Hack 100. Recover Lost Files and Perform Forensic Analysis
The Sleuth Kit and Autopsy are designed for computer forensics, but they also provide a great suite of tools for helping you recover lost data.

Most people know forensics (the application of domain knowledge to legal questions) best from television shows like Quincy (for old people and TV Land fans) or CSI (for younger people). Computer forensics, a science that's growing for a variety of reasons, tries to answer questions like "what the heck happened to my system?", "who hacked in here and what did they change?", and "how did my accountant get all my corporate funds into his Swiss bank account without my noticing?" Even if you don't have one of these specific problems, it's a downright interesting field. What self-respecting computer geek wouldn't like the opportunity to legally burst in somewhere, seize or clone disk drives, do his best to hack in and examine them, and get paid for it, too? All fun aside, forensic analysis of computer data can save your company's data or bacon (or perhaps both) in court, as well as helping law enforcement officials track down the crackers and thieves who give real hackers a bad name.

This hack provides an overview of The Sleuth Kit, the best-known open source software package for computer forensics, and Autopsy, which provides a web-based, graphical frontend to The Sleuth Kit and integrated support for other security and consistency-checking software. The Sleuth Kit (TSK) is based on an earlier collection of forensics tools known as The Coroner's Toolkit (TCT), which is available at http://www.porcupine.org/forensics/tct.html. The Sleuth Kit runs on Linux/Unix systems and can recover files and analyze data from NTFS, FAT, ext2, ext3, UFS1, and UFS2 filesystems.

Walking you through a complete forensic recovery session would require its own book, so the HOWTO portions of this hack will simply explain how to build and install both packages and how to use some of the tools in The Sleuth Kit to recover lost files more easily than you can with the mechanisms discussed in "Recover Deleted Files" [Hack #97].

10.13.1. Building and Installing The Sleuth Kit

The Sleuth Kit and the associated Autopsy package are not provided by default with most Linux distributions, but they're easy enough to build and install. If you're building The Sleuth Kit and Autopsy yourself for installation on your primary system, you can download the latest version of The Sleuth Kit from http://www.sleuthkit.org/sleuthkit/download.php and the latest version of Autopsy from http://www.sleuthkit.org/autopsy/download.php.
You should always build and install The Sleuth Kit before building and installing Autopsy, because Autopsy's configuration process will ask you for the location of the installed TSK. The downloadable TSK source is provided as a gzipped tar file. To extract its contents and build the software (using Version 2.02 as an example, which was the current version when this book was written), do the following:

    $ tar zxvf sleuthkit-2.02.tar.gz
    $ cd sleuthkit-2.02
    $ make

This version of The Sleuth Kit does not offer an install target, so I generally build it in /usr/local/src and then use sudo or become root to create a symbolic link from /usr/local/sleuthkit to /usr/local/src/sleuthkit-version. I then add /usr/local/sleuthkit/bin to my path, and I'm good to go.

10.13.2. Building and Installing Autopsy and Related Software

The source code for Autopsy is also provided as a downloadable, gzipped tar file. You really only need to install Autopsy if you're interested in forensic analysis. If you're only interested in recovering files using The Sleuth Kit, that's most easily done from the command line (as of the time this book was written; things may have changed by the time you read this).

As mentioned earlier, Autopsy also integrates some other forensics software with the core capabilities provided by The Sleuth Kit: namely, a Reference Data Set (RDS) consisting of the digital signatures (cryptographic hashes) of known, traceable software applications. Because the set includes hash values for many common hacking scripts as well as for ordinary operating system and application files, it is useful in two ways when trying to determine how a system was hacked: a hash match against a known tool flags it immediately, and matches against known, unmodified system files let you set those aside and concentrate on what is left. These digital signatures are available from the National Software Reference Library (NSRL), a National Institute of Standards and Technology (NIST) project, at the download page http://www.nsrl.nist.gov/Downloads.htm. This page provides ISO images of four CDs, each of which provides signatures for a class of software:
These signatures are contained in the file NSRLFile.txt, which is itself contained in a ZIP file in each of the ISO images. You can produce one complete signature file by downloading all of the ISOs, mounting them, and concatenating the resulting files. You'll need 8 GB of free space when you're doing this, because the complete concatenated file is 4 GB in size! The following example uses RDS 2.9, which was the current version when this book was written. After creating the directory /usr/local/nsrl and changing to it (unzip extracts into the current directory), do the following for each of the ISOs:

    # mount -o loop RDS_29[ABCD].iso /mnt
    # unzip /mnt/rds_29[abcd].zip NSRLFile.txt
    # mv NSRLFile.txt NSRLFile.txt.[ABCD]
    # umount /mnt

You can then concatenate them using the following command:

    $ cat NSRLFile.txt.A NSRLFile.txt.B NSRLFile.txt.C NSRLFile.txt.D > NSRLFile.txt

You should then delete all of the NSRLFile.txt.X files, because you no longer need the individual versions.

You're now ready to build and install Autopsy. To extract the Autopsy source code and build the software (using Version 2.05 as an example, which was the current version when this book was written), do the following:

    $ tar zxvf autopsy-2.05.tar.gz
    $ cd autopsy-2.05
    $ make

    Autopsy Forensic Browser Installation

    perl found: /usr/bin/perl

    ---------------------------------------------------------------
    Autopsy uses the grep utility from your local system.
    grep found: /usr/bin/grep

    ---------------------------------------------------------------
    Autopsy uses forensic tools from The Sleuth Kit.
    http://www.sleuthkit.org/sleuthkit/
    Enter the directory where you installed it: /usr/local/sleuthkit
      Sleuth Kit bin directory was found
      Version 2.02 found
      Required version found

    ---------------------------------------------------------------
    The NIST National Software Reference Library (NSRL) contains hash values
    of known good and bad files.
      http://www.nsrl.nist.gov
    Have you purchased or downloaded a copy of the NSRL (y/n) [n] y
    Enter the directory where you installed it: /usr/local/nsrl
      NSRL database was found (NSRLFile.txt)

    ---------------------------------------------------------------
    Autopsy saves configuration files, audit logs, and output to the
    Evidence Locker directory.
    Enter the directory that you want to use for the Evidence Locker: /usr/local/evidence_locker
      /usr/local/evidence_locker already exists

    ---------------------------------------------------------------
    Settings saved to conf.pl.
    Execute the './autopsy' command to start with default settings.

You can then run the autopsy command via sudo or as the root user, because it needs root privileges in order to mount disk images, write to the evidence locker directory (unless you've set its ownership so that normal users can write there), and so on:

    # ./autopsy

    ============================================================================
                           Autopsy Forensic Browser
                       http://www.sleuthkit.org/autopsy/
                                 ver 2.05
    ============================================================================
    Evidence Locker: /usr/local/evidence_locker
    Start Time: Sun Sep 11 16:57:23 2005
    Remote Host: localhost
    Local Port: 9999

    Open an HTML browser on the remote host and paste this URL in it:

        http://localhost:9999/autopsy

    Keep this process running and use <ctrl-c> to exit

To begin using Autopsy, simply connect to the specified URL using a web browser. Leave Autopsy bound to localhost as shown here; if you need to work on it from another machine, reach it over an SSH tunnel rather than exposing a root-privileged web server to the network. As mentioned earlier, stepping through a complete forensic recovery session using Autopsy could easily require its own book, but Autopsy is quite user-friendly in terms of walking you through each step of creating a unique directory (referred to as a "case") to hold the results of the forensic examination of a specific disk, disk image, or set of multiple disks or images. I've found Autopsy to be quite useful for identifying deleted files, such as those shown in Figure 10-6.

Figure 10-6. Browsing a directory of deleted files in Autopsy

10.13.3. Using The Sleuth Kit to Recover Deleted Files

The extent to which you can recover files using The Sleuth Kit (and therefore Autopsy) is completely dependent on the characteristics of the type of filesystem used on each disk or disk image that you're examining. When a file is deleted on ext3, the block pointers in its inode are zeroed, so the filesystem's own metadata no longer tells you where the file's data lived (ext2 frees the inode but leaves the pointers in place, which is why undeletion by inode is more often possible there). Either way, the data blocks themselves are usually untouched until they're reused, and the applications provided in The Sleuth Kit can simplify recovering any file whose contents you can uniquely identify: search the image for a string you know the file contained, map the hit to a block, and pull out that block or the inode that owned it. This can be problematic when trying to recover binaries, but it's great for text files.

The Sleuth Kit can analyze disks or disk images. To copy an existing partition or disk to a file for forensic analysis, run a command like the following via sudo or as the root user:

    # dd if=/dev/disk-or-partition bs=1024 of=name-of-image-file conv=noerror

Two cautions if the copy is going to matter. First, conv=noerror alone makes dd skip unreadable blocks, which shifts the offset of everything after them; if the disk has bad sectors, use conv=noerror,sync so that unreadable blocks are padded with zeros and block numbers in the image still match the original. Second, hash both the device and the image (md5sum or sha1sum) and record the values before you start, then do all of your analysis on the image, not on the original disk.

Once you have an image of the partition that contains the data you want to recover, make sure that /usr/local/sleuthkit/bin is in your path, and follow the steps below to recover deleted text files. I'll look for the /etc/passwd file in the sample image file hd5_image_etc_files_deleted.img. This is a clone of my system's root disk, in which I've deleted every text file in /etc. (Good thing I only did that as an example!) Looking for a deleted text file requires the following steps:
Voilà! If it looks like a password file and smells like a password file…
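The procedure sketched above, imaging a partition and then locating a deleted text file by its content, is easy to script. The following is an added example and not code from the book or from The Sleuth Kit project. It assumes a raw image of a single partition (not a whole disk, which would need TSK's -o offset option), a filesystem block size of 4096 bytes unless BLOCK_SIZE is set, and GNU grep, dd and coreutils. The TSK tools it calls (ifind -d to map a block to its inode, icat to dump a file by inode) exist in both the 2.x and 3.x series; it falls back to dd when they are absent or, as on ext3, the inode lookup finds nothing. The make_sample_image function constructs a stand-in "partition" so the script can be exercised without a real one; because that file is not a real filesystem, TSK's ifind would find no inode on it and the dd fallback is what runs.

```shell
#!/bin/sh
# Added example, not code from the book or from The Sleuth Kit project.
# Images a partition with dd, records its hash, then finds a deleted text
# file in the image by content and recovers the block that holds it,
# handing off to TSK's ifind/icat when they are installed.
# Assumptions: a raw image of one partition (not a whole disk), a
# filesystem block size of 4096 unless BLOCK_SIZE says otherwise, and GNU
# grep/dd/coreutils. make_sample_image builds a constructed stand-in for a
# real partition so the script can be exercised without one.

BLOCK_SIZE=${BLOCK_SIZE:-4096}

# SHA-256 of a file, with whichever tool the host provides
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Copy a device (or file) to an image. conv=noerror,sync keeps reading past
# unreadable sectors and pads them with zeros, so every later byte keeps its
# original offset; conv=noerror alone would silently drop them and shift
# everything after. bs=512 limits the damage of one bad sector to 512 bytes.
# Writes <image>.sha256 and returns 0 only if source and image hash alike.
image_partition() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    hash_file "$img" > "$img.sha256"
    [ "$(hash_file "$src")" = "$(cat "$img.sha256")" ]
}

# Byte offset in the image -> filesystem block number / offset within block
block_of() { echo $(( $1 / BLOCK_SIZE )); }
block_offset_of() { echo $(( $1 % BLOCK_SIZE )); }

# Byte offset of the first occurrence of a fixed string (empty if absent)
find_offset() {
    grep -obaF -- "$2" "$1" | head -n 1 | cut -d: -f1
}

# Dump one filesystem block; works without TSK (TSK's own tool for this is
# dcat in 2.x, renamed blkcat in 3.x)
dump_block() { dd if="$1" bs="$BLOCK_SIZE" skip="$2" count=1 2>/dev/null; }

# Recover the file containing a known string. If ifind can map the block
# back to an unallocated inode, icat returns the whole file. On ext3 the
# inode's block pointers are zeroed at deletion, so that lookup usually
# fails; we then fall back to the raw block and strip its zero padding.
# The tail of a block may also hold slack from an older file, so read
# the output critically.
recover_by_content() {
    img=$1; pattern=$2
    off=$(find_offset "$img" "$pattern")
    [ -n "$off" ] || { echo "pattern not found in $img" >&2; return 1; }
    blk=$(block_of "$off")
    if command -v ifind >/dev/null 2>&1; then
        inode=$(ifind -d "$blk" "$img" 2>/dev/null)
        case $inode in
            ''|*[!0-9]*) ;;                       # no inode, or an error text
            *) icat "$img" "$inode" && return 0 ;;
        esac
    fi
    dump_block "$img" "$blk" | tr -d '\000'
}

# Constructed sample "partition": 4 zeroed blocks with a passwd fragment in
# block 2, mimicking a deleted /etc/passwd whose data block is still intact.
make_sample_image() {
    dd if=/dev/zero of="$1" bs="$BLOCK_SIZE" count=4 2>/dev/null
    printf 'root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\n' |
        dd of="$1" bs="$BLOCK_SIZE" seek=2 conv=notrunc 2>/dev/null
}

# usage: sh recover.sh /dev/sdXN partition.img 'root:x:0:0'
if [ $# -ge 2 ]; then
    image_partition "$1" "$2" || echo "warning: image hash differs from source" >&2
    recover_by_content "$2" "${3:-root:x:0:0}"
fi
```

Pick the search string carefully: "root:x:0:0" pins down /etc/passwd, but a string such as "nologin" turns up in many files and the first hit may belong to something else entirely, so check block_offset_of and the surrounding block contents before you trust what came back. On a whole-disk image, convert the byte offset to a block relative to the start of the partition before giving it to ifind.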
Had I been fumble-fingered enough to actually delete all the files in a real /etc directory, I'd also have to recover /etc/group, possibly /etc/shadow (depending on the authentication mechanism that the system uses), and /etc/fstab, but all of these could easily be recovered using the same approach.

10.13.4. Summary

The Sleuth Kit and Autopsy are powerful packages that do an incredible amount of work for you if you're trying to recover deleted text files and are basically essential if you're trying to do computer forensics work on the Linux platform. A huge number of other open source packages that purportedly help recover deleted files are also available. One of the most promising of these is Foremost (http://foremost.sourceforge.net), which is open source but was written by two special agents in the United States Air Force Office of Special Investigations. (No, I'm not kidding.) Foremost uses file header and footer signatures and internal data structures to help identify binary files on a disk or in a disk image. It is currently being updated: the current version (1.0 Beta when this book was written) is hard-wired to accept specific file formats, but the developers are adding a flexible configuration, which is very promising for sysadmins who need to be able to recover binary files such as Microsoft Office documents, image files, and so on. If you've always wanted to get involved in open source software, this is a great project to start with.

10.13.5. See Also