Session 06 - Linux Tools

Requirements:

A computer that runs Linux; OR

A virtual machine that runs Linux

A USB stick you don't care about any more and is rather small in storage capacity (the smaller the better, and make sure you've copied any important files off the USB stick onto somewhere else)

The Grundy_Tutorial.zip file from Blackboard

Analysis Organisation

Depending on your Linux distribution, you may have to find out how to deactivate auto-mounting of plugged in media (e.g., USB sticks)
It's best to simply plug a USB stick into your machine first to find out if it is auto-mounted at all before you go looking for instructions

Note: As you've hopefully come across before, the $ shown in these example commands is simply a dummy placeholder for your prompt, which will look different from everyone else's prompt., so $ is used generically. Of course, that means that you do not type the $.

You can use a few commands to figure out which device identifier your USB stick received after you plugged it in (e.g., /dev/sdb, /dev/sdc, etc.):

$ dmesg | tail (this will show you the last 10 lines of the system's log that will show you the device identification your USB stick received)
$ dmesg | less (this will show you the full log which you can scroll up and down, use q to quit and return to your prompt)

DO NOT IGNORE THIS NOTE: The following might render your system unbootable if you get it wrong, so be very careful and only use a system that you're happy to re-install Linux onto. If you're doing this with a VM you'll have to ensure that you're passing the USB stick into the virtual machine (less risky). You have been warned!

Note: Most of the commands in this exercise require you, the user, to have elevated privileges. That means you'll have to execute them by prepending sudo. For example: $ sudo wipefs -a ...

Zeroing a disk (or USB stick) means wiping it clean of any residue data that might have been there before you use it for this exercise. A bit like a real physical laboratory, you want to make sure that there is no residue that could interfere with your results.

The Correct but Impractical Way (for this exercise)

Due to modern disk (or USB stick) sizes this might not be feasible (1GB+ is going to take a while). The command will literally write 512-byte chunks of zeroes to your USB stick, and of course, the bigger your storage the longer it'll take. So, unless you really want to, don't do this command. It is here for documentation purposes, and so you know what you could do if you wanted to wipe a disk clean with zeroes.

$ dd if=/dev/zero of=/dev/sdX bs=512 (Note that X in /dev/sdX will have to be an actual letter that the system gave the USB stick once you plugged it in, as mentioned at the start of this document)

Once the disk has been filled with zeroes, dd would terminate, and you could check that the disk is in fact full of zeroes by running:

$ xxd -a /dev/sdX (again, same drive identifier as determined earlier)

The Less Correct but Practical Way (for this exercise)

Take the smallest USB stick you have, and make sure that you have copied any important data from it to a safe location, before attempting this.

The following only removes the partition information (MBR and GPT) but does not attempt to fill the disk with zeroes. Of course this is not a very thorough and certainly not secure way of wiping data (despite the tool's name).

$ wipefs -a /dev/sdX

Unzip the `Grundy_Tutorial.zip` File

First make sure that you're in your "home" directory (do NOT prepend this with sudo):

$ cd ~

Double-check with the pwd command (do NOT prepend this with sudo):

$ pwd

Your output should be something like this:

/home/user/ (where "user" is your username)

If you haven't done so already, move the Grundy_Tutorial.zip file from your "Downloads" directory to your home directory:

$ mv ~/Downloads/Grundy_Tutorial.zip ~

Now unzip the Grundy_Tutorial.zip file, for example:

$ unzip Grundy_Tutorial.zip -d Grundy_Tutorial

This will create a directory called Grundy_Tutorial, and inside you'll find the extracted contents. Make sure you changed directory to it:

$ cd Grundy_Tutorial

$ ls

The ls command should list the contents of the directory you're in now, and should show the following files:

able2.tar.gz
image_carve.raw
linuxintro-LEFE-2.55.pdf
logs.tar.gz
practical.floppy.dd

If this is not the case, follow the above instructions from the top where you unzip the Grundy_Tutorial.zip file.

Copy the Floppy Image to a USB Stick

This will write the image, "as is" to the USB stick, ensure that you've double-checked that you're writing to the correct device that is associated with your USB stick (e.g., /dev/sdb, etc.)!!!

