Difference between pages "Windows Prefetch File Format" and "Forensic Live CD issues"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
(Problems)
 
Line 1: Line 1:
A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.
+
== The problem ==
  
As far as have been possible to ascertain, there is no public description of the format. The description below has been synthesised from examination
+
[[Live CD|Forensic Live CDs]] are widely used during computer forensic investigations. Currently, many vendors of such Live CD distributions spread false claims that their distributions "do not touch anything", "write protect everything" and so on. Unfortunately, community-developed distributions are no exception here. Finally, it turns out that many Linux-based forensic Live CDs are not tested properly and there are no suitable test cases published.
of multiple prefetch files.
+
  
== Characteristics ==
+
== Another side of the problem ==
Integer values are stored in little-endian.
+
Strings are stored as UTF-16 little-endian without a byte-order-mark (BOM).
+
Timestamps are stored as Windows Filetime.
+
  
== Header ==
+
Another side of the problem of insufficient testing of forensic Live CDs is that many users do not know what happens "under the hood" of the provided operating system and cannot adequately test them.
  
This format has been observed on Windows XP, ...  will need to be modified for Vista/Win7 format
+
=== Example ===
  
{| class="wikitable"
+
For example, [http://forensiccop.blogspot.com/2009/10/forensic-cop-journal-13-2009.html ''Forensic Cop Journal'' (Volume 1(3), Oct 2009)] describes a test case when an Ext3 file system was mounted using "-o ro" mount flag as a way to write protect the data. The article says that all tests were successful (i.e. no data modification was found after unmounting the file system), but it is known that damaged (i.e not properly unmounted) Ext3 file systems cannot be write protected using only "-o ro" mount flags (write access will be enabled during file system recovery).
|-
+
! Field
+
! Offset
+
! Length
+
! Type
+
! Notes
+
|-
+
| H1
+
| 0x0000
+
| 4
+
| DWORD
+
| ? Probably a version number, identifying the file structure. Observed values: 0x11 - Windows XP; 0x17 - Vista, Windows 7
+
|-
+
| H2
+
| 0x0004
+
| 4
+
| DWORD
+
| ? Probably a file magic number. Only observed value: 0x41434353 ('SCCA')
+
|-
+
| H3
+
| 0x0008
+
| 4
+
| DWORD?
+
| ? Observed values: 0x0F - Windows XP, 0x11 - Windows 7
+
|-
+
| H4
+
| 0x000C
+
| 4
+
| DWORD
+
| Prefetch file length.
+
|-
+
| H5
+
|0x0010
+
| 60
+
| USTR
+
| Name of executable as Unicode string, truncated after 29 code units, if necessary, and terminated by U+0000. As it appears in the prefetch file file name.
+
|-
+
| H6
+
|0x004C
+
|4
+
|DWORD
+
|The prefetch hash, as it appears in the pf file name.
+
|-
+
| H7
+
|0x0050
+
|4
+
|?
+
|? Observed values: 0 for almost all prefetch files (XP); 1 for NTOSBOOT-B00DFAAD.pf (XP)
+
|-
+
| H8
+
| 0x0054
+
| 4
+
| DWORD
+
| Offset to section A
+
|-
+
| H9
+
| 0x0058
+
| 4
+
| DWORD
+
| ? Nr of entries in section A
+
|-
+
| H10
+
| 0x005C
+
| 4
+
| DWORD
+
| Offset to section B
+
|-
+
| H11
+
| 0x0060
+
| 4
+
| DWORD
+
| Nr of entries in section B
+
|-
+
| H12
+
| 0x0064
+
| 4
+
| DWORD
+
| Offset to section C
+
|-
+
| H13
+
| 0x0068
+
| 4
+
| DWORD
+
| Length of section C
+
|-
+
| H14
+
| 0x006C
+
| 4
+
| DWORD
+
| Offset to section D
+
|-
+
| H15
+
| 0x0070
+
| 4
+
| DWORD
+
| ? Probably the number of entries in the D section header
+
|-
+
| H16
+
| 0x0074
+
| 4
+
| DWORD
+
| Length of section D
+
|-
+
| H17
+
| 0x0078
+
| 8
+
| FTIME
+
| Latest execution time of executable (FILETIME)
+
|-
+
| H18
+
| 0x0080
+
| 16
+
| ?
+
| ? Possibly structured as 4 DWORD. Observed values: /0x00000000 0x00000000 0x00000000 0x00000000/, /0x47868c00 0x00000000 0x47860c00 0x00000000/
+
|-
+
| H19
+
| 0x0090
+
| 4
+
| DWORD
+
| Execution counter
+
|-
+
| H20
+
| 0x0094
+
| 4
+
| DWORD?
+
| ? Observed values: 1, 2, 3, 4, 5, 6 (XP)
+
|-
+
|}
+
  
