Capturing a Forensic Image. By Justin C. Klein Keane <jukeane@sas.upenn.edu> 12 February, 2013

Transcription

1 Capturing a Forensic Image By Justin C. Klein Keane <jukeane@sas.upenn.edu> 12 February, 2013

2 Before you Begin The first step in capturing a forensic image is making an initial determination as to the direction of an investigation. If there is any possibility that the investigation could lead to litigation or criminal proceedings, STOP, do not make forensic images have the drive pulled and delivered to ISC Security with a proper chain of custody form ( If the case is a malware incident response, or other incident that will remain internal, then it is appropriate for SAS Security to complete a forensic drive capture. There are two methods to take a forensic image. The first is to clone the drive, the second is to take an image. In general, images are better as they are more portable and easier to work with. Cloning a drive may be advantageous in certain circumstances, however, so documentation on this method is included as well. Step 1 Tools you need If you intend to clone the target drive you'll need a zero'ed drive. This is any hard drive that has been overwritten with zeros, typically using the dd command. A typical way to do this on a Linux system (assuming /dev/sdc is the hard drive to be wiped) would be: $ dd if=/dev/zero of=/dev/sdc bs=1m Once a drive is zeroed a sticky note should be attached to the device indicating the size of the device and when the drive was wiped and by whom. If you are to image a drive, then you simply need another hard drive with sufficient capacity for the image. Note, however, that if you intend to image a drive you will need a larger hard drive to store the image. Formatted hard drives contain formatting and volume information which take up space so a 250 GB hard drive is not large enough to capture a 250 GB image. You'll also want a USB stick to use for copying specific pieces of malware, writing logs, or keeping digital notes on. Additionally you'll need a stack of bootable Linux distributions on CD (or DVD). It is important to have several because different distributions will work better, or worse, or not at all. Even having different versions of the same distribution will be helpful as one may work when another does not. We typically use: BackTrack, Caine, Deft, Helix and Knoppix. Finally you'll need a notebook that you use for forensics and investigations. Use a dedicated notebook and only use it in such circumstances.

3 Step 2 Approach the target When you first arrive at the scene of the potentially compromised machine you will probably want to determine if the machine can safely be powered off. If you want to grab an image of the RAM (a memory dump, or memory image) you must do this prior to shutting down the target. Otherwise, power off the target. Next, you want to record the date and time, plus the incident name, in your notebook. Plug your USB stick and the drive enclosure with the wiped drive in it into the machine while it's powered off. Boot the machine via CD. To do this power on the machine and place the CD in the tray. Next bring up the BIOS boot menu and choose to boot from CD. You may have to press a key as the machine powers on to do this (for instance F12 on most Dell machines, or hold down C on a Mac). The bootable CD may, or may not, load up. Give the CD sufficient time to load. Different machine architectures and distributions will take variable times to load. Plan on giving the CD minutes to boot before giving up. If one disk fails, simply repeat the process with another disk. Once the CD starts to boot Linux you may be presented with a menu of modes in which to boot. Always be sure to review these modes and choose the forensically sound mode. Some distributions have safe, and unsafe, modes of booting, so pay careful attention. Once the live CD has booted write down the distribution that is being used for the capture in your notebook. Step 3 Capture an image The first step in taking a capture is to identify all the devices plugged into the machine. Typically you'll want to identify: The internal hard disk The external drive The usb stick Each will be in the /dev directory, typically as /dev/sdx where X is a letter starting with a and incrementing. To do this use the fdisk command like so: # fdisk -l You should see output that will identify the various drives, their sizes, and allocation tables. Note that the zeroed drive won't have an allocation table and will merely be identified as a device. The drive size and partitioning are the best clues as to the identity of each drive. If the output is too long, and scrolls off the screen you can pipe it to an editor using the command: # fdisk -l less

4 This will start the less editor and you can use the up and down arrows to scroll through the document. To quit use the 'Ctrl+C' or type ':q' (colon then q) and hit enter. For instance, in the following screenshot you can see the first internal hard drive, identified as /dev/sda, which has three partitions of various sizes and formats: Figure 1: Output of the fdisk command In the next screenshot, the output at the end of the fdisk command, you can see the two terrabyte external drive and the 512 MB USB stick identified as /dev/sdc and /dev/sdd respectively: Figure 2: Further output from the fdisk command Once you have identified the drives, record in your notebook which drive is which including the designation (i.e. /dev/sda), the drive it corresponds to (i.e. internal hard drive, external USB drive, etc.) the size, and partitioning information.

