Difference between pages "CAINE Live CD" and "Forensic Live CD issues"

From ForensicsWiki

{{Infobox_Software |
  name = CAINE Live CD |
  maintainer = [[CAINE Project]] |
  os = {{Linux}} |
  genre = {{Live CD}} |
  license = {{GPL}}, others |
  website = [http://www.caine-live.net/] |
}}

'''CAINE Live CD''' (Computer Aided Investigative Environment) is a forensic [[Live CD]] built on top of Ubuntu.

== CAINE 1.5 ==
As of December 2009, the current version of [http://www.caine-live.net/ Caine] is 1.5. According to its documentation, it is based on [http://releases.ubuntu.com/8.04/ Ubuntu 8.04]. Unlike the [[Helix]] project, Caine is free, freely redistributable, and open-source. CAINE 1.5 supports the Oxford 934dsb SATA chipset, used in (among other devices) the Voyager Q SATA dock from Newer Technologies.

== Forensic Issues ==

* CAINE Live CD versions before 1.0 automount [[Ext3]] file systems during the boot process and recover them (i.e. replay the journal, which writes to the device) if required (bug in the ''initrd'' scripts);
* '''CAINE Live CD version 1.0 introduced new mounting policies''':
** The mounting policy adopted by CAINE for any internal or external device: never mount any device automatically; when the user clicks on the device icon, the system mounts it read-only on a read-only loopback device.
** If a user decides to mount a device from a terminal, the "mount" command can be used, but all the mount options must be specified explicitly.
** The ext3 driver is bypassed when ext3 file systems are mounted and the ext2 driver is used instead. This protects ext3 file systems from a forensic point of view: ext2 does not use journaling, so when an ext3 partition is mounted there is no danger of the journal being replayed and the metadata modified.
** With a special patch the CAINE team fixed the bug that changed the journal of ext3 file systems on machines that had been switched off by pulling the plug (i.e. file systems that were not unmounted cleanly).
** Fixed in the fstab: auto-mounting of MMCs is forbidden, and a check was added for "exotic" device names like /dev/sdad1.
** If the user wants to mount an NTFS volume and write to it, the "ntfs-3g" command should be used instead (e.g., $ sudo ntfs-3g /dev/sda1 /media/sda1):

    # ntfs-3g /device-path /your-mount-point

Forensic Live CD issues, revision as of 17:00, 1 February 2010

The problem

Forensic Linux Live CD distributions are widely used during computer forensic investigations. Currently, many vendors of such Live CD distributions spread false claims that their distributions "do not touch anything", "write protect everything" and so on. Community-developed distributions are no exception here, unfortunately. Finally, it turns out that many forensic Linux Live CD distributions are not tested properly, and no suitable test cases have been developed.

Another side of the problem

Another side of the problem of insufficient testing of forensic Live CD distributions is that many users do not know what happens "under the hood" of such distributions and cannot adequately test them.

Example

For example, Forensic Cop Journal (Volume 1(3), Oct 2009) describes a test case in which an Ext3 file system was mounted using the "-o ro" mount flag as a way to write-protect the data. The article says that all tests were successful (i.e. no data modification was found after unmounting the file system), but it is known that damaged (i.e. not properly unmounted) Ext3 file systems cannot be write-protected using only the "-o ro" mount flag: the pending journal recovery is still performed at mount time, and replaying the journal writes to the device.

And the question is: will many users test a damaged Ext3 file system (together with a clean one) when validating their favourite forensic Live CD distribution? My answer is "no", because many users are unaware of such traits.

Problems

Here is a list of common problems of forensic Linux Live CD distributions that can be used by developers and users for testing purposes. Each problem is followed by an up-to-date list of affected distributions.

Journaling file systems updates

When several journaling file system types are mounted (and unmounted) with only the "-o ro" mount flag, a varying number of data writes may occur on the device. Here is a list of such file systems:

{| class="wikitable" border="1"
|-
!  File system
!  When it happens
!  Notes
|-
|  Ext3
|  File system requires journal recovery (it was not unmounted cleanly)
|  To disable recovery: use the "noload" flag, or the "ro,loop" flags, or mount with the "ext2" file system type
|-
|  Ext4
|  File system requires journal recovery (it was not unmounted cleanly)
|  To disable recovery: use the "noload" flag, or the "ro,loop" flags, or mount with the "ext2" file system type (the last option only works if no ext4-only features such as extents are enabled, since the ext2 driver cannot read them)
|-
|  ReiserFS
|  Always
|  The "nolog" flag does not work (see ''man mount''). To disable: use the "ro,loop" flags
|-
|  XFS
|  Always
|  The "norecovery" flag does not work. To disable: use the "ro,loop" flags. The bug was fixed in the latest 2.6 kernels.
|}
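The table above and the Forensic Cop Journal example both come down to one question an examiner should answer before typing a mount command: does this file system have a pending journal recovery, so that "-o ro" alone would write to it? The following Python is an added example (it is not code from CAINE, from ForensicsWiki, or from the journal article) that reads that answer straight out of an ext2/3/4 superblock and recommends the mount options from the table, and also fingerprints the image so a test mount on a copy can be checked for writes afterwards. It assumes a raw (dd-style) image with the primary superblock at byte offset 1024, which is the standard ext layout; the feature bits and state flags are the ones from the ext on-disk format, and the note that the ext2 driver refuses any incompatible feature bit it does not know (needs_recovery and extents included) is the Linux kernel's documented behaviour. The function names, the 2 KiB sample images and their contents are constructed for this example; they hold only the superblock fields used here and are not mountable file systems.

```python
"""Pre-mount check for ext2/3/4 evidence: read the superblock and decide
whether "-o ro" alone is enough, then fingerprint the image so a test mount
can be checked for writes. Added example, not CAINE or ForensicsWiki code."""
import hashlib
import struct

SB_OFFSET = 1024            # primary superblock starts 1 KiB into the device
EXT_MAGIC = 0xEF53
STATE_CLEAN = 0x1           # EXT2_VALID_FS: set again only on a clean unmount
STATE_ERRORS = 0x2          # EXT2_ERROR_FS: errors were recorded
COMPAT_HAS_JOURNAL = 0x4    # ext3/ext4 journal present
INCOMPAT_FILETYPE = 0x2
INCOMPAT_RECOVER = 0x4      # needs_recovery: a journal replay is pending
INCOMPAT_META_BG = 0x10
INCOMPAT_EXTENTS = 0x40     # ext4 extents
# The ext2 driver refuses to mount (even read-only) when any other incompat
# feature bit is set, needs_recovery and extents included.
EXT2_INCOMPAT_SUPPORTED = INCOMPAT_FILETYPE | INCOMPAT_META_BG


def parse_superblock(image: bytes) -> dict:
    """Return the superblock fields that decide whether a mount will write."""
    sb = image[SB_OFFSET:SB_OFFSET + 1024]
    if len(sb) < 0x88 + 64:
        raise ValueError("image too small to contain an ext superblock")
    magic, state = struct.unpack_from("<HH", sb, 0x38)      # s_magic, s_state
    if magic != EXT_MAGIC:
        raise ValueError("not an ext2/3/4 superblock (bad magic)")
    (mnt_count,) = struct.unpack_from("<H", sb, 0x34)        # s_mnt_count
    compat, incompat = struct.unpack_from("<II", sb, 0x5C)   # s_feature_compat/incompat
    last_mounted = sb[0x88:0x88 + 64].split(b"\0", 1)[0].decode("ascii", "replace")
    return {
        "has_journal": bool(compat & COMPAT_HAS_JOURNAL),
        "needs_recovery": bool(incompat & INCOMPAT_RECOVER),
        "extents": bool(incompat & INCOMPAT_EXTENTS),
        "incompat": incompat,
        "clean": bool(state & STATE_CLEAN),
        "errors": bool(state & STATE_ERRORS),
        "mount_count": mnt_count,
        "last_mounted": last_mounted,
    }


def recommended_mount_options(info: dict) -> str:
    """Options for the ext3/ext4 driver that avoid a journal replay."""
    if info["has_journal"] and info["needs_recovery"]:
        # "-o ro" alone replays the journal, i.e. writes to the evidence
        return "ro,noload"
    return "ro"  # no journal, or cleanly unmounted: nothing to replay


def ext2_driver_usable(info: dict) -> bool:
    """Can the journal-less ext2 driver (the CAINE approach) read this image?"""
    return (info["incompat"] & ~EXT2_INCOMPAT_SUPPORTED) == 0


def fingerprint(image: bytes) -> str:
    """SHA-256 of the image: take it before and after a test mount/unmount on
    a copy; any difference means the mount wrote to the device."""
    return hashlib.sha256(image).hexdigest()


def build_sample_image(state: int, compat: int, incompat: int) -> bytes:
    """Constructed 2 KiB image holding only the superblock fields used above.
    It is not a mountable file system; it only exercises the checks."""
    img = bytearray(2048)
    struct.pack_into("<H", img, SB_OFFSET + 0x34, 3)                  # s_mnt_count
    struct.pack_into("<HH", img, SB_OFFSET + 0x38, EXT_MAGIC, state)  # s_magic, s_state
    struct.pack_into("<II", img, SB_OFFSET + 0x5C, compat, incompat)  # feature bits
    img[SB_OFFSET + 0x88:SB_OFFSET + 0x88 + 5] = b"/home"             # s_last_mounted
    return bytes(img)


if __name__ == "__main__":
    samples = {
        "ext3, cleanly unmounted": build_sample_image(
            STATE_CLEAN, COMPAT_HAS_JOURNAL, INCOMPAT_FILETYPE),
        "ext3, plug pulled": build_sample_image(
            0, COMPAT_HAS_JOURNAL, INCOMPAT_FILETYPE | INCOMPAT_RECOVER),
        "ext4, plug pulled": build_sample_image(
            0, COMPAT_HAS_JOURNAL, INCOMPAT_FILETYPE | INCOMPAT_RECOVER | INCOMPAT_EXTENTS),
    }
    for label, img in samples.items():
        info = parse_superblock(img)
        print(f"{label}: needs_recovery={info['needs_recovery']} "
              f"-> mount -o {recommended_mount_options(info)}; "
              f"ext2 driver usable: {ext2_driver_usable(info)}; "
              f"sha256 {fingerprint(img)[:16]}...")
```

To turn this into the test case the page says is missing, run the check on a copy of the evidence image, hash the copy, mount it with the recommended options, unmount, and hash it again; a changed hash is a write. The superblock check only covers the ext family, but the before/after fingerprint also catches the ReiserFS and XFS writes listed in the table, which the page notes happen on every "-o ro" mount regardless of state.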

Incorrect mount flags can be used to mount a file system on

Root file system spoofing

Swap space activation

Incorrect automount policy for removable media

Incorrect write-blocking approach

Software RAID (Linux RAID) activation