiel s on th fiel
syst m and run a hash on all thos fiel s:

barry@forensic1:/mnt/evid$ find . -type f -exec sha1sum {} \; >


~/analysis/sha1.filelist.txt

barry@forensic1:/mnt/evid$ cat ~/analysis/sha1.filelist.txt


86082e288fea4a0f5c5ed3c7c40b3e7947afec11 ./Docs/Benchmarks.xls
81e62f9f73633e85b91e7064655b0ed190228108 ./Docs/Computer_Build.xml
...

Theis command says “find, starting in th current dir ctory (signifie d by th “.”), any
r gular fiel (-type f) and x cut (-exec) th command sha1sum on all fiel s found ({}).
R dir ct th output to sha.filelist.txt in th ~/analysis dir ctory (wh r w ar storing
all of our vid nc fiel s). The “\;” is an scap s qu nc that nds th –exec command. The
r sult is a list of fiel s from our analysis mount point and th ir SHA hash s. Again, you can
substitut th md5sum command if you pr f r.

W can th n look at th hash s by using th cat command to str am th fiel to


standard output (in this cas , our t rminal scr n), as in th s cond command abov .

You can also us Linux to do your v rifiecation (or hash matching) for you. To v rify
hash s using a hash list cr at d with on of our hashing programs ( sha1sum, md5sum, tc.), you
can us th -c option. If th fiel s match thos in th hash list, th command will r turn OK.
Making sur you ar in a dir ctory wh r th r lativ paths provid d in th list will targ t th
corr ct fiel s, us th following command:

barry@forensic1:/mnt/evid$ sha1sum -c ~/analysis/sha1.filelist.txt


./Docs/Benchmarks.xls: OK
./Docs/Computer_Build.xml: OK
./Docs/Law.doc: OK
./Docs/whyhack: OK
./Pics/C800x600.jpg: OK
./Pics/bike2.jpg: OK
./Pics/bike3.jpg: OK
./Pics/matrixs3.jpg: OK
./Pics/mulewheelie.gif: OK
./Pics/Stoppie.gif: OK
./ARP.EXE: OK
./FTP.EXE: OK

174
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

./loveletter.virus: OK
./ouchy.dat: OK
./snoof.gz: OK

Again, th SHA hash s in th fiel will b compar d with SHA sums tak n from th
mount point. If anything has chang d, th program will giv a FAILED m ssag . If th r ar
fail d hash s, you will g t a m ssag summarizing th numb r of failur s at th botteom of th
output. Theis is th fast st way to v rify hash s. Not that th fiel nam s start with ./. Theis
indicat s a relative path. M aning that w must b in th sam r lativ dir ctory wh n w
ch ck th hash s, sinc that's wh r th command will look for th fiel s.

File Listing

G t cr ativ . Tak th ls command w us d arli r and r dir ct th output to your


~/analysis dir ctory. With that you will hav a list of all th fiel s and th ir own rs and
p rmissions on th subj ct fiel syst m. Theis is a v ry important command. Ch ck th man
pag for various us s and options. For xampl , you could us th –i option to includ th
inod in th list (for Linux fiel syst ms), th –t option can b us d so that th output will
includ and sort by modifiecation.

barry@forensic1:/mnt/evid$ ls -lRt > ~/analysis/ModTime.filelist.txt

You could also g t a list of th fiel s, on p r lin , using th find command (with -type
f) and r dir cting th output to anoth r list fiel :

barry@forensic1:/mnt/evid$ find . -type f > ~/analysis/find.filelist.txt

Or a list of just dir ctori s (-type d)

barry@forensic1:/mnt/evid$ find . -type d > ~/analysis/find.dirlist.txt

The r is also th tree command, which prints a r cursiv listing that is mor visualNIt
ind nts th ntri s by dir ctory d pth and coloriz s th fiel nam s (if th t rminal is corr ctly
s t).

175
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

barry@forensic1:/mnt/evid$ tree
.
├── ARP.EXE
├── Docs
│ ├── Benchmarks.xls
│ ├── Computer_Build.xml
│ ├── Law.doc
│ ├── Private
│ └── whyhack
├── FTP.EXE
├── Pics
│ ├── C800x600.jpg
│ ├── Stoppie.gif
│ ├── bike2.jpg
│ ├── bike3.jpg
│ ├── matrixs3.jpg
│ └── mulewheelie.gif
├── loveletter.virus
├── ouchy.dat
└── snoof.gz

3 directories, 15 files

Hav a look at th abov commands, and compar th ir output. Which do you lik
b tte r? R m mb r th syntax assum s you ar issuing th command from th /mnt/evid
dir ctory (look at your prompt, or us pwd if you don’t know wh r you ar ). The find
command is sp cially pow rful for s arch for fiel s of a sp cifiec dat or siz (or upp r and
low r limits).

You can also us th grep command on ith r of lists cr at d by th fierst two


commands abov for what v r strings or xt nsions you want to look for.

barry@forensic1:/mnt/evid$ grep -i .jpg ~/analysis/find.filelist.txt


./Pics/C800x600.jpg
./Pics/bike2.jpg
./Pics/bike3.jpg
./Pics/matrixs3.jpg

Theis command looks for th patte rn .jpg in th list of fiel s, using th fiel nam
xt nsion to al rt us to a JPEG fiel . The -i mak s th grep command cas ins nsitiv . Onc
you g t a b tte r handl on grep, you can mak your s arch s far mor targ t d. For xampl ,
sp cifying strings at th b ginning or nd of a lin (lik fiel xt nsions) using ^ or $. The grep
man pag has a whol s ction on th s r gular xpr ssion t rms.

176
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Making a List of File Types

What if you ar looking for JPEGs but th nam of th fiel has b n chang d, or th
xt nsion is wrong? You can also run th command file on ach fiel and s what it might
contain. As w saw in arli r s ctions wh n looking at fiel syst ms, th file command
compar s ach fiel ’s h ad r (th fierst f w byt s of a raw fiel ) with th cont nts of th “magic”
fiel . It th n outputs a d scription of th fiel .

R m mb r our us of th find command’s -exec option with sha1sum? L t’s do th


sam thing with file:

barry@forensic1:/mnt/evid$ find . -type f -exec file {} \; >


~/analysis/filetype.txt

Theis cr at s a t xt fiel with th output of th file command for ach fiel that th find
command r turns. The t xt fiel is in ~/analysis/filetype.txt. Vi w th r sulting list with
th cat command (or less). I s parat d th fiel ntri s b low for r adability:

barry@forensic1:/mnt/evid$ cat ~/analysis/filetype.txt


./Docs/Benchmarks.xls: Composite Document File V2 Document, Little Endian, Os:
Windows, Version 4.10, Code page: 1252, Author: Barry J. Grundy, Last Saved By:
Barry J. Grundy, Name of Creating Application: Microsoft Excel, Create Time/Date:
Sat Jan 9 19:53:35 1999, Security: 0

./Docs/Computer_Build.xml: gzip compressed data, from Unix

./Docs/Law.doc: Composite Document File V2 Document, Little Endian, Os: Windows,


Version 4.0, Code page: 1252, Title: The Long Arm of the Law, Author: OAG,
Template: Normal.dot, Last Saved By: OAG, Revision Number: 2, Name of Creating
Application: Microsoft Word 8.0, Total Editing Time: 01:00, Create Time/Date: Thu
Sep 21 13:16:00 2000, Last Saved Time/Date: Thu Sep 21 13:16:00 2000, Number of
Pages: 1, Number of Words: 1335, Number of Characters: 7610, Security: 0

./Docs/whyhack: ASCII text, with very long lines, with CRLF, LF line terminators
...

If you ar looking for imag s in particular, th n us grep to sp cify that. The following
command would look for th string “imag ” using th grep command on th fiel /root/evid/
filetype.list

177
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

barry@forensic1:/mnt/evid$ grep image ~/analysis/filetype.txt


./Pics/C800x600.jpg: JPEG image data, JFIF standard 1.02, resolution (DPI),
density 80x80, segment length 16, comment: "File written by Adobe Photoshop\250
5.0", progressive, precision 8, 800x600, frames 3

./Pics/matrixs3.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density
1x1, segment length 16, baseline, precision 8, 483x354, frames 3

./Pics/Stoppie.gif: GIF image data, version 87a, 1024 x 693

./ouchy.dat: JPEG image data, JFIF standard 1.02, resolution (DPI), density 74x74,
segment length 16

Not that th fiel ouchy.dat do s not hav th prop r xt nsion, but it is still id ntifie d
as a JPEG imag . Also not that som of th imag s abov do not show up in our grep list
b caus th ir d scriptions do not contain th word “imag ”. The r ar two Windows Bitmap
imag s that hav .jpg xt nsions that do not nd up in th grep list. B awar of this wh n
using th file command.

Viewing Files

For t xt fiel s, you might want to us cat, more or less to vi w th cont nts.

cat filename
more filename
less filename

B awar that if th output is not standard t xt, th n you might corrupt th t rminal
output (typ reset or stty sane at th prompt and it should cl ar up). Using th file
command will giv you a good id a of which fiel s will b vi w-abl and what program might
b st b us d to vi w th cont nts of a fiel . For xampl , Microsoftw Officc docum nts can b
op n d und r Linux using programs lik Op nOfficc , catdoc or catdocx.

P rhaps a b tte r alt rnativ for vi wing unknown fiel s would b to us th strings
command. Theis command can b us d to pars r gular ASCII t xt out of any fiel . It’s good for
formatte d docum nts, data fiel s (Exc l, tc.) and v n binari s (unid ntifie d x cutabl fiel s, for
xampl ), which might hav int r sting t xt strings hidd n in th m. It might b b st to pip
th output through less.

Hav a look at th mount d imag on /mnt/evid. The r is a fiel call d ARP.EXE. What
do s this fiel do? W can’t x cut it, and from using th file command w know that it’s an
DOS/Windows x cutabl . Run th following command (again, assuming you ar in th /mnt/
evid dir ctory) and scroll through th output. Do you fiend anything of int r st (hint: lik a
usag m ssag )?

178
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

barry@forensic1:/mnt/evid$ strings ARP.EXE | less


!This program cannot be run in DOS mode.
.text
`.data
.rsrc
@.reloc
WSOCK32.dll
CRTDLL.dll
KERNEL32.dll
NTDLL.DLL
... <output continues>
inetmib1.dll
Displays and modifies the IP-to-Physical address translation tables used by
address resolution protocol (ARP).
ARP -s inet_addr eth_addr [if_addr]
ARP -d inet_addr [if_addr]
ARP -a [inet_addr] [-N if_addr]
-a Displays current ARP entries by interrogating the current
protocol data. If inet_addr is specified, the IP and Physical
addresses for only the specified computer are displayed. If
more than one network interface uses ARP, entries for each ARP
table are displayed.
-g Same as -a.
inet_addr Specifies an internet address.
...

Vi wing imag s (pictur fiel s) from your vid nc mount point can b don on th
command lin with th xv command (assuming you ar in an X window s ssion). xv is
install d by d fault in most mod rn Linux distributions. Hav a look at th ouchy.dat fiel in
th root of your /mnt/evid mount point. W can s it is a pictur fiel , v n though th
xt nsion is wrong by using th file command. Without l aving th command lin , w can
vi w th fiel using xv:

barry@forensic1:/mnt/evid$ file ouchy.dat


ouchy.dat: JPEG image data, JFIF standard 1.02, resolution (DPI), density 74x74,
segment length 16, comment: "File written by Adobe Photoshop\250 5.0", baseline,
precision 8, 440x297, frames 3

barry@forensic1:/mnt/evid$ xv ouchy.dat

179
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Illustration 4: Ouptut of xv ouchy.dat

Clos th imag with your mous , or us th ctrl-c k y combo from th command lin
to kill th program.

On n at trick you can do if you hav a handful of pictur fiel s in a dir ctory you want
to vi w without having to us a s parat command for ach is to us a bash loop. Scripting
and bash programming ar outsid th scop of this docum nt (for now), but this is a v ry
simpl loop that illustrat s som mor pow rful command lin usag . Theis can b don all on
on lin , but s parating th individual commands with th < nt r> k y mak s it a bit mor
r adabl .

First, l t’s cd into th Pics/ dir ctory und r /mnt/evid, do a quick ls and s that w
hav a small dir ctory with a f w pictur fiel s (you can ch ck this with file *). W th n typ
our loop:

barry@forensic1:/mnt/evid$ cd Pics

barry@forensic1:/mnt/evid/Pics$ ls
C800x600.jpg* bike2.jpg* matrixs3.jpg*
Stoppie.gif* bike3.jpg* mulewheelie.gif*

barry@forensic1:/mnt/evid/Pics$ for pic in ./* <enter>


> do <enter>
> xv $pic <enter>
> done <enter>

The fierst lin of a bash loop abov m ans “for v ry fiel in th curr nt dir ctory (./*),
assign ach fiel th variabl nam pic as w mov through th loop”. The s cond lin is simply
th bash k yword do. The third lin x cut s xv on th valu of th pic variabl ($pic) at ach
it ration of th loop, follow d by th bash k yword done to clos th loop. As you run th

180
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

loop, ach imag will display, and th loop will paus until you clos xv. Wh n you clos xv
th loop continu s until all th valu s of $pic ar xhaust d (all th fiel s in th dir ctory) and
th loop xits. L arn to do this and I promis you will fiend it us ful almost daily.

If you ar curr ntly running th X window syst m, you can us any of th graphics
tools that com standard with which v r Linux distribution you ar using. geeqie is on
graphics tool for th XFCE d sktop that will display graphic fiel s in a dir ctory. Exp rim nt a
littel . Oth r tools, such as gthumb for Gnom and Konqueror from th KDE d sktop hav a
f atur that will cr at a v ry nic html imag gall ry for you from all imag s in a dir ctory.

Onc you ar fienish d xploring, b sur to unmount th loop mount d disk imag .
Again, mak sur you ar not anywh r in th mount point (using that dir ctory in anoth r
t rminal s ssion) wh n you try to unmount, or you will g t th “busy” rror. The following
commands will tak you back to your hom dir ctory (cd without argum nts tak s you to your
hom dir ctory automagically). W su to root, and unmount th loop mount d fiel syst m.

barry@forensic1:/mnt/evid/Pics$ cd

barry@forensic1:~$ su -
Password:

root@forensic1:~$ umount /mnt/evid

root@forensic1:~$ exit

barry@forensic1:~$

Searching All Areas of the Forensic Image for Text

Now l t’s go back to th original imag . The loop mount d disk imag allow d you to
ch ck all th fiel s and dir ctori s using a logical vi w of th fiel syst m. What about
unallocat d and slack spac (physical vi w)? W will now analyz th imag its lf, sinc it was
a bit for bit copy and includ s data in th unallocat d ar as of th disk. W ’ll do this using
rudim ntary Linux tools.

L t’s assum that w hav s iz d this imag from m dia us d by a form r mploy of a
larg corporation. The would-b crack r s nt a l tte r to th corporation thr at ning to unl ash
a virus in th ir n twork. The susp ct d ni s s nding th l tte r. Theis is a simpl matte r of
fiending th t xt from a d l t d fiel (unallocat d spac ).

First, chang back to th dir ctory wh r you sav d th imag fiel fat_fs.raw. In this
cas , th fiel is in my hom dir ctory (which you can s is my pr s nt working dir ctory by
both th ~ in th prompt, and th output of th pwd command).

181
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

barry@forensic1:~$ pwd
/home/barry

barry@forensic1:~$ ls
Desktop/ Downloads/ analysis/ fat_fs.raw*

Now w will us th grep command to s arch th imag for any instanc of an


xpr ssion or patte rn. W will us a numb r of options to mak th output of grep mor
us ful. The syntax of grep is normally:

grep –options <pattern> <file-to-search>

The fierst thing w will do is cr at a list of k ywords to s arch for. It’s rar w v r
want to s arch vid nc for a singl k yword, aftw r all. For our xampl , l ts us “ransom”,
“$50,000” (th ransom amount), and “unl ash a virus”. The s ar som k ywords and a phras
that w hav d cid d to us from th original l tte r r c iv d by th corporation. Mak th list
of k ywords (using vi) and sav it as ~/analysis/searchlist.txt. Ensur that ach string
you want to s arch for is on a diffo r nt lin .

$50,000
ransom
unleash a virus

Mak sur th r ar NO BLANK LINES IN THE LIST OR AT THE END OF THE LIST!!
Now w run th grep command on our imag :

barry@forensic1:~$ grep -abif analysis/searchlist.txt fat_fs.raw >


analysis/hits.txt

W ar asking grep to us th list w cr at d in ./analysis/searchlist.txt for th


patte rns w ar looking for. Theis is sp cifie d with th -f <file> option. W ar t lling grep
to s arch fat_fs.raw for th s patte rns, and r dir ct th output to a fiel call d hits.txt in
th ./analysis dir ctory, so w can r cord th output. The –a option t lls grep to proc ss th
fiel as if it w r t xt, v n if it’s binary. The option -i t lls grep to ignor upp r and low r
cas . And th -b option t lls grep to giv us th byt offos t of ach hit so w can fiend th lin
in xxd (our command lin h x vi w r). Earli r w m ntion d th grep man pag and th
s ction it has on r gular xpr ssions. Pl as tak th tim to r ad through it and xp rim nt.

Onc you run th command abov , you should hav a n w fiel in your analysis
dir ctory call d hits.txt. Vi w this fiel with less or any t xt vi w r. K p in mind that
strings might b b st for th job. Again, if you us less, you run th risk of corrupting your
t rminal if th r ar non-ASCII charact rs. W will simply us cat to str am th ntir

182
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

cont nts of th fiel to th standard output. The fiel hits.txt should giv you a list of lin s
that contain th words in your searchlist.txt fiel . In front of ach lin is a numb r that
r pr s nts th byt offos t for that “hit” in th imag fiel . For illustration purpos s, th s arch
t rms ar und rlin d, and th byt offos ts ar bold in th output b low:

barry@forensic1:~$ cat analysis/hits.txt


75441:you and your entire business ransom.
75500:I have had enough of your mindless corporate piracy and will no longer stand
for it. You will recieve another letter next week. It will have a single bank
account number and bank name. I want you to deposit $50,000 in the account the
day you receive the letter.
75767:Don't try anything, and dont contact the cops. If you do, I will unleash a
virus that will bring down your whole network and destroy your consumer's
confidence.

In k ping with our command lin philosophy, w will us xxd to display th data
found at ach byt offos t. xxd is a command lin h x dump tool, us ful for xamining fiel s. Do
this for ach offos t in th list of hits. The -s option to xxd is so w can “s k” into th fiel th
sp cifie d numb r of byt s. Theis should yi ld som int r sting r sults if you scroll abov and
b low th offos ts. H r w ’ll us xxd and s k to th fierst hit at byt offos t 75441 with th -s
option. W ’ll pip th output to th head command, which will show us th fierst 10 lin s of
output. You can vi w mor of th output by piping through less inst ad.

barry@forensic1:~$ xxd -s 75441 fat_fs.raw | head


000126b1: 796f 7520 616e 6420 796f 7572 2065 6e74 you and your ent
000126c1: 6972 6520 6275 7369 6e65 7373 2072 616e ire business ran
000126d1: 736f 6d2e 0a0a 5468 6973 2069 7320 6e6f som...This is no
000126e1: 7420 6120 6a6f 6b65 2e0a 0a49 2068 6176 t a joke...I hav
000126f1: 6520 6861 6420 656e 6f75 6768 206f 6620 e had enough of
00012701: 796f 7572 206d 696e 646c 6573 7320 636f your mindless co
00012711: 7270 6f72 6174 6520 7069 7261 6379 2061 rporate piracy a
00012721: 6e64 2077 696c 6c20 6e6f 206c 6f6e 6765 nd will no longe
00012731: 7220 7374 616e 6420 666f 7220 6974 2e20 r stand for it.
00012741: 596f 7520 7769 6c6c 2072 6563 6965 7665 You will recieve

Pl as not that th us of grep in this mann r is fairly limit d. The r ar charact r


s ts that th common v rsions of grep (and strings as w ll) do not support. So doing a
physical s arch for a string on an imag fiel is r ally only us ful for what it do s show you. In
oth r words, n gativ r sults for a grep s arch of an imag can b misl ading. The strings or
k ywords may xist in th imag in a form not r cognizabl to grep or strings. The r ar
tools that addr ss this, and w will discuss som of th m lat r.

In addition to th structur of th imag s and th issu s of imag siz s, w also hav to


b conc rn d with m mory usag and our tools. You might fiend that grep, wh n us d as

183
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

illustrat d in small imag analysis xampl , might not work as xp ct d with larg r imag s and
could xit with an rror similar to:

grep: memory exhausted

The most appar nt caus for this is that grep do s its s arch s lin by lin . Wh n you
ar “gr pping” a larg disk imag t rabyt s in siz , you might fiend that you hav a hug
numb r of byt s to r ad through b for grep com s across a n wlin charact r. What if grep
had to r ad s v ral gigabyt s of data b for coming across a n wlin ? It would “ xhaust” its lf
(th input buffo r fiells up). The r ar many variabl s that will affo ct this, and th caus s ar
actually far mor compl x.

On pot ntial solution is to forc -f d grep som n wlin s. In our xampl analysis w
ar “gr pping” for t xt. W ar not conc rn d with non-t xt charact rs at all. If w could tak
th input str am to grep and chang th non-t xt charact rs to n wlin s, in most cas s grep
would hav no probl m. Not that changing th input str am to grep do s not chang th
imag its lf. Also, r m mb r that w ar still looking for a byt offos t. Luckily, th charact r
siz s r main th sam , and so th offos t do s not chang as w f d n wlin s into th str am
(simply r placing on “charact r” with anoth r).

L t’s say w want to tak all of th control charact rs str aming into grep from th
disk imag and chang th m to n wlin s. W can us th translate command, tr, to
accomplish this. Ch ck out man tr for mor information about this pow rful command:

barry@forensic1:~$ tr '[:cntrl:]' '\n' < fat_fs.raw | grep -abif


analysis/searchlist.txt
75441:you and your entire business ransom.
75500:I have had enough of your mindless corporate piracy and will no longer stand
for it. You will recieve another letter next week. It will have a single bank
account number and bank name. I want you to deposit $50,000 in the account the
day you receive the letter.
75767:Don't try anything, and dont contact the cops. If you do, I will unleash a
virus that will bring down your whole network and destroy your consumer's
confidence.

Theis command would r ad: “Translat all th charact rs contain d in th s t of control


charact rs [:cntrl:] to n wlin s \n. Tak th input to tr from fat_fs.raw (w ar r -
dir cting in th opposit dir ction this tim ) and pip th output to grep, and th n to head.
Theis ffo ctiv ly chang s th str am b for it g ts to grep. Notic th output do s not chang .
The translation occurs in th str am, and it’s a charact r for charact r swap.
Theis is only on of many possibl probl ms you could com across. My point h r is
that wh n issu s such as th s aris , you n d to b familiar nough with th tools Linux
provid s to b abl to und rstand why such rrors might hav b n produc d, and how you can
g t around th m. R m mb r, th sh ll tools and th GNU softwwar that accompany a Linux

184
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

distribution ar xtr m ly pow rful, and ar capabl of tackling n arly any task. Wh r th
standard sh ll fails, you might look at perl or python as options. The s subj cts ar outsid of
th scop of th curr nt pr s ntation, but ar introduc d as fodd r for furth r xp rim ntation.

B sur to unmount th imag wh n you ar fienish d:

barry@forensic1:~$ su -
Password:

root@forensic1:~$ umount /mnt/evid

root@forensic1:~$ exit

barry@forensic1:~$

185
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

VIII. Advanced (Beginner) Forensics


The following s ctions ar mor advanc d and d tail d. N w tools ar introduc d to
h lp round out som of your knowl dg and provid a mor solid footing on th capabiliti s of
th Linux command lin . The topics ar still at th b ginn r l v l, but you should b at l ast
som what comfortabl with th command lin b for tackling th x rcis s. Although I’v
includ d th commands and much of th output for thos who ar r ading this without th
b n fiet of a Linux box n arby, it is important that you follow along on your own syst m as w
go through th practical x rcis s. Typing at th k yboard and xp rim ntation is th b st
way to l arn.

Thee Command Line on Steroids

L t’s dig a littel d p r into th command lin . Oftw n th r ar argum nts mad about
th us fuln ss of th command lin int rfac (CLI) v rsus a GUI tool for analysis. I would
argu that in th cas of larg s ts of r gim nt d data, th CLI can b fast r and mor fla xibl
than many GUI tools availabl today.

As an xampl , w will look at a s t of log fiel s from a singl Unix syst m. W ar not
going to analyz th m for any sort of vid ntiary data. The point h r is to illustrat th ability
of commands through th CLI to organiz and pars data by using pip s to string a s ri s of
commands tog th r and obtain th d sir d output. Follow along with th xampl , and k p in
mind that to g t anywh r n ar profieci nt with this will r quir a gr at d al of r ading and
practic . The payoffo is normous.

Cr at a dir ctory call d Logs and download th fiel logs.v3.tar.gz into that
dir ctory:

barry@forensic1:~$ mkdir Logs

barry@forensic1:~$ cd Logs

barry@forensic1:~/Logs$ wget http://www.linuxleo.com/Files/logs.v3.tar.gz


--2017-05-20 15:16:41-- http://www.linuxleo.com/Files/logs.v3.tar.gz
Resolving www.linuxleo.com (www.linuxleo.com)... 216.250.120.84
Connecting to www.linuxleo.com (www.linuxleo.com)|216.250.120.84|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5144 (5.0K) [application/gzip]
Saving to: ‘logs.v3.tar.gz’

logs.v3.tar.gz 100%[===================>] 5.02K --.-KB/s in 0s

2017-05-20 15:16:41 (401 MB/s) - ‘logs.v3.tar.gz’ saved [5144/5144]

186
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Onc th fiel is download d, ch ck th hash and us th tar command to list th cont nts.
Our command b low shows that th fiel s in th archiv will xtract dir ctly to our curr nt dir ctory.
The r ar 5 messages logs.

barry@forensic1:~/Logs$ ls
logs.v3.tar.gz

barry@forensic1:~/Logs$ sha1sum logs.v3.tar.gz


a66bc61628af6eab8cef780e4c3f60edcedbcf12 logs.v3.tar.gz

barry@forensic1:~/Logs$ tar tzvf logs.v3.tar.gz


-rw-r--r-- root/root 8282 2003-10-29 12:45 messages
-rw------- root/root 8302 2003-10-29 16:17 messages.1
-rw------- root/root 8293 2003-10-29 16:19 messages.2
-rw------- root/root 4694 2003-10-29 16:23 messages.3
-rw------- root/root 1215 2003-10-29 16:23 messages.4

The messages logs contain ntri s from a vari ty of sourc s, including th k rn l and
oth r applications. The numb r d fiel s r sult from log rotation. As th logs ar fiell d, th y ar
rotat d and v ntually d l t d. On most Unix syst ms, th logs ar found in /var/log/ or
/var/adm. The s ar from a v ry old syst m, but again it’s not th cont nts w ar int r st d
in h r , it’s using th tools.

xtract th logs:

barry@forensic1:~/Logs$ tar xzvf logs.v3.tar.gz


messages
messages.1
messages.2
messages.3
messages.4

Inst ad of listing th cont nts with th t option, w ar xtracting it with th x option.


All th oth r options r main th sam .

L t’s hav a look at on log ntry. W pip th output of cat to th command head -n
1 so that w only g t th 1st lin (r call that head without additional argum nts will giv th
fierst 10 lin s):

barry@forensic1:~/Logs$ cat messages | head -n 1


Nov 17 04:02:14 hostname123 syslogd 1.4.1: restart.

187
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Each lin in th log fiel s b gin with a dat and tim stamp. N xt com s th host nam
follow d by th nam of th application that g n rat d th log m ssag . Finally, th actual
m ssag is print d.

For th sak of our x rcis , l t’s assum th s logs ar from a victim syst m, and w
want to analyz th m and pars out th us ful information. W ar not going to worry about
what w ar actually s ing h r , our obj ctiv is to und rstand how to boil th information
down to som thing us ful.

First of all, rath r than parsing ach fiel individually, l t’s try and analyz all th logs at
on tim . The y ar all in th sam format, and ss ntially th y compris on larg log. W can
us th cat command to add all th fiel s tog th r and s nd th m to standard output. If w
work on that data str am, th n w ar ss ntially making on larg log out of all fiev logs. Can
you s a pot ntial probl m with this?

barry@forensic1:~/Logs$ cat messages* | less


Nov 17 04:02:14 hostname123 syslogd 1.4.1: restart.
Nov 17 04:05:46 hostname123 su(pam_unix)[19307]: session opened for user news by
(uid=0)
Nov 17 04:05:47 hostname123 su(pam_unix)[19307]: session closed for user news
...
Nov 23 18:27:58 hostname123 kernel: hda: hda1 hda2 hda3 hda4 < hda5 hda6 hda7 >
Nov 23 18:27:00 hostname123 rc.sysinit: Mounting proc filesystem: succeeded
Nov 10 04:02:08 hostname123 syslogd 1.4.1: restart.<-- entries appear out of order
Nov 10 04:05:55 hostname123 su(pam_unix)[15181]: session opened for user news by
(uid=0)
Nov 10 04:05:55 hostname123 su(pam_unix)[15181]: session closed for user news
Nov 11 04:06:09 hostname123 su(pam_unix)[32640]: session opened for user news by
(uid=0)
Nov 11 04:06:10 hostname123 su(pam_unix)[32640]: session closed for user news
...

If you look at th output (scroll using less), you will s that th dat s asc nd and th n
jump to an arli r dat and th n start to asc nd again. Theis is b caus th lat r log ntri s ar
add d to th botteom of ach fiel , so as th fiel s ar add d tog th r, th dat s app ar to b out of
ord r. What w r ally want to do is str am ach fiel backwards so that th y g t add d tog th r
with th most r c nt dat in ach fiel at the top inst ad of at th botteom. In this way, wh n th
fiel s ar add d tog th r th y ar in ord r. In ord r to accomplish this, w us tac (y s, that’s
cat backwards).

barry@forensic1:~/Logs$ tac messages* | less


Nov 23 18:27:00 hostname123 rc.sysinit: Mounting proc filesystem: succeeded
Nov 23 18:27:58 hostname123 kernel: hda: hda1 hda2 hda3 hda4 < hda5 hda6 hda7 >
Nov 23 18:27:58 hostname123 kernel: Partition check:
...

188
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

B autiful. The dat s ar now in ord r. W can now work on th str am of log ntri s
as if th y w r on larg (in ord r) fiel . W will continu to work with this tac command to
cr at our in-ord r str am with ach command. W could r dir ct to anoth r singl log fiel
that contains all th logs, but th r ’s no n d to right now and cr ating on larg log fiel s rv s
no r al purpos .

First, l t’s gath r som information. W might want to know, p rhaps for our not s,
how many ntri s ar in ach fiel , and how many ntri s total. H r ’s a quick way of doing
that from th command lin :

barry@forensic1:~/Logs$ tac messages* | wc -l


374

The sam command is us d to str am all th fiel s tog th r and s nd th output through
th pip to th wc command (“word count”). The -l option sp cifie s that w want to count just
lin s inst ad of th d fault output of lin s, words and byt s. To g t a count for all th fiel s and
th total at th sam tim , us wc -l on all th m ssag s fiel s at on tim :

barry@forensic1:~/Logs$ wc -l messages*
100 messages
109 messages.1
100 messages.2
50 messages.3
15 messages.4
374 total

Now w will introduc a n w command, awk, to h lp us vi w sp cifiec fie lds from th log
ntri s, in this cas , th dat s. awk is an xtr m ly pow rful command. The v rsion most oftw n
found on Linux syst ms is gawk (GNU awk). Whil w ar going to us it as a stand-alon
command, awk is actually a programming languag on its own, and can b us d to writ scripts
for organizing data. Our conc ntration will b c nt r d on th awk “print” function. S man
awk for mor d tails.

S ts of r p titiv data can oftw n b divid d into columns or “fie lds”, d p nding on th
structur of th fiel . In this cas , th fie lds in th log fiel s ar s parat d by simpl whit spac
(th awk d fault fie ld s parator). The dat is compris d of th fierst two fie lds (month and day).
So l t’s hav a look at awk in action:

barry@forensic1:~/Logs$ tac messages* | awk '{print $1" "$2}' | less


Nov 23
Nov 23

189
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

...
Theis command will str am all th log fiel s ( ach on from botteom to top) and s nd th
output to awk which will print th fierst fie ld, $1 (month), follow d by a spac (" "), follow d by
th s cond fie ld, $2 (day). Theis shows just th month and day for v ry ntry. Suppos I just
want to s on of ach dat wh n an ntry was mad . I don’t n d to s r p ating dat s. I
ask to s on of ach uniqu lin of output with uniq:

barry@forensic1:~/Logs$ tac messages* | awk '{print $1" "$2}' | uniq | less


Nov 23
Nov 22
Nov 21
Nov 20
Nov 19

Theis r mov s r p at d dat s, and shows m just thos dat s with log activity.

CLI Hint: Inst ad of r -typing th command ach tim , us th up arrow on your k yboard to
scroll through old r commands (part of th command history of bash). Hit th up arrow onc ,
and you can dit your last command. V ry us ful wh n adjusting commands for this sort of
parsing.

