Lab I: Disk Imaging and Cloning

Transcription

1 New Mexico Tech Digital Forensics Fall 2006 Lab I: Disk Imaging and Cloning Objectives - Use VMWare and modify device configuration in a VMWare system - Image a drive to a file - Extract individual partitions from an image file - Mount the image as a loopback device and read only for analysis - Properly sanitize a disk for cloning - Clone a drive versus imaging the drive - Verify disk and file integrity with hashing Procedures Adding Virtual Disks in VMWare Step 1 On your lab machines launch VMWare. A virtual operating system running Linux and containing the forensics tools you will need can be found in the favorites panel. Select Linux Forensics and click edit virtual machines settings. In the Hardware tab you will see a listing of the virtual devices that have been configured with this virtual machine. Devices can be added and removed from this panel as if you were adding and removing actual devices on a physical machine. Select the Network Adapter > choose Remove. Question 1: Why might it be a good idea to disconnect your forensics machine from the network before performing digital analysis on a drive? By being on a network, your forensics system may be at risk of being compromised. The evidence in your custody should be well protected from unauthorized access. Also, If you are analyzing a system that has been compromised you want to take precautions Prepared by Regis Cassidy Sandia National Laboratories Page 1

2 that malicious code does not escape out onto a network. Step 2 In a real world situation you would have seized or collected the computer under investigation and may choose to pull out the hard disk and add it to your own system for performing digital analysis. In VMWare you can simulate this procedure by editing the virtual machine settings and adding another disk. In the Hardware tab click the Add... button > Choose Hard Disk > click Next. The compromised disk has already been set up for you as a VMWare image. Choose Use an existing virtual disk > click Next. Make sure you are browsing in the c:\vmware-images\linux - Forensics directory. Select the Linux Hacked.vmdk file. This file represents the virtual disk that you will be analyzing. Click OK > Finish. Step 3 In the event that the evidence you find will be needed in court, you need to make sure that no modifications are made to the original drive. Therefore, a copy or image of the compromised drive is needed to perform your analysis. You will need to add an additional disk for storing the image you are about to make and any evidence that will be extracted from that image. A general rule of thumb is to add a drive that is at least 3 times the size of the original drive. The original compromised drive is 1GB. Question 2: Why would it be a good idea to use a separate blank drive that contains all the extracted evidence and reports you obtained from the image? Why should this drive be significantly larger then the original drive? The images and evidence you collect can potentially be huge amounts of data. It would be a good idea to avoid fragmenting your own system with these large files. Having all the files related to your investigation on its own disk helps to be organized and makes portability of the evidence easier in case you need to use multiple computer systems to do your analysis. This drive would need to be significantly larger then the original drive under investigation because you may be extracting large amounts of data from the image. For example, you may extract individual partitions from the Prepared by Regis Cassidy Sandia National Laboratories Page 2

3 image, unallocated space, slack space, etc. You also may be recovering deleted files and will have logs and reports from the results of your investigation. Using the procedure described in Step 2, add another virtual disk. This time choose the option Create a new virtual disk. Choose IDE and a disk size that is 3 times the size of the original drive. Make sure that Allocate all disk space now is NOT selected and that Split disk into 2GB files is selected. This nice feature in VMWare helps to conserve physical disk space on your computer if the virtual disks are not being fully utilized. Name the virtual disk Linux - Forensics-image.vmdk Step 4 You should now see 3 hard disks on your virtual forensics machine under the Hardware tab. One hard disk contains the operating system with the forensics tools you will be using. Another simulates the collected disk from a compromised computer. The last hard disk will be large enough to hold an image of the compromised hard disk and any evidence, log, reports you make during the investigation. However, this last hard disk is currently blank and does not contain a file system. The next step is to prepare this hard disk for you to record your investigation. Start the Linux Forensics virtual machine. Login with username root and password letmein. Once the system completely boots, start a Terminal session located on the toolbar. You will need to figure out what the device names are for the two drives you just added to your Linux system. Generally, the operating system (OS) will be on /dev/hda which is the primary channel on the first IDE cable in the computer. The secondary channel on that cable would be /dev/hdb. The primary and secondary channels on the second IDE cable would be /dev/hdc and /dev/hdd. This still all holds true for virtual disks in VMWare since VMWare does such an excellent job modeling a physical computer. fdisk is a Linux tool for listing the partition table of a device. For example, look at the partition table for the disk containing your operating system by running the command # fdisk -l /dev/hda Prepared by Regis Cassidy Sandia National Laboratories Page 3

