The Enhanced Linux Loopback Device




In the previous section we had to pass an offset to losetup to reach the partition, because the standard loopback device does not recognize partition tables. Guessing where each partition begins in order to mount file systems on loopback devices is tedious and unnecessary. Fortunately, NASA developed an enhanced loopback device that solves the offset problem and makes forensic analysis much easier.

The enhanced loopback device is not bundled with any Linux distribution as of this writing, but it can be found on a publicly accessible FTP server at ftp://ftp.hq.nasa.gov/pub/ig/ccd/enhanced_loopback/. Two installations are needed to get the enhanced functionality: one replaces the kernel with a modified kernel, and the other adds the user-space tools needed to use the features of the new kernel.

Implementation

The first thing you will want to do is edit your lilo.conf file, which determines what is booted at system startup. Edit your current lilo.conf to mimic the following file, taken from a RedHat Linux 7.2 system.

Note 

NASA may have released a newer version of its enhanced loopback device by the time this book is published. If so, you will need to change the version numbers accordingly in this example to make it work for you.

prompt
timeout=50
default=linux
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
message=/boot/message
linear

image=/boot/vmlinuz-2.4.7-10
      label=linux
      initrd=/boot/initrd-2.4.7-10.img
      read-only
      root=/dev/hda2

image=/boot/vmlinuz-2.4.17-xfs-enhanced_loop
      label=linux_enhanced
      root=/dev/hda2
Note 

The device and path entries (boot=/dev/hda, root=/dev/hda2, and the kernel image names) may need to be changed depending on the Linux distribution and disk layout you are using. In this case the root partition was /dev/hda2, but that may differ on your forensic workstation. Additionally, the process explained here was tested on RedHat Linux 7.2. Installing a new kernel may differ on other Linux distributions, and you may have to consult the documentation for your particular distribution.

To install the enhanced loopback kernel, you must download and extract it into a directory using tar. The following command line extracts the kernel source:

forensic# tar xzvf linux-2.4.17-xfs-enhanced.tar.gz -C /usr/src

After the kernel source has been extracted, the kernel must be recompiled. Every installation differs, because the hardware of each forensic workstation differs; when make menuconfig runs, choose the options pertinent to your platform. Run lilo only after the new image has been copied into /boot and lilo.conf contains the linux_enhanced entry, so that the boot loader records the new kernel. The compilation and installation consist of the following commands:

forensic# cd /usr/src/linux-2.4.17-xfs-enhanced_loop
forensic# make menuconfig
forensic# make dep
forensic# make clean
forensic# make bzImage
forensic# make modules
forensic# make modules_install
forensic# cd arch/i386/boot
forensic# cp bzImage /boot/vmlinuz-2.4.17-xfs-enhanced_loop
forensic# lilo -v

After the kernel has been installed, you need to install the loopback tool kit binary files using the following command line:

forensic# rpm -ivh --force loop-utils-0.0.1-1.i386.rpm

Now reboot the system and be sure to choose the new kernel by typing linux_enhanced at the LILO boot prompt; otherwise, you will boot your old kernel. After the machine finishes rebooting, log in as root. You are now running the enhanced kernel; uname -r confirms it by reporting the 2.4.17 enhanced kernel rather than the stock 2.4.7-10.

After the loopback tool kit has been installed, the real magic begins. Using the same evidence file as in the previous section (disk.bin), you attach it with losetup exactly as before, but without an offset. Add the -r flag so that losetup attaches the evidence file read-only, a safety measure you should always take. Once the evidence file is associated with /dev/loop0, type dmesg to display the partitions the kernel found in the image. The partitions fill out the remaining loop devices in order of increasing minor number: the first partition becomes /dev/loop1, the second /dev/loop2, and so on, while /dev/loop0 remains the whole disk. Mount the partition devices as you would on any physical hard drive, again read-only. For the Windows 98 partition the process looks like this:

forensic# losetup -r /dev/loop0 /mnt/storage/disk.bin
forensic# dmesg
forensic# mount -o ro /dev/loop1 /mnt/evidence
forensic# ls /mnt/evidence
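What the enhanced kernel does when you attach the image and read dmesg, done by hand for a stock kernel that still needs losetup offsets: the following added example (not code from the book or from NASA's loop-utils) parses the MBR and any extended-partition chain of a raw disk image, reports each partition's byte offset, and emits the read-only losetup -o lines that map partition n to /dev/loopn, the same numbering the enhanced loopback uses. The sample image is constructed in memory; disk.bin and the /dev/loopN names come from the page, while the partition layout and the function names are this example's own.

```python
"""Partition-table scan of a raw disk image, as the enhanced loopback kernel
performs it at losetup time, done in user space for a stock kernel.

Added example, not code from the book or from NASA's loop-utils.  The sample
image is constructed in memory; its layout is invented for the example."""
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}   # DOS, Win95 LBA and Linux extended partitions
ENTRY_FMT = "<B3sB3sII"               # status, CHS start, type, CHS end, LBA start, sector count


def read_table(image, table_lba):
    """Return the four raw (type, start, count) entries of the MBR/EBR sector at table_lba."""
    lo = table_lba * SECTOR
    sec = image[lo:lo + SECTOR]
    if len(sec) != SECTOR or sec[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature at LBA %d" % table_lba)
    out = []
    for i in range(4):
        raw = sec[446 + 16 * i:446 + 16 * (i + 1)]
        _status, _chs0, ptype, _chs1, start, count = struct.unpack(ENTRY_FMT, raw)
        out.append((ptype, start, count))
    return out


def walk_extended(image, ext_base):
    """Follow the EBR chain of an extended partition and yield its logical partitions."""
    ebr_lba, seen = ext_base, set()
    while ebr_lba not in seen:        # a looped chain means a corrupt or tampered image: stop
        seen.add(ebr_lba)
        entries = read_table(image, ebr_lba)
        ptype, start, count = entries[0]   # entry 0: the logical partition, relative to this EBR
        if ptype and count:
            yield (ptype, ebr_lba + start, count)
        ltype, lstart, _ = entries[1]      # entry 1: link to the next EBR, relative to ext_base
        if ltype not in EXTENDED_TYPES or lstart == 0:
            break
        ebr_lba = ext_base + lstart


def list_partitions(image):
    """Partitions in table order, logicals expanded in place of their extended entry."""
    parts = []
    for ptype, start, count in read_table(image, 0):
        if ptype == 0 or count == 0:
            continue
        found = walk_extended(image, start) if ptype in EXTENDED_TYPES else [(ptype, start, count)]
        for t, s, c in found:
            parts.append({"type": t, "start_lba": s, "sectors": c, "offset": s * SECTOR})
    return parts


def losetup_commands(parts, image_path):
    """Read-only losetup lines: partition n goes on /dev/loop<n>, loop0 is left for the whole image."""
    return ["losetup -r -o %d /dev/loop%d %s" % (p["offset"], n, image_path)
            for n, p in enumerate(parts, start=1)]


def _table_sector(entries):
    """Build one 512-byte MBR/EBR sector from up to four (type, start, count) entries."""
    sec = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries):
        sec[446 + 16 * i:446 + 16 * (i + 1)] = struct.pack(
            ENTRY_FMT, 0x80 if i == 0 else 0, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


def build_sample_image():
    """Constructed 3100-sector image: FAT32 primary at LBA 63, extended at 1063 holding two logicals."""
    img = bytearray(3100 * SECTOR)
    img[0:SECTOR] = _table_sector([(0x0B, 63, 1000), (0x05, 1063, 2000)])
    img[1063 * SECTOR:1064 * SECTOR] = _table_sector([(0x06, 63, 900), (0x05, 1000, 1000)])  # EBR 1
    img[2063 * SECTOR:2064 * SECTOR] = _table_sector([(0x83, 63, 900)])                      # EBR 2
    return bytes(img)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "disk.bin"
    image = open(path, "rb").read() if len(sys.argv) > 1 else build_sample_image()
    parts = list_partitions(image)
    for n, p in enumerate(parts, start=1):
        print("partition %d: type 0x%02x, start LBA %d, %d sectors, byte offset %d"
              % (n, p["type"], p["start_lba"], p["sectors"], p["offset"]))
    for line in losetup_commands(parts, path):
        print(line)
```

Given a path on the command line the script scans that image instead of the built-in sample, so on a stock kernel the printed losetup lines replace the guesswork the previous section described. The chain walk refuses to revisit an EBR it has already seen: a looped chain in evidence indicates corruption or deliberate tampering and is something to report, not to follow indefinitely.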

When you are finished analyzing the evidence, the following commands will break the association created in the preceding commands:

forensic# cd /mnt/storage
forensic# umount /mnt/evidence
forensic# losetup -d /dev/loop0
Caution 

One caveat to using the losetup -d command is that you must be working in the same directory where disk.bin resides, or an error will occur.






Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004
Pages: 189