Forensics 101: Basics of capturing and mounting forensic images Security-SIG February, 2007 ISC/Information Security Forensics: Forensic science (often shortened to forensics) is the application of a broad spectrum of sciences to answer questions of interest to the legal system. This may be in relation to a crime or to a civil action…the term "forensic" is effectively a synonym for "legal" or "related to courts" (from Latin, it means "before the forum"). Source: Wikipedia Security-SIG February, 2007 ISC/Information Security Why perform computer forensics? • You know or suspect one or more computers has been involved in: – a crime – a violation of policy – an issue of academic integrity (student and/or faculty) • A network and/or computer(s) were compromised, and you just want to find out how and why Security-SIG February, 2007 ISC/Information Security Why not perform forensics? • Can be expen$ive – Commercial forensic and data recovery outlets (e.g. Kroll Ontrack and RenewData) typically charge $3,000 - $5,000 per drive – Even when done in-house, can involve large amounts of employee labor, purchasing extra drive space, etc • Can be time consuming – Acquiring drive images takes time…an 80 GB drive typically takes 2+ hours – Data analysis can takes days, even weeks, depending on the scope of the case Security-SIG February, 2007 ISC/Information Security Who can perform forensics? • For purposes of simply investigating a hacked system or network that does not appear to have legal implications, any person knowledgeable with basic forensic tools and procedures can perform a forensic examination (with proper authorization) • In cases where there is potential legal obligation and/or risk for Penn, only person(s) authorized by the University may perform forensics (i.e., ISC Information Security) Security-SIG February, 2007 ISC/Information Security If you begin an independent forensic examination… …and encounter evidence of an actual or possible crime (whether it’s been committed yet or not) STOP!! Contact ISC Information Security immediately at 215-898-2172 or security@isc.upenn.edu Security-SIG February, 2007 ISC/Information Security Classes of forensic examinations • “Live”, i.e. real-time – Network is up and running, computers are attached and communicating – Goal is to observe/capture ongoing activity on network, in RAM and on disk related to crime or exploit – Not often done, very complex, often a “fishing expedition” • “Snapshot”, i.e., static – Network packet captures have been saved for later analysis – In some cases, RAM dumps written to file for analysis – Drive images taken to preserve status of file system - this is the most commonly performed forensic operation Security-SIG February, 2007 ISC/Information Security Some common forensic tools: • Real-time – – – – – tcpdump/WinDump netstat Ethereal pcat lsof • Static – – – – – dd (or dcfldd) mmls netcat (or cryptcat) md5sum grep Security-SIG February, 2007 ISC/Information Security Drive images: what do I need? • A basic, working knowledge of linux, especially the use of: – mount – dd – ls • A basic understanding of image files (.iso, .img) • A basic understanding of drive geometry (sectors, partitioning) and file system structure (allocation tables, inodes, allocated vs. unallocated space, slack space, MAC times) Security-SIG February, 2007 ISC/Information Security Image files: The Goal The purpose of capturing a forensic drive image is to produce a file that is an exact, sector-by sector reproduction of the drive. The image preserves not only the data itself, but also the “geography” of the data - where it physically resides on the disk. The image file can then be examined for evidence without danger of altering or destroying the original. Security-SIG February, 2007 ISC/Information Security Basic Drive Geometry • The typical sector size for modern drives is 512 bytes • Most operating systems (Windows and Unix/Linux included) use a default allocation size of 8 sectors (4096 bytes) Security-SIG February, 2007 ISC/Information Security File System Basics • Allocated space is space that is in use by a file and is being tracked in the File Allocation Table (FAT) • Unallocated space is disk space that is available for new or changed files. It may or may not contain data from deleted files • Slack space is space that is allocated but unused, i.e., the remaining space in the last allocated file block – Unix and Linux pad this space with zeros – Windows does not…may contain valuable data fragments • File system metadata includes “card catalog” information such as inode number and file MAC times Security-SIG February, 2007 ISC/Information Security Linux • Most versions of linux will work just fine with all standard forensic tools • SANS Institute uses Red Hat