Trinux




Trinux (http://trinux.sourceforge.net) is a small Linux-based tool kit that boots from a floppy or CD-ROM and runs entirely in memory through the use of a ramdisk (a part of memory that is formatted with a file system and seen by the kernel as a disk drive). When a system’s operating system has been corrupted or the system has been shut down, you can boot it with Trinux instead, which keeps the information on the hard disk from being modified.

Implementation

You can choose to make either a set of Trinux floppies or a Trinux CD. The trinux-iso CD-ROM ISO image is roughly 19 megabytes and contains many of the available add-on packages (such as nmap, Ethereal, and many others). The trinux-ide floppy image will provide only base functionality (kernel, file system, and network if your NIC is natively supported). From a floppy boot, you can load packages over the network or create additional disks with the packages you’ll need. Some of the essentials you’ll probably want include nmap (nmap.tgz), file utilities such as hexdump (fileutil.tgz), a subset of tools from the Coroner’s Toolkit discussed in Chapter 23 (tctbin.tgz), and additional system utilities (sysutil.tgz). All but the sysutil package come included on the CD-ROM.

Creating the Trinux Floppy

From the Trinux web site, you can download the Trinux floppy image (trinux-ide) to a forensic workstation. If you’re running a Unix-based operating system, you can use the dd command to copy the trinux-ide image to a floppy disk (in our case, /dev/fd0).

bash# dd if=trinux-0.890.flp of=/dev/fd0 

If you’re on a Windows workstation, you can download the RAWRITE utility (available at http://uranus.it.swin.edu.au/~jn/linux/rawwrite.htm) to perform the same action. RAWRITE will ask you for the floppy image and the destination drive letter (usually A:). Seconds later, your Trinux floppy will be ready to go.

Note 

Simply copying the trinux-ide image to the floppy disk will not work. You must use either dd or RAWRITE.

Creating the Trinux CD-ROM

The CD-ROM offers a bit more convenience, as many of the add-on packages are included directly on the disc. This saves you the step of downloading the add-ons or creating additional package disks. From the Trinux web site, download the trinux-iso ISO image. On a Windows workstation, you can use your CD burning software (such as Easy CD Creator) to burn the image to the CD. On Roxio’s Easy CD Creator 5, for example, choose File | Record CD From CD Image, then select ISO from the file type drop-down list, and load the trinux-iso file. On a Unix system, you can use your favorite CD burning software (X-CD-Roast from http://www.xcdroast.org/ is an excellent package) to do the same thing.

Tip 

If you need to boot Trinux from a laptop, you’ll probably want to choose CD-ROM as your boot media; the PCMCIA drivers won’t fit on a floppy.

Booting Trinux

Once your Trinux boot media is prepared, put it in the victim machine and boot up. After booting from the CD, you should have a shell prompt with basic network access as well as the ability to mount FAT and ISO file systems. As long as you have network access, you can grab additional packages and kernel modules from http://trinux.sourceforge.net/pkg/ and http://trinux.sourceforge.net/modules/, respectively. The file system modules for EXT3, NTFS, and UFS will allow you to mount Linux, Windows NT/2000, and FreeBSD file systems, respectively.

Augmenting the Trinux CD-ROM

You can’t stuff a whole lot more onto the Trinux floppy, but the CD-ROM will hold a great deal more information. You can place additional tools on the CD-ROM for use inside the Trinux environment. This section explains how to add tools to the Trinux ISO image.

Downloading and Mounting the ISO   First, you need to download the standard Trinux ISO image to a Unix workstation containing your tools. Once the ISO has been downloaded, you need to mount that ISO image as if it were a file system on a CD-ROM. In Linux, type the following:

# mount -o loop -t iso9660 trinux-0.890.iso /mnt/cdrom

This mounts the Trinux ISO image at /mnt/cdrom on the local file system. The -o loop option tells Linux to map a loop device (such as /dev/loop0) to the specified image and mount that device on the specified mount point.

In FreeBSD, the process is slightly different. First you have to use the vnconfig command to create a "vnode pseudo disk device" (similar to the loop device). Then you have to issue a separate mount command, as shown here:

# vnconfig /dev/vn0c trinux-0.890.iso
# mount -t cd9660 /dev/vn0c /mnt/cdrom

Tip 

Under normal circumstances, only root will be able to perform these commands as they require access to low-level kernel functionality.

Once the ISO image is mounted, you can change to the /mnt/cdrom directory and view the Trinux ISO as if it were a CD in your drive.

Exploring the Trinux ISO image   When you look at the Trinux ISO, you’ll see two directories in the root: isolinux and trinux. The isolinux directory contains the ISOLINUX boot loader (isolinux.bin), the boot catalog (boot.cat), the boot configuration file (isolinux.cfg), and the Trinux kernel and ramdisk (bzImage and initrd.gz, respectively). These files allow the CD to boot into the Trinux OS. If you wanted to make your own bootable CD, you could use the ISOLINUX boot loader (available from http://syslinux.zytor.com/iso.php), make your own kernel and initial ramdisk, and create your own ISO image using the mkisofs utility (discussed later in “Building the New Trinux ISO”).

The files in the trinux directory contain the kernel modules and packages you want loaded. Let’s go through each subdirectory one at a time.

Tip 

Because you can mount an ISO image only as read-only, you won’t be able to write to these files yet. We’ll handle that in the “Adding Files to the Trinux ISO” section.

  • bootpkg   This directory contains all the packages you want loaded at boot time. These packages provide basic functionality such as the bash shell, terminals, network services, and more. Each package is a gzipped tar file. You can examine the contents of each package with the command tar ztf <packagename>.tgz. Any packages that you want to have automatically installed at boot onto your ramdisk should be placed in this directory.

  • kpkg   This directory contains all the kernel packages you want loaded at boot time. Only the most basic network modules are included here by default. You may want to add additional kernel packages (such as serial, SCSI, or PCMCIA support) to this directory. You can download kernel packages from http://trinux.sourceforge.net/pkg/<kernel_version>/, where <kernel_version> is the version of your Trinux kernel (Trinux 0.890 uses kernel 2.4.21).

  • modules   This directory contains any additional kernel modules you want to have available, such as network card modules, file system modules, and the like. Adding the file system modules for EXT3 (Linux), UFS (FreeBSD), NTFS (Windows 200x/XP), and SMBFS (NetBIOS drive mapping) is strongly recommended. You can download individual modules from http://trinux.sourceforge.net/modules/<kernel_version>/. The file system modules can be found inside the kernel/fs subdirectory.

  • pkg   This directory contains additional packages you might want to have available for install. The CD comes with a number of utilities bundled in this directory.

  • tux   This directory contains information about Trinux and also can be used for storing configuration information. This directory is of more use on the floppy disk version as Trinux offers utilities for saving home directories and configuration files to floppies so that you can reload them on a future boot.

Adding Files to the Trinux ISO   Unfortunately, when you mount an ISO image as a device, you can’t write to any of the files. That means that to add or modify any of the Trinux files, you’ll need to copy them to another location. Let’s assume that we’ve mounted the Trinux ISO at /mnt/cdrom and that we’ve created a directory called /tmp/trinuxiso to hold our new ISO image. First we need to copy the current files from the ISO image:

# cp –R /mnt/cdrom/* /tmp/trinuxiso/

Now we can add and modify files to the existing Trinux distribution inside /tmp/trinuxiso/.

Building the New Trinux ISO   Once you’ve made the modifications and added the packages you need, you need to create a new ISO image based on the files in /tmp/trinuxiso. You also need to point the image builder at the boot files in /tmp/trinuxiso/isolinux so that the ISO image you create will be bootable when burned to a CD. For these tasks, you’ll need the mkisofs utility.

The mkisofs utility comes bundled with most Unix CD recording tools. For Linux, you can search for and download the cdrecord RPM. On FreeBSD, mkisofs and cdrecord are bundled in the cdrtools package/port. For more information on these tools, visit http://freshmeat.net/projects/cdrecord/.

To create your new bootable Trinux ISO, run the following command:

# mkisofs -o mytrinux.iso -b isolinux/isolinux.bin -c isolinux/boot.cat \
    -no-emul-boot -boot-load-size 4 -boot-info-table /tmp/trinuxiso

This creates a new ISO image called mytrinux.iso that will use isolinux.bin as its boot image. Now your new Trinux ISO image is ready to be burned to CD.
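The following shell script is an added example, not part of the book’s text or of the Trinux project. It checks the staging directory for the boot files named in this section, tests that every package under trinux/bootpkg and trinux/pkg is a readable gzipped tar archive (the format the bootpkg description gives; the example assumes pkg uses the same .tgz format), and only then runs the mkisofs command above. The function names are the example’s own.

```sh
#!/bin/sh
# Added example: pre-flight check of a Trinux staging tree, then the chapter's mkisofs command.
# Function names are the example's own; the layout follows the ISO listing in this section.

# check_tree DIR
# Returns 0 when the boot files are present and non-empty and every .tgz under
# trinux/bootpkg and trinux/pkg is a readable gzipped tar archive; otherwise prints each
# problem and returns 1. mkisofs would happily build an image from a tree that fails
# here, but the CD would not boot or the package would not unpack onto the ramdisk.
check_tree() {
    dir=$1
    problems=0
    for f in isolinux/isolinux.bin isolinux/isolinux.cfg isolinux/bzImage isolinux/initrd.gz; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $f"
            problems=$((problems + 1))
        fi
    done
    for sub in trinux/bootpkg trinux/pkg; do
        [ -d "$dir/$sub" ] || continue
        for p in "$dir/$sub"/*.tgz; do
            [ -e "$p" ] || continue        # glob matched nothing: no packages here
            if ! tar ztf "$p" >/dev/null 2>&1; then
                echo "not a gzipped tar archive: ${p#"$dir"/}"
                problems=$((problems + 1))
            fi
        done
    done
    [ "$problems" -eq 0 ]
}

# build_iso DIR OUT
# Runs the book's mkisofs command only after check_tree passes.
build_iso() {
    check_tree "$1" || return 1
    mkisofs -o "$2" -b isolinux/isolinux.bin -c isolinux/boot.cat \
        -no-emul-boot -boot-load-size 4 -boot-info-table "$1"
}

# Usage: build_iso /tmp/trinuxiso mytrinux.iso
```

Run check_tree on its own after every copy into /tmp/trinuxiso; a package that was truncated during download shows up here rather than at boot time on the victim machine.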

Tip 

The mkisofs command is great for creating ISO images of the Live Response Tool Kits discussed in the following sections. Simply put all of your executables, libraries, and other files under a single root directory (say /tmp/lr) and run mkisofs -o lr.iso /tmp/lr. As you can see, the command for creating nonbootable ISO images is much more straightforward.

Beyond Trinux   Trinux is a simple, lightweight bootable Linux that can run completely in memory. If you’re looking for something more full-featured, take a look at either Gnoppix (http://www.gnoppix.org/) or Knoppix (http://www.knoppix.net/). These tools provide live Linux operating systems from a CD without installing anything on the system’s hard drive. They even include working X environments and graphical desktops (Gnome for Gnoppix, KDE for Knoppix). Although the functionality and organizational hierarchies of Gnoppix and Knoppix are different from Trinux, the basic concept is the same. If you find Trinux to be lacking, try out Gnoppix or Knoppix.

Case Study: Using a Bootable Tool CD

One of your IIS web servers has crashed. Upon inspection, you find that the system will no longer boot. Your manager wants the server fixed and functional as soon as possible, so you get to work. You grab your Windows recovery CD and start to place it in the drive but stop short. Shouldn't you figure out what made the system crash? If you use the Windows recovery CD, you might repair the problem, but in the process you may also erase any trace of what initially caused the problem.

Thinking quickly, you grab your Trinux Tool CD that was prepared using the steps in the previous section. You pop it in the drive and turn on the system. Trinux loads the kernel and tools into memory, allowing you to examine the hard drive devices. Before you do anything else, you decide to make a disk dump (dd) of the hard drive (/dev/hda) so that you can use forensic analysis tools (discussed in upcoming chapters) to examine the current state of the disk. Because you won't have any local place to put this image, you'll need to write the image to a mounted network share. You can do this using NFS or Trinux's SMBFS support, assuming that you placed the appropriate NFS and SMBFS modules (such as smbfs.o) in the trinux/modules directory of your Trinux ISO. The following commands mount a network drive labeled "data" on the Windows server MYIMAGESERV to the local directory /mnt/data. The image of the IDE hard drive /dev/hda is written to the file crashedweb-20031013.img on the MYIMAGESERV "data" share.

bash# mount -t smbfs -o username=guest //MYIMAGESERV/data /mnt/data
Password:
bash# dd if=/dev/hda of=/mnt/data/crashedweb-20031013.img bs=1024 \
    conv=noerror,notrunc,sync

Once the image has been made, you can try mounting the file systems on that drive as read-only so you can take a look at the data without modifying anything. Trinux supports VFAT partitions by default, but if you built your Trinux ISO with the ntfs.o module you should be able to mount NTFS partitions as well.
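The following shell script is an added example, not from the book: it images a drive with the same dd options the case study uses and then verifies the copy by hash before the image is relied on. The dd options are the ones above; the function names, the sample data and the /dev/hda1 partition name in the usage comment are the example’s own.

```sh
#!/bin/sh
# Added example (not from the book): image a drive the way the case study does and
# verify the copy by hash before trusting it. Function names and the sample data are
# the example's own; the dd options are the ones used in the case study.

# hash_file FILE: print a digest of FILE (sha256sum where available, POSIX cksum otherwise)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        cksum "$1" | awk '{ print $1 }'
    fi
}

# image_disk SRC DST
# Copy SRC to DST block by block. noerror keeps dd going past unreadable blocks, sync pads
# each short read out to bs with zeros so the image keeps its offsets, notrunc leaves an
# existing DST in place. Returns dd's exit status; dd's record counts go to stderr and are
# worth keeping next to the image as a record of how many blocks were actually read.
image_disk() {
    dd if="$1" of="$2" bs=1024 conv=noerror,notrunc,sync
}

# verify_image SRC DST
# Print both digests and return 0 only if they match. Caveat: conv=sync pads the last
# block, so a source whose size is not a multiple of bs yields a longer image and the
# digests differ even though every byte was copied; compare sizes first in that case.
verify_image() {
    src_hash=$(hash_file "$1")
    dst_hash=$(hash_file "$2")
    printf 'source %s\nimage  %s\n' "$src_hash" "$dst_hash"
    [ "$src_hash" = "$dst_hash" ]
}

# make_sample_disk FILE
# Constructed stand-in for /dev/hda: 128 lines of 32 bytes, exactly 4096 bytes, so the
# image is a whole number of 1024-byte blocks and the digests can agree.
make_sample_disk() {
    awk 'BEGIN { for (i = 0; i < 128; i++) printf "%031d\n", i }' > "$1"
}

# Typical use on the booted system, after the share is mounted as in the case study:
#   image_disk /dev/hda /mnt/data/crashedweb-20031013.img
#   verify_image /dev/hda /mnt/data/crashedweb-20031013.img
# then mount partitions from the drive read-only while you look around, for example
#   mount -t ntfs -o ro /dev/hda1 /mnt/win      (partition name assumed)
```

Hashing the source device a second time means reading the whole drive twice, which is slow on a large disk but is the only way to know the image on the share is the disk you examined; keep the two digests with the image.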

With the NTFS file system mounted, you take a look at the IIS web logs. You see that someone exploited a Unicode Directory Traversal vulnerability in your IIS to upload an unknown program to your web server and execute it with system privileges. Further analysis suggests that the rogue program overwrote the boot sector on your hard drive and rebooted the system. You remove the rogue program from the disk.

With the web server isolated from the rest of the network, you use your Windows recovery CD to correct the boot sector. You turn off IIS before re-attaching the system to the network, download and apply the IIS patches, and only then return the web server to service. Thanks to your bootable tool CD, all is well, and your knowledge of exactly what happened can help you prevent it from happening again.







Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004