It's worth noting that the name of a carved prefetch file can be restored using the information in field H5 and H6, and its size can be determined by field H4.
+
And the question is: will many users test damaged Ext3 file system (together with testing the clean one) when validating their favourite forensic Live CD distribution? My answer is "no", because many users are unaware of such traits.
  
== Section A and B ==
+
== Problems ==
  
The content of these two sections is unknown.
+
Each problem is followed by a list of distributions affected (currently this list is not up-to-date).
  
== Section C ==
+
=== Journaling file system updates ===
  
== Section D ==
+
When mounting (and unmounting) several journaling file systems with only "-o ro" mount flag a different number of data writes may occur. Here is a list of such file systems:
  
Section D contains one or more subsections. The number is (most likely) determined by the DWORD at file offset 0x0070. Each subsection refers to directories on an identified volume.
+
{| class="wikitable" border="1"
 +
|-
 +
!  File system
 +
!  When data writes happen
 +
!  Notes
 +
|-
 +
|  Ext3
 +
|  File system requires journal recovery
 +
|  To disable recovery: use "noload" flag, or use "ro,loop" flags, or use "ext2" file system type
 +
|-
 +
|  Ext4
 +
|  File system requires journal recovery
 +
|  To disable recovery: use "noload" flag, or use "ro,loop" flags, or use "ext2" file system type
 +
|-
 +
|  ReiserFS
 +
|  File system has unfinished transactions
 +
|  "nolog" flag does not work (see ''man mount''). To disable journal updates: use "ro,loop" flags
 +
|-
 +
|  XFS
 +
|  Always (when unmounting)
 +
|  "norecovery" flag does not help (fixed in recent 2.6 kernels). To disable data writes: use "ro,loop" flags.
 +
|}
  
In this section, all offsets are assumed to be counted from the start of the D section.
+
Incorrect mount flags can be used to mount file systems on evidentiary media during the boot process or during the file system preview process. As described above, this may result in data writes to evidentiary media. For example, several Ubuntu-based forensic Live CD distributions mount and recover damaged Ext3/4 file systems on fixed media (e.g. hard drives) during execution of [http://en.wikipedia.org/wiki/Initrd ''initrd''] scripts (these scripts mount every supported file system type on every supported media type using only "-o ro" flag in order to find a root file system image).
  
{| class="wikitable"
+
[[Image:ext3 recovery.png|thumb|right|[[Helix3]]: damaged Ext3 recovery during the boot]]
|-
+
! Field
+
! Offset
+
! Length
+
! Type
+
! Notes
+
|-
+
| DH1
+
| +0x0000
+
| 4
+
| DWORD
+
| Offset to volume string (Unicode, terminated by U+0000)
+
|-
+
| DH2
+
| +0x0004
+
| 4
+
| DWORD
+
| Length of volume string (nr of characters, including terminating U+0000)
+
|-
+
| DH3
+
| +0x0008
+
| 8
+
| FTIME
+
| (File time)
+
|-
+
| DH4
+
| +0x0010
+
| 4
+
| DWORD
+
| Volume serial number of volume indicated by volume string
+
|-
+
| DH5
+
| +0x0014
+
| 4
+
| DWORD
+
| ? Offset to section DHS1
+
|-
+
| DH6
+
| +0x0018
+
| 4
+
| DWORD
+
| ? Length of section DHS1 (in bytes)
+
|-
+
| DH7
+
| +0x001C
+
| 4
+
| DWORD
+
| ? Offset to section DHS2
+
|-
+
| DH8
+
| +0x0020
+
| 4
+
| DWORD
+
| ? Nr of strings in section DHS2
+
|-
+
| ?
+
| +0x0024
+
| ?
+
| ?
+
| ? additional 28 bytes (includes one timestamp?)
+
|}
+
  