If a particular dat is of int r st, I can grep th logs for that particular dat (not th r
ar 2 spac s b tw n Nov and 4, on spac will not work in our grep command):

barry@forensic1:~/Logs$ tac messages* | grep "Nov 4"


Nov 4 17:41:27 hostname123 sshd(pam_unix)[27630]: session closed for user root
Nov 4 17:41:27 hostname123 sshd[27630]: Received disconnect from 1xx.183.221.214:
11: Disconnect requested by Windows SSH Client.
Nov 4 17:13:07 hostname123 sshd(pam_unix)[27630]: session opened for user root by
(uid=0)
Nov 4 17:13:07 hostname123 sshd[27630]: Accepted password for root from
1xx.183.221.214 port 1762 ssh2
Nov 4 17:08:23 hostname123 sshd(pam_unix)[27479]: session closed for user root
...

Of cours , w hav to k p in mind that this would giv us any lin s wh r th string
Nov 4 r sid d, not just in th dat fie ld. To b mor xplicit, w could say that w only want
lin s that start with Nov 4, using th ^ (in our cas , this giv s ss ntially th sam output):

barry@forensic1:~/Logs$ tac messages* | grep ^"Nov 4"


Nov 4 17:41:27 hostname123 sshd(pam_unix)[27630]: session closed for user root
Nov 4 17:41:27 hostname123 sshd[27630]: Received disconnect from 1xx.183.221.214:
11: Disconnect requested by Windows SSH Client.
...

190
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Also, if w don’t know that th r ar two spac s b tw n Nov and 4, w can t ll grep to
look for any numb r of spac s b tw n th two:

barry@forensic1:~/Logs$ tac messages* | grep ^"Nov[ ]*4"


Nov 4 17:41:27 hostname123 sshd(pam_unix)[27630]: session closed for user root
Nov 4 17:41:27 hostname123 sshd[27630]: Received disconnect from 1xx.183.221.214:
11: Disconnect requested by Windows SSH Client.
...

The abov grep xpr ssion translat s to “Lin s starting (^) with th string Nov follow d
by z ro or mor (*) of th pr c ding charact rs that ar b tw n th brack ts ( [ ] - in this
cas , a spac ) follow d by a 4”. Obviously, this is a compl x issu . Knowing how to us
r gular xpr ssion will giv you hug fla xibility in sorting through and organizing larg s ts of
data. As m ntion d arli r, r ad th grep man pag for a good prim r on r gular xpr ssions.

As w look through th log fiel s, w may com across ntri s that app ar susp ct.
P rhaps w n d to gath r all th ntri s that w s containing th string Did not receive
identification string from <IP> for furth r analysis.

barry@forensic1:~/Logs$ tac messages* | grep "identification string"


Nov 22 23:48:47 hostname123 sshd[19380]: Did not receive identification string
from 19x.xx9.220.35
Nov 22 23:48:47 hostname123 sshd[19379]: Did not receive identification string
from 19x.xx9.220.35
Nov 20 14:13:11 hostname123 sshd[29854]: Did not receive identification string
from 200.xx.114.131
...

How many of th s ntri s ar th r ?

barry@forensic1:~/Logs$ tac messages* | grep "identification string" | wc -l


35

The r ar 35 such ntri s. Now w just want th dat (fie lds 1 and 2), th tim (fie ld 3)
and th r mot IP addr ss that g n rat d th log ntry. The IP addr ss is th last fie ld. Rath r
than count ach word in th ntry to g t to th fie ld numb r of th IP, w can simply us th
variabl $NF, which m ans “numb r of fie lds”. Sinc th IP is th last fie ld, its fie ld numb r is
qual to th numb r of fie lds:

barry@forensic1:~/Logs$ tac messages* | grep "identification string" | awk


'{print $1" "$2" "$3" "$NF}'

191
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Nov 22 23:48:47 19x.xx9.220.35


Nov 22 23:48:47 19x.xx9.220.35
Nov 20 14:13:11 200.xx.114.131
Nov 18 18:55:06 6x.x2.248.243
...

W can add som tabs (\t) in plac of spac s in our output to mak it mor r adabl
(this assum s fiex d string l ngth). The following command will plac a tab charact r b tw n
th dat and th tim , and b tw n th tim and th IP addr ss:

barry@forensic1:~/Logs$ tac messages* | grep "identification string" | awk


'{print $1" "$2"\t"$3"\t"$NF}'
Nov 22 23:48:47 19x.xx9.220.35
Nov 22 23:48:47 19x.xx9.220.35
Nov 20 14:13:11 200.xx.114.131
...

Theis can all b r dir ct d to an analysis log or t xt fiel for asy addition to a r port.
R m mb r that > report.txt creates th r port fiel (ov rwriting anything th r pr viously),
whil >> report.txt appends to it. You can us su to b com root and s t th “app nd only”
atteribut on you r port fiel to pr v nt accid ntal ov rwrit s 22.

The following commands ar typ d on on lin ach:

barry@forensic1:~/Logs$ echo "Localhost123: Log entries from /var/log/messages" >


report.txt

barry@forensic1:~/Logs$ echo "\"Did not receive identification string\":" >>


report.txt

barry@forensic1:~/Logs$ tac messages* | grep "identification string" | awk


'{print $1" "$2"\t"$3"\t"$NF}' >> report.txt

barry@forensic1:~/Logs$ cat report.txt


Localhost123: Log entries from /var/log/messages
"Did not receive identification string":
Nov 22 23:48:47 19x.xx9.220.35
Nov 22 23:48:47 19x.xx9.220.35
Nov 20 14:13:11 200.xx.114.131
Nov 18 18:55:06 6x.x2.248.243
...

22
W cov r d this arli r in th guid with th chattr command. S th man pag for mor info.

192
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

W can also g t a sort d (sort) list of th uniqu (-u) IP addr ss s involv d in th sam
way:

barry@forensic1:~/Logs$ tac messages* | grep "identification string" | awk


'{print $NF}' | sort -u >> report.txt

barry@forensic1:~/Logs$ cat report.txt


Localhost123: Log entries from /var/log/messages
"Did not receive identification string":
Nov 22 23:48:47 19x.xx9.220.35
Nov 22 23:48:47 19x.xx9.220.35
...
Unique IP addresses:
19x.xx9.220.35
200.xx.114.131
200.xx.72.129
212.xx.13.130
2xx.54.67.197
2xx.71.188.192
2xx.x48.210.129
6x.x2.248.243
6x.x44.180.27
xx.192.39.131

The command abov prints only th last fie ld ($NF) of our grep output (which is th IP
addr ss). The r sulting list of IP addr ss s can also b f d to a script that do s nslookup or
whois databas qu ri s.

You can vi w th r sulting r port (report.txt) using th less command.

As with all th x rcis s in this docum nt, w hav just sampl d th abiliti s of th
Linux command lin . It all s ms som what convolut d to th b ginn r. Aftw r som practic
and xp ri nc with diffo r nt s ts of data, you will fiend that you can glanc at a fiel and say “I
want that information”, and b abl to writ a quick pip d command to g t what you want in a
r adabl format in a matteer of seconds. As with all languag skills, th Linux command lin
“languag ” is p rishabl . K p a good r f r nc handy and r m mb r that you might hav to
look up syntax a f w tim s b for it b com s s cond natur .

Fun with DD

W ’v alr ady don som simpl imaging and wiping using dd, l t’s xplor som oth r
us s for this fla xibl tool. dd is sort of lik a littel for nsic Swiss army knif (talk about ov r-
us d clich s!). It has lots of applications, limit d only by your imagination.

193
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Data Carving with DD

In this n xt xampl , w will us dd to carv a JPEG pictur fiel from a chunk of raw
data. By its lf, this is not a r al us ful x rcis . The r ar lots of tools out th r that will
“carv ” fiel s from for nsic imag s, including a simpl cut and past from a h x ditor.
How v r, th purpos of this x rcis is to h lp you b com mor familiar with dd. In
addition, you will g t a chanc to us a numb r of oth r tools in pr paration for th “carving”.
Theis will h lp familiariz you furth r with th Linux toolbox. First you will n d to download
th raw data chunk and ch ck it’s hash:

barry@forensic1:~$ wget http://www.linuxleo.com/Files/image_carve_2017.raw


...

barry@forensic1:~$ sha1sum image_carve_2017.raw


ac3dd14e9a84f8dc5b827ba6262c295d28d3cecc image_carve_2017.raw

Hav a bri f look at th fiel image_carve_2017.raw with your wond rful command
lin h xdump tool, xxd:

barry@forensic1:~$ xxd image_carve_2017.raw | less


00000000: f0d5 0291 431e 41db 5fb9 abce 7240 4543 ....C.A._...r@EC
00000010: 9a71 389a e0f1 4cf7 bfb4 32e2 6fe9 1132 .q8...L...2.o..2
00000020: fc36 ddca eb48 56c1 1501 bcfd e7dd 2631 .6...HV.......&1
00000030: ffa6 bc3e e7bc ddd4 e986 f222 7198 11a9 ...>......."q...
00000040: ee92 a2a1 56c2 22fc 9838 dff4 5d24 8a56 ....V."..8..]$.V
00000050: da3d 0a2c a91c e2dd 5095 40fd e43a 1208 .=.,....P.@..:..
00000060: a76d 997e 9daf f4fa 9218 a2e4 6d81 a8ca .m.~........m...
00000070: cdf2 5055 12d5 f703 44bd 8d8b 88ed abab ..PU....D.......
00000080: 9023 ee54 f4f4 77f5 c89e ffdc 7c1a dba3 .#.T..w.....|...
00000090: 42c7 9f07 902e 08c9 778c 67e3 479b 70f4 B.......w.g.G.p.
000000a0: 187a 613f 3a8c 3096 9d62 e48b 7504 7e68 .za?:.0..b..u.~h
...

It’s r ally just a fiel full of random charact rs. Som wh r insid th r is a standard
JPEG imag . L t’s go through th st ps w n d to tak to r cov r th pictur fiel using dd and
oth r Linux tools. W ar going to stick with command lin tools availabl in most d fault
installations.

First w n d a plan. How would w go about r cov ring th fiel ? What ar th things
w n d to know to g t th imag (pictur ) out, and only th imag ? Imagin dd as a pair of
scissors. W n d to know wh r to put th scissors to start cutteing, and w n d to know
wh r to stop cutteing. Finding th start of th JPEG and th nd of th JPEG can t ll us this.
Onc w know wh r w will start and stop, w can calculat th size of th JPEG. W can

194
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

th n t ll dd wh r to start cutteing, and how much to cut. The output fiel will b our JPEG
imag . Easy, right? So h r ’s our plan, and th tools w ’ll us :

1) Find th start of th JPEG (xxd and grep)


2) Find th nd of th JPEG (xxd and grep)
3) Calculat th siz of th JPEG (in byt s using bc)
4) Cut from th start to th nd and output to a fiel (using dd)

Theis x rcis starts with th assumption that w ar familiar with standard fiel h ad rs.
Sinc w will b s arching for a standard JPEG imag within th data chunk, w will start with
th stipulation that th JPEG h ad r b gins with h x ffd8 with a six-byt offos t to th string
JFIF. The nd of th standard JPEG is mark d by h x ffd9.

L t’s go ah ad with st p 1: Using xxd, w pip th output of our image_carve.raw fiel


to gr p and look for th start of th JPEG23:

barry@forensic1:~$ xxd image_carve_2017.raw | grep ffd8


0000f900: 901d cfe7 8488 ac23 ffd8 24ab 4f4d 1613 .......#..$.OM..
0001bba0: e798 a4b6 d833 9567 af5f ffd8 e5e9 ed24 .....3.g._.....$
00033080: 84a5 aeec d7db ffd8 3c37 c52d a80e 6e7e ........<7.-..n~
00036ac0: 1676 761b e3d4 ffd8 ffe0 0010 4a46 4946 .vv.........JFIF

The grep command found four lin s that contain th pot ntial h ad r of our pictur
fiel . W know that w ar looking for a JPEG imag , and w know that following an additional
four byt s aftw r th ffd8 w should s th JFIF string. The last lin of our output shows that,
m aning this is th corr ct match. Theis is shown in r d abov .

The start of a standard JPEG fiel h ad r has b n found. The offos t (in h x) for th
b ginning of this lin of xxd output is 00036ac0. Now w can calculat th byt offos t in
d cimal. For this w will us th bc command. As w discuss d in an arli r s ction, bc is a
command lin “calculator”, us ful for conv rsions and calculations. It can b us d ith r
int ractiv ly or tak pip d input. In this cas w will cho th h x offos t to bc, fierst t lling it
that th valu is in bas 16. bc will r turn th d cimal valu .

barry@forensic1:~$ echo "ibase=16;36AC0" | bc


223936

It’s important that you us uppercase letteers in th h x valu . Not that this is NOT th
start of th JPEG, just th start of th lin in th xxd output. The ffd8 string is actually locat d
anoth r six byt s farth r into that lin of output ( ach h x pair is a charact r valu , and th r
23
The perceptive among you will notice that this is a “perfect world” situation. There are a number of
variables that can make this operation more difficult. The grep command can be adjusted for many
situations using a complex regular expression (outside the scope of this document).

195
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

ar six pairs b for th ffd8). So w add 6 to th start of th lin . Our offos t is now 223942.
W hav found and calculat d th start of th JPEG imag in our data chunk.

Now it’s tim to fiend th nd of th fiel .

Sinc w alr ady know wh r th JPEG starts, w will start our s arch for th nd of
th fiel from that point. Again using xxd and grep w s arch for th foot r valu ffd9
som wh r aftwer th h ad r:

barry@forensic1:~$ xxd -s 223942 image_carve_2017.raw | grep ffd9


0005d3c6: af29 6ae7 06e1 2e48 38a3 ffd9 8303 a138 .)j....H8......8

The –s 223942 option to xxd sp cifie s wh r to start s arching (sinc w know this is
th front of th JPEG, th r ’s no r ason to s arch b for it and w liminat fals hits from that
r gion). The output shows th fierst ffd9 on th lin at h x offos t 0005d3c6. L t’s conv rt that
to d cimal, again noting th upp rcas valu in our h x:

barry@forensic1:~$ echo "ibase=16;5D3C6" | bc


381894

B caus that is th offos t for th start of th lin , w n d to add 12 to th valu to


includ th ffd9 (giving us 381906). W do this b caus th ffd9 n ds to b included in our
carv , so w skip past it. Now that w know th start and th nd of th fiel , w can calculat
th siz :

barry@forensic1:~$ echo "381906-223942" | bc


157964

W now know th fiel is 157964 byt s in siz , and it starts at byt offos t 223942. The
carving is th asy part! W will us dd with thr options:

skip= how far into th data chuck w b gin “cutteing”.


bs= (block siz ) th numb r of byt s w includ as a “block”.
count= th numb r of blocks w will b “cutteing”.

The input fiel for th dd command is image_carve_2017.raw. Obviously, th valu of


skip will b th offos t to th start of th JPEG. The asi st way to handl th block siz is to
sp cify it as bs=1 (m aning on byt ) and th n s tteing count to th siz of th fiel . The nam
of th output fiel is arbitrary.

196
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

barry@forensic1:~$ dd if=image_carve_2017.raw of=carved.jpg bs=1 skip=223942


count=157964
157964+0 records in
157964+0 records out
157964 bytes (158 kB, 154 KiB) copied, 0.279145 s, 566 kB/s

You should now hav a fiel in your curr nt dir ctory call d carved.jpg. If you ar in
X, simply us th xv command to vi w th fiel (or any oth r imag vi w r, lik display) and
s what you’v got.

barry@forensic1:~$ xv carved.jpg

Carving Partitions with DD

Now w can try anoth r us ful x rcis in carving with dd. Oftw n, you will obtain or b
giv n a dd imag of a full disk. At tim s you might fiend it d sirabl to hav ach s parat
partition within th disk availabl to s arch or mount. R m mb r, you cannot simply mount
an ntir disk imag , only th partitions. W ’v alr ady l arn d that w can fiend th structur
of an imag and mount th partitions within using tools lik kpartx and th loop d vic with
th mount command..

In this cas , how v r, w will assum w ar on a syst m wh r w may not hav


acc ss to xt rnally availabl tools lik kpartx. W introduc this t chniqu h r not to t ach
it for practical us (though it may hav som limit d practical us ), but to provid anoth r
practical x rcis using a numb r of important command lin tools. In any v nt, for th
b ginning Linux for nsics stud nt, I would still consid r this an important skill. It's just good
practic for a numb r of common and us ful commands.

The m thod w will us in this x rcis ntails id ntifying th partitions within a raw
imag with fdisk or gdisk. W will th n us dd to carv th partitions out of th imag .

W will us th sam disk imag w us d pr viously (able_3.00*). If you hav not


download d it alr ady, do so now using wget. The n ch ck th hash of th download d fiel . It
should match min h r :

barry@forensic1:~$ wget http://www.linuxleo.com/Files/able_3.tar.gz


...

barry@forensic1:~$ sha1sum able_3.tar.gz


6d8de5017336028d3c221678b483a81e341a9220 able_3.tar.gz

197
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Ch ck th cont nts of th tar archiv (tar tzvf), untar th fiel s (tar xzvf), and
chang into th able_3 dir ctory with cd. You can skip all of this if you alr ady hav th
able_3 dir ctory from our pr vious x rcis . Just chang into th dir ctory.

barry@forensic1:~$ tar tzvf able_3.tar.gz


drwxr-xr-x barry/users 0 2017-05-25 12:42 able_3/
-rw-r--r-- barry/users 1073741824 2017-05-25 12:13 able_3/able_3.000
-rw-r--r-- barry/users 1073741824 2017-05-25 12:13 able_3/able_3.001
-rw-r--r-- barry/users 1339 2017-05-25 12:14 able_3/able_3.log
-rw-r--r-- barry/users 1073741824 2017-05-25 12:14 able_3/able_3.003
-rw-r--r-- barry/users 1073741824 2017-05-25 12:14 able_3/able_3.002

barry@forensic1:~$ tar xzvf able_3.tar.gz


able_3/
able_3/able_3.000
able_3/able_3.001
able_3/able_3.log
able_3/able_3.003
able_3/able_3.002
barry@forensic1:~$ cd able_3

Now that w ar in th able_3 dir ctory, w can s that w hav our 4 split imag fiel s
and a log fiel with th acquisition information. Theis particular log was cr at d by th dc3dd
command (w cov r d arli r). Vi w th log and look at th hash s:

barry@forensic1:~/able3$ cat able_3.log

dc3dd 7.2.646 started at 2017-05-25 15:51:04 +0000


compiled options:
command line: dc3dd if=/dev/sda hofs=able_3.000 ofsz=1G hash=sha1 log=able_3.log
device size: 8388608 sectors (probed), 4,294,967,296 bytes
sector size: 512 bytes (probed)
4294967296 bytes ( 4 G ) copied ( 100% ), 1037.42 s, 3.9 M/s
4294967296 bytes ( 4 G ) hashed ( 100% ), 506.481 s, 8.1 M/s

input results for device `/dev/sda':


8388608 sectors in
0 bad sectors replaced by zeros
2eddbfe3d00cc7376172ec320df88f61afda3502 (sha1)
4ef834ce95ec545722370ace5a5738865d45df9e, sectors 0 - 2097151
ca848143cca181b112b82c3d20acde6bdaf37506, sectors 2097152 - 4194303
3d63f2724304205b6f7fe5cadcbc39c05f18cf30, sectors 4194304 - 6291455
9e8607df22e24750df7d35549d205c3bd69adfe3, sectors 6291456 - 8388607
...

198
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

The fierst hash in th output abov is th ntir input hash for th d vic that was
imag d (/dev/sda1 from th subj ct syst m). W can v rify that by str aming all our split
parts tog th r and piping through sha1sum:

barry@forensic1:~/able3$ cat able_3.0* | sha1sum


2eddbfe3d00cc7376172ec320df88f61afda3502 -

The n xt four hash s ar for th split imag fiel s (and th s ctor rang in ach split).
W could also v rify th s individually, although if th pr vious command works, w ’v
alr ady confierm d our individual hash s will match. Go ah ad and ch ck th m anyway:

barry@forensic1:~/able3$ sha1sum able_3.0*


4ef834ce95ec545722370ace5a5738865d45df9e able_3.000
ca848143cca181b112b82c3d20acde6bdaf37506 able_3.001
3d63f2724304205b6f7fe5cadcbc39c05f18cf30 able_3.002
9e8607df22e24750df7d35549d205c3bd69adfe3 able_3.003

W can s th y match th hash s in log fiel .

Okay, now w hav our imag , and w hav v rifie d that it is an accurat copy. In
ord r to ch ck th fiel syst m and carv th partitions, w ’ll n d to work on a singl raw
imag inst ad of splits. Working from th assumption that w ar x cuting this on a syst m
with basic tools, w ’ll forgo using tools lik affuse and kpartx. Inst ad, w ’ll simply r cr at
a raw imag by using cat to add th fiel s back tog th r and r -dir ct to th raw imag :

barry@forensic1:~/able3$ cat able_3.0* > able_3.raw

And now w will work on th able_3.raw imag .

L t’s start by xploring th cont nts of th imag with som of our partition parsing
tools. To us th s tools, you’ll n d to b root and chang to th dir ctory wh r th imag s
ar (us r’s hom dir ctory and able_3 sub dir ctory):

barry@forensic1:~/able3$ su -
Password:

root@forensic1:~# cd ~barry/able_3

root@forensic1:/home/barry/able_3#

199
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Starting with fdisk:

root@forensic1:/home/barry/able_3# fdisk -l able_3.raw


Disk able_3.raw: 4 GiB, 4294967296 bytes, 8388608 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: B94F8C48-CE81-43F4-A062-AA2E55C2C833

Device Start End Sectors Size Type


able_3.raw1 2048 104447 102400 50M Linux filesystem
able_3.raw2 104448 309247 204800 100M Linux filesystem
able_3.raw3 571392 8388574 7817183 3.7G Linux filesystem

Looking at th output, w s that th disk has a GPT partitioning sch m . You could
r -run th command using gdisk for docum ntation purpos s. Onc w ’v fienish d with
fdisk, xit th root login and you ar back to a normal us r:

root@forensic1:/home/barry/able_3# exit
logout

barry@forensic1:~/able3$

L t’s go ah ad and dd out ach partition. With th output of fdisk -l shown abov ,
th job is asy.

barry@forensic1:~/able3$ dd if=able_3.raw of=able_3.part1.raw bs=512 skip=2048


count=102400
102400+0 records in
102400+0 records out
52428800 bytes (52 MB, 50 MiB) copied, 0.167642 s, 313 MB/s
barry@SlackBuilds:~/able_3$ dd if=able_3.raw of=able_3.part2.raw bs=512
skip=104448 count=204800
204800+0 records in
204800+0 records out
104857600 bytes (105 MB, 100 MiB) copied, 0.385551 s, 272 MB/s
barry@SlackBuilds:~/able_3$ dd if=able_3.raw of=able_3.part3.raw bs=512
skip=571392 count=7817183
7817183+0 records in
7817183+0 records out
4002397696 bytes (4.0 GB, 3.7 GiB) copied, 94.3723 s, 42.4 MB/s

200
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Examin th s commands clos ly. The input fiel (if=able_3.raw) is th full disk
imag . The output fiel s (of=able_3.part#.raw) will contain ach of th partitions. The block
siz that w ar using is th s ctor siz (bs=512), which match s th output of th fdisk
command. Each dd s ction n ds to start wh r ach partition b gins (skip=X), and cut as far
as th partition go s (count=Y).

Theis will l av you with thr able_3.part*.raw fiel s in your curr nt dir ctory that
can now b loop mount d without th n d for sp cial programs.

Reconstructing the Subject File System Structure (Linux)

Going back to our able_3 cas raw imag s, w now hav th original imag along with
th partition imag s that w carv d out (plus th original split imag s).

able_3.part1.raw (1st Partition)


able_3.part2.raw (2nd Partition)
able_3.part3.raw (3rd Partition)

The n xt trick is to mount th partitions in such a way that w r construct th original


fiel syst m. Theis g n rally p rtains to subj ct disks that w r imag d from Unix hosts.

On of th b n fiets of Linux/Unix syst ms is th ability to s parat th fiel syst m


across partitions. Theis can b don for any numb r of r asons, allowing for fla xibility wh r
th r ar conc rns about disk spac or s curity, tc.

For xampl , a syst m administrator may d cid to k p th dir ctory /var/log on its
own s parat partition. Theis might b don in an atte mpt to pr v nt rampant log fiel s from
fielling th root (/ not /root) partition and bringing th syst m down. S v ral y ars ago,
fiending th /boot dir ctory in its own partition was common as w ll. Theis allows th k rn l
imag to b plac d n ar “th front” (in t rms of cylind rs) of a boot volum , an issu in som
old r boot load rs. The r ar also a vari ty of s curity implications addr ss d by this s tup.

So wh n you hav a disk with multipl partitions, how do you fiend out th structur of
th fiel syst m? Earli r in this pap r w discuss d th /etc/fstab fiel . Theis fiel maintains th
mounting information for ach fiel syst m, including th physical partition; mount point, fiel
syst m typ , and options. Onc w fiend this fiel , r constructing th syst m is asy. With
xp ri nc , you will start to g t a f l for how partitions ar s tup, and wh r to look for th
fstab. To mak things simpl h r , just mount ach partition (loop, r ad only) and hav a
look around.

On thing w might lik to know is what sort of fiel syst m is on ach partition b for
w try and mount th m. W can us th file command to do this24. R m mb r from our
24
K p in mind that th file command r li s on th cont nts of th magic fiel to d t rmin a fiel typ . If
this command do s not work for you in th following xampl , th n it is most lik ly b caus th magic
fiel on your syst m do s not includ h ad rs for fiel syst m typ s.

201
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

arli r x rcis that th file command d t rmin s th typ of fiel by looking for “h ad r”
information.

barry@forensic1:~/able3$ file able_3.part*


able_3.part1.raw: Linux rev 1.0 ext4 filesystem data, UUID=ca05157e-f7b3-4c6a-
9b63-235c4cad7b73 (extents) (large files) (huge files)
able_3.part2.raw: Linux rev 1.0 ext4 filesystem data, UUID=c4ac4c0f-d9de-4d26-
9e16-10583b607372 (extents) (large files) (huge files)
able_3.part3.raw: Linux rev 1.0 ext4 filesystem data, UUID=c7f748b2-3a38-44e9-
aa43-f924955b9fdd (extents) (large files) (huge files)

Pr viously, w w r abl to d t rmin that th partitions w r “Linux” partitions from


th output of fdisk. Now file informs us that th fiel syst m typ is ext425. W can us this
information to mount th partitions. R m mb r that you will n d to b root to mount th
partitions, so su to root fierst, mount and umount ach partition, until you fiend th /etc
dir ctory containing th fstab:

barry@forensic1:~/able3$ su -
Password:

root@forensic1:~# mount -t ext4 -o ro,loop ~barry/able_3/able_3.part1.raw


/mnt/evid

root@forensic1:~# ls /mnt/evid
README.initrd@ config-huge-4.4.14 onlyblue.dat
System.map@ elilo-ia32.efi* slack.bmp
System.map-generic-4.4.14 elilo-x86_64.efi* tuxlogo.bmp
System.map-huge-4.4.14 grub/ tuxlogo.dat
boot.0800 inside.bmp vmlinuz@
boot_message.txt inside.dat vmlinuz-generic@
coffee.dat lost+found/ vmlinuz-generic-4.4.14
config@ map vmlinuz-huge@
config-generic-4.4.14 onlyblue.bmp vmlinuz-huge-4.4.14

(we are looking for /etc, and it’s not here...)

root@forensic1:~# umount /mnt/evid/

If you do this for ach partition in turn ( ith r un-mounting b tw n partitions, or


mounting to a diffo r nt mount point), you will v ntually fiend th /etc dir ctory containing
th fstab fiel in able_3.part3.raw with th following important ntri s:

You can also us th auto d t ction capabiliti s of th


25
mount command, but I pr f r to b xplicit.
Ch ck man mount for mor information.

202
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

barry@forensic1:~/able3$ cat /mnt/evid/etc/fstab


/dev/sda3 / ext4 defaults 1 1
/dev/sda1 /boot ext4 defaults 1 2
/dev/sda2 /home ext4 defaults 1 2

So now w s that th logical fiel syst m was construct d from thr s parat
partitions (not that /dev/sda h r r f rs to th disk wh n it is mount d in th original
syst m):

/root :mount d from /dev/sda3


├── bin
├── boot :mount d from /dev/sda1
├── dev
├── etc
├── home :mount d from /dev/sda2
├── lib
├── lib64
├── lost+found
├── media
├── mnt
├── opt
├── proc
├── root
├── run
├── sbin
├── srv
├── sys
├── tmp
├── usr
└── var

Now w can cr at th original fiel syst m at our vid nc mount point. The mount
point /mnt/evid alr ady xists. Wh n you mount th root partition of able_3.raw on
/mnt/evid, you will not that th dir ctori s /mnt/evid/boot and /mnt/evid/home alr ady
xist, but ar mpty. Theat is b caus w hav to mount thos partitions to acc ss th cont nts
of thos dir ctori s. W mount th root fiel syst m fierst, and th oth rs ar mount d to that.
Again, w must b root for this:

203
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

root@forensic1:~# mount -t ext4 -o ro,loop ~barry/able_3/able_3.part3.raw


/mnt/evid

root@forensic1:~# mount -t ext4 -o ro,loop ~barry/able_3/able_3.part1.raw


/mnt/evid/boot

root@forensic1:~# mount -t ext4 -o ro,loop ~barry/able_3/able_3.part2.raw


/mnt/evid/home

W now hav th r cr at d original fiel syst m und r /mnt/evid:

barry@forensic1:~/able3$ mount | grep evid


/home/barry/able_3/able_3.part3.raw on /mnt/evid type ext4 (ro)
/home/barry/able_3/able_3.part1.raw on /mnt/evid/boot type ext4 (ro)
/home/barry/able_3/able_3.part2.raw on /mnt/evid/home type ext4 (ro)

At this point w can run all of our s arch s and commands just as w did for th
pr vious fat_fs.raw x rcis on a compl t fiel syst m “root d” at /mnt/evid.

As always, you should know what you ar doing wh n you mount a compl t fiel
syst m on your for nsic workstation. B awar of options to th mount command that you
might want to us (ch ck man mount for options lik nodev and nosuid, noatime, tc.). Tak
not of wh r links point to from th subj ct fiel syst m. Not that w hav mount d th
partitions “r ad only” (ro). R m mb r to unmount (umount) ach partition wh n you ar
fienish d xploring.

204
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

IX. Advanced Analysis Tools


So now you hav som xp ri nc with using th Linux command lin and th
pow rful tools that ar provid d with a Linux installation.

How v r, as for nsic xamin rs, w soon com to fiend out that tim is a valuabl
commodity. Whil l arning to us th command lin tools nativ to a Linux install is us ful for
a myriad of tasks in th “r al world”, it can also b t dious. Aftw r all, th r ar Windows bas d
tools out th r that allow you to do much of what w hav discuss d h r in a simpl point
and click GUI. W ll, th sam can b said for Linux.

The popularity of Linux is growing at a fantastic rat . Not only do w s it in an


nt rpris nvironm nt and in big m dia, but it continu s to grow in popularity within th
fie ld of comput r for nsics. In r c nt y ars w ’v s n th list of availabl for nsic tools for
Linux grow with th r st of th industry.

In this s ction w will cov r a numb r of for nsic tools availabl to mak your analysis
asi r and mor fficci nt.

AUTHOR’S NOTE: Inclusion of tools and packag s in this s ction in no way constitut s an
ndors m nt of thos tools. Pl as t st th m yours lf to nsur that th y m t your n ds.

Sinc this is a Linux docum nt, I am cov ring availabl Linux tools. Theis do s not m an
that th common tools availabl for oth r platforms cannot b us d to accomplish many of th
sam r sults.

Pl as k p in mind, as you work through th s x rcis s, this docum nt is NOT m ant


to b an ducation in fiel syst m or physical volum analysis. As you work through th
x rcis s you will com across t rms lik inode, MFT entry, allocation status, partition tables and
direct and indirect blocks, tc. The s x rcis s ar about using th tools, and ar not m ant to
instruct you on basic for nsic knowl dg , Linux fiel syst ms or any oth r fiel syst ms. Theis is
all about th tools.

If you n d to l arn fiel syst m structur as it r lat s to comput r for nsics, pl as r ad


Brian Carri r's book: Fil Syst m For nsic Analysis (Publish d by Addison-W sl y, 2005). Theis
is not th last tim I will sugg st this.

To g t a quick ov rvi w of som fiel syst ms, you can do a quick Int rn t s arch. The r
is a ton of information r adily availabl if you n d a prim r. H r ar som simpl links to g t
you start d26. If you hav qu stions on any of th s fiel syst ms, or how th y work, I would
sugg st som light r ading b for diving into th s x rcis s.

NTFS: http://www.ntfs.com

26
The author does not vouch for any of these sources. They are provided for your information only.

205
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

http://en.wikipedia.org/wiki/NTFS

EXT2/3/4: http://e2fsprogs.sourceforge.net/ext2intro.html
http://en.wikipedia.org/wiki/Ext3
http://en.wikipedia.org/wiki/Ext4

FAT: http://en.wikipedia.org/wiki/File_allocation_table

Also, onc Sl uth Kit (which w cov r soon) is install d, you might want to brows
around http://wiki.sleuthkit.org/ for additional information on fiel syst ms and
impl m ntation.

Thee Layer Strategy for Approaching Analysis

On of th r asons Linux is s n as both xtr m ly fficci nt by its propon nts and


xc ssiv ly compl x by its d tractors is it's focus on modular programming wh r on tool
accomplish s on task rath r than th monolithic approach of many comm rcial for nsic
suit s. The d sign of Linux tools, both GNU command lin utiliti s and for nsic softwwar such
as th Sl uth Kit, can app ar daunting wh n a stud nt r aliz s that th y must try to r m mb r
multipl tools, outputs and command param t rs in ord r to x cut an ffo ctiv xamination
rath r that navigating a graphical m nu bas d for nsic tool wh r functions, options and
output ar display d in an organiz d “on click away” fashion.

