GNU/LINUX Forensic Case Study (ubuntu 10.04)

Transcription

1 GNU/LINUX Forensic Case Study (ubuntu 10.04) Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License

2 FCCU Federal Computer Crime Unit of Belgium Assistance house searches Forensic analysis ICT Internet investigations 2

3 Flight Case.. Intervention kit FCCU ATA, SATA, FireWire, USB, Cardreader, DVD,.. 3

4 FCCU GNU/Linux Forensic Boot CD Objectives Learn the forensic methods, primarily done with GNU/Linux system Learn something about forensic tools The Main Purpose of the CD To help in forensic analysis of computers 4

5 Goals Making forensic images primarily Disk 2 disk Partition 2 partition Disk/partition 2 file 5

6 About the Boot CD Difference with other non forensic boot CD's No automatic use of swap partitions Lots of forensic tools No daemons at startup 6

7 Biking Through this case 'Evidence' Imaging & Hardware investigation Why? Low level searches & identify files Deleted files 7

8 Sweating further on the bike Specific files.. Pictures (and multimedia) Compressed files File system specific Timelines Web activitity Log files Virus? Rootkit? 8

9 Determination of Suspect PC Speed? Low level search - keyword search - salvage based on file structures Childporn - an image viewer - mplayer with frame buffer support Internet trace - Firefox - Internet Explorer 9

10 The Evidence Presentation of the Evidence? A 126 MiB USB key Suspect traces are - named forensic target - everything about pirates 10

11 The evidence Forensic sound imaging raw, afflib, libewf,.. Using the tools: dd sdd rdd ddrescue guymanager,dcfldd,cstream,.. 11

12 The Evidence Obtain the forensic image using netcat & dd: Suspect PC dd if=/dev/sda conv=noerrors,sync pipebench netcat -l q 1 Trusted PC netcat x.x 2000 pipebench > /mnt/forensic/sda.dd What does cryptcat do? 12

13 Let's nc We'll use /mnt/forensic as a reference directory: Suspect PC of trustworthy teacher or some peering student cat usbkey.dd pipebench gzip --fast netcat -l q 1 Trusted PC of a good listening student netcat ip.adress.of.sender 2000 gunzip pipebench > /mnt/forensic/usbkey.dd nc ipadress portnr gunzip pv -i 1 -s 128m >/mnt/forensic/usbkey.dd 13

14 The evidence Identifying devices (goals) You have to know what to copy Writing an accurate report Finding suspicious information 14

15 Device Identification General information cat /proc/partitions lshw lshw less cat /proc/meminfo cat /proc/cpuinfo dmesg dmesg more The Evidence dmesg tee dmesg.txt grep 'failed' x86info cpuid 15

16 The Evidence Device identification ATA/IDE Try to find serial numbers Name your image using the serial number lshw less hdparm -i /dev/hda hdparm -I /dev/hda lshw tee lshw.txt egrep -n -A 2 'disk storage' dumpe2fs /dev/hda1 #what? 16

17 The Evidence Device identification HPA/DCO dmesg hdparm --dco-identify /dev/hda hdparm -N /dev/sda disk_stat /dev/hda USB/FireWire/SATA cat /proc/scsi/scsi scsiinfo -s /dev/sda What does dmidecode report? 17

18 Tips Redirect into information file(s) lshw >> usbkey-info.txt Use the bash autocompletion feature (tab (tab)) Read man pages Difference between > and >> 18

19 Image Verification md5sum usbkey.dd #9580e6bb7d6750ad34e fdcc2 md5sum /dev/sda sha1sum usbkey.dd #5f12c42fdb5ea1b9d d303a8f48ed847 sha1sum /dev/sda 19

20 Tips Think like a plumber Why not use tee to calculate the hash during the imaging dd if=/dev/sda tee usbkey.dd md5sum > usbkey.md5 dd if=/dev/sda tee usbkey.dd sha1sum > usbkey.sha1 Try the same with a progress bar (virtual using cat) Could u obtain this also with dcfldd 20

21 The evidence Once imaging is done, try to identify filesystems DOS type partitioning fdisk -lu usbkey.dd sfdisk -lus usbkey.dd Other types DOS type MAC type BSD disklabels SUN mmls usbkey.dd 21

22 The evidence Is it really a partition magic recovery partition? disktype usbkey.dd disktype recognizes and probes partition types DOS APPLE AMIGA ATARI ST BSD LINUX SOLARIS fsstat usbkey.dd -f ntfs -o 51 22

23 The Evidence Mounting the file system read-only mount usbkey.dd /mnt/forensic -o loop,offset=$((51*512)) -r Attention journaling filesystems! 23

24 The Evidence Basic informations about the filesystem Counting regular files find /mnt/forensic/ -type f wc -l Partition usage df -h /mnt/forensic 24