11.3 Overview of Digital Evidence Processing Tools

Linux has several features that make it ideal as a digital evidence acquisition and examination system. Linux contains many useful utilities that are designed to work together: the output of one tool can easily be fed into another tool. This ability to pipe (represented by a vertical bar "|") output from one program into another creates great flexibility. For instance, after sanitizing a disk (dd if=/dev/zero of=/dev/fd0; sync), the following command combination can be used to verify that all sectors are filled with zeros:

    dd if=/dev/hda | xxd | grep -v "0000 0000 0000 0000 0000 0000 0000 0000"

This command looks for anything that is non-zero and should return nothing provided the disk has been properly sanitized. Also, Linux supports many file system types and can be used to examine media from UNIX, Windows, Macintosh, and other more arcane systems. Linux also permits direct access to devices, making it easier to acquire data from damaged media and bypass copy protection on certain memory cards. Furthermore, Linux is open source, creating a large technical support base and allowing digital evidence examiners to verify and augment its operation.

Prior to making a bitstream copy of a disk, it may be necessary to perform a keyword search to determine if there is relevant digital evidence on the system. This is particularly useful when looking for specific items on a large number of systems. The most efficient approach to searching many computers is to boot them using an evidence acquisition boot disk and run a disk search utility from the UNIX prompt. The grep command on Linux provides this keyword search capability. Once a system with useful evidence has been identified, a full bitstream copy can be made.

The mainstay of acquiring digital evidence using UNIX is the dd command. The simplest example is using dd to make a bitstream copy of a floppy disk: "dd if=/dev/fd0 of=floppycopy.dd". The dd command has many options, allowing the user to specify the block size of the evidentiary drive and to save segments of a bitstream copy in multiple files (e.g. to fit on compact disks). The output of dd can be saved in a file as shown above, put directly onto a blank hard drive to create a clone, or sent through a network connection to a remote collection system using netcat. In addition to copying disks, the dd command can be used to perform analysis such as classifying data on storage media as described in the Handbook of Computer Crime Investigation, Chapter 8 (Seglem et al. 2001).

start sidebar

There are some nuances to copying a UNIX disk in this way that are worth mentioning. By default, dd assumes that each sector on a disk is 512 bytes. Copying large disks in 512-byte segments is inefficient and may cause confusion when copying tapes with interblock gaps. Also, when UNIX creates a file system on a disk, it takes into account disk geometry (recall cylinder/block groups). Therefore, if the two disks have even a slightly different geometry, a computer may not be able to find and boot the operating system from the new hard disk because it will be in a slightly different location on the disk. However, although the new disk will not be bootable, it will still be mountable and can be examined using another UNIX system.

end sidebar

When dealing with hard drives that have multiple partitions, it is advisable to make a bitstream copy of the entire disk first and then extract individual partitions later as needed (Carrier 2003a).[3] In this way, a complete copy of the original drive is preserved. Also, before making a bitstream copy, in addition to calculating the MD5 value of the drive, it is useful to document the hard drive that is being copied. To obtain information about a hard drive and the partitions on the drive, use the following commands on Linux:

    examiner1% grep hd /var/log/dmesg
        ide0: BM-DMA at 0xa890-0xa897, BIOS settings: hda:DMA, hdb:pio
        ide1: BM-DMA at 0xa898-0xa89f, BIOS settings: hdc:pio, hdd:pio
    hda: HITACHI_DK23DA-20, ATA DISK drive
    hda: 39070080 sectors (20004 MB) w/2048KiB Cache, CHS=2584/240/63, UDMA(100)
    hda: hda1 hda2 hda3 hda4 < hda5 >
    examiner1% /sbin/hdparm -I /dev/hda
    /dev/hda:
    ATA device, with non-removable media
            Model Number:       HITACHI_DK23DA-20
            Serial Number:      14RM3D
            Firmware Revision:  00J2A0F3
    Standards:
            Used: ATA/ATAPI-5 T13 1321D revision 3
            Supported: 5 4 3 2 & some of 6
    Configuration:
            Logical         max     current
            cylinders       16383   16383
            heads           16      16
            sectors/track   63      63
            --
            CHS current addressable sectors:    16514064
            LBA    user addressable sectors:    39070080
            device size with M = 1024*1024:     19077 MBytes
            device size with M = 1000*1000:     20003 MBytes (20 GB)
    Capabilities:
    <cut for brevity>
    examiner1% /sbin/sfdisk -l -uS /dev/hda
    Disk /dev/hda: 2584 cylinders, 240 heads, 63 sectors/track
    Units = sectors of 512 bytes, counting from 0
       Device Boot    Start       End   #sectors  Id  System
    /dev/hda1   *        63    211679     211617  83  Linux
    /dev/hda2        211680  20684159   20472480  83  Linux
    /dev/hda3      20684160  22317119    1632960  82  Linux swap
    /dev/hda4      22317120  39070079   16752960   f  Win95 Ext'd (LBA)
    /dev/hda5      22317183  39070079   16752897  83  Linux

It is also important to calculate the message digest value of data on the disk for later comparison. Linux provides message digest utilities such as md5sum and sha1sum that can be used to verify the integrity of digital evidence. The following combination of commands uses dd to extract data from a floppy disk and feed it to md5sum to calculate the MD5 value of the disk:

    examiner1% dd if=/dev/fd0 bs=512 | md5sum
    2880+0 records in
    2880+0 records out
    de3af39674f76d1eb2d652543c536a32  -

This MD5 value can be compared with that of the evidence after it is collected as shown here:

    examiner1% dd if=/dev/fd0 of=hunter-floppy.dd bs=512
    2880+0 records in
    2880+0 records out
    examiner1% md5sum hunter-floppy.dd
    de3af39674f76d1eb2d652543c536a32  hunter-floppy.dd

The DCFL created an enhanced version called dcfldd[4] that can calculate MD5 values of data at regular intervals during the copying process.
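The acquisition steps above (hash the media, copy it with dd, hash the image, compare) and the earlier "all sectors zero" sanitization check, as an added example that is not from the book. It runs against a constructed file standing in for /dev/fd0 so it needs neither real media nor root; the file names and the use of od in place of xxd are assumptions, since od is available on any POSIX system:

```shell
#!/bin/sh
# Added example (not from the book): dd/md5sum acquisition and the sanitization check
# of Section 11.3, exercised on a constructed file instead of a real floppy device.
set -u

# MD5 of the bytes read from a device or file, as in "dd if=/dev/fd0 bs=512 | md5sum".
hash_stream() {
    dd if="$1" bs=512 2>/dev/null | md5sum | cut -d' ' -f1
}

# Succeeds only when every byte of $1 is zero. The book pipes xxd into "grep -v" and
# expects no output; here od feeds grep, which looks for any non-zero hex digit,
# and the pipeline's result is negated.
is_sanitized() {
    ! od -An -v -tx1 "$1" | grep -q '[1-9a-f]'
}

# Bitstream copy of $1 into $2: a digest is taken from the media before copying and
# from the image afterwards, and the function succeeds only if the two match.
acquire_and_verify() {
    before=$(hash_stream "$1")
    dd if="$1" of="$2" bs=512 2>/dev/null
    after=$(md5sum "$2" | cut -d' ' -f1)
    printf 'source: %s\nimage:  %s\n' "$before" "$after"
    [ "$before" = "$after" ]
}

# Demonstration on constructed data: a 32-sector "floppy" that is blank at first and
# then receives a short note in sector 3 (sample content, not evidence).
demo() {
    work=$(mktemp -d)
    dd if=/dev/zero of="$work/fake-fd0" bs=512 count=32 2>/dev/null
    is_sanitized "$work/fake-fd0" && echo "blank media: all sectors zero"
    printf 'constructed sample note\n' |
        dd of="$work/fake-fd0" bs=512 seek=3 conv=notrunc 2>/dev/null
    is_sanitized "$work/fake-fd0" || echo "media now holds data; acquiring"
    acquire_and_verify "$work/fake-fd0" "$work/exhibit1.dd" &&
        echo "digests match: image verified"
    rm -rf "$work"
}

demo
```

The digest of the source is computed from the same dd stream that produces the image, so any read error or block-size mismatch shows up as a digest difference rather than going unnoticed.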

Once a bitstream copy has been created, it can be "mounted" for examination. Linux provides a loopback interface that allows access to a file as if it were a disk, enabling digital evidence examiners to work on a copy as if it were the original, including accessing the file system and performing searches. For instance, the following commands mount a bitstream copy (read-only, via a loopback device) to generate a list of files with their MD5 values and a list of all files modified in the past day.

    examiner1% date
    Tue May 13 18:01:50 EDT 2003
    examiner1% mount -o ro,loop -t vfat hunter-floppy.dd /e1/case2/exhibit1
    examiner1% find /e1/case2/exhibit1 -type f -exec md5sum {} \;
    bca6aa0863902c44206dc3f09ccde765  skiways-getafix.doc
    adcbb2fe3bcdeb62addf4ea27f15ac7c  todo.txt
    d787d1699ae3c3a81fe94a9482038176  newaddress.txt
    9064112159ad06c597ccfa7e70f4ec44  contacts.xls
    examiner1% find /e1/case2/exhibit1 -mtime 0 -ls
    6  21 -rwxr-xr-x 1 root root 21504 May 13 11:58 skiways-getafix.doc
    7   0 -rwxr-xr-x 1 root root   122 May 13 12:40 todo.txt
    8   0 -rwxr-xr-x 1 root root   122 May 13 12:42 newaddress.txt
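Working with one partition of a whole-disk bitstream copy, as an added example that is not from the book. It ties the sfdisk listing shown earlier (embedded here as a constructed sample) to the loopback mounting just described: partitions are carved out of the image with dd, and a partition inside the image can also be mounted read-only in place by giving mount the partition's byte offset. The image and mount point names are assumptions, and the mount command is printed rather than run because mounting needs root:

```shell
#!/bin/sh
# Added example (not from the book): locating, extracting and mounting partitions
# from a whole-disk image, using the sfdisk -l -uS listing shown in the text.
set -u
SECTOR=512   # "Units = sectors of 512 bytes" in the sfdisk listing

# The sfdisk listing from the text, embedded as a constructed sample input.
SAMPLE_LISTING="Disk /dev/hda: 2584 cylinders, 240 heads, 63 sectors/track
Units = sectors of 512 bytes, counting from 0
   Device Boot    Start       End   #sectors  Id  System
/dev/hda1   *        63    211679     211617  83  Linux
/dev/hda2        211680  20684159   20472480  83  Linux
/dev/hda3      20684160  22317119    1632960  82  Linux swap
/dev/hda4      22317120  39070079   16752960   f  Win95 Ext'd (LBA)
/dev/hda5      22317183  39070079   16752897  83  Linux"

# Print "device start sectors" for every partition line, coping with the optional
# "*" boot flag that shifts the remaining columns by one.
partitions_from_listing() {
    awk '/^\/dev\// { if ($2 == "*") { print $1, $3, $5 } else { print $1, $2, $4 } }'
}

# Byte offset of a partition that starts at sector $1.
partition_offset_bytes() { echo $(( $1 * SECTOR )); }

# Carve sectors START..START+COUNT-1 out of image $1 into $4: the partition
# extraction the text recommends doing after the whole disk has been copied.
extract_partition() {   # image start count output
    dd if="$1" of="$4" bs="$SECTOR" skip="$2" count="$3" 2>/dev/null
}

# The mount invocation for examining one partition of a whole-disk image read-only
# through the loopback interface, printed rather than executed (mount needs root).
loop_mount_cmd() {      # image start fstype mountpoint
    printf 'mount -o ro,loop,offset=%s -t %s %s %s\n' \
        "$(partition_offset_bytes "$2")" "$3" "$1" "$4"
}

demo() {
    printf '%s\n' "$SAMPLE_LISTING" | partitions_from_listing |
    while read -r dev start count; do
        echo "$dev: start sector $start, $count sectors," \
             "byte offset $(partition_offset_bytes "$start")"
    done
    # hda5 (Id 83, Linux) from the listing; hda.dd and the mount point are assumed names
    loop_mount_cmd hda.dd 22317183 ext2 /e1/case2/exhibit3
}

demo
```

Extracting with skip= and count= in units of the listing's sector size reproduces the partition byte for byte, so the extracted file can be hashed and mounted exactly like the floppy image in the text; the offset= form avoids the extra copy when disk space is tight.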

Some forms of examination can be performed on the evidence file itself as opposed to mounting the file system. For instance, the evidence file can be viewed using a hexadecimal viewer like xxd or can be searched for keywords using strings or grep.


However, this approach to examining a disk is severely limited because it does not indicate which files contained the keywords.

Additionally, utilities for Linux are available from Maresware such as hashl and catalog for listing message digest values and date-time stamps of files, hexdumpl for viewing digital evidence in hexadecimal and ASCII form, and strsrch for finding keywords. The output of hexdumpl is slightly different from xxd, showing the byte offset in decimal rather than hexadecimal.

    examiner1% hexdumpl netscape.hst
    00000000 00000000 00000000 E8217A3D | ....  ....  ....  .!z= | 4352
    E8217A3D 01000000 01000000 536F7572 | .!z=  ....  ....  Sour | 4368
    6365466F 7267652E 6E65743A 2050726F | ceFo  rge.  net:   Pro | 4384
    6A656374 2046696C 656C6973 74006874 | ject   Fil  elis  t.ht | 4400
    74703A2F 2F736F75 72636566 6F726765 | tp:/  /sou  rcef  orge | 4416
    2E6E6574 2F70726F 6A656374 2F73686F | .net  /pro  ject  /sho | 4432
    7766696C 65732E70 68703F67 726F7570 | wfil  es.p  hp?g  roup | 4448
    5F69643D 31333935 36267265 6C656173 | _id=  1395  6&re  leas | 4464
    655F6964 3D343530 313900E4 217A3DA6 | e_id  =450  19..  !z=. | 4480
    217A3D03 00000001 00000053 6F757263 | !z=.  ....  ...S  ourc | 4496
    65466F72 67652E6E 65743A20 50726F6A | eFor  ge.n  et:   Proj | 4512
    65637420 496E666F 202D204C 696E7578 | ect   Info   - L  inux | 4528
    204E5446 53206669 6C652073 79737465 |  NTF  S fi  le s  yste | 4544
    6D207375 70706F72 74006874 74703A2F | m su  ppor  t.ht  tp:/ | 4560
    2F736F75 72636566 6F726765 2E6E6574 | /sou  rcef  orge  .net | 4576
    2F70726F 6A656374 732F6C69 6E75782D | /pro  ject  s/li  nux- | 4592
    6E746673 2F00C221 7A3DA721 7A3D0700 | ntfs  /..!  z=.!  z=.. | 4608
    00000000 00000068 7474703A 2F2F7366 | ....  ...h  ttp:  //sf | 4624
    6164732E 6F73646E 2E636F6D 2F62616E | ads.  osdn  .com  /ban | 4640
    6E65722F 73666F73 30303231 656E2E67 | ner/  sfos  0021  en.g | 4656
    69663F31 30333134 31333838 33009621 | if?1  0314  1388  3..! | 4672
    7A3D9621 7A3D0100 00000100 0000536F | z=.!  z=..  ....  ..So | 4688
    75726365 466F7267 652E6E65 743A2057 | urce  Forg  e.ne  t: W | 4704
    656C636F 6D650068 7474703A 2F2F736F | elco  me.h  ttp:  //so | 4720
    examiner1% xxd netscape.hst
    00010f0: 0000 0000 0000 0000 0000 0000 e821 7a3d  .............!z=
    0001100: e821 7a3d 0100 0000 0100 0000 536f 7572  .!z=........Sour
    0001110: 6365 466f 7267 652e 6e65 743a 2050 726f  ceForge.net: Pro
    0001120: 6a65 6374 2046 696c 656c 6973 7400 6874  ject Filelist.ht
    0001130: 7470 3a2f 2f73 6f75 7263 6566 6f72 6765  tp://sourceforge
    0001140: 2e6e 6574 2f70 726f 6a65 6374 2f73 686f  .net/project/sho
    0001150: 7766 696c 6573 2e70 6870 3f67 726f 7570  wfiles.php?group
    0001160: 5f69 643d 3133 3935 3626 7265 6c65 6173  _id=13956&releas
    0001170: 655f 6964 3d34 3530 3139 00e4 217a 3da6  e_id=45019..!z=.
    0001180: 217a 3d03 0000 0001 0000 0053 6f75 7263  !z=........Sourc
    0001190: 6546 6f72 6765 2e6e 6574 3a20 5072 6f6a  eForge.net: Proj
    00011a0: 6563 7420 496e 666f 202d 204c 696e 7578  ect Info - Linux
    00011b0: 204e 5446 5320 6669 6c65 2073 7973 7465   NTFS file syste
    00011c0: 6d20 7375 7070 6f72 7400 6874 7470 3a2f  m support.http:/
    00011d0: 2f73 6f75 7263 6566 6f72 6765 2e6e 6574  /sourceforge.net
    00011e0: 2f70 726f 6a65 6374 732f 6c69 6e75 782d  /projects/linux-
    00011f0: 6e74 6673 2f00 c221 7a3d a721 7a3d 0700  ntfs/..!z=.!z=..
    0001200: 0000 0000 0000 0068 7474 703a 2f2f 7366  .......http://sf
    0001210: 6164 732e 6f73 646e 2e63 6f6d 2f62 616e  ads.osdn.com/ban
    0001220: 6e65 722f 7366 6f73 3030 3231 656e 2e67  ner/sfos0021en.g
    0001230: 6966 3f31 3033 3134 3133 3838 3300 9621  if?1031413883..!
    0001240: 7a3d 9621 7a3d 0100 0000 0100 0000 536f  z=.!z=........So
    0001250: 7572 6365 466f 7267 652e 6e65 743a 2057  urceForge.net: W
    0001260: 656c 636f 6d65 0068 7474 703a 2f2f 736f  elcome.http://so

More advanced examination can be performed using a collection of utilities called The Coroner's Toolkit (TCT).[5] A few example commands with explanations of their function are provided in Table 11.1. These tools can be used on a bitstream copy of a disk or to access a hard drive directly as shown in Table 11.1. Be aware that these tools currently support some UNIX file systems (e.g. UFS, ext2) but not FAT or NTFS. The Grave Robber component of TCT collects data from RAM in a systematic manner as discussed in Chapter 19.

Table 11.1: Utilities from The Coroner's Toolkit being used to access a hard drive directly, illustrating the previewing capabilities of many UNIX-based tools.

    SAMPLE COMMAND                                 DESCRIPTION
    ils -r /dev/hda1                               List inodes of deleted files on partition 1 on drive hda
    icat /dev/hda1 2                               Show the contents of inode 2 on partition 1 on drive hda
    unrm /dev/hda1 > unallocated                   Extract unallocated space from partition 1 on drive hda
    mactime -R -d /e1/case2/exhibit3 12/13/2002    Generate a chronological list of MAC times of files in the /e1/case2/exhibit3 directory and all subdirectories between December 13, 2002, and the present time

As an example, the second inode can be viewed in hexadecimal form as shown below and compared with Figure 11.4. Note that the inode numbers shown here in bold are little-endian, so inode 229,377 corresponding to the "etc" directory mentioned earlier (hex value "x00 x03 x80 x01") is represented as "x01 x80 x03 x00."

    examiner1% icat /dev/hdc2 2 | xxd
    0000000: 0200 0000 0c00 0102 2e00 0000 0200 0000  ................
    0000010: 0c00 0202 2e2e 0000 0b00 0000 1400 0a02  ................
    0000020: 6c6f 7374 2b66 6f75 6e64 0000 0180 0000  lost+found......
    0000030: 0c00 0402 626f 6f74 0100 0100 0c00 0302  ....boot........
    0000040: 6465 7600 0100 0200 0c00 0402 7072 6f63  dev.........proc
    0000050: 0c00 0000 1c00 0901 2e61 7574 6f66 7363  .........autofsc
    0000060: 6b74 6573 742d 6669 6c65 6d67 0180 0200  ktest-filemg....
    0000070: 0c00 0302 7661 7200 0140 0300 0c00 0302  ....var..@......
    0000080: 746d 7000 0180 0300 0c00 0302 6574 6300  tmp.........etc.
    0000090: 0180 0400 0c00 0302 7573 7200 0380 5900  ........usr...Y.
    00000a0: 0c00 0302 6269 6e00 0300 6400 0c00 0402  ....bin...d.....
    00000b0: 686f 6d65 03c0 6400 1000 0602 696e 6974  home..d.....init
    00000c0: 7264 0000 0300 6500 0c00 0302 6c69 6200  rd....e.....lib.
    00000d0: 0300 6600 0c00 0302 6d6e 7400 03c0 6600  ..f.....mnt...f.
    00000e0: 0c00 0302 6f70 7400 0300 6700 0c00 0402  ....opt...g.....
    00000f0: 726f 6f74 03c0 6700 0c00 0402 7362 696e  root..g.....sbin
    0000100: 4cc0 4400 0c00 0402 6d69 7363 2100 0e00  L.D.....misc!...
    0000110: 0c00 0202 6531 6c74 ba00 4300 e80e 0502  ....e1lt..C.....

The Sleuth Kit[6] (previously TASK) extends TCT to support FAT and NTFS file systems and provides several other powerful utilities.

The istat command in The Sleuth Kit can be used to examine specific inodes as shown here. Note that the deletion time is only shown for deleted files. Similar information about regular files can be obtained using the standard Linux stat command.

    examiner1% istat -f linux-ext2 ext2-bitstream.dd 2
    inode: 2
    Allocated
    Group: 0
    uid/gid: 0/0
    mode: drwxr-xr-x
    size: 4096
    num of links: 21
    Inode Times:
    Accessed:        Tue Nov 26 04:03:19 2002
    File Modified:   Mon Nov 25 20:39:17 2002
    Inode Modified:  Mon Nov 25 20:39:17 2002
    Direct Blocks:
    519

The Sleuth Kit can be combined with the Autopsy Forensic Browser to provide different views of data through a Web browser interface (Figure 11.6).

Figure 11.6: Viewing a Linux system using The Sleuth Kit and Autopsy Forensic Browser.

Given the large number of utilities available and the infinite adaptability of Linux, its power as a forensic examination platform is limited only by one's knowledge of the system. Although some Windows-based tools can be used to examine ext2, ext3, and UFS file systems, most do not facilitate examination of inodes and other attributes distinctive to UNIX file systems. Therefore, as mentioned in the previous chapter, no single tool should be relied upon solely. Use tools for their strengths and validate results from one tool by checking them with another.

[3]Some versions of UNIX, including BSD, have different partition tables than Linux and Windows, requiring a different approach to extracting partitions (Carrier 2003b).

[4]http://sourceforge.net/projects/biatchux/

[5]http://www.porcupine.org/forensics/

[6]The Sleuth Kit and the Autopsy Forensic Browser are available at http://www.sleuthkit.org

Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279