Brian Carri r, author of The Sl uth Kit, utiliz s a fram work for storag d vic analysis
in his book Fil Syst m For nsic Analysis, which w m ntion d arli r. As a r sult of this
approach, Carri r organiz s his tools into a s ri s of virtual lay rs that d fien th purpos of
ach tool with r sp ct to application to a sp cifiec lay r. Conv ni ntly, th Sl uth Kit tools ar
nam d according to th s lay rs. By introducing tools in a giv n cat gory and d fiening th ir
r sp ctiv lay r m mb rship, stud nts can b tte r organiz th ir und rstanding of ach tool's
function and wh r it b st fiets in an analysis.

Theis approach can asily b xt nd d and xpand d to ncompass additional tools from
outsid Sl uth Kit. Whil som tools do not succinctly fiet in this paradigm, th y can still b
addr ss d in a s qu nc that fiets th ov rall analytical approach.

Theis has th add d b n fiet of giving stud nts a way of conc ptualizing th way tools ar
mploy d. The following fiegur provid s a graphical summary of th lay rs Carri r d signat s
for th analysis of vid nc .

206
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Illustration 5: An example of layers and their associated content based on Carrier's work

W hav a div rs s t of tools to work with in Linux, particularly wh r tackling an


analysis from th command lin is conc rn d. Knowing wh n to us what tools can b b tte r
m ntally organiz d by xt nding this lay r approach to our ntir analysis.

Und rstanding wh r particular tools fiet into this approach will h lp us to d fien wh n,
and for what purpos th y should b us d. W ’v alr ady cov r d a numb r of common tools
lik dd, dc3dd, hdparm, lsscsi, lshw and oth rs. The s ar xampl s of tools that work at th
physical media layer – looking dir ctly at physical m dia and disk information, including s rial
numb rs, disk s ctor siz s and th physical bus on which th m dia r sid s.

W ’v also look d at tools that act on th m dia manag m nt lay r, lik fdisk, gdisk,
kpartx and oth rs. The s tools act on information provid d at th partition tabl l v l, but
without sp cifiecally acting on th fiel syst ms th ms lv s.

As w progr ss through th r st of this guid , b awar that oftw n a tool’s plac in th


lay r approach is not d fien d by th tool its lf, but by how you us it. Tak grep for xampl .
grep looks for matching xpr ssions in a fiel . So w could say it works on th fiel sub lay r of
th Fil Syst m lay r (r f r to illustration 5 abov ). How v r, wh n w us it against a
for nsic imag of a physical disk (lik our able_3.raw fiel ), w ar not using it at th fiel lay r
of that imag , but at th physical layer of the image. I can grep for an xpr ssion in a s t of
fiel s, or I can grep for an xpr ssion in a disk imag . How I us th tool d fien s its plac , not
th tool its lf in many cas s.

So w n d to adjust our thinking on how w approach our analysis, k ping in mind


that th tool organization of th Sl uth Kit may not always dir ctly match our analysis
approach. But w can simpl y summariz it lik this:

1. Analyz th physical d vic :


- lsscsi, lshw, hdparm
2. Analyz th m dia manag m nt lay r:
- fdisk, gdisk, file (partition typ ), mmls (w ’ll cov r in th Sl uth Kit s ction)
3. Analyz th fiel syst m lay r:
- Sl uth Kit tools (fsstat, fls), file (fiel syst m typ )
4. Analyz th fiel sub lay r:

207
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

- file (fiel typ s), find (locat fiel s) grep (fiel nam atteribut s), common fiel syst m
tools (ls, tc.)
5. Analyz th application lay r:
- vi w fiel s cont nt with less, cat
- locat sp cifiec fiel cont nt with grep
- utiliz xt rnal application l v l tools to vi w fiel formats lik xv (or display) and
catdoc, tc. W will cov r additional sp cializ d tools for this lat r.

So you can s from th list abov that w can hav tools apply to s v ral diffo r nt
lay rs. Theis sp aks to th simplicity of th Unix d v lopm nt approach that has b n around
for d cad s. The tools g n rally do on thing, do it w ll, but can b v rsatil in th ir
mploym nt.

In summary, this all m ans that inst ad of taking th approach that w might normally
tak with multi-functional Windows for nsic softwwar :
• Op n a program
• Op n (or acquir ) an imag fiel with that program
• “Ind x” th imag fiel within th program
• Navigat th m nus, coll cting data and r porting it.

...w can now sit at a command prompt and st p through th various lay rs of our
xamination, coll cting and r dir cting information as w go, p ling through lay r by lay r of
our analysis until w r ach our conclusion. Inst ad of fumbling around th command lin , w
targ t our commands to th lay r w ar curr ntly xamining.

Sleuth Kit

The fierst of th advanc d xt rnal tools w will cov r h r is a coll ction of command lin tools
call d th Sl uth Kit (TSK). Theis is a suit of tools writte n by Brian Carri r and maintain d at
http://www.sleuthkit.org. It is partially bas d on The Coron r’s Toolkit (TCT) originally
writte n by Dan Farm r and Wi ts V n ma. TSK adds additional fiel syst m support and
allows you to analyz various fiel syst m typ s r gardl ss of th platform you ar curr ntly
working on. The curr nt v rsion, as of this writing is 4.4.x.

L t's start with a discussion of th tools fierst. Most of this information is r adily
availabl in th Sl uth Kit docum ntation or on th Sl uth Kit w bsit .

W ’v alr ady discuss d th TSK’s organization of tool function by lay rs. H r ’s a list of som
of th tools, and wh r th y fiet in (th lay rs d fien d h r ar som what diffo r nt from our
ov rall analytical approach).

 M dia manag m nt lay r – mmls, mmcat, mmstat


 Fil syst m lay r – fsstat
 Fil nam lay r (“Human Int rfac ”) – flss, ffinnd
 M ta data (inod ) lay r – icat, ils, ifignd, istat

208
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

 Cont nt (data) lay r – blkcalc, blkcat, blkls, blkstat

W also hav tools that addr ss physical disks and tools that addr ss th “journals” of som fiel
syst ms.

 Journal tools – jcat, jls


 fiel cont nt tools – hfignd, fcat

Notic that th commands that corr spond to th analysis of a giv n lay r g n rally
b gin with a common l tte r. For xampl , th fiel syst m command starts with fs and th
inod (m ta-data) lay r commands start with i and so on.

If th “lay r” approach r f r nc d abov s ms a littel confusing to you, you should


tak th tim to r ad TKS's tool ov rvi w at:

http://wiki.sleuthkit.org/index.php?title=TSK_Tool_Overview

The author do s a fien job of d fiening and d scribing th s lay rs and how th y fiet
tog th r for a for nsic analysis. Und rstanding that TSK tools op rat at diffo r nt lay rs is
xtr m ly important.

It should b not d h r that th output of ach tool is sp cifiecally tailor d to th fiel


syst m b ing analyz d. For xampl , th fsstat command is us d to print fiel syst m d tails.
The structur of th output and th d scriptiv fie lds chang d p nding on th targ t fiel
syst m. Theis will b com appar nt throughout th x rcis s.

In addition to th tools alr ady m ntion d, th r ar som misc llan ous tools includ d
with th Sl uth Kit that don't fall into th abov cat gori s:

• tsk_recover – r cov rs unallocat d (or all) fiel s from a fiel syst m.


• tsk_gettimes – cr at s a body fiel for tim lin s (fiel activity only)
• sorter – cat goriz s allocat d and unallocat d fiel s bas d on typ (imag s, x cutabl s,
tc). Extr m ly fla xibl and confiegurabl .
• img_cat – allows for th s paration of m ta-data and original data from imag fiel s
(m dia duplication, not pictur s).
• img_stat – provid s information about a for nsic imag . The information it provid s is
d p nd nt on th imag format (aff, ewf, etc.).
• hfind – hash lookup tool. Cr at s and s arch s an ind x d databas .
• sigfind - s arch s a giv n fiel (for nsic imag , disk, tc.) for a h x signatur at any
sp cifie d offos t (s ctor boundary). Us d for fiending data structur s
• mactime – cr at s a tim lin of fiel activity. Us ful for intrusion inv stigations wh r
t mporal r lationships ar critical.
• srch_strings – lik standard BSD strings command, but with th ability to pars
diffo r nt ncodings.

209
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Sleuth Kit Installation

W can install TSK simply with sboinstall:

root@forensic1:~$ sboinstall sleuthkit


...
Proceed with sleuthkit? [y]
...
Package sleuthkit-4.4.2-x86_64-1_SBo.tgz installed.
...

Wh n w install TSK using th SlackBuild through sboinstall, or if you install it


manually from sourc , you can watch th build proc ss. It should b not d that in ord r for
Sl uth Kit tools to hav built-in support for Exp rt Witn ss format imag s (EWF imag s), w
n d to hav libewf install d fierst. Theis is why w cov r d libewf and install d it arli r in
th docum nt. Whil th Sl uth Kit is confieguring its installation proc ss, it s arch s th
syst m for librari s that it supports. Unl ss it’s told not to includ sp cifiec capabiliti s, it will
compil its lf accordingly. In this cas , sinc w hav libewf and afflib alr ady install d,
TSK will b built with thos formats support d. Theis will allow us to work dir ctly on EWF
and AFF imag s.

Wh n th installation is fienish d, you will fiend th Sl uth Kit tools locat d in /usr/bin.

You can vi w a list of what was install d (and oth r packag information) by vi wing th fiel at
/var/log/packages/sleuthkit-<ver>_Sbo:

root@forensic1:~$ less /var/log/packages/sleuthkit-4.4.2-x86_64-1_SBo


PACKAGE NAME: sleuthkit-4.4.2-x86_64-1_SBo
...
usr/
usr/bin/
usr/bin/blkcalc
usr/bin/blkcat
usr/bin/blkls
usr/bin/blkstat
usr/bin/fcat
usr/bin/ffind
...

210
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Sleuth Kit Exercises

Theis s ction r mains on of th most popular s ctions of this docum nt, providing
hands on x rcis s for TSK and a sampl of its tools.

Lik all of th oth r x rcis s in this docum nt, I’d sugg st you follow along if you can.
Using th s commands on your own is th only way to r ally l arn th t chniqu s. R ad th
includ d man pag s and play with th options to obtain oth r output. The imag fiel s us d in
th following xampl s ar availabl for download, and som hav alr ady b n download d
and us d arli r in th guid .

The r ar a numb r of ways to tackl th following probl ms. In som cas s w ’ll us
affuse or ewfmount to provid fus mount d imag s from EWF fiel s or split fiel s. W ’ll do it
for practic h r , but f l fr to run th tools dir ctly on th imag fiel s th ms lv s (th r will
b d monstrations of both). Practic and xp rim nt.

W ’ll also us som of th old r imag fiel s that w r us d in pr vious v rsions of th


guid . Whil th imag s ar old and th fiel syst ms som what d pr cat d, w us th m h r
b caus th y provid a p rf ct v hicl for d monstrating tool usag . You’ll und rstand this a
bit mor as w progr ss. W can compar output on som of th n w r imag s and you’ll
und rstand th limitations.

For th following s t of x rcis s, w ’ll us th able2 imag , on of th old r but mor


ducational imag s w ’v us d. Cr at a dir ctory for th able2 imag and th n cd into th
dir ctory. As usual, download with wget and ch ck th hash, making sur it match s what w
hav h r :

barry@forensic1:~$ mkdir able2

barry@forensic1:~$ cd able2

barry@forensic1:~/able2$ wget http://www.linuxleo.com/Files/able2.tar.gz


...

barry@forensic1:~/able2$ sha1sum able2.tar.gz


a093ec9aed6054665b89aa82140803790be97a6e able2.tar.gz

Untar th imag and th n l t’s g t start d. G t your hands on th k yboard and follow
along.

211
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

barry@forensic1:~/able2$ tar tzf able2.tar.gz <-- List the contents


able2.dd
able2.log
md5.dd
md5.hdd

barry@forensic1:~/able2$ tar xzvf able2.tar.gz <-- Extract the contents


able2.dd
able2.log
md5.dd
md5.hdd

Sleuth Kit Exercise #1A – Deleted File Identifigcation and Recovery (ext2)

W will start with a look at a coupl of th fiel syst m and fiel nam lay r tools, fsstat
and fls, running th m against our able2 imag .

Part of th TSK suit of tools, mmls, provid s acc ss to th partition tabl within an
imag , and giv s th partition offos ts in s ctor units. mmls provid s much th sam
information as w g t from fdisk or gdisk.

barry@forensic1:~/able2$ mmls able2.dd


DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot Start End Length Description


000: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
001: ------- 0000000000 0000000056 0000000057 Unallocated
002: 000:000 0000000057 0000010259 0000010203 Linux (0x83)
003: 000:001 0000010260 0000112859 0000102600 Linux (0x83)
004: 000:002 0000112860 0000178694 0000065835 Linux Swap / Solaris x86
(0x82)
005: 000:003 0000178695 0000675449 0000496755 Linux (0x83)

For th sak of this analysis, th information w ar looking for is locat d on th root


partition (fiel syst m) of our imag . The root ( / ) fiel syst m is locat d on th s cond
partition. Looking at our mmls output, w can s that that partition starts at s ctor 10260
(actually numb r d 03 in th mmls output, or slot 000:001).

So, w run th Sl uth Kit fsstat command with -o 10260 to gath r fiel syst m
information at that offos t. Pip th output through less to pag through:

212
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

barry@forensic1:~/able2$ fsstat -o 10260 able2.dd | less


FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext2
Volume Name:
Volume ID: 906e777080e09488d0116064da18c0c4

Last Written at: 2003-08-10 14:50:03 (EDT)


Last Checked at: 1997-02-11 00:20:09 (EST)

Last Mounted at: 1997-02-13 02:33:02 (EST)


Unmounted Improperly
Last mounted on:

Source OS: Linux


Dynamic Structure
InCompat Features: Filetype,
Read Only Compat Features: Sparse Super,

METADATA INFORMATION
--------------------------------------------
Inode Range: 1 - 12881
Root Directory: 2
Free Inodes: 5807

CONTENT INFORMATION
--------------------------------------------
Block Range: 0 - 51299
Block Size: 1024
Reserved Blocks Before Block Groups: 1
Free Blocks: 9512
...

The fsstat command provid s typ sp cifiec information about th fiel syst m in a
volum . As pr viously not d, w ran th fsstat command abov with th option -o 10260.
Theis sp cifie s that w want information from th fiel syst m r siding on th partition that
starts at s ctor offos t 10260.

W can g t mor information using th fls command. fls lists th fiel nam s and
dir ctori s contain d in a fiel syst m, or in a dir ctory, if th m ta-data id ntifie r for a
particular dir ctory is pass d. The output can b adjust d with a numb r of options, to includ
gath ring information about d l t d fiel s. If you typ fls on its own, you will s th availabl
options (vi w th man pag for a mor compl t xplanation).

213
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

If you run th fls command with only th -o option to sp cify th fiel syst m, th n by
d fault it will run on th fiel syst m’s root dir ctory. Theis is inod 2 on an EXT fiel syst m and
MFT ntry 5 on an NTFS fiel syst m.

In oth r words, on an EXT fiel syst m, running:

barry@forensic1:~/able2$ fls -o 10260 able2.dd

AndN

barry@forensic1:~/able2$ fls -o 10260 able2.dd 2

...will r sult in th sam output. In th s cond command, th 2 pass d at th nd of th


command m ans “root dir ctory”(for EXT), which is th d fault in th fierst command.

So, in th following command, w run fls and only pass -o 10260. Theis r sults in a
listing of th cont nts of th root dir ctory:

barry@forensic1:~/able2$ fls -o 10260 able2.dd


d/d 11: lost+found
d/d 3681: boot
d/d 7361: usr
d/d 3682: proc
d/d 7362: var
d/d 5521: tmp
d/d 7363: dev
d/d 9201: etc
d/d 1843: bin
d/d 1844: home
d/d 7368: lib
d/d 7369: mnt
d/d 7370: opt
d/d 1848: root
d/d 1849: sbin
r/r 1042: .bash_history
d/d 11105: .001
d/d 12881: $OrphanFiles

The r ar s v ral points w want to tak not of b for w continu . L t's tak a f w
lin s of output and d scrib what th tool is t lling us. Hav a look at th last thr lin s from
th abov fls command.

214
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

...
r/r 1042: .bash_history
d/d 11105: .001
d/d 12881: $OrphanFiles

Each lin of output starts with two charact rs s parat d by a slash. Theis fie ld indicat s
th fiel typ as d scrib d by th fiel 's dir ctory ntry, and th fiel 's m ta-data (in this cas , th
inod b caus w ar looking at an EXT fiel syst m). For xampl , th fierst fiel list d in th
snipp t abov , .bash_history, is id ntifie d as a r gular fiel in both th fiel 's dir ctory and
inod ntry. Theis is not d by th r/r d signation. Conv rs ly, th following two ntri s (.001
and $OrphanFiles) ar id ntifie d as dir ctori s.

The n xt fie ld is th m ta-data ntry numb r (inod , MFT ntry, tc.) follow d by th
fiel nam . In th cas of th fiel .bash_history th inod is list d as 1042.

Not that th last lin of th output, $OrphanFiles is a virtual fold r cr at d by TSK


and assign d a virtual inod . Theis fold r contains virtual fiel ntri s that r pr s nt unallocat d
m ta data ntri s wh r th r ar no corr sponding fiel nam s. The s ar commonly r f rr d
to as “orphan fiel s”, which can b acc ss d by sp cifying th m ta data addr ss, but not
through any fiel nam path.

W can continu to run fls on dir ctory ntri s to dig d p r into th fiel syst m
structur (or us -r for a r cursiv listing). By passing th m ta data ntry numb r of a
dir ctory, w can vi w it's cont nts. R ad man fls for a look at som us ful f atur s. For
xampl , hav a look at th .001 dir ctory in th listing abov . Theis is an unusual dir ctory
and would caus som suspicion. It is hidd n (starts with a “.”), and no such dir ctory is
common in th root of th fiel syst m. So, to s th cont nts of th .001 dir ctory, w would
pass its inod to fls:

barry@forensic1:~/able2$ fls -o 10260 able2.dd 11105


r/r 2138: lolit_pics.tar.gz
r/r 11107: lolitaz1
r/r 11108: lolitaz10
r/r 11109: lolitaz11
r/r 11110: lolitaz12
r/r 11111: lolitaz13
r/r 11112: lolitaz2
r/r 11113: lolitaz3
r/r 11114: lolitaz4
r/r 11115: lolitaz5
r/r 11116: lolitaz6
r/r 11117: lolitaz7
r/r 11118: lolitaz8
r/r 11119: lolitaz9

215
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

The cont nts of th dir ctory ar list d. W will cov r commands to vi w and analyz
th individual fiel s lat r on.

fls can also b us ful for uncov ring d l t d fiel s. By d fault, fls will show both
allocat d and unallocat d fiel s. W can chang this b havior by passing oth r options. For
xampl , if w want d to s only d l t d ntri s that ar list d as fiel s (rath r than
dir ctori s), and w want th listing to b r cursiv , w could us th following command:

barry@forensic1:~/able2$ fls -o 10260 -Frd able2.dd


r/r * 11120(realloc): var/lib/slocate/slocate.db.tmp
r/r * 10063: var/log/xferlog.5
r/r * 10063: var/lock/makewhatis.lock
r/r * 6613: var/run/shutdown.pid
r/r * 1046: var/tmp/rpm-tmp.64655
r/r * 6609(realloc): var/catman/cat1/rdate.1.gz
r/r * 6613: var/catman/cat1/rdate.1.gz
r/r * 6616: tmp/logrot2V6Q1J
r/r * 2139: dev/ttYZ0/lrkn.tgz
d/r * 10071(realloc): dev/ttYZ0/lrk3
r/r * 6572(realloc): etc/X11/fs/config-
l/r * 1041(realloc): etc/rc.d/rc0.d/K83ypbind
l/r * 1042(realloc): etc/rc.d/rc1.d/K83ypbind
l/r * 6583(realloc): etc/rc.d/rc2.d/K83ypbind
l/r * 6584(realloc): etc/rc.d/rc4.d/K83ypbind
l/r * 1044: etc/rc.d/rc5.d/K83ypbind
l/r * 6585(realloc): etc/rc.d/rc6.d/K83ypbind
r/r * 1044: etc/rc.d/rc.firewall~
r/r * 6544(realloc): etc/pam.d/passwd-
r/r * 10055(realloc): etc/mtab.tmp
r/r * 10047(realloc): etc/mtab~
r/- * 0: etc/.inetd.conf.swx
r/r * 2138(realloc): root/lolit_pics.tar.gz
r/r * 2139: root/lrkn.tgz
-/r * 1055: $OrphanFiles/OrphanFile-1055
-/r * 1056: $OrphanFiles/OrphanFile-1056
-/r * 1057: $OrphanFiles/OrphanFile-1057
-/r * 2141: $OrphanFiles/OrphanFile-2141
-/r * 2142: $OrphanFiles/OrphanFile-2142
-/r * 2143: $OrphanFiles/OrphanFile-2143
...

In th abov command, w run th fls command against th partition in able2.dd


starting at s ctor offos t 10260 (-o 10260), showing only fiel ntri s (-F), d sc nding into
dir ctori s r cursiv ly (-r), and displaying d l t d ntri s (-d).

216
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Notic that all of th fiel s list d hav an ast risk ( *) b for th inod . Theis indicat s th
fiel is d l t d, which w xp ct in th abov output sinc w sp cifie d th -d option to fls.
W ar th n pr s nt d with th m ta-data ntry numb r (inod , MFT ntry, tc.) follow d by
th fiel nam .

Hav a look at th lin of output for inod numb r 2138 (root/lolit_pics.tar.gz).


The inod is follow d by realloc. K p in mind that fls d scrib s th figle name lay r. The
r alloc m ans that th fiel nam list d is mark d as unallocat d, v n though th m ta data
ntry (2138) is mark d as allocat d. In oth r wordsNth inod from our d l t d fiel may hav
b n “r allocat d” to a n w fiel .

According to Brian Carri r:

“Thee difference comes about because there is a figle name layer and a metadata layer. Every
figle has an entry in both layers and each entry has its own allocation status.

If a figle is marked as "deleted" then this means that both the figle name and metadata
entries are marked as unallocated. If a figle is marked as "realloc" then this means that its
figle name is unallocated and its metadata is allocated.

Thee latteer occurs if:


- Thee figle was renamed and a new figle name entry was created for the
figle, but the metadata stayed the same.
- NTFS resorted the names and the old copies of the name will be
"unallocated" even though the figle still exists. [not w ar curr ntly on an EXT fiel
syst m]
- Thee figle was deleted, but the metadata has been reallocated to a
new figle.

In the figrst two cases, the metadata correctly corresponds to the


deleted figle name. In the last case, the metadata may not correspond
to the name because it may instead correspond to a new figle.”

In th cas of inod 2138, it looks as though th r alloc was caus d by th fiel b ing
mov d to th dir ctory .001 (s th fls listing of .001 on th pr vious pag – inod 11105).
Theis caus s it to b d l t d from it's curr nt dir ctory ntry ( root/lolit_pics.tar.gz) and a
n w fiel nam cr at d (.001/lolit_pics.tar.gz). The inod and th data blocks that it
points to r main unchang d and in “allocat d status”, but it has b n “r allocat d” to th n w
nam .

L t's continu our analysis x rcis using a coupl of m ta data (inod ) lay r tools
includ d with th Sl uth Kit. In a Linux EXT typ fiel syst m, an inod has a uniqu numb r
and is assign d to a fiel . The numb r corr sponds to th inode table, allocat d wh n a partition
is formatte d. The inod contains all th m ta data availabl for a fiel , including th
modifie d/acc ss d/chang d (mac) tim s and a list of all th data blocks allocat d to that fiel .

217
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

If you look at th output of our last fls command, you will s a d l t d fiel call d
lrkn.tgz locat d in th /root dir ctory (th last fiel in th output of our fls command, b for
th list of orphan fiel s -r call that th ast risk indicat s it is d l t d):

...
r/r * 2139: root/lrkn.tgz
...

The inod display d by fls for this fiel is 2139. Theis sam inod also points to anoth r
d l t d fiel in /dev arli r in th output (sam fiel , diffo r nt location). W can fiend all th fiel
nam s associat d with a particular m ta data ntry by using th ffind command:

barry@forensic1:~/able2$ ffind -o 10260 -a able2.dd 2139


* /dev/ttYZ0/lrkn.tgz
* /root/lrkn.tgz

H r w s that th r ar two fiel nam s associat d with inod 2139, and both ar
d l t d, as not d again by th ast risk (th -a nsur s that w g t all th inod associations).

Continuing on, w ar going to us istat. R m mb r that fsstat took a figle system as


an argum nt and r port d statistics about that fiel syst m. istat do s th sam thing; only it
works on a sp cifie d inode or m ta data ntry. In NTFS, this would b an MFT ntry, for
xampl .

W us istat to gath r information about inod 2139:

barry@forensic1:~/able2$ istat -o 10260 able2.dd 2139 | less


inode: 2139
Not Allocated
Group: 1
Generation Id: 3534950564
uid / gid: 0 / 0
mode: rrw-r--r--
size: 3639016
num of links: 0

Inode Times:
Accessed: 2003-08-10 00:18:38 (EDT)
File Modified: 2003-08-10 00:08:32 (EDT)
Inode Modified: 2003-08-10 00:29:58 (EDT)
Deleted: 2003-08-10 00:29:58 (EDT)

Direct Blocks:

218
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

22811 22812 22813 22814 22815 22816 22817 22818


22819 22820 22821 22822 22824 22825 22826 22827
...

Theis r ads th inod statistics ( istat), on th fiel syst m locat d in th able2.dd imag
in th partition at s ctor offos t 10260 (-o 10260), from inod 2139 found in our fls command.
The r is a larg amount of output h r , showing all th inod information and th fiel syst m
blocks (“Dir ct Blocks”) that contain all of th fiel ’s data. W can ith r pip th output of
istat to a fiel for logging, or w can s nd it to less for vi wing.

K p in mind that th Sl uth Kit supports a numb r of diffo r nt fiel syst ms. istat
(along with many of th Sl uth Kit commands) will work on mor than just an EXT fiel syst m.
The d scriptiv output will chang to match th fiel syst m istat is b ing us d on. W will
s mor of this a littel lat r. You can s th support d fiel syst ms by running istat with -f
list.

barry@forensic1:~/able2$ istat -f list


Supported file system types:
ntfs (NTFS)
fat (FAT (Auto Detection))
ext (ExtX (Auto Detection))
iso9660 (ISO9660 CD)
hfs (HFS+)
ufs (UFS (Auto Detection))
raw (Raw Data)
swap (Swap Space)
fat12 (FAT12)
fat16 (FAT16)
fat32 (FAT32)
exfat (exFAT)
ext2 (Ext2)
ext3 (Ext3)
ext4 (Ext4)
ufs1 (UFS1)
ufs2 (UFS2)
yaffs2 (YAFFS2)

W now hav th nam of a d l t d fiel of int r st (from fls) and th inod


information, including wh r th data is stor d (from istat).

Now w ar going to us th icat command from TSK to grab th actual data


contain d in th data blocks r f r nc d from th inod . icat also tak s th inod as an
argum nt and r ads th cont nt of th data blocks that ar assign d to that inod , s nding it to
standard output. R m mb r, this is a deleted fiel that w ar r cov ring h r .

219
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

W ar going to s nd th cont nts of th data blocks assign d to inod 2139 to a fiel for
clos r xamination.

barry@forensic1:~/able2$ icat -o 10260 able2.dd 2139 > lrkn.tgz.2139

Theis runs th icat command on th fiel syst m in our able2.dd imag at s ctor offos t
10260 (-o 10260) and str ams th cont nts of th data blocks associat d with inod 2139 to
th fiel lrkn.tgz.2139. The fiel nam is arbitrary; I simply took th nam of th fiel from fls
and app nd d th inod numb r to indicat that it was r cov r d. Normally this output should
b dir ct d to som r sults or sp cifie d vid nc dir ctory.

Now that w hav what w hop is a r cov r d fiel , what do w do with it? Look at th
r sulting fiel with th file command:

barry@forensic1:~/able2$ file lrkn.tgz.2139


lrkn.tgz.2139: gzip compressed data, was "lrkn.tar", last modified: Sat Oct 3
09:04:08 1998, from Unix

Hav a look at th cont nts of th r cov r d archiv (pip th output through lessNit’s
long). R m mb r that th t option to th tar command lists th cont nts of th archiv .

barry@forensic1:~/able2$ tar tzvf lrkn.tgz.2139 | less


drwxr-xr-x lp/lp 0 1998-10-01 18:48 lrk3/
-rwxr-xr-x lp/lp 742 1998-06-27 11:30 lrk3/1
-rw-r--r-- lp/lp 716 1996-11-02 16:38 lrk3/MCONFIG
-rw-r--r-- lp/lp 6833 1998-10-03 05:02 lrk3/Makefile
-rw-r--r-- lp/lp 6364 1996-12-27 22:01 lrk3/README
-rwxr-xr-x lp/lp 90 1998-06-27 12:53 lrk3/RUN

W hav not y t xtract d th archiv , w 'v just list d its cont nts. Notic that th r
is a README fiel includ d in th archiv . If w ar curious about th cont nts of th archiv ,
p rhaps r ading th README fiel would b a good id a, y s? Rath r that xtract th ntir
cont nts of th archiv , w will go for just th README using th following tar command:

barry@forensic1:~/able2$ tar xzvfO lrkn.tgz.2139 lrk3/README > lrkn.2139.README


lrk3/README

The diffo r nc with this tar command is that w sp cify that w want th output s nt
to stdout (O [capital l tte r “oh”]) so w can r dir ct it. W also sp cify th nam of th fiel that

220
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

w want xtract d from th archiv (lrk3/README). Theis is all r dir ct d to a n w fiel call d
lrkn.2139.README.

If you r ad that fiel (us less), you will fiend that w hav uncov r d a “rootkit”, full of
programs us d to hid a hack r’s activity.

Bri flay, l t's look at a diffo r nt typ of fiel r cov r d by icat. The conc pt is th sam ,
but inst ad of xtracting a fiel , you can str am it's cont nts to stdout for vi wing. R call our
pr vious dir ctory listing of th .001 dir ctory at inod 11105:

barry@forensic1:~/able2$ fls -o 10260 able2.dd 11105


r/r 2138: lolit_pics.tar.gz
r/r 11107: lolitaz1
r/r 11108: lolitaz10
...

W can d t rmin th cont nts of th (allocat d) fiel with inod 11108, for xampl , by
using icat to str am th inod 's data blocks through a pip to th file command. W us th
“-” to indicat that file is g tteing its input from th pip :

barry@forensic1:~/able2$ icat -o 10260 able2.dd 11108 | file -


/dev/stdin: GIF image data, version 89a, 233 x 220

The output shows that w ar d aling with a pictur fiel . So w d cid to us th


display command to show us th cont nts. display is a us ful program as it will tak input
from stdin (from a pip ). Theis is particularly us ful with th icat command.

barry@forensic1:~/able2$ icat -o 10260 able2.dd 11108 | display

Theis r sults in an imag op ning in a window, assuming you ar running in a graphical


nvironm nt and hav ImageMagick install d, which provid s th display utility.

221
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Sleuth Kit Exercise #1B – Deleted File Identifigcation and Recovery (ext4)

The pr vious x rcis is a good prim r for l arning how to run TSK commands against
a for nsic imag and id ntify and xtract fiel s. W us an old r for nsic imag of an xt2 fiel
syst m b caus it allows us to run th full cours of id ntifiecation and xtraction tools
provid d by TSK. W can do this b caus xt2 fiel s that ar d l t d still hav nough
information in th ir associat d fiel syst m m tadata (“inod ” for xt fiel syst ms) to b abl to
r cov r th fiel . As you will s in th coming pag s, this has chang d for th xt4 fiel syst m.
As it has b n mad cl ar in th past, this is not m ant to b an ducation on fiel syst ms in
g n ral. Rath r, th purpos h r is to highlight th tools and how you can xp ct diffo r nt
output bas d on th fiel syst m b ing us d. W also want to nsur that th limitations of our
tools ar known. W r you to l arn TSK on an xt2 fiel syst m, you might xp ct it to work in
xactly th sam way on xt4. Theis is not th cas , and this x rcis illustrat s that. It is on of
th primary r asons why th able_3 imag was add d to our probl m s t.

So now w ar going to roughly r plicat th sam analysis as th pr vious x rcis , but


this tim xamining an xt4 fiel syst m in th able_3 imag . W ’ll b bri f in th xplanation
of th commands, sinc th y ar larg ly th sam as thos w ran in x rcis 1A. R vi w that
x rcis and mak sur you ar familiar with th commands us d b for proc ding h r . The
fiel s b ing r cov r d ar th sam , but th ir plac m nt diffo rs a bit from th able2 imag .

First w n d to d cid how w want to acc ss our imag fiel . The able_3 disk imag ,
as it was download d, is a s t of four split imag s. As w ’v don b for , you could us affuse
to mount th splits as a singl imag and v n us kpartx to s parat th partitions. But sinc
th Sl uth Kit supports analysis of split imag fiel s, w ’ll go ah ad and just l av th m as is.
You can us th img_stat command from TSK to docum nt this.

