Linux Forensics Tool Guide
1. Computer Forensics – Patricia M Watson
Linux: A Powerful Computer Forensics Tool
Patricia M Watson
2. What is Computer Forensics?
Computer forensics involves the preservation, identification, extraction, documentation and interpretation of computer media for evidentiary and/or root cause analysis.
Computer Forensics: Incident Response Essentials, Warren G. Kruse II and Jay G. Heiser, Addison-Wesley 2003, ISBN 0-201-70719-5
3. What Skills Must a Forensics Analyst Have?
• A broad range of technical, investigative, procedural, and
legal skills
Disk geometry, file systems, software reverse engineering,
steganography, cryptography, evidence integrity and authentication,
Chain of custody
• The ability to function in a complex, dynamic environment
Computer technology as well as legal and regulatory environments
are constantly changing
• The ability to testify in a court of law
Reproduce the incident, interpret results, be prepared for cross-examination
4. Computer Forensics Training
• The SANS Institute – Global Information Assurance
Certification Computer Forensics (GCFA)
http://www.giac.org/certifications/security/gcfa.php
• New Technologies Inc. – Computer Forensics Certification
administered by Oregon State University
http://www.forensics-intl.com/forensic.html
• CompuForensics – in association with the University of
Georgia offer computer forensics certificate courses
http://www.gactr.uga.edu/is/cf/
• Certified Information System Security Professional
(CISSP)
http://www.cissp.com/ispc/cf-bootcamp.asp
5. Why is Computer Forensics Important?
• Computers are used to commit crimes
Fraud, theft of intellectual property, threatening letters
• Computers are victims of crimes
Remote attacks, viruses, worms, Trojans
• Computers provide record of activities that are useful
in an investigation of an alleged crime
Best evidence rule: Accurate representation of original
data on a system (bit-for-bit image)
6. Forensics in a Nutshell
• Incident response
o Verify the incident
o Evidence Seizure
o Collect volatile and non-volatile data (live system)
• Investigation and analysis
o Image System (dead system)
o Data recovery
• Reporting results
o Record your actions
7. Forensics “The Legal Issues”
• Federal (cyber crime is federal)
o Title 18 – communications, computers, fraud, etc.
o USA Patriot Act – extends crimes, streamlines criminal investigation, and increases penalties
o Digital Millennium Copyright Act – makes it illegal to circumvent digital copyright protection
• State laws vary
• Admissible evidence
o Law enforcement personnel activities are restricted (warrants, privacy, consent)
o Law enforcement must follow chain of custody
o Private citizens must follow company policies
o Policy should address both legal and business environments
8. Places for Data to Hide (as organized by SANS.org)
• Physical Layer
Areas allocated for diagnostics, sector overhead, sectors marked as bad
• Data Layer
Slack space, swap space, free space, unallocated space (file fragments)
• Metadata Layer
Corrupted inodes (Linux), resident data as alternate data streams (NTFS)
• File System Layer
Superblock, boot sector
• File Name Layer
When files are deleted, the file system will hide the file name from the user,
but much data can be recovered using forensic tools.
9. The “Tools”
• Although there is no universal forensic solution, Linux-based
tools are preferred for the following reasons:
They are FREE
Open source – You can modify/improve
You can verify tool integrity (cryptographic hashes)
You can image any type of media as raw format
Greater versatility – No platform dependencies
10. Tools – “The Basics”
• dcfldd – Modified version of dd which can hash the raw data as it is collected
# dcfldd if=/dev/hda of=/dev/hdb hashwindow=0 hashlog=drive.md5.txt
• dd – Powerful utility used for truncating files, splitting images, or sanitizing
disks or partitions
# dd if=/dev/zero of=/dev/hda
• Cryptographic Hashes – Provide evidence integrity and
authentication
md5sum, sha1sum
• mount loop – mounts an image read-only for examination
# mount -o ro,loop imagepath mountpoint
• strings, grep, fgrep, file – Used for keyword searches
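The acquire-hash-verify cycle behind the dcfldd, md5sum/sha1sum and mount examples above, as an added example that is not part of the slides. A constructed 4 KiB file stands in for /dev/hda, the hash log and file names are assumptions, and plain dd plus sha1sum replaces dcfldd's in-line hashing so the script runs on any Linux box.

```shell
#!/bin/sh
# Added example, not from the slides: image a device bit-for-bit and record
# hashes of source and image so the copy can be authenticated before analysis.
# A constructed 4 KiB file stands in for the slide's /dev/hda; plain dd plus
# sha1sum is used because dd, unlike dcfldd, cannot hash while it copies.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC=$WORK/source.dev          # stand-in for the suspect device (assumed name)
IMG=$WORK/evidence.dd         # raw image written by dd
LOG=$WORK/evidence.sha1.txt   # hash log stored alongside the image

# Constructed sample "device": 8 sectors of 512 bytes of random data.
dd if=/dev/urandom of="$SRC" bs=512 count=8 2>/dev/null

# Copy sector by sector. noerror,sync keeps going past unreadable sectors and
# pads them with zeros so offsets in the image still match the source.
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
    sha1sum "$1" >  "$3"       # line 1: hash of the original
    sha1sum "$2" >> "$3"       # line 2: hash of the image, taken right after copying
}

# The hash recorded for the original (first line of the log).
recorded_hash() { sed -n '1p' "$1" | cut -d' ' -f1; }

# Succeeds when FILE still hashes to the value recorded in LOG; run this
# before every analysis session to show the evidence has not changed.
matches_log() {
    [ "$(sha1sum "$1" | cut -d' ' -f1)" = "$(recorded_hash "$2")" ]
}

# Analysis happens on a read-only loop mount (needs root; not run here).
mount_image_ro() { mount -o ro,loop "$1" "$2"; }

acquire_image "$SRC" "$IMG" "$LOG"
if matches_log "$IMG" "$LOG"; then
    echo "image verified, sha1 $(recorded_hash "$LOG")"
else
    echo "image does NOT match source" >&2
    exit 1
fi
```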
11. Types of Forensic Toolkits
• Data Analysis Toolkits: Designed to analyze data, best for
live system analysis
o The Coroner’s Toolkit (TCT)
Designed by Dan Farmer and Wietse Venema to investigate “hacked” Unix hosts
http://www.fish.com/tct
• Data Acquisition Toolkits: Save data to perform lab-based
analysis, best for dead system analysis
o The Sleuth Kit (TSK)
Designed by Brian Carrier, the TSK is a collection of file system analysis tools with
NO platform dependency. http://sleuthkit.sourceforge.net
Autopsy is the graphical interface to TSK
12. The TSK Tool Organization
• File System Layer:
fsstat – displays details about the file system
13. The TSK Tool Organization
• Data Layer:
dstat – provides statistics on a given data unit, e.g. allocation status
dls – copies unallocated contents from data units to STDOUT; the -s flag extracts slack space on NTFS and FAT systems
dcalc – takes the “dls” location as input and determines where it resides in the original image (dd)
dcat – displays the contents of any disk block to STDOUT
14. The TSK Tool Organization
• Metadata Layer:
o istat – displays statistics about a given metadata structure, e.g. permissions, size, allocation status
o ifind – finds the metadata structure that has allocated a given data unit, most frequently used when performing keyword searches
o ils – lists general details of inodes, most often used to collect inodes of deleted files
o icat – displays the contents of all the blocks allocated to an inode, ideal for recovering deleted files
15. The TSK Tool Organization
• File Name Layer:
fls – lists file and directory entries in a directory inode. Since “fls” is processing the directory content, it can display the data from deleted files
ffind – a mapping tool that finds the file name for a metadata address by processing the full directory tree and locating the entry that points to the metadata address
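The deleted-file workflow that the metadata layer (icat) and file name layer (fls) slides describe, as an added example that is not part of the slides or of The Sleuth Kit. The fls listing is constructed in fls's real output format so the parsing runs without TSK installed; recover_deleted itself assumes fls and icat on PATH and a single-file-system image (no offset).

```shell
#!/bin/sh
# Added example, not from the slides: turn an "fls" listing into the list of
# deleted files to pull back with "icat". The fls output below is constructed
# in TSK's real format so the parsing runs without The Sleuth Kit installed;
# recover_deleted itself needs fls and icat on PATH.
set -eu

# Constructed sample of `fls -r -p image.dd`; deleted entries carry a '*'.
FLS_SAMPLE=$(printf '%b\n' \
    'd/d 11:\tlost+found' \
    'r/r 12:\tetc/passwd' \
    'r/r * 13:\thome/alice/notes.txt' \
    'r/r * 64-128-2:\thome/alice/report.doc' \
    'd/d * 15:\ttmp/build' \
    '-/r * 0:\thome/alice/orphan.bin')

# Print "address<TAB>path" for each deleted regular file (r/r or -/r with '*').
# Directories are skipped, as are entries whose metadata address is 0 since
# there is nothing left for icat to follow; the trailing ':' is stripped.
deleted_files() {
    printf '%s\n' "$1" | awk -F'\t' '
        $1 ~ /^[r-]\/r \* / {
            addr = $1
            sub(/^.* \* /, "", addr); sub(/:$/, "", addr)
            if (addr != "0") printf "%s\t%s\n", addr, $2
        }'
}

# Recover every deleted file in IMAGE into OUTDIR/<address>_<basename>.
# Uses TSK's fls and icat (named on the slides); requires The Sleuth Kit on PATH.
recover_deleted() {
    image=$1; outdir=$2; tab=$(printf '\t')
    mkdir -p "$outdir"
    deleted_files "$(fls -r -p "$image")" |
    while IFS=$tab read -r addr path; do
        icat "$image" "$addr" > "$outdir/${addr}_$(basename "$path")"
    done
}

deleted_files "$FLS_SAMPLE"
```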
16. Forensic Resources
• Handbook for Computer Security Incident Response Teams
(CSIRTs)
http://www.sei.cmu.edu/pub/documents/03.reports/pdf/03hb002.pdf
• Intrusion Detection, Honeypots and Incident Handling
Resources http://www.honeypots.net/
• US Department of Justice Forensic Examination of Digital
Evidence http://www.ncjrs.org/pdffiles1/nij/199408.pdf
• USDOJ Searching and Seizing Computers and Obtaining
Electronic Evidence in Criminal Investigations
http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.pdf
• Computer Forensics Incident Response Essentials. Warren
G. Kruse II and Jay G. Heiser. Addison-Wesley 2003. ISBN
0-201-70719-5
• Know Your Enemy 2nd Edition. The Honeynet Project.