Introduction to Linux Forensics. By Chris Marko, June 2005.
Linux is Growing in Popularity
• Each new version is becoming more user friendly.
• Disk installation is no longer confusing.
• The installation interface is more intuitive.
• The graphical environment is becoming much more mature.
• More and more companies are embracing and supporting Linux.
• IBM has teams of developers working on it.
• Apple’s OS now has a UNIX-like core.
• Novell is now in the Linux business.
• More and more devices are now running Linux.
• Personal devices: cell phones and PDAs.
• Electronics: video recorders, MP3 players.
Linux Boot Sequence
• Start your computer that has Linux installed.
Floppy Disk Analysis
• Insert the floppy.
• Obtain its SHA hash.

Create Floppy Disk Image
• Use dd to create a forensic image.
• Compare the SHA hash of the image against the floppy to confirm a good image.

Identify File System
• Use the file utility to identify the file system of the floppy disk image.
• The file utility can identify more than 30 different file system types and many more standard file types.

Mount the Image for Analysis
• Create a directory to mount the image against.
• Use the mount utility to mount the image, using loopback so the OS treats the image file as a physical device.

Obtain SHA Hash of Contents
• Obtain the SHA hash of each file on the floppy disk.
• Check each file to confirm everything looks as expected.
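The acquisition steps on the slides above (hash the source, image it with dd, compare hashes, identify the file system, mount the image through the loop device and hash its contents) as one script. This is an added example, not code from the slides or their author. The slides read the real floppy drive (/dev/fd0); here a constructed 1.44 MB file named fake_fd0 stands in for the device so the script runs without hardware, and the mount step, which needs root, is kept in its own function.

```shell
#!/bin/sh
# Added example (not from the slides): acquire a floppy-sized source with dd,
# verify the copy by hash, identify the file system, and mount it read-only.
# Assumption: fake_fd0 is a constructed stand-in for /dev/fd0.
set -eu

WORK=$(mktemp -d)
SRC="$WORK/fake_fd0"        # constructed stand-in for /dev/fd0
IMG="$WORK/floppy1.img"     # the forensic image (slides use /evidence/floppy1.img)
MNT="$WORK/mnt"             # mount point for loopback analysis

# Build the stand-in "device": 2880 sectors of zeros with a marker planted inside.
make_fake_device() {
    dd if=/dev/zero of="$SRC" bs=512 count=2880 2>/dev/null
    printf 'SAMPLE-EVIDENCE' | dd of="$SRC" bs=1 seek=1024 conv=notrunc 2>/dev/null
}

# Print only the SHA-1 digest of a file (first field of sha1sum output).
hash_of() {
    sha1sum "$1" | cut -d' ' -f1
}

# Acquire: read the source sector by sector into the image file.
# noerror keeps going past unreadable sectors; sync pads them so offsets stay aligned.
image_device() {
    dd if="$SRC" of="$IMG" bs=512 conv=noerror,sync 2>/dev/null
}

# Verify: the image is good only if its digest equals the source's (exit 0 on match).
verify_image() {
    [ "$(hash_of "$SRC")" = "$(hash_of "$IMG")" ]
}

# Identify the file system of the image (for this zero-filled sample, just "data").
identify_image() {
    if command -v file >/dev/null 2>&1; then
        file "$IMG"
    else
        echo "file utility not installed"
    fi
}

# Mount the image through the loop device read-only so nothing is written to the
# evidence, hash every file inside it, then unmount. Needs root; not run by the test.
mount_and_hash_contents() {
    mkdir -p "$MNT"
    mount -o ro,loop "$IMG" "$MNT"
    find "$MNT" -type f -exec sha1sum {} \; > "$WORK/contents.sha1"
    umount "$MNT"
    cat "$WORK/contents.sha1"
}
```

Run make_fake_device, image_device and then verify_image; a single changed byte in the image makes verify_image return non-zero, which is exactly why the slides compare the two hashes before any analysis starts. Against a real drive, replace SRC with /dev/fd0 and keep the ro,loop mount options.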
Identify File Contents
• ls to view all the files on the floppy.
• file utility to identify the file header.
• It tells us that this is actually a Microsoft Office document.

View File Contents
• strings utility to extract raw text from a binary file.
Evidential Search Criteria
• Put together a keyword list to use in a search applied against the evidence.
• This screenshot shows the use of the vi editor.

Apply Search List
• Apply the search list against the entire image of the floppy by using the grep utility.

View Search Results
• Viewing the search results file with cat shows binary, so we use strings instead to view just the ASCII text from the file.
• The byte offset of each hit within the image is shown before the colon, e.g. “49189:”.

Search Hit Example
• xxd utility used to perform a hex dump of the data.
• # xxd -s 49189 /evidence/floppy1.img | less
• Note the match giving an address for the Boston Crackdlr of 11 Clarendon Apt 6 in Boston’s Back Bay.
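The keyword search from the last four slides (keyword list, grep over the raw image, offset before the colon, hex dump at that offset) carried through on a constructed image. This is an added example, not the slides' own commands: the image is 1.44 MB of zeros with the address text from the slide planted so that “Clarendon” sits at byte 49189, the offset the slide dumps with xxd; the keyword file and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): keyword search over a raw image with
# grep, then a hex dump at the reported byte offset. The image and the keyword
# list are constructed here; the slides use /evidence/floppy1.img.
set -eu

WORK=$(mktemp -d)
IMG="$WORK/floppy1.img"
KEYWORDS="$WORK/keywords.txt"
HITS="$WORK/search_results.txt"

# Constructed image: zeros with the slide's address planted at byte 49186,
# so the word "Clarendon" starts exactly at 49189.
make_sample_image() {
    dd if=/dev/zero of="$IMG" bs=512 count=2880 2>/dev/null
    printf '11 Clarendon Apt 6 Back Bay' | dd of="$IMG" bs=1 seek=49186 conv=notrunc 2>/dev/null
}

# Keyword list, one term per line (the slides build this in vi).
make_keyword_list() {
    printf 'Clarendon\nBack Bay\n' > "$KEYWORDS"
}

# Search the whole image. -a treats the binary image as text, -b prefixes each
# hit with its byte offset, -o prints only the matching text rather than the
# entire NUL-filled "line", -i ignores case, -f reads patterns from the file.
search_image() {
    grep -a -b -o -i -f "$KEYWORDS" "$IMG" > "$HITS" || true
    cat "$HITS"
}

# Number of hits recorded.
hit_count() {
    grep -c '' "$HITS"
}

# Byte offset of the Nth hit: the decimal number before the colon.
hit_offset() {
    sed -n "${1}p" "$HITS" | cut -d: -f1
}

# Hex dump 64 bytes from an offset, as the slides do with xxd -s; od is used
# as a fallback when xxd (shipped with vim) is not installed.
dump_at() {
    if command -v xxd >/dev/null 2>&1; then
        xxd -s "$1" -l 64 "$IMG"
    else
        od -A d -t x1z -j "$1" -N 64 "$IMG"
    fi
}
```

grep -b prints decimal offsets, which xxd -s accepts directly, so the number before the colon can be pasted into the dump command without conversion. Adding -o is what keeps binary out of the results file: without it grep emits the whole matching "line", including the surrounding non-printable bytes, which is why the slides fall back to strings to read the hits.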
Conclusion
• You have now seen an introduction to analyzing a floppy disk with a few tools.
• Next, you might further analyze the addressbook file:
• file utility to identify its type.
• strings utility to extract raw text.
• Maybe copy the .d file to a machine with Microsoft Word to view the interpreted content.