Start by changing into th able_3 dir ctory w cr at d pr viously for our imag fiel s,
run img_stat to s th split fiel support and run mmls to id ntify th partitions. Wh n using
TSK on split imag s, w only n d to provid th fierst imag fiel in th s t (th sam rul holds
for EWF fiel s – you only provid th fierst fiel nam in th s t):

222
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

barry@forensic1:~/able_3$ img_stat able_3.000


IMAGE FILE INFORMATION
--------------------------------------------
Image Type: raw

Size in bytes: 4294967296

--------------------------------------------
Split Information:
able_3.000 (0 to 1073741823)
able_3.001 (1073741824 to 2147483647)
able_3.002 (2147483648 to 3221225471)
able_3.003 (3221225472 to 4294967295)

barry@forensic1:~/able_3$ mmls able_3.000


GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

Slot Start End Length Description


000: Meta 0000000000 0000000000 0000000001 Safety Table
001: ------- 0000000000 0000002047 0000002048 Unallocated
002: Meta 0000000001 0000000001 0000000001 GPT Header
003: Meta 0000000002 0000000033 0000000032 Partition Table
004: 000 0000002048 0000104447 0000102400 Linux filesystem
005: 001 0000104448 0000309247 0000204800 Linux filesystem
006: ------- 0000309248 0000571391 0000262144 Unallocated
007: 002 0000571392 0008388574 0007817183 Linux filesystem
008: ------- 0008388575 0008388607 0000000033 Unallocated

Sinc our purpos h r it to highlight th diffo r nc s b tw n th xamination of this


imag s t vs. th able2 imag , rath r than s arch ach partition individually w will just focus
on th /home partition. R call from our fiel syst m r construction x rcis that th partition
us d for th /home dir ctory on th able_3 imag is th partition at offos t 104448 (bold for
mphasis abov ).

Run fsstat on that partition to id ntify th fiel syst m typ and information. You
might want to pip th output through less for asi r vi wing:

barry@forensic1:~/able_3$ fsstat -o 104448 able_3.000 | less


FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext4
Volume Name:
Volume ID: 7273603b5810169e264dded90f4cacc4

223
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Last Written at: 2017-05-25 15:20:50 (EDT)


Last Checked at: 2017-05-06 16:49:45 (EDT)

Last Mounted at: 2017-05-25 15:10:23 (EDT)


Unmounted properly
Last mounted on: /home
...

H r w s w ar xamining an xt4 fiel syst m that was mount d on /home. Run a


quick fls command to vi w th root l v l cont nts of this partition:

barry@forensic1:~/able_3$ fls -o 104448 able_3.000


d/d 11: lost+found
d/d 12: ftp
d/d 13: albert
d/d 25689: $OrphanFiles

You can s th r ar f w ntri s h r . You could start digging down by providing th


inod to th flss command for th cont nts of individual dir ctori s, but inst ad w ’ll simply do
a r cursiv flss.

barry@forensic1:~/able_3$ fls -o 104448 -r able_3.000


d/d 11: lost+found
d/d 12: ftp
d/d 13: albert
+ d/d 14: .h
++ r/d * 15(realloc): lolit_pics.tar.gz
++ r/r * 16(realloc): lolitaz1
++ r/r * 17: lolitaz10
++ r/r * 18: lolitaz11
++ r/r * 19: lolitaz12
++ r/r 20: lolitaz13
++ r/r * 21: lolitaz2
++ r/r * 22: lolitaz3
++ r/r * 23: lolitaz4
++ r/r * 24: lolitaz5
++ r/r * 25: lolitaz6
++ r/r * 26: lolitaz7
++ r/r * 27: lolitaz8
++ r/r * 28: lolitaz9
+ d/d 15: Download
++ r/r 16: index.html
++ r/r * 17: lrkn.tar.gz
d/d 25689: $OrphanFiles

224
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

You can s som familiar fiel s in this output. W s th lolitaz fiel s w saw in th
.001 dir ctory on able2, and w also s th lrkn.tar.gz fiel w r cov r d and xtract d th
README from. For this x rcis , w will b int r st d in th lolitaz fiel s. The lrkn.tar.gz
cont nts will com lat r. You’ll notic that th majority of th fiel s r sid in an allocat d (not
d l t d) dir ctory call d .h and ar d l t d fiel s (signifie d by th ast risk *). The r is a singl
allocat d fiel in that dir ctory call d lolitaz13. Compar th output of istat and a follow-
up icat command b tw n th allocat d fiel lolitaz13 (inod 20), and on of th d l t d fiel s
- w ’ll us lolitaz2 (inod 21). For th icat command, w ’ll pip th output to our h x
vi w r xxd and look at th fierst fiev lin s with head -n 5. H r ’s th output of both:

barry@forensic1:~/able_3$ istat -o 104448 able_3.000 20


inode: 20
Allocated
Group: 0
Generation Id: 1815721463
uid / gid: 1000 / 100
mode: rrw-r--r--
Flags: Extents,
size: 15045
num of links: 1

Inode Times:
Accessed: 2017-05-08 00:18:16 (EDT)
File Modified: 2003-08-03 19:15:07 (EDT)
Inode Modified: 2017-05-08 00:18:16 (EDT)

Direct Blocks:
9921 9922 9923 9924 9925 9926 9927 9928
9929 9930 9931 9932 9933 9934 9935

barry@forensic1:~/able_3$ icat -o 104448 able_3.000 20 | xxd | head -n 5


00000000: ffd8 ffe0 0010 4a46 4946 0001 0100 0001 ......JFIF......
00000010: 0001 0000 ffdb 0043 0008 0606 0706 0508 .......C........
00000020: 0707 0709 0908 0a0c 140d 0c0b 0b0c 1912 ................
00000030: 130f 141d 1a1f 1e1d 1a1c 1c20 242e 2720 ........... $.'
00000040: 222c 231c 1c28 3729 2c30 3134 3434 1f27 ",#..(7),01444.'

The int r sting output of istat is highlight d in r d. W can s that th inod is


allocat d and th data can b found in th dir ct blocks sp cifie d at th botteom. Wh n vi w d
with xxd and head w s th xp ct d signatur of a JPEG imag .

N and now for unallocat d inod 21:

225
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

barry@forensic1:~/able_3$ istat -o 104448 able_3.000 21


inode: 21
Not Allocated
Group: 0
Generation Id: 1815721464
uid / gid: 1000 / 100
mode: rrw-r--r--
Flags: Extents,
size: 0
num of links: 0

Inode Times:
Accessed: 2017-05-08 00:18:16 (EDT)
File Modified: 2017-05-08 00:22:58 (EDT)
Inode Modified: 2017-05-08 00:22:58 (EDT)
Deleted: 2017-05-08 00:22:58 (EDT)

Direct Blocks:

barry@forensic1:~/able_3$ icat -o 104448 able_3.000 21 | xxd | head -n 5


<no output>

H r w hav a diffo r nt outcom . Inod 21 points to an unallocat d fiel . On an xt4


fiel syst m, wh n an inod is unallocat d th ntry for th Direct Blocks is cl ar d. The r is
no long r a point r to th data, so commands lik icat will not work. R m mb r that icat
works at th inod (fiel m ta-data) lay r. The icat command us s th information found in
th inod to r cov r th fiel . In this cas th r is non .

Theis do s not m an w cannot r cov r th data that was th r . On th contrary, th r


ar a numb r of t chniqu s w can us to atte mpt to r cov r th d l t d fiel s. But in this cas
it b com s far mor difficcult to r cov r th data and associat it with a particular fiel nam and
inod information. Whil this sort of for nsic analysis is outsid th scop of our x rcis , it
do s highlight th diffo r nc b tw n using th s tools on two diffo r nt fiel syst ms. And that
is th point: Know your tools, th ir capabiliti s, and th ir limits.

Wh n w t st tools for for nsic us , it is not nough to say “X tool do s not work on Y
fiel syst m”. You should und rstand why. In this cas it would b accurat to say that “ icat
works as xp ct d on an xt4 fiel syst m, but is of limit d us on d l t d ntri s”. B sur to
und rstand th diffo r nc , and t st your tools!

Sleuth Kit Exercise #2A – Physical String Search & Allocation Status (ext2)

W did a v ry basic r cov ry of a physical string s arch on our fat_fs.raw fiel syst m
imag arli r in this docum nt. Theis x rcis is m ant to tak som of what w l arn d th r
and apply it to a mor compl x disk imag with additional chall ng s. In a normal

226
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

xamination you ar going to want to fiend out (if possibl ) what fiel a positiv string s arch
r sult b long d to and wh th r or not that fiel is allocat d or unallocat d. Theat is th purpos
of this x rcis .

Ex rcis s lik this highlight v ry cl arly th b n fiet of l arning digital for nsics with
tools lik th Sl uth Kit. Unlik most GUI for nsic tools with m nus and multipl windows,
TSK forc s you to und rstand th s conc pts b hind th tools. You cannot us TSK without
und rstanding which tools to us and wh n. Without knowing th conc pts b hind th tools,
you don't g t v ry far.

Back to our able2 imag . Theis tim w ar going to do a s arch for a singl string in
able2.dd. In this cas w will s arch our imag for th k yword Cybernetik. Chang to th
dir ctory containing our able2.dd imag and us grep to s arch for th string:

barry@forensic1:~/able2$ grep -abi cybernetik able2.dd


10561603: * updated by Cybernetik for linux rootkit
55306929:Cybernetik proudly presents...
55312943:Email: cybernetik@nym.alias.net
55312975:Finger: cybernetik@nym.alias.net

R call that our grep command is taking th fiel able2.dd tr ating it as a t xt fiel (-a)
and s arching for th string cybernetik. The s arch is cas -ins nsitiv (-i) and will output
th byt offos t of any match s (-b).

Our output shows that th fierst match com s at byt offos t 10561603. Lik w did in
our fierst string s arch x rcis , w ar going to quickly vi w th match by using our h x
vi w r xxd and using th -s option to provid th offos t giv n by grep. W will also us th
head command to indicat that w only want to s a sp cifiec numb r of lin s, in this cas just
5 (-n 5). W just want to g t a quick look at th cont xt of th match b for proc ding.

barry@forensic1:~/able2$ xxd -s 10561603 able2.dd | head -n 5


00a12843: 202a 0975 7064 6174 6564 2062 7920 4379 *.updated by Cy
00a12853: 6265 726e 6574 696b 2066 6f72 206c 696e bernetik for lin
00a12863: 7578 2072 6f6f 746b 6974 0a20 2a2f 0a0a ux rootkit. */..
00a12873: 2369 6e63 6c75 6465 203c 7379 732f 7479 #include <sys/ty
00a12883: 7065 732e 683e 0a23 696e 636c 7564 6520 pes.h>.#include

W also hav to k p in mind that what w hav found is th offos t to th match in th


ntir disk (able2.dd is a full disk imag ), not in a sp cifiec fiel syst m. In ord r to us th
Sl uth Kit tools, w n d to hav a fiel syst m to targ t.

227
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

L t's fiegur out which partition (and fiel syst m) th match is in. Us bc to calculat
which s ctor of th imag and th r for th original disk th k yword is in. Each s ctor is 512
byt s, so dividing th byt offos t by 512 t lls us which s ctor:

barry@forensic1:~/able2$ echo "10561603/512" | bc


20628

The Sl uth Kit's mmls command giv s us th offos t to ach partition in th imag :

barry@forensic1:~/able2$ mmls able2.dd


DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot Start End Length Description


000: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
001: ------- 0000000000 0000000056 0000000057 Unallocated
002: 000:000 0000000057 0000010259 0000010203 Linux (0x83)
003: 000:001 0000010260 0000112859 0000102600 Linux (0x83)
004: 000:002 0000112860 0000178694 0000065835 Linux Swap/Solaris x86 (0x82)
005: 000:003 0000178695 0000675449 0000496755 Linux (0x83)

From th output of mmls abov , w s that our calculat d s ctor, 20628, falls in th
s cond partition (b tw n 10260 and 112859). The offos t to our fiel syst m for th Sl uth Kit
commands will b 10260.

228
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

The probl m is that th offos t that w hav is th k yword's offos t in th disk image, not
in th fiel syst m (which is what th volum data block is associat d with). So w hav to
calculat th offos t to th fiel AND th offos t to th partition that contains th fiel . The offos t
to th partition is simply a matte r of multiplying th s ctor offos t by th siz of th s ctor for
our fiel syst m:

barry@forensic1:~/able2$ echo "10260*512" | bc


5253120

The diffo r nc b tw n th two is th volume offset of th k yword hit, inst ad of th


physical disk (or imag ) offos t.

barry@forensic1:~/able2$ echo "10561603-5253120" | bc


5308483

229
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Now w know th offos t to th k yword within th actual volum , rath r than th


ntir imag . L t's fiend out what inod (m ta-data unit) points to th volum data block at that
offos t. To fiend which inod this b longs to, w fierst hav to calculat th volum data block
addr ss. Look at th Sl uth Kit's fsstat output to s th numb r of byt s p r block. W n d
to run fsstat on th fiel syst m at s ctor offos t 10260:

barry@forensic1:~/able2$ fsstat -o 10260 able2.dd


FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext2
...

CONTENT INFORMATION
--------------------------------------------
Block Range: 0 - 51299
Block Size: 1024
...

The abbr viat d fsstat output abov shows us (highlight d in bold) that th data
blocks within th volum ar 1024 byt s ach. If w divid th volum offos t by 1024, w
id ntify th data block that holds th k yword hit.

barry@forensic1:~/able2$ echo "5308483/1024" | bc


5184

H r ar our calculations, summariz d:


◦ offos t to th string in th disk imag (from our grep output): 10561603
◦ offos t to th partition that contains th fiel : 10260 s ctors * 512 byt s p r s ctor
◦ offos t to th string in th partition is th diffo r nc b tw n th two abov numb rs.
◦ th data block is th offos t in th fiel syst m divid d by th block siz , (data unit
siz ) 1024, from our fsstat output.

230
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

In short, our calculation, taking into account all th illustrations abov , is simply:

barry@forensic1:~/able2$ echo "(10561603-(10260*512))/1024" | bc


5184

Not that w us par nth s s to group our calculations. W fiend th byt offos t to th
fiel syst m fierst (10260*512), subtract that from th offos t to th string (10561603) and th n
divid th whol thing by th data unit siz (1024) obtain d from fsstat. Theis (5184) is our
data unit (not th inod !) that contains th string w found with grep. V ry quickly, w can
asc rtain its allocation status with th Sl uth Kit command blkstat:

barry@forensic1:~/able2$ blkstat -o 10260 able2.dd 5184


Fragment: 5184
Not Allocated
Group: 0

The command blkstat tak s a data block from a fiel syst m and t lls us what it can
about its status and wh r it b longs. W ’ll cov r th TSK blk tools in mor d tail lat r. So in
this cas , blkstat t lls us that our k y word s arch for th string cybernetik r sult d in a
match in an unallocat d block. Now w us ifind to t ll us which inod (m ta-data structur )
points to data block 5184 in th s cond partition of our imag :

barry@forensic1:~/able2$ ifind -o 10260 -d 5184 able2.dd


10090

Exc ll nt! The inod that holds th k yword match is 10090. Now w us istat to giv
us th statistics of that inod :

231
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

barry@forensic1:~/able2$ istat -o 10260 able2.dd 10090


inode: 10090
Not Allocated
Group: 5
Generation Id: 3534950782
uid / gid: 4 / 7
mode: rrw-r--r--
size: 3591
num of links: 0

Inode Times:
Accessed: 2003-08-10 00:18:36 (EDT)
File Modified: 1996-12-25 16:27:43 (EST)
Inode Modified: 2003-08-10 00:29:58 (EDT)
Deleted: 2003-08-10 00:29:58 (EDT)

Direct Blocks:
5184 5185 5186 5187

From th istat output w s that inod 10090 is unallocat d (sam as blkstat told us
about th data unit). Not also that th fierst dir ct block indicat d by our istat output is
5184, just as w calculat d.

W can g t th data from th dir ct blocks of th original fiel by using icat -r. Pip
th output through less so that w can r ad it asi r. Not that our k yword is right th r at
th top:

barry@forensic1:~/able2$ icat -o 10260 able2.dd 10090 | less


/*
* fixer.c
* by Idefix
* inspired on sum.c and SaintStat 2.0
* updated by Cybernetik for linux rootkit
*/

#include <sys/types.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <stdio.h>
...

At this point, w hav r cov r d th data w w r looking for. W can run our icat
command as abov again, this tim dir cting th output to a fiel (as w did with th rootkit fiel
from our pr vious r cov ry x rcis ). W ’ll do that h r for possibl lat r r f r nc :

232
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

barry@forensic1:~/able2$ icat -o 10260 able2.dd 10090 > 10090.recover

barry@forensic1:~/able2$ ls -l 10090.recover
-rw-r--r-- 1 barry users 3591 May 28 13:25 10090.recover

barry@forensic1:~/able2$ md5sum 10090.recover


c3b01f91d3fa72b1b951e6d6d45c7d9a 10090.recover

On additional not : th Sl uth Kit provid s a virtual dir ctory that contains ntri s for
orphan figles. As w pr viously not d, in our discussion of th fls command, th s fiel s ar th
r sult of an inod containing fiel data having no fiel nam (dir ctory ntry) associat d with it.
Sl uth Kit organiz s th s in th virtual $OrphanFiles dir ctory. Theis is a us ful f atur
b caus it allows us to id ntify and acc ss orphan fiel s from th output of th fls command.

In this x rcis , w d t rmin d through our calculations that w w r looking for th


cont nts of inod 10090. The Sl uth Kit command ffind can t ll us th fiel nam associat d
with an inod . H r , w ar provid d with th $OrphanFiles ntry:

barry@forensic1:~/able2$ ffind -o 10260 able2.dd 10090


* /$OrphanFiles/OrphanFile-10090

R m mb r that various fiel syst ms act v ry diffo r ntly. W ’ll continu to xplor th
diffo r nc s b tw n xt2 and xt4 h r in th n xt x rcis . Much lik TSK x rcis #1, w ar
going to do th sam s t of st ps on th able_3 imag and s what w g t.

Sleuth Kit Exercise #2B – Physical String Search & Allocation Status (ext4)

Much lik TSK x rcis #1, w ar going to r p at our st ps h r for th xt4 imag in
able_3.000. Again, w ar illustrating th diffo r nc s in output for our tools bas d on th
typ of fiel syst m b ing analyz d so that w can r cogniz th diffo r nc fiel syst m b havior
mak s in our output. No diagrams this tim . You should b familiar with th commands w
ar going to us h r . The goal is to show th output w can xp ct at th nd, and how w
can p rhaps d al with it.

Chang back into th able_3/ dir ctory wh r th able_3 imag s t is stor d. In th


able2 x rcis w did a full disk s arch for th t rm cybernetik. In this cas w hav a s t of
split imag s. W know th Sl uth Kit tools work on th split fiel s, but how do I grep th ntir
disk wh n I hav split imag s? As w m ntion d in our pr vious able_3 x rcis , w can us
affuse to provid a fus mount d full disk imag for us. In this cas , how v r, I don’t n d a
full disk imag xc pt for th grep command. And sinc grep will tak input from stdin
(through a pip ), why not just str am th imag s through a pip to grep so th y app ar as a
singl imag ? Theat is what w do h r , s arching for th sam t rm as w did b for :

233
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

barry@forensic1:~/able_3$ cat able_3.00* | grep -abi cybernetik


429415089:Cybernetik proudly presents...
429422127:Email: cybernetik@nym.alias.net
429422159:Finger: cybernetik@nym.alias.net
1632788547: * updated by Cybernetik for linux rootkit
2934551933:23140 Cybernetik.net

W us th cat command to str am our split fiel s to grep for our s arch. Theis is no
diffo r nt that r constructing th fiel (cr ating a singl imag with cat >), but inst ad w just
pass th output of cat straight to grep. The r sults ar slightly diffo r nt from our able2
s arch, but w ar going to conc ntrat on th sam match w us d for our able2 xt2
x rcis . Theat would b th k yword hit at 1632788547.

R m mb r our st ps from h r . W n d to calculat th offos t in s ctors (divid by


512), th n calculat th offos t to th volum w found th k yword in, and th n subtract th
volum offos t from th k yword offos t to fiend th offos t to th string in th volum . Mak sur
w calculat using th corr ct block siz for th fiel syst m. R m mb r w ar working with
data blocks h r . The ffstat command will giv you th prop r siz for this fiel syst m.

W nd up with th numb rs b low. R vi w th pr vious x rcis if you hav any


qu stions on th st ps tak n:

barry@forensic1:~/able_3$ echo $((1632788547/512))


3189040

barry@forensic1:~/able_3$ mmls able_3.000


GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

Slot Start End Length Description


000: Meta 0000000000 0000000000 0000000001 Safety Table
001: ------- 0000000000 0000002047 0000002048 Unallocated
002: Meta 0000000001 0000000001 0000000001 GPT Header
003: Meta 0000000002 0000000033 0000000032 Partition Table
004: 000 0000002048 0000104447 0000102400 Linux filesystem
005: 001 0000104448 0000309247 0000204800 Linux filesystem
006: ------- 0000309248 0000571391 0000262144 Unallocated
007: 002 0000571392 0008388574 0007817183 Linux filesystem
008: ------- 0008388575 0008388607 0000000033 Unallocated

barry@forensic1:~/able_3$ fsstat -o 571392 able_3.000 | less


FILE SYSTEM INFORMATION
--------------------------------------------

234
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

File System Type: Ext4


...
CONTENT INFORMATION
--------------------------------------------
Block Groups Per Flex Group: 16
Block Range: 0 - 977146
Block Size: 4096
...
barry@forensic1:~/able_3$ echo "(1632788547-(571392*512))/4096" | bc
327206

W ’r r ady to run our blkstat command to fiend out if our k yword hit is in a block
assign d to an allocat d inod :

barry@forensic1:~/able_3$ blkstat -o 571392 able_3.000 327206


Fragment: 327206
Not Allocated
Group: 9

So th block is unallocat d. L t’s now s if w can fiend what inod this unallocat d
block b long d to:

barry@forensic1:~/able_3$ ifind -o 571392 -d 327206 able_3.000


Inode not found

And th r ’s our answ r. The inod cannot b found. Again this is b caus th inod s in
xt4 that ar unallocat d hav th dir ct block point rs d l t d. The ifind command is
s arching for a point r to th data unit (-d) 327206.

All is not lost, though. Inst ad of using icat to xtract that data blocks point d to by
an inod , w can inst ad us blkcat to dir ctly str am th cont nts of a data block. hav a
look b low. W ’ll us blkcat and r dir ct to a fiel :

barry@forensic1:~/able_3$ blkcat -o 571392 able_3.000 327206 > blk.327206

barry@forensic1:~/able_3$ ls -l blk.327206
-rw-r--r-- 1 barry users 4096 May 28 13:50 blk.327206

Look at th fiel with cat or less. you’ll s it is th sam fiel as th on w r cov r d


from able2. It has som garbag at th nd, though. Why is that? R m mb r wh n w
r cov r d this sam fiel from able2 with icat? icat had th information it n d d to do a
compl t r cov ry of th corr ct data. W don’t hav that h r , and all w did was str am

235
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

(“block cat”) a singl block of data (that w know is 4096 byt s from our fsstat output) and
sav th whol thing. R m mb r our output from th able2 x rcis prior to this:

barry@forensic1:~/able2$ ls -l 10090.recover
-rw-r--r-- 1 barry users 3591 May 28 13:25 10090.recover

barry@forensic1:~/able2$ md5sum 10090.recover


c3b01f91d3fa72b1b951e6d6d45c7d9a 10090.recover

The abov is from th able2 disk imag (s th prompt? W ar in th able2


dir ctory). Look at th siz of th fiel . 3591 byt s. Now, r alistically w would not hav this
information availabl for us in a r al xam, but just for fun, l t us s if w can mak th fiel s
match using th siz of th fiel from our able2 r cov ry as a go-by. Sinc th fiel from able_3
is bigg r, w can us dd to cut th corr ct data from it. The fiel is curr ntly 4096 byt s in siz .
W n d it to b 3591 byt s:

barry@forensic1:~/able_3$ dd if=blk.327206 bs=1 count=3591 > 327206.recover


3591+0 records in
3591+0 records out
3591 bytes (3.6 kB, 3.5 KiB) copied, 0.00947136 s, 379 kB/s

barry@forensic1:~/able_3$ md5sum 327206.recover


c3b01f91d3fa72b1b951e6d6d45c7d9a 327206.recover

barry@forensic1:~/able_3$ md5sum ../able2/10090.recover


c3b01f91d3fa72b1b951e6d6d45c7d9a ../able2/10090.recover

Look at that! The md5sum of th fiel w r cov r d from able2 with icat now match s
th fiel w r cov r d using blkcat in able_3. Again, not quit r alistic, but it s rv s to
illustrat xactly what data w ar g tteing and why. Hop fully th r is som ducational valu
for you th r .

Sleuth Kit Exercise #3 – Unallocated Extraction & Examination

As th siz of m dia b ing xamin d continu s to grow, it is b coming appar nt to


many inv stigators that data r duction t chniqu s ar mor important than v r. The s
t chniqu s tak on s v ral forms, including hash analysis (r moving known “good” fiel s from a
data s t, for xampl ) and s parating allocat d spac in an imag from unallocat d spac ,
allowing th m to b s arch d s parat ly with sp cializ d tools. W will b doing th latte r in
this x rcis .

The blkcat command w us d arli r is a m mb r of th Sl uth Kit s t of tools for


handling information at th “block” lay r of th analysis mod l. The block lay r consists of th

236
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

actual fiel syst m blocks that hold th information w ar s king. The y ar not sp cifiec to
unallocat d data only, but ar sp cially us ful for working on unallocat d blocks that hav
b n xtract d from an imag . The tools that manipulat this lay r, as you would xp ct, start
with blk and includ :

blkls
blkcalc
blkstat
blkcat

W will b focusing on blkls, blkcalc and blkstat for th n xt coupl of x rcis s.

The tool that starts us offo h r is blkls. Theis command “lists all th data blocks”. If you w r
to us th -e option, th output would b th sam as th output of dd for that volum , sinc -
e t lls blkls to copy “ v ry block”. How v r, by d fault, blkls will only copy out th
unallocat d blocks of an imag .

Theis allows us to s parat allocat d and unallocat d blocks in our fiel syst m. W can
us logical tools (find, ls, tc.) on th “liv ” fiel s in a mount d fiel syst m, and conc ntrat
data r cov ry ffoorts on only thos blocks that may contain d l t d or oth rwis unallocat d
data. Conv rs ly, wh n w do a physical s arch of th output of blkls, w can b sur that
artifacts found ar from unallocat d cont nt.

To illustrat what w ar talking about h r , w 'll run th sam x rcis w did in TSK
Ex rcis #2A, this tim xtracting th unallocat d data from our volum of int r st and
comparing th output from th whol volum analysis vs. just unallocat d analysis. So, w 'll
b working on th able2.dd imag . W xp ct to g t th sam r sults w did in Ex rcis #2A,
but this tim by analyzing only th unallocat d spac , and th n associating th r cov r d data
with its original location in th full disk imag .

First w 'll n d to chang into th dir ctory containing our able2.dd imag . The n w
ch ck th partition tabl and d cid which volum w 'll b xamining so w know th -o
(offos t) valu from for our Sl uth Kit commands. To do this, w run th mmls command as
b for :

barry@forensic1:~/able2$ mmls able2.dd


DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot Start End Length Description


000: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
001: ------- 0000000000 0000000056 0000000057 Unallocated
002: 000:000 0000000057 0000010259 0000010203 Linux (0x83)
003: 000:001 0000010260 0000112859 0000102600 Linux (0x83)

237
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

004: 000:002 0000112860 0000178694 0000065835 Linux Swap / Solaris x86


(0x82)
005: 000:003 0000178695 0000675449 0000496755 Linux (0x83)

As with Ex rcis #2, w 'v d cid d to s arch th unallocat d spac in th s cond Linux
partition (at offos t 10260, in bold abov ).

W run th blkls command using th offos t option -o which indicat s what partition's
fiel syst m w ar xporting th unallocat d spac from. W th n r dir ct th output to a n w
fiel that will contain only th unallocat d blocks of that particular volum .

barry@forensic1:~/able2$ blkls -o 10260 able2.dd > able2.blkls

barry@forensic1:~/able2$ ls -lh able2.blkls


-rw-r--r-- 1 barry users 9.3M May 28 14:44 able2.blkls

In th abov command, w ar using blkls on th s cond partition (-o 10260) within


th able2.dd imag , and r dir cting th output to a fiel call d able2.blkls. The fiel
able2.blkls will contain only th unallocat d blocks from th targ t fiel syst m. In this cas
w nd up with a fiel that is 9.3M in siz .

Now, as w did in our pr vious analysis of this fiel syst m (Ex rcis #2) w will us
grep, this tim on th extracted unallocated space, our able2.blkls fiel , to s arch for our t xt
string of int r st. R ad back through Ex rcis #2 if you n d a r fr sh r on th s commands.

barry@forensic1:~/able2$ grep -abi cybernetik able2.blkls


1631299: * updated by Cybernetik for linux rootkit
9317041:Cybernetik proudly presents...
9323055:Email: cybernetik@nym.alias.net
9323087:Finger: cybernetik@nym.alias.net

The grep command abov now t lls us that w hav found th string cybernetik at
four diffo r nt offos ts in th xtract d unallocat d spac . W will conc ntrat on th fierst hit.
Of cours th s ar diffo r nt from th offos ts w found in Ex rcis #2 b caus w ar no long r
s arching th ntir original imag .

So th n xt obvious qu stion is “so what?”. W found pot ntial vid nc in our


xtract d unallocat d spac . But how do s it r lat to th original imag ? As for nsic
xamin rs, m r ly fiending pot ntial vid nc is not good nough. W also n d to know
wh r it cam from (physical location in th original imag ), what fiel it b longs or (possibly)

238
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

b long d to, m ta data associat d with th fiel , and cont xt. Finding pot ntial vid nc in a big
block of aggr gat unallocat d spac is of littel us to us if w cannot at l ast mak som ffoort
at atteribution in th original fiel syst m.

Theat's wh r th oth r block lay r tools com in. W can us blkcalc to calculat th
location (by data block or fragm nt) in our original imag . Onc w 'v don that, w simply
us th m ta data lay r tools to id ntify and pot ntially r cov r th original fiel , as w did in
our pr vious ffoort.

First w n d to gath r a bit of data about th original fiel syst m. W run th fsstat
command to d t rmin th siz of th data blocks w ar working with. W ’v don this a
numb r of tim s alr ady, but th r p tition is us ful to driv hom th importanc of this
information.

barry@forensic1:~/able2$ fsstat -o 10260 able2.dd | less


FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext2
Volume Name:
...
Source OS: Linux
Dynamic Structure
...
CONTENT INFORMATION
--------------------------------------------
Block Range: 0 - 51299
Block Size: 1024
...

In th fsstat command abov , w s that th block siz (in bold) is 1024. W tak th
offos t from our grep output on th able2.blkls imag and divid that by 1024. Theis t lls us
how many unallocat d data blocks into th unallocat d imag w found our string of int r st.
As usual, w us th echo command to pass th math xpr ssion to th command lin
calculator, bc:

barry@forensic1:~/able2$ echo "1631299/1024" | bc


1593

W now know, from th abov output, that th string cybernetik is in data block 1593
of our xtract d unallocat d fiel , able2.blkls.

Theis is wh r our handy blkcalc command com s in. W us blkcalc with th -u


option to sp cify that w want to calculat th block addr ss from an xtract d unallocat d

239
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

imag (from blkls output). W run th command on th original dd imag b caus w ar


calculating th original data block in that imag . The qu stion w ar answ ring h r is “What
data block in th original imag is unallocat d block 1593?”.

barry@forensic1:~/able2$ blkcalc -o 10260 -u 1593 able2.dd


5184

The command abov is running blkcalc on th fiel syst m at offos t 10260 (-o 10260)
in th original able2.dd, passing th data block w calculat d from th blkls imag
able2.blkls (-u 1593). The r sult is a familiar block 5184 (s Ex rcis #2A again). The
illustration b low giv s a visual r pr s ntation of a simpl xampl :

In th illustrat d xampl abov , th data in block #3 of th blkls imag would map to


block #49 in th original fiel syst m. W would fiend this with th blkcalc command as shown
in Illustration 6.

So, in simpl t rms, w hav xtract d th unallocat d spac , found a string of int r st
in a data block in th unallocat d imag , and th n found th corr sponding data block in th
original imag .

If w look at th blkstat (data block statistics) output for block 5184 in th original
imag , w s that it is, in fact unallocat d, which mak s s ns , sinc w found it within our
xtract d unallocat d spac (w 'r back to th sam r sults as in Ex rcis #2A). Not that w

240
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

ar now running th commands on th original dd imag . W 'll continu on for th sak of


compl t n ss. And b caus it’s good practic N

barry@forensic1:~/able2$ blkstat -o 10260 able2.dd 5184


Fragment: 5184
Not Allocated
Group: 0

Using th command blkcat w can look at th raw cont nts of th data block (using
xxd and less as a vi w r). If w want to, w can v n us blkcat to xtract th block,
r dir cting th cont nts to anoth r fiel , just as w did in x rcis #2B with our xt4 fiel syst m
imag .

