Transcript Lecture 1
Lecture 3: Initial Assessment
6/4/2003
CSCE 590
Summer 2003
Collect the Most Volatile Evidence First
• Memory
• Swap space or page file
• Network status and connections
• Processes running
• Storage media
• Removable media
Preparation
• Assemble toolkits
• Clean your media
– Before imaging evidence media to your media
– # dd if=/dev/zero of={device}
– Clean floppy:
# dd if=/dev/zero of=/dev/fd0 bs=1024
# dcfldd if=/dev/zero of=/dev/fd0 bs=1024 \
> hashwindow=1024 hashlog=a:\hashlog.txt
dd and dcfldd
• Low level command
• Copies bit for bit
• Does not ‘know’ data structure of data
• Can copy:
– Single file
– Piece of a file
– Partition
– Logical or physical disks
– From stdin and stdout
• dcfldd – dd with integrated MD5 hashing
dd and dcfldd Usage
• Typical arguments:
– if=device input file or device
– of=device output file or device
– bs=#   block size, amount of data transferred in one I/O operation (important on tape)
• dcfldd
– hashlog=a:\hashfile.txt
– hashwindow=1024   hash every 1024 bytes
Mystery Tape Block Sizes
• # dd if=device bs=128k of=/tmp/tapetest \
> count=1
– Read data, using block size of 128k until it hits
the first record gap
– If 128k isn’t big enough, you get an error
– Else, size of /tmp/tapetest = block size of tape
• What kind of tape? tar, cpio, dump?
– # file /tmp/tapetest
Splitting an Image up
• Copy 600 One Megabyte blocks per image
• # dd if=device of=media.slice1.img bs=1048576 count=600
• # dd if=device of=media.slice2.img bs=1048576 count=600 skip=600
• # dd if=device of=media.slice3.img bs=1048576 count=600 skip=1200
• # dd if=device of=media.slice4.img bs=1048576 count=600 skip=1800
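As an added example (not part of the original slides), the script below generalizes the slicing commands: each slice's skip is (slice number - 1) × count, slicing stops at end of input, an MD5 is logged per slice, and the reassembled slices are checked against the MD5 of the source. The names split_image and verify_slices and the scratch file are assumptions; on real evidence the source would be the device.

```sh
#!/bin/sh
# Added example, not from the lecture. split_image and verify_slices are
# hypothetical helper names; the input here is a constructed scratch file.

# Cut SRC into slices of COUNT blocks of BS bytes. Slice k (1-based) starts at
# block (k-1)*COUNT, so no block is skipped or copied twice. Prints the slice count.
split_image() {
    src=$1; prefix=$2; bs=$3; count=$4
    k=0
    while :; do
        out="$prefix.slice$((k + 1)).img"
        dd if="$src" of="$out" bs="$bs" count="$count" \
           skip=$((k * count)) 2>/dev/null || return 1
        # An empty slice means the previous one reached the end of the source.
        if [ ! -s "$out" ]; then rm -f "$out"; break; fi
        md5sum "$out" >> "$prefix.md5"      # per-slice hash log
        k=$((k + 1))
    done
    echo "$k"
}

# Reassemble the slices in numeric order and compare the MD5 with the source.
verify_slices() {
    src=$1; prefix=$2; n=$3
    want=$(md5sum < "$src" | cut -d' ' -f1)
    got=$(
        k=1
        while [ "$k" -le "$n" ]; do
            cat "$prefix.slice$k.img"
            k=$((k + 1))
        done | md5sum | cut -d' ' -f1
    )
    [ "$want" = "$got" ]
}

# Constructed input: 2500 KiB of random data standing in for the evidence device.
demo_dir=$(mktemp -d)
dd if=/dev/urandom of="$demo_dir/evidence.dd" bs=1024 count=2500 2>/dev/null
slices=$(split_image "$demo_dir/evidence.dd" "$demo_dir/media" 1024 1000)
if verify_slices "$demo_dir/evidence.dd" "$demo_dir/media" "$slices"; then
    echo "$slices slices; reassembled MD5 matches the source"
fi
```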
Typical UNIX Devices
• /dev/fd0 (floppy)
• /dev/st0 (tape)
• /dev/hda first IDE hard drive
• /dev/hdb second IDE hard drive
• /dev/sda first SCSI hard drive
• /dev/sdb second SCSI hard drive
Network dd
• No local clean media on victim machine, can’t reboot yet
– netcat (nc) and dd (may want encryption too)
– Forensic rig with cleaned media:
• # nc -l -p 31337 | dd of=(local clean media)
– Victim system:
• # dd if=(local physical disk) | nc -w 3 \
> forensic.rig.net 31337
– nc host port (send to host on port)
• -w 3 (wait 3 milliseconds between packets)
• -l (listen mode, send mode is default)
• -p port (listen on port, use with listen mode)
Date and Time
• Windows
– Date
– Time
• Unix
– w
– date
System Configuration Information
• Windows:
– psinfo
– at
– ‘net’ commands:
• accounts, file, session, share, start, use, user, view
• Unix
– df -k
– uname -a
– ifconfig -a
– uptime
Current Users
• Windows
– psloggedon
• Unix
– w
– who
Network Status and Connections
• Windows
– arp -a   IP to physical addr
– netstat -anpr   open sockets
– fport   socket processes
– nbtstat   systems connected
• Unix
– arp -a   IP to physical addr
– netstat -anpr   open sockets
– lsof -i   socket processes
– Netstat   systems connected
Running Processes
• Windows
– procinterrogate -list
– pslist -x   check other options too
• UNIX
– ps -wwwaux
– ps -ef
– lsof
– kstat -P   find LKM hidden processes
• LKM = dynamically Loadable Kernel Modules (like device drivers)
• kstat -s finds clues of LKM rootkits
– /proc   kernel data structures for processes
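The Unix commands from the Date and Time, Network Status, Running Processes, Current Users and System Configuration slides, run as one collection pass. This is an added example, not from the lecture: it timestamps and MD5-hashes each capture as it is taken, and records a missing tool instead of stopping. The name collect_volatile, the TOOLKIT variable, the file naming and the ordering (clock first, then network and process state, then users and configuration) are assumptions.

```sh
#!/bin/sh
# Added example, not from the lecture. collect_volatile, TOOLKIT and the output
# layout are hypothetical. Point the output directory at responder-controlled
# media (or a share on the forensic rig), never at the evidence disk.
collect_volatile() {
    out=$1
    # Optional directory of trusted binaries from the response toolkit; it must
    # then also hold sh, date, mkdir and md5sum (assumed toolkit layout).
    if [ -n "${TOOLKIT:-}" ]; then PATH=$TOOLKIT; export PATH; fi
    mkdir -p "$out" || return 1
    : > "$out/manifest.md5"
    i=0
    while IFS='|' read -r name cmd; do
        i=$((i + 1))
        f=$(printf '%02d_%s.txt' "$i" "$name")
        {
            echo "# command: $cmd"
            echo "# started: $(date -u '+%Y-%m-%dT%H:%M:%SZ')"
            # stdin is detached so a tool cannot swallow the command list below
            sh -c "$cmd" </dev/null 2>&1 || echo "# exit status: $?"
        } > "$out/$f"
        # Hash each capture immediately; relative names keep `md5sum -c` usable.
        (cd "$out" && md5sum "$f") >> "$out/manifest.md5"
    done <<'EOF'
date_start|date
arp|arp -a
netstat|netstat -anpr
lsof_net|lsof -i
ps_aux|ps -wwwaux
ps_ef|ps -ef
users_w|w
users_who|who
ifconfig|ifconfig -a
uname|uname -a
df|df -k
uptime|uptime
date_end|date
EOF
    echo "$i"      # number of captures written
}

# Run as: sh collect.sh <output-directory>   (script name is a placeholder)
if [ "$#" -gt 0 ]; then collect_volatile "$1"; fi
```

Running `md5sum -c manifest.md5` inside the output directory later confirms that no capture has changed since collection.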
Swap Space or Page File
• When there isn’t enough memory, chunks of
processes will be paged out to disk
• Older systems, entire processes are swapped out to
disk
• Windows:
– copy c:\pagefile.sys d:
– copy c:\win386.swp d:   win9x
• Unix:
– Can get it when imaging whole drive
Memory
• Windows:
– Don’t use book’s method
– Modified dd at:
• http://users.erols.com/gmgarner/forensics/
– # dd if=\\.\PhysicalMemory conv=noerror \
> | nc forensic.rig.net 31337
– Or use pmdump
• Unix
– # dd if=/dev/mem | nc forensic.rig.net 31337
– # dd if=/dev/kmem | nc forensic.rig.net 31337
– # dd if=/dev/kcore | nc forensic.rig.net 31337
Storage Media
• Imaging to work on copies
• Use MD5 hashes
• Write blockers
– Software
– Hardware
– busTRACE: http://www.bustrace.com/ for live
imaging
Removable Media
• Make sure to flush pending writes (sync) to removable media before removing
• Can be imaged like storage media
Physical Collection Issues
• Don’t overlook fingerprints on keyboard and
mouse to place person at keyboard
• Evidence exposed to hazardous material, chemical
weapons, toxic waste
– Have it evaluated and approved by HAZMAT experts
• Organic chemicals, biological matter, fingerprint,
or other forensic tests:
– Fingerprinting process (cyanoacrylate) will severely
damage electronic media
– Scraping can physically damage media (floppy)
Wet Media
• Soaked or immersed electronic media:
– Keep it immersed in distilled water
– Drying in uncontrolled conditions can lead to
deposits
– photograph any paper labels on magnetic media
before immersion in distilled water
• Tape or floppy just a little wet
– seal in plastic bag, don't immerse
• Paper, cellulose based media, printouts:
– freeze or freeze dry if wet
Wet Media
• Flood damage
– Immerse and flush with clean water
– Salt water:
• Place in container or plastic bag with enough ocean water to
keep it immersed
• Immerse and flush it in distilled water ASAP
• Immersion may cause biological evidence to
deteriorate
– Separate samples before immersion if they are plentiful
or it is easy
– Be aware and make judgment calls
Tape: Physical Issues
• Age, disuse, poor storage conditions
– Layers can become sticky and stick together or to the
read head
– Static buildup increases read error rates
– Unrolling untreated tape can cause oxide layer to be
torn from substrate
• Collect all pieces, can help with splices
• Ship to lab to be processed and reconditioned
• Reading for Lectures 2-5:
– Mandia/Prosise: Chapters 2-5, 9
– Casey: Chapter 2 (in Reading Room)
• Homework 1: Due Monday, June 9, 2003