4 Notice in the listing of fdisk that /dev/hda is followed by partition numbers. Physical information and file system information is displayed for each partition. Question 3: Use fdisk like the example above to figure out which device name is associated with the compromised drive and the blank drive. How did you conclude which is the compromised drive and which is the blank drive? You know the OS is on /dev/hda so good reason should lead you to see what is on /dev/hdb. After running fdisk -l /dev/hdb you see a partition table for a 1GB drive with two partitions; a Linux and a Linux swap. This has to be the compromised drive. In this case /dev/hdc is the CDROM drive so you should not see any partition information if there is no disk in the drive. Running fdisk -l /dev/hdd shows you a 3GB disk that contains no partition table information. This must be the blank drive. Step 5 You should now know which device name is associated with the blank drive. You need to add a primary partition and file system to that drive so you can start writing to the disk. Run fdisk to create a new partition on the blank drive. # fdisk /dev/hd(x) NOTE: Where (x) is the device letter you discovered in step 4 for the blank drive. Type m to list the menu. Type n for new partition, choose primary and partition number 1. Use default start and end cylinders. Type w to write to disk and quit. Check that there is now a partition table. # fdisk -l /dev/hd(x) Now add the Linux ext3 file system. Run the Linux command # mkfs -t ext3 /dev/hd(x)1 Once the file system has been made, you must mount the device so that you may have access to it. First create a mount point named evidence in /mnt. Prepared by Regis Cassidy Sandia National Laboratories Page 4

5 # mkdir /mnt/evidence Now mount the device. # mount /dev/hd(x)1 /mnt/evidence Try writing to the disk by creating a directory called lab1. # mkdir /mnt/evidence/lab1 Imaging a Disk Step 6 You are going to use the Linux tool Disk Dump (dd) to create a bit for bit copy of the original compromised drive. An example dd command would look like this: # dd if=source_file of=dest_file bs=8k conv=noerror,sync The arguments for dd are described as follows: if= In file. Specify the source device or file that is to be copied of= Out file. Specify the destination device or file that will contain the copy bs= Block size. Specify the size of a block of data that dd reads and writes at a time conv=noerror,sync if there is a read error, do not stop. If there is a read error the image will be synced with the original by padding the output with 0s. A larger block size will speed up the imaging process. However, if a read error occurs, then the whole block will be lost giving you an inaccurate image. When imaging, it is best to use the default block size of 512 bytes (leave bs out for the default). Create your image of the compromised drive using dd (it may take a few minutes). Be sure that you use the correct device names or you might risk corrupting data. # dd if=/dev/hd(y) of=/mnt/evidence/lab1/image.dd conv=noerror,sync NOTE: Where (y) is the device letter you discovered for the compromised drive. Question 4: Why do you NOT mount the original drive and simply copy the files? Prepared by Regis Cassidy Sandia National Laboratories Page 5