If w want to r cov r th actual fiel and m ta data associat d with th id ntifie d data
block, w us ifind to d t rmin which m ta data structur (in this cas inode sinc w ar
working on an EXT fiel syst m) holds th data in block 5184. The n istat shows us th m ta
data for th inod :

barry@forensic1:~/able2$ ifind -o 10260 -d 5184 able2.dd


10090

barry@forensic1:~/able2$ istat -o 10260 able2.dd 10090


inode: 10090
Not Allocated
Group: 5
Generation Id: 3534950782
uid / gid: 4 / 7
mode: rrw-r--r--
size: 3591
num of links: 0

Inode Times:
Accessed: 2003-08-10 00:18:36 (EDT)
File Modified: 1996-12-25 16:27:43 (EST)
Inode Modified: 2003-08-10 00:29:58 (EDT)
Deleted: 2003-08-10 00:29:58 (EDT)

Direct Blocks:
5184 5185 5186 5187

Again, as w saw pr viously, th istat command, which shows us th m ta data for


inod 10090, indicat s that th fiel with this inod is Not Allocated, and its fierst dir ct block is
5184. Just as w xp ct d.

241
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

W th n us icat to r cov r th fiel . In this cas , w just pip th fierst f w lin s out to
s our string of int r st, cybernetik.

barry@forensic1:~/able2$ icat -o 10260 able2.dd 10090 | head -n 10


/*
* fixer.c
* by Idefix
* inspired on sum.c and SaintStat 2.0
* updated by Cybernetik for linux rootkit
*/

#include <sys/types.h>
#include <sys/stat.h>
#include <sys/time.h>

Sleuth Kit Exercise #4 – NTFS Examination: File Analysis

At this point w 'v don a coupl of int rm diat x rcis s using xt2 and xt4 fiel
syst ms from a Linux disk imag s. In th following x rcis s w will do som simpl analys s
on an NTFS fiel syst m. Theis is th most common fiel syst m you ar lik ly to fiend wh n it
com s to p rsonal and nt rpris d sktop and laptop comput rs today.

Som might ask, “why?” The r ar many tools out th r capabl of analyzing an NTFS
fiel syst m in its nativ nvironm nt. In my mind th r ar two v ry good r asons for l arning
to apply th Sl uth Kit on Windows fiel syst ms. First, th Sl uth Kit is compris d of a numb r
of s parat tools with v ry discr t s ts of capabiliti s. The sp cializ d natur of th s tools
m ans that you hav to und rstand th ir int raction with th fiel syst m b ing analyz d. Theis
mak s th m sp cially suit d to h lp l arning th ins and outs of fiel syst m b havior. The fact
that th Sl uth Kit do s less of th work for you mak s it a gr at l arning tool. S cond, an
op n sourc tool that op rat s in an nvironm nt oth r than Windows mak s for an xc ll nt
cross-v rifiecation utility.

The following x rcis follows a s t of v ry basic st ps us ful in most any analysis.


Mak sur that you follow along at th command lin . Exp rim ntation is th b st way to
l arn.

If you hav not alr ady don so, I would strongly sugg st (again) that you inv st in a
copy of Brian Carri r's book: Fil Syst m For nsic Analysis (Publish d by Addison-W sl y,
2005). Theis book is th d fienitiv guid to fiel syst m b havior for for nsic analysts. As a
r mind r (again), th purpos of th s x rcis s in NOT to t ach you fiel syst ms (or for nsic
m thods, for that matte r), but rath r to illustrat and introduc th d tail d information TSK
can provid on common fiel syst ms ncount r d by fie ld xamin rs.

For th s x rcis s that follow, w ’ll b using th NTFS_Pract_2017.E01 s t of fiel s w


download d and us d for our libewf s ctions arli r. Sinc th s ar EWF fiel s, and w hav

242
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

support for libewf built into TSK, w ’ll work dir ctly from thos fiel s. If you hav not alr ady
don so, download th NTFS EWF fiel s, xtract th archiv and l t’s b gin.

barry@forensic1:~$ wget http://www.linuxleo.com/Files/NTFS_Pract_2017_E01.tar.gz


...
barry@forensic1:~$ tar tzf NTFS_Pract_2017_E01.tar.gz
...
barry@forensic1:~$ tar xzvf NTFS_Pract_2017_E01.tar.gz
...
barry@forensic1:~$ cd NTFS_Pract_2017

barry@forensic1:~/NTFS_Pract_2017$

W will start by running through a s ri s of basic Sl uth Kit commands as w would in


any analysis. The structur of th for nsic imag is vi w d using mmls:

barry@forensic1:~/NTFS_Pract_2017$ mmls NTFS_Pract_2017.E01


DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot Start End Length Description


000: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
001: ------- 0000000000 0000002047 0000002048 Unallocated
002: 000:000 0000002048 0001023999 0001021952 NTFS / exFAT (0x07)

The output shows that an NTFS partition (and most lik ly th fiel syst m) b gins at
s ctor offos t 2048. Theis is th offos t w will us in all our Sl uth Kit commands. W now us
fsstat to hav a look at th fiel syst m statistics insid that partition:

barry@forensic1:~/NTFS_Pract_2017$ fsstat -o 2048 NTFS_Pract_2017.E01 | less


FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: CAE0DFD2E0DFC2BD
OEM Name: NTFS
Volume Name: NTFS_2017d
Version: Windows XP

METADATA INFORMATION
--------------------------------------------
First Cluster of MFT: 42581
First Cluster of MFT Mirror: 2
Size of MFT Entries: 1024 bytes

243
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Size of Index Records: 4096 bytes


Range: 0 - 293
Root Directory: 5

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
...

Looking at th fsstat output on our NTFS fiel syst m, w s it diffo rs gr atly from
th output w saw running on a Linux EXT fiel syst m. The tool is d sign d to provid
p rtin nt information bas d on th fiel syst m b ing targ t d. Notic that wh n run on an
NTFS fiel syst m, fsstat provid s us with information sp cifiec to NTFS, including data about
th Mast r Fil Tabl (MFT) and sp cifiec atteribut valu s.

W will now hav a look at how th Sl uth Kit int racts with activ and d l t d fiel s on
an NTFS fiel syst m. L t’s fierst run fls on just th root l v l dir ctory of our imag :

barry@forensic1:~/NTFS_Pract_2017$ fls -o 2048 NTFS_Pract_2017.E01


r/r 4-128-4: $AttrDef
r/r 8-128-2: $BadClus
r/r 8-128-1: $BadClus:$Bad
r/r 6-128-4: $Bitmap
r/r 7-128-1: $Boot
d/d 11-144-4: $Extend
r/r 2-128-1: $LogFile
r/r 0-128-6: $MFT
r/r 1-128-1: $MFTMirr
r/r 9-128-8: $Secure:$SDS
r/r 9-144-11: $Secure:$SDH
r/r 9-144-14: $Secure:$SII
r/r 10-128-1: $UpCase
r/r 10-128-4: $UpCase:$Info
r/r 3-128-3: $Volume
r/r 38-128-1: ProxyLog1.log
d/d 35-144-1: System Volume Information
d/d 64-144-2: Users
d/d 67-144-2: Windows
d/d 293: $OrphanFiles

Not that fls displays far mor information for us than normal dir ctory listings for
NTFS. Includ d with our r gular fiel s and dir ctori s ar th NTFS syst m fiel s (starting with
th $), including th $MFT and $MFTMIRROR (r cord numb rs 0 and 1). If you look at th MFT
numb rs, you’ll s that for som r ason r cord numb r 5 is missing. MFT r cord 5 is th root

244
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

dir ctory, which is what w ar displaying h r . Just as th d fault display for EXT fiel
syst ms with fls is inod 2, th d fault for NTFS is MFT r cord 5.

You can dig d p r and d p r into th fiel syst m by providing fls with a dir ctory
MFT r cord and it will display th cont nts of that dir ctory. For illustration, r run th
command (us th up arrow and dit th pr vious command) with th MFT r cord 64 (th
Users dir ctory):

barry@forensic1:~/NTFS_Pract_2017$ fls -o 2048 NTFS_Pract_2017.E01 64


d/d 65-144-2: AlbertE
d/d 66-144-2: ElsaE

You can d lv d p into ach dir ctory this way. Theis is on way to “brows ” th fiel
syst m with fls.

W can also sp cify that fls only show us only “d l t d” cont nt on th command lin
with th -d option. W will us -F (only fiel ntri s) and -r (r cursiv ) as w ll:

barry@forensic1:~/NTFS_Pract_2017$ fls -o 2048 -Frd NTFS_Pract_2017.E01


-/r * 40-128-1: Users/AlbertE/Documents/Credit Report.pdf
-/r * 40-128-3: Users/AlbertE/Documents/Credit Report.pdf:Zone.Identifier
r/- * 0: Users/AlbertE/Documents/ManProj/World's First Atomic Bomb - Manhattan
Project Documentary - Films - YouTube.url
-/r * 236-128-2: Users/AlbertE/Documents/ManProj/MMManhattan Project.docx
-/r * 237-128-2: Users/AlbertE/Documents/ManProj/The Manhattan Project -
YouTube.url
-/r * 238-128-2: Users/AlbertE/Documents/ManProj/World's First Atomic Bomb -
Manhattan Project Documentary - Films - YouTube.url
-/r * 239-128-2: Users/AlbertE/Documents/ManProj/manhattan_project.zip
-/r * 248-128-2: Users/AlbertE/Documents/cyberbullying_by_proxy.doc
r/- * 0: Users/AlbertE/Pictures/Tails/Thumbs.db
r/r * 221-128-2: Users/AlbertE/Pictures/Tails/Thumbs.db
-/r * 216-128-2: Users/AlbertE/Pictures/Tails/BigBikeBH1017.jpg
-/r * 217-128-2: Users/AlbertE/Pictures/Tails/BigBikeSoloCBR900SC33.jpg
-/r * 218-128-2: Users/AlbertE/Pictures/Tails/BigBikeTailBandit.jpg
-/r * 219-128-2: Users/AlbertE/Pictures/Tails/GemoTailG4.jpg
-/r * 220-128-2: Users/AlbertE/Pictures/Tails/GemoTailUniversal.jpg
r/- * 0: Windows/Prefetch/EXPLORER.EXE-A80E4F97.pf
r/- * 0: Windows/Prefetch/MAINTENANCESERVICE.EXE-28D2775E.pf
r/- * 0: Windows/Prefetch/RUNDLL32.EXE-411A328D.pf
d/- * 0: Windows/System32
-/r * 167-128-2: Windows/Drop Location 2.kml
-/r * 168-128-2: Windows/Drop location 1.kml
-/r * 169-128-2: Windows/Meeting place.kml
-/r * 170-128-2: Windows/Nums_to_use.txt
-/r * 171-128-2: Windows/mycase.jpg

245
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

-/r * 172-128-2: Windows/mycase.jpg_original


-/r * 173-128-2: Windows/pickup location.kml

The output abov shows that our NTFS xampl fiel syst m holds a numb r of d l t d
fiel s in s v ral dir ctori s. L t's hav a clos r look at som NTFS sp cifiec information that can
b pars d with TSK tools.

Hav a look a th d l t d fiel at MFT ntry 216. The fiel is Users/AlbertE/Pictures/


Tails/BigBikeBH1017.jpg . W can hav a clos r look at th fiel 's atteribut s by xamining its
MFT ntry dir ctly with istat. R call that wh n w w r working on an EXT fiel syst m
pr viously, th output of istat gav us information dir ctly from th inode of th sp cifie d fiel
(s Sl uth Kit Ex rcis #1). So l t's run th command on MFT ntry 216 in our curr nt
x rcis :

barry@forensic1:~/NTFS_Pract_2017$ istat -o 2048 NTFS_Pract_2017.E01 216


MFT Entry Header Values:
Entry: 216 Sequence: 2
$LogFile Sequence Number: 4199136
Not Allocated File
Links: 1

$STANDARD_INFORMATION Attribute Values:


Flags: Archive
Owner ID: 0
Security ID: 0 ()
Created: 2017-05-01 09:04:42.810747600 (EDT)
File Modified: 2006-10-14 10:41:41.158486000 (EDT)
MFT Modified: 2017-05-01 09:04:42.818945100 (EDT)
Accessed: 2017-05-01 09:04:42.818865600 (EDT)

$FILE_NAME Attribute Values:


Flags: Archive
Name: BigBikeBH1017.jpg
Parent MFT Entry: 186 Sequence: 1
Allocated Size: 61440 Actual Size: 59861
Created: 2017-05-01 09:04:42.810747600 (EDT)
File Modified: 2006-10-14 10:41:41.158486000 (EDT)
MFT Modified: 2017-05-01 09:04:42.818865600 (EDT)
Accessed: 2017-05-01 09:04:42.818865600 (EDT)

Attributes:
Type: $STANDARD_INFORMATION (16-0) Name: N/A Resident size: 48
Type: $FILE_NAME (48-4) Name: N/A Resident size: 100
Type: $SECURITY_DESCRIPTOR (80-1) Name: N/A Resident size: 80
Type: $DATA (128-2) Name: N/A Non-Resident size: 59861 init_size: 59861
91473 91474 91475 91476 91477 91478 91479 91480

246
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

91481 91482 91483 91484 91485 91486 91487

The information istat provid s us from th MFT shows valu s dir ctly from th
$STANDARD_INFORMATION atteribut (which contains th basic m ta data for a fiel ) as w ll as th
$FILE_NAME atteribut and basic information for oth r atteribut s that ar part of an MFT ntry.
The data blocks that contain th actual fiel cont nt ar list d at th botteom of th output (for
Non-R sid nt data).

Tak not of th fact that th r is a s parat atteribut id ntifie r for th $FILE_NAME


atteribut , 48-4. It is int r sting to not w can acc ss th cont nts of ach atteribut s parat ly
using th icat command.

The 48-4 atteribut stor s th fiel nam . By piping th output of icat to xxd w can s
th cont nts of this atteribut , allowing us to vi w individual atteribut s for ach MFT ntry. By
its lf, this may not b of much inv stigativ int r st in this particular instanc , but you should
und rstand that atteribut s can b acc ss d s parat ly by providing th full atteribut id ntifie r.

barry@forensic1:~/NTFS_Pract_2017$ icat -o 2048 NTFS_Pract_2017.E01 216-48-4 |


xxd
00000000: ba00 0000 0000 0100 d486 cd7f 7bc2 d201 ............{...
00000010: 5cef 99dc 9eef c601 f0c3 ce7f 7bc2 d201 \...........{...
00000020: f0c3 ce7f 7bc2 d201 00f0 0000 0000 0000 ....{...........
00000030: d5e9 0000 0000 0000 2000 0000 0000 0000 ........ .......
00000040: 1100 4200 6900 6700 4200 6900 6b00 6500 ..B.i.g.B.i.k.e.
00000050: 4200 4800 3100 3000 3100 3700 2e00 6a00 B.H.1.0.1.7...j.
00000060: 7000 6700 p.g.

The sam id a is xt nd d to oth r atteribut s of a fiel , most notably th “Alt rnat Data
Str ams” or ADS. By showing us th xist nc of multipl atteribut id ntifie rs for a giv n fiel ,
th Sl uth Kit giv s us a way of d t cting pot ntially hidd n data. W cov r this in our n xt
x rcis .

Sleuth Kit Exercise #5 – NTFS Examination: ADS

First, to s what w ar discussing h r , in cas th r ad r is not familiar with


alt rnat data str ams, w should compar th output of a normal fiel listing with that
obtain d through a for nsic utility.

Obviously, wh n xamining a syst m, it may b us ful to g t a look at all of th fiel s


contain d in an imag . W can do this two ways. The fierst way would b to simply mount our
imag with th loop back d vic and g t a fiel listing. W will do this to compar a m thod
using standard command lin utiliti s that w us d in th past with a m thod using th Sl uth
Kit tools.

247
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

R m mb r that th mount command works on fiel syst ms, not disks. The fiel syst m in
this imag starts 2048 s ctors into th imag , so w mount using an offos t. Sinc w ar also
xamining an EWF imag , w ’ll n d to us ewfmount to fus mount th imag fiel . Theis all
must b don as root:

barry@forensic1:~/NTFS_Pract_2017$ su -
Password:

root@forensic1:~# cd ~barry/NTFS_Pract_2017

root@forensic1:/home/barry/NTFS_Pract_2017# ewfmount NTFS_Pract_2017.E01 /mnt/ewf


ewfmount 20140608

root@forensic1:/home/barry/NTFS_Pract_2017# mount -o ro,loop,offset=$


((2048*512)) /mnt/ewf/ewf1 /mnt/evid

root@forensic1:/home/barry/NTFS_Pract_2017# exit
logout

barry@forensic1:~/NTFS_Pract_2017$

In th abov s t of commands, w su to root, us ewfmount to mount th EWF imag


on /mnt/ewf as /mnt/ewf/ewf1. W th n mount th data partition (which w know is at
offos t 2048 from our pr vious x rcis ) and th n xit27.

W can th n obtain a simpl list of fiel s using th find command:

barry@forensic1:~/NTFS_Pract_2017$ find /mnt/evid/ -type f


/mnt/evid/ProxyLog1.log
/mnt/evid/System Volume Information/IndexerVolumeGuid
/mnt/evid/System Volume Information/WPSettings.dat
/mnt/evid/Users/AlbertE/Documents/better_access_unix.txt
/mnt/evid/Users/AlbertE/Documents/books.txt
/mnt/evid/Users/AlbertE/Documents/cable.txt
/mnt/evid/Users/AlbertE/Documents/cabletv.txt
/mnt/evid/Users/AlbertE/Documents/hackcabl.txt
...

The find command, starts at th mount point ( /mnt/evid), looking for all r gular fiel s
(type -f). The r sult giv s us a v ry long list of all th allocat d regular fiel s on th mount

Not that you can us


27
ewfmount as a normal us r, in this cas w n d to b root anyway for th loop
mount.

248
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

point. Theat’s quit a lot of fiel s, so for th sak of this x rcis l t’s just look at th cont nts of
th us r Alb rt’s Pictur s dir ctory (us th sam command, but grep for AlbertE/Pictures):

barry@forensic1:~/NTFS_Pract_2017$ find /mnt/evid/ -type f | grep


"AlbertE/Pictures"
/mnt/evid/Users/AlbertE/Pictures/b45ac806a965017dd71e3382581c47f3_refined.jpg
/mnt/evid/Users/AlbertE/Pictures/bankor1.jpg
/mnt/evid/Users/AlbertE/Pictures/desktop.ini
/mnt/evid/Users/AlbertE/Pictures/fighterama2005-ban3.jpg
/mnt/evid/Users/AlbertE/Pictures/jet.mpg <<-- Pay attention to this one
/mnt/evid/Users/AlbertE/Pictures/pvannorden2.jpg
...

Of particular int r st in this output is th jet.mpg. Tak not of this fiel . Our curr nt
m thod of listing fiel s, how v r, giv s us no indication of why this fiel is not worthy.

The output of th file commands shows us th xp ct d fiel typ . It is an MPEG


vid o. You can play th vid o with th mplayer command from th command lin to vi w it if
you lik .

barry@forensic1:~/NTFS_Pract_2017$ file /mnt/evid/Users/AlbertE/Pictures/jet.mpg


/mnt/evid/Users/AlbertE/Pictures/jet.mpg: MPEG sequence, v1, progressive Y'CbCr
4:2:0 video, CIF NTSC, NTSC 4:3, 29.97 fps, Constrained

barry@forensic1:~/NTFS_Pract_2017$ mplayer /mnt/evid/Users/AlbertE/Pictures/jet.mpg


<video plays>
Playing /mnt/evid/Users/AlbertE/Pictures/jet.mpg.
...

At this point w ar fienish d with th mount point and th fus mount d imag .
K ping track of mount d disks and partitions is an important part of this proc ss:

barry@forensic1:~/NTFS_Pract_2017$ su -
Password:

root@forensic1:~# umount /mnt/evid && fusermount -u /mnt/ewf

root@forensic1:~# exit
logout

barry@forensic1:~/NTFS_Pract_2017$

249
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

W can unmount both th /mnt/evid fiel syst m and th fus disk imag at /mnt/ewf
on th sam lin by s parating with th &&. Theis m ans that th s cond command
(fusermount) will only x cut if th fierst umount is succ ssful.

Back to our probl mNTo s why th fiel jet.mpg is int r sting, l t's try anoth r
m thod of obtaining a fiel list, th fls command. W can us th -F option to look only at
dir ctori s, and -r to do it r cursiv ly. W ’ll also grep for jet.mpg. You could us th
dir ctory MFT r cord numb rs to brows down to th fiel , but this is quick r and mor
fficci nt:

barry@forensic1:~/NTFS_Pract_2017$ fls -o 2048 -Fr NTFS_Pract_2017.E01 | grep


jet.mpg
r/r 39-128-1: Users/AlbertE/Pictures/jet.mpg
r/r 39-128-3: Users/AlbertE/Pictures/jet.mpg:unixphreak.txt

In th output of fls, jet.mpg has two ntri s:

39-128-1
39-128-3

Both ntri s hav th sam MFT r cord numb r and ar id ntifie d as fiel data ( 39-128)
but th atteribut id ntifie r incr m nts ar diffo r nt. Theis is an xampl of an Alternate Data
Stream (ADS). Acc ssing th standard cont nts (39-128-1) of jet.mpg is asy, sinc it is an
allocat d fiel . How v r, w can acc ss ith r data str am, th normal data or th ADS, by
using th Sl uth Kit command icat, much as w did with th fiel s in our pr vious x rcis s.
W simply call icat with th compl t MFT r cord ntry, to includ th alt rnat atteribut
id ntifie r. H r w sp cify ach of th data str ams and s nd th m to th file command using
icat:

barry@forensic1:~/NTFS_Pract_2017$ icat -o 2048 NTFS_Pract_2017.E01 39 | file -


/dev/stdin: MPEG sequence, v1, progressive Y'CbCr 4:2:0 video, CIF NTSC, NTSC 4:3,
29.97 fps, Constrained

In this fierst (d fault) str am, w simply us th MFT r cord 39 to pass th d fault data
to fiel . For th s cond str am, w pass th full atteribut ( 39-128-3):

barry@forensic1:~/NTFS_Pract_2017$ icat -o 2048 NTFS_Pract_2017.E01 39-128-3 |


file -
/dev/stdin: ASCII text, with CRLF line terminators

250
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Theis tim w s it is ASCII t xt. So now w can just pip th sam command to less
(or just straight to STDOUT) to vi w:

barry@forensic1:~/NTFS_Pract_2017$ icat -o 2048 NTFS_Pract_2017.E01 39-128-3 |


less

+---------------------------------------------------------------------------+
:PHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHA:
:pha+-------------------------------------------------------------------+pha:
:PHA: Phreakers/Hackers/Anarchists Present: :PHA:
:pha: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= :pha:
:PHA: +=+ Gaining Better Access On Any Unix System +=+ :PHA:
:pha: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= :pha:
:PHA: Written By Doctor Dissector (doctord@darkside.com) UPDT: 1/8/91 :PHA:
:pha+-------------------------------------------------------------------+pha:
:PHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHAphaPHA:
+---------------------------------------------------------------------------+

+-----------------------------------------------------------------------------+
:=[ Disclaimer ]==============================================================:
+-----------------------------------------------------------------------------+

The author and the sponsor group Phreakers/Hackers/Anarchists will not be held
responsible for any actions done by anyone reading this material before,
during, and after exposure to this document. This document has been
released under the notion that the material presented herin is for
informational purposes only, and that neither the author nor the group
P/H/A encourage the use of this information for any type of illegal
purpose. Thank you.
...

And h r w ’v display d our NTFS ADS.

Sleuth Kit Exercise #6 – Physical String Search & Allocation Status (NTFS)

W ’v alr ady don a f w string s arch x rcis s, but all of th m hav b n on EXT fiel
syst ms. W mak a lot of assumptions wh n w s arch for simpl strings in an imag . W
assum th strings will b acc ssibl (not in a contain r that r quir s pr -proc ssing), and w
assum th y will b in a charact r ncoding that our s arch utility will fiend. Theis is not always
th cas . Most of th string s arch s w ’v don thus far hav r sult d in match s that ar
found in r gular ASCII t xt fiel s. Wh n w s arch for strings in docum nts on Windows
syst ms, for xampl , that won’t always b th cas . W ’ll n d to d al with mor control
charact rs, and additional application ov rh ad and consid rations, lik compr ss d and
ncod d formats.

251
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Theis x rcis still simplifie s som of that, but it also s rv s to mak you awar of som
of th mor compl x issu s that may aris wh n s arching larg r imag s with mor compl x
cont nt. It will also introduc us to som basic application l v l fiel vi w rs b yond thos
w ’v alr ady s n. The sc nario h r is th sam as pr vious x rcis s. W ’ll pick a k yword,
s arch th ntir disk, and th n r cov r and vi w th associat d fiel . It will b v ry similar to
th EXT x rcis s w did arli r (2A and 2B). Theis tim , how v r, NTFS is our targ t fiel
syst m.

Onc again, w ar d aling with th NTFS_Pract_2017.E01 imag s t. And, again,


sinc w ar doing a physical s arch using non-EWF awar tools, w ’ll ewfmount th imag s
and work on th raw fus mount d disk imag . Theis tim w cr at a mount point in our
curr nt dir ctory and us wfmount with our normal us r accountNno n d for loop d vic s
and root p rmissions:

barry@forensic1:~/NTFS_Pract_2017$ mkdir ewfmnt

barry@forensic1:~/NTFS_Pract_2017$ ewfmount NTFS_Pract_2017.E01 ewfmnt/


ewfmount 20140608

The grep command points to th fus mount d imag in ewfmnt/. Sinc ewfmnt is in
our curr nt dir ctory (w just cr at d it h r ), th r is no n d for a l ading /.

barry@forensic1:~/NTFS_Pract_2017$ grep -abi cyberbullying ewfmnt/ewf1


C���#`Փ)|��#�Г)|��#@Ba>B #ULTIMATEJOURNEYDK.wmv##�Г)|��#@Ba>B )|��#�Г)|��#@Ba>B #ULTIMATEJOURNEYDK.wmv##�Г)|��#@Ba>B
#ULTIMATEJOURNEYDK.wmv##�lC���#`Փ)|��#�Г)|��#@Ba>B #ULTIMATEJOURNEYDK.wmv##�Г)|��#@Ba>B )|��#�Г)|��#@Ba>B
#ULTIMATEJOURNEYDK.wmv##YYYYYY��#��#>�#ࡱ ����#<#:##
9�����������������������������
...
D#�
Dq� � �
______________________________________________________________________________
Cyberbullying by proxy is when a cyberbully gets someone else to do their dirty
...

Wh n w x cut our s arch, w ar gr t d with a signifiecant numb r of non-ASCII


charact rs that s riously imp d th r adability of th output. Wh n you scroll down th
output, you can s th string w ar looking for, but th offos ts ar obscur d.

Back in our for nsic basics s ction, arly in this docum nt, w discuss d using th tr
command to translat “control charact rs” to n wlin s. Theis has th ffo ct of r moving much
of th unr adabl cont nt from our vi w as w ll as from th grep s arch, whil th on for on
charact r r plac m nt caus s no issu for offos t calculations. Us tr h r :

252
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

barry@forensic1:~/NTFS_Pract_2017$ tr '[:cntrl:]' '\n' < ewfmnt/ewf1 | grep -abi


cyberbullying

426596865:www.stopcyberbullying.org
426596971:Cyberbullying by proxy
426596995:Cyberbullying by proxy is when a cyberbully gets someone else to do
their dirty work. Most of the time they are unwitting accomplices and don't know
that they are being used by the cyberbully. Cyberbullying by proxy is the most
dangerous kind of cyberbullying because it often gets adults involve in the
harassment and people who don't know they are dealing with a kid or someone they
know.
...

The command abov us s tr to conv rt th s t of control charact rs ([:cntrl:]) to


n wlin s (‘\n’). The input is tak n from ewfmnt/ewf1, and th n th r sulting str am is pip d
through grep to our s arch with th usual -abi options to tr at it lik a t xt fiel (a), provid
th byt offos t (b) and mak th s arch cas ins nsitiv (i). The output shows our offos ts and
string hits ar now much mor r adabl .

Now w run through th sam s t of commands w did pr viously. Calculating what


s ctor th k yword is in, th offos t within th volum , and fienally which data block and m ta-
data ntry is associat d with th k yword hit.

W ’ll work with th fierst k yword hit (426596865:www.stopcyberbullying.org).


The s ctor offos t to our hit is found by dividing th byt offos t by th s ctor siz ( 512). W
alr ady know that th r is only on partition in this imag , but w ’ll run mmls just to b sur .
W also run fsstat again to confierm th block siz (which w alr ady know from pr vious
x rcis s is 4096 byt s). R p ating th s st ps is just good practic :

barry@forensic1:~/NTFS_Pract_2017$ echo "426596865/512" | bc


833197

barry@forensic1:~/NTFS_Pract_2017$ mmls NTFS_Pract_2017.E01


DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot Start End Length Description


000: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
001: ------- 0000000000 0000002047 0000002048 Unallocated
002: 000:000 0000002048 0001023999 0001021952 NTFS / exFAT (0x07)

barry@forensic1:~/NTFS_Pract_2017$ fsstat -o 2048 NTFS_Pract_2017.E01


FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS

253
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

...
CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
...

As xp ct d, th k yword is in th only NTFS partition which r sid s at offos t 2048


(s ctors). W can compl t th math and d t rmin th block th k yword r sid s in all at
onc :

barry@forensic1:~/NTFS_Pract_2017$ echo "(426596865-(2048*512))/4096" | bc


103893

For r vi w, this r ads: “Tak our offos t to th k yword in our disk ( 426596865), subtract
th offos t to th start of th partition ( 2048*512), and divid th r sulting valu by our fiel
syst m block siz (4096). Our fiel syst m block is 103893.

barry@forensic1:~/NTFS_Pract_2017$ blkstat -o 2048 NTFS_Pract_2017.E01 103893


Cluster: 103893
Not Allocated

barry@forensic1:~/NTFS_Pract_2017$ ifind -o 2048 -d 103893 NTFS_Pract_2017.E01


248-128-2

W can s that blkstat t lls us th clust r (block) is unallocat d, and ifind (shows us
that th m ta-data structur (MFT ntry) associat d with that data block ( -d 103893) is
248-128-2.

barry@forensic1:~/NTFS_Pract_2017$ icat -o 2048 NTFS_Pract_2017.E01 248 | file -


/dev/stdin: Composite Document File V2 Document, Little Endian, Os: Windows,
Version 5.1, Code page: 1252, Template: Normal, Last Saved By: buckyball, Revision
Number: 2, Name of Creating Application: Microsoft Word 10.0, Last Printed: 02:05,
Create Time/Date: Tue Nov 21 21:41:00 1995, Last Saved Time/Date: Wed Oct 25
23:14:00 2006, Number of Pages: 2, Number of Words: 822, Number of Characters:
4087, Security: 0

Piping our icat output through th file command shows us w hav a Microsoftw
Word docum nt. Not that wh n w pass th MFT r cord to icat, w us only th r cord
numb r, 248 rath r than th ntir atteribut sinc w ar looking for th d fault atteribut
anyway, which is $DATA.

254
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

If w try and vi w th docum nt with cat or less, w again g t non-ASCII charact rs,
making r ading difficcult.

barry@forensic1:~/NTFS_Pract_2017$ icat -o 2048 NTFS_Pract_2017.E01 248 | less


<D0><CF>^Qࡱ^Z<E1>^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@>^@^C^@<FE><FF>
^@^F^@^@^@^@^@^@^@^@^@^@^@^A^@^@^@:^@^@^@^@^@^@^@^@^P^@^@<^@^@^@^A^@^@^@<FE><FF><F
F><FF>^@^@^@^@9^@^@^@<FF><FF><FF><FF><FF><FF><FF><FF><FF><FF><FF><FF><FF><FF><FF><
FF>
...
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^Hwww.stopcyberbullying.org^M_____________________
_________________________________________________________^K^MCyberbullying by

W could us icat to r dir ct th cont nts to a fiel :

barry@forensic1:~/NTFS_Pract_2017$ icat -o 2048 NTFS_Pract_2017.E01 248 >


ntfs.248

From th r w could vi w th fiel in an MS Word compatibl application lik


Libr Officc :

Theis is fien , but op ning and closing GUI programs to vi w fiel cont nts is not id al for
our command lin approach. Inst ad, w can us a simpl tool lik catdoc to r ad MS Officc
fiel s (.doc format) from th command lin .

catdoc can b install d via sboinstall on Slackwar :

255
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

barry@forensic1:~/NTFS_Pract_2017$ su -
Password:

root@forensic1:~# sboinstall catdoc

catdoc reads MS Word file and prints readable ASCII text to stdout, just
like Unix cat command. It also able to produce correct escape sequences
if some UNICODE characters have to be represented specially in your
typesetting system such as (La)TeX.

Proceed with catdoc? [y]


...
Cleaning for catdoc-0.94.2...

root@forensic1:~# exit
logout

Onc install d, you can ith r op n th fiel you xport d ( ntfs.248) with catdoc, or
you can simply str am th output of icat straight through to catdoc, and again through less
(multipl pip s ar just aw som ).

barry@forensic1:~/NTFS_Pract_2017$ icat -o 2048 NTFS_Pract_2017.E01 248-128-2 |


catdoc | less

www.stopcyberbullying.org

________________________________________________________________________
Cyberbullying by proxy

Cyberbullying by proxy is when a cyberbully gets someone else to do


their dirty work. Most of the time they are unwitting accomplices and
...

Theis x rcis ss ntially clos s th loop on our physical s arching of fiel syst ms. As
w can s th r can b a lot mor to s arching an imag than simpl gr p strings.

