Linux has several features that make it ideal as a digital evidence acquisition and examination system. Linux contains many useful utilities that are designed to work together: the output of one tool can easily be fed into another. This ability to pipe (represented by a vertical bar "|") output from one program into another creates great flexibility. For instance, after sanitizing a disk (dd if=/dev/zero of=/dev/fd0; sync), the following command combination can be used to verify that all sectors are filled with zeros:
dd if=/dev/hda | xxd | grep -v "0000 0000 0000 0000 0000 0000 0000 0000"
This command looks for anything that is non-zero and should return nothing provided the disk has been properly sanitized. Also, Linux supports many file system types and can be used to examine media from UNIX, Windows, Macintosh, and other more arcane systems. Linux also permits direct access to devices, making it easier to acquire data from damaged media and bypass copy protection on certain memory cards. Furthermore, Linux is open source, creating a large technical support base and allowing digital evidence examiners to verify and augment its operation.
Prior to making a bitstream copy of a disk, it may be necessary to perform a keyword search to determine if there is relevant digital evidence on the system. This is particularly useful when looking for specific items on a large number of systems. The most efficient approach to searching many computers is to boot them using an evidence acquisition boot disk and run a disk search utility from the UNIX prompt. The grep command on Linux provides this keyword search capability. Once a system with useful evidence has been identified, a full bitstream copy can be made.
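The pipeline above and the grep sweep described in this paragraph both amount to reading raw media from start to end and testing each byte run. The following Python script is an added example (not from the book) that does both in one chunked pass over an image file or a device opened read-only: it reports the offset of the first non-zero byte after a wipe, and it reports keyword hits with their byte offsets, carrying the tail of each chunk into the next so a keyword split across two reads is still found. It also searches each keyword as UTF-16LE, which the text does not mention; that is an addition for media written by Windows software. The sample data is constructed.

```python
"""Chunked scan of a raw image or device for zero-fill and keywords.

Added example (not from the book): a Python counterpart of
  dd if=/dev/hda | xxd | grep -v "0000 0000 0000 0000 0000 0000 0000 0000"
and of a grep keyword sweep over raw media. Sources may be bytes (for the
constructed demo below) or a binary file object such as an image file or
a block device opened read-only.
"""
import io

CHUNK = 1 << 20  # 1 MiB reads; unrelated to the device's sector size


def _as_file(src):
    return io.BytesIO(src) if isinstance(src, (bytes, bytearray)) else src


def first_nonzero(src, chunk=CHUNK):
    """Offset of the first non-zero byte, or None if the whole source is zero.

    Any returned offset means sanitisation failed; None is the result the
    dd | xxd | grep -v pipeline expresses by printing nothing.
    """
    src = _as_file(src)
    offset = 0
    while True:
        buf = src.read(chunk)
        if not buf:
            return None
        rest = buf.lstrip(b"\x00")      # strips leading zero bytes only
        if rest:
            return offset + len(buf) - len(rest)
        offset += len(buf)


def keyword_search(src, keywords, chunk=CHUNK, utf16=True):
    """Return sorted (offset, keyword, encoding) triples for every hit.

    The last (longest pattern - 1) bytes of each chunk are carried into the
    next read so that a keyword straddling a chunk boundary is still found;
    hits lying entirely inside the carried bytes were already reported.
    """
    src = _as_file(src)
    patterns = []
    for kw in keywords:
        patterns.append((kw.encode("ascii"), kw, "ascii"))
        if utf16:
            patterns.append((kw.encode("utf-16-le"), kw, "utf-16-le"))
    overlap = max(len(p) for p, _, _ in patterns) - 1
    tail, base, hits = b"", 0, []      # base: stream offset of tail[0]
    while True:
        buf = src.read(chunk)
        if not buf:
            break
        data = tail + buf
        carried = len(tail)
        for pat, kw, enc in patterns:
            i = data.find(pat)
            while i >= 0:
                if i + len(pat) > carried:   # match extends into new bytes
                    hits.append((base + i, kw, enc))
                i = data.find(pat, i + 1)
        keep = min(overlap, len(data))
        base += len(data) - keep
        tail = data[len(data) - keep:]
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample: 4 KiB of zeros with one stray byte, then a tiny
    # "disk" holding the keyword in ASCII and in UTF-16LE.
    wiped = bytearray(4096)
    wiped[3000] = 0x41
    print("first non-zero byte at", first_nonzero(bytes(wiped), chunk=1024))
    media = (b"\x00" * 10 + b"hunter" + b"\x00" * 5
             + "hunter".encode("utf-16-le") + b"xxhunterzz")
    for off, kw, enc in keyword_search(media, ["hunter"], chunk=7):
        print(f"{off:8d}  {kw}  ({enc})")
```

Run against a device, pass `open("/dev/sdb", "rb")` (an assumed device name) as the source; the chunk size only affects memory use, not the result.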
The mainstay of acquiring digital evidence using UNIX is the dd command. The simplest example is using dd to make a bitstream copy of a floppy disk: dd if=/dev/fd0 of=floppycopy.dd. The dd command has many options, allowing the user to specify the block size of the evidentiary drive and to save segments of a bitstream copy in multiple files (e.g. to fit on compact disks). The output of dd can be saved in a file as shown above, or put directly onto a blank hard drive to create a clone, or can be sent through a network connection to a remote collection system using netcat. In addition to copying disks, the dd command can be used to perform analysis such as classifying data on storage media as described in the Handbook of Computer Crime Investigation, Chapter 8 (Seglem et al. 2001).
There are some nuances to copying a UNIX disk in this way that are worth mentioning. By default, dd assumes that each sector on a disk is 512 bytes. Copying large disks in 512-byte segments is inefficient and may cause confusion when copying tapes with interblock gaps. Also, when UNIX creates a file system on a disk, it takes into account disk geometry (recall cylinder/block groups). Therefore, if the two disks have even a slightly different geometry, a computer may not be able to find and boot the operating system from the new hard disk because it will be in a slightly different location on the disk. However, although the new disk will not be bootable, it will still be mountable and can be examined using another UNIX system.
When dealing with hard drives that have multiple partitions, it is advisable to make a bitstream copy of the entire disk first and then extract individual partitions later as needed (Carrier 2003a).[3] In this way, a complete copy of the original drive is preserved. Also, before making a bitstream copy, in addition to calculating the MD5 value of the drive, it is useful to document the hard drive that is being copied. To obtain information about a hard drive and the partitions on the drive, use the following commands on Linux:
examiner1% grep hd /var/log/dmesg
ide0: BM-DMA at 0xa890-0xa897, BIOS settings: hda:DMA, hdb:pio
ide1: BM-DMA at 0xa898-0xa89f, BIOS settings: hdc:pio, hdd:pio
hda: HITACHI_DK23DA-20, ATA DISK drive
hda: 39070080 sectors (20004 MB) w/2048KiB Cache, CHS=2584/240/63, UDMA(100)
 hda: hda1 hda2 hda3 hda4 < hda5 >
examiner1% /sbin/hdparm -I /dev/hda

/dev/hda:

ATA device, with non-removable media
    Model Number:       HITACHI_DK23DA-20
    Serial Number:      14RM3D
    Firmware Revision:  00J2A0F3
Standards:
    Used: ATA/ATAPI-5 T13 1321D revision 3
    Supported: 5 4 3 2 & some of 6
Configuration:
    Logical         max     current
    cylinders       16383   16383
    heads           16      16
    sectors/track   63      63
    --
    CHS current addressable sectors:   16514064
    LBA    user addressable sectors:   39070080
    device size with M = 1024*1024:       19077 MBytes
    device size with M = 1000*1000:       20003 MBytes (20 GB)
Capabilities:
    <cut for brevity>
examiner1% /sbin/sfdisk -l -uS /dev/hda

Disk /dev/hda: 2584 cylinders, 240 heads, 63 sectors/track
Units = sectors of 512 bytes, counting from 0

   Device Boot    Start       End   #sectors  Id  System
/dev/hda1   *        63    211679     211617  83  Linux
/dev/hda2        211680  20684159   20472480  83  Linux
/dev/hda3      20684160  22317119    1632960  82  Linux swap
/dev/hda4      22317120  39070079   16752960   f  Win95 Ext'd (LBA)
/dev/hda5      22317183  39070079   16752897  83  Linux
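The sfdisk listing is what makes "extract individual partitions later as needed" possible: each row gives the start sector and sector count that a dd command with skip= and count= needs. The following Python script is an added example (not from the book) that parses a sector-unit sfdisk listing, rejects a row whose #sectors column does not agree with its Start and End columns (a mis-copied table must not drive a carve), reports which partitions lie inside others (hda5 inside the extended container hda4 above), prints the equivalent dd command, and carves the partition out of a whole-disk image. SFDISK_HDA is a constructed copy of the listing shown above; the image used by demo_carve() and the names hda.dd and hda1.dd are constructed as well.

```python
"""Carve one partition out of a whole-disk bitstream copy.

Added example (not from the book): parses the sector-unit listing that
`sfdisk -l -uS` prints, checks it for internal consistency, and carves a
partition from an image file exactly as
  dd if=hda.dd of=hda1.dd bs=512 skip=START count=SECTORS
would. SFDISK_HDA is a constructed copy of the listing in the text.
"""
import os
import re
import tempfile

SECTOR = 512

SFDISK_HDA = """\
Disk /dev/hda: 2584 cylinders, 240 heads, 63 sectors/track
Units = sectors of 512 bytes, counting from 0
   Device Boot    Start       End   #sectors  Id  System
/dev/hda1   *        63    211679     211617  83  Linux
/dev/hda2        211680  20684159   20472480  83  Linux
/dev/hda3      20684160  22317119    1632960  82  Linux swap
/dev/hda4      22317120  39070079   16752960   f  Win95 Ext'd (LBA)
/dev/hda5      22317183  39070079   16752897  83  Linux
"""

_ROW = re.compile(r"^(/dev/\S+)\s+(\*\s+)?(\d+)\s+(\d+)\s+(\d+)\s+([0-9a-fA-F]+)\s+(.*)$")


def parse_sfdisk(text):
    """Map device name -> dict(start, end, sectors, id, system, boot).

    A row whose #sectors column disagrees with End - Start + 1 raises,
    because a mis-transcribed table must never drive a carve.
    """
    parts = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        dev, boot, start, end, count, pid, system = m.groups()
        start, end, count = int(start), int(end), int(count)
        if count != end - start + 1:
            raise ValueError(f"{dev}: #sectors {count} != {end - start + 1}")
        parts[dev] = {"start": start, "end": end, "sectors": count,
                      "id": pid.lower(), "system": system.strip(),
                      "boot": boot is not None}
    return parts


def nested_partitions(parts):
    """Pairs (inner, outer) where inner lies wholly inside outer, e.g. a
    logical partition inside its extended container."""
    pairs = []
    for a, pa in parts.items():
        for b, pb in parts.items():
            if a != b and pb["start"] <= pa["start"] and pa["end"] <= pb["end"]:
                pairs.append((a, b))
    return sorted(pairs)


def dd_command(image, out, part):
    """The equivalent dd invocation, for the examination notes."""
    return f"dd if={image} of={out} bs={SECTOR} skip={part['start']} count={part['sectors']}"


def carve_partition(image_path, out_path, part, bufsize=SECTOR * 2048):
    """Copy the partition's sectors from image_path into out_path; return bytes written."""
    offset = part["start"] * SECTOR
    remaining = part["sectors"] * SECTOR
    if offset + remaining > os.path.getsize(image_path):
        raise ValueError("partition extends past the end of the image")
    written = 0
    with open(image_path, "rb") as src, open(out_path, "wb") as dst:
        src.seek(offset)
        while remaining:
            buf = src.read(min(bufsize, remaining))
            if not buf:
                raise IOError("short read: image truncated")
            dst.write(buf)
            written += len(buf)
            remaining -= len(buf)
    return written


def demo_carve(sectors=64, start=3, count=4):
    """Build a constructed image whose sector i is filled with byte i,
    carve `count` sectors from `start`, and return the carved bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        image, out = os.path.join(tmp, "hda.dd"), os.path.join(tmp, "hda1.dd")
        with open(image, "wb") as f:
            for i in range(sectors):
                f.write(bytes([i % 256]) * SECTOR)
        carve_partition(image, out, {"start": start, "sectors": count})
        with open(out, "rb") as f:
            return f.read()


if __name__ == "__main__":
    parts = parse_sfdisk(SFDISK_HDA)
    print(dd_command("hda.dd", "hda1.dd", parts["/dev/hda1"]))
    print("nested:", nested_partitions(parts))
    print("demo carve:", len(demo_carve()), "bytes")
```

The consistency check matters because the listing is usually transcribed into the examination notes by hand; a single dropped digit in a start sector would silently carve the wrong region.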
It is also important to calculate the message digest value of data on the disk for later comparison. Linux provides message digest utilities such as md5sum and sha1sum that can be used to verify the integrity of digital evidence. The following combination of commands uses dd to extract data from a floppy disk and feed it to md5sum to calculate the MD5 value of the disk:
examiner1% dd if=/dev/fd0 bs=512 | md5sum
2880+0 records in
2880+0 records out
de3af39674f76d1eb2d652543c536a32  -
This MD5 value can be compared with that of the evidence after it is collected as shown here:
examiner1% dd if=/dev/fd0 of=hunter-floppy.dd bs=512
2880+0 records in
2880+0 records out
examiner1% md5sum hunter-floppy.dd
de3af39674f76d1eb2d652543c536a32  hunter-floppy.dd
The DCFL created an enhanced version called dcfldd[4] that can calculate MD5 values of data at regular intervals during the copying process.
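The two command sequences above establish the digest of the source (read through dd) and the digest of the resulting file separately, and dcfldd's interval digests add the ability to say which part of a copy is wrong rather than only that something is. The following Python script is an added example (not from the book) that does both in one pass: it copies block by block, counts full and partial records the way dd reports them, records the MD5 and SHA-1 of everything copied, and records an MD5 for each window of blocks so that a later comparison can localise damage to a sector range. Sources and destinations may be bytes or binary file objects; the sample data is constructed.

```python
"""Bitstream copy with whole-image and interval digests.

Added example (not from the book): reproduces what `dd if=/dev/fd0 bs=512
| md5sum` and a later `md5sum` of the output file establish, and adds
dcfldd-style digests of fixed windows so that a damaged copy can be
localised to a range of sectors.
"""
import hashlib
import io


def _as_file(obj):
    return io.BytesIO(obj) if isinstance(obj, (bytes, bytearray)) else obj


def md5sum(src, bs=512):
    """MD5 of bytes or a file object, read in bs-byte blocks (`md5sum file`)."""
    src, h = _as_file(src), hashlib.md5()
    for buf in iter(lambda: src.read(bs), b""):
        h.update(buf)
    return h.hexdigest()


def acquire(src, dst=None, bs=512, window=2048):
    """Copy src to dst block by block, hashing as it goes.

    Returns a report with dd-style record counts (a short last block is a
    partial record, dd's "N+1 records in"), the MD5 and SHA-1 of everything
    copied, and (start, end, md5) for each window of `window` blocks.
    With dst=None the copy is kept in memory and returned as report["copy"]
    (demo and testing only; real acquisitions write to a file or device).
    """
    src = _as_file(src)
    dst = io.BytesIO() if dst is None else dst
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    wmd5, wstart, pos = hashlib.md5(), 0, 0
    full = partial = 0
    windows = []
    for buf in iter(lambda: src.read(bs), b""):
        if len(buf) == bs:
            full += 1
        else:
            partial += 1
        dst.write(buf)
        md5.update(buf)
        sha1.update(buf)
        wmd5.update(buf)
        pos += len(buf)
        if (full + partial) % window == 0:
            windows.append((wstart, pos, wmd5.hexdigest()))
            wmd5, wstart = hashlib.md5(), pos
    if pos > wstart:                      # flush the final, shorter window
        windows.append((wstart, pos, wmd5.hexdigest()))
    report = {"records": (full, partial), "md5": md5.hexdigest(),
              "sha1": sha1.hexdigest(), "windows": windows}
    if isinstance(dst, io.BytesIO):
        report["copy"] = dst.getvalue()
    return report


def damaged_windows(report, copy):
    """Re-hash each window of the copy; return the (start, end) ranges whose
    digest no longer matches the one recorded at acquisition."""
    copy = _as_file(copy)
    bad = []
    for start, end, expected in report["windows"]:
        copy.seek(start)
        if hashlib.md5(copy.read(end - start)).hexdigest() != expected:
            bad.append((start, end))
    return bad


if __name__ == "__main__":
    # Constructed 2564-byte "disk": five full 512-byte blocks plus a 4-byte tail.
    sample = bytes(range(256)) * 10 + b"tail"
    report = acquire(sample, bs=512, window=1)
    print(f"{report['records'][0]}+{report['records'][1]} records in")
    print(report["md5"], "-")
    print("copy verifies:", md5sum(report["copy"]) == report["md5"])
    damaged = bytearray(report["copy"])
    damaged[1000] ^= 0xFF                 # flip one bit in the second block
    print("damaged windows:", damaged_windows(report, bytes(damaged)))
```

With the default window of 2048 blocks and bs=512, each interval digest covers 1 MiB, which keeps the list of windows manageable for a multi-gigabyte drive while still narrowing a mismatch to a small region.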
Once a bitstream copy has been created, it can be "mounted" for examination. Linux provides a loopback interface that allows access to a file as if it were a disk, enabling digital evidence examiners to work on a copy as if it were the original, including accessing the file system and performing searches. For instance, the following commands mount a bitstream copy (read-only, via a loopback device) to generate a list of files with their MD5 values and a list of all files modified in the past day.
examiner1% date
Tue May 13 18:01:50 EDT 2003
examiner1% mount -o ro,loop -t vfat hunter-floppy.dd /e1/case2/exhibit1
examiner1% find /e1/case2/exhibit1 -type f -exec md5sum {} \;
bca6aa0863902c44206dc3f09ccde765  skiways-getafix.doc
adcbb2fe3bcdeb62addf4ea27f15ac7c  todo.txt
d787d1699ae3c3a81fe94a9482038176  newaddress.txt
9064112159ad06c597ccfa7e70f4ec44  contacts.xls
examiner1% find /e1/case2/exhibit1 -mtime 0 -ls
     6   21 -rwxr-xr-x   1 root     root        21504 May 13 11:58 skiways-getafix.doc
     7    0 -rwxr-xr-x   1 root     root          122 May 13 12:40 todo.txt
     8    0 -rwxr-xr-x   1 root     root          122 May 13 12:42 newaddress.txt
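The two find commands above produce a hash manifest and a recent-modification listing over the mounted copy. The following Python script is an added example (not from the book) that does the same walk over the mount point, skips symbolic links so a link cannot pull data from outside the copy into the manifest, and adds a manifest comparison so that a listing taken from the original can be checked against one taken from the copy, or two listings of the same exhibit taken at different times. The mount step itself is still the mount -o ro,loop command shown above; the exhibit tree built by build_demo_tree() is constructed, with made-up file names.

```python
"""Hash manifest and recent-change listing over a mounted copy.

Added example (not from the book): the Python counterpart of
  find <mount> -type f -exec md5sum {} \;
  find <mount> -mtime 0 -ls
plus a comparison of two manifests. The demo tree is constructed.
"""
import hashlib
import os
import tempfile
import time

DAY = 86400


def hash_tree(root):
    """Sorted (relative path, MD5) for every regular file below root.

    Symbolic links are skipped rather than followed, so a link pointing
    outside the mounted copy cannot pull foreign data into the manifest.
    """
    manifest = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            h = hashlib.md5()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest.append((rel, h.hexdigest()))
    return sorted(manifest)


def modified_within(root, seconds=DAY, now=None):
    """Sorted (relative path, size) of files whose mtime lies within
    `seconds` of `now`; the question `find -mtime 0 -ls` answers for one day."""
    now = time.time() if now is None else now
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if now - st.st_mtime <= seconds:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, st.st_size))
    return sorted(hits)


def compare_manifests(before, after):
    """Return (added, removed, changed) relative paths between two manifests."""
    a, b = dict(before), dict(after)
    added = sorted(set(b) - set(a))
    removed = sorted(set(a) - set(b))
    changed = sorted(p for p in set(a) & set(b) if a[p] != b[p])
    return added, removed, changed


def build_demo_tree():
    """Create a constructed exhibit tree and return its path."""
    root = tempfile.mkdtemp(prefix="exhibit1-")
    os.mkdir(os.path.join(root, "docs"))
    files = {"todo.txt": b"call skiways\n", "empty.dat": b"",
             "docs/notes.txt": b"meeting at noon\n", "old.log": b"x" * 100}
    for rel, content in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    old = time.time() - 3 * DAY           # back-date one file by three days
    os.utime(os.path.join(root, "old.log"), (old, old))
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for rel, digest in hash_tree(root):
        print(digest, rel)
    print("modified in the past day:", modified_within(root))
```

Keep the manifest of the original alongside the one of the copy in the case notes; compare_manifests() turns the two lists into the three questions that matter (what appeared, what vanished, what changed).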
Some forms of examination can be performed on the evidence file itself as opposed to mounting the file system. For instance, the evidence file can be viewed using a hexadecimal viewer like xxd or can be searched for keywords using strings or grep as shown here:
However, this approach to examining a disk is severely limited because it does not indicate which files contained the keywords.
Additionally, utilities for Linux are available from Maresware such as hashl and catalog for listing message digest values and date-time stamps of files, hexdumpl for viewing digital evidence in hexadecimal and ASCII form, and strsrch for finding keywords. The output of hexdumpl is slightly different from xxd, showing the byte offset in decimal rather than hexadecimal.
examiner1% hexdumpl netscape.hst
00000000 00000000 00000000 E8217A3D | ‥‥ ‥‥ ‥‥ Φ ! z= | 4352
E8217A3D 01000000 01000000 536F7572 | Φ!z= ‥‥ ‥‥ Sour | 4368
6365466F 7267652E 6E65743A 2050726F | ceFo rge. net: Pro | 4384
6A656374 2046696C 656C6973 74006874 | ject Fil elis t.ht | 4400
74703A2F 2F736F75 72636566 6F726765 | tp:/ /sou rcef orge | 4416
2E6E6574 2F70726F 6A656374 2F73686F | .net /pro ject /sho | 4432
7766696C 65732E70 68703F67 726F7570 | wfil es.p hp?g roup | 4448
5F69643D 31333935 36267265 6C656173 | _id= 1395 6&re leas | 4464
655F6964 3D343530 313900E4 217A3DA6 | e_id =450 19.∑ !z=" | 4480
217A3D03 00000001 00000053 6F757263 | !z=. ‥‥ …S ourc | 4496
65466F72 67652E6E 65743A20 50726F6A | eFor ge.n et: Proj | 4512
65637420 496E666F 202D204C 696E7578 | ect Info -L inux | 4528
204E5446 53206669 6C652073 79737465 | NTF S fi le s yste | 4544
6D207375 70706F72 74006874 74703A2F | m su ppor t.ht tp:/ | 4560
2F736F75 72636566 6F726765 2E6E6574 | /sou rcef orge .net | 4576
2F70726F 6A656374 732F6C69 6E75782D | /pro ject s/li nux- | 4592
6E746673 2F00C221 7A3DA721 7A3D0700 | ntfs /. T! z= ! z=‥ | 4608
00000000 00000068 7474703A 2F2F7366 | ‥‥ …h ttp: //sf | 4624
6164732E 6F73646E 2E636F6D 2F62616E | ads. osdn .com /ban | 4640
6E65722F 73666F73 30303231 656E2E67 | ner/ sfos 0021 en.g | 4656
69663F31 30333134 31333838 33009621 | if?1 0314 1388 3. ! | 4672
7A3D9621 7A3D0100 00000100 0000536F | z= ! z=‥ ‥‥ ‥So | 4688
75726365 466F7267 652E6E65 743A2057 | urce Forg e.ne t: W | 4704
656C636F 6D650068 7474703A 2F2F736F | elco me.h ttp: //so | 4720
examiner1% xxd netscape.hst
00010f0: 0000 0000 0000 0000 0000 0000 e821 7a3d  .............!z=
0001100: e821 7a3d 0100 0000 0100 0000 536f 7572  .!z=........Sour
0001110: 6365 466f 7267 652e 6e65 743a 2050 726f  ceForge.net: Pro
0001120: 6a65 6374 2046 696c 656c 6973 7400 6874  ject Filelist.ht
0001130: 7470 3a2f 2f73 6f75 7263 6566 6f72 6765  tp://sourceforge
0001140: 2e6e 6574 2f70 726f 6a65 6374 2f73 686f  .net/project/sho
0001150: 7766 696c 6573 2e70 6870 3f67 726f 7570  wfiles.php?group
0001160: 5f69 643d 3133 3935 3626 7265 6c65 6173  _id=13956&releas
0001170: 655f 6964 3d34 3530 3139 00e4 217a 3da6  e_id=45019..!z=.
0001180: 217a 3d03 0000 0001 0000 0053 6f75 7263  !z=........Sourc
0001190: 6546 6f72 6765 2e6e 6574 3a20 5072 6f6a  eForge.net: Proj
00011a0: 6563 7420 496e 666f 202d 204c 696e 7578  ect Info - Linux
00011b0: 204e 5446 5320 6669 6c65 2073 7973 7465   NTFS file syste
00011c0: 6d20 7375 7070 6f72 7400 6874 7470 3a2f  m support.http:/
00011d0: 2f73 6f75 7263 6566 6f72 6765 2e6e 6574  /sourceforge.net
00011e0: 2f70 726f 6a65 6374 732f 6c69 6e75 782d  /projects/linux-
00011f0: 6e74 6673 2f00 c221 7a3d a721 7a3d 0700  ntfs/..!z=.!z=..
0001200: 0000 0000 0000 0068 7474 703a 2f2f 7366  .......http://sf
0001210: 6164 732e 6f73 646e 2e63 6f6d 2f62 616e  ads.osdn.com/ban
0001220: 6e65 722f 7366 6f73 3030 3231 656e 2e67  ner/sfos0021en.g
0001230: 6966 3f31 3033 3134 3133 3838 3300 9621  if?1031413883..!
0001240: 7a3d 9621 7a3d 0100 0000 0100 0000 536f  z=.!z=........So
0001250: 7572 6365 466f 7267 652e 6e65 743a 2057  urceForge.net: W
0001260: 656c 636f 6d65 0068 7474 703a 2f2f 736f  elcome.http://so
More advanced examination can be performed using a collection of utilities called The Coroner's Toolkit (TCT).[5] A few example commands with explanations of their function are provided in Table 11.1. These tools can be used on a bitstream copy of a disk or to access a hard drive directly as shown in Table 11.1. Be aware that these tools currently support some UNIX file systems (e.g. UFS, ext2) but not FAT or NTFS. The Grave Robber component of TCT collects data from RAM in a systematic manner as discussed in Chapter 19.
SAMPLE COMMAND | DESCRIPTION
---|---
ils -r /dev/hda1 | List inodes of deleted files on partition 1 on drive hda
icat /dev/hda1 2 | Show the contents of inode 2 on partition 1 on drive hda
unrm /dev/hda1 > unallocated | Extract unallocated space from partition 1 on drive hda
mactime -R -d /e1/case2/exhibit3 12/13/2002 | Generate a chronological list of MAC times of files in the /e1/case2/exhibit3 directory and all subdirectories between December 13, 2002, and the present time
As an example, the second inode can be viewed in hexadecimal form as shown below and compared with Figure 11.4. Note that the inode numbers shown here in bold are little-endian, so inode 229,377 corresponding to the "etc" directory mentioned earlier (hex value "x00 x03 x80 x01") is represented as "x01 x80 x03 x00."
examiner1% icat /dev/hdc2 2 | xxd
0000000: 0200 0000 0c00 0102 2e00 0000 0200 0000  ................
0000010: 0c00 0202 2e2e 0000 0b00 0000 1400 0a02  ................
0000020: 6c6f 7374 2b66 6f75 6e64 0000 0180 0000  lost+found......
0000030: 0c00 0402 626f 6f74 0100 0100 0c00 0302  ....boot........
0000040: 6465 7600 0100 0200 0c00 0402 7072 6f63  dev.........proc
0000050: 0c00 0000 1c00 0901 2e61 7574 6f66 7363  .........autofsc
0000060: 6b74 6573 742d 6669 6c65 6d67 0180 0200  ktest-filemg....
0000070: 0c00 0302 7661 7200 0140 0300 0c00 0302  ....var..@......
0000080: 746d 7000 0180 0300 0c00 0302 6574 6300  tmp.........etc.
0000090: 0180 0400 0c00 0302 7573 7200 0380 5900  ........usr...Y.
00000a0: 0c00 0302 6269 6e00 0300 6400 0c00 0402  ....bin...d.....
00000b0: 686f 6d65 03c0 6400 1000 0602 696e 6974  home..d.....init
00000c0: 7264 0000 0300 6500 0c00 0302 6c69 6200  rd....e.....lib.
00000d0: 0300 6600 0c00 0302 6d6e 7400 03c0 6600  ..f.....mnt...f.
00000e0: 0c00 0302 6f70 7400 0300 6700 0c00 0402  ....opt...g.....
00000f0: 726f 6f74 03c0 6700 0c00 0402 7362 696e  root..g.....sbin
0000100: 4cc0 4400 0c00 0402 6d69 7363 2100 0e00  L.D.....misc!...
0000110: 0c00 0202 6531 6c74 ba00 4300 e80e 0502  ....e1lt..C.....
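Reading the dump by eye is tedious, and the little-endian point is easy to get wrong. The following Python script is an added example (not from the book) that converts a constructed copy of the xxd dump above back into bytes and walks the ext2_dir_entry_2 records in it using the standard ext2 layout (inode as a 32-bit little-endian integer, then record length, name length, and file type), so the "etc" entry's bytes 01 80 03 00 come out as inode 229,377. It also keeps the unused bytes between the padded name and the end of each record, which is where names of deleted entries linger (the "test-filemg" fragment after ".autofsck" above), and flags the final entry, whose name lies beyond the end of the dump, instead of guessing it.

```python
"""Walk ext2 directory entries from an `icat ... | xxd` dump.

Added example (not from the book): ICAT_DUMP is a constructed copy of the
hex dump printed in the text for inode 2 of /dev/hdc2 (the root
directory). The field layout is the standard ext2_dir_entry_2 one:
inode u32, rec_len u16, name_len u8, file_type u8, then the name.
"""
import struct

ICAT_DUMP = """\
0000000: 0200 0000 0c00 0102 2e00 0000 0200 0000  ................
0000010: 0c00 0202 2e2e 0000 0b00 0000 1400 0a02  ................
0000020: 6c6f 7374 2b66 6f75 6e64 0000 0180 0000  lost+found......
0000030: 0c00 0402 626f 6f74 0100 0100 0c00 0302  ....boot........
0000040: 6465 7600 0100 0200 0c00 0402 7072 6f63  dev.........proc
0000050: 0c00 0000 1c00 0901 2e61 7574 6f66 7363  .........autofsc
0000060: 6b74 6573 742d 6669 6c65 6d67 0180 0200  ktest-filemg....
0000070: 0c00 0302 7661 7200 0140 0300 0c00 0302  ....var..@......
0000080: 746d 7000 0180 0300 0c00 0302 6574 6300  tmp.........etc.
0000090: 0180 0400 0c00 0302 7573 7200 0380 5900  ........usr...Y.
00000a0: 0c00 0302 6269 6e00 0300 6400 0c00 0402  ....bin...d.....
00000b0: 686f 6d65 03c0 6400 1000 0602 696e 6974  home..d.....init
00000c0: 7264 0000 0300 6500 0c00 0302 6c69 6200  rd....e.....lib.
00000d0: 0300 6600 0c00 0302 6d6e 7400 03c0 6600  ..f.....mnt...f.
00000e0: 0c00 0302 6f70 7400 0300 6700 0c00 0402  ....opt...g.....
00000f0: 726f 6f74 03c0 6700 0c00 0402 7362 696e  root..g.....sbin
0000100: 4cc0 4400 0c00 0402 6d69 7363 2100 0e00  L.D.....misc!...
0000110: 0c00 0202 6531 6c74 ba00 4300 e80e 0502  ....e1lt..C.....
"""

FILE_TYPES = {0: "unknown", 1: "regular", 2: "directory", 3: "chrdev",
              4: "blkdev", 5: "fifo", 6: "socket", 7: "symlink"}


def parse_xxd(dump):
    """Bytes from xxd's default output (offset: 8 hex words  ascii)."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hexpart = line.split(":", 1)[1].split("  ", 1)[0]
        out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)


def walk_dir_entries(data):
    """Decode consecutive ext2_dir_entry_2 records from a directory block.

    Each record is 8 header bytes plus the name padded to a multiple of 4;
    rec_len may be larger than that, and the gap ("slack") is where names
    of deleted entries linger. A name cut off by the end of the dump is
    flagged rather than guessed.
    """
    entries, off = [], 0
    while off + 8 <= len(data):
        inode, rec_len, name_len, ftype = struct.unpack_from("<IHBB", data, off)
        if rec_len < 8:                      # corrupt record; stop the walk
            break
        raw = data[off + 8: off + 8 + name_len]
        used = 8 + ((name_len + 3) & ~3)
        entries.append({
            "offset": off, "inode": inode, "rec_len": rec_len,
            "type": FILE_TYPES.get(ftype, ftype),
            "name": raw.decode("latin-1"), "truncated": len(raw) < name_len,
            "slack": data[off + used: off + rec_len],
        })
        off += rec_len
    return entries


def lookup(entries, name):
    """Inode number recorded for `name`, or None if it is not (fully) present."""
    for e in entries:
        if e["name"] == name and not e["truncated"]:
            return e["inode"]
    return None


def on_disk(inode):
    """The byte sequence a little-endian inode number occupies on disk."""
    return struct.pack("<I", inode).hex(" ")


ROOT_ENTRIES = walk_dir_entries(parse_xxd(ICAT_DUMP))

if __name__ == "__main__":
    for e in ROOT_ENTRIES:
        flag = "  (name cut off by end of dump)" if e["truncated"] else ""
        print(f"{e['offset']:#06x}  inode {e['inode']:>8d}  {e['type']:<9s} {e['name']}{flag}")
    etc = lookup(ROOT_ENTRIES, "etc")
    print("etc ->", etc, "stored on disk as", on_disk(etc))
```

The last record's rec_len (3816 bytes) runs to the end of the 4096-byte block, which is how ext2 marks the final entry; the same walk applied to a full block read with icat would recover that entry's name as well.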
The Sleuth Kit[6] (previously TASK) extends TCT to support FAT and NTFS file systems and provides several other powerful utilities.
The istat command in The Sleuth Kit can be used to examine specific inodes as shown here. Note that the deletion time is only shown for deleted files. Similar information about regular files can be obtained using the standard Linux stat command.
examiner1% istat -f linux-ext2 ext2-bitstream.dd 2
inode: 2
Allocated
Group: 0
uid/gid: 0/0
mode: drwxr-xr-x
size: 4096
num of links: 21

Inode Times:
Accessed:       Tue Nov 26 04:03:19 2002
File Modified:  Mon Nov 25 20:39:17 2002
Inode Modified: Mon Nov 25 20:39:17 2002

Direct Blocks:
519
The Sleuth Kit can be combined with the Autopsy Forensic Browser to provide different views of data through a Web browser interface (Figure 11.6).
Figure 11.6: Viewing a Linux system using The Sleuth Kit and Autopsy Forensic Browser.
Given the large number of utilities available and the infinite adaptability of Linux, its power as a forensic examination platform is limited only by one's knowledge of the system. Although some Windows-based tools can be used to examine ext2, ext3, and UFS file systems, most do not facilitate examination of inodes and other attributes distinctive to UNIX file systems. Therefore, as mentioned in the previous chapter, no single tool should be relied upon solely. Use tools for their strengths and validate results from one tool by checking them with another.
[3] Some versions of UNIX, including BSD, have different partition tables than Linux and Windows, requiring a different approach to extracting partitions (Carrier 2003b).
[4] http://sourceforge.net/projects/biatchux/
[5] http://www.porcupine.org/forensics/
[6] The Sleuth Kit and the Autopsy Forensic Browser are available at http://www.sleuthkit.org