Difference between pages "DCO and HPA" and "Masterkey Linux"

From ForensicsWiki

= Masterkey Linux =

{{Infobox_Software |
  name = Masterkey Linux |
  maintainer = Dr. Q. Zhou - Coventry University |
  os = {{Linux}} |
  genre = {{Live CD}} |
  license = {{GPL}} |
  website = [http://masterkeylinux.com masterkeylinux.com]
}}

'''Masterkey Linux''' (or simply Masterkey) is a [[Live CD]] based on [[Slackware]] developed by Dr. Qin Zhou of Coventry University. It focuses on [[Incident Response|incident response]] and [[computer forensics]].

Whilst designed for students entering the field of computer forensics, Masterkey contains a diverse range of free and open source tools that students, computer forensics professionals and system administrators alike can use.

== Tools Included ==

In addition to standard Unix/Linux tools, a suite of editors, office applications and multimedia tools has been included, as well as the following specialised tools:

* '''[[AIR]]''' 1.2.8

AIR is a GUI front-end to dd/dcfldd designed for easily creating forensic bit images.

* '''[[Autopsy]]''' 2.21

The Autopsy Forensic Browser is a graphical interface to the command line digital investigation tools in The Sleuth Kit.

* '''[[ClamAV]]''' for Unix 0.91.2

Clam AntiVirus is an anti-virus toolkit for UNIX.

* '''[[chkrootkit]]''' 0.47

chkrootkit is a tool to locally check for signs of a rootkit.

* '''[[chntpw]]''' 070923

chntpw is an offline Windows password and registry editor.

* '''[[dcfldd]]''' 1.3.4-1

dcfldd is an enhanced version of GNU dd (also included in this distribution) with features useful for forensics and security, such as hashing the data on the fly and progress output.

* '''[[dd_rescue]]''' 1.14

dd_rescue copies data from one file or block device to another. It is intended for error recovery.

* '''[[GParted]]''' 0.3.3

GParted is the GNOME Partition Editor application.

* '''[[Foremost]]''' 1.5

Foremost is a console program to recover files based on their headers, footers, and internal data structures. It is a data carving tool.

* '''[[mac-robber]]''' 1.00

mac-robber is a digital investigation tool that collects modification, access and change (MAC) times from allocated files in a mounted file system.

* '''[[md5deep]]''' 1.12

md5deep is a cross-platform set of programs to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files.

* '''[[memdump]]''' 1.01

memdump is a memory dumper for UNIX-like systems.

* '''[[Rootkit Hunter]]''' 1.3.0

Rootkit Hunter is a rootkit scanner.

* '''[[Scalpel]]''' 1.60

Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files.

* '''[[The Sleuth Kit]]''' 3.01

The Sleuth Kit (previously known as TASK) is a collection of UNIX-based command line file and volume system forensic analysis tools.

* '''[[Stegdetect]]''' 0.6-4

Stegdetect is an automated tool for detecting steganographic content in images.

* '''[[Wipe]]''' 2005-05-09

Wipe is a file and block device wiping utility.

* '''[[Wireshark]]''' 0.99.6

Wireshark is a network protocol analyzer.

== Forensic Features ==

* Disk partitions and USB storage devices found by Masterkey are mounted read-only automatically. Icons for these mounted devices are displayed on the user's desktop. This facilitates access and prevents a user from accidentally writing to the devices and contaminating evidence.

* Mounting and use of swap partitions is not allowed. This prevents a user from destroying any evidence present on swap partitions.

* Root privilege. The user works with the system as a super user (administrator) so that tools requiring root privilege can be used straight away.

* Console login. The desktop environment (graphical user interface) does not start automatically during bootup. This makes it possible to work with Masterkey on older computers. The user can choose to start either the KDE or Fluxbox desktop if they wish.

== Forensic Issues ==

* Masterkey Linux relies on the "-o ro" mount option to provide forensically sound mounts. Unfortunately, this option is not enough to provide real read-only access to media: a read-only mount of a journalled file system such as ext3/ext4 or XFS can still replay the journal and so write to the device. Mount with "-o ro,noload" (ext3/ext4) or "-o ro,norecovery" (XFS), mark the block device read-only beforehand with "blockdev --setro /dev/sdX" (and confirm with "blockdev --getro"), or, better, put the evidence drive behind a hardware write blocker.

== External Links ==

* [http://masterkeylinux.com Masterkey Web Site]
* [http://masterkeylinux.com/community Masterkey Community Forum]
* [http://masterkeylinux.com/index.php/lft Live Forensic Toolkit]

[[Category:Incident response tools]]

= DCO and HPA =

The Host Protected Area (HPA, defined in ATA-4) and the Device Configuration Overlay (DCO, defined in ATA-6) are two ATA features that make a drive report fewer sectors than it physically has. An HPA is set with SET MAX ADDRESS and hides sectors at the end of the drive from the BIOS and the operating system, while READ NATIVE MAX ADDRESS still returns the true end of the drive. A DCO is set with DEVICE CONFIGURATION SET and goes one level deeper: it lowers the value that READ NATIVE MAX ADDRESS returns (and can also disable feature sets such as SMART or 48-bit addressing), so an HPA check alone will not reveal it. Either area can hold data that a plain image of /dev/sdX misses, so check both before imaging.

== Detection ==

=== Linux ===

==== Using hdparm ====

hdparm must be able to send ATA commands to the drive. Many USB bridges do not pass them through, so attach the drive by SATA/IDE or use a write blocker that supports HPA and DCO.

'''HPA'''

Command:

<pre># hdparm -N /dev/sda</pre>

The output shows the current maximum and the native maximum number of sectors; a difference between the two means an HPA is set.

Disabled HPA:

<pre>
/dev/sda:
max sectors  = 1465149168/1465149168, HPA is disabled
</pre>

Enabled HPA:

<pre>
/dev/sdc:
max sectors  = 586070255/586072368, HPA is enabled
</pre>

In the second example 586072368 - 586070255 = 2113 sectors (1,081,856 bytes at 512 bytes per sector) are hidden at the end of /dev/sdc. The kernel also notes an HPA at boot with a dmesg line like "HPA detected: current 586070255, native 586072368". If it was booted with libata.ignore_hpa=1 it unlocks the HPA itself and reports "HPA unlocked", in which case hdparm -N no longer shows the difference and the dmesg line is the only record.

'''DCO'''

Command:

<pre># hdparm --dco-identify /dev/sda</pre>

Example output:

<pre>
/dev/sda:
DCO Revision: 0x0001
The following features can be selectively disabled via DCO:
Transfer modes:
mdma0 mdma1 mdma2
udma0 udma1 udma2 udma3 udma4 udma5 udma6(?)
Real max sectors: 1465149168
ATA command/feature sets:
SMART self_test error_log security HPA 48_bit
(?): selective_test conveyance_test write_read_verify
(?): WRITE_UNC_EXT
SATA command/feature sets:
(?): NCQ SSP
</pre>

Compare "Real max sectors" with the native maximum reported by hdparm -N: if it is larger, a DCO hides the difference, and any HPA sits inside the DCO-reduced range. Here both values are 1465149168, so no DCO is set on /dev/sda.

== Removing HPA ==

=== Linux ===

==== Using hdparm ====

Record the output of hdparm -N and hdparm --dco-identify first; changing either setting alters the evidence drive and must be documented.

Command:

<pre># hdparm -N p586072368 /dev/sdc</pre>

('''permanently''' (!) set the maximum visible number of sectors to the native maximum from the example above)

The "p" prefix makes the change permanent. Without it (hdparm -N 586072368 /dev/sdc) the new limit is volatile and the HPA returns at the next power cycle, which is usually preferable for forensic imaging. Run hdparm -N again to confirm that the two values now match, then image the full drive.

A DCO is reset with hdparm --dco-restore /dev/sdX; this is always permanent. Do it before dealing with the HPA, because restoring the DCO can raise the native maximum and with it the size of the HPA.

== Other Tools ==

* [http://www.vidstrom.net/stools/taft/ TAFT (The ATA Forensics Tool)] claims the ability to view and change HPA and DCO settings.
* [http://www.softpedia.com/get/Security/Security-Related/SAFE-Block.shtml SAFE-Block] claims the ability to temporarily remove the HPA, and to remove the DCO and later return it to its original state.
* [http://hddguru.com/content/en/software/2007.07.20-HDD-Capacity-Restore-Tool/ HDD Capacity Restore], a reportedly free utility that removes the DCO (marketed as a way to regain drive capacity).
* [http://www.tableau.com/pdf/en/Tableau_TD1_Product_Brief.pdf Tableau TD1] can remove the HPA and DCO.
* [http://www.mp3cdsoftware.com/blancco---pro-download-292.htm Blancco-Pro 4.5] reportedly removes the HPA and DCO so that a wipe covers the whole drive.

== External Links ==

* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4HR72JM-2&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=030e6e2928779b385c76658736d11b98 Methods of discovery and exploitation of Host Protected Areas on IDE storage devices that conform to ATAPI-4], Mark Bedford, Digital Investigation, Volume 2, Issue 4, December 2005, Pages 268-275
* [http://www.utica.edu/academic/institutes/ecii/publications/articles/EFE36584-D13F-2962-67BEB146864A2671.pdf Hidden Disk Areas: HPA and DCO], Mayank R. Gupta, Michael D. Hoeschele, Marcus K. Rogers, International Journal of Digital Evidence, Fall 2006, Volume 5, Issue 1
* [http://www.sleuthkit.org/informer/sleuthkit-informer-20.txt Removing Host Protected Areas (HPA) in Linux], Brian Carrier, SleuthKit Informer #20
* [http://en.wikipedia.org/wiki/Device_configuration_overlay Wikipedia article on Device Configuration Overlay]
* [http://en.wikipedia.org/wiki/Host_protected_area Wikipedia article on Host Protected Area]
* [http://www.recover.co.il/SA-cover/SA-cover.pdf Hiding Data in Hard-Drive’s Service Areas], [[Ariel Berkman]], February 14, 2013
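Worked example for the Detection and Removing HPA sections of the DCO and HPA page above. This is added example code, not part of the ForensicsWiki page and not part of hdparm: it parses the text that hdparm -N and hdparm --dco-identify print (in the format shown above) instead of talking to a drive, sizes the hidden areas, checks that hdparm's own "HPA is enabled/disabled" flag agrees with the numbers, and proposes the unlock commands in the right order (DCO restore first, volatile HPA change second). The sample outputs are constructed: /dev/sda and /dev/sdc copy the page's examples, /dev/sdd is an invented drive with a DCO, and the 512-byte sector size is an assumption to be checked with blockdev --getss on a real drive.

```python
"""Size HPA/DCO hidden areas from hdparm output (added example, not from the wiki page)."""
import re
from dataclasses import dataclass
from typing import List, Optional

SECTOR_BYTES = 512  # assumption; 4Kn drives report 4096 (check with `blockdev --getss`)

# `hdparm -N`:             max sectors  = <current>/<native>, HPA is enabled|disabled
HPA_LINE = re.compile(r"max sectors\s*=\s*(\d+)/(\d+),\s*HPA is (enabled|disabled)")
# `hdparm --dco-identify`: Real max sectors: <real>
DCO_LINE = re.compile(r"Real max sectors:\s*(\d+)")


@dataclass
class HiddenAreas:
    device: str
    current_max: int         # what the OS sees: limited by SET MAX ADDRESS (HPA)
    native_max: int          # READ NATIVE MAX ADDRESS: already reduced by any DCO
    real_max: Optional[int]  # DCO identify "Real max sectors"; None if not run

    @property
    def hpa_sectors(self) -> int:
        return self.native_max - self.current_max

    @property
    def dco_sectors(self) -> Optional[int]:
        return None if self.real_max is None else self.real_max - self.native_max

    def hidden_bytes(self) -> int:
        return (self.hpa_sectors + (self.dco_sectors or 0)) * SECTOR_BYTES

    def unlock_commands(self) -> List[str]:
        """hdparm commands that expose the hidden sectors, in the order to run them.
        --dco-restore is always permanent; the -N command has no 'p' prefix, so it is
        volatile and the HPA returns at the next power cycle. Re-run `hdparm -N` after
        a DCO restore: the native max can grow, and with it the HPA."""
        cmds = []
        if self.dco_sectors:
            cmds.append(f"hdparm --dco-restore {self.device}")
        if self.hpa_sectors > 0:
            cmds.append(f"hdparm -N {self.native_max} {self.device}")
        return cmds


def parse_hdparm(device: str, hdparm_n: str, dco_identify: str = "") -> HiddenAreas:
    """Build a HiddenAreas record from the two command outputs, with sanity checks."""
    m = HPA_LINE.search(hdparm_n)
    if not m:
        raise ValueError(f"{device}: no 'max sectors' line; drive may not accept "
                         "ATA commands (USB bridge?)")
    current, native, flag = int(m.group(1)), int(m.group(2)), m.group(3)
    # hdparm's flag must agree with the numbers; if not, the text is from another
    # drive or was edited, and nothing below can be trusted.
    if current > native or (flag == "enabled") != (current < native):
        raise ValueError(f"{device}: HPA flag '{flag}' contradicts {current}/{native}")
    d = DCO_LINE.search(dco_identify)
    real = int(d.group(1)) if d else None
    if real is not None and real < native:
        raise ValueError(f"{device}: DCO real max {real} below native max {native}")
    return HiddenAreas(device, current, native, real)


def triage(device: str, hdparm_n: str, dco_identify: str = "") -> str:
    """One-line verdict suitable for an imaging log."""
    h = parse_hdparm(device, hdparm_n, dco_identify)
    parts = [f"HPA hides {h.hpa_sectors} sectors"]
    if h.dco_sectors is None:
        parts.append("DCO not checked")
    else:
        parts.append(f"DCO hides {h.dco_sectors} sectors")
    return f"{device}: " + ", ".join(parts) + f", {h.hidden_bytes()} bytes total"


# Constructed samples: sda and sdc copy the page's examples, sdd invents a DCO.
SDA_N = "/dev/sda:\n max sectors   = 1465149168/1465149168, HPA is disabled\n"
SDA_DCO = "/dev/sda:\nDCO Revision: 0x0001\n...\nReal max sectors: 1465149168\n"
SDC_N = "/dev/sdc:\n max sectors   = 586070255/586072368, HPA is enabled\n"
SDD_N = "/dev/sdd:\n max sectors   = 312500000/312500000, HPA is disabled\n"  # constructed
SDD_DCO = "/dev/sdd:\nDCO Revision: 0x0001\nReal max sectors: 312581808\n"   # constructed

if __name__ == "__main__":
    for dev, n_out, dco_out in (("/dev/sda", SDA_N, SDA_DCO),
                                ("/dev/sdc", SDC_N, ""),
                                ("/dev/sdd", SDD_N, SDD_DCO)):
        print(triage(dev, n_out, dco_out))
        for cmd in parse_hdparm(dev, n_out, dco_out).unlock_commands():
            print("   next:", cmd)
```

On a live system feed it the captured output of the two hdparm commands; it cannot see an HPA that the kernel already unlocked at boot (libata.ignore_hpa=1), so keep the dmesg "HPA detected" line alongside the hdparm output in the case notes.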
Masterkey Linux: revision as of 07:34, 28 July 2012