L t’s l av with on mor command, and a qu stion. The fus mount d imag should
still b availabl at ewfmnt/ewf1. Do a quick k yword s arch for "Uranium-235" (sounds
ominous, do sn’t it?):

barry@forensic1:~/NTFS_Pract_2017$ grep -abi "Uranium-235" ewfmnt/ewf1


<returns nothing>

256
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

The patte rn "Uranium-235" do s not app ar to b found. Do s this m an I’m fr to


draw th conclusion that th r ar no instanc s of th string “Uranium-235” to b found on th
disk? Of cours not. W ’ll addr ss this in our n xt x rcis .

B sur to unmount th fus mount d imag b for you mov on.

barry@forensic1:~/NTFS_Pract_2017$ fusermount -u ewfmnt

Bulk Extractor – Comprehensive Searching

In pr vious x rcis s, w discuss d issu s wh r simpl t xt bas d string s arch s


might not b ffo ctiv d p nding on charact r ncoding and fiel formats (compr ssion, tc.).
The r ar a numb r of charact r s t awar tools out th r that w can us to ov rcom many of
th s issu s, but d tail d d scriptions of charact r ncoding and s arch s ar not what w ar
aiming for h r . Inst ad w ar going to introduc a tool, bulk_extractor, that incorporat s
som xc ll nt multi-format s arching capabiliti s with som oth r v ry us ful functions.
bulk_extractor was cr at d by Simson Garfienk l at th Naval Postgraduat School.

For thos of you that hav not alr ady h ard of or us d bulk_extractor, it is on of
thos tools that I v ry rar ly don’t us on v ry cas . Ev n wh r I hav a targ t d xtraction
or analysis to p rform, bulk_extractor can always fiend additional information or, at th v ry
l ast, provid an xc ll nt ov rvi w of us r activity or disk cont xt. It is particularly us ful in
situations wh r you hav b n giv n (or acquir d yours lf) a high volum of m dia and you
want to quickly sort out th int r sting data. Theis triag capability is on of th highlights of
bulk_extractor.

bulk_extractor diffo rs from som oth r mor common tools in that it runs and
s arch s compl t ly ind p nd nt of th fiel syst m. In this cas , it’s not th fiel s th ms lv s
that ar int r sting, but th cont nt – wh th r allocat d or unallocat d, whol or fragm nt d,
or v n in compr ss d contain rs. bulk_extractor r ads in th data by blocks, without
r gard to fiel syst m structur , and r cursiv ly s arch s thos blocks for int r sting features.
R cursiv in this cas m ans th tool will, for xampl , d compr ss an archiv to s arch th
cont nts and xtract t xt from PDF fiel s to b furth r proc ss d.

A compl t us r’s manual for bulk_extractor is availabl at:

http://downloads.digitalcorpora.org/downloads/bulk_extractor/BEUsersManual.pdf

bulk_extractor also has a GUI tool, BEviewer, commonly us d to r ad th f atur


fiel s and run th program. If you want to s this in action, you’ll n d java install d.
Op nJDK is th asi st to install from sbotools, but b sur to r ad th README. Op nJDK will

257
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

n d to b install d prior to bulk_extractor for BEviewer to b includ d in th fienal packag .


BEviewer was writte n by Bruc All n.

L t’s install bulk_extractor now and hav a clos r look at th options.

root@forensic1:~# sboinstall bulk_extractor

bulk_extractor is a C++ program that scans a disk image, a file, or a directory


of files and extracts useful information without parsing the file system or
file system structures...
...
The s arch s p rform d by bulk_extractor ar don using sp cifiec scanners that can
b nabl d and disabl d d p nding on what you want to s arch for and how. It is th s
scann rs that manag th parsing of PDF fiel s or compr ss d archiv s and oth r formats. W
can g t a look at availabl scann rs by vi wing th output of bulk_extractor with -h. It’s a
long list of command options, so you might want to pip th output through less:

barry@forensic1:~$ bulk_extractor -h | less


bulk_extractor version 1.5.5
Usage: bulk_extractor [options] imagefile
runs bulk extractor and outputs to stdout a summary of what was found where

Required parameters:
imagefile - the file to extract
or -R filedir - recurse through a directory of files
HAS SUPPORT FOR E01 FILES
HAS SUPPORT FOR AFF FILES
-o outdir - specifies output directory. Must not exist.
bulk_extractor creates this directory.
Options:
-i - INFO mode. Do a quick random sample and print a report.
-b banner.txt- Add banner.txt contents to the top of every output file.
-r alert_list.txt - a file containing the alert list of features to alert
(can be a feature file or a list of globs)
(can be repeated.)
-w stop_list.txt - a file containing the stop list of features (white list
(can be a feature file or a list of globs)s
(can be repeated.)
-F <rfile> - Read a list of regular expressions from <rfile> to find
-f <regex> - find occurrences of <regex>; may be repeated.
results go into find.txt
...
These scanners disabled by default; enable with -e:
-e base16 - enable scanner base16
-e facebook - enable scanner facebook
-e outlook - enable scanner outlook
-e sceadan - enable scanner sceadan

258
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

-e wordlist - enable scanner wordlist


-e xor - enable scanner xor

These scanners enabled by default; disable with -x:


-x accts - disable scanner accts
-x aes - disable scanner aes
-x base64 - disable scanner base64
-x elf - disable scanner elf
-x email - disable scanner email
-x exif - disable scanner exif
...

You can also g t a slightly mor d scriptiv output on th scann rs by doing th sam
as abov but with -H inst ad of -h.

The r ar a lot of options to go through. Som w ’ll cov r as w go through a sampl


x rcis , and oth rs w ’ll skip ov r and allow you to xplor on your own. The simpl st way to
run bulk_extractor is to l av v rything d fault and simply provid an output dir ctory for
th r sults. Theis can tak awhil , but it provid s th b st ov rall int llig nc on th disk
cont nts. For now, w ar going to r duc th output by limiting th scann rs and providing a
singl s arch t rm. Theis will allow us to isolat th r sults and sp nd som tim talking about
th output fiel s.

Som of th mor important options to r m mb r wh n running bulk_extractor ar :


- o <output_dir> Dir ctory to writ th r sults (bulk_ xtractor will cr at this)
- e <scanner> Enabl <scanner>
- E <scanner> Disabl ALL scann rs xc pt <scanner>
- x <scanner> Disabl <scanner>

The asi st way to xplain th options is to run th command and ch ck th output.


W nd d th last s ction on NTFS physical string s arching by doing a simpl grep for th
t rm “Uranium-235” in our NTFS E01 imag s t. The r sults r turn d nothing. Now w ’ll run
th sam s arch again using bulk_extractor. Run th command with th following options.
Not that bulk_extractor can run dir ctly on th EWF fiel s if libewf is install d:

barry@forensic1:~$ bulk_extractor -E zip -e find -f "Uranium-235" -o blk_out


NTFS_Pract_2017/NTFS_Pract_2017.E01
bulk_extractor version: 1.5.5
Hostname: forensic1
Input file: NTFS_Pract_2017/NTFS_Pract_2017.E01
Output directory: blk_out
Disk Size: 524288000
Threads: 1
8:27:15 Offset 67MB (12.80%) Done in 0:00:12 at 08:27:27
...
8:27:26 Offset 318MB (60.80%) Done in 0:00:08 at 08:27:34

259
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

8:27:39 Offset 486MB (92.80%) Done in 0:00:02 at 08:27:41


All data are read; waiting for threads to finish...
Time elapsed waiting for 1 thread to finish:
(timeout in 60 min.)
All Threads Finished!
Producer time spent waiting: 25.5601 sec.
Average consumer time spent waiting: 0.065733 sec.
MD5 of Disk Image: eb4393cfcc4fca856e0edbf772b2aa7d
Phase 2. Shutting down scanners
Phase 3. Creating Histograms
Elapsed time: 27.9671 sec.
Total MB processed: 524

In th abov command, w us -E zip to disabl v ry d fault scann r xc pt th zip


scann r. W th n r - nabl th find scann r with -e find (so that w can run our string
s arch). Theis is follow d by th -f “Uranium-235” s arch t rm. Theis t rm can b a string or
a r gular xpr ssion. W can also add additional t rms or cr at a s arch t rm fiel and run it
with th -F option. Our output dir ctory is s t with -o blk_out.

The command provid s som fairly s lf- xplanatory information, including th data
proc ss d and th hash of th disk imag . Chang into th output dir ctory and l t’s hav a
look at th fiel s that w r produc d.

barry@forensic1:~$ cd blk_out/

barry@forensic1:~/bulk_out$ ls -l
total 336
-rw-r--r-- 1 barry users 0 Jun 5 08:27 alerts.txt
-rw-r--r-- 1 barry users 263 Jun 5 08:27 find.txt
-rw-r--r-- 1 barry users 206 Jun 5 08:27 find_histogram.txt
-rw-r--r-- 1 barry users 9814 Jun 5 08:27 report.xml
-rw-r--r-- 1 barry users 0 Jun 5 08:27 unzip_carved.txt
-rw-r--r-- 1 barry users 319995 Jun 5 08:27 zip.txt

The r ar basically thr diffo r nt fiel s shown in th output abov . The s ar :


◦ F atur fiel s: Fil s that contain th output of ach scann r.
◦ Histogram fiel s: Fil s that show th fr qu ncy that ach it m in a f atur fiel is
ncount r d. W ’ll discuss th us fuln ss of th s in mor d tail lat r.
◦ The r port fiel : A DFXML formatte d r port of th output and nvironm nt.

Any fiel s that ar 0 siz ar mpty and no f atur s w r not d. In this cas th
alerts.txt fiel is mpty b caus w did not sp cify an al rt fiel with th -r option. The
f atur fiel w ar conc rn d with h r is th find.txt, produc d by th find scann r. Op n
and hav a look at this fiel :

260
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

barry@forensic1:~/bulk_out$ cat find.txt


# BANNER FILE NOT PROVIDED (-b option)
# BULK_EXTRACTOR-Version: 1.5.5 ($Rev: 10844 $)
# Feature-Recorder: find
# Filename: NTFS_Pract_2017/NTFS_Pract_2017.E01
# Feature-File-Version: 1.1
445901295-ZIP-9745 Uranium-235 ference between Uranium-235 and Uranium-238

The find.txt fiel has a comm nt d ar a (lin s starting with #), and th actual output
of th scann r its lf, with ach “f atur ” found on on lin . The r ar thr parts to th
scann r output for ach f atur . The fierst is an offos t. Theis offos t can hav multipl parts. In
bulk_extractor this is r f rr d to as th forensic path. Theis includ s a disk offos t to th data
containing th f atur , th scann r(s) that found th obj ct, and th n th offos t within that
data. The for nsic path is follow d by th f atur its lf, in this cas our “ Uranium-235” s arch
t rm. Finally w ar giv n a small bit of cont xt. In oth r words, for our xampl abov :

445901295-ZIP-9745 Compr ss d data (ZIP) was found at disk offos t


445901295. The f atur (Uranium-235)was
found at offos t 9745 in that compr ss d data.
Uranium-235 The f atur that was found (our s arch t rm)
ference between Uranium-235 and The cont xt th f atur was found in.
Uranium-238

Using what w ’v l arn d pr viously about physical s arching, l t’s hav a quick look a
th data found at that offos t. R m mb r our formula for fiending th offos t in a fiel syst m
wh n giv n a disk offos t? W ’v s n this NTFS imag s t b for , so w alr ady know th fiel
syst m starts at s ctor offos t 2048, so w ’ll calculat th fiel syst m offos t and th n run th
ifind command w ’v us d s v ral tim s alr ady to fiend out what MFT ntry points to th
data block. Finally w ’ll us th icat command and pip th output to file so w can id ntify
th typ :

barry@forensic1:~/bulk_out$ echo "((445901295-(2048*512))/4096)" | bc


108606

barry@forensic1:~/bulk_out$ ifind -d 108606 -o 2048


../NTFS_Pract_2017/NTFS_Pract_2017.E01
236-128-2

barry@forensic1:~/bulk_out$ icat -o 2048 ../NTFS_Pract_2017/NTFS_Pract_2017.E01


236 | file -
/dev/stdin: Microsoft Word 2007+

261
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

So w s that th f atur was found in a Microsoftw Word docum nt in .docx format,


which is compr ss d XML. Theis fiel can b vi w d with th catdocx script (r m mb r
catdoc? catdocx is similar, but for th XML zipp d .docx format ). W will do this at th nd
of th x rcis .

Aftw r th f atur fiel s, w mov on to th histogram fiel . A histogram is simply a fiel


that will list th f atur s along with th number of times that f atur was found. Theis
fr qu ncy r porting is on of th mor us ful asp cts of bulk_extractor. It is th histograms
that provid a gr at d al of cont xt to th cont nts of a disk imag . Particularly wh r
inv stigations involving fraud or PII ar conc rn d, th fr qu ncy of a cr dit card numb r or
mail addr ss can t ll an inv stigator, at a glanc , what accounts w r us d and th most
fr qu ntly us d accounts, or who th clos st associat s might b , tc. In our cas th
histogram shows only on instanc (n=1) of our s arch t rm.

barry@forensic1:~/bulk_out$ cat find_histogram.txt


# BANNER FILE NOT PROVIDED (-b option)
# BULK_EXTRACTOR-Version: 1.5.5 ($Rev: 10844 $)
# Feature-Recorder: find
# Filename: NTFS_Pract_2017/NTFS_Pract_2017.E01
# Histogram-File-Version: 1.1
n=1 uranium-235

L t’s run bulk_extractor again, but this tim w ’ll l av all th d fault scann rs
running and us a list of s arch t rms inst ad (just two). Chang back to your hom dir ctory,
and using a t xt ditor (vi), cr at a fiel with just th s two t rms:

[Uu]ranium-235
262698143

...w ’v turn d our fierst t rm into r gular xpr ssion that looks for ith r an upp r or
low rcas l tte r to start th word. The s cond is a “known victim” social s curity numb r 28.
Sav th fiel as myterms.txt.

W ’ll also cr at a bann r fiel so that all of our output fiel s hav a h ading that
id ntifie s th cas and th xamin r/analyst. Again, using a t xt ditor nt r information you
might want at th top of ach fiel :

Office of Investigations
Case of the Century
Case#: 2017-01-0001
Investigator: Barry Grundy

28
The s cond t rm is a social s curity numb r. Numb rs for this x rcis w r g n rat d with
http://www.theonegenerator.com/ssngenerator

262
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

...sav th fiel as mybanner.txt.

Now w ’ll r -run bulk xtractor, without disabling or nabling scann rs, using a
bann r fiel (-b mybanner.txt) and a fiel of t rms to s arch for (-F myterms.txt). The output
dir ctory will b blk_out_full (-o blk_out_full). With all th scann rs running, you will
s quit a f w mor fiel s in th output dir ctory.

barry@forensic1:~$ bulk_extractor -b mybanner.txt -F myterms.txt -o blk_out_full


NTFS_Pract_2017/NTFS_Pract_2017.E01
bulk_extractor version: 1.5.5
Hostname: forensic1
Input file: NTFS_Pract_2017/NTFS_Pract_2017.E01
Output directory: blk_out_full
Disk Size: 524288000
...
Overall performance: 4.91323 MBytes/sec (4.91323 MBytes/sec/thread)
Total email features found: 570

Theis command r sults in a gr at d al mor output (but k p in mind that fiel s of z ro


l ngth ar mpty – nothing found). Look at th cont nts of th find.txt fiel now:

barry@forensic1:~$ ls blk_out_full/
aes_keys.txt find_histogram.txt telephone_histogram.txt
alerts.txt gps.txt unrar_carved.txt
ccn.txt httplogs.txt unzip_carved.txt
ccn_histogram.txt ip.txt url.txt
ccn_track2.txt ip_histogram.txt url_facebook-address.txt
ccn_track2_histogram.txt jpeg_carved.txt url_facebook-id.txt
domain.txt json.txt url_histogram.txt
domain_histogram.txt kml/ url_microsoft-live.txt
elf.txt kml.txt url_searches.txt
email.txt pii.txt url_services.txt
email_domain_histogram.txt pii_teamviewer.txt vcard.txt
email_histogram.txt rar.txt windirs.txt
ether.txt report.xml winlnk.txt
ether_histogram.txt rfc822.txt winpe.txt
exif.txt sqlite_carved.txt winprefetch.txt
find.txt telephone.txt zip.txt

barry@forensic1:~/bulk_out_full$ cat find.txt


# Office of Investigations
# Case of the Century
# Case#: 2017-01-0001
# Investigator: Barry Grundy
# BULK_EXTRACTOR-Version: 1.5.5 ($Rev: 10844 $)
# Feature-Recorder: find

263
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

# Filename: NTFS_Pract_2017/NTFS_Pract_2017.E01
# Feature-File-Version: 1.1
1193351-PDF-92 262698143 629369510 SSN: 262698143
445901295-ZIP-9745 Uranium-235 ference between Uranium-235 and Uranium-238
445901295-ZIP-0-MSXML-857 Uranium-235 ference between Uranium-235 and Uranium-238

Not that now all th output fiel s also hav our mybanner.txt t xt at th top. And this
tim w s that our find.txt contains both th Uranium-235 hit w saw pr viously but also
th “victim” social s curity numb r w add d to our t rms list. W now hav f atur s that
w r found in a zip archiv (.docx fiel w id ntifie d arli r) and a PDF fiel (using th pdf
scann r). The Microsoftw Word fiel w id ntifie d arli r is now showing two f atur s inst ad of
on . Theis is b caus it was found by two scann rs, th zip scann r and th msxml scann r.

You can brows around th r st of th f atur fiel s and histograms to s what ls w


may hav uncov r d. The r ’s quit a bit of information th r and you can g t a g n ral id a of
things lik th us r’s browsing activity by looking at url_histogram.txt. You c rtainly can’t
draw conclusions, but high r fr qu ncy domains can provid som cont xt to you inv stigation.

On thing you may notic is that a larg numb r of th f atur s found by th email and
url scann rs (and oth rs) com from known sourc s. Ev ry op rating syst m and th xt rnal
softwwar w us has h lp fiel s, manuals, and oth r docum ntation that contain mail addr ss s,
t l phon numb rs, and w b addr ss s that ar unint r sting, but will still nd up in your
bulk_extractor f atur fiel s and histograms. The s fals positiv s can b limit d by using
stop lists. Much lik our myterms.txt fiel , a stop list can b a simpl list of t rms (or t rms
with cont xt) that ar block d from th r gular scann r f atur fiel s (but still r port d in
sp cial stopped.txt fiel s for ach scann r).

A fienal bulk_extractor capability that w ’ll m ntion bri flay h r is th wordlist


scann r. Disabl d by d fault, th wordlist scann r cr at s lists of words that can b us d to
atte mpt password cracking. In a normal bulk_extractor run, just us -e wordlist to nabl
th scann r, or us -E wordlist to run it on its own.

V ry quickly l ts go back and us our k yword hit on Uranium-235 to l arn about a


quick command lin .docx format fiel vi w r, catdocx. Theis is actually a v ry short script
rath r than a program, and it simply unzips th fiel and mak s th XML cont nt r adabl .

barry@forensic1:~$ su -
Password:

root@forensic1:~# wget https://raw.githubusercontent.com/jncraton/catdocx/master/


catdocx.sh -O /usr/bin/catdocx && chmod 755 /usr/bin/catdocx

root@forensic1:~# exit

264
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Theis command us s wget to download th catdocx script from github dir ctly to /usr/
bin/catdocx (with th -O option). The && allows us to run chmod imm diat ly aftw r th wget
compl t s to chang th p rmissions and mak th fiel x cutabl .

Now w can r -run th icat command w us d arli r on th MFT ntry pointing to


th Uranium-235 k yword. Theis tim w ’ll r -dir ct th output of icat to a fiel call d
NTFS.236. The n w us catdocx pip d through less to display th fiel :

barry@forensic1:~$ icat -o 2048 ../NTFS_Pract_2017/NTFS_Pract_2017.E01 236 >


NTFS.236

barry@forensic1:~$ catdocx NTFS.236 | less


Watch modern marvels the Manhattan project. You can find it in 5 parts on youtube
https://www.youtube.com/watch?v=SwHds1any9Y
https://www.youtube.com/watch?v=VGGAIuc5dWI
https://www.youtube.com/watch?v=eHvUgtVOP64
https://www.youtube.com/watch?v=aAXy5V-zRyc
https://www.youtube.com/watch?v=aJuBHzgLUAw
Name_______________________________
Modern Marvels: Manhattan Project
...
What is the difference between Uranium-235 and Uranium-238?
...

Physical Carving

W ’v s n a numb r of cas s in pr vious x rcis s wh r w n d d to locat fiel


h ad rs to r cov r data. W saw a sp cifiec n d for this with our xt4 x rcis wh r w
found out that dir ct block point rs w r no long r availabl for d l t d fiel s, making r cov ry
v ry difficcult. W also did manual r cov ry in our “Data Carving With dd” x rcis , locating
th h ad r of a JPEG fiel in h x and using dd to physically “carv ” out th fiel . A us ful skill,
but a bit t dious on a larg disk imag with pot ntially doz ns, hundr ds or v n thousands of
fiel s that might r quir r cov ry. If you ar unfamiliar with fiel carving, or n d a r fr sh r,
you can start r ading h r : http://forensicswiki.org/wiki/File_Carving

Sinc w gain d a cursory und rstanding of th m chanics of carving through our dd


probl m, w can mov on to mor automat d tools that do th work for us. The r ar a
numb r of tools availabl to accomplish this. W ar going to conc ntrat on just two.
Scalpel, and photorec. The latte r is from th testdisk packag .

265
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Scalpel

W ’ll start by installing scalpel. Us sboinstall to install it, b ing sur to r ad th


README fiel . If you ar not using Slackwar , go ah ad and us your distribution’s packag
manag m nt tool. You will s that for Slackwar , scalpel has a singl d p nd ncy that must
b install d fierst TRE, which is handl d automatically by sboinstall:

root@forensic1:~# sboinstall scalpel


Scalpel is a fast file carver that reads a database of header and footer
definitions and extracts matching files or data fragments from a set of
image files or raw device files. Scalpel is filesystem-independent and will
carve files from FATx, NTFS, ext2/3, HFS+, or raw partitions. It is useful
for both digital forensics investigation and file recovery.

To use it, you MUST have a conf file that defines the file types you want
to recover. Use the example scalpel.conf file from /usr/doc/scalpel

See the man page for details


...
Proceed with tre? [y]
tre added to install queue.
...
Proceed with scalpel? [y]
...
Install queue: tre scalpel

Are you sure you wish to continue? [y]


...
Package scalpel-2.0-x86_64-1_SBo.tgz installed.

Cleaning for scalpel-2.0...

If you r ad th README fiel (which you did, RIGHT?), you will s that w n d to copy
and dit th scalpel.conf fiel b for w can run th program. W can ith r dit and us it
in plac , or copy it to our working dir ctory which scalpel us s by d fault.

For now, w ’ll copy th scalpel.conf fiel that was install d with our packag to a n w
carve sub dir ctory in our /home dir ctory, which w ’ll cr at now, and dit it th r .

barry@forensic1:~$ mkdir ~/carve

barry@forensic1:~$ cd ~/carve

barry@forensic1:~/carve$ cp /usr/share/doc/scalpel-2.0/scalpel.conf .

266
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

The fienal “.” in th command abov signifie s th d stination, our curr nt dir ctory.
scalpel.conf starts out compl t ly comm nt d out. W will n d to uncomm nt som fiel
d fienitions in ord r to hav scalpel work. Op n it with vi (or your ditor of choic ) to dit.
You should tak tim to r ad th fiel as it xplains th structur of th fiel d fienitions in us ful
d tail.

barry@forensic1:~/carve$ vi scalpel.conf
# Scalpel configuration file

# This configuration file controls the types and sizes of files that
# are carved by Scalpel. NOTE THAT THE FORMAT OF THIS FILE WAS
# EXTENDED in Scalpel 1.90-->!

# For each file type, the configuration file describes the file's
# extension, whether the header and footer are case sensitive, the
# min/maximum file size, and the header and footer for the file. The
# footer field is optional, but extension, case sensitivity, size, and
# footer are required. Any line that begins with a '#' is considered
# a comment and ignored. Thus, to skip a file type just put a '#' at
# the beginning of the line containing the rule for the file type.

Scroll down to wh r th # GRAPHICS FILES s ction starts (for th purpos of our


x rcis ) and just uncomm nt v ry lin that describes a figle in that s ction. B car ful not to
uncomm nt lin s that should r main comm nts. To uncomm nt a lin , simply r mov th
hash (#) symbol at th start of th lin . The # GRAPHICS FILES s ction should look lik this
wh n you ar don ( xtra hash symbols don’t matte r, as long as th corr ct lin s ar
uncomm nt d, and th s ction lin s ar still comm nt d):

#---------------------------------------------------------------------
# GRAPHICS FILES
#---------------------------------------------------------------------
#
#
# AOL ART files
art y 150000 \x4a\x47\x04\x0e \xcf\xc7\xcb
art y 150000 \x4a\x47\x03\x0e \xd0\xcb\x00\x00

# GIF and JPG files (very common)


gif y 5000000 \x47\x49\x46\x38\x37\x61 \x00\x3b
gif y 5000000 \x47\x49\x46\x38\x39\x61 \x00\x00\x3b
jpg y 200000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9
jpg y 200000000 \xff\xd8\xff\xe1 \xff\xd9

# PNG
png y 20000000 \x50\x4e\x47? \xff\xfc\xfd\xfe

267
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

# BMP (used by MSWindows, use only if you have reason to think there are
# BMP files worth digging for. This often kicks back a lot of false
# positives

bmp y 100000 BM??\x00\x00\x00

# TIFF
tif y 200000000 \x49\x49\x2a\x00
# TIFF
tif y 200000000 \x4D\x4D\x00\x2A

If you look at th lin s for th jpg imag s, you will s th familiar patte rn that w
s arch d for during our dd carving x rcis . \xff\xd8 for th h ad r and \xff\xd9 for th
foot r. Wh n w run scalpel th s uncomm nt d lin s will b us d to s arch for patte rns.
Wh n you ar fienish d diting th fiel (doubl ch ck!), sav and quit with :wq

For this x rcis , w will us th able_3 split imag as our x rcis targ t. In our
Sl uth Kit x rcis #1B (d l t d fiel id ntifiecation and r cov ry – xt4), w ran across a numb r
of fiel s (lolitaz*) in th /home/ dir ctory that could not b r cov r d. Theis is an obvious us
cas for fiel carving.

Sinc w are abl to g t th allocat d fiel s from th /home partition on able_3, w


might want to limit our carving to unallocat d blocks only. Theis is a common way to carv fiel
syst ms – s parat th allocat d and th unallocat d and carv thos blocks only. W alr ady
l arn d how to xtract all unallocat d blocks from a fiel syst m using th TSK tool blkls. So
w ’ll start by xtracting th unallocat d fierst.

R m mb r that th TSK tools can work dir ctly on split imag s, so th r is no n d for
us to fus mount th imag or loop mount any fiel syst ms. Running mmls giv s us th fiel
syst m offos ts (if you r m mb r, th /home dir ctory was mount d on th s cond Linux fiel
syst m at offos t 104448). W us that with our blkls command. You can run a quick
r cursiv fls command using th -r option to r fr sh your m mory on th fiel s w ar
looking for. The fiel s with th ast risk ( * ) n xt to th inod numb r ar d l t d:

barry@forensic1:~/carve$ mmls ~/able_3/able_3.000


GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

Slot Start End Length Description


000: Meta 0000000000 0000000000 0000000001 Safety Table
001: ------- 0000000000 0000002047 0000002048 Unallocated
002: Meta 0000000001 0000000001 0000000001 GPT Header

268
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

003: Meta 0000000002 0000000033 0000000032 Partition Table


004: 000 0000002048 0000104447 0000102400 Linux filesystem
005: 001 0000104448 0000309247 0000204800 Linux filesystem
006: ------- 0000309248 0000571391 0000262144 Unallocated
007: 002 0000571392 0008388574 0007817183 Linux filesystem
008: ------- 0008388575 0008388607 0000000033 Unallocated

barry@forensic1:~/carve$ fls -o 104448 -r ~/able_3/able_3.000


d/d 11: lost+found
d/d 12: ftp
d/d 13: albert
+ d/d 14: .h
++ r/d * 15(realloc): lolit_pics.tar.gz
++ r/r * 16(realloc): lolitaz1
++ r/r * 17: lolitaz10
++ r/r * 18: lolitaz11
++ r/r * 19: lolitaz12
++ r/r 20: lolitaz13
++ r/r * 21: lolitaz2
++ r/r * 22: lolitaz3
++ r/r * 23: lolitaz4
++ r/r * 24: lolitaz5
++ r/r * 25: lolitaz6
++ r/r * 26: lolitaz7
++ r/r * 27: lolitaz8
++ r/r * 28: lolitaz9
+ d/d 15: Download
++ r/r 16: index.html
++ r/r * 17: lrkn.tar.gz
d/d 25689: $OrphanFiles

To obtain th unallocat d blocks using blkls:

barry@forensic1:~/carve$ blkls -o 104448 ~/able_3/able_3.000 > home.blkls

barry@forensic1:~/carve$ ls
home.blkls scalpel.conf*

The blkls command is run with th offos t (-o) pointing to th s cond Linux fiel syst m
that starts at s ctor 104448. The output is r dir ct d to home.blkls. The nam “hom ” is us d
to signify that this is th partition mount d as /home. Now w can s (with th ls command
abov ) that w hav two fiel s in th ~/carve dir ctory.

scalpel has a numb r of options availabl to adjust th carving. The r is an option to


hav scalpel carv th fiel s on block (or clust r) align d boundari s. Theis m ans that you

269
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

would b s arching for fiel s that start at th b ginning of a data block. B car ful doing that.
The trad offo h r is that whil you g t f w r fals positiv s, it also m ans that you miss fiel s
that may b mb dd d or “n st d” in oth r fiel s. Block align d s arching is don with th -q
<blocksize> option. Try this option lat r, and compar th output. To g t th block siz for
th targ t fiel syst m, you can us th fsstat command as w did in pr vious x rcis s.

You can carv multipl imag s at onc with th -i <listfile> option, and th r ar
oth r options to t st data (writ an audit fiel without carving).

In this cas , w ’ll us an option that allows us to prop rly pars mb dd d fiel s ( -e).
Theis option allows th prop r pairing of h ad rs and foot rs. Without th -e option, a h ad r
follow d by anoth r h ad r (as with an mb dd d fiel ), would r sult in both fiel s sharing th
sam foot r.

Finally, w ’ll us th -o option to r dir ct our carv d fiel s to a dir ctory w ar going to
call scalp_out and th -O option so th output r mains in a singl output dir ctory inst ad of
cat goriz d sub dir ctori s. Having th fiel s in a singl fold r mak s for asi r vi wing.

barry@forensic1:~/carve$ scalpel -o scalp_out -O -e home.blkls


Scalpel version 2.0
Written by Golden G. Richard III and Lodovico Marziale.
Multi-core CPU threading model enabled.
Initializing thread group data structures.
Creating threads...
Thread creation completed.

Opening target "/home/barry/carve/home.blkls"

Image file pass 1/2.


home.blkls: 100.0% |*******************************************| 91.3 MB
00:00 ETAAllocating work queues...
Work queues allocation complete. Building work queues...
Work queues built. Workload:
art with header "\x4a\x47\x04\x0e" and footer "\xcf\xc7\xcb" --> 0 files
art with header "\x4a\x47\x03\x0e" and footer "\xd0\xcb\x00\x00" --> 0 files
gif with header "\x47\x49\x46\x38\x37\x61" and footer "\x00\x3b" --> 0 files
gif with header "\x47\x49\x46\x38\x39\x61" and footer "\x00\x00\x3b" --> 1 files
jpg with header "\xff\xd8\xff\xe0\x00\x10" and footer "\xff\xd9" --> 6 files
jpg with header "\xff\xd8\xff\xe1" and footer "\xff\xd9" --> 0 files
png with header "\x50\x4e\x47?" and footer "\xff\xfc\xfd\xfe" --> 0 files
bmp with header "BM??\x00\x00\x00" and footer "" --> 0 files
tif with header "\x49\x49\x2a\x00" and footer "" --> 0 files
tif with header "\x4D\x4D\x00\x2A" and footer "" --> 0 files
Carving files from image.
Image file pass 2/2.
home.blkls: 100.0% |*******************************************| 91.3 MB
00:00 ETAProcessing of image file complete. Cleaning up...

270
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Done.
Scalpel is done, files carved = 7, elapsed = 2 secs.

barry@forensic1:~/carve$ ls scalp_out/
00000000.gif 00000002.jpg 00000004.jpg 00000006.jpg
00000001.jpg 00000003.jpg 00000005.jpg audit.txt

The output abov shows scalpel carving thos fiel typ s in which th d fienitions w r
uncomm nt d. Onc th command compl t s, a dir ctory listing shows th fiel s (with th
xt nsion for th carv d fiel typ add d) and an audit.txt fiel . The audit.txt fiel provid s a
log with th cont nts of scalpel.conf and th program output:

barry@forensic1:~/carve$ less scalp_out/audit.txt


Scalpel version 2.0 audit file
Started at Fri Jun 2 15:29:39 2017
Command line:
scalpel -o scalp_out -O -e home.blkls

Output directory: scalp_out


Configuration file: /home/barry/carve/scalpel.conf

------ BEGIN COPY OF CONFIG FILE USED ------


# Scalpel configuration file

# This configuration file controls the types and sizes of files that
# are carved by Scalpel. NOTE THAT THE FORMAT OF THIS FILE WAS
# EXTENDED in Scalpel 1.90-->!
...
------ END COPY OF CONFIG FILE USED ------

Opening target "/home/barry/carve/home.blkls"

The following files were carved:


File Start Chop Length Extracted
From
00000006.jpg 6586930 NO 6513 home.blkls
00000005.jpg 6586368 NO 64601 home.blkls
00000004.jpg 6278144 NO 15373 home.blkls
00000003.jpg 6249472 NO 27990 home.blkls
00000002.jpg 6129070 NO 5145 home.blkls
00000001.jpg 6128640 NO 94426 home.blkls
00000000.gif 6223872 NO 25279 home.blkls

Completed at Fri Jun 2 15:29:41 2017

271
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

The ntir scalpel.conf fiel is includ d in audit.txt. At th botteom of th output is


our list of carv d fiel s with th offos t th h ad r was found at, th l ngth of th fiel , and th
sourc (what was carv d). The column lab l d Chop would r f r to fiel s that had a maximum
numb r of byt s carv d b for th foot r was found. You can r ad th scalpel.conf fiel for a
mor d tail d d scription.

