Difference between pages "Forensic Live CD issues" and "Main Page"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (Incorrect write-blocking approach)
 
m (WIKI NEWS)
 
Line 1: Line 1:
== The problem ==
+
<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#faf0ff; align:right; border:1px solid #ddccff;">
 +
This is the '''Forensics Wiki''', a [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons]-licensed [http://en.wikipedia.org/wiki/Wiki wiki] devoted to information about [[digital forensics]] (also known as computer forensics). We currently list a total of [[Special:Allpages|{{NUMBEROFARTICLES}}]] pages.
 +
 
 +
Much of [[computer forensics]] is focused on the [[tools]] and [[techniques]] used by [[investigator]]s, but there are also a number of important [[papers]], [[people]], and [[organizations]] involved. Many of those organizations sponsor [[Upcoming_events|conferences]] throughout the year and around the world. You may also wish to examine the popular [[journals]] and some special [[reports]].
 +
</div> 
  
[[Live CD|Forensic Live CDs]] are widely used during computer forensic investigations. Currently, many vendors of such Live CD distributions spread false claims that their distributions "do not touch anything", "write protect everything" and so on. Unfortunately, community-developed distributions are no exception here. Finally, it turns out that many Linux-based forensic Live CDs are not tested properly and there are no suitable test cases published.
 
  
== Another side of the problem ==
+
==WIKI NEWS==
 +
2014-06-14: The Wiki has been migrated to the most up-to-date MediaWiki and moved from HostGator to Pair. The previous bugs with the AccountCreation problem should be fixed. Please let us know if there are any problems.
 +
* 2014-06-16 - It seems that the transfer and upgrade has resulted in some content being lost. We are evaluating the situation.
  
Another side of the problem of insufficient testing of forensic Live CDs is that many users do not know what happens "under the hood" of the provided operating system and cannot adequately test them.
+
2013-05-15: You can now subscribe to Forensics Wiki Recent Changes with the [[ForensicsWiki FeedBurner Feed]]
  
=== Example ===
+
{| width="100%"
 +
|-
 +
| width="60%" style="vertical-align:top" |
 +
<!-- Selected Forensics Research --> 
 +
<div style="margin-top:0.5em; border:2px solid #ff0000; padding:0.5em 0.5em 0.5em 0.5em; background-color:#ffff99; align:center; border:1px solid #ddccff;">
 +
<h2 style="margin:0; background-color:#ffff33; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;"> Featured Forensic Research </h2>
  
For example, [http://forensiccop.blogspot.com/2009/10/forensic-cop-journal-13-2009.html ''Forensic Cop Journal'' (Volume 1(3), Oct 2009)] describes a test case when an Ext3 file system was mounted using "-o ro" mount flag as a way to write protect the data. The article says that all tests were successful (i.e. no data modification was found after unmounting the file system), but it is known that damaged (i.e not properly unmounted) Ext3 file systems cannot be write protected using only "-o ro" mount flags (write access will be enabled during file system recovery).
+
<small>May 2014</small>
 +
<bibtex>
 +
@inproceedings{Hurley:2013:MAC:2488388.2488444,
 +
author = {Sven Ka ̈lber, Andreas Dewald, Steffen Idler},
 +
title = {Forensic Zero-Knowledge Event Reconstruction on Filesystem Metadata},
 +
booktitle = {Lecture Notes in Informatics},
 +
volume="P-228",
 +
year=2014,
 +
url = {http://subs.emis.de/LNI/Proceedings/Proceedings228/331.pdf},
 +
}
 +
</bibtex>
  
And the question is: will many users test damaged Ext3 file system (together with testing the clean one) when validating their favourite forensic Live CD distribution? My answer is "no", because many users are unaware of such traits.
+
Abstract: Criminal investigations today can hardly be imagined without the forensic analysis of digital devices, regardless of whether it is a desktop computer, a mobile phone, or a navigation system. This not only holds true for cases of cybercrime, but also for traditional delicts such as murder or blackmail, and also private corporate investigations rely on digital forensics. This leads to an increasing number of cases with an ever-growing amount of data, that exceeds the capacity of the forensic experts. To support investigators to work more efficiently, we introduce a novel approach to automatically reconstruct events that previously occurred on the examined system and to provide a quick overview to the investigator as a starting point for further investigation. In contrast to the few existing approaches, our solution does not rely on any previously profiled system behavior or knowledge about specific applications, log files, or file formats. We further present a prototype implementation of our so-called zero knowledge event reconstruction approach, that solely tries to make sense of characteristic structures in file system metadata such as file- and folder-names and timestamps.
  
