Difference between pages "Forensic Live CD issues" and "Template talk:Neutral"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (Root file system spoofing)
 
(Created page with 'Comparison review of Data copy king and Ninja The comparison table will help the potential customer to compare and make a choice with one single sight between Data copy king and…')
 
Line 1: Line 1:
== The problem ==
+
Comparison review of Data copy king and Ninja
  
[[Tools#Forensics_Live_CDs | Forensic Linux Live CD distributions]] are widely used during computer forensic investigations. Currently, many vendors of such Live CD distributions spread false claims that their distributions "do not touch anything", "write protect everything" and so on. Community-developed distributions are not exception here, unfortunately. Finally, it turns out that many forensic Linux Live CD distributions are not tested properly and there are no suitable test cases developed.
+
The comparison table will help the potential customer to compare and make a choice with one single sight between Data copy king and Ninja duplicator.
 +
  
== Another side of the problem ==
+
Data copy king Ninja
 +
Review results
 +
General
 +
Picture
 +
Time to market 2010 N/A
 +
Price 1,998USD 1,590 USD
 +
Drive connectivity  One to one One to one
 +
Potable design  Stand-alone/potable Option
 +
Drive capacity supported TB-level hard drives( up to 131072TB) Mostly target to small capacity hard drives
 +
Drive supported IDE/SATA
 +
RAID/external hard drive / SSD / flash storage media (USB, SD, CF, memory stick etc) with optional adaptor IDE/SATA
  
Another side of the problem of insufficient testing of forensic Live CD distributions is that many users do not know what happens "under the hood" of such distributions and cannot adequately test them.
+
Duplication functions
 +
Coping rate 6.0GB/min 4GB/min
 +
Test, wipe repair functions
 +
Erasing transfer rate 6.6GB/min 2-5 GB/min
 +
Data wiping Yes ⑧
 +
Optional(charge $700 to forensic version with hdd test)
 +
HDD test Yes Optional (charge $400 to ninja kaze together with data wiping)
 +
Test without altering HDD data Yes No
 +
Control the imaging process ⑤
 +
Yes
 +
Yes
  
=== Example ===
+
Data recovery functions
 +
Bad sector repair ①
 +
Yes No
 +
Clicking noises handling ②
 +
Yes
 +
No
 +
Physical read-only Yes Yes
 +
Forensic functions
 +
Access to HPA and doc hidden area Yes Yes
 +
Smart drive reset/reboot  ④
 +
Yes
 +
N/A⑨
  
For example, [http://forensiccop.blogspot.com/2009/10/forensic-cop-journal-13-2009.html ''Forensic Cop Journal'' (Volume 1(3), Oct 2009)] describes a test case when an Ext3 file system was mounted using "-o ro" mount flag as a way to write protect the data. The article says that all tests were successful (i.e. no data modification was found after unmounting the file system), but it is known that damaged (i.e not properly unmounted) Ext3 file systems cannot be write protected using only "-o ro" mount flags (write access will be enabled during file system recovery).
+
Backdoor design ⑩
 +
No N/A
 +
verification CRC32 /SHA-256 CRC
 +
Data erasing standard Yes with DoD--5220.22-M/PRC-- BMB21-2007⑥
 +
No
  
And the question is: will many users test damaged Ext3 file system (together with testing the clean one) when validating their favourite forensic Live CD distribution? My answer is "no", because many users are unaware of such traits.
+
DD image Available in upgrade No
 +
MD5 hash calculation Available in upgrade No
 +
Log auto generation Yes Yes
 +
Log export and print Yes No
 +
Others
 +
Touch Screen User Interface Yes Yes
 +
User authority⑦
 +
three-level password No
 +
Language English (Customized to other languages) Only English
 +
Upgradable free lifelong software upgrade No
 +
Technique support Free lifelong support Limited free support
 +
Warranty One year with 3 year optional N/A
 +
 +
NOTE: Words in green refers to the distinguishing features of DCK
 +
① Traditional disk imaging tools and methods are designed to deal with intact hard drives, not the unstable ones with bad sectors that are your stock-in-trade. Bad sector handling is capable of the patient Drives with stop responding, disks degrade or fail under intensive reading, valuable files remain locked in bad sectors.
 +
② Hard drive suffered clicking noises, only if the patient drive is still recognized in the bios, Data copy king is able to clone 300% more data than other data image tools from the patient drive
 +
③ Data loss due to accidental deletion, accidental format, file corruption, software bugs, file system corruption, viruses, etc
 +
④ Automatically resets/reboots drives that become unresponsive to continue imaging process
 +
⑤ Stop or continue the imaging process as you need
 +
⑥ DOD—Department of Defense
 +
PRC--the People's Republic of China
 +
⑦ Three-level user password setting to secure the confidential data
 +
⑧ YES – available
 +
⑨ N/A—NOT Available
 +
⑩ A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice), or could be a modification to an existing program or hardware device.
  
