Computer crime is not a Canadian problem - it is a global problem.
Disks
Linux treats its devices as files. The special directory where these "files" are maintained is /dev.
• Floppy (a:)                       /dev/fd0
• Floppy (b:)                       /dev/fd1
• 1st Hard disk (master, IDE-0)     /dev/hda
• Hard disk (slave, IDE-0)          /dev/hdb
• Hard disk (master, IDE-1)         /dev/hdc, etc.
• 1st SCSI hard disk                /dev/sda
• 2nd SCSI hard disk                /dev/sdb, etc.
Partitions
1st Hard disk (master, IDE-0)       /dev/hda
• 1st Primary partition             /dev/hda1
• 2nd Primary partition             /dev/hda2, etc.
• 1st Logical drive (on ext'd part) /dev/hda5
• 2nd Logical drive                 /dev/hda6, etc.
2nd Hard disk (slave, IDE-0)        /dev/hdb
• 1st Primary partition             /dev/hdb1, etc.
CDROM or 3rd disk (master, IDE-1)   /dev/hdc
CDROM (SCSI)                        /dev/scd0
1st SCSI disk                       /dev/sda
• 1st Primary partition             /dev/sda1, etc.
This is an example of the output of fdisk -l /dev/hda on a dual boot system:
Disk /dev/hda: 255 heads, 63 sectors, 1582 cylinders
Units = cylinders of 16065 * 512 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/hda1   *         1       255   2048256    b  Win95 FAT32
/dev/hda2           256       638  3076447+   83  Linux
/dev/hda3           639       649    88357+   82  Linux Swap
/dev/hda4           650      1582  7494322+    f  Win95 Ext'd (LBA)
/dev/hda5           650      1453  6458098+    b  Win95 FAT32
/dev/hda6          1454      1582   1036161    b  Win95 FAT32
Modules
Modules are object files (*.o) that contain the required driver code for the supported device or option. Modules are installed and removed from the system "on the fly" using the following commands (as root):
insmod - to insert the module
rmmod  - to remove the module
lsmod  - to get a list of currently installed modules
Linux directory contents can include:
/bin  - Common commands.
/boot - Files needed at boot time, including the kernel images pointed to by LILO (the LInux LOader) or GRUB.
/dev  - Files that represent devices on the system.
/etc  - Administrative configuration files and scripts.
/home - Directories for each user on the system.
/mnt  - Provides mount points for external, remote and removable file systems.
/root - The root user's home directory.
/sbin - Administrative commands and process control daemons.
/usr  - Contains local software, libraries, games, etc.
/var  - Logs and other variable files will be found here.
"DOS command" = Linux equivalent
"dir" = ls            list files.
ls -F                 classifies files and directories.
ls -a                 shows all files (including hidden).
ls -l                 detailed file list (long view).
ls -lh                detailed list (long, with "human readable" file sizes).
"copy" = cp           cp sourcefile destinationfile   copy a file.
"cls" = clear         clears the terminal screen of all text and returns a prompt.
"move" and "ren" = mv mv sourcefile destinationfile   move or rename a file.
"del" = rm            rm filename                     deletes a file.
                      rm -r                           recursively deletes all files in directories and subdirectories.
"md" = mkdir          mkdir directoryname             creates a directory.
"type" = cat or more or less
cat filename          The simplest form of file display. "Concatenate" with cat file1 file2 > file3
more filename displays the contents of a file one page at a time.
less filename less is a better more.
"help" or " /?" = man or --help man command displays a "manual" page for the specified command. Use "q" to quit.
Other commands
grep     - search for patterns.                              grep pattern filename
find     - allows you to search for a file.                  find / -name somefile -print
pwd      - prints the present working directory.             pwd
file     - categorizes files based on what they contain.     file filename
ps       - list of current processes.                        ps
           ps -ax shows all processes (-a), and all processes without an associated terminal (-x).
strings  - prints out the readable characters from a file.   strings
chmod    - changes the permissions on a file.                chmod
chown    - changes the owner of a file.                      chown
chgrp    - changes a file's group attribute.                 chgrp
shutdown - this command MUST be used to shut down the machine. shutdown
First character of ls -l output:
- = regular file
d = directory
b = block device
c = character device
l = link
The next 9 characters indicate the file permissions.
Owner  Group  Others
rwx    rwx    rwx
Changing permissions on a file:
chmod "octal" filename
where,
read (r)    = 4
write (w)   = 2
execute (x) = 1
Pipes and Redirection
Like DOS, Linux allows you to redirect the output of a command from the standard output to another device, file or command, e.g.
ps -ax | grep bash
If Linux gives you an error message "Permission denied", then use:
su
su is a “switch user” command, and can allow you to become any user (if you know the password), not just root.
Mounting File Systems on Disks
Only root can mount and unmount file systems. Any time you specify a mount point you must first make sure that that directory exists.
mkdir /mnt/floppy
mkdir /mnt/cdrom
Newer distributions usually create these mount points for you, but you might want to add others for yourself (mount points for subject disks or images, etc. like /mnt/data or /mnt/analysis)
The Mount Command
The "mount" command uses the following syntax:
mount -t <filesystem> -o <options> <device> <mountpoint>
Example: Reading a DOS / Windows floppy
Insert the floppy and type:
mkdir /mnt/floppy
mount -t vfat /dev/fd0 /mnt/floppy
or, to mount a floppy image file instead of the drive:
mount -o rw,loop -t vfat image /mnt/floppy
Now change to the newly mounted file system:
cd /mnt/floppy
When you are finished, EXIT OUT of the /mnt/floppy directory, and unmount the file system with:
umount /mnt/floppy
Example: Reading a CDROM
Insert the CDROM and type:
mkdir /mnt/cdrom
mount -t iso9660 /dev/cdrom /mnt/cdrom
Now change to the newly mounted file system:
cd /mnt/cdrom
When you are finished, EXIT OUT of the /mnt/cdrom directory, and unmount the file system with:
umount /mnt/cdrom
Example: Mounting an .ISO image
Create a mount point:
mkdir /mnt/iso
mount /directory/image.iso /mnt/iso -t iso9660 -o ro,loop
Now change to the newly mounted file system:
cd /mnt/iso
When you are finished, EXIT OUT of the /mnt/iso directory, and unmount the file system with:
umount /mnt/iso
The file system table (/etc/fstab)
It might seem like "mount -t iso9660 /dev/cdrom /mnt/cdrom" is a lot to type every time you want to mount a CD or a disk. One way around this is to edit the file /etc/fstab.
For the sake of safety and practice, change the read-write permissions of your image to read-only:
chmod 444 image.dd
or even
chmod 400 image.dd
DD Examples
Put an image onto a floppy
dd if=floppy.dd of=/dev/fd0
Take an image of a floppy
dd if=/dev/fd0 of=floppy.dd
Mount a dd image
mount -t vfat -o loop,ro,noexec /media/image.dd /media/mountpoint
Verify checksums on individual files in a mounted image
cd into the mountpoint, then type
find . -type f -exec sha1sum {} \; > /media/filelist.sha
Making a list of all files
ls -alRitu (hidden files, long format, recursive, inodes, sort by access time)
find . -type f -print
Making a list of files by type
find . -type f -exec file {} \;
Looking for strings on individual files in mounted image
find . -type f -exec strings {} \;
find . -type f -exec strings {} \; | grep "dirtywordlist"
Searching unallocated and slack space for text
grep -options <pattern> <search_range>
Make a dirty word list using kwrite or kedit (etc.), make sure no blank lines are in the list.
grep -aibf dirty.txt image.disk1 > hits.txt
Forensic Utilities Naming Conventions
Prefix  Layer              Suffix  Action
D       Data unit          LS      Lists
I       Metadata (inode)   CAT     Displays
F       File               STAT    Details
FS      File system        FIND    Maps
                           CALC    Calculates
"D" utilities:  dls, dcat, dstat, dcalc
"I" utilities:  ils, icat, istat, ifind
"F" utilities:  fls, ffind
"FS" utilities: fsstat
Sample uses of Forensic Utilities
Use icat to view inode number <n> from an image of a filesystem, redirected to less
icat image <n> | less
Use icat to determine the contents of a file
icat image <n> | file -
Use fls to show deleted files from an image of a filesystem, redirected to less
fls -rd image | less
Use dls to recover a file from data units <n> to <m> of a filesystem, redirected to dd
dls -b -f fat image <n>-<m> | dd of=file
Find potential deleted files (e5 is the hex marker written over the first byte of a deleted FAT directory entry; n.b. fls and ifind show that byte as an underscore)
xxd image | grep e5 > output
The Root Directory in FAT12 is held within Sectors 19 to 32 (each sector is 512 bytes)
echo $((512*32))
16384
xxd -l 16384 floppy | grep " e5"
Shows the deleted files found within the floppy with less false positives
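The grep approach still flags any 0xE5 byte that happens to sit in file data or a timestamp. The following is an added example (not part of the original cheat sheet) that reads only the root directory sectors 19-32 of a 1.44 MB FAT12 image and tests byte 0 of each 32-byte directory entry, printing deleted names with the underscore convention used by fls and ifind; the sample image it scans is constructed in the code.

```python
import struct

SECTOR = 512
ROOT_FIRST, ROOT_LAST = 19, 32   # root directory sectors on a 1.44 MB FAT12 floppy
DELETED = 0xE5                   # first byte of a deleted directory entry
END_OF_DIR = 0x00                # first byte of a slot that was never used
ATTR_LFN = 0x0F                  # attribute byte of a long-file-name fragment

def root_directory(image: bytes) -> bytes:
    """Just the root directory region: sectors 19-32 (14 sectors)."""
    return image[ROOT_FIRST * SECTOR:(ROOT_LAST + 1) * SECTOR]

def decode_name(entry: bytes, deleted: bool) -> str:
    """8.3 name as NAME.EXT; a deleted entry's first character was overwritten
    by 0xE5, so it is shown as '_' the way fls and ifind do."""
    base = entry[0:8].decode("latin-1").rstrip()
    ext = entry[8:11].decode("latin-1").rstrip()
    if deleted:
        base = "_" + base[1:]
    return f"{base}.{ext}" if ext else base

def scan_deleted(image: bytes) -> list:
    """(entry index, byte offset in image, name, size) for each deleted entry.
    Only byte 0 of each 32-byte entry is tested, so an 0xE5 inside file data
    or a timestamp (a false positive for 'xxd | grep e5') is never reported."""
    hits, region = [], root_directory(image)
    for i in range(0, len(region), 32):
        entry = region[i:i + 32]
        if entry[0] == END_OF_DIR:
            break                    # no later slot was ever written
        if entry[11] == ATTR_LFN:
            continue                 # long-name fragment, not a file entry
        if entry[0] == DELETED:
            size = struct.unpack_from("<I", entry, 28)[0]
            hits.append((i // 32, ROOT_FIRST * SECTOR + i, decode_name(entry, True), size))
    return hits

def make_entry(name: str, ext: str, size: int, deleted: bool = False) -> bytes:
    """Build a 32-byte directory entry (name, ext, attr, 16 reserved/time bytes, size)."""
    raw = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    if deleted:
        raw = bytes([DELETED]) + raw[1:]
    return raw + bytes([0x20]) + bytes(16) + struct.pack("<I", size)

def sample_floppy() -> bytes:
    """Constructed 1.44 MB image: three root entries, the middle one deleted,
    plus a stray 0xE5 in the data area that the grep approach would flag."""
    img = bytearray(2880 * SECTOR)
    entries = (make_entry("README", "TXT", 120)
               + make_entry("SECRET", "DOC", 4096, deleted=True)
               + make_entry("NOTES", "TXT", 33))
    img[ROOT_FIRST * SECTOR:ROOT_FIRST * SECTOR + len(entries)] = entries
    img[40 * SECTOR + 7] = DELETED   # 0xE5 inside file data
    return bytes(img)

if __name__ == "__main__":
    for idx, off, name, size in scan_deleted(sample_floppy()):
        print(f"root entry {idx} at offset {off} ({off:#x}): {name}, {size} bytes")
```

To run it against a real floppy image, replace sample_floppy() with the bytes of the image file (e.g. open("floppy", "rb").read()).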
Problems grepping large data sets (grep: memory exhausted)
tr '[:cntrl:]' '\n' < image | grep -abif dirty > hits.txt
Basically, this command translates (tr) all the characters contained in the set of control characters ([:cntrl:]) to newlines (\n). This breaks the stream of non-printable control characters (which we don't have in our dirty list) into many short lines, which avoids the "grep: memory exhausted" problem.
Using fls
fls -r -i raw -f fat image
fls -d -r -i raw -f fat image
Using ifind to locate the inode number of a deleted file called "file.txt"
ifind -f fat -n _ile.txt image
Generate a history of the command line
history
Repeat a command in your history
!<n>   where <n> is the number associated with the command you want repeated
Repeat previous command
!!
Repeat the pre-previous command (go back 2 commands)
!-2
Use the last argument of the previous command
!$
Fix a typo using the caret
^type^fix
cat [options] [files]
Read (concatenate) one or more files and print them on standard output.
-n, --number   Number all output lines, starting with 1.
Examples
cat file                       Display a file
cat file1 file2 file3 > all    Combine files
cat note5 >> notes             Append to a file
cat > file                     Create file at terminal; end with CTRL-D (end of input)
cat > file << STOP             Create file at terminal; end with a line containing STOP
Find a string in a file
cat file | egrep string
Find the inverted selection
cat file | egrep -v string
Finding a string in a file in color
cat file | egrep --color string
Finding a string in a file in color plus and minus 2 lines
cat file | egrep --color -2 string
Finding dirty words in a file in color plus and minus 2 lines
echo dirtywordone >> dirty
echo dirtywordtwo >> dirty
echo dirtywordthree >> dirty
cat file | egrep -f dirty --color -2
Finding offsets (in decimal and hex) for dirty words in a file in color
cat file | strings -td | egrep -f dirty --color
cat file | strings -tx | egrep -f dirty --color
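The dirty-word searches above (grep -aibf over an image, the tr workaround for "grep: memory exhausted", and the strings -td / -tx offset listings) all reduce to one operation: a case-insensitive scan of raw bytes that reports where each term occurs. The following is an added example (not from the original cheat sheet) that performs that scan chunk by chunk so the image never has to fit in memory, overlapping chunks so a hit straddling a boundary is not lost, and prints each offset in decimal and hex; the dirty list and the 64-byte "image" are constructed in the code.

```python
import io
import re

CHUNK = 1 << 20   # bytes read per pass; the image never has to fit in memory

def load_dirty_words(text: str) -> list:
    """Parse a dirty word list, dropping the blank lines the list must not contain."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def search_image(stream, terms: list, chunk: int = CHUNK) -> list:
    """Return (decimal offset, hex offset, matched text) for every case-insensitive
    hit of any term, scanning the stream chunk by chunk.  Consecutive chunks are
    overlapped by (longest term - 1) bytes so a hit that straddles a chunk
    boundary is still found; matches lying entirely inside the overlap are
    skipped because the previous pass already reported them."""
    pattern = re.compile(b"|".join(re.escape(t.encode("latin-1")) for t in terms),
                         re.IGNORECASE)
    overlap = max(len(t) for t in terms) - 1
    hits, base, tail = [], 0, b""      # base: image offset where the next read begins
    while True:
        data = stream.read(chunk)
        if not data:
            return hits
        buf = tail + data
        for m in pattern.finditer(buf):
            if m.end() <= len(tail):
                continue               # fully inside the previous chunk: already reported
            off = base - len(tail) + m.start()
            hits.append((off, hex(off), m.group().decode("latin-1")))
        base += len(data)
        tail = buf[-overlap:] if overlap else b""

def search_bytes(data: bytes, terms: list, chunk: int = CHUNK) -> list:
    """Convenience wrapper for in-memory data (small samples and tests)."""
    return search_image(io.BytesIO(data), terms, chunk)

DIRTY_LIST = "payroll\n\ninvoice\n"    # constructed; note the blank line

def sample_image() -> bytes:
    """Constructed 64-byte 'image': NUL padding with three case-varied words,
    the second of which crosses a 16-byte boundary."""
    img = bytearray(64)
    img[4:11] = b"Invoice"
    img[13:20] = b"payroll"
    img[40:47] = b"PAYROLL"
    return bytes(img)

if __name__ == "__main__":
    # A 16-byte chunk forces the boundary case; offsets print like strings -td / -tx.
    for dec, hx, text in search_bytes(sample_image(), load_dirty_words(DIRTY_LIST), chunk=16):
        print(f"{dec}\t{hx}\t{text}")
```

For a real image, pass an open file object to search_image (e.g. search_image(open("image.disk1", "rb"), load_dirty_words(open("dirty.txt").read()))).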
XXD options for hex output
xxd -b        (binary digits instead of hex)
xxd -l <n>    (stop after <n> bytes)
xxd -s <n>    (skip the first <n> bytes)
xxd -s -<n>   (start <n> bytes before the end of the file)
Show the first 10 bytes of a file
xxd -l 10 file
Show the last 10 bytes of a file
xxd -s -10 file
Discover the internal format of a file without updating its access time (-p preserves the atime)
file -p filename
Creating a virtual file system (1GB)
dd if=/dev/zero of=1gb bs=1024 count=1048576
mke2fs 1gb
mkdir /mnt/virtual
mount -o loop 1gb /mnt/virtual
Using DD to create a 1024 byte sized file filled with zeroes
dd if=/dev/zero bs=1 count=1024 of=file
Using DD to create a 1024 byte sized file filled with randomness
dd if=/dev/urandom bs=1 count=1024 of=file
Using DD to sanitize a drive (examples)
dd if=/dev/zero of=/dev/sda
dd if=/dev/random of=/dev/sda
dd if=/dev/urandom of=/dev/sda
Verifying the media is blank (all zeros)
xxd -a media
hexdump media
Using DD to sanitize a file of exactly 4096 bytes
dd if=/dev/zero bs=4096 count=1 of=file
Split a 100 byte file into 10 parts (part.00, part.01 etc.)
dd if=file | split -d -b 10 - part.
Join a 100 byte file which is in 10 parts of 10 bytes each (part.00, part.01 etc.)
cat part.* > file
Split a floppy into 360k pieces
dd if=/dev/fd0 | split -b 360k - floppy.split.
Compress a file while using DD
dd if=/dev/sda | gzip > evidence
Uncompress a file using DD
gzip -dc evidence | dd of=/dev/sda
Compress and split a file using DD (4096M pieces, 3-digit numeric suffixes)
dd if=/dev/sda | gzip -c | split -b 4096M -d -a 3 - part.gz.
Uncompress and join a file using DD
cat part.gz.* | gzip -dc | dd of=/dev/sda
Using DD to convert between ASCII and EBCDIC
dd if=file of=output conv=ebcdic   (ASCII to EBCDIC)
dd if=file of=output conv=ascii    (EBCDIC to ASCII)
Using DD to change case
dd if=file of=output conv=ucase
dd if=file of=output conv=lcase
Changing case using TR
cat file | tr '[A-Z]' '[a-z]' > output
cat file | tr '[a-z]' '[A-Z]' > output
Byte swapping with DD
dd if=file of=output conv=swab
Using Stream Editor to sanitize log files of IP addresses and port numbers (IPs and sockets): every run of 1 to 5 digits is replaced by x
echo 's/[[:digit:]]\{1,5\}/x/g' > ipaddress.sed
sed -f ipaddress.sed < logfile
Generate list of users, prior logins etc.
last, w, who
Get directory listing sorted by last modified, last accessed, etc.
ls, ls -lat, ls -lrt, ls -lrtu
Get listing of open file handles
lsof
Identify partitions on a drive
fdisk -l /dev/hdd
Generate system timestamp using UTC
date -u
Calculating hashes
md5sum, sha1, sha1sum
Displaying contents of a file
cat, less, more, dd
Oddly, displaying contents of a file in reverse order (cat backwards)
tac
Display strings found in a file
strings, strings -td, strings -tx
Display beginnings and endings of files
head, tail
Data Destruction (over-write 3 times, ending with all zeros, then delete the file)
shred -n 3 -z -u file
Drive Destruction (not really destroyed, but over-written 3 times, ending with all zeros)
shred -n 3 -z /dev/sda
dd if=/dev/random of=/dev/sda bs=4096
dd if=/dev/zero of=/dev/sda bs=4096
Over-write all remaining disk space in the partition with random data, then delete the random file
dd if=/dev/random of=junk bs=4096; rm -fr junk
Making a filesystem (not a complete list of options, just examples)
mkfs -t vfat -F 32 /dev/sda1
mkfs -t ext2 /dev/sda1
mkfs -t ntfs -Q /dev/sda1
Finding large files (using k, M, and G)
find / -size +10000k -print
find / -size +100M -print
find / -size +1G -print
Finding the top 100 largest files in descending order of size
find / -type f -exec du -b {} \; | sort -nr | head -100
Finding files from the recent past (10 minutes ago, 10 days ago)
find / -mmin -10
find / -mtime -10
Finding files more current than a specific file
find / -newer /dev/sda1/file
Finding files more current than a specific time (September 9, 2010 at 9:09am and 9 seconds; touch -t takes [CC]YYMMDDhhmm[.ss])
touch -t 201009090909.09 /tmp/timestamp
find / -newer /tmp/timestamp -ls
Finding USB device names
dmesg | grep "SCSI device"
lsusb
Finding serial numbers for installed USB devices
touch /root/timestamp
... plug in USB device ... wait a moment ...
find / -newer /root/timestamp | grep by-id
Finding names of files containing a string (second option is faster)
find . -type f -exec grep -l string {} \;
find . -type f -print | xargs grep -l string
Verifying the speed of commands like the above
time find . -type f -exec grep -l string {} \;
time find . -type f -print | xargs grep -l string
Finding the newest file in a directory
ls -t | head -1
ls -lt | head -2 | tail -1
ls -lrt | tail -1
Finding all directories beginning with a period
find / -type d -name .\* -print
Finding all image files in a file system and verifying their contents match the file extension (grep -i so "jpeg" also matches the "JPEG image data" that file reports)
echo jpg >> imagenames.txt
echo jpeg >> imagenames.txt
find . -type f -print0 | xargs -0 file | grep -i -f imagenames.txt
As above, but only showing files whose name does not carry the extension
find . -type f ! \( -name '*.jpg' -or -name '*.jpeg' \) -print0 | xargs -0 file | grep -i -f imagenames.txt
Reduce the search space and focus on documents created by humans
First create a known md5 list of machine generated files you want to ignore
find . -type f -exec md5sum {} \; > machinegenerated.hashes
Next search for files not in your list (try both x and X)
md5deep -r -x machinegenerated.hashes *
md5deep -r -X machinegenerated.hashes *
As above, only more detailed
md5deep -wbezof -x machinegenerated.hashes *
md5deep -wbezof -X machinegenerated.hashes *
Use these commands and combine your organization's machine generated files with the National Software Reference Library (NSRL) [It's on your DVDs Whoot!]
Converting timestamps from Unix "seconds since January 1, 1970" into human readable format
date -d @1284004800
Thu Sep 9 00:00:00 EDT 2010
Caseless sorting
sort -f file
Unique caseless sorting (uniq only collapses adjacent duplicates, so sort first)
sort -f file | uniq -i
Shell math using echo $(( ... )) where ... is an expression over +, -, /, * with decimal and hex numbers
echo $((0xff))
255
echo $((0xff-0x01))
254
echo $((2+2))
4
echo 'obase=10; ibase=16; FF' | bc
255
echo 'obase=16; ibase=10; 255' | bc
FF
echo 'obase=8; ibase=10; 15' | bc
17
echo 'obase=2; ibase=10; 15' | bc
1111
printf %0x\\n 255
ff
printf %d\\n 0xff
255
Using Stream Editor (SED) to replace words in a file
dd if=file | sed 's/foo/bar/g' | dd of=output
Detecting if a file has changed (can use sha1, sha1sum, sha256sum etc.)
md5sum file > hash
md5sum -c hash
Archived hashes can be used for future comparisons.
Creating a list of hashes for all files
find . -type f -exec md5sum {} \;
find . -type f -exec sha1sum {} \;
Creating an integrity seal on your evidence
date -u >> evidence.seal
md5sum casedata >> evidence.seal
Signing your evidence
gpg --gen-key   (this only needs to be done once, per system)
gpg --clearsign evidence.seal
cat evidence.seal.asc
Verifying your evidence
gpg --verify evidence.seal.asc
Using openssl to encrypt your evidence
openssl enc -des3 -in file -out file.encrypted
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
Using openssl to decrypt your evidence
openssl enc -d -des3 -in file.encrypted -out file.decrypted
enter des-ede3-cbc decryption password:
Using openssl to base64 encode and decode
openssl enc -base64 -in infile -out output.b64
openssl enc -d -base64 -in output.b64 -out out.decrypt
Finding relevant search hits
Create a file called dirty and populate this list with your case specific search terms
Verifying all files on the file system
find . -type f -exec md5sum {} \; > md5hashes
md5sum -c md5hashes
Recursive commands on files
find . -type f -print
find . -type f -exec strings {} \;
find . -type f -exec file {} \;
Replace foo with bar in all files in the current directory using the Stream Editor (sed)
sed -i.bak 's/foo/bar/g' *
Replace foo with bar in all files across an entire directory structure using the Stream Editor (sed)
find . -type f | xargs sed -i.bak 's/foo/bar/g'
Count lines in a file
wc -l file
Count words in a file
wc -w file
Count bytes in a file
wc -c file
Count characters in a file
wc -m file
Compare two files byte by byte
cmp -b file1 file2
Compare files line by line
diff file1 file2
Compare sorted files FILE1 and FILE2 line by line
comm file1 file2
System statistics
uptime, free, ps aux
File information
file, stat, strings, cat, xxd, hexdump
Coroner's Toolkit: data capturing tool
grave-robber
Coroner's Toolkit: tools to recover deleted file space
unrm, lazarus
Coroner's Toolkit: create a timeline of files
mactime
Report disk usage and disk free
du, df
Use du or df with -a or --all for all files, not just subdirectories
Use du or df with -b or --bytes for sizes in bytes
Use du or df with -c or --total to print a grand total of all arguments
Use du or df with -h or --human-readable for a human reader friendly format
Using Copy and Convert (DD)
dd if=/*source* of=/*destination*
if=  infile (the evidence you are acquiring)      source = source of evidence
of=  outfile (the forensic duplicate of evidence) destination = destination of forensic duplicate
Block sizes:       ibs, obs, bs
Number of blocks:  count, skip, seek
Conversion:        conv
Use Windows dd to move a file to the CFA Linux Forensic Workstation
dd if=source bs=1460 of=\\192.168.2.2\images\destination
This only works because the CFA Linux Forensic Workstation has a SAMBA share that Windows can see.
Using NetCat to move files
linux: nc -l -p 1234 | dd of=received
Windows: dd if=sending bs=1460 | nc 192.168.2.2 1234
Using NetCat to move compressed files (Save Network Bandwidth)
linux: nc -l -p 1234 | gzip -dfc | dd of=received
Windows: dd if=sending bs=1460 | gzip -cf | nc 192.168.2.2 1234
Note about Windows DD
Logical drives are \\.\E:
Physical drives are \\.\PhysicalDrive0
Obtaining Disk Information
hdparm /dev/hda
hdparm -I /dev/sda
Viewing metadata information of E01 formatted acquisitions
ewfinfo image.E01
Verifying the hash of E01 formatted acquisitions
ewfverify image.E01
ewfexport image.E01 | md5sum
ewfexport image.E01 | sha1sum
Extracting the image from E01 formatted acquisitions
ewfexport -t image.dd image.E01
md5sum image.dd
sha1sum image.dd
Obtaining an image using E01 format
ewfacquire /dev/hda
ewfacquire /dev/sda
Recall transferring files using NetCat
Source of evidence
dd if=/dev/sda bs=1460 | nc 192.168.55.20 1234
Destination of evidence
nc -l -p 1234 | dd of=image.dd
The same, using E01 format; change the 'Destination of evidence' to the following:
nc -l -p 1234 | ewfacquirestream -C 111-222 -D 'removable thumb drive' -e 'USERNAME' -E '1' -f encase5 -m removable -M physical -N 'Seized from subject' -t image
-C  case number
-D  evidence description
-e  examiner's name
-E  evidence number
-f  format
-m  media type
-M  volume type
-N  notes
-t  target path and file name