The fiel s can b vi w d with display at th command lin or with a GUI vi w r that
can provid a thumbnail and window d vi w. The program geeqie is a simpl xampl .

barry@forensic1:~/carve$ cd scalp_out/

barry@forensic1:~/carve/scalp_out$ geeqie

Illustration 6: Viewing carved figles with geeqie

The r ar oth r fiel s to b found in this unallocat d data. To illustrat this, l t’s look at
th scalpel.conf fiel again and add a diffo r nt h ad r d fienition for a bitmap fiel . Op n

272
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

scalpel.conf with your t xt ditor (vi) and add th following lin 29


(in r d) und r th curr nt
bmp lin in th # GRAPHICS FILES s ction:

# BMP (used by MSWindows, use only if you have reason to think there are
# BMP files worth digging for. This often kicks back a lot of false
# positives

bmp y 100000 BM??\x00\x00\x00


bmp y 300000 BM??\x04\x00\x00

H r w ’v chang d th max siz to 300000 byt s, and r plac d th fierst x00 string with
x04. Sav th fiel .

R -run scalpel again (writ to a diffo r nt output dir ctory - scalp_out2), and ch ck
th output:

barry@forensic1:~/carve$ scalpel -o scalp_out2 -O -e home.blkls


Scalpel version 2.0
Written by Golden G. Richard III and Lodovico Marziale.
Multi-core CPU threading model enabled.
Initializing thread group data structures.
Creating threads...
Thread creation completed.

Opening target "/home/barry/carve/home.blkls"

Image file pass 1/2.


home.blkls: 100.0% |*******************************************| 91.3 MB
00:00 ETAAllocating work queues...
Work queues allocation complete. Building work queues...
Work queues built. Workload:
art with header "\x4a\x47\x04\x0e" and footer "\xcf\xc7\xcb" --> 0 files
art with header "\x4a\x47\x03\x0e" and footer "\xd0\xcb\x00\x00" --> 0 files
gif with header "\x47\x49\x46\x38\x37\x61" and footer "\x00\x3b" --> 0 files
gif with header "\x47\x49\x46\x38\x39\x61" and footer "\x00\x00\x3b" --> 1 files
jpg with header "\xff\xd8\xff\xe0\x00\x10" and footer "\xff\xd9" --> 6 files
jpg with header "\xff\xd8\xff\xe1" and footer "\xff\xd9" --> 0 files
png with header "\x50\x4e\x47?" and footer "\xff\xfc\xfd\xfe" --> 0 files
bmp with header "BM??\x00\x00\x00" and footer "" --> 0 files
bmp with header "BM??\x04\x00\x00" and footer "" --> 1 files
tif with header "\x49\x49\x2a\x00" and footer "" --> 0 files
tif with header "\x4D\x4D\x00\x2A" and footer "" --> 0 files
Carving files from image.
Image file pass 2/2.
29
If you ar using vi to dit th fiel , you should copy and past th lin . With th cursor on th xisting
lin , us yy to copy th t xt (curr nt lin ) and th n p to past on th lin b low. The n dit that lin .

273
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

home.blkls: 100.0% |*******************************************| 91.3 MB


00:00 ETAProcessing of image file complete. Cleaning up...
Done.
Scalpel is done, files carved = 8, elapsed = 2 secs.

Looking at th highlight d output abov , w can s that a total of ight fiel s w r


carv d this tim . The bitmap d fienition w add d cl arly shows th scalpel.conf fiel can b
improv d on. It’s also not difficcult to do. Simply using xxd to fiend matching patte rns in groups
of fiel s can b nough for you to build a d c nt library of h ad rs. Particularly if you com
across many propri tary formats.

Giv n that carving can b approach d with a vari ty of algorithms, it might b a good
id a to run your data through mor than on tool. As a r sult of this, w ’ll also look at
photorec.

photorec

Part of th testdisk packag , photorec is anoth r carving program. It do s, how v r,


tak a v ry diffo r nt approach. photorec was not originally d sign d as a for nsic utility, but
rath r as a data r cov ry tool for p opl who los fiel s from SD cards and oth r m dia. It has
volv d into a v ry us ful tool for xtracting many diffo r nt fiel s from m dia. As part of th
testdisk packag , it is install d alongsid th testdisk tool its lf (for r cov ring partitions),
fidentify (sam basic id a as th fiel command, but l ss v rbos ), and qphotorec.
qphotorec is a GUI front nd to photorec.

274
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Illustration 7: Qphotorec - GUI frontend for photorec

W will, of cours , b sticking to th command lin v rsion h r (which is actually


m nu driv n). W can compar th output r c iv d from scalpel with th output from
photorec by running th carv on th sam home.blkls unallocat d data from our able_3
disk imag . First, log in as root (su -) and install th testdisk packag with sboinstall:

barry@forensic1:~/carve$ su -
Password:

root@forensic1:~# sboinstall testdisk


TestDisk is a powerful free data recovery software. It was primarily
designed to help recover lost partitions and/or make non-booting
disks bootable again when these symptoms are caused by faulty
software, certain types of viruses or human error (such as
accidentally deleting a Partition Table). Partition table recovery
using TestDisk is really easy.

PhotoRec is file data recovery software designed to recover lost files


including video, documents and archives from Hard Disks and CDRom and
lost pictures from digital camera memory.

275
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

If you want to enable the use of sudo run the script with SUDO=true

libewf is an optional dependency.

It looks like testdisk has options; would you like to set any when the SlackBuild
is run? [n]
...
Proceed with testdisk? [y]
...
Package testdisk-7.0-x86_64-1_SBo.tgz installed.

Cleaning for testdisk-7.0…

root@forensic1:~# exit

barry@forensic1:~/carve$

Running photorec from th command lin is simpl . W ’ll call and option for cr ating
a log fiel using /log (cr at d in th curr nt dir ctory) and providing an out put dir ctory /d
<dirname> (w ’ll us photorec_out). W will also point th program dir ctly at th
home.blkls unallocat d data from able_3. Theis will drop us into th photorec m nu.

barry@forensic1:~/carve$ photorec /log /d photorec_out home.blkls

The main m nu app ars with th home.blkls fiel alr ady s l ct d and load d. W ’ll go
through th m nu options quickly. It’s all fairly s lf xplanatory, and additional d tails can b
found at http://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step.

276
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Normally, th abov m nu would includ disk partitions from int rnal disks and
r movabl m dia, but sinc w sp cifiecally call d th home.blkls fiel , it is load d by d fault.
S l ct [Proceed] with th arrow k ys and hit <enter>.

277
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

If this w r a full disk imag , photorec would display th contain d fiel syst ms and
partitions. In this cas , it is simply unallocat d data and th r is no partition to display. S l ct
[Options] and hit <enter>.

The options provid d ar :


• Paranoid: Us d to validat fiel s that ar carv d. W ’ll l av it as Yes for now.
• Keep corrupted files: In normal us you might want to nabl this just to b saf
(coll ct as much data as possibl ). I’v n v r found it particularly us ful.
• Expert mode: Provid s additional options for s tteing sp cifiec disk g om try. Unl ss
you ar working with a corrupt disk imag with a mangl d partition tabl , you can
l av this at No
• Low memory: For r ally larg disk imag s wh r m mory b com s an issu .

Obviously f l fr to play with th options and xplor th diffo r nt m nus. For this
simpl x rcis , l aving th d faults as is will work just fien .

R turn to th main m nu by s l cting >Quit and from th main m nu choos [File


Opt] and hit <enter>

278
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Theis will bring you to th fiel s l ction m nu. photorec will r cov r almost fiev
hundr d diffo r nt fiel signatur s. You can s l ct or d s l ct from this m nu. For now w ’ll
l av th d fault fiel s l ctions in plac (th r ar a f w d s l ct d by d fault). s l ct [Quit]
again to r turn to th main m nu. At th main m nu, s l ct [ Search ] and hit <enter>

279
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Theis is wh r w s l ct th fiel syst m typ . W ’ll choos [ ext2/ext3 ] and hit


<enter>, starting th s arch.

Onc th s arch is compl t , you will s th numb r of fiel s r cov r d, and th output
dir ctory (photorec_out, which w sp cifie d on our command lin ). The carv is now
compl t . S l ct [ Quit ] in th subs qu nt m nus and xit th program You’ll b dropp d
back at th command prompt.

Looking at a dir ctory listing, you can s w now hav a n w output dir ctory,
photorec_out.1/ along with a log fiel that was cr at d with th /log option. Hav a look at
th log fiel , photorec.log with th less command.

barry@forensic1:~/carve$ ls
home.blkls photorec_out.1/ scalp_out2/
photorec.log scalp_out/ scalpel.conf*

barry@forensic1:~/carve$ less photorec.log


...
Sat Jun 3 11:05:47 2017
Command line: PhotoRec /log /d photorec_out home.blkls

PhotoRec 7.0, Data Recovery Utility, April 2015


Christophe GRENIER <grenier@cgsecurity.org>
...

280
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Disk home.blkls - 95 MB / 91 MiB - CHS 12 255 63 (RO), sector size=512

Elapsed time 0h00m01s


Pass 1 (blocksize=1024) STATUS_EXT2_ON
photorec_out.1/f0012156.gif 12156-12205
photorec_out.1/f0012206.jpg 12206-12261
photorec_out.1/f0012262.jpg 12262-12293
photorec_out.1/f0012294.bmp 12294-12863
photorec_out.1/f0012904.gz 12904-186965
Elapsed time 0h00m01s
Pass 1 +5 files
jpg: 2/4 recovered
bmp: 1/1 recovered
gif: 1/1 recovered
gz: 1/1 recovered
Total: 5 files found

12196 sectors contains unknown data, 2 invalid files found and rejected.

PhotoRec exited normally.

Lik scalpel, th log output provid s suitabl information for inclusion in a r port if
n d d, not that th offos t locations for ach carv d fiel ar giv n in sector offos t rath r than
byte offos t (multiply ach offos t giv n abov by 512 to compar th offos ts with th scalpel
audit.txt fiel ).

Hav a look at th output of photorec:

barry@forensic1:~/carve$ ls photorec_out.1/
f0012156.gif f0012262.jpg f0012904_lrkn.tar.gz
f0012206.jpg f0012294.bmp report.xml

The cont nts of th output dir ctory show photorec r cov r d not only a f w imag
fiel s, but also a fiel call d f0012904_lrkn.tar.gz. If you r call our able_3 x rcis , you’ll
r m mb r that this was a fiel of som int r st. photorec is us ful for far mor than just a f w
imag s. If you try and untar/ xtract th fiel , you’ll fiend it’s corrupt d. Som of it, how v r, is
still r cov rabl .

barry@forensic1:~/carve$ tar tzvf photorec_out.1/f0012904_lrkn.tar.gz


drwxr-xr-x lp/lp 0 1998-10-01 18:48 lrk3/
-rwxr-xr-x lp/lp 742 1998-06-27 11:30 lrk3/1
-rw-r--r-- lp/lp 716 1996-11-02 16:38 lrk3/MCONFIG
-rw-r--r-- lp/lp 6833 1998-10-03 05:02 lrk3/Makefile
-rw-r--r-- lp/lp 6364 1996-12-27 22:01 lrk3/README

281
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

...
-rw-r--r-- lp/lp 1996 1996-11-02 16:39 lrk3/z2.c

gzip: stdin: decompression OK, trailing garbage ignored


tar: Child returned status 2
tar: Error is not recoverable: exiting now

The r is still much information that can b gl an d from th r cov ry of this fiel . You
can s th README is on of thos fiel s r cov r d. W can us this to d fien strings for us to
s arch and p rhaps discov r wh r th archiv was d compr ss d and xtract d (which w did
arli r in our physical s arch x rcis ). Theis is on of th r asons w l ct to us mor than
on carving utility. Diffo r nc s in output can str ngth n our analysis.

On qu stion you might fiend yours lf asking is “How do I fficci ntly compar carv
output from two diffo r nt tools to g t an accurat count of fiel s r cov r d?”. In our v ry small
sampl produc d by th x rcis s h r , it’s a fairly simpl job. W just compar th imag fiel s
in a graphical vi w r. The r ar a littel ov r a doz n total imag s to r vi w. If, how v r, w
w r to carv a disk imag with hundr ds of unallocat d imag fiel s, th comparison would b
far mor difficcult. To addr ss this, l t’s hav a look at a simpl program that will do th work
for us.

Comparing and De-duplicating Carve Output

Obviously this is not a simpl matte r of comparing fiel nam s. The fiel s ar carv d from
th data blocks without any r gard to dir ctory ntri s or oth r fiel syst m information. So th
tools us th ir own naming sch m . Int r stingly photorec includ d th nam of th original
lrkn.tar.gz nam of th tar archiv in its output. Theis is b caus th nam of th fiel is part
of th fiel m tadata (run file f0012904_lrkn.tar.gz and you’ll s th gzip h ad r contains
th nam ).

On thing w can do is compar hash s. If hash s match, r gardl ss of fiel nam , th n


w know w hav two of th sam fiel s. On simpl way to do this would b to hash all th
fiel s in ach dir ctory (photorec_out and scalp_out2) and writ th m to a fiel . W could
th n sort this fiel by th hash and look for duplicat s. Theis can b don in on command. Not
that w us f0* and 0* for th md5sum command in ach dir ctory so that w g t just th carv
output fiel s and not th log/audit fiel s from ach tool.

barry@forensic1:~/carve$ md5sum photorec_out.1/f0* scalp_out2/0* | sort


110983800a177c1746c54b15edec989a photorec_out.1/f0012156.gif
110983800a177c1746c54b15edec989a scalp_out2/00000000.gif
2d7d4def42fcbcc0c813a27505f0508b photorec_out.1/f0012904_lrkn.tar.gz
357ca99e654ca2b179e1c5a0290b1f94 photorec_out.1/f0012262.jpg
357ca99e654ca2b179e1c5a0290b1f94 scalp_out2/00000004.jpg
437a614c352b03a6a4575e9bbc2070ae photorec_out.1/f0012206.jpg

282
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

437a614c352b03a6a4575e9bbc2070ae scalp_out2/00000003.jpg
6742ca9862a16d82fdc4f6d54f808f41 scalp_out2/00000007.bmp
a0794399a278ce48bfbd3bd77cd3394d scalp_out2/00000002.jpg
aa607253fc9b0a70564228ac27ad0b13 scalp_out2/00000006.jpg
b5ca633bea09599c3fb223b4187bb544 photorec_out.1/f0012294.bmp
b6703670db3f13f23f7a3ed496a2b95c scalp_out2/00000001.jpg
f979cd849ccdd5c00fd396b600a9a283 scalp_out2/00000005.jpg

By sorting th output, th duplicat hash s ar list d tog th r. From th output abov ,


w can s that th s two fiel s ar id ntical:

110983800a177c1746c54b15edec989a photorec_out.1/f0012156.gif
110983800a177c1746c54b15edec989a scalp_out2/00000000.gif

Theis can b r -dir ct d to a fiel for lat r proc ssing.

barry@forensic1:~/carve$ md5sum photorec_out.1/f0* scalp_out2/0* | sort >


carvehash.txt

W ll, this is fien . But it might also b nic to actually d -duplicat th fiel s by r moving
on of th duplicat s. Again, asy nough in our small sampl h r , but far mor chall nging
and tim consuming if you ar d aling with hundr ds or thousands of contraband imag s you
n d to sort and accurat ly count.

For this w can us a program call d fdupes. fdupes works using both fiel nam s and
hash s to fiend, r port, and if r qu st d – r mov duplicat fiel s from us r sp cifie d dir ctori s.
It is asy to us and v ry ffo ctiv .

barry@forensic1:~/carve$ su -
Password:

root@forensic1:~# sboinstall fdupes


FDUPES is a program for identifying or deleting duplicate files residing
within specified directories.

Proceed with fdupes? [y]


...
Package fdupes-1.51-x86_64-2_SBo.tgz installed.

Cleaning for fdupes-1.51…

root@forensic1:~# exit

283
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

W will run fdupes twic (always good practic ). The fierst run will show all th
duplicat d fiel s, ach pair on a singl lin . R vi w th output to nsur th r ar no
un xp ct d fiel s, and th n r -run th command with th --delete option.

barry@forensic1:~/carve$ fdupes -R -1 photorec_out.1/ scalp_out2/


scalp_out2/00000000.gif photorec_out.1/f0012156.gif
scalp_out2/00000003.jpg photorec_out.1/f0012206.jpg
scalp_out2/00000004.jpg photorec_out.1/f0012262.jpg

The options w pass ar -R for r cursion. The r ar no sub fold rs in this xampl , but
it n v r hurts to allow r cursion. Particularly on larg scal xaminations wh r carv output
can b quit massiv and you might hav sp cifie d cat goriz d output for scalpel in
particular (diffo r nt fiel typ s in diffo r nt dir ctori s). W also us th -1 option to put
match s on th sam lin . Theis is p rsonal pr f r nc . Run without this option and s what
you pr f r.

Onc th output has b n pr vi w d, r -run th command with th --delete option to


k p only th fierst fiel in ach pair (or s t). If you’v r vi w d th output prior to d l ting,
th n you might want to add th -N option for “no prompt”. Us at your own discr tion.
Without -N, if you hav hundr ds of pairs of matching fiel s, you’ll n d to confierm ach
d l tion.

barry@forensic1:~/carve$ fdupes -R -N --delete photorec_out.1/ scalp_out2/

[+] scalp_out2/00000000.gif
[-] photorec_out.1/f0012156.gif

[+] scalp_out2/00000003.jpg
[-] photorec_out.1/f0012206.jpg

[+] scalp_out2/00000004.jpg
[-] photorec_out.1/f0012262.jpg

The output abov indicat s that th fierst fiel has b n k pt [+] and th s cond fiel
d l t d [-]. If th r w r mor than on matching fiel in ach s t, th n only th fierst would
r main. To b tte r control this b havior, r mov th -N option and you can s l ct which fiel s to
k p.

Theis conclud s our physical carving s ction. W ’v l arn d how to carv fiel s from
unallocat d spac , vi w th fiel s, sort th m, and r mov duplicat s in an fficci nt mann r.

284
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Application Analysis

W ’v now cov r d s v ral of th lay rs w discuss d pr viously, including th physical


and m dia manag m nt lay rs for disk information and partition layout; fiel syst m tools for
gath ring information on th fiel syst m statistics; and tools to work on individual fiel s to
s arch cont nt and id ntify fiel typ s of int r st. W ’v v n don som data r cov ry at th
physical block lay r – r gardl ss of volum and fiel syst m through carving and xt nsiv
s arch s. So now that w ’v r cov r d fiel s, what do w do with th m?

Theis is wh r th Application Layer of our analysis mod l com s in. For our purpos s
h r , th t rm “application” can b thought of as op rating syst m or us r int ractiv fiel s -
that is: fiel s that ar cr at d by applications acc ss d by th op rating syst m or through us r
int raction ( ith r with th op rating syst m or xt rnal softwwar ).

In simpl st t rms, application analysis can b as simpl as vi wing th fiel dir ctly for
cont nt – w ’v us d catdoc and catdox for MS Officc fiel s, various imag vi w rs lik
geeqie, xv and display for pictur s, and simpl t xt vi w rs lik less for simpl ASCII fiel s.
But for nsic analysis is much mor than simply r cov ring fiel s and displaying th cont nt.
Theat sort of activity is r ally just data recovery. Digital forensics, how v r, n ds to includ
oth r t chniqu s:

• t mporal analysis (when did it happ n?)


• atteribution (who mad it happ n?)
• activity mapping (how did it happ n?)

Obviously w can gl an som of this information through th analysis w ’v don


alr ady, using fiel tim s w s in th istat output or th location of fiel s in a particular us r’s
home dir ctory or Users fold r.

In ord r to dig a littel d p r, w ar going to hav a look at som simpl applications


that will allow us to p r into th Windows R gistry, Windows Ev nt logs, and oth r artifacts
to obtain additional for nsically us ful information. W ’ll do this using som utiliti s from th
libyal proj ct.

You can r ad mor about libyal at https://github.com/libyal/libyal/wiki.


The r ar a coupl of important not s on th s librari s w n d to cov r b for w b gin.
First and for most, mak sur you und rstand that many of th s librari s ar in alpha or
experimental status, m aning th y ar not fully matur d and, as th abov sit v ry cl arly
stat s, ar subj ct to br ak and/or chang . The proj cts w will look at h r ar in alpha status.
The y hav b n t st d on som simpl sampl fiel s, but make sure that you test them in
your own nvironm nt prior to us . The s ar xc ll nt proj cts, and w ll worth k ping up
with, but mak sur you know what you ar doing (and s ing) b for using th m in
production. Using softwwar that is cl arly mark d alpha or experimental is not r comm nd d
for production cas work unl ss you und rstand and t st th output for yours lf. For th tim

285
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

b ing, th s mak for xc ll nt t rtiary cross-v rifiecation tools and v hicl s for l arning
sp cifiec artifacts and structur .

Registry Parsing #1 - UserAssist

L t’s start our xploration of libyal and application analysis by looking at sp cifiec
Windows r gistry fiel s.

As usual, w start with th disclaim r that this s ction is not about l arning r gistry
for nsics. It’s about th tools. Of cours you might gain som knowl dg along th way, but
that is not our purpos h r . If you want to look d p r into th s r gistry fiel s and l arn mor
about th art of r gistry for nsics, th n I strongly sugg st you look to th xc ll nt book 30
writte n by Harlan Carv y on th subj ct (and brows his blog 31). You might want to hav a
basic und rstanding of r gistry structur b for you b gin this x rcis , so you hav som
cont xt for what’s to com . And, of cours th r ar oth r (fast r and mor compr h nsiv )
ways to pars a r gistry. For xampl , Harlan Carv y’s w ll known RegRipper will run just
fien on Linux.

Our r al purpos in this s ction is to show you how to do this sort of analysis at th
byt l v l, using som common Linux tools lik xxd and tr, rath r than r lying on mor
automat d tools to do it for you. What w do h r is not much diffo r nt from what th P rl
scripts in RegRipper do (although w simplify it som what h r ).

First, though, w n d to hav a r gistry fiel to work on. W ’ll start with th
NTUSER.DAT fiel from th AlbertE account in our NTFS fiel syst m sampl
(NTFS_Pract_2017.E01).

W n d to mak sur w obtain th corr ct NTUSER.DAT. The r ar a coupl of ways


w can locat and xtract th fiel from a disk imag . You can mount th imag (in our cas
using ewfmount), brows to th fiel and xtract by copying it out of th mount d fiel syst m.
Theis r quir s a f w mor st ps than w n d to do though, so w ’ll d monstrat it h r with
two simpl location m thods, and th n xtract th fiel with icat.

Sinc w ar targ ting th AlbertE account, and w know that a sp cifiec us r’s
NTUSER.DAT fiel is in th /Users/$USERNAME/ fold r, w can us ifind to targ t th sp cifiec
fiel by nam . To run ifind, w us mmls as w did pr viously to fiend th offos t to th fiel
syst m in our imag :

30
https://www.elsevier.com/books/windows-registry-forensics/carvey/978-1-59749-580-6
31
http://windowsir.blogspot.com/

286
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

barry@forensic1:~$ mmls NTFS_Pract_2017/NTFS_Pract_2017.E01


DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot Start End Length Description


000: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
001: ------- 0000000000 0000002047 0000002048 Unallocated
002: 000:000 0000002048 0001023999 0001021952 NTFS / exFAT (0x07)

barry@forensic1:~$ ifind -n "users/alberte/ntuser.dat" -o 2048


NTFS_Pract_2017/NTFS_Pract_2017.E01
285

So h r w us ifind (fiend th “inod ”, or m ta-data structur ) using -n to fiend by


nam , at th 2048 offos t w again found in our NTFS fiel syst m imag by running mmls. The
r turn valu w g t from ifind is 285, th MFT ntry for th AlbertE account’s NTUSER.DAT
fiel .

Alt rnativ ly, if you want to s arch for all th NTUSER.DAT fiel s on a syst m, you could
us fls with th option to r cursiv ly list all r gular fiel s (-Fr), gr pping th output for
NTUSER.DAT. In ith r cas , w again fiend th MFT ntry for AlbertE’s NTUSER.DAT is 285:

barry@forensic1:~$ fls -Fr -o 2048 NTFS_Pract_2017/NTFS_Pract_2017.E01 | grep


NTUSER.DAT
r/r 285-128-2: Users/AlbertE/NTUSER.DAT
r/r 286-128-2: Users/ElsaE/NTUSER.DAT

Onc you’v id ntifie d th MFT ntry using on of th two m thods abov , you can
simply xtract th fiel with icat, arbitrarily naming th output (w us NTUSER.285 h r ).
Run th file command to ch ck th r sulting typ :

barry@forensic1:~$ icat -o 2048 NTFS_Pract_2017/NTFS_Pract_2017.E01 285 >


NTUSER.285

barry@forensic1:~$ file NTUSER.285


NTUSER.285: MS Windows registry file, NT/2000 or above

Now that w hav th r gistry fiel w want w can choos a sp cifiec k y to s arch for
us ful information. As an xampl , w ’ll look at th UserAssist ntri s. The s ntri s occur
in th r gistry wh n a us r x cut s a program from th d sktop. UserAssist ntri s ar

287
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

locat d at Software\Microsoft\Windows\CurrentVersion\Explorer\. For a compl t


xplanation, I r f r you again to th afor m ntion d book by Harlan Carv y.

So w hav our r gistry fiel , NTUSER.DAT, and targ t k y, UserAssist. W n d


softwwar to acc ss th data. For this, w install libregf:

barry@forensic1:~$ su -
Password:

root@forensic1:~# sboinstall libregf


...
Cleaning for libregf-20170130…

root@forensic1:~# exit

You can hav a look at th utiliti s that w r install d by this packag by looking at th
packag fiel in /var/log/packages:

barry@forensic1:~$ grep usr/bin /var/log/packages/libregf-20170130-x86_64-1_SBo


usr/bin/
usr/bin/regfexport
usr/bin/regfinfo
usr/bin/regfmount

W can s that th packag cam with thr x cutabl programs plac d in /usr/bin.
W will conc ntrat on using regfmount. Much lik libewf’s ewfmount (which is also part of
th libyal proj ct) regfmount provid s a fus fiel syst m int rfac to a fiel obj ct, in this cas
ar gistry fiel . The usag is v ry similar. First, w ’ll cr at a mount point in our curr nt
dir ctory, follow d with th r gistry b ing mount d:

barry@forensic1:~$ mkdir ntusermnt

barry@forensic1:~$ regfmount NTUSER.285 ntusermnt/


regfmount 20170130

barry@forensic1:~$ cd ntusermnt

barry@forensic1:~/ntusermnt$ ls
AppEvents/ EUDC/ Keyboard\ Layout/ Software/
Console/ Environment/ Network/ System/
Control\ Panel/ Identities/ Printers/

288
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

The r gistry fiel NTUSER.285 is mount d using regfmount on th mount point w


cr at d, ntusermnt (in th curr nt dir ctory). Wh n w chang to th ntusermnt dir ctory,
w s th cont nts of th r gistry fiel in th sam sort of hi rarchical structur as would b
found in any oth r r gistry vi w r. Theis w can now navigat and vi w using normal
command lin utiliti s. So l t’s navigat to th UserAssist k y and vi w th cont nts.

barry@forensic1:~/ntusermnt$ cd
Software/Microsoft/Windows/CurrentVersion/Explorer/UserAssist/

barry@forensic1:~/ntusermnt/Software/Microsoft/Windows/CurrentVersion/Explorer/
UserAssist$ ls
{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}/
{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}/

You can s onc w chang into that dir ctory our prompt is quit long! Wh n w run
our ls command, w s two cryptic looking dir ctory (GUID) ntri s. Chang dir ctory into
{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}32 and th sub dir ctory Count/(values). Not
that wh n you typ th (values) sub dir ctory, you will n d to scap th par nth s s with
\, so you will us \(values\).

barry@forensic1:~/ntusermnt/Software/Microsoft/Windows/CurrentVersion/Explorer/
UserAssist$ cd \{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F\}/

barry@forensic1:~/ntusermnt/Software/Microsoft/Windows/CurrentVersion/Explorer/
UserAssist/{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}$ cd Count/\(values\)/

barry@forensic1:~/ntusermnt/Software/Microsoft/Windows/CurrentVersion/Explorer/
UserAssist/{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}/Count/(values)$

Now hav a look at th cont nts of this dir ctory. I’m going to abbr viat th command
prompt with ... to mak th lin s mor r adabl .

barry@forensic1:~.../Count/(values)$ ls
HRZR_PGYFRFFVBA
HRZR_PGYPHNPbhag:pgbe
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\\\Jvaqbjf\ Snk\ naq\ Fpna.yax
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\\\KCF\ Ivrjre.yax
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\\\Npprffbevrf\\\\Cnvag.yax
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\\\Npprffbevrf\\\\Erzbgr\ Qrfxgbc\
Pbaarpgvba.yax
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\\\Npprffbevrf\\\\Favccvat\ Gbby.yax

Theis is wh r bash compl tion com s in r al handy. Wh n using th cd command h r , typ th fierst
32

two charact rs and hit th <tab> k y( cd {F<tab> )...The r st will fiell in automatically. B st. F atur .
Ev r

289
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\\\Npprffbevrf\\\\Fgvpxl\ Abgrf.yax
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\\\Npprffbevrf\\\\Jrypbzr\ Pragre.yax
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\\\Npprffbevrf\\\\Pnyphyngbe.yax
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\\\Npprffbevrf\\\\qvfcynlfjvgpu.yax
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\\\\Nqzvavfgengvir\ Gbbyf\\\\Pbzchgre\
Znantrzrag.yax
{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\\\\GnfxOne\\\\Jvaqbjf\ Rkcybere.yax
{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\\\\GnfxOne\\\\Tbbtyr\ Puebzr.yax
{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\\\\GnfxOne\\\\Vagrearg\ Rkcybere.yax
{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\\\\GnfxOne\\\\Zbmvyyn\ Sversbk.yax
{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\\\\Npprffbevrf\\\\Npprffvovyvgl\\\\
Zntavsl.yax
{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\\\\Npprffbevrf\\\\Pbzznaq\ Cebzcg.yax

So if you did any r ading on this particular r gistry k y, you’ll fiend that th abov
ntri s (or “fiel s” in our fus mount d fiel syst m) ar ROT 13 obfuscat d. Theis m ans that th
charact rs in ach string abov ar swapp d a-m or A-M for th corr sponding n-z or N-Z, so
an “a” b com s an “n” and a “b” b com s an “o”, and so on. W can d -obfuscat this t xt with
th tr command w ’v us d pr viously to r plac on charact r with anoth r. In this cas
w ’ll b r placing charact rs n-za-m with a-z, tc. L t’s try this on th r p ating string at th
nd of v ry lin , .yax:

barry@forensic1:~.../Count/(values)$ echo ".yax" | tr 'n-za-mN-ZA-M' 'a-zA-Z'


.lnk

W can s that th .yax string at th nd of ach lin is actually th .lnk fiel xt nsion
(indicating a link or shortcut fiel ).

So what’s th b st way to run th abov tr command on all th fiel s in th


/Count/(values) dir ctory? W can go back to th short bash loop w introduc d in th
Viewing Files s ction of this guid :

barry@forensic1:~.../Count/(values)$ for file in *


> do
> echo $file | tr 'n-za-mN-ZA-M' 'a-zA-z'
> done
./UEME_CTLSESSION
./UEME_CTLCUACount:ctor
./{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Windows Fax and Scan.lnk
./{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\XPS Viewer.lnk
./{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Accessories\\Paint.lnk
./{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Accessories\\Remote Desktop
Connection.lnk
./{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Accessories\\Snipping Tool.lnk

290
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

./{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Accessories\\Sticky Notes.lnk
./{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Accessories\\Welcome Center.lnk
./{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Accessories\\Calculator.lnk
./{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Accessories\\displayswitch.lnk
./{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\\Administrative Tools\\Computer
Management.lnk
./{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\\TaskBar\\Windows Explorer.lnk
./{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\\TaskBar\\Google Chrome.lnk
./{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\\TaskBar\\Internet Explorer.lnk
./{9E3995AB-1F9C-4F13-B827-48B24B6C7174}\\TaskBar\\Mozilla Firefox.lnk
./{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Accessories\\Accessibility\\Magnify.lnk
./{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\\Accessories\\Command Prompt.lnk

For r vi w, th fierst lin of a bash loop abov m ans “for v ry file in th curr nt
dir ctory (./*), do th following echo | tr command, follow d by th bash k yword done to
clos th loop.

