480 likes | 614 Views
Forensics 101:. Basics of capturing and mounting forensic images. Forensics:.
E N D
Forensics 101: Basics of capturing and mounting forensic images ISC/Information Security
Forensics: Forensic science (often shortened to forensics) is the application of a broad spectrum of sciences to answer questions of interest to the legal system. This may be in relation to a crime or to a civil action…the term "forensic" is effectively a synonym for "legal" or "related to courts" (from Latin, it means "before the forum"). Source: Wikipedia ISC/Information Security
Why perform computer forensics? • You know or suspect one or more computers has been involved in: • a crime • a violation of policy • an issue of academic integrity (student and/or faculty) • A network and/or computer(s) were compromised, and you just want to find out how and why ISC/Information Security
Why not perform forensics? • Can be expen$ive • Commercial forensic and data recovery outlets (e.g. Kroll Ontrack and RenewData) typically charge $3,000 - $5,000 per drive • Even when done in-house, can involve large amounts of employee labor, purchasing extra drive space, etc • Can be time consuming • Acquiring drive images takes time…an 80 GB drive typically takes 2+ hours • Data analysis can takes days, even weeks, depending on the scope of the case ISC/Information Security
Who can perform forensics? • For purposes of simply investigating a hacked system or network that does not appear to have legal implications, any person knowledgeable with basic forensic tools and procedures can perform a forensic examination (with proper authorization) • In cases where there is potential legal obligation and/or risk for Penn, only person(s) authorized by the University may perform forensics (i.e., ISC Information Security) ISC/Information Security
If you begin an independent forensic examination… …and encounter evidence of an actual or possible crime (whether it’s been committed yet or not) STOP!! Contact ISC Information Security immediately at 215-898-2172 or security@isc.upenn.edu ISC/Information Security
Classes of forensic examinations • “Live”, i.e. real-time • Network is up and running, computers are attached and communicating • Goal is to observe/capture ongoing activity on network, in RAM and on disk related to crime or exploit • Not often done, very complex, often a “fishing expedition” • “Snapshot”, i.e., static • Network packet captures have been saved for later analysis • In some cases, RAM dumps written to file for analysis • Drive images taken to preserve status of file system - this is the most commonly performed forensic operation ISC/Information Security
Some common forensic tools: • Real-time • tcpdump/WinDump • netstat • Ethereal • pcat • lsof • Static • dd (or dcfldd) • mmls • netcat (or cryptcat) • md5sum • grep ISC/Information Security
Drive images: what do I need? • A basic, working knowledge of linux, especially the use of: • mount • dd • ls • A basic understanding of image files (.iso, .img) • A basic understanding of drive geometry (sectors, partitioning) and file system structure (allocation tables, inodes, allocated vs. unallocated space, slack space, MAC times) ISC/Information Security
Image files: The Goal The purpose of capturing a forensic drive image is to produce a file that is an exact, sector-by sector reproduction of the drive. The image preserves not only the data itself, but also the “geography” of the data - where it physically resides on the disk. The image file can then be examined for evidence without danger of altering or destroying the original. ISC/Information Security
Basic Drive Geometry • The typical sector size for modern drives is 512 bytes • Most operating systems (Windows and Unix/Linux included) use a default allocation size of 8 sectors (4096 bytes) ISC/Information Security
File System Basics • Allocated space is space that is in use by a file and is being tracked in the File Allocation Table (FAT) • Unallocated space is disk space that is available for new or changed files. It may or may not contain data from deleted files • Slack space is space that is allocated but unused, i.e., the remaining space in the last allocated file block • Unix and Linux pad this space with zeros • Windows does not…may contain valuable data fragments • File system metadata includes “card catalog” information such as inode number and file MAC times ISC/Information Security
