
Forensics 101:
Basics of capturing and mounting
forensic images
Security-SIG
February, 2007
ISC/Information Security
Forensics:
Forensic science (often shortened to forensics) is
the application of a broad spectrum of sciences to
answer questions of interest to the legal system. This
may be in relation to a crime or to a civil action…the
term "forensic" is effectively a synonym for "legal" or
"related to courts" (from Latin, it means "before the
forum").
Source: Wikipedia
Why perform computer forensics?
• You know or suspect one or more computers
have been involved in:
– a crime
– a violation of policy
– an issue of academic integrity (student and/or
faculty)
• A network and/or computer(s) were
compromised, and you just want to find out
how and why
Why not perform forensics?
• Can be expen$ive
– Commercial forensic and data recovery outlets (e.g. Kroll
Ontrack and RenewData) typically charge $3,000 - $5,000
per drive
– Even when done in-house, can involve large amounts of
employee labor, purchasing extra drive space, etc
• Can be time consuming
– Acquiring drive images takes time…an 80 GB drive
typically takes 2+ hours
– Data analysis can take days, even weeks, depending on
the scope of the case
Who can perform forensics?
• For purposes of simply investigating a hacked
system or network that does not appear to have
legal implications, any person knowledgeable with
basic forensic tools and procedures can perform a
forensic examination (with proper authorization)
• In cases where there is potential legal obligation
and/or risk for Penn, only person(s) authorized by
the University may perform forensics (i.e., ISC
Information Security)
If you begin an independent
forensic examination…
…and encounter evidence of an actual or possible
crime (whether it’s been committed yet or not)
STOP!!
Contact ISC Information Security immediately at
215-898-2172 or [email protected]
Classes of forensic examinations
• “Live”, i.e. real-time
– Network is up and running, computers are attached and
communicating
– Goal is to observe/capture ongoing activity on network, in
RAM and on disk related to crime or exploit
– Not often done, very complex, often a “fishing expedition”
• “Snapshot”, i.e., static
– Network packet captures have been saved for later
analysis
– In some cases, RAM dumps written to file for analysis
– Drive images taken to preserve status of file system - this
is the most commonly performed forensic operation
Some common forensic tools:
• Real-time
– tcpdump/WinDump
– netstat
– Ethereal
– pcat
– lsof
• Static
– dd (or dcfldd)
– mmls
– netcat (or cryptcat)
– md5sum
– grep
Drive images: what do I need?
• A basic, working knowledge of linux, especially the
use of:
– mount
– dd
– ls
• A basic understanding of image files (.iso, .img)
• A basic understanding of drive geometry (sectors,
partitioning) and file system structure (allocation
tables, inodes, allocated vs. unallocated space,
slack space, MAC times)
Image files: The Goal
The purpose of capturing a forensic drive image
is to produce a file that is an exact, sector-by
sector reproduction of the drive. The image
preserves not only the data itself, but also the
“geography” of the data - where it physically
resides on the disk.
The image file can then be examined for
evidence without danger of altering or destroying
the original.
Basic Drive Geometry
• The typical sector size for modern drives is
512 bytes
• Most operating systems (Windows and
Unix/Linux included) use a default allocation
size of 8 sectors (4096 bytes)
File System Basics
• Allocated space is space that is in use by a file and is being
tracked in the File Allocation Table (FAT)
• Unallocated space is disk space that is available for new or
changed files. It may or may not contain data from deleted files
• Slack space is space that is allocated but unused, i.e., the
remaining space in the last allocated file block
– Unix and Linux pad this space with zeros
– Windows does not…may contain valuable data fragments
• File system metadata includes “card catalog” information such
as inode number and file MAC times
Linux
• Most versions of linux will work just fine with all
standard forensic tools
• SANS Institute uses Red Hat Fedora as the basis
for their forensics course
• There are Windows-based forensic tools, but many
are commercial, and - surprise! - often don’t work as
well as the unix/linux tools
• To mount and analyze NTFS images, your linux
kernel will need to support and have installed an
NTFS module:
– Start here:
sourceforge.net/project/showfiles.php?group_id=13956
Toolboxes!
• “The Coroner’s Toolkit”
– A set of tools developed by Dan Farmer and Wietse
Venema
– www.porcupine.org/forensics/tct.html
• Helix
– Bootable, Knoppix-style linux CD
– Graphical interface, or command line/terminal
– www.e-fense.com/helix/
• FREE!!
A little more about Helix...
• Current version: 1.8 (10-062006)
• Extremely powerful and useful
• Download as ISO file and burn directly to CD-ROM
• IDE drives a snap - ATA’s can be tricky
• It pays to archive older versions
– Depending on age and/or version of BIOS chips, some computers will boot on older versions but not on current
Before you start…
• The Cardinal Rule: DOCUMENT EVERY STEP!!
– Date and time you started and ended
– Equipment you worked on
• Serial numbers (drive AND CPU)
• Owner/user(s)
• Purpose(s) machine used for (if you know)
• Location
– Commands/tools you ran (including option flags) in the order you ran them
– Results you got from commands and tools
– Anything else pertinent to the examination
• Record all of the above in a running log and sign it (PGP, or print it out and physically sign it)
Remember: the possibility always exists that you may find information that results in a legal proceeding, and you may be required to explain and justify your work.
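One way to keep the running log the Cardinal Rule asks for, as an added shell example (not from the original slides): every command is recorded with a UTC timestamp, its exact argument list, its exit status and its output, and the log itself is hashed so the value can be written on the signed copy. CASELOG is an assumed path; the demonstration uses a throwaway directory.

```shell
#!/bin/sh
# Added example, not the slides' own code: a "running log" helper for the
# Cardinal Rule. Each command is recorded with a UTC timestamp, its exact
# argument list, its exit status and its output, so the log can be hashed,
# signed and kept with the chain-of-custody form. CASELOG is an assumed path.

CASELOG="${CASELOG:-/tmp/casefile/examination.log}"

# Append one timestamped line to the running log.
log_line() {
    mkdir -p "$(dirname "$CASELOG")"
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$CASELOG"
}

# Run a command, record the command line, exit status and (indented) output,
# and pass the output through so the examiner still sees it.
logrun() {
    log_line "CMD: $*"
    out=$("$@" 2>&1) && rc=0 || rc=$?
    log_line "EXIT: $rc"
    printf '%s\n' "$out" | sed 's/^/    /' >> "$CASELOG"
    printf '%s\n' "$out"
    return "$rc"
}

# Number of commands recorded so far.
log_entries() {
    grep -c ' CMD: ' "$CASELOG" 2>/dev/null || true
}

# Hash of the log itself: write this value on the signed paper copy.
log_hash() {
    md5sum "$CASELOG" | cut -d' ' -f1
}

# Demonstration in a throwaway directory.
CASELOG=$(mktemp -d)/examination.log
log_line "START examination; examiner=$(id -un); host=$(uname -n)"
logrun uname -a > /dev/null
logrun ls -la /nonexistent-path > /dev/null || true   # failures are logged too
log_line "END examination"
cat "$CASELOG"
echo "log md5: $(log_hash)"
```

Failing commands are recorded with their non-zero exit status as well; in an examination a failed command and its error text are as much part of the record as a successful one.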
Determine Scope
• What are you looking for?
• Who is involved?
– All users? Just one? Root/Admin compromise?
• How many drives?
• How many partitions? What kind(s)?
– Windows? Unix/Linux? OS X?
• Need to search for text and/or data?
Keyword List
• If you’re going to be searching for evidence
of particular actions or behavior in
documents and data files, prepare a list of
keywords that are likely to be found during a
search of files containing text and strings
• There are several tools that can use this list,
including good old grep
Forensic Drive Imaging: A 12-Step Program
Step 1: Chain of Custody
• Start a Chain of Custody form for each drive you examine
• Records identifying information about the drive (serial number,
model, capacity, etc.)
• Most importantly: establishes and tracks the physical location
and custody of the drive from the beginning of the investigation
through the end.
• A very important document in a legal proceeding - used to
indicate and prove (as much as possible) that evidence has
been properly treated and has not been tampered with
• Information Security can provide you with a suitable form
Step 2: Capture Setup
• If you have a bootable linux CD (e.g., Helix),
simplest setup is:
– connect an external USB/Firewire drive as the
“image target”
– boot the system up
– mount the drive to be imaged and the “image
target”
– make sure, of course, that the target is LARGER
than the source
netcat/cryptcat
• netcat allows you to “pipe” output across the
network in similar fashion to how you would do it
locally with cat, ‘>’, etc.
• cryptcat does the same thing, but encrypts the traffic
• uses “client/listener” model
• start the listener:
– nc -l -p [port #] > [output file]
– e.g. nc -l -p 5432 > /casefile/datafile.txt
• pipe client output:
– cat [filename] | nc [listener IP] [listener port]
– e.g., cat testfile.txt | nc 130.91.75.126 5432
Backups: “File” vs. “Forensic”
• A standard file backup copies only data
residing in allocated disk space
– i.e., an 80 GB drive with 20 MB of allocated files
will produce a 20 MB backup file
• A forensic (image) backup sequentially
copies each and every disk sector,
regardless of whether it is allocated space or
has any data in it
– i.e. an 80 GB drive with 20 MB of allocated files
will produce an 80 GB image file
Step 3: Hash the drive
• The object is to produce a “snapshot” image of the
drive that is absolutely identical to the drive itself
• The standard method of verifying the integrity of the
image involves using the MD5 hashing algorithm
• Run md5sum against the drive’s device:
– md5sum /dev/sda
• Pipe it to a text file if you like:
– md5sum /dev/sda > hash.txt
• The result will be a 32-character (hex) hash of the
entire disk contents that you will later match against
the image
Example: MD5
Input   Output
1       b026324c6904b2a9cb4b88d6d61c81d1
2       26ab0db90d72e28ad0ba1e22ee510510
3       6d7fce9fee471194aa8b5b6e47267f03
4       48a24b70a0b376535542b996af517398
5       1dcca23355272056f04fe8bf20edfce0
Step 4: Image capture with dd
• dd: “duplicate device”
• 2 basic, required parameters:
– input file (‘if’)
– output file (‘of’)
• Input and output can be either actual files or block
devices
• For block device (i.e., entire drive) to image file:
– dd if=<device> of=</path/file>
– e.g. dd if=/dev/sda of=/casefile/image01.iso
An alternative: dcfldd
• Available in Helix and TCT
• Provides progress indicator (count of written blocks)
– hashwindow=0
• Can perform integrity checks/MD5 sum on the fly and write to file
– hashlog=<path/file>
• e.g. dcfldd if=/dev/sda of=/casefile/image01.iso hashwindow=0 hashlog=/casefile/imagehash.txt
Step 5: Wait…
• It will vary depending on the equipment
involved, but Information Security’s
experience is that typical current drives can
be imaged at about 40GB/hr
• Go to Starbucks…
Step 6: Hash the image file
• Run md5sum against the resulting image file
– md5sum /casefile/image01.iso
• Compare this hash to the one obtained in
Step 3 from the drive
– If they match exactly, you have an image file that
is an exact copy of the drive. If they don’t,
something went wrong, and the validity of any
examination of the image data would likely be
challenged in court if it ever came to that
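Steps 3, 4 and 6 run end to end, as an added shell example (not the slides' own code): the drive is hashed, imaged with dd, and the image hashed and compared, with the "target must be LARGER than the source" rule from Step 2 made into a check. A constructed 1 MiB file stands in for the drive so the flow can be tried without a real block device; in a real capture the source is the device (e.g. /dev/sda) and the case directory sits on the image target. The function names and paths are assumptions.

```shell
#!/bin/sh
# Added example, not the slides' own code: Steps 3, 4 and 6 as shell functions,
# run against a constructed "drive" file so the whole flow can be tried without
# a real block device. In a real capture the source is the device (e.g. /dev/sda)
# and the case directory lives on the (larger) image target; names are assumed.

# Step 3 / Step 6: the hash as md5sum prints it, hash only, no filename.
hash_of() {
    md5sum "$1" | cut -d' ' -f1
}

# Size in bytes of a block device or of a regular file.
bytes_of() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1"; fi
}

# The "target must be LARGER than the source" rule from Step 2, made checkable:
# free space on the target directory must exceed the source size.
check_space() {
    need=$(( $(bytes_of "$1") ))
    free_kb=$(df -Pk "$2" | awk 'NR == 2 { print $4 }')
    [ $(( free_kb * 1024 )) -gt "$need" ]
}

# Steps 3 and 4: hash the drive first, then image it sector by sector with dd.
capture() {
    src=$1; dir=$2
    mkdir -p "$dir"
    hash_of "$src" > "$dir/hash.txt"
    dd if="$src" of="$dir/image01.iso" bs=512 2> "$dir/dd.log"
}

# Step 6: hash the image file and compare it to the drive hash from Step 3.
verify() {
    dir=$1
    drive=$(cat "$dir/hash.txt")
    image=$(hash_of "$dir/image01.iso")
    if [ "$drive" = "$image" ]; then
        echo "OK: image01.iso matches the drive ($image)"
    else
        echo "MISMATCH: drive $drive, image $image" >&2
        return 1
    fi
}

# Demonstration on a constructed 1 MiB "drive".
demo() {
    t=$(mktemp -d)
    head -c 1048576 /dev/zero | tr '\0' 'S' > "$t/drive.bin"
    check_space "$t/drive.bin" "$t" || { echo "image target too small" >&2; return 1; }
    capture "$t/drive.bin" "$t/case"
    verify "$t/case"
    printf 'x' >> "$t/case/image01.iso"      # even one extra byte is caught
    verify "$t/case" || echo "(expected: the altered image no longer verifies)"
    rm -rf "$t"
}
demo
```

Keep hash.txt with the chain-of-custody record: the comparison in Step 6 is only as good as the drive hash taken before imaging, and re-running verify later shows whether the image file itself has been altered since.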
Step 7: Put the drive away
• Now that you have an image file and have
verified the integrity by matching the MD5
hashes, you do not need the drive
• Store it securely and perform your
examination on the image file
Step 8: Retrieve partition structure
• mmls
– included in TCT
– extracts logical partition info from image file
– use ‘-t dos’ flag to denote you’re looking for disk
operating system partitions
– output will be used to “carve out” images of
partitions needed
– usage: mmls -t dos </path/file>
• e.g., mmls -t dos /casefile/image01.iso
mmls: a typical(?) result
# mmls -t dos /casefile/image01.iso
Units are in 512-byte sectors
     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Table #0
01:  -----   0000000001   0000000062   0000000062   Unallocated
02:  00:00   0000000063   0001028159   0001028097   Win95 FAT32 (0x0B)
03:  -----   0001028160   0002570399   0001542240   Unallocated
04:  00:01   0002570400   0004209029   0001638630   OpenBSD (0xA6)
05:  00:02   0004209030   0006265349   0002056320   NTFS (0x07)
Well, maybe it’s not so typical to have 3 different operating
system partitions on a single drive. This illustrates, though,
that mmls shows you not only what partitions are on the
drive, but also where they are. Take note of the sector size
as well - it’s usually 512 bytes, but can vary.
Step 9: “Carve out” partitions
• dd can be used with additional parameters
to “carve” the partitions from the image file
and write them to individual image files that
can be directly mounted and browsed
• from mmls, you need to know the sector size
the drive is using (usually 512 bytes)
• also, for each partition, you need:
– size (“Length” column from mmls output)
– skip (“Start” column from mmls output)
“Carving” with dd
Usage:
dd if=<whole disk image file> bs=<sector size> count=<partition size> skip=<partition start> of=<new partition image file>
So, to create an image file of the NTFS partition found by mmls on the previous slide:
dd if=/casefile/image01.iso bs=512 count=2056320 skip=4209030 of=/casefile/partition01.img
(Yes, you can use dcfldd instead)
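Steps 8 and 9 together, as an added shell example (not the slides' own code): mmls output is parsed to produce one dd carve command per allocated partition (sector size from the "Units are in" header, skip from Start, count from Length), and a partition is then carved from a constructed whole-disk image whose contents are known, so the carved file can be checked. The mmls text is a constructed sample laid out like the slide's output; make_sample_image and carve_cmds are assumed names.

```shell
#!/bin/sh
# Added example, not the slides' own code: turning mmls output into dd "carve"
# commands, then carving from a constructed whole-disk image so the result can
# be checked. SAMPLE_MMLS is constructed to describe the constructed image.

# Read mmls -t dos output on stdin and print one dd command per allocated
# partition (lines carrying a type code such as "(0x07)"). Sector size comes
# from the "Units are in N-byte sectors" header, skip from Start, count from Length.
carve_cmds() {
    image=$1; outdir=$2
    awk -v img="$image" -v dir="$outdir" '
        /^Units are in/ { bs = $4; sub(/-byte/, "", bs) }
        /^[0-9][0-9]:/ && /\(0x/ {
            n++
            printf "dd if=%s bs=%d count=%d skip=%d of=%s/partition%02d.img\n",
                   img, bs, $5 + 0, $3 + 0, dir, n
        }'
}

# Carve one partition: bs = sector size, count = Length, skip = Start.
carve() {
    image=$1; bs=$2; count=$3; skip=$4; out=$5
    dd if="$image" bs="$bs" count="$count" skip="$skip" of="$out" 2>/dev/null
}

# Constructed 163-sector image: 63 sectors of zeros (table and unallocated
# space), 50 sectors of "A" (partition 1) and 50 sectors of "B" (partition 2).
make_sample_image() {
    { dd if=/dev/zero bs=512 count=63 2>/dev/null
      head -c $((50 * 512)) /dev/zero | tr '\0' A
      head -c $((50 * 512)) /dev/zero | tr '\0' B; } > "$1"
}

# Constructed mmls output describing that image (same layout as the slide).
SAMPLE_MMLS='Units are in 512-byte sectors
     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Table #0
01:  -----   0000000001   0000000062   0000000062   Unallocated
02:  00:00   0000000063   0000000112   0000000050   Win95 FAT32 (0x0B)
03:  00:01   0000000113   0000000162   0000000050   NTFS (0x07)'

# Demonstration: list the carve commands, carve partition 2, hash the result.
demo() {
    t=$(mktemp -d)
    make_sample_image "$t/image01.iso"
    echo "$SAMPLE_MMLS" | carve_cmds "$t/image01.iso" "$t"
    carve "$t/image01.iso" 512 50 113 "$t/partition02.img"
    md5sum "$t/partition02.img"
    rm -rf "$t"
}
demo
```

Because bs is taken from the mmls header rather than hard-coded, a drive with a different sector size is carved correctly as long as Start and Length are read from the same mmls run.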
.iso or .img?
• Doesn’t really matter - you can use pretty
much any file name and extension you want
• By convention, some use .iso for the whole
image and .img for partition images
• Whichever convention you adopt, be
consistent
Step 10: Mount partition(s)
• To inspect and browse your partition images,
you need to mount them as part of your
Linux file system
• Important flags:
– -t      File system type (e.g., ntfs)
– ro      Read only (used with -o)
– loop    Needed to read image file as block device (used with -o)
• Usage: mount <options> <path to image> <mountpoint>
Putting it all together…
mount -t ntfs -o ro,loop /casefile/partition01.img /forensics
This tells the system to mount the file as a read-only image file using NTFS at the /forensics directory (make sure that it exists). Once this is done, you should be able to inspect all files below that mountpoint using standard tools like ls and grep, as well as other specialized forensic tools from TCT, Helix, et al.
Step 11: Tool Time (“More Power!”)
We’ve already talked about basic tools like grep
and ls. Thanks to toolboxes like TCT and Helix,
there are many more that can be used to literally
take the image apart and dissect it sector by sector,
file by file. We can’t cover all of them here in detail,
but we’ll take a few minutes to highlight some of the
most useful and powerful “cool tools”…
mac-robber and mactime
• MAC refers here to Modified, Accessed and Created dates/times for files in the system
• mac-robber collects information from the file system’s metadata structure (MAC times, file sizes & permissions, etc.)
– output defaults to STDOUT, can be piped to local file, or to remote location via netcat/cryptcat
– usage: mac-robber <path> > <target>
– e.g., mac-robber /forensics > partition01_mac.txt
• mactime is a Perl script that processes the output from mac-robber
– allows specification of date/time range
– sorts files by MAC times instead of by directory/path
– use -b flag to designate source file, otherwise defaults to STDIN
– e.g., mactime -b partition01_mac.txt > timeline.txt
MAC Timeline
• Investigating a compromise via rootkit et al usually involves
inspecting the file system for unusual or unexplained changes
and additions.
• The timeline file generated by mactime presents a
chronological account of changes to individual files
• Can be a time-consuming examination, but often reveals much
insight into how a system was hacked
• e.g., a common administrative tool like ps shows an inode
number change 2 months ago
– typically, core command-line utilities should have lower
inode numbers that never change
– indicates that the ps command was likely tampered with in
order to hide processes from system administrator
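What mactime does with a mac-robber file, and the inode check the timeline slide describes, as an added shell example (not the slides' own code and not mactime itself): a constructed body file is turned into a timeline sorted by time, one row per file per distinct timestamp with the m/a/c/b letters set for whichever MAC times fall on that second, restricted to a date range, and a second filter picks out core utilities whose inode number is unusually high. The 11-field pipe-separated body format (md5|path|inode|mode|uid|gid|size|atime|mtime|ctime|crtime) is assumed here to be what mac-robber writes; check it against your mac-robber version. Times are epoch seconds, as in the body file; the sample system, its inode numbers and the 100000 limit are constructed.

```shell
#!/bin/sh
# Added example, not the slides' own code: a small mactime-style timeline built
# from a constructed mac-robber body file. The 11-field pipe-separated body
# format (md5|path|inode|mode|uid|gid|size|atime|mtime|ctime|crtime) is assumed
# to be the one mac-robber writes. Times are epoch seconds, as in the body file.

# Constructed body file: three files on a hypothetical Linux system. /bin/ps has
# a high inode number and a recent mtime/ctime, the pattern the slides describe.
SAMPLE_BODY='0|/bin/ls|4081|-rwxr-xr-x|0|0|92824|1170000000|1100000000|1100000000|0
0|/bin/ps|918273|-rwxr-xr-x|0|0|61000|1170000000|1165000000|1165000000|0
0|/home/alice/notes.txt|70123|-rw-r--r--|1000|1000|1024|1170300000|1170200000|1170200000|0'

# timeline FROM TO < bodyfile
# Prints "epoch|macb|inode|path", one row per file per distinct timestamp, with
# the m/a/c/b letters set for whichever MAC times fall on that second, sorted by time.
timeline() {
    from=$1; to=$2
    awk -F'|' -v from="$from" -v to="$to" '
        NF >= 11 {
            split("", f)                        # flags per timestamp for this file
            if ($9 + 0) f[$9] = f[$9] "m"       # mtime
            if ($8 + 0) f[$8] = f[$8] "a"       # atime
            if ($10 + 0) f[$10] = f[$10] "c"    # ctime
            if ($11 + 0) f[$11] = f[$11] "b"    # crtime (0 = unknown)
            for (t in f)
                if (t + 0 >= from && t + 0 <= to)
                    printf "%d|%s|%s|%s\n", t, f[t], $3, $2
        }' | sort -t'|' -k1,1n -k4,4
}

# Keep only timeline rows for files under /bin or /sbin whose inode is above LIMIT,
# the "core utility with a changed, high inode number" sign from the slide.
suspicious_core_utils() {
    limit=$1
    awk -F'|' -v limit="$limit" '$4 ~ /^\/s?bin\// && $3 + 0 > limit'
}

# Demonstration: a Nov 2006 - Mar 2007 window, dates rendered with GNU date.
demo() {
    from=$(date -u -d 2006-11-01 +%s); to=$(date -u -d 2007-03-01 +%s)
    echo "$SAMPLE_BODY" | timeline "$from" "$to" | while IFS='|' read -r t flags inode path; do
        printf '%s %-4s %8s %s\n' "$(date -u -d "@$t" +%Y-%m-%dT%H:%M:%SZ)" "$flags" "$inode" "$path"
    done
    echo "--- core utilities with unusually high inode numbers:"
    echo "$SAMPLE_BODY" | timeline 0 9999999999 | suspicious_core_utils 100000
}
demo
```

In the sample, /bin/ps appears with "mc" in December 2006 while /bin/ls last changed in 2004; on a real timeline that is the kind of entry to cross-check against package records and the chain of events in the log.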
file
• Displays file type of one or more files
• Can use wildcards, e.g., ‘*’
• Can try to look inside compressed files (‘-z’)
• Useful for finding mismatches between the file extension in use and what the file actually is
– e.g., user trying to hide incriminating JPG files by
renaming them with ‘.exe’ extension
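The extension-versus-content check the slide describes, as an added shell example (not the slides' own code and not the file utility itself): the first bytes of each file are compared with a short constructed table of signatures, and a file whose recognised content type disagrees with its extension is reported. A JPEG header saved under a .exe name is the constructed case from the slide; content_type, ext_of and find_mismatches are assumed names.

```shell
#!/bin/sh
# Added example, not the slides' own code: the extension-vs-content check done
# with raw magic bytes, so it needs no `file` binary. The signature table is a
# constructed, deliberately short one; extend it for your own cases.

# First 4 bytes of a file as uppercase hex (e.g. FFD8FFE0).
magic_hex() {
    od -An -tx1 -N4 "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Classify by signature. Prints a type name, or "unknown".
content_type() {
    m=$(magic_hex "$1")
    case "$m" in
        FFD8FF*)   echo jpeg ;;
        89504E47)  echo png ;;
        4D5A*)     echo exe ;;      # "MZ": DOS/Windows executable
        1F8B*)     echo gz ;;
        25504446)  echo pdf ;;
        504B0304)  echo zip ;;
        *)         echo unknown ;;
    esac
}

# Extension as the user presented it, lower-cased, "jpg" normalised to "jpeg".
ext_of() {
    b=${1##*/}
    case "$b" in *.*) e=${b##*.} ;; *) e="" ;; esac
    e=$(printf '%s' "$e" | tr 'A-Z' 'a-z')
    [ "$e" = jpg ] && e=jpeg
    echo "$e"
}

# Report MISMATCH (and return 1) when a recognised signature disagrees with the
# extension; files with an unknown signature are not flagged.
check_file() {
    ct=$(content_type "$1"); ext=$(ext_of "$1")
    if [ "$ct" != unknown ] && [ "$ct" != "$ext" ]; then
        echo "MISMATCH $1: extension .$ext but content is $ct"
        return 1
    fi
    echo "ok       $1: $ct"
}

# Walk a tree (e.g. the mounted partition image) and list only the mismatches.
find_mismatches() {
    find "$1" -type f | while read -r f; do check_file "$f" | grep '^MISMATCH' || true; done
}

# Demonstration on constructed files.
demo() {
    t=$(mktemp -d)
    printf '\377\330\377\340JFIF' > "$t/holiday.exe"   # JPEG header under a .exe name
    printf 'MZ\220\000'          > "$t/setup.exe"      # a genuine MZ header
    printf 'plain text'          > "$t/readme.txt"     # unknown signature: not flagged
    find_mismatches "$t"
    rm -rf "$t"
}
demo
```

The check only reports files whose signature it recognises, so an empty result means "no mismatch among the known types", not "all files are what they claim to be"; that is the same caveat that applies to the file utility's own database.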
strings
• Locates and extracts strings of 4 characters or more
in binary files
• Useful for finding calls to libraries, IP addresses,
pathnames, etc
• Usage: strings <options> <filename>
• Flags
– -a         grab all strings
– --radix=d  byte offset of string found
– -f         print filename beside string
– -n x       grab strings of at least x length
dstat
• Displays statistics on a particular data unit
(sector)
• Useful for determining current allocation
status of sector
• Typical usage:
– dstat -f ntfs /casefile/partition01.img 20647
• Typical result:
Fragment: 257
Allocated
Group: 0
dcat
• Similar to dstat, but outputs actual
contents of sector
• Defaults to STDOUT, can be piped to file
• Usage:
– dcat -f ntfs /casefile/partition01.img 20647
dls
• Lists contents from data units
• Defaults to STDOUT, can be piped
• Useful for recovering deleted files and slack space
• Flags:
– -e      show all blocks
– -l      list details about each block (no content)
– -s      show slack space
– range   range of blocks to be output
• e.g.,
– dls -f ntfs -el /casefile/partition01.img 2000-3000 > dlsdata.txt
inode tools
• Similar to the ‘d*’ tools we’ve just covered,
there are tools that permit retrieval and
inspection of file data based on inode
number
– ifind   find inode number that points to a disk sector
– istat   display metadata info by inode number
– ils     list inodes, including deleted files and unlinked but open files
– icat    copy files by inode number
Step 12: A Final Windows Hint
• Don’t forget to run these tools on
pagefile.sys - you’d be surprised what you
might find
Questions?