5 Now that you know where drives are, you need to mount the USB stick so we can write files (specifically log files) to it. To do this you first have to make a target directory, then mount the device using the following commands (assuming /dev/sdb1 is a partition on the the USB stick. Note that while /dev/sdb may refer to the device, /dev/sdb1 is the actual partition of the device used for files): # mkdir /mnt/usbstick # mount /dev/sdb1 /mnt/usbstick Once the USB stick is mounted create a new folder for the incident using the following command: # mkdir /mnt/usbstick/[incidentname] Replacing [incidentname] with an appropriate label. Note the name of all mount points in your notebook. Take a copy of the fdisk output and write it to the usbdrive with using command output redirection like so: # fdisk -1 > /mnt/usbstick/[incidentname]/fdisk.txt Next you'll want to begin the job of copying the target to the wiped drive block by block. The only difference between taking an image, and making a drive clone is the target of the copy command. Use the dc3dd command to begin the copying of the target. If you want to take a clone you copy the entire device to the unmounted external drive. Cloning a Drive To clone a drive using the dc3dd command, execute the following command, assuming /dev/sda is the target hard drive, /dev/sdc is the wiped drive, and the USB stick is mounted on /mnt/usbstick also replace the filename with one more appropriate: # dc3dd if=/dev/sda of=/dev/sdc hash=md5 log=/mnt/usbstick/[incidentname]dc3dd.log This will take clone /dev/sda to /dev/sdc, write the log file to the USB stick, and output the md5 hash of the image. Write the command you used down in your notebook.

6 The following screenshot shows typical output of this command. Note the md5 value: Figure 4: Using the dc3dd command Taking an Image The process for taking a drive image is similar to cloning, but instead of writing to a raw device, you write to a file on a formatted drive. The first step to taking an image is mounting the external drive partition you want to write to. Do this in the same way that you mount the USB stick, assuming /dev/sdc1 is the partition you wish to write to: # mkdir /mnt/extharddrive # mount /dev/sdc1 /mnt/extharddrive Once the drive is mounted the command to copy the image is similar. Make sure the drive is mounted by changing into the target directory like so: # cd /mnt/extharddrive Next, make a directory for the incident and move into that directory: # mkdir [incidentname] ; cd [incidentname] Now you can take the image using the dc3dd in the same way as with a drive clone, only the output file will be an actual file name: # dc3dd if=/dev/sda of=160gbhd.img hash=md5 log=dc3ddlog.txt

7 Figure 5: Taking a drive image (to a file) This will create a new file that will contain an exact copy of the drive. The file extension is somewhat arbitrary. Other extensions for images include.ewf and.aff. Step 4 Verification To view the log file, once the image is complete, we can use the cat command like so: # cat /mnt/usbstick/[incidentname]dc3dd.log To verify this md5 you'll have to use the md5sum command like so (for a drive clone): # md5sum /dev/sdc For an image the command is the same but the target is the file: # md5sum /mnt/extharddrive/[incidentname]/drive.img Note that this can take a long time to complete. The following screenshot shows the md5sum command run against the device in the figure 4: If you feel confident, you may combine both the capture and verification commands so they run sequentially by separating them with a semi-colon like so (NB: there is no line break in the following command): # dc3dd if=/dev/sda of=/dev/sdc hash=md5 log=/mnt/usbstick/[incidentname]dc3dd.log ; md5sum /dev/sdc You must verify that the md5 in the log file (or dc3dd output) matches the sum from the md5sum command. If they do not match then something has gone wrong. If they do match, record the md5 in your notebook. Halt the bootable CD using the command: # halt -n Figure 6: Verifying the MD5 hash The machine should power down. Unplug the USB stick and the hard drive. On a sticky note attached to the hard drive note the incident name, the date and time, your name, and the md5 of the image. Note this information in your notebook as well.