6 If you only copy files from the drive under investigation you may be missing a majority of the data on that drive. You will not be copying system information such as the partition table, boot record, and meta layer information (superblock, FAT, MFT). You also miss any of the data hidden in unallocated space and will not be able to recover deleted files. In order to make sure you have all data to analyze you must do a bit for bit copy of the original drive. Before any type of verification or analysis of this image file is done its permissions should be set to read only to avoid accidental modification. # chmod a-w /mnt/evidence/lab1/image.dd Verify Disk Image Step 7 You must verify that the image you created is an exact replica of the original. You can confirm the imaging process by comparing hashes from the original drive with the new image. You will need to save these hashes for your records. # sha1sum /dev/hd(y) > /mnt/evidence/lab1/original.sha1.txt # sha1sum /mnt/evidence/lab1/image.dd > /mnt/evidence/lab1/image.sha1.txt # cat /mnt/evidence/lab1/*sha1.txt Question 5: What are the hash values? Why should you compute the hash of the original drive only after you've created the image? The hash of both the original drive and image should match. In the rare event that the drive you are to investigate only has a very limited amout of life on it, you should make imaging first priority. If you were to take a hash of the drive first and during that process the drive goes bad, you are out of luck without any kind of backup. Prepared by Regis Cassidy Sandia National Laboratories Page 6

7 Splitting out Individual Partitions Step 8 The file image.dd is an image of an entire disk that may contain multiple partitions. In order to perform proper analysis you must be able to access these individual partitions. A version of fdisk with a few more features is sfdisk. sfdisk will allow you to look at the structure of the image file like fdisk, but can report more information such as the number of sectors in a partition. Use sfdisk to look at the partition table of the image file # sfdisk -lus /mnt/evidence/lab1/image.dd Option l lists the partition table and us reports disk structure according to sectors. You should notice two partitions. The first partition must be the root directory '/' and the second is the swap partition. Question 6: What are the beginning sector numbers and the number of sectors for the two partitions? (Note: If the rows do not properly line up with the columns, make sure you are looking at the right values). Why do you think the first partition does not begin at the first sector (sector 0)? The root partition begins at sector 32 and is sectors long. The swap partition begins at sector and is sectors long. Since this is a bootable drive the first 32 sectors have been reserved for the master boot record (MBR). The MBR contains the partition table that sfdisk reads to display the output you just saw. You are now going to learn a couple more features of the dd command. The option skip will skip over a specified number of blocks, bs in length (default 512 bytes). The option count copies a specified number of those blocks. With the information found from sfdisk you can now use dd to extract the partitions from the image. You use the default bs of 512 bytes since that is the size of a disk sector. # dd if=/mnt/evidence/lab1/image.dd of=/mnt/evidence/lab1/image.root.dd skip=x count=y conv=noerror,sync # dd if=/mnt/evidence/lab1/image.dd of=/mnt/evidence/lab1/image.swap.dd skip=w count=z Prepared by Regis Cassidy Sandia National Laboratories Page 7

8 conv=noerror,sync NOTE: Where x,y,w and z are the values you found using sfdisk. Change the permissions of these image files to read only. # chmod a-w /mnt/evidence/lab1/image.*.dd Create hashes of the two new images and append it to your other hash file. # sha1sum /mnt/evidence/lab1/image.root.dd >> /mnt/evidence/lab1/image.sha1.txt # sha1sum /mnt/evidence/lab1/image.swap.dd >> /mnt/evidence/lab1/image.sha1.txt Question 7: You should verify the above hashes with the partitions on the original drive. What steps would you take to do this? Use fdisk or sfdisk to confirm the partition device names on the original drive. # fdisk -l /dev/hdb The first root partition on the original drive is /dev/hdb1 and the swap partition is /dev/hdb2. Hash these and record them to your hash file. # sha1sum /dev/hdb1 /dev/hdb2 >> /mnt/evidence/lab1/original.sha1.txt Verify the hashes match # cat /mnt/evidence/lab1/*sha1.txt Question 8: # dd if=/dev/hdb1 of=/mnt/evidence/lab1/image.root.dd conv=noerror,sync is another possible way to have created an image of an individual partition and may even seem easier. Why might you not want to extract individual partitions in this way? As a digital forensics investigator you want to access the original drive the least amount of times as possible. The idea is to get the entire drive imaged, obtain a hash value and lock the drive up in a safe place as soon as possible. Prepared by Regis Cassidy Sandia National Laboratories Page 8