== Problems ==
+
Info provided in the review comes from following two websites:
 +
SalvationDATA Technology          http://www.salvationdata.com/data-recovery-equipment/data-copy-king.htm
  
Here is a list of common problems of forensic Linux Live CD distributions that can be used by developers and users for testing purposes. Each problem is followed by an up to date list of distributions affected.
+
Ninja                           
 
+
http://www.hdd.ji2.com/products/ninja.html
=== Journaling file system updates ===
+
 
+
When mounting (and unmounting) several journaling file systems with only "-o ro" mount flag a different number of data writes may occur. Here is a list of such file systems:
+
 
+
{| class="wikitable" border="1"
+
|-
+
!  File system
+
!  When data writes happen
+
!  Notes
+
|-
+
|  Ext3
+
|  File system requires journal recovery
+
|  To disable recovery: use "noload" flag, or use "ro,loop" flags, or use "ext2" file system type
+
|-
+
|  Ext4
+
|  File system requires journal recovery
+
|  To disable recovery: use "noload" flag, or use "ro,loop" flags, or use "ext2" file system type
+
|-
+
|  ReiserFS
+
|  File system has unfinished transactions
+
|  "nolog" flag does not work (see ''man mount''). To disable journal updates: use "ro,loop" flags
+
|-
+
|  XFS
+
|  Always (when unmounting)
+
|  "norecovery" flag does not help (fixed in recent 2.6 kernels). To disable data writes: use "ro,loop" flags.
+
|}
+
 
+
Incorrect mount flags can be used to mount file systems on evidentiary media during the boot process or during the file system preview process. As described above, this may result in data writes to evidentiary media. For example, several Ubuntu-based forensic Live CD distributions mount and recover damaged Ext3/4 file systems on fixed media (e.g. hard drives) during execution of [http://en.wikipedia.org/wiki/Initrd ''initrd''] scripts (these scripts mount every supported file system type on every supported media type using only "-o ro" flag in order to find a root file system image).
+
 
+
[[Image:ext3 recovery.png|thumb|right|[[Helix3]]: damaged Ext3 recovery during the boot]]
+
 
+
List of distributions that recover Ext3 (and sometimes Ext4) file systems during the boot:
+
 
+
{| class="wikitable" border="1"
+
|-
+
!  Distribution
+
!  Version
+
|-
+
|  Helix3
+
|  2009R1
+
|-
+
|  SMART Linux (Ubuntu)
+
|  2010-01-20
+
|-
+
|  FCCU GNU/Linux Forensic Boot CD
+
|  12.1
+
|-
+
|  SPADA
+
|  4
+
|}
+
 
+
=== Root file system spoofing ===
+
 
+
Most Ubuntu-based forensic Live CD distributions use Casper (a set of scripts used to complete initialization process during early stage of boot). Casper is responsible for searching for a root file system (typically, an image of live environment) on all supported devices (because a bootloader does not pass any information about device used for booting to the kernel), mounting it and executing ''/sbin/init'' program on a mounted root file system that will continue the boot process. Unfortunately, Casper was not designed to meet computer forensics requirements and is responsible for damaged Ext3/4 file systems recovery during the boot (see above) and root file system spoofing.
+
 
+
[[Image:Grml.png|thumb|right|[[grml]] mounted root file system from the [[hard drive]]]]
+
 
+
Currently, Casper may select fake root file system image on evidentiary media (e.g. [[Hard Drive|HDD]]), because there are no authenticity checks performed (except optional UUID check for a possible live file system), and this fake root file system image may be used to execute malicious code during the boot with root privileges. Knoppix-based forensic Live CD distributions are vulnerable to the same attack.
+
 
+
List of Ubuntu-based and Debian-based distributions that allow root file system spoofing:
+
 
