Capturing a Forensic Image. By Justin C. Klein Keane <jukeane@sas.upenn.edu> 12 February, 2013

Before you Begin

The first step in capturing a forensic image is making an initial determination as to the direction of an investigation. If there is any possibility that the investigation could lead to litigation or criminal proceedings, STOP: do not make forensic images. Have the drive pulled and delivered to ISC Security with a proper chain of custody form (http://www.upenn.edu/computing/security/chain/). If the case is a malware incident response, or another incident that will remain internal, then it is appropriate for SAS Security to complete a forensic drive capture.

There are two methods to take a forensic image. The first is to clone the drive; the second is to take an image. In general, images are better, as they are more portable and easier to work with. Cloning a drive may be advantageous in certain circumstances, however, so documentation on this method is included as well.

Step 1 Tools you need

If you intend to clone the target drive you'll need a zeroed drive. This is any hard drive that has been overwritten with zeros, typically using the dd command. A typical way to do this on a Linux system (assuming /dev/sdc is the hard drive to be wiped) would be:

$ dd if=/dev/zero of=/dev/sdc bs=1M

Once a drive is zeroed, a sticky note should be attached to the device indicating the size of the device, when the drive was wiped, and by whom.

If you are going to image a drive, then you simply need another hard drive with sufficient capacity for the image. Note, however, that the drive holding the image must be larger than the drive being imaged: formatted hard drives contain formatting and volume information which take up space, so a 250 GB hard drive is not large enough to capture a 250 GB image.

You'll also want a USB stick to use for copying specific pieces of malware, writing logs, or keeping digital notes on. Additionally you'll need a stack of bootable Linux distributions on CD (or DVD). It is important to have several because, on a given machine, different distributions will work better, worse, or not at all. Even having different versions of the same distribution will be helpful, as one may work when another does not. We typically use: BackTrack, Caine, Deft, Helix and Knoppix. Finally you'll need a notebook that you use for forensics and investigations. Use a dedicated notebook and only use it in such circumstances.

Step 2 Approach the target

When you first arrive at the scene of the potentially compromised machine you will probably want to determine if the machine can safely be powered off. If you want to grab an image of the RAM (a memory dump, or memory image) you must do this prior to shutting down the target. Otherwise, power off the target. Next, record the date and time, plus the incident name, in your notebook.

Plug your USB stick and the drive enclosure with the wiped drive in it into the machine while it's powered off. Boot the machine via CD. To do this, power on the machine and place the CD in the tray. Next, bring up the BIOS boot menu and choose to boot from CD. You may have to press a key as the machine powers on to do this (for instance F12 on most Dell machines, or hold down C on a Mac).

The bootable CD may, or may not, load up. Give the CD sufficient time to load. Different machine architectures and distributions will take variable times to load. Plan on giving the CD 10-15 minutes to boot before giving up. If one disk fails, simply repeat the process with another disk. Once the CD starts to boot Linux you may be presented with a menu of modes in which to boot. Always be sure to review these modes and choose the forensically sound mode. Some distributions have safe, and unsafe, modes of booting, so pay careful attention. Once the live CD has booted, write down in your notebook the distribution that is being used for the capture.

Step 3 Capture an image

The first step in taking a capture is to identify all the devices plugged into the machine. Typically you'll want to identify:

- The internal hard disk
- The external drive
- The USB stick

Each will be in the /dev directory, typically as /dev/sdX where X is a letter starting with a and incrementing. To do this use the fdisk command like so:

# fdisk -l

You should see output that will identify the various drives, their sizes, and partition tables. Note that the zeroed drive won't have a partition table and will merely be identified as a device. The drive size and partitioning are the best clues as to the identity of each drive. If the output is too long and scrolls off the screen, you can pipe it to a pager using the command:

# fdisk -l | less

This will start the less pager, and you can use the up and down arrows to scroll through the output. To quit, type ':q' (colon then q) or press q. For instance, in the following screenshot you can see the first internal hard drive, identified as /dev/sda, which has three partitions of various sizes and formats:

Figure 1: Output of the fdisk command

In the next screenshot, the output at the end of the fdisk command, you can see the two terabyte external drive and the 512 MB USB stick, identified as /dev/sdc and /dev/sdd respectively:

Figure 2: Further output from the fdisk command

Once you have identified the drives, record in your notebook which drive is which, including the designation (i.e. /dev/sda), the drive it corresponds to (i.e. internal hard drive, external USB drive, etc.), the size, and partitioning information.

Now that you know where the drives are, you need to mount the USB stick so you can write files (specifically log files) to it. To do this you first have to make a target directory, then mount the device using the following commands (assuming /dev/sdb1 is a partition on the USB stick; note that while /dev/sdb refers to the device, /dev/sdb1 is the actual partition of the device used for files):

# mkdir /mnt/usbstick
# mount /dev/sdb1 /mnt/usbstick

Once the USB stick is mounted, create a new folder for the incident using the following command, replacing [incidentname] with an appropriate label:

# mkdir /mnt/usbstick/[incidentname]

Note the names of all mount points in your notebook. Take a copy of the fdisk output and write it to the USB stick using command output redirection like so:

# fdisk -l > /mnt/usbstick/[incidentname]/fdisk.txt

Next you'll want to begin the job of copying the target to the wiped drive block by block. The only difference between taking an image and making a drive clone is the target of the copy command. Use the dc3dd command to begin the copying of the target. If you want to take a clone, you copy the entire device to the unmounted external drive.

Cloning a Drive

To clone a drive using the dc3dd command, execute the following command, assuming /dev/sda is the target hard drive, /dev/sdc is the wiped drive, and the USB stick is mounted on /mnt/usbstick; also replace the log filename with one more appropriate:

# dc3dd if=/dev/sda of=/dev/sdc hash=md5 log=/mnt/usbstick/[incidentname]dc3dd.log

This will clone /dev/sda to /dev/sdc, write the log file to the USB stick, and output the md5 hash of the image. Write the command you used down in your notebook.

The following screenshot shows typical output of this command. Note the md5 value:

Figure 4: Using the dc3dd command

Taking an Image

The process for taking a drive image is similar to cloning, but instead of writing to a raw device, you write to a file on a formatted drive. The first step in taking an image is mounting the external drive partition you want to write to. Do this in the same way that you mounted the USB stick, assuming /dev/sdc1 is the partition you wish to write to:

# mkdir /mnt/extharddrive
# mount /dev/sdc1 /mnt/extharddrive

Once the drive is mounted, the command to copy the image is similar. Make sure the drive is mounted by changing into the target directory like so:

# cd /mnt/extharddrive

Next, make a directory for the incident and move into that directory:

# mkdir [incidentname] ; cd [incidentname]

Now you can take the image using dc3dd in the same way as with a drive clone, only the output will be an actual file name:

# dc3dd if=/dev/sda of=160gbhd.img hash=md5 log=dc3ddlog.txt

Figure 5: Taking a drive image (to a file)

This will create a new file that contains an exact copy of the drive. The file extension is somewhat arbitrary. Other extensions used for images include .ewf and .aff.

Step 4 Verification

Once the image is complete, view the log file with the cat command like so:

# cat /mnt/usbstick/[incidentname]dc3dd.log

To verify this md5 you'll have to use the md5sum command like so (for a drive clone):

# md5sum /dev/sdc

For an image the command is the same but the target is the file:

# md5sum /mnt/extharddrive/[incidentname]/drive.img

Note that this can take a long time to complete. The following screenshot shows the md5sum command run against the device in Figure 4:

Figure 6: Verifying the MD5 hash

If you feel confident, you may combine both the capture and verification commands so they run sequentially by separating them with a semi-colon like so (NB: there is no line break in the following command):

# dc3dd if=/dev/sda of=/dev/sdc hash=md5 log=/mnt/usbstick/[incidentname]dc3dd.log ; md5sum /dev/sdc

You must verify that the md5 in the log file (or dc3dd output) matches the sum from the md5sum command. If they do not match, then something has gone wrong. If they do match, record the md5 in your notebook. Halt the bootable CD using the command:

# halt -n

The machine should power down. Unplug the USB stick and the hard drive. On a sticky note attached to the hard drive, note the incident name, the date and time, your name, and the md5 of the image. Note this information in your notebook as well.
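As an added example (not part of the original guide), the following POSIX shell helpers script two checks from Steps 1 and 4: that a drive labelled as zeroed really reads back all zeros, and that the MD5 recorded in the dc3dd log matches an independent md5sum of the clone or image, with the outcome appended to a notes file on the USB stick. The dc3dd log line formats, the paths, and the sample files in demo are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original guide. Two checks the procedure
# above relies on: (1) a "zeroed" drive really reads back all zeros before it is
# labelled, and (2) the MD5 that dc3dd wrote to its log matches an independent
# md5sum of the clone or image. Paths and sample files below are constructed.
set -u
# Check 1: exit 0 if every byte of the device or file is 0x00, 1 otherwise.
is_zeroed() {
    nonzero=$(tr -d '\000' < "$1" | head -c 1 | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# Pull the 32-hex-digit MD5 out of a dc3dd log. dc3dd 7 prints "   <hash> (md5)";
# older builds print "md5 <hash>" (assumed formats); either is matched.
dc3dd_log_md5() {
    grep -i 'md5' "$1" | grep -Eo '[0-9a-f]{32}' | head -n 1
}

# Independent hash of the target: a raw device such as /dev/sdc or an image file.
target_md5() {
    md5sum "$1" | cut -d ' ' -f 1
}

# Check 2: compare the logged hash with the computed one and append a one-line
# record to the notes file on the USB stick. 0 on match, 1 on mismatch/missing.
verify_capture() {
    log=$1; target=$2; notes=$3
    logged=$(dc3dd_log_md5 "$log")
    computed=$(target_md5 "$target")
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if [ -n "$logged" ] && [ "$logged" = "$computed" ]; then
        printf '%s %s md5=%s VERIFIED\n' "$stamp" "$target" "$computed" >> "$notes"
        return 0
    fi
    printf '%s %s log=%s computed=%s MISMATCH\n' "$stamp" "$target" \
        "${logged:-none}" "$computed" >> "$notes"
    return 1
}

# Stand-ins so the helpers run without real drives: a tiny constructed "image",
# a 4 KiB all-zero file, and a dc3dd-style log line carrying the image's hash.
demo() {
    dir=$(mktemp -d)
    printf 'constructed image contents\n' > "$dir/drive.img"
    head -c 4096 /dev/zero > "$dir/wiped.bin"
    printf '   %s (md5)\n' "$(target_md5 "$dir/drive.img")" > "$dir/dc3dd.log"
    is_zeroed "$dir/wiped.bin" && echo "wiped.bin reads back all zeros"
    verify_capture "$dir/dc3dd.log" "$dir/drive.img" "$dir/notes.txt" && cat "$dir/notes.txt"
}
demo
```

On a real capture, call is_zeroed on the wiped device (e.g. /dev/sdc) before labelling it, and verify_capture with the dc3dd log, the clone device or image file, and a notes file under /mnt/usbstick/[incidentname].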