== Problems ==
+
(See also [[Past Selected Articles]])
  
Each problem is followed by a list of distributions affected (currently this list is not up-to-date).
+
| width="40%" style="vertical-align:top" |
  
=== Journaling file system updates ===
+
<div style="margin-top:0.5em; border:2px solid #00ff00; padding:0.5em 0.5em 0.5em 0.5em; background-color:#ffeeff; align:center; border:1px solid #ffccff;">
 +
<h2 style="margin:0; background-color:#ffff33; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">  Featured Article </h2>
 +
;[[Forensic Linux Live CD issues]]
 +
:Forensic Linux Live CD distributions are widely used during computer forensic investigations. Currently, many vendors of such Live CD distributions state that their Linux do not modify the contents of hard drives or employ "write protection." Testing indicates that this may not always be the case. [[Forensic Linux Live CD issues|Read More...]]
  
When mounting (and unmounting) several journaling file systems with only "-o ro" mount flag a different number of data writes may occur. Here is a list of such file systems:
+
|}
  
{| class="wikitable" border="1"
 
|-
 
!  File system
 
!  When data writes happen
 
!  Notes
 
|-
 
|  Ext3
 
|  File system requires journal recovery
 
|  To disable recovery: use "noload" flag, or use "ro,loop" flags, or use "ext2" file system type
 
|-
 
|  Ext4
 
|  File system requires journal recovery
 
|  To disable recovery: use "noload" flag, or use "ro,loop" flags, or use "ext2" file system type
 
|-
 
|  ReiserFS
 
|  File system has unfinished transactions
 
|  "nolog" flag does not work (see ''man mount''). To disable journal updates: use "ro,loop" flags
 
|-
 
|  XFS
 
|  Always (when unmounting)
 
|  "norecovery" flag does not help (fixed in recent 2.6 kernels). To disable data writes: use "ro,loop" flags.
 
|}
 
  
Incorrect mount flags can be used to mount file systems on evidentiary media during the boot process or during the file system preview process. As described above, this may result in data writes to evidentiary media. For example, several Ubuntu-based forensic Live CD distributions mount and recover damaged Ext3/4 file systems on fixed media (e.g. hard drives) during execution of [http://en.wikipedia.org/wiki/Initrd ''initrd''] scripts (these scripts mount every supported file system type on every supported media type using only "-o ro" flag in order to find a root file system image).
+
<!-- This begins the two-column section -->
  
[[Image:ext3 recovery.png|thumb|right|[[Helix3]]: damaged Ext3 recovery during the boot]]
+
{| width="100%"
 +
|-
 +
| width="60%" style="vertical-align:top" |
  
List of distributions that recover Ext3 (and sometimes Ext4) file systems during the boot:
+
<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#eeeeff; align:right; border:1px solid #ddccff;">
  
{| class="wikitable" border="1"
+
<h2 style="margin:0; background-color:#ccccff; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">Topics</h2>
|-
+
!  Distribution
+
!  Version
+
|-
+
|  Helix3
+
|  2009R1
+
|-
+
|  SMART Linux (Ubuntu)
+
|  2010-01-20
+
|-
+
|  FCCU GNU/Linux Forensic Boot CD
+
|  12.1
+
|-
+
|  SPADA
+
|  4
+
|-
+
|  DEFT Linux
+
|  7
+
|}
+
  