9 Mounting the Partition Images Step 9 Never mount the original drive! You want to eliminate any chance of data corruption. Therefore, you need a way to mount the image files you just created. The image dd files are obviously not normal block devices so you cannot mount them as if they were physical drives. The way you mount an image file is by using a loopback device. A loopback device allows an image to be mounted as a filesystem. This is done by the loop option in the mount command. Create a mount point for the compromised root partition. # mkdir /mnt/hacked You need to mount your images as read only. You must be able to gather evidence and later prove that you have not made any writes to the image. This will help eliminate accusations that evidence was planted, tampered with or destroyed. Use the ro option in the mount command. # mount -o ro,loop /mnt/evidence/lab1/image.root.dd /mnt/hacked You should now be able to view and browse around the root directory of the compromised system. # ls /mnt/hacked Question 9: Assuming you have completed your analysis, extracting any evidence you have found, what could you now do to verify you have not made any changes to the image file? (Note: You are not actually doing any analysis in this lab). You should re-hash your image files to verify that you have not made any alterations during your evidence gathering. Unmount the compromised system and your image drive. Prepared by Regis Cassidy Sandia National Laboratories Page 9

10 # umount /mnt/hacked # umount /mnt/evidence Creating a Clone Step 10 Rather than creating a bit by bit image to a file like in the steps above, you may choose to duplicate the original drive directly to another drive. Shutdown your VMWare session. Remove the original compromised drive from your system. Be sure to remove the drive that is named Linux Hacked.vmdk. In a real world situation, once you created your images, you would want to remove the drive and store and lock it in a safe place. Add another IDE disk named Linux Forensics-clone.vmdk and make it the same size as the original drive (1GB). Reboot the system and log in as root. Use fdisk (or sfdisk) to confirm what device name you need to use before running dd. In a real world situation, it may be possible that there is data on the disk you wish to use as your clone, even if you reformat the drive. When you go to perform your investigation, you need to be assured that you will only be looking at data from the original drive under investigation. You need to sanitize the new drive removing any residing data. Writing all zeros with the special device /dev/zero to the disk is sufficient. # dd if=/dev/zero of=/dev/hd(z) bs=8k NOTE: Where (z) is the drive letter for the clone drive. Question 10: How would you now use dd to create a clone on the new drive you added? Use the image dd file you created earlier as your source file. Verify your clone is an exact copy. # mount /dev/hdd1 /mnt/evidence # dd if=/mnt/evidence/lab1/image.dd of=/dev/hdb conv=noerror,sync Compute the hash of the clone and verify it with the original. Prepared by Regis Cassidy Sandia National Laboratories Page 10

11 # sha1sum /dev/hd(z) > /mnt/evidence/lab1/clone.sha1.txt # cat /mnt/evidence/lab1/original.sha1.txt /mnt/evidence/lab1/clone.sha1.txt Question 11: Why might you want to have an actual clone of the drive versus an image file that you can mount as a loopback device? Having an actual cloned disk will allow you to boot the system under investigation and perform a live analysis. In this case the investigator will be altering the data on that cloned drive. This may be acceptable, but the investigator would still have to later prove that any evidence found during a live analysis also exists on the unmodified original drive. By booting the system some of the investigative process may be made easier, such as observing system behaviors, but is definitely not always necessary to complete an investigation. Step 11 It is very important to do these next steps so that the lab is properly set up for the person who uses the computer after you. Unmount any drives you mounted and shutdown the VMWare system. In VMWare, revert 'Linux - Forensics' back to the snapshot by clicking the 'Revert' button. From the c:\vmware-images\linux - Forensics\ directory remove all files beginning with 'Linux Hacked ', 'Linux - Forensics-Clone' and 'Linux Forensics-Image'. Question 12: What are your comments and suggestions for this lab? Prepared by Regis Cassidy Sandia National Laboratories Page 11