Slide 1: The “Modern” Control Boot Disk

What do we mean by a “Modern” control boot disk?

In your previous lectures you learned about the original DOS control boot disks, where the Computer Forensic industry started. However, DOS is slow and lacks driver, file system, and application support, so the industry has moved away from DOS control boot disks to boot disks built on more modern and complex OSs.

Slide 2: Any CF examiner could make a DOS control boot disk!

Using a HEX editor, simple modifications were made to a DOS boot disk to turn it into a “Control Boot Disk”.

Early software (Int-13) write blockers were written and widely used: PDBlock and HDL
http://www.cftt.nist.gov/software_write_block.htm

Slide 3: DOS Utility Disks

CF examiners built “Utility Disks” to go with their Control Boot Disks and hold all their forensic tools.

Few DOS forensic tools to choose from:
• Imaging tools: primarily SafeBack & EnCase for DOS
• Other tools: searching, hashing, 3rd-party file system drivers, HEX editor, etc.

Slide 4: The “rise” of Linux Live CDs

What are “Live CDs”? The term "live" derives from the fact that these CDs each contain a complete, functioning and operational operating system on the distribution medium.
http://en.wikipedia.org/wiki/Live_CD

The multi-threaded, fully functional OSs allowed the use of better and faster forensic applications for acquisition, hashing, searching, etc. in a “controlled” boot environment. Became popular with the release of Knoppix in 2003.

Slide 5: Linux Live CDs
• Widely used in the CF industry
– Free
– Open source, and therefore customizable.
– Built-in tools for imaging (dd), hashing (md5sum/sha1sum), searching (grep), etc.
– Must have Linux skills and comfort in a Linux command-line environment.
– EnCase ported from DOS to Linux to create “LinEn” for use on Linux Live CDs.
– Until 2009, Linux provided the only complex OS with available forensic tools in the form of a “controlled” boot disk.

Slide 6: Linux Live CDs
Helix, Raptor, SPADA, Knoppix, Penguin Sleuth, and many others over the past several years…

Slide 7: Linux Live CDs as “Control Boot Disks”?
But how “controlled” is the Linux OS on the “forensic” Live CDs? The OS is MUCH more complex than the 3 binary files that make up a DOS bootable disk, and much more complex to modify into a “controlled” OS environment.
And what about software write-blocking? We will discuss this in a few slides!

Slide 8: Linux Live CDs as “Control Boot Disks”?
• “Forensic” Linux Live CDs are modified to prevent “auto-mounting” of detected file systems and are designed to mount “read-only” any file systems they do mount.
• Live CDs are compiled by Linux experts.
• The typical CF examiner is no longer able to create/modify their own clean OS into a controlled boot disk. They must rely on other people’s work and trust that the boot disk is truly “forensically sound”.

Slide 9: Software write-blocking?
• Linux Live CDs do NOT utilize software write-blocking.
• Most in the CF industry mistakenly believe that the use of “no auto-mounting” and mounting “read-only” is software write-blocking.

Slide 10: Software write-blocking?
• Many novice Linux users inadvertently write to disks at the physical level (/dev/hda) when logical file systems (/dev/hda1) are mounted “read-only”.
• Disclaimers? http://www.spada-cd.info/about.htm

Slide 11: Software write-blocking?
• Software write-blocking is accomplished through device drivers in complex OSs (Unix, Linux, Windows, etc.)
“More complex operating systems, for example Windows XP or a UNIX variant (e.g., Linux), may disallow any low level interface (through the BIOS or the controller) and only allow user programs access to a hard drive through a device driver, a component of the operating system that manages all access to a device.”
http://www.cftt.nist.gov/documents/SWB-STP-V3_1a.pdf

Slide 12: Software write-blocking?
• No Linux Live CD in the world includes software write-block device drivers.
• Linux software write-blocking does not exist. (as of the writing of this presentation in 09/2009)
• There is only one forensic “Live CD” in the world that uses a “complex” OS and utilizes actual software write-blocking: SAFE™, the first and only forensic Windows boot disk, by ForensicSoft, Inc. (as of the writing of this presentation in 09/2009)
http://www.forensicsoft.com/catalog/product_info.php?products_id=31

Slide 13: The SAFE™ boot disk

Slide 14: The SAFE™ boot disk
1. Consists of a highly modified Windows PE OS with true software write-blocking.
2. Users have the ability to block and unblock attached disks with the click of a button.
3. Hardware specs are documented in a session log to preserve a record of detected hardware.
4. Utilizes Windows device drivers, which are available for every disk controller ever created. This is a major benefit over Linux Live CDs, where Linux drivers are often unavailable.
– Users can add new drivers on the fly very easily.
5. Full file system support for NTFS.

Slide 15: The “Modern” Utility Disk
1. CDs hold more data than old DOS floppies, so forensic utilities can now be incorporated into the boot disk itself or kept on a USB thumb drive.
2. SAFE™ runs on Windows PE and supports most Windows forensic tools.
– EnCase, FTK Imager, X-Ways/WinHex
– Hashing, searching, carving, data recovery, file viewing, etc.
3. SAFE™ has built-in:
– Case documentation features
– Hashing
– Drive preparation (wiping, partitioning, formatting)
– Searching
– And many other features…

Slide 16: Trust only yourself!
1. No matter what any CF examiner or vendor tells you about their tool(s), always validate it for yourself before using it on evidence.
2. If you didn’t write and/or modify it yourself, how do you know it is “forensically sound”?
3. Can you testify that the “Control boot disk” you use is in fact forensically sound and will not/does not alter data on systems that you boot with the control boot disk?
4. Test it yourself and document your test results.
5. Re-test any time anything changes.

Slide 17: Questions?
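The “Trust only yourself!” checklist can be turned into a repeatable test. As an added example (not from the slides and not ForensicSoft's code), this POSIX shell script checks the two things the write-blocking slides keep apart: whether a partition is mounted read-only according to a mounts table, and whether the underlying raw device actually rejects a write, judged by hashing it before and after a one-sector write attempt. It assumes a scratch disk or image file for the write test (never evidence), classic /dev/hdaN partition naming, and a session.log path in the current directory.

```shell
#!/bin/sh
# Self-validation of a "controlled" boot environment (added example; not the
# slides' or ForensicSoft's code). Checks two things the slides distinguish:
#   1. whether a partition is mounted "ro" according to a mounts table
#      (format of /proc/mounts), and
#   2. whether the raw device really rejects writes, by hashing it before and
#      after a single-sector write attempt.
# Run check 2 only against a scratch disk or image file, never evidence.
# Results go to a session log, as the slides recommend documenting tests.

LOG="${SESSION_LOG:-./session.log}"   # assumed log location

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$LOG"; }

# hash_dev PATH: SHA-256 of the whole raw device or image file
hash_dev() { sha256sum "$1" | cut -d' ' -f1; }

# mount_is_ro DEV MOUNTS: exit 0 if DEV appears in MOUNTS with the "ro" option.
# A "ro" partition mount says nothing about its parent disk (see parent_disk).
mount_is_ro() {
  awk -v dev="$1" '
    $1 == dev { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
    END { exit found ? 0 : 1 }' "$2"
}

# parent_disk PART: the physical device behind a partition node, e.g.
# /dev/hda1 -> /dev/hda. Assumes classic hdX/sdX naming (not nvme0n1p1).
parent_disk() { printf '%s\n' "$1" | sed 's/[0-9]*$//'; }

# write_is_blocked DEV: exit 0 if a 512-byte random write to sector 0 leaves
# DEV unchanged (write blocked), 1 if the hash changed (write went through).
write_is_blocked() {
  before=$(hash_dev "$1")
  head -c 512 /dev/urandom | dd of="$1" bs=512 count=1 conv=notrunc 2>/dev/null
  after=$(hash_dev "$1")
  if [ "$before" = "$after" ]; then
    log "PASS write blocked on $1 sha256=$before"
    return 0
  fi
  log "FAIL $1 changed by write attempt: before=$before after=$after"
  return 1
}

# Usage on a scratch device (as root):
#   mount_is_ro /dev/hda1 /proc/mounts && echo "partition mounted ro"
#   write_is_blocked "$(parent_disk /dev/hda1)" || echo "raw disk is writable"
```

A partition passing mount_is_ro while its parent disk fails write_is_blocked is exactly the situation the slides describe: read-only mounting without any write-blocking of the physical device.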
Please use the discussion board!