Difference between revisions of "Forensic Live CD issues"
(→Root file system spoofing) |
(→Root file system spoofing) |
||
Line 68: | Line 68: | ||
=== Root file system spoofing === | === Root file system spoofing === | ||
− | Lets look at Casper scripts (that are used by initrd | + | Lets look at Casper scripts (that are used by initrd). Here is a function (see ''scripts/casper'' in the initrd image of Ubuntu-based forensic Linux Live CD distributions) that is used to search for a root file system image during the early stage of boot process: |
find_livefs() { | find_livefs() { |
Revision as of 22:30, 1 February 2010
Contents
The problem
Forensic Linux Live CD distributions are widely used during computer forensic investigations. Currently, many vendors of such Live CD distributions spread false claims that their distributions "do not touch anything", "write protect everything" and so on. Community-developed distributions are not exception here, unfortunately. Finally, it turns out that many forensic Linux Live CD distributions are not tested properly and there are no suitable test cases developed.
Another side of the problem
Another side of the problem of insufficient testing of forensic Live CD distributions is that many users do not know what happens "under the hood" of such distributions and cannot adequately test them.
Example
For example, Forensic Cop Journal (Volume 1(3), Oct 2009) describes a test case when an Ext3 file system was mounted using "-o ro" mount flag as a way to write protect the data. The article says that all tests were successful (i.e. no data modification was found after unmounting the file system), but it is known that damaged (i.e not properly unmounted) Ext3 file systems cannot be write protected using only "-o ro" mount flags (write access will be enabled during file system recovery).
And the question is: will many users test damaged Ext3 file system (together with testing the clean one) when validating their favourite forensic Live CD distribution? My answer is "no", because many users are unaware of such traits.
Problems
Here is a list of common problems of forensic Linux Live CD distributions that can be used by developers and users for testing purposes. Each problem is followed by an up to date list of distributions affected.
Journaling file systems updates
When mounting (and unmounting) several journaling file systems with only "-o ro" mount flag a different number of data writes may occur. Here is a list of such file systems:
File system | When data writes happen | Notes |
---|---|---|
Ext3 | File system requires journal recovery | To disable recovery: use "noload" flag, or use "ro,loop" flags, or use "ext2" file system type |
Ext4 | File system requires journal recovery | To disable recovery: use "noload" flag, or use "ro,loop" flags, or use "ext2" file system type |
ReiserFS | Always | "nolog" flag does not work (see man mount). To disable journal updates: use "ro,loop" flags |
XFS | Always | "norecovery" flag does not help. To disable data writes: use "ro,loop" flags. The bug was fixed in recent 2.6 kernels. |
Incorrect mount flags can be used to mount a file system on evidentiary media during the boot process or during the file system preview process. As described above, this may result in modification of a file system's data. For example, several Ubuntu-based forensic Linux Live CD distributions mount Ext3/4 file systems on fixed media (e.g. hard drives) during execution of initrd scripts (these scripts mount every supported file system type on every supported media type using only "-o ro" flag in order to find a root file system image).
List of distributions that recover Ext3 (and sometimes Ext4) file systems during the boot:
Distribution | Version |
---|---|
Helix3 | 2009R1 |
SMART Linux (Ubuntu) | 2010-01-20 |
FCCU GNU/Linux Forensic Boot CD | 12.1 |
SPADA | 4 |
Root file system spoofing
Lets look at Casper scripts (that are used by initrd). Here is a function (see scripts/casper in the initrd image of Ubuntu-based forensic Linux Live CD distributions) that is used to search for a root file system image during the early stage of boot process:
find_livefs() { timeout="${1}" # first look at the one specified in the command line if [ ! -z "${LIVEMEDIA}" ]; then if check_dev "null" "${LIVEMEDIA}" "skip_uuid_check"; then return 0 fi fi # don't start autodetection before timeout has expired if [ -n "${LIVEMEDIA_TIMEOUT}" ]; then if [ "${timeout}" -lt "${LIVEMEDIA_TIMEOUT}" ]; then return 1 fi fi # or do the scan of block devices for sysblock in $(echo /sys/block/* | tr ' ' '\n' | grep -v loop | grep -v ram); do devname=$(sys2dev "${sysblock}") fstype=$(get_fstype "${devname}") if /lib/udev/cdrom_id ${devname} > /dev/null; then if check_dev "null" "${devname}" ; then return 0 fi elif is_nice_device "${sysblock}" ; then for dev in $(subdevices "${sysblock}"); do if check_dev "${dev}" ; then return 0 fi done elif [ "${fstype}" = "squashfs" -o \ "${fstype}" = "ext3" -o \ "${fstype}" = "ext2" ]; then # This is an ugly hack situation, the block device has # an image directly on it. It's hopefully # casper, so take it and run with it. ln -s "${devname}" "${devname}.${fstype}" echo "${devname}.${fstype}" return 0 fi done return 1 }