Lecture 3: Initial Assessment 6/4/2003 CSCE 590 Summer 2003.

Collect the Most Volatile Evidence First

• Memory

• Swap space or page file

• Network status and connections

• Processes running

• Storage media

• Removable media

Preparation

• Assemble toolkits

• Clean your media

– Before imaging evidence media onto your own media, wipe your media first: # dd if=/dev/zero of={device}

– Clean a floppy:

# dd if=/dev/zero of=/dev/fd0 bs=1024
# dcfldd if=/dev/zero of=/dev/fd0 bs=1024 \
> hashwindow=1024 hashlog=a:\hashlog.txt

– Write the hash log somewhere other than the device being wiped, and read the device back afterwards to confirm it is all zeros before it receives evidence

dd and dcfldd

• Low-level command

• Copies bit for bit

• Has no knowledge of the file system or data structures it copies

• Can copy:

– Single file

– Piece of a file

– Partition

– Logical or physical disks

– From stdin to stdout

• dcfldd – dd with integrated MD5 hashing and a per-window hash log

dd and dcfldd Usage

• Typical arguments:

– if=device input file or device

– of=device output file or device

– bs=# block size, amount of data transferred in one I/O operation (important on tape, where a read smaller than the tape record fails)

– conv=noerror,sync keep going after a read error and zero-pad the bad block so later offsets stay aligned (noerror on its own silently shifts everything after the error)

• dcfldd

– hashlog=a:\hashfile.txt write the hashes to this file

– hashwindow=1024 hash every 1024 bytes (one MD5 per window plus a total, so a partially failed image can still be checked window by window)

Mystery Tape Block Sizes

• # dd if=device bs=128k of=/tmp/tapetest \
> count=1

– Reads one record using a 128k block size, i.e. up to the first record gap

– If 128k isn't big enough for the record, dd returns an error

– Otherwise the size of /tmp/tapetest is the block size of the tape

• What kind of tape? tar, cpio, dump?

– # file /tmp/tapetest

Splitting an Image up

• Copy 600 one-megabyte blocks per slice (bs=1048576; the original slide used bs=102400, which is 100 KB, not 1 MB)

• skip= counts input blocks already consumed, so slice N starts at skip=600*(N-1); skipping 601, 1201, 1801 as the original slide did would drop one block between consecutive slices

• # dd if=device of=media.slice1.img bs=1048576 count=600

• # dd if=device of=media.slice2.img bs=1048576 count=600 skip=600

• # dd if=device of=media.slice3.img bs=1048576 count=600 skip=1200

• # dd if=device of=media.slice4.img bs=1048576 count=600 skip=1800

• Hash each slice and the concatenation of all slices; the concatenated hash must equal the hash of the source
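The two procedures above (dcfldd's hashwindow/hashlog and splitting an image with dd skip=/count=) together, as an added example that is not part of the lecture: a POSIX sh script that slices a source image with dd, writes a dcfldd-style hash log (one MD5 per window plus a total), and verifies that the slices reassemble to the original. The file names, the 1 MiB slice size and the random sample "disk" are assumptions made for the example; it needs dd, md5sum, cmp and wc.

```shell
#!/bin/sh
# Added example, not the lecture's code. Slice an image with dd the way the
# slide does (count= blocks per slice, skip= blocks already consumed), log an
# MD5 per slice like dcfldd hashwindow=/hashlog=, and verify reassembly.
# Assumptions: coreutils dd/md5sum/wc/cmp; names below are made up.

set -e

# First field of md5sum output, for a file argument or for stdin.
md5_of() { md5sum "$@" | cut -d' ' -f1; }

# Byte size of a file (tr strips the leading blanks BSD wc prints).
size_of() { wc -c < "$1" | tr -d ' '; }

# split_image SRC PREFIX BLOCKSIZE BLOCKS_PER_SLICE
# Writes PREFIX.sliceN.img and PREFIX.hashlog ("start - end: md5" per
# window, then "Total: md5"). Prints the number of slices written.
split_image() {
    src=$1; prefix=$2; bs=$3; per=$4
    total=$(size_of "$src")
    n=1; off=0
    : > "$prefix.hashlog"
    while [ "$off" -lt "$total" ]; do
        slice="$prefix.slice$n.img"
        # skip= is in input blocks: slice n starts after per*(n-1) blocks,
        # so skip=600 (not 601) follows a 600-block slice.
        dd if="$src" of="$slice" bs="$bs" count="$per" \
           skip=$((per * (n - 1))) 2>/dev/null
        end=$((off + $(size_of "$slice")))
        printf '%d - %d: %s\n' "$off" "$end" "$(md5_of "$slice")" >> "$prefix.hashlog"
        off=$end
        n=$((n + 1))
    done
    printf 'Total: %s\n' "$(md5_of "$src")" >> "$prefix.hashlog"
    echo $((n - 1))
}

# verify_slices SRC PREFIX NSLICES
# Reassembles the slices in order and compares both the MD5 and the bytes
# against SRC, and the MD5 against the Total line of the hash log.
# Returns 0 only when all three agree.
verify_slices() {
    src=$1; prefix=$2; n=$3
    i=1; set --
    while [ "$i" -le "$n" ]; do
        set -- "$@" "$prefix.slice$i.img"
        i=$((i + 1))
    done
    joined=$(cat "$@" | md5_of)
    logged=$(sed -n 's/^Total: //p' "$prefix.hashlog")
    [ "$joined" = "$(md5_of "$src")" ] &&
    [ "$joined" = "$logged" ] &&
    cat "$@" | cmp -s - "$src"
}

# Demo on a constructed 2.5 MiB random "disk": three 1 MiB slices.
demo() {
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/disk.dd" bs=1048576 count=2 2>/dev/null
    dd if=/dev/urandom bs=524288 count=1 2>/dev/null >> "$tmp/disk.dd"
    n=$(split_image "$tmp/disk.dd" "$tmp/media" 1048576 1)
    if verify_slices "$tmp/disk.dd" "$tmp/media" "$n"; then
        echo "$n slices verified"
    else
        echo "slice verification FAILED" >&2
    fi
    cat "$tmp/media.hashlog"
}
demo
```

The hash log is what lets a reviewer check a partial transfer: if only slice 2 is suspect, its window line can be recomputed without re-reading the whole source.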

Typical UNIX Devices

• /dev/fd0 (floppy)

• /dev/st0 (tape)

• /dev/hda first IDE hard drive

• /dev/hdb second IDE hard drive

• /dev/sda first SCSI hard drive

• /dev/sdb second SCSI hard drive

Network dd

• No local clean media on the victim machine, and it can't be rebooted yet

– netcat (nc) and dd (may want encryption too: the image crosses the network in the clear)

– Forensic rig with cleaned media:

• # nc –l –p 31337 | dd of=(local clean media)

– Victim system:

• # dd if=(local physical disk) | nc –w 3 \
> forensic.rig.net 31337

– nc host port (send to host on port)

• -w 3 (timeout of 3 seconds for the connect and for the final network read; it is not a delay between packets)

• -l (listen mode; connect/send mode is the default)

• -p port (listen on port, use with listen mode)

– Hash the stream on the victim side and the received image on the rig (MD5) and compare before trusting the copy
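The integrity check for the piped acquisition above, as an added example that is not part of the lecture: the sender hashes the bytes it actually emits, using tee and a named pipe so the evidence disk is read only once, and the receiver hashes what it wrote; the two MD5s must agree. A local pipe stands in for the nc leg here, the file names are assumptions, and the sample "disk" is constructed random data.

```shell
#!/bin/sh
# Added example, not the lecture's code. Hash a streamed image on the sending
# side (tee into a named pipe read by md5sum) and on the receiving side, then
# compare. In the lecture's setup the "| dd of=" leg below is
# "| nc -w 3 forensic.rig.net 31337" on the victim and "nc -l -p 31337 | dd
# of=..." on the rig; the local pipe only stands in for the network.
# Assumptions: coreutils dd/tee/md5sum/mkfifo; names are made up.

set -e

md5_of() { md5sum "$@" | cut -d' ' -f1; }

# stream_with_hash SRC DST
# Streams SRC to DST. Writes the sender-side MD5 (computed from the stream,
# not from a second read of SRC) to DST.sender.md5 and the MD5 of DST to
# DST.receiver.md5. Returns 0 only when the two match.
stream_with_hash() {
    src=$1; dst=$2
    work=$(mktemp -d)
    fifo="$work/fifo"
    mkfifo "$fifo"
    # Sender-side hasher: reads the copy of the stream that tee writes to the fifo.
    md5_of < "$fifo" > "$dst.sender.md5" &
    hasher=$!
    # Sender reads the "disk" once; tee forks the bytes to the hasher and onward;
    # the receiver writes the image. On a real disk add conv=noerror,sync to the
    # sending dd (note that sync zero-pads any short final read).
    dd if="$src" bs=65536 2>/dev/null | tee "$fifo" | dd of="$dst" bs=65536 2>/dev/null
    wait "$hasher"
    rm -rf "$work"
    md5_of "$dst" > "$dst.receiver.md5"
    [ "$(cat "$dst.sender.md5")" = "$(cat "$dst.receiver.md5")" ]
}

# Demo on a constructed 2.5 MiB random "disk".
demo() {
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/disk" bs=65536 count=40 2>/dev/null
    if stream_with_hash "$tmp/disk" "$tmp/image.dd"; then
        echo "transfer verified, MD5 $(cat "$tmp/image.dd.sender.md5")"
    else
        echo "HASH MISMATCH: re-acquire" >&2
    fi
}
demo
```

Reading the source twice (once to image, once to hash) is what this avoids: a second pass over a failing drive may return different bytes, so the hash must come from the same read that produced the image.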

Date and Time

• Windows

– date

– time

• Unix

– w

– date

System Configuration Information

• Windows:

– psinfo

– at

– 'net' commands:

• accounts, file, session, share, start, use, user, view

• Unix

– df –k

– uname –a

– ifconfig –a

– uptime

Current Users

• Windows

– psloggedon

• Unix

– w

– who

Network Status and Connections

• Windows

– arp –a IP to physical address

– netstat –an open sockets; netstat –r routing table

– fport socket-to-process mapping

– nbtstat systems connected (NetBIOS sessions)

• Unix

– arp –a IP to physical address

– netstat -anp open sockets with the owning process; netstat -rn routing table (-r switches netstat to the routing table, so don't combine it with -anp as the original slide did)

– lsof -i socket-to-process mapping

– netstat systems connected

Running Processes

• Windows

– procinterrogate –list

– pslist –x check other options too

• UNIX

– ps –wwwaux

– ps –ef

– lsof

– kstat –P find LKM-hidden processes (LKM = dynamically Loadable Kernel Module, the mechanism device drivers use; a rootkit loaded as an LKM can hide processes from ps, so kstat walks the kernel's own task list instead)

• kstat –s finds clues of LKM rootkits by checking the system call table for hooked entries

– /proc kernel data structures for processes

Swap Space or Page File

• When there isn't enough memory, pages of processes are paged out to disk

• On older systems, entire processes are swapped out to disk

• Windows:

– copy c:\pagefile.sys d:

– copy c:\win386.swp d: (win9x)

– The running system keeps the page file open and locked, so a plain copy on the live machine fails; collect it from the disk image instead

• Unix:

– Captured when imaging the whole drive (swap partition or swap file)

Memory

• Windows:

– Don't use the book's method

– Modified dd at http://users.erols.com/gmgarner/forensics/

• # dd if=\\.\PhysicalMemory conv=noerror \
> | nc forensic.rig.net 31337

– Or use pmdump (dumps the memory of a single process)

• Unix

– # dd if=/dev/mem | nc forensic.rig.net 31337

– # dd if=/dev/kmem | nc forensic.rig.net 31337

– # dd if=/proc/kcore | nc forensic.rig.net 31337 (the kernel core image lives under /proc on Linux, not /dev)

• Caveat: later kernels restrict or remove /dev/mem and /dev/kmem access, and later Windows versions no longer allow a user-mode open of \\.\PhysicalMemory; those systems need a driver-based memory acquisition tool

Storage Media

• Image, then work on the copies

• Use MD5 hashes of the source and of the image; they must match

• Write blockers

– Software

– Hardware

– busTRACE: http://www.bustrace.com/ for live imaging

Removable Media

• Make sure to flush pending writes (sync) to removable media before removing it

• Can be imaged like storage media

Physical Collection Issues

• Don't overlook fingerprints on keyboard and mouse to place a person at the keyboard

• Evidence exposed to hazardous material, chemical weapons, toxic waste

– Have it evaluated and approved by HAZMAT experts

• Organic chemicals, biological matter, fingerprint, or other forensic tests:

– The fingerprinting process (cyanoacrylate) will severely damage electronic media

– Scraping can physically damage media (floppy)

Wet Media

• Soaked or immersed electronic media:

– Keep it immersed in distilled water

– Drying in uncontrolled conditions can lead to deposits

– Photograph any paper labels on magnetic media before immersion in distilled water

• Tape or floppy that is just a little wet

– Seal in a plastic bag, don't immerse

• Paper, cellulose-based media, printouts:

– Freeze or freeze-dry if wet

• Flood damage

– Immerse and flush with clean water

– Salt water:

• Place in a container or plastic bag with enough ocean water to keep it immersed

• Immerse and flush it in distilled water ASAP

• Immersion may cause biological evidence to deteriorate

– Separate samples before immersion if they are plentiful or it is easy

– Be aware and make judgment calls

Tape: Physical Issues

• Age, disuse, poor storage conditions

– Layers can become sticky and stick together or to the read head

– Static buildup increases read error rates

– Unrolling untreated tape can cause the oxide layer to be torn from the substrate

• Collect all pieces; they can help with splices

• Ship to a lab to be processed and reconditioned

• Reading for Lectures 2-5:

– Mandia/Prosise: Chapters 2-5, 9

– Casey: Chapter 2 (in Reading Room)

• Homework 1: Due Monday, June 9, 2003