 +
List of distributions that recover Ext3 (and sometimes Ext4) file systems during the boot:
  
 +
{| class="wikitable" border="1"
 +
|-
 +
!  Distribution
 +
!  Version
 +
|-
 +
|  Helix3
 +
|  2009R1
 +
|-
 +
|  SMART Linux (Ubuntu)
 +
|  2010-01-20
 +
|-
 +
|  FCCU GNU/Linux Forensic Boot CD
 +
|  12.1
 +
|-
 +
|  SPADA
 +
|  4
 +
|-
 +
|  DEFT Linux
 +
|  7
 +
|}
  
If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one section in the D section. If multiple volumes are referenced by section C, section D will contain multiple sections.  (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive, and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g. \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g. \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).
+
=== Orphan inodes deletion ===
 +
 
 +
When mounting Ext3/4 file systems all orphan inodes are removed, even if "-o ro" mount flag was specified. Currently, there is no specific mount flag to disable orphan inodes deletion. The only solution here is to use "-o ro,loop" flags.
 +
 
 +
=== Root file system spoofing ===
 +
 
 +
''See also: [[Early userspace | early userspace]]''
 +
 
 +
Most Ubuntu-based forensic Live CD distributions use Casper (a set of scripts used to complete initialization process during early stage of boot). Casper is responsible for searching for a root file system (typically, an image of live environment) on all supported devices (because a bootloader does not pass any information about device used for booting to the kernel), mounting it and executing ''/sbin/init'' program on a mounted root file system that will continue the boot process. Unfortunately, Casper was not designed to meet computer forensics requirements and is responsible for damaged Ext3/4 file systems recovery during the boot (see above) and root file system spoofing.
 +
 
 +
[[Image:Grml.png|thumb|right|[[grml]] mounted root file system from the [[hard drive]]]]
 +
 
 +
Currently, Casper may select fake root file system image on evidentiary media (e.g. [[Hard Drive|HDD]]), because there are no authenticity checks performed (except optional UUID check for a possible live file system), and this fake root file system image may be used to execute malicious code during the boot with root privileges. Knoppix-based forensic Live CD distributions are vulnerable to the same attack.
 +
 
 +
List of Ubuntu-based distributions that allow root file system spoofing:
 +
 
 +
{| class="wikitable" border="1"
 +
  |-
 +
!  Distribution
 +
!  Version
 +
|-
 +
|  Helix3
 +
|  2009R1
 +
|-
 +
|  Helix3 Pro
 +
|  2009R3
 +
|-
 +
|  CAINE
 +
|  1.5
 +
|-
 +
|  DEFT Linux
 +
|  5
 +
|-
 +
|  Raptor
 +
|  2.0
 +
|-
 +
|  BackTrack
 +
|  4
 +
|-
 +
|  SMART Linux (Ubuntu)
 +
|  2010-01-20
 +
|-
 +
|  FCCU GNU/Linux Forensic Boot CD
 +
|  12.1
 +
|}
 +
 
 +
Vulnerable Knoppix-based distributions include: SPADA, LinEn Boot CD, BitFlare.
 +
 
 +
[http://anti-forensics.ru/ Anti-Forensics.Ru project] [http://digitalcorpora.org/corp/aor/drives/ released several ISO 9660 images] used to test various Linux Live CD distributions for root file system spoofing (description for all images is [http://anti-forensics.ru/casper/ here]).
 +
 