You can s from th output that w ’v d -obfuscat d th “fiel ” nam s. The d -


obfuscat d output match s th original output lin for lin . Theis m ans th s ar th sam 33

(third from th botteom):

{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\\\\GnfxOne\\\\Zbmvyyn\ Sversbk.yax
{9E3995AB-1F9C-4F13-B827-48B24B6C7174} \\TaskBar \\Mozilla Firefox.lnk

Theat particular ntry is for a link to Mozilla Fir fox. The GUID valu in th front of th fiel
nam r pr s nts th FOLDERID_UserPinned “known fold r”34. If w want to vi w th cont nts or
“valu ” of th ntry, w n d to us th ROT-13 nam on th command lin . W can us xxd to s
th raw valu s in h x.

barry@forensic1:~.../Count/(values)$ xxd \{9R3995NO-1S9P-4S13-O827-


48O24O6P7174\}\\\\GnfxOne\\\\Zbmvyyn\ Sversbk.yax
00000000: 0000 0000 0400 0000 0000 0000 0400 0000 ................
00000010: 0000 80bf 0000 80bf 0000 80bf 0000 80bf ................
00000020: 0000 80bf 0000 80bf 0000 80bf 0000 80bf ................
00000030: 0000 80bf 0000 80bf ffff ffff c03a bc03 .............:..
00000040: f8be d201 0000 0000 ........

A count of th numb r of tim s this link was us d can b found at offos t 0x04
(highlight d in y llow). So this link was acc ss d 4 tim s, according to this ntry. The dat in
Windows FILETIME format can b found at offos t 0x3c (highlight d in blu ).

33
The xtra scap (\) charact rs in th obfuscat d output is b caus th ls command scap s th spac s.
The echo command us d with th tr command do s not.
34
https://msdn.microsoft.com/en-us/library/windows/desktop/dd378457(v=vs.85).aspx

291
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Whil th acc ss count at 0x04 is asy to d ciph r, th Windows dat valu is not. I us
a small python script to d cod th tim valu (th numb r of 100 nanos cond blocks sinc
January 1, 1601). You can download th python script ( WinTime) using wget:

barry@forensic1:~.../Count/(values)$ wget http://www.linuxleo.com/Files/WinTime -


O ~/WinTime.py

Sinc w ar curr ntly in th ntusermnt mount point, b sur to us th wget -O


option to writ th fiel to you hom dir ctory ( ~/WinTime.py). You don’t want to try and
download the fille to the current directory (it’s our fus mount d r gistry point).

Onc you hav th script, you can copy th h x valu and provid it as an argum nt to
WinTime.py. B sur to r mov th spac s from th valu (w ’ll us an alt rnativ way of
g tteing this valu from xxd lat r):

barry@forensic1:~.../Count/(values)$ python ~/WinTime.py c03abc03f8bed201


Thu Apr 27 01:45:57 2017

If you did a full install of Slackwar , Python should alr ady b on your syst m. Not
that th python command points to th WinTime.py fiel w pr viously nam d with wget -O.
The ~ indicat s th fiel is in our hom dir ctory. Theis l av s us with a last x cution tim of
April 27 at approximat ly 01:45. A compl t for nsic ducation r garding r gistry ntri s,
int rpr ting dat s and tim s, and tim zon adjustm nt is far outsid th scop of this guid ,
but mak sur you tak tim s tteings, tim zon s and clock sk w into account for any for nsic
xamination wh r dat s ar m aningful. Fil dat s and tim stamps ar on of th pitfalls of
analysis. R ad up on th subj ct compl t ly b for making any int rpr tations.

Sp aking of dat s and tim s, how would b go about fiending th last writ tim of th
Us rAssist sub k y its lf? W ’v b n looking at and d coding sub k y values, but th last
writ tim of a k y is mor akin to a property of th k y its lf. With th r gistry fiel fus
mount d through regfmount, th k ys and sub-k ys act as dir ctori s. If you run th ls -l
command, you can s a dat associat d with th k ys. Chang dir ctori s up so your curr nt
working dir ctory is
/ntusermnt/Software/Microsoft/Windows/CurrentVersion/Explorer/. Theis would b up
four l v ls, or up to th “par nt dir ctory [../] four tim s”. The n run ls -l:

barry@forensic1:~/ntusermnt/Software/Microsoft/Windows/CurrentVersion/Explorer/
UserAssist/{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}/Count/(values)$ cd ../../../..

barry@forensic1:~/ntusermnt/Software/Microsoft/Windows/CurrentVersion/Explorer
$ ls -l
total 0
dr-xr-xr-x 2 barry users 0 May 1 12:39 (values)/

292
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

dr-xr-xr-x 2 barry users 0 Apr 30 15:45 Advanced/


dr-xr-xr-x 2 barry users 0 Apr 5 21:39 ApplicationDestinations/
...
dr-xr-xr-x 2 barry users 0 Apr 5 21:39 TypedPaths/
dr-xr-xr-x 2 barry users 0 Apr 5 21:35 User\ Shell\ Folders/
dr-xr-xr-x 2 barry users 0 Apr 5 21:36 UserAssist/
...

The tim shown for th UserAssist “dir ctory” is Apr 5 21:36. A mor pr cis tim
can b shown with th stat command run on th dir ctory:

barry@forensic1:~/ntusermnt/Software/Microsoft/Windows/CurrentVersion/Explorer
$ stat UserAssist/
File: 'UserAssist/'
Size: 0 Blocks: 0 IO Block: 4096 directory
Device: 25h/37d Inode: 8 Links: 2
Access: (0555/dr-xr-xr-x) Uid: ( 1000/ barry) Gid: ( 100/ users)
Access: 2017-04-05 21:36:50.000000000 -0400
Modify: 2017-04-05 21:36:50.000000000 -0400
Change: 2017-04-05 21:36:50.000000000 -0400
Birth: -

H r w g t th mor pr cis tim of 2017-04-05 21:36:50.000000000 -0400.


Mak particular not of th fact that th tim zon is shown as -0400. B caus this is b ing
run within a fus mount point, th tim s ar shown in th host syst m tim , NOT th tim
zon of th sourc of th r gistry fiel . The r st of th information is also larg ly us l ss, as it is
not r ally associat d with th original sourc data. What w hav shown h r is that th last
writ tim of th UserAssist k y is 2017-04-05 21:36:50.000000000 -0400. If w add
four hours to th output, w g t 2017-04-06 01:36:50.000000000 UTC.

Registry Parsing #2 – SAM and Accounts

L t’s look at anoth r r gistry fiel , th SAM hiv . The SAM hiv can hav a gr at d al of
information availabl if th r ar local accounts pr s nt on th syst m. Again, w ’r not going
to go through a compr h nsiv analysis, w ’r just going to hav a look at a f w valu s of on
of th mor important k ys.

W can grab th SAM hiv th sam way w did th NTUSER.DAT, fierst s arching for th
prop r MFT ntry using fls and th n using icat to xtract th fiel :

barry@forensic1:~$ fls -Fr -o 2048 NTFS_Pract_2017/NTFS_Pract_2017.E01 | grep SAM


r/r 178-128-2: Windows/System32/config/SAM

293
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

So our targ t MFT ntry h r is 178. Now w ’ll xtract with icat and ch ck th fiel
typ again with th file command. The fiel nam w us on th xtract d fiel is arbitrary.
Nam it how v r you lik . Consist ncy is a good id a, though.

barry@forensic1:~$ icat -o 2048 NTFS_Pract_2017/NTFS_Pract_2017.E01 178 > SAM.178

barry@forensic1:~$ file SAM.178


SAM.178: MS Windows registry file, NT/2000 or above

Now w ’ll cr at a mount point for th SAM fiel and us regfmount to fus mount th
hiv .

barry@forensic1:~$ mkdir sammnt

barry@forensic1:~$ regfmount SAM.178 sammnt/


regfmount 20170130

Sinc w alr ady pull d th NTUSER.DAT fiel for th AlbertE account, l t’s hav a look
at th sam account in th SAM fiel . If w chang dir ctori s down to
SAM/Domains/Account/Users, w ’ll s th following list of pot ntial accounts:

barry@forensic1:~$ cd sammnt/SAM/Domains/Account/Users/

barry@forensic1:~/sammnt/SAM/Domains/Account/Users$ ls
(values)/ 000001F4/ 000001F5/ 000003E8/ 000003E9/ Names/

What w s in th output abov ar a s ri s of sub k ys (thos starting with 00000*


that r pr s nt th h x valu of account Relative ID. W can translat th s with bc, as w
would any h x valu :

echo “ibase=16; 000001F4” | bc

But l t’s do it all at onc with a for loop to r p at th command across all th
dir ctori s (but only thos that ar a h x valu ):

barry@forensic1:~/sammnt/SAM/Domains/Account/Users$ for name in 00000*


> do
> echo "ibase=16;$name" | bc
> done
500

294
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

501
1000
1001

If you r ad up on Windows accounts, you’ll s w hav th syst m administrator (RID


500), th gu st account (RID 501), and a pair of us r accounts (1000 and 1001). The r ar a
numb r of ways to associat th accounts with particular us rs, but w will simply navigat to
th valu s und r th 000003E8/ sub k y.

barry@forensic1:~/sammnt/SAM/Domains/Account/Users$ cd 000003E8/\(values\)/

barry@forensic1:~/sammnt/SAM/Domains/Account/Users/000003E8/(values)$ ls
F UserPasswordHint V

W hav thr “fiel s” h r to look at. A v ry quick p k at th botteom of th V fiel


shows th us rnam associat d with this account:

bbarry@forensic1:~/sammnt/SAM/Domains/Account/Users/000003E8/(values)$ xxd V
...
00000160: 0000 0001 0000 0000 0102 0000 0000 0005 ................
00000170: 2000 0000 2002 0000 0102 0000 0000 0005 ... ...........
00000180: 2000 0000 2002 0000 4100 6c00 6200 6500 ... ...A.l.b.e.
00000190: 7200 7400 4500 0000 0102 0000 0700 0000 r.t.E...........
000001a0: 0300 0100 0300 0100 13c4 df6f 671a 70d2 ...........og.p.
000001b0: 0c04 49e1 c16e c39a 0300 0100 0300 0100 ..I..n..........

The highlight d r d t xt shows th associat d account as that of AlbertE. The


UserPasswordHint is fairly obvious. But l t’s hav a look at th cont nts of F:

barry@forensic1:~/sammnt/SAM/Domains/Account/Users/000003E8/(values)$ xxd F
00000000: 0200 0100 0000 0000 678e 5df7 f7c1 d201 ........g.].....
00000010: 0000 0000 0000 0000 20d7 bf15 76ae d201 ........ ...v...
00000020: ffff ffff ffff ff7f 5ce9 5df2 f7c1 d201 ........\.].....
00000030: e803 0000 0102 0000 1402 0000 0000 0000 ................
00000040: 0000 0700 0100 0000 0000 4876 488a 3600 ..........HvH.6.

Unlik th V or UserPasswordHint fiel s, F do s not display any obvious data. What


you ar s ing is account information for th us r AlbertE, including:

• Last Login Dat : offos t 8


• Password S t/R s t Dat : offos t 24

295
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

• Last Fail d Login : offos t 40

...and oth r account information (numb r of logins, RID, tc.). W ar going to conc ntrat on
th dat s at th offos ts shown abov . W ’v alr ady conv rt d similar dat s using th python
WinTime.py script. W could typ ach valu on th command lin , and run th script
s parat ly for ach valu . A b tte r way, how v r, would b to us th command lin to giv us
just th valu w want, and pass ach on to th WinTime.py script. W can do this with a
bash for loop. And if you r ad th man pag for xxd, you will s that w can also us
diffo r nt options for xxd to nabl us to compl t th dat conv rsion without having to copy
th h x valu out.

L t’s look at what happ ns if w run xxd with -ps (plain h xdump) -s8 (s k to byt 8)
-l8 (output is 8 byt s in l ngth). The command prompt has b n truncat d again for
r adability (F is th “fiel ” w ar vi wing):

barry@forensic1:~.../000003E8/(values)$ xxd -ps -s8 -l8 F


678e5df7f7c1d201

W fiend th dat string xtract d is xactly th format w n d to pass to WinTime.py.


In ord r to pass th output, w ’ll us command substitution. Theis is don by using th back-tic
(` `) symbols around th xxd command. Theis substitut s th output of xxd straight to th
argum nt r quir d for WinTime.py:

barry@forensic1:~.../000003E8/(values)$ python ~/WinTime.py `xxd -ps -s8 -l8 F`


Sun Apr 30 21:23:09 2017

Theis can b tak n a st p furth r. W hav thr s parat dat valu s to conv rt h r .
On is at offos t 8 (-s8 as w conv rt d abov ). The oth rs ar at offos t 24 and 40. Sounds lik
a p rf ct candidat for our now familiar bash for loop. W can us offos ts 8, 24 and 40 as our
variabl , and pass thos into our command substitution for WinTime.py. It should look
som thing lik this:

barry@forensic1:~.../000003E8/(values)$ for offset in 8 24 40


> do
> python ~/WinTime.py `xxd -ps -s$offset -l8 F`
> done
Sun Apr 30 21:23:09 2017
Thu Apr 6 01:35:34 2017
Sun Apr 30 21:23:01 2017

296
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Inst ad of r p ating th command with -s8, -s24 and -s40, w simply cr at a loop
with $offset and provid th valu s 8, 24, and 40 in th loop. Theis giv s us th r sulting
valu s:

• Last Login Dat : Sun Apr 30 21:23:09 2017


• Password S t/R s t Dat : Thu Apr 6 01:35:34 2017
• Last Fail d Login : Sun Apr 30 21:23:01 2017

Examining Windows r gistry fiel s in a command lin nvironm nt may not b th


simpl st or most fficci nt m thod, but it is a gr at way to l arn how a r gistry is pars d, and
wh r information is locat d.

Application Analysis – prefetch

Und rstanding th cav ats w provid d arli r on th status of many of th libyal


proj cts, b sur to brows som of th m and try th m out. Docum ntation can b spars in
plac s, but that’s wh r xp rim ntation and t sting com s in. In many cas s, th librari s ar
provid d to add capabiliti s to oth r programs – th provid d utiliti s may simply xport
information from an artifact to XML or t xt format straight to standard output. libscca is an
xampl of this and is us d to acc ss Windows pr f tch fiel s.

Pr f tch fiel s can b a us ful for nsic artifact for any numb r of r asons. The y can
provid additional x cution tim s for tim lin s, th y can b us d to prov program x cution
v n wh n an x cutabl has b n d l t d, and th y can b us d to corr lat oth r artifacts
cr at d during x cution. Mor information can b found on th Int rn t 35.

L t’s hav a look at a quick xampl , aftw r installing libscca:

barry@forensic1:~$ su -
Password:

root@forensic1:~# sboinstall libscca

libscca (libYAL Windows Prefetch File parser)

libscca is a library to access the Windows Prefetch File (SCCA) format.

Proceed with libscca? [y]


...
Cleaning for libscca-20170105...

root@forensic1:~# exit

35
httep://www.for nsicswiki.org/wiki/Pr f tch is a good start.

297
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

With libscca install d, l t’s look for a pr f tch fiel to vi w. W ’ll s arch th NTFS
imag for fiel s nding in .pf. You can s th r ar quit a f w of th m (output is truncat d).

barry@forensic1:~$ fls -Fr -o 2048 NTFS_Pract_2017/NTFS_Pract_2017.E01 |


grep .pf$
r/r 72-128-2: Windows/Prefetch/58.0.3029.81_CHROME_INSTALLER-F06A66AC.pf
r/r 73-128-2: Windows/Prefetch/AUDIODG.EXE-BDFD3029.pf
...
r/r 123-128-2: Windows/Prefetch/NMAP.EXE-69B77167.pf
...
r/r 135-128-2: Windows/Prefetch/SEARCHFILTERHOST.EXE-77482212.pf

Our familiar fls command is x cut d, looking for fiel s only, r cursiv ly ( -Fr) in th
fiel syst m at offos t 2048 (-o 2048) in our NTFS EWF fiel s. Using grep, w ar looking for .pf
at th nd of th lin (signifie d by th $). The list is long, but w ’ll look at th NMAP.EXE
pr f tch fiel (MFT ntry 123-128-2). W can xtract th fiel from th imag with icat:

barry@forensic1:~$ icat -o 2048 NTFS_Pract_2017/NTFS_Pract_2017.E01 123 >


nmap.pf.123

L t’s v ry quickly hav a look at th h ad r of th fiel with xxd. You can imm diat ly
s why th library w just install d is call d libscca. The pr f tch h ad r is 84 byt s long
with th v rsion at offos t 0x00 and th SCCA h ad r at offos t 0x0436.

barry@forensic1:~$ xxd -l 84 nmap.pf.123


00000000: 1700 0000 5343 4341 1100 0000 aeaa 0000 ....SCCA........
00000010: 4e00 4d00 4100 5000 2e00 4500 5800 4500 N.M.A.P...E.X.E.
00000020: 0000 0200 0000 0000 d935 a382 c07b 719d .........5...{q.
00000030: bb36 a382 0100 0000 483d 4087 1100 0000 .6......H=@.....
00000040: 483d 4087 c029 3685 0000 0000 6771 b769 H=@..)6.....gq.i
00000050: 0000 0000 ....

Som of th f atur s w can fiend (b car ful of byt ord ring):


• pr f tch v rsion = 0x0017 (V rsion 23 - Windows 7)
• SCCA h ad r = 0x5343 0x4341 (SCCA)
• x cutabl nam = 0x4e 0x4d 0x41 0x50 0x2e 0x45 0x58 0x45 (NMAP.EXE)
• pr f tch hash = 0x69b7 0x7167 (match s th hash in th .pf fiel nam )

The lat st x cution tim can b fount at offos t 128 in th pr f tch fiel (8 byt s long),
and w can us WinTime.py again to d ciph r it:

36
httep://www.for nsicswiki.org/wiki/Windows_Pr f tch_Fil _Format

298
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

barry@forensic1:~$ python WinTime.py `xxd -s 128 -l8 -ps nmap.pf.123`


Thu Apr 6 15:07:20 2017

Giv n nough information about th format, you could sp nd a lot of tim parsing th
fiel . The r ’s oth r information stor d within, including librari s and oth r fiel s acc ss d wh n
th x cutabl is start d. But from h r w ’ll us sccainfo from libscca to vi w th pr f tch
fiel cont nts, which is quit xt nsiv .

barry@forensic1:~$ sccainfo nmap.pf.123


sccainfo 20170105

Windows Prefetch File (PF) information:


Format version : 23
Prefetch hash : 0x69b77167
Executable filename : NMAP.EXE
Run count : 9
Last run time: : Apr 06, 2017 15:07:20.470652700 UTC

Filenames:
Number of filenames : 53
Filename: 1 : \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTDLL.DLL
Filename: 2 : \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\
KERNEL32.DLL
Filename: 3 :

...

\DEVICE\HARDDISKVOLUME2\USERS\ALBERTE\DOWNLOADS\NMAP-7.40-WIN32\NMAP-7.40\NMAP-OS-
DB

Volumes:
Number of volumes : 1

Volume: 1 information:
Device path : \DEVICE\HARDDISKVOLUME2
Creation time : Apr 06, 2017 04:48:55.209910400 UTC
Serial number : 0x5019050c

The r ar num rous utiliti s availabl to Linux us rs that can b found to assist in
parsing fiel s, artifacts and oth r data r cov r d from comput rs running op rating syst ms
oth r than Linux. The r ar , in fact, too many to list h r . Som tim s it’s simply a matte r of
fiending a comparabl op n sourc proj ct: lik using Libr Officc to vi w Microsoftw Officc or
Visio fiel s. The r ar also th simpl utiliti s that ar ith r pr -install d or asily install d on

299
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

your Linux distribution, lik catdoc or tools lik pdfinfo and exiftool for r ading fiel
m tadata. The r ar too many to list h r , but sufficc to say that ov r th past f w y ars
application lay r analysis has b com much asi r on Linux.

300
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

X. Integrating Linux with Your Work

Theis guid has cov r d a myriad of subj cts that r ally just touch th surfac of th
command lin capabiliti s of Linux as a for nsic platform. And whil it is a l ngthy guid , it
still only imparts a basic s t of commands and utiliti s to allow you to l arn and grow as a
for nsic xamin r or digital inv stigator. The r al pow r of Linux (as an h ir of UNIX its lf) is
in thinking UNIX. The mor you us commands and g t us d to th output th y pr s nt, th
mor you will l arn to string th m tog th r, solving incr asingly compl x issu s quickly and
fficci ntly. G tteing a solid grasp of commands, command history, pip s and r dir ction is a
lib rating proc ss.

Som of th r p at d x rcis s w ’v don h r w r d sign d to kick start th


r p tition n d d to anchor th command lin proc ss into m mory. It is not, how v r,
r alistic to xp ct that v ryon will sudd nly conv rt to Linux and for go oth r op rating
syst ms for for nsic analysis. Linux is, at th nd of th day, just anoth r platform and tool s t.
I maintain that it is a us ful tool s t, and that th r is som valu in v ry xamin r at l ast
b ing familiar with it and th tools it provid s. W ’v talk d about how th command lin
tools w ’v ncount r d h r (and th r ar many mor ) ar uniqu wh n compar d to
common Windows tools. Much of this diffo r nc aris s from th fact that th y ar generally
d sign d with th UNIX approach of "do on thing and do it w ll". W s this in tools lik
grep, head, tail, tr, sed and utiliti s lik icat, blkls and catdoc. The y provid discr t
output wh n run on th ir own, but as you start piping th m tog th r, w nd up accomplishing
multipl st ps in th sam command lin . Theis b com s v ry pow rful not only wh n you
l arn what ach tool is capabl of, but wh n you also start to think in t rms of a modular
command lin . L arning and r m mb ring all this, how v r, m ans mor of a burd n on
xamin r r sourc s. And so, on of th str ngths of Linux is also, in fact, on of its w akn ss s
wh n it com s to mass app al in th for nsic community.

So how do w continu to us Linux, maintain what w ’v l arn d and continu


l arning, whil still r maining fficci nt? L t’s discuss som ways you can int grat a Linux
platform into you curr nt lab or xamination proc ss s and continu to us it, if not on a daily
basis, at l ast nough to maintain (and continu growing) th skills w ’v introduc d h r .

W ’v s n tools in this guid that can b us d to acc ss fiel data, fiel syst m data,
volum information, and block information, tc. It can b don quickly and without th n d
for lic ns s, multipl programs, or xc ssiv r sourc s to load and vi w targ t d information.
B ing abl to accomplish this on full disk imag or blocks of s parat d data (lik th
unallocat d output of blkls, for xampl ), and v n individual fiel s, mak s Linux an xc ll nt
platform for both tool validation and th cross-v rifiecation of fiendings.

Validation, in this cont xt, can b s n as comparing th output of diffo r nt tools to t st


sp cifiec softwwar functions (or in som cas s, hardwar functions) and hop fully d t rmin
that th output it’s supposed to giv is actually produc d. If your lab or organization has

301
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

validation standards for for nsic softwwar and hardwar , you can str ngth n th s by not only
confierming similar functions in multipl tools, but by comparing th output of th tool b ing
t st d (a function of comm rcial softwwar on Windows, for xampl ) to an op n sourc tool on
an alt rnativ (and also op n sourc ) op rating syst m. Conclusiv validation of functional
output is far asi r to ascrib to t st r sults wh n thos r sults ar from ntir ly diffo r nt
syst ms. Linux can provid that nvironm nt wh r s parat tools ar running on an ntir ly
diffo r nt op rating syst m k rn l and nvironm nt compl t ly, r moving any pot ntial
app aranc of int rf r nc .

W can also us Linux for cross-v rifiecation. In thos cas s wh r you fiend sp cifiec
vid nc with on of your standard comm rcial for nsic tools, you can v rify thos r sults by
comparing th m on an alt rnativ op rating syst m with alt rnativ tools. Theis is not th
sam as validation. In this cas w ar not testing a function, w ar configrming a fignding. For
xampl , you might fiend a fiel or s t of fiel s p rtin nt to an inv stigation. The fiel s w r found
in a particular volum , in a particular block (or clust r) that was associat d with a particular
m ta-data ntry ( .g. MFT). Running mmls, blkstat and ifind, tc. can h lp us verify thos
fiendings tak n from a comm rcial tool. In cas s wh r th data r cov r d may b cont st d or
your r cov ry proc ss insp ct d, having this cross-v rifiecation can r nd r argum nts against
your proc dur s or tools mor difficcult.

As a v ry simpl xampl , l t’s look at th SAM r gistry fiel that w work d on in th


s ction cov ring application lay r analysis. If w commonly us Windows as our standard
for nsic platform, w might xtract r gistry fiel s with Acc ss Data’s FTK and us tools lik
R gRipp r to pars th m. If that was th cas with th SAM fiel w xamin d pr viously, th n
I might hav found th following information:

Parsing th fiel for us r data, w may fiend that th last login for th us r AlbertE is
critical to our cas and th data found might com up in t stimony. Output of our primary
r gistry analysis shows th following (output from an xamination using Windows tools):

302
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Username : AlbertE [1000]


Full Name :
User Comment :
Account Type : Default Admin User
Account Created : Thu Apr 6 01:35:32 2017 Z
Name :
Password Hint : InitialsInCapsCountToFour
Last Login Date : Sun Apr 30 21:23:09 2017 Z
Pwd Reset Date : Thu Apr 6 01:35:34 2017 Z
Pwd Fail Date : Sun Apr 30 21:23:01 2017 Z
Login Count : 7

B caus of th importanc of this particular vid nc to th cas , w d cid to cross


v rify th output using compl t ly unr lat d tools und r Linux (w cov r d th st ps
pr viously). Looking at th MFT ntry with TSK’s istat, w can v rify information found in
our Windows softwwar . The following istat command confierms th fiel dat s and tim , th
siz , and th location of th fiel .

barry@forensic1:~$ istat -o 2048 NTFS_Pract_2017/NTFS_Pract_2017.E01 178


MFT Entry Header Values:
Entry: 178 Sequence: 1
...
Created: 2017-05-01 09:00:42.659179200 (EDT)
File Modified: 2017-05-01 12:39:35.889046400 (EDT)
MFT Modified: 2017-05-01 09:00:42.676485200 (EDT)
Accessed: 2017-05-01 09:00:42.676286700 (EDT)

$FILE_NAME Attribute Values:


Flags: Archive
Name: SAM
Parent MFT Entry: 69 Sequence: 1
Allocated Size: 262144 Actual Size: 262144
Created: 2017-05-01 09:00:42.659179200 (EDT)
File Modified: 2017-05-01 12:39:35.889046400 (EDT)
MFT Modified: 2017-05-01 09:00:42.676286700 (EDT)
Accessed: 2017-05-01 09:00:42.676286700 (EDT)

Attributes:
Type: $STANDARD_INFORMATION (16-0) Name: N/A Resident size: 48
Type: $FILE_NAME (48-4) Name: N/A Resident size: 72
Type: $SECURITY_DESCRIPTOR (80-1) Name: N/A Resident size: 80
Type: $DATA (128-2) Name: N/A Non-Resident size: 262144 init_size: 262144
95487 95488 95489 95490 95491 95492 95493 95494
95495 95496 95497 95498 95499 95500 95501 95502
...

303
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

Not that th tim s ar diffo r nt. Obviously this is b caus of th application of tim
zon s. Diffo r nc s in th output ar not disqualifying as cross-v rifiecation if you ar abl to
xplain why th diffo r nc occurs. Theis is th foundation of knowing how your softwwar
works.

Looking at th output of th Windows softwwar r gistry parsing, w can v rify with


commands w us d pr viously:

barry@forensic1:~/sammnt/SAM/Domains/Account/Users/000003E8/(values)$ xxd F
00000000: 0200 0100 0000 0000 678e 5df7 f7c1 d201 ........g.].....
00000010: 0000 0000 0000 0000 20d7 bf15 76ae d201 ........ ...v...
00000020: ffff ffff ffff ff7f 5ce9 5df2 f7c1 d201 ........\.].....
00000030: e803 0000 0102 0000 1402 0000 0000 0000 ................
00000040: 0000 0700 0100 0000 0000 4876 488a 3600 ..........HvH.6.

• Last Login Dat : offos t 8

barry@forensic1:~.../000003E8/(values)$ python ~/WinTime.py `xxd -ps -s8 -l8 F`


Sun Apr 30 21:23:09 2017

So with a simpl f w st ps w ’v confierm d critical output, using diffo r nt tools on a


diffo r nt platform, which can hop fully str ngth n any t stimony w may b r quir d to giv
on th fiendings.

Cross v rifiecation can also b us d to confierm th v ry fierst and most important st p of


any for nsic proc ss: th acquisition and prop r handling of coll ct d vid nc . W can v rify
oth r tools’ m dia hash s, coll ction hash s, or m dia id ntifiecation.

If you can fiend a way to add Linux to your workflaow, you could k p your skills curr nt,
l arn additional skills, and p rhaps v n l arn to automat som of this workflaow through
scripting. The r ar s v ral ways you can d ploy Linux in your work, including virtual
machin s, standalon workstations, and bootabl distributions.

Virtual machin s (VM) ar growing in popularity, and hav b n for y ars. The r ar
fr options (lik VirtualBox) that ar quit robust and offo r xc ll nt compatibility and
confieguration options for a for nsic xamin r. You can run a VM on your main for nsic
workstation and provid it acc ss to vid nc fold rs and fiel s, allowing dir ct int rfac
b tw n th tool and th targ t imag . VMs also hav a “snapshot” f atur so that wh n work
is compl t , a snapshot of a cl an and p riodically updat d op rating syst m can b r stor d.
Also not that VMs can b run th oth r way – I normally run Windows in a VM on a physical
Slackwar Linux workstation. The r ason I do this highlights on of th drawbacks of VM
usag – dir ct acc ss to hardwar . A VirtualBox VM, for xampl , will allow conn ctions via a
virtual USB controll r. The r ar , how v r, tim s wh r I would want to qu ry dir ctly

304
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

conn ct d d vic s without th n d of a virtual bridg . I pr f r to us Linux for that, so


Windows is r l gat d to a VM and Slackwar is giv n dir ct acc ss to hardwar . Theat,
how v r, is a matte r of p rsonal pr f r nc .

The oth r obvious way to run Linux is to hav an actual d dicat d workstation. Theis is
fien if you hav on you can d vot to th purpos , and it all viat s th afor m ntion d
hardwar acc ss and int rrogation issu s. A full work station is particularly us ful wh r you
might want to validat or cross v rify hardwar id ntifiecation or num ration. Having a
physical workstation r quir s mor mon tary r sourc s and can r quir mor confieguration
ffoort for xotic or l ss common hardwar , but it also provid s th most compl t for nsic
acc ss for th op rating syst m to int ract with atteach d hardwar .

The fienal way you can continu using Linux is through a bootabl distribution. The s
ar always handy to k p around for tim s wh r you may n d to boot a subj ct comput r to
acquir vid nc or v n conduct a limit d xamination without imaging int rnal m dia. W
us d this approach in our “dd ov r th wir ” x rcis . The r ar a numb r of good bootabl
distributions availabl suitabl for for nsic us . Download a coupl , try th m out, and s
what works b st for you. It may b a good id a to hav s v ral diffo r nt v rsions for diffo r nt
sc narios or hardwar confiegurations. Two bootabl Linux variants that com to mind
imm diat ly ar Cain and Kali Linux:

Cain : http://www.caine-live.net/

Kali: https://www.kali.org/

305
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

XI. Conclusion
The xampl s and practical x rcis s pr s nt d to you h r ar r lativ ly simpl . The r
ar quick r and mor pow rful ways of accomplishing som of what w hav don in th scop
of this docum nt. The st ps tak n in th s pag s allow you to us common Linux tools and
utiliti s that ar h lpful to th b ginn r. W ’v also incorporat d mor advanc d tools and
x rcis s to add som “r al world” applicability.

Onc you b com comfortabl with Linux, you can xt nd th commands to ncompass
many mor options. Practic will allow you to g t mor and mor comfortabl with piping
commands tog th r to accomplish tasks you n v r thought possibl with a d fault OS load
(and on th command lin to boot!). The only way to b com profieci nt on th command lin
is to us it. And onc you g t th r , you may hav a hard tim going back.

I hop that your tim sp nt working with this guid was a us ful inv stm nt. At th
v ry l ast, I’m hoping it gav you som thing to do, rath r than star at Linux for th fierst tim
and wond r “what now?”

306
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform

XII. Linux Support


Places to go for support:

Asid from th copious w b sit r f r nc s throughout this docum nt, th r ar


a numb r of v ry basic sit s you can visit for mor information on v rything from
running Linux to using sp cifiec for nsic tools. H r is a sampl of som of th mor
informativ sit s you will fiend:

Slackwar . Just on of many Linux distro's.


http://www.slackware.com

L arn Slackwar (Slackwar Linux Ess ntials):


https://slackbook.org/beta/

The “unofficcial” officcial sourc for onlin assistanc is th Slackwar forum at


linuxquestions.org:
http://www.linuxquestions.org/questions/slackware-14/

Sl uth Kit Wiki


http://wiki.sleuthkit.org

The Linux Docum ntation Proj ct (LDP):


http://www.tldp.org

In addition to th abov list, th r ar a hug numb r of us r forums, som of which ar


sp cifiec to Linux and comput r for nsics:

http://www.forensicfocus.com

IRC (Int rn t R lay Chat)

Try ##slackwar on th Fr nod n twork (or oth r suitabl chann l for your Linux
distribution of choic ).

A Googl s arch will b your v ry b st fri nd in most instanc s.

307