Fedora as the basis for their forensics course • There are Windows-based forensic tools, but many are commercial, and - surprise! - often don’t work as well as the unix/linux tools • To mount and analyze NTFS images, your linux kernel will need to support and have installed an NTFS module: – Start here: sourceforge.net/project/showfiles.php?group_id=13956 Security-SIG February, 2007 ISC/Information Security Toolboxes! • “The Coroner’s Toolkit” – A set of tools developed by Dan Farmer and Wietse Venema – www.porcupine.org/forensics/tct.html • Helix – Bootable, Knoppix-style linux CD – Graphical interface, or command line/terminal – www.e-fense.com/helix/ • FREE!! Security-SIG February, 2007 ISC/Information Security A little more about Helix... • Current version: 1.8 (10-062006) • Extremely powerful and useful • Download as ISO file and burn directly to CD-ROM • IDE drives a snap - ATA’s can be tricky • It pays to archive older versions – Depending on age and/or version of BIOS chips, some computers will boot on older versions but not on current Security-SIG February, 2007 ISC/Information Security Before you start… • • The Cardinal Rule: DOCUMENT EVERY STEP!! – Date and time you started and ended – Equipment you worked on • Serial numbers (drive AND CPU) • Owner/user(s) • Purpose(s) machine used for (if you know) • Location – Commands/tools you ran (including option flags) in the order you ran them – Results you got from commands and tools – Anything else pertinent to the examination Record all of the above in a running log and sign it (PGP, or print it out and physically sign it) Remember: the possibility always exists that you may find information that results in a legal proceeding, and you may be required to explain and justify your work. Security-SIG February, 2007 ISC/Information Security Determine Scope • What are you looking for? • Who is involved? – All users? Just one? Root/Admin compromise? • How many drives? • How many partitions? What kind(s)? – Windows? Unix/Linux? OS X? • Need to search for text and/or data? Security-SIG February, 2007 ISC/Information Security Keyword List • If you’re going to be searching for evidence of particular actions or behavior in documents and data files, prepare a list of keywords that are likely to be found during a search of files containing text and strings • There are several tools that can use this list, including good old grep Security-SIG February, 2007 ISC/Information Security Forensic Drive Imaging: A 12Step Program Security-SIG February, 2007 ISC/Information Security Step 1: Chain of Custody • Start a Chain of Custody form for each drive you examine • Records identifying information about the drive (serial number, model, capacity, etc.) • Most importantly: establishes and tracks the physical location and custody of the drive from the beginning of the investigation through the end. • A very important document in a legal proceeding - used to indicate and prove (as much as possible) that evidence has been properly treated and has not been tampered with • Information Security can provide you with a suitable form Security-SIG February, 2007 ISC/Information Security Step 2: Capture Setup • If you have a bootable linux CD (e.g., Helix), simplest setup is: – connect an external USB/Firewire drive as the “image target” – boot the system up – mount the drive to be imaged and the “image target” – make sure, of course, that the target is LARGER than the source Security-SIG February, 2007 ISC/Information Security netcat/cryptcat • netcat allows you to “pipe” output across the network in similar fashion to how you would do it locally with cat, ‘>’, etc. • cryptcat does the same thing, but encrypts the traffic • uses “client/listener” model • start the listener: – nc -l -p [port #] > [output file] – e.g. nc -l -p 5432 > /casefile/datafile.txt • pipe client output: – cat [filename] | nc [listener IP] [listener port] – e.g., cat testfile.txt | nc 130.91.75.126 5432 Security-SIG February, 2007 ISC/Information Security Backups: “File” vs. “Forensic” • A standard file backup copies only data residing in allocated disk space – i.e, an 80 GB drive with 20 MB of allocated files will produce a 20 MB backup file • A forensic (image) backup sequentially copies each and every disk sector, regardless of whether it is allocated space or has any data in it – i.e. an 80 GB drive with 20 MB of allocated files will produce an 80 GB image file Security-SIG February, 2007 ISC/Information Security Step 3: Hash the drive • The object is to produce a “snapshot” image of the drive that is absolutely identical to the drive itself • The standard method of verifying the integrity of the image involves using the MD5 hashing algorithm • Run md5sum against the drive’s device: – md5sum /dev/sda • Pipe it to a text file if you like: – md5sum /dev/sda > hash.txt • The result will be a 32-character (hex) hash of the entire disk contents that you will later match against the image Security-SIG February, 2007 ISC/Information Security Example: MD5 Input 1 2 3 4 5 Security-SIG February, 2007 Output B026324c6904b2a9cb4b88d6d61c81d1 26ab0db90d72e28ad0ba1e22ee510510 6d7fce9fee471194aa8b5b6e47267f03 48a24b70a0b376535542b996af517398 1dcca23355272056f04fe8bf20edfce0 ISC/Information Security Step 4: Image capture with dd • dd: “duplicate device” • 2 basic, required parameters: – input file (‘if’) – output file (‘of) • Input and output can be either actual files or block devices • For block device (i.e., entire drive) to image file: – dd if=<device> of=</path/file> – e.g. dd if=/dev/sda of=/casefile/image01.iso Security-SIG February, 2007 ISC/Information Security An alternative: dcfldd • Available in Helix and TCT • Provide progress indicator (count of written blocks) – hashwindow=0 • Can perform integrity checks/MD5 sum on the fly and write to file – hashlog = <path/file> • e.g. dcfldd if=/dev/sda of=/casefile/image01.iso hashwindow=0 hashlog=/casefile/imagehash.txt Security-SIG February, 2007 ISC/Information Security Step 5: Wait… • It will vary depending on the equipment involved, but Information Security’s experience is that typical current drives can be imaged at about 40GB/hr • Go to Starbucks… Security-SIG February, 2007 ISC/Information Security Step 6: Hash the image file • Run md5sum against the resulting image file – md5sum /casefile/image01.iso • Compare this hash to the one obtained in Step 3 from the drive – If they match exactly, you have an image file that is an exact copy of the drive. If they don’t, something went wrong, and the validity of any examination of the image data would likely be challenged in court if it ever came to that Security-SIG February, 2007 ISC/Information Security Step 7: Put the drive away • Now that you have an image file and have verified the integrity by matching the MD5 hashes, you do not need the drive • Store it securely and perform your examination on the image file Security-SIG February, 2007 ISC/Information Security Step 8: Retrieve partition structure • mmls – included in TCT – extracts logical partition info from image file – use ‘-t dos’ flag to denote you’re looking for disk operating system partitions – output will be used to “carve out” images of partitions needed – usage: mmls -t dos </path/file> • e.g., mmls -t dos /casefile/image01.iso Security-SIG February, 2007 ISC/Information Security mmls: a typical(?) result # mmls -t dos /casefile/image01.iso Units are in 512-byte sectors 00: 01: 02: 03: 04: 05: Slot --------00:00 ----00:01 00:02 Start 0000000000 0000000001 0000000063 0001028160 0002570400 0004209030 End 0000000000 0000000062 0001028159 0002570399 0004209029 0006265349 Length 0000000001 0000000062 0001028097 0001542240 0001638630 0002056320 Description Table #0 Unallocated Win95 FAT32 (0x0B) Unallocated OpenBSD (0xA6) NTFS (0x07) Well, maybe it’s not so typical to have 3 different operating system partitions on a single drive. This illustrates, though, that mmls shows you not only what partitions are on the drive, but also where they are. Take note of the sector size as well - it’s usually 512 bytes, but can vary. Security-SIG February, 2007 ISC/Information Security Step 9: “Carve out” partitions • dd can be used with additional parameters to “carve” the partitions from the image file and write them to individual image files that can be directly mounted and browsed • from mmls, you need to know the sector size the drive is using (usually 512 bytes) • also, for each partition, you need: – size (“Length” column from mmls output) – skip (“Start” column from mmls output) Security-SIG February, 2007 ISC/Information Security “Carving” with dd Usage: dd if=<whole disk image file> bs=<sector size> count=<partition size> skip=<partition start> of=<new partition image file> So, to create an image file of the NTFS partition found by mmls on the previous slide: dd if=/casefile/image01.iso bs=512 count=2056320 skip=4209030 of=/casefile/partition01.img (Yes, you can use dcfldd instead) Security-SIG February, 2007 ISC/Information Security .iso or .img? • Doesn’t really matter - you can use pretty much any file name and extension you want • By convention, some use .iso for the whole image and .img for partition images • Whichever convention you adopt, be consistent Security-SIG February, 2007 ISC/Information Security Step 10: Mount partition(s) • To inspect and browse your partition images, you need to mount them as part of your Linux file system • Important flags: – t – ro – loop File system type (e.g., ntfs) Read only (used with -o) Needed to read image file