 +
=== Swap space activation ===
 +
 
 +
''Feel free to add information about swap space activation during the boot in some distributions''
 +
 
 +
=== Incorrect mount policy ===
 +
 
 +
==== rebuildfstab and scanpartitions scripts ====
 +
 
 +
Several forensic Linux Live CD distributions (Helix3 2009R1, Helix3 Pro 2009R3, old versions of CAINE, old versions of grml) use rebuildfstab and scanpartition scripts to create entries for attached devices in ''/etc/fstab''. Some versions of these scripts use wrong wildcards while searching for available block devices (''/dev/?d?'' instead of ''/dev/?d*''), this results in missing several "exotic" devices (like /dev/sdad, /dev/sdad1, etc) and in data writes when mounting them (because fstab lacks of read-only mount options for these devices).
 +
 
 +
=== Incorrect write-blocking approach ===
 +
 
 +
Some forensic Linux Live CD distributions rely on [[hdparm]] and [[blockdev]] programs to mount file systems in read-only mode (by setting the underlying block device to read-only mode). Unfortunately, setting a block device to read-only mode does not guarantee that [http://oss.sgi.com/archives/xfs/2009-07/msg00213.html no write commands will be passed to the drive]. There were several other bugs related to writing on a read-only device in the past (like [https://lkml.org/lkml/2007/2/6/1 Ext3/4 orphan inodes deletion]). At present, kernel code still disregards read-only mode set on block devices in many places (it should be noted that setting a block device to read-only mode will efficiently write-protect the drive from programs running in userspace, while kernel and its modules still can write anything to the block device, regardless of the read-only mode).
 +
 
 +
=== TRIM aka discard command ===
 +
 
 +
== External links ==
 +
 
 +
* [http://www.computer-forensics-lab.org/pdf/Linux_for_computer_forensic_investigators_2.pdf Linux for computer forensic investigators: problems of booting trusted operating system]
 +
* [http://www.computer-forensics-lab.org/pdf/Linux_for_computer_forensic_investigators.pdf Linux for computer forensic investigators: «pitfalls» of mounting file systems]
 +
 
 +
[[Category:Live CD]]

Revision as of 18:59, 15 June 2014

The problem

Forensic Live CDs are widely used during computer forensic investigations. Currently, many vendors of such Live CD distributions spread false claims that their distributions "do not touch anything", "write protect everything" and so on. Unfortunately, community-developed distributions are no exception here. Finally, it turns out that many Linux-based forensic Live CDs are not tested properly and there are no suitable test cases published.

Another side of the problem

Another side of the problem of insufficient testing of forensic Live CDs is that many users do not know what happens "under the hood" of the provided operating system and cannot adequately test them.

Example

For example, Forensic Cop Journal (Volume 1(3), Oct 2009) describes a test case when an Ext3 file system was mounted using "-o ro" mount flag as a way to write protect the data. The article says that all tests were successful (i.e. no data modification was found after unmounting the file system), but it is known that damaged (i.e not properly unmounted) Ext3 file systems cannot be write protected using only "-o ro" mount flags (write access will be enabled during file system recovery).

And the question is: will many users test damaged Ext3 file system (together with testing the clean one) when validating their favourite forensic Live CD distribution? My answer is "no", because many users are unaware of such traits.

Problems

Each problem is followed by a list of distributions affected (currently this list is not up-to-date).

Journaling file system updates

When mounting (and unmounting) several journaling file systems with only "-o ro" mount flag a different number of data writes may occur. Here is a list of such file systems:

File system When data writes happen Notes
Ext3 File system requires journal recovery To disable recovery: use "noload" flag, or use "ro,loop" flags, or use "ext2" file system type
Ext4 File system requires journal recovery To disable recovery: use "noload" flag, or use "ro,loop" flags, or use "ext2" file system type
ReiserFS File system has unfinished transactions "nolog" flag does not work (see man mount). To disable journal updates: use "ro,loop" flags
XFS Always (when unmounting) "norecovery" flag does not help (fixed in recent 2.6 kernels). To disable data writes: use "ro,loop" flags.