+
{| class="wikitable" border="1"
+
|-
+
!  Distribution
+
!  Version
+
|-
+
|  Helix3
+
|  2009R1
+
|-
+
|  Helix3 Pro
+
|  2009R3
+
|-
+
|  CAINE
+
|  1.5
+
|-
+
|  DEFT Linux
+
|  5
+
|-
+
|  Raptor
+
|  20091026
+
|-
+
|  grml ''(uses Casper fork - live-initramfs)''
+
|  2009.10
+
|-
+
|  BackTrack
+
|  4
+
|-
+
|  SMART Linux (Ubuntu)
+
|  2010-01-20
+
|-
+
|  FCCU GNU/Linux Forensic Boot CD
+
|  12.1
+
|}
+
 
+
Vulnerable Knoppix-based distributions include: SPADA, LinEn Boot CD, BitFlare.
+
 
+
[http://anti-forensics.ru/ Anti-Forensics.Ru project] [http://digitalcorpora.org/corp/images/aor/ released several ISO 9660 images] used to test various Linux Live CD distributions for root file system spoofing (description for all images is [http://anti-forensics.ru/casper/ here]).
+
 
+
=== Swap space activation ===
+
 
+
=== Incorrect mount policy ===
+
 
+
==== HAL ====
+
 
+
==== rebuildfstab and scanpartitions scripts ====
+
 
+
=== Incorrect write-blocking approach ===
+
 
+
== External links ==
+
 
+
* [http://www.computer-forensics-lab.org/pdf/Linux_for_computer_forensic_investigators_2.pdf Linux for computer forensic investigators: problems of booting trusted operating system]
+
* [http://www.computer-forensics-lab.org/pdf/Linux_for_computer_forensic_investigators.pdf Linux for computer forensic investigators: «pitfalls» of mounting file systems]
+

Revision as of 03:18, 23 February 2010

Comparison review of Data copy king and Ninja

The comparison table will help the potential customer to compare and make a choice with one single sight between Data copy king and Ninja duplicator.


Data copy king Ninja Review results General Picture Time to market 2010 N/A Price 1,998USD 1,590 USD Drive connectivity One to one One to one Potable design Stand-alone/potable Option Drive capacity supported TB-level hard drives( up to 131072TB) Mostly target to small capacity hard drives Drive supported IDE/SATA RAID/external hard drive / SSD / flash storage media (USB, SD, CF, memory stick etc) with optional adaptor IDE/SATA

Duplication functions Coping rate 6.0GB/min 4GB/min Test, wipe repair functions Erasing transfer rate 6.6GB/min 2-5 GB/min Data wiping Yes ⑧ Optional(charge $700 to forensic version with hdd test) HDD test Yes Optional (charge $400 to ninja kaze together with data wiping) Test without altering HDD data Yes No Control the imaging process ⑤ Yes Yes

Data recovery functions Bad sector repair ① Yes No Clicking noises handling ② Yes No Physical read-only Yes Yes Forensic functions Access to HPA and doc hidden area Yes Yes Smart drive reset/reboot ④ Yes N/A⑨

Backdoor design ⑩ No N/A verification CRC32 /SHA-256 CRC Data erasing standard Yes with DoD--5220.22-M/PRC-- BMB21-2007⑥ No

DD image Available in upgrade No MD5 hash calculation Available in upgrade No Log auto generation Yes Yes Log export and print Yes No Others Touch Screen User Interface Yes Yes User authority⑦ three-level password No Language English (Customized to other languages) Only English Upgradable free lifelong software upgrade No Technique support Free lifelong support Limited free support Warranty One year with 3 year optional N/A

NOTE: Words in green refers to the distinguishing features of DCK ① Traditional disk imaging tools and methods are designed to deal with intact hard drives, not the unstable ones with bad sectors that are your stock-in-trade. Bad sector handling is capable of the patient Drives with stop responding, disks degrade or fail under intensive reading, valuable files remain locked in bad sectors. ② Hard drive suffered clicking noises, only if the patient drive is still recognized in the bios, Data copy king is able to clone 300% more data than other data image tools from the patient drive ③ Data loss due to accidental deletion, accidental format, file corruption, software bugs, file system corruption, viruses, etc ④ Automatically resets/reboots drives that become unresponsive to continue imaging process ⑤ Stop or continue the imaging process as you need ⑥ DOD—Department of Defense PRC--the People's Republic of China ⑦ Three-level user password setting to secure the confidential data ⑧ YES – available ⑨ N/A—NOT Available ⑩ A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice), or could be a modification to an existing program or hardware device.

Info provided in the review comes from following two websites: SalvationDATA Technology http://www.salvationdata.com/data-recovery-equipment/data-copy-king.htm

Ninja http://www.hdd.ji2.com/products/ninja.html