=== Orphan inodes deletion ===
+
* '''[[File Analysis]]''':
 +
** '''[[:Category:File Formats|File Formats]]''': [[PDF]], [[DOC]], [[DOCX]], [[JPEG]], [[GIF]], [[BMP]], [[LNK]], [[MP3]], [[AAC]], [[Thumbs.db]], ...
 +
** '''[[Forensic file formats]]''': [[AFF]], [[gfzip]], [[sgzip]], ...
 +
* '''[[File Systems]]''': [[FAT]], [[NTFS]], [[ext2]]/[[ext3]], [[ufs]], [[ffs]], [[reiserfs]], ...
 +
** '''[[File Systems#Cryptographic_File_Systems|Cryptographic File Systems]]''': [[File Vault]], [[EFS]], [[CFS]], [[NCryptfs]], [[TCFS]], [[SFS]], ...
 +
* '''[[Hardware]]''':
 +
** '''[[Bus]]ses''': [[IDE]], [[SCSI]], [[Firewire]], [[USB]], ...
 +
** '''[[Data storage media|Media]]''': [[RAM]], [[Hard Drive]]s, [[Memory Card]]s, [[SmartCard]]s, [[RFID]] Tags...
 +
** '''[[Personal Digital Devices]]''': [[PDAs]], [[Cellphones]], [[SmartPhones]], [[Audio Devices]], ...
 +
** '''[[Other Devices]]''': [[Printers]], [[Scanners]], ...
 +
** '''[[Write Blockers]]''': ...
 +
* '''Recovering data''': [[Recovering bad data|bad data]], [[Recovering deleted data|deleted data]], [[Recovering Overwritten Data|overwritten data]], [[Sanitization Standards]]
 +
* [[Encryption]]
 +
* [[GPS]]
 +
* [[Forensic_corpora|Forensic Corpora]]
 +
* [[Network forensics]]: [[OS fingerprinting]], [[Hidden channels]], [[Proxy server|Proxy servers]]
 +
* [[Steganography]], [[Steganalysis]]
 +
* '''[[Metadata]]:''' [[MAC times]], [[ACLs]], [[Email Headers]], [[Exif]], [[ID3]], [[OLE-2]], ...
 +
* '''[[Legal issues]]:''' [[Caselaw|Case law]]
 +
* '''Further information:''' [[Books]], [[Papers]], [[Reports]], [[Journals]], [[Websites]], [[Blogs]], [[Mailing lists]], [[Organizations]], [[Vendors]], [[Conferences]]
 +
</div>
  
When mounting Ext3/4 file systems all orphan inodes are removed, even if "-o ro" mount flag was specified. Currently, there is no specific mount flag to disable orphan inodes deletion. The only solution here is to use "-o ro,loop" flags.
 
  
=== Root file system spoofing ===
 
  
''See also: [[Early userspace | early userspace]]''
+
| width="40%" style="vertical-align:top" |
  
Most Ubuntu-based forensic Live CD distributions use Casper (a set of scripts used to complete initialization process during early stage of boot). Casper is responsible for searching for a root file system (typically, an image of live environment) on all supported devices (because a bootloader does not pass any information about device used for booting to the kernel), mounting it and executing ''/sbin/init'' program on a mounted root file system that will continue the boot process. Unfortunately, Casper was not designed to meet computer forensics requirements and is responsible for damaged Ext3/4 file systems recovery during the boot (see above) and root file system spoofing.
+
<!-- Tools -->
 +
<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#e0ffe0; align:right; border:1px solid #ddccff;">
  
[[Image:Grml.png|thumb|right|[[grml]] mounted root file system from the [[hard drive]]]]
+
<h2 style="margin:0; background-color:#ccffcc; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">[[Tools]]</h2>
  