$ dd if=practical.floppy.dd of=/dev/sdX (again, remember that sdX is just a placeholder for your actual drive identifier)

Now create a directory that you'll use to gather evidence:

$ mkdir evidence

Finally, create a directory that you'll use as a mount-point for the USB stick:

$ mkdir analysis

Determining the Structure of the Disk

Use lsblk to determine the disks your system can see. You should be able to find your USB stick's device identifier.

Get partition information from your USB stick:

$ fdisk -l /dev/sdX

Repeat that command, but this time save the output into a file for later:

$ fdisk -l /dev/sdX > ./evidence/fdisk.disk1

Creating a Forensic Image of the Suspect Disk

Change directory to evidence directory:

$ cd evidence

Take an image of the USB stick:

$ dd if=/dev/sdX of=image.dd bs=512

Change permissions on the image file to read-only:

$ chmod 444 image.dd

Mounting a Restored Image (via USB stick)

Change directory back to Grundy_Tutorial directory:

$ cd ..

Mount the USB stick:

$ mount -t vfat -o ro,noexec /dev/sdX ./analysis

Side-quest: Find out what the additional -o options nodev and noatime do.

Change directory to analysis directory:

$ cd analysis

Have a look around (using cd and ls to navigate and list files and directories)

After you've completed your exploration make sure you're back in the Grundy_Tutorial directory:

$ cd ~/Grundy_Tutorial

Unmount the USB stick:

$ umount analysis

Mounting the Image File using the Loopback Device

We can also just mount the image directly, without having to go via a USB stick.

$ mount -t vfat -o ro,noexec,loop image.dd analysis

Question: Why does this work? Check the manual page for the mount command and find what the loop option does.

Change directory into the analysis directory once more.

$ cd analysis

Once more, explore.

When done, make sure you're back in the Grundy_Tutorial directory and unmount the image file:

$ umount analysis

File Hash

Let's create some hash sums next, which is the equivalent of a digital fingerprint.

Try sha1sum first to generate a hash for the USB stick: $ sha1sum /dev/sdX

Now, try md5sum next, to do the same thing, but note the difference in hash length: $ md5sum /dev/sdX

A good investigator always records their steps, so let's repeat that, but this time redirect the output into a file:

$ sha1sum /dev/sdX > ./evidence/usb.sha1sum

$ md5sum /dev/sdX > ./evidence/usb.md5sum

Let's now generate hashes from the files on the image file. Once again, mount the image file using the loopback device:

$ mount -t vfat -o ro,noexec,loop image.dd analysis

The following combination of commands will find regular files on the filesystem of the mounted image file and run a hash on each file it finds, it will then redirect the output and store it in a file list:

$ find ./analysis/ -type f -exec sha1sum {} \; > ./evidence/filelist.sha1sum

$ find ./analysis/ -type f -exec md5sum {} \; > ./evidence/filelist.md5sum

Have a look at the hashes:

$ cat ./evidence/filelist.*

Comparing all the hashes with your eyes is slow, tedious, annoying, and error-prone. So, let's have Linux check the hashes for us instead:

$ sha1sum -c ./evidence/filelist.sha1sum (should return OK for each file if the file is unchanged)

Repeat the check for the MD5 hashes.

The Analysis

Remember each command can be output to a file using redirection. First, navigate through the directories:

$ ls -alR | less (you can return to your prompt by pressing q for "quit")

Making a List of All Files (from the `analysis` directory)

For good measure, let's also create a list of all the files on the mounted image:

$ ls -laiRtu > ./evidence/listed_files.list

$ find ./analysis/ -type f > ./evidence/found_files.list

We also use the extracted file lists to find certain file names, for example those ending in jpg:

$ grep -i jpg ./evidence/found_files.list

Making a List of File Types

Let's find the filetypes (remember, file-extensions are meaningless in Linux-world, but can be (ab)used to confuse operating systems that rely on them to launch the appropriate application for the extension):

$ find ./analysis/ -type f -exec file {} \; > ./evidence/filetypes.list

Let's have a look:

$ cat ./evidence/filetypes.list

Now, let's see if we can find files that are not what they seem:

$ grep image ./evidence/filetypes.list

Can you see something that might be suspicious?

Viewing Files

We can also extract information from binary files (i.e., executables/compiled files) using a nifty little tool called strings:

$ strings ./analysis/arp.exe | less (see if you can find the usage message)

Finally, unmount the image again:

$ umount ./analysis

And you're done!

U19960 - Data Recovery and Analysis