Computer forensic science



Transcription:

Slide 1. Computer forensic science. "This drive has been victimized!" (Mallory)

Slide 2. CS78 students must help! CS78 students: "What happened?!" Every student gets a copy.

Slide 3. Forensic science: it's detective work. Computer forensic science.

Slide 4. Not enough drives for everybody; would you accept a (large) file? dd if=drive of=file (figure: drive copied to an image file). This week's exercise was shared with us by UCLA professors Peter A. H. Peterson and Peter Reiher (for which, thanks!): they had a corrupted/hacked/victimized drive; they dd'ed it to a file; they named that file act2.img; every student gets a copy.

Slide 5. (a) Disks, partitions, filesystems, and files.
(b) a virgin hard disk (maybe by Western Digital)
(d) an MBR written (maybe by grub; partition table inside)
(c) a filesystem written (maybe by mkfs, in the partition)
(e) a partition defined (maybe by fdisk; in the MBR)
files created (maybe by vi, in the filesystem)
Naming of disks and partitions: as if devices (/dev/): the disk is /dev/hda, the partition is /dev/hda1. (Figure labels: (a) /dev/hda, (b) disk, (c) filesystem in /dev/hda1, (d) MBR, (e) partition; files.)

Slide 6. Q. How can you use your files? A. Mount their containing filesystem into a hierarchical file tree (rooted at /) at a mountpoint. What does mount mount? mount mounts filesystems; mount does not mount anything else: not disks, not partitions, not files. Give mount the name of the filesystem to mount, but filesystems don't have their own names! So instead we give mount the name of a partition that contains the filesystem to mount.

Slide 7. Q. How can you mount a filesystem? A. By referencing its containing partition: mount /dev/hda1 /mountpoint. Copy/dd the whole partition (/dev/hda1 on the little disk) into a file (on the big disk); the partition copy lacks a device name to mount by; give it one with losetup. (Figure: file boundaries are dark blue rectangles; file contents are the rectangles' interiors.)

Slide 8. Copy/dd the whole disk into a file (on a bigger disk): little disk to big disk; the disk copy lacks a device name; give it one with losetup. (Figure: file boundaries are dark blue rectangles; file contents are the rectangles' interiors.)
Obtaining your disk using losetup and mount: associate /dev/loop0 with data; now de-associate; associate with other data. (Figure: loop device boundaries are red rectangles; loop device contents are the rectangles' interiors.) On DETER, ~ is persistent. While associated, treat /dev/loop0 as if it were a device, holding the loop-associated data as the device's content. First, fdisk worked with /dev/loop0 because the data associated with it was that of a disk, and fdisk works with disks. Later, mount worked with /dev/loop0 when the data associated with it was that of a filesystem, and mount works with filesystems.
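Slides 5 through 8 make the point that mount wants a filesystem, which lives inside a partition, which the MBR's partition table locates inside the disk; a dd copy of a whole disk therefore has its filesystem at a byte offset inside the image, and losetup needs to be told that offset. The script below is an added example, not code from the slides or from Peterson & Reiher's instructions: it builds a small constructed image with one Linux partition entry, reads the start sector back out of the MBR with dd and od, converts it to a byte offset, and prints (rather than runs, since they need root) the losetup and mount commands that would attach that filesystem read-only. The -o and -r options of losetup and the offset= and ro mount options are util-linux features; /dev/loop0 and /mnt/evidence are assumed names.

```shell
#!/bin/sh
# Added example: locate a partition inside a raw dd disk image by parsing its
# MBR partition table, so losetup/mount can be pointed at the right byte offset.
set -e
export LC_ALL=C

SECTOR=512
MBR_TABLE=446          # first of the four 16-byte partition entries
MBR_SIG=510            # position of the 0x55 0xAA boot signature

# Little-endian unsigned 32-bit value at byte offset $2 of file $1 (via od -tu1, so host byte order does not matter).
le32_at() {
    dd if="$1" bs=1 skip="$2" count=4 2>/dev/null | od -An -tu1 | {
        read -r b0 b1 b2 b3
        echo $(( b0 + (b1 << 8) + (b2 << 16) + (b3 << 24) ))
    }
}

# Byte at offset $2 of file $1, as two lowercase hex digits.
byte_at() {
    dd if="$1" bs=1 skip="$2" count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Succeeds only if the image carries the MBR boot signature; a plain filesystem image has none.
mbr_signature_ok() {
    [ "$(byte_at "$1" $MBR_SIG)$(byte_at "$1" $((MBR_SIG + 1)))" = "55aa" ]
}

# Partition type byte of entry $2 (1..4) in image $1 (0x83 = Linux, 00 = unused entry).
mbr_partition_type() {
    byte_at "$1" $(( MBR_TABLE + 16 * ($2 - 1) + 4 ))
}

# Byte offset of partition $2 (1..4) in image $1: start LBA (bytes 8..11 of the entry) times the sector size.
mbr_partition_offset() {
    entry=$(( MBR_TABLE + 16 * ($2 - 1) ))
    [ "$(mbr_partition_type "$1" "$2")" != "00" ] || return 1   # empty entry
    echo $(( $(le32_at "$1" $((entry + 8))) * SECTOR ))
}

# Size in bytes of partition $2 (1..4): sector count (bytes 12..15 of the entry) times the sector size.
mbr_partition_size() {
    entry=$(( MBR_TABLE + 16 * ($2 - 1) ))
    echo $(( $(le32_at "$1" $((entry + 12))) * SECTOR ))
}

# --- constructed 4 MiB image: one type-0x83 partition starting at LBA 2048, 4096 sectors long ---
IMG=$(mktemp)
trap 'rm -f "$IMG"' EXIT
dd if=/dev/zero of="$IMG" bs=512 count=8192 2>/dev/null
# entry 1: status, CHS start (3 bytes), type 0x83, CHS end (3 bytes), start LBA 0x00000800, count 0x00001000
printf '\000\000\000\000\203\000\000\000\000\010\000\000\000\020\000\000' \
    | dd of="$IMG" bs=1 seek=$MBR_TABLE conv=notrunc 2>/dev/null
printf '\125\252' | dd of="$IMG" bs=1 seek=$MBR_SIG conv=notrunc 2>/dev/null

mbr_signature_ok "$IMG" || { echo "no MBR signature: not a disk image (a partition/filesystem image mounts at offset 0)"; exit 1; }
OFF=$(mbr_partition_offset "$IMG" 1)
echo "partition 1: type 0x$(mbr_partition_type "$IMG" 1), offset $OFF bytes, size $(mbr_partition_size "$IMG" 1) bytes"
# The privileged steps, printed rather than executed; -r and ro keep the evidence copy read-only.
echo "sudo losetup -r -o $OFF /dev/loop0 $IMG"
echo "sudo mount -o ro,noexec /dev/loop0 /mnt/evidence"
```

For the constructed image the offset comes out as 1048576 (2048 sectors of 512 bytes); on a real act2.img the same functions give the numbers fdisk prints, and a missing 55aa signature is the quick check that tells a whole-disk copy apart from a partition copy before reaching for losetup.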

Slide 9. Distinguish among machines (3 computers): workbench.cfs.usccsci530.isi.deterlab.net (yours); users.isi.deterlab.net (holds export-mounted parts of your filesystem); the one whose corrupted disk we're analyzing. Pathnames are confusing: don't look at the logs in /var/log, for example; look at those in ~/sda1/var/log.
Software tools: Peterson & Reiher's instructions document numerous commands as potential tools. I found these particularly useful/essential: sudo, history, e2undel, strings; xxd and hexedit.

Slide 10. sudo: use liberally. You can't access sudo's config file, but root can. Everybody can do everything as root, provided they do it through sudo. history: use cat, not the history command. Must be some sensitive data in here.

Slide 11. e2undel: recover to a persistent place; OK on a mounted image, no need to umount; try the different time periods when deletions may have occurred; choose something to recover, then look at it.
Binary file contents: strings, xxd. strings extracts just the ASCII portions; xxd and hexedit show each byte twice, as both hex and ASCII symbol (if any, '.' otherwise).
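Slide 11 describes strings as extracting the ASCII portions of a binary file. The script below is an added example, not from the slides or from Peterson & Reiher's instructions: it rebuilds that behaviour from tr and grep so the mechanism is visible (every non-printable byte terminates a run, and only runs of at least N printable characters are reported), runs it over a constructed blob, and then shows the same bytes through od in hex and character form, the two views xxd and hexedit place side by side. The blob's contents and the minimum run length of 4 are constructed choices.

```shell
#!/bin/sh
# Added example: a portable stand-in for strings(1) built from tr and grep,
# applied to a constructed binary blob, plus a hex/character view via od.
set -e
export LC_ALL=C   # byte-wise matching: '.' in grep and [:print:] in tr mean single bytes

# Print runs of at least $2 (default 4) printable ASCII characters found in file $1.
printable_runs() {
    min="${2:-4}"
    # tr replaces every non-printable byte with a newline, which splits the file into
    # candidate runs; grep keeps only the runs that are long enough.
    tr -c '[:print:]' '\n' < "$1" | grep -E "^.{$min,}$" || true
}

# Number of runs reported for file $1 at minimum length $2; a quick triage figure.
printable_run_count() {
    printable_runs "$1" "${2:-4}" | wc -l | tr -d ' '
}

BLOB=$(mktemp)
trap 'rm -f "$BLOB"' EXIT
# Constructed sample: binary noise around two readable fragments and two runs too short to report.
printf 'ab\001\002\003\004db_user=alice\377\376\375hi\000\000api_key=CONSTRUCTED-EXAMPLE\n' > "$BLOB"

echo "runs of 4+ printable characters:"
printable_runs "$BLOB" 4
echo "runs of 2+ printable characters: $(printable_run_count "$BLOB" 2)"

# od -t x1 -t c prints each 16-byte line twice: once as hex, once as characters
# (non-printables appear as escapes or octal), the information xxd shows on one line.
echo "hex and character view:"
od -A d -t x1 -t c "$BLOB" | head -n 4
```

Lowering the minimum length to 2 also surfaces "ab" and "hi", which is the usual strings trade-off: shorter runs find more, including noise. The sample runs in the blob are constructed, not data from the exercise image.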

Slide 12. scp: secure remote file copy. No files start with "pass" on aludra; we have one locally; scp puts one there, and now there it is. System log files start here.

Slide 13. The assignment: write a report. It was