Tag Archives: linux

Carve and Sift: My Primer to Linux Computer Forensics

The Deft Linux Desktop

Actually, the title is a bit of a misnomer. I’d already learned a bit about computer forensics and the process of recovering files on Windows operating systems some years ago. I had pulled a lot of lost data from a machine that had unexpectedly quit working, saving a lot of customer data for a person who, for the sake of their employment, shall remain anonymous.

However, the method I used could hardly be called “forensics”, as I had to install some software to a USB stick and I still had to boot into the OS. I did a lot of writing to the disk (a forensics no-no) and not much was really preserved intact, but I did manage to save what needed to be saved. It really didn’t feel like I had done anything that would be useful to, say, a crime lab.

Deft Linux

The cyClone menu system is pretty clear and can produce either raw or compressed image files with SHA1 or MD5 hashes.

A few weeks ago I was asked if I could perform such a task on a newer Windows 7 laptop, one with a terabyte hard drive, resurrecting some home videos and photos that had been deleted. I jumped at the chance for three reasons: First, these files were of special importance to this person, as one of the family members had died recently and had failed to back them up. Secondly, this gave me a chance to try out the new Deft Linux package on a computer where I could actually see whether it had succeeded. Lastly, the data was relatively nonvolatile. If I accidentally wiped it, then no one was getting fired.

I downloaded and burned Deft Linux 7 onto a DVD and got to work. Deft is a Live Disc, meaning that the OS loads from the DVD rather than a hard disk, and is largely based on Ubuntu. The Deft distro itself is an amalgamation of both Linux and Windows software (the latter through Wine) put together by some people in Italy. It has an English version, and is just about as all-inclusive as you can get with the Linux tools. It is also set up not to mount any drives until you tell it to, and even then you can choose to mount read-only or with full access.

After looking through the impressive and useful manual on their website, I concluded that the pieces of software I was going to use for the job were cyClone, Foremost and Scalpel. Luckily, there is a GUI front-end for the latter two and a menu-driven command-line interface for cyClone. This was just about as simple as it could get.

Carving

After the carve you’ll have a dd image file (raw) and a log telling you how long it took and whether it passed the SHA1/MD5 verification check.

The first step in getting the data off of a drive is to image it, which this post calls carving: you copy the part of the drive you want to look at somewhere else, ideally somewhere with more space or more computing power, and then work only on the copy. (Strictly speaking, “carving” in forensic vocabulary means the signature-based file recovery that Foremost and Scalpel do in the sifting step below; what cyClone produces is a disk image.) In my case, I didn’t have the time, nor the interest, to install the software on my Linux boxes, so I just made the image and set it aside.

Also, I wasn’t particularly interested in the entire drive, as they had only really used the first 200GB of the 750GB allotted to the main C: drive. Imaging the last ~550GB would have taken too long and, I judged, revealed little. So, I imaged only the first 200GB and placed it on one of the SATA drives that I had made in a previous project. Be aware that this is a trade-off: NTFS does not confine data to the front of a volume, and a deleted file’s clusters can sit anywhere in it, so a partial image can miss files or fragments that a full one would catch. If you want to get really fancy, you can run the command-line dcfldd, the US Department of Defense Computer Forensics Lab’s enhanced version of dd, which hashes the data as it copies and can split the output into chunks.

After you carve, you’ll want to sift through the image file to see what you can find and/or “resurrect”.

Remember when I said that Deft doesn’t mount drives automatically and lets you choose Read Only or Full Access? The reason is that a filesystem mounted with full access gets written to even when you do nothing: access times are updated, journals are replayed, and the OS may drop index or thumbnail files on it. That is the default for almost every OS out there. If we’re police investigators trying to get clues about what’s on a computer, we certainly don’t want to taint the crime scene by scribbling all over it. Mounting a partition read-only prevents us or the OS from accidentally doing just that. A read-only mount is still only a software promise, though: on a journaling filesystem the mount code may replay the journal before honouring it (ext3/ext4 need the extra `noload` option to stop this), which is why the image, not the live drive, is what you work from, and why anyone doing this for evidence puts a hardware write blocker between the drive and the computer.
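As an added example, not code from this post or from DEFT, cyClone or dcfldd, here is a Python sketch of what an acquisition tool does under the hood: it reads the source sector by sector, zero-fills any sector that fails to read so later offsets stay aligned (what dd does with conv=noerror,sync), hashes the bytes as they stream past (dcfldd’s hash= option), and re-hashes the written image afterwards to confirm it matches. The FlakyDisk class is a constructed stand-in for a block device with one unreadable sector; the 512-byte sector size, the temp-file paths and the two-sector partial run are assumptions made for the demo.

```python
"""Forensic-style imaging: sector reads, bad-sector zero-fill, streaming hashes, verify.

Added illustration, not DEFT/cyClone/dcfldd code. The source is any object with
read(n) and seek(pos); a real run would open("/dev/sdX", "rb", buffering=0) on a
device that has first been set read-only (blockdev --setro) or sits behind a
write blocker. Sector size, paths and sample data are assumptions for the demo.
"""
import hashlib
import os
import tempfile

SECTOR = 512  # sector-sized reads: one bad sector costs 512 bytes, not a whole buffer


class FlakyDisk:
    """Constructed stand-in for a block device whose listed sectors return I/O errors."""

    def __init__(self, data, bad_sectors=()):
        self.data = data
        self.bad = set(bad_sectors)
        self.pos = 0

    def read(self, n):
        if self.pos // SECTOR in self.bad:
            raise OSError(5, "Input/output error")  # what a dying drive reports
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk

    def seek(self, pos):
        self.pos = pos


def image_device(src, dst_path, max_bytes=None):
    """Copy src to dst_path. Returns a report with byte count, bad sectors and hashes.

    max_bytes limits the copy (the post images only the first 200GB of a 750GB
    volume); None means copy until the end of the device.
    """
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    written, bad = 0, []
    with open(dst_path, "wb") as dst:
        while max_bytes is None or written < max_bytes:
            want = SECTOR if max_bytes is None else min(SECTOR, max_bytes - written)
            try:
                chunk = src.read(want)
            except OSError:
                # conv=noerror,sync: log the sector, substitute zeros, keep offsets aligned
                bad.append(written // SECTOR)
                chunk = b"\x00" * want
                src.seek(written + want)
            if not chunk:
                break  # end of device
            dst.write(chunk)
            md5.update(chunk)
            sha1.update(chunk)
            written += len(chunk)
    return {"bytes": written, "bad_sectors": bad,
            "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(dst_path, report):
    """Re-hash the image on disk; True only if both digests match the acquisition hashes."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(dst_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest() == report["md5"] and sha1.hexdigest() == report["sha1"]


def demo():
    """Image a constructed 4-sector disk whose sector 2 is unreadable, then a 2-sector partial."""
    data = bytes(range(256)) * 8                       # 2048 bytes = 4 sectors (constructed)
    expected = data[:2 * SECTOR] + b"\x00" * SECTOR + data[3 * SECTOR:]
    with tempfile.TemporaryDirectory() as tmp:
        full = os.path.join(tmp, "full.dd")
        part = os.path.join(tmp, "first2.dd")
        full_report = image_device(FlakyDisk(data, bad_sectors=[2]), full)
        full_report["verified"] = verify_image(full, full_report)
        full_report["zero_filled_ok"] = full_report["sha1"] == hashlib.sha1(expected).hexdigest()
        part_report = image_device(FlakyDisk(data, bad_sectors=[2]), part, max_bytes=2 * SECTOR)
        part_report["verified"] = verify_image(part, part_report)
    return full_report, part_report


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The report’s bad_sectors list is the part worth keeping with the image: it records exactly which offsets are synthetic zeros rather than drive content, which matters when a carved file later turns out to straddle one of them.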

Sifting

Sifting is mostly hit-and-miss, with the emphasis on the miss. It also takes quite a long while, depending on the size of the image.

This is the part that takes the longest. Now that we have our cloned drive, we need to go through it, pull out all of the files we need and organize them. There are many ways to do this, but the easiest in Deft is to use the Hunchback GUI, a front-end for the scalpel and foremost command-line tools. These work by file carving: they know the header and footer byte signatures of common file types and cut out every stretch of the image that starts with one, whether or not the filesystem still has a name for it. The options in Hunchback aren’t as robust as on the command line, which is usually the case with front-ends, but they were good enough for us.

I selected all the picture and video types, ignoring things like PDFs or EXEs. Then I pointed to another external drive (from a previous project) and told it to drop all the files that it found in that folder and arrange them by type. The software creates folders for each one and copies what it can accordingly.
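To show what Foremost and Scalpel actually do during this step, here is an added Python example that is not Hunchback, Foremost or Scalpel code: a minimal header/footer carver that walks a raw image looking for JPEG and PNG signatures, cuts out everything up to the matching footer (or up to a maximum size when the footer is gone, which is how those tools handle a partly overwritten file), and drops the results into one folder per type the way Hunchback does. The image it runs on is constructed inline; the signature table and the 20 MiB size limit are assumptions chosen for the demo, and like the real tools it will be fooled by an embedded JPEG thumbnail, whose own FF D9 ends the carve early.

```python
"""Minimal signature-based file carver, in the spirit of Foremost/Scalpel.

Added illustration, not Hunchback/Foremost/Scalpel code. It scans a raw image
(bytes; mmap a real dd image for anything large) for known headers, cuts to the
matching footer or to max_size, and writes the pieces into outdir/<type>/.
The signature table and sample image are constructed for the demo.
"""
import os
import tempfile

# type -> (header, footer, max_size); a toy table, the real tools ship hundreds of entries
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
}


def carve(image, signatures=SIGNATURES):
    """Return [(kind, offset, data, truncated)] for every header found, sorted by offset."""
    found = []
    for kind, (head, foot, max_size) in signatures.items():
        pos = image.find(head)
        while pos != -1:
            window_end = min(len(image), pos + max_size)
            end = image.find(foot, pos + len(head), window_end)
            if end == -1:
                # no footer inside the window: carve the window and flag it as partial
                data, truncated = image[pos:window_end], True
                resume = pos + len(head)          # another real file may start inside it
            else:
                data, truncated = image[pos:end + len(foot)], False
                resume = pos + len(data)          # skip the body we just carved
            found.append((kind, pos, data, truncated))
            pos = image.find(head, resume)
    found.sort(key=lambda f: f[1])
    return found


def write_carved(found, outdir):
    """Write each carve into outdir/<kind>/, mirroring the per-type folders Hunchback creates."""
    paths = []
    for kind, offset, data, truncated in found:
        folder = os.path.join(outdir, kind)
        os.makedirs(folder, exist_ok=True)
        name = f"{offset:012x}{'.partial' if truncated else ''}.{kind}"
        path = os.path.join(folder, name)
        with open(path, "wb") as f:
            f.write(data)
        paths.append(path)
    return paths


def build_sample_image():
    """Constructed 'disk image': filler, one JPEG, one PNG, and a JPEG header whose tail is gone."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 100 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x22" * 17
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    headless_tail = b"\xff\xd8\xff\xdb" + b"\x33" * 50   # overwritten before its footer
    filler = lambda n: b"\xa5" * n                      # stands in for unallocated space
    image = (filler(700) + jpeg + filler(3000 - 700 - len(jpeg)) + png
             + filler(500) + headless_tail)
    return image, jpeg, png


def demo():
    """Carve the sample image into a temp dir; report what was found and whether bytes are intact."""
    image, jpeg, png = build_sample_image()
    found = carve(image)
    with tempfile.TemporaryDirectory() as tmp:
        written = len(write_carved(found, tmp))
    return {
        "files": [(kind, off, len(data), trunc) for kind, off, data, trunc in found],
        "written": written,
        "intact": found[0][2] == jpeg and found[1][2] == png,
    }


if __name__ == "__main__":
    print(demo())
```

Two things this makes visible that the GUI hides: carving is purely byte-pattern matching, so a fragmented file comes out corrupt no matter how good the tool is, and a header with no footer still produces an output file, which is why a carve run yields “tens of thousands” of files of which many are junk.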

Once that was done, I re-mounted the internal 750GB drive with full access, dropped the files I had sifted onto it, and I was done. (Only write back to the source drive once you are sure you have imaged everything you might need: those writes land on unallocated space and overwrite whatever deleted data is still sitting there.) Now, they could look through the files at their leisure (tens of thousands) and get their deleted files back.

A Further Word

The above, while definitely not a how-to, is a very simple way of getting data off of a Windows or other OS’s drive without disturbing the contents. You could even stop at the image stage and take it with you to sift later. An image of the whole device is an exact, sector-for-sector copy of the drive, deleted files and all; a partial image like mine is an exact copy of the range it covers.

Deft also contains a gargantuan number of other useful tools for doing things besides straight computer forensics. It also has utilities for network forensics, encryption study and more. If you’ve ever been interested in Computer or Network forensics, then Deft is a must have. It’s definitely tool number one on my belt for this kind of work.

-CJ Julius

Chrome’s Office Beta Was Not Meant For Me

Google Office Viewer Beta doesn’t work on Windows 8

I tweeted the other day about Google’s new Chrome Office Viewer Extension (COVE?) that was in beta. It would allow users to see Office documents (as in the Microsoft kind) right in their web browser window. I excitedly talked about how it may move me to Chrome, because I do open a lot of web-hosted word processing documents. It sounded exciting!

Moving from one browser to another would be a herculean task for me, but I was willing to do it for such a neat feature, if it worked as advertised. While importing bookmarks is no big deal, moving my encrypted passwords (some to sites that I don’t even remember I used) and tying a Google account to it are not something that I particularly wanted. But I was willing to give it a try.

…it also doesn’t work on Ubuntu Linux.

I downloaded Chrome on my laptop and desktop and set about getting the extension. However, I have been unable to get the extension to install. Google has disabled it for the two operating systems I use the most: Windows 8 and Ubuntu Linux. I even tried launching Google Chrome in Windows 8 Mode, but to no avail. While this is beta, I can’t be the only one who uses these two OSes, or just one of them exclusively.

This left me rather disappointed and solidified me more into the Firefox camp, where all my stuff resides anyway. Maybe I’ll keep Chrome around for a bit longer just to see what’s changed since I’ve last used it, or wait until the Office Viewer gets a proper release, but Firefox is still sitting pretty in my book. I’ll stay there and possibly try again when this comes out of Beta.

-CJ Julius

Teaching Windows 8 and Ubuntu Linux to Share

Rinder500 being shared on Zero.

A few weeks ago, I had put together a project to turn a few eSATA drives that I had lying around into a few mobile digital vaults. This was a complete success, and gave me a bunch more room to do future projects. However, it did not give me an easy way to access these drives, especially the one attached to my main Windows machine and my laptop. Having to unplug/replug every time was proving cumbersome.

So, I decided to make my “mobile” drives a little more permanent, and then just give access to them across a system of three computers via wireless. This would give me 750GB between the machines with which to divvy up as I saw fit.

I’ll be approaching this in three parts:

  1. Setting up the 500GB on the Windows 8 machine (Zero) and sharing.
  2. Setting up the 250GB on my Ubuntu File Server (Crusher) and sharing.
  3. Connecting a Laptop (Stewart) and Zero and Crusher.

In my scenario I did not need to share to my file server from my Windows 8 machine. There’s no reason for it to access it, if successful, from anything other than Zero or Stewart.

Zero Trouble

The Network as viewed from the Windows 8 machine (Zero)

So, step one was getting my shares running on Zero. The first thing I did was make sure my networking was all in line. Prior to this, I’d only ever used the Windows 8 computer to connect to the internet, never as part of any network. It had been part of another network previously, but not since the OS was upgraded.

In System Properties > Network ID I set it up as part of a home network and gave it the Workgroup “ZRO_WG”. This is so I have an easy way of recognizing this machine on the network uniquely. Then I simply shared the Rinder500 drive and set it to require a password.

Even though on Windows 8 your login is an email address, you’re only concerned with the username of the account. So if your account is SomeGuy@Somewhere.com then your user name is most likely going to be just “SomeGuy”. In my advanced sharing options (right-click, Advanced Sharing) I put a comment on the share to easily identify it, required a password and a simple name “rinder500”.

And that was it.

Doing Samba

Rinder250 shared on Linux

In Ubuntu it was almost just as easy. I’m currently running Ubuntu 10.04 Server LTS on my file server, because I’m trying to stay away from Unity as long as I can*, and that’s what was around when I first put this machine together. That should also give you an idea of its age. Keep this in mind as I proceed as some of my methods may not work for new versions or the problems I had may not even be an issue anymore.

You can Share a drive on Ubuntu just like you would share any folder, since that’s how they’re treated when mounted. You do this by heading into the drive, in my case /media/Rinder250 and right-click to share. Then, I used the shares-admin command from terminal and added the users I wanted and verified that my shares had been added properly.

Shares-admin shows all the users and your shares.

Samba’s default workgroup is WORKGROUP; the name that shows up on the network, Crusher for the file server, is the NetBIOS name, which defaults to the machine’s hostname. I used a local user (me) as someone with full rights to the share, just to keep it simple. But you can use this method to add any number of users to the share and give them different permissions if you want.

To do any of this however, you will need to install Samba. You will be prompted for it when you try to share, so this isn’t an issue, unless your server isn’t connected to the internet for whatever reason.

Building the Intranet

Now that I had both of the shares created, it was time to link all of them together. I had three machines that I wanted to link together: Zero, Stewart and Crusher. All three had different OS’s and different needs so I’m detailing them individually.

Laptop's (Stewart) view of the network.

Zero

Zero is the Windows 8 machine, sharing the 500GB eSATA drive. The only one it needed to link to was Crusher. I browsed the network (by doing the cumbersome task of clicking on Network) and selected Crusher.local. Then I put in my username and password for the share and, voilà, I could read from and write to everything.

Crusher

Crusher is the Ubuntu 10.04 Server sharing the 250GB eSATA drive. This got complicated, mostly because of the way Samba (on 10.04 at least) handles Windows shares. You can’t just find the share in the network, double-click on it and be good. You have to manually type in the address and then fill out the user/pass information, using the Go > Location menu and putting in something like:

smb://WORKGROUP;username@ip.address.of.server/share/

Note the exact spelling: the workgroup, user and share names have to match what the server exports, and the address is the server’s IP or name. (SMB treats workgroup and share names as case-insensitive, so if the address is rejected, the usual culprit is a mistyped share name, the wrong workgroup or bad credentials rather than capitalisation.)

Stewart

Stewart shared nothing, but needed to access both shares, on Crusher and Zero, from Ubuntu 12.04. This one was finished just like the Ubuntu 10.04 machine, except that I had to put in two shares. Also, instead of an IP for Crusher I was able to put in just crusher.local. Other than that, exactly the same.

In Production

On the two Ubuntu machines I ended up making bookmarks for the shares, so I could get to them without typing that long address every time. If I reboot the server, which is rarely, and it doesn’t have a static IP assigned, I need to add the share again and bookmark it again; giving Crusher a static address or a DHCP reservation, or bookmarking it as crusher.local the way Stewart does, avoids that.

Now that I have put together these shared drives, I can move or save things to them across the network. I will be using these network drives in the future, when I will attempt to digitize my movie library.

*As mentioned, I do have 12.04 on my laptop, Stewart.

How I Turned an Old Computer Into a Mobile Digital Vault

For a couple of years I’ve had an older HP AMD64 sitting around whose motherboard went out, and I’ve been looking for a use for the parts. More specifically, I’ve been looking for a way to use the 500GB SATA HD that’s inside. It seemed like an awful lot of space to waste.

Stripped insides of the old computer: I just took the HD, RAM and CPU.

I posted a while back on my Twitter (or possibly LinkedIn, it’s been a while) a link to LifeHacker’s “Five Best Drive Enclosures” and slowly the idea has been making its way up my project list.

But I wanted to one-up the project. I didn’t just want a portable hard drive, I wanted a device that I could move around, somewhat, and still be secured in the event that it was stolen. Basically I wanted a mobile digital vault.

The first step was to get the drive out of the computer and into something useful. Referring back to the LifeHacker article, I chose the Rosewill RX-358, which met all of my criteria: it had to be cooled (fan), support larger drives (500GB) and be eSATA compatible.

The HD just before putting the top on: it slides right into the connectors on the back and fits like it came from the factory that way. Kudos to Rosewill.

I dropped the old SATA drive into it, which fit snugly into the case. Once you put the Rosewill back together, it actually feels like it was factory built to be a mobile drive. It feels solid and secure.

I backed up any data on it I wanted, which wasn’t much, and then formatted the drive. I chose NTFS for the drive format because both Windows and Linux, the two OSes I use most, can read it. I didn’t plan to turn all 500GB into a digital vault, since I don’t have that many private documents, but you can certainly do that with the software.

Now that I had a newly-formatted 500GB drive I used TrueCrypt to create the encrypted virtual drive (a container file) on it. This software runs on Windows, Mac and Linux, so a container created on one is readable on any device that has TrueCrypt installed. This of course assumes that the container sits on a filesystem the OS can read, and that the filesystem inside the container is one the OS can read too.

The TrueCrypt main screen before I hit the “Mount” button. You can have several encrypted virtual drives running at once.

I tried initially to create a 50GB drive (more than enough for me) in NTFS through Windows, but for some reason Windows wasn’t able to write past about 7GB before shutting down. I tried again in Linux and it had no problem creating the entire 50GB partition and encrypting it with my key.

When I did this, however, NTFS was not an option and I chose EXT4 (Linux filesystem) instead. This meant that while I was able to mount it in Windows, I wouldn’t be able to read the virtual drive without some extra work. This was fine for me, as I use Linux primarily. If you are trying this on your own, keep this in mind.

After the new drive was created, formatted and mounted (with password required)*, I put a copy of a faux folder called “Important Documents” into it with a few files and dismounted. The dismounted virtual drive was an unintelligible mess with no indication of what it was supposed to be, which is exactly what you want.

My “Important” documents encrypted and decrypted fine. Ubuntu treats the mounted volume like just another drive, but since it isn’t in fstab it won’t show up in your Unity dock.

The device mounted again, after rebooting on the machine it was created on and on another system entirely, showing me my documents in good condition. I was able to mount it on Windows as well, though as mentioned I was not able to read the files from it. I tried a program that was built to read mounted EXT2/3/4 drives, but it didn’t seem to pick up my encrypted drive. There are other methods, such as installing a driver to read the other filesystems, but since this was not a high priority for me I did not do it. Perhaps I will try those options later. I’ll post an update on this blog post if I get anything to work (or not!).

So, there you have it. I now have a 500GB mobile drive with a 50GB digital vault. I would recommend also putting a copy of TrueCrypt on your unencrypted portion so you can install it if need be (on Windows, TrueCrypt’s Traveler Disk Setup does exactly this). If not that, then you can do as I have and sync the installer to your Dropbox. My method, of course, assumes that you’ll have internet access. I wouldn’t recommend encrypting the entire drive for this reason as well, especially if you have a large one. TrueCrypt is very smooth, but you don’t want to have to mount a huge volume every time you get on your drive to move some pictures or something.

The Rosewill running, attached via the eSATA port. The blue lights are factory standard.

Any way you go about it, this is a good way to securely move your data around. If the unthinkable happens, you’ll know that you don’t have anything to worry about… other than getting a new mobile drive.

*Note: Just to give you an idea of the strength of the encryption in use: trying every possible AES-256 key with a trillion computers each making a billion guesses a second (10^21 guesses a second) would take about 2^256 / 10^21 seconds, roughly 4 × 10^48 years. Nobody attacks the key, though; they attack the password, so the vault is only as strong as the passphrase that unlocks it. TrueCrypt slows password guessing by running the passphrase through a few thousand iterations of PBKDF2 before deriving the key, which helps, but a short or dictionary passphrase still falls quickly to an offline attack on a copy of the container, so pick a long one. (TrueCrypt’s developers ended the project in 2014; VeraCrypt continues the format with a far higher iteration count.) Fort Knox wishes its door were this hard to force; its combination is still the thing to worry about.

-CJ Julius