Difference between pages "Forensic Live CD issues" and "Websites"

From ForensicsWiki
== The problem ==

[[Live CD|Forensic Live CDs]] are widely used during computer forensic investigations. Many vendors of such Live CD distributions claim that their distributions "do not touch anything", "write protect everything" and so on; these claims are false, and community-developed distributions are no exception. It also turns out that many Linux-based forensic Live CDs are not tested properly, and no suitable test cases have been published.

== Another side of the problem ==

Another side of the problem of insufficient testing of forensic Live CDs is that many users do not know what happens "under the hood" of the provided operating system and therefore cannot test it adequately.

=== Example ===

For example, [http://forensiccop.blogspot.com/2009/10/forensic-cop-journal-13-2009.html ''Forensic Cop Journal'' (Volume 1(3), Oct 2009)] describes a test case in which an Ext3 file system was mounted with the "-o ro" mount flag as a way to write protect the data. The article says that all tests were successful (i.e. no data modification was found after unmounting the file system), but it is known that a damaged (i.e. not properly unmounted) Ext3 file system cannot be write protected using only the "-o ro" mount flag: the kernel replays the journal before the read-only mount completes, and that replay writes to the device.

And the question is: will many users test a damaged Ext3 file system (together with a clean one) when validating their favourite forensic Live CD distribution? My answer is "no", because many users are unaware of such traits.
== Problems ==

Each problem is followed by a list of distributions affected (currently this list is not up-to-date).

=== Journaling file system updates ===

When mounting (and unmounting) several journaling file systems with only the "-o ro" mount flag, a varying number of data writes may occur. Here is a list of such file systems:

{| class="wikitable" border="1"
|-
!  File system
!  When data writes happen
!  Notes
|-
|  Ext3
|  File system requires journal recovery
|  To disable recovery: use the "noload" flag, or use the "ro,loop" flags, or mount with the "ext2" file system type
|-
|  Ext4
|  File system requires journal recovery
|  To disable recovery: use the "noload" flag, or use the "ro,loop" flags, or mount with the "ext2" file system type (only possible when the file system uses no ext4-only incompatible features such as extents)
|-
|  ReiserFS
|  File system has unfinished transactions
|  The "nolog" flag does not work (see ''man mount''). To disable journal updates: use the "ro,loop" flags
|-
|  XFS
|  Always (when unmounting)
|  The "norecovery" flag does not help (fixed in recent 2.6 kernels). To disable data writes: use the "ro,loop" flags.
|}

Incorrect mount flags can be used to mount file systems on evidentiary media during the boot process or during the file system preview process. As described above, this may result in data writes to evidentiary media. For example, several Ubuntu-based forensic Live CD distributions mount and recover damaged Ext3/4 file systems on fixed media (e.g. hard drives) during execution of [http://en.wikipedia.org/wiki/Initrd ''initrd''] scripts (these scripts mount every supported file system type on every supported media type using only the "-o ro" flag in order to find a root file system image).

[[Image:ext3 recovery.png|thumb|right|[[Helix3]]: damaged Ext3 recovery during the boot]]

List of distributions that recover Ext3 (and sometimes Ext4) file systems during the boot:

{| class="wikitable" border="1"
|-
!  Distribution
!  Version
|-
|  Helix3
|  2009R1
|-
|  SMART Linux (Ubuntu)
|  2010-01-20
|-
|  FCCU GNU/Linux Forensic Boot CD
|  12.1
|-
|  SPADA
|  4
|-
|  DEFT Linux
|  7
|}

=== Orphan inodes deletion ===

When mounting Ext3/4 file systems, all orphan inodes are removed, even if the "-o ro" mount flag was specified. Currently, there is no specific mount flag to disable orphan inode deletion ("noload" suppresses journal replay but not orphan cleanup). The only solution here is to use the "-o ro,loop" flags: the kernel skips orphan cleanup only when the underlying block device itself is read-only, which a read-only loop device provides.
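The check a practitioner would want before trusting any "-o ro" test result, for the Ext3 case in the ''Example'' section, the journal-recovery rows of the table above and the orphan inode issue just described: read the primary superblock and look at the three fields that decide whether a plain read-only mount will write. This is an added example (Python), not code from this page or from any Live CD distribution. Field offsets follow the ext2/3/4 on-disk superblock layout; the two sample superblocks are constructed in the script, not taken from real images.

```python
"""Inspect an ext2/3/4 superblock and predict whether "mount -o ro" would
still write to the device (journal replay, orphan inode cleanup).

Added example for this article; not code from the page or from any Live CD
project. The sample images below are constructed test data.
"""
import struct

SB_OFFSET = 1024          # primary superblock lives at byte 1024
SB_SIZE = 1024
EXT_MAGIC = 0xEF53

EXT_VALID_FS = 0x0001     # s_state: cleanly unmounted
EXT_ERROR_FS = 0x0002     # s_state: errors detected

COMPAT_HAS_JOURNAL = 0x0004   # s_feature_compat
INCOMPAT_RECOVER = 0x0004     # s_feature_incompat: journal needs replay
INCOMPAT_EXTENTS = 0x0040     # s_feature_incompat: ext4 extents (blocks an ext2 mount)


def parse_superblock(image: bytes) -> dict:
    """Return the superblock fields that matter for a read-only mount."""
    if len(image) < SB_OFFSET + SB_SIZE:
        raise ValueError("image too small to contain a superblock")
    sb = image[SB_OFFSET:SB_OFFSET + SB_SIZE]
    magic, state = struct.unpack_from("<HH", sb, 0x38)      # s_magic, s_state
    if magic != EXT_MAGIC:
        raise ValueError("not an ext2/3/4 superblock (magic 0x%04x)" % magic)
    compat, incompat, _ro_compat = struct.unpack_from("<III", sb, 0x5C)
    (last_orphan,) = struct.unpack_from("<I", sb, 0xE8)     # s_last_orphan
    return {
        "clean": bool(state & EXT_VALID_FS) and not (state & EXT_ERROR_FS),
        "has_journal": bool(compat & COMPAT_HAS_JOURNAL),
        "needs_recovery": bool(incompat & INCOMPAT_RECOVER),
        "uses_extents": bool(incompat & INCOMPAT_EXTENTS),
        "last_orphan": last_orphan,
    }


def ro_mount_verdict(image: bytes) -> dict:
    """Predict what a plain "-o ro" mount would do and suggest safer options."""
    f = parse_superblock(image)
    reasons = []
    if f["has_journal"] and f["needs_recovery"]:
        reasons.append("journal replay (needs_recovery set)")
    if f["last_orphan"] != 0:
        reasons.append("orphan inode cleanup (s_last_orphan=%d)" % f["last_orphan"])
    options = ["ro", "noload"] if f["has_journal"] else ["ro"]
    # noload stops journal replay only; orphan cleanup is skipped just when the
    # block device itself is read-only, hence the read-only loop device.
    if f["last_orphan"] != 0:
        options.append("loop")
    return {
        "writes_with_plain_ro": bool(reasons),
        "reasons": reasons,
        "mount_options": ",".join(options),
        "mountable_as_ext2": not f["uses_extents"],
    }


def make_superblock(*, state, compat, incompat, last_orphan) -> bytes:
    """Build a minimal 2 KiB image holding only a superblock (constructed data)."""
    sb = bytearray(SB_SIZE)
    struct.pack_into("<HH", sb, 0x38, EXT_MAGIC, state)
    struct.pack_into("<III", sb, 0x5C, compat, incompat, 0)
    struct.pack_into("<I", sb, 0xE8, last_orphan)
    return bytes(SB_OFFSET) + bytes(sb)


# Constructed samples: a cleanly unmounted ext3, and one pulled mid-write.
CLEAN_EXT3 = make_superblock(state=EXT_VALID_FS, compat=COMPAT_HAS_JOURNAL,
                             incompat=0, last_orphan=0)
DIRTY_EXT3 = make_superblock(state=0, compat=COMPAT_HAS_JOURNAL,
                             incompat=INCOMPAT_RECOVER, last_orphan=12)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # python sb_check.py /dev/sdb1
        with open(sys.argv[1], "rb") as fh:
            image = fh.read(SB_OFFSET + SB_SIZE)
    else:
        image = DIRTY_EXT3
    print(ro_mount_verdict(image))
```

Run it against the raw device (or an image) before mounting; if it reports writes, mount through a read-only loop device (for example ''losetup -r'', then mount with the options it prints) rather than relying on "-o ro". It covers the Ext3/Ext4 rows of the table only; ReiserFS and XFS keep their own on-disk state.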
  
=== Root file system spoofing ===

''See also: [[Early userspace | early userspace]]''

Most Ubuntu-based forensic Live CD distributions use Casper (a set of scripts that completes the initialization process during the early stage of boot). Casper is responsible for searching for a root file system (typically, an image of the live environment) on all supported devices (because the bootloader does not pass any information about the boot device to the kernel), mounting it, and executing the ''/sbin/init'' program on the mounted root file system, which then continues the boot process. Unfortunately, Casper was not designed to meet computer forensics requirements: it is responsible both for the recovery of damaged Ext3/4 file systems during the boot (see above) and for root file system spoofing.

[[Image:Grml.png|thumb|right|[[grml]] mounted root file system from the [[hard drive]]]]

Currently, Casper may select a fake root file system image on evidentiary media (e.g. an [[Hard Drive|HDD]]), because no authenticity checks are performed (except an optional UUID check for a possible live file system), and this fake root file system image may be used to execute malicious code with root privileges during the boot. Knoppix-based forensic Live CD distributions are vulnerable to the same attack.

List of Ubuntu-based distributions that allow root file system spoofing:

{| class="wikitable" border="1"
|-
!  Distribution
!  Version
|-
|  Helix3
|  2009R1
|-
|  Helix3 Pro
|  2009R3
|-
|  CAINE
|  1.5
|-
|  DEFT Linux
|  5
|-
|  Raptor
|  2.0
|-
|  BackTrack
|  4
|-
|  SMART Linux (Ubuntu)
|  2010-01-20
|-
|  FCCU GNU/Linux Forensic Boot CD
|  12.1
|}

Vulnerable Knoppix-based distributions include: SPADA, LinEn Boot CD, BitFlare.

The [http://anti-forensics.ru/ Anti-Forensics.Ru project] has [http://digitalcorpora.org/corp/aor/drives/ released several ISO 9660 images] used to test various Linux Live CD distributions for root file system spoofing (a description of all images is [http://anti-forensics.ru/casper/ here]).

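To make the search order concrete, here is an added example (Python, not Casper's own shell scripts) that models the first-match search described above over two constructed candidate "devices", beside the check the page says Casper lacks: accepting a live image only when its digest matches one pinned on the boot medium. The device order, the pinned digest and the directory layout are assumptions for the demonstration.

```python
"""First-match root file system search (Casper-style) versus a verified one.

Added example; not Casper's code. The candidate "devices" are directories
created in a temporary folder and the pinned digest is computed from the
constructed genuine image, so the script runs offline.
"""
import hashlib
import os
import tempfile

LIVE_IMAGE = os.path.join("casper", "filesystem.squashfs")  # path a Casper search looks for


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_root_first_match(mounts):
    """Casper-style: the first mounted candidate carrying a live image wins.
    `mounts` is an ordered list of (device_name, mount_point)."""
    for dev, mnt in mounts:
        if os.path.isfile(os.path.join(mnt, LIVE_IMAGE)):
            return dev
    return None


def find_root_verified(mounts, expected_sha256):
    """Hardened: accept only a candidate whose live image hashes to a digest
    that (assumed here) was pinned in the initramfs of the boot medium."""
    for dev, mnt in mounts:
        img = os.path.join(mnt, LIVE_IMAGE)
        if os.path.isfile(img) and sha256_file(img) == expected_sha256:
            return dev
    return None


def build_scenario(base):
    """Constructed test data: an evidence partition carrying a planted image,
    and the genuine Live CD. Device order is an assumption: the fixed disk is
    probed before the optical drive."""
    evidence = os.path.join(base, "sda1")
    cd = os.path.join(base, "sr0")
    for root, payload in ((evidence, b"planted image: would run as root at boot"),
                          (cd, b"genuine live file system")):
        os.makedirs(os.path.join(root, "casper"), exist_ok=True)
        with open(os.path.join(root, LIVE_IMAGE), "wb") as fh:
            fh.write(payload)
    mounts = [("/dev/sda1", evidence), ("/dev/sr0", cd)]
    genuine_digest = sha256_file(os.path.join(cd, LIVE_IMAGE))
    return mounts, genuine_digest


def demo():
    """Return which device each strategy would boot from."""
    with tempfile.TemporaryDirectory() as base:
        mounts, digest = build_scenario(base)
        return {
            "first_match": find_root_first_match(mounts),
            "verified": find_root_verified(mounts, digest),
        }


if __name__ == "__main__":
    print(demo())
```

The first-match search boots from the evidence partition; the verified search ignores it and boots from the CD. A UUID check alone does not close the gap, since anything readable on the evidence disk can be copied from the CD, whereas a digest pinned in the initramfs cannot be satisfied by a planted image.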
=== Swap space activation ===

''Feel free to add information about swap space activation during the boot in some distributions''

=== Incorrect mount policy ===

==== rebuildfstab and scanpartitions scripts ====

Several forensic Linux Live CD distributions (Helix3 2009R1, Helix3 Pro 2009R3, old versions of CAINE, old versions of grml) use the rebuildfstab and scanpartitions scripts to create entries for attached devices in ''/etc/fstab''. Some versions of these scripts use the wrong wildcard while searching for available block devices (''/dev/?d?'' instead of ''/dev/?d*''); this results in several "exotic" devices (like /dev/sdad, /dev/sdad1, etc.) being missed, and in data writes when they are mounted (because fstab lacks read-only mount options for these devices).

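The two globs side by side, applied to a constructed device listing, with the corrected scan feeding a read-only fstab. This is an added example (Python); it is not the rebuildfstab or scanpartitions script of any distribution, and only the two patterns come from the page. It assumes, which the page does not state, that the scripts found partitions by appending a digit pattern to each disk name they matched, so a disk the glob misses loses its partitions as well.

```python
"""Block-device enumeration with the wildcard bug, beside the corrected scan
emitting read-only fstab entries. Added example; device listing constructed.
"""
import fnmatch
import os

BUGGY_DISK_GLOB = "/dev/?d?"   # exactly three characters: sda, hdb ... but never sdad
FIXED_DISK_GLOB = "/dev/?d*"   # sda, sdad, sdaa, ...

# Constructed /dev listing: whole disks and their partitions, 30th SCSI disk included.
SAMPLE_DEV = ["/dev/hda", "/dev/hda1", "/dev/sda", "/dev/sda1", "/dev/sda2",
              "/dev/sdb", "/dev/sdad", "/dev/sdad1", "/dev/sr0", "/dev/loop0"]

# What every forensic fstab entry needs: never writable, never auto-mounted.
RO_OPTIONS = "ro,noauto,noexec,nosuid,nodev"


def scan_devices(listing, disk_glob):
    """Disks matched by `disk_glob` plus their partitions (assumed scheme:
    partition = disk name followed by digits)."""
    patterns = (disk_glob, disk_glob + "[0-9]*")
    found = []
    for name in listing:
        if name not in found and any(fnmatch.fnmatchcase(name, p) for p in patterns):
            found.append(name)
    return found


def missed_devices(listing):
    """Devices the buggy glob leaves without an fstab entry."""
    buggy = set(scan_devices(listing, BUGGY_DISK_GLOB))
    return [d for d in scan_devices(listing, FIXED_DISK_GLOB) if d not in buggy]


def fstab_entries(devices, mount_base="/media"):
    """One read-only, noauto line per device; 'auto' lets the kernel pick the type."""
    return ["%s %s auto %s 0 0" % (dev, os.path.join(mount_base, os.path.basename(dev)),
                                    RO_OPTIONS)
            for dev in devices]


if __name__ == "__main__":
    print("missed by %s: %s" % (BUGGY_DISK_GLOB, missed_devices(SAMPLE_DEV)))
    print("\n".join(fstab_entries(scan_devices(SAMPLE_DEV, FIXED_DISK_GLOB))))
```

A device absent from fstab falls back to the defaults of whatever mounts it, so the missed entries are exactly the ones that can be written to. The ''noload'' option from the journaling table above is deliberately not in RO_OPTIONS: it is Ext3/4-specific, and other file systems reject it.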
=== Incorrect write-blocking approach ===

Some forensic Linux Live CD distributions rely on the [[hdparm]] and [[blockdev]] programs to mount file systems in read-only mode (by setting the underlying block device to read-only mode). Unfortunately, setting the block device to read-only mode does not guarantee that [http://archives.free.net.ph/message/20090721.105120.99250e3f.en.html no write commands will be passed to the drive]: the flag is enforced by the kernel block layer, and commands that bypass it (e.g. SCSI pass-through) can still reach the drive. A software read-only flag is not a substitute for a hardware write blocker.

== External links ==

* [http://www.computer-forensics-lab.org/pdf/Linux_for_computer_forensic_investigators_2.pdf Linux for computer forensic investigators: problems of booting trusted operating system]
* [http://www.computer-forensics-lab.org/pdf/Linux_for_computer_forensic_investigators.pdf Linux for computer forensic investigators: «pitfalls» of mounting file systems]

[[Category:Live CD]]

'''Websites''' (revision as of 12:10, 20 May 2014)

'''Websites''' about [[digital forensics]] and related topics.

= Digital Forensics =

; Bruce Nikkel's Computer Forensics Homepage
: [http://digitalforensics.ch/ Bruce Nikkel's Computer Forensics Homepage]
: Presentations, links, references

; Digital Forensic Solution Provider Website
: [http://forensicpeople.com/ Forensic People Website]

; Certified Computer Examiner Website
: [http://www.isfce.com/ Certified Computer Examiner Website]
: Open certification process for digital forensics.

; Computer Forensics Tool Testing (CFTT) project
: [http://www.cftt.nist.gov/ Computer Forensics Tool Testing project]
: The Computer Forensic Tool Testing (CFTT) project establishes methodologies for testing computer forensic tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware.

; Computer Forensics and Investigations
: [http://computer-forensics-lab.org/ project “COMPUTER FORENSICS AND INVESTIGATIONS”]
: Computer Forensics articles, and website of Igor Michailov

; Computer Forensics Tool Catalog
: [http://www.cftt.nist.gov/tool_catalog/ Computer Forensics Tool Catalog]
: The Computer Forensics Tool Catalog provides an easily searchable catalog of forensic tools to enable practitioners to find tools that meet their specific technical needs.

; Computer Forensics World
: http://www.computerforensicsworld.com/
: Website with online discussion forums relating to computer forensics.

; [[Cyberspeak podcast]]
: [http://cyberspeak.libsyn.com/ Cyberspeak Podcast]
: Computer forensics, network security, and computer crime podcast.

; Digital Forensics Discussion Forum
: [http://www.multimediaforensics.com/ Digital Forensics Discussion Forum]
: A forum for the discussion of computer and digital forensics examinations; certified and non-certified investigators welcome.

; Digital Forensic Research Workshop (DFRWS)
: [http://www.dfrws.org/ Official Website for Digital Forensic Research Workshop]
: Open forum for research in digital forensic issues, hosting an annual meeting and an annual forensics challenge.

; E-Evidence Information Centre
: [http://www.e-evidence.info/ E-Evidence Information Centre]
: An online digital forensics bibliography, updated monthly

; FCCU GNU/Linux Forensic Boot CD
: [http://www.lnx4n6.be/ Belgian Computer Forensic Website]
: Belgian Computer Forensic Website - Forensic Boot CD - Linux

; Forensic Focus
: http://www.forensicfocus.com/
: News, blog, forums, and other resources for people engaged in or interested in digital forensics.

; International Association of Computer Investigative Specialists
: [http://www.iacis.info/ International Association of Computer Investigative Specialists]
: Volunteer non-profit corporation composed of law enforcement professionals.

; Litilaw Computer Forensics
: [http://computer-forensics-litilaw.lexbe.com/ Litilaw Computer Forensics]
: Computer forensics article collection.

; MySecured.com
: [http://www.MySecured.com/ MySecured.com]
: Mobile phone forensics, cellphone related investigation and data analysis site.

; NIST: Secure Hashing
: [http://csrc.nist.gov/CryptoToolkit/tkhash.html NIST: Secure Hashing]
: The Computer Security Division's (CSD) Security Technology Group (STG) is involved in the development, maintenance, and promotion of a number of standards and guidance that cover a wide range of cryptographic technology.

; National Software Reference Library (NSRL)
: [http://www.nsrl.nist.gov/ National Software Reference Library]
: The National Software Reference Library (NSRL) collects software from various sources and incorporates file profiles computed from this software into a Reference Data Set (RDS) of information.

; Open Source Digital Forensics
: [http://www.opensourceforensics.org “OpenSourceForensics.org”]
: The Open Source Digital Forensics site is a reference for the use of open source software in digital investigations (a.k.a. digital forensics, computer forensics, incident response).

; University of Delaware Computer Forensics Lab
: [http://128.175.24.251/forensics/default.htm University of Delaware]
: Computer Forensics Lab Resource Site.

; University of Rhode Island Digital Forensics Center
: [http://dfc.cs.uri.edu/ University of Rhode Island]
: Computer Forensics Lab Resource Site.

; Forensics Sciences Conference and Exhibition
: [http://euroforensics.com/ Euroforensics]

= Non-Digital Forensics =

; NIST Image Group
: [http://fingerprint.nist.gov/ NIST Image Group]
: Many reports, including the [[NIST]] report on [[AFIS]] [[fingerprint]] testing.

= Wikis =

; Forensics Wiki (Russian Language)
: [http://www.computer-forensics-lab.org/wiki/ Forensics Wiki in Russian]

= [[Blogs]] =

= [[Journals]] =