as block device (used with -o) • Usage: mount Security-SIG February, 2007 <options> <path to image> <mountpoint> ISC/Information Security Putting it all together… mount -t ntfs -o ro,loop /casefile/partition01.img /forensics This tells the system to mount the file as a readonly image file using NTFS at the /forensics directory (make sure that it exists). Once this is done, you should be able to inspect all files below that mountpoint using standard tools like ls and grep, as well as other specialized forensic tools from TCT, Helix, et al Security-SIG February, 2007 ISC/Information Security Step 11: Tool Time (“More Power!”) We’ve already talked about basic tools like grep and ls. Thanks to toolboxes like TCT and Helix, there are many more that can be used to literally take the image apart and dissect it sector by sector, file by file. We can’t cover all of them here in detail, but we’ll take a few minutes to highlight some of the most useful and powerful “cool tools”… Security-SIG February, 2007 ISC/Information Security mac-robber and mactime • MAC refers here to Modified, Accessed and Created dates/times for files in system • mac-robber collects information from the file systems metadata structure ( MAC times, file sizes & permissions etc.) – output defults to STDOUT, can be piped to local file, or to remote location via netcat/cryptcat – usage: mac-robber <path> > <target> – e.g., mac-robber /forensics > partition01_mac.txt • mactime is a Perl script that processes the output from mac-robber – allows specification of date/time range – sorts files by MAC times instead of by directory/path – use -b flag to designate source file, otherwise defaults to STDIN – e.g., mactime -b partition01_mac.txt > timeline.txt Security-SIG February, 2007 ISC/Information Security MAC Timeline • Investigating a compromise via rootkit et al usually involves inspecting the file system for unusual or unexplained changes and additions. • The timeline file generated by mactime presents a chronological account of changes to individual files • Can be a time-consuming examination, but often reveals much insight into how a system was hacked • e.g., a common administrative tool like ps shows an inode number change 2 months ago – typically, core command-line utilities should have lower inode numbers that never change – indicates that the ps command was likely tampered with in order to hide processes from system administrator Security-SIG February, 2007 ISC/Information Security file • • • • Displays file type of one or more files Can use wildcards, e.g., ‘*’ Can try to look inside compressed files (‘-z’) Useful for finding mismatches between the file extension in use and what the file actually is – e.g., user trying to hide incriminating JPG files by renaming them with ‘.exe’ extension Security-SIG February, 2007 ISC/Information Security strings • Locates and extracts strings of 4 characters or more in binary files • Useful for finding calls to libraries, IP addresses, pathnames, etc • Usage: strings <options> <filename> • Flags – – – – -a grab all strings --radix=d byte offset of string found -f print filename beside string -n x grab strings of at least x length Security-SIG February, 2007 ISC/Information Security dstat • Displays statistics on a particular data unit (sector) • Useful for determining current allocation status of sector • Typical usage: – dstat -f ntfs /casefile/partition01.img 20647 • Typical result: Fragment: 257 Allocated Group: 0 Security-SIG February, 2007 ISC/Information Security dcat • Similar to dstat, but outputs actual contents of sector • Defaults to STDOUT, can be piped to file • Usage: – dcat -f ntfs /casefile/partition01.img 20647 Security-SIG February, 2007 ISC/Information Security dls • • • • Lists contents from data units Defaults to STDOUT, can be piped Useful for recovering deleted files and slack space Flags: – – – – -e -l -s range show all blocks list details about each block (no content) show slack space range of blocks to be outputted • e.g., – dls -f ntfs -el /casefile/partition01.img 2000-3000 > dlsdata.txt Security-SIG February, 2007 ISC/Information Security inode tools • Similar to the ‘d*’ tools we’ve just covered, there are tools that permit retrieval and inspection of file data based on inode number – – – – ifind istat ils icat Security-SIG February, 2007 find inode number that points to a disk sector display metadata info by inode number list inodes, including deleted files and unlinked but open files copy files by inode number ISC/Information Security Step 12: A Final Windows Hint • Don’t forget to run these tools on pagefile.sys - you’d be surprised what you might find Security-SIG February, 2007 ISC/Information Security Questions? Security-SIG February, 2007 ISC/Information Security