GNU/LINUX Forensic Case Study (ubuntu 10.04)




GNU/Linux Forensic Case Study (Ubuntu 10.04)
Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License
wim.bertels@khleuven.be

FCCU
- Federal Computer Crime Unit of Belgium
- Assistance with house searches
- Forensic analysis
- ICT
- Internet investigations

Flight case
- FCCU intervention kit
- ATA, SATA, FireWire, USB, card reader, DVD, ...

FCCU GNU/Linux Forensic Boot CD
Objectives:
- Learn the forensic methods, primarily done with a GNU/Linux system
- Learn something about forensic tools
The main purpose of the CD: to help in the forensic analysis of computers.

Goals
Making forensic images, primarily:
- disk to disk
- partition to partition
- disk/partition to file

About the Boot CD
Differences with other, non-forensic boot CDs:
- No automatic use of swap partitions
- Lots of forensic tools
- No daemons at startup

Biking through this case
- 'Evidence'
- Imaging and hardware investigation: why?
- Low level searches and identifying files
- Deleted files

Sweating further on the bike
- Specific files: pictures (and multimedia), compressed files, file system specific
- Timelines
- Web activity
- Log files
- Virus? Rootkit?

Determination of suspect PC
Speed?
- Low level search: keyword search; salvage based on file structures
- Child pornography: an image viewer; mplayer with frame buffer support
- Internet traces: Firefox; Internet Explorer

The Evidence
Presentation of the evidence?
- A 126 MiB USB key
- Suspect traces are named "forensic target" and are about everything pirate-related

The Evidence
Forensically sound imaging
- Image formats: raw, afflib, libewf, ...
- Tools: dd, sdd, rdd, ddrescue (http://www.gnu.org/software/ddrescue/ddrescue.html), guymager, dcfldd, cstream, ...

The Evidence
Obtain the forensic image using netcat & dd:
Suspect PC:
  dd if=/dev/sda conv=noerror,sync | pipebench | netcat -l 2000 -q 1
Trusted PC:
  netcat 192.168.x.x 2000 | pipebench > /mnt/forensic/sda.dd
What does cryptcat do?

Let's nc
We'll use /mnt/forensic as a reference directory.
Suspect PC (of a trustworthy teacher or some peering student):
  cat usbkey.dd | pipebench | gzip --fast | netcat -l 2000 -q 1
Trusted PC (of a good listening student):
  netcat ip.address.of.sender 2000 | gunzip | pipebench > /mnt/forensic/usbkey.dd
or, with pv as the progress bar:
  nc ipaddress portnr | gunzip | pv -i 1 -s 128m > /mnt/forensic/usbkey.dd

The Evidence
Identifying devices (goals)
- You have to know what to copy
- Writing an accurate report
- Finding suspicious information

The Evidence
Device identification: general information
  cat /proc/partitions
  lshw
  lshw | less
  cat /proc/meminfo
  cat /proc/cpuinfo
  dmesg
  dmesg | more
  dmesg | tee dmesg.txt | grep 'failed'
  x86info
  cpuid

The Evidence
Device identification: ATA/IDE
- Try to find serial numbers
- Name your image using the serial number
  lshw | less
  hdparm -i /dev/hda
  hdparm -I /dev/hda
  lshw | tee lshw.txt | egrep -n -A 2 'disk storage'
  dumpe2fs /dev/hda1    # what?

The Evidence
Device identification: HPA/DCO
  dmesg
  hdparm --dco-identify /dev/hda
  hdparm -N /dev/sda
  disk_stat /dev/hda
USB/FireWire/SATA:
  cat /proc/scsi/scsi
  scsiinfo -s /dev/sda
What does dmidecode report?

Tips
- Redirect into information file(s): lshw >> usbkey-info.txt
- Use the bash autocompletion feature (tab (tab))
- Read man pages
- Difference between > and >>

Image Verification
  md5sum usbkey.dd     # 9580e6bb7d6750ad34e31719129fdcc2
  md5sum /dev/sda
  sha1sum usbkey.dd    # 5f12c42fdb5ea1b9d507636029d303a8f48ed847
  sha1sum /dev/sda

Tips
Think like a plumber: why not use tee to calculate the hash during the imaging?
  dd if=/dev/sda | tee usbkey.dd | md5sum > usbkey.md5
  dd if=/dev/sda | tee usbkey.dd | sha1sum > usbkey.sha1
- Try the same with a progress bar (virtual, using cat)
- Could you obtain this also with dcfldd?
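The "plumber" tip and the Image Verification slide together, as an added example that is not part of the original slides: one read of the source feeds the image file and two hash consumers via tee (a FIFO carries the second copy, so no bash-only process substitution is needed), and the recorded hash is then checked against both the source and the image. A constructed 2048-byte regular file stands in for the USB key; GNU coreutils and a POSIX sh are assumed.

```shell
#!/bin/sh
# Added example (not from the original slides): image a device while hashing
# the stream in-line with tee, then verify the image against the source.
# The "device" is a constructed regular file standing in for /dev/sda.

# image_with_hashes SRC DST: writes DST, DST.md5 and DST.sha1 from one read.
# conv=noerror,sync continues past read errors and pads unreadable blocks with
# zeros, so offsets in the image stay aligned with the original device.
image_with_hashes() {
    src=$1; dst=$2
    fifo=$(mktemp -u) && mkfifo "$fifo" || return 1
    # Second hash consumer reads its copy of the stream from the FIFO.
    sha1sum < "$fifo" | cut -d' ' -f1 > "$dst.sha1" &
    dd if="$src" bs=512 conv=noerror,sync 2>/dev/null \
        | tee "$dst" "$fifo" \
        | md5sum | cut -d' ' -f1 > "$dst.md5"
    wait
    rm -f "$fifo"
}

# verify_image SRC DST: re-hash source and image and compare both with the
# hash recorded during acquisition. Returns 0 only if all three agree.
verify_image() {
    src=$1; dst=$2
    recorded=$(cat "$dst.md5")
    [ "$(md5sum < "$src" | cut -d' ' -f1)" = "$recorded" ] || return 1
    [ "$(md5sum < "$dst" | cut -d' ' -f1)" = "$recorded" ] || return 1
}

# make_sample_device PATH: constructed stand-in for the USB key, 4 sectors of
# filler. The size is a multiple of bs=512, so conv=sync adds no padding and
# the hash of the image can legitimately match the hash of the source.
make_sample_device() {
    yes 'pirate ship' | head -c 2048 > "$1"
}
```

For a real device the size is always a whole number of sectors; for a regular file that is not, conv=sync pads the last block and the two hashes will differ by design.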

The Evidence
Once imaging is done, try to identify the file systems.
DOS type partitioning:
  fdisk -lu usbkey.dd
  sfdisk -lus usbkey.dd
Other types (DOS, MAC, BSD disklabels, SUN):
  mmls usbkey.dd

The Evidence
Is it really a partition magic recovery partition?
  disktype usbkey.dd
disktype recognizes and probes partition types: DOS, APPLE, AMIGA, ATARI ST, BSD, LINUX, SOLARIS
  fsstat -f ntfs -o 51 usbkey.dd

The Evidence
Mounting the file system read-only:
  mount usbkey.dd /mnt/forensic -o loop,offset=$((51*512)) -r
Attention: journaling file systems!
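Turning the sector numbers mmls reports into the byte offset used above, as an added example that is not part of the original slides. The mmls output is constructed to match this case (a 126 MiB key, first partition starting at sector 51) and is not tool output from the page; it assumes 512-byte sectors and, for the journaling caveat, that a "Linux" partition holds an ext-family file system. The mount command is built and printed, not executed.

```shell
#!/bin/sh
# Added example (not from the original slides). MMLS_SAMPLE is constructed
# mmls output for the case's image; 512-byte sectors are assumed.
MMLS_SAMPLE='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000050   0000000051   Unallocated
002:  000:000   0000000051   0000200000   0000199950   NTFS / exFAT (0x07)
003:  000:001   0000200001   0000258047   0000058047   Linux (0x83)'

# allocated_partitions: read mmls output on stdin and print
# "index start_sector byte_offset description" for every allocated entry
# (the Meta and Unallocated rows are skipped).
allocated_partitions() {
    awk '
        /^[0-9]+:/ && $2 != "Meta" && $2 != "-------" {
            idx = substr($1, 1, length($1) - 1) + 0
            start = $3 + 0
            desc = $6; for (i = 7; i <= NF; i++) desc = desc " " $i
            printf "%d %d %d %s\n", idx, start, start * 512, desc
        }'
}

# ro_mount_cmd IMAGE INDEX: build the read-only loop mount for one partition.
# Journaling file systems are the trap the slide warns about: a plain -r mount
# of ext3/ext4 still replays the journal and so modifies the image, hence
# noload for Linux partitions (assumes an ext-family file system).
ro_mount_cmd() {
    image=$1; want=$2
    printf '%s' "$MMLS_SAMPLE" | allocated_partitions \
        | while read -r idx start off desc; do
            [ "$idx" -eq "$want" ] || continue
            opts="ro,loop,offset=$off"
            case "$desc" in *Linux*) opts="$opts,noload" ;; esac
            printf 'mount -o %s %s /mnt/forensic\n' "$opts" "$image"
        done
}
```

Run `ro_mount_cmd usbkey.dd 2` to get the command for the NTFS partition at sector 51 (offset 26112, the same value as $((51*512)) above).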

The Evidence
Basic information about the file system
- Counting regular files: find /mnt/forensic/ -type f | wc -l
- Partition usage: df -h /mnt/forensic