Currently, Casper may select fake root file system image on evidentiary media (e.g. [[Hard Drive|HDD]]), because there are no authenticity checks performed (except optional UUID check for a possible live file system), and this fake root file system image may be used to execute malicious code during the boot with root privileges. Knoppix-based forensic Live CD distributions are vulnerable to the same attack.
+
* '''[[:Category:Disk Imaging|Disk Imaging]]''': [[dd]], [[dc3dd]], [[dcfldd]], [[dd_rescue]], [[sdd]], [[aimage]], [[Blackbag]], ...
 +
* '''[[Tools:Data Recovery|Data Recovery]]''': ...
 +
* '''[[Tools#Disk_Analysis_Tools|Disk Analysis]]''': [[EnCase]], [[SMART]], [[Sleuthkit]], [[foremost]], [[Scalpel]], [[frag_find]]...
 +
* '''[[Tools#Forensics_Live_CDs|Live CDs]]''': [[DEFT Linux]], [[Helix]] ([[Helix3 Pro|Pro]]), [[FCCU Gnu/Linux Boot CD]], [[Knoppix STD]], ...
 +
* '''[[Tools:Document Metadata Extraction|Metadata Extraction]]''': [[wvWare]], [[jhead]], [[Hachoir | hachoir-metadata]], [[Photo Investigator]]...
 +
* '''[[Tools:File Analysis|File Analysis]]''': [[file]], [[ldd]], [[ltrace]], [[strace]], [[strings]], ...
 +
* '''[[Tools:Network_Forensics|Network Forensics]]''': [[Snort]],  [[Wireshark]], [[Kismet]],  [[NetworkMiner]]...
 +
* '''[[:Category:Anti-forensics tools|Anti-Forensics]]''': [[Slacker]], [[Timestomp]], [[wipe]], [[shred]], ...
 +
* '''[[Tools#Other_Tools|Other Tools]]''': [[biew]], [[hexdump]], ...
 +
</div>
  
List of Ubuntu-based distributions that allow root file system spoofing:
+
<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#c0ffff; align:right; border:1px solid #ddccff;">
  
{| class="wikitable" border="1"
+
<h2 style="margin:0; background-color:#99ffff; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">[[:Category:Top-Level|Categories]]</h2>
|-
+
!  Distribution
+
!  Version
+
|-
+
|  Helix3
+
|  2009R1
+
|-
+
|  Helix3 Pro
+
|  2009R3
+
|-
+
|  CAINE
+
|  1.5
+
|-
+
|  DEFT Linux
+
|  5
+
|-
+
|  Raptor
+
|  2.0
+
|-
+
| BackTrack
+
|  4
+
|-
+
|  SMART Linux (Ubuntu)
+
|  2010-01-20
+
|-
+
|  FCCU GNU/Linux Forensic Boot CD
+
|  12.1
+
|}
+
  
Vulnerable Knoppix-based distributions include: SPADA, LinEn Boot CD, BitFlare.
+
The contents of this wiki are organized into various [[:Category:Top-Level|categories]]:
  
[http://anti-forensics.ru/ Anti-Forensics.Ru project] [http://digitalcorpora.org/corp/aor/drives/ released several ISO 9660 images] used to test various Linux Live CD distributions for root file system spoofing (description for all images is [http://anti-forensics.ru/casper/ here]).
+
* [[:Category:Tools|Tools]]
 +
* [[:Category:Disk file systems|Disk file systems]]
 +
* [[:Category:File Formats|File Formats]]
 +
* [[:Category:Howtos|Howtos]]
 +
* [[:Category:Licenses|Licenses]]
 +
* [[:Category:Operating systems|Operating systems]]
 +
* [[:Category:People|People]]
 +
* [[:Category:Bibliographies|Bibliographies]]
  
=== Swap space activation ===
+
</div>
 +
 
  
''Feel free to add information about swap space activation during the boot in some distributions''
+
|}
  
=== Incorrect mount policy ===
+
<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#faf0ff; align:right; border:1px solid #ddccff;">
 +
'''You can help!'''  We have a list of [[:Category:Articles_that_need_to_be_expanded|articles that need to be expanded]]. If you know anything about any of these topics, please feel free to chip in.
 +
</div>
 +
  
==== rebuildfstab and scanpartitions scripts ====
 
  
Several forensic Linux Live CD distributions (Helix3 2009R1, Helix3 Pro 2009R3, old versions of CAINE, old versions of grml) use rebuildfstab and scanpartition scripts to create entries for attached devices in ''/etc/fstab''. Some versions of these scripts use wrong wildcards while searching for available block devices (''/dev/?d?'' instead of ''/dev/?d*''), this results in missing several "exotic" devices (like /dev/sdad, /dev/sdad1, etc) and in data writes when mounting them (because fstab lacks of read-only mount options for these devices).
 
