The Law Enforcement and Forensic Examiner's Introduction to Linux

A Comprehensive Beginner's Guide to Linux as a Digital Forensic Platform

Version 4.33
June 2018

Barry J. Grundy
[email protected]

v.4.33 A Comprehensive Beginner's Guide to Linux as a Digital Forensic Platform

Contents

LEGALITIES .... 5
ACKNOWLEDGMENTS .... 5
FOREWORD .... 6
A WORD ABOUT THE "GNU" IN GNU/LINUX .... 7
WHY LEARN LINUX? .... 7
WHERE'S ALL THE GUI TOOLS? .... 9
THE EXERCISES – NEW AND OLD .... 9
LINUXLEO YOUTUBE CHANNEL .... 10
CONVENTIONS USED IN THIS DOCUMENT .... 10

I. INSTALLATION .... 12
  DISTRIBUTIONS .... 12
  SLACKWARE AND USING THIS GUIDE .... 14
  INSTALLATION METHODS .... 15
  SLACKWARE INSTALLATION NOTES .... 15
  SYSTEM USERS .... 17
  ADDING A NORMAL USER .... 17
  THE SUPER USER .... 18
  DESKTOP ENVIRONMENT .... 19
  THE LINUX KERNEL .... 20
  KERNEL AND HARDWARE INTERACTION .... 20
  HARDWARE CONFIGURATION .... 21
  KERNEL MODULES .... 22
  HOTPLUG DEVICES AND UDEV .... 24
  HOT PLUGGING DEVICES AND DESKTOPS .... 25

II. LINUX DISKS, PARTITIONS AND THE FILE SYSTEM .... 27
  DISKS .... 27
  DEVICE NODE ASSIGNMENT – LOOKING CLOSER .... 30
  THE FILE SYSTEM .... 32
  MOUNTING EXTERNAL FILE SYSTEMS .... 33
  THE MOUNT COMMAND .... 34
  THE FILE SYSTEM TABLE (/ETC/FSTAB) .... 37
  DESKTOP MOUNTING .... 38

III. THE LINUX BOOT SEQUENCE (SIMPLIFIED) .... 41
  BOOTING THE KERNEL .... 41
  SYSTEM INITIALIZATION .... 42
  RUNLEVEL .... 42
  GLOBAL STARTUP SCRIPTS .... 43
  SERVICE STARTUP SCRIPTS .... 44
  BASH .... 44

IV. BASIC LINUX COMMANDS .... 46
  LINUX AT THE TERMINAL .... 46
  ADDITIONAL USEFUL COMMANDS .... 48
  COMMAND LINE MATH .... 50
  BC – THE BASIC CALCULATOR .... 50
  BASH SHELL ARITHMETIC EXPANSION .... 52
  FILE PERMISSIONS .... 53
  PIPES AND REDIRECTION .... 54
  FILE ATTRIBUTES .... 57
  METACHARACTERS .... 59
  COMMAND HINTS .... 59

V. EDITING WITH VI .... 60
  THE JOY OF VI .... 60
  VI COMMAND SUMMARY .... 61

VI. CONFIGURING A FORENSIC WORKSTATION .... 62
  SECURING THE WORKSTATION .... 62
  CONFIGURING "RC" (STARTUP) SERVICES .... 63
  HOST BASED ACCESS CONTROL .... 66
  HOST BASED FIREWALL WITH IPTABLES .... 71
  UPDATING THE OPERATING SYSTEM .... 75
  USING SLACKPKG .... 76
  INSTALLING AND UPDATING "EXTERNAL" SOFTWARE .... 78
  COMPILING FROM SOURCE .... 78
  USING DISTRIBUTION PACKAGES .... 80
  BUILDING PACKAGES – SLACKBUILDS .... 81
  USING THE AUTOMATED PACKAGE TOOL SBOTOOLS .... 85

VII. LINUX AND FORENSICS .... 91
  EVIDENCE ACQUISITION .... 91
  ANALYSIS ORGANIZATION .... 91
  WRITE BLOCKING .... 93
  EXAMINING THE PHYSICAL MEDIA INFORMATION .... 94
  HASHING MEDIA .... 99
  COLLECTING A FORENSIC IMAGE WITH DD .... 100
  DD AND SPLITTING IMAGES .... 102
  ALTERNATIVE IMAGING TOOLS .... 105
  DC3DD .... 106
  LIBEWF AND EWFACQUIRE .... 113
  MEDIA ERRORS - DDRESCUE .... 123
  IMAGING OVER THE WIRE .... 132
  OVER THE WIRE - DD .... 135
  OVER THE WIRE - DC3DD .... 136
  OVER THE WIRE - EWFACQUIRESTREAM .... 138
  OVER THE WIRE – OTHER OPTIONS .... 140
  PREPARING A DISK FOR THE SUSPECT IMAGE .... 145
  FINAL WORDS ON IMAGING .... 147
  MOUNTING EVIDENCE .... 148
  STRUCTURE OF THE IMAGE .... 148
  IDENTIFYING FILE SYSTEMS .... 150
  THE LOOP DEVICE .... 151
  LOOP OPTION TO THE MOUNT COMMAND .... 151
  LOSETUP .... 152
  MOUNTING FULL DISK IMAGES WITH LOSETUP .... 154
  MOUNTING MULTI PARTITION IMAGES WITH KPARTX .... 157
  MOUNTING SPLIT IMAGE FILES WITH AFFUSE .... 160
  MOUNTING EWF FILES WITH EWFMOUNT .... 164
  ANTI-VIRUS – SCANNING THE EVIDENCE FILE SYSTEM WITH CLAMAV .... 166
  BASIC DATA REVIEW ON THE COMMAND LINE .... 170
  FILE LISTING .... 175
  MAKING A LIST OF FILE TYPES .... 177
  VIEWING FILES .... 178
  SEARCHING ALL AREAS OF THE FORENSIC IMAGE FOR TEXT .... 181

VIII. ADVANCED (BEGINNER) FORENSICS .... 186
  THE COMMAND LINE ON STEROIDS .... 186
  FUN WITH DD .... 193
  DATA CARVING WITH DD .... 194
  CARVING PARTITIONS WITH DD .... 197
  RECONSTRUCTING THE SUBJECT FILE SYSTEM STRUCTURE (LINUX) .... 201

IX. ADVANCED ANALYSIS TOOLS .... 205
  THE LAYER STRATEGY FOR APPROACHING ANALYSIS .... 206
  SLEUTH KIT .... 208
  SLEUTH KIT INSTALLATION .... 210
  SLEUTH KIT EXERCISES .... 211
  SLEUTH KIT EXERCISE #1A – DELETED FILE IDENTIFICATION AND RECOVERY (EXT2) .... 212
  SLEUTH KIT EXERCISE #1B – DELETED FILE IDENTIFICATION AND RECOVERY (EXT4) .... 222
  SLEUTH KIT EXERCISE #2A – PHYSICAL STRING SEARCH & ALLOCATION STATUS (EXT2) .... 226
  SLEUTH KIT EXERCISE #2B – PHYSICAL STRING SEARCH & ALLOCATION STATUS (EXT4) .... 233
  SLEUTH KIT EXERCISE #3 – UNALLOCATED EXTRACTION & EXAMINATION .... 236
  SLEUTH KIT EXERCISE #4 – NTFS EXAMINATION: FILE ANALYSIS .... 242
  SLEUTH KIT EXERCISE #5 – NTFS EXAMINATION: ADS .... 247
  SLEUTH KIT EXERCISE #6 – PHYSICAL STRING SEARCH & ALLOCATION STATUS (NTFS) .... 251
  BULK EXTRACTOR – COMPREHENSIVE SEARCHING .... 257
  PHYSICAL CARVING .... 265
  SCALPEL .... 266
  PHOTOREC .... 274
  COMPARING AND DE-DUPLICATING CARVE OUTPUT .... 282
  APPLICATION ANALYSIS .... 285
  REGISTRY PARSING #1 - USERASSIST .... 286
  REGISTRY PARSING #2 – SAM AND ACCOUNTS .... 293
  APPLICATION ANALYSIS – PREFETCH .... 297

X. INTEGRATING LINUX WITH YOUR WORK .... 301

XI. CONCLUSION .... 306

XII. LINUX SUPPORT .... 307
  PLACES TO GO FOR SUPPORT: .... 307

Legalities

All trademarks are the property of their respective owners.

© 1998-2017 Barry J. Grundy ([email protected]): This document may be redistributed, in its entirety, including the whole of this copyright notice, without additional consent if the redistributor receives no remuneration and if the redistributor uses these materials to assist and/or train members of Law Enforcement or Security / Incident Response professionals.
Otherwise, these materials may not be redistributed without the express written consent of the author, Barry J. Grundy.

Acknowledgments

As always, there is no possible way I can thank everyone that deserves it. Over the years I have learned so much from so many. A blog post here, a returned email there. Help on IRC, online forums, and colleagues in the office. The contributions I receive from others in the field that take time out of their own busy days to assist me in growing as an investigator and forensic examiner are simply too numerous to catalog. My heartfelt thanks to all.

The list of colleagues that have contributed over the many years has grown. I remain grateful to all that have given their time in reviewing and providing valuable feedback, and in some cases, simple encouragement to all versions of this guide over the years. My continued thanks to Cory Altheide, Brian Carrier, Christopher Cooper, Nick Furneaux, John Garris, Robert-Jan Mora, and Jesse Kornblum for helping me lay the foundation for this guide. And for more recent assistance, I'd like to thank Jacques Boucher, Tobin Craig, Simson Garfinkel, Andreas Guldstrand, Bill Norton, Paul Stephens, Danny Werb, and as always, Robby Workman.

My continued thanks to the Linux kernel, various distribution, and software development teams for their hard work in providing us with an operating system and utilities that are robust and controllable. What horrors would I be living without their dedication?

The LinuxLEO logo was designed by Laura Etter ([email protected]).

Finally, I cannot go without thanking my wife Jo and my sons Patrick and Tommy for the seemingly endless patience as the work was underway.

Foreword

It's been nearly ten years since this guide has been officially updated, and over fifteen years since its initial public release. In that time, we've seen significant changes to the forensic industry, and a massive growth in the development of software and techniques used to uncover evidence from an ever expanding universe of devices. The purpose of this document, however, remains unchanged. I am looking to provide an easy to follow and accessible guide for forensic examiners across the full spectrum of this forensic discipline: law enforcement officers, incident responders, and all computer specialists responsible for the investigation of digital evidence.

This guide continues to provide an introductory overview of the GNU/Linux (Linux) operating system as a forensic platform for digital investigators and forensic examiners. Above all, this remains a beginner's guide. An introduction. It is not meant to be a full course on conducting forensic examinations. This document is about the tools and the concepts used to employ them: introducing them, providing simple guidance on using them, and some ideas on how they can be integrated into a modern digital forensics laboratory or investigative process.

This is also a hands on guide. It's the best way to learn, and we'll cover both basic GNU/Linux utilities and specialized software through short exercises.

The content is meant to be "beginner" level, but as the computer forensic community evolves and the subject matter widens and becomes more mainstream, the definition of "beginner" level material starts to blur. This guide makes an effort to keep the material as basic as possible without omitting those subjects seen as fundamental to the proper understanding of Linux and its potential as a digital forensic platform. If you've been doing forensic examinations for five or ten years, but never delved into Linux, then this is for you.
If you're a student at university and you are interested in how forensic tools are employed, but cannot afford thousands of dollars in licenses, then this is for you. However, this is by no means meant to be the definitive "how-to" on forensic methods using Linux. Rather, it is a (somewhat extended) starting point for those who are interested in pursuing the self-education needed to become proficient in the use of Linux as an investigative tool. Not all of the commands offered here will work in all situations, but by describing the basic commands available to an investigator I hope to "start the ball rolling". I will present the commands; the reader needs to follow up on the more advanced options and uses. Knowing how these commands work is every bit as important as knowing what to type at the prompt. If you are even an intermediate Linux user, then much of what is contained in these pages will be review. Still, I hope you find some of it useful.

GNU/Linux is a constantly evolving operating system. Distributions come and go, and there are now a number of "stand out" Linux flavors that are commonly used. In addition to balancing the beginner nature of the content of this guide with the advancing standards in forensic education, I also find myself trying to balance the level of detail required to actually teach useful tasks with the distribution specific nature of many of the commands and configurations used.

As we will discuss in further detail later in this guide, many of the details are specific to one flavor of Linux. In most cases, the commands are quite portable and will work on most any system. In other cases (package management and configuration editing, etc.) you may find that you need to do some research to determine what needs to be done on your platform of choice. The determination to provide specific details on actually configuring a specific system came about through overwhelming requests for guidance. The decision to use my Linux distribution of choice for forensics as an example is personal.
Ov(cid:2)r th(cid:2) y(cid:2)ars I hav(cid:2) r(cid:2)p(cid:2)at(cid:2)dly h(cid:2)ard from coll(cid:2)agu(cid:2)s that hav(cid:2) tri(cid:2)d Linux by installing it, and th(cid:2)n proc(cid:2)(cid:2)d(cid:2)d to sit back and wond(cid:2)r “what n(cid:2)xt?” I hav(cid:2) also (cid:2)nt(cid:2)rtain(cid:2)d a numb(cid:2)r of r(cid:2)qu(cid:2)sts and sugg(cid:2)stions for a mor(cid:2) (cid:2)xpansiv(cid:2) (cid:2)xploration of tools and utiliti(cid:2)s availabl(cid:2) to Linux for for(cid:2)nsic analysis at th(cid:2) application l(cid:2)v(cid:2)l as w(cid:2)ll as num(cid:2)rous r(cid:2)qu(cid:2)sts for prop(cid:2)r confieguration guid(cid:2)lin(cid:2)s for a bas(cid:2)lin(cid:2) Linux workstation. You hav(cid:2) a copy of this introduction. Now download th(cid:2) (cid:2)x(cid:2)rcis(cid:2)s and driv(cid:2) on. Theis is only th(cid:2) start of your r(cid:2)ading. Utiliz(cid:2)d corr(cid:2)ctly, this guid(cid:2) should prompt many mor(cid:2) qu(cid:2)stions and kick start your l(cid:2)arning. In th(cid:2) y(cid:2)ars sinc(cid:2) this docum(cid:2)nt was fierst r(cid:2)l(cid:2)as(cid:2)d a numb(cid:2)r of (cid:2)xc(cid:2)ll(cid:2)nt books with far mor(cid:2) d(cid:2)tail hav(cid:2) cropp(cid:2)d up cov(cid:2)ring op(cid:2)n sourc(cid:2) tools and Linux for(cid:2)nsics. I still lik(cid:2) to think this guid(cid:2) will b(cid:2) us(cid:2)ful for som(cid:2). As always, I am op(cid:2)n to sugg(cid:2)stions and critiqu(cid:2). My contact information is on th(cid:2) front pag(cid:2). If you hav(cid:2) id(cid:2)as, qu(cid:2)stions, or comm(cid:2)nts, pl(cid:2)as(cid:2) don’t h(cid:2)sitat(cid:2) to (cid:2)mail m(cid:2). Any f(cid:2)(cid:2)dback is w(cid:2)lcom(cid:2). Theis docum(cid:2)nt is occasionally (infr(cid:2)qu(cid:2)ntly, actually) updat(cid:2)d. 
Ch(cid:2)ck for n(cid:2)w(cid:2)r v(cid:2)rsions (numb(cid:2)r(cid:2)d on th(cid:2) front pag(cid:2)) at th(cid:2) officcial sit(cid:2): http://www.LinuxLEO.com A word about the “GNU” in GNU/Linux Wh(cid:2)n w(cid:2) talk about th(cid:2) “Linux” op(cid:2)rating syst(cid:2)m, w(cid:2) ar(cid:2) actually talking about th(cid:2) GNU/Linux op(cid:2)rating syst(cid:2)m (OS). Linux its(cid:2)lf is not an OS. It is just a k(cid:2)rn(cid:2)l. The(cid:2) OS is actually a combination of th(cid:2) Linux k(cid:2)rn(cid:2)l and th(cid:2) GNU utiliti(cid:2)s that allow us (mor(cid:2) sp(cid:2)cifiecally our hardwar(cid:2)) to int(cid:2)ract with th(cid:2) k(cid:2)rn(cid:2)l. Which is why th(cid:2) prop(cid:2)r nam(cid:2) for th(cid:2) OS is “GNU/Linux”. W(cid:2) (incorr(cid:2)ctly) call it “Linux” for conv(cid:2)ni(cid:2)nc(cid:2). Why Learn Linux? On(cid:2) of th(cid:2) qu(cid:2)stions h(cid:2)ard most oftw(cid:2)n is: “why should I us(cid:2) Linux wh(cid:2)n I alr(cid:2)ady hav(cid:2) [insert Windows GUI forensic tool here]?” The(cid:2)r(cid:2) ar(cid:2) many r(cid:2)asons why Linux is quickly gaining ground as a for(cid:2)nsic platform. I’m hoping this docum(cid:2)nt will illustrat(cid:2) som(cid:2) of thos(cid:2) atteribut(cid:2)s. 7 v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform Control – not just ov(cid:2)r your for(cid:2)nsic softwwar(cid:2), but th(cid:2) whol(cid:2) OS and atteach(cid:2)d hardwar(cid:2). Fl(cid:2)xibility – boot from a CD (to a compl(cid:2)t(cid:2) OS), fiel(cid:2) syst(cid:2)m support, platform support, (cid:2)tc. Pow(cid:2)r – A Linux distribution is (or can b(cid:2)) a for(cid:2)nsic tool. Anoth(cid:2)r point to b(cid:2) mad(cid:2) is that simply knowing how Linux works is b(cid:2)coming mor(cid:2) and mor(cid:2) important. 
Whil(cid:2) many of th(cid:2) Windows bas(cid:2)d for(cid:2)nsic packag(cid:2)s in us(cid:2) today ar(cid:2) fully capabl(cid:2) of (cid:2)xamining Linux syst(cid:2)ms, th(cid:2) sam(cid:2) cannot b(cid:2) said for th(cid:2) (cid:2)xamin(cid:2)rs. As Linux b(cid:2)com(cid:2)s mor(cid:2) and mor(cid:2) popular, both in th(cid:2) comm(cid:2)rcial world and with d(cid:2)sktop us(cid:2)rs, th(cid:2) chanc(cid:2) that an (cid:2)xamin(cid:2)r will (cid:2)ncount(cid:2)r a Linux syst(cid:2)m in a cas(cid:2) b(cid:2)com(cid:2)s mor(cid:2) lik(cid:2)ly ((cid:2)sp(cid:2)cially in n(cid:2)twork inv(cid:2)stigations). Ev(cid:2)n if you (cid:2)l(cid:2)ct to utiliz(cid:2) a Windows for(cid:2)nsic tool to conduct your analysis, you must at l(cid:2)ast b(cid:2) familiar with th(cid:2) OS you ar(cid:2) (cid:2)xamining. If you do not know what is normal, th(cid:2)n how do you know what do(cid:2)s not b(cid:2)long? Theis is tru(cid:2) on so many l(cid:2)v(cid:2)ls, from th(cid:2) actual cont(cid:2)nts of various dir(cid:2)ctori(cid:2)s to strang(cid:2) (cid:2)ntri(cid:2)s in confieguration fiel(cid:2)s, all th(cid:2) way down to how fiel(cid:2)s ar(cid:2) stor(cid:2)d. Whil(cid:2) this docum(cid:2)nt is mor(cid:2) about Linux as a for(cid:2)nsic tool rath(cid:2)r than analysis of Linux, you can still l(cid:2)arn a lot about how th(cid:2) OS works by actually using it. The(cid:2)r(cid:2) is also th(cid:2) issu(cid:2) of cross-v(cid:2)rifiecation. A working knowl(cid:2)dg(cid:2) of Linux and its for(cid:2)nsic utility can provid(cid:2) an (cid:2)xamin(cid:2)r with alternative tools on an alternative platform to us(cid:2) as a m(cid:2)thod to v(cid:2)rify th(cid:2) fiendings of oth(cid:2)r tools on oth(cid:2)r op(cid:2)rating syst(cid:2)ms. Many (cid:2)xamin(cid:2)rs hav(cid:2) sp(cid:2)nt countl(cid:2)ss hours l(cid:2)arning and using common industry standard Microsoftw Windows for(cid:2)nsic tools. 
It would be unrealistic to think that reading this guide will give an examiner the same level of confidence, sometimes built through years of experience, as they have with their traditional tools of choice. What I can hope is that this guide will provide enough information to give the examiner “another tool for the toolbox”, whether it’s imaging, recovering, or examining. Linux as an alternative forensic platform provides a perfect way to cross check your work and verify your results, even if it is not your primary choice.

We also need to consider the usefulness of Linux in academic and research applications. The open nature of Linux and the plethora of useful utilities included in a base system make it an almost tailor made platform for basic digital forensics. This is especially true in an academic environment where we find Linux provides a low cost solution to enable access to imaging tools and file examination utilities that can be used to cover the foundations of digital investigations using tools in an environment that supports multiple formats and data types.
For example, we can use the dd program for simple imaging and carving; grep and xxd to locate and examine file system structures and text string artifacts, and the file command again with xxd for signature identification and analysis. This provides us with much the same set of simple tools needed to present the very basics of digital forensics while still teaching Linux command line familiarity. Linux as a forensic platform can easily provide a primary means for digital investigations education. And in fact, prior versions of this guide have been referenced in many advanced degree and law enforcement programs that teach basic digital forensics.

Where’s all the GUI tools?

As much as possible, the tools represented in this guide are callable from and require user interaction through the command line environment. This is not simple sadism. It’s a matter of actually learning Linux (and in some ways UNIX as a by-product). This point will be made throughout this document, but the goal here is to introduce tools and how to interact through the command line. Reliance on GUI tools is understandable and is not being wholly disparaged here.
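The dd / hex dump / file workflow mentioned in the Why Learn Linux section above (locate a signature, carve the region with dd, confirm what came out), as an added example that is not part of the guide and not the author's own code. Everything in it is constructed: the raw image, the filler around the embedded file, and the 16 x 16 PNG itself (its IHDR CRC is a zero placeholder, only the IEND CRC is the real constant). The search uses od and awk rather than xxd so that it runs with POSIX tools alone.

```shell
#!/bin/sh
# Added example, not from the LinuxLEO guide: find a file signature inside a raw
# image with a hex dump, carve the file out with dd, and check the result.
# Only POSIX tools are used: dd, od, printf, tr, awk, wc. The image, the PNG
# inside it and the filler around it are all constructed below.

WORK=${TMPDIR:-/tmp}/leo_carve_demo.$$
mkdir -p "$WORK"
IMG=$WORK/disk.raw
CARVED=$WORK/carved.png

PNG_HDR_HEX=89504e470d0a1a0a   # \x89 P N G \r \n \x1a \n  (PNG signature)
PNG_IEND_HEX=49454e44          # "IEND": the chunk type that ends every PNG

# build_image: zero filler, a text artifact, a constructed PNG, more filler.
# The IHDR CRC is a placeholder (zeros); the IEND CRC is the real constant.
build_image() {
    dd if=/dev/zero bs=1 count=300 2>/dev/null > "$IMG"
    printf 'some unrelated text artifact\n' >> "$IMG"
    printf '\211PNG\015\012\032\012' >> "$IMG"                                # signature
    printf '\000\000\000\015IHDR\000\000\000\020\000\000\000\020' >> "$IMG"   # IHDR, 16 x 16
    printf '\010\002\000\000\000\000\000\000\000' >> "$IMG"                   # 8-bit RGB, CRC placeholder
    printf '\000\000\000\000IEND\256B\140\202' >> "$IMG"                      # IEND chunk
    dd if=/dev/zero bs=1 count=200 2>/dev/null >> "$IMG"
}

# find_offset FILE HEX [START]: decimal offset of the first byte-aligned
# occurrence of HEX at or after START (default 0); returns 1 if absent.
find_offset() {
    start=${3:-0}
    od -An -v -tx1 -j "$start" "$1" | tr -d ' \n' | awk -v pat="$2" -v base="$start" '
    BEGIN { found = 0 }
    {
        s = $0; skipped = 0
        while (1) {
            i = index(s, pat)
            if (i == 0) exit 1
            if ((skipped + i - 1) % 2 == 0) {      # even hex position = byte boundary
                print base + (skipped + i - 1) / 2
                found = 1; exit 0
            }
            skipped += i; s = substr(s, i + 1)     # misaligned hit: keep searching
        }
    }
    END { if (!found) exit 1 }'
}

# carve IMAGE START LENGTH OUT: byte-exact copy of one region with dd
carve() {
    dd if="$1" of="$4" bs=1 skip="$2" count="$3" 2>/dev/null
}

# carve_png: header at the signature, footer at the IEND chunk after it.
# Prints "start length" of the carved region.
carve_png() {
    hdr=$(find_offset "$IMG" "$PNG_HDR_HEX") || { echo "no PNG signature" >&2; return 1; }
    iend=$(find_offset "$IMG" "$PNG_IEND_HEX" "$hdr") || { echo "no IEND after header" >&2; return 1; }
    end=$((iend + 8))          # "IEND" (4 bytes) plus its CRC (4 bytes) close the file
    carve "$IMG" "$hdr" "$((end - hdr))" "$CARVED"
    echo "$hdr $((end - hdr))"
}

carved_size() { wc -c < "$CARVED" | tr -d ' '; }
carved_sig()  { od -An -v -tx1 -N 8 "$CARVED" | tr -d ' \n'; }

build_image
carve_png                                  # prints: 329 45
echo "carved: $(carved_size) bytes, first 8 bytes: $(carved_sig)"
od -An -c -N 16 "$CARVED"                  # eyeball the header, as xxd would show it
if command -v file >/dev/null 2>&1; then file "$CARVED"; fi
```

On a system with vim's xxd and GNU grep installed, the od | awk search above is what `grep -obUaP` or a visual pass with `xxd -s OFFSET -l 16` would give you; the point is the same either way: the offset found in the hex dump drives dd's skip and count, and the carved output is checked against the signature rather than trusted because the carve ran without error.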
If you are making the effort to read and follow along with this guide, then an assumption is being made that you want to learn Linux and the power the command line brings. There are two main points that we can focus on here:

The first is that Linux (and UNIX) find their foundation at the command line. Modern Linux and UNIX implementations are still, at their hearts, driven by a system that is most accessible from a command line interface. For this reason, knowing how to interact with the command line provides examiners the widest range of capabilities regardless of the distribution or configuration of Linux encountered. Yes, this is about forensic tools and utilities, but it’s also about becoming comfortable with Linux. It is for this reason that we continue to learn a command line editor like vi and simple bit level copying tools like dd. There’s a very high probability that any Linux/UNIX system you come across will have these tools.

Second is that knowing and understanding the command line is, in and of itself, a very powerful tool. Once you realize the power of command pipes and flow control (using loops directly on the command line), you will find yourself able to power through problems far faster than you previously thought.
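The pipes-and-loops way of working described above, as an added example that is not the guide's own material: a small triage of SSH authentication failures with grep, sed, awk, sort and uniq, and then a shell loop over that result. The log file, hostnames, usernames and addresses are all invented for this example.

```shell
#!/bin/sh
# Added example, not from the LinuxLEO guide: pipe grep / sed / awk / sort /
# uniq together to summarize a (constructed) auth log, then loop over the
# summary from the command line. Every log line below is made up.

AUTH_LOG=${TMPDIR:-/tmp}/leo_auth_demo.$$.log

write_sample_log() {
cat > "$AUTH_LOG" <<'EOF'
Jun  3 10:01:12 forensic1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51034 ssh2
Jun  3 10:01:15 forensic1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51036 ssh2
Jun  3 10:01:19 forensic1 sshd[2104]: Failed password for root from 203.0.113.7 port 51040 ssh2
Jun  3 10:02:02 forensic1 sshd[2110]: Failed password for barry from 198.51.100.20 port 40122 ssh2
Jun  3 10:02:40 forensic1 sshd[2115]: Accepted password for barry from 198.51.100.20 port 40130 ssh2
Jun  3 10:03:01 forensic1 CRON[2120]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun  3 10:05:55 forensic1 sshd[2130]: Failed password for invalid user oracle from 192.0.2.33 port 60111 ssh2
Jun  3 10:05:58 forensic1 sshd[2130]: Failed password for invalid user oracle from 192.0.2.33 port 60113 ssh2
EOF
}

# failed_by_source: one line per source address, "ADDRESS COUNT", busiest first.
# grep selects the sshd failures, sed keeps only the address after "from",
# sort | uniq -c counts, sort -rn ranks, awk puts the address first.
failed_by_source() {
    grep 'sshd\[.*Failed password' "$AUTH_LOG" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

# noisy_sources THRESHOLD: loop over the summary, keep sources at or above it
noisy_sources() {
    threshold=${1:-5}
    failed_by_source | while read -r ip count; do
        if [ "$count" -ge "$threshold" ]; then
            echo "$ip"
        fi
    done
}

# sources_with_success: sources that failed and later also got "Accepted",
# the pattern worth a closer look. Dots are escaped so grep reads them literally.
sources_with_success() {
    failed_by_source | while read -r ip count; do
        esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
        if grep -q "Accepted password for .* from $esc port" "$AUTH_LOG"; then
            echo "$ip"
        fi
    done
}

write_sample_log
echo "failed logins by source:"
failed_by_source
echo "sources with 2 or more failures:"
noisy_sources 2
echo "sources with failures followed by an accepted login:"
sources_with_success
```

Each function is one pipeline you could type at the prompt; the shell loop (`while read`) is the flow control the paragraph refers to, driven directly by the output of the previous pipeline instead of a temporary file.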
Learning the proper use and power of utilities like awk, sed, and grep will open some powerful techniques for parsing structured logs and other data sources. This guide should provide some basic understanding of how those can be used. Once you understand and start to leverage this power, you will find yourself pining for a command line and its utilities when one is not available.

Keep these points in mind as you go through the exercises here. Understand why and how the tools work. Don’t just memorize the commands themselves. That would miss the point.

The Exercises – New and Old

There are updates across the board in this version of the guide. Where old (and still useful) exercises remain from previous versions, the output and tool usage has been refreshed to reflect the current versions of the tools used. While somewhat aging, these exercises and the files used to present them remain useful and have not been removed. New exercises have also been added to allow for additional content covering application layer analysis tools and other recent additions to the Linux forensics arsenal.
Keep in mind that while this document does cover some forensic strategies and basic fundamentals, it is really about the tools we use and the concepts behind employing them. As such some of the older exercise files may seem a bit dated but they still serve the purpose of providing a problem set on which we can learn commands regardless of the target. This version of the guide is NOT a sequel. It’s an update – but with some new material.

LinuxLEO YouTube Channel

You can find demonstrations and simple video examples of some of the following chapters on the LinuxLEO YouTube channel at¹: https://www.youtube.com/channel/UCRyk5g_LoiYtEGy3dlkAsvQ

There is little content there now, but more will be added as time goes on. Subscribe and you will be notified as videos are uploaded.

Conventions Used in this Document

When illustrating a command and its output, you will see something like the following:

root@forensic1:~# command
output

This is essentially a command line (terminal) session where:

root@forensic1:~#

...is the command prompt, followed by the command typed by the user and then the command’s output.
The command will be shown in bold text to further differentiate it from the resulting output (as it may span multiple lines). In Linux, the command prompt can take different forms, depending on the environment settings (the default differs among distributions). In the example above, the format is

user@hostname:[present working directory]#

meaning that we are the user “root” working on the computer named “forensic1” currently working in the directory root (the root user’s home directory – in this case, the “home directory” is symbolized by the shorthand representation of the tilde ~). Note that for a root login the command prompt’s trailing character is #. If we log in as a regular user, the default prompt character changes to a $, as in the following example:

¹ I know, not a pretty URL, but I need subscribers for that!