Computer forensic science
"This drive has been victimized!" (Mallory)

CS78 students must help!
CS78 students: "What happened?!"
Every student gets a copy.

Forensic science: it's detective work.
Computer forensic science.
Not enough drives for everybody; would you accept a (large) file?
    dd if=drive of=file        (the result: drive.image)
This week's exercise was shared with us by UCLA professors Peter A. H. Peterson and Peter Reiher (for which, thanks!):
- they had a corrupted/hacked/victimized drive
- they dd'ed it to a file
- they named that file act2.img
- every student gets a copy
Disks, partitions, filesystems, and files
- a virgin hard disk (maybe by Western Digital)
- an MBR written (maybe by grub; partition table inside)
- a partition defined (maybe by fdisk; in the MBR)
- a filesystem written (maybe by mkfs, in the partition)
- files created (maybe by vi, in the filesystem)
Naming of disks and partitions: as if devices (/dev/)
- the disk: /dev/hda
- the partition: /dev/hda1
Q. How can you use your files?
A. Mount their containing filesystem into a hierarchical file tree, at a mountpoint under /.
What does mount mount?
- mount mounts filesystems
- mount does not mount anything else: not disks, not partitions, not files
- give mount the name of the filesystem to mount... but filesystems don't have their own names!
- so instead we give mount the name of a partition that contains the filesystem to mount
Q. How can you mount a filesystem?
A. By referencing its containing partition:
    mount /dev/hda1 /mountpoint
Copy/dd the whole partition (/dev/hda1, on the little disk) into a file on a big disk. The partition copy lacks a device name to mount by; give it one with losetup.
(Figure: file boundaries are dark blue rectangles; file contents are the rectangles' interiors.)
Copy/dd the whole disk (the little disk) into a file on a bigger disk. The disk copy lacks a device name; give it one with losetup.
(Figure: file boundaries are dark blue rectangles; file contents are the rectangles' interiors.)

Obtaining your disk using losetup and mount
- associate /dev/loop0 with data
- now de-associate
- associate with other data
(Figure: loop device boundaries are red rectangles; loop device contents are the rectangles' interiors. On DETER, ~ is persistent.)
- while associated, treat /dev/loop0 as if a device, holding the loop-associated data as the device's content
- first, fdisk worked with /dev/loop0 because the data associated with it was that of a disk, and fdisk works with disks
- later, mount worked with /dev/loop0 when the data associated with it was that of a filesystem, and mount works with filesystems
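As an added example (not from the slides or from Peterson & Reiher's exercise): a Python parser for the MBR partition table of a dd'ed whole-disk image. It computes the byte offset of each partition so that losetup can associate /dev/loop0 with just the partition data, which is what mount needs, whereas fdisk wants the whole-disk data. The image name act2.img and mountpoint ~/sda1 come from the slides; the sample MBR is constructed, and using losetup -o (rather than a second dd of the partition) is this example's choice.

```python
"""Find the filesystem inside a whole-disk image by reading its MBR.
Added example: assumes a classic MBR (not GPT) and 512-byte sectors."""
import struct

SECTOR = 512
MBR_SIGNATURE = 0xAA55      # stored little-endian at bytes 510..511
PART_TABLE_OFFSET = 446     # four 16-byte entries follow the bootstrap code


def parse_mbr(mbr: bytes):
    """Return the non-empty primary partition entries as dicts."""
    if len(mbr) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if struct.unpack_from("<H", mbr, 510)[0] != MBR_SIGNATURE:
        # A partition image starts with a filesystem superblock, not an
        # MBR: that data is what mount wants, and fdisk would reject it.
        raise ValueError("no MBR signature: not a whole-disk image")
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFFSET + 16 * i:PART_TABLE_OFFSET + 16 * (i + 1)]
        # status, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:          # empty slot
            continue
        parts.append({"index": i + 1, "bootable": bool(status & 0x80),
                      "type": ptype, "offset": lba_start * SECTOR,
                      "size": sectors * SECTOR})
    return parts


def loop_commands(image: str, part: dict):
    """losetup/mount pair that exposes only this partition via /dev/loop0."""
    return [f"sudo losetup -o {part['offset']} --sizelimit {part['size']} "
            f"/dev/loop0 {image}",
            "sudo mount -o ro /dev/loop0 ~/sda1"]


def build_sample_mbr() -> bytes:
    """Constructed test data: one bootable Linux (0x83) partition at LBA 2048."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFFSET, 0x80, 0x83, 2048, 4096)
    struct.pack_into("<H", mbr, 510, MBR_SIGNATURE)
    return bytes(mbr)


if __name__ == "__main__":
    # With a real image: mbr = open("act2.img", "rb").read(SECTOR)
    for p in parse_mbr(build_sample_mbr()):
        print(f"partition {p['index']}: type 0x{p['type']:02x}, offset {p['offset']}")
        print("\n".join(loop_commands("act2.img", p)))
```

The read-only mount keeps the evidence image unchanged while you examine ~/sda1.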
Distinguish among machines: 3 computers
- workbench.cfs.usccsci530.isi.deterlab.net (yours)
- users.isi.deterlab.net (holds export-mounted parts of your filesystem)
- the one whose corrupted disk we're analyzing
Pathnames are confusing: don't look at the logs in /var/log, for example; look at those in ~/sda1/var/log.

Software tools
Peterson & Reiher's instructions document numerous commands as potential tools. I found these particularly useful/essential:
- sudo
- history
- e2undel
- strings; xxd and hexedit
sudo: use liberally
- you can't get at sudo's config file, but root can
- everybody can do everything as root, provided they do it through sudo
history: use cat, not the history command
("Must be some sensitive data in here.")
e2undel
- recover to a persistent place
- OK on a mounted image, no need to umount
- try the different time periods when deletions may have occurred
- choose something to recover, then look at it

Binary file contents: strings, xxd
- strings extracts just the ASCII portions
- xxd and hexedit show each byte twice, as both hex and an ASCII symbol (if any; '.' otherwise)
scp: secure remote file copy
- no files start with "pass" on aludra
- we have one locally
- scp puts one there
- and now there it is

System log files start here.
The assignment: write a report.
it was