Linux • Most versions of linux will work just fine with all standard forensic tools • SANS Institute uses Red Hat Fedora as the basis for their forensics course • There are Windows-based forensic tools, but many are commercial, and - surprise! - often don’t work as well as the unix/linux tools • To mount and analyze NTFS images, your linux kernel will need to support and have installed an NTFS module: • Start here: sourceforge.net/project/showfiles.php?group_id=13956 ISC/Information Security
Toolboxes! • “The Coroner’s Toolkit” • A set of tools developed by Dan Farmer and Wietse Venema • www.porcupine.org/forensics/tct.html • Helix • Bootable, Knoppix-style linux CD • Graphical interface, or command line/terminal • www.e-fense.com/helix/ • FREE!! ISC/Information Security
A little more about Helix... • Current version: 1.8 (10-06-2006) • Extremely powerful and useful • Download as ISO file and burn directly to CD-ROM • IDE drives a snap - ATA’s can be tricky • It pays to archive older versions • Depending on age and/or version of BIOS chips, some computers will boot on older versions but not on current ISC/Information Security
Before you start… • The Cardinal Rule: DOCUMENT EVERY STEP!! • Date and time you started and ended • Equipment you worked on • Serial numbers (drive AND CPU) • Owner/user(s) • Purpose(s) machine used for (if you know) • Location • Commands/tools you ran (including option flags) in the order you ran them • Results you got from commands and tools • Anything else pertinent to the examination • Record all of the above in a running log and sign it (PGP, or print it out and physically sign it) Remember: the possibility always exists that you may find information that results in a legal proceeding, and you may be required to explain and justify your work. ISC/Information Security
Determine Scope • What are you looking for? • Who is involved? • All users? Just one? Root/Admin compromise? • How many drives? • How many partitions? What kind(s)? • Windows? Unix/Linux? OS X? • Need to search for text and/or data? ISC/Information Security
Keyword List • If you’re going to be searching for evidence of particular actions or behavior in documents and data files, prepare a list of keywords that are likely to be found during a search of files containing text and strings • There are several tools that can use this list, including good old grep ISC/Information Security
Forensic Drive Imaging: A 12-Step Program ISC/Information Security
Step 1: Chain of Custody • Start a Chain of Custody form for each drive you examine • Records identifying information about the drive (serial number, model, capacity, etc.) • Most importantly: establishes and tracks the physical location and custody of the drive from the beginning of the investigation through the end. • A very important document in a legal proceeding - used to indicate and prove (as much as possible) that evidence has been properly treated and has not been tampered with • Information Security can provide you with a suitable form ISC/Information Security
Step 2: Capture Setup • If you have a bootable linux CD (e.g., Helix), simplest setup is: • connect an external USB/Firewire drive as the “image target” • boot the system up • mount the drive to be imaged and the “image target” • make sure, of course, that the target is LARGER than the source ISC/Information Security
netcat/cryptcat • netcat allows you to “pipe” output across the network in similar fashion to how you would do it locally with cat, ‘>’, etc. • cryptcat does the same thing, but encrypts the traffic • uses “client/listener” model • start the listener: • nc -l -p [port #] > [output file] • e.g. nc -l -p 5432 > /casefile/datafile.txt • pipe client output: • cat [filename] | nc [listener IP] [listener port] • e.g., cat testfile.txt | nc 130.91.75.126 5432 ISC/Information Security
Backups: “File” vs. “Forensic” • A standard file backup copies only data residing in allocated disk space • i.e, an 80 GB drive with 20 MB of allocated files will produce a 20 MB backup file • A forensic (image) backup sequentially copies each and every disk sector, regardless of whether it is allocated space or has any data in it • i.e. an 80 GB drive with 20 MB of allocated files will produce an 80 GB image file ISC/Information Security