Incorrect mount flags can be used to mount file systems on evidentiary media during the boot process or during the file system preview process. As described above, this may result in data writes to evidentiary media. For example, several Ubuntu-based forensic Live CD distributions mount and recover damaged Ext3/4 file systems on fixed media (e.g. hard drives) during execution of initrd scripts (these scripts mount every supported file system type on every supported media type using only "-o ro" flag in order to find a root file system image).

Helix3: damaged Ext3 recovery during the boot

List of distributions that recover Ext3 (and sometimes Ext4) file systems during the boot:

Distribution Version
Helix3 2009R1
SMART Linux (Ubuntu) 2010-01-20
FCCU GNU/Linux Forensic Boot CD 12.1
SPADA 4
DEFT Linux 7

Orphan inodes deletion

When mounting Ext3/4 file systems all orphan inodes are removed, even if "-o ro" mount flag was specified. Currently, there is no specific mount flag to disable orphan inodes deletion. The only solution here is to use "-o ro,loop" flags.

Root file system spoofing

See also: early userspace

Most Ubuntu-based forensic Live CD distributions use Casper (a set of scripts used to complete initialization process during early stage of boot). Casper is responsible for searching for a root file system (typically, an image of live environment) on all supported devices (because a bootloader does not pass any information about device used for booting to the kernel), mounting it and executing /sbin/init program on a mounted root file system that will continue the boot process. Unfortunately, Casper was not designed to meet computer forensics requirements and is responsible for damaged Ext3/4 file systems recovery during the boot (see above) and root file system spoofing.

grml mounted root file system from the hard drive

Currently, Casper may select fake root file system image on evidentiary media (e.g. HDD), because there are no authenticity checks performed (except optional UUID check for a possible live file system), and this fake root file system image may be used to execute malicious code during the boot with root privileges. Knoppix-based forensic Live CD distributions are vulnerable to the same attack.

List of Ubuntu-based distributions that allow root file system spoofing:

Distribution Version
Helix3 2009R1
Helix3 Pro 2009R3
CAINE 1.5
DEFT Linux 5
Raptor 2.0
BackTrack 4
SMART Linux (Ubuntu) 2010-01-20
FCCU GNU/Linux Forensic Boot CD 12.1

Vulnerable Knoppix-based distributions include: SPADA, LinEn Boot CD, BitFlare.

Anti-Forensics.Ru project released several ISO 9660 images used to test various Linux Live CD distributions for root file system spoofing (description for all images is here).

Swap space activation

Feel free to add information about swap space activation during the boot in some distributions

Incorrect mount policy

rebuildfstab and scanpartitions scripts

Several forensic Linux Live CD distributions (Helix3 2009R1, Helix3 Pro 2009R3, old versions of CAINE, old versions of grml) use rebuildfstab and scanpartition scripts to create entries for attached devices in /etc/fstab. Some versions of these scripts use wrong wildcards while searching for available block devices (/dev/?d? instead of /dev/?d*), this results in missing several "exotic" devices (like /dev/sdad, /dev/sdad1, etc) and in data writes when mounting them (because fstab lacks of read-only mount options for these devices).

Incorrect write-blocking approach

Some forensic Linux Live CD distributions rely on hdparm and blockdev programs to mount file systems in read-only mode (by setting the underlying block device to read-only mode). Unfortunately, setting a block device to read-only mode does not guarantee that no write commands will be passed to the drive. There were several other bugs related to writing on a read-only device in the past (like Ext3/4 orphan inodes deletion). At present, kernel code still disregards read-only mode set on block devices in many places (it should be noted that setting a block device to read-only mode will efficiently write-protect the drive from programs running in userspace, while kernel and its modules still can write anything to the block device, regardless of the read-only mode).

TRIM aka discard command

External links