  
=== Incorrect write-blocking approach ===
+
__NOTOC__
 
+
Some forensic Linux Live CD distributions rely on [[hdparm]] and [[blockdev]] programs to mount file systems in read-only mode (by setting the underlying block device to read-only mode). Unfortunately, setting a block device to read-only mode does not guarantee that [http://oss.sgi.com/archives/xfs/2009-07/msg00213.html no write commands will be passed to the drive]. There were several other bugs related to writing on a read-only block device in the past (like [https://lkml.org/lkml/2007/2/6/1 Ext3/4 orphan inodes deletion]). At present (Linux 3.14.2), kernel code still disregards read-only mode set on block devices in many places (it should be noted that setting a block device to read-only mode will efficiently write-protect the drive from programs running in userspace, while kernel and its modules still can write anything to the block device, regardless of the read-only mode).
+
 
+
=== TRIM aka discard command ===
+
 
+
== External links ==
+
 
+
* [http://www.computer-forensics-lab.org/pdf/Linux_for_computer_forensic_investigators_2.pdf Linux for computer forensic investigators: problems of booting trusted operating system]
+
* [http://www.computer-forensics-lab.org/pdf/Linux_for_computer_forensic_investigators.pdf Linux for computer forensic investigators: «pitfalls» of mounting file systems]
+
 
+
[[Category:Live CD]]
+

Revision as of 04:46, 16 June 2014

This is the Forensics Wiki, a Creative Commons-licensed wiki devoted to information about digital forensics (also known as computer forensics). We currently list a total of 724 pages.

Much of computer forensics is focused on the tools and techniques used by investigators, but there are also a number of important papers, people, and organizations involved. Many of those organizations sponsor conferences throughout the year and around the world. You may also wish to examine the popular journals and some special reports.


WIKI NEWS

2014-06-14: The Wiki has been migrated to the most up-to-date MediaWiki and moved from HostGator to Pair. The previous bugs with the AccountCreation problem should be fixed. Please let us know if there are any problems.

  • 2014-06-16 - It seems that the transfer and upgrade has resulted in some content being lost. We are evaluating the situation.

2013-05-15: You can now subscribe to Forensics Wiki Recent Changes with the ForensicsWiki FeedBurner Feed

Featured Forensic Research

May 2014

Sven Ka ̈lber, Andreas Dewald, Steffen Idler - Forensic Zero-Knowledge Event Reconstruction on Filesystem Metadata
Lecture Notes in Informatics P-228,2014
http://subs.emis.de/LNI/Proceedings/Proceedings228/331.pdf
Bibtex
Author : Sven Ka ̈lber, Andreas Dewald, Steffen Idler
Title : Forensic Zero-Knowledge Event Reconstruction on Filesystem Metadata
In : Lecture Notes in Informatics -
Address :
Date : 2014

Abstract: Criminal investigations today can hardly be imagined without the forensic analysis of digital devices, regardless of whether it is a desktop computer, a mobile phone, or a navigation system. This not only holds true for cases of cybercrime, but also for traditional delicts such as murder or blackmail, and also private corporate investigations rely on digital forensics. This leads to an increasing number of cases with an ever-growing amount of data, that exceeds the capacity of the forensic experts. To support investigators to work more efficiently, we introduce a novel approach to automatically reconstruct events that previously occurred on the examined system and to provide a quick overview to the investigator as a starting point for further investigation. In contrast to the few existing approaches, our solution does not rely on any previously profiled system behavior or knowledge about specific applications, log files, or file formats. We further present a prototype implementation of our so-called zero knowledge event reconstruction approach, that solely tries to make sense of characteristic structures in file system metadata such as file- and folder-names and timestamps.

(See also Past Selected Articles)

Featured Article

Forensic Linux Live CD issues
Forensic Linux Live CD distributions are widely used during computer forensic investigations. Currently, many vendors of such Live CD distributions state that their Linux do not modify the contents of hard drives or employ "write protection." Testing indicates that this may not always be the case. Read More...


Topics



You can help! We have a list of articles that need to be expanded. If you know anything about any of these topics, please feel free to chip in.