

Hack 100. Recover Lost Files and Perform Forensic Analysis

The Sleuth Kit and Autopsy are designed for computer forensics, but they also provide a great suite of tools for helping you recover lost data.

Most people know forensics (the application of domain knowledge to legal questions) best from television shows like Quincy (for old people and TV Land fans) or CSI (for younger people). Computer forensics, a science that's growing for a variety of reasons, tries to answer questions like "what the heck happened to my system?", "who hacked in here and what did they change?", and "how did my accountant get all my corporate funds into his Swiss bank account without my noticing?" Even if you don't have one of these specific problems, it's a downright interesting field. What self-respecting computer geek wouldn't like the opportunity to legally burst in somewhere, seize or clone disk drives, do his best to hack in and examine them, and get paid for it, too?

All fun aside, forensic analysis of computer data can save your company's data or bacon (or perhaps both) in court, as well as helping law enforcement officials track down the crackers and thieves who give real hackers a bad name. This hack provides an overview of The Sleuth Kit, the best-known open source software package for computer forensics, and Autopsy, which provides a web-based, graphical frontend to The Sleuth Kit and integrated support for other security and consistency-checking software. The Sleuth Kit (TSK) is based on an earlier collection of forensics tools known as The Coroner's Toolkit (TCT), which is available at http://www.porcupine.org/forensics/tct.html. The Sleuth Kit runs on Linux/Unix systems and can recover files and analyze data from NTFS, FAT, ext2, ext3, UFS1, and UFS2 filesystems.

Walking you through a complete forensic recovery session would require its own book, so the HOWTO portions of this hack will simply explain how to build and install both packages and how to use some of the tools in The Sleuth Kit to recover lost files more easily than you can with the mechanisms discussed in "Recover Deleted Files" [Hack #97].

10.13.1. Building and Installing The Sleuth Kit

The Sleuth Kit and the associated Autopsy package are not provided by default with most Linux distributions, but they're easy enough to build and install. If you're building The Sleuth Kit and Autopsy yourself for installation on your primary system, you can download the latest version of The Sleuth Kit from http://www.sleuthkit.org/sleuthkit/download.php and the latest version of Autopsy from http://www.sleuthkit.org/autopsy/download.php.

One of the key concepts of forensic software is, of course, that you need to be able to run it from a safe, secure environment in order to analyze disks (or disk images) from other systems, so one of the best ways to get and use The Sleuth Kit and Autopsy is to get a bootable CD with these packages installed. My personal favorites are the Penguin Sleuth Kit (http://www.linuxforensics.com/downloads.html), the F.I.R.E. (Forensic and Incident Response Environment) CD (http://fire.dmzs.com), and, for BSD fans, the Snarl Bootable Forensics CD (https://sourceforge.net/projects/snarl/). Each of the CDs includes The Sleuth Kit and a variety of other forensics-related software.


You should always build and install The Sleuth Kit before building and installing Autopsy, because Autopsy's configuration process will ask you for the location of the installed TSK. The downloadable TSK source is provided as a gzipped tar file. To extract its contents and build the software (using Version 2.02 as an example, which was the current version when this book was written), do the following:

 $ tar zxvf sleuthkit-2.02.tar.gz
 $ cd sleuthkit-2.02
 $ make

The Sleuth Kit does not offer an install option, so I generally build it in /usr/local/src and then use sudo or become root to create a symbolic link from /usr/local/sleuthkit to /usr/local/src/sleuthkit-version. I then add /usr/local/sleuthkit/bin to my path, and I'm good to go.

10.13.2. Building and Installing Autopsy and Related Software

The source code for Autopsy is also provided as a downloadable, gzipped tar file. You really only need to install Autopsy if you're interested in forensic analysis. If you're only interested in recovering files using The Sleuth Kit, that's most easily done from the command line (as of the time this book was written; things may have changed by the time you read this).

As mentioned earlier, Autopsy also integrates some other forensics software with the core capabilities provided by The Sleuth Kit, namely a Reference Data Set (RDS) consisting of the digital signatures of known, traceable software applications, which includes hash values for many common hacking scripts and can thus be very useful when trying to determine how a system was hacked. These digital signatures are available from the National Software Reference Library (NSRL), a National Institute of Science and Technology (NIST) project, at the download page http://www.nsrl.nist.gov/Downloads.htm. This page provides ISO images of four CDs, each of which provides signatures for a class of software:

  • ISO 1 contains the signatures of non-English software.

  • ISO 2 contains the signatures of common operating systems.

  • ISO 3 contains the signatures of a huge amount of application software.

  • ISO 4 contains the signatures of standard image and graphics files and formats.

These signatures are contained in the file NSRLFile.txt, which is itself contained in a ZIP file in each of the ISO images. You can produce one true signature file by downloading all of the ISOs, mounting them, and concatenating together all of the resulting files. You'll need 8 GB of free space when you're doing this, because the complete concatenated file is 4 GB in size! The following example uses RDS 2.9 as an example, which was the current version when this book was written. After creating the directory /usr/local/nsrl, do the following for each of the ISOs:

 # mount -o loop RDS_29[ABCD].iso /mnt
 # unzip /mnt/rds_29[abcd].zip NSRLFile.txt
 # mv NSRLFile.txt NSRLFile.txt.[ABCD]
 # umount /mnt

You can then concatenate them using the following command:

 $ cat NSRLFile.txt.A NSRLFile.txt.B NSRLFile.txt.C NSRLFile.txt.D > NSRLFile.txt 

You should then punt all of the NSRLFile.txt.X files, because you no longer need the individual versions.

You're now ready to build and install Autopsy. To extract the Autopsy source code and build the software (using Version 2.05 as an example, which was the current version when this book was written), do the following:

 $ tar zxvf autopsy-2.05.tar.gz
 $ cd autopsy-2.05
 $ make
 Autopsy Forensic Browser Installation
 perl found: /usr/bin/perl
 ---------------------------------------------------------------
 Autopsy uses the grep utility from your local system.
 grep found: /usr/bin/grep
 ---------------------------------------------------------------
 Autopsy uses forensic tools from The Sleuth Kit.
 http://www.sleuthkit.org/sleuthkit/
 Enter the directory where you installed it: /usr/local/sleuthkit
 Sleuth Kit bin directory was found
 Version 2.02 found
 Required version found
 ---------------------------------------------------------------
 The NIST National Software Reference Library (NSRL) contains hash values of known good and bad files.
 http://www.nsrl.nist.gov
 Have you purchased or downloaded a copy of the NSRL (y/n) [n] y
 Enter the directory where you installed it: /usr/local/nsrl
 NSRL database was found (NSRLFile.txt)
 ---------------------------------------------------------------
 Autopsy saves configuration files, audit logs, and output to the Evidence Locker directory.
 Enter the directory that you want to use for the Evidence Locker: /usr/local/evidence_locker
 /usr/local/evidence_locker already exists
 ---------------------------------------------------------------
 Settings saved to conf.pl.
 Execute the './autopsy' command to start with default settings.

You can then run the autopsy command via sudo or as the root user, because it needs root privileges in order to mount disk images, write to the evidence locker directory (unless you've set its ownership so that normal users can write there), and so on:

 # ./autopsy
 ============================================================================
 Autopsy Forensic Browser
 http://www.sleuthkit.org/autopsy/
 ver 2.05
 ============================================================================
 Evidence Locker: /usr/local/evidence_locker
 Start Time: Sun Sep 11 16:57:23 2005
 Remote Host: localhost
 Local Port: 9999

 Open an HTML browser on the remote host and paste this URL in it:
 http://localhost:9999/autopsy

 Keep this process running and use <ctrl-c> to exit

To begin using Autopsy, simply connect to the specified URL using a web browser. As mentioned earlier, stepping through a complete forensic recovery session using Autopsy could easily require its own book, but Autopsy is quite user-friendly in terms of walking you through each step of creating a unique directory (referred to as a "case") to hold the results of the forensic examination of a specific disk, disk image, or set of multiple disks or images. I've found Autopsy to be quite useful for identifying deleted files, such as those shown in Figure 10-6.

Figure 10-6. Browsing a directory of deleted files in Autopsy


10.13.3. Using The Sleuth Kit to Recover Deleted Files

The extent to which you can recover files using The Sleuth Kit (and therefore Autopsy) is completely dependent on the characteristics of the type of filesystem used on each disk or disk image that you're examining. ext2 and ext3 filesystems zero out inodes when the files associated with them are deleted, but the applications provided in The Sleuth Kit can simplify recovering any type of file whose contents you can uniquely identify. This can be problematic when trying to recover binaries, but it's great for text files.

The Sleuth Kit can analyze disks or disk images. To copy an existing partition or disk to a file for forensic analysis, run a command like the following via sudo or as the root user:

 # dd if=/dev/disk-or-partition bs=1024 of=name-of-image-file conv=noerror 

Once you have an image of the partition that contains the data you want to recover, make sure that /usr/local/sleuthkit/bin is in your path, and follow the steps below to recover deleted text files. I'll look for the /etc/passwd file in the sample image file hd5_image_etc_files_deleted.img. This is a clone of my system's root disk, in which I've deleted every text file in /etc. (Good thing I only did that as an example!)

Looking for a deleted text file requires the following steps:

  1. Use TSK's dls command to extract all of the unallocated space from the disk image into a single file, which expedites the process of searching for the file that you've deleted:

     $ dls hd5_image_etc_files_deleted.img > dls_output.dls 

  2. Next, use the standard strings command to search for all text strings in the output file produced by the previous step, and write that information to a file:

     $ strings -t d dls_output.dls > dls_output.dls.str 

  3. Use grep to search for a string that identifies the file you're looking for as uniquely as possible. I'll search for the string :0:0:, which shouldn't appear in too many files other than the /etc/passwd file:

     $ grep ":0:0:" dls_output.dls.str
     130746025 (scsi0:0:0:0)
     130998233 if ( !strncmp( line, "PSPCAM", 6 ) )root:x:0:0:root:/root:/bin/bash
     131698688 root:x:0:0:root:/root:/bin/bash
     150589440 root:x:0:0:root:/root:/bin/bash
     156106752 root:x:0:0:root:/root:/bin/bash
     176209920 root:x:0:0:root:/root:/bin/bash
     182677504 root:x:0:0:root:/root:/bin/bash
     187670528 root:x:0:0:root:/root:/bin/bash
     [snip]

  4. The number at the beginning of each line is the byte offset of that string within dls_output.dls, the file of unallocated blocks that strings scanned. Use the standard Linux dc (desktop calculator) command to divide this offset by the filesystem's block size (4096 for ext2/ext3 filesystems, by default) to get the number of the block, within the unallocated-space file, that holds the string. I'm looking for the block/fragment that contains the string found in the third entry in the previous output, which is located at byte offset 131698688:

     $ dc
     131698688 4096 / p
     32153
     q

  5. Next, use the dcalc command to convert the address from the unallocated block file into the address in the original disk image file:

     $ dcalc -u 32153 hd5_image_etc_files_deleted.img
     34152

  6. Finally, use the dcat command to display the contents of the specified block in the fragment:

     $ dcat hd5_image_etc_files_deleted.img 34152
     root:x:0:0:root:/root:/bin/bash
     bin:x:1:1:bin:/bin:/bin/bash
     daemon:x:2:2:Daemon:/sbin:/bin/bash
     lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
     mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
     games:x:12:100:Games account:/var/games:/bin/bash
     wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
     ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
     nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
     man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
     news:x:9:13:News system:/etc/news:/bin/bash
     uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
     at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
     messagebus:x:100:101:User for D-BUS:/var/run/dbus:/bin/false
     mdnsd:x:78:65534:mDNSResponder runtime user:/var/lib/mdnsd:/bin/false
     postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
     ntp:x:74:65534:NTP daemon:/var/lib/ntp:/bin/false
     sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
     haldaemon:x:101:102:User for haldaemon:/var/run/hal:/bin/false
     gdm:x:50:15:Gnome Display Manager daemon:/var/lib/gdm:/bin/bash
     ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
     ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
     ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
     ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
     [snip]

Voilà! If it looks like a password file and smells like a password file…

Whenever I use this approach, I typically redirect the output of the dcat command into a file, which I can then edit to remove the trailing junk that you see at the end of the last example.


Had I been fumble-fingered enough to actually delete all the files in a real /etc directory, I'd also have to recover /etc/group, possibly /etc/shadow (depending on the authentication mechanism that the system uses), and /etc/fstab, but all of these could easily be recovered using the same approach.
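The six steps above, as an added shell script that is not part of the book: it runs the same dls / strings / grep / dcalc / dcat chain for any search string (so /etc/group or /etc/fstab can be recovered with a different needle), replaces the dc arithmetic with shell arithmetic, handles a hit that straddles a block boundary (like the second grep hit above, which lands mid-block), and strips the NUL padding that dcat shows after the file data. It assumes the TSK 2.x command names used on this page are on PATH; later TSK releases renamed them blkls/blkcalc/blkcat, which the DLS/DCALC/DCAT variables let you substitute.

```shell
#!/bin/sh
# Added example, not from the book: automates the dls -> strings -> grep
# -> dcalc -> dcat recovery for one search string. Assumes the TSK 2.x
# names used on this page; TSK 3.x renamed them blkls/blkcalc/blkcat,
# so override via DLS/DCALC/DCAT if needed.
set -eu

DLS=${DLS:-dls}
DCALC=${DCALC:-dcalc}
DCAT=${DCAT:-dcat}

# Step 4 without dc: byte offset in the dls output -> block number there.
offset_to_block() {
    echo $(( $1 / $2 ))
}

# A hit starting near the end of a block can spill into the next one, so
# list every block that a string of length $2 at offset $1 touches.
blocks_for_span() {
    b=$(( $1 / $3 )); last=$(( ($1 + $2 - 1) / $3 )); out=""
    while [ "$b" -le "$last" ]; do out="$out $b"; b=$(( b + 1 )); done
    echo "${out# }"
}

# Steps 2-3: decimal byte offsets of every occurrence of $2 in file $1.
find_offsets() {
    strings -t d "$1" | grep -F -- "$2" | awk '{print $1}'
}

# Steps 1, 5 and 6 for every hit: map each unallocated-file block back
# to the image block with dcalc -u, dump it with dcat, and drop the NUL
# padding. $3 is the filesystem block size (4096 for ext2/ext3).
recover_blocks() {
    image=$1 needle=$2 bs=${3:-4096} outdir=${4:-recovered}
    mkdir -p "$outdir"
    "$DLS" "$image" > "$outdir/unalloc.dls"
    find_offsets "$outdir/unalloc.dls" "$needle" | while read -r off; do
        for ublk in $(blocks_for_span "$off" "${#needle}" "$bs"); do
            blk=$("$DCALC" -u "$ublk" "$image")
            "$DCAT" "$image" "$blk" | tr -d '\000' > "$outdir/block_$blk.txt"
            echo "offset $off -> dls block $ublk -> image block $blk"
        done
    done
}
# Usage: recover_blocks hd5_image_etc_files_deleted.img ':0:0:' 4096
```

A file larger than one block is only partly recovered this way; for those, also dump the blocks adjacent to the hit and check whether the text continues.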

10.13.4. Summary

The Sleuth Kit and Autopsy are powerful packages that do an incredible amount of work for you if you're trying to recover deleted text files and are basically essential if you're trying to do computer forensics work on the Linux platform.

A huge number of other open source packages that purportedly help recover deleted files are also available. One of the most promising of these is Foremost (http://foremost.sourceforge.net), which is open source but was written by two special agents in the United States Air Force Office of Special Investigations. (No, I'm not kidding.) Foremost uses file header and footer signatures and internal data structures to help identify binary files on a disk or in a disk image. It is currently being updated; the current version (1.0 Beta when this book was written) is hard-wired to accept specific file formats, but they're adding a flexible configuration, which is very promising for sysadmins who need to be able to recover binary files such as Microsoft Office documents, image files, and so on. If you've always wanted to get involved in open source software, this is a great project to start with.

10.13.5. See Also

  • "Recover Data from Crashed Disks" [Hack #94]

  • "Recover Deleted Files" [Hack #97]

  • File System Forensic Analysis, by Brian Carrier (Addison Wesley)

  • Forensic Discovery, by Dan Farmer and Wietse Venema (Addison Wesley)

  • The Sleuth Kit: http://www.sleuthkit.org/sleuthkit/

  • Autopsy: http://www.sleuthkit.org/autopsy/

  • The Sleuth Kit's newsletter: http://www.sleuthkit.org/informer/

  • The Coroner's Toolkit: http://www.porcupine.org/forensics/tct.html

  • Foremost: http://foremost.sourceforge.net

  • More forensics links: http://www.sleuthkit.org/links.php



Linux Server Hacks (Vol. 2)