Step 3: Hash the drive • The object is to produce a “snapshot” image of the drive that is absolutely identical to the drive itself • The standard method of verifying the integrity of the image involves using the MD5 hashing algorithm • Run md5sum against the drive’s device: • md5sum /dev/sda • Pipe it to a text file if you like: • md5sum /dev/sda > hash.txt • The result will be a 32-character (hex) hash of the entire disk contents that you will later match against the image ISC/Information Security
Example: MD5 Input Output • B026324c6904b2a9cb4b88d6d61c81d1 • 26ab0db90d72e28ad0ba1e22ee510510 • 6d7fce9fee471194aa8b5b6e47267f03 • 48a24b70a0b376535542b996af517398 • 1dcca23355272056f04fe8bf20edfce0 ISC/Information Security
Step 4: Image capture with dd • dd: “duplicate device” • 2 basic, required parameters: • input file (‘if’) • output file (‘of) • Input and output can be either actual files or block devices • For block device (i.e., entire drive) to image file: • dd if=<device> of=</path/file> • e.g. dd if=/dev/sda of=/casefile/image01.iso ISC/Information Security
An alternative: dcfldd • Available in Helix and TCT • Provide progress indicator (count of written blocks) • hashwindow=0 • Can perform integrity checks/MD5 sum on the fly and write to file • hashlog = <path/file> • e.g. dcfldd if=/dev/sda of=/casefile/image01.iso hashwindow=0 hashlog=/casefile/imagehash.txt ISC/Information Security
Step 5: Wait… • It will vary depending on the equipment involved, but Information Security’s experience is that typical current drives can be imaged at about 40GB/hr • Go to Starbucks… ISC/Information Security
Step 6: Hash the image file • Run md5sum against the resulting image file • md5sum /casefile/image01.iso • Compare this hash to the one obtained in Step 3 from the drive • If they match exactly, you have an image file that is an exact copy of the drive. If they don’t, something went wrong, and the validity of any examination of the image data would likely be challenged in court if it ever came to that ISC/Information Security
Step 7: Put the drive away • Now that you have an image file and have verified the integrity by matching the MD5 hashes, you do not need the drive • Store it securely and perform your examination on the image file ISC/Information Security
Step 8: Retrieve partition structure • mmls • included in TCT • extracts logical partition info from image file • use ‘-t dos’ flag to denote you’re looking for disk operating system partitions • output will be used to “carve out” images of partitions needed • usage: mmls -t dos </path/file> • e.g., mmls -t dos /casefile/image01.iso ISC/Information Security
mmls: a typical(?) result # mmls -t dos /casefile/image01.iso Units are in 512-byte sectors Slot Start End Length Description 00: ----- 0000000000 0000000000 0000000001 Table #0 01: ----- 0000000001 0000000062 0000000062 Unallocated 02: 00:00 0000000063 0001028159 0001028097 Win95 FAT32 (0x0B) 03: ----- 0001028160 0002570399 0001542240 Unallocated 04: 00:01 0002570400 0004209029 0001638630 OpenBSD (0xA6) 05: 00:02 0004209030 0006265349 0002056320 NTFS (0x07) Well, maybe it’s not so typical to have 3 different operating system partitions on a single drive. This illustrates, though, that mmls shows you not only what partitions are on the drive, but also where they are. Take note of the sector size as well - it’s usually 512 bytes, but can vary. ISC/Information Security
Step 9: “Carve out” partitions • dd can be used with additional parameters to “carve” the partitions from the image file and write them to individual image files that can be directly mounted and browsed • from mmls, you need to know the sector size the drive is using (usually 512 bytes) • also, for each partition, you need: • size (“Length” column from mmls output) • skip (“Start” column from mmls output) ISC/Information Security
“Carving” with dd Usage: dd if=<whole disk image file> bs=<sector size> count=<partition size> skip=<partition start> of=<new partition image file> So, to create an image file of the NTFS partition found by mmls on the previous slide: dd if=/casefile/image01.iso bs=512 count=2056320 skip=4209030 of=/casefile/partition01.img (Yes, you can use dcfldd instead) ISC/Information Security
.iso or .img? • Doesn’t really matter - you can use pretty much any file name and extension you want • By convention, some use .iso for the whole image and .img for partition images • Whichever convention you adopt, be consistent ISC/Information Security
Step 10: Mount partition(s) • To inspect and browse your partition images, you need to mount them as part of your Linux file system • Important flags: • t File system type (e.g., ntfs) • ro Read only (used with -o) • loop Needed to read image file as block device (used with -o) • Usage: mount <options> <path to image> <mountpoint> ISC/Information Security
Putting it all together… mount -t ntfs -o ro,loop /casefile/partition01.img /forensics This tells the system to mount the file as a read-only image file using NTFS at the /forensics directory (make sure that it exists). Once this is done, you should be able to inspect all files below that mountpoint using standard tools like ls and grep, as well as other specialized forensic tools from TCT, Helix, et al ISC/Information Security
Step 11: Tool Time (“More Power!”) We’ve already talked about basic tools like grep and ls. Thanks to toolboxes like TCT and Helix, there are many more that can be used to literally take the image apart and dissect it sector by sector, file by file. We can’t cover all of them here in detail, but we’ll take a few minutes to highlight some of the most useful and powerful “cool tools”… ISC/Information Security
mac-robber and mactime • MAC refers here to Modified, Accessed and Created dates/times for files in system • mac-robber collects information from the file systems metadata structure ( MAC times, file sizes & permissions etc.) • output defults to STDOUT, can be piped to local file, or to remote location via netcat/cryptcat • usage: mac-robber <path> > <target> • e.g., mac-robber /forensics > partition01_mac.txt • mactime is a Perl script that processes the output from mac-robber • allows specification of date/time range • sorts files by MAC times instead of by directory/path • use -b flag to designate source file, otherwise defaults to STDIN • e.g., mactime -b partition01_mac.txt > timeline.txt ISC/Information Security
MAC Timeline • Investigating a compromise via rootkit et al usually involves inspecting the file system for unusual or unexplained changes and additions. • The timeline file generated by mactime presents a chronological account of changes to individual files • Can be a time-consuming examination, but often reveals much insight into how a system was hacked • e.g., a common administrative tool like ps shows an inode number change 2 months ago • typically, core command-line utilities should have lower inode numbers that never change • indicates that the ps command was likely tampered with in order to hide processes from system administrator ISC/Information Security
file • Displays file type of one or more files • Can use wildcards, e.g., ‘*’ • Can try to look inside compressed files (‘-z’) • Useful for finding mismatches between the file extension in use and what the file actually is • e.g., user trying to hide incriminating JPG files by renaming them with ‘.exe’ extension ISC/Information Security
strings • Locates and extracts strings of 4 characters or more in binary files • Useful for finding calls to libraries, IP addresses, pathnames, etc • Usage: strings <options> <filename> • Flags • -a grab all strings • --radix=d byte offset of string found • -f print filename beside string • -n x grab strings of at least x length ISC/Information Security
dstat • Displays statistics on a particular data unit (sector) • Useful for determining current allocation status of sector • Typical usage: • dstat -f ntfs /casefile/partition01.img 20647 • Typical result: Fragment: 257 Allocated Group: 0 ISC/Information Security
dcat • Similar to dstat, but outputs actual contents of sector • Defaults to STDOUT, can be piped to file • Usage: • dcat -f ntfs /casefile/partition01.img 20647 ISC/Information Security
dls • Lists contents from data units • Defaults to STDOUT, can be piped • Useful for recovering deleted files and slack space • Flags: • -e show all blocks • -l list details about each block (no content) • -s show slack space • range range of blocks to be outputted • e.g., • dls -f ntfs -el /casefile/partition01.img 2000-3000 > dlsdata.txt ISC/Information Security
inode tools • Similar to the ‘d*’ tools we’ve just covered, there are tools that permit retrieval and inspection of file data based on inode number • ifind find inode number that points to a disk sector • istat display metadata info by inode number • ils list inodes, including deleted files and unlinked but open files • icat copy files by inode number ISC/Information Security
Step 12: A Final Windows Hint • Don’t forget to run these tools on pagefile.sys - you’d be surprised what you might find ISC/